authorGreg Hudson <ghudson@mit.edu>2012-07-27 11:51:18 -0400
committerGreg Hudson <ghudson@mit.edu>2012-08-23 13:29:55 -0400
commita7dc565cafbaa6c18d5a76ea3cc823c7159a0d6b (patch)
tree821137ba5134f009c5423148f9cfd85863ab231d /src/tests
parentbe74d2e7fa486fd7e5cf59b7e845278164cfb76a (diff)
downloadkrb5-a7dc565cafbaa6c18d5a76ea3cc823c7159a0d6b.tar.gz
krb5-a7dc565cafbaa6c18d5a76ea3cc823c7159a0d6b.tar.xz
krb5-a7dc565cafbaa6c18d5a76ea3cc823c7159a0d6b.zip
Add ASN.1 support for OTP
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE, PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more thorough testing, add support for generating test encodings using asn1c for sample objects (currently only for the OTP types).
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/asn.1/Makefile.in13
-rw-r--r--src/tests/asn.1/krb5.asn1392
-rw-r--r--src/tests/asn.1/krb5_decode_test.c47
-rw-r--r--src/tests/asn.1/krb5_encode_test.c44
-rw-r--r--src/tests/asn.1/ktest.c171
-rw-r--r--src/tests/asn.1/ktest.h11
-rw-r--r--src/tests/asn.1/ktest_equal.c102
-rw-r--r--src/tests/asn.1/ktest_equal.h10
-rw-r--r--src/tests/asn.1/make-vectors.c170
-rw-r--r--src/tests/asn.1/otp.asn1109
-rw-r--r--src/tests/asn.1/pkix.asn1654
-rw-r--r--src/tests/asn.1/reference_encode.out7
-rw-r--r--src/tests/asn.1/trval_reference.out130
13 files changed, 1834 insertions, 26 deletions
diff --git a/src/tests/asn.1/Makefile.in b/src/tests/asn.1/Makefile.in
index b2899d5f5..fe24c247d 100644
--- a/src/tests/asn.1/Makefile.in
+++ b/src/tests/asn.1/Makefile.in
@@ -11,6 +11,8 @@ SRCS= $(srcdir)/krb5_encode_test.c $(srcdir)/krb5_decode_test.c \
$(srcdir)/ktest_equal.c $(srcdir)/utility.c \
$(srcdir)/trval.c $(srcdir)/t_trval.c
+ASN1SRCS= $(srcdir)/krb5.asn1 $(srcdir)/pkix.asn1 $(srcdir)/otp.asn1
+
all:: krb5_encode_test krb5_decode_test krb5_decode_leak t_trval
LOCALINCLUDES = -I$(srcdir)/../../lib/krb5/asn.1
@@ -79,6 +81,17 @@ check-encode-trval: krb5_encode_test expected_trval.out
$(RUN_SETUP) $(VALGRIND) ./krb5_encode_test -t > trval.out
cmp trval.out expected_trval.out
+# This target uses asn1c to generate encodings of sample objects, to
+# help ensure that our implementation is correct. asn1c must be in the
+# path for this to work.
+test-vectors:
+ $(RM) -r vectors
+ mkdir vectors
+ cp $(ASN1SRCS) $(srcdir)/make-vectors.c vectors
+ (cd vectors && asn1c *.asn1 && rm converter-sample.c)
+ (cd vectors && $(CC) -I. -w *.c -o make-vectors)
+ (cd vectors && ./make-vectors)
+
install::
clean::
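Review bot: `test-vectors` is a command target with no prerequisites and no phony declaration, so a stray file or directory named `test-vectors` in the build directory would make it look up to date and the recipe would silently not run; if this build's make dialect is used with `.PHONY` elsewhere, add `.PHONY: test-vectors`, otherwise extend the comment above the rule to say it is a command, not a file. The recipe leaves a generated `vectors` directory behind, and `clean::` (whose recipe is outside the hunk) is not shown removing it; if it does not, add `$(RM) -r vectors` there so `make clean` undoes everything `make test-vectors` produced. The `-w` passed to `$(CC)` suppresses all warnings for the asn1c-generated sources, which is reasonable for third-party generated code but deserves a `# -w: asn1c output is noisy` comment so nobody later removes it or, worse, applies it to the hand-written files.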
diff --git a/src/tests/asn.1/krb5.asn1 b/src/tests/asn.1/krb5.asn1
new file mode 100644
index 000000000..f58637a6d
--- /dev/null
+++ b/src/tests/asn.1/krb5.asn1
@@ -0,0 +1,392 @@
+KerberosV5Spec2 {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) krb5spec2(2)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+-- OID arc for KerberosV5
+--
+-- This OID may be used to identify Kerberos protocol messages
+-- encapsulated in other protocols.
+--
+-- This OID also designates the OID arc for KerberosV5-related OIDs.
+--
+-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
+id-krb5 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2)
+}
+
+Int32 ::= INTEGER (-2147483648..2147483647)
+ -- signed values representable in 32 bits
+
+UInt32 ::= INTEGER (0..4294967295)
+ -- unsigned 32 bit values
+
+Microseconds ::= INTEGER (0..999999)
+ -- microseconds
+
+KerberosString ::= GeneralString -- (IA5String)
+
+Realm ::= KerberosString
+
+PrincipalName ::= SEQUENCE {
+ name-type [0] Int32,
+ name-string [1] SEQUENCE OF KerberosString
+}
+
+KerberosTime ::= GeneralizedTime -- with no fractional seconds
+
+HostAddress ::= SEQUENCE {
+ addr-type [0] Int32,
+ address [1] OCTET STRING
+}
+
+-- NOTE: HostAddresses is always used as an OPTIONAL field and
+-- should not be empty.
+HostAddresses -- NOTE: subtly different from rfc1510,
+ -- but has a value mapping and encodes the same
+ ::= SEQUENCE OF HostAddress
+
+-- NOTE: AuthorizationData is always used as an OPTIONAL field and
+-- should not be empty.
+AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+}
+
+PA-DATA ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ padata-type [1] Int32,
+ padata-value [2] OCTET STRING -- might be encoded AP-REQ
+}
+
+KerberosFlags ::= BIT STRING (SIZE (32..MAX))
+ -- minimum number of bits shall be sent,
+ -- but no fewer than 32
+
+EncryptedData ::= SEQUENCE {
+ etype [0] Int32 -- EncryptionType --,
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+ keytype [0] Int32 -- actually encryption type --,
+ keyvalue [1] OCTET STRING
+}
+
+Checksum ::= SEQUENCE {
+ cksumtype [0] Int32,
+ checksum [1] OCTET STRING
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+ tkt-vno [0] INTEGER (5),
+ realm [1] Realm,
+ sname [2] PrincipalName,
+ enc-part [3] EncryptedData -- EncTicketPart
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+ flags [0] TicketFlags,
+ key [1] EncryptionKey,
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ transited [4] TransitedEncoding,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ caddr [9] HostAddresses OPTIONAL,
+ authorization-data [10] AuthorizationData OPTIONAL
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+ tr-type [0] Int32 -- must be registered --,
+ contents [1] OCTET STRING
+}
+
+TicketFlags ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- may-postdate(5),
+ -- postdated(6),
+ -- invalid(7),
+ -- renewable(8),
+ -- initial(9),
+ -- pre-authent(10),
+ -- hw-authent(11),
+-- the following are new since 1510
+ -- transited-policy-checked(12),
+ -- ok-as-delegate(13)
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ pvno [1] INTEGER (5) ,
+ msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
+ padata [3] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ req-body [4] KDC-REQ-BODY
+}
+
+KDC-REQ-BODY ::= SEQUENCE {
+ kdc-options [0] KDCOptions,
+ cname [1] PrincipalName OPTIONAL
+ -- Used only in AS-REQ --,
+ realm [2] Realm
+ -- Server's realm
+ -- Also client's in AS-REQ --,
+ sname [3] PrincipalName OPTIONAL,
+ from [4] KerberosTime OPTIONAL,
+ till [5] KerberosTime,
+ rtime [6] KerberosTime OPTIONAL,
+ nonce [7] UInt32,
+ etype [8] SEQUENCE OF Int32 -- EncryptionType
+ -- in preference order --,
+ addresses [9] HostAddresses OPTIONAL,
+ enc-authorization-data [10] EncryptedData OPTIONAL
+ -- AuthorizationData --,
+ additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
+ -- NOTE: not empty
+}
+
+KDCOptions ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- allow-postdate(5),
+ -- postdated(6),
+ -- unused7(7),
+ -- renewable(8),
+ -- unused9(9),
+ -- unused10(10),
+ -- opt-hardware-auth(11),
+ -- unused12(12),
+ -- unused13(13),
+-- 15 is reserved for canonicalize
+ -- unused15(15),
+-- 26 was unused in 1510
+ -- disable-transited-check(26),
+--
+ -- renewable-ok(27),
+ -- enc-tkt-in-skey(28),
+ -- renew(30),
+ -- validate(31)
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+KDC-REP ::= SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
+ padata [2] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ crealm [3] Realm,
+ cname [4] PrincipalName,
+ ticket [5] Ticket,
+ enc-part [6] EncryptedData
+ -- EncASRepPart or EncTGSRepPart,
+ -- as appropriate
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::= SEQUENCE {
+ key [0] EncryptionKey,
+ last-req [1] LastReq,
+ nonce [2] UInt32,
+ key-expiration [3] KerberosTime OPTIONAL,
+ flags [4] TicketFlags,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ srealm [9] Realm,
+ sname [10] PrincipalName,
+ caddr [11] HostAddresses OPTIONAL
+}
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+ lr-type [0] Int32,
+ lr-value [1] KerberosTime
+}
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (14),
+ ap-options [2] APOptions,
+ ticket [3] Ticket,
+ authenticator [4] EncryptedData -- Authenticator
+}
+
+APOptions ::= KerberosFlags
+ -- reserved(0),
+ -- use-session-key(1),
+ -- mutual-required(2)
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE {
+ authenticator-vno [0] INTEGER (5),
+ crealm [1] Realm,
+ cname [2] PrincipalName,
+ cksum [3] Checksum OPTIONAL,
+ cusec [4] Microseconds,
+ ctime [5] KerberosTime,
+ subkey [6] EncryptionKey OPTIONAL,
+ seq-number [7] UInt32 OPTIONAL,
+ authorization-data [8] AuthorizationData OPTIONAL
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (15),
+ enc-part [2] EncryptedData -- EncAPRepPart
+}
+
+EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+ ctime [0] KerberosTime,
+ cusec [1] Microseconds,
+ subkey [2] EncryptionKey OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (20),
+ safe-body [2] KRB-SAFE-BODY,
+ cksum [3] Checksum
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (21),
+ -- NOTE: there is no [2] tag
+ enc-part [3] EncryptedData -- EncKrbPrivPart
+}
+
+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress -- sender's addr --,
+ r-address [5] HostAddress OPTIONAL -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (22),
+ tickets [2] SEQUENCE OF Ticket,
+ enc-part [3] EncryptedData -- EncKrbCredPart
+}
+
+EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+ ticket-info [0] SEQUENCE OF KrbCredInfo,
+ nonce [1] UInt32 OPTIONAL,
+ timestamp [2] KerberosTime OPTIONAL,
+ usec [3] Microseconds OPTIONAL,
+ s-address [4] HostAddress OPTIONAL,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KrbCredInfo ::= SEQUENCE {
+ key [0] EncryptionKey,
+ prealm [1] Realm OPTIONAL,
+ pname [2] PrincipalName OPTIONAL,
+ flags [3] TicketFlags OPTIONAL,
+ authtime [4] KerberosTime OPTIONAL,
+ starttime [5] KerberosTime OPTIONAL,
+ endtime [6] KerberosTime OPTIONAL,
+ renew-till [7] KerberosTime OPTIONAL,
+ srealm [8] Realm OPTIONAL,
+ sname [9] PrincipalName OPTIONAL,
+ caddr [10] HostAddresses OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (30),
+ ctime [2] KerberosTime OPTIONAL,
+ cusec [3] Microseconds OPTIONAL,
+ stime [4] KerberosTime,
+ susec [5] Microseconds,
+ error-code [6] Int32,
+ crealm [7] Realm OPTIONAL,
+ cname [8] PrincipalName OPTIONAL,
+ realm [9] Realm -- service realm --,
+ sname [10] PrincipalName -- service name --,
+ e-text [11] KerberosString OPTIONAL,
+ e-data [12] OCTET STRING OPTIONAL
+}
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ data-type [0] Int32,
+ data-value [1] OCTET STRING OPTIONAL
+}
+
+-- preauth stuff follows
+
+PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+ patimestamp [0] KerberosTime -- client's time --,
+ pausec [1] Microseconds OPTIONAL
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] KerberosString OPTIONAL,
+ s2kparams [2] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+ ad-checksum [0] Checksum,
+ i-realm [1] Realm OPTIONAL,
+ i-sname [2] PrincipalName OPTIONAL,
+ elements [3] AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+ condition-count [0] Int32,
+ elements [1] AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+END
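Review bot: The module carries no header comment recording where its text comes from or how it is used, so a maintainer cannot tell whether this is the Kerberos V5 ASN.1 module copied verbatim from its RFC appendix (the `-- NOTE:` remarks such as the `dod` OID correction read like that text, but it is only inferable) or whether it has local edits for asn1c. A short comment above `KerberosV5Spec2`, e.g. `-- Kerberos V5 ASN.1 module, used only as asn1c input by "make test-vectors".` followed by a line naming the source document, would make that explicit and tell readers that changing this file does not affect the library's own encoder.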
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 87d3bc458..871997879 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -1030,6 +1030,53 @@ int main(argc, argv)
ktest_destroy_enc_data(&ref);
}
+ /****************************************************************/
+ /* decode_krb5_otp_tokeninfo */
+ {
+ setup(krb5_otp_tokeninfo,ktest_make_minimal_otp_tokeninfo);
+ decode_run("otp_tokeninfo","(optionals NULL)","30 07 80 05 00 00 00 00 00",decode_krb5_otp_tokeninfo,ktest_equal_otp_tokeninfo,k5_free_otp_tokeninfo);
+ ktest_empty_otp_tokeninfo(&ref);
+ }
+ {
+ setup(krb5_otp_tokeninfo,ktest_make_maximal_otp_tokeninfo);
+ decode_run("otp_tokeninfo","","30 72 80 05 00 77 00 00 00 81 0B 45 78 61 6D 70 6C 65 63 6F 72 70 82 05 68 61 72 6B 21 83 01 0A 84 01 02 85 09 79 6F 75 72 74 6F 6B 65 6E 86 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 A7 16 30 0B 06 09 60 86 48 01 65 03 04 02 01 30 07 06 05 2B 0E 03 02 1A 88 02 03 E8",decode_krb5_otp_tokeninfo,ktest_equal_otp_tokeninfo,k5_free_otp_tokeninfo);
+ ktest_empty_otp_tokeninfo(&ref);
+ }
+
+ /****************************************************************/
+ /* decode_krb5_pa_otp_challenge */
+ {
+ setup(krb5_pa_otp_challenge,ktest_make_minimal_pa_otp_challenge);
+ decode_run("pa_otp_challenge","(optionals NULL)","30 15 80 08 6D 69 6E 6E 6F 6E 63 65 A2 09 30 07 80 05 00 00 00 00 00",decode_krb5_pa_otp_challenge,ktest_equal_pa_otp_challenge,k5_free_pa_otp_challenge);
+ ktest_empty_pa_otp_challenge(&ref);
+ }
+ {
+ setup(krb5_pa_otp_challenge,ktest_make_maximal_pa_otp_challenge);
+ decode_run("pa_otp_challenge","","30 81 A5 80 08 6D 61 78 6E 6F 6E 63 65 81 0B 74 65 73 74 73 65 72 76 69 63 65 A2 7D 30 07 80 05 00 00 00 00 00 30 72 80 05 00 77 00 00 00 81 0B 45 78 61 6D 70 6C 65 63 6F 72 70 82 05 68 61 72 6B 21 83 01 0A 84 01 02 85 09 79 6F 75 72 74 6F 6B 65 6E 86 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 A7 16 30 0B 06 09 60 86 48 01 65 03 04 02 01 30 07 06 05 2B 0E 03 02 1A 88 02 03 E8 83 07 6B 65 79 73 61 6C 74 84 04 31 32 33 34",decode_krb5_pa_otp_challenge,ktest_equal_pa_otp_challenge,k5_free_pa_otp_challenge);
+ ktest_empty_pa_otp_challenge(&ref);
+ }
+
+ /****************************************************************/
+ /* decode_krb5_pa_otp_req */
+ {
+ setup(krb5_pa_otp_req,ktest_make_minimal_pa_otp_req);
+ decode_run("pa_otp_req","(optionals NULL)","30 2C 80 05 00 00 00 00 00 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_pa_otp_req,ktest_equal_pa_otp_req,k5_free_pa_otp_req);
+ ktest_empty_pa_otp_req(&ref);
+ }
+ {
+ setup(krb5_pa_otp_req,ktest_make_maximal_pa_otp_req);
+ decode_run("pa_otp_req","","30 81 B9 80 05 00 60 00 00 00 81 05 6E 6F 6E 63 65 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 0B 06 09 60 86 48 01 65 03 04 02 01 84 02 03 E8 85 05 66 72 6F 67 73 86 0A 6D 79 66 69 72 73 74 70 69 6E 87 05 68 61 72 6B 21 88 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 89 03 33 34 36 8A 01 02 8B 09 79 6F 75 72 74 6F 6B 65 6E 8C 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 8D 0B 45 78 61 6D 70 6C 65 63 6F 72 70",decode_krb5_pa_otp_req,ktest_equal_pa_otp_req,k5_free_pa_otp_req);
+ ktest_empty_pa_otp_req(&ref);
+ }
+
+ /****************************************************************/
+ /* decode_krb5_pa_otp_enc_req */
+ {
+ setup(krb5_data,ktest_make_sample_data);
+ decode_run("pa_otp_enc_req","","30 0A 80 08 6B 72 62 35 64 61 74 61",decode_krb5_pa_otp_enc_req,ktest_equal_data,krb5_free_data);
+ ktest_empty_data(&ref);
+ }
+
#ifndef DISABLE_PKINIT
/****************************************************************/
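Review bot: The long hex strings in the new `decode_run` calls have no indication of their provenance, so a reader cannot tell whether they were produced by the asn1c `test-vectors` target this commit adds or transcribed from the library's own encoder output (which would make the test circular); if the former, a one-line comment at the top of the OTP section, `/* OTP encodings below were generated by asn1c ("make test-vectors"). */`, pins that down. All four new cases exercise only well-formed encodings; since PA-OTP-REQUEST is parsed from client-supplied padata, it would be worth adding a malformed case (for example a challenge with an empty `tokeninfo` SEQUENCE, which the type requires to be non-empty) to whatever part of this file checks that decoders reject bad input, if such a section exists. The enclosing `main` begins and ends outside the hunk.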
diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c
index df2d10190..638f6fe71 100644
--- a/src/tests/asn.1/krb5_encode_test.c
+++ b/src/tests/asn.1/krb5_encode_test.c
@@ -690,6 +690,50 @@ main(argc, argv)
encode_krb5_pa_fx_fast_reply);
ktest_destroy_enc_data(&enc_data);
}
+ /****************************************************************/
+ /* encode_krb5_otp_tokeninfo */
+ {
+ krb5_otp_tokeninfo ti;
+ ktest_make_minimal_otp_tokeninfo(&ti);
+ encode_run(ti, "otp_tokeninfo", "(optionals NULL)",
+ encode_krb5_otp_tokeninfo);
+ ktest_empty_otp_tokeninfo(&ti);
+ ktest_make_maximal_otp_tokeninfo(&ti);
+ encode_run(ti, "otp_tokeninfo", "", encode_krb5_otp_tokeninfo);
+ ktest_empty_otp_tokeninfo(&ti);
+ }
+ /****************************************************************/
+ /* encode_krb5_pa_otp_challenge */
+ {
+ krb5_pa_otp_challenge ch;
+ ktest_make_minimal_pa_otp_challenge(&ch);
+ encode_run(ch, "pa_otp_challenge", "(optionals NULL)",
+ encode_krb5_pa_otp_challenge);
+ ktest_empty_pa_otp_challenge(&ch);
+ ktest_make_maximal_pa_otp_challenge(&ch);
+ encode_run(ch, "pa_otp_challenge", "", encode_krb5_pa_otp_challenge);
+ ktest_empty_pa_otp_challenge(&ch);
+ }
+ /****************************************************************/
+ /* encode_krb5_pa_otp_req */
+ {
+ krb5_pa_otp_req req;
+ ktest_make_minimal_pa_otp_req(&req);
+ encode_run(req, "pa_otp_req", "(optionals NULL)",
+ encode_krb5_pa_otp_req);
+ ktest_empty_pa_otp_req(&req);
+ ktest_make_maximal_pa_otp_req(&req);
+ encode_run(req, "pa_otp_req", "", encode_krb5_pa_otp_req);
+ ktest_empty_pa_otp_req(&req);
+ }
+ /****************************************************************/
+ /* encode_krb5_pa_otp_enc_request */
+ {
+ krb5_data d;
+ ktest_make_sample_data(&d);
+ encode_run(d, "pa_otp_enc_req", "", encode_krb5_pa_otp_enc_req);
+ ktest_empty_data(&d);
+ }
#ifndef DISABLE_PKINIT
/****************************************************************/
/* encode_krb5_pa_pk_as_req */
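Review bot: The section comment for the last new block names `encode_krb5_pa_otp_enc_request`, but the function actually called on the `encode_run` line is `encode_krb5_pa_otp_enc_req`, and the other three section comments in this hunk do match their functions; change the comment to `/* encode_krb5_pa_otp_enc_req */` so a grep for the function name finds the test. The enclosing `main` begins and ends outside the hunk.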
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 6de0cb00f..e734aeb73 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -615,6 +615,105 @@ ktest_make_sample_fast_response(krb5_fast_response *p)
p->nonce = SAMPLE_NONCE;
}
+void
+ktest_make_sha256_alg(krb5_algorithm_identifier *p)
+{
+ /* { 2 16 840 1 101 3 4 2 1 } */
+ krb5_data_parse(&p->algorithm, "\x60\x86\x48\x01\x65\x03\x04\x02\x01");
+ p->parameters = empty_data();
+}
+
+void
+ktest_make_sha1_alg(krb5_algorithm_identifier *p)
+{
+ /* { 1 3 14 3 2 26 } */
+ krb5_data_parse(&p->algorithm, "\x2b\x0e\x03\x02\x1a");
+ p->parameters = empty_data();
+}
+
+void
+ktest_make_minimal_otp_tokeninfo(krb5_otp_tokeninfo *p)
+{
+ memset(p, 0, sizeof(*p));
+ p->length = p->format = p->iteration_count = -1;
+}
+
+void
+ktest_make_maximal_otp_tokeninfo(krb5_otp_tokeninfo *p)
+{
+ p->flags = KRB5_OTP_FLAG_NEXTOTP | KRB5_OTP_FLAG_COMBINE |
+ KRB5_OTP_FLAG_COLLECT_PIN | KRB5_OTP_FLAG_ENCRYPT_NONCE |
+ KRB5_OTP_FLAG_SEPARATE_PIN | KRB5_OTP_FLAG_CHECK_DIGIT;
+ krb5_data_parse(&p->vendor, "Examplecorp");
+ krb5_data_parse(&p->challenge, "hark!");
+ p->length = 10;
+ p->format = 2;
+ krb5_data_parse(&p->token_id, "yourtoken");
+ krb5_data_parse(&p->alg_id, "urn:ietf:params:xml:ns:keyprov:pskc:hotp");
+ p->supported_hash_alg = ealloc(3 * sizeof(*p->supported_hash_alg));
+ p->supported_hash_alg[0] = ealloc(sizeof(*p->supported_hash_alg[0]));
+ ktest_make_sha256_alg(p->supported_hash_alg[0]);
+ p->supported_hash_alg[1] = ealloc(sizeof(*p->supported_hash_alg[1]));
+ ktest_make_sha1_alg(p->supported_hash_alg[1]);
+ p->supported_hash_alg[2] = NULL;
+ p->iteration_count = 1000;
+}
+
+void
+ktest_make_minimal_pa_otp_challenge(krb5_pa_otp_challenge *p)
+{
+ memset(p, 0, sizeof(*p));
+ krb5_data_parse(&p->nonce, "minnonce");
+ p->tokeninfo = ealloc(2 * sizeof(*p->tokeninfo));
+ p->tokeninfo[0] = ealloc(sizeof(*p->tokeninfo[0]));
+ ktest_make_minimal_otp_tokeninfo(p->tokeninfo[0]);
+ p->tokeninfo[1] = NULL;
+}
+
+void
+ktest_make_maximal_pa_otp_challenge(krb5_pa_otp_challenge *p)
+{
+ krb5_data_parse(&p->nonce, "maxnonce");
+ krb5_data_parse(&p->service, "testservice");
+ p->tokeninfo = ealloc(3 * sizeof(*p->tokeninfo));
+ p->tokeninfo[0] = ealloc(sizeof(*p->tokeninfo[0]));
+ ktest_make_minimal_otp_tokeninfo(p->tokeninfo[0]);
+ p->tokeninfo[1] = ealloc(sizeof(*p->tokeninfo[1]));
+ ktest_make_maximal_otp_tokeninfo(p->tokeninfo[1]);
+ p->tokeninfo[2] = NULL;
+ krb5_data_parse(&p->salt, "keysalt");
+ krb5_data_parse(&p->s2kparams, "1234");
+}
+
+void
+ktest_make_minimal_pa_otp_req(krb5_pa_otp_req *p)
+{
+ memset(p, 0, sizeof(*p));
+ p->iteration_count = -1;
+ p->format = -1;
+ ktest_make_sample_enc_data(&p->enc_data);
+}
+
+void
+ktest_make_maximal_pa_otp_req(krb5_pa_otp_req *p)
+{
+ p->flags = KRB5_OTP_FLAG_NEXTOTP | KRB5_OTP_FLAG_COMBINE;
+ krb5_data_parse(&p->nonce, "nonce");
+ ktest_make_sample_enc_data(&p->enc_data);
+ p->hash_alg = ealloc(sizeof(*p->hash_alg));
+ ktest_make_sha256_alg(p->hash_alg);
+ p->iteration_count = 1000;
+ krb5_data_parse(&p->otp_value, "frogs");
+ krb5_data_parse(&p->pin, "myfirstpin");
+ krb5_data_parse(&p->challenge, "hark!");
+ p->time = SAMPLE_TIME;
+ krb5_data_parse(&p->counter, "346");
+ p->format = 2;
+ krb5_data_parse(&p->token_id, "yourtoken");
+ krb5_data_parse(&p->alg_id, "urn:ietf:params:xml:ns:keyprov:pskc:hotp");
+ krb5_data_parse(&p->vendor, "Examplecorp");
+}
+
#ifndef DISABLE_PKINIT
static void
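Review bot: `ktest_make_maximal_otp_tokeninfo`, `ktest_make_maximal_pa_otp_challenge` and `ktest_make_maximal_pa_otp_req` assign into `*p` without clearing it first, unlike the three `minimal` constructors that begin with `memset(p, 0, sizeof(*p));`. Today they happen to assign every member the `ktest_equal_*` functions compare, but a member added to one of these structs later would be left uninitialized in the maximal sample (callers appear to pass stack or freshly emptied objects), and the equality checks would then compare garbage. Adding `memset(p, 0, sizeof(*p));` as the first statement of each maximal constructor keeps them self-contained and consistent with the minimal ones. The hunk ends on the `static void` line of a function that lies outside it.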
@@ -1396,6 +1495,71 @@ ktest_empty_fast_response(krb5_fast_response *p)
}
}
+static void
+ktest_empty_algorithm_identifier(krb5_algorithm_identifier *p)
+{
+ ktest_empty_data(&p->algorithm);
+ ktest_empty_data(&p->parameters);
+}
+
+void
+ktest_empty_otp_tokeninfo(krb5_otp_tokeninfo *p)
+{
+ krb5_algorithm_identifier **alg;
+
+ p->flags = 0;
+ krb5_free_data_contents(NULL, &p->vendor);
+ krb5_free_data_contents(NULL, &p->challenge);
+ krb5_free_data_contents(NULL, &p->token_id);
+ krb5_free_data_contents(NULL, &p->alg_id);
+ for (alg = p->supported_hash_alg; alg != NULL && *alg != NULL; alg++) {
+ ktest_empty_algorithm_identifier(*alg);
+ free(*alg);
+ }
+ free(p->supported_hash_alg);
+ p->supported_hash_alg = NULL;
+ p->length = p->format = p->iteration_count = -1;
+}
+
+void
+ktest_empty_pa_otp_challenge(krb5_pa_otp_challenge *p)
+{
+ krb5_otp_tokeninfo **ti;
+
+ krb5_free_data_contents(NULL, &p->nonce);
+ krb5_free_data_contents(NULL, &p->service);
+ for (ti = p->tokeninfo; *ti != NULL; ti++) {
+ ktest_empty_otp_tokeninfo(*ti);
+ free(*ti);
+ }
+ free(p->tokeninfo);
+ p->tokeninfo = NULL;
+ krb5_free_data_contents(NULL, &p->salt);
+ krb5_free_data_contents(NULL, &p->s2kparams);
+}
+
+void
+ktest_empty_pa_otp_req(krb5_pa_otp_req *p)
+{
+ p->flags = 0;
+ krb5_free_data_contents(NULL, &p->nonce);
+ ktest_destroy_enc_data(&p->enc_data);
+ if (p->hash_alg != NULL)
+ ktest_empty_algorithm_identifier(p->hash_alg);
+ free(p->hash_alg);
+ p->hash_alg = NULL;
+ p->iteration_count = -1;
+ krb5_free_data_contents(NULL, &p->otp_value);
+ krb5_free_data_contents(NULL, &p->pin);
+ krb5_free_data_contents(NULL, &p->challenge);
+ p->time = 0;
+ krb5_free_data_contents(NULL, &p->counter);
+ p->format = -1;
+ krb5_free_data_contents(NULL, &p->token_id);
+ krb5_free_data_contents(NULL, &p->alg_id);
+ krb5_free_data_contents(NULL, &p->vendor);
+}
+
#ifndef DISABLE_PKINIT
static void
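Review bot: `ktest_empty_pa_otp_challenge` dereferences `p->tokeninfo` in its loop header with no NULL test, whereas `ktest_empty_otp_tokeninfo` just above guards `alg != NULL` before reading `*alg`; because this function itself sets `p->tokeninfo = NULL` before returning, a second call on the same object, or a call on a challenge whose decode failed before `tokeninfo` was populated, would dereference NULL. Use the same guard as the tokeninfo routine: `for (ti = p->tokeninfo; ti != NULL && *ti != NULL; ti++) {`. The hunk ends on the `static void` line of a function that lies outside it.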
@@ -1412,13 +1576,6 @@ ktest_empty_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p)
}
static void
-ktest_empty_algorithm_identifier(krb5_algorithm_identifier *p)
-{
- ktest_empty_data(&p->algorithm);
- ktest_empty_data(&p->parameters);
-}
-
-static void
ktest_empty_subject_pk_info(krb5_subject_pk_info *p)
{
ktest_empty_algorithm_identifier(&p->algorithm);
diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h
index 8b81131db..67a6c6922 100644
--- a/src/tests/asn.1/ktest.h
+++ b/src/tests/asn.1/ktest.h
@@ -89,6 +89,14 @@ void ktest_make_sample_ad_signedpath(krb5_ad_signedpath *p);
void ktest_make_sample_iakerb_header(krb5_iakerb_header *p);
void ktest_make_sample_iakerb_finished(krb5_iakerb_finished *p);
void ktest_make_sample_fast_response(krb5_fast_response *p);
+void ktest_make_sha256_alg(krb5_algorithm_identifier *p);
+void ktest_make_sha1_alg(krb5_algorithm_identifier *p);
+void ktest_make_minimal_otp_tokeninfo(krb5_otp_tokeninfo *p);
+void ktest_make_maximal_otp_tokeninfo(krb5_otp_tokeninfo *p);
+void ktest_make_minimal_pa_otp_challenge(krb5_pa_otp_challenge *p);
+void ktest_make_maximal_pa_otp_challenge(krb5_pa_otp_challenge *p);
+void ktest_make_minimal_pa_otp_req(krb5_pa_otp_req *p);
+void ktest_make_maximal_pa_otp_req(krb5_pa_otp_req *p);
#ifndef DISABLE_PKINIT
void ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p);
@@ -170,6 +178,9 @@ void ktest_empty_ad_signedpath(krb5_ad_signedpath *p);
void ktest_empty_iakerb_header(krb5_iakerb_header *p);
void ktest_empty_iakerb_finished(krb5_iakerb_finished *p);
void ktest_empty_fast_response(krb5_fast_response *p);
+void ktest_empty_otp_tokeninfo(krb5_otp_tokeninfo *p);
+void ktest_empty_pa_otp_challenge(krb5_pa_otp_challenge *p);
+void ktest_empty_pa_otp_req(krb5_pa_otp_req *p);
#ifndef DISABLE_PKINIT
void ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p);
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index 6953708ca..4e7124269 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
@@ -613,6 +613,75 @@ ktest_equal_fast_response(krb5_fast_response *ref, krb5_fast_response *var)
return p;
}
+static int
+ktest_equal_algorithm_identifier(krb5_algorithm_identifier *ref,
+ krb5_algorithm_identifier *var)
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && equal_str(algorithm);
+ p = p && equal_str(parameters);
+ return p;
+}
+
+int
+ktest_equal_otp_tokeninfo(krb5_otp_tokeninfo *ref, krb5_otp_tokeninfo *var)
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && scalar_equal(flags);
+ p = p && equal_str(vendor);
+ p = p && equal_str(challenge);
+ p = p && scalar_equal(length);
+ p = p && scalar_equal(format);
+ p = p && equal_str(token_id);
+ p = p && equal_str(alg_id);
+ p = p && ptr_equal(supported_hash_alg,
+ ktest_equal_sequence_of_algorithm_identifier);
+ p = p && scalar_equal(iteration_count);
+ return p;
+}
+
+int
+ktest_equal_pa_otp_challenge(krb5_pa_otp_challenge *ref,
+ krb5_pa_otp_challenge *var)
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && equal_str(nonce);
+ p = p && equal_str(service);
+ p = p && ptr_equal(tokeninfo, ktest_equal_sequence_of_otp_tokeninfo);
+ p = p && equal_str(salt);
+ p = p && equal_str(s2kparams);
+ return p;
+}
+
+int
+ktest_equal_pa_otp_req(krb5_pa_otp_req *ref, krb5_pa_otp_req *var)
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && scalar_equal(flags);
+ p = p && equal_str(nonce);
+ p = p && struct_equal(enc_data, ktest_equal_enc_data);
+ p = p && ptr_equal(hash_alg, ktest_equal_algorithm_identifier);
+ p = p && scalar_equal(iteration_count);
+ p = p && equal_str(otp_value);
+ p = p && equal_str(pin);
+ p = p && equal_str(challenge);
+ p = p && scalar_equal(time);
+ p = p && equal_str(counter);
+ p = p && scalar_equal(format);
+ p = p && equal_str(token_id);
+ p = p && equal_str(alg_id);
+ p = p && equal_str(vendor);
+ return p;
+}
+
#ifdef ENABLE_LDAP
static int
equal_key_data(krb5_key_data *ref, krb5_key_data *var)
@@ -770,6 +839,20 @@ ktest_equal_sequence_of_checksum(krb5_checksum **ref, krb5_checksum **var)
array_compare(ktest_equal_checksum);
}
+int
+ktest_equal_sequence_of_algorithm_identifier(krb5_algorithm_identifier **ref,
+ krb5_algorithm_identifier **var)
+{
+ array_compare(ktest_equal_algorithm_identifier);
+}
+
+int
+ktest_equal_sequence_of_otp_tokeninfo(krb5_otp_tokeninfo **ref,
+ krb5_otp_tokeninfo **var)
+{
+ array_compare(ktest_equal_otp_tokeninfo);
+}
+
#ifndef DISABLE_PKINIT
static int
@@ -801,25 +884,6 @@ ktest_equal_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *ref,
}
static int
-ktest_equal_algorithm_identifier(krb5_algorithm_identifier *ref,
- krb5_algorithm_identifier *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && equal_str(algorithm);
- p = p && equal_str(parameters);
- return p;
-}
-
-static int
-ktest_equal_sequence_of_algorithm_identifier(krb5_algorithm_identifier **ref,
- krb5_algorithm_identifier **var)
-{
- array_compare(ktest_equal_algorithm_identifier);
-}
-
-static int
ktest_equal_subject_pk_info(krb5_subject_pk_info *ref,
krb5_subject_pk_info *var)
{
diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h
index ab31e2970..e75f86ab7 100644
--- a/src/tests/asn.1/ktest_equal.h
+++ b/src/tests/asn.1/ktest_equal.h
@@ -92,6 +92,11 @@ int ktest_equal_sequence_of_cred_info(krb5_cred_info **ref,
int ktest_equal_sequence_of_principal(krb5_principal *ref,
krb5_principal *var);
int ktest_equal_sequence_of_checksum(krb5_checksum **ref, krb5_checksum **var);
+int
+ktest_equal_sequence_of_algorithm_identifier(krb5_algorithm_identifier **ref,
+ krb5_algorithm_identifier **var);
+int ktest_equal_sequence_of_otp_tokeninfo(krb5_otp_tokeninfo **ref,
+ krb5_otp_tokeninfo **var);
len_array(ktest_equal_array_of_enctype,krb5_enctype);
len_array(ktest_equal_array_of_data,krb5_data);
@@ -120,6 +125,11 @@ int ktest_equal_iakerb_finished(krb5_iakerb_finished *ref,
krb5_iakerb_finished *var);
int ktest_equal_fast_response(krb5_fast_response *ref,
krb5_fast_response *var);
+int ktest_equal_otp_tokeninfo(krb5_otp_tokeninfo *ref,
+ krb5_otp_tokeninfo *var);
+int ktest_equal_pa_otp_challenge(krb5_pa_otp_challenge *ref,
+ krb5_pa_otp_challenge *var);
+int ktest_equal_pa_otp_req(krb5_pa_otp_req *ref, krb5_pa_otp_req *var);
int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
ldap_seqof_key_data *var);
diff --git a/src/tests/asn.1/make-vectors.c b/src/tests/asn.1/make-vectors.c
new file mode 100644
index 000000000..fd7bd4824
--- /dev/null
+++ b/src/tests/asn.1/make-vectors.c
@@ -0,0 +1,170 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/asn.1/make-vectors.c - Generate ASN.1 test vectors using asn1c */
+/*
+ * Copyright (C) 2011 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * This program generates test vectors using asn1c, to be included in other
+ * test programs which exercise the krb5 ASN.1 encoder and decoder functions.
+ * It is intended to be used via "make test-vectors". Currently, test vectors
+ * are only generated for OTP preauth objects.
+ */
+
+#include <OTP-TOKENINFO.h>
+#include <PA-OTP-CHALLENGE.h>
+#include <PA-OTP-REQUEST.h>
+#include <PA-OTP-ENC-REQUEST.h>
+
+static unsigned char buf[8192];
+static size_t buf_pos;
+
+/* Minimal OTP-TOKENINFO */
+static OTP_TOKENINFO_t token_info_1 = { { "\0\0\0\0", 4, 0 } };
+
+/* Maximal OTP-TOKENINFO */
+static UTF8String_t vendor = { "Examplecorp", 11 };
+static OCTET_STRING_t challenge = { "hark!", 5 };
+static Int32_t otp_length = 10;
+static OTPFormat_t otp_format; /* Initialized to 2 in main(). */
+static OCTET_STRING_t token_id = { "yourtoken", 9 };
+static AnyURI_t otp_alg = { "urn:ietf:params:xml:ns:keyprov:pskc:hotp", 40 };
+static unsigned int sha256_arcs[] = { 2, 16, 840, 1, 101, 3, 4, 2, 1 };
+static unsigned int sha1_arcs[] = { 1, 3, 14, 3, 2, 26 };
+static AlgorithmIdentifier_t alg_sha256, alg_sha1; /* Initialized in main(). */
+static AlgorithmIdentifier_t *algs[] = { &alg_sha256, &alg_sha1 };
+static struct supportedHashAlg hash_algs = { algs, 2, 2 };
+static Int32_t iter_count = 1000;
+/* Flags are nextOTP | combine | collect-pin | must-encrypt-nonce |
+ * separate-pin-required | check-digit */
+static OTP_TOKENINFO_t token_info_2 = { { "\x77\0\0\0", 4, 0 }, &vendor,
+ &challenge, &otp_length, &otp_format,
+ &token_id, &otp_alg, &hash_algs,
+ &iter_count };
+
+/* Minimal PA-OTP-CHALLENGE */
+static OTP_TOKENINFO_t *tinfo_1[] = { &token_info_1 };
+static PA_OTP_CHALLENGE_t challenge_1 = { { "minnonce", 8 }, NULL,
+ { { tinfo_1, 1, 1 } } };
+
+/* Maximal PA-OTP-CHALLENGE */
+static OTP_TOKENINFO_t *tinfo_2[] = { &token_info_1, &token_info_2 };
+static UTF8String_t service = { "testservice", 11 };
+static KerberosString_t salt = { "keysalt", 7 };
+static OCTET_STRING_t s2kparams = { "1234", 4 };
+static PA_OTP_CHALLENGE_t challenge_2 = { { "maxnonce", 8 }, &service,
+ { { tinfo_2, 2, 2 } }, &salt,
+ &s2kparams };
+
+/* Minimal PA-OTP-REQUEST */
+static UInt32_t kvno; /* Initialized to 5 in main(). */
+static PA_OTP_REQUEST_t request_1 = { { "\0\0\0\0", 4, 0 }, NULL,
+ { 0, &kvno,
+ { "krbASN.1 test message", 21 } } };
+
+/* Maximal PA-OTP-REQUEST */
+/* Flags are nextOTP | combine */
+static OCTET_STRING_t nonce = { "nonce", 5 };
+static OCTET_STRING_t otp_value = { "frogs", 5 };
+static UTF8String_t otp_pin = { "myfirstpin", 10 };
+/* Corresponds to Unix time 771228197 */
+static KerberosTime_t otp_time = { "19940610060317Z", 15 };
+static OCTET_STRING_t counter = { "346", 3 };
+static PA_OTP_REQUEST_t request_2 = { { "\x60\0\0\0", 4, 0 }, &nonce,
+ { 0, &kvno,
+ { "krbASN.1 test message", 21 } },
+ &alg_sha256, &iter_count, &otp_value,
+ &otp_pin, &challenge, &otp_time,
+ &counter, &otp_format, &token_id,
+ &otp_alg, &vendor };
+
+/* PA-OTP-ENC-REQUEST */
+static PA_OTP_ENC_REQUEST_t enc_request = { { "krb5data", 8 } };
+
+static int
+consume(const void *data, size_t size, void *dummy)
+{
+ memcpy(buf + buf_pos, data, size);
+ buf_pos += size;
+ return 0;
+}
+
+/* Display a C string literal representing the contents of buf, and
+ * reinitialize buf_pos for the next encoding operation. */
+static void
+printbuf(void)
+{
+ size_t i;
+
+ for (i = 0; i < buf_pos; i++) {
+ printf("%02X", buf[i]);
+ if (i + 1 < buf_pos)
+ printf(" ");
+ }
+ buf_pos = 0;
+}
+
+int
+main()
+{
+ /* Initialize values which can't use static initializers. */
+ asn_long2INTEGER(&otp_format, 2); /* Alphanumeric */
+ asn_long2INTEGER(&kvno, 5);
+ OBJECT_IDENTIFIER_set_arcs(&alg_sha256.algorithm, sha256_arcs,
+ sizeof(*sha256_arcs),
+ sizeof(sha256_arcs) / sizeof(*sha256_arcs));
+ OBJECT_IDENTIFIER_set_arcs(&alg_sha1.algorithm, sha1_arcs,
+ sizeof(*sha1_arcs),
+ sizeof(sha1_arcs) / sizeof(*sha1_arcs));
+
+ printf("Minimal OTP-TOKEN-INFO:\n");
+ der_encode(&asn_DEF_OTP_TOKENINFO, &token_info_1, consume, NULL);
+ printbuf();
+
+ printf("\nMaximal OTP-TOKEN-INFO:\n");
+ der_encode(&asn_DEF_OTP_TOKENINFO, &token_info_2, consume, NULL);
+ printbuf();
+
+ printf("\nMinimal PA-OTP-CHALLENGE:\n");
+ der_encode(&asn_DEF_PA_OTP_CHALLENGE, &challenge_1, consume, NULL);
+ printbuf();
+
+ printf("\nMaximal PA-OTP-CHALLENGE:\n");
+ der_encode(&asn_DEF_PA_OTP_CHALLENGE, &challenge_2, consume, NULL);
+ printbuf();
+
+ printf("\nMinimal PA-OTP-REQUEST:\n");
+ der_encode(&asn_DEF_PA_OTP_REQUEST, &request_1, consume, NULL);
+ printbuf();
+
+ printf("\nMaximal PA-OTP-REQUEST:\n");
+ der_encode(&asn_DEF_PA_OTP_REQUEST, &request_2, consume, NULL);
+ printbuf();
+
+ printf("\nPA-OTP-ENC-REQUEST:\n");
+ der_encode(&asn_DEF_PA_OTP_ENC_REQUEST, &enc_request, consume, NULL);
+ printbuf();
+
+ printf("\n");
+ return 0;
+}
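Review bot: consume() near the top of the hunk copies into the fixed 8192-byte buf with no check against sizeof(buf), so a sample object whose DER encoding outgrows the buffer would overrun a static array instead of failing, and every der_encode() call in main() discards its asn_enc_rval_t, so an encoder error would still print whatever partial bytes reached buf as though they were a reference vector. A guard of `if (size > sizeof(buf) - buf_pos) return -1;` in consume() (a negative return is how an asn1c consume callback reports failure) plus a small helper that checks `rval.encoded < 0` and exits non-zero closes both gaps; the fence below sketches it, and main() then reduces to one `encode_and_print("Minimal OTP-TOKEN-INFO", &asn_DEF_OTP_TOKENINFO, &token_info_1);` line per object with identical output. The file also never includes <stdio.h>, <string.h> or <stdlib.h> itself, apparently relying on the asn1c headers to pull in printf/memcpy; adding them explicitly would make the program independent of that detail. `int main()` should be `int main(void)`, matching the rest of the krb5 tree.
```c
static int
consume(const void *data, size_t size, void *dummy)
{
    /* Never write past the end of buf; a negative return makes der_encode()
     * report failure instead of silently overrunning the static buffer. */
    if (size > sizeof(buf) - buf_pos)
        return -1;
    memcpy(buf + buf_pos, data, size);
    buf_pos += size;
    return 0;
}

/* … unchanged: printbuf … */

/* Encode obj (described by td) into buf and display it.  Any encoder failure
 * is fatal so that a truncated or empty vector can never be pasted into the
 * reference output as if it were a valid encoding. */
static void
encode_and_print(const char *label, asn_TYPE_descriptor_t *td, void *obj)
{
    asn_enc_rval_t rval;

    printf("%s:\n", label);
    rval = der_encode(td, obj, consume, NULL);
    if (rval.encoded < 0) {
        fprintf(stderr, "der_encode failed on %s\n", label);
        exit(1);
    }
    printbuf();
    printf("\n");
}
```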
diff --git a/src/tests/asn.1/otp.asn1 b/src/tests/asn.1/otp.asn1
new file mode 100644
index 000000000..2e3243222
--- /dev/null
+++ b/src/tests/asn.1/otp.asn1
@@ -0,0 +1,109 @@
+ OTPKerberos
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+
+ IMPORTS
+
+ KerberosTime, KerberosFlags, EncryptionKey, Int32,
+ EncryptedData, LastReq, KerberosString
+ FROM KerberosV5Spec2 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5)
+ kerberosV5(2) modules(4) krb5spec2(2)}
+ -- as defined in RFC 4120.
+ AlgorithmIdentifier
+ FROM PKIX1Explicit88 { iso (1) identified-organization (3)
+ dod (6) internet (1)
+ security (5) mechanisms (5) pkix (7)
+ id-mod (0) id-pkix1-explicit (18) };
+ -- As defined in RFC 5280.
+
+ PA-OTP-CHALLENGE ::= SEQUENCE {
+ nonce [0] OCTET STRING,
+ otp-service [1] UTF8String OPTIONAL,
+ otp-tokenInfo [2] SEQUENCE (SIZE(1..MAX)) OF
+ OTP-TOKENINFO,
+ salt [3] KerberosString OPTIONAL,
+ s2kparams [4] OCTET STRING OPTIONAL,
+ ...
+ }
+
+ OTP-TOKENINFO ::= SEQUENCE {
+ flags [0] OTPFlags,
+ otp-vendor [1] UTF8String OPTIONAL,
+ otp-challenge [2] OCTET STRING (SIZE(1..MAX))
+ OPTIONAL,
+ otp-length [3] Int32 OPTIONAL,
+ otp-format [4] OTPFormat OPTIONAL,
+ otp-tokenID [5] OCTET STRING OPTIONAL,
+ otp-algID [6] AnyURI OPTIONAL,
+ supportedHashAlg [7] SEQUENCE OF AlgorithmIdentifier
+ OPTIONAL,
+ iterationCount [8] Int32 OPTIONAL,
+ ...
+ }
+
+ OTPFormat ::= INTEGER {
+ decimal(0),
+ hexadecimal(1),
+ alphanumeric(2),
+ binary(3),
+ base64(4)
+ }
+
+ OTPFlags ::= KerberosFlags
+ -- reserved(0),
+ -- nextOTP(1),
+ -- combine(2),
+ -- collect-pin(3),
+ -- do-not-collect-pin(4),
+ -- must-encrypt-nonce (5),
+ -- separate-pin-required (6),
+ -- check-digit (7)
+
+ PA-OTP-REQUEST ::= SEQUENCE {
+ flags [0] OTPFlags,
+ nonce [1] OCTET STRING OPTIONAL,
+ encData [2] EncryptedData,
+ -- PA-OTP-ENC-REQUEST or PA-ENC-TS-ENC
+ -- Key usage of KEY_USAGE_OTP_REQUEST
+ hashAlg [3] AlgorithmIdentifier OPTIONAL,
+ iterationCount [4] Int32 OPTIONAL,
+ otp-value [5] OCTET STRING OPTIONAL,
+ otp-pin [6] UTF8String OPTIONAL,
+ otp-challenge [7] OCTET STRING (SIZE(1..MAX)) OPTIONAL,
+ otp-time [8] KerberosTime OPTIONAL,
+ otp-counter [9] OCTET STRING OPTIONAL,
+ otp-format [10] OTPFormat OPTIONAL,
+ otp-tokenID [11] OCTET STRING OPTIONAL,
+ otp-algID [12] AnyURI OPTIONAL,
+ otp-vendor [13] UTF8String OPTIONAL,
+ ...
+ }
+
+ PA-OTP-ENC-REQUEST ::= SEQUENCE {
+ nonce [0] OCTET STRING,
+ ...
+ }
+
+
+ PA-OTP-PIN-CHANGE ::= SEQUENCE {
+ flags [0] PinFlags,
+ pin [1] UTF8String OPTIONAL,
+ minLength [2] INTEGER OPTIONAL,
+ maxLength [3] INTEGER OPTIONAL,
+ last-req [4] LastReq OPTIONAL,
+ format [5] OTPFormat OPTIONAL,
+ ...
+ }
+
+ PinFlags ::= KerberosFlags
+ -- reserved(0),
+ -- systemSetPin(1),
+ -- mandatory(2)
+
+ AnyURI ::= UTF8String
+ (CONSTRAINED BY {
+ -- MUST be a valid URI in accordance with IETF RFC 2396
+ })
+
+ END
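Review bot: The module carries no comment stating where it comes from or how the tree uses it: the commit message identifies it as the RFC 6560 module and make-vectors.c says it is consumed by asn1c under "make test-vectors", but a reader of this file alone cannot tell whether definitions may be edited locally or must track the RFC. That matters for PA-OTP-PIN-CHANGE, PinFlags and the AnyURI CONSTRAINED BY clause, none of which make-vectors.c includes a header for, so they are present only for fidelity to the RFC. A header line such as `-- OTP preauth ASN.1 module taken from RFC 6560; used only as asn1c input for make-vectors.c ("make test-vectors").` would record that. pkix.asn1 in the same commit marks its local deviations with "(Commented out for krb5 source tree)", so a provenance note here keeps the two schema files consistent.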
diff --git a/src/tests/asn.1/pkix.asn1 b/src/tests/asn.1/pkix.asn1
new file mode 100644
index 000000000..039818833
--- /dev/null
+++ b/src/tests/asn.1/pkix.asn1
@@ -0,0 +1,654 @@
+PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
+
+DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL --
+
+-- IMPORTS NONE --
+
+-- UNIVERSAL Types defined in 1993 and 1998 ASN.1
+-- and required by this specification
+-- (Commented out for krb5 source tree)
+
+-- UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
+ -- UniversalString is defined in ASN.1:1993
+
+-- BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
+ -- BMPString is the subtype of UniversalString and models
+ -- the Basic Multilingual Plane of ISO/IEC 10646
+
+--UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+ -- The content of this type conforms to RFC 3629.
+
+-- PKIX specific OIDs
+
+id-pkix OBJECT IDENTIFIER ::=
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) }
+
+-- PKIX arcs
+
+id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
+ -- arc for private certificate extensions
+id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+ -- arc for policy qualifier types
+id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+ -- arc for extended key purpose OIDS
+id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+ -- arc for access descriptors
+
+-- policyQualifierIds for Internet policy qualifiers
+
+id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
+ -- OID for CPS qualifier
+id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
+ -- OID for user notice qualifier
+
+-- access descriptor definitions
+
+id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
+id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 }
+id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }
+
+-- attribute data types
+
+Attribute ::= SEQUENCE {
+ type AttributeType,
+ values SET OF AttributeValue }
+ -- at least one value is required
+
+AttributeType ::= OBJECT IDENTIFIER
+
+AttributeValue ::= ANY -- DEFINED BY AttributeType
+
+AttributeTypeAndValue ::= SEQUENCE {
+ type AttributeType,
+ value AttributeValue }
+
+-- suggested naming attributes: Definition of the following
+-- information object set may be augmented to meet local
+-- requirements. Note that deleting members of the set may
+-- prevent interoperability with conforming implementations.
+-- presented in pairs: the AttributeType followed by the
+-- type definition for the corresponding AttributeValue
+
+-- Arc for standard naming attributes
+
+id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+
+-- Naming attributes of type X520name
+
+id-at-name AttributeType ::= { id-at 41 }
+id-at-surname AttributeType ::= { id-at 4 }
+id-at-givenName AttributeType ::= { id-at 42 }
+id-at-initials AttributeType ::= { id-at 43 }
+id-at-generationQualifier AttributeType ::= { id-at 44 }
+
+-- Naming attributes of type X520Name:
+-- X520name ::= DirectoryString (SIZE (1..ub-name))
+--
+-- Expanded to avoid parameterized type:
+X520name ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-name)),
+ printableString PrintableString (SIZE (1..ub-name)),
+ universalString UniversalString (SIZE (1..ub-name)),
+ utf8String UTF8String (SIZE (1..ub-name)),
+ bmpString BMPString (SIZE (1..ub-name)) }
+
+-- Naming attributes of type X520CommonName
+
+id-at-commonName AttributeType ::= { id-at 3 }
+
+-- Naming attributes of type X520CommonName:
+-- X520CommonName ::= DirectoryName (SIZE (1..ub-common-name))
+--
+-- Expanded to avoid parameterized type:
+X520CommonName ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-common-name)),
+ printableString PrintableString (SIZE (1..ub-common-name)),
+ universalString UniversalString (SIZE (1..ub-common-name)),
+ utf8String UTF8String (SIZE (1..ub-common-name)),
+ bmpString BMPString (SIZE (1..ub-common-name)) }
+
+-- Naming attributes of type X520LocalityName
+
+id-at-localityName AttributeType ::= { id-at 7 }
+
+-- Naming attributes of type X520LocalityName:
+-- X520LocalityName ::= DirectoryName (SIZE (1..ub-locality-name))
+--
+-- Expanded to avoid parameterized type:
+X520LocalityName ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-locality-name)),
+ printableString PrintableString (SIZE (1..ub-locality-name)),
+ universalString UniversalString (SIZE (1..ub-locality-name)),
+ utf8String UTF8String (SIZE (1..ub-locality-name)),
+ bmpString BMPString (SIZE (1..ub-locality-name)) }
+
+-- Naming attributes of type X520StateOrProvinceName
+
+id-at-stateOrProvinceName AttributeType ::= { id-at 8 }
+
+-- Naming attributes of type X520StateOrProvinceName:
+-- X520StateOrProvinceName ::= DirectoryName (SIZE (1..ub-state-name))
+--
+-- Expanded to avoid parameterized type:
+X520StateOrProvinceName ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-state-name)),
+ printableString PrintableString (SIZE (1..ub-state-name)),
+ universalString UniversalString (SIZE (1..ub-state-name)),
+ utf8String UTF8String (SIZE (1..ub-state-name)),
+ bmpString BMPString (SIZE (1..ub-state-name)) }
+
+-- Naming attributes of type X520OrganizationName
+
+id-at-organizationName AttributeType ::= { id-at 10 }
+
+-- Naming attributes of type X520OrganizationName:
+-- X520OrganizationName ::=
+-- DirectoryName (SIZE (1..ub-organization-name))
+--
+-- Expanded to avoid parameterized type:
+X520OrganizationName ::= CHOICE {
+ teletexString TeletexString
+ (SIZE (1..ub-organization-name)),
+ printableString PrintableString
+ (SIZE (1..ub-organization-name)),
+ universalString UniversalString
+ (SIZE (1..ub-organization-name)),
+ utf8String UTF8String
+ (SIZE (1..ub-organization-name)),
+ bmpString BMPString
+ (SIZE (1..ub-organization-name)) }
+
+-- Naming attributes of type X520OrganizationalUnitName
+
+id-at-organizationalUnitName AttributeType ::= { id-at 11 }
+
+-- Naming attributes of type X520OrganizationalUnitName:
+-- X520OrganizationalUnitName ::=
+-- DirectoryName (SIZE (1..ub-organizational-unit-name))
+--
+-- Expanded to avoid parameterized type:
+X520OrganizationalUnitName ::= CHOICE {
+ teletexString TeletexString
+ (SIZE (1..ub-organizational-unit-name)),
+ printableString PrintableString
+ (SIZE (1..ub-organizational-unit-name)),
+ universalString UniversalString
+ (SIZE (1..ub-organizational-unit-name)),
+ utf8String UTF8String
+ (SIZE (1..ub-organizational-unit-name)),
+ bmpString BMPString
+ (SIZE (1..ub-organizational-unit-name)) }
+
+-- Naming attributes of type X520Title
+
+id-at-title AttributeType ::= { id-at 12 }
+
+-- Naming attributes of type X520Title:
+-- X520Title ::= DirectoryName (SIZE (1..ub-title))
+--
+-- Expanded to avoid parameterized type:
+X520Title ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-title)),
+ printableString PrintableString (SIZE (1..ub-title)),
+ universalString UniversalString (SIZE (1..ub-title)),
+ utf8String UTF8String (SIZE (1..ub-title)),
+ bmpString BMPString (SIZE (1..ub-title)) }
+
+-- Naming attributes of type X520dnQualifier
+
+id-at-dnQualifier AttributeType ::= { id-at 46 }
+
+X520dnQualifier ::= PrintableString
+
+-- Naming attributes of type X520countryName (digraph from IS 3166)
+
+id-at-countryName AttributeType ::= { id-at 6 }
+
+X520countryName ::= PrintableString (SIZE (2))
+
+-- Naming attributes of type X520SerialNumber
+
+id-at-serialNumber AttributeType ::= { id-at 5 }
+
+X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number))
+
+-- Naming attributes of type X520Pseudonym
+
+id-at-pseudonym AttributeType ::= { id-at 65 }
+
+-- Naming attributes of type X520Pseudonym:
+-- X520Pseudonym ::= DirectoryName (SIZE (1..ub-pseudonym))
+--
+-- Expanded to avoid parameterized type:
+X520Pseudonym ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-pseudonym)),
+ printableString PrintableString (SIZE (1..ub-pseudonym)),
+ universalString UniversalString (SIZE (1..ub-pseudonym)),
+ utf8String UTF8String (SIZE (1..ub-pseudonym)),
+ bmpString BMPString (SIZE (1..ub-pseudonym)) }
+
+-- Naming attributes of type DomainComponent (from RFC 4519)
+
+id-domainComponent AttributeType ::= { 0 9 2342 19200300 100 1 25 }
+
+DomainComponent ::= IA5String
+
+-- Legacy attributes
+
+pkcs-9 OBJECT IDENTIFIER ::=
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
+
+id-emailAddress AttributeType ::= { pkcs-9 1 }
+
+EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length))
+
+-- naming data types --
+
+Name ::= CHOICE { -- only one possibility for now --
+ rdnSequence RDNSequence }
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+DistinguishedName ::= RDNSequence
+
+RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
+
+-- Directory string type --
+
+DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1..MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+-- certificate and CRL specific structures begin here
+
+Certificate ::= SEQUENCE {
+ tbsCertificate TBSCertificate,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING }
+
+TBSCertificate ::= SEQUENCE {
+ version [0] Version DEFAULT v1,
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version MUST be v2 or v3
+ subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version MUST be v2 or v3
+ extensions [3] Extensions OPTIONAL
+ -- If present, version MUST be v3 -- }
+
+Version ::= INTEGER { v1(0), v2(1), v3(2) }
+
+CertificateSerialNumber ::= INTEGER
+
+Validity ::= SEQUENCE {
+ notBefore Time,
+ notAfter Time }
+
+Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+UniqueIdentifier ::= BIT STRING
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING }
+
+Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+Extension ::= SEQUENCE {
+ extnID OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING
+ -- contains the DER encoding of an ASN.1 value
+ -- corresponding to the extension type identified
+ -- by extnID
+ }
+
+-- CRL structures
+
+CertificateList ::= SEQUENCE {
+ tbsCertList TBSCertList,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING }
+
+TBSCertList ::= SEQUENCE {
+ version Version OPTIONAL,
+ -- if present, MUST be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates SEQUENCE OF SEQUENCE {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, version MUST be v2
+ } OPTIONAL,
+ crlExtensions [0] Extensions OPTIONAL }
+ -- if present, version MUST be v2
+
+-- Version, Time, CertificateSerialNumber, and Extensions were
+-- defined earlier for use in the certificate structure
+
+AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+ -- contains a value of the type
+ -- registered for use with the
+ -- algorithm object identifier value
+
+-- X.400 address syntax starts here
+
+ORAddress ::= SEQUENCE {
+ built-in-standard-attributes BuiltInStandardAttributes,
+ built-in-domain-defined-attributes
+ BuiltInDomainDefinedAttributes OPTIONAL,
+ -- see also teletex-domain-defined-attributes
+ extension-attributes ExtensionAttributes OPTIONAL }
+
+-- Built-in Standard Attributes
+
+BuiltInStandardAttributes ::= SEQUENCE {
+ country-name CountryName OPTIONAL,
+ administration-domain-name AdministrationDomainName OPTIONAL,
+ network-address [0] IMPLICIT NetworkAddress OPTIONAL,
+ -- see also extended-network-address
+ terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL,
+ private-domain-name [2] PrivateDomainName OPTIONAL,
+ organization-name [3] IMPLICIT OrganizationName OPTIONAL,
+ -- see also teletex-organization-name
+ numeric-user-identifier [4] IMPLICIT NumericUserIdentifier
+ OPTIONAL,
+ personal-name [5] IMPLICIT PersonalName OPTIONAL,
+ -- see also teletex-personal-name
+ organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
+ OPTIONAL }
+ -- see also teletex-organizational-unit-names
+
+CountryName ::= [APPLICATION 1] CHOICE {
+ x121-dcc-code NumericString
+ (SIZE (ub-country-name-numeric-length)),
+ iso-3166-alpha2-code PrintableString
+ (SIZE (ub-country-name-alpha-length)) }
+
+AdministrationDomainName ::= [APPLICATION 2] CHOICE {
+ numeric NumericString (SIZE (0..ub-domain-name-length)),
+ printable PrintableString (SIZE (0..ub-domain-name-length)) }
+
+NetworkAddress ::= X121Address -- see also extended-network-address
+
+X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
+
+TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
+
+PrivateDomainName ::= CHOICE {
+ numeric NumericString (SIZE (1..ub-domain-name-length)),
+ printable PrintableString (SIZE (1..ub-domain-name-length)) }
+
+OrganizationName ::= PrintableString
+ (SIZE (1..ub-organization-name-length))
+ -- see also teletex-organization-name
+
+NumericUserIdentifier ::= NumericString
+ (SIZE (1..ub-numeric-user-id-length))
+
+PersonalName ::= SET {
+ surname [0] IMPLICIT PrintableString
+ (SIZE (1..ub-surname-length)),
+ given-name [1] IMPLICIT PrintableString
+ (SIZE (1..ub-given-name-length)) OPTIONAL,
+ initials [2] IMPLICIT PrintableString
+ (SIZE (1..ub-initials-length)) OPTIONAL,
+ generation-qualifier [3] IMPLICIT PrintableString
+ (SIZE (1..ub-generation-qualifier-length))
+ OPTIONAL }
+ -- see also teletex-personal-name
+
+OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
+ OF OrganizationalUnitName
+ -- see also teletex-organizational-unit-names
+
+OrganizationalUnitName ::= PrintableString (SIZE
+ (1..ub-organizational-unit-name-length))
+
+-- Built-in Domain-defined Attributes
+
+BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
+ (1..ub-domain-defined-attributes) OF
+ BuiltInDomainDefinedAttribute
+
+BuiltInDomainDefinedAttribute ::= SEQUENCE {
+ type PrintableString (SIZE
+ (1..ub-domain-defined-attribute-type-length)),
+ value PrintableString (SIZE
+ (1..ub-domain-defined-attribute-value-length)) }
+
+-- Extension Attributes
+
+ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
+ ExtensionAttribute
+
+ExtensionAttribute ::= SEQUENCE {
+ extension-attribute-type [0] IMPLICIT INTEGER
+ (0..ub-extension-attributes),
+ extension-attribute-value [1]
+ ANY DEFINED BY extension-attribute-type }
+
+-- Extension types and attribute values
+
+common-name INTEGER ::= 1
+
+CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
+
+teletex-common-name INTEGER ::= 2
+
+TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
+
+teletex-organization-name INTEGER ::= 3
+
+TeletexOrganizationName ::=
+ TeletexString (SIZE (1..ub-organization-name-length))
+
+teletex-personal-name INTEGER ::= 4
+
+TeletexPersonalName ::= SET {
+ surname [0] IMPLICIT TeletexString
+ (SIZE (1..ub-surname-length)),
+ given-name [1] IMPLICIT TeletexString
+ (SIZE (1..ub-given-name-length)) OPTIONAL,
+ initials [2] IMPLICIT TeletexString
+ (SIZE (1..ub-initials-length)) OPTIONAL,
+ generation-qualifier [3] IMPLICIT TeletexString
+ (SIZE (1..ub-generation-qualifier-length))
+ OPTIONAL }
+
+teletex-organizational-unit-names INTEGER ::= 5
+
+TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
+ (1..ub-organizational-units) OF TeletexOrganizationalUnitName
+
+TeletexOrganizationalUnitName ::= TeletexString
+ (SIZE (1..ub-organizational-unit-name-length))
+
+pds-name INTEGER ::= 7
+
+PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
+
+physical-delivery-country-name INTEGER ::= 8
+
+PhysicalDeliveryCountryName ::= CHOICE {
+ x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
+ iso-3166-alpha2-code PrintableString
+ (SIZE (ub-country-name-alpha-length)) }
+
+postal-code INTEGER ::= 9
+
+PostalCode ::= CHOICE {
+ numeric-code NumericString (SIZE (1..ub-postal-code-length)),
+ printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
+
+physical-delivery-office-name INTEGER ::= 10
+PhysicalDeliveryOfficeName ::= PDSParameter
+
+physical-delivery-office-number INTEGER ::= 11
+
+PhysicalDeliveryOfficeNumber ::= PDSParameter
+
+extension-OR-address-components INTEGER ::= 12
+
+ExtensionORAddressComponents ::= PDSParameter
+
+physical-delivery-personal-name INTEGER ::= 13
+
+PhysicalDeliveryPersonalName ::= PDSParameter
+
+physical-delivery-organization-name INTEGER ::= 14
+
+PhysicalDeliveryOrganizationName ::= PDSParameter
+
+extension-physical-delivery-address-components INTEGER ::= 15
+
+ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
+
+unformatted-postal-address INTEGER ::= 16
+
+UnformattedPostalAddress ::= SET {
+ printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
+ OF PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
+ teletex-string TeletexString
+ (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
+
+street-address INTEGER ::= 17
+
+StreetAddress ::= PDSParameter
+
+post-office-box-address INTEGER ::= 18
+
+PostOfficeBoxAddress ::= PDSParameter
+
+poste-restante-address INTEGER ::= 19
+
+PosteRestanteAddress ::= PDSParameter
+
+unique-postal-name INTEGER ::= 20
+
+UniquePostalName ::= PDSParameter
+
+local-postal-attributes INTEGER ::= 21
+
+LocalPostalAttributes ::= PDSParameter
+
+PDSParameter ::= SET {
+ printable-string PrintableString
+ (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
+ teletex-string TeletexString
+ (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
+
+extended-network-address INTEGER ::= 22
+
+ExtendedNetworkAddress ::= CHOICE {
+ e163-4-address SEQUENCE {
+ number [0] IMPLICIT NumericString
+ (SIZE (1..ub-e163-4-number-length)),
+ sub-address [1] IMPLICIT NumericString
+ (SIZE (1..ub-e163-4-sub-address-length))
+ OPTIONAL },
+ psap-address [0] IMPLICIT PresentationAddress }
+
+PresentationAddress ::= SEQUENCE {
+ pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
+ sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
+ tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
+ nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
+
+terminal-type INTEGER ::= 23
+
+TerminalType ::= INTEGER {
+ telex (3),
+ teletex (4),
+ g3-facsimile (5),
+ g4-facsimile (6),
+ ia5-terminal (7),
+ videotex (8) } (0..ub-integer-options)
+
+-- Extension Domain-defined Attributes
+
+teletex-domain-defined-attributes INTEGER ::= 6
+
+TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
+ (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
+
+TeletexDomainDefinedAttribute ::= SEQUENCE {
+ type TeletexString
+ (SIZE (1..ub-domain-defined-attribute-type-length)),
+ value TeletexString
+ (SIZE (1..ub-domain-defined-attribute-value-length)) }
+
+-- specifications of Upper Bounds MUST be regarded as mandatory
+-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
+-- Upper Bounds
+
+-- Upper Bounds
+ub-name INTEGER ::= 32768
+ub-common-name INTEGER ::= 64
+ub-locality-name INTEGER ::= 128
+ub-state-name INTEGER ::= 128
+ub-organization-name INTEGER ::= 64
+ub-organizational-unit-name INTEGER ::= 64
+ub-title INTEGER ::= 64
+ub-serial-number INTEGER ::= 64
+ub-match INTEGER ::= 128
+ub-emailaddress-length INTEGER ::= 255
+ub-common-name-length INTEGER ::= 64
+ub-country-name-alpha-length INTEGER ::= 2
+ub-country-name-numeric-length INTEGER ::= 3
+ub-domain-defined-attributes INTEGER ::= 4
+ub-domain-defined-attribute-type-length INTEGER ::= 8
+ub-domain-defined-attribute-value-length INTEGER ::= 128
+ub-domain-name-length INTEGER ::= 16
+ub-extension-attributes INTEGER ::= 256
+ub-e163-4-number-length INTEGER ::= 15
+ub-e163-4-sub-address-length INTEGER ::= 40
+ub-generation-qualifier-length INTEGER ::= 3
+ub-given-name-length INTEGER ::= 16
+ub-initials-length INTEGER ::= 5
+ub-integer-options INTEGER ::= 256
+ub-numeric-user-id-length INTEGER ::= 32
+ub-organization-name-length INTEGER ::= 64
+ub-organizational-unit-name-length INTEGER ::= 32
+ub-organizational-units INTEGER ::= 4
+ub-pds-name-length INTEGER ::= 16
+ub-pds-parameter-length INTEGER ::= 30
+ub-pds-physical-address-lines INTEGER ::= 6
+ub-postal-code-length INTEGER ::= 16
+ub-pseudonym INTEGER ::= 128
+ub-surname-length INTEGER ::= 40
+ub-terminal-id-length INTEGER ::= 24
+ub-unformatted-address-length INTEGER ::= 180
+ub-x121-address-length INTEGER ::= 16
+
+-- Note - upper bounds on string types, such as TeletexString, are
+-- measured in characters. Excepting PrintableString or IA5String, a
+-- significantly greater number of octets will be required to hold
+-- such a value. As a minimum, 16 octets, or twice the specified
+-- upper bound, whichever is the larger, should be allowed for
+-- TeletexString. For UTF8String or UniversalString at least four
+-- times the upper bound should be allowed.
+
+END
diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out
index 1a9c3d667..315e25bb0 100644
--- a/src/tests/asn.1/reference_encode.out
+++ b/src/tests/asn.1/reference_encode.out
@@ -61,3 +61,10 @@ encode_krb5_iakerb_header: 30 18 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08
encode_krb5_iakerb_finished: 30 11 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
encode_krb5_fast_response: 30 81 9F A0 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 5B 30 59 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 03 02 01 2A
encode_krb5_pa_fx_fast_reply: A0 29 30 27 A0 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65
+encode_krb5_otp_tokeninfo(optionals NULL): 30 07 80 05 00 00 00 00 00
+encode_krb5_otp_tokeninfo: 30 72 80 05 00 77 00 00 00 81 0B 45 78 61 6D 70 6C 65 63 6F 72 70 82 05 68 61 72 6B 21 83 01 0A 84 01 02 85 09 79 6F 75 72 74 6F 6B 65 6E 86 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 A7 16 30 0B 06 09 60 86 48 01 65 03 04 02 01 30 07 06 05 2B 0E 03 02 1A 88 02 03 E8
+encode_krb5_pa_otp_challenge(optionals NULL): 30 15 80 08 6D 69 6E 6E 6F 6E 63 65 A2 09 30 07 80 05 00 00 00 00 00
+encode_krb5_pa_otp_challenge: 30 81 A5 80 08 6D 61 78 6E 6F 6E 63 65 81 0B 74 65 73 74 73 65 72 76 69 63 65 A2 7D 30 07 80 05 00 00 00 00 00 30 72 80 05 00 77 00 00 00 81 0B 45 78 61 6D 70 6C 65 63 6F 72 70 82 05 68 61 72 6B 21 83 01 0A 84 01 02 85 09 79 6F 75 72 74 6F 6B 65 6E 86 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 A7 16 30 0B 06 09 60 86 48 01 65 03 04 02 01 30 07 06 05 2B 0E 03 02 1A 88 02 03 E8 83 07 6B 65 79 73 61 6C 74 84 04 31 32 33 34
+encode_krb5_pa_otp_req(optionals NULL): 30 2C 80 05 00 00 00 00 00 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65
+encode_krb5_pa_otp_req: 30 81 B9 80 05 00 60 00 00 00 81 05 6E 6F 6E 63 65 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 0B 06 09 60 86 48 01 65 03 04 02 01 84 02 03 E8 85 05 66 72 6F 67 73 86 0A 6D 79 66 69 72 73 74 70 69 6E 87 05 68 61 72 6B 21 88 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 89 03 33 34 36 8A 01 02 8B 09 79 6F 75 72 74 6F 6B 65 6E 8C 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 8D 0B 45 78 61 6D 70 6C 65 63 6F 72 70
+encode_krb5_pa_otp_enc_req: 30 0A 80 08 6B 72 62 35 64 61 74 61
diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out
index f1fec5f58..461021e07 100644
--- a/src/tests/asn.1/trval_reference.out
+++ b/src/tests/asn.1/trval_reference.out
@@ -1348,3 +1348,133 @@ encode_krb5_pa_fx_fast_reply:
. . . [0] [Integer] 0
. . . [1] [Integer] 5
. . . [2] [Octet String] "krbASN.1 test message"
+
+encode_krb5_otp_tokeninfo(optionals NULL):
+
+[Sequence/Sequence Of]
+. [0] <5>
+ 00 00 00 00 00 .....
+
+encode_krb5_otp_tokeninfo:
+
+[Sequence/Sequence Of]
+. [0] <5>
+ 00 77 00 00 00 .w...
+. [1] <11>
+ 45 78 61 6d 70 6c 65 63 6f 72 70 Examplecorp
+. [2] <5>
+ 68 61 72 6b 21 hark!
+. [3] 0x0 (10 unused bits)
+. [4] <1>
+ 02 .
+. [5] <9>
+ 79 6f 75 72 74 6f 6b 65 6e yourtoken
+. [6] <40>
+ 75 72 6e 3a 69 65 74 66 3a 70 61 72 61 6d 73 3a urn:ietf:params:
+ 78 6d 6c 3a 6e 73 3a 6b 65 79 70 72 6f 76 3a 70 xml:ns:keyprov:p
+ 73 6b 63 3a 68 6f 74 70 skc:hotp
+. [7] [Sequence/Sequence Of]
+. . [Object Identifier] <9>
+ 60 86 48 01 65 03 04 02 01 `.H.e....
+. [Sequence/Sequence Of]
+. . [Object Identifier] <5>
+ 2b 0e 03 02 1a +....
+. [8] <2>
+ 03 e8 ..
+
+encode_krb5_pa_otp_challenge(optionals NULL):
+
+[Sequence/Sequence Of]
+. [0] <8>
+ 6d 69 6e 6e 6f 6e 63 65 minnonce
+. [2] [Sequence/Sequence Of]
+. . [0] <5>
+ 00 00 00 00 00 .....
+
+encode_krb5_pa_otp_challenge:
+
+[Sequence/Sequence Of]
+. [0] <8>
+ 6d 61 78 6e 6f 6e 63 65 maxnonce
+. [1] <11>
+ 74 65 73 74 73 65 72 76 69 63 65 testservice
+. [2] [Sequence/Sequence Of]
+. . [0] <5>
+ 00 00 00 00 00 .....
+. [Sequence/Sequence Of]
+. . [0] <5>
+ 00 77 00 00 00 .w...
+. . [1] <11>
+ 45 78 61 6d 70 6c 65 63 6f 72 70 Examplecorp
+. . [2] <5>
+ 68 61 72 6b 21 hark!
+. . [3] 0x0 (10 unused bits)
+. . [4] <1>
+ 02 .
+. . [5] <9>
+ 79 6f 75 72 74 6f 6b 65 6e yourtoken
+. . [6] <40>
+ 75 72 6e 3a 69 65 74 66 3a 70 61 72 61 6d 73 urn:ietf:params
+ 3a 78 6d 6c 3a 6e 73 3a 6b 65 79 70 72 6f 76 :xml:ns:keyprov
+ 3a 70 73 6b 63 3a 68 6f 74 70 :pskc:hotp
+. . [7] [Sequence/Sequence Of]
+. . . [Object Identifier] <9>
+ 60 86 48 01 65 03 04 02 01 `.H.e....
+. . [Sequence/Sequence Of]
+. . . [Object Identifier] <5>
+ 2b 0e 03 02 1a +....
+. . [8] <2>
+ 03 e8 ..
+. [3] <7>
+ 6b 65 79 73 61 6c 74 keysalt
+. [4] "1234"
+
+encode_krb5_pa_otp_req(optionals NULL):
+
+[Sequence/Sequence Of]
+. [0] <5>
+ 00 00 00 00 00 .....
+. [2] [0] [Integer] 0
+. [1] [Integer] 5
+. [2] [Octet String] "krbASN.1 test message"
+
+encode_krb5_pa_otp_req:
+
+[Sequence/Sequence Of]
+. [0] <5>
+ 00 60 00 00 00 .`...
+. [1] <5>
+ 6e 6f 6e 63 65 nonce
+. [2] [0] [Integer] 0
+. [1] [Integer] 5
+. [2] [Octet String] "krbASN.1 test message"
+. [3] [Object Identifier] <9>
+ 60 86 48 01 65 03 04 02 01 `.H.e....
+. [4] <2>
+ 03 e8 ..
+. [5] <5>
+ 66 72 6f 67 73 frogs
+. [6] <10>
+ 6d 79 66 69 72 73 74 70 69 6e myfirstpin
+. [7] <5>
+ 68 61 72 6b 21 hark!
+. [8] <15>
+ 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5a 19940610060317Z
+. [9] <3>
+ 33 34 36 346
+. [10] <1>
+ 02 .
+. [11] <9>
+ 79 6f 75 72 74 6f 6b 65 6e yourtoken
+. [12] <40>
+ 75 72 6e 3a 69 65 74 66 3a 70 61 72 61 6d 73 3a urn:ietf:params:
+ 78 6d 6c 3a 6e 73 3a 6b 65 79 70 72 6f 76 3a 70 xml:ns:keyprov:p
+ 73 6b 63 3a 68 6f 74 70 skc:hotp
+. [13] <11>
+ 45 78 61 6d 70 6c 65 63 6f 72 70 Examplecorp
+
+encode_krb5_pa_otp_enc_req:
+
+[Sequence/Sequence Of]
+. [0] <8>
+ 6b 72 62 35 64 61 74 61 krb5data
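Review bot: The `[3] 0x0 (10 unused bits)` line in the two OTP-TOKENINFO dumps (and the matching line inside the PA-OTP-CHALLENGE dump) is a display artifact, not a bit string: the corresponding bytes in the reference_encode.out hunk are `83 01 0A`, a one-byte primitive value under context tag 3, and trval falls back to a bit-string rendering because it has no schema for implicitly tagged fields (an unused-bit count above 7 is not valid BER/DER, so the reading is clearly a guess). Nothing should change in this file, since the check target diffs it verbatim; the point is that this fixture pins trval's formatting rather than the field's semantics, so a wrongly encoded integer in that field would still produce a "matching" dump here. Schema-level correctness of the OTP encodings therefore rests on the other comparison in this commit, presumably the asn1c-generated vectors, not on this file. A one-line comment in trval.c or next to the check-encode-trval target along the lines of `# trval has no schema: primitive context-tagged fields are rendered heuristically (e.g. as bit strings)` would stop readers from mistaking this output for a decoding.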