Blame doc/formats/freshness_token.rst (Packit Service, 99d1c0)

PKINIT freshness tokens
=======================

:rfc:`8070` specifies a pa-data type PA_AS_FRESHNESS, which clients
should reflect within signed PKINIT data to prove recent access to the
client certificate private key. The contents of a freshness token are
left to the KDC implementation. The MIT krb5 KDC uses the following
format for freshness tokens (starting in release 1.17):

* a four-byte big-endian POSIX timestamp
* a four-byte big-endian key version number
* an :rfc:`3961` checksum, with no ASN.1 wrapper

The checksum covers the preceding eight bytes (the timestamp and key
version number) and is computed using the first key in the local
krbtgt principal entry for the realm (e.g.
``krbtgt/KRBTEST.COM@KRBTEST.COM`` if the request is to the
``KRBTEST.COM`` realm) of the indicated key version. Carrying the key
version number lets the KDC verify a token issued before a krbtgt key
change, and the keyed checksum lets it do so without keeping per-client
state. The checksum type must be the mandatory checksum type for the
encryption type of the krbtgt key. The key usage value for the
checksum is 514.
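The following is an added example, not code from MIT krb5, showing how a KDC can construct, parse and verify a token in the format above. It assumes the krbtgt key is an ``aes128-cts-hmac-sha256-128`` key (:rfc:`8009`), so the mandatory checksum type is ``hmac-sha256-128-aes128`` and the key derivation needs only ``hmac``/``hashlib``; the sample keys are constructed, and the acceptance window (``max_age``, ``skew``) is an assumed policy knob, since the page does not say how the KDC judges staleness.

```python
"""Build, parse and verify an MIT krb5-style PKINIT freshness token.

Added example, not krb5 code.  Assumptions: the krbtgt key is an
aes128-cts-hmac-sha256-128 key (RFC 8009), whose mandatory checksum
type is hmac-sha256-128-aes128; the staleness window is made up.
"""
import hashlib
import hmac
import struct

KEYUSAGE_PA_AS_FRESHNESS = 514   # key usage given on the page
TOKEN_BODY_LEN = 8               # 4-byte timestamp + 4-byte kvno
CKSUM_LEN = 16                   # hmac-sha256-128: 128-bit truncation
KEY_BITS = 128                   # aes128 base key length


def kdf_hmac_sha2(base_key: bytes, label: bytes, k_bits: int) -> bytes:
    """RFC 8009 section 3 KDF-HMAC-SHA2 (SP 800-108 counter mode, one block):
    k-truncate(HMAC-SHA-256(key, 0x00000001 | label | 0x00 | k))."""
    msg = b"\x00\x00\x00\x01" + label + b"\x00" + struct.pack(">I", k_bits)
    return hmac.new(base_key, msg, hashlib.sha256).digest()[: k_bits // 8]


def rfc3961_checksum(base_key: bytes, usage: int, data: bytes) -> bytes:
    """hmac-sha256-128-aes128 get_mic: Kc = KDF(key, usage | 0x99, 128),
    checksum = leftmost 128 bits of HMAC-SHA-256(Kc, data).  No ASN.1."""
    kc = kdf_hmac_sha2(base_key, struct.pack(">I", usage) + b"\x99", KEY_BITS)
    return hmac.new(kc, data, hashlib.sha256).digest()[:CKSUM_LEN]


def make_freshness_token(krbtgt_keys: dict, kvno: int, now: int) -> bytes:
    """KDC side: timestamp || kvno || checksum over those eight bytes,
    keyed with the krbtgt key of the given kvno."""
    body = struct.pack(">II", now, kvno)
    return body + rfc3961_checksum(krbtgt_keys[kvno], KEYUSAGE_PA_AS_FRESHNESS, body)


def parse_freshness_token(token: bytes):
    """Split a token into (timestamp, kvno, checksum).  The length is fixed
    for this enctype because the checksum carries no ASN.1 wrapper."""
    if len(token) != TOKEN_BODY_LEN + CKSUM_LEN:
        raise ValueError("bad freshness token length")
    ts, kvno = struct.unpack(">II", token[:TOKEN_BODY_LEN])
    return ts, kvno, token[TOKEN_BODY_LEN:]


def verify_freshness_token(token: bytes, krbtgt_keys: dict, now: int,
                           max_age: int = 300, skew: int = 300) -> bool:
    """KDC side, on receiving the token reflected in signed PKINIT data.
    True only if the checksum verifies under the krbtgt key of the named
    kvno and the timestamp lies inside the (assumed) acceptance window."""
    try:
        ts, kvno, cksum = parse_freshness_token(token)
    except ValueError:
        return False
    key = krbtgt_keys.get(kvno)      # unknown kvno: key purged, or forged token
    if key is None:
        return False
    expected = rfc3961_checksum(key, KEYUSAGE_PA_AS_FRESHNESS, token[:TOKEN_BODY_LEN])
    if not hmac.compare_digest(expected, cksum):   # constant-time compare
        return False
    return now - max_age <= ts <= now + skew


# Constructed sample krbtgt keys (kvno -> 16-byte aes128 key); not real keys.
KRBTGT_KEYS = {
    2: bytes.fromhex("3705d96080c17728a0e800eab6e0d23c"),
    3: bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
}

if __name__ == "__main__":
    now = 1700000000
    tok = make_freshness_token(KRBTGT_KEYS, 3, now)
    print(tok.hex(), verify_freshness_token(tok, KRBTGT_KEYS, now + 30))
```

Because the verifier selects the key by the kvno carried in the token, a token minted just before a krbtgt key rotation still verifies as long as the old key remains in the principal entry; a token whose kvno is gone, whose checksum was produced under a different key, or whose bytes were altered is rejected. For the SHA-1 based AES enctypes the checksum key derivation is the :rfc:`3962` DK function (which needs AES itself) rather than the HMAC-only KDF shown here; the token layout is unchanged.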