1 -- $Id: k5.asn1,v 1.27 2002/09/03 17:32:09 joda Exp $
3 KERBEROS5 DEFINITIONS ::=
-- Name-type values carried in PrincipalName.name-type[0]. They classify how
-- name-string is to be read; per RFC 1510 the name-type is only a hint, so a
-- principal comparison should rest on realm and name-string, not on it.
6 NAME-TYPE ::= INTEGER {
7 KRB5_NT_UNKNOWN(0), -- Name type not known
8 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
9 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
10 KRB5_NT_SRV_HST(3), -- Service with host name as instance
11 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
12 KRB5_NT_UID(5), -- Unique ID
13 KRB5_NT_X500_PRINCIPAL(6) -- PKINIT
-- Message-type values. Every message repeats its type in a msg-type element
-- ([2] in KDC-REQ; [1] in KDC-REP, AP-REQ, AP-REP, KRB-SAFE, KRB-PRIV,
-- KRB-CRED and KRB-ERROR) in addition to its outer APPLICATION tag. A decoder
-- should require the two to agree instead of trusting either one alone.
18 MESSAGE-TYPE ::= INTEGER {
19 krb-as-req(10), -- Request for initial authentication
20 krb-as-rep(11), -- Response to KRB_AS_REQ request
21 krb-tgs-req(12), -- Request for authentication based on TGT
22 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
23 krb-ap-req(14), -- application request to server
24 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
25 krb-safe(20), -- Safe (checksummed) application message
26 krb-priv(21), -- Private (encrypted) application message
27 krb-cred(22), -- Private (encrypted) message to forward credentials
28 krb-error(30) -- Error response
-- Pre-authentication data types, carried in PA-DATA.padata-type[1].
-- KRB5-PADATA-TGS-REQ and KRB5-PADATA-AP-REQ deliberately share value 1
-- (see the PA-DATA comment: the value may be an encoded AP-REQ); values 4
-- and 19 are not assigned in this list. Which of these a KDC actually
-- accepts is a policy matter, not something this schema decides.
34 PADATA-TYPE ::= INTEGER {
36 KRB5-PADATA-TGS-REQ(1),
37 KRB5-PADATA-AP-REQ(1),
38 KRB5-PADATA-ENC-TIMESTAMP(2),
39 KRB5-PADATA-PW-SALT(3),
40 KRB5-PADATA-ENC-UNIX-TIME(5),
41 KRB5-PADATA-SANDIA-SECUREID(6),
42 KRB5-PADATA-SESAME(7),
43 KRB5-PADATA-OSF-DCE(8),
44 KRB5-PADATA-CYBERSAFE-SECUREID(9),
45 KRB5-PADATA-AFS3-SALT(10),
46 KRB5-PADATA-ETYPE-INFO(11),
47 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
48 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
49 KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT)
50 KRB5-PADATA-PK-AS-REP(15), -- (PKINIT)
51 KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT)
52 KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT)
53 KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT)
54 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
55 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
56 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
57 KRB5-PADATA-SAM-ETYPE-INFO(23)
-- Checksum types, carried in Checksum.cksumtype[0]. Several entries (source
-- lines 63 to 65, 67 and 70) are not shown in this rendering. The MD4/MD5 and
-- DES based types (3, 5, 6, 8, 9) and the 3DES type (12) are legacy
-- algorithms, deprecated by RFC 6649 (DES) and RFC 8429 (3DES and RC4);
-- HMAC_MD5(-138) is the RC4 checksum. A verifier should choose the checksum
-- algorithm from the key it holds and reject a cksumtype that is unkeyed or
-- does not belong to that key type, rather than honouring whatever the peer
-- asserts in the message.
62 CKSUMTYPE ::= INTEGER {
66 CKSUMTYPE_RSA_MD4_DES(3),
68 CKSUMTYPE_DES_MAC_K(5),
69 CKSUMTYPE_RSA_MD4_DES_K(6),
71 CKSUMTYPE_RSA_MD5_DES(8),
72 CKSUMTYPE_RSA_MD5_DES3(9),
73 -- CKSUMTYPE_SHA1(10),
74 CKSUMTYPE_HMAC_SHA1_DES3(12),
75 CKSUMTYPE_SHA1(1000), -- correct value? 10 (9 also)
76 CKSUMTYPE_GSSAPI(0x8003),
77 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
78 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
-- Body of the ENCTYPE enumeration; its header and the entries below value 5
-- (presumably the single-DES types) are not shown in this rendering. These
-- values appear in EncryptedData.etype[0] and in the KDC-REQ-BODY.etype[8]
-- preference list. The DES3 types (5, 7, 16) and ARCFOUR types (23, 24) are
-- deprecated by RFC 8429; 24 is the 56-bit export-strength variant. Which of
-- these a KDC or server is willing to negotiate is a local policy decision
-- and should not simply follow the client's preference order. The negative
-- values below are, per the author's comment, internal to Heimdal and are
-- not expected on the wire (confirm against the consumers of this module).
87 ETYPE_DES3_CBC_MD5(5),
88 ETYPE_OLD_DES3_CBC_SHA1(7),
89 ETYPE_SIGN_DSA_GENERATE(8),
90 ETYPE_ENCRYPT_RSA_PRIV(9),
91 ETYPE_ENCRYPT_RSA_PUB(10),
92 ETYPE_DES3_CBC_SHA1(16), -- with key derivation
93 ETYPE_ARCFOUR_HMAC_MD5(23),
94 ETYPE_ARCFOUR_HMAC_MD5_56(24),
95 ETYPE_ENCTYPE_PK_CROSS(48),
96 -- these are for Heimdal internal use
97 ETYPE_DES_CBC_NONE(-0x1000),
98 ETYPE_DES3_CBC_NONE(-0x1001),
99 ETYPE_DES_CFB64_NONE(-0x1002),
100 ETYPE_DES_PCBC_NONE(-0x1003)
103 -- this is sugar to make something ASN1 does not have: unsigned
-- 32-bit unsigned range; used by the seq-number elements of Authenticator,
-- EncAPRepPart, KRB-SAFE-BODY and EncKrbPrivPart.
105 UNSIGNED ::= INTEGER (0..4294967295)
-- Basic naming and addressing types.
107 Realm ::= GeneralString
-- name-string is an unbounded SEQUENCE OF: the schema sets no limit on the
-- number or length of components, so a decoder fed untrusted input has to
-- enforce its own bounds.
108 PrincipalName ::= SEQUENCE {
109 name-type[0] NAME-TYPE,
110 name-string[1] SEQUENCE OF GeneralString
-- Principal: only its name[0] element is shown in this rendering.
113 -- this is not part of RFC1510
114 Principal ::= SEQUENCE {
115 name[0] PrincipalName,
-- addr-type and address are unconstrained here; the consumer must check the
-- address length against what addr-type implies before using it.
119 HostAddress ::= SEQUENCE {
120 addr-type[0] INTEGER,
121 address[1] OCTET STRING
-- The RFC 1510 form below and the HostAddress based form after it produce
-- the same encoding; naming HostAddress just lets s-address / r-address
-- reuse it.
124 -- This is from RFC1510.
126 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
127 -- addr-type[0] INTEGER,
128 -- address[1] OCTET STRING
131 -- This seems much better.
132 HostAddresses ::= SEQUENCE OF HostAddress
-- KerberosTime is a GeneralizedTime restricted to UTC (trailing Z). Time
-- comparisons across messages assume clocks synchronised within the
-- implementation's allowed skew.
135 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
-- AuthorizationData: the ad-type[0] element (RFC 1510) is not shown in this
-- rendering. ad-data is opaque to this schema and is interpreted by ad-type.
137 AuthorizationData ::= SEQUENCE OF SEQUENCE {
139 ad-data[1] OCTET STRING
-- Only a few named bits of APOptions, TicketFlags and KDCOptions survive in
-- this rendering. Of the visible ones, transited-policy-checked(12) in a
-- ticket records that the KDC checked the cross-realm transit path, and
-- disable-transited-check(26) is, by name, a client request to skip that
-- check; whether the KDC honours it should be a policy decision, and the
-- resulting ticket flag lets the application server decide for itself.
142 APOptions ::= BIT STRING {
148 TicketFlags ::= BIT STRING {
161 transited-policy-checked(12),
166 KDCOptions ::= BIT STRING {
179 request-anonymous(14),
181 disable-transited-check(26),
-- Last-request types. The lr-type[0] element of LastReq (not shown in this
-- rendering) carries one of these values next to lr-value[1].
188 LR-TYPE ::= INTEGER {
189 LR_NONE(0), -- no information
190 LR_INITIAL_TGT(1), -- last initial TGT request
191 LR_INITIAL(2), -- last initial request
192 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
193 LR_RENEWAL(4), -- time of last renewal
194 LR_REQUEST(5), -- time of last request (of any type)
195 LR_PW_EXPTIME(6), -- expiration time of password
196 LR_ACCT_EXPTIME(7) -- expiration time of account
199 LastReq ::= SEQUENCE OF SEQUENCE {
201 lr-value[1] KerberosTime
-- EncryptedData: etype names the algorithm, kvno (OPTIONAL, so receivers must
-- cope with its absence) the key version, cipher the opaque ciphertext. A
-- decryptor should derive the algorithm from the key it intends to use and
-- treat a mismatching etype as an error rather than switch algorithms on the
-- peer's say-so.
205 EncryptedData ::= SEQUENCE {
206 etype[0] ENCTYPE, -- EncryptionType
207 kvno[1] INTEGER OPTIONAL,
208 cipher[2] OCTET STRING -- ciphertext
-- EncryptionKey: its keytype[0] element is not shown in this rendering.
211 EncryptionKey ::= SEQUENCE {
213 keyvalue[1] OCTET STRING
-- TransitedEncoding: tr-type selects how contents is encoded;
-- DOMAIN-X500-COMPRESS (defined at the end of this module) is the value
-- registered here.
216 -- encoded Transited field
217 TransitedEncoding ::= SEQUENCE {
218 tr-type[0] INTEGER, -- must be registered
219 contents[1] OCTET STRING
-- Ticket: the elements at tags [0] and [1] (tkt-vno and realm in RFC 1510)
-- are not shown in this rendering. Only enc-part is protected; sname is a
-- cleartext hint used to locate the service key.
222 Ticket ::= [APPLICATION 1] SEQUENCE {
225 sname[2] PrincipalName,
226 enc-part[3] EncryptedData
-- EncTicketPart: the element at tag [2] (crealm in RFC 1510) is not shown.
-- A server takes the client identity, flags and lifetime from these
-- decrypted fields, never from the cleartext Ticket header or the AP-REQ.
-- endtime (and starttime when present, otherwise authtime per RFC 1510) is
-- checked against the local clock within the allowed skew; caddr, when
-- present, restricts the addresses the ticket may be used from.
228 -- Encrypted part of ticket
229 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
230 flags[0] TicketFlags,
231 key[1] EncryptionKey,
233 cname[3] PrincipalName,
234 transited[4] TransitedEncoding,
235 authtime[5] KerberosTime,
236 starttime[6] KerberosTime OPTIONAL,
237 endtime[7] KerberosTime,
238 renew-till[8] KerberosTime OPTIONAL,
239 caddr[9] HostAddresses OPTIONAL,
240 authorization-data[10] AuthorizationData OPTIONAL
-- Checksum: cksumtype names the algorithm (see CKSUMTYPE), checksum is the
-- opaque value.
243 Checksum ::= SEQUENCE {
244 cksumtype[0] CKSUMTYPE,
245 checksum[1] OCTET STRING
-- Authenticator: the elements at tags [1] and [4] (crealm and cusec in
-- RFC 1510) are not shown in this rendering. Per RFC 1510 cname must match
-- the client name in the decrypted ticket, and ctime (with cusec) serves
-- both as the clock-skew check and as the replay-cache key, so a repeat
-- inside the skew window is to be rejected. subkey and seq-number seed the
-- KRB-SAFE / KRB-PRIV protection that follows the exchange.
248 Authenticator ::= [APPLICATION 2] SEQUENCE {
249 authenticator-vno[0] INTEGER,
251 cname[2] PrincipalName,
252 cksum[3] Checksum OPTIONAL,
254 ctime[5] KerberosTime,
255 subkey[6] EncryptionKey OPTIONAL,
256 seq-number[7] UNSIGNED OPTIONAL,
257 authorization-data[8] AuthorizationData OPTIONAL
-- PA-DATA: note that the tags start at [1]. padata-value is opaque and is
-- interpreted according to padata-type (see PADATA-TYPE).
260 PA-DATA ::= SEQUENCE {
261 -- might be encoded AP-REQ
262 padata-type[1] PADATA-TYPE,
263 padata-value[2] OCTET STRING
-- ETYPE-INFO-ENTRY: its etype[0] element is not shown in this rendering.
-- salt and salttype steer the client's string-to-key step; when they arrive
-- in an unauthenticated KRB-ERROR the client should still apply its own
-- etype preferences instead of accepting a weaker type than it requested.
266 ETYPE-INFO-ENTRY ::= SEQUENCE {
268 salt[1] OCTET STRING OPTIONAL,
269 salttype[2] INTEGER OPTIONAL
272 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
-- METHOD-DATA is the list form used for padata in KDC-REQ and KDC-REP.
274 METHOD-DATA ::= SEQUENCE OF PA-DATA
-- KDC-REQ-BODY: the nonce[7] element is not shown in this rendering.
-- etype[8] is the client's preference list; the KDC picks from it under its
-- own policy and must not be steered to a weak type merely because the
-- client listed it first. additional-tickets is used for user-to-user style
-- requests and enc-authorization-data is encrypted under the session key or
-- subkey of the accompanying AP-REQ (both per RFC 1510).
276 KDC-REQ-BODY ::= SEQUENCE {
277 kdc-options[0] KDCOptions,
278 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
279 realm[2] Realm, -- Server's realm
280 -- Also client's in AS-REQ
281 sname[3] PrincipalName OPTIONAL,
282 from[4] KerberosTime OPTIONAL,
283 till[5] KerberosTime OPTIONAL,
284 rtime[6] KerberosTime OPTIONAL,
286 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
287 -- in preference order
288 addresses[9] HostAddresses OPTIONAL,
289 enc-authorization-data[10] EncryptedData OPTIONAL,
290 -- Encrypted AuthorizationData encoding
291 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
-- KDC-REQ: the pvno[1] element is not shown; tags start at [1]. AS-REQ and
-- TGS-REQ differ only in their APPLICATION tag and msg-type value
-- (krb-as-req(10) / krb-tgs-req(12)).
294 KDC-REQ ::= SEQUENCE {
296 msg-type[2] MESSAGE-TYPE,
297 padata[3] METHOD-DATA OPTIONAL,
298 req-body[4] KDC-REQ-BODY
301 AS-REQ ::= [APPLICATION 10] KDC-REQ
302 TGS-REQ ::= [APPLICATION 12] KDC-REQ
-- Encrypted-timestamp pre-authentication: the client proves knowledge of its
-- key by encrypting its current time. The KDC should accept it only within
-- the allowed clock skew and treat a repeated timestamp like any other
-- replay.
304 -- padata-type ::= PA-ENC-TIMESTAMP
305 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
307 PA-ENC-TS-ENC ::= SEQUENCE {
308 patimestamp[0] KerberosTime, -- client's time
309 pausec[1] INTEGER OPTIONAL
-- KDC-REP: the pvno[0], crealm[3] and ticket[5] elements are not shown in
-- this rendering. cname here is cleartext; the authoritative copies live in
-- the ticket and in enc-part.
312 KDC-REP ::= SEQUENCE {
314 msg-type[1] MESSAGE-TYPE,
315 padata[2] METHOD-DATA OPTIONAL,
317 cname[4] PrincipalName,
319 enc-part[6] EncryptedData
322 AS-REP ::= [APPLICATION 11] KDC-REP
323 TGS-REP ::= [APPLICATION 13] KDC-REP
-- EncKDCRepPart: the last-req[1], nonce[2] and srealm[9] elements are not
-- shown. Before caching the ticket a client should check that the nonce,
-- sname, flags and times it decrypts here match what it requested.
325 EncKDCRepPart ::= SEQUENCE {
326 key[0] EncryptionKey,
329 key-expiration[3] KerberosTime OPTIONAL,
330 flags[4] TicketFlags,
331 authtime[5] KerberosTime,
332 starttime[6] KerberosTime OPTIONAL,
333 endtime[7] KerberosTime,
334 renew-till[8] KerberosTime OPTIONAL,
336 sname[10] PrincipalName,
337 caddr[11] HostAddresses OPTIONAL
340 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
341 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-- AP-REQ: the pvno[0] and ticket[3] elements are not shown in this
-- rendering. authenticator is an EncryptedData under the ticket session key
-- (RFC 1510), so it can only be checked once the ticket has been decrypted
-- and validated.
343 AP-REQ ::= [APPLICATION 14] SEQUENCE {
345 msg-type[1] MESSAGE-TYPE,
346 ap-options[2] APOptions,
348 authenticator[4] EncryptedData
-- AP-REP: pvno[0] is not shown. EncAPRepPart (cusec[1] not shown) echoes the
-- authenticator's ctime/cusec for mutual authentication and may hand back a
-- server subkey and initial seq-number.
351 AP-REP ::= [APPLICATION 15] SEQUENCE {
353 msg-type[1] MESSAGE-TYPE,
354 enc-part[2] EncryptedData
357 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
358 ctime[0] KerberosTime,
360 subkey[2] EncryptionKey OPTIONAL,
361 seq-number[3] UNSIGNED OPTIONAL
-- KRB-SAFE carries user-data in the clear with integrity protection only;
-- the cksum element of KRB-SAFE (tag [3]) is not shown in this rendering.
-- timestamp, usec and seq-number are the replay / ordering fields and the
-- two addresses bind the message to sender and recipient.
364 KRB-SAFE-BODY ::= SEQUENCE {
365 user-data[0] OCTET STRING,
366 timestamp[1] KerberosTime OPTIONAL,
367 usec[2] INTEGER OPTIONAL,
368 seq-number[3] UNSIGNED OPTIONAL,
369 s-address[4] HostAddress OPTIONAL,
370 r-address[5] HostAddress OPTIONAL
373 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
375 msg-type[1] MESSAGE-TYPE,
376 safe-body[2] KRB-SAFE-BODY,
-- KRB-PRIV: pvno[0] is not shown. Unlike KRB-SAFE the body is encrypted;
-- EncKrbPrivPart mirrors KRB-SAFE-BODY field for field.
380 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
382 msg-type[1] MESSAGE-TYPE,
383 enc-part[3] EncryptedData
385 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
386 user-data[0] OCTET STRING,
387 timestamp[1] KerberosTime OPTIONAL,
388 usec[2] INTEGER OPTIONAL,
389 seq-number[3] UNSIGNED OPTIONAL,
390 s-address[4] HostAddress OPTIONAL, -- sender's addr
391 r-address[5] HostAddress OPTIONAL -- recip's addr
-- KRB-CRED: pvno[0] is not shown in this rendering. The tickets list is
-- cleartext; the matching session keys travel only in enc-part (KrbCredInfo
-- key[0]), so the confidentiality of forwarded credentials rests entirely on
-- how enc-part is encrypted.
394 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
396 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
397 tickets[2] SEQUENCE OF Ticket,
398 enc-part[3] EncryptedData
-- KrbCredInfo: everything except key is OPTIONAL, so a consumer must cope
-- with any of the descriptive fields being absent.
401 KrbCredInfo ::= SEQUENCE {
402 key[0] EncryptionKey,
403 prealm[1] Realm OPTIONAL,
404 pname[2] PrincipalName OPTIONAL,
405 flags[3] TicketFlags OPTIONAL,
406 authtime[4] KerberosTime OPTIONAL,
407 starttime[5] KerberosTime OPTIONAL,
408 endtime[6] KerberosTime OPTIONAL,
409 renew-till[7] KerberosTime OPTIONAL,
410 srealm[8] Realm OPTIONAL,
411 sname[9] PrincipalName OPTIONAL,
412 caddr[10] HostAddresses OPTIONAL
-- EncKrbCredPart: ticket-info holds one KrbCredInfo per entry of the outer
-- tickets list, in the same order (RFC 1510); nonce, timestamp, usec and the
-- addresses serve replay detection and binding as in KRB-PRIV.
415 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
416 ticket-info[0] SEQUENCE OF KrbCredInfo,
417 nonce[1] INTEGER OPTIONAL,
418 timestamp[2] KerberosTime OPTIONAL,
419 usec[3] INTEGER OPTIONAL,
420 s-address[4] HostAddress OPTIONAL,
421 r-address[5] HostAddress OPTIONAL
-- KRB-ERROR: the pvno[0] and susec[5] elements are not shown in this
-- rendering. Nothing in this schema integrity-protects the message, so a
-- client should not let its contents (e-data in particular, which may carry
-- METHOD-DATA) silently weaken the parameters of a retried request.
424 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
426 msg-type[1] MESSAGE-TYPE,
427 ctime[2] KerberosTime OPTIONAL,
428 cusec[3] INTEGER OPTIONAL,
429 stime[4] KerberosTime,
431 error-code[6] INTEGER,
432 crealm[7] Realm OPTIONAL,
433 cname[8] PrincipalName OPTIONAL,
434 realm[9] Realm, -- Correct realm
435 sname[10] PrincipalName, -- Correct name
436 e-text[11] GeneralString OPTIONAL,
437 e-data[12] OCTET STRING OPTIONAL
-- Module constants.
440 pvno INTEGER ::= 5 -- current Kerberos protocol version number
-- Registered tr-type value for TransitedEncoding.tr-type[0].
442 -- transited encodings
444 DOMAIN-X500-COMPRESS INTEGER ::= 1
-- Tooling hint: the regex used to build an etags index of the definitions.
448 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1