PKINIT and cross-signed certs

Ken Dreyer ktdreyer at ktdreyer.com
Tue Mar 22 16:01:31 EDT 2011


I've recently been testing PKINIT with the FBCA (Federal Bridge
Certificate Authority) certs. I've got it working with my agency's
Active Directory servers with a minor adjustment. I'm using Fedora 13,
krb5-pkinit-openssl-1.7.1-17.fc13.1.

cms_signeddata_create() has a parameter "include_certchain". When set
to 1, the function is supposed to automatically construct a
certificate chain based on the user's SSL certificate, and send that
in the AS-REQ. When include_certchain is 0, the code appears to just
bundle up everything in the "pkinit_anchors" configuration and send
it.

In src/plugins/preauth/pkinit/pkinit_clnt.c , cms_signeddata_create()
is called with include_certchain parameter of 1.

OpenSSL does not seem to handle the circular signing among the various
Federal Bridge CAs. In short, if "CA1" is issued by "CA2", and "CA2"
is also issued by "CA1", the OpenSSL chain functions will just spin
around until they hit the maximum verification depth. The error
returned is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (an unfortunate
misnomer; I wonder why OpenSSL doesn't use
X509_V_ERR_CERT_CHAIN_TOO_LONG ...)

I was able to solve this by patching the MIT client PKINIT plugin to
set include_certchain to 0, so OpenSSL wouldn't trip up. This doesn't
seem to be a great solution.

Does anyone have any opinion on the best way to handle this situation?
Maybe someone has had a similar idea once upon a time, if there is an
"include_certchain" parameter in the code ...
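The circular-signing problem described in the post, as an added example that is not part of the original message and is not code from OpenSSL or the MIT PKINIT plugin: a simplified Python model of two chain-building strategies. Certificates are reduced to (subject, issuer) name pairs, the CA names ("CA1", "CA2", "user") and the depth limit of 5 are made up, and signatures and key checks are omitted, because only the issuer-walking logic matters here. The first builder searches the supplied (untrusted) chain before the trust anchors and stops only at a self-signed cert, which is the behaviour the post describes; the second consults the anchors first and refuses to revisit a subject already on the chain.

```python
# Added example: a simplified model of X.509 chain building with cross-signed
# CAs. NOT OpenSSL's or MIT Kerberos's code; it models the issuer-following
# behaviour described in the post. Names are constructed, signatures omitted.
from collections import namedtuple

Cert = namedtuple("Cert", ["subject", "issuer"])

# Constructed certificates: two bridge CAs that have each issued a
# cross-certificate for the other, their self-signed roots, and a user cert.
CA1_SELF = Cert("CA1", "CA1")
CA2_SELF = Cert("CA2", "CA2")
CA1_BY_CA2 = Cert("CA1", "CA2")   # CA1's cert as issued by CA2
CA2_BY_CA1 = Cert("CA2", "CA1")   # CA2's cert as issued by CA1
USER = Cert("user", "CA1")

MAX_DEPTH = 5  # arbitrary stand-in for the verifier's maximum chain depth


class ChainError(Exception):
    pass


def find_issuer(cert, pool):
    """Return the first cert in `pool` whose subject matches `cert`'s issuer."""
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def build_chain_untrusted_first(leaf, untrusted, anchors, max_depth=MAX_DEPTH):
    """Walk issuers through the supplied (untrusted) certs before consulting
    the anchors, stopping only at a self-signed cert or the depth limit.
    With CA1 <-> CA2 cross-certs in `untrusted` the anchors are never reached."""
    chain = [leaf]
    cur = leaf
    while cur.subject != cur.issuer:
        if len(chain) > max_depth:
            raise ChainError("UNABLE_TO_GET_ISSUER_CERT (depth limit reached)")
        nxt = find_issuer(cur, untrusted) or find_issuer(cur, anchors)
        if nxt is None:
            raise ChainError("UNABLE_TO_GET_ISSUER_CERT")
        chain.append(nxt)
        cur = nxt
    return chain


def build_chain_anchor_first(leaf, untrusted, anchors, max_depth=MAX_DEPTH):
    """Stop as soon as a trust anchor issues the current cert, and refuse to
    revisit a subject already on the chain, so a cross-signing loop is
    reported as a loop instead of being walked until the depth limit."""
    chain = [leaf]
    seen = {leaf.subject}
    cur = leaf
    while True:
        if cur in anchors:                      # leaf itself is trusted
            return chain
        anchor = find_issuer(cur, anchors)
        if anchor is not None:                  # reached the trust store
            chain.append(anchor)
            return chain
        if cur.subject == cur.issuer:
            raise ChainError("SELF_SIGNED_CERT_IN_CHAIN (untrusted root)")
        if len(chain) > max_depth:
            raise ChainError("CERT_CHAIN_TOO_LONG")
        nxt = find_issuer(cur, untrusted)
        if nxt is None:
            raise ChainError("UNABLE_TO_GET_ISSUER_CERT")
        if nxt.subject in seen:
            raise ChainError("cross-signing loop: %s -> %s" % (cur.subject, nxt.subject))
        seen.add(nxt.subject)
        chain.append(nxt)
        cur = nxt


def try_build(builder, leaf, untrusted, anchors):
    """Return the chain's subject names on success, or the error text."""
    try:
        return [c.subject for c in builder(leaf, untrusted, anchors)]
    except ChainError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    cross = [CA1_BY_CA2, CA2_BY_CA1]
    roots = [CA1_SELF, CA2_SELF]
    # cross-certs bundled with the request, untrusted searched first
    print(try_build(build_chain_untrusted_first, USER, cross, roots))
    # only the anchors supplied (the include_certchain = 0 workaround)
    print(try_build(build_chain_untrusted_first, USER, [], roots))
    # cross-certs supplied, but anchors consulted first
    print(try_build(build_chain_anchor_first, USER, cross, roots))
    print(try_build(build_chain_anchor_first, USER, cross, [CA2_SELF]))
    print(try_build(build_chain_anchor_first, USER, cross, []))
```

In the model, the second scenario is the workaround from the post: with nothing but the anchors to walk, the untrusted-first builder terminates at the self-signed root. The anchor-first builder terminates even when the cross-certificates are present, because it stops at whichever of CA1 or CA2 is in the trust store. OpenSSL 1.0.2 later added the X509_V_FLAG_TRUSTED_FIRST verify flag for this, and OpenSSL 1.1.0 made that ordering the default.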


