5 IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
7 HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
8 -- update when making changes
10 -- these must have the same value as the pa-* counterparts
11 hdb-pw-salt INTEGER ::= 3
12 hdb-afs3-salt INTEGER ::= 10
15 type[0] INTEGER (0..4294967295),
17 opaque[2] OCTET STRING OPTIONAL
21 mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
28 principal[1] Principal OPTIONAL
31 HDBFlags ::= BIT STRING {
32 initial(0), -- require as-req
33 forwardable(1), -- may issue forwardable
34 proxiable(2), -- may issue proxiable
35 renewable(3), -- may issue renewable
36 postdate(4), -- may issue postdatable
37 server(5), -- may be server
38 client(6), -- may be client
39 invalid(7), -- entry is invalid
40 require-preauth(8), -- must use preauth
41 change-pw(9), -- change password service
42 require-hwauth(10), -- must use hwauth
43 ok-as-delegate(11), -- as in TicketFlags
44 user-to-user(12), -- may use user-to-user auth
45 immutable(13), -- may not be deleted
46 trusted-for-delegation(14), -- Trusted to print forwardabled tickets
47 allow-kerberos4(15), -- Allow Kerberos 4 requests
48 allow-digest(16), -- Allow digest requests
49 locked-out(17), -- Account is locked out,
50 -- authentication will be denied
51 require-pwchange(18), -- require a passwd change
53 materialize(19), -- store even if within virtual namespace
54 virtual-keys(20), -- entry stored; keys mostly derived
55 virtual(21), -- entry not stored; keys always derived
56 synthetic(22), -- entry not stored; for PKINIT
57 no-auth-data-reqd(23), -- omit PAC from service tickets
59 force-canonicalize(30), -- force the KDC to return the canonical
60 -- principal irrespective of the setting
61 -- of the canonicalize KDC option
62 do-not-store(31) -- Not to be modified and stored in HDB
65 GENERATION ::= SEQUENCE {
66 time[0] KerberosTime, -- timestamp
67 usec[1] INTEGER (0..4294967295), -- microseconds
68 gen[2] INTEGER (0..4294967295) -- generation number
71 HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
72 subject[0] UTF8String,
73 issuer[1] UTF8String OPTIONAL,
74 anchor[2] UTF8String OPTIONAL
77 HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
78 digest-type[0] OBJECT IDENTIFIER,
79 digest[1] OCTET STRING
82 HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
86 HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
88 -- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
90 HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
92 HDB-Ext-Password ::= SEQUENCE {
93 mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
97 HDB-Ext-Aliases ::= SEQUENCE {
98 case-insensitive[0] BOOLEAN, -- case insensitive name allowed
99 aliases[1] SEQUENCE OF Principal -- all names, inc primary
102 Keys ::= SEQUENCE OF Key
104 HDB_keyset ::= SEQUENCE {
105 kvno[0] INTEGER (0..4294967295),
107 set-time[2] KerberosTime OPTIONAL, -- time this keyset was created/set
111 HDB-Ext-KeySet ::= SEQUENCE OF HDB_keyset
114 -- We need a function of current (or given, but it will always be current) time
115 -- and a base hdb_entry or its HDB-Ext-KeyRotation and service ticket lifetime,
116 -- that outputs a sequence of {kvno, set_time, max_life} representing past keys
117 -- (up to one per past and current KeyRotation), current keys (for the current
118 -- KeyRotation), up to one future key for the current KeyRotation, and up to
119 -- one future key for the _next_ (future) KeyRotation if there is one.
121 -- We have to impose constraints on new KeyRotation elements of
122 -- HDB-Ext-KeyRotation.
124 -- So virtual keysets (keytabs) will contain:
126 -- - up to one past keyset for all KeyRotation periods that are "applicable"
127 -- - the current keyset for all KeyRotation periods that are "applicable"
128 -- - up to one future keyset for all KeyRotation periods that are "applicable"
130 -- An applicable KeyRotation period is:
132 -- - the KeyRotation whose `epoch` is a) in the past and b) nearest to the
133 -- current time - we call this the current KeyRotation
134 -- - a KeyRotation whose `epoch` is nearest but in the past of the current
136 -- - a KeyRotation whose `epoch` is nearest but in the future of the current
139 -- A service principal's max ticket life will be bounded by half the current
140 -- key rotation period.
142 -- Note: There can be more than one applicable past KeyRotation, and more than
143 -- one applicable KeyRotation. We might not want to permit this.
144 -- However, it's probably easier to permit it, though we might not test
149 -- - We should have standalone unit tests for all these pure functions.
151 -- - We should have a test that uses kadm5 and GSS to test against a KDC using
152 -- small key rotation periods on the order of seconds, with back-off in case
153 -- of losing a race condition.
155 KeyRotationFlags ::= BIT STRING {
156 deleted(0), -- if set on a materialized principal, this will mean
157 -- the principal does not exist
158 -- if set on a namespace, this will mean that
159 -- only materialized principal below it exist
160 parent(1) -- if set on a materialized principal, this will mean
161 -- that the keys for kvnos in this KeyRotation spec
162 -- will be derived from the parent's base keys and
163 -- corresponding KeyRotation spec
164 -- if set on a namespace, this flag will be ignored
165 -- (or we could support nested namespaces?)
167 KeyRotation ::= SEQUENCE {
168 -- base-kvno is always computed at set time and set for the principal,
169 -- and is never subject to admin choice. The base-kvno is that of the
170 -- current kvno at that period's `from` given the previous period.
172 -- Also, insertion of KeyRotation elements before existing ones (in
173 -- time) is never permitted, and all new KeyRotation elements must be
174 -- in the future relative to existing ones.
176 -- HDB-Ext-KeyRotation will always be sorted (as stored) by `from`, in
179 -- Max service ticket lifetime will be constrained to no more than half
180 -- the period of the the applicable KeyRotation elements.
182 flags[0] KeyRotationFlags,
183 epoch[1] KerberosTime, -- start of this period
184 period[2] INTEGER(0..4294967295), -- key rotation seconds
185 base-kvno[3] INTEGER(0..4294967295), -- starting from this kvno
186 base-key-kvno[4]INTEGER(0..4294967295), -- kvno of base-key
190 HDB-Ext-KeyRotation ::= SEQUENCE SIZE (1..3) OF KeyRotation
192 HDB-extension ::= SEQUENCE {
193 mandatory[0] BOOLEAN, -- kdc MUST understand this extension,
194 -- if not the whole entry must
197 pkinit-acl[0] HDB-Ext-PKINIT-acl,
198 pkinit-cert-hash[1] HDB-Ext-PKINIT-hash,
199 allowed-to-delegate-to[2] HDB-Ext-Constrained-delegation-acl,
200 -- referral-info[3] HDB-Ext-Referrals,
201 lm-owf[4] HDB-Ext-Lan-Manager-OWF,
202 password[5] HDB-Ext-Password,
203 aliases[6] HDB-Ext-Aliases,
204 last-pw-change[7] KerberosTime,
205 pkinit-cert[8] HDB-Ext-PKINIT-cert,
206 hist-keys[9] HDB-Ext-KeySet,
207 hist-kvno-diff-clnt[10] INTEGER (0..4294967295),
208 hist-kvno-diff-svc[11] INTEGER (0..4294967295),
209 policy[12] UTF8String,
210 principal-id[13] INTEGER(-9223372036854775808..9223372036854775807),
211 key-rotation[14] HDB-Ext-KeyRotation,
212 krb5-config[15] OCTET STRING,
218 HDB-extensions ::= SEQUENCE OF HDB-extension
220 -- Just for convenience, for encoding this as TL data in lib/kadm5
221 HDB-EncTypeList ::= SEQUENCE OF INTEGER (0..4294967295)
223 HDB_entry ::= SEQUENCE {
224 principal[0] Principal OPTIONAL, -- this is optional only
225 -- for compatibility with libkrb5
226 kvno[1] INTEGER (0..4294967295),
229 modified-by[4] Event OPTIONAL,
230 valid-start[5] KerberosTime OPTIONAL,
231 valid-end[6] KerberosTime OPTIONAL,
232 pw-end[7] KerberosTime OPTIONAL,
233 max-life[8] INTEGER (0..4294967295) OPTIONAL,
234 max-renew[9] INTEGER (0..4294967295) OPTIONAL,
236 etypes[11] HDB-EncTypeList OPTIONAL,
237 generation[12] GENERATION OPTIONAL,
238 extensions[13] HDB-extensions OPTIONAL
241 HDB_entry_alias ::= [APPLICATION 0] SEQUENCE {
242 principal[0] Principal OPTIONAL
245 HDB-EntryOrAlias ::= CHOICE {
247 alias HDB_entry_alias