[Samba] Broken support for Smart Card Logon in Windows 2003 and XP

Love Hörnquist Åstrand lha at kth.se
Wed Oct 20 20:47:27 MDT 2010


17 okt 2010 kl. 20.31 skrev Николай Домуховский:

> 2010/10/7 Love Hörnquist Åstrand <lha at kth.se>:
>> 
>> 6 okt 2010 kl. 02:49 skrev Michael Wood:
>> 
>> hx509_cms_create_signed function and
>> 
>> make sigctx.cmsidflag always equal CMS_ID_NAME)
>> 
>> I think this failed because you are looking at enveloped data and not signed
>> data. try patching fill_CMSIdentifier() in hx509_cms_envelope_1() instead.
>> Love
>> 
>> 
> Thanks, Love.
> I've tried patching hx509_cms_ebvelope_1() but it didn't help.
> But now, I'm think, I've found real issue:
> XP box include in KRB5_AS_REQ only one supported digest algorithm:
> md5withRSAEncryption (1.2.840.113549.1.1.4) (and this is only
> supported algorithm for XP, 2000 and 2003 - this is written in secrion
> 2.2 of MS-PKCA).
> But response from Samba (I found a way to decrypt it!!!) contains
> digital signature made with sha512WithRSAEncryptions (in fact it is
> rather hard to understand openssl ans1parse output, but fact that
> there is no md5withRSAEncryption signature). So it looks like some bug
> in Heimdal code - I will investigate it further and try to locate
> exact place, where wrong signature formed, but maybe you already know
> answer...
> 
> 
> P.S. If you need I can send trafic capture files and decrypted KDC
> answers (both form Windows DC and from Samba).


You can probably change the code in kdc/pkinit.c around 870 that sets up the supported cms types it will use,

if you use hx509_signature_rsa_with_md5() and hx509_signature_md5() instead of SHA1 it might work for you.

Love




More information about the samba mailing list