Implementing a PKINIT AS exchange

oriol caño oriol292 at
Tue Jan 19 05:52:54 EST 2016


I am working on a project for the MIT kerberos, the wiki page is the
following one:

I want to perform an AS exchange between two different KDCs, and I want to
do it using a sort of PKINIT exchange with Elliptic Curve, following RFC

I think this is currently not supported by the KDC, but it wouldn't be a
problem, because I am doing all the logic in a deamon that executes on the
same machine as the KDC. The deamon gets the requests from the KDC, which
redirects them.

My problem is, I couldn't find how to create an AS request in order to send
it through the Internet.
As far as I have seen, the initial AS exchange is performed with the set of
functions *krb5_get_init_creds_X. *This functions manage the AS exchange
internally, and it does not seem to be easy to adapt to my needs.

I may be wrong in my assumptions, I don't know the code that well.

What do you think should be my approach?
One of my ideas was to build the AS_REQ myself and send it to the KDC, but
this does not seem to be the approach taken by the *kinit *client, for
example, so I am not sure how to do it.

Thanks for your help in advanced.

Kind regards,
Oriol Caño

More information about the krbdev mailing list