digest.asn1 revision 178825 
1241823Smarcel-- $Id: digest.asn1 22152 2007-12-04 19:59:18Z lha $
2241823Smarcel
3241823SmarcelDIGEST DEFINITIONS ::=
4241823SmarcelBEGIN
5
6IMPORTS EncryptedData, Principal FROM krb5;
7
8DigestTypes ::= BIT STRING {
9	ntlm-v1(0),
10	ntlm-v1-session(1),
11	ntlm-v2(2),
12	digest-md5(3),
13	chap-md5(4),
14	ms-chap-v2(5)
15}
16
17DigestInit ::= SEQUENCE {
18    type		UTF8String, -- http, sasl, chap, cram-md5 --
19    channel		[0] SEQUENCE {
20    	cb-type		UTF8String,
21    	cb-binding	UTF8String
22    } OPTIONAL,
23    hostname		[1] UTF8String OPTIONAL -- for chap/cram-md5
24}
25
26DigestInitReply ::= SEQUENCE {
27    nonce		UTF8String,	-- service nonce/challange
28    opaque		UTF8String,	-- server state
29    identifier		[0] UTF8String OPTIONAL
30}
31
32
33DigestRequest ::= SEQUENCE  {
34    type		UTF8String, -- http, sasl-md5, chap, cram-md5 --
35    digest		UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
36    username		UTF8String, -- username user used
37    responseData	UTF8String, -- client response
38    authid		[0] UTF8String OPTIONAL,
39    authentication-user	[1] Principal OPTIONAL, -- principal to get key from
40    realm		[2] UTF8String OPTIONAL,
41    method		[3] UTF8String OPTIONAL,
42    uri			[4] UTF8String OPTIONAL,
43    serverNonce		UTF8String, -- same as "DigestInitReply.nonce"
44    clientNonce		[5] UTF8String OPTIONAL,
45    nonceCount		[6] UTF8String OPTIONAL,
46    qop			[7] UTF8String OPTIONAL,
47    identifier		[8] UTF8String OPTIONAL,
48    hostname		[9] UTF8String OPTIONAL,
49    opaque		UTF8String -- same as "DigestInitReply.opaque"
50}
51-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key))
52-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding)
53
54
55DigestError ::= SEQUENCE {
56    reason		UTF8String,
57    code		INTEGER (-2147483648..2147483647)
58}
59
60DigestResponse ::= SEQUENCE  {
61    success		BOOLEAN,
62    rsp			[0] UTF8String OPTIONAL,
63    tickets		[1] SEQUENCE OF OCTET STRING OPTIONAL,
64    channel		[2] SEQUENCE {
65    	cb-type		UTF8String,
66    	cb-binding	UTF8String
67    } OPTIONAL,
68    session-key		[3] OCTET STRING OPTIONAL
69}
70
71NTLMInit ::= SEQUENCE {
72    flags		[0] INTEGER (0..4294967295),
73    hostname		[1] UTF8String OPTIONAL,
74    domain		[1] UTF8String OPTIONAL
75}
76
77NTLMInitReply ::= SEQUENCE {
78    flags		[0] INTEGER (0..4294967295),
79    opaque		[1] OCTET STRING,
80    targetname		[2] UTF8String,
81    challange		[3] OCTET STRING,
82    targetinfo		[4] OCTET STRING OPTIONAL
83}
84
85NTLMRequest ::= SEQUENCE {
86    flags		[0] INTEGER (0..4294967295),
87    opaque		[1] OCTET STRING,
88    username		[2] UTF8String,
89    targetname		[3] UTF8String,
90    targetinfo		[4] OCTET STRING OPTIONAL,
91    lm			[5] OCTET STRING,
92    ntlm		[6] OCTET STRING,
93    sessionkey		[7] OCTET STRING OPTIONAL
94}
95
96NTLMResponse ::= SEQUENCE {
97    success		[0] BOOLEAN,
98    flags		[1] INTEGER (0..4294967295),
99    sessionkey		[2] OCTET STRING OPTIONAL,
100    tickets		[3] SEQUENCE OF OCTET STRING OPTIONAL
101}
102
103DigestReqInner ::= CHOICE {
104    init		[0] DigestInit,
105    digestRequest	[1] DigestRequest,
106    ntlmInit		[2] NTLMInit,
107    ntlmRequest		[3] NTLMRequest,
108    supportedMechs	[4] NULL
109}
110
111DigestREQ ::= [APPLICATION 128] SEQUENCE {
112    apReq		[0] OCTET STRING,
113    innerReq		[1] EncryptedData
114}
115
116DigestRepInner ::= CHOICE {
117    error		[0] DigestError,
118    initReply		[1] DigestInitReply,
119    response		[2] DigestResponse,
120    ntlmInitReply	[3] NTLMInitReply,
121    ntlmResponse	[4] NTLMResponse,
122    supportedMechs	[5] DigestTypes,
123    ...
124}
125
126DigestREP ::= [APPLICATION 129] SEQUENCE {
127    apRep		[0] OCTET STRING,
128    innerRep		[1] EncryptedData
129}
130
131
132-- HTTP
133
134-- md5
135-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd
136-- md5-sess
137-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value))
138
139-- qop == auth
140-- A2 = Method ":" digest-uri-value
141-- qop == auth-int
142-- A2 = Method ":" digest-uri-value ":" H(entity-body) 
143
144-- request-digest  = HEX(KD(HEX(H(A1)),
145--    unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2))))
146-- no "qop"
147-- request-digest  = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2))))
148
149
150-- SASL:
151-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } )
152-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
153-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) }
154
155-- A2 = "AUTHENTICATE:", ":", digest-uri-value
156-- qop == auth-int,auth-conf
157-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000"
158
159-- response-value = HEX( KD ( HEX(H(A1)),
160--                 { unq(nonce-value), ":" nc-value, ":",
161--                   unq(cnonce-value), ":", qop-value, ":",
162--                   HEX(H(A2)) }))
163
164END
165