Building the PKINIT plugin on Windows

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Oct 8 20:00:13 EDT 2020


As I've mentioned previously, in our Kerberos deployment we are attempting
to get rid of building our own custom PKINIT plugin and I think we're
on a course to do that.  But one piece remains.

I did not realize until recently that the stock MIT Kerberos does NOT
build the PKINIT plugin (I know it builds the SPAKE plugin).  Ok, fine,
that one is on me.  PKINIT is very important to our deployment, and so
is Windows.  We have some of our Windows developers working on getting
the latest MIT plugin working on Windows, but I have to believe we
aren't the only people who want this to work on Windows.  So I think it
makes sense to see if MIT is interested in patches to get PKINIT built
on Windows, and what the best process would be for contributing such
patches.

My current understanding from our Windows developers is the following
issues exist:

- "Minor" portability issues, like the use of unistd.h
- Changes need to be made to the build system to build the pkinit plugin
- A dependency on OpenSSL
- The use of dlopen()/dlsym to load a PKCS#11 library
- The lack of regcomp()/regex() on Windows

The first three seem relatively straightforward.  I know that there are
equivalent functions under Windows for dlopen/dlsym
(LoadLibrary/GetProcAddress) so that should be easy.

Regarding regcomp/regex, we are looking at the functions provided by
GNUlib as a replacement, but there are plenty of choices here.

I'm sure there will be other issues that come up, but I don't believe
there are any insurmountable challenges; after all, we have used our own
plugin on Windows (which is based on an old version of the MIT code)
for a while now.

--Ken
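Added example, not code from Ken's post or from MIT Kerberos: a minimal shim for the dlopen()/dlsym() to LoadLibrary()/GetProcAddress() substitution the post proposes, applied to the step where a PKINIT plugin locates a PKCS#11 module (resolve C_GetFunctionList, call it, read the function list). The pk11_* names and the trimmed CK_* typedefs are this example's own assumptions; a real port would include the project's pkcs11.h. Passing NULL as the path opens the running program itself, which is how the shim can be exercised with no PKCS#11 module installed.

```c
/* Added example (not from the krbdev post or MIT Kerberos). Cross-platform
 * loader shim: dlopen/dlsym on POSIX, LoadLibrary/GetProcAddress on Windows.
 * All pk11_* names and the trimmed CK_* types are this example's assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#  include <windows.h>
typedef HMODULE pk11_lib_t;
#else
#  include <dlfcn.h>
typedef void *pk11_lib_t;
#endif

/* Minimal prefix of the PKCS#11 CK_FUNCTION_LIST: the version field comes
 * first, so reading it through this truncated struct is layout-compatible. */
typedef unsigned long CK_RV;
typedef struct { unsigned char major, minor; } CK_VERSION;
typedef struct { CK_VERSION version; /* function pointers follow */ } CK_FUNCTION_LIST;
typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST **);

/* Open a shared library. path == NULL means the running program itself
 * (dlopen(NULL) / GetModuleHandle(NULL)). On failure a platform-specific
 * message is written to err and NULL is returned. */
static pk11_lib_t pk11_open(const char *path, char *err, size_t errlen)
{
#ifdef _WIN32
    HMODULE h = path != NULL ? LoadLibraryA(path) : GetModuleHandleA(NULL);
    if (h == NULL)
        snprintf(err, errlen, "LoadLibrary failed: error %lu", GetLastError());
    return h;
#else
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) {
        const char *msg = dlerror();
        snprintf(err, errlen, "dlopen failed: %s", msg != NULL ? msg : "unknown error");
    }
    return h;
#endif
}

/* Resolve an exported symbol, or return NULL if the library lacks it. */
static void *pk11_sym(pk11_lib_t lib, const char *name)
{
#ifdef _WIN32
    return (void *)GetProcAddress(lib, name);
#else
    return dlsym(lib, name);
#endif
}

/* Release a handle obtained from pk11_open() with a non-NULL path. A handle
 * for the program itself is never released (GetModuleHandle takes no reference). */
static void pk11_close(pk11_lib_t lib)
{
#ifdef _WIN32
    FreeLibrary(lib);
#else
    dlclose(lib);
#endif
}

/* Load a PKCS#11 module the way a PKINIT plugin would and return its
 * Cryptoki version as major*100 + minor, or -1 with err filled in. */
static int pk11_module_version(const char *path, char *err, size_t errlen)
{
    CK_C_GetFunctionList getlist = NULL;
    CK_FUNCTION_LIST *fl = NULL;
    pk11_lib_t lib = pk11_open(path, err, errlen);
    int rv = -1;

    if (lib == NULL)
        return -1;
    /* Object-to-function pointer conversion, the idiom POSIX documents for dlsym(). */
    *(void **)&getlist = pk11_sym(lib, "C_GetFunctionList");
    if (getlist == NULL)
        snprintf(err, errlen, "module exports no C_GetFunctionList");
    else if (getlist(&fl) != 0 || fl == NULL)   /* 0 is CKR_OK */
        snprintf(err, errlen, "C_GetFunctionList failed");
    else
        rv = fl->version.major * 100 + fl->version.minor;
    if (path != NULL)
        pk11_close(lib);
    return rv;
}

/* Does the running program (plus the libraries it links) export this symbol? */
static int pk11_self_has_symbol(const char *name)
{
    char err[128];
    pk11_lib_t self = pk11_open(NULL, err, sizeof err);
    return self != NULL && pk11_sym(self, name) != NULL;
}

int main(int argc, char **argv)
{
    char err[256];
    int v;
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/pkcs11-module\n", argv[0]);
        return 2;
    }
    v = pk11_module_version(argv[1], err, sizeof err);
    if (v < 0) {
        fprintf(stderr, "%s: %s\n", argv[1], err);
        return 1;
    }
    printf("%s: Cryptoki %d.%d\n", argv[1], v / 100, v % 100);
    return 0;
}
```

Run it with the path of any PKCS#11 module to see the shim resolve C_GetFunctionList through whichever loader the platform provides; the only platform-specific code is confined to the three pk11_* wrappers, which is the shape a portability patch to the plugin would take.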
