| blob | a8a36ab3d4afa24cacac6190aa612fc890bfde5f |
1 -- $Id: k5.asn1,v 1.8 2008/03/22 08:37:04 mlelstv Exp $
3 KERBEROS5 DEFINITIONS ::=
4 BEGIN
6 NAME-TYPE ::= INTEGER {
7 KRB5_NT_UNKNOWN(0), -- Name type not known
8 KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
9 KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
10 KRB5_NT_SRV_HST(3), -- Service with host name as instance
11 KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
12 KRB5_NT_UID(5), -- Unique ID
13 KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
14 KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
15 KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
16 KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
17 KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
18 KRB5_NT_MS_PRINCIPAL_AND_ID(-129) -- NT style name and SID
19 }
21 -- message types
23 MESSAGE-TYPE ::= INTEGER {
24 krb-as-req(10), -- Request for initial authentication
25 krb-as-rep(11), -- Response to KRB_AS_REQ request
26 krb-tgs-req(12), -- Request for authentication based on TGT
27 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
28 krb-ap-req(14), -- application request to server
29 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
30 krb-safe(20), -- Safe (checksummed) application message
31 krb-priv(21), -- Private (encrypted) application message
32 krb-cred(22), -- Private (encrypted) message to forward credentials
33 krb-error(30) -- Error response
34 }
37 -- pa-data types
39 PADATA-TYPE ::= INTEGER {
40 KRB5-PADATA-NONE(0),
41 KRB5-PADATA-TGS-REQ(1),
42 KRB5-PADATA-AP-REQ(1),
43 KRB5-PADATA-ENC-TIMESTAMP(2),
44 KRB5-PADATA-PW-SALT(3),
45 KRB5-PADATA-ENC-UNIX-TIME(5),
46 KRB5-PADATA-SANDIA-SECUREID(6),
47 KRB5-PADATA-SESAME(7),
48 KRB5-PADATA-OSF-DCE(8),
49 KRB5-PADATA-CYBERSAFE-SECUREID(9),
50 KRB5-PADATA-AFS3-SALT(10),
51 KRB5-PADATA-ETYPE-INFO(11),
52 KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
53 KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
54 KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
55 KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
56 KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
57 KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
58 KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
59 KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
60 KRB5-PADATA-ETYPE-INFO2(19),
61 KRB5-PADATA-USE-SPECIFIED-KVNO(20),
62 KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
63 KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
64 KRB5-PADATA-GET-FROM-TYPED-DATA(22),
65 KRB5-PADATA-SAM-ETYPE-INFO(23),
66 KRB5-PADATA-SERVER-REFERRAL(25),
67 KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
68 KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
69 KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
70 KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
71 KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
72 KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
73 KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
74 KRB5-PADATA-S4U2SELF(129),
75 KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
76 -- tell KDC that is supports
77 -- the asCheckSum in the
78 -- PK-AS-REP
79 KRB5-PADATA-CLIENT-CANONICALIZED(133) --
80 }
82 AUTHDATA-TYPE ::= INTEGER {
83 KRB5-AUTHDATA-IF-RELEVANT(1),
84 KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
85 KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
86 KRB5-AUTHDATA-KDC-ISSUED(4),
87 KRB5-AUTHDATA-AND-OR(5),
88 KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
89 KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
90 KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
91 KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
92 KRB5-AUTHDATA-OSF-DCE(64),
93 KRB5-AUTHDATA-SESAME(65),
94 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
95 KRB5-AUTHDATA-WIN2K-PAC(128),
96 KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
97 KRB5-AUTHDATA-SIGNTICKET(-17)
98 }
100 -- checksumtypes
102 CKSUMTYPE ::= INTEGER {
103 CKSUMTYPE_NONE(0),
104 CKSUMTYPE_CRC32(1),
105 CKSUMTYPE_RSA_MD4(2),
106 CKSUMTYPE_RSA_MD4_DES(3),
107 CKSUMTYPE_DES_MAC(4),
108 CKSUMTYPE_DES_MAC_K(5),
109 CKSUMTYPE_RSA_MD4_DES_K(6),
110 CKSUMTYPE_RSA_MD5(7),
111 CKSUMTYPE_RSA_MD5_DES(8),
112 CKSUMTYPE_RSA_MD5_DES3(9),
113 CKSUMTYPE_SHA1_OTHER(10),
114 CKSUMTYPE_HMAC_SHA1_DES3(12),
115 CKSUMTYPE_SHA1(14),
116 CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
117 CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
118 CKSUMTYPE_GSSAPI(0x8003),
119 CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
120 CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
121 }
123 --enctypes
124 ENCTYPE ::= INTEGER {
125 ETYPE_NULL(0),
126 ETYPE_DES_CBC_CRC(1),
127 ETYPE_DES_CBC_MD4(2),
128 ETYPE_DES_CBC_MD5(3),
129 ETYPE_DES3_CBC_MD5(5),
130 ETYPE_OLD_DES3_CBC_SHA1(7),
131 ETYPE_SIGN_DSA_GENERATE(8),
132 ETYPE_ENCRYPT_RSA_PRIV(9),
133 ETYPE_ENCRYPT_RSA_PUB(10),
134 ETYPE_DES3_CBC_SHA1(16), -- with key derivation
135 ETYPE_AES128_CTS_HMAC_SHA1_96(17),
136 ETYPE_AES256_CTS_HMAC_SHA1_96(18),
137 ETYPE_ARCFOUR_HMAC_MD5(23),
138 ETYPE_ARCFOUR_HMAC_MD5_56(24),
139 ETYPE_ENCTYPE_PK_CROSS(48),
140 -- some "old" windows types
141 ETYPE_ARCFOUR_MD4(-128),
142 ETYPE_ARCFOUR_HMAC_OLD(-133),
143 ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
144 -- these are for Heimdal internal use
145 ETYPE_DES_CBC_NONE(-0x1000),
146 ETYPE_DES3_CBC_NONE(-0x1001),
147 ETYPE_DES_CFB64_NONE(-0x1002),
148 ETYPE_DES_PCBC_NONE(-0x1003),
149 ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
150 ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
151 }
156 -- this is sugar to make something ASN1 does not have: unsigned
158 krb5uint32 ::= INTEGER (0..4294967295)
159 krb5int32 ::= INTEGER (-2147483648..2147483647)
161 KerberosString ::= GeneralString
163 Realm ::= GeneralString
164 PrincipalName ::= SEQUENCE {
165 name-type[0] NAME-TYPE,
166 name-string[1] SEQUENCE OF GeneralString
167 }
169 -- this is not part of RFC1510
170 Principal ::= SEQUENCE {
171 name[0] PrincipalName,
172 realm[1] Realm
173 }
175 HostAddress ::= SEQUENCE {
176 addr-type[0] krb5int32,
177 address[1] OCTET STRING
178 }
180 -- This is from RFC1510.
181 --
182 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
183 -- addr-type[0] krb5int32,
184 -- address[1] OCTET STRING
185 -- }
187 -- This seems much better.
188 HostAddresses ::= SEQUENCE OF HostAddress
191 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
193 AuthorizationDataElement ::= SEQUENCE {
194 ad-type[0] krb5int32,
195 ad-data[1] OCTET STRING
196 }
198 AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
200 APOptions ::= BIT STRING {
201 reserved(0),
202 use-session-key(1),
203 mutual-required(2)
204 }
206 TicketFlags ::= BIT STRING {
207 reserved(0),
208 forwardable(1),
209 forwarded(2),
210 proxiable(3),
211 proxy(4),
212 may-postdate(5),
213 postdated(6),
214 invalid(7),
215 renewable(8),
216 initial(9),
217 pre-authent(10),
218 hw-authent(11),
219 transited-policy-checked(12),
220 ok-as-delegate(13),
221 anonymous(14)
222 }
224 KDCOptions ::= BIT STRING {
225 reserved(0),
226 forwardable(1),
227 forwarded(2),
228 proxiable(3),
229 proxy(4),
230 allow-postdate(5),
231 postdated(6),
232 unused7(7),
233 renewable(8),
234 unused9(9),
235 unused10(10),
236 unused11(11),
237 request-anonymous(14),
238 canonicalize(15),
239 constrained-delegation(16), -- ms extension
240 disable-transited-check(26),
241 renewable-ok(27),
242 enc-tkt-in-skey(28),
243 renew(30),
244 validate(31)
245 }
247 LR-TYPE ::= INTEGER {
248 LR_NONE(0), -- no information
249 LR_INITIAL_TGT(1), -- last initial TGT request
250 LR_INITIAL(2), -- last initial request
251 LR_ISSUE_USE_TGT(3), -- time of newest TGT used
252 LR_RENEWAL(4), -- time of last renewal
253 LR_REQUEST(5), -- time of last request (of any type)
254 LR_PW_EXPTIME(6), -- expiration time of password
255 LR_ACCT_EXPTIME(7) -- expiration time of account
256 }
258 LastReq ::= SEQUENCE OF SEQUENCE {
259 lr-type[0] LR-TYPE,
260 lr-value[1] KerberosTime
261 }
264 EncryptedData ::= SEQUENCE {
265 etype[0] ENCTYPE, -- EncryptionType
266 kvno[1] krb5int32 OPTIONAL,
267 cipher[2] OCTET STRING -- ciphertext
268 }
270 EncryptionKey ::= SEQUENCE {
271 keytype[0] krb5int32,
272 keyvalue[1] OCTET STRING
273 }
275 -- encoded Transited field
276 TransitedEncoding ::= SEQUENCE {
277 tr-type[0] krb5int32, -- must be registered
278 contents[1] OCTET STRING
279 }
281 Ticket ::= [APPLICATION 1] SEQUENCE {
282 tkt-vno[0] krb5int32,
283 realm[1] Realm,
284 sname[2] PrincipalName,
285 enc-part[3] EncryptedData
286 }
287 -- Encrypted part of ticket
288 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
289 flags[0] TicketFlags,
290 key[1] EncryptionKey,
291 crealm[2] Realm,
292 cname[3] PrincipalName,
293 transited[4] TransitedEncoding,
294 authtime[5] KerberosTime,
295 starttime[6] KerberosTime OPTIONAL,
296 endtime[7] KerberosTime,
297 renew-till[8] KerberosTime OPTIONAL,
298 caddr[9] HostAddresses OPTIONAL,
299 authorization-data[10] AuthorizationData OPTIONAL
300 }
302 Checksum ::= SEQUENCE {
303 cksumtype[0] CKSUMTYPE,
304 checksum[1] OCTET STRING
305 }
307 Authenticator ::= [APPLICATION 2] SEQUENCE {
308 authenticator-vno[0] krb5int32,
309 crealm[1] Realm,
310 cname[2] PrincipalName,
311 cksum[3] Checksum OPTIONAL,
312 cusec[4] krb5int32,
313 ctime[5] KerberosTime,
314 subkey[6] EncryptionKey OPTIONAL,
315 seq-number[7] krb5uint32 OPTIONAL,
316 authorization-data[8] AuthorizationData OPTIONAL
317 }
319 PA-DATA ::= SEQUENCE {
320 -- might be encoded AP-REQ
321 padata-type[1] PADATA-TYPE,
322 padata-value[2] OCTET STRING
323 }
325 ETYPE-INFO-ENTRY ::= SEQUENCE {
326 etype[0] ENCTYPE,
327 salt[1] OCTET STRING OPTIONAL,
328 salttype[2] krb5int32 OPTIONAL
329 }
331 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
333 ETYPE-INFO2-ENTRY ::= SEQUENCE {
334 etype[0] ENCTYPE,
335 salt[1] KerberosString OPTIONAL,
336 s2kparams[2] OCTET STRING OPTIONAL
337 }
339 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
341 METHOD-DATA ::= SEQUENCE OF PA-DATA
343 TypedData ::= SEQUENCE {
344 data-type[0] krb5int32,
345 data-value[1] OCTET STRING OPTIONAL
346 }
348 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
350 KDC-REQ-BODY ::= SEQUENCE {
351 kdc-options[0] KDCOptions,
352 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
353 realm[2] Realm, -- Server's realm
354 -- Also client's in AS-REQ
355 sname[3] PrincipalName OPTIONAL,
356 from[4] KerberosTime OPTIONAL,
357 till[5] KerberosTime OPTIONAL,
358 rtime[6] KerberosTime OPTIONAL,
359 nonce[7] krb5int32,
360 etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
361 -- in preference order
362 addresses[9] HostAddresses OPTIONAL,
363 enc-authorization-data[10] EncryptedData OPTIONAL,
364 -- Encrypted AuthorizationData encoding
365 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
366 }
368 KDC-REQ ::= SEQUENCE {
369 pvno[1] krb5int32,
370 msg-type[2] MESSAGE-TYPE,
371 padata[3] METHOD-DATA OPTIONAL,
372 req-body[4] KDC-REQ-BODY
373 }
375 AS-REQ ::= [APPLICATION 10] KDC-REQ
376 TGS-REQ ::= [APPLICATION 12] KDC-REQ
378 -- padata-type ::= PA-ENC-TIMESTAMP
379 -- padata-value ::= EncryptedData - PA-ENC-TS-ENC
381 PA-ENC-TS-ENC ::= SEQUENCE {
382 patimestamp[0] KerberosTime, -- client's time
383 pausec[1] krb5int32 OPTIONAL
384 }
386 -- draft-brezak-win2k-krb-authz-01
387 PA-PAC-REQUEST ::= SEQUENCE {
388 include-pac[0] BOOLEAN -- Indicates whether a PAC
389 -- should be included or not
390 }
392 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
393 PROV-SRV-LOCATION ::= GeneralString
395 KDC-REP ::= SEQUENCE {
396 pvno[0] krb5int32,
397 msg-type[1] MESSAGE-TYPE,
398 padata[2] METHOD-DATA OPTIONAL,
399 crealm[3] Realm,
400 cname[4] PrincipalName,
401 ticket[5] Ticket,
402 enc-part[6] EncryptedData
403 }
405 AS-REP ::= [APPLICATION 11] KDC-REP
406 TGS-REP ::= [APPLICATION 13] KDC-REP
408 EncKDCRepPart ::= SEQUENCE {
409 key[0] EncryptionKey,
410 last-req[1] LastReq,
411 nonce[2] krb5int32,
412 key-expiration[3] KerberosTime OPTIONAL,
413 flags[4] TicketFlags,
414 authtime[5] KerberosTime,
415 starttime[6] KerberosTime OPTIONAL,
416 endtime[7] KerberosTime,
417 renew-till[8] KerberosTime OPTIONAL,
418 srealm[9] Realm,
419 sname[10] PrincipalName,
420 caddr[11] HostAddresses OPTIONAL,
421 encrypted-pa-data[12] METHOD-DATA OPTIONAL
422 }
424 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
425 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
427 AP-REQ ::= [APPLICATION 14] SEQUENCE {
428 pvno[0] krb5int32,
429 msg-type[1] MESSAGE-TYPE,
430 ap-options[2] APOptions,
431 ticket[3] Ticket,
432 authenticator[4] EncryptedData
433 }
435 AP-REP ::= [APPLICATION 15] SEQUENCE {
436 pvno[0] krb5int32,
437 msg-type[1] MESSAGE-TYPE,
438 enc-part[2] EncryptedData
439 }
441 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
442 ctime[0] KerberosTime,
443 cusec[1] krb5int32,
444 subkey[2] EncryptionKey OPTIONAL,
445 seq-number[3] krb5uint32 OPTIONAL
446 }
448 KRB-SAFE-BODY ::= SEQUENCE {
449 user-data[0] OCTET STRING,
450 timestamp[1] KerberosTime OPTIONAL,
451 usec[2] krb5int32 OPTIONAL,
452 seq-number[3] krb5uint32 OPTIONAL,
453 s-address[4] HostAddress OPTIONAL,
454 r-address[5] HostAddress OPTIONAL
455 }
457 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
458 pvno[0] krb5int32,
459 msg-type[1] MESSAGE-TYPE,
460 safe-body[2] KRB-SAFE-BODY,
461 cksum[3] Checksum
462 }
464 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
465 pvno[0] krb5int32,
466 msg-type[1] MESSAGE-TYPE,
467 enc-part[3] EncryptedData
468 }
469 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
470 user-data[0] OCTET STRING,
471 timestamp[1] KerberosTime OPTIONAL,
472 usec[2] krb5int32 OPTIONAL,
473 seq-number[3] krb5uint32 OPTIONAL,
474 s-address[4] HostAddress OPTIONAL, -- sender's addr
475 r-address[5] HostAddress OPTIONAL -- recip's addr
476 }
478 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
479 pvno[0] krb5int32,
480 msg-type[1] MESSAGE-TYPE, -- KRB_CRED
481 tickets[2] SEQUENCE OF Ticket,
482 enc-part[3] EncryptedData
483 }
485 KrbCredInfo ::= SEQUENCE {
486 key[0] EncryptionKey,
487 prealm[1] Realm OPTIONAL,
488 pname[2] PrincipalName OPTIONAL,
489 flags[3] TicketFlags OPTIONAL,
490 authtime[4] KerberosTime OPTIONAL,
491 starttime[5] KerberosTime OPTIONAL,
492 endtime[6] KerberosTime OPTIONAL,
493 renew-till[7] KerberosTime OPTIONAL,
494 srealm[8] Realm OPTIONAL,
495 sname[9] PrincipalName OPTIONAL,
496 caddr[10] HostAddresses OPTIONAL
497 }
499 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
500 ticket-info[0] SEQUENCE OF KrbCredInfo,
501 nonce[1] krb5int32 OPTIONAL,
502 timestamp[2] KerberosTime OPTIONAL,
503 usec[3] krb5int32 OPTIONAL,
504 s-address[4] HostAddress OPTIONAL,
505 r-address[5] HostAddress OPTIONAL
506 }
508 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
509 pvno[0] krb5int32,
510 msg-type[1] MESSAGE-TYPE,
511 ctime[2] KerberosTime OPTIONAL,
512 cusec[3] krb5int32 OPTIONAL,
513 stime[4] KerberosTime,
514 susec[5] krb5int32,
515 error-code[6] krb5int32,
516 crealm[7] Realm OPTIONAL,
517 cname[8] PrincipalName OPTIONAL,
518 realm[9] Realm, -- Correct realm
519 sname[10] PrincipalName, -- Correct name
520 e-text[11] GeneralString OPTIONAL,
521 e-data[12] OCTET STRING OPTIONAL
522 }
524 ChangePasswdDataMS ::= SEQUENCE {
525 newpasswd[0] OCTET STRING,
526 targname[1] PrincipalName OPTIONAL,
527 targrealm[2] Realm OPTIONAL
528 }
530 EtypeList ::= SEQUENCE OF krb5int32
531 -- the client's proposed enctype list in
532 -- decreasing preference order, favorite choice first
534 krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
536 -- transited encodings
538 DOMAIN-X500-COMPRESS krb5int32 ::= 1
540 -- authorization data primitives
542 AD-IF-RELEVANT ::= AuthorizationData
544 AD-KDCIssued ::= SEQUENCE {
545 ad-checksum[0] Checksum,
546 i-realm[1] Realm OPTIONAL,
547 i-sname[2] PrincipalName OPTIONAL,
548 elements[3] AuthorizationData
549 }
551 AD-AND-OR ::= SEQUENCE {
552 condition-count[0] INTEGER,
553 elements[1] AuthorizationData
554 }
556 AD-MANDATORY-FOR-KDC ::= AuthorizationData
558 -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
560 PA-SAM-TYPE ::= INTEGER {
561 PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
562 PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
563 PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
564 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
565 PA_SAM_TYPE_SECURID(5), -- Security Dynamics
566 PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
567 }
569 PA-SAM-REDIRECT ::= HostAddresses
571 SAMFlags ::= BIT STRING {
572 use-sad-as-key(0),
573 send-encrypted-sad(1),
574 must-pk-encrypt-sad(2)
575 }
577 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
578 sam-type[0] krb5int32,
579 sam-flags[1] SAMFlags,
580 sam-type-name[2] GeneralString OPTIONAL,
581 sam-track-id[3] GeneralString OPTIONAL,
582 sam-challenge-label[4] GeneralString OPTIONAL,
583 sam-challenge[5] GeneralString OPTIONAL,
584 sam-response-prompt[6] GeneralString OPTIONAL,
585 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
586 sam-nonce[8] krb5int32,
587 sam-etype[9] krb5int32,
588 ...
589 }
591 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
592 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
593 sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
594 ...
595 }
597 PA-SAM-RESPONSE-2 ::= SEQUENCE {
598 sam-type[0] krb5int32,
599 sam-flags[1] SAMFlags,
600 sam-track-id[2] GeneralString OPTIONAL,
601 sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
602 sam-nonce[4] krb5int32,
603 ...
604 }
606 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
607 sam-nonce[0] krb5int32,
608 sam-sad[1] GeneralString OPTIONAL,
609 ...
610 }
612 PA-S4U2Self ::= SEQUENCE {
613 name[0] PrincipalName,
614 realm[1] Realm,
615 cksum[2] Checksum,
616 auth[3] GeneralString
617 }
619 KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
621 -- never encoded on the wire, just used to checksum over
622 KRB5SignedPathData ::= SEQUENCE {
623 encticket[0] EncTicketPart,
624 delegated[1] KRB5SignedPathPrincipals OPTIONAL
625 }
627 KRB5SignedPath ::= SEQUENCE {
628 -- DERcoded KRB5SignedPathData
629 -- krbtgt key (etype), KeyUsage = XXX
630 etype[0] ENCTYPE,
631 cksum[1] Checksum,
632 -- srvs delegated though
633 delegated[2] KRB5SignedPathPrincipals OPTIONAL
634 }
636 PA-ClientCanonicalizedNames ::= SEQUENCE{
637 requested-name [0] PrincipalName,
638 real-name [1] PrincipalName
639 }
641 PA-ClientCanonicalized ::= SEQUENCE {
642 names [0] PA-ClientCanonicalizedNames,
643 canon-checksum [1] Checksum
644 }
646 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
647 login-alias [0] PrincipalName,
648 checksum [1] Checksum
649 }
651 -- old ms referral
652 PA-SvrReferralData ::= SEQUENCE {
653 referred-name [1] PrincipalName OPTIONAL,
654 referred-realm [0] Realm
655 }
657 END
659 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1