path: root/src/plugins/preauth/pkinit/README.developers
author: Kevin Coffman <kwc@citi.umich.edu> 2007-08-01 22:09:13 +0000
committer: Kevin Coffman <kwc@citi.umich.edu> 2007-08-01 22:09:13 +0000
commit: 0ef0646069c1d1376aa632a4791ea7e429f5ae9b (patch)
tree: 5b9f842dc45a9a14d5698a6f3ff321cea612d7c5 /src/plugins/preauth/pkinit/README.developers
parent: 101446c6f40a13917fd0ba020bc276e82590058d (diff)
Add PKINIT support
Pull up PKINIT support onto the trunk. Changes from the version in branch users/coffman/pkinit are:

- Update the preauth plugin interface version to avoid conflict with any existing plugins.
- Add a pkcs11.h locally to the pkinit code rather than depending on opensc being installed.

ticket: new
Target_Version: 1.6.3
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19745 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/preauth/pkinit/README.developers')
-rw-r--r-- src/plugins/preauth/pkinit/README.developers | 18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/plugins/preauth/pkinit/README.developers b/src/plugins/preauth/pkinit/README.developers
new file mode 100644
index 0000000000..e095327b91
--- /dev/null
+++ b/src/plugins/preauth/pkinit/README.developers
@@ -0,0 +1,18 @@
+Experimental features:
+1. If you want trustedCertifiers to be sent by the client, then set
+X509_CA_BUNDLE to a ca-bundle file.
+2. If you want to make our KDC act like a draft9 KDC, then modify pkinit_src.c
+file. there is an "#if 0" for "supported_server_pa_types". if you change "if 0"
+to "if 1", then the kdc will become draft9-only KDC.
+3. If you like more debugging output, add "-DDEBUG" to CFLAGS and recompile
+the code.
+4. If you are debugging ASN1 encoding, add "-DDEBUG_ASN1" to CFLAGS and
+recompile the code. After running, you'll get DER encoded structures stored
+in /tmp. For example, /tmp/client_as_req will contains DER encoding of the
+pkinit part of the AS-REQ.
+5. Prior to having config options that manage EKU/SAN/CRL checking, you can
+modify pkinit_lib.c in function pkinit_lib_init(), set
+ plgctx->require_eku = 1 -- will require presence of EKU in certs
+ plgctx->require_san = 1 -- will require presence of SAN in KDC's cert
+ plgctx->require_crl_checking = 1 -- will require presence of CRLs to
+ verify every certificate
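Review bot: item 5 of the new README documents that EKU, SAN and CRL checking are only enforced if a developer hand-edits pkinit_lib_init() in pkinit_lib.c to set plgctx->require_eku, plgctx->require_san and plgctx->require_crl_checking to 1, which means a stock build skips all three checks and there is no runtime way to turn them on; the README should say that default plainly, and since the text itself calls this "Prior to having config options", the three flags should be exposed as krb5.conf/kdc.conf settings rather than left as source edits. Item 2 has the same shape: draft9-only KDC behaviour is selected by flipping an "#if 0" around supported_server_pa_types in pkinit_src.c, so a developer build could ship with a changed protocol profile that nothing in the configuration reveals; a named compile-time define or a config knob would be easier to audit. Item 4 writes DER dumps of the AS-REQ pkinit data to fixed, predictable paths under /tmp (e.g. /tmp/client_as_req); a one-line caution that this is for debug builds only and that the files contain protocol data would be worthwhile. Minor wording: "the kdc will become draft9-only KDC" should read "the KDC will become a draft9-only KDC", and "/tmp/client_as_req will contains" should be "will contain".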