2010/10/7 Love Hörnquist Åstrand <[email protected]>:
>
> On 6 Oct 2010, at 02:49, Michael Wood wrote:
>
> hx509_cms_create_signed function and
> make sigctx.cmsidflag always equal CMS_ID_NAME)
>
> I think this failed because you are looking at enveloped data and not signed
> data. try patching fill_CMSIdentifier() in hx509_cms_envelope_1() instead.
>
> Love
>

Thanks, Love. I've tried patching hx509_cms_envelope_1() but it didn't help.

But now I think I've found the real issue: the XP box includes in KRB5_AS_REQ only one supported digest algorithm: md5withRSAEncryption (1.2.840.113549.1.1.4) (and this is the only supported algorithm for XP, 2000 and 2003; this is written in section 2.2 of MS-PKCA). But the response from Samba (I found a way to decrypt it!!!) contains a digital signature made with sha512WithRSAEncryption (in fact it is rather hard to understand the openssl asn1parse output, but the fact is that there is no md5withRSAEncryption signature). So it looks like some bug in Heimdal code. I will investigate it further and try to locate the exact place where the wrong signature is formed, but maybe you already know the answer...

P.S. If you need, I can send traffic capture files and decrypted KDC answers (both from Windows DC and from Samba).

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
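An added illustration of the mismatch described in the message above; this is example code, not from the thread, from Heimdal or from Samba. The PKINIT client lists the signature algorithms it supports in the AS-REQ, and the KDC's CMS SignerInfo must use one of them, otherwise a client such as the XP box here rejects the reply. The helper below decodes a DER-encoded AlgorithmIdentifier (OID plus optional NULL parameters), recovers the dotted OID and reports whether it is in the advertised set. The md5WithRSAEncryption OID is the one quoted in the message; the sha512WithRSAEncryption value 1.2.840.113549.1.1.13 is the standard PKCS#1 OID and is assumed here rather than taken from the message. The sample bytes are constructed with the encoder in the same block.

```python
"""Check a CMS signature algorithm against the algorithms a PKINIT client advertised.

Added example; not Heimdal, Samba or Windows code.
"""

# OID quoted in the thread (only algorithm advertised by XP/2000/2003 per MS-PKCA 2.2).
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
# Standard PKCS#1 OID for sha512WithRSAEncryption; assumed, not quoted in the message.
SHA512_WITH_RSA = "1.2.840.113549.1.1.13"


def _base128(value: int) -> bytes:
    """Encode one OID sub-identifier as big-endian base-128 with continuation bits."""
    chunks = [value & 0x7F]
    value >>= 7
    while value:
        chunks.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(chunks))


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    if len(body) >= 0x80:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + body


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER TLV back to dotted form."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not a DER OBJECT IDENTIFIER")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported OID length")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    # The first two arcs are packed as 40*X + Y; X is 0, 1 or 2.
    x, y = (divmod(first, 40) if first < 80 else (2, first - 80))
    return ".".join(str(a) for a in [x, y] + arcs[1:])


def encode_algorithm_identifier(dotted: str) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }."""
    inner = encode_oid(dotted) + b"\x05\x00"
    return bytes([0x30, len(inner)]) + inner


def parse_algorithm_identifier(der: bytes) -> str:
    """Return the algorithm OID from a DER AlgorithmIdentifier; parameters may be absent or NULL."""
    if len(der) < 4 or der[0] != 0x30 or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER SEQUENCE")
    inner = der[2:]
    if inner[0] != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid_tlv = inner[: 2 + inner[1]]
    params = inner[len(oid_tlv):]
    if params not in (b"", b"\x05\x00"):
        raise ValueError("unexpected algorithm parameters")
    return decode_oid(oid_tlv)


def check_signature_algorithm(advertised, algid_der: bytes):
    """Return (accepted, oid): accepted is True only if the signer's OID was advertised by the client."""
    oid = parse_algorithm_identifier(algid_der)
    return oid in set(advertised), oid


if __name__ == "__main__":
    # Constructed scenario from the thread: XP advertises only md5WithRSAEncryption,
    # the KDC reply is signed with sha512WithRSAEncryption.
    client_supported = [MD5_WITH_RSA]
    kdc_signer_alg = encode_algorithm_identifier(SHA512_WITH_RSA)
    accepted, oid = check_signature_algorithm(client_supported, kdc_signer_alg)
    print(f"signer algorithm {oid}: {'accepted' if accepted else 'REJECTED (not advertised by client)'}")
```

Run it as a script to see the rejection; in a real trace the AlgorithmIdentifier bytes would come from the SignerInfo's signatureAlgorithm field in the decrypted KDC reply rather than from the encoder in the block.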
