------------------------------------------------------------------------------- MUNGE Credential v1 Format ------------------------------------------------------------------------------- +---+------------------------------------------------------------+---+ | | 08b : version number (1) | | | O | 08b : cipher type (munge_cipher_t) | O | | U | 08b : compression type (munge_zip_t) | U | | T | 08b : message authentication code type (munge_mac_t) | T | | E | 08b : length (in bytes) of security realm string | E | | R | var : security realm string (w/o terminating NUL) | R | | | var : cipher IV (initialization vector) | | +---+------------------------------------------------------------+---+ | M | var : MAC (message authentication code) | M | +---+------------------------------------------------------------+---+ | | 64b : salt | | | | 08b : length (in bytes) of the origin IP address | | | I | var : origin IP address (where the credential was encoded) | I | | N | 32b : time at which the credential was encoded (time_t) | N | | N | 32b : time to live (in seconds) once encoded | N | | E | 32b : UID of the process requesting the credential | E | | R | 32b : GID of the process requesting the credential | R | | | 32b : length (in bytes) of payload data | | | | var : payload data being munged into the credential | | +---+------------------------------------------------------------+---+ 1. Field lengths are expressed in bits, or 'var' for variable length. 2. All 32b integers are in network byte order (ie, big endian). 3. The length of the cipher IV is dependent on munge_cipher_t. 4. The length of the MAC is dependent on munge_mac_t. 5. The MAC is first computed over the entire message (ie, OUTER + INNER). 6. The INNER layer is then compressed according to munge_zip_t. 7. The INNER layer is then encrypted according to munge_cipher_t. 8. The entire message (ie, OUTER + MAC + INNER) is then base64 encoded. 9. The base64 encoding is prepended with "MUNGE:" and appended with ":".