MIT Kerberos Documentation

KRB5_RESPONDER_QUESTION_PKINIT

KRB5_RESPONDER_QUESTION_PKINIT

PKINIT responder question.

The PKINIT responder question is asked when the client needs a password that’s being used to protect key information, and is formatted as a JSON object. A specific identity’s flags value, if not zero, is the bitwise-OR of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined below, and possibly other flags to be added later. Any resemblance to similarly-named CKF_* values in the PKCS#11 API should not be depended on.

 {
    identity <string> : flags <number>,
    ...
}

The answer to the question MUST be JSON formatted:

 {
    identity <string> : password <string>,
    ...
}
KRB5_RESPONDER_QUESTION_PKINIT "pkinit"