3 PKINIT DEFINITIONS ::= BEGIN -- PKINIT (RFC 4556) ASN.1 module; the *-Win2k types near the end are legacy pre-RFC compatibility variants
5 IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum FROM krb5 -- core Kerberos types from the RFC 4120 module
6 IssuerAndSerialNumber, ContentInfo FROM cms -- CMS types; most CMS payloads below are carried as opaque OCTET STRINGs rather than as ContentInfo
7 SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459 -- PKIX types; the terminating ';' of IMPORTS is on an elided line
10 id-pkinit OBJECT IDENTIFIER ::= -- 1.3.6.1.5.2.3, root arc for the PKINIT OIDs defined below
11 { iso (1) org (3) dod (6) internet (1) security (5)
12 kerberosv5 (2) pkinit (3) }
14 id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 } -- id-pkinit-authData in RFC 4556: CMS eContentType of the signed AuthPack
15 id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 } -- id-pkinit-DHKeyData: eContentType of the signed KDCDHKeyInfo
16 id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 } -- id-pkinit-rkeyData: eContentType of the signed ReplyKeyPack
17 id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 } -- id-pkinit-KPClientAuth: extended key usage a client certificate may carry
18 id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 } -- id-pkinit-KPKdc: extended key usage of a KDC certificate; clients check it (or local policy) so that only a real KDC can sign replies
20 id-pkinit-san OBJECT IDENTIFIER ::= -- otherName type-id for a KRB5PrincipalName in a certificate subjectAltName
21 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) -- final arc and closing brace are on an elided line
24 id-pkinit-ms-eku OBJECT IDENTIFIER ::= -- Microsoft smart card logon extended key usage, 1.3.6.1.4.1.311.20.2.2
25 { iso(1) org(3) dod(6) internet(1) private(4)
26 enterprise(1) microsoft(311) 20 2 2 }
28 id-pkinit-ms-san OBJECT IDENTIFIER ::= -- Microsoft UPN otherName type-id, 1.3.6.1.4.1.311.20.2.3; its value type is MS-UPN-SAN
29 { iso(1) org(3) dod(6) internet(1) private(4)
30 enterprise(1) microsoft(311) 20 2 3 }
32 MS-UPN-SAN ::= UTF8String -- user@realm style principal carried in a SAN otherName; an identity claim, trustworthy only after the chain validates to a CA the KDC trusts to issue that name
34 pa-pk-as-req INTEGER ::= 16 -- PA-DATA type number carrying a PA-PK-AS-REQ
35 pa-pk-as-rep INTEGER ::= 17 -- PA-DATA type number carrying a PA-PK-AS-REP
37 td-trusted-certifiers INTEGER ::= 104 -- TYPED-DATA type: CAs the KDC trusts (payload TD-TRUSTED-CERTIFIERS)
38 td-invalid-certificates INTEGER ::= 105 -- TYPED-DATA type: client certificates the KDC rejected (payload TD-INVALID-CERTIFICATES)
39 td-dh-parameters INTEGER ::= 109 -- TYPED-DATA type: DH groups the KDC accepts (payload TD-DH-PARAMETERS)
41 DHNonce ::= OCTET STRING -- fresh nonce mixed into the DH key derivation when a side reuses its DH value; no length bound in the schema
-- Reference to a trusted CA; presumably the older draft form, RFC 4556 uses ExternalPrincipalIdentifier below
43 TrustedCA ::= SEQUENCE {
44 caName [0] IMPLICIT OCTET STRING, -- DER encoded Name, opaque to this module and not validated by the decoder
45 certificateSerialNumber [1] INTEGER OPTIONAL,
46 subjectKeyIdentifier [2] OCTET STRING OPTIONAL, -- closing brace is on an elided line
-- Names a certificate (CA or client) by subject, issuer plus serial, or key identifier, each as an opaque DER blob
50 ExternalPrincipalIdentifier ::= SEQUENCE {
51 subjectName [0] IMPLICIT OCTET STRING OPTIONAL, -- DER encoded PKIX Name
52 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, -- DER encoded CMS IssuerAndSerialNumber
53 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, -- SubjectKeyIdentifier extension value; all three are OPTIONAL so an empty identifier decodes fine and code must reject it; closing brace elided
57 ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier -- may be empty; no size constraint
-- Client preauthentication data: the signed AuthPack plus optional hints about trusted CAs and the desired KDC certificate
59 PA-PK-AS-REQ ::= SEQUENCE {
60 signedAuthPack [0] IMPLICIT OCTET STRING, -- DER ContentInfo (CMS SignedData over AuthPack); opaque at this layer, so the CMS signature and certificate chain must be verified before any AuthPack field is trusted
61 trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL, -- CAs the client trusts for the KDC certificate
62 kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL, -- DER SignerIdentifier naming the KDC certificate the client wants used; a hint, not an authorization; closing brace elided
-- Freshness and request binding data inside the signed AuthPack
66 PKAuthenticator ::= SEQUENCE {
67 cusec [0] INTEGER -- (0..999999) --, -- microsecond part of ctime; the RFC range constraint is commented out, so the decoder accepts any INTEGER and callers must range check it themselves
68 ctime [1] KerberosTime, -- client time; the KDC compares it with its clock skew window as the replay defense
69 nonce [2] INTEGER (0..4294967295), -- 32 bit unsigned, echoed back in the reply; must be freshly random per request
70 paChecksum [3] OCTET STRING OPTIONAL, -- checksum over the KDC-REQ-BODY binding the signature to the request; OPTIONAL in the schema, so presence must be enforced in code; closing brace elided
-- Signed content of signedAuthPack (eContentType id-pkauthdata)
74 AuthPack ::= SEQUENCE {
75 pkAuthenticator [0] PKAuthenticator,
76 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, -- client DH public value; present in DH mode, absent means public key encryption mode
77 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL, -- CMS algorithms the client accepts; the KDC picks from this list
78 clientDHNonce [3] DHNonce OPTIONAL, -- see DHNonce; closing brace elided
82 TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers -- payload of TYPED-DATA type 104
83 TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers -- payload of TYPED-DATA type 105
-- Value of the id-pkinit-san otherName: the Kerberos principal a certificate asserts
85 KRB5PrincipalName ::= SEQUENCE {
87 principalName [1] PrincipalName -- a realm field (presumably tag [0]) and the closing brace are on elided lines; like MS-UPN-SAN this is a claim, trustworthy only with a validated chain from a CA authorized for that realm
90 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier -- authorization data recording which CAs the KDC verified during initial authentication
-- DH mode reply: the KDC's signed DH value
93 DHRepInfo ::= SEQUENCE {
94 dhSignedData [0] IMPLICIT OCTET STRING, -- DER ContentInfo (CMS SignedData over KDCDHKeyInfo); opaque here, so the client must verify the signature and the KDC certificate (id-pkkdcekuoid or local policy) before deriving the reply key
95 serverDHNonce [1] DHNonce OPTIONAL -- closing brace is on an elided line
98 PA-PK-AS-REP ::= CHOICE { -- the DH mode alternative (tag [0], DHRepInfo) is on an elided line
100 encKeyPack [1] IMPLICIT OCTET STRING, -- public key mode: DER ContentInfo (CMS EnvelopedData wrapping SignedData over ReplyKeyPack); closing brace elided
-- Signed content of dhSignedData (eContentType id-pkdhkeydata)
104 KDCDHKeyInfo ::= SEQUENCE {
105 subjectPublicKey [0] BIT STRING, -- KDC DH public value (DER INTEGER inside the BIT STRING); validate it against the group before use
106 nonce [1] INTEGER (0..4294967295), -- must equal the PKAuthenticator nonce of the request
107 dhKeyExpiration [2] KerberosTime OPTIONAL, -- last time the KDC's DH value may be reused; closing brace elided
-- Signed content of encKeyPack (eContentType id-pkrkeydata)
111 ReplyKeyPack ::= SEQUENCE {
112 replyKey [0] EncryptionKey, -- the AS reply key; its confidentiality comes only from the outer EnvelopedData
113 asChecksum [1] Checksum, -- keyed checksum over the AS-REQ using replyKey; the client must verify it to bind the reply to its request (ReplyKeyPack-Win2k below has only a nonce instead); closing brace elided
117 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier -- payload of TYPED-DATA type 109: DH groups the KDC accepts, returned when the client's group is rejected
120 -- Windows compat glue --
-- Legacy (pre-RFC 4556, Windows 2000) variant; note the signed nonce range and the fields missing versus PKAuthenticator
122 PKAuthenticator-Win2k ::= SEQUENCE {
123 kdcName [0] PrincipalName, -- a KDC realm field (presumably tag [1]) is on an elided line
125 cusec [2] INTEGER (0..4294967295),
126 ctime [3] KerberosTime,
127 nonce [4] INTEGER (-2147483648..2147483647) -- signed 32 bit, unlike the unsigned RFC nonce; there is no paChecksum, so this variant does not bind the request body; closing brace elided
130 AuthPack-Win2k ::= SEQUENCE {
131 pkAuthenticator [0] PKAuthenticator-Win2k,
132 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL -- no supportedCMSTypes or clientDHNonce in this variant; closing brace elided
136 TrustedCA-Win2k ::= CHOICE { -- a caName alternative (tag [0]) is on an elided line
138 issuerAndSerial [2] IssuerAndSerialNumber -- a decoded CMS type, not an opaque blob as in ExternalPrincipalIdentifier; closing brace elided
141 PA-PK-AS-REQ-Win2k ::= SEQUENCE {
142 signed-auth-pack [0] IMPLICIT OCTET STRING, -- DER ContentInfo (CMS SignedData over AuthPack-Win2k); same verify before trust rule as signedAuthPack
143 trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
144 kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL, -- opaque reference to the desired KDC certificate
145 encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL -- opaque; closing brace is on an elided line
148 PA-PK-AS-REP-Win2k ::= CHOICE {
149 dhSignedData [0] IMPLICIT OCTET STRING, -- DER ContentInfo (CMS SignedData over KDCDHKeyInfo-Win2k); no serverDHNonce in this variant
150 encKeyPack [1] IMPLICIT OCTET STRING -- DER ContentInfo (CMS EnvelopedData around signed ReplyKeyPack-Win2k); closing brace elided
154 KDCDHKeyInfo-Win2k ::= SEQUENCE {
155 nonce [0] INTEGER (-2147483648..2147483647), -- must match the PKAuthenticator-Win2k nonce; tag numbers and field order differ from KDCDHKeyInfo
156 subjectPublicKey [2] BIT STRING -- KDC DH public value; no dhKeyExpiration in this variant; closing brace elided
159 ReplyKeyPack-Win2k ::= SEQUENCE {
160 replyKey [0] EncryptionKey,
161 nonce [1] INTEGER (-2147483648..2147483647),