pkinit: Replace OID literals by their names

rtpt-erikgeiser · rtpt-erikgeiser · commit ea51cc58ea3f · 2025-08-13T13:06:41.000+02:00
diff --git a/pkinit/asn1.go b/pkinit/asn1.go
@@ -11,6 +11,17 @@ import (
 	"github.com/jcmturner/gokrb5/v8/types"
 )
 
+var (
+	signedDataOID                                        = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
+	idPKINITAuthDataOID                                  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 1}
+	idPKINITDHKeyDataOID                                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 2}
+	sha1HashOID                                          = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
+	sha1WithRSAEncryptionOID                             = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
+	contentTypeOID                                       = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3}
+	ephemeralStaticDiffieHellmanKeyAgreementAlgorithmOID = asn1.ObjectIdentifier{1, 2, 840, 10046, 2, 1}
+	messageDigestOID                                     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
+)
+
 type SignerInfo struct {
 	Version                   int `asn1:"default:1"`
 	IssuerAndSerialNumber     IssuerAndSerial
diff --git a/pkinit/asrep.go b/pkinit/asrep.go
@@ -63,7 +63,7 @@ func ExtractNegotiatedKey(
 		return ekey, fmt.Errorf("unmarshal signed data: %w", err)
 	}
 
-	if !contentInfo.ContentType.Equal(asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}) {
+	if !contentInfo.ContentType.Equal(signedDataOID) {
 		return ekey, fmt.Errorf("unexpected outer content type: %s", contentInfo.ContentType)
 	}
 
@@ -74,7 +74,7 @@ func ExtractNegotiatedKey(
 		return ekey, fmt.Errorf("unmarshal signed data: %w", err)
 	}
 
-	if !signedData.ContentInfo.ContentType.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 2}) {
+	if !signedData.ContentInfo.ContentType.Equal(idPKINITDHKeyDataOID) {
 		return ekey, fmt.Errorf("unexpected inner content type: %s", signedData.ContentInfo.ContentType)
 	}
 
diff --git a/pkinit/asreq.go b/pkinit/asreq.go
@@ -58,7 +58,7 @@ func ConfigureASReq(
 		},
 		ClientPublicValue: SubjectPublicKeyInfo{
 			Algorithm: AlgorithmIdentifier{
-				Algorithm: asn1.ObjectIdentifier{1, 2, 840, 10046, 2, 1},
+				Algorithm: ephemeralStaticDiffieHellmanKeyAgreementAlgorithmOID,
 				Parameters: DomainParameters{
 					P: DiffieHellmanPrime,
 					G: 2,
diff --git a/pkinit/pkcs7.go b/pkinit/pkcs7.go
@@ -29,29 +29,29 @@ func PKCS7Sign(data []byte, key *rsa.PrivateKey, cert *x509.Certificate) ([]byte
 		return nil, fmt.Errorf("marshal digest: %w", err)
 	}
 
-	serializedPKInitOID, err := asn1.Marshal(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 1})
+	serializedPKInitOID, err := asn1.Marshal(idPKINITAuthDataOID)
 	if err != nil {
 		return nil, fmt.Errorf("marshal PKInit OID: %w", err)
 	}
 
 	sha1AlgorithmIdentifier := pkix.AlgorithmIdentifier{
-		Algorithm: asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26},
+		Algorithm: sha1HashOID,
 	}
 
 	rsaWithSHA1AlgorithmIdentifier := pkix.AlgorithmIdentifier{
-		Algorithm: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5},
+		Algorithm: sha1WithRSAEncryptionOID,
 	}
 
 	authenticatedAttributes := []Attribute{
 		{
 			// ContentType
-			Type: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3},
+			Type: contentTypeOID,
 			// id-pkinit-authData
 			Value: asn1.RawValue{Tag: 17, IsCompound: true, Bytes: serializedPKInitOID},
 		},
 		{
 			// MessageDigest
-			Type:  asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4},
+			Type:  messageDigestOID,
 			Value: asn1.RawValue{Tag: 17, IsCompound: true, Bytes: serializedDigest},
 		},
 	}
@@ -66,7 +66,7 @@ func PKCS7Sign(data []byte, key *rsa.PrivateKey, cert *x509.Certificate) ([]byte
 		DigestAlgorithmIdentifiers: []pkix.AlgorithmIdentifier{sha1AlgorithmIdentifier},
 		ContentInfo: ContentInfo{
 			// id-pkinit-authData
-			ContentType: asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 1},
+			ContentType: idPKINITAuthDataOID,
 			Content:     asn1.RawValue{Class: 2, Tag: 0, Bytes: serializedData, IsCompound: true},
 		},
 		Certificates: rawCert,
@@ -90,7 +90,7 @@ func PKCS7Sign(data []byte, key *rsa.PrivateKey, cert *x509.Certificate) ([]byte
 
 	contentInfo := ContentInfo{
 		// signed data
-		ContentType: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2},
+		ContentType: signedDataOID,
 		Content:     asn1.RawValue{Class: 2, Tag: 0, Bytes: signedDataBytes, IsCompound: true},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func ExtractNegotiatedKey(`
`63`	`63`	`return ekey, fmt.Errorf("unmarshal signed data: %w", err)`
`64`	`64`	`}`
`65`	`65`
`66`		`- if !contentInfo.ContentType.Equal(asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}) {`
	`66`	`+ if !contentInfo.ContentType.Equal(signedDataOID) {`
`67`	`67`	`return ekey, fmt.Errorf("unexpected outer content type: %s", contentInfo.ContentType)`
`68`	`68`	`}`
`69`	`69`
`@@ -74,7 +74,7 @@ func ExtractNegotiatedKey(`
`74`	`74`	`return ekey, fmt.Errorf("unmarshal signed data: %w", err)`
`75`	`75`	`}`
`76`	`76`
`77`		`- if !signedData.ContentInfo.ContentType.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 2}) {`
	`77`	`+ if !signedData.ContentInfo.ContentType.Equal(idPKINITDHKeyDataOID) {`
`78`	`78`	`return ekey, fmt.Errorf("unexpected inner content type: %s", signedData.ContentInfo.ContentType)`
`79`	`79`	`}`
`80`	`80`