diff --git a/lib/asn1/Makefile.am b/lib/asn1/Makefile.am
index 60cf0ba18..94d24fc47 100644
--- a/lib/asn1/Makefile.am
+++ b/lib/asn1/Makefile.am
@@ -392,6 +392,7 @@ crmf_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/crmf.asn1 $(srcdir)/cr
 krb5_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/krb5.asn1 $(srcdir)/krb5.opt
 $(ASN1_COMPILE) --one-code-file --template \
 --option-file=$(srcdir)/krb5.opt \
+ --decorate='Principal:PrincipalNameAttrs:nameattrs?' \
 $(srcdir)/krb5.asn1 krb5_template_asn1 || (rm -f krb5_template_asn1_files ; exit 1)
 
 ocsp_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/ocsp.asn1
@@ -433,6 +434,7 @@ crmf_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/crmf.asn1 $(srcdir)/crmf.opt
 krb5_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/krb5.asn1 $(srcdir)/krb5.opt
 $(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) \
 --option-file=$(srcdir)/krb5.opt \
+ --decorate='Principal:PrincipalNameAttrs:nameattrs?' \
 $(srcdir)/krb5.asn1 krb5_asn1 || (rm -f krb5_asn1_files ; exit 1)
 
 ocsp_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/ocsp.asn1
diff --git a/lib/asn1/NTMakefile b/lib/asn1/NTMakefile
index 8ed0b63f7..379ecfa13 100644
--- a/lib/asn1/NTMakefile
+++ b/lib/asn1/NTMakefile
@@ -202,6 +202,7 @@ $(gen_files_krb5) $(OBJ)\krb5_asn1.hx: $(BINDIR)\asn1_compile.exe krb5.asn1 krb5
 $(BINDIR)\asn1_compile.exe \
 --template \
 --one-code-file \
+ --decorate="Principal:PrincipalNameAttrs:nameattrs?" \
 --option-file=$(SRCDIR)\krb5.opt \
 $(SRCDIR)\krb5.asn1 krb5_asn1 \
 || ($(RM) $(OBJ)\krb5_asn1.h ; exit /b 1)
diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1
index 61c207c2c..baaec52f5 100644
--- a/lib/asn1/krb5.asn1
+++ b/lib/asn1/krb5.asn1
@@ -305,14 +305,6 @@ PrincipalName ::= SEQUENCE {
 name-string[1] SEQUENCE OF GeneralString
 }
 
--- this is not part of RFC1510
-Principal ::= SEQUENCE {
- name[0] PrincipalName,
- realm[1] Realm
-}
-
-Principals ::= SEQUENCE OF Principal
-
 HostAddress ::= SEQUENCE {
 addr-type[0] Krb5Int32,
 address[1] OCTET STRING
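Review bot: The literal `--decorate='Principal:PrincipalNameAttrs:nameattrs?'` is now repeated in both krb5 rules of this file (here and in the `krb5_asn1_files` hunk below) and a third time, double-quoted, in the NTMakefile hunk; if any copy drifts, the template and non-template builds, or the Unix and Windows builds, would lay out `struct Principal` differently, and because the decorated member is never encoded nothing on the wire would reveal it. Factoring the flag into one variable keeps the two Makefile.am copies in lockstep, e.g. `KRB5_DECORATE = --decorate='Principal:PrincipalNameAttrs:nameattrs?'` next to wherever `TEMPLATE_OPTION` is defined and `$(KRB5_DECORATE) \` in both recipes; NTMakefile still has to be kept in step by hand, which a comment there should say. A one-line comment above the rule stating what the decoration does (adds a `nameattrs` member of type `PrincipalNameAttrs` to the generated `Principal`, the trailing `?` presumably making it optional) would help readers who do not know the asn1_compile option syntax.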
@@ -442,6 +434,49 @@ Checksum ::= SEQUENCE {
 checksum[1] OCTET STRING
 }
 
+-- For GSS name attributes [RFC6680] we'll decorate Principal (which is not an
+-- RFC4120 type, but which we use a) in HDB, b) in the API as that which
+-- krb5_principal points to) with PrincipalNameAttrs.
+--
+-- Attributes have three possible sources in Heimdal Kerberos at this time:
+--
+-- - the EncKDCRepPart
+-- - the EncTicketPart
+-- - the Authenticator's AuthorizationData (if any)
+--
+-- In principle there can be more:
+--
+-- - locally-set (asserted) attributes
+-- - locally-looked-up attributes (e.g., in LDAP)
+-- - locally-transformed attributes (e.g., local groups, filtered SIDs from a
+-- PAC, etc.)
+--
+-- We could also cache "cooked" attributes as reported by the RFC6680 API given
+-- the sources we have.
+--
+-- For now we'll only support authenticated attributes where those come from
+-- the KDC, and attributes asserted in Authenticator authz-data.
+PrincipalNameAttrSrc ::= CHOICE {
+ enc-kdc-rep-part [0] EncKDCRepPart, -- minus session key
+ enc-ticket-part [1] EncTicketPart -- minus session key
+}
+PrincipalNameAttrs ::= SEQUENCE {
+ authenticated [0] BOOLEAN,
+ -- These are compiled from the Ticket and Authenticator:
+ source [1] PrincipalNameAttrSrc OPTIONAL,
+ authenticator-ad [2] AuthorizationData OPTIONAL
+}
+
+-- this is not part of RFC1510
+Principal ::= SEQUENCE {
+ name[0] PrincipalName,
+ realm[1] Realm
+ -- This will be decorated with a name-attrs field of
+ -- PrincipalNameAttrs type that doesn't get encoded
+}
+
+Principals ::= SEQUENCE OF Principal
+
 Authenticator ::= [APPLICATION 2] SEQUENCE {
 authenticator-vno[0] Krb5Int32,
 crealm[1] Realm,
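Review bot: The `-- minus session key` annotations on `PrincipalNameAttrSrc` state an invariant the schema cannot enforce: `EncKDCRepPart` and `EncTicketPart` are used unmodified, and both types (defined outside this hunk) carry the session `key` member per RFC 4120, so whatever code fills in `source` has to clear that member itself before attaching the structure to a `Principal`. Because `Principal` is, per the new comment, what `krb5_principal` points to, a missed clear would silently copy a ticket session key into every principal object and into anything that exposes name attributes, so the comment should spell out who is responsible, e.g. `-- minus session key: the code populating this MUST clear the key member; the type does not do it`, or better, define dedicated key-free SEQUENCE types for the two sources so the property is structural rather than procedural. Separately, the comment on `Principal` says `name-attrs` while the build files decorate with `nameattrs?`; changing it to `-- This will be decorated with a nameattrs field of` keeps the comment greppable against the real member name.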