| blob | 18278a14317d614fa259439fdab471e9fde7a24e |
1 -- kerberos.asn1 Kerberos ASN.1 Module
2 -- Copyright (C) 2002, 2003 Simon Josefsson
3 --
4 -- This file is part of Shishi.
5 --
6 -- Shishi is free software; you can redistribute it and/or modify
7 -- it under the terms of the GNU General Public License as published by
8 -- the Free Software Foundation; either version 2 of the License, or
9 -- (at your option) any later version.
10 --
11 -- Shishi is distributed in the hope that it will be useful,
12 -- but WITHOUT ANY WARRANTY; without even the implied warranty of
13 -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 -- GNU General Public License for more details.
15 --
16 -- You should have received a copy of the GNU General Public License
17 -- along with Shishi; if not, write to the Free Software
18 -- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 --
21 -- This module is based on the one given in appendix A of RFC1510bis
22 -- (draft-ietf-krb-wg-kerberos-clarifications-04.txt) which exhibits
23 -- no copyright notice, but is presumable owned by ISOC via IETF.
25 -- The modifications are to make libtasn1's parser accept it.
27 Kerberos5 {
28 iso(1) identified-organization(3) dod(6) internet(1)
29 security(5) kerberosV5(2) modules(4) krb5spec2(2)
30 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
32 -- OID arc for KerberosV5
33 --
34 -- This OID may be used to identify Kerberos protocol messages
35 -- encapsulated in other protocols.
36 --
37 -- This OID also designates the OID arc for KerberosV5-related OIDs.
38 --
39 -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
40 id-krb5 OBJECT IDENTIFIER ::= {
41 iso(1) identified-organization(3) dod(6) internet(1)
42 security(5) kerberosV5(2)
43 }
45 Int32 ::= INTEGER -- (-2147483648..2147483647)
46 -- signed values representable in 32 bits
48 UInt32 ::= INTEGER -- (0..4294967295)
49 -- unsigned 32 bit values
51 Microseconds ::= INTEGER -- (0..999999)
52 -- microseconds
54 KerberosString ::= GeneralString -- (IA5String)
56 Realm ::= KerberosString
58 PrincipalName ::= SEQUENCE {
59 name-type [0] Int32,
60 name-string [1] SEQUENCE OF KerberosString
61 }
63 KerberosTime ::= GeneralizedTime -- with no fractional seconds
65 HostAddress ::= SEQUENCE {
66 addr-type [0] Int32,
67 address [1] OCTET STRING
68 }
70 -- NOTE: HostAddresses is always used as an OPTIONAL field and
71 -- should not be empty.
72 HostAddresses -- NOTE: subtly different from rfc1510,
73 -- but has a value mapping and encodes the same
74 ::= SEQUENCE OF HostAddress
76 -- NOTE: AuthorizationData is always used as an OPTIONAL field and
77 -- should not be empty.
78 AuthorizationData ::= SEQUENCE OF SEQUENCE {
79 ad-type [0] Int32,
80 ad-data [1] OCTET STRING
81 }
83 PA-DATA ::= SEQUENCE {
84 -- NOTE: first tag is [1], not [0]
85 padata-type [1] Int32,
86 padata-value [2] OCTET STRING -- might be encoded AP-REQ
87 }
89 KerberosFlags ::= BIT STRING -- (SIZE (32..MAX)) minimum number of bits
90 -- shall be sent, but no fewer than 32
92 EncryptedData ::= SEQUENCE {
93 etype [0] Int32, -- EncryptionType --
94 kvno [1] UInt32 OPTIONAL,
95 cipher [2] OCTET STRING -- ciphertext
96 }
98 EncryptionKey ::= SEQUENCE {
99 keytype [0] Int32, -- actually encryption type --
100 keyvalue [1] OCTET STRING
101 }
103 Checksum ::= SEQUENCE {
104 cksumtype [0] Int32,
105 checksum [1] OCTET STRING
106 }
108 Ticket ::= [APPLICATION 1] SEQUENCE {
109 tkt-vno [0] INTEGER, -- (5)
110 realm [1] Realm,
111 sname [2] PrincipalName,
112 enc-part [3] EncryptedData -- EncTicketPart
113 }
115 -- Encrypted part of ticket
116 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
117 flags [0] TicketFlags,
118 key [1] EncryptionKey,
119 crealm [2] Realm,
120 cname [3] PrincipalName,
121 transited [4] TransitedEncoding,
122 authtime [5] KerberosTime,
123 starttime [6] KerberosTime OPTIONAL,
124 endtime [7] KerberosTime,
125 renew-till [8] KerberosTime OPTIONAL,
126 caddr [9] HostAddresses OPTIONAL,
127 authorization-data [10] AuthorizationData OPTIONAL
128 }
130 -- encoded Transited field
131 TransitedEncoding ::= SEQUENCE {
132 tr-type [0] Int32, -- must be registered --
133 contents [1] OCTET STRING
134 }
136 TicketFlags ::= KerberosFlags
137 -- reserved(0),
138 -- forwardable(1),
139 -- forwarded(2),
140 -- proxiable(3),
141 -- proxy(4),
142 -- may-postdate(5),
143 -- postdated(6),
144 -- invalid(7),
145 -- renewable(8),
146 -- initial(9),
147 -- pre-authent(10),
148 -- hw-authent(11),
149 -- the following are new since 1510
150 -- transited-policy-checked(12),
151 -- ok-as-delegate(13)
153 AS-REQ ::= [APPLICATION 10] KDC-REQ
155 TGS-REQ ::= [APPLICATION 12] KDC-REQ
157 KDC-REQ ::= SEQUENCE {
158 -- NOTE: first tag is [1], not [0]
159 pvno [1] INTEGER, -- (5)
160 msg-type [2] INTEGER, -- (10 - AS - | 12 - TGS -)
161 padata [3] SEQUENCE OF PA-DATA OPTIONAL,
162 -- NOTE: not empty --
163 req-body [4] KDC-REQ-BODY
164 }
166 KDC-REQ-BODY ::= SEQUENCE {
167 kdc-options [0] KDCOptions,
168 cname [1] PrincipalName OPTIONAL,
169 -- Used only in AS-REQ --
170 realm [2] Realm,
171 -- Server's realm
172 -- Also client's in AS-REQ --
173 sname [3] PrincipalName OPTIONAL,
174 from [4] KerberosTime OPTIONAL,
175 till [5] KerberosTime,
176 rtime [6] KerberosTime OPTIONAL,
177 nonce [7] UInt32,
178 etype [8] SEQUENCE OF Int32, -- EncryptionType
179 -- in preference order --
180 addresses [9] HostAddresses OPTIONAL,
181 enc-authorization-data [10] EncryptedData OPTIONAL, -- AuthorizationData --
182 additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
183 -- NOTE: not empty
184 }
186 KDCOptions ::= KerberosFlags
187 -- reserved(0),
188 -- forwardable(1),
189 -- forwarded(2),
190 -- proxiable(3),
191 -- proxy(4),
192 -- allow-postdate(5),
193 -- postdated(6),
194 -- unused7(7),
195 -- renewable(8),
196 -- unused9(9),
197 -- unused10(10),
198 -- opt-hardware-auth(11),
199 -- unused12(12),
200 -- unused13(13),
201 -- 15 is reserved for canonicalize
202 -- unused15(15),
203 -- 26 was unused in 1510
204 -- disable-transited-check(26),
205 --
206 -- renewable-ok(27),
207 -- enc-tkt-in-skey(28),
208 -- renew(30),
209 -- validate(31)
211 AS-REP ::= [APPLICATION 11] KDC-REP
213 TGS-REP ::= [APPLICATION 13] KDC-REP
215 KDC-REP ::= SEQUENCE {
216 pvno [0] INTEGER, -- (5)
217 msg-type [1] INTEGER, -- (11 - AS - | 13 - TGS -)
218 padata [2] SEQUENCE OF PA-DATA OPTIONAL,
219 -- NOTE: not empty --
220 crealm [3] Realm,
221 cname [4] PrincipalName,
222 ticket [5] Ticket,
223 enc-part [6] EncryptedData
224 -- EncASRepPart or EncTGSRepPart,
225 -- as appropriate
226 }
228 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
230 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
232 EncKDCRepPart ::= SEQUENCE {
233 key [0] EncryptionKey,
234 last-req [1] LastReq,
235 nonce [2] UInt32,
236 key-expiration [3] KerberosTime OPTIONAL,
237 flags [4] TicketFlags,
238 authtime [5] KerberosTime,
239 starttime [6] KerberosTime OPTIONAL,
240 endtime [7] KerberosTime,
241 renew-till [8] KerberosTime OPTIONAL,
242 srealm [9] Realm,
243 sname [10] PrincipalName,
244 caddr [11] HostAddresses OPTIONAL
245 }
247 LastReq ::= SEQUENCE OF SEQUENCE {
248 lr-type [0] Int32,
249 lr-value [1] KerberosTime
250 }
252 AP-REQ ::= [APPLICATION 14] SEQUENCE {
253 pvno [0] INTEGER, -- (5)
254 msg-type [1] INTEGER, -- (14)
255 ap-options [2] APOptions,
256 ticket [3] Ticket,
257 authenticator [4] EncryptedData -- Authenticator
258 }
260 APOptions ::= KerberosFlags
261 -- reserved(0),
262 -- use-session-key(1),
263 -- mutual-required(2)
265 -- Unencrypted authenticator
266 Authenticator ::= [APPLICATION 2] SEQUENCE {
267 authenticator-vno [0] INTEGER, -- (5)
268 crealm [1] Realm,
269 cname [2] PrincipalName,
270 cksum [3] Checksum OPTIONAL,
271 cusec [4] Microseconds,
272 ctime [5] KerberosTime,
273 subkey [6] EncryptionKey OPTIONAL,
274 seq-number [7] UInt32 OPTIONAL,
275 authorization-data [8] AuthorizationData OPTIONAL
276 }
278 AP-REP ::= [APPLICATION 15] SEQUENCE {
279 pvno [0] INTEGER, -- (5)
280 msg-type [1] INTEGER, -- (15)
281 enc-part [2] EncryptedData -- EncAPRepPart
282 }
284 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
285 ctime [0] KerberosTime,
286 cusec [1] Microseconds,
287 subkey [2] EncryptionKey OPTIONAL,
288 seq-number [3] UInt32 OPTIONAL
289 }
291 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
292 pvno [0] INTEGER, -- (5)
293 msg-type [1] INTEGER, -- (20)
294 safe-body [2] KRB-SAFE-BODY,
295 cksum [3] Checksum
296 }
298 KRB-SAFE-BODY ::= SEQUENCE {
299 user-data [0] OCTET STRING,
300 timestamp [1] KerberosTime OPTIONAL,
301 usec [2] Microseconds OPTIONAL,
302 seq-number [3] UInt32 OPTIONAL,
303 s-address [4] HostAddress,
304 r-address [5] HostAddress OPTIONAL
305 }
307 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
308 pvno [0] INTEGER, -- (5)
309 msg-type [1] INTEGER, -- (21)
310 -- NOTE: there is no [2] tag
311 enc-part [3] EncryptedData -- EncKrbPrivPart
312 }
314 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
315 user-data [0] OCTET STRING,
316 timestamp [1] KerberosTime OPTIONAL,
317 usec [2] Microseconds OPTIONAL,
318 seq-number [3] UInt32 OPTIONAL,
319 s-address [4] HostAddress, -- sender's addr --
320 r-address [5] HostAddress OPTIONAL -- recip's addr
321 }
323 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
324 pvno [0] INTEGER, -- (5)
325 msg-type [1] INTEGER, --- (22)
326 tickets [2] SEQUENCE OF Ticket,
327 enc-part [3] EncryptedData -- EncKrbCredPart
328 }
330 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
331 ticket-info [0] SEQUENCE OF KrbCredInfo,
332 nonce [1] UInt32 OPTIONAL,
333 timestamp [2] KerberosTime OPTIONAL,
334 usec [3] Microseconds OPTIONAL,
335 s-address [4] HostAddress OPTIONAL,
336 r-address [5] HostAddress OPTIONAL
337 }
339 KrbCredInfo ::= SEQUENCE {
340 key [0] EncryptionKey,
341 prealm [1] Realm OPTIONAL,
342 pname [2] PrincipalName OPTIONAL,
343 flags [3] TicketFlags OPTIONAL,
344 authtime [4] KerberosTime OPTIONAL,
345 starttime [5] KerberosTime OPTIONAL,
346 endtime [6] KerberosTime OPTIONAL,
347 renew-till [7] KerberosTime OPTIONAL,
348 srealm [8] Realm OPTIONAL,
349 sname [9] PrincipalName OPTIONAL,
350 caddr [10] HostAddresses OPTIONAL
351 }
353 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
354 pvno [0] INTEGER, -- (5)
355 msg-type [1] INTEGER, -- (30)
356 ctime [2] KerberosTime OPTIONAL,
357 cusec [3] Microseconds OPTIONAL,
358 stime [4] KerberosTime,
359 susec [5] Microseconds,
360 error-code [6] Int32,
361 crealm [7] Realm OPTIONAL,
362 cname [8] PrincipalName OPTIONAL,
363 realm [9] Realm, -- service realm --
364 sname [10] PrincipalName, -- service name --
365 e-text [11] KerberosString OPTIONAL,
366 e-data [12] OCTET STRING OPTIONAL
367 }
369 METHOD-DATA ::= SEQUENCE OF PA-DATA
371 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
372 data-type [0] INTEGER,
373 data-value [1] OCTET STRING OPTIONAL
374 }
376 -- preauth stuff follows
378 PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
380 PA-ENC-TS-ENC ::= SEQUENCE {
381 patimestamp [0] KerberosTime, -- client's time --
382 pausec [1] Microseconds OPTIONAL
383 }
385 ETYPE-INFO-ENTRY ::= SEQUENCE {
386 etype [0] Int32,
387 salt [1] OCTET STRING OPTIONAL
388 }
390 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
392 ETYPE-INFO2-ENTRY ::= SEQUENCE {
393 etype [0] Int32,
394 salt [1] KerberosString OPTIONAL,
395 s2kparams [2] OCTET STRING OPTIONAL
396 }
398 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
400 AD-IF-RELEVANT ::= AuthorizationData
402 AD-KDCIssued ::= SEQUENCE {
403 ad-checksum [0] Checksum,
404 i-realm [1] Realm OPTIONAL,
405 i-sname [2] PrincipalName OPTIONAL,
406 elements [3] AuthorizationData
407 }
409 AD-AND-OR ::= SEQUENCE {
410 condition-count [0] INTEGER,
411 elements [1] AuthorizationData
412 }
414 AD-MANDATORY-FOR-KDC ::= AuthorizationData
416 END