krb5_pac_verify and server key enctype extraction

Natalie Li Natalie.Li at Sun.COM
Wed Jul 15 12:21:07 EDT 2009


Luke Howard wrote:
> Glenn,
>
>> All looks good except we can't find a public GSS/krb5 API function to
>> get the enctype from the security context. gss_inquire_context() and
>> gss_inquire_sec_context_by_oid() looked promising but don't appear to
>> have it.
>>
>> We don't think we can glean the enctype from the PAC signature buffer
>> itself.
>
> You can extract the session key with 
> gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY). The 
> returned buffer set contains { session key, enctype OID } -- the 
> integer enctype is the last element of the OID arc.
>
> Does this help?
>
> cheers,
>
> -- luke

Just to clarify, we're interested in the enctype associated with the 
server's long-term key that was used to decrypt the krb ticket carried 
in the KRB_AP_REQ, not the session key. Do we have an API to extract 
that information from GSS context?

Thanks,

Natalie
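
The last-arc decoding Luke describes, as an added example that is not code from this thread or from the krb5 source. It assumes the second member of the returned buffer set holds the OID's DER content octets (no tag or length byte); `oid_last_arc` and the sample bytes are constructed for illustration. The value it yields is the session key's enctype, not the enctype of the server's long-term key asked about above.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: OID content octets whose final arc is 18. */
static const unsigned char sample_oid[] = {
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x04, 0x12
};
/* Constructed sample: final arc 128, encoded in two bytes (0x81 0x00). */
static const unsigned char sample_wide[] = { 0x2a, 0x03, 0x81, 0x00 };
/* Constructed sample: malformed, last byte still has the continuation bit. */
static const unsigned char sample_trunc[] = { 0x2a, 0x03, 0x81 };

/*
 * Decode the final arc of an OID given as DER content octets.
 * Each sub-identifier is base-128, most significant group first, with
 * bit 7 set on every byte except the last one of that sub-identifier.
 * Returns 0 and stores the arc on success, -1 on malformed input.
 */
static int oid_last_arc(const unsigned char *oid, size_t len, unsigned long *arc)
{
    unsigned long v = 0;
    size_t i, subids = 0;
    int in_arc = 0;

    for (i = 0; i < len; i++) {
        if (!in_arc) {
            if (oid[i] == 0x80)
                return -1;          /* padded, non-minimal encoding */
            v = 0;
        }
        if (v > (~0UL >> 7))
            return -1;              /* arc would overflow unsigned long */
        v = (v << 7) | (oid[i] & 0x7f);
        in_arc = (oid[i] & 0x80) != 0;
        if (!in_arc)
            subids++;
    }
    /* The first byte packs the first two arcs, so require one more. */
    if (in_arc || subids < 2)
        return -1;
    *arc = v;
    return 0;
}

int main(void)
{
    unsigned long e = 0;
    if (oid_last_arc(sample_oid, sizeof sample_oid, &e) == 0)
        printf("session key enctype: %lu\n", e);
    return 0;
}
```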


