authorGreg Hudson <ghudson@mit.edu>2012-02-11 23:25:12 +0000
committerGreg Hudson <ghudson@mit.edu>2012-02-11 23:25:12 +0000
commitbeb36f85c88fab20e95c4a0d8f109c3d0ab942f5 (patch)
tree87bf5d167d9ab3fb9fcabaf4bdf5e0a0c71d4adc /src/plugins
parentf0af05cf4d4fbfea0b418e94ab5f60031db57a66 (diff)
Minimize draft9 PKINIT code by removing dead code
The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9, which is fortunate because it doesn't work (see issue #7072). Instead, it passes both kinds of PKINIT replies through decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack. So, remove the unused broken pa_pk_as_rep_draft9 decoder. For pa_pk_as_req_draft9, we only use two of the fields on encode and only one of those on decode. So, get rid of the unused fields and the krb5_trusted_ca structure, and reduce the encoder and decoder sequences to the minimum necessary fields. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/preauth/pkinit/pkinit.h1
-rw-r--r--src/plugins/preauth/pkinit/pkinit_accessor.c8
-rw-r--r--src/plugins/preauth/pkinit/pkinit_accessor.h4
-rw-r--r--src/plugins/preauth/pkinit/pkinit_clnt.c8
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto.h16
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_nss.c12
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_openssl.c86
-rw-r--r--src/plugins/preauth/pkinit/pkinit_lib.c30
8 files changed, 9 insertions, 156 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 8c75f1fd7..53e9abd7b 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -316,7 +316,6 @@ void free_krb5_auth_pack_draft9(krb5_context, krb5_auth_pack_draft9 **in);
void free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
void free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
void free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in);
-void free_krb5_trusted_ca(krb5_trusted_ca ***in);
void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in);
void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.c b/src/plugins/preauth/pkinit/pkinit_accessor.c
index 2fa702fe1..15a3e49f3 100644
--- a/src/plugins/preauth/pkinit/pkinit_accessor.c
+++ b/src/plugins/preauth/pkinit/pkinit_accessor.c
@@ -44,7 +44,6 @@ DEF_FUNC_PTRS(krb5_auth_pack);
DEF_FUNC_PTRS(krb5_auth_pack_draft9);
DEF_FUNC_PTRS(krb5_kdc_dh_key_info);
DEF_FUNC_PTRS(krb5_pa_pk_as_rep);
-DEF_FUNC_PTRS(krb5_pa_pk_as_rep_draft9);
DEF_FUNC_PTRS(krb5_pa_pk_as_req);
DEF_FUNC_PTRS(krb5_pa_pk_as_req_draft9);
DEF_FUNC_PTRS(krb5_reply_key_pack);
@@ -55,6 +54,10 @@ krb5_error_code
(*k5int_decode_krb5_principal_name)(const krb5_data *, krb5_principal_data **);
krb5_error_code
+(*k5int_encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *,
+ krb5_data **code);
+
+krb5_error_code
(*k5int_encode_krb5_td_dh_parameters)(const krb5_algorithm_identifier **,
krb5_data **code);
krb5_error_code
@@ -101,7 +104,6 @@ pkinit_accessor_init(void)
SET_PTRS(krb5_auth_pack_draft9);
SET_PTRS(krb5_kdc_dh_key_info);
SET_PTRS(krb5_pa_pk_as_rep);
- SET_PTRS(krb5_pa_pk_as_rep_draft9);
SET_PTRS(krb5_pa_pk_as_req);
SET_PTRS(krb5_pa_pk_as_req_draft9);
SET_PTRS(krb5_reply_key_pack);
@@ -112,6 +114,8 @@ pkinit_accessor_init(void)
/* special cases... */
k5int_decode_krb5_principal_name = k5int.decode_krb5_principal_name;
k5int_encode_krb5_kdc_req_body = k5int.encode_krb5_kdc_req_body;
+ k5int_encode_krb5_pa_pk_as_rep_draft9 = \
+ k5int.encode_krb5_pa_pk_as_rep_draft9;
k5int_krb5_free_kdc_req = k5int.free_kdc_req;
k5int_set_prompt_types = k5int.set_prompt_types;
return 0;
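Review bot: The added assignment uses a backslash line continuation (`k5int_encode_krb5_pa_pk_as_rep_draft9 = \`), which is only meaningful inside a preprocessor directive; in ordinary C it merely splices the lines and reads as a leftover from a macro, so drop it and wrap on the operator: `k5int_encode_krb5_pa_pk_as_rep_draft9 =` / `    k5int.encode_krb5_pa_pk_as_rep_draft9;`. Because the commit removes the `DEF_FUNC_PTRS(krb5_pa_pk_as_rep_draft9)` pairing (encoder plus decoder) and keeps only the encoder via this special case, a one-line comment above the assignment would save the next reader a trip through the history, e.g. `/* Only the draft9 reply encoder is used; its decoder was removed as unused and broken. */`. The same applies to the matching declarations added in this file and in pkinit_accessor.h. pkinit_accessor_init begins and ends outside the hunk.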
diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.h b/src/plugins/preauth/pkinit/pkinit_accessor.h
index a5e45bf3e..21402ad83 100644
--- a/src/plugins/preauth/pkinit/pkinit_accessor.h
+++ b/src/plugins/preauth/pkinit/pkinit_accessor.h
@@ -48,7 +48,6 @@ DEF_EXT_FUNC_PTRS(krb5_auth_pack);
DEF_EXT_FUNC_PTRS(krb5_auth_pack_draft9);
DEF_EXT_FUNC_PTRS(krb5_kdc_dh_key_info);
DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_rep);
-DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_rep_draft9);
DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_req);
DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_req_draft9);
DEF_EXT_FUNC_PTRS(krb5_reply_key_pack);
@@ -58,6 +57,9 @@ DEF_EXT_FUNC_PTRS(krb5_reply_key_pack_draft9);
extern krb5_error_code (*k5int_decode_krb5_principal_name)
(const krb5_data *, krb5_principal_data **);
+extern krb5_error_code (*k5int_encode_krb5_pa_pk_as_rep_draft9)
+ (const krb5_pa_pk_as_rep_draft9 *, krb5_data **code);
+
extern krb5_error_code (*k5int_encode_krb5_td_dh_parameters)
(const krb5_algorithm_identifier **, krb5_data **code);
extern krb5_error_code (*k5int_decode_krb5_td_dh_parameters)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 609cc9b00..806cd75f5 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -431,14 +431,6 @@ pkinit_as_req_create(krb5_context context,
retval = k5int_encode_krb5_pa_pk_as_req(req, as_req);
break;
case KRB5_PADATA_PK_AS_REQ_OLD:
-#if 0
- /* W2K3 KDC doesn't like this */
- retval = create_krb5_trustedCas(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, 1, &req9->trustedCertifiers);
- if (retval)
- goto cleanup;
-
-#endif
retval = create_issuerAndSerial(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx,
(unsigned char **)&req9->kdcCert.data,
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index e42943d57..e81e94fd9 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -400,22 +400,6 @@ krb5_error_code create_krb5_trustedCertifiers
krb5_external_principal_identifier ***trustedCertifiers); /* OUT */
/*
- * this functions takes in crypto specific representation of
- * trustedCas (draft9) and creates a list of krb5_trusted_ca (draft9).
- * draft9 trustedCAs is a CHOICE. we only support choices for
- * [1] caName and [2] issuerAndSerial. there is no config
- * option available to select the choice yet. default = 1.
- */
-krb5_error_code create_krb5_trustedCas
- (krb5_context context, /* IN */
- pkinit_plg_crypto_context plg_cryptoctx, /* IN */
- pkinit_req_crypto_context req_cryptoctx, /* IN */
- pkinit_identity_crypto_context id_cryptoctx, /* IN */
- int flag, /* IN
- specifies the tag of the CHOICE */
- krb5_trusted_ca ***trustedCas); /* OUT */
-
-/*
* this functions takes in crypto specific representation of the
* KDC's certificate and creates a DER encoded kdcPKId
*/
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 8785ffb34..a14804916 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -1765,18 +1765,6 @@ create_krb5_supportedCMSTypes(krb5_context context,
return 0;
}
-#if 0
-krb5_error_code
-create_krb5_trustedCas(krb5_context context,
- pkinit_plg_crypto_context plg_cryptoctx,
- pkinit_req_crypto_context req_cryptoctx,
- pkinit_identity_crypto_context id_cryptoctx,
- int flag, krb5_trusted_ca ***trustedCas)
-{
- return ENOSYS;
-}
-#endif
-
/* Populate a list of trusted certifiers with the list of the root certificates
* that we trust. */
static void
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index b8ad380c9..ad86ba4e3 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5591,92 +5591,6 @@ create_krb5_trustedCertifiers(krb5_context context,
}
krb5_error_code
-create_krb5_trustedCas(krb5_context context,
- pkinit_plg_crypto_context plg_cryptoctx,
- pkinit_req_crypto_context req_cryptoctx,
- pkinit_identity_crypto_context id_cryptoctx,
- int flag,
- krb5_trusted_ca *** ids)
-{
- krb5_error_code retval = ENOMEM;
- STACK_OF(X509) *sk = id_cryptoctx->trustedCAs;
- int i = 0, len = 0, sk_size = sk_X509_num(sk);
- krb5_trusted_ca **krb5_cas = NULL;
- X509 *x = NULL;
- char buf[DN_BUF_LEN];
- X509_NAME *xn = NULL;
- unsigned char *p = NULL;
- PKCS7_ISSUER_AND_SERIAL *is = NULL;
-
- *ids = NULL;
- if (id_cryptoctx->trustedCAs == NULL)
- return KRB5KDC_ERR_PREAUTH_FAILED;
-
- krb5_cas = malloc((sk_size + 1) * sizeof(krb5_trusted_ca *));
- if (krb5_cas == NULL)
- return ENOMEM;
- krb5_cas[sk_size] = NULL;
-
- for (i = 0; i < sk_size; i++) {
- krb5_cas[i] = malloc(sizeof(krb5_trusted_ca));
- if (krb5_cas[i] == NULL)
- goto cleanup;
- x = sk_X509_value(sk, i);
-
- X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf));
- pkiDebug("#%d cert= %s\n", i, buf);
-
- switch (flag) {
- case choice_trusted_cas_principalName:
- krb5_cas[i]->choice = choice_trusted_cas_principalName;
- break;
- case choice_trusted_cas_caName:
- krb5_cas[i]->choice = choice_trusted_cas_caName;
- krb5_cas[i]->u.caName.data = NULL;
- krb5_cas[i]->u.caName.length = 0;
- xn = X509_get_subject_name(x);
- len = i2d_X509_NAME(xn, NULL);
- if ((p = malloc((size_t) len)) == NULL)
- goto cleanup;
- krb5_cas[i]->u.caName.data = (char *)p;
- i2d_X509_NAME(xn, &p);
- krb5_cas[i]->u.caName.length = len;
- break;
- case choice_trusted_cas_issuerAndSerial:
- krb5_cas[i]->choice = choice_trusted_cas_issuerAndSerial;
- krb5_cas[i]->u.issuerAndSerial.data = NULL;
- krb5_cas[i]->u.issuerAndSerial.length = 0;
- is = PKCS7_ISSUER_AND_SERIAL_new();
- X509_NAME_set(&is->issuer, X509_get_issuer_name(x));
- M_ASN1_INTEGER_free(is->serial);
- is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
- len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
- if ((p = malloc((size_t) len)) == NULL)
- goto cleanup;
- krb5_cas[i]->u.issuerAndSerial.data = (char *)p;
- i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
- krb5_cas[i]->u.issuerAndSerial.length = len;
- if (is != NULL) {
- if (is->issuer != NULL)
- X509_NAME_free(is->issuer);
- if (is->serial != NULL)
- ASN1_INTEGER_free(is->serial);
- free(is);
- }
- break;
- default: break;
- }
- }
- retval = 0;
- *ids = krb5_cas;
-cleanup:
- if (retval)
- free_krb5_trusted_ca(&krb5_cas);
-
- return retval;
-}
-
-krb5_error_code
create_issuerAndSerial(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
pkinit_req_crypto_context req_cryptoctx,
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index 50ee044a7..f1d818040 100644
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -126,9 +126,6 @@ free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in)
if (*in == NULL) return;
free((*in)->signedAuthPack.data);
free((*in)->kdcCert.data);
- free((*in)->encryptionCert.data);
- if ((*in)->trustedCertifiers != NULL)
- free_krb5_trusted_ca(&(*in)->trustedCertifiers);
free(*in);
}
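Review bot: After the commit trims the field frees, free_krb5_pa_pk_as_req_draft9 still ends with `free(*in);` and leaves `*in` dangling, even though the double-pointer signature is exactly what allows it to clear the caller's pointer; adding `*in = NULL;` after the free would turn an accidental second call into a no-op (the function already returns early on `*in == NULL`) instead of a double free. I cannot see the callers from this hunk, so whether any of them reuse the pointer afterwards is inferred rather than shown. The function's opening line is outside the hunk.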
@@ -223,30 +220,6 @@ free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in
}
void
-free_krb5_trusted_ca(krb5_trusted_ca ***in)
-{
- int i = 0;
- if (*in == NULL) return;
- while ((*in)[i] != NULL) {
- switch((*in)[i]->choice) {
- case choice_trusted_cas_principalName:
- break;
- case choice_trusted_cas_caName:
- free((*in)[i]->u.caName.data);
- break;
- case choice_trusted_cas_issuerAndSerial:
- free((*in)[i]->u.issuerAndSerial.data);
- break;
- case choice_trusted_cas_UNKNOWN:
- break;
- }
- free((*in)[i]);
- i++;
- }
- free(*in);
-}
-
-void
free_krb5_algorithm_identifier(krb5_algorithm_identifier *in)
{
if (in == NULL)
@@ -304,11 +277,8 @@ init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in)
if ((*in) == NULL) return;
(*in)->signedAuthPack.data = NULL;
(*in)->signedAuthPack.length = 0;
- (*in)->trustedCertifiers = NULL;
(*in)->kdcCert.data = NULL;
(*in)->kdcCert.length = 0;
- (*in)->encryptionCert.data = NULL;
- (*in)->encryptionCert.length = 0;
}
void