make compile w/o warning, fixup from abartletts patch
[heimdal.git] / lib / asn1 / krb5.asn1
blob8edb0fde69753c0bfb55f328798ae2677651312c
1 -- $Id$
3 KERBEROS5 DEFINITIONS ::=
4 BEGIN
6 NAME-TYPE ::= INTEGER {
7         KRB5_NT_UNKNOWN(0),     -- Name type not known
8         KRB5_NT_PRINCIPAL(1),   -- Just the name of the principal as in
9         KRB5_NT_SRV_INST(2),    -- Service and other unique instance (krbtgt)
10         KRB5_NT_SRV_HST(3),     -- Service with host name as instance
11         KRB5_NT_SRV_XHST(4),    -- Service with host as remaining components
12         KRB5_NT_UID(5),         -- Unique ID
13         KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
14         KRB5_NT_SMTP_NAME(7),   -- Name in form of SMTP email name
15         KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
16         KRB5_NT_WELLKNOWN(11),  -- Wellknown
17         KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
18         KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
19         KRB5_NT_MS_PRINCIPAL_AND_ID(-129) -- NT style name and SID
22 -- message types
24 MESSAGE-TYPE ::= INTEGER {
25         krb-as-req(10), -- Request for initial authentication
26         krb-as-rep(11), -- Response to KRB_AS_REQ request
27         krb-tgs-req(12), -- Request for authentication based on TGT
28         krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
29         krb-ap-req(14), -- application request to server
30         krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
31         krb-safe(20), -- Safe (checksummed) application message
32         krb-priv(21), -- Private (encrypted) application message
33         krb-cred(22), -- Private (encrypted) message to forward credentials
34         krb-error(30) -- Error response
38 -- pa-data types
40 PADATA-TYPE ::= INTEGER {
41         KRB5-PADATA-NONE(0),
42         KRB5-PADATA-TGS-REQ(1),
43         KRB5-PADATA-AP-REQ(1),
44         KRB5-PADATA-ENC-TIMESTAMP(2),
45         KRB5-PADATA-PW-SALT(3),
46         KRB5-PADATA-ENC-UNIX-TIME(5),
47         KRB5-PADATA-SANDIA-SECUREID(6),
48         KRB5-PADATA-SESAME(7),
49         KRB5-PADATA-OSF-DCE(8),
50         KRB5-PADATA-CYBERSAFE-SECUREID(9),
51         KRB5-PADATA-AFS3-SALT(10),
52         KRB5-PADATA-ETYPE-INFO(11),
53         KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
54         KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
55         KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
56         KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
57         KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
58         KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
59         KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
60         KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
61         KRB5-PADATA-ETYPE-INFO2(19),
62         KRB5-PADATA-USE-SPECIFIED-KVNO(20),
63         KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
64         KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
65         KRB5-PADATA-GET-FROM-TYPED-DATA(22),
66         KRB5-PADATA-SAM-ETYPE-INFO(23),
67         KRB5-PADATA-SERVER-REFERRAL(25),
68         KRB5-PADATA-ALT-PRINC(24),              -- (crawdad@fnal.gov)
69         KRB5-PADATA-SAM-CHALLENGE2(30),         -- (kenh@pobox.com)
70         KRB5-PADATA-SAM-RESPONSE2(31),          -- (kenh@pobox.com)
71         KRB5-PA-EXTRA-TGT(41),                  -- Reserved extra TGT
72         KRB5-PADATA-TD-KRB-PRINCIPAL(102),      -- PrincipalName
73         KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
74         KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
75         KRB5-PADATA-TD-APP-DEFINED-ERROR(106),  -- application specific
76         KRB5-PADATA-TD-REQ-NONCE(107),          -- INTEGER
77         KRB5-PADATA-TD-REQ-SEQ(108),            -- INTEGER
78         KRB5-PADATA-PA-PAC-REQUEST(128),        -- jbrezak@exchange.microsoft.com
79         KRB5-PADATA-FOR-USER(129),              -- MS-KILE
80         KRB5-PADATA-FOR-X509-USER(130),         -- MS-KILE
81         KRB5-PADATA-FOR-CHECK-DUPS(131),        -- MS-KILE
82         KRB5-PADATA-AS-CHECKSUM(132),           -- MS-KILE
83         KRB5-PADATA-PK-AS-09-BINDING(132),      -- client send this to
84                                                 -- tell KDC that is supports
85                                                 -- the asCheckSum in the
86                                                 --  PK-AS-REP
87         KRB5-PADATA-CLIENT-CANONICALIZED(133),  -- referals
88         KRB5-PADATA-FX-COOKIE(133),             -- krb-wg-preauth-framework
89         KRB5-PADATA-AUTHENTICATION-SET(134),    -- krb-wg-preauth-framework
90         KRB5-PADATA-AUTH-SET-SELECTED(135),     -- krb-wg-preauth-framework
91         KRB5-PADATA-FX-FAST(136),               -- krb-wg-preauth-framework
92         KRB5-PADATA-FX-ERROR(137),              -- krb-wg-preauth-framework
93         KRB5-PADATA-ENCRYPTED-CHALLENGE(138),   -- krb-wg-preauth-framework
94         KRB5-PADATA-OTP-CHALLENGE(141),         -- (gareth.richards@rsa.com)
95         KRB5-PADATA-OTP-REQUEST(142),           -- (gareth.richards@rsa.com)
96         KBB5-PADATA-OTP-CONFIRM(143),           -- (gareth.richards@rsa.com)
97         KRB5-PADATA-OTP-PIN-CHANGE(144),        -- (gareth.richards@rsa.com)
98         KRB5-PADATA-EPAK-AS-REQ(145),
99         KRB5-PADATA-EPAK-AS-REP(146),
100         KRB5-PADATA-PKINIT-KX(147),             -- krb-wg-anon
101         KRB5-PADATA-PKU2U-NAME(148),            -- zhu-pku2u
102         KRB5-PADATA-SUPPORTED-ETYPES(165)       -- MS-KILE
105 AUTHDATA-TYPE ::= INTEGER {
106         KRB5-AUTHDATA-IF-RELEVANT(1),
107         KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
108         KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
109         KRB5-AUTHDATA-KDC-ISSUED(4),
110         KRB5-AUTHDATA-AND-OR(5),
111         KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
112         KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
113         KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
114         KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
115         KRB5-AUTHDATA-OSF-DCE(64),
116         KRB5-AUTHDATA-SESAME(65),
117         KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
118         KRB5-AUTHDATA-WIN2K-PAC(128),
119         KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
120         KRB5-AUTHDATA-SIGNTICKET-OLD(-17),
121         KRB5-AUTHDATA-SIGNTICKET(142)
124 -- checksumtypes
126 CKSUMTYPE ::= INTEGER {
127         CKSUMTYPE_NONE(0),
128         CKSUMTYPE_CRC32(1),
129         CKSUMTYPE_RSA_MD4(2),
130         CKSUMTYPE_RSA_MD4_DES(3),
131         CKSUMTYPE_DES_MAC(4),
132         CKSUMTYPE_DES_MAC_K(5),
133         CKSUMTYPE_RSA_MD4_DES_K(6),
134         CKSUMTYPE_RSA_MD5(7),
135         CKSUMTYPE_RSA_MD5_DES(8),
136         CKSUMTYPE_RSA_MD5_DES3(9),
137         CKSUMTYPE_SHA1_OTHER(10),
138         CKSUMTYPE_HMAC_SHA1_DES3(12),
139         CKSUMTYPE_SHA1(14),
140         CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
141         CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
142         CKSUMTYPE_GSSAPI(0x8003),
143         CKSUMTYPE_HMAC_MD5(-138),       -- unofficial microsoft number
144         CKSUMTYPE_HMAC_MD5_ENC(-1138)   -- even more unofficial
147 --enctypes
148 ENCTYPE ::= INTEGER {
149         ETYPE_NULL(0),
150         ETYPE_DES_CBC_CRC(1),
151         ETYPE_DES_CBC_MD4(2),
152         ETYPE_DES_CBC_MD5(3),
153         ETYPE_DES3_CBC_MD5(5),
154         ETYPE_OLD_DES3_CBC_SHA1(7),
155         ETYPE_SIGN_DSA_GENERATE(8),
156         ETYPE_ENCRYPT_RSA_PRIV(9),
157         ETYPE_ENCRYPT_RSA_PUB(10),
158         ETYPE_DES3_CBC_SHA1(16),        -- with key derivation
159         ETYPE_AES128_CTS_HMAC_SHA1_96(17),
160         ETYPE_AES256_CTS_HMAC_SHA1_96(18),
161         ETYPE_ARCFOUR_HMAC_MD5(23),
162         ETYPE_ARCFOUR_HMAC_MD5_56(24),
163         ETYPE_ENCTYPE_PK_CROSS(48),
164 -- some "old" windows types
165         ETYPE_ARCFOUR_MD4(-128),
166         ETYPE_ARCFOUR_HMAC_OLD(-133),
167         ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
168 -- these are for Heimdal internal use
169         ETYPE_DES_CBC_NONE(-0x1000),
170         ETYPE_DES3_CBC_NONE(-0x1001),
171         ETYPE_DES_CFB64_NONE(-0x1002),
172         ETYPE_DES_PCBC_NONE(-0x1003),
173         ETYPE_DIGEST_MD5_NONE(-0x1004),         -- private use, lukeh@padl.com
174         ETYPE_CRAM_MD5_NONE(-0x1005)            -- private use, lukeh@padl.com
180 -- this is sugar to make something ASN1 does not have: unsigned
182 krb5uint32 ::= INTEGER (0..4294967295)
183 krb5int32 ::= INTEGER (-2147483648..2147483647)
185 KerberosString  ::= GeneralString
187 Realm ::= GeneralString
188 PrincipalName ::= SEQUENCE {
189         name-type[0]            NAME-TYPE,
190         name-string[1]          SEQUENCE OF GeneralString
193 -- this is not part of RFC1510
194 Principal ::= SEQUENCE {
195         name[0]                 PrincipalName,
196         realm[1]                Realm
199 Principals ::= SEQUENCE OF Principal
201 HostAddress ::= SEQUENCE  {
202         addr-type[0]            krb5int32,
203         address[1]              OCTET STRING
206 -- This is from RFC1510.
208 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
209 --      addr-type[0]            krb5int32,
210 --      address[1]              OCTET STRING
211 -- }
213 -- This seems much better.
214 HostAddresses ::= SEQUENCE OF HostAddress
217 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
219 AuthorizationDataElement ::= SEQUENCE {
220         ad-type[0]              krb5int32,
221         ad-data[1]              OCTET STRING
224 AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
226 APOptions ::= BIT STRING {
227         reserved(0),
228         use-session-key(1),
229         mutual-required(2)
232 TicketFlags ::= BIT STRING {
233         reserved(0),
234         forwardable(1),
235         forwarded(2),
236         proxiable(3),
237         proxy(4),
238         may-postdate(5),
239         postdated(6),
240         invalid(7),
241         renewable(8),
242         initial(9),
243         pre-authent(10),
244         hw-authent(11),
245         transited-policy-checked(12),
246         ok-as-delegate(13),
247         anonymous(14)
250 KDCOptions ::= BIT STRING {
251         reserved(0),
252         forwardable(1),
253         forwarded(2),
254         proxiable(3),
255         proxy(4),
256         allow-postdate(5),
257         postdated(6),
258         unused7(7),
259         renewable(8),
260         unused9(9),
261         unused10(10),
262         unused11(11),
263         request-anonymous(14),
264         canonicalize(15),
265         constrained-delegation(16), -- ms extension
266         disable-transited-check(26),
267         renewable-ok(27),
268         enc-tkt-in-skey(28),
269         renew(30),
270         validate(31)
273 LR-TYPE ::= INTEGER {
274         LR_NONE(0),             -- no information
275         LR_INITIAL_TGT(1),      -- last initial TGT request
276         LR_INITIAL(2),          -- last initial request
277         LR_ISSUE_USE_TGT(3),    -- time of newest TGT used
278         LR_RENEWAL(4),          -- time of last renewal
279         LR_REQUEST(5),          -- time of last request (of any type)
280         LR_PW_EXPTIME(6),       -- expiration time of password
281         LR_ACCT_EXPTIME(7)      -- expiration time of account
284 LastReq ::= SEQUENCE OF SEQUENCE {
285         lr-type[0]              LR-TYPE,
286         lr-value[1]             KerberosTime
290 EncryptedData ::= SEQUENCE {
291         etype[0]                ENCTYPE, -- EncryptionType
292         kvno[1]                 krb5int32 OPTIONAL,
293         cipher[2]               OCTET STRING -- ciphertext
296 EncryptionKey ::= SEQUENCE {
297         keytype[0]              krb5int32,
298         keyvalue[1]             OCTET STRING
301 -- encoded Transited field
302 TransitedEncoding ::= SEQUENCE {
303         tr-type[0]              krb5int32, -- must be registered
304         contents[1]             OCTET STRING
307 Ticket ::= [APPLICATION 1] SEQUENCE {
308         tkt-vno[0]              krb5int32,
309         realm[1]                Realm,
310         sname[2]                PrincipalName,
311         enc-part[3]             EncryptedData
313 -- Encrypted part of ticket
314 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
315         flags[0]                TicketFlags,
316         key[1]                  EncryptionKey,
317         crealm[2]               Realm,
318         cname[3]                PrincipalName,
319         transited[4]            TransitedEncoding,
320         authtime[5]             KerberosTime,
321         starttime[6]            KerberosTime OPTIONAL,
322         endtime[7]              KerberosTime,
323         renew-till[8]           KerberosTime OPTIONAL,
324         caddr[9]                HostAddresses OPTIONAL,
325         authorization-data[10]  AuthorizationData OPTIONAL
328 Checksum ::= SEQUENCE {
329         cksumtype[0]            CKSUMTYPE,
330         checksum[1]             OCTET STRING
333 Authenticator ::= [APPLICATION 2] SEQUENCE    {
334         authenticator-vno[0]    krb5int32,
335         crealm[1]               Realm,
336         cname[2]                PrincipalName,
337         cksum[3]                Checksum OPTIONAL,
338         cusec[4]                krb5int32,
339         ctime[5]                KerberosTime,
340         subkey[6]               EncryptionKey OPTIONAL,
341         seq-number[7]           krb5uint32 OPTIONAL,
342         authorization-data[8]   AuthorizationData OPTIONAL
345 PA-DATA ::= SEQUENCE {
346         -- might be encoded AP-REQ
347         padata-type[1]          PADATA-TYPE,
348         padata-value[2]         OCTET STRING
351 ETYPE-INFO-ENTRY ::= SEQUENCE {
352         etype[0]                ENCTYPE,
353         salt[1]                 OCTET STRING OPTIONAL,
354         salttype[2]             krb5int32 OPTIONAL
357 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
359 ETYPE-INFO2-ENTRY ::= SEQUENCE {
360         etype[0]                ENCTYPE,
361         salt[1]                 KerberosString OPTIONAL,
362         s2kparams[2]            OCTET STRING OPTIONAL
365 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
367 METHOD-DATA ::= SEQUENCE OF PA-DATA
369 TypedData ::=   SEQUENCE {
370         data-type[0]            krb5int32,
371         data-value[1]           OCTET STRING OPTIONAL
374 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
376 KDC-REQ-BODY ::= SEQUENCE {
377         kdc-options[0]          KDCOptions,
378         cname[1]                PrincipalName OPTIONAL, -- Used only in AS-REQ
379         realm[2]                Realm,  -- Server's realm
380                                         -- Also client's in AS-REQ
381         sname[3]                PrincipalName OPTIONAL,
382         from[4]                 KerberosTime OPTIONAL,
383         till[5]                 KerberosTime OPTIONAL,
384         rtime[6]                KerberosTime OPTIONAL,
385         nonce[7]                krb5int32,
386         etype[8]                SEQUENCE OF ENCTYPE, -- EncryptionType,
387                                         -- in preference order
388         addresses[9]            HostAddresses OPTIONAL,
389         enc-authorization-data[10] EncryptedData OPTIONAL,
390                                         -- Encrypted AuthorizationData encoding
391         additional-tickets[11]  SEQUENCE OF Ticket OPTIONAL
394 KDC-REQ ::= SEQUENCE {
395         pvno[1]                 krb5int32,
396         msg-type[2]             MESSAGE-TYPE,
397         padata[3]               METHOD-DATA OPTIONAL,
398         req-body[4]             KDC-REQ-BODY
401 AS-REQ ::= [APPLICATION 10] KDC-REQ
402 TGS-REQ ::= [APPLICATION 12] KDC-REQ
404 -- padata-type ::= PA-ENC-TIMESTAMP
405 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
407 PA-ENC-TS-ENC ::= SEQUENCE {
408         patimestamp[0]          KerberosTime, -- client's time
409         pausec[1]               krb5int32 OPTIONAL
412 -- draft-brezak-win2k-krb-authz-01
413 PA-PAC-REQUEST ::= SEQUENCE {
414         include-pac[0]          BOOLEAN -- Indicates whether a PAC
415                                         -- should be included or not
418 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
419 PROV-SRV-LOCATION ::= GeneralString
421 KDC-REP ::= SEQUENCE {
422         pvno[0]                 krb5int32,
423         msg-type[1]             MESSAGE-TYPE,
424         padata[2]               METHOD-DATA OPTIONAL,
425         crealm[3]               Realm,
426         cname[4]                PrincipalName,
427         ticket[5]               Ticket,
428         enc-part[6]             EncryptedData
431 AS-REP ::= [APPLICATION 11] KDC-REP
432 TGS-REP ::= [APPLICATION 13] KDC-REP
434 EncKDCRepPart ::= SEQUENCE {
435         key[0]                  EncryptionKey,
436         last-req[1]             LastReq,
437         nonce[2]                krb5int32,
438         key-expiration[3]       KerberosTime OPTIONAL,
439         flags[4]                TicketFlags,
440         authtime[5]             KerberosTime,
441         starttime[6]            KerberosTime OPTIONAL,
442         endtime[7]              KerberosTime,
443         renew-till[8]           KerberosTime OPTIONAL,
444         srealm[9]               Realm,
445         sname[10]               PrincipalName,
446         caddr[11]               HostAddresses OPTIONAL,
447         encrypted-pa-data[12]   METHOD-DATA OPTIONAL
450 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
451 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
453 AP-REQ ::= [APPLICATION 14] SEQUENCE {
454         pvno[0]                 krb5int32,
455         msg-type[1]             MESSAGE-TYPE,
456         ap-options[2]           APOptions,
457         ticket[3]               Ticket,
458         authenticator[4]        EncryptedData
461 AP-REP ::= [APPLICATION 15] SEQUENCE {
462         pvno[0]                 krb5int32,
463         msg-type[1]             MESSAGE-TYPE,
464         enc-part[2]             EncryptedData
467 EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
468         ctime[0]                KerberosTime,
469         cusec[1]                krb5int32,
470         subkey[2]               EncryptionKey OPTIONAL,
471         seq-number[3]           krb5uint32 OPTIONAL
474 KRB-SAFE-BODY ::= SEQUENCE {
475         user-data[0]            OCTET STRING,
476         timestamp[1]            KerberosTime OPTIONAL,
477         usec[2]                 krb5int32 OPTIONAL,
478         seq-number[3]           krb5uint32 OPTIONAL,
479         s-address[4]            HostAddress OPTIONAL,
480         r-address[5]            HostAddress OPTIONAL
483 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
484         pvno[0]                 krb5int32,
485         msg-type[1]             MESSAGE-TYPE,
486         safe-body[2]            KRB-SAFE-BODY,
487         cksum[3]                Checksum
490 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
491         pvno[0]                 krb5int32,
492         msg-type[1]             MESSAGE-TYPE,
493         enc-part[3]             EncryptedData
495 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
496         user-data[0]            OCTET STRING,
497         timestamp[1]            KerberosTime OPTIONAL,
498         usec[2]                 krb5int32 OPTIONAL,
499         seq-number[3]           krb5uint32 OPTIONAL,
500         s-address[4]            HostAddress OPTIONAL, -- sender's addr
501         r-address[5]            HostAddress OPTIONAL  -- recip's addr
504 KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
505         pvno[0]                 krb5int32,
506         msg-type[1]             MESSAGE-TYPE, -- KRB_CRED
507         tickets[2]              SEQUENCE OF Ticket,
508         enc-part[3]             EncryptedData
511 KrbCredInfo ::= SEQUENCE {
512         key[0]                  EncryptionKey,
513         prealm[1]               Realm OPTIONAL,
514         pname[2]                PrincipalName OPTIONAL,
515         flags[3]                TicketFlags OPTIONAL,
516         authtime[4]             KerberosTime OPTIONAL,
517         starttime[5]            KerberosTime OPTIONAL,
518         endtime[6]              KerberosTime OPTIONAL,
519         renew-till[7]           KerberosTime OPTIONAL,
520         srealm[8]               Realm OPTIONAL,
521         sname[9]                PrincipalName OPTIONAL,
522         caddr[10]               HostAddresses OPTIONAL
525 EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
526         ticket-info[0]          SEQUENCE OF KrbCredInfo,
527         nonce[1]                krb5int32 OPTIONAL,
528         timestamp[2]            KerberosTime OPTIONAL,
529         usec[3]                 krb5int32 OPTIONAL,
530         s-address[4]            HostAddress OPTIONAL,
531         r-address[5]            HostAddress OPTIONAL
534 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
535         pvno[0]                 krb5int32,
536         msg-type[1]             MESSAGE-TYPE,
537         ctime[2]                KerberosTime OPTIONAL,
538         cusec[3]                krb5int32 OPTIONAL,
539         stime[4]                KerberosTime,
540         susec[5]                krb5int32,
541         error-code[6]           krb5int32,
542         crealm[7]               Realm OPTIONAL,
543         cname[8]                PrincipalName OPTIONAL,
544         realm[9]                Realm, -- Correct realm
545         sname[10]               PrincipalName, -- Correct name
546         e-text[11]              GeneralString OPTIONAL,
547         e-data[12]              OCTET STRING OPTIONAL
550 ChangePasswdDataMS ::= SEQUENCE {
551         newpasswd[0]            OCTET STRING,
552         targname[1]             PrincipalName OPTIONAL,
553         targrealm[2]            Realm OPTIONAL
556 EtypeList ::= SEQUENCE OF krb5int32
557         -- the client's proposed enctype list in
558         -- decreasing preference order, favorite choice first
560 krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
562 -- transited encodings
564 DOMAIN-X500-COMPRESS    krb5int32 ::= 1
566 -- authorization data primitives
568 AD-IF-RELEVANT ::= AuthorizationData
570 AD-KDCIssued ::= SEQUENCE {
571         ad-checksum[0]          Checksum,
572         i-realm[1]              Realm OPTIONAL,
573         i-sname[2]              PrincipalName OPTIONAL,
574         elements[3]             AuthorizationData
577 AD-AND-OR ::= SEQUENCE {
578         condition-count[0]      INTEGER,
579         elements[1]             AuthorizationData
582 AD-MANDATORY-FOR-KDC ::= AuthorizationData
584 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
586 PA-SAM-TYPE ::= INTEGER {
587         PA_SAM_TYPE_ENIGMA(1),          -- Enigma Logic
588         PA_SAM_TYPE_DIGI_PATH(2),       -- Digital Pathways
589         PA_SAM_TYPE_SKEY_K0(3),         -- S/key where  KDC has key 0
590         PA_SAM_TYPE_SKEY(4),            -- Traditional S/Key
591         PA_SAM_TYPE_SECURID(5),         -- Security Dynamics
592         PA_SAM_TYPE_CRYPTOCARD(6)       -- CRYPTOCard
595 PA-SAM-REDIRECT ::= HostAddresses
597 SAMFlags ::= BIT STRING {
598         use-sad-as-key(0),
599         send-encrypted-sad(1),
600         must-pk-encrypt-sad(2)
603 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
604         sam-type[0]             krb5int32,
605         sam-flags[1]            SAMFlags,
606         sam-type-name[2]        GeneralString OPTIONAL,
607         sam-track-id[3]         GeneralString OPTIONAL,
608         sam-challenge-label[4]  GeneralString OPTIONAL,
609         sam-challenge[5]        GeneralString OPTIONAL,
610         sam-response-prompt[6]  GeneralString OPTIONAL,
611         sam-pk-for-sad[7]       EncryptionKey OPTIONAL,
612         sam-nonce[8]            krb5int32,
613         sam-etype[9]            krb5int32,
614         ...
617 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
618         sam-body[0]             PA-SAM-CHALLENGE-2-BODY,
619         sam-cksum[1]            SEQUENCE OF Checksum, -- (1..MAX)
620         ...
623 PA-SAM-RESPONSE-2 ::= SEQUENCE {
624         sam-type[0]             krb5int32,
625         sam-flags[1]            SAMFlags,
626         sam-track-id[2]         GeneralString OPTIONAL,
627         sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
628         sam-nonce[4]            krb5int32,
629         ...
632 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
633         sam-nonce[0]            krb5int32,
634         sam-sad[1]              GeneralString OPTIONAL,
635         ...
638 PA-S4U2Self ::= SEQUENCE {
639         name[0]         PrincipalName,
640         realm[1]        Realm,
641         cksum[2]        Checksum,
642         auth[3]         GeneralString
645 -- never encoded on the wire, just used to checksum over
646 KRB5SignedPathData ::= SEQUENCE {
647         encticket[0]    EncTicketPart,
648         delegated[1]    Principals OPTIONAL
651 KRB5SignedPath ::= SEQUENCE {
652         -- DERcoded KRB5SignedPathData
653         -- krbtgt key (etype), KeyUsage = XXX
654         etype[0]        ENCTYPE,
655         cksum[1]        Checksum,
656         -- srvs delegated though
657         delegated[2]    Principals OPTIONAL
660 PA-ClientCanonicalizedNames ::= SEQUENCE{
661         requested-name  [0] PrincipalName,
662         mapped-name     [1] PrincipalName
665 PA-ClientCanonicalized ::= SEQUENCE {
666         names           [0] PA-ClientCanonicalizedNames,
667         canon-checksum  [1] Checksum
670 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
671         login-alias     [0] PrincipalName,
672         checksum        [1] Checksum
675 -- old ms referral
676 PA-SvrReferralData ::= SEQUENCE {
677         referred-name   [1] PrincipalName OPTIONAL,
678         referred-realm  [0] Realm
681 PA-SERVER-REFERRAL-DATA ::= EncryptedData
683 PA-ServerReferralData ::= SEQUENCE {
684         referred-realm          [0] Realm OPTIONAL,
685         true-principal-name     [1] PrincipalName OPTIONAL,
686         requested-principal-name [2] PrincipalName OPTIONAL,
687         referral-valid-until     [3] KerberosTime OPTIONAL,
688         ...
691 FastOptions ::= BIT STRING {
692             reserved(0),
693             hide-client-names(1),
694             kdc-follow--referrals(16)
697 KrbFastReq ::= SEQUENCE {
698         fast-options [0] FastOptions,
699         padata       [1] SEQUENCE OF PA-DATA,
700         req-body     [2] KDC-REQ-BODY,
701         ...
704 KrbFastArmor ::= SEQUENCE {
705         armor-type   [0] krb5int32,
706         armor-value  [1] OCTET STRING,
707         ...
710 KrbFastArmoredReq ::= SEQUENCE {
711         armor        [0] KrbFastArmor OPTIONAL,
712         req-checksum [1] Checksum,
713         enc-fast-req [2] EncryptedData -- KrbFastReq --
716 PA-FX-FAST-REQUEST ::= CHOICE {
717         armored-data [0] KrbFastArmoredReq,
718         ...
721 KrbFastFinished ::= SEQUENCE {
722         timestamp   [0] KerberosTime,
723         usec        [1] krb5int32,
724         crealm      [2] Realm,
725         cname       [3] PrincipalName,
726         checksum    [4] Checksum,
727         ticket-checksum [5] Checksum,
728         ...
731 KrbFastResponse ::= SEQUENCE {
732         padata      [0] SEQUENCE OF PA-DATA,
733         rep-key     [1] EncryptionKey OPTIONAL,
734         finished    [2] KrbFastFinished OPTIONAL,
735         ...
738 KrbFastArmoredRep ::= SEQUENCE {
739         enc-fast-rep      [0] EncryptedData, -- KrbFastResponse --
740         ...
743 PA-FX-FAST-REPLY ::= CHOICE {
744         armored-data [0] KrbFastArmoredRep,
745         ...
750 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1