| blob | 12986ea4e06455822cb7449a4ec7ee39fa8d37fa |
1 -- $Id$
3 KERBEROS5 DEFINITIONS ::=
4 BEGIN
5 EXPORTS
6 AD-AND-OR,
7 AD-IF-RELEVANT,
8 AD-KDCIssued,
9 AD-LoginAlias,
10 AP-REP,
11 AP-REQ,
12 AS-REP,
13 AS-REQ,
14 AUTHDATA-TYPE,
15 Authenticator,
16 AuthorizationData,
17 AuthorizationDataElement,
18 CKSUMTYPE,
19 ChangePasswdDataMS,
20 Checksum,
21 ENCTYPE,
22 ETYPE-INFO,
23 ETYPE-INFO-ENTRY,
24 ETYPE-INFO2,
25 ETYPE-INFO2-ENTRY,
26 EncAPRepPart,
27 EncASRepPart,
28 EncKDCRepPart,
29 EncKrbCredPart,
30 EncKrbPrivPart,
31 EncTGSRepPart,
32 EncTicketPart,
33 EncryptedData,
34 EncryptionKey,
35 EtypeList,
36 HostAddress,
37 HostAddresses,
38 KDC-REQ-BODY,
39 KDCOptions,
40 KDC-REP,
41 KRB-CRED,
42 KRB-ERROR,
43 KRB-PRIV,
44 KRB-SAFE,
45 KRB-SAFE-BODY,
46 KRB5SignedPath,
47 KRB5SignedPathData,
48 KRB5SignedPathPrincipals,
49 KerberosString,
50 KerberosTime,
51 KrbCredInfo,
52 LR-TYPE,
53 LastReq,
54 METHOD-DATA,
55 NAME-TYPE,
56 PA-ClientCanonicalized,
57 PA-ClientCanonicalizedNames,
58 PA-DATA,
59 PA-ENC-TS-ENC,
60 PA-PAC-REQUEST,
61 PA-S4U2Self,
62 PA-SERVER-REFERRAL-DATA,
63 PA-ServerReferralData,
64 PA-SvrReferralData,
65 PADATA-TYPE,
66 PA-FX-FAST-REQUEST,
67 PA-FX-FAST-REPLY,
68 Principal,
69 PrincipalName,
70 Principals,
71 Realm,
72 TGS-REP,
73 TGS-REQ,
74 Ticket,
75 TicketFlags,
76 TransitedEncoding,
77 TypedData,
78 KrbFastResponse,
79 KrbFastFinished,
80 KrbFastReq,
81 KrbFastArmor,
82 KDCFastState,
83 KDCFastCookie,
84 KDC-PROXY-MESSAGE,
85 KERB-TIMES,
86 KERB-CRED,
87 KERB-TGS-REQ-IN,
88 KERB-TGS-REQ-OUT,
89 KERB-ARMOR-SERVICE-REPLY
90 ;
92 NAME-TYPE ::= INTEGER {
93 KRB5_NT_UNKNOWN(0), -- Name type not known
94 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
95 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
96 KRB5_NT_SRV_HST(3), -- Service with host name as instance
97 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
98 KRB5_NT_UID(5), -- Unique ID
99 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
100 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
101 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
102 KRB5_NT_WELLKNOWN(11), -- Wellknown
103 KRB5_NT_SRV_HST_DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
104 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
105 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
106 KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
107 KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
108 KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
109 KRB5_NT_GSS_HOSTBASED_SERVICE(-1202), -- not used; remove
110 KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
111 KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- Internal: indicates that name canonicalization is needed
112 }
114 -- message types
116 MESSAGE-TYPE ::= INTEGER {
117 krb-as-req(10), -- Request for initial authentication
118 krb-as-rep(11), -- Response to KRB_AS_REQ request
119 krb-tgs-req(12), -- Request for authentication based on TGT
120 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
121 krb-ap-req(14), -- application request to server
122 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
123 krb-safe(20), -- Safe (checksummed) application message
124 krb-priv(21), -- Private (encrypted) application message
125 krb-cred(22), -- Private (encrypted) message to forward credentials
126 krb-error(30) -- Error response
127 }
130 -- pa-data types
132 PADATA-TYPE ::= INTEGER {
133 KRB5-PADATA-NONE(0),
134 KRB5-PADATA-TGS-REQ(1),
135 KRB5-PADATA-AP-REQ(1),
136 KRB5-PADATA-ENC-TIMESTAMP(2),
137 KRB5-PADATA-PW-SALT(3),
138 KRB5-PADATA-ENC-UNIX-TIME(5),
139 KRB5-PADATA-SANDIA-SECUREID(6),
140 KRB5-PADATA-SESAME(7),
141 KRB5-PADATA-OSF-DCE(8),
142 KRB5-PADATA-CYBERSAFE-SECUREID(9),
143 KRB5-PADATA-AFS3-SALT(10),
144 KRB5-PADATA-ETYPE-INFO(11),
145 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
146 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
147 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
148 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
149 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
150 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
151 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
152 KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
153 KRB5-PADATA-ETYPE-INFO2(19),
154 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
155 KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
156 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
157 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
158 KRB5-PADATA-SAM-ETYPE-INFO(23),
159 KRB5-PADATA-SERVER-REFERRAL(25),
160 KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
161 KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
162 KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
163 KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
164 KRB5-PADATA-FX-FAST-ARMOR(71), -- fast armor
165 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
166 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
167 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
168 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
169 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
170 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
171 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
172 KRB5-PADATA-FOR-USER(129), -- MS-KILE
173 KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
174 KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
175 KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
176 KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
177 -- tell KDC that is supports
178 -- the asCheckSum in the
179 -- PK-AS-REP
180 KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
181 KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
182 KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
183 KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
184 KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
185 KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
186 KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
187 KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
188 KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
189 KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
190 KRB5-PADATA-EPAK-AS-REQ(145),
191 KRB5-PADATA-EPAK-AS-REP(146),
192 KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
193 KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
194 KRB5-PADATA-REQ-ENC-PA-REP(149), --
195 KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
196 }
198 AUTHDATA-TYPE ::= INTEGER {
199 KRB5-AUTHDATA-IF-RELEVANT(1),
200 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
201 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
202 KRB5-AUTHDATA-KDC-ISSUED(4),
203 KRB5-AUTHDATA-AND-OR(5),
204 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
205 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
206 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
207 KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
208 KRB5-AUTHDATA-OSF-DCE(64),
209 KRB5-AUTHDATA-SESAME(65),
210 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
211 KRB5-AUTHDATA-WIN2K-PAC(128),
212 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
213 KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
214 KRB5-AUTHDATA-SIGNTICKET-OLD(142),
215 KRB5-AUTHDATA-SIGNTICKET(512)
216 }
218 -- checksumtypes
220 CKSUMTYPE ::= INTEGER {
221 CKSUMTYPE_NONE(0),
222 CKSUMTYPE_CRC32(1),
223 CKSUMTYPE_RSA_MD4(2),
224 CKSUMTYPE_RSA_MD4_DES(3),
225 CKSUMTYPE_DES_MAC(4),
226 CKSUMTYPE_DES_MAC_K(5),
227 CKSUMTYPE_RSA_MD4_DES_K(6),
228 CKSUMTYPE_RSA_MD5(7),
229 CKSUMTYPE_RSA_MD5_DES(8),
230 CKSUMTYPE_RSA_MD5_DES3(9),
231 CKSUMTYPE_SHA1_OTHER(10),
232 CKSUMTYPE_HMAC_SHA1_DES3(12),
233 CKSUMTYPE_SHA1(14),
234 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
235 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
236 CKSUMTYPE_HMAC_SHA256_128_AES128(19),
237 CKSUMTYPE_HMAC_SHA384_192_AES256(20),
238 CKSUMTYPE_GSSAPI(0x8003),
239 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
240 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
241 }
243 --enctypes
244 ENCTYPE ::= INTEGER {
245 KRB5_ENCTYPE_NULL(0),
246 KRB5_ENCTYPE_DES_CBC_CRC(1),
247 KRB5_ENCTYPE_DES_CBC_MD4(2),
248 KRB5_ENCTYPE_DES_CBC_MD5(3),
249 KRB5_ENCTYPE_DES3_CBC_MD5(5),
250 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
251 KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
252 KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
253 KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
254 KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
255 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
256 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
257 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128(19),
258 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192(20),
259 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
260 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
261 KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
262 -- some "old" windows types
263 KRB5_ENCTYPE_ARCFOUR_MD4(-128),
264 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
265 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
266 -- these are for Heimdal internal use
267 KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
268 KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
269 KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
270 KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
271 KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
272 KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
273 }
278 -- this is sugar to make something ASN1 does not have: unsigned
280 krb5uint32 ::= INTEGER (0..4294967295)
281 krb5int32 ::= INTEGER (-2147483648..2147483647)
283 KerberosString ::= GeneralString
285 Realm ::= GeneralString
286 PrincipalName ::= SEQUENCE {
287 name-type[0] NAME-TYPE,
288 name-string[1] SEQUENCE OF GeneralString
289 }
291 -- this is not part of RFC1510
292 Principal ::= SEQUENCE {
293 name[0] PrincipalName,
294 realm[1] Realm
295 }
297 Principals ::= SEQUENCE OF Principal
299 HostAddress ::= SEQUENCE {
300 addr-type[0] krb5int32,
301 address[1] OCTET STRING
302 }
304 -- This is from RFC1510.
305 --
306 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
307 -- addr-type[0] krb5int32,
308 -- address[1] OCTET STRING
309 -- }
311 -- This seems much better.
312 HostAddresses ::= SEQUENCE OF HostAddress
315 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
317 AuthorizationDataElement ::= SEQUENCE {
318 ad-type[0] krb5int32,
319 ad-data[1] OCTET STRING
320 }
322 AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
324 APOptions ::= BIT STRING {
325 reserved(0),
326 use-session-key(1),
327 mutual-required(2)
328 }
330 TicketFlags ::= BIT STRING {
331 reserved(0),
332 forwardable(1),
333 forwarded(2),
334 proxiable(3),
335 proxy(4),
336 may-postdate(5),
337 postdated(6),
338 invalid(7),
339 renewable(8),
340 initial(9),
341 pre-authent(10),
342 hw-authent(11),
343 transited-policy-checked(12),
344 ok-as-delegate(13),
345 enc-pa-rep(15),
346 anonymous(16)
347 }
349 KDCOptions ::= BIT STRING {
350 reserved(0),
351 forwardable(1),
352 forwarded(2),
353 proxiable(3),
354 proxy(4),
355 allow-postdate(5),
356 postdated(6),
357 renewable(8),
358 constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
359 canonicalize(15),
360 request-anonymous(16),
361 disable-transited-check(26),
362 renewable-ok(27),
363 enc-tkt-in-skey(28),
364 renew(30),
365 validate(31)
366 }
368 LR-TYPE ::= INTEGER {
369 LR_NONE(0), -- no information
370 LR_INITIAL_TGT(1), -- last initial TGT request
371 LR_INITIAL(2), -- last initial request
372 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
373 LR_RENEWAL(4), -- time of last renewal
374 LR_REQUEST(5), -- time of last request (of any type)
375 LR_PW_EXPTIME(6), -- expiration time of password
376 LR_ACCT_EXPTIME(7) -- expiration time of account
377 }
379 LastReq ::= SEQUENCE OF SEQUENCE {
380 lr-type[0] LR-TYPE,
381 lr-value[1] KerberosTime
382 }
385 EncryptedData ::= SEQUENCE {
386 etype[0] ENCTYPE, -- EncryptionType
387 kvno[1] krb5int32 OPTIONAL,
388 cipher[2] OCTET STRING -- ciphertext
389 }
391 EncryptionKey ::= SEQUENCE {
392 keytype[0] krb5int32,
393 keyvalue[1] OCTET STRING
394 }
396 -- encoded Transited field
397 TransitedEncoding ::= SEQUENCE {
398 tr-type[0] krb5int32, -- must be registered
399 contents[1] OCTET STRING
400 }
402 Ticket ::= [APPLICATION 1] SEQUENCE {
403 tkt-vno[0] krb5int32,
404 realm[1] Realm,
405 sname[2] PrincipalName,
406 enc-part[3] EncryptedData
407 }
408 -- Encrypted part of ticket
409 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
410 flags[0] TicketFlags,
411 key[1] EncryptionKey,
412 crealm[2] Realm,
413 cname[3] PrincipalName,
414 transited[4] TransitedEncoding,
415 authtime[5] KerberosTime,
416 starttime[6] KerberosTime OPTIONAL,
417 endtime[7] KerberosTime,
418 renew-till[8] KerberosTime OPTIONAL,
419 caddr[9] HostAddresses OPTIONAL,
420 authorization-data[10] AuthorizationData OPTIONAL
421 }
423 Checksum ::= SEQUENCE {
424 cksumtype[0] CKSUMTYPE,
425 checksum[1] OCTET STRING
426 }
428 Authenticator ::= [APPLICATION 2] SEQUENCE {
429 authenticator-vno[0] krb5int32,
430 crealm[1] Realm,
431 cname[2] PrincipalName,
432 cksum[3] Checksum OPTIONAL,
433 cusec[4] krb5int32,
434 ctime[5] KerberosTime,
435 subkey[6] EncryptionKey OPTIONAL,
436 seq-number[7] krb5uint32 OPTIONAL,
437 authorization-data[8] AuthorizationData OPTIONAL
438 }
440 PA-DATA ::= SEQUENCE {
441 -- might be encoded AP-REQ
442 padata-type[1] PADATA-TYPE,
443 padata-value[2] OCTET STRING
444 }
446 ETYPE-INFO-ENTRY ::= SEQUENCE {
447 etype[0] ENCTYPE,
448 salt[1] OCTET STRING OPTIONAL,
449 salttype[2] krb5int32 OPTIONAL
450 }
452 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
454 ETYPE-INFO2-ENTRY ::= SEQUENCE {
455 etype[0] ENCTYPE,
456 salt[1] KerberosString OPTIONAL,
457 s2kparams[2] OCTET STRING OPTIONAL
458 }
460 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
462 METHOD-DATA ::= SEQUENCE OF PA-DATA
464 TypedData ::= SEQUENCE {
465 data-type[0] krb5int32,
466 data-value[1] OCTET STRING OPTIONAL
467 }
469 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
471 KDC-REQ-BODY ::= SEQUENCE {
472 kdc-options[0] KDCOptions,
473 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
474 realm[2] Realm, -- Server's realm
475 -- Also client's in AS-REQ
476 sname[3] PrincipalName OPTIONAL,
477 from[4] KerberosTime OPTIONAL,
478 till[5] KerberosTime OPTIONAL,
479 rtime[6] KerberosTime OPTIONAL,
480 nonce[7] krb5int32,
481 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
482 -- in preference order
483 addresses[9] HostAddresses OPTIONAL,
484 enc-authorization-data[10] EncryptedData OPTIONAL,
485 -- Encrypted AuthorizationData encoding
486 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
487 }
489 KDC-REQ ::= SEQUENCE {
490 pvno[1] krb5int32,
491 msg-type[2] MESSAGE-TYPE,
492 padata[3] METHOD-DATA OPTIONAL,
493 req-body[4] KDC-REQ-BODY
494 }
496 AS-REQ ::= [APPLICATION 10] KDC-REQ
497 TGS-REQ ::= [APPLICATION 12] KDC-REQ
499 -- padata-type ::= PA-ENC-TIMESTAMP
500 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
502 PA-ENC-TS-ENC ::= SEQUENCE {
503 patimestamp[0] KerberosTime, -- client's time
504 pausec[1] krb5int32 OPTIONAL
505 }
507 -- draft-brezak-win2k-krb-authz-01
508 PA-PAC-REQUEST ::= SEQUENCE {
509 include-pac[0] BOOLEAN -- Indicates whether a PAC
510 -- should be included or not
511 }
513 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
514 PROV-SRV-LOCATION ::= GeneralString
516 KDC-REP ::= SEQUENCE {
517 pvno[0] krb5int32,
518 msg-type[1] MESSAGE-TYPE,
519 padata[2] METHOD-DATA OPTIONAL,
520 crealm[3] Realm,
521 cname[4] PrincipalName,
522 ticket[5] Ticket,
523 enc-part[6] EncryptedData
524 }
526 AS-REP ::= [APPLICATION 11] KDC-REP
527 TGS-REP ::= [APPLICATION 13] KDC-REP
529 EncKDCRepPart ::= SEQUENCE {
530 key[0] EncryptionKey,
531 last-req[1] LastReq,
532 nonce[2] krb5int32,
533 key-expiration[3] KerberosTime OPTIONAL,
534 flags[4] TicketFlags,
535 authtime[5] KerberosTime,
536 starttime[6] KerberosTime OPTIONAL,
537 endtime[7] KerberosTime,
538 renew-till[8] KerberosTime OPTIONAL,
539 srealm[9] Realm,
540 sname[10] PrincipalName,
541 caddr[11] HostAddresses OPTIONAL,
542 encrypted-pa-data[12] METHOD-DATA OPTIONAL
543 }
545 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
546 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
548 AP-REQ ::= [APPLICATION 14] SEQUENCE {
549 pvno[0] krb5int32,
550 msg-type[1] MESSAGE-TYPE,
551 ap-options[2] APOptions,
552 ticket[3] Ticket,
553 authenticator[4] EncryptedData
554 }
556 AP-REP ::= [APPLICATION 15] SEQUENCE {
557 pvno[0] krb5int32,
558 msg-type[1] MESSAGE-TYPE,
559 enc-part[2] EncryptedData
560 }
562 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
563 ctime[0] KerberosTime,
564 cusec[1] krb5int32,
565 subkey[2] EncryptionKey OPTIONAL,
566 seq-number[3] krb5uint32 OPTIONAL
567 }
569 KRB-SAFE-BODY ::= SEQUENCE {
570 user-data[0] OCTET STRING,
571 timestamp[1] KerberosTime OPTIONAL,
572 usec[2] krb5int32 OPTIONAL,
573 seq-number[3] krb5uint32 OPTIONAL,
574 s-address[4] HostAddress OPTIONAL,
575 r-address[5] HostAddress OPTIONAL
576 }
578 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
579 pvno[0] krb5int32,
580 msg-type[1] MESSAGE-TYPE,
581 safe-body[2] KRB-SAFE-BODY,
582 cksum[3] Checksum
583 }
585 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
586 pvno[0] krb5int32,
587 msg-type[1] MESSAGE-TYPE,
588 enc-part[3] EncryptedData
589 }
590 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
591 user-data[0] OCTET STRING,
592 timestamp[1] KerberosTime OPTIONAL,
593 usec[2] krb5int32 OPTIONAL,
594 seq-number[3] krb5uint32 OPTIONAL,
595 s-address[4] HostAddress OPTIONAL, -- sender's addr
596 r-address[5] HostAddress OPTIONAL -- recip's addr
597 }
599 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
600 pvno[0] krb5int32,
601 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
602 tickets[2] SEQUENCE OF Ticket,
603 enc-part[3] EncryptedData
604 }
606 KrbCredInfo ::= SEQUENCE {
607 key[0] EncryptionKey,
608 prealm[1] Realm OPTIONAL,
609 pname[2] PrincipalName OPTIONAL,
610 flags[3] TicketFlags OPTIONAL,
611 authtime[4] KerberosTime OPTIONAL,
612 starttime[5] KerberosTime OPTIONAL,
613 endtime[6] KerberosTime OPTIONAL,
614 renew-till[7] KerberosTime OPTIONAL,
615 srealm[8] Realm OPTIONAL,
616 sname[9] PrincipalName OPTIONAL,
617 caddr[10] HostAddresses OPTIONAL
618 }
620 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
621 ticket-info[0] SEQUENCE OF KrbCredInfo,
622 nonce[1] krb5int32 OPTIONAL,
623 timestamp[2] KerberosTime OPTIONAL,
624 usec[3] krb5int32 OPTIONAL,
625 s-address[4] HostAddress OPTIONAL,
626 r-address[5] HostAddress OPTIONAL
627 }
629 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
630 pvno[0] krb5int32,
631 msg-type[1] MESSAGE-TYPE,
632 ctime[2] KerberosTime OPTIONAL,
633 cusec[3] krb5int32 OPTIONAL,
634 stime[4] KerberosTime,
635 susec[5] krb5int32,
636 error-code[6] krb5int32,
637 crealm[7] Realm OPTIONAL,
638 cname[8] PrincipalName OPTIONAL,
639 realm[9] Realm, -- Correct realm
640 sname[10] PrincipalName, -- Correct name
641 e-text[11] GeneralString OPTIONAL,
642 e-data[12] OCTET STRING OPTIONAL
643 }
645 ChangePasswdDataMS ::= SEQUENCE {
646 newpasswd[0] OCTET STRING,
647 targname[1] PrincipalName OPTIONAL,
648 targrealm[2] Realm OPTIONAL
649 }
651 EtypeList ::= SEQUENCE OF ENCTYPE
652 -- the client's proposed enctype list in
653 -- decreasing preference order, favorite choice first
655 krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
657 -- transited encodings
659 DOMAIN-X500-COMPRESS krb5int32 ::= 1
661 -- authorization data primitives
663 AD-IF-RELEVANT ::= AuthorizationData
665 AD-KDCIssued ::= SEQUENCE {
666 ad-checksum[0] Checksum,
667 i-realm[1] Realm OPTIONAL,
668 i-sname[2] PrincipalName OPTIONAL,
669 elements[3] AuthorizationData
670 }
672 AD-AND-OR ::= SEQUENCE {
673 condition-count[0] INTEGER,
674 elements[1] AuthorizationData
675 }
677 AD-MANDATORY-FOR-KDC ::= AuthorizationData
679 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
681 PA-SAM-TYPE ::= INTEGER {
682 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
683 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
684 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
685 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
686 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
687 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
688 }
690 PA-SAM-REDIRECT ::= HostAddresses
692 SAMFlags ::= BIT STRING {
693 use-sad-as-key(0),
694 send-encrypted-sad(1),
695 must-pk-encrypt-sad(2)
696 }
698 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
699 sam-type[0] krb5int32,
700 sam-flags[1] SAMFlags,
701 sam-type-name[2] GeneralString OPTIONAL,
702 sam-track-id[3] GeneralString OPTIONAL,
703 sam-challenge-label[4] GeneralString OPTIONAL,
704 sam-challenge[5] GeneralString OPTIONAL,
705 sam-response-prompt[6] GeneralString OPTIONAL,
706 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
707 sam-nonce[8] krb5int32,
708 sam-etype[9] krb5int32,
709 ...
710 }
712 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
713 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
714 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
715 ...
716 }
718 PA-SAM-RESPONSE-2 ::= SEQUENCE {
719 sam-type[0] krb5int32,
720 sam-flags[1] SAMFlags,
721 sam-track-id[2] GeneralString OPTIONAL,
722 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
723 sam-nonce[4] krb5int32,
724 ...
725 }
727 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
728 sam-nonce[0] krb5int32,
729 sam-sad[1] GeneralString OPTIONAL,
730 ...
731 }
733 PA-S4U2Self ::= SEQUENCE {
734 name[0] PrincipalName,
735 realm[1] Realm,
736 cksum[2] Checksum,
737 auth[3] GeneralString
738 }
740 -- never encoded on the wire, just used to checksum over
741 KRB5SignedPathData ::= SEQUENCE {
742 client[0] Principal OPTIONAL,
743 authtime[1] KerberosTime,
744 delegated[2] Principals OPTIONAL,
745 method_data[3] METHOD-DATA OPTIONAL
746 }
748 KRB5SignedPath ::= SEQUENCE {
749 -- DERcoded KRB5SignedPathData
750 -- krbtgt key (etype), KeyUsage = XXX
751 etype[0] ENCTYPE,
752 cksum[1] Checksum,
753 -- srvs delegated though
754 delegated[2] Principals OPTIONAL,
755 method_data[3] METHOD-DATA OPTIONAL
756 }
758 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
759 login-alias [0] PrincipalName,
760 checksum [1] Checksum
761 }
763 -- old ms referral
764 PA-SvrReferralData ::= SEQUENCE {
765 referred-name [1] PrincipalName OPTIONAL,
766 referred-realm [0] Realm
767 }
769 PA-SERVER-REFERRAL-DATA ::= EncryptedData
771 PA-ServerReferralData ::= SEQUENCE {
772 referred-realm [0] Realm OPTIONAL,
773 true-principal-name [1] PrincipalName OPTIONAL,
774 requested-principal-name [2] PrincipalName OPTIONAL,
775 referral-valid-until [3] KerberosTime OPTIONAL,
776 ...
777 }
779 FastOptions ::= BIT STRING {
780 reserved(0),
781 hide-client-names(1),
782 kdc-follow-referrals(16)
783 }
785 KrbFastReq ::= SEQUENCE {
786 fast-options [0] FastOptions,
787 padata [1] METHOD-DATA,
788 req-body [2] KDC-REQ-BODY,
789 ...
790 }
792 KrbFastArmor ::= SEQUENCE {
793 armor-type [0] krb5int32,
794 armor-value [1] OCTET STRING,
795 ...
796 }
798 KrbFastArmoredReq ::= SEQUENCE {
799 armor [0] KrbFastArmor OPTIONAL,
800 req-checksum [1] Checksum,
801 enc-fast-req [2] EncryptedData -- KrbFastReq --
802 }
804 PA-FX-FAST-REQUEST ::= CHOICE {
805 armored-data [0] KrbFastArmoredReq,
806 ...
807 }
809 KrbFastFinished ::= SEQUENCE {
810 timestamp [0] KerberosTime,
811 usec [1] krb5int32,
812 crealm [2] Realm,
813 cname [3] PrincipalName,
814 ticket-checksum [4] Checksum,
815 ...
816 }
818 KrbFastResponse ::= SEQUENCE {
819 padata [0] METHOD-DATA,
820 strengthen-key [1] EncryptionKey OPTIONAL,
821 finished [2] KrbFastFinished OPTIONAL,
822 nonce [3] krb5uint32,
823 ...
824 }
826 KrbFastArmoredRep ::= SEQUENCE {
827 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
828 ...
829 }
831 PA-FX-FAST-REPLY ::= CHOICE {
832 armored-data [0] KrbFastArmoredRep,
833 ...
834 }
836 KDCFastFlags ::= BIT STRING {
837 use_reply_key(0),
838 reply_key_used(1),
839 reply_key_replaced(2),
840 kdc_verfied(3)
841 }
843 -- KDCFastState is stored in FX_COOKIE
844 KDCFastState ::= SEQUENCE {
845 flags [0] KDCFastFlags,
846 expiration [1] GeneralizedTime,
847 fast-state [2] METHOD-DATA,
848 expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
849 }
851 KDCFastCookie ::= SEQUENCE {
852 version [0] UTF8String,
853 cookie [1] EncryptedData
854 }
856 KDC-PROXY-MESSAGE ::= SEQUENCE {
857 kerb-message [0] OCTET STRING,
858 target-domain [1] Realm OPTIONAL,
859 dclocator-hint [2] INTEGER OPTIONAL
860 }
862 -- these messages are used in the GSSCred communication and is not part of Kerberos propper
864 KERB-TIMES ::= SEQUENCE {
865 authtime [0] KerberosTime,
866 starttime [1] KerberosTime,
867 endtime [2] KerberosTime,
868 renew_till [3] KerberosTime
869 }
871 KERB-CRED ::= SEQUENCE {
872 client [0] Principal,
873 server [1] Principal,
874 keyblock [2] EncryptionKey,
875 times [3] KERB-TIMES,
876 ticket [4] OCTET STRING,
877 authdata [5] OCTET STRING,
878 addresses [6] HostAddresses,
879 flags [7] TicketFlags
880 }
882 KERB-TGS-REQ-IN ::= SEQUENCE {
883 cache [0] OCTET STRING SIZE (16),
884 addrs [1] HostAddresses,
885 flags [2] krb5uint32,
886 imp [3] Principal OPTIONAL,
887 ticket [4] OCTET STRING OPTIONAL,
888 in_cred [5] KERB-CRED,
889 krbtgt [6] KERB-CRED,
890 padata [7] METHOD-DATA
891 }
893 KERB-TGS-REQ-OUT ::= SEQUENCE {
894 subkey [0] EncryptionKey OPTIONAL,
895 t [1] TGS-REQ
896 }
900 KERB-TGS-REP-IN ::= SEQUENCE {
901 cache [0] OCTET STRING SIZE (16),
902 subkey [1] EncryptionKey OPTIONAL,
903 in_cred [2] KERB-CRED,
904 t [3] TGS-REP
905 }
907 KERB-TGS-REP-OUT ::= SEQUENCE {
908 cache [0] OCTET STRING SIZE (16),
909 cred [1] KERB-CRED,
910 subkey [2] EncryptionKey
911 }
913 KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
914 armor [0] KrbFastArmor,
915 armor-key [1] EncryptionKey
916 }
919 END
921 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1