Thanks Jiajia for the update. It looks pretty good, as we can now obtain a TGT 
using anonymous PKINIT!!
I will look into the issue and resolve the workaround.

Regards,
Kai

-----Original Message-----
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Tuesday, December 22, 2015 5:17 PM
To: kerby@directory.apache.org
Subject: RE: Fix up for encoding/decoding issues for newly added types and 
CMS/X509/PKINIT tests

Hi Kai,

If apply with the following patch:

diff --git 
a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
 b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerber
index e9cca99..07f2e44 100644
--- 
a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/ker
+++ b/preauth/pkinit/PkinitCrypto.java
@@ -246,7 +246,7 @@ public class PkinitCrypto {
             signedData.setSignerInfos(signerInfos);
         }
         contentInfo.setSignedData(signedData);
-        return KrbCodec.encode(contentInfo);
+        return KrbCodec.encode(eContentInfo);
     }
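Review bot: `eContentInfo` is not declared anywhere in the visible hunk, and after this change the `contentInfo` that the preceding lines populate with `contentInfo.setSignedData(signedData)` is never encoded or returned, so the method silently drops the SignedData wrapper (including the `signerInfos` it just set) and returns the inner encapsulated content instead. That is consistent with the remark below that the patch does not work for RSA PKINIT; keep `return KrbCodec.encode(contentInfo);` and fix the encoding of ContentInfo itself rather than changing what the method returns.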

And run "mvn clean package -Pdist -DskipTests".
Then, in the kerby-dist/tool-dist/ folder, run "sh bin/kinit.sh -conf conf -n".

We can successfully get an anonymous PKINIT ticket from the MIT KDC:

klist -c /tmp/krb5_WELLKNOWN_ANONYMOUS.cc
Ticket cache: FILE:/tmp/krb5_WELLKNOWN_ANONYMOUS.cc
Default principal: WELLKNOWN/anonym...@example.com
Valid starting       Expires              Service principal
12/22/2015 15:58:44  12/22/2015 23:58:44  krbtgt/example....@example.com

But this patch will not work with RSA PKINIT, so we need to solve the failure of 
decoding ContentInfo in the MIT KDC.

Thanks
Jiajia

-----Original Message-----
From: Li, Jiajia [mailto:jiajia...@intel.com]
Sent: Tuesday, December 22, 2015 3:58 PM
To: kerby@directory.apache.org
Subject: RE: Fix up for encoding/decoding issues for newly added types and 
CMS/X509/PKINIT tests

Sure, the SignedContentInfo dump:

<SignedContentInfo> sequence [tag=0x30, len=4+561]
    content-type = object identifier [tag=0x06, len=2+9] 1.2.840.113549.1.7.2
    content =
        <Any>
        <SignedData> sequence [tag=0x30, len=4+538]
            cms-version = integer [tag=0x02, len=2+1] 3
            digest-algorithms =
                set [tag=0x31, len=2+0]

            encap-content-info =
                <EncapsulatedContentInfo> sequence [tag=0x30, len=4+523]
                    content-type = object identifier [tag=0x06, len=2+7] 
1.3.6.1.5.2.3.1
                    content = octet string [tag=0x04, len=4+506] <506 octets>
            certificates =
                set [tag=0x31, len=2+0]

            crls =
                set [tag=0x31, len=2+0]

            signer-infos =
                set [tag=0x31, len=2+0]



-----Original Message-----
From: Zheng, Kai [mailto:kai.zh...@intel.com]
Sent: Tuesday, December 22, 2015 3:55 PM
To: kerby@directory.apache.org
Subject: RE: Fix up for encoding/decoding issues for newly added types and 
CMS/X509/PKINIT tests

Hi Jiajia,

Could we dump it out using type info? It could be more useful. Thanks.

Regards,
Kai

-----Original Message-----
From: Li, Jiajia [mailto:jiajia...@intel.com]
Sent: Tuesday, December 22, 2015 3:18 PM
To: kerby@directory.apache.org
Subject: RE: Fix up for encoding/decoding issues for newly added types and 
CMS/X509/PKINIT tests

Hi Kai,
It's a good idea and I will check the diff of the kdc req between MIT and Kerby.
The dumped result of ContentInfo:

Dumping data:
sequence [tag=0x30, off=0, len=4+549]
    object identifier [tag=0x06, off=4, len=2+9]
    context [0] [tag=0xA0, off=15, len=4+534]
        sequence [tag=0x30, off=19, len=4+530]
            integer [tag=0x02, off=23, len=2+1]
            sequence [tag=0x30, off=26, len=4+523]
                object identifier [tag=0x06, off=30, len=2+7]
                context [0] [tag=0xA0, off=39, len=4+510]
                    octet string [tag=0x04, off=43, len=4+506]
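The structured dump above can be checked mechanically. What follows is an added example, not Kerby code: a small DER walker that validates the CMS ContentInfo framing RFC 5652 prescribes (SEQUENCE { id-signedData, [0] EXPLICIT SignedData { version, digestAlgorithms SET, encapContentInfo, ... } }) and reports the offset and tag of the first mismatch, which is the detail OpenSSL's "wrong tag" message leaves out. Note that in the dump above the element at offset 26, directly after the version integer, is a sequence, whereas RFC 5652 places the digestAlgorithms SET there (an empty set is still encoded); the sample messages are constructed here, not taken from the thread, and the `der()` helper exists only to build them.

```python
# Added example, not Kerby code: a minimal DER walker for checking the outer
# CMS SignedData framing that an RFC 5652 decoder such as MIT's cms_signeddata_verify expects.
OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2 content octets, as in the dump
OID_PKINIT_AUTHDATA = bytes.fromhex("2B060105020301")  # 1.3.6.1.5.2.3.1 content octets

def der(tag, body):
    """Encode one DER TLV (single-byte tag, definite length); used only to build samples."""
    n = len(body)
    hdr = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + body

def read_tlv(buf, off):
    """Return (tag, header_len, body_len) of the TLV starting at off."""
    first = buf[off + 1]
    if first < 0x80:
        return buf[off], 2, first
    n = first & 0x7F  # long form: the next n bytes carry the length
    return buf[off], 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def check_content_info(buf):
    """Walk ContentInfo -> [0] -> SignedData -> version/digestAlgorithms/encapContentInfo; None if well formed."""
    def expect(off, tag, what):
        got, hdr, n = read_tlv(buf, off)
        if got != tag:
            raise ValueError(f"off {off}: expected {what} (tag 0x{tag:02X}), got 0x{got:02X}")
        return off + hdr, n  # body offset and body length
    try:
        body, _ = expect(0, 0x30, "ContentInfo SEQUENCE")
        oid_off, n = expect(body, 0x06, "contentType OID")
        if buf[oid_off:oid_off + n] != OID_SIGNED_DATA:
            raise ValueError(f"off {body}: contentType is not id-signedData")
        explicit, _ = expect(oid_off + n, 0xA0, "[0] EXPLICIT content")
        sd, _ = expect(explicit, 0x30, "SignedData SEQUENCE")
        ver, n = expect(sd, 0x02, "version INTEGER")
        algs, n = expect(ver + n, 0x31, "digestAlgorithms SET")
        expect(algs + n, 0x30, "encapContentInfo SEQUENCE")
    except ValueError as e:
        return str(e)
    return None

def sample(with_digest_algs):
    """Constructed SignedData ContentInfo carrying a fake pkinit-authData payload.
    with_digest_algs=False omits the mandatory (empty) SET, as the dump above does."""
    encap = der(0x30, der(0x06, OID_PKINIT_AUTHDATA) + der(0xA0, der(0x04, b"constructed AuthPack bytes")))
    algs = der(0x31, b"") if with_digest_algs else b""
    signed = der(0x30, der(0x02, b"\x03") + algs + encap + der(0x31, b""))  # version 3, ..., empty signerInfos
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))
```

Feeding it the shape the patch above returns (an EncapsulatedContentInfo with the pkinit-authData OID on the outside) fails at the contentType check, while the sample without the digestAlgorithms SET fails at the offset right after the version integer.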



-----Original Message-----
From: Zheng, Kai [mailto:kai.zh...@intel.com]
Sent: Tuesday, December 22, 2015 3:02 PM
To: kerby@directory.apache.org
Subject: RE: Fix up for encoding/decoding issues for newly added types and 
CMS/X509/PKINIT tests

Or, can our message be dumped and decoded by our own programs? Please look at 
the dumped result and its content to check whether it is what we expect first. Maybe 
you could paste the dumped content here and let me check. As it complained 
about the CMS signed data, we just need to dump that part. Thanks.

Regards,
Kai

-----Original Message-----
From: Zheng, Kai [mailto:kai.zh...@intel.com]
Sent: Tuesday, December 22, 2015 2:56 PM
To: kerby@directory.apache.org
Subject: RE: Fix up for encoding/decoding issues for newly added types and 
CMS/X509/PKINIT tests

Thanks Jiajia for the update. It's quite unfortunate. I really wish MIT 
Kerberos could use our ASN1 things so it could give a specific error in such a case; as 
the Kerberos/PKINIT/CMS signed data is so huge and complex, how do we locate it? 
Maybe it can print verbose logs? Thanks.

Regards,
Kai

-----Original Message-----
From: Li, Jiajia [mailto:jiajia...@intel.com]
Sent: Tuesday, December 22, 2015 2:44 PM
To: kerby@directory.apache.org
Subject: RE: Fix up for encoding/decoding issues for newly added types and 
CMS/X509/PKINIT tests

Hi Kai,
I think there are still some encoding/decoding issues, because it can't 
pass the MIT Kerberos decoding process with the latest code.
The error:
"cms_signeddata_verify: failed to decode message: error:0D0680A8:asn1 encoding 
routines:ASN1_CHECK_TLEN:wrong tag"

Thanks
Jiajia

-----Original Message-----
From: Zheng, Kai [mailto:kai.zh...@intel.com]
Sent: Monday, December 21, 2015 10:05 AM
To: kerby@directory.apache.org
Subject: Fix up for encoding/decoding issues for newly added types and 
CMS/X509/PKINIT tests

Hi Jiajia & all,

Please check out the following commits and note that we have cleared the 
existing to-be-fixed or TODO encoding/decoding issues for the recently added 
CMS/X509/PKINIT types and tests.
Please let me know if our encoding results won't pass the MIT Kerberos decoding 
process when testing PKINIT messages with the MIT KDC. Thanks.

commit 6dca5950e7f8ded5e39a963b10f52779bc5b6756
Author: Kai Zheng <kai.zh...@intel.com>
Date:   Mon Dec 21 09:57:48 2015 +0800

    Fix existing encoding issues in CMS/X509/PKINIT tests, and Asn1Encodable 
encode may also throw IOException


commit 461b724408c45df378615b9201e78a082b8de959
Author: Kai Zheng <kai.zh...@intel.com>
Date:   Sun Dec 20 17:25:15 2015 +0800

    Blindly decoding Any when type info isn't available to assist encoding 
thereafter


commit 97cd36aa5648b5ebf88abae760271eb6eb8f0645
Author: Kai Zheng <kai.zh...@intel.com>
Date:   Sat Dec 19 20:37:04 2015 +0800

    Fixed decoding issues for newly added CMS types for enveloped ContentInfo

Regards,
Kai
