Kerberos smart card logon implementation #145
Conversation
…o from pku2u module to pk_init module
… module. refactor pku2u
…ed conditional compilation;
There was a problem hiding this comment.
Question: I thought we intended to provide the smart card implementation itself in a separate standalone crate (winscard), with an API similar to the pcsc crate except it’s not powered by FFI bindings and is pure Rust instead. Did we change our mind? (cc @dbl-cross @awakecoding)
Otherwise, this is looking good to me.
| @@ -232,7 +232,7 @@ pub fn generate_as_req_kdc_body(options: &GenerateAsReqOptions) -> Result<KdcReq | |||
| } | |||
|
|
|||
| #[instrument(level = "debug", ret, skip_all)] | |||
| pub fn generate_as_req(pa_datas: &[PaData], kdc_req_body: KdcReqBody) -> AsReq { | |||
| pub fn generate_as_req(pa_datas: Vec<PaData>, kdc_req_body: KdcReqBody) -> AsReq { | |||
There was a problem hiding this comment.
What motivates this change? Maybe a to_owned or to_vec can be removed somewhere below.
There was a problem hiding this comment.
For every Kerberos AS exchange, we are using the pa_data::AsReqPaDataOptions::generate method to create needed PaDatas. They are never reused in our code. We generate new ones for every AS exchange. So, I changed this function signature to accept the owned PaDatas.
yes, .to_owned() can be removed below. I forgot about it during the refactoring.
There was a problem hiding this comment.
removed unneeded .to_owned()
|
You are right. We are still planning to replace the WinSCard API with our own implementation in Rust. The current Kerberos smart card logon implementation is just the initial one. Just to make the Kerberos work with smart cards. |
TheBestTvarynka
force-pushed
the
kerberos-smart-card-logon
branch
from
79acde7
to
468d74d
Compare
Adds Kerberos smart card logon implementation. * Moves a lot of code from the Pku2u submodules into the `pk-init` module. Motivation: This code is reused in the Kerberos AS-messages exchange. * Moves PA-DATA (pre-authentication data) generation and session key extraction into a separate module. * Small builders refactoring. I wrote comments about it in the code. References: * RFC 4556: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT): https://www.rfc-editor.org/rfc/rfc4556.html * MS-CSSP TSCredentials: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cssp/94a1ab00-5500-42fd-8d3d-7a84e6c2cf03 * Winscard.h header - Win32 apps: https://learn.microsoft.com/en-us/windows/win32/api/winscard/ * Microsoft Base Smart Card Cryptographic Service Provider: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/secsmart/microsoft-base-smart-card-cryptographic-service-provider
Hi,
In this PR I've added Kerberos smart card logon implementation. Finally 🎊 .
Changes overview:
pk-initmodule. Motivation: This code is reused in the Kerberos AS-messages exchange.Docs & references:
P.S. When this PR gets merged, I'll perform final dev testing and make sure I didn't break anything during the code review and refactoring. And after that, I'll create a final pull request from
kerberos-smart-card-devinto themasterbranch.