authorGreg Hudson <ghudson@mit.edu>2012-02-11 23:25:12 +0000
committerGreg Hudson <ghudson@mit.edu>2012-02-11 23:25:12 +0000
commitbeb36f85c88fab20e95c4a0d8f109c3d0ab942f5 (patch)
tree87bf5d167d9ab3fb9fcabaf4bdf5e0a0c71d4adc /src/tests
parentf0af05cf4d4fbfea0b418e94ab5f60031db57a66 (diff)
Minimize draft9 PKINIT code by removing dead code
The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9, which is fortunate because it doesn't work (see issue #7072). Instead, it passes both kinds of PKINIT replies through decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack. So, remove the unused broken pa_pk_as_rep_draft9 decoder. For pa_pk_as_req_draft9, we only use two of the fields on encode and only one of those on decode. So, get rid of the unused fields and the krb5_trusted_ca structure, and reduce the encoder and decoder sequences to the minimum necessary fields. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/asn.1/krb5_decode_test.c35
-rw-r--r--src/tests/asn.1/ktest.c52
-rw-r--r--src/tests/asn.1/ktest_equal.c40
-rw-r--r--src/tests/asn.1/ktest_equal.h1
-rw-r--r--src/tests/asn.1/pkinit_encode.out2
-rw-r--r--src/tests/asn.1/pkinit_trval.out10
6 files changed, 1 insertions, 139 deletions
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 811f230c6..eb0fc8dbb 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -49,8 +49,6 @@ static void ktest_free_pa_pk_as_req(krb5_context context,
krb5_pa_pk_as_req *val);
static void ktest_free_pa_pk_as_rep(krb5_context context,
krb5_pa_pk_as_rep *val);
-static void ktest_free_pa_pk_as_rep_draft9(krb5_context context,
- krb5_pa_pk_as_rep_draft9 *val);
static void ktest_free_reply_key_pack(krb5_context context,
krb5_reply_key_pack *val);
static void ktest_free_reply_key_pack_draft9(krb5_context context,
@@ -1008,30 +1006,6 @@ int main(argc, argv)
}
/****************************************************************/
- /* decode_krb5_pa_pk_as_rep_draft9 */
- /*
- * NOTE: These are NOT the encodings produced by
- * encode_krb5_pa_pk_as_rep_draft9; they are hand-generated to match what
- * the decoder expects. The decoder expects a sequence containing an
- * explicitly tagged octet string, while the encoder produces an implicitly
- * tagged octet string. See issue #7072.
- */
- {
- setup(krb5_pa_pk_as_rep_draft9,ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData);
- decode_run("krb5_pa_pk_as_rep_draft9","(dhSignedData)","30 0C A0 0A 04 08 6B 72 62 35 64 61 74 61",
- acc.decode_krb5_pa_pk_as_rep_draft9,
- ktest_equal_pa_pk_as_rep_draft9,ktest_free_pa_pk_as_rep_draft9);
- ktest_empty_pa_pk_as_rep_draft9(&ref);
- }
- {
- setup(krb5_pa_pk_as_rep_draft9,ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack);
- decode_run("krb5_pa_pk_as_rep_draft9","(encKeyPack)","30 0C A1 0A 04 08 6B 72 62 35 64 61 74 61",
- acc.decode_krb5_pa_pk_as_rep_draft9,
- ktest_equal_pa_pk_as_rep_draft9,ktest_free_pa_pk_as_rep_draft9);
- ktest_empty_pa_pk_as_rep_draft9(&ref);
- }
-
- /****************************************************************/
/* decode_krb5_auth_pack */
{
setup(krb5_auth_pack,ktest_make_sample_auth_pack);
@@ -1170,15 +1144,6 @@ ktest_free_pa_pk_as_rep(krb5_context context, krb5_pa_pk_as_rep *val)
}
static void
-ktest_free_pa_pk_as_rep_draft9(krb5_context context,
- krb5_pa_pk_as_rep_draft9 *val)
-{
- if (val)
- ktest_empty_pa_pk_as_rep_draft9(val);
- free(val);
-}
-
-static void
ktest_free_reply_key_pack(krb5_context context, krb5_reply_key_pack *val)
{
if (val)
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 330756453..6963c018c 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -674,27 +674,6 @@ ktest_make_sample_external_principal_identifier(
ktest_make_sample_data(&p->subjectKeyIdentifier);
}
-static void
-ktest_make_sample_trusted_ca_principalName(krb5_trusted_ca *p)
-{
- p->choice = choice_trusted_cas_principalName;
- ktest_make_sample_principal(&p->u.principalName);
-}
-
-static void
-ktest_make_sample_trusted_ca_caName(krb5_trusted_ca *p)
-{
- p->choice = choice_trusted_cas_caName;
- ktest_make_sample_data(&p->u.caName);
-}
-
-static void
-ktest_make_sample_trusted_ca_issuerAndSerial(krb5_trusted_ca *p)
-{
- p->choice = choice_trusted_cas_issuerAndSerial;
- ktest_make_sample_data(&p->u.issuerAndSerial);
-}
-
void
ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p)
{
@@ -714,15 +693,7 @@ ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p)
int i;
ktest_make_sample_data(&p->signedAuthPack);
- p->trustedCertifiers = ealloc(4 * sizeof(krb5_trusted_ca *));
- for (i = 0; i < 3; i++)
- p->trustedCertifiers[i] = ealloc(sizeof(krb5_trusted_ca));
- ktest_make_sample_trusted_ca_principalName(p->trustedCertifiers[0]);
- ktest_make_sample_trusted_ca_caName(p->trustedCertifiers[1]);
- ktest_make_sample_trusted_ca_issuerAndSerial(p->trustedCertifiers[2]);
- p->trustedCertifiers[3] = NULL;
ktest_make_sample_data(&p->kdcCert);
- ktest_make_sample_data(&p->encryptionCert);
}
static void
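Review bot: `int i;` at the top of ktest_make_sample_pa_pk_as_req_draft9 looks left over. Its only visible use was the removed `for (i = 0; i < 3; i++)` loop, so the new body would raise -Wunused-variable, and fail a -Werror build, unless something outside the hunk still reads it. I would drop the declaration in this same commit. The function's opening brace is outside the hunk, so this is inferred from the visible lines only.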
@@ -1466,18 +1437,6 @@ ktest_empty_external_principal_identifier(
ktest_empty_data(&p->subjectKeyIdentifier);
}
-static void
-ktest_empty_trusted_ca(krb5_trusted_ca *p)
-{
- if (p->choice == choice_trusted_cas_principalName)
- ktest_destroy_principal(&p->u.principalName);
- else if (p->choice == choice_trusted_cas_caName)
- ktest_empty_data(&p->u.caName);
- else if (p->choice == choice_trusted_cas_issuerAndSerial)
- ktest_empty_data(&p->u.issuerAndSerial);
- p->choice = choice_trusted_cas_UNKNOWN;
-}
-
void
ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p)
{
@@ -1496,19 +1455,8 @@ ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p)
void
ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p)
{
- krb5_trusted_ca **ca;
-
ktest_empty_data(&p->signedAuthPack);
- if (p->trustedCertifiers != NULL) {
- for (ca = p->trustedCertifiers; *ca != NULL; ca++) {
- ktest_empty_trusted_ca(*ca);
- free(*ca);
- }
- free(p->trustedCertifiers);
- p->trustedCertifiers = NULL;
- }
ktest_empty_data(&p->kdcCert);
- ktest_empty_data(&p->encryptionCert);
}
static void
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index ea218c930..0418e5daf 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
@@ -854,29 +854,6 @@ ktest_equal_sequence_of_external_principal_identifier(
array_compare(ktest_equal_external_principal_identifier);
}
-static int
-ktest_equal_trusted_ca(krb5_trusted_ca *ref, krb5_trusted_ca *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- if (ref->choice != var->choice) return FALSE;
- if (ref->choice == choice_trusted_cas_principalName)
- p = p && ptr_equal(u.principalName, ktest_equal_principal_data);
- else if (ref->choice == choice_trusted_cas_caName)
- p = p && equal_str(u.caName);
- else if (ref->choice == choice_trusted_cas_issuerAndSerial)
- p = p && equal_str(u.issuerAndSerial);
- return p;
-}
-
-static int
-ktest_equal_sequence_of_trusted_ca(krb5_trusted_ca **ref,
- krb5_trusted_ca **var)
-{
- array_compare(ktest_equal_trusted_ca);
-}
-
int
ktest_equal_pa_pk_as_req(krb5_pa_pk_as_req *ref, krb5_pa_pk_as_req *var)
{
@@ -898,9 +875,7 @@ ktest_equal_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *ref,
if (ref == var) return TRUE;
else if (ref == NULL || var == NULL) return FALSE;
p = p && equal_str(signedAuthPack);
- p = p && ptr_equal(trustedCertifiers, ktest_equal_sequence_of_trusted_ca);
p = p && equal_str(kdcCert);
- p = p && equal_str(encryptionCert);
return p;
}
@@ -930,21 +905,6 @@ ktest_equal_pa_pk_as_rep(krb5_pa_pk_as_rep *ref, krb5_pa_pk_as_rep *var)
return p;
}
-int
-ktest_equal_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *ref,
- krb5_pa_pk_as_rep_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- if (ref->choice != var->choice) return FALSE;
- if (ref->choice == choice_pa_pk_as_rep_draft9_dhSignedData)
- p = p && equal_str(u.dhSignedData);
- else if (ref->choice == choice_pa_pk_as_rep_draft9_encKeyPack)
- p = p && equal_str(u.encKeyPack);
- return p;
-}
-
static int
ktest_equal_sequence_of_data(krb5_data **ref, krb5_data **var)
{
diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h
index 9e88a8ccd..ab31e2970 100644
--- a/src/tests/asn.1/ktest_equal.h
+++ b/src/tests/asn.1/ktest_equal.h
@@ -128,7 +128,6 @@ int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
generic(ktest_equal_pa_pk_as_req, krb5_pa_pk_as_req);
generic(ktest_equal_pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9);
generic(ktest_equal_pa_pk_as_rep, krb5_pa_pk_as_rep);
-generic(ktest_equal_pa_pk_as_rep_draft9, krb5_pa_pk_as_rep_draft9);
generic(ktest_equal_auth_pack, krb5_auth_pack);
generic(ktest_equal_auth_pack_draft9, krb5_auth_pack_draft9);
generic(ktest_equal_kdc_dh_key_info, krb5_kdc_dh_key_info);
diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
index 77b37cd64..463128de0 100644
--- a/src/tests/asn.1/pkinit_encode.out
+++ b/src/tests/asn.1/pkinit_encode.out
@@ -1,5 +1,5 @@
encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_req_draft9: 30 52 80 08 6B 72 62 35 64 61 74 61 A1 32 30 30 80 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 83 08 6B 72 62 35 64 61 74 61
+encode_krb5_pa_pk_as_req_draft9: 30 14 80 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61
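Review bot: Nothing visible in this test diff exercises the reduced pa_pk_as_req_draft9 decoder against a request that still carries [1] trustedCertifiers and [3] encryptionCert; the new expected encoding holds only [0] signedAuthPack and [2] kdcCert. That decoder parses pre-authentication data supplied by a peer, so it should be pinned down that the fields it no longer models are skipped cleanly rather than rejected or mis-parsed. The `30 52 …` vector removed in this hunk could be reused as input to a `decode_run` case in krb5_decode_test.c that expects only the two kept fields. Such a case may already exist in a part of krb5_decode_test.c not shown here.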
diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
index 7ee5b1de5..0393b7f8b 100644
--- a/src/tests/asn.1/pkinit_trval.out
+++ b/src/tests/asn.1/pkinit_trval.out
@@ -19,18 +19,8 @@ encode_krb5_pa_pk_as_req_draft9:
[Sequence/Sequence Of]
. [0] <8>
6b 72 62 35 64 61 74 61 krb5data
-. [1] [Sequence/Sequence Of]
-. . [0] <26>
- 30 18 a0 03 02 01 01 a1 11 30 0f 1b 06 68 66 0........0...hf
- 74 73 61 69 1b 05 65 78 74 72 61 tsai..extra
-. . [1] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-. . [2] <8>
- 6b 72 62 35 64 61 74 61 krb5data
. [2] <8>
6b 72 62 35 64 61 74 61 krb5data
-. [3] <8>
- 6b 72 62 35 64 61 74 61 krb5data
encode_krb5_pa_pk_as_rep(dhInfo):