KerberosV5Spec2 {
        iso(1) identified-organization(3) dod(6) internet(1)
        security(5) kerberosV5(2) modules(4) krb5spec2(2)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN

-- OID arc for KerberosV5
--
-- This OID may be used to identify Kerberos protocol messages
-- encapsulated in other protocols.
--
-- This OID also designates the OID arc for KerberosV5-related OIDs.
--
-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
id-krb5         OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) dod(6) internet(1)
        security(5) kerberosV5(2)
}

Int32           ::= INTEGER (-2147483648..2147483647)
                    -- signed values representable in 32 bits

UInt32          ::= INTEGER (0..4294967295)
                    -- unsigned 32 bit values

Microseconds    ::= INTEGER (0..999999)
                    -- microseconds

KerberosString  ::= GeneralString -- (IA5String)

Realm           ::= KerberosString

PrincipalName   ::= SEQUENCE {
        name-type       [0] Int32,
        name-string     [1] SEQUENCE OF KerberosString
}

KerberosTime    ::= GeneralizedTime -- with no fractional seconds

HostAddress     ::= SEQUENCE {
        addr-type       [0] Int32,
        address         [1] OCTET STRING
}

-- NOTE: HostAddresses is always used as an OPTIONAL field and
-- should not be empty.
HostAddresses   -- NOTE: subtly different from rfc1510,
                -- but has a value mapping and encodes the same
        ::= SEQUENCE OF HostAddress

-- NOTE: AuthorizationData is always used as an OPTIONAL field and
-- should not be empty.
AuthorizationData       ::= SEQUENCE OF SEQUENCE {
        ad-type         [0] Int32,
        ad-data         [1] OCTET STRING
}

PA-DATA         ::= SEQUENCE {
        -- NOTE: first tag is [1], not [0]
        padata-type     [1] Int32,
        padata-value    [2] OCTET STRING -- might be encoded AP-REQ
}

KerberosFlags   ::= BIT STRING (SIZE (32..MAX))
                    -- minimum number of bits shall be sent,
                    -- but no fewer than 32

EncryptedData   ::= SEQUENCE {
        etype   [0] Int32 -- EncryptionType --,
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptionKey   ::= SEQUENCE {
        keytype         [0] Int32 -- actually encryption type --,
        keyvalue        [1] OCTET STRING
}

Checksum        ::= SEQUENCE {
        cksumtype       [0] Int32,
        checksum        [1] OCTET STRING
}

Ticket          ::= [APPLICATION 1] SEQUENCE {
        tkt-vno         [0] INTEGER (5),
        realm           [1] Realm,
        sname           [2] PrincipalName,
        enc-part        [3] EncryptedData -- EncTicketPart
}

-- Encrypted part of ticket
EncTicketPart   ::= [APPLICATION 3] SEQUENCE {
        flags                   [0] TicketFlags,
        key                     [1] EncryptionKey,
        crealm                  [2] Realm,
        cname                   [3] PrincipalName,
        transited               [4] TransitedEncoding,
        authtime                [5] KerberosTime,
        starttime               [6] KerberosTime OPTIONAL,
        endtime                 [7] KerberosTime,
        renew-till              [8] KerberosTime OPTIONAL,
        caddr                   [9] HostAddresses OPTIONAL,
        authorization-data      [10] AuthorizationData OPTIONAL
}

-- encoded Transited field
TransitedEncoding       ::= SEQUENCE {
        tr-type         [0] Int32 -- must be registered --,
        contents        [1] OCTET STRING
}

TicketFlags     ::= KerberosFlags
        -- reserved(0),
        -- forwardable(1),
        -- forwarded(2),
        -- proxiable(3),
        -- proxy(4),
        -- may-postdate(5),
        -- postdated(6),
        -- invalid(7),
        -- renewable(8),
        -- initial(9),
        -- pre-authent(10),
        -- hw-authent(11),
-- the following are new since 1510
        -- transited-policy-checked(12),
        -- ok-as-delegate(13)

AS-REQ          ::= [APPLICATION 10] KDC-REQ

TGS-REQ         ::= [APPLICATION 12] KDC-REQ

KDC-REQ         ::= SEQUENCE {
        -- NOTE: first tag is [1], not [0]
        pvno            [1] INTEGER (5) ,
        msg-type        [2] INTEGER (10 -- AS -- | 12 -- TGS --),
        padata          [3] SEQUENCE OF PA-DATA OPTIONAL
                            -- NOTE: not empty --,
        req-body        [4] KDC-REQ-BODY
}

KDC-REQ-BODY    ::= SEQUENCE {
        kdc-options             [0] KDCOptions,
        cname                   [1] PrincipalName OPTIONAL
                                    -- Used only in AS-REQ --,
        realm                   [2] Realm
                                    -- Server's realm
                                    -- Also client's in AS-REQ --,
        sname                   [3] PrincipalName OPTIONAL,
        from                    [4] KerberosTime OPTIONAL,
        till                    [5] KerberosTime,
        rtime                   [6] KerberosTime OPTIONAL,
        nonce                   [7] UInt32,
        etype                   [8] SEQUENCE OF Int32 -- EncryptionType
                                    -- in preference order --,
        addresses               [9] HostAddresses OPTIONAL,
        enc-authorization-data  [10] EncryptedData OPTIONAL
                                    -- AuthorizationData --,
        additional-tickets      [11] SEQUENCE OF Ticket OPTIONAL
                                        -- NOTE: not empty
}

KDCOptions      ::= KerberosFlags
        -- reserved(0),
        -- forwardable(1),
        -- forwarded(2),
        -- proxiable(3),
        -- proxy(4),
        -- allow-postdate(5),
        -- postdated(6),
        -- unused7(7),
        -- renewable(8),
        -- unused9(9),
        -- unused10(10),
        -- opt-hardware-auth(11),
        -- unused12(12),
        -- unused13(13),
-- 15 is reserved for canonicalize
        -- unused15(15),
-- 26 was unused in 1510
        -- disable-transited-check(26),
--
        -- renewable-ok(27),
        -- enc-tkt-in-skey(28),
        -- renew(30),
        -- validate(31)

AS-REP          ::= [APPLICATION 11] KDC-REP

TGS-REP         ::= [APPLICATION 13] KDC-REP

KDC-REP         ::= SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (11 -- AS -- | 13 -- TGS --),
        padata          [2] SEQUENCE OF PA-DATA OPTIONAL
                                -- NOTE: not empty --,
        crealm          [3] Realm,
        cname           [4] PrincipalName,
        ticket          [5] Ticket,
        enc-part        [6] EncryptedData
                                -- EncASRepPart or EncTGSRepPart,
                                -- as appropriate
}

EncASRepPart    ::= [APPLICATION 25] EncKDCRepPart

EncTGSRepPart   ::= [APPLICATION 26] EncKDCRepPart

EncKDCRepPart   ::= SEQUENCE {
        key             [0] EncryptionKey,
        last-req        [1] LastReq,
        nonce           [2] UInt32,
        key-expiration  [3] KerberosTime OPTIONAL,
        flags           [4] TicketFlags,
        authtime        [5] KerberosTime,
        starttime       [6] KerberosTime OPTIONAL,
        endtime         [7] KerberosTime,
        renew-till      [8] KerberosTime OPTIONAL,
        srealm          [9] Realm,
        sname           [10] PrincipalName,
        caddr           [11] HostAddresses OPTIONAL
}

LastReq         ::=     SEQUENCE OF SEQUENCE {
        lr-type         [0] Int32,
        lr-value        [1] KerberosTime
}

AP-REQ          ::= [APPLICATION 14] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (14),
        ap-options      [2] APOptions,
        ticket          [3] Ticket,
        authenticator   [4] EncryptedData -- Authenticator
}

APOptions       ::= KerberosFlags
        -- reserved(0),
        -- use-session-key(1),
        -- mutual-required(2)

-- Unencrypted authenticator
Authenticator   ::= [APPLICATION 2] SEQUENCE  {
        authenticator-vno       [0] INTEGER (5),
        crealm                  [1] Realm,
        cname                   [2] PrincipalName,
        cksum                   [3] Checksum OPTIONAL,
        cusec                   [4] Microseconds,
        ctime                   [5] KerberosTime,
        subkey                  [6] EncryptionKey OPTIONAL,
        seq-number              [7] UInt32 OPTIONAL,
        authorization-data      [8] AuthorizationData OPTIONAL
}

AP-REP          ::= [APPLICATION 15] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (15),
        enc-part        [2] EncryptedData -- EncAPRepPart
}

EncAPRepPart    ::= [APPLICATION 27] SEQUENCE {
        ctime           [0] KerberosTime,
        cusec           [1] Microseconds,
        subkey          [2] EncryptionKey OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL
}

KRB-SAFE        ::= [APPLICATION 20] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (20),
        safe-body       [2] KRB-SAFE-BODY,
        cksum           [3] Checksum
}

KRB-SAFE-BODY   ::= SEQUENCE {
        user-data       [0] OCTET STRING,
        timestamp       [1] KerberosTime OPTIONAL,
        usec            [2] Microseconds OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL,
        s-address       [4] HostAddress,
        r-address       [5] HostAddress OPTIONAL
}

KRB-PRIV        ::= [APPLICATION 21] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (21),
                        -- NOTE: there is no [2] tag
        enc-part        [3] EncryptedData -- EncKrbPrivPart
}

EncKrbPrivPart  ::= [APPLICATION 28] SEQUENCE {
        user-data       [0] OCTET STRING,
        timestamp       [1] KerberosTime OPTIONAL,
        usec            [2] Microseconds OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL,
        s-address       [4] HostAddress -- sender's addr --,
        r-address       [5] HostAddress OPTIONAL -- recip's addr
}

KRB-CRED        ::= [APPLICATION 22] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (22),
        tickets         [2] SEQUENCE OF Ticket,
        enc-part        [3] EncryptedData -- EncKrbCredPart
}

EncKrbCredPart  ::= [APPLICATION 29] SEQUENCE {
        ticket-info     [0] SEQUENCE OF KrbCredInfo,
        nonce           [1] UInt32 OPTIONAL,
        timestamp       [2] KerberosTime OPTIONAL,
        usec            [3] Microseconds OPTIONAL,
        s-address       [4] HostAddress OPTIONAL,
        r-address       [5] HostAddress OPTIONAL
}

KrbCredInfo     ::= SEQUENCE {
        key             [0] EncryptionKey,
        prealm          [1] Realm OPTIONAL,
        pname           [2] PrincipalName OPTIONAL,
        flags           [3] TicketFlags OPTIONAL,
        authtime        [4] KerberosTime OPTIONAL,
        starttime       [5] KerberosTime OPTIONAL,
        endtime         [6] KerberosTime OPTIONAL,
        renew-till      [7] KerberosTime OPTIONAL,
        srealm          [8] Realm OPTIONAL,
        sname           [9] PrincipalName OPTIONAL,
        caddr           [10] HostAddresses OPTIONAL
}

KRB-ERROR       ::= [APPLICATION 30] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (30),
        ctime           [2] KerberosTime OPTIONAL,
        cusec           [3] Microseconds OPTIONAL,
        stime           [4] KerberosTime,
        susec           [5] Microseconds,
        error-code      [6] Int32,
        crealm          [7] Realm OPTIONAL,
        cname           [8] PrincipalName OPTIONAL,
        realm           [9] Realm -- service realm --,
        sname           [10] PrincipalName -- service name --,
        e-text          [11] KerberosString OPTIONAL,
        e-data          [12] OCTET STRING OPTIONAL
}

METHOD-DATA     ::= SEQUENCE OF PA-DATA

TYPED-DATA      ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
        data-type       [0] Int32,
        data-value      [1] OCTET STRING OPTIONAL
}

-- preauth stuff follows

PA-ENC-TIMESTAMP        ::= EncryptedData -- PA-ENC-TS-ENC

PA-ENC-TS-ENC           ::= SEQUENCE {
        patimestamp     [0] KerberosTime -- client's time --,
        pausec          [1] Microseconds OPTIONAL
}

ETYPE-INFO-ENTRY        ::= SEQUENCE {
        etype           [0] Int32,
        salt            [1] OCTET STRING OPTIONAL
}

ETYPE-INFO              ::= SEQUENCE OF ETYPE-INFO-ENTRY

ETYPE-INFO2-ENTRY       ::= SEQUENCE {
        etype           [0] Int32,
        salt            [1] KerberosString OPTIONAL,
        s2kparams       [2] OCTET STRING OPTIONAL
}

ETYPE-INFO2             ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

AD-IF-RELEVANT          ::= AuthorizationData

AD-KDCIssued            ::= SEQUENCE {
        ad-checksum     [0] Checksum,
        i-realm         [1] Realm OPTIONAL,
        i-sname         [2] PrincipalName OPTIONAL,
        elements        [3] AuthorizationData
}

AD-AND-OR               ::= SEQUENCE {
        condition-count [0] Int32,
        elements        [1] AuthorizationData
}

AD-MANDATORY-FOR-KDC    ::= AuthorizationData

END