
Difference between revisions of "Projects/PAC and principal APIs"

From K5Wiki
(new project)

Revision as of 14:49, 22 December 2008

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


The PAC and principal APIs project defines APIs that MIT Kerberos needs in order to interoperate in an Active Directory environment: handling the Windows PAC authorization data, parsing and comparing the principal name forms Windows uses, and requesting user-to-user tickets.

PAC API

Microsoft Windows uses a data structure called the PAC (Privilege Attribute Certificate) to convey authorization information, chiefly the client's account data and group membership, inside the ticket's authorization data. See the expired draft-brezak-win2k-krb-authz-00 for documentation; Microsoft now publishes the format as [MS-PAC]. The PAC is logically a set of type-length-value elements: a header table lists each buffer's type, length and offset into the PAC, and the buffers themselves are typically NDR encoded. Two of the buffers are keyed checksums, one computed with the service's key and one with the KDC's (krbtgt) key; a consumer must verify these before trusting any other buffer, since without them the PAC is just unauthenticated bytes. This API provides facilities to create and sign a PAC, to verify its checksums, and to extract a given typed buffer from a PAC. NDR encoders and decoders are not provided.

/*
 * Windows PAC
 */
struct krb5_pac_data;
typedef struct krb5_pac_data *krb5_pac;

krb5_error_code KRB5_CALLCONV
krb5_pac_add_buffer
(krb5_context context,
                krb5_pac pac,
                krb5_ui_4 type,
                const krb5_data *data);

void KRB5_CALLCONV
krb5_pac_free
(krb5_context context,
                krb5_pac pac);

krb5_error_code KRB5_CALLCONV
krb5_pac_get_buffer
(krb5_context context,
                krb5_pac pac,
                krb5_ui_4 type,
                krb5_data *data);

krb5_error_code KRB5_CALLCONV
krb5_pac_get_types
(krb5_context context,
                krb5_pac pac,
                size_t *len,
                krb5_ui_4 **types);

krb5_error_code KRB5_CALLCONV
krb5_pac_init
(krb5_context context,
                krb5_pac *pac);

krb5_error_code KRB5_CALLCONV
krb5_pac_parse
(krb5_context context,
                const void *ptr,
                size_t len,
                krb5_pac *pac);

krb5_error_code KRB5_CALLCONV
krb5_pac_verify
(krb5_context context,
                const krb5_pac pac,
                krb5_timestamp authtime,
                krb5_const_principal principal,
                const krb5_keyblock *server,
                const krb5_keyblock *privsvr);

The krb5_pac_parse function allocates a new PAC from its encoded form; the caller releases it with krb5_pac_free. Parsing only decodes the buffer table and checks that each buffer lies within the supplied data; it authenticates nothing, so a consumer must call krb5_pac_verify before acting on anything returned by krb5_pac_get_buffer. krb5_pac_verify checks the server checksum with the service key, checks the KDC checksum with the krbtgt key when privsvr is supplied (an application server does not hold that key and passes NULL, so only the KDC can perform that check), and checks that the client-info buffer matches the supplied authtime and client principal, which stops a PAC issued for one client from being reused in another client's ticket.


In addition, the following internal API is defined:

krb5_error_code KRB5_CALLCONV
krb5int_pac_sign(krb5_context context,
                 krb5_pac pac,
                 krb5_timestamp authtime,
                 krb5_const_principal principal,
                 const krb5_keyblock *server_key,
                 const krb5_keyblock *privsvr_key,
                 krb5_data *data);

This function signs the PAC with both keys and outputs its encoding. It is internal because only the KDC holds the krbtgt key needed to produce the privsvr checksum, so it is of no use to applications.
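To make the sign/parse/verify contract above concrete, here is an added example (not code from MIT Kerberos or this project) that implements the PAC wire format from [MS-PAC] in Python: sign_pac stands in for krb5int_pac_sign, parse_pac for krb5_pac_parse plus krb5_pac_get_types/krb5_pac_get_buffer, and verify_pac for krb5_pac_verify. It assumes RC4-HMAC keys, so the keyed checksum is the RFC 4757 HMAC-MD5 one (cksumtype -138, key usage 17) and other checksum types are rejected; the client principal is passed as its name without realm, which is how PAC_CLIENT_INFO carries it. The logon-info bytes, key bytes, client name and authtime used when running it are constructed placeholders.

```python
"""Minimal Windows PAC builder, parser and verifier (added example, not MIT code).
Layout per [MS-PAC]; checksum is the RFC 4757 HMAC-MD5 one for RC4-HMAC keys."""
import hashlib
import hmac
import struct

PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
PAC_CLIENT_INFO = 10
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # -138 stored as an unsigned ULONG
KEY_USAGE_PAC = 17                    # KERB_NON_KERB_CKSUM_SALT
SIG_LEN = 16                          # HMAC-MD5 checksum length


def hmac_md5_cksum(key, usage, data):
    """RFC 4757 section 4 keyed checksum for an RC4-HMAC key."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def encode_client_info(authtime, name):
    """PAC_CLIENT_INFO: FILETIME of the authtime + UTF-16LE name without realm."""
    filetime = (authtime + 11644473600) * 10_000_000
    wide = name.encode("utf-16-le")
    return struct.pack("<QH", filetime, len(wide)) + wide


def buffer_table(data):
    """Yield (type, size, offset) per PAC_INFO_BUFFER, bounds-checked first."""
    if len(data) < 8:
        raise ValueError("PAC shorter than its header")
    count, version = struct.unpack_from("<II", data, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    table_end = 8 + 16 * count
    if table_end > len(data):
        raise ValueError("buffer table runs past end of PAC")
    for i in range(count):
        btype, size, off = struct.unpack_from("<IIQ", data, 8 + 16 * i)
        if off < table_end or off + size > len(data):
            raise ValueError("buffer type %d points outside the PAC" % btype)
        yield btype, size, off


def parse_pac(data):
    """krb5_pac_parse + get_types/get_buffer view of a PAC: {type: bytes}."""
    bufs = {}
    for btype, size, off in buffer_table(data):
        if btype in bufs:
            raise ValueError("duplicate buffer type %d" % btype)
        bufs[btype] = bytes(data[off:off + size])
    return bufs


def sign_pac(buffers, server_key, kdc_key):
    """krb5int_pac_sign analogue: lay out buffers + two checksum buffers, sign."""
    sigbuf = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\0" * SIG_LEN
    entries = list(buffers) + [(PAC_SERVER_CHECKSUM, sigbuf),
                               (PAC_PRIVSVR_CHECKSUM, sigbuf)]
    table = bytearray(struct.pack("<II", len(entries), 0))
    body, body_start, sig_off = bytearray(), 8 + 16 * len(entries), {}
    for btype, raw in entries:
        body += b"\0" * (-len(body) % 8)                # 8-byte align buffers
        sig_off[btype] = body_start + len(body)
        table += struct.pack("<IIQ", btype, len(raw), sig_off[btype])
        body += raw
    pac = table + body
    # Server checksum covers the whole PAC with both Signature fields zeroed
    # (they still are here); the KDC checksum covers the server checksum only.
    srv = hmac_md5_cksum(server_key, KEY_USAGE_PAC, bytes(pac))
    s, k = sig_off[PAC_SERVER_CHECKSUM] + 4, sig_off[PAC_PRIVSVR_CHECKSUM] + 4
    pac[s:s + SIG_LEN] = srv
    pac[k:k + SIG_LEN] = hmac_md5_cksum(kdc_key, KEY_USAGE_PAC, srv)
    return bytes(pac)


def verify_pac(data, authtime, name, server_key, kdc_key=None):
    """krb5_pac_verify analogue: server checksum, KDC checksum when kdc_key is
    given (a service has no krbtgt key and passes None), and the CLIENT_INFO
    binding to this authtime and client name.  Any failure -> False."""
    try:
        bufs = parse_pac(data)
    except ValueError:
        return False
    need = {PAC_SERVER_CHECKSUM: 4 + SIG_LEN, PAC_PRIVSVR_CHECKSUM: 4 + SIG_LEN,
            PAC_CLIENT_INFO: 10}
    if any(len(bufs.get(t, b"")) < n for t, n in need.items()):
        return False
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        if struct.unpack_from("<I", bufs[t], 0)[0] != KERB_CHECKSUM_HMAC_MD5:
            return False                                # unsupported cksumtype
    zeroed = bytearray(data)
    for btype, size, off in buffer_table(data):
        if btype in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
            zeroed[off + 4:off + 4 + SIG_LEN] = b"\0" * SIG_LEN
    srv_sig = bufs[PAC_SERVER_CHECKSUM][4:4 + SIG_LEN]
    if not hmac.compare_digest(
            srv_sig, hmac_md5_cksum(server_key, KEY_USAGE_PAC, bytes(zeroed))):
        return False
    if kdc_key is not None and not hmac.compare_digest(
            bufs[PAC_PRIVSVR_CHECKSUM][4:4 + SIG_LEN],
            hmac_md5_cksum(kdc_key, KEY_USAGE_PAC, srv_sig)):
        return False
    return hmac.compare_digest(bufs[PAC_CLIENT_INFO],
                               encode_client_info(authtime, name))
```

The point to take from this: parse_pac only checks that offsets stay inside the data, so its output is untrusted until verify_pac succeeds; the server checksum is what binds every buffer, and the KDC checksum can only be checked by the KDC, so a service passes None for kdc_key. Flipping one byte of the logon-info buffer, changing the authtime, or presenting the PAC under another client name all make verify_pac return False.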

Principal parsing and comparison

Several principal parsing and comparison functions are introduced; most of them are compatible with the Heimdal functions of the same name.

#define KRB5_PRINCIPAL_UNPARSE_SHORT    1
#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 2
#define KRB5_PRINCIPAL_UNPARSE_DISPLAY  4
krb5_error_code KRB5_CALLCONV krb5_unparse_name_flags
        (krb5_context,
                krb5_const_principal,
                int,
                char **);
krb5_error_code KRB5_CALLCONV krb5_unparse_name_flags_ext
        (krb5_context,
                krb5_const_principal,
                int,
                char **,
                unsigned int *);
#define KRB5_PRINCIPAL_PARSE_NO_REALM   1
#define KRB5_PRINCIPAL_PARSE_MUST_REALM 2
#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4
krb5_error_code KRB5_CALLCONV krb5_parse_name_flags
        (krb5_context,
                const char *,
                int,
                krb5_principal * );

krb5_boolean KRB5_CALLCONV krb5_principal_compare_any_realm
        (krb5_context,
                krb5_const_principal,
                krb5_const_principal);
#define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM         1
#define KRB5_PRINCIPAL_COMPARE_ENTERPRISE           2 /* compare UPNs as real principals */
#define KRB5_PRINCIPAL_COMPARE_CASEFOLD             4 /* case-insensitive comparison */
#define KRB5_PRINCIPAL_COMPARE_UTF8                 8 /* treat principals as UTF-8 */

krb5_boolean KRB5_CALLCONV krb5_principal_compare_flags
        (krb5_context,
                krb5_const_principal,
                krb5_const_principal,
                int);
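As an added example (not MIT or Heimdal code) to pin down what the flags above do, the following Python models the three functions: a parser honouring NO_REALM, MUST_REALM and ENTERPRISE, an unparser honouring SHORT, NO_REALM and DISPLAY, and a comparison honouring IGNORE_REALM, ENTERPRISE and CASEFOLD, plus krb5_principal_compare_any_realm on top of it. Assumptions: a fixed DEFAULT_REALM stands in for the context's default realm; quoting covers only '/', '@' and backslash; the enterprise rule used here (in a UPN, '/' is literal and the first unquoted '@' belongs to the name, so the unparser leaves that '@' bare) is this example's own convention; CASEFOLD uses str.lower() and the UTF8 flag is not modelled. All names used when running it are constructed.

```python
"""Model of krb5_parse_name_flags / krb5_unparse_name_flags /
krb5_principal_compare_flags semantics (added example, not MIT code)."""

KRB5_PRINCIPAL_PARSE_NO_REALM = 1
KRB5_PRINCIPAL_PARSE_MUST_REALM = 2
KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4
KRB5_PRINCIPAL_UNPARSE_SHORT = 1
KRB5_PRINCIPAL_UNPARSE_NO_REALM = 2
KRB5_PRINCIPAL_UNPARSE_DISPLAY = 4
KRB5_PRINCIPAL_COMPARE_IGNORE_REALM = 1
KRB5_PRINCIPAL_COMPARE_ENTERPRISE = 2
KRB5_PRINCIPAL_COMPARE_CASEFOLD = 4
KRB5_NT_PRINCIPAL = 1
KRB5_NT_ENTERPRISE_PRINCIPAL = 10
DEFAULT_REALM = "EXAMPLE.COM"   # assumed; stands in for the context default realm


class Principal:
    """Components, realm and name type, as in krb5_principal_data."""
    def __init__(self, components, realm, name_type=KRB5_NT_PRINCIPAL):
        self.components, self.realm, self.name_type = components, realm, name_type

    def __eq__(self, other):
        return ((self.components, self.realm, self.name_type) ==
                (other.components, other.realm, other.name_type))


def parse_name_flags(name, flags):
    """Enterprise (UPN) rule used here: '/' is literal and the first unquoted
    '@' belongs to the name; the next unquoted '@' starts the realm."""
    enterprise = bool(flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE)
    comps, cur, in_realm, seen_at, i = [], [], False, False, 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):          # backslash-quoted char
            cur.append(name[i + 1])
            i += 2
            continue
        if in_realm and c in "/@":
            raise ValueError("unquoted %r in realm" % c)
        if not in_realm and c == "/" and not enterprise:
            comps.append("".join(cur))               # component separator
            cur = []
        elif not in_realm and c == "@" and (seen_at or not enterprise):
            comps.append("".join(cur))               # realm separator
            cur, in_realm = [], True
        else:
            seen_at = seen_at or c == "@"
            cur.append(c)
        i += 1
    if in_realm:
        if flags & KRB5_PRINCIPAL_PARSE_NO_REALM:
            raise ValueError("realm present but NO_REALM requested")
        realm = "".join(cur)
    else:
        if flags & KRB5_PRINCIPAL_PARSE_MUST_REALM:
            raise ValueError("realm required but missing")
        comps.append("".join(cur))
        realm = "" if flags & KRB5_PRINCIPAL_PARSE_NO_REALM else DEFAULT_REALM
    ntype = KRB5_NT_ENTERPRISE_PRINCIPAL if enterprise else KRB5_NT_PRINCIPAL
    return Principal(comps, realm, ntype)


def _quote(s, enterprise):
    """Inverse of the parser's quoting; the first '@' of a UPN stays bare."""
    out, first_at = [], True
    for c in s:
        if c == "\\" or (c == "/" and not enterprise) or \
                (c == "@" and not (enterprise and first_at)):
            out.append("\\" + c)
        else:
            first_at = first_at and c != "@"
            out.append(c)
    return "".join(out)


def unparse_name_flags(p, flags):
    """SHORT drops a realm equal to the default; NO_REALM always drops it;
    DISPLAY emits components unquoted (for humans, never for re-parsing)."""
    ent = p.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL
    display = flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY
    qc = (lambda s: s) if display else (lambda s: _quote(s, ent))
    qr = (lambda s: s) if display else (lambda s: _quote(s, False))
    out = "/".join(qc(c) for c in p.components)
    if flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM or \
            (flags & KRB5_PRINCIPAL_UNPARSE_SHORT and p.realm == DEFAULT_REALM):
        return out
    return out + "@" + qr(p.realm)


def _as_real_principal(p):
    """COMPARE_ENTERPRISE: reparse a one-component UPN as an ordinary principal."""
    if p.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL and len(p.components) == 1:
        return parse_name_flags(p.components[0], 0)
    return p


def principal_compare_flags(a, b, flags):
    """Name type itself is not compared, matching the existing compare APIs."""
    if flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE:
        a, b = _as_real_principal(a), _as_real_principal(b)
    fold = (lambda s: s.lower()) if flags & KRB5_PRINCIPAL_COMPARE_CASEFOLD else (lambda s: s)
    if [fold(c) for c in a.components] != [fold(c) for c in b.components]:
        return False
    return bool(flags & KRB5_PRINCIPAL_COMPARE_IGNORE_REALM) or fold(a.realm) == fold(b.realm)


def principal_compare_any_realm(a, b):
    return principal_compare_flags(a, b, KRB5_PRINCIPAL_COMPARE_IGNORE_REALM)
```

Two behaviours worth noticing: "alice@corp.example.com@EXAMPLE.COM" is a parse error without the ENTERPRISE flag (an unquoted '@' inside the realm) and a one-component enterprise principal with it, and that enterprise principal compares equal to the ordinary principal alice@corp.example.com only when COMPARE_ENTERPRISE is given. DISPLAY output is not round-trippable, which is why it is a separate flag.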

User to User tickets

The following flags are defined for krb5_get_credentials:

#define KRB5_GC_USER_USER       1       /* want user-user ticket */
#define KRB5_GC_CANONICALIZE    4       /* set canonicalize KDC option */

With KRB5_GC_USER_USER, krb5_get_credentials looks in the ccache for (or requests from the KDC) a user-to-user ticket: one encrypted in the session key of the server's TGT, which the client supplies as the additional ticket, rather than in the server's long-term key. KRB5_GC_CANONICALIZE sets the canonicalize KDC option on the request so that the KDC may return the canonical form of the requested name.

Constants

/* Name in form of SMTP email name */
#define KRB5_NT_SMTP_NAME               7
/* Windows 2000 UPN */
#define KRB5_NT_ENTERPRISE_PRINCIPAL    10
/* Windows 2000 UPN and SID */
#define KRB5_NT_MS_PRINCIPAL            -128
/* NT 4 style name */
#define KRB5_NT_MS_PRINCIPAL_AND_ID     -129
/* NT 4 style name and SID */
#define KRB5_NT_ENT_PRINCIPAL_AND_ID    -130
#define ADDRTYPE_NETBIOS        0x0014
#define KDC_OPT_CNAME_IN_ADDL_TKT       0x00020000
#define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /*Microsoft netlogon cksumtype*/
#define KRB5_PADATA_SVR_REFERRAL_INFO   20 /* Windows 2000 referrals */
#define KRB5_PADATA_PAC_REQUEST         128 /* include Windows PAC */
#define KRB5_PADATA_FOR_USER            129 /* username protocol transition request */
#define KRB5_PADATA_S4U_X509_USER       130 /* certificate protocol transition request */
#define KRB5_AUTHDATA_WIN2K_PAC 128
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129     /* RFC 4537 */