I thought Jiajia could elaborate a bit on what exactly the gaps to fill are 
for full PKINIT support.

Regards,
Kai

-----Original Message-----
From: Zheng, Kai [mailto:[email protected]] 
Sent: Tuesday, February 23, 2016 9:04 AM
To: Apache Directory Developers List <[email protected]>; 
[email protected]
Subject: RE: PKINIT client support

Hi Lloyd,

Thanks for the interest and for trying it! Unfortunately, right now only Anonymous 
PKINIT is done. The RSA case is still ongoing, but I believe it's quite close to 
completion. The community is busy with other things of higher priority like the 
RC2 release, GSSAPI support and kadmin-remote support, and very probably we'll 
get back to completing PKINIT after some time. Please let us know whether this 
sounds good for your case or not, and stay tuned. Thanks.

Regards,
Kai

-----Original Message-----
From: Lloyd Evans [mailto:[email protected]] 
Sent: Tuesday, February 23, 2016 8:56 AM
To: Apache Directory Developers List <[email protected]>
Subject: PKINIT client support

Hi All,

I was hoping to use the client API in Kerby to write some Java code that will 
connect to an MIT Kerberos server using PKINIT — specifically, I have a user 
certificate and key, and want to obtain first a TGT, and then a service ticket. 
I have tried the following (using Kerby from the ‘trunk’ branch):

    KrbClient client = new KrbClient();

    client.setKdcHost(host);
    client.setAllowTcp(true);
    client.setAllowUdp(true);
    client.setKdcTcpPort(TCP_PORT);
    client.setKdcUdpPort(UDP_PORT);
    client.init();

    KOptions requestOptions = new KOptions();
    requestOptions.add(PkinitOption.USE_PKINIT);
    requestOptions.add(PkinitOption.USING_RSA);
    requestOptions.add(KrbOption.CLIENT_PRINCIPAL, principal);

    if (APPROACH_ONE) {
        // cert and key load ok (are not null), but seem to be ignored
        Certificate certificate = readCertificateFile(pemFile);
        requestOptions.add(PkinitOption.X509_CERTIFICATE, certificate);

        PrivateKey privateKey = readPrivateKeyFile(keyFile);
        requestOptions.add(PkinitOption.X509_PRIVATE_KEY, privateKey);
    } else {
        // identity string set to "/path/to/pem,/path/to/pkcs8key"
        requestOptions.add(PkinitOption.X509_IDENTITY,
                           pathTo(pemFile) + "," + pathTo(keyFile));
    }

    TgtTicket tgt = client.requestTgt(requestOptions);

but the server keeps complaining that “received_cert is null”, which I assume 
means the user cert is not being included in the request. Can anyone tell me if 
either (1) what I want to do isn’t really implemented yet, or (2) I am missing 
something.

Thanks
 - Lloyd
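When a KDC reports that no client certificate arrived, it helps to first rule out the identity material itself before digging into the client library. The following is an added example, written for this thread and not code from Kerby or from the poster: it loads a PEM certificate and an unencrypted PKCS#8 key with the standard Java APIs, confirms that the key really belongs to the certificate (by signing a random challenge and verifying it with the certificate's public key), and checks the certificate for the properties a PKINIT-capable KDC normally requires, namely validity period, the id-pkinit-KPClientAuth extended key usage (OID 1.3.6.1.5.2.3.4, from RFC 4556) and the digitalSignature key usage bit. The file names client.pem and client.pk8 are assumed placeholders. It performs only local checks and sends no Kerberos traffic.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.List;

/** Local sanity checks on a PKINIT client identity (added example, not Kerby code). */
public class PkinitIdentityCheck {

    // id-pkinit-KPClientAuth (RFC 4556, section 3.2.2). KDCs typically require this
    // EKU on the client certificate unless local policy says otherwise.
    static final String PKINIT_CLIENT_AUTH_OID = "1.3.6.1.5.2.3.4";

    /** Loads a PEM-encoded X.509 certificate; CertificateFactory accepts PEM directly. */
    static X509Certificate readCertificate(Path pemFile) throws IOException, GeneralSecurityException {
        try (FileInputStream in = new FileInputStream(pemFile.toFile())) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Loads an unencrypted PKCS#8 PEM private key ("-----BEGIN PRIVATE KEY-----"). */
    static PrivateKey readPkcs8PrivateKey(Path keyFile, String keyAlgorithm)
            throws IOException, GeneralSecurityException {
        String pem = new String(Files.readAllBytes(keyFile), StandardCharsets.US_ASCII);
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance(keyAlgorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Maps a key algorithm name to a JCA signature algorithm name. */
    static String signatureAlgorithmFor(String keyAlgorithm) {
        return "EC".equals(keyAlgorithm) ? "SHA256withECDSA" : "SHA256with" + keyAlgorithm;
    }

    /** True if the private key signs data that the certificate's public key verifies. */
    static boolean keyMatchesCertificate(PrivateKey key, X509Certificate cert) throws GeneralSecurityException {
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge);
        String sigAlg = signatureAlgorithmFor(key.getAlgorithm());
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(challenge);
        byte[] signature = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(challenge);
        return verifier.verify(signature);
    }

    /** True if the certificate carries the PKINIT client-authentication EKU. */
    static boolean hasPkinitClientEku(X509Certificate cert) throws GeneralSecurityException {
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        return eku != null && eku.contains(PKINIT_CLIENT_AUTH_OID);
    }

    /** True if KeyUsage is absent or includes digitalSignature (bit 0). */
    static boolean allowsDigitalSignature(X509Certificate cert) {
        boolean[] keyUsage = cert.getKeyUsage();
        return keyUsage == null || (keyUsage.length > 0 && keyUsage[0]);
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholder paths; pass the real PEM certificate and PKCS#8 key as arguments.
        Path pemFile = Paths.get(args.length > 0 ? args[0] : "client.pem");
        Path keyFile = Paths.get(args.length > 1 ? args[1] : "client.pk8");

        X509Certificate cert = readCertificate(pemFile);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        PrivateKey key = readPkcs8PrivateKey(keyFile, cert.getPublicKey().getAlgorithm());

        System.out.println("subject:                 " + cert.getSubjectX500Principal());
        System.out.println("key matches certificate: " + keyMatchesCertificate(key, cert));
        System.out.println("PKINIT client EKU:       " + hasPkinitClientEku(cert));
        System.out.println("digitalSignature usage:  " + allowsDigitalSignature(cert));
    }
}
```

If all three checks print true and the certificate is within its validity period, the identity files are usable as PKINIT client material and a "received_cert is null" error on the KDC side points at the request being built without the certificate rather than at the certificate itself. An encrypted PKCS#8 key ("BEGIN ENCRYPTED PRIVATE KEY") is deliberately not handled here; decrypt it first or extend the loader with EncryptedPrivateKeyInfo.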
