Make krb5_pac_sign public

krb5int_pac_sign was created as a private API because it is only
needed by the KDC.  But it is actually used by DAL or authdata plugin
modules, not the core KDC code.  Since plugin modules should not need
to consume internal libkrb5 functions, rename krb5int_pac_sign to
krb5_pac_sign and make it public.

ticket: 6974

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25325 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 21 insertions, 0 deletions

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 3d9dbbfb7e..33279774bd 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7495,6 +7495,27 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac,
                 const krb5_keyblock *server, const krb5_keyblock *privsvr);
 
 /**
+ * Sign a PAC.
+ *
+ * @param [in]  context         Library context
+ * @param [in]  pac             PAC handle
+ * @param [in]  authtime        Expected timestamp
+ * @param [in]  principal       Expected principal name (or NULL)
+ * @param [in]  server          Key for server checksum
+ * @param [in]  privsvr         Key for KDC checksum
+ * @param [out] data            Signed PAC encoding
+ *
+ * This function signs @a pac using the keys @a server and @a privsvr and
+ * returns the signed encoding in @a data.  @a pac is modified to include the
+ * server and KDC checksum buffers.  Use krb5_free_data_contents() to free @a
+ * data when it is no longer needed.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+              krb5_const_principal principal, const krb5_keyblock *server_key,
+              const krb5_keyblock *privsvr_key, krb5_data *data);
+
+/**
  * Allow the appplication to override the profile's allow_weak_crypto setting.
  *
  * @param [in] context          Library context