kerberos_parser/krb5.rs
1//! Kerberos 5 structures
2//!
3//! - [RFC1510](https://tools.ietf.org/html/rfc1510) The Kerberos Network Authentication Service (V5)
4//! - [RFC3961](https://tools.ietf.org/html/rfc3961) Encryption and Checksum Specifications for Kerberos 5
5//! - [RFC3962](https://tools.ietf.org/html/rfc3962) Advanced Encryption Standard (AES) Encryption for Kerberos 5
6//! - [RFC4120](https://tools.ietf.org/html/rfc4120) The Kerberos Network Authentication Service (V5)
7//! - [RFC6803](https://tools.ietf.org/html/rfc6803) Camellia Encryption for Kerberos 5
8//! - [RFC8009](https://tools.ietf.org/html/rfc8009) AES Encryption with HMAC-SHA2 for Kerberos 5
9
10use der_parser::asn1_rs::{BitString, GeneralizedTime};
11use std::fmt;
12
13pub use crate::krb5_constants::*;
14pub use crate::krb5_errors::*;
15
16/// Kerberos Realm
17///
18/// A Kerberos realm is a set of managed nodes that share the same Kerberos database.
19#[derive(Debug, PartialEq)]
20pub struct Realm(pub String);
21
22/// Kerberos PrincipalName
23///
24/// A Kerberos principal is a service or user that is known to the Kerberos system. Each Kerberos
25/// principal is identified by its principal name. Principal names consist of three parts: a
26/// service or user name, an instance name, and a realm name in the following form:
27///
28/// <pre>
29/// principal-name.instance-name@realm-name
30/// </pre>
31#[derive(Debug, PartialEq)]
32pub struct PrincipalName {
33 pub name_type: NameType,
34 pub name_string: Vec<String>,
35}
36
37impl fmt::Display for PrincipalName {
38 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
39 f.write_str(&self.name_string.join("/"))
40 }
41}
42
43/// Kerberos Ticket
44///
45/// A record that helps a client authenticate itself to a server; it
46/// contains the client's identity, a session key, a timestamp, and
47/// other information, all sealed using the server's secret key. It
48/// only serves to authenticate a client when presented along with a
49/// fresh Authenticator.
50#[derive(Debug, PartialEq)]
51pub struct Ticket<'a> {
52 /// Version number for the ticket format (5)
53 pub tkt_vno: u32,
54 /// Realm that issued a ticket
55 pub realm: Realm,
56 /// Components of the name part of the server's identity
57 pub sname: PrincipalName,
58 /// Encrypted encoding of the EncTicketPart sequence
59 pub enc_part: EncryptedData<'a>,
60}
61
62/// Kerberos EncryptedData
63#[derive(Debug, PartialEq)]
64pub struct EncryptedData<'a> {
65 /// EncryptionType
66 pub etype: EncryptionType,
67 /// Version number of the key under which data is encrypted
68 pub kvno: Option<u32>,
69 /// Ciphertext
70 pub cipher: &'a [u8],
71}
72
73/// Key Distribution Center (KDC) Request Message
74#[derive(Debug, PartialEq)]
75pub struct KdcReq<'a> {
76 pub pvno: u32,
77 pub msg_type: MessageType,
78 pub padata: Vec<PAData<'a>>,
79 pub req_body: KdcReqBody<'a>,
80}
81
82/// Key Distribution Center (KDC) Request Message Body
83#[derive(Debug, PartialEq)]
84pub struct KdcReqBody<'a> {
85 /// Options requested by the client
86 pub kdc_options: BitString<'a>,
87 /// Client name (only for AS-REQ)
88 pub cname: Option<PrincipalName>,
89 /// Server's realm
90 pub realm: Realm,
91 /// Server name
92 pub sname: Option<PrincipalName>,
93 /// Desired starttime for the requested ticket
94 pub from: Option<GeneralizedTime>,
95 /// Expiration date requested by the client
96 pub till: GeneralizedTime,
97 /// Requested renew-till time
98 pub rtime: Option<GeneralizedTime>,
99 /// Random number generated by the client
100 pub nonce: u32,
101 /// Desired encryption algorithm to be used in the response
102 pub etype: Vec<EncryptionType>,
103 /// Addresses from which the requested ticket is to be valid
104 pub addresses: Vec<HostAddress<'a>>,
105 /// Encoding of the desired authorization-data encrypted under the sub-session key if present
106 /// in the Authenticator, or alternatively from the session key in the TGT
107 pub enc_authorization_data: Option<EncryptedData<'a>>,
108 /// Additional tickets MAY be optionally included in a request to the ticket-granting server
109 pub additional_tickets: Vec<Ticket<'a>>,
110}
111
112/// Kerberos HostAddress
113#[derive(Debug, PartialEq)]
114pub struct HostAddress<'a> {
115 pub addr_type: AddressType,
116 pub address: &'a [u8],
117}
118
119/// Key Distribution Center (KDC) Reply Message
120#[derive(Debug, PartialEq)]
121pub struct KdcRep<'a> {
122 pub pvno: u32,
123 pub msg_type: MessageType,
124 pub padata: Vec<PAData<'a>>,
125 pub crealm: Realm,
126 pub cname: PrincipalName,
127 pub ticket: Ticket<'a>,
128 pub enc_part: EncryptedData<'a>,
129}
130
131/// Kerberos Error message
132#[derive(Debug, PartialEq)]
133pub struct KrbError<'a> {
134 pub pvno: u32,
135 pub msg_type: MessageType,
136 pub ctime: Option<GeneralizedTime>,
137 pub cusec: Option<u32>,
138 pub stime: GeneralizedTime,
139 pub susec: u32,
140 pub error_code: ErrorCode,
141 pub crealm: Option<Realm>,
142 pub cname: Option<PrincipalName>,
143 pub realm: Realm,
144 pub sname: PrincipalName,
145 pub etext: Option<String>,
146 pub edata: Option<&'a [u8]>,
147}
148
149/// Kerberos PA-Data
150#[derive(Debug, PartialEq)]
151pub struct PAData<'a> {
152 pub padata_type: PAType,
153 pub padata_value: &'a [u8],
154}
155
156/// Kerberos AP Request
157#[derive(Debug, PartialEq)]
158pub struct ApReq<'a> {
159 pub pvno: u32,
160 pub msg_type: MessageType,
161 pub ap_options: BitString<'a>, // KerberosFlags
162 pub ticket: Ticket<'a>,
163 pub authenticator: EncryptedData<'a>,
164}
165
166/// Kerberos AP Reply
167#[derive(Debug, PartialEq)]
168pub struct ApRep<'a> {
169 pub pvno: u32,
170 pub msg_type: MessageType,
171 pub enc_part: EncryptedData<'a>,
172}