VOL-1967 move api-server to separate repository
Change-Id: I21b85be74205805be15f8a85e53a903d16785671
diff --git a/vendor/gopkg.in/jcmturner/gokrb5.v7/types/Authenticator.go b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/Authenticator.go
new file mode 100644
index 0000000..500e034
--- /dev/null
+++ b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/Authenticator.go
@@ -0,0 +1,100 @@
+// Package types provides Kerberos 5 data types.
+package types
+
+import (
+ "crypto/rand"
+ "fmt"
+ "math"
+ "math/big"
+ "time"
+
+ "github.com/jcmturner/gofork/encoding/asn1"
+ "gopkg.in/jcmturner/gokrb5.v7/asn1tools"
+ "gopkg.in/jcmturner/gokrb5.v7/iana"
+ "gopkg.in/jcmturner/gokrb5.v7/iana/asnAppTag"
+)
+
+/*Authenticator ::= [APPLICATION 2] SEQUENCE {
+authenticator-vno [0] INTEGER (5),
+crealm [1] Realm,
+cname [2] PrincipalName,
+cksum [3] Checksum OPTIONAL,
+cusec [4] Microseconds,
+ctime [5] KerberosTime,
+subkey [6] EncryptionKey OPTIONAL,
+seq-number [7] UInt32 OPTIONAL,
+authorization-data [8] AuthorizationData OPTIONAL
+}
+
+ cksum
+ This field contains a checksum of the application data that
+ accompanies the KRB_AP_REQ, computed using a key usage value of 10
+ in normal application exchanges, or 6 when used in the TGS-REQ
+ PA-TGS-REQ AP-DATA field.
+
+*/
+
+// Authenticator - A record containing information that can be shown to have been recently generated using the session key known only by the client and server.
+// https://tools.ietf.org/html/rfc4120#section-5.5.1
+type Authenticator struct {
+ AVNO int `asn1:"explicit,tag:0"`
+ CRealm string `asn1:"generalstring,explicit,tag:1"`
+ CName PrincipalName `asn1:"explicit,tag:2"`
+ Cksum Checksum `asn1:"explicit,optional,tag:3"`
+ Cusec int `asn1:"explicit,tag:4"`
+ CTime time.Time `asn1:"generalized,explicit,tag:5"`
+ SubKey EncryptionKey `asn1:"explicit,optional,tag:6"`
+ SeqNumber int64 `asn1:"explicit,optional,tag:7"`
+ AuthorizationData AuthorizationData `asn1:"explicit,optional,tag:8"`
+}
+
+// NewAuthenticator creates a new Authenticator.
+func NewAuthenticator(realm string, cname PrincipalName) (Authenticator, error) {
+ seq, err := rand.Int(rand.Reader, big.NewInt(math.MaxUint32))
+ if err != nil {
+ return Authenticator{}, err
+ }
+ t := time.Now().UTC()
+ return Authenticator{
+ AVNO: iana.PVNO,
+ CRealm: realm,
+ CName: cname,
+ Cksum: Checksum{},
+ Cusec: int((t.UnixNano() / int64(time.Microsecond)) - (t.Unix() * 1e6)),
+ CTime: t,
+ SeqNumber: seq.Int64(),
+ }, nil
+}
+
+// GenerateSeqNumberAndSubKey sets the Authenticator's sequence number and subkey.
+func (a *Authenticator) GenerateSeqNumberAndSubKey(keyType int32, keySize int) error {
+ seq, err := rand.Int(rand.Reader, big.NewInt(math.MaxUint32))
+ if err != nil {
+ return err
+ }
+ a.SeqNumber = seq.Int64()
+ //Generate subkey value
+ sk := make([]byte, keySize, keySize)
+ rand.Read(sk)
+ a.SubKey = EncryptionKey{
+ KeyType: keyType,
+ KeyValue: sk,
+ }
+ return nil
+}
+
+// Unmarshal bytes into the Authenticator.
+func (a *Authenticator) Unmarshal(b []byte) error {
+ _, err := asn1.UnmarshalWithParams(b, a, fmt.Sprintf("application,explicit,tag:%v", asnAppTag.Authenticator))
+ return err
+}
+
+// Marshal the Authenticator.
+func (a *Authenticator) Marshal() ([]byte, error) {
+ b, err := asn1.Marshal(*a)
+ if err != nil {
+ return nil, err
+ }
+ b = asn1tools.AddASNAppTag(b, asnAppTag.Authenticator)
+ return b, nil
+}
diff --git a/vendor/gopkg.in/jcmturner/gokrb5.v7/types/AuthorizationData.go b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/AuthorizationData.go
new file mode 100644
index 0000000..c944800
--- /dev/null
+++ b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/AuthorizationData.go
@@ -0,0 +1,123 @@
+package types
+
+import (
+ "github.com/jcmturner/gofork/encoding/asn1"
+)
+
+// Reference: https://www.ietf.org/rfc/rfc4120.txt
+// Section: 5.2.6
+
+/*
+AuthorizationData
+
+-- NOTE: AuthorizationData is always used as an OPTIONAL field and
+-- should not be empty.
+AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ad-type [0] Int32,
+ad-data [1] OCTET STRING
+}
+
+ad-data
+This field contains authorization data to be interpreted according
+to the value of the corresponding ad-type field.
+
+ad-type
+ This field specifies the format for the ad-data subfield. All
+negative values are reserved for local use. Non-negative values
+are reserved for registered use.
+
+Each sequence of type and data is referred to as an authorization
+element. Elements MAY be application specific; however, there is a
+common set of recursive elements that should be understood by all
+implementations. These elements contain other elements embedded
+within them, and the interpretation of the encapsulating element
+determines which of the embedded elements must be interpreted, and
+which may be ignored.
+
+These common authorization data elements are recursively defined,
+meaning that the ad-data for these types will itself contain a
+sequence of authorization data whose interpretation is affected by
+the encapsulating element. Depending on the meaning of the
+encapsulating element, the encapsulated elements may be ignored,
+might be interpreted as issued directly by the KDC, or might be
+stored in a separate plaintext part of the ticket. The types of the
+encapsulating elements are specified as part of the Kerberos
+specification because the behavior based on these values should be
+understood across implementations, whereas other elements need only
+be understood by the applications that they affect.
+
+Authorization data elements are considered critical if present in a
+ticket or authenticator. If an unknown authorization data element
+type is received by a server either in an AP-REQ or in a ticket
+contained in an AP-REQ, then, unless it is encapsulated in a known
+authorization data element amending the criticality of the elements
+it contains, authentication MUST fail. Authorization data is
+intended to restrict the use of a ticket. If the service cannot
+determine whether the restriction applies to that service, then a
+security weakness may result if the ticket can be used for that
+service. Authorization elements that are optional can be enclosed in
+an AD-IF-RELEVANT element.
+
+In the definitions that follow, the value of the ad-type for the
+element will be specified as the least significant part of the
+subsection number, and the value of the ad-data will be as shown in
+the ASN.1 structure that follows the subsection heading.
+
+ Contents of ad-data ad-type
+
+ DER encoding of AD-IF-RELEVANT 1
+
+ DER encoding of AD-KDCIssued 4
+
+ DER encoding of AD-AND-OR 5
+
+ DER encoding of AD-MANDATORY-FOR-KDC 8
+
+*/
+
+// AuthorizationData implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.6
+type AuthorizationData []AuthorizationDataEntry
+
+// AuthorizationDataEntry implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.6
+type AuthorizationDataEntry struct {
+ ADType int32 `asn1:"explicit,tag:0"`
+ ADData []byte `asn1:"explicit,tag:1"`
+}
+
+// ADIfRelevant implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.6.1
+type ADIfRelevant AuthorizationData
+
+// ADKDCIssued implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.6.2
+type ADKDCIssued struct {
+ ADChecksum Checksum `asn1:"explicit,tag:0"`
+ IRealm string `asn1:"optional,generalstring,explicit,tag:1"`
+ Isname PrincipalName `asn1:"optional,explicit,tag:2"`
+ Elements AuthorizationData `asn1:"explicit,tag:3"`
+}
+
+// ADAndOr implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.6.3
+type ADAndOr struct {
+ ConditionCount int32 `asn1:"explicit,tag:0"`
+ Elements AuthorizationData `asn1:"explicit,tag:1"`
+}
+
+// ADMandatoryForKDC implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.6.4
+type ADMandatoryForKDC AuthorizationData
+
+// Unmarshal bytes into the ADKDCIssued.
+func (a *ADKDCIssued) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
+
+// Unmarshal bytes into the AuthorizationData.
+func (a *AuthorizationData) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
+
+// Unmarshal bytes into the AuthorizationDataEntry.
+func (a *AuthorizationDataEntry) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
diff --git a/vendor/gopkg.in/jcmturner/gokrb5.v7/types/Cryptosystem.go b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/Cryptosystem.go
new file mode 100644
index 0000000..7e8b4ab
--- /dev/null
+++ b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/Cryptosystem.go
@@ -0,0 +1,55 @@
+package types
+
+import (
+ "github.com/jcmturner/gofork/encoding/asn1"
+)
+
+// Reference: https://www.ietf.org/rfc/rfc4120.txt
+// Section: 5.2.9
+
+// EncryptedData implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.9
+type EncryptedData struct {
+ EType int32 `asn1:"explicit,tag:0"`
+ KVNO int `asn1:"explicit,optional,tag:1"`
+ Cipher []byte `asn1:"explicit,tag:2"`
+}
+
+// EncryptionKey implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.9
+// AKA KeyBlock
+type EncryptionKey struct {
+ KeyType int32 `asn1:"explicit,tag:0"`
+ KeyValue []byte `asn1:"explicit,tag:1"`
+}
+
+// Checksum implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.9
+type Checksum struct {
+ CksumType int32 `asn1:"explicit,tag:0"`
+ Checksum []byte `asn1:"explicit,tag:1"`
+}
+
+// Unmarshal bytes into the EncryptedData.
+func (a *EncryptedData) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
+
+// Marshal the EncryptedData.
+func (a *EncryptedData) Marshal() ([]byte, error) {
+ edb, err := asn1.Marshal(*a)
+ if err != nil {
+ return edb, err
+ }
+ return edb, nil
+}
+
+// Unmarshal bytes into the EncryptionKey.
+func (a *EncryptionKey) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
+
+// Unmarshal bytes into the Checksum.
+func (a *Checksum) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
diff --git a/vendor/gopkg.in/jcmturner/gokrb5.v7/types/HostAddress.go b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/HostAddress.go
new file mode 100644
index 0000000..2f6a5a7
--- /dev/null
+++ b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/HostAddress.go
@@ -0,0 +1,204 @@
+package types
+
+// Reference: https://www.ietf.org/rfc/rfc4120.txt
+// Section: 5.2.5
+
+import (
+ "bytes"
+ "fmt"
+ "net"
+
+ "github.com/jcmturner/gofork/encoding/asn1"
+ "gopkg.in/jcmturner/gokrb5.v7/iana/addrtype"
+)
+
+/*
+HostAddress and HostAddresses
+
+HostAddress ::= SEQUENCE {
+ addr-type [0] Int32,
+ address [1] OCTET STRING
+}
+
+-- NOTE: HostAddresses is always used as an OPTIONAL field and
+-- should not be empty.
+HostAddresses -- NOTE: subtly different from rfc1510,
+ -- but has a value mapping and encodes the same
+ ::= SEQUENCE OF HostAddress
+
+The host address encodings consist of two fields:
+
+addr-type
+ This field specifies the type of address that follows. Pre-
+ defined values for this field are specified in Section 7.5.3.
+
+address
+ This field encodes a single address of type addr-type.
+*/
+
+// HostAddresses implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.5
+type HostAddresses []HostAddress
+
+// HostAddress implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.5
+type HostAddress struct {
+ AddrType int32 `asn1:"explicit,tag:0"`
+ Address []byte `asn1:"explicit,tag:1"`
+}
+
+// GetHostAddress returns a HostAddress struct from a string in the format <hostname>:<port>
+func GetHostAddress(s string) (HostAddress, error) {
+ var h HostAddress
+ cAddr, _, err := net.SplitHostPort(s)
+ if err != nil {
+ return h, fmt.Errorf("invalid format of client address: %v", err)
+ }
+ ip := net.ParseIP(cAddr)
+ var ht int32
+ if ip.To4() != nil {
+ ht = addrtype.IPv4
+ ip = ip.To4()
+ } else if ip.To16() != nil {
+ ht = addrtype.IPv6
+ ip = ip.To16()
+ } else {
+ return h, fmt.Errorf("could not determine client's address types: %v", err)
+ }
+ h = HostAddress{
+ AddrType: ht,
+ Address: ip,
+ }
+ return h, nil
+}
+
+// GetAddress returns a string representation of the HostAddress.
+func (h *HostAddress) GetAddress() (string, error) {
+ var b []byte
+ _, err := asn1.Unmarshal(h.Address, &b)
+ return string(b), err
+}
+
+// LocalHostAddresses returns a HostAddresses struct for the local machines interface IP addresses.
+func LocalHostAddresses() (ha HostAddresses, err error) {
+ ifs, err := net.Interfaces()
+ if err != nil {
+ return
+ }
+ for _, iface := range ifs {
+ if iface.Flags&net.FlagLoopback != 0 || iface.Flags&net.FlagUp == 0 {
+ // Interface is either loopback of not up
+ continue
+ }
+ addrs, err := iface.Addrs()
+ if err != nil {
+ continue
+ }
+ for _, addr := range addrs {
+ var ip net.IP
+ switch v := addr.(type) {
+ case *net.IPNet:
+ ip = v.IP
+ case *net.IPAddr:
+ ip = v.IP
+ }
+ var a HostAddress
+ if ip.To16() == nil {
+ //neither IPv4 or IPv6
+ continue
+ }
+ if ip.To4() != nil {
+ //Is IPv4
+ a.AddrType = addrtype.IPv4
+ a.Address = ip.To4()
+ } else {
+ a.AddrType = addrtype.IPv6
+ a.Address = ip.To16()
+ }
+ ha = append(ha, a)
+ }
+ }
+ return ha, nil
+}
+
+// HostAddressesFromNetIPs returns a HostAddresses type from a slice of net.IP
+func HostAddressesFromNetIPs(ips []net.IP) (ha HostAddresses) {
+ for _, ip := range ips {
+ ha = append(ha, HostAddressFromNetIP(ip))
+ }
+ return ha
+}
+
+// HostAddressFromNetIP returns a HostAddress type from a net.IP
+func HostAddressFromNetIP(ip net.IP) HostAddress {
+ if ip.To4() != nil {
+ //Is IPv4
+ return HostAddress{
+ AddrType: addrtype.IPv4,
+ Address: ip.To4(),
+ }
+ }
+ return HostAddress{
+ AddrType: addrtype.IPv6,
+ Address: ip.To16(),
+ }
+}
+
+// HostAddressesEqual tests if two HostAddress slices are equal.
+func HostAddressesEqual(h, a []HostAddress) bool {
+ if len(h) != len(a) {
+ return false
+ }
+ for _, e := range a {
+ var found bool
+ for _, i := range h {
+ if e.Equal(i) {
+ found = true
+ break
+ }
+ }
+ if !found {
+ return false
+ }
+ }
+ return true
+}
+
+// HostAddressesContains tests if a HostAddress is contained in a HostAddress slice.
+func HostAddressesContains(h []HostAddress, a HostAddress) bool {
+ for _, e := range h {
+ if e.Equal(a) {
+ return true
+ }
+ }
+ return false
+}
+
+// Equal tests if the HostAddress is equal to another HostAddress provided.
+func (h *HostAddress) Equal(a HostAddress) bool {
+ if h.AddrType != a.AddrType {
+ return false
+ }
+ return bytes.Equal(h.Address, a.Address)
+}
+
+// Contains tests if a HostAddress is contained within the HostAddresses struct.
+func (h *HostAddresses) Contains(a HostAddress) bool {
+ for _, e := range *h {
+ if e.Equal(a) {
+ return true
+ }
+ }
+ return false
+}
+
+// Equal tests if a HostAddress slice is equal to the HostAddresses struct.
+func (h *HostAddresses) Equal(a []HostAddress) bool {
+ if len(*h) != len(a) {
+ return false
+ }
+ for _, e := range a {
+ if !h.Contains(e) {
+ return false
+ }
+ }
+ return true
+}
diff --git a/vendor/gopkg.in/jcmturner/gokrb5.v7/types/KerberosFlags.go b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/KerberosFlags.go
new file mode 100644
index 0000000..bd75d5b
--- /dev/null
+++ b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/KerberosFlags.go
@@ -0,0 +1,124 @@
+package types
+
+// Reference: https://www.ietf.org/rfc/rfc4120.txt
+// Section: 5.2.8
+
+import (
+ "github.com/jcmturner/gofork/encoding/asn1"
+)
+
+/*
+KerberosFlags
+
+For several message types, a specific constrained bit string type,
+KerberosFlags, is used.
+
+KerberosFlags ::= BIT STRING (SIZE (32..MAX))
+-- minimum number of bits shall be sent,
+-- but no fewer than 32
+
+Compatibility note: The following paragraphs describe a change from
+the RFC 1510 description of bit strings that would result in
+incompatility in the case of an implementation that strictly
+conformed to ASN.1 DER and RFC 1510.
+
+ASN.1 bit strings have multiple uses. The simplest use of a bit
+string is to contain a vector of bits, with no particular meaning
+attached to individual bits. This vector of bits is not necessarily
+a multiple of eight bits long. The use in Kerberos of a bit string
+as a compact boolean vector wherein each element has a distinct
+meaning poses some problems. The natural notation for a compact
+boolean vector is the ASN.1 "NamedBit" notation, and the DER require
+that encodings of a bit string using "NamedBit" notation exclude any
+trailing zero bits. This truncation is easy to neglect, especially
+given C language implementations that naturally choose to store
+boolean vectors as 32-bit integers.
+
+For example, if the notation for KDCOptions were to include the
+"NamedBit" notation, as in RFC 1510, and a KDCOptions value to be
+encoded had only the "forwardable" (bit number one) bit set, the DER
+encoding MUST include only two bits: the first reserved bit
+("reserved", bit number zero, value zero) and the one-valued bit (bit
+number one) for "forwardable".
+
+Most existing implementations of Kerberos unconditionally send 32
+bits on the wire when encoding bit strings used as boolean vectors.
+This behavior violates the ASN.1 syntax used for flag values in RFC
+1510, but it occurs on such a widely installed base that the protocol
+description is being modified to accommodate it.
+
+Consequently, this document removes the "NamedBit" notations for
+individual bits, relegating them to comments. The size constraint on
+the KerberosFlags type requires that at least 32 bits be encoded at
+all times, though a lenient implementation MAY choose to accept fewer
+than 32 bits and to treat the missing bits as set to zero.
+
+Currently, no uses of KerberosFlags specify more than 32 bits' worth
+of flags, although future revisions of this document may do so. When
+more than 32 bits are to be transmitted in a KerberosFlags value,
+future revisions to this document will likely specify that the
+smallest number of bits needed to encode the highest-numbered one-
+valued bit should be sent. This is somewhat similar to the DER
+encoding of a bit string that is declared with the "NamedBit"
+notation.
+*/
+
+// NewKrbFlags returns an ASN1 BitString struct of the right size for KrbFlags.
+func NewKrbFlags() asn1.BitString {
+ f := asn1.BitString{}
+ f.Bytes = make([]byte, 4)
+ f.BitLength = len(f.Bytes) * 8
+ return f
+}
+
+// SetFlags sets the flags of an ASN1 BitString.
+func SetFlags(f *asn1.BitString, j []int) {
+ for _, i := range j {
+ SetFlag(f, i)
+ }
+}
+
+// SetFlag sets a flag in an ASN1 BitString.
+func SetFlag(f *asn1.BitString, i int) {
+ for l := len(f.Bytes); l < 4; l++ {
+ (*f).Bytes = append((*f).Bytes, byte(0))
+ (*f).BitLength = len((*f).Bytes) * 8
+ }
+ //Which byte?
+ b := i / 8
+ //Which bit in byte
+ p := uint(7 - (i - 8*b))
+ (*f).Bytes[b] = (*f).Bytes[b] | (1 << p)
+}
+
+// UnsetFlags unsets flags in an ASN1 BitString.
+func UnsetFlags(f *asn1.BitString, j []int) {
+ for _, i := range j {
+ UnsetFlag(f, i)
+ }
+}
+
+// UnsetFlag unsets a flag in an ASN1 BitString.
+func UnsetFlag(f *asn1.BitString, i int) {
+ for l := len(f.Bytes); l < 4; l++ {
+ (*f).Bytes = append((*f).Bytes, byte(0))
+ (*f).BitLength = len((*f).Bytes) * 8
+ }
+ //Which byte?
+ b := i / 8
+ //Which bit in byte
+ p := uint(7 - (i - 8*b))
+ (*f).Bytes[b] = (*f).Bytes[b] &^ (1 << p)
+}
+
+// IsFlagSet tests if a flag is set in the ASN1 BitString.
+func IsFlagSet(f *asn1.BitString, i int) bool {
+ //Which byte?
+ b := i / 8
+ //Which bit in byte
+ p := uint(7 - (i - 8*b))
+ if (*f).Bytes[b]&(1<<p) != 0 {
+ return true
+ }
+ return false
+}
diff --git a/vendor/gopkg.in/jcmturner/gokrb5.v7/types/PAData.go b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/PAData.go
new file mode 100644
index 0000000..484ec5b
--- /dev/null
+++ b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/PAData.go
@@ -0,0 +1,155 @@
+package types
+
+// Reference: https://www.ietf.org/rfc/rfc4120.txt
+// Section: 5.2.7
+import (
+ "fmt"
+ "time"
+
+ "github.com/jcmturner/gofork/encoding/asn1"
+ "gopkg.in/jcmturner/gokrb5.v7/iana/patype"
+)
+
+// PAData implements RFC 4120 types: https://tools.ietf.org/html/rfc4120#section-5.2.7
+type PAData struct {
+ PADataType int32 `asn1:"explicit,tag:1"`
+ PADataValue []byte `asn1:"explicit,tag:2"`
+}
+
+// PADataSequence implements RFC 4120 types: https://tools.ietf.org/html/rfc4120#section-5.2.7
+type PADataSequence []PAData
+
+// MethodData implements RFC 4120 types: https://tools.ietf.org/html/rfc4120#section-5.9.1
+type MethodData []PAData
+
+// PAEncTimestamp implements RFC 4120 types: https://tools.ietf.org/html/rfc4120#section-5.2.7.2
+type PAEncTimestamp EncryptedData
+
+// PAEncTSEnc implements RFC 4120 types: https://tools.ietf.org/html/rfc4120#section-5.2.7.2
+type PAEncTSEnc struct {
+ PATimestamp time.Time `asn1:"generalized,explicit,tag:0"`
+ PAUSec int `asn1:"explicit,optional,tag:1"`
+}
+
+// Contains tests if a PADataSequence contains PA Data of a certain type.
+func (pas *PADataSequence) Contains(patype int32) bool {
+ for _, pa := range *pas {
+ if pa.PADataType == patype {
+ return true
+ }
+ }
+ return false
+}
+
+// GetPAEncTSEncAsnMarshalled returns the bytes of a PAEncTSEnc.
+func GetPAEncTSEncAsnMarshalled() ([]byte, error) {
+ t := time.Now().UTC()
+ p := PAEncTSEnc{
+ PATimestamp: t,
+ PAUSec: int((t.UnixNano() / int64(time.Microsecond)) - (t.Unix() * 1e6)),
+ }
+ b, err := asn1.Marshal(p)
+ if err != nil {
+ return b, fmt.Errorf("error mashaling PAEncTSEnc: %v", err)
+ }
+ return b, nil
+}
+
+// ETypeInfoEntry implements RFC 4120 types: https://tools.ietf.org/html/rfc4120#section-5.2.7.4
+type ETypeInfoEntry struct {
+ EType int32 `asn1:"explicit,tag:0"`
+ Salt []byte `asn1:"explicit,optional,tag:1"`
+}
+
+// ETypeInfo implements RFC 4120 types: https://tools.ietf.org/html/rfc4120#section-5.2.7.4
+type ETypeInfo []ETypeInfoEntry
+
+// ETypeInfo2Entry implements RFC 4120 types: https://tools.ietf.org/html/rfc4120#section-5.2.7.5
+type ETypeInfo2Entry struct {
+ EType int32 `asn1:"explicit,tag:0"`
+ Salt string `asn1:"explicit,optional,generalstring,tag:1"`
+ S2KParams []byte `asn1:"explicit,optional,tag:2"`
+}
+
+// ETypeInfo2 implements RFC 4120 types: https://tools.ietf.org/html/rfc4120#section-5.2.7.5
+type ETypeInfo2 []ETypeInfo2Entry
+
+// PAReqEncPARep PA Data Type
+type PAReqEncPARep struct {
+ ChksumType int32 `asn1:"explicit,tag:0"`
+ Chksum []byte `asn1:"explicit,tag:1"`
+}
+
+// Unmarshal bytes into the PAData
+func (pa *PAData) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, pa)
+ return err
+}
+
+// Unmarshal bytes into the PADataSequence
+func (pas *PADataSequence) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, pas)
+ return err
+}
+
+// Unmarshal bytes into the PAReqEncPARep
+func (pa *PAReqEncPARep) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, pa)
+ return err
+}
+
+// Unmarshal bytes into the PAEncTimestamp
+func (pa *PAEncTimestamp) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, pa)
+ return err
+}
+
+// Unmarshal bytes into the PAEncTSEnc
+func (pa *PAEncTSEnc) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, pa)
+ return err
+}
+
+// Unmarshal bytes into the ETypeInfo
+func (a *ETypeInfo) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
+
+// Unmarshal bytes into the ETypeInfoEntry
+func (a *ETypeInfoEntry) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
+
+// Unmarshal bytes into the ETypeInfo2
+func (a *ETypeInfo2) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
+
+// Unmarshal bytes into the ETypeInfo2Entry
+func (a *ETypeInfo2Entry) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}
+
+// GetETypeInfo returns an ETypeInfo from the PAData.
+func (pa *PAData) GetETypeInfo() (d ETypeInfo, err error) {
+ if pa.PADataType != patype.PA_ETYPE_INFO {
+ err = fmt.Errorf("PAData does not contain PA EType Info data. TypeID Expected: %v; Actual: %v", patype.PA_ETYPE_INFO, pa.PADataType)
+ return
+ }
+ _, err = asn1.Unmarshal(pa.PADataValue, &d)
+ return
+}
+
+// GetETypeInfo2 returns an ETypeInfo2 from the PAData.
+func (pa *PAData) GetETypeInfo2() (d ETypeInfo2, err error) {
+ if pa.PADataType != patype.PA_ETYPE_INFO2 {
+ err = fmt.Errorf("PAData does not contain PA EType Info 2 data. TypeID Expected: %v; Actual: %v", patype.PA_ETYPE_INFO2, pa.PADataType)
+ return
+ }
+ _, err = asn1.Unmarshal(pa.PADataValue, &d)
+ return
+}
diff --git a/vendor/gopkg.in/jcmturner/gokrb5.v7/types/PrincipalName.go b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/PrincipalName.go
new file mode 100644
index 0000000..fa6d3ce
--- /dev/null
+++ b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/PrincipalName.go
@@ -0,0 +1,64 @@
+package types
+
+import (
+ "strings"
+
+ "gopkg.in/jcmturner/gokrb5.v7/iana/nametype"
+)
+
+// Reference: https://www.ietf.org/rfc/rfc4120.txt
+// Section: 5.2.2
+
+// PrincipalName implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.2.2
+type PrincipalName struct {
+ NameType int32 `asn1:"explicit,tag:0"`
+ NameString []string `asn1:"generalstring,explicit,tag:1"`
+}
+
+// NewPrincipalName creates a new PrincipalName from the name type int32 and name string provided.
+func NewPrincipalName(ntype int32, spn string) PrincipalName {
+ return PrincipalName{
+ NameType: ntype,
+ NameString: strings.Split(spn, "/"),
+ }
+}
+
+// GetSalt returns a salt derived from the PrincipalName.
+func (pn PrincipalName) GetSalt(realm string) string {
+ var sb []byte
+ sb = append(sb, realm...)
+ for _, n := range pn.NameString {
+ sb = append(sb, n...)
+ }
+ return string(sb)
+}
+
+// Equal tests if the PrincipalName is equal to the one provided.
+func (pn PrincipalName) Equal(n PrincipalName) bool {
+ //https://tools.ietf.org/html/rfc4120#section-6.2 - the name type is not significant when checking for equivalence
+ for i, s := range pn.NameString {
+ if n.NameString[i] != s {
+ return false
+ }
+ }
+ return true
+}
+
+// PrincipalNameString returns the PrincipalName in string form.
+func (pn PrincipalName) PrincipalNameString() string {
+ return strings.Join(pn.NameString, "/")
+}
+
+// ParseSPNString will parse a string in the format <service>/<name>@<realm>
+// a PrincipalName type will be returned with the name type set to KRB_NT_PRINCIPAL(1)
+// and the realm will be returned as a string. If the "@<realm>" suffix
+// is not included in the SPN then the value of realm string returned will be ""
+func ParseSPNString(spn string) (pn PrincipalName, realm string) {
+ if strings.Contains(spn, "@") {
+ s := strings.Split(spn, "@")
+ realm = s[len(s)-1]
+ spn = strings.TrimSuffix(spn, "@"+realm)
+ }
+ pn = NewPrincipalName(nametype.KRB_NT_PRINCIPAL, spn)
+ return
+}
diff --git a/vendor/gopkg.in/jcmturner/gokrb5.v7/types/TypedData.go b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/TypedData.go
new file mode 100644
index 0000000..19e9f49
--- /dev/null
+++ b/vendor/gopkg.in/jcmturner/gokrb5.v7/types/TypedData.go
@@ -0,0 +1,18 @@
+package types
+
+import "github.com/jcmturner/gofork/encoding/asn1"
+
+// TypedData implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.9.1
+type TypedData struct {
+ DataType int32 `asn1:"explicit,tag:0"`
+ DataValue []byte `asn1:"optional,explicit,tag:1"`
+}
+
+// TypedDataSequence implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.9.1
+type TypedDataSequence []TypedData
+
+// Unmarshal bytes into the TypedDataSequence.
+func (a *TypedDataSequence) Unmarshal(b []byte) error {
+ _, err := asn1.Unmarshal(b, a)
+ return err
+}