| blob | adc09ac68099c1e88fd4abd7ba8c3ca1f140f140 |
1 -- $Id$
3 KERBEROS5 DEFINITIONS ::=
4 BEGIN
6 NAME-TYPE ::= INTEGER {
7 KRB5_NT_UNKNOWN(0), -- Name type not known
8 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
9 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
10 KRB5_NT_SRV_HST(3), -- Service with host name as instance
11 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
12 KRB5_NT_UID(5), -- Unique ID
13 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
14 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
15 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
16 KRB5_NT_WELLKNOWN(11), -- Wellknown
17 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
18 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
19 KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
20 KRB5_NT_NTLM(-1200) -- NTLM name, realm is domain
21 }
23 -- message types
25 MESSAGE-TYPE ::= INTEGER {
26 krb-as-req(10), -- Request for initial authentication
27 krb-as-rep(11), -- Response to KRB_AS_REQ request
28 krb-tgs-req(12), -- Request for authentication based on TGT
29 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
30 krb-ap-req(14), -- application request to server
31 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
32 krb-safe(20), -- Safe (checksummed) application message
33 krb-priv(21), -- Private (encrypted) application message
34 krb-cred(22), -- Private (encrypted) message to forward credentials
35 krb-error(30) -- Error response
36 }
39 -- pa-data types
41 PADATA-TYPE ::= INTEGER {
42 KRB5-PADATA-NONE(0),
43 KRB5-PADATA-TGS-REQ(1),
44 KRB5-PADATA-AP-REQ(1),
45 KRB5-PADATA-ENC-TIMESTAMP(2),
46 KRB5-PADATA-PW-SALT(3),
47 KRB5-PADATA-ENC-UNIX-TIME(5),
48 KRB5-PADATA-SANDIA-SECUREID(6),
49 KRB5-PADATA-SESAME(7),
50 KRB5-PADATA-OSF-DCE(8),
51 KRB5-PADATA-CYBERSAFE-SECUREID(9),
52 KRB5-PADATA-AFS3-SALT(10),
53 KRB5-PADATA-ETYPE-INFO(11),
54 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
55 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
56 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
57 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
58 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
59 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
60 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
61 KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
62 KRB5-PADATA-ETYPE-INFO2(19),
63 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
64 KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
65 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
66 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
67 KRB5-PADATA-SAM-ETYPE-INFO(23),
68 KRB5-PADATA-SERVER-REFERRAL(25),
69 KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
70 KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
71 KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
72 KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
73 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
74 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
75 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
76 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
77 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
78 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
79 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
80 KRB5-PADATA-FOR-USER(129), -- MS-KILE
81 KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
82 KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
83 KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
84 KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
85 -- tell KDC that is supports
86 -- the asCheckSum in the
87 -- PK-AS-REP
88 KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referals
89 KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
90 KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
91 KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
92 KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
93 KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
94 KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
95 KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
96 KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
97 KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
98 KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
99 KRB5-PADATA-EPAK-AS-REQ(145),
100 KRB5-PADATA-EPAK-AS-REP(146),
101 KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
102 KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
103 KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
104 }
106 AUTHDATA-TYPE ::= INTEGER {
107 KRB5-AUTHDATA-IF-RELEVANT(1),
108 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
109 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
110 KRB5-AUTHDATA-KDC-ISSUED(4),
111 KRB5-AUTHDATA-AND-OR(5),
112 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
113 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
114 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
115 KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
116 KRB5-AUTHDATA-OSF-DCE(64),
117 KRB5-AUTHDATA-SESAME(65),
118 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
119 KRB5-AUTHDATA-WIN2K-PAC(128),
120 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
121 KRB5-AUTHDATA-SIGNTICKET-OLD(-17),
122 KRB5-AUTHDATA-SIGNTICKET(142)
123 }
125 -- checksumtypes
127 CKSUMTYPE ::= INTEGER {
128 CKSUMTYPE_NONE(0),
129 CKSUMTYPE_CRC32(1),
130 CKSUMTYPE_RSA_MD4(2),
131 CKSUMTYPE_RSA_MD4_DES(3),
132 CKSUMTYPE_DES_MAC(4),
133 CKSUMTYPE_DES_MAC_K(5),
134 CKSUMTYPE_RSA_MD4_DES_K(6),
135 CKSUMTYPE_RSA_MD5(7),
136 CKSUMTYPE_RSA_MD5_DES(8),
137 CKSUMTYPE_RSA_MD5_DES3(9),
138 CKSUMTYPE_SHA1_OTHER(10),
139 CKSUMTYPE_HMAC_SHA1_DES3(12),
140 CKSUMTYPE_SHA1(14),
141 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
142 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
143 CKSUMTYPE_GSSAPI(0x8003),
144 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
145 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
146 }
148 --enctypes
149 ENCTYPE ::= INTEGER {
150 ETYPE_NULL(0),
151 ETYPE_DES_CBC_CRC(1),
152 ETYPE_DES_CBC_MD4(2),
153 ETYPE_DES_CBC_MD5(3),
154 ETYPE_DES3_CBC_MD5(5),
155 ETYPE_OLD_DES3_CBC_SHA1(7),
156 ETYPE_SIGN_DSA_GENERATE(8),
157 ETYPE_ENCRYPT_RSA_PRIV(9),
158 ETYPE_ENCRYPT_RSA_PUB(10),
159 ETYPE_DES3_CBC_SHA1(16), -- with key derivation
160 ETYPE_AES128_CTS_HMAC_SHA1_96(17),
161 ETYPE_AES256_CTS_HMAC_SHA1_96(18),
162 ETYPE_ARCFOUR_HMAC_MD5(23),
163 ETYPE_ARCFOUR_HMAC_MD5_56(24),
164 ETYPE_ENCTYPE_PK_CROSS(48),
165 -- some "old" windows types
166 ETYPE_ARCFOUR_MD4(-128),
167 ETYPE_ARCFOUR_HMAC_OLD(-133),
168 ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
169 -- these are for Heimdal internal use
170 ETYPE_DES_CBC_NONE(-0x1000),
171 ETYPE_DES3_CBC_NONE(-0x1001),
172 ETYPE_DES_CFB64_NONE(-0x1002),
173 ETYPE_DES_PCBC_NONE(-0x1003),
174 ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
175 ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
176 }
181 -- this is sugar to make something ASN1 does not have: unsigned
183 krb5uint32 ::= INTEGER (0..4294967295)
184 krb5int32 ::= INTEGER (-2147483648..2147483647)
186 KerberosString ::= GeneralString
188 Realm ::= GeneralString
189 PrincipalName ::= SEQUENCE {
190 name-type[0] NAME-TYPE,
191 name-string[1] SEQUENCE OF GeneralString
192 }
194 -- this is not part of RFC1510
195 Principal ::= SEQUENCE {
196 name[0] PrincipalName,
197 realm[1] Realm
198 }
200 Principals ::= SEQUENCE OF Principal
202 HostAddress ::= SEQUENCE {
203 addr-type[0] krb5int32,
204 address[1] OCTET STRING
205 }
207 -- This is from RFC1510.
208 --
209 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
210 -- addr-type[0] krb5int32,
211 -- address[1] OCTET STRING
212 -- }
214 -- This seems much better.
215 HostAddresses ::= SEQUENCE OF HostAddress
218 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
220 AuthorizationDataElement ::= SEQUENCE {
221 ad-type[0] krb5int32,
222 ad-data[1] OCTET STRING
223 }
225 AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
227 APOptions ::= BIT STRING {
228 reserved(0),
229 use-session-key(1),
230 mutual-required(2)
231 }
233 TicketFlags ::= BIT STRING {
234 reserved(0),
235 forwardable(1),
236 forwarded(2),
237 proxiable(3),
238 proxy(4),
239 may-postdate(5),
240 postdated(6),
241 invalid(7),
242 renewable(8),
243 initial(9),
244 pre-authent(10),
245 hw-authent(11),
246 transited-policy-checked(12),
247 ok-as-delegate(13),
248 anonymous(14)
249 }
251 KDCOptions ::= BIT STRING {
252 reserved(0),
253 forwardable(1),
254 forwarded(2),
255 proxiable(3),
256 proxy(4),
257 allow-postdate(5),
258 postdated(6),
259 unused7(7),
260 renewable(8),
261 unused9(9),
262 unused10(10),
263 unused11(11),
264 request-anonymous(14),
265 canonicalize(15),
266 constrained-delegation(16), -- ms extension
267 disable-transited-check(26),
268 renewable-ok(27),
269 enc-tkt-in-skey(28),
270 renew(30),
271 validate(31)
272 }
274 LR-TYPE ::= INTEGER {
275 LR_NONE(0), -- no information
276 LR_INITIAL_TGT(1), -- last initial TGT request
277 LR_INITIAL(2), -- last initial request
278 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
279 LR_RENEWAL(4), -- time of last renewal
280 LR_REQUEST(5), -- time of last request (of any type)
281 LR_PW_EXPTIME(6), -- expiration time of password
282 LR_ACCT_EXPTIME(7) -- expiration time of account
283 }
285 LastReq ::= SEQUENCE OF SEQUENCE {
286 lr-type[0] LR-TYPE,
287 lr-value[1] KerberosTime
288 }
291 EncryptedData ::= SEQUENCE {
292 etype[0] ENCTYPE, -- EncryptionType
293 kvno[1] krb5int32 OPTIONAL,
294 cipher[2] OCTET STRING -- ciphertext
295 }
297 EncryptionKey ::= SEQUENCE {
298 keytype[0] krb5int32,
299 keyvalue[1] OCTET STRING
300 }
302 -- encoded Transited field
303 TransitedEncoding ::= SEQUENCE {
304 tr-type[0] krb5int32, -- must be registered
305 contents[1] OCTET STRING
306 }
308 Ticket ::= [APPLICATION 1] SEQUENCE {
309 tkt-vno[0] krb5int32,
310 realm[1] Realm,
311 sname[2] PrincipalName,
312 enc-part[3] EncryptedData
313 }
314 -- Encrypted part of ticket
315 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
316 flags[0] TicketFlags,
317 key[1] EncryptionKey,
318 crealm[2] Realm,
319 cname[3] PrincipalName,
320 transited[4] TransitedEncoding,
321 authtime[5] KerberosTime,
322 starttime[6] KerberosTime OPTIONAL,
323 endtime[7] KerberosTime,
324 renew-till[8] KerberosTime OPTIONAL,
325 caddr[9] HostAddresses OPTIONAL,
326 authorization-data[10] AuthorizationData OPTIONAL
327 }
329 Checksum ::= SEQUENCE {
330 cksumtype[0] CKSUMTYPE,
331 checksum[1] OCTET STRING
332 }
334 Authenticator ::= [APPLICATION 2] SEQUENCE {
335 authenticator-vno[0] krb5int32,
336 crealm[1] Realm,
337 cname[2] PrincipalName,
338 cksum[3] Checksum OPTIONAL,
339 cusec[4] krb5int32,
340 ctime[5] KerberosTime,
341 subkey[6] EncryptionKey OPTIONAL,
342 seq-number[7] krb5uint32 OPTIONAL,
343 authorization-data[8] AuthorizationData OPTIONAL
344 }
346 PA-DATA ::= SEQUENCE {
347 -- might be encoded AP-REQ
348 padata-type[1] PADATA-TYPE,
349 padata-value[2] OCTET STRING
350 }
352 ETYPE-INFO-ENTRY ::= SEQUENCE {
353 etype[0] ENCTYPE,
354 salt[1] OCTET STRING OPTIONAL,
355 salttype[2] krb5int32 OPTIONAL
356 }
358 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
360 ETYPE-INFO2-ENTRY ::= SEQUENCE {
361 etype[0] ENCTYPE,
362 salt[1] KerberosString OPTIONAL,
363 s2kparams[2] OCTET STRING OPTIONAL
364 }
366 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
368 METHOD-DATA ::= SEQUENCE OF PA-DATA
370 TypedData ::= SEQUENCE {
371 data-type[0] krb5int32,
372 data-value[1] OCTET STRING OPTIONAL
373 }
375 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
377 KDC-REQ-BODY ::= SEQUENCE {
378 kdc-options[0] KDCOptions,
379 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
380 realm[2] Realm, -- Server's realm
381 -- Also client's in AS-REQ
382 sname[3] PrincipalName OPTIONAL,
383 from[4] KerberosTime OPTIONAL,
384 till[5] KerberosTime OPTIONAL,
385 rtime[6] KerberosTime OPTIONAL,
386 nonce[7] krb5int32,
387 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
388 -- in preference order
389 addresses[9] HostAddresses OPTIONAL,
390 enc-authorization-data[10] EncryptedData OPTIONAL,
391 -- Encrypted AuthorizationData encoding
392 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
393 }
395 KDC-REQ ::= SEQUENCE {
396 pvno[1] krb5int32,
397 msg-type[2] MESSAGE-TYPE,
398 padata[3] METHOD-DATA OPTIONAL,
399 req-body[4] KDC-REQ-BODY
400 }
402 AS-REQ ::= [APPLICATION 10] KDC-REQ
403 TGS-REQ ::= [APPLICATION 12] KDC-REQ
405 -- padata-type ::= PA-ENC-TIMESTAMP
406 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
408 PA-ENC-TS-ENC ::= SEQUENCE {
409 patimestamp[0] KerberosTime, -- client's time
410 pausec[1] krb5int32 OPTIONAL
411 }
413 -- draft-brezak-win2k-krb-authz-01
414 PA-PAC-REQUEST ::= SEQUENCE {
415 include-pac[0] BOOLEAN -- Indicates whether a PAC
416 -- should be included or not
417 }
419 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
420 PROV-SRV-LOCATION ::= GeneralString
422 KDC-REP ::= SEQUENCE {
423 pvno[0] krb5int32,
424 msg-type[1] MESSAGE-TYPE,
425 padata[2] METHOD-DATA OPTIONAL,
426 crealm[3] Realm,
427 cname[4] PrincipalName,
428 ticket[5] Ticket,
429 enc-part[6] EncryptedData
430 }
432 AS-REP ::= [APPLICATION 11] KDC-REP
433 TGS-REP ::= [APPLICATION 13] KDC-REP
435 EncKDCRepPart ::= SEQUENCE {
436 key[0] EncryptionKey,
437 last-req[1] LastReq,
438 nonce[2] krb5int32,
439 key-expiration[3] KerberosTime OPTIONAL,
440 flags[4] TicketFlags,
441 authtime[5] KerberosTime,
442 starttime[6] KerberosTime OPTIONAL,
443 endtime[7] KerberosTime,
444 renew-till[8] KerberosTime OPTIONAL,
445 srealm[9] Realm,
446 sname[10] PrincipalName,
447 caddr[11] HostAddresses OPTIONAL,
448 encrypted-pa-data[12] METHOD-DATA OPTIONAL
449 }
451 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
452 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
454 AP-REQ ::= [APPLICATION 14] SEQUENCE {
455 pvno[0] krb5int32,
456 msg-type[1] MESSAGE-TYPE,
457 ap-options[2] APOptions,
458 ticket[3] Ticket,
459 authenticator[4] EncryptedData
460 }
462 AP-REP ::= [APPLICATION 15] SEQUENCE {
463 pvno[0] krb5int32,
464 msg-type[1] MESSAGE-TYPE,
465 enc-part[2] EncryptedData
466 }
468 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
469 ctime[0] KerberosTime,
470 cusec[1] krb5int32,
471 subkey[2] EncryptionKey OPTIONAL,
472 seq-number[3] krb5uint32 OPTIONAL
473 }
475 KRB-SAFE-BODY ::= SEQUENCE {
476 user-data[0] OCTET STRING,
477 timestamp[1] KerberosTime OPTIONAL,
478 usec[2] krb5int32 OPTIONAL,
479 seq-number[3] krb5uint32 OPTIONAL,
480 s-address[4] HostAddress OPTIONAL,
481 r-address[5] HostAddress OPTIONAL
482 }
484 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
485 pvno[0] krb5int32,
486 msg-type[1] MESSAGE-TYPE,
487 safe-body[2] KRB-SAFE-BODY,
488 cksum[3] Checksum
489 }
491 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
492 pvno[0] krb5int32,
493 msg-type[1] MESSAGE-TYPE,
494 enc-part[3] EncryptedData
495 }
496 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
497 user-data[0] OCTET STRING,
498 timestamp[1] KerberosTime OPTIONAL,
499 usec[2] krb5int32 OPTIONAL,
500 seq-number[3] krb5uint32 OPTIONAL,
501 s-address[4] HostAddress OPTIONAL, -- sender's addr
502 r-address[5] HostAddress OPTIONAL -- recip's addr
503 }
505 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
506 pvno[0] krb5int32,
507 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
508 tickets[2] SEQUENCE OF Ticket,
509 enc-part[3] EncryptedData
510 }
512 KrbCredInfo ::= SEQUENCE {
513 key[0] EncryptionKey,
514 prealm[1] Realm OPTIONAL,
515 pname[2] PrincipalName OPTIONAL,
516 flags[3] TicketFlags OPTIONAL,
517 authtime[4] KerberosTime OPTIONAL,
518 starttime[5] KerberosTime OPTIONAL,
519 endtime[6] KerberosTime OPTIONAL,
520 renew-till[7] KerberosTime OPTIONAL,
521 srealm[8] Realm OPTIONAL,
522 sname[9] PrincipalName OPTIONAL,
523 caddr[10] HostAddresses OPTIONAL
524 }
526 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
527 ticket-info[0] SEQUENCE OF KrbCredInfo,
528 nonce[1] krb5int32 OPTIONAL,
529 timestamp[2] KerberosTime OPTIONAL,
530 usec[3] krb5int32 OPTIONAL,
531 s-address[4] HostAddress OPTIONAL,
532 r-address[5] HostAddress OPTIONAL
533 }
535 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
536 pvno[0] krb5int32,
537 msg-type[1] MESSAGE-TYPE,
538 ctime[2] KerberosTime OPTIONAL,
539 cusec[3] krb5int32 OPTIONAL,
540 stime[4] KerberosTime,
541 susec[5] krb5int32,
542 error-code[6] krb5int32,
543 crealm[7] Realm OPTIONAL,
544 cname[8] PrincipalName OPTIONAL,
545 realm[9] Realm, -- Correct realm
546 sname[10] PrincipalName, -- Correct name
547 e-text[11] GeneralString OPTIONAL,
548 e-data[12] OCTET STRING OPTIONAL
549 }
551 ChangePasswdDataMS ::= SEQUENCE {
552 newpasswd[0] OCTET STRING,
553 targname[1] PrincipalName OPTIONAL,
554 targrealm[2] Realm OPTIONAL
555 }
557 EtypeList ::= SEQUENCE OF krb5int32
558 -- the client's proposed enctype list in
559 -- decreasing preference order, favorite choice first
561 krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
563 -- transited encodings
565 DOMAIN-X500-COMPRESS krb5int32 ::= 1
567 -- authorization data primitives
569 AD-IF-RELEVANT ::= AuthorizationData
571 AD-KDCIssued ::= SEQUENCE {
572 ad-checksum[0] Checksum,
573 i-realm[1] Realm OPTIONAL,
574 i-sname[2] PrincipalName OPTIONAL,
575 elements[3] AuthorizationData
576 }
578 AD-AND-OR ::= SEQUENCE {
579 condition-count[0] INTEGER,
580 elements[1] AuthorizationData
581 }
583 AD-MANDATORY-FOR-KDC ::= AuthorizationData
585 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
587 PA-SAM-TYPE ::= INTEGER {
588 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
589 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
590 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
591 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
592 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
593 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
594 }
596 PA-SAM-REDIRECT ::= HostAddresses
598 SAMFlags ::= BIT STRING {
599 use-sad-as-key(0),
600 send-encrypted-sad(1),
601 must-pk-encrypt-sad(2)
602 }
604 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
605 sam-type[0] krb5int32,
606 sam-flags[1] SAMFlags,
607 sam-type-name[2] GeneralString OPTIONAL,
608 sam-track-id[3] GeneralString OPTIONAL,
609 sam-challenge-label[4] GeneralString OPTIONAL,
610 sam-challenge[5] GeneralString OPTIONAL,
611 sam-response-prompt[6] GeneralString OPTIONAL,
612 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
613 sam-nonce[8] krb5int32,
614 sam-etype[9] krb5int32,
615 ...
616 }
618 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
619 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
620 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
621 ...
622 }
624 PA-SAM-RESPONSE-2 ::= SEQUENCE {
625 sam-type[0] krb5int32,
626 sam-flags[1] SAMFlags,
627 sam-track-id[2] GeneralString OPTIONAL,
628 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
629 sam-nonce[4] krb5int32,
630 ...
631 }
633 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
634 sam-nonce[0] krb5int32,
635 sam-sad[1] GeneralString OPTIONAL,
636 ...
637 }
639 PA-S4U2Self ::= SEQUENCE {
640 name[0] PrincipalName,
641 realm[1] Realm,
642 cksum[2] Checksum,
643 auth[3] GeneralString
644 }
646 -- never encoded on the wire, just used to checksum over
647 KRB5SignedPathData ::= SEQUENCE {
648 client[0] Principal OPTIONAL,
649 authtime[1] KerberosTime,
650 delegated[2] Principals OPTIONAL,
651 method_data[3] METHOD-DATA OPTIONAL
652 }
654 KRB5SignedPath ::= SEQUENCE {
655 -- DERcoded KRB5SignedPathData
656 -- krbtgt key (etype), KeyUsage = XXX
657 etype[0] ENCTYPE,
658 cksum[1] Checksum,
659 -- srvs delegated though
660 delegated[2] Principals OPTIONAL,
661 method_data[3] METHOD-DATA OPTIONAL
662 }
664 PA-ClientCanonicalizedNames ::= SEQUENCE{
665 requested-name [0] PrincipalName,
666 mapped-name [1] PrincipalName
667 }
669 PA-ClientCanonicalized ::= SEQUENCE {
670 names [0] PA-ClientCanonicalizedNames,
671 canon-checksum [1] Checksum
672 }
674 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
675 login-alias [0] PrincipalName,
676 checksum [1] Checksum
677 }
679 -- old ms referral
680 PA-SvrReferralData ::= SEQUENCE {
681 referred-name [1] PrincipalName OPTIONAL,
682 referred-realm [0] Realm
683 }
685 PA-SERVER-REFERRAL-DATA ::= EncryptedData
687 PA-ServerReferralData ::= SEQUENCE {
688 referred-realm [0] Realm OPTIONAL,
689 true-principal-name [1] PrincipalName OPTIONAL,
690 requested-principal-name [2] PrincipalName OPTIONAL,
691 referral-valid-until [3] KerberosTime OPTIONAL,
692 ...
693 }
695 FastOptions ::= BIT STRING {
696 reserved(0),
697 hide-client-names(1),
698 kdc-follow--referrals(16)
699 }
701 KrbFastReq ::= SEQUENCE {
702 fast-options [0] FastOptions,
703 padata [1] SEQUENCE OF PA-DATA,
704 req-body [2] KDC-REQ-BODY,
705 ...
706 }
708 KrbFastArmor ::= SEQUENCE {
709 armor-type [0] krb5int32,
710 armor-value [1] OCTET STRING,
711 ...
712 }
714 KrbFastArmoredReq ::= SEQUENCE {
715 armor [0] KrbFastArmor OPTIONAL,
716 req-checksum [1] Checksum,
717 enc-fast-req [2] EncryptedData -- KrbFastReq --
718 }
720 PA-FX-FAST-REQUEST ::= CHOICE {
721 armored-data [0] KrbFastArmoredReq,
722 ...
723 }
725 KrbFastFinished ::= SEQUENCE {
726 timestamp [0] KerberosTime,
727 usec [1] krb5int32,
728 crealm [2] Realm,
729 cname [3] PrincipalName,
730 checksum [4] Checksum,
731 ticket-checksum [5] Checksum,
732 ...
733 }
735 KrbFastResponse ::= SEQUENCE {
736 padata [0] SEQUENCE OF PA-DATA,
737 rep-key [1] EncryptionKey OPTIONAL,
738 finished [2] KrbFastFinished OPTIONAL,
739 ...
740 }
742 KrbFastArmoredRep ::= SEQUENCE {
743 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
744 ...
745 }
747 PA-FX-FAST-REPLY ::= CHOICE {
748 armored-data [0] KrbFastArmoredRep,
749 ...
750 }
752 END
754 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1