Building the PKINIT plugin on Windows

Ken Hornstein kenh at
Fri Oct 9 11:39:31 EDT 2020

>When I last looked into this, the OpenSSL dependency seemed to be the
>trickiest part.  I didn't have any luck finding examples on github that
>didn't check OpenSSL binaries into the repository.  So insight from
>Windows developers on this point would be the most useful from my
>perspective.  That would also pave the way for k5tls (for MS-KKDCP
>support) and, less importantly, SPAKE support for the NIST curves.

I guess I'm wondering exactly what kind of infrastructure you want
in the Windows build process; do you want to have it build OpenSSL
as well, or simply point to already-built OpenSSL libraries?  It looks
like all our Windows build system does is run "perl Configure VC-WIN64A"
and then just uses nmake (there may be more steps involved, I'm not
an expert on the Windows build process we use, but those look like the
key ones).

>> - The use of dlopen()/dlsym to load a PKCS#11 library
>krb5int_open_plugin() and krb5int_get_plugin_sym() from libkrb5support
>should be helpful here.

I had looked at that, but my reading is that krb5int_get_plugin_sym()
is not currently exported.  Oh, I guess you mean krb5int_get_plugin_func().

>> - The lack of regcomp()/regex() on Windows
>It doesn't look like we have an existing facility to help here; we use
>regexps in the aname-to-localname part of libkrb5, but appear to just
>compile out that code on Windows.  gnulib isn't an ideal dependency for
>us for licensing reasons.

Fair enough; I'll see if I can dig up some replacement functions maybe
from the BSDs that have a better license.


More information about the krbdev mailing list