Credential cache file format documentation

Simon Josefsson jas at extundo.com
Wed Sep 13 11:43:53 EDT 2006 

Inspired by Michael B Allen's writeup of the keytab file format posted
to this list a few months ago, which allowed me to implement support
for reading keytab's in Shishi, I became interested in documentation
of the ccache file format.

I didn't find much documentation, but the format was pretty
straight-forward, so I wrote the following description of it.  If
someone is looking for the same thing, I'd thought I'd share this.  To
read it, it probably helps to have read Michael's keytab.txt first.

As you'd might suspect, this is the first step towards reading (and
possibly writing) ccache files in Shishi...

Enjoy,
Simon

The Kerberos Credential Cache Binary File Format
Copyright (C) 2006 Simon Josefsson <simon josefsson.org>
http://josefsson.org/shishi/ccache.txt
Last updated: Wed Sep 13 17:11:53 CEST 2006

Like the MIT keytab binary format (see Michael B Allen's reverse
engineered description in keytab.txt), the credential cache format is
not standard nor documented anywhere.

In C style notation, the MIT credential cache file format is as
follows.  All values are in network byte order.  All text is ASCII.

ccache {
          uint16_t file_format_version; /* 0x0504 */
          uint16_t taglen;              /* only if version is 0x0504 */
          header tags[];                /* only if version is 0x0504 */
          principal primary_principal;
          credential credentials[*];
};

credential {
           principal client;
           principal server;
           keyblock key;
           times    time;
           uint8_t  is_skey;            /* 1 if skey, 0 otherwise */
           uint32_t tktflags;
           uint32_t num_address;
           address  addrs[num_address];
           uint32_t num_authdata;
           authdata authdata[num_authdata];
           countet_octet_string ticket;
           countet_octet_string second_ticket;
};

keyblock {
         uint16_t keytype;
         uint16_t etype;                /* only present if version 0x0503 */
         counted_octet_string keyvalue;
};

times {
      uint32_t  authtime;
      uint32_t  starttime;
      uint32_t  endtime;
      uint32_t  renew_till;
};

address {
        uint16_t addrtype;
        counted_octet_string addrdata;
};

authdata {
         uint16_t authtype;
         counted_octet_string authdata;
};

header {
       uint16_t tag;                    /* 1 = DeltaTime */
       uint16_t taglen;
       uint8_t tagdata[taglen]
};

DeltaTime {
       uint32_t time_offset;
       uint32_t usec_offset;
};

principal {
          uint32_t name_type; /* not present if version 0x0501 */
          uint32_t num_components;    /* sub 1 if version 0x501 */
          counted_octet_string realm;
          counted_octet_string components[num_components];
};

counted_octet_string {
    uint32_t length;
    uint8_t data[length];
};

Permission to copy, modify, and distribute this document, with or
without modification, for any purpose and without fee or royalty is
hereby granted, provided that you include this copyright notice in ALL
copies of the document or portions thereof, including modifications.

More information about the Kerberos mailing list