Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE.

[FreeBSD/releng/7.2.git] / crypto / heimdal / lib / asn1 / k5.asn1

-- $Id: k5.asn1,v 1.28.2.1 2004/06/21 08:25:45 lha Exp $

KERBEROS5 DEFINITIONS ::=
BEGIN

NAME-TYPE ::= INTEGER {
        KRB5_NT_UNKNOWN(0),     -- Name type not known
        KRB5_NT_PRINCIPAL(1),   -- Just the name of the principal as in
        KRB5_NT_SRV_INST(2),    -- Service and other unique instance (krbtgt)
        KRB5_NT_SRV_HST(3),     -- Service with host name as instance
        KRB5_NT_SRV_XHST(4),    -- Service with host as remaining components
        KRB5_NT_UID(5),         -- Unique ID
        KRB5_NT_X500_PRINCIPAL(6) -- PKINIT
}

-- message types

MESSAGE-TYPE ::= INTEGER {
        krb-as-req(10), -- Request for initial authentication
        krb-as-rep(11), -- Response to KRB_AS_REQ request
        krb-tgs-req(12), -- Request for authentication based on TGT
        krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
        krb-ap-req(14), -- application request to server
        krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
        krb-safe(20), -- Safe (checksummed) application message
        krb-priv(21), -- Private (encrypted) application message
        krb-cred(22), -- Private (encrypted) message to forward credentials
        krb-error(30) -- Error response
}


-- pa-data types

PADATA-TYPE ::= INTEGER {
        KRB5-PADATA-NONE(0),
        KRB5-PADATA-TGS-REQ(1),
        KRB5-PADATA-AP-REQ(1),
        KRB5-PADATA-ENC-TIMESTAMP(2),
        KRB5-PADATA-PW-SALT(3),
        KRB5-PADATA-ENC-UNIX-TIME(5),
        KRB5-PADATA-SANDIA-SECUREID(6),
        KRB5-PADATA-SESAME(7),
        KRB5-PADATA-OSF-DCE(8),
        KRB5-PADATA-CYBERSAFE-SECUREID(9),
        KRB5-PADATA-AFS3-SALT(10),
        KRB5-PADATA-ETYPE-INFO(11),
        KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
        KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
        KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT)
        KRB5-PADATA-PK-AS-REP(15), -- (PKINIT)
        KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT)
        KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT)
        KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT)
        KRB5-PADATA-ETYPE-INFO2(19),
        KRB5-PADATA-USE-SPECIFIED-KVNO(20),
        KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
        KRB5-PADATA-GET-FROM-TYPED-DATA(22),
        KRB5-PADATA-SAM-ETYPE-INFO(23)
}

-- checksumtypes

CKSUMTYPE ::= INTEGER {
        CKSUMTYPE_NONE(0),
        CKSUMTYPE_CRC32(1),
        CKSUMTYPE_RSA_MD4(2),
        CKSUMTYPE_RSA_MD4_DES(3),
        CKSUMTYPE_DES_MAC(4),
        CKSUMTYPE_DES_MAC_K(5),
        CKSUMTYPE_RSA_MD4_DES_K(6),
        CKSUMTYPE_RSA_MD5(7),
        CKSUMTYPE_RSA_MD5_DES(8),
        CKSUMTYPE_RSA_MD5_DES3(9),
        CKSUMTYPE_HMAC_SHA1_96_AES_128(10),
        CKSUMTYPE_HMAC_SHA1_96_AES_256(11),
        CKSUMTYPE_HMAC_SHA1_DES3(12),
        CKSUMTYPE_SHA1(1000),           -- correct value? 10 (9 also)
        CKSUMTYPE_GSSAPI(0x8003),
        CKSUMTYPE_HMAC_MD5(-138),       -- unofficial microsoft number
        CKSUMTYPE_HMAC_MD5_ENC(-1138)   -- even more unofficial
}

--enctypes
ENCTYPE ::= INTEGER {
        ETYPE_NULL(0),
        ETYPE_DES_CBC_CRC(1),
        ETYPE_DES_CBC_MD4(2),
        ETYPE_DES_CBC_MD5(3),
        ETYPE_DES3_CBC_MD5(5),
        ETYPE_OLD_DES3_CBC_SHA1(7),
        ETYPE_SIGN_DSA_GENERATE(8),
        ETYPE_ENCRYPT_RSA_PRIV(9),
        ETYPE_ENCRYPT_RSA_PUB(10),
        ETYPE_DES3_CBC_SHA1(16),        -- with key derivation
        ETYPE_AES128_CTS_HMAC_SHA1_96(17),
        ETYPE_AES256_CTS_HMAC_SHA1_96(18),
        ETYPE_ARCFOUR_HMAC_MD5(23),
        ETYPE_ARCFOUR_HMAC_MD5_56(24),
        ETYPE_ENCTYPE_PK_CROSS(48),
-- these are for Heimdal internal use
        ETYPE_DES_CBC_NONE(-0x1000),
        ETYPE_DES3_CBC_NONE(-0x1001),
        ETYPE_DES_CFB64_NONE(-0x1002),
        ETYPE_DES_PCBC_NONE(-0x1003)
}

-- this is sugar to make something ASN1 does not have: unsigned

UNSIGNED ::= INTEGER (0..4294967295)

Realm ::= GeneralString
PrincipalName ::= SEQUENCE {
        name-type[0]            NAME-TYPE,
        name-string[1]          SEQUENCE OF GeneralString
}

-- this is not part of RFC1510
Principal ::= SEQUENCE {
        name[0]                 PrincipalName,
        realm[1]                Realm
}

HostAddress ::= SEQUENCE  {
        addr-type[0]            INTEGER,
        address[1]              OCTET STRING
}

-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
--      addr-type[0]            INTEGER,
--      address[1]              OCTET STRING
-- }

-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress


KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

AuthorizationData ::= SEQUENCE OF SEQUENCE {
        ad-type[0]              INTEGER,
        ad-data[1]              OCTET STRING
}

APOptions ::= BIT STRING {
        reserved(0),
        use-session-key(1),
        mutual-required(2)
}

TicketFlags ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        may-postdate(5),
        postdated(6),
        invalid(7),
        renewable(8),
        initial(9),
        pre-authent(10),
        hw-authent(11),
        transited-policy-checked(12),
        ok-as-delegate(13),
        anonymous(14)
}

KDCOptions ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        allow-postdate(5),
        postdated(6),
        unused7(7),
        renewable(8),
        unused9(9),
        unused10(10),
        unused11(11),
        request-anonymous(14),
        canonicalize(15),
        disable-transited-check(26),
        renewable-ok(27),
        enc-tkt-in-skey(28),
        renew(30),
        validate(31)
}

LR-TYPE ::= INTEGER {
        LR_NONE(0),             -- no information
        LR_INITIAL_TGT(1),      -- last initial TGT request
        LR_INITIAL(2),          -- last initial request
        LR_ISSUE_USE_TGT(3),    -- time of newest TGT used
        LR_RENEWAL(4),          -- time of last renewal
        LR_REQUEST(5),          -- time of last request (of any type)
        LR_PW_EXPTIME(6),       -- expiration time of password
        LR_ACCT_EXPTIME(7)      -- expiration time of account
}

LastReq ::= SEQUENCE OF SEQUENCE {
        lr-type[0]              LR-TYPE,
        lr-value[1]             KerberosTime
}


EncryptedData ::= SEQUENCE {
        etype[0]                ENCTYPE, -- EncryptionType
        kvno[1]                 INTEGER OPTIONAL,
        cipher[2]               OCTET STRING -- ciphertext
}

EncryptionKey ::= SEQUENCE {
        keytype[0]              INTEGER,
        keyvalue[1]             OCTET STRING
}

-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
        tr-type[0]              INTEGER, -- must be registered
        contents[1]             OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
        tkt-vno[0]              INTEGER,
        realm[1]                Realm,
        sname[2]                PrincipalName,
        enc-part[3]             EncryptedData
}
-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
        flags[0]                TicketFlags,
        key[1]                  EncryptionKey,
        crealm[2]               Realm,
        cname[3]                PrincipalName,
        transited[4]            TransitedEncoding,
        authtime[5]             KerberosTime,
        starttime[6]            KerberosTime OPTIONAL,
        endtime[7]              KerberosTime,
        renew-till[8]           KerberosTime OPTIONAL,
        caddr[9]                HostAddresses OPTIONAL,
        authorization-data[10]  AuthorizationData OPTIONAL
}

Checksum ::= SEQUENCE {
        cksumtype[0]            CKSUMTYPE,
        checksum[1]             OCTET STRING
}

Authenticator ::= [APPLICATION 2] SEQUENCE    {
        authenticator-vno[0]    INTEGER,
        crealm[1]               Realm,
        cname[2]                PrincipalName,
        cksum[3]                Checksum OPTIONAL,
        cusec[4]                INTEGER,
        ctime[5]                KerberosTime,
        subkey[6]               EncryptionKey OPTIONAL,
        seq-number[7]           UNSIGNED OPTIONAL,
        authorization-data[8]   AuthorizationData OPTIONAL
        }

PA-DATA ::= SEQUENCE {
        -- might be encoded AP-REQ
        padata-type[1]          PADATA-TYPE,
        padata-value[2]         OCTET STRING
}

ETYPE-INFO-ENTRY ::= SEQUENCE {
        etype[0]                ENCTYPE,
        salt[1]                 OCTET STRING OPTIONAL,
        salttype[2]             INTEGER OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

METHOD-DATA ::= SEQUENCE OF PA-DATA

KDC-REQ-BODY ::= SEQUENCE {
        kdc-options[0]          KDCOptions,
        cname[1]                PrincipalName OPTIONAL, -- Used only in AS-REQ
        realm[2]                Realm,  -- Server's realm
                                        -- Also client's in AS-REQ
        sname[3]                PrincipalName OPTIONAL,
        from[4]                 KerberosTime OPTIONAL,
        till[5]                 KerberosTime OPTIONAL,
        rtime[6]                KerberosTime OPTIONAL,
        nonce[7]                INTEGER,
        etype[8]                SEQUENCE OF ENCTYPE, -- EncryptionType,
                                        -- in preference order
        addresses[9]            HostAddresses OPTIONAL,
        enc-authorization-data[10] EncryptedData OPTIONAL,
                                        -- Encrypted AuthorizationData encoding
        additional-tickets[11]  SEQUENCE OF Ticket OPTIONAL
}

KDC-REQ ::= SEQUENCE {
        pvno[1]                 INTEGER,
        msg-type[2]             MESSAGE-TYPE,
        padata[3]               METHOD-DATA OPTIONAL,
        req-body[4]             KDC-REQ-BODY
}

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC

PA-ENC-TS-ENC ::= SEQUENCE {
        patimestamp[0]          KerberosTime, -- client's time
        pausec[1]               INTEGER OPTIONAL
}

KDC-REP ::= SEQUENCE {
        pvno[0]                 INTEGER,
        msg-type[1]             MESSAGE-TYPE,
        padata[2]               METHOD-DATA OPTIONAL,
        crealm[3]               Realm,
        cname[4]                PrincipalName,
        ticket[5]               Ticket,
        enc-part[6]             EncryptedData
}

AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP

EncKDCRepPart ::= SEQUENCE {
        key[0]                  EncryptionKey,
        last-req[1]             LastReq,
        nonce[2]                INTEGER,
        key-expiration[3]       KerberosTime OPTIONAL,
        flags[4]                TicketFlags,
        authtime[5]             KerberosTime,
        starttime[6]            KerberosTime OPTIONAL,
        endtime[7]              KerberosTime,
        renew-till[8]           KerberosTime OPTIONAL,
        srealm[9]               Realm,
        sname[10]               PrincipalName,
        caddr[11]               HostAddresses OPTIONAL
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

AP-REQ ::= [APPLICATION 14] SEQUENCE {
        pvno[0]                 INTEGER,
        msg-type[1]             MESSAGE-TYPE,
        ap-options[2]           APOptions,
        ticket[3]               Ticket,
        authenticator[4]        EncryptedData
}

AP-REP ::= [APPLICATION 15] SEQUENCE {
        pvno[0]                 INTEGER,
        msg-type[1]             MESSAGE-TYPE,
        enc-part[2]             EncryptedData
}

EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
        ctime[0]                KerberosTime,
        cusec[1]                INTEGER,
        subkey[2]               EncryptionKey OPTIONAL,
        seq-number[3]           UNSIGNED OPTIONAL
}

KRB-SAFE-BODY ::= SEQUENCE {
        user-data[0]            OCTET STRING,
        timestamp[1]            KerberosTime OPTIONAL,
        usec[2]                 INTEGER OPTIONAL,
        seq-number[3]           UNSIGNED OPTIONAL,
        s-address[4]            HostAddress OPTIONAL,
        r-address[5]            HostAddress OPTIONAL
}

KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
        pvno[0]                 INTEGER,
        msg-type[1]             MESSAGE-TYPE,
        safe-body[2]            KRB-SAFE-BODY,
        cksum[3]                Checksum
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
        pvno[0]                 INTEGER,
        msg-type[1]             MESSAGE-TYPE,
        enc-part[3]             EncryptedData
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
        user-data[0]            OCTET STRING,
        timestamp[1]            KerberosTime OPTIONAL,
        usec[2]                 INTEGER OPTIONAL,
        seq-number[3]           UNSIGNED OPTIONAL,
        s-address[4]            HostAddress OPTIONAL, -- sender's addr
        r-address[5]            HostAddress OPTIONAL  -- recip's addr
}

KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
        pvno[0]                 INTEGER,
        msg-type[1]             MESSAGE-TYPE, -- KRB_CRED
        tickets[2]              SEQUENCE OF Ticket,
        enc-part[3]             EncryptedData
}

KrbCredInfo ::= SEQUENCE {
        key[0]                  EncryptionKey,
        prealm[1]               Realm OPTIONAL,
        pname[2]                PrincipalName OPTIONAL,
        flags[3]                TicketFlags OPTIONAL,
        authtime[4]             KerberosTime OPTIONAL,
        starttime[5]            KerberosTime OPTIONAL,
        endtime[6]              KerberosTime OPTIONAL,
        renew-till[7]           KerberosTime OPTIONAL,
        srealm[8]               Realm OPTIONAL,
        sname[9]                PrincipalName OPTIONAL,
        caddr[10]               HostAddresses OPTIONAL
}

EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
        ticket-info[0]          SEQUENCE OF KrbCredInfo,
        nonce[1]                INTEGER OPTIONAL,
        timestamp[2]            KerberosTime OPTIONAL,
        usec[3]                 INTEGER OPTIONAL,
        s-address[4]            HostAddress OPTIONAL,
        r-address[5]            HostAddress OPTIONAL
}

KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
        pvno[0]                 INTEGER,
        msg-type[1]             MESSAGE-TYPE,
        ctime[2]                KerberosTime OPTIONAL,
        cusec[3]                INTEGER OPTIONAL,
        stime[4]                KerberosTime,
        susec[5]                INTEGER,
        error-code[6]           INTEGER,
        crealm[7]               Realm OPTIONAL,
        cname[8]                PrincipalName OPTIONAL,
        realm[9]                Realm, -- Correct realm
        sname[10]               PrincipalName, -- Correct name
        e-text[11]              GeneralString OPTIONAL,
        e-data[12]              OCTET STRING OPTIONAL
}

ChangePasswdDataMS ::= SEQUENCE {
        newpasswd[0]            OCTET STRING,
        targname[1]             PrincipalName OPTIONAL,
        targrealm[2]            Realm OPTIONAL
}

pvno INTEGER ::= 5 -- current Kerberos protocol version number

-- transited encodings

DOMAIN-X500-COMPRESS    INTEGER ::= 1

END

-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1