| blob | ed663fcf5fb8cee776ff57b37480e4915829e9e6 |
1 -- $Id$
3 KERBEROS5 DEFINITIONS ::=
4 BEGIN
5 EXPORTS
6 AD-AND-OR,
7 AD-IF-RELEVANT,
8 AD-KDCIssued,
9 AD-LoginAlias,
10 AP-REP,
11 AP-REQ,
12 AS-REP,
13 AS-REQ,
14 AUTHDATA-TYPE,
15 Authenticator,
16 AuthorizationData,
17 AuthorizationDataElement,
18 CKSUMTYPE,
19 ChangePasswdDataMS,
20 Checksum,
21 ENCTYPE,
22 ETYPE-INFO,
23 ETYPE-INFO-ENTRY,
24 ETYPE-INFO2,
25 ETYPE-INFO2-ENTRY,
26 EncAPRepPart,
27 EncASRepPart,
28 EncKDCRepPart,
29 EncKrbCredPart,
30 EncKrbPrivPart,
31 EncTGSRepPart,
32 EncTicketPart,
33 EncryptedData,
34 EncryptionKey,
35 EtypeList,
36 HostAddress,
37 HostAddresses,
38 KDC-REQ-BODY,
39 KDCOptions,
40 KDC-REP,
41 KRB-CRED,
42 KRB-ERROR,
43 KRB-PRIV,
44 KRB-SAFE,
45 KRB-SAFE-BODY,
46 KRB5SignedPath,
47 KRB5SignedPathData,
48 KRB5SignedPathPrincipals,
49 KerberosString,
50 KerberosTime,
51 KrbCredInfo,
52 LR-TYPE,
53 LastReq,
54 METHOD-DATA,
55 NAME-TYPE,
56 PA-ClientCanonicalized,
57 PA-ClientCanonicalizedNames,
58 PA-DATA,
59 PA-ENC-TS-ENC,
60 PA-PAC-REQUEST,
61 PA-S4U2Self,
62 PA-SERVER-REFERRAL-DATA,
63 PA-ServerReferralData,
64 PA-SvrReferralData,
65 PADATA-TYPE,
66 Principal,
67 PrincipalName,
68 Principals,
69 Realm,
70 TGS-REP,
71 TGS-REQ,
72 Ticket,
73 TicketFlags,
74 TransitedEncoding,
75 TypedData
76 ;
78 NAME-TYPE ::= INTEGER {
79 KRB5_NT_UNKNOWN(0), -- Name type not known
80 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
81 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
82 KRB5_NT_SRV_HST(3), -- Service with host name as instance
83 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
84 KRB5_NT_UID(5), -- Unique ID
85 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
86 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
87 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
88 KRB5_NT_WELLKNOWN(11), -- Wellknown
89 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
90 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
91 KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
92 KRB5_NT_NTLM(-1200) -- NTLM name, realm is domain
93 }
95 -- message types
97 MESSAGE-TYPE ::= INTEGER {
98 krb-as-req(10), -- Request for initial authentication
99 krb-as-rep(11), -- Response to KRB_AS_REQ request
100 krb-tgs-req(12), -- Request for authentication based on TGT
101 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
102 krb-ap-req(14), -- application request to server
103 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
104 krb-safe(20), -- Safe (checksummed) application message
105 krb-priv(21), -- Private (encrypted) application message
106 krb-cred(22), -- Private (encrypted) message to forward credentials
107 krb-error(30) -- Error response
108 }
111 -- pa-data types
113 PADATA-TYPE ::= INTEGER {
114 KRB5-PADATA-NONE(0),
115 KRB5-PADATA-TGS-REQ(1),
116 KRB5-PADATA-AP-REQ(1),
117 KRB5-PADATA-ENC-TIMESTAMP(2),
118 KRB5-PADATA-PW-SALT(3),
119 KRB5-PADATA-ENC-UNIX-TIME(5),
120 KRB5-PADATA-SANDIA-SECUREID(6),
121 KRB5-PADATA-SESAME(7),
122 KRB5-PADATA-OSF-DCE(8),
123 KRB5-PADATA-CYBERSAFE-SECUREID(9),
124 KRB5-PADATA-AFS3-SALT(10),
125 KRB5-PADATA-ETYPE-INFO(11),
126 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
127 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
128 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
129 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
130 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
131 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
132 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
133 KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
134 KRB5-PADATA-ETYPE-INFO2(19),
135 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
136 KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
137 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
138 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
139 KRB5-PADATA-SAM-ETYPE-INFO(23),
140 KRB5-PADATA-SERVER-REFERRAL(25),
141 KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
142 KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
143 KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
144 KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
145 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
146 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
147 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
148 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
149 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
150 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
151 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
152 KRB5-PADATA-FOR-USER(129), -- MS-KILE
153 KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
154 KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
155 KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
156 KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
157 -- tell KDC that is supports
158 -- the asCheckSum in the
159 -- PK-AS-REP
160 KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referals
161 KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
162 KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
163 KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
164 KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
165 KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
166 KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
167 KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
168 KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
169 KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
170 KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
171 KRB5-PADATA-EPAK-AS-REQ(145),
172 KRB5-PADATA-EPAK-AS-REP(146),
173 KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
174 KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
175 KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
176 }
178 AUTHDATA-TYPE ::= INTEGER {
179 KRB5-AUTHDATA-IF-RELEVANT(1),
180 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
181 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
182 KRB5-AUTHDATA-KDC-ISSUED(4),
183 KRB5-AUTHDATA-AND-OR(5),
184 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
185 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
186 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
187 KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
188 KRB5-AUTHDATA-OSF-DCE(64),
189 KRB5-AUTHDATA-SESAME(65),
190 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
191 KRB5-AUTHDATA-WIN2K-PAC(128),
192 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
193 KRB5-AUTHDATA-SIGNTICKET-OLD(-17),
194 KRB5-AUTHDATA-SIGNTICKET(142)
195 }
197 -- checksumtypes
199 CKSUMTYPE ::= INTEGER {
200 CKSUMTYPE_NONE(0),
201 CKSUMTYPE_CRC32(1),
202 CKSUMTYPE_RSA_MD4(2),
203 CKSUMTYPE_RSA_MD4_DES(3),
204 CKSUMTYPE_DES_MAC(4),
205 CKSUMTYPE_DES_MAC_K(5),
206 CKSUMTYPE_RSA_MD4_DES_K(6),
207 CKSUMTYPE_RSA_MD5(7),
208 CKSUMTYPE_RSA_MD5_DES(8),
209 CKSUMTYPE_RSA_MD5_DES3(9),
210 CKSUMTYPE_SHA1_OTHER(10),
211 CKSUMTYPE_HMAC_SHA1_DES3(12),
212 CKSUMTYPE_SHA1(14),
213 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
214 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
215 CKSUMTYPE_GSSAPI(0x8003),
216 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
217 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
218 }
220 --enctypes
221 ENCTYPE ::= INTEGER {
222 ETYPE_NULL(0),
223 ETYPE_DES_CBC_CRC(1),
224 ETYPE_DES_CBC_MD4(2),
225 ETYPE_DES_CBC_MD5(3),
226 ETYPE_DES3_CBC_MD5(5),
227 ETYPE_OLD_DES3_CBC_SHA1(7),
228 ETYPE_SIGN_DSA_GENERATE(8),
229 ETYPE_ENCRYPT_RSA_PRIV(9),
230 ETYPE_ENCRYPT_RSA_PUB(10),
231 ETYPE_DES3_CBC_SHA1(16), -- with key derivation
232 ETYPE_AES128_CTS_HMAC_SHA1_96(17),
233 ETYPE_AES256_CTS_HMAC_SHA1_96(18),
234 ETYPE_ARCFOUR_HMAC_MD5(23),
235 ETYPE_ARCFOUR_HMAC_MD5_56(24),
236 ETYPE_ENCTYPE_PK_CROSS(48),
237 -- some "old" windows types
238 ETYPE_ARCFOUR_MD4(-128),
239 ETYPE_ARCFOUR_HMAC_OLD(-133),
240 ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
241 -- these are for Heimdal internal use
242 ETYPE_DES_CBC_NONE(-0x1000),
243 ETYPE_DES3_CBC_NONE(-0x1001),
244 ETYPE_DES_CFB64_NONE(-0x1002),
245 ETYPE_DES_PCBC_NONE(-0x1003),
246 ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
247 ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
248 }
253 -- this is sugar to make something ASN1 does not have: unsigned
255 krb5uint32 ::= INTEGER (0..4294967295)
256 krb5int32 ::= INTEGER (-2147483648..2147483647)
258 KerberosString ::= GeneralString
260 Realm ::= GeneralString
261 PrincipalName ::= SEQUENCE {
262 name-type[0] NAME-TYPE,
263 name-string[1] SEQUENCE OF GeneralString
264 }
266 -- this is not part of RFC1510
267 Principal ::= SEQUENCE {
268 name[0] PrincipalName,
269 realm[1] Realm
270 }
272 Principals ::= SEQUENCE OF Principal
274 HostAddress ::= SEQUENCE {
275 addr-type[0] krb5int32,
276 address[1] OCTET STRING
277 }
279 -- This is from RFC1510.
280 --
281 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
282 -- addr-type[0] krb5int32,
283 -- address[1] OCTET STRING
284 -- }
286 -- This seems much better.
287 HostAddresses ::= SEQUENCE OF HostAddress
290 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
292 AuthorizationDataElement ::= SEQUENCE {
293 ad-type[0] krb5int32,
294 ad-data[1] OCTET STRING
295 }
297 AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
299 APOptions ::= BIT STRING {
300 reserved(0),
301 use-session-key(1),
302 mutual-required(2)
303 }
305 TicketFlags ::= BIT STRING {
306 reserved(0),
307 forwardable(1),
308 forwarded(2),
309 proxiable(3),
310 proxy(4),
311 may-postdate(5),
312 postdated(6),
313 invalid(7),
314 renewable(8),
315 initial(9),
316 pre-authent(10),
317 hw-authent(11),
318 transited-policy-checked(12),
319 ok-as-delegate(13),
320 anonymous(14)
321 }
323 KDCOptions ::= BIT STRING {
324 reserved(0),
325 forwardable(1),
326 forwarded(2),
327 proxiable(3),
328 proxy(4),
329 allow-postdate(5),
330 postdated(6),
331 renewable(8),
332 request-anonymous(14),
333 canonicalize(15),
334 constrained-delegation(16), -- ms extension
335 disable-transited-check(26),
336 renewable-ok(27),
337 enc-tkt-in-skey(28),
338 renew(30),
339 validate(31)
340 }
342 LR-TYPE ::= INTEGER {
343 LR_NONE(0), -- no information
344 LR_INITIAL_TGT(1), -- last initial TGT request
345 LR_INITIAL(2), -- last initial request
346 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
347 LR_RENEWAL(4), -- time of last renewal
348 LR_REQUEST(5), -- time of last request (of any type)
349 LR_PW_EXPTIME(6), -- expiration time of password
350 LR_ACCT_EXPTIME(7) -- expiration time of account
351 }
353 LastReq ::= SEQUENCE OF SEQUENCE {
354 lr-type[0] LR-TYPE,
355 lr-value[1] KerberosTime
356 }
359 EncryptedData ::= SEQUENCE {
360 etype[0] ENCTYPE, -- EncryptionType
361 kvno[1] krb5int32 OPTIONAL,
362 cipher[2] OCTET STRING -- ciphertext
363 }
365 EncryptionKey ::= SEQUENCE {
366 keytype[0] krb5int32,
367 keyvalue[1] OCTET STRING
368 }
370 -- encoded Transited field
371 TransitedEncoding ::= SEQUENCE {
372 tr-type[0] krb5int32, -- must be registered
373 contents[1] OCTET STRING
374 }
376 Ticket ::= [APPLICATION 1] SEQUENCE {
377 tkt-vno[0] krb5int32,
378 realm[1] Realm,
379 sname[2] PrincipalName,
380 enc-part[3] EncryptedData
381 }
382 -- Encrypted part of ticket
383 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
384 flags[0] TicketFlags,
385 key[1] EncryptionKey,
386 crealm[2] Realm,
387 cname[3] PrincipalName,
388 transited[4] TransitedEncoding,
389 authtime[5] KerberosTime,
390 starttime[6] KerberosTime OPTIONAL,
391 endtime[7] KerberosTime,
392 renew-till[8] KerberosTime OPTIONAL,
393 caddr[9] HostAddresses OPTIONAL,
394 authorization-data[10] AuthorizationData OPTIONAL
395 }
397 Checksum ::= SEQUENCE {
398 cksumtype[0] CKSUMTYPE,
399 checksum[1] OCTET STRING
400 }
402 Authenticator ::= [APPLICATION 2] SEQUENCE {
403 authenticator-vno[0] krb5int32,
404 crealm[1] Realm,
405 cname[2] PrincipalName,
406 cksum[3] Checksum OPTIONAL,
407 cusec[4] krb5int32,
408 ctime[5] KerberosTime,
409 subkey[6] EncryptionKey OPTIONAL,
410 seq-number[7] krb5uint32 OPTIONAL,
411 authorization-data[8] AuthorizationData OPTIONAL
412 }
414 PA-DATA ::= SEQUENCE {
415 -- might be encoded AP-REQ
416 padata-type[1] PADATA-TYPE,
417 padata-value[2] OCTET STRING
418 }
420 ETYPE-INFO-ENTRY ::= SEQUENCE {
421 etype[0] ENCTYPE,
422 salt[1] OCTET STRING OPTIONAL,
423 salttype[2] krb5int32 OPTIONAL
424 }
426 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
428 ETYPE-INFO2-ENTRY ::= SEQUENCE {
429 etype[0] ENCTYPE,
430 salt[1] KerberosString OPTIONAL,
431 s2kparams[2] OCTET STRING OPTIONAL
432 }
434 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
436 METHOD-DATA ::= SEQUENCE OF PA-DATA
438 TypedData ::= SEQUENCE {
439 data-type[0] krb5int32,
440 data-value[1] OCTET STRING OPTIONAL
441 }
443 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
445 KDC-REQ-BODY ::= SEQUENCE {
446 kdc-options[0] KDCOptions,
447 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
448 realm[2] Realm, -- Server's realm
449 -- Also client's in AS-REQ
450 sname[3] PrincipalName OPTIONAL,
451 from[4] KerberosTime OPTIONAL,
452 till[5] KerberosTime OPTIONAL,
453 rtime[6] KerberosTime OPTIONAL,
454 nonce[7] krb5int32,
455 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
456 -- in preference order
457 addresses[9] HostAddresses OPTIONAL,
458 enc-authorization-data[10] EncryptedData OPTIONAL,
459 -- Encrypted AuthorizationData encoding
460 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
461 }
463 KDC-REQ ::= SEQUENCE {
464 pvno[1] krb5int32,
465 msg-type[2] MESSAGE-TYPE,
466 padata[3] METHOD-DATA OPTIONAL,
467 req-body[4] KDC-REQ-BODY
468 }
470 AS-REQ ::= [APPLICATION 10] KDC-REQ
471 TGS-REQ ::= [APPLICATION 12] KDC-REQ
473 -- padata-type ::= PA-ENC-TIMESTAMP
474 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
476 PA-ENC-TS-ENC ::= SEQUENCE {
477 patimestamp[0] KerberosTime, -- client's time
478 pausec[1] krb5int32 OPTIONAL
479 }
481 -- draft-brezak-win2k-krb-authz-01
482 PA-PAC-REQUEST ::= SEQUENCE {
483 include-pac[0] BOOLEAN -- Indicates whether a PAC
484 -- should be included or not
485 }
487 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
488 PROV-SRV-LOCATION ::= GeneralString
490 KDC-REP ::= SEQUENCE {
491 pvno[0] krb5int32,
492 msg-type[1] MESSAGE-TYPE,
493 padata[2] METHOD-DATA OPTIONAL,
494 crealm[3] Realm,
495 cname[4] PrincipalName,
496 ticket[5] Ticket,
497 enc-part[6] EncryptedData
498 }
500 AS-REP ::= [APPLICATION 11] KDC-REP
501 TGS-REP ::= [APPLICATION 13] KDC-REP
503 EncKDCRepPart ::= SEQUENCE {
504 key[0] EncryptionKey,
505 last-req[1] LastReq,
506 nonce[2] krb5int32,
507 key-expiration[3] KerberosTime OPTIONAL,
508 flags[4] TicketFlags,
509 authtime[5] KerberosTime,
510 starttime[6] KerberosTime OPTIONAL,
511 endtime[7] KerberosTime,
512 renew-till[8] KerberosTime OPTIONAL,
513 srealm[9] Realm,
514 sname[10] PrincipalName,
515 caddr[11] HostAddresses OPTIONAL,
516 encrypted-pa-data[12] METHOD-DATA OPTIONAL
517 }
519 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
520 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
522 AP-REQ ::= [APPLICATION 14] SEQUENCE {
523 pvno[0] krb5int32,
524 msg-type[1] MESSAGE-TYPE,
525 ap-options[2] APOptions,
526 ticket[3] Ticket,
527 authenticator[4] EncryptedData
528 }
530 AP-REP ::= [APPLICATION 15] SEQUENCE {
531 pvno[0] krb5int32,
532 msg-type[1] MESSAGE-TYPE,
533 enc-part[2] EncryptedData
534 }
536 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
537 ctime[0] KerberosTime,
538 cusec[1] krb5int32,
539 subkey[2] EncryptionKey OPTIONAL,
540 seq-number[3] krb5uint32 OPTIONAL
541 }
543 KRB-SAFE-BODY ::= SEQUENCE {
544 user-data[0] OCTET STRING,
545 timestamp[1] KerberosTime OPTIONAL,
546 usec[2] krb5int32 OPTIONAL,
547 seq-number[3] krb5uint32 OPTIONAL,
548 s-address[4] HostAddress OPTIONAL,
549 r-address[5] HostAddress OPTIONAL
550 }
552 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
553 pvno[0] krb5int32,
554 msg-type[1] MESSAGE-TYPE,
555 safe-body[2] KRB-SAFE-BODY,
556 cksum[3] Checksum
557 }
559 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
560 pvno[0] krb5int32,
561 msg-type[1] MESSAGE-TYPE,
562 enc-part[3] EncryptedData
563 }
564 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
565 user-data[0] OCTET STRING,
566 timestamp[1] KerberosTime OPTIONAL,
567 usec[2] krb5int32 OPTIONAL,
568 seq-number[3] krb5uint32 OPTIONAL,
569 s-address[4] HostAddress OPTIONAL, -- sender's addr
570 r-address[5] HostAddress OPTIONAL -- recip's addr
571 }
573 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
574 pvno[0] krb5int32,
575 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
576 tickets[2] SEQUENCE OF Ticket,
577 enc-part[3] EncryptedData
578 }
580 KrbCredInfo ::= SEQUENCE {
581 key[0] EncryptionKey,
582 prealm[1] Realm OPTIONAL,
583 pname[2] PrincipalName OPTIONAL,
584 flags[3] TicketFlags OPTIONAL,
585 authtime[4] KerberosTime OPTIONAL,
586 starttime[5] KerberosTime OPTIONAL,
587 endtime[6] KerberosTime OPTIONAL,
588 renew-till[7] KerberosTime OPTIONAL,
589 srealm[8] Realm OPTIONAL,
590 sname[9] PrincipalName OPTIONAL,
591 caddr[10] HostAddresses OPTIONAL
592 }
594 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
595 ticket-info[0] SEQUENCE OF KrbCredInfo,
596 nonce[1] krb5int32 OPTIONAL,
597 timestamp[2] KerberosTime OPTIONAL,
598 usec[3] krb5int32 OPTIONAL,
599 s-address[4] HostAddress OPTIONAL,
600 r-address[5] HostAddress OPTIONAL
601 }
603 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
604 pvno[0] krb5int32,
605 msg-type[1] MESSAGE-TYPE,
606 ctime[2] KerberosTime OPTIONAL,
607 cusec[3] krb5int32 OPTIONAL,
608 stime[4] KerberosTime,
609 susec[5] krb5int32,
610 error-code[6] krb5int32,
611 crealm[7] Realm OPTIONAL,
612 cname[8] PrincipalName OPTIONAL,
613 realm[9] Realm, -- Correct realm
614 sname[10] PrincipalName, -- Correct name
615 e-text[11] GeneralString OPTIONAL,
616 e-data[12] OCTET STRING OPTIONAL
617 }
619 ChangePasswdDataMS ::= SEQUENCE {
620 newpasswd[0] OCTET STRING,
621 targname[1] PrincipalName OPTIONAL,
622 targrealm[2] Realm OPTIONAL
623 }
625 EtypeList ::= SEQUENCE OF krb5int32
626 -- the client's proposed enctype list in
627 -- decreasing preference order, favorite choice first
629 krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
631 -- transited encodings
633 DOMAIN-X500-COMPRESS krb5int32 ::= 1
635 -- authorization data primitives
637 AD-IF-RELEVANT ::= AuthorizationData
639 AD-KDCIssued ::= SEQUENCE {
640 ad-checksum[0] Checksum,
641 i-realm[1] Realm OPTIONAL,
642 i-sname[2] PrincipalName OPTIONAL,
643 elements[3] AuthorizationData
644 }
646 AD-AND-OR ::= SEQUENCE {
647 condition-count[0] INTEGER,
648 elements[1] AuthorizationData
649 }
651 AD-MANDATORY-FOR-KDC ::= AuthorizationData
653 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
655 PA-SAM-TYPE ::= INTEGER {
656 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
657 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
658 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
659 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
660 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
661 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
662 }
664 PA-SAM-REDIRECT ::= HostAddresses
666 SAMFlags ::= BIT STRING {
667 use-sad-as-key(0),
668 send-encrypted-sad(1),
669 must-pk-encrypt-sad(2)
670 }
672 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
673 sam-type[0] krb5int32,
674 sam-flags[1] SAMFlags,
675 sam-type-name[2] GeneralString OPTIONAL,
676 sam-track-id[3] GeneralString OPTIONAL,
677 sam-challenge-label[4] GeneralString OPTIONAL,
678 sam-challenge[5] GeneralString OPTIONAL,
679 sam-response-prompt[6] GeneralString OPTIONAL,
680 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
681 sam-nonce[8] krb5int32,
682 sam-etype[9] krb5int32,
683 ...
684 }
686 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
687 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
688 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
689 ...
690 }
692 PA-SAM-RESPONSE-2 ::= SEQUENCE {
693 sam-type[0] krb5int32,
694 sam-flags[1] SAMFlags,
695 sam-track-id[2] GeneralString OPTIONAL,
696 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
697 sam-nonce[4] krb5int32,
698 ...
699 }
701 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
702 sam-nonce[0] krb5int32,
703 sam-sad[1] GeneralString OPTIONAL,
704 ...
705 }
707 PA-S4U2Self ::= SEQUENCE {
708 name[0] PrincipalName,
709 realm[1] Realm,
710 cksum[2] Checksum,
711 auth[3] GeneralString
712 }
714 -- never encoded on the wire, just used to checksum over
715 KRB5SignedPathData ::= SEQUENCE {
716 client[0] Principal OPTIONAL,
717 authtime[1] KerberosTime,
718 delegated[2] Principals OPTIONAL,
719 method_data[3] METHOD-DATA OPTIONAL
720 }
722 KRB5SignedPath ::= SEQUENCE {
723 -- DERcoded KRB5SignedPathData
724 -- krbtgt key (etype), KeyUsage = XXX
725 etype[0] ENCTYPE,
726 cksum[1] Checksum,
727 -- srvs delegated though
728 delegated[2] Principals OPTIONAL,
729 method_data[3] METHOD-DATA OPTIONAL
730 }
732 PA-ClientCanonicalizedNames ::= SEQUENCE{
733 requested-name [0] PrincipalName,
734 mapped-name [1] PrincipalName
735 }
737 PA-ClientCanonicalized ::= SEQUENCE {
738 names [0] PA-ClientCanonicalizedNames,
739 canon-checksum [1] Checksum
740 }
742 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
743 login-alias [0] PrincipalName,
744 checksum [1] Checksum
745 }
747 -- old ms referral
748 PA-SvrReferralData ::= SEQUENCE {
749 referred-name [1] PrincipalName OPTIONAL,
750 referred-realm [0] Realm
751 }
753 PA-SERVER-REFERRAL-DATA ::= EncryptedData
755 PA-ServerReferralData ::= SEQUENCE {
756 referred-realm [0] Realm OPTIONAL,
757 true-principal-name [1] PrincipalName OPTIONAL,
758 requested-principal-name [2] PrincipalName OPTIONAL,
759 referral-valid-until [3] KerberosTime OPTIONAL,
760 ...
761 }
763 FastOptions ::= BIT STRING {
764 reserved(0),
765 hide-client-names(1),
766 kdc-follow--referrals(16)
767 }
769 KrbFastReq ::= SEQUENCE {
770 fast-options [0] FastOptions,
771 padata [1] SEQUENCE OF PA-DATA,
772 req-body [2] KDC-REQ-BODY,
773 ...
774 }
776 KrbFastArmor ::= SEQUENCE {
777 armor-type [0] krb5int32,
778 armor-value [1] OCTET STRING,
779 ...
780 }
782 KrbFastArmoredReq ::= SEQUENCE {
783 armor [0] KrbFastArmor OPTIONAL,
784 req-checksum [1] Checksum,
785 enc-fast-req [2] EncryptedData -- KrbFastReq --
786 }
788 PA-FX-FAST-REQUEST ::= CHOICE {
789 armored-data [0] KrbFastArmoredReq,
790 ...
791 }
793 KrbFastFinished ::= SEQUENCE {
794 timestamp [0] KerberosTime,
795 usec [1] krb5int32,
796 crealm [2] Realm,
797 cname [3] PrincipalName,
798 checksum [4] Checksum,
799 ticket-checksum [5] Checksum,
800 ...
801 }
803 KrbFastResponse ::= SEQUENCE {
804 padata [0] SEQUENCE OF PA-DATA,
805 rep-key [1] EncryptionKey OPTIONAL,
806 finished [2] KrbFastFinished OPTIONAL,
807 ...
808 }
810 KrbFastArmoredRep ::= SEQUENCE {
811 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
812 ...
813 }
815 PA-FX-FAST-REPLY ::= CHOICE {
816 armored-data [0] KrbFastArmoredRep,
817 ...
818 }
820 END
822 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1