Description of problem:
When parsing PKINIT preauthentication responses from a KDC running WS2003, my code is failing to verify the signature correctly. On examination of the signed data inside of the enveloped data, it appears that the digest algorithm given for the signed data is that of a signature algorithm (in my case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION) rather than a digest algorithm (I'd expect SEC_OID_SHA1). I think the party generating the message is doing it wrong, but I'd like to parse the message successfully anyway.

Version-Release number of selected component (if applicable):
nss-3.12.10-6.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
I'll attach the data that I have.

Actual results:
Error 18 while attempting to verify the data.

Expected results:
No error.
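The mismatch described in the report, as an added example that is not part of the bug report and is not the patch attached to it: a stand-alone C routine that reads the OID from a DER `AlgorithmIdentifier` in the digest-algorithm position and, when it finds a signature-algorithm OID such as sha1WithRSAEncryption, resolves it to the underlying digest and flags the fact so the caller can log it. The names `resolve_digest_alg`, `digest_t` and the sample byte strings are assumptions made for the illustration, and only short-form DER lengths are handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { DIGEST_UNKNOWN = 0, DIGEST_SHA1, DIGEST_SHA256 } digest_t;

/* DER content octets of each OID (tag and length stripped). */
static const unsigned char OID_SHA1[]       = {0x2B,0x0E,0x03,0x02,0x1A};
static const unsigned char OID_SHA256[]     = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};
static const unsigned char OID_SHA1_RSA[]   = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05};
static const unsigned char OID_SHA256_RSA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B};
static const struct { const unsigned char *oid; size_t len; digest_t digest; int is_sig; } MAP[] = {
    {OID_SHA1,       sizeof OID_SHA1,       DIGEST_SHA1,   0},
    {OID_SHA256,     sizeof OID_SHA256,     DIGEST_SHA256, 0},
    {OID_SHA1_RSA,   sizeof OID_SHA1_RSA,   DIGEST_SHA1,   1},  /* tolerated */
    {OID_SHA256_RSA, sizeof OID_SHA256_RSA, DIGEST_SHA256, 1},  /* tolerated */
};
/* Constructed samples: SEQUENCE { OID, NULL } as it would sit in digestAlgorithms. */
static const unsigned char SAMPLE_SIG_OID[] =   /* sha1WithRSAEncryption, as in the report */
    {0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00};
static const unsigned char SAMPLE_SHA1[] =      /* plain sha1, the expected form */
    {0x30,0x09,0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A,0x05,0x00};

/* Check a short-form TLV header with the given tag; content must fit in n bytes. */
static int der_header(const unsigned char *p, size_t n, unsigned char tag, size_t *len)
{
    if (n < 2 || p[0] != tag || p[1] >= 0x80 || (size_t)p[1] > n - 2) return -1;
    *len = p[1];
    return 0;
}
/* Resolve a digestAlgorithm field to a digest. *from_sig_alg is set to 1 when the
 * field carried a signature-algorithm OID, so the caller can record the deviation. */
digest_t resolve_digest_alg(const unsigned char *der, size_t n, int *from_sig_alg)
{
    size_t seq_len, oid_len, i;
    *from_sig_alg = 0;
    if (der_header(der, n, 0x30, &seq_len) != 0) return DIGEST_UNKNOWN;
    if (der_header(der + 2, seq_len, 0x06, &oid_len) != 0) return DIGEST_UNKNOWN;
    for (i = 0; i < sizeof MAP / sizeof MAP[0]; i++) {
        if (MAP[i].len == oid_len && memcmp(der + 4, MAP[i].oid, oid_len) == 0) {
            *from_sig_alg = MAP[i].is_sig;
            return MAP[i].digest;
        }
    }
    return DIGEST_UNKNOWN;  /* anything unlisted is rejected, not guessed */
}
int main(void)
{
    int a, b;
    digest_t d1 = resolve_digest_alg(SAMPLE_SIG_OID, sizeof SAMPLE_SIG_OID, &a);
    digest_t d2 = resolve_digest_alg(SAMPLE_SHA1, sizeof SAMPLE_SHA1, &b);
    printf("sig-oid: digest=%d tolerated=%d; sha1: digest=%d tolerated=%d\n", d1, a, d2, b);
    return 0;
}
```

The mapping is an explicit allowlist, so tolerance extends only to the listed signature OIDs and every other value still fails closed.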
Created attachment 515930 [details] preauth data
Created attachment 515931 [details] server CA certificate
Created attachment 515932 [details] client CA certificate
Created attachment 515933 [details] client credentials
Created attachment 515934 [details] test program
Created attachment 515936 [details] possible patch, though there's probably a better way
The possibly better patch has been attached upstream. It passes Nalin's little sample program. Nalin, can you see it works in your test environment? bob
Created attachment 522558 [details] bob's improved version of nalin's patch sent upstream, yet to be applied
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
The patch was merged in upstream long ago and we have newer versions in Fedora. If the problem persists, please feel free to reopen.