From beb36f85c88fab20e95c4a0d8f109c3d0ab942f5 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 11 Feb 2012 23:25:12 +0000 Subject: [PATCH] Minimize draft9 PKINIT code by removing dead code The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9, which is fortunate because it doesn't work (see issue #7072). Instead, it passes both kinds of PKINIT replies through decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack. So, remove the unused broken pa_pk_as_rep_draft9 decoder. For pa_pk_as_req_draft9, we only use two of the fields on encode and only one of those on decode. So, get rid of the unused fields and the krb5_trusted_ca structure, and reduce the encoder and decoder sequences to the minimum necessary fields. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/k5-int-pkinit.h | 23 +-- src/include/k5-int.h | 6 +- src/lib/krb5/asn.1/asn1_k_decode.c | 151 ------------------ src/lib/krb5/asn.1/asn1_k_decode.h | 7 - src/lib/krb5/asn.1/asn1_k_decode_kdc.c | 27 +--- src/lib/krb5/asn.1/asn1_k_encode.c | 52 +----- src/lib/krb5/asn.1/krb5_decode.c | 13 -- src/lib/krb5/os/accessor.c | 1 - src/plugins/preauth/pkinit/pkinit.h | 1 - src/plugins/preauth/pkinit/pkinit_accessor.c | 8 +- src/plugins/preauth/pkinit/pkinit_accessor.h | 4 +- src/plugins/preauth/pkinit/pkinit_clnt.c | 8 - src/plugins/preauth/pkinit/pkinit_crypto.h | 16 -- .../preauth/pkinit/pkinit_crypto_nss.c | 12 -- .../preauth/pkinit/pkinit_crypto_openssl.c | 86 ---------- src/plugins/preauth/pkinit/pkinit_lib.c | 30 ---- src/tests/asn.1/krb5_decode_test.c | 35 ---- src/tests/asn.1/ktest.c | 52 ------ src/tests/asn.1/ktest_equal.c | 40 ----- src/tests/asn.1/ktest_equal.h | 1 - src/tests/asn.1/pkinit_encode.out | 2 +- src/tests/asn.1/pkinit_trval.out | 10 -- 22 files changed, 22 insertions(+), 563 deletions(-) 
diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h index 7fbbc53ee..7b2f595cb 100644 --- a/src/include/k5-int-pkinit.h +++ b/src/include/k5-int-pkinit.h @@ -86,27 +86,12 @@ typedef struct _krb5_external_principal_identifier { krb5_data subjectKeyIdentifier; /* Optional */ } krb5_external_principal_identifier; -/* TrustedCas */ -typedef struct _krb5_trusted_ca { - enum krb5_trusted_ca_selection { - choice_trusted_cas_UNKNOWN = -1, - choice_trusted_cas_principalName = 0, - choice_trusted_cas_caName = 1, - choice_trusted_cas_issuerAndSerial = 2 - } choice; - union krb5_trusted_ca_choices { - krb5_principal principalName; - krb5_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */ - krb5_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */ - } u; -} krb5_trusted_ca; - /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ +/* This has four fields, but we only care about the first and third for + * encoding, and the only about the first for decoding. */ typedef struct _krb5_pa_pk_as_req_draft9 { krb5_data signedAuthPack; - krb5_trusted_ca **trustedCertifiers; /* Optional array */ krb5_data kdcCert; /* Optional */ - krb5_data encryptionCert; } krb5_pa_pk_as_req_draft9; /* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */ @@ -258,10 +243,6 @@ decode_krb5_pa_pk_as_req_draft9(const krb5_data *, krb5_error_code decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **); -krb5_error_code -decode_krb5_pa_pk_as_rep_draft9(const krb5_data *, - krb5_pa_pk_as_rep_draft9 **); - krb5_error_code decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **); diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 7a196c69b..00cb5b113 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h 
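Review bot: The new comment above krb5_pa_pk_as_req_draft9 has a word-order slip, "and the only about the first for decoding". I would write it as `/* This has four fields, but we only care about the first and third for encoding, and only about the first for decoding. */`. Since the structure still carries kdcCert, it would also help to note on that member that the decoder in this commit never fills it in, so KDC-side code does not read an empty kdcCert as "the client sent none".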
@@ -1956,7 +1956,7 @@ void krb5int_free_srv_dns_data(struct srv_dns_entry *); /* To keep happy libraries which are (for now) accessing internal stuff */ /* Make sure to increment by one when changing the struct */ -#define KRB5INT_ACCESS_STRUCT_VERSION 20 +#define KRB5INT_ACCESS_STRUCT_VERSION 21 typedef struct _krb5int_access { krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context, @@ -2046,10 +2046,6 @@ typedef struct _krb5int_access { krb5_error_code (*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **); - krb5_error_code - (*decode_krb5_pa_pk_as_rep_draft9)(const krb5_data *, - krb5_pa_pk_as_rep_draft9 **); - krb5_error_code (*decode_krb5_kdc_dh_key_info)(const krb5_data *, krb5_kdc_dh_key_info **); diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c index 8df166a5a..f58bf39b1 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.c +++ b/src/lib/krb5/asn.1/asn1_k_decode.c 
@@ -1195,124 +1195,6 @@ asn1_decode_sequence_of_external_principal_identifier( free_external_principal_identifier); } -#if 0 /* XXX This needs to be tested!!! XXX */ -asn1_error_code -asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val) -{ - setup(); - val->choice = choice_trusted_cas_UNKNOWN; - { - char *start, *end; - size_t alloclen; - - begin_explicit_choice(); - if (t.tagnum == choice_trusted_cas_principalName) { - val->choice = choice_trusted_cas_principalName; - } else if (t.tagnum == choice_trusted_cas_caName) { - val->choice = choice_trusted_cas_caName; - val->u.caName.data = NULL; - start = subbuf.next; - { - sequence_of_no_tagvars(&subbuf); - unused_var(size); - end_sequence_of_no_tagvars(&subbuf); - } - end = subbuf.next; - alloclen = end - start; - val->u.caName.data = malloc(alloclen); - if (val->u.caName.data == NULL) - clean_return(ENOMEM); - memcpy(val->u.caName.data, start, alloclen); - val->u.caName.length = alloclen; - next_tag(); - } else if (t.tagnum == choice_trusted_cas_issuerAndSerial) { - val->choice = choice_trusted_cas_issuerAndSerial; - val->u.issuerAndSerial.data = NULL; - start = subbuf.next; - { - sequence_of_no_tagvars(&subbuf); - unused_var(size); - end_sequence_of_no_tagvars(&subbuf); - } - end = subbuf.next; - alloclen = end - start; - val->u.issuerAndSerial.data = malloc(alloclen); - if (val->u.issuerAndSerial.data == NULL) - clean_return(ENOMEM); - memcpy(val->u.issuerAndSerial.data, start, alloclen); - val->u.issuerAndSerial.length = alloclen; - next_tag(); - } else clean_return(ASN1_BAD_ID); - end_explicit_choice(); - } - return 0; -error_out: - if (val->choice == choice_trusted_cas_caName) - free(val->u.caName.data); - else if (val->choice == choice_trusted_cas_issuerAndSerial) - free(val->u.issuerAndSerial.data); - val->choice = choice_trusted_cas_UNKNOWN; - return retval; -} -#else -asn1_error_code -asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val) -{ - setup(); - val->choice = choice_trusted_cas_UNKNOWN; - 
{ begin_choice(); - if (tagnum == choice_trusted_cas_principalName) { - val->choice = choice_trusted_cas_principalName; - val->u.principalName = NULL; - asn1_decode_krb5_principal_name(&subbuf, &(val->u.principalName)); - } else if (tagnum == choice_trusted_cas_caName) { - val->choice = choice_trusted_cas_caName; - val->u.caName.data = NULL; - get_implicit_charstring(val->u.caName.length, val->u.caName.data, - choice_trusted_cas_caName); - } else if (tagnum == choice_trusted_cas_issuerAndSerial) { - val->choice = choice_trusted_cas_issuerAndSerial; - val->u.issuerAndSerial.data = NULL; - get_implicit_charstring(val->u.issuerAndSerial.length, - val->u.issuerAndSerial.data, - choice_trusted_cas_issuerAndSerial); - } else clean_return(ASN1_BAD_ID); - end_choice(); - } - return 0; -error_out: - if (val->choice == choice_trusted_cas_caName) - free(val->u.caName.data); - else if (val->choice == choice_trusted_cas_issuerAndSerial) - free(val->u.issuerAndSerial.data); - val->choice = choice_trusted_cas_UNKNOWN; - return retval; -} -#endif /* if 0 */ - -asn1_error_code -asn1_decode_trusted_ca_ptr(asn1buf *buf, krb5_trusted_ca **valptr) -{ - decode_ptr(krb5_trusted_ca *, asn1_decode_trusted_ca); -} - -static void -free_trusted_ca(void *dummy, krb5_trusted_ca *val) -{ - if (val->choice == choice_trusted_cas_caName) - free(val->u.caName.data); - else if (val->choice == choice_trusted_cas_issuerAndSerial) - free(val->u.issuerAndSerial.data); - free(val); -} - -asn1_error_code -asn1_decode_sequence_of_trusted_ca(asn1buf *buf, krb5_trusted_ca ***val) -{ - decode_array_body(krb5_trusted_ca, asn1_decode_trusted_ca_ptr, - free_trusted_ca); -} - static asn1_error_code asn1_decode_kdf_alg_id_ptr(asn1buf *buf, krb5_data **valptr) { 
@@ -1625,39 +1507,6 @@ error_out: return retval; } -asn1_error_code -asn1_decode_pa_pk_as_rep_draft9(asn1buf *buf, krb5_pa_pk_as_rep_draft9 *val) -{ - setup(); - val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN; - { begin_structure(); - if (tagnum == choice_pa_pk_as_rep_draft9_dhSignedData) { - val->choice = choice_pa_pk_as_rep_draft9_dhSignedData; - val->u.dhSignedData.data = NULL; - get_lenfield(val->u.dhSignedData.length, val->u.dhSignedData.data, - choice_pa_pk_as_rep_draft9_dhSignedData, - asn1_decode_charstring); - } else if (tagnum == choice_pa_pk_as_rep_draft9_encKeyPack) { - val->choice = choice_pa_pk_as_rep_draft9_encKeyPack; - val->u.encKeyPack.data = NULL; - get_lenfield(val->u.encKeyPack.length, val->u.encKeyPack.data, - choice_pa_pk_as_rep_draft9_encKeyPack, - asn1_decode_charstring); - } else { - val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN; - } - end_structure(); - } - return 0; -error_out: - if (val->choice == choice_pa_pk_as_rep_draft9_dhSignedData) - free(val->u.dhSignedData.data); - else if (val->choice == choice_pa_pk_as_rep_draft9_encKeyPack) - free(val->u.encKeyPack.data); - val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN; - return retval; -} - asn1_error_code asn1_decode_kdf_alg_id( asn1buf *buf, krb5_data *val) { diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h index 081f11f94..03a923512 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.h +++ b/src/lib/krb5/asn.1/asn1_k_decode.h 
@@ -156,9 +156,6 @@ asn1_error_code asn1_decode_external_principal_identifier( asn1_error_code asn1_decode_external_principal_identifier_ptr( asn1buf *buf, krb5_external_principal_identifier **valptr); asn1_error_code asn1_decode_pa_pk_as_req(asn1buf *buf, krb5_pa_pk_as_req *val); -asn1_error_code asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val); -asn1_error_code asn1_decode_trusted_ca_ptr(asn1buf *buf, - krb5_trusted_ca **valptr); asn1_error_code asn1_decode_pa_pk_as_req_draft9(asn1buf *buf, krb5_pa_pk_as_req_draft9 *val); asn1_error_code asn1_decode_dh_rep_info(asn1buf *buf, krb5_dh_rep_info *val); @@ -179,8 +176,6 @@ asn1_error_code asn1_decode_auth_pack_draft9(asn1buf *buf, krb5_auth_pack_draft9 *val); asn1_error_code asn1_decode_pa_pk_as_rep(asn1buf *buf, krb5_pa_pk_as_rep *val); -asn1_error_code asn1_decode_pa_pk_as_rep_draft9(asn1buf *buf, - krb5_pa_pk_as_rep_draft9 *val); asn1_error_code asn1_decode_kdc_dh_key_info(asn1buf *buf, krb5_kdc_dh_key_info *val); asn1_error_code asn1_decode_krb5_principal_name(asn1buf *buf, @@ -221,8 +216,6 @@ asn1_error_code asn1_decode_etype_info2(asn1buf *buf, krb5_boolean v1_3_behavior); asn1_error_code asn1_decode_sequence_of_external_principal_identifier( asn1buf *buf, krb5_external_principal_identifier ***val); -asn1_error_code asn1_decode_sequence_of_trusted_ca(asn1buf *buf, - krb5_trusted_ca ***val); asn1_error_code asn1_decode_sequence_of_algorithm_identifier( asn1buf *buf, krb5_algorithm_identifier ***val); diff --git a/src/lib/krb5/asn.1/asn1_k_decode_kdc.c b/src/lib/krb5/asn.1/asn1_k_decode_kdc.c index c340abcfd..1b79f2f18 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode_kdc.c +++ b/src/lib/krb5/asn.1/asn1_k_decode_kdc.c 
@@ -147,16 +147,6 @@ error_out: return retval; } -static void -free_trusted_ca(void *dummy, krb5_trusted_ca *val) -{ - if (val->choice == choice_trusted_cas_caName) - free(val->u.caName.data); - else if (val->choice == choice_trusted_cas_issuerAndSerial) - free(val->u.issuerAndSerial.data); - free(val); -} - asn1_error_code asn1_decode_pa_pk_as_req_draft9(asn1buf *buf, krb5_pa_pk_as_req_draft9 *val) { @@ -164,29 +154,16 @@ asn1_decode_pa_pk_as_req_draft9(asn1buf *buf, krb5_pa_pk_as_req_draft9 *val) setup(); val->signedAuthPack.data = NULL; val->kdcCert.data = NULL; - val->encryptionCert.data = NULL; - val->trustedCertifiers = NULL; { begin_structure(); + /* PA-PK-AS-REQ in draft9 has four fields, but we only care about the + * first one. */ get_implicit_charstring(val->signedAuthPack.length, val->signedAuthPack.data, 0); - opt_field(val->trustedCertifiers, 1, asn1_decode_sequence_of_trusted_ca, NULL); - opt_lenfield(val->kdcCert.length, val->kdcCert.data, 2, asn1_decode_charstring); - opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 2, asn1_decode_charstring); end_structure(); } return 0; error_out: free(val->signedAuthPack.data); - free(val->kdcCert.data); - free(val->encryptionCert.data); - if (val->trustedCertifiers) { - for (i = 0; val->trustedCertifiers[i]; i++) - free_trusted_ca(NULL, val->trustedCertifiers[i]); - free(val->trustedCertifiers); - } val->signedAuthPack.data = NULL; - val->kdcCert.data = NULL; - val->encryptionCert.data = NULL; - val->trustedCertifiers = NULL; return retval; } diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c index fdaf097ca..db2afb817 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.c +++ b/src/lib/krb5/asn.1/asn1_k_encode.c 
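Review bot: In asn1_decode_pa_pk_as_req_draft9 only `val->kdcCert.data` is reset now; with the `opt_lenfield` call gone, nothing in this function assigns `val->kdcCert.length`, so unless the caller zero-fills the structure (not visible here) the member can come back with a NULL pointer and an unset length. Adding `val->kdcCert.length = 0;` next to the existing `val->kdcCert.data = NULL;` keeps the result well defined for this network-supplied input. The decoder also appears to rely on `end_structure()` to pass over the fields it no longer reads, one of which (kdcCert) the encoder in this same commit still emits; a decode test vector with a field after signedAuthPack would pin that down. The function's opening lines are outside this hunk.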
@@ -1425,64 +1425,26 @@ DEFSEQTYPE(pa_pk_as_req, krb5_pa_pk_as_req, pa_pk_as_req_fields, pa_pk_as_req_optional); /* - * draft-ietf-cat-kerberos-pk-init-09 specifies these fields as explicitly - * tagged KerberosName, Name, and IssuerAndSerialNumber respectively, which - * means they should have constructed context tags. However, our historical - * behavior is to use primitive context-specific tags, and we don't want to - * change that behavior without interop testing. For the principal name, which - * we encode ourselves, use a DEFTAGGEDTYPE to wrap the principal encoding in a - * primitive [0] tag. For the other two types, we have the encoding in a - * krb5_data object; pretend that they are wrapped in IMPLICIT OCTET STRING in - * order to wrap them in primitive [1] and [2] tags. - */ -DEFTAGGEDTYPE(trusted_ca_0, CONTEXT_SPECIFIC, PRIMITIVE, 0, 0, principal); -DEFCTAGGEDTYPE_IMPLICIT(trusted_ca_1, 1, ostring_data); -DEFCTAGGEDTYPE_IMPLICIT(trusted_ca_2, 2, ostring_data); -static const struct atype_info *trusted_ca_alternatives[] = { - &k5_atype_trusted_ca_0, &k5_atype_trusted_ca_1, &k5_atype_trusted_ca_2 -}; -DEFCHOICETYPE(trusted_ca_choice, union krb5_trusted_ca_choices, - enum krb5_trusted_ca_selection, trusted_ca_alternatives); -DEFCOUNTEDTYPE_SIGNED(trusted_ca, krb5_trusted_ca, u, choice, - trusted_ca_choice); -DEFPTRTYPE(trusted_ca_ptr, trusted_ca); - -DEFNULLTERMSEQOFTYPE(seqof_trusted_ca, trusted_ca_ptr); -DEFPTRTYPE(ptr_seqof_trusted_ca, seqof_trusted_ca); - -/* - * draft-ietf-cat-kerberos-pk-init-09 specifies signedAuthPack, kdcCert, and - * EncryptionCert as explictly tagged SignedData, IssuerAndSerialNumber, and - * IssuerAndSerialNumber, which means they should have constructed context - * tags. However, our historical behavior is to use a primitive context tag, - * and we don't want to change that without interop testing. 
We have the DER - * encodings of these fields in krb5_data objects; pretend that they are - * wrapped in IMPLICIT OCTET STRING in order to generate primitive context - * tags. + * In draft-ietf-cat-kerberos-pk-init-09, this sequence has four fields, but we + * only ever use the first and third. The fields are specified as explicitly + * tagged, but our historical behavior is to pretend that they are wrapped in + * IMPLICIT OCTET STRING (i.e., generate primitive context tags), and we don't + * want to change that without interop testing. */ DEFFIELD_IMPLICIT(pa_pk_as_req9_0, krb5_pa_pk_as_req_draft9, signedAuthPack, 0, ostring_data); -DEFFIELD(pa_pk_as_req9_1, krb5_pa_pk_as_req_draft9, trustedCertifiers, 1, - ptr_seqof_trusted_ca); DEFFIELD_IMPLICIT(pa_pk_as_req9_2, krb5_pa_pk_as_req_draft9, kdcCert, 2, ostring_data); -DEFFIELD_IMPLICIT(pa_pk_as_req9_3, krb5_pa_pk_as_req_draft9, encryptionCert, 3, - ostring_data); static const struct atype_info *pa_pk_as_req_draft9_fields[] = { - &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_1, - &k5_atype_pa_pk_as_req9_2, &k5_atype_pa_pk_as_req9_3 + &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_2 }; static unsigned int pa_pk_as_req_draft9_optional(const void *p) { unsigned int not_present = 0; const krb5_pa_pk_as_req_draft9 *val = p; - if (val->trustedCertifiers == NULL) - not_present |= (1u << 1); if (val->kdcCert.length == 0) - not_present |= (1u << 2); - if (val->encryptionCert.length == 0) - not_present |= (1u << 3); + not_present |= (1u << 1); return not_present; } DEFSEQTYPE(pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9, diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c index 840035dab..388efd7b6 100644 --- a/src/lib/krb5/asn.1/krb5_decode.c +++ b/src/lib/krb5/asn.1/krb5_decode.c 
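Review bot: In pa_pk_as_req_draft9_optional the kdcCert bit moves from `(1u << 2)` to `(1u << 1)` without a comment, which reads like a mistake next to `DEFFIELD_IMPLICIT(pa_pk_as_req9_2, ..., kdcCert, 2, ...)`. The bit apparently indexes the entry in `pa_pk_as_req_draft9_fields` rather than the context tag, so I would add `/* Bits index pa_pk_as_req_draft9_fields, not context tags: kdcCert is tag 2 but entry 1. */` above the test. The DEFSEQTYPE invocation that follows continues past the end of this hunk.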
@@ -851,19 +851,6 @@ decode_krb5_pa_pk_as_rep(const krb5_data *code, krb5_pa_pk_as_rep **repptr) cleanup(free); } -krb5_error_code -decode_krb5_pa_pk_as_rep_draft9(const krb5_data *code, - krb5_pa_pk_as_rep_draft9 **repptr) -{ - setup_buf_only(krb5_pa_pk_as_rep_draft9 *); - alloc_field(rep); - - retval = asn1_decode_pa_pk_as_rep_draft9(&buf, rep); - if (retval) clean_return(retval); - - cleanup(free); -} - krb5_error_code decode_krb5_auth_pack(const krb5_data *code, krb5_auth_pack **repptr) { diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c index 8f9146312..2e31e83a9 100644 --- a/src/lib/krb5/os/accessor.c +++ b/src/lib/krb5/os/accessor.c @@ -91,7 +91,6 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version) SC (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req), SC (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9), SC (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep), - SC (decode_krb5_pa_pk_as_rep_draft9, decode_krb5_pa_pk_as_rep_draft9), SC (decode_krb5_auth_pack, decode_krb5_auth_pack), SC (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9), SC (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info), diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h index 8c75f1fd7..53e9abd7b 100644 --- a/src/plugins/preauth/pkinit/pkinit.h +++ b/src/plugins/preauth/pkinit/pkinit.h @@ -316,7 +316,6 @@ void free_krb5_auth_pack_draft9(krb5_context, krb5_auth_pack_draft9 **in); void free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in); void free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in); void free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in); -void free_krb5_trusted_ca(krb5_trusted_ca ***in); void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in); void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in); void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in); 
diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.c b/src/plugins/preauth/pkinit/pkinit_accessor.c index 2fa702fe1..15a3e49f3 100644 --- a/src/plugins/preauth/pkinit/pkinit_accessor.c +++ b/src/plugins/preauth/pkinit/pkinit_accessor.c @@ -44,7 +44,6 @@ DEF_FUNC_PTRS(krb5_auth_pack); DEF_FUNC_PTRS(krb5_auth_pack_draft9); DEF_FUNC_PTRS(krb5_kdc_dh_key_info); DEF_FUNC_PTRS(krb5_pa_pk_as_rep); -DEF_FUNC_PTRS(krb5_pa_pk_as_rep_draft9); DEF_FUNC_PTRS(krb5_pa_pk_as_req); DEF_FUNC_PTRS(krb5_pa_pk_as_req_draft9); DEF_FUNC_PTRS(krb5_reply_key_pack); @@ -54,6 +53,10 @@ DEF_FUNC_PTRS(krb5_reply_key_pack_draft9); krb5_error_code (*k5int_decode_krb5_principal_name)(const krb5_data *, krb5_principal_data **); +krb5_error_code +(*k5int_encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *, + krb5_data **code); + krb5_error_code (*k5int_encode_krb5_td_dh_parameters)(const krb5_algorithm_identifier **, krb5_data **code); @@ -101,7 +104,6 @@ pkinit_accessor_init(void) SET_PTRS(krb5_auth_pack_draft9); SET_PTRS(krb5_kdc_dh_key_info); SET_PTRS(krb5_pa_pk_as_rep); - SET_PTRS(krb5_pa_pk_as_rep_draft9); SET_PTRS(krb5_pa_pk_as_req); SET_PTRS(krb5_pa_pk_as_req_draft9); SET_PTRS(krb5_reply_key_pack); @@ -112,6 +114,8 @@ pkinit_accessor_init(void) /* special cases... */ k5int_decode_krb5_principal_name = k5int.decode_krb5_principal_name; k5int_encode_krb5_kdc_req_body = k5int.encode_krb5_kdc_req_body; + k5int_encode_krb5_pa_pk_as_rep_draft9 = \ + k5int.encode_krb5_pa_pk_as_rep_draft9; k5int_krb5_free_kdc_req = k5int.free_kdc_req; k5int_set_prompt_types = k5int.set_prompt_types; return 0; diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.h b/src/plugins/preauth/pkinit/pkinit_accessor.h index a5e45bf3e..21402ad83 100644 --- a/src/plugins/preauth/pkinit/pkinit_accessor.h +++ b/src/plugins/preauth/pkinit/pkinit_accessor.h 
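Review bot: The assignment added to pkinit_accessor_init breaks its line with a backslash, `k5int_encode_krb5_pa_pk_as_rep_draft9 = \`, which is only needed inside a macro definition; a plain line break after the `=` is enough. The hand-written pointer declared in the second hunk of this file (and its extern in pkinit_accessor.h) would benefit from a short comment such as `/* Only the encoder is kept for draft9 replies; the decoder was removed. */`, so the asymmetry with the DEF_FUNC_PTRS entries is not mistaken for an omission. pkinit_accessor_init begins and ends outside this hunk.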
@@ -48,7 +48,6 @@ DEF_EXT_FUNC_PTRS(krb5_auth_pack); DEF_EXT_FUNC_PTRS(krb5_auth_pack_draft9); DEF_EXT_FUNC_PTRS(krb5_kdc_dh_key_info); DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_rep); -DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_rep_draft9); DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_req); DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_req_draft9); DEF_EXT_FUNC_PTRS(krb5_reply_key_pack); @@ -58,6 +57,9 @@ DEF_EXT_FUNC_PTRS(krb5_reply_key_pack_draft9); extern krb5_error_code (*k5int_decode_krb5_principal_name) (const krb5_data *, krb5_principal_data **); +extern krb5_error_code (*k5int_encode_krb5_pa_pk_as_rep_draft9) + (const krb5_pa_pk_as_rep_draft9 *, krb5_data **code); + extern krb5_error_code (*k5int_encode_krb5_td_dh_parameters) (const krb5_algorithm_identifier **, krb5_data **code); extern krb5_error_code (*k5int_decode_krb5_td_dh_parameters) diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 609cc9b00..806cd75f5 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -431,14 +431,6 @@ pkinit_as_req_create(krb5_context context, retval = k5int_encode_krb5_pa_pk_as_req(req, as_req); break; case KRB5_PADATA_PK_AS_REQ_OLD: -#if 0 - /* W2K3 KDC doesn't like this */ - retval = create_krb5_trustedCas(context, plgctx->cryptoctx, - reqctx->cryptoctx, reqctx->idctx, 1, &req9->trustedCertifiers); - if (retval) - goto cleanup; - -#endif retval = create_issuerAndSerial(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, (unsigned char **)&req9->kdcCert.data, diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h index e42943d57..e81e94fd9 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h 
@@ -399,22 +399,6 @@ krb5_error_code create_krb5_trustedCertifiers pkinit_identity_crypto_context id_cryptoctx, /* IN */ krb5_external_principal_identifier ***trustedCertifiers); /* OUT */ -/* - * this functions takes in crypto specific representation of - * trustedCas (draft9) and creates a list of krb5_trusted_ca (draft9). - * draft9 trustedCAs is a CHOICE. we only support choices for - * [1] caName and [2] issuerAndSerial. there is no config - * option available to select the choice yet. default = 1. - */ -krb5_error_code create_krb5_trustedCas - (krb5_context context, /* IN */ - pkinit_plg_crypto_context plg_cryptoctx, /* IN */ - pkinit_req_crypto_context req_cryptoctx, /* IN */ - pkinit_identity_crypto_context id_cryptoctx, /* IN */ - int flag, /* IN - specifies the tag of the CHOICE */ - krb5_trusted_ca ***trustedCas); /* OUT */ - /* * this functions takes in crypto specific representation of the * KDC's certificate and creates a DER encoded kdcPKId diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 8785ffb34..a14804916 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -1765,18 +1765,6 @@ create_krb5_supportedCMSTypes(krb5_context context, return 0; } -#if 0 -krb5_error_code -create_krb5_trustedCas(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int flag, krb5_trusted_ca ***trustedCas) -{ - return ENOSYS; -} -#endif - /* Populate a list of trusted certifiers with the list of the root certificates * that we trust. */ static void diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index b8ad380c9..ad86ba4e3 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 
@@ -5590,92 +5590,6 @@ create_krb5_trustedCertifiers(krb5_context context, return retval; } -krb5_error_code -create_krb5_trustedCas(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int flag, - krb5_trusted_ca *** ids) -{ - krb5_error_code retval = ENOMEM; - STACK_OF(X509) *sk = id_cryptoctx->trustedCAs; - int i = 0, len = 0, sk_size = sk_X509_num(sk); - krb5_trusted_ca **krb5_cas = NULL; - X509 *x = NULL; - char buf[DN_BUF_LEN]; - X509_NAME *xn = NULL; - unsigned char *p = NULL; - PKCS7_ISSUER_AND_SERIAL *is = NULL; - - *ids = NULL; - if (id_cryptoctx->trustedCAs == NULL) - return KRB5KDC_ERR_PREAUTH_FAILED; - - krb5_cas = malloc((sk_size + 1) * sizeof(krb5_trusted_ca *)); - if (krb5_cas == NULL) - return ENOMEM; - krb5_cas[sk_size] = NULL; - - for (i = 0; i < sk_size; i++) { - krb5_cas[i] = malloc(sizeof(krb5_trusted_ca)); - if (krb5_cas[i] == NULL) - goto cleanup; - x = sk_X509_value(sk, i); - - X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf)); - pkiDebug("#%d cert= %s\n", i, buf); - - switch (flag) { - case choice_trusted_cas_principalName: - krb5_cas[i]->choice = choice_trusted_cas_principalName; - break; - case choice_trusted_cas_caName: - krb5_cas[i]->choice = choice_trusted_cas_caName; - krb5_cas[i]->u.caName.data = NULL; - krb5_cas[i]->u.caName.length = 0; - xn = X509_get_subject_name(x); - len = i2d_X509_NAME(xn, NULL); - if ((p = malloc((size_t) len)) == NULL) - goto cleanup; - krb5_cas[i]->u.caName.data = (char *)p; - i2d_X509_NAME(xn, &p); - krb5_cas[i]->u.caName.length = len; - break; - case choice_trusted_cas_issuerAndSerial: - krb5_cas[i]->choice = choice_trusted_cas_issuerAndSerial; - krb5_cas[i]->u.issuerAndSerial.data = NULL; - krb5_cas[i]->u.issuerAndSerial.length = 0; - is = PKCS7_ISSUER_AND_SERIAL_new(); - X509_NAME_set(&is->issuer, X509_get_issuer_name(x)); - M_ASN1_INTEGER_free(is->serial); - is->serial = 
M_ASN1_INTEGER_dup(X509_get_serialNumber(x)); - len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL); - if ((p = malloc((size_t) len)) == NULL) - goto cleanup; - krb5_cas[i]->u.issuerAndSerial.data = (char *)p; - i2d_PKCS7_ISSUER_AND_SERIAL(is, &p); - krb5_cas[i]->u.issuerAndSerial.length = len; - if (is != NULL) { - if (is->issuer != NULL) - X509_NAME_free(is->issuer); - if (is->serial != NULL) - ASN1_INTEGER_free(is->serial); - free(is); - } - break; - default: break; - } - } - retval = 0; - *ids = krb5_cas; -cleanup: - if (retval) - free_krb5_trusted_ca(&krb5_cas); - - return retval; -} - krb5_error_code create_issuerAndSerial(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c index 50ee044a7..f1d818040 100644 --- a/src/plugins/preauth/pkinit/pkinit_lib.c +++ b/src/plugins/preauth/pkinit/pkinit_lib.c @@ -126,9 +126,6 @@ free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in) if (*in == NULL) return; free((*in)->signedAuthPack.data); free((*in)->kdcCert.data); - free((*in)->encryptionCert.data); - if ((*in)->trustedCertifiers != NULL) - free_krb5_trusted_ca(&(*in)->trustedCertifiers); free(*in); } @@ -222,30 +219,6 @@ free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in free(*in); } -void -free_krb5_trusted_ca(krb5_trusted_ca ***in) -{ - int i = 0; - if (*in == NULL) return; - while ((*in)[i] != NULL) { - switch((*in)[i]->choice) { - case choice_trusted_cas_principalName: - break; - case choice_trusted_cas_caName: - free((*in)[i]->u.caName.data); - break; - case choice_trusted_cas_issuerAndSerial: - free((*in)[i]->u.issuerAndSerial.data); - break; - case choice_trusted_cas_UNKNOWN: - break; - } - free((*in)[i]); - i++; - } - free(*in); -} - void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in) { 
@@ -304,11 +277,8 @@ init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in) if ((*in) == NULL) return; (*in)->signedAuthPack.data = NULL; (*in)->signedAuthPack.length = 0; - (*in)->trustedCertifiers = NULL; (*in)->kdcCert.data = NULL; (*in)->kdcCert.length = 0; - (*in)->encryptionCert.data = NULL; - (*in)->encryptionCert.length = 0; } void diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c index 811f230c6..eb0fc8dbb 100644 --- a/src/tests/asn.1/krb5_decode_test.c +++ b/src/tests/asn.1/krb5_decode_test.c @@ -49,8 +49,6 @@ static void ktest_free_pa_pk_as_req(krb5_context context, krb5_pa_pk_as_req *val); static void ktest_free_pa_pk_as_rep(krb5_context context, krb5_pa_pk_as_rep *val); -static void ktest_free_pa_pk_as_rep_draft9(krb5_context context, - krb5_pa_pk_as_rep_draft9 *val); static void ktest_free_reply_key_pack(krb5_context context, krb5_reply_key_pack *val); static void ktest_free_reply_key_pack_draft9(krb5_context context, 
@@ -1007,30 +1005,6 @@ int main(argc, argv) ktest_empty_pa_pk_as_rep(&ref); } - /****************************************************************/ - /* decode_krb5_pa_pk_as_rep_draft9 */ - /* - * NOTE: These are NOT the encodings produced by - * encode_krb5_pa_pk_as_rep_draft9; they are hand-generated to match what - * the decoder expects. The decoder expects a sequence containing an - * explicitly tagged octet string, while the encoder produces an implicitly - * tagged octet string. See issue #7072. - */ - { - setup(krb5_pa_pk_as_rep_draft9,ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData); - decode_run("krb5_pa_pk_as_rep_draft9","(dhSignedData)","30 0C A0 0A 04 08 6B 72 62 35 64 61 74 61", - acc.decode_krb5_pa_pk_as_rep_draft9, - ktest_equal_pa_pk_as_rep_draft9,ktest_free_pa_pk_as_rep_draft9); - ktest_empty_pa_pk_as_rep_draft9(&ref); - } - { - setup(krb5_pa_pk_as_rep_draft9,ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack); - decode_run("krb5_pa_pk_as_rep_draft9","(encKeyPack)","30 0C A1 0A 04 08 6B 72 62 35 64 61 74 61", - acc.decode_krb5_pa_pk_as_rep_draft9, - ktest_equal_pa_pk_as_rep_draft9,ktest_free_pa_pk_as_rep_draft9); - ktest_empty_pa_pk_as_rep_draft9(&ref); - } - /****************************************************************/ /* decode_krb5_auth_pack */ { @@ -1169,15 +1143,6 @@ ktest_free_pa_pk_as_rep(krb5_context context, krb5_pa_pk_as_rep *val) free(val); } -static void -ktest_free_pa_pk_as_rep_draft9(krb5_context context, - krb5_pa_pk_as_rep_draft9 *val) -{ - if (val) - ktest_empty_pa_pk_as_rep_draft9(val); - free(val); -} - static void ktest_free_reply_key_pack(krb5_context context, krb5_reply_key_pack *val) { diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c index 330756453..6963c018c 100644 --- a/src/tests/asn.1/ktest.c +++ b/src/tests/asn.1/ktest.c 
@@ -674,27 +674,6 @@ ktest_make_sample_external_principal_identifier( ktest_make_sample_data(&p->subjectKeyIdentifier); } -static void -ktest_make_sample_trusted_ca_principalName(krb5_trusted_ca *p) -{ - p->choice = choice_trusted_cas_principalName; - ktest_make_sample_principal(&p->u.principalName); -} - -static void -ktest_make_sample_trusted_ca_caName(krb5_trusted_ca *p) -{ - p->choice = choice_trusted_cas_caName; - ktest_make_sample_data(&p->u.caName); -} - -static void -ktest_make_sample_trusted_ca_issuerAndSerial(krb5_trusted_ca *p) -{ - p->choice = choice_trusted_cas_issuerAndSerial; - ktest_make_sample_data(&p->u.issuerAndSerial); -} - void ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p) { @@ -714,15 +693,7 @@ ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p) int i; ktest_make_sample_data(&p->signedAuthPack); - p->trustedCertifiers = ealloc(4 * sizeof(krb5_trusted_ca *)); - for (i = 0; i < 3; i++) - p->trustedCertifiers[i] = ealloc(sizeof(krb5_trusted_ca)); - ktest_make_sample_trusted_ca_principalName(p->trustedCertifiers[0]); - ktest_make_sample_trusted_ca_caName(p->trustedCertifiers[1]); - ktest_make_sample_trusted_ca_issuerAndSerial(p->trustedCertifiers[2]); - p->trustedCertifiers[3] = NULL; ktest_make_sample_data(&p->kdcCert); - ktest_make_sample_data(&p->encryptionCert); } static void @@ -1466,18 +1437,6 @@ ktest_empty_external_principal_identifier( ktest_empty_data(&p->subjectKeyIdentifier); } -static void -ktest_empty_trusted_ca(krb5_trusted_ca *p) -{ - if (p->choice == choice_trusted_cas_principalName) - ktest_destroy_principal(&p->u.principalName); - else if (p->choice == choice_trusted_cas_caName) - ktest_empty_data(&p->u.caName); - else if (p->choice == choice_trusted_cas_issuerAndSerial) - ktest_empty_data(&p->u.issuerAndSerial); - p->choice = choice_trusted_cas_UNKNOWN; -} - void ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p) { 
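Review bot: `int i;` at the top of ktest_make_sample_pa_pk_as_req_draft9 is left without a use, because the loop that filled trustedCertifiers was its only user; drop the declaration so the test build stays free of unused-variable warnings. The same probably applies to asn1_decode_pa_pk_as_req_draft9 in asn1_k_decode_kdc.c, whose removed cleanup loop used an `i` declared outside the visible hunk.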
@@ -1496,19 +1455,8 @@ ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p) void ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p) { - krb5_trusted_ca **ca; - ktest_empty_data(&p->signedAuthPack); - if (p->trustedCertifiers != NULL) { - for (ca = p->trustedCertifiers; *ca != NULL; ca++) { - ktest_empty_trusted_ca(*ca); - free(*ca); - } - free(p->trustedCertifiers); - p->trustedCertifiers = NULL; - } ktest_empty_data(&p->kdcCert); - ktest_empty_data(&p->encryptionCert); } static void diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c index ea218c930..0418e5daf 100644 --- a/src/tests/asn.1/ktest_equal.c +++ b/src/tests/asn.1/ktest_equal.c @@ -854,29 +854,6 @@ ktest_equal_sequence_of_external_principal_identifier( array_compare(ktest_equal_external_principal_identifier); } -static int -ktest_equal_trusted_ca(krb5_trusted_ca *ref, krb5_trusted_ca *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - if (ref->choice != var->choice) return FALSE; - if (ref->choice == choice_trusted_cas_principalName) - p = p && ptr_equal(u.principalName, ktest_equal_principal_data); - else if (ref->choice == choice_trusted_cas_caName) - p = p && equal_str(u.caName); - else if (ref->choice == choice_trusted_cas_issuerAndSerial) - p = p && equal_str(u.issuerAndSerial); - return p; -} - -static int -ktest_equal_sequence_of_trusted_ca(krb5_trusted_ca **ref, - krb5_trusted_ca **var) -{ - array_compare(ktest_equal_trusted_ca); -} - int ktest_equal_pa_pk_as_req(krb5_pa_pk_as_req *ref, krb5_pa_pk_as_req *var) { @@ -898,9 +875,7 @@ ktest_equal_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *ref, if (ref == var) return TRUE; else if (ref == NULL || var == NULL) return FALSE; p = p && equal_str(signedAuthPack); - p = p && ptr_equal(trustedCertifiers, ktest_equal_sequence_of_trusted_ca); p = p && equal_str(kdcCert); - p = p && equal_str(encryptionCert); return p; } 
@@ -930,21 +905,6 @@ ktest_equal_pa_pk_as_rep(krb5_pa_pk_as_rep *ref, krb5_pa_pk_as_rep *var) return p; } -int -ktest_equal_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *ref, - krb5_pa_pk_as_rep_draft9 *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - if (ref->choice != var->choice) return FALSE; - if (ref->choice == choice_pa_pk_as_rep_draft9_dhSignedData) - p = p && equal_str(u.dhSignedData); - else if (ref->choice == choice_pa_pk_as_rep_draft9_encKeyPack) - p = p && equal_str(u.encKeyPack); - return p; -} - static int ktest_equal_sequence_of_data(krb5_data **ref, krb5_data **var) { diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h index 9e88a8ccd..ab31e2970 100644 --- a/src/tests/asn.1/ktest_equal.h +++ b/src/tests/asn.1/ktest_equal.h @@ -128,7 +128,6 @@ int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref, generic(ktest_equal_pa_pk_as_req, krb5_pa_pk_as_req); generic(ktest_equal_pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9); generic(ktest_equal_pa_pk_as_rep, krb5_pa_pk_as_rep); -generic(ktest_equal_pa_pk_as_rep_draft9, krb5_pa_pk_as_rep_draft9); generic(ktest_equal_auth_pack, krb5_auth_pack); generic(ktest_equal_auth_pack_draft9, krb5_auth_pack_draft9); generic(ktest_equal_kdc_dh_key_info, krb5_kdc_dh_key_info); diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out index 77b37cd64..463128de0 100644 --- a/src/tests/asn.1/pkinit_encode.out +++ b/src/tests/asn.1/pkinit_encode.out 
@@ -1,5 +1,5 @@ encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 -encode_krb5_pa_pk_as_req_draft9: 30 52 80 08 6B 72 62 35 64 61 74 61 A1 32 30 30 80 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 83 08 6B 72 62 35 64 61 74 61 +encode_krb5_pa_pk_as_req_draft9: 30 14 80 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61 encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61 encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61 diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out index 7ee5b1de5..0393b7f8b 100644 --- a/src/tests/asn.1/pkinit_trval.out +++ b/src/tests/asn.1/pkinit_trval.out @@ -19,18 +19,8 @@ encode_krb5_pa_pk_as_req_draft9: [Sequence/Sequence Of] . [0] <8> 6b 72 62 35 64 61 74 61 krb5data -. [1] [Sequence/Sequence Of] -. . [0] <26> - 30 18 a0 03 02 01 01 a1 11 30 0f 1b 06 68 66 0........0...hf - 74 73 61 69 1b 05 65 78 74 72 61 tsai..extra -. . [1] <8> - 6b 72 62 35 64 61 74 61 krb5data -. . [2] <8> - 6b 72 62 35 64 61 74 61 krb5data . [2] <8> 6b 72 62 35 64 61 74 61 krb5data -. [3] <8> - 6b 72 62 35 64 61 74 61 krb5data encode_krb5_pa_pk_as_rep(dhInfo): -- 2.26.2