authorGreg Hudson <ghudson@mit.edu>2012-02-11 23:25:12 +0000
committerGreg Hudson <ghudson@mit.edu>2012-02-11 23:25:12 +0000
commitbeb36f85c88fab20e95c4a0d8f109c3d0ab942f5 (patch)
tree87bf5d167d9ab3fb9fcabaf4bdf5e0a0c71d4adc /src/lib/krb5/asn.1
parentf0af05cf4d4fbfea0b418e94ab5f60031db57a66 (diff)
Minimize draft9 PKINIT code by removing dead code
The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9, which is fortunate because it doesn't work (see issue #7072). Instead, it passes both kinds of PKINIT replies through decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack. So, remove the unused broken pa_pk_as_rep_draft9 decoder. For pa_pk_as_req_draft9, we only use two of the fields on encode and only one of those on decode. So, get rid of the unused fields and the krb5_trusted_ca structure, and reduce the encoder and decoder sequences to the minimum necessary fields. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/asn.1')
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.c151
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.h7
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode_kdc.c27
-rw-r--r--src/lib/krb5/asn.1/asn1_k_encode.c52
-rw-r--r--src/lib/krb5/asn.1/krb5_decode.c13
5 files changed, 9 insertions, 241 deletions
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c
index 8df166a5a5..f58bf39b12 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode.c
@@ -1195,124 +1195,6 @@ asn1_decode_sequence_of_external_principal_identifier(
free_external_principal_identifier);
}
-#if 0 /* XXX This needs to be tested!!! XXX */
-asn1_error_code
-asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val)
-{
- setup();
- val->choice = choice_trusted_cas_UNKNOWN;
- {
- char *start, *end;
- size_t alloclen;
-
- begin_explicit_choice();
- if (t.tagnum == choice_trusted_cas_principalName) {
- val->choice = choice_trusted_cas_principalName;
- } else if (t.tagnum == choice_trusted_cas_caName) {
- val->choice = choice_trusted_cas_caName;
- val->u.caName.data = NULL;
- start = subbuf.next;
- {
- sequence_of_no_tagvars(&subbuf);
- unused_var(size);
- end_sequence_of_no_tagvars(&subbuf);
- }
- end = subbuf.next;
- alloclen = end - start;
- val->u.caName.data = malloc(alloclen);
- if (val->u.caName.data == NULL)
- clean_return(ENOMEM);
- memcpy(val->u.caName.data, start, alloclen);
- val->u.caName.length = alloclen;
- next_tag();
- } else if (t.tagnum == choice_trusted_cas_issuerAndSerial) {
- val->choice = choice_trusted_cas_issuerAndSerial;
- val->u.issuerAndSerial.data = NULL;
- start = subbuf.next;
- {
- sequence_of_no_tagvars(&subbuf);
- unused_var(size);
- end_sequence_of_no_tagvars(&subbuf);
- }
- end = subbuf.next;
- alloclen = end - start;
- val->u.issuerAndSerial.data = malloc(alloclen);
- if (val->u.issuerAndSerial.data == NULL)
- clean_return(ENOMEM);
- memcpy(val->u.issuerAndSerial.data, start, alloclen);
- val->u.issuerAndSerial.length = alloclen;
- next_tag();
- } else clean_return(ASN1_BAD_ID);
- end_explicit_choice();
- }
- return 0;
-error_out:
- if (val->choice == choice_trusted_cas_caName)
- free(val->u.caName.data);
- else if (val->choice == choice_trusted_cas_issuerAndSerial)
- free(val->u.issuerAndSerial.data);
- val->choice = choice_trusted_cas_UNKNOWN;
- return retval;
-}
-#else
-asn1_error_code
-asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val)
-{
- setup();
- val->choice = choice_trusted_cas_UNKNOWN;
- { begin_choice();
- if (tagnum == choice_trusted_cas_principalName) {
- val->choice = choice_trusted_cas_principalName;
- val->u.principalName = NULL;
- asn1_decode_krb5_principal_name(&subbuf, &(val->u.principalName));
- } else if (tagnum == choice_trusted_cas_caName) {
- val->choice = choice_trusted_cas_caName;
- val->u.caName.data = NULL;
- get_implicit_charstring(val->u.caName.length, val->u.caName.data,
- choice_trusted_cas_caName);
- } else if (tagnum == choice_trusted_cas_issuerAndSerial) {
- val->choice = choice_trusted_cas_issuerAndSerial;
- val->u.issuerAndSerial.data = NULL;
- get_implicit_charstring(val->u.issuerAndSerial.length,
- val->u.issuerAndSerial.data,
- choice_trusted_cas_issuerAndSerial);
- } else clean_return(ASN1_BAD_ID);
- end_choice();
- }
- return 0;
-error_out:
- if (val->choice == choice_trusted_cas_caName)
- free(val->u.caName.data);
- else if (val->choice == choice_trusted_cas_issuerAndSerial)
- free(val->u.issuerAndSerial.data);
- val->choice = choice_trusted_cas_UNKNOWN;
- return retval;
-}
-#endif /* if 0 */
-
-asn1_error_code
-asn1_decode_trusted_ca_ptr(asn1buf *buf, krb5_trusted_ca **valptr)
-{
- decode_ptr(krb5_trusted_ca *, asn1_decode_trusted_ca);
-}
-
-static void
-free_trusted_ca(void *dummy, krb5_trusted_ca *val)
-{
- if (val->choice == choice_trusted_cas_caName)
- free(val->u.caName.data);
- else if (val->choice == choice_trusted_cas_issuerAndSerial)
- free(val->u.issuerAndSerial.data);
- free(val);
-}
-
-asn1_error_code
-asn1_decode_sequence_of_trusted_ca(asn1buf *buf, krb5_trusted_ca ***val)
-{
- decode_array_body(krb5_trusted_ca, asn1_decode_trusted_ca_ptr,
- free_trusted_ca);
-}
-
static asn1_error_code
asn1_decode_kdf_alg_id_ptr(asn1buf *buf, krb5_data **valptr)
{
@@ -1626,39 +1508,6 @@ error_out:
}
asn1_error_code
-asn1_decode_pa_pk_as_rep_draft9(asn1buf *buf, krb5_pa_pk_as_rep_draft9 *val)
-{
- setup();
- val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN;
- { begin_structure();
- if (tagnum == choice_pa_pk_as_rep_draft9_dhSignedData) {
- val->choice = choice_pa_pk_as_rep_draft9_dhSignedData;
- val->u.dhSignedData.data = NULL;
- get_lenfield(val->u.dhSignedData.length, val->u.dhSignedData.data,
- choice_pa_pk_as_rep_draft9_dhSignedData,
- asn1_decode_charstring);
- } else if (tagnum == choice_pa_pk_as_rep_draft9_encKeyPack) {
- val->choice = choice_pa_pk_as_rep_draft9_encKeyPack;
- val->u.encKeyPack.data = NULL;
- get_lenfield(val->u.encKeyPack.length, val->u.encKeyPack.data,
- choice_pa_pk_as_rep_draft9_encKeyPack,
- asn1_decode_charstring);
- } else {
- val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN;
- }
- end_structure();
- }
- return 0;
-error_out:
- if (val->choice == choice_pa_pk_as_rep_draft9_dhSignedData)
- free(val->u.dhSignedData.data);
- else if (val->choice == choice_pa_pk_as_rep_draft9_encKeyPack)
- free(val->u.encKeyPack.data);
- val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN;
- return retval;
-}
-
-asn1_error_code
asn1_decode_kdf_alg_id( asn1buf *buf, krb5_data *val)
{
setup();
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h
index 081f11f949..03a9235121 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.h
+++ b/src/lib/krb5/asn.1/asn1_k_decode.h
@@ -156,9 +156,6 @@ asn1_error_code asn1_decode_external_principal_identifier(
asn1_error_code asn1_decode_external_principal_identifier_ptr(
asn1buf *buf, krb5_external_principal_identifier **valptr);
asn1_error_code asn1_decode_pa_pk_as_req(asn1buf *buf, krb5_pa_pk_as_req *val);
-asn1_error_code asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val);
-asn1_error_code asn1_decode_trusted_ca_ptr(asn1buf *buf,
- krb5_trusted_ca **valptr);
asn1_error_code asn1_decode_pa_pk_as_req_draft9(asn1buf *buf,
krb5_pa_pk_as_req_draft9 *val);
asn1_error_code asn1_decode_dh_rep_info(asn1buf *buf, krb5_dh_rep_info *val);
@@ -179,8 +176,6 @@ asn1_error_code asn1_decode_auth_pack_draft9(asn1buf *buf,
krb5_auth_pack_draft9 *val);
asn1_error_code asn1_decode_pa_pk_as_rep(asn1buf *buf,
krb5_pa_pk_as_rep *val);
-asn1_error_code asn1_decode_pa_pk_as_rep_draft9(asn1buf *buf,
- krb5_pa_pk_as_rep_draft9 *val);
asn1_error_code asn1_decode_kdc_dh_key_info(asn1buf *buf,
krb5_kdc_dh_key_info *val);
asn1_error_code asn1_decode_krb5_principal_name(asn1buf *buf,
@@ -221,8 +216,6 @@ asn1_error_code asn1_decode_etype_info2(asn1buf *buf,
krb5_boolean v1_3_behavior);
asn1_error_code asn1_decode_sequence_of_external_principal_identifier(
asn1buf *buf, krb5_external_principal_identifier ***val);
-asn1_error_code asn1_decode_sequence_of_trusted_ca(asn1buf *buf,
- krb5_trusted_ca ***val);
asn1_error_code asn1_decode_sequence_of_algorithm_identifier(
asn1buf *buf, krb5_algorithm_identifier ***val);
diff --git a/src/lib/krb5/asn.1/asn1_k_decode_kdc.c b/src/lib/krb5/asn.1/asn1_k_decode_kdc.c
index c340abcfdb..1b79f2f18f 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode_kdc.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode_kdc.c
@@ -147,16 +147,6 @@ error_out:
return retval;
}
-static void
-free_trusted_ca(void *dummy, krb5_trusted_ca *val)
-{
- if (val->choice == choice_trusted_cas_caName)
- free(val->u.caName.data);
- else if (val->choice == choice_trusted_cas_issuerAndSerial)
- free(val->u.issuerAndSerial.data);
- free(val);
-}
-
asn1_error_code
asn1_decode_pa_pk_as_req_draft9(asn1buf *buf, krb5_pa_pk_as_req_draft9 *val)
{
@@ -164,29 +154,16 @@ asn1_decode_pa_pk_as_req_draft9(asn1buf *buf, krb5_pa_pk_as_req_draft9 *val)
setup();
val->signedAuthPack.data = NULL;
val->kdcCert.data = NULL;
- val->encryptionCert.data = NULL;
- val->trustedCertifiers = NULL;
{ begin_structure();
+ /* PA-PK-AS-REQ in draft9 has four fields, but we only care about the
+ * first one. */
get_implicit_charstring(val->signedAuthPack.length, val->signedAuthPack.data, 0);
- opt_field(val->trustedCertifiers, 1, asn1_decode_sequence_of_trusted_ca, NULL);
- opt_lenfield(val->kdcCert.length, val->kdcCert.data, 2, asn1_decode_charstring);
- opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 2, asn1_decode_charstring);
end_structure();
}
return 0;
error_out:
free(val->signedAuthPack.data);
- free(val->kdcCert.data);
- free(val->encryptionCert.data);
- if (val->trustedCertifiers) {
- for (i = 0; val->trustedCertifiers[i]; i++)
- free_trusted_ca(NULL, val->trustedCertifiers[i]);
- free(val->trustedCertifiers);
- }
val->signedAuthPack.data = NULL;
- val->kdcCert.data = NULL;
- val->encryptionCert.data = NULL;
- val->trustedCertifiers = NULL;
return retval;
}
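Review bot: The new comment says only the first of the four draft9 fields matters but leaves unstated what becomes of the other three, and since the decoder no longer reads kdcCert while the initializer near the top of the hunk still clears `val->kdcCert.data`, a reader may assume kdcCert is populated here. I would expand the comment to spell this out: `/* PA-PK-AS-REQ in draft9 has four fields (signedAuthPack, trustedCertifiers, kdcCert, encryptionCert); only signedAuthPack is decoded, the remainder is skipped by end_structure(), and val->kdcCert stays empty. */`. Whether end_structure() tolerates unparsed trailing content, and whether the skipped fields are still length-checked for indefinite-length encodings, is decided by macros outside this hunk, so confirm that before committing it to the comment. The loop index used by the removed cleanup loop is declared above the hunk; if that declaration remains it is now an unused variable. The function's signature lies in the preceding hunk's context lines.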
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index fdaf097cae..db2afb817d 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1425,64 +1425,26 @@ DEFSEQTYPE(pa_pk_as_req, krb5_pa_pk_as_req, pa_pk_as_req_fields,
pa_pk_as_req_optional);
/*
- * draft-ietf-cat-kerberos-pk-init-09 specifies these fields as explicitly
- * tagged KerberosName, Name, and IssuerAndSerialNumber respectively, which
- * means they should have constructed context tags. However, our historical
- * behavior is to use primitive context-specific tags, and we don't want to
- * change that behavior without interop testing. For the principal name, which
- * we encode ourselves, use a DEFTAGGEDTYPE to wrap the principal encoding in a
- * primitive [0] tag. For the other two types, we have the encoding in a
- * krb5_data object; pretend that they are wrapped in IMPLICIT OCTET STRING in
- * order to wrap them in primitive [1] and [2] tags.
- */
-DEFTAGGEDTYPE(trusted_ca_0, CONTEXT_SPECIFIC, PRIMITIVE, 0, 0, principal);
-DEFCTAGGEDTYPE_IMPLICIT(trusted_ca_1, 1, ostring_data);
-DEFCTAGGEDTYPE_IMPLICIT(trusted_ca_2, 2, ostring_data);
-static const struct atype_info *trusted_ca_alternatives[] = {
- &k5_atype_trusted_ca_0, &k5_atype_trusted_ca_1, &k5_atype_trusted_ca_2
-};
-DEFCHOICETYPE(trusted_ca_choice, union krb5_trusted_ca_choices,
- enum krb5_trusted_ca_selection, trusted_ca_alternatives);
-DEFCOUNTEDTYPE_SIGNED(trusted_ca, krb5_trusted_ca, u, choice,
- trusted_ca_choice);
-DEFPTRTYPE(trusted_ca_ptr, trusted_ca);
-
-DEFNULLTERMSEQOFTYPE(seqof_trusted_ca, trusted_ca_ptr);
-DEFPTRTYPE(ptr_seqof_trusted_ca, seqof_trusted_ca);
-
-/*
- * draft-ietf-cat-kerberos-pk-init-09 specifies signedAuthPack, kdcCert, and
- * EncryptionCert as explictly tagged SignedData, IssuerAndSerialNumber, and
- * IssuerAndSerialNumber, which means they should have constructed context
- * tags. However, our historical behavior is to use a primitive context tag,
- * and we don't want to change that without interop testing. We have the DER
- * encodings of these fields in krb5_data objects; pretend that they are
- * wrapped in IMPLICIT OCTET STRING in order to generate primitive context
- * tags.
+ * In draft-ietf-cat-kerberos-pk-init-09, this sequence has four fields, but we
+ * only ever use the first and third. The fields are specified as explicitly
+ * tagged, but our historical behavior is to pretend that they are wrapped in
+ * IMPLICIT OCTET STRING (i.e., generate primitive context tags), and we don't
+ * want to change that without interop testing.
*/
DEFFIELD_IMPLICIT(pa_pk_as_req9_0, krb5_pa_pk_as_req_draft9, signedAuthPack, 0,
ostring_data);
-DEFFIELD(pa_pk_as_req9_1, krb5_pa_pk_as_req_draft9, trustedCertifiers, 1,
- ptr_seqof_trusted_ca);
DEFFIELD_IMPLICIT(pa_pk_as_req9_2, krb5_pa_pk_as_req_draft9, kdcCert, 2,
ostring_data);
-DEFFIELD_IMPLICIT(pa_pk_as_req9_3, krb5_pa_pk_as_req_draft9, encryptionCert, 3,
- ostring_data);
static const struct atype_info *pa_pk_as_req_draft9_fields[] = {
- &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_1,
- &k5_atype_pa_pk_as_req9_2, &k5_atype_pa_pk_as_req9_3
+ &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_2
};
static unsigned int
pa_pk_as_req_draft9_optional(const void *p)
{
unsigned int not_present = 0;
const krb5_pa_pk_as_req_draft9 *val = p;
- if (val->trustedCertifiers == NULL)
- not_present |= (1u << 1);
if (val->kdcCert.length == 0)
- not_present |= (1u << 2);
- if (val->encryptionCert.length == 0)
- not_present |= (1u << 3);
+ not_present |= (1u << 1);
return not_present;
}
DEFSEQTYPE(pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9,
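Review bot: The optional-field mask in pa_pk_as_req_draft9_optional() now marks kdcCert with bit 1 although the field carries context tag [2] (k5_atype_pa_pk_as_req9_2); that is correct only if DEFSEQTYPE interprets the mask by position in pa_pk_as_req_draft9_fields[], which the change from `1u << 2` to `1u << 1` implies but the hunk does not show. A one-line comment above the function would keep a later edit from re-aligning the bits with tag numbers: `/* Bits index pa_pk_as_req_draft9_fields[], not context tag numbers. */`. The DEFSEQTYPE invocation on the last line continues outside the hunk.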
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 840035dab4..388efd7b68 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -852,19 +852,6 @@ decode_krb5_pa_pk_as_rep(const krb5_data *code, krb5_pa_pk_as_rep **repptr)
}
krb5_error_code
-decode_krb5_pa_pk_as_rep_draft9(const krb5_data *code,
- krb5_pa_pk_as_rep_draft9 **repptr)
-{
- setup_buf_only(krb5_pa_pk_as_rep_draft9 *);
- alloc_field(rep);
-
- retval = asn1_decode_pa_pk_as_rep_draft9(&buf, rep);
- if (retval) clean_return(retval);
-
- cleanup(free);
-}
-
-krb5_error_code
decode_krb5_auth_pack(const krb5_data *code, krb5_auth_pack **repptr)
{
setup_buf_only(krb5_auth_pack *);