On Feb 23, 2009, at 04:39, Speedo wrote:

> I guess this issue had been discussed before: WS-Security negotiates
> with Kerberos 5 but uses the session key in a different way from GSS
> tokens. Since GSS-API is the public API to access Kerberos 5, is there
> any recent progress in enhancing the GSS-API to provide a function
> like gss_get_session_key()?
Yes, we bumped up against this with our Java implementation of Kerberos, GSSAPI, etc. Since we have our own implementation (cf. the ones that Sun and IBM ship in their respective JDKs), I added a home-grown API[*] to extract the session key from the GSSContext once the context is established, precisely to support the WS-Security Kerberos Token Profile.

But if that isn't an option... the initial context token for the Kerberos 5 GSSAPI mechanism is essentially just an AP-REQ with a bit of GSSAPI framing prepended, so perhaps you can strip off the GSSAPI cruft (including the non-ASN.1 bytes), leaving you with the AP-REQ, and you probably have lots of tasty APIs to process that and then give you the session key?

[*] I wish that the Java GSSAPI had an escape mechanism akin to XMLReader.setProperty(String,Object) in SAX2

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
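The stripping step suggested in the reply, as an added example that is not part of the list post and not the poster's Java implementation: a small Python parser written here that peels the RFC 2743 InitialContextToken framing (the `0x60` APPLICATION 0 wrapper, the krb5 mechanism OID `1.2.840.113554.1.2.2`, and the two raw TOK_ID bytes `01 00` from RFC 1964, which are the "non-ASN.1 bytes") off a Kerberos V5 GSS-API initial context token and returns the bare AP-REQ so it can be handed to a Kerberos library. It also reads `pvno` and `msg-type` out of the AP-REQ as a sanity check. The function names and the sample token are ours; the sample AP-REQ is constructed inline with dummy Ticket and EncryptedData placeholders (valid DER, not real Kerberos data), and the MS legacy OID is included as an assumption about tokens from Windows initiators.

```python
"""Strip GSS-API InitialContextToken framing from a krb5 initial context token.

Token layout sent on the first gss_init_sec_context call (RFC 2743 s.3.1, RFC 1964 s.1.1):

  60 <len>                               APPLICATION 0, constructed
    06 09 2a 86 48 86 f7 12 01 02 02     OID 1.2.840.113554.1.2.2 (krb5 mech)
    01 00                                TOK_ID for KRB_AP_REQ (raw bytes, not ASN.1)
    6e <len> ...                         the AP-REQ itself, APPLICATION 14
"""

KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_MECH_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (assumed MS legacy OID)
TOK_ID_AP_REQ = b"\x01\x00"


def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (lengths up to 65535); used only to build samples."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_der_length(buf: bytes, pos: int) -> tuple:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:  # indefinite or absurdly long forms are not DER
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def read_tlv(buf: bytes, pos: int, expected_tag: int) -> tuple:
    """Read one DER TLV with the given tag; return (value bytes, position after it)."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length, start = read_der_length(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return buf[start:end], end


def strip_gss_framing(token: bytes) -> bytes:
    """Return the DER-encoded AP-REQ embedded in a krb5 GSS initial context token."""
    body, end = read_tlv(token, 0, 0x60)
    if end != len(token):
        raise ValueError("trailing bytes after InitialContextToken")
    _, pos = read_tlv(body, 0, 0x06)          # mechanism OID
    if body[:pos] not in (KRB5_MECH_OID, MS_KRB5_MECH_OID):
        raise ValueError("not a Kerberos V5 mechanism token")
    tok_id = body[pos:pos + 2]                # the two non-ASN.1 bytes
    if tok_id != TOK_ID_AP_REQ:
        raise ValueError(f"TOK_ID {tok_id.hex()} is not KRB_AP_REQ")
    ap_req = body[pos + 2:]
    _, ap_end = read_tlv(ap_req, 0, 0x6E)     # AP-REQ is [APPLICATION 14]
    if ap_end != len(ap_req):
        raise ValueError("AP-REQ length does not match token length")
    return ap_req


def ap_req_header(ap_req: bytes) -> tuple:
    """Return (pvno, msg-type) from an AP-REQ; a genuine one yields (5, 14)."""
    seq, _ = read_tlv(ap_req, 0, 0x6E)
    fields, _ = read_tlv(seq, 0, 0x30)
    pvno_ctx, pos = read_tlv(fields, 0, 0xA0)        # [0] pvno
    pvno, _ = read_tlv(pvno_ctx, 0, 0x02)
    msgtype_ctx, _ = read_tlv(fields, pos, 0xA1)     # [1] msg-type
    msg_type, _ = read_tlv(msgtype_ctx, 0, 0x02)
    return int.from_bytes(pvno, "big"), int.from_bytes(msg_type, "big")


def wrap_ap_req(ap_req: bytes, tok_id: bytes = TOK_ID_AP_REQ) -> bytes:
    """Inverse of strip_gss_framing: wrap an AP-REQ in RFC 2743 framing."""
    return der_tlv(0x60, KRB5_MECH_OID + tok_id + ap_req)


# Constructed sample AP-REQ: real pvno/msg-type/ap-options, dummy ticket and authenticator.
SAMPLE_AP_REQ = der_tlv(0x6E, der_tlv(0x30,
    der_tlv(0xA0, der_tlv(0x02, b"\x05"))                          # pvno 5
    + der_tlv(0xA1, der_tlv(0x02, b"\x0e"))                        # msg-type 14 (KRB_AP_REQ)
    + der_tlv(0xA2, der_tlv(0x03, b"\x00\x00\x00\x00\x00"))        # ap-options, all clear
    + der_tlv(0xA3, der_tlv(0x61, der_tlv(0x30, der_tlv(0x04, b"\x00" * 160))))  # dummy Ticket
    + der_tlv(0xA4, der_tlv(0x30, b""))                            # dummy EncryptedData
))

if __name__ == "__main__":
    token = wrap_ap_req(SAMPLE_AP_REQ)
    ap_req = strip_gss_framing(token)
    print("AP-REQ bytes:", len(ap_req), "pvno/msg-type:", ap_req_header(ap_req))
```

The returned bytes are exactly what a Kerberos library's AP-REQ decoder expects; the session key itself is inside the ticket's encrypted part (and the subkey, if any, inside the authenticator), so decrypting either still requires the acceptor's long-term key or the initiator's credential cache, which this parser deliberately does not touch.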
