[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-11-02 Thread Jacques
You can use my surname: Florent

And thanks again for your quick help!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1629370

Title:
  PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1629370/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-31 Thread Tom Yu
Thanks for the confirmation!

What name should I use for you in acknowledgments?


** Changed in: krb5 (Ubuntu)
   Status: New => Confirmed

** Tags added: patch-accepted-upstream



[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-27 Thread Jacques
The patch in https://github.com/krb5/krb5/pull/550 works well for me!
Thanks



[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-04 Thread Tom Yu
Also there's a proposed patch in https://github.com/krb5/krb5/pull/550
if you would be interested in testing that out.



[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-03 Thread Tom Yu
That is one possible workaround, but I don't have an easy way to test
this.



[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-03 Thread Jacques
Thanks for this.
So maybe I could try recompiling with the flag PKINIT_USE_MECH_LIST?



[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-03 Thread Tom Yu
Thanks.  It seems that omitting the NULL would produce signatures that
don't interoperate (or would require additional code complexity in the
signature verifier).  With default compilation options,
pkinit_crypto_openssl.c forces PKCS11 tokens to use CKM_RSA_PKCS, so
it's unlikely that this code has worked at all in the recent past.
(Older versions might have checked the crypto token's mechanism list; I
haven't tracked down the history yet.)



[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-02 Thread Jacques
Sorry, I was referring to PKCS#1 v2.2

See https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf

Page 49, B.1

Exception: When formatting the DigestInfoValue in EMSA-PKCS1-v1_5 (see 9.2),
the parameters field associated with id-sha1, id-sha512/224, id-sha224,
id-sha256, id-sha384, id-sha512, and id-sha512/256 shall have a value of type
NULL. This is to maintain compatibility with existing implementations and with
the numeric information values already published for EMSA-PKCS1-v1_5 which are
also reflected in IEEE 1363a-2004 [26].



[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-10-01 Thread Tom Yu
RFC 3447 seems somewhat ambiguous about whether the AlgorithmIdentifier
parameters (which consist of an ASN.1 NULL, DER-encoded as 05 00) must
be present in various situations.  Cross-checking with various CMS RFCs
suggests that they are required when using EMSA-PKCS1-v1_5.
cms_signeddata_create() in pkinit_crypto_openssl.c appears to omit the
parameters when id_cryptoctx->mech is CKM_RSA_PKCS, which leads me to
wonder how this ever worked.  (Maybe this combination of conditions -- a
token that can only do CKM_RSA_PKCS that also verifies the encoding of
the DigestInfo -- is rare, but I lack sufficient information to be
certain.)
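
The encoding difference discussed in this thread, as an added example that is not part of the original messages and is not krb5 code: it DER-encodes a SHA-256 DigestInfo with and without the AlgorithmIdentifier NULL parameters (05 00) and applies a byte-exact check of the kind a token that validates the DigestInfo might perform. The function names and the 0xAB sample digest are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER of the id-sha256 OID (2.16.840.1.101.3.4.2.1), tag and length included. */
static const unsigned char OID_SHA256[] = {
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
};
#define SHA256_LEN 32

/* Hypothetical helper: encode
 * DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }.
 * with_null selects whether AlgorithmIdentifier.parameters (05 00) is emitted.
 * Returns the number of bytes written; out must hold at least 51 bytes. */
size_t encode_digestinfo(const unsigned char *digest, int with_null,
                         unsigned char *out)
{
    size_t alg_len = sizeof(OID_SHA256) + (with_null ? 2 : 0);
    size_t n = 0;

    out[n++] = 0x30;                        /* DigestInfo SEQUENCE */
    out[n++] = (unsigned char)(2 + alg_len + 2 + SHA256_LEN);
    out[n++] = 0x30;                        /* AlgorithmIdentifier SEQUENCE */
    out[n++] = (unsigned char)alg_len;
    memcpy(out + n, OID_SHA256, sizeof(OID_SHA256));
    n += sizeof(OID_SHA256);
    if (with_null) {
        out[n++] = 0x05;                    /* parameters: ASN.1 NULL */
        out[n++] = 0x00;
    }
    out[n++] = 0x04;                        /* digest OCTET STRING */
    out[n++] = SHA256_LEN;
    memcpy(out + n, digest, SHA256_LEN);
    return n + SHA256_LEN;
}

/* Hypothetical strict check: accept only the encoding with NULL parameters. */
int strict_digestinfo_ok(const unsigned char *di, size_t di_len,
                         const unsigned char *digest)
{
    unsigned char expected[64];
    size_t n = encode_digestinfo(digest, 1, expected);
    return di_len == n && memcmp(di, expected, n) == 0;
}

int main(void)
{
    unsigned char digest[SHA256_LEN], di[64];
    memset(digest, 0xAB, sizeof(digest));   /* constructed sample digest */
    for (int with_null = 1; with_null >= 0; with_null--) {
        size_t n = encode_digestinfo(digest, with_null, di);
        printf("NULL=%d len=%zu accepted=%d\n", with_null, n,
               strict_digestinfo_ok(di, n, digest));
    }
    return 0;
}
```

The two encodings differ in the outer and AlgorithmIdentifier length bytes as well as in the two NULL bytes, so a byte-exact comparison fails at the second byte.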



[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-09-30 Thread Sam Hartman
I've forwarded this to upstream krbdev.mit.edu #8506
I don't know if this is pkcs 11 2.10 specific or specific to the backend
in question, but it's worth having upstream take a look.
