# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Author: Alberto Solino (@agsolino)
#
# Description:
# Constants for the krb5.asn1 package. Taken from the RFC (RFC 4120) plus
# some data from [MS-KILE] as well.
#
#
15from impacket.dcerpc.v5.enum import Enum
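def encodeFlags(flags):
    """Encode a list of flag bit positions as a 32-element list of 0/1 ints.

    This is the shape the KerberosFlags bit-string fields (kdc-options,
    ticket flags, ap-options, ...) in the krb5.asn1 package are built from:
    index ``i`` of the returned list is 1 when position ``i`` appears in
    ``flags`` and 0 otherwise. The option enums in this module
    (``KDCOptions``, ``TicketFlags``, ``APOptions``) define positions 0..31,
    so pass their ``.value`` (plain ints), not the enum members themselves.

    :param flags: iterable of int bit positions in the range 0..31; duplicates
                  are harmless.
    :return: list of exactly 32 ints, each 0 or 1.
    :raises IndexError: if a position is outside 0..31. Negative positions
                        are rejected explicitly: previously ``-1`` silently
                        wrapped around and set bit 31, i.e. a bad flag was
                        encoded as a different, valid option.
    """
    bits = [0] * 32
    for position in flags:
        # Only the 32 positions the option enums define are addressable;
        # anything else is a caller bug and must not be silently mis-encoded.
        if not 0 <= position < 32:
            raise IndexError('flag position %r is outside the 32-bit KerberosFlags range' % (position,))
        bits[position] = 1
    return bits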
class ApplicationTagNumbers(Enum):
    """ASN.1 APPLICATION tag numbers of the Kerberos V5 PDUs (RFC 4120 §5.10).

    Each value is the ``[APPLICATION n]`` tag wrapping the corresponding
    structure, so it identifies what a DER blob is before it is decoded.
    Note these coincide with ``KerberosMessageTypes`` for the message PDUs
    (AS_REQ=10 ... KRB_ERROR=30).
    """
    Ticket = 1
    Authenticator = 2
    EncTicketPart = 3
    AS_REQ = 10
    AS_REP = 11
    TGS_REQ = 12
    TGS_REP = 13
    AP_REQ = 14
    AP_REP = 15
    RESERVED16 = 16  # reserved (user-to-user TGT request)
    RESERVED17 = 17  # reserved (user-to-user TGT reply)
    KRB_SAFE = 20
    KRB_PRIV = 21
    KRB_CRED = 22
    EncASRepPart = 25
    EncTGSRepPart = 26
    EncApRepPart = 27
    EncKrbPrivPart = 28
    EncKrbCredPart = 29
    KRB_ERROR = 30
class PrincipalNameType(Enum):
    """PrincipalName name-type values (RFC 4120 §6.2 / §7.5.8).

    Values 0-10 are the RFC name types; 11 and 12 come from later
    extensions, and the negative values are Microsoft-specific types
    (see the [MS-KILE] reference in the module header). ``NameTypes``
    below carries the same numbers under the RFC's ``KRB_NT_*`` spelling.
    """
    NT_UNKNOWN = 0
    NT_PRINCIPAL = 1
    NT_SRV_INST = 2
    NT_SRV_HST = 3
    NT_SRV_XHST = 4
    NT_UID = 5
    NT_X500_PRINCIPAL = 6
    NT_SMTP_NAME = 7
    NT_ENTERPRISE = 10  # enterprise (UPN-style) name, mapped to a principal by the KDC
    NT_WELLKNOWN = 11
    NT_SRV_HST_DOMAIN = 12
    NT_MS_PRINCIPAL = -128
    NT_MS_PRINCIPAL_AND_ID = -129
    NT_ENT_PRINCIPAL_AND_ID = -130
class PreAuthenticationDataTypes(Enum):
    """PA-DATA padata-type values (RFC 4120 §7.5.2 plus later extensions).

    1-41 and the TD_* (101-108) typed-data codes are from RFC 4120;
    133-138 are the FAST / encrypted-challenge types (RFC 6113);
    128, 129 and 161-167 are Microsoft extensions ([MS-KILE], [MS-SFU]).

    ``TD_PADATA`` and ``PA_GET_FROM_TYPED_DATA`` share the value 22 as in
    the RFC; with Enum alias semantics a lookup by value resolves to the
    first-defined name, ``PA_GET_FROM_TYPED_DATA``.
    """
    PA_TGS_REQ = 1
    PA_ENC_TIMESTAMP = 2  # the classic encrypted-timestamp pre-auth
    PA_PW_SALT = 3
    PA_ENC_UNIX_TIME = 5
    PA_SANDIA_SECUREID = 6
    PA_SESAME = 7
    PA_OSF_DCE = 8
    PA_CYBERSAFE_SECUREID = 9
    PA_AFS3_SALT = 10
    PA_ETYPE_INFO = 11
    PA_SAM_CHALLENGE = 12
    PA_SAM_RESPONSE = 13
    PA_PK_AS_REQ_OLD = 14
    PA_PK_AS_REP_OLD = 15
    PA_PK_AS_REQ = 16  # PKINIT
    PA_PK_AS_REP = 17  # PKINIT
    PA_ETYPE_INFO2 = 19
    PA_USE_SPECIFIED_KVNO = 20
    PA_SAM_REDIRECT = 21
    PA_GET_FROM_TYPED_DATA = 22
    TD_PADATA = 22  # alias of PA_GET_FROM_TYPED_DATA (same value in the RFC)
    PA_SAM_ETYPE_INFO = 23
    PA_ALT_PRINC = 24
    PA_SAM_CHALLENGE2 = 30
    PA_SAM_RESPONSE2 = 31
    PA_EXTRA_TGT = 41
    TD_PKINIT_CMS_CERTIFICATES = 101
    TD_KRB_PRINCIPAL = 102
    TD_KRB_REALM = 103
    TD_TRUSTED_CERTIFIERS = 104
    TD_CERTIFICATE_INDEX = 105
    TD_APP_DEFINED_ERROR = 106
    TD_REQ_NONCE = 107
    TD_REQ_SEQ = 108
    PA_PAC_REQUEST = 128  # [MS-KILE]: ask the KDC to include/omit the PAC
    PA_FOR_USER = 129  # [MS-SFU]: S4U2self
    PA_FX_COOKIE = 133  # RFC 6113 (FAST)
    PA_FX_FAST = 136  # RFC 6113 (FAST)
    PA_FX_ERROR = 137  # RFC 6113 (FAST)
    PA_ENCRYPTED_CHALLENGE = 138  # RFC 6113 (FAST)
    KERB_KEY_LIST_REQ = 161  # [MS-KILE]
    KERB_KEY_LIST_REP = 162  # [MS-KILE]
    PA_SUPPORTED_ENCTYPES = 165  # [MS-KILE]
    PA_PAC_OPTIONS = 167  # [MS-KILE]; flags are the PAPacOptions bit positions
class AddressType(Enum):
    """HostAddress addr-type values (RFC 4120 §7.5.1).

    Used for the caddr/addresses fields in tickets and requests.
    """
    IPv4 = 2
    Directional = 3
    ChaosNet = 5
    XNS = 6
    ISO = 7
    DECNET_Phase_IV = 12
    AppleTalk_DDP = 16
    NetBios = 20
    IPv6 = 24
124# 3.1.5.9 Key Usage Numbers
# Key usage numbers from [MS-KILE] 3.1.5.9. These are plain module-level
# ints, unlike the Enum classes in this module.
KERB_NON_KERB_SALT = 16  # NOTE(review): appears to be the usage for PAC credential-data encryption; confirm against callers
KERB_NON_KERB_CKSUM_SALT = 17  # NOTE(review): appears to be the usage for PAC server/KDC signatures; confirm against callers
128# 7.5.4. Authorization Data Types
class AuthorizationDataType(Enum):
    """AuthorizationData ad-type values (RFC 4120 §7.5.4).

    ``AD_WIN2K_PAC`` (128) is the type carrying the Windows PAC inside a
    ticket's authorization-data, and is usually nested in ``AD_IF_RELEVANT``.
    """
    AD_IF_RELEVANT = 1
    AD_INTENDED_FOR_SERVER = 2
    AD_INTENDED_FOR_APPLICATION_CLASS = 3
    AD_KDC_ISSUED = 4
    AD_AND_OR = 5
    AD_MANDATORY_TICKET_EXTENSIONS = 6
    AD_IN_TICKET_EXTENSIONS = 7
    AD_MANDATORY_FOR_KDC = 8
    # Values 9-63 are reserved by the RFC.
    OSF_DCE = 64
    SESAME = 65
    AD_OSF_DCE_PKI_CERTID = 66
    AD_WIN2K_PAC = 128
    AD_ETYPE_NEGOTIATION = 129
145# 7.5.5. Transited Encoding Types
class TransitedEncodingTypes(Enum):
    """TransitedEncoding tr-type values (RFC 4120 §7.5.5).

    DOMAIN_X500_COMPRESS (1) is the only encoding the RFC defines.
    """
    DOMAIN_X500_COMPRESS = 1
149# 7.5.6. Protocol Version Number
class ProtocolVersionNumber(Enum):
    """Kerberos protocol version number (RFC 4120 §7.5.6).

    ``pvno`` (5) is the value carried in the pvno field of every PDU.
    """
    pvno = 5
153# 7.5.7. Kerberos Message Types
class KerberosMessageTypes(Enum):
    """msg-type values of the Kerberos PDUs (RFC 4120 §7.5.7).

    The numbers match the ``ApplicationTagNumbers`` of the same messages.
    """
    KRB_AS_REQ = 10  # Request for initial authentication
    KRB_AS_REP = 11  # Response to KRB_AS_REQ request
    KRB_TGS_REQ = 12  # Request for authentication based on TGT
    KRB_TGS_REP = 13  # Response to KRB_TGS_REQ request
    KRB_AP_REQ = 14  # Application request to server
    KRB_AP_REP = 15  # Response to KRB_AP_REQ_MUTUAL
    KRB_RESERVED16 = 16  # Reserved for user-to-user krb_tgt_request
    KRB_RESERVED17 = 17  # Reserved for user-to-user krb_tgt_reply
    KRB_SAFE = 20  # Safe (checksummed) application message
    KRB_PRIV = 21  # Private (encrypted) application message
    KRB_CRED = 22  # Private (encrypted) message to forward credentials
    KRB_ERROR = 30  # Error response
169# 7.5.8. Name Types
class NameTypes(Enum):
    """PrincipalName name-type values under the RFC's KRB_NT_* spelling (RFC 4120 §7.5.8).

    The values are identical to ``PrincipalNameType``; both spellings are
    kept. Negative values are Microsoft-specific ([MS-KILE]).
    """
    KRB_NT_UNKNOWN = 0  # Name type not known
    KRB_NT_PRINCIPAL = 1  # Just the name of the principal as in DCE, or for users
    KRB_NT_SRV_INST = 2  # Service and other unique instance (krbtgt)
    KRB_NT_SRV_HST = 3  # Service with host name as instance (telnet, rcommands)
    KRB_NT_SRV_XHST = 4  # Service with host as remaining components
    KRB_NT_UID = 5  # Unique ID
    KRB_NT_X500_PRINCIPAL = 6  # Encoded X.509 Distinguished name [RFC2253]
    KRB_NT_SMTP_NAME = 7  # Name in form of SMTP email name (e.g., user@example.com)
    KRB_NT_ENTERPRISE = 10  # Enterprise name; may be mapped to principal name
    # Other Name Types (later extensions / Microsoft-specific)
    KRB_NT_WELLKNOWN = 11
    KRB_NT_SRV_HST_DOMAIN = 12
    KRB_NT_MS_PRINCIPAL = -128
    KRB_NT_MS_PRINCIPAL_AND_ID = -129
    KRB_NT_ENT_PRINCIPAL_AND_ID = -130
191# 7.5.9. Error Codes
class ErrorCodes(Enum):
    """Kerberos error codes carried in KRB-ERROR.error-code (RFC 4120 §7.5.9).

    Member names follow the RFC: 0-29 are ``KDC_ERR_*`` codes returned by a
    KDC, 31-51 are ``KRB_AP_ERR_*`` codes from the AP exchange, 52/60/61 are
    generic ``KRB_ERR_*`` codes and 62-76 are mostly PKINIT codes.
    ``ERROR_MESSAGES`` below maps the same integers to a (name, description)
    pair for display.

    NOTE(review): a KDC's choice between KDC_ERR_C_PRINCIPAL_UNKNOWN (6),
    KDC_ERR_PREAUTH_REQUIRED (25), KDC_ERR_PREAUTH_FAILED (24) and
    KDC_ERR_CLIENT_REVOKED (18) reveals whether an account exists or is
    locked before any authentication succeeds; tooling built on these
    constants relies on that distinction, so treat the codes as
    security-relevant signals on both sides.
    """
    KDC_ERR_NONE = 0  # No error
    KDC_ERR_NAME_EXP = 1  # Client's entry in database has expired
    KDC_ERR_SERVICE_EXP = 2  # Server's entry in database has expired
    KDC_ERR_BAD_PVNO = 3  # Requested protocol version number not supported
    KDC_ERR_C_OLD_MAST_KVNO = 4  # Client's key encrypted in old master key
    KDC_ERR_S_OLD_MAST_KVNO = 5  # Server's key encrypted in old master key
    KDC_ERR_C_PRINCIPAL_UNKNOWN = 6  # Client not found in Kerberos database
    KDC_ERR_S_PRINCIPAL_UNKNOWN = 7  # Server not found in Kerberos database
    KDC_ERR_PRINCIPAL_NOT_UNIQUE = 8  # Multiple principal entries in database
    KDC_ERR_NULL_KEY = 9  # The client or server has a null key
    KDC_ERR_CANNOT_POSTDATE = 10  # Ticket not eligible for postdating
    KDC_ERR_NEVER_VALID = 11  # Requested starttime is later than end time
    KDC_ERR_POLICY = 12  # KDC policy rejects request
    KDC_ERR_BADOPTION = 13  # KDC cannot accommodate requested option
    KDC_ERR_ETYPE_NOSUPP = 14  # KDC has no support for encryption type
    KDC_ERR_SUMTYPE_NOSUPP = 15  # KDC has no support for checksum type
    KDC_ERR_PADATA_TYPE_NOSUPP = 16  # KDC has no support for padata type
    KDC_ERR_TRTYPE_NOSUPP = 17  # KDC has no support for transited type
    KDC_ERR_CLIENT_REVOKED = 18  # Clients credentials have been revoked
    KDC_ERR_SERVICE_REVOKED = 19  # Credentials for server have been revoked
    KDC_ERR_TGT_REVOKED = 20  # TGT has been revoked
    KDC_ERR_CLIENT_NOTYET = 21  # Client not yet valid; try again later
    KDC_ERR_SERVICE_NOTYET = 22  # Server not yet valid; try again later
    KDC_ERR_KEY_EXPIRED = 23  # Password has expired; change password to reset
    KDC_ERR_PREAUTH_FAILED = 24  # Pre-authentication information was invalid
    KDC_ERR_PREAUTH_REQUIRED = 25  # Additional pre-authentication required
    KDC_ERR_SERVER_NOMATCH = 26  # Requested server and ticket don't match
    KDC_ERR_MUST_USE_USER2USER = 27  # Server principal valid for user2user only
    KDC_ERR_PATH_NOT_ACCEPTED = 28  # KDC Policy rejects transited path
    KDC_ERR_SVC_UNAVAILABLE = 29  # A service is not available
    KRB_AP_ERR_BAD_INTEGRITY = 31  # Integrity check on decrypted field failed
    KRB_AP_ERR_TKT_EXPIRED = 32  # Ticket expired
    KRB_AP_ERR_TKT_NYV = 33  # Ticket not yet valid
    KRB_AP_ERR_REPEAT = 34  # Request is a replay
    KRB_AP_ERR_NOT_US = 35  # The ticket isn't for us
    KRB_AP_ERR_BADMATCH = 36  # Ticket and authenticator don't match
    KRB_AP_ERR_SKEW = 37  # Clock skew too great
    KRB_AP_ERR_BADADDR = 38  # Incorrect net address
    KRB_AP_ERR_BADVERSION = 39  # Protocol version mismatch
    KRB_AP_ERR_MSG_TYPE = 40  # Invalid msg type
    KRB_AP_ERR_MODIFIED = 41  # Message stream modified
    KRB_AP_ERR_BADORDER = 42  # Message out of order
    KRB_AP_ERR_BADKEYVER = 44  # Specified version of key is not available
    KRB_AP_ERR_NOKEY = 45  # Service key not available
    KRB_AP_ERR_MUT_FAIL = 46  # Mutual authentication failed
    KRB_AP_ERR_BADDIRECTION = 47  # Incorrect message direction
    KRB_AP_ERR_METHOD = 48  # Alternative authentication method required
    KRB_AP_ERR_BADSEQ = 49  # Incorrect sequence number in message
    KRB_AP_ERR_INAPP_CKSUM = 50  # Inappropriate type of checksum in message
    KRB_AP_PATH_NOT_ACCEPTED = 51  # Policy rejects transited path
    KRB_ERR_RESPONSE_TOO_BIG = 52  # Response too big for UDP; retry with TCP
    KRB_ERR_GENERIC = 60  # Generic error (description in e-text)
    KRB_ERR_FIELD_TOOLONG = 61  # Field is too long for this implementation
    KDC_ERROR_CLIENT_NOT_TRUSTED = 62  # Reserved for PKINIT
    KDC_ERROR_KDC_NOT_TRUSTED = 63  # Reserved for PKINIT
    KDC_ERROR_INVALID_SIG = 64  # Reserved for PKINIT
    KDC_ERR_KEY_TOO_WEAK = 65  # Reserved for PKINIT
    KDC_ERR_CERTIFICATE_MISMATCH = 66  # Reserved for PKINIT
    KRB_AP_ERR_NO_TGT = 67  # No TGT available to validate USER-TO-USER
    KDC_ERR_WRONG_REALM = 68  # Reserved for future use
    KRB_AP_ERR_USER_TO_USER_REQUIRED = 69  # Ticket must be for USER-TO-USER
    KDC_ERR_CANT_VERIFY_CERTIFICATE = 70  # Reserved for PKINIT
    KDC_ERR_INVALID_CERTIFICATE = 71  # Reserved for PKINIT
    KDC_ERR_REVOKED_CERTIFICATE = 72  # Reserved for PKINIT
    KDC_ERR_REVOCATION_STATUS_UNKNOWN = 73  # Reserved for PKINIT
    KDC_ERR_REVOCATION_STATUS_UNAVAILABLE = 74  # Reserved for PKINIT
    KDC_ERR_CLIENT_NAME_MISMATCH = 75  # Reserved for PKINIT
    KDC_ERR_KDC_NAME_MISMATCH = 76  # Reserved for PKINIT
# Display table for KRB-ERROR codes: error-code int -> (RFC name, description).
# Keys and names mirror the ErrorCodes enum above; keep the two in sync when
# adding a code. Values 30 and 43 are unassigned in the RFC, as in ErrorCodes.
ERROR_MESSAGES = {
    0 : ('KDC_ERR_NONE', 'No error'),
    1 : ('KDC_ERR_NAME_EXP', 'Client\'s entry in database has expired'),
    2 : ('KDC_ERR_SERVICE_EXP', 'Server\'s entry in database has expired'),
    3 : ('KDC_ERR_BAD_PVNO', 'Requested protocol version number not supported'),
    4 : ('KDC_ERR_C_OLD_MAST_KVNO', 'Client\'s key encrypted in old master key'),
    5 : ('KDC_ERR_S_OLD_MAST_KVNO', 'Server\'s key encrypted in old master key'),
    6 : ('KDC_ERR_C_PRINCIPAL_UNKNOWN', 'Client not found in Kerberos database'),
    7 : ('KDC_ERR_S_PRINCIPAL_UNKNOWN', 'Server not found in Kerberos database'),
    8 : ('KDC_ERR_PRINCIPAL_NOT_UNIQUE', 'Multiple principal entries in database'),
    9 : ('KDC_ERR_NULL_KEY', 'The client or server has a null key'),
    10 : ('KDC_ERR_CANNOT_POSTDATE', 'Ticket not eligible for postdating'),
    11 : ('KDC_ERR_NEVER_VALID', 'Requested starttime is later than end time'),
    12 : ('KDC_ERR_POLICY', 'KDC policy rejects request'),
    13 : ('KDC_ERR_BADOPTION', 'KDC cannot accommodate requested option'),
    14 : ('KDC_ERR_ETYPE_NOSUPP', 'KDC has no support for encryption type'),
    15 : ('KDC_ERR_SUMTYPE_NOSUPP', 'KDC has no support for checksum type'),
    16 : ('KDC_ERR_PADATA_TYPE_NOSUPP', 'KDC has no support for padata type'),
    17 : ('KDC_ERR_TRTYPE_NOSUPP', 'KDC has no support for transited type'),
    18 : ('KDC_ERR_CLIENT_REVOKED', 'Clients credentials have been revoked'),
    19 : ('KDC_ERR_SERVICE_REVOKED', 'Credentials for server have been revoked'),
    20 : ('KDC_ERR_TGT_REVOKED', 'TGT has been revoked'),
    21 : ('KDC_ERR_CLIENT_NOTYET', 'Client not yet valid; try again later'),
    22 : ('KDC_ERR_SERVICE_NOTYET', 'Server not yet valid; try again later'),
    23 : ('KDC_ERR_KEY_EXPIRED', 'Password has expired; change password to reset'),
    24 : ('KDC_ERR_PREAUTH_FAILED', 'Pre-authentication information was invalid'),
    25 : ('KDC_ERR_PREAUTH_REQUIRED', 'Additional pre-authentication required'),
    26 : ('KDC_ERR_SERVER_NOMATCH', 'Requested server and ticket don\'t match'),
    27 : ('KDC_ERR_MUST_USE_USER2USER', 'Server principal valid for user2user only'),
    28 : ('KDC_ERR_PATH_NOT_ACCEPTED', 'KDC Policy rejects transited path'),
    29 : ('KDC_ERR_SVC_UNAVAILABLE', 'A service is not available'),
    31 : ('KRB_AP_ERR_BAD_INTEGRITY', 'Integrity check on decrypted field failed'),
    32 : ('KRB_AP_ERR_TKT_EXPIRED', 'Ticket expired'),
    33 : ('KRB_AP_ERR_TKT_NYV', 'Ticket not yet valid'),
    34 : ('KRB_AP_ERR_REPEAT', 'Request is a replay'),
    35 : ('KRB_AP_ERR_NOT_US', 'The ticket isn\'t for us'),
    36 : ('KRB_AP_ERR_BADMATCH', 'Ticket and authenticator don\'t match'),
    37 : ('KRB_AP_ERR_SKEW', 'Clock skew too great'),
    38 : ('KRB_AP_ERR_BADADDR', 'Incorrect net address'),
    39 : ('KRB_AP_ERR_BADVERSION', 'Protocol version mismatch'),
    40 : ('KRB_AP_ERR_MSG_TYPE', 'Invalid msg type'),
    41 : ('KRB_AP_ERR_MODIFIED', 'Message stream modified'),
    42 : ('KRB_AP_ERR_BADORDER', 'Message out of order'),
    44 : ('KRB_AP_ERR_BADKEYVER', 'Specified version of key is not available'),
    45 : ('KRB_AP_ERR_NOKEY', 'Service key not available'),
    46 : ('KRB_AP_ERR_MUT_FAIL', 'Mutual authentication failed'),
    47 : ('KRB_AP_ERR_BADDIRECTION', 'Incorrect message direction'),
    48 : ('KRB_AP_ERR_METHOD', 'Alternative authentication method required'),
    49 : ('KRB_AP_ERR_BADSEQ', 'Incorrect sequence number in message'),
    50 : ('KRB_AP_ERR_INAPP_CKSUM', 'Inappropriate type of checksum in message'),
    51 : ('KRB_AP_PATH_NOT_ACCEPTED', 'Policy rejects transited path'),
    52 : ('KRB_ERR_RESPONSE_TOO_BIG', 'Response too big for UDP; retry with TCP'),
    60 : ('KRB_ERR_GENERIC', 'Generic error (description in e-text)'),
    61 : ('KRB_ERR_FIELD_TOOLONG', 'Field is too long for this implementation'),
    62 : ('KDC_ERROR_CLIENT_NOT_TRUSTED', 'Reserved for PKINIT'),
    63 : ('KDC_ERROR_KDC_NOT_TRUSTED', 'Reserved for PKINIT'),
    64 : ('KDC_ERROR_INVALID_SIG', 'Reserved for PKINIT'),
    65 : ('KDC_ERR_KEY_TOO_WEAK', 'Reserved for PKINIT'),
    66 : ('KDC_ERR_CERTIFICATE_MISMATCH', 'Reserved for PKINIT'),
    67 : ('KRB_AP_ERR_NO_TGT', 'No TGT available to validate USER-TO-USER'),
    68 : ('KDC_ERR_WRONG_REALM', 'Reserved for future use'),
    69 : ('KRB_AP_ERR_USER_TO_USER_REQUIRED', 'Ticket must be for USER-TO-USER'),
    70 : ('KDC_ERR_CANT_VERIFY_CERTIFICATE', 'Reserved for PKINIT'),
    71 : ('KDC_ERR_INVALID_CERTIFICATE', 'Reserved for PKINIT'),
    72 : ('KDC_ERR_REVOKED_CERTIFICATE', 'Reserved for PKINIT'),
    73 : ('KDC_ERR_REVOCATION_STATUS_UNKNOWN', 'Reserved for PKINIT'),
    74 : ('KDC_ERR_REVOCATION_STATUS_UNAVAILABLE', 'Reserved for PKINIT'),
    75 : ('KDC_ERR_CLIENT_NAME_MISMATCH', 'Reserved for PKINIT'),
    76 : ('KDC_ERR_KDC_NAME_MISMATCH', 'Reserved for PKINIT'),
}
class TicketFlags(Enum):
    """Bit positions of the TicketFlags KerberosFlags string (RFC 4120 §5.3).

    Values are positions (0..31) in the form ``encodeFlags`` consumes, not
    masks. 0-13 are from RFC 4120; enc_pa_rep (15) and anonymous (16) come
    from later extensions (FAST-era / anonymity RFCs).

    NOTE(review): forwardable (1), proxiable (3) and ok_as_delegate (13)
    are the delegation-relevant bits to check when auditing a ticket.
    """
    reserved = 0
    forwardable = 1
    forwarded = 2
    proxiable = 3
    proxy = 4
    may_postdate = 5
    postdated = 6
    invalid = 7
    renewable = 8
    initial = 9
    pre_authent = 10
    hw_authent = 11
    transited_policy_checked = 12
    ok_as_delegate = 13
    enc_pa_rep = 15
    anonymous = 16
class KDCOptions(Enum):
    """Bit positions of the KDC-REQ-BODY kdc-options KerberosFlags (RFC 4120 §5.4.1).

    Values are positions (0..31) in the form ``encodeFlags`` consumes. The
    ``unused*`` members are positions the RFC leaves undefined;
    cname_in_addl_tkt (14) is the [MS-SFU] S4U2proxy option and
    canonicalize (15) comes from the KDC referrals extension.
    """
    reserved = 0
    forwardable = 1
    forwarded = 2
    proxiable = 3
    proxy = 4
    allow_postdate = 5
    postdated = 6
    unused7 = 7
    renewable = 8
    unused9 = 9
    unused10 = 10
    opt_hardware_auth = 11
    unused12 = 12
    unused13 = 13
    cname_in_addl_tkt = 14  # [MS-SFU]: the client name comes from the additional ticket (S4U2proxy)
    canonicalize = 15
    disable_transited_check = 26
    renewable_ok = 27
    enc_tkt_in_skey = 28  # user-to-user: encrypt the ticket in the session key of the additional ticket
    renew = 30
    validate = 31
class APOptions(Enum):
    """Bit positions of the AP-REQ ap-options KerberosFlags (RFC 4120 §5.5.1).

    Values are positions (0..31) in the form ``encodeFlags`` consumes.
    """
    reserved = 0
    use_session_key = 1  # user-to-user: ticket is encrypted in a session key, not the server's key
    mutual_required = 2  # client demands an AP-REP back (mutual authentication)
class PAPacOptions(Enum):
    """Bit positions of the PA-PAC-OPTIONS flags ([MS-KILE] 2.2.10).

    Carried in a pa-data of type ``PreAuthenticationDataTypes.PA_PAC_OPTIONS``
    (167). Values are positions in the form ``encodeFlags`` consumes.
    """
    # [MS-KILE] 2.2.10
    claims = 0
    branch_aware = 1
    forward_to_full_dc = 2
    # [MS-SFU] 2.2.5
    resource_based_constrained_delegation = 3  # NOTE(review): the bit a client sets to request RBCD handling in S4U2proxy; confirm against callers
class EncryptionTypes(Enum):
    """Kerberos encryption-type (etype) identifiers (RFC 3961 §8 / IANA registry).

    The ``*_CmsOID`` / ``*_EnvOID`` / ``*_Env_OID`` entries (9-15) appear to be
    identifiers reserved for PKINIT/CMS algorithm signalling rather than
    ticket encryption; the ``_reserved_*`` members keep the registry gaps
    visible. Negative values are legacy Microsoft extensions.

    NOTE(review): the des_* types (1-3) and rc4_hmac* (23, 24, -135) are
    deprecated and weak (RFC 6649 / RFC 8429); prefer
    aes128/aes256_cts_hmac_sha1_96 (17, 18). The RFC 8009 aes-sha2 etypes
    (19, 20) are not listed here.
    """
    des_cbc_crc = 1
    des_cbc_md4 = 2
    des_cbc_md5 = 3
    _reserved_4 = 4
    des3_cbc_md5 = 5
    _reserved_6 = 6
    des3_cbc_sha1 = 7
    dsaWithSHA1_CmsOID = 9
    md5WithRSAEncryption_CmsOID = 10
    sha1WithRSAEncryption_CmsOID = 11
    rc2CBC_EnvOID = 12
    rsaEncryption_EnvOID = 13
    rsaES_OAEP_ENV_OID = 14
    des_ede3_cbc_Env_OID = 15
    des3_cbc_sha1_kd = 16
    aes128_cts_hmac_sha1_96 = 17
    aes256_cts_hmac_sha1_96 = 18
    rc4_hmac = 23  # RFC 4757; deprecated
    rc4_hmac_exp = 24  # RFC 4757 export variant; deprecated
    subkey_keymaterial = 65
    rc4_hmac_old_exp = -135
class ChecksumTypes(Enum):
    """Kerberos checksum-type identifiers (RFC 3961 §8; hmac_md5 from RFC 4757).

    Each keyed checksum belongs with the etype of the same cipher family
    (hmac_sha1_96_aes128 with aes128_cts_hmac_sha1_96, etc.).

    NOTE(review): rsa_md4_des / rsa_md5_des / hmac_md5 belong to the
    deprecated DES and RC4 families; prefer the AES checksums (15, 16).
    """
    rsa_md5_des = 8
    rsa_md4_des = 4
    hmac_md5 = -138  # RFC 4757 (rc4-hmac)
    hmac_sha1_des3_kd = 12
    hmac_sha1_96_aes128 = 15
    hmac_sha1_96_aes256 = 16