-- ASN.1 module for the PKINIT algorithm-agility extension (the successor
-- work to RFC 4556, published as RFC 8636).  It defines the typed-data
-- bodies a KDC uses to report acceptable digest algorithms, the KDF input
-- structures, and extended forms of AuthPack / DHRepInfo that carry a KDF
-- negotiation.  The module uses EXPLICIT TAGS by default; the one IMPLICIT
-- tag below is deliberate (see DHRepInfo2).
KerberosV5-PK-INIT-Agility-SPEC {
    iso(1) identified-organization(3) dod(6) internet(1)
    security(5) kerberosV5(2) modules(4) pkinit(5) agility (1)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN

IMPORTS
    AlgorithmIdentifier, SubjectPublicKeyInfo
        FROM PKIX1Explicit88 { iso (1)
            identified-organization (3) dod (6) internet (1)
            security (5) mechanisms (5) pkix (7) id-mod (0)
            id-pkix1-explicit (18) }
        -- As defined in RFC 3280.

    -- NOTE(review): of these, only Int32 is referenced by a type in this
    -- module; Ticket, Realm, EncryptionKey and Checksum are imported but
    -- unused here (harmless, but some compilers warn about it).
    Ticket, Int32, Realm, EncryptionKey, Checksum
        FROM KerberosV5Spec2 { iso(1) identified-organization(3)
            dod(6) internet(1) security(5) kerberosV5(2)
            modules(4) krb5spec2(2) }
        -- as defined in RFC 4120.

    PKAuthenticator, DHNonce
        FROM KerberosV5-PK-INIT-SPEC {
            iso(1) identified-organization(3) dod(6) internet(1)
            security(5) kerberosV5(2) modules(4) pkinit(5) };
        -- as defined in RFC 4556.

-- Body of the typed-data element (TD- prefix) by which the KDC tells the
-- client which CMS digest algorithms it will accept.  The order is the
-- KDC's preference, strongest-preferred first, so the KDC's policy is
-- expressed entirely by what it chooses to list here.
-- NOTE(review): the typed-data type number that carries this body is
-- defined in the PKINIT agility specification, not in this module.
TD-CMS-DIGEST-ALGORITHMS-DATA ::= SEQUENCE OF
    AlgorithmIdentifier
    -- Contains the list of CMS algorithm [RFC3852]
    -- identifiers that identify the digest algorithms
    -- acceptable by the KDC for signing CMS data in
    -- the order of decreasing preference.

-- Body of the typed-data element by which the KDC reports that the digest
-- algorithm used to sign the client's X.509 certificate is not acceptable,
-- together with the algorithms it would accept.  The SEQUENCE is
-- extensible, so decoders must tolerate additional components.
TD-CERT-DIGEST-ALGORITHMS-DATA ::= SEQUENCE {
    allowedAlgorithms [0] SEQUENCE OF AlgorithmIdentifier,
    -- Contains the list of CMS algorithm [RFC3852]
    -- identifiers that identify the digest algorithms
    -- that are used by the CA to sign the client's
    -- X.509 certificate and acceptable by the KDC in
    -- the process of validating the client's X.509
    -- certificate, in the order of decreasing
    -- preference.
    rejectedAlgorithm [1] AlgorithmIdentifier OPTIONAL,
    -- This identifies the digest algorithm that was
    -- used to sign the client's X.509 certificate and
    -- has been rejected by the KDC in the process of
    -- validating the client's X.509 certificate
    -- [RFC3280].
    ...
}

-- Input structure for the key-derivation function that produces the AS
-- reply key from the Diffie-Hellman shared secret.
-- NOTE(review): the field layout matches the OtherInfo input of the NIST
-- SP 800-56A concatenation KDF; how each field is populated (which party
-- is U/V, what goes in suppPubInfo) is specified in the PKINIT agility
-- text, not here -- confirm against that text before relying on it.
OtherInfo ::= SEQUENCE {
    algorithmID AlgorithmIdentifier,
    partyUInfo [0] OCTET STRING,
    partyVInfo [1] OCTET STRING,
    suppPubInfo [2] OCTET STRING OPTIONAL,
    suppPrivInfo [3] OCTET STRING OPTIONAL
}

-- Supplementary public information fed into the KDF.  Because the full
-- AS-REQ and the PA-PK-AS-REP are part of the derivation input, the
-- resulting reply key is tied to this particular request/reply pair and
-- to the negotiated enctype; a reply key cannot be reused across exchanges
-- whose messages differ.
-- NOTE(review): presumably DER-encoded and carried in OtherInfo.suppPubInfo;
-- confirm against the specification.
PkinitSuppPubInfo ::= SEQUENCE {
    enctype [0] Int32,
    -- The enctype of the AS reply key.
    as-REQ [1] OCTET STRING,
    -- This contains the AS-REQ in the request.
    pk-as-rep [2] OCTET STRING,
    -- Contains the DER encoding of the type
    -- PA-PK-AS-REP [RFC4556] in the KDC reply.
    ...
}

-- Renamed from AuthPack to allow asn1c to process this and pkinit.asn1
-- Same encoding as RFC 4556 AuthPack with one extension addition.  The
-- supportedKDFs component sits between the two extension markers, so it
-- is an ASN.1 extension addition: a decoder built from the RFC 4556
-- definition should skip it as an unknown extension rather than fail,
-- which is what lets new clients talk to KDCs that predate KDF
-- negotiation.  A KDC that sees no supportedKDFs must fall back to the
-- pre-agility key derivation.
AuthPack2 ::= SEQUENCE {
    pkAuthenticator [0] PKAuthenticator,
    clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
    supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
                          OPTIONAL,
    clientDHNonce [3] DHNonce OPTIONAL,
    ...,
    supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
    -- Contains an unordered set of KDFs supported by the
    -- client.
    ...
}

-- Identifies one key-derivation function by object identifier.  The OID
-- values themselves are assigned in the PKINIT agility specification; this
-- module only defines the carrier.  Extensible, so parameters may be added
-- later without changing the tag layout.
KDFAlgorithmId ::= SEQUENCE {
    kdf-id [0] OBJECT IDENTIFIER,
    -- The object identifier of the KDF
    ...
}

-- Renamed from DHRepInfo to allow asn1c to process this and pkinit.asn1
-- Same encoding as RFC 4556 DHRepInfo plus the KDC's KDF selection as an
-- extension addition.  dhSignedData is explicitly IMPLICIT because the
-- module default is EXPLICIT TAGS; the override keeps the wire encoding
-- compatible with the RFC 4556 definition of this field.
-- NOTE(review): the kdf chosen by the KDC is expected to be one of the
-- client's supportedKDFs; the check that it is belongs in the client
-- implementation, since nothing in the schema enforces it.
DHRepInfo2 ::= SEQUENCE {
    dhSignedData [0] IMPLICIT OCTET STRING,
    serverDHNonce [1] DHNonce OPTIONAL,
    ...,
    kdf [2] KDFAlgorithmId OPTIONAL,
    -- The KDF picked by the KDC.
    ...
}
END