1 -- kerberos.asn1 - Kerberos ASN.1 schema
2 -- Copyright (C) 2002, 2003, 2004, 2006, 2007 Simon Josefsson
4 -- This file is part of Shishi.
6 -- Shishi is free software; you can redistribute it and/or modify it
7 -- under the terms of the GNU General Public License as published by
8 -- the Free Software Foundation; either version 3 of the License, or
9 -- (at your option) any later version.
11 -- Shishi is distributed in the hope that it will be useful, but
12 -- WITHOUT ANY WARRANTY; without even the implied warranty of
13 -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 -- General Public License for more details.
16 -- You should have received a copy of the GNU General Public License
17 -- along with Shishi; if not, see http://www.gnu.org/licenses or write
18 -- to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
19 -- Floor, Boston, MA 02110-1301, USA
22 -- This rest of this file is taken from appendix A of RFC 4120,
23 -- http://www.ietf.org/rfc/rfc4120.txt (MD5
24 -- f95332f70f18eb9252756c7e2accc141), with two minor modifications
25 -- marked with "libtasn1 bug" below. RFC 4120 exhibit the ISOC
26 -- copyright, althought it does not cover the ASN.1 schema, see
27 -- discussions in the IETF IPR WG. I have acquired permission to use
28 -- the ASN.1 schema from RFC 4120 under the MIT/X11 license from all
29 -- authors but Tom Yu (as of April 2006). For prudence, asking the
30 -- Kerberos WG whether anyone else contributed significantly to the
31 -- ASN.1 schema also remains. Further, it seems the IETF IPR WG tend
32 -- to believe that code extracted from RFCs was intended to be
33 -- modifiable under RFC 3978, which would be sufficient for an ASN.1
34 -- schema such as this file, compare ipr-rules-update-07 and
35 -- <50E312B117033946BA23AA102C8134C62AB176@SDCPEXCCL2MX.wilmerhale.com>.
36 -- The IETF lawyer Jorge Contreras has said the following on this
37 -- topic: "Under RFC 3978, it is currently OK to modify code extracts
38 -- from RFCs.", see <44A91390.2030908@dial.pipex.com>.
42 iso(1) identified-organization(3) dod(6) internet(1)
43 security(5) kerberosV5(2) modules(4) krb5spec2(2)
44 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
46 -- OID arc for KerberosV5
48 -- This OID may be used to identify Kerberos protocol messages
49 -- encapsulated in other protocols.
51 -- This OID also designates the OID arc for KerberosV5-related OIDs.
53 -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
54 id-krb5 OBJECT IDENTIFIER ::= {
55 iso(1) identified-organization(3) dod(6) internet(1)
56 security(5) kerberosV5(2)
59 Int32 ::= INTEGER -- libtasn1 bug: (-2147483648..2147483647)
60 -- signed values representable in 32 bits
62 UInt32 ::= INTEGER (0..4294967295)
63 -- unsigned 32 bit values
65 Microseconds ::= INTEGER (0..999999)
68 KerberosString ::= GeneralString -- libtasn1 bug: (IA5String)
70 Realm ::= KerberosString
72 PrincipalName ::= SEQUENCE {
74 name-string [1] SEQUENCE OF KerberosString
77 KerberosTime ::= GeneralizedTime -- with no fractional seconds
79 HostAddress ::= SEQUENCE {
81 address [1] OCTET STRING
84 -- NOTE: HostAddresses is always used as an OPTIONAL field and
85 -- should not be empty.
86 HostAddresses -- NOTE: subtly different from rfc1510,
87 -- but has a value mapping and encodes the same
88 ::= SEQUENCE OF HostAddress
90 -- NOTE: AuthorizationData is always used as an OPTIONAL field and
91 -- should not be empty.
92 AuthorizationData ::= SEQUENCE OF SEQUENCE {
94 ad-data [1] OCTET STRING
97 PA-DATA ::= SEQUENCE {
98 -- NOTE: first tag is [1], not [0]
99 padata-type [1] Int32,
100 padata-value [2] OCTET STRING -- might be encoded AP-REQ
103 KerberosFlags ::= BIT STRING (SIZE (32..MAX))
104 -- minimum number of bits shall be sent,
105 -- but no fewer than 32
107 EncryptedData ::= SEQUENCE {
108 etype [0] Int32 -- EncryptionType --,
109 kvno [1] UInt32 OPTIONAL,
110 cipher [2] OCTET STRING -- ciphertext
113 EncryptionKey ::= SEQUENCE {
114 keytype [0] Int32 -- actually encryption type --,
115 keyvalue [1] OCTET STRING
118 Checksum ::= SEQUENCE {
120 checksum [1] OCTET STRING
123 Ticket ::= [APPLICATION 1] SEQUENCE {
124 tkt-vno [0] INTEGER (5),
126 sname [2] PrincipalName,
127 enc-part [3] EncryptedData -- EncTicketPart
130 -- Encrypted part of ticket
131 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
132 flags [0] TicketFlags,
133 key [1] EncryptionKey,
135 cname [3] PrincipalName,
136 transited [4] TransitedEncoding,
137 authtime [5] KerberosTime,
138 starttime [6] KerberosTime OPTIONAL,
139 endtime [7] KerberosTime,
140 renew-till [8] KerberosTime OPTIONAL,
141 caddr [9] HostAddresses OPTIONAL,
142 authorization-data [10] AuthorizationData OPTIONAL
145 -- encoded Transited field
146 TransitedEncoding ::= SEQUENCE {
147 tr-type [0] Int32 -- must be registered --,
148 contents [1] OCTET STRING
151 TicketFlags ::= KerberosFlags
164 -- the following are new since 1510
165 -- transited-policy-checked(12),
166 -- ok-as-delegate(13)
168 AS-REQ ::= [APPLICATION 10] KDC-REQ
170 TGS-REQ ::= [APPLICATION 12] KDC-REQ
172 KDC-REQ ::= SEQUENCE {
173 -- NOTE: first tag is [1], not [0]
174 pvno [1] INTEGER (5) ,
175 msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
176 padata [3] SEQUENCE OF PA-DATA OPTIONAL
177 -- NOTE: not empty --,
178 req-body [4] KDC-REQ-BODY
181 KDC-REQ-BODY ::= SEQUENCE {
182 kdc-options [0] KDCOptions,
183 cname [1] PrincipalName OPTIONAL
184 -- Used only in AS-REQ --,
187 -- Also client's in AS-REQ --,
188 sname [3] PrincipalName OPTIONAL,
189 from [4] KerberosTime OPTIONAL,
190 till [5] KerberosTime,
191 rtime [6] KerberosTime OPTIONAL,
193 etype [8] SEQUENCE OF Int32 -- EncryptionType
194 -- in preference order --,
195 addresses [9] HostAddresses OPTIONAL,
196 enc-authorization-data [10] EncryptedData OPTIONAL
197 -- AuthorizationData --,
198 additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
202 KDCOptions ::= KerberosFlags
208 -- allow-postdate(5),
214 -- opt-hardware-auth(11),
217 -- 15 is reserved for canonicalize
219 -- 26 was unused in 1510
220 -- disable-transited-check(26),
223 -- enc-tkt-in-skey(28),
227 AS-REP ::= [APPLICATION 11] KDC-REP
229 TGS-REP ::= [APPLICATION 13] KDC-REP
231 KDC-REP ::= SEQUENCE {
232 pvno [0] INTEGER (5),
233 msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
234 padata [2] SEQUENCE OF PA-DATA OPTIONAL
235 -- NOTE: not empty --,
237 cname [4] PrincipalName,
239 enc-part [6] EncryptedData
240 -- EncASRepPart or EncTGSRepPart,
244 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
246 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
248 EncKDCRepPart ::= SEQUENCE {
249 key [0] EncryptionKey,
250 last-req [1] LastReq,
252 key-expiration [3] KerberosTime OPTIONAL,
253 flags [4] TicketFlags,
254 authtime [5] KerberosTime,
255 starttime [6] KerberosTime OPTIONAL,
256 endtime [7] KerberosTime,
257 renew-till [8] KerberosTime OPTIONAL,
259 sname [10] PrincipalName,
260 caddr [11] HostAddresses OPTIONAL
263 LastReq ::= SEQUENCE OF SEQUENCE {
265 lr-value [1] KerberosTime
268 AP-REQ ::= [APPLICATION 14] SEQUENCE {
269 pvno [0] INTEGER (5),
270 msg-type [1] INTEGER (14),
271 ap-options [2] APOptions,
273 authenticator [4] EncryptedData -- Authenticator
276 APOptions ::= KerberosFlags
278 -- use-session-key(1),
279 -- mutual-required(2)
281 -- Unencrypted authenticator
282 Authenticator ::= [APPLICATION 2] SEQUENCE {
283 authenticator-vno [0] INTEGER (5),
285 cname [2] PrincipalName,
286 cksum [3] Checksum OPTIONAL,
287 cusec [4] Microseconds,
288 ctime [5] KerberosTime,
289 subkey [6] EncryptionKey OPTIONAL,
290 seq-number [7] UInt32 OPTIONAL,
291 authorization-data [8] AuthorizationData OPTIONAL
294 AP-REP ::= [APPLICATION 15] SEQUENCE {
295 pvno [0] INTEGER (5),
296 msg-type [1] INTEGER (15),
297 enc-part [2] EncryptedData -- EncAPRepPart
300 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
301 ctime [0] KerberosTime,
302 cusec [1] Microseconds,
303 subkey [2] EncryptionKey OPTIONAL,
304 seq-number [3] UInt32 OPTIONAL
307 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
308 pvno [0] INTEGER (5),
309 msg-type [1] INTEGER (20),
310 safe-body [2] KRB-SAFE-BODY,
314 KRB-SAFE-BODY ::= SEQUENCE {
315 user-data [0] OCTET STRING,
316 timestamp [1] KerberosTime OPTIONAL,
317 usec [2] Microseconds OPTIONAL,
318 seq-number [3] UInt32 OPTIONAL,
319 s-address [4] HostAddress,
320 r-address [5] HostAddress OPTIONAL
323 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
324 pvno [0] INTEGER (5),
325 msg-type [1] INTEGER (21),
326 -- NOTE: there is no [2] tag
327 enc-part [3] EncryptedData -- EncKrbPrivPart
330 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
331 user-data [0] OCTET STRING,
332 timestamp [1] KerberosTime OPTIONAL,
333 usec [2] Microseconds OPTIONAL,
334 seq-number [3] UInt32 OPTIONAL,
335 s-address [4] HostAddress -- sender's addr --,
336 r-address [5] HostAddress OPTIONAL -- recip's addr
339 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
340 pvno [0] INTEGER (5),
341 msg-type [1] INTEGER (22),
342 tickets [2] SEQUENCE OF Ticket,
343 enc-part [3] EncryptedData -- EncKrbCredPart
346 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
347 ticket-info [0] SEQUENCE OF KrbCredInfo,
348 nonce [1] UInt32 OPTIONAL,
349 timestamp [2] KerberosTime OPTIONAL,
350 usec [3] Microseconds OPTIONAL,
351 s-address [4] HostAddress OPTIONAL,
352 r-address [5] HostAddress OPTIONAL
355 KrbCredInfo ::= SEQUENCE {
356 key [0] EncryptionKey,
357 prealm [1] Realm OPTIONAL,
358 pname [2] PrincipalName OPTIONAL,
359 flags [3] TicketFlags OPTIONAL,
360 authtime [4] KerberosTime OPTIONAL,
361 starttime [5] KerberosTime OPTIONAL,
362 endtime [6] KerberosTime OPTIONAL,
363 renew-till [7] KerberosTime OPTIONAL,
364 srealm [8] Realm OPTIONAL,
365 sname [9] PrincipalName OPTIONAL,
366 caddr [10] HostAddresses OPTIONAL
369 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
370 pvno [0] INTEGER (5),
371 msg-type [1] INTEGER (30),
372 ctime [2] KerberosTime OPTIONAL,
373 cusec [3] Microseconds OPTIONAL,
374 stime [4] KerberosTime,
375 susec [5] Microseconds,
376 error-code [6] Int32,
377 crealm [7] Realm OPTIONAL,
378 cname [8] PrincipalName OPTIONAL,
379 realm [9] Realm -- service realm --,
380 sname [10] PrincipalName -- service name --,
381 e-text [11] KerberosString OPTIONAL,
382 e-data [12] OCTET STRING OPTIONAL
385 METHOD-DATA ::= SEQUENCE OF PA-DATA
387 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
389 data-value [1] OCTET STRING OPTIONAL
392 -- preauth stuff follows
394 PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
396 PA-ENC-TS-ENC ::= SEQUENCE {
397 patimestamp [0] KerberosTime -- client's time --,
398 pausec [1] Microseconds OPTIONAL
401 ETYPE-INFO-ENTRY ::= SEQUENCE {
403 salt [1] OCTET STRING OPTIONAL
406 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
408 ETYPE-INFO2-ENTRY ::= SEQUENCE {
410 salt [1] KerberosString OPTIONAL,
411 s2kparams [2] OCTET STRING OPTIONAL
414 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
416 AD-IF-RELEVANT ::= AuthorizationData
418 AD-KDCIssued ::= SEQUENCE {
419 ad-checksum [0] Checksum,
420 i-realm [1] Realm OPTIONAL,
421 i-sname [2] PrincipalName OPTIONAL,
422 elements [3] AuthorizationData
425 AD-AND-OR ::= SEQUENCE {
426 condition-count [0] Int32,
427 elements [1] AuthorizationData
430 AD-MANDATORY-FOR-KDC ::= AuthorizationData