| blob | 18bce7eacafcc6dbcdbd05700b5620bc76f78d67 |
1 -- kerberos.asn1 - Kerberos ASN.1 schema
2 -- Copyright (C) 2002, 2003, 2004, 2006 Simon Josefsson
3 --
4 -- This file is part of Shishi.
5 --
6 -- Shishi is free software; you can redistribute it and/or modify
7 -- it under the terms of the GNU General Public License as published by
8 -- the Free Software Foundation; either version 2 of the License, or
9 -- (at your option) any later version.
10 --
11 -- Shishi is distributed in the hope that it will be useful,
12 -- but WITHOUT ANY WARRANTY; without even the implied warranty of
13 -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 -- GNU General Public License for more details.
15 --
16 -- You should have received a copy of the GNU General Public License
17 -- along with Shishi; if not, write to the Free Software Foundation,
18 -- Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
21 -- This rest of this file is taken from appendix A of RFC 4120,
22 -- http://www.ietf.org/rfc/rfc4120.txt (MD5
23 -- f95332f70f18eb9252756c7e2accc141), with two minor modifications
24 -- marked with "libtasn1 bug" below. RFC 4120 exhibit the ISOC
25 -- copyright, althought it does not cover the ASN.1 schema, see
26 -- discussions in the IETF IPR WG. I have acquired permission to use
27 -- the ASN.1 schema from RFC 4120 under the MIT/X11 license from all
28 -- authors but Tom Yu (as of April 2006). For prudence, asking the
29 -- Kerberos WG whether anyone else contributed significantly to the
30 -- ASN.1 schema also remains. Further, it seems the IETF IPR WG tend
31 -- to believe that code extracted from RFCs was intended to be
32 -- modifiable under RFC 3978, which would be sufficient for an ASN.1
33 -- schema such as this file, compare ipr-rules-update-07 and
34 -- <50E312B117033946BA23AA102C8134C62AB176@SDCPEXCCL2MX.wilmerhale.com>.
35 -- The IETF lawyer Jorge Contreras has said the following on this
36 -- topic: "Under RFC 3978, it is currently OK to modify code extracts
37 -- from RFCs.", see <44A91390.2030908@dial.pipex.com>.
40 KerberosV5Spec2 {
41 iso(1) identified-organization(3) dod(6) internet(1)
42 security(5) kerberosV5(2) modules(4) krb5spec2(2)
43 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
45 -- OID arc for KerberosV5
46 --
47 -- This OID may be used to identify Kerberos protocol messages
48 -- encapsulated in other protocols.
49 --
50 -- This OID also designates the OID arc for KerberosV5-related OIDs.
51 --
52 -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
53 id-krb5 OBJECT IDENTIFIER ::= {
54 iso(1) identified-organization(3) dod(6) internet(1)
55 security(5) kerberosV5(2)
56 }
58 Int32 ::= INTEGER -- libtasn1 bug: (-2147483648..2147483647)
59 -- signed values representable in 32 bits
61 UInt32 ::= INTEGER (0..4294967295)
62 -- unsigned 32 bit values
64 Microseconds ::= INTEGER (0..999999)
65 -- microseconds
67 KerberosString ::= GeneralString -- libtasn1 bug: (IA5String)
69 Realm ::= KerberosString
71 PrincipalName ::= SEQUENCE {
72 name-type [0] Int32,
73 name-string [1] SEQUENCE OF KerberosString
74 }
76 KerberosTime ::= GeneralizedTime -- with no fractional seconds
78 HostAddress ::= SEQUENCE {
79 addr-type [0] Int32,
80 address [1] OCTET STRING
81 }
83 -- NOTE: HostAddresses is always used as an OPTIONAL field and
84 -- should not be empty.
85 HostAddresses -- NOTE: subtly different from rfc1510,
86 -- but has a value mapping and encodes the same
87 ::= SEQUENCE OF HostAddress
89 -- NOTE: AuthorizationData is always used as an OPTIONAL field and
90 -- should not be empty.
91 AuthorizationData ::= SEQUENCE OF SEQUENCE {
92 ad-type [0] Int32,
93 ad-data [1] OCTET STRING
94 }
96 PA-DATA ::= SEQUENCE {
97 -- NOTE: first tag is [1], not [0]
98 padata-type [1] Int32,
99 padata-value [2] OCTET STRING -- might be encoded AP-REQ
100 }
102 KerberosFlags ::= BIT STRING (SIZE (32..MAX))
103 -- minimum number of bits shall be sent,
104 -- but no fewer than 32
106 EncryptedData ::= SEQUENCE {
107 etype [0] Int32 -- EncryptionType --,
108 kvno [1] UInt32 OPTIONAL,
109 cipher [2] OCTET STRING -- ciphertext
110 }
112 EncryptionKey ::= SEQUENCE {
113 keytype [0] Int32 -- actually encryption type --,
114 keyvalue [1] OCTET STRING
115 }
117 Checksum ::= SEQUENCE {
118 cksumtype [0] Int32,
119 checksum [1] OCTET STRING
120 }
122 Ticket ::= [APPLICATION 1] SEQUENCE {
123 tkt-vno [0] INTEGER (5),
124 realm [1] Realm,
125 sname [2] PrincipalName,
126 enc-part [3] EncryptedData -- EncTicketPart
127 }
129 -- Encrypted part of ticket
130 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
131 flags [0] TicketFlags,
132 key [1] EncryptionKey,
133 crealm [2] Realm,
134 cname [3] PrincipalName,
135 transited [4] TransitedEncoding,
136 authtime [5] KerberosTime,
137 starttime [6] KerberosTime OPTIONAL,
138 endtime [7] KerberosTime,
139 renew-till [8] KerberosTime OPTIONAL,
140 caddr [9] HostAddresses OPTIONAL,
141 authorization-data [10] AuthorizationData OPTIONAL
142 }
144 -- encoded Transited field
145 TransitedEncoding ::= SEQUENCE {
146 tr-type [0] Int32 -- must be registered --,
147 contents [1] OCTET STRING
148 }
150 TicketFlags ::= KerberosFlags
151 -- reserved(0),
152 -- forwardable(1),
153 -- forwarded(2),
154 -- proxiable(3),
155 -- proxy(4),
156 -- may-postdate(5),
157 -- postdated(6),
158 -- invalid(7),
159 -- renewable(8),
160 -- initial(9),
161 -- pre-authent(10),
162 -- hw-authent(11),
163 -- the following are new since 1510
164 -- transited-policy-checked(12),
165 -- ok-as-delegate(13)
167 AS-REQ ::= [APPLICATION 10] KDC-REQ
169 TGS-REQ ::= [APPLICATION 12] KDC-REQ
171 KDC-REQ ::= SEQUENCE {
172 -- NOTE: first tag is [1], not [0]
173 pvno [1] INTEGER (5) ,
174 msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
175 padata [3] SEQUENCE OF PA-DATA OPTIONAL
176 -- NOTE: not empty --,
177 req-body [4] KDC-REQ-BODY
178 }
180 KDC-REQ-BODY ::= SEQUENCE {
181 kdc-options [0] KDCOptions,
182 cname [1] PrincipalName OPTIONAL
183 -- Used only in AS-REQ --,
184 realm [2] Realm
185 -- Server's realm
186 -- Also client's in AS-REQ --,
187 sname [3] PrincipalName OPTIONAL,
188 from [4] KerberosTime OPTIONAL,
189 till [5] KerberosTime,
190 rtime [6] KerberosTime OPTIONAL,
191 nonce [7] UInt32,
192 etype [8] SEQUENCE OF Int32 -- EncryptionType
193 -- in preference order --,
194 addresses [9] HostAddresses OPTIONAL,
195 enc-authorization-data [10] EncryptedData OPTIONAL
196 -- AuthorizationData --,
197 additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
198 -- NOTE: not empty
199 }
201 KDCOptions ::= KerberosFlags
202 -- reserved(0),
203 -- forwardable(1),
204 -- forwarded(2),
205 -- proxiable(3),
206 -- proxy(4),
207 -- allow-postdate(5),
208 -- postdated(6),
209 -- unused7(7),
210 -- renewable(8),
211 -- unused9(9),
212 -- unused10(10),
213 -- opt-hardware-auth(11),
214 -- unused12(12),
215 -- unused13(13),
216 -- 15 is reserved for canonicalize
217 -- unused15(15),
218 -- 26 was unused in 1510
219 -- disable-transited-check(26),
220 --
221 -- renewable-ok(27),
222 -- enc-tkt-in-skey(28),
223 -- renew(30),
224 -- validate(31)
226 AS-REP ::= [APPLICATION 11] KDC-REP
228 TGS-REP ::= [APPLICATION 13] KDC-REP
230 KDC-REP ::= SEQUENCE {
231 pvno [0] INTEGER (5),
232 msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
233 padata [2] SEQUENCE OF PA-DATA OPTIONAL
234 -- NOTE: not empty --,
235 crealm [3] Realm,
236 cname [4] PrincipalName,
237 ticket [5] Ticket,
238 enc-part [6] EncryptedData
239 -- EncASRepPart or EncTGSRepPart,
240 -- as appropriate
241 }
243 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
245 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
247 EncKDCRepPart ::= SEQUENCE {
248 key [0] EncryptionKey,
249 last-req [1] LastReq,
250 nonce [2] UInt32,
251 key-expiration [3] KerberosTime OPTIONAL,
252 flags [4] TicketFlags,
253 authtime [5] KerberosTime,
254 starttime [6] KerberosTime OPTIONAL,
255 endtime [7] KerberosTime,
256 renew-till [8] KerberosTime OPTIONAL,
257 srealm [9] Realm,
258 sname [10] PrincipalName,
259 caddr [11] HostAddresses OPTIONAL
260 }
262 LastReq ::= SEQUENCE OF SEQUENCE {
263 lr-type [0] Int32,
264 lr-value [1] KerberosTime
265 }
267 AP-REQ ::= [APPLICATION 14] SEQUENCE {
268 pvno [0] INTEGER (5),
269 msg-type [1] INTEGER (14),
270 ap-options [2] APOptions,
271 ticket [3] Ticket,
272 authenticator [4] EncryptedData -- Authenticator
273 }
275 APOptions ::= KerberosFlags
276 -- reserved(0),
277 -- use-session-key(1),
278 -- mutual-required(2)
280 -- Unencrypted authenticator
281 Authenticator ::= [APPLICATION 2] SEQUENCE {
282 authenticator-vno [0] INTEGER (5),
283 crealm [1] Realm,
284 cname [2] PrincipalName,
285 cksum [3] Checksum OPTIONAL,
286 cusec [4] Microseconds,
287 ctime [5] KerberosTime,
288 subkey [6] EncryptionKey OPTIONAL,
289 seq-number [7] UInt32 OPTIONAL,
290 authorization-data [8] AuthorizationData OPTIONAL
291 }
293 AP-REP ::= [APPLICATION 15] SEQUENCE {
294 pvno [0] INTEGER (5),
295 msg-type [1] INTEGER (15),
296 enc-part [2] EncryptedData -- EncAPRepPart
297 }
299 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
300 ctime [0] KerberosTime,
301 cusec [1] Microseconds,
302 subkey [2] EncryptionKey OPTIONAL,
303 seq-number [3] UInt32 OPTIONAL
304 }
306 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
307 pvno [0] INTEGER (5),
308 msg-type [1] INTEGER (20),
309 safe-body [2] KRB-SAFE-BODY,
310 cksum [3] Checksum
311 }
313 KRB-SAFE-BODY ::= SEQUENCE {
314 user-data [0] OCTET STRING,
315 timestamp [1] KerberosTime OPTIONAL,
316 usec [2] Microseconds OPTIONAL,
317 seq-number [3] UInt32 OPTIONAL,
318 s-address [4] HostAddress,
319 r-address [5] HostAddress OPTIONAL
320 }
322 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
323 pvno [0] INTEGER (5),
324 msg-type [1] INTEGER (21),
325 -- NOTE: there is no [2] tag
326 enc-part [3] EncryptedData -- EncKrbPrivPart
327 }
329 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
330 user-data [0] OCTET STRING,
331 timestamp [1] KerberosTime OPTIONAL,
332 usec [2] Microseconds OPTIONAL,
333 seq-number [3] UInt32 OPTIONAL,
334 s-address [4] HostAddress -- sender's addr --,
335 r-address [5] HostAddress OPTIONAL -- recip's addr
336 }
338 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
339 pvno [0] INTEGER (5),
340 msg-type [1] INTEGER (22),
341 tickets [2] SEQUENCE OF Ticket,
342 enc-part [3] EncryptedData -- EncKrbCredPart
343 }
345 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
346 ticket-info [0] SEQUENCE OF KrbCredInfo,
347 nonce [1] UInt32 OPTIONAL,
348 timestamp [2] KerberosTime OPTIONAL,
349 usec [3] Microseconds OPTIONAL,
350 s-address [4] HostAddress OPTIONAL,
351 r-address [5] HostAddress OPTIONAL
352 }
354 KrbCredInfo ::= SEQUENCE {
355 key [0] EncryptionKey,
356 prealm [1] Realm OPTIONAL,
357 pname [2] PrincipalName OPTIONAL,
358 flags [3] TicketFlags OPTIONAL,
359 authtime [4] KerberosTime OPTIONAL,
360 starttime [5] KerberosTime OPTIONAL,
361 endtime [6] KerberosTime OPTIONAL,
362 renew-till [7] KerberosTime OPTIONAL,
363 srealm [8] Realm OPTIONAL,
364 sname [9] PrincipalName OPTIONAL,
365 caddr [10] HostAddresses OPTIONAL
366 }
368 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
369 pvno [0] INTEGER (5),
370 msg-type [1] INTEGER (30),
371 ctime [2] KerberosTime OPTIONAL,
372 cusec [3] Microseconds OPTIONAL,
373 stime [4] KerberosTime,
374 susec [5] Microseconds,
375 error-code [6] Int32,
376 crealm [7] Realm OPTIONAL,
377 cname [8] PrincipalName OPTIONAL,
378 realm [9] Realm -- service realm --,
379 sname [10] PrincipalName -- service name --,
380 e-text [11] KerberosString OPTIONAL,
381 e-data [12] OCTET STRING OPTIONAL
382 }
384 METHOD-DATA ::= SEQUENCE OF PA-DATA
386 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
387 data-type [0] Int32,
388 data-value [1] OCTET STRING OPTIONAL
389 }
391 -- preauth stuff follows
393 PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
395 PA-ENC-TS-ENC ::= SEQUENCE {
396 patimestamp [0] KerberosTime -- client's time --,
397 pausec [1] Microseconds OPTIONAL
398 }
400 ETYPE-INFO-ENTRY ::= SEQUENCE {
401 etype [0] Int32,
402 salt [1] OCTET STRING OPTIONAL
403 }
405 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
407 ETYPE-INFO2-ENTRY ::= SEQUENCE {
408 etype [0] Int32,
409 salt [1] KerberosString OPTIONAL,
410 s2kparams [2] OCTET STRING OPTIONAL
411 }
413 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
415 AD-IF-RELEVANT ::= AuthorizationData
417 AD-KDCIssued ::= SEQUENCE {
418 ad-checksum [0] Checksum,
419 i-realm [1] Realm OPTIONAL,
420 i-sname [2] PrincipalName OPTIONAL,
421 elements [3] AuthorizationData
422 }
424 AD-AND-OR ::= SEQUENCE {
425 condition-count [0] Int32,
426 elements [1] AuthorizationData
427 }
429 AD-MANDATORY-FOR-KDC ::= AuthorizationData
431 END