Building the PKINIT plugin on Windows
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Oct 9 11:39:31 EDT 2020

>When I last looked into this, the OpenSSL dependency seemed to be the
>trickiest part. I didn't have any luck finding examples on github that
>didn't check OpenSSL binaries into the repository. So insight from
>Windows developers on this point would be the most useful from my
>perspective. That would also pave the way for k5tls (for MS-KKDCP
>support) and, less importantly, SPAKE support for the NIST curves.

I guess I'm wondering exactly what kind of infrastructure you want
in the Windows build process; do you want to have it build OpenSSL
as well, or simply point to already-built OpenSSL libraries? It looks
like all our Windows build system does is run "perl Configure VC-WIN64A"
and then just uses nmake (there may be more steps involved, I'm not
an expert on the Windows build process we use, but those look like the
key ones).

>> - The use of dlopen()/dlsym to load a PKCS#11 library
>
>krb5int_open_plugin() and krb5int_get_plugin_sym() from libkrb5support
>should be helpful here.

I had looked at that, but my reading is that krb5int_get_plugin_sym()
is not currently exported. Oh, I guess you mean krb5int_get_plugin_func().

>> - The lack of regcomp()/regex() on Windows
>
>It doesn't look like we have an existing facility to help here; we use
>regexps in the aname-to-localname part of libkrb5, but appear to just
>compile out that code on Windows. gnulib isn't an ideal dependency for
>us for licensing reasons.

Fair enough; I'll see if I can dig up some replacement functions maybe
from the BSDs that have a better license.

--Ken