Use preauth timestamp in PKINIT clpreauth module
author Greg Hudson <ghudson@mit.edu>
Mon, 9 Feb 2015 17:38:06 +0000 (12:38 -0500)
committer Greg Hudson <ghudson@mit.edu>
Thu, 19 Feb 2015 17:47:31 +0000 (12:47 -0500)
commit fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
tree ccb9cb1d77c230f39542405b85b2cda889f5e745
parent 54984d618e01027abe73e6772fe7049c79938518
Use the timestamp from the KDC's preauth-required error when
generating a PKAuthenticator in pa_pkinit_gen_req(), to allow PKINIT
authentication to succeed despite client clock skew if kdc_timesync is
set.

Because this timestamp is unauthenticated (unless FAST is used), an
attacker could induce a legitimate client to generate a
PKAuthenticator for a future timestamp.  But replaying this request in
the future would only cause the KDC to issue a ticket which the
attacker cannot decrypt.

ticket: 8124 (new)
src/plugins/preauth/pkinit/pkinit_clnt.c
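The clock-skew handling the commit message describes, modelled as an added C example (not krb5's own code): the client derives an offset from the timestamp in the KDC's preauth-required error, applies it when building the PKAuthenticator ctime, and the KDC accepts the ctime only if it lies within a skew window of its own clock. The 300 s tolerance, the function names and the timestamps are assumptions constructed for the example.

```c
#include <stdlib.h>
#include <time.h>

/* Assumed skew tolerance, in seconds (krb5's default clockskew). */
#define CLOCKSKEW 300L

/* Offset the client records from the KDC's preauth-required error:
 * KDC time minus the client's local time when the error arrived.
 * This is what kdc_timesync lets the client learn. */
long clock_offset(time_t kdc_time_in_error, time_t client_time_at_error)
{
    return (long)(kdc_time_in_error - client_time_at_error);
}

/* ctime the client places in the PKAuthenticator. With the offset
 * applied (kdc_timesync), it is the client's estimate of KDC time;
 * without it, the raw local clock is used. */
time_t pkauthenticator_ctime(time_t client_now, long offset, int use_offset)
{
    return use_offset ? client_now + offset : client_now;
}

/* KDC-side check of the PKAuthenticator timestamp: reject when it
 * differs from the KDC clock by more than the skew tolerance. */
int kdc_accepts_ctime(time_t ctime, time_t kdc_now)
{
    return labs((long)(ctime - kdc_now)) <= CLOCKSKEW;
}

/* Constructed scenario: the client clock runs 20 minutes behind the
 * KDC. The preauth-required error arrives, the client computes an
 * offset, and two seconds later it builds the PKINIT request.
 * Returns 1 if the KDC accepts the resulting ctime. */
int run_skewed_client(int use_offset)
{
    const long skew = -20 * 60;          /* client is 1200 s behind */
    time_t kdc_t0 = 1423503486;          /* constructed KDC time */
    time_t client_t0 = kdc_t0 + skew;    /* what the client clock shows */

    long offset = clock_offset(kdc_t0, client_t0);   /* +1200 */
    time_t client_t1 = client_t0 + 2;    /* client builds the request */
    time_t kdc_t1 = kdc_t0 + 2;          /* KDC receives it */

    time_t ctime = pkauthenticator_ctime(client_t1, offset, use_offset);
    return kdc_accepts_ctime(ctime, kdc_t1);
}
```

Without the offset the KDC rejects the request as skewed; with it, the ctime matches the KDC clock and the request is accepted.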