krb5 commit: Use OpenSSL SubjectPublicKeyInfo parsing in PKINIT
Greg Hudson
ghudson at mit.edu
Thu Nov 4 14:27:41 EDT 2021
https://github.com/krb5/krb5/commit/4936bdc7b9ead67e28eae4cf268fd55d3e424ae4
commit 4936bdc7b9ead67e28eae4cf268fd55d3e424ae4
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Oct 25 01:51:59 2021 -0400
Use OpenSSL SubjectPublicKeyInfo parsing in PKINIT
Shift responsibility for encoding and decoding SubjectPublicKeyInfo
from libkrb5 to the PKINIT ASN.1 module. OpenSSL 1.0 does not support
DHX (RFC 3279 section 3), so for that version use custom ASN.1
marshalling of the parameters and compose that into
SubjectPublicKeyInfo marshalling using X509_PUBKEY.
src/include/k5-int-pkinit.h | 8 +-
src/lib/krb5/asn.1/asn1_k_encode.c | 13 +-
src/plugins/preauth/pkinit/pkinit.h | 2 -
src/plugins/preauth/pkinit/pkinit_clnt.c | 18 +-
src/plugins/preauth/pkinit/pkinit_crypto.h | 18 +-
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 529 ++++++++++----------
src/plugins/preauth/pkinit/pkinit_crypto_openssl.h | 5 -
src/plugins/preauth/pkinit/pkinit_lib.c | 27 +-
src/plugins/preauth/pkinit/pkinit_srv.c | 16 +-
src/tests/asn.1/krb5_decode_test.c | 2 +-
src/tests/asn.1/ktest.c | 24 +-
src/tests/asn.1/ktest_equal.c | 14 +-
src/tests/asn.1/pkinit_encode.out | 2 +-
src/tests/asn.1/pkinit_trval.out | 8 +-
14 files changed, 288 insertions(+), 398 deletions(-)
diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h
index c23cfd3..915904e 100644
--- a/src/include/k5-int-pkinit.h
+++ b/src/include/k5-int-pkinit.h
@@ -51,16 +51,10 @@ typedef struct _krb5_algorithm_identifier {
krb5_data parameters; /* Optional */
} krb5_algorithm_identifier;
-/* SubjectPublicKeyInfo */
-typedef struct _krb5_subject_pk_info {
- krb5_algorithm_identifier algorithm;
- krb5_data subjectPublicKey; /* BIT STRING */
-} krb5_subject_pk_info;
-
/** AuthPack from RFC 4556*/
typedef struct _krb5_auth_pack {
krb5_pk_authenticator pkAuthenticator;
- krb5_subject_pk_info *clientPublicValue; /* Optional */
+ krb5_data clientPublicValue; /* Optional */
krb5_algorithm_identifier **supportedCMSTypes; /* Optional */
krb5_data clientDHNonce; /* Optional */
krb5_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 3ce4bd5..d91964e 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1446,19 +1446,8 @@ DEFCOUNTEDSTRINGTYPE(s_bitstring, char *, unsigned int,
ASN1_BITSTRING);
DEFCOUNTEDTYPE(bitstring_data, krb5_data, data, length, s_bitstring);
-/* RFC 3280. No context tags. */
-DEFOFFSETTYPE(spki_0, krb5_subject_pk_info, algorithm, algorithm_identifier);
-DEFOFFSETTYPE(spki_1, krb5_subject_pk_info, subjectPublicKey, bitstring_data);
-static const struct atype_info *subject_pk_info_fields[] = {
- &k5_atype_spki_0, &k5_atype_spki_1
-};
-DEFSEQTYPE(subject_pk_info, krb5_subject_pk_info, subject_pk_info_fields);
-DEFPTRTYPE(subject_pk_info_ptr, subject_pk_info);
-DEFOPTIONALZEROTYPE(opt_subject_pk_info_ptr, subject_pk_info_ptr);
-
DEFFIELD(auth_pack_0, krb5_auth_pack, pkAuthenticator, 0, pk_authenticator);
-DEFFIELD(auth_pack_1, krb5_auth_pack, clientPublicValue, 1,
- opt_subject_pk_info_ptr);
+DEFFIELD(auth_pack_1, krb5_auth_pack, clientPublicValue, 1, opt_der_data);
DEFFIELD(auth_pack_2, krb5_auth_pack, supportedCMSTypes, 2,
opt_ptr_seqof_algorithm_identifier);
DEFFIELD(auth_pack_3, krb5_auth_pack, clientDHNonce, 3, opt_ostring_data);
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index b437fd5..8135535 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -330,7 +330,6 @@ void init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
void init_krb5_reply_key_pack(krb5_reply_key_pack **in);
void init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
-void init_krb5_subject_pk_info(krb5_subject_pk_info **in);
void free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
void free_krb5_reply_key_pack(krb5_reply_key_pack **in);
@@ -340,7 +339,6 @@ void free_krb5_external_principal_identifier(krb5_external_principal_identifier
void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in);
void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
-void free_krb5_subject_pk_info(krb5_subject_pk_info **in);
krb5_error_code pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src);
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index e2f8154..83fef63 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -187,19 +187,15 @@ pkinit_as_req_create(krb5_context context,
krb5_data ** as_req)
{
krb5_error_code retval = ENOMEM;
- krb5_subject_pk_info info;
- krb5_data *coded_auth_pack = NULL;
+ krb5_data spki = empty_data(), *coded_auth_pack = NULL;
krb5_auth_pack auth_pack;
krb5_pa_pk_as_req *req = NULL;
krb5_algorithm_identifier **cmstypes = NULL;
int protocol = reqctx->opts->dh_or_rsa;
- unsigned char *dh_params = NULL, *dh_pubkey = NULL;
- unsigned int dh_params_len, dh_pubkey_len;
pkiDebug("pkinit_as_req_create pa_type = %d\n", reqctx->pa_type);
/* Create the authpack */
- memset(&info, 0, sizeof(info));
memset(&auth_pack, 0, sizeof(auth_pack));
auth_pack.pkAuthenticator.ctime = ctsec;
auth_pack.pkAuthenticator.cusec = cusec;
@@ -208,7 +204,6 @@ pkinit_as_req_create(krb5_context context,
if (!reqctx->opts->disable_freshness)
auth_pack.pkAuthenticator.freshnessToken = reqctx->freshness_token;
auth_pack.clientDHNonce.length = 0;
- auth_pack.clientPublicValue = &info;
auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids;
/* add List of CMS algorithms */
@@ -223,24 +218,20 @@ pkinit_as_req_create(krb5_context context,
case DH_PROTOCOL:
TRACE_PKINIT_CLIENT_REQ_DH(context);
pkiDebug("as_req: DH key transport algorithm\n");
- info.algorithm.algorithm = dh_oid;
/* create client-side DH keys */
retval = client_create_dh(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx,
- reqctx->opts->dh_size, &dh_params,
- &dh_params_len, &dh_pubkey, &dh_pubkey_len);
+ reqctx->opts->dh_size, &spki);
+ auth_pack.clientPublicValue = spki;
if (retval != 0) {
pkiDebug("failed to create dh parameters\n");
goto cleanup;
}
- info.algorithm.parameters = make_data(dh_params, dh_params_len);
- info.subjectPublicKey = make_data(dh_pubkey, dh_pubkey_len);
break;
case RSA_PROTOCOL:
TRACE_PKINIT_CLIENT_REQ_RSA(context);
pkiDebug("as_req: RSA key transport algorithm\n");
- auth_pack.clientPublicValue = NULL;
break;
default:
pkiDebug("as_req: unknown key transport protocol %d\n",
@@ -324,9 +315,8 @@ pkinit_as_req_create(krb5_context context,
cleanup:
free_krb5_algorithm_identifiers(&cmstypes);
- free(dh_params);
- free(dh_pubkey);
free_krb5_pa_pk_as_req(&req);
+ krb5_free_data_contents(context, &spki);
pkiDebug("pkinit_as_req_create retval=%d\n", (int) retval);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index 5779583..ec097bf 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -315,14 +315,8 @@ krb5_error_code client_create_dh
pkinit_identity_crypto_context id_cryptoctx, /* IN */
int dh_size, /* IN
specifies the DH modulous, eg 1024, 2048, or 4096 */
- unsigned char **dh_params_out, /* OUT
- contains DER encoded DH params */
- unsigned int *dh_params_len_out, /* OUT
- contains length of encoded DH params */
- unsigned char **dh_pubkey_out, /* OUT
- receives DER encoded DH pub key */
- unsigned int *dh_pubkey_len_out); /* OUT
- receives length of DH pub key */
+ krb5_data *spki_out); /* OUT
+ receives SubjectPublicKeyInfo encoding */
/*
* this function completes client's the DH protocol. client
@@ -353,8 +347,8 @@ krb5_error_code server_check_dh
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
- krb5_data *dh_params, /* IN
- ???? */
+ const krb5_data *client_spki, /* IN
+ SubjectPublicKeyInfo encoding from client */
int minbits); /* IN
the minimum number of key bits acceptable */
@@ -367,10 +361,6 @@ krb5_error_code server_process_dh
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
- unsigned char *received_pubkey, /* IN
- contains client's DER encoded DH pub key */
- unsigned int received_pub_len, /* IN
- contains length of received_pubkey */
unsigned char **dh_pubkey_out, /* OUT
receives KDC's DER encoded DH pub key */
unsigned int *dh_pubkey_len_out, /* OUT
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 276adac..81f9cf7 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -50,9 +50,6 @@ static void pkinit_fini_certs(pkinit_identity_crypto_context ctx);
static krb5_error_code pkinit_init_pkcs11(pkinit_identity_crypto_context ctx);
static void pkinit_fini_pkcs11(pkinit_identity_crypto_context ctx);
-static krb5_error_code pkinit_encode_dh_params
-(const BIGNUM *, const BIGNUM *, const BIGNUM *, uint8_t **, unsigned int *);
-static DH *decode_dh_params(const krb5_data *);
static int pkinit_check_dh_params(DH *dh1, DH *dh2);
static krb5_error_code pkinit_sign_data
@@ -243,6 +240,258 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub,
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+/* Encode a bignum as an ASN.1 integer in DER. */
+static int
+encode_bn_der(const BIGNUM *bn, uint8_t **der_out, int *len_out)
+{
+ ASN1_INTEGER *intval;
+ int len;
+ uint8_t *der, *outptr;
+
+ intval = BN_to_ASN1_INTEGER(bn, NULL);
+ if (intval == NULL)
+ return 0;
+ len = i2d_ASN1_INTEGER(intval, NULL);
+ if (len > 0 && (outptr = der = malloc(len)) != NULL)
+ (void)i2d_ASN1_INTEGER(intval, &outptr);
+ ASN1_INTEGER_free(intval);
+ if (der == NULL)
+ return 0;
+ *der_out = der;
+ *len_out = len;
+ return 1;
+}
+
+/* Decode an ASN.1 integer, returning a bignum. */
+static BIGNUM *
+decode_bn_der(const uint8_t *der, size_t len)
+{
+ ASN1_INTEGER *intval;
+ BIGNUM *bn;
+
+ intval = d2i_ASN1_INTEGER(NULL, &der, len);
+ if (intval == NULL)
+ return NULL;
+ bn = ASN1_INTEGER_to_BN(intval, NULL);
+ ASN1_INTEGER_free(intval);
+ return bn;
+}
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+
+static DH *
+decode_dh_params(const krb5_data *params_der)
+{
+ const uint8_t *p = (uint8_t *)params_der->data;
+
+ return d2i_DHxparams(NULL, &p, params_der->length);
+}
+
+static krb5_error_code
+encode_spki(DH *dh, krb5_data *spki_out)
+{
+ krb5_error_code ret = ENOMEM;
+ EVP_PKEY *pkey = NULL;
+ int len;
+ uint8_t *outptr;
+
+ pkey = EVP_PKEY_new();
+ if (pkey == NULL)
+ goto cleanup;
+ if (!DH_up_ref(dh))
+ goto cleanup;
+ if (!EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh)) {
+ DH_free(dh);
+ goto cleanup;
+ }
+ len = i2d_PUBKEY(pkey, NULL);
+ ret = alloc_data(spki_out, len);
+ if (ret)
+ goto cleanup;
+ outptr = (uint8_t *)spki_out->data;
+ (void)i2d_PUBKEY(pkey, &outptr);
+
+cleanup:
+ EVP_PKEY_free(pkey);
+ return ret;
+}
+
+static DH *
+decode_spki(const krb5_data *spki)
+{
+ EVP_PKEY *pkey = NULL;
+ const uint8_t *inptr = (uint8_t *)spki->data;
+ DH *dh;
+
+ pkey = d2i_PUBKEY(NULL, &inptr, spki->length);
+ if (pkey == NULL)
+ return NULL;
+ dh = EVP_PKEY_get1_DH(pkey);
+ EVP_PKEY_free(pkey);
+ return dh;
+}
+
+#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
+/*
+ * OpenSSL 1.0 has no DHX support, so we need a custom decoder for RFC 3279
+ * DomainParameters, and we need to use X509_PUBKEY values to marshal
+ * SubjectPublicKeyInfo.
+ */
+
+typedef struct {
+ ASN1_BIT_STRING *seed;
+ BIGNUM *counter;
+} int_dhvparams;
+
+typedef struct {
+ BIGNUM *p;
+ BIGNUM *q;
+ BIGNUM *g;
+ BIGNUM *j;
+ int_dhvparams *vparams;
+} int_dhxparams;
+
+ASN1_SEQUENCE(int_dhvparams) = {
+ ASN1_SIMPLE(int_dhvparams, seed, ASN1_BIT_STRING),
+ ASN1_SIMPLE(int_dhvparams, counter, BIGNUM)
+} ASN1_SEQUENCE_END(int_dhvparams);
+
+ASN1_SEQUENCE(int_dhxparams) = {
+ ASN1_SIMPLE(int_dhxparams, p, BIGNUM),
+ ASN1_SIMPLE(int_dhxparams, g, BIGNUM),
+ ASN1_SIMPLE(int_dhxparams, q, BIGNUM),
+ ASN1_OPT(int_dhxparams, j, BIGNUM),
+ ASN1_OPT(int_dhxparams, vparams, int_dhvparams)
+} ASN1_SEQUENCE_END(int_dhxparams);
+
+static DH *
+decode_dh_params(const krb5_data *params_der)
+{
+ int_dhxparams *params;
+ DH *dh;
+ const uint8_t *p;
+
+ dh = DH_new();
+ if (dh == NULL)
+ return NULL;
+
+ p = (uint8_t *)params_der->data;
+ params = (int_dhxparams *)ASN1_item_d2i(NULL, &p, params_der->length,
+ ASN1_ITEM_rptr(int_dhxparams));
+ if (params == NULL) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ /* Steal p, q, and g from dhparams for dh. Ignore j and vparams. */
+ dh->p = params->p;
+ dh->q = params->q;
+ dh->g = params->g;
+ params->p = params->q = params->g = NULL;
+ ASN1_item_free((ASN1_VALUE *)params, ASN1_ITEM_rptr(int_dhxparams));
+ return dh;
+}
+
+static krb5_error_code
+encode_spki(DH *dh, krb5_data *spki_out)
+{
+ krb5_error_code ret = ENOMEM;
+ uint8_t *param_der = NULL, *pubkey_der = NULL, *outptr;
+ int param_der_len, pubkey_der_len, len;
+ X509_PUBKEY pubkey;
+ int_dhxparams dhxparams;
+ X509_ALGOR algor;
+ ASN1_OBJECT algorithm;
+ ASN1_TYPE parameter;
+ ASN1_STRING param_str, pubkey_str;
+
+ dhxparams.p = dh->p;
+ dhxparams.q = dh->q;
+ dhxparams.g = dh->g;
+ dhxparams.j = NULL;
+ dhxparams.vparams = NULL;
+ param_der_len = ASN1_item_i2d((ASN1_VALUE *)&dhxparams, ¶m_der,
+ ASN1_ITEM_rptr(int_dhxparams));
+ if (param_der_len < 0)
+ goto cleanup;
+ param_str.length = param_der_len;
+ param_str.type = V_ASN1_SEQUENCE;
+ param_str.data = param_der;
+ param_str.flags = 0;
+ parameter.type = V_ASN1_SEQUENCE;
+ parameter.value.sequence = ¶m_str;
+
+ memset(&algorithm, 0, sizeof(algorithm));
+ algorithm.data = (uint8_t *)dh_oid.data;
+ algorithm.length = dh_oid.length;
+
+ algor.algorithm = &algorithm;
+ algor.parameter = ¶meter;
+
+ if (!encode_bn_der(dh->pub_key, &pubkey_der, &pubkey_der_len))
+ goto cleanup;
+ pubkey_str.length = pubkey_der_len;
+ pubkey_str.type = V_ASN1_BIT_STRING;
+ pubkey_str.data = pubkey_der;
+ pubkey_str.flags = ASN1_STRING_FLAG_BITS_LEFT;
+
+ pubkey.algor = &algor;
+ pubkey.public_key = &pubkey_str;
+ len = i2d_X509_PUBKEY(&pubkey, NULL);
+ if (len < 0)
+ goto cleanup;
+ ret = alloc_data(spki_out, len);
+ if (ret)
+ goto cleanup;
+ outptr = (uint8_t *)spki_out->data;
+ i2d_X509_PUBKEY(&pubkey, &outptr);
+
+cleanup:
+ OPENSSL_free(param_der);
+ free(pubkey_der);
+ return ret;
+}
+
+static DH *
+decode_spki(const krb5_data *spki)
+{
+ X509_PUBKEY *pubkey = NULL;
+ const uint8_t *inptr;
+ DH *dh = NULL;
+ const ASN1_STRING *params;
+ const ASN1_BIT_STRING *public_key;
+ krb5_data d;
+
+ inptr = (uint8_t *)spki->data;
+ pubkey = d2i_X509_PUBKEY(NULL, &inptr, spki->length);
+ if (pubkey == NULL)
+ goto cleanup;
+
+ if (pubkey->algor->parameter->type != V_ASN1_SEQUENCE)
+ goto cleanup;
+ params = pubkey->algor->parameter->value.sequence;
+ d = make_data(params->data, params->length);
+ dh = decode_dh_params(&d);
+ if (dh == NULL)
+ goto cleanup;
+
+ public_key = pubkey->public_key;
+ dh->pub_key = decode_bn_der(public_key->data, public_key->length);
+ if (dh->pub_key == NULL) {
+ DH_free(dh);
+ dh = NULL;
+ }
+
+cleanup:
+ X509_PUBKEY_free(pubkey);
+ return dh;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
static struct pkcs11_errstrings {
short code;
char *text;
@@ -2346,7 +2595,7 @@ cleanup:
/* Call DH_compute_key() and ensure that we left-pad short results instead of
* leaving junk bytes at the end of the buffer. */
static void
-compute_dh(unsigned char *buf, int size, BIGNUM *server_pub_key, DH *dh)
+compute_dh(unsigned char *buf, int size, const BIGNUM *server_pub_key, DH *dh)
{
int len, pad;
@@ -2364,22 +2613,13 @@ client_create_dh(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
pkinit_req_crypto_context cryptoctx,
pkinit_identity_crypto_context id_cryptoctx,
- int dh_size,
- unsigned char **dh_params_out,
- unsigned int *dh_params_len_out,
- unsigned char **dh_pubkey_out,
- unsigned int *dh_pubkey_len_out)
+ int dh_size, krb5_data *spki_out)
{
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
- unsigned char *buf = NULL;
int dh_err = 0;
- ASN1_INTEGER *pub_key = NULL;
- const BIGNUM *pubkey_bn, *p, *q, *g;
- unsigned char *dh_params = NULL, *dh_pubkey = NULL;
- unsigned int dh_params_len, dh_pubkey_len;
+ const BIGNUM *pubkey_bn;
- *dh_params_out = *dh_pubkey_out = NULL;
- *dh_params_len_out = *dh_pubkey_len_out = 0;
+ *spki_out = empty_data();
if (cryptoctx->dh == NULL) {
if (dh_size == 1024)
@@ -2418,50 +2658,13 @@ client_create_dh(krb5_context context,
goto cleanup;
}
- /* pack DHparams */
- /* aglo: usually we could just call i2d_DHparams to encode DH params
- * however, PKINIT requires RFC3279 encoding and openssl does pkcs#3.
- */
- DH_get0_pqg(cryptoctx->dh, &p, &q, &g);
- retval = pkinit_encode_dh_params(p, g, q, &dh_params, &dh_params_len);
- if (retval)
- goto cleanup;
-
- /* pack DH public key */
- /* Diffie-Hellman public key must be ASN1 encoded as an INTEGER; this
- * encoding shall be used as the contents (the value) of the
- * subjectPublicKey component (a BIT STRING) of the SubjectPublicKeyInfo
- * data element
- */
- pub_key = BN_to_ASN1_INTEGER(pubkey_bn, NULL);
- if (pub_key == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- dh_pubkey_len = i2d_ASN1_INTEGER(pub_key, NULL);
- buf = dh_pubkey = malloc(dh_pubkey_len);
- if (dh_pubkey == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- i2d_ASN1_INTEGER(pub_key, &buf);
-
- *dh_params_out = dh_params;
- *dh_params_len_out = dh_params_len;
- *dh_pubkey_out = dh_pubkey;
- *dh_pubkey_len_out = dh_pubkey_len;
- dh_params = dh_pubkey = NULL;
-
- retval = 0;
+ retval = encode_spki(cryptoctx->dh, spki_out);
cleanup:
if (retval) {
DH_free(cryptoctx->dh);
cryptoctx->dh = NULL;
}
- free(dh_params);
- free(dh_pubkey);
- ASN1_INTEGER_free(pub_key);
return retval;
}
@@ -2553,7 +2756,7 @@ server_check_dh(krb5_context context,
pkinit_plg_crypto_context cryptoctx,
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_crypto_context id_cryptoctx,
- krb5_data *dh_params,
+ const krb5_data *client_spki,
int minbits)
{
DH *dh = NULL;
@@ -2561,7 +2764,7 @@ server_check_dh(krb5_context context,
int dh_prime_bits;
krb5_error_code retval = KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
- dh = decode_dh_params(dh_params);
+ dh = decode_spki(client_spki);
if (dh == NULL) {
pkiDebug("failed to decode dhparams\n");
goto cleanup;
@@ -2618,50 +2821,36 @@ server_process_dh(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
pkinit_req_crypto_context cryptoctx,
pkinit_identity_crypto_context id_cryptoctx,
- unsigned char *data,
- unsigned int data_len,
unsigned char **dh_pubkey_out,
unsigned int *dh_pubkey_len_out,
unsigned char **server_key_out,
unsigned int *server_key_len_out)
{
krb5_error_code retval = ENOMEM;
- DH *dh = NULL, *dh_server = NULL;
+ DH *dh_server = NULL;
unsigned char *p = NULL;
ASN1_INTEGER *pub_key = NULL;
- BIGNUM *client_pubkey = NULL;
- const BIGNUM *server_pubkey;
+ const BIGNUM *client_pubkey, *server_pubkey;
unsigned char *dh_pubkey = NULL, *server_key = NULL;
unsigned int dh_pubkey_len = 0, server_key_len = 0;
*dh_pubkey_out = *server_key_out = NULL;
*dh_pubkey_len_out = *server_key_len_out = 0;
- /* get client's received DH parameters that we saved in server_check_dh */
- dh = cryptoctx->dh;
- dh_server = dup_dh_params(dh);
+ /* Generate a server DH key with the same parameters as the client key. */
+ dh_server = dup_dh_params(cryptoctx->dh);
if (dh_server == NULL)
goto cleanup;
-
- /* decode client's public key */
- p = data;
- pub_key = d2i_ASN1_INTEGER(NULL, (const unsigned char **)&p, (int)data_len);
- if (pub_key == NULL)
- goto cleanup;
- client_pubkey = ASN1_INTEGER_to_BN(pub_key, NULL);
- if (client_pubkey == NULL)
- goto cleanup;
- ASN1_INTEGER_free(pub_key);
-
if (!DH_generate_key(dh_server))
goto cleanup;
DH_get0_key(dh_server, &server_pubkey, NULL);
- /* generate DH session key */
+ /* Generate a DH result from the server key and client public key. */
server_key_len = DH_size(dh_server);
server_key = malloc(server_key_len);
if (server_key == NULL)
goto cleanup;
+ DH_get0_key(cryptoctx->dh, &client_pubkey, NULL);
compute_dh(server_key, server_key_len, client_pubkey, dh_server);
#ifdef DEBUG_DH
@@ -2699,7 +2888,6 @@ server_process_dh(krb5_context context,
retval = 0;
cleanup:
- BN_free(client_pubkey);
DH_free(dh_server);
free(dh_pubkey);
free(server_key);
@@ -2717,193 +2905,6 @@ pkinit_openssl_init()
}
static krb5_error_code
-pkinit_encode_dh_params(const BIGNUM *p, const BIGNUM *g, const BIGNUM *q,
- uint8_t **buf, unsigned int *buf_len)
-{
- krb5_error_code retval = ENOMEM;
- int bufsize = 0, r = 0;
- unsigned char *tmp = NULL;
- ASN1_INTEGER *ap = NULL, *ag = NULL, *aq = NULL;
-
- if ((ap = BN_to_ASN1_INTEGER(p, NULL)) == NULL)
- goto cleanup;
- if ((ag = BN_to_ASN1_INTEGER(g, NULL)) == NULL)
- goto cleanup;
- if ((aq = BN_to_ASN1_INTEGER(q, NULL)) == NULL)
- goto cleanup;
- bufsize = i2d_ASN1_INTEGER(ap, NULL);
- bufsize += i2d_ASN1_INTEGER(ag, NULL);
- bufsize += i2d_ASN1_INTEGER(aq, NULL);
-
- r = ASN1_object_size(1, bufsize, V_ASN1_SEQUENCE);
-
- tmp = *buf = malloc((size_t) r);
- if (tmp == NULL)
- goto cleanup;
-
- ASN1_put_object(&tmp, 1, bufsize, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-
- i2d_ASN1_INTEGER(ap, &tmp);
- i2d_ASN1_INTEGER(ag, &tmp);
- i2d_ASN1_INTEGER(aq, &tmp);
-
- *buf_len = r;
-
- retval = 0;
-
-cleanup:
- if (ap != NULL)
- ASN1_INTEGER_free(ap);
- if (ag != NULL)
- ASN1_INTEGER_free(ag);
- if (aq != NULL)
- ASN1_INTEGER_free(aq);
-
- return retval;
-}
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-
-/*
- * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would
- * like to just call d2i_DHxparams(), but Microsoft's implementation may omit
- * the q value in violation of the RFC. Instead we must copy the internal
- * structures and sequence declarations from dh_asn1.c, modified to make the q
- * field optional.
- */
-
-typedef struct {
- ASN1_BIT_STRING *seed;
- BIGNUM *counter;
-} int_dhvparams;
-
-typedef struct {
- BIGNUM *p;
- BIGNUM *q;
- BIGNUM *g;
- BIGNUM *j;
- int_dhvparams *vparams;
-} int_dhx942_dh;
-
-ASN1_SEQUENCE(DHvparams) = {
- ASN1_SIMPLE(int_dhvparams, seed, ASN1_BIT_STRING),
- ASN1_SIMPLE(int_dhvparams, counter, BIGNUM)
-} static_ASN1_SEQUENCE_END_name(int_dhvparams, DHvparams)
-
-ASN1_SEQUENCE(DHxparams) = {
- ASN1_SIMPLE(int_dhx942_dh, p, BIGNUM),
- ASN1_SIMPLE(int_dhx942_dh, g, BIGNUM),
- ASN1_OPT(int_dhx942_dh, q, BIGNUM),
- ASN1_OPT(int_dhx942_dh, j, BIGNUM),
- ASN1_OPT(int_dhx942_dh, vparams, DHvparams),
-} static_ASN1_SEQUENCE_END_name(int_dhx942_dh, DHxparams)
-
-static DH *
-decode_dh_params(const krb5_data *params_der)
-{
- const uint8_t *p;
- int_dhx942_dh *params;
- DH *dh;
-
- dh = DH_new();
- if (dh == NULL)
- return NULL;
-
- p = (uint8_t *)params_der->data;
- params = (int_dhx942_dh *)ASN1_item_d2i(NULL, &p, params_der->length,
- ASN1_ITEM_rptr(DHxparams));
- if (params == NULL) {
- DH_free(dh);
- return NULL;
- }
-
- /* Steal the p, q, and g values from dhparams for dh. Ignore j and
- * vparams. */
- DH_set0_pqg(dh, params->p, params->q, params->g);
- params->p = params->q = params->g = NULL;
- ASN1_item_free((ASN1_VALUE *)params, ASN1_ITEM_rptr(DHxparams));
- return dh;
-}
-
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-
-/*
- * Do the same decoding (except without decoding j and vparams or checking the
- * sequence length) using the pre-OpenSSL-1.1 asn1_mac.h. Define an internal
- * function in the form demanded by the macros, then wrap it for caller
- * convenience.
- */
-
-static DH *
-decode_dh_params_int(DH ** a, uint8_t **pp, unsigned int len)
-{
- ASN1_INTEGER ai, *aip = NULL;
- long length = (long) len;
-
- M_ASN1_D2I_vars(a, DH *, DH_new);
-
- M_ASN1_D2I_Init();
- M_ASN1_D2I_start_sequence();
- aip = &ai;
- ai.data = NULL;
- ai.length = 0;
- M_ASN1_D2I_get_x(ASN1_INTEGER, aip, d2i_ASN1_INTEGER);
- if (aip == NULL)
- return NULL;
- else {
- ret->p = ASN1_INTEGER_to_BN(aip, NULL);
- if (ret->p == NULL)
- return NULL;
- if (ai.data != NULL) {
- OPENSSL_free(ai.data);
- ai.data = NULL;
- ai.length = 0;
- }
- }
- M_ASN1_D2I_get_x(ASN1_INTEGER, aip, d2i_ASN1_INTEGER);
- if (aip == NULL)
- return NULL;
- else {
- ret->g = ASN1_INTEGER_to_BN(aip, NULL);
- if (ret->g == NULL)
- return NULL;
- if (ai.data != NULL) {
- OPENSSL_free(ai.data);
- ai.data = NULL;
- ai.length = 0;
- }
-
- }
- M_ASN1_D2I_get_opt(aip, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
- if (aip == NULL || ai.data == NULL)
- ret->q = NULL;
- else {
- ret->q = ASN1_INTEGER_to_BN(aip, NULL);
- if (ret->q == NULL)
- return NULL;
- if (ai.data != NULL) {
- OPENSSL_free(ai.data);
- ai.data = NULL;
- ai.length = 0;
- }
-
- }
- M_ASN1_D2I_end_sequence();
- M_ASN1_D2I_Finish(a, DH_free, 0);
-
-}
-
-static DH *
-decode_dh_params(const krb5_data *params_der)
-{
- uint8_t *p = (uint8_t *)params_der->data;
-
- return decode_dh_params_int(NULL, &p, params_der->length);
-}
-
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-
-static krb5_error_code
pkinit_create_sequence_of_principal_identifiers(
krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
index ea28b8e..6922951 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
@@ -45,12 +45,7 @@
#include <openssl/sha.h>
#include <openssl/asn1.h>
#include <openssl/pem.h>
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#include <openssl/asn1t.h>
-#else
-#include <openssl/asn1_mac.h>
-#endif
#define DN_BUF_LEN 256
#define MAX_CREDS_ALLOWED 20
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index bb2916b..4c3d46b 100644
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -123,12 +123,7 @@ void
free_krb5_auth_pack(krb5_auth_pack **in)
{
if ((*in) == NULL) return;
- if ((*in)->clientPublicValue != NULL) {
- free((*in)->clientPublicValue->algorithm.algorithm.data);
- free((*in)->clientPublicValue->algorithm.parameters.data);
- free((*in)->clientPublicValue->subjectPublicKey.data);
- free((*in)->clientPublicValue);
- }
+ krb5_free_data_contents(NULL, &(*in)->clientPublicValue);
free((*in)->pkAuthenticator.paChecksum.contents);
krb5_free_data(NULL, (*in)->pkAuthenticator.freshnessToken);
if ((*in)->supportedCMSTypes != NULL)
@@ -199,15 +194,6 @@ free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in)
}
void
-free_krb5_subject_pk_info(krb5_subject_pk_info **in)
-{
- if ((*in) == NULL) return;
- free((*in)->algorithm.parameters.data);
- free((*in)->subjectPublicKey.data);
- free(*in);
-}
-
-void
free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in)
{
if (*in == NULL) return;
@@ -252,17 +238,6 @@ init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in)
(*in)->u.dh_Info.kdfID = NULL;
}
-void
-init_krb5_subject_pk_info(krb5_subject_pk_info **in)
-{
- (*in) = malloc(sizeof(krb5_subject_pk_info));
- if ((*in) == NULL) return;
- (*in)->algorithm.parameters.data = NULL;
- (*in)->algorithm.parameters.length = 0;
- (*in)->subjectPublicKey.data = NULL;
- (*in)->subjectPublicKey.length = 0;
-}
-
krb5_error_code
pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src)
{
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index df0983e..0df0767 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -530,10 +530,10 @@ pkinit_server_verify_padata(krb5_context context,
goto cleanup;
/* check dh parameters */
- if (auth_pack->clientPublicValue != NULL) {
+ if (auth_pack->clientPublicValue.length > 0) {
retval = server_check_dh(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx,
- &auth_pack->clientPublicValue->algorithm.parameters,
+ &auth_pack->clientPublicValue,
plgctx->opts->dh_min_bits);
if (retval) {
pkiDebug("bad dh parameters\n");
@@ -761,9 +761,7 @@ pkinit_server_return_padata(krb5_context context,
krb5_pa_pk_as_req *reqp = NULL;
int i = 0;
- unsigned char *subjectPublicKey = NULL;
unsigned char *dh_pubkey = NULL, *server_key = NULL;
- unsigned int subjectPublicKey_len = 0;
unsigned int server_key_len = 0, dh_pubkey_len = 0;
krb5_kdc_dh_key_info dhkey_info;
@@ -832,17 +830,13 @@ pkinit_server_return_padata(krb5_context context,
rep->choice = choice_pa_pk_as_rep_encKeyPack;
if (reqctx->rcv_auth_pack != NULL &&
- reqctx->rcv_auth_pack->clientPublicValue != NULL) {
- subjectPublicKey = (unsigned char *)
- reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.data;
- subjectPublicKey_len =
- reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length;
+ reqctx->rcv_auth_pack->clientPublicValue.length > 0) {
rep->choice = choice_pa_pk_as_rep_dhInfo;
pkiDebug("received DH key delivery AS REQ\n");
retval = server_process_dh(context, plgctx->cryptoctx,
- reqctx->cryptoctx, plgctx->idctx, subjectPublicKey,
- subjectPublicKey_len, &dh_pubkey, &dh_pubkey_len,
+ reqctx->cryptoctx, plgctx->idctx,
+ &dh_pubkey, &dh_pubkey_len,
&server_key, &server_key_len);
if (retval) {
pkiDebug("failed to process/create dh parameters\n");
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 61d2d59..4fa67bf 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -1183,7 +1183,7 @@ int main(argc, argv)
/* decode_krb5_auth_pack */
{
setup(krb5_auth_pack,ktest_make_sample_auth_pack);
- decode_run("krb5_auth_pack","","30 81 93 A0 29 30 27 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61",
+ decode_run("krb5_auth_pack","","30 81 85 A0 35 30 33 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 08 04 06 70 76 61 6C 75 65 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61",
acc.decode_krb5_auth_pack,
ktest_equal_auth_pack,ktest_free_auth_pack);
ktest_empty_auth_pack(&ref);
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 7bb6987..270d5b7 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -751,13 +751,6 @@ ktest_make_sample_algorithm_identifier_no_params(krb5_algorithm_identifier *p)
}
static void
-ktest_make_sample_subject_pk_info(krb5_subject_pk_info *p)
-{
- ktest_make_sample_algorithm_identifier(&p->algorithm);
- ktest_make_sample_data(&p->subjectPublicKey);
-}
-
-static void
ktest_make_sample_external_principal_identifier(
krb5_external_principal_identifier *p)
{
@@ -806,8 +799,8 @@ void
ktest_make_sample_auth_pack(krb5_auth_pack *p)
{
ktest_make_sample_pk_authenticator(&p->pkAuthenticator);
- p->clientPublicValue = ealloc(sizeof(krb5_subject_pk_info));
- ktest_make_sample_subject_pk_info(p->clientPublicValue);
+ /* Need a valid DER encoding here; this is the OCTET STRING "pvalue". */
+ krb5_data_parse(&p->clientPublicValue, "\x04\x06" "pvalue");
p->supportedCMSTypes = ealloc(3 * sizeof(krb5_algorithm_identifier *));
p->supportedCMSTypes[0] = ealloc(sizeof(krb5_algorithm_identifier));
ktest_make_sample_algorithm_identifier(p->supportedCMSTypes[0]);
@@ -1673,13 +1666,6 @@ ktest_empty_pk_authenticator(krb5_pk_authenticator *p)
}
static void
-ktest_empty_subject_pk_info(krb5_subject_pk_info *p)
-{
- ktest_empty_algorithm_identifier(&p->algorithm);
- ktest_empty_data(&p->subjectPublicKey);
-}
-
-static void
ktest_empty_external_principal_identifier(
krb5_external_principal_identifier *p)
{
@@ -1728,11 +1714,7 @@ ktest_empty_auth_pack(krb5_auth_pack *p)
krb5_data **d;
ktest_empty_pk_authenticator(&p->pkAuthenticator);
- if (p->clientPublicValue != NULL) {
- ktest_empty_subject_pk_info(p->clientPublicValue);
- free(p->clientPublicValue);
- p->clientPublicValue = NULL;
- }
+ ktest_empty_data(&p->clientPublicValue);
if (p->supportedCMSTypes != NULL) {
for (ai = p->supportedCMSTypes; *ai != NULL; ai++) {
ktest_empty_algorithm_identifier(*ai);
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index eed6872..f4678b6 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
@@ -877,18 +877,6 @@ ktest_equal_pk_authenticator(krb5_pk_authenticator *ref,
}
static int
-ktest_equal_subject_pk_info(krb5_subject_pk_info *ref,
- krb5_subject_pk_info *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && struct_equal(algorithm, ktest_equal_algorithm_identifier);
- p = p && equal_str(subjectPublicKey);
- return p;
-}
-
-static int
ktest_equal_external_principal_identifier(
krb5_external_principal_identifier *ref,
krb5_external_principal_identifier *var)
@@ -962,7 +950,7 @@ ktest_equal_auth_pack(krb5_auth_pack *ref, krb5_auth_pack *var)
if (ref == var) return TRUE;
else if (ref == NULL || var == NULL) return FALSE;
p = p && struct_equal(pkAuthenticator, ktest_equal_pk_authenticator);
- p = p && ptr_equal(clientPublicValue, ktest_equal_subject_pk_info);
+ p = p && equal_str(clientPublicValue);
p = p && ptr_equal(supportedCMSTypes,
ktest_equal_sequence_of_algorithm_identifier);
p = p && equal_str(clientDHNonce);
diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
index 9bd08e1..6ec7aaa 100644
--- a/src/tests/asn.1/pkinit_encode.out
+++ b/src/tests/asn.1/pkinit_encode.out
@@ -1,7 +1,7 @@
encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
-encode_krb5_auth_pack: 30 81 9F A0 35 30 33 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
+encode_krb5_auth_pack: 30 81 85 A0 35 30 33 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 08 04 06 70 76 61 6C 75 65 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A
encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
index 3675fba..46f4a34 100644
--- a/src/tests/asn.1/pkinit_trval.out
+++ b/src/tests/asn.1/pkinit_trval.out
@@ -40,13 +40,7 @@ encode_krb5_auth_pack:
. . [2] [Integer] 42
. . [3] [Octet String] "1234"
. . [4] [Octet String] "krb5data"
-. [1] [Sequence/Sequence Of]
-. . [Sequence/Sequence Of]
-. . . [Object Identifier] <9>
- 2a 86 48 86 f7 12 01 02 02 *.H......
-. . . [Octet String] "params"
-. . [Bit String] <9>
- 00 6b 72 62 35 64 61 74 61 .krb5data
+. [1] [Octet String] "pvalue"
. [2] [Sequence/Sequence Of]
. . [Sequence/Sequence Of]
. . . [Object Identifier] <9>
More information about the cvs-krb5
mailing list