Constrained Delegation with certificate and GSS API

Isaac Boukris iboukris at
Sun Jun 7 11:29:46 EDT 2020

On Sun, Jun 7, 2020 at 4:57 PM Puran Chand <puran157 at> wrote:
> I see gss_import_name() puts the name_type in gss_union_name_t->name_type and cert_data in gss_union_name_t->external_name.
> However, I don't understand how this should pass down from the GSS API (gss_add_cred_impersonate_name) to the krb5 API (krb5_gss_acquire_cred_impersonate_name).
> I see the gss_name_t passed down to the krb5 API isn't what is received in the GSS API. It's gss_union_name_t->mech_name, and the same is converted into krb5_gss_name_t eventually.
> And I believe krb5_gss_name_t is constructed in krb5_gss_import_name/imp_name.c. IDK what would be the right place to store cert_data in krb5_gss_name_t; should the name_type be copied to krb5_gss_name_t->krb5_principal->type and the cert data to krb5_gss_name_t->krb5_principal->realm?

You're looking at the right places. For a simple start, you could add a
krb5_data member 'cert' to the krb5_gss_name_t struct, copy the
certificate data in there in krb5_gss_import_name() and set princ to
NULL, then alter kg_impersonate_name() to check if cert->length != 0
and use the cert instead of princ.
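
A minimal model of the change suggested in the reply above, added here as an illustration and not taken from MIT krb5 or from either poster. The `model_*` types and functions are hypothetical stand-ins for krb5_data, krb5_gss_name_t, krb5_gss_import_name() and kg_impersonate_name(); the block shows the certificate being deep-copied at import time with princ left NULL, and the later `cert.length != 0` check selecting the certificate over the principal.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the types named in the thread (assumptions). */
typedef struct { unsigned int length; char *data; } model_data;
typedef struct {
    char *princ;      /* stands in for the principal; NULL for a cert name */
    model_data cert;  /* proposed new member; length 0 means no certificate */
} model_gss_name;
enum s4u_subject { SUBJECT_NONE, SUBJECT_PRINC, SUBJECT_CERT };

/* Import step: deep-copy the certificate (the caller keeps ownership of its
 * input buffer) and leave princ NULL. */
int model_import_cert_name(const void *der, size_t len, model_gss_name **out)
{
    model_gss_name *n;
    *out = NULL;
    if (der == NULL || len == 0 || len > UINT_MAX)
        return -1;
    n = calloc(1, sizeof(*n));
    if (n != NULL)
        n->cert.data = malloc(len);
    if (n == NULL || n->cert.data == NULL) {
        free(n);
        return -1;
    }
    memcpy(n->cert.data, der, len);
    n->cert.length = (unsigned int)len;
    *out = n;
    return 0;
}

/* Impersonation step: a non-empty cert takes precedence over princ. */
enum s4u_subject model_pick_subject(const model_gss_name *n)
{
    if (n != NULL && n->cert.length != 0)
        return SUBJECT_CERT;
    return (n != NULL && n->princ != NULL) ? SUBJECT_PRINC : SUBJECT_NONE;
}

void model_release_name(model_gss_name *n)
{
    if (n != NULL) {
        free(n->princ);
        free(n->cert.data);
    }
    free(n);
}
```

Because the name owns a private copy of the certificate bytes, whatever releases the name also has to free `cert.data`, as `model_release_name()` does here.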
