Re: [KERBY] Help with PKINIT

2022-11-07 Thread 李佳佳(佳加)
Hi David, AFAIK, PKINIT feature never finished and in fact, unless it's documented explicitly, I would not suggest trying any more advanced features than the Kerberos basics. Thanks, Jiajia -- From:David Soler García Sent At:2022

[KERBY] Help with PKINIT

2022-11-07 Thread David Soler García
Hi. I’m trying to use Apache Kerby in an app, and I need the authentication to be PKINIT, but it does not seem to work. I’m sending the message with “KrbPkinitClient”, but I always receive an error because “signedAuthPack” is null. Documentation is nonexistent, as usual for this project

Re: PKInit script?

2020-12-15 Thread 郑锴(铁杰)
Hi Darren, It's unfortunate for the confusion. As far as I remembered, the Pkinit support related effort wasn't finished yet, that's why it's not documented officially. Regards, Kai -- From: Darren Govoni Sent: 2020-12-15 (Tuesday) 23

Re: PKINIT

2018-05-16 Thread Colm O hEigeartaigh
KrbException { I'm not sure how well tested this class is though. Please give it a try and let us know how you get on. Colm. On Mon, May 7, 2018 at 9:46 PM, Jim Shi <hj...@yahoo.com.invalid> wrote: > Hi, > Do you support PKINIT? > If do, could you please provide an example how to

PKINIT

2018-05-07 Thread Jim Shi
Hi,  Do you support PKINIT?  If do, could you please provide an example how to use certificate to get a TGT as a client? Thank you so much! Jim

RE: Anonymous PKINIT support

2017-09-17 Thread Zheng, Kai
Really sorry for the very late follow on discussions. These are indeed good questions, my answers to them would be all yes. Quite some time ago we did want to make develop complete PKINIT and then start the work with the Anonymous support. That's why besides the Kerberos related codes, we also

Re: Anonymous PKINIT support

2017-09-15 Thread Colm O hEigeartaigh
> To: Zheng, Kai <kai.zh...@intel.com> > Cc: kerby@directory.apache.org > Subject: Re: Anonymous PKINIT support > > OK thanks! I wrote up the "access token" case as part of a blog post in > the context of a kerberized JAX-RS web service request using Apache CXF: > > http:

Re: Anonymous PKINIT support

2017-09-11 Thread Colm O hEigeartaigh
7 10:38 PM > To: kerby@directory.apache.org > Subject: Re: Anonymous PKINIT support > > Now that I've finished the JWT access token work, it'd be nice to finish > the Anonymous PKINIT side of things to get the Identity token part of it to > work. Please review my questions below. >

RE: Anonymous PKINIT support

2017-09-08 Thread Zheng, Kai
PKINIT support Now that I've finished the JWT access token work, it'd be nice to finish the Anonymous PKINIT side of things to get the Identity token part of it to work. Please review my questions below. Colm. On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh <cohei...@apache.org>

Re: Anonymous PKINIT support

2017-09-08 Thread Colm O hEigeartaigh
Now that I've finished the JWT access token work, it'd be nice to finish the Anonymous PKINIT side of things to get the Identity token part of it to work. Please review my questions below. Colm. On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh <cohei...@apache.org> wrote: >

Anonymous PKINIT support

2017-06-20 Thread Colm O hEigeartaigh
Hi all, As per the recent email on JWT, I'd like to look at the outstanding issues surrounding anonymous PKINIT support in Kerby. a) Last year I raised concerns about the KDC not signing the response: https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html Currently, we don't use

RE: PKINIT with certificates

2017-05-12 Thread Zheng, Kai
Hi Jim, Kerby hasn't supported certificate based PKINIT yet, though it does have lots of codes about PKI prepared for it. We did receive some user interests but the work is a very hard taking so the effort is blocked by more important tasks. Not sure about how Kerby PKINIT would help you

PKINIT with certificates

2017-05-11 Thread Jim Shi
Hi, May I ask: 1) Does Kerby support certificate based PKINIT? 2) Does Kerby support Elliptic Curve certificate? Thanks Jim

RE: Anonymous PKINIT signatures

2016-09-27 Thread Chen, Sammi
Hi Colm, OK. Will do. Thanks, Sammi -Original Message- From: Colm O hEigeartaigh [mailto:cohei...@apache.org] Sent: Tuesday, September 27, 2016 8:23 PM To: Chen, Sammi Cc: kerby@directory.apache.org Subject: Re: Anonymous PKINIT signatures Hi Sammi, Yes let's release RC3 soon if it's

RE: Anonymous PKINIT signatures

2016-09-27 Thread Chen, Sammi
Hi Colm, I'm ramping up on this anonymous PKINIT signature issue. I may take a while to understand the question and figure out the solution and would like to discuss with you when I have some thoughts. In the meantime, I'm trying to move on the Kerby 1.0.0-RC3 release. The community has

Re: Anonymous PKINIT signatures

2016-07-22 Thread Colm O hEigeartaigh
sociated with the KDC. This is a requirement for anonymous PKINIT > > Yes, you are right. The "Identity" should be used in anonymous PKINIT. > But now in client PkinitPreauth, start from line 393, we skip to use the > certificateSet which is returned by server, so now the cod

RE: Anonymous PKINIT signatures

2016-07-21 Thread Li, Jiajia
Hi Colm, >> >However, I can't see where it is signing the response with the private key >> >associated with the KDC. This is a requirement for anonymous PKINIT Yes, you are right. The "Identity" should be used in anonymous PKINIT. But now in client PkinitPreauth,

Anonymous PKINIT signatures

2016-07-21 Thread Colm O hEigeartaigh
Hi all, I'm continuing to look at anonymous PKINIT as implemented in Kerby. I'm a bit puzzled by a few things relating to signatures and would welcome some feedback. Looking at the server PkinitPreauth, it appears that Diffie-Hellman is used to establish a shared secret key with the client

RE: PKINIT client support

2016-02-22 Thread Zheng, Kai
I thought Jiajia could elaborate some bit about what's exactly the gaps to fill for the full PKINIT support. Regards, Kai -Original Message- From: Zheng, Kai [mailto:kai.zh...@intel.com] Sent: Tuesday, February 23, 2016 9:04 AM To: Apache Directory Developers List <

RE: PKINIT client support

2016-02-22 Thread Zheng, Kai
Hi Lloyd, Thanks for the interesting and trying! Unfortunately, right now only Anonymous PKINIT is done. The RSA case is still on the going but I believe it's quite approaching to the completion. The community is busy with other things of higher priority like RC2 releasing, GSSAPI support

RE: Fix up for encoding/decoding issues for newly added types and CMS/X509/PKINIT tests

2015-12-22 Thread Zheng, Kai
To: kerby@directory.apache.org Subject: RE: Fix up for encoding/decoding issues for newly added types and CMS/X509/PKINIT tests Hi Kai, If apply with the following patch: diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java b/kerby-kerb/kerb

RE: Fix up for encoding/decoding issues for newly added types and CMS/X509/PKINIT tests

2015-12-22 Thread Li, Jiajia
Hi Kai, If apply with the following patch: diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerber index e9cca99..07f2e44 100644 --- a/kerby-kerb/kerb-common/src/main/java

RE: Fix up for encoding/decoding issues for newly added types and CMS/X509/PKINIT tests

2015-12-21 Thread Li, Jiajia
:55 PM To: kerby@directory.apache.org Subject: RE: Fix up for encoding/decoding issues for newly added types and CMS/X509/PKINIT tests Hi Jiajia, Could we dump it out using type info? It could be more useful. Thanks. Regards, Kai -Original Message- From: Li, Jiajia [mailto:jiajia...@int

RE: Fix up for encoding/decoding issues for newly added types and CMS/X509/PKINIT tests

2015-12-21 Thread Zheng, Kai
for newly added types and CMS/X509/PKINIT tests Hi Kai, It's a good idea and I will check the diff of the kdc req between MIT and Kerby. The dumped result of ContentInfo: Dumping data: 3082022506092A864886F70D010702A0820216308202120201033082020B06072B060105020301A08201FE048201FA308201

RE: Fix up for encoding/decoding issues for newly added types and CMS/X509/PKINIT tests

2015-12-21 Thread Zheng, Kai
Thanks Jiajia for the update. It's quite unfortunate. I really wish MIT Kerberos can use our ASN1 things so it can give specific error in such case, as the Kerberos/PKINIT/CMS signed data is so huge and complex, how to locate it? Maybe it can print verbose logs? Thanks. Regards, Kai

pkinit-support branch has been merged to trunk

2015-12-16 Thread Zheng, Kai
Thanks Jiajia for getting the most of the codes done and merging it to trunk(master)! Let's continue to get the great feature delivered based on trunk, the way can save us some time avoiding having to maintain two branches. Regards, Kai

RE: Consolidate and merge the existing kerberos-pkinit implementation in directory to Kerby

2015-09-22 Thread Zheng, Kai
The code looks great. Thanks Jiajia for the finding. Hope it will help implement PKINIT the great and hard feature! Regards, Kai -Original Message- From: Li, Jiajia [mailto:jiajia...@intel.com] Sent: Tuesday, September 22, 2015 3:12 PM To: kerby@directory.apache.org Subject

RE: pkinit

2015-08-11 Thread Li, Jiajia
Hi Tom, I'm glad you would help with the PKINIT feature. Yes it's a good start to run the test and hope the test will pass finally. Do you have a list of what's working and what isn't? Also, do you have any writeup on the intended design? We are now working for the 1st release, after it I'd

pkinit

2015-08-10 Thread Tom Mueller
Hi Jiajia, Finally digging into the pkinit support in earnest. I've checked out the pkinit-support branch and built it successfully. Saw the WithCertKdcTest.testKdc test method and uncommented out the @Test so I could start running the test. This helped to show some of the pieces