
Re: pkinit, openssl engines, and cert retrieval.

Matthew Andrews wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Douglas E. Engert wrote:
> 
>>
> 
>>If you want a stable API, that would be PKCS#11. The Heimdal code could
>>call this directly and would mean it could drop the engine code.
>>You might also want to look at the OpenSC libp11 that is a helper lib
>>for applications to make it easier to use pkcs11.
>>
>>
> 
> As far as I can tell, pkcs11 really doesn't allow you to expose enough
> information (user/principal name for example)

And (IMHO) it should not. Although Windows may require the UPN to be in a
certificate for login, this then means that certificates are only good
for a single domain. (It appears they will remove this restriction in
Vista and be able to use arbitrary certificates from multiple CAs.)

What you are looking for is similar to the gridmap functionality, where
given a subject name, map it to the user. But in this case it is not
the local user name but a Kerberos principal.

> to be a good general
> purpose identity retrieval callout interface. In my use case, I expect
> to be getting x509 certs via calls to a myproxy client library. In this
> case I need access to a username to use in the myproxy protocol
> authentication phase. In my case it's desirable that this be the
> principal name for which the user is attempting to get krb5 credentials.

So you may have four separate "names" and mappings to contend with:

(1) local unix account name
(2) Certificate subject name
(3) Kerberos principal
(4) myproxy login name.


    myproxy name -> Certificate    (myproxy must be doing this)
    Certificate -> principal       (Pkinit or KDC may do this, or require the
                                    principal to be given.)
    principal -> local account     (.k5login)

None of these are guaranteed to be 1 to 1 or even many to 1, so the user may
have to enter multiple names.

> 
> I'm not sure how such information could reasonably be passed through the
> pkcs11 interface (unless by some unholy means such as storing it in an
> object on the "card", which would hardly be the kind of thing you want to
> be hardcoded into the kerberos libraries.)

I am still not sure trying to put the myproxy under PKCS11 to hide it
from Kerberos is that good of an idea.

> 
> 
> - -Matt Andrews

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
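The certificate-subject-to-principal mapping discussed above (the gridmap-style step that PKINIT or the KDC has to perform, where one subject may map to several principals and the user then has to name one) as an added, stand-alone example; it is not code from this thread, Heimdal or Globus. The quoted-DN-then-principals file format, the names and the `resolve` policy are assumptions modelled on the Globus gridmap layout.

```python
import re

# Constructed gridmap-style file: a quoted certificate subject DN followed by
# one or more comma-separated Kerberos principals. The format is an assumption
# (modelled on the Globus gridmap); the DNs and principals are made up.
GRIDMAP = '''
# subject DN                                    principal(s)
"/C=US/O=Argonne/OU=MCS/CN=Example User One"    user1@EXAMPLE.ORG
"/C=US/O=Argonne/OU=MCS/CN=Example User Two"    user2@EXAMPLE.ORG,user2/admin@EXAMPLE.ORG
"/C=US/O=Argonne/OU=NSS/CN=Example User Two"    user2@EXAMPLE.ORG
'''

LINE_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')

def parse_gridmap(text):
    """Return {subject DN: [principal, ...]}. A DN listed twice accumulates,
    so neither direction of the mapping is assumed to be one-to-one."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed gridmap line: {line!r}")
        dn, princs = m.groups()
        for p in princs.split(','):
            if p and p not in mapping.setdefault(dn, []):
                mapping[dn].append(p)
    return mapping

def principals_for_subject(mapping, dn):
    return list(mapping.get(dn, []))

def subjects_for_principal(mapping, principal):
    return sorted(dn for dn, ps in mapping.items() if principal in ps)

def resolve(mapping, dn, requested=None):
    """Choose the principal for a certificate subject. One candidate: use it.
    Several: the caller must supply the principal (the user enters a name,
    as the mail notes), and it is accepted only if the map authorises it."""
    cands = principals_for_subject(mapping, dn)
    if not cands:
        raise LookupError("certificate subject is not mapped to any principal")
    if requested is None:
        if len(cands) == 1:
            return cands[0]
        raise LookupError("ambiguous subject: the principal must be given")
    if requested not in cands:
        raise PermissionError("requested principal not authorised for subject")
    return requested
```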