[Samba] Broken support for Smart Card Logon in Windows 2003 and XP
nick2005a.d at gmail.com
Sun Oct 17 21:31:47 MDT 2010
2010/10/7 Love Hörnquist Åstrand <lha at kth.se>:
> 6 okt 2010 kl. 02:49 skrev Michael Wood:
> hx509_cms_create_signed function and
> make sigctx.cmsidflag always equal CMS_ID_NAME)
> I think this failed because you are looking at enveloped data and not signed
> data. Try patching fill_CMSIdentifier() in hx509_cms_envelope_1() instead.
I've tried patching hx509_cms_envelope_1() but it didn't help.
But now, I think, I've found the real issue:
XP box includes in KRB5_AS_REQ only one supported digest algorithm:
md5withRSAEncryption (1.2.840.113522.214.171.124) (and this is the only
supported algorithm for XP, 2000 and 2003 - this is written in section
2.2 of MS-PKCA).
But the response from Samba (I found a way to decrypt it!!!) contains a
digital signature made with sha512WithRSAEncryption (in fact it is
rather hard to understand openssl asn1parse output, but the fact is that
there is no md5withRSAEncryption signature). So it looks like some bug
in the Heimdal code - I will investigate it further and try to locate the
exact place where the wrong signature is formed, but maybe you already know
P.S. If you need, I can send traffic capture files and decrypted KDC
answers (both from Windows DC and from Samba).
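As an added illustration (not part of this thread, nor Samba or Heimdal code), the following Python script does mechanically what the poster did by hand with openssl asn1parse: it walks the DER of a CMS SignedData-shaped reply, lists every OBJECT IDENTIFIER it finds, and flags any signature algorithm that is not in the set the client advertised in its AS-REQ. The sample blob is constructed here and deliberately simplified (placeholder signature bytes, id-data as content type, no certificates); the algorithm OIDs are the standard PKCS#1 values, and the "XP supports only md5WithRSAEncryption" set is taken from the message above.

```python
"""Walk a DER blob, collect every OID, and check the signature algorithm
used in a (simplified, constructed) SignedData against the algorithms a
client said it supports. Assumes single-byte tags (tag number < 31), which
covers every tag CMS SignedData uses."""

# Standard PKCS#1 signature-algorithm OIDs (known values, not from the thread).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # id-signedData
OID_ID_DATA = "1.2.840.113549.1.7.1"       # id-data, used here as a placeholder content type
OID_SHA512 = "2.16.840.1.101.3.4.2.3"      # id-sha512 (digest)
OID_MD5 = "1.2.840.113549.2.5"             # id-md5 (digest)


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element with definite-length DER."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """DER OBJECT IDENTIFIER body -> dotted string."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def walk_oids(der: bytes) -> list:
    """Return every OID in encounter order, descending into constructed
    elements (SEQUENCE, SET, [n]) but not into OCTET STRING payloads."""
    found, pos = [], 0
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:                       # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(der[pos:pos + nbytes], "big")
            pos += nbytes
        body = der[pos:pos + length]
        pos += length
        if tag == 0x06:
            found.append(decode_oid(body))
        elif tag & 0x20:                        # constructed: recurse
            found.extend(walk_oids(body))
    return found


def build_sample(digest_oid: str, sig_oid: str) -> bytes:
    """Constructed, heavily simplified SignedData-shaped blob carrying only
    the fields that hold algorithm identifiers. Not a valid CMS message."""
    def alg_id(oid):                            # AlgorithmIdentifier with NULL params
        return der_tlv(0x30, encode_oid(oid) + b"\x05\x00")
    signer_info = der_tlv(0x30,
        der_tlv(0x02, b"\x01")                  # version 1
        + alg_id(digest_oid)                    # digestAlgorithm
        + alg_id(sig_oid)                       # signatureAlgorithm
        + der_tlv(0x04, b"\x00" * 8))           # signature: placeholder bytes
    signed_data = der_tlv(0x30,
        der_tlv(0x02, b"\x03")                  # version 3
        + der_tlv(0x31, alg_id(digest_oid))     # digestAlgorithms SET
        + der_tlv(0x30, encode_oid(OID_ID_DATA))  # encapContentInfo (placeholder)
        + der_tlv(0x31, signer_info))           # signerInfos SET
    return der_tlv(0x30, encode_oid(OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))


def check_signature_algorithms(der: bytes, client_supported: set) -> dict:
    """List the signature algorithms present and those the client did not
    advertise; any 'unsupported' entry is a signature that client will reject."""
    used = [o for o in walk_oids(der) if o in SIG_ALG_NAMES]
    unsupported = [o for o in used if o not in client_supported]
    return {"used": [SIG_ALG_NAMES[o] for o in used],
            "unsupported": [SIG_ALG_NAMES[o] for o in unsupported]}


if __name__ == "__main__":
    xp_supported = {"1.2.840.113549.1.1.4"}    # XP/2000/2003: md5WithRSAEncryption only
    for label, blob in [("sha512-signed reply", build_sample(OID_SHA512, "1.2.840.113549.1.1.13")),
                        ("md5-signed reply", build_sample(OID_MD5, "1.2.840.113549.1.1.4"))]:
        print(label, check_signature_algorithms(blob, xp_supported))
```

To run it against a real capture, replace the constructed blob with the DER bytes of the PA-PK-AS-REP SignedData extracted from the AS-REP; the walker only needs the OIDs, so it does not have to understand the rest of the structure.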