PKINIT and instance principals.

[Greg Hudson]

On 01/29/2017 04:52 AM, Dr. Greg Wettstein wrote:
> Examining the certificate in DER form indicates the principal name is
> encoded as sudo/UID at REALM as is desired.

I'm not sure this is correct.  An AnotherName of type KRB5PrincipalName
is defined by RFC 4556 to be of type KRB5PrincipalName:

   KRB5PrincipalName ::= SEQUENCE {
       realm                   [0] Realm,
       principalName           [1] PrincipalName
   }

and PrincipalName is defined by RFC 4120 as:

    PrincipalName   ::= SEQUENCE {
        name-type       [0] Int32,
        name-string     [1] SEQUENCE OF KerberosString
    }

If in the DER you are seeing a name-string containing a length-1
sequence containing the string "sudo/UID", that is a single-component
principal, which unparses to "sudo\/UID at REALM" as you saw.

(It would certainly be simpler to create PKINIT certificates using
OpenSSL if RFC 4556 had used unparsed principal names instead of
ASN.1-encoding them.  But that ship sailed long ago.)

To correctly generate a multi-component principal name in the
certificate using an OpenSSL extensions file, the SEQUENCE of principal
components needs to contain separate elements for each principal.  In
http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html you can
see this being done in the extensions file for the KDC certificate, and
you can apply something similar for client certificates.  Our
documentation in this area could be improved; we have an open issue at:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7940