On 17 Oct 2010 at 20:31, Николай Домуховский wrote:

> 2010/10/7 Love Hörnquist Åstrand <l...@kth.se>:
>>
>> On 6 Oct 2010 at 02:49, Michael Wood wrote:
>>
>> hx509_cms_create_signed function and
>>
>> make sigctx.cmsidflag always equal CMS_ID_NAME)
>>
>> I think this failed because you are looking at enveloped data and not signed
>> data. Try patching fill_CMSIdentifier() in hx509_cms_envelope_1() instead.
>> Love
>>
>>
> Thanks, Love.
> I've tried patching hx509_cms_envelope_1() but it didn't help.
> But now, I think, I've found the real issue:
> The XP box includes in KRB5_AS_REQ only one supported digest algorithm:
> md5withRSAEncryption (1.2.840.113549.1.1.4) (and this is the only
> supported algorithm for XP, 2000 and 2003 - this is written in section
> 2.2 of MS-PKCA).
> But the response from Samba (I found a way to decrypt it!!!) contains
> a digital signature made with sha512WithRSAEncryption (in fact it is
> rather hard to understand openssl asn1parse output, but the fact is that
> there is no md5withRSAEncryption signature). So it looks like some bug
> in Heimdal code - I will investigate it further and try to locate
> the exact place where the wrong signature is formed, but maybe you already
> know the answer...
>
>
> P.S. If you need, I can send traffic capture files and decrypted KDC
> answers (both from Windows DC and from Samba).

You can probably change the code in kdc/pkinit.c around 870 that sets up the supported cms types it will use. If you use hx509_signature_rsa_with_md5() and hx509_signature_md5() instead of SHA1, it might work for you.

Love
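
The mismatch discussed in this thread can be checked without reading asn1parse output by hand. The following is an added example, not part of the thread and not Heimdal code: a minimal DER walker that lists the OIDs in a decrypted reply and flags signature algorithms the client did not offer. It assumes single-byte tags, does not descend into OCTET STRINGs, and uses a constructed sample rather than a real capture; all function names are illustrative.

```python
"""List OIDs in a DER blob; flag signature algorithms the client did not offer."""

SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# Per the thread: the XP client lists only md5WithRSAEncryption in its AS-REQ.
CLIENT_SUPPORTED = {"1.2.840.113549.1.1.4"}

# Constructed sample (not a capture):
# SEQUENCE { AlgId(sha512, NULL), AlgId(sha512WithRSAEncryption, NULL) }
SAMPLE = bytes.fromhex("301e" "300d0609608648016503040203" "0500"
                       "300d06092a864886f70d01010d" "0500")

def tlvs(buf):
    """Yield (tag, value) for each DER element at one nesting level."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n == 0x80:
            raise ValueError("indefinite length is not valid DER")
        if n & 0x80:                      # long form: next k bytes hold the length
            k = n & 0x7F
            if i + k > len(buf):
                raise ValueError("truncated length")
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        if i + n > len(buf):
            raise ValueError("truncated value")
        yield tag, buf[i:i + n]
        i += n

def decode_oid(body):
    """Decode base-128 OID arcs into dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs[1:]))

def oids(buf):
    """Recursively collect OBJECT IDENTIFIERs (tag 0x06) from constructed types."""
    for tag, body in tlvs(buf):
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:                  # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from oids(body)

def unsupported_signature_algs(der, supported=CLIENT_SUPPORTED):
    """Names of known signature algorithms in der that the client did not list."""
    return [SIG_ALGS[o] for o in oids(der) if o in SIG_ALGS and o not in supported]
```

A non-empty result from `unsupported_signature_algs()` on the decrypted KDC answer corresponds to the situation described above, where the reply is signed with an algorithm the client never advertised.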