/*
* Print contents of an encoded Name (e.g. from an IssuerAndSerialNumber).
*/
void printName(
const char *title,
unsigned char *name,
unsigned nameLen)
{
SecAsn1CoderRef coder;
if(SecAsn1CoderCreate(&coder)) {
printf("*****Screwup in SecAsn1CoderCreate\n");
return;
}
CSSM_DATA der = {nameLen, name};
NSS_Name nssName;
if(SecAsn1DecodeData(coder, &der, kSecAsn1NameTemplate, &nssName)) {
printf("***Error decoding %s\n", title);
return;
}
printf(" %s:\n", title);
unsigned numRdns = pkiNssArraySize((const void **)nssName.rdns);
for(unsigned rdnDex=0; rdnDex<numRdns; rdnDex++) {
NSS_RDN *rdn = nssName.rdns[rdnDex];
unsigned numAtvs = pkiNssArraySize((const void **)rdn->atvs);
for(unsigned atvDex=0; atvDex<numAtvs; atvDex++) {
printAtv(rdn->atvs[atvDex]);
}
}
}
/*
* Top-level decode for PA-PK-AS-REQ.
*/
krb5_error_code krb5int_pkinit_pa_pk_as_req_decode(
const krb5_data *pa_pk_as_req,
krb5_data *signed_auth_pack, /* DER encoded ContentInfo, RETURNED */
/*
* Remainder are optionally RETURNED (specify NULL for pointers to
* items you're not interested in).
*/
krb5_ui_4 *num_trusted_CAs, /* sizeof trusted_CAs */
krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs issuer/serial */
krb5_data *kdc_cert) /* DER encoded issuer/serial */
{
KRB5_PA_PK_AS_REQ asReq;
SecAsn1CoderRef coder;
CSSM_DATA der;
krb5_error_code ourRtn = 0;
assert(pa_pk_as_req != NULL);
/* Decode --> KRB5_PA_PK_AS_REQ */
if(SecAsn1CoderCreate(&coder)) {
return ENOMEM;
}
PKI_KRB_TO_CSSM_DATA(pa_pk_as_req, &der);
memset(&asReq, 0, sizeof(asReq));
if(SecAsn1DecodeData(coder, &der, KRB5_PA_PK_AS_REQTemplate, &asReq)) {
ourRtn = ASN1_BAD_FORMAT;
goto errOut;
}
/* Convert decoded results to caller's args; each is optional */
if(signed_auth_pack != NULL) {
if((ourRtn = pkiCssmDataToKrb5Data(&asReq.signedAuthPack, signed_auth_pack))) {
goto errOut;
}
}
if(asReq.trusted_CAs && (trusted_CAs != NULL)) {
/* NULL-terminated array of CSSM_DATA ptrs */
unsigned numCas = pkiNssArraySize((const void **)asReq.trusted_CAs);
unsigned dex;
krb5_data *kdcCas;
kdcCas = (krb5_data *)malloc(sizeof(krb5_data) * numCas);
if(kdcCas == NULL) {
ourRtn = ENOMEM;
goto errOut;
}
for(dex=0; dex<numCas; dex++) {
KRB5_ExternalPrincipalIdentifier *epi = asReq.trusted_CAs[dex];
if(epi->issuerAndSerialNumber.Data) {
/* the only variant we support */
pkiCssmDataToKrb5Data(&epi->issuerAndSerialNumber, &kdcCas[dex]);
}
}
*trusted_CAs = kdcCas;
*num_trusted_CAs = numCas;
}
if(asReq.kdcPkId.Data && kdc_cert) {
if((ourRtn = pkiCssmDataToKrb5Data(&asReq.kdcPkId, kdc_cert))) {
goto errOut;
}
}
errOut:
SecAsn1CoderRelease(coder);
return ourRtn;
}
