Hello, I am using kinit (krb5-1.15) from an Ubuntu 14.04 64-bit machine, using a smartcard in a PINPAD reader.
The KDC is an Active Directory Windows 2012 R2. If I enter the PIN code correctly the first time, it works like a charm. However, if I try again (after a kdestroy) by entering a wrong PIN the first time it is asked, and then use the correct PIN the second time, it fails with the following error: ASN1_CHECK_TLEN:wrong tag

Indeed, the first preauth type which is used is 16 (PA-PK-AS-REQ). The second preauth type is then 14 (PA-PK-AS-REQ_OLD) and that doesn't work. Below is the debug output. The first time I entered a wrong PIN (C_Sign: function failed), but the second time the PIN is correct but it fails (PKCS7 Verification Failure).

Thanks

[...]
pkinit_as_req_create pa_type = 16
[10632] 1485952709.555986: PKINIT client making DH request
as_req: DH key transport algorithm
Warning: dh_check failed with 8
the g value is not a generator
building certificate chain
size of certificate chain = 4
cert #0: /C=FR/O=MYO/OU=0002 110014016/CN=JACQUES
cert #1: /C=FR/O=MYO/OU=0002 110014016/CN=AC
cert #2: /C=FR/O=MYO/OU=0002 110014016/CN=AC RACINE MYO
mech = CKM_RSA_PKCS
found 1 private keys (ok)
C_Sign: function failed
failed to create pkcs7 signed data
pkinit_as_req_create retval=-1765328360
error -1765328360 on pkinit_as_req_create; aborting PKINIT
pkinit_client_process: returning -1765328360 (Preauthentication failed)
[10632] 1485952721.907102: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
pkinit_client_process 0x1b010f0 0x1b015e0 0x1b245e0 0x1b01e30
processing KRB5_PADATA_PK_AS_REQ_OLD
pkinit_client_profile 0x1b010f0 0x1b015e0 0x1b245e0 0x1b248d8
kdc_options = 0x50000010
till = 1486039105
[10632] 1485952721.907243: PKINIT client computed kdc-req-body checksum 9/168FCD9B84D3A5345ED38FCA7FADB9A24F4D79B7
pkinit_as_req_create pa_type = 14
[10632] 1485952721.907264: PKINIT client making RSA request
as_req: RSA key transport algorithm
building certificate chain
size of certificate chain = 4
cert #0: /C=FR/O=MYO/OU=0002 110014016/CN=JACQUES
cert #1: /C=FR/O=MYO/OU=0002 110014016/CN=AC
cert #2: /C=FR/O=MYO/OU=0002 110014016/CN=AC RACINE MYO
mech = CKM_RSA_PKCS
found 1 private keys (ok)
sign 35 -> 256
pkinit_as_req_create retval=0
pkinit_client_process: returning 0 (Unknown code 0)
[10632] 1485952735.153607: Preauth module pkinit (14) (real) returned: 0/Success
[10632] 1485952735.153627: Produced preauth for next request: 15, 132
[10632] 1485952735.153755: Sending request (5779 bytes) to AC.INT
[10632] 1485952735.153807: Resolving hostname 10.10.10.10
[10632] 1485952735.153969: Initiating TCP connection to stream 10.10.10.10:88
[10632] 1485952735.154331: Sending TCP request to stream 10.10.10.10:88
[10632] 1485952735.223112: Received answer (8990 bytes) from stream 10.10.10.10:88
[10632] 1485952735.223142: Terminating TCP connection to stream 10.10.10.10:88
[10632] 1485952735.223218: Response was from master KDC
[10632] 1485952735.223288: Processing preauth types: 15
pkinit_client_prep_questions: no questions to ask
pkinit_client_prep_questions returning 0
pkinit_client_process 0x1b010f0 0x1b015e0 0x1b245e0 0x1b01e30
processing KRB5_PADATA_PK_AS_REP_OLD
as_rep: RSA key transport algorithm
found 1 private keys (ok)
data_len = 256
session 0xaf9f9fff
edata 0x1b59b80 edata_len 256 data 0x1b4ee70 datalen @0x7ffff4b10968 256
pData 0x1b4ee70 *pulDataLen 5
decrypt 256 -> 5
PKCS7 decryption successful
[10632] 1485952735.754914: PKINIT OpenSSL error: Failed to decode CMS message
[10632] 1485952735.754944: PKINIT OpenSSL error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[10632] 1485952735.754966: PKINIT OpenSSL error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
PKCS7 Verification Failure
failed to verify pkcs7 enveloped data
[10632] 1485952735.755014: PKINIT client could not verify RSA reply
pkinit_as_rep_parse returning -1765328360 (Preauthentication failed)
pkinit_as_rep_parse returned -1765328360 (Preauthentication failed)
pkinit_client_process: returning -1765328360 (Preauthentication failed)
[10632] 1485952735.755070: Preauth module pkinit (15) (real) returned: -1765328360/Failed to decode CMS message: wrong tag
pkinit_client_req_fini: received reqctx at 0x1b245e0
pkinit_fini_req_crypto: freeing ctx at 0x1b24660
pkinit_fini_identity_crypto: freeing ctx at 0x1b24680
kinit: Preauthentication failed while getting initial credentials
pkinit_client_plugin_fini: got plgctx at 0x1b015e0
pkinit_fini_plg_crypto: freeing context at 0x1b23370
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
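The trace above, read by a small Python script: this is an added example, not part of the original post, and TRACE is a constructed excerpt of the quoted kinit output. It pulls out the "Preauth module pkinit (N) (real) returned" lines and reports the sequence the poster describes: the smartcard signing failure under PA-PK-AS-REQ (16), the fallback to PA-PK-AS-REQ_OLD (14), and the reply (15) that could not be decoded.

```python
import re

# Constructed excerpt of the kinit trace quoted in the post (not the full output).
TRACE = """\
[10632] 1485952709.555986: PKINIT client making DH request
C_Sign: function failed
failed to create pkcs7 signed data
[10632] 1485952721.907102: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
processing KRB5_PADATA_PK_AS_REQ_OLD
[10632] 1485952735.153607: Preauth module pkinit (14) (real) returned: 0/Success
[10632] 1485952735.153627: Produced preauth for next request: 15, 132
processing KRB5_PADATA_PK_AS_REP_OLD
[10632] 1485952735.754944: PKINIT OpenSSL error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[10632] 1485952735.755070: Preauth module pkinit (15) (real) returned: -1765328360/Failed to decode CMS message: wrong tag
kinit: Preauthentication failed while getting initial credentials
"""

PA_PK_AS_REQ, PA_PK_AS_REQ_OLD, PA_PK_AS_REP_OLD = 16, 14, 15
# krb5 trace line: "Preauth module pkinit (<type>) (real) returned: <code>/<message>"
_RESULT_RE = re.compile(r"Preauth module pkinit \((\d+)\) \(real\) returned: (-?\d+)/(.+)$")


def preauth_results(trace):
    """Return [(pa_type, retcode, message)] in the order the pkinit module ran."""
    out = []
    for line in trace.splitlines():
        m = _RESULT_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3).strip()))
    return out


def diagnose(trace):
    """Summarise the PKINIT path: did signing fail, did the client fall back from
    PA-PK-AS-REQ (16) to PA-PK-AS-REQ_OLD (14), and did the old-style reply decode."""
    results = preauth_results(trace)
    order = [t for t, _, _ in results]
    failed_types = [t for t, rc, _ in results if rc != 0]
    fell_back = (PA_PK_AS_REQ in failed_types
                 and PA_PK_AS_REQ_OLD in order
                 and order.index(PA_PK_AS_REQ) < order.index(PA_PK_AS_REQ_OLD))
    return {
        "sign_failed": "C_Sign: function failed" in trace,  # PKCS#11 signing failed (e.g. PIN rejected)
        "fell_back_to_old": fell_back,                       # type 16 failed, client retried with 14
        "old_reply_decode_failed": (PA_PK_AS_REP_OLD in failed_types
                                    and "ASN1_CHECK_TLEN:wrong tag" in trace),
        "final_failure": results[-1][2] if results else None,
    }
```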