Using PKINIT with ECC

Greg Hudson ghudson at mit.edu
Fri Nov 17 00:53:17 EST 2023


On 11/15/23 23:22, Goetz Golla wrote:
> * Does MIT Kerberos support PKINIT with Elliptic Curves as described
> in RFC 5349 ?

A P-384 EC client certificate works in my tests, with either krb5-1.17 
or the current code, as long as the KDC is also running MIT krb5.

Ken is correct that there is a hardcoded reference to RSA in the source:

         p7si->digest_enc_alg->algorithm =
             OBJ_nid2obj(NID_sha256WithRSAEncryption);

and this probably means the CMS signature has a piece of incorrect 
metadata when an EC certificate is used.  But this field is not used 
when generating the signature contents and is ignored by OpenSSL when 
verifying the signature (when the KDC is running MIT krb5).

> * Could it be that for ECC client certificates the KDC certificate
> also needs the be ECC ?

In my tests the KDC certificate was an RSA cert, so no.

Of course, my experience doesn't match yours.  From your trace, I 
believe that the failure occurs in the client code, not on the KDC, so 
inspecting the KDC logs would not help.  But the trace log does not 
contain any detailed information about the failure.

You can sometimes improve the diagnostics for PKINIT failures by 
removing the long-term keys associated with the principal, so that 
authentication does not fall back to encrypted timestamp:

   kadmin purgekeys -all user

If that doesn't help, it may be necessary to build the code with 
debugging symbols and and step through it to find out where it is failing.


More information about the Kerberos mailing list