-- $Id$
--
-- Kerberos 5 ASN.1 module in the Heimdal flavour.  Besides the RFC 4120
-- message types it carries vendor and draft extensions (PKINIT, FAST,
-- MS-KILE referrals and S4U, SAM/OTP, SRP) and a few structures that are
-- Heimdal private and never travel on the wire (see the comments on them).
--
-- The numeric values of the INTEGER and BIT STRING enumerations below are
-- protocol constants, assigned by IANA, by Microsoft or by individual
-- implementors.  Several values were handed out more than once and
-- therefore carry more than one symbolic name; do not "fix" or renumber
-- them.  Likewise the context tag numbers inside SEQUENCEs are wire format:
-- they are not always contiguous or ascending and must not be reordered.
--
-- Comments in this file are ASN.1 comments.  A second double hyphen on the
-- same line terminates a comment early, so avoid writing one inside them.

KERBEROS5 DEFINITIONS ::=
BEGIN
EXPORTS
    AD-AND-OR,
    AD-IF-RELEVANT,
    AD-KDCIssued,
    AD-LoginAlias,
    AP-REP,
    AP-REQ,
    AS-REP,
    AS-REQ,
    AUTHDATA-TYPE,
    Authenticator,
    AuthorizationData,
    AuthorizationDataElement,
    CKSUMTYPE,
    ChangePasswdDataMS,
    Checksum,
    ENCTYPE,
    ETYPE-INFO,
    ETYPE-INFO-ENTRY,
    ETYPE-INFO2,
    ETYPE-INFO2-ENTRY,
    EncAPRepPart,
    EncASRepPart,
    EncKDCRepPart,
    EncKrbCredPart,
    EncKrbPrivPart,
    EncTGSRepPart,
    EncTicketPart,
    EncryptedData,
    EncryptionKey,
    EtypeList,
    HostAddress,
    HostAddresses,
    KDC-REQ-BODY,
    KDCOptions,
    KDC-REP,
    KRB-CRED,
    KRB-ERROR,
    KRB-PRIV,
    KRB-SAFE,
    KRB-SAFE-BODY,
    KRB5SignedPath,
    KRB5SignedPathData,
    -- NOTE(review): KRB5SignedPathPrincipals is exported here but no
    -- definition for it appears in this module as reviewed.
    KRB5SignedPathPrincipals,
    KerberosString,
    KerberosTime,
    KrbCredInfo,
    LR-TYPE,
    LastReq,
    METHOD-DATA,
    NAME-TYPE,
    PA-ClientCanonicalized,
    PA-ClientCanonicalizedNames,
    PA-DATA,
    PA-ENC-TS-ENC,
    PA-PAC-REQUEST,
    PA-S4U2Self,
    PA-SERVER-REFERRAL-DATA,
    PA-ServerReferralData,
    PA-SvrReferralData,
    PADATA-TYPE,
    PA-FX-FAST-REQUEST,
    PA-FX-FAST-REPLY,
    Principal,
    PrincipalName,
    Principals,
    Realm,
    TGS-REP,
    TGS-REQ,
    Ticket,
    TicketFlags,
    TransitedEncoding,
    TypedData,
    KrbFastResponse,
    KrbFastFinished,
    KrbFastReq,
    KrbFastArmor,
    KDCFastState,
    KDCFastCookie,
    KDCSRPState,
    KDC-PROXY-MESSAGE,
    KERB-TIMES,
    KERB-CRED,
    KERB-TGS-REQ-IN,
    KERB-TGS-REQ-OUT,
    KERB-ARMOR-SERVICE-REPLY,
    KERB-ERROR-DATA,
    PA-SAM-CHALLENGE-2,
    PA-SAM-REDIRECT,
    KERB-ERROR-NUMBER,
    KERB-TGS-REP-IN,
    PROV-SRV-LOCATION,
    TYPED-DATA,
    krb5-pvno,
    KERB-TGS-REP-OUT,
    PA-ENC-SAM-RESPONSE-ENC,
    PA-SAM-RESPONSE-2,
    AD-MANDATORY-FOR-KDC,
    PA-SAM-TYPE,
    KRB5-SRP-GROUP,
    KRB5-SRP-PA,
    KRB5-SRP-PA-ANNOUNCE,
    KRB5-SRP-PA-INIT,
    KRB5-SRP-PA-SERVER-CHALLENGE,
    KRB5-SRP-PA-CLIENT-RESPONSE,
    KRB5-SRP-PA-SERVER-VERIFIER
    ;

-- Principal name types (PrincipalName.name-type).  Positive values are the
-- RFC 4120 / IANA registrations; negative values are private assignments
-- (Microsoft and Heimdal) that are meaningful only between peers that
-- agree on them.  The name type is a hint about how to interpret
-- name-string; it is not authenticated by itself and must not be used as a
-- substitute for checking the name components.
NAME-TYPE ::= INTEGER {
    KRB5_NT_UNKNOWN(0),        -- Name type not known
    KRB5_NT_PRINCIPAL(1),      -- Just the name of the principal as in
    KRB5_NT_SRV_INST(2),       -- Service and other unique instance (krbtgt)
    KRB5_NT_SRV_HST(3),        -- Service with host name as instance
    KRB5_NT_SRV_XHST(4),       -- Service with host as remaining components
    KRB5_NT_UID(5),            -- Unique ID
    KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
    KRB5_NT_SMTP_NAME(7),      -- Name in form of SMTP email name
    KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
    KRB5_NT_WELLKNOWN(11),     -- Wellknown
    KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
    KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
    KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
    KRB5_NT_NTLM(-1200),       -- NTLM name, realm is domain
    KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
    KRB5_NT_GSS_HOSTBASED_SERVICE(-1202),
    KRB5_NT_CACHE_UUID(-1203)  -- name is actually a uuid pointing to ccache, use client name in cache
}

-- message types

-- Values of the msg-type field of every top level Kerberos message.  A
-- receiver should check that msg-type agrees with the APPLICATION tag of
-- the message it is decoding instead of trusting either one alone.
MESSAGE-TYPE ::= INTEGER {
    krb-as-req(10),  -- Request for initial authentication
    krb-as-rep(11),  -- Response to KRB_AS_REQ request
    krb-tgs-req(12), -- Request for authentication based on TGT
    krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
    krb-ap-req(14),  -- application request to server
    krb-ap-rep(15),  -- Response to KRB_AP_REQ_MUTUAL
    krb-safe(20),    -- Safe (checksummed) application message
    krb-priv(21),    -- Private (encrypted) application message
    krb-cred(22),    -- Private (encrypted) message to forward credentials
    krb-error(30)    -- Error response
}


-- pa-data types

-- Pre-authentication data types (PA-DATA.padata-type).  The following
-- values are deliberately shared by more than one name because they were
-- allocated independently by different vendors or drafts: 1 (TGS-REQ and
-- AP-REQ), 15 (PK-AS-REP-19 and PK-AS-REQ-WIN), 20 (USE-SPECIFIED-KVNO
-- and SVR-REFERRAL-INFO), 132 (AS-CHECKSUM and PK-AS-09-BINDING) and 133
-- (CLIENT-CANONICALIZED and FX-COOKIE).  Code that dispatches on the
-- numeric value therefore has to take the message context (AS vs TGS,
-- request vs reply, inside or outside FAST) into account; the value alone
-- does not identify the payload format.
PADATA-TYPE ::= INTEGER {
    KRB5-PADATA-NONE(0),
    KRB5-PADATA-TGS-REQ(1),
    KRB5-PADATA-AP-REQ(1),
    KRB5-PADATA-ENC-TIMESTAMP(2),
    KRB5-PADATA-PW-SALT(3),
    KRB5-PADATA-ENC-UNIX-TIME(5),
    KRB5-PADATA-SANDIA-SECUREID(6),
    KRB5-PADATA-SESAME(7),
    KRB5-PADATA-OSF-DCE(8),
    KRB5-PADATA-CYBERSAFE-SECUREID(9),
    KRB5-PADATA-AFS3-SALT(10),
    KRB5-PADATA-ETYPE-INFO(11),
    KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
    KRB5-PADATA-SAM-RESPONSE(13),  -- (sam/otp)
    KRB5-PADATA-PK-AS-REQ-19(14),  -- (PKINIT-19)
    KRB5-PADATA-PK-AS-REP-19(15),  -- (PKINIT-19)
    KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT, old number)
    KRB5-PADATA-PK-AS-REQ(16),     -- (PKINIT-25)
    KRB5-PADATA-PK-AS-REP(17),     -- (PKINIT-25)
    KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
    KRB5-PADATA-ETYPE-INFO2(19),
    KRB5-PADATA-USE-SPECIFIED-KVNO(20),
    KRB5-PADATA-SVR-REFERRAL-INFO(20), -- old ms referral number
    KRB5-PADATA-SAM-REDIRECT(21),  -- (sam/otp)
    KRB5-PADATA-GET-FROM-TYPED-DATA(22),
    KRB5-PADATA-SAM-ETYPE-INFO(23),
    KRB5-PADATA-SERVER-REFERRAL(25),
    KRB5-PADATA-ALT-PRINC(24),     -- (crawdad@fnal.gov)
    KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
    KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
    KRB5-PA-EXTRA-TGT(41),         -- Reserved extra TGT
    KRB5-PADATA-FX-FAST-ARMOR(71), -- fast armor
    KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
    KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
    KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
    KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
    KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
    KRB5-PADATA-TD-REQ-SEQ(108),   -- INTEGER
    KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
    KRB5-PADATA-FOR-USER(129),     -- MS-KILE
    KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
    KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
    KRB5-PADATA-AS-CHECKSUM(132),  -- MS-KILE
    KRB5-PADATA-PK-AS-09-BINDING(132), -- the client sends this to tell
                                       -- the KDC that it supports the
                                       -- asCheckSum in the PK-AS-REP
    KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referrals
    KRB5-PADATA-FX-COOKIE(133),    -- krb-wg-preauth-framework
    KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
    KRB5-PADATA-AUTH-SET-SELECTED(135),  -- krb-wg-preauth-framework
    KRB5-PADATA-FX-FAST(136),      -- krb-wg-preauth-framework
    KRB5-PADATA-FX-ERROR(137),     -- krb-wg-preauth-framework
    KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
    KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
    KRB5-PADATA-OTP-REQUEST(142),  -- (gareth.richards@rsa.com)
    -- NOTE(review): "KBB5" below looks like a typo for "KRB5".  It is kept
    -- as is because any identifier generated from this name would change
    -- if it were corrected; treat the spelling as part of the interface.
    KBB5-PADATA-OTP-CONFIRM(143),  -- (gareth.richards@rsa.com)
    KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
    KRB5-PADATA-EPAK-AS-REQ(145),
    KRB5-PADATA-EPAK-AS-REP(146),
    KRB5-PADATA-PKINIT-KX(147),    -- krb-wg-anon
    KRB5-PADATA-PKU2U-NAME(148),   -- zhu-pku2u
    KRB5-PADATA-REQ-ENC-PA-REP(149), -- RFC 6806 encrypted PA reply request
    KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
    KRB5-PADATA-SRP(250)           -- lha@apple.com
}

-- Authorization data types (AuthorizationDataElement.ad-type).  Elements
-- other than those wrapped in a KDC-ISSUED container are, from the point
-- of view of the service, supplied by whoever requested the ticket; see
-- the note on AD-KDCIssued below before acting on them.
AUTHDATA-TYPE ::= INTEGER {
    KRB5-AUTHDATA-IF-RELEVANT(1),
    -- NOTE(review): the underscore in the next name is a long standing
    -- inconsistency with the hyphenated names around it; kept because
    -- generated identifiers depend on it.
    KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
    KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
    KRB5-AUTHDATA-KDC-ISSUED(4),
    KRB5-AUTHDATA-AND-OR(5),
    KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
    KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
    KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
    KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
    KRB5-AUTHDATA-OSF-DCE(64),
    KRB5-AUTHDATA-SESAME(65),
    KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
    KRB5-AUTHDATA-WIN2K-PAC(128),
    KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
    KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
    KRB5-AUTHDATA-SIGNTICKET-OLD(142),
    KRB5-AUTHDATA-SIGNTICKET(512)
}

-- checksumtypes

-- Checksum types (Checksum.cksumtype).
-- NOTE(review): CRC32 (1) and the plain digests RSA_MD4 (2), RSA_MD5 (7)
-- and SHA1 (14) are unkeyed (RFC 3961) and give no integrity protection
-- against an active attacker; the DES based types are no stronger than
-- DES.  Only the HMAC types (12, 15, 16 and, for RC4 legacy, -138 and
-- -1138) are keyed.  Wherever a checksum is security relevant
-- (Authenticator.cksum, KRB-SAFE.cksum, AD-KDCIssued.ad-checksum, the
-- FAST and S4U2Self checksums) the receiver should require a keyed type
-- that is appropriate for the enctype of the key in use, and should not
-- simply accept whatever type the sender chose.
CKSUMTYPE ::= INTEGER {
    CKSUMTYPE_NONE(0),
    CKSUMTYPE_CRC32(1),
    CKSUMTYPE_RSA_MD4(2),
    CKSUMTYPE_RSA_MD4_DES(3),
    CKSUMTYPE_DES_MAC(4),
    CKSUMTYPE_DES_MAC_K(5),
    CKSUMTYPE_RSA_MD4_DES_K(6),
    CKSUMTYPE_RSA_MD5(7),
    CKSUMTYPE_RSA_MD5_DES(8),
    CKSUMTYPE_RSA_MD5_DES3(9),
    CKSUMTYPE_SHA1_OTHER(10),
    CKSUMTYPE_HMAC_SHA1_DES3(12),
    CKSUMTYPE_SHA1(14),
    CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
    CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
    CKSUMTYPE_GSSAPI(0x8003),
    CKSUMTYPE_HMAC_MD5(-138),     -- unofficial microsoft number
    CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
}

--enctypes

-- Encryption types (EncryptedData.etype, EncryptionKey.keytype).
-- NOTE(review): single DES (1, 2, 3) is deprecated by RFC 6649 and DES3
-- (16) as well as RC4 (23, 24) by RFC 8429.  AES (17, 18) are the only
-- types in this list that current policy should allow to be negotiated;
-- the others stay defined so that legacy keytabs, tickets and credential
-- caches can still be parsed.  Because etype travels in the clear (see
-- EncryptedData) an implementation must enforce its etype policy on
-- received data and not let a peer select a weak type.
ENCTYPE ::= INTEGER {
    KRB5_ENCTYPE_NULL(0),
    KRB5_ENCTYPE_DES_CBC_CRC(1),
    KRB5_ENCTYPE_DES_CBC_MD4(2),
    KRB5_ENCTYPE_DES_CBC_MD5(3),
    KRB5_ENCTYPE_DES3_CBC_MD5(5),
    KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
    -- 8 to 10 are public key placeholders from early PKINIT drafts and are
    -- presumably never used as symmetric enctypes; confirm before relying
    -- on them.
    KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
    KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
    KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
    KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
    KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
    KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
    KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
    KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
    KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48), -- (sic) the doubled ENCTYPE is part of the name
-- some "old" windows types
    KRB5_ENCTYPE_ARCFOUR_MD4(-128),
    KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
    KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use and must never be negotiated with a
-- peer or appear in an EncryptedData on the wire
    KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
    KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
    KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
    KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
    KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
    KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005)    -- private use, lukeh@padl.com
}

-- SRP groups usable in the SRP pre-authentication exchange below.  Value
-- 0 is a sentinel and must be rejected if it shows up in a message.
KRB5-SRP-GROUP ::= INTEGER {
    KRB5_SRP_GROUP_INVALID(0),
    KRB5_SRP_GROUP_RFC5054_4096_PBKDF2_SHA512(1)
}

-- this is sugar to make something ASN1 does not have: unsigned
--
-- Decoders should reject values outside these ranges rather than wrap
-- or truncate them; kvno, nonces and sequence numbers all use them.

krb5uint32 ::= INTEGER (0..4294967295)
krb5int32 ::= INTEGER (-2147483648..2147483647)

-- RFC 4120 KerberosString.  Declared as GeneralString for compatibility;
-- the character set actually used is an implementation matter.
KerberosString ::= GeneralString

Realm ::= GeneralString

-- A principal name without its realm.  name-string is unbounded, so a
-- decoder should apply its own limits on the number and length of the
-- components.
PrincipalName ::= SEQUENCE {
    name-type[0]   NAME-TYPE,
    name-string[1] SEQUENCE OF GeneralString
}

-- this is not part of RFC1510
-- Heimdal convenience type pairing a name with its realm.
Principal ::= SEQUENCE {
    name[0]  PrincipalName,
    realm[1] Realm
}

Principals ::= SEQUENCE OF Principal

-- A single network address.  addr-type is an opaque registered number
-- and address is unbounded; both are asserted by the sender and must be
-- validated (expected type, expected length for that type) before use.
HostAddress ::= SEQUENCE {
    addr-type[0] krb5int32,
    address[1]   OCTET STRING
}

-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
--      addr-type[0]    krb5int32,
--      address[1]      OCTET STRING
-- }

-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress


KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

-- One authorization data element.  ad-data is an opaque blob whose format
-- depends on ad-type; several types (IF-RELEVANT, KDC-ISSUED, AND-OR,
-- MANDATORY-FOR-KDC) contain a nested AuthorizationData, so a decoder
-- should bound the nesting depth.
AuthorizationDataElement ::= SEQUENCE {
    ad-type[0] krb5int32,
    ad-data[1] OCTET STRING
}

AuthorizationData ::= SEQUENCE OF AuthorizationDataElement

-- AP-REQ options.
APOptions ::= BIT STRING {
    reserved(0),
    use-session-key(1),
    mutual-required(2)
}

-- Ticket flags.  Inside a ticket they live in EncTicketPart and are
-- therefore protected by the service key; the copies in EncKDCRepPart
-- and KrbCredInfo are what the client is told and are only as
-- trustworthy as the channel they arrived on.
TicketFlags ::= BIT STRING {
    reserved(0),
    forwardable(1),
    forwarded(2),
    proxiable(3),
    proxy(4),
    may-postdate(5),
    postdated(6),
    invalid(7),
    renewable(8),
    initial(9),
    pre-authent(10),
    hw-authent(11),
    transited-policy-checked(12),
    ok-as-delegate(13),
    anonymous(14),
    enc-pa-rep(15)
}

-- KDC request options (KDC-REQ-BODY.kdc-options).  Bit 16 has two
-- meanings depending on the peer, as the existing comment records; a KDC
-- must decide which interpretation it implements and not honour both.
KDCOptions ::= BIT STRING {
    reserved(0),
    forwardable(1),
    forwarded(2),
    proxiable(3),
    proxy(4),
    allow-postdate(5),
    postdated(6),
    renewable(8),
    canonicalize(15),
    request-anonymous(16), -- constrained-delegation(16) msft extension
    disable-transited-check(26),
    renewable-ok(27),
    enc-tkt-in-skey(28),
    renew(30),
    validate(31)
}

-- Last request types (LastReq.lr-type).
LR-TYPE ::= INTEGER {
    LR_NONE(0),          -- no information
    LR_INITIAL_TGT(1),   -- last initial TGT request
    LR_INITIAL(2),       -- last initial request
    LR_ISSUE_USE_TGT(3), -- time of newest TGT used
    LR_RENEWAL(4),       -- time of last renewal
    LR_REQUEST(5),       -- time of last request (of any type)
    LR_PW_EXPTIME(6),    -- expiration time of password
    LR_ACCT_EXPTIME(7)   -- expiration time of account
}

LastReq ::= SEQUENCE OF SEQUENCE {
    lr-type[0]  LR-TYPE,
    lr-value[1] KerberosTime
}


-- Generic encrypted container.  Only cipher is protected; etype and kvno
-- are cleartext chosen by the sender.  A receiver must check etype
-- against its policy and kvno against the keys it actually holds before
-- attempting decryption, and must treat a decryption or integrity failure
-- as fatal for the enclosing message.
EncryptedData ::= SEQUENCE {
    etype[0]  ENCTYPE, -- EncryptionType
    kvno[1]   krb5int32 OPTIONAL,
    cipher[2] OCTET STRING -- ciphertext
}

-- Raw key material.  Structures containing one of these (EncKDCRepPart,
-- EncTicketPart, KrbCredInfo, KERB-CRED, KDCSRPState) are secrets and
-- must only be stored or transmitted encrypted.
EncryptionKey ::= SEQUENCE {
    keytype[0]  krb5int32,
    keyvalue[1] OCTET STRING
}

-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
    tr-type[0]  krb5int32, -- must be registered
    contents[1] OCTET STRING
}

-- A ticket.  realm and sname are unencrypted hints for the service to
-- select its key; everything that identifies the client and constrains
-- the ticket is in enc-part (an EncTicketPart under the service key).
-- The cleartext fields must be treated as untrusted until enc-part has
-- been decrypted and verified.
Ticket ::= [APPLICATION 1] SEQUENCE {
    tkt-vno[0]  krb5int32,
    realm[1]    Realm,
    sname[2]    PrincipalName,
    enc-part[3] EncryptedData
}
-- Encrypted part of ticket
-- Everything here is authenticated by the service key.  The service
-- must enforce starttime/endtime, the invalid flag, caddr when present,
-- and should check the transited path when transited-policy-checked is
-- not set.
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
    flags[0]      TicketFlags,
    key[1]        EncryptionKey,
    crealm[2]     Realm,
    cname[3]      PrincipalName,
    transited[4]  TransitedEncoding,
    authtime[5]   KerberosTime,
    starttime[6]  KerberosTime OPTIONAL,
    endtime[7]    KerberosTime,
    renew-till[8] KerberosTime OPTIONAL,
    caddr[9]      HostAddresses OPTIONAL,
    authorization-data[10] AuthorizationData OPTIONAL
}

-- A checksum.  See the note on CKSUMTYPE: the receiver, not the sender,
-- decides which cksumtype values are acceptable.
Checksum ::= SEQUENCE {
    cksumtype[0] CKSUMTYPE,
    checksum[1]  OCTET STRING
}

-- Authenticator, carried encrypted in AP-REQ.authenticator under the
-- ticket session key.  ctime/cusec together with cname are the replay
-- detection key and must be checked against clock skew and a replay
-- cache; crealm/cname must match the ticket's crealm/cname.  cksum
-- when present is application defined (GSS-API uses cksumtype 0x8003).
Authenticator ::= [APPLICATION 2] SEQUENCE {
    authenticator-vno[0] krb5int32,
    crealm[1]            Realm,
    cname[2]             PrincipalName,
    cksum[3]             Checksum OPTIONAL,
    cusec[4]             krb5int32,
    ctime[5]             KerberosTime,
    subkey[6]            EncryptionKey OPTIONAL,
    seq-number[7]        krb5uint32 OPTIONAL,
    authorization-data[8] AuthorizationData OPTIONAL
}

-- Pre-authentication element.  Context tags start at 1, not 0; that is
-- how RFC 4120 defines it and must not be "corrected".  padata-value is
-- an opaque blob whose format is selected by padata-type and the message
-- context (see PADATA-TYPE).
PA-DATA ::= SEQUENCE {
    -- might be encoded AP-REQ
    padata-type[1]  PADATA-TYPE,
    padata-value[2] OCTET STRING
}

-- Legacy salt information (PA-ETYPE-INFO).
ETYPE-INFO-ENTRY ::= SEQUENCE {
    etype[0]    ENCTYPE,
    salt[1]     OCTET STRING OPTIONAL,
    salttype[2] krb5int32 OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

-- Salt and string-to-key parameters (PA-ETYPE-INFO2, RFC 4120).
-- NOTE(review): in an unarmored AS exchange this arrives in an
-- unauthenticated KRB-ERROR, so an active attacker can influence the
-- salt and s2kparams the client derives its key with.  Clients should
-- reject etypes here that they did not offer and apply their own bounds
-- to s2kparams (e.g. iteration counts).
ETYPE-INFO2-ENTRY ::= SEQUENCE {
    etype[0]     ENCTYPE,
    salt[1]      KerberosString OPTIONAL,
    s2kparams[2] OCTET STRING OPTIONAL
}

ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

METHOD-DATA ::= SEQUENCE OF PA-DATA

-- Typed data element (used in KRB-ERROR.e-data for some error codes).
TypedData ::= SEQUENCE {
    data-type[0]  krb5int32,
    data-value[1] OCTET STRING OPTIONAL
}

TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData

-- Body of an AS-REQ or TGS-REQ.  nonce is echoed by the KDC in
-- EncKDCRepPart.nonce and is the client's only way to tie a reply to its
-- request, so it must be fresh per request.  etype is the client's
-- preference list; the KDC should intersect it with policy rather than
-- honour it blindly.  additional-tickets and enc-authorization-data are
-- only meaningful in a TGS-REQ.
KDC-REQ-BODY ::= SEQUENCE {
    kdc-options[0] KDCOptions,
    cname[1]       PrincipalName OPTIONAL, -- Used only in AS-REQ
    realm[2]       Realm, -- Server's realm
                          -- Also client's in AS-REQ
    sname[3]       PrincipalName OPTIONAL,
    from[4]        KerberosTime OPTIONAL,
    till[5]        KerberosTime OPTIONAL,
    rtime[6]       KerberosTime OPTIONAL,
    nonce[7]       krb5int32,
    etype[8]       SEQUENCE OF ENCTYPE, -- EncryptionType,
                                        -- in preference order
    addresses[9]   HostAddresses OPTIONAL,
    enc-authorization-data[10] EncryptedData OPTIONAL,
                   -- Encrypted AuthorizationData encoding
    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
}

-- Common shape of AS-REQ and TGS-REQ.  Tags start at 1 here but at 0 in
-- KDC-REP; both are as specified by RFC 4120.  The whole structure is
-- unauthenticated unless wrapped in FAST (KrbFastArmoredReq), and padata
-- is the only place where the client proves anything.
KDC-REQ ::= SEQUENCE {
    pvno[1]     krb5int32,
    msg-type[2] MESSAGE-TYPE,
    padata[3]   METHOD-DATA OPTIONAL,
    req-body[4] KDC-REQ-BODY
}

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC

-- Encrypted timestamp pre-authentication.
-- NOTE(review): this is encrypted directly in the client's long term key.
-- A passive observer of one AS exchange can therefore mount an offline
-- guessing attack on a password derived key; FAST armoring or PKINIT
-- should be preferred where the deployment allows it.
PA-ENC-TS-ENC ::= SEQUENCE {
    patimestamp[0] KerberosTime, -- client's time
    pausec[1]      krb5int32 OPTIONAL
}

-- draft-brezak-win2k-krb-authz-01
PA-PAC-REQUEST ::= SEQUENCE {
    include-pac[0] BOOLEAN -- Indicates whether a PAC
                           -- should be included or not
}

-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
PROV-SRV-LOCATION ::= GeneralString

-- Common shape of AS-REP and TGS-REP.  crealm, cname and ticket are in
-- the clear; the session key and the authoritative copies of the ticket
-- times and flags are in enc-part (EncKDCRepPart under the reply key).
KDC-REP ::= SEQUENCE {
    pvno[0]     krb5int32,
    msg-type[1] MESSAGE-TYPE,
    padata[2]   METHOD-DATA OPTIONAL,
    crealm[3]   Realm,
    cname[4]    PrincipalName,
    ticket[5]   Ticket,
    enc-part[6] EncryptedData
}

AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP

-- Encrypted part of a KDC reply.  The client must verify that nonce
-- equals the nonce it sent and that srealm/sname are the service it
-- asked for (or an acceptable referral) before using key.
-- encrypted-pa-data carries the PA-REQ-ENC-PA-REP checksum of RFC 6806
-- when the client requested it.
EncKDCRepPart ::= SEQUENCE {
    key[0]            EncryptionKey,
    last-req[1]       LastReq,
    nonce[2]          krb5int32,
    key-expiration[3] KerberosTime OPTIONAL,
    flags[4]          TicketFlags,
    authtime[5]       KerberosTime,
    starttime[6]      KerberosTime OPTIONAL,
    endtime[7]        KerberosTime,
    renew-till[8]     KerberosTime OPTIONAL,
    srealm[9]         Realm,
    sname[10]         PrincipalName,
    caddr[11]         HostAddresses OPTIONAL,
    encrypted-pa-data[12] METHOD-DATA OPTIONAL
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

-- Application request.  authenticator is an Authenticator encrypted
-- under the ticket session key (or, with use-session-key, under the
-- session key of a TGT held by the server).
AP-REQ ::= [APPLICATION 14] SEQUENCE {
    pvno[0]          krb5int32,
    msg-type[1]      MESSAGE-TYPE,
    ap-options[2]    APOptions,
    ticket[3]        Ticket,
    authenticator[4] EncryptedData
}

-- Application reply (mutual authentication).
AP-REP ::= [APPLICATION 15] SEQUENCE {
    pvno[0]     krb5int32,
    msg-type[1] MESSAGE-TYPE,
    enc-part[2] EncryptedData
}

-- Encrypted part of AP-REP.  The client must check that ctime/cusec
-- match what it sent in the Authenticator; that is what proves the
-- server holds the session key.
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
    ctime[0]      KerberosTime,
    cusec[1]      krb5int32,
    subkey[2]     EncryptionKey OPTIONAL,
    seq-number[3] krb5uint32 OPTIONAL
}

-- Integrity protected application message body.  At least one of
-- timestamp/usec or seq-number is needed for replay protection; a
-- receiver that gets neither has no defence against replay.
KRB-SAFE-BODY ::= SEQUENCE {
    user-data[0]  OCTET STRING,
    timestamp[1]  KerberosTime OPTIONAL,
    usec[2]       krb5int32 OPTIONAL,
    seq-number[3] krb5uint32 OPTIONAL,
    s-address[4]  HostAddress OPTIONAL,
    r-address[5]  HostAddress OPTIONAL
}

-- KRB-SAFE: body in the clear, cksum keyed with the session key or
-- subkey.  The receiver must verify cksum before touching safe-body and
-- must insist on a keyed cksumtype (see CKSUMTYPE).
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
    pvno[0]      krb5int32,
    msg-type[1]  MESSAGE-TYPE,
    safe-body[2] KRB-SAFE-BODY,
    cksum[3]     Checksum
}

-- KRB-PRIV: confidentiality and integrity protected application message.
-- The context tag of enc-part is 3 and there is no tag 2; this is as
-- specified by RFC 4120 and must not be renumbered.
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
    pvno[0]     krb5int32,
    msg-type[1] MESSAGE-TYPE,
    enc-part[3] EncryptedData
}
-- Same replay protection caveat as KRB-SAFE-BODY.
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
    user-data[0]  OCTET STRING,
    timestamp[1]  KerberosTime OPTIONAL,
    usec[2]       krb5int32 OPTIONAL,
    seq-number[3] krb5uint32 OPTIONAL,
    s-address[4]  HostAddress OPTIONAL, -- sender's addr
    r-address[5]  HostAddress OPTIONAL  -- recip's addr
}

-- Credential forwarding message.  tickets are in the clear; the session
-- keys that make them usable are in enc-part (EncKrbCredPart).  A
-- KRB-CRED is a bearer credential and must only be sent over a channel
-- that is confidential to the intended recipient.
KRB-CRED ::= [APPLICATION 22] SEQUENCE {
    pvno[0]     krb5int32,
    msg-type[1] MESSAGE-TYPE, -- KRB_CRED
    tickets[2]  SEQUENCE OF Ticket,
    enc-part[3] EncryptedData
}

-- Per ticket information inside EncKrbCredPart; key is the ticket's
-- session key.  The remaining fields are the sender's description of
-- the ticket and are not authenticated by the ticket's issuer.
KrbCredInfo ::= SEQUENCE {
    key[0]        EncryptionKey,
    prealm[1]     Realm OPTIONAL,
    pname[2]      PrincipalName OPTIONAL,
    flags[3]      TicketFlags OPTIONAL,
    authtime[4]   KerberosTime OPTIONAL,
    starttime[5]  KerberosTime OPTIONAL,
    endtime[6]    KerberosTime OPTIONAL,
    renew-till[7] KerberosTime OPTIONAL,
    srealm[8]     Realm OPTIONAL,
    sname[9]      PrincipalName OPTIONAL,
    caddr[10]     HostAddresses OPTIONAL
}

-- Encrypted part of KRB-CRED.  nonce/timestamp/usec/addresses are the
-- only replay protection available; all of them are OPTIONAL, so the
-- receiver must decide what it requires.
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
    ticket-info[0] SEQUENCE OF KrbCredInfo,
    nonce[1]       krb5int32 OPTIONAL,
    timestamp[2]   KerberosTime OPTIONAL,
    usec[3]        krb5int32 OPTIONAL,
    s-address[4]   HostAddress OPTIONAL,
    r-address[5]   HostAddress OPTIONAL
}

-- Error message.  Nothing in it is authenticated unless it arrives
-- inside a FAST reply, so error-code, e-text and e-data must be treated
-- as attacker controlled: do not reflect e-text into logs or user
-- interfaces without sanitising it, parse e-data defensively, and do
-- not let an error steer the client into weaker behaviour (e.g. a
-- downgraded etype) without independent policy checks.
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
    pvno[0]       krb5int32,
    msg-type[1]   MESSAGE-TYPE,
    ctime[2]      KerberosTime OPTIONAL,
    cusec[3]      krb5int32 OPTIONAL,
    stime[4]      KerberosTime,
    susec[5]      krb5int32,
    error-code[6] krb5int32,
    crealm[7]     Realm OPTIONAL,
    cname[8]      PrincipalName OPTIONAL,
    realm[9]      Realm, -- Correct realm
    sname[10]     PrincipalName, -- Correct name
    e-text[11]    GeneralString OPTIONAL,
    e-data[12]    OCTET STRING OPTIONAL
}

-- Microsoft style set password payload.  newpasswd is cleartext
-- password material; it belongs only inside a KRB-PRIV and should be
-- zeroed once consumed.
ChangePasswdDataMS ::= SEQUENCE {
    newpasswd[0] OCTET STRING,
    targname[1]  PrincipalName OPTIONAL,
    targrealm[2] Realm OPTIONAL
}

EtypeList ::= SEQUENCE OF ENCTYPE
        -- the client's proposed enctype list in
        -- decreasing preference order, favorite choice first

krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number

-- transited encodings

DOMAIN-X500-COMPRESS krb5int32 ::= 1

-- authorization data primitives

AD-IF-RELEVANT ::= AuthorizationData

-- Authorization data issued by the KDC (or an intermediate).
-- ad-checksum is what distinguishes these elements from ones the client
-- put in the request itself: the receiver must verify it (with the key
-- and key usage RFC 4120 prescribes) before honouring elements, and
-- i-realm/i-sname identify the claimed issuer.  Elements whose checksum
-- does not verify must be ignored, not trusted.
AD-KDCIssued ::= SEQUENCE {
    ad-checksum[0] Checksum,
    i-realm[1]     Realm OPTIONAL,
    i-sname[2]     PrincipalName OPTIONAL,
    elements[3]    AuthorizationData
}

-- At least condition-count of elements must be satisfied.  A decoder
-- should reject condition-count values that are negative or larger than
-- the number of elements, since neither can ever be satisfied sensibly.
AD-AND-OR ::= SEQUENCE {
    condition-count[0] INTEGER,
    elements[1]        AuthorizationData
}

AD-MANDATORY-FOR-KDC ::= AuthorizationData

-- PA-SAM-CHALLENGE-2 / PA-SAM-RESPONSE-2 (single use authentication
-- mechanism, SAM, used for OTP tokens)

-- SAM token types.
PA-SAM-TYPE ::= INTEGER {
    PA_SAM_TYPE_ENIGMA(1),     -- Enigma Logic
    PA_SAM_TYPE_DIGI_PATH(2),  -- Digital Pathways
    PA_SAM_TYPE_SKEY_K0(3),    -- S/key where KDC has key 0
    PA_SAM_TYPE_SKEY(4),       -- Traditional S/Key
    PA_SAM_TYPE_SECURID(5),    -- Security Dynamics
    PA_SAM_TYPE_CRYPTOCARD(6)  -- CRYPTOCard
}

PA-SAM-REDIRECT ::= HostAddresses

SAMFlags ::= BIT STRING {
    use-sad-as-key(0),
    send-encrypted-sad(1),
    must-pk-encrypt-sad(2)
}

-- Challenge body.  The prompt and label strings are shown to the user;
-- since the challenge is only integrity protected by sam-cksum (see
-- PA-SAM-CHALLENGE-2) they must be verified before being displayed.
PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
    sam-type[0]            krb5int32,
    sam-flags[1]           SAMFlags,
    sam-type-name[2]       GeneralString OPTIONAL,
    sam-track-id[3]        GeneralString OPTIONAL,
    sam-challenge-label[4] GeneralString OPTIONAL,
    sam-challenge[5]       GeneralString OPTIONAL,
    sam-response-prompt[6] GeneralString OPTIONAL,
    sam-pk-for-sad[7]      EncryptionKey OPTIONAL,
    sam-nonce[8]           krb5int32,
    sam-etype[9]           krb5int32,
    ...
}

-- sam-cksum is a list because the KDC may not know which of the
-- client's keys to use; the client must find one that verifies with a
-- keyed cksumtype and reject the challenge otherwise.
PA-SAM-CHALLENGE-2 ::= SEQUENCE {
    sam-body[0]  PA-SAM-CHALLENGE-2-BODY,
    sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
    ...
}

-- Client response; sam-nonce must equal the challenge nonce.
PA-SAM-RESPONSE-2 ::= SEQUENCE {
    sam-type[0]             krb5int32,
    sam-flags[1]            SAMFlags,
    sam-track-id[2]         GeneralString OPTIONAL,
    sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
    sam-nonce[4]            krb5int32,
    ...
}

PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
    sam-nonce[0] krb5int32,
    sam-sad[1]   GeneralString OPTIONAL,
    ...
}

-- S4U2Self (protocol transition) request, MS-SFU.  cksum covers name,
-- realm and auth and is keyed with the requesting service's TGT session
-- key; the KDC must verify it, and must apply its own policy on whether
-- the requester may impersonate name at all, before issuing a ticket
-- for another client.
PA-S4U2Self ::= SEQUENCE {
    name[0]  PrincipalName,
    realm[1] Realm,
    cksum[2] Checksum,
    auth[3]  GeneralString
}

-- never encoded on the wire, just used to checksum over
-- Heimdal delegation path signature: the KDC records the chain of
-- services a ticket was delegated through so that it can enforce policy
-- on later hops.
KRB5SignedPathData ::= SEQUENCE {
    client[0]      Principal OPTIONAL,
    authtime[1]    KerberosTime,
    delegated[2]   Principals OPTIONAL,
    method_data[3] METHOD-DATA OPTIONAL
}

-- NOTE(review): the key usage for cksum is left as "XXX" below; the real
-- value is fixed in the KDC code, confirm it there when auditing.
KRB5SignedPath ::= SEQUENCE {
    -- DER encoded KRB5SignedPathData
    -- krbtgt key (etype), KeyUsage = XXX
    etype[0]       ENCTYPE,
    cksum[1]       Checksum,
    -- services delegated through
    delegated[2]   Principals OPTIONAL,
    method_data[3] METHOD-DATA OPTIONAL
}

-- Client name canonicalisation (referrals).  canon-checksum binds the
-- mapping to the reply key; a client must verify it before accepting
-- mapped-name as its own identity.
PA-ClientCanonicalizedNames ::= SEQUENCE{
    requested-name [0] PrincipalName,
    mapped-name    [1] PrincipalName
}

PA-ClientCanonicalized ::= SEQUENCE {
    names          [0] PA-ClientCanonicalizedNames,
    canon-checksum [1] Checksum
}

AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
    login-alias [0] PrincipalName,
    checksum    [1] Checksum
}

-- old ms referral
-- The tags are intentionally declared as [1] then [0]; in a SEQUENCE the
-- declaration order is the encoding order, so do not reorder the fields.
PA-SvrReferralData ::= SEQUENCE {
    referred-name  [1] PrincipalName OPTIONAL,
    referred-realm [0] Realm
}

PA-SERVER-REFERRAL-DATA ::= EncryptedData

-- Server referral data (RFC 6806 style).  referral-valid-until should be
-- honoured by the client; a referral with no expiry should not be
-- cached indefinitely.
PA-ServerReferralData ::= SEQUENCE {
    referred-realm           [0] Realm OPTIONAL,
    true-principal-name      [1] PrincipalName OPTIONAL,
    requested-principal-name [2] PrincipalName OPTIONAL,
    referral-valid-until     [3] KerberosTime OPTIONAL,
    ...
}

-- FAST (RFC 6113).  The client's real request and its pre-authentication
-- travel inside an encrypted, integrity protected tunnel keyed from an
-- armor TGT, which removes the offline guessing exposure of
-- PA-ENC-TS-ENC and hides the inner padata from observers.
FastOptions ::= BIT STRING {
    reserved(0),
    hide-client-names(1),
    kdc-follow-referrals(16)
}

-- Inner (armored) request.  The KDC should act on this req-body and
-- padata, not on the outer KDC-REQ's, once the armor has verified.
KrbFastReq ::= SEQUENCE {
    fast-options [0] FastOptions,
    padata       [1] METHOD-DATA,
    req-body     [2] KDC-REQ-BODY,
    ...
}

KrbFastArmor ::= SEQUENCE {
    armor-type  [0] krb5int32,
    armor-value [1] OCTET STRING,
    ...
}

-- Armored request.  req-checksum is keyed with the armor key and covers
-- the outer KDC-REQ-BODY, binding the cleartext outer request to the
-- encrypted inner one; the KDC must verify it before decrypting
-- enc-fast-req.  armor is absent when the armor key is derived from a
-- TGS-REQ's own ticket session key and authenticator subkey.
KrbFastArmoredReq ::= SEQUENCE {
    armor        [0] KrbFastArmor OPTIONAL,
    req-checksum [1] Checksum,
    enc-fast-req [2] EncryptedData -- KrbFastReq --
}

PA-FX-FAST-REQUEST ::= CHOICE {
    armored-data [0] KrbFastArmoredReq,
    ...
}

-- Sent by the KDC on success.  ticket-checksum is keyed with the armor
-- key and covers the issued ticket; the client must verify it (and the
-- timestamp against skew) so that an attacker cannot substitute the
-- cleartext ticket in the KDC-REP.
KrbFastFinished ::= SEQUENCE {
    timestamp       [0] KerberosTime,
    usec            [1] krb5int32,
    crealm          [2] Realm,
    cname           [3] PrincipalName,
    ticket-checksum [4] Checksum,
    ...
}

-- Inner FAST reply.  nonce must equal the nonce of the inner request.
-- strengthen-key, when present, is combined with the reply key so that
-- knowledge of the long term key alone is not enough to read the reply.
KrbFastResponse ::= SEQUENCE {
    padata         [0] METHOD-DATA,
    strengthen-key [1] EncryptionKey OPTIONAL,
    finished       [2] KrbFastFinished OPTIONAL,
    nonce          [3] krb5uint32,
    ...
}

KrbFastArmoredRep ::= SEQUENCE {
    enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
    ...
}

PA-FX-FAST-REPLY ::= CHOICE {
    armored-data [0] KrbFastArmoredRep,
    ...
}

-- KDC side FAST state flags.  (The spelling "kdc-verfied" is kept; a
-- generated identifier depends on it.)
KDCFastFlags ::= BIT STRING {
    use-reply-key(0),
    reply-key-used(1),
    reply-key-replaced(2),
    kdc-verfied(3),
    requested-hidden-names(4)

}

-- SRP state carried between round trips.  k is session key material and
-- hamk/m are verifier values; this structure must only ever leave the
-- KDC inside the encrypted KDCFastCookie.cookie.
KDCSRPState ::= SEQUENCE {
    pa-announce [0] OCTET STRING,
    group       [1] KRB5-SRP-GROUP,
    m           [2] OCTET STRING,
    hamk        [3] OCTET STRING,
    k           [4] OCTET STRING
}

KDCFastPAState ::= SEQUENCE {
    srp [0] KDCSRPState OPTIONAL
}

-- KDCFastState is stored in FX_COOKIE
-- The cookie is round tripped through the client, so when it comes back
-- the KDC must (a) authenticate and decrypt it with its own key, (b)
-- enforce expiration against the KDC clock, and (c) treat a missing or
-- unverifiable cookie as "no prior state" rather than trusting any of
-- these fields.  expected-pa-types lets the KDC reject a client that
-- skips a step of a multi round trip mechanism.
KDCFastState ::= SEQUENCE {
    flags             [0] KDCFastFlags,
    expiration        [1] GeneralizedTime,
    expected-pa-types [2] SEQUENCE OF PADATA-TYPE OPTIONAL,
    pa-state          [3] KDCFastPAState
}

-- Wire form of FX_COOKIE.  cookie is an EncryptedData under a KDC local
-- key; version and realm are cleartext and only guide key selection.
KDCFastCookie ::= SEQUENCE {
    version [0] krb5uint32,
    realm   [1] UTF8String,
    cookie  [2] EncryptedData
}

-- KDC proxy envelope (appears to follow MS-KKDCP).  kerb-message is an
-- opaque Kerberos message; a proxy must not interpret target-domain or
-- dclocator-hint as authenticated and should bound the size of
-- kerb-message before forwarding it.
KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message   [0] OCTET STRING,
    target-domain  [1] Realm OPTIONAL,
    dclocator-hint [2] INTEGER OPTIONAL
}

-- these messages are used in the GSSCred communication and are not part
-- of Kerberos proper.  They cross a local IPC boundary, never the
-- network, but they carry session keys (keyblock, subkey, armor-key) and
-- so the channel and any persistence of them needs the same protection
-- as a credential cache.

KERB-TIMES ::= SEQUENCE {
    authtime   [0] KerberosTime,
    starttime  [1] KerberosTime,
    endtime    [2] KerberosTime,
    renew_till [3] KerberosTime
}

-- A complete credential as held in a cache: the ticket plus its session
-- key.  ticket and authdata are pre-encoded blobs.
KERB-CRED ::= SEQUENCE {
    client    [0] Principal,
    server    [1] Principal,
    keyblock  [2] EncryptionKey,
    times     [3] KERB-TIMES,
    ticket    [4] OCTET STRING,
    authdata  [5] OCTET STRING,
    addresses [6] HostAddresses,
    flags     [7] TicketFlags
}

-- Input for building a TGS-REQ on behalf of a caller.  cache is a 16
-- byte cache identifier (presumably a UUID, cf. KRB5_NT_CACHE_UUID).
-- flags is a raw krb5uint32 rather than KDCOptions.
KERB-TGS-REQ-IN ::= SEQUENCE {
    cache   [0] OCTET STRING SIZE (16),
    addrs   [1] HostAddresses,
    flags   [2] krb5uint32,
    imp     [3] Principal OPTIONAL,
    ticket  [4] OCTET STRING OPTIONAL,
    in_cred [5] KERB-CRED,
    krbtgt  [6] KERB-CRED,
    padata  [7] METHOD-DATA
}

KERB-TGS-REQ-OUT ::= SEQUENCE {
    subkey [0] EncryptionKey OPTIONAL,
    t      [1] TGS-REQ
}



KERB-TGS-REP-IN ::= SEQUENCE {
    cache   [0] OCTET STRING SIZE (16),
    subkey  [1] EncryptionKey OPTIONAL,
    in_cred [2] KERB-CRED,
    t       [3] TGS-REP
}

KERB-TGS-REP-OUT ::= SEQUENCE {
    cache  [0] OCTET STRING SIZE (16),
    cred   [1] KERB-CRED,
    subkey [2] EncryptionKey
}

-- Armor material handed back by the armor service; armor-key is a
-- secret.
KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
    armor     [0] KrbFastArmor,
    armor-key [1] EncryptionKey
}

-- [MS-KILE] 2.2.1

KERB-ERROR-NUMBER ::= INTEGER {
    KRB5_AP_ERR_WINDOWS_ERROR_CODE(1),
    KRB5_AP_ERR_TYPE_SKEW_RECOVERY(2)
}

-- Microsoft extended error data carried in KRB-ERROR.e-data.  Tags start
-- at 1 as in PA-DATA.  It arrives unauthenticated; see KRB-ERROR.
KERB-ERROR-DATA ::= SEQUENCE {
    data-type  [1] krb5int32,
    data-value [2] OCTET STRING OPTIONAL
}

-- [SRP]

-- One SRP group the KDC is willing to use, with the salt and PBKDF2
-- iteration count for this client.
-- NOTE(review): the client executes iterations of PBKDF2 on the KDC's
-- say so, and at this point the announce is not yet authenticated (see
-- KRB5-SRP-PA-ANNOUNCE).  A client should cap the iteration count it is
-- willing to perform so that a spoofed KDC cannot turn this into a CPU
-- exhaustion attack, and should reject group values it does not know.
KRB5-SRP-PA ::= SEQUENCE {
    group      [0] KRB5-SRP-GROUP,
    salt       [1] OCTET STRING,
    iterations [2] krb5uint32
}

-- KDC's announcement of supported groups.  as-req binds the announce to
-- the client's request, but with an unkeyed checksum it is only a
-- consistency check; authenticity of the exchange is established later
-- by the server verifier (hamk), which the client must check before
-- using the derived key.
KRB5-SRP-PA-ANNOUNCE ::= SEQUENCE {
    groups [0] SET OF KRB5-SRP-PA, -- allowed groups and their salt
    as-req [1] Checksum -- an unkeyed checksum of the AS-REQ using a
                        -- non weak checksum type that the KDC supports
                        -- given the list of etypes from the client
}

-- Client's first SRP message: chosen group and its public value A.
-- The KDC must reject A values that are 0 mod N (standard SRP check).
KRB5-SRP-PA-INIT ::= [APPLICATION 0] SEQUENCE {
    group [0] krb5uint32,
    a     [1] OCTET STRING
}

-- Server public value B.  The client must likewise reject B congruent
-- to 0 mod N.
KRB5-SRP-PA-SERVER-CHALLENGE ::= [APPLICATION 1] OCTET STRING -- b

-- Client proof M; the KDC must verify it before sending the verifier.
KRB5-SRP-PA-CLIENT-RESPONSE ::= [APPLICATION 2] OCTET STRING -- m

-- Server proof H(A, M, K); the client must verify it before trusting
-- the session key.
KRB5-SRP-PA-SERVER-VERIFIER ::= [APPLICATION 3] OCTET STRING -- hamk

END

-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1