Extending certauth plugin to set ticket flags?

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Feb 17 21:20:38 EST 2020


For a while we've been maintaining our own PKINIT plugin because of some
needs we have in our environment.  The three things that it does that
were not always supported by MIT Kerberos are:

1) Matching of the client principal to the subject DN of the certificate
2) OCSP revocation checking of the client certificate
3) Setting of the TKT_FLG_HW_AUTH flag in the TGT if the certificate had
   some specific policies.

1) has now been implemented in MIT Kerberos for a while, and I recently discovered
the certauth plugin which would be a perfect place to implement 2).  But
I am not sure of a way to implement 3) without a whole new PKINIT plugin.
And to be honest, I sure would love being out of the business of maintaining
our own pkinit plugin.

I see that the certauth plugin can set authentication indicators, but
that's just KRB5_AUTHDATA and we have a lot of our infrastructure that
uses TKT_FLG_HW_AUTH now and that would be hard to change.  I am wondering
if it would be possible to extend the certauth plugin to allow the setting
of TKT_FLG_HW_AUTH?  What that API would look like, I have no particular
preference.  I am not sure it makes sense to pass the whole
encrypted ticket reply down to the certauth function, but that would be
easy.  A returned boolean or callback to tell the pkinit plugin to set
HW_AUTH would also be sufficient.  Really, I don't care about the API
all that much; all I need is access to the certificate to check the
policy information.  certauth seems the obvious existing plugin interface
to check for that.

Thoughts?

--Ken