Hi Greg and others,

As suggested, I used a desktop Kerberos client (v1.13) to talk PKINIT to the v1.13 server, and now observe the following "Invalid Signature" in AS-REP signature verification. Any suggestions on how to debug this more?

Interestingly, the CMS_VERIFY() error code from OpenSSL's API varies between 132 and 106 if I change the principal argument 197f67 to the form 197...@fastah.mobi

    kinit -V -X X509_user_identity=FILE:$HOME/client-pkinit-publicKey.pem,$HOME/client-pkinit-privateKey.pem -X X509_anchors=FILE:$HOME/cert.pem 197f67

    pkinit_as_req_create retval=0
    pkinit_client_process: returning 0 (Unknown code 0)
    pkinit_client_prep_questions: no questions to ask
    pkinit_client_prep_questions returning 0
    pkinit_client_process 0x2147120 0x214b1a0 0x2166710 0x2176500
    processing KRB5_PADATA_PK_AS_REP
    as_rep: DH key transport algorithm
    untrusted cert chain of size 1
    cert #0: /C=US/ST=DE/L=Dover/O=Blackbuck Computing Inc/OU=Technical Operations/CN=Blackbuck Computing Inc.
    trusted cert chain of size 1
    cert #0: /CN=Blackbuck Computing Inc CA v5/O=Blackbuck Computing Inc./OU=Technical Operations/ST=DE/C=US/L=Dover/emailAddress=priv...@blackbuck.mobi
    CMS_VERIFY error 132
    CMS Verification failure
    failed to verify pkcs7 signed data
    pkinit_as_rep_parse returning -1765328320 (Invalid signature)
    pkinit_as_rep_parse returned -1765328320 (Invalid signature)
    pkinit_client_process: returning -1765328320 (Invalid signature)
    pkinit_client_req_fini: received reqctx at 0x2166710
    pkinit_fini_req_crypto: freeing ctx at 0x216a6a0

Thanks for any assistance!

Siddharth

On Tue, Jan 6, 2015 at 12:09 AM, Siddharth Mathur <smat...@blackbuck.mobi> wrote:
>>
>> It might help to try deploying to a regular Unix client, to help
>> distinguish between client-side issues with the iOS Kerberos
>> implementation (which I'm not very familiar with) and server-side issues.
>
> Thanks for the debugging tips Greg, will try them out ASAP and report back.
>
> Overall, does what I am trying sound achievable? No passwords even at
> the first login, and exclusive use of client certificates?
>
> Thanks, and hope the new year goes well for you!
> Siddharth
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos