> as I mentioned in earlier posts, I'm working on an openssl engine
> which will aquire a cert/key from a myproxy server using the
> "myproxy protocol"(not the pretiest thing in the world, but I digress).
A few weeks back I suggested removing the openssl engine dependency from pkinit, and using instead a set of function pointers that perform the required operations.
One such function (if I recall correctly) was "get_certificate_chain", which returned STACK_OF(X509), which is exactly what you need to implement. It seems to me like a kludge to force all mechanisms (PCKS#11, your "myproxy protocol", etc) through the openssl engine (as you are now discovering).
The one advantage of using the openssl engine is that the engine can be configured from a string. But this seems simple enough to implement for any kerberos PKI mechanism as well.