1 -- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz
2 -- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $
3 -- Commented out stuff already in KerberosV5Spec2.asn
4 KERBEROS5 DEFINITIONS ::=
-- Principal name types (RFC 4120 section 6.2).  Values 0..12 are IANA
-- registered; the negative values below are private-use numbers (Microsoft
-- or Heimdal-internal) and are not meaningful to other implementations.
7 NAME-TYPE ::= INTEGER {
8 kRB5-NT-UNKNOWN(0), -- Name type not known
9 kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in DCE, or for users (RFC 4120)
10 kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt)
11 kRB5-NT-SRV-HST(3), -- Service with host name as instance
12 kRB5-NT-SRV-XHST(4), -- Service with host as remaining components
13 kRB5-NT-UID(5), -- Unique ID
14 kRB5-NT-X500-PRINCIPAL(6), -- PKINIT: encoded X.509 Distinguished Name
15 kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
16 kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN (enterprise name, RFC 6806)
17 kRB5-NT-WELLKNOWN(11), -- Well-known name (RFC 6111), e.g. WELLKNOWN/ANONYMOUS
18 kRB5-NT-SRV-HST-DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
19 kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID (private use)
20 kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name (private use)
21 kRB5-NT-MS-PRINCIPAL-AND-ID(-129), -- NT style name and SID (private use)
22 kRB5-NT-NTLM(-1200), -- NTLM name, realm is domain (private use)
23 kRB5-NT-X509-GENERAL-NAME(-1201), -- x509 general name (base64 encoded) (private use)
24 kRB5-NT-GSS-HOSTBASED-SERVICE(-1202), -- not used; remove
25 kRB5-NT-CACHE-UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
26 kRB5-NT-SRV-HST-NEEDS-CANON (-195894762) -- Internal: indicates that name canonicalization is needed
31 MESSAGE-TYPE ::= INTEGER {
32 krb-as-req(10), -- Request for initial authentication
33 krb-as-rep(11), -- Response to KRB_AS_REQ request
34 krb-tgs-req(12), -- Request for authentication based on TGT
35 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
36 krb-ap-req(14), -- application request to server
37 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
38 krb-safe(20), -- Safe (checksummed) application message
39 krb-priv(21), -- Private (encrypted) application message
40 krb-cred(22), -- Private (encrypted) message to forward credentials
41 krb-error(30) -- Error response
-- Pre-authentication (pA-*) and typed-data (tD-*) type numbers.  Both kinds
-- share a single IANA registry (kerberos-parameters, "Pre-authentication and
-- Typed Data"), which is why two values below (20 and 22) are double-assigned.
-- Positive values are registered; negative values are private-use.
48 PADATA-TYPE ::= INTEGER {
50 pA-TGS-REQ(1), -- [RFC4120]
51 pA-ENC-TIMESTAMP(2), -- [RFC4120]; a captured exchange allows offline guessing of the client's long-term key, so run it inside FAST armor (pA-FX-FAST) where possible
52 pA-PW-SALT(3), -- [RFC4120]
53 -- [reserved](4), -- -- [RFC6113]
54 pA-ENC-UNIX-TIME(5), -- (deprecated) [RFC4120]
55 pA-SANDIA-SECUREID(6), -- [RFC4120]
56 pA-SESAME(7), -- [RFC4120]
57 pA-OSF-DCE(8), -- [RFC4120]
58 pA-CYBERSAFE-SECUREID(9), -- [RFC4120]
59 pA-AFS3-SALT(10), -- [RFC4120] [RFC3961]
60 pA-ETYPE-INFO(11), -- [RFC4120]
61 pA-SAM-CHALLENGE(12), -- [KRB-WG.SAM]
62 pA-SAM-RESPONSE(13), -- [KRB-WG.SAM]
63 pA-PK-AS-REQ-OLD(14), -- [PK-INIT-1999]
64 pA-PK-AS-REP-OLD(15), -- [PK-INIT-1999]
65 pA-PK-AS-REQ(16), -- [RFC4556]
66 pA-PK-AS-REP(17), -- [RFC4556]
67 pA-PK-OCSP-RESPONSE(18), -- [RFC4557]
68 pA-ETYPE-INFO2(19), -- [RFC4120]
69 pA-USE-SPECIFIED-KVNO(20), -- [RFC4120]; value 20 is double-assigned in the IANA registry (see next entry)
70 pA-SVR-REFERRAL-INFO(20), -- [REFERRALS]; shares value 20 with pA-USE-SPECIFIED-KVNO
71 pA-SAM-REDIRECT(21), -- [KRB-WG.SAM]
72 pA-GET-FROM-TYPED-DATA(22), -- (embedded in typed data) [RFC4120]; value 22 is shared with tD-PADATA
73 tD-PADATA(22), -- (embeds padata) [RFC4120]; shares value 22 with pA-GET-FROM-TYPED-DATA
74 pA-SAM-ETYPE-INFO(23), -- (sam/otp) [KRB-WG.SAM]
75 pA-ALT-PRINC(24), -- (crawdad@fnal.gov) [HW-AUTH]
76 pA-SERVER-REFERRAL(25), -- [REFERRALS]
77 pA-SAM-CHALLENGE2(30), -- (kenh@pobox.com) [KRB-WG.SAM]
78 pA-SAM-RESPONSE2(31), -- (kenh@pobox.com) [KRB-WG.SAM]
79 pA-EXTRA-TGT(41), -- Reserved extra TGT [RFC6113]
80 tD-PKINIT-CMS-CERTIFICATES(101),-- CertificateSet from CMS
81 tD-KRB-PRINCIPAL(102), -- PrincipalName
82 tD-KRB-REALM(103), -- Realm
83 tD-TRUSTED-CERTIFIERS(104), -- [RFC4556]
84 tD-CERTIFICATE-INDEX(105), -- [RFC4556]
85 tD-APP-DEFINED-ERROR(106), -- Application specific [RFC6113]
86 tD-REQ-NONCE(107), -- INTEGER [RFC6113]
87 tD-REQ-SEQ(108), -- INTEGER [RFC6113]
88 tD-DH-PARAMETERS(109), -- [RFC4556]
89 tD-CMS-DIGEST-ALGORITHMS(111), -- [ALG-AGILITY]
90 tD-CERT-DIGEST-ALGORITHMS(112), -- [ALG-AGILITY]
91 pA-PAC-REQUEST(128), -- [MS-KILE]; payload is PA-PAC-REQUEST / KERB-PA-PAC-REQUEST defined later in this module
92 pA-FOR-USER(129), -- [MS-KILE] S4U2Self (also [MS-SFU]); payload is PA-S4U2Self defined later in this module
93 pA-FOR-X509-USER(130), -- [MS-KILE] S4U2Self by certificate; payload is PA-S4U-X509-USER defined later in this module
94 pA-FOR-CHECK-DUPS(131), -- [MS-KILE]
95 pA-AS-CHECKSUM(132), -- [MS-KILE]
96 pA-FX-COOKIE(133), -- [RFC6113]
97 pA-AUTHENTICATION-SET(134), -- [RFC6113]
98 pA-AUTH-SET-SELECTED(135), -- [RFC6113]
99 pA-FX-FAST(136), -- [RFC6113] FAST armor: tunnels the pre-auth exchange under a key derived from an armor ticket
100 pA-FX-ERROR(137), -- [RFC6113]
101 pA-ENCRYPTED-CHALLENGE(138), -- [RFC6113]
102 pA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com) [OTP-PREAUTH]
103 pA-OTP-REQUEST(142), -- (gareth.richards@rsa.com) [OTP-PREAUTH]
104 pA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com) [OTP-PREAUTH]
105 pA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com) [OTP-PREAUTH]
106 pA-EPAK-AS-REQ(145), -- (sshock@gmail.com) [RFC6113]
107 pA-EPAK-AS-REP(146), -- (sshock@gmail.com) [RFC6113]
108 pA-PKINIT-KX(147), -- [RFC6112]
109 pA-PKU2U-NAME(148), -- [PKU2U]
110 pA-REQ-ENC-PA-REP(149), -- [RFC6806]; asks the KDC to return a checksum over the request inside the encrypted reply so that AS-REQ tampering is detectable
111 pA-SUPPORTED-ETYPES(165), -- [MS-KILE]
112 pA-EXTENDED-ERROR(166), -- [MS-KILE]
113 pA-PAC-OPTIONS(167), -- [MS-KILE]; payload is PA-PAC-OPTIONS defined later in this module
114 pA-PROV-SRV-LOCATION(-1) -- -1 (0xffffffff when read as an unsigned 32-bit value); PacketCable provisioning server location, see PROV-SRV-LOCATION below
117 AUTHDATA-TYPE ::= INTEGER {
119 aD-INTENDED-FOR-SERVER(2),
120 aD-INTENDED-FOR-APPLICATION-CLASS(3),
123 aD-MANDATORY-TICKET-EXTENSIONS(6),
124 aD-IN-TICKET-EXTENSIONS(7),
125 aD-MANDATORY-FOR-KDC(8),
126 aD-INITIAL-VERIFIED-CAS(9),
129 aD-OSF-DCE-PKI-CERTID(66),
130 aD-authentication-strength(70), -- [RFC6113]
131 aD-fx-fast-armor(71), -- [RFC6113]
132 aD-fx-fast-used(72), -- [RFC6113]
133 aD-WIN2K-PAC(128), -- [RFC4120] [MS-PAC]
134 aD-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
135 aD-TOKEN-RESTRICTIONS(141), -- [MS-KILE]
136 aD-LOCAL(142), -- [MS-KILE]
137 aD-AP-OPTIONS(143), -- [MS-KILE]
138 aD-SIGNTICKET-OLDER(-17),
139 -- aD-SIGNTICKET-OLD(142),
-- Kerberos checksum types (RFC 3961 section 6).
-- Review note: rsa-md4 (2), rsa-md5 (7) and sha1 (10) are UNKEYED digests;
-- they only protect integrity when the checksum itself travels inside
-- encrypted data.  The DES-keyed types (3..6, 8) go with single DES, which is
-- deprecated (RFC 6649).  Prefer the HMAC/CMAC types (15..20) that pair with
-- the AES and Camellia enctypes actually in use.
145 CKSUMTYPE ::= INTEGER {
148 cKSUMTYPE-RSA-MD4(2), -- unkeyed
149 cKSUMTYPE-RSA-MD4-DES(3), -- DES-keyed
150 cKSUMTYPE-DES-MAC(4), -- DES-keyed
151 cKSUMTYPE-DES-MAC-K(5), -- DES-keyed
152 cKSUMTYPE-RSA-MD4-DES-K(6), -- DES-keyed
153 cKSUMTYPE-RSA-MD5(7), -- unkeyed
154 cKSUMTYPE-RSA-MD5-DES(8), -- DES-keyed
155 cKSUMTYPE-RSA-MD5-DES3(9), -- 3DES-keyed
156 cKSUMTYPE-SHA1-OTHER(10), -- unkeyed
157 cKSUMTYPE-HMAC-SHA1-DES3-KD(12), -- keyed, with key derivation (RFC 3961)
158 cKSUMTYPE-HMAC-SHA1-DES3(13), -- keyed
160 cKSUMTYPE-HMAC-SHA1-96-AES-128(15), -- RFC 3962
161 cKSUMTYPE-HMAC-SHA1-96-AES-256(16), -- RFC 3962
162 cKSUMTYPE-CMAC-CAMELLIA128(17), -- RFC 6803
163 cKSUMTYPE-CMAC-CAMELLIA256(18), -- RFC 6803
164 cKSUMTYPE-HMAC-SHA256-128-AES128(19), -- RFC 8009
165 cKSUMTYPE-HMAC-SHA384-192-AES256(20), -- RFC 8009
166 cKSUMTYPE-GSSAPI(--0x8003--32771), -- RFC 4121 authenticator checksum (channel bindings + flags), not a keyed MAC
167 cKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number; the RC4-HMAC checksum of RFC 4757
168 cKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
171 --enctypes http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1
-- Kerberos encryption types (RFC 3961 "etype" numbers).  Positive values are
-- IANA-registered; negative values are private/local-use.
-- Review note for deployers: single DES (1..3) is deprecated by RFC 6649 and
-- des3-cbc-sha1 (16) and RC4 (23, 24) by RFC 8429; they should be disabled on
-- KDCs and absent from keytabs.  Prefer 17..20 (AES) or 25..26 (Camellia).
172 ENCTYPE ::= INTEGER {
174 eTYPE-DES-CBC-CRC(1), -- single DES, deprecated (RFC 6649)
175 eTYPE-DES-CBC-MD4(2), -- single DES, deprecated (RFC 6649)
176 eTYPE-DES-CBC-MD5(3), -- single DES, deprecated (RFC 6649)
177 eTYPE-DES3-CBC-MD5(5), -- legacy 3DES variant predating RFC 3961
178 eTYPE-OLD-DES3-CBC-SHA1(7), -- legacy 3DES variant predating RFC 3961
179 eTYPE-SIGN-DSA-GENERATE(8),
185 eTYPE-RSAES-OAEP(14),
186 eTYPE-DES-EDE3-CBC(15), -- legacy 3DES variant predating RFC 3961
187 eTYPE-DES3-CBC-SHA1(16), -- with key derivation (RFC 3961); deprecated by RFC 8429
188 eTYPE-AES128-CTS-HMAC-SHA1-96(17), -- RFC 3962
189 eTYPE-AES256-CTS-HMAC-SHA1-96(18), -- RFC 3962
190 eTYPE-AES128-CTS-HMAC-SHA256-128(19), -- RFC 8009
191 eTYPE-AES256-CTS-HMAC-SHA384-192(20), -- RFC 8009
192 eTYPE-ARCFOUR-HMAC-MD5(23), -- RC4 (RFC 4757); deprecated by RFC 8429
193 eTYPE-ARCFOUR-HMAC-MD5-56(24), -- export-strength (56-bit) RC4 (RFC 4757); deprecated by RFC 8429
194 eTYPE-CAMELLIA128-CTS-CMAC(25), -- RFC 6803
195 eTYPE-CAMELLIA256-CTS-CMAC(26), -- RFC 6803
196 eTYPE-ENCTYPE-PK-CROSS(48),
197 -- some "old" windows types
198 eTYPE-ARCFOUR-MD4(-128),
199 eTYPE-ARCFOUR-HMAC-OLD(-133),
200 eTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
201 -- these are for Heimdal internal use
-- NOTE(review): the "-NONE" variants name a raw cipher mode with no integrity
-- check; they should never be negotiable on the wire -- confirm in the
-- enctype-selection code.
202 -- eTYPE-DES-CBC-NONE(-0x1000),
203 eTYPE-DES-CBC-NONE( -4096),
204 -- eTYPE-DES3-CBC-NONE(-0x1001),
205 eTYPE-DES3-CBC-NONE(-4097),
206 -- eTYPE-DES-CFB64-NONE(-0x1002),
207 eTYPE-DES-CFB64-NONE(-4098),
208 -- eTYPE-DES-PCBC-NONE(-0x1003),
209 eTYPE-DES-PCBC-NONE(-4099),
210 -- eTYPE-DIGEST-MD5-NONE(-0x1004), - - private use, lukeh@padl.com
211 eTYPE-DIGEST-MD5-NONE(-4100), -- private use, lukeh@padl.com
212 -- eTYPE-CRAM-MD5-NONE(-0x1005) - - private use, lukeh@padl.com
213 eTYPE-CRAM-MD5-NONE(-4101) -- private use, lukeh@padl.com
216 -- addr-types (WS extension)
217 ADDR-TYPE ::= INTEGER {
228 -- error-codes (WS extension)
229 ERROR-CODE ::= INTEGER {
230 --error table constants
235 eRR-C-OLD-MAST-KVNO(4),
236 eRR-S-OLD-MAST-KVNO(5),
237 eRR-C-PRINCIPAL-UNKNOWN(6),
238 eRR-S-PRINCIPAL-UNKNOWN(7),
239 eRR-PRINCIPAL-NOT-UNIQUE(8),
241 eRR-CANNOT-POSTDATE(10),
245 eRR-ETYPE-NOSUPP(14),
246 eRR-SUMTYPE-NOSUPP(15),
247 eRR-PADATA-TYPE-NOSUPP(16),
248 eRR-TRTYPE-NOSUPP(17),
249 eRR-CLIENT-REVOKED(18),
250 eRR-SERVICE-REVOKED(19),
252 eRR-CLIENT-NOTYET(21),
253 eRR-SERVICE-NOTYET(22),
255 eRR-PREAUTH-FAILED(24),
256 eRR-PREAUTH-REQUIRED(25),
257 eRR-SERVER-NOMATCH(26),
258 eRR-MUST-USE-USER2USER(27),
259 eRR-PATH-NOT-ACCEPTED(28),
260 eRR-SVC-UNAVAILABLE(29),
261 eRR-BAD-INTEGRITY(31),
277 eRR-BADDIRECTION(47),
281 pATH-NOT-ACCEPTED(51),
282 eRR-RESPONSE-TOO-BIG(52),
284 eRR-FIELD-TOOLONG(61),
285 eRROR-CLIENT-NOT-TRUSTED(62),
286 eRROR-KDC-NOT-TRUSTED(63),
287 eRROR-INVALID-SIG(64),
288 eRR-KEY-TOO-WEAK(65),
289 eRR-CERTIFICATE-MISMATCH(66),
292 eRR-USER-TO-USER-REQUIRED(69),
293 eRR-CANT-VERIFY-CERTIFICATE(70),
294 eRR-INVALID-CERTIFICATE(71),
295 eRR-REVOKED-CERTIFICATE(72),
296 eRR-REVOCATION-STATUS-UNKNOWN(73),
297 eRR-REVOCATION-STATUS-UNAVAILABLE(74),
298 eRR-CLIENT-NAME-MISMATCH(75),
299 eRR-KDC-NAME-MISMATCH(76)
302 -- Constrained INTEGER subtypes standing in for the fixed-width 32-bit signed and unsigned integers ASN.1 does not have natively; values outside the range are invalid under the constraint.
304 Krb5uint32 ::= INTEGER (0..4294967295)
305 Krb5int32 ::= INTEGER (-2147483648..2147483647)
307 --KerberosString ::= GeneralString
309 --Realm ::= GeneralString
310 --PrincipalName ::= SEQUENCE {
311 -- name-type[0] NAME-TYPE,
312 -- name-string[1] SEQUENCE OF GeneralString
315 -- this is not part of RFC1510
316 Principal ::= SEQUENCE {
317 name[0] PrincipalName,
321 --HostAddress ::= SEQUENCE {
322 -- addr-type [0] Krb5int32,
323 -- address [1] OCTET STRING
326 -- This is from RFC1510.
328 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
329 -- addr-type[0] Krb5int32,
330 -- address[1] OCTET STRING
333 -- This seems much better.
334 --HostAddresses ::= SEQUENCE OF HostAddress
337 --KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z)
339 --AuthorizationDataElement ::= SEQUENCE {
340 -- ad-type[0] Krb5int32,
341 -- ad-data[1] OCTET STRING
344 --AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
346 APOptions ::= BIT STRING {
352 TicketFlags ::= BIT STRING {
365 transited-policy-checked(12),
372 KDCOptions ::= BIT STRING {
384 opt-hardware-auth(11), -- taken from KerberosV5Spec2.asn
387 constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
389 request-anonymous(16),
399 disable-transited-check(26),
407 LR-TYPE ::= INTEGER {
408 lR-NONE(0), -- no information
409 lR-INITIAL-TGT(1), -- last initial TGT request
410 lR-INITIAL(2), -- last initial request
411 lR-ISSUE-USE-TGT(3), -- time of newest TGT used
412 lR-RENEWAL(4), -- time of last renewal
413 lR-REQUEST(5), -- time of last request (of any type)
414 lR-PW-EXPTIME(6), -- expiration time of password
415 lR-ACCT-EXPTIME(7) -- expiration time of account
418 --LastReq ::= SEQUENCE OF SEQUENCE {
419 -- lr-type[0] LR-TYPE,
420 -- lr-value[1] KerberosTime
424 --EncryptedData ::= SEQUENCE {
425 -- etype[0] ENCTYPE, - - EncryptionType
426 -- kvno[1] Krb5int32 OPTIONAL,
427 -- cipher[2] OCTET STRING - - ciphertext
430 --EncryptionKey ::= SEQUENCE {
431 -- keytype[0] Krb5int32,
432 -- keyvalue[1] OCTET STRING
435 -- encoded Transited field
436 --TransitedEncoding ::= SEQUENCE {
437 -- tr-type[0] Krb5int32, - - must be registered
438 -- contents[1] OCTET STRING
441 --Ticket ::= [APPLICATION 1] SEQUENCE {
442 -- tkt-vno[0] Krb5int32,
444 -- sname[2] PrincipalName,
445 -- enc-part[3] EncryptedData
447 -- Encrypted part of ticket
448 --EncTicketPart ::= [APPLICATION 3] SEQUENCE {
449 -- flags[0] TicketFlags,
450 -- key[1] EncryptionKey,
452 -- cname[3] PrincipalName,
453 -- transited[4] TransitedEncoding,
454 -- authtime[5] KerberosTime,
455 -- starttime[6] KerberosTime OPTIONAL,
456 -- endtime[7] KerberosTime,
457 -- renew-till[8] KerberosTime OPTIONAL,
458 -- caddr[9] HostAddresses OPTIONAL,
459 -- authorization-data[10] AuthorizationData OPTIONAL
462 --Checksum ::= SEQUENCE {
463 -- cksumtype[0] CKSUMTYPE,
464 -- checksum[1] OCTET STRING
467 --Authenticator ::= [APPLICATION 2] SEQUENCE {
468 -- authenticator-vno[0] Krb5int32,
470 -- cname[2] PrincipalName,
471 -- cksum[3] Checksum OPTIONAL,
472 -- cusec[4] Krb5int32,
473 -- ctime[5] KerberosTime,
474 -- subkey[6] EncryptionKey OPTIONAL,
475 -- seq-number[7] Krb5uint32 OPTIONAL,
476 -- authorization-data[8] AuthorizationData OPTIONAL
479 --PA-DATA ::= SEQUENCE {
480 -- might be encoded AP-REQ
481 -- padata-type[1] PADATA-TYPE,
482 -- padata-value[2] OCTET STRING
485 --ETYPE-INFO-ENTRY ::= SEQUENCE {
487 -- salt[1] OCTET STRING OPTIONAL,
488 -- salttype[2] Krb5int32 OPTIONAL
491 --ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
493 --ETYPE-INFO2-ENTRY ::= SEQUENCE {
495 -- salt[1] KerberosString OPTIONAL,
496 -- s2kparams[2] OCTET STRING OPTIONAL
499 --ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
501 -- METHOD-DATA ::= SEQUENCE OF PA-DATA
503 --TypedData ::= SEQUENCE {
504 -- data-type[0] Krb5int32,
505 -- data-value[1] OCTET STRING OPTIONAL
508 --TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
510 --KDC-REQ-BODY ::= SEQUENCE {
511 -- kdc-options[0] KDCOptions,
512 -- cname[1] PrincipalName OPTIONAL, - - Used only in AS-REQ
513 -- realm[2] Realm, - - Server's realm
514 -- Also client's in AS-REQ
515 -- sname[3] PrincipalName OPTIONAL,
516 -- from[4] KerberosTime OPTIONAL,
517 -- till[5] KerberosTime OPTIONAL,
518 -- rtime[6] KerberosTime OPTIONAL,
519 -- nonce[7] Krb5int32,
520 -- etype[8] SEQUENCE OF ENCTYPE, - - EncryptionType,
521 -- in preference order
522 -- addresses[9] HostAddresses OPTIONAL,
523 -- enc-authorization-data[10] EncryptedData OPTIONAL,
524 -- Encrypted AuthorizationData encoding
525 -- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
528 --KDC-REQ ::= SEQUENCE {
529 -- pvno[1] Krb5int32,
530 -- msg-type[2] MESSAGE-TYPE,
531 -- padata[3] METHOD-DATA OPTIONAL,
532 -- req-body[4] KDC-REQ-BODY
535 --AS-REQ ::= [APPLICATION 10] KDC-REQ
536 --TGS-REQ ::= [APPLICATION 12] KDC-REQ
538 -- padata-type ::= PA-ENC-TIMESTAMP
539 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
541 --PA-ENC-TS-ENC ::= SEQUENCE {
542 -- patimestamp[0] KerberosTime, - - client's time
543 -- pausec[1] Krb5int32 OPTIONAL
546 -- draft-brezak-win2k-krb-authz-01
547 PA-PAC-REQUEST ::= SEQUENCE {
548 include-pac[0] BOOLEAN -- Indicates whether a PAC
549 -- should be included or not
552 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
553 PROV-SRV-LOCATION ::= GeneralString
555 --KDC-REP ::= SEQUENCE {
556 -- pvno[0] Krb5int32,
557 -- msg-type[1] MESSAGE-TYPE,
558 -- padata[2] METHOD-DATA OPTIONAL,
560 -- cname[4] PrincipalName,
562 -- enc-part[6] EncryptedData
565 --AS-REP ::= [APPLICATION 11] KDC-REP
566 --TGS-REP ::= [APPLICATION 13] KDC-REP
568 --EncKDCRepPart ::= SEQUENCE {
569 -- key[0] EncryptionKey,
570 -- last-req[1] LastReq,
571 -- nonce[2] Krb5int32,
572 -- key-expiration[3] KerberosTime OPTIONAL,
573 -- flags[4] TicketFlags,
574 -- authtime[5] KerberosTime,
575 -- starttime[6] KerberosTime OPTIONAL,
576 -- endtime[7] KerberosTime,
577 -- renew-till[8] KerberosTime OPTIONAL,
579 -- sname[10] PrincipalName,
580 -- caddr[11] HostAddresses OPTIONAL,
581 -- encrypted-pa-data[12] METHOD-DATA OPTIONAL
584 --EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
585 --EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
587 --AP-REQ ::= [APPLICATION 14] SEQUENCE {
588 -- pvno[0] Krb5int32,
589 -- msg-type[1] MESSAGE-TYPE,
590 -- ap-options[2] APOptions,
592 -- authenticator[4] EncryptedData
595 --AP-REP ::= [APPLICATION 15] SEQUENCE {
596 -- pvno[0] Krb5int32,
597 -- msg-type[1] MESSAGE-TYPE,
598 -- enc-part[2] EncryptedData
601 --EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
602 -- ctime[0] KerberosTime,
603 -- cusec[1] Krb5int32,
604 -- subkey[2] EncryptionKey OPTIONAL,
605 -- seq-number[3] Krb5uint32 OPTIONAL
608 --KRB-SAFE-BODY ::= SEQUENCE {
609 -- user-data[0] OCTET STRING,
610 -- timestamp[1] KerberosTime OPTIONAL,
611 -- usec[2] Krb5int32 OPTIONAL,
612 -- seq-number[3] Krb5uint32 OPTIONAL,
613 -- s-address[4] HostAddress OPTIONAL,
614 -- r-address[5] HostAddress OPTIONAL
617 --KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
618 -- pvno[0] Krb5int32,
619 -- msg-type[1] MESSAGE-TYPE,
620 -- safe-body[2] KRB-SAFE-BODY,
624 --KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
625 -- pvno[0] Krb5int32,
626 -- msg-type[1] MESSAGE-TYPE,
627 -- enc-part[3] EncryptedData
629 --EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
630 -- user-data[0] OCTET STRING,
631 -- timestamp[1] KerberosTime OPTIONAL,
632 -- usec[2] Krb5int32 OPTIONAL,
633 -- seq-number[3] Krb5uint32 OPTIONAL,
634 -- s-address[4] HostAddress OPTIONAL, - - sender's addr
635 -- r-address[5] HostAddress OPTIONAL - - recip's addr
638 --KRB-CRED ::= [APPLICATION 22] SEQUENCE {
639 -- pvno[0] Krb5int32,
640 -- msg-type[1] MESSAGE-TYPE, - - KRB_CRED
641 -- tickets[2] SEQUENCE OF Ticket,
642 -- enc-part[3] EncryptedData
645 --KrbCredInfo ::= SEQUENCE {
646 -- key[0] EncryptionKey,
647 -- prealm[1] Realm OPTIONAL,
648 -- pname[2] PrincipalName OPTIONAL,
649 -- flags[3] TicketFlags OPTIONAL,
650 -- authtime[4] KerberosTime OPTIONAL,
651 -- starttime[5] KerberosTime OPTIONAL,
652 -- endtime[6] KerberosTime OPTIONAL,
653 -- renew-till[7] KerberosTime OPTIONAL,
654 -- srealm[8] Realm OPTIONAL,
655 -- sname[9] PrincipalName OPTIONAL,
656 -- caddr[10] HostAddresses OPTIONAL
659 --EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
660 -- ticket-info[0] SEQUENCE OF KrbCredInfo,
661 -- nonce[1] Krb5int32 OPTIONAL,
662 -- timestamp[2] KerberosTime OPTIONAL,
663 -- usec[3] Krb5int32 OPTIONAL,
664 -- s-address[4] HostAddress OPTIONAL,
665 -- r-address[5] HostAddress OPTIONAL
668 --KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
669 -- pvno[0] Krb5int32,
670 -- msg-type[1] MESSAGE-TYPE,
671 -- ctime[2] KerberosTime OPTIONAL,
672 -- cusec[3] Krb5int32 OPTIONAL,
673 -- stime[4] KerberosTime,
674 -- susec[5] Krb5int32,
675 -- error-code[6] Krb5int32,
676 -- crealm[7] Realm OPTIONAL,
677 -- cname[8] PrincipalName OPTIONAL,
678 -- realm[9] Realm, - - Correct realm
679 -- sname[10] PrincipalName, - - Correct name
680 -- e-text[11] GeneralString OPTIONAL,
681 -- e-data[12] OCTET STRING OPTIONAL
684 ChangePasswdDataMS ::= SEQUENCE {
685 newpasswd[0] OCTET STRING,
686 targname[1] PrincipalName OPTIONAL,
687 targrealm[2] Realm OPTIONAL
690 EtypeList ::= SEQUENCE OF Krb5int32
691 -- the client's proposed enctype list in
692 -- decreasing preference order, favorite choice first
694 --krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number
696 -- transited encodings
698 --DOMAIN-X500-COMPRESS Krb5int32 ::= 1
700 -- authorization data primitives
702 --AD-IF-RELEVANT ::= AuthorizationData
704 --AD-KDCIssued ::= SEQUENCE {
705 -- ad-checksum[0] Checksum,
706 -- i-realm[1] Realm OPTIONAL,
707 -- i-sname[2] PrincipalName OPTIONAL,
708 -- elements[3] AuthorizationData
711 --AD-AND-OR ::= SEQUENCE {
712 -- condition-count[0] INTEGER,
713 -- elements[1] AuthorizationData
716 --AD-MANDATORY-FOR-KDC ::= AuthorizationData
718 -- PA-SAM-CHALLENGE-2 / PA-SAM-RESPONSE-2 (single-use authentication mechanisms, [KRB-WG.SAM])
720 PA-SAM-TYPE ::= INTEGER {
721 pA-SAM-TYPE-ENIGMA(1), -- Enigma Logic
722 pA-SAM-TYPE-DIGI-PATH(2), -- Digital Pathways
723 pA-SAM-TYPE-SKEY-K0(3), -- S/key where KDC has key 0
724 pA-SAM-TYPE-SKEY(4), -- Traditional S/Key
725 pA-SAM-TYPE-SECURID(5), -- Security Dynamics
726 pA-SAM-TYPE-CRYPTOCARD(6) -- CRYPTOCard
729 PA-SAM-REDIRECT ::= HostAddresses
731 SAMFlags ::= BIT STRING {
733 send-encrypted-sad(1),
734 must-pk-encrypt-sad(2)
737 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
738 sam-type[0] Krb5int32,
739 sam-flags[1] SAMFlags,
740 sam-type-name[2] GeneralString OPTIONAL,
741 sam-track-id[3] GeneralString OPTIONAL,
742 sam-challenge-label[4] GeneralString OPTIONAL,
743 sam-challenge[5] GeneralString OPTIONAL,
744 sam-response-prompt[6] GeneralString OPTIONAL,
745 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
746 sam-nonce[8] Krb5int32,
747 sam-etype[9] Krb5int32,
751 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
752 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
753 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
757 PA-SAM-RESPONSE-2 ::= SEQUENCE {
758 sam-type[0] Krb5int32,
759 sam-flags[1] SAMFlags,
760 sam-track-id[2] GeneralString OPTIONAL,
761 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
762 sam-nonce[4] Krb5int32,
766 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
767 sam-nonce[0] Krb5int32,
768 sam-sad[1] GeneralString OPTIONAL,
-- [MS-SFU] S4U2Self (protocol transition) request, carried as pA-FOR-USER (129).
-- name[0] is the principal on whose behalf the service asks for a ticket to
-- itself; auth[3] is the auth-package string (presumably "Kerberos" per
-- MS-SFU -- confirm).  NOTE(review): because the KDC issues a ticket for a
-- user who never authenticated, the service's right to do this must be
-- checked by KDC policy, not trusted from this structure.
772 PA-S4U2Self ::= SEQUENCE {
773 name[0] PrincipalName,
776 auth[3] GeneralString
779 PA-S4U-X509-USER::= SEQUENCE {
780 user-id[0] S4UUserID,
-- [MS-SFU] user identification for S4U2Self-by-certificate; the user-id of
-- PA-S4U-X509-USER (pA-FOR-X509-USER, 130).  nonce[0] must match the
-- KDC-REQ-BODY nonce, which binds this padata to the request it rides in.
-- NOTE(review): UInt32 is not defined in this module as shown (Krb5uint32 is);
-- presumably it comes from the companion spec module -- verify the codegen
-- resolves it.
784 S4UUserID ::= SEQUENCE {
785 nonce [0] UInt32, -- the nonce in KDC-REQ-BODY
786 cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
788 subject-certificate [3] OCTET STRING OPTIONAL, -- DER certificate the user is identified by
789 options [4] BIT STRING OPTIONAL,
793 KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
795 -- never sent on the wire; only DER-encoded locally as the input to the checksum carried in KRB5SignedPath
796 KRB5SignedPathData ::= SEQUENCE {
797 encticket[0] EncTicketPart,
798 delegated[1] KRB5SignedPathPrincipals OPTIONAL
801 KRB5SignedPath ::= SEQUENCE {
802 -- checksum over the DER-encoded KRB5SignedPathData
803 -- keyed with the krbtgt key (etype); the key-usage number is not recorded here (XXX)
806 -- services the ticket was delegated through
807 delegated[2] KRB5SignedPathPrincipals OPTIONAL
810 PA-ClientCanonicalizedNames ::= SEQUENCE{
811 requested-name [0] PrincipalName,
812 mapped-name [1] PrincipalName
815 PA-ClientCanonicalized ::= SEQUENCE {
816 names [0] PA-ClientCanonicalizedNames,
817 canon-checksum [1] Checksum
820 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
821 login-alias [0] PrincipalName,
822 checksum [1] Checksum
826 PA-SvrReferralData ::= SEQUENCE {
827 referred-name [1] PrincipalName OPTIONAL,
828 referred-realm [0] Realm
831 PA-SERVER-REFERRAL-DATA ::= EncryptedData
833 PA-ServerReferralData ::= SEQUENCE {
834 referred-realm [0] Realm OPTIONAL,
835 true-principal-name [1] PrincipalName OPTIONAL,
836 requested-principal-name [2] PrincipalName OPTIONAL,
837 referral-valid-until [3] KerberosTime OPTIONAL,
840 -- WS put extensions found elsewhere here
841 -- http://msdn.microsoft.com/en-us/library/cc206948.aspx
-- [MS-KILE] payload of pA-PAC-REQUEST (128).  Structurally the same as
-- PA-PAC-REQUEST defined earlier in this module (draft-brezak); both are
-- kept.  NOTE(review): treat the flag as a client preference about PAC
-- inclusion, not as authorization -- whether a PAC is issued remains a KDC
-- policy decision; confirm against the KDC code.
843 KERB-PA-PAC-REQUEST ::= SEQUENCE {
844 include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC.
845 --If FALSE, and PAC present, remove PAC
-- [MS-KILE] / [MS-SFU] option bits carried in PA-PAC-OPTIONS (pA-PAC-OPTIONS, 167).
-- Bits 0 and 1 are outside this view of the file.
848 PAC-OptionFlags ::= BIT STRING {
851 forward-to-full-dc(2), -- request is to be forwarded to a full (writable) DC
852 resource-based-constrained-delegation(3) -- client signals an RBCD S4U2Proxy request; the KDC must still enforce the target's delegation ACL
855 -- [MS-KILE] and [MS-SFU]
856 PA-PAC-OPTIONS ::= SEQUENCE {
857 option-flags [0] PAC-OptionFlags
861 -- captures show that [UNIVERSAL 16] is required to parse it
-- [MS-KILE] element of the aD-TOKEN-RESTRICTIONS (141) authorization data.
-- The explicit [UNIVERSAL 16] tag matches what Windows emits (see the capture
-- note above).  NOTE(review): Int32 is not defined in this module as shown
-- (Krb5int32 is); presumably it comes from the companion spec module --
-- verify the codegen resolves it.
862 KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
863 restriction-type [0] Int32, -- selects how restriction[1] is interpreted
864 restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure ([MS-KILE]); opaque to the KDC, consumed by the application server
869 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1