
Re: success with pkinit/opensc was (Re: Heimdal PKINIT compile errors)

manu <manux@rstack.org> writes:

> Peter Duff wrote:
>
>>To the fun part: I'm working on porting a pam_krb5 module to work with
>>pkinit.  The main issue seems to be that, as far as I can tell,
>>certificates can only be retrieved from disk, rather than going
>>through opensc to retrieve them.  Would it not make sense to change this
>>so that the certificate is retrieved from the same slot_x-id_x field
>>as specified?
>>
> Yes, it would. Unfortunately there is currently no way of doing it
> nicely and easily using OpenSSL engines. You could use the PKCS#11 API
> only for getting the certificate from the card, but you would have to
> reload the PKCS#11 module and catch the
> CKR_CRYPTOKI_ALREADY_INITIALIZED error.
> Another approach is to use PKCS#11 all the way.
> Therefore, I have a question: can we imagine seeing the function
> pk_principal_from_X509 from kdc/pkinit.c moved to lib/krb5/pkinit.c
> with a slightly different profile, pk_principal_from_X509(krb5_context
> context, X509 *client_cert, krb5_principal *principal), so that it
> could also be used on the client side to match certificate and
> principal?

Thank you both for testing the pk-init code. Soon I'll need to update the
code to match the current pk-init draft; some of the ASN.1 structures have
changed.

I have some code that uses PKCS#11 directly, but it's not ready for prime-time
use. The reason I started with that was that getting the cert through the
OpenSSL interface seemed impossible.

Moving the function pk_principal_from_X509 would be fine; in fact, it's
something like that I want to happen, but most of the code in there is
there because of the stupidness of the X.509 libs. I think two functions are
needed: one for mapping a principal name to an X.509 cert/private-key pair,
and one that does the reverse, getting a principal to try to use for a
certificate.

The same function should also look at the Microsoft UPN attribute (msUPN? I
can't remember the entry name now and am currently offline) to figure out
the principal name to use.

Love

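The "reverse" mapping Love describes, deriving a principal from a client certificate, comes down to walking the certificate's subjectAltName extension for two otherName entries: the PKINIT KRB5PrincipalName (id-pkinit-san, OID 1.3.6.1.5.2.2) and the Microsoft User Principal Name (OID 1.3.6.1.4.1.311.20.2.3, the "msUPN" attribute Love could not recall). The following is an added example, not Heimdal code and not part of this thread: a self-contained DER walker that builds a constructed SAN extension value inline and extracts both candidate principals from it. It assumes the KRB5PrincipalName layout of the later PKINIT drafts (realm [0] as a GeneralString, principalName [1] with name-type [0] and name-string [1]), which may differ from the draft version the thread was tracking; the sample names and realm are invented.

```python
"""Extract Kerberos principal candidates from an X.509 subjectAltName (DER).

Added example for the pk_principal_from_X509 discussion. It does not use
OpenSSL; a tiny DER encoder builds a constructed SAN value so the decoder
can be run offline, and the decoder mirrors what a client-side
"cert -> principal" helper must do: find otherName entries whose type-id is
the PKINIT KRB5PrincipalName or the Microsoft UPN, and turn them into
"name@REALM" strings.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName
KRB5_PRINC_OID = "1.3.6.1.5.2.2"     # id-pkinit-san (KRB5PrincipalName)

# ---- minimal DER helpers (single-byte tags, definite lengths only) ----

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, pos=0):
    """Return (tag, body, position after this element); rejects truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length

def iter_children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        yield tag, inner

# ---- decoding the two principal-bearing otherName forms ----

def decode_krb5_principal_name(seq_body):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }"""
    realm, names = None, []
    for tag, body in iter_children(seq_body):
        if tag == 0xA0:                       # [0] realm, a GeneralString (tag 27)
            rtag, rbody, _ = parse_tlv(body)
            if rtag != 0x1B:
                raise ValueError("realm is not a GeneralString")
            realm = rbody.decode("ascii")
        elif tag == 0xA1:                     # [1] PrincipalName SEQUENCE
            _, pbody, _ = parse_tlv(body)
            for ftag, fbody in iter_children(pbody):
                if ftag == 0xA1:              # [1] name-string SEQUENCE OF GeneralString
                    _, sbody, _ = parse_tlv(fbody)
                    names = [s.decode("ascii") for t, s in iter_children(sbody) if t == 0x1B]
    if realm is None or not names:
        raise ValueError("incomplete KRB5PrincipalName")
    return "/".join(names) + "@" + realm

def principals_for_cert_san(san_der):
    """Return [(source, principal)] for every recognised otherName in a SAN value."""
    tag, body, _ = parse_tlv(san_der)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    found = []
    for gtag, gbody in iter_children(body):
        if gtag != 0xA0:                      # otherName is [0] IMPLICIT AnotherName
            continue
        parts = list(iter_children(gbody))
        if len(parts) < 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
            continue                          # malformed AnotherName: skip, don't trust
        oid = decode_oid(parts[0][1])
        vtag, vbody, _ = parse_tlv(parts[1][1])
        if oid == UPN_OID and vtag == 0x0C:   # UPN value is a UTF8String
            found.append(("msUPN", vbody.decode("utf-8")))
        elif oid == KRB5_PRINC_OID and vtag == 0x30:
            found.append(("pkinit-san", decode_krb5_principal_name(vbody)))
    return found

# ---- constructed sample SAN (invented names; not from a real certificate) ----

def explicit(n, body):
    return tlv(0xA0 | n, body)

def seq(*items):
    return tlv(0x30, b"".join(items))

def other_name(oid, value_der):
    return tlv(0xA0, tlv(0x06, encode_oid(oid)) + explicit(0, value_der))

SAMPLE_SAN = seq(
    tlv(0x81, b"manu@example.org"),          # rfc822Name: not a principal source
    other_name(UPN_OID, tlv(0x0C, b"manu@EXAMPLE.ORG")),
    other_name(KRB5_PRINC_OID, seq(
        explicit(0, tlv(0x1B, b"EXAMPLE.ORG")),
        explicit(1, seq(explicit(0, tlv(0x02, b"\x01")),          # name-type NT-PRINCIPAL
                        explicit(1, seq(tlv(0x1B, b"manu"))))))),
)

if __name__ == "__main__":
    for source, principal in principals_for_cert_san(SAMPLE_SAN):
        print(f"{source:11s} {principal}")
```

In a real client the SAN bytes would come from the certificate's extension (on the OpenSSL side, X509_get_ext_d2i with NID_subject_alt_name), and the caller must still decide which source wins when a certificate carries both and they disagree; the example returns every candidate so that policy stays with the caller, and it deliberately skips rather than guesses on malformed otherName entries, since a lenient parser here is what lets a crafted certificate map to an unintended principal.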