-- $Id$ --

-- PKINIT (public-key cryptography for Kerberos initial authentication)
-- message and value definitions for Heimdal.  Wire formats follow
-- RFC 4556; the KDF types and OIDs follow RFC 8636 (PKINIT algorithm
-- agility).  Lines marked NOTE(review) are assumptions not visible in
-- this module and should be confirmed against the code that uses it.
PKINIT DEFINITIONS ::= BEGIN

-- Kerberos core types come from the krb5 module, CMS and PKIX (RFC 2459)
-- types from theirs; heim_any is Heimdal's opaque "any DER value" type,
-- used where content is carried through undecoded.  ContentInfo is
-- imported but not referenced anywhere in this module.
IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
        IssuerAndSerialNumber, ContentInfo FROM cms
        SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
        heim_any FROM heim;

-- Arc shared by all PKINIT object identifiers (1.3.6.1.5.2.3).
id-pkinit OBJECT IDENTIFIER ::=
        { iso (1) org (3) dod (6) internet (1) security (5)
          kerberosv5 (2) pkinit (3) }

-- CMS content types carried inside the PKINIT signed/enveloped payloads
-- (RFC 4556 names them id-pkinit-authData, id-pkinit-DHKeyData and
-- id-pkinit-rkeyData).
id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }   -- eContentType of AuthPack
id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }  -- eContentType of KDCDHKeyInfo
id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }   -- eContentType of ReplyKeyPack
-- Extended key usage OIDs.  Per RFC 4556 a client certificate used for
-- PKINIT carries id-pkekuoid and a KDC certificate id-pkkdcekuoid; the
-- client's check of the KDC EKU is what keeps an arbitrary end-entity
-- certificate from being accepted as a KDC.
id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }     -- id-pkinit-KPClientAuth
id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }  -- id-pkinit-KPKdc

-- Key derivation function identifiers negotiated through
-- AuthPack.supportedKDFs and DHRepInfo.kdf (RFC 8636).  Each selects the
-- SP800-56A concatenation KDF with the named hash; when no KDF is
-- negotiated RFC 8636 specifies falling back to the original RFC 4556
-- octetstring2key derivation.
id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }

-- otherName type-id for the Kerberos principal name SAN (1.3.6.1.5.2.2);
-- the otherName value is a KRB5PrincipalName (defined below).
id-pkinit-san OBJECT IDENTIFIER ::=
        { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
          x509-sanan(2) }

-- Microsoft smart card logon EKU (1.3.6.1.4.1.311.20.2.2).
-- NOTE(review): presumably accepted as an alternative to id-pkekuoid for
-- client certificates issued by Windows CAs; confirm in the certificate
-- checks that it is only accepted where that is intended.
id-pkinit-ms-eku OBJECT IDENTIFIER ::=
        { iso(1) org(3) dod(6) internet(1) private(4)
          enterprise(1) microsoft(311) 20 2 2 }

-- Microsoft UPN otherName type-id (1.3.6.1.4.1.311.20.2.3); the otherName
-- value is an MS-UPN-SAN.
id-pkinit-ms-san OBJECT IDENTIFIER ::=
        { iso(1) org(3) dod(6) internet(1) private(4)
          enterprise(1) microsoft(311) 20 2 3 }

-- Value of the Microsoft UPN SAN, a user@domain UTF8String.
-- NOTE(review): mapping a UPN to a Kerberos principal is a trust decision
-- made in code, not here; it should only apply to realms configured for it.
MS-UPN-SAN ::= UTF8String

-- PA-DATA type numbers for PKINIT pre-authentication (RFC 4556).
pa-pk-as-req INTEGER ::= 16
pa-pk-as-rep INTEGER ::= 17

-- Typed-data element numbers the KDC returns in error replies so the
-- client can retry with an acceptable certifier or DH group (RFC 4556).
td-trusted-certifiers INTEGER ::= 104
td-invalid-certificates INTEGER ::= 105
td-dh-parameters INTEGER ::= 109

-- Fresh random octets either side may contribute to the DH exchange.
-- RFC 4556 mixes them into the reply-key derivation so that a reused DH
-- public value still yields a fresh reply key.
DHNonce ::= OCTET STRING

-- One negotiable KDF, identified by an id-pkinit-kdf-* OID (RFC 8636).
KDFAlgorithmId ::= SEQUENCE {
        kdf-id [0] OBJECT IDENTIFIER,
        ...
}

-- Identifies a CA the client trusts.  caName is an IMPLICIT OCTET STRING
-- rather than a Name, so the issuer's DER is carried through unparsed.
-- NOTE(review): this type is not referenced elsewhere in this module; the
-- RFC 4556 trust-anchor list uses ExternalPrincipalIdentifier instead.
TrustedCA ::= SEQUENCE {
        caName [0] IMPLICIT OCTET STRING,
        certificateSerialNumber [1] INTEGER OPTIONAL,
        subjectKeyIdentifier [2] OCTET STRING OPTIONAL,
        ...
}

-- Names a certificate or CA by subject name, issuer plus serial, or
-- subject key identifier (RFC 4556 ExternalPrincipalIdentifier).  Each
-- field holds the DER of the corresponding PKIX structure as an opaque
-- OCTET STRING.  Used for trustedCertifiers in PA-PK-AS-REQ, for the
-- TD-* error hints, and for AD-INITIAL-VERIFIED-CAS.
ExternalPrincipalIdentifier ::= SEQUENCE {
        subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
        issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
        subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
        ...
}

-- List form used by PA-PK-AS-REQ.trustedCertifiers and the TD-* hints.
ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier

-- Client pre-authentication payload (padata type pa-pk-as-req).
-- signedAuthPack carries, per RFC 4556, a CMS SignedData with
-- eContentType id-pkauthdata and content AuthPack, as an opaque
-- OCTET STRING; the signature on it is what authenticates the client.
-- trustedCertifiers lists CAs the client accepts for the KDC certificate;
-- kdcPkId, when present, names the KDC certificate to use for the reply.
PA-PK-AS-REQ ::= SEQUENCE {
        signedAuthPack [0] IMPLICIT OCTET STRING,
        trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL,
        kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL,
        ...
}

-- Freshness and binding data inside AuthPack (RFC 4556 PKAuthenticator).
-- ctime and cusec carry the client's time so the KDC can reject stale or
-- replayed requests; nonce is echoed back by the KDC in KDCDHKeyInfo.
-- paChecksum binds this pre-authentication to the enclosing KDC-REQ-BODY
-- (RFC 4556 specifies a SHA-1 checksum over it).
-- NOTE(review): paChecksum is OPTIONAL on the wire; confirm the KDC
-- rejects signed requests that omit it rather than treating them as bound.
-- NOTE(review): the RFC range constraint on cusec, (0..999999), is kept
-- only as a comment, so the generated decoder accepts any INTEGER; the
-- range check has to happen in the code that consumes it.
PKAuthenticator ::= SEQUENCE {
        cusec [0] INTEGER -- (0..999999) --,
        ctime [1] KerberosTime,
        nonce [2] INTEGER (0..4294967295),
        paChecksum [3] OCTET STRING OPTIONAL,
        ...
}

-- Signed content of the client request (eContentType id-pkauthdata).
-- clientPublicValue carries the client's DH public key when the DH
-- reply-key method is used and is absent for the public-key encryption
-- method.  supportedCMSTypes advertises the CMS algorithms the client
-- accepts.  supportedKDFs (RFC 8636) sits after the extension marker so
-- peers without algorithm agility skip it.
AuthPack ::= SEQUENCE {
        pkAuthenticator [0] PKAuthenticator,
        clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
        supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
        clientDHNonce [3] DHNonce OPTIONAL,
        ...,
        supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
        ...
}

-- Error hints: the CAs the KDC trusts, and the client certificates it
-- could not validate, so the client can choose another credential.
TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers

-- otherName value for id-pkinit-san: the Kerberos principal a certificate
-- is bound to.
-- NOTE(review): a KDC that maps certificates to principals through this
-- SAN should compare the realm as well as the name components.
KRB5PrincipalName ::= SEQUENCE {
        realm [0] Realm,
        principalName [1] PrincipalName
}

-- Authorization data the KDC may put in the ticket to record which CAs
-- were verified for the client certificate (RFC 4556).
AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier

-- DH branch of the KDC reply.  dhSignedData holds, per RFC 4556, a CMS
-- SignedData over KDCDHKeyInfo (eContentType id-pkdhkeydata) as an
-- opaque OCTET STRING; the client must verify that signature against a
-- KDC certificate carrying the KDC EKU before using the key.  kdf
-- (RFC 8636) names the KDF the KDC picked from AuthPack.supportedKDFs
-- and sits after the extension marker.
DHRepInfo ::= SEQUENCE {
        dhSignedData [0] IMPLICIT OCTET STRING,
        serverDHNonce [1] DHNonce OPTIONAL,
        ...,
        kdf [2] KDFAlgorithmId OPTIONAL,
        ...
}

-- KDC pre-authentication reply (padata type pa-pk-as-rep): either the DH
-- exchange, or an enveloped ReplyKeyPack (per RFC 4556 a CMS
-- EnvelopedData encrypted to the client certificate, here as an opaque
-- OCTET STRING).
PA-PK-AS-REP ::= CHOICE {
        dhInfo [0] DHRepInfo,
        encKeyPack [1] IMPLICIT OCTET STRING,
        ...
}

-- Signed content of the DH reply.  nonce echoes the PKAuthenticator
-- nonce (RFC 4556 allows 0 when DH values are being reused) and is what
-- ties this reply to the request, so the client has to check it.
-- dhKeyExpiration tells the client how long the KDC's DH value may be
-- reused.
KDCDHKeyInfo ::= SEQUENCE {
        subjectPublicKey [0] BIT STRING,
        nonce [1] INTEGER (0..4294967295),
        dhKeyExpiration [2] KerberosTime OPTIONAL,
        ...
}

-- Content of the enveloped reply (public-key encryption method).
-- asChecksum is, per RFC 4556, a keyed checksum over the AS-REQ made with
-- replyKey; the client must verify it, since with no DH exchange it is
-- what binds the delivered key to this request.
ReplyKeyPack ::= SEQUENCE {
        replyKey [0] EncryptionKey,
        asChecksum [1] Checksum,
        ...
}

-- Error hint listing the DH groups the KDC accepts.
TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier


-- Windows compat glue --

-- Pre-RFC (Windows 2000 era) variants of the types above.  They use
-- different tags and field sets, most have no extension marker, and the
-- authenticator has no paChecksum, so request binding there rests on the
-- nonce alone.  Note the nonce is a signed 32-bit INTEGER here, unsigned
-- in the RFC 4556 types.
-- NOTE(review): these should only be accepted for peers that need them.
PKAuthenticator-Win2k ::= SEQUENCE {
        kdcName [0] PrincipalName,
        kdcRealm [1] Realm,
        cusec [2] INTEGER (0..4294967295),
        ctime [3] KerberosTime,
        nonce [4] INTEGER (-2147483648..2147483647)
}

-- Windows 2000 AuthPack: no CMS algorithm negotiation, no client DH
-- nonce, no KDF list.
AuthPack-Win2k ::= SEQUENCE {
        pkAuthenticator [0] PKAuthenticator-Win2k,
        clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
}


-- Windows 2000 trusted-CA reference: the raw DER of the CA name (carried
-- as heim_any) or an issuer/serial pair.  Tags start at [1].
TrustedCA-Win2k ::= CHOICE {
        caName [1] heim_any,
        issuerAndSerial [2] IssuerAndSerialNumber
}

-- Windows 2000 request.  Tag [1] is unused.  kdc-cert and encryption-cert
-- let the client name the KDC certificates to be used for the reply.
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
        signed-auth-pack [0] IMPLICIT OCTET STRING,
        trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
        kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
        encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
}

-- Windows 2000 reply: the DH alternative is the bare signed data rather
-- than a DHRepInfo, so there is no server DH nonce and no KDF choice.
PA-PK-AS-REP-Win2k ::= CHOICE {
        dhSignedData [0] IMPLICIT OCTET STRING,
        encKeyPack [1] IMPLICIT OCTET STRING
}

-- Windows 2000 signed DH reply content: signed nonce, no dhKeyExpiration,
-- and tag [1] unused.
KDCDHKeyInfo-Win2k ::= SEQUENCE {
        nonce [0] INTEGER (-2147483648..2147483647),
        subjectPublicKey [2] BIT STRING
}

-- Windows 2000 enveloped reply content.  Unlike ReplyKeyPack there is no
-- asChecksum; the only binding to the request is that nonce must match
-- the one the client sent, so the client has to check it.
ReplyKeyPack-Win2k ::= SEQUENCE {
        replyKey [0] EncryptionKey,
        nonce [1] INTEGER (-2147483648..2147483647),
        ...
}

-- Reply variant where both alternatives are OPTIONAL members of a
-- SEQUENCE rather than a CHOICE, each carried undecoded as heim_any.
-- NOTE(review): the BTMM suffix presumably refers to an Apple (Back To My
-- Mac) peer; confirm which peers this is enabled for, and that the
-- consuming code requires exactly one of the two members to be present.
PA-PK-AS-REP-BTMM ::= SEQUENCE {
        dhSignedData [0] heim_any OPTIONAL,
        encKeyPack [1] heim_any OPTIONAL
}


-- OtherInfo input to the SP800-56A concatenation KDF (RFC 8636).
-- algorithmID is the negotiated id-pkinit-kdf-* OID.  Per RFC 8636
-- partyUInfo and partyVInfo hold the DER of the client's and the KDC's
-- KRB5PrincipalName, and suppPubInfo the DER of PkinitSuppPubInfo.
PkinitSP80056AOtherInfo ::= SEQUENCE {
        algorithmID AlgorithmIdentifier,
        partyUInfo [0] OCTET STRING,
        partyVInfo [1] OCTET STRING,
        suppPubInfo [2] OCTET STRING OPTIONAL,
        suppPrivInfo [3] OCTET STRING OPTIONAL
}

-- Public context mixed into the RFC 8636 KDF: the target enctype, the
-- DER of the AS-REQ and of the PA-PK-AS-REP, and the issued Ticket.
-- Binding both messages and the ticket into the derivation is what makes
-- the derived reply key specific to this exchange.
PkinitSuppPubInfo ::= SEQUENCE {
        enctype [0] INTEGER (-2147483648..2147483647),
        as-REQ [1] OCTET STRING,
        pk-as-rep [2] OCTET STRING,
        ticket [3] Ticket,
        ...
}

END -- PKINIT