PKINIT implementation

PKINIT implementation for Heimdal

PKINIT is an extension of the Kerberos protocol (RFC1510), which enables use of public key cryptography for client authentication. The PKINIT mechanism hasn't been standardized yet and the specification is still under development directed by the IETF Kerberos WG.
Our implementation of the PKINIT mechanism is intended for the Heimdal open source implementation of Kerberos V5. It is based on the latest draft of the PKINIT specification and was created for Heimdal v.0.5 . Please remember the implementation published here is still under development and not intended for use in production enviroments.

Features

• Support of the Globus infrastructure

Our PKINIT implementation contains support for the Grid Security Infrastructure (GSI). GSI was designed and developed by the Globus project and is widely used in grid enviroments. If Globus support is enabled, KDC can verify proxy certificates and authorize users according to system gridmap-file.

• Smartcard support

The PKINIT implementation also contains support for smartcard. Currently, only the Schlumberger Cryptoflex Win2k is supported. Another types will be added in the future.

• Client compatibility with win2k

It is possible for Heimdal clients to authenticate to Windows2000 KDC via PKINIT. The inverse direction (i.e. win2k clients against Heimdal KDC) is not implemented (yet). The main problem concerning interoperability with Win2k is a fact that the Microsoft PKINIT implementation is based on pkinit draft version 9, which is incompatible with the current version of the draft. Thus, several non-standard "hooks" had to be added to the code to satisfy the win2k protocol and message format.

Installation and Configuration

Download and unpack the heimdal distribution and apply the pkinit patch:

tar xzf heimdal-0.5.tar.gz; cd heimdal-0.5; patch -p1 < /{path_to}/pkinit.patch

Before configuring the heimdal package you have to generate a new configure script and Makefile.in in all subdirectories. To accomplish this you will need autoconf 2.53, automake 1.6.x and libtool 1.4.x (all these programs are available from the GNU web server). Script autogen.sh enclosed in the PKINIT patch can be used for generation of the configuration files. Just run the script in the top directory of Heimdal package:

sh autogen.sh

Once the configure script and all Makefile.in's are generated you can run configure with option --enable-pkinit, which sets up all parameters needed for PKINIT. Note that OpenSSL must be used if PKNIT support is requested. There are also another options you can use with pkinit:

• --with-globus=dir and --with-globus-flavor

These options enable support of Globus, root directory with Globus installation and an appropriate Globus flavor must be given. Note that only Globus 2.0 is supposed by the configuration script. However, it should be possible to use older version as well, but in this case you will need to modify appropriate Makefiles manually.

• --enable-smartcard

This option enables support for smartcards.

After the configuration has finished, run 'make' and 'make install' to build and install the heimdal package as usual.
To turn on the PKI suport on the KDC you need to add some new options to the kdc section in the KDC config file (/var/heimdal/kdc.conf by default):

enable-pkinit = yes
pki-certificate = filename
pki-private-key = filename
pki-ca-dir = directory
pki-allowed-principals = {

krb5-princ1 = X.500-name1
...

}

where pki-certificate specifies file with server X.509 certificate in the PEM format, pki-private-key specifies file with corresponding private key (if the key is encrypted a passphrase will have to be typed on every kdc start), pki-ca-dir specifies directory where certificate(s) of trusted CAs can be found (this certificates are supposed to be named in the hash format). The pki-allowed-principals option specifies allowed mapping among subject names from clients' certificates and principal names. The mapping will probably be moved to a separate file in the future.

Run the kdc server and try getting a user's TGT using PKINIT authentication:

kinit -C /home/kouril/.ssl/usercert.pem -K /home/kouril/.ssl/userkey.pem -D /etc/grid-security/certificates

where the -C switch specifies user's X.509 certificate (must be stored in the PEM format), the -K option specifies file containing the corresponding private key (you will be prompted for a passprhase if the key is encrypted) and the -D specifies a directory where trusted certificates are stored.

Directive pkinit_server in krb5.conf can be used to specify where KDC supporting PKINIT is running:

[realms]

YOUR.REALM = {

...
pkinit_server = FQDN_of_pkinit_KDC
...

}

Notes on Implementation

Although we tryied to make the implementation as close to the draft as possible, there are still some issues, which cause either an incompatibity with the specification or inconvenient usage of PKINIT:

• The ValiCert ASN.1 parser was used to process the CMS and PKINIT ASN.1 definitions. As the original Valicert parser doesn't support untagged fields in the CHOICE structures as well as a few others ASN.1 constructions, which are contained in the CMS specification, a patch adding such functionality is needed. Thanks to Mario Strasser for providing the patch. Generated sources are included in the PKINIT patch (as well as the ASN.1 sources) and are not generated during compilation. If you want to generate new sources download the Valicert parser, apply the patch and compile the ASN1 modules (cms_asn1.asn1 and pkinit_asn1.asn1 in lib/asn1). Since files in the asn1parser distribution are in the dos format (i.e. lines are ended with characters CR NL) you will have to convert them to unix format before applying the patch and compilation.
• Interoperability with another PKINIT implementation (mainly Windows 2000) still desires some work. Problem in this area is also that the PKINIT specification hasn't been standardized yet.
• The Diffie-Hellman support was not implemented and we aren't going to do it. The main thing we need is a support of our local users who already own X.509 certificates.
• There are still some incompatilities with the specification (e.g. the transited field in the ticket is not filled in, KDC doesn't fill in the e-text field if sending an error reply etc.)
• The implementation was tested on Debian GNU/Linux Woody, Solaris SunOS 5.8, and IRIX 6.5.

Acknowledgements

• Many thanks to Mario Strasser for providing support concerning ASN.1 issues, smartcard support and interoperability with Windows2000.
• This PKINIT implementation includes ValiCert ASN.1 Parser or code generated by ValiCert ASN.1 Parser copyright ValiCert, Inc. and written by Jack Kabat (jackk@valicert.com).

Authors

The first version of this implementation was created as part of Petr Holub's diploma thesis. The code was than much rewritten and additional changes and fixes were done by Daniel Kouril, who is the current maintainer of the code.