Re: ASN.1 stuff (Re: [xad] Re: FW: SSPI client)
I think I was wrong. It's BIT STRING that is encoded incorrectly by MIT
krb5, and by all subsequent implementors. But it might be encoded
correctly by existing SPNEGO implementations.
and Tom Yu's posts to the various Kerberos lists for more info.
Jacques A. Vidrine wrote:
>On Thu, Nov 08, 2001 at 09:18:07AM -0500, Nicolas Williams wrote:
>>Heimdal's ASN.1 compiler caters to krb5 ASN.1, which is
>>not true ASN.1 because MIT krb5 violates the ASN.1/DER specs in some
>>places, like with INTEGER, where, IIRC, MIT krb5 (and therefore all
>>other Kerberos V implementors) always writes four bytes for INTEGERs on
>>the wire, even though the minimum needed might be one byte.
>I'm off on a tangent, but... at least in Kerberos 5 messages,
>the Heimdal code encodes integers correctly. It must, or digital
>signatures, message digests, and so forth would not work. This is the
>reason DER is specified. For example, `pvno' is always encoded as
>follows: 02 01 05, while encryption type des-cbc-md5 must be encoded
>as 02 01 03. There are no other acceptable ways to encode it.
>Maybe I'm not understanding you correctly ... do you mind providing a
>trace of what you mean?
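
Added example, not part of the original thread and not code from MIT krb5 or Heimdal: a minimal-length DER INTEGER encoder that produces the `02 01 05` and `02 01 03` forms quoted above, plus a strict check that flags a padded four-byte encoding of the kind the quoted message describes. The function names and the padded sample `02 04 00 00 00 05` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper: encode a signed 32-bit value as a DER INTEGER
 * (tag 0x02) with the minimum number of content octets.
 * Returns bytes written, or 0 if the buffer is too small. */
size_t der_put_int32(int32_t v, unsigned char *out, size_t cap)
{
    unsigned char be[4];
    uint32_t u = (uint32_t)v;
    size_t skip = 0, n, i;

    be[0] = (unsigned char)(u >> 24);
    be[1] = (unsigned char)(u >> 16);
    be[2] = (unsigned char)(u >> 8);
    be[3] = (unsigned char)u;
    /* Drop a leading 0x00 (or 0xFF) octet while the next octet's top
     * bit still carries the same sign. */
    while (skip < 3 &&
           ((be[skip] == 0x00 && (be[skip + 1] & 0x80) == 0) ||
            (be[skip] == 0xFF && (be[skip + 1] & 0x80) != 0)))
        skip++;
    n = 4 - skip;
    if (cap < 2 + n)
        return 0;
    out[0] = 0x02;
    out[1] = (unsigned char)n;
    for (i = 0; i < n; i++)
        out[2 + i] = be[skip + i];
    return 2 + n;
}

/* Hypothetical helper: strict check of one INTEGER TLV (short-form
 * length only). Returns 0 if valid and minimal, -1 if malformed, -2 if
 * it carries redundant leading octets (BER-valid but not DER). */
int der_check_int(const unsigned char *p, size_t len)
{
    if (len < 3 || p[0] != 0x02 || (p[1] & 0x80) != 0 ||
        len != 2 + (size_t)p[1])
        return -1;
    if (p[1] > 1 &&
        ((p[2] == 0x00 && (p[3] & 0x80) == 0) ||
         (p[2] == 0xFF && (p[3] & 0x80) != 0)))
        return -2;
    return 0;
}
```

A signature or checksum computed over the minimal form will not verify against the padded form, even though both decode to the same integer.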