PKINIT encoder/decoder issues

Ken Raeburn raeburn at MIT.EDU
Tue Oct 7 21:59:06 EDT 2008

I'm doing a bit of work on the ASN.1 encoder routines in the MIT  
Kerberos library, and in preparation for that am trying to make sure  
that more of the encoders and decoders are actually tested under "make  
check".  The mechanism we have for other (base protocol) types tested  
in src/tests/asn.1 is pretty straightforward:

* We create a sample data structure, encode it, and compare the result  
(in hex) against saved copies.

* We create a sample data structure, encode it, and feed the result  
through a little ASN.1 pretty-printer, and compare the result against  
saved copies.

* We take a string with a sequence of hex values (stored separately  
from the above -- that's probably a bug), convert it to binary, feed  
it to the decoder to get a data structure, create our sample data  
structure, and recursively compare the two.

These tests check for self-consistency and that our encodings don't  
change.  Checking whether the expected and actual results are  
*correct* is a separate matter, obviously.

Extra tests are sometimes run for sequences with optional fields, or  
cases where we want to support some non-distinguished encoding variants.

There are currently no tests for the PKINIT types; I've been working  
on writing some.  However, I see a few possible problems:

In krb5_pk_authenticator_draft9, kdcRealm is set in the client-side  
plugin code but never used in the encoder or decoder.  (So obviously  
initializing and comparing the field doesn't work.)  It's a reference  
to the realm data stored in the kdcName field, and looks to me like it  
could just go away.

In krb5_pa_pk_as_req_draft9, we encode the optional field  
encryptionCert with a tag of 3, but when decoding, it looks like we  
want it to be 2, duplicating the tag on kdcCert.

In the trusted_ca encoding, with the principalName choice, the decoder  
is complaining about an incorrect tag value; I think it may be out of  

The ANY DEFINED BY seems to confuse our pretty-printer.  I'm not sure  
what to do about that except skip those tests when pretty-printing.   
Is there something we can stuff in that field that won't confuse it  
too much?

Could someone more knowledgeable than I about the ASN.1 encodings and  
the innards of PKINIT please take a look at this?  I can make my  
preliminary test cases available if it would help.


More information about the krbdev mailing list