Posted to dev@directory.apache.org by Emmanuel Lecharny <el...@gmail.com> on 2007/06/16 00:24:56 UTC
PB with a kerberos PDU
Hi,
does anyone know if the AS-REQ-PA-ENC-TS.pdu is used anywhere in the code?
I found something very strange in this PDU (and it seems to be wrong
to me). Here is the semi-decoded PDU :
6a 81 ed AS-REQ
30 81 ea KDC-REQ ::= SEQUENCE
a1 03 pvno [1] // tag [1]
02 01 05 INTEGER, value = 5
a2 03 msg-type [2] // tag [2]
02 01 0a INTEGER, value = 10, AS
a3 50 padata [3] // tag [3]
30 4e SEQUENCE OF PA-DATA
30 4c PA-DATA ::= SEQUENCE
a1 03 padata-type [1] // tag [1]
02 01 02 INTEGER, value = 2, pa-enc-timestamp (DER
encoding of PA-ENC-TIMESTAMP)
a2 45 padata-value [2] // tag [2]
04 43 OCTET STRING
30 41 PA-ENC-TIMESTAMP ::= SEQUENCE
a0 03 patimestamp [0] // tag 0
02 01 03
a2 3a
04 38
05 88 76 c7 be fe 1c 31 38 18 37 c2 e3 21 a7 f4
ea 10 ef 07 94 cc 2e e9 04 12 51 c8 44 eb fa d8
f0 e8 ec 7b 4b ff b4 e6 e4 34 a3 67 f8 ea c3 3e
e9 43 d7 15 f1 3b 57 e9
The padata-type is 2, which is a PA-ENC-TIMESTAMP. Then, the first
object in the SEQUENCE in the padata-value OCTET STRING field should
have been a GeneralizedTime, not an INTEGER (02 01 03)
A clue, anyone ?
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: PB with a kerberos PDU
Posted by Emmanuel Lecharny <el...@apache.org>.
Enrique Rodriguez a écrit :
> On 6/15/07, Emmanuel Lecharny <el...@gmail.com> wrote:
>
>> ...
>> PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
>
>
> "PA-ENC-TIMESTAMP" ::= "EncryptedData"
Damn, got it! I was focusing on the comment... Time to go to bed, I
think...
Thanks.
Emmanuel
>
Re: PB with a kerberos PDU
Posted by Enrique Rodriguez <en...@gmail.com>.
On 6/15/07, Emmanuel Lecharny <el...@gmail.com> wrote:
> ...
> PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
"PA-ENC-TIMESTAMP" ::= "EncryptedData"
Enrique
Re: PB with a kerberos PDU
Posted by Emmanuel Lecharny <el...@gmail.com>.
From RFC 4120:
AS-REQ ::= [APPLICATION 10] KDC-REQ => 0x6A LL
KDC-REQ ::= SEQUENCE { => 0x03 LL
-- NOTE: first tag is [1], not [0]
pvno [1] INTEGER (5) , => 0xA1 0x03 0x02 0x01 0x05
msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), =>
0xA2 0x03 0x02 0x01 0x0A (AS)
padata [3] SEQUENCE OF PA-DATA OPTIONAL => 0xA3 LL 0x30 LL
...
PA-DATA ::= SEQUENCE { => 0x30 LL
-- NOTE: first tag is [1], not [0]
padata-type [1] Int32, => 0xA1 0x03 0x02 0x01 0x02
with :
padata-value
Usually contains the DER encoding of another type; the padata-type
field identifies which type is encoded here.
padata-type Name Contents of padata-value
...
2 pa-enc-timestamp DER encoding of PA-ENC-TIMESTAMP
...
and
PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
PA-ENC-TS-ENC ::= SEQUENCE {
patimestamp [0] KerberosTime -- client's time --,
pausec [1] Microseconds OPTIONAL
}
So the padataValue should be 0xA2 LL 0x30 LL (SEQUENCE) followed by :
0xA0 LL 0x18 (GeneralizedTime) 0x0F [time]
no?
Where did I make a mistake?
On 6/16/07, Enrique Rodriguez <en...@gmail.com> wrote:
> On 6/15/07, Emmanuel Lecharny <el...@apache.org> wrote:
> > Enrique Rodriguez a écrit :
> > > On 6/15/07, Emmanuel Lecharny <el...@gmail.com> wrote:
> > >> ...
> > >> A clue, anyone ?
> > >
> > > The type says it is a "pa-enc-timestamp" but it is actually an
> > > EncryptedData. You have to decrypt it. The result of the decryption
> > > will be ASN.1 that needs to be further decoded into the PA-ENC-TS-ENC
> > > SEQUENCE.
> >
> > Yes, but the content is not a PA-ENC-TS-ENC, because this structure does
> > not have an INTEGER in first position. The patimestamp is supposed to be
> > a GeneralizedTime
> >
> > Something might be wrong...
>
> Until it is decrypted, you are looking at an EncryptedData, which does
> have an INTEGER in the first position:
>
> EncryptedData ::= SEQUENCE {
> etype [0] Int32 -- EncryptionType --,
> kvno [1] UInt32 OPTIONAL,
> cipher [2] OCTET STRING -- ciphertext
> }
>
> The OCTET STRING in position 2 must be decrypted to reveal the ASN.1
> for the timestamp.
>
> Enrique
>
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: PB with a kerberos PDU
Posted by Enrique Rodriguez <en...@gmail.com>.
On 6/15/07, Emmanuel Lecharny <el...@apache.org> wrote:
> Enrique Rodriguez a écrit :
> > On 6/15/07, Emmanuel Lecharny <el...@gmail.com> wrote:
> >> ...
> >> A clue, anyone ?
> >
> > The type says it is a "pa-enc-timestamp" but it is actually an
> > EncryptedData. You have to decrypt it. The result of the decryption
> > will be ASN.1 that needs to be further decoded into the PA-ENC-TS-ENC
> > SEQUENCE.
>
> Yes, but the content is not a PA-ENC-TS-ENC, because this structure does
> not have an INTEGER in first position. The patimestamp is supposed to be
> a GeneralizedTime
>
> Something might be wrong...
Until it is decrypted, you are looking at an EncryptedData, which does
have an INTEGER in the first position:
EncryptedData ::= SEQUENCE {
etype [0] Int32 -- EncryptionType --,
kvno [1] UInt32 OPTIONAL,
cipher [2] OCTET STRING -- ciphertext
}
The OCTET STRING in position 2 must be decrypted to reveal the ASN.1
for the timestamp.
Enrique
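The decoding Enrique describes, carried out on the bytes Emmanuel pasted in the first post, as an added example (this is not ApacheDS code and not anything posted in the thread). It walks the padata [3] element with a small DER reader and shows that the first field inside padata-value is EncryptedData.etype (an INTEGER), that the GeneralizedTime only exists in the PA-ENC-TS-ENC plaintext, and what that plaintext looks like by encoding and decoding one. Assumptions: the sample is the padata element transcribed from the post (the rest of the AS-REQ is not shown there, so parsing starts at the a3 tag), the etype name table holds only the RFC 3961/3962/4757 values I am sure of, and SAMPLE_TIME is a constructed timestamp, not one recovered from the ciphertext (that would need the client key).

```python
"""Decode the AS-REQ padata from the thread: padata-value holds EncryptedData,
not PA-ENC-TS-ENC. Added example, not ApacheDS code. RFC 4120 tags only."""
from datetime import datetime, timezone

# Constructed sample: the padata [3] element transcribed from the first post.
PADATA_DER = bytes.fromhex(
    "a3 50 30 4e 30 4c a1 03 02 01 02 a2 45 04 43 30 41"
    " a0 03 02 01 03 a2 3a 04 38"
    " 05 88 76 c7 be fe 1c 31 38 18 37 c2 e3 21 a7 f4"
    " ea 10 ef 07 94 cc 2e e9 04 12 51 c8 44 eb fa d8"
    " f0 e8 ec 7b 4b ff b4 e6 e4 34 a3 67 f8 ea c3 3e"
    " e9 43 d7 15 f1 3b 57 e9")

# Constructed timestamp used to build a PA-ENC-TS-ENC plaintext below.
SAMPLE_TIME = datetime(2007, 6, 15, 22, 24, 56, tzinfo=timezone.utc)

ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}  # RFC 3961 / 3962 / 4757 assignments

INTEGER, OCTET_STRING, GENERALIZED_TIME, SEQUENCE = 0x02, 0x04, 0x18, 0x30


def ctx(n):
    """Context-specific constructed tag [n]; Kerberos uses EXPLICIT tagging."""
    return 0xA0 | n


def read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length %d runs past the buffer" % length)
    return tag, buf[pos:end], end


def unwrap(expected_tag, buf):
    """buf must be exactly one TLV with expected_tag; return its value."""
    tag, value, end = read_tlv(buf)
    if tag != expected_tag or end != len(buf):
        raise ValueError("expected a single tag 0x%02x, got 0x%02x" % (expected_tag, tag))
    return value


def children(buf):
    """The TLVs packed back to back in buf (i.e. the contents of a SEQUENCE)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out


def decode_int(buf):
    return int.from_bytes(unwrap(INTEGER, buf), "big", signed=True)


def decode_padata(der):
    """padata [3] SEQUENCE OF PA-DATA -> [(padata-type, padata-value bytes)]."""
    out = []
    for tag, pa in children(unwrap(SEQUENCE, unwrap(ctx(3), der))):
        if tag != SEQUENCE:
            raise ValueError("PA-DATA must be a SEQUENCE")
        f = dict(children(pa))            # [1] padata-type, [2] padata-value
        out.append((decode_int(f[ctx(1)]), unwrap(OCTET_STRING, f[ctx(2)])))
    return out


def decode_encrypted_data(der):
    """EncryptedData ::= SEQUENCE { etype [0], kvno [1] OPTIONAL, cipher [2] }"""
    f = dict(children(unwrap(SEQUENCE, der)))
    return {"etype": decode_int(f[ctx(0)]),
            "kvno": decode_int(f[ctx(1)]) if ctx(1) in f else None,
            "cipher": unwrap(OCTET_STRING, f[ctx(2)])}


def analyse_pa_enc_timestamp(padata_der):
    """Summarise the pa-enc-timestamp (type 2) entry without decrypting it."""
    for ptype, pvalue in decode_padata(padata_der):
        if ptype != 2:
            continue
        first = children(unwrap(SEQUENCE, pvalue))[0]       # the [0] field
        ed = decode_encrypted_data(pvalue)
        return {"etype": ed["etype"],
                "etype_name": ETYPE_NAMES.get(ed["etype"], "unknown"),
                "kvno": ed["kvno"], "cipher_len": len(ed["cipher"]),
                "first_field_tag": read_tlv(first[1])[0]}   # 0x02, an INTEGER
    raise ValueError("no pa-enc-timestamp entry in padata")


def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_int(v):                        # non-negative only, minimal length
    return der_tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def encode_pa_enc_ts_enc(when, usec=None):
    """PA-ENC-TS-ENC: what the KDC sees only after decrypting cipher."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode()
    body = der_tlv(ctx(0), der_tlv(GENERALIZED_TIME, stamp))   # here is the 0x18
    if usec is not None:
        body += der_tlv(ctx(1), encode_int(usec))
    return der_tlv(SEQUENCE, body)


def decode_pa_enc_ts_enc(der):
    f = dict(children(unwrap(SEQUENCE, der)))
    stamp = unwrap(GENERALIZED_TIME, f[ctx(0)]).decode("ascii")
    when = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return when, (decode_int(f[ctx(1)]) if ctx(1) in f else None)


if __name__ == "__main__":
    print(analyse_pa_enc_timestamp(PADATA_DER))
    ts = encode_pa_enc_ts_enc(SAMPLE_TIME, 1234)
    print(ts.hex(), decode_pa_enc_ts_enc(ts))
```

The summary for the posted bytes is etype 3 with no kvno and 56 bytes of cipher, and the tag inside the [0] field is 0x02: exactly the INTEGER that looked wrong in the dump. The GeneralizedTime (0x18) only appears in the plaintext that encode_pa_enc_ts_enc builds, which is what the OCTET STRING in position 2 decrypts to under the client's key.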
Re: PB with a kerberos PDU
Posted by Enrique Rodriguez <en...@gmail.com>.
On 6/15/07, Emmanuel Lecharny <el...@gmail.com> wrote:
> ...
> A clue, anyone ?
The type says it is a "pa-enc-timestamp" but it is actually an
EncryptedData. You have to decrypt it. The result of the decryption
will be ASN.1 that needs to be further decoded into the PA-ENC-TS-ENC
SEQUENCE.
Enrique