xref: /freebsd/crypto/heimdal/lib/asn1/krb5.asn1 (revision f39bffc62c1395bde25d152c7f68fdf7cbaab414)
1-- $Id$
2
3KERBEROS5 DEFINITIONS ::=
4BEGIN
5EXPORTS
6	AD-AND-OR,
7	AD-IF-RELEVANT,
8	AD-KDCIssued,
9	AD-LoginAlias,
10	AP-REP,
11	AP-REQ,
12	AS-REP,
13	AS-REQ,
14	AUTHDATA-TYPE,
15	Authenticator,
16	AuthorizationData,
17	AuthorizationDataElement,
18	CKSUMTYPE,
19	ChangePasswdDataMS,
20	Checksum,
21	ENCTYPE,
22	ETYPE-INFO,
23	ETYPE-INFO-ENTRY,
24	ETYPE-INFO2,
25	ETYPE-INFO2-ENTRY,
26	EncAPRepPart,
27	EncASRepPart,
28	EncKDCRepPart,
29	EncKrbCredPart,
30	EncKrbPrivPart,
31	EncTGSRepPart,
32	EncTicketPart,
33	EncryptedData,
34	EncryptionKey,
35	EtypeList,
36	HostAddress,
37	HostAddresses,
38	KDC-REQ-BODY,
39	KDCOptions,
40	KDC-REP,
41	KRB-CRED,
42	KRB-ERROR,
43	KRB-PRIV,
44	KRB-SAFE,
45	KRB-SAFE-BODY,
46	KRB5SignedPath,
47	KRB5SignedPathData,
48	KRB5SignedPathPrincipals,
49	KerberosString,
50	KerberosTime,
51	KrbCredInfo,
52	LR-TYPE,
53	LastReq,
54	METHOD-DATA,
55	NAME-TYPE,
56	PA-ClientCanonicalized,
57	PA-ClientCanonicalizedNames,
58	PA-DATA,
59	PA-ENC-TS-ENC,
60	PA-PAC-REQUEST,
61	PA-S4U2Self,
62	PA-SERVER-REFERRAL-DATA,
63	PA-ServerReferralData,
64	PA-SvrReferralData,
65	PADATA-TYPE,
66	Principal,
67	PrincipalName,
68	Principals,
69	Realm,
70	TGS-REP,
71	TGS-REQ,
72	Ticket,
73	TicketFlags,
74	TransitedEncoding,
75	TypedData
76	;
77
78NAME-TYPE ::= INTEGER {
79	KRB5_NT_UNKNOWN(0),	-- Name type not known
80	KRB5_NT_PRINCIPAL(1),	-- Just the name of the principal as in
81	KRB5_NT_SRV_INST(2),	-- Service and other unique instance (krbtgt)
82	KRB5_NT_SRV_HST(3),	-- Service with host name as instance
83	KRB5_NT_SRV_XHST(4),	-- Service with host as remaining components
84	KRB5_NT_UID(5),		-- Unique ID
85	KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
86	KRB5_NT_SMTP_NAME(7),	-- Name in form of SMTP email name
87	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
88	KRB5_NT_WELLKNOWN(11),	-- Wellknown
89	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
90	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
91	KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
92	KRB5_NT_NTLM(-1200) -- NTLM name, realm is domain
93}
94
95-- message types
96
97MESSAGE-TYPE ::= INTEGER {
98	krb-as-req(10), -- Request for initial authentication
99	krb-as-rep(11), -- Response to KRB_AS_REQ request
100	krb-tgs-req(12), -- Request for authentication based on TGT
101	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
102	krb-ap-req(14), -- application request to server
103	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
104	krb-safe(20), -- Safe (checksummed) application message
105	krb-priv(21), -- Private (encrypted) application message
106	krb-cred(22), -- Private (encrypted) message to forward credentials
107	krb-error(30) -- Error response
108}
109
110
111-- pa-data types
112
113PADATA-TYPE ::= INTEGER {
114	KRB5-PADATA-NONE(0),
115	KRB5-PADATA-TGS-REQ(1),
116	KRB5-PADATA-AP-REQ(1),
117	KRB5-PADATA-ENC-TIMESTAMP(2),
118	KRB5-PADATA-PW-SALT(3),
119	KRB5-PADATA-ENC-UNIX-TIME(5),
120	KRB5-PADATA-SANDIA-SECUREID(6),
121	KRB5-PADATA-SESAME(7),
122	KRB5-PADATA-OSF-DCE(8),
123	KRB5-PADATA-CYBERSAFE-SECUREID(9),
124	KRB5-PADATA-AFS3-SALT(10),
125	KRB5-PADATA-ETYPE-INFO(11),
126	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
127	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
128	KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
129	KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
130	KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
131	KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
132	KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
133	KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
134	KRB5-PADATA-ETYPE-INFO2(19),
135	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
136	KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
137	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
138	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
139	KRB5-PADATA-SAM-ETYPE-INFO(23),
140	KRB5-PADATA-SERVER-REFERRAL(25),
141	KRB5-PADATA-ALT-PRINC(24),		-- (crawdad@fnal.gov)
142	KRB5-PADATA-SAM-CHALLENGE2(30),		-- (kenh@pobox.com)
143	KRB5-PADATA-SAM-RESPONSE2(31),		-- (kenh@pobox.com)
144	KRB5-PA-EXTRA-TGT(41),			-- Reserved extra TGT
145	KRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
146	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
147	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
148	KRB5-PADATA-TD-APP-DEFINED-ERROR(106),	-- application specific
149	KRB5-PADATA-TD-REQ-NONCE(107),		-- INTEGER
150	KRB5-PADATA-TD-REQ-SEQ(108),		-- INTEGER
151	KRB5-PADATA-PA-PAC-REQUEST(128),	-- jbrezak@exchange.microsoft.com
152	KRB5-PADATA-FOR-USER(129),		-- MS-KILE
153	KRB5-PADATA-FOR-X509-USER(130),		-- MS-KILE
154	KRB5-PADATA-FOR-CHECK-DUPS(131),	-- MS-KILE
155	KRB5-PADATA-AS-CHECKSUM(132),		-- MS-KILE
156	KRB5-PADATA-PK-AS-09-BINDING(132),	-- client send this to
157						-- tell KDC that is supports
158						-- the asCheckSum in the
159						--  PK-AS-REP
160	KRB5-PADATA-CLIENT-CANONICALIZED(133),	-- referals
161	KRB5-PADATA-FX-COOKIE(133),		-- krb-wg-preauth-framework
162	KRB5-PADATA-AUTHENTICATION-SET(134),	-- krb-wg-preauth-framework
163	KRB5-PADATA-AUTH-SET-SELECTED(135),	-- krb-wg-preauth-framework
164	KRB5-PADATA-FX-FAST(136),		-- krb-wg-preauth-framework
165	KRB5-PADATA-FX-ERROR(137),		-- krb-wg-preauth-framework
166	KRB5-PADATA-ENCRYPTED-CHALLENGE(138),	-- krb-wg-preauth-framework
167	KRB5-PADATA-OTP-CHALLENGE(141),		-- (gareth.richards@rsa.com)
168	KRB5-PADATA-OTP-REQUEST(142),		-- (gareth.richards@rsa.com)
169	KBB5-PADATA-OTP-CONFIRM(143),		-- (gareth.richards@rsa.com)
170	KRB5-PADATA-OTP-PIN-CHANGE(144),	-- (gareth.richards@rsa.com)
171	KRB5-PADATA-EPAK-AS-REQ(145),
172	KRB5-PADATA-EPAK-AS-REP(146),
173	KRB5-PADATA-PKINIT-KX(147),		-- krb-wg-anon
174	KRB5-PADATA-PKU2U-NAME(148),		-- zhu-pku2u
175	KRB5-PADATA-REQ-ENC-PA-REP(149),	--
176	KRB5-PADATA-SUPPORTED-ETYPES(165)	-- MS-KILE
177}
178
179AUTHDATA-TYPE ::= INTEGER {
180	KRB5-AUTHDATA-IF-RELEVANT(1),
181	KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
182	KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
183	KRB5-AUTHDATA-KDC-ISSUED(4),
184	KRB5-AUTHDATA-AND-OR(5),
185	KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
186	KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
187	KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
188	KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
189	KRB5-AUTHDATA-OSF-DCE(64),
190	KRB5-AUTHDATA-SESAME(65),
191	KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
192	KRB5-AUTHDATA-WIN2K-PAC(128),
193	KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
194	KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
195	KRB5-AUTHDATA-SIGNTICKET-OLD(142),
196	KRB5-AUTHDATA-SIGNTICKET(512)
197}
198
199-- checksumtypes
200
201CKSUMTYPE ::= INTEGER {
202	CKSUMTYPE_NONE(0),
203	CKSUMTYPE_CRC32(1),
204	CKSUMTYPE_RSA_MD4(2),
205	CKSUMTYPE_RSA_MD4_DES(3),
206	CKSUMTYPE_DES_MAC(4),
207	CKSUMTYPE_DES_MAC_K(5),
208	CKSUMTYPE_RSA_MD4_DES_K(6),
209	CKSUMTYPE_RSA_MD5(7),
210	CKSUMTYPE_RSA_MD5_DES(8),
211	CKSUMTYPE_RSA_MD5_DES3(9),
212	CKSUMTYPE_SHA1_OTHER(10),
213	CKSUMTYPE_HMAC_SHA1_DES3(12),
214	CKSUMTYPE_SHA1(14),
215	CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
216	CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
217	CKSUMTYPE_GSSAPI(0x8003),
218	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
219	CKSUMTYPE_HMAC_MD5_ENC(-1138)	-- even more unofficial
220}
221
222--enctypes
223ENCTYPE ::= INTEGER {
224	KRB5_ENCTYPE_NULL(0),
225	KRB5_ENCTYPE_DES_CBC_CRC(1),
226	KRB5_ENCTYPE_DES_CBC_MD4(2),
227	KRB5_ENCTYPE_DES_CBC_MD5(3),
228	KRB5_ENCTYPE_DES3_CBC_MD5(5),
229	KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
230	KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
231	KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
232	KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
233	KRB5_ENCTYPE_DES3_CBC_SHA1(16),	-- with key derivation
234	KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
235	KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
236	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
237	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
238	KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
239-- some "old" windows types
240	KRB5_ENCTYPE_ARCFOUR_MD4(-128),
241	KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
242	KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
243-- these are for Heimdal internal use
244	KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
245	KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
246	KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
247	KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
248	KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004),		-- private use, lukeh@padl.com
249	KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005)		-- private use, lukeh@padl.com
250}
251
252
253
254
255-- this is sugar to make something ASN1 does not have: unsigned
256
257krb5uint32 ::= INTEGER (0..4294967295)
258krb5int32 ::= INTEGER (-2147483648..2147483647)
259
260KerberosString  ::= GeneralString
261
262Realm ::= GeneralString
263PrincipalName ::= SEQUENCE {
264	name-type[0]		NAME-TYPE,
265	name-string[1]		SEQUENCE OF GeneralString
266}
267
268-- this is not part of RFC1510
269Principal ::= SEQUENCE {
270	name[0]			PrincipalName,
271	realm[1]		Realm
272}
273
274Principals ::= SEQUENCE OF Principal
275
276HostAddress ::= SEQUENCE  {
277	addr-type[0]		krb5int32,
278	address[1]		OCTET STRING
279}
280
281-- This is from RFC1510.
282--
283-- HostAddresses ::= SEQUENCE OF SEQUENCE {
284-- 	addr-type[0]		krb5int32,
285--	address[1]		OCTET STRING
286-- }
287
288-- This seems much better.
289HostAddresses ::= SEQUENCE OF HostAddress
290
291
292KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
293
294AuthorizationDataElement ::= SEQUENCE {
295	ad-type[0]		krb5int32,
296	ad-data[1]		OCTET STRING
297}
298
299AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
300
301APOptions ::= BIT STRING {
302	reserved(0),
303	use-session-key(1),
304	mutual-required(2)
305}
306
307TicketFlags ::= BIT STRING {
308	reserved(0),
309	forwardable(1),
310	forwarded(2),
311	proxiable(3),
312	proxy(4),
313	may-postdate(5),
314	postdated(6),
315	invalid(7),
316	renewable(8),
317	initial(9),
318	pre-authent(10),
319	hw-authent(11),
320	transited-policy-checked(12),
321	ok-as-delegate(13),
322	anonymous(14),
323	enc-pa-rep(15)
324}
325
326KDCOptions ::= BIT STRING {
327	reserved(0),
328	forwardable(1),
329	forwarded(2),
330	proxiable(3),
331	proxy(4),
332	allow-postdate(5),
333	postdated(6),
334	renewable(8),
335	request-anonymous(14),
336	canonicalize(15),
337	constrained-delegation(16), -- ms extension
338	disable-transited-check(26),
339	renewable-ok(27),
340	enc-tkt-in-skey(28),
341	renew(30),
342	validate(31)
343}
344
345LR-TYPE ::= INTEGER {
346	LR_NONE(0),		-- no information
347	LR_INITIAL_TGT(1),	-- last initial TGT request
348	LR_INITIAL(2),		-- last initial request
349	LR_ISSUE_USE_TGT(3),	-- time of newest TGT used
350	LR_RENEWAL(4),		-- time of last renewal
351	LR_REQUEST(5),		-- time of last request (of any type)
352	LR_PW_EXPTIME(6),	-- expiration time of password
353	LR_ACCT_EXPTIME(7)	-- expiration time of account
354}
355
356LastReq ::= SEQUENCE OF SEQUENCE {
357	lr-type[0]		LR-TYPE,
358	lr-value[1]		KerberosTime
359}
360
361
362EncryptedData ::= SEQUENCE {
363	etype[0] 		ENCTYPE, -- EncryptionType
364	kvno[1]			krb5uint32 OPTIONAL,
365	cipher[2]		OCTET STRING -- ciphertext
366}
367
368EncryptionKey ::= SEQUENCE {
369	keytype[0]		krb5int32,
370	keyvalue[1]		OCTET STRING
371}
372
373-- encoded Transited field
374TransitedEncoding ::= SEQUENCE {
375	tr-type[0]		krb5int32, -- must be registered
376	contents[1]		OCTET STRING
377}
378
379Ticket ::= [APPLICATION 1] SEQUENCE {
380	tkt-vno[0]		krb5int32,
381	realm[1]		Realm,
382	sname[2]		PrincipalName,
383	enc-part[3]		EncryptedData
384}
385-- Encrypted part of ticket
386EncTicketPart ::= [APPLICATION 3] SEQUENCE {
387	flags[0]		TicketFlags,
388	key[1]			EncryptionKey,
389	crealm[2]		Realm,
390	cname[3]		PrincipalName,
391	transited[4]		TransitedEncoding,
392	authtime[5]		KerberosTime,
393	starttime[6]		KerberosTime OPTIONAL,
394	endtime[7]		KerberosTime,
395	renew-till[8]		KerberosTime OPTIONAL,
396	caddr[9]		HostAddresses OPTIONAL,
397	authorization-data[10]	AuthorizationData OPTIONAL
398}
399
400Checksum ::= SEQUENCE {
401	cksumtype[0]		CKSUMTYPE,
402	checksum[1]		OCTET STRING
403}
404
405Authenticator ::= [APPLICATION 2] SEQUENCE    {
406	authenticator-vno[0]	krb5int32,
407	crealm[1]		Realm,
408	cname[2]		PrincipalName,
409	cksum[3]		Checksum OPTIONAL,
410	cusec[4]		krb5int32,
411	ctime[5]		KerberosTime,
412	subkey[6]		EncryptionKey OPTIONAL,
413	seq-number[7]		krb5uint32 OPTIONAL,
414	authorization-data[8]	AuthorizationData OPTIONAL
415}
416
417PA-DATA ::= SEQUENCE {
418	-- might be encoded AP-REQ
419	padata-type[1]		PADATA-TYPE,
420	padata-value[2]		OCTET STRING
421}
422
423ETYPE-INFO-ENTRY ::= SEQUENCE {
424	etype[0]		ENCTYPE,
425	salt[1]			OCTET STRING OPTIONAL,
426	salttype[2]		krb5int32 OPTIONAL
427}
428
429ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
430
431ETYPE-INFO2-ENTRY ::= SEQUENCE {
432	etype[0]		ENCTYPE,
433	salt[1]			KerberosString OPTIONAL,
434	s2kparams[2]		OCTET STRING OPTIONAL
435}
436
437ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
438
439METHOD-DATA ::= SEQUENCE OF PA-DATA
440
441TypedData ::=   SEQUENCE {
442	data-type[0]		krb5int32,
443	data-value[1]		OCTET STRING OPTIONAL
444}
445
446TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
447
448KDC-REQ-BODY ::= SEQUENCE {
449	kdc-options[0]		KDCOptions,
450	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
451	realm[2]		Realm,	-- Server's realm
452					-- Also client's in AS-REQ
453	sname[3]		PrincipalName OPTIONAL,
454	from[4]			KerberosTime OPTIONAL,
455	till[5]			KerberosTime OPTIONAL,
456	rtime[6]		KerberosTime OPTIONAL,
457	nonce[7]		krb5int32,
458	etype[8]		SEQUENCE OF ENCTYPE, -- EncryptionType,
459					-- in preference order
460	addresses[9]		HostAddresses OPTIONAL,
461	enc-authorization-data[10] EncryptedData OPTIONAL,
462					-- Encrypted AuthorizationData encoding
463	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
464}
465
466KDC-REQ ::= SEQUENCE {
467	pvno[1]			krb5int32,
468	msg-type[2]		MESSAGE-TYPE,
469	padata[3]		METHOD-DATA OPTIONAL,
470	req-body[4]		KDC-REQ-BODY
471}
472
473AS-REQ ::= [APPLICATION 10] KDC-REQ
474TGS-REQ ::= [APPLICATION 12] KDC-REQ
475
476-- padata-type ::= PA-ENC-TIMESTAMP
477-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
478
479PA-ENC-TS-ENC ::= SEQUENCE {
480	patimestamp[0]		KerberosTime, -- client's time
481	pausec[1]		krb5int32 OPTIONAL
482}
483
484-- draft-brezak-win2k-krb-authz-01
485PA-PAC-REQUEST ::= SEQUENCE {
486	include-pac[0]		BOOLEAN -- Indicates whether a PAC
487					-- should be included or not
488}
489
490-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
491PROV-SRV-LOCATION ::= GeneralString
492
493KDC-REP ::= SEQUENCE {
494	pvno[0]			krb5int32,
495	msg-type[1]		MESSAGE-TYPE,
496	padata[2]		METHOD-DATA OPTIONAL,
497	crealm[3]		Realm,
498	cname[4]		PrincipalName,
499	ticket[5]		Ticket,
500	enc-part[6]		EncryptedData
501}
502
503AS-REP ::= [APPLICATION 11] KDC-REP
504TGS-REP ::= [APPLICATION 13] KDC-REP
505
506EncKDCRepPart ::= SEQUENCE {
507	key[0]			EncryptionKey,
508	last-req[1]		LastReq,
509	nonce[2]		krb5int32,
510	key-expiration[3]	KerberosTime OPTIONAL,
511	flags[4]		TicketFlags,
512	authtime[5]		KerberosTime,
513	starttime[6]		KerberosTime OPTIONAL,
514	endtime[7]		KerberosTime,
515	renew-till[8]		KerberosTime OPTIONAL,
516	srealm[9]		Realm,
517	sname[10]		PrincipalName,
518	caddr[11]		HostAddresses OPTIONAL,
519	encrypted-pa-data[12]	METHOD-DATA OPTIONAL
520}
521
522EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
523EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
524
525AP-REQ ::= [APPLICATION 14] SEQUENCE {
526	pvno[0]			krb5int32,
527	msg-type[1]		MESSAGE-TYPE,
528	ap-options[2]		APOptions,
529	ticket[3]		Ticket,
530	authenticator[4]	EncryptedData
531}
532
533AP-REP ::= [APPLICATION 15] SEQUENCE {
534	pvno[0]			krb5int32,
535	msg-type[1]		MESSAGE-TYPE,
536	enc-part[2]		EncryptedData
537}
538
539EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
540	ctime[0]		KerberosTime,
541	cusec[1]		krb5int32,
542	subkey[2]		EncryptionKey OPTIONAL,
543	seq-number[3]		krb5uint32 OPTIONAL
544}
545
546KRB-SAFE-BODY ::= SEQUENCE {
547	user-data[0]		OCTET STRING,
548	timestamp[1]		KerberosTime OPTIONAL,
549	usec[2]			krb5int32 OPTIONAL,
550	seq-number[3]		krb5uint32 OPTIONAL,
551	s-address[4]		HostAddress OPTIONAL,
552	r-address[5]		HostAddress OPTIONAL
553}
554
555KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
556	pvno[0]			krb5int32,
557	msg-type[1]		MESSAGE-TYPE,
558	safe-body[2]		KRB-SAFE-BODY,
559	cksum[3]		Checksum
560}
561
562KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
563	pvno[0]			krb5int32,
564	msg-type[1]		MESSAGE-TYPE,
565	enc-part[3]		EncryptedData
566}
567EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
568	user-data[0]		OCTET STRING,
569	timestamp[1]		KerberosTime OPTIONAL,
570	usec[2]			krb5int32 OPTIONAL,
571	seq-number[3]		krb5uint32 OPTIONAL,
572	s-address[4]		HostAddress OPTIONAL, -- sender's addr
573	r-address[5]		HostAddress OPTIONAL  -- recip's addr
574}
575
576KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
577	pvno[0]			krb5int32,
578	msg-type[1]		MESSAGE-TYPE, -- KRB_CRED
579	tickets[2]		SEQUENCE OF Ticket,
580	enc-part[3]		EncryptedData
581}
582
583KrbCredInfo ::= SEQUENCE {
584	key[0]			EncryptionKey,
585	prealm[1]		Realm OPTIONAL,
586	pname[2]		PrincipalName OPTIONAL,
587	flags[3]		TicketFlags OPTIONAL,
588	authtime[4]		KerberosTime OPTIONAL,
589	starttime[5]		KerberosTime OPTIONAL,
590	endtime[6] 		KerberosTime OPTIONAL,
591	renew-till[7]		KerberosTime OPTIONAL,
592	srealm[8]		Realm OPTIONAL,
593	sname[9]		PrincipalName OPTIONAL,
594	caddr[10]		HostAddresses OPTIONAL
595}
596
597EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
598	ticket-info[0]		SEQUENCE OF KrbCredInfo,
599	nonce[1]		krb5int32 OPTIONAL,
600	timestamp[2]		KerberosTime OPTIONAL,
601	usec[3]			krb5int32 OPTIONAL,
602	s-address[4]		HostAddress OPTIONAL,
603	r-address[5]		HostAddress OPTIONAL
604}
605
606KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
607	pvno[0]			krb5int32,
608	msg-type[1]		MESSAGE-TYPE,
609	ctime[2]		KerberosTime OPTIONAL,
610	cusec[3]		krb5int32 OPTIONAL,
611	stime[4]		KerberosTime,
612	susec[5]		krb5int32,
613	error-code[6]		krb5int32,
614	crealm[7]		Realm OPTIONAL,
615	cname[8]		PrincipalName OPTIONAL,
616	realm[9]		Realm, -- Correct realm
617	sname[10]		PrincipalName, -- Correct name
618	e-text[11]		GeneralString OPTIONAL,
619	e-data[12]		OCTET STRING OPTIONAL
620}
621
622ChangePasswdDataMS ::= SEQUENCE {
623	newpasswd[0]		OCTET STRING,
624	targname[1]		PrincipalName OPTIONAL,
625	targrealm[2]		Realm OPTIONAL
626}
627
628EtypeList ::= SEQUENCE OF ENCTYPE
629	-- the client's proposed enctype list in
630	-- decreasing preference order, favorite choice first
631
632krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
633
634-- transited encodings
635
636DOMAIN-X500-COMPRESS	krb5int32 ::= 1
637
638-- authorization data primitives
639
640AD-IF-RELEVANT ::= AuthorizationData
641
642AD-KDCIssued ::= SEQUENCE {
643	ad-checksum[0]		Checksum,
644	i-realm[1]		Realm OPTIONAL,
645	i-sname[2]		PrincipalName OPTIONAL,
646	elements[3]		AuthorizationData
647}
648
649AD-AND-OR ::= SEQUENCE {
650	condition-count[0]	INTEGER,
651	elements[1]		AuthorizationData
652}
653
654AD-MANDATORY-FOR-KDC ::= AuthorizationData
655
656-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
657
658PA-SAM-TYPE ::= INTEGER {
659	PA_SAM_TYPE_ENIGMA(1),		-- Enigma Logic
660	PA_SAM_TYPE_DIGI_PATH(2),	-- Digital Pathways
661	PA_SAM_TYPE_SKEY_K0(3),		-- S/key where  KDC has key 0
662	PA_SAM_TYPE_SKEY(4),		-- Traditional S/Key
663	PA_SAM_TYPE_SECURID(5),		-- Security Dynamics
664	PA_SAM_TYPE_CRYPTOCARD(6)	-- CRYPTOCard
665}
666
667PA-SAM-REDIRECT ::= HostAddresses
668
669SAMFlags ::= BIT STRING {
670	use-sad-as-key(0),
671	send-encrypted-sad(1),
672	must-pk-encrypt-sad(2)
673}
674
675PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
676	sam-type[0]		krb5int32,
677	sam-flags[1]		SAMFlags,
678	sam-type-name[2]	GeneralString OPTIONAL,
679	sam-track-id[3]		GeneralString OPTIONAL,
680	sam-challenge-label[4]	GeneralString OPTIONAL,
681	sam-challenge[5]	GeneralString OPTIONAL,
682	sam-response-prompt[6]	GeneralString OPTIONAL,
683	sam-pk-for-sad[7]	EncryptionKey OPTIONAL,
684	sam-nonce[8]		krb5int32,
685	sam-etype[9]		krb5int32,
686	...
687}
688
689PA-SAM-CHALLENGE-2 ::= SEQUENCE {
690	sam-body[0]		PA-SAM-CHALLENGE-2-BODY,
691	sam-cksum[1]		SEQUENCE OF Checksum, -- (1..MAX)
692	...
693}
694
695PA-SAM-RESPONSE-2 ::= SEQUENCE {
696	sam-type[0]		krb5int32,
697	sam-flags[1]		SAMFlags,
698	sam-track-id[2]		GeneralString OPTIONAL,
699	sam-enc-nonce-or-sad[3]	EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
700	sam-nonce[4]		krb5int32,
701	...
702}
703
704PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
705	sam-nonce[0]		krb5int32,
706	sam-sad[1]		GeneralString OPTIONAL,
707	...
708}
709
710PA-S4U2Self ::= SEQUENCE {
711	name[0]		PrincipalName,
712        realm[1]	Realm,
713        cksum[2]	Checksum,
714        auth[3]		GeneralString
715}
716
717-- never encoded on the wire, just used to checksum over
718KRB5SignedPathData ::= SEQUENCE {
719	client[0]	Principal OPTIONAL,
720	authtime[1]	KerberosTime,
721	delegated[2]	Principals OPTIONAL,
722	method_data[3]  METHOD-DATA OPTIONAL
723}
724
725KRB5SignedPath ::= SEQUENCE {
726	-- DERcoded KRB5SignedPathData
727	-- krbtgt key (etype), KeyUsage = XXX
728	etype[0]	ENCTYPE,
729	cksum[1]	Checksum,
730	-- srvs delegated though
731	delegated[2]	Principals OPTIONAL,
732	method_data[3]  METHOD-DATA OPTIONAL
733}
734
735PA-ClientCanonicalizedNames ::= SEQUENCE{
736	requested-name	[0] PrincipalName,
737	mapped-name	[1] PrincipalName
738}
739
740PA-ClientCanonicalized ::= SEQUENCE {
741	names		[0] PA-ClientCanonicalizedNames,
742	canon-checksum	[1] Checksum
743}
744
745AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
746	login-alias	[0] PrincipalName,
747	checksum	[1] Checksum
748}
749
750-- old ms referral
751PA-SvrReferralData ::= SEQUENCE {
752	referred-name   [1] PrincipalName OPTIONAL,
753	referred-realm  [0] Realm
754}
755
756PA-SERVER-REFERRAL-DATA ::= EncryptedData
757
758PA-ServerReferralData ::= SEQUENCE {
759	referred-realm		[0] Realm OPTIONAL,
760	true-principal-name	[1] PrincipalName OPTIONAL,
761	requested-principal-name [2] PrincipalName OPTIONAL,
762	referral-valid-until     [3] KerberosTime OPTIONAL,
763	...
764}
765
766FastOptions ::= BIT STRING {
767	    reserved(0),
768	    hide-client-names(1),
769	    kdc-follow--referrals(16)
770}
771
772KrbFastReq ::= SEQUENCE {
773	fast-options [0] FastOptions,
774	padata       [1] SEQUENCE OF PA-DATA,
775	req-body     [2] KDC-REQ-BODY,
776	...
777}
778
779KrbFastArmor ::= SEQUENCE {
780	armor-type   [0] krb5int32,
781	armor-value  [1] OCTET STRING,
782        ...
783}
784
785KrbFastArmoredReq ::= SEQUENCE {
786	armor        [0] KrbFastArmor OPTIONAL,
787	req-checksum [1] Checksum,
788	enc-fast-req [2] EncryptedData -- KrbFastReq --
789}
790
791PA-FX-FAST-REQUEST ::= CHOICE {
792	armored-data [0] KrbFastArmoredReq,
793	...
794}
795
796KrbFastFinished ::= SEQUENCE {
797	timestamp   [0] KerberosTime,
798	usec        [1] krb5int32,
799	crealm      [2] Realm,
800	cname       [3] PrincipalName,
801	checksum    [4] Checksum,
802	ticket-checksum [5] Checksum,
803	...
804}
805
806KrbFastResponse ::= SEQUENCE {
807	padata      [0] SEQUENCE OF PA-DATA,
808	rep-key     [1] EncryptionKey OPTIONAL,
809	finished    [2] KrbFastFinished OPTIONAL,
810	...
811}
812
813KrbFastArmoredRep ::= SEQUENCE {
814	enc-fast-rep      [0] EncryptedData, -- KrbFastResponse --
815	...
816}
817
818PA-FX-FAST-REPLY ::= CHOICE {
819	armored-data [0] KrbFastArmoredRep,
820	...
821}
822
823END
824
825-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
826