krb5: Add name attributes to krb5_principal

We now have what we need in krb5_principal to implement much of RFC6680. Now we populate those fields so that they can be accessed by GSS-API RFC6680 name attributes functions. The next commit should add much of the GSS-API RFC6680 name attributes functions and functionality.
2021-12-20 16:22:52 -06:00
parent f3484d5e2e
commit 87f8c0d2b5
6 changed files with 163 additions and 19 deletions
--- a/lib/asn1/krb5.asn1
+++ b/lib/asn1/krb5.asn1
@@ -18,6 +18,7 @@ EXPORTS
 	CKSUMTYPE,
 	ChangePasswdDataMS,
 	Checksum,
+        CompositePrincipal,
 	ENCTYPE,
 	ETYPE-INFO,
 	ETYPE-INFO-ENTRY,
@@ -440,9 +441,9 @@ Checksum ::= SEQUENCE {
 --
 -- Attributes have three possible sources in Heimdal Kerberos at this time:
 --
--  - the EncKDCRepPart
--  - the EncTicketPart
--  - the Authenticator's AuthorizationData (if any)
+--  - the EncKDCRepPart (for the client's attributes on the client side)
+--  - the EncTicketPart (for the client's attributes on the server side)
+--  - the Authenticator's AuthorizationData (if any; server-side)
 --
 -- In principle there can be more:
 --
@@ -464,15 +465,39 @@ PrincipalNameAttrs ::= SEQUENCE {
        authenticated       [0]     BOOLEAN,
        -- These are compiled from the Ticket and Authenticator:
        source              [1]     PrincipalNameAttrSrc OPTIONAL,
-        authenticator-ad    [2]     AuthorizationData OPTIONAL
+        authenticator-ad    [2]     AuthorizationData OPTIONAL,
+        -- For the server on the client side we should keep track of the
+        -- transit path taken to reach it (if absent -> unknown).
+        --
+        -- We don't learn much more about the server from the KDC.
+        peer-realm          [3]     Realm OPTIONAL,
+        transited           [4]     TransitedEncoding OPTIONAL,
+        pac-verified        [5]     BOOLEAN
+        -- TODO: Add requested attributes, for gss_set_name_attribute(), which
+        --       should cause corresponding authz-data elements to be added to
+        --       any TGS-REQ or to the AP-REQ's Authenticator as appropriate.
+}
+-- This is our type for exported composite name tokens for GSS [RFC6680].
+-- It's the same as Principal (below) as decorated with (see krb5.opt file and
+-- asn1_compile usage), except it's not decorated, so the name attributes are
+-- encoded/decoded.
+CompositePrincipal ::= [APPLICATION 48] SEQUENCE {
+	name[0]			PrincipalName,
+	realm[1]		Realm,
+        nameattrs[2]            PrincipalNameAttrs OPTIONAL
 }

-- this is not part of RFC1510
+-- This is not part of RFC1510/RFC4120.  We use this internally as our
+-- krb5_principal (which is a typedef of *Principal), and in HDB entries.
 Principal ::= SEQUENCE {
 	name[0]			PrincipalName,
 	realm[1]		Realm
-        -- This will be decorated with a name-attrs field of
-        -- PrincipalNameAttrs type that doesn't get encoded
+        -- This will be decorated with an optional nameattrs field of
+        -- PrincipalNameAttrs type that doesn't get encoded.  Same as
+        -- CompositePrincipal above, except that CompositePrincipal's
+        -- nameattrs field does get encoded, while Principal's does not:
+        --
+        -- nameattrs[2]         PrincipalNameAttrs OPTIONAL
 }

 Principals ::= SEQUENCE OF Principal