I've recently been testing PKINIT with the FBCA (Federal Bridge Certificate Authority) certs. I've got it working with my agency's Active Directory servers with a minor adjustment. I'm using Fedora 13, krb5-pkinit-openssl-1.7.1-17.fc13.1.
cms_signeddata_create() has a parameter "include_certchain". When set to 1, the function is supposed to automatically construct a certificate chain based on the user's SSL certificate, and send that in the AS-REQ. When include_certchain is 0, the code appears to just bundle up everything in the "pkinit_anchors" configuration and send it. In src/plugins/preauth/pkinit/pkinit_clnt.c, cms_signeddata_create() is called with include_certchain parameter of 1.

OpenSSL does not seem to handle the circular signing among the various Federal Bridge CAs. In short, if "CA1" is issued by "CA2", and "CA2" is also issued by "CA1", the OpenSSL chain functions will just spin around until they hit the maximum verification depth. The error returned is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (an unfortunate misnomer; I wonder why OpenSSL doesn't use X509_V_ERR_CERT_CHAIN_TOO_LONG ...)

I was able to solve this by patching the MIT client PKINIT plugin to set include_certchain to 0, so OpenSSL wouldn't trip up. This doesn't seem to be a great solution. Does anyone have any opinion on the best way to handle this situation? Maybe someone had had a similar idea once upon a time, if there is an "include_certchain" parameter in the code ...

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
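To make the failure mode in the post concrete, here is an added model (not code from the krb5 PKINIT plugin or from OpenSSL) that reduces certificates to subject/issuer names and compares two chain builders: a naive issuer walk that ignores the configured anchors, and one that stops at the first issuer listed in pkinit_anchors and refuses to revisit a subject. The CA names, the cross-certificate store and the max depth are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the names matter for chain building here."""
    subject: str
    issuer: str

# Constructed example: two cross-certified bridge CAs, as in the post.
# CA1's certificate is issued by CA2 and CA2's certificate is issued by CA1.
CA1_BY_CA2 = Cert("CA1", "CA2")
CA2_BY_CA1 = Cert("CA2", "CA1")
USER = Cert("user@agency.example", "CA1")   # hypothetical PKINIT client cert
STORE = [CA1_BY_CA2, CA2_BY_CA1]           # certs available for chain building
ANCHORS = {"CA2"}                          # what pkinit_anchors would list

def _find_issuer(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    return next((c for c in store if c.subject == cert.issuer), None)

def naive_chain(leaf: Cert, store: List[Cert], max_depth: int = 10) -> Tuple[List[Cert], Optional[str]]:
    """Walk issuer links until a self-signed cert or the depth limit.
    With a cross-certification loop and no self-signed root in the store,
    this spins CA1 -> CA2 -> CA1 -> ... until max_depth and reports an error."""
    chain, cur = [leaf], leaf
    for _ in range(max_depth):
        if cur.subject == cur.issuer:          # self-signed: treat as the root
            return chain, None
        issuer = _find_issuer(cur, store)
        if issuer is None:
            return chain, "unable to get issuer cert"
        chain.append(issuer)
        cur = issuer
    return chain, "unable to get issuer cert (depth exceeded)"

def anchored_chain(leaf: Cert, store: List[Cert], anchors: Set[str],
                   max_depth: int = 10) -> Tuple[List[Cert], Optional[str]]:
    """Stop as soon as the next issuer is a configured trust anchor, and
    never add a subject twice, so a cross-certification loop cannot spin."""
    chain, cur, seen = [leaf], leaf, {leaf.subject}
    for _ in range(max_depth):
        if cur.issuer in anchors:              # anchor reached: chain complete
            return chain, None
        issuer = _find_issuer(cur, store)
        if issuer is None or issuer.subject in seen:
            return chain, "no acyclic path to a trust anchor"
        chain.append(issuer)
        seen.add(issuer.subject)
        cur = issuer
    return chain, "depth exceeded"
```

Running naive_chain on the constructed store yields eleven certificates and an error, the analogue of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT the post describes, while anchored_chain returns the two-certificate path user -> CA1 and stops because CA2 is an anchor.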