-- $Id: hdb.asn1 20236 2007-02-16 23:52:29Z lha $
--
-- Schema of the records the KDC keeps in its principal database (HDB).
-- Every stored record is an encoding of hdb_entry (or hdb_entry_alias),
-- so any change to a type below changes the on-disk format: bump
-- HDB_DB_FORMAT when you do.  Tag numbers and BIT STRING bit positions
-- are part of that format -- append new ones, never renumber.
--
-- The sensitive parts of an entry are Key.key and the HDB-Ext-Password
-- extension; both carry an mkvno field naming a master key version.
-- NOTE(review): this schema does not itself show whether those fields are
-- stored wrapped under the master key -- confirm in the hdb library.
HDB DEFINITIONS ::=
BEGIN

IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;

HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
                            -- update when making changes

-- these must have the same value as the pa-* counterparts
-- (presumably because Salt.type is handed to clients as a pa-* value,
-- so a mismatch would make clients derive keys from the wrong salt type
-- -- verify against the KDC code)
hdb-pw-salt INTEGER ::= 3
hdb-afs3-salt INTEGER ::= 10

-- Salting information for one stored key: type is one of the hdb-*-salt
-- values above, salt the raw salt bytes.
Salt ::= SEQUENCE {
    type[0]         INTEGER (0..4294967295),
    salt[1]         OCTET STRING
}

-- One long-term key of a principal.
Key ::= SEQUENCE {
    mkvno[0]        INTEGER (0..4294967295) OPTIONAL, -- master key version number
    key[1]          EncryptionKey,                    -- the key material itself
    salt[2]         Salt OPTIONAL                     -- salt used to derive key, if any
}

-- Who touched the entry, and when (see created-by / modified-by below).
Event ::= SEQUENCE {
    time[0]         KerberosTime,
    principal[1]    Principal OPTIONAL
}

-- Per-principal policy bits.  The bit positions are stored in the
-- database, so new flags may only be appended.
HDBFlags ::= BIT STRING {
    initial(0),                 -- require as-req
    forwardable(1),             -- may issue forwardable
    proxiable(2),               -- may issue proxiable
    renewable(3),               -- may issue renewable
    postdate(4),                -- may issue postdatable
    server(5),                  -- may be server
    client(6),                  -- may be client
    invalid(7),                 -- entry is invalid
    require-preauth(8),         -- must use preauth
    change-pw(9),               -- change password service
    require-hwauth(10),         -- must use hwauth
    ok-as-delegate(11),         -- as in TicketFlags
    user-to-user(12),           -- may use user-to-user auth
    immutable(13),              -- may not be deleted
    trusted-for-delegation(14), -- Trusted to print forwardable tickets
    allow-kerberos4(15),        -- Allow Kerberos 4 requests (legacy protocol)
    allow-digest(16)            -- Allow digest requests
}

-- Version stamp of an entry: wall-clock time plus a counter.
-- NOTE(review): presumably used to order concurrent updates to the same
-- entry -- confirm against the code that sets gen.
GENERATION ::= SEQUENCE {
    time[0]         KerberosTime,               -- timestamp
    usec[1]         INTEGER (0..4294967295),    -- microseconds
    gen[2]          INTEGER (0..4294967295)     -- generation number
}

-- PKINIT access list: each element names a certificate subject, with
-- optional issuer and trust-anchor constraints (inferred from the field
-- names; the matching rules live in the KDC, not here).
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
    subject[0]      UTF8String,
    issuer[1]       UTF8String OPTIONAL,
    anchor[2]       UTF8String OPTIONAL
}

-- Digests of certificates bound to this principal (used as the
-- pkinit-cert-hash extension below); digest-type identifies the hash
-- algorithm by OID.
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
    digest-type[0]  OBJECT IDENTIFIER,
    digest[1]       OCTET STRING
}

-- Principals this entry is allowed to delegate to (the
-- allowed-to-delegate-to extension below).
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal

-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA

-- Lan Manager one-way-function hash of the password: a legacy credential
-- format, kept only for interoperability.
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING

-- Stored password.  password is untagged: the preceding element is
-- tagged [0], so the two remain distinguishable.
-- NOTE(review): the mkvno field suggests the password is wrapped under
-- the master key; this schema cannot confirm that -- check the writer.
HDB-Ext-Password ::= SEQUENCE {
    mkvno[0]        INTEGER (0..4294967295) OPTIONAL, -- master key version number
    password        OCTET STRING
}

-- Alternative names for the entry.
HDB-Ext-Aliases ::= SEQUENCE {
    case-insensitive[0]     BOOLEAN,              -- case insensitive name allowed
    aliases[1]              SEQUENCE OF Principal -- all names, inc primary
}

-- One extension of an entry.  The CHOICE is extensible (...) so unknown
-- extensions decode; mandatory says whether an unknown one is fatal.
-- Tag [3] (referral-info) is reserved and must not be reused.
HDB-extension ::= SEQUENCE {
    mandatory[0]    BOOLEAN, -- kdc MUST understand this extension,
                             -- if not the whole entry must
                             -- be rejected
    data[1]         CHOICE {
        pkinit-acl[0]                   HDB-Ext-PKINIT-acl,
        pkinit-cert-hash[1]             HDB-Ext-PKINIT-hash,
        allowed-to-delegate-to[2]       HDB-Ext-Constrained-delegation-acl,
--      referral-info[3]                HDB-Ext-Referrals,
        lm-owf[4]                       HDB-Ext-Lan-Manager-OWF,
        password[5]                     HDB-Ext-Password,
        aliases[6]                      HDB-Ext-Aliases,
        last-pw-change[7]               KerberosTime,
        ...
    },
    ...
}

HDB-extensions ::= SEQUENCE OF HDB-extension

-- A principal's database record.  The trailing ... keeps the SEQUENCE
-- extensible; new fields go after extensions[13].
hdb_entry ::= SEQUENCE {
    principal[0]    Principal OPTIONAL, -- this is optional only
                                        -- for compatibility with libkrb5
    kvno[1]         INTEGER (0..4294967295),        -- key version number
    keys[2]         SEQUENCE OF Key,                -- current long-term keys
    created-by[3]   Event,
    modified-by[4]  Event OPTIONAL,
    valid-start[5]  KerberosTime OPTIONAL,          -- entry usable from ...
    valid-end[6]    KerberosTime OPTIONAL,          -- ... until
    pw-end[7]       KerberosTime OPTIONAL,          -- password expiry (per name)
    max-life[8]     INTEGER (0..4294967295) OPTIONAL,   -- ticket lifetime cap; units not given here
    max-renew[9]    INTEGER (0..4294967295) OPTIONAL,   -- renewable lifetime cap; units not given here
    flags[10]       HDBFlags,
    etypes[11]      SEQUENCE OF INTEGER (0..4294967295) OPTIONAL, -- presumably permitted enctypes; confirm
    generation[12]  GENERATION OPTIONAL,
    extensions[13]  HDB-extensions OPTIONAL
}

-- Alias record pointing at the real entry.  The [APPLICATION 0] tag makes
-- it distinguishable from an hdb_entry (a plain SEQUENCE) on decode.
hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
    principal[0]    Principal OPTIONAL
}

END