3 KERBEROS5 DEFINITIONS ::=
17 AuthorizationDataElement,
48 KRB5SignedPathPrincipals,
56 PA-ClientCanonicalized,
57 PA-ClientCanonicalizedNames,
62 PA-SERVER-REFERRAL-DATA,
63 PA-ServerReferralData,
89 KERB-ARMOR-SERVICE-REPLY
92 NAME-TYPE ::= INTEGER {
93 KRB5_NT_UNKNOWN(0), -- Name type not known
94 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
95 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
96 KRB5_NT_SRV_HST(3), -- Service with host name as instance
97 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
98 KRB5_NT_UID(5), -- Unique ID
99 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
100 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
101 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
102 KRB5_NT_WELLKNOWN(11), -- Wellknown
103 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
104 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
105 KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
106 KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
107 KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
108 KRB5_NT_GSS_HOSTBASED_SERVICE(-1202),
109 KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
110 KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- -(0x0bad1dea)
115 MESSAGE-TYPE ::= INTEGER {
116 krb-as-req(10), -- Request for initial authentication
117 krb-as-rep(11), -- Response to KRB_AS_REQ request
118 krb-tgs-req(12), -- Request for authentication based on TGT
119 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
120 krb-ap-req(14), -- application request to server
121 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
122 krb-safe(20), -- Safe (checksummed) application message
123 krb-priv(21), -- Private (encrypted) application message
124 krb-cred(22), -- Private (encrypted) message to forward credentials
125 krb-error(30) -- Error response
131 PADATA-TYPE ::= INTEGER {
133 KRB5-PADATA-TGS-REQ(1),
134 KRB5-PADATA-AP-REQ(1),
135 KRB5-PADATA-ENC-TIMESTAMP(2),
136 KRB5-PADATA-PW-SALT(3),
137 KRB5-PADATA-ENC-UNIX-TIME(5),
138 KRB5-PADATA-SANDIA-SECUREID(6),
139 KRB5-PADATA-SESAME(7),
140 KRB5-PADATA-OSF-DCE(8),
141 KRB5-PADATA-CYBERSAFE-SECUREID(9),
142 KRB5-PADATA-AFS3-SALT(10),
143 KRB5-PADATA-ETYPE-INFO(11),
144 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
145 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
146 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
147 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
148 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
149 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
150 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
151 KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
152 KRB5-PADATA-ETYPE-INFO2(19),
153 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
154 KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
155 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
156 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
157 KRB5-PADATA-SAM-ETYPE-INFO(23),
158 KRB5-PADATA-SERVER-REFERRAL(25),
159 KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
160 KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
161 KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
162 KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
163 KRB5-PADATA-FX-FAST-ARMOR(71), -- fast armor
164 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
165 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
166 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
167 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
168 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
169 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
170 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
171 KRB5-PADATA-FOR-USER(129), -- MS-KILE
172 KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
173 KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
174 KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
175 KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
176 -- tell KDC that is supports
177 -- the asCheckSum in the
179 KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referals
180 KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
181 KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
182 KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
183 KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
184 KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
185 KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
186 KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
187 KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
188 KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
189 KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
190 KRB5-PADATA-EPAK-AS-REQ(145),
191 KRB5-PADATA-EPAK-AS-REP(146),
192 KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
193 KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
194 KRB5-PADATA-REQ-ENC-PA-REP(149), --
195 KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
198 AUTHDATA-TYPE ::= INTEGER {
199 KRB5-AUTHDATA-IF-RELEVANT(1),
200 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
201 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
202 KRB5-AUTHDATA-KDC-ISSUED(4),
203 KRB5-AUTHDATA-AND-OR(5),
204 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
205 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
206 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
207 KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
208 KRB5-AUTHDATA-OSF-DCE(64),
209 KRB5-AUTHDATA-SESAME(65),
210 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
211 KRB5-AUTHDATA-WIN2K-PAC(128),
212 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
213 KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
214 KRB5-AUTHDATA-SIGNTICKET-OLD(142),
215 KRB5-AUTHDATA-SIGNTICKET(512)
220 CKSUMTYPE ::= INTEGER {
223 CKSUMTYPE_RSA_MD4(2),
224 CKSUMTYPE_RSA_MD4_DES(3),
225 CKSUMTYPE_DES_MAC(4),
226 CKSUMTYPE_DES_MAC_K(5),
227 CKSUMTYPE_RSA_MD4_DES_K(6),
228 CKSUMTYPE_RSA_MD5(7),
229 CKSUMTYPE_RSA_MD5_DES(8),
230 CKSUMTYPE_RSA_MD5_DES3(9),
231 CKSUMTYPE_SHA1_OTHER(10),
232 CKSUMTYPE_HMAC_SHA1_DES3(12),
234 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
235 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
236 CKSUMTYPE_GSSAPI(0x8003),
237 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
238 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
242 ENCTYPE ::= INTEGER {
243 KRB5_ENCTYPE_NULL(0),
244 KRB5_ENCTYPE_DES_CBC_CRC(1),
245 KRB5_ENCTYPE_DES_CBC_MD4(2),
246 KRB5_ENCTYPE_DES_CBC_MD5(3),
247 KRB5_ENCTYPE_DES3_CBC_MD5(5),
248 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
249 KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
250 KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
251 KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
252 KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
253 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
254 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
255 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
256 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
257 KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
258 -- some "old" windows types
259 KRB5_ENCTYPE_ARCFOUR_MD4(-128),
260 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
261 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
262 -- these are for Heimdal internal use
263 KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
264 KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
265 KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
266 KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
267 KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
268 KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
274 -- this is sugar to make something ASN1 does not have: unsigned
276 krb5uint32 ::= INTEGER (0..4294967295)
277 krb5int32 ::= INTEGER (-2147483648..2147483647)
279 KerberosString ::= GeneralString
281 Realm ::= GeneralString
282 PrincipalName ::= SEQUENCE {
283 name-type[0] NAME-TYPE,
284 name-string[1] SEQUENCE OF GeneralString
287 -- this is not part of RFC1510
288 Principal ::= SEQUENCE {
289 name[0] PrincipalName,
293 Principals ::= SEQUENCE OF Principal
295 HostAddress ::= SEQUENCE {
296 addr-type[0] krb5int32,
297 address[1] OCTET STRING
300 -- This is from RFC1510.
302 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
303 -- addr-type[0] krb5int32,
304 -- address[1] OCTET STRING
307 -- This seems much better.
308 HostAddresses ::= SEQUENCE OF HostAddress
311 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
313 AuthorizationDataElement ::= SEQUENCE {
314 ad-type[0] krb5int32,
315 ad-data[1] OCTET STRING
318 AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
320 APOptions ::= BIT STRING {
326 TicketFlags ::= BIT STRING {
339 transited-policy-checked(12),
345 KDCOptions ::= BIT STRING {
354 request-anonymous(14),
356 constrained-delegation(16), -- ms extension
357 disable-transited-check(26),
364 LR-TYPE ::= INTEGER {
365 LR_NONE(0), -- no information
366 LR_INITIAL_TGT(1), -- last initial TGT request
367 LR_INITIAL(2), -- last initial request
368 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
369 LR_RENEWAL(4), -- time of last renewal
370 LR_REQUEST(5), -- time of last request (of any type)
371 LR_PW_EXPTIME(6), -- expiration time of password
372 LR_ACCT_EXPTIME(7) -- expiration time of account
375 LastReq ::= SEQUENCE OF SEQUENCE {
377 lr-value[1] KerberosTime
381 EncryptedData ::= SEQUENCE {
382 etype[0] ENCTYPE, -- EncryptionType
383 kvno[1] krb5int32 OPTIONAL,
384 cipher[2] OCTET STRING -- ciphertext
387 EncryptionKey ::= SEQUENCE {
388 keytype[0] krb5int32,
389 keyvalue[1] OCTET STRING
392 -- encoded Transited field
393 TransitedEncoding ::= SEQUENCE {
394 tr-type[0] krb5int32, -- must be registered
395 contents[1] OCTET STRING
398 Ticket ::= [APPLICATION 1] SEQUENCE {
399 tkt-vno[0] krb5int32,
401 sname[2] PrincipalName,
402 enc-part[3] EncryptedData
404 -- Encrypted part of ticket
405 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
406 flags[0] TicketFlags,
407 key[1] EncryptionKey,
409 cname[3] PrincipalName,
410 transited[4] TransitedEncoding,
411 authtime[5] KerberosTime,
412 starttime[6] KerberosTime OPTIONAL,
413 endtime[7] KerberosTime,
414 renew-till[8] KerberosTime OPTIONAL,
415 caddr[9] HostAddresses OPTIONAL,
416 authorization-data[10] AuthorizationData OPTIONAL
419 Checksum ::= SEQUENCE {
420 cksumtype[0] CKSUMTYPE,
421 checksum[1] OCTET STRING
424 Authenticator ::= [APPLICATION 2] SEQUENCE {
425 authenticator-vno[0] krb5int32,
427 cname[2] PrincipalName,
428 cksum[3] Checksum OPTIONAL,
430 ctime[5] KerberosTime,
431 subkey[6] EncryptionKey OPTIONAL,
432 seq-number[7] krb5uint32 OPTIONAL,
433 authorization-data[8] AuthorizationData OPTIONAL
436 PA-DATA ::= SEQUENCE {
437 -- might be encoded AP-REQ
438 padata-type[1] PADATA-TYPE,
439 padata-value[2] OCTET STRING
442 ETYPE-INFO-ENTRY ::= SEQUENCE {
444 salt[1] OCTET STRING OPTIONAL,
445 salttype[2] krb5int32 OPTIONAL
448 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
450 ETYPE-INFO2-ENTRY ::= SEQUENCE {
452 salt[1] KerberosString OPTIONAL,
453 s2kparams[2] OCTET STRING OPTIONAL
456 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
458 METHOD-DATA ::= SEQUENCE OF PA-DATA
460 TypedData ::= SEQUENCE {
461 data-type[0] krb5int32,
462 data-value[1] OCTET STRING OPTIONAL
465 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
467 KDC-REQ-BODY ::= SEQUENCE {
468 kdc-options[0] KDCOptions,
469 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
470 realm[2] Realm, -- Server's realm
471 -- Also client's in AS-REQ
472 sname[3] PrincipalName OPTIONAL,
473 from[4] KerberosTime OPTIONAL,
474 till[5] KerberosTime OPTIONAL,
475 rtime[6] KerberosTime OPTIONAL,
477 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
478 -- in preference order
479 addresses[9] HostAddresses OPTIONAL,
480 enc-authorization-data[10] EncryptedData OPTIONAL,
481 -- Encrypted AuthorizationData encoding
482 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
485 KDC-REQ ::= SEQUENCE {
487 msg-type[2] MESSAGE-TYPE,
488 padata[3] METHOD-DATA OPTIONAL,
489 req-body[4] KDC-REQ-BODY
492 AS-REQ ::= [APPLICATION 10] KDC-REQ
493 TGS-REQ ::= [APPLICATION 12] KDC-REQ
495 -- padata-type ::= PA-ENC-TIMESTAMP
496 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
498 PA-ENC-TS-ENC ::= SEQUENCE {
499 patimestamp[0] KerberosTime, -- client's time
500 pausec[1] krb5int32 OPTIONAL
503 -- draft-brezak-win2k-krb-authz-01
504 PA-PAC-REQUEST ::= SEQUENCE {
505 include-pac[0] BOOLEAN -- Indicates whether a PAC
506 -- should be included or not
509 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
510 PROV-SRV-LOCATION ::= GeneralString
512 KDC-REP ::= SEQUENCE {
514 msg-type[1] MESSAGE-TYPE,
515 padata[2] METHOD-DATA OPTIONAL,
517 cname[4] PrincipalName,
519 enc-part[6] EncryptedData
522 AS-REP ::= [APPLICATION 11] KDC-REP
523 TGS-REP ::= [APPLICATION 13] KDC-REP
525 EncKDCRepPart ::= SEQUENCE {
526 key[0] EncryptionKey,
529 key-expiration[3] KerberosTime OPTIONAL,
530 flags[4] TicketFlags,
531 authtime[5] KerberosTime,
532 starttime[6] KerberosTime OPTIONAL,
533 endtime[7] KerberosTime,
534 renew-till[8] KerberosTime OPTIONAL,
536 sname[10] PrincipalName,
537 caddr[11] HostAddresses OPTIONAL,
538 encrypted-pa-data[12] METHOD-DATA OPTIONAL
541 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
542 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
544 AP-REQ ::= [APPLICATION 14] SEQUENCE {
546 msg-type[1] MESSAGE-TYPE,
547 ap-options[2] APOptions,
549 authenticator[4] EncryptedData
552 AP-REP ::= [APPLICATION 15] SEQUENCE {
554 msg-type[1] MESSAGE-TYPE,
555 enc-part[2] EncryptedData
558 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
559 ctime[0] KerberosTime,
561 subkey[2] EncryptionKey OPTIONAL,
562 seq-number[3] krb5uint32 OPTIONAL
565 KRB-SAFE-BODY ::= SEQUENCE {
566 user-data[0] OCTET STRING,
567 timestamp[1] KerberosTime OPTIONAL,
568 usec[2] krb5int32 OPTIONAL,
569 seq-number[3] krb5uint32 OPTIONAL,
570 s-address[4] HostAddress OPTIONAL,
571 r-address[5] HostAddress OPTIONAL
574 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
576 msg-type[1] MESSAGE-TYPE,
577 safe-body[2] KRB-SAFE-BODY,
581 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
583 msg-type[1] MESSAGE-TYPE,
584 enc-part[3] EncryptedData
586 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
587 user-data[0] OCTET STRING,
588 timestamp[1] KerberosTime OPTIONAL,
589 usec[2] krb5int32 OPTIONAL,
590 seq-number[3] krb5uint32 OPTIONAL,
591 s-address[4] HostAddress OPTIONAL, -- sender's addr
592 r-address[5] HostAddress OPTIONAL -- recip's addr
595 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
597 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
598 tickets[2] SEQUENCE OF Ticket,
599 enc-part[3] EncryptedData
602 KrbCredInfo ::= SEQUENCE {
603 key[0] EncryptionKey,
604 prealm[1] Realm OPTIONAL,
605 pname[2] PrincipalName OPTIONAL,
606 flags[3] TicketFlags OPTIONAL,
607 authtime[4] KerberosTime OPTIONAL,
608 starttime[5] KerberosTime OPTIONAL,
609 endtime[6] KerberosTime OPTIONAL,
610 renew-till[7] KerberosTime OPTIONAL,
611 srealm[8] Realm OPTIONAL,
612 sname[9] PrincipalName OPTIONAL,
613 caddr[10] HostAddresses OPTIONAL
616 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
617 ticket-info[0] SEQUENCE OF KrbCredInfo,
618 nonce[1] krb5int32 OPTIONAL,
619 timestamp[2] KerberosTime OPTIONAL,
620 usec[3] krb5int32 OPTIONAL,
621 s-address[4] HostAddress OPTIONAL,
622 r-address[5] HostAddress OPTIONAL
625 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
627 msg-type[1] MESSAGE-TYPE,
628 ctime[2] KerberosTime OPTIONAL,
629 cusec[3] krb5int32 OPTIONAL,
630 stime[4] KerberosTime,
632 error-code[6] krb5int32,
633 crealm[7] Realm OPTIONAL,
634 cname[8] PrincipalName OPTIONAL,
635 realm[9] Realm, -- Correct realm
636 sname[10] PrincipalName, -- Correct name
637 e-text[11] GeneralString OPTIONAL,
638 e-data[12] OCTET STRING OPTIONAL
641 ChangePasswdDataMS ::= SEQUENCE {
642 newpasswd[0] OCTET STRING,
643 targname[1] PrincipalName OPTIONAL,
644 targrealm[2] Realm OPTIONAL
647 EtypeList ::= SEQUENCE OF ENCTYPE
648 -- the client's proposed enctype list in
649 -- decreasing preference order, favorite choice first
651 krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
653 -- transited encodings
655 DOMAIN-X500-COMPRESS krb5int32 ::= 1
657 -- authorization data primitives
659 AD-IF-RELEVANT ::= AuthorizationData
661 AD-KDCIssued ::= SEQUENCE {
662 ad-checksum[0] Checksum,
663 i-realm[1] Realm OPTIONAL,
664 i-sname[2] PrincipalName OPTIONAL,
665 elements[3] AuthorizationData
668 AD-AND-OR ::= SEQUENCE {
669 condition-count[0] INTEGER,
670 elements[1] AuthorizationData
673 AD-MANDATORY-FOR-KDC ::= AuthorizationData
675 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
677 PA-SAM-TYPE ::= INTEGER {
678 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
679 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
680 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
681 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
682 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
683 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
686 PA-SAM-REDIRECT ::= HostAddresses
688 SAMFlags ::= BIT STRING {
690 send-encrypted-sad(1),
691 must-pk-encrypt-sad(2)
694 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
695 sam-type[0] krb5int32,
696 sam-flags[1] SAMFlags,
697 sam-type-name[2] GeneralString OPTIONAL,
698 sam-track-id[3] GeneralString OPTIONAL,
699 sam-challenge-label[4] GeneralString OPTIONAL,
700 sam-challenge[5] GeneralString OPTIONAL,
701 sam-response-prompt[6] GeneralString OPTIONAL,
702 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
703 sam-nonce[8] krb5int32,
704 sam-etype[9] krb5int32,
708 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
709 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
710 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
714 PA-SAM-RESPONSE-2 ::= SEQUENCE {
715 sam-type[0] krb5int32,
716 sam-flags[1] SAMFlags,
717 sam-track-id[2] GeneralString OPTIONAL,
718 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
719 sam-nonce[4] krb5int32,
723 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
724 sam-nonce[0] krb5int32,
725 sam-sad[1] GeneralString OPTIONAL,
729 PA-S4U2Self ::= SEQUENCE {
730 name[0] PrincipalName,
733 auth[3] GeneralString
736 -- never encoded on the wire, just used to checksum over
737 KRB5SignedPathData ::= SEQUENCE {
738 client[0] Principal OPTIONAL,
739 authtime[1] KerberosTime,
740 delegated[2] Principals OPTIONAL,
741 method_data[3] METHOD-DATA OPTIONAL
744 KRB5SignedPath ::= SEQUENCE {
745 -- DERcoded KRB5SignedPathData
746 -- krbtgt key (etype), KeyUsage = XXX
749 -- srvs delegated though
750 delegated[2] Principals OPTIONAL,
751 method_data[3] METHOD-DATA OPTIONAL
754 PA-ClientCanonicalizedNames ::= SEQUENCE{
755 requested-name [0] PrincipalName,
756 mapped-name [1] PrincipalName
759 PA-ClientCanonicalized ::= SEQUENCE {
760 names [0] PA-ClientCanonicalizedNames,
761 canon-checksum [1] Checksum
764 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
765 login-alias [0] PrincipalName,
766 checksum [1] Checksum
770 PA-SvrReferralData ::= SEQUENCE {
771 referred-name [1] PrincipalName OPTIONAL,
772 referred-realm [0] Realm
775 PA-SERVER-REFERRAL-DATA ::= EncryptedData
777 PA-ServerReferralData ::= SEQUENCE {
778 referred-realm [0] Realm OPTIONAL,
779 true-principal-name [1] PrincipalName OPTIONAL,
780 requested-principal-name [2] PrincipalName OPTIONAL,
781 referral-valid-until [3] KerberosTime OPTIONAL,
785 FastOptions ::= BIT STRING {
787 hide-client-names(1),
788 kdc-follow-referrals(16)
791 KrbFastReq ::= SEQUENCE {
792 fast-options [0] FastOptions,
793 padata [1] METHOD-DATA,
794 req-body [2] KDC-REQ-BODY,
798 KrbFastArmor ::= SEQUENCE {
799 armor-type [0] krb5int32,
800 armor-value [1] OCTET STRING,
804 KrbFastArmoredReq ::= SEQUENCE {
805 armor [0] KrbFastArmor OPTIONAL,
806 req-checksum [1] Checksum,
807 enc-fast-req [2] EncryptedData -- KrbFastReq --
810 PA-FX-FAST-REQUEST ::= CHOICE {
811 armored-data [0] KrbFastArmoredReq,
815 KrbFastFinished ::= SEQUENCE {
816 timestamp [0] KerberosTime,
819 cname [3] PrincipalName,
820 ticket-checksum [4] Checksum,
824 KrbFastResponse ::= SEQUENCE {
825 padata [0] METHOD-DATA,
826 strengthen-key [1] EncryptionKey OPTIONAL,
827 finished [2] KrbFastFinished OPTIONAL,
828 nonce [3] krb5uint32,
832 KrbFastArmoredRep ::= SEQUENCE {
833 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
837 PA-FX-FAST-REPLY ::= CHOICE {
838 armored-data [0] KrbFastArmoredRep,
842 KDCFastFlags ::= BIT STRING {
845 reply_key_replaced(2),
849 -- KDCFastState is stored in FX_COOKIE
850 KDCFastState ::= SEQUENCE {
851 flags [0] KDCFastFlags,
852 expiration [1] GeneralizedTime,
853 fast-state [2] METHOD-DATA,
854 expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
857 KDCFastCookie ::= SEQUENCE {
858 version [0] UTF8String,
859 cookie [1] EncryptedData
862 KDC-PROXY-MESSAGE ::= SEQUENCE {
863 kerb-message [0] OCTET STRING,
864 target-domain [1] Realm OPTIONAL,
865 dclocator-hint [2] INTEGER OPTIONAL
868 -- these messages are used in the GSSCred communication and is not part of Kerberos propper
870 KERB-TIMES ::= SEQUENCE {
871 authtime [0] KerberosTime,
872 starttime [1] KerberosTime,
873 endtime [2] KerberosTime,
874 renew_till [3] KerberosTime
877 KERB-CRED ::= SEQUENCE {
878 client [0] Principal,
879 server [1] Principal,
880 keyblock [2] EncryptionKey,
881 times [3] KERB-TIMES,
882 ticket [4] OCTET STRING,
883 authdata [5] OCTET STRING,
884 addresses [6] HostAddresses,
885 flags [7] TicketFlags
888 KERB-TGS-REQ-IN ::= SEQUENCE {
889 cache [0] OCTET STRING SIZE (16),
890 addrs [1] HostAddresses,
891 flags [2] krb5uint32,
892 imp [3] Principal OPTIONAL,
893 ticket [4] OCTET STRING OPTIONAL,
894 in_cred [5] KERB-CRED,
895 krbtgt [6] KERB-CRED,
896 padata [7] METHOD-DATA
899 KERB-TGS-REQ-OUT ::= SEQUENCE {
900 subkey [0] EncryptionKey OPTIONAL,
906 KERB-TGS-REP-IN ::= SEQUENCE {
907 cache [0] OCTET STRING SIZE (16),
908 subkey [1] EncryptionKey OPTIONAL,
909 in_cred [2] KERB-CRED,
913 KERB-TGS-REP-OUT ::= SEQUENCE {
914 cache [0] OCTET STRING SIZE (16),
916 subkey [2] EncryptionKey
919 KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
920 armor [0] KrbFastArmor,
921 armor-key [1] EncryptionKey
927 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1