-- $Id$

-- Kerberos V5 ASN.1 module: the protocol messages, the pre-authentication
-- and authorization-data containers, and a number of Heimdal-specific and
-- Microsoft-specific extensions.  Everything here is wire format; renaming
-- or renumbering an item changes the generated encoder/decoder and the
-- values exchanged with other implementations.

KERBEROS5 DEFINITIONS ::=
BEGIN
-- NOTE(review): KRB5SignedPathPrincipals is listed here but has no
-- definition in this module, and KERB-TGS-REP-IN / KERB-TGS-REP-OUT are
-- defined below but not exported.  Confirm which of the two is intended.
EXPORTS
    AD-AND-OR,
    AD-IF-RELEVANT,
    AD-KDCIssued,
    AD-LoginAlias,
    AP-REP,
    AP-REQ,
    AS-REP,
    AS-REQ,
    AUTHDATA-TYPE,
    Authenticator,
    AuthorizationData,
    AuthorizationDataElement,
    CKSUMTYPE,
    ChangePasswdDataMS,
    Checksum,
    ENCTYPE,
    ETYPE-INFO,
    ETYPE-INFO-ENTRY,
    ETYPE-INFO2,
    ETYPE-INFO2-ENTRY,
    EncAPRepPart,
    EncASRepPart,
    EncKDCRepPart,
    EncKrbCredPart,
    EncKrbPrivPart,
    EncTGSRepPart,
    EncTicketPart,
    EncryptedData,
    EncryptionKey,
    EtypeList,
    HostAddress,
    HostAddresses,
    KDC-REQ-BODY,
    KDCOptions,
    KDC-REP,
    KRB-CRED,
    KRB-ERROR,
    KRB-PRIV,
    KRB-SAFE,
    KRB-SAFE-BODY,
    KRB5SignedPath,
    KRB5SignedPathData,
    KRB5SignedPathPrincipals,
    KerberosString,
    KerberosTime,
    KrbCredInfo,
    LR-TYPE,
    LastReq,
    METHOD-DATA,
    NAME-TYPE,
    PA-ClientCanonicalized,
    PA-ClientCanonicalizedNames,
    PA-DATA,
    PA-ENC-TS-ENC,
    PA-PAC-REQUEST,
    PA-S4U2Self,
    PA-SERVER-REFERRAL-DATA,
    PA-ServerReferralData,
    PA-SvrReferralData,
    PADATA-TYPE,
    PA-FX-FAST-REQUEST,
    PA-FX-FAST-REPLY,
    Principal,
    PrincipalName,
    Principals,
    Realm,
    TGS-REP,
    TGS-REQ,
    Ticket,
    TicketFlags,
    TransitedEncoding,
    TypedData,
    KrbFastResponse,
    KrbFastFinished,
    KrbFastReq,
    KrbFastArmor,
    KDCFastState,
    KDCFastCookie,
    KDC-PROXY-MESSAGE,
    KERB-TIMES,
    KERB-CRED,
    KERB-TGS-REQ-IN,
    KERB-TGS-REQ-OUT
    ;

-- Principal name types (PrincipalName.name-type).  Negative values are
-- Heimdal/Microsoft private assignments, not registered numbers.
NAME-TYPE ::= INTEGER {
    KRB5_NT_UNKNOWN(0),                 -- Name type not known
    KRB5_NT_PRINCIPAL(1),               -- Just the name of the principal as in DCE, or for users
    KRB5_NT_SRV_INST(2),                -- Service and other unique instance (krbtgt)
    KRB5_NT_SRV_HST(3),                 -- Service with host name as instance
    KRB5_NT_SRV_XHST(4),                -- Service with host as remaining components
    KRB5_NT_UID(5),                     -- Unique ID
    KRB5_NT_X500_PRINCIPAL(6),          -- PKINIT
    KRB5_NT_SMTP_NAME(7),               -- Name in form of SMTP email name
    KRB5_NT_ENTERPRISE_PRINCIPAL(10),   -- Windows 2000 UPN
    KRB5_NT_WELLKNOWN(11),              -- Well-known
    KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
    KRB5_NT_MS_PRINCIPAL(-128),         -- NT 4 style name
    KRB5_NT_MS_PRINCIPAL_AND_ID(-129),  -- NT style name and SID
    KRB5_NT_NTLM(-1200),                -- NTLM name, realm is domain
    KRB5_NT_X509_GENERAL_NAME(-1201),   -- x509 general name (base64 encoded)
    KRB5_NT_GSS_HOSTBASED_SERVICE(-1202),
    KRB5_NT_CACHE_UUID(-1203)           -- name is actually a uuid pointing to ccache, use client name in cache
}

-- message types

-- Values carried in the msg-type field of every top-level message; the
-- APPLICATION tag on the message type and msg-type should agree.
MESSAGE-TYPE ::= INTEGER {
    krb-as-req(10),  -- Request for initial authentication
    krb-as-rep(11),  -- Response to KRB_AS_REQ request
    krb-tgs-req(12), -- Request for authentication based on TGT
    krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
    krb-ap-req(14),  -- application request to server
    krb-ap-rep(15),  -- Response to KRB_AP_REQ_MUTUAL
    krb-safe(20),    -- Safe (checksummed) application message
    krb-priv(21),    -- Private (encrypted) application message
    krb-cred(22),    -- Private (encrypted) message to forward credentials
    krb-error(30)    -- Error response
}


-- pa-data types

-- Pre-authentication data types (PA-DATA.padata-type).
-- NOTE(review): several numbers are assigned twice in this list
-- (1, 15, 20, 132, 133).  Only the number goes on the wire, so a decoder
-- cannot tell the aliases apart; code that dispatches on padata-type must
-- treat the shared values as context dependent rather than by symbolic name.
PADATA-TYPE ::= INTEGER {
    KRB5-PADATA-NONE(0),
    KRB5-PADATA-TGS-REQ(1),
    KRB5-PADATA-AP-REQ(1),
    KRB5-PADATA-ENC-TIMESTAMP(2),
    KRB5-PADATA-PW-SALT(3),
    KRB5-PADATA-ENC-UNIX-TIME(5),
    KRB5-PADATA-SANDIA-SECUREID(6),
    KRB5-PADATA-SESAME(7),
    KRB5-PADATA-OSF-DCE(8),
    KRB5-PADATA-CYBERSAFE-SECUREID(9),
    KRB5-PADATA-AFS3-SALT(10),
    KRB5-PADATA-ETYPE-INFO(11),
    KRB5-PADATA-SAM-CHALLENGE(12),              -- (sam/otp)
    KRB5-PADATA-SAM-RESPONSE(13),               -- (sam/otp)
    KRB5-PADATA-PK-AS-REQ-19(14),               -- (PKINIT-19)
    KRB5-PADATA-PK-AS-REP-19(15),               -- (PKINIT-19)
    KRB5-PADATA-PK-AS-REQ-WIN(15),              -- (PKINIT, old number)
    KRB5-PADATA-PK-AS-REQ(16),                  -- (PKINIT-25)
    KRB5-PADATA-PK-AS-REP(17),                  -- (PKINIT-25)
    KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
    KRB5-PADATA-ETYPE-INFO2(19),
    KRB5-PADATA-USE-SPECIFIED-KVNO(20),
    KRB5-PADATA-SVR-REFERRAL-INFO(20),          -- old ms referral number
    KRB5-PADATA-SAM-REDIRECT(21),               -- (sam/otp)
    KRB5-PADATA-GET-FROM-TYPED-DATA(22),
    KRB5-PADATA-SAM-ETYPE-INFO(23),
    KRB5-PADATA-SERVER-REFERRAL(25),
    KRB5-PADATA-ALT-PRINC(24),                  -- (crawdad@fnal.gov)
    KRB5-PADATA-SAM-CHALLENGE2(30),             -- (kenh@pobox.com)
    KRB5-PADATA-SAM-RESPONSE2(31),              -- (kenh@pobox.com)
    KRB5-PA-EXTRA-TGT(41),                      -- Reserved extra TGT
    KRB5-PADATA-TD-KRB-PRINCIPAL(102),          -- PrincipalName
    KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104),  -- PKINIT
    KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105),   -- PKINIT
    KRB5-PADATA-TD-APP-DEFINED-ERROR(106),      -- application specific
    KRB5-PADATA-TD-REQ-NONCE(107),              -- INTEGER
    KRB5-PADATA-TD-REQ-SEQ(108),                -- INTEGER
    KRB5-PADATA-PA-PAC-REQUEST(128),            -- jbrezak@exchange.microsoft.com
    KRB5-PADATA-FOR-USER(129),                  -- MS-KILE
    KRB5-PADATA-FOR-X509-USER(130),             -- MS-KILE
    KRB5-PADATA-FOR-CHECK-DUPS(131),            -- MS-KILE
    KRB5-PADATA-AS-CHECKSUM(132),               -- MS-KILE
    KRB5-PADATA-PK-AS-09-BINDING(132),          -- client sends this to
                                                -- tell the KDC that it supports
                                                -- the asCheckSum in the
                                                -- PK-AS-REP
    KRB5-PADATA-CLIENT-CANONICALIZED(133),      -- referrals
    KRB5-PADATA-FX-COOKIE(133),                 -- krb-wg-preauth-framework
    KRB5-PADATA-AUTHENTICATION-SET(134),        -- krb-wg-preauth-framework
    KRB5-PADATA-AUTH-SET-SELECTED(135),         -- krb-wg-preauth-framework
    KRB5-PADATA-FX-FAST(136),                   -- krb-wg-preauth-framework
    KRB5-PADATA-FX-ERROR(137),                  -- krb-wg-preauth-framework
    KRB5-PADATA-ENCRYPTED-CHALLENGE(138),       -- krb-wg-preauth-framework
    KRB5-PADATA-OTP-CHALLENGE(141),             -- (gareth.richards@rsa.com)
    KRB5-PADATA-OTP-REQUEST(142),               -- (gareth.richards@rsa.com)
    -- NOTE(review): "KBB5" is a typo for "KRB5", but the identifier is part
    -- of the generated API, so it is left as is rather than silently renamed.
    KBB5-PADATA-OTP-CONFIRM(143),               -- (gareth.richards@rsa.com)
    KRB5-PADATA-OTP-PIN-CHANGE(144),            -- (gareth.richards@rsa.com)
    KRB5-PADATA-EPAK-AS-REQ(145),
    KRB5-PADATA-EPAK-AS-REP(146),
    KRB5-PADATA-PKINIT-KX(147),                 -- krb-wg-anon
    KRB5-PADATA-PKU2U-NAME(148),                -- zhu-pku2u
    KRB5-PADATA-REQ-ENC-PA-REP(149),            --
    KRB5-PADATA-SUPPORTED-ETYPES(165)           -- MS-KILE
}

-- Authorization data element types (AuthorizationDataElement.ad-type).
-- ad-type is declared as krb5int32 in AuthorizationDataElement, so negative
-- values such as SIGNTICKET-OLDER are representable.
AUTHDATA-TYPE ::= INTEGER {
    KRB5-AUTHDATA-IF-RELEVANT(1),
    -- NOTE(review): underscore in INTENDED-FOR_SERVER is inconsistent with
    -- the other names; kept because the generated identifier is public.
    KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
    KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
    KRB5-AUTHDATA-KDC-ISSUED(4),
    KRB5-AUTHDATA-AND-OR(5),
    KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
    KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
    KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
    KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
    KRB5-AUTHDATA-OSF-DCE(64),
    KRB5-AUTHDATA-SESAME(65),
    KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
    KRB5-AUTHDATA-WIN2K-PAC(128),
    KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
    KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
    KRB5-AUTHDATA-SIGNTICKET-OLD(142),
    KRB5-AUTHDATA-SIGNTICKET(512)
}

-- checksumtypes

-- Checksum algorithm identifiers (Checksum.cksumtype).
-- NOTE(review): NONE, CRC32, RSA_MD4, RSA_MD5, SHA1_OTHER and SHA1 are
-- unkeyed; nothing in this schema prevents a peer from sending one of them
-- where a keyed checksum is required.  That check has to live in the
-- verification code (confirm it rejects unkeyed types for KRB-SAFE,
-- AD-KDCIssued and the FAST checksums).
CKSUMTYPE ::= INTEGER {
    CKSUMTYPE_NONE(0),
    CKSUMTYPE_CRC32(1),
    CKSUMTYPE_RSA_MD4(2),
    CKSUMTYPE_RSA_MD4_DES(3),
    CKSUMTYPE_DES_MAC(4),
    CKSUMTYPE_DES_MAC_K(5),
    CKSUMTYPE_RSA_MD4_DES_K(6),
    CKSUMTYPE_RSA_MD5(7),
    CKSUMTYPE_RSA_MD5_DES(8),
    CKSUMTYPE_RSA_MD5_DES3(9),
    CKSUMTYPE_SHA1_OTHER(10),
    CKSUMTYPE_HMAC_SHA1_DES3(12),
    CKSUMTYPE_SHA1(14),
    CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
    CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
    CKSUMTYPE_GSSAPI(0x8003),
    CKSUMTYPE_HMAC_MD5(-138),       -- unofficial microsoft number
    CKSUMTYPE_HMAC_MD5_ENC(-1138)   -- even more unofficial
}

--enctypes

-- Encryption type identifiers (EncryptedData.etype, EncryptionKey.keytype).
-- NOTE(review): this list is an identifier table, not a policy.  The
-- single-DES and ARCFOUR entries are weak by today's standards; whether the
-- KDC and library accept them is decided by the runtime etype policy, which
-- should be confirmed separately.  The negative "internal use" values should
-- never be emitted on the wire.
ENCTYPE ::= INTEGER {
    KRB5_ENCTYPE_NULL(0),
    KRB5_ENCTYPE_DES_CBC_CRC(1),
    KRB5_ENCTYPE_DES_CBC_MD4(2),
    KRB5_ENCTYPE_DES_CBC_MD5(3),
    KRB5_ENCTYPE_DES3_CBC_MD5(5),
    KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
    KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
    KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
    KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
    KRB5_ENCTYPE_DES3_CBC_SHA1(16),             -- with key derivation
    KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
    KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
    KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
    KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
    KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
-- some "old" windows types
    KRB5_ENCTYPE_ARCFOUR_MD4(-128),
    KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
    KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use
    KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
    KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
    KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
    KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
    KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004),      -- private use, lukeh@padl.com
    KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005)         -- private use, lukeh@padl.com
}




-- this is sugar to make something ASN1 does not have: unsigned

-- Range-constrained integers; the constraint is what lets the generated
-- decoder reject out-of-range values instead of silently wrapping.
krb5uint32 ::= INTEGER (0..4294967295)
krb5int32 ::= INTEGER (-2147483648..2147483647)

KerberosString ::= GeneralString

Realm ::= GeneralString

-- name-type is advisory: two names with equal name-string but different
-- name-type are still the same principal for most purposes (not enforced here).
PrincipalName ::= SEQUENCE {
    name-type[0]    NAME-TYPE,
    name-string[1]  SEQUENCE OF GeneralString
}

-- this is not part of RFC1510
Principal ::= SEQUENCE {
    name[0]   PrincipalName,
    realm[1]  Realm
}

Principals ::= SEQUENCE OF Principal

-- addr-type is an address-family number; address is the raw address bytes,
-- so its expected length depends on addr-type.
HostAddress ::= SEQUENCE {
    addr-type[0]  krb5int32,
    address[1]    OCTET STRING
}

-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
--      addr-type[0]    krb5int32,
--      address[1]      OCTET STRING
-- }

-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress


KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

-- ad-data is opaque at this level; its encoding is selected by ad-type.
AuthorizationDataElement ::= SEQUENCE {
    ad-type[0]  krb5int32,
    ad-data[1]  OCTET STRING
}

AuthorizationData ::= SEQUENCE OF AuthorizationDataElement

APOptions ::= BIT STRING {
    reserved(0),
    use-session-key(1),
    mutual-required(2)
}

-- Flags carried in EncTicketPart.flags and echoed in EncKDCRepPart.flags.
TicketFlags ::= BIT STRING {
    reserved(0),
    forwardable(1),
    forwarded(2),
    proxiable(3),
    proxy(4),
    may-postdate(5),
    postdated(6),
    invalid(7),
    renewable(8),
    initial(9),
    pre-authent(10),
    hw-authent(11),
    transited-policy-checked(12),
    ok-as-delegate(13),
    anonymous(14),
    enc-pa-rep(15)
}

-- Options requested by the client in KDC-REQ-BODY.kdc-options.  Bit numbers
-- 1..8 line up with the same-named TicketFlags bits.
KDCOptions ::= BIT STRING {
    reserved(0),
    forwardable(1),
    forwarded(2),
    proxiable(3),
    proxy(4),
    allow-postdate(5),
    postdated(6),
    renewable(8),
    request-anonymous(14),
    canonicalize(15),
    constrained-delegation(16),     -- ms extension
    disable-transited-check(26),
    renewable-ok(27),
    enc-tkt-in-skey(28),
    renew(30),
    validate(31)
}

LR-TYPE ::= INTEGER {
    LR_NONE(0),             -- no information
    LR_INITIAL_TGT(1),      -- last initial TGT request
    LR_INITIAL(2),          -- last initial request
    LR_ISSUE_USE_TGT(3),    -- time of newest TGT used
    LR_RENEWAL(4),          -- time of last renewal
    LR_REQUEST(5),          -- time of last request (of any type)
    LR_PW_EXPTIME(6),       -- expiration time of password
    LR_ACCT_EXPTIME(7)      -- expiration time of account
}

LastReq ::= SEQUENCE OF SEQUENCE {
    lr-type[0]   LR-TYPE,
    lr-value[1]  KerberosTime
}


-- NOTE(review): etype and kvno are chosen by the sender and are unverified
-- until decryption succeeds.  The consumer should check etype against the
-- local allowed-etype policy and bound kvno lookups rather than trusting
-- these fields; the schema only constrains their ranges.
EncryptedData ::= SEQUENCE {
    etype[0]   ENCTYPE,             -- EncryptionType
    kvno[1]    krb5int32 OPTIONAL,
    cipher[2]  OCTET STRING         -- ciphertext
}

-- keytype is an ENCTYPE value (declared as krb5int32 here).
EncryptionKey ::= SEQUENCE {
    keytype[0]   krb5int32,
    keyvalue[1]  OCTET STRING
}

-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
    tr-type[0]   krb5int32,         -- must be registered
    contents[1]  OCTET STRING
}

-- realm and sname are in the clear; everything about the client is inside
-- enc-part (EncTicketPart), encrypted under the service's key.
Ticket ::= [APPLICATION 1] SEQUENCE {
    tkt-vno[0]   krb5int32,
    realm[1]     Realm,
    sname[2]     PrincipalName,
    enc-part[3]  EncryptedData
}
-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
    flags[0]               TicketFlags,
    key[1]                 EncryptionKey,
    crealm[2]              Realm,
    cname[3]               PrincipalName,
    transited[4]           TransitedEncoding,
    authtime[5]            KerberosTime,
    starttime[6]           KerberosTime OPTIONAL,
    endtime[7]             KerberosTime,
    renew-till[8]          KerberosTime OPTIONAL,
    caddr[9]               HostAddresses OPTIONAL,
    authorization-data[10] AuthorizationData OPTIONAL
}

Checksum ::= SEQUENCE {
    cksumtype[0]  CKSUMTYPE,
    checksum[1]   OCTET STRING
}

-- Encrypted in AP-REQ.authenticator under the ticket session key.
-- cusec/ctime are the replay-detection fields; seq-number is krb5uint32.
Authenticator ::= [APPLICATION 2] SEQUENCE {
    authenticator-vno[0]  krb5int32,
    crealm[1]             Realm,
    cname[2]              PrincipalName,
    cksum[3]              Checksum OPTIONAL,
    cusec[4]              krb5int32,
    ctime[5]              KerberosTime,
    subkey[6]             EncryptionKey OPTIONAL,
    seq-number[7]         krb5uint32 OPTIONAL,
    authorization-data[8] AuthorizationData OPTIONAL
}

-- Note the tags start at [1], not [0].
PA-DATA ::= SEQUENCE {
    -- might be encoded AP-REQ
    padata-type[1]   PADATA-TYPE,
    padata-value[2]  OCTET STRING
}

ETYPE-INFO-ENTRY ::= SEQUENCE {
    etype[0]     ENCTYPE,
    salt[1]      OCTET STRING OPTIONAL,
    salttype[2]  krb5int32 OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

-- NOTE(review): salt and s2kparams are sent by the KDC before the client
-- has authenticated it; a client should not accept weaker s2kparams than
-- its own policy allows (not expressible in the schema).
ETYPE-INFO2-ENTRY ::= SEQUENCE {
    etype[0]      ENCTYPE,
    salt[1]       KerberosString OPTIONAL,
    s2kparams[2]  OCTET STRING OPTIONAL
}

ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

METHOD-DATA ::= SEQUENCE OF PA-DATA

TypedData ::= SEQUENCE {
    data-type[0]   krb5int32,
    data-value[1]  OCTET STRING OPTIONAL
}

TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData

-- Body shared by AS-REQ and TGS-REQ.  etype is the client's preference
-- list; the KDC picks from it, so the list is where an enctype downgrade
-- would be attempted (the KDC's policy decides, not this definition).
KDC-REQ-BODY ::= SEQUENCE {
    kdc-options[0]             KDCOptions,
    cname[1]                   PrincipalName OPTIONAL, -- Used only in AS-REQ
    realm[2]                   Realm,  -- Server's realm
                                       -- Also client's in AS-REQ
    sname[3]                   PrincipalName OPTIONAL,
    from[4]                    KerberosTime OPTIONAL,
    till[5]                    KerberosTime OPTIONAL,
    rtime[6]                   KerberosTime OPTIONAL,
    nonce[7]                   krb5int32,
    etype[8]                   SEQUENCE OF ENCTYPE,    -- EncryptionType,
                                                       -- in preference order
    addresses[9]               HostAddresses OPTIONAL,
    enc-authorization-data[10] EncryptedData OPTIONAL,
                               -- Encrypted AuthorizationData encoding
    additional-tickets[11]     SEQUENCE OF Ticket OPTIONAL
}

-- Note the tags start at [1], not [0].
KDC-REQ ::= SEQUENCE {
    pvno[1]      krb5int32,
    msg-type[2]  MESSAGE-TYPE,
    padata[3]    METHOD-DATA OPTIONAL,
    req-body[4]  KDC-REQ-BODY
}

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC

-- Encrypted-timestamp pre-authentication payload.
-- NOTE(review): this is encrypted under the client's long-term key, so a
-- captured PA-ENC-TIMESTAMP is an offline guessing target for weak
-- passwords; FAST armoring (below) is the mitigation.
PA-ENC-TS-ENC ::= SEQUENCE {
    patimestamp[0]  KerberosTime,   -- client's time
    pausec[1]       krb5int32 OPTIONAL
}

-- draft-brezak-win2k-krb-authz-01
PA-PAC-REQUEST ::= SEQUENCE {
    include-pac[0]  BOOLEAN -- Indicates whether a PAC
                            -- should be included or not
}

-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
PROV-SRV-LOCATION ::= GeneralString

-- crealm/cname are in the clear and are what the client matches the reply
-- against; the session key and ticket details are in enc-part.
KDC-REP ::= SEQUENCE {
    pvno[0]      krb5int32,
    msg-type[1]  MESSAGE-TYPE,
    padata[2]    METHOD-DATA OPTIONAL,
    crealm[3]    Realm,
    cname[4]     PrincipalName,
    ticket[5]    Ticket,
    enc-part[6]  EncryptedData
}

AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP

-- Decrypted KDC-REP.enc-part.  nonce must match the request nonce; a client
-- that skips that check accepts replayed replies (check lives in the caller).
EncKDCRepPart ::= SEQUENCE {
    key[0]               EncryptionKey,
    last-req[1]          LastReq,
    nonce[2]             krb5int32,
    key-expiration[3]    KerberosTime OPTIONAL,
    flags[4]             TicketFlags,
    authtime[5]          KerberosTime,
    starttime[6]         KerberosTime OPTIONAL,
    endtime[7]           KerberosTime,
    renew-till[8]        KerberosTime OPTIONAL,
    srealm[9]            Realm,
    sname[10]            PrincipalName,
    caddr[11]            HostAddresses OPTIONAL,
    encrypted-pa-data[12] METHOD-DATA OPTIONAL
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

AP-REQ ::= [APPLICATION 14] SEQUENCE {
    pvno[0]           krb5int32,
    msg-type[1]       MESSAGE-TYPE,
    ap-options[2]     APOptions,
    ticket[3]         Ticket,
    authenticator[4]  EncryptedData
}

AP-REP ::= [APPLICATION 15] SEQUENCE {
    pvno[0]      krb5int32,
    msg-type[1]  MESSAGE-TYPE,
    enc-part[2]  EncryptedData
}

-- ctime/cusec echo the Authenticator values; that echo is the mutual
-- authentication proof the client checks.
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
    ctime[0]       KerberosTime,
    cusec[1]       krb5int32,
    subkey[2]      EncryptionKey OPTIONAL,
    seq-number[3]  krb5uint32 OPTIONAL
}

KRB-SAFE-BODY ::= SEQUENCE {
    user-data[0]   OCTET STRING,
    timestamp[1]   KerberosTime OPTIONAL,
    usec[2]        krb5int32 OPTIONAL,
    seq-number[3]  krb5uint32 OPTIONAL,
    s-address[4]   HostAddress OPTIONAL,
    r-address[5]   HostAddress OPTIONAL
}

-- Integrity-only message: safe-body is plaintext, cksum must be a keyed
-- checksum over it (see the CKSUMTYPE note).
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
    pvno[0]       krb5int32,
    msg-type[1]   MESSAGE-TYPE,
    safe-body[2]  KRB-SAFE-BODY,
    cksum[3]      Checksum
}

-- Note: enc-part is tag [3]; there is no [2].
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
    pvno[0]      krb5int32,
    msg-type[1]  MESSAGE-TYPE,
    enc-part[3]  EncryptedData
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
    user-data[0]   OCTET STRING,
    timestamp[1]   KerberosTime OPTIONAL,
    usec[2]        krb5int32 OPTIONAL,
    seq-number[3]  krb5uint32 OPTIONAL,
    s-address[4]   HostAddress OPTIONAL,  -- sender's addr
    r-address[5]   HostAddress OPTIONAL   -- recip's addr
}

-- Credential forwarding.  The tickets themselves are in the clear; the
-- matching session keys travel in enc-part (EncKrbCredPart).
KRB-CRED ::= [APPLICATION 22] SEQUENCE {
    pvno[0]      krb5int32,
    msg-type[1]  MESSAGE-TYPE,  -- KRB_CRED
    tickets[2]   SEQUENCE OF Ticket,
    enc-part[3]  EncryptedData
}

KrbCredInfo ::= SEQUENCE {
    key[0]         EncryptionKey,
    prealm[1]      Realm OPTIONAL,
    pname[2]       PrincipalName OPTIONAL,
    flags[3]       TicketFlags OPTIONAL,
    authtime[4]    KerberosTime OPTIONAL,
    starttime[5]   KerberosTime OPTIONAL,
    endtime[6]     KerberosTime OPTIONAL,
    renew-till[7]  KerberosTime OPTIONAL,
    srealm[8]      Realm OPTIONAL,
    sname[9]       PrincipalName OPTIONAL,
    caddr[10]      HostAddresses OPTIONAL
}

-- ticket-info[i] carries the key for KRB-CRED.tickets[i]; everything else
-- here is optional.
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
    ticket-info[0]  SEQUENCE OF KrbCredInfo,
    nonce[1]        krb5int32 OPTIONAL,
    timestamp[2]    KerberosTime OPTIONAL,
    usec[3]         krb5int32 OPTIONAL,
    s-address[4]    HostAddress OPTIONAL,
    r-address[5]    HostAddress OPTIONAL
}

-- NOTE(review): KRB-ERROR is neither encrypted nor integrity protected in
-- this schema; e-data is opaque here and its encoding depends on error-code.
-- Clients should not act on e-text/e-data beyond what the error-code allows.
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
    pvno[0]        krb5int32,
    msg-type[1]    MESSAGE-TYPE,
    ctime[2]       KerberosTime OPTIONAL,
    cusec[3]       krb5int32 OPTIONAL,
    stime[4]       KerberosTime,
    susec[5]       krb5int32,
    error-code[6]  krb5int32,
    crealm[7]      Realm OPTIONAL,
    cname[8]       PrincipalName OPTIONAL,
    realm[9]       Realm,          -- Correct realm
    sname[10]      PrincipalName,  -- Correct name
    e-text[11]     GeneralString OPTIONAL,
    e-data[12]     OCTET STRING OPTIONAL
}

-- newpasswd is the raw new password bytes; this structure is expected to
-- travel inside a KRB-PRIV, never bare.
ChangePasswdDataMS ::= SEQUENCE {
    newpasswd[0]  OCTET STRING,
    targname[1]   PrincipalName OPTIONAL,
    targrealm[2]  Realm OPTIONAL
}

EtypeList ::= SEQUENCE OF ENCTYPE
        -- the client's proposed enctype list in
        -- decreasing preference order, favorite choice first

krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number

-- transited encodings

DOMAIN-X500-COMPRESS krb5int32 ::= 1

-- authorization data primitives

AD-IF-RELEVANT ::= AuthorizationData

-- ad-checksum is the KDC's keyed checksum over elements; without verifying
-- it, elements are client-supplied data.
AD-KDCIssued ::= SEQUENCE {
    ad-checksum[0]  Checksum,
    i-realm[1]      Realm OPTIONAL,
    i-sname[2]      PrincipalName OPTIONAL,
    elements[3]     AuthorizationData
}

AD-AND-OR ::= SEQUENCE {
    condition-count[0]  INTEGER,
    elements[1]         AuthorizationData
}

AD-MANDATORY-FOR-KDC ::= AuthorizationData

-- PA-SAM-CHALLENGE-2/PA-SAM-RESPONSE-2

PA-SAM-TYPE ::= INTEGER {
    PA_SAM_TYPE_ENIGMA(1),      -- Enigma Logic
    PA_SAM_TYPE_DIGI_PATH(2),   -- Digital Pathways
    PA_SAM_TYPE_SKEY_K0(3),     -- S/key where KDC has key 0
    PA_SAM_TYPE_SKEY(4),        -- Traditional S/Key
    PA_SAM_TYPE_SECURID(5),     -- Security Dynamics
    PA_SAM_TYPE_CRYPTOCARD(6)   -- CRYPTOCard
}

PA-SAM-REDIRECT ::= HostAddresses

SAMFlags ::= BIT STRING {
    use-sad-as-key(0),
    send-encrypted-sad(1),
    must-pk-encrypt-sad(2)
}

-- Extensible (the trailing "...") so unknown fields from newer peers decode.
PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
    sam-type[0]             krb5int32,
    sam-flags[1]            SAMFlags,
    sam-type-name[2]        GeneralString OPTIONAL,
    sam-track-id[3]         GeneralString OPTIONAL,
    sam-challenge-label[4]  GeneralString OPTIONAL,
    sam-challenge[5]        GeneralString OPTIONAL,
    sam-response-prompt[6]  GeneralString OPTIONAL,
    sam-pk-for-sad[7]       EncryptionKey OPTIONAL,
    sam-nonce[8]            krb5int32,
    sam-etype[9]            krb5int32,
    ...
}

PA-SAM-CHALLENGE-2 ::= SEQUENCE {
    sam-body[0]   PA-SAM-CHALLENGE-2-BODY,
    sam-cksum[1]  SEQUENCE OF Checksum, -- (1..MAX)
    ...
}

PA-SAM-RESPONSE-2 ::= SEQUENCE {
    sam-type[0]              krb5int32,
    sam-flags[1]             SAMFlags,
    sam-track-id[2]          GeneralString OPTIONAL,
    sam-enc-nonce-or-sad[3]  EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
    sam-nonce[4]             krb5int32,
    ...
}

PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
    sam-nonce[0]  krb5int32,
    sam-sad[1]    GeneralString OPTIONAL,
    ...
}

-- Protocol transition request (S4U2Self): the requesting service names the
-- user it wants a ticket for; cksum is what binds name/realm/auth together.
PA-S4U2Self ::= SEQUENCE {
    name[0]   PrincipalName,
    realm[1]  Realm,
    cksum[2]  Checksum,
    auth[3]   GeneralString
}

-- never encoded on the wire, just used to checksum over
KRB5SignedPathData ::= SEQUENCE {
    client[0]       Principal OPTIONAL,
    authtime[1]     KerberosTime,
    delegated[2]    Principals OPTIONAL,
    method_data[3]  METHOD-DATA OPTIONAL
}

KRB5SignedPath ::= SEQUENCE {
    -- cksum is computed over the DER-encoded KRB5SignedPathData with the
    -- krbtgt key (etype).
    -- TODO(review): the key usage number is still a placeholder ("XXX") in
    -- this comment; it must match what the signing and verifying code use.
    -- krbtgt key (etype), KeyUsage = XXX
    etype[0]        ENCTYPE,
    cksum[1]        Checksum,
    -- servers delegated through
    delegated[2]    Principals OPTIONAL,
    method_data[3]  METHOD-DATA OPTIONAL
}

PA-ClientCanonicalizedNames ::= SEQUENCE{
    requested-name [0]  PrincipalName,
    mapped-name [1]     PrincipalName
}

-- canon-checksum is what lets the client trust the requested->mapped name
-- change; the mapping is meaningless without verifying it.
PA-ClientCanonicalized ::= SEQUENCE {
    names [0]           PA-ClientCanonicalizedNames,
    canon-checksum [1]  Checksum
}

AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
    login-alias [0]  PrincipalName,
    checksum [1]     Checksum
}

-- old ms referral
-- Note: the fields are listed in tag order [1] then [0]; keep that order.
PA-SvrReferralData ::= SEQUENCE {
    referred-name [1]   PrincipalName OPTIONAL,
    referred-realm [0]  Realm
}

PA-SERVER-REFERRAL-DATA ::= EncryptedData

PA-ServerReferralData ::= SEQUENCE {
    referred-realm [0]            Realm OPTIONAL,
    true-principal-name [1]       PrincipalName OPTIONAL,
    requested-principal-name [2]  PrincipalName OPTIONAL,
    referral-valid-until [3]      KerberosTime OPTIONAL,
    ...
}

-- FAST (flexible authentication secure tunneling) pre-authentication.

FastOptions ::= BIT STRING {
    reserved(0),
    hide-client-names(1),
    kdc-follow-referrals(16)
}

-- The inner, armored request; padata and req-body here replace the outer
-- (cleartext) ones once the armor is verified.
KrbFastReq ::= SEQUENCE {
    fast-options [0]  FastOptions,
    padata [1]        METHOD-DATA,
    req-body [2]      KDC-REQ-BODY,
    ...
}

KrbFastArmor ::= SEQUENCE {
    armor-type [0]   krb5int32,
    armor-value [1]  OCTET STRING,
    ...
}

-- req-checksum binds the outer KDC-REQ-BODY to the armored request; a KDC
-- that skips it lets the outer body be swapped.  armor is OPTIONAL because
-- in a TGS exchange the armor key comes from the AP-REQ instead.
KrbFastArmoredReq ::= SEQUENCE {
    armor [0]         KrbFastArmor OPTIONAL,
    req-checksum [1]  Checksum,
    enc-fast-req [2]  EncryptedData -- KrbFastReq --
}

PA-FX-FAST-REQUEST ::= CHOICE {
    armored-data [0]  KrbFastArmoredReq,
    ...
}

-- ticket-checksum covers the returned ticket; it is what stops the
-- cleartext ticket in KDC-REP from being replaced.
KrbFastFinished ::= SEQUENCE {
    timestamp [0]        KerberosTime,
    usec [1]             krb5int32,
    crealm [2]           Realm,
    cname [3]            PrincipalName,
    ticket-checksum [4]  Checksum,
    ...
}

KrbFastResponse ::= SEQUENCE {
    padata [0]          METHOD-DATA,
    strengthen-key [1]  EncryptionKey OPTIONAL,
    finished [2]        KrbFastFinished OPTIONAL,
    nonce [3]           krb5uint32,
    ...
}

KrbFastArmoredRep ::= SEQUENCE {
    enc-fast-rep [0]  EncryptedData, -- KrbFastResponse --
    ...
}

PA-FX-FAST-REPLY ::= CHOICE {
    armored-data [0]  KrbFastArmoredRep,
    ...
}

-- NOTE(review): kdc_verfied is a typo for kdc_verified; left unchanged
-- because the bit name is part of the generated API.
KDCFastFlags ::= BIT STRING {
    use_reply_key(0),
    reply_key_used(1),
    reply_key_replaced(2),
    kdc_verfied(3)
}

-- KDCFastState is stored in FX_COOKIE
-- NOTE(review): this state round-trips through the client inside the cookie,
-- so its confidentiality and integrity rest entirely on KDCFastCookie.cookie
-- being encrypted (presumably under a KDC-only key; verify in the KDC code)
-- and on expiration being enforced when the cookie comes back.
KDCFastState ::= SEQUENCE {
    flags [0]             KDCFastFlags,
    expiration [1]        GeneralizedTime,
    fast-state [2]        METHOD-DATA,
    expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
}

KDCFastCookie ::= SEQUENCE {
    version [0]  UTF8String,
    cookie [1]   EncryptedData
}

-- Wrapper used when a Kerberos message is relayed over a proxy transport;
-- kerb-message is the encoded Kerberos message, opaque at this level.
KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message [0]    OCTET STRING,
    target-domain [1]   Realm OPTIONAL,
    dclocator-hint [2]  INTEGER OPTIONAL
}

-- these messages are used in the GSSCred communication and are not part of
-- Kerberos proper.  Note that KERB-CRED carries a session key (keyblock)
-- in a plain SEQUENCE; the transport that moves these must provide the
-- protection.

KERB-TIMES ::= SEQUENCE {
    authtime [0]    KerberosTime,
    starttime [1]   KerberosTime,
    endtime [2]     KerberosTime,
    renew_till [3]  KerberosTime
}

KERB-CRED ::= SEQUENCE {
    client [0]     Principal,
    server [1]     Principal,
    keyblock [2]   EncryptionKey,
    times [3]      KERB-TIMES,
    ticket [4]     OCTET STRING,
    authdata [5]   OCTET STRING,
    addresses [6]  HostAddresses,
    flags [7]      TicketFlags
}

-- cache is a fixed 16-byte identifier (SIZE (16)); the decoder enforces
-- the length.
KERB-TGS-REQ-IN ::= SEQUENCE {
    cache [0]    OCTET STRING SIZE (16),
    addrs [1]    HostAddresses,
    flags [2]    krb5uint32,
    imp [3]      Principal OPTIONAL,
    ticket [4]   OCTET STRING OPTIONAL,
    in_cred [5]  KERB-CRED,
    krbtgt [6]   KERB-CRED,
    padata [7]   METHOD-DATA
}

KERB-TGS-REQ-OUT ::= SEQUENCE {
    subkey [0]  EncryptionKey OPTIONAL,
    t [1]       TGS-REQ
}



-- Not in the EXPORTS list above (see the note there).
KERB-TGS-REP-IN ::= SEQUENCE {
    cache [0]    OCTET STRING SIZE (16),
    subkey [1]   EncryptionKey OPTIONAL,
    in_cred [2]  KERB-CRED,
    t [3]        TGS-REP
}

-- Not in the EXPORTS list above (see the note there).
KERB-TGS-REP-OUT ::= SEQUENCE {
    cache [0]   OCTET STRING SIZE (16),
    cred [1]    KERB-CRED,
    subkey [2]  EncryptionKey
}


END

-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1