ASN1 framework

Greg Hudson ghudson at MIT.EDU
Mon Aug 27 11:45:03 EDT 2012

On 08/27/2012 07:49 AM, Alejandro Perez Mendez wrote:
> for my GSS preauthentication plugin I should make use of ASN1 for the 
> encoding of the PA element. I've been advised to not encode DER by 
> hand, but use instead the ASN1 macros that are defined in MIT KRB code. 
> However, I've spent a while trying to understand how they work, without 
> much success. Is there any documentation available?

lib/krb5/asn.1/README.asn1 contains my best effort at explaining those

> Am I supposed to modify the code in lib/krb5/asn1/ to define the 
> encoding of my PA element? (there are lots of PKINIT definitions there)

While we would eventually like to have a plugin-visible ASN.1 layer,
right now we do not.  This means that a plugin module designed to be
built and packaged separately from the krb5 tree must use some other
ASN.1 implementation (like asn1c or liblber), while a plugin module
included in the krb5 sources must add to the definitions in
lib/krb5/asn.1 and define internal functions.

> Are encoding/decoding functions generated automatically based on the DEF 
> macros? (some structs have encoding and decoding functions, some only 
> have decoding functions, and some seem to have none of them).

It sounds to me like you are looking at the 1.10.x release code.  Our
ASN.1 support has changed significantly since then.  Since you are, to
my understanding, hoping to produce an end product which will be part of
MIT krb5 and not packaged separately, you should be working against the
master branch and not against a specific release.
