1 -- $Id: k5.asn1,v 1.46 2005/08/22 19:09:25 lha Exp $
3 KERBEROS5 DEFINITIONS ::=
6 NAME-TYPE ::= INTEGER {
7 KRB5_NT_UNKNOWN(0), -- Name type not known
8 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
9 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
10 KRB5_NT_SRV_HST(3), -- Service with host name as instance
11 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
12 KRB5_NT_UID(5), -- Unique ID
13 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
14 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
15 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
16 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
17 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
18 KRB5_NT_MS_PRINCIPAL_AND_ID(-129) -- NT style name and SID
23 MESSAGE-TYPE ::= INTEGER {
24 krb-as-req(10), -- Request for initial authentication
25 krb-as-rep(11), -- Response to KRB_AS_REQ request
26 krb-tgs-req(12), -- Request for authentication based on TGT
27 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
28 krb-ap-req(14), -- application request to server
29 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
30 krb-safe(20), -- Safe (checksummed) application message
31 krb-priv(21), -- Private (encrypted) application message
32 krb-cred(22), -- Private (encrypted) message to forward credentials
33 krb-error(30) -- Error response
39 PADATA-TYPE ::= INTEGER {
41 KRB5-PADATA-TGS-REQ(1),
42 KRB5-PADATA-AP-REQ(1),
43 KRB5-PADATA-ENC-TIMESTAMP(2),
44 KRB5-PADATA-PW-SALT(3),
45 KRB5-PADATA-ENC-UNIX-TIME(5),
46 KRB5-PADATA-SANDIA-SECUREID(6),
47 KRB5-PADATA-SESAME(7),
48 KRB5-PADATA-OSF-DCE(8),
49 KRB5-PADATA-CYBERSAFE-SECUREID(9),
50 KRB5-PADATA-AFS3-SALT(10),
51 KRB5-PADATA-ETYPE-INFO(11),
52 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
53 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
54 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
55 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
56 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
57 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
58 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
59 KRB5-PADATA-ETYPE-INFO2(19),
60 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
61 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
62 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
63 KRB5-PADATA-SAM-ETYPE-INFO(23),
64 KRB5-PADATA-SERVER-REFERRAL(25),
65 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
66 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
67 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
68 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
69 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
70 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
71 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
72 KRB5-PADATA-PK-AS-09-BINDING(132) -- client send this to
73 -- tell KDC that is supports
74 -- the asCheckSum in the
78 AUTHDATA-TYPE ::= INTEGER {
79 KRB5-AUTHDATA-IF-RELEVANT(1),
80 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
81 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
82 KRB5-AUTHDATA-KDC-ISSUED(4),
83 KRB5-AUTHDATA-AND-OR(5),
84 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
85 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
86 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
87 KRB5-AUTHDATA-OSF-DCE(64),
88 KRB5-AUTHDATA-SESAME(65),
89 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
90 KRB5-AUTHDATA-WIN2K-PAC(128),
91 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129) -- Authenticator only
96 CKSUMTYPE ::= INTEGER {
100 CKSUMTYPE_RSA_MD4_DES(3),
101 CKSUMTYPE_DES_MAC(4),
102 CKSUMTYPE_DES_MAC_K(5),
103 CKSUMTYPE_RSA_MD4_DES_K(6),
104 CKSUMTYPE_RSA_MD5(7),
105 CKSUMTYPE_RSA_MD5_DES(8),
106 CKSUMTYPE_RSA_MD5_DES3(9),
107 CKSUMTYPE_SHA1_OTHER(10),
108 CKSUMTYPE_HMAC_SHA1_DES3(12),
110 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
111 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
112 CKSUMTYPE_GSSAPI(0x8003),
113 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
114 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
118 ENCTYPE ::= INTEGER {
120 ETYPE_DES_CBC_CRC(1),
121 ETYPE_DES_CBC_MD4(2),
122 ETYPE_DES_CBC_MD5(3),
123 ETYPE_DES3_CBC_MD5(5),
124 ETYPE_OLD_DES3_CBC_SHA1(7),
125 ETYPE_SIGN_DSA_GENERATE(8),
126 ETYPE_ENCRYPT_RSA_PRIV(9),
127 ETYPE_ENCRYPT_RSA_PUB(10),
128 ETYPE_DES3_CBC_SHA1(16), -- with key derivation
129 ETYPE_AES128_CTS_HMAC_SHA1_96(17),
130 ETYPE_AES256_CTS_HMAC_SHA1_96(18),
131 ETYPE_ARCFOUR_HMAC_MD5(23),
132 ETYPE_ARCFOUR_HMAC_MD5_56(24),
133 ETYPE_ENCTYPE_PK_CROSS(48),
134 -- these are for Heimdal internal use
135 ETYPE_DES_CBC_NONE(-0x1000),
136 ETYPE_DES3_CBC_NONE(-0x1001),
137 ETYPE_DES_CFB64_NONE(-0x1002),
138 ETYPE_DES_PCBC_NONE(-0x1003),
139 ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
140 ETYPE_CRAM_MD5_NONE(-0x1005), -- private use, lukeh@padl.com
141 ETYPE_RC2_CBC_NONE(-0x1006),
142 ETYPE_AES128_CBC_NONE(-0x1007),
143 ETYPE_AES192_CBC_NONE(-0x1008),
144 ETYPE_AES256_CBC_NONE(-0x1009),
145 ETYPE_DES3_CBC_NONE_CMS(-0x100a)
151 -- this is sugar to make something ASN1 does not have: unsigned
153 krb5uint32 ::= INTEGER (0..4294967295)
154 krb5int32 ::= INTEGER (-2147483648..2147483647)
156 KerberosString ::= GeneralString
158 Realm ::= GeneralString
159 PrincipalName ::= SEQUENCE {
160 name-type[0] NAME-TYPE,
161 name-string[1] SEQUENCE OF GeneralString
164 -- this is not part of RFC1510
165 Principal ::= SEQUENCE {
166 name[0] PrincipalName,
170 HostAddress ::= SEQUENCE {
171 addr-type[0] krb5int32,
172 address[1] OCTET STRING
175 -- This is from RFC1510.
177 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
178 -- addr-type[0] krb5int32,
179 -- address[1] OCTET STRING
182 -- This seems much better.
183 HostAddresses ::= SEQUENCE OF HostAddress
186 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
188 AuthorizationData ::= SEQUENCE OF SEQUENCE {
189 ad-type[0] krb5int32,
190 ad-data[1] OCTET STRING
193 APOptions ::= BIT STRING {
199 TicketFlags ::= BIT STRING {
212 transited-policy-checked(12),
217 KDCOptions ::= BIT STRING {
230 request-anonymous(14),
232 disable-transited-check(26),
239 LR-TYPE ::= INTEGER {
240 LR_NONE(0), -- no information
241 LR_INITIAL_TGT(1), -- last initial TGT request
242 LR_INITIAL(2), -- last initial request
243 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
244 LR_RENEWAL(4), -- time of last renewal
245 LR_REQUEST(5), -- time of last request (of any type)
246 LR_PW_EXPTIME(6), -- expiration time of password
247 LR_ACCT_EXPTIME(7) -- expiration time of account
250 LastReq ::= SEQUENCE OF SEQUENCE {
252 lr-value[1] KerberosTime
256 EncryptedData ::= SEQUENCE {
257 etype[0] ENCTYPE, -- EncryptionType
258 kvno[1] krb5int32 OPTIONAL,
259 cipher[2] OCTET STRING -- ciphertext
262 EncryptionKey ::= SEQUENCE {
263 keytype[0] krb5int32,
264 keyvalue[1] OCTET STRING
267 -- encoded Transited field
268 TransitedEncoding ::= SEQUENCE {
269 tr-type[0] krb5int32, -- must be registered
270 contents[1] OCTET STRING
273 Ticket ::= [APPLICATION 1] SEQUENCE {
274 tkt-vno[0] krb5int32,
276 sname[2] PrincipalName,
277 enc-part[3] EncryptedData
279 -- Encrypted part of ticket
280 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
281 flags[0] TicketFlags,
282 key[1] EncryptionKey,
284 cname[3] PrincipalName,
285 transited[4] TransitedEncoding,
286 authtime[5] KerberosTime,
287 starttime[6] KerberosTime OPTIONAL,
288 endtime[7] KerberosTime,
289 renew-till[8] KerberosTime OPTIONAL,
290 caddr[9] HostAddresses OPTIONAL,
291 authorization-data[10] AuthorizationData OPTIONAL
294 Checksum ::= SEQUENCE {
295 cksumtype[0] CKSUMTYPE,
296 checksum[1] OCTET STRING
299 Authenticator ::= [APPLICATION 2] SEQUENCE {
300 authenticator-vno[0] krb5int32,
302 cname[2] PrincipalName,
303 cksum[3] Checksum OPTIONAL,
305 ctime[5] KerberosTime,
306 subkey[6] EncryptionKey OPTIONAL,
307 seq-number[7] krb5uint32 OPTIONAL,
308 authorization-data[8] AuthorizationData OPTIONAL
311 PA-DATA ::= SEQUENCE {
312 -- might be encoded AP-REQ
313 padata-type[1] PADATA-TYPE,
314 padata-value[2] OCTET STRING
317 ETYPE-INFO-ENTRY ::= SEQUENCE {
319 salt[1] OCTET STRING OPTIONAL,
320 salttype[2] krb5int32 OPTIONAL
323 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
325 ETYPE-INFO2-ENTRY ::= SEQUENCE {
327 salt[1] KerberosString OPTIONAL,
328 s2kparams[2] OCTET STRING OPTIONAL
331 ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY
333 METHOD-DATA ::= SEQUENCE OF PA-DATA
335 TypedData ::= SEQUENCE {
336 data-type[0] krb5int32,
337 data-value[1] OCTET STRING OPTIONAL
340 TYPED-DATA ::= SEQUENCE OF TypedData
342 KDC-REQ-BODY ::= SEQUENCE {
343 kdc-options[0] KDCOptions,
344 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
345 realm[2] Realm, -- Server's realm
346 -- Also client's in AS-REQ
347 sname[3] PrincipalName OPTIONAL,
348 from[4] KerberosTime OPTIONAL,
349 till[5] KerberosTime OPTIONAL,
350 rtime[6] KerberosTime OPTIONAL,
352 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
353 -- in preference order
354 addresses[9] HostAddresses OPTIONAL,
355 enc-authorization-data[10] EncryptedData OPTIONAL,
356 -- Encrypted AuthorizationData encoding
357 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
360 KDC-REQ ::= SEQUENCE {
362 msg-type[2] MESSAGE-TYPE,
363 padata[3] METHOD-DATA OPTIONAL,
364 req-body[4] KDC-REQ-BODY
367 AS-REQ ::= [APPLICATION 10] KDC-REQ
368 TGS-REQ ::= [APPLICATION 12] KDC-REQ
370 -- padata-type ::= PA-ENC-TIMESTAMP
371 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
373 PA-ENC-TS-ENC ::= SEQUENCE {
374 patimestamp[0] KerberosTime, -- client's time
375 pausec[1] krb5int32 OPTIONAL
378 -- draft-brezak-win2k-krb-authz-01
379 PA-PAC-REQUEST ::= SEQUENCE {
380 include-pac[0] BOOLEAN -- Indicates whether a PAC
381 -- should be included or not
384 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
385 PROV-SRV-LOCATION ::= GeneralString
387 KDC-REP ::= SEQUENCE {
389 msg-type[1] MESSAGE-TYPE,
390 padata[2] METHOD-DATA OPTIONAL,
392 cname[4] PrincipalName,
394 enc-part[6] EncryptedData
397 AS-REP ::= [APPLICATION 11] KDC-REP
398 TGS-REP ::= [APPLICATION 13] KDC-REP
400 EncKDCRepPart ::= SEQUENCE {
401 key[0] EncryptionKey,
404 key-expiration[3] KerberosTime OPTIONAL,
405 flags[4] TicketFlags,
406 authtime[5] KerberosTime,
407 starttime[6] KerberosTime OPTIONAL,
408 endtime[7] KerberosTime,
409 renew-till[8] KerberosTime OPTIONAL,
411 sname[10] PrincipalName,
412 caddr[11] HostAddresses OPTIONAL
415 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
416 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
418 AP-REQ ::= [APPLICATION 14] SEQUENCE {
420 msg-type[1] MESSAGE-TYPE,
421 ap-options[2] APOptions,
423 authenticator[4] EncryptedData
426 AP-REP ::= [APPLICATION 15] SEQUENCE {
428 msg-type[1] MESSAGE-TYPE,
429 enc-part[2] EncryptedData
432 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
433 ctime[0] KerberosTime,
435 subkey[2] EncryptionKey OPTIONAL,
436 seq-number[3] krb5uint32 OPTIONAL
439 KRB-SAFE-BODY ::= SEQUENCE {
440 user-data[0] OCTET STRING,
441 timestamp[1] KerberosTime OPTIONAL,
442 usec[2] krb5int32 OPTIONAL,
443 seq-number[3] krb5uint32 OPTIONAL,
444 s-address[4] HostAddress OPTIONAL,
445 r-address[5] HostAddress OPTIONAL
448 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
450 msg-type[1] MESSAGE-TYPE,
451 safe-body[2] KRB-SAFE-BODY,
455 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
457 msg-type[1] MESSAGE-TYPE,
458 enc-part[3] EncryptedData
460 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
461 user-data[0] OCTET STRING,
462 timestamp[1] KerberosTime OPTIONAL,
463 usec[2] krb5int32 OPTIONAL,
464 seq-number[3] krb5uint32 OPTIONAL,
465 s-address[4] HostAddress OPTIONAL, -- sender's addr
466 r-address[5] HostAddress OPTIONAL -- recip's addr
469 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
471 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
472 tickets[2] SEQUENCE OF Ticket,
473 enc-part[3] EncryptedData
476 KrbCredInfo ::= SEQUENCE {
477 key[0] EncryptionKey,
478 prealm[1] Realm OPTIONAL,
479 pname[2] PrincipalName OPTIONAL,
480 flags[3] TicketFlags OPTIONAL,
481 authtime[4] KerberosTime OPTIONAL,
482 starttime[5] KerberosTime OPTIONAL,
483 endtime[6] KerberosTime OPTIONAL,
484 renew-till[7] KerberosTime OPTIONAL,
485 srealm[8] Realm OPTIONAL,
486 sname[9] PrincipalName OPTIONAL,
487 caddr[10] HostAddresses OPTIONAL
490 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
491 ticket-info[0] SEQUENCE OF KrbCredInfo,
492 nonce[1] krb5int32 OPTIONAL,
493 timestamp[2] KerberosTime OPTIONAL,
494 usec[3] krb5int32 OPTIONAL,
495 s-address[4] HostAddress OPTIONAL,
496 r-address[5] HostAddress OPTIONAL
499 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
501 msg-type[1] MESSAGE-TYPE,
502 ctime[2] KerberosTime OPTIONAL,
503 cusec[3] krb5int32 OPTIONAL,
504 stime[4] KerberosTime,
506 error-code[6] krb5int32,
507 crealm[7] Realm OPTIONAL,
508 cname[8] PrincipalName OPTIONAL,
509 realm[9] Realm, -- Correct realm
510 sname[10] PrincipalName, -- Correct name
511 e-text[11] GeneralString OPTIONAL,
512 e-data[12] OCTET STRING OPTIONAL
515 ChangePasswdDataMS ::= SEQUENCE {
516 newpasswd[0] OCTET STRING,
517 targname[1] PrincipalName OPTIONAL,
518 targrealm[2] Realm OPTIONAL
521 EtypeList ::= SEQUENCE OF krb5int32
522 -- the client's proposed enctype list in
523 -- decreasing preference order, favorite choice first
525 krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
527 -- transited encodings
529 DOMAIN-X500-COMPRESS krb5int32 ::= 1
531 -- authorization data primitives
533 AD-IF-RELEVANT ::= AuthorizationData
535 AD-KDCIssued ::= SEQUENCE {
536 ad-checksum[0] Checksum,
537 i-realm[1] Realm OPTIONAL,
538 i-sname[2] PrincipalName OPTIONAL,
539 elements[3] AuthorizationData
542 AD-AND-OR ::= SEQUENCE {
543 condition-count[0] INTEGER,
544 elements[1] AuthorizationData
547 AD-MANDATORY-FOR-KDC ::= AuthorizationData
549 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
551 PA-SAM-TYPE ::= INTEGER {
552 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
553 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
554 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
555 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
556 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
557 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
560 PA-SAM-REDIRECT ::= HostAddresses
562 SAMFlags ::= BIT STRING {
564 send-encrypted-sad(1),
565 must-pk-encrypt-sad(2)
568 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
569 sam-type[0] krb5int32,
570 sam-flags[1] SAMFlags,
571 sam-type-name[2] GeneralString OPTIONAL,
572 sam-track-id[3] GeneralString OPTIONAL,
573 sam-challenge-label[4] GeneralString OPTIONAL,
574 sam-challenge[5] GeneralString OPTIONAL,
575 sam-response-prompt[6] GeneralString OPTIONAL,
576 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
577 sam-nonce[8] krb5int32,
578 sam-etype[9] krb5int32,
582 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
583 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
584 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
588 PA-SAM-RESPONSE-2 ::= SEQUENCE {
589 sam-type[0] krb5int32,
590 sam-flags[1] SAMFlags,
591 sam-track-id[2] GeneralString OPTIONAL,
592 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
593 sam-nonce[4] krb5int32,
597 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
598 sam-nonce[0] krb5int32,
599 sam-sad[1] GeneralString OPTIONAL,
603 -- This is really part of CMS, but its here because KCRYPTO provides
604 -- the crypto framework for CMS glue in heimdal.
606 RC2CBCParameter ::= SEQUENCE {
607 rc2ParameterVersion krb5int32,
608 iv OCTET STRING -- exactly 8 octets
611 CBCParameter ::= OCTET STRING
616 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1