Hi, I am trying to implement a client that is compliant with https://tools.ietf.org/html/rfc6806.html#section-11

The issue I am having is with validating the checksum returned in the PA-Data from the KDC. Below is the outline of the steps I am taking.

I need the checksum key and the value of the AS-REQ over which to compute the checksum.

To get the key:
1) Decrypt the encpart of the AS-REP
2) From the decrypted encpart get the key value
3) Derive the key to use for the checksum by using the usage number 56 read in big-endian and concatenated with 0x99.
4) Call the etype's derive key function with the key and the usage number. I use the etype corresponding to the type indicated in the key. I'm pretty sure this derive key function is correct as I use it elsewhere successfully.

To get the value of the AS-REQ:
1) ASN1 marshal the AS-REQ sent to get the bytes of the AS-REQ

Now pass the AS-REQ bytes and the key into the hash function of the etype. Compare the output of this with the bytes returned in the PA-Data's checksum field.

Do the steps above look correct or am I missing something? Any help is appreciated as I've been staring at this for quite a while now and I'm out of ideas :)

Thanks,
Jonathan

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos