Default to false(?), at least default to something.
1 -- $Id$
2 HDB DEFINITIONS ::=
3 BEGIN
5 IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
-- Format version of the stored database.  Per the note below, bump it
-- whenever a change to the definitions in this module alters what is stored.
HDB_DB_FORMAT INTEGER ::= 2     -- format of database,
                                -- update when making changes
-- Salt type values used in Salt.type below.  They must stay numerically
-- identical to the pa-* (pre-authentication) counterparts defined elsewhere;
-- changing either side alone silently breaks salt interpretation.
hdb-pw-salt     INTEGER ::= 3
hdb-afs3-salt   INTEGER ::= 10
-- Salt carried alongside a Key (see Key.salt).  'type' takes one of the
-- hdb-*-salt values above; 'salt' is the salt bytes themselves; 'opaque'
-- is extra data whose meaning this module does not define.
Salt ::= SEQUENCE {
        type[0]         INTEGER (0..4294967295),
        salt[1]         OCTET STRING,
        opaque[2]       OCTET STRING OPTIONAL
}
-- One key belonging to a principal.  'key' is the EncryptionKey type
-- imported from krb5; 'salt' is the Salt that accompanies it, if any.
-- NOTE(review): mkvno presumably names the master key version under which
-- the key material is stored -- confirm against the hdb code before relying
-- on that reading.
Key ::= SEQUENCE {
        mkvno[0]        INTEGER (0..4294967295) OPTIONAL, -- master key version number
        key[1]          EncryptionKey,
        salt[2]         Salt OPTIONAL
}
-- When something happened and, optionally, which principal did it.
-- Used for created-by / modified-by in hdb_entry.  Because 'principal' is
-- OPTIONAL, an Event does not always identify an actor.
Event ::= SEQUENCE {
        time[0]         KerberosTime,
        principal[1]    Principal OPTIONAL
}
-- Per-entry policy bits.  Bit positions are part of the stored encoding:
-- never renumber an existing bit; add new flags by appending new positions.
-- Bits 7 (invalid) and 17 (locked-out) are deny bits; the remaining bits
-- either grant a capability ("may ...") or impose a requirement ("must ...").
HDBFlags ::= BIT STRING {
        initial(0),                     -- require as-req
        forwardable(1),                 -- may issue forwardable
        proxiable(2),                   -- may issue proxiable
        renewable(3),                   -- may issue renewable
        postdate(4),                    -- may issue postdatable
        server(5),                      -- may be server
        client(6),                      -- may be client
        invalid(7),                     -- entry is invalid
        require-preauth(8),             -- must use preauth
        change-pw(9),                   -- change password service
        require-hwauth(10),             -- must use hwauth
        ok-as-delegate(11),             -- as in TicketFlags
        user-to-user(12),               -- may use user-to-user auth
        immutable(13),                  -- may not be deleted
        trusted-for-delegation(14),     -- Trusted to print forwardable tickets
        allow-kerberos4(15),            -- Allow Kerberos 4 requests
        allow-digest(16),               -- Allow digest requests
        locked-out(17)                  -- Account is locked out,
                                        -- authentication will be denied
}
-- Generation counter paired with the time it was set; carried in
-- hdb_entry.generation.
GENERATION ::= SEQUENCE {
        time[0]         KerberosTime,                   -- timestamp
        usec[1]         INTEGER (0..4294967295),        -- microseconds
        gen[2]          INTEGER (0..4294967295)         -- generation number
}
-- PKINIT access-control list: each element names a certificate subject,
-- optionally restricted to a particular issuer and/or trust anchor.
-- NOTE(review): the fields are plain UTF8String; how they are matched
-- against a presented certificate (exact vs. normalised comparison) is
-- decided by the consuming code, not by this schema -- check there.
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
        subject[0]      UTF8String,
        issuer[1]       UTF8String OPTIONAL,
        anchor[2]       UTF8String OPTIONAL
}
-- Binds the principal to client certificates by digest: 'digest-type' is
-- the OID of the hash algorithm and 'digest' the certificate hash.  The
-- binding is only as strong as the algorithm named in digest-type.
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
        digest-type[0] OBJECT IDENTIFIER,
        digest[1] OCTET STRING
}
-- Client certificates bound to the principal, each carried verbatim as an
-- OCTET STRING (the certificate encoding is not stated here; presumably DER
-- -- confirm against the consuming code).
HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
        cert[0] OCTET STRING
}
-- Principals this entry is allowed to delegate to; carried as the
-- allowed-to-delegate-to alternative of HDB-extension.
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
76 -- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
-- Stored LAN Manager one-way-function value for the principal.
-- NOTE(review): the LM hash is widely regarded as weak; treat this
-- extension as sensitive at rest and avoid populating it unless required.
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
-- Stored password for the principal.  Note that 'password' carries no
-- context tag, unlike every other field in this module; keep it that way,
-- since adding a tag changes the encoding of existing entries.
-- NOTE(review): mkvno presumably indicates the master key version used to
-- protect 'password'; this schema does not say how the value is protected
-- when mkvno is absent -- confirm in the hdb code.
HDB-Ext-Password ::= SEQUENCE {
        mkvno[0]        INTEGER (0..4294967295) OPTIONAL, -- master key version number
        password        OCTET STRING
}
-- Alternative names for the principal.  'aliases' lists all names,
-- including the primary one; 'case-insensitive' permits case-insensitive
-- name matching for this entry.
HDB-Ext-Aliases ::= SEQUENCE {
        case-insensitive[0]     BOOLEAN, -- case insensitive name allowed
        aliases[1]              SEQUENCE OF Principal -- all names, inc primary
}
-- A single extension record attached to an hdb_entry.
-- 'mandatory' is the fail-closed switch: a KDC that does not understand a
-- mandatory extension must reject the whole entry rather than ignore it.
-- CHOICE tag numbers are part of the stored encoding; tag [3] is reserved by
-- the commented-out referral-info alternative and should not be reused.
-- Both the CHOICE and the enclosing SEQUENCE are extensible ("...").
HDB-extension ::= SEQUENCE {
        mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
                                        --   if not the whole entry must
                                        --   be rejected
        data[1]          CHOICE {
                pkinit-acl[0]                   HDB-Ext-PKINIT-acl,
                pkinit-cert-hash[1]             HDB-Ext-PKINIT-hash,
                allowed-to-delegate-to[2]   HDB-Ext-Constrained-delegation-acl,
--              referral-info[3]                HDB-Ext-Referrals,
                lm-owf[4]                       HDB-Ext-Lan-Manager-OWF,
                password[5]                     HDB-Ext-Password,
                aliases[6]                      HDB-Ext-Aliases,
                last-pw-change[7]               KerberosTime,
                pkinit-cert[8]                  HDB-Ext-PKINIT-cert,
                ...
        },
        ...
}
-- The list of extensions carried in hdb_entry.extensions.
HDB-extensions ::= SEQUENCE OF HDB-extension
-- A set of keys sharing one key version number.
-- NOTE: the context tags are not in field order (kvno is [1], keys is [0]).
-- This is part of the encoding; do not "tidy" the numbering.
hdb_keyset ::= SEQUENCE {
        kvno[1]         INTEGER (0..4294967295),
        keys[0]         SEQUENCE OF Key
}
-- One database entry describing a principal.
-- principal:     OPTIONAL only for libkrb5 compatibility (see note below).
-- kvno / keys:   current key version number and the keys for it.
-- created-by / modified-by: audit trail of who created / last changed the
--                entry and when (modified-by may be absent).
-- valid-start / valid-end: window during which the entry may be used;
--                pw-end: when the password expires.
-- max-life / max-renew: limits on ticket lifetime and renewable lifetime
--                (units are not stated here; presumably seconds -- confirm).
-- flags:         HDBFlags policy bits (the deny bits live here).
-- etypes:        presumably the enctypes permitted for this entry -- confirm.
-- extensions:    optional HDB-extensions; an entry carrying a mandatory
--                extension the KDC does not understand must be rejected.
hdb_entry ::= SEQUENCE {
        principal[0]    Principal  OPTIONAL, -- this is optional only
                                             -- for compatibility with libkrb5
        kvno[1]         INTEGER (0..4294967295),
        keys[2]         SEQUENCE OF Key,
        created-by[3]   Event,
        modified-by[4]  Event OPTIONAL,
        valid-start[5]  KerberosTime OPTIONAL,
        valid-end[6]    KerberosTime OPTIONAL,
        pw-end[7]       KerberosTime OPTIONAL,
        max-life[8]     INTEGER (0..4294967295) OPTIONAL,
        max-renew[9]    INTEGER (0..4294967295) OPTIONAL,
        flags[10]       HDBFlags,
        etypes[11]      SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
        generation[12]  GENERATION OPTIONAL,
        extensions[13]  HDB-extensions OPTIONAL
}
135 hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
136         principal[0]    Principal  OPTIONAL