krb5_pac_verify and server key enctype extraction

Natalie Li Natalie.Li at Sun.COM
Wed Jul 15 12:21:07 EDT 2009

Luke Howard wrote:
> Glenn,
>> All looks good except we can't find a public GSS/krb5 API function to
>> get the enctype from the security context. gss_inquire_context() and
>> gss_inquire_sec_context_by_oid() looked promising but don't appear to
>> have it.
>> We don't think we can glean the enctype from the PAC signature buffer
>> itself.
> You can extract the session key with 
> gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY). The 
> returned buffer set contains { session key, enctype OID } -- the 
> integer enctype is the last element of the OID arc.
> Does this help?
> cheers,
> -- luke
Just to clarify, we're interested in the enctype associated with the 
server's long-term key that was used to decrypt the krb ticket carried 
in the KRB_AP_REQ, not the session key. Do we have an API to extract 
that information from GSS context?



More information about the krbdev mailing list