Implementing a PKINIT AS exchange

Implementing a PKINIT AS exchange

oriol caño
Hello,

I am working on a project for MIT Kerberos; the wiki page is the
following one:
http://k5wiki.kerberos.org/wiki/Projects/Realm_Crossover_between_KDCs

I want to perform an AS exchange between two different KDCs, and I want to
do it using a sort of PKINIT exchange with Elliptic Curve, following RFC
5349.

I think this is currently not supported by the KDC, but it wouldn't be a
problem, because I am doing all the logic in a daemon that executes on the
same machine as the KDC. The daemon gets the requests from the KDC, which
redirects them.

My problem is, I couldn't find how to create an AS request in order to send
it through the Internet.
As far as I have seen, the initial AS exchange is performed with the set of
functions *krb5_get_init_creds_X*. These functions manage the AS exchange
internally, and it does not seem to be easy to adapt to my needs.

I may be wrong in my assumptions, I don't know the code that well.

What do you think should be my approach?
One of my ideas was to build the AS_REQ myself and send it to the KDC, but
this does not seem to be the approach taken by the *kinit* client, for
example, so I am not sure how to do it.

Thanks for your help in advance.

Kind regards,
Oriol Caño
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Implementing a PKINIT AS exchange

Rick van Rein (OpenFortress)
Hi Oriol,

If you are not bound to the ASN.1 code of the MIT Kerberos5 implementation (which isn't exported and which makes you do things in the "wrong" order), you might consider using libtasn1 to produce ASN.1 encoded data.  The documentation of libtasn1 is a bit underdeveloped, but that mainly concerns the flow that an example will quickly resolve.  Basically, you do this:

1. Write an ASN.1 spec (or, usually grab it from specifications)
2. Pass it through the asn1Parser command to generate a C file with a linear array used by libtasn1
3. Possibly use asn1Coding / asn1Decoding commands to translate according to ASN.1 specs between DER encoding and a textual data representation
4. Turn the linear array from asn1Parser to a quicker-usable definitions tree with asn1_array2tree()
5. Create an instance of the definitions tree with asn1_create_element()
6. Set elements in the instance with asn1_write_value()
7. Serialise to binary form (DER) with asn1_der_coding()
8. Clean up the instance with asn1_delete_structure() or asn1_delete_element() [am not sure...]
9. Clean up the definitions tree with asn1_delete_structure()

The opposite direction is also supported, of course.

I did not use this yet, but I found GnuTLS' support for PKINIT certificates in 3.5.0 is a nice guide,
https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/krb5.c#L134

Cheers,
 -Rick

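Added example, not part of either message and not code from MIT Kerberos, GnuTLS or libtasn1: a hand-written C encoder for the `KRB5PrincipalName` structure that RFC 4556 defines for PKINIT certificates. It does not use libtasn1; it gives reference DER bytes to compare against what the serialisation step of the libtasn1 flow above returns for the same structure. The names `tlv`, `encode_krb5_principal` and `MAXBUF` are hypothetical, and the encoder assumes a name-type between 0 and 127.

```c
#include <stddef.h>
#include <string.h>

#define MAXBUF 512  /* scratch size; an assumption of this example */

/* Write one DER TLV (tag, definite length, value) at out; returns its size. */
static size_t tlv(unsigned char tag, const void *val, size_t len, unsigned char *out)
{
    size_t n = 0;
    out[n++] = tag;
    if (len < 0x80) {
        out[n++] = (unsigned char)len;                 /* short form */
    } else if (len <= 0xff) {
        out[n++] = 0x81; out[n++] = (unsigned char)len;
    } else {                                           /* len < MAXBUF here */
        out[n++] = 0x82; out[n++] = (unsigned char)(len >> 8);
        out[n++] = (unsigned char)len;
    }
    memcpy(out + n, val, len);
    return n + len;
}

/* DER-encode KRB5PrincipalName (RFC 4556); returns its length, 0 on error. */
size_t encode_krb5_principal(const char *realm, int name_type,
                             const char *const *comps, size_t ncomps,
                             unsigned char *out, size_t cap)
{
    unsigned char a[MAXBUF], b[MAXBUF], c[MAXBUF];
    unsigned char nt[3] = { 0x02, 0x01, (unsigned char)name_type };
    size_t need = strlen(realm) + 40, alen = 0, blen, clen, i;

    if (name_type < 0 || name_type > 127) return 0;    /* one-byte INTEGER only */
    for (i = 0; i < ncomps; i++) need += strlen(comps[i]) + 4;
    if (need > MAXBUF) return 0;                       /* would overflow scratch */

    for (i = 0; i < ncomps; i++)                       /* KerberosString = GeneralString */
        alen += tlv(0x1b, comps[i], strlen(comps[i]), a + alen);
    blen = tlv(0x30, a, alen, b);                      /* SEQUENCE OF KerberosString */
    alen = tlv(0xa0, nt, sizeof nt, a);                /* name-type [0] */
    alen += tlv(0xa1, b, blen, a + alen);              /* name-string [1] */
    blen = tlv(0x30, a, alen, b);                      /* PrincipalName */
    alen = tlv(0x1b, realm, strlen(realm), a);         /* Realm */
    clen = tlv(0xa0, a, alen, c);                      /* realm [0] */
    clen += tlv(0xa1, b, blen, c + clen);              /* principalName [1] */
    alen = tlv(0x30, c, clen, a);                      /* KRB5PrincipalName */
    if (alen > cap) return 0;                          /* caller's buffer too small */
    memcpy(out, a, alen);
    return alen;
}
```

For the constructed principal `alice@EXAMPLE.COM` with name-type 1, the result is 37 bytes beginning `30 23 a0 0d 1b 0b`.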