directory-dev mailing list archives

From "Emmanuel Lecharny" <elecha...@gmail.com>
Subject Re: PB with a kerberos PDU
Date Fri, 15 Jun 2007 23:00:52 GMT
From RFC 4120:
AS-REQ          ::= [APPLICATION 10] KDC-REQ  => 0x6A LL

KDC-REQ         ::= SEQUENCE {  => 0x03 LL
        -- NOTE: first tag is [1], not [0]
        pvno            [1] INTEGER (5) , => 0xA1 0x03 0x02 0x01 0x05
        msg-type        [2] INTEGER (10 -- AS -- | 12 -- TGS --), => 0xA2 0x03 0x02 0x01 0x0A (AS)
        padata          [3] SEQUENCE OF PA-DATA OPTIONAL => 0xA3 LL 0x30 LL
        ...

PA-DATA         ::= SEQUENCE { => 0x30 LL
        -- NOTE: first tag is [1], not [0]
        padata-type     [1] Int32, => 0xA1 0x03 0x02 0x01 0x02

with:
padata-value
      Usually contains the DER encoding of another type; the padata-type
      field identifies which type is encoded here.

      padata-type  Name             Contents of padata-value

      ...
      2            pa-enc-timestamp DER encoding of PA-ENC-TIMESTAMP
      ...

and

PA-ENC-TIMESTAMP        ::= EncryptedData -- PA-ENC-TS-ENC

   PA-ENC-TS-ENC           ::= SEQUENCE {
           patimestamp     [0] KerberosTime -- client's time --,
           pausec          [1] Microseconds OPTIONAL
   }

So the padataValue should be 0xA2 LL 0x30 LL (SEQUENCE) followed by:
0xA0 LL 0x18 (GeneralizedTime) 0x0F [time]

no?

Where do I make a mistake?

On 6/16/07, Enrique Rodriguez <enriquer9@gmail.com> wrote:
> On 6/15/07, Emmanuel Lecharny <elecharny@apache.org> wrote:
> > Enrique Rodriguez wrote:
> > > On 6/15/07, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> > >> ...
> > >> A clue, anyone ?
> > >
> > > The type says it is a "pa-enc-timestamp" but it is actually an
> > > EncryptedData.  You have to decrypt it.  The result of the decryption
> > > will be ASN.1 that needs to be further decoded into the PA-ENC-TS-ENC
> > > SEQUENCE.
> >
> > Yes, but the content is not a PA-ENC-TS-ENC, because this structure does
> > not have an INTEGER in first position. The patimestamp is supposed to be
> > a GeneralizedTime
> >
> > Something might be wrong...
>
> Until it is decrypted, you are looking at an EncryptedData, which does
> have an INTEGER in the first position:
>
>    EncryptedData   ::= SEQUENCE {
>            etype   [0] Int32 -- EncryptionType --,
>            kvno    [1] UInt32 OPTIONAL,
>            cipher  [2] OCTET STRING -- ciphertext
>    }
>
> The OCTET STRING in position 2 must be decrypted to reveal the ASN.1
> for the timestamp.
>
> Enrique
>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
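The layering Enrique describes, as an added example that is not code from the thread or from Apache Directory: a small DER walker (single-byte tags and definite lengths only) that pulls the padata-value out of a PA-DATA, reads the EncryptedData header, and shows that the first field is an INTEGER (etype) before decryption and a GeneralizedTime (patimestamp) only in the decrypted PA-ENC-TS-ENC. The PA-DATA bytes, the placeholder ciphertext and the "decrypted" plaintext are constructed for the example; the helper names are my own.

```python
# Added example (not from the thread or Apache Directory): a minimal DER walker for
# PA-DATA / EncryptedData / PA-ENC-TS-ENC. Single-byte tags, definite lengths only.

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Map tag -> value for the elements of a constructed value (context tags are unique here)."""
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out[tag] = val
    return out

def der_int(value):
    """Decode the contents of an explicitly tagged INTEGER (02 01 17 -> 23)."""
    return int.from_bytes(der_tlv(value)[1], "big", signed=True)

def padata_value(padata, expected_type=2):
    """PA-DATA { padata-type [1] Int32, padata-value [2] OCTET STRING } -> OCTET STRING contents."""
    tag, body, _ = der_tlv(padata)
    assert tag == 0x30, "PA-DATA must be a SEQUENCE"
    fields = der_children(body)
    assert der_int(fields[0xA1]) == expected_type, "unexpected padata-type"
    return der_tlv(fields[0xA2])[1]        # unwrap the OCTET STRING

def parse_encrypted_data(enc):
    """EncryptedData { etype [0] Int32, kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING }."""
    tag, body, _ = der_tlv(enc)
    assert tag == 0x30, "EncryptedData must be a SEQUENCE"
    f = der_children(body)
    kvno = der_int(f[0xA1]) if 0xA1 in f else None
    return der_int(f[0xA0]), kvno, der_tlv(f[0xA2])[1]

def first_field_tag(seq):
    """Universal tag inside the [0] field: 0x02 (INTEGER) for EncryptedData, 0x18 for PA-ENC-TS-ENC."""
    _, body, _ = der_tlv(seq)
    return der_tlv(der_children(body)[0xA0])[0]

# Constructed sample: padata-type 2 wrapping EncryptedData (etype 23, kvno 1, 4-byte placeholder cipher).
SAMPLE_PADATA = bytes.fromhex(
    "301d" "a103020102" "a216" "0414" "3012" "a003020117" "a103020101" "a206" "0404deadbeef")
# Constructed plaintext as it looks after decryption: patimestamp [0] GeneralizedTime, pausec [1] INTEGER 0.
SAMPLE_PA_ENC_TS_ENC = (bytes.fromhex("3018" "a011" "180f") + b"20070615230052Z"
                        + bytes.fromhex("a103020100"))
```

Run against the samples, `first_field_tag(padata_value(SAMPLE_PADATA))` is 0x02 while `first_field_tag(SAMPLE_PA_ENC_TS_ENC)` is 0x18, which is the layout difference the thread is about.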
