Posted to dev@directory.apache.org by Lloyd Evans <le...@vmware.com> on 2016/02/23 01:55:35 UTC

PKINIT client support

Hi All,

I was hoping to use the client API in Kerby to write some Java code that will connect to an MIT Kerberos server using PKINIT — specifically, I have a user certificate and key, and want to obtain first a TGT, and then a service ticket. Have tried the following idea (using Kerby from the ‘trunk’ branch):

	KrbClient client = new KrbClient();

	client.setKdcHost(host);
	client.setAllowTcp(true);
	client.setAllowUdp(true);
	client.setKdcTcpPort(TCP_PORT);
	client.setKdcUdpPort(UDP_PORT);
	client.init();

	KOptions requestOptions = new KOptions();
	requestOptions.add(PkinitOption.USE_PKINIT);
	requestOptions.add(PkinitOption.USING_RSA);
	requestOptions.add(KrbOption.CLIENT_PRINCIPAL, principal);

	if (APPROACH_ONE) {
		// cert and key load ok (are not null), but seem to be ignored
		Certificate certificate = readCertificateFile(pemFile);
		requestOptions.add(PkinitOption.X509_CERTIFICATE, certificate);

		PrivateKey privateKey = readPrivateKeyFile(keyFile);
		requestOptions.add(PkinitOption.X509_PRIVATE_KEY, privateKey);
	} else {
		// identity string set to "/path/to/pem,/path/to/pkcs8key"
		requestOptions.add(PkinitOption.X509_IDENTITY, pathTo(pemFile) + "," + pathTo(keyFile));
	}

	TgtTicket tgt = client.requestTgt(requestOptions);



but the server keeps complaining that “received_cert is null”, which I assume means the user cert is not being included in the request. Can anyone tell me if either (1) what I want to do isn’t really implemented yet, or (2) I am missing something.

Thanks
 - Lloyd
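Two things in the post above are easy to get wrong before Kerby ever enters the picture: the `readCertificateFile`/`readPrivateKeyFile` helpers are not shown, and a client certificate that a PKINIT KDC will refuse (expired, missing the PKINIT client-auth EKU, or paired with the wrong private key) produces an error just as opaque as "received_cert is null". The following is an added example, JDK-only and not from the original post or from Kerby, that implements the two helpers for PEM input and runs those checks locally before any AS-REQ is sent. The class name, the `preflight` method, the EKU constant and the file names are assumptions; it needs Java 11 or later for `Files.readString`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/**
 * Added example (not Kerby code): load a PEM client certificate and an
 * unencrypted PKCS#8 RSA key, then run the checks a PKINIT KDC applies to
 * the client certificate, so a bad credential fails here with a clear reason.
 */
public final class PkinitCredentialCheck {

    /** id-pkinit-KPClientAuth extended key usage, RFC 4556 section 3.2.2. */
    static final String ID_PKINIT_KP_CLIENT_AUTH = "1.3.6.1.5.2.3.4";

    /** Parses a "-----BEGIN CERTIFICATE-----" file (plain DER also works). */
    public static X509Certificate readCertificateFile(Path pemFile)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (var in = Files.newInputStream(pemFile)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Parses an unencrypted PKCS#8 RSA key ("-----BEGIN PRIVATE KEY-----"). */
    public static PrivateKey readPrivateKeyFile(Path keyFile)
            throws IOException, GeneralSecurityException {
        String pem = Files.readString(keyFile, StandardCharsets.US_ASCII);
        if (pem.contains("BEGIN RSA PRIVATE KEY")) {
            // PKCS#1 is not PKCS#8; the JDK KeyFactory cannot read it directly.
            throw new GeneralSecurityException(
                    "key is PKCS#1, convert it: openssl pkcs8 -topk8 -nocrypt -in key.pem");
        }
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Returns the problems found; an empty list means every local check passed. */
    public static List<String> preflight(X509Certificate cert, PrivateKey key)
            throws GeneralSecurityException {
        List<String> problems = new ArrayList<>();

        // 1. A KDC rejects expired or not-yet-valid client certificates.
        try {
            cert.checkValidity();
        } catch (GeneralSecurityException e) {
            problems.add("certificate not currently valid: " + e.getMessage());
        }

        // 2. MIT krb5 requires id-pkinit-KPClientAuth in the EKU by default
        //    (kdc.conf pkinit_eku_checking = kpClientAuth).
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        if (eku == null || !eku.contains(ID_PKINIT_KP_CLIENT_AUTH)) {
            problems.add("certificate lacks EKU " + ID_PKINIT_KP_CLIENT_AUTH
                    + " (id-pkinit-KPClientAuth)");
        }

        // 3. The key must belong to the certificate: sign a random nonce with
        //    the private key and verify it with the certificate's public key.
        if (!"RSA".equals(cert.getPublicKey().getAlgorithm())) {
            problems.add("certificate key is " + cert.getPublicKey().getAlgorithm() + ", not RSA");
            return problems;
        }
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(nonce);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(nonce);
        boolean matches;
        try {
            matches = verifier.verify(sig);
        } catch (GeneralSecurityException e) {
            matches = false; // e.g. signature length differs from the cert's modulus size
        }
        if (!matches) {
            problems.add("private key does not match the certificate's public key");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names; pass the real credential paths as arguments.
        Path pemFile = Paths.get(args.length > 0 ? args[0] : "client-cert.pem");
        Path keyFile = Paths.get(args.length > 1 ? args[1] : "client-key.pkcs8");
        X509Certificate cert = readCertificateFile(pemFile);
        PrivateKey key = readPrivateKeyFile(keyFile);
        List<String> problems = preflight(cert, key);
        if (problems.isEmpty()) {
            System.out.println("credential usable for " + cert.getSubjectX500Principal());
        } else {
            problems.forEach(p -> System.out.println("PROBLEM: " + p));
        }
    }
}
```

The returned `X509Certificate` and `PrivateKey` are the types the post passes to `PkinitOption.X509_CERTIFICATE` and `PkinitOption.X509_PRIVATE_KEY`. Encrypted PKCS#8 keys ("BEGIN ENCRYPTED PRIVATE KEY") are deliberately not handled. The check also does not cover the id-pkinit-san otherName (OID 1.3.6.1.5.2.2) that MIT's KDC uses by default to map the certificate to the client principal, because the JDK exposes otherName SAN entries only as raw DER; a missing or mismatched SAN is the other common reason a KDC refuses an otherwise valid client certificate.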


RE: PKINIT client support

Posted by "Zheng, Kai" <ka...@intel.com>.
I thought Jiajia could elaborate a bit on exactly what gaps remain to fill for full PKINIT support.

Regards,
Kai

-----Original Message-----
From: Zheng, Kai [mailto:kai.zheng@intel.com] 
Sent: Tuesday, February 23, 2016 9:04 AM
To: Apache Directory Developers List <de...@directory.apache.org>; kerby@directory.apache.org
Subject: RE: PKINIT client support

Hi Lloyd,

Thanks for the interest and for trying it! Unfortunately, right now only Anonymous PKINIT is done. The RSA case is still ongoing, but I believe it's quite close to completion. The community is busy with other things of higher priority like the RC2 release, GSSAPI support and kadmin-remote support, and very probably we'll get back to completing PKINIT after some time. Please let us know if this sounds good or not for your case, and stay tuned. Thanks.

Regards,
Kai

-----Original Message-----
From: Lloyd Evans [mailto:levans@vmware.com] 
Sent: Tuesday, February 23, 2016 8:56 AM
To: Apache Directory Developers List <de...@directory.apache.org>
Subject: PKINIT client support

Hi All,

I was hoping to use the client API in Kerby to write some Java code that will connect to an MIT Kerberos server using PKINIT — specifically, I have a user certificate and key, and want to obtain first a TGT, and then a service ticket. Have tried the following idea (using Kerby from the ‘trunk’ branch):

	KrbClient client = new KrbClient();

	client.setKdcHost(host);
	client.setAllowTcp(true);
	client.setAllowUdp(true);
	client.setKdcTcpPort(TCP_PORT);
	client.setKdcUdpPort(UDP_PORT);
	client.init();

	KOptions requestOptions = new KOptions();
	requestOptions.add(PkinitOption.USE_PKINIT);
	requestOptions.add(PkinitOption.USING_RSA);
	requestOptions.add(KrbOption.CLIENT_PRINCIPAL, principal);

	if (APPROACH_ONE) {
		// cert and key load ok (are not null), but seem to be ignored
		Certificate certificate = readCertificateFile(pemFile);
		requestOptions.add(PkinitOption.X509_CERTIFICATE, certificate);

		PrivateKey privateKey = readPrivateKeyFile(keyFile);
		requestOptions.add(PkinitOption.X509_PRIVATE_KEY, privateKey);
	} else {
		// identity string set to "/path/to/pem,/path/to/pkcs8key"
		requestOptions.add(PkinitOption.X509_IDENTITY, pathTo(pemFile) + "," + pathTo(keyFile));
	}

	TgtTicket tgt = client.requestTgt(requestOptions);



but the server keeps complaining that “received_cert is null”, which I assume means the user cert is not being included in the request. Can anyone tell me if either (1) what I want to do isn’t really implemented yet, or (2) I am missing something.

Thanks
 - Lloyd


RE: PKINIT client support

Posted by "Zheng, Kai" <ka...@intel.com>.
Hi Lloyd,

Thanks for the interest and for trying it! Unfortunately, right now only Anonymous PKINIT is done. The RSA case is still ongoing, but I believe it's quite close to completion. The community is busy with other things of higher priority like the RC2 release, GSSAPI support and kadmin-remote support, and very probably we'll get back to completing PKINIT after some time. Please let us know if this sounds good or not for your case, and stay tuned. Thanks.

Regards,
Kai

-----Original Message-----
From: Lloyd Evans [mailto:levans@vmware.com] 
Sent: Tuesday, February 23, 2016 8:56 AM
To: Apache Directory Developers List <de...@directory.apache.org>
Subject: PKINIT client support

Hi All,

I was hoping to use the client API in Kerby to write some Java code that will connect to an MIT Kerberos server using PKINIT — specifically, I have a user certificate and key, and want to obtain first a TGT, and then a service ticket. Have tried the following idea (using Kerby from the ‘trunk’ branch):

	KrbClient client = new KrbClient();

	client.setKdcHost(host);
	client.setAllowTcp(true);
	client.setAllowUdp(true);
	client.setKdcTcpPort(TCP_PORT);
	client.setKdcUdpPort(UDP_PORT);
	client.init();

	KOptions requestOptions = new KOptions();
	requestOptions.add(PkinitOption.USE_PKINIT);
	requestOptions.add(PkinitOption.USING_RSA);
	requestOptions.add(KrbOption.CLIENT_PRINCIPAL, principal);

	if (APPROACH_ONE) {
		// cert and key load ok (are not null), but seem to be ignored
		Certificate certificate = readCertificateFile(pemFile);
		requestOptions.add(PkinitOption.X509_CERTIFICATE, certificate);

		PrivateKey privateKey = readPrivateKeyFile(keyFile);
		requestOptions.add(PkinitOption.X509_PRIVATE_KEY, privateKey);
	} else {
		// identity string set to "/path/to/pem,/path/to/pkcs8key"
		requestOptions.add(PkinitOption.X509_IDENTITY, pathTo(pemFile) + "," + pathTo(keyFile));
	}

	TgtTicket tgt = client.requestTgt(requestOptions);



but the server keeps complaining that “received_cert is null”, which I assume means the user cert is not being included in the request. Can anyone tell me if either (1) what I want to do isn’t really implemented yet, or (2) I am missing something.

Thanks
 - Lloyd

