--http://www.ietf.org/rfc/rfc4120.txt?number=4120
KerberosV5Spec2 {
    iso(1) identified-organization(3) dod(6) internet(1)
    security(5) kerberosV5(2) modules(4) krb5spec2(2)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN

-- NOTE (review): the module is declared with EXPLICIT TAGS, so every
-- context tag ([0], [1], ...) wraps the underlying type in its own TLV.
-- A decoder that assumes IMPLICIT tagging will mis-parse every message
-- in this module.
--
-- NOTE (review): there is no IMPORTS clause, yet NAME-TYPE, ADDR-TYPE,
-- AUTHDATA-TYPE, PADATA-TYPE, ENCTYPE, CKSUMTYPE, MESSAGE-TYPE, LR-TYPE,
-- ERROR-CODE, TicketFlags, KDCOptions and APOptions are referenced below
-- without being defined here.  The inline "use k5.asn" comments indicate
-- they come from a sibling module (k5.asn / krb5.asn) that has to be
-- compiled together with this one; this module is not self-contained.

-- OID arc for KerberosV5
--
-- This OID may be used to identify Kerberos protocol messages
-- encapsulated in other protocols.
--
-- This OID also designates the OID arc for KerberosV5-related OIDs.
--
-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.

-- WS construct
-- Not part of RFC 4120: presumably a Wireshark ("WS") dissector helper that
-- enumerates every top-level message as a single CHOICE.  The number in
-- each trailing comment is the [APPLICATION n] tag of that type as defined
-- further down in this module.
Applications ::= CHOICE {
    ticket          Ticket,             -- 1 --
    authenticator   Authenticator,      -- 2 --
    encTicketPart   EncTicketPart,      -- 3 --
    as-req          AS-REQ,             -- 10 --
    as-rep          AS-REP,             -- 11 --
    tgs-req         TGS-REQ,            -- 12 --
    tgs-rep         TGS-REP,            -- 13 --
    ap-req          AP-REQ,             -- 14 --
    ap-rep          AP-REP,             -- 15 --
    krb-safe        KRB-SAFE,           -- 20 --
    krb-priv        KRB-PRIV,           -- 21 --
    krb-cred        KRB-CRED,           -- 22 --
    encASRepPart    EncASRepPart,       -- 25 --
    encTGSRepPart   EncTGSRepPart,      -- 26 --
    encAPRepPart    EncAPRepPart,       -- 27 --
    encKrbPrivPart  ENC-KRB-PRIV-PART,  -- 28 --
    encKrbCredPart  EncKrbCredPart,     -- 29 --
    krb-error       KRB-ERROR           -- 30 --
}
-- end WS construct
id-krb5 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) dod(6) internet(1)
    security(5) kerberosV5(2)
}

Int32 ::= INTEGER (-2147483648..2147483647)
    -- signed values representable in 32 bits

UInt32 ::= INTEGER (0..4294967295)
    -- unsigned 32 bit values

Microseconds ::= INTEGER (0..999999)
    -- microseconds

-- NOTE (review): the three integer types above are constrained.  A decoder
-- that enforces the constraints rejects out-of-range values (for example a
-- negative kvno or nonce, or cusec > 999999) instead of silently wrapping
-- or truncating them.

KerberosString ::= GeneralString (IA5String)
CNameString ::= GeneralString (IA5String)
SNameString ::= GeneralString (IA5String)
-- All three string types are identical on the wire (GeneralString limited
-- to IA5 content); the separate names presumably let the dissector present
-- client and server name components as distinct fields.

Realm ::= KerberosString

PrincipalName ::= SEQUENCE {
-- name-type [0] Int32, Use the translation from krb5.asn (Heimdal)
    name-type   [0] NAME-TYPE,
    name-string [1] SEQUENCE OF KerberosString
}

-- CName and SName mirror PrincipalName (same tags, same encoding) but use
-- the CNameString / SNameString aliases so that client and server
-- principals decode into separate fields.
CName ::= SEQUENCE {
    name-type    [0] NAME-TYPE,
    cname-string [1] SEQUENCE OF CNameString
}

SName ::= SEQUENCE {
    name-type    [0] NAME-TYPE,
    sname-string [1] SEQUENCE OF SNameString
}

KerberosTime ::= GeneralizedTime -- with no fractional seconds

HostAddress ::= SEQUENCE {
-- addr-type [0] Int32,
    addr-type [0] ADDR-TYPE, --use k5.asn
    address   [1] OCTET STRING
}

-- NOTE: HostAddresses is always used as an OPTIONAL field and
-- should not be empty.
HostAddresses -- NOTE: subtly different from rfc1510,
              -- but has a value mapping and encodes the same
    ::= SEQUENCE OF HostAddress

-- NOTE: AuthorizationData is always used as an OPTIONAL field and
-- should not be empty.
AuthorizationData ::= SEQUENCE OF SEQUENCE {
    ad-type [0] AUTHDATA-TYPE,
    ad-data [1] OCTET STRING
}

PA-DATA ::= SEQUENCE {
    -- NOTE: first tag is [1], not [0]
-- padata-type [1] Int32, use k5.asn
    padata-type  [1] PADATA-TYPE,
    padata-value [2] OCTET STRING -- might be encoded AP-REQ
}

KerberosFlags ::= BIT STRING (SIZE (32..MAX))
    -- minimum number of bits shall be sent,
    -- but no fewer than 32

EncryptedData ::= SEQUENCE {
-- etype [0] Int32 - - EncryptionType - -, Use k5.asn
    etype  [0] ENCTYPE -- EncryptionType --,
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING -- ciphertext
}

EncryptionKey ::= SEQUENCE {
    keytype  [0] Int32 -- actually encryption type --,
    keyvalue [1] OCTET STRING
}

Checksum ::= SEQUENCE {
-- cksumtype [0] Int32, Use k5.asn
    cksumtype [0] CKSUMTYPE,
    checksum  [1] OCTET STRING
}

-- The Encrypted*Data types below are wire-identical to EncryptedData.  The
-- distinct names appear to exist so the dissector knows which key and key
-- usage to try when decrypting each field (ticket, authorization data,
-- authenticator, KDC-REP, AP-REP, KRB-PRIV, KRB-CRED); RFC 4120 itself
-- uses plain EncryptedData everywhere.
EncryptedTicketData ::= SEQUENCE {
    etype  [0] ENCTYPE, -- EncryptionType - - Use k5.asn
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING -- ciphertext
}

EncryptedAuthorizationData ::= SEQUENCE {
    etype  [0] ENCTYPE, -- EncryptionType - - Use k5.asn
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING -- ciphertext
}

EncryptedAuthenticator ::= SEQUENCE {
    etype  [0] ENCTYPE, -- EncryptionType - - Use k5.asn
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING -- ciphertext
}

EncryptedKDCREPData ::= SEQUENCE {
    etype  [0] ENCTYPE, -- EncryptionType - - Use k5.asn
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING -- ciphertext
}

EncryptedAPREPData ::= SEQUENCE {
    etype  [0] ENCTYPE, -- EncryptionType - - Use k5.asn
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING -- ciphertext
}

EncryptedKrbPrivData ::= SEQUENCE {
    etype  [0] ENCTYPE, -- EncryptionType - - Use k5.asn
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING -- ciphertext
}

EncryptedKrbCredData ::= SEQUENCE {
    etype  [0] ENCTYPE, -- EncryptionType - - Use k5.asn
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING -- ciphertext
}

-- tkt-vno is pinned to 5: a ticket carrying any other version number is a
-- constraint violation, not merely a different protocol version.
Ticket ::= [APPLICATION 1] SEQUENCE {
    tkt-vno  [0] INTEGER (5),
    realm    [1] Realm,
    sname    [2] SName,
    enc-part [3] EncryptedTicketData
}

-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
    flags              [0] TicketFlags,
    key                [1] EncryptionKey,
    crealm             [2] Realm,
    cname              [3] CName,
    transited          [4] TransitedEncoding,
    authtime           [5] KerberosTime,
    starttime          [6] KerberosTime OPTIONAL,
    endtime            [7] KerberosTime,
    renew-till         [8] KerberosTime OPTIONAL,
    caddr              [9] HostAddresses OPTIONAL,
    authorization-data [10] AuthorizationData OPTIONAL
}

-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
    tr-type  [0] Int32 -- must be registered --,
    contents [1] OCTET STRING
}
-- Use the k5.asn def
-- TicketFlags ::= KerberosFlags
    -- reserved(0),
    -- forwardable(1),
    -- forwarded(2),
    -- proxiable(3),
    -- proxy(4),
    -- may-postdate(5),
    -- postdated(6),
    -- invalid(7),
    -- renewable(8),
    -- initial(9),
    -- pre-authent(10),
    -- hw-authent(11),
-- the following are new since 1510
    -- transited-policy-checked(12),
    -- ok-as-delegate(13)

AS-REQ ::= [APPLICATION 10] KDC-REQ

TGS-REQ ::= [APPLICATION 12] KDC-REQ

KDC-REQ ::= SEQUENCE {
    -- NOTE: first tag is [1], not [0]
    pvno     [1] INTEGER (5) ,
-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
-- msg-type [2] INTEGER, use k5.asn
    msg-type [2] MESSAGE-TYPE,
    padata   [3] SEQUENCE OF PA-DATA OPTIONAL
                 -- NOTE: not empty --,
    req-body [4] KDC-REQ-BODY
}

KDC-REQ-BODY ::= SEQUENCE {
    kdc-options  [0] KDCOptions,
    cname        [1] CName OPTIONAL
                     -- Used only in AS-REQ --,
    realm        [2] Realm
                     -- Server's realm
                     -- Also client's in AS-REQ --,
    sname        [3] SName OPTIONAL,
    from         [4] KerberosTime OPTIONAL,

-- this field is not optional in the kerberos spec, however, in the packetcable spec it is optional
-- make it optional here since normal kerberos will still decode the pdu correctly.
-- NOTE (review): because of this relaxation the grammar accepts a
-- KDC-REQ-BODY with no till; anything built on this module must handle the
-- field being absent even though RFC 4120 requires it.
    till         [5] KerberosTime OPTIONAL,

    rtime        [6] KerberosTime OPTIONAL,
    nonce        [7] UInt32,
-- etype [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn
    etype        [8] SEQUENCE OF ENCTYPE -- EncryptionType
                     -- in preference order --,
    addresses    [9] HostAddresses OPTIONAL,
    enc-authorization-data [10] EncryptedAuthorizationData OPTIONAL
                     -- AuthorizationData --,
    additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
                     -- NOTE: not empty
}

-- Use the k5.asn def
--KDCOptions ::= KerberosFlags
    -- reserved(0),
    -- forwardable(1),
    -- forwarded(2),
    -- proxiable(3),
    -- proxy(4),
    -- allow-postdate(5),
    -- postdated(6),
    -- unused7(7),
    -- renewable(8),
    -- unused9(9),
    -- unused10(10),
    -- opt-hardware-auth(11),
    -- unused12(12),
    -- unused13(13),
-- 15 is reserved for canonicalize
    -- unused15(15),
-- 26 was unused in 1510
    -- disable-transited-check(26),
--
    -- renewable-ok(27),
    -- enc-tkt-in-skey(28),
    -- renew(30),
    -- validate(31)

AS-REP ::= [APPLICATION 11] KDC-REP

TGS-REP ::= [APPLICATION 13] KDC-REP

KDC-REP ::= SEQUENCE {
    pvno     [0] INTEGER (5),
-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
-- msg-type [1] INTEGER, use k5.asn
    msg-type [1] MESSAGE-TYPE,
    padata   [2] SEQUENCE OF PA-DATA OPTIONAL
                 -- NOTE: not empty --,
    crealm   [3] Realm,
    cname    [4] CName,
    ticket   [5] Ticket,
    enc-part [6] EncryptedKDCREPData
                 -- EncASRepPart or EncTGSRepPart,
                 -- as appropriate
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart

EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

EncKDCRepPart ::= SEQUENCE {
    key            [0] EncryptionKey,
    last-req       [1] LastReq,
    nonce          [2] UInt32,
    key-expiration [3] KerberosTime OPTIONAL,
    flags          [4] TicketFlags,
    authtime       [5] KerberosTime,
    starttime      [6] KerberosTime OPTIONAL,
    endtime        [7] KerberosTime,
    renew-till     [8] KerberosTime OPTIONAL,
    srealm         [9] Realm,
    sname          [10] SName,
    caddr          [11] HostAddresses OPTIONAL,
    -- Field [12] is not in RFC 4120's EncKDCRepPart (which ends at caddr
    -- [11]); it was added by later work (RFC 6806) and is pulled in from
    -- the sibling module here.
    encrypted-pa-data[12] METHOD-DATA OPTIONAL -- from k5.asn
}

LastReq ::= SEQUENCE OF SEQUENCE {
-- lr-type [0] Int32, Use k5.asn
    lr-type  [0] LR-TYPE,
    lr-value [1] KerberosTime
}

AP-REQ ::= [APPLICATION 14] SEQUENCE {
    pvno          [0] INTEGER (5),
-- msg-type [1] INTEGER (14), use k5.asn
    msg-type      [1] MESSAGE-TYPE,
    ap-options    [2] APOptions,
    ticket        [3] Ticket,
    authenticator [4] EncryptedAuthenticator -- Authenticator
}
-- Use the krb5.asn def.
--APOptions ::= KerberosFlags
    -- reserved(0),
    -- use-session-key(1),
    -- mutual-required(2)

-- Unencrypted authenticator
Authenticator ::= [APPLICATION 2] SEQUENCE {
    authenticator-vno  [0] INTEGER (5),
    crealm             [1] Realm,
    cname              [2] CName,
    cksum              [3] Checksum OPTIONAL,
    cusec              [4] Microseconds,
    ctime              [5] KerberosTime,
    subkey             [6] EncryptionKey OPTIONAL,
    seq-number         [7] UInt32 OPTIONAL,
    authorization-data [8] AuthorizationData OPTIONAL
}

AP-REP ::= [APPLICATION 15] SEQUENCE {
    pvno     [0] INTEGER (5),
-- msg-type [1] INTEGER (15), Use k5.asn
    msg-type [1] MESSAGE-TYPE,
    enc-part [2] EncryptedAPREPData -- EncAPRepPart
}

EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
    ctime      [0] KerberosTime,
    cusec      [1] Microseconds,
    subkey     [2] EncryptionKey OPTIONAL,
    seq-number [3] UInt32 OPTIONAL
}

KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
    pvno      [0] INTEGER (5),
-- msg-type [1] INTEGER (20), use k5.asn
    msg-type  [1] MESSAGE-TYPE,
    safe-body [2] KRB-SAFE-BODY,
    cksum     [3] Checksum
}

KRB-SAFE-BODY ::= SEQUENCE {
    user-data  [0] OCTET STRING,
    timestamp  [1] KerberosTime OPTIONAL,
    usec       [2] Microseconds OPTIONAL,
    seq-number [3] UInt32 OPTIONAL,
    -- XXX this one is OPTIONAL in packetcable? but mandatory in kerberos
    -- (compare EncKrbPrivPart below, where s-address stays mandatory).
    s-address  [4] HostAddress OPTIONAL,
    r-address  [5] HostAddress OPTIONAL
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
    pvno     [0] INTEGER (5),
-- msg-type [1] INTEGER (21), Use k5.asn
    msg-type [1] MESSAGE-TYPE,
    -- NOTE: there is no [2] tag
    enc-part [3] EncryptedKrbPrivData -- EncKrbPrivPart
}

ENC-KRB-PRIV-PART ::= [APPLICATION 28] EncKrbPrivPart

EncKrbPrivPart ::= SEQUENCE {
    user-data  [0] OCTET STRING,
    timestamp  [1] KerberosTime OPTIONAL,
    usec       [2] Microseconds OPTIONAL,
    seq-number [3] UInt32 OPTIONAL,
    s-address  [4] HostAddress -- sender's addr --,
    r-address  [5] HostAddress OPTIONAL -- recip's addr
}

KRB-CRED ::= [APPLICATION 22] SEQUENCE {
    pvno     [0] INTEGER (5),
-- msg-type [1] INTEGER (22), use k5.asn
    msg-type [1] MESSAGE-TYPE,
    tickets  [2] SEQUENCE OF Ticket,
    enc-part [3] EncryptedKrbCredData -- EncKrbCredPart
}

EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
    ticket-info [0] SEQUENCE OF KrbCredInfo,
    nonce       [1] UInt32 OPTIONAL,
    timestamp   [2] KerberosTime OPTIONAL,
    usec        [3] Microseconds OPTIONAL,
    s-address   [4] HostAddress OPTIONAL,
    r-address   [5] HostAddress OPTIONAL
}

-- Everything except the session key is OPTIONAL here; the entries are
-- matched positionally against the tickets in KRB-CRED.
KrbCredInfo ::= SEQUENCE {
    key        [0] EncryptionKey,
    prealm     [1] Realm OPTIONAL,
    pname      [2] PrincipalName OPTIONAL,
    flags      [3] TicketFlags OPTIONAL,
    authtime   [4] KerberosTime OPTIONAL,
    starttime  [5] KerberosTime OPTIONAL,
    endtime    [6] KerberosTime OPTIONAL,
    renew-till [7] KerberosTime OPTIONAL,
    srealm     [8] Realm OPTIONAL,
    sname      [9] SName OPTIONAL,
    caddr      [10] HostAddresses OPTIONAL
}

KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
    pvno       [0] INTEGER (5),
-- msg-type [1] INTEGER (30), use k5.asn
    msg-type   [1] MESSAGE-TYPE,
    ctime      [2] KerberosTime OPTIONAL,
    cusec      [3] Microseconds OPTIONAL,
    stime      [4] KerberosTime,
    susec      [5] Microseconds,
-- error-code [6] Int32,
    error-code [6] ERROR-CODE, -- Use k5.asn
    crealm     [7] Realm OPTIONAL,
    cname      [8] CName OPTIONAL,
    realm      [9] Realm -- service realm --,
    sname      [10] SName -- service name --,
    e-text     [11] KerberosString OPTIONAL,
    e-data     [12] OCTET STRING OPTIONAL,
    -- Extension: RFC 4120's KRB-ERROR ends at e-data [12].
    e-checksum [13] Checksum OPTIONAL -- used by PacketCable
}

METHOD-DATA ::= SEQUENCE OF PA-DATA

-- SIZE (1..MAX): an empty TYPED-DATA is a constraint violation.
TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
    data-type  [0] Int32,
    data-value [1] OCTET STRING OPTIONAL
}

-- preauth stuff follows

-- Same shape as EncryptedData; carries the encrypted PA-ENC-TS-ENC.
PA-ENC-TIMESTAMP ::= SEQUENCE {
    etype  [0] ENCTYPE -- EncryptionType --,
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING -- ciphertext
}

PA-ENC-TS-ENC ::= SEQUENCE {
    patimestamp [0] KerberosTime -- client's time --,
    pausec      [1] Microseconds OPTIONAL
}

ETYPE-INFO-ENTRY ::= SEQUENCE {
-- etype [0] Int32, use k5.asn
    etype [0] ENCTYPE,
    salt  [1] OCTET STRING OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

-- Differs from ETYPE-INFO-ENTRY: salt is a KerberosString here (OCTET
-- STRING above) and an optional s2kparams field is added; a consumer must
-- not treat the two entry types interchangeably.
ETYPE-INFO2-ENTRY ::= SEQUENCE {
-- etype [0] Int32, use k5.asn
    etype     [0] ENCTYPE,
    salt      [1] KerberosString OPTIONAL,
    s2kparams [2] OCTET STRING OPTIONAL
}

ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

AD-IF-RELEVANT ::= AuthorizationData

-- ad-checksum is what lets a recipient verify that elements really were
-- issued by the KDC (see AD-KDCIssued in RFC 4120 section 5.2.6.2); the
-- checksum type comes from the sibling module via Checksum.
AD-KDCIssued ::= SEQUENCE {
    ad-checksum [0] Checksum,
    i-realm     [1] Realm OPTIONAL,
    i-sname     [2] SName OPTIONAL,
    elements    [3] AuthorizationData
}

AD-AND-OR ::= SEQUENCE {
    condition-count [0] Int32,
    elements        [1] AuthorizationData
}

AD-MANDATORY-FOR-KDC ::= AuthorizationData

-- TGT-REQ / TGT-REP are not RFC 4120 messages: they are absent from the
-- Applications CHOICE above and carry no [APPLICATION n] tag.  msg-type is
-- pinned to 16 / 17 by a subtype constraint on MESSAGE-TYPE.
TGT-REQ ::= SEQUENCE {
    pvno        [0] INTEGER (5),
    msg-type    [1] MESSAGE-TYPE (16),
    server-name [2] PrincipalName OPTIONAL,
    realm       [3] Realm OPTIONAL
}

TGT-REP ::= SEQUENCE {
    pvno     [0] INTEGER (5),
    msg-type [1] MESSAGE-TYPE (17),
    ticket   [2] Ticket
}

END