pkinit.asn1 revision 72445
1PKINIT DEFINITIONS ::= BEGIN 2 3IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData 4 FROM krb5; 5IMPORTS SignedData, EnvelopedData FROM CMS; 6IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509; 7 8 9-- 3.1 10 11CertPrincipalName ::= SEQUENCE { 12 name-type[0] INTEGER, 13 name-string[1] SEQUENCE OF UTF8String 14} 15 16 17-- 3.2.2 18 19 20TrustedCertifiers ::= SEQUENCE OF PrincipalName 21 -- X.500 name encoded as a principal name 22 -- see Section 3.1 23CertificateIndex ::= INTEGER 24 -- 0 = 1st certificate, 25 -- (in order of encoding) 26 -- 1 = 2nd certificate, etc 27 28PA-PK-AS-REP ::= CHOICE { 29 -- PA TYPE 15 30 dhSignedData[0] SignedData, 31 -- Defined in CMS and used only with 32 -- Diffie-Hellman key exchange (if the 33 -- client public value was present in the 34 -- request). 35 -- This choice MUST be supported 36 -- by compliant implementations. 37 encKeyPack[1] EnvelopedData 38 -- Defined in CMS 39 -- The temporary key is encrypted 40 -- using the client public key 41 -- key 42 -- SignedReplyKeyPack, encrypted 43 -- with the temporary key, is also 44 -- included. 45} 46 47 48 49KdcDHKeyInfo ::= SEQUENCE { 50 -- used only when utilizing Diffie-Hellman 51 nonce[0] INTEGER, 52 -- binds responce to the request 53 subjectPublicKey[2] BIT STRING 54 -- Equals public exponent (g^a mod p) 55 -- INTEGER encoded as payload of 56 -- BIT STRING 57} 58 59ReplyKeyPack ::= SEQUENCE { 60 -- not used for Diffie-Hellman 61 replyKey[0] EncryptionKey, 62 -- used to encrypt main reply 63 -- ENCTYPE is at least as strong as 64 -- ENCTYPE of session key 65 nonce[1] INTEGER 66 -- binds response to the request 67 -- must be same as the nonce 68 -- passed in the PKAuthenticator 69} 70 71-- subjectAltName EXTENSION ::= { 72-- SYNTAX GeneralNames 73-- IDENTIFIED BY id-ce-subjectAltName 74-- } 75 76OtherName ::= SEQUENCE { 77 type-id OBJECT IDENTIFIER, 78 value[0] OCTET STRING 79-- value[0] EXPLICIT ANY DEFINED BY type-id 80} 81 82GeneralName ::= CHOICE { 83 otherName [0] OtherName, 84 ... 85} 86 87GeneralNames ::= SEQUENCE -- SIZE(1..MAX) 88 OF GeneralName 89 90KerberosName ::= SEQUENCE { 91 realm[0] Realm, 92 -- as defined in RFC 1510 93 principalName[1] CertPrincipalName 94 -- defined above 95} 96 97 98-- krb5 OBJECT IDENTIFIER ::= { 99-- iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2) 100-- } 101 102-- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 } 103 104-- 3.2.1 105 106 107IssuerAndSerialNumber ::= SEQUENCE { 108 issuer Name, 109 serialNumber CertificateSerialNumber 110} 111 112TrustedCas ::= CHOICE { 113 principalName[0] KerberosName, 114 -- as defined below 115 caName[1] Name, 116 -- fully qualified X.500 name 117 -- as defined by X.509 118 issuerAndSerial[2] IssuerAndSerialNumber 119 -- Since a CA may have a number of 120 -- certificates, only one of which 121 -- a client trusts 122} 123 124PA-PK-AS-REQ ::= SEQUENCE { 125 -- PA TYPE 14 126 signedAuthPack[0] SignedData, 127 -- defined in CMS [11] 128 -- AuthPack (below) defines the data 129 -- that is signed 130 trustedCertifiers[1] SEQUENCE OF TrustedCas OPTIONAL, 131 -- CAs that the client trusts 132 kdcCert[2] IssuerAndSerialNumber OPTIONAL, 133 -- as defined in CMS [11] 134 -- specifies a particular KDC 135 -- certificate if the client 136 -- already has it; 137 encryptionCert[3] IssuerAndSerialNumber OPTIONAL 138 -- For example, this may be the 139 -- client's Diffie-Hellman 140 -- certificate, or it may be the 141 -- client's RSA encryption 142 -- certificate. 143} 144 145PKAuthenticator ::= SEQUENCE { 146 kdcName[0] PrincipalName, 147 kdcRealm[1] Realm, 148 cusec[2] INTEGER, 149 -- for replay prevention as in RFC1510 150 ctime[3] KerberosTime, 151 -- for replay prevention as in RFC1510 152 nonce[4] INTEGER 153} 154 155-- This is the real definition of AlgorithmIdentifier 156-- AlgorithmIdentifier ::= SEQUENCE { 157-- algorithm ALGORITHM.&id, 158-- parameters ALGORITHM.&Type 159-- } -- as specified by the X.509 recommendation[10] 160 161-- But we'll use this one instead: 162 163AlgorithmIdentifier ::= SEQUENCE { 164 algorithm OBJECT IDENTIFIER, 165 parameters CHOICE { 166 a INTEGER 167 } 168} 169 170 171 172SubjectPublicKeyInfo ::= SEQUENCE { 173 algorithm AlgorithmIdentifier, 174 -- dhKeyAgreement 175 subjectPublicKey BIT STRING 176 -- for DH, equals 177 -- public exponent (INTEGER encoded 178 -- as payload of BIT STRING) 179} -- as specified by the X.509 recommendation[10] 180 181AuthPack ::= SEQUENCE { 182 pkAuthenticator[0] PKAuthenticator, 183 clientPublicValue[1] SubjectPublicKeyInfo OPTIONAL 184 -- if client is using Diffie-Hellman 185 -- (ephemeral-ephemeral only) 186} 187 188 189END 190