Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

krb5.asn1

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 16 years ago
Samba 3.5.0: Initial import
File size: 19.2 KB

Line
1	-- $Id$
2
3	KERBEROS5 DEFINITIONS ::=
4	BEGIN
5
6	NAME-TYPE ::= INTEGER {
7	KRB5_NT_UNKNOWN(0), -- Name type not known
8	KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
9	KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
10	KRB5_NT_SRV_HST(3), -- Service with host name as instance
11	KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
12	KRB5_NT_UID(5), -- Unique ID
13	KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
14	KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
15	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
16	KRB5_NT_WELLKNOWN(11), -- Wellknown
17	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
18	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
19	KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
20	KRB5_NT_NTLM(-1200) -- NTLM name, realm is domain
21	}
22
23	-- message types
24
25	MESSAGE-TYPE ::= INTEGER {
26	krb-as-req(10), -- Request for initial authentication
27	krb-as-rep(11), -- Response to KRB_AS_REQ request
28	krb-tgs-req(12), -- Request for authentication based on TGT
29	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
30	krb-ap-req(14), -- application request to server
31	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
32	krb-safe(20), -- Safe (checksummed) application message
33	krb-priv(21), -- Private (encrypted) application message
34	krb-cred(22), -- Private (encrypted) message to forward credentials
35	krb-error(30) -- Error response
36	}
37
38
39	-- pa-data types
40
41	PADATA-TYPE ::= INTEGER {
42	KRB5-PADATA-NONE(0),
43	KRB5-PADATA-TGS-REQ(1),
44	KRB5-PADATA-AP-REQ(1),
45	KRB5-PADATA-ENC-TIMESTAMP(2),
46	KRB5-PADATA-PW-SALT(3),
47	KRB5-PADATA-ENC-UNIX-TIME(5),
48	KRB5-PADATA-SANDIA-SECUREID(6),
49	KRB5-PADATA-SESAME(7),
50	KRB5-PADATA-OSF-DCE(8),
51	KRB5-PADATA-CYBERSAFE-SECUREID(9),
52	KRB5-PADATA-AFS3-SALT(10),
53	KRB5-PADATA-ETYPE-INFO(11),
54	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
55	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
56	KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
57	KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
58	KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
59	KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
60	KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
61	KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
62	KRB5-PADATA-ETYPE-INFO2(19),
63	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
64	KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
65	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
66	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
67	KRB5-PADATA-SAM-ETYPE-INFO(23),
68	KRB5-PADATA-SERVER-REFERRAL(25),
69	KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
70	KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
71	KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
72	KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
73	KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
74	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
75	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
76	KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
77	KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
78	KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
79	KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
80	KRB5-PADATA-FOR-USER(129), -- MS-KILE
81	KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
82	KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
83	KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
84	KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
85	-- tell KDC that is supports
86	-- the asCheckSum in the
87	-- PK-AS-REP
88	KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referals
89	KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
90	KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
91	KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
92	KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
93	KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
94	KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
95	KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
96	KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
97	KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
98	KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
99	KRB5-PADATA-EPAK-AS-REQ(145),
100	KRB5-PADATA-EPAK-AS-REP(146),
101	KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
102	KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
103	KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
104	}
105
106	AUTHDATA-TYPE ::= INTEGER {
107	KRB5-AUTHDATA-IF-RELEVANT(1),
108	KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
109	KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
110	KRB5-AUTHDATA-KDC-ISSUED(4),
111	KRB5-AUTHDATA-AND-OR(5),
112	KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
113	KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
114	KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
115	KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
116	KRB5-AUTHDATA-OSF-DCE(64),
117	KRB5-AUTHDATA-SESAME(65),
118	KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
119	KRB5-AUTHDATA-WIN2K-PAC(128),
120	KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
121	KRB5-AUTHDATA-SIGNTICKET-OLD(-17),
122	KRB5-AUTHDATA-SIGNTICKET(142)
123	}
124
125	-- checksumtypes
126
127	CKSUMTYPE ::= INTEGER {
128	CKSUMTYPE_NONE(0),
129	CKSUMTYPE_CRC32(1),
130	CKSUMTYPE_RSA_MD4(2),
131	CKSUMTYPE_RSA_MD4_DES(3),
132	CKSUMTYPE_DES_MAC(4),
133	CKSUMTYPE_DES_MAC_K(5),
134	CKSUMTYPE_RSA_MD4_DES_K(6),
135	CKSUMTYPE_RSA_MD5(7),
136	CKSUMTYPE_RSA_MD5_DES(8),
137	CKSUMTYPE_RSA_MD5_DES3(9),
138	CKSUMTYPE_SHA1_OTHER(10),
139	CKSUMTYPE_HMAC_SHA1_DES3(12),
140	CKSUMTYPE_SHA1(14),
141	CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
142	CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
143	CKSUMTYPE_GSSAPI(0x8003),
144	CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
145	CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
146	}
147
148	--enctypes
149	ENCTYPE ::= INTEGER {
150	ETYPE_NULL(0),
151	ETYPE_DES_CBC_CRC(1),
152	ETYPE_DES_CBC_MD4(2),
153	ETYPE_DES_CBC_MD5(3),
154	ETYPE_DES3_CBC_MD5(5),
155	ETYPE_OLD_DES3_CBC_SHA1(7),
156	ETYPE_SIGN_DSA_GENERATE(8),
157	ETYPE_ENCRYPT_RSA_PRIV(9),
158	ETYPE_ENCRYPT_RSA_PUB(10),
159	ETYPE_DES3_CBC_SHA1(16), -- with key derivation
160	ETYPE_AES128_CTS_HMAC_SHA1_96(17),
161	ETYPE_AES256_CTS_HMAC_SHA1_96(18),
162	ETYPE_ARCFOUR_HMAC_MD5(23),
163	ETYPE_ARCFOUR_HMAC_MD5_56(24),
164	ETYPE_ENCTYPE_PK_CROSS(48),
165	-- some "old" windows types
166	ETYPE_ARCFOUR_MD4(-128),
167	ETYPE_ARCFOUR_HMAC_OLD(-133),
168	ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
169	-- these are for Heimdal internal use
170	ETYPE_DES_CBC_NONE(-0x1000),
171	ETYPE_DES3_CBC_NONE(-0x1001),
172	ETYPE_DES_CFB64_NONE(-0x1002),
173	ETYPE_DES_PCBC_NONE(-0x1003),
174	ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
175	ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
176	}
177
178
179
180
181	-- this is sugar to make something ASN1 does not have: unsigned
182
183	krb5uint32 ::= INTEGER (0..4294967295)
184	krb5int32 ::= INTEGER (-2147483648..2147483647)
185
186	KerberosString ::= GeneralString
187
188	Realm ::= GeneralString
189	PrincipalName ::= SEQUENCE {
190	name-type[0] NAME-TYPE,
191	name-string[1] SEQUENCE OF GeneralString
192	}
193
194	-- this is not part of RFC1510
195	Principal ::= SEQUENCE {
196	name[0] PrincipalName,
197	realm[1] Realm
198	}
199
200	Principals ::= SEQUENCE OF Principal
201
202	HostAddress ::= SEQUENCE {
203	addr-type[0] krb5int32,
204	address[1] OCTET STRING
205	}
206
207	-- This is from RFC1510.
208	--
209	-- HostAddresses ::= SEQUENCE OF SEQUENCE {
210	-- addr-type[0] krb5int32,
211	-- address[1] OCTET STRING
212	-- }
213
214	-- This seems much better.
215	HostAddresses ::= SEQUENCE OF HostAddress
216
217
218	KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
219
220	AuthorizationDataElement ::= SEQUENCE {
221	ad-type[0] krb5int32,
222	ad-data[1] OCTET STRING
223	}
224
225	AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
226
227	APOptions ::= BIT STRING {
228	reserved(0),
229	use-session-key(1),
230	mutual-required(2)
231	}
232
233	TicketFlags ::= BIT STRING {
234	reserved(0),
235	forwardable(1),
236	forwarded(2),
237	proxiable(3),
238	proxy(4),
239	may-postdate(5),
240	postdated(6),
241	invalid(7),
242	renewable(8),
243	initial(9),
244	pre-authent(10),
245	hw-authent(11),
246	transited-policy-checked(12),
247	ok-as-delegate(13),
248	anonymous(14)
249	}
250
251	KDCOptions ::= BIT STRING {
252	reserved(0),
253	forwardable(1),
254	forwarded(2),
255	proxiable(3),
256	proxy(4),
257	allow-postdate(5),
258	postdated(6),
259	unused7(7),
260	renewable(8),
261	unused9(9),
262	unused10(10),
263	unused11(11),
264	request-anonymous(14),
265	canonicalize(15),
266	constrained-delegation(16), -- ms extension
267	disable-transited-check(26),
268	renewable-ok(27),
269	enc-tkt-in-skey(28),
270	renew(30),
271	validate(31)
272	}
273
274	LR-TYPE ::= INTEGER {
275	LR_NONE(0), -- no information
276	LR_INITIAL_TGT(1), -- last initial TGT request
277	LR_INITIAL(2), -- last initial request
278	LR_ISSUE_USE_TGT(3), -- time of newest TGT used
279	LR_RENEWAL(4), -- time of last renewal
280	LR_REQUEST(5), -- time of last request (of any type)
281	LR_PW_EXPTIME(6), -- expiration time of password
282	LR_ACCT_EXPTIME(7) -- expiration time of account
283	}
284
285	LastReq ::= SEQUENCE OF SEQUENCE {
286	lr-type[0] LR-TYPE,
287	lr-value[1] KerberosTime
288	}
289
290
291	EncryptedData ::= SEQUENCE {
292	etype[0] ENCTYPE, -- EncryptionType
293	kvno[1] krb5int32 OPTIONAL,
294	cipher[2] OCTET STRING -- ciphertext
295	}
296
297	EncryptionKey ::= SEQUENCE {
298	keytype[0] krb5int32,
299	keyvalue[1] OCTET STRING
300	}
301
302	-- encoded Transited field
303	TransitedEncoding ::= SEQUENCE {
304	tr-type[0] krb5int32, -- must be registered
305	contents[1] OCTET STRING
306	}
307
308	Ticket ::= [APPLICATION 1] SEQUENCE {
309	tkt-vno[0] krb5int32,
310	realm[1] Realm,
311	sname[2] PrincipalName,
312	enc-part[3] EncryptedData
313	}
314	-- Encrypted part of ticket
315	EncTicketPart ::= [APPLICATION 3] SEQUENCE {
316	flags[0] TicketFlags,
317	key[1] EncryptionKey,
318	crealm[2] Realm,
319	cname[3] PrincipalName,
320	transited[4] TransitedEncoding,
321	authtime[5] KerberosTime,
322	starttime[6] KerberosTime OPTIONAL,
323	endtime[7] KerberosTime,
324	renew-till[8] KerberosTime OPTIONAL,
325	caddr[9] HostAddresses OPTIONAL,
326	authorization-data[10] AuthorizationData OPTIONAL
327	}
328
329	Checksum ::= SEQUENCE {
330	cksumtype[0] CKSUMTYPE,
331	checksum[1] OCTET STRING
332	}
333
334	Authenticator ::= [APPLICATION 2] SEQUENCE {
335	authenticator-vno[0] krb5int32,
336	crealm[1] Realm,
337	cname[2] PrincipalName,
338	cksum[3] Checksum OPTIONAL,
339	cusec[4] krb5int32,
340	ctime[5] KerberosTime,
341	subkey[6] EncryptionKey OPTIONAL,
342	seq-number[7] krb5uint32 OPTIONAL,
343	authorization-data[8] AuthorizationData OPTIONAL
344	}
345
346	PA-DATA ::= SEQUENCE {
347	-- might be encoded AP-REQ
348	padata-type[1] PADATA-TYPE,
349	padata-value[2] OCTET STRING
350	}
351
352	ETYPE-INFO-ENTRY ::= SEQUENCE {
353	etype[0] ENCTYPE,
354	salt[1] OCTET STRING OPTIONAL,
355	salttype[2] krb5int32 OPTIONAL
356	}
357
358	ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
359
360	ETYPE-INFO2-ENTRY ::= SEQUENCE {
361	etype[0] ENCTYPE,
362	salt[1] KerberosString OPTIONAL,
363	s2kparams[2] OCTET STRING OPTIONAL
364	}
365
366	ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
367
368	METHOD-DATA ::= SEQUENCE OF PA-DATA
369
370	TypedData ::= SEQUENCE {
371	data-type[0] krb5int32,
372	data-value[1] OCTET STRING OPTIONAL
373	}
374
375	TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
376
377	KDC-REQ-BODY ::= SEQUENCE {
378	kdc-options[0] KDCOptions,
379	cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
380	realm[2] Realm, -- Server's realm
381	-- Also client's in AS-REQ
382	sname[3] PrincipalName OPTIONAL,
383	from[4] KerberosTime OPTIONAL,
384	till[5] KerberosTime OPTIONAL,
385	rtime[6] KerberosTime OPTIONAL,
386	nonce[7] krb5int32,
387	etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
388	-- in preference order
389	addresses[9] HostAddresses OPTIONAL,
390	enc-authorization-data[10] EncryptedData OPTIONAL,
391	-- Encrypted AuthorizationData encoding
392	additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
393	}
394
395	KDC-REQ ::= SEQUENCE {
396	pvno[1] krb5int32,
397	msg-type[2] MESSAGE-TYPE,
398	padata[3] METHOD-DATA OPTIONAL,
399	req-body[4] KDC-REQ-BODY
400	}
401
402	AS-REQ ::= [APPLICATION 10] KDC-REQ
403	TGS-REQ ::= [APPLICATION 12] KDC-REQ
404
405	-- padata-type ::= PA-ENC-TIMESTAMP
406	-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
407
408	PA-ENC-TS-ENC ::= SEQUENCE {
409	patimestamp[0] KerberosTime, -- client's time
410	pausec[1] krb5int32 OPTIONAL
411	}
412
413	-- draft-brezak-win2k-krb-authz-01
414	PA-PAC-REQUEST ::= SEQUENCE {
415	include-pac[0] BOOLEAN -- Indicates whether a PAC
416	-- should be included or not
417	}
418
419	-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
420	PROV-SRV-LOCATION ::= GeneralString
421
422	KDC-REP ::= SEQUENCE {
423	pvno[0] krb5int32,
424	msg-type[1] MESSAGE-TYPE,
425	padata[2] METHOD-DATA OPTIONAL,
426	crealm[3] Realm,
427	cname[4] PrincipalName,
428	ticket[5] Ticket,
429	enc-part[6] EncryptedData
430	}
431
432	AS-REP ::= [APPLICATION 11] KDC-REP
433	TGS-REP ::= [APPLICATION 13] KDC-REP
434
435	EncKDCRepPart ::= SEQUENCE {
436	key[0] EncryptionKey,
437	last-req[1] LastReq,
438	nonce[2] krb5int32,
439	key-expiration[3] KerberosTime OPTIONAL,
440	flags[4] TicketFlags,
441	authtime[5] KerberosTime,
442	starttime[6] KerberosTime OPTIONAL,
443	endtime[7] KerberosTime,
444	renew-till[8] KerberosTime OPTIONAL,
445	srealm[9] Realm,
446	sname[10] PrincipalName,
447	caddr[11] HostAddresses OPTIONAL,
448	encrypted-pa-data[12] METHOD-DATA OPTIONAL
449	}
450
451	EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
452	EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
453
454	AP-REQ ::= [APPLICATION 14] SEQUENCE {
455	pvno[0] krb5int32,
456	msg-type[1] MESSAGE-TYPE,
457	ap-options[2] APOptions,
458	ticket[3] Ticket,
459	authenticator[4] EncryptedData
460	}
461
462	AP-REP ::= [APPLICATION 15] SEQUENCE {
463	pvno[0] krb5int32,
464	msg-type[1] MESSAGE-TYPE,
465	enc-part[2] EncryptedData
466	}
467
468	EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
469	ctime[0] KerberosTime,
470	cusec[1] krb5int32,
471	subkey[2] EncryptionKey OPTIONAL,
472	seq-number[3] krb5uint32 OPTIONAL
473	}
474
475	KRB-SAFE-BODY ::= SEQUENCE {
476	user-data[0] OCTET STRING,
477	timestamp[1] KerberosTime OPTIONAL,
478	usec[2] krb5int32 OPTIONAL,
479	seq-number[3] krb5uint32 OPTIONAL,
480	s-address[4] HostAddress OPTIONAL,
481	r-address[5] HostAddress OPTIONAL
482	}
483
484	KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
485	pvno[0] krb5int32,
486	msg-type[1] MESSAGE-TYPE,
487	safe-body[2] KRB-SAFE-BODY,
488	cksum[3] Checksum
489	}
490
491	KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
492	pvno[0] krb5int32,
493	msg-type[1] MESSAGE-TYPE,
494	enc-part[3] EncryptedData
495	}
496	EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
497	user-data[0] OCTET STRING,
498	timestamp[1] KerberosTime OPTIONAL,
499	usec[2] krb5int32 OPTIONAL,
500	seq-number[3] krb5uint32 OPTIONAL,
501	s-address[4] HostAddress OPTIONAL, -- sender's addr
502	r-address[5] HostAddress OPTIONAL -- recip's addr
503	}
504
505	KRB-CRED ::= [APPLICATION 22] SEQUENCE {
506	pvno[0] krb5int32,
507	msg-type[1] MESSAGE-TYPE, -- KRB_CRED
508	tickets[2] SEQUENCE OF Ticket,
509	enc-part[3] EncryptedData
510	}
511
512	KrbCredInfo ::= SEQUENCE {
513	key[0] EncryptionKey,
514	prealm[1] Realm OPTIONAL,
515	pname[2] PrincipalName OPTIONAL,
516	flags[3] TicketFlags OPTIONAL,
517	authtime[4] KerberosTime OPTIONAL,
518	starttime[5] KerberosTime OPTIONAL,
519	endtime[6] KerberosTime OPTIONAL,
520	renew-till[7] KerberosTime OPTIONAL,
521	srealm[8] Realm OPTIONAL,
522	sname[9] PrincipalName OPTIONAL,
523	caddr[10] HostAddresses OPTIONAL
524	}
525
526	EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
527	ticket-info[0] SEQUENCE OF KrbCredInfo,
528	nonce[1] krb5int32 OPTIONAL,
529	timestamp[2] KerberosTime OPTIONAL,
530	usec[3] krb5int32 OPTIONAL,
531	s-address[4] HostAddress OPTIONAL,
532	r-address[5] HostAddress OPTIONAL
533	}
534
535	KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
536	pvno[0] krb5int32,
537	msg-type[1] MESSAGE-TYPE,
538	ctime[2] KerberosTime OPTIONAL,
539	cusec[3] krb5int32 OPTIONAL,
540	stime[4] KerberosTime,
541	susec[5] krb5int32,
542	error-code[6] krb5int32,
543	crealm[7] Realm OPTIONAL,
544	cname[8] PrincipalName OPTIONAL,
545	realm[9] Realm, -- Correct realm
546	sname[10] PrincipalName, -- Correct name
547	e-text[11] GeneralString OPTIONAL,
548	e-data[12] OCTET STRING OPTIONAL
549	}
550
551	ChangePasswdDataMS ::= SEQUENCE {
552	newpasswd[0] OCTET STRING,
553	targname[1] PrincipalName OPTIONAL,
554	targrealm[2] Realm OPTIONAL
555	}
556
557	EtypeList ::= SEQUENCE OF krb5int32
558	-- the client's proposed enctype list in
559	-- decreasing preference order, favorite choice first
560
561	krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
562
563	-- transited encodings
564
565	DOMAIN-X500-COMPRESS krb5int32 ::= 1
566
567	-- authorization data primitives
568
569	AD-IF-RELEVANT ::= AuthorizationData
570
571	AD-KDCIssued ::= SEQUENCE {
572	ad-checksum[0] Checksum,
573	i-realm[1] Realm OPTIONAL,
574	i-sname[2] PrincipalName OPTIONAL,
575	elements[3] AuthorizationData
576	}
577
578	AD-AND-OR ::= SEQUENCE {
579	condition-count[0] INTEGER,
580	elements[1] AuthorizationData
581	}
582
583	AD-MANDATORY-FOR-KDC ::= AuthorizationData
584
585	-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
586
587	PA-SAM-TYPE ::= INTEGER {
588	PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
589	PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
590	PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
591	PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
592	PA_SAM_TYPE_SECURID(5), -- Security Dynamics
593	PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
594	}
595
596	PA-SAM-REDIRECT ::= HostAddresses
597
598	SAMFlags ::= BIT STRING {
599	use-sad-as-key(0),
600	send-encrypted-sad(1),
601	must-pk-encrypt-sad(2)
602	}
603
604	PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
605	sam-type[0] krb5int32,
606	sam-flags[1] SAMFlags,
607	sam-type-name[2] GeneralString OPTIONAL,
608	sam-track-id[3] GeneralString OPTIONAL,
609	sam-challenge-label[4] GeneralString OPTIONAL,
610	sam-challenge[5] GeneralString OPTIONAL,
611	sam-response-prompt[6] GeneralString OPTIONAL,
612	sam-pk-for-sad[7] EncryptionKey OPTIONAL,
613	sam-nonce[8] krb5int32,
614	sam-etype[9] krb5int32,
615	...
616	}
617
618	PA-SAM-CHALLENGE-2 ::= SEQUENCE {
619	sam-body[0] PA-SAM-CHALLENGE-2-BODY,
620	sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
621	...
622	}
623
624	PA-SAM-RESPONSE-2 ::= SEQUENCE {
625	sam-type[0] krb5int32,
626	sam-flags[1] SAMFlags,
627	sam-track-id[2] GeneralString OPTIONAL,
628	sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
629	sam-nonce[4] krb5int32,
630	...
631	}
632
633	PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
634	sam-nonce[0] krb5int32,
635	sam-sad[1] GeneralString OPTIONAL,
636	...
637	}
638
639	PA-S4U2Self ::= SEQUENCE {
640	name[0] PrincipalName,
641	realm[1] Realm,
642	cksum[2] Checksum,
643	auth[3] GeneralString
644	}
645
646	-- never encoded on the wire, just used to checksum over
647	KRB5SignedPathData ::= SEQUENCE {
648	encticket[0] EncTicketPart,
649	delegated[1] Principals OPTIONAL
650	}
651
652	KRB5SignedPath ::= SEQUENCE {
653	-- DERcoded KRB5SignedPathData
654	-- krbtgt key (etype), KeyUsage = XXX
655	etype[0] ENCTYPE,
656	cksum[1] Checksum,
657	-- srvs delegated though
658	delegated[2] Principals OPTIONAL
659	}
660
661	PA-ClientCanonicalizedNames ::= SEQUENCE{
662	requested-name [0] PrincipalName,
663	mapped-name [1] PrincipalName
664	}
665
666	PA-ClientCanonicalized ::= SEQUENCE {
667	names [0] PA-ClientCanonicalizedNames,
668	canon-checksum [1] Checksum
669	}
670
671	AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
672	login-alias [0] PrincipalName,
673	checksum [1] Checksum
674	}
675
676	-- old ms referral
677	PA-SvrReferralData ::= SEQUENCE {
678	referred-name [1] PrincipalName OPTIONAL,
679	referred-realm [0] Realm
680	}
681
682	PA-SERVER-REFERRAL-DATA ::= EncryptedData
683
684	PA-ServerReferralData ::= SEQUENCE {
685	referred-realm [0] Realm OPTIONAL,
686	true-principal-name [1] PrincipalName OPTIONAL,
687	requested-principal-name [2] PrincipalName OPTIONAL,
688	referral-valid-until [3] KerberosTime OPTIONAL,
689	...
690	}
691
692	FastOptions ::= BIT STRING {
693	reserved(0),
694	hide-client-names(1),
695	kdc-follow--referrals(16)
696	}
697
698	KrbFastReq ::= SEQUENCE {
699	fast-options [0] FastOptions,
700	padata [1] SEQUENCE OF PA-DATA,
701	req-body [2] KDC-REQ-BODY,
702	...
703	}
704
705	KrbFastArmor ::= SEQUENCE {
706	armor-type [0] krb5int32,
707	armor-value [1] OCTET STRING,
708	...
709	}
710
711	KrbFastArmoredReq ::= SEQUENCE {
712	armor [0] KrbFastArmor OPTIONAL,
713	req-checksum [1] Checksum,
714	enc-fast-req [2] EncryptedData -- KrbFastReq --
715	}
716
717	PA-FX-FAST-REQUEST ::= CHOICE {
718	armored-data [0] KrbFastArmoredReq,
719	...
720	}
721
722	KrbFastFinished ::= SEQUENCE {
723	timestamp [0] KerberosTime,
724	usec [1] krb5int32,
725	crealm [2] Realm,
726	cname [3] PrincipalName,
727	checksum [4] Checksum,
728	ticket-checksum [5] Checksum,
729	...
730	}
731
732	KrbFastResponse ::= SEQUENCE {
733	padata [0] SEQUENCE OF PA-DATA,
734	rep-key [1] EncryptionKey OPTIONAL,
735	finished [2] KrbFastFinished OPTIONAL,
736	...
737	}
738
739	KrbFastArmoredRep ::= SEQUENCE {
740	enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
741	...
742	}
743
744	PA-FX-FAST-REPLY ::= CHOICE {
745	armored-data [0] KrbFastArmoredRep,
746	...
747	}
748
749	END
750
751	-- etags -r '/$[A-Za-z][-A-Za-z0-9]$.::=/\1/' k5.asn1

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format