Implementing a PKINIT AS exchange

Rick van Rein rick at
Tue Jan 19 09:08:44 EST 2016

Hi Oriol,

If you are not bound to the ASN.1 code of the MIT Kerberos5 implementation (which isn't exported and which makes you do things in the "wrong" order), you might consider using libtasn1 to produce ASN.1 encoded data.  The documentation of libtasn1 is a bit underdeveloped, but that mainly concerns the flow that an example will quickly resolve.  Basically, you do this:

1. Write an ASN.1 spec (or, usually grab it from specifications)
2. Pass it through the asn1Parser command to generate a C file with a linear array used by libtasn1
3. Possibly use asn1Coding / asn1Decoding commands to translate according to ASN.1 specs between DER encoding and a textual data representation
4. Turn the linear array from asn1Parser to a quicker-usable definitions tree with asn1_array2tree()
5. Create an instance of the definitions tree with asn1_create_element()
6. Set elements in the instance with asn1_write_value()
7. Serialise to binary form (DER) with asn1_der_coding()
8. Cleanup the instance with asn1_delete_structure() or asn1_delete_element() [am not sure...]
9. Cleanup the definitions tree with asn1_delete_structure()
The opposite direction is also supported, of course.

I did not use this yet, but I found GnuTLS' support for PKINIT certificates in 3.5.0 is a nice guide,


More information about the krbdev mailing list