3 KERBEROS5 DEFINITIONS ::=
17 AuthorizationDataElement,
54 PA-ClientCanonicalized,
55 PA-ClientCanonicalizedNames,
64 PA-SERVER-REFERRAL-DATA,
65 PA-ServerReferralData,
88 KERB-AD-RESTRICTION-ENTRY,
93 KERB-ARMOR-SERVICE-REPLY,
97 NAME-TYPE ::= INTEGER {
98 KRB5_NT_UNKNOWN(0), -- Name type not known
99 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
100 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
101 KRB5_NT_SRV_HST(3), -- Service with host name as instance
102 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
103 KRB5_NT_UID(5), -- Unique ID
104 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
105 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
106 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
107 KRB5_NT_WELLKNOWN(11), -- Well-known
108 KRB5_NT_SRV_HST_DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
109 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
110 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
111 KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
112 KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
113 KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
114 KRB5_NT_GSS_HOSTBASED_SERVICE(-1202), -- not used; remove
115 KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
116 KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- Internal: indicates that name canonicalization is needed
121 MESSAGE-TYPE ::= INTEGER {
122 krb-as-req(10), -- Request for initial authentication
123 krb-as-rep(11), -- Response to KRB_AS_REQ request
124 krb-tgs-req(12), -- Request for authentication based on TGT
125 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
126 krb-ap-req(14), -- application request to server
127 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
128 krb-safe(20), -- Safe (checksummed) application message
129 krb-priv(21), -- Private (encrypted) application message
130 krb-cred(22), -- Private (encrypted) message to forward credentials
131 krb-error(30) -- Error response
137 PADATA-TYPE ::= INTEGER {
139 KRB5-PADATA-TGS-REQ(1),
140 KRB5-PADATA-AP-REQ(1),
141 KRB5-PADATA-ENC-TIMESTAMP(2),
142 KRB5-PADATA-PW-SALT(3),
143 KRB5-PADATA-ENC-UNIX-TIME(5),
144 KRB5-PADATA-SANDIA-SECUREID(6),
145 KRB5-PADATA-SESAME(7),
146 KRB5-PADATA-OSF-DCE(8),
147 KRB5-PADATA-CYBERSAFE-SECUREID(9),
148 KRB5-PADATA-AFS3-SALT(10),
149 KRB5-PADATA-ETYPE-INFO(11),
150 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
151 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
152 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
153 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
154 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
155 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
156 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
157 KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
158 KRB5-PADATA-ETYPE-INFO2(19),
159 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
160 KRB5-PADATA-SVR-REFERRAL-INFO(20), -- old MS referral number
161 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
162 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
163 KRB5-PADATA-SAM-ETYPE-INFO(23),
164 KRB5-PADATA-SERVER-REFERRAL(25),
165 KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
166 KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
167 KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
168 KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
169 KRB5-PADATA-FX-FAST-ARMOR(71), -- fast armor
170 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
171 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
172 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
173 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
174 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
175 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
176 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
177 KRB5-PADATA-FOR-USER(129), -- MS-KILE
178 KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
179 KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
180 KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
181 KRB5-PADATA-PK-AS-09-BINDING(132), -- client sends this to
182 -- tell KDC that it supports
183 -- the asCheckSum in the
185 KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
186 KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
187 KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
188 KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
189 KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
190 KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
191 KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
192 KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
193 KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
194 KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
195 KRB5-PADATA-EPAK-AS-REQ(145),
196 KRB5-PADATA-EPAK-AS-REP(146),
197 KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
198 KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
199 KRB5-PADATA-REQ-ENC-PA-REP(149), --
200 KRB5-PADATA-AS-FRESHNESS(150), -- RFC 8070
201 KER5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE
202 KER5-PADATA-KERB-PAKEY-LIST-REP(162), -- MS-KILE
203 KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
204 KRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE
205 KRB5-PADATA-GSS(655) -- krb-wg-gss-preauth
209 AUTHDATA-TYPE ::= INTEGER {
210 KRB5-AUTHDATA-IF-RELEVANT(1),
211 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
212 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
213 KRB5-AUTHDATA-KDC-ISSUED(4),
214 KRB5-AUTHDATA-AND-OR(5),
215 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
216 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
217 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
218 KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
219 KRB5-AUTHDATA-OSF-DCE(64),
220 KRB5-AUTHDATA-SESAME(65),
221 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
222 KRB5-AUTHDATA-AUTHENTICATION-STRENGTH(70),
223 KRB5-AUTHDATA-FX-FAST-ARMOR(71),
224 KRB5-AUTHDATA-FX-FAST-USED(72),
225 KRB5-AUTHDATA-WIN2K-PAC(128),
226 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
227 KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
228 KRB5-AUTHDATA-SIGNTICKET-OLD(142),
229 KRB5-AUTHDATA-SIGNTICKET(512),
230 KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthesised
231 KRB5-AUTHDATA-KERB-LOCAL(141), -- MS-KILE
232 KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142), -- MS-KILE
233 KRB5-AUTHDATA-AP-OPTIONS(143), -- MS-KILE
234 KRB5-AUTHDATA-TARGET-PRINCIPAL(144), -- MS-KILE
235 -- N.B. these assignments have not been confirmed yet.
237 -- DO NOT USE in production yet!
238 KRB5-AUTHDATA-ON-BEHALF-OF(580), -- UTF8String princ name
239 KRB5-AUTHDATA-BEARER-TOKEN-JWT(581), -- JWT token
240 KRB5-AUTHDATA-BEARER-TOKEN-SAML(582), -- SAML token
241 KRB5-AUTHDATA-BEARER-TOKEN-OIDC(583), -- OIDC token
242 KRB5-AUTHDATA-CSR-AUTHORIZED(584), -- Proxy has authorized client
243 -- to requested exts in CSR
244 KRB5-AUTHDATA-GSS-COMPOSITE-NAME(655) -- gss_export_name_composite
249 CKSUMTYPE ::= INTEGER {
252 CKSUMTYPE_RSA_MD4(2),
253 CKSUMTYPE_RSA_MD4_DES(3),
254 CKSUMTYPE_DES_MAC(4),
255 CKSUMTYPE_DES_MAC_K(5),
256 CKSUMTYPE_RSA_MD4_DES_K(6),
257 CKSUMTYPE_RSA_MD5(7),
258 CKSUMTYPE_RSA_MD5_DES(8),
259 CKSUMTYPE_RSA_MD5_DES3(9),
260 CKSUMTYPE_SHA1_OTHER(10),
261 CKSUMTYPE_HMAC_SHA1_DES3(12),
263 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
264 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
265 CKSUMTYPE_HMAC_SHA256_128_AES128(19),
266 CKSUMTYPE_HMAC_SHA384_192_AES256(20),
267 CKSUMTYPE_GSSAPI(0x8003),
268 CKSUMTYPE_HMAC_MD5(-138), -- unofficial Microsoft number
269 CKSUMTYPE_HMAC_MD5_ENC(-1138), -- even more unofficial
270 CKSUMTYPE_SHA256(-21),
271 CKSUMTYPE_SHA384(-22),
272 CKSUMTYPE_SHA512(-23)
276 ENCTYPE ::= INTEGER {
277 KRB5_ENCTYPE_NULL(0),
278 KRB5_ENCTYPE_DES_CBC_CRC(1),
279 KRB5_ENCTYPE_DES_CBC_MD4(2),
280 KRB5_ENCTYPE_DES_CBC_MD5(3),
281 KRB5_ENCTYPE_DES3_CBC_MD5(5),
282 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
283 KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
284 KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
285 KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
286 KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
287 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
288 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
289 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128(19),
290 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192(20),
291 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
292 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
293 KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
294 -- some "old" Windows types
295 KRB5_ENCTYPE_ARCFOUR_MD4(-128),
296 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
297 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
298 -- these are for Heimdal internal use
299 KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
300 KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
301 KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
302 KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
303 KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
304 KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
310 -- this is sugar to make something ASN1 does not have: unsigned
312 Krb5UInt32 ::= INTEGER (0..4294967295)
313 Krb5Int32 ::= INTEGER (-2147483648..2147483647)
315 KerberosString ::= GeneralString
317 Realm ::= GeneralString
318 PrincipalName ::= SEQUENCE {
319 name-type[0] NAME-TYPE,
320 name-string[1] SEQUENCE OF GeneralString
323 HostAddress ::= SEQUENCE {
324 addr-type[0] Krb5Int32,
325 address[1] OCTET STRING
328 -- This is from RFC1510.
330 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
331 -- addr-type[0] Krb5Int32,
332 -- address[1] OCTET STRING
335 -- This seems much better.
336 HostAddresses ::= SEQUENCE OF HostAddress
339 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
341 AuthorizationDataElement ::= SEQUENCE {
342 ad-type[0] Krb5Int32,
343 ad-data[1] OCTET STRING
346 AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
348 APOptions ::= BIT STRING {
354 TicketFlags ::= BIT STRING {
367 transited-policy-checked(12),
373 KDCOptions ::= BIT STRING {
382 cname-in-addl-tkt(14), -- ms extension
384 request-anonymous(16),
385 disable-transited-check(26),
392 LR-TYPE ::= INTEGER {
393 LR_NONE(0), -- no information
394 LR_INITIAL_TGT(1), -- last initial TGT request
395 LR_INITIAL(2), -- last initial request
396 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
397 LR_RENEWAL(4), -- time of last renewal
398 LR_REQUEST(5), -- time of last request (of any type)
399 LR_PW_EXPTIME(6), -- expiration time of password
400 LR_ACCT_EXPTIME(7) -- expiration time of account
403 LastReq ::= SEQUENCE OF SEQUENCE {
405 lr-value[1] KerberosTime
409 EncryptedData ::= SEQUENCE {
410 etype[0] ENCTYPE, -- EncryptionType
411 kvno[1] Krb5Int32 OPTIONAL,
412 cipher[2] OCTET STRING -- ciphertext
415 EncryptionKey ::= SEQUENCE {
416 keytype[0] Krb5Int32,
417 keyvalue[1] OCTET STRING
420 -- encoded Transited field
421 TransitedEncoding ::= SEQUENCE {
422 tr-type[0] Krb5Int32, -- must be registered
423 contents[1] OCTET STRING
426 Ticket ::= [APPLICATION 1] SEQUENCE {
427 tkt-vno[0] Krb5Int32,
429 sname[2] PrincipalName,
430 enc-part[3] EncryptedData
432 -- Encrypted part of ticket
433 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
434 flags[0] TicketFlags,
435 key[1] EncryptionKey,
437 cname[3] PrincipalName,
438 transited[4] TransitedEncoding,
439 authtime[5] KerberosTime,
440 starttime[6] KerberosTime OPTIONAL,
441 endtime[7] KerberosTime,
442 renew-till[8] KerberosTime OPTIONAL,
443 caddr[9] HostAddresses OPTIONAL,
444 authorization-data[10] AuthorizationData OPTIONAL
447 Checksum ::= SEQUENCE {
448 cksumtype[0] CKSUMTYPE,
449 checksum[1] OCTET STRING
452 -- For GSS name attributes [RFC6680] we'll decorate Principal (which is not an
453 -- RFC4120 type, but which we use a) in HDB, b) in the API as that which
454 -- krb5_principal points to) with PrincipalNameAttrs.
456 -- Attributes have three possible sources in Heimdal Kerberos at this time:
458 -- - the EncKDCRepPart (for the client's attributes on the client side)
459 -- - the EncTicketPart (for the client's attributes on the server side)
460 -- - the Authenticator's AuthorizationData (if any; server-side)
462 -- In principle there can be more:
464 -- - locally-set (asserted) attributes
465 -- - locally-looked-up attributes (e.g., in LDAP)
466 -- - locally-transformed attributes (e.g., local groups, filtered SIDs from a
469 -- We could also cache "cooked" attributes as reported by the RFC6680 API given
470 -- the sources we have.
472 -- For now we'll only support authenticated attributes where those come from
473 -- the KDC, and attributes asserted in Authenticator authz-data.
474 PrincipalNameAttrSrc ::= CHOICE {
475 enc-kdc-rep-part [0] EncKDCRepPart, -- minus session key
476 enc-ticket-part [1] EncTicketPart -- minus session key
478 PrincipalNameAttrs ::= SEQUENCE {
479 -- True if this name was authenticated via an AP-REQ or a KDC-REP
480 authenticated [0] BOOLEAN,
481 -- These are compiled from the Ticket, KDC-REP, and/or Authenticator
482 source [1] PrincipalNameAttrSrc OPTIONAL,
483 authenticator-ad [2] AuthorizationData OPTIONAL,
484 -- For the server on the client side we should keep track of the
485 -- transit path taken to reach it (if absent -> unknown).
487 -- We don't learn much more about the server from the KDC.
488 peer-realm [3] Realm OPTIONAL,
489 transited [4] TransitedEncoding OPTIONAL,
490 -- True if the PAC was verified
491 pac-verified [5] BOOLEAN,
492 -- True if any AD-KDC-ISSUEDs in the Ticket were validated
493 kdc-issued-verified [6] BOOLEAN,
494 -- TODO: Add requested attributes, for gss_set_name_attribute(), which
495 -- should cause corresponding authz-data elements to be added to
496 -- any TGS-REQ or to the AP-REQ's Authenticator as appropriate.
497 want-ad [7] AuthorizationData OPTIONAL
499 -- This is our type for exported composite name tokens for GSS [RFC6680].
500 -- It's the same as Principal (below) as decorated with (see krb5.opt file and
501 -- asn1_compile usage), except it's not decorated, so the name attributes are
503 CompositePrincipal ::= [APPLICATION 48] SEQUENCE {
504 name[0] PrincipalName,
506 nameattrs[2] PrincipalNameAttrs OPTIONAL
509 -- This is not part of RFC1510/RFC4120. We use this internally as our
510 -- krb5_principal (which is a typedef of *Principal), and in HDB entries.
511 Principal ::= SEQUENCE {
512 name[0] PrincipalName,
514 -- This will be decorated with an optional nameattrs field of
515 -- PrincipalNameAttrs type that doesn't get encoded. Same as
516 -- CompositePrincipal above, except that CompositePrincipal's
517 -- nameattrs field does get encoded, while Principal's does not:
519 -- nameattrs[2] PrincipalNameAttrs OPTIONAL
522 Principals ::= SEQUENCE OF Principal
524 Authenticator ::= [APPLICATION 2] SEQUENCE {
525 authenticator-vno[0] Krb5Int32,
527 cname[2] PrincipalName,
528 cksum[3] Checksum OPTIONAL,
530 ctime[5] KerberosTime,
531 subkey[6] EncryptionKey OPTIONAL,
532 seq-number[7] Krb5UInt32 OPTIONAL,
533 authorization-data[8] AuthorizationData OPTIONAL
536 PA-DATA ::= SEQUENCE {
537 -- might be encoded AP-REQ
538 padata-type[1] PADATA-TYPE,
539 padata-value[2] OCTET STRING
542 ETYPE-INFO-ENTRY ::= SEQUENCE {
544 salt[1] OCTET STRING OPTIONAL,
545 salttype[2] Krb5Int32 OPTIONAL
548 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
550 ETYPE-INFO2-ENTRY ::= SEQUENCE {
552 salt[1] KerberosString OPTIONAL,
553 s2kparams[2] OCTET STRING OPTIONAL
556 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
558 METHOD-DATA ::= SEQUENCE OF PA-DATA
560 TypedData ::= SEQUENCE {
561 data-type[0] Krb5Int32,
562 data-value[1] OCTET STRING OPTIONAL
565 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
567 KDC-REQ-BODY ::= SEQUENCE {
568 kdc-options[0] KDCOptions,
569 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
570 realm[2] Realm, -- Server's realm
571 -- Also client's in AS-REQ
572 sname[3] PrincipalName OPTIONAL,
573 from[4] KerberosTime OPTIONAL,
574 till[5] KerberosTime OPTIONAL,
575 rtime[6] KerberosTime OPTIONAL,
577 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
578 -- in preference order
579 addresses[9] HostAddresses OPTIONAL,
580 enc-authorization-data[10] EncryptedData OPTIONAL,
581 -- Encrypted AuthorizationData encoding
582 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
585 KDC-REQ ::= SEQUENCE {
587 msg-type[2] MESSAGE-TYPE,
588 padata[3] METHOD-DATA OPTIONAL,
589 req-body[4] KDC-REQ-BODY
592 AS-REQ ::= [APPLICATION 10] KDC-REQ
593 TGS-REQ ::= [APPLICATION 12] KDC-REQ
595 -- padata-type ::= PA-ENC-TIMESTAMP
596 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
598 PA-ENC-TS-ENC ::= SEQUENCE {
599 patimestamp[0] KerberosTime, -- client's time
600 pausec[1] Krb5Int32 OPTIONAL
603 -- draft-brezak-win2k-krb-authz-01
604 PA-PAC-REQUEST ::= SEQUENCE {
605 include-pac[0] BOOLEAN -- Indicates whether a PAC
606 -- should be included or not
611 KERB-ERROR-DATA ::= SEQUENCE {
612 data-type [1] KerbErrorDataType,
613 data-value [2] OCTET STRING OPTIONAL
616 KerbErrorDataType ::= INTEGER {
617 kERB-AP-ERR-TYPE-SKEW-RECOVERY(2),
618 kERB-ERR-TYPE-EXTENDED(3)
622 PAC-OPTIONS-FLAGS ::= BIT STRING {
625 forward-to-full-dc(2),
626 resource-based-constrained-delegation(3)
630 PA-PAC-OPTIONS ::= SEQUENCE {
631 flags [0] PAC-OPTIONS-FLAGS
635 -- captures show that [UNIVERSAL 16] is required to parse it
636 KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
637 restriction-type [0] Krb5Int32,
638 restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
641 -- MS-KILE Section 2.2.11
642 PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE
644 -- MS-KILE Section 2.2.12
646 PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,
648 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
649 PROV-SRV-LOCATION ::= GeneralString
651 KDC-REP ::= SEQUENCE {
653 msg-type[1] MESSAGE-TYPE,
654 padata[2] METHOD-DATA OPTIONAL,
656 cname[4] PrincipalName,
658 enc-part[6] EncryptedData
661 AS-REP ::= [APPLICATION 11] KDC-REP
662 TGS-REP ::= [APPLICATION 13] KDC-REP
664 EncKDCRepPart ::= SEQUENCE {
665 key[0] EncryptionKey,
668 key-expiration[3] KerberosTime OPTIONAL,
669 flags[4] TicketFlags,
670 authtime[5] KerberosTime,
671 starttime[6] KerberosTime OPTIONAL,
672 endtime[7] KerberosTime,
673 renew-till[8] KerberosTime OPTIONAL,
675 sname[10] PrincipalName,
676 caddr[11] HostAddresses OPTIONAL,
677 encrypted-pa-data[12] METHOD-DATA OPTIONAL
680 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
681 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
683 AP-REQ ::= [APPLICATION 14] SEQUENCE {
685 msg-type[1] MESSAGE-TYPE,
686 ap-options[2] APOptions,
688 authenticator[4] EncryptedData
691 AP-REP ::= [APPLICATION 15] SEQUENCE {
693 msg-type[1] MESSAGE-TYPE,
694 enc-part[2] EncryptedData
697 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
698 ctime[0] KerberosTime,
700 subkey[2] EncryptionKey OPTIONAL,
701 seq-number[3] Krb5UInt32 OPTIONAL
704 KRB-SAFE-BODY ::= SEQUENCE {
705 user-data[0] OCTET STRING,
706 timestamp[1] KerberosTime OPTIONAL,
707 usec[2] Krb5Int32 OPTIONAL,
708 seq-number[3] Krb5UInt32 OPTIONAL,
709 s-address[4] HostAddress OPTIONAL,
710 r-address[5] HostAddress OPTIONAL
713 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
715 msg-type[1] MESSAGE-TYPE,
716 safe-body[2] KRB-SAFE-BODY,
720 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
722 msg-type[1] MESSAGE-TYPE,
723 enc-part[3] EncryptedData
725 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
726 user-data[0] OCTET STRING,
727 timestamp[1] KerberosTime OPTIONAL,
728 usec[2] Krb5Int32 OPTIONAL,
729 seq-number[3] Krb5UInt32 OPTIONAL,
730 s-address[4] HostAddress OPTIONAL, -- sender's addr
731 r-address[5] HostAddress OPTIONAL -- recip's addr
734 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
736 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
737 tickets[2] SEQUENCE OF Ticket,
738 enc-part[3] EncryptedData
741 KrbCredInfo ::= SEQUENCE {
742 key[0] EncryptionKey,
743 prealm[1] Realm OPTIONAL,
744 pname[2] PrincipalName OPTIONAL,
745 flags[3] TicketFlags OPTIONAL,
746 authtime[4] KerberosTime OPTIONAL,
747 starttime[5] KerberosTime OPTIONAL,
748 endtime[6] KerberosTime OPTIONAL,
749 renew-till[7] KerberosTime OPTIONAL,
750 srealm[8] Realm OPTIONAL,
751 sname[9] PrincipalName OPTIONAL,
752 caddr[10] HostAddresses OPTIONAL
755 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
756 ticket-info[0] SEQUENCE OF KrbCredInfo,
757 nonce[1] Krb5Int32 OPTIONAL,
758 timestamp[2] KerberosTime OPTIONAL,
759 usec[3] Krb5Int32 OPTIONAL,
760 s-address[4] HostAddress OPTIONAL,
761 r-address[5] HostAddress OPTIONAL
764 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
766 msg-type[1] MESSAGE-TYPE,
767 ctime[2] KerberosTime OPTIONAL,
768 cusec[3] Krb5Int32 OPTIONAL,
769 stime[4] KerberosTime,
771 error-code[6] Krb5Int32,
772 crealm[7] Realm OPTIONAL,
773 cname[8] PrincipalName OPTIONAL,
774 realm[9] Realm, -- Correct realm
775 sname[10] PrincipalName, -- Correct name
776 e-text[11] GeneralString OPTIONAL,
777 e-data[12] OCTET STRING OPTIONAL
780 ChangePasswdDataMS ::= SEQUENCE {
781 newpasswd[0] OCTET STRING,
782 targname[1] PrincipalName OPTIONAL,
783 targrealm[2] Realm OPTIONAL
786 EtypeList ::= SEQUENCE OF ENCTYPE
787 -- the client's proposed enctype list in
788 -- decreasing preference order, favorite choice first
790 krb5-pvno Krb5Int32 ::= 5 -- current Kerberos protocol version number
792 -- transited encodings
794 domain-X500-Compress Krb5Int32 ::= 1
796 -- authorization data primitives
798 AD-IF-RELEVANT ::= AuthorizationData
800 AD-KDCIssued ::= SEQUENCE {
801 ad-checksum[0] Checksum,
802 i-realm[1] Realm OPTIONAL,
803 i-sname[2] PrincipalName OPTIONAL,
804 elements[3] AuthorizationData
807 AD-AND-OR ::= SEQUENCE {
808 condition-count[0] Krb5Int32,
809 elements[1] AuthorizationData
812 AD-MANDATORY-FOR-KDC ::= AuthorizationData
814 -- PA-SAM-CHALLENGE-2/PA-SAM-RESPONSE-2
816 PA-SAM-TYPE ::= INTEGER {
817 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
818 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
819 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
820 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
821 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
822 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
825 PA-SAM-REDIRECT ::= HostAddresses
827 SAMFlags ::= BIT STRING {
829 send-encrypted-sad(1),
830 must-pk-encrypt-sad(2)
833 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
834 sam-type[0] Krb5Int32,
835 sam-flags[1] SAMFlags,
836 sam-type-name[2] GeneralString OPTIONAL,
837 sam-track-id[3] GeneralString OPTIONAL,
838 sam-challenge-label[4] GeneralString OPTIONAL,
839 sam-challenge[5] GeneralString OPTIONAL,
840 sam-response-prompt[6] GeneralString OPTIONAL,
841 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
842 sam-nonce[8] Krb5Int32,
843 sam-etype[9] Krb5Int32,
847 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
848 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
849 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
853 PA-SAM-RESPONSE-2 ::= SEQUENCE {
854 sam-type[0] Krb5Int32,
855 sam-flags[1] SAMFlags,
856 sam-track-id[2] GeneralString OPTIONAL,
857 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
858 sam-nonce[4] Krb5Int32,
862 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
863 sam-nonce[0] Krb5Int32,
864 sam-sad[1] GeneralString OPTIONAL,
868 PA-S4U2Self ::= SEQUENCE {
869 name[0] PrincipalName,
872 auth[3] GeneralString
875 PA-S4U-X509-USER::= SEQUENCE {
876 user-id[0] S4UUserID,
880 S4UUserID ::= SEQUENCE {
881 nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY
882 cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
884 subject-certificate [3] OCTET STRING OPTIONAL,
885 options [4] BIT STRING OPTIONAL,
889 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
890 login-alias [0] PrincipalName,
891 checksum [1] Checksum
895 PA-SvrReferralData ::= SEQUENCE {
896 referred-name [1] PrincipalName OPTIONAL,
897 referred-realm [0] Realm
900 PA-SERVER-REFERRAL-DATA ::= EncryptedData
902 PA-ServerReferralData ::= SEQUENCE {
903 referred-realm [0] Realm OPTIONAL,
904 true-principal-name [1] PrincipalName OPTIONAL,
905 requested-principal-name [2] PrincipalName OPTIONAL,
906 referral-valid-until [3] KerberosTime OPTIONAL,
910 FastOptions ::= BIT STRING {
912 hide-client-names(1),
927 kdc-follow-referrals(16)
930 KrbFastReq ::= SEQUENCE {
931 fast-options [0] FastOptions,
932 padata [1] METHOD-DATA,
933 req-body [2] KDC-REQ-BODY,
937 KrbFastArmor ::= SEQUENCE {
938 armor-type [0] Krb5Int32,
939 armor-value [1] OCTET STRING,
943 KrbFastArmoredReq ::= SEQUENCE {
944 armor [0] KrbFastArmor OPTIONAL,
945 req-checksum [1] Checksum,
946 enc-fast-req [2] EncryptedData -- KrbFastReq --
949 PA-FX-FAST-REQUEST ::= CHOICE {
950 armored-data [0] KrbFastArmoredReq,
954 KrbFastFinished ::= SEQUENCE {
955 timestamp [0] KerberosTime,
958 cname [3] PrincipalName,
959 ticket-checksum [4] Checksum,
963 KrbFastResponse ::= SEQUENCE {
964 padata [0] METHOD-DATA,
965 strengthen-key [1] EncryptionKey OPTIONAL,
966 finished [2] KrbFastFinished OPTIONAL,
967 nonce [3] Krb5UInt32,
971 KrbFastArmoredRep ::= SEQUENCE {
972 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
976 PA-FX-FAST-REPLY ::= CHOICE {
977 armored-data [0] KrbFastArmoredRep,
981 KDCFastFlags ::= BIT STRING {
984 reply-key-replaced(2),
986 requested-hidden-names(4)
989 -- KDCFastState is stored in FX_COOKIE
990 KDCFastState ::= SEQUENCE {
991 flags [0] KDCFastFlags,
992 expiration [1] GeneralizedTime,
993 fast-state [2] METHOD-DATA,
994 expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
997 KDCFastCookie ::= SEQUENCE {
998 version [0] UTF8String,
999 cookie [1] EncryptedData
1002 KDC-PROXY-MESSAGE ::= SEQUENCE {
1003 kerb-message [0] OCTET STRING,
1004 target-domain [1] Realm OPTIONAL,
1005 dclocator-hint [2] INTEGER OPTIONAL
1008 -- these messages are used in the GSSCred communication and are not part of Kerberos proper
1010 KERB-TIMES ::= SEQUENCE {
1011 authtime [0] KerberosTime,
1012 starttime [1] KerberosTime,
1013 endtime [2] KerberosTime,
1014 renew_till [3] KerberosTime
1017 KERB-CRED ::= SEQUENCE {
1018 client [0] Principal,
1019 server [1] Principal,
1020 keyblock [2] EncryptionKey,
1021 times [3] KERB-TIMES,
1022 ticket [4] OCTET STRING,
1023 authdata [5] OCTET STRING,
1024 addresses [6] HostAddresses,
1025 flags [7] TicketFlags
1028 KERB-TGS-REQ-IN ::= SEQUENCE {
1029 cache [0] OCTET STRING SIZE (16),
1030 addrs [1] HostAddresses,
1031 flags [2] Krb5UInt32,
1032 imp [3] Principal OPTIONAL,
1033 ticket [4] OCTET STRING OPTIONAL,
1034 in_cred [5] KERB-CRED,
1035 krbtgt [6] KERB-CRED,
1036 padata [7] METHOD-DATA
1039 KERB-TGS-REQ-OUT ::= SEQUENCE {
1040 subkey [0] EncryptionKey OPTIONAL,
1046 KERB-TGS-REP-IN ::= SEQUENCE {
1047 cache [0] OCTET STRING SIZE (16),
1048 subkey [1] EncryptionKey OPTIONAL,
1049 in_cred [2] KERB-CRED,
1053 KERB-TGS-REP-OUT ::= SEQUENCE {
1054 cache [0] OCTET STRING SIZE (16),
1056 subkey [2] EncryptionKey
1059 KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
1060 armor [0] KrbFastArmor,
1061 armor-key [1] EncryptionKey
1066 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1