Steve Vaughan created DIRKRB-755:
------------------------------------
Summary: ASN.1 structure is missing a required field when using PKINIT
Key: DIRKRB-755
URL: https://issues.apache.org/jira/browse/DIRKRB-755
Project: Directory Kerberos
Issue Type: Bug
Affects Versions: 2.0.1
Reporter: Steve Vaughan
I'm attempting to use Kerby PKINIT support with a KDC that is working with MIT
Kerberos kinit. The client throws an exception:
{noformat}
Exception in thread "main" org.apache.kerby.kerberos.kerb.KrbException: PREAUTH_FAILED with error code: KDC_ERR_PREAUTH_FAILED
{noformat}
and the server logs show:
{noformat}
preauth (pkinit) verify failure: ASN.1 structure is missing a required field
{noformat}
In an attempt to debug the message, I added a call to Asn1.decodeAndDump() to
KrbTcpTransport.sendMessage(), and was surprised to find that the code can't
decode the message it is sending:
{noformat}
Caused by: java.io.IOException: Unexpected item: eoc [tag=0x00, off=0, len=2+0]
at org.apache.kerby.asn1.Asn1Converter.convert(Asn1Converter.java:56)
at org.apache.kerby.asn1.Asn1.decode(Asn1.java:74)
at org.apache.kerby.asn1.Asn1Dumper.decodeAndDump(Asn1Dumper.java:48)
at org.apache.kerby.asn1.Asn1Dumper.decodeAndDump(Asn1Dumper.java:44)
at org.apache.kerby.asn1.Asn1.decodeAndDump(Asn1.java:184)
at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.sendMessage(KrbTcpTransport.java:50)
at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.sendMessage(DefaultKrbHandler.java:57)
at org.apache.kerby.kerberos.kerb.client.KrbHandler.handleRequest(KrbHandler.java:89)
{noformat}
The code is really simple:
{noformat}
KrbPkinitClient client = new KrbPkinitClient(configDir);
client.init();
File certFile = new File("certs/tls.crt");
File keyFile = new File("certs/tls.key");
TgtTicket tgt = client.requestTgt("foo", certFile.getAbsolutePath(), keyFile.getAbsolutePath());
{noformat}
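A possible explanation for the failed dump, as an added example (not code from the report or from Kerby): RFC 4120 section 7.2.2 prefixes every Kerberos message sent over TCP with a 4-octet big-endian length, and two leading zero octets parse as a tag 0x00 item of length zero, like the eoc item in the trace. It assumes the buffer reaching `KrbTcpTransport.sendMessage()` already carries that prefix; `KrbTcpFrameInspector` and its methods are hypothetical names, and the sample bytes are constructed.

```java
import java.nio.ByteBuffer;

// Added example (hypothetical class name); uses only the JDK, no Kerby classes.
public class KrbTcpFrameInspector {
    // RFC 4120 7.2.2: each message on a TCP stream is preceded by its length
    // as 4 octets in network byte order. Returns a view of the body only.
    static ByteBuffer stripTcpLengthPrefix(ByteBuffer framed) {
        ByteBuffer view = framed.duplicate();   // leave the caller's position alone
        if (view.remaining() < 4) {
            throw new IllegalArgumentException("shorter than the length prefix");
        }
        int declared = view.getInt();           // ByteBuffer is big-endian by default
        if (declared < 0 || declared != view.remaining()) {
            throw new IllegalArgumentException("prefix says " + declared
                    + " bytes, buffer holds " + view.remaining());
        }
        return view.slice();
    }

    // Describes the first TLV header at the buffer's current position.
    // Single-octet tags only, which covers the Kerberos message types.
    static String describeOuterTlv(ByteBuffer der) {
        ByteBuffer view = der.duplicate();
        int tag = view.get() & 0xff;
        int first = view.get() & 0xff;
        int header = 2;
        long length = first;
        if (first >= 0x80) {                    // long form: low 7 bits = octet count
            int n = first & 0x7f;
            if (n == 0 || n > 4) {
                throw new IllegalArgumentException("not a DER length: 0x"
                        + Integer.toHexString(first));
            }
            length = 0;
            for (int i = 0; i < n; i++) {
                length = (length << 8) | (view.get() & 0xff);
            }
            header += n;
        }
        return String.format("tag=0x%02x len=%d+%d", tag, header, length);
    }

    public static void main(String[] args) {
        // Constructed sample, not a captured AS-REQ: 4-byte prefix, then an
        // [APPLICATION 10] wrapper (0x6a) around an empty SEQUENCE.
        ByteBuffer framed = ByteBuffer.wrap(new byte[] {0, 0, 0, 4, 0x6a, 0x02, 0x30, 0x00});
        System.out.println("framed buffer: " + describeOuterTlv(framed));
        System.out.println("body only:     " + describeOuterTlv(stripTcpLengthPrefix(framed)));
    }
}
```

If the body view reports a sensible outer tag where the framed buffer does not, dump the body view rather than the framed buffer when debugging the outgoing request.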