summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/hdb/hdb.asn1
blob: c8c276ff6e54aae9b5ca97f09ae1e9f038b3d57c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
-- $Id: hdb.asn1,v 1.17 2006/08/24 10:45:19 lha Exp $
HDB DEFINITIONS ::=
BEGIN

IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;

HDB_DB_FORMAT INTEGER ::= 2	-- format of database, 
				-- update when making changes

-- these must have the same value as the pa-* counterparts
hdb-pw-salt	INTEGER	::= 3
hdb-afs3-salt	INTEGER	::= 10

Salt ::= SEQUENCE {
	type[0]		INTEGER (0..4294967295),
	salt[1]		OCTET STRING
}

Key ::= SEQUENCE {
	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
	key[1]		EncryptionKey,
	salt[2]		Salt OPTIONAL
}

Event ::= SEQUENCE {
	time[0]		KerberosTime,
	principal[1]	Principal OPTIONAL
}

HDBFlags ::= BIT STRING {
	initial(0),			-- require as-req
	forwardable(1),			-- may issue forwardable
	proxiable(2),			-- may issue proxiable
	renewable(3),			-- may issue renewable
	postdate(4),			-- may issue postdatable
	server(5),			-- may be server
	client(6),			-- may be client
	invalid(7),			-- entry is invalid
	require-preauth(8),		-- must use preauth
	change-pw(9),			-- change password service
	require-hwauth(10),		-- must use hwauth
	ok-as-delegate(11),		-- as in TicketFlags
	user-to-user(12),		-- may use user-to-user auth
	immutable(13),			-- may not be deleted
	trusted-for-delegation(14),	-- Trusted to print forwardabled tickets
	allow-kerberos4(15),		-- Allow Kerberos 4 requests
	allow-digest(16)		-- Allow digest requests
}

GENERATION ::= SEQUENCE {
	time[0]		KerberosTime,			-- timestamp
	usec[1]		INTEGER (0..4294967295),	-- microseconds
	gen[2]		INTEGER (0..4294967295)		-- generation number
}

HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
	subject[0]	UTF8String,
	issuer[1]	UTF8String OPTIONAL,
	anchor[2]	UTF8String OPTIONAL
}

HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
	digest-type[0] OBJECT IDENTIFIER,
	digest[1] OCTET STRING
}

HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal

-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA

HDB-Ext-Lan-Manager-OWF ::= OCTET STRING

HDB-Ext-Password ::= SEQUENCE {
	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
	password	OCTET STRING
}

HDB-Ext-Aliases ::= SEQUENCE {
	case-insensitive[0]	BOOLEAN, -- case insensitive name allowed
	aliases[1]		SEQUENCE OF Principal -- all names, inc primary
}


HDB-extension ::= SEQUENCE {
        mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
                                        --   if not the whole entry must
                                        --   be rejected
        data[1]          CHOICE {
	        pkinit-acl[0]			HDB-Ext-PKINIT-acl,
	        pkinit-cert-hash[1]  		HDB-Ext-PKINIT-hash,
		allowed-to-delegate-to[2]   HDB-Ext-Constrained-delegation-acl,
--		referral-info[3]		HDB-Ext-Referrals,
		lm-owf[4]			HDB-Ext-Lan-Manager-OWF,
		password[5]			HDB-Ext-Password,
		aliases[6]			HDB-Ext-Aliases,
		last-pw-change[7]		KerberosTime,
		...
	},
	...
}

HDB-extensions ::= SEQUENCE OF HDB-extension


hdb_entry ::= SEQUENCE {
	principal[0]	Principal  OPTIONAL, -- this is optional only 
					     -- for compatibility with libkrb5
	kvno[1]		INTEGER (0..4294967295),
	keys[2]		SEQUENCE OF Key,
	created-by[3]	Event,
	modified-by[4]	Event OPTIONAL,
	valid-start[5]	KerberosTime OPTIONAL,
	valid-end[6]	KerberosTime OPTIONAL,
	pw-end[7]	KerberosTime OPTIONAL,
	max-life[8]	INTEGER (0..4294967295) OPTIONAL,
	max-renew[9]	INTEGER (0..4294967295) OPTIONAL,
	flags[10]	HDBFlags,
	etypes[11]	SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
	generation[12]	GENERATION OPTIONAL,
        extensions[13]  HDB-extensions OPTIONAL
}

END