First draft of pkinit plugin code now in Subversion

Olga Kornievskaia aglo at
Mon Nov 27 12:22:13 EST 2006

Sam Hartman wrote:
> Hi.
> Thanks for the code.
> I've confirmed that it does in fact work in the success case.  It was
> relatively easy to build and the README did document enough of how to
> get the code working.
> The code seems to crash in the following cases:
> 1) A cert is used that is not authorized to gain access to the account
>    in question.  For example if I use a hartmans cert to try and log
>    into testprinc, it crashes the kdc.
> 2) If the CA directory is not hashed, the KDC cannot find the CA cert
>    to use and crashes.
Sam, I'm unable to reproduce the problem you are describing. I've tried 
both cases and my setup fails appropriately without crashes. Could you 
describe your setup a little more?

A side comment, currently the code only supports hashed CA directory but 
it should fail properly if the directory is not there or ca files are 
not hashed.
> I'm concerned that the code uses a 1024-bit DH group and there seems
> to be no way to change this. 
that is correct. currently, the code has no way of passing options to 
the pkinit plugin so we can't choose between different options. we are 
working on passing options so the user can choose between 1024, 2048 or 
4096. as far as i know 1024-bit group is not weak.
> there seems to be no support for the supportedCMSTypes field 
that is correct as well. as it was an optional field, it's 
implementation was not high on our list.
> and that the use of CMS seems to hard code sha-1 rather than
> making intelligent decisions about the appropriate hash to sign with.
pkinit rfc states (3.1.1) that signature algorithm is always 
> However, this does look like a very good initial cut at things.

More information about the krbdev mailing list