1 -- $Id: k5.asn1,v 1.43 2005/06/17 04:58:59 lha Exp $
3 KERBEROS5 DEFINITIONS ::=
6 NAME-TYPE ::= INTEGER {
7 KRB5_NT_UNKNOWN(0), -- Name type not known
8 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
9 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
10 KRB5_NT_SRV_HST(3), -- Service with host name as instance
11 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
12 KRB5_NT_UID(5), -- Unique ID
13 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
14 KRB5_NT_ENTERPRISE(10) -- May be mapped to principal name
19 MESSAGE-TYPE ::= INTEGER {
20 krb-as-req(10), -- Request for initial authentication
21 krb-as-rep(11), -- Response to KRB_AS_REQ request
22 krb-tgs-req(12), -- Request for authentication based on TGT
23 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
24 krb-ap-req(14), -- application request to server
25 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
26 krb-safe(20), -- Safe (checksummed) application message
27 krb-priv(21), -- Private (encrypted) application message
28 krb-cred(22), -- Private (encrypted) message to forward credentials
29 krb-error(30) -- Error response
35 PADATA-TYPE ::= INTEGER {
37 KRB5-PADATA-TGS-REQ(1),
38 KRB5-PADATA-AP-REQ(1),
39 KRB5-PADATA-ENC-TIMESTAMP(2),
40 KRB5-PADATA-PW-SALT(3),
41 KRB5-PADATA-ENC-UNIX-TIME(5),
42 KRB5-PADATA-SANDIA-SECUREID(6),
43 KRB5-PADATA-SESAME(7),
44 KRB5-PADATA-OSF-DCE(8),
45 KRB5-PADATA-CYBERSAFE-SECUREID(9),
46 KRB5-PADATA-AFS3-SALT(10),
47 KRB5-PADATA-ETYPE-INFO(11),
48 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
49 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
50 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
51 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
52 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
53 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
54 KRB5-PADATA-ETYPE-INFO2(19),
55 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
56 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
57 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
58 KRB5-PADATA-SAM-ETYPE-INFO(23),
59 KRB5-PADATA-SERVER-REFERRAL(25),
60 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
61 KRB5-PADATA-TD-KRB-REALM(103), -- Realm
62 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
63 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
64 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
65 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
66 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
67 KRB5-PADATA-PA-PAC-REQUEST(128) -- jbrezak@exchange.microsoft.com
70 AUTHDATA-TYPE ::= INTEGER {
71 KRB5-AUTHDATA-IF-RELEVANT(1),
72 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
73 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
74 KRB5-AUTHDATA-KDC-ISSUED(4),
75 KRB5-AUTHDATA-AND-OR(5),
76 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
77 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
78 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
79 KRB5-AUTHDATA-OSF-DCE(64),
80 KRB5-AUTHDATA-SESAME(65),
81 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
82 KRB5-AUTHDATA-WIN2K-PAC(128),
83 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129) -- Authenticator only
88 CKSUMTYPE ::= INTEGER {
92 CKSUMTYPE_RSA_MD4_DES(3),
94 CKSUMTYPE_DES_MAC_K(5),
95 CKSUMTYPE_RSA_MD4_DES_K(6),
97 CKSUMTYPE_RSA_MD5_DES(8),
98 CKSUMTYPE_RSA_MD5_DES3(9),
99 CKSUMTYPE_SHA1_OTHER(10),
100 CKSUMTYPE_HMAC_SHA1_DES3(12),
102 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
103 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
104 CKSUMTYPE_GSSAPI(0x8003),
105 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
106 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
110 ENCTYPE ::= INTEGER {
112 ETYPE_DES_CBC_CRC(1),
113 ETYPE_DES_CBC_MD4(2),
114 ETYPE_DES_CBC_MD5(3),
115 ETYPE_DES3_CBC_MD5(5),
116 ETYPE_OLD_DES3_CBC_SHA1(7),
117 ETYPE_SIGN_DSA_GENERATE(8),
118 ETYPE_ENCRYPT_RSA_PRIV(9),
119 ETYPE_ENCRYPT_RSA_PUB(10),
120 ETYPE_DES3_CBC_SHA1(16), -- with key derivation
121 ETYPE_AES128_CTS_HMAC_SHA1_96(17),
122 ETYPE_AES256_CTS_HMAC_SHA1_96(18),
123 ETYPE_ARCFOUR_HMAC_MD5(23),
124 ETYPE_ARCFOUR_HMAC_MD5_56(24),
125 ETYPE_ENCTYPE_PK_CROSS(48),
126 -- these are for Heimdal internal use
127 ETYPE_DES_CBC_NONE(-0x1000),
128 ETYPE_DES3_CBC_NONE(-0x1001),
129 ETYPE_DES_CFB64_NONE(-0x1002),
130 ETYPE_DES_PCBC_NONE(-0x1003),
131 ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
132 ETYPE_CRAM_MD5_NONE(-0x1005), -- private use, lukeh@padl.com
133 ETYPE_RC2_CBC_NONE(-0x1006),
134 ETYPE_AES128_CBC_NONE(-0x1007),
135 ETYPE_AES192_CBC_NONE(-0x1008),
136 ETYPE_AES256_CBC_NONE(-0x1009),
137 ETYPE_DES3_CBC_NONE_CMS(-0x100a)
140 -- this is sugar to make something ASN1 does not have: unsigned
142 UNSIGNED ::= INTEGER (0..4294967295)
144 KerberosString ::= GeneralString
146 Realm ::= GeneralString
147 PrincipalName ::= SEQUENCE {
148 name-type[0] NAME-TYPE,
149 name-string[1] SEQUENCE OF GeneralString
152 -- this is not part of RFC1510
153 Principal ::= SEQUENCE {
154 name[0] PrincipalName,
158 HostAddress ::= SEQUENCE {
159 addr-type[0] INTEGER,
160 address[1] OCTET STRING
163 -- This is from RFC1510.
165 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
166 -- addr-type[0] INTEGER,
167 -- address[1] OCTET STRING
170 -- This seems much better.
171 HostAddresses ::= SEQUENCE OF HostAddress
174 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
176 AuthorizationData ::= SEQUENCE OF SEQUENCE {
178 ad-data[1] OCTET STRING
181 APOptions ::= BIT STRING {
187 TicketFlags ::= BIT STRING {
200 transited-policy-checked(12),
205 KDCOptions ::= BIT STRING {
218 request-anonymous(14),
220 disable-transited-check(26),
227 LR-TYPE ::= INTEGER {
228 LR_NONE(0), -- no information
229 LR_INITIAL_TGT(1), -- last initial TGT request
230 LR_INITIAL(2), -- last initial request
231 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
232 LR_RENEWAL(4), -- time of last renewal
233 LR_REQUEST(5), -- time of last request (of any type)
234 LR_PW_EXPTIME(6), -- expiration time of password
235 LR_ACCT_EXPTIME(7) -- expiration time of account
238 LastReq ::= SEQUENCE OF SEQUENCE {
240 lr-value[1] KerberosTime
244 EncryptedData ::= SEQUENCE {
245 etype[0] ENCTYPE, -- EncryptionType
246 kvno[1] INTEGER OPTIONAL,
247 cipher[2] OCTET STRING -- ciphertext
250 EncryptionKey ::= SEQUENCE {
252 keyvalue[1] OCTET STRING
255 -- encoded Transited field
256 TransitedEncoding ::= SEQUENCE {
257 tr-type[0] INTEGER, -- must be registered
258 contents[1] OCTET STRING
261 Ticket ::= [APPLICATION 1] SEQUENCE {
264 sname[2] PrincipalName,
265 enc-part[3] EncryptedData
267 -- Encrypted part of ticket
268 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
269 flags[0] TicketFlags,
270 key[1] EncryptionKey,
272 cname[3] PrincipalName,
273 transited[4] TransitedEncoding,
274 authtime[5] KerberosTime,
275 starttime[6] KerberosTime OPTIONAL,
276 endtime[7] KerberosTime,
277 renew-till[8] KerberosTime OPTIONAL,
278 caddr[9] HostAddresses OPTIONAL,
279 authorization-data[10] AuthorizationData OPTIONAL
282 Checksum ::= SEQUENCE {
283 cksumtype[0] CKSUMTYPE,
284 checksum[1] OCTET STRING
287 Authenticator ::= [APPLICATION 2] SEQUENCE {
288 authenticator-vno[0] INTEGER,
290 cname[2] PrincipalName,
291 cksum[3] Checksum OPTIONAL,
293 ctime[5] KerberosTime,
294 subkey[6] EncryptionKey OPTIONAL,
295 seq-number[7] UNSIGNED OPTIONAL,
296 authorization-data[8] AuthorizationData OPTIONAL
299 PA-DATA ::= SEQUENCE {
300 -- might be encoded AP-REQ
301 padata-type[1] PADATA-TYPE,
302 padata-value[2] OCTET STRING
305 ETYPE-INFO-ENTRY ::= SEQUENCE {
307 salt[1] OCTET STRING OPTIONAL,
308 salttype[2] INTEGER OPTIONAL
311 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
313 ETYPE-INFO2-ENTRY ::= SEQUENCE {
315 salt[1] KerberosString OPTIONAL,
316 s2kparams[2] OCTET STRING OPTIONAL
319 ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY
321 METHOD-DATA ::= SEQUENCE OF PA-DATA
323 KDC-REQ-BODY ::= SEQUENCE {
324 kdc-options[0] KDCOptions,
325 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
326 realm[2] Realm, -- Server's realm
327 -- Also client's in AS-REQ
328 sname[3] PrincipalName OPTIONAL,
329 from[4] KerberosTime OPTIONAL,
330 till[5] KerberosTime OPTIONAL,
331 rtime[6] KerberosTime OPTIONAL,
333 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
334 -- in preference order
335 addresses[9] HostAddresses OPTIONAL,
336 enc-authorization-data[10] EncryptedData OPTIONAL,
337 -- Encrypted AuthorizationData encoding
338 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
341 KDC-REQ ::= SEQUENCE {
343 msg-type[2] MESSAGE-TYPE,
344 padata[3] METHOD-DATA OPTIONAL,
345 req-body[4] KDC-REQ-BODY
348 AS-REQ ::= [APPLICATION 10] KDC-REQ
349 TGS-REQ ::= [APPLICATION 12] KDC-REQ
351 -- padata-type ::= PA-ENC-TIMESTAMP
352 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
354 PA-ENC-TS-ENC ::= SEQUENCE {
355 patimestamp[0] KerberosTime, -- client's time
356 pausec[1] INTEGER OPTIONAL
359 -- draft-brezak-win2k-krb-authz-01
360 PA-PAC-REQUEST ::= SEQUENCE {
361 include-pac[0] BOOLEAN -- Indicates whether a PAC
362 -- should be included or not
365 KDC-REP ::= SEQUENCE {
367 msg-type[1] MESSAGE-TYPE,
368 padata[2] METHOD-DATA OPTIONAL,
370 cname[4] PrincipalName,
372 enc-part[6] EncryptedData
375 AS-REP ::= [APPLICATION 11] KDC-REP
376 TGS-REP ::= [APPLICATION 13] KDC-REP
378 EncKDCRepPart ::= SEQUENCE {
379 key[0] EncryptionKey,
382 key-expiration[3] KerberosTime OPTIONAL,
383 flags[4] TicketFlags,
384 authtime[5] KerberosTime,
385 starttime[6] KerberosTime OPTIONAL,
386 endtime[7] KerberosTime,
387 renew-till[8] KerberosTime OPTIONAL,
389 sname[10] PrincipalName,
390 caddr[11] HostAddresses OPTIONAL
393 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
394 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
396 AP-REQ ::= [APPLICATION 14] SEQUENCE {
398 msg-type[1] MESSAGE-TYPE,
399 ap-options[2] APOptions,
401 authenticator[4] EncryptedData
404 AP-REP ::= [APPLICATION 15] SEQUENCE {
406 msg-type[1] MESSAGE-TYPE,
407 enc-part[2] EncryptedData
410 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
411 ctime[0] KerberosTime,
413 subkey[2] EncryptionKey OPTIONAL,
414 seq-number[3] UNSIGNED OPTIONAL
417 KRB-SAFE-BODY ::= SEQUENCE {
418 user-data[0] OCTET STRING,
419 timestamp[1] KerberosTime OPTIONAL,
420 usec[2] INTEGER OPTIONAL,
421 seq-number[3] UNSIGNED OPTIONAL,
422 s-address[4] HostAddress OPTIONAL,
423 r-address[5] HostAddress OPTIONAL
426 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
428 msg-type[1] MESSAGE-TYPE,
429 safe-body[2] KRB-SAFE-BODY,
433 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
435 msg-type[1] MESSAGE-TYPE,
436 enc-part[3] EncryptedData
438 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
439 user-data[0] OCTET STRING,
440 timestamp[1] KerberosTime OPTIONAL,
441 usec[2] INTEGER OPTIONAL,
442 seq-number[3] UNSIGNED OPTIONAL,
443 s-address[4] HostAddress OPTIONAL, -- sender's addr
444 r-address[5] HostAddress OPTIONAL -- recip's addr
447 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
449 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
450 tickets[2] SEQUENCE OF Ticket,
451 enc-part[3] EncryptedData
454 KrbCredInfo ::= SEQUENCE {
455 key[0] EncryptionKey,
456 prealm[1] Realm OPTIONAL,
457 pname[2] PrincipalName OPTIONAL,
458 flags[3] TicketFlags OPTIONAL,
459 authtime[4] KerberosTime OPTIONAL,
460 starttime[5] KerberosTime OPTIONAL,
461 endtime[6] KerberosTime OPTIONAL,
462 renew-till[7] KerberosTime OPTIONAL,
463 srealm[8] Realm OPTIONAL,
464 sname[9] PrincipalName OPTIONAL,
465 caddr[10] HostAddresses OPTIONAL
468 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
469 ticket-info[0] SEQUENCE OF KrbCredInfo,
470 nonce[1] INTEGER OPTIONAL,
471 timestamp[2] KerberosTime OPTIONAL,
472 usec[3] INTEGER OPTIONAL,
473 s-address[4] HostAddress OPTIONAL,
474 r-address[5] HostAddress OPTIONAL
477 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
479 msg-type[1] MESSAGE-TYPE,
480 ctime[2] KerberosTime OPTIONAL,
481 cusec[3] INTEGER OPTIONAL,
482 stime[4] KerberosTime,
484 error-code[6] INTEGER,
485 crealm[7] Realm OPTIONAL,
486 cname[8] PrincipalName OPTIONAL,
487 realm[9] Realm, -- Correct realm
488 sname[10] PrincipalName, -- Correct name
489 e-text[11] GeneralString OPTIONAL,
490 e-data[12] OCTET STRING OPTIONAL
493 ChangePasswdDataMS ::= SEQUENCE {
494 newpasswd[0] OCTET STRING,
495 targname[1] PrincipalName OPTIONAL,
496 targrealm[2] Realm OPTIONAL
499 EtypeList ::= SEQUENCE OF INTEGER
500 -- the client's proposed enctype list in
501 -- decreasing preference order, favorite choice first
503 krb5-pvno INTEGER ::= 5 -- current Kerberos protocol version number
505 -- transited encodings
507 DOMAIN-X500-COMPRESS INTEGER ::= 1
509 -- authorization data primitives
511 AD-IF-RELEVANT ::= AuthorizationData
513 AD-KDCIssued ::= SEQUENCE {
514 ad-checksum[0] Checksum,
515 i-realm[1] Realm OPTIONAL,
516 i-sname[2] PrincipalName OPTIONAL,
517 elements[3] AuthorizationData
520 AD-AND-OR ::= SEQUENCE {
521 condition-count[0] INTEGER,
522 elements[1] AuthorizationData
525 AD-MANDATORY-FOR-KDC ::= AuthorizationData
527 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
529 PA-SAM-TYPE ::= INTEGER {
530 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
531 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
532 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
533 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
534 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
535 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
538 PA-SAM-REDIRECT ::= HostAddresses
540 SAMFlags ::= BIT STRING {
542 send-encrypted-sad(1),
543 must-pk-encrypt-sad(2)
546 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
548 sam-flags[1] SAMFlags,
549 sam-type-name[2] GeneralString OPTIONAL,
550 sam-track-id[3] GeneralString OPTIONAL,
551 sam-challenge-label[4] GeneralString OPTIONAL,
552 sam-challenge[5] GeneralString OPTIONAL,
553 sam-response-prompt[6] GeneralString OPTIONAL,
554 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
555 sam-nonce[8] INTEGER,
556 sam-etype[9] INTEGER,
560 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
561 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
562 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
566 PA-SAM-RESPONSE-2 ::= SEQUENCE {
568 sam-flags[1] SAMFlags,
569 sam-track-id[2] GeneralString OPTIONAL,
570 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
571 sam-nonce[4] INTEGER,
575 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
576 sam-nonce[0] INTEGER,
577 sam-sad[1] GeneralString OPTIONAL,
581 RC2CBCParameter ::= SEQUENCE {
582 rc2ParameterVersion [0] INTEGER,
583 iv [1] OCTET STRING -- exactly 8 octets
586 CBCParameter ::= OCTET STRING
590 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1