Missing functionality in GnuTLS to produce PKINIT certificates for Kerberos KDC
This is FYI, or perhaps a feature request. We fell back to OpenSSL for doing this, but thought it'd be good to document what elementary facilities were missing in GnuTLS.
PKINIT is a public-key bootstrapping system used when initiating a Kerberos5 connection to a Key Distribution Centre. It is founded on X.509 certificates that can be generated with OpenSSL as described on http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/pkinit.html -- we stubbornly ;-) tried to do this with certtool in GnuTLS 3.4.7.
Certtool has no generic support for other_name in the subjectAltName extension, nor for specific forms of name such as a KRB5PrincipalName, so I created gnutls-3.4.7-certtool.patch that supports the literal content for other_name:
other_name = "302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
The patch runs into an exception in libgnutls not supporting other_name, even though code in support of it does seem to be present in various places. I do not have sufficient overview of libgnutls to patch that. Here's a session after applying only the certtool patch:
shell$ certtool --generate-privkey --outfile key.pem
Generating a 3072 bit RSA private key...
shell$ /usr/local/src/gnutls-3.4.7/src/certtool --generate-self-signed --load-privkey key.pem --template certtool.cfg --outfile cert.pem
Generating a self signed certificate...
set_subject_alt_name: An unimplemented or disabled feature has been requested.
I can provide a script to generate these other_name hex values, if so desired. The general syntax comes from RFC4556 (id-pkinit-san, KRB5PrincipalName) and RFC4120 (Realm, PrincipalName).
A better generic form for other_name would probably be
other_name = 1.2.3.4 aabbcc123.....12b
but I couldn't do that because I couldn't find a function gnutls_x509_crt_set_subject_alt_othername_oid()
.
Alternatively/Additionally, with domain-specific knowledge built in, it might be more in line with the rest of certtool to specify
krb5PrincipalName = rick@ARPA2.NET
and ask interactively when it is empty. Note that various forms of name may occur, see RFC4120 section 6.2, so this involves some Kerberos-specific parsing. Let me know if you would like me to create that.
Other than this, we would need to add OIDs for Extended Key Usage, but that is covered by key_purpose_oid already.
As I said, we fell back on OpenSSL but this is reported in the hope that it is useful to add useful facilities to GnuTLS.