1 -- $Id: k5.asn1,v 1.28.2.1 2004/06/21 08:25:45 lha Exp $
3 KERBEROS5 DEFINITIONS ::=
6 NAME-TYPE ::= INTEGER {
7 KRB5_NT_UNKNOWN(0), -- Name type not known
8 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal, as in DCE, or for users
9 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
10 KRB5_NT_SRV_HST(3), -- Service with host name as instance
11 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
12 KRB5_NT_UID(5), -- Unique ID
13 KRB5_NT_X500_PRINCIPAL(6) -- PKINIT
18 MESSAGE-TYPE ::= INTEGER {
19 krb-as-req(10), -- Request for initial authentication
20 krb-as-rep(11), -- Response to KRB_AS_REQ request
21 krb-tgs-req(12), -- Request for authentication based on TGT
22 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
23 krb-ap-req(14), -- application request to server
24 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
25 krb-safe(20), -- Safe (checksummed) application message
26 krb-priv(21), -- Private (encrypted) application message
27 krb-cred(22), -- Private (encrypted) message to forward credentials
28 krb-error(30) -- Error response
34 PADATA-TYPE ::= INTEGER { -- pre-authentication data type; selects how the opaque PA-DATA padata-value octets are interpreted
36 KRB5-PADATA-TGS-REQ(1), -- padata-value is a DER-encoded AP-REQ authenticating a TGS-REQ
37 KRB5-PADATA-AP-REQ(1), -- same code point as TGS-REQ by design (RFC 4120 registers only pa-tgs-req = 1)
38 KRB5-PADATA-ENC-TIMESTAMP(2), -- padata-value is an EncryptedData whose plaintext is PA-ENC-TS-ENC (see below)
39 KRB5-PADATA-PW-SALT(3),
40 KRB5-PADATA-ENC-UNIX-TIME(5),
41 KRB5-PADATA-SANDIA-SECUREID(6),
42 KRB5-PADATA-SESAME(7),
43 KRB5-PADATA-OSF-DCE(8),
44 KRB5-PADATA-CYBERSAFE-SECUREID(9),
45 KRB5-PADATA-AFS3-SALT(10),
46 KRB5-PADATA-ETYPE-INFO(11), -- padata-value is ETYPE-INFO (see below); NOTE(review): carried in KRB-ERROR e-data or KDC-REP padata, neither of which is authenticated, so the salts and etype hints are attacker-influenceable
47 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
48 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
49 KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT)
50 KRB5-PADATA-PK-AS-REP(15), -- (PKINIT)
51 KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT)
52 KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT)
53 KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT)
54 KRB5-PADATA-ETYPE-INFO2(19), -- successor to ETYPE-INFO; same trust caveat applies
55 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
56 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
57 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
58 KRB5-PADATA-SAM-ETYPE-INFO(23)
63 CKSUMTYPE ::= INTEGER { -- checksum type numbers; a value listed here can be decoded, whether it may be accepted is a policy decision made by the consumer
67 CKSUMTYPE_RSA_MD4_DES(3), -- NOTE(review): 3, 5, 6, 8 and 9 are single-DES or DES3 based legacy types; RFC 6649 and RFC 8429 deprecate DES and DES3, keep these decode-only where possible
69 CKSUMTYPE_DES_MAC_K(5),
70 CKSUMTYPE_RSA_MD4_DES_K(6),
72 CKSUMTYPE_RSA_MD5_DES(8),
73 CKSUMTYPE_RSA_MD5_DES3(9),
74 CKSUMTYPE_HMAC_SHA1_96_AES_128(10), -- NOTE(review): RFC 3962 assigns hmac-sha1-96-aes128 and aes256 the numbers 15 and 16; 10 and 11 here look like draft-era values, check how they are mapped before relying on them with RFC 3962 peers
75 CKSUMTYPE_HMAC_SHA1_96_AES_256(11),
76 CKSUMTYPE_HMAC_SHA1_DES3(12), -- hmac-sha1-des3-kd (RFC 3961), keyed
77 CKSUMTYPE_SHA1(1000), -- Heimdal-private number for unkeyed SHA-1; RFC 3961 lists unkeyed sha1 under 10 and 14, and 10 is already used above. Unkeyed, so it gives no integrity against an active attacker
78 CKSUMTYPE_GSSAPI(0x8003), -- GSS-API authenticator checksum (RFC 1964, RFC 4121 sec 4.1.1): channel bindings and flags, not a keyed MAC
79 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number; hmac-md5 as used with the ARCFOUR-HMAC etypes (RFC 4757)
80 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
89 ETYPE_DES3_CBC_MD5(5),
90 ETYPE_OLD_DES3_CBC_SHA1(7),
91 ETYPE_SIGN_DSA_GENERATE(8),
92 ETYPE_ENCRYPT_RSA_PRIV(9),
93 ETYPE_ENCRYPT_RSA_PUB(10),
94 ETYPE_DES3_CBC_SHA1(16), -- with key derivation
95 ETYPE_AES128_CTS_HMAC_SHA1_96(17),
96 ETYPE_AES256_CTS_HMAC_SHA1_96(18),
97 ETYPE_ARCFOUR_HMAC_MD5(23),
98 ETYPE_ARCFOUR_HMAC_MD5_56(24),
99 ETYPE_ENCTYPE_PK_CROSS(48),
100 -- these are for Heimdal internal use only: negative, unregistered numbers that should never be accepted from the wire
101 ETYPE_DES_CBC_NONE(-0x1000),
102 ETYPE_DES3_CBC_NONE(-0x1001),
103 ETYPE_DES_CFB64_NONE(-0x1002),
104 ETYPE_DES_PCBC_NONE(-0x1003)
107 -- ASN.1 has no unsigned integer type; this constrained INTEGER subtype stands in for a 32-bit unsigned value
109 UNSIGNED ::= INTEGER (0..4294967295) -- 32-bit unsigned range, used for the seq-number fields below; NOTE(review): decoders should reject out-of-range values rather than wrap them
111 Realm ::= GeneralString -- realm name (GeneralString, as in RFC 1510)
112 PrincipalName ::= SEQUENCE {
113 name-type[0] NAME-TYPE,
114 name-string[1] SEQUENCE OF GeneralString
117 -- Principal is a Heimdal-local type, not part of RFC 1510; no protocol message below references it
118 Principal ::= SEQUENCE {
119 name[0] PrincipalName,
123 HostAddress ::= SEQUENCE {
124 addr-type[0] INTEGER,
125 address[1] OCTET STRING
128 -- This is from RFC1510.
130 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
131 -- addr-type[0] INTEGER,
132 -- address[1] OCTET STRING
135 -- Naming the element type (HostAddress) instead is identical on the wire and lets KRB-SAFE-BODY and EncKrbPrivPart reuse a single HostAddress
136 HostAddresses ::= SEQUENCE OF HostAddress -- same encoding as the RFC 1510 inline form above; see HostAddress
139 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
141 AuthorizationData ::= SEQUENCE OF SEQUENCE {
143 ad-data[1] OCTET STRING
146 APOptions ::= BIT STRING {
152 TicketFlags ::= BIT STRING {
165 transited-policy-checked(12),
170 KDCOptions ::= BIT STRING {
183 request-anonymous(14),
185 disable-transited-check(26),
192 LR-TYPE ::= INTEGER {
193 LR_NONE(0), -- no information
194 LR_INITIAL_TGT(1), -- last initial TGT request
195 LR_INITIAL(2), -- last initial request
196 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
197 LR_RENEWAL(4), -- time of last renewal
198 LR_REQUEST(5), -- time of last request (of any type)
199 LR_PW_EXPTIME(6), -- expiration time of password
200 LR_ACCT_EXPTIME(7) -- expiration time of account
203 LastReq ::= SEQUENCE OF SEQUENCE {
205 lr-value[1] KerberosTime
209 EncryptedData ::= SEQUENCE { -- ciphertext plus the parameters a receiver needs to pick the decryption key
210 etype[0] ENCTYPE, -- EncryptionType; NOTE(review): untrusted on receipt, the decoder should check it against the etypes it is willing to use before looking up a key
211 kvno[1] INTEGER OPTIONAL, -- key version number, when the key has one
212 cipher[2] OCTET STRING -- ciphertext
215 EncryptionKey ::= SEQUENCE {
217 keyvalue[1] OCTET STRING
220 -- encoded Transited field
221 TransitedEncoding ::= SEQUENCE {
222 tr-type[0] INTEGER, -- must be registered
223 contents[1] OCTET STRING
226 Ticket ::= [APPLICATION 1] SEQUENCE {
229 sname[2] PrincipalName,
230 enc-part[3] EncryptedData
232 -- Encrypted part of ticket
233 EncTicketPart ::= [APPLICATION 3] SEQUENCE { -- plaintext of Ticket.enc-part (see Ticket above)
234 flags[0] TicketFlags,
235 key[1] EncryptionKey, -- session key shared between client and service
237 cname[3] PrincipalName, -- client the ticket was issued to; NOTE(review): acceptors should compare this with the Authenticator cname
238 transited[4] TransitedEncoding, -- realms traversed for cross-realm tickets; NOTE(review): transit policy is the service's job unless the KDC set transited-policy-checked (TicketFlags bit 12 above)
239 authtime[5] KerberosTime,
240 starttime[6] KerberosTime OPTIONAL,
241 endtime[7] KerberosTime, -- NOTE(review): acceptors should check starttime (when present) and endtime against local time with clock-skew tolerance
242 renew-till[8] KerberosTime OPTIONAL,
243 caddr[9] HostAddresses OPTIONAL, -- addresses the ticket may be used from, when the KDC recorded any
244 authorization-data[10] AuthorizationData OPTIONAL -- opaque ad-type / ad-data elements (see AuthorizationData above)
247 Checksum ::= SEQUENCE {
248 cksumtype[0] CKSUMTYPE,
249 checksum[1] OCTET STRING
252 Authenticator ::= [APPLICATION 2] SEQUENCE { -- plaintext of AP-REQ.authenticator (see AP-REQ below)
253 authenticator-vno[0] INTEGER, -- version of the authenticator format, 5 (see pvno at the end of the module)
255 cname[2] PrincipalName, -- NOTE(review): acceptors must compare this with the cname inside the decrypted ticket, the two have to agree
256 cksum[3] Checksum OPTIONAL, -- application checksum; for GSS-API this is the CKSUMTYPE_GSSAPI (0x8003) structure
258 ctime[5] KerberosTime, -- client time; together with the microseconds field it keys replay detection (RFC 4120 sec 3.2.3)
259 subkey[6] EncryptionKey OPTIONAL, -- client-chosen subsession key, used in preference to the ticket session key when present
260 seq-number[7] UNSIGNED OPTIONAL, -- initial sequence number for KRB-SAFE / KRB-PRIV from the client
261 authorization-data[8] AuthorizationData OPTIONAL -- client-supplied restrictions on the session
264 PA-DATA ::= SEQUENCE {
265 -- padata-value is opaque here; its interpretation is selected by padata-type (e.g. a DER-encoded AP-REQ for KRB5-PADATA-TGS-REQ / AP-REQ)
266 padata-type[1] PADATA-TYPE,
267 padata-value[2] OCTET STRING
270 ETYPE-INFO-ENTRY ::= SEQUENCE {
272 salt[1] OCTET STRING OPTIONAL,
273 salttype[2] INTEGER OPTIONAL
276 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY -- value of padata type KRB5-PADATA-ETYPE-INFO (see above)
278 METHOD-DATA ::= SEQUENCE OF PA-DATA -- padata list of KDC-REQ and KDC-REP; also what a KRB-ERROR e-data carries when the KDC asks for pre-authentication
280 KDC-REQ-BODY ::= SEQUENCE { -- request body shared by AS-REQ and TGS-REQ
281 kdc-options[0] KDCOptions,
282 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
283 realm[2] Realm, -- Server's realm
284 -- Also client's in AS-REQ
285 sname[3] PrincipalName OPTIONAL,
286 from[4] KerberosTime OPTIONAL,
287 till[5] KerberosTime OPTIONAL,
288 rtime[6] KerberosTime OPTIONAL,
290 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
291 -- in the client's preference order; NOTE(review): in an AS-REQ this list is unauthenticated, so the KDC should apply its own etype policy rather than simply honour the first entry
292 addresses[9] HostAddresses OPTIONAL,
293 enc-authorization-data[10] EncryptedData OPTIONAL,
294 -- Encrypted AuthorizationData encoding
295 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -- extra tickets some request types need; opaque to this definition
298 KDC-REQ ::= SEQUENCE {
300 msg-type[2] MESSAGE-TYPE,
301 padata[3] METHOD-DATA OPTIONAL,
302 req-body[4] KDC-REQ-BODY
305 AS-REQ ::= [APPLICATION 10] KDC-REQ -- same body as TGS-REQ; told apart by the APPLICATION tag and msg-type (krb-as-req 10)
306 TGS-REQ ::= [APPLICATION 12] KDC-REQ -- msg-type krb-tgs-req (12); authenticated by the AP-REQ in its padata
308 -- For padata-type KRB5-PADATA-ENC-TIMESTAMP the padata-value is a DER-encoded
309 -- EncryptedData whose plaintext is a PA-ENC-TS-ENC, encrypted under the client's long-term key
311 PA-ENC-TS-ENC ::= SEQUENCE { -- encrypted-timestamp pre-authentication plaintext (padata type KRB5-PADATA-ENC-TIMESTAMP above)
312 patimestamp[0] KerberosTime, -- client's time; NOTE(review): the KDC should enforce clock skew and replay detection on this, as it is what demonstrates possession of the key
313 pausec[1] INTEGER OPTIONAL -- microseconds, disambiguates requests within the same second
316 KDC-REP ::= SEQUENCE {
318 msg-type[1] MESSAGE-TYPE,
319 padata[2] METHOD-DATA OPTIONAL,
321 cname[4] PrincipalName,
323 enc-part[6] EncryptedData
326 AS-REP ::= [APPLICATION 11] KDC-REP -- msg-type krb-as-rep (11); enc-part plaintext is EncASRepPart
327 TGS-REP ::= [APPLICATION 13] KDC-REP -- msg-type krb-tgs-rep (13); enc-part plaintext is EncTGSRepPart
329 EncKDCRepPart ::= SEQUENCE { -- plaintext of KDC-REP.enc-part; for AS-REP decrypted with the client's key, for TGS-REP with the TGT session key or subkey
330 key[0] EncryptionKey, -- session key for the ticket being returned
333 key-expiration[3] KerberosTime OPTIONAL, -- expiry of the client's key (password)
334 flags[4] TicketFlags, -- copy of the flags inside the issued ticket
335 authtime[5] KerberosTime,
336 starttime[6] KerberosTime OPTIONAL,
337 endtime[7] KerberosTime,
338 renew-till[8] KerberosTime OPTIONAL,
340 sname[10] PrincipalName, -- NOTE(review): clients should check this against the sname they requested before trusting the ticket
341 caddr[11] HostAddresses OPTIONAL
344 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart -- distinct tags (25 / 26) for AS and TGS reply plaintext
345 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart -- NOTE(review): RFC 4120 sec 5.4.2 notes some implementations send tag 26 inside an AS-REP; decoders may need to tolerate it
347 AP-REQ ::= [APPLICATION 14] SEQUENCE {
349 msg-type[1] MESSAGE-TYPE,
350 ap-options[2] APOptions,
352 authenticator[4] EncryptedData
355 AP-REP ::= [APPLICATION 15] SEQUENCE {
357 msg-type[1] MESSAGE-TYPE,
358 enc-part[2] EncryptedData
361 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
362 ctime[0] KerberosTime,
364 subkey[2] EncryptionKey OPTIONAL,
365 seq-number[3] UNSIGNED OPTIONAL
368 KRB-SAFE-BODY ::= SEQUENCE {
369 user-data[0] OCTET STRING,
370 timestamp[1] KerberosTime OPTIONAL,
371 usec[2] INTEGER OPTIONAL,
372 seq-number[3] UNSIGNED OPTIONAL,
373 s-address[4] HostAddress OPTIONAL,
374 r-address[5] HostAddress OPTIONAL
377 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
379 msg-type[1] MESSAGE-TYPE,
380 safe-body[2] KRB-SAFE-BODY,
384 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
386 msg-type[1] MESSAGE-TYPE,
387 enc-part[3] EncryptedData
389 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
390 user-data[0] OCTET STRING,
391 timestamp[1] KerberosTime OPTIONAL,
392 usec[2] INTEGER OPTIONAL,
393 seq-number[3] UNSIGNED OPTIONAL,
394 s-address[4] HostAddress OPTIONAL, -- sender's addr
395 r-address[5] HostAddress OPTIONAL -- recip's addr
398 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
400 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
401 tickets[2] SEQUENCE OF Ticket,
402 enc-part[3] EncryptedData
405 KrbCredInfo ::= SEQUENCE {
406 key[0] EncryptionKey,
407 prealm[1] Realm OPTIONAL,
408 pname[2] PrincipalName OPTIONAL,
409 flags[3] TicketFlags OPTIONAL,
410 authtime[4] KerberosTime OPTIONAL,
411 starttime[5] KerberosTime OPTIONAL,
412 endtime[6] KerberosTime OPTIONAL,
413 renew-till[7] KerberosTime OPTIONAL,
414 srealm[8] Realm OPTIONAL,
415 sname[9] PrincipalName OPTIONAL,
416 caddr[10] HostAddresses OPTIONAL
419 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
420 ticket-info[0] SEQUENCE OF KrbCredInfo,
421 nonce[1] INTEGER OPTIONAL,
422 timestamp[2] KerberosTime OPTIONAL,
423 usec[3] INTEGER OPTIONAL,
424 s-address[4] HostAddress OPTIONAL,
425 r-address[5] HostAddress OPTIONAL
428 KRB-ERROR ::= [APPLICATION 30] SEQUENCE { -- NOTE(review): no checksum or encrypted part, so nothing in a KRB-ERROR is authenticated
430 msg-type[1] MESSAGE-TYPE, -- krb-error (30)
431 ctime[2] KerberosTime OPTIONAL,
432 cusec[3] INTEGER OPTIONAL,
433 stime[4] KerberosTime, -- server time
435 error-code[6] INTEGER,
436 crealm[7] Realm OPTIONAL,
437 cname[8] PrincipalName OPTIONAL,
438 realm[9] Realm, -- Correct realm
439 sname[10] PrincipalName, -- Correct name
440 e-text[11] GeneralString OPTIONAL, -- free text; NOTE(review): treat as untrusted input when logging or displaying it
441 e-data[12] OCTET STRING OPTIONAL -- error-specific payload; typically a DER-encoded METHOD-DATA when the KDC asks for pre-authentication
444 ChangePasswdDataMS ::= SEQUENCE { -- payload of the Microsoft change/set password protocol (RFC 3244)
445 newpasswd[0] OCTET STRING, -- cleartext new password; NOTE(review): sensitive, zero the decoded buffer as soon as it has been consumed
446 targname[1] PrincipalName OPTIONAL, -- principal whose password is being set when it is not the requester's own
447 targrealm[2] Realm OPTIONAL -- realm of targname
450 pvno INTEGER ::= 5 -- current Kerberos protocol version number; the value expected in the version fields of the messages above (e.g. authenticator-vno)
452 -- transited encodings
454 DOMAIN-X500-COMPRESS INTEGER ::= 1 -- the tr-type of TransitedEncoding (see above) defined by RFC 1510 / RFC 4120
458 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1