author: Ken Hornstein <kenh@cmf.nrl.navy.mil> 2021-01-27 21:21:19 -0500
committer: Greg Hudson <ghudson@mit.edu> 2021-02-11 12:50:44 -0500
commit: 13ae08e70a05768d4f65978ce1a8d4e16fec0d35 (patch)
tree: 35128e0f2d7f833f69575b8d70f27399581c762e /doc
parent: c374ab40dd059a5938ffc0440d87457ac5da3a46 (diff)
Load certs when checking pkinit_identities values
Move the crypto_load_certs() probe from pkinit_identity_initialize() to process_option_identity(). This will attempt to load a certificate for each pkinit_identities value, and if the certificate load fails, to move to the next line. For PKCS11, return an error if pkinit_open_session() fails, but do not fail in pkinit_open_session() just because identity prompts are deferred.

[ghudson@mit.edu: added test case; moved cert probe to process_option_identity(); rewrote commit message]

ticket: 8984 (new)
Diffstat (limited to 'doc')
-rw-r--r-- doc/admin/conf_files/krb5_conf.rst | 7
1 file changed, 3 insertions, 4 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 08e0fc8..d5d6e06 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1123,10 +1123,9 @@ PKINIT krb5.conf options
**pkinit_identities**
Specifies the location(s) to be used to find the user's X.509
identity information. If this option is specified multiple times,
- the first valid value is used; this can be used to specify an
- environment variable (with **ENV:**\ *envvar*) followed by a
- default value. Note that these values are not used if the user
- specifies **X509_user_identity** on the command line.
+ each value is attempted in order until certificates are found.
+ Note that these values are not used if the user specifies
+ **X509_user_identity** on the command line.
**pkinit_kdc_hostname**
The presence of this option indicates that the client is willing
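Review bot: the replacement text at the `+` lines drops the documented ENV:envvar-followed-by-a-default usage without saying whether that pattern still works, so administrators who configured it cannot tell from the new wording whether their krb5.conf still behaves as before; consider keeping a short sentence such as "this can be used to specify an environment variable (with **ENV:**\ *envvar*) followed by a default value" after "each value is attempted in order until certificates are found." Separately, the commit message states that for PKCS11 an error is returned when pkinit_open_session() fails rather than moving on to the next value, so "each value is attempted in order" is slightly broader than the implemented behaviour; a one-clause caveat on the `+` line (for example, that a PKCS11 identity whose session cannot be opened is an error rather than skipped) would keep the documentation in step with the code.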