Canonical/portable way to obtain long term key for a GSS security context (acceptor side)

Osipov, Michael (IN IT IN) michael.osipov at innomotics.com
Mon May 6 14:32:40 UTC 2024


Folks,

I have a GSS security context established and need to calculate a 
signature on data received from the client. The client submits me a 
forwarded signature calculated by the KDC (Active Directory) with the 
server's long term key from the keytab.
As far as I can see ExtendedGSSContext only exposes the server's session 
key, but not the long term key used to accept this security context.
The only way I have found working is either:
> PrincipalName name = new PrincipalName("...", PrincipalName.KRB_NT_PRINCIPAL);
> EncryptionKey[] encKeys = EncryptionKey.acquireSecretKeys(name, "...");
> EncryptionKey encKey = EncryptionKey.findKey(serverSignature.getType().getEType(), encKeys);

which is ugly because these are really, really private classes and the 
key is disjoint from the context, hoping that the KVNO matches the 
key I have here, or I need to pull in a lot of dependencies from Apache 
Kerby to get the key.

The signature calculation succeeds with additional private classes, but 
that is another story.

Any tip would be helpful. In case you ask, I want to calculate: 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/a194aa34-81bd-46a0-a931-2e05b87d1098

Ideal solution would be of course:
Key longTermKey = (Key) 
extGssContext.inquireSecContext(InquireType.KRB5_GET_LONG_TERM_KEY);

I am on Java 8+

Best regards,

Michael
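As an added illustration (not part of the original post, and not code from the OpenJDK project), the following Java 8 example shows how the long-term key can be read from the keytab through the public `javax.security.auth.kerberos.KeyTab` / `KerberosKey` API instead of `sun.security.krb5` internals, selected by the enctype the PAC signature names, and how the RFC 4757 HMAC-MD5 checksum used for `KERB_CHECKSUM_HMAC_MD5` PAC signatures (key usage `KERB_NON_KERB_CKSUM_SALT`, 17) is computed over the PAC bytes. The principal name, keytab path, the 16-byte key and the PAC bytes in `main` are constructed placeholders; `findLongTermKey`, `hmacMd5Checksum` and `verifyServerSignature` are hypothetical helper names.

```java
import java.io.File;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public final class PacServerSignatureExample {

    // RFC 4757 enctype number for rc4-hmac; AES would be 17 / 18 (RFC 3962)
    static final int ETYPE_RC4_HMAC = 23;
    // Key usage MS-PAC prescribes for PAC signatures (KERB_NON_KERB_CKSUM_SALT)
    static final int KERB_NON_KERB_CKSUM_SALT = 17;

    /**
     * Reads the acceptor's long-term key from the keytab with the public KeyTab API,
     * picking the entry whose enctype matches the PAC signature. kvno &lt; 0 means "any
     * version"; the GSS context itself does not tell us which kvno it accepted with.
     */
    static KerberosKey findLongTermKey(File keytabFile, String servicePrincipal, int etype, int kvno) {
        KerberosPrincipal principal = new KerberosPrincipal(servicePrincipal);
        KeyTab keytab = (keytabFile == null)
                ? KeyTab.getInstance(principal)            // default keytab
                : KeyTab.getInstance(principal, keytabFile); // bound keytab, Java 8+
        for (KerberosKey key : keytab.getKeys(principal)) {
            if (key.getKeyType() == etype && (kvno < 0 || key.getVersionNumber() == kvno)) {
                return key;
            }
        }
        throw new IllegalStateException("no key with etype " + etype + " for " + servicePrincipal);
    }

    /**
     * RFC 4757 section 4 checksum:
     *   Ksign  = HMAC-MD5(K, "signaturekey" || 0x00)
     *   chksum = HMAC-MD5(Ksign, MD5(LE32(usage) || data))
     */
    static byte[] hmacMd5Checksum(byte[] longTermKey, int usage, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(longTermKey, "HmacMD5"));
        byte[] ksign = mac.doFinal("signaturekey\0".getBytes(StandardCharsets.US_ASCII));

        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(ByteBuffer.allocate(4).order(ByteOrder.LITTLE_ENDIAN).putInt(usage).array());
        md5.update(data);
        byte[] tmp = md5.digest();

        mac.init(new SecretKeySpec(ksign, "HmacMD5"));
        return mac.doFinal(tmp);
    }

    /**
     * Verifies a received server signature. The caller must pass the PAC with the
     * signature fields of both PAC_SIGNATURE_DATA buffers zeroed, as MS-PAC requires.
     * Only the HMAC-MD5 checksum is implemented; AES types need the RFC 3962 derived key.
     */
    static boolean verifyServerSignature(KerberosKey key, byte[] pacZeroedSignatures, byte[] received)
            throws Exception {
        if (key.getKeyType() != ETYPE_RC4_HMAC) {
            throw new UnsupportedOperationException("only the HMAC-MD5 checksum is shown here");
        }
        byte[] expected = hmacMd5Checksum(key.getEncoded(), KERB_NON_KERB_CKSUM_SALT, pacZeroedSignatures);
        return MessageDigest.isEqual(expected, received); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a fake 16-byte rc4-hmac key and a fake PAC body
        byte[] fakeKey = new byte[16];
        for (int i = 0; i < fakeKey.length; i++) fakeKey[i] = (byte) i;
        byte[] fakePac = "constructed PAC bytes with signatures zeroed".getBytes(StandardCharsets.US_ASCII);

        byte[] sig = hmacMd5Checksum(fakeKey, KERB_NON_KERB_CKSUM_SALT, fakePac);
        StringBuilder hex = new StringBuilder();
        for (byte b : sig) hex.append(String.format("%02x", b));
        System.out.println("checksum: " + hex + " (" + sig.length + " bytes)");

        // Real lookup only if a keytab is present at the placeholder path
        File keytab = new File("/path/to/service.keytab");
        if (keytab.exists()) {
            KerberosKey key = findLongTermKey(keytab, "HTTP/host.example.test@EXAMPLE.TEST", ETYPE_RC4_HMAC, -1);
            System.out.println("keytab key kvno=" + key.getVersionNumber() + " etype=" + key.getKeyType());
        }
    }
}
```

This does not remove the KVNO concern raised above: the keytab may hold several versions of the key, and nothing on the context reports which one accepted the AP-REQ, so a verifier either pins the kvno out of band or tries each matching entry and treats the signature as valid only if one of them matches.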



More information about the security-dev mailing list