Last two weeks I’ve cleaned up the the final big issues with PK-INIT code. Soon usb dongles will arrive and we can do testing for other people then me. There is only really one issue left with PK-INIT code, more error message must be generated and the correct error code must be returned.
The other part of PK-INIT is the hx509 library that I’ve been tweeking on last last year or so when I have had time. On it there is two major issues left. First there must be error string generated. There is currect two error codes, but that doesn’t help you if you get the “signature incorrect” error-code. What signature, on the CMS SignedData message, the signing certificate, or maybe some certificates in the chain. The second issue is that there is no policy mappings yet, that that is a major flaw when verifying chains that go though bridge-ca’s. I find the policy mappings to be badly written in the PKIX (rfc3280), its spread out over then whole document and no clear view how to implement it, or even how to use it!
Anyway, the last week I add proxy certificate support to hx509, so now Heimdal can use proxy certificates generated by the grid folks again.
I’ve also written more tests for the Heimdal regression suite. Both for the hx509 library and Heimdal as a system. Now as part of “make check” a kerberos database is created, kdc started, kinit run (both using Encrypted Timestamp pre-authentication and PK-INIT) and , as a client is authenticated (testing both mutual authentication and not) to a application server using krb5_mk_req API (ap-req/ap-rep).