-- $Id: k5.asn1,v 1.28.2.1 2004/06/21 08:25:45 lha Exp $ KERBEROS5 DEFINITIONS ::= BEGIN NAME-TYPE ::= INTEGER { KRB5_NT_UNKNOWN(0), -- Name type not known KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt) KRB5_NT_SRV_HST(3), -- Service with host name as instance KRB5_NT_SRV_XHST(4), -- Service with host as remaining components KRB5_NT_UID(5), -- Unique ID KRB5_NT_X500_PRINCIPAL(6) -- PKINIT } -- message types MESSAGE-TYPE ::= INTEGER { krb-as-req(10), -- Request for initial authentication krb-as-rep(11), -- Response to KRB_AS_REQ request krb-tgs-req(12), -- Request for authentication based on TGT krb-tgs-rep(13), -- Response to KRB_TGS_REQ request krb-ap-req(14), -- application request to server krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL krb-safe(20), -- Safe (checksummed) application message krb-priv(21), -- Private (encrypted) application message krb-cred(22), -- Private (encrypted) message to forward credentials krb-error(30) -- Error response } -- pa-data types PADATA-TYPE ::= INTEGER { KRB5-PADATA-NONE(0), KRB5-PADATA-TGS-REQ(1), KRB5-PADATA-AP-REQ(1), KRB5-PADATA-ENC-TIMESTAMP(2), KRB5-PADATA-PW-SALT(3), KRB5-PADATA-ENC-UNIX-TIME(5), KRB5-PADATA-SANDIA-SECUREID(6), KRB5-PADATA-SESAME(7), KRB5-PADATA-OSF-DCE(8), KRB5-PADATA-CYBERSAFE-SECUREID(9), KRB5-PADATA-AFS3-SALT(10), KRB5-PADATA-ETYPE-INFO(11), KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT) KRB5-PADATA-PK-AS-REP(15), -- (PKINIT) KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT) KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT) KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT) KRB5-PADATA-ETYPE-INFO2(19), KRB5-PADATA-USE-SPECIFIED-KVNO(20), KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) KRB5-PADATA-GET-FROM-TYPED-DATA(22), KRB5-PADATA-SAM-ETYPE-INFO(23) } -- checksumtypes CKSUMTYPE ::= INTEGER { CKSUMTYPE_NONE(0), CKSUMTYPE_CRC32(1), CKSUMTYPE_RSA_MD4(2), CKSUMTYPE_RSA_MD4_DES(3), CKSUMTYPE_DES_MAC(4), CKSUMTYPE_DES_MAC_K(5), CKSUMTYPE_RSA_MD4_DES_K(6), CKSUMTYPE_RSA_MD5(7), CKSUMTYPE_RSA_MD5_DES(8), CKSUMTYPE_RSA_MD5_DES3(9), CKSUMTYPE_HMAC_SHA1_96_AES_128(10), CKSUMTYPE_HMAC_SHA1_96_AES_256(11), CKSUMTYPE_HMAC_SHA1_DES3(12), CKSUMTYPE_SHA1(1000), -- correct value? 10 (9 also) CKSUMTYPE_GSSAPI(0x8003), CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial } --enctypes ENCTYPE ::= INTEGER { ETYPE_NULL(0), ETYPE_DES_CBC_CRC(1), ETYPE_DES_CBC_MD4(2), ETYPE_DES_CBC_MD5(3), ETYPE_DES3_CBC_MD5(5), ETYPE_OLD_DES3_CBC_SHA1(7), ETYPE_SIGN_DSA_GENERATE(8), ETYPE_ENCRYPT_RSA_PRIV(9), ETYPE_ENCRYPT_RSA_PUB(10), ETYPE_DES3_CBC_SHA1(16), -- with key derivation ETYPE_AES128_CTS_HMAC_SHA1_96(17), ETYPE_AES256_CTS_HMAC_SHA1_96(18), ETYPE_ARCFOUR_HMAC_MD5(23), ETYPE_ARCFOUR_HMAC_MD5_56(24), ETYPE_ENCTYPE_PK_CROSS(48), -- these are for Heimdal internal use ETYPE_DES_CBC_NONE(-0x1000), ETYPE_DES3_CBC_NONE(-0x1001), ETYPE_DES_CFB64_NONE(-0x1002), ETYPE_DES_PCBC_NONE(-0x1003) } -- this is sugar to make something ASN1 does not have: unsigned UNSIGNED ::= INTEGER (0..4294967295) Realm ::= GeneralString PrincipalName ::= SEQUENCE { name-type[0] NAME-TYPE, name-string[1] SEQUENCE OF GeneralString } -- this is not part of RFC1510 Principal ::= SEQUENCE { name[0] PrincipalName, realm[1] Realm } HostAddress ::= SEQUENCE { addr-type[0] INTEGER, address[1] OCTET STRING } -- This is from RFC1510. -- -- HostAddresses ::= SEQUENCE OF SEQUENCE { -- addr-type[0] INTEGER, -- address[1] OCTET STRING -- } -- This seems much better. HostAddresses ::= SEQUENCE OF HostAddress KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z) AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type[0] INTEGER, ad-data[1] OCTET STRING } APOptions ::= BIT STRING { reserved(0), use-session-key(1), mutual-required(2) } TicketFlags ::= BIT STRING { reserved(0), forwardable(1), forwarded(2), proxiable(3), proxy(4), may-postdate(5), postdated(6), invalid(7), renewable(8), initial(9), pre-authent(10), hw-authent(11), transited-policy-checked(12), ok-as-delegate(13), anonymous(14) } KDCOptions ::= BIT STRING { reserved(0), forwardable(1), forwarded(2), proxiable(3), proxy(4), allow-postdate(5), postdated(6), unused7(7), renewable(8), unused9(9), unused10(10), unused11(11), request-anonymous(14), canonicalize(15), disable-transited-check(26), renewable-ok(27), enc-tkt-in-skey(28), renew(30), validate(31) } LR-TYPE ::= INTEGER { LR_NONE(0), -- no information LR_INITIAL_TGT(1), -- last initial TGT request LR_INITIAL(2), -- last initial request LR_ISSUE_USE_TGT(3), -- time of newest TGT used LR_RENEWAL(4), -- time of last renewal LR_REQUEST(5), -- time of last request (of any type) LR_PW_EXPTIME(6), -- expiration time of password LR_ACCT_EXPTIME(7) -- expiration time of account } LastReq ::= SEQUENCE OF SEQUENCE { lr-type[0] LR-TYPE, lr-value[1] KerberosTime } EncryptedData ::= SEQUENCE { etype[0] ENCTYPE, -- EncryptionType kvno[1] INTEGER OPTIONAL, cipher[2] OCTET STRING -- ciphertext } EncryptionKey ::= SEQUENCE { keytype[0] INTEGER, keyvalue[1] OCTET STRING } -- encoded Transited field TransitedEncoding ::= SEQUENCE { tr-type[0] INTEGER, -- must be registered contents[1] OCTET STRING } Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno[0] INTEGER, realm[1] Realm, sname[2] PrincipalName, enc-part[3] EncryptedData } -- Encrypted part of ticket EncTicketPart ::= [APPLICATION 3] SEQUENCE { flags[0] TicketFlags, key[1] EncryptionKey, crealm[2] Realm, cname[3] PrincipalName, transited[4] TransitedEncoding, authtime[5] KerberosTime, starttime[6] KerberosTime OPTIONAL, endtime[7] KerberosTime, renew-till[8] KerberosTime OPTIONAL, caddr[9] HostAddresses OPTIONAL, authorization-data[10] AuthorizationData OPTIONAL } Checksum ::= SEQUENCE { cksumtype[0] CKSUMTYPE, checksum[1] OCTET STRING } Authenticator ::= [APPLICATION 2] SEQUENCE { authenticator-vno[0] INTEGER, crealm[1] Realm, cname[2] PrincipalName, cksum[3] Checksum OPTIONAL, cusec[4] INTEGER, ctime[5] KerberosTime, subkey[6] EncryptionKey OPTIONAL, seq-number[7] UNSIGNED OPTIONAL, authorization-data[8] AuthorizationData OPTIONAL } PA-DATA ::= SEQUENCE { -- might be encoded AP-REQ padata-type[1] PADATA-TYPE, padata-value[2] OCTET STRING } ETYPE-INFO-ENTRY ::= SEQUENCE { etype[0] ENCTYPE, salt[1] OCTET STRING OPTIONAL, salttype[2] INTEGER OPTIONAL } ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY METHOD-DATA ::= SEQUENCE OF PA-DATA KDC-REQ-BODY ::= SEQUENCE { kdc-options[0] KDCOptions, cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ realm[2] Realm, -- Server's realm -- Also client's in AS-REQ sname[3] PrincipalName OPTIONAL, from[4] KerberosTime OPTIONAL, till[5] KerberosTime OPTIONAL, rtime[6] KerberosTime OPTIONAL, nonce[7] INTEGER, etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType, -- in preference order addresses[9] HostAddresses OPTIONAL, enc-authorization-data[10] EncryptedData OPTIONAL, -- Encrypted AuthorizationData encoding additional-tickets[11] SEQUENCE OF Ticket OPTIONAL } KDC-REQ ::= SEQUENCE { pvno[1] INTEGER, msg-type[2] MESSAGE-TYPE, padata[3] METHOD-DATA OPTIONAL, req-body[4] KDC-REQ-BODY } AS-REQ ::= [APPLICATION 10] KDC-REQ TGS-REQ ::= [APPLICATION 12] KDC-REQ -- padata-type ::= PA-ENC-TIMESTAMP -- padata-value ::= EncryptedData - PA-ENC-TS-ENC PA-ENC-TS-ENC ::= SEQUENCE { patimestamp[0] KerberosTime, -- client's time pausec[1] INTEGER OPTIONAL } KDC-REP ::= SEQUENCE { pvno[0] INTEGER, msg-type[1] MESSAGE-TYPE, padata[2] METHOD-DATA OPTIONAL, crealm[3] Realm, cname[4] PrincipalName, ticket[5] Ticket, enc-part[6] EncryptedData } AS-REP ::= [APPLICATION 11] KDC-REP TGS-REP ::= [APPLICATION 13] KDC-REP EncKDCRepPart ::= SEQUENCE { key[0] EncryptionKey, last-req[1] LastReq, nonce[2] INTEGER, key-expiration[3] KerberosTime OPTIONAL, flags[4] TicketFlags, authtime[5] KerberosTime, starttime[6] KerberosTime OPTIONAL, endtime[7] KerberosTime, renew-till[8] KerberosTime OPTIONAL, srealm[9] Realm, sname[10] PrincipalName, caddr[11] HostAddresses OPTIONAL } EncASRepPart ::= [APPLICATION 25] EncKDCRepPart EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno[0] INTEGER, msg-type[1] MESSAGE-TYPE, ap-options[2] APOptions, ticket[3] Ticket, authenticator[4] EncryptedData } AP-REP ::= [APPLICATION 15] SEQUENCE { pvno[0] INTEGER, msg-type[1] MESSAGE-TYPE, enc-part[2] EncryptedData } EncAPRepPart ::= [APPLICATION 27] SEQUENCE { ctime[0] KerberosTime, cusec[1] INTEGER, subkey[2] EncryptionKey OPTIONAL, seq-number[3] UNSIGNED OPTIONAL } KRB-SAFE-BODY ::= SEQUENCE { user-data[0] OCTET STRING, timestamp[1] KerberosTime OPTIONAL, usec[2] INTEGER OPTIONAL, seq-number[3] UNSIGNED OPTIONAL, s-address[4] HostAddress OPTIONAL, r-address[5] HostAddress OPTIONAL } KRB-SAFE ::= [APPLICATION 20] SEQUENCE { pvno[0] INTEGER, msg-type[1] MESSAGE-TYPE, safe-body[2] KRB-SAFE-BODY, cksum[3] Checksum } KRB-PRIV ::= [APPLICATION 21] SEQUENCE { pvno[0] INTEGER, msg-type[1] MESSAGE-TYPE, enc-part[3] EncryptedData } EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { user-data[0] OCTET STRING, timestamp[1] KerberosTime OPTIONAL, usec[2] INTEGER OPTIONAL, seq-number[3] UNSIGNED OPTIONAL, s-address[4] HostAddress OPTIONAL, -- sender's addr r-address[5] HostAddress OPTIONAL -- recip's addr } KRB-CRED ::= [APPLICATION 22] SEQUENCE { pvno[0] INTEGER, msg-type[1] MESSAGE-TYPE, -- KRB_CRED tickets[2] SEQUENCE OF Ticket, enc-part[3] EncryptedData } KrbCredInfo ::= SEQUENCE { key[0] EncryptionKey, prealm[1] Realm OPTIONAL, pname[2] PrincipalName OPTIONAL, flags[3] TicketFlags OPTIONAL, authtime[4] KerberosTime OPTIONAL, starttime[5] KerberosTime OPTIONAL, endtime[6] KerberosTime OPTIONAL, renew-till[7] KerberosTime OPTIONAL, srealm[8] Realm OPTIONAL, sname[9] PrincipalName OPTIONAL, caddr[10] HostAddresses OPTIONAL } EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { ticket-info[0] SEQUENCE OF KrbCredInfo, nonce[1] INTEGER OPTIONAL, timestamp[2] KerberosTime OPTIONAL, usec[3] INTEGER OPTIONAL, s-address[4] HostAddress OPTIONAL, r-address[5] HostAddress OPTIONAL } KRB-ERROR ::= [APPLICATION 30] SEQUENCE { pvno[0] INTEGER, msg-type[1] MESSAGE-TYPE, ctime[2] KerberosTime OPTIONAL, cusec[3] INTEGER OPTIONAL, stime[4] KerberosTime, susec[5] INTEGER, error-code[6] INTEGER, crealm[7] Realm OPTIONAL, cname[8] PrincipalName OPTIONAL, realm[9] Realm, -- Correct realm sname[10] PrincipalName, -- Correct name e-text[11] GeneralString OPTIONAL, e-data[12] OCTET STRING OPTIONAL } ChangePasswdDataMS ::= SEQUENCE { newpasswd[0] OCTET STRING, targname[1] PrincipalName OPTIONAL, targrealm[2] Realm OPTIONAL } pvno INTEGER ::= 5 -- current Kerberos protocol version number -- transited encodings DOMAIN-X500-COMPRESS INTEGER ::= 1 END -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1