Rocksolid Light

Welcome to RetroBBS

mail  files  register  newsreader  groups  login

Message-ID:  

"Laugh while you can, monkey-boy." -- Dr. Emilio Lizardo

devel / comp.protocols.kerberos / Re: Using PKINIT with ECC

SubjectAuthor
o Re: Using PKINIT with ECCKen Hornstein

1
Re: Using PKINIT with ECC

<mailman.56.1700413256.2263420.kerberos@mit.edu>

  copy mid

https://www.rocksolidbbs.com/devel/article-flat.php?id=434&group=comp.protocols.kerberos#434

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: Using PKINIT with ECC
Date: Sun, 19 Nov 2023 12:00:41 -0500
Organization: TNet Consulting
Lines: 28
Message-ID: <mailman.56.1700413256.2263420.kerberos@mit.edu>
References: <8984fe41-f9a0-434b-a09c-df2bc88125dc@sec4mail.de>
<ae76ed5c-1399-401e-988c-ed2dbdfff6e7@mit.edu>
<202311191700.3AJH0hJD016758@hedwig.cmf.nrl.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="9437"; mail-complaints-to="newsmaster@tnetconsulting.net"
To: kerberos@mit.edu
DKIM-Filter: OpenDKIM Filter v2.11.0 unknown-host (unknown-jobid)
Authentication-Results: mailman.mit.edu;
dkim=pass (1024-bit key, unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=BQzTfjxV;
dkim=pass (2048-bit key,
unprotected) header.d=nrl.navy.mil header.i=@nrl.navy.mil header.a=rsa-sha256
header.s=s2.dkim header.b=DYE1w31y
Authentication-Results: mit.edu; dmarc=pass (p=reject dis=none)
header.from=cmf.nrl.navy.mil
Authentication-Results: mit.edu; arc=pass smtp.remote-ip=18.9.3.17
ARC-Seal: i=2; a=rsa-sha256; d=mit.edu; s=arc; t=1700413252; cv=pass;
b=Yo4FlxPxDIiZ39nBmLVJJBhG96EoQfmdh3R+9C4+mRb3vnapg2A6l0qSe0++PTLlmIxhNuVbxd8OuVd5yNYlytDVF5LqQV8cipTIIDEBOp9EBLaKHN9s+3SjKS3tRYZBYXS5MiQPbnOmC/JAbROYAzf3+Qd0hnTLnFqFoRzxk7X+3tZOpgTF3eQ++P9xQaAIInZ+fFlQSouXnvDks17kbL/7csHvMGyonnvV6kmlaAATxsEVrAHs3BNoryhG0VeYscZJwz35sARt425dU+xoJtJULIOnFcRXoEThQeiHzvYULcdN3Ges2XItMjtjK59PHm9qFpH3jaXcbIQf5BJDbQ==
ARC-Message-Signature: i=2; a=rsa-sha256; d=mit.edu; s=arc; t=1700413252;
c=relaxed/relaxed; bh=EQBMGjLQwxP8ObQk+1XaNSoFKQrsTw67Jz3nALDdySU=;
h=Message-ID:From:Subject:MIME-Version:Content-Type:Date;
b=yZ0EfOKjUUt/5/q1CceELLTAzJE75QhDZp2uIpbIwleBF8LcEb4naRvaK3rTu9L363Jp6oe8aXQpAEEID6N2wfohmIhmCwVc8b56Vz4FfkMpJCL/IoH4FKV2ZzSBqawEwF8Xqw3y5LoF3yGMa9lRidOf4tASalvWJAfOLlt7jI64dbSuf7v70nuvZJmrSn69JGccJnYiNFr5mTaI7zVlOzTD09pFpijkWwLjncTnPruW4g4yEaQj+ksaGXMWnKcDSEYM92TRSfwxScxQUa602B48U1Iv23a4qpsERuV8y4BAIlOgHHAr1JVcxJ3Xeoa9Rnrr455GTYmayvI3gCyqcw==
ARC-Authentication-Results: i=2; mit.edu; dkim=pass (1024-bit key;
unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=BQzTfjxV;
dkim=pass (2048-bit key;
unprotected) header.d=nrl.navy.mil header.i=@nrl.navy.mil header.a=rsa-sha256
header.s=s2.dkim header.b=DYE1w31y
Authentication-Results: mit.edu; dkim=pass (1024-bit key;
unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=BQzTfjxV;
dkim=pass (2048-bit key;
unprotected) header.d=nrl.navy.mil header.i=@nrl.navy.mil header.a=rsa-sha256
header.s=s2.dkim header.b=DYE1w31y
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=WqLQUDv76wE+7/pkx4qSNZp2iVIrWIt5iy2uG68p0C7tlSg6rlyM3LgbnUkJpzdLFLQoAndmiJTtHfjjvNe6qh6gjMm97kRdXlbTLFGKKIr3eeN2MBiQ74OvF7mrVgPhHejiCWLArc+1ejqJG32Vo3gRSKMTDwwrafOQAhZVY6RHQq02yhQH/j4UnGn27H0P40L/onPa/S+EuWEoCtRuUBgRh3oGJttaYl5qmXBR8SkFmWK6bCDioJIPHWC270J1kyHbvOsfL6lFbAYkD3ZNZz5njsSDMQuXVG3CtYMKsP8SilaVz+jPzraTMCZZGG/GGnc4JlpPHDE1QtUq/BfdzA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=EQBMGjLQwxP8ObQk+1XaNSoFKQrsTw67Jz3nALDdySU=;
b=nI9y6DAPBG91ExI6CoCvZCqFDWjBqkMW93njAqP0PQ5OWI8zDp3Qc9yOQ2h9rCHcFN1Yh7574ds0QQ8Jyv6cdhsn+AGhCCqEFvSsQxOCfFqrwVM3q4UaVTudWN6tENA3IUHHk3GIr/Z63bfEKLVj/mK2K5qy/fGHZrqxqX3hc2dRAw763ghSNwhTp6stvVxYeiIQt1u923Ol4TdwKgLSqtqHeInu7oy0bs2DA3NkBXTLuWvKWtxlhfvgB2ezeN5UMaXRH6oTFXSPkpXNZDvPDpmrmVJiREV+5sWTvfgrDi4TXcnh8j1rIntg4cqY+rbH+25JTXtZNfV+o1dJuCr1cw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=temperror (sender ip
is 140.32.61.234) smtp.rcpttodomain=mit.edu
smtp.mailfrom=cmf.nrl.navy.mil;
dmarc=pass (p=reject sp=reject pct=100) action=none
header.from=cmf.nrl.navy.mil; dkim=pass (signature was verified)
header.d=nrl.navy.mil; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=EQBMGjLQwxP8ObQk+1XaNSoFKQrsTw67Jz3nALDdySU=;
b=BQzTfjxV5YGH2dqhlBdajv1i/Pd+1p63LTVwECE70fnK17OQB6itaD/miGcz3fIugnZRWK0cRMMn4xW4f8hovdC9loPc7yeOhndvMIIvcQRpD+YgeR1hw9VkBGF1b5ZHi1Co++tPu3ci6C9q6aiRz25Vyb19wR5spqXByCre1K0=
Authentication-Results: spf=temperror (sender IP is 140.32.61.234)
smtp.mailfrom=cmf.nrl.navy.mil; dkim=pass (signature was verified)
header.d=nrl.navy.mil;dmarc=pass action=none header.from=cmf.nrl.navy.mil;
Received-SPF: TempError (protection.outlook.com: error in processing during
lookup of cmf.nrl.navy.mil: DNS Timeout)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nrl.navy.mil;
h=message-id : from :
to : subject : in-reply-to : references : mime-version : content-type :
date; s=s2.dkim; bh=EQBMGjLQwxP8ObQk+1XaNSoFKQrsTw67Jz3nALDdySU=;
b=DYE1w31yq25uCj5rDtQQHhYgfnmMdtM6jJXvOlj5fihVGcYxhIWp6ZHGCrtZyA1fsJpZ
fym6vDKFUB7+vZDShWTJlnsWcIfs18hJyKPCNtmenyhHG4kKTJg1X3CeW7zpVxeKmdTS
i1z6cfs+vF057alw+nsgs2QxZ1kbO2qtsqb3DZXK/4o5umcl9RzsijHFEDratASv2WfV
owdSR/9XvbGqU0ciujPt4fcK22v8vyCybg2Zem3fLEU7gcjqtK/FkJ+CrRPluBxGdoQ1
+WzFLMELkKye6peQor9bGGpD+NZ/eFGVp8hMxK+SWEzHreplWsxNzL0JOlmQPTMGqUF3 Mg==
In-Reply-To: <ae76ed5c-1399-401e-988c-ed2dbdfff6e7@mit.edu>
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4
WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d
gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
X-NRLCMF-Spam-Score: () hits=0 User Authenticated
X-NRLCMF-Virus-Scanned:
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DS2PEPF00003447:EE_|PH0PR01MB8191:EE_
X-MS-Office365-Filtering-Correlation-Id: 4e840d3f-1ac4-4f37-db4f-08dbe9211299
X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr
X-MS-Exchange-AtpMessageProperties: SA
X-MS-Exchange-SenderADCheck: 0
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: x3061+IitSaaz+eFpDBx9RJELXOnNu+A9dGQEWm8blLIaNptl7XBsL3qw1jeQH0h4cr4i4agnB/aFX8xGHf7rvaIO8zNNO05pj/7KmWcrLrcRYBXHiDto5mAZVHxm51Fw5PDL/MsFbxv+Ath8MWFWBeuWlQexEACvwYcMmXrtczgoxh5J7UyjdO2eLQgXqh6NKmRefFbdEXrkkru70rZ7wlZhnNvxbK9J5JHZQKRHJ+8q6q9nLKMUhxcsy2WZaBcHTFNOOENfSVlgUNdCb4hFhQq0GLCYrLNHfTRU2zApULjdigUhcUWso6QbdEu7CAl8ZzPvJF/Nc7onk+DqIAnZsSCo0kN652jDTfvgLhZpL6jfkNhxvOxA3qax0Bstrlxc62oKgIW9eMjbdd1iA/uWBdFyq+1VqjuQiCIKHg5Sn9WTJnaDSPW539/FgIuOOZUwsflc92wMUEXmNwjfaL3s9CMBnN/+YWLarUyujib3dB9/ZYDAdmYBbZgSt+gSzWmDQWXQTvm3aJD2KJmwjmJqqXgn3vAl4O6X8XWlzp3SbMi223nUssrMM0YR/dS/x29umR0+GIax9Nypr8PtMelOIaZn97l6bgQ8uVxn5jfUZrEDOFkbNEGnEedQUU8y9wsUM6qtLKJ7XzfZccddgR/8w==
X-Forefront-Antispam-Report: CIP:140.32.61.234; CTRY:US; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM; H:mf.dren.mil; PTR:mfw.dren.mil; CAT:NONE;
SFS:(13230031)(4636009)(396003)(376002)(136003)(346002)(39860400002)(48200799006)(451199024)(61400799012)(64100799003)(86362001)(5660300002)(2906002)(83380400001)(63350400001)(356005)(498600001)(7636003)(336012)(956004)(426003)(26005)(34206002)(8676002)(1076003)(786003)(316002)(70586007)(68406010)(3480700007);
DIR:OUT; SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Nov 2023 17:00:45.6447 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4e840d3f-1ac4-4f37-db4f-08dbe9211299
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-AuthSource: DS2PEPF00003447.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR01MB8191
X-OriginatorOrg: mitprod.onmicrosoft.com
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <202311191700.3AJH0hJD016758@hedwig.cmf.nrl.navy.mil>
X-Mailman-Original-References: <8984fe41-f9a0-434b-a09c-df2bc88125dc@sec4mail.de>
<ae76ed5c-1399-401e-988c-ed2dbdfff6e7@mit.edu>
 by: Ken Hornstein - Sun, 19 Nov 2023 17:00 UTC

>On 11/15/23 23:22, Goetz Golla wrote:
>> * Does MIT Kerberos support PKINIT with Elliptic Curves as described
>> in RFC 5349 ?
>
>A P-384 EC client certificate works in my tests, with either krb5-1.17
>or the current code, as long as the KDC is also running MIT krb5.

We got burnt a while ago with an older PKINIT client-side plugin that
worked fine when the KDC was linked against OpenSSL 1.0.2 but failed
with OpenSSL 1.1 and above (this was fixed in newer MIT code and only
occured when you were using a smartcard). I am wondering if perhaps the
incorrect metadata makes something fail on other versions of OpenSSL?
I know this seems to be a completely client-side problem.

>Of course, my experience doesn't match yours. From your trace, I
>believe that the failure occurs in the client code, not on the KDC, so
>inspecting the KDC logs would not help. But the trace log does not
>contain any detailed information about the failure.

I have mentioned this before, but ... is there any interest in adding
additional trace points for every place where the old "pkiDebug" calls
are made? Hidden errors when doing PKINIT are the bane of my existence
and I feel that I'm not the only one. I understand there are concerns
about making the trace log too verbose but I think every error could
generate a trace message and it wouldn't add too much to the trace output
when everything was working.

--Ken

1
server_pubkey.txt

rocksolid light 0.9.8
clearnet tor