Hi All,
I was hoping to use the client API in Kerby to write some Java code that will
connect to an MIT Kerberos server using PKINIT — specifically, I have a user
certificate and key, and want to obtain first a TGT, and then a service ticket.
I have tried the following (using Kerby from the ‘trunk’ branch):
import java.security.PrivateKey;
import java.security.cert.Certificate;

import org.apache.kerby.KOptions;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbOption;
import org.apache.kerby.kerberos.kerb.client.PkinitOption;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;

// Point the client at the KDC and allow both transports.
KrbClient client = new KrbClient();
client.setKdcHost(host);
client.setAllowTcp(true);
client.setAllowUdp(true);
client.setKdcTcpPort(TCP_PORT);
client.setKdcUdpPort(UDP_PORT);
client.init();

// Ask for a PKINIT AS exchange, RSA-signed, for the given client principal.
KOptions requestOptions = new KOptions();
requestOptions.add(PkinitOption.USE_PKINIT);
requestOptions.add(PkinitOption.USING_RSA);
requestOptions.add(KrbOption.CLIENT_PRINCIPAL, principal);

if (APPROACH_ONE) {
    // Approach one: hand the loaded cert and key objects to the request.
    // cert and key load ok (are not null), but seem to be ignored
    Certificate certificate = readCertificateFile(pemFile);
    requestOptions.add(PkinitOption.X509_CERTIFICATE, certificate);
    PrivateKey privateKey = readPrivateKeyFile(keyFile);
    requestOptions.add(PkinitOption.X509_PRIVATE_KEY, privateKey);
} else {
    // Approach two: identity string set to "/path/to/pem,/path/to/pkcs8key"
    requestOptions.add(PkinitOption.X509_IDENTITY, pathTo(pemFile)
            + "," + pathTo(keyFile));
}

TgtTicket tgt = client.requestTgt(requestOptions);
but the server keeps complaining that “received_cert is null”, which I assume
means the user cert is not being included in the request. Can anyone tell me
whether (1) what I want to do isn’t really implemented yet, or (2) I am missing
something?
Thanks
- Lloyd
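The full flow the post is after (PEM user certificate and PKCS#8 key loaded, TGT obtained over PKINIT, then a service ticket with that TGT), written out as an added example. This is not code from the post or from Kerby. It reuses the Kerby trunk API names the post already uses (KrbClient, KOptions, KrbOption, PkinitOption, requestTgt) and assumes that `requestSgt(TgtTicket, String)` is the trunk call for a TGS-REQ with an existing TGT; the class name `PkinitExample`, the method `pkinitLogin`, the two file-reading helpers (same names as the poster's, but this implementation is mine, built on plain JDK `CertificateFactory` and `KeyFactory`), and the assumption that the key file is an unencrypted PKCS#8 RSA key are all mine.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

import org.apache.kerby.KOptions;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbOption;
import org.apache.kerby.kerberos.kerb.client.PkinitOption;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;

/**
 * Added example (not Kerby's code, not the original post's): load a PEM user
 * certificate and an unencrypted PKCS#8 RSA key with plain JDK APIs, request a
 * TGT over PKINIT, then a service ticket using that TGT.
 */
public final class PkinitExample {

    /** Parse an X.509 certificate; CertificateFactory accepts both PEM and DER. */
    static X509Certificate readCertificateFile(Path pemFile)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Parse an unencrypted PKCS#8 private key (PEM or DER) as an RSA key. */
    static PrivateKey readPrivateKeyFile(Path keyFile)
            throws IOException, GeneralSecurityException {
        byte[] raw = Files.readAllBytes(keyFile);
        String text = new String(raw, StandardCharsets.US_ASCII);
        byte[] der = raw;
        if (text.contains("-----BEGIN PRIVATE KEY-----")) {
            // Strip the PEM armour and base64-decode to DER.
            // "BEGIN ENCRYPTED PRIVATE KEY" (needs a passphrase) and the
            // PKCS#1 "BEGIN RSA PRIVATE KEY" form are deliberately rejected
            // by KeyFactory below; convert the latter first with
            // `openssl pkcs8 -topk8 -nocrypt`.
            String b64 = text
                    .replace("-----BEGIN PRIVATE KEY-----", "")
                    .replace("-----END PRIVATE KEY-----", "")
                    .replaceAll("\\s", "");
            der = Base64.getDecoder().decode(b64);
        }
        // USING_RSA in the request implies an RSA key, so parse it as one.
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** PKINIT AS exchange for a TGT, followed by a TGS exchange for serverPrincipal. */
    static SgtTicket pkinitLogin(String kdcHost, int tcpPort, String principal,
                                 Path pemFile, Path keyFile, String serverPrincipal)
            throws KrbException, IOException, GeneralSecurityException {
        KrbClient client = new KrbClient();
        client.setKdcHost(kdcHost);
        // TCP only: a PKINIT AS-REQ carries the client certificate and a CMS
        // signature, so it is far larger than a password-based request.
        client.setAllowTcp(true);
        client.setAllowUdp(false);
        client.setKdcTcpPort(tcpPort);
        client.init();

        KOptions requestOptions = new KOptions();
        requestOptions.add(PkinitOption.USE_PKINIT);
        requestOptions.add(PkinitOption.USING_RSA);
        requestOptions.add(KrbOption.CLIENT_PRINCIPAL, principal);
        requestOptions.add(PkinitOption.X509_CERTIFICATE, readCertificateFile(pemFile));
        requestOptions.add(PkinitOption.X509_PRIVATE_KEY, readPrivateKeyFile(keyFile));

        TgtTicket tgt = client.requestTgt(requestOptions);

        // Assumption: requestSgt(TgtTicket, String) issues the TGS-REQ using the TGT.
        return client.requestSgt(tgt, serverPrincipal);
    }

    public static void main(String[] args) throws Exception {
        // Usage: PkinitExample <kdcHost> <tcpPort> <principal> <cert.pem> <key.pk8> <servicePrincipal>
        SgtTicket sgt = pkinitLogin(args[0], Integer.parseInt(args[1]), args[2],
                Paths.get(args[3]), Paths.get(args[4]), args[5]);
        System.out.println("Got service ticket for " + args[5]);
    }
}
```

Two things worth checking before blaming the library when the KDC still reports a missing certificate: that the key file really is PKCS#8 (`openssl pkcs8` as noted in the code; `KeyFactory` throws an `InvalidKeySpecException` on PKCS#1 input, which is a different failure from the cert being absent), and that the certificate's subject or SAN is one the KDC maps to the requested client principal. The example also leaves out the trust anchor for verifying the KDC's own certificate in the AS-REP (assuming trunk's `PkinitOption` still carries `X509_ANCHORS` for that), so it does not show the client-side check of the KDC's signature.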