[cifs-protocol] [EXTERNAL] [MS-OAPXBC] Incorrect session key instructions
David Mulder
dmulder at samba.org
Thu Jan 25 21:31:36 UTC 2024

On 1/25/24 11:01 AM, David Mulder via cifs-protocol wrote:
> I just discovered something interesting. If I take the transport key
> and certificate from the PowerShell on Windows join, then transfer it
> to my Linux code, then I get a valid session_key_jwe in the PRT
> response. So something about the join is breaking the PRT.

I discovered what was causing the problem. In the join request I was
inserting the TransportKey as a JWK. The request was actually expecting
an MS CNG key blob. So Azure parsed the JWK as a CNG blob, then stored
that garbage somewhere. This left it with a public portion of the
transport key that was longer than it was supposed to be.

Azure should be checking that the TransportKey is something sensible,
instead of blindly accepting it.

--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
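
An added example, not part of the original message and not Azure's or Samba's code: a strict parser for the CNG RSA public key blob layout (`BCRYPT_RSAKEY_BLOB`) that a receiver could run to reject a JWK submitted where a blob is expected. It assumes the transport key is a 2048-bit RSA public key; the function names, the size allow-list and the sample values are constructed for illustration.

```python
import base64
import json
import struct

BCRYPT_RSAPUBLIC_MAGIC = 0x31415352  # "RSA1" read as a little-endian ULONG
HEADER = struct.Struct("<6I")  # Magic, BitLength, cbPublicExp, cbModulus, cbPrime1, cbPrime2


def build_rsa_public_blob(n: int, e: int) -> bytes:
    """Serialize (n, e) as a BCRYPT_RSAKEY_BLOB public key blob."""
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    header = HEADER.pack(BCRYPT_RSAPUBLIC_MAGIC, n.bit_length(), len(exp), len(mod), 0, 0)
    return header + exp + mod


def parse_rsa_public_blob(blob: bytes, allowed_bits=(2048,)):
    """Return (n, e) or raise ValueError; never accept a partially valid blob."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than BCRYPT_RSAKEY_BLOB header")
    magic, bits, cb_exp, cb_mod, cb_p1, cb_p2 = HEADER.unpack_from(blob)
    if magic != BCRYPT_RSAPUBLIC_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    if bits not in allowed_bits or cb_mod != bits // 8:
        raise ValueError("modulus size not allowed or inconsistent with BitLength")
    if cb_p1 or cb_p2:
        raise ValueError("private-key fields present in a public blob")
    if not 1 <= cb_exp <= 8 or len(blob) != HEADER.size + cb_exp + cb_mod:
        raise ValueError("length does not match header fields")
    e = int.from_bytes(blob[HEADER.size:HEADER.size + cb_exp], "big")
    n = int.from_bytes(blob[HEADER.size + cb_exp:], "big")
    if n.bit_length() != bits or n % 2 == 0 or e < 3 or e % 2 == 0:
        raise ValueError("implausible RSA parameters")
    return n, e


def b64u(i: int) -> str:
    raw = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample inputs: an odd 2048-bit number standing in for a modulus
# (not a real key), and the same values wrapped as a JWK.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_E = 65537
SAMPLE_JWK = json.dumps({"kty": "RSA", "n": b64u(SAMPLE_N), "e": b64u(SAMPLE_E)}).encode()
```

Passing `SAMPLE_JWK` to `parse_rsa_public_blob` fails at the first check, because the JSON text's leading bytes `{"kt` are read as the `Magic` field; the exact-length check also rejects a blob whose key material is longer than its header declares.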