STEP04 add KERB-AD-RESTRICTION-ENTRY
1 -- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz
2 -- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $
3 -- Commented out stuff already in KerberosV5Spec2.asn
4 KERBEROS5 DEFINITIONS ::=
5 BEGIN
6
-- Principal name types (PrincipalName.name-type). The non-negative values
-- follow RFC 4120 s7.5.8 and the IANA Kerberos name-type registry; the
-- negative values are Microsoft or Heimdal-private allocations, see the
-- per-line notes.
NAME-TYPE ::= INTEGER {
        kRB5-NT-UNKNOWN(0),     -- Name type not known
        kRB5-NT-PRINCIPAL(1),   -- Just the name of the principal as in DCE, or for users
        kRB5-NT-SRV-INST(2),    -- Service and other unique instance (krbtgt)
        kRB5-NT-SRV-HST(3),     -- Service with host name as instance
        kRB5-NT-SRV-XHST(4),    -- Service with host as remaining components
        kRB5-NT-UID(5),         -- Unique ID
        kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
        kRB5-NT-SMTP-NAME(7),   -- Name in form of SMTP email name
        kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
        kRB5-NT-WELLKNOWN(11),  -- Well-known name (RFC 6111)
        kRB5-NT-SRV-HST-DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
        kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
        kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
        kRB5-NT-MS-PRINCIPAL-AND-ID(-129), -- NT style name and SID
        kRB5-NT-NTLM(-1200), -- NTLM name, realm is domain
        kRB5-NT-X509-GENERAL-NAME(-1201), -- x509 general name (base64 encoded)
        kRB5-NT-GSS-HOSTBASED-SERVICE(-1202), -- not used; remove
        kRB5-NT-CACHE-UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
        kRB5-NT-SRV-HST-NEEDS-CANON (-195894762) -- Internal: indicates that name canonicalization is needed
}
28
-- message types
--
-- msg-type values (RFC 4120 s7.5.7): 10..15 are the AS, TGS and AP
-- exchanges, 20..22 the application messages, 30 the error reply.

MESSAGE-TYPE ::= INTEGER {
        krb-as-req(10), -- Request for initial authentication
        krb-as-rep(11), -- Response to KRB_AS_REQ request
        krb-tgs-req(12), -- Request for authentication based on TGT
        krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
        krb-ap-req(14), -- application request to server
        krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
        krb-safe(20), -- Safe (checksummed) application message
        krb-priv(21), -- Private (encrypted) application message
        krb-cred(22), -- Private (encrypted) message to forward credentials
        krb-error(30) -- Error response
}
43
44
-- pa-data types
--
-- padata-type values (RFC 4120 s7.5.2 plus the IANA pre-authentication
-- registry). tD-* entries are TypedData types that share the number space.
-- Two numbers appear twice because the registry assigned two names to
-- each: 20 (pA-USE-SPECIFIED-KVNO / pA-SVR-REFERRAL-INFO) and
-- 22 (pA-GET-FROM-TYPED-DATA / tD-PADATA). They are kept as in the Heimdal
-- source; a strict ASN.1 compiler may reject duplicate numbers, and a
-- value-to-name table built from this list presumably reports the first.


PADATA-TYPE ::= INTEGER {
        pA-NONE(0),
        pA-TGS-REQ(1),                  -- [RFC4120]
        pA-ENC-TIMESTAMP(2),            -- [RFC4120]
        pA-PW-SALT(3),                  -- [RFC4120]
        -- [reserved](4), --            -- [RFC6113]
        pA-ENC-UNIX-TIME(5),            -- (deprecated) [RFC4120]
        pA-SANDIA-SECUREID(6),          -- [RFC4120]
        pA-SESAME(7),                   -- [RFC4120]
        pA-OSF-DCE(8),                  -- [RFC4120]
        pA-CYBERSAFE-SECUREID(9),       -- [RFC4120]
        pA-AFS3-SALT(10),               -- [RFC4120] [RFC3961]
        pA-ETYPE-INFO(11),              -- [RFC4120]
        pA-SAM-CHALLENGE(12),           -- [KRB-WG.SAM]
        pA-SAM-RESPONSE(13),            -- [KRB-WG.SAM]
        pA-PK-AS-REQ-OLD(14),           -- [PK-INIT-1999]
        pA-PK-AS-REP-OLD(15),           -- [PK-INIT-1999]
        pA-PK-AS-REQ(16),               -- [RFC4556]
        pA-PK-AS-REP(17),               -- [RFC4556]
        pA-PK-OCSP-RESPONSE(18),        -- [RFC4557]
        pA-ETYPE-INFO2(19),             -- [RFC4120]
        pA-USE-SPECIFIED-KVNO(20),      -- [RFC4120]
        pA-SVR-REFERRAL-INFO(20),       -- [REFERRALS] (same number as above)
        pA-SAM-REDIRECT(21),            -- [KRB-WG.SAM]
        pA-GET-FROM-TYPED-DATA(22),     -- (embedded in typed data) [RFC4120]
        tD-PADATA(22),                  -- (embeds padata) [RFC4120] (same number as above)
        pA-SAM-ETYPE-INFO(23),          -- (sam/otp) [KRB-WG.SAM]
        pA-ALT-PRINC(24),               -- (crawdad@fnal.gov) [HW-AUTH]
        pA-SERVER-REFERRAL(25),         -- [REFERRALS]
        pA-SAM-CHALLENGE2(30),          -- (kenh@pobox.com) [KRB-WG.SAM]
        pA-SAM-RESPONSE2(31),           -- (kenh@pobox.com) [KRB-WG.SAM]
        pA-EXTRA-TGT(41),               -- Reserved extra TGT [RFC6113]
        tD-PKINIT-CMS-CERTIFICATES(101),-- CertificateSet from CMS
        tD-KRB-PRINCIPAL(102),          -- PrincipalName
        tD-KRB-REALM(103),              -- Realm
        tD-TRUSTED-CERTIFIERS(104),     -- [RFC4556]
        tD-CERTIFICATE-INDEX(105),      -- [RFC4556]
        tD-APP-DEFINED-ERROR(106),      -- Application specific [RFC6113]
        tD-REQ-NONCE(107),              -- INTEGER [RFC6113]
        tD-REQ-SEQ(108),                -- INTEGER [RFC6113]
        tD-DH-PARAMETERS(109),          -- [RFC4556]
        tD-CMS-DIGEST-ALGORITHMS(111),  -- [ALG-AGILITY]
        tD-CERT-DIGEST-ALGORITHMS(112), -- [ALG-AGILITY]
        pA-PAC-REQUEST(128),            -- [MS-KILE] PA-PAC-REQUEST below
        pA-FOR-USER(129),               -- [MS-KILE] / [MS-SFU] PA-S4U2Self below
        pA-FOR-X509-USER(130),          -- [MS-KILE]
        pA-FOR-CHECK-DUPS(131),         -- [MS-KILE]
        pA-AS-CHECKSUM(132),            -- [MS-KILE]
        pA-FX-COOKIE(133),              -- [RFC6113]
        pA-AUTHENTICATION-SET(134),     -- [RFC6113]
        pA-AUTH-SET-SELECTED(135),      -- [RFC6113]
        pA-FX-FAST(136),                -- [RFC6113]
        pA-FX-ERROR(137),               -- [RFC6113]
        pA-ENCRYPTED-CHALLENGE(138),    -- [RFC6113]
        pA-OTP-CHALLENGE(141),          -- (gareth.richards@rsa.com) [OTP-PREAUTH]
        pA-OTP-REQUEST(142),            -- (gareth.richards@rsa.com) [OTP-PREAUTH]
        pA-OTP-CONFIRM(143),            -- (gareth.richards@rsa.com) [OTP-PREAUTH]
        pA-OTP-PIN-CHANGE(144),         -- (gareth.richards@rsa.com) [OTP-PREAUTH]
        pA-EPAK-AS-REQ(145),            -- (sshock@gmail.com) [RFC6113]
        pA-EPAK-AS-REP(146),            -- (sshock@gmail.com) [RFC6113]
        pA-PKINIT-KX(147),              -- [RFC6112]
        pA-PKU2U-NAME(148),             -- [PKU2U]
        pA-SUPPORTED-ETYPES(165),       -- [MS-KILE]
        pA-EXTENDED-ERROR(166),         -- [MS-KILE]
        pA-PAC-OPTIONS(167),            -- [MS-KILE] PA-PAC-OPTIONS below
        pA-PROV-SRV-LOCATION(-1)        -- 0xffffffff read as a gint32; PacketCable, see PROV-SRV-LOCATION below
}
115
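-- Authorization-data element types (ad-type). 1..8, 64..66, 128 and 129
-- are from RFC 4120 s7.5.4 (9 from RFC 4556), 70..72 from RFC 6113,
-- 141..143 from [MS-KILE]; -17 and 512 are Heimdal's ticket-signing
-- element, presumably tied to KRB5SignedPath further down.
AUTHDATA-TYPE ::= INTEGER {
        aD-IF-RELEVANT(1),
        aD-INTENDED-FOR-SERVER(2),
        aD-INTENDED-FOR-APPLICATION-CLASS(3),
        aD-KDC-ISSUED(4),
        aD-AND-OR(5),
        aD-MANDATORY-TICKET-EXTENSIONS(6),
        aD-IN-TICKET-EXTENSIONS(7),
        aD-MANDATORY-FOR-KDC(8),
        aD-INITIAL-VERIFIED-CAS(9),
        aD-OSF-DCE(64),
        aD-SESAME(65),
        aD-OSF-DCE-PKI-CERTID(66),
        aD-authentication-strength(70), -- [RFC6113]
        aD-fx-fast-armor(71),           -- [RFC6113]
        aD-fx-fast-used(72),            -- [RFC6113]
        aD-WIN2K-PAC(128),              -- [RFC4120] [MS-PAC]
        aD-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only; carries EtypeList (RFC 4537)
        aD-TOKEN-RESTRICTIONS(141),     -- [MS-KILE] carries KERB-AD-RESTRICTION-ENTRY
        aD-LOCAL(142),                  -- [MS-KILE]
        aD-AP-OPTIONS(143),             -- [MS-KILE]
        aD-SIGNTICKET-OLDER(-17),
        -- aD-SIGNTICKET-OLD(142) is left out, presumably because 142 is aD-LOCAL
        -- last entry: no trailing comma, a NamedNumberList does not allow one
        aD-SIGNTICKET(512)
}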
141
-- checksumtypes
--
-- Checksum types (cksumtype in Checksum). 15/16 and 19/20 are the keyed
-- checksums of the AES enctypes (RFC 3962, RFC 8009) and 17/18 those of
-- Camellia (RFC 6803). The low numbers are unkeyed or DES/MD4/MD5-based
-- and belong with the enctypes deprecated by RFC 6649 and RFC 8429;
-- -138 is the RC4 HMAC-MD5 checksum from RFC 4757.

CKSUMTYPE ::= INTEGER {
        cKSUMTYPE-NONE(0),
        cKSUMTYPE-CRC32(1),
        cKSUMTYPE-RSA-MD4(2),
        cKSUMTYPE-RSA-MD4-DES(3),
        cKSUMTYPE-DES-MAC(4),
        cKSUMTYPE-DES-MAC-K(5),
        cKSUMTYPE-RSA-MD4-DES-K(6),
        cKSUMTYPE-RSA-MD5(7),
        cKSUMTYPE-RSA-MD5-DES(8),
        cKSUMTYPE-RSA-MD5-DES3(9),
        cKSUMTYPE-SHA1-OTHER(10),
        cKSUMTYPE-HMAC-SHA1-DES3-KD(12),
        cKSUMTYPE-HMAC-SHA1-DES3(13),
        cKSUMTYPE-SHA1(14),
        cKSUMTYPE-HMAC-SHA1-96-AES-128(15),
        cKSUMTYPE-HMAC-SHA1-96-AES-256(16),
        cKSUMTYPE-CMAC-CAMELLIA128(17),
        cKSUMTYPE-CMAC-CAMELLIA256(18),
        cKSUMTYPE-HMAC-SHA256-128-AES128(19),
        cKSUMTYPE-HMAC-SHA384-192-AES256(20),
        cKSUMTYPE-GSSAPI(--0x8003--32771),
        cKSUMTYPE-HMAC-MD5(-138),       -- unofficial microsoft number (RFC 4757)
        cKSUMTYPE-HMAC-MD5-ENC(-1138)   -- even more unofficial
}
169
-- enctypes http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1
--
-- Encryption types (etype in EncryptedData and EncryptionKey). The DES,
-- 3DES and RC4 types are deprecated (RFC 6649 for single DES and
-- exportable RC4, RFC 8429 for 3DES and RC4); seeing them negotiated in
-- a capture usually points at a legacy or downgraded configuration and is
-- worth flagging. Negative values are vendor or Heimdal-internal numbers.
ENCTYPE ::= INTEGER {
        eTYPE-NULL(0),
        eTYPE-DES-CBC-CRC(1),           -- single DES; deprecated (RFC 6649)
        eTYPE-DES-CBC-MD4(2),           -- single DES; deprecated (RFC 6649)
        eTYPE-DES-CBC-MD5(3),           -- single DES; deprecated (RFC 6649)
        eTYPE-DES3-CBC-MD5(5),
        eTYPE-OLD-DES3-CBC-SHA1(7),
        eTYPE-SIGN-DSA-GENERATE(8),
        eTYPE-DSA-SHA1(9),
        eTYPE-RSA-MD5(10),
        eTYPE-RSA-SHA1(11),
        eTYPE-RC2-CBC(12),
        eTYPE-RSA(13),
        eTYPE-RSAES-OAEP(14),
        eTYPE-DES-EDE3-CBC(15),
        eTYPE-DES3-CBC-SHA1(16),        -- with key derivation; 3DES, deprecated (RFC 8429)
        eTYPE-AES128-CTS-HMAC-SHA1-96(17),      -- RFC 3962
        eTYPE-AES256-CTS-HMAC-SHA1-96(18),      -- RFC 3962
        eTYPE-AES128-CTS-HMAC-SHA256-128(19), -- RFC 8009
        eTYPE-AES256-CTS-HMAC-SHA384-192(20), -- RFC 8009
        eTYPE-ARCFOUR-HMAC-MD5(23),     -- RC4 (RFC 4757); deprecated (RFC 8429)
        eTYPE-ARCFOUR-HMAC-MD5-56(24),  -- exportable RC4; deprecated (RFC 6649)
        eTYPE-CAMELLIA128-CTS-CMAC(25), -- RFC 6803
        eTYPE-CAMELLIA256-CTS-CMAC(26), -- RFC 6803
        eTYPE-ENCTYPE-PK-CROSS(48),
-- some "old" windows types
        eTYPE-ARCFOUR-MD4(-128),
        eTYPE-ARCFOUR-HMAC-OLD(-133),
        eTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
-- these are for Heimdal internal use (the hex spelling of each number is
-- kept in a comment because the ASN.1 syntax wants decimal)
--      eTYPE-DES-CBC-NONE(-0x1000),
        eTYPE-DES-CBC-NONE( -4096),
--      eTYPE-DES3-CBC-NONE(-0x1001),
        eTYPE-DES3-CBC-NONE(-4097),
--      eTYPE-DES-CFB64-NONE(-0x1002),
        eTYPE-DES-CFB64-NONE(-4098),
--      eTYPE-DES-PCBC-NONE(-0x1003),
        eTYPE-DES-PCBC-NONE(-4099),
--      eTYPE-DIGEST-MD5-NONE(-0x1004),         - - private use, lukeh@padl.com
        eTYPE-DIGEST-MD5-NONE(-4100),           -- private use, lukeh@padl.com
--      eTYPE-CRAM-MD5-NONE(-0x1005)            - - private use, lukeh@padl.com
        eTYPE-CRAM-MD5-NONE(-4101)              -- private use, lukeh@padl.com
}
214
-- addr-types (WS extension )
-- HostAddress addr-type values (RFC 4120 s7.5.1); 6 is XNS (Xerox).
ADDR-TYPE ::= INTEGER {
    iPv4(2),
    cHAOS(5),
    xEROX(6),
    iSO(7),
    dECNET(12),
    aPPLETALK(16),
    nETBIOS(20),
    iPv6(24)
}
226
-- error-codes (WS extension)
--
-- KRB-ERROR error-code values (RFC 4120 s7.5.9). The RFC's KDC_ERR_ and
-- KRB_AP_ERR_ prefixes are both folded into eRR-; 62..64 keep the RFC's
-- KDC_ERROR_ spelling as eRROR-, and pATH-NOT-ACCEPTED(51) is
-- KRB_AP_PATH_NOT_ACCEPTED (28 is the KDC_ERR_ one of the same name).
-- NOTE(review): the uneven prefixes are kept as they are; renaming
-- would presumably change the generated value strings.
-- Detection note: a high rate of 6 (C-PRINCIPAL-UNKNOWN), 24
-- (PREAUTH-FAILED) or 18 (CLIENT-REVOKED) from one client is the usual
-- sign of guessing or enumeration against the KDC.
ERROR-CODE ::= INTEGER {
--error table constants
        eRR-NONE(0),
        eRR-NAME-EXP(1),
        eRR-SERVICE-EXP(2),
        eRR-BAD-PVNO(3),
        eRR-C-OLD-MAST-KVNO(4),
        eRR-S-OLD-MAST-KVNO(5),
        eRR-C-PRINCIPAL-UNKNOWN(6),
        eRR-S-PRINCIPAL-UNKNOWN(7),
        eRR-PRINCIPAL-NOT-UNIQUE(8),
        eRR-NULL-KEY(9),
        eRR-CANNOT-POSTDATE(10),
        eRR-NEVER-VALID(11),
        eRR-POLICY(12),
        eRR-BADOPTION(13),
        eRR-ETYPE-NOSUPP(14),
        eRR-SUMTYPE-NOSUPP(15),
        eRR-PADATA-TYPE-NOSUPP(16),
        eRR-TRTYPE-NOSUPP(17),
        eRR-CLIENT-REVOKED(18),
        eRR-SERVICE-REVOKED(19),
        eRR-TGT-REVOKED(20),
        eRR-CLIENT-NOTYET(21),
        eRR-SERVICE-NOTYET(22),
        eRR-KEY-EXP(23),
        eRR-PREAUTH-FAILED(24),
        eRR-PREAUTH-REQUIRED(25),
        eRR-SERVER-NOMATCH(26),
        eRR-MUST-USE-USER2USER(27),
        eRR-PATH-NOT-ACCEPTED(28),
        eRR-SVC-UNAVAILABLE(29),
        eRR-BAD-INTEGRITY(31),
        eRR-TKT-EXPIRED(32),
        eRR-TKT-NYV(33),
        eRR-REPEAT(34),
        eRR-NOT-US(35),
        eRR-BADMATCH(36),
        eRR-SKEW(37),
        eRR-BADADDR(38),
        eRR-BADVERSION(39),
        eRR-MSG-TYPE(40),
        eRR-MODIFIED(41),
        eRR-BADORDER(42),
        eRR-ILL-CR-TKT(43),
        eRR-BADKEYVER(44),
        eRR-NOKEY(45),
        eRR-MUT-FAIL(46),
        eRR-BADDIRECTION(47),
        eRR-METHOD(48),
        eRR-BADSEQ(49),
        eRR-INAPP-CKSUM(50),
        pATH-NOT-ACCEPTED(51),          -- KRB_AP_PATH_NOT_ACCEPTED
        eRR-RESPONSE-TOO-BIG(52),
        eRR-GENERIC(60),
        eRR-FIELD-TOOLONG(61),
        eRROR-CLIENT-NOT-TRUSTED(62),   -- KDC_ERROR_CLIENT_NOT_TRUSTED
        eRROR-KDC-NOT-TRUSTED(63),      -- KDC_ERROR_KDC_NOT_TRUSTED
        eRROR-INVALID-SIG(64),          -- KDC_ERROR_INVALID_SIG
        eRR-KEY-TOO-WEAK(65),
        eRR-CERTIFICATE-MISMATCH(66),
        eRR-NO-TGT(67),
        eRR-WRONG-REALM(68),
        eRR-USER-TO-USER-REQUIRED(69),
        eRR-CANT-VERIFY-CERTIFICATE(70),
        eRR-INVALID-CERTIFICATE(71),
        eRR-REVOKED-CERTIFICATE(72),
        eRR-REVOCATION-STATUS-UNKNOWN(73),
        eRR-REVOCATION-STATUS-UNAVAILABLE(74),
        eRR-CLIENT-NAME-MISMATCH(75),
        eRR-KDC-NAME-MISMATCH(76)
}
300
-- this is sugar to make something ASN1 does not have: unsigned
-- (RFC 4120's UInt32 and Int32: plain INTEGER is unbounded, the range
-- constraint states the intended width)

Krb5uint32 ::= INTEGER (0..4294967295)
Krb5int32 ::= INTEGER (-2147483648..2147483647)
305
306 --KerberosString  ::= GeneralString
307
308 --Realm ::= GeneralString
309 --PrincipalName ::= SEQUENCE {
310 --      name-type[0]            NAME-TYPE,
311 --      name-string[1]          SEQUENCE OF GeneralString
312 --}
313
-- this is not part of RFC1510
-- Heimdal pairing of a name with its realm, used by
-- KRB5SignedPathPrincipals further down.
Principal ::= SEQUENCE {
        name[0]         PrincipalName,
        realm[1]                Realm
}
319
320 --HostAddress ::= SEQUENCE  {
321 --      addr-type       [0]     Krb5int32,
322 --      address         [1]     OCTET STRING
323 --}
324
325 -- This is from RFC1510.
326 --
327 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
328 --      addr-type[0]            Krb5int32,
329 --      address[1]              OCTET STRING
330 -- }
331
332 -- This seems much better.
333 --HostAddresses ::= SEQUENCE OF HostAddress
334
335
336 --KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z)
337
338 --AuthorizationDataElement ::= SEQUENCE {
339 --      ad-type[0]              Krb5int32,
340 --      ad-data[1]              OCTET STRING
341 --}
342
343 --AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
344
-- AP-REQ option bits (RFC 4120 s5.5.1)
APOptions ::= BIT STRING {
        reserved(0),
        use-session-key(1),     -- ticket is encrypted in the session key (user-to-user)
        mutual-required(2)      -- client requires an AP-REP from the server
}
350
-- Ticket flags (RFC 4120 s5.3). Bit 15 enc-pa-rep is from RFC 6806,
-- bit 16 anonymous from RFC 6112. The same bit numbers are used in
-- EncTicketPart, EncKDCRepPart and KrbCredInfo.
TicketFlags ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        may-postdate(5),
        postdated(6),
        invalid(7),
        renewable(8),
        initial(9),             -- issued by AS, not from a TGT
        pre-authent(10),
        hw-authent(11),
        transited-policy-checked(12),
        ok-as-delegate(13),     -- server is trusted for delegation
        unused(14),
        enc-pa-rep(15),
        anonymous(16)
}
370
-- KDC options (RFC 4120 s5.4.1). Bit 14 is cname-in-addl-tkt in the RFC;
-- [MS-SFU] uses it for S4U2proxy, so TGS-REQs with it set are the ones to
-- audit when reviewing delegation. Bit 16 is from RFC 6112.
KDCOptions ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        allow-postdate(5),
        postdated(6),
        unused7(7),
        renewable(8),
        unused9(9),
        unused10(10),
        opt-hardware-auth(11), -- taken from KerberosV5Spec2.asn
        unused12(12),
        unused13(13),
        constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
        canonicalize(15),
        request-anonymous(16),
        unused17(17),
        unused18(18),
        unused19(19),
        unused20(20),
        unused21(21),
        unused22(22),
        unused23(23),
        unused24(24),
        unused25(25),
        disable-transited-check(26),
        renewable-ok(27),
        enc-tkt-in-skey(28),    -- user-to-user: encrypt ticket in the additional ticket's session key
        unused29(29),
        renew(30),
        validate(31)
}
405
-- LastReq lr-type values (RFC 4120 s5.4.2)
LR-TYPE ::= INTEGER {
        lR-NONE(0),             -- no information
        lR-INITIAL-TGT(1),      -- last initial TGT request
        lR-INITIAL(2),          -- last initial request
        lR-ISSUE-USE-TGT(3),    -- time of newest TGT used
        lR-RENEWAL(4),          -- time of last renewal
        lR-REQUEST(5),          -- time of last request (of any type)
        lR-PW-EXPTIME(6),       -- expiration time of password
        lR-ACCT-EXPTIME(7)      -- expiration time of account
}
416
417 --LastReq ::= SEQUENCE OF SEQUENCE {
418 --      lr-type[0]              LR-TYPE,
419 --      lr-value[1]             KerberosTime
420 --}
421
422
423 --EncryptedData ::= SEQUENCE {
424 --      etype[0]                ENCTYPE, - - EncryptionType
425 --      kvno[1]                 Krb5int32 OPTIONAL,
426 --      cipher[2]               OCTET STRING - - ciphertext
427 --}
428
429 --EncryptionKey ::= SEQUENCE {
430 --      keytype[0]              Krb5int32,
431 --      keyvalue[1]             OCTET STRING
432 --}
433
434 -- encoded Transited field
435 --TransitedEncoding ::= SEQUENCE {
436 --      tr-type[0]              Krb5int32, - - must be registered
437 --      contents[1]             OCTET STRING
438 --}
439
440 --Ticket ::= [APPLICATION 1] SEQUENCE {
441 --      tkt-vno[0]              Krb5int32,
442 --      realm[1]                Realm,
443 --      sname[2]                PrincipalName,
444 --      enc-part[3]             EncryptedData
445 --}
446 -- Encrypted part of ticket
447 --EncTicketPart ::= [APPLICATION 3] SEQUENCE {
448 --      flags[0]                TicketFlags,
449 --      key[1]                  EncryptionKey,
450 --      crealm[2]               Realm,
451 --      cname[3]                PrincipalName,
452 --      transited[4]            TransitedEncoding,
453 --      authtime[5]             KerberosTime,
454 --      starttime[6]            KerberosTime OPTIONAL,
455 --      endtime[7]              KerberosTime,
456 --      renew-till[8]           KerberosTime OPTIONAL,
457 --      caddr[9]                HostAddresses OPTIONAL,
458 --      authorization-data[10]  AuthorizationData OPTIONAL
459 --}
460
461 --Checksum ::= SEQUENCE {
462 --      cksumtype[0]            CKSUMTYPE,
463 --      checksum[1]             OCTET STRING
464 --}
465
466 --Authenticator ::= [APPLICATION 2] SEQUENCE    {
467 --      authenticator-vno[0]    Krb5int32,
468 --      crealm[1]               Realm,
469 --      cname[2]                PrincipalName,
470 --      cksum[3]                Checksum OPTIONAL,
471 --      cusec[4]                Krb5int32,
472 --      ctime[5]                KerberosTime,
473 --      subkey[6]               EncryptionKey OPTIONAL,
474 --      seq-number[7]           Krb5uint32 OPTIONAL,
475 --      authorization-data[8]   AuthorizationData OPTIONAL
476 --}
477
478 --PA-DATA ::= SEQUENCE {
479         -- might be encoded AP-REQ
480 --      padata-type[1]          PADATA-TYPE,
481 --      padata-value[2]         OCTET STRING
482 --}
483
484 --ETYPE-INFO-ENTRY ::= SEQUENCE {
485 --      etype[0]                ENCTYPE,
486 --      salt[1]                 OCTET STRING OPTIONAL,
487 --      salttype[2]             Krb5int32 OPTIONAL
488 --}
489
490 --ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
491
492 --ETYPE-INFO2-ENTRY ::= SEQUENCE {
493 --      etype[0]                ENCTYPE,
494 --      salt[1]                 KerberosString OPTIONAL,
495 --      s2kparams[2]            OCTET STRING OPTIONAL
496 --}
497
498 --ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
499
500 -- METHOD-DATA ::= SEQUENCE OF PA-DATA
501
502 --TypedData ::=   SEQUENCE {
503 --      data-type[0]            Krb5int32,
504 --      data-value[1]           OCTET STRING OPTIONAL
505 --}
506
507 --TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
508
509 --KDC-REQ-BODY ::= SEQUENCE {
510 --      kdc-options[0]          KDCOptions,
511 --      cname[1]                PrincipalName OPTIONAL, - - Used only in AS-REQ
512 --      realm[2]                Realm,  - - Server's realm
513                                         -- Also client's in AS-REQ
514 --      sname[3]                PrincipalName OPTIONAL,
515 --      from[4]                 KerberosTime OPTIONAL,
516 --      till[5]                 KerberosTime OPTIONAL,
517 --      rtime[6]                KerberosTime OPTIONAL,
518 --      nonce[7]                Krb5int32,
519 --      etype[8]                SEQUENCE OF ENCTYPE, - - EncryptionType,
520                                         -- in preference order
521 --      addresses[9]            HostAddresses OPTIONAL,
522 --      enc-authorization-data[10] EncryptedData OPTIONAL,
523                                         -- Encrypted AuthorizationData encoding
524 --      additional-tickets[11]  SEQUENCE OF Ticket OPTIONAL
525 --}
526
527 --KDC-REQ ::= SEQUENCE {
528 --      pvno[1]                 Krb5int32,
529 --      msg-type[2]             MESSAGE-TYPE,
530 --      padata[3]               METHOD-DATA OPTIONAL,
531 --      req-body[4]             KDC-REQ-BODY
532 --}
533
534 --AS-REQ ::= [APPLICATION 10] KDC-REQ
535 --TGS-REQ ::= [APPLICATION 12] KDC-REQ
536
537 -- padata-type ::= PA-ENC-TIMESTAMP
538 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
539
540 --PA-ENC-TS-ENC ::= SEQUENCE {
541 --      patimestamp[0]          KerberosTime, - - client's time
542 --      pausec[1]               Krb5int32 OPTIONAL
543 --}
544
-- draft-brezak-win2k-krb-authz-01, now [MS-KILE]: padata-type
-- pA-PAC-REQUEST(128) in an AS-REQ. KERB-PA-PAC-REQUEST further down is a
-- second definition of the same structure.
PA-PAC-REQUEST ::= SEQUENCE {
        include-pac[0]          BOOLEAN -- Indicates whether a PAC
                                        -- should be included or not
}
550
-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
-- (padata-type pA-PROV-SRV-LOCATION(-1))
PROV-SRV-LOCATION ::= GeneralString
553
554 --KDC-REP ::= SEQUENCE {
555 --      pvno[0]                 Krb5int32,
556 --      msg-type[1]             MESSAGE-TYPE,
557 --      padata[2]               METHOD-DATA OPTIONAL,
558 --      crealm[3]               Realm,
559 --      cname[4]                PrincipalName,
560 --      ticket[5]               Ticket,
561 --      enc-part[6]             EncryptedData
562 --}
563
564 --AS-REP ::= [APPLICATION 11] KDC-REP
565 --TGS-REP ::= [APPLICATION 13] KDC-REP
566
567 --EncKDCRepPart ::= SEQUENCE {
568 --      key[0]                  EncryptionKey,
569 --      last-req[1]             LastReq,
570 --      nonce[2]                Krb5int32,
571 --      key-expiration[3]       KerberosTime OPTIONAL,
572 --      flags[4]                TicketFlags,
573 --      authtime[5]             KerberosTime,
574 --      starttime[6]            KerberosTime OPTIONAL,
575 --      endtime[7]              KerberosTime,
576 --      renew-till[8]           KerberosTime OPTIONAL,
577 --      srealm[9]               Realm,
578 --      sname[10]               PrincipalName,
579 --      caddr[11]               HostAddresses OPTIONAL,
580 --      encrypted-pa-data[12]   METHOD-DATA OPTIONAL
581 --}
582
583 --EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
584 --EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
585
586 --AP-REQ ::= [APPLICATION 14] SEQUENCE {
587 --      pvno[0]                 Krb5int32,
588 --      msg-type[1]             MESSAGE-TYPE,
589 --      ap-options[2]           APOptions,
590 --      ticket[3]               Ticket,
591 --      authenticator[4]        EncryptedData
592 --}
593
594 --AP-REP ::= [APPLICATION 15] SEQUENCE {
595 --      pvno[0]                 Krb5int32,
596 --      msg-type[1]             MESSAGE-TYPE,
597 --      enc-part[2]             EncryptedData
598 --}
599
600 --EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
601 --      ctime[0]                KerberosTime,
602 --      cusec[1]                Krb5int32,
603 --      subkey[2]               EncryptionKey OPTIONAL,
604 --      seq-number[3]           Krb5uint32 OPTIONAL
605 --}
606
607 --KRB-SAFE-BODY ::= SEQUENCE {
608 --      user-data[0]            OCTET STRING,
609 --      timestamp[1]            KerberosTime OPTIONAL,
610 --      usec[2]                 Krb5int32 OPTIONAL,
611 --      seq-number[3]           Krb5uint32 OPTIONAL,
612 --      s-address[4]            HostAddress OPTIONAL,
613 --      r-address[5]            HostAddress OPTIONAL
614 --}
615
616 --KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
617 --      pvno[0]                 Krb5int32,
618 --      msg-type[1]             MESSAGE-TYPE,
619 --      safe-body[2]            KRB-SAFE-BODY,
620 --      cksum[3]                Checksum
621 --}
622
623 --KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
624 --      pvno[0]                 Krb5int32,
625 --      msg-type[1]             MESSAGE-TYPE,
626 --      enc-part[3]             EncryptedData
627 --}
628 --EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
629 --      user-data[0]            OCTET STRING,
630 --      timestamp[1]            KerberosTime OPTIONAL,
631 --      usec[2]                 Krb5int32 OPTIONAL,
632 --      seq-number[3]           Krb5uint32 OPTIONAL,
633 --      s-address[4]            HostAddress OPTIONAL, - - sender's addr
634 --      r-address[5]            HostAddress OPTIONAL  - - recip's addr
635 --}
636
637 --KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
638 --      pvno[0]                 Krb5int32,
639 --      msg-type[1]             MESSAGE-TYPE, - - KRB_CRED
640 --      tickets[2]              SEQUENCE OF Ticket,
641 --      enc-part[3]             EncryptedData
642 --}
643
644 --KrbCredInfo ::= SEQUENCE {
645 --      key[0]                  EncryptionKey,
646 --      prealm[1]               Realm OPTIONAL,
647 --      pname[2]                PrincipalName OPTIONAL,
648 --      flags[3]                TicketFlags OPTIONAL,
649 --      authtime[4]             KerberosTime OPTIONAL,
650 --      starttime[5]            KerberosTime OPTIONAL,
651 --      endtime[6]              KerberosTime OPTIONAL,
652 --      renew-till[7]           KerberosTime OPTIONAL,
653 --      srealm[8]               Realm OPTIONAL,
654 --      sname[9]                PrincipalName OPTIONAL,
655 --      caddr[10]               HostAddresses OPTIONAL
656 --}
657
658 --EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
659 --      ticket-info[0]          SEQUENCE OF KrbCredInfo,
660 --      nonce[1]                Krb5int32 OPTIONAL,
661 --      timestamp[2]            KerberosTime OPTIONAL,
662 --      usec[3]                 Krb5int32 OPTIONAL,
663 --      s-address[4]            HostAddress OPTIONAL,
664 --      r-address[5]            HostAddress OPTIONAL
665 --}
666
667 --KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
668 --      pvno[0]                 Krb5int32,
669 --      msg-type[1]             MESSAGE-TYPE,
670 --      ctime[2]                KerberosTime OPTIONAL,
671 --      cusec[3]                Krb5int32 OPTIONAL,
672 --      stime[4]                KerberosTime,
673 --      susec[5]                Krb5int32,
674 --      error-code[6]           Krb5int32,
675 --      crealm[7]               Realm OPTIONAL,
676 --      cname[8]                PrincipalName OPTIONAL,
677 --      realm[9]                Realm, - - Correct realm
678 --      sname[10]               PrincipalName, - - Correct name
679 --      e-text[11]              GeneralString OPTIONAL,
680 --      e-data[12]              OCTET STRING OPTIONAL
681 --}
682
-- RFC 3244 (Microsoft change/set password) request body, carried as the
-- user-data of a KRB-PRIV. newpasswd is the new password itself, protected
-- only by the KRB-PRIV encryption, so decrypted captures expose it. Per
-- RFC 3244 targname/targrealm are present when the request sets another
-- principal's password.
ChangePasswdDataMS ::= SEQUENCE {
        newpasswd[0]            OCTET STRING,
        targname[1]             PrincipalName OPTIONAL,
        targrealm[2]            Realm OPTIONAL
}
688
-- RFC 4537 cryptosystem negotiation: sent in the AP-REQ authenticator as
-- the aD-GSS-API-ETYPE-NEGOTIATION(129) authorization-data element.
EtypeList ::= SEQUENCE OF Krb5int32
        -- the client's proposed enctype list in
        -- decreasing preference order, favorite choice first
692
693 --krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number
694
695 -- transited encodings
696
697 --DOMAIN-X500-COMPRESS  Krb5int32 ::= 1
698
699 -- authorization data primitives
700
701 --AD-IF-RELEVANT ::= AuthorizationData
702
703 --AD-KDCIssued ::= SEQUENCE {
704 --      ad-checksum[0]          Checksum,
705 --      i-realm[1]              Realm OPTIONAL,
706 --      i-sname[2]              PrincipalName OPTIONAL,
707 --      elements[3]             AuthorizationData
708 --}
709
710 --AD-AND-OR ::= SEQUENCE {
711 --      condition-count[0]      INTEGER,
712 --      elements[1]             AuthorizationData
713 --}
714
715 --AD-MANDATORY-FOR-KDC ::= AuthorizationData
716
-- PA-SAM-CHALLENGE-2 / PA-SAM-RESPONSE-2
-- (single-use authentication mechanism pre-authentication, [KRB-WG.SAM])

-- sam-type values: the token vendor the challenge comes from
PA-SAM-TYPE ::= INTEGER {
        pA-SAM-TYPE-ENIGMA(1),          -- Enigma Logic
        pA-SAM-TYPE-DIGI-PATH(2),       -- Digital Pathways
        pA-SAM-TYPE-SKEY-K0(3),         -- S/key where  KDC has key 0
        pA-SAM-TYPE-SKEY(4),            -- Traditional S/Key
        pA-SAM-TYPE-SECURID(5),         -- Security Dynamics
        pA-SAM-TYPE-CRYPTOCARD(6)       -- CRYPTOCard
}
727
-- padata-type pA-SAM-REDIRECT(21): addresses of the SAM server to use
PA-SAM-REDIRECT ::= HostAddresses
729
-- sam-flags bits shared by PA-SAM-CHALLENGE-2-BODY and PA-SAM-RESPONSE-2
SAMFlags ::= BIT STRING {
        use-sad-as-key(0),
        send-encrypted-sad(1),
        must-pk-encrypt-sad(2)
}
735
-- Challenge body; PA-SAM-CHALLENGE-2 wraps it together with a checksum
-- over it, so the client can tell a KDC-issued challenge from a forged one.
PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
        sam-type[0]             Krb5int32,      -- PA-SAM-TYPE value
        sam-flags[1]            SAMFlags,
        sam-type-name[2]        GeneralString OPTIONAL,
        sam-track-id[3]         GeneralString OPTIONAL,
        sam-challenge-label[4]  GeneralString OPTIONAL,
        sam-challenge[5]        GeneralString OPTIONAL,
        sam-response-prompt[6]  GeneralString OPTIONAL,
        sam-pk-for-sad[7]       EncryptionKey OPTIONAL,
        sam-nonce[8]            Krb5int32,
        sam-etype[9]            Krb5int32,
        ...
}
749
-- padata-type pA-SAM-CHALLENGE2(30)
PA-SAM-CHALLENGE-2 ::= SEQUENCE {
        sam-body[0]             PA-SAM-CHALLENGE-2-BODY,
        sam-cksum[1]            SEQUENCE OF Checksum, -- (1..MAX), over sam-body
        ...
}
755
-- padata-type pA-SAM-RESPONSE2(31)
PA-SAM-RESPONSE-2 ::= SEQUENCE {
        sam-type[0]             Krb5int32,
        sam-flags[1]            SAMFlags,
        sam-track-id[2]         GeneralString OPTIONAL,
        sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
        sam-nonce[4]            Krb5int32,
        ...
}
764
-- Plaintext of PA-SAM-RESPONSE-2.sam-enc-nonce-or-sad: the echoed nonce
-- and, optionally, the single-use authentication data (SAD) itself.
PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
        sam-nonce[0]            Krb5int32,
        sam-sad[1]              GeneralString OPTIONAL,
        ...
}
770
-- [MS-SFU] PA-FOR-USER (padata-type pA-FOR-USER(129)): an S4U2self
-- request naming the user a service wants a ticket for. Per [MS-SFU]
-- cksum is an HMAC-MD5 keyed with the service's TGT session key over the
-- other fields and auth is the literal string "Kerberos"; TGS-REQs
-- carrying this padata are the ones to audit for impersonation.
PA-S4U2Self ::= SEQUENCE {
        name[0]         PrincipalName,  -- user being impersonated
        realm[1]        Realm,          -- that user's realm
        cksum[2]        Checksum,       -- keyed checksum, see [MS-SFU]
        auth[3]         GeneralString   -- "Kerberos"
}
777
-- the chain of services a ticket was delegated through (Heimdal)
KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
779
-- never encoded on the wire, just used to checksum over
-- (the DER of this is what KRB5SignedPath.cksum covers)
KRB5SignedPathData ::= SEQUENCE {
        encticket[0]    EncTicketPart,
        delegated[1]    KRB5SignedPathPrincipals OPTIONAL
}
785
-- Heimdal's signed delegation path, carried as authorization data. The
-- checksum is over the DER of KRB5SignedPathData using the krbtgt key;
-- the key usage number is not recorded here (the original note says XXX).
KRB5SignedPath ::= SEQUENCE {
        -- DERcoded KRB5SignedPathData
        -- krbtgt key (etype), KeyUsage = XXX
        etype[0]        ENCTYPE,
        cksum[1]        Checksum,
        -- servers delegated through
        delegated[2]    KRB5SignedPathPrincipals OPTIONAL
}
794
-- [REFERRALS] draft: the name the client asked for and the name the KDC
-- mapped it to
PA-ClientCanonicalizedNames ::= SEQUENCE{
        requested-name  [0] PrincipalName,
        mapped-name     [1] PrincipalName
}
799
-- [REFERRALS] draft: the name mapping plus a checksum binding it
-- (presumably keyed by the KDC so the client can verify the mapping)
PA-ClientCanonicalized ::= SEQUENCE {
        names           [0] PA-ClientCanonicalizedNames,
        canon-checksum  [1] Checksum
}
804
-- Heimdal authorization-data element recording the alias the user
-- logged in with; no ad-type number is assigned in AUTHDATA-TYPE.
AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
        login-alias     [0] PrincipalName,
        checksum        [1] Checksum
}
809
-- old ms referral
-- Component order ([1] before [0]) is part of the DER encoding and is
-- kept as in the Heimdal source.
PA-SvrReferralData ::= SEQUENCE {
        referred-name   [1] PrincipalName OPTIONAL,
        referred-realm  [0] Realm
}
815
-- padata-type pA-SERVER-REFERRAL(25): EncryptedData whose plaintext is
-- PA-ServerReferralData below
PA-SERVER-REFERRAL-DATA ::= EncryptedData
817
-- [REFERRALS] draft: where the KDC is sending the client next and how
-- long the referral stays valid
PA-ServerReferralData ::= SEQUENCE {
        referred-realm          [0] Realm OPTIONAL,
        true-principal-name     [1] PrincipalName OPTIONAL,
        requested-principal-name [2] PrincipalName OPTIONAL,
        referral-valid-until     [3] KerberosTime OPTIONAL,
        ...
}
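-- WS put extensions found elsewhere here
-- http://msdn.microsoft.com/en-us/library/cc206948.aspx
--
-- [MS-KILE] KERB-PA-PAC-REQUEST; same layout as PA-PAC-REQUEST above.
KERB-PA-PAC-REQUEST ::= SEQUENCE {
        include-pac[0] BOOLEAN  -- If TRUE, and no pac present, include PAC.
                                -- If FALSE, and PAC present, remove PAC
}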
831
832
-- [MS-KILE] PA-PAC-OPTIONS flag bits. Bit 3 is set by a service requesting
-- resource-based constrained delegation; TGS-REQs carrying it are worth
-- auditing together with the KDCOptions delegation bit.
PAC-OptionFlags ::= BIT STRING {
        claims(0),
        branch-aware(1),
        forward-to-full-dc(2),
        resource-based-constrained-delegation(3)
}
839
-- [MS-KILE] and [MS-SFU]
-- padata-type pA-PAC-OPTIONS(167)
PA-PAC-OPTIONS ::= SEQUENCE {
        option-flags [0] PAC-OptionFlags
}
844
-- [MS-KILE]
-- KERB-AD-RESTRICTION-ENTRY, carried inside the aD-TOKEN-RESTRICTIONS(141)
-- authorization-data element.
-- NOTE(review): Int32 is not defined in this module (the sibling
-- definitions use Krb5int32); presumably it resolves to RFC 4120's Int32
-- from KerberosV5Spec2.asn, which the file header says this is paired with.
KERB-AD-RESTRICTION-ENTRY ::= SEQUENCE {
        -- per [MS-KILE] only type 0 (LSAP_TOKEN_INFO_INTEGRITY) is specified
        restriction-type        [0] Int32,
        -- opaque to this schema: per [MS-KILE] an LSAP_TOKEN_INFO_INTEGRITY
        -- structure (flags, token integrity level, machine ID) for type 0
        restriction             [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
}
850
851 END
852
853 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1