summaryrefslogtreecommitdiffstats
path: root/crypto/heimdal/lib/asn1/k5.asn1
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/lib/asn1/k5.asn1')
-rw-r--r--crypto/heimdal/lib/asn1/k5.asn1303
1 files changed, 252 insertions, 51 deletions
diff --git a/crypto/heimdal/lib/asn1/k5.asn1 b/crypto/heimdal/lib/asn1/k5.asn1
index d9be266..18f1e15 100644
--- a/crypto/heimdal/lib/asn1/k5.asn1
+++ b/crypto/heimdal/lib/asn1/k5.asn1
@@ -1,4 +1,4 @@
--- $Id: k5.asn1,v 1.28.2.1 2004/06/21 08:25:45 lha Exp $
+-- $Id: k5.asn1 21965 2007-10-18 18:24:36Z lha $
KERBEROS5 DEFINITIONS ::=
BEGIN
@@ -10,7 +10,12 @@ NAME-TYPE ::= INTEGER {
KRB5_NT_SRV_HST(3), -- Service with host name as instance
KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
KRB5_NT_UID(5), -- Unique ID
- KRB5_NT_X500_PRINCIPAL(6) -- PKINIT
+ KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
+ KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
+ KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
+ KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
+ KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
+ KRB5_NT_MS_PRINCIPAL_AND_ID(-129) -- NT style name and SID
}
-- message types
@@ -46,16 +51,50 @@ PADATA-TYPE ::= INTEGER {
KRB5-PADATA-ETYPE-INFO(11),
KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
- KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT)
- KRB5-PADATA-PK-AS-REP(15), -- (PKINIT)
- KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT)
- KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT)
- KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT)
+ KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
+ KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
+ KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
+ KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
+ KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
+ KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
KRB5-PADATA-ETYPE-INFO2(19),
KRB5-PADATA-USE-SPECIFIED-KVNO(20),
+ KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
KRB5-PADATA-GET-FROM-TYPED-DATA(22),
- KRB5-PADATA-SAM-ETYPE-INFO(23)
+ KRB5-PADATA-SAM-ETYPE-INFO(23),
+ KRB5-PADATA-SERVER-REFERRAL(25),
+ KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
+ KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
+ KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
+ KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
+ KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
+ KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
+ KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
+ KRB5-PADATA-S4U2SELF(129),
+ KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
+ -- tell KDC that is supports
+ -- the asCheckSum in the
+ -- PK-AS-REP
+ KRB5-PADATA-CLIENT-CANONICALIZED(133) --
+}
+
+AUTHDATA-TYPE ::= INTEGER {
+ KRB5-AUTHDATA-IF-RELEVANT(1),
+ KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
+ KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
+ KRB5-AUTHDATA-KDC-ISSUED(4),
+ KRB5-AUTHDATA-AND-OR(5),
+ KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
+ KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
+ KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
+ KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
+ KRB5-AUTHDATA-OSF-DCE(64),
+ KRB5-AUTHDATA-SESAME(65),
+ KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
+ KRB5-AUTHDATA-WIN2K-PAC(128),
+ KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
+ KRB5-AUTHDATA-SIGNTICKET(-17)
}
-- checksumtypes
@@ -71,10 +110,11 @@ CKSUMTYPE ::= INTEGER {
CKSUMTYPE_RSA_MD5(7),
CKSUMTYPE_RSA_MD5_DES(8),
CKSUMTYPE_RSA_MD5_DES3(9),
- CKSUMTYPE_HMAC_SHA1_96_AES_128(10),
- CKSUMTYPE_HMAC_SHA1_96_AES_256(11),
+ CKSUMTYPE_SHA1_OTHER(10),
CKSUMTYPE_HMAC_SHA1_DES3(12),
- CKSUMTYPE_SHA1(1000), -- correct value? 10 (9 also)
+ CKSUMTYPE_SHA1(14),
+ CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
+ CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
CKSUMTYPE_GSSAPI(0x8003),
CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
@@ -97,16 +137,28 @@ ENCTYPE ::= INTEGER {
ETYPE_ARCFOUR_HMAC_MD5(23),
ETYPE_ARCFOUR_HMAC_MD5_56(24),
ETYPE_ENCTYPE_PK_CROSS(48),
+-- some "old" windows types
+ ETYPE_ARCFOUR_MD4(-128),
+ ETYPE_ARCFOUR_HMAC_OLD(-133),
+ ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use
ETYPE_DES_CBC_NONE(-0x1000),
ETYPE_DES3_CBC_NONE(-0x1001),
ETYPE_DES_CFB64_NONE(-0x1002),
- ETYPE_DES_PCBC_NONE(-0x1003)
+ ETYPE_DES_PCBC_NONE(-0x1003),
+ ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
+ ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
}
+
+
+
-- this is sugar to make something ASN1 does not have: unsigned
-UNSIGNED ::= INTEGER (0..4294967295)
+krb5uint32 ::= INTEGER (0..4294967295)
+krb5int32 ::= INTEGER (-2147483648..2147483647)
+
+KerberosString ::= GeneralString
Realm ::= GeneralString
PrincipalName ::= SEQUENCE {
@@ -121,14 +173,14 @@ Principal ::= SEQUENCE {
}
HostAddress ::= SEQUENCE {
- addr-type[0] INTEGER,
+ addr-type[0] krb5int32,
address[1] OCTET STRING
}
-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
--- addr-type[0] INTEGER,
+-- addr-type[0] krb5int32,
-- address[1] OCTET STRING
-- }
@@ -138,11 +190,13 @@ HostAddresses ::= SEQUENCE OF HostAddress
KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
-AuthorizationData ::= SEQUENCE OF SEQUENCE {
- ad-type[0] INTEGER,
+AuthorizationDataElement ::= SEQUENCE {
+ ad-type[0] krb5int32,
ad-data[1] OCTET STRING
}
+AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
+
APOptions ::= BIT STRING {
reserved(0),
use-session-key(1),
@@ -182,6 +236,7 @@ KDCOptions ::= BIT STRING {
unused11(11),
request-anonymous(14),
canonicalize(15),
+ constrained-delegation(16), -- ms extension
disable-transited-check(26),
renewable-ok(27),
enc-tkt-in-skey(28),
@@ -208,23 +263,23 @@ LastReq ::= SEQUENCE OF SEQUENCE {
EncryptedData ::= SEQUENCE {
etype[0] ENCTYPE, -- EncryptionType
- kvno[1] INTEGER OPTIONAL,
+ kvno[1] krb5int32 OPTIONAL,
cipher[2] OCTET STRING -- ciphertext
}
EncryptionKey ::= SEQUENCE {
- keytype[0] INTEGER,
+ keytype[0] krb5int32,
keyvalue[1] OCTET STRING
}
-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
- tr-type[0] INTEGER, -- must be registered
+ tr-type[0] krb5int32, -- must be registered
contents[1] OCTET STRING
}
Ticket ::= [APPLICATION 1] SEQUENCE {
- tkt-vno[0] INTEGER,
+ tkt-vno[0] krb5int32,
realm[1] Realm,
sname[2] PrincipalName,
enc-part[3] EncryptedData
@@ -250,16 +305,16 @@ Checksum ::= SEQUENCE {
}
Authenticator ::= [APPLICATION 2] SEQUENCE {
- authenticator-vno[0] INTEGER,
+ authenticator-vno[0] krb5int32,
crealm[1] Realm,
cname[2] PrincipalName,
cksum[3] Checksum OPTIONAL,
- cusec[4] INTEGER,
+ cusec[4] krb5int32,
ctime[5] KerberosTime,
subkey[6] EncryptionKey OPTIONAL,
- seq-number[7] UNSIGNED OPTIONAL,
+ seq-number[7] krb5uint32 OPTIONAL,
authorization-data[8] AuthorizationData OPTIONAL
- }
+}
PA-DATA ::= SEQUENCE {
-- might be encoded AP-REQ
@@ -270,13 +325,28 @@ PA-DATA ::= SEQUENCE {
ETYPE-INFO-ENTRY ::= SEQUENCE {
etype[0] ENCTYPE,
salt[1] OCTET STRING OPTIONAL,
- salttype[2] INTEGER OPTIONAL
+ salttype[2] krb5int32 OPTIONAL
}
ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+ etype[0] ENCTYPE,
+ salt[1] KerberosString OPTIONAL,
+ s2kparams[2] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
METHOD-DATA ::= SEQUENCE OF PA-DATA
+TypedData ::= SEQUENCE {
+ data-type[0] krb5int32,
+ data-value[1] OCTET STRING OPTIONAL
+}
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
+
KDC-REQ-BODY ::= SEQUENCE {
kdc-options[0] KDCOptions,
cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
@@ -286,7 +356,7 @@ KDC-REQ-BODY ::= SEQUENCE {
from[4] KerberosTime OPTIONAL,
till[5] KerberosTime OPTIONAL,
rtime[6] KerberosTime OPTIONAL,
- nonce[7] INTEGER,
+ nonce[7] krb5int32,
etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
-- in preference order
addresses[9] HostAddresses OPTIONAL,
@@ -296,7 +366,7 @@ KDC-REQ-BODY ::= SEQUENCE {
}
KDC-REQ ::= SEQUENCE {
- pvno[1] INTEGER,
+ pvno[1] krb5int32,
msg-type[2] MESSAGE-TYPE,
padata[3] METHOD-DATA OPTIONAL,
req-body[4] KDC-REQ-BODY
@@ -310,11 +380,20 @@ TGS-REQ ::= [APPLICATION 12] KDC-REQ
PA-ENC-TS-ENC ::= SEQUENCE {
patimestamp[0] KerberosTime, -- client's time
- pausec[1] INTEGER OPTIONAL
+ pausec[1] krb5int32 OPTIONAL
}
+-- draft-brezak-win2k-krb-authz-01
+PA-PAC-REQUEST ::= SEQUENCE {
+ include-pac[0] BOOLEAN -- Indicates whether a PAC
+ -- should be included or not
+}
+
+-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
+PROV-SRV-LOCATION ::= GeneralString
+
KDC-REP ::= SEQUENCE {
- pvno[0] INTEGER,
+ pvno[0] krb5int32,
msg-type[1] MESSAGE-TYPE,
padata[2] METHOD-DATA OPTIONAL,
crealm[3] Realm,
@@ -329,7 +408,7 @@ TGS-REP ::= [APPLICATION 13] KDC-REP
EncKDCRepPart ::= SEQUENCE {
key[0] EncryptionKey,
last-req[1] LastReq,
- nonce[2] INTEGER,
+ nonce[2] krb5int32,
key-expiration[3] KerberosTime OPTIONAL,
flags[4] TicketFlags,
authtime[5] KerberosTime,
@@ -338,14 +417,15 @@ EncKDCRepPart ::= SEQUENCE {
renew-till[8] KerberosTime OPTIONAL,
srealm[9] Realm,
sname[10] PrincipalName,
- caddr[11] HostAddresses OPTIONAL
+ caddr[11] HostAddresses OPTIONAL,
+ encrypted-pa-data[12] METHOD-DATA OPTIONAL
}
EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
AP-REQ ::= [APPLICATION 14] SEQUENCE {
- pvno[0] INTEGER,
+ pvno[0] krb5int32,
msg-type[1] MESSAGE-TYPE,
ap-options[2] APOptions,
ticket[3] Ticket,
@@ -353,50 +433,50 @@ AP-REQ ::= [APPLICATION 14] SEQUENCE {
}
AP-REP ::= [APPLICATION 15] SEQUENCE {
- pvno[0] INTEGER,
+ pvno[0] krb5int32,
msg-type[1] MESSAGE-TYPE,
enc-part[2] EncryptedData
}
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
ctime[0] KerberosTime,
- cusec[1] INTEGER,
+ cusec[1] krb5int32,
subkey[2] EncryptionKey OPTIONAL,
- seq-number[3] UNSIGNED OPTIONAL
+ seq-number[3] krb5uint32 OPTIONAL
}
KRB-SAFE-BODY ::= SEQUENCE {
user-data[0] OCTET STRING,
timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] UNSIGNED OPTIONAL,
+ usec[2] krb5int32 OPTIONAL,
+ seq-number[3] krb5uint32 OPTIONAL,
s-address[4] HostAddress OPTIONAL,
r-address[5] HostAddress OPTIONAL
}
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
- pvno[0] INTEGER,
+ pvno[0] krb5int32,
msg-type[1] MESSAGE-TYPE,
safe-body[2] KRB-SAFE-BODY,
cksum[3] Checksum
}
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
- pvno[0] INTEGER,
+ pvno[0] krb5int32,
msg-type[1] MESSAGE-TYPE,
enc-part[3] EncryptedData
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
user-data[0] OCTET STRING,
timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] UNSIGNED OPTIONAL,
+ usec[2] krb5int32 OPTIONAL,
+ seq-number[3] krb5uint32 OPTIONAL,
s-address[4] HostAddress OPTIONAL, -- sender's addr
r-address[5] HostAddress OPTIONAL -- recip's addr
}
KRB-CRED ::= [APPLICATION 22] SEQUENCE {
- pvno[0] INTEGER,
+ pvno[0] krb5int32,
msg-type[1] MESSAGE-TYPE, -- KRB_CRED
tickets[2] SEQUENCE OF Ticket,
enc-part[3] EncryptedData
@@ -418,21 +498,21 @@ KrbCredInfo ::= SEQUENCE {
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
ticket-info[0] SEQUENCE OF KrbCredInfo,
- nonce[1] INTEGER OPTIONAL,
+ nonce[1] krb5int32 OPTIONAL,
timestamp[2] KerberosTime OPTIONAL,
- usec[3] INTEGER OPTIONAL,
+ usec[3] krb5int32 OPTIONAL,
s-address[4] HostAddress OPTIONAL,
r-address[5] HostAddress OPTIONAL
}
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
- pvno[0] INTEGER,
+ pvno[0] krb5int32,
msg-type[1] MESSAGE-TYPE,
ctime[2] KerberosTime OPTIONAL,
- cusec[3] INTEGER OPTIONAL,
+ cusec[3] krb5int32 OPTIONAL,
stime[4] KerberosTime,
- susec[5] INTEGER,
- error-code[6] INTEGER,
+ susec[5] krb5int32,
+ error-code[6] krb5int32,
crealm[7] Realm OPTIONAL,
cname[8] PrincipalName OPTIONAL,
realm[9] Realm, -- Correct realm
@@ -447,11 +527,132 @@ ChangePasswdDataMS ::= SEQUENCE {
targrealm[2] Realm OPTIONAL
}
-pvno INTEGER ::= 5 -- current Kerberos protocol version number
+EtypeList ::= SEQUENCE OF krb5int32
+ -- the client's proposed enctype list in
+ -- decreasing preference order, favorite choice first
+
+krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
-- transited encodings
-DOMAIN-X500-COMPRESS INTEGER ::= 1
+DOMAIN-X500-COMPRESS krb5int32 ::= 1
+
+-- authorization data primitives
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+ ad-checksum[0] Checksum,
+ i-realm[1] Realm OPTIONAL,
+ i-sname[2] PrincipalName OPTIONAL,
+ elements[3] AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+ condition-count[0] INTEGER,
+ elements[1] AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
+
+PA-SAM-TYPE ::= INTEGER {
+ PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
+ PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
+ PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
+ PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
+ PA_SAM_TYPE_SECURID(5), -- Security Dynamics
+ PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
+}
+
+PA-SAM-REDIRECT ::= HostAddresses
+
+SAMFlags ::= BIT STRING {
+ use-sad-as-key(0),
+ send-encrypted-sad(1),
+ must-pk-encrypt-sad(2)
+}
+
+PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
+ sam-type[0] krb5int32,
+ sam-flags[1] SAMFlags,
+ sam-type-name[2] GeneralString OPTIONAL,
+ sam-track-id[3] GeneralString OPTIONAL,
+ sam-challenge-label[4] GeneralString OPTIONAL,
+ sam-challenge[5] GeneralString OPTIONAL,
+ sam-response-prompt[6] GeneralString OPTIONAL,
+ sam-pk-for-sad[7] EncryptionKey OPTIONAL,
+ sam-nonce[8] krb5int32,
+ sam-etype[9] krb5int32,
+ ...
+}
+
+PA-SAM-CHALLENGE-2 ::= SEQUENCE {
+ sam-body[0] PA-SAM-CHALLENGE-2-BODY,
+ sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
+ ...
+}
+
+PA-SAM-RESPONSE-2 ::= SEQUENCE {
+ sam-type[0] krb5int32,
+ sam-flags[1] SAMFlags,
+ sam-track-id[2] GeneralString OPTIONAL,
+ sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
+ sam-nonce[4] krb5int32,
+ ...
+}
+
+PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
+ sam-nonce[0] krb5int32,
+ sam-sad[1] GeneralString OPTIONAL,
+ ...
+}
+
+PA-S4U2Self ::= SEQUENCE {
+ name[0] PrincipalName,
+ realm[1] Realm,
+ cksum[2] Checksum,
+ auth[3] GeneralString
+}
+
+KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
+
+-- never encoded on the wire, just used to checksum over
+KRB5SignedPathData ::= SEQUENCE {
+ encticket[0] EncTicketPart,
+ delegated[1] KRB5SignedPathPrincipals OPTIONAL
+}
+
+KRB5SignedPath ::= SEQUENCE {
+ -- DERcoded KRB5SignedPathData
+ -- krbtgt key (etype), KeyUsage = XXX
+ etype[0] ENCTYPE,
+ cksum[1] Checksum,
+ -- srvs delegated though
+ delegated[2] KRB5SignedPathPrincipals OPTIONAL
+}
+
+PA-ClientCanonicalizedNames ::= SEQUENCE{
+ requested-name [0] PrincipalName,
+ real-name [1] PrincipalName
+}
+
+PA-ClientCanonicalized ::= SEQUENCE {
+ names [0] PA-ClientCanonicalizedNames,
+ canon-checksum [1] Checksum
+}
+
+AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
+ login-alias [0] PrincipalName,
+ checksum [1] Checksum
+}
+
+-- old ms referral
+PA-SvrReferralData ::= SEQUENCE {
+ referred-name [1] PrincipalName OPTIONAL,
+ referred-realm [0] Realm
+}
END
OpenPOWER on IntegriCloud