[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PKINIT

Thanks for testing. Please try the new version I've just sent to the heimdal
list -- I believe the problems you mentioned are fixed there.

--
Dan

On Thu, May 23, 2002 at 12:16:33PM -0700, Christopher James wrote:
> Daniel Kouril wrote:
> 
> > Hi all,
> > a pre-beta version of the pkinit implementation for Heimdal is enclosed. You
> > can have a look at it but remember it's still under development.
> > Unfortunatelly I'm out of my office until end of this week so I assume I'll
> > continue in this work (and post a version of the patch) at the end of the
> > next week.
> >
> > regards
> >
> > --
> > Dan
> >
> >   ------------------------------------------------------------------------
> >
> >    pkinit.patchName: pkinit.patch
> >                Type: Plain Text (text/plain)
> 
> I have successfully built and run the KDC with the pre-beta
> PKINIT patch.    While getting it to work I found the following
> conditions that produce seg faults:
> 
> ------------------------------------------------------------
> 
> 1. kinit segmentation fault - 0 length principal's public key certificate
> 
> Run kinit using a 0 length file for the principal's public key certificate,
> the other files (principal's private key and directory with CA certificates)
> are present and good.  Program seg faults calling free_SignedData() in
> free_PA_PK_AS_REQ().  Here are some printfs showing sequence of calls:
> 
> get_init_creds_common() return = 0
> read X509
> read X509 end of file
> pk_load_config() return = 0
> starting krb5_get_in_cred_ext
> before init_as_req
> init_as_req() check patype
> starting pk_mk_padata()
> after build_auth_pack()
> after encode_auth_pack()
> after krb5_data_copy()
> pk_create_sign(): starting
> pk_create_sign(): 1
> pk_create_sign(): 1a
> pk_mk_padata(): start end: problem = -1
> free_PA_PK_AS_REQ: start
> Segmentation fault
> 
> 
> 2. kinit segmentation fault - no file in directory with CA certificates
> 
> Run kinit with no file in directory with CA certificates, other files
> (principal's public key certificate and principal's private key) are
> present and good.  Program seg faults calling sk_X509_NAME_pop_free() in
> free_PA_PK_AS_REQ().  Here are some printfs showing sequence of calls:
> 
> get_init_creds_common() return = 0
> read X509
> read X509
> read X509 end of file
> pk_load_config() return = 0
> starting krb5_get_in_cred_ext
> before init_as_req
> init_as_req() check patype
> starting pk_mk_padata()
> after build_auth_pack()
> after encode_auth_pack()
> after krb5_data_copy()
> pk_create_sign(): starting
> pk_create_sign(): 1
> pk_create_sign(): 2
> pk_create_sign(): 3
> pk_create_sign(): 4
> pk_create_sign(): 5
> pk_create_sign(): 6
> pk_create_sign(): 7
> pk_create_sign(): 8
> pk_mk_padata() after pk_create_sign
> pk_mk_padata() after trusted certs
> pk_mk_padata() after encode_PA
> pk_mk_padata(): start end: problem = 0
> free_PA_PK_AS_REQ: start
> free_PA_PK_AS_REQ: after free_SignedData
> free_PA_PK_AS_REQ: before free trusted certifiers
> Segmentation fault
> 
> 3. kinit segmentation fault - receives AS_REPLY without pkinit data
> 
> Start the kdc with a 0 length file for the key_file.  Send AS_REQ
> using kinit.  KDC recieves AS_REQ and sends normal (non-pkinit)
> AS_REPLY.  kinit seg faults reading AS_REPLY.
> 
> 4. kdc segmentation fault - after second AS_REQ
> 
> Both kdc and kinit configured correctly to run using pkinit.
> No problem on first AS_REQ from kinit - kdc returns TGT in AS_REPLY.
> KDC seg faults when it receives a second AS_REQ from kinit.
> Seg fault happens in pk_create_sign() in one of these calls:
> 
>   sd->signer_info.sid.issuer = X509_NAME_dup(X509_get_issuer_name(user_cert));
>   sd->signer_info.sid.serial =
> ASN1_INTEGER_dup(X509_get_serialNumber(user_cert));
> 
> --------------------------------------------------------
> 
> Christopher
> 
>