1 -- $Id$
2 HDB DEFINITIONS ::=
3 BEGIN
4
5 IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
6
7 HDB_DB_FORMAT INTEGER ::= 2     -- format version of the database;
8                                 -- update when making changes to the encoded layout
9
10 -- salt-type values (presumably the values carried in Salt.type below); these must have the same value as the pa-* counterparts
11 hdb-pw-salt     INTEGER ::= 3  -- same value as PA-PW-SALT (3)
12 hdb-afs3-salt   INTEGER ::= 10 -- same value as PA-AFS3-SALT (10)
13
14 Salt ::= SEQUENCE {                          -- salt used when a stored Key is derived from a password
15         type[0]         INTEGER (0..4294967295),   -- salt type, e.g. hdb-pw-salt or hdb-afs3-salt above
16         salt[1]         OCTET STRING,              -- salt bytes (presumably fed to the string-to-key function)
17         opaque[2]       OCTET STRING OPTIONAL      -- extra type-specific data; its format is not defined in this module
18 }
19
20 Key ::= SEQUENCE {                           -- one long-term key of a database entry
21         mkvno[0]        INTEGER (0..4294967295) OPTIONAL, -- master key version number; NOTE(review): presumably present only when the key is wrapped under a master key, confirm in the hdb code
22         key[1]          EncryptionKey,                    -- enctype and key bytes (type imported from krb5)
23         salt[2]         Salt OPTIONAL                     -- salt needed to re-derive this key from a password
24 }
25
26 Event ::= SEQUENCE {                         -- audit record: when something was done to an entry, and by whom
27         time[0]         KerberosTime,            -- when the event happened
28         principal[1]    Principal OPTIONAL       -- who caused it; absent when not attributed to a principal
29 }
30
31 HDBFlags ::= BIT STRING {                    -- per-entry policy bits; bit numbers are persisted, never renumber them
32         initial(0),                     -- require as-req (tickets must come from an AS exchange)
33         forwardable(1),                 -- may issue forwardable
34         proxiable(2),                   -- may issue proxiable
35         renewable(3),                   -- may issue renewable
36         postdate(4),                    -- may issue postdatable
37         server(5),                      -- may be server (may be the target of tickets)
38         client(6),                      -- may be client (may obtain tickets)
39         invalid(7),                     -- entry is invalid
40         require-preauth(8),             -- must use preauth
41         change-pw(9),                   -- change password service
42         require-hwauth(10),             -- must use hwauth
43         ok-as-delegate(11),             -- as in TicketFlags
44         user-to-user(12),               -- may use user-to-user auth
45         immutable(13),                  -- may not be deleted
46         trusted-for-delegation(14),     -- Trusted to print forwardable tickets (a delegation right; grant deliberately)
47         allow-kerberos4(15),            -- Allow Kerberos 4 requests (legacy protocol)
48         allow-digest(16)                -- Allow digest requests
49 }
50
51 GENERATION ::= SEQUENCE {                    -- change counter of an entry; presumably used to detect stale or concurrent updates
52         time[0]         KerberosTime,                   -- timestamp of this generation
53         usec[1]         INTEGER (0..4294967295),        -- microseconds part of the timestamp
54         gen[2]          INTEGER (0..4294967295)         -- generation number (presumably incremented on each change)
55 }
56
57 HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {  -- PKINIT acl: certificate identities accepted for this entry (presumably matched against the client certificate)
58         subject[0]      UTF8String,           -- subject name that must match
59         issuer[1]       UTF8String OPTIONAL,  -- optionally also restrict the match to this issuer
60         anchor[2]       UTF8String OPTIONAL   -- optionally also restrict the match to this trust anchor
61 }
62
63 HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {  -- accepted PKINIT client certificates, identified by digest
64         digest-type[0] OBJECT IDENTIFIER,        -- hash algorithm OID used to compute digest
65         digest[1] OCTET STRING                   -- digest of the certificate (presumably over its DER encoding)
66 }
67
68 HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {  -- accepted PKINIT client certificates, stored whole
69         cert[0] OCTET STRING                     -- certificate bytes (presumably DER encoded)
70 }
71
72 HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal  -- principals this entry may delegate to (used by allowed-to-delegate-to); each addition widens what the entry can do
73
74 -- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
75
76 HDB-Ext-Lan-Manager-OWF ::= OCTET STRING  -- LAN Manager one-way hash of the password; a weak legacy hash, treat it as a password-equivalent secret
77
78 HDB-Ext-Password ::= SEQUENCE {             -- the entry's password itself, a reversible credential; as sensitive as the keys
79         mkvno[0]        INTEGER (0..4294967295) OPTIONAL, -- master key version number; NOTE(review): presumably present when password is wrapped under the master key, confirm in the hdb code
80         password        OCTET STRING                      -- password bytes; note this field carries no context tag, unlike every other field in this module
81 }
82
83 HDB-Ext-Aliases ::= SEQUENCE {              -- alternative names under which this entry can be looked up
84         case-insensitive[0]     BOOLEAN, -- case insensitive name allowed (relaxes name matching for this entry)
85         aliases[1]              SEQUENCE OF Principal -- all names, inc primary
86 }
87
88
89 HDB-extension ::= SEQUENCE {                -- one optional extension attached to an hdb_entry
90         mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
91                                         --   if not the whole entry must
92                                         --   be rejected
93         data[1]          CHOICE {       -- which extension this is; choice tags are persisted, never reuse one
94                 pkinit-acl[0]                   HDB-Ext-PKINIT-acl,
95                 pkinit-cert-hash[1]             HDB-Ext-PKINIT-hash,
96                 allowed-to-delegate-to[2]   HDB-Ext-Constrained-delegation-acl,
97 --              referral-info[3]                HDB-Ext-Referrals,   (tag [3] is held by this commented-out choice)
98                 lm-owf[4]                       HDB-Ext-Lan-Manager-OWF,
99                 password[5]                     HDB-Ext-Password,
100                 aliases[6]                      HDB-Ext-Aliases,
101                 last-pw-change[7]               KerberosTime,
102                 pkinit-cert[8]                  HDB-Ext-PKINIT-cert,
103                 ...                             -- extensible: unknown choices may be encountered; mandatory above decides whether to reject
104         },
105         ...                             -- extensible: later versions may append fields
106 }
107
108 HDB-extensions ::= SEQUENCE OF HDB-extension  -- all extensions of an entry, in stored order
109
110 hdb_keyset ::= SEQUENCE {                    -- the keys belonging to one key version
111         kvno[1]         INTEGER (0..4294967295),  -- key version number; note the context tags are not in field order ([1] before [0])
112         keys[0]         SEQUENCE OF Key           -- keys for kvno
113 }
114
115 hdb_entry ::= SEQUENCE {                     -- one principal's record in the KDC database
116         principal[0]    Principal  OPTIONAL, -- this is optional only
117                                              -- for compatibility with libkrb5
118         kvno[1]         INTEGER (0..4294967295),  -- current key version number
119         keys[2]         SEQUENCE OF Key,          -- keys for the current kvno
120         created-by[3]   Event,                    -- who created the entry and when
121         modified-by[4]  Event OPTIONAL,           -- last modification; absent if never modified
122         valid-start[5]  KerberosTime OPTIONAL,    -- start of the validity window, if limited
123         valid-end[6]    KerberosTime OPTIONAL,    -- end of the validity window, if limited
124         pw-end[7]       KerberosTime OPTIONAL,    -- password expiry time, if any
125         max-life[8]     INTEGER (0..4294967295) OPTIONAL, -- maximum ticket lifetime (unit not stated here; presumably seconds)
126         max-renew[9]    INTEGER (0..4294967295) OPTIONAL, -- maximum renewable lifetime (same unit as max-life)
127         flags[10]       HDBFlags,                 -- policy bits, see HDBFlags; always present
128         etypes[11]      SEQUENCE OF INTEGER (0..4294967295) OPTIONAL, -- enctypes permitted for this entry (presumably)
129         generation[12]  GENERATION OPTIONAL,      -- change counter, see GENERATION
130         extensions[13]  HDB-extensions OPTIONAL   -- optional extensions; the mandatory bit of each must be honoured
131 }
132
133 hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {  -- record stored under an alias name; the APPLICATION tag distinguishes it from hdb_entry
134         principal[0]    Principal  OPTIONAL        -- the principal the alias refers to (presumably the canonical entry)
135 }
136
137 END