summaryrefslogtreecommitdiffstats
path: root/crypto/heimdal/lib/asn1/pkinit.asn1
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/lib/asn1/pkinit.asn1')
-rw-r--r--crypto/heimdal/lib/asn1/pkinit.asn1189
1 files changed, 189 insertions, 0 deletions
diff --git a/crypto/heimdal/lib/asn1/pkinit.asn1 b/crypto/heimdal/lib/asn1/pkinit.asn1
new file mode 100644
index 0000000..92c5de7
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/pkinit.asn1
@@ -0,0 +1,189 @@
+PKINIT DEFINITIONS ::= BEGIN
+
+IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData
+ FROM krb5;
+IMPORTS SignedData, EnvelopedData FROM CMS;
+IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509;
+
+
+-- 3.1
+
+CertPrincipalName ::= SEQUENCE {
+ name-type[0] INTEGER,
+ name-string[1] SEQUENCE OF UTF8String
+}
+
+
+-- 3.2.2
+
+
+TrustedCertifiers ::= SEQUENCE OF PrincipalName
+ -- X.500 name encoded as a principal name
+ -- see Section 3.1
+CertificateIndex ::= INTEGER
+ -- 0 = 1st certificate,
+ -- (in order of encoding)
+ -- 1 = 2nd certificate, etc
+
+PA-PK-AS-REP ::= CHOICE {
+ -- PA TYPE 15
+ dhSignedData[0] SignedData,
+ -- Defined in CMS and used only with
+ -- Diffie-Hellman key exchange (if the
+ -- client public value was present in the
+ -- request).
+ -- This choice MUST be supported
+ -- by compliant implementations.
+ encKeyPack[1] EnvelopedData
+ -- Defined in CMS
+ -- The temporary key is encrypted
+ -- using the client public key
+ -- key
+ -- SignedReplyKeyPack, encrypted
+ -- with the temporary key, is also
+ -- included.
+}
+
+
+
+KdcDHKeyInfo ::= SEQUENCE {
+ -- used only when utilizing Diffie-Hellman
+ nonce[0] INTEGER,
+ -- binds responce to the request
+ subjectPublicKey[2] BIT STRING
+ -- Equals public exponent (g^a mod p)
+ -- INTEGER encoded as payload of
+ -- BIT STRING
+}
+
+ReplyKeyPack ::= SEQUENCE {
+ -- not used for Diffie-Hellman
+ replyKey[0] EncryptionKey,
+ -- used to encrypt main reply
+ -- ENCTYPE is at least as strong as
+ -- ENCTYPE of session key
+ nonce[1] INTEGER
+ -- binds response to the request
+ -- must be same as the nonce
+ -- passed in the PKAuthenticator
+}
+
+-- subjectAltName EXTENSION ::= {
+-- SYNTAX GeneralNames
+-- IDENTIFIED BY id-ce-subjectAltName
+-- }
+
+OtherName ::= SEQUENCE {
+ type-id OBJECT IDENTIFIER,
+ value[0] OCTET STRING
+-- value[0] EXPLICIT ANY DEFINED BY type-id
+}
+
+GeneralName ::= CHOICE {
+ otherName [0] OtherName,
+ ...
+}
+
+GeneralNames ::= SEQUENCE -- SIZE(1..MAX)
+ OF GeneralName
+
+KerberosName ::= SEQUENCE {
+ realm[0] Realm,
+ -- as defined in RFC 1510
+ principalName[1] CertPrincipalName
+ -- defined above
+}
+
+
+-- krb5 OBJECT IDENTIFIER ::= {
+-- iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2)
+-- }
+
+-- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
+
+-- 3.2.1
+
+
+IssuerAndSerialNumber ::= SEQUENCE {
+ issuer Name,
+ serialNumber CertificateSerialNumber
+}
+
+TrustedCas ::= CHOICE {
+ principalName[0] KerberosName,
+ -- as defined below
+ caName[1] Name,
+ -- fully qualified X.500 name
+ -- as defined by X.509
+ issuerAndSerial[2] IssuerAndSerialNumber
+ -- Since a CA may have a number of
+ -- certificates, only one of which
+ -- a client trusts
+}
+
+PA-PK-AS-REQ ::= SEQUENCE {
+ -- PA TYPE 14
+ signedAuthPack[0] SignedData,
+ -- defined in CMS [11]
+ -- AuthPack (below) defines the data
+ -- that is signed
+ trustedCertifiers[1] SEQUENCE OF TrustedCas OPTIONAL,
+ -- CAs that the client trusts
+ kdcCert[2] IssuerAndSerialNumber OPTIONAL,
+ -- as defined in CMS [11]
+ -- specifies a particular KDC
+ -- certificate if the client
+ -- already has it;
+ encryptionCert[3] IssuerAndSerialNumber OPTIONAL
+ -- For example, this may be the
+ -- client's Diffie-Hellman
+ -- certificate, or it may be the
+ -- client's RSA encryption
+ -- certificate.
+}
+
+PKAuthenticator ::= SEQUENCE {
+ kdcName[0] PrincipalName,
+ kdcRealm[1] Realm,
+ cusec[2] INTEGER,
+ -- for replay prevention as in RFC1510
+ ctime[3] KerberosTime,
+ -- for replay prevention as in RFC1510
+ nonce[4] INTEGER
+}
+
+-- This is the real definition of AlgorithmIdentifier
+-- AlgorithmIdentifier ::= SEQUENCE {
+-- algorithm ALGORITHM.&id,
+-- parameters ALGORITHM.&Type
+-- } -- as specified by the X.509 recommendation[10]
+
+-- But we'll use this one instead:
+
+AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters CHOICE {
+ a INTEGER
+ }
+}
+
+
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ -- dhKeyAgreement
+ subjectPublicKey BIT STRING
+ -- for DH, equals
+ -- public exponent (INTEGER encoded
+ -- as payload of BIT STRING)
+} -- as specified by the X.509 recommendation[10]
+
+AuthPack ::= SEQUENCE {
+ pkAuthenticator[0] PKAuthenticator,
+ clientPublicValue[1] SubjectPublicKeyInfo OPTIONAL
+ -- if client is using Diffie-Hellman
+ -- (ephemeral-ephemeral only)
+}
+
+
+END
OpenPOWER on IntegriCloud