1 -- - This is Appendix A from RFC1510bis (the draft that was published as
2 -- - RFC 4120) with some cosmetic changes done in order to make it parse
-- - with the buggy libtasn1 parser.  The most important change is that
-- - the INTEGER value constraints and the KerberosFlags SIZE constraint
-- - have been moved into comments (see Int32, UInt32, Microseconds,
-- - KerberosFlags, and the "(5)" on pvno/tkt-vno fields).  The parser
-- - therefore does NOT enforce them: code consuming decoded values must
-- - range-check those integers and check version/message-type fields itself.
5 iso(1) identified-organization(3) dod(6) internet(1)
6 security(5) kerberosV5(2) modules(4) krb5spec2(2)
7 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
9 -- OID arc for KerberosV5
11 -- This OID may be used to identify Kerberos protocol messages
12 -- encapsulated in other protocols.
14 -- This OID also designates the OID arc for KerberosV5-related OIDs.
16 -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
17 id-krb5 OBJECT IDENTIFIER ::= {
18 iso(1) identified-organization(3) dod(6) internet(1)
19 security(5) kerberosV5(2)
-- Signed 32-bit integer.  The range is a comment only, so the parser
-- accepts any INTEGER here; reject values outside the range after decoding
-- instead of truncating them into a native 32-bit type.
22 Int32 ::= INTEGER -- (-2147483648..2147483647)
23 -- signed values representable in 32 bits
-- Unsigned 32-bit integer (kvno, seq-number, nonce).  The range is a
-- comment only and is not enforced by the parser.  Values in
-- 2147483648..4294967295 are legal here but overflow a signed 32-bit type;
-- decode into a wider or unsigned type and reject anything out of range.
25 UInt32 ::= INTEGER -- (0..4294967295)
26 -- unsigned 32 bit values
-- Sub-second part of a timestamp.  The 0..999999 range is a comment only;
-- validate it after decoding before combining it with a KerberosTime.
28 Microseconds ::= INTEGER -- (0..999999)
-- The IA5String restriction is a comment only, so the parser will accept
-- any GeneralString content.  NOTE(review): per RFC 4120 only the ASCII
-- (IA5) subset is expected in principal names and realms; validate the
-- bytes after decoding rather than assuming they are printable ASCII.
31 KerberosString ::= GeneralString -- (IA5String)
-- Realm name; same (unenforced) IA5 restriction as KerberosString.
33 Realm ::= KerberosString
35 PrincipalName ::= SEQUENCE {
37 name-string [1] SEQUENCE OF KerberosString
-- NOTE(review): per RFC 4120 a KerberosTime is the DER GeneralizedTime form
-- YYYYMMDDHHMMSSZ: UTC ("Z"), no separators and no fractional seconds.
-- This module does not constrain the GeneralizedTime further, so a decoder
-- should reject other forms (local-time offsets, fractional seconds)
-- rather than silently parsing them.
40 KerberosTime ::= GeneralizedTime -- with no fractional seconds
42 HostAddress ::= SEQUENCE {
44 address [1] OCTET STRING
47 -- NOTE: HostAddresses is always used as an OPTIONAL field and
48 -- should not be empty.
49 HostAddresses -- NOTE: subtly different from rfc1510,
50 -- but has a value mapping and encodes the same
51 ::= SEQUENCE OF HostAddress
53 -- NOTE: AuthorizationData is always used as an OPTIONAL field and
54 -- should not be empty.
55 AuthorizationData ::= SEQUENCE OF SEQUENCE {
57 ad-data [1] OCTET STRING
60 PA-DATA ::= SEQUENCE {
61 -- NOTE: first tag is [1], not [0]
62 padata-type [1] Int32,
63 padata-value [2] OCTET STRING -- might be encoded AP-REQ
-- Flag vector.  The SIZE (32..MAX) constraint is a comment only, so the
-- parser will accept a BIT STRING of any length, including fewer than 32
-- bits; callers must decide explicitly how to treat short encodings rather
-- than read past the end of the value.  Remember that ASN.1 numbers bits
-- from the most significant bit of the first content octet (bit 0 is the
-- MSB of the first octet), not from the least significant bit.
66 KerberosFlags ::= BIT STRING -- (SIZE (32..MAX)) minimum number of bits
67 -- shall be sent, but no fewer than 32
69 EncryptedData ::= SEQUENCE {
70 etype [0] Int32, -- EncryptionType --
71 kvno [1] UInt32 OPTIONAL,
72 cipher [2] OCTET STRING -- ciphertext
75 EncryptionKey ::= SEQUENCE {
76 keytype [0] Int32, -- actually encryption type --
77 keyvalue [1] OCTET STRING
80 Checksum ::= SEQUENCE {
82 checksum [1] OCTET STRING
85 Ticket ::= [APPLICATION 1] SEQUENCE {
86 tkt-vno [0] INTEGER, -- (5)
88 sname [2] PrincipalName,
89 enc-part [3] EncryptedData -- EncTicketPart
92 -- Encrypted part of ticket
93 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
94 flags [0] TicketFlags,
95 key [1] EncryptionKey,
97 cname [3] PrincipalName,
98 transited [4] TransitedEncoding,
99 authtime [5] KerberosTime,
100 starttime [6] KerberosTime OPTIONAL,
101 endtime [7] KerberosTime,
102 renew-till [8] KerberosTime OPTIONAL,
103 caddr [9] HostAddresses OPTIONAL,
104 authorization-data [10] AuthorizationData OPTIONAL
107 -- encoded Transited field
108 TransitedEncoding ::= SEQUENCE {
109 tr-type [0] Int32, -- must be registered --
110 contents [1] OCTET STRING
-- Ticket flags.  The named bits are listed only in comments, so the parser
-- knows nothing about them; bit positions must be interpreted by the
-- application (see the bit-numbering note on KerberosFlags).
113 TicketFlags ::= KerberosFlags
126 -- the following are new since 1510
127 -- transited-policy-checked(12),
128 -- ok-as-delegate(13)
-- AS-REQ and TGS-REQ share the KDC-REQ body; only the outer APPLICATION
-- tag and msg-type (10 vs 12) differ.  Since msg-type is an unconstrained
-- INTEGER here, a decoder should check that it agrees with the tag it
-- dispatched on instead of trusting either alone.
130 AS-REQ ::= [APPLICATION 10] KDC-REQ
-- TGS-REQ: same body as AS-REQ, msg-type 12 (verify it matches the tag).
132 TGS-REQ ::= [APPLICATION 12] KDC-REQ
134 KDC-REQ ::= SEQUENCE {
135 -- NOTE: first tag is [1], not [0]
136 pvno [1] INTEGER, -- (5)
137 msg-type [2] INTEGER, -- (10 - AS - | 12 - TGS -)
138 padata [3] SEQUENCE OF PA-DATA OPTIONAL,
139 -- NOTE: not empty --
140 req-body [4] KDC-REQ-BODY
143 KDC-REQ-BODY ::= SEQUENCE {
144 kdc-options [0] KDCOptions,
145 cname [1] PrincipalName OPTIONAL,
146 -- Used only in AS-REQ --
149 -- Also client's in AS-REQ --
150 sname [3] PrincipalName OPTIONAL,
151 from [4] KerberosTime OPTIONAL,
152 till [5] KerberosTime,
153 rtime [6] KerberosTime OPTIONAL,
155 etype [8] SEQUENCE OF Int32, -- EncryptionType
156 -- in preference order --
157 addresses [9] HostAddresses OPTIONAL,
158 enc-authorization-data [10] EncryptedData OPTIONAL, -- AuthorizationData --
159 additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
-- KDC request options.  The named bits are listed only in comments below
-- and are not known to the parser.  NOTE(review): options such as
-- disable-transited-check(26) and enc-tkt-in-skey(28) are client requests,
-- not grants; the KDC must apply its own policy before honouring them.
163 KDCOptions ::= KerberosFlags
169 -- allow-postdate(5),
175 -- opt-hardware-auth(11),
178 -- 15 is reserved for canonicalize
180 -- 26 was unused in 1510
181 -- disable-transited-check(26),
184 -- enc-tkt-in-skey(28),
-- AS-REP and TGS-REP share the KDC-REP body; msg-type (11 vs 13) is an
-- unconstrained INTEGER here, so check it against the APPLICATION tag.
188 AS-REP ::= [APPLICATION 11] KDC-REP
-- TGS-REP: same body as AS-REP, msg-type 13 (verify it matches the tag).
190 TGS-REP ::= [APPLICATION 13] KDC-REP
192 KDC-REP ::= SEQUENCE {
193 pvno [0] INTEGER, -- (5)
194 msg-type [1] INTEGER, -- (11 - AS - | 13 - TGS -)
195 padata [2] SEQUENCE OF PA-DATA OPTIONAL,
196 -- NOTE: not empty --
198 cname [4] PrincipalName,
200 enc-part [6] EncryptedData
201 -- EncASRepPart or EncTGSRepPart,
-- Decrypted enc-part of an AS-REP.  NOTE(review): RFC 4120 records that
-- some implementations send the EncTGSRepPart tag (26) in AS-REP replies
-- as well; a decoder may need to accept either tag for interoperability,
-- but should still bind the decrypted content to the reply it came from.
205 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
-- Decrypted enc-part of a TGS-REP (same body as EncASRepPart).
207 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
209 EncKDCRepPart ::= SEQUENCE {
210 key [0] EncryptionKey,
211 last-req [1] LastReq,
213 key-expiration [3] KerberosTime OPTIONAL,
214 flags [4] TicketFlags,
215 authtime [5] KerberosTime,
216 starttime [6] KerberosTime OPTIONAL,
217 endtime [7] KerberosTime,
218 renew-till [8] KerberosTime OPTIONAL,
220 sname [10] PrincipalName,
221 caddr [11] HostAddresses OPTIONAL
224 LastReq ::= SEQUENCE OF SEQUENCE {
226 lr-value [1] KerberosTime
229 AP-REQ ::= [APPLICATION 14] SEQUENCE {
230 pvno [0] INTEGER, -- (5)
231 msg-type [1] INTEGER, -- (14)
232 ap-options [2] APOptions,
234 authenticator [4] EncryptedData -- Authenticator
-- AP-REQ options.  Named bits are listed only in comments below
-- (use-session-key(1), mutual-required(2)) and are not known to the parser.
237 APOptions ::= KerberosFlags
239 -- use-session-key(1),
240 -- mutual-required(2)
242 -- Authenticator in plaintext form; on the wire it is carried encrypted
-- inside the AP-REQ authenticator [4] EncryptedData field.
243 Authenticator ::= [APPLICATION 2] SEQUENCE {
244 authenticator-vno [0] INTEGER, -- (5)
246 cname [2] PrincipalName,
247 cksum [3] Checksum OPTIONAL,
248 cusec [4] Microseconds,
249 ctime [5] KerberosTime,
250 subkey [6] EncryptionKey OPTIONAL,
251 seq-number [7] UInt32 OPTIONAL,
252 authorization-data [8] AuthorizationData OPTIONAL
255 AP-REP ::= [APPLICATION 15] SEQUENCE {
256 pvno [0] INTEGER, -- (5)
257 msg-type [1] INTEGER, -- (15)
258 enc-part [2] EncryptedData -- EncAPRepPart
261 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
262 ctime [0] KerberosTime,
263 cusec [1] Microseconds,
264 subkey [2] EncryptionKey OPTIONAL,
265 seq-number [3] UInt32 OPTIONAL
268 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
269 pvno [0] INTEGER, -- (5)
270 msg-type [1] INTEGER, -- (20)
271 safe-body [2] KRB-SAFE-BODY,
275 KRB-SAFE-BODY ::= SEQUENCE {
276 user-data [0] OCTET STRING,
277 timestamp [1] KerberosTime OPTIONAL,
278 usec [2] Microseconds OPTIONAL,
279 seq-number [3] UInt32 OPTIONAL,
280 s-address [4] HostAddress,
281 r-address [5] HostAddress OPTIONAL
284 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
285 pvno [0] INTEGER, -- (5)
286 msg-type [1] INTEGER, -- (21)
287 -- NOTE: there is no [2] tag
288 enc-part [3] EncryptedData -- EncKrbPrivPart
291 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
292 user-data [0] OCTET STRING,
293 timestamp [1] KerberosTime OPTIONAL,
294 usec [2] Microseconds OPTIONAL,
295 seq-number [3] UInt32 OPTIONAL,
296 s-address [4] HostAddress, -- sender's addr --
297 r-address [5] HostAddress OPTIONAL -- recip's addr
300 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
301 pvno [0] INTEGER, -- (5)
302 msg-type [1] INTEGER, --- (22)
303 tickets [2] SEQUENCE OF Ticket,
304 enc-part [3] EncryptedData -- EncKrbCredPart
307 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
308 ticket-info [0] SEQUENCE OF KrbCredInfo,
309 nonce [1] UInt32 OPTIONAL,
310 timestamp [2] KerberosTime OPTIONAL,
311 usec [3] Microseconds OPTIONAL,
312 s-address [4] HostAddress OPTIONAL,
313 r-address [5] HostAddress OPTIONAL
316 KrbCredInfo ::= SEQUENCE {
317 key [0] EncryptionKey,
318 prealm [1] Realm OPTIONAL,
319 pname [2] PrincipalName OPTIONAL,
320 flags [3] TicketFlags OPTIONAL,
321 authtime [4] KerberosTime OPTIONAL,
322 starttime [5] KerberosTime OPTIONAL,
323 endtime [6] KerberosTime OPTIONAL,
324 renew-till [7] KerberosTime OPTIONAL,
325 srealm [8] Realm OPTIONAL,
326 sname [9] PrincipalName OPTIONAL,
327 caddr [10] HostAddresses OPTIONAL
330 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
331 pvno [0] INTEGER, -- (5)
332 msg-type [1] INTEGER, -- (30)
333 ctime [2] KerberosTime OPTIONAL,
334 cusec [3] Microseconds OPTIONAL,
335 stime [4] KerberosTime,
336 susec [5] Microseconds,
337 error-code [6] Int32,
338 crealm [7] Realm OPTIONAL,
339 cname [8] PrincipalName OPTIONAL,
340 realm [9] Realm, -- service realm --
341 sname [10] PrincipalName, -- service name --
342 e-text [11] KerberosString OPTIONAL,
343 e-data [12] OCTET STRING OPTIONAL
-- List of PA-DATA, typically carried in the e-data OCTET STRING of a
-- KRB-ERROR.  NOTE(review): KRB-ERROR is neither encrypted nor
-- authenticated, so anything decoded from e-data is attacker-controllable.
346 METHOD-DATA ::= SEQUENCE OF PA-DATA
348 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
349 data-type [0] INTEGER,
350 data-value [1] OCTET STRING OPTIONAL
353 -- pre-authentication (padata) types follow
-- Encrypted-timestamp pre-authentication; the cipher field decrypts to a
-- PA-ENC-TS-ENC.  NOTE(review): per RFC 4120 this is encrypted with the
-- client's long-term key, so it is exposed to offline guessing if captured;
-- the KDC should check the decrypted timestamp against its clock-skew
-- window and treat a bad decrypt as a pre-authentication failure.
355 PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
357 PA-ENC-TS-ENC ::= SEQUENCE {
358 patimestamp [0] KerberosTime, -- client's time --
359 pausec [1] Microseconds OPTIONAL
362 ETYPE-INFO-ENTRY ::= SEQUENCE {
364 salt [1] OCTET STRING OPTIONAL
-- Legacy etype/salt hints returned to the client.  No SIZE constraint, so
-- an empty list parses.  NOTE(review): this travels in an unauthenticated
-- KRB-ERROR; do not let it silently select a weaker enctype than policy
-- allows.
367 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
369 ETYPE-INFO2-ENTRY ::= SEQUENCE {
371 salt [1] KerberosString OPTIONAL,
372 s2kparams [2] OCTET STRING OPTIONAL
-- Etype/salt/s2kparams hints; the SIZE (1..MAX) constraint is kept here
-- (not commented out), so the list must be non-empty.  NOTE(review): as
-- with ETYPE-INFO this is unauthenticated KRB-ERROR data; apply local
-- enctype policy before accepting the advertised etype or s2kparams.
375 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
-- Authorization-data container whose elements, per RFC 4120, may be
-- ignored by an application server that does not understand their ad-type.
377 AD-IF-RELEVANT ::= AuthorizationData
379 AD-KDCIssued ::= SEQUENCE {
380 ad-checksum [0] Checksum,
381 i-realm [1] Realm OPTIONAL,
382 i-sname [2] PrincipalName OPTIONAL,
383 elements [3] AuthorizationData
386 AD-AND-OR ::= SEQUENCE {
387 condition-count [0] INTEGER,
388 elements [1] AuthorizationData
-- Authorization-data container whose elements, per RFC 4120, the KDC must
-- understand; a KDC that does not recognise an enclosed ad-type must
-- reject the ticket rather than skip the element.
391 AD-MANDATORY-FOR-KDC ::= AuthorizationData