Test source name (and make the acceptor in ntlm gss mech useful).

[heimdal.git] / lib / asn1 / pkinit.asn1

-- $Id$ --

PKINIT DEFINITIONS ::= BEGIN

IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
        IssuerAndSerialNumber, ContentInfo FROM cms
        SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
        heim_any FROM heim;

id-pkinit OBJECT IDENTIFIER ::=
  { iso (1) org (3) dod (6) internet (1) security (5)
    kerberosv5 (2) pkinit (3) }

id-pkauthdata  OBJECT IDENTIFIER  ::= { id-pkinit 1 }
id-pkdhkeydata OBJECT IDENTIFIER  ::= { id-pkinit 2 }
id-pkrkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 3 }
id-pkekuoid    OBJECT IDENTIFIER  ::= { id-pkinit 4 }
id-pkkdcekuoid OBJECT IDENTIFIER  ::= { id-pkinit 5 }

id-pkinit-san   OBJECT IDENTIFIER ::=
  { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
    x509-sanan(2) }

id-pkinit-ms-eku OBJECT IDENTIFIER ::=
  { iso(1) org(3) dod(6) internet(1) private(4) 
    enterprise(1) microsoft(311) 20 2 2 }

id-pkinit-ms-san OBJECT IDENTIFIER ::=
  { iso(1) org(3) dod(6) internet(1) private(4) 
    enterprise(1) microsoft(311) 20 2 3 }

MS-UPN-SAN ::= UTF8String

pa-pk-as-req INTEGER ::=                  16
pa-pk-as-rep INTEGER ::=                  17

td-trusted-certifiers INTEGER ::=        104
td-invalid-certificates INTEGER ::=      105
td-dh-parameters INTEGER ::=             109

DHNonce ::= OCTET STRING

KDFAlgorithmId ::= SEQUENCE {
       kdf-id            [0] OBJECT IDENTIFIER,
       ...
}

TrustedCA ::= SEQUENCE {
        caName                  [0] IMPLICIT OCTET STRING,
        certificateSerialNumber [1] INTEGER OPTIONAL,
        subjectKeyIdentifier    [2] OCTET STRING OPTIONAL,
        ...
}

ExternalPrincipalIdentifier ::= SEQUENCE {
        subjectName             [0] IMPLICIT OCTET STRING OPTIONAL,
        issuerAndSerialNumber   [1] IMPLICIT OCTET STRING OPTIONAL,
        subjectKeyIdentifier    [2] IMPLICIT OCTET STRING OPTIONAL,
        ...
}

ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier

PA-PK-AS-REQ ::= SEQUENCE {
        signedAuthPack          [0] IMPLICIT OCTET STRING,
        trustedCertifiers       [1] ExternalPrincipalIdentifiers OPTIONAL,
        kdcPkId                 [2] IMPLICIT OCTET STRING OPTIONAL,
        ...
}

PKAuthenticator ::= SEQUENCE {
        cusec                   [0] INTEGER -- (0..999999) --,
        ctime                   [1] KerberosTime,
        nonce                   [2] INTEGER (0..4294967295),
        paChecksum              [3] OCTET STRING OPTIONAL,
        ...
}

AuthPack ::= SEQUENCE {
        pkAuthenticator         [0] PKAuthenticator,
        clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL,
        supportedCMSTypes       [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
        clientDHNonce           [3] DHNonce OPTIONAL,
        ...,
        supportedKDFs           [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
        ...
}

TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers

KRB5PrincipalName ::= SEQUENCE {
        realm                   [0] Realm,
        principalName           [1] PrincipalName
}

AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier

DHRepInfo ::= SEQUENCE {
        dhSignedData            [0] IMPLICIT OCTET STRING,
        serverDHNonce           [1] DHNonce OPTIONAL,
        ...,
        kdf                     [2] KDFAlgorithmId OPTIONAL,
        ...
}

PA-PK-AS-REP ::= CHOICE {
        dhInfo                  [0] DHRepInfo,
        encKeyPack              [1] IMPLICIT OCTET STRING,
        ...
}

KDCDHKeyInfo ::= SEQUENCE {
        subjectPublicKey        [0] BIT STRING,
        nonce                   [1] INTEGER (0..4294967295),
        dhKeyExpiration         [2] KerberosTime OPTIONAL,
        ...
}

ReplyKeyPack ::= SEQUENCE {
        replyKey                [0] EncryptionKey,
        asChecksum              [1] Checksum,
        ...
}

TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier


-- Windows compat glue --

PKAuthenticator-Win2k ::= SEQUENCE {
        kdcName                 [0] PrincipalName,
        kdcRealm                [1] Realm,
        cusec                   [2] INTEGER (0..4294967295),
        ctime                   [3] KerberosTime,
        nonce                   [4] INTEGER (-2147483648..2147483647)
}

AuthPack-Win2k ::= SEQUENCE {
        pkAuthenticator         [0] PKAuthenticator-Win2k,
        clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
}


TrustedCA-Win2k ::= CHOICE {
        caName                  [1] heim_any,
        issuerAndSerial         [2] IssuerAndSerialNumber
}

PA-PK-AS-REQ-Win2k ::= SEQUENCE { 
        signed-auth-pack        [0] IMPLICIT OCTET STRING, 
        trusted-certifiers      [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL, 
        kdc-cert                [3] IMPLICIT OCTET STRING OPTIONAL, 
        encryption-cert         [4] IMPLICIT OCTET STRING OPTIONAL
}

PA-PK-AS-REP-Win2k ::= CHOICE {
        dhSignedData            [0] IMPLICIT OCTET STRING, 
        encKeyPack              [1] IMPLICIT OCTET STRING
}


KDCDHKeyInfo-Win2k ::= SEQUENCE {
        nonce                   [0] INTEGER (-2147483648..2147483647),
        subjectPublicKey        [2] BIT STRING
}

ReplyKeyPack-Win2k ::= SEQUENCE {
        replyKey                [0] EncryptionKey,
        nonce                   [1] INTEGER (-2147483648..2147483647),
        ...
}

PkinitSuppPubInfo ::= SEQUENCE {
       enctype           [0] INTEGER (-2147483648..2147483647),
       as-REQ            [1] OCTET STRING,
       pk-as-rep         [2] OCTET STRING,
       ticket            [3] Ticket,
       ...
}

END