-- $Source: /mit/krb5/.cvsroot/src/lib/krb5/asn.1/KRB5-asn.py,v $ -- $Author: tytso $ -- $Id: KRB5-asn.py,v 5.25 1993/09/22 00:42:36 tytso Exp $ -- -- Copyright 1989 by the Massachusetts Institute of Technology. -- -- Export of this software from the United States of America may -- require a specific license from the United States Government. -- It is the responsibility of any person or organization contemplating -- export to obtain such a license before exporting. -- -- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -- distribute this software and its documentation for any purpose and -- without fee is hereby granted, provided that the above copyright -- notice appear in all copies and that both that copyright notice and -- this permission notice appear in supporting documentation, and that -- the name of M.I.T. not be used in advertising or publicity pertaining -- to distribution of the software without specific, written prior -- permission. M.I.T. makes no representations about the suitability of -- this software for any purpose. It is provided "as is" without express -- or implied warranty. -- -- ASN.1 definitions for the kerberos network objects -- -- Do not change the order of any structure containing some -- element_KRB5_xx unless the corresponding translation code is also -- changed. -- --#SS.basic slinked-- --#SS.sized array-- --#SS.struct extra-ptr-type-- KRB5 DEFINITIONS EXPLICIT TAGS ::= BEGIN -- needed to do the Right Thing with pepsy; this isn't a valid ASN.1 -- token, however. -- SECTIONS encode decode none -- the order of stuff in this file matches the order in the draft RFC KERB-REALM ::= GeneralString KERB-HOST-ADDRESS ::= SEQUENCE { addr-type[0] INTEGER, address[1] OCTET STRING } PKERB-HOST-ADDRESSES ::= SEQUENCE OF SEQUENCE { address-type[0] INTEGER, address[1] OCTET STRING } PKERB-AUTHORIZATION-DATA ::= SEQUENCE OF SEQUENCE { auth-data-type[0] INTEGER, auth-data[1] OCTET STRING } -- A list of auth data for separate packing PKERB-AUTHORIZATION-DATA-LIST ::= PKERB-AUTHORIZATION-DATA --#public-- KERB-KDC-OPTIONS ::= BIT STRING PKERB-LAST-REQUEST ::= SEQUENCE OF SEQUENCE { last-request-type[0] INTEGER, last-request-value[1] KERB-TIME } KERB-TIME ::= GeneralizedTime -- Specifying UTC time zone (Z) KERB-PRINCIPAL-NAME ::= SEQUENCE{ name-type[0] INTEGER, name-string[1] SEQUENCE OF GeneralString } KERB-SEQUENCE-NUMBER-LARGE ::= INTEGER (-2147483648..4294967295) KERB-SEQUENCE-NUMBER ::= INTEGER (0..4294967295) PKERB-TICKET-EXTENSIONS ::= SEQUENCE OF SEQUENCE { te-type[0] INTEGER, te-data[1] OCTET STRING } KERB-TICKET ::= [APPLICATION 1] SEQUENCE { ticket-version[0] INTEGER, realm[1] KERB-REALM, server-name[2] KERB-PRINCIPAL-NAME, encrypted-part[3] KERB-ENCRYPTED-DATA, -- EncTicketPart ticket-extensions[4] PKERB-TICKET-EXTENSIONS OPTIONAL } --#public-- KERB-TRANSITED-ENCODING ::= SEQUENCE { transited-type[0] INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS contents[1] OCTET STRING } -- Encrypted part of ticket KERB-ENCRYPTED-TICKET ::= [APPLICATION 3] SEQUENCE { flags[0] KERB-TICKET-FLAGS, key[1] KERB-ENCRYPTION-KEY, client-realm[2] KERB-REALM, client-name[3] KERB-PRINCIPAL-NAME, transited[4] KERB-TRANSITED-ENCODING, authtime[5] KERB-TIME, starttime[6] KERB-TIME OPTIONAL, endtime[7] KERB-TIME, renew-until[8] KERB-TIME OPTIONAL, client-addresses[9] PKERB-HOST-ADDRESSES OPTIONAL, authorization-data[10] PKERB-AUTHORIZATION-DATA OPTIONAL } -- Unencrypted authenticator KERB-AUTHENTICATOR ::= [APPLICATION 2] SEQUENCE { authenticator-version[0] INTEGER, client-realm[1] KERB-REALM, client-name[2] KERB-PRINCIPAL-NAME, checksum[3] KERB-CHECKSUM OPTIONAL, client-usec[4] INTEGER, client-time[5] KERB-TIME, subkey[6] KERB-ENCRYPTION-KEY OPTIONAL, sequence-number[7] KERB-SEQUENCE-NUMBER-LARGE OPTIONAL, authorization-data[8] PKERB-AUTHORIZATION-DATA OPTIONAL } KERB-TICKET-FLAGS ::= BIT STRING KERB-AS-REQUEST ::= [APPLICATION 10] KERB-KDC-REQUEST KERB-TGS-REQUEST ::= [APPLICATION 12] KERB-KDC-REQUEST KERB-KDC-REQUEST ::= SEQUENCE { version[1] INTEGER, message-type[2] INTEGER, preauth-data[3] SEQUENCE OF KERB-PA-DATA OPTIONAL, request-body[4] KERB-KDC-REQUEST-BODY } KERB-PA-DATA ::= SEQUENCE { preauth-data-type[1] INTEGER, preauth-data[2] OCTET STRING -- might be encoded AP-REQUEST } PKERB-PREAUTH-DATA-LIST ::= SEQUENCE OF KERB-PA-DATA -- Give this an application number so we can separately encode it and checksum -- it. KERB-MARSHALLED-REQUEST-BODY ::= KERB-KDC-REQUEST-BODY KERB-KDC-REQUEST-BODY ::= SEQUENCE { kdc-options[0] KERB-KDC-OPTIONS, client-name[1] KERB-PRINCIPAL-NAME OPTIONAL, -- Used only in AS-REQUEST realm[2] KERB-REALM, -- Server's realm Also client's in AS-REQUEST server-name[3] KERB-PRINCIPAL-NAME OPTIONAL, starttime[4] KERB-TIME OPTIONAL, endtime[5] KERB-TIME, renew-until[6] KERB-TIME OPTIONAL, nonce[7] INTEGER, encryption-type[8] SEQUENCE OF INTEGER, -- EncryptionType, -- in preference order addresses[9] PKERB-HOST-ADDRESSES OPTIONAL, enc-authorization-data[10] KERB-ENCRYPTED-DATA OPTIONAL, -- KERB-AUTHORIZATION-DATA additional-tickets[11] SEQUENCE OF KERB-TICKET OPTIONAL } KERB-AS-REPLY ::= [APPLICATION 11] KERB-KDC-REPLY KERB-TGS-REPLY ::= [APPLICATION 13] KERB-KDC-REPLY KERB-KDC-REPLY ::= SEQUENCE { version[0] INTEGER, message-type[1] INTEGER, preauth-data[2] SEQUENCE OF KERB-PA-DATA OPTIONAL, client-realm[3] KERB-REALM, client-name[4] KERB-PRINCIPAL-NAME, ticket[5] KERB-TICKET, -- KERB-TICKET encrypted-part[6] KERB-ENCRYPTED-DATA -- KERB-ENCRYPTED-KDC-REPLY } KERB-ENCRYPTED-AS-REPLY ::= [APPLICATION 25] KERB-ENCRYPTED-KDC-REPLY KERB-ENCRYPTED-TGS-REPLY ::= [APPLICATION 26] KERB-ENCRYPTED-KDC-REPLY KERB-ENCRYPTED-KDC-REPLY ::= SEQUENCE { session-key[0] KERB-ENCRYPTION-KEY, last-request[1] PKERB-LAST-REQUEST, nonce[2] INTEGER, key-expiration[3] KERB-TIME OPTIONAL, flags[4] KERB-TICKET-FLAGS, authtime[5] KERB-TIME, starttime[6] KERB-TIME OPTIONAL, endtime[7] KERB-TIME, renew-until[8] KERB-TIME OPTIONAL, server-realm[9] KERB-REALM, server-name[10] KERB-PRINCIPAL-NAME, client-addresses[11] PKERB-HOST-ADDRESSES OPTIONAL, encrypted-pa-data[12] SEQUENCE OF KERB-PA-DATA OPTIONAL } KERB-AP-REQUEST ::= [APPLICATION 14] SEQUENCE { version[0] INTEGER, message-type[1] INTEGER, ap-options[2] KERB-AP-OPTIONS, ticket[3] KERB-TICKET, authenticator[4] KERB-ENCRYPTED-DATA -- Authenticator } KERB-AP-OPTIONS ::= BIT STRING KERB-AP-REPLY ::= [APPLICATION 15] SEQUENCE { version[0] INTEGER, message-type[1] INTEGER, encrypted-part[2] KERB-ENCRYPTED-DATA -- EncAPRepPart } KERB-ENCRYPTED-AP-REPLY ::= [APPLICATION 27] SEQUENCE { client-time[0] KERB-TIME, client-usec[1] INTEGER, subkey[2] KERB-ENCRYPTION-KEY OPTIONAL, sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL } KERB-SAFE-MESSAGE ::= [APPLICATION 20] SEQUENCE { version[0] INTEGER, message-type[1] INTEGER, safe-body[2] KERB-SAFE-BODY, checksum[3] KERB-CHECKSUM } KERB-SAFE-BODY ::= SEQUENCE { user-data[0] OCTET STRING, timestamp[1] KERB-TIME OPTIONAL, usec[2] INTEGER OPTIONAL, sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL, sender-address[4] KERB-HOST-ADDRESS, -- sender's addr recipient-address[5] KERB-HOST-ADDRESS OPTIONAL -- recip's addr } KERB-PRIV-MESSAGE ::= [APPLICATION 21] SEQUENCE { version[0] INTEGER, message-type[1] INTEGER, encrypted-part[3] KERB-ENCRYPTED-DATA -- EncKrbPrivPart } KERB-ENCRYPTED-PRIV ::= [APPLICATION 28] SEQUENCE { user-data[0] OCTET STRING, timestamp[1] KERB-TIME OPTIONAL, usec[2] INTEGER OPTIONAL, sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL, sender-address[4] KERB-HOST-ADDRESS, -- sender's addr recipient-address[5] KERB-HOST-ADDRESS OPTIONAL -- recip's addr } -- The KERB-CRED message allows easy forwarding of credentials. KERB-CRED ::= [APPLICATION 22] SEQUENCE { version[0] INTEGER, message-type[1] INTEGER, -- KRB_CRED tickets[2] SEQUENCE OF KERB-TICKET, encrypted-part[3] KERB-ENCRYPTED-DATA -- EncKrbCredPart } KERB-ENCRYPTED-CRED ::= [APPLICATION 29] SEQUENCE { ticket-info[0] SEQUENCE OF KERB-CRED-INFO, nonce[1] INTEGER OPTIONAL, timestamp[2] KERB-TIME OPTIONAL, usec[3] INTEGER OPTIONAL, sender-address[4] KERB-HOST-ADDRESS OPTIONAL, recipient-address[5] KERB-HOST-ADDRESS OPTIONAL } KERB-CRED-INFO ::= SEQUENCE { key[0] KERB-ENCRYPTION-KEY, principal-realm[1] KERB-REALM OPTIONAL, principal-name[2] KERB-PRINCIPAL-NAME OPTIONAL, flags[3] KERB-TICKET-FLAGS OPTIONAL, authtime[4] KERB-TIME OPTIONAL, starttime[5] KERB-TIME OPTIONAL, endtime[6] KERB-TIME OPTIONAL, renew-until[7] KERB-TIME OPTIONAL, service-realm[8] KERB-REALM OPTIONAL, service-name[9] KERB-PRINCIPAL-NAME OPTIONAL, client-addresses[10] PKERB-HOST-ADDRESSES OPTIONAL } KERB-ERROR ::= [APPLICATION 30] SEQUENCE { version[0] INTEGER, message-type[1] INTEGER, client-time[2] KERB-TIME OPTIONAL, client-usec[3] INTEGER OPTIONAL, server-time[4] KERB-TIME, server-usec[5] INTEGER, error-code[6] INTEGER, client-realm[7] KERB-REALM OPTIONAL, client-name[8] KERB-PRINCIPAL-NAME OPTIONAL, realm[9] KERB-REALM, -- Correct realm server-name[10] KERB-PRINCIPAL-NAME, -- Correct name error-text[11] GeneralString --#lenptr-- OPTIONAL, error-data[12] OCTET STRING OPTIONAL } KERB-ENCRYPTED-DATA ::= SEQUENCE { encryption-type[0] INTEGER, -- EncryptionType version[1] INTEGER OPTIONAL, cipher-text[2] OCTET STRING -- CipherText } --#public-- KERB-ENCRYPTION-KEY ::= SEQUENCE { keytype[0] INTEGER, keyvalue[1] OCTET STRING } --#public-- KERB-CHECKSUM ::= SEQUENCE { checksum-type[0] INTEGER, checksum[1] OCTET STRING } --#public-- KERB-ENCRYPTED-TIMESTAMP ::= SEQUENCE { timestamp[0] KERB-TIME, -- client's time usec[1] INTEGER OPTIONAL } KERB-SALTED-ENCRYPTED-TIMESTAMP ::= SEQUENCE { timestamp[0] KERB-TIME, -- client's time usec[1] INTEGER OPTIONAL, salt[2] OCTET STRING } KERB-ETYPE-INFO-ENTRY ::= SEQUENCE { encryption-type[0] INTEGER, salt[1] OCTET STRING OPTIONAL } PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY -- -- -- User-to-User data types -- -- KERB-TGT-REQUEST ::= SEQUENCE { version[0] INTEGER, message-type[1] INTEGER, server-name[2] KERB-PRINCIPAL-NAME OPTIONAL, server-realm[3] KERB-REALM OPTIONAL } KERB-TGT-REPLY ::= SEQUENCE { version[0] INTEGER, message-type[1] INTEGER, ticket[2] KERB-TICKET } -- -- -- PKINT data types -- -- -- new for PKINIT KERB-PKCS-SIGNATURE ::= SEQUENCE { encryption-type [0] INTEGER, -- algorithm for PKCS key encryption signature [1] OCTET STRING } NOCOPYANY ::= ANY --#nomemcpy-- KERB-ALGORITHM-IDENTIFIER::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters NOCOPYANY OPTIONAL } KERB-SIGNATURE ::= SEQUENCE { signature-algorithm [0] KERB-ALGORITHM-IDENTIFIER, pkcs-signature [1] BIT STRING } KERB-PA-PK-AS-REP ::= CHOICE { -- PA TYPE 15 dh-signed-data [0] IMPLICIT OCTET STRING, -- pkcs-7 signed data, used for DH key exchange key-package [1] IMPLICIT OCTET STRING -- pkcs-7 enveloped data, containing -- KERB-REPLY-KEY-PACKAGE } KERB-PA-PK-AS-REP2 ::= SEQUENCE { -- PA TYPE 15 key-package [0] KERB-ENCRYPTED-DATA OPTIONAL, -- of type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE -- using the temporary key in temp-key-package. -- used with kerberos-pk encryption temp-key-package [1] KERB-ENVELOPED-KEY-PACKAGE, -- contains type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE -- temporary key encrpyted with -- client public key or diffie-hellman key signed-kdc-public-value [2] KERB-SIGNED-KDC-PUBLIC-VALUE OPTIONAL, -- if one was passed in request kdc-cert [3] SEQUENCE OF KERB-CERTIFICATE OPTIONAL -- the KDC's certificate -- optionally followed by that -- certificate's certifier chain } KERB-ENVELOPED-KEY-PACKAGE ::= CHOICE { encrypted-data [1] KERB-ENCRYPTED-DATA, -- of type TmpKeyPack, not defined here pkinit-enveloped-data [4] IMPLICIT OCTET STRING -- pkcs-7 enveloped data } KERB-SIGNED-REPLY-KEY-PACKAGE ::= SEQUENCE { reply-key-package [0] KERB-REPLY-KEY-PACKAGE2, reply-key-signature [1] KERB-SIGNATURE -- of replyEncKeyPack -- using KDC's private key } KERB-REPLY-KEY-PACKAGE2 ::= SEQUENCE { reply-key [0] KERB-ENCRYPTION-KEY, -- used to encrypt main reply nonce [1] INTEGER, -- binds response to the request -- must be same as the nonce -- passed in the PKAuthenticator subject-public-key [2] BIT STRING OPTIONAL -- included only when using diffie-hellman -- equals public exponent } --#public-- KERB-REPLY-KEY-PACKAGE ::= SEQUENCE { reply-key [0] KERB-ENCRYPTION-KEY, -- used to encrypt main reply nonce [1] INTEGER -- binds response to the request -- must be same as the nonce -- passed in the PKAuthenticator } --#public-- KERB-KDC-DH-KEY-INFO ::= SEQUENCE { nonce [0] INTEGER, -- binds response to request subject-public-key [1] BIT STRING -- Equals public exponent (g^a mod p) -- INTEGER encoded as payload of -- BIT STRING } KERB-SIGNED-KDC-PUBLIC-VALUE ::= SEQUENCE { kdc-public-value [0] KERB-SUBJECT-PUBLIC-KEY-INFO, -- as described above kdc-public-value-sig [1] KERB-SIGNATURE -- of kdcPublicValue -- using KDC's private key } KERB-PA-PK-AS-REQ2 ::= SEQUENCE { -- PA TYPE 14 signed-auth-pack [0] KERB-SIGNED-AUTH-PACKAGE, user-certs [1] SEQUENCE OF KERB-CERTIFICATE OPTIONAL, -- the user's certificate chain trusted-certifiers [2] SEQUENCE OF KERB-PRINCIPAL-NAME OPTIONAL, -- CAs that the client trusts serial-number [3] KERB-CERTIFICATE-SERIAL-NUMBER OPTIONAL -- specifying a particalu cert if the client -- already has it, must be accompanied by a -- single trusted-certifier } KERB-PA-PK-AS-REQ ::= SEQUENCE { -- PA TYPE 14 signed-auth-pack [0] IMPLICIT OCTET STRING, -- SignedData trusted-certifiers [2] SEQUENCE OF KERB-TRUSTED-CAS OPTIONAL, -- CAs that the client trusts kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL, -- an IssuerAndSerialNumber, specifies a -- particular KDC cert if the client -- has it, must be accompanied by a -- single trusted-certifier encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL -- If the client cert can't be used for -- encryption. For example, this may -- be a Diffie-Hellman cert } KERB-TRUSTED-CAS ::= CHOICE { principal-name [0] KERB-KERBEROS-NAME, -- principal name and realm ca-name [1] IMPLICIT OCTET STRING, -- real type is 'Name', -- fully qualified X.500 name -- as defined by X.509 issuer-and-serial [2] IMPLICIT OCTET STRING -- since a CA may have a number of certs, -- only one of which a client trusts } KERB-KERBEROS-NAME ::= SEQUENCE { realm [0] KERB-REALM, -- as defined in RFC1510 principal-name [1] KERB-PRINCIPAL-NAME -- as defined in RFC1510 } KERB-CERTIFICATE-SERIAL-NUMBER ::= INTEGER -- as specified by PKCS 6 KERB-SIGNED-AUTH-PACKAGE ::= SEQUENCE { auth-package [0] KERB-AUTH-PACKAGE, auth-package-signature [1] KERB-SIGNATURE -- of auth-package -- using user's private key } KERB-AUTH-PACKAGE ::= SEQUENCE { pk-authenticator [0] KERB-PK-AUTHENTICATOR, client-public-value [1] KERB-SUBJECT-PUBLIC-KEY-INFO OPTIONAL -- if client is using Diffie-Hellman } --#public-- KERB-PK-AUTHENTICATOR ::= SEQUENCE { kdc-name [0] KERB-PRINCIPAL-NAME, kdc-realm [1] KERB-REALM, cusec [2] INTEGER, -- for replay prevention client-time [3] KERB-TIME, -- for replay prevention nonce [4] INTEGER } KERB-SUBJECT-PUBLIC-KEY-INFO ::= SEQUENCE { algorithm [0] KERB-ALGORITHM-IDENTIFIER, subjectPublicKey [1] BIT STRING -- for DH, equals -- public exponent (INTEGER encoded -- as payload of BIT STRING) } -- as specified by the X.509 recommendation [9] KERB-DH-PARAMTER ::= SEQUENCE { prime [0] INTEGER, -- p base [1] INTEGER, -- g private-value-length [2] INTEGER OPTIONAL } KERB-CERTIFICATE ::= SEQUENCE { cert-type [0] INTEGER, -- type of certificate -- 1 = X.509v3 (DER encoding) -- 2 = PGP (per PGP specification) cert-data [1] OCTET STRING -- actual certificate -- type determined by certType } KERB-TYPED-DATA ::= SEQUENCE { data-type [0] INTEGER, data-value [1] OCTET STRING } -- -- -- Authorization data types -- -- KERB-KDC-ISSUED-AUTH-DATA ::= SEQUENCE { checksum [0] KERB-SIGNATURE, elements [1] SEQUENCE OF KERB-PA-DATA } --#public-- KERB-PA-SERV-REFERRAL ::= SEQUENCE { referred-server-name[1] KERB-PRINCIPAL-NAME OPTIONAL, referred-server-realm[0] KERB-REALM } --#public-- -- -- PA data type for indicating whether a PAC should be included or -- removed. -- KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac[0] BOOLEAN -- if TRUE, and no pac present, -- include PAC. If FALSE, and pac -- PAC present, remove PAC } --#public-- PKERB-IF-RELEVANT-AUTH-DATA ::= PKERB-AUTHORIZATION-DATA --#public-- KERB-CHANGE-PASSWORD-DATA ::= SEQUENCE { new-password[0] OCTET STRING, target-name[1] KERB-PRINCIPAL-NAME OPTIONAL, target-realm[2] KERB-REALM OPTIONAL } --#public-- KERB-ERROR-METHOD-DATA ::= SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING OPTIONAL } --#public-- KERB-EXT-ERROR ::= SEQUENCE { status[0] INTEGER, -- NTStatus code klininfo[1] INTEGER, -- klin macro info flags[2] INTEGER -- used for passing extra info } TYPED-DATA ::= SEQUENCE OF KERB-TYPED-DATA --#public-- -- -- For ServiceForUserToSelf requests -- PA Type 21 -- KERB-PA-FOR-USER ::= SEQUENCE { -- PA TYPE 129 userName [0] KERB-PRINCIPAL-NAME, userRealm [1] KERB-REALM, cksum [2] KERB-CHECKSUM, authentication-package [3] GeneralString, authorization-data [4] OCTET STRING OPTIONAL, ... }--#public-- END