1 PKINIT DEFINITIONS ::= BEGIN
3 IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData
5 IMPORTS SignedData, EnvelopedData FROM CMS;
6 IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509;
11 CertPrincipalName ::= SEQUENCE {
13 name-string[1] SEQUENCE OF UTF8String
20 TrustedCertifiers ::= SEQUENCE OF PrincipalName
21 -- X.500 name encoded as a principal name
23 CertificateIndex ::= INTEGER
24 -- 0 = 1st certificate,
25 -- (in order of encoding)
26 -- 1 = 2nd certificate, etc
28 PA-PK-AS-REP ::= CHOICE {
30 dhSignedData[0] SignedData,
31 -- Defined in CMS and used only with
32 -- Diffie-Hellman key exchange (if the
33 -- client public value was present in the
35 -- This choice MUST be supported
36 -- by compliant implementations.
37 encKeyPack[1] EnvelopedData
39 -- The temporary key is encrypted
40 -- using the client public key
42 -- SignedReplyKeyPack, encrypted
43 -- with the temporary key, is also
49 KdcDHKeyInfo ::= SEQUENCE {
50 -- used only when utilizing Diffie-Hellman
52 -- binds responce to the request
53 subjectPublicKey[2] BIT STRING
54 -- Equals public exponent (g^a mod p)
55 -- INTEGER encoded as payload of
59 ReplyKeyPack ::= SEQUENCE {
60 -- not used for Diffie-Hellman
61 replyKey[0] EncryptionKey,
62 -- used to encrypt main reply
63 -- ENCTYPE is at least as strong as
64 -- ENCTYPE of session key
66 -- binds response to the request
67 -- must be same as the nonce
68 -- passed in the PKAuthenticator
71 -- subjectAltName EXTENSION ::= {
72 -- SYNTAX GeneralNames
73 -- IDENTIFIED BY id-ce-subjectAltName
76 OtherName ::= SEQUENCE {
77 type-id OBJECT IDENTIFIER,
79 -- value[0] EXPLICIT ANY DEFINED BY type-id
82 GeneralName ::= CHOICE {
83 otherName [0] OtherName,
87 GeneralNames ::= SEQUENCE -- SIZE(1..MAX)
90 KerberosName ::= SEQUENCE {
92 -- as defined in RFC 1510
93 principalName[1] CertPrincipalName
98 -- krb5 OBJECT IDENTIFIER ::= {
99 -- iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2)
102 -- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
107 IssuerAndSerialNumber ::= SEQUENCE {
109 serialNumber CertificateSerialNumber
112 TrustedCas ::= CHOICE {
113 principalName[0] KerberosName,
116 -- fully qualified X.500 name
117 -- as defined by X.509
118 issuerAndSerial[2] IssuerAndSerialNumber
119 -- Since a CA may have a number of
120 -- certificates, only one of which
124 PA-PK-AS-REQ ::= SEQUENCE {
126 signedAuthPack[0] SignedData,
127 -- defined in CMS [11]
128 -- AuthPack (below) defines the data
130 trustedCertifiers[1] SEQUENCE OF TrustedCas OPTIONAL,
131 -- CAs that the client trusts
132 kdcCert[2] IssuerAndSerialNumber OPTIONAL,
133 -- as defined in CMS [11]
134 -- specifies a particular KDC
135 -- certificate if the client
137 encryptionCert[3] IssuerAndSerialNumber OPTIONAL
138 -- For example, this may be the
139 -- client's Diffie-Hellman
140 -- certificate, or it may be the
141 -- client's RSA encryption
145 PKAuthenticator ::= SEQUENCE {
146 kdcName[0] PrincipalName,
149 -- for replay prevention as in RFC1510
150 ctime[3] KerberosTime,
151 -- for replay prevention as in RFC1510
155 -- This is the real definition of AlgorithmIdentifier
156 -- AlgorithmIdentifier ::= SEQUENCE {
157 -- algorithm ALGORITHM.&id,
158 -- parameters ALGORITHM.&Type
159 -- } -- as specified by the X.509 recommendation[10]
161 -- But we'll use this one instead:
163 AlgorithmIdentifier ::= SEQUENCE {
164 algorithm OBJECT IDENTIFIER,
172 SubjectPublicKeyInfo ::= SEQUENCE {
173 algorithm AlgorithmIdentifier,
175 subjectPublicKey BIT STRING
177 -- public exponent (INTEGER encoded
178 -- as payload of BIT STRING)
179 } -- as specified by the X.509 recommendation[10]
181 AuthPack ::= SEQUENCE {
182 pkAuthenticator[0] PKAuthenticator,
183 clientPublicValue[1] SubjectPublicKeyInfo OPTIONAL
184 -- if client is using Diffie-Hellman
185 -- (ephemeral-ephemeral only)