
  1. -- $Source: /mit/krb5/.cvsroot/src/lib/krb5/asn.1/KRB5-asn.py,v $
  2. -- $Author: tytso $
  3. -- $Id: KRB5-asn.py,v 5.25 1993/09/22 00:42:36 tytso Exp $
  4. --
  5. -- Copyright 1989 by the Massachusetts Institute of Technology.
  6. --
  7. -- Export of this software from the United States of America may
  8. -- require a specific license from the United States Government.
  9. -- It is the responsibility of any person or organization contemplating
  10. -- export to obtain such a license before exporting.
  11. --
  12. -- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  13. -- distribute this software and its documentation for any purpose and
  14. -- without fee is hereby granted, provided that the above copyright
  15. -- notice appear in all copies and that both that copyright notice and
  16. -- this permission notice appear in supporting documentation, and that
  17. -- the name of M.I.T. not be used in advertising or publicity pertaining
  18. -- to distribution of the software without specific, written prior
  19. -- permission. M.I.T. makes no representations about the suitability of
  20. -- this software for any purpose. It is provided "as is" without express
  21. -- or implied warranty.
  22. --
  23. -- ASN.1 definitions for the kerberos network objects
  24. --
  25. -- Do not change the order of any structure containing some
  26. -- element_KRB5_xx unless the corresponding translation code is also
  27. -- changed.
  28. --
  29. --#SS.basic slinked--
  30. --#SS.sized array--
  31. --#SS.struct extra-ptr-type--
  32. KRB5 DEFINITIONS EXPLICIT TAGS ::= -- Module KRB5: wire formats for Kerberos v5 tickets, the KDC/AP/SAFE/PRIV/CRED/ERROR messages, PKINIT pre-authentication and authorization data. EXPLICIT TAGS means every [n] context tag below wraps the underlying type in its own tag/length unless the field says IMPLICIT. Comments of the form #name between dashes are pepsy directives, not ASN.1.
  33. BEGIN
  34. -- needed to do the Right Thing with pepsy; this isn't a valid ASN.1
  35. -- token, however.
  36. -- SECTIONS encode decode none
  37. -- the order of stuff in this file matches the order in the draft RFC
  38. KERB-REALM ::= GeneralString -- realm name; the schema places no length bound on it, so decoders have to apply their own
  39. KERB-HOST-ADDRESS ::= SEQUENCE { -- one network address: a type code plus opaque address bytes
  40. addr-type[0] INTEGER,
  41. address[1] OCTET STRING -- length depends on addr-type and is not constrained here
  42. }
  43. PKERB-HOST-ADDRESSES ::= SEQUENCE OF SEQUENCE { -- list form of KERB-HOST-ADDRESS (note the element is named address-type here but addr-type above)
  44. address-type[0] INTEGER,
  45. address[1] OCTET STRING
  46. }
  47. PKERB-AUTHORIZATION-DATA ::= SEQUENCE OF SEQUENCE { -- authorization data elements; auth-data is opaque and is interpreted according to auth-data-type
  48. auth-data-type[0] INTEGER,
  49. auth-data[1] OCTET STRING
  50. }
  51. -- A list of auth data for separate packing
  52. PKERB-AUTHORIZATION-DATA-LIST ::= PKERB-AUTHORIZATION-DATA --#public--
  53. KERB-KDC-OPTIONS ::= BIT STRING -- KDC option flags; bit meanings are not defined in this module
  54. PKERB-LAST-REQUEST ::= SEQUENCE OF SEQUENCE { -- last-request entries carried in KERB-ENCRYPTED-KDC-REPLY
  55. last-request-type[0] INTEGER,
  56. last-request-value[1] KERB-TIME
  57. }
  58. KERB-TIME ::= GeneralizedTime -- Specifying UTC time zone (Z)
  59. KERB-PRINCIPAL-NAME ::= SEQUENCE{ -- a principal: a name type plus its name components
  60. name-type[0] INTEGER,
  61. name-string[1] SEQUENCE OF GeneralString -- component count and component length are unbounded in the schema
  62. }
  63. KERB-SEQUENCE-NUMBER-LARGE ::= INTEGER (-2147483648..4294967295) -- wide enough to accept a sequence number a peer encoded as either signed or unsigned 32-bit
  64. KERB-SEQUENCE-NUMBER ::= INTEGER (0..4294967295) -- unsigned 32-bit sequence number
  65. PKERB-TICKET-EXTENSIONS ::= SEQUENCE OF SEQUENCE { -- typed extension blobs carried in KERB-TICKET outside its encrypted part
  66. te-type[0] INTEGER,
  67. te-data[1] OCTET STRING
  68. }
  69. KERB-TICKET ::= [APPLICATION 1] SEQUENCE { -- ticket as sent on the wire; only encrypted-part is protected, realm and server-name travel in the clear
  70. ticket-version[0] INTEGER,
  71. realm[1] KERB-REALM,
  72. server-name[2] KERB-PRINCIPAL-NAME,
  73. encrypted-part[3] KERB-ENCRYPTED-DATA, -- EncTicketPart; its plaintext is KERB-ENCRYPTED-TICKET below
  74. ticket-extensions[4] PKERB-TICKET-EXTENSIONS OPTIONAL
  75. } --#public--
  76. KERB-TRANSITED-ENCODING ::= SEQUENCE { -- transited realm list; contents is opaque and its encoding is selected by transited-type
  77. transited-type[0] INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS
  78. contents[1] OCTET STRING
  79. }
  80. -- Encrypted part of ticket
  81. KERB-ENCRYPTED-TICKET ::= [APPLICATION 3] SEQUENCE { -- plaintext of KERB-TICKET.encrypted-part: the key, the client identity and the validity window
  82. flags[0] KERB-TICKET-FLAGS,
  83. key[1] KERB-ENCRYPTION-KEY,
  84. client-realm[2] KERB-REALM,
  85. client-name[3] KERB-PRINCIPAL-NAME,
  86. transited[4] KERB-TRANSITED-ENCODING,
  87. authtime[5] KERB-TIME,
  88. starttime[6] KERB-TIME OPTIONAL, -- absent presumably means valid from authtime; confirm in the translation code
  89. endtime[7] KERB-TIME,
  90. renew-until[8] KERB-TIME OPTIONAL,
  91. client-addresses[9] PKERB-HOST-ADDRESSES OPTIONAL, -- OPTIONAL: a ticket without addresses carries no client address binding
  92. authorization-data[10] PKERB-AUTHORIZATION-DATA OPTIONAL
  93. }
  94. -- Unencrypted authenticator
  95. KERB-AUTHENTICATOR ::= [APPLICATION 2] SEQUENCE { -- plaintext of KERB-AP-REQUEST.authenticator; client-time and client-usec presumably serve replay detection as cusec and client-time do in KERB-PK-AUTHENTICATOR
  96. authenticator-version[0] INTEGER,
  97. client-realm[1] KERB-REALM,
  98. client-name[2] KERB-PRINCIPAL-NAME,
  99. checksum[3] KERB-CHECKSUM OPTIONAL, -- OPTIONAL: consumers must check presence before relying on it
  100. client-usec[4] INTEGER,
  101. client-time[5] KERB-TIME,
  102. subkey[6] KERB-ENCRYPTION-KEY OPTIONAL,
  103. sequence-number[7] KERB-SEQUENCE-NUMBER-LARGE OPTIONAL, -- LARGE variant: accepts signed or unsigned 32-bit encodings from the peer
  104. authorization-data[8] PKERB-AUTHORIZATION-DATA OPTIONAL
  105. }
  106. KERB-TICKET-FLAGS ::= BIT STRING -- ticket flag bits; bit meanings are not defined in this module
  107. KERB-AS-REQUEST ::= [APPLICATION 10] KERB-KDC-REQUEST
  108. KERB-TGS-REQUEST ::= [APPLICATION 12] KERB-KDC-REQUEST
  109. KERB-KDC-REQUEST ::= SEQUENCE { -- shared body of AS and TGS requests; note the context tags start at [1], not [0]
  110. version[1] INTEGER,
  111. message-type[2] INTEGER,
  112. preauth-data[3] SEQUENCE OF KERB-PA-DATA OPTIONAL,
  113. request-body[4] KERB-KDC-REQUEST-BODY
  114. }
  115. KERB-PA-DATA ::= SEQUENCE { -- one pre-authentication element; preauth-data is opaque and is decoded separately according to preauth-data-type
  116. preauth-data-type[1] INTEGER,
  117. preauth-data[2] OCTET STRING -- might be encoded AP-REQUEST
  118. }
  119. PKERB-PREAUTH-DATA-LIST ::= SEQUENCE OF KERB-PA-DATA
  120. -- Give this an application number so we can separately encode it and checksum
  121. -- it.
  122. KERB-MARSHALLED-REQUEST-BODY ::= KERB-KDC-REQUEST-BODY -- NOTE(review): the comment above asks for an APPLICATION tag but none is applied, so this encodes identically to KERB-KDC-REQUEST-BODY
  123. KERB-KDC-REQUEST-BODY ::= SEQUENCE { -- request body; see KERB-MARSHALLED-REQUEST-BODY for the separately encoded form
  124. kdc-options[0] KERB-KDC-OPTIONS,
  125. client-name[1] KERB-PRINCIPAL-NAME OPTIONAL, -- Used only in AS-REQUEST
  126. realm[2] KERB-REALM, -- Server's realm; also the client's realm in AS-REQUEST
  127. server-name[3] KERB-PRINCIPAL-NAME OPTIONAL,
  128. starttime[4] KERB-TIME OPTIONAL,
  129. endtime[5] KERB-TIME,
  130. renew-until[6] KERB-TIME OPTIONAL,
  131. nonce[7] INTEGER, -- presumably echoed as nonce[2] of KERB-ENCRYPTED-KDC-REPLY; confirm in the translation code
  132. encryption-type[8] SEQUENCE OF INTEGER, -- EncryptionType,
  133. -- in preference order; the schema does not constrain which of these the KDC may select
  134. addresses[9] PKERB-HOST-ADDRESSES OPTIONAL,
  135. enc-authorization-data[10] KERB-ENCRYPTED-DATA OPTIONAL,
  136. -- KERB-AUTHORIZATION-DATA
  137. additional-tickets[11] SEQUENCE OF KERB-TICKET OPTIONAL
  138. }
  139. KERB-AS-REPLY ::= [APPLICATION 11] KERB-KDC-REPLY
  140. KERB-TGS-REPLY ::= [APPLICATION 13] KERB-KDC-REPLY
  141. KERB-KDC-REPLY ::= SEQUENCE { -- shared body of AS and TGS replies; client-realm and client-name travel in the clear here
  142. version[0] INTEGER,
  143. message-type[1] INTEGER,
  144. preauth-data[2] SEQUENCE OF KERB-PA-DATA OPTIONAL,
  145. client-realm[3] KERB-REALM,
  146. client-name[4] KERB-PRINCIPAL-NAME,
  147. ticket[5] KERB-TICKET, -- KERB-TICKET
  148. encrypted-part[6] KERB-ENCRYPTED-DATA -- KERB-ENCRYPTED-KDC-REPLY
  149. }
  150. KERB-ENCRYPTED-AS-REPLY ::= [APPLICATION 25] KERB-ENCRYPTED-KDC-REPLY
  151. KERB-ENCRYPTED-TGS-REPLY ::= [APPLICATION 26] KERB-ENCRYPTED-KDC-REPLY
  152. KERB-ENCRYPTED-KDC-REPLY ::= SEQUENCE { -- plaintext of KERB-KDC-REPLY.encrypted-part; the flags, times and addresses mirror the fields of KERB-ENCRYPTED-TICKET
  153. session-key[0] KERB-ENCRYPTION-KEY,
  154. last-request[1] PKERB-LAST-REQUEST,
  155. nonce[2] INTEGER, -- presumably echoes nonce[7] of the request body; confirm in the translation code
  156. key-expiration[3] KERB-TIME OPTIONAL,
  157. flags[4] KERB-TICKET-FLAGS,
  158. authtime[5] KERB-TIME,
  159. starttime[6] KERB-TIME OPTIONAL,
  160. endtime[7] KERB-TIME,
  161. renew-until[8] KERB-TIME OPTIONAL,
  162. server-realm[9] KERB-REALM,
  163. server-name[10] KERB-PRINCIPAL-NAME,
  164. client-addresses[11] PKERB-HOST-ADDRESSES OPTIONAL,
  165. encrypted-pa-data[12] SEQUENCE OF KERB-PA-DATA OPTIONAL
  166. }
  167. KERB-AP-REQUEST ::= [APPLICATION 14] SEQUENCE { -- client to service: a ticket plus an encrypted authenticator
  168. version[0] INTEGER,
  169. message-type[1] INTEGER,
  170. ap-options[2] KERB-AP-OPTIONS,
  171. ticket[3] KERB-TICKET,
  172. authenticator[4] KERB-ENCRYPTED-DATA -- Authenticator; plaintext is KERB-AUTHENTICATOR
  173. }
  174. KERB-AP-OPTIONS ::= BIT STRING -- AP option bits; bit meanings are not defined in this module
  175. KERB-AP-REPLY ::= [APPLICATION 15] SEQUENCE { -- service to client reply
  176. version[0] INTEGER,
  177. message-type[1] INTEGER,
  178. encrypted-part[2] KERB-ENCRYPTED-DATA -- EncAPRepPart; plaintext is KERB-ENCRYPTED-AP-REPLY
  179. }
  180. KERB-ENCRYPTED-AP-REPLY ::= [APPLICATION 27] SEQUENCE { -- plaintext of KERB-AP-REPLY.encrypted-part; client-time and client-usec match the authenticator's fields (presumably echoed)
  181. client-time[0] KERB-TIME,
  182. client-usec[1] INTEGER,
  183. subkey[2] KERB-ENCRYPTION-KEY OPTIONAL,
  184. sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL -- plain unsigned variant, unlike the LARGE one in KERB-AUTHENTICATOR
  185. }
  186. KERB-SAFE-MESSAGE ::= [APPLICATION 20] SEQUENCE { -- integrity-protected user data: safe-body is sent in the clear and covered by checksum
  187. version[0] INTEGER,
  188. message-type[1] INTEGER,
  189. safe-body[2] KERB-SAFE-BODY,
  190. checksum[3] KERB-CHECKSUM -- mandatory; which key it is computed under is not stated in this schema
  191. }
  192. KERB-SAFE-BODY ::= SEQUENCE { -- same field layout as KERB-ENCRYPTED-PRIV
  193. user-data[0] OCTET STRING,
  194. timestamp[1] KERB-TIME OPTIONAL,
  195. usec[2] INTEGER OPTIONAL,
  196. sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL,
  197. sender-address[4] KERB-HOST-ADDRESS, -- sender's addr (mandatory)
  198. recipient-address[5] KERB-HOST-ADDRESS OPTIONAL -- recip's addr
  199. }
  200. KERB-PRIV-MESSAGE ::= [APPLICATION 21] SEQUENCE { -- confidentiality-protected user data; note tag [2] is skipped
  201. version[0] INTEGER,
  202. message-type[1] INTEGER,
  203. encrypted-part[3] KERB-ENCRYPTED-DATA -- EncKrbPrivPart; plaintext is KERB-ENCRYPTED-PRIV
  204. }
  205. KERB-ENCRYPTED-PRIV ::= [APPLICATION 28] SEQUENCE { -- plaintext of KERB-PRIV-MESSAGE.encrypted-part; same field layout as KERB-SAFE-BODY
  206. user-data[0] OCTET STRING,
  207. timestamp[1] KERB-TIME OPTIONAL,
  208. usec[2] INTEGER OPTIONAL,
  209. sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL,
  210. sender-address[4] KERB-HOST-ADDRESS, -- sender's addr (mandatory)
  211. recipient-address[5] KERB-HOST-ADDRESS OPTIONAL -- recip's addr
  212. }
  213. -- The KERB-CRED message allows easy forwarding of credentials.
  214. KERB-CRED ::= [APPLICATION 22] SEQUENCE { -- tickets travel in the clear; the keys that go with them are in encrypted-part
  215. version[0] INTEGER,
  216. message-type[1] INTEGER, -- KRB_CRED
  217. tickets[2] SEQUENCE OF KERB-TICKET,
  218. encrypted-part[3] KERB-ENCRYPTED-DATA -- EncKrbCredPart; plaintext is KERB-ENCRYPTED-CRED
  219. }
  220. KERB-ENCRYPTED-CRED ::= [APPLICATION 29] SEQUENCE { -- plaintext of KERB-CRED.encrypted-part; ticket-info presumably pairs with KERB-CRED.tickets by position, confirm in the translation code
  221. ticket-info[0] SEQUENCE OF KERB-CRED-INFO,
  222. nonce[1] INTEGER OPTIONAL,
  223. timestamp[2] KERB-TIME OPTIONAL,
  224. usec[3] INTEGER OPTIONAL,
  225. sender-address[4] KERB-HOST-ADDRESS OPTIONAL,
  226. recipient-address[5] KERB-HOST-ADDRESS OPTIONAL
  227. }
  228. KERB-CRED-INFO ::= SEQUENCE { -- key plus the metadata for a forwarded ticket; everything except key is OPTIONAL
  229. key[0] KERB-ENCRYPTION-KEY,
  230. principal-realm[1] KERB-REALM OPTIONAL,
  231. principal-name[2] KERB-PRINCIPAL-NAME OPTIONAL,
  232. flags[3] KERB-TICKET-FLAGS OPTIONAL,
  233. authtime[4] KERB-TIME OPTIONAL,
  234. starttime[5] KERB-TIME OPTIONAL,
  235. endtime[6] KERB-TIME OPTIONAL,
  236. renew-until[7] KERB-TIME OPTIONAL,
  237. service-realm[8] KERB-REALM OPTIONAL,
  238. service-name[9] KERB-PRINCIPAL-NAME OPTIONAL,
  239. client-addresses[10] PKERB-HOST-ADDRESSES OPTIONAL
  240. }
  241. KERB-ERROR ::= [APPLICATION 30] SEQUENCE { -- error reply; it carries no checksum or encrypted part, so every field is unauthenticated peer input
  242. version[0] INTEGER,
  243. message-type[1] INTEGER,
  244. client-time[2] KERB-TIME OPTIONAL,
  245. client-usec[3] INTEGER OPTIONAL,
  246. server-time[4] KERB-TIME,
  247. server-usec[5] INTEGER,
  248. error-code[6] INTEGER,
  249. client-realm[7] KERB-REALM OPTIONAL,
  250. client-name[8] KERB-PRINCIPAL-NAME OPTIONAL,
  251. realm[9] KERB-REALM, -- Correct realm
  252. server-name[10] KERB-PRINCIPAL-NAME, -- Correct name
  253. error-text[11] GeneralString --#lenptr-- OPTIONAL, -- the lenptr marker is a pepsy directive like the SS ones in the file header; the text is unbounded, peer-supplied and should be treated as untrusted before it is logged or displayed
  254. error-data[12] OCTET STRING OPTIONAL -- opaque; its format depends on error-code (possibly KERB-ERROR-METHOD-DATA or TYPED-DATA below, confirm in code)
  255. }
  256. KERB-ENCRYPTED-DATA ::= SEQUENCE { -- generic ciphertext container used by every encrypted-part above
  257. encryption-type[0] INTEGER, -- EncryptionType
  258. version[1] INTEGER OPTIONAL, -- presumably the key version number; not named as such here
  259. cipher-text[2] OCTET STRING -- CipherText
  260. } --#public--
  261. KERB-ENCRYPTION-KEY ::= SEQUENCE { -- raw key material; any decoded structure containing one is secret
  262. keytype[0] INTEGER,
  263. keyvalue[1] OCTET STRING
  264. } --#public--
  265. KERB-CHECKSUM ::= SEQUENCE { -- checksum type plus value; whether it is keyed depends on checksum-type, which this schema does not constrain
  266. checksum-type[0] INTEGER,
  267. checksum[1] OCTET STRING
  268. } --#public--
  269. KERB-ENCRYPTED-TIMESTAMP ::= SEQUENCE { -- timestamp plaintext; the structure that encrypts and carries it is not shown in this module
  270. timestamp[0] KERB-TIME, -- client's time
  271. usec[1] INTEGER OPTIONAL
  272. }
  273. KERB-SALTED-ENCRYPTED-TIMESTAMP ::= SEQUENCE { -- KERB-ENCRYPTED-TIMESTAMP plus an explicit salt
  274. timestamp[0] KERB-TIME, -- client's time
  275. usec[1] INTEGER OPTIONAL,
  276. salt[2] OCTET STRING
  277. }
  278. KERB-ETYPE-INFO-ENTRY ::= SEQUENCE { -- an encryption type with its optional salt
  279. encryption-type[0] INTEGER,
  280. salt[1] OCTET STRING OPTIONAL
  281. }
  282. PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY
  283. --
  284. --
  285. -- User-to-User data types
  286. --
  287. --
  288. KERB-TGT-REQUEST ::= SEQUENCE { -- user-to-user: request for the peer's TGT (no APPLICATION tag, unlike the KDC messages above)
  289. version[0] INTEGER,
  290. message-type[1] INTEGER,
  291. server-name[2] KERB-PRINCIPAL-NAME OPTIONAL,
  292. server-realm[3] KERB-REALM OPTIONAL
  293. }
  294. KERB-TGT-REPLY ::= SEQUENCE { -- user-to-user: the peer's TGT, returned in the clear
  295. version[0] INTEGER,
  296. message-type[1] INTEGER,
  297. ticket[2] KERB-TICKET
  298. }
  299. --
  300. --
  301. -- PKINIT data types
  302. --
  303. --
  304. -- new for PKINIT
  305. KERB-PKCS-SIGNATURE ::= SEQUENCE { -- early-style signature: an algorithm number plus raw signature bytes (contrast KERB-SIGNATURE)
  306. encryption-type [0] INTEGER,
  307. -- algorithm for PKCS key encryption
  308. signature [1] OCTET STRING
  309. }
  310. NOCOPYANY ::= ANY --#nomemcpy-- -- open type: any DER value may appear here, so its contents cannot be validated from this schema; the nomemcpy pepsy directive presumably suppresses copying of the payload
  311. KERB-ALGORITHM-IDENTIFIER::= SEQUENCE { -- X.509-style AlgorithmIdentifier; parameters is an open type
  312. algorithm OBJECT IDENTIFIER,
  313. parameters NOCOPYANY OPTIONAL
  314. }
  315. KERB-SIGNATURE ::= SEQUENCE { -- signature with an explicit algorithm identifier
  316. signature-algorithm [0] KERB-ALGORITHM-IDENTIFIER,
  317. pkcs-signature [1] BIT STRING
  318. }
  319. KERB-PA-PK-AS-REP ::= CHOICE { -- older form of the PKINIT reply; both alternatives are opaque PKCS-7 blobs parsed elsewhere
  320. -- PA TYPE 15
  321. dh-signed-data [0] IMPLICIT OCTET STRING, -- IMPLICIT: tag [0] replaces the OCTET STRING tag instead of wrapping it
  322. -- pkcs-7 signed data, used for DH key exchange
  323. key-package [1] IMPLICIT OCTET STRING
  324. -- pkcs-7 enveloped data, containing
  325. -- KERB-REPLY-KEY-PACKAGE
  326. }
  327. KERB-PA-PK-AS-REP2 ::= SEQUENCE { -- newer form of the PKINIT reply
  328. -- PA TYPE 15
  329. key-package [0] KERB-ENCRYPTED-DATA OPTIONAL,
  330. -- of type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE
  331. -- using the temporary key in temp-key-package.
  332. -- used with kerberos-pk encryption
  333. temp-key-package [1] KERB-ENVELOPED-KEY-PACKAGE,
  334. -- contains type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE (NOTE(review): no type of that name is defined in this module; KERB-SIGNED-REPLY-KEY-PACKAGE below is the closest match)
  335. -- temporary key encrypted with
  336. -- client public key or diffie-hellman key
  337. signed-kdc-public-value [2] KERB-SIGNED-KDC-PUBLIC-VALUE OPTIONAL,
  338. -- if one was passed in request
  339. kdc-cert [3] SEQUENCE OF KERB-CERTIFICATE OPTIONAL
  340. -- the KDC's certificate
  341. -- optionally followed by that
  342. -- certificate's certifier chain
  343. }
  344. KERB-ENVELOPED-KEY-PACKAGE ::= CHOICE { -- only tags [1] and [4] are used in this CHOICE
  345. encrypted-data [1] KERB-ENCRYPTED-DATA,
  346. -- of type TmpKeyPack, not defined here
  347. pkinit-enveloped-data [4] IMPLICIT OCTET STRING
  348. -- pkcs-7 enveloped data
  349. }
  350. KERB-SIGNED-REPLY-KEY-PACKAGE ::= SEQUENCE { -- reply key package plus the KDC's signature over it
  351. reply-key-package [0] KERB-REPLY-KEY-PACKAGE2,
  352. reply-key-signature [1] KERB-SIGNATURE
  353. -- of replyEncKeyPack
  354. -- using KDC's private key
  355. }
  356. KERB-REPLY-KEY-PACKAGE2 ::= SEQUENCE { -- KERB-REPLY-KEY-PACKAGE plus the optional DH public value
  357. reply-key [0] KERB-ENCRYPTION-KEY,
  358. -- used to encrypt main reply
  359. nonce [1] INTEGER,
  360. -- binds response to the request
  361. -- must be same as the nonce
  362. -- passed in the PKAuthenticator
  363. subject-public-key [2] BIT STRING OPTIONAL
  364. -- included only when using diffie-hellman
  365. -- equals public exponent
  366. } --#public--
  367. KERB-REPLY-KEY-PACKAGE ::= SEQUENCE { -- original two-field form; see KERB-REPLY-KEY-PACKAGE2
  368. reply-key [0] KERB-ENCRYPTION-KEY,
  369. -- used to encrypt main reply
  370. nonce [1] INTEGER
  371. -- binds response to the request
  372. -- must be same as the nonce
  373. -- passed in the PKAuthenticator
  374. } --#public--
  375. KERB-KDC-DH-KEY-INFO ::= SEQUENCE { -- the KDC's half of the DH exchange, bound to the request nonce
  376. nonce [0] INTEGER,
  377. -- binds response to request
  378. subject-public-key [1] BIT STRING
  379. -- Equals the DH public value g^a mod p (called the public exponent elsewhere in this file)
  380. -- INTEGER encoded as payload of
  381. -- BIT STRING
  382. }
  383. KERB-SIGNED-KDC-PUBLIC-VALUE ::= SEQUENCE { -- KDC public key info plus the KDC's signature over it
  384. kdc-public-value [0] KERB-SUBJECT-PUBLIC-KEY-INFO,
  385. -- as described above
  386. kdc-public-value-sig [1] KERB-SIGNATURE
  387. -- of kdcPublicValue
  388. -- using KDC's private key
  389. }
  390. KERB-PA-PK-AS-REQ2 ::= SEQUENCE { -- newer form of the PKINIT request; only signed-auth-pack is mandatory
  391. -- PA TYPE 14
  392. signed-auth-pack [0] KERB-SIGNED-AUTH-PACKAGE,
  393. user-certs [1] SEQUENCE OF KERB-CERTIFICATE OPTIONAL,
  394. -- the user's certificate chain
  395. trusted-certifiers [2] SEQUENCE OF KERB-PRINCIPAL-NAME OPTIONAL,
  396. -- CAs that the client trusts, given as principal names here (KERB-PA-PK-AS-REQ below uses KERB-TRUSTED-CAS instead)
  397. serial-number [3] KERB-CERTIFICATE-SERIAL-NUMBER OPTIONAL
  398. -- specifying a particular cert if the client
  399. -- already has it, must be accompanied by a
  400. -- single trusted-certifier
  401. }
  402. KERB-PA-PK-AS-REQ ::= SEQUENCE { -- older form of the PKINIT request; tag [1] is unused in this SEQUENCE
  403. -- PA TYPE 14
  404. signed-auth-pack [0] IMPLICIT OCTET STRING,
  405. -- SignedData
  406. trusted-certifiers [2] SEQUENCE OF KERB-TRUSTED-CAS OPTIONAL,
  407. -- CAs that the client trusts
  408. kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
  409. -- an IssuerAndSerialNumber, specifies a
  410. -- particular KDC cert if the client
  411. -- has it, must be accompanied by a
  412. -- single trusted-certifier
  413. encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
  414. -- If the client cert can't be used for
  415. -- encryption. For example, this may
  416. -- be a Diffie-Hellman cert
  417. }
  418. KERB-TRUSTED-CAS ::= CHOICE { -- three ways to name a trusted CA; the last two are opaque X.509 encodings parsed elsewhere
  419. principal-name [0] KERB-KERBEROS-NAME,
  420. -- principal name and realm
  421. ca-name [1] IMPLICIT OCTET STRING,
  422. -- real type is 'Name',
  423. -- fully qualified X.500 name
  424. -- as defined by X.509
  425. issuer-and-serial [2] IMPLICIT OCTET STRING
  426. -- since a CA may have a number of certs,
  427. -- only one of which a client trusts
  428. }
  429. KERB-KERBEROS-NAME ::= SEQUENCE { -- realm plus principal name
  430. realm [0] KERB-REALM,
  431. -- as defined in RFC1510
  432. principal-name [1] KERB-PRINCIPAL-NAME
  433. -- as defined in RFC1510
  434. }
  435. KERB-CERTIFICATE-SERIAL-NUMBER ::= INTEGER
  436. -- as specified by PKCS 6
  437. KERB-SIGNED-AUTH-PACKAGE ::= SEQUENCE { -- the client's auth package together with its signature under the user's private key
  438. auth-package [0] KERB-AUTH-PACKAGE,
  439. auth-package-signature [1] KERB-SIGNATURE
  440. -- of auth-package
  441. -- using user's private key
  442. }
  443. KERB-AUTH-PACKAGE ::= SEQUENCE { -- signed content: the PK authenticator and, for DH, the client's public value
  444. pk-authenticator [0] KERB-PK-AUTHENTICATOR,
  445. client-public-value [1] KERB-SUBJECT-PUBLIC-KEY-INFO OPTIONAL
  446. -- if client is using Diffie-Hellman
  447. } --#public--
  448. KERB-PK-AUTHENTICATOR ::= SEQUENCE { -- freshness data inside the signed auth package: target KDC, time, usec and nonce
  449. kdc-name [0] KERB-PRINCIPAL-NAME,
  450. kdc-realm [1] KERB-REALM,
  451. cusec [2] INTEGER,
  452. -- for replay prevention
  453. client-time [3] KERB-TIME,
  454. -- for replay prevention
  455. nonce [4] INTEGER -- the value the reply-key-package nonce must match (see KERB-REPLY-KEY-PACKAGE)
  456. }
  457. KERB-SUBJECT-PUBLIC-KEY-INFO ::= SEQUENCE { -- X.509 SubjectPublicKeyInfo shape, but with context tags [0] and [1] added
  458. algorithm [0] KERB-ALGORITHM-IDENTIFIER,
  459. subjectPublicKey [1] BIT STRING
  460. -- for DH, equals
  461. -- public exponent (INTEGER encoded
  462. -- as payload of BIT STRING)
  463. } -- as specified by the X.509 recommendation [9]
  464. KERB-DH-PARAMTER ::= SEQUENCE { -- Diffie-Hellman group parameters (the type name's spelling is kept as is; other code may reference it)
  465. prime [0] INTEGER,
  466. -- p
  467. base [1] INTEGER,
  468. -- g
  469. private-value-length [2] INTEGER OPTIONAL
  470. }
  471. KERB-CERTIFICATE ::= SEQUENCE { -- certificate blob tagged with its format
  472. cert-type [0] INTEGER,
  473. -- type of certificate
  474. -- 1 = X.509v3 (DER encoding)
  475. -- 2 = PGP (per PGP specification)
  476. cert-data [1] OCTET STRING
  477. -- actual certificate
  478. -- type determined by cert-type
  479. }
  480. KERB-TYPED-DATA ::= SEQUENCE { -- generic type/value pair
  481. data-type [0] INTEGER,
  482. data-value [1] OCTET STRING
  483. }
  484. --
  485. --
  486. -- Authorization data types
  487. --
  488. --
  489. KERB-KDC-ISSUED-AUTH-DATA ::= SEQUENCE { -- authorization data vouched for by the KDC; checksum is a KERB-SIGNATURE, presumably over elements (confirm in code)
  490. checksum [0] KERB-SIGNATURE,
  491. elements [1] SEQUENCE OF KERB-PA-DATA
  492. } --#public--
  493. KERB-PA-SERV-REFERRAL ::= SEQUENCE { -- NOTE: tag [1] precedes tag [0] here; encoding follows the field order as written, so do not reorder (see the header note)
  494. referred-server-name[1] KERB-PRINCIPAL-NAME OPTIONAL,
  495. referred-server-realm[0] KERB-REALM
  496. } --#public--
  497. --
  498. -- PA data type for indicating whether a PAC should be included or
  499. -- removed.
  500. --
  501. KERB-PA-PAC-REQUEST ::= SEQUENCE {
  502. include-pac[0] BOOLEAN -- if TRUE and no PAC is present,
  503. -- include one; if FALSE and a
  504. -- PAC is present, remove it
  505. } --#public--
  506. PKERB-IF-RELEVANT-AUTH-DATA ::= PKERB-AUTHORIZATION-DATA --#public--
  507. KERB-CHANGE-PASSWORD-DATA ::= SEQUENCE { -- NOTE(review): new-password is cleartext password material; buffers holding a decoded instance should be wiped after use
  508. new-password[0] OCTET STRING,
  509. target-name[1] KERB-PRINCIPAL-NAME OPTIONAL,
  510. target-realm[2] KERB-REALM OPTIONAL
  511. } --#public--
  512. KERB-ERROR-METHOD-DATA ::= SEQUENCE { -- type/value pair with tags starting at [1] (compare KERB-TYPED-DATA, which starts at [0])
  513. data-type [1] INTEGER,
  514. data-value [2] OCTET STRING OPTIONAL
  515. } --#public--
  516. KERB-EXT-ERROR ::= SEQUENCE { -- extended error detail carrying an NTSTATUS value
  517. status[0] INTEGER, -- NTStatus code
  518. klininfo[1] INTEGER, -- klin macro info
  519. flags[2] INTEGER -- used for passing extra info
  520. }
  521. TYPED-DATA ::= SEQUENCE OF KERB-TYPED-DATA --#public--
  522. --
  523. -- For ServiceForUserToSelf requests
  524. -- PA Type 21 (NOTE(review): the body comment below says PA TYPE 129; confirm which padata type the code assigns)
  525. --
  526. KERB-PA-FOR-USER ::= SEQUENCE { -- S4U2self: names the user on whose behalf the service is asking; cksum presumably covers the other fields, confirm in code
  527. -- PA TYPE 129
  528. userName [0] KERB-PRINCIPAL-NAME,
  529. userRealm [1] KERB-REALM,
  530. cksum [2] KERB-CHECKSUM,
  531. authentication-package [3] GeneralString,
  532. authorization-data [4] OCTET STRING OPTIONAL,
  533. ... -- extension marker: decoders must tolerate and skip unknown trailing elements
  534. }--#public--
  535. END