Package: heimdal-clients
Version: 1.5.dfsg.1-3
Severity: normal

Hi,

while pkinit works fine with a 1.2 client and a 1.2 kdc, using the current wheezy (1.5) client with the exact same set of certificates against a 1.2 kdc gives:

$ kinit -C FILE:user.pem,user.key u...@example.com
2011-12-06T23:32:31 using cert: subject: UID=user,DC=example,DC=com sn: 61A80F99A986854154595138D20BC368F27686F5
2011-12-06T23:32:31 krb5_get_init_creds: loop 1
2011-12-06T23:32:31 KDC send 0 patypes
2011-12-06T23:32:31 krb5_get_init_creds: prepareing PKINIT padata (ietf)
2011-12-06T23:32:31 Trying to find service kdc for realm EXAMPLE.COM flags 2
2011-12-06T23:32:31 configuration file for realm EXAMPLE.COM found
2011-12-06T23:32:31 trying to communicate with host kdc.example.com in realm EXAMPLE.COM
2011-12-06T23:32:35 result of trying to talk to realm EXAMPLE.COM = 0
2011-12-06T23:32:35 krb5_get_init_creds: loop 2
2011-12-06T23:32:35 krb5_get_init_creds: processing input
2011-12-06T23:32:35 krb5_get_init_creds: got an error
2011-12-06T23:32:35 krb5_get_init_creds: KRB-ERROR -1765328359
2011-12-06T23:32:35 KDC send 4 patypes
2011-12-06T23:32:35 KDC send PA-DATA type: 2
2011-12-06T23:32:35 KDC send PA-DATA type: 16
2011-12-06T23:32:35 KDC send PA-DATA type: 15
2011-12-06T23:32:35 KDC send PA-DATA type: 19
2011-12-06T23:32:35 krb5_get_init_creds: prepareing PKINIT padata (ietf)
2011-12-06T23:32:35 Trying to find service kdc for realm EXAMPLE.COM flags 2
2011-12-06T23:32:35 configuration file for realm EXAMPLE.COM found
2011-12-06T23:32:35 trying to communicate with host kdc.example.com in realm EXAMPLE.COM
2011-12-06T23:32:35 result of trying to talk to realm EXAMPLE.COM = 0
2011-12-06T23:32:35 krb5_get_init_creds: loop 3
2011-12-06T23:32:35 krb5_get_init_creds: processing input
2011-12-06T23:32:35 krb5_get_init_creds: got an error
2011-12-06T23:32:35 krb5_get_init_creds: KRB-ERROR -1765328359
2011-12-06T23:32:35 KDC send 4 patypes
2011-12-06T23:32:35 KDC send PA-DATA type: 2
2011-12-06T23:32:35 KDC send PA-DATA type: 16
2011-12-06T23:32:35 KDC send PA-DATA type: 15
2011-12-06T23:32:35 KDC send PA-DATA type: 19
2011-12-06T23:32:35 krb5_get_init_creds: prepareing PKINIT padata (win2k)
kinit: krb5_get_init_creds: Already tried pkinit, looping

The server then has:

2011-12-06T22:57:28 AS-REQ u...@example.com from <IP> for krbtgt/example....@example.com
2011-12-06T22:57:28 Client sent patypes: PK-INIT(ietf), 132
2011-12-06T22:57:28 Looking for PKINIT pa-data -- u...@example.com
2011-12-06T22:57:28 PKINIT: failed to verify signature: Failed to verify messageDigest: 569861
2011-12-06T22:57:28 PKINIT: Did not find a plugin for windc
2011-12-06T22:57:28 Failed to decode PKINIT PA-DATA -- u...@example.com
2011-12-06T22:57:28 Looking for ENC-TS pa-data -- u...@example.com
2011-12-06T22:57:28 No preauth found, returning PREAUTH-REQUIRED -- u...@example.com
2011-12-06T22:57:28 sending 407 bytes to <IP>
2011-12-06T22:57:28 AS-REQ user@EXAMPLE>COM from <IP> for krbtgt/example....@example.com
2011-12-06T22:57:28 Client sent patypes: PK-INIT(win2k), 132
2011-12-06T22:57:28 Looking for PKINIT pa-data -- user@
2011-12-06T22:57:28 PKINIT: failed to verify signature: Failed to verify sigature in CMS SignedData: 569861
2011-12-06T22:57:28 PKINIT: Did not find a plugin for windc
2011-12-06T22:57:28 Failed to decode PKINIT PA-DATA -- u...@example.com
2011-12-06T22:57:28 Looking for ENC-TS pa-data -- u...@example.com
2011-12-06T22:57:28 No preauth found, returning PREAUTH-REQUIRED -- u...@example.com
2011-12-06T22:57:28 sending 407 bytes to <IP>

569861 is HX509_SIG_ALG_NO_SUPPORTED.

Non-pkinit auth works as expected.

Cheers,
 -- Guido

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.1.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages heimdal-clients depends on:
ii  krb5-config            2.2
ii  libasn1-8-heimdal      1.5.dfsg.1-3
ii  libc6                  2.13-21
ii  libdb5.1               5.1.25-11
ii  libedit2               2.11-20080614-3
ii  libgssapi3-heimdal     1.5.dfsg.1-3
ii  libhcrypto4-heimdal    1.5.dfsg.1-3
ii  libhdb9-heimdal        1.5.dfsg.1-3
ii  libheimntlm0-heimdal   1.5.dfsg.1-3
ii  libhx509-5-heimdal     1.5.dfsg.1-3
ii  libkadm5clnt7-heimdal  1.5.dfsg.1-3
ii  libkadm5srv8-heimdal   1.5.dfsg.1-3
ii  libkafs0-heimdal       1.5.dfsg.1-3
ii  libkrb5-26-heimdal     1.5.dfsg.1-3
ii  libncurses5            5.9-4
ii  libotp0-heimdal        1.5.dfsg.1-3
ii  libroken18-heimdal     1.5.dfsg.1-3
ii  libsl0-heimdal         1.5.dfsg.1-3
ii  libtinfo5              5.9-4
ii  libwind0-heimdal       1.5.dfsg.1-3

heimdal-clients recommends no packages.

Versions of packages heimdal-clients suggests:
pn  heimdal-docs  <none>
pn  heimdal-kcm   <none>

-- no debconf information
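
Added example (not part of the original report and not Heimdal code): a small Python triage helper that decodes the numeric values in the client trace and KDC log above and pairs each PKINIT variant with the hx509 error that rejected it. The krb5 com_err base and the error and padata names are taken from RFC 4120 and the krb5 error table, the hx509 name is the one stated in the report, and the function names and abridged sample lines are constructed for illustration.

```python
import re

KRB5_ERR_BASE = -1765328384          # com_err base of the krb5 error table
KRB_ERRORS = {25: "KDC_ERR_PREAUTH_REQUIRED"}            # RFC 4120 error code
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 15: "PA-PK-AS-REP_OLD",
            16: "PA-PK-AS-REQ", 19: "PA-ETYPE-INFO2"}     # RFC 4120 padata types
HX509_ERRORS = {569861: "HX509_SIG_ALG_NO_SUPPORTED"}     # mapping given in the report

# Constructed sample input: lines abridged from the client trace and KDC log above.
CLIENT_TRACE = """\
2011-12-06T23:32:35 krb5_get_init_creds: KRB-ERROR -1765328359
2011-12-06T23:32:35 KDC send PA-DATA type: 2
2011-12-06T23:32:35 KDC send PA-DATA type: 16
2011-12-06T23:32:35 krb5_get_init_creds: prepareing PKINIT padata (ietf)
2011-12-06T23:32:35 krb5_get_init_creds: KRB-ERROR -1765328359
2011-12-06T23:32:35 krb5_get_init_creds: prepareing PKINIT padata (win2k)
kinit: krb5_get_init_creds: Already tried pkinit, looping
"""
KDC_LOG = """\
2011-12-06T22:57:28 Client sent patypes: PK-INIT(ietf), 132
2011-12-06T22:57:28 PKINIT: failed to verify signature: Failed to verify messageDigest: 569861
2011-12-06T22:57:28 No preauth found, returning PREAUTH-REQUIRED -- u...@example.com
2011-12-06T22:57:28 Client sent patypes: PK-INIT(win2k), 132
2011-12-06T22:57:28 PKINIT: failed to verify signature: Failed to verify sigature in CMS SignedData: 569861
2011-12-06T22:57:28 No preauth found, returning PREAUTH-REQUIRED -- u...@example.com
"""

def decode_client(trace):
    """Translate numeric KRB-ERROR and PA-DATA values in a kinit trace into names."""
    errors = [KRB_ERRORS.get(int(n) - KRB5_ERR_BASE, f"code {int(n) - KRB5_ERR_BASE}")
              for n in re.findall(r"KRB-ERROR (-?\d+)", trace)]
    offered = sorted({int(t) for t in re.findall(r"PA-DATA type: (\d+)", trace)})
    return {"errors": errors,
            "kdc_offered": [PA_TYPES.get(t, str(t)) for t in offered],
            "pkinit_variants": re.findall(r"PKINIT padata \((\w+)\)", trace),
            "gave_up": "Already tried pkinit, looping" in trace}

def pkinit_failures(kdc_log):
    """Pair each PKINIT variant the KDC saw with the hx509 error that rejected it."""
    out, variant = [], None
    for line in kdc_log.splitlines():
        if m := re.search(r"Client sent patypes: PK-INIT\((\w+)\)", line):
            variant = m.group(1)
        elif m := re.search(r"PKINIT: failed to verify signature: (.+): (\d+)$", line):
            code = int(m.group(2))
            out.append((variant, m.group(1), HX509_ERRORS.get(code, str(code))))
    return out
```

Decoded this way, both PKINIT variants are rejected by the KDC with the same signature-algorithm error, and the client only ever sees KDC_ERR_PREAUTH_REQUIRED before giving up.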