3 PKINIT DEFINITIONS ::= BEGIN
5 IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
6 IssuerAndSerialNumber FROM cms
7 SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
-- Root of the PKINIT OID arc, 1.3.6.1.5.2.3 (RFC 4556); the id-pk* values
-- below are all defined relative to it.
10 id-pkinit OBJECT IDENTIFIER ::=
11 { iso (1) org (3) dod (6) internet (1) security (5)
12 kerberosv5 (2) pkinit (3) }
-- CMS content-type OIDs (.1 authData, .2 DHKeyData, .3 rkeyData) and the two
-- extended-key-usage OIDs: per RFC 4556, .4 is the client-auth EKU and .5 is
-- the KDC EKU. Nothing in this module enforces them; the EKU checks on the
-- peer certificate happen in the verifying code, not in the decoder.
14 id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }
15 id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }
16 id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
17 id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
18 id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }
-- Heimdal-private EKU under the heim-pkix arc (1.2.752.43.16.3). The name
-- suggests it lets the certificate lifetime bound the maximum ticket life;
-- the semantics are implemented elsewhere, so confirm against the KDC code.
20 id-heim-eku-pkinit-certlife-is-max-life OBJECT IDENTIFIER ::=
21 { iso(1) member-body(2) se(752) su(43) heim-pkix(16) 3 }
-- Apple arc OID (1.2.840.113635.100.4.4); its use is not visible in this
-- module.
23 id-apple-system-id OBJECT IDENTIFIER ::= { 1 2 840 113635 100 4 4 }
-- KDF identifiers for the DH reply-key derivation (PKINIT algorithm agility,
-- RFC 8636). They travel in KDFAlgorithmId.kdf-id: offered by the client in
-- AuthPack.supportedKDFs and echoed back in DHRepInfo.kdf. The SHA-1 variant
-- is the weakest of the three; a KDC should prefer the SHA-256/SHA-512 ids
-- whenever the client offers them.
25 id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
26 id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
27 id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
28 id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }
30 id-pkinit-san OBJECT IDENTIFIER ::=
31 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
-- Microsoft-specific OIDs under 1.3.6.1.4.1.311.20.2: .2 is the smart-card
-- logon EKU, .3 the otherName SAN form carrying a UPN.
34 id-pkinit-ms-eku OBJECT IDENTIFIER ::=
35 { iso(1) org(3) dod(6) internet(1) private(4)
36 enterprise(1) microsoft(311) 20 2 2 }
38 id-pkinit-ms-san OBJECT IDENTIFIER ::=
39 { iso(1) org(3) dod(6) internet(1) private(4)
40 enterprise(1) microsoft(311) 20 2 3 }
-- Presumably the value type of the id-pkinit-ms-san otherName: a UPN such as
-- user@REALM as a plain UTF8String. Mapping it to a Kerberos principal, and
-- deciding which CAs may assert it, happens outside this module; since the
-- string is unconstrained here, that mapping code must do the validation.
42 MS-UPN-SAN ::= UTF8String
-- padata-type numbers for the PKINIT request and reply (RFC 4556).
44 pa-pk-as-req INTEGER ::= 16
45 pa-pk-as-rep INTEGER ::= 17
-- TYPED-DATA type numbers for the KDC error payloads defined further down
-- (TD-TRUSTED-CERTIFIERS, TD-INVALID-CERTIFICATES, TD-DH-PARAMETERS).
47 td-trusted-certifiers INTEGER ::= 104
48 td-invalid-certificates INTEGER ::= 105
49 td-dh-parameters INTEGER ::= 109
-- Nonce bytes exchanged in AuthPack.clientDHNonce and DHRepInfo.serverDHNonce;
-- no length bound is encoded here, so callers must size-check if they care.
51 DHNonce ::= OCTET STRING
53 KDFAlgorithmId ::= SEQUENCE {
54 kdf-id [0] OBJECT IDENTIFIER,
58 TrustedCA ::= SEQUENCE {
59 caName [0] IMPLICIT OCTET STRING,
60 certificateSerialNumber [1] INTEGER OPTIONAL,
61 subjectKeyIdentifier [2] OCTET STRING OPTIONAL,
65 ExternalPrincipalIdentifier ::= SEQUENCE {
66 subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
67 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
68 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
-- List form of ExternalPrincipalIdentifier; used for
-- PA-PK-AS-REQ.trustedCertifiers and for the TD-TRUSTED-CERTIFIERS and
-- TD-INVALID-CERTIFICATES error data below.
72 ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier
74 PA-PK-AS-REQ ::= SEQUENCE {
75 signedAuthPack [0] IMPLICIT OCTET STRING,
76 trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL,
77 kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL,
81 PKAuthenticator ::= SEQUENCE {
82 cusec [0] INTEGER -- (0..999999) --,
83 ctime [1] KerberosTime,
84 nonce [2] INTEGER (0..4294967295),
85 paChecksum [3] OCTET STRING OPTIONAL,
89 AuthPack ::= SEQUENCE {
90 pkAuthenticator [0] PKAuthenticator,
91 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
92 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
93 clientDHNonce [3] DHNonce OPTIONAL,
95 supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
-- Typed-data bodies returned with KDC errors (RFC 4556): the CAs the KDC
-- trusts (type td-trusted-certifiers) and the client certificates it rejected
-- (type td-invalid-certificates). Both reuse ExternalPrincipalIdentifiers.
99 TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
100 TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers
-- Authorization-data element; by its name, the list of CAs that were verified
-- during initial authentication. Where it is produced and consumed is not
-- visible in this module.
102 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier
104 DHRepInfo ::= SEQUENCE {
105 dhSignedData [0] IMPLICIT OCTET STRING,
106 serverDHNonce [1] DHNonce OPTIONAL,
108 kdf [2] KDFAlgorithmId OPTIONAL,
112 PA-PK-AS-REP ::= CHOICE {
113 dhInfo [0] DHRepInfo,
114 encKeyPack [1] IMPLICIT OCTET STRING,
118 KDCDHKeyInfo ::= SEQUENCE {
119 subjectPublicKey [0] BIT STRING,
120 nonce [1] INTEGER (0..4294967295),
121 dhKeyExpiration [2] KerberosTime OPTIONAL,
125 ReplyKeyPack ::= SEQUENCE {
126 replyKey [0] EncryptionKey,
127 asChecksum [1] Checksum,
-- Typed data (type td-dh-parameters) listing the DH groups the KDC accepts,
-- one AlgorithmIdentifier per group; per RFC 4556 it is returned when the
-- group behind the client's clientPublicValue is rejected.
131 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
134 -- Windows compat glue --
136 PKAuthenticator-Win2k ::= SEQUENCE {
137 kdcName [0] PrincipalName,
139 cusec [2] INTEGER (0..4294967295),
140 ctime [3] KerberosTime,
141 nonce [4] INTEGER (-2147483648..2147483647)
144 AuthPack-Win2k ::= SEQUENCE {
145 pkAuthenticator [0] PKAuthenticator-Win2k,
146 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
150 TrustedCA-Win2k ::= CHOICE {
152 issuerAndSerial [2] IssuerAndSerialNumber
155 PA-PK-AS-REQ-Win2k ::= SEQUENCE {
156 signed-auth-pack [0] IMPLICIT OCTET STRING,
157 trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
158 kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
159 encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
162 PA-PK-AS-REP-Win2k ::= CHOICE {
163 dhSignedData [0] IMPLICIT OCTET STRING,
164 encKeyPack [1] IMPLICIT OCTET STRING
167 KDCDHKeyInfo-Win2k ::= SEQUENCE {
168 nonce [0] INTEGER (-2147483648..2147483647),
169 subjectPublicKey [2] BIT STRING
172 ReplyKeyPack-Win2k ::= SEQUENCE {
173 replyKey [0] EncryptionKey,
174 nonce [1] INTEGER (-2147483648..2147483647),
178 PA-PK-AS-REP-BTMM ::= SEQUENCE {
179 dhSignedData [0] HEIM_ANY OPTIONAL,
180 encKeyPack [1] HEIM_ANY OPTIONAL
184 PkinitSP80056AOtherInfo ::= SEQUENCE {
185 algorithmID AlgorithmIdentifier,
186 partyUInfo [0] OCTET STRING,
187 partyVInfo [1] OCTET STRING,
188 suppPubInfo [2] OCTET STRING OPTIONAL,
189 suppPrivInfo [3] OCTET STRING OPTIONAL
192 PkinitSuppPubInfo ::= SEQUENCE {
193 enctype [0] INTEGER (-2147483648..2147483647),
194 as-REQ [1] OCTET STRING,
195 pk-as-rep [2] OCTET STRING,