krb5: Decorate Principal type with name attributes

See `asn1: Add --decorate=... for internal bookkeeping`, which adds an
option to `asn1_compile` for decorating SET/SEQUENCE types with fields
that are neither encoded nor decoded, but which _are_ copied and freed.

We'll use this to add name attributes to the `Principal` type (which is
used to represent Kerberos principal names in the krb5 GSS mechanism)
without having to rototill either the GSS krb5 mechanism or the krb5 library,
and without affecting the encodings of HDB entries (which happen to use
the `Principal` type).
Nicolas Williams
2021-12-19 23:18:27 -06:00
parent 8962abdfbc
commit fe095aa1c0
3 changed files with 46 additions and 8 deletions


@@ -392,6 +392,7 @@ crmf_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/crmf.asn1 $(srcdir)/cr
krb5_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/krb5.asn1 $(srcdir)/krb5.opt
$(ASN1_COMPILE) --one-code-file --template \
--option-file=$(srcdir)/krb5.opt \
--decorate='Principal:PrincipalNameAttrs:nameattrs?' \
$(srcdir)/krb5.asn1 krb5_template_asn1 || (rm -f krb5_template_asn1_files ; exit 1)
ocsp_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/ocsp.asn1
@@ -433,6 +434,7 @@ crmf_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/crmf.asn1 $(srcdir)/crmf.opt
krb5_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/krb5.asn1 $(srcdir)/krb5.opt
$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) \
--option-file=$(srcdir)/krb5.opt \
--decorate='Principal:PrincipalNameAttrs:nameattrs?' \
$(srcdir)/krb5.asn1 krb5_asn1 || (rm -f krb5_asn1_files ; exit 1)
ocsp_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/ocsp.asn1
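Review bot: The new `--decorate='Principal:PrincipalNameAttrs:nameattrs?'` argument is repeated verbatim in the krb5_template_asn1_files recipe and the krb5_asn1_files recipe here, and a third time in the NTMakefile hunk; hoisting it into one variable, e.g. `KRB5_DECORATE = --decorate='Principal:PrincipalNameAttrs:nameattrs?'` referenced as `$(KRB5_DECORATE)` in both recipes, would keep the template and non-template builds from drifting. Because the decorated field is copied and freed but never encoded, a spelling mismatch between the two builds would silently change the in-memory layout of `Principal` that the GSS mechanism relies on, and an encoding round-trip test would likely not catch it. A one-line comment above that variable is also the natural place to record why the field must stay out of the wire and HDB encodings, and to state what the trailing `?` in the spec selects, which the hunk itself does not document (presumably an optional/pointer field; worth confirming against the asn1_compile change).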


@@ -202,6 +202,7 @@ $(gen_files_krb5) $(OBJ)\krb5_asn1.hx: $(BINDIR)\asn1_compile.exe krb5.asn1 krb5
$(BINDIR)\asn1_compile.exe \
--template \
--one-code-file \
--decorate="Principal:PrincipalNameAttrs:nameattrs?" \
--option-file=$(SRCDIR)\krb5.opt \
$(SRCDIR)\krb5.asn1 krb5_asn1 \
|| ($(RM) $(OBJ)\krb5_asn1.h ; exit /b 1)


@@ -305,14 +305,6 @@ PrincipalName ::= SEQUENCE {
name-string[1] SEQUENCE OF GeneralString
}
-- this is not part of RFC1510
Principal ::= SEQUENCE {
name[0] PrincipalName,
realm[1] Realm
}
Principals ::= SEQUENCE OF Principal
HostAddress ::= SEQUENCE {
addr-type[0] Krb5Int32,
address[1] OCTET STRING
@@ -442,6 +434,49 @@ Checksum ::= SEQUENCE {
checksum[1] OCTET STRING
}
-- For GSS name attributes [RFC6680] we'll decorate Principal (which is not an
-- RFC4120 type, but which we use a) in HDB, b) in the API as that which
-- krb5_principal points to) with PrincipalNameAttrs.
--
-- Attributes have three possible sources in Heimdal Kerberos at this time:
--
-- - the EncKDCRepPart
-- - the EncTicketPart
-- - the Authenticator's AuthorizationData (if any)
--
-- In principle there can be more:
--
-- - locally-set (asserted) attributes
-- - locally-looked-up attributes (e.g., in LDAP)
-- - locally-transformed attributes (e.g., local groups, filtered SIDs from a
-- PAC, etc.)
--
-- We could also cache "cooked" attributes as reported by the RFC6680 API given
-- the sources we have.
--
-- For now we'll only support authenticated attributes where those come from
-- the KDC, and attributes asserted in Authenticator authz-data.
PrincipalNameAttrSrc ::= CHOICE {
enc-kdc-rep-part [0] EncKDCRepPart, -- minus session key
enc-ticket-part [1] EncTicketPart -- minus session key
}
PrincipalNameAttrs ::= SEQUENCE {
authenticated [0] BOOLEAN,
-- These are compiled from the Ticket and Authenticator:
source [1] PrincipalNameAttrSrc OPTIONAL,
authenticator-ad [2] AuthorizationData OPTIONAL
}
-- this is not part of RFC1510
Principal ::= SEQUENCE {
name[0] PrincipalName,
realm[1] Realm
-- This will be decorated with a name-attrs field of
-- PrincipalNameAttrs type that doesn't get encoded
}
Principals ::= SEQUENCE OF Principal
Authenticator ::= [APPLICATION 2] SEQUENCE {
authenticator-vno[0] Krb5Int32,
crealm[1] Realm,