RFC 3447 seems somewhat ambiguous about whether the AlgorithmIdentifier
parameters (which consist of an ASN.1 NULL, DER-encoded as 05 00) must
be present in various situations.  Cross-checking with various CMS RFCs
suggests that they are required when using EMSA-PKCS1-v1_5.
cms_signeddata_create() in pkinit_crypto_openssl.c appears to omit the
parameters when id_cryptoctx->mech is CKM_RSA_PKCS, which leads me to
wonder how this ever worked.  (Maybe this combination of conditions -- a
token that can only do CKM_RSA_PKCS that also verifies the encoding of
the DigestInfo -- is rare, but I lack sufficient information to be
certain.)

https://bugs.launchpad.net/bugs/1629370

Title:
  PKINIT fails with PKCS#11 middleware that implements PKCS#1 V2.1

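The two DigestInfo encodings at issue in the comment above, as an added example that is not part of the original message or of the krb5 source. SHA-256 is an assumed digest choice, and build_digestinfo(), classify_digestinfo() and enum di_params are hypothetical names; the classifier shows how a verifier that checks the encoding can tell the 05 00 form from the form with parameters omitted.

```c
#include <stddef.h>
#include <string.h>

enum di_params { DI_MALFORMED = -1, DI_PARAMS_ABSENT = 0, DI_PARAMS_NULL = 1 };

/* SHA-256 OID 2.16.840.1.101.3.4.2.1, DER-encoded with its tag and length. */
static const unsigned char SHA256_OID[] =
    { 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };

/* Build a DigestInfo for a 32-byte SHA-256 digest into out (>= 51 bytes).
 * Returns the encoded length: 51 with NULL parameters, 49 without. */
size_t build_digestinfo(const unsigned char digest[32], int with_null,
                        unsigned char *out)
{
    size_t alg_len = sizeof(SHA256_OID) + (with_null ? 2 : 0);
    unsigned char *p = out;

    *p++ = 0x30; *p++ = (unsigned char)(2 + alg_len + 2 + 32); /* DigestInfo */
    *p++ = 0x30; *p++ = (unsigned char)alg_len;       /* AlgorithmIdentifier */
    memcpy(p, SHA256_OID, sizeof(SHA256_OID)); p += sizeof(SHA256_OID);
    if (with_null) { *p++ = 0x05; *p++ = 0x00; }      /* NULL parameters */
    *p++ = 0x04; *p++ = 0x20;                         /* OCTET STRING, 32 bytes */
    memcpy(p, digest, 32);
    return (size_t)(p - out) + 32;
}

/* Classify the AlgorithmIdentifier parameters of a DigestInfo that uses
 * short-form DER lengths. Only the AlgorithmIdentifier is inspected. */
enum di_params classify_digestinfo(const unsigned char *der, size_t len)
{
    size_t alg_len, oid_len;

    if (len < 6 || der[0] != 0x30 || der[1] >= 0x80 || (size_t)der[1] + 2 != len)
        return DI_MALFORMED;
    alg_len = der[3];
    oid_len = der[5];
    if (der[2] != 0x30 || alg_len >= 0x80 || alg_len + 4 > len ||
        der[4] != 0x06 || oid_len + 2 > alg_len)
        return DI_MALFORMED;
    if (alg_len == oid_len + 2)
        return DI_PARAMS_ABSENT;        /* nothing follows the OID */
    if (alg_len == oid_len + 4 &&
        der[6 + oid_len] == 0x05 && der[7 + oid_len] == 0x00)
        return DI_PARAMS_NULL;          /* 05 00 follows the OID */
    return DI_MALFORMED;
}
```

The two encodings differ in length (49 versus 51 bytes) and in both SEQUENCE length octets, so a verifier that compares the recovered DigestInfo against one fixed encoding will not accept the other.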