xref: /freebsd/crypto/heimdal/lib/asn1/pkinit.asn1 (revision dda5b39711dab90ae1c5624bdd6ff7453177df31)
1-- $Id$ --
2
3PKINIT DEFINITIONS ::= BEGIN
4
5IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
6	IssuerAndSerialNumber, ContentInfo FROM cms
7	SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
8	heim_any FROM heim;
9
10id-pkinit OBJECT IDENTIFIER ::=
11  { iso (1) org (3) dod (6) internet (1) security (5)
12    kerberosv5 (2) pkinit (3) }
13
14id-pkauthdata  OBJECT IDENTIFIER  ::= { id-pkinit 1 }
15id-pkdhkeydata OBJECT IDENTIFIER  ::= { id-pkinit 2 }
16id-pkrkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 3 }
17id-pkekuoid    OBJECT IDENTIFIER  ::= { id-pkinit 4 }
18id-pkkdcekuoid OBJECT IDENTIFIER  ::= { id-pkinit 5 }
19
20id-pkinit-kdf OBJECT IDENTIFIER           ::= { id-pkinit 6 }
21id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER   ::= { id-pkinit-kdf 1 }
22id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
23id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }
24
25id-pkinit-san	OBJECT IDENTIFIER ::=
26  { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
27    x509-sanan(2) }
28
29id-pkinit-ms-eku OBJECT IDENTIFIER ::=
30  { iso(1) org(3) dod(6) internet(1) private(4)
31    enterprise(1) microsoft(311) 20 2 2 }
32
33id-pkinit-ms-san OBJECT IDENTIFIER ::=
34  { iso(1) org(3) dod(6) internet(1) private(4)
35    enterprise(1) microsoft(311) 20 2 3 }
36
37MS-UPN-SAN ::= UTF8String
38
39pa-pk-as-req INTEGER ::=                  16
40pa-pk-as-rep INTEGER ::=                  17
41
42td-trusted-certifiers INTEGER ::=        104
43td-invalid-certificates INTEGER ::=      105
44td-dh-parameters INTEGER ::=             109
45
46DHNonce ::= OCTET STRING
47
48KDFAlgorithmId ::= SEQUENCE {
49       kdf-id            [0] OBJECT IDENTIFIER,
50       ...
51}
52
53TrustedCA ::= SEQUENCE {
54	caName                  [0] IMPLICIT OCTET STRING,
55	certificateSerialNumber [1] INTEGER OPTIONAL,
56	subjectKeyIdentifier    [2] OCTET STRING OPTIONAL,
57	...
58}
59
60ExternalPrincipalIdentifier ::= SEQUENCE {
61	subjectName		[0] IMPLICIT OCTET STRING OPTIONAL,
62	issuerAndSerialNumber	[1] IMPLICIT OCTET STRING OPTIONAL,
63	subjectKeyIdentifier	[2] IMPLICIT OCTET STRING OPTIONAL,
64	...
65}
66
67ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier
68
69PA-PK-AS-REQ ::= SEQUENCE {
70        signedAuthPack          [0] IMPLICIT OCTET STRING,
71        trustedCertifiers       [1] ExternalPrincipalIdentifiers OPTIONAL,
72	kdcPkId                 [2] IMPLICIT OCTET STRING OPTIONAL,
73	...
74}
75
76PKAuthenticator ::= SEQUENCE {
77	cusec                   [0] INTEGER -- (0..999999) --,
78	ctime                   [1] KerberosTime,
79	nonce                   [2] INTEGER (0..4294967295),
80	paChecksum              [3] OCTET STRING OPTIONAL,
81	...
82}
83
84AuthPack ::= SEQUENCE {
85	pkAuthenticator         [0] PKAuthenticator,
86	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL,
87	supportedCMSTypes       [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
88	clientDHNonce           [3] DHNonce OPTIONAL,
89	...,
90	supportedKDFs		[4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
91	...
92}
93
94TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
95TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers
96
97KRB5PrincipalName ::= SEQUENCE {
98	realm                   [0] Realm,
99	principalName           [1] PrincipalName
100}
101
102AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier
103
104DHRepInfo ::= SEQUENCE {
105	dhSignedData            [0] IMPLICIT OCTET STRING,
106	serverDHNonce           [1] DHNonce OPTIONAL,
107	...,
108	kdf			[2] KDFAlgorithmId OPTIONAL,
109	...
110}
111
112PA-PK-AS-REP ::= CHOICE {
113	dhInfo                  [0] DHRepInfo,
114	encKeyPack              [1] IMPLICIT OCTET STRING,
115	...
116}
117
118KDCDHKeyInfo ::= SEQUENCE {
119	subjectPublicKey        [0] BIT STRING,
120	nonce                   [1] INTEGER (0..4294967295),
121	dhKeyExpiration         [2] KerberosTime OPTIONAL,
122	...
123}
124
125ReplyKeyPack ::= SEQUENCE {
126	replyKey                [0] EncryptionKey,
127	asChecksum		[1] Checksum,
128	...
129}
130
131TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
132
133
134-- Windows compat glue --
135
136PKAuthenticator-Win2k ::= SEQUENCE {
137	kdcName			[0] PrincipalName,
138	kdcRealm		[1] Realm,
139	cusec			[2] INTEGER (0..4294967295),
140	ctime			[3] KerberosTime,
141	nonce                   [4] INTEGER (-2147483648..2147483647)
142}
143
144AuthPack-Win2k ::= SEQUENCE {
145	pkAuthenticator         [0] PKAuthenticator-Win2k,
146	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
147}
148
149
150TrustedCA-Win2k ::= CHOICE {
151	caName                  [1] heim_any,
152	issuerAndSerial         [2] IssuerAndSerialNumber
153}
154
155PA-PK-AS-REQ-Win2k ::= SEQUENCE {
156	signed-auth-pack	[0] IMPLICIT OCTET STRING,
157	trusted-certifiers	[2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
158	kdc-cert		[3] IMPLICIT OCTET STRING OPTIONAL,
159	encryption-cert		[4] IMPLICIT OCTET STRING OPTIONAL
160}
161
162PA-PK-AS-REP-Win2k ::= CHOICE {
163	dhSignedData		[0] IMPLICIT OCTET STRING,
164	encKeyPack		[1] IMPLICIT OCTET STRING
165}
166
167KDCDHKeyInfo-Win2k ::= SEQUENCE {
168	nonce			[0] INTEGER (-2147483648..2147483647),
169	subjectPublicKey	[2] BIT STRING
170}
171
172ReplyKeyPack-Win2k ::= SEQUENCE {
173        replyKey                [0] EncryptionKey,
174        nonce                   [1] INTEGER (-2147483648..2147483647),
175	...
176}
177
178PA-PK-AS-REP-BTMM ::= SEQUENCE {
179	dhSignedData		[0] heim_any OPTIONAL,
180	encKeyPack		[1] heim_any OPTIONAL
181}
182
183
184PkinitSP80056AOtherInfo ::= SEQUENCE {
185	algorithmID   AlgorithmIdentifier,
186	partyUInfo     [0] OCTET STRING,
187	partyVInfo     [1] OCTET STRING,
188	suppPubInfo    [2] OCTET STRING OPTIONAL,
189	suppPrivInfo   [3] OCTET STRING OPTIONAL
190}
191
192PkinitSuppPubInfo ::= SEQUENCE {
193       enctype           [0] INTEGER (-2147483648..2147483647),
194       as-REQ            [1] OCTET STRING,
195       pk-as-rep         [2] OCTET STRING,
196       ticket            [3] Ticket,
197       ...
198}
199
200END
201