pkinit updates

Kevin Coffman kwc at
Mon Dec 11 22:39:29 EST 2006

On 12/8/06, Douglas E. Engert <deengert at> wrote:
> I dont see the updates I got the original source using:
> snv checkout svn://

I've updated my pkinit branch with the get_init_creds_opt_set_pa()
changes, as well as other changes.  Here is the commit message:

  Pull in changes for the extended get_init_creds_opt structure.

  Pull in changes to add get_init_creds_opt_set_pa(),
    get_init_creds_opt_get_pa(), and get_init_creds_opt_free_pa()

  Change client interface to pass in the get_init_creds_opt structure
    to the process and tryagain functions.

  Pull in changes to kinit to pass preauth options entered with "-X"

  Create typedefs for all the preauth plugin client and server
    interface functions and use them.  Eliminates mismatches
    and enables better type checking of the interface paremeters.

  Add *temporary* code to client side of pkinit to handle preauth options
    and set the appropriate environment variables.
    (Currently only X509_user_identity, X509_anchors, and
    flag_RSA_PROTOCOL are handled.)

  Add code to use krb5int_accessor to obtain pointers to internal functions
    for ASN.1 encode/decode routines rather than exporting them from

  Various updates and improvements in the pkinit smartcard code.

Doug, this includes the heimdal compatibility function, but I'm not
sure you can depend on it being there long-term.  The pkinit code
currently only handles X509_user_identity, X509_anchors, and the

The server still requires environment variables for now, but the
client can be run with something like the following:

/kinit -X X509_user_identity=FILE:/tmp/x509up_u20010,/tmp/x509up_u20010 \
 -X X509_anchors=/etc/grid-security/certificates \

More information about the krbdev mailing list