[30757] in Kerberos


Re: WS-Security and GSS-API: How do I get the session key?

daemon@ATHENA.MIT.EDU (Thomas Maslen)
Tue Feb 24 01:00:55 2009

From: Thomas Maslen <Thomas.Maslen@quest.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 23 Feb 2009 21:59:24 -0800
Message-ID: <723530449330F342A68634ADF3CE8DE203395D134D@alvxmbw02.prod.quest.corp>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Feb 23, 2009, at 04:39, Speedo wrote:
> I guess this issue had been discussed before: WS-Security negotiates
> with Kerberos 5 but uses the session key in a different way from GSS
> tokens. Since GSS-API is the public API to access Kerberos 5, is there
> any recent progress in enhancing the GSS-API to provide a function
> like gss_get_session_key()?

Yes, we bumped up against this with our Java implementation of Kerberos,
GSSAPI, etc.

Since we have our own implementation (cf. the ones that Sun and IBM ship
in their respective JDKs), I added a home-grown API[*] to extract the session
key from the GSSContext once the context is established, precisely to 
support the WS-Security Kerberos Token Profile.

But if that isn't an option... the initial context token for the Kerberos 5
GSSAPI mechanism is essentially just an AP-REQ with a bit of GSSAPI
framing prepended, so perhaps you can strip off the GSSAPI cruft
(including the non-ASN.1 bytes), leaving you with the AP-REQ, and 
you probably have lots of tasty APIs to process that and then give you
the session key?

[*] I wish that the Java GSSAPI had an escape mechanism akin to
XMLReader.setProperty(String,Object) in SAX2
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
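Added example (not code from Quest's implementation or from anyone in this thread): the stripping step Thomas describes, in Python, for the RFC 2743 InitialContextToken framing that the Kerberos 5 mechanism puts in front of the AP-REQ. The sample AP-REQ bytes are a constructed placeholder with only the correct outer tag; a real caller would pass the returned bytes to a Kerberos/ASN.1 library, decrypt the ticket with the service key, and read the session key from there.

```python
# Token layout (RFC 2743 3.1 + RFC 4121 4.1): 0x60, DER length, mech OID, TOK_ID, AP-REQ
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"  # KRB_AP_REQ token id: the two non-ASN.1 bytes

def _der_length(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_der_length(buf, pos):
    """Return (length, position after the length field) for the DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def wrap_initial_context_token(ap_req):
    """Put the GSS-API framing around an AP-REQ (used here only to build a sample)."""
    inner = KRB5_MECH_OID_DER + TOK_ID_AP_REQ + ap_req
    return b"\x60" + _der_length(len(inner)) + inner

def extract_ap_req(token):
    """Strip the GSS-API framing and return the raw AP-REQ; raise if the shape is wrong."""
    if not token or token[0] != 0x60:  # [APPLICATION 0] IMPLICIT SEQUENCE
        raise ValueError("not an RFC 2743 InitialContextToken")
    inner_len, pos = _read_der_length(token, 1)
    if pos + inner_len != len(token):
        raise ValueError("token length does not match its contents")
    if token[pos] != 0x06:  # mechanism OID comes first inside the wrapper
        raise ValueError("expected the mechanism OID")
    oid_len, oid_body = _read_der_length(token, pos + 1)
    pos_after_oid = oid_body + oid_len
    if token[pos:pos_after_oid] != KRB5_MECH_OID_DER:
        raise ValueError("not a Kerberos 5 mechanism token")
    if token[pos_after_oid:pos_after_oid + 2] != TOK_ID_AP_REQ:
        raise ValueError("token id is not KRB_AP_REQ")
    ap_req = token[pos_after_oid + 2:]
    if not ap_req or ap_req[0] != 0x6E:  # AP-REQ is [APPLICATION 14]
        raise ValueError("payload does not look like an AP-REQ")
    return ap_req

# Constructed stand-in for an AP-REQ: correct outer tag, placeholder contents.
SAMPLE_AP_REQ = b"\x6e\x04\x30\x02\x05\x00"
SAMPLE_TOKEN = wrap_initial_context_token(SAMPLE_AP_REQ)
```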
