[39558] in Kerberos

Re: Failing ASN.1 tests with PKINIT on HP-UX

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Sat Sep 27 10:42:35 2025

Message-Id: <202509271440.58REekdH020200@hedwig.cmf.nrl.navy.mil>
To: "Osipov, Michael \(IN IT IN\)" <michael.osipov@innomotics.com>
cc: Kerberos@mit.edu
In-Reply-To: <090f2934-d321-400a-b21f-729bda1083ea@innomotics.com>
MIME-Version: 1.0
Date: Sat, 27 Sep 2025 10:40:46 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>> #ifndef DISABLE_PKINIT
>>     /****************************************************************/
>>     /* encode_krb5_pa_pk_as_req */
>>     {
>>         krb5_pa_pk_as_req req;
>>         ktest_make_sample_pa_pk_as_req(&req);
>>         encode_run(req, "pa_pk_as_req", "", acc.encode_krb5_pa_pk_as_req);

It would be interesting to drill down into the value of "req".  I can see
two possibilities:

- There's a bug somewhere in the ktest_make_sample_pa_pk_as_req() code path
  that is making an invalid krb5_pa_pk_as_req structure.
- There's a bug in the ASN.1 encoder somewhere.

Either way, assuming you want PKINIT to work, I don't think it's
something you should ignore.  I'd start with looking at "req" and then
figuring out what part of req it is trying to encode when you get this
core dump.  It looks like you omitted part of the stack trace?

>I am a bit surprised that the application is not linked against OpenSSL. 

My reading is that this is just testing the ASN.1 encoding routines and
you don't need OpenSSL to do that.

As an FYI, in my limited experience it's kind of difficult to test PKINIT
completely without a complete KDC and client setup, at least in our
environment (we use smartcards and that's hard to replicate all of those
operations in a test environment).  The unit tests in MIT Kerberos do a
reasonable job of testing all of the pieces, though.

--Ken

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos