-- Id
--
-- ASN.1 module for the Heimdal KDC database (HDB).  The types below
-- describe the per-principal record (hdb_entry), the keys and salts it
-- holds, and the extensions that may be attached to it.  The encoded
-- form of these types is the stored format, so context tags, bit
-- numbers and field order are part of the on-disk data and must not
-- be changed without updating HDB_DB_FORMAT.
HDB DEFINITIONS ::=
BEGIN

-- EncryptionKey, KerberosTime and Principal are taken from the krb5
-- module so that HDB and the protocol types share one encoding.
IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;

HDB_DB_FORMAT INTEGER ::= 2	-- format of database,
				-- update when making changes
				-- (presumably checked when a database is
				-- opened so an incompatible layout is
				-- detected; confirm in the HDB backend)

-- these must have the same value as the pa-* counterparts
-- (the pa-*-salt PADATA type numbers in the krb5 module); presumably
-- these are the values that appear in Salt.type below.
hdb-pw-salt	INTEGER	::= 3
hdb-afs3-salt	INTEGER	::= 10

-- Salt applied when a key is derived from a password.
Salt ::= SEQUENCE {
	type[0]		INTEGER (0..4294967295),	-- salt type, presumably one of
							-- hdb-pw-salt or hdb-afs3-salt
	salt[1]		OCTET STRING,			-- the salt string itself
	opaque[2]	OCTET STRING OPTIONAL		-- extra salt-type specific data
							-- (TODO confirm what populates it)
}

-- One long-term key of a principal.
Key ::= SEQUENCE {
	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
							  -- (version of the KDC master
							  -- key this key is wrapped with;
							  -- NOTE(review): when mkvno is
							  -- absent this schema does not
							  -- say whether key is stored
							  -- unprotected, check the backend
							  -- before relying on either)
	key[1]		EncryptionKey,			-- the key material, as a krb5
							-- EncryptionKey
	salt[2]		Salt OPTIONAL			-- salt the key was derived with,
							-- if it came from a password
}

-- Records when something was done to an entry and, optionally, by whom
-- (see created-by and modified-by in hdb_entry).
Event ::= SEQUENCE {
	time[0]		KerberosTime,		-- when it happened
	principal[1]	Principal OPTIONAL	-- who did it; may be unrecorded
}

-- Per-entry policy bits consulted by the KDC.  The bit numbers are the
-- stored encoding, so a bit must never be renumbered; bits 19..30 are
-- currently unassigned.
HDBFlags ::= BIT STRING {
	initial(0),			-- require as-req
	forwardable(1),			-- may issue forwardable
	proxiable(2),			-- may issue proxiable
	renewable(3),			-- may issue renewable
	postdate(4),			-- may issue postdatable
	server(5),			-- may be server
	client(6),			-- may be client
	invalid(7),			-- entry is invalid
	require-preauth(8),		-- must use preauth
	change-pw(9),			-- change password service
	require-hwauth(10),		-- must use hwauth
	ok-as-delegate(11),		-- as in TicketFlags
	user-to-user(12),		-- may use user-to-user auth
	immutable(13),			-- may not be deleted
	trusted-for-delegation(14),	-- Trusted to print forwardable tickets
	allow-kerberos4(15),		-- Allow Kerberos 4 requests
	allow-digest(16),		-- Allow digest requests
	locked-out(17),			-- Account is locked out,
					-- authentication will be denied
	require-pwchange(18),		-- require a passwd change
	do-not-store(31)		-- Not to be modified and stored in HDB
					-- (in-memory only marker; bit 31 is
					-- deliberately far from the others)
}

-- Change stamp for an entry: a timestamp plus a generation number
-- (presumably advanced on every write so that a stale copy can be
-- detected; confirm against the callers that fill it in).
GENERATION ::= SEQUENCE {
	time[0]		KerberosTime,			-- timestamp
	usec[1]		INTEGER (0..4294967295),	-- microseconds
	gen[2]		INTEGER (0..4294967295)		-- generation number
}

-- PKINIT client certificate ACL: each element names a subject and,
-- optionally, the issuer and trust anchor that must match.  Presumably
-- compared against the certificate presented in PKINIT; the matching
-- rules themselves live in the KDC, not in this schema.
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
	subject[0]	UTF8String,
	issuer[1]	UTF8String OPTIONAL,
	anchor[2]	UTF8String OPTIONAL
}

-- Hashes of accepted PKINIT client certificates (carried as
-- pkinit-cert-hash[1] below): digest-type is the hash algorithm OID,
-- digest the hash value.  What exactly is hashed is not defined here.
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
	digest-type[0] OBJECT IDENTIFIER,
	digest[1] OCTET STRING
}

-- Accepted PKINIT client certificates, each as an opaque OCTET STRING
-- (presumably an encoded certificate; confirm in the PKINIT code).
HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
	cert[0] OCTET STRING
}

-- Principals this entry is allowed to delegate to (constrained
-- delegation); carried as allowed-to-delegate-to[2] in HDB-extension.
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal

-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
-- (not defined; tag 3 in the HDB-extension CHOICE stays reserved for it)

-- LAN Manager one-way-function (password hash) value, raw.  Unlike Key
-- and HDB-Ext-Password this type carries no mkvno, so the schema itself
-- records nothing about whether the value is protected by the master
-- key; it is password-equivalent and must be handled like key material.
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING

-- The principal's password (as opposed to a key derived from it).
HDB-Ext-Password ::= SEQUENCE {
	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
							  -- (as in Key; presumably the
							  -- password is wrapped with that
							  -- master key when mkvno is set)
	password	OCTET STRING			  -- no context tag here; the
							  -- universal OCTET STRING tag
							  -- identifies the field
}

-- Alternative names for the principal.
HDB-Ext-Aliases ::= SEQUENCE {
	case-insensitive[0]	BOOLEAN, -- case insensitive name allowed
	aliases[1]		SEQUENCE OF Principal -- all names, inc primary
}

-- The set of keys of a principal.
Keys ::= SEQUENCE OF Key

-- One generation of keys kept as history (see hist-keys[9] in
-- HDB-extension): the kvno they belonged to, the keys themselves and
-- when the set was created.  The trailing ... makes the type extensible.
hdb_keyset ::= SEQUENCE {
	kvno[0]		INTEGER (0..4294967295),
	keys[1]		Keys,
	set-time[2]	KerberosTime OPTIONAL,	-- time this keyset was created/set
	...
}

-- Historical key sets of a principal.
HDB-Ext-KeySet ::= SEQUENCE OF hdb_keyset


-- A single extension attached to an hdb_entry.  The data CHOICE tags
-- are part of the stored format: never reuse a tag (tag 3 stays
-- reserved for the commented-out referral-info), always allocate a
-- fresh one.  The ... markers make both the CHOICE and the SEQUENCE
-- extensible; whether a decoder tolerates an unknown alternative is a
-- property of the asn1 compiler, not of this schema.
HDB-extension ::= SEQUENCE {
        mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
                                        --   if not the whole entry must
                                        --   be rejected
        data[1]          CHOICE {
	        pkinit-acl[0]			HDB-Ext-PKINIT-acl,
	        pkinit-cert-hash[1]  		HDB-Ext-PKINIT-hash,
		allowed-to-delegate-to[2]   HDB-Ext-Constrained-delegation-acl,
--		referral-info[3]		HDB-Ext-Referrals,
		lm-owf[4]			HDB-Ext-Lan-Manager-OWF,
		password[5]			HDB-Ext-Password,
		aliases[6]			HDB-Ext-Aliases,
		last-pw-change[7]		KerberosTime,	-- when the password last changed
	        pkinit-cert[8]  		HDB-Ext-PKINIT-cert,
	        hist-keys[9]			HDB-Ext-KeySet,	-- older key sets
		hist-kvno-diff-clnt[10]		INTEGER (0..4294967295),
							-- presumably how many kvnos older
							-- than current a client key may be
							-- and still be accepted; TODO confirm
		hist-kvno-diff-svc[11]		INTEGER (0..4294967295),
							-- same, for service keys (presumably)
	        policy[12]			UTF8String,	-- policy name, presumably as
							-- used by the admin tools
		principal-id[13]		INTEGER(-9223372036854775808..9223372036854775807),
							-- identifier with the full signed
							-- 64-bit range
		...
	},
	...
}

HDB-extensions ::= SEQUENCE OF HDB-extension

-- The per-principal database record.  Note that, unlike hdb_keyset and
-- HDB-extension, this SEQUENCE has no ... marker and is therefore not
-- extensible; that is presumably why new per-entry data is carried in
-- extensions[13] rather than as new fields here.
hdb_entry ::= SEQUENCE {
	principal[0]	Principal  OPTIONAL, -- this is optional only
					     -- for compatibility with libkrb5
					     -- (consumers must still cope with
					     -- it being absent)
	kvno[1]		INTEGER (0..4294967295),	-- current key version number
	keys[2]		Keys,				-- current keys; older ones live
							-- in the hist-keys extension
	created-by[3]	Event,				-- who created the entry, when
	modified-by[4]	Event OPTIONAL,			-- last modification, if any
	valid-start[5]	KerberosTime OPTIONAL,		-- entry not usable before this
	valid-end[6]	KerberosTime OPTIONAL,		-- entry not usable after this
	pw-end[7]	KerberosTime OPTIONAL,		-- presumably password expiry
	max-life[8]	INTEGER (0..4294967295) OPTIONAL,	-- presumably max ticket life
	max-renew[9]	INTEGER (0..4294967295) OPTIONAL,	-- presumably max renewable life
	flags[10]	HDBFlags,			-- policy bits, see HDBFlags
	etypes[11]	SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
							-- presumably permitted enctype
							-- numbers; TODO confirm
	generation[12]	GENERATION OPTIONAL,		-- change stamp, see GENERATION
        extensions[13]  HDB-extensions OPTIONAL		-- see HDB-extension
}

-- An alias record.  The [APPLICATION 0] tag lets a decoder tell an
-- alias apart from an hdb_entry; principal is presumably the entry the
-- alias refers to.
hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
	principal[0]	Principal  OPTIONAL
}

-- end of module HDB
END
153