| blob | f53f855238299659065ccdef7dcce62aeb803e9f |
1 --http://www.ietf.org/rfc/rfc4120.txt?number=4120
2 KerberosV5Spec2 {
3 iso(1) identified-organization(3) dod(6) internet(1)
4 security(5) kerberosV5(2) modules(4) krb5spec2(2)
5 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
7 -- OID arc for KerberosV5
8 --
9 -- This OID may be used to identify Kerberos protocol messages
10 -- encapsulated in other protocols.
11 --
12 -- This OID also designates the OID arc for KerberosV5-related OIDs.
13 --
14 -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
15 -- WS construct
16 Applications ::= CHOICE {
17 ticket Ticket, -- 1 --
18 authenticator Authenticator, -- 2 --
19 encTicketPart EncTicketPart, -- 3 --
20 as-req AS-REQ, -- 10 --
21 as-rep AS-REP, -- 11 --
22 tgs-req TGS-REQ, -- 12 --
23 tgs-rep TGS-REP, -- 13 --
24 ap-req AP-REQ, -- 14 --
25 ap-rep AP-REP, -- 15 --
26 krb-safe KRB-SAFE, -- 20 --
27 krb-priv KRB-PRIV, -- 21 --
28 krb-cred KRB-CRED, -- 22 --
29 encASRepPart EncASRepPart, -- 25 --
30 encTGSRepPart EncTGSRepPart, -- 26 --
31 encAPRepPart EncAPRepPart, -- 27 --
32 encKrbPrivPart ENC-KRB-PRIV-PART, -- 28 --
33 encKrbCredPart EncKrbCredPart, -- 29 --
34 krb-error KRB-ERROR -- 30 --
35 }
36 -- end WS construct
37 id-krb5 OBJECT IDENTIFIER ::= {
38 iso(1) identified-organization(3) dod(6) internet(1)
39 security(5) kerberosV5(2)
40 }
42 Int32 ::= INTEGER (-2147483648..2147483647)
43 -- signed values representable in 32 bits
45 UInt32 ::= INTEGER (0..4294967295)
46 -- unsigned 32 bit values
48 Microseconds ::= INTEGER (0..999999)
49 -- microseconds
51 KerberosString ::= GeneralString (IA5String)
52 CNameString ::= GeneralString (IA5String)
53 SNameString ::= GeneralString (IA5String)
55 Realm ::= KerberosString
57 PrincipalName ::= SEQUENCE {
58 -- name-type [0] Int32, Use the translationj from krb5.asn (Heimdahl)
59 name-type [0] NAME-TYPE,
60 name-string [1] SEQUENCE OF KerberosString
61 }
63 CName ::= SEQUENCE {
64 name-type [0] NAME-TYPE,
65 cname-string [1] SEQUENCE OF CNameString
66 }
68 SName ::= SEQUENCE {
69 name-type [0] NAME-TYPE,
70 sname-string [1] SEQUENCE OF SNameString
71 }
73 KerberosTime ::= GeneralizedTime -- with no fractional seconds
75 HostAddress ::= SEQUENCE {
76 -- addr-type [0] Int32,
77 addr-type [0] ADDR-TYPE, --use k5.asn
78 address [1] OCTET STRING
79 }
81 -- NOTE: HostAddresses is always used as an OPTIONAL field and
82 -- should not be empty.
83 HostAddresses -- NOTE: subtly different from rfc1510,
84 -- but has a value mapping and encodes the same
85 ::= SEQUENCE OF HostAddress
87 -- NOTE: AuthorizationData is always used as an OPTIONAL field and
88 -- should not be empty.
89 AuthorizationData ::= SEQUENCE OF SEQUENCE {
90 ad-type [0] AUTHDATA-TYPE,
91 ad-data [1] OCTET STRING
92 }
94 PA-DATA ::= SEQUENCE {
95 -- NOTE: first tag is [1], not [0]
96 -- padata-type [1] Int32, use k5.asn
97 padata-type [1] PADATA-TYPE,
98 padata-value [2] OCTET STRING -- might be encoded AP-REQ
99 }
101 KerberosFlags ::= BIT STRING (SIZE (32..MAX))
102 -- minimum number of bits shall be sent,
103 -- but no fewer than 32
105 EncryptedData ::= SEQUENCE {
106 -- etype [0] Int32 - - EncryptionType - -, Use k5.asn
107 etype [0] ENCTYPE -- EncryptionType --,
108 kvno [1] UInt32 OPTIONAL,
109 cipher [2] OCTET STRING -- ciphertext
110 }
112 EncryptionKey ::= SEQUENCE {
113 keytype [0] Int32 -- actually encryption type --,
114 keyvalue [1] OCTET STRING
115 }
117 Checksum ::= SEQUENCE {
118 -- cksumtype [0] Int32, Use k5.asn
119 cksumtype [0] CKSUMTYPE,
120 checksum [1] OCTET STRING
121 }
123 EncryptedTicketData ::= SEQUENCE {
124 etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
125 kvno [1] UInt32 OPTIONAL,
126 cipher [2] OCTET STRING -- ciphertext
127 }
129 EncryptedAuthorizationData ::= SEQUENCE {
130 etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
131 kvno [1] UInt32 OPTIONAL,
132 cipher [2] OCTET STRING -- ciphertext
133 }
135 EncryptedAuthenticator ::= SEQUENCE {
136 etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
137 kvno [1] UInt32 OPTIONAL,
138 cipher [2] OCTET STRING -- ciphertext
139 }
141 EncryptedKDCREPData ::= SEQUENCE {
142 etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
143 kvno [1] UInt32 OPTIONAL,
144 cipher [2] OCTET STRING -- ciphertext
145 }
147 EncryptedAPREPData ::= SEQUENCE {
148 etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
149 kvno [1] UInt32 OPTIONAL,
150 cipher [2] OCTET STRING -- ciphertext
151 }
153 EncryptedKrbPrivData ::= SEQUENCE {
154 etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
155 kvno [1] UInt32 OPTIONAL,
156 cipher [2] OCTET STRING -- ciphertext
157 }
159 EncryptedKrbCredData ::= SEQUENCE {
160 etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
161 kvno [1] UInt32 OPTIONAL,
162 cipher [2] OCTET STRING -- ciphertext
163 }
165 Ticket ::= [APPLICATION 1] SEQUENCE {
166 tkt-vno [0] INTEGER (5),
167 realm [1] Realm,
168 sname [2] SName,
169 enc-part [3] EncryptedTicketData
170 }
172 -- Encrypted part of ticket
173 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
174 flags [0] TicketFlags,
175 key [1] EncryptionKey,
176 crealm [2] Realm,
177 cname [3] CName,
178 transited [4] TransitedEncoding,
179 authtime [5] KerberosTime,
180 starttime [6] KerberosTime OPTIONAL,
181 endtime [7] KerberosTime,
182 renew-till [8] KerberosTime OPTIONAL,
183 caddr [9] HostAddresses OPTIONAL,
184 authorization-data [10] AuthorizationData OPTIONAL
185 }
187 -- encoded Transited field
188 TransitedEncoding ::= SEQUENCE {
189 tr-type [0] Int32 -- must be registered --,
190 contents [1] OCTET STRING
191 }
192 -- Use the k5.asn def
193 -- TicketFlags ::= KerberosFlags
194 -- reserved(0),
195 -- forwardable(1),
196 -- forwarded(2),
197 -- proxiable(3),
198 -- proxy(4),
199 -- may-postdate(5),
200 -- postdated(6),
201 -- invalid(7),
202 -- renewable(8),
203 -- initial(9),
204 -- pre-authent(10),
205 -- hw-authent(11),
206 -- the following are new since 1510
207 -- transited-policy-checked(12),
208 -- ok-as-delegate(13)
210 AS-REQ ::= [APPLICATION 10] KDC-REQ
212 TGS-REQ ::= [APPLICATION 12] KDC-REQ
214 KDC-REQ ::= SEQUENCE {
215 -- NOTE: first tag is [1], not [0]
216 pvno [1] INTEGER (5) ,
217 -- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
218 -- msg-type [2] INTEGER, use k5.asn
219 msg-type [2] MESSAGE-TYPE,
220 padata [3] SEQUENCE OF PA-DATA OPTIONAL
221 -- NOTE: not empty --,
222 req-body [4] KDC-REQ-BODY
223 }
225 KDC-REQ-BODY ::= SEQUENCE {
226 kdc-options [0] KDCOptions,
227 cname [1] CName OPTIONAL
228 -- Used only in AS-REQ --,
229 realm [2] Realm
230 -- Server's realm
231 -- Also client's in AS-REQ --,
232 sname [3] SName OPTIONAL,
233 from [4] KerberosTime OPTIONAL,
235 -- this field is not optional in the kerberos spec, however, in the packetcable spec it is optional
236 -- make it optional here since normal kerberos will still decode the pdu correctly.
237 till [5] KerberosTime OPTIONAL,
239 rtime [6] KerberosTime OPTIONAL,
240 nonce [7] UInt32,
241 -- etype [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn
242 etype [8] SEQUENCE OF ENCTYPE -- EncryptionType
243 -- in preference order --,
244 addresses [9] HostAddresses OPTIONAL,
245 enc-authorization-data [10] EncryptedAuthorizationData OPTIONAL
246 -- AuthorizationData --,
247 additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
248 -- NOTE: not empty
249 }
251 -- Use th k5.asn def
252 --KDCOptions ::= KerberosFlags
253 -- reserved(0),
254 -- forwardable(1),
255 -- forwarded(2),
256 -- proxiable(3),
257 -- proxy(4),
258 -- allow-postdate(5),
259 -- postdated(6),
260 -- unused7(7),
261 -- renewable(8),
262 -- unused9(9),
263 -- unused10(10),
264 -- opt-hardware-auth(11),
265 -- unused12(12),
266 -- unused13(13),
267 -- 15 is reserved for canonicalize
268 -- unused15(15),
269 -- 26 was unused in 1510
270 -- disable-transited-check(26),
271 --
272 -- renewable-ok(27),
273 -- enc-tkt-in-skey(28),
274 -- renew(30),
275 -- validate(31)
277 AS-REP ::= [APPLICATION 11] KDC-REP
279 TGS-REP ::= [APPLICATION 13] KDC-REP
282 KDC-REP ::= SEQUENCE {
283 pvno [0] INTEGER (5),
284 -- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
285 -- msg-type [1] INTEGER, use k5.asn
286 msg-type [1] MESSAGE-TYPE,
287 padata [2] SEQUENCE OF PA-DATA OPTIONAL
288 -- NOTE: not empty --,
289 crealm [3] Realm,
290 cname [4] CName,
291 ticket [5] Ticket,
292 enc-part [6] EncryptedKDCREPData
293 -- EncASRepPart or EncTGSRepPart,
294 -- as appropriate
295 }
297 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
299 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
301 EncKDCRepPart ::= SEQUENCE {
302 key [0] EncryptionKey,
303 last-req [1] LastReq,
304 nonce [2] UInt32,
305 key-expiration [3] KerberosTime OPTIONAL,
306 flags [4] TicketFlags,
307 authtime [5] KerberosTime,
308 starttime [6] KerberosTime OPTIONAL,
309 endtime [7] KerberosTime,
310 renew-till [8] KerberosTime OPTIONAL,
311 srealm [9] Realm,
312 sname [10] SName,
313 caddr [11] HostAddresses OPTIONAL,
314 encrypted-pa-data[12] METHOD-DATA OPTIONAL -- from k5.asn
315 }
317 LastReq ::= SEQUENCE OF SEQUENCE {
318 -- lr-type [0] Int32, Use k5.asn
319 lr-type [0] LR-TYPE,
320 lr-value [1] KerberosTime
321 }
323 AP-REQ ::= [APPLICATION 14] SEQUENCE {
324 pvno [0] INTEGER (5),
325 -- msg-type [1] INTEGER (14), use k5.asn
326 msg-type [1] MESSAGE-TYPE,
327 ap-options [2] APOptions,
328 ticket [3] Ticket,
329 authenticator [4] EncryptedAuthenticator -- Authenticator
330 }
331 -- Use the krb5.asn def.
332 --APOptions ::= KerberosFlags
333 -- reserved(0),
334 -- use-session-key(1),
335 -- mutual-required(2)
337 -- Unencrypted authenticator
338 Authenticator ::= [APPLICATION 2] SEQUENCE {
339 authenticator-vno [0] INTEGER (5),
340 crealm [1] Realm,
341 cname [2] CName,
342 cksum [3] Checksum OPTIONAL,
343 cusec [4] Microseconds,
344 ctime [5] KerberosTime,
345 subkey [6] EncryptionKey OPTIONAL,
346 seq-number [7] UInt32 OPTIONAL,
347 authorization-data [8] AuthorizationData OPTIONAL
348 }
350 AP-REP ::= [APPLICATION 15] SEQUENCE {
351 pvno [0] INTEGER (5),
352 -- msg-type [1] INTEGER (15), Use k5.asn
353 msg-type [1] MESSAGE-TYPE,
354 enc-part [2] EncryptedAPREPData -- EncAPRepPart
355 }
357 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
358 ctime [0] KerberosTime,
359 cusec [1] Microseconds,
360 subkey [2] EncryptionKey OPTIONAL,
361 seq-number [3] UInt32 OPTIONAL
362 }
364 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
365 pvno [0] INTEGER (5),
366 -- msg-type [1] INTEGER (20), use k5.asn
367 msg-type [1] MESSAGE-TYPE,
368 safe-body [2] KRB-SAFE-BODY,
369 cksum [3] Checksum
370 }
372 KRB-SAFE-BODY ::= SEQUENCE {
373 user-data [0] OCTET STRING,
374 timestamp [1] KerberosTime OPTIONAL,
375 usec [2] Microseconds OPTIONAL,
376 seq-number [3] UInt32 OPTIONAL,
377 s-address [4] HostAddress OPTIONAL, -- XXX this one is OPTIONAL in packetcable? but mandatory in kerberos
378 r-address [5] HostAddress OPTIONAL
379 }
381 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
382 pvno [0] INTEGER (5),
383 -- msg-type [1] INTEGER (21), Use k5.asn
384 msg-type [1] MESSAGE-TYPE,
385 -- NOTE: there is no [2] tag
386 enc-part [3] EncryptedKrbPrivData -- EncKrbPrivPart
387 }
389 ENC-KRB-PRIV-PART ::= [APPLICATION 28] EncKrbPrivPart
391 EncKrbPrivPart ::= SEQUENCE {
392 user-data [0] OCTET STRING,
393 timestamp [1] KerberosTime OPTIONAL,
394 usec [2] Microseconds OPTIONAL,
395 seq-number [3] UInt32 OPTIONAL,
396 s-address [4] HostAddress -- sender's addr --,
397 r-address [5] HostAddress OPTIONAL -- recip's addr
398 }
400 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
401 pvno [0] INTEGER (5),
402 -- msg-type [1] INTEGER (22), use k5.asn
403 msg-type [1] MESSAGE-TYPE,
404 tickets [2] SEQUENCE OF Ticket,
405 enc-part [3] EncryptedKrbCredData -- EncKrbCredPart
406 }
408 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
409 ticket-info [0] SEQUENCE OF KrbCredInfo,
410 nonce [1] UInt32 OPTIONAL,
411 timestamp [2] KerberosTime OPTIONAL,
412 usec [3] Microseconds OPTIONAL,
413 s-address [4] HostAddress OPTIONAL,
414 r-address [5] HostAddress OPTIONAL
415 }
417 KrbCredInfo ::= SEQUENCE {
418 key [0] EncryptionKey,
419 prealm [1] Realm OPTIONAL,
420 pname [2] PrincipalName OPTIONAL,
421 flags [3] TicketFlags OPTIONAL,
422 authtime [4] KerberosTime OPTIONAL,
423 starttime [5] KerberosTime OPTIONAL,
424 endtime [6] KerberosTime OPTIONAL,
425 renew-till [7] KerberosTime OPTIONAL,
426 srealm [8] Realm OPTIONAL,
427 sname [9] SName OPTIONAL,
428 caddr [10] HostAddresses OPTIONAL
429 }
431 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
432 pvno [0] INTEGER (5),
433 -- msg-type [1] INTEGER (30), use k5.asn
434 msg-type [1] MESSAGE-TYPE,
435 ctime [2] KerberosTime OPTIONAL,
436 cusec [3] Microseconds OPTIONAL,
437 stime [4] KerberosTime,
438 susec [5] Microseconds,
439 -- error-code [6] Int32,
440 error-code [6] ERROR-CODE, -- Use k5.asn
441 crealm [7] Realm OPTIONAL,
442 cname [8] CName OPTIONAL,
443 realm [9] Realm -- service realm --,
444 sname [10] SName -- service name --,
445 e-text [11] KerberosString OPTIONAL,
446 e-data [12] OCTET STRING OPTIONAL,
447 e-checksum [13] Checksum OPTIONAL -- used by PacketCable
448 }
450 METHOD-DATA ::= SEQUENCE OF PA-DATA
452 TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
453 data-type [0] Int32,
454 data-value [1] OCTET STRING OPTIONAL
455 }
457 -- preauth stuff follows
459 PA-ENC-TIMESTAMP ::= SEQUENCE {
460 etype [0] ENCTYPE -- EncryptionType --,
461 kvno [1] UInt32 OPTIONAL,
462 cipher [2] OCTET STRING -- ciphertext
463 }
465 PA-ENC-TS-ENC ::= SEQUENCE {
466 patimestamp [0] KerberosTime -- client's time --,
467 pausec [1] Microseconds OPTIONAL
468 }
470 ETYPE-INFO-ENTRY ::= SEQUENCE {
471 -- etype [0] Int32, use k5.asn
472 etype [0] ENCTYPE,
473 salt [1] OCTET STRING OPTIONAL
474 }
476 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
478 ETYPE-INFO2-ENTRY ::= SEQUENCE {
479 -- etype [0] Int32, use k5.asn
480 etype [0] ENCTYPE,
481 salt [1] KerberosString OPTIONAL,
482 s2kparams [2] OCTET STRING OPTIONAL
483 }
485 ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
487 AD-IF-RELEVANT ::= AuthorizationData
489 AD-KDCIssued ::= SEQUENCE {
490 ad-checksum [0] Checksum,
491 i-realm [1] Realm OPTIONAL,
492 i-sname [2] SName OPTIONAL,
493 elements [3] AuthorizationData
494 }
496 AD-AND-OR ::= SEQUENCE {
497 condition-count [0] Int32,
498 elements [1] AuthorizationData
499 }
501 AD-MANDATORY-FOR-KDC ::= AuthorizationData
503 TGT-REQ ::= SEQUENCE {
504 pvno [0] INTEGER (5),
505 msg-type [1] MESSAGE-TYPE (16),
506 server-name [2] PrincipalName OPTIONAL,
507 realm [3] Realm OPTIONAL
508 }
510 TGT-REP ::= SEQUENCE {
511 pvno [0] INTEGER (5),
512 msg-type [1] MESSAGE-TYPE (17),
513 ticket [2] Ticket
514 }
516 END