Projects/PAC and principal APIs
An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on January 10, 2009.
Comments can be sent to krbdev@mit.edu.
The PAC and principal APIs project defines some APIs that are useful in an Active Directory environment.
PAC API
Microsoft Windows uses a data structure called the PAC in order to convey authorization information. See the expired draft-brezak-win2k-krb-authz-00 for documentation. The PAC is logically a set of type-length-value elements. That is, it is a collection of typed data items, and lengths are associated with each type. Typically the data items are NDR encoded. This API provides facilities to create and sign a PAC and to extract a given typed buffer from a PAC. NDR encoders and decoders are not provided.
/*
 * Windows PAC
 */
struct krb5_pac_data;
typedef struct krb5_pac_data *krb5_pac;

/* Add a buffer of the given type to a PAC. */
krb5_error_code KRB5_CALLCONV
krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type,
                    const krb5_data *data);

void KRB5_CALLCONV
krb5_pac_free(krb5_context context, krb5_pac pac);

/* Extract the buffer of the given type from a PAC. */
krb5_error_code KRB5_CALLCONV
krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type,
                    krb5_data *data);

/* List the types of the buffers present in a PAC. */
krb5_error_code KRB5_CALLCONV
krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t *len,
                   krb5_ui_4 **types);

krb5_error_code KRB5_CALLCONV
krb5_pac_init(krb5_context context, krb5_pac *pac);

/* Parse an encoded PAC into a newly allocated krb5_pac. */
krb5_error_code KRB5_CALLCONV
krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
               krb5_pac *pac);

/* Verify a PAC against the server key and the privileged-server (KDC) key. */
krb5_error_code KRB5_CALLCONV
krb5_pac_verify(krb5_context context, const krb5_pac pac,
                krb5_timestamp authtime, krb5_const_principal principal,
                const krb5_keyblock *server, const krb5_keyblock *privsvr);
The krb5_pac_parse function will allocate a new PAC.
In addition, the following internal API is defined:
krb5_error_code KRB5_CALLCONV
krb5int_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
                 krb5_const_principal principal,
                 const krb5_keyblock *server_key,
                 const krb5_keyblock *privsvr_key, krb5_data *data);
This function signs and outputs a PAC. It is internal because it is only useful in the KDC.
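As an added illustration of what this API does (this is not code from MIT krb5), the following Python model builds, signs, parses and verifies a PAC the way krb5int_pac_sign, krb5_pac_parse, krb5_pac_get_buffer and krb5_pac_verify do. The PACTYPE layout, the buffer type numbers, the HMAC-MD5 checksum and the key usages 17 and 18 are taken from MS-PAC and RFC 4757 and are assumptions of this example, since the page only lists the C declarations; the keys and the logon-info bytes are constructed. The parse step rejects buffer table entries that point outside the encoded PAC, which is the check a parser of attacker-supplied authorization data must make before anything else.

```python
import hashlib
import hmac
import struct

# Buffer types, checksum type and key usages per MS-PAC and RFC 4757; they are
# assumptions of this example, the page itself only lists the C API.
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
PAC_CLIENT_INFO = 10
CKSUMTYPE_HMAC_MD5 = 0xFFFFFF76      # -138 as an unsigned 32-bit SignatureType
KEYUSAGE_PAC_SERVER = 17
KEYUSAGE_PAC_PRIVSVR = 18
SIG_LEN = 16                          # HMAC-MD5 signature length

def rc4_hmac_checksum(key, usage, data):
    """HMAC-MD5 keyed checksum for RC4-HMAC keys (RFC 4757 section 3)."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def client_info(authtime, name):
    """PAC_CLIENT_INFO: authtime as a FILETIME, then a UTF-16LE name with a 2-byte length."""
    filetime = (authtime + 11644473600) * 10_000_000
    utf16 = name.encode("utf-16-le")
    return struct.pack("<QH", filetime, len(utf16)) + utf16

def pac_encode(buffers):
    """Serialize [(type, bytes)] as PACTYPE: cBuffers, Version=0, one 16-byte
    PAC_INFO_BUFFER (type, size, offset) per buffer, then 8-byte aligned data."""
    table_end = 8 + 16 * len(buffers)
    head, body = bytearray(struct.pack("<II", len(buffers), 0)), bytearray()
    for btype, data in buffers:
        head += struct.pack("<IIQ", btype, len(data), table_end + len(body))
        body += data + b"\0" * (-len(data) % 8)
    return bytes(head + body)

def pac_parse(blob):
    """Parse a PAC into [(type, data, offset)], rejecting table entries that
    point outside the blob; this is the bounds checking a PAC parser must do."""
    if len(blob) < 8:
        raise ValueError("truncated PAC header")
    count, version = struct.unpack_from("<II", blob, 0)
    table_end = 8 + 16 * count
    if version != 0 or table_end > len(blob):
        raise ValueError("bad PAC version or oversized buffer table")
    entries = []
    for i in range(count):
        btype, size, off = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if off < table_end or off + size > len(blob):
            raise ValueError("PAC buffer %d lies outside the PAC" % i)
        entries.append((btype, bytes(blob[off:off + size]), off))
    return entries

def pac_get_buffer(blob, btype):
    """Data of the first buffer of the given type (cf. krb5_pac_get_buffer)."""
    for t, data, _ in pac_parse(blob):
        if t == btype:
            return data
    raise KeyError(btype)

def _sig_offsets(blob):
    """Offsets of the two Signature fields, just past their 4-byte SignatureType."""
    offs = {t: off + 4 for t, _, off in pac_parse(blob)
            if t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM)}
    if len(offs) != 2:
        raise ValueError("PAC lacks a server or KDC checksum buffer")
    return offs[PAC_SERVER_CHECKSUM], offs[PAC_PRIVSVR_CHECKSUM]

def pac_sign(buffers, server_key, privsvr_key):
    """Append zeroed checksum buffers, sign the whole PAC with the service key,
    then sign that signature with the KDC key (cf. krb5int_pac_sign)."""
    empty = struct.pack("<I", CKSUMTYPE_HMAC_MD5) + b"\0" * SIG_LEN
    blob = bytearray(pac_encode(list(buffers) + [(PAC_SERVER_CHECKSUM, empty),
                                                 (PAC_PRIVSVR_CHECKSUM, empty)]))
    srv, kdc = _sig_offsets(blob)
    srv_sig = rc4_hmac_checksum(server_key, KEYUSAGE_PAC_SERVER, bytes(blob))
    blob[srv:srv + SIG_LEN] = srv_sig
    blob[kdc:kdc + SIG_LEN] = rc4_hmac_checksum(privsvr_key, KEYUSAGE_PAC_PRIVSVR, srv_sig)
    return bytes(blob)

def pac_verify(blob, authtime, principal, server_key, privsvr_key=None):
    """Check the client info, then the server signature over the PAC with both
    signature fields zeroed; also check the KDC signature when the privileged
    server key is supplied (cf. krb5_pac_verify).  Returns True or False."""
    try:
        if pac_get_buffer(blob, PAC_CLIENT_INFO) != client_info(authtime, principal):
            return False
        srv, kdc = _sig_offsets(blob)
    except (ValueError, KeyError):
        return False
    zeroed = bytearray(blob)
    zeroed[srv:srv + SIG_LEN] = b"\0" * SIG_LEN
    zeroed[kdc:kdc + SIG_LEN] = b"\0" * SIG_LEN
    srv_sig = bytes(blob[srv:srv + SIG_LEN])
    if not hmac.compare_digest(srv_sig, rc4_hmac_checksum(server_key, KEYUSAGE_PAC_SERVER, bytes(zeroed))):
        return False
    if privsvr_key is not None and not hmac.compare_digest(
            bytes(blob[kdc:kdc + SIG_LEN]), rc4_hmac_checksum(privsvr_key, KEYUSAGE_PAC_PRIVSVR, srv_sig)):
        return False
    return True

def demo():
    """Constructed keys and buffers; returns (genuine PAC verifies, tampered PAC verifies)."""
    server_key, krbtgt_key = b"S" * 16, b"K" * 16
    authtime, who = 1230768000, "alice"
    pac = pac_sign([(PAC_LOGON_INFO, b"<constructed stand-in for NDR logon info>"),
                    (PAC_CLIENT_INFO, client_info(authtime, who))], server_key, krbtgt_key)
    ok = pac_verify(pac, authtime, who, server_key, krbtgt_key)
    tampered = bytearray(pac)
    tampered[pac_parse(pac)[0][2]] ^= 1     # flip a bit inside the logon info buffer
    return ok, pac_verify(bytes(tampered), authtime, who, server_key, krbtgt_key)
```

The service only holds its own key, so in practice it verifies the server signature and leaves privsvr_key unset; the KDC signature is what a KDC checks when it receives a PAC back (for example in a TGS request), which is why the signing routine is internal to the KDC on this page. NDR encoding of the logon information is deliberately out of scope here, as it is for the API itself.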
Principal parsing and comparison
Several principal parsing and comparison functions are introduced; some of them are Heimdal-compatible.
#define KRB5_PRINCIPAL_UNPARSE_SHORT 1 /* Omit realm if it is the local realm */
#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 2 /* Omit realm always */
#define KRB5_PRINCIPAL_UNPARSE_DISPLAY 4 /* Don't escape special characters */

krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags(krb5_context, krb5_const_principal, int, char **);

krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags_ext(krb5_context, krb5_const_principal, int, char **,
                            unsigned int *);

#define KRB5_PRINCIPAL_PARSE_NO_REALM 1 /* Error if realm is present */
#define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 2 /* Error if realm is not present */
#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4 /* Create single-component enterprise principal */

krb5_error_code KRB5_CALLCONV
krb5_parse_name_flags(krb5_context, const char *, int, krb5_principal *);

krb5_boolean KRB5_CALLCONV
krb5_principal_compare_any_realm(krb5_context, krb5_const_principal,
                                 krb5_const_principal);

#define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1
#define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /* compare UPNs as real principals */
#define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /* case-insensitive comparison */
#define KRB5_PRINCIPAL_COMPARE_UTF8 8 /* treat principals as UTF-8 */

krb5_boolean KRB5_CALLCONV
krb5_principal_compare_flags(krb5_context, krb5_const_principal,
                             krb5_const_principal, int);
User to User tickets
The following flags are defined for krb5_get_credentials:

#define KRB5_GC_USER_USER 1 /* want user-user ticket */
#define KRB5_GC_CANONICALIZE 4 /* set canonicalize KDC option */

The KRB5_GC_USER_USER flag makes krb5_get_credentials search the ccache for a credential encrypted in the right TGT.
Constants
/* Name in form of SMTP email name */
#define KRB5_NT_SMTP_NAME 7
/* Windows 2000 UPN */
#define KRB5_NT_ENTERPRISE_PRINCIPAL 10
/* Windows 2000 UPN and SID */
#define KRB5_NT_MS_PRINCIPAL -128
/* NT 4 style name */
#define KRB5_NT_MS_PRINCIPAL_AND_ID -129
/* NT 4 style name and SID */
#define KRB5_NT_ENT_PRINCIPAL_AND_ID -130

#define ADDRTYPE_NETBIOS 0x0014

#define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000

#define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /* Microsoft netlogon cksumtype */

#define KRB5_PADATA_SVR_REFERRAL_INFO 20 /* Windows 2000 referrals */
#define KRB5_PADATA_PAC_REQUEST 128 /* include Windows PAC */
#define KRB5_PADATA_FOR_USER 129 /* username protocol transition request */
#define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */

#define KRB5_AUTHDATA_WIN2K_PAC 128
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
Review
This section documents the review of the project according to Project policy. It is divided into multiple sections. First, approvals should be listed. To list an approval, type
- #~~~~
on its own line. The next section is for discussion. Use standard talk page conventions. In particular, sign comments with
- --~~~~
and indent replies.
Members of Krbcore raising Blocking objections should preface their comment with {{project-block}}. The member who raised the objection should remove this markup when their objection is handled.
Approvals
Greg Hudson, December 30, 2008