API for setting preauth get_init_creds_options
Kevin Coffman
kwc at citi.umich.edu
Tue Nov 21 10:43:55 EST 2006
On 10/17/06, Sam Hartman <hartmans at mit.edu> wrote:
> I think we should perhaps move the API discussion to krbdev and so I'm
> adding that list.
>
>
> I think the requirements are:
>
> 1) The API in libkrb5 must not be pkinit specific.
> So I'm thinking of something like a get_init_creds_opt_set_pa which
> takes a patype, integer|string and value.
>
> 2) Easy compatibility with Heimdal. So, for example, you'd like to be able
> to have a #define for the Heimdal functions or at least export similar
> functionality.
>
> 3) Minimize backend specificity.
>
> 4) Provide an interface that can be used for gssmaggot integration.
>
> I think that goal 2 and 3 are in conflict. It seems likely that we
> may end up exporting some APIs that provide Heimdal compat at least
> when built against openssl.
>
> I would appreciate advice on how we can move forward here.
I'm hoping to renew this conversation and get advice.
This is Heimdal's interface:
krb5_error_code KRB5_LIB_FUNCTION
krb5_get_init_creds_opt_set_pkinit (
        krb5_context /*context*/,
        krb5_get_init_creds_opt * /*opt*/,
        krb5_principal /*principal*/,
        const char * /*user_id*/,
        const char * /*x509_anchors*/,
        char * const * /*pool*/,
        char * const * /*pki_revoke*/,
        int /*flags*/,
        krb5_prompter_fct /*prompter*/,
        void * /*prompter_data*/,
        char * /*password*/);
Taking Sam's initial suggestion, here is what I came up with:
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_pa(krb5_context context,
                               krb5_get_init_creds_opt *opt,
                               krb5_preauthtype preauth_type,
                               krb5_principal principal,
                               const char *user_id,
                               const char *password,
                               krb5_prompter_fct prompter,
                               void *prompter_data,
                               const char *attr,
                               const char *value)
Should "attr" and "value" be an array of attr/value pairs so we could
accomplish setting several values like "x509_anchors", "pool",
"pki_revoke" in one call?
How should these be passed from the command line for kinit?
BTW, for the plugins to make use of the krb5_get_init_creds_opt, they
would have to know about the new extended structure, which I think is
undesirable.
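The generic attr/value option API sketched in this message, as an added illustration that is not part of the thread and is neither MIT krb5 nor Heimdal code: a self-contained C model in which libkrb5 stores (pa-type, attr, value) triples inside its option structure, accepts the "attr=value" form kinit might take from the command line, and exposes a by-name accessor so a preauth plugin never needs the layout of the extended structure. Every type and function name, the PA_PK_AS_REQ constant and the sample paths are assumptions made for the example.

```c
/* Added example (not MIT krb5 or Heimdal code): a model of the generic
 * attr/value preauth option API discussed in the thread.  All names here
 * are assumptions for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int krb5_error_code;
typedef int krb5_preauthtype;
#define PA_PK_AS_REQ 16             /* PKINIT pa-type number (RFC 4556) */

/* One stored (pa-type, attr, value) triple. */
struct pa_attr {
    krb5_preauthtype patype;
    char *attr;
    char *value;
    struct pa_attr *next;
};

/* The extended options structure; only libkrb5 sees its layout. */
typedef struct {
    struct pa_attr *pa_attrs;
} krb5_get_init_creds_opt;

static char *dup_n(const char *s, size_t n)      /* portable strndup */
{
    char *d = malloc(n + 1);
    if (d != NULL) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

krb5_get_init_creds_opt *opt_alloc(void)
{
    return calloc(1, sizeof(krb5_get_init_creds_opt));
}

void opt_free(krb5_get_init_creds_opt *opt)
{
    struct pa_attr *p = opt ? opt->pa_attrs : NULL;
    while (p != NULL) {
        struct pa_attr *next = p->next;
        free(p->attr); free(p->value); free(p);
        p = next;
    }
    free(opt);
}

static struct pa_attr *find_pa(krb5_get_init_creds_opt *opt,
                               krb5_preauthtype patype, const char *attr)
{
    struct pa_attr *p;
    for (p = opt->pa_attrs; p != NULL; p = p->next)
        if (p->patype == patype && strcmp(p->attr, attr) == 0)
            return p;
    return NULL;
}

/* Generic, non-pkinit-specific setter: stores one attr/value pair for a
 * pa-type; setting the same attr again replaces the earlier value.
 * Returns 0, EINVAL on bad arguments, ENOMEM on allocation failure. */
krb5_error_code get_init_creds_opt_set_pa(krb5_get_init_creds_opt *opt,
                                          krb5_preauthtype patype,
                                          const char *attr, const char *value)
{
    struct pa_attr *p;
    char *v;
    if (opt == NULL || attr == NULL || value == NULL || *attr == '\0')
        return EINVAL;
    if ((v = dup_n(value, strlen(value))) == NULL)
        return ENOMEM;
    if ((p = find_pa(opt, patype, attr)) != NULL) {   /* replace in place */
        free(p->value);
        p->value = v;
        return 0;
    }
    p = malloc(sizeof(*p));
    if (p == NULL || (p->attr = dup_n(attr, strlen(attr))) == NULL) {
        free(p); free(v);
        return ENOMEM;
    }
    p->patype = patype; p->value = v;
    p->next = opt->pa_attrs; opt->pa_attrs = p;
    return 0;
}

/* Plugin-facing accessor: a preauth plugin asks for (pa-type, attr) by name
 * instead of reading the option structure.  NULL when unset. */
const char *get_init_creds_opt_get_pa(krb5_get_init_creds_opt *opt,
                                      krb5_preauthtype patype, const char *attr)
{
    struct pa_attr *p = (opt && attr) ? find_pa(opt, patype, attr) : NULL;
    return p ? p->value : NULL;
}

/* Command-line form: parses "attr=value" as kinit might receive it. */
krb5_error_code get_init_creds_opt_set_pa_string(krb5_get_init_creds_opt *opt,
                                                 krb5_preauthtype patype,
                                                 const char *arg)
{
    const char *eq;
    char *attr;
    krb5_error_code ret;
    if (arg == NULL || (eq = strchr(arg, '=')) == NULL || eq == arg)
        return EINVAL;
    if ((attr = dup_n(arg, (size_t)(eq - arg))) == NULL)
        return ENOMEM;
    ret = get_init_creds_opt_set_pa(opt, patype, attr, eq + 1);
    free(attr);
    return ret;
}

/* Number of stored pairs, for checking the behaviour above. */
int get_init_creds_opt_count_pa(krb5_get_init_creds_opt *opt)
{
    int n = 0;
    struct pa_attr *p;
    for (p = opt ? opt->pa_attrs : NULL; p != NULL; p = p->next)
        n++;
    return n;
}
```

The point of the by-name accessor is Kevin's last concern: a plugin calls get_init_creds_opt_get_pa with a pa-type and attribute name and can stay ignorant of whether the option structure was extended, while the "attr=value" parser gives kinit one flag syntax that covers x509_anchors, pool and pki_revoke without a pkinit-specific entry point.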