Add asn1c test vectors for alg-agility types

For the test-vectors target in tests/asn.1, add ASN.1 modules from RFC 4556 and draft-ietf-krb-wg-pkinit-alg-agility-06.txt, and output test encodings for PrincipalName, KRB5PrincipalName, OtherInfo, and PkinitSuppPubInfo. In the alg-agility module, AuthPack and DHRepInfo are renamed, as asn1c otherwise rejects them as conflicting with the RFC 4556 definitions.
krb5 · Sep 6, 2012 · d8846c9 · d8846c9
1 parent c91cda2
commit d8846c9
Show file tree

Hide file tree

Showing 4 changed files with 404 additions and 2 deletions.
diff --git a/src/tests/asn.1/Makefile.in b/src/tests/asn.1/Makefile.in
@@ -11,7 +11,8 @@ SRCS= $(srcdir)/krb5_encode_test.c $(srcdir)/krb5_decode_test.c \
 	$(srcdir)/ktest_equal.c $(srcdir)/utility.c \
 	$(srcdir)/trval.c $(srcdir)/t_trval.c
 
-ASN1SRCS= $(srcdir)/krb5.asn1 $(srcdir)/pkix.asn1 $(srcdir)/otp.asn1
+ASN1SRCS= $(srcdir)/krb5.asn1 $(srcdir)/pkix.asn1 $(srcdir)/otp.asn1 \
+	$(srcdir)/pkinit.asn1 $(srcdir)/pkinit-agility.asn1
 
 all:: krb5_encode_test krb5_decode_test krb5_decode_leak t_trval
 

diff --git a/src/tests/asn.1/make-vectors.c b/src/tests/asn.1/make-vectors.c
@@ -31,6 +31,10 @@
  * are only generated for OTP preauth objects.
  */
 
+#include <PrincipalName.h>
+#include <KRB5PrincipalName.h>
+#include <OtherInfo.h>
+#include <PkinitSuppPubInfo.h>
 #include <OTP-TOKENINFO.h>
 #include <PA-OTP-CHALLENGE.h>
 #include <PA-OTP-REQUEST.h>
@@ -39,6 +43,26 @@
 static unsigned char buf[8192];
 static size_t buf_pos;
 
+/* PrincipalName and KRB5PrincipalName */
+static KerberosString_t comp_1 = { "hftsai", 6 };
+static KerberosString_t comp_2 = { "extra", 5 };
+static KerberosString_t *comps[] = { &comp_1, &comp_2 };
+static PrincipalName_t princ = { 1, { comps, 2, 2 } };
+static KRB5PrincipalName_t krb5princ = { { "ATHENA.MIT.EDU", 14 },
+                                         { 1, { comps, 2, 2 } } };
+
+/* OtherInfo */
+static unsigned int krb5_arcs[] = { 1, 2, 840, 113554, 1, 2, 2 };
+static OCTET_STRING_t krb5data_ostring = { "krb5data", 8 };
+static OtherInfo_t other_info = {
+    { 0 }, { 0 }, { 0 },        /* Initialized in main() */
+    &krb5data_ostring, NULL
+};
+
+/* PkinitSuppPubInfo */
+static PkinitSuppPubInfo_t supp_pub_info = { 1, { "krb5data", 8 },
+                                             { "krb5data", 8 } };
+
 /* Minimal OTP-TOKENINFO */
 static OTP_TOKENINFO_t token_info_1 = { { "\0\0\0\0", 4, 0 } };
 
@@ -136,8 +160,33 @@ main()
     OBJECT_IDENTIFIER_set_arcs(&alg_sha1.algorithm, sha1_arcs,
                                sizeof(*sha1_arcs),
                                sizeof(sha1_arcs) / sizeof(*sha1_arcs));
+    OBJECT_IDENTIFIER_set_arcs(&other_info.algorithmID.algorithm, krb5_arcs,
+                               sizeof(*krb5_arcs),
+                               sizeof(krb5_arcs) / sizeof(*krb5_arcs));
+
+    printf("PrincipalName:\n");
+    der_encode(&asn_DEF_PrincipalName, &princ, consume, NULL);
+    printbuf();
+
+    /* Print this encoding and also use it to initialize two fields of
+     * other_info. */
+    printf("\nKRB5PrincipalName:\n");
+    der_encode(&asn_DEF_KRB5PrincipalName, &krb5princ, consume, NULL);
+    OCTET_STRING_fromBuf(&other_info.partyUInfo, buf, buf_pos);
+    OCTET_STRING_fromBuf(&other_info.partyVInfo, buf, buf_pos);
+    printbuf();
+
+    printf("\nOtherInfo:\n");
+    der_encode(&asn_DEF_OtherInfo, &other_info, consume, NULL);
+    printbuf();
+    free(other_info.partyUInfo.buf);
+    free(other_info.partyVInfo.buf);
+
+    printf("\nPkinitSuppPubInfo:\n");
+    der_encode(&asn_DEF_PkinitSuppPubInfo, &supp_pub_info, consume, NULL);
+    printbuf();
 
-    printf("Minimal OTP-TOKEN-INFO:\n");
+    printf("\nMinimal OTP-TOKEN-INFO:\n");
     der_encode(&asn_DEF_OTP_TOKENINFO, &token_info_1, consume, NULL);
     printbuf();
 

diff --git a/src/tests/asn.1/pkinit-agility.asn1 b/src/tests/asn.1/pkinit-agility.asn1
@@ -0,0 +1,99 @@
+KerberosV5-PK-INIT-Agility-SPEC {
+       iso(1) identified-organization(3) dod(6) internet(1)
+       security(5) kerberosV5(2) modules(4) pkinit(5) agility (1)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+IMPORTS
+   AlgorithmIdentifier, SubjectPublicKeyInfo
+       FROM PKIX1Explicit88 { iso (1)
+         identified-organization (3) dod (6) internet (1)
+         security (5) mechanisms (5) pkix (7) id-mod (0)
+         id-pkix1-explicit (18) }
+         -- As defined in RFC 3280.
+
+   Ticket, Int32, Realm, EncryptionKey, Checksum
+       FROM KerberosV5Spec2 { iso(1) identified-organization(3)
+         dod(6) internet(1) security(5) kerberosV5(2)
+         modules(4) krb5spec2(2) }
+         -- as defined in RFC 4120.
+
+   PKAuthenticator, DHNonce
+       FROM KerberosV5-PK-INIT-SPEC {
+         iso(1) identified-organization(3) dod(6) internet(1)
+         security(5) kerberosV5(2) modules(4) pkinit(5) };
+         -- as defined in RFC 4556.
+
+TD-CMS-DIGEST-ALGORITHMS-DATA ::= SEQUENCE OF
+    AlgorithmIdentifier
+        -- Contains the list of CMS algorithm [RFC3852]
+        -- identifiers that identify the digest algorithms
+        -- acceptable by the KDC for signing CMS data in
+        -- the order of decreasing preference.
+
+TD-CERT-DIGEST-ALGORITHMS-DATA ::= SEQUENCE {
+       allowedAlgorithms [0] SEQUENCE OF AlgorithmIdentifier,
+           -- Contains the list of CMS algorithm [RFC3852]
+           -- identifiers that identify the digest algorithms
+           -- that are used by the CA to sign the client's
+           -- X.509 certificate and acceptable by the KDC in
+           -- the process of validating the client's X.509
+           -- certificate, in the order of decreasing
+           -- preference.
+       rejectedAlgorithm [1] AlgorithmIdentifier OPTIONAL,
+           -- This identifies the digest algorithm that was
+           -- used to sign the client's X.509 certificate and
+           -- has been rejected by the KDC in the process of
+           -- validating the client's X.509 certificate
+           -- [RFC3280].
+       ...
+}
+
+OtherInfo ::= SEQUENCE {
+        algorithmID   AlgorithmIdentifier,
+        partyUInfo     [0] OCTET STRING,
+        partyVInfo     [1] OCTET STRING,
+        suppPubInfo    [2] OCTET STRING OPTIONAL,
+        suppPrivInfo   [3] OCTET STRING OPTIONAL
+}
+
+PkinitSuppPubInfo ::= SEQUENCE {
+       enctype           [0] Int32,
+           -- The enctype of the AS reply key.
+       as-REQ            [1] OCTET STRING,
+           -- This contains the AS-REQ in the request.
+       pk-as-rep         [2] OCTET STRING,
+           -- Contains the DER encoding of the type
+           -- PA-PK-AS-REP [RFC4556] in the KDC reply.
+       ...
+}
+
+-- Renamed from AuthPack to allow asn1c to process this and pkinit.asn1
+AuthPack2 ::= SEQUENCE {
+       pkAuthenticator   [0] PKAuthenticator,
+       clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
+       supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
+                OPTIONAL,
+       clientDHNonce     [3] DHNonce OPTIONAL,
+       ...,
+       supportedKDFs     [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
+           -- Contains an unordered set of KDFs supported by the
+           -- client.
+       ...
+}
+
+KDFAlgorithmId ::= SEQUENCE {
+       kdf-id            [0] OBJECT IDENTIFIER,
+           -- The object identifier of the KDF
+       ...
+}
+
+-- Renamed from DHRepInfo to allow asn1c to process this and pkinit.asn1
+DHRepInfo2 ::= SEQUENCE {
+       dhSignedData      [0] IMPLICIT OCTET STRING,
+       serverDHNonce     [1] DHNonce OPTIONAL,
+       ...,
+       kdf               [2] KDFAlgorithmId OPTIONAL,
+           -- The KDF picked by the KDC.
+       ...
+}
+END