1-- $Id$ 2 3KERBEROS5 DEFINITIONS ::= 4BEGIN 5EXPORTS 6 AD-AND-OR, 7 AD-IF-RELEVANT, 8 AD-KDCIssued, 9 AD-LoginAlias, 10 AP-REP, 11 AP-REQ, 12 AS-REP, 13 AS-REQ, 14 AUTHDATA-TYPE, 15 Authenticator, 16 AuthorizationData, 17 AuthorizationDataElement, 18 CKSUMTYPE, 19 ChangePasswdDataMS, 20 Checksum, 21 ENCTYPE, 22 ETYPE-INFO, 23 ETYPE-INFO-ENTRY, 24 ETYPE-INFO2, 25 ETYPE-INFO2-ENTRY, 26 EncAPRepPart, 27 EncASRepPart, 28 EncKDCRepPart, 29 EncKrbCredPart, 30 EncKrbPrivPart, 31 EncTGSRepPart, 32 EncTicketPart, 33 EncryptedData, 34 EncryptionKey, 35 EtypeList, 36 HostAddress, 37 HostAddresses, 38 KDC-REQ-BODY, 39 KDCOptions, 40 KDC-REP, 41 KRB-CRED, 42 KRB-ERROR, 43 KRB-PRIV, 44 KRB-SAFE, 45 KRB-SAFE-BODY, 46 KRB5SignedPath, 47 KRB5SignedPathData, 48 KRB5SignedPathPrincipals, 49 KerberosString, 50 KerberosTime, 51 KrbCredInfo, 52 LR-TYPE, 53 LastReq, 54 METHOD-DATA, 55 NAME-TYPE, 56 PA-ClientCanonicalized, 57 PA-ClientCanonicalizedNames, 58 PA-DATA, 59 PA-ENC-TS-ENC, 60 PA-PAC-REQUEST, 61 PA-S4U2Self, 62 PA-SERVER-REFERRAL-DATA, 63 PA-ServerReferralData, 64 PA-SvrReferralData, 65 PADATA-TYPE, 66 Principal, 67 PrincipalName, 68 Principals, 69 Realm, 70 TGS-REP, 71 TGS-REQ, 72 Ticket, 73 TicketFlags, 74 TransitedEncoding, 75 TypedData 76 ; 77 78NAME-TYPE ::= INTEGER { 79 KRB5_NT_UNKNOWN(0), -- Name type not known 80 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in 81 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt) 82 KRB5_NT_SRV_HST(3), -- Service with host name as instance 83 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components 84 KRB5_NT_UID(5), -- Unique ID 85 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT 86 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name 87 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN 88 KRB5_NT_WELLKNOWN(11), -- Wellknown 89 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID 90 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name 91 KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID 92 KRB5_NT_NTLM(-1200) -- NTLM name, realm is domain 93} 94 95-- message types 96 97MESSAGE-TYPE ::= INTEGER { 98 krb-as-req(10), -- Request for initial authentication 99 krb-as-rep(11), -- Response to KRB_AS_REQ request 100 krb-tgs-req(12), -- Request for authentication based on TGT 101 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request 102 krb-ap-req(14), -- application request to server 103 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL 104 krb-safe(20), -- Safe (checksummed) application message 105 krb-priv(21), -- Private (encrypted) application message 106 krb-cred(22), -- Private (encrypted) message to forward credentials 107 krb-error(30) -- Error response 108} 109 110 111-- pa-data types 112 113PADATA-TYPE ::= INTEGER { 114 KRB5-PADATA-NONE(0), 115 KRB5-PADATA-TGS-REQ(1), 116 KRB5-PADATA-AP-REQ(1), 117 KRB5-PADATA-ENC-TIMESTAMP(2), 118 KRB5-PADATA-PW-SALT(3), 119 KRB5-PADATA-ENC-UNIX-TIME(5), 120 KRB5-PADATA-SANDIA-SECUREID(6), 121 KRB5-PADATA-SESAME(7), 122 KRB5-PADATA-OSF-DCE(8), 123 KRB5-PADATA-CYBERSAFE-SECUREID(9), 124 KRB5-PADATA-AFS3-SALT(10), 125 KRB5-PADATA-ETYPE-INFO(11), 126 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) 127 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) 128 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) 129 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) 130 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number) 131 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) 132 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) 133 KRB5-PADATA-PA-PK-OCSP-RESPONSE(18), 134 KRB5-PADATA-ETYPE-INFO2(19), 135 KRB5-PADATA-USE-SPECIFIED-KVNO(20), 136 KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number 137 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) 138 KRB5-PADATA-GET-FROM-TYPED-DATA(22), 139 KRB5-PADATA-SAM-ETYPE-INFO(23), 140 KRB5-PADATA-SERVER-REFERRAL(25), 141 KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov) 142 KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com) 143 KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com) 144 KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT 145 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName 146 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT 147 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT 148 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific 149 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER 150 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER 151 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com 152 KRB5-PADATA-FOR-USER(129), -- MS-KILE 153 KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE 154 KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE 155 KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE 156 KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to 157 -- tell KDC that is supports 158 -- the asCheckSum in the 159 -- PK-AS-REP 160 KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referals 161 KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework 162 KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework 163 KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework 164 KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework 165 KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework 166 KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework 167 KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com) 168 KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com) 169 KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com) 170 KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com) 171 KRB5-PADATA-EPAK-AS-REQ(145), 172 KRB5-PADATA-EPAK-AS-REP(146), 173 KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon 174 KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u 175 KRB5-PADATA-REQ-ENC-PA-REP(149), -- 176 KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE 177} 178 179AUTHDATA-TYPE ::= INTEGER { 180 KRB5-AUTHDATA-IF-RELEVANT(1), 181 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2), 182 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3), 183 KRB5-AUTHDATA-KDC-ISSUED(4), 184 KRB5-AUTHDATA-AND-OR(5), 185 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6), 186 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7), 187 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8), 188 KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9), 189 KRB5-AUTHDATA-OSF-DCE(64), 190 KRB5-AUTHDATA-SESAME(65), 191 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), 192 KRB5-AUTHDATA-WIN2K-PAC(128), 193 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only 194 KRB5-AUTHDATA-SIGNTICKET-OLDER(-17), 195 KRB5-AUTHDATA-SIGNTICKET-OLD(142), 196 KRB5-AUTHDATA-SIGNTICKET(512) 197} 198 199-- checksumtypes 200 201CKSUMTYPE ::= INTEGER { 202 CKSUMTYPE_NONE(0), 203 CKSUMTYPE_CRC32(1), 204 CKSUMTYPE_RSA_MD4(2), 205 CKSUMTYPE_RSA_MD4_DES(3), 206 CKSUMTYPE_DES_MAC(4), 207 CKSUMTYPE_DES_MAC_K(5), 208 CKSUMTYPE_RSA_MD4_DES_K(6), 209 CKSUMTYPE_RSA_MD5(7), 210 CKSUMTYPE_RSA_MD5_DES(8), 211 CKSUMTYPE_RSA_MD5_DES3(9), 212 CKSUMTYPE_SHA1_OTHER(10), 213 CKSUMTYPE_HMAC_SHA1_DES3(12), 214 CKSUMTYPE_SHA1(14), 215 CKSUMTYPE_HMAC_SHA1_96_AES_128(15), 216 CKSUMTYPE_HMAC_SHA1_96_AES_256(16), 217 CKSUMTYPE_GSSAPI(0x8003), 218 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number 219 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial 220} 221 222--enctypes 223ENCTYPE ::= INTEGER { 224 KRB5_ENCTYPE_NULL(0), 225 KRB5_ENCTYPE_DES_CBC_CRC(1), 226 KRB5_ENCTYPE_DES_CBC_MD4(2), 227 KRB5_ENCTYPE_DES_CBC_MD5(3), 228 KRB5_ENCTYPE_DES3_CBC_MD5(5), 229 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7), 230 KRB5_ENCTYPE_SIGN_DSA_GENERATE(8), 231 KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9), 232 KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10), 233 KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation 234 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17), 235 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18), 236 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23), 237 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24), 238 KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48), 239-- some "old" windows types 240 KRB5_ENCTYPE_ARCFOUR_MD4(-128), 241 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133), 242 KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135), 243-- these are for Heimdal internal use 244 KRB5_ENCTYPE_DES_CBC_NONE(-0x1000), 245 KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001), 246 KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002), 247 KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003), 248 KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com 249 KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com 250} 251 252 253 254 255-- this is sugar to make something ASN1 does not have: unsigned 256 257krb5uint32 ::= INTEGER (0..4294967295) 258krb5int32 ::= INTEGER (-2147483648..2147483647) 259 260KerberosString ::= GeneralString 261 262Realm ::= GeneralString 263PrincipalName ::= SEQUENCE { 264 name-type[0] NAME-TYPE, 265 name-string[1] SEQUENCE OF GeneralString 266} 267 268-- this is not part of RFC1510 269Principal ::= SEQUENCE { 270 name[0] PrincipalName, 271 realm[1] Realm 272} 273 274Principals ::= SEQUENCE OF Principal 275 276HostAddress ::= SEQUENCE { 277 addr-type[0] krb5int32, 278 address[1] OCTET STRING 279} 280 281-- This is from RFC1510. 282-- 283-- HostAddresses ::= SEQUENCE OF SEQUENCE { 284-- addr-type[0] krb5int32, 285-- address[1] OCTET STRING 286-- } 287 288-- This seems much better. 289HostAddresses ::= SEQUENCE OF HostAddress 290 291 292KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z) 293 294AuthorizationDataElement ::= SEQUENCE { 295 ad-type[0] krb5int32, 296 ad-data[1] OCTET STRING 297} 298 299AuthorizationData ::= SEQUENCE OF AuthorizationDataElement 300 301APOptions ::= BIT STRING { 302 reserved(0), 303 use-session-key(1), 304 mutual-required(2) 305} 306 307TicketFlags ::= BIT STRING { 308 reserved(0), 309 forwardable(1), 310 forwarded(2), 311 proxiable(3), 312 proxy(4), 313 may-postdate(5), 314 postdated(6), 315 invalid(7), 316 renewable(8), 317 initial(9), 318 pre-authent(10), 319 hw-authent(11), 320 transited-policy-checked(12), 321 ok-as-delegate(13), 322 anonymous(14), 323 enc-pa-rep(15) 324} 325 326KDCOptions ::= BIT STRING { 327 reserved(0), 328 forwardable(1), 329 forwarded(2), 330 proxiable(3), 331 proxy(4), 332 allow-postdate(5), 333 postdated(6), 334 renewable(8), 335 request-anonymous(14), 336 canonicalize(15), 337 constrained-delegation(16), -- ms extension 338 disable-transited-check(26), 339 renewable-ok(27), 340 enc-tkt-in-skey(28), 341 renew(30), 342 validate(31) 343} 344 345LR-TYPE ::= INTEGER { 346 LR_NONE(0), -- no information 347 LR_INITIAL_TGT(1), -- last initial TGT request 348 LR_INITIAL(2), -- last initial request 349 LR_ISSUE_USE_TGT(3), -- time of newest TGT used 350 LR_RENEWAL(4), -- time of last renewal 351 LR_REQUEST(5), -- time of last request (of any type) 352 LR_PW_EXPTIME(6), -- expiration time of password 353 LR_ACCT_EXPTIME(7) -- expiration time of account 354} 355 356LastReq ::= SEQUENCE OF SEQUENCE { 357 lr-type[0] LR-TYPE, 358 lr-value[1] KerberosTime 359} 360 361 362EncryptedData ::= SEQUENCE { 363 etype[0] ENCTYPE, -- EncryptionType 364 kvno[1] krb5uint32 OPTIONAL, 365 cipher[2] OCTET STRING -- ciphertext 366} 367 368EncryptionKey ::= SEQUENCE { 369 keytype[0] krb5int32, 370 keyvalue[1] OCTET STRING 371} 372 373-- encoded Transited field 374TransitedEncoding ::= SEQUENCE { 375 tr-type[0] krb5int32, -- must be registered 376 contents[1] OCTET STRING 377} 378 379Ticket ::= [APPLICATION 1] SEQUENCE { 380 tkt-vno[0] krb5int32, 381 realm[1] Realm, 382 sname[2] PrincipalName, 383 enc-part[3] EncryptedData 384} 385-- Encrypted part of ticket 386EncTicketPart ::= [APPLICATION 3] SEQUENCE { 387 flags[0] TicketFlags, 388 key[1] EncryptionKey, 389 crealm[2] Realm, 390 cname[3] PrincipalName, 391 transited[4] TransitedEncoding, 392 authtime[5] KerberosTime, 393 starttime[6] KerberosTime OPTIONAL, 394 endtime[7] KerberosTime, 395 renew-till[8] KerberosTime OPTIONAL, 396 caddr[9] HostAddresses OPTIONAL, 397 authorization-data[10] AuthorizationData OPTIONAL 398} 399 400Checksum ::= SEQUENCE { 401 cksumtype[0] CKSUMTYPE, 402 checksum[1] OCTET STRING 403} 404 405Authenticator ::= [APPLICATION 2] SEQUENCE { 406 authenticator-vno[0] krb5int32, 407 crealm[1] Realm, 408 cname[2] PrincipalName, 409 cksum[3] Checksum OPTIONAL, 410 cusec[4] krb5int32, 411 ctime[5] KerberosTime, 412 subkey[6] EncryptionKey OPTIONAL, 413 seq-number[7] krb5uint32 OPTIONAL, 414 authorization-data[8] AuthorizationData OPTIONAL 415} 416 417PA-DATA ::= SEQUENCE { 418 -- might be encoded AP-REQ 419 padata-type[1] PADATA-TYPE, 420 padata-value[2] OCTET STRING 421} 422 423ETYPE-INFO-ENTRY ::= SEQUENCE { 424 etype[0] ENCTYPE, 425 salt[1] OCTET STRING OPTIONAL, 426 salttype[2] krb5int32 OPTIONAL 427} 428 429ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY 430 431ETYPE-INFO2-ENTRY ::= SEQUENCE { 432 etype[0] ENCTYPE, 433 salt[1] KerberosString OPTIONAL, 434 s2kparams[2] OCTET STRING OPTIONAL 435} 436 437ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY 438 439METHOD-DATA ::= SEQUENCE OF PA-DATA 440 441TypedData ::= SEQUENCE { 442 data-type[0] krb5int32, 443 data-value[1] OCTET STRING OPTIONAL 444} 445 446TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData 447 448KDC-REQ-BODY ::= SEQUENCE { 449 kdc-options[0] KDCOptions, 450 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ 451 realm[2] Realm, -- Server's realm 452 -- Also client's in AS-REQ 453 sname[3] PrincipalName OPTIONAL, 454 from[4] KerberosTime OPTIONAL, 455 till[5] KerberosTime OPTIONAL, 456 rtime[6] KerberosTime OPTIONAL, 457 nonce[7] krb5int32, 458 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType, 459 -- in preference order 460 addresses[9] HostAddresses OPTIONAL, 461 enc-authorization-data[10] EncryptedData OPTIONAL, 462 -- Encrypted AuthorizationData encoding 463 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL 464} 465 466KDC-REQ ::= SEQUENCE { 467 pvno[1] krb5int32, 468 msg-type[2] MESSAGE-TYPE, 469 padata[3] METHOD-DATA OPTIONAL, 470 req-body[4] KDC-REQ-BODY 471} 472 473AS-REQ ::= [APPLICATION 10] KDC-REQ 474TGS-REQ ::= [APPLICATION 12] KDC-REQ 475 476-- padata-type ::= PA-ENC-TIMESTAMP 477-- padata-value ::= EncryptedData - PA-ENC-TS-ENC 478 479PA-ENC-TS-ENC ::= SEQUENCE { 480 patimestamp[0] KerberosTime, -- client's time 481 pausec[1] krb5int32 OPTIONAL 482} 483 484-- draft-brezak-win2k-krb-authz-01 485PA-PAC-REQUEST ::= SEQUENCE { 486 include-pac[0] BOOLEAN -- Indicates whether a PAC 487 -- should be included or not 488} 489 490-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf 491PROV-SRV-LOCATION ::= GeneralString 492 493KDC-REP ::= SEQUENCE { 494 pvno[0] krb5int32, 495 msg-type[1] MESSAGE-TYPE, 496 padata[2] METHOD-DATA OPTIONAL, 497 crealm[3] Realm, 498 cname[4] PrincipalName, 499 ticket[5] Ticket, 500 enc-part[6] EncryptedData 501} 502 503AS-REP ::= [APPLICATION 11] KDC-REP 504TGS-REP ::= [APPLICATION 13] KDC-REP 505 506EncKDCRepPart ::= SEQUENCE { 507 key[0] EncryptionKey, 508 last-req[1] LastReq, 509 nonce[2] krb5int32, 510 key-expiration[3] KerberosTime OPTIONAL, 511 flags[4] TicketFlags, 512 authtime[5] KerberosTime, 513 starttime[6] KerberosTime OPTIONAL, 514 endtime[7] KerberosTime, 515 renew-till[8] KerberosTime OPTIONAL, 516 srealm[9] Realm, 517 sname[10] PrincipalName, 518 caddr[11] HostAddresses OPTIONAL, 519 encrypted-pa-data[12] METHOD-DATA OPTIONAL 520} 521 522EncASRepPart ::= [APPLICATION 25] EncKDCRepPart 523EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart 524 525AP-REQ ::= [APPLICATION 14] SEQUENCE { 526 pvno[0] krb5int32, 527 msg-type[1] MESSAGE-TYPE, 528 ap-options[2] APOptions, 529 ticket[3] Ticket, 530 authenticator[4] EncryptedData 531} 532 533AP-REP ::= [APPLICATION 15] SEQUENCE { 534 pvno[0] krb5int32, 535 msg-type[1] MESSAGE-TYPE, 536 enc-part[2] EncryptedData 537} 538 539EncAPRepPart ::= [APPLICATION 27] SEQUENCE { 540 ctime[0] KerberosTime, 541 cusec[1] krb5int32, 542 subkey[2] EncryptionKey OPTIONAL, 543 seq-number[3] krb5uint32 OPTIONAL 544} 545 546KRB-SAFE-BODY ::= SEQUENCE { 547 user-data[0] OCTET STRING, 548 timestamp[1] KerberosTime OPTIONAL, 549 usec[2] krb5int32 OPTIONAL, 550 seq-number[3] krb5uint32 OPTIONAL, 551 s-address[4] HostAddress OPTIONAL, 552 r-address[5] HostAddress OPTIONAL 553} 554 555KRB-SAFE ::= [APPLICATION 20] SEQUENCE { 556 pvno[0] krb5int32, 557 msg-type[1] MESSAGE-TYPE, 558 safe-body[2] KRB-SAFE-BODY, 559 cksum[3] Checksum 560} 561 562KRB-PRIV ::= [APPLICATION 21] SEQUENCE { 563 pvno[0] krb5int32, 564 msg-type[1] MESSAGE-TYPE, 565 enc-part[3] EncryptedData 566} 567EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { 568 user-data[0] OCTET STRING, 569 timestamp[1] KerberosTime OPTIONAL, 570 usec[2] krb5int32 OPTIONAL, 571 seq-number[3] krb5uint32 OPTIONAL, 572 s-address[4] HostAddress OPTIONAL, -- sender's addr 573 r-address[5] HostAddress OPTIONAL -- recip's addr 574} 575 576KRB-CRED ::= [APPLICATION 22] SEQUENCE { 577 pvno[0] krb5int32, 578 msg-type[1] MESSAGE-TYPE, -- KRB_CRED 579 tickets[2] SEQUENCE OF Ticket, 580 enc-part[3] EncryptedData 581} 582 583KrbCredInfo ::= SEQUENCE { 584 key[0] EncryptionKey, 585 prealm[1] Realm OPTIONAL, 586 pname[2] PrincipalName OPTIONAL, 587 flags[3] TicketFlags OPTIONAL, 588 authtime[4] KerberosTime OPTIONAL, 589 starttime[5] KerberosTime OPTIONAL, 590 endtime[6] KerberosTime OPTIONAL, 591 renew-till[7] KerberosTime OPTIONAL, 592 srealm[8] Realm OPTIONAL, 593 sname[9] PrincipalName OPTIONAL, 594 caddr[10] HostAddresses OPTIONAL 595} 596 597EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { 598 ticket-info[0] SEQUENCE OF KrbCredInfo, 599 nonce[1] krb5int32 OPTIONAL, 600 timestamp[2] KerberosTime OPTIONAL, 601 usec[3] krb5int32 OPTIONAL, 602 s-address[4] HostAddress OPTIONAL, 603 r-address[5] HostAddress OPTIONAL 604} 605 606KRB-ERROR ::= [APPLICATION 30] SEQUENCE { 607 pvno[0] krb5int32, 608 msg-type[1] MESSAGE-TYPE, 609 ctime[2] KerberosTime OPTIONAL, 610 cusec[3] krb5int32 OPTIONAL, 611 stime[4] KerberosTime, 612 susec[5] krb5int32, 613 error-code[6] krb5int32, 614 crealm[7] Realm OPTIONAL, 615 cname[8] PrincipalName OPTIONAL, 616 realm[9] Realm, -- Correct realm 617 sname[10] PrincipalName, -- Correct name 618 e-text[11] GeneralString OPTIONAL, 619 e-data[12] OCTET STRING OPTIONAL 620} 621 622ChangePasswdDataMS ::= SEQUENCE { 623 newpasswd[0] OCTET STRING, 624 targname[1] PrincipalName OPTIONAL, 625 targrealm[2] Realm OPTIONAL 626} 627 628EtypeList ::= SEQUENCE OF ENCTYPE 629 -- the client's proposed enctype list in 630 -- decreasing preference order, favorite choice first 631 632krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number 633 634-- transited encodings 635 636DOMAIN-X500-COMPRESS krb5int32 ::= 1 637 638-- authorization data primitives 639 640AD-IF-RELEVANT ::= AuthorizationData 641 642AD-KDCIssued ::= SEQUENCE { 643 ad-checksum[0] Checksum, 644 i-realm[1] Realm OPTIONAL, 645 i-sname[2] PrincipalName OPTIONAL, 646 elements[3] AuthorizationData 647} 648 649AD-AND-OR ::= SEQUENCE { 650 condition-count[0] INTEGER, 651 elements[1] AuthorizationData 652} 653 654AD-MANDATORY-FOR-KDC ::= AuthorizationData 655 656-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2 657 658PA-SAM-TYPE ::= INTEGER { 659 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic 660 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways 661 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0 662 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key 663 PA_SAM_TYPE_SECURID(5), -- Security Dynamics 664 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard 665} 666 667PA-SAM-REDIRECT ::= HostAddresses 668 669SAMFlags ::= BIT STRING { 670 use-sad-as-key(0), 671 send-encrypted-sad(1), 672 must-pk-encrypt-sad(2) 673} 674 675PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE { 676 sam-type[0] krb5int32, 677 sam-flags[1] SAMFlags, 678 sam-type-name[2] GeneralString OPTIONAL, 679 sam-track-id[3] GeneralString OPTIONAL, 680 sam-challenge-label[4] GeneralString OPTIONAL, 681 sam-challenge[5] GeneralString OPTIONAL, 682 sam-response-prompt[6] GeneralString OPTIONAL, 683 sam-pk-for-sad[7] EncryptionKey OPTIONAL, 684 sam-nonce[8] krb5int32, 685 sam-etype[9] krb5int32, 686 ... 687} 688 689PA-SAM-CHALLENGE-2 ::= SEQUENCE { 690 sam-body[0] PA-SAM-CHALLENGE-2-BODY, 691 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX) 692 ... 693} 694 695PA-SAM-RESPONSE-2 ::= SEQUENCE { 696 sam-type[0] krb5int32, 697 sam-flags[1] SAMFlags, 698 sam-track-id[2] GeneralString OPTIONAL, 699 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC 700 sam-nonce[4] krb5int32, 701 ... 702} 703 704PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE { 705 sam-nonce[0] krb5int32, 706 sam-sad[1] GeneralString OPTIONAL, 707 ... 708} 709 710PA-S4U2Self ::= SEQUENCE { 711 name[0] PrincipalName, 712 realm[1] Realm, 713 cksum[2] Checksum, 714 auth[3] GeneralString 715} 716 717-- never encoded on the wire, just used to checksum over 718KRB5SignedPathData ::= SEQUENCE { 719 client[0] Principal OPTIONAL, 720 authtime[1] KerberosTime, 721 delegated[2] Principals OPTIONAL, 722 method_data[3] METHOD-DATA OPTIONAL 723} 724 725KRB5SignedPath ::= SEQUENCE { 726 -- DERcoded KRB5SignedPathData 727 -- krbtgt key (etype), KeyUsage = XXX 728 etype[0] ENCTYPE, 729 cksum[1] Checksum, 730 -- srvs delegated though 731 delegated[2] Principals OPTIONAL, 732 method_data[3] METHOD-DATA OPTIONAL 733} 734 735PA-ClientCanonicalizedNames ::= SEQUENCE{ 736 requested-name [0] PrincipalName, 737 mapped-name [1] PrincipalName 738} 739 740PA-ClientCanonicalized ::= SEQUENCE { 741 names [0] PA-ClientCanonicalizedNames, 742 canon-checksum [1] Checksum 743} 744 745AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD -- 746 login-alias [0] PrincipalName, 747 checksum [1] Checksum 748} 749 750-- old ms referral 751PA-SvrReferralData ::= SEQUENCE { 752 referred-name [1] PrincipalName OPTIONAL, 753 referred-realm [0] Realm 754} 755 756PA-SERVER-REFERRAL-DATA ::= EncryptedData 757 758PA-ServerReferralData ::= SEQUENCE { 759 referred-realm [0] Realm OPTIONAL, 760 true-principal-name [1] PrincipalName OPTIONAL, 761 requested-principal-name [2] PrincipalName OPTIONAL, 762 referral-valid-until [3] KerberosTime OPTIONAL, 763 ... 764} 765 766FastOptions ::= BIT STRING { 767 reserved(0), 768 hide-client-names(1), 769 kdc-follow--referrals(16) 770} 771 772KrbFastReq ::= SEQUENCE { 773 fast-options [0] FastOptions, 774 padata [1] SEQUENCE OF PA-DATA, 775 req-body [2] KDC-REQ-BODY, 776 ... 777} 778 779KrbFastArmor ::= SEQUENCE { 780 armor-type [0] krb5int32, 781 armor-value [1] OCTET STRING, 782 ... 783} 784 785KrbFastArmoredReq ::= SEQUENCE { 786 armor [0] KrbFastArmor OPTIONAL, 787 req-checksum [1] Checksum, 788 enc-fast-req [2] EncryptedData -- KrbFastReq -- 789} 790 791PA-FX-FAST-REQUEST ::= CHOICE { 792 armored-data [0] KrbFastArmoredReq, 793 ... 794} 795 796KrbFastFinished ::= SEQUENCE { 797 timestamp [0] KerberosTime, 798 usec [1] krb5int32, 799 crealm [2] Realm, 800 cname [3] PrincipalName, 801 checksum [4] Checksum, 802 ticket-checksum [5] Checksum, 803 ... 804} 805 806KrbFastResponse ::= SEQUENCE { 807 padata [0] SEQUENCE OF PA-DATA, 808 rep-key [1] EncryptionKey OPTIONAL, 809 finished [2] KrbFastFinished OPTIONAL, 810 ... 811} 812 813KrbFastArmoredRep ::= SEQUENCE { 814 enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- 815 ... 816} 817 818PA-FX-FAST-REPLY ::= CHOICE { 819 armored-data [0] KrbFastArmoredRep, 820 ... 821} 822 823END 824 825-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1 826