[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-11-02 Thread Jacques
You can use my surname: Florent. And thanks again for your quick help!

-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1629370 Title: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

Re: [Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-31 Thread Tom Yu
Thanks for the confirmation! What name should I use for you in acknowledgments? ** Changed in: krb5 (Ubuntu) Status: New => Confirmed ** Tags added: patch-accepted-upstream

[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-27 Thread Jacques
The patch in https://github.com/krb5/krb5/pull/550 works well for me! Thanks

[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-04 Thread Tom Yu
Also there's a proposed patch in https://github.com/krb5/krb5/pull/550 if you would be interested in testing that out.

[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-03 Thread Tom Yu
That is one possible workaround, but I don't have an easy way to test this.

[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-03 Thread Jacques
Thanks for this. So maybe I could try recompiling with the flag PKINIT_USE_MECH_LIST?

[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-03 Thread Tom Yu
Thanks. It seems that omitting the NULL would produce signatures that don't interoperate (or would require additional code complexity in the signature verifier). With default compilation options, pkinit_crypto_openssl.c forces PKCS11 tokens to use CKM_RSA_PKCS, so it's unlikely that this code

[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-02 Thread Jacques
Sorry, I was referring to PKCS#1 v2.2. See https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf Page 49, B.1 Exception: When formatting the DigestInfoValue in EMSA-PKCS1-v1_5 (see 9.2), the parameters field associated with id-sha1, id-sha512/224,

[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-01 Thread Tom Yu
RFC 3447 seems somewhat ambiguous about whether the AlgorithmIdentifier parameters (which consist of an ASN.1 NULL, DER-encoded as 05 00) must be present in various situations. Cross-checking with various CMS RFCs suggests that they are required when using EMSA-PKCS1-v1_5. cms_signeddata_create()
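The interoperability point raised in the messages above (an AlgorithmIdentifier with the ASN.1 NULL `05 00` versus one without it), as an added example that is not part of the thread or of the krb5 code: it builds both SHA-1 DigestInfo encodings and shows why a verifier that re-encodes and compares the whole EMSA-PKCS1-v1_5 block rejects the NULL-less form. All function names are hypothetical, and `recovered_em` is assumed to be the block obtained after the RSA public-key operation, which is not performed here.

```python
import hashlib

SHA1_OID = bytes.fromhex("06052b0e03021a")  # DER OID 1.3.14.3.2.26 (id-sha1)
DER_NULL = bytes.fromhex("0500")            # ASN.1 NULL parameters, DER-encoded

def der_seq(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE (short-form length is enough here)."""
    if len(content) > 127:
        raise ValueError("long-form DER length not needed for a DigestInfo")
    return b"\x30" + bytes([len(content)]) + content

def digest_info(msg: bytes, with_null: bool) -> bytes:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }."""
    alg_id = der_seq(SHA1_OID + (DER_NULL if with_null else b""))
    digest = hashlib.sha1(msg).digest()
    return der_seq(alg_id + b"\x04" + bytes([len(digest)]) + digest)

def emsa_pkcs1_v1_5(msg: bytes, em_len: int, with_null: bool = True) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo."""
    t = digest_info(msg, with_null)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def strict_verify(recovered_em: bytes, msg: bytes) -> bool:
    """Verifier that re-encodes with NULL present and compares the full block."""
    return recovered_em == emsa_pkcs1_v1_5(msg, len(recovered_em), True)

def tolerant_verify(recovered_em: bytes, msg: bytes) -> bool:
    """Verifier carrying the extra complexity: accepts either encoding."""
    n = len(recovered_em)
    candidates = (emsa_pkcs1_v1_5(msg, n, True), emsa_pkcs1_v1_5(msg, n, False))
    return recovered_em in candidates

if __name__ == "__main__":
    msg = b"constructed sample message"      # constructed input
    for with_null in (True, False):
        em = emsa_pkcs1_v1_5(msg, 256, with_null)  # 2048-bit modulus size
        print("NULL present" if with_null else "NULL omitted",
              digest_info(msg, with_null)[:15].hex(),
              "strict:", strict_verify(em, msg),
              "tolerant:", tolerant_verify(em, msg))
```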

[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-09-30 Thread Sam Hartman
I've forwarded this to upstream krbdev.mit.edu #8506. I don't know if this is pkcs 11 2.10 specific or specific to the backend in question, but it's worth having upstream take a look.