lördag 14 februari 2009

Support for ECDSA and ECDH in PK-INIT

Heimdal now support support for ECDSA (Elliptic curve, signature mode) and ECDH (Elliptic curve, key exchange mode) when compiled with OpenSSL, no hcrypto support yet. Using ECDSA is turned on when using EC certificates, both the signature verification and CMS is done using EC certificate.

ECDH is turned used when using ECDSA, so also its also used when using EC certificates on the client. There is missing negotiation of EC curves, so the code is not future safe, but its something that we'll add in the future.  Part of the regression test now uses the EC certificate. hxtool needs support for generating EC keys and exporting the SubjectPublicKeyInfo before its can sign certificates, neither of them too hard.

Too much of the OpenSSL EC implementation is hidden, so right now its not possible to load plugins. So no support for PKCS11 or Keychain based private keys.

torsdag 5 februari 2009

New PKINIT bits, anonymous and enterprise support

I've just added anonymous Kerberos/pkinit to the KDC and the client libraries. Still only AS-REQ, what is missing is TGS-REQ and GSS-API support.
kinit --anonymous REALM

What have been implemented is draft-ietf-krb-wg-anon-04.

At the same time support for enterprise names when using PK-INIT slipped it. This is very cool, just point a cert, and the kinit will search the cert for a windows nt-name, use that with a client referrals (enterprise name) and return you a ticket for your real principal name. The only problem is that right now windows 2008 DC doesn't return client referrals PA-DATA, so that why we use --windows in the example below, it disable the client check.
kinit --windows --pk-enterprise --canon -C FILE:w2k8.pem WINDOWS2008.DOMAIN

The implementation show that the krb5_get_init_creds and friends need to be more aware PK-INIT and certificate selection. The reason the interface look the way it does is to avoid exposing that we are using hx509 beneath the kerberos library. So far I've not come up with a good langauge to express what certificate to select.

There is a query language in hx509, but its not something that you want to expose users too. Here are some examples:
%{certificate.issuer} == "C=SE,CN=hx509 Test Root CA"
%{certificate.subject} TAILMATCH "C=SE"
%{certificate.hash.sha1} EQ "412120212A2CBFD777DE5499ECB4724345F33F16"

Heimdal will show up for the Interop event in Redmond at the end of March, part of that we will do PK-INIT testing.

One things that really should be working by the is support for EC certificate and ECDSA, right now that support it not there in hx509 or hcrypto.