krb5_pac_verify and server key enctype extraction
Glenn Barry
Glenn.Barry at sun.com
Tue Jul 14 19:24:38 EDT 2009
For our application to verify the PAC we're using:

    krb5_error_code KRB5_CALLCONV
    krb5_pac_verify(krb5_context context,
                    const krb5_pac pac,
                    krb5_timestamp authtime,
                    krb5_const_principal principal,
                    const krb5_keyblock *server,
                    const krb5_keyblock *privsvr);
To get the server arg for krb5_pac_verify() from the local keytab,
we're using:

    krb5_error_code KRB5_CALLCONV
    krb5_kt_read_service_key(krb5_context,
                             krb5_pointer,
                             krb5_principal,
                             krb5_kvno,
                             krb5_enctype,
                             krb5_keyblock **);
All looks good except we can't find a public GSS/krb5 API function to
get the enctype from the security context. gss_inquire_context() and
gss_inquire_sec_context_by_oid() looked promising but don't appear to
have it.
We don't think we can glean the enctype from the PAC signature buffer
itself.
So it looks like we need something analogous to
gsskrb5_extract_authz_data_from_sec_context() for the ticket enctype.
Thoughts?
Thanks...glenn
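[Editor's added example, not part of Glenn's post and not MIT krb5 code.] One place the enctype is visible without any new GSS API is the PAC itself: the server checksum buffer (ulType 6 in MS-PAC) starts with a 4-byte SignatureType, a Kerberos checksum type that identifies the key family that produced it (HMAC_SHA1_96_AES256 for an aes256-cts key, HMAC_SHA1_96_AES128 for aes128-cts, HMAC_MD5 0xFFFFFF76 for rc4-hmac). The parser below walks the PACTYPE header, bounds-checks every offset and length (the blob arrives in the ticket and is untrusted until krb5_pac_verify() succeeds), reads SignatureType, and maps it to the enctype to hand to krb5_kt_read_service_key(). Layout and constants are from MS-PAC and RFC 3962/4757; the sample PAC bytes are constructed for the demo, and the signature in it is dummy data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAC_SERVER_CHECKSUM 6u   /* MS-PAC 2.4 buffer type */

/* Checksum types seen in PAC_SIGNATURE_DATA.SignatureType (MS-PAC 2.8) */
#define CKSUM_HMAC_MD5            (-138)   /* 0xFFFFFF76, rc4-hmac keys */
#define CKSUM_HMAC_SHA1_96_AES128 15
#define CKSUM_HMAC_SHA1_96_AES256 16

/* Kerberos enctype numbers (RFC 3962, RFC 4757) */
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
#define ENCTYPE_ARCFOUR_HMAC            23

/* PAC fields are little-endian regardless of host byte order */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

/* Map a PAC signature (checksum) type to the enctype of the key that made
 * it; 0 means "unknown", i.e. no keytab key can be selected from it. */
int enctype_for_signature_type(int32_t sigtype)
{
    switch (sigtype) {
    case CKSUM_HMAC_SHA1_96_AES128: return ENCTYPE_AES128_CTS_HMAC_SHA1_96;
    case CKSUM_HMAC_SHA1_96_AES256: return ENCTYPE_AES256_CTS_HMAC_SHA1_96;
    case CKSUM_HMAC_MD5:            return ENCTYPE_ARCFOUR_HMAC;
    default:                        return 0;
    }
}

/* Locate the PAC_INFO_BUFFER of the requested type. Returns 1 and sets
 * *off/*len on success, 0 if absent or if any field points outside pac. */
int pac_find_buffer(const uint8_t *pac, size_t pac_len, uint32_t want_type,
                    size_t *off, size_t *len)
{
    uint32_t cbuffers, i;

    if (pac == NULL || pac_len < 8)
        return 0;
    cbuffers = rd32(pac);                 /* PACTYPE.cBuffers; Version at +4 */
    if (cbuffers > (pac_len - 8) / 16)    /* each PAC_INFO_BUFFER is 16 bytes */
        return 0;
    for (i = 0; i < cbuffers; i++) {
        const uint8_t *ib = pac + 8 + (size_t)i * 16;
        uint32_t type = rd32(ib), size = rd32(ib + 4);
        uint64_t offset = rd64(ib + 8);

        if (type != want_type)
            continue;
        if (offset > pac_len || size > pac_len - offset)
            return 0;                     /* buffer extends past the blob */
        *off = (size_t)offset;
        *len = size;
        return 1;
    }
    return 0;
}

/* Read SignatureType from the server checksum buffer; 1 on success. */
int pac_server_signature_type(const uint8_t *pac, size_t pac_len, int32_t *sigtype)
{
    size_t off, len;

    if (!pac_find_buffer(pac, pac_len, PAC_SERVER_CHECKSUM, &off, &len) || len < 4)
        return 0;
    *sigtype = (int32_t)rd32(pac + off);
    return 1;
}

/* Enctype to request from the keytab for a raw PAC blob, or 0 on failure. */
int pac_server_key_enctype(const uint8_t *pac, size_t pac_len)
{
    int32_t sigtype;

    if (!pac_server_signature_type(pac, pac_len, &sigtype))
        return 0;
    return enctype_for_signature_type(sigtype);
}

/* Constructed sample: one buffer, a server checksum of type 16 (AES256)
 * followed by a 12-byte dummy signature. Header (8) + one 16-byte info
 * buffer = 24, so the signature data is placed at offset 24. */
const uint8_t sample_pac[40] = {
    0x01, 0x00, 0x00, 0x00,   /* cBuffers = 1 */
    0x00, 0x00, 0x00, 0x00,   /* Version  = 0 */
    0x06, 0x00, 0x00, 0x00,   /* ulType = PAC_SERVER_CHECKSUM */
    0x10, 0x00, 0x00, 0x00,   /* cbBufferSize = 16 */
    0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* Offset = 24 */
    0x10, 0x00, 0x00, 0x00,   /* SignatureType = 16 = HMAC_SHA1_96_AES256 */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb
};

int main(void)
{
    printf("enctype for keytab lookup: %d\n",
           pac_server_key_enctype(sample_pac, sizeof sample_pac));
    return 0;
}
```

The returned enctype is what goes into the krb5_enctype argument of krb5_kt_read_service_key(); the keytab must hold a key of that enctype for the service principal, otherwise the lookup fails before krb5_pac_verify() is ever reached. Passing enctype 0 to krb5_kt_read_service_key() asks for any enctype and so can hand back a key of a different enctype than the one the KDC used for the checksum, which is why selecting it explicitly is preferable. Anything read from the PAC before the verify call, the enctype included, is attacker-influenced input and is only used here to choose a key, never to make an authorization decision.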