enterprise-support team mailing list archive
Message #05743
[Bug 1629370] [NEW] PKINIT fails with PKCS#11 middleware that implements PKCS#1 V2.1
Public bug reported:
Problem: can't do PK-INIT with a smartcard PKCS#11 middleware that
implements PKCS#1 v2.10
$ kinit -E name.surname@something@REALM
-> fails
Diagnostic using PKCS11-SPY from OpenSC:
16: C_Sign
2016-09-16 14:31:53.265
[in] hSession = 0x6bc3a70e
[in] pData[ulDataLen] 0931e898 / 33
00000000 30 1F 30 07 06 05 2B 0E 03 02 1A 04 14 17 07 D3 0.0...+.........
00000010 5A 2B F8 78 C0 FD CD 87 EE 25 08 C2 DD AA 50 3D Z+.x.....%....P=
00000020 DC .
Returned: 32 CKR_DATA_INVALID
The signing algorithm is SHA1. However the Data Formatting is incorrect:
30 1F 30 07 06 05 2B 0E 03 02 1A 04 14 17 07 D3 5A 2B F8 78 C0 FD CD 87
EE 25 08 C2 DD AA 50 3D DC
instead it should be:
30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 17 07 D3 5A 2B F8 78 C0 FD CD 87 EE 25 08 C2 DD AA 50 3D DC
See the PKCS#1 paper (page 43) https://tools.ietf.org/html/rfc3447
Extract:
"
1. For the six hash functions mentioned in Appendix B.1, the DER
encoding T of the DigestInfo value is equal to the following:
MD2: (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 02 05 00 04
10 || H.
MD5: (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04
10 || H.
SHA-1: (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H.
"
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: krb5-pkinit 1.12+dfsg-2ubuntu5.2
Uname: Linux 3.13.0-68-generic x86_64
Architecture: amd64
Date: Fri Sep 30 12:49:09 CEST 2016
ProcEnviron:
PATH=(custom, user)
LANG=fr_FR.UTF-8
SHELL=/bin/bash
SourcePackage: krb5-pkinit
** Affects: krb5 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to krb5 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1629370
Title:
PKINIT fails with PKCS#11 middleware that implements PKCS#1 V2.1
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1629370/+subscriptions
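
The two DigestInfo encodings quoted in the report can be compared field by field. The following is an added example, not code from krb5, OpenSC or the bug reporter; the function names are hypothetical and the DER walk assumes short-form lengths only. It parses both byte strings, shows that they differ only in the AlgorithmIdentifier parameters (absent versus explicit NULL), and re-encodes the rejected one into the form RFC 3447 lists for SHA-1.

```python
# Added example: minimal DER walk over a PKCS#1 DigestInfo (short-form lengths only).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # SHA-1 prefix T quoted from RFC 3447

def read_tlv(buf, pos, expected_tag):
    """Return (value, next_pos) for one short-form DER TLV at buf[pos]."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this sketch")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos + 2:end], end

def parse_digestinfo(data):
    """Split DigestInfo into (oid_bytes, params, digest); params is None when absent."""
    body, end = read_tlv(data, 0, 0x30)
    if end != len(data):
        raise ValueError("trailing bytes after DigestInfo")
    alg, pos = read_tlv(body, 0, 0x30)
    digest, end = read_tlv(body, pos, 0x04)
    if end != len(body):
        raise ValueError("trailing bytes after digest")
    oid, pos = read_tlv(alg, 0, 0x06)
    params = alg[pos:] if pos < len(alg) else None
    return oid, params, digest

def matches_rfc3447_sha1(data):
    """True only for the exact 35-byte encoding: prefix T followed by a 20-byte hash."""
    return len(data) == 35 and data.startswith(SHA1_PREFIX)

def with_null_params(data):
    """Re-encode a DigestInfo so AlgorithmIdentifier carries an explicit NULL."""
    oid, _, digest = parse_digestinfo(data)
    alg = bytes([0x06, len(oid)]) + oid + b"\x05\x00"
    body = bytes([0x30, len(alg)]) + alg + bytes([0x04, len(digest)]) + digest
    return bytes([0x30, len(body)]) + body

# The two byte strings quoted in the report: what C_Sign received, and what was expected.
SENT = bytes.fromhex("301f300706052b0e03021a04141707d35a2bf878c0fdcd87ee2508c2ddaa503ddc")
EXPECTED = bytes.fromhex("3021300906052b0e03021a050004141707d35a2bf878c0fdcd87ee2508c2ddaa503ddc")

if __name__ == "__main__":
    for name, blob in (("sent", SENT), ("expected", EXPECTED)):
        oid, params, digest = parse_digestinfo(blob)
        print(name, oid.hex(), "params:", params.hex() if params else "absent", digest.hex())
    print("re-encoded matches expected:", with_null_params(SENT) == EXPECTED)
```
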