Subject: PAC resigning should support buffer resizing

krb5_pac_sign allows an existing signed PAC to be re-signed, but only if the mandatory cksumtype corresponding to the key enctypes has the same hash size as the cksumtypes used in the existing signatures. This restriction makes re-signing PACs fairly useless because most of the time you're trying to transfer a PAC from one ticket to another (say, from a TGT to a service ticket) and the service key for the target ticket won't necessarily be of the same type as the service key for the source, which means the checksum types may be different.

So, we should add a routine to resize a buffer within a PAC and support buffer resizing while re-signing. In the meantime, code which wants to re-sign a PAC needs to construct a new PAC, using krb5_pac_get_types and krb5_pac_get_buffer to copy information from the old one.
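Why a different checksum size forces a rebuild rather than an in-place overwrite, shown at the byte level as an added example (not MIT krb5 code and not part of the ticket): every buffer after a resized signature slot moves, so the offset table has to be recomputed. It assumes the MS-PAC wire layout (8-byte header, 16-byte buffer entries, 8-byte-aligned data, signature buffer types 6 and 7); `pac_relayout` and the other names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed from MS-PAC, not from the ticket: signature buffer types and layout. */
#define PAC_SERVER_CHECKSUM  6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_HDR  8   /* cBuffers(4) + Version(4) */
#define PAC_INFO 16  /* ulType(4) + cbBufferSize(4) + Offset(8) */

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Hypothetical helper: copy PAC `in` to `out`, resizing both signature buffers
 * to hold a `cksum_len`-byte checksum (slot left zeroed for the signer) and
 * recomputing 8-byte-aligned offsets. Returns the new length, 0 on error.
 * `in` and `out` must not overlap. */
size_t pac_relayout(const uint8_t *in, size_t inlen, uint8_t *out, size_t cap,
                    uint32_t cksum_len)
{
    if (inlen < PAC_HDR || cksum_len > 64) return 0;
    uint32_t n = rd32(in);
    if (n > (inlen - PAC_HDR) / PAC_INFO) return 0;   /* table must fit input */
    size_t off = PAC_HDR + (size_t)n * PAC_INFO;      /* first data offset */
    if (off > cap) return 0;
    memset(out, 0, cap);
    memcpy(out, in, PAC_HDR);
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = in + PAC_HDR + (size_t)i * PAC_INFO;
        uint8_t *ne = out + PAC_HDR + (size_t)i * PAC_INFO;
        uint32_t type = rd32(e), len = rd32(e + 4), src = rd32(e + 8);
        if (rd32(e + 12) != 0 || src > inlen || len > inlen - src) return 0;
        int sig = type == PAC_SERVER_CHECKSUM || type == PAC_PRIVSVR_CHECKSUM;
        uint32_t nlen = sig ? 4 + cksum_len : len;    /* 4 = SignatureType */
        if (off > cap || nlen > cap - off) return 0;
        if (!sig) memcpy(out + off, in + src, len);   /* old signatures dropped */
        wr32(ne, type); wr32(ne + 4, nlen); wr32(ne + 8, (uint32_t)off);
        off = (off + nlen + 7) & ~(size_t)7;          /* next aligned offset */
    }
    return off <= cap ? off : 0;
}
```

Going from a 16-byte to a 12-byte checksum shrinks each signature buffer from 20 to 16 bytes, which shifts the second signature's offset; the output still has to be signed by the caller.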