Use config storage for client identity selection

* Keep track of the names of client identities when we load them.
* Store the client identity we just used when we create or retry a
  client request.
* If we read a client identity from the configuration, treat it like the
  KDC does: pick the "this is it, there is no other" logic branch.

src/plugins/preauth/pkinit/pkinit.h

@@ -226,6 +226,7 @@ struct _pkinit_req_context {
     pkinit_req_opts *opts;
     pkinit_identity_crypto_context idctx;
     pkinit_identity_opts *idopts;
+    int do_identity_matching;
     krb5_preauthtype pa_type;
     int rfc6112_kdc;
 };
@@ -284,6 +285,8 @@ krb5_error_code pkinit_identity_initialize
 	 pkinit_req_crypto_context req_cryptoctx,	/* IN */
 	 pkinit_identity_opts *idopts,			/* IN */
 	 pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
+	 krb5_clpreauth_callbacks cb,			/* IN/OUT */
+	 krb5_clpreauth_rock rock,			/* IN/OUT */
 	 int do_matching,				/* IN */
 	 krb5_principal princ);				/* IN (optional) */
 

src/plugins/preauth/pkinit/pkinit_clnt.c

@@ -964,8 +964,11 @@ static void
 pkinit_client_profile(krb5_context context,
                       pkinit_context plgctx,
                       pkinit_req_context reqctx,
+                      krb5_clpreauth_callbacks cb,
+                      krb5_clpreauth_rock rock,
                       const krb5_data *realm)
 {
+    const char *configured_identity;
     char *eku_string = NULL;
 
     pkiDebug("pkinit_client_profile %p %p %p %p\n",
@@ -1035,6 +1038,16 @@ pkinit_client_profile(krb5_context context,
     pkinit_libdefault_strings(context, realm,
                               KRB5_CONF_PKINIT_IDENTITIES,
                               &reqctx->idopts->identity_alt);
+    reqctx->do_identity_matching = TRUE;
+
+    /* If we had a primary identity in the stored configuration, pick it up. */
+    configured_identity = cb->get_cc_config(context, rock,
+                                            "X509_user_identity");
+    if (configured_identity != NULL) {
+        free(reqctx->idopts->identity);
+        reqctx->idopts->identity = strdup(configured_identity);
+        reqctx->do_identity_matching = FALSE;
+    }
 }
 
 static krb5_error_code
@@ -1092,12 +1105,14 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
     }
 
     if (processing_request) {
-        pkinit_client_profile(context, plgctx, reqctx,
+        pkinit_client_profile(context, plgctx, reqctx, cb, rock,
                               &request->server->realm);
         pkinit_identity_set_prompter(reqctx->idctx, prompter, prompter_data);
         retval = pkinit_identity_initialize(context, plgctx->cryptoctx,
                                             reqctx->cryptoctx, reqctx->idopts,
-                                            reqctx->idctx, 1, request->client);
+                                            reqctx->idctx, cb, rock,
+                                            reqctx->do_identity_matching,
+                                            request->client);
         if (retval) {
             TRACE_PKINIT_CLIENT_NO_IDENTITY(context);
             pkiDebug("pkinit_identity_initialize returned %d (%s)\n",

src/plugins/preauth/pkinit/pkinit_crypto.h

@@ -230,6 +230,16 @@ krb5_error_code cms_envelopeddata_verify
 	unsigned int *signed_data_len);			/* OUT
 		    receives length of signed_data */
 
+/*
+ * This function retrieves the signer's identity, in a form that could
+ * be passed back in to a future invocation of this module as a candidate
+ * client identity location.
+ */
+krb5_error_code crypto_retrieve_signer_identity
+	(krb5_context context,				/* IN */
+	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
+	const char **identity);				/* OUT */
+
 /*
  * this function returns SAN information found in the
  * received certificate.  at least one of pkinit_sans,