mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
654 lines
24 KiB
654 lines
24 KiB
-- $Source: /mit/krb5/.cvsroot/src/lib/krb5/asn.1/KRB5-asn.py,v $
|
|
-- $Author: tytso $
|
|
-- $Id: KRB5-asn.py,v 5.25 1993/09/22 00:42:36 tytso Exp $
|
|
--
|
|
-- Copyright 1989 by the Massachusetts Institute of Technology.
|
|
--
|
|
-- Export of this software from the United States of America may
|
|
-- require a specific license from the United States Government.
|
|
-- It is the responsibility of any person or organization contemplating
|
|
-- export to obtain such a license before exporting.
|
|
--
|
|
-- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
-- distribute this software and its documentation for any purpose and
|
|
-- without fee is hereby granted, provided that the above copyright
|
|
-- notice appear in all copies and that both that copyright notice and
|
|
-- this permission notice appear in supporting documentation, and that
|
|
-- the name of M.I.T. not be used in advertising or publicity pertaining
|
|
-- to distribution of the software without specific, written prior
|
|
-- permission. M.I.T. makes no representations about the suitability of
|
|
-- this software for any purpose. It is provided "as is" without express
|
|
-- or implied warranty.
|
|
--
|
|
-- ASN.1 definitions for the kerberos network objects
|
|
--
|
|
-- Do not change the order of any structure containing some
|
|
-- element_KRB5_xx unless the corresponding translation code is also
|
|
-- changed.
|
|
--
|
|
|
|
--#SS.basic slinked--
|
|
--#SS.sized array--
|
|
--#SS.struct extra-ptr-type--
|
|
|
|
KRB5 DEFINITIONS EXPLICIT TAGS ::=
|
|
BEGIN
|
|
|
|
-- needed to do the Right Thing with pepsy; this isn't a valid ASN.1
|
|
-- token, however.
|
|
|
|
-- SECTIONS encode decode none
|
|
|
|
-- the order of stuff in this file matches the order in the draft RFC
|
|
|
|
KERB-REALM ::= GeneralString
|
|
|
|
KERB-HOST-ADDRESS ::= SEQUENCE {
|
|
addr-type[0] INTEGER,
|
|
address[1] OCTET STRING
|
|
}
|
|
|
|
PKERB-HOST-ADDRESSES ::= SEQUENCE OF SEQUENCE {
|
|
address-type[0] INTEGER,
|
|
address[1] OCTET STRING
|
|
}
|
|
|
|
PKERB-AUTHORIZATION-DATA ::= SEQUENCE OF SEQUENCE {
|
|
auth-data-type[0] INTEGER,
|
|
auth-data[1] OCTET STRING
|
|
}
|
|
|
|
-- A list of auth data for separate packing
|
|
|
|
PKERB-AUTHORIZATION-DATA-LIST ::= PKERB-AUTHORIZATION-DATA --#public--
|
|
|
|
|
|
KERB-KDC-OPTIONS ::= BIT STRING
|
|
|
|
PKERB-LAST-REQUEST ::= SEQUENCE OF SEQUENCE {
|
|
last-request-type[0] INTEGER,
|
|
last-request-value[1] KERB-TIME
|
|
}
|
|
|
|
KERB-TIME ::= GeneralizedTime -- Specifying UTC time zone (Z)
|
|
|
|
|
|
KERB-PRINCIPAL-NAME ::= SEQUENCE{
|
|
name-type[0] INTEGER,
|
|
name-string[1] SEQUENCE OF GeneralString
|
|
}
|
|
|
|
KERB-SEQUENCE-NUMBER-LARGE ::= INTEGER (-2147483648..4294967295)
|
|
KERB-SEQUENCE-NUMBER ::= INTEGER (0..4294967295)
|
|
|
|
PKERB-TICKET-EXTENSIONS ::= SEQUENCE OF SEQUENCE {
|
|
te-type[0] INTEGER,
|
|
te-data[1] OCTET STRING
|
|
}
|
|
|
|
KERB-TICKET ::= [APPLICATION 1] SEQUENCE {
|
|
ticket-version[0] INTEGER,
|
|
realm[1] KERB-REALM,
|
|
server-name[2] KERB-PRINCIPAL-NAME,
|
|
encrypted-part[3] KERB-ENCRYPTED-DATA, -- EncTicketPart
|
|
ticket-extensions[4] PKERB-TICKET-EXTENSIONS OPTIONAL
|
|
} --#public--
|
|
|
|
KERB-TRANSITED-ENCODING ::= SEQUENCE {
|
|
transited-type[0] INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS
|
|
contents[1] OCTET STRING
|
|
}
|
|
|
|
-- Encrypted part of ticket
|
|
|
|
KERB-ENCRYPTED-TICKET ::= [APPLICATION 3] SEQUENCE {
|
|
flags[0] KERB-TICKET-FLAGS,
|
|
key[1] KERB-ENCRYPTION-KEY,
|
|
client-realm[2] KERB-REALM,
|
|
client-name[3] KERB-PRINCIPAL-NAME,
|
|
transited[4] KERB-TRANSITED-ENCODING,
|
|
authtime[5] KERB-TIME,
|
|
starttime[6] KERB-TIME OPTIONAL,
|
|
endtime[7] KERB-TIME,
|
|
renew-until[8] KERB-TIME OPTIONAL,
|
|
client-addresses[9] PKERB-HOST-ADDRESSES OPTIONAL,
|
|
authorization-data[10] PKERB-AUTHORIZATION-DATA OPTIONAL
|
|
}
|
|
|
|
-- Unencrypted authenticator
|
|
|
|
KERB-AUTHENTICATOR ::= [APPLICATION 2] SEQUENCE {
|
|
authenticator-version[0] INTEGER,
|
|
client-realm[1] KERB-REALM,
|
|
client-name[2] KERB-PRINCIPAL-NAME,
|
|
checksum[3] KERB-CHECKSUM OPTIONAL,
|
|
client-usec[4] INTEGER,
|
|
client-time[5] KERB-TIME,
|
|
subkey[6] KERB-ENCRYPTION-KEY OPTIONAL,
|
|
sequence-number[7] KERB-SEQUENCE-NUMBER-LARGE OPTIONAL,
|
|
authorization-data[8] PKERB-AUTHORIZATION-DATA OPTIONAL
|
|
}
|
|
|
|
|
|
KERB-TICKET-FLAGS ::= BIT STRING
|
|
|
|
KERB-AS-REQUEST ::= [APPLICATION 10] KERB-KDC-REQUEST
|
|
KERB-TGS-REQUEST ::= [APPLICATION 12] KERB-KDC-REQUEST
|
|
|
|
KERB-KDC-REQUEST ::= SEQUENCE {
|
|
version[1] INTEGER,
|
|
message-type[2] INTEGER,
|
|
preauth-data[3] SEQUENCE OF KERB-PA-DATA OPTIONAL,
|
|
request-body[4] KERB-KDC-REQUEST-BODY
|
|
}
|
|
|
|
KERB-PA-DATA ::= SEQUENCE {
|
|
preauth-data-type[1] INTEGER,
|
|
preauth-data[2] OCTET STRING -- might be encoded AP-REQUEST
|
|
}
|
|
|
|
PKERB-PREAUTH-DATA-LIST ::= SEQUENCE OF KERB-PA-DATA
|
|
|
|
-- Give this an application number so we can separately encode it and checksum
|
|
-- it.
|
|
|
|
KERB-MARSHALLED-REQUEST-BODY ::= KERB-KDC-REQUEST-BODY
|
|
|
|
KERB-KDC-REQUEST-BODY ::= SEQUENCE {
|
|
kdc-options[0] KERB-KDC-OPTIONS,
|
|
client-name[1] KERB-PRINCIPAL-NAME OPTIONAL, -- Used only in AS-REQUEST
|
|
realm[2] KERB-REALM, -- Server's realm Also client's in AS-REQUEST
|
|
server-name[3] KERB-PRINCIPAL-NAME OPTIONAL,
|
|
starttime[4] KERB-TIME OPTIONAL,
|
|
endtime[5] KERB-TIME,
|
|
renew-until[6] KERB-TIME OPTIONAL,
|
|
nonce[7] INTEGER,
|
|
encryption-type[8] SEQUENCE OF INTEGER, -- EncryptionType,
|
|
-- in preference order
|
|
addresses[9] PKERB-HOST-ADDRESSES OPTIONAL,
|
|
enc-authorization-data[10] KERB-ENCRYPTED-DATA OPTIONAL,
|
|
-- KERB-AUTHORIZATION-DATA
|
|
additional-tickets[11] SEQUENCE OF KERB-TICKET OPTIONAL
|
|
}
|
|
|
|
KERB-AS-REPLY ::= [APPLICATION 11] KERB-KDC-REPLY
|
|
KERB-TGS-REPLY ::= [APPLICATION 13] KERB-KDC-REPLY
|
|
|
|
|
|
KERB-KDC-REPLY ::= SEQUENCE {
|
|
version[0] INTEGER,
|
|
message-type[1] INTEGER,
|
|
preauth-data[2] SEQUENCE OF KERB-PA-DATA OPTIONAL,
|
|
client-realm[3] KERB-REALM,
|
|
client-name[4] KERB-PRINCIPAL-NAME,
|
|
ticket[5] KERB-TICKET, -- KERB-TICKET
|
|
encrypted-part[6] KERB-ENCRYPTED-DATA -- KERB-ENCRYPTED-KDC-REPLY
|
|
}
|
|
|
|
KERB-ENCRYPTED-AS-REPLY ::= [APPLICATION 25] KERB-ENCRYPTED-KDC-REPLY
|
|
KERB-ENCRYPTED-TGS-REPLY ::= [APPLICATION 26] KERB-ENCRYPTED-KDC-REPLY
|
|
|
|
|
|
KERB-ENCRYPTED-KDC-REPLY ::= SEQUENCE {
|
|
session-key[0] KERB-ENCRYPTION-KEY,
|
|
last-request[1] PKERB-LAST-REQUEST,
|
|
nonce[2] INTEGER,
|
|
key-expiration[3] KERB-TIME OPTIONAL,
|
|
flags[4] KERB-TICKET-FLAGS,
|
|
authtime[5] KERB-TIME,
|
|
starttime[6] KERB-TIME OPTIONAL,
|
|
endtime[7] KERB-TIME,
|
|
renew-until[8] KERB-TIME OPTIONAL,
|
|
server-realm[9] KERB-REALM,
|
|
server-name[10] KERB-PRINCIPAL-NAME,
|
|
client-addresses[11] PKERB-HOST-ADDRESSES OPTIONAL,
|
|
encrypted-pa-data[12] SEQUENCE OF KERB-PA-DATA OPTIONAL
|
|
|
|
}
|
|
|
|
|
|
KERB-AP-REQUEST ::= [APPLICATION 14] SEQUENCE {
|
|
version[0] INTEGER,
|
|
message-type[1] INTEGER,
|
|
ap-options[2] KERB-AP-OPTIONS,
|
|
ticket[3] KERB-TICKET,
|
|
authenticator[4] KERB-ENCRYPTED-DATA -- Authenticator
|
|
}
|
|
|
|
KERB-AP-OPTIONS ::= BIT STRING
|
|
|
|
KERB-AP-REPLY ::= [APPLICATION 15] SEQUENCE {
|
|
version[0] INTEGER,
|
|
message-type[1] INTEGER,
|
|
encrypted-part[2] KERB-ENCRYPTED-DATA -- EncAPRepPart
|
|
}
|
|
|
|
KERB-ENCRYPTED-AP-REPLY ::= [APPLICATION 27] SEQUENCE {
|
|
client-time[0] KERB-TIME,
|
|
client-usec[1] INTEGER,
|
|
subkey[2] KERB-ENCRYPTION-KEY OPTIONAL,
|
|
sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL
|
|
}
|
|
|
|
|
|
KERB-SAFE-MESSAGE ::= [APPLICATION 20] SEQUENCE {
|
|
version[0] INTEGER,
|
|
message-type[1] INTEGER,
|
|
safe-body[2] KERB-SAFE-BODY,
|
|
checksum[3] KERB-CHECKSUM
|
|
}
|
|
|
|
KERB-SAFE-BODY ::= SEQUENCE {
|
|
user-data[0] OCTET STRING,
|
|
timestamp[1] KERB-TIME OPTIONAL,
|
|
usec[2] INTEGER OPTIONAL,
|
|
sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL,
|
|
sender-address[4] KERB-HOST-ADDRESS, -- sender's addr
|
|
recipient-address[5] KERB-HOST-ADDRESS OPTIONAL -- recip's addr
|
|
}
|
|
|
|
KERB-PRIV-MESSAGE ::= [APPLICATION 21] SEQUENCE {
|
|
version[0] INTEGER,
|
|
message-type[1] INTEGER,
|
|
encrypted-part[3] KERB-ENCRYPTED-DATA -- EncKrbPrivPart
|
|
}
|
|
|
|
KERB-ENCRYPTED-PRIV ::= [APPLICATION 28] SEQUENCE {
|
|
user-data[0] OCTET STRING,
|
|
timestamp[1] KERB-TIME OPTIONAL,
|
|
usec[2] INTEGER OPTIONAL,
|
|
sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL,
|
|
sender-address[4] KERB-HOST-ADDRESS, -- sender's addr
|
|
recipient-address[5] KERB-HOST-ADDRESS OPTIONAL -- recip's addr
|
|
}
|
|
|
|
|
|
|
|
-- The KERB-CRED message allows easy forwarding of credentials.
|
|
|
|
KERB-CRED ::= [APPLICATION 22] SEQUENCE {
|
|
version[0] INTEGER,
|
|
message-type[1] INTEGER, -- KRB_CRED
|
|
tickets[2] SEQUENCE OF KERB-TICKET,
|
|
encrypted-part[3] KERB-ENCRYPTED-DATA -- EncKrbCredPart
|
|
}
|
|
|
|
KERB-ENCRYPTED-CRED ::= [APPLICATION 29] SEQUENCE {
|
|
ticket-info[0] SEQUENCE OF KERB-CRED-INFO,
|
|
nonce[1] INTEGER OPTIONAL,
|
|
timestamp[2] KERB-TIME OPTIONAL,
|
|
usec[3] INTEGER OPTIONAL,
|
|
sender-address[4] KERB-HOST-ADDRESS OPTIONAL,
|
|
recipient-address[5] KERB-HOST-ADDRESS OPTIONAL
|
|
}
|
|
|
|
KERB-CRED-INFO ::= SEQUENCE {
|
|
key[0] KERB-ENCRYPTION-KEY,
|
|
principal-realm[1] KERB-REALM OPTIONAL,
|
|
principal-name[2] KERB-PRINCIPAL-NAME OPTIONAL,
|
|
flags[3] KERB-TICKET-FLAGS OPTIONAL,
|
|
authtime[4] KERB-TIME OPTIONAL,
|
|
starttime[5] KERB-TIME OPTIONAL,
|
|
endtime[6] KERB-TIME OPTIONAL,
|
|
renew-until[7] KERB-TIME OPTIONAL,
|
|
service-realm[8] KERB-REALM OPTIONAL,
|
|
service-name[9] KERB-PRINCIPAL-NAME OPTIONAL,
|
|
client-addresses[10] PKERB-HOST-ADDRESSES OPTIONAL
|
|
}
|
|
|
|
|
|
KERB-ERROR ::= [APPLICATION 30] SEQUENCE {
|
|
version[0] INTEGER,
|
|
message-type[1] INTEGER,
|
|
client-time[2] KERB-TIME OPTIONAL,
|
|
client-usec[3] INTEGER OPTIONAL,
|
|
server-time[4] KERB-TIME,
|
|
server-usec[5] INTEGER,
|
|
error-code[6] INTEGER,
|
|
client-realm[7] KERB-REALM OPTIONAL,
|
|
client-name[8] KERB-PRINCIPAL-NAME OPTIONAL,
|
|
realm[9] KERB-REALM, -- Correct realm
|
|
server-name[10] KERB-PRINCIPAL-NAME, -- Correct name
|
|
error-text[11] GeneralString --#lenptr-- OPTIONAL,
|
|
error-data[12] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
KERB-ENCRYPTED-DATA ::= SEQUENCE {
|
|
encryption-type[0] INTEGER, -- EncryptionType
|
|
version[1] INTEGER OPTIONAL,
|
|
cipher-text[2] OCTET STRING -- CipherText
|
|
} --#public--
|
|
|
|
KERB-ENCRYPTION-KEY ::= SEQUENCE {
|
|
keytype[0] INTEGER,
|
|
keyvalue[1] OCTET STRING
|
|
} --#public--
|
|
|
|
KERB-CHECKSUM ::= SEQUENCE {
|
|
checksum-type[0] INTEGER,
|
|
checksum[1] OCTET STRING
|
|
} --#public--
|
|
|
|
KERB-ENCRYPTED-TIMESTAMP ::= SEQUENCE {
|
|
timestamp[0] KERB-TIME, -- client's time
|
|
usec[1] INTEGER OPTIONAL
|
|
}
|
|
|
|
KERB-SALTED-ENCRYPTED-TIMESTAMP ::= SEQUENCE {
|
|
timestamp[0] KERB-TIME, -- client's time
|
|
usec[1] INTEGER OPTIONAL,
|
|
salt[2] OCTET STRING
|
|
}
|
|
|
|
KERB-ETYPE-INFO-ENTRY ::= SEQUENCE {
|
|
encryption-type[0] INTEGER,
|
|
salt[1] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY
|
|
|
|
--
|
|
--
|
|
-- User-to-User data types
|
|
--
|
|
--
|
|
|
|
KERB-TGT-REQUEST ::= SEQUENCE {
|
|
version[0] INTEGER,
|
|
message-type[1] INTEGER,
|
|
server-name[2] KERB-PRINCIPAL-NAME OPTIONAL,
|
|
server-realm[3] KERB-REALM OPTIONAL
|
|
}
|
|
|
|
KERB-TGT-REPLY ::= SEQUENCE {
|
|
version[0] INTEGER,
|
|
message-type[1] INTEGER,
|
|
ticket[2] KERB-TICKET
|
|
}
|
|
|
|
|
|
--
|
|
--
|
|
-- PKINT data types
|
|
--
|
|
--
|
|
|
|
-- new for PKINIT
|
|
|
|
|
|
KERB-PKCS-SIGNATURE ::= SEQUENCE {
|
|
encryption-type [0] INTEGER,
|
|
-- algorithm for PKCS key encryption
|
|
signature [1] OCTET STRING
|
|
}
|
|
|
|
NOCOPYANY ::= ANY --#nomemcpy--
|
|
|
|
KERB-ALGORITHM-IDENTIFIER::= SEQUENCE {
|
|
algorithm OBJECT IDENTIFIER,
|
|
parameters NOCOPYANY OPTIONAL
|
|
}
|
|
|
|
KERB-SIGNATURE ::= SEQUENCE {
|
|
signature-algorithm [0] KERB-ALGORITHM-IDENTIFIER,
|
|
pkcs-signature [1] BIT STRING
|
|
}
|
|
|
|
KERB-PA-PK-AS-REP ::= CHOICE {
|
|
-- PA TYPE 15
|
|
dh-signed-data [0] IMPLICIT OCTET STRING,
|
|
-- pkcs-7 signed data, used for DH key exchange
|
|
key-package [1] IMPLICIT OCTET STRING
|
|
-- pkcs-7 enveloped data, containing
|
|
-- KERB-REPLY-KEY-PACKAGE
|
|
}
|
|
|
|
KERB-PA-PK-AS-REP2 ::= SEQUENCE {
|
|
-- PA TYPE 15
|
|
key-package [0] KERB-ENCRYPTED-DATA OPTIONAL,
|
|
-- of type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE
|
|
-- using the temporary key in temp-key-package.
|
|
-- used with kerberos-pk encryption
|
|
temp-key-package [1] KERB-ENVELOPED-KEY-PACKAGE,
|
|
-- contains type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE
|
|
-- temporary key encrpyted with
|
|
-- client public key or diffie-hellman key
|
|
signed-kdc-public-value [2] KERB-SIGNED-KDC-PUBLIC-VALUE OPTIONAL,
|
|
-- if one was passed in request
|
|
kdc-cert [3] SEQUENCE OF KERB-CERTIFICATE OPTIONAL
|
|
-- the KDC's certificate
|
|
-- optionally followed by that
|
|
-- certificate's certifier chain
|
|
}
|
|
|
|
KERB-ENVELOPED-KEY-PACKAGE ::= CHOICE {
|
|
encrypted-data [1] KERB-ENCRYPTED-DATA,
|
|
-- of type TmpKeyPack, not defined here
|
|
pkinit-enveloped-data [4] IMPLICIT OCTET STRING
|
|
-- pkcs-7 enveloped data
|
|
}
|
|
|
|
KERB-SIGNED-REPLY-KEY-PACKAGE ::= SEQUENCE {
|
|
reply-key-package [0] KERB-REPLY-KEY-PACKAGE2,
|
|
reply-key-signature [1] KERB-SIGNATURE
|
|
-- of replyEncKeyPack
|
|
-- using KDC's private key
|
|
}
|
|
|
|
KERB-REPLY-KEY-PACKAGE2 ::= SEQUENCE {
|
|
reply-key [0] KERB-ENCRYPTION-KEY,
|
|
-- used to encrypt main reply
|
|
nonce [1] INTEGER,
|
|
-- binds response to the request
|
|
-- must be same as the nonce
|
|
-- passed in the PKAuthenticator
|
|
subject-public-key [2] BIT STRING OPTIONAL
|
|
-- included only when using diffie-hellman
|
|
-- equals public exponent
|
|
} --#public--
|
|
|
|
KERB-REPLY-KEY-PACKAGE ::= SEQUENCE {
|
|
reply-key [0] KERB-ENCRYPTION-KEY,
|
|
-- used to encrypt main reply
|
|
nonce [1] INTEGER
|
|
-- binds response to the request
|
|
-- must be same as the nonce
|
|
-- passed in the PKAuthenticator
|
|
} --#public--
|
|
|
|
|
|
KERB-KDC-DH-KEY-INFO ::= SEQUENCE {
|
|
nonce [0] INTEGER,
|
|
-- binds response to request
|
|
subject-public-key [1] BIT STRING
|
|
-- Equals public exponent (g^a mod p)
|
|
-- INTEGER encoded as payload of
|
|
-- BIT STRING
|
|
}
|
|
|
|
KERB-SIGNED-KDC-PUBLIC-VALUE ::= SEQUENCE {
|
|
kdc-public-value [0] KERB-SUBJECT-PUBLIC-KEY-INFO,
|
|
-- as described above
|
|
kdc-public-value-sig [1] KERB-SIGNATURE
|
|
-- of kdcPublicValue
|
|
-- using KDC's private key
|
|
}
|
|
|
|
KERB-PA-PK-AS-REQ2 ::= SEQUENCE {
|
|
-- PA TYPE 14
|
|
signed-auth-pack [0] KERB-SIGNED-AUTH-PACKAGE,
|
|
user-certs [1] SEQUENCE OF KERB-CERTIFICATE OPTIONAL,
|
|
-- the user's certificate chain
|
|
trusted-certifiers [2] SEQUENCE OF KERB-PRINCIPAL-NAME OPTIONAL,
|
|
-- CAs that the client trusts
|
|
serial-number [3] KERB-CERTIFICATE-SERIAL-NUMBER OPTIONAL
|
|
-- specifying a particalu cert if the client
|
|
-- already has it, must be accompanied by a
|
|
-- single trusted-certifier
|
|
}
|
|
|
|
KERB-PA-PK-AS-REQ ::= SEQUENCE {
|
|
-- PA TYPE 14
|
|
signed-auth-pack [0] IMPLICIT OCTET STRING,
|
|
-- SignedData
|
|
trusted-certifiers [2] SEQUENCE OF KERB-TRUSTED-CAS OPTIONAL,
|
|
-- CAs that the client trusts
|
|
kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
|
|
-- an IssuerAndSerialNumber, specifies a
|
|
-- particular KDC cert if the client
|
|
-- has it, must be accompanied by a
|
|
-- single trusted-certifier
|
|
encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
|
|
-- If the client cert can't be used for
|
|
-- encryption. For example, this may
|
|
-- be a Diffie-Hellman cert
|
|
|
|
}
|
|
|
|
KERB-TRUSTED-CAS ::= CHOICE {
|
|
principal-name [0] KERB-KERBEROS-NAME,
|
|
-- principal name and realm
|
|
ca-name [1] IMPLICIT OCTET STRING,
|
|
-- real type is 'Name',
|
|
-- fully qualified X.500 name
|
|
-- as defined by X.509
|
|
issuer-and-serial [2] IMPLICIT OCTET STRING
|
|
-- since a CA may have a number of certs,
|
|
-- only one of which a client trusts
|
|
}
|
|
|
|
KERB-KERBEROS-NAME ::= SEQUENCE {
|
|
realm [0] KERB-REALM,
|
|
-- as defined in RFC1510
|
|
principal-name [1] KERB-PRINCIPAL-NAME
|
|
-- as defined in RFC1510
|
|
}
|
|
|
|
|
|
KERB-CERTIFICATE-SERIAL-NUMBER ::= INTEGER
|
|
-- as specified by PKCS 6
|
|
|
|
KERB-SIGNED-AUTH-PACKAGE ::= SEQUENCE {
|
|
auth-package [0] KERB-AUTH-PACKAGE,
|
|
auth-package-signature [1] KERB-SIGNATURE
|
|
-- of auth-package
|
|
-- using user's private key
|
|
}
|
|
|
|
KERB-AUTH-PACKAGE ::= SEQUENCE {
|
|
pk-authenticator [0] KERB-PK-AUTHENTICATOR,
|
|
client-public-value [1] KERB-SUBJECT-PUBLIC-KEY-INFO OPTIONAL
|
|
-- if client is using Diffie-Hellman
|
|
} --#public--
|
|
|
|
KERB-PK-AUTHENTICATOR ::= SEQUENCE {
|
|
kdc-name [0] KERB-PRINCIPAL-NAME,
|
|
kdc-realm [1] KERB-REALM,
|
|
cusec [2] INTEGER,
|
|
-- for replay prevention
|
|
client-time [3] KERB-TIME,
|
|
-- for replay prevention
|
|
nonce [4] INTEGER
|
|
}
|
|
|
|
KERB-SUBJECT-PUBLIC-KEY-INFO ::= SEQUENCE {
|
|
algorithm [0] KERB-ALGORITHM-IDENTIFIER,
|
|
subjectPublicKey [1] BIT STRING
|
|
-- for DH, equals
|
|
-- public exponent (INTEGER encoded
|
|
-- as payload of BIT STRING)
|
|
} -- as specified by the X.509 recommendation [9]
|
|
|
|
|
|
KERB-DH-PARAMTER ::= SEQUENCE {
|
|
prime [0] INTEGER,
|
|
-- p
|
|
base [1] INTEGER,
|
|
-- g
|
|
private-value-length [2] INTEGER OPTIONAL
|
|
}
|
|
|
|
KERB-CERTIFICATE ::= SEQUENCE {
|
|
cert-type [0] INTEGER,
|
|
-- type of certificate
|
|
-- 1 = X.509v3 (DER encoding)
|
|
-- 2 = PGP (per PGP specification)
|
|
cert-data [1] OCTET STRING
|
|
-- actual certificate
|
|
-- type determined by certType
|
|
}
|
|
|
|
KERB-TYPED-DATA ::= SEQUENCE {
|
|
data-type [0] INTEGER,
|
|
data-value [1] OCTET STRING
|
|
}
|
|
|
|
--
|
|
--
|
|
-- Authorization data types
|
|
--
|
|
--
|
|
|
|
KERB-KDC-ISSUED-AUTH-DATA ::= SEQUENCE {
|
|
checksum [0] KERB-SIGNATURE,
|
|
elements [1] SEQUENCE OF KERB-PA-DATA
|
|
} --#public--
|
|
|
|
KERB-PA-SERV-REFERRAL ::= SEQUENCE {
|
|
referred-server-name[1] KERB-PRINCIPAL-NAME OPTIONAL,
|
|
referred-server-realm[0] KERB-REALM
|
|
} --#public--
|
|
|
|
--
|
|
-- PA data type for indicating whether a PAC should be included or
|
|
-- removed.
|
|
--
|
|
|
|
KERB-PA-PAC-REQUEST ::= SEQUENCE {
|
|
include-pac[0] BOOLEAN -- if TRUE, and no pac present,
|
|
-- include PAC. If FALSE, and pac
|
|
-- PAC present, remove PAC
|
|
} --#public--
|
|
|
|
PKERB-IF-RELEVANT-AUTH-DATA ::= PKERB-AUTHORIZATION-DATA --#public--
|
|
|
|
|
|
KERB-CHANGE-PASSWORD-DATA ::= SEQUENCE {
|
|
new-password[0] OCTET STRING,
|
|
target-name[1] KERB-PRINCIPAL-NAME OPTIONAL,
|
|
target-realm[2] KERB-REALM OPTIONAL
|
|
} --#public--
|
|
|
|
|
|
KERB-ERROR-METHOD-DATA ::= SEQUENCE {
|
|
data-type [1] INTEGER,
|
|
data-value [2] OCTET STRING OPTIONAL
|
|
} --#public--
|
|
|
|
KERB-EXT-ERROR ::= SEQUENCE {
|
|
status[0] INTEGER, -- NTStatus code
|
|
klininfo[1] INTEGER, -- klin macro info
|
|
flags[2] INTEGER -- used for passing extra info
|
|
}
|
|
|
|
TYPED-DATA ::= SEQUENCE OF KERB-TYPED-DATA --#public--
|
|
|
|
--
|
|
-- For ServiceForUserToSelf requests
|
|
-- PA Type 21
|
|
--
|
|
|
|
KERB-PA-FOR-USER ::= SEQUENCE {
|
|
-- PA TYPE 21
|
|
client-realm [0] KERB-REALM,
|
|
client-name [1] KERB-PRINCIPAL-NAME
|
|
}--#public--
|
|
|
|
|
|
END
|
|
|
|
|
|
|
|
|
|
|
|
|