On 01/17/2017 08:42 AM, Turner, Jonathan wrote:
> I am working on implementing kerberos for the client and service sides in
> golang. As part of this I'm looking to implement tests against some
> reference kerberos messages to ensure I am parsing and decrypting them
> correctly. I have been unable to find any suitable references to test
> against.

Unfortunately, most of the Kerberos RFCs do not include reference
encodings, except in the RFC 3961 crypto framework. This omission has
come at some cost; for instance, we had to reissue RFC 4402 (which
specifies gss_pseudo_random()) as RFC 7802, because neither of the two
implementations correctly filled in the counter block--and for a while
they weren't consistent with each other either.

src/tests/asn.1 in the krb5 tree does include some reference encodings,
a small subset of which were independently produced using asn1c (via
make-vectors.c). These references are designed only to test individual
ASN.1 encoders and decoders, and often include garbage values which
wouldn't be seen on the wire. For example, if an ASN.1 type includes an
EncryptedData element, we might fill in "krbASN.1 test message" in that
element instead of a valid RFC 3961 token.

Microsoft has a pretty extensive MS-KILE test suite which has been tried
against some non-Microsoft KDC implementations, but unfortunately I
don't remember any details of how it was made available or whether it
includes reference messages. I can make some inquiries if that's of
interest to you.

You might be able to produce your own reference encodings using packet
captures, if you can set up the desired conditions.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
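
Added example, not part of the original message or of any Kerberos project's code: a Go check of the n-fold operation (RFC 3961 section 5.1) against reference vectors from RFC 3961 appendix A.1, the one place the reply says reference values exist. The names nfold, vectors and checkVectors are illustrative.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// nfold: input copies, each rotated right 13 bits more than the last, are
// summed with ones'-complement (end-around carry) addition (RFC 3961, 5.1).
func nfold(in []byte, outBits int) []byte {
	k, n := len(in), outBits/8
	a, b := n, k
	for b != 0 { // gcd(n, k), used below to get lcm(n, k)
		a, b = b, a%b
	}
	out, carry := make([]byte, n), 0
	for i := n*k/a - 1; i >= 0; i-- {
		// Position of the most significant input bit that lands in byte i.
		msbit := (k*8 - 1 + (k*8+13)*(i/k) + (k-i%k)*8) % (k * 8)
		word := int(in[(k-1-(msbit>>3))%k])<<8 | int(in[(k-(msbit>>3))%k])
		carry += (word>>(uint(msbit&7)+1))&0xff + int(out[i%n])
		out[i%n] = byte(carry)
		carry >>= 8
	}
	for i := n - 1; i >= 0 && carry != 0; i-- { // wrap the final carry around
		carry += int(out[i])
		out[i] = byte(carry)
		carry >>= 8
	}
	return out
}

var vectors = []struct { // reference values from RFC 3961 appendix A.1
	in, want string
	bits     int
}{
	{"012345", "be072631276b1955", 64},
	{"password", "78a07b6caf85fa", 56},
	{"kerberos", "6b65726265726f737b9b5b2b93132b93", 128},
}

// checkVectors returns one message per vector the implementation gets wrong.
func checkVectors() (fails []string) {
	for _, v := range vectors {
		if got := hex.EncodeToString(nfold([]byte(v.in), v.bits)); got != v.want {
			fails = append(fails, fmt.Sprintf("%d-fold(%q) = %s, want %s", v.bits, v.in, got, v.want))
		}
	}
	return fails
}
func main() { fmt.Println("mismatches:", checkVectors()) }
```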