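-- $Id$

-- Heimdal Kerberos 5 ASN.1 module.
--
-- Defines the wire format of the RFC 4120 protocol messages together
-- with the Heimdal, Microsoft (MS-KILE, MS-SFU, PAC) and preauth
-- framework (RFC 6113) extensions Heimdal implements.  Context tags
-- ([n]) and APPLICATION tags are part of the encoding and must not be
-- renumbered.  Names of INTEGER and BIT STRING members become generated
-- C symbols, so a few upstream misspellings are kept and only flagged
-- in comments rather than corrected.

KERBEROS5 DEFINITIONS ::=
BEGIN
EXPORTS
	AD-AND-OR,
	AD-IF-RELEVANT,
	AD-KDCIssued,
	AD-LoginAlias,
	AP-REP,
	AP-REQ,
	AS-REP,
	AS-REQ,
	AUTHDATA-TYPE,
	Authenticator,
	AuthorizationData,
	AuthorizationDataElement,
	CKSUMTYPE,
	ChangePasswdDataMS,
	Checksum,
	ENCTYPE,
	ETYPE-INFO,
	ETYPE-INFO-ENTRY,
	ETYPE-INFO2,
	ETYPE-INFO2-ENTRY,
	EncAPRepPart,
	EncASRepPart,
	EncKDCRepPart,
	EncKrbCredPart,
	EncKrbPrivPart,
	EncTGSRepPart,
	EncTicketPart,
	EncryptedData,
	EncryptionKey,
	EtypeList,
	HostAddress,
	HostAddresses,
	KDC-REQ-BODY,
	KDCOptions,
	KDC-REP,
	KRB-CRED,
	KRB-ERROR,
	KRB-PRIV,
	KRB-SAFE,
	KRB-SAFE-BODY,
	KRB5SignedPath,
	KRB5SignedPathData,
	-- NOTE: exported but not defined anywhere in this module.
	KRB5SignedPathPrincipals,
	KerberosString,
	KerberosTime,
	KrbCredInfo,
	LR-TYPE,
	LastReq,
	METHOD-DATA,
	NAME-TYPE,
	PA-ClientCanonicalized,
	PA-ClientCanonicalizedNames,
	PA-DATA,
	PA-ENC-TS-ENC,
	PA-PAC-REQUEST,
	PA-S4U2Self,
	PA-SERVER-REFERRAL-DATA,
	PA-ServerReferralData,
	PA-SvrReferralData,
	PADATA-TYPE,
	Principal,
	PrincipalName,
	Principals,
	Realm,
	TGS-REP,
	TGS-REQ,
	Ticket,
	TicketFlags,
	TransitedEncoding,
	TypedData
	;

-- Principal name types (RFC 4120 section 6.2 plus Microsoft and
-- Heimdal additions).  Negative values are not IANA registered.
NAME-TYPE ::= INTEGER {
	KRB5_NT_UNKNOWN(0),	-- Name type not known
	KRB5_NT_PRINCIPAL(1),	-- Just the name of the principal as in DCE, or for users
	KRB5_NT_SRV_INST(2),	-- Service and other unique instance (krbtgt)
	KRB5_NT_SRV_HST(3),	-- Service with host name as instance
	KRB5_NT_SRV_XHST(4),	-- Service with host as remaining components
	KRB5_NT_UID(5),		-- Unique ID
	KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
	KRB5_NT_SMTP_NAME(7),	-- Name in form of SMTP email name
	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
	KRB5_NT_WELLKNOWN(11),	-- Wellknown
	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
	KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
	KRB5_NT_NTLM(-1200)	-- NTLM name, realm is domain
}

-- message types

MESSAGE-TYPE ::= INTEGER {
	krb-as-req(10), -- Request for initial authentication
	krb-as-rep(11), -- Response to KRB_AS_REQ request
	krb-tgs-req(12), -- Request for authentication based on TGT
	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
	krb-ap-req(14), -- application request to server
	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
	krb-safe(20), -- Safe (checksummed) application message
	krb-priv(21), -- Private (encrypted) application message
	krb-cred(22), -- Private (encrypted) message to forward credentials
	krb-error(30) -- Error response
}


-- pa-data types
--
-- Some values are assigned to more than one name (1, 15, 20, 132 and
-- 133 below).  The same padata-type number therefore identifies
-- different payloads depending on the message it appears in, so a
-- decoder must select the payload type from context and must not
-- assume the number alone is unambiguous.

PADATA-TYPE ::= INTEGER {
	KRB5-PADATA-NONE(0),
	KRB5-PADATA-TGS-REQ(1),
	KRB5-PADATA-AP-REQ(1),
	KRB5-PADATA-ENC-TIMESTAMP(2),
	KRB5-PADATA-PW-SALT(3),
	KRB5-PADATA-ENC-UNIX-TIME(5),
	KRB5-PADATA-SANDIA-SECUREID(6),
	KRB5-PADATA-SESAME(7),
	KRB5-PADATA-OSF-DCE(8),
	KRB5-PADATA-CYBERSAFE-SECUREID(9),
	KRB5-PADATA-AFS3-SALT(10),
	KRB5-PADATA-ETYPE-INFO(11),
	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
	KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
	KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
	KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
	KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
	KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
	KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
	KRB5-PADATA-ETYPE-INFO2(19),
	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
	KRB5-PADATA-SVR-REFERRAL-INFO(20), -- old ms referral number
	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
	KRB5-PADATA-SAM-ETYPE-INFO(23),
	KRB5-PADATA-SERVER-REFERRAL(25),
	KRB5-PADATA-ALT-PRINC(24),		-- (crawdad@fnal.gov)
	KRB5-PADATA-SAM-CHALLENGE2(30),		-- (kenh@pobox.com)
	KRB5-PADATA-SAM-RESPONSE2(31),		-- (kenh@pobox.com)
	KRB5-PA-EXTRA-TGT(41),			-- Reserved extra TGT
	KRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
	KRB5-PADATA-TD-APP-DEFINED-ERROR(106),	-- application specific
	KRB5-PADATA-TD-REQ-NONCE(107),		-- INTEGER
	KRB5-PADATA-TD-REQ-SEQ(108),		-- INTEGER
	KRB5-PADATA-PA-PAC-REQUEST(128),	-- jbrezak@exchange.microsoft.com
	KRB5-PADATA-FOR-USER(129),		-- MS-KILE
	KRB5-PADATA-FOR-X509-USER(130),		-- MS-KILE
	KRB5-PADATA-FOR-CHECK-DUPS(131),	-- MS-KILE
	KRB5-PADATA-AS-CHECKSUM(132),		-- MS-KILE
	KRB5-PADATA-PK-AS-09-BINDING(132),	-- the client sends this to
						-- tell the KDC that it supports
						-- the asChecksum in the
						-- PK-AS-REP
	KRB5-PADATA-CLIENT-CANONICALIZED(133),	-- referrals
	KRB5-PADATA-FX-COOKIE(133),		-- krb-wg-preauth-framework
	KRB5-PADATA-AUTHENTICATION-SET(134),	-- krb-wg-preauth-framework
	KRB5-PADATA-AUTH-SET-SELECTED(135),	-- krb-wg-preauth-framework
	KRB5-PADATA-FX-FAST(136),		-- krb-wg-preauth-framework
	KRB5-PADATA-FX-ERROR(137),		-- krb-wg-preauth-framework
	KRB5-PADATA-ENCRYPTED-CHALLENGE(138),	-- krb-wg-preauth-framework
	KRB5-PADATA-OTP-CHALLENGE(141),		-- (gareth.richards@rsa.com)
	KRB5-PADATA-OTP-REQUEST(142),		-- (gareth.richards@rsa.com)
	KBB5-PADATA-OTP-CONFIRM(143),		-- (gareth.richards@rsa.com)
						-- sic: upstream typo (KBB5),
						-- kept because the name is a
						-- generated symbol
	KRB5-PADATA-OTP-PIN-CHANGE(144),	-- (gareth.richards@rsa.com)
	KRB5-PADATA-EPAK-AS-REQ(145),
	KRB5-PADATA-EPAK-AS-REP(146),
	KRB5-PADATA-PKINIT-KX(147),		-- krb-wg-anon
	KRB5-PADATA-PKU2U-NAME(148),		-- zhu-pku2u
	KRB5-PADATA-REQ-ENC-PA-REP(149),	-- RFC 6806
	KRB5-PADATA-SUPPORTED-ETYPES(165)	-- MS-KILE
}

-- Authorization data element types (RFC 4120 section 7.5.4 plus
-- Microsoft PAC and Heimdal signed-path values).
AUTHDATA-TYPE ::= INTEGER {
	KRB5-AUTHDATA-IF-RELEVANT(1),
	KRB5-AUTHDATA-INTENDED-FOR_SERVER(2), -- sic: underscore is upstream, generated symbol
	KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
	KRB5-AUTHDATA-KDC-ISSUED(4),
	KRB5-AUTHDATA-AND-OR(5),
	KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
	KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
	KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
	KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
	KRB5-AUTHDATA-OSF-DCE(64),
	KRB5-AUTHDATA-SESAME(65),
	KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
	KRB5-AUTHDATA-WIN2K-PAC(128),
	KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
	KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
	KRB5-AUTHDATA-SIGNTICKET-OLD(142),
	KRB5-AUTHDATA-SIGNTICKET(512)
}

-- checksumtypes
--
-- CRC32, RSA_MD4, RSA_MD5 and SHA1 (types 1, 2, 7, 14) are unkeyed
-- checksums (RFC 3961) and give no protection against deliberate
-- modification; only the keyed types are suitable for integrity
-- protection of data an attacker could alter.

CKSUMTYPE ::= INTEGER {
	CKSUMTYPE_NONE(0),
	CKSUMTYPE_CRC32(1),
	CKSUMTYPE_RSA_MD4(2),
	CKSUMTYPE_RSA_MD4_DES(3),
	CKSUMTYPE_DES_MAC(4),
	CKSUMTYPE_DES_MAC_K(5),
	CKSUMTYPE_RSA_MD4_DES_K(6),
	CKSUMTYPE_RSA_MD5(7),
	CKSUMTYPE_RSA_MD5_DES(8),
	CKSUMTYPE_RSA_MD5_DES3(9),
	CKSUMTYPE_SHA1_OTHER(10),
	CKSUMTYPE_HMAC_SHA1_DES3(12),
	CKSUMTYPE_SHA1(14),
	CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
	CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
	CKSUMTYPE_GSSAPI(0x8003),
	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
	CKSUMTYPE_HMAC_MD5_ENC(-1138)	-- even more unofficial
}

-- enctypes
--
-- Single DES (types 1, 2, 3) is deprecated by RFC 6649; 3DES (16)
-- and RC4 (23, 24) by RFC 8429.  Negative values are not IANA
-- registered and are never valid on the wire.
ENCTYPE ::= INTEGER {
	KRB5_ENCTYPE_NULL(0),
	KRB5_ENCTYPE_DES_CBC_CRC(1),
	KRB5_ENCTYPE_DES_CBC_MD4(2),
	KRB5_ENCTYPE_DES_CBC_MD5(3),
	KRB5_ENCTYPE_DES3_CBC_MD5(5),
	KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
	KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
	KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
	KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
	KRB5_ENCTYPE_DES3_CBC_SHA1(16),	-- with key derivation
	KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
	KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
	KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
-- some "old" windows types
	KRB5_ENCTYPE_ARCFOUR_MD4(-128),
	KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
	KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use
	KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
	KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
	KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
	KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
	KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004),		-- private use, lukeh@padl.com
	KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005)		-- private use, lukeh@padl.com
}




-- this is sugar to make something ASN1 does not have: unsigned

krb5uint32 ::= INTEGER (0..4294967295)
krb5int32 ::= INTEGER (-2147483648..2147483647)

KerberosString  ::= GeneralString

Realm ::= GeneralString
PrincipalName ::= SEQUENCE {
	name-type[0]		NAME-TYPE,
	name-string[1]		SEQUENCE OF GeneralString
}

-- this is not part of RFC1510
Principal ::= SEQUENCE {
	name[0]			PrincipalName,
	realm[1]		Realm
}

Principals ::= SEQUENCE OF Principal

HostAddress ::= SEQUENCE  {
	addr-type[0]		krb5int32,
	address[1]		OCTET STRING
}

-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
--	addr-type[0]		krb5int32,
--	address[1]		OCTET STRING
-- }

-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress


KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

AuthorizationDataElement ::= SEQUENCE {
	ad-type[0]		krb5int32,
	ad-data[1]		OCTET STRING
}

AuthorizationData ::= SEQUENCE OF AuthorizationDataElement

APOptions ::= BIT STRING {
	reserved(0),
	use-session-key(1),
	mutual-required(2)
}

-- Bit positions are fixed by RFC 4120 and are wire-significant.
TicketFlags ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	may-postdate(5),
	postdated(6),
	invalid(7),
	renewable(8),
	initial(9),
	pre-authent(10),
	hw-authent(11),
	transited-policy-checked(12),
	ok-as-delegate(13),
	anonymous(14),
	enc-pa-rep(15)
}

KDCOptions ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	allow-postdate(5),
	postdated(6),
	renewable(8),
	request-anonymous(14),
	canonicalize(15),
	constrained-delegation(16), -- ms extension
	disable-transited-check(26),
	renewable-ok(27),
	enc-tkt-in-skey(28),
	renew(30),
	validate(31)
}

LR-TYPE ::= INTEGER {
	LR_NONE(0),		-- no information
	LR_INITIAL_TGT(1),	-- last initial TGT request
	LR_INITIAL(2),		-- last initial request
	LR_ISSUE_USE_TGT(3),	-- time of newest TGT used
	LR_RENEWAL(4),		-- time of last renewal
	LR_REQUEST(5),		-- time of last request (of any type)
	LR_PW_EXPTIME(6),	-- expiration time of password
	LR_ACCT_EXPTIME(7)	-- expiration time of account
}

LastReq ::= SEQUENCE OF SEQUENCE {
	lr-type[0]		LR-TYPE,
	lr-value[1]		KerberosTime
}


EncryptedData ::= SEQUENCE {
	etype[0] 	ENCTYPE, -- EncryptionType
	kvno[1]		krb5uint32 OPTIONAL, -- version of the key used
	cipher[2]	OCTET STRING -- ciphertext, RFC 3961 encrypt output
}

EncryptionKey ::= SEQUENCE {
	keytype[0]		krb5int32,
	keyvalue[1]		OCTET STRING
}

-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
	tr-type[0]		krb5int32, -- must be registered
	contents[1]		OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
	tkt-vno[0]		krb5int32,
	realm[1]		Realm,
	sname[2]		PrincipalName,
	enc-part[3]		EncryptedData
}
-- Encrypted part of ticket; only the service key holder can read it,
-- so the names and flags here are the ones a server should trust,
-- not those carried unencrypted elsewhere.
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
	flags[0]		TicketFlags,
	key[1]			EncryptionKey,
	crealm[2]		Realm,
	cname[3]		PrincipalName,
	transited[4]		TransitedEncoding,
	authtime[5]		KerberosTime,
	starttime[6]		KerberosTime OPTIONAL,
	endtime[7]		KerberosTime,
	renew-till[8]		KerberosTime OPTIONAL,
	caddr[9]		HostAddresses OPTIONAL,
	authorization-data[10]	AuthorizationData OPTIONAL
}

Checksum ::= SEQUENCE {
	cksumtype[0]		CKSUMTYPE,
	checksum[1]		OCTET STRING
}

Authenticator ::= [APPLICATION 2] SEQUENCE    {
	authenticator-vno[0]	krb5int32,
	crealm[1]		Realm,
	cname[2]		PrincipalName,
	cksum[3]		Checksum OPTIONAL,
	cusec[4]		krb5int32,
	ctime[5]		KerberosTime,
	subkey[6]		EncryptionKey OPTIONAL,
	seq-number[7]		krb5uint32 OPTIONAL,
	authorization-data[8]	AuthorizationData OPTIONAL
}

PA-DATA ::= SEQUENCE {
	-- tags start at [1], not [0], as in RFC 4120
	-- might be encoded AP-REQ
	padata-type[1]		PADATA-TYPE,
	padata-value[2]		OCTET STRING
}

ETYPE-INFO-ENTRY ::= SEQUENCE {
	etype[0]		ENCTYPE,
	salt[1]			OCTET STRING OPTIONAL,
	salttype[2]		krb5int32 OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

ETYPE-INFO2-ENTRY ::= SEQUENCE {
	etype[0]		ENCTYPE,
	salt[1]			KerberosString OPTIONAL,
	s2kparams[2]		OCTET STRING OPTIONAL
}

ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

METHOD-DATA ::= SEQUENCE OF PA-DATA

TypedData ::=   SEQUENCE {
	data-type[0]		krb5int32,
	data-value[1]		OCTET STRING OPTIONAL
}

TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData

KDC-REQ-BODY ::= SEQUENCE {
	kdc-options[0]		KDCOptions,
	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
	realm[2]		Realm,	-- Server's realm
					-- Also client's in AS-REQ
	sname[3]		PrincipalName OPTIONAL,
	from[4]			KerberosTime OPTIONAL,
	till[5]			KerberosTime OPTIONAL,
	rtime[6]		KerberosTime OPTIONAL,
	nonce[7]		krb5int32, -- echoed in EncKDCRepPart.nonce
	etype[8]		SEQUENCE OF ENCTYPE, -- EncryptionType,
					-- in preference order
	addresses[9]		HostAddresses OPTIONAL,
	enc-authorization-data[10] EncryptedData OPTIONAL,
					-- Encrypted AuthorizationData encoding
	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
}

KDC-REQ ::= SEQUENCE {
	pvno[1]			krb5int32,
	msg-type[2]		MESSAGE-TYPE,
	padata[3]		METHOD-DATA OPTIONAL,
	req-body[4]		KDC-REQ-BODY
}

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC

-- Encrypted-timestamp preauthentication body (RFC 4120 section 5.2.7.2).
PA-ENC-TS-ENC ::= SEQUENCE {
	patimestamp[0]		KerberosTime, -- client's time
	pausec[1]		krb5int32 OPTIONAL
}

-- draft-brezak-win2k-krb-authz-01
PA-PAC-REQUEST ::= SEQUENCE {
	include-pac[0]		BOOLEAN -- Indicates whether a PAC
					-- should be included or not
}

-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
PROV-SRV-LOCATION ::= GeneralString

KDC-REP ::= SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	padata[2]		METHOD-DATA OPTIONAL,
	crealm[3]		Realm,
	cname[4]		PrincipalName,
	ticket[5]		Ticket,
	enc-part[6]		EncryptedData
}

AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP

EncKDCRepPart ::= SEQUENCE {
	key[0]			EncryptionKey,
	last-req[1]		LastReq,
	nonce[2]		krb5int32,
	key-expiration[3]	KerberosTime OPTIONAL,
	flags[4]		TicketFlags,
	authtime[5]		KerberosTime,
	starttime[6]		KerberosTime OPTIONAL,
	endtime[7]		KerberosTime,
	renew-till[8]		KerberosTime OPTIONAL,
	srealm[9]		Realm,
	sname[10]		PrincipalName,
	caddr[11]		HostAddresses OPTIONAL,
	encrypted-pa-data[12]	METHOD-DATA OPTIONAL
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

AP-REQ ::= [APPLICATION 14] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	ap-options[2]		APOptions,
	ticket[3]		Ticket,
	authenticator[4]	EncryptedData
}

AP-REP ::= [APPLICATION 15] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	enc-part[2]		EncryptedData
}

EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
	ctime[0]		KerberosTime,
	cusec[1]		krb5int32,
	subkey[2]		EncryptionKey OPTIONAL,
	seq-number[3]		krb5uint32 OPTIONAL
}

KRB-SAFE-BODY ::= SEQUENCE {
	user-data[0]		OCTET STRING,
	timestamp[1]		KerberosTime OPTIONAL,
	usec[2]			krb5int32 OPTIONAL,
	seq-number[3]		krb5uint32 OPTIONAL,
	s-address[4]		HostAddress OPTIONAL,
	r-address[5]		HostAddress OPTIONAL
}

KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	safe-body[2]		KRB-SAFE-BODY,
	cksum[3]		Checksum -- must be a keyed checksum type
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	enc-part[3]		EncryptedData -- tag [2] is unused, as in RFC 4120
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
	user-data[0]		OCTET STRING,
	timestamp[1]		KerberosTime OPTIONAL,
	usec[2]			krb5int32 OPTIONAL,
	seq-number[3]		krb5uint32 OPTIONAL,
	s-address[4]		HostAddress OPTIONAL, -- sender's addr
	r-address[5]		HostAddress OPTIONAL -- recip's addr
}

KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE, -- KRB_CRED
	tickets[2]		SEQUENCE OF Ticket,
	enc-part[3]		EncryptedData
}

KrbCredInfo ::= SEQUENCE {
	key[0]			EncryptionKey,
	prealm[1]		Realm OPTIONAL,
	pname[2]		PrincipalName OPTIONAL,
	flags[3]		TicketFlags OPTIONAL,
	authtime[4]		KerberosTime OPTIONAL,
	starttime[5]		KerberosTime OPTIONAL,
	endtime[6] 		KerberosTime OPTIONAL,
	renew-till[7]		KerberosTime OPTIONAL,
	srealm[8]		Realm OPTIONAL,
	sname[9]		PrincipalName OPTIONAL,
	caddr[10]		HostAddresses OPTIONAL
}

EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
	ticket-info[0]		SEQUENCE OF KrbCredInfo,
	nonce[1]		krb5int32 OPTIONAL,
	timestamp[2]		KerberosTime OPTIONAL,
	usec[3]			krb5int32 OPTIONAL,
	s-address[4]		HostAddress OPTIONAL,
	r-address[5]		HostAddress OPTIONAL
}

KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	ctime[2]		KerberosTime OPTIONAL,
	cusec[3]		krb5int32 OPTIONAL,
	stime[4]		KerberosTime,
	susec[5]		krb5int32,
	error-code[6]		krb5int32,
	crealm[7]		Realm OPTIONAL,
	cname[8]		PrincipalName OPTIONAL,
	realm[9]		Realm, -- Correct realm
	sname[10]		PrincipalName, -- Correct name
	e-text[11]		GeneralString OPTIONAL,
	e-data[12]		OCTET STRING OPTIONAL
					-- METHOD-DATA on preauth errors (RFC 4120);
					-- unauthenticated, so it must not be
					-- trusted for anything but retrying
}

ChangePasswdDataMS ::= SEQUENCE {
	newpasswd[0]		OCTET STRING,
	targname[1]		PrincipalName OPTIONAL,
	targrealm[2]		Realm OPTIONAL
}

EtypeList ::= SEQUENCE OF ENCTYPE
	-- the client's proposed enctype list in
	-- decreasing preference order, favorite choice first

krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number

-- transited encodings

DOMAIN-X500-COMPRESS	krb5int32 ::= 1

-- authorization data primitives

-- Elements wrapped in AD-IF-RELEVANT carry no KDC signature of their
-- own; AD-KDCIssued is the container that binds its elements with a
-- checksum the KDC computed.
AD-IF-RELEVANT ::= AuthorizationData

AD-KDCIssued ::= SEQUENCE {
	ad-checksum[0]		Checksum,
	i-realm[1]		Realm OPTIONAL,
	i-sname[2]		PrincipalName OPTIONAL,
	elements[3]		AuthorizationData
}

AD-AND-OR ::= SEQUENCE {
	condition-count[0]	INTEGER,
	elements[1]		AuthorizationData
}

AD-MANDATORY-FOR-KDC ::= AuthorizationData

-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2

PA-SAM-TYPE ::= INTEGER {
	PA_SAM_TYPE_ENIGMA(1),		-- Enigma Logic
	PA_SAM_TYPE_DIGI_PATH(2),	-- Digital Pathways
	PA_SAM_TYPE_SKEY_K0(3),		-- S/key where KDC has key 0
	PA_SAM_TYPE_SKEY(4),		-- Traditional S/Key
	PA_SAM_TYPE_SECURID(5),		-- Security Dynamics
	PA_SAM_TYPE_CRYPTOCARD(6)	-- CRYPTOCard
}

PA-SAM-REDIRECT ::= HostAddresses

SAMFlags ::= BIT STRING {
	use-sad-as-key(0),
	send-encrypted-sad(1),
	must-pk-encrypt-sad(2)
}

PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
	sam-type[0]		krb5int32,
	sam-flags[1]		SAMFlags,
	sam-type-name[2]	GeneralString OPTIONAL,
	sam-track-id[3]		GeneralString OPTIONAL,
	sam-challenge-label[4]	GeneralString OPTIONAL,
	sam-challenge[5]	GeneralString OPTIONAL,
	sam-response-prompt[6]	GeneralString OPTIONAL,
	sam-pk-for-sad[7]	EncryptionKey OPTIONAL,
	sam-nonce[8]		krb5int32,
	sam-etype[9]		krb5int32,
	...
}

PA-SAM-CHALLENGE-2 ::= SEQUENCE {
	sam-body[0]		PA-SAM-CHALLENGE-2-BODY,
	sam-cksum[1]		SEQUENCE OF Checksum, -- (1..MAX)
	...
}

PA-SAM-RESPONSE-2 ::= SEQUENCE {
	sam-type[0]		krb5int32,
	sam-flags[1]		SAMFlags,
	sam-track-id[2]		GeneralString OPTIONAL,
	sam-enc-nonce-or-sad[3]	EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
	sam-nonce[4]		krb5int32,
	...
}

PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
	sam-nonce[0]		krb5int32,
	sam-sad[1]		GeneralString OPTIONAL,
	...
}

-- MS-SFU protocol transition request; cksum binds name, realm and
-- auth and is what the KDC verifies before acting on the request.
PA-S4U2Self ::= SEQUENCE {
	name[0]		PrincipalName,
	realm[1]	Realm,
	cksum[2]	Checksum,
	auth[3]		GeneralString
}

-- never encoded on the wire, just used to checksum over
KRB5SignedPathData ::= SEQUENCE {
	client[0]	Principal OPTIONAL,
	authtime[1]	KerberosTime,
	delegated[2]	Principals OPTIONAL,
	method_data[3]	METHOD-DATA OPTIONAL
}

KRB5SignedPath ::= SEQUENCE {
	-- DERcoded KRB5SignedPathData
	-- krbtgt key (etype), KeyUsage = XXX
	etype[0]	ENCTYPE,
	cksum[1]	Checksum,
	-- srvs delegated though
	delegated[2]	Principals OPTIONAL,
	method_data[3]	METHOD-DATA OPTIONAL
}

PA-ClientCanonicalizedNames ::= SEQUENCE{
	requested-name	[0] PrincipalName,
	mapped-name	[1] PrincipalName
}

PA-ClientCanonicalized ::= SEQUENCE {
	names		[0] PA-ClientCanonicalizedNames,
	canon-checksum	[1] Checksum
}

AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
	login-alias	[0] PrincipalName,
	checksum	[1] Checksum
}

-- old ms referral
-- Tag numbers are intentionally out of declaration order.
PA-SvrReferralData ::= SEQUENCE {
	referred-name	[1] PrincipalName OPTIONAL,
	referred-realm	[0] Realm
}

PA-SERVER-REFERRAL-DATA ::= EncryptedData

PA-ServerReferralData ::= SEQUENCE {
	referred-realm			[0] Realm OPTIONAL,
	true-principal-name		[1] PrincipalName OPTIONAL,
	requested-principal-name	[2] PrincipalName OPTIONAL,
	referral-valid-until		[3] KerberosTime OPTIONAL,
	...
}

-- FAST (RFC 6113).  NOTE: the third identifier below contains a
-- double hyphen, which the Heimdal asn1 compiler accepts but a strict
-- ASN.1 parser reads as the start of a comment; RFC 6113 spells it
-- with a single hyphen.  Kept because it is a generated symbol.
FastOptions ::= BIT STRING {
	reserved(0),
	hide-client-names(1),
	kdc-follow--referrals(16)
}

KrbFastReq ::= SEQUENCE {
	fast-options [0] FastOptions,
	padata       [1] SEQUENCE OF PA-DATA,
	req-body     [2] KDC-REQ-BODY,
	...
}

KrbFastArmor ::= SEQUENCE {
	armor-type   [0] krb5int32,
	armor-value  [1] OCTET STRING,
	...
}

KrbFastArmoredReq ::= SEQUENCE {
	armor        [0] KrbFastArmor OPTIONAL,
	req-checksum [1] Checksum,
	enc-fast-req [2] EncryptedData -- KrbFastReq --
}

PA-FX-FAST-REQUEST ::= CHOICE {
	armored-data [0] KrbFastArmoredReq,
	...
}

KrbFastFinished ::= SEQUENCE {
	timestamp       [0] KerberosTime,
	usec            [1] krb5int32,
	crealm          [2] Realm,
	cname           [3] PrincipalName,
	checksum        [4] Checksum,
	ticket-checksum [5] Checksum,
	...
}

KrbFastResponse ::= SEQUENCE {
	padata      [0] SEQUENCE OF PA-DATA,
	rep-key     [1] EncryptionKey OPTIONAL,
	finished    [2] KrbFastFinished OPTIONAL,
	...
}

KrbFastArmoredRep ::= SEQUENCE {
	enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
	...
}

PA-FX-FAST-REPLY ::= CHOICE {
	armored-data [0] KrbFastArmoredRep,
	...
}

END

-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1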