Comments on the use of plugins - use of pkinit_kdc_hostname
Douglas E. Engert
deengert at anl.gov
Fri Jun 15 15:05:47 EDT 2007
Got the pkinit code running on Solaris 10 to work with W2k3 KDCs
using OpenSC, with pcsc and ccid drivers calling libusb.
But this required the use of the pkinit_eku_checking = kpServerAuth
and pkinit_kdc_hostname parameters in the krb5.conf
The pkinit_kdc_hostname, in effect, duplicates the hostnames
as used in kdc = or in the DNS SRV records. We really like to
use the dns_lookup_kdc=1 option so we don't have to have the names
of the KDCs in the krb5.conf. Having to add the
hostnames for pkinit_kdc_hostnames defeats this goal!
If the concern is that the cert may be valid but not be from
a KDC, I would hope that some more Windows friendly code
could be added. It looks like Windows adds the extension
1.3.6.1.311.20.2 with a value of DomainController (utf8?) to
the cert as well as a SAN for DNS. (But windows being windows
the host part of the DNS name XXXXXX below is in uppercase!)
(If it would be helpful, I can send the cert.) But for now here are
the pertinent extensions:
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
S/MIME Capabilities:
1.3.6.1.4.1.311.20.2:
. .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Alternative Name:
othername:<unsupported>, DNS:XXXXXX.anl.gov
To get the cert, I added the line
PEM_write_X509(stdout, cert);
to pkinit_crypto_openssl.c
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
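As an added illustration (not code from the mail or from MIT Kerberos), here is a pure-Python check of the two extensions described above: it decodes the Microsoft certificate-template-name extension (1.3.6.1.4.1.311.20.2) and the SAN dNSName entries, then decides whether the cert was issued to a DomainController for the expected KDC host, comparing hostnames case-insensitively because Windows upper-cases the host label. It assumes the template-name value is a BMPString (UTF-16BE), which is what the dotted "D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r" in the dump suggests; the DER sample values and the hostname KDC01.EXAMPLE.TEST are constructed, not taken from a real certificate.

```python
# Added example: verify a KDC cert via the Windows template-name extension
# and SAN instead of a static pkinit_kdc_hostname list. Not MIT Kerberos code.
# Assumption: 1.3.6.1.4.1.311.20.2 carries a BMPString (UTF-16BE) value.

def _der_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for one DER TLV (short/long length)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def template_name(ext_value):
    """Decode the certificate-template-name extension value to a str."""
    tag, val, _ = _der_tlv(ext_value)
    if tag == 0x1E:                         # BMPString (what Windows emits)
        return val.decode("utf-16-be")
    if tag == 0x0C:                         # UTF8String, tolerated just in case
        return val.decode("utf-8")
    return None

def san_dns_names(san_value):
    """Collect dNSName entries ([2] IMPLICIT IA5String) from a SAN SEQUENCE."""
    tag, seq, _ = _der_tlv(san_value)
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _der_tlv(seq, pos)
        if tag == 0x82:                     # skip otherName ([0]) and friends
            names.append(val.decode("ascii"))
    return names

def issued_to_dc_for(ext_value, san_value, kdc_host):
    """True if the template is DomainController and a SAN dNSName matches
    kdc_host, compared case-insensitively (Windows upper-cases the host)."""
    if template_name(ext_value) != "DomainController":
        return False
    return kdc_host.lower() in (n.lower() for n in san_dns_names(san_value))

# Constructed sample values (not from a real certificate):
TEMPLATE_EXT = b"\x1e\x20" + "DomainController".encode("utf-16-be")
SAN_EXT = (b"\x30\x1b"
           + b"\xa0\x05\x06\x03\x2a\x03\x04"      # otherName [0] with OID 1.2.3.4
           + b"\x82\x12" + b"KDC01.EXAMPLE.TEST")  # dNSName, uppercase host label
```

In a real client the two DER values would come from the parsed certificate's extensions; the matching itself is the part the post argues should replace a hand-maintained hostname list.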