Split pkinit_identity_initialize into two phases

Split part of pkinit_identity_initialize() into a second piece named pkinit_identity_prompt(). Have each piece pass a new boolean flag to crypto_load_certs() to indicate if it should defer prompting for a password/PIN for client identities that require one. If the flag isn't set, then crypto_load_certs() should attempt to use a responder-supplied value, or call the prompter if there isn't one.

https://github.com/krb5/krb5/commit/60426439f672fe273ceead17910f818da1954c5b
Author: Nalin Dahyabhai
Committer: Greg Hudson
Commit: 60426439f672fe273ceead17910f818da1954c5b
Branch: master

 src/plugins/preauth/pkinit/pkinit.h                |   10 +++
 src/plugins/preauth/pkinit/pkinit_clnt.c           |   26 +++++++--
 src/plugins/preauth/pkinit/pkinit_crypto.h         |    3 +-
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c     |    3 +-
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |    3 +-
 src/plugins/preauth/pkinit/pkinit_identity.c       |   60 ++++++++++++++++++--
 src/plugins/preauth/pkinit/pkinit_srv.c            |    7 ++-
 7 files changed, 97 insertions(+), 15 deletions(-)