Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

krb5.asn1

Visit:

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated trunk to 3.6.0
File size: 21.2 KB

Line
1	-- $Id$
2
3	KERBEROS5 DEFINITIONS ::=
4	BEGIN
5	EXPORTS
6	AD-AND-OR,
7	AD-IF-RELEVANT,
8	AD-KDCIssued,
9	AD-LoginAlias,
10	AP-REP,
11	AP-REQ,
12	AS-REP,
13	AS-REQ,
14	AUTHDATA-TYPE,
15	Authenticator,
16	AuthorizationData,
17	AuthorizationDataElement,
18	CKSUMTYPE,
19	ChangePasswdDataMS,
20	Checksum,
21	ENCTYPE,
22	ETYPE-INFO,
23	ETYPE-INFO-ENTRY,
24	ETYPE-INFO2,
25	ETYPE-INFO2-ENTRY,
26	EncAPRepPart,
27	EncASRepPart,
28	EncKDCRepPart,
29	EncKrbCredPart,
30	EncKrbPrivPart,
31	EncTGSRepPart,
32	EncTicketPart,
33	EncryptedData,
34	EncryptionKey,
35	EtypeList,
36	HostAddress,
37	HostAddresses,
38	KDC-REQ-BODY,
39	KDCOptions,
40	KDC-REP,
41	KRB-CRED,
42	KRB-ERROR,
43	KRB-PRIV,
44	KRB-SAFE,
45	KRB-SAFE-BODY,
46	KRB5SignedPath,
47	KRB5SignedPathData,
48	KRB5SignedPathPrincipals,
49	KerberosString,
50	KerberosTime,
51	KrbCredInfo,
52	LR-TYPE,
53	LastReq,
54	METHOD-DATA,
55	NAME-TYPE,
56	PA-ClientCanonicalized,
57	PA-ClientCanonicalizedNames,
58	PA-DATA,
59	PA-ENC-TS-ENC,
60	PA-PAC-REQUEST,
61	PA-S4U2Self,
62	PA-SERVER-REFERRAL-DATA,
63	PA-ServerReferralData,
64	PA-SvrReferralData,
65	PADATA-TYPE,
66	Principal,
67	PrincipalName,
68	Principals,
69	Realm,
70	TGS-REP,
71	TGS-REQ,
72	Ticket,
73	TicketFlags,
74	TransitedEncoding,
75	TypedData
76	;
77
78	NAME-TYPE ::= INTEGER {
79	KRB5_NT_UNKNOWN(0), -- Name type not known
80	KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
81	KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
82	KRB5_NT_SRV_HST(3), -- Service with host name as instance
83	KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
84	KRB5_NT_UID(5), -- Unique ID
85	KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
86	KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
87	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
88	KRB5_NT_WELLKNOWN(11), -- Wellknown
89	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
90	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
91	KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
92	KRB5_NT_NTLM(-1200) -- NTLM name, realm is domain
93	}
94
95	-- message types
96
97	MESSAGE-TYPE ::= INTEGER {
98	krb-as-req(10), -- Request for initial authentication
99	krb-as-rep(11), -- Response to KRB_AS_REQ request
100	krb-tgs-req(12), -- Request for authentication based on TGT
101	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
102	krb-ap-req(14), -- application request to server
103	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
104	krb-safe(20), -- Safe (checksummed) application message
105	krb-priv(21), -- Private (encrypted) application message
106	krb-cred(22), -- Private (encrypted) message to forward credentials
107	krb-error(30) -- Error response
108	}
109
110
111	-- pa-data types
112
113	PADATA-TYPE ::= INTEGER {
114	KRB5-PADATA-NONE(0),
115	KRB5-PADATA-TGS-REQ(1),
116	KRB5-PADATA-AP-REQ(1),
117	KRB5-PADATA-ENC-TIMESTAMP(2),
118	KRB5-PADATA-PW-SALT(3),
119	KRB5-PADATA-ENC-UNIX-TIME(5),
120	KRB5-PADATA-SANDIA-SECUREID(6),
121	KRB5-PADATA-SESAME(7),
122	KRB5-PADATA-OSF-DCE(8),
123	KRB5-PADATA-CYBERSAFE-SECUREID(9),
124	KRB5-PADATA-AFS3-SALT(10),
125	KRB5-PADATA-ETYPE-INFO(11),
126	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
127	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
128	KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
129	KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
130	KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
131	KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
132	KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
133	KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
134	KRB5-PADATA-ETYPE-INFO2(19),
135	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
136	KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
137	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
138	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
139	KRB5-PADATA-SAM-ETYPE-INFO(23),
140	KRB5-PADATA-SERVER-REFERRAL(25),
141	KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
142	KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
143	KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
144	KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
145	KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
146	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
147	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
148	KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
149	KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
150	KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
151	KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
152	KRB5-PADATA-FOR-USER(129), -- MS-KILE
153	KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
154	KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
155	KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
156	KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
157	-- tell KDC that is supports
158	-- the asCheckSum in the
159	-- PK-AS-REP
160	KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referals
161	KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
162	KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
163	KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
164	KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
165	KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
166	KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
167	KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
168	KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
169	KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
170	KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
171	KRB5-PADATA-EPAK-AS-REQ(145),
172	KRB5-PADATA-EPAK-AS-REP(146),
173	KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
174	KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
175	KRB5-PADATA-REQ-ENC-PA-REP(149), --
176	KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
177	}
178
179	AUTHDATA-TYPE ::= INTEGER {
180	KRB5-AUTHDATA-IF-RELEVANT(1),
181	KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
182	KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
183	KRB5-AUTHDATA-KDC-ISSUED(4),
184	KRB5-AUTHDATA-AND-OR(5),
185	KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
186	KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
187	KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
188	KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
189	KRB5-AUTHDATA-OSF-DCE(64),
190	KRB5-AUTHDATA-SESAME(65),
191	KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
192	KRB5-AUTHDATA-WIN2K-PAC(128),
193	KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
194	KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
195	KRB5-AUTHDATA-SIGNTICKET-OLD(142),
196	KRB5-AUTHDATA-SIGNTICKET(512)
197	}
198
199	-- checksumtypes
200
201	CKSUMTYPE ::= INTEGER {
202	CKSUMTYPE_NONE(0),
203	CKSUMTYPE_CRC32(1),
204	CKSUMTYPE_RSA_MD4(2),
205	CKSUMTYPE_RSA_MD4_DES(3),
206	CKSUMTYPE_DES_MAC(4),
207	CKSUMTYPE_DES_MAC_K(5),
208	CKSUMTYPE_RSA_MD4_DES_K(6),
209	CKSUMTYPE_RSA_MD5(7),
210	CKSUMTYPE_RSA_MD5_DES(8),
211	CKSUMTYPE_RSA_MD5_DES3(9),
212	CKSUMTYPE_SHA1_OTHER(10),
213	CKSUMTYPE_HMAC_SHA1_DES3(12),
214	CKSUMTYPE_SHA1(14),
215	CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
216	CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
217	CKSUMTYPE_GSSAPI(0x8003),
218	CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
219	CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
220	}
221
222	--enctypes
223	ENCTYPE ::= INTEGER {
224	ETYPE_NULL(0),
225	ETYPE_DES_CBC_CRC(1),
226	ETYPE_DES_CBC_MD4(2),
227	ETYPE_DES_CBC_MD5(3),
228	ETYPE_DES3_CBC_MD5(5),
229	ETYPE_OLD_DES3_CBC_SHA1(7),
230	ETYPE_SIGN_DSA_GENERATE(8),
231	ETYPE_ENCRYPT_RSA_PRIV(9),
232	ETYPE_ENCRYPT_RSA_PUB(10),
233	ETYPE_DES3_CBC_SHA1(16), -- with key derivation
234	ETYPE_AES128_CTS_HMAC_SHA1_96(17),
235	ETYPE_AES256_CTS_HMAC_SHA1_96(18),
236	ETYPE_ARCFOUR_HMAC_MD5(23),
237	ETYPE_ARCFOUR_HMAC_MD5_56(24),
238	ETYPE_ENCTYPE_PK_CROSS(48),
239	-- some "old" windows types
240	ETYPE_ARCFOUR_MD4(-128),
241	ETYPE_ARCFOUR_HMAC_OLD(-133),
242	ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
243	-- these are for Heimdal internal use
244	ETYPE_DES_CBC_NONE(-0x1000),
245	ETYPE_DES3_CBC_NONE(-0x1001),
246	ETYPE_DES_CFB64_NONE(-0x1002),
247	ETYPE_DES_PCBC_NONE(-0x1003),
248	ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
249	ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
250	}
251
252
253
254
255	-- this is sugar to make something ASN1 does not have: unsigned
256
257	krb5uint32 ::= INTEGER (0..4294967295)
258	krb5int32 ::= INTEGER (-2147483648..2147483647)
259
260	KerberosString ::= GeneralString
261
262	Realm ::= GeneralString
263	PrincipalName ::= SEQUENCE {
264	name-type[0] NAME-TYPE,
265	name-string[1] SEQUENCE OF GeneralString
266	}
267
268	-- this is not part of RFC1510
269	Principal ::= SEQUENCE {
270	name[0] PrincipalName,
271	realm[1] Realm
272	}
273
274	Principals ::= SEQUENCE OF Principal
275
276	HostAddress ::= SEQUENCE {
277	addr-type[0] krb5int32,
278	address[1] OCTET STRING
279	}
280
281	-- This is from RFC1510.
282	--
283	-- HostAddresses ::= SEQUENCE OF SEQUENCE {
284	-- addr-type[0] krb5int32,
285	-- address[1] OCTET STRING
286	-- }
287
288	-- This seems much better.
289	HostAddresses ::= SEQUENCE OF HostAddress
290
291
292	KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
293
294	AuthorizationDataElement ::= SEQUENCE {
295	ad-type[0] krb5int32,
296	ad-data[1] OCTET STRING
297	}
298
299	AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
300
301	APOptions ::= BIT STRING {
302	reserved(0),
303	use-session-key(1),
304	mutual-required(2)
305	}
306
307	TicketFlags ::= BIT STRING {
308	reserved(0),
309	forwardable(1),
310	forwarded(2),
311	proxiable(3),
312	proxy(4),
313	may-postdate(5),
314	postdated(6),
315	invalid(7),
316	renewable(8),
317	initial(9),
318	pre-authent(10),
319	hw-authent(11),
320	transited-policy-checked(12),
321	ok-as-delegate(13),
322	anonymous(14),
323	enc-pa-rep(15)
324	}
325
326	KDCOptions ::= BIT STRING {
327	reserved(0),
328	forwardable(1),
329	forwarded(2),
330	proxiable(3),
331	proxy(4),
332	allow-postdate(5),
333	postdated(6),
334	renewable(8),
335	request-anonymous(14),
336	canonicalize(15),
337	constrained-delegation(16), -- ms extension
338	disable-transited-check(26),
339	renewable-ok(27),
340	enc-tkt-in-skey(28),
341	renew(30),
342	validate(31)
343	}
344
345	LR-TYPE ::= INTEGER {
346	LR_NONE(0), -- no information
347	LR_INITIAL_TGT(1), -- last initial TGT request
348	LR_INITIAL(2), -- last initial request
349	LR_ISSUE_USE_TGT(3), -- time of newest TGT used
350	LR_RENEWAL(4), -- time of last renewal
351	LR_REQUEST(5), -- time of last request (of any type)
352	LR_PW_EXPTIME(6), -- expiration time of password
353	LR_ACCT_EXPTIME(7) -- expiration time of account
354	}
355
356	LastReq ::= SEQUENCE OF SEQUENCE {
357	lr-type[0] LR-TYPE,
358	lr-value[1] KerberosTime
359	}
360
361
362	EncryptedData ::= SEQUENCE {
363	etype[0] ENCTYPE, -- EncryptionType
364	kvno[1] krb5int32 OPTIONAL,
365	cipher[2] OCTET STRING -- ciphertext
366	}
367
368	EncryptionKey ::= SEQUENCE {
369	keytype[0] krb5int32,
370	keyvalue[1] OCTET STRING
371	}
372
373	-- encoded Transited field
374	TransitedEncoding ::= SEQUENCE {
375	tr-type[0] krb5int32, -- must be registered
376	contents[1] OCTET STRING
377	}
378
379	Ticket ::= [APPLICATION 1] SEQUENCE {
380	tkt-vno[0] krb5int32,
381	realm[1] Realm,
382	sname[2] PrincipalName,
383	enc-part[3] EncryptedData
384	}
385	-- Encrypted part of ticket
386	EncTicketPart ::= [APPLICATION 3] SEQUENCE {
387	flags[0] TicketFlags,
388	key[1] EncryptionKey,
389	crealm[2] Realm,
390	cname[3] PrincipalName,
391	transited[4] TransitedEncoding,
392	authtime[5] KerberosTime,
393	starttime[6] KerberosTime OPTIONAL,
394	endtime[7] KerberosTime,
395	renew-till[8] KerberosTime OPTIONAL,
396	caddr[9] HostAddresses OPTIONAL,
397	authorization-data[10] AuthorizationData OPTIONAL
398	}
399
400	Checksum ::= SEQUENCE {
401	cksumtype[0] CKSUMTYPE,
402	checksum[1] OCTET STRING
403	}
404
405	Authenticator ::= [APPLICATION 2] SEQUENCE {
406	authenticator-vno[0] krb5int32,
407	crealm[1] Realm,
408	cname[2] PrincipalName,
409	cksum[3] Checksum OPTIONAL,
410	cusec[4] krb5int32,
411	ctime[5] KerberosTime,
412	subkey[6] EncryptionKey OPTIONAL,
413	seq-number[7] krb5uint32 OPTIONAL,
414	authorization-data[8] AuthorizationData OPTIONAL
415	}
416
417	PA-DATA ::= SEQUENCE {
418	-- might be encoded AP-REQ
419	padata-type[1] PADATA-TYPE,
420	padata-value[2] OCTET STRING
421	}
422
423	ETYPE-INFO-ENTRY ::= SEQUENCE {
424	etype[0] ENCTYPE,
425	salt[1] OCTET STRING OPTIONAL,
426	salttype[2] krb5int32 OPTIONAL
427	}
428
429	ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
430
431	ETYPE-INFO2-ENTRY ::= SEQUENCE {
432	etype[0] ENCTYPE,
433	salt[1] KerberosString OPTIONAL,
434	s2kparams[2] OCTET STRING OPTIONAL
435	}
436
437	ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
438
439	METHOD-DATA ::= SEQUENCE OF PA-DATA
440
441	TypedData ::= SEQUENCE {
442	data-type[0] krb5int32,
443	data-value[1] OCTET STRING OPTIONAL
444	}
445
446	TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
447
448	KDC-REQ-BODY ::= SEQUENCE {
449	kdc-options[0] KDCOptions,
450	cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
451	realm[2] Realm, -- Server's realm
452	-- Also client's in AS-REQ
453	sname[3] PrincipalName OPTIONAL,
454	from[4] KerberosTime OPTIONAL,
455	till[5] KerberosTime OPTIONAL,
456	rtime[6] KerberosTime OPTIONAL,
457	nonce[7] krb5int32,
458	etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
459	-- in preference order
460	addresses[9] HostAddresses OPTIONAL,
461	enc-authorization-data[10] EncryptedData OPTIONAL,
462	-- Encrypted AuthorizationData encoding
463	additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
464	}
465
466	KDC-REQ ::= SEQUENCE {
467	pvno[1] krb5int32,
468	msg-type[2] MESSAGE-TYPE,
469	padata[3] METHOD-DATA OPTIONAL,
470	req-body[4] KDC-REQ-BODY
471	}
472
473	AS-REQ ::= [APPLICATION 10] KDC-REQ
474	TGS-REQ ::= [APPLICATION 12] KDC-REQ
475
476	-- padata-type ::= PA-ENC-TIMESTAMP
477	-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
478
479	PA-ENC-TS-ENC ::= SEQUENCE {
480	patimestamp[0] KerberosTime, -- client's time
481	pausec[1] krb5int32 OPTIONAL
482	}
483
484	-- draft-brezak-win2k-krb-authz-01
485	PA-PAC-REQUEST ::= SEQUENCE {
486	include-pac[0] BOOLEAN -- Indicates whether a PAC
487	-- should be included or not
488	}
489
490	-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
491	PROV-SRV-LOCATION ::= GeneralString
492
493	KDC-REP ::= SEQUENCE {
494	pvno[0] krb5int32,
495	msg-type[1] MESSAGE-TYPE,
496	padata[2] METHOD-DATA OPTIONAL,
497	crealm[3] Realm,
498	cname[4] PrincipalName,
499	ticket[5] Ticket,
500	enc-part[6] EncryptedData
501	}
502
503	AS-REP ::= [APPLICATION 11] KDC-REP
504	TGS-REP ::= [APPLICATION 13] KDC-REP
505
506	EncKDCRepPart ::= SEQUENCE {
507	key[0] EncryptionKey,
508	last-req[1] LastReq,
509	nonce[2] krb5int32,
510	key-expiration[3] KerberosTime OPTIONAL,
511	flags[4] TicketFlags,
512	authtime[5] KerberosTime,
513	starttime[6] KerberosTime OPTIONAL,
514	endtime[7] KerberosTime,
515	renew-till[8] KerberosTime OPTIONAL,
516	srealm[9] Realm,
517	sname[10] PrincipalName,
518	caddr[11] HostAddresses OPTIONAL,
519	encrypted-pa-data[12] METHOD-DATA OPTIONAL
520	}
521
522	EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
523	EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
524
525	AP-REQ ::= [APPLICATION 14] SEQUENCE {
526	pvno[0] krb5int32,
527	msg-type[1] MESSAGE-TYPE,
528	ap-options[2] APOptions,
529	ticket[3] Ticket,
530	authenticator[4] EncryptedData
531	}
532
533	AP-REP ::= [APPLICATION 15] SEQUENCE {
534	pvno[0] krb5int32,
535	msg-type[1] MESSAGE-TYPE,
536	enc-part[2] EncryptedData
537	}
538
539	EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
540	ctime[0] KerberosTime,
541	cusec[1] krb5int32,
542	subkey[2] EncryptionKey OPTIONAL,
543	seq-number[3] krb5uint32 OPTIONAL
544	}
545
546	KRB-SAFE-BODY ::= SEQUENCE {
547	user-data[0] OCTET STRING,
548	timestamp[1] KerberosTime OPTIONAL,
549	usec[2] krb5int32 OPTIONAL,
550	seq-number[3] krb5uint32 OPTIONAL,
551	s-address[4] HostAddress OPTIONAL,
552	r-address[5] HostAddress OPTIONAL
553	}
554
555	KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
556	pvno[0] krb5int32,
557	msg-type[1] MESSAGE-TYPE,
558	safe-body[2] KRB-SAFE-BODY,
559	cksum[3] Checksum
560	}
561
562	KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
563	pvno[0] krb5int32,
564	msg-type[1] MESSAGE-TYPE,
565	enc-part[3] EncryptedData
566	}
567	EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
568	user-data[0] OCTET STRING,
569	timestamp[1] KerberosTime OPTIONAL,
570	usec[2] krb5int32 OPTIONAL,
571	seq-number[3] krb5uint32 OPTIONAL,
572	s-address[4] HostAddress OPTIONAL, -- sender's addr
573	r-address[5] HostAddress OPTIONAL -- recip's addr
574	}
575
576	KRB-CRED ::= [APPLICATION 22] SEQUENCE {
577	pvno[0] krb5int32,
578	msg-type[1] MESSAGE-TYPE, -- KRB_CRED
579	tickets[2] SEQUENCE OF Ticket,
580	enc-part[3] EncryptedData
581	}
582
583	KrbCredInfo ::= SEQUENCE {
584	key[0] EncryptionKey,
585	prealm[1] Realm OPTIONAL,
586	pname[2] PrincipalName OPTIONAL,
587	flags[3] TicketFlags OPTIONAL,
588	authtime[4] KerberosTime OPTIONAL,
589	starttime[5] KerberosTime OPTIONAL,
590	endtime[6] KerberosTime OPTIONAL,
591	renew-till[7] KerberosTime OPTIONAL,
592	srealm[8] Realm OPTIONAL,
593	sname[9] PrincipalName OPTIONAL,
594	caddr[10] HostAddresses OPTIONAL
595	}
596
597	EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
598	ticket-info[0] SEQUENCE OF KrbCredInfo,
599	nonce[1] krb5int32 OPTIONAL,
600	timestamp[2] KerberosTime OPTIONAL,
601	usec[3] krb5int32 OPTIONAL,
602	s-address[4] HostAddress OPTIONAL,
603	r-address[5] HostAddress OPTIONAL
604	}
605
606	KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
607	pvno[0] krb5int32,
608	msg-type[1] MESSAGE-TYPE,
609	ctime[2] KerberosTime OPTIONAL,
610	cusec[3] krb5int32 OPTIONAL,
611	stime[4] KerberosTime,
612	susec[5] krb5int32,
613	error-code[6] krb5int32,
614	crealm[7] Realm OPTIONAL,
615	cname[8] PrincipalName OPTIONAL,
616	realm[9] Realm, -- Correct realm
617	sname[10] PrincipalName, -- Correct name
618	e-text[11] GeneralString OPTIONAL,
619	e-data[12] OCTET STRING OPTIONAL
620	}
621
622	ChangePasswdDataMS ::= SEQUENCE {
623	newpasswd[0] OCTET STRING,
624	targname[1] PrincipalName OPTIONAL,
625	targrealm[2] Realm OPTIONAL
626	}
627
628	EtypeList ::= SEQUENCE OF krb5int32
629	-- the client's proposed enctype list in
630	-- decreasing preference order, favorite choice first
631
632	krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
633
634	-- transited encodings
635
636	DOMAIN-X500-COMPRESS krb5int32 ::= 1
637
638	-- authorization data primitives
639
640	AD-IF-RELEVANT ::= AuthorizationData
641
642	AD-KDCIssued ::= SEQUENCE {
643	ad-checksum[0] Checksum,
644	i-realm[1] Realm OPTIONAL,
645	i-sname[2] PrincipalName OPTIONAL,
646	elements[3] AuthorizationData
647	}
648
649	AD-AND-OR ::= SEQUENCE {
650	condition-count[0] INTEGER,
651	elements[1] AuthorizationData
652	}
653
654	AD-MANDATORY-FOR-KDC ::= AuthorizationData
655
656	-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
657
658	PA-SAM-TYPE ::= INTEGER {
659	PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
660	PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
661	PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
662	PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
663	PA_SAM_TYPE_SECURID(5), -- Security Dynamics
664	PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
665	}
666
667	PA-SAM-REDIRECT ::= HostAddresses
668
669	SAMFlags ::= BIT STRING {
670	use-sad-as-key(0),
671	send-encrypted-sad(1),
672	must-pk-encrypt-sad(2)
673	}
674
675	PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
676	sam-type[0] krb5int32,
677	sam-flags[1] SAMFlags,
678	sam-type-name[2] GeneralString OPTIONAL,
679	sam-track-id[3] GeneralString OPTIONAL,
680	sam-challenge-label[4] GeneralString OPTIONAL,
681	sam-challenge[5] GeneralString OPTIONAL,
682	sam-response-prompt[6] GeneralString OPTIONAL,
683	sam-pk-for-sad[7] EncryptionKey OPTIONAL,
684	sam-nonce[8] krb5int32,
685	sam-etype[9] krb5int32,
686	...
687	}
688
689	PA-SAM-CHALLENGE-2 ::= SEQUENCE {
690	sam-body[0] PA-SAM-CHALLENGE-2-BODY,
691	sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
692	...
693	}
694
695	PA-SAM-RESPONSE-2 ::= SEQUENCE {
696	sam-type[0] krb5int32,
697	sam-flags[1] SAMFlags,
698	sam-track-id[2] GeneralString OPTIONAL,
699	sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
700	sam-nonce[4] krb5int32,
701	...
702	}
703
704	PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
705	sam-nonce[0] krb5int32,
706	sam-sad[1] GeneralString OPTIONAL,
707	...
708	}
709
710	PA-S4U2Self ::= SEQUENCE {
711	name[0] PrincipalName,
712	realm[1] Realm,
713	cksum[2] Checksum,
714	auth[3] GeneralString
715	}
716
717	-- never encoded on the wire, just used to checksum over
718	KRB5SignedPathData ::= SEQUENCE {
719	client[0] Principal OPTIONAL,
720	authtime[1] KerberosTime,
721	delegated[2] Principals OPTIONAL,
722	method_data[3] METHOD-DATA OPTIONAL
723	}
724
725	KRB5SignedPath ::= SEQUENCE {
726	-- DERcoded KRB5SignedPathData
727	-- krbtgt key (etype), KeyUsage = XXX
728	etype[0] ENCTYPE,
729	cksum[1] Checksum,
730	-- srvs delegated though
731	delegated[2] Principals OPTIONAL,
732	method_data[3] METHOD-DATA OPTIONAL
733	}
734
735	PA-ClientCanonicalizedNames ::= SEQUENCE{
736	requested-name [0] PrincipalName,
737	mapped-name [1] PrincipalName
738	}
739
740	PA-ClientCanonicalized ::= SEQUENCE {
741	names [0] PA-ClientCanonicalizedNames,
742	canon-checksum [1] Checksum
743	}
744
745	AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
746	login-alias [0] PrincipalName,
747	checksum [1] Checksum
748	}
749
750	-- old ms referral
751	PA-SvrReferralData ::= SEQUENCE {
752	referred-name [1] PrincipalName OPTIONAL,
753	referred-realm [0] Realm
754	}
755
756	PA-SERVER-REFERRAL-DATA ::= EncryptedData
757
758	PA-ServerReferralData ::= SEQUENCE {
759	referred-realm [0] Realm OPTIONAL,
760	true-principal-name [1] PrincipalName OPTIONAL,
761	requested-principal-name [2] PrincipalName OPTIONAL,
762	referral-valid-until [3] KerberosTime OPTIONAL,
763	...
764	}
765
766	FastOptions ::= BIT STRING {
767	reserved(0),
768	hide-client-names(1),
769	kdc-follow--referrals(16)
770	}
771
772	KrbFastReq ::= SEQUENCE {
773	fast-options [0] FastOptions,
774	padata [1] SEQUENCE OF PA-DATA,
775	req-body [2] KDC-REQ-BODY,
776	...
777	}
778
779	KrbFastArmor ::= SEQUENCE {
780	armor-type [0] krb5int32,
781	armor-value [1] OCTET STRING,
782	...
783	}
784
785	KrbFastArmoredReq ::= SEQUENCE {
786	armor [0] KrbFastArmor OPTIONAL,
787	req-checksum [1] Checksum,
788	enc-fast-req [2] EncryptedData -- KrbFastReq --
789	}
790
791	PA-FX-FAST-REQUEST ::= CHOICE {
792	armored-data [0] KrbFastArmoredReq,
793	...
794	}
795
796	KrbFastFinished ::= SEQUENCE {
797	timestamp [0] KerberosTime,
798	usec [1] krb5int32,
799	crealm [2] Realm,
800	cname [3] PrincipalName,
801	checksum [4] Checksum,
802	ticket-checksum [5] Checksum,
803	...
804	}
805
806	KrbFastResponse ::= SEQUENCE {
807	padata [0] SEQUENCE OF PA-DATA,
808	rep-key [1] EncryptionKey OPTIONAL,
809	finished [2] KrbFastFinished OPTIONAL,
810	...
811	}
812
813	KrbFastArmoredRep ::= SEQUENCE {
814	enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
815	...
816	}
817
818	PA-FX-FAST-REPLY ::= CHOICE {
819	armored-data [0] KrbFastArmoredRep,
820	...
821	}
822
823	END
824
825	-- etags -r '/$[A-Za-z][-A-Za-z0-9]$.::=/\1/' k5.asn1

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format