[20131] in Kerberos_V5_Development
Re: Constrained Delegation with certificate and GSS API
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Sun Jun 7 11:30:05 2020
MIME-Version: 1.0
In-Reply-To: <CAKnEmRLAQJUYd7gOie7SgouSeJw_k+s8w+RJy5AxYACQapK+4w@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Sun, 7 Jun 2020 17:29:46 +0200
Message-ID: <CAC-fF8SM_O8G-r3rGv=6hovEnp_wgS_-eyHKzLhk41wPaU5qRw@mail.gmail.com>
To: Puran Chand <puran157@gmail.com>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Sun, Jun 7, 2020 at 4:57 PM Puran Chand <puran157@gmail.com> wrote:
>
> I see gss_import_name() puts the name_type into gss_union_name_t->name_type and cert_data into gss_union_name_t->external_name.
> However, I don't understand how this should pass down from the GSS API (gss_add_cred_impersonate_name) to the krb5 API (krb5_gss_acquire_cred_impersonate_name).
> I see the gss_name_t passed down to the krb5 API isn't what was received in the GSS API. It's gss_union_name_t->mech_name, and the same is converted into krb5_gss_name_t eventually.
> And I believe krb5_gss_name_t is constructed in krb5_gss_import_name/imp_name.c. IDK what would be the right place to store cert_data in krb5_gss_name_t; should the name_type be copied to krb5_gss_name_t->krb5_principal->type and the cert data to krb5_gss_name_t->krb5_principal->realm?
You're looking at the right places. For a simple start you could add a
krb5_data member 'cert' to the krb5_gss_name_t struct, copy the
certificate data in there at krb5_gss_import_name() and set princ to
NULL; then later, in kg_impersonate_name(), check if cert->length !=
0 and use the cert instead of princ.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
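A stand-alone C model of the approach Isaac describes, added here as an illustration (not krb5's own code and not from the thread): a name record that carries either a principal or its own copy of the certificate bytes, an import path that leaves princ NULL, and the cert->length != 0 branch proposed for kg_impersonate_name(). The struct stand-ins and the model_ function names are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the krb5 types named in the thread (a model, not krb5's own). */
typedef struct { unsigned int length; char *data; } krb5_data;
typedef struct { const char *name; } krb5_principal_data, *krb5_principal;

/* Model of krb5_gss_name_t with the suggested 'cert' member added. */
typedef struct {
    krb5_principal princ; /* NULL when the name was imported from a certificate */
    krb5_data cert;       /* DER bytes; length 0 when the name is a principal */
} kg_name_rec, *kg_name;

/* Model of the certificate branch of krb5_gss_import_name(): the name
 * takes its own copy of the bytes and princ stays NULL. */
kg_name model_import_cert_name(const void *der, unsigned int len)
{
    kg_name n = calloc(1, sizeof(*n));
    if (n == NULL) return NULL;
    n->cert.data = malloc(len);
    if (n->cert.data == NULL) { free(n); return NULL; }
    memcpy(n->cert.data, der, len);
    n->cert.length = len;
    return n;
}

/* Model of the ordinary principal branch: princ set, cert.length stays 0. */
kg_name model_import_princ_name(const char *name)
{
    kg_name n = calloc(1, sizeof(*n));
    if (n == NULL) return NULL;
    n->princ = calloc(1, sizeof(*n->princ));
    if (n->princ == NULL) { free(n); return NULL; }
    n->princ->name = name;
    return n;
}

/* Model of the check suggested for kg_impersonate_name():
 * 1 = impersonate by certificate, 0 = by principal, -1 = neither present. */
int model_impersonate_path(const kg_name n)
{
    if (n->cert.length != 0) return 1;
    return n->princ != NULL ? 0 : -1;
}

void model_free_name(kg_name n)
{
    if (n != NULL) { free(n->princ); free(n->cert.data); free(n); }
}
```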