-- $Id$ --

-- PKINIT (public-key cryptography for Kerberos initial authentication)
-- wire formats.  These definitions describe only the encoding.  Signature
-- verification of the opaque OCTET STRING payloads, certificate-path
-- validation, nonce and timestamp freshness, and range checks on the
-- integer fields all belong to the code that consumes the decoded values;
-- the generated decoder enforces none of them.
PKINIT DEFINITIONS ::= BEGIN

-- ContentInfo is imported but not referenced by any type in this module.
-- heim_any is Heimdal's placeholder for an uninterpreted ASN.1 value
-- (presumably kept as raw encoded bytes; confirm against the heim module).
IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
	IssuerAndSerialNumber, ContentInfo FROM cms
	SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
	heim_any FROM heim;

-- Root arc for PKINIT identifiers (1.3.6.1.5.2.3); the content-type,
-- extended-key-usage and KDF identifiers below hang off it.
id-pkinit OBJECT IDENTIFIER ::=
	{ iso (1) org (3) dod (6) internet (1) security (5)
	  kerberosv5 (2) pkinit (3) }

-- Going by their names: three CMS content-type identifiers (authdata,
-- dhkeydata, rkeydata) and the client and KDC extended-key-usage
-- identifiers (ekuoid, kdcekuoid) that certificate policy is checked
-- against.  Nothing in this module ties them to the types below.
id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }
id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }
id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }

-- Apple enterprise arc (1.2.840.113635); not referenced by any type here.
id-apple-system-id OBJECT IDENTIFIER ::= { 1 2 840 113635 100 4 4 }

-- Key-derivation function identifiers.  Presumably these are the values
-- carried in KDFAlgorithmId.kdf-id (offered in AuthPack.supportedKDFs,
-- selected in DHRepInfo.kdf); the schema does not constrain kdf-id to them.
id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }

-- Subject-alternative-name OID whose value is a KRB5PrincipalName (below).
id-pkinit-san OBJECT IDENTIFIER ::=
	{ iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
	  x509-sanan(2) }

-- Microsoft arc (1.3.6.1.4.1.311.20.2): the Microsoft logon EKU and the
-- UPN subject-alternative-name form.
id-pkinit-ms-eku OBJECT IDENTIFIER ::=
	{ iso(1) org(3) dod(6) internet(1) private(4)
	  enterprise(1) microsoft(311) 20 2 2 }

id-pkinit-ms-san OBJECT IDENTIFIER ::=
	{ iso(1) org(3) dod(6) internet(1) private(4)
	  enterprise(1) microsoft(311) 20 2 3 }

-- Payload of the Microsoft UPN SAN: a bare, uninterpreted UTF8String.
-- Any mapping from this string to a Kerberos principal and realm is done
-- by the consumer, not expressed here.
MS-UPN-SAN ::= UTF8String

-- padata-type numbers for the PKINIT pre-authentication exchange.
pa-pk-as-req INTEGER ::= 16
pa-pk-as-rep INTEGER ::= 17

-- Typed-data numbers used when the KDC reports why a request was rejected
-- (bodies: TD-TRUSTED-CERTIFIERS, TD-INVALID-CERTIFICATES, TD-DH-PARAMETERS).
td-trusted-certifiers INTEGER ::= 104
td-invalid-certificates INTEGER ::= 105
td-dh-parameters INTEGER ::= 109

-- Client or server DH nonce.  No length is constrained here; the consumer
-- decides what sizes it accepts.
DHNonce ::= OCTET STRING

-- Extensible KDF selector (see the id-pkinit-kdf arc above).
KDFAlgorithmId ::= SEQUENCE {
	kdf-id [0] OBJECT IDENTIFIER,
	...
}

-- Trust-anchor reference.  caName is an IMPLICIT OCTET STRING, i.e. an
-- opaque encoding (presumably a DER X.509 Name) that the consumer must
-- parse and validate itself.
TrustedCA ::= SEQUENCE {
	caName [0] IMPLICIT OCTET STRING,
	certificateSerialNumber [1] INTEGER OPTIONAL,
	subjectKeyIdentifier [2] OCTET STRING OPTIONAL,
	...
}

-- Identifies a certificate by subject name, issuer+serial, or key id.
-- All three are opaque OCTET STRINGs (per RFC 4556 they hold DER
-- encodings of the corresponding X.509 structures) and all three are
-- OPTIONAL, so an identifier with no field set is schema-valid; the
-- consumer must reject or ignore such entries explicitly.
ExternalPrincipalIdentifier ::= SEQUENCE {
	subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
	issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
	subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
	...
}

ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier

-- Client pre-authentication data (padata-type pa-pk-as-req).
-- signedAuthPack is opaque here (presumably CMS SignedData over an
-- AuthPack); verifying that signature and the signer's certificate chain
-- happens outside this schema.  trustedCertifiers lists CAs the client
-- trusts; kdcPkId names the KDC certificate the client expects, as an
-- opaque encoding.
PA-PK-AS-REQ ::= SEQUENCE {
	signedAuthPack [0] IMPLICIT OCTET STRING,
	trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL,
	kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL,
	...
}

-- Timestamp, nonce and request-binding checksum signed by the client.
-- cusec: the (0..999999) constraint is commented out, so the decoder
--   accepts any INTEGER; microseconds must be range-checked by the caller.
-- nonce: unsigned 32-bit here, unlike the signed ranges in the Win2k types.
-- paChecksum: OPTIONAL in the schema (per RFC 4556 it binds this
--   AuthPack to the KDC-REQ-BODY), so the policy for a missing checksum
--   lives in the KDC code, not here.
PKAuthenticator ::= SEQUENCE {
	cusec [0] INTEGER -- (0..999999) --,
	ctime [1] KerberosTime,
	nonce [2] INTEGER (0..4294967295),
	paChecksum [3] OCTET STRING OPTIONAL,
	...
}

-- Content the client signs.  clientPublicValue carries the client's DH
-- public key when DH key agreement is used (presumably absent on the
-- encKeyPack path).  Fields between the two extension markers are an
-- extension addition group: supportedKDFs was added after the base
-- definition, so older peers omit it and the KDF falls back to the
-- pre-agility behaviour chosen by the consumer.
AuthPack ::= SEQUENCE {
	pkAuthenticator [0] PKAuthenticator,
	clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
	supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
	clientDHNonce [3] DHNonce OPTIONAL,
	...,
	supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
	...
}

-- Typed-data bodies for td-trusted-certifiers / td-invalid-certificates.
TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers

-- Value of the id-pkinit-san subject-alternative-name.
KRB5PrincipalName ::= SEQUENCE {
	realm [0] Realm,
	principalName [1] PrincipalName
}

-- Authorization-data element listing the CAs that were verified during
-- initial authentication.
AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier

-- DH branch of the KDC reply.  dhSignedData is opaque (presumably CMS
-- SignedData over KDCDHKeyInfo) and must be signature-checked by the
-- consumer.  serverDHNonce is only meaningful when the client sent
-- clientDHNonce.  kdf sits in an extension addition group (see AuthPack).
DHRepInfo ::= SEQUENCE {
	dhSignedData [0] IMPLICIT OCTET STRING,
	serverDHNonce [1] DHNonce OPTIONAL,
	...,
	kdf [2] KDFAlgorithmId OPTIONAL,
	...
}

-- KDC pre-authentication reply (padata-type pa-pk-as-rep): either DH
-- key agreement or an opaque, encrypted reply key (encKeyPack).
PA-PK-AS-REP ::= CHOICE {
	dhInfo [0] DHRepInfo,
	encKeyPack [1] IMPLICIT OCTET STRING,
	...
}

-- KDC's DH public value.  nonce should be matched against the nonce the
-- client put in PKAuthenticator (per RFC 4556); dhKeyExpiration, when
-- present, bounds how long the server value may be reused.
KDCDHKeyInfo ::= SEQUENCE {
	subjectPublicKey [0] BIT STRING,
	nonce [1] INTEGER (0..4294967295),
	dhKeyExpiration [2] KerberosTime OPTIONAL,
	...
}

-- Reply key for the encKeyPack path.  asChecksum is, per RFC 4556, a
-- checksum over the AS-REQ that the client must verify to tie this key
-- to its own request.
ReplyKeyPack ::= SEQUENCE {
	replyKey [0] EncryptionKey,
	asChecksum [1] Checksum,
	...
}

-- Typed-data body for td-dh-parameters: DH groups the KDC will accept.
TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier


-- Windows compat glue --

-- Pre-RFC (Windows 2000 era) encodings.  Note the signed 32-bit INTEGER
-- ranges here versus the unsigned ranges in the RFC types above: a value
-- outside the target range cannot be transcoded losslessly and must be
-- rejected explicitly.  This form names the target KDC (kdcName/kdcRealm)
-- and carries no paChecksum, so nothing in it binds the request body.
PKAuthenticator-Win2k ::= SEQUENCE {
	kdcName [0] PrincipalName,
	kdcRealm [1] Realm,
	cusec [2] INTEGER (0..4294967295),
	ctime [3] KerberosTime,
	nonce [4] INTEGER (-2147483648..2147483647)
}

-- Win2k AuthPack: no CMS-type or nonce negotiation, no extension marker.
AuthPack-Win2k ::= SEQUENCE {
	pkAuthenticator [0] PKAuthenticator-Win2k,
	clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
}


-- Win2k trust-anchor reference.  Tags start at [1]; caName is an
-- uninterpreted heim_any value.
TrustedCA-Win2k ::= CHOICE {
	caName [1] heim_any,
	issuerAndSerial [2] IssuerAndSerialNumber
}

-- Win2k request.  Tag [1] is unused; all certificate fields are opaque
-- encodings to be parsed by the consumer.
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
	signed-auth-pack [0] IMPLICIT OCTET STRING,
	trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
	kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
	encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
}

-- Win2k reply: both alternatives are opaque OCTET STRINGs (compare
-- PA-PK-AS-REP, whose DH branch is a structured DHRepInfo).
PA-PK-AS-REP-Win2k ::= CHOICE {
	dhSignedData [0] IMPLICIT OCTET STRING,
	encKeyPack [1] IMPLICIT OCTET STRING
}

-- Win2k DH key info: signed nonce, tag [1] unused, no expiration field
-- and no extension marker.
KDCDHKeyInfo-Win2k ::= SEQUENCE {
	nonce [0] INTEGER (-2147483648..2147483647),
	subjectPublicKey [2] BIT STRING
}

-- Win2k reply key: carries a nonce instead of the asChecksum used by
-- ReplyKeyPack, so request binding is by nonce only in this form.
ReplyKeyPack-Win2k ::= SEQUENCE {
	replyKey [0] EncryptionKey,
	nonce [1] INTEGER (-2147483648..2147483647),
	...
}

-- Apple "Back to My Mac" reply variant.  Both members are OPTIONAL and
-- opaque, so the schema permits neither or both being present; the
-- consumer must treat those cases as errors itself.
PA-PK-AS-REP-BTMM ::= SEQUENCE {
	dhSignedData [0] heim_any OPTIONAL,
	encKeyPack [1] heim_any OPTIONAL
}


-- OtherInfo input to the NIST SP 800-56A concatenation KDF (PKINIT
-- algorithm agility, RFC 8636).  partyUInfo / partyVInfo identify the two
-- parties; suppPubInfo is presumably the encoding of PkinitSuppPubInfo
-- below.  algorithmID is untagged, unlike every other field in this file.
PkinitSP80056AOtherInfo ::= SEQUENCE {
	algorithmID AlgorithmIdentifier,
	partyUInfo [0] OCTET STRING,
	partyVInfo [1] OCTET STRING,
	suppPubInfo [2] OCTET STRING OPTIONAL,
	suppPrivInfo [3] OCTET STRING OPTIONAL
}

-- Public context mixed into the KDF: the negotiated enctype plus the
-- AS-REQ, the PA-PK-AS-REP and the ticket.  Folding these in binds the
-- derived key to this exact exchange, so a reply cannot be spliced onto
-- a different request without changing the key.
PkinitSuppPubInfo ::= SEQUENCE {
	enctype [0] INTEGER (-2147483648..2147483647),
	as-REQ [1] OCTET STRING,
	pk-as-rep [2] OCTET STRING,
	ticket [3] Ticket,
	...
}

END