diff options
Diffstat (limited to 'crypto/heimdal/lib/asn1/pkinit.asn1')
-rw-r--r-- | crypto/heimdal/lib/asn1/pkinit.asn1 | 287 |
1 files changed, 140 insertions, 147 deletions
diff --git a/crypto/heimdal/lib/asn1/pkinit.asn1 b/crypto/heimdal/lib/asn1/pkinit.asn1 index 92c5de7..989b265 100644 --- a/crypto/heimdal/lib/asn1/pkinit.asn1 +++ b/crypto/heimdal/lib/asn1/pkinit.asn1 @@ -1,189 +1,182 @@ +-- $Id$ -- + PKINIT DEFINITIONS ::= BEGIN -IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData - FROM krb5; -IMPORTS SignedData, EnvelopedData FROM CMS; -IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509; +IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5 + IssuerAndSerialNumber, ContentInfo FROM cms + SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459 + heim_any FROM heim; +id-pkinit OBJECT IDENTIFIER ::= + { iso (1) org (3) dod (6) internet (1) security (5) + kerberosv5 (2) pkinit (3) } --- 3.1 +id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 } +id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 } +id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 } +id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 } +id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 } -CertPrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF UTF8String -} +id-pkinit-san OBJECT IDENTIFIER ::= + { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) + x509-sanan(2) } +id-pkinit-ms-eku OBJECT IDENTIFIER ::= + { iso(1) org(3) dod(6) internet(1) private(4) + enterprise(1) microsoft(311) 20 2 2 } --- 3.2.2 +id-pkinit-ms-san OBJECT IDENTIFIER ::= + { iso(1) org(3) dod(6) internet(1) private(4) + enterprise(1) microsoft(311) 20 2 3 } +MS-UPN-SAN ::= UTF8String -TrustedCertifiers ::= SEQUENCE OF PrincipalName - -- X.500 name encoded as a principal name - -- see Section 3.1 -CertificateIndex ::= INTEGER - -- 0 = 1st certificate, - -- (in order of encoding) - -- 1 = 2nd certificate, etc +pa-pk-as-req INTEGER ::= 16 +pa-pk-as-rep INTEGER ::= 17 -PA-PK-AS-REP ::= CHOICE { - -- PA TYPE 15 - dhSignedData[0] SignedData, - -- Defined in CMS and used only with - -- Diffie-Hellman key exchange (if the - -- client public value was present in the - -- request). - -- This choice MUST be supported - -- by compliant implementations. - encKeyPack[1] EnvelopedData - -- Defined in CMS - -- The temporary key is encrypted - -- using the client public key - -- key - -- SignedReplyKeyPack, encrypted - -- with the temporary key, is also - -- included. -} - - - -KdcDHKeyInfo ::= SEQUENCE { - -- used only when utilizing Diffie-Hellman - nonce[0] INTEGER, - -- binds responce to the request - subjectPublicKey[2] BIT STRING - -- Equals public exponent (g^a mod p) - -- INTEGER encoded as payload of - -- BIT STRING +td-trusted-certifiers INTEGER ::= 104 +td-invalid-certificates INTEGER ::= 105 +td-dh-parameters INTEGER ::= 109 + +DHNonce ::= OCTET STRING + +KDFAlgorithmId ::= SEQUENCE { + kdf-id [0] OBJECT IDENTIFIER, + ... } -ReplyKeyPack ::= SEQUENCE { - -- not used for Diffie-Hellman - replyKey[0] EncryptionKey, - -- used to encrypt main reply - -- ENCTYPE is at least as strong as - -- ENCTYPE of session key - nonce[1] INTEGER - -- binds response to the request - -- must be same as the nonce - -- passed in the PKAuthenticator -} - --- subjectAltName EXTENSION ::= { --- SYNTAX GeneralNames --- IDENTIFIED BY id-ce-subjectAltName --- } - -OtherName ::= SEQUENCE { - type-id OBJECT IDENTIFIER, - value[0] OCTET STRING --- value[0] EXPLICIT ANY DEFINED BY type-id -} - -GeneralName ::= CHOICE { - otherName [0] OtherName, +TrustedCA ::= SEQUENCE { + caName [0] IMPLICIT OCTET STRING, + certificateSerialNumber [1] INTEGER OPTIONAL, + subjectKeyIdentifier [2] OCTET STRING OPTIONAL, ... } -GeneralNames ::= SEQUENCE -- SIZE(1..MAX) - OF GeneralName +ExternalPrincipalIdentifier ::= SEQUENCE { + subjectName [0] IMPLICIT OCTET STRING OPTIONAL, + issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, + subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, + ... +} -KerberosName ::= SEQUENCE { - realm[0] Realm, - -- as defined in RFC 1510 - principalName[1] CertPrincipalName - -- defined above +ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier + +PA-PK-AS-REQ ::= SEQUENCE { + signedAuthPack [0] IMPLICIT OCTET STRING, + trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL, + kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL, + ... } +PKAuthenticator ::= SEQUENCE { + cusec [0] INTEGER -- (0..999999) --, + ctime [1] KerberosTime, + nonce [2] INTEGER (0..4294967295), + paChecksum [3] OCTET STRING OPTIONAL, + ... +} --- krb5 OBJECT IDENTIFIER ::= { --- iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2) --- } +AuthPack ::= SEQUENCE { + pkAuthenticator [0] PKAuthenticator, + clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, + supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL, + clientDHNonce [3] DHNonce OPTIONAL, + ..., + supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL, + ... +} --- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 } +TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers +TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers --- 3.2.1 +KRB5PrincipalName ::= SEQUENCE { + realm [0] Realm, + principalName [1] PrincipalName +} +AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier -IssuerAndSerialNumber ::= SEQUENCE { - issuer Name, - serialNumber CertificateSerialNumber +DHRepInfo ::= SEQUENCE { + dhSignedData [0] IMPLICIT OCTET STRING, + serverDHNonce [1] DHNonce OPTIONAL, + ..., + kdf [2] KDFAlgorithmId OPTIONAL, + ... } -TrustedCas ::= CHOICE { - principalName[0] KerberosName, - -- as defined below - caName[1] Name, - -- fully qualified X.500 name - -- as defined by X.509 - issuerAndSerial[2] IssuerAndSerialNumber - -- Since a CA may have a number of - -- certificates, only one of which - -- a client trusts +PA-PK-AS-REP ::= CHOICE { + dhInfo [0] DHRepInfo, + encKeyPack [1] IMPLICIT OCTET STRING, + ... } -PA-PK-AS-REQ ::= SEQUENCE { - -- PA TYPE 14 - signedAuthPack[0] SignedData, - -- defined in CMS [11] - -- AuthPack (below) defines the data - -- that is signed - trustedCertifiers[1] SEQUENCE OF TrustedCas OPTIONAL, - -- CAs that the client trusts - kdcCert[2] IssuerAndSerialNumber OPTIONAL, - -- as defined in CMS [11] - -- specifies a particular KDC - -- certificate if the client - -- already has it; - encryptionCert[3] IssuerAndSerialNumber OPTIONAL - -- For example, this may be the - -- client's Diffie-Hellman - -- certificate, or it may be the - -- client's RSA encryption - -- certificate. +KDCDHKeyInfo ::= SEQUENCE { + subjectPublicKey [0] BIT STRING, + nonce [1] INTEGER (0..4294967295), + dhKeyExpiration [2] KerberosTime OPTIONAL, + ... } -PKAuthenticator ::= SEQUENCE { - kdcName[0] PrincipalName, - kdcRealm[1] Realm, - cusec[2] INTEGER, - -- for replay prevention as in RFC1510 - ctime[3] KerberosTime, - -- for replay prevention as in RFC1510 - nonce[4] INTEGER +ReplyKeyPack ::= SEQUENCE { + replyKey [0] EncryptionKey, + asChecksum [1] Checksum, + ... } --- This is the real definition of AlgorithmIdentifier --- AlgorithmIdentifier ::= SEQUENCE { --- algorithm ALGORITHM.&id, --- parameters ALGORITHM.&Type --- } -- as specified by the X.509 recommendation[10] +TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier + --- But we'll use this one instead: +-- Windows compat glue -- -AlgorithmIdentifier ::= SEQUENCE { - algorithm OBJECT IDENTIFIER, - parameters CHOICE { - a INTEGER - } +PKAuthenticator-Win2k ::= SEQUENCE { + kdcName [0] PrincipalName, + kdcRealm [1] Realm, + cusec [2] INTEGER (0..4294967295), + ctime [3] KerberosTime, + nonce [4] INTEGER (-2147483648..2147483647) } +AuthPack-Win2k ::= SEQUENCE { + pkAuthenticator [0] PKAuthenticator-Win2k, + clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL +} -SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - -- dhKeyAgreement - subjectPublicKey BIT STRING - -- for DH, equals - -- public exponent (INTEGER encoded - -- as payload of BIT STRING) -} -- as specified by the X.509 recommendation[10] +TrustedCA-Win2k ::= CHOICE { + caName [1] heim_any, + issuerAndSerial [2] IssuerAndSerialNumber +} -AuthPack ::= SEQUENCE { - pkAuthenticator[0] PKAuthenticator, - clientPublicValue[1] SubjectPublicKeyInfo OPTIONAL - -- if client is using Diffie-Hellman - -- (ephemeral-ephemeral only) +PA-PK-AS-REQ-Win2k ::= SEQUENCE { + signed-auth-pack [0] IMPLICIT OCTET STRING, + trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL, + kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL, + encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL } +PA-PK-AS-REP-Win2k ::= CHOICE { + dhSignedData [0] IMPLICIT OCTET STRING, + encKeyPack [1] IMPLICIT OCTET STRING +} + + +KDCDHKeyInfo-Win2k ::= SEQUENCE { + nonce [0] INTEGER (-2147483648..2147483647), + subjectPublicKey [2] BIT STRING +} + +ReplyKeyPack-Win2k ::= SEQUENCE { + replyKey [0] EncryptionKey, + nonce [1] INTEGER (-2147483648..2147483647), + ... +} + +PkinitSuppPubInfo ::= SEQUENCE { + enctype [0] INTEGER (-2147483648..2147483647), + as-REQ [1] OCTET STRING, + pk-as-rep [2] OCTET STRING, + ticket [3] Ticket, + ... +} END |