Building the PKINIT plugin on Windows

Greg Hudson ghudson at
Thu Oct 8 21:06:16 EDT 2020

On 10/8/20 8:00 PM, Ken Hornstein wrote:
> So I think it
> makes sense to see if MIT is interested in patches to get PKINIT built
> on Windows, and what the best process would be for contributing such
> patches.

Yes.  A pull request on github is the best way to contribute changes.

> - "Minor" portability issues, like the use of unistd.h
> - Changes need to be made to the build system to build the pkinit plugin
> - A dependency on OpenSSL

When I last looked into this, the OpenSSL dependency seemed to be the
trickiest part.  I didn't have any luck finding examples on github that
didn't check OpenSSL binaries into the repository.  So insight from
Windows developers on this point would be the most useful from my
perspective.  That would also pave the way for k5tls (for MS-KKDCP
support) and, less importantly, SPAKE support for the NIST curves.

> - The use of dlopen()/dlsym to load a PKCS#11 library

krb5int_open_plugin() and krb5int_get_plugin_sym() from libkrb5support
should be helpful here.

> - The lack of regcomp()/regex() on Windows

It doesn't look like we have an existing facility to help here; we use
regexps in the aname-to-localname part of libkrb5, but appear to just
compile out that code on Windows.  gnulib isn't an ideal dependency for
us for licensing reasons.

While I'm not fond of adding more C++ code to the tree than necessary,
wrapping std::regexp might be an option.

More information about the krbdev mailing list