-- ASN.1 module for the Kerberos One-Time Password (OTP) pre-authentication
-- mechanism. This reproduces the module published in RFC 6560; the
-- definitions below are normative wire formats, so any edit to a type
-- assignment changes interoperability. IMPLICIT TAGS applies to every
-- [n] tag in this module.
OTPKerberos
DEFINITIONS IMPLICIT TAGS ::=
BEGIN

IMPORTS

    -- Kerberos base types (RFC 4120). NOTE(review): EncryptionKey is
    -- imported here but not referenced by any type in this module; some
    -- ASN.1 compilers report it as an unused import. It is kept so the
    -- text stays identical to the published module.
    KerberosTime, KerberosFlags, EncryptionKey, Int32,
    EncryptedData, LastReq, KerberosString
       FROM KerberosV5Spec2 {iso(1) identified-organization(3)
                               dod(6) internet(1) security(5)
                               kerberosV5(2) modules(4) krb5spec2(2)}
        -- as defined in RFC 4120.
    -- AlgorithmIdentifier (OID plus optional parameters) is reused for the
    -- hash algorithm negotiation below.
    AlgorithmIdentifier
       FROM PKIX1Explicit88 { iso (1) identified-organization (3)
                               dod (6) internet (1)
                               security (5) mechanisms (5) pkix (7)
                               id-mod (0) id-pkix1-explicit (18) };
        -- As defined in RFC 5280.

-- Challenge sent by the KDC to the client (carried as PA-DATA).
PA-OTP-CHALLENGE ::= SEQUENCE {
    -- KDC-chosen nonce. Per RFC 6560 the client returns this value inside
    -- the encrypted PA-OTP-ENC-REQUEST to prove it derived the OTP key.
    -- It must therefore be fresh and unpredictable for every exchange;
    -- a reused or guessable nonce enables replay of a captured response.
    nonce            [0] OCTET STRING,
    -- Human-readable service name, presumably for display to the user.
    otp-service      [1] UTF8String               OPTIONAL,
    -- At least one token description is mandatory (SIZE(1..MAX)); an
    -- encoder that emits an empty sequence here violates the schema.
    otp-tokenInfo    [2] SEQUENCE (SIZE(1..MAX)) OF
                         OTP-TOKENINFO,
    -- String-to-key salt and parameters, presumably used when turning the
    -- OTP value into a Kerberos key (see RFC 6560 for the exact derivation).
    salt             [3] KerberosString           OPTIONAL,
    s2kparams        [4] OCTET STRING             OPTIONAL,
    ...
}

-- Description of one token the KDC will accept; zero or more of the
-- optional fields narrow down which token, format and algorithm to use.
OTP-TOKENINFO ::= SEQUENCE {
    -- Bit positions are listed under OTPFlags below.
    flags            [0] OTPFlags,
    otp-vendor       [1] UTF8String               OPTIONAL,
    -- Token-specific challenge; when present it is non-empty (SIZE(1..MAX)).
    otp-challenge    [2] OCTET STRING (SIZE(1..MAX))
                                                  OPTIONAL,
    -- Expected number of OTP characters/digits.
    otp-length       [3] Int32                    OPTIONAL,
    otp-format       [4] OTPFormat                OPTIONAL,
    -- Opaque identifier of the token; mirrored back in PA-OTP-REQUEST.
    otp-tokenID      [5] OCTET STRING             OPTIONAL,
    otp-algID        [6] AnyURI                   OPTIONAL,
    -- Hash algorithms and iteration count the KDC supports; presumably
    -- only meaningful for the hashed-OTP variant (confirm against RFC 6560).
    supportedHashAlg [7] SEQUENCE OF AlgorithmIdentifier
                                                  OPTIONAL,
    iterationCount   [8] Int32                    OPTIONAL,
    ...
}

-- Character set / encoding of the OTP value the user enters.
OTPFormat ::= INTEGER {
    decimal(0),
    hexadecimal(1),
    alphanumeric(2),
    binary(3),
    base64(4)
}

-- Bit positions within a KerberosFlags BIT STRING (RFC 4120). Implementations
-- should treat unassigned bits as reserved and ignore them when set.
OTPFlags ::= KerberosFlags
    -- reserved(0),
    -- nextOTP(1),
    -- combine(2),
    -- collect-pin(3),
    -- do-not-collect-pin(4),
    -- must-encrypt-nonce (5),
    -- separate-pin-required (6),
    -- check-digit (7)

-- Client's response to the KDC (carried as PA-DATA).
-- NOTE(review): every field except encData is in the cleartext part of
-- the PA-DATA. In particular otp-value and otp-pin are only confidential
-- if the whole exchange is carried inside a FAST armored tunnel, which is
-- how RFC 6560 expects this mechanism to be used (confirm against the RFC).
-- An implementation must not send these fields over an unarmored AS exchange.
PA-OTP-REQUEST ::= SEQUENCE {
    flags            [0] OTPFlags,
    -- Client-generated nonce; presumably used when no KDC challenge was
    -- received (two-pass mode), see RFC 6560 for when it is required.
    nonce            [1] OCTET STRING             OPTIONAL,
    -- Encrypted proof of possession of the OTP-derived key.
    encData          [2] EncryptedData,
                         -- PA-OTP-ENC-REQUEST or PA-ENC-TS-ENC
                         -- Key usage of KEY_USAGE_OTP_REQUEST
    -- Hash algorithm / iteration count actually used by the client.
    hashAlg          [3] AlgorithmIdentifier      OPTIONAL,
    iterationCount   [4] Int32                    OPTIONAL,
    -- The OTP itself and the PIN, if the KDC (rather than the client) is
    -- to verify them. See the confidentiality note on this type.
    otp-value        [5] OCTET STRING             OPTIONAL,
    otp-pin          [6] UTF8String               OPTIONAL,
    -- Echo of the token challenge; non-empty when present (SIZE(1..MAX)).
    otp-challenge    [7] OCTET STRING (SIZE(1..MAX)) OPTIONAL,
    -- Time or counter the OTP was generated from, for the KDC's verifier.
    otp-time         [8] KerberosTime             OPTIONAL,
    otp-counter      [9] OCTET STRING             OPTIONAL,
    -- Token selection fields, echoed from the chosen OTP-TOKENINFO.
    otp-format       [10] OTPFormat               OPTIONAL,
    otp-tokenID      [11] OCTET STRING            OPTIONAL,
    otp-algID        [12] AnyURI                  OPTIONAL,
    otp-vendor       [13] UTF8String              OPTIONAL,
    ...
}

-- Plaintext of PA-OTP-REQUEST.encData when the KDC issued a challenge:
-- carries the KDC's nonce back under the OTP-derived key. A KDC must
-- compare it byte-for-byte with the nonce it sent for this exchange.
PA-OTP-ENC-REQUEST ::= SEQUENCE {
    nonce            [0] OCTET STRING,
    ...
}


-- PIN-change request from the KDC to the client. The pin field carries a
-- PIN value in the clear within this structure, so the structure as a whole
-- must only travel inside encrypted padata (presumably the encrypted part
-- of the KDC reply; verify against RFC 6560).
PA-OTP-PIN-CHANGE ::= SEQUENCE {
    -- Bit positions are listed under PinFlags below.
    flags            [0] PinFlags,
    -- New PIN chosen by the system, if systemSetPin is set (presumably).
    pin              [1] UTF8String               OPTIONAL,
    -- Length policy for a user-chosen PIN.
    minLength        [2] INTEGER                  OPTIONAL,
    maxLength        [3] INTEGER                  OPTIONAL,
    last-req         [4] LastReq                  OPTIONAL,
    format           [5] OTPFormat                OPTIONAL,
    ...
}

-- Bit positions within a KerberosFlags BIT STRING (RFC 4120).
PinFlags ::= KerberosFlags
    -- reserved(0),
    -- systemSetPin(1),
    -- mandatory(2)

-- URI carried as UTF8String. The constraint is informal (a comment inside
-- CONSTRAINED BY), so decoders get no syntactic check from the schema and
-- must validate the URI themselves before using it.
-- NOTE(review): RFC 2396 has been obsoleted by RFC 3986; the published module
-- text is kept as is, but new validators should follow RFC 3986.
AnyURI ::= UTF8String
           (CONSTRAINED BY {
           -- MUST be a valid URI in accordance with IETF RFC 2396
           })

END