pkinit updates

Nebergall, Christopher cneberg at
Tue Dec 12 19:39:28 EST 2006

I tested the current code from Linux using an ActivCard against an
Active Directory instance.  Worked fine.  I assume that means it can do
some sort of protocol sniffing to determine if it is using Draft 9, or
an RFC version of PKINIT as I didn't specify that anywhere.

One change I made was it assumed it needed to use the first certificate
available on the card, and the cert I needed to use was the 3rd
certificate so I changed the hard coded cert # in the code.  ActivCard
software seems to have the concept of a "default certificate" and it
will only use that certificate to log into Linux.  This default cert is
actually kept track of in the card itself as I had to set the default
cert from the windows ActivCard client to get it to use the correct cert
for Linux login using the Linux ActivCard client.  Would it be possible
to determine the ActivCard "default cert" by default, and then allow the
user to choose a different one if necessary? How do most OSes determine
which cert on a smart card should be used for login? Same method?

Current version of the code in SVN with -DWITHOUT_PKCS11 won't compile.

pkinit_lib.c: In function `pkcs7_signeddata_create':
pkinit_lib.c:738: error: structure has no member named `mech'
pkinit_lib.c:738: error: `CKM_RSA_PKCS' undeclared (first use in this
pkinit_lib.c:738: error: (Each undeclared identifier is reported only
pkinit_lib.c:738: error: for each function it appears in.)
pkinit_lib.c:751: warning: passing arg 1 of `malloc' makes integer from
pointer without a cast
pkinit_lib.c:856: error: structure has no member named `mech'

-----Original Message-----
From: krbdev-bounces at [mailto:krbdev-bounces at] On Behalf
Of Jim Rees
Sent: Tuesday, December 12, 2006 2:36 PM
To: Douglas E. Engert
Cc: Sam Hartman; lha at; krbdev at; Kevin Coffman
Subject: Re: pkinit updates

The environment variable will go away.  We're not done yet.

Of course you could have multiple tokens, or even a single token
appearing on multiple slots.  In that case you must specify which slot
you want.  But if you have only one slot with a token, you don't have to
specify the slot id.  That's because the code now uses the first slot
that has a token, if you don't specify.

I thought about allowing you to specify a token label, and I may do that
if I have time.
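As an added example (not code from this thread, from MIT Kerberos, or from the ActivCard client), here are the two selection rules the thread discusses written out in C: the slot rule Jim describes (use the one slot that has a token when no slot id is given; otherwise the caller must say which) and the certificate choice Chris asks about (the first certificate is only a fallback, and a label or index can override it). The struct names, the constructed slot and certificate tables, and the choice to refuse rather than guess when several slots hold tokens are assumptions of this example; in a real client the tables would come from C_GetSlotList, C_GetTokenInfo and a CKO_CERTIFICATE object search.

```c
/* Added example, not code from the krbdev thread or from MIT Kerberos.
 * Models the PKINIT slot and certificate selection policy over constructed
 * tables that stand in for C_GetSlotList / C_GetTokenInfo / C_FindObjects
 * results. Only the policy comes from the thread; names are constructed. */
#include <stdio.h>
#include <string.h>

#define NO_SLOT_REQUESTED  (-1L)
#define NO_CERT_REQUESTED  (-1)

struct slot {
    unsigned long id;     /* stands in for CK_SLOT_ID */
    int has_token;        /* CKF_TOKEN_PRESENT from CK_SLOT_INFO.flags */
    const char *label;    /* CK_TOKEN_INFO.label, trimmed */
};

struct cert {
    const char *label;    /* CKA_LABEL of the CKO_CERTIFICATE object */
    const char *subject;  /* CKA_SUBJECT, shown as text for readability */
};

/* Slot policy: a requested slot id is honoured only if that slot has a
 * token; with no request, use the single slot that has a token, and fail
 * closed (return -1) when zero or several slots do, so a second reader
 * cannot silently redirect the login to the wrong card. Returns an index
 * into slots[] or -1. */
int select_slot(const struct slot *slots, int n, long requested_id)
{
    int found = -1, count = 0;
    for (int i = 0; i < n; i++) {
        if (!slots[i].has_token)
            continue;
        if (requested_id != NO_SLOT_REQUESTED) {
            if ((long)slots[i].id == requested_id)
                return i;
            continue;
        }
        count++;
        found = i;
    }
    if (requested_id != NO_SLOT_REQUESTED)
        return -1;                   /* requested slot absent or empty */
    return count == 1 ? found : -1;  /* 0 = no token, >1 = ambiguous */
}

/* Certificate policy: an explicit label wins over an index, an index must
 * be in range, and with neither the first certificate is used, which is the
 * hard-coded behaviour the first mail had to patch around. Returns an index
 * into certs[] or -1. */
int select_cert(const struct cert *certs, int n, const char *label, int index)
{
    if (label != NULL) {
        for (int i = 0; i < n; i++)
            if (strcmp(certs[i].label, label) == 0)
                return i;
        return -1;
    }
    if (index != NO_CERT_REQUESTED)
        return (index >= 0 && index < n) ? index : -1;
    return n > 0 ? 0 : -1;
}

/* Constructed fixtures: one empty reader plus one card, and a two-card case. */
const struct slot one_token[] = {
    { 0, 0, "" },
    { 1, 1, "ActivCard" },
};
const struct slot two_tokens[] = {
    { 0, 1, "ActivCard" },
    { 1, 1, "OtherCard" },
};
const struct cert card_certs[] = {
    { "Encryption", "CN=example user, OU=email" },
    { "Signature",  "CN=example user, OU=sign" },
    { "Login",      "CN=example user, OU=logon" },
};

int main(void)
{
    int s = select_slot(one_token, 2, NO_SLOT_REQUESTED);
    int c = select_cert(card_certs, 3, "Login", NO_CERT_REQUESTED);
    if (s < 0 || c < 0) {
        fprintf(stderr, "no unique usable slot/certificate; specify one\n");
        return 1;
    }
    printf("slot %lu (%s), cert %d (%s)\n",
           one_token[s].id, one_token[s].label, c, card_certs[c].label);
    return 0;
}
```

The point of the fail-closed branch in select_slot is the case Jim mentions, a token appearing on multiple slots or two tokens present: silently taking the first one is exactly how a login ends up bound to the wrong certificate, so the client should ask rather than guess.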