krb5: Decorate Principal type with name attributes

See `asn1: Add --decorate=... for internal bookkeeping`, which adds an
option to `asn1_compile` for decorating SET/SEQUENCE types with fields
that are neither encoded nor decoded, but which _are_ copied and freed.

We'll use this to add name attributes to the `Principal` type (which is
used to represent Kerberos principal names in the krb5 GSS mechanism)
without having to rototill the GSS krb5 mechanism nor the krb5 library,
and without affecting the encodings of HDB entries (which happen to use
the `Principal` type).

lib/asn1/Makefile.am

@@ -392,6 +392,7 @@ crmf_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/crmf.asn1 $(srcdir)/cr
 krb5_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/krb5.asn1 $(srcdir)/krb5.opt
 	$(ASN1_COMPILE) --one-code-file --template			\
 			--option-file=$(srcdir)/krb5.opt		\
+			--decorate='Principal:PrincipalNameAttrs:nameattrs?'	\
 			$(srcdir)/krb5.asn1 krb5_template_asn1 || (rm -f krb5_template_asn1_files ; exit 1)
 
 ocsp_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/ocsp.asn1
@@ -433,6 +434,7 @@ crmf_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/crmf.asn1 $(srcdir)/crmf.opt
 krb5_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/krb5.asn1 $(srcdir)/krb5.opt
 	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION)		\
 			--option-file=$(srcdir)/krb5.opt		\
+			--decorate='Principal:PrincipalNameAttrs:nameattrs?'	\
 			$(srcdir)/krb5.asn1 krb5_asn1 || (rm -f krb5_asn1_files ; exit 1)
 
 ocsp_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/ocsp.asn1

lib/asn1/NTMakefile

@@ -202,6 +202,7 @@ $(gen_files_krb5) $(OBJ)\krb5_asn1.hx: $(BINDIR)\asn1_compile.exe krb5.asn1 krb5
 	$(BINDIR)\asn1_compile.exe \
 		--template	\
 		--one-code-file	\
+		--decorate="Principal:PrincipalNameAttrs:nameattrs?" \
 		--option-file=$(SRCDIR)\krb5.opt \
 		$(SRCDIR)\krb5.asn1 krb5_asn1 \
 	|| ($(RM) $(OBJ)\krb5_asn1.h ; exit /b 1)

lib/asn1/krb5.asn1

@@ -305,14 +305,6 @@ PrincipalName ::= SEQUENCE {
 	name-string[1]		SEQUENCE OF GeneralString
 }
 
--- this is not part of RFC1510
-Principal ::= SEQUENCE {
-	name[0]			PrincipalName,
-	realm[1]		Realm
-}
-
-Principals ::= SEQUENCE OF Principal
-
 HostAddress ::= SEQUENCE  {
 	addr-type[0]		Krb5Int32,
 	address[1]		OCTET STRING
@@ -442,6 +434,49 @@ Checksum ::= SEQUENCE {
 	checksum[1]		OCTET STRING
 }
 
+-- For GSS name attributes [RFC6680] we'll decorate Principal (which is not an
+-- RFC4120 type, but which we use a) in HDB, b) in the API as that which
+-- krb5_principal points to) with PrincipalNameAttrs.
+--
+-- Attributes have three possible sources in Heimdal Kerberos at this time:
+--
+--  - the EncKDCRepPart
+--  - the EncTicketPart
+--  - the Authenticator's AuthorizationData (if any)
+--
+-- In principle there can be more:
+--
+--  - locally-set (asserted) attributes
+--  - locally-looked-up attributes (e.g., in LDAP)
+--  - locally-transformed attributes (e.g., local groups, filtered SIDs from a
+--    PAC, etc.)
+--
+-- We could also cache "cooked" attributes as reported by the RFC6680 API given
+-- the sources we have.
+--
+-- For now we'll only support authenticated attributes where those come from
+-- the KDC, and attributes asserted in Authenticator authz-data.
+PrincipalNameAttrSrc ::= CHOICE {
+        enc-kdc-rep-part    [0] EncKDCRepPart,  -- minus session key
+        enc-ticket-part     [1] EncTicketPart   -- minus session key
+}
+PrincipalNameAttrs ::= SEQUENCE {
+        authenticated       [0]     BOOLEAN,
+        -- These are compiled from the Ticket and Authenticator:
+        source              [1]     PrincipalNameAttrSrc OPTIONAL,
+        authenticator-ad    [2]     AuthorizationData OPTIONAL
+}
+
+-- this is not part of RFC1510
+Principal ::= SEQUENCE {
+	name[0]			PrincipalName,
+	realm[1]		Realm
+        -- This will be decorated with a name-attrs field of
+        -- PrincipalNameAttrs type that doesn't get encoded
+}
+
+Principals ::= SEQUENCE OF Principal
+
 Authenticator ::= [APPLICATION 2] SEQUENCE    {
 	authenticator-vno[0]	Krb5Int32,
 	crealm[1]		Realm,