Add PKINIT decoder tests

Add tests to krb5_decode_test.c for PKINIT types.  Where the decoders
do not match the encoders, include comments and hand-generated
encodings which work with the decoder.

Add a comment to asn1_k_encode.c documenting inconsistencies between
the draft 9 PA-PK-AS-REQ spec and our encoder results.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25650 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 9 insertions, 0 deletions

diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 20a5979261..f9af88d75d 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1632,6 +1632,15 @@ DEFFIELDTYPE(pa_pk_as_rep, krb5_pa_pk_as_rep,
              FIELDOF_CHOICE(krb5_pa_pk_as_rep, pa_pk_as_rep_choice, u, choice,
                             pa_pk_as_rep_selection, -1));
 
+/*
+ * draft-ietf-cat-kerberos-pk-init-09 specifies these alternatives as
+ * explicitly tagged SignedData and EnvelopedData respectively, which means
+ * they should have constructed context tags.  However, our historical behavior
+ * is to use primitive context tags, and we don't want to change that behavior
+ * without interop testing.  We have the encodings for each alternative in a
+ * krb5_data object; pretend that they are wrapped in IMPLICIT OCTET STRING in
+ * order to wrap them in primitive [0] and [1] tags.
+ */
 typedef union krb5_pa_pk_as_rep_draft9_choices
 krb5_pa_pk_as_rep_draft9_choices;
 typedef enum krb5_pa_pk_as_rep_draft9_selection