
Re: More on pkinit and proxy certificates



Love Hörnquist Åstrand wrote:
>
> [kdc]
>     pkinit_allow_proxy_certificate = yes
>
Is it "yes" or "true"? In the manual it is
pkinit_allow_proxy_certificate = false

Anyway, I have tested both, but the problem persists.

My krb5.conf now is:
[kdc]
        enable-pkinit = true
        pkinit_identity = FILE:/usr/heimdal/ca-trust-anchors/hostcert.pem,/usr/heimdal/ca-trust-anchors/hostkey.pem
        pkinit_anchors = FILE:/usr/heimdal/ca-trust-anchors/ede78092.0
        pkinit_pool = DIR:/usr/heimdal/ca-trust-anchors/pool

        pkinit_mappings_file = /var/heimdal/pki-mapping
        pkinit_allow_proxy_certificate = true

The error is:

2007-01-31T10:57:00 AS-REQ root@GRIDCC.ORG from IPv4:147.102.13.3 for 
krbtgt/GRIDCC.ORG@GRIDCC.ORG
2007-01-31T10:57:00 Client sent patypes: PK-INIT(ietf)
2007-01-31T10:57:00 Looking for PKINIT pa-data -- root@GRIDCC.ORG
2007-01-31T10:57:00 PKINIT: failed to verify signature: Key usage 
missing from CA certificate; Key usage keyCertSign required but missing 
from certifiate CN=User Name,OU=org unit ,O=organization,C=GR: 569872
2007-01-31T10:57:00 Failed to decode PKINIT PA-DATA -- root@GRIDCC.ORG
2007-01-31T10:57:00 Looking for ENC-TS pa-data -- root@GRIDCC.ORG
2007-01-31T10:57:00 No preauth found, returning PREAUTH-REQUIRED -- 
root@GRIDCC.ORG
2007-01-31T10:57:00 sending 380 bytes to IPv4:147.102.13.3
2007-01-31T10:57:00 AS-REQ root@GRIDCC.ORG from IPv4:147.102.13.3 for 
krbtgt/GRIDCC.ORG@GRIDCC.ORG
2007-01-31T10:57:00 Client sent patypes: encrypted-timestamp, PK-INIT(ietf)
2007-01-31T10:57:00 Looking for PKINIT pa-data -- root@GRIDCC.ORG
2007-01-31T10:57:00 PKINIT: failed to verify signature: Key usage 
missing from CA certificate; Key usage keyCertSign required but missing 
from certifiate CN=User Name,OU=org unit ,O=organization,C=GR: 569872
2007-01-31T10:57:00 Failed to decode PKINIT PA-DATA -- root@GRIDCC.ORG
2007-01-31T10:57:00 Looking for ENC-TS pa-data -- root@GRIDCC.ORG
2007-01-31T10:57:00 Failed to decrypt PA-DATA -- root@GRIDCC.ORG 
(enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed
2007-01-31T10:57:00 Failed to decrypt PA-DATA -- root@GRIDCC.ORG
2007-01-31T10:57:00 sending 125 bytes to IPv4:147.102.13.3

Is it possible that the error is caused because I use certificates 
produced with globus grid-proxy-init? The kinit seems to accept it.
The structure of a globus proxy certificate is:
-----BEGIN CERTIFICATE-----
Mfdsfadsfda..... <proxy certificate>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBOwkD1..... <proxy key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEVzCCAkIEN..... <certificate>
-----END CERTIFICATE-----

To be sure, I have also manually constructed the 
pkinit-proxy-chain.crt and pkinit-proxy.key (by copy and paste) to 
look like the ones in the tests. This also fails with the same error 
message as shown above. But I am not sure if this is the correct method 
to produce a proxy cert.
> The error seems to indicate you have not done that.
>
> Love
>
>
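A small diagnostic, added here and not taken from the thread or from Heimdal, that applies the check the KDC log above complains about to a globus-style bundle: it splits the PEM blocks in file order and reports whether each certificate that issued the one before it carries the keyCertSign key usage. The certificate bytes are constructed stand-ins that encode only a KeyUsage extension, and the scan is a byte-pattern search rather than a full X.509 parser.

```python
import base64
import re

KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # DER-encoded OID 2.5.29.15 (id-ce-keyUsage)
KEY_CERT_SIGN_BIT = 5                        # RFC 5280 KeyUsage numbering: digitalSignature is bit 0
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def split_bundle(pem_text):
    """Return [(label, der_bytes)] for every PEM block of a bundle, in file order."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_BLOCK.finditer(pem_text)]

def der_length(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def key_usage_bits(cert_der):
    """First octet of the KeyUsage BIT STRING as an int, or None if the extension is absent."""
    pos = cert_der.find(KEY_USAGE_OID)
    if pos < 0:
        return None
    i = pos + len(KEY_USAGE_OID)
    if cert_der[i] == 0x01:            # optional 'critical' BOOLEAN (01 01 FF)
        i += 3
    if cert_der[i] != 0x04:            # extnValue is an OCTET STRING wrapping the BIT STRING
        return None
    _, i = der_length(cert_der, i + 1)
    if cert_der[i] != 0x03:
        return None
    length, i = der_length(cert_der, i + 1)
    return cert_der[i + 1] if length >= 2 else 0   # skip the 'unused bits' octet

def has_key_cert_sign(cert_der):
    bits = key_usage_bits(cert_der)
    return bits is not None and bool(bits & (0x80 >> KEY_CERT_SIGN_BIT))

def diagnose_chain(bundle_text):
    """Leaf-first bundle -> [(position, has_keyCertSign)] for each issuing certificate.
    A False entry is the link the KDC rejects: the issuer may not sign certificates."""
    certs = [der for label, der in split_bundle(bundle_text) if label == "CERTIFICATE"]
    return [(n, has_key_cert_sign(issuer)) for n, issuer in enumerate(certs[1:], start=1)]

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed stand-ins: each "certificate" is just a KeyUsage extension, not a real X.509 object.
END_ENTITY = bytes.fromhex("300b 0603551d0f 0404 0302 05a0")          # digitalSignature, keyEncipherment
CA_LIKE = bytes.fromhex("300e 0603551d0f 0101ff 0404 0302 0106")      # critical; keyCertSign, cRLSign
PRIVATE_KEY = bytes.fromhex("3003020100")                             # placeholder bytes, not a key
# Same block order as the globus proxy file: proxy cert, proxy key, then the user cert that signed it.
SAMPLE_BUNDLE = pem("CERTIFICATE", END_ENTITY) + pem("RSA PRIVATE KEY", PRIVATE_KEY) + pem("CERTIFICATE", END_ENTITY)

if __name__ == "__main__":
    print(diagnose_chain(SAMPLE_BUNDLE))   # [(1, False)]: the user cert lacks keyCertSign
```

Running it on a real bundle of the form shown above points at the user certificate as the issuer without keyCertSign, which is the condition the "Key usage keyCertSign required but missing" line reports.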