| blob | 1b2c7cc06dc2a7f1604baa1fa878dec185d459d0 |
1 -- Portions of these ASN.1 modules are structures from RFC6113
2 -- authored by S. Hartman (Painless Security) and L. Zhu (Microsoft)
3 --
4 -- Portions of these ASN.1 modules are structures from RFC4556
5 -- authored by L. Zhu (Microsoft Corporation) and B. Tung (Aerospace
6 -- Corporation)
7 --
8 -- Portions of these ASN.1 modules are structures from RFC5280
9 -- authored by D. Cooper (NIST), S. Santesson (Microsoft),
10 -- S. Farrell (Trinity College Dublin), S. Boeyen (Entrust),
11 -- R. Housley (Vigil Security), W. Polk (NIST)
12 --
13 -- Portions of these ASN.1 modules are structures from RFC0817
14 -- authored by K. Moriarty, Ed. (EMC Corporation)
15 -- B. Kaliski (Verisign), J. Jonsson (Subset AB), A. Rusch (RSA)
17 -- Portions of these ASN.1 modules are structures from RFC0818
18 -- authored by K. Moriarty, Ed. (Dell EMC), B. Kaliski (Verisign)
19 -- A. Rusch (RSA)
20 --
21 -- Copyright (c) 2011 IETF Trust and the persons identified as authors of the
22 -- code. All rights reserved.
23 --
24 -- Redistribution and use in source and binary forms, with or without
25 -- modification, is permitted pursuant to, and subject to the license terms
26 -- contained in, the Simplified BSD License set forth in Section 4.c of the IETF
27 -- Trust’s Legal Provisions Relating to IETF Documents
28 -- (http://trustee.ietf.org/license-info).
29 --
30 -- BSD License:
31 --
32 -- Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved.
33 -- Redistribution and use in source and binary forms, with or without modification, are permitted provided
34 -- that the following conditions are met:
35 -- • Redistributions of source code must retain the above copyright notice, this list of conditions and
36 -- the following disclaimer.
37 --
38 -- • Redistributions in binary form must reproduce the above copyright notice, this list of conditions
39 -- and the following disclaimer in the documentation and/or other materials provided with the
40 -- distribution.
41 --
42 -- • Neither the name of Internet Society, IETF or IETF Trust, nor the names of specific contributors,
43 -- may be used to endorse or promote products derived from this software without specific prior written
44 -- permission.
45 -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
46 -- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 -- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
48 -- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
49 -- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
50 -- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
51 -- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
52 -- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
53 -- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 -- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
55 -- POSSIBILITY OF SUCH DAMAGE.
56 --
57 --
58 -- Portions of these ASN.1 modules are from Microsoft's MS-WCCE and MS-KILE
59 -- from the Microsoft Open Specifications Documentation.
60 --
61 -- Intellectual Property Rights Notice for Open Specifications Documentation
62 --
63 -- * Technical Documentation. Microsoft publishes Open Specifications
64 -- documentation (“this documentation”) for protocols, file formats,
65 -- data portability, computer languages, and standards
66 -- support. Additionally, overview documents cover inter-protocol
67 -- relationships and interactions.
68 --
69 -- * Copyrights. This documentation is covered by Microsoft
70 -- copyrights. Regardless of any other terms that are contained in
71 -- the terms of use for the Microsoft website that hosts this
72 -- documentation, you can make copies of it in order to develop
73 -- implementations of the technologies that are described in this
74 -- documentation and can distribute portions of it in your
75 -- implementations that use these technologies or in your
76 -- documentation as necessary to properly document the
77 -- implementation. You can also distribute in your implementation,
78 -- with or without modification, any schemas, IDLs, or code samples
79 -- that are included in the documentation. This permission also
80 -- applies to any documents that are referenced in the Open
81 -- Specifications documentation.
82 --
83 -- * No Trade Secrets. Microsoft does not claim any trade secret rights
84 -- in this documentation.
85 --
86 -- * Patents. Microsoft has patents that might cover your
87 -- implementations of the technologies described in the Open
88 -- Specifications documentation. Neither this notice nor Microsoft's
89 -- delivery of this documentation grants any licenses under those
90 -- patents or any other Microsoft patents. However, a given Open
91 -- Specifications document might be covered by the Microsoft Open
92 -- Specifications Promise or the Microsoft Community Promise. If you
93 -- would prefer a written license, or if the technologies described
94 -- in this documentation are not covered by the Open Specifications
95 -- Promise or Community Promise, as applicable, patent licenses are
96 -- available by contacting iplg@microsoft.com.
97 --
98 -- * License Programs. To see all of the protocols in scope under a
99 -- specific license program and the associated patents, visit the
100 -- Patent Map.
101 --
102 -- * Trademarks. The names of companies and products contained in this
103 -- documentation might be covered by trademarks or similar
104 -- intellectual property rights. This notice does not grant any
105 -- licenses under those rights. For a list of Microsoft trademarks,
106 -- visit www.microsoft.com/trademarks.
107 --
108 -- * Fictitious Names. The example companies, organizations, products,
109 -- domain names, email addresses, logos, people, places, and events
110 -- that are depicted in this documentation are fictitious. No
111 -- association with any real company, organization, product, domain
112 -- name, email address, logo, person, place, or event is intended or
113 -- should be inferred.
114 --
115 -- Reservation of Rights. All other rights are reserved, and this notice
116 -- does not grant any rights other than as specifically described above,
117 -- whether by implication, estoppel, or otherwise.
118 --
119 -- Tools. The Open Specifications documentation does not require the use
120 -- of Microsoft programming tools or programming environments in order
121 -- for you to develop an implementation. If you have access to Microsoft
122 -- programming tools and environments, you are free to take advantage of
123 -- them. Certain Open Specifications documents are intended for use in
124 -- conjunction with publicly available standards specifications and
125 -- network programming art and, as such, assume that the reader either
126 -- is familiar with the aforementioned material or has immediate access
127 -- to it.
128 --
129 -- Support. For questions and support, please contact dochelp@microsoft.com
132 -- The above is the IPR notice from MS-KILE
134 KerberosV5Spec2 {
135 iso(1) identified-organization(3) dod(6) internet(1)
136 security(5) kerberosV5(2) modules(4) krb5spec2(2)
137 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
139 -- OID arc for KerberosV5
140 --
141 -- This OID may be used to identify Kerberos protocol messages
142 -- encapsulated in other protocols.
143 --
144 -- This OID also designates the OID arc for KerberosV5-related OIDs.
145 --
146 -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
147 id-krb5 OBJECT IDENTIFIER ::= {
148 iso(1) identified-organization(3) dod(6) internet(1)
149 security(5) kerberosV5(2)
150 }
152 Int32 ::= INTEGER (-2147483648..2147483647)
153 -- signed values representable in 32 bits
155 UInt32 ::= INTEGER (0..4294967295)
156 -- unsigned 32 bit values
158 Microseconds ::= INTEGER (0..999999)
159 -- microseconds
161 --
162 -- asn1ate doesn't support 'GeneralString (IA5String)'
163 -- only 'GeneralString' or 'IA5String', on the wire
164 -- GeneralString is used.
165 --
166 -- KerberosString ::= GeneralString (IA5String)
167 KerberosString ::= GeneralString
169 Realm ::= KerberosString
171 PrincipalName ::= SEQUENCE {
172 name-type [0] NameType, -- Int32,
173 name-string [1] SEQUENCE OF KerberosString
174 }
176 NameType ::= Int32
178 KerberosTime ::= GeneralizedTime -- with no fractional seconds
180 HostAddress ::= SEQUENCE {
181 addr-type [0] Int32,
182 address [1] OCTET STRING
183 }
185 -- NOTE: HostAddresses is always used as an OPTIONAL field and
186 -- should not be empty.
187 HostAddresses -- NOTE: subtly different from rfc1510,
188 -- but has a value mapping and encodes the same
189 ::= SEQUENCE OF HostAddress
191 -- NOTE: AuthorizationData is always used as an OPTIONAL field and
192 -- should not be empty.
193 AuthorizationData ::= SEQUENCE OF SEQUENCE {
194 ad-type [0] AuthDataType, -- Int32,
195 ad-data [1] OCTET STRING
196 }
198 AuthDataType ::= Int32
200 PA-DATA ::= SEQUENCE {
201 -- NOTE: first tag is [1], not [0]
202 padata-type [1] PADataType, -- Int32
203 padata-value [2] OCTET STRING -- might be encoded AP-REQ
204 }
206 PADataType ::= Int32
208 --
209 -- asn1ate doesn't support 'MAX' nor a lower range != 1.
210 -- We'll use a custom enodeValue() hooks for BitString
211 -- in order to encode them with at least 32-Bit.
212 --
213 -- KerberosFlags ::= BIT STRING (SIZE (32..MAX))
214 KerberosFlags ::= BIT STRING (SIZE (1..32))
215 -- minimum number of bits shall be sent,
216 -- but no fewer than 32
218 EncryptedData ::= SEQUENCE {
219 etype [0] EncryptionType, --Int32 EncryptionType --
220 kvno [1] Int32 OPTIONAL,
221 cipher [2] OCTET STRING -- ciphertext
222 }
224 EncryptionKey ::= SEQUENCE {
225 keytype [0] EncryptionType, -- Int32 actually encryption type --
226 keyvalue [1] OCTET STRING
227 }
229 Checksum ::= SEQUENCE {
230 cksumtype [0] ChecksumType, -- Int32,
231 checksum [1] OCTET STRING
232 }
234 ChecksumType ::= Int32
236 Ticket ::= [APPLICATION 1] SEQUENCE {
237 tkt-vno [0] INTEGER (5),
238 realm [1] Realm,
239 sname [2] PrincipalName,
240 enc-part [3] EncryptedData -- EncTicketPart
241 }
243 -- Encrypted part of ticket
244 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
245 flags [0] TicketFlags,
246 key [1] EncryptionKey,
247 crealm [2] Realm,
248 cname [3] PrincipalName,
249 transited [4] TransitedEncoding,
250 authtime [5] KerberosTime,
251 starttime [6] KerberosTime OPTIONAL,
252 endtime [7] KerberosTime,
253 renew-till [8] KerberosTime OPTIONAL,
254 caddr [9] HostAddresses OPTIONAL,
255 authorization-data [10] AuthorizationData OPTIONAL
256 }
258 -- encoded Transited field
259 TransitedEncoding ::= SEQUENCE {
260 tr-type [0] Int32 -- must be registered --,
261 contents [1] OCTET STRING
262 }
264 TicketFlags ::= KerberosFlags
265 -- reserved(0),
266 -- forwardable(1),
267 -- forwarded(2),
268 -- proxiable(3),
269 -- proxy(4),
270 -- may-postdate(5),
271 -- postdated(6),
272 -- invalid(7),
273 -- renewable(8),
274 -- initial(9),
275 -- pre-authent(10),
276 -- hw-authent(11),
277 -- the following are new since 1510
278 -- transited-policy-checked(12),
279 -- ok-as-delegate(13)
280 -- enc-pa-rep(15)
282 AS-REQ ::= [APPLICATION 10] KDC-REQ
284 TGS-REQ ::= [APPLICATION 12] KDC-REQ
286 KDC-REQ ::= SEQUENCE {
287 -- NOTE: first tag is [1], not [0]
288 pvno [1] INTEGER (5) ,
289 msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
290 padata [3] SEQUENCE OF PA-DATA OPTIONAL
291 -- NOTE: not empty --,
292 req-body [4] KDC-REQ-BODY
293 }
295 KDC-REQ-BODY ::= SEQUENCE {
296 kdc-options [0] KDCOptions,
297 cname [1] PrincipalName OPTIONAL
298 -- Used only in AS-REQ --,
299 realm [2] Realm
300 -- Server's realm
301 -- Also client's in AS-REQ --,
302 sname [3] PrincipalName OPTIONAL,
303 from [4] KerberosTime OPTIONAL,
304 till [5] KerberosTime,
305 rtime [6] KerberosTime OPTIONAL,
306 nonce [7] UInt32,
307 etype [8] SEQUENCE OF EncryptionType -- Int32 - EncryptionType
308 -- in preference order --,
309 addresses [9] HostAddresses OPTIONAL,
310 enc-authorization-data [10] EncryptedData OPTIONAL
311 -- AuthorizationData --,
312 additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
313 -- NOTE: not empty
314 }
316 EncryptionType ::= Int32
318 KDCOptions ::= KerberosFlags
319 -- reserved(0),
320 -- forwardable(1),
321 -- forwarded(2),
322 -- proxiable(3),
323 -- proxy(4),
324 -- allow-postdate(5),
325 -- postdated(6),
326 -- unused7(7),
327 -- renewable(8),
328 -- unused9(9),
329 -- unused10(10),
330 -- opt-hardware-auth(11),
331 -- unused12(12),
332 -- unused13(13),
333 -- Canonicalize is used in RFC 6806
334 -- canonicalize(15),
335 -- 26 was unused in 1510
336 -- disable-transited-check(26),
337 --
338 -- renewable-ok(27),
339 -- enc-tkt-in-skey(28),
340 -- renew(30),
341 -- validate(31)
343 AS-REP ::= [APPLICATION 11] KDC-REP
345 TGS-REP ::= [APPLICATION 13] KDC-REP
347 KDC-REP ::= SEQUENCE {
348 pvno [0] INTEGER (5),
349 msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
350 padata [2] SEQUENCE OF PA-DATA OPTIONAL
351 -- NOTE: not empty --,
352 crealm [3] Realm,
353 cname [4] PrincipalName,
354 ticket [5] Ticket,
355 enc-part [6] EncryptedData
356 -- EncASRepPart or EncTGSRepPart,
357 -- as appropriate
358 }
360 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
362 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
364 EncKDCRepPart ::= SEQUENCE {
365 key [0] EncryptionKey,
366 last-req [1] LastReq,
367 nonce [2] UInt32,
368 key-expiration [3] KerberosTime OPTIONAL,
369 flags [4] TicketFlags,
370 authtime [5] KerberosTime,
371 starttime [6] KerberosTime OPTIONAL,
372 endtime [7] KerberosTime,
373 renew-till [8] KerberosTime OPTIONAL,
374 srealm [9] Realm,
375 sname [10] PrincipalName,
376 caddr [11] HostAddresses OPTIONAL,
377 encrypted-pa-data[12] METHOD-DATA OPTIONAL
378 }
380 LastReq ::= SEQUENCE OF SEQUENCE {
381 lr-type [0] Int32,
382 lr-value [1] KerberosTime
383 }
385 AP-REQ ::= [APPLICATION 14] SEQUENCE {
386 pvno [0] INTEGER (5),
387 msg-type [1] INTEGER (14),
388 ap-options [2] APOptions,
389 ticket [3] Ticket,
390 authenticator [4] EncryptedData -- Authenticator
391 }
393 APOptions ::= KerberosFlags
394 -- reserved(0),
395 -- use-session-key(1),
396 -- mutual-required(2)
398 -- Unencrypted authenticator
399 Authenticator ::= [APPLICATION 2] SEQUENCE {
400 authenticator-vno [0] INTEGER (5),
401 crealm [1] Realm,
402 cname [2] PrincipalName,
403 cksum [3] Checksum OPTIONAL,
404 cusec [4] Microseconds,
405 ctime [5] KerberosTime,
406 subkey [6] EncryptionKey OPTIONAL,
407 seq-number [7] UInt32 OPTIONAL,
408 authorization-data [8] AuthorizationData OPTIONAL
409 }
411 AP-REP ::= [APPLICATION 15] SEQUENCE {
412 pvno [0] INTEGER (5),
413 msg-type [1] INTEGER (15),
414 enc-part [2] EncryptedData -- EncAPRepPart
415 }
417 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
418 ctime [0] KerberosTime,
419 cusec [1] Microseconds,
420 subkey [2] EncryptionKey OPTIONAL,
421 seq-number [3] UInt32 OPTIONAL
422 }
424 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
425 pvno [0] INTEGER (5),
426 msg-type [1] INTEGER (20),
427 safe-body [2] KRB-SAFE-BODY,
428 cksum [3] Checksum
429 }
431 KRB-SAFE-BODY ::= SEQUENCE {
432 user-data [0] OCTET STRING,
433 timestamp [1] KerberosTime OPTIONAL,
434 usec [2] Microseconds OPTIONAL,
435 seq-number [3] UInt32 OPTIONAL,
436 s-address [4] HostAddress,
437 r-address [5] HostAddress OPTIONAL
438 }
440 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
441 pvno [0] INTEGER (5),
442 msg-type [1] INTEGER (21),
443 -- NOTE: there is no [2] tag
444 enc-part [3] EncryptedData -- EncKrbPrivPart
445 }
447 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
448 user-data [0] OCTET STRING,
449 timestamp [1] KerberosTime OPTIONAL,
450 usec [2] Microseconds OPTIONAL,
451 seq-number [3] UInt32 OPTIONAL,
452 s-address [4] HostAddress -- sender's addr --,
453 r-address [5] HostAddress OPTIONAL -- recip's addr
454 }
456 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
457 pvno [0] INTEGER (5),
458 msg-type [1] INTEGER (22),
459 tickets [2] SEQUENCE OF Ticket,
460 enc-part [3] EncryptedData -- EncKrbCredPart
461 }
463 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
464 ticket-info [0] SEQUENCE OF KrbCredInfo,
465 nonce [1] UInt32 OPTIONAL,
466 timestamp [2] KerberosTime OPTIONAL,
467 usec [3] Microseconds OPTIONAL,
468 s-address [4] HostAddress OPTIONAL,
469 r-address [5] HostAddress OPTIONAL
470 }
472 KrbCredInfo ::= SEQUENCE {
473 key [0] EncryptionKey,
474 prealm [1] Realm OPTIONAL,
475 pname [2] PrincipalName OPTIONAL,
476 flags [3] TicketFlags OPTIONAL,
477 authtime [4] KerberosTime OPTIONAL,
478 starttime [5] KerberosTime OPTIONAL,
479 endtime [6] KerberosTime OPTIONAL,
480 renew-till [7] KerberosTime OPTIONAL,
481 srealm [8] Realm OPTIONAL,
482 sname [9] PrincipalName OPTIONAL,
483 caddr [10] HostAddresses OPTIONAL
484 }
486 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
487 pvno [0] INTEGER (5),
488 msg-type [1] INTEGER (30),
489 ctime [2] KerberosTime OPTIONAL,
490 cusec [3] Microseconds OPTIONAL,
491 stime [4] KerberosTime,
492 susec [5] Microseconds,
493 error-code [6] Int32,
494 crealm [7] Realm OPTIONAL,
495 cname [8] PrincipalName OPTIONAL,
496 realm [9] Realm -- service realm --,
497 sname [10] PrincipalName -- service name --,
498 e-text [11] KerberosString OPTIONAL,
499 e-data [12] OCTET STRING OPTIONAL
500 }
502 METHOD-DATA ::= SEQUENCE OF PA-DATA
504 --
505 -- asn1ate doesn't support 'MAX'
506 --
507 -- TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
508 TYPED-DATA ::= SEQUENCE SIZE (1..256) OF SEQUENCE {
509 data-type [0] Int32,
510 data-value [1] OCTET STRING OPTIONAL
511 }
513 -- preauth stuff follows
515 PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
517 PA-ENC-TS-ENC ::= SEQUENCE {
518 patimestamp [0] KerberosTime -- client's time --,
519 pausec [1] Microseconds OPTIONAL
520 }
522 ETYPE-INFO-ENTRY ::= SEQUENCE {
523 etype [0] EncryptionType, --Int32 EncryptionType --
524 salt [1] OCTET STRING OPTIONAL
525 }
527 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
529 ETYPE-INFO2-ENTRY ::= SEQUENCE {
530 etype [0] EncryptionType, --Int32 EncryptionType --
531 salt [1] KerberosString OPTIONAL,
532 s2kparams [2] OCTET STRING OPTIONAL
533 }
535 ETYPE-INFO2 ::= SEQUENCE SIZE (1..256) OF ETYPE-INFO2-ENTRY
537 AD-IF-RELEVANT ::= AuthorizationData
539 AD-KDCIssued ::= SEQUENCE {
540 ad-checksum [0] Checksum,
541 i-realm [1] Realm OPTIONAL,
542 i-sname [2] PrincipalName OPTIONAL,
543 elements [3] AuthorizationData
544 }
546 AD-AND-OR ::= SEQUENCE {
547 condition-count [0] Int32,
548 elements [1] AuthorizationData
549 }
551 AD-MANDATORY-FOR-KDC ::= AuthorizationData
553 -- S4U
555 PA-S4U2Self ::= SEQUENCE {
556 name [0] PrincipalName,
557 realm [1] Realm,
558 cksum [2] Checksum,
559 auth [3] KerberosString
560 }
562 -- PK-INIT
564 -- (from RFC 1422)
566 -- asn1ate doesn’t support ‘SIGNED’.
567 -- CertificateRevocationList ::= SIGNED SEQUENCE {
568 CertificateRevocationList ::= SEQUENCE {
569 signature AlgorithmIdentifier,
570 issuer Name,
571 lastUpdate UTCTime,
572 nextUpdate UTCTime,
573 revokedCertificates
574 SEQUENCE OF CRLEntry OPTIONAL
575 }
577 CRLEntry ::= SEQUENCE{
578 userCertificate SerialNumber,
579 revocationDate UTCTime
580 }
582 -- Not actually defined in an RFC.
583 SerialNumber ::= INTEGER
585 -- (from RFC 2315)
587 SignedData-RFC2315 ::= SEQUENCE {
588 version Version-RFC2315,
589 digestAlgorithms DigestAlgorithmIdentifiers,
590 contentInfo ContentInfo,
591 certificates [0] IMPLICIT CertificateSet OPTIONAL,
592 crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
593 signerInfos SignerInfos
594 }
596 Version-RFC2315 ::= INTEGER
598 ContentInfo ::= SEQUENCE {
599 contentType ContentType,
600 content
601 [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
602 }
604 ExtendedCertificatesAndCertificates ::=
605 SET OF ExtendedCertificateOrCertificate
607 ExtendedCertificateOrCertificate ::= CHOICE {
608 certificate Certificate, -- X.509
609 extendedCertificate [0] IMPLICIT ExtendedCertificate
610 }
612 CertificateRevocationLists ::=
613 SET OF CertificateRevocationList
615 -- (from RFC 3279)
617 DomainParameters ::= SEQUENCE {
618 p INTEGER, -- odd prime, p=jq +1
619 g INTEGER, -- generator, g
620 -- Note: RFC 3279 does not mention that ‘q’ is optional.
621 q INTEGER OPTIONAL, -- factor of p-1
622 j INTEGER OPTIONAL, -- subgroup factor
623 validationParms ValidationParms OPTIONAL
624 }
626 ValidationParms ::= SEQUENCE {
627 seed BIT STRING,
628 pgenCounter INTEGER
629 }
631 DHPublicKey ::= INTEGER -- public key, y = g^x mod p
633 dhpublicnumber OBJECT IDENTIFIER ::= {
634 iso(1) member-body(2)
635 us(840) ansi-x942(10046) number-type(2) 1
636 }
638 md2 OBJECT IDENTIFIER ::= {
639 iso(1) member-body(2) us(840) rsadsi(113549)
640 digestAlgorithm(2) 2
641 }
643 md5 OBJECT IDENTIFIER ::= {
644 iso(1) member-body(2) us(840) rsadsi(113549)
645 digestAlgorithm(2) 5
646 }
648 id-sha1 OBJECT IDENTIFIER ::= {
649 iso(1) identified-organization(3) oiw(14) secsig(3)
650 algorithms(2) 26
651 }
653 -- (from RFC 3281)
655 AttributeCertificate ::= SEQUENCE {
656 acinfo AttributeCertificateInfo,
657 signatureAlgorithm AlgorithmIdentifier,
658 signatureValue BIT STRING
659 }
661 AttributeCertificateInfo ::= SEQUENCE {
662 version AttCertVersion, -- version is v2
663 holder Holder,
664 issuer AttCertIssuer,
665 signature AlgorithmIdentifier,
666 serialNumber CertificateSerialNumber,
667 attrCertValidityPeriod AttCertValidityPeriod,
668 attributes SEQUENCE OF Attribute,
669 issuerUniqueID UniqueIdentifier OPTIONAL,
670 extensions Extensions OPTIONAL
671 }
673 AttCertVersion ::= INTEGER { v2(1) }
675 Holder ::= SEQUENCE {
676 baseCertificateID [0] IssuerSerial OPTIONAL,
677 entityName [1] GeneralNames OPTIONAL,
678 objectDigestInfo [2] ObjectDigestInfo OPTIONAL
679 }
681 ObjectDigestInfo ::= SEQUENCE {
682 digestedObjectType ENUMERATED {
683 publicKey (0),
684 publicKeyCert (1),
685 otherObjectTypes (2)
686 },
687 -- otherObjectTypes MUST NOT
688 -- be used in this profile
689 otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
690 digestAlgorithm AlgorithmIdentifier,
691 objectDigest BIT STRING
692 }
694 -- (from RFC 3370)
696 sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
697 iso(1)
698 member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5
699 }
701 -- (from RFC 4556)
703 id-pkinit OBJECT IDENTIFIER ::= {
704 iso(1) identified-organization(3) dod(6) internet(1)
705 security(5) kerberosv5(2) pkinit (3)
706 }
708 id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 }
710 id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 }
712 id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 }
714 PA-PK-AS-REQ ::= SEQUENCE {
715 signedAuthPack [0] IMPLICIT OCTET STRING,
716 trustedCertifiers [1] SEQUENCE OF
717 ExternalPrincipalIdentifier OPTIONAL,
718 kdcPkId [2] IMPLICIT OCTET STRING
719 OPTIONAL,
720 ...
721 }
723 DHNonce ::= OCTET STRING
725 ExternalPrincipalIdentifier ::= SEQUENCE {
726 subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
727 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
728 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
729 ...
730 }
732 AuthPack ::= SEQUENCE {
733 pkAuthenticator [0] PKAuthenticator,
734 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
735 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
736 OPTIONAL,
737 clientDHNonce [3] DHNonce OPTIONAL,
738 ...
739 }
741 PKAuthenticator ::= SEQUENCE {
742 cusec [0] INTEGER (0..999999),
743 ctime [1] KerberosTime,
744 nonce [2] INTEGER (0..4294967295),
745 paChecksum [3] OCTET STRING OPTIONAL,
746 freshnessToken [4] OCTET STRING OPTIONAL,
747 ...
748 }
750 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF ExternalPrincipalIdentifier
751 TD-INVALID-CERTIFICATES ::= SEQUENCE OF ExternalPrincipalIdentifier
753 KRB5PrincipalName ::= SEQUENCE {
754 realm [0] Realm,
755 principalName [1] PrincipalName
756 }
758 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier
760 PA-PK-AS-REP ::= CHOICE {
761 dhInfo [0] DHRepInfo,
762 encKeyPack [1] IMPLICIT OCTET STRING,
763 ...
764 }
766 DHRepInfo ::= SEQUENCE {
767 dhSignedData [0] IMPLICIT OCTET STRING,
768 serverDHNonce [1] DHNonce OPTIONAL,
769 ...
770 }
772 KDCDHKeyInfo ::= SEQUENCE {
773 subjectPublicKey [0] BIT STRING,
774 nonce [1] INTEGER (0..4294967295),
775 dhKeyExpiration [2] KerberosTime OPTIONAL,
776 ...
777 }
779 ReplyKeyPack ::= SEQUENCE {
780 replyKey [0] EncryptionKey,
781 asChecksum [1] Checksum,
782 ...
783 }
785 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
787 -- (from RFC 5755)
789 Attribute ::= SEQUENCE {
790 type AttributeType,
791 values SET OF AttributeValue
792 -- at least one value is required
793 }
795 AttCertIssuer ::= CHOICE {
796 v1Form GeneralNames, -- MUST NOT be used in this
797 -- profile
798 v2Form [0] V2Form -- v2 only
799 }
801 V2Form ::= SEQUENCE {
802 issuerName GeneralNames OPTIONAL,
803 baseCertificateID [0] IssuerSerial OPTIONAL,
804 objectDigestInfo [1] ObjectDigestInfo OPTIONAL
805 -- issuerName MUST be present in this profile
806 -- baseCertificateID and objectDigestInfo MUST NOT
807 -- be present in this profile
808 }
810 IssuerSerial ::= SEQUENCE {
811 issuer GeneralNames,
812 serial CertificateSerialNumber,
813 issuerUID UniqueIdentifier OPTIONAL
814 }
816 AttCertValidityPeriod ::= SEQUENCE {
817 notBeforeTime GeneralizedTime,
818 notAfterTime GeneralizedTime
819 }
821 -- (from RFC 5280)
823 id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
825 id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
827 SubjectAltName ::= GeneralNames
829 --
830 -- asn1ate doesn’t support ‘MAX’.
831 --
832 -- GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
833 GeneralNames ::= SEQUENCE SIZE (1..256) OF GeneralName
835 GeneralName ::= CHOICE {
836 otherName [0] OtherName,
837 rfc822Name [1] IA5String,
838 dNSName [2] IA5String,
839 x400Address [3] ORAddress,
840 directoryName [4] Name,
841 ediPartyName [5] EDIPartyName,
842 uniformResourceIdentifier [6] IA5String,
843 iPAddress [7] OCTET STRING,
844 registeredID [8] OBJECT IDENTIFIER
845 }
847 OtherName ::= SEQUENCE {
848 type-id OBJECT IDENTIFIER,
849 value [0] EXPLICIT ANY DEFINED BY type-id
850 }
852 EDIPartyName ::= SEQUENCE {
853 nameAssigner [0] DirectoryString OPTIONAL,
854 partyName [1] DirectoryString
855 }
857 Name ::= CHOICE { -- only one possibility for now --
858 rdnSequence RDNSequence
859 }
861 DirectoryString ::= CHOICE {
862 --
863 -- asn1ate doesn’t support ‘MAX’.
864 --
865 -- teletexString TeletexString (SIZE (1..MAX)),
866 -- printableString PrintableString (SIZE (1..MAX)),
867 -- universalString UniversalString (SIZE (1..MAX)),
868 -- utf8String UTF8String (SIZE (1..MAX)),
869 -- bmpString BMPString (SIZE (1..MAX))
870 teletexString TeletexString (SIZE (1..256)),
871 printableString PrintableString (SIZE (1..256)),
872 universalString UniversalString (SIZE (1..256)),
873 utf8String UTF8String (SIZE (1..256)),
874 bmpString BMPString (SIZE (1..256))
875 }
877 Certificate ::= SEQUENCE {
878 tbsCertificate TBSCertificate,
879 signatureAlgorithm AlgorithmIdentifier,
880 signatureValue BIT STRING
881 }
883 TBSCertificate ::= SEQUENCE {
884 --
885 -- asn1ate doesn’t support ‘v1’.
886 --
887 -- version [0] EXPLICIT Version DEFAULT v1,
888 version [0] EXPLICIT Version DEFAULT 1,
889 serialNumber CertificateSerialNumber,
890 signature AlgorithmIdentifier,
891 issuer Name,
892 validity Validity,
893 subject Name,
894 subjectPublicKeyInfo SubjectPublicKeyInfo,
895 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
896 -- If present, version MUST be v2 or v3
897 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
898 -- If present, version MUST be v2 or v3
899 extensions [3] EXPLICIT Extensions OPTIONAL
900 -- If present, version MUST be v3
901 }
903 Version ::= INTEGER { v1(0), v2(1), v3(2) }
905 CertificateSerialNumber ::= INTEGER
907 Validity ::= SEQUENCE {
908 notBefore Time,
909 notAfter Time
910 }
912 Time ::= CHOICE {
913 utcTime UTCTime,
914 generalTime GeneralizedTime
915 }
917 UniqueIdentifier ::= BIT STRING
919 AlgorithmIdentifier ::= SEQUENCE {
920 algorithm OBJECT IDENTIFIER,
921 parameters ANY DEFINED BY algorithm OPTIONAL
922 }
924 SubjectPublicKeyInfo ::= SEQUENCE {
925 algorithm AlgorithmIdentifier,
926 subjectPublicKey BIT STRING
927 }
929 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
931 ORAddress ::= SEQUENCE {
932 built-in-standard-attributes BuiltInStandardAttributes,
933 built-in-domain-defined-attributes
934 BuiltInDomainDefinedAttributes OPTIONAL,
935 -- see also teletex-domain-defined-attributes
936 extension-attributes ExtensionAttributes OPTIONAL
937 }
939 BuiltInStandardAttributes ::= SEQUENCE {
940 country-name CountryName OPTIONAL,
941 administration-domain-name AdministrationDomainName OPTIONAL,
942 network-address [0] IMPLICIT NetworkAddress OPTIONAL,
943 -- see also extended-network-address
944 terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL,
945 private-domain-name [2] PrivateDomainName OPTIONAL,
946 organization-name [3] IMPLICIT OrganizationName OPTIONAL,
947 -- see also teletex-organization-name
948 numeric-user-identifier [4] IMPLICIT NumericUserIdentifier
949 OPTIONAL,
950 personal-name [5] IMPLICIT PersonalName OPTIONAL,
951 -- see also teletex-personal-name
952 organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
953 OPTIONAL
954 -- see also teletex-organizational-unit-names
955 }
957 CountryName ::= [APPLICATION 1] CHOICE {
958 x121-dcc-code NumericString
959 (SIZE (ub-country-name-numeric-length)),
960 iso-3166-alpha2-code PrintableString
961 (SIZE (ub-country-name-alpha-length))
962 }
964 AdministrationDomainName ::= [APPLICATION 2] CHOICE {
965 numeric NumericString (SIZE (0..ub-domain-name-length)),
966 printable PrintableString (SIZE (0..ub-domain-name-length))
967 }
969 NetworkAddress ::= X121Address -- see also extended-network-address
971 X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
973 TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
975 PrivateDomainName ::= CHOICE {
976 numeric NumericString (SIZE (1..ub-domain-name-length)),
977 printable PrintableString (SIZE (1..ub-domain-name-length))
978 }
980 OrganizationName ::= PrintableString
981 (SIZE (1..ub-organization-name-length))
982 -- see also teletex-organization-name
984 NumericUserIdentifier ::= NumericString
985 (SIZE (1..ub-numeric-user-id-length))
987 PersonalName ::= SET {
988 surname [0] IMPLICIT PrintableString
989 (SIZE (1..ub-surname-length)),
990 given-name [1] IMPLICIT PrintableString
991 (SIZE (1..ub-given-name-length)) OPTIONAL,
992 initials [2] IMPLICIT PrintableString
993 (SIZE (1..ub-initials-length)) OPTIONAL,
994 generation-qualifier [3] IMPLICIT PrintableString
995 (SIZE (1..ub-generation-qualifier-length))
996 OPTIONAL
997 }
998 -- see also teletex-personal-name
1000 OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
1001 OF OrganizationalUnitName
1002 -- see also teletex-organizational-unit-names
1004 OrganizationalUnitName ::= PrintableString (SIZE
1005 (1..ub-organizational-unit-name-length))
1007 BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
1008 (1..ub-domain-defined-attributes) OF
1009 BuiltInDomainDefinedAttribute
1011 BuiltInDomainDefinedAttribute ::= SEQUENCE {
1012 type PrintableString (SIZE
1013 (1..ub-domain-defined-attribute-type-length)),
1014 value PrintableString (SIZE
1015 (1..ub-domain-defined-attribute-value-length))
1016 }
1018 ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
1019 ExtensionAttribute
1021 ExtensionAttribute ::= SEQUENCE {
1022 extension-attribute-type [0] IMPLICIT INTEGER
1023 (0..ub-extension-attributes),
1024 extension-attribute-value [1]
1025 ANY DEFINED BY extension-attribute-type
1026 }
1028 --
1029 -- asn1ate doesn’t support ‘MAX’.
1030 --
1031 -- Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
1032 Extensions ::= SEQUENCE SIZE (1..256) OF Extension
1034 Extension ::= SEQUENCE {
1035 extnID OBJECT IDENTIFIER,
1036 critical BOOLEAN DEFAULT FALSE,
1037 extnValue OCTET STRING
1038 -- contains the DER encoding of an ASN.1 value
1039 -- corresponding to the extension type identified
1040 -- by extnID
1041 }
1043 CertificateList ::= SEQUENCE {
1044 tbsCertList TBSCertList,
1045 signatureAlgorithm AlgorithmIdentifier,
1046 signatureValue BIT STRING
1047 }
1049 TBSCertList ::= SEQUENCE {
1050 version Version OPTIONAL,
1051 -- if present, MUST be v2
1052 signature AlgorithmIdentifier,
1053 issuer Name,
1054 thisUpdate Time,
1055 nextUpdate Time OPTIONAL,
1056 revokedCertificates SEQUENCE OF SEQUENCE {
1057 userCertificate CertificateSerialNumber,
1058 revocationDate Time,
1059 crlEntryExtensions Extensions OPTIONAL
1060 -- if present, version MUST be v2
1061 } OPTIONAL,
1062 crlExtensions [0] EXPLICIT Extensions OPTIONAL
1063 -- if present, version MUST be v2
1064 }
1066 ub-name INTEGER ::= 32768
1067 ub-common-name INTEGER ::= 64
1068 ub-locality-name INTEGER ::= 128
1069 ub-state-name INTEGER ::= 128
1070 ub-organization-name INTEGER ::= 64
1071 ub-organizational-unit-name INTEGER ::= 64
1072 ub-title INTEGER ::= 64
1073 ub-serial-number INTEGER ::= 64
1074 ub-match INTEGER ::= 128
1075 ub-emailaddress-length INTEGER ::= 255
1076 ub-common-name-length INTEGER ::= 64
1077 ub-country-name-alpha-length INTEGER ::= 2
1078 ub-country-name-numeric-length INTEGER ::= 3
1079 ub-domain-defined-attributes INTEGER ::= 4
1080 ub-domain-defined-attribute-type-length INTEGER ::= 8
1081 ub-domain-defined-attribute-value-length INTEGER ::= 128
1082 ub-domain-name-length INTEGER ::= 16
1083 ub-extension-attributes INTEGER ::= 256
1084 ub-e163-4-number-length INTEGER ::= 15
1085 ub-e163-4-sub-address-length INTEGER ::= 40
1086 ub-generation-qualifier-length INTEGER ::= 3
1087 ub-given-name-length INTEGER ::= 16
1088 ub-initials-length INTEGER ::= 5
1089 ub-integer-options INTEGER ::= 256
1090 ub-numeric-user-id-length INTEGER ::= 32
1091 ub-organization-name-length INTEGER ::= 64
1092 ub-organizational-unit-name-length INTEGER ::= 32
1093 ub-organizational-units INTEGER ::= 4
1094 ub-pds-name-length INTEGER ::= 16
1095 ub-pds-parameter-length INTEGER ::= 30
1096 ub-pds-physical-address-lines INTEGER ::= 6
1097 ub-postal-code-length INTEGER ::= 16
1098 ub-pseudonym INTEGER ::= 128
1099 ub-surname-length INTEGER ::= 40
1100 ub-terminal-id-length INTEGER ::= 24
1101 ub-unformatted-address-length INTEGER ::= 180
1102 ub-x121-address-length INTEGER ::= 16
1104 --
1105 -- asn1ate doesn’t support ‘MAX’.
1106 --
1107 -- RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
1108 RelativeDistinguishedName ::= SET SIZE (1..256) OF AttributeTypeAndValue
1110 AttributeTypeAndValue ::= SEQUENCE {
1111 type AttributeType,
1112 value AttributeValue
1113 }
1115 AttributeType ::= OBJECT IDENTIFIER
1117 AttributeValue ::= ANY -- DEFINED BY AttributeType
1119 -- (from RFC 5652)
1121 ContentType ::= OBJECT IDENTIFIER
1123 RevocationInfoChoices ::= SET OF RevocationInfoChoice
1125 RevocationInfoChoice ::= CHOICE {
1126 crl CertificateList,
1127 other [1] IMPLICIT OtherRevocationInfoFormat
1128 }
1130 OtherRevocationInfoFormat ::= SEQUENCE {
1131 otherRevInfoFormat OBJECT IDENTIFIER,
1132 otherRevInfo ANY DEFINED BY otherRevInfoFormat
1133 }
1135 AttributeCertificateV1 ::= SEQUENCE {
1136 acInfo AttributeCertificateInfoV1,
1137 signatureAlgorithm AlgorithmIdentifier,
1138 signature BIT STRING
1139 }
1141 AttributeCertificateInfoV1 ::= SEQUENCE {
1142 --
1143 -- asn1ate doesn’t support ‘v1’.
1144 --
1145 -- version AttCertVersionV1 DEFAULT v1,
1146 version AttCertVersionV1 DEFAULT 1,
1147 subject CHOICE {
1148 baseCertificateID [0] IssuerSerial,
1149 -- associated with a Public Key Certificate
1150 subjectName [1] GeneralNames },
1151 -- associated with a name
1152 issuer GeneralNames,
1153 signature AlgorithmIdentifier,
1154 serialNumber CertificateSerialNumber,
1155 attCertValidityPeriod AttCertValidityPeriod,
1156 attributes SEQUENCE OF Attribute,
1157 issuerUniqueID UniqueIdentifier OPTIONAL,
1158 extensions Extensions OPTIONAL
1159 }
1161 AttCertVersionV1 ::= INTEGER { v1(0) }
1163 ExtendedCertificate ::= SEQUENCE {
1164 extendedCertificateInfo ExtendedCertificateInfo,
1165 signatureAlgorithm SignatureAlgorithmIdentifier,
1166 signature Signature
1167 }
1169 ExtendedCertificateInfo ::= SEQUENCE {
1170 version CMSVersion,
1171 certificate Certificate,
1172 attributes UnauthAttributes
1173 }
1175 CertificateChoices ::= CHOICE {
1176 certificate Certificate,
1177 extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
1178 v1AttrCert [1] IMPLICIT AttributeCertificateV1, -- Obsolete
1179 v2AttrCert [2] IMPLICIT AttributeCertificateV2,
1180 other [3] IMPLICIT OtherCertificateFormat
1181 }
1183 AttributeCertificateV2 ::= AttributeCertificate
1185 OtherCertificateFormat ::= SEQUENCE {
1186 otherCertFormat OBJECT IDENTIFIER,
1187 otherCert ANY DEFINED BY otherCertFormat
1188 }
1190 CertificateSet ::= SET OF CertificateChoices
1192 IssuerAndSerialNumber ::= SEQUENCE {
1193 issuer Name,
1194 serialNumber CertificateSerialNumber
1195 }
1197 CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
1199 SignerInfo ::= SEQUENCE {
1200 version CMSVersion,
1201 sid SignerIdentifier,
1202 digestAlgorithm DigestAlgorithmIdentifier,
1203 signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
1204 signatureAlgorithm SignatureAlgorithmIdentifier,
1205 signature SignatureValue,
1206 unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL
1207 }
1209 SignerIdentifier ::= CHOICE {
1210 issuerAndSerialNumber IssuerAndSerialNumber,
1211 subjectKeyIdentifier [0] SubjectKeyIdentifier
1212 }
1214 SubjectKeyIdentifier ::= OCTET STRING
1216 --
1217 -- asn1ate doesn’t support ‘MAX’.
1218 --
1219 -- SignedAttributes ::= SET SIZE (1..MAX) OF Attribute
1220 SignedAttributes ::= SET SIZE (1..256) OF Attribute
1222 --
1223 -- asn1ate doesn’t support ‘MAX’.
1224 --
1225 -- UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute
1226 UnsignedAttributes ::= SET SIZE (1..256) OF Attribute
1228 Attribute ::= SEQUENCE {
1229 attrType OBJECT IDENTIFIER,
1230 attrValues SET OF AttributeValue
1231 }
1233 AttributeValue ::= ANY
1235 SignatureValue ::= OCTET STRING
1237 SignedData ::= SEQUENCE {
1238 version CMSVersion,
1239 digestAlgorithms DigestAlgorithmIdentifiers,
1240 encapContentInfo EncapsulatedContentInfo,
1241 certificates [0] IMPLICIT CertificateSet OPTIONAL,
1242 crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
1243 signerInfos SignerInfos
1244 }
1246 DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
1248 SignerInfos ::= SET OF SignerInfo
1250 EncapsulatedContentInfo ::= SEQUENCE {
1251 eContentType ContentType,
1252 eContent [0] EXPLICIT OCTET STRING OPTIONAL
1253 }
1255 EnvelopedData ::= SEQUENCE {
1256 version CMSVersion,
1257 originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1258 recipientInfos RecipientInfos,
1259 encryptedContentInfo EncryptedContentInfo,
1260 unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL
1261 }
1263 OriginatorInfo ::= SEQUENCE {
1264 certs [0] IMPLICIT CertificateSet OPTIONAL,
1265 crls [1] IMPLICIT RevocationInfoChoices OPTIONAL
1266 }
1268 --
1269 -- asn1ate doesn't support 'MAX'
1270 --
1271 -- RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
1272 RecipientInfos ::= SET SIZE (1..256) OF RecipientInfo
1274 EncryptedContentInfo ::= SEQUENCE {
1275 contentType ContentType,
1276 contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
1277 encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL
1278 }
1280 EncryptedContent ::= OCTET STRING
1282 --
1283 -- asn1ate doesn't support 'MAX'
1284 --
1285 -- UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
1286 UnprotectedAttributes ::= SET SIZE (1..256) OF Attribute
1288 RecipientInfo ::= CHOICE {
1289 ktri KeyTransRecipientInfo,
1290 kari [1] KeyAgreeRecipientInfo,
1291 kekri [2] KEKRecipientInfo,
1292 pwri [3] PasswordRecipientInfo,
1293 ori [4] OtherRecipientInfo
1294 }
1296 EncryptedKey ::= OCTET STRING
1298 KeyTransRecipientInfo ::= SEQUENCE {
1299 version CMSVersion, -- always set to 0 or 2
1300 rid RecipientIdentifier,
1301 keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1302 encryptedKey EncryptedKey
1303 }
1305 RecipientIdentifier ::= CHOICE {
1306 issuerAndSerialNumber IssuerAndSerialNumber,
1307 subjectKeyIdentifier [0] SubjectKeyIdentifier
1308 }
1310 KeyAgreeRecipientInfo ::= SEQUENCE {
1311 version CMSVersion, -- always set to 3
1312 originator [0] EXPLICIT OriginatorIdentifierOrKey,
1313 ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
1314 keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1315 recipientEncryptedKeys RecipientEncryptedKeys
1316 }
1318 OriginatorIdentifierOrKey ::= CHOICE {
1319 issuerAndSerialNumber IssuerAndSerialNumber,
1320 subjectKeyIdentifier [0] SubjectKeyIdentifier,
1321 originatorKey [1] OriginatorPublicKey
1322 }
1324 OriginatorPublicKey ::= SEQUENCE {
1325 algorithm AlgorithmIdentifier,
1326 publicKey BIT STRING
1327 }
1329 RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
1331 RecipientEncryptedKey ::= SEQUENCE {
1332 rid KeyAgreeRecipientIdentifier,
1333 encryptedKey EncryptedKey
1334 }
1336 KeyAgreeRecipientIdentifier ::= CHOICE {
1337 issuerAndSerialNumber IssuerAndSerialNumber,
1338 rKeyId [0] IMPLICIT RecipientKeyIdentifier
1339 }
1341 RecipientKeyIdentifier ::= SEQUENCE {
1342 subjectKeyIdentifier SubjectKeyIdentifier,
1343 date GeneralizedTime OPTIONAL,
1344 other OtherKeyAttribute OPTIONAL
1345 }
1347 SubjectKeyIdentifier ::= OCTET STRING
1349 KEKRecipientInfo ::= SEQUENCE {
1350 version CMSVersion, -- always set to 4
1351 kekid KEKIdentifier,
1352 keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1353 encryptedKey EncryptedKey
1354 }
1356 KEKIdentifier ::= SEQUENCE {
1357 keyIdentifier OCTET STRING,
1358 date GeneralizedTime OPTIONAL,
1359 other OtherKeyAttribute OPTIONAL
1360 }
1362 PasswordRecipientInfo ::= SEQUENCE {
1363 version CMSVersion, -- always set to 0
1364 keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
1365 OPTIONAL,
1366 keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1367 encryptedKey EncryptedKey
1368 }
1370 OtherRecipientInfo ::= SEQUENCE {
1371 oriType OBJECT IDENTIFIER,
1372 oriValue ANY DEFINED BY oriType
1373 }
1375 UserKeyingMaterial ::= OCTET STRING
1377 OtherKeyAttribute ::= SEQUENCE {
1378 keyAttrId OBJECT IDENTIFIER,
1379 keyAttr ANY DEFINED BY keyAttrId OPTIONAL
1380 }
1382 MessageDigest ::= OCTET STRING
1384 id-data OBJECT IDENTIFIER ::= {
1385 iso(1) member-body(2)
1386 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1
1387 }
1389 id-signedData OBJECT IDENTIFIER ::= {
1390 iso(1) member-body(2)
1391 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2
1392 }
1394 id-envelopedData OBJECT IDENTIFIER ::= {
1395 iso(1) member-body(2)
1396 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3
1397 }
1399 id-contentType OBJECT IDENTIFIER ::= {
1400 iso(1) member-body(2)
1401 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3
1402 }
1404 id-messageDigest OBJECT IDENTIFIER ::= {
1405 iso(1) member-body(2)
1406 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4
1407 }
1409 --
1410 -- asn1ate doesn’t support ‘MAX’.
1411 --
1412 -- UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1413 UnauthAttributes ::= SET SIZE (1..256) OF Attribute
1415 DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1417 SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
1419 KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1421 KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
1423 ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1425 Signature ::= BIT STRING
1427 -- Other PK-INIT definitions
1429 id-pkcs1-sha256WithRSAEncryption OBJECT IDENTIFIER ::= {
1430 iso(1) member-body(2)
1431 us(840) rsadsi(113549) pkcs(1)
1432 label-less(1) label-less(11)
1433 }
1435 MS-UPN-SAN ::= UTF8String
1437 CMSCBCParameter ::= OCTET STRING
1439 -- (from MS-WCCE)
1441 szOID-NTDS-CA-SECURITY-EXT OBJECT IDENTIFIER ::= {
1442 iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
1443 microsoft(311) directory-service(25) 2
1444 }
1446 szOID-NTDS-OBJECTSID OBJECT IDENTIFIER ::= {
1447 iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
1448 microsoft(311) directory-service(25) 2 1
1449 }
1451 -- (from RFC 8017)
1453 rsaEncryption OBJECT IDENTIFIER ::= {
1454 iso(1)
1455 member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1
1456 }
1458 id-sha512 OBJECT IDENTIFIER ::= {
1459 joint-iso-itu-t (2) country (16) us (840) organization (1)
1460 gov (101) csor (3) nistalgorithm (4) hashalgs (2) 3
1461 }
1463 -- (from RFC 8018)
1465 nistAlgorithms OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) country(16)
1466 us(840) organization(1)
1467 gov(101) csor(3) 4}
1469 aes OBJECT IDENTIFIER ::= { nistAlgorithms 1 }
1471 aes256-CBC-PAD OBJECT IDENTIFIER ::= { aes 42 }
1473 rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 113549}
1475 encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}
1477 des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}
1479 -- Windows 2000 PK-INIT definitions
1481 PKAuthenticator-Win2k ::= SEQUENCE {
1482 kdcName [0] PrincipalName,
1483 kdcRealm [1] Realm,
1484 cusec [2] INTEGER (0..4294967295),
1485 ctime [3] KerberosTime,
1486 nonce [4] INTEGER (-2147483648..2147483647)
1487 }
1489 AuthPack-Win2k ::= SEQUENCE {
1490 pkAuthenticator [0] PKAuthenticator-Win2k
1491 }
1493 TrustedCA-Win2k ::= CHOICE {
1494 caName [1] ANY,
1495 issuerAndSerial [2] IssuerAndSerialNumber
1496 }
1498 PA-PK-AS-REQ-Win2k ::= SEQUENCE {
1499 signedAuthPack [0] IMPLICIT OCTET STRING,
1500 trustedCertifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
1501 kdcCert [3] IMPLICIT OCTET STRING OPTIONAL,
1502 encryptionCert [4] IMPLICIT OCTET STRING OPTIONAL,
1503 ...
1504 }
1506 PA-PK-AS-REP-Win2k ::= CHOICE {
1507 dhSignedData [0] IMPLICIT OCTET STRING,
1508 encKeyPack [1] IMPLICIT OCTET STRING
1509 }
1511 ReplyKeyPack-Win2k ::= SEQUENCE {
1512 replyKey [0] EncryptionKey,
1513 nonce [1] INTEGER (-2147483648..2147483647),
1514 ...
1515 }
1517 --
1519 id-pkinit-ms-san OBJECT IDENTIFIER ::= {
1520 iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
1521 microsoft(311) 20 2 3
1522 }
1524 kdc-authentication OBJECT IDENTIFIER ::= { id-pkinit keyPurposeKdc(5) }
1526 smartcard-logon OBJECT IDENTIFIER ::= {
1527 iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
1528 microsoft(311) 20 2 2
1529 }
1531 CMSAttributes ::= SET OF Attribute
1533 --
1534 --
1535 -- MS-KILE Start
1537 KERB-ERROR-DATA ::= SEQUENCE {
1538 data-type [1] KerbErrorDataType,
1539 data-value [2] OCTET STRING OPTIONAL
1540 }
1542 KerbErrorDataType ::= INTEGER
1544 KERB-PA-PAC-REQUEST ::= SEQUENCE {
1545 include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC.
1546 --If FALSE, and PAC present, remove PAC
1547 }
1549 KERB-LOCAL ::= OCTET STRING -- Implementation-specific data which MUST be
1550 -- ignored if Kerberos client is not local.
1552 KERB-AD-RESTRICTION-ENTRY ::= SEQUENCE {
1553 restriction-type [0] Int32,
1554 restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
1555 }
1557 PA-SUPPORTED-ENCTYPES ::= Int32 -- Supported Encryption Types Bit Field --
1559 PACOptionFlags ::= KerberosFlags -- Claims (0)
1560 -- Branch Aware (1)
1561 -- Forward to Full DC (2)
1562 -- Resource Based Constrained Delegation (3)
1563 PA-PAC-OPTIONS ::= SEQUENCE {
1564 options [0] PACOptionFlags
1565 }
1566 -- Note: KerberosFlags ::= BIT STRING (SIZE (32..MAX))
1567 -- minimum number of bits shall be sent, but no fewer than 32
1569 KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type --
1570 KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey
1572 FastOptions ::= BIT STRING {
1573 reserved(0),
1574 hide-client-names(1),
1575 kdc-follow-referrals(16)
1576 }
1578 KrbFastReq ::= SEQUENCE {
1579 fast-options [0] FastOptions,
1580 padata [1] SEQUENCE OF PA-DATA,
1581 req-body [2] KDC-REQ-BODY,
1582 ...
1583 }
1585 KrbFastArmor ::= SEQUENCE {
1586 armor-type [0] Int32,
1587 armor-value [1] OCTET STRING,
1588 ...
1589 }
1591 KrbFastArmoredReq ::= SEQUENCE {
1592 armor [0] KrbFastArmor OPTIONAL,
1593 req-checksum [1] Checksum,
1594 enc-fast-req [2] EncryptedData -- KrbFastReq --
1595 }
1597 PA-FX-FAST-REQUEST ::= CHOICE {
1598 armored-data [0] KrbFastArmoredReq,
1599 ...
1600 }
1602 KrbFastFinished ::= SEQUENCE {
1603 timestamp [0] KerberosTime,
1604 usec [1] Int32,
1605 crealm [2] Realm,
1606 cname [3] PrincipalName,
1607 ticket-checksum [4] Checksum,
1608 ...
1609 }
1611 KrbFastResponse ::= SEQUENCE {
1612 padata [0] SEQUENCE OF PA-DATA,
1613 -- padata typed holes.
1614 strengthen-key [1] EncryptionKey OPTIONAL,
1615 -- This, if present, strengthens the reply key for AS and
1616 -- TGS. MUST be present for TGS.
1617 -- MUST be absent in KRB-ERROR.
1618 finished [2] KrbFastFinished OPTIONAL,
1619 -- Present in AS or TGS reply; absent otherwise.
1620 nonce [3] UInt32,
1621 -- Nonce from the client request.
1622 ...
1623 }
1625 KrbFastArmoredRep ::= SEQUENCE {
1626 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
1627 ...
1628 }
1630 PA-FX-FAST-REPLY ::= CHOICE {
1631 armored-data [0] KrbFastArmoredRep,
1632 ...
1633 }
1635 ChangePasswdDataMS ::= SEQUENCE {
1636 newpasswd [0] OCTET STRING,
1637 targname [1] PrincipalName OPTIONAL,
1638 targrealm [2] Realm OPTIONAL
1639 }
1641 -- MS-KILE End
1642 --
1643 --
1645 --
1646 --
1647 -- prettyPrint values
1648 --
1649 --
1651 NameTypeValues ::= INTEGER { -- Int32
1652 kRB5-NT-UNKNOWN(0), -- Name type not known
1653 kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in
1654 kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt)
1655 kRB5-NT-SRV-HST(3), -- Service with host name as instance
1656 kRB5-NT-SRV-XHST(4), -- Service with host as remaining components
1657 kRB5-NT-UID(5), -- Unique ID
1658 kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
1659 kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
1660 kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
1661 kRB5-NT-WELLKNOWN(11), -- Wellknown
1662 kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
1663 kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
1664 kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
1665 }
1666 NameTypeSequence ::= SEQUENCE {
1667 dummy [0] NameTypeValues
1668 }
1670 TicketFlagsValues ::= BIT STRING { -- KerberosFlags
1671 reserved(0),
1672 forwardable(1),
1673 forwarded(2),
1674 proxiable(3),
1675 proxy(4),
1676 may-postdate(5),
1677 postdated(6),
1678 invalid(7),
1679 renewable(8),
1680 initial(9),
1681 pre-authent(10),
1682 hw-authent(11),
1683 -- the following are new since 1510
1684 transited-policy-checked(12),
1685 ok-as-delegate(13),
1686 enc-pa-rep(15)
1687 }
1688 TicketFlagsSequence ::= SEQUENCE {
1689 dummy [0] TicketFlagsValues
1690 }
1692 KDCOptionsValues ::= BIT STRING { -- KerberosFlags
1693 reserved(0),
1694 forwardable(1),
1695 forwarded(2),
1696 proxiable(3),
1697 proxy(4),
1698 allow-postdate(5),
1699 postdated(6),
1700 unused7(7),
1701 renewable(8),
1702 unused9(9),
1703 unused10(10),
1704 opt-hardware-auth(11),
1705 unused12(12),
1706 unused13(13),
1707 cname-in-addl-tkt(14),
1708 -- Canonicalize is used by RFC 6806
1709 canonicalize(15),
1710 -- 26 was unused in 1510
1711 disable-transited-check(26),
1712 --
1713 renewable-ok(27),
1714 enc-tkt-in-skey(28),
1715 renew(30),
1716 validate(31)
1717 }
1718 KDCOptionsSequence ::= SEQUENCE {
1719 dummy [0] KDCOptionsValues
1720 }
1722 APOptionsValues ::= BIT STRING { -- KerberosFlags
1723 reserved(0),
1724 use-session-key(1),
1725 mutual-required(2)
1726 }
1727 APOptionsSequence ::= SEQUENCE {
1728 dummy [0] APOptionsValues
1729 }
1731 MessageTypeValues ::= INTEGER {
1732 krb-as-req(10), -- Request for initial authentication
1733 krb-as-rep(11), -- Response to KRB_AS_REQ request
1734 krb-tgs-req(12), -- Request for authentication based on TGT
1735 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
1736 krb-ap-req(14), -- application request to server
1737 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
1738 krb-safe(20), -- Safe (checksummed) application message
1739 krb-priv(21), -- Private (encrypted) application message
1740 krb-cred(22), -- Private (encrypted) message to forward credentials
1741 krb-error(30) -- Error response
1742 }
1743 MessageTypeSequence ::= SEQUENCE {
1744 dummy [0] MessageTypeValues
1745 }
1747 PADataTypeValues ::= INTEGER {
1748 kRB5-PADATA-NONE(0),
1749 -- kRB5-PADATA-TGS-REQ(1),
1750 -- kRB5-PADATA-AP-REQ(1),
1751 kRB5-PADATA-KDC-REQ(1),
1752 kRB5-PADATA-ENC-TIMESTAMP(2),
1753 kRB5-PADATA-PW-SALT(3),
1754 kRB5-PADATA-ENC-UNIX-TIME(5),
1755 kRB5-PADATA-SANDIA-SECUREID(6),
1756 kRB5-PADATA-SESAME(7),
1757 kRB5-PADATA-OSF-DCE(8),
1758 kRB5-PADATA-CYBERSAFE-SECUREID(9),
1759 kRB5-PADATA-AFS3-SALT(10),
1760 kRB5-PADATA-ETYPE-INFO(11),
1761 kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
1762 kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
1763 kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
1764 kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
1765 -- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number)
1766 kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
1767 kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
1768 kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
1769 kRB5-PADATA-ETYPE-INFO2(19),
1770 -- kRB5-PADATA-USE-SPECIFIED-KVNO(20),
1771 kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
1772 kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
1773 kRB5-PADATA-GET-FROM-TYPED-DATA(22),
1774 kRB5-PADATA-SAM-ETYPE-INFO(23),
1775 kRB5-PADATA-SERVER-REFERRAL(25),
1776 kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
1777 kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
1778 kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
1779 kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
1780 kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
1781 kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
1782 kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
1783 kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
1784 kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
1785 kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
1786 kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
1787 kRB5-PADATA-FOR-USER(129), -- MS-KILE
1788 kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
1789 kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
1790 kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
1791 -- kRB5-PADATA-PK-AS-09-BINDING(132), - client send this to
1792 -- tell KDC that is supports
1793 -- the asCheckSum in the
1794 -- PK-AS-REP
1795 kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
1796 kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
1797 kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
1798 kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
1799 kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
1800 kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
1801 kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
1802 kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
1803 kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
1804 kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
1805 kRB5-PADATA-EPAK-AS-REQ(145),
1806 kRB5-PADATA-EPAK-AS-REP(146),
1807 kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
1808 kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
1809 kRB5-PADATA-REQ-ENC-PA-REP(149), --
1810 kRB5-PADATA-AS-FRESHNESS(150), -- RFC 8070
1811 kRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
1812 kRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE
1813 kRB5-PADATA-GSS(655) -- gss-preauth
1814 }
1815 PADataTypeSequence ::= SEQUENCE {
1816 dummy [0] PADataTypeValues
1817 }
1819 AuthDataTypeValues ::= INTEGER {
1820 kRB5-AUTHDATA-IF-RELEVANT(1),
1821 kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
1822 kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
1823 kRB5-AUTHDATA-KDC-ISSUED(4),
1824 kRB5-AUTHDATA-AND-OR(5),
1825 kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
1826 kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
1827 kRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
1828 kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
1829 kRB5-AUTHDATA-OSF-DCE(64),
1830 kRB5-AUTHDATA-SESAME(65),
1831 kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
1832 kRB5-AUTHDATA-WIN2K-PAC(128),
1833 kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
1834 kRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
1835 kRB5-AUTHDATA-SIGNTICKET-OLD(142),
1836 kRB5-AUTHDATA-SIGNTICKET(512)
1837 }
1838 AuthDataTypeSequence ::= SEQUENCE {
1839 dummy [0] AuthDataTypeValues
1840 }
1842 ChecksumTypeValues ::= INTEGER {
1843 kRB5-CKSUMTYPE-NONE(0),
1844 kRB5-CKSUMTYPE-CRC32(1),
1845 kRB5-CKSUMTYPE-RSA-MD4(2),
1846 kRB5-CKSUMTYPE-RSA-MD4-DES(3),
1847 kRB5-CKSUMTYPE-DES-MAC(4),
1848 kRB5-CKSUMTYPE-DES-MAC-K(5),
1849 kRB5-CKSUMTYPE-RSA-MD4-DES-K(6),
1850 kRB5-CKSUMTYPE-RSA-MD5(7),
1851 kRB5-CKSUMTYPE-RSA-MD5-DES(8),
1852 kRB5-CKSUMTYPE-RSA-MD5-DES3(9),
1853 kRB5-CKSUMTYPE-SHA1-OTHER(10),
1854 kRB5-CKSUMTYPE-HMAC-SHA1-DES3(12),
1855 kRB5-CKSUMTYPE-SHA1(14),
1856 kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128(15),
1857 kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256(16),
1858 kRB5-CKSUMTYPE-GSSAPI(32771), -- 0x8003
1859 kRB5-CKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number
1860 kRB5-CKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
1861 }
1862 ChecksumTypeSequence ::= SEQUENCE {
1863 dummy [0] ChecksumTypeValues
1864 }
1866 EncryptionTypeValues ::= INTEGER {
1867 kRB5-ENCTYPE-NULL(0),
1868 kRB5-ENCTYPE-DES-CBC-CRC(1),
1869 kRB5-ENCTYPE-DES-CBC-MD4(2),
1870 kRB5-ENCTYPE-DES-CBC-MD5(3),
1871 kRB5-ENCTYPE-DES3-CBC-MD5(5),
1872 kRB5-ENCTYPE-OLD-DES3-CBC-SHA1(7),
1873 kRB5-ENCTYPE-SIGN-DSA-GENERATE(8),
1874 kRB5-ENCTYPE-ENCRYPT-RSA-PRIV(9),
1875 kRB5-ENCTYPE-ENCRYPT-RSA-PUB(10),
1876 kRB5-ENCTYPE-DES3-CBC-SHA1(16), -- with key derivation
1877 kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96(17),
1878 kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96(18),
1879 kRB5-ENCTYPE-ARCFOUR-HMAC-MD5(23),
1880 kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56(24),
1881 kRB5-ENCTYPE-ENCTYPE-PK-CROSS(48),
1882 -- some "old" windows types
1883 kRB5-ENCTYPE-ARCFOUR-MD4(-128),
1884 kRB5-ENCTYPE-ARCFOUR-HMAC-OLD(-133),
1885 kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
1886 -- these are for Heimdal internal use
1887 -- kRB5-ENCTYPE-DES-CBC-NONE(-0x1000),
1888 -- kRB5-ENCTYPE-DES3-CBC-NONE(-0x1001),
1889 -- kRB5-ENCTYPE-DES-CFB64-NONE(-0x1002),
1890 -- kRB5-ENCTYPE-DES-PCBC-NONE(-0x1003),
1891 -- kRB5-ENCTYPE-DIGEST-MD5-NONE(-0x1004), - private use, lukeh@padl.com
1892 -- kRB5-ENCTYPE-CRAM-MD5-NONE(-0x1005) - private use, lukeh@padl.com
1893 kRB5-ENCTYPE-DUMMY(-1111)
1894 }
1895 EncryptionTypeSequence ::= SEQUENCE {
1896 dummy [0] EncryptionTypeValues
1897 }
1899 KerbErrorDataTypeValues ::= INTEGER {
1900 kERB-AP-ERR-TYPE-SKEW-RECOVERY(2),
1901 kERB-ERR-TYPE-EXTENDED(3)
1902 }
1903 KerbErrorDataTypeSequence ::= SEQUENCE {
1904 dummy [0] KerbErrorDataTypeValues
1905 }
1907 PACOptionFlagsValues ::= BIT STRING { -- KerberosFlags
1908 claims(0),
1909 branch-aware(1),
1910 forward-to-full-dc(2),
1911 resource-based-constrained-delegation(3)
1912 }
1913 PACOptionFlagsSequence ::= SEQUENCE {
1914 dummy [0] PACOptionFlagsValues
1915 }
1917 END