| blob | 7915428fd5b0526e41220b58ee073aab63ff1e60 |
1 -- $Id$
3 KERBEROS5 DEFINITIONS ::=
4 BEGIN
5 EXPORTS
6 AD-AND-OR,
7 AD-IF-RELEVANT,
8 AD-KDCIssued,
9 AD-LoginAlias,
10 AP-REP,
11 AP-REQ,
12 AS-REP,
13 AS-REQ,
14 AUTHDATA-TYPE,
15 Authenticator,
16 AuthorizationData,
17 AuthorizationDataElement,
18 CKSUMTYPE,
19 ChangePasswdDataMS,
20 Checksum,
21 ENCTYPE,
22 ETYPE-INFO,
23 ETYPE-INFO-ENTRY,
24 ETYPE-INFO2,
25 ETYPE-INFO2-ENTRY,
26 EncAPRepPart,
27 EncASRepPart,
28 EncKDCRepPart,
29 EncKrbCredPart,
30 EncKrbPrivPart,
31 EncTGSRepPart,
32 EncTicketPart,
33 EncryptedData,
34 EncryptionKey,
35 EtypeList,
36 HostAddress,
37 HostAddresses,
38 KDC-REQ-BODY,
39 KDCOptions,
40 KDC-REP,
41 KRB-CRED,
42 KRB-ERROR,
43 KRB-PRIV,
44 KRB-SAFE,
45 KRB-SAFE-BODY,
46 KRB5SignedPath,
47 KRB5SignedPathData,
48 KRB5SignedPathPrincipals,
49 KerberosString,
50 KerberosTime,
51 KrbCredInfo,
52 LR-TYPE,
53 LastReq,
54 METHOD-DATA,
55 NAME-TYPE,
56 PA-ClientCanonicalized,
57 PA-ClientCanonicalizedNames,
58 PA-DATA,
59 PA-ENC-TS-ENC,
60 PA-PAC-REQUEST,
61 PA-S4U2Self,
62 PA-SERVER-REFERRAL-DATA,
63 PA-ServerReferralData,
64 PA-SvrReferralData,
65 PADATA-TYPE,
66 PA-FX-FAST-REQUEST,
67 PA-FX-FAST-REPLY,
68 Principal,
69 PrincipalName,
70 Principals,
71 Realm,
72 TGS-REP,
73 TGS-REQ,
74 Ticket,
75 TicketFlags,
76 TransitedEncoding,
77 TypedData,
78 KrbFastResponse,
79 KrbFastFinished,
80 KrbFastReq,
81 KrbFastArmor,
82 KDCFastState,
83 KDCFastCookie
84 ;
86 NAME-TYPE ::= INTEGER {
87 KRB5_NT_UNKNOWN(0), -- Name type not known
88 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
89 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
90 KRB5_NT_SRV_HST(3), -- Service with host name as instance
91 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
92 KRB5_NT_UID(5), -- Unique ID
93 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
94 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
95 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
96 KRB5_NT_WELLKNOWN(11), -- Wellknown
97 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
98 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
99 KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
100 KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
101 KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
102 KRB5_NT_GSS_HOSTBASED_SERVICE(-1202),
103 KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache,
104 KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- -(0x0bad1dea)
105 }
107 -- message types
109 MESSAGE-TYPE ::= INTEGER {
110 krb-as-req(10), -- Request for initial authentication
111 krb-as-rep(11), -- Response to KRB_AS_REQ request
112 krb-tgs-req(12), -- Request for authentication based on TGT
113 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
114 krb-ap-req(14), -- application request to server
115 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
116 krb-safe(20), -- Safe (checksummed) application message
117 krb-priv(21), -- Private (encrypted) application message
118 krb-cred(22), -- Private (encrypted) message to forward credentials
119 krb-error(30) -- Error response
120 }
123 -- pa-data types
125 PADATA-TYPE ::= INTEGER {
126 KRB5-PADATA-NONE(0),
127 KRB5-PADATA-TGS-REQ(1),
128 KRB5-PADATA-AP-REQ(1),
129 KRB5-PADATA-ENC-TIMESTAMP(2),
130 KRB5-PADATA-PW-SALT(3),
131 KRB5-PADATA-ENC-UNIX-TIME(5),
132 KRB5-PADATA-SANDIA-SECUREID(6),
133 KRB5-PADATA-SESAME(7),
134 KRB5-PADATA-OSF-DCE(8),
135 KRB5-PADATA-CYBERSAFE-SECUREID(9),
136 KRB5-PADATA-AFS3-SALT(10),
137 KRB5-PADATA-ETYPE-INFO(11),
138 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
139 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
140 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
141 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
142 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
143 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
144 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
145 KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
146 KRB5-PADATA-ETYPE-INFO2(19),
147 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
148 KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
149 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
150 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
151 KRB5-PADATA-SAM-ETYPE-INFO(23),
152 KRB5-PADATA-SERVER-REFERRAL(25),
153 KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
154 KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
155 KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
156 KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
157 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
158 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
159 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
160 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
161 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
162 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
163 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
164 KRB5-PADATA-FOR-USER(129), -- MS-KILE
165 KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
166 KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
167 KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
168 KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
169 -- tell KDC that is supports
170 -- the asCheckSum in the
171 -- PK-AS-REP
172 KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referals
173 KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
174 KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
175 KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
176 KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
177 KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
178 KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
179 KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
180 KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
181 KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
182 KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
183 KRB5-PADATA-EPAK-AS-REQ(145),
184 KRB5-PADATA-EPAK-AS-REP(146),
185 KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
186 KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
187 KRB5-PADATA-REQ-ENC-PA-REP(149), --
188 KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
189 }
191 AUTHDATA-TYPE ::= INTEGER {
192 KRB5-AUTHDATA-IF-RELEVANT(1),
193 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
194 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
195 KRB5-AUTHDATA-KDC-ISSUED(4),
196 KRB5-AUTHDATA-AND-OR(5),
197 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
198 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
199 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
200 KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
201 KRB5-AUTHDATA-OSF-DCE(64),
202 KRB5-AUTHDATA-SESAME(65),
203 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
204 KRB5-AUTHDATA-WIN2K-PAC(128),
205 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
206 KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
207 KRB5-AUTHDATA-SIGNTICKET-OLD(142),
208 KRB5-AUTHDATA-SIGNTICKET(512)
209 }
211 -- checksumtypes
213 CKSUMTYPE ::= INTEGER {
214 CKSUMTYPE_NONE(0),
215 CKSUMTYPE_CRC32(1),
216 CKSUMTYPE_RSA_MD4(2),
217 CKSUMTYPE_RSA_MD4_DES(3),
218 CKSUMTYPE_DES_MAC(4),
219 CKSUMTYPE_DES_MAC_K(5),
220 CKSUMTYPE_RSA_MD4_DES_K(6),
221 CKSUMTYPE_RSA_MD5(7),
222 CKSUMTYPE_RSA_MD5_DES(8),
223 CKSUMTYPE_RSA_MD5_DES3(9),
224 CKSUMTYPE_SHA1_OTHER(10),
225 CKSUMTYPE_HMAC_SHA1_DES3(12),
226 CKSUMTYPE_SHA1(14),
227 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
228 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
229 CKSUMTYPE_GSSAPI(0x8003),
230 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
231 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
232 }
234 --enctypes
235 ENCTYPE ::= INTEGER {
236 KRB5_ENCTYPE_NULL(0),
237 KRB5_ENCTYPE_DES_CBC_CRC(1),
238 KRB5_ENCTYPE_DES_CBC_MD4(2),
239 KRB5_ENCTYPE_DES_CBC_MD5(3),
240 KRB5_ENCTYPE_DES3_CBC_MD5(5),
241 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
242 KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
243 KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
244 KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
245 KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
246 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
247 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
248 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
249 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
250 KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
251 -- some "old" windows types
252 KRB5_ENCTYPE_ARCFOUR_MD4(-128),
253 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
254 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
255 -- these are for Heimdal internal use
256 KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
257 KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
258 KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
259 KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
260 KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
261 KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
262 }
267 -- this is sugar to make something ASN1 does not have: unsigned
269 krb5uint32 ::= INTEGER (0..4294967295)
270 krb5int32 ::= INTEGER (-2147483648..2147483647)
272 KerberosString ::= GeneralString
274 Realm ::= GeneralString
275 PrincipalName ::= SEQUENCE {
276 name-type[0] NAME-TYPE,
277 name-string[1] SEQUENCE OF GeneralString
278 }
280 -- this is not part of RFC1510
281 Principal ::= SEQUENCE {
282 name[0] PrincipalName,
283 realm[1] Realm
284 -- Note that while it'd be nice to be able to add OPTIONAL
285 -- fields at the end here there are issues regarding
286 -- applications that allocate krb5_principal_data's on the
287 -- stack.
288 }
290 Principals ::= SEQUENCE OF Principal
292 HostAddress ::= SEQUENCE {
293 addr-type[0] krb5int32,
294 address[1] OCTET STRING
295 }
297 -- This is from RFC1510.
298 --
299 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
300 -- addr-type[0] krb5int32,
301 -- address[1] OCTET STRING
302 -- }
304 -- This seems much better.
305 HostAddresses ::= SEQUENCE OF HostAddress
308 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
310 AuthorizationDataElement ::= SEQUENCE {
311 ad-type[0] krb5int32,
312 ad-data[1] OCTET STRING
313 }
315 AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
317 APOptions ::= BIT STRING {
318 reserved(0),
319 use-session-key(1),
320 mutual-required(2)
321 }
323 TicketFlags ::= BIT STRING {
324 reserved(0),
325 forwardable(1),
326 forwarded(2),
327 proxiable(3),
328 proxy(4),
329 may-postdate(5),
330 postdated(6),
331 invalid(7),
332 renewable(8),
333 initial(9),
334 pre-authent(10),
335 hw-authent(11),
336 transited-policy-checked(12),
337 ok-as-delegate(13),
338 anonymous(14),
339 enc-pa-rep(15)
340 }
342 KDCOptions ::= BIT STRING {
343 reserved(0),
344 forwardable(1),
345 forwarded(2),
346 proxiable(3),
347 proxy(4),
348 allow-postdate(5),
349 postdated(6),
350 renewable(8),
351 request-anonymous(14),
352 canonicalize(15),
353 constrained-delegation(16), -- ms extension
354 disable-transited-check(26),
355 renewable-ok(27),
356 enc-tkt-in-skey(28),
357 renew(30),
358 validate(31)
359 }
361 LR-TYPE ::= INTEGER {
362 LR_NONE(0), -- no information
363 LR_INITIAL_TGT(1), -- last initial TGT request
364 LR_INITIAL(2), -- last initial request
365 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
366 LR_RENEWAL(4), -- time of last renewal
367 LR_REQUEST(5), -- time of last request (of any type)
368 LR_PW_EXPTIME(6), -- expiration time of password
369 LR_ACCT_EXPTIME(7) -- expiration time of account
370 }
372 LastReq ::= SEQUENCE OF SEQUENCE {
373 lr-type[0] LR-TYPE,
374 lr-value[1] KerberosTime
375 }
378 EncryptedData ::= SEQUENCE {
379 etype[0] ENCTYPE, -- EncryptionType
380 kvno[1] krb5int32 OPTIONAL,
381 cipher[2] OCTET STRING -- ciphertext
382 }
384 EncryptionKey ::= SEQUENCE {
385 keytype[0] krb5int32,
386 keyvalue[1] OCTET STRING
387 }
389 -- encoded Transited field
390 TransitedEncoding ::= SEQUENCE {
391 tr-type[0] krb5int32, -- must be registered
392 contents[1] OCTET STRING
393 }
395 Ticket ::= [APPLICATION 1] SEQUENCE {
396 tkt-vno[0] krb5int32,
397 realm[1] Realm,
398 sname[2] PrincipalName,
399 enc-part[3] EncryptedData
400 }
401 -- Encrypted part of ticket
402 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
403 flags[0] TicketFlags,
404 key[1] EncryptionKey,
405 crealm[2] Realm,
406 cname[3] PrincipalName,
407 transited[4] TransitedEncoding,
408 authtime[5] KerberosTime,
409 starttime[6] KerberosTime OPTIONAL,
410 endtime[7] KerberosTime,
411 renew-till[8] KerberosTime OPTIONAL,
412 caddr[9] HostAddresses OPTIONAL,
413 authorization-data[10] AuthorizationData OPTIONAL
414 }
416 Checksum ::= SEQUENCE {
417 cksumtype[0] CKSUMTYPE,
418 checksum[1] OCTET STRING
419 }
421 Authenticator ::= [APPLICATION 2] SEQUENCE {
422 authenticator-vno[0] krb5int32,
423 crealm[1] Realm,
424 cname[2] PrincipalName,
425 cksum[3] Checksum OPTIONAL,
426 cusec[4] krb5int32,
427 ctime[5] KerberosTime,
428 subkey[6] EncryptionKey OPTIONAL,
429 seq-number[7] krb5uint32 OPTIONAL,
430 authorization-data[8] AuthorizationData OPTIONAL
431 }
433 PA-DATA ::= SEQUENCE {
434 -- might be encoded AP-REQ
435 padata-type[1] PADATA-TYPE,
436 padata-value[2] OCTET STRING
437 }
439 ETYPE-INFO-ENTRY ::= SEQUENCE {
440 etype[0] ENCTYPE,
441 salt[1] OCTET STRING OPTIONAL,
442 salttype[2] krb5int32 OPTIONAL
443 }
445 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
447 ETYPE-INFO2-ENTRY ::= SEQUENCE {
448 etype[0] ENCTYPE,
449 salt[1] KerberosString OPTIONAL,
450 s2kparams[2] OCTET STRING OPTIONAL
451 }
453 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
455 METHOD-DATA ::= SEQUENCE OF PA-DATA
457 TypedData ::= SEQUENCE {
458 data-type[0] krb5int32,
459 data-value[1] OCTET STRING OPTIONAL
460 }
462 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
464 KDC-REQ-BODY ::= SEQUENCE {
465 kdc-options[0] KDCOptions,
466 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
467 realm[2] Realm, -- Server's realm
468 -- Also client's in AS-REQ
469 sname[3] PrincipalName OPTIONAL,
470 from[4] KerberosTime OPTIONAL,
471 till[5] KerberosTime OPTIONAL,
472 rtime[6] KerberosTime OPTIONAL,
473 nonce[7] krb5int32,
474 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
475 -- in preference order
476 addresses[9] HostAddresses OPTIONAL,
477 enc-authorization-data[10] EncryptedData OPTIONAL,
478 -- Encrypted AuthorizationData encoding
479 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
480 }
482 KDC-REQ ::= SEQUENCE {
483 pvno[1] krb5int32,
484 msg-type[2] MESSAGE-TYPE,
485 padata[3] METHOD-DATA OPTIONAL,
486 req-body[4] KDC-REQ-BODY
487 }
489 AS-REQ ::= [APPLICATION 10] KDC-REQ
490 TGS-REQ ::= [APPLICATION 12] KDC-REQ
492 -- padata-type ::= PA-ENC-TIMESTAMP
493 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
495 PA-ENC-TS-ENC ::= SEQUENCE {
496 patimestamp[0] KerberosTime, -- client's time
497 pausec[1] krb5int32 OPTIONAL
498 }
500 -- draft-brezak-win2k-krb-authz-01
501 PA-PAC-REQUEST ::= SEQUENCE {
502 include-pac[0] BOOLEAN -- Indicates whether a PAC
503 -- should be included or not
504 }
506 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
507 PROV-SRV-LOCATION ::= GeneralString
509 KDC-REP ::= SEQUENCE {
510 pvno[0] krb5int32,
511 msg-type[1] MESSAGE-TYPE,
512 padata[2] METHOD-DATA OPTIONAL,
513 crealm[3] Realm,
514 cname[4] PrincipalName,
515 ticket[5] Ticket,
516 enc-part[6] EncryptedData
517 }
519 AS-REP ::= [APPLICATION 11] KDC-REP
520 TGS-REP ::= [APPLICATION 13] KDC-REP
522 EncKDCRepPart ::= SEQUENCE {
523 key[0] EncryptionKey,
524 last-req[1] LastReq,
525 nonce[2] krb5int32,
526 key-expiration[3] KerberosTime OPTIONAL,
527 flags[4] TicketFlags,
528 authtime[5] KerberosTime,
529 starttime[6] KerberosTime OPTIONAL,
530 endtime[7] KerberosTime,
531 renew-till[8] KerberosTime OPTIONAL,
532 srealm[9] Realm,
533 sname[10] PrincipalName,
534 caddr[11] HostAddresses OPTIONAL,
535 encrypted-pa-data[12] METHOD-DATA OPTIONAL
536 }
538 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
539 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
541 AP-REQ ::= [APPLICATION 14] SEQUENCE {
542 pvno[0] krb5int32,
543 msg-type[1] MESSAGE-TYPE,
544 ap-options[2] APOptions,
545 ticket[3] Ticket,
546 authenticator[4] EncryptedData
547 }
549 AP-REP ::= [APPLICATION 15] SEQUENCE {
550 pvno[0] krb5int32,
551 msg-type[1] MESSAGE-TYPE,
552 enc-part[2] EncryptedData
553 }
555 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
556 ctime[0] KerberosTime,
557 cusec[1] krb5int32,
558 subkey[2] EncryptionKey OPTIONAL,
559 seq-number[3] krb5uint32 OPTIONAL
560 }
562 KRB-SAFE-BODY ::= SEQUENCE {
563 user-data[0] OCTET STRING,
564 timestamp[1] KerberosTime OPTIONAL,
565 usec[2] krb5int32 OPTIONAL,
566 seq-number[3] krb5uint32 OPTIONAL,
567 s-address[4] HostAddress OPTIONAL,
568 r-address[5] HostAddress OPTIONAL
569 }
571 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
572 pvno[0] krb5int32,
573 msg-type[1] MESSAGE-TYPE,
574 safe-body[2] KRB-SAFE-BODY,
575 cksum[3] Checksum
576 }
578 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
579 pvno[0] krb5int32,
580 msg-type[1] MESSAGE-TYPE,
581 enc-part[3] EncryptedData
582 }
583 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
584 user-data[0] OCTET STRING,
585 timestamp[1] KerberosTime OPTIONAL,
586 usec[2] krb5int32 OPTIONAL,
587 seq-number[3] krb5uint32 OPTIONAL,
588 s-address[4] HostAddress OPTIONAL, -- sender's addr
589 r-address[5] HostAddress OPTIONAL -- recip's addr
590 }
592 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
593 pvno[0] krb5int32,
594 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
595 tickets[2] SEQUENCE OF Ticket,
596 enc-part[3] EncryptedData
597 }
599 KrbCredInfo ::= SEQUENCE {
600 key[0] EncryptionKey,
601 prealm[1] Realm OPTIONAL,
602 pname[2] PrincipalName OPTIONAL,
603 flags[3] TicketFlags OPTIONAL,
604 authtime[4] KerberosTime OPTIONAL,
605 starttime[5] KerberosTime OPTIONAL,
606 endtime[6] KerberosTime OPTIONAL,
607 renew-till[7] KerberosTime OPTIONAL,
608 srealm[8] Realm OPTIONAL,
609 sname[9] PrincipalName OPTIONAL,
610 caddr[10] HostAddresses OPTIONAL
611 }
613 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
614 ticket-info[0] SEQUENCE OF KrbCredInfo,
615 nonce[1] krb5int32 OPTIONAL,
616 timestamp[2] KerberosTime OPTIONAL,
617 usec[3] krb5int32 OPTIONAL,
618 s-address[4] HostAddress OPTIONAL,
619 r-address[5] HostAddress OPTIONAL
620 }
622 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
623 pvno[0] krb5int32,
624 msg-type[1] MESSAGE-TYPE,
625 ctime[2] KerberosTime OPTIONAL,
626 cusec[3] krb5int32 OPTIONAL,
627 stime[4] KerberosTime,
628 susec[5] krb5int32,
629 error-code[6] krb5int32,
630 crealm[7] Realm OPTIONAL,
631 cname[8] PrincipalName OPTIONAL,
632 realm[9] Realm, -- Correct realm
633 sname[10] PrincipalName, -- Correct name
634 e-text[11] GeneralString OPTIONAL,
635 e-data[12] OCTET STRING OPTIONAL
636 }
638 ChangePasswdDataMS ::= SEQUENCE {
639 newpasswd[0] OCTET STRING,
640 targname[1] PrincipalName OPTIONAL,
641 targrealm[2] Realm OPTIONAL
642 }
644 EtypeList ::= SEQUENCE OF ENCTYPE
645 -- the client's proposed enctype list in
646 -- decreasing preference order, favorite choice first
648 krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
650 -- transited encodings
652 DOMAIN-X500-COMPRESS krb5int32 ::= 1
654 -- authorization data primitives
656 AD-IF-RELEVANT ::= AuthorizationData
658 AD-KDCIssued ::= SEQUENCE {
659 ad-checksum[0] Checksum,
660 i-realm[1] Realm OPTIONAL,
661 i-sname[2] PrincipalName OPTIONAL,
662 elements[3] AuthorizationData
663 }
665 AD-AND-OR ::= SEQUENCE {
666 condition-count[0] INTEGER,
667 elements[1] AuthorizationData
668 }
670 AD-MANDATORY-FOR-KDC ::= AuthorizationData
672 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
674 PA-SAM-TYPE ::= INTEGER {
675 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
676 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
677 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
678 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
679 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
680 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
681 }
683 PA-SAM-REDIRECT ::= HostAddresses
685 SAMFlags ::= BIT STRING {
686 use-sad-as-key(0),
687 send-encrypted-sad(1),
688 must-pk-encrypt-sad(2)
689 }
691 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
692 sam-type[0] krb5int32,
693 sam-flags[1] SAMFlags,
694 sam-type-name[2] GeneralString OPTIONAL,
695 sam-track-id[3] GeneralString OPTIONAL,
696 sam-challenge-label[4] GeneralString OPTIONAL,
697 sam-challenge[5] GeneralString OPTIONAL,
698 sam-response-prompt[6] GeneralString OPTIONAL,
699 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
700 sam-nonce[8] krb5int32,
701 sam-etype[9] krb5int32,
702 ...
703 }
705 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
706 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
707 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
708 ...
709 }
711 PA-SAM-RESPONSE-2 ::= SEQUENCE {
712 sam-type[0] krb5int32,
713 sam-flags[1] SAMFlags,
714 sam-track-id[2] GeneralString OPTIONAL,
715 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
716 sam-nonce[4] krb5int32,
717 ...
718 }
720 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
721 sam-nonce[0] krb5int32,
722 sam-sad[1] GeneralString OPTIONAL,
723 ...
724 }
726 PA-S4U2Self ::= SEQUENCE {
727 name[0] PrincipalName,
728 realm[1] Realm,
729 cksum[2] Checksum,
730 auth[3] GeneralString
731 }
733 -- never encoded on the wire, just used to checksum over
734 KRB5SignedPathData ::= SEQUENCE {
735 client[0] Principal OPTIONAL,
736 authtime[1] KerberosTime,
737 delegated[2] Principals OPTIONAL,
738 method_data[3] METHOD-DATA OPTIONAL
739 }
741 KRB5SignedPath ::= SEQUENCE {
742 -- DERcoded KRB5SignedPathData
743 -- krbtgt key (etype), KeyUsage = XXX
744 etype[0] ENCTYPE,
745 cksum[1] Checksum,
746 -- srvs delegated though
747 delegated[2] Principals OPTIONAL,
748 method_data[3] METHOD-DATA OPTIONAL
749 }
751 PA-ClientCanonicalizedNames ::= SEQUENCE{
752 requested-name [0] PrincipalName,
753 mapped-name [1] PrincipalName
754 }
756 PA-ClientCanonicalized ::= SEQUENCE {
757 names [0] PA-ClientCanonicalizedNames,
758 canon-checksum [1] Checksum
759 }
761 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
762 login-alias [0] PrincipalName,
763 checksum [1] Checksum
764 }
766 -- old ms referral
767 PA-SvrReferralData ::= SEQUENCE {
768 referred-name [1] PrincipalName OPTIONAL,
769 referred-realm [0] Realm
770 }
772 PA-SERVER-REFERRAL-DATA ::= EncryptedData
774 PA-ServerReferralData ::= SEQUENCE {
775 referred-realm [0] Realm OPTIONAL,
776 true-principal-name [1] PrincipalName OPTIONAL,
777 requested-principal-name [2] PrincipalName OPTIONAL,
778 referral-valid-until [3] KerberosTime OPTIONAL,
779 ...
780 }
782 FastOptions ::= BIT STRING {
783 reserved(0),
784 hide-client-names(1),
785 kdc-follow-referrals(16)
786 }
788 KrbFastReq ::= SEQUENCE {
789 fast-options [0] FastOptions,
790 padata [1] METHOD-DATA,
791 req-body [2] KDC-REQ-BODY,
792 ...
793 }
795 KrbFastArmor ::= SEQUENCE {
796 armor-type [0] krb5int32,
797 armor-value [1] OCTET STRING,
798 ...
799 }
801 KrbFastArmoredReq ::= SEQUENCE {
802 armor [0] KrbFastArmor OPTIONAL,
803 req-checksum [1] Checksum,
804 enc-fast-req [2] EncryptedData -- KrbFastReq --
805 }
807 PA-FX-FAST-REQUEST ::= CHOICE {
808 armored-data [0] KrbFastArmoredReq,
809 ...
810 }
812 KrbFastFinished ::= SEQUENCE {
813 timestamp [0] KerberosTime,
814 usec [1] krb5int32,
815 crealm [2] Realm,
816 cname [3] PrincipalName,
817 ticket-checksum [4] Checksum,
818 ...
819 }
821 KrbFastResponse ::= SEQUENCE {
822 padata [0] METHOD-DATA,
823 strengthen-key [1] EncryptionKey OPTIONAL,
824 finished [2] KrbFastFinished OPTIONAL,
825 nonce [3] krb5uint32,
826 ...
827 }
829 KrbFastArmoredRep ::= SEQUENCE {
830 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
831 ...
832 }
834 PA-FX-FAST-REPLY ::= CHOICE {
835 armored-data [0] KrbFastArmoredRep,
836 ...
837 }
839 KDCFastFlags ::= BIT STRING {
840 use_reply_key(0),
841 reply_key_used(1),
842 reply_key_replaced(2),
843 kdc_verfied(3)
844 }
846 -- KDCFastState is stored in FX_COOKIE
847 KDCFastState ::= SEQUENCE {
848 flags [0] KDCFastFlags,
849 expiration [1] GeneralizedTime,
850 fast-state [2] METHOD-DATA,
851 expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
852 }
854 KDCFastCookie ::= SEQUENCE {
855 version [0] UTF8String,
856 cookie [1] EncryptedData
857 }
859 KDC-PROXY-MESSAGE ::= SEQUENCE {
860 kerb-message [0] OCTET STRING,
861 target-domain [1] Realm OPTIONAL,
862 dclocator-hint [2] INTEGER OPTIONAL
863 }
865 -- these messages are used in the GSSCred communication and is not part of Kerberos propper
867 KERB-TIMES ::= SEQUENCE {
868 authtime [0] KerberosTime,
869 starttime [1] KerberosTime,
870 endtime [2] KerberosTime,
871 renew_till [3] KerberosTime
872 }
874 KERB-CRED ::= SEQUENCE {
875 client [0] Principal,
876 server [1] Principal,
877 keyblock [2] EncryptionKey,
878 times [3] KERB-TIMES,
879 ticket [4] OCTET STRING,
880 authdata [5] OCTET STRING,
881 addresses [6] HostAddresses,
882 flags [7] TicketFlags
883 }
885 KERB-TGS-REQ-IN ::= SEQUENCE {
886 cache [0] OCTET STRING SIZE (16),
887 addrs [1] HostAddresses,
888 flags [2] krb5uint32,
889 imp [3] Principal OPTIONAL,
890 ticket [4] OCTET STRING OPTIONAL,
891 in_cred [5] KERB-CRED,
892 krbtgt [6] KERB-CRED,
893 padata [7] METHOD-DATA
894 }
896 KERB-TGS-REQ-OUT ::= SEQUENCE {
897 subkey [0] EncryptionKey OPTIONAL,
898 t [1] TGS-REQ
899 }
903 KERB-TGS-REP-IN ::= SEQUENCE {
904 cache [0] OCTET STRING SIZE (16),
905 subkey [1] EncryptionKey OPTIONAL,
906 in_cred [2] KERB-CRED,
907 t [3] TGS-REP
908 }
910 KERB-TGS-REP-OUT ::= SEQUENCE {
911 cache [0] OCTET STRING SIZE (16),
912 cred [1] KERB-CRED,
913 subkey [2] EncryptionKey
914 }
917 END
919 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1