| blob | bf279a4b261c5bd3781ce440da2e050f0bd511b2 |
1 -- $Id$
3 KERBEROS5 DEFINITIONS ::=
4 BEGIN
5 EXPORTS
6 AD-AND-OR,
7 AD-IF-RELEVANT,
8 AD-KDCIssued,
9 AD-LoginAlias,
10 AP-REP,
11 AP-REQ,
12 AS-REP,
13 AS-REQ,
14 AUTHDATA-TYPE,
15 Authenticator,
16 AuthorizationData,
17 AuthorizationDataElement,
18 CKSUMTYPE,
19 ChangePasswdDataMS,
20 Checksum,
21 CompositePrincipal,
22 ENCTYPE,
23 ETYPE-INFO,
24 ETYPE-INFO-ENTRY,
25 ETYPE-INFO2,
26 ETYPE-INFO2-ENTRY,
27 EncAPRepPart,
28 EncASRepPart,
29 EncKDCRepPart,
30 EncKrbCredPart,
31 EncKrbPrivPart,
32 EncTGSRepPart,
33 EncTicketPart,
34 EncryptedData,
35 EncryptionKey,
36 EtypeList,
37 HostAddress,
38 HostAddresses,
39 KDC-REQ-BODY,
40 KDCOptions,
41 KDC-REP,
42 KRB-CRED,
43 KRB-ERROR,
44 KRB-PRIV,
45 KRB-SAFE,
46 KRB-SAFE-BODY,
47 KerberosString,
48 KerberosTime,
49 KrbCredInfo,
50 LR-TYPE,
51 LastReq,
52 METHOD-DATA,
53 NAME-TYPE,
54 PA-ClientCanonicalized,
55 PA-ClientCanonicalizedNames,
56 PA-DATA,
57 PA-ENC-TS-ENC,
58 PA-KERB-KEY-LIST-REP,
59 PA-KERB-KEY-LIST-REQ,
60 PA-PAC-OPTIONS,
61 PA-PAC-REQUEST,
62 PA-S4U2Self,
63 PA-S4U-X509-USER,
64 PA-SERVER-REFERRAL-DATA,
65 PA-ServerReferralData,
66 PA-SvrReferralData,
67 PADATA-TYPE,
68 PA-FX-FAST-REQUEST,
69 PA-FX-FAST-REPLY,
70 Principal,
71 PrincipalName,
72 Principals,
73 Realm,
74 TGS-REP,
75 TGS-REQ,
76 Ticket,
77 TicketFlags,
78 TransitedEncoding,
79 TypedData,
80 KrbFastResponse,
81 KrbFastFinished,
82 KrbFastReq,
83 KrbFastArmor,
84 KrbFastArmoredReq,
85 KDCFastState,
86 KDCFastCookie,
87 KDC-PROXY-MESSAGE,
88 KERB-AD-RESTRICTION-ENTRY,
89 KERB-TIMES,
90 KERB-CRED,
91 KERB-TGS-REQ-IN,
92 KERB-TGS-REQ-OUT,
93 KERB-ARMOR-SERVICE-REPLY,
94 KERB-ERROR-DATA
95 ;
97 NAME-TYPE ::= INTEGER {
98 KRB5_NT_UNKNOWN(0), -- Name type not known
99 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
100 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
101 KRB5_NT_SRV_HST(3), -- Service with host name as instance
102 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
103 KRB5_NT_UID(5), -- Unique ID
104 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
105 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
106 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
107 KRB5_NT_WELLKNOWN(11), -- Wellknown
108 KRB5_NT_SRV_HST_DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
109 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
110 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
111 KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
112 KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
113 KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
114 KRB5_NT_GSS_HOSTBASED_SERVICE(-1202), -- not used; remove
115 KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
116 KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- Internal: indicates that name canonicalization is needed
117 }
119 -- message types
121 MESSAGE-TYPE ::= INTEGER {
122 krb-as-req(10), -- Request for initial authentication
123 krb-as-rep(11), -- Response to KRB_AS_REQ request
124 krb-tgs-req(12), -- Request for authentication based on TGT
125 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
126 krb-ap-req(14), -- application request to server
127 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
128 krb-safe(20), -- Safe (checksummed) application message
129 krb-priv(21), -- Private (encrypted) application message
130 krb-cred(22), -- Private (encrypted) message to forward credentials
131 krb-error(30) -- Error response
132 }
135 -- pa-data types
137 PADATA-TYPE ::= INTEGER {
138 KRB5-PADATA-NONE(0),
139 KRB5-PADATA-TGS-REQ(1),
140 KRB5-PADATA-AP-REQ(1),
141 KRB5-PADATA-ENC-TIMESTAMP(2),
142 KRB5-PADATA-PW-SALT(3),
143 KRB5-PADATA-ENC-UNIX-TIME(5),
144 KRB5-PADATA-SANDIA-SECUREID(6),
145 KRB5-PADATA-SESAME(7),
146 KRB5-PADATA-OSF-DCE(8),
147 KRB5-PADATA-CYBERSAFE-SECUREID(9),
148 KRB5-PADATA-AFS3-SALT(10),
149 KRB5-PADATA-ETYPE-INFO(11),
150 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
151 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
152 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
153 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
154 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
155 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
156 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
157 KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
158 KRB5-PADATA-ETYPE-INFO2(19),
159 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
160 KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
161 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
162 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
163 KRB5-PADATA-SAM-ETYPE-INFO(23),
164 KRB5-PADATA-SERVER-REFERRAL(25),
165 KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
166 KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
167 KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
168 KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
169 KRB5-PADATA-FX-FAST-ARMOR(71), -- fast armor
170 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
171 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
172 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
173 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
174 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
175 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
176 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
177 KRB5-PADATA-FOR-USER(129), -- MS-KILE
178 KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
179 KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
180 KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
181 KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
182 -- tell KDC that is supports
183 -- the asCheckSum in the
184 -- PK-AS-REP
185 KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
186 KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
187 KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
188 KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
189 KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
190 KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
191 KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
192 KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
193 KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
194 KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
195 KRB5-PADATA-EPAK-AS-REQ(145),
196 KRB5-PADATA-EPAK-AS-REP(146),
197 KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
198 KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
199 KRB5-PADATA-REQ-ENC-PA-REP(149), --
200 KRB5-PADATA-AS-FRESHNESS(150), -- RFC 8070
201 KER5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE
202 KER5-PADATA-KERB-PAKEY-LIST-REP(162), -- MS-KILE
203 KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
204 KRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE
205 KRB5-PADATA-GSS(655) -- krb-wg-gss-preauth
207 }
209 AUTHDATA-TYPE ::= INTEGER {
210 KRB5-AUTHDATA-IF-RELEVANT(1),
211 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
212 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
213 KRB5-AUTHDATA-KDC-ISSUED(4),
214 KRB5-AUTHDATA-AND-OR(5),
215 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
216 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
217 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
218 KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
219 KRB5-AUTHDATA-OSF-DCE(64),
220 KRB5-AUTHDATA-SESAME(65),
221 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
222 KRB5-AUTHDATA-AUTHENTICATION-STRENGTH(70),
223 KRB5-AUTHDATA-FX-FAST-ARMOR(71),
224 KRB5-AUTHDATA-FX-FAST-USED(72),
225 KRB5-AUTHDATA-WIN2K-PAC(128),
226 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
227 KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
228 KRB5-AUTHDATA-SIGNTICKET-OLD(142),
229 KRB5-AUTHDATA-SIGNTICKET(512),
230 KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised
231 KRB5-AUTHDATA-KERB-LOCAL(141), -- MS-KILE
232 KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142), -- MS-KILE
233 KRB5-AUTHDATA-AP-OPTIONS(143), -- MS-KILE
234 KRB5-AUTHDATA-TARGET-PRINCIPAL(144), -- MS-KILE
235 -- N.B. these assignments have not been confirmed yet.
236 --
237 -- DO NOT USE in production yet!
238 KRB5-AUTHDATA-ON-BEHALF-OF(580), -- UTF8String princ name
239 KRB5-AUTHDATA-BEARER-TOKEN-JWT(581), -- JWT token
240 KRB5-AUTHDATA-BEARER-TOKEN-SAML(582), -- SAML token
241 KRB5-AUTHDATA-BEARER-TOKEN-OIDC(583), -- OIDC token
242 KRB5-AUTHDATA-CSR-AUTHORIZED(584), -- Proxy has authorized client
243 -- to requested exts in CSR
244 KRB5-AUTHDATA-GSS-COMPOSITE-NAME(655) -- gss_export_name_composite
245 }
247 -- checksumtypes
249 CKSUMTYPE ::= INTEGER {
250 CKSUMTYPE_NONE(0),
251 CKSUMTYPE_CRC32(1),
252 CKSUMTYPE_RSA_MD4(2),
253 CKSUMTYPE_RSA_MD4_DES(3),
254 CKSUMTYPE_DES_MAC(4),
255 CKSUMTYPE_DES_MAC_K(5),
256 CKSUMTYPE_RSA_MD4_DES_K(6),
257 CKSUMTYPE_RSA_MD5(7),
258 CKSUMTYPE_RSA_MD5_DES(8),
259 CKSUMTYPE_RSA_MD5_DES3(9),
260 CKSUMTYPE_SHA1_OTHER(10),
261 CKSUMTYPE_HMAC_SHA1_DES3(12),
262 CKSUMTYPE_SHA1(14),
263 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
264 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
265 CKSUMTYPE_HMAC_SHA256_128_AES128(19),
266 CKSUMTYPE_HMAC_SHA384_192_AES256(20),
267 CKSUMTYPE_GSSAPI(0x8003),
268 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
269 CKSUMTYPE_HMAC_MD5_ENC(-1138), -- even more unofficial
270 CKSUMTYPE_SHA256(-21),
271 CKSUMTYPE_SHA384(-22),
272 CKSUMTYPE_SHA512(-23)
273 }
275 --enctypes
276 ENCTYPE ::= INTEGER {
277 KRB5_ENCTYPE_NULL(0),
278 KRB5_ENCTYPE_DES_CBC_CRC(1),
279 KRB5_ENCTYPE_DES_CBC_MD4(2),
280 KRB5_ENCTYPE_DES_CBC_MD5(3),
281 KRB5_ENCTYPE_DES3_CBC_MD5(5),
282 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
283 KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
284 KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
285 KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
286 KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
287 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
288 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
289 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128(19),
290 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192(20),
291 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
292 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
293 KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
294 -- some "old" windows types
295 KRB5_ENCTYPE_ARCFOUR_MD4(-128),
296 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
297 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
298 -- these are for Heimdal internal use
299 KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
300 KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
301 KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
302 KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
303 KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
304 KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
305 }
310 -- this is sugar to make something ASN1 does not have: unsigned
312 Krb5UInt32 ::= INTEGER (0..4294967295)
313 Krb5Int32 ::= INTEGER (-2147483648..2147483647)
315 KerberosString ::= GeneralString
317 Realm ::= GeneralString
318 PrincipalName ::= SEQUENCE {
319 name-type[0] NAME-TYPE,
320 name-string[1] SEQUENCE OF GeneralString
321 }
323 HostAddress ::= SEQUENCE {
324 addr-type[0] Krb5Int32,
325 address[1] OCTET STRING
326 }
328 -- This is from RFC1510.
329 --
330 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
331 -- addr-type[0] Krb5Int32,
332 -- address[1] OCTET STRING
333 -- }
335 -- This seems much better.
336 HostAddresses ::= SEQUENCE OF HostAddress
339 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
341 AuthorizationDataElement ::= SEQUENCE {
342 ad-type[0] Krb5Int32,
343 ad-data[1] OCTET STRING
344 }
346 AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
348 APOptions ::= BIT STRING {
349 reserved(0),
350 use-session-key(1),
351 mutual-required(2)
352 }
354 TicketFlags ::= BIT STRING {
355 reserved(0),
356 forwardable(1),
357 forwarded(2),
358 proxiable(3),
359 proxy(4),
360 may-postdate(5),
361 postdated(6),
362 invalid(7),
363 renewable(8),
364 initial(9),
365 pre-authent(10),
366 hw-authent(11),
367 transited-policy-checked(12),
368 ok-as-delegate(13),
369 enc-pa-rep(15),
370 anonymous(16)
371 }
373 KDCOptions ::= BIT STRING {
374 reserved(0),
375 forwardable(1),
376 forwarded(2),
377 proxiable(3),
378 proxy(4),
379 allow-postdate(5),
380 postdated(6),
381 renewable(8),
382 cname-in-addl-tkt(14), -- ms extension
383 canonicalize(15),
384 request-anonymous(16),
385 disable-transited-check(26),
386 renewable-ok(27),
387 enc-tkt-in-skey(28),
388 renew(30),
389 validate(31)
390 }
392 LR-TYPE ::= INTEGER {
393 LR_NONE(0), -- no information
394 LR_INITIAL_TGT(1), -- last initial TGT request
395 LR_INITIAL(2), -- last initial request
396 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
397 LR_RENEWAL(4), -- time of last renewal
398 LR_REQUEST(5), -- time of last request (of any type)
399 LR_PW_EXPTIME(6), -- expiration time of password
400 LR_ACCT_EXPTIME(7) -- expiration time of account
401 }
403 LastReq ::= SEQUENCE OF SEQUENCE {
404 lr-type[0] LR-TYPE,
405 lr-value[1] KerberosTime
406 }
409 EncryptedData ::= SEQUENCE {
410 etype[0] ENCTYPE, -- EncryptionType
411 kvno[1] Krb5Int32 OPTIONAL,
412 cipher[2] OCTET STRING -- ciphertext
413 }
415 EncryptionKey ::= SEQUENCE {
416 keytype[0] Krb5Int32,
417 keyvalue[1] OCTET STRING
418 }
420 -- encoded Transited field
421 TransitedEncoding ::= SEQUENCE {
422 tr-type[0] Krb5Int32, -- must be registered
423 contents[1] OCTET STRING
424 }
426 Ticket ::= [APPLICATION 1] SEQUENCE {
427 tkt-vno[0] Krb5Int32,
428 realm[1] Realm,
429 sname[2] PrincipalName,
430 enc-part[3] EncryptedData
431 }
432 -- Encrypted part of ticket
433 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
434 flags[0] TicketFlags,
435 key[1] EncryptionKey,
436 crealm[2] Realm,
437 cname[3] PrincipalName,
438 transited[4] TransitedEncoding,
439 authtime[5] KerberosTime,
440 starttime[6] KerberosTime OPTIONAL,
441 endtime[7] KerberosTime,
442 renew-till[8] KerberosTime OPTIONAL,
443 caddr[9] HostAddresses OPTIONAL,
444 authorization-data[10] AuthorizationData OPTIONAL
445 }
447 Checksum ::= SEQUENCE {
448 cksumtype[0] CKSUMTYPE,
449 checksum[1] OCTET STRING
450 }
452 -- For GSS name attributes [RFC6680] we'll decorate Principal (which is not an
453 -- RFC4120 type, but which we use a) in HDB, b) in the API as that which
454 -- krb5_principal points to) with PrincipalNameAttrs.
455 --
456 -- Attributes have three possible sources in Heimdal Kerberos at this time:
457 --
458 -- - the EncKDCRepPart (for the client's attributes on the client side)
459 -- - the EncTicketPart (for the client's attributes on the server side)
460 -- - the Authenticator's AuthorizationData (if any; server-side)
461 --
462 -- In principle there can be more:
463 --
464 -- - locally-set (asserted) attributes
465 -- - locally-looked-up attributes (e.g., in LDAP)
466 -- - locally-transformed attributes (e.g., local groups, filtered SIDs from a
467 -- PAC, etc.)
468 --
469 -- We could also cache "cooked" attributes as reported by the RFC6680 API given
470 -- the sources we have.
471 --
472 -- For now we'll only support authenticated attributes where those come from
473 -- the KDC, and attributes asserted in Authenticator authz-data.
474 PrincipalNameAttrSrc ::= CHOICE {
475 enc-kdc-rep-part [0] EncKDCRepPart, -- minus session key
476 enc-ticket-part [1] EncTicketPart -- minus session key
477 }
478 PrincipalNameAttrs ::= SEQUENCE {
479 -- True if this name was authenticated via an AP-REQ or a KDC-REP
480 authenticated [0] BOOLEAN,
481 -- These are compiled from the Ticket, KDC-REP, and/or Authenticator
482 source [1] PrincipalNameAttrSrc OPTIONAL,
483 authenticator-ad [2] AuthorizationData OPTIONAL,
484 -- For the server on the client side we should keep track of the
485 -- transit path taken to reach it (if absent -> unknown).
486 --
487 -- We don't learn much more about the server from the KDC.
488 peer-realm [3] Realm OPTIONAL,
489 transited [4] TransitedEncoding OPTIONAL,
490 -- True if the PAC was verified
491 pac-verified [5] BOOLEAN,
492 -- True if any AD-KDC-ISSUEDs in the Ticket were validated
493 kdc-issued-verified [6] BOOLEAN,
494 -- TODO: Add requested attributes, for gss_set_name_attribute(), which
495 -- should cause corresponding authz-data elements to be added to
496 -- any TGS-REQ or to the AP-REQ's Authenticator as appropriate.
497 want-ad [7] AuthorizationData OPTIONAL
498 }
499 -- This is our type for exported composite name tokens for GSS [RFC6680].
500 -- It's the same as Principal (below) as decorated with (see krb5.opt file and
501 -- asn1_compile usage), except it's not decorated, so the name attributes are
502 -- encoded/decoded.
503 CompositePrincipal ::= [APPLICATION 48] SEQUENCE {
504 name[0] PrincipalName,
505 realm[1] Realm,
506 nameattrs[2] PrincipalNameAttrs OPTIONAL
507 }
509 -- This is not part of RFC1510/RFC4120. We use this internally as our
510 -- krb5_principal (which is a typedef of *Principal), and in HDB entries.
511 Principal ::= SEQUENCE {
512 name[0] PrincipalName,
513 realm[1] Realm
514 -- This will be decorated with an optional nameattrs field of
515 -- PrincipalNameAttrs type that doesn't get encoded. Same as
516 -- CompositePrincipal above, except that CompositePrincipal's
517 -- nameattrs field does get encoded, while Principal's does not:
518 --
519 -- nameattrs[2] PrincipalNameAttrs OPTIONAL
520 }
522 Principals ::= SEQUENCE OF Principal
524 Authenticator ::= [APPLICATION 2] SEQUENCE {
525 authenticator-vno[0] Krb5Int32,
526 crealm[1] Realm,
527 cname[2] PrincipalName,
528 cksum[3] Checksum OPTIONAL,
529 cusec[4] Krb5Int32,
530 ctime[5] KerberosTime,
531 subkey[6] EncryptionKey OPTIONAL,
532 seq-number[7] Krb5UInt32 OPTIONAL,
533 authorization-data[8] AuthorizationData OPTIONAL
534 }
536 PA-DATA ::= SEQUENCE {
537 -- might be encoded AP-REQ
538 padata-type[1] PADATA-TYPE,
539 padata-value[2] OCTET STRING
540 }
542 ETYPE-INFO-ENTRY ::= SEQUENCE {
543 etype[0] ENCTYPE,
544 salt[1] OCTET STRING OPTIONAL,
545 salttype[2] Krb5Int32 OPTIONAL
546 }
548 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
550 ETYPE-INFO2-ENTRY ::= SEQUENCE {
551 etype[0] ENCTYPE,
552 salt[1] KerberosString OPTIONAL,
553 s2kparams[2] OCTET STRING OPTIONAL
554 }
556 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
558 METHOD-DATA ::= SEQUENCE OF PA-DATA
560 TypedData ::= SEQUENCE {
561 data-type[0] Krb5Int32,
562 data-value[1] OCTET STRING OPTIONAL
563 }
565 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
567 KDC-REQ-BODY ::= SEQUENCE {
568 kdc-options[0] KDCOptions,
569 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
570 realm[2] Realm, -- Server's realm
571 -- Also client's in AS-REQ
572 sname[3] PrincipalName OPTIONAL,
573 from[4] KerberosTime OPTIONAL,
574 till[5] KerberosTime OPTIONAL,
575 rtime[6] KerberosTime OPTIONAL,
576 nonce[7] Krb5Int32,
577 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
578 -- in preference order
579 addresses[9] HostAddresses OPTIONAL,
580 enc-authorization-data[10] EncryptedData OPTIONAL,
581 -- Encrypted AuthorizationData encoding
582 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
583 }
585 KDC-REQ ::= SEQUENCE {
586 pvno[1] Krb5Int32,
587 msg-type[2] MESSAGE-TYPE,
588 padata[3] METHOD-DATA OPTIONAL,
589 req-body[4] KDC-REQ-BODY
590 }
592 AS-REQ ::= [APPLICATION 10] KDC-REQ
593 TGS-REQ ::= [APPLICATION 12] KDC-REQ
595 -- padata-type ::= PA-ENC-TIMESTAMP
596 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
598 PA-ENC-TS-ENC ::= SEQUENCE {
599 patimestamp[0] KerberosTime, -- client's time
600 pausec[1] Krb5Int32 OPTIONAL
601 }
603 -- draft-brezak-win2k-krb-authz-01
604 PA-PAC-REQUEST ::= SEQUENCE {
605 include-pac[0] BOOLEAN -- Indicates whether a PAC
606 -- should be included or not
607 }
609 -- MS-KILE
611 KERB-ERROR-DATA ::= SEQUENCE {
612 data-type [1] KerbErrorDataType,
613 data-value [2] OCTET STRING OPTIONAL
614 }
616 KerbErrorDataType ::= INTEGER {
617 kERB-AP-ERR-TYPE-SKEW-RECOVERY(2),
618 kERB-ERR-TYPE-EXTENDED(3)
619 }
621 -- MS-KILE/MS-SFU
622 PAC-OPTIONS-FLAGS ::= BIT STRING {
623 claims(0),
624 branch-aware(1),
625 forward-to-full-dc(2),
626 resource-based-constrained-delegation(3)
627 }
629 -- MS-KILE
630 PA-PAC-OPTIONS ::= SEQUENCE {
631 flags [0] PAC-OPTIONS-FLAGS
632 }
634 -- MS-KILE
635 -- captures show that [UNIVERSAL 16] is required to parse it
636 KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
637 restriction-type [0] Krb5Int32,
638 restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
639 }
641 -- MS-KILE Section 2.2.11
642 PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE
644 -- MS-KILE Section 2.2.12
646 PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,
648 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
649 PROV-SRV-LOCATION ::= GeneralString
651 KDC-REP ::= SEQUENCE {
652 pvno[0] Krb5Int32,
653 msg-type[1] MESSAGE-TYPE,
654 padata[2] METHOD-DATA OPTIONAL,
655 crealm[3] Realm,
656 cname[4] PrincipalName,
657 ticket[5] Ticket,
658 enc-part[6] EncryptedData
659 }
661 AS-REP ::= [APPLICATION 11] KDC-REP
662 TGS-REP ::= [APPLICATION 13] KDC-REP
664 EncKDCRepPart ::= SEQUENCE {
665 key[0] EncryptionKey,
666 last-req[1] LastReq,
667 nonce[2] Krb5Int32,
668 key-expiration[3] KerberosTime OPTIONAL,
669 flags[4] TicketFlags,
670 authtime[5] KerberosTime,
671 starttime[6] KerberosTime OPTIONAL,
672 endtime[7] KerberosTime,
673 renew-till[8] KerberosTime OPTIONAL,
674 srealm[9] Realm,
675 sname[10] PrincipalName,
676 caddr[11] HostAddresses OPTIONAL,
677 encrypted-pa-data[12] METHOD-DATA OPTIONAL
678 }
680 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
681 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
683 AP-REQ ::= [APPLICATION 14] SEQUENCE {
684 pvno[0] Krb5Int32,
685 msg-type[1] MESSAGE-TYPE,
686 ap-options[2] APOptions,
687 ticket[3] Ticket,
688 authenticator[4] EncryptedData
689 }
691 AP-REP ::= [APPLICATION 15] SEQUENCE {
692 pvno[0] Krb5Int32,
693 msg-type[1] MESSAGE-TYPE,
694 enc-part[2] EncryptedData
695 }
697 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
698 ctime[0] KerberosTime,
699 cusec[1] Krb5Int32,
700 subkey[2] EncryptionKey OPTIONAL,
701 seq-number[3] Krb5UInt32 OPTIONAL
702 }
704 KRB-SAFE-BODY ::= SEQUENCE {
705 user-data[0] OCTET STRING,
706 timestamp[1] KerberosTime OPTIONAL,
707 usec[2] Krb5Int32 OPTIONAL,
708 seq-number[3] Krb5UInt32 OPTIONAL,
709 s-address[4] HostAddress OPTIONAL,
710 r-address[5] HostAddress OPTIONAL
711 }
713 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
714 pvno[0] Krb5Int32,
715 msg-type[1] MESSAGE-TYPE,
716 safe-body[2] KRB-SAFE-BODY,
717 cksum[3] Checksum
718 }
720 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
721 pvno[0] Krb5Int32,
722 msg-type[1] MESSAGE-TYPE,
723 enc-part[3] EncryptedData
724 }
725 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
726 user-data[0] OCTET STRING,
727 timestamp[1] KerberosTime OPTIONAL,
728 usec[2] Krb5Int32 OPTIONAL,
729 seq-number[3] Krb5UInt32 OPTIONAL,
730 s-address[4] HostAddress OPTIONAL, -- sender's addr
731 r-address[5] HostAddress OPTIONAL -- recip's addr
732 }
734 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
735 pvno[0] Krb5Int32,
736 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
737 tickets[2] SEQUENCE OF Ticket,
738 enc-part[3] EncryptedData
739 }
741 KrbCredInfo ::= SEQUENCE {
742 key[0] EncryptionKey,
743 prealm[1] Realm OPTIONAL,
744 pname[2] PrincipalName OPTIONAL,
745 flags[3] TicketFlags OPTIONAL,
746 authtime[4] KerberosTime OPTIONAL,
747 starttime[5] KerberosTime OPTIONAL,
748 endtime[6] KerberosTime OPTIONAL,
749 renew-till[7] KerberosTime OPTIONAL,
750 srealm[8] Realm OPTIONAL,
751 sname[9] PrincipalName OPTIONAL,
752 caddr[10] HostAddresses OPTIONAL
753 }
755 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
756 ticket-info[0] SEQUENCE OF KrbCredInfo,
757 nonce[1] Krb5Int32 OPTIONAL,
758 timestamp[2] KerberosTime OPTIONAL,
759 usec[3] Krb5Int32 OPTIONAL,
760 s-address[4] HostAddress OPTIONAL,
761 r-address[5] HostAddress OPTIONAL
762 }
764 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
765 pvno[0] Krb5Int32,
766 msg-type[1] MESSAGE-TYPE,
767 ctime[2] KerberosTime OPTIONAL,
768 cusec[3] Krb5Int32 OPTIONAL,
769 stime[4] KerberosTime,
770 susec[5] Krb5Int32,
771 error-code[6] Krb5Int32,
772 crealm[7] Realm OPTIONAL,
773 cname[8] PrincipalName OPTIONAL,
774 realm[9] Realm, -- Correct realm
775 sname[10] PrincipalName, -- Correct name
776 e-text[11] GeneralString OPTIONAL,
777 e-data[12] OCTET STRING OPTIONAL
778 }
780 ChangePasswdDataMS ::= SEQUENCE {
781 newpasswd[0] OCTET STRING,
782 targname[1] PrincipalName OPTIONAL,
783 targrealm[2] Realm OPTIONAL
784 }
786 EtypeList ::= SEQUENCE OF ENCTYPE
787 -- the client's proposed enctype list in
788 -- decreasing preference order, favorite choice first
790 krb5-pvno Krb5Int32 ::= 5 -- current Kerberos protocol version number
792 -- transited encodings
794 domain-X500-Compress Krb5Int32 ::= 1
796 -- authorization data primitives
798 AD-IF-RELEVANT ::= AuthorizationData
800 AD-KDCIssued ::= SEQUENCE {
801 ad-checksum[0] Checksum,
802 i-realm[1] Realm OPTIONAL,
803 i-sname[2] PrincipalName OPTIONAL,
804 elements[3] AuthorizationData
805 }
807 AD-AND-OR ::= SEQUENCE {
808 condition-count[0] Krb5Int32,
809 elements[1] AuthorizationData
810 }
812 AD-MANDATORY-FOR-KDC ::= AuthorizationData
814 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
816 PA-SAM-TYPE ::= INTEGER {
817 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
818 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
819 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
820 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
821 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
822 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
823 }
825 PA-SAM-REDIRECT ::= HostAddresses
827 SAMFlags ::= BIT STRING {
828 use-sad-as-key(0),
829 send-encrypted-sad(1),
830 must-pk-encrypt-sad(2)
831 }
833 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
834 sam-type[0] Krb5Int32,
835 sam-flags[1] SAMFlags,
836 sam-type-name[2] GeneralString OPTIONAL,
837 sam-track-id[3] GeneralString OPTIONAL,
838 sam-challenge-label[4] GeneralString OPTIONAL,
839 sam-challenge[5] GeneralString OPTIONAL,
840 sam-response-prompt[6] GeneralString OPTIONAL,
841 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
842 sam-nonce[8] Krb5Int32,
843 sam-etype[9] Krb5Int32,
844 ...
845 }
847 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
848 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
849 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
850 ...
851 }
853 PA-SAM-RESPONSE-2 ::= SEQUENCE {
854 sam-type[0] Krb5Int32,
855 sam-flags[1] SAMFlags,
856 sam-track-id[2] GeneralString OPTIONAL,
857 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
858 sam-nonce[4] Krb5Int32,
859 ...
860 }
862 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
863 sam-nonce[0] Krb5Int32,
864 sam-sad[1] GeneralString OPTIONAL,
865 ...
866 }
868 PA-S4U2Self ::= SEQUENCE {
869 name[0] PrincipalName,
870 realm[1] Realm,
871 cksum[2] Checksum,
872 auth[3] GeneralString
873 }
875 PA-S4U-X509-USER::= SEQUENCE {
876 user-id[0] S4UUserID,
877 checksum[1] Checksum
878 }
880 S4UUserID ::= SEQUENCE {
881 nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY
882 cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
883 crealm [2] Realm,
884 subject-certificate [3] OCTET STRING OPTIONAL,
885 options [4] BIT STRING OPTIONAL,
886 ...
887 }
889 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
890 login-alias [0] PrincipalName,
891 checksum [1] Checksum
892 }
894 -- old ms referral
895 PA-SvrReferralData ::= SEQUENCE {
896 referred-name [1] PrincipalName OPTIONAL,
897 referred-realm [0] Realm
898 }
900 PA-SERVER-REFERRAL-DATA ::= EncryptedData
902 PA-ServerReferralData ::= SEQUENCE {
903 referred-realm [0] Realm OPTIONAL,
904 true-principal-name [1] PrincipalName OPTIONAL,
905 requested-principal-name [2] PrincipalName OPTIONAL,
906 referral-valid-until [3] KerberosTime OPTIONAL,
907 ...
908 }
910 FastOptions ::= BIT STRING {
911 reserved(0),
912 hide-client-names(1),
913 critical2(2),
914 critical3(3),
915 critical4(4),
916 critical5(5),
917 critical6(6),
918 critical7(7),
919 critical8(8),
920 critical9(9),
921 critical10(10),
922 critical11(11),
923 critical12(12),
924 critical13(13),
925 critical14(14),
926 critical15(15),
927 kdc-follow-referrals(16)
928 }
930 KrbFastReq ::= SEQUENCE {
931 fast-options [0] FastOptions,
932 padata [1] METHOD-DATA,
933 req-body [2] KDC-REQ-BODY,
934 ...
935 }
937 KrbFastArmor ::= SEQUENCE {
938 armor-type [0] Krb5Int32,
939 armor-value [1] OCTET STRING,
940 ...
941 }
943 KrbFastArmoredReq ::= SEQUENCE {
944 armor [0] KrbFastArmor OPTIONAL,
945 req-checksum [1] Checksum,
946 enc-fast-req [2] EncryptedData -- KrbFastReq --
947 }
949 PA-FX-FAST-REQUEST ::= CHOICE {
950 armored-data [0] KrbFastArmoredReq,
951 ...
952 }
954 KrbFastFinished ::= SEQUENCE {
955 timestamp [0] KerberosTime,
956 usec [1] Krb5Int32,
957 crealm [2] Realm,
958 cname [3] PrincipalName,
959 ticket-checksum [4] Checksum,
960 ...
961 }
963 KrbFastResponse ::= SEQUENCE {
964 padata [0] METHOD-DATA,
965 strengthen-key [1] EncryptionKey OPTIONAL,
966 finished [2] KrbFastFinished OPTIONAL,
967 nonce [3] Krb5UInt32,
968 ...
969 }
971 KrbFastArmoredRep ::= SEQUENCE {
972 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
973 ...
974 }
976 PA-FX-FAST-REPLY ::= CHOICE {
977 armored-data [0] KrbFastArmoredRep,
978 ...
979 }
981 KDCFastFlags ::= BIT STRING {
982 use-reply-key(0),
983 reply-key-used(1),
984 reply-key-replaced(2),
985 kdc-verified(3),
986 requested-hidden-names(4)
987 }
989 -- KDCFastState is stored in FX_COOKIE
990 KDCFastState ::= SEQUENCE {
991 flags [0] KDCFastFlags,
992 expiration [1] GeneralizedTime,
993 fast-state [2] METHOD-DATA,
994 expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
995 }
997 KDCFastCookie ::= SEQUENCE {
998 version [0] UTF8String,
999 cookie [1] EncryptedData
1000 }
1002 KDC-PROXY-MESSAGE ::= SEQUENCE {
1003 kerb-message [0] OCTET STRING,
1004 target-domain [1] Realm OPTIONAL,
1005 dclocator-hint [2] INTEGER OPTIONAL
1006 }
1008 -- these messages are used in the GSSCred communication and is not part of Kerberos propper
1010 KERB-TIMES ::= SEQUENCE {
1011 authtime [0] KerberosTime,
1012 starttime [1] KerberosTime,
1013 endtime [2] KerberosTime,
1014 renew_till [3] KerberosTime
1015 }
1017 KERB-CRED ::= SEQUENCE {
1018 client [0] Principal,
1019 server [1] Principal,
1020 keyblock [2] EncryptionKey,
1021 times [3] KERB-TIMES,
1022 ticket [4] OCTET STRING,
1023 authdata [5] OCTET STRING,
1024 addresses [6] HostAddresses,
1025 flags [7] TicketFlags
1026 }
1028 KERB-TGS-REQ-IN ::= SEQUENCE {
1029 cache [0] OCTET STRING SIZE (16),
1030 addrs [1] HostAddresses,
1031 flags [2] Krb5UInt32,
1032 imp [3] Principal OPTIONAL,
1033 ticket [4] OCTET STRING OPTIONAL,
1034 in_cred [5] KERB-CRED,
1035 krbtgt [6] KERB-CRED,
1036 padata [7] METHOD-DATA
1037 }
1039 KERB-TGS-REQ-OUT ::= SEQUENCE {
1040 subkey [0] EncryptionKey OPTIONAL,
1041 t [1] TGS-REQ
1042 }
1046 KERB-TGS-REP-IN ::= SEQUENCE {
1047 cache [0] OCTET STRING SIZE (16),
1048 subkey [1] EncryptionKey OPTIONAL,
1049 in_cred [2] KERB-CRED,
1050 t [3] TGS-REP
1051 }
1053 KERB-TGS-REP-OUT ::= SEQUENCE {
1054 cache [0] OCTET STRING SIZE (16),
1055 cred [1] KERB-CRED,
1056 subkey [2] EncryptionKey
1057 }
1059 KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
1060 armor [0] KrbFastArmor,
1061 armor-key [1] EncryptionKey
1062 }
1064 END
1066 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1