Semantics for multiple pkinit_anchors/pkinit_pool lines

Ken Hornstein kenh at
Wed Jan 27 21:45:53 EST 2021

Again, more "cleaning up our local changes to PKINIT that have crept in
over the years".

The documentation for pkinit_anchors and pkinit_pool say that they may
be specified multiple times.  That's technically true, but the details
are a bit ... non-obvious.

The reality is that if any attempt to load a pkinit_anchors or
pkinit_pool line fails, pkinit_identity_prompt() returns an error
(usually something non-obvious).  It turns out we had modified this many
years ago because in practice, certificate bundles tend to be stored in
a whole bunch of locations so it was simplest to distribute one config
file that specified multiple locations (also, things like pathnames on
Windows were a challenge as well and we wanted one config file across
all systems).  Obviously this doesn't work with the stock MIT PKINIT

Our implementation was changed so all errors were ignored when loading
the root and intermediate certificates.  This hasn't been a problem in
practice, but I realize it might not be ideal.  So I am wondering what
kind of patch MIT _would_ accept so we could at least get something
close to our current functionality.  A couple of possibilities come to mind:

- Keep track of errors and make it so it won't error out if at least
  one pkinit_anchors line works (and possibly at least one pkinit_pool
  line; my understanding is that the pkinit_pool line is optional, but
  I can see making it so if you specify them at least one has to work).

- Provide a new config file option that means, "Ignore errors when loading
  anchors/pools".  Or the inverse; a config file entry that would make
  any error fail.

Really, these are just the first two ideas that come to mind.  I am open
to any other suggestions.


More information about the krbdev mailing list