-
Notifications
You must be signed in to change notification settings - Fork 366
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add asn1c test vectors for alg-agility types
For the test-vectors target in tests/asn.1, add ASN.1 modules from RFC 4556 and draft-ietf-krb-wg-pkinit-alg-agility-06.txt, and output test encodings for PrincipalName, KRB5PrincipalName, OtherInfo, and PkinitSuppPubInfo. In the alg-agility module, AuthPack and DHRepInfo are renamed, as asn1c otherwise rejects them as conflicting with the RFC 4556 definitions.
- Loading branch information
1 parent
c91cda2
commit d8846c9
Showing
4 changed files
with
404 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
KerberosV5-PK-INIT-Agility-SPEC { | ||
iso(1) identified-organization(3) dod(6) internet(1) | ||
security(5) kerberosV5(2) modules(4) pkinit(5) agility (1) | ||
} DEFINITIONS EXPLICIT TAGS ::= BEGIN | ||
|
||
IMPORTS | ||
AlgorithmIdentifier, SubjectPublicKeyInfo | ||
FROM PKIX1Explicit88 { iso (1) | ||
identified-organization (3) dod (6) internet (1) | ||
security (5) mechanisms (5) pkix (7) id-mod (0) | ||
id-pkix1-explicit (18) } | ||
-- As defined in RFC 3280. | ||
|
||
Ticket, Int32, Realm, EncryptionKey, Checksum | ||
FROM KerberosV5Spec2 { iso(1) identified-organization(3) | ||
dod(6) internet(1) security(5) kerberosV5(2) | ||
modules(4) krb5spec2(2) } | ||
-- as defined in RFC 4120. | ||
|
||
PKAuthenticator, DHNonce | ||
FROM KerberosV5-PK-INIT-SPEC { | ||
iso(1) identified-organization(3) dod(6) internet(1) | ||
security(5) kerberosV5(2) modules(4) pkinit(5) }; | ||
-- as defined in RFC 4556. | ||
|
||
TD-CMS-DIGEST-ALGORITHMS-DATA ::= SEQUENCE OF | ||
AlgorithmIdentifier | ||
-- Contains the list of CMS algorithm [RFC3852] | ||
-- identifiers that identify the digest algorithms | ||
-- acceptable by the KDC for signing CMS data in | ||
-- the order of decreasing preference. | ||
|
||
TD-CERT-DIGEST-ALGORITHMS-DATA ::= SEQUENCE { | ||
allowedAlgorithms [0] SEQUENCE OF AlgorithmIdentifier, | ||
-- Contains the list of CMS algorithm [RFC3852] | ||
-- identifiers that identify the digest algorithms | ||
-- that are used by the CA to sign the client's | ||
-- X.509 certificate and acceptable by the KDC in | ||
-- the process of validating the client's X.509 | ||
-- certificate, in the order of decreasing | ||
-- preference. | ||
rejectedAlgorithm [1] AlgorithmIdentifier OPTIONAL, | ||
-- This identifies the digest algorithm that was | ||
-- used to sign the client's X.509 certificate and | ||
-- has been rejected by the KDC in the process of | ||
-- validating the client's X.509 certificate | ||
-- [RFC3280]. | ||
... | ||
} | ||
|
||
OtherInfo ::= SEQUENCE { | ||
algorithmID AlgorithmIdentifier, | ||
partyUInfo [0] OCTET STRING, | ||
partyVInfo [1] OCTET STRING, | ||
suppPubInfo [2] OCTET STRING OPTIONAL, | ||
suppPrivInfo [3] OCTET STRING OPTIONAL | ||
} | ||
|
||
PkinitSuppPubInfo ::= SEQUENCE { | ||
enctype [0] Int32, | ||
-- The enctype of the AS reply key. | ||
as-REQ [1] OCTET STRING, | ||
-- This contains the AS-REQ in the request. | ||
pk-as-rep [2] OCTET STRING, | ||
-- Contains the DER encoding of the type | ||
-- PA-PK-AS-REP [RFC4556] in the KDC reply. | ||
... | ||
} | ||
|
||
-- Renamed from AuthPack to allow asn1c to process this and pkinit.asn1 | ||
AuthPack2 ::= SEQUENCE { | ||
pkAuthenticator [0] PKAuthenticator, | ||
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | ||
supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier | ||
OPTIONAL, | ||
clientDHNonce [3] DHNonce OPTIONAL, | ||
..., | ||
supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL, | ||
-- Contains an unordered set of KDFs supported by the | ||
-- client. | ||
... | ||
} | ||
|
||
KDFAlgorithmId ::= SEQUENCE { | ||
kdf-id [0] OBJECT IDENTIFIER, | ||
-- The object identifier of the KDF | ||
... | ||
} | ||
|
||
-- Renamed from DHRepInfo to allow asn1c to process this and pkinit.asn1 | ||
DHRepInfo2 ::= SEQUENCE { | ||
dhSignedData [0] IMPLICIT OCTET STRING, | ||
serverDHNonce [1] DHNonce OPTIONAL, | ||
..., | ||
kdf [2] KDFAlgorithmId OPTIONAL, | ||
-- The KDF picked by the KDC. | ||
... | ||
} | ||
END |
Oops, something went wrong.