KERBEROS5 DEFINITIONS ::=
BEGIN

nt-unknown INTEGER ::= 0 -- Name type not known
nt-principal INTEGER ::= 1 -- Just the name of the principal as in
nt-srv-inst INTEGER ::= 2 -- Service and other unique instance (krbtgt)
nt-srv-hst INTEGER ::= 3 -- Service with host name as instance
nt-srv-xhst INTEGER ::= 4 -- Service with host as remaining components
nt-uid INTEGER ::= 5 -- Unique ID

Realm ::= GeneralString
PrincipalName ::= SEQUENCE {
	name-type[0]		INTEGER,
	name-string[1]		SEQUENCE OF GeneralString
}

-- this is not part of RFC1510
Principal ::= SEQUENCE {
	name[0]			PrincipalName,
	realm[1]		Realm
}

HostAddress ::= SEQUENCE  {
	addr-type[0]		INTEGER,
	address[1]		OCTET STRING
}

-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
-- 	addr-type[0]		INTEGER,
--	address[1]		OCTET STRING
-- }

-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress


KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

AuthorizationData ::= SEQUENCE OF SEQUENCE {
	ad-type[0]		INTEGER,
	ad-data[1]		OCTET STRING
}

APOptions ::= BIT STRING {
	reserved(0),
	use-session-key(1),
	mutual-required(2)
}

TicketFlags ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	may-postdate(5),
	postdated(6),
	invalid(7),
	renewable(8),
	initial(9),
	pre-authent(10),
	hw-authent(11),
	transited-policy-checked(12),
	ok-as-delegate(13),
	anonymous(14)
}

KDCOptions ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	allow-postdate(5),
	postdated(6),
	unused7(7),
	renewable(8),
	unused9(9),
	unused10(10),
	unused11(11),
	request-anonymous(14),
	disable-transited-check(26),
	renewable-ok(27),
	enc-tkt-in-skey(28),
	renew(30),
	validate(31)
}


LastReq ::= SEQUENCE OF SEQUENCE {
	lr-type[0]		INTEGER,
	lr-value[1]		KerberosTime
}

EncryptedData ::= SEQUENCE {
	etype[0] 		INTEGER, -- EncryptionType
	kvno[1]			INTEGER OPTIONAL,
	cipher[2]		OCTET STRING -- ciphertext
}

EncryptionKey ::= SEQUENCE {
	keytype[0]		INTEGER,
	keyvalue[1]		OCTET STRING
}

-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
	tr-type[0]		INTEGER, -- must be registered
	contents[1]		OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
	tkt-vno[0]		INTEGER,
	realm[1]		Realm,
	sname[2]		PrincipalName,
	enc-part[3]		EncryptedData
}
-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
	flags[0]		TicketFlags,
	key[1]			EncryptionKey,
	crealm[2]		Realm,
	cname[3]		PrincipalName,
	transited[4]		TransitedEncoding,
	authtime[5]		KerberosTime,
	starttime[6]		KerberosTime OPTIONAL,
	endtime[7]		KerberosTime,
	renew-till[8]		KerberosTime OPTIONAL,
	caddr[9]		HostAddresses OPTIONAL,
	authorization-data[10]	AuthorizationData OPTIONAL
}

Checksum ::= SEQUENCE {
	cksumtype[0]		INTEGER,
	checksum[1]		OCTET STRING
}

Authenticator ::= [APPLICATION 2] SEQUENCE    {
	authenticator-vno[0]	INTEGER,
	crealm[1]		Realm,
	cname[2]		PrincipalName,
	cksum[3]		Checksum OPTIONAL,
	cusec[4]		INTEGER,
	ctime[5]		KerberosTime,
	subkey[6]		EncryptionKey OPTIONAL,
	seq-number[7]		INTEGER OPTIONAL,
	authorization-data[8]	AuthorizationData OPTIONAL
	}

PA-DATA ::= SEQUENCE {
	-- might be encoded AP-REQ
	padata-type[1]		INTEGER,
	padata-value[2]		OCTET STRING
}

ETYPE-INFO-ENTRY ::= SEQUENCE {
	etype[0]		INTEGER,
	salt[1]			OCTET STRING OPTIONAL,
	salttype[2]		INTEGER OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

METHOD-DATA ::= SEQUENCE OF PA-DATA

KDC-REQ-BODY ::= SEQUENCE {
	kdc-options[0]		KDCOptions,
	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
	realm[2]		Realm,	-- Server's realm
					-- Also client's in AS-REQ
	sname[3]		PrincipalName OPTIONAL,
	from[4]			KerberosTime OPTIONAL,
	till[5]			KerberosTime OPTIONAL,
	rtime[6]		KerberosTime OPTIONAL,
	nonce[7]		INTEGER,
	etype[8]		SEQUENCE OF INTEGER, -- EncryptionType,
					-- in preference order
	addresses[9]		HostAddresses OPTIONAL,
	enc-authorization-data[10] EncryptedData OPTIONAL,
					-- Encrypted AuthorizationData encoding
	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
}

KDC-REQ ::= SEQUENCE {
	pvno[1]			INTEGER,
	msg-type[2]		INTEGER,
	padata[3]		METHOD-DATA OPTIONAL,
	req-body[4]		KDC-REQ-BODY
}

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC

PA-ENC-TS-ENC ::= SEQUENCE {
	patimestamp[0]		KerberosTime, -- client's time
	pausec[1]		INTEGER OPTIONAL
}

KDC-REP ::= SEQUENCE {
	pvno[0]			INTEGER,
	msg-type[1]		INTEGER,
	padata[2]		METHOD-DATA OPTIONAL,
	crealm[3]		Realm,
	cname[4]		PrincipalName,
	ticket[5]		Ticket,
	enc-part[6]		EncryptedData
}

AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP

EncKDCRepPart ::= SEQUENCE {
	key[0]			EncryptionKey,
	last-req[1]		LastReq,
	nonce[2]		INTEGER,
	key-expiration[3]	KerberosTime OPTIONAL,
	flags[4]		TicketFlags,
	authtime[5]		KerberosTime,
	starttime[6]		KerberosTime OPTIONAL,
	endtime[7]		KerberosTime,
	renew-till[8]		KerberosTime OPTIONAL,
	srealm[9]		Realm,
	sname[10]		PrincipalName,
	caddr[11]		HostAddresses OPTIONAL
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

AP-REQ ::= [APPLICATION 14] SEQUENCE {
	pvno[0]			INTEGER,
	msg-type[1]		INTEGER,
	ap-options[2]		APOptions,
	ticket[3]		Ticket,
	authenticator[4]	EncryptedData
}

AP-REP ::= [APPLICATION 15] SEQUENCE {
	pvno[0]			INTEGER,
	msg-type[1]		INTEGER,
	enc-part[2]		EncryptedData
}

EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
	ctime[0]		KerberosTime,
	cusec[1]		INTEGER,
	subkey[2]		EncryptionKey OPTIONAL,
	seq-number[3]		INTEGER OPTIONAL
}

KRB-SAFE-BODY ::= SEQUENCE {
	user-data[0]		OCTET STRING,
	timestamp[1]		KerberosTime OPTIONAL,
	usec[2]			INTEGER OPTIONAL,
	seq-number[3]		INTEGER OPTIONAL,
	s-address[4]		HostAddress OPTIONAL,
	r-address[5]		HostAddress OPTIONAL
}

KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
	pvno[0]			INTEGER,
	msg-type[1]		INTEGER,
	safe-body[2]		KRB-SAFE-BODY,
	cksum[3]		Checksum
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
	pvno[0]			INTEGER,
	msg-type[1]		INTEGER,
	enc-part[3]		EncryptedData
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
	user-data[0]		OCTET STRING,
	timestamp[1]		KerberosTime OPTIONAL,
	usec[2]			INTEGER OPTIONAL,
	seq-number[3]		INTEGER OPTIONAL,
	s-address[4]		HostAddress OPTIONAL, -- sender's addr
	r-address[5]		HostAddress OPTIONAL  -- recip's addr
}

KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
	pvno[0]			INTEGER,
	msg-type[1]		INTEGER, -- KRB_CRED
	tickets[2]		SEQUENCE OF Ticket,
	enc-part[3]		EncryptedData
}

KrbCredInfo ::= SEQUENCE {
	key[0]			EncryptionKey,
	prealm[1]		Realm OPTIONAL,
	pname[2]		PrincipalName OPTIONAL,
	flags[3]		TicketFlags OPTIONAL,
	authtime[4]		KerberosTime OPTIONAL,
	starttime[5]		KerberosTime OPTIONAL,
	endtime[6] 		KerberosTime OPTIONAL,
	renew-till[7]		KerberosTime OPTIONAL,
	srealm[8]		Realm OPTIONAL,
	sname[9]		PrincipalName OPTIONAL,
	caddr[10]		HostAddresses OPTIONAL
}

EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
	ticket-info[0]		SEQUENCE OF KrbCredInfo,
	nonce[1]		INTEGER OPTIONAL,
	timestamp[2]		KerberosTime OPTIONAL,
	usec[3]			INTEGER OPTIONAL,
	s-address[4]		HostAddress OPTIONAL,
	r-address[5]		HostAddress OPTIONAL
}

KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
	pvno[0]			INTEGER,
	msg-type[1]		INTEGER,
	ctime[2]		KerberosTime OPTIONAL,
	cusec[3]		INTEGER OPTIONAL,
	stime[4]		KerberosTime,
	susec[5]		INTEGER,
	error-code[6]		INTEGER,
	crealm[7]		Realm OPTIONAL,
	cname[8]		PrincipalName OPTIONAL,
	realm[9]		Realm, -- Correct realm
	sname[10]		PrincipalName, -- Correct name
	e-text[11]		GeneralString OPTIONAL,
	e-data[12]		OCTET STRING OPTIONAL
}

pvno INTEGER ::= 5 -- current Kerberos protocol version number

-- message types

krb-as-req INTEGER ::= 10 -- Request for initial authentication
krb-as-rep INTEGER ::= 11 -- Response to KRB_AS_REQ request
krb-tgs-req INTEGER ::= 12 -- Request for authentication based on TGT
krb-tgs-rep INTEGER ::= 13 -- Response to KRB_TGS_REQ request
krb-ap-req INTEGER ::= 14 -- application request to server
krb-ap-rep INTEGER ::= 15 -- Response to KRB_AP_REQ_MUTUAL
krb-safe INTEGER ::= 20 -- Safe (checksummed) application message
krb-priv INTEGER ::= 21 -- Private (encrypted) application message
krb-cred INTEGER ::= 22 -- Private (encrypted) message to forward credentials
krb-error INTEGER ::= 30 -- Error response

-- pa-data types

pa-tgs-req		INTEGER ::= 1
pa-enc-timestamp	INTEGER ::= 2
pa-pw-salt		INTEGER ::= 3
pa-enc-unix-time	INTEGER ::= 5
pa-sandia-secureid	INTEGER ::= 6
pa-sesame		INTEGER ::= 7
pa-osf-dce		INTEGER ::= 8
pa-cybersafe-secureid	INTEGER ::= 9
pa-afs3-salt		INTEGER ::= 10
pa-etype-info		INTEGER ::= 11
sam-challenge		INTEGER ::= 12 -- (sam/otp)
sam-response		INTEGER ::= 13 -- (sam/otp)
pa-pk-as-req		INTEGER ::= 14 -- (pkinit)
pa-pk-as-rep		INTEGER ::= 15 -- (pkinit)
pa-pk-as-sign		INTEGER ::= 16 -- (pkinit)
pa-pk-key-req		INTEGER ::= 17 -- (pkinit)
pa-pk-key-rep		INTEGER ::= 18 -- (pkinit)
-- checksumtypes

CRC32 			INTEGER ::= 1
rsa-md4 		INTEGER ::= 2
rsa-md4-des		INTEGER ::= 3
des-mac			INTEGER ::= 4
des-mac-k 		INTEGER ::= 5
rsa-md4-des-k		INTEGER ::= 6
rsa-md5			INTEGER ::= 7
rsa-md5-des		INTEGER ::= 8
rsa-md5-des3		INTEGER ::= 9
hmac-sha1-des3		INTEGER ::= 12

-- transited encodings

DOMAIN-X500-COMPRESS	INTEGER ::= 1

END

-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1