
Re: ASN.1 stuff (Re: [xad] Re: FW: SSPI client)

I think I was wrong. It's BIT STRING that is encoded incorrectly by MIT 
krb5, and by all subsequent implementors. But it might be encoded 
correctly by existing SPNEGO implementations.

and Tom Yu's posts to the various Kerberos lists for more info.


Jacques A. Vidrine wrote:

>On Thu, Nov 08, 2001 at 09:18:07AM -0500, Nicolas Williams wrote:
>>Heimdal's ASN.1 compiler caters to krb5 ASN.1, which is 
>>not true ASN.1 because MIT krb5 violates the ASN.1/DER specs in some 
>>places, like with INTEGER, where, IIRC, MIT krb5 (and therefore all 
>>other Kerberos V implementors) always writes four bytes for INTEGERs on 
>>the wire, even though the minimum needed might be one byte. 
>I'm off on a tangent, but... at least in Kerberos 5 messages,
>the Heimdal code encodes integers correctly. It must, or digital
>signatures, message digests, and so forth would not work. This is the
>reason DER is specified. For example, `pvno' is always encoded as
>follows: 02 01 05, while encryption type des-cbc-md5 must be encoded
>as 02 01 03. There are no other acceptable ways to encode it.
>Maybe I'm not understanding you correctly ... do you mind providing a
>trace of what you mean?
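
The minimal-length INTEGER rule discussed in the quoted exchange, as an added example that is not part of either poster's message and not code from MIT krb5 or Heimdal. The function names are hypothetical, and the four-octet padded value is a constructed sample of the encoding the quote describes, not a captured trace.

```python
import hashlib

def der_encode_integer(value: int) -> bytes:
    """Encode an int as an INTEGER TLV (tag 0x02) with minimal content octets."""
    # Fewest two's-complement octets that still carry the sign bit.
    bits = value.bit_length() if value >= 0 else (value + 1).bit_length()
    n = bits // 8 + 1
    if n > 0x7F:
        raise ValueError("long-form length is outside this example")
    return bytes([0x02, n]) + value.to_bytes(n, "big", signed=True)

def der_decode_integer(tlv: bytes, strict: bool = True) -> int:
    """Decode an INTEGER TLV; strict=True rejects padded content octets."""
    if len(tlv) < 3 or tlv[0] != 0x02:
        raise ValueError("not an INTEGER TLV")
    length, body = tlv[1], tlv[2:]
    if length & 0x80 or length != len(body):
        raise ValueError("bad or unsupported length octet")
    if strict and length > 1:
        # X.690 8.3.2: the first nine bits must not be all zeros or all ones.
        top_bit = body[1] & 0x80
        if (body[0] == 0x00 and not top_bit) or (body[0] == 0xFF and top_bit):
            raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big", signed=True)

def same_digest(a: bytes, b: bytes) -> bool:
    """True when two encodings would give the same checksum input."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

# Constructed sample: the value 5 padded to four content octets.
PADDED_FIVE = bytes.fromhex("020400000005")

if __name__ == "__main__":
    print("pvno 5      :", der_encode_integer(5).hex(" "))
    print("etype 3     :", der_encode_integer(3).hex(" "))
    print("padded 5    :", PADDED_FIVE.hex(" "))
    print("tolerant    :", der_decode_integer(PADDED_FIVE, strict=False))
    try:
        der_decode_integer(PADDED_FIVE)
    except ValueError as exc:
        print("strict      :", exc)
    print("same digest :", same_digest(der_encode_integer(5), PADDED_FIVE))
```

A tolerant parser recovers the same value from both forms, but the octets differ, so any checksum or signature computed over the encoding differs as well.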