NSS for PKINIT, in-progress patches available, feedback sought

Nalin Dahyabhai nalin at redhat.com
Wed Sep 7 23:04:33 EDT 2011

Hello everyone.

One of the roadmap items for 1.9 was adding a back end which used NSS
for crypto.  While this work was done for libk5crypto, it didn't cover
the PKINIT preauth module, which currently makes calls directly to
OpenSSL to create and parse CMS messages and validate certificates.

For the last while I've been spending some time working on the rest of
it: getting the PKINIT implementation to be able to use NSS, too.

The plugin currently wraps most of its use of OpenSSL into functions
implemented in, and structures whose definitions are only known to,
pkinit_crypto_openssl.c.  Definitions for these functions and structures
which use NSS can largely be confined to a new pkinit_crypto_nss.c file.
I've got an implementation of that mostly working now, at


The changes to the build machinery (krb5-trunk-pkinit-nss.patch) are
mostly what you'd expect: when libk5crypto is using NSS, check for a
sufficiently recent NSS, compile pkinit_crypto_nss.c, with the right
CFLAGS, instead of pkinit_crypto_openssl.c, and link with the right set
of libraries.

The build machinery patch also adds recognition of "NSS:" identity
types, to allow NSS databases to be used, though as that also implicitly
adds CA certificates in the database to the set of trusted CAs, which
can surprise people who are used to the way it works now, that might
have to be dropped.

Getting to this point has turned up a few bugs in NSS, and pointed to
some additions that needed to be made.  Interop testing has turned up a
couple of spots where other implementations don't exactly comply with my
reading of the CMS specs, and NSS needs to be extended to accommodate
them as well.  Some of that's still a work in progress.

Put all together, the client works against servers to which I have ready
access, and the server happily handles requests from our clients, but as
different CMS implementations apparently vary in how they format
messages, it could still use more testing.

So please, poke at the code, test it -- the configure script checks for
a version of NSS which I'm hoping will include everything we need, so
you may have to tweak that bit, like I do, if you're testing with an
older version with patches -- and let me know how it goes.



More information about the krbdev mailing list