asn1/kerberos/KerberosV5Spec2.asn

--http://www.ietf.org/rfc/rfc4120.txt?number=4120
KerberosV5Spec2 {
        iso(1) identified-organization(3) dod(6) internet(1)
        security(5) kerberosV5(2) modules(4) krb5spec2(2)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN

-- OID arc for KerberosV5
--
-- This OID may be used to identify Kerberos protocol messages
-- encapsulated in other protocols.
--
-- This OID also designates the OID arc for KerberosV5-related OIDs.
--
-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
-- WS construct
Applications ::= CHOICE {
	ticket			Ticket,				-- 1 --
	authenticator	Authenticator,		-- 2 --
	encTicketPart	EncTicketPart,		-- 3 --
	as-req			AS-REQ,				-- 10 --
	as-rep			AS-REP,				-- 11 --
	tgs-req			TGS-REQ,			-- 12 --
	tgs-rep			TGS-REP,			-- 13 --
	ap-req			AP-REQ,				-- 14 --
	ap-rep			AP-REP,				-- 15 --
	krb-safe		KRB-SAFE,			-- 20 --
	krb-priv		KRB-PRIV,			-- 21 --
	krb-cred		KRB-CRED,			-- 22 --
	encASRepPart	EncASRepPart,		-- 25 --
	encTGSRepPart	EncTGSRepPart,		-- 26 --
	encAPRepPart	EncAPRepPart,		-- 27 --
	encKrbPrivPart	ENC-KRB-PRIV-PART,	-- 28 --
	encKrbCredPart	EncKrbCredPart,		-- 29 --
	krb-error		KRB-ERROR			-- 30 --
	}
-- end WS construct
id-krb5         OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) dod(6) internet(1)
        security(5) kerberosV5(2)
}

Int32           ::= INTEGER (-2147483648..2147483647)
                    -- signed values representable in 32 bits

UInt32          ::= INTEGER (0..4294967295)
                    -- unsigned 32 bit values

Microseconds    ::= INTEGER (0..999999)
                    -- microseconds

KerberosString  ::= GeneralString (IA5String)
CNameString  ::= GeneralString (IA5String)
SNameString  ::= GeneralString (IA5String)

Realm           ::= KerberosString

PrincipalName   ::= SEQUENCE {
--        name-type       [0] Int32, Use the translationj from krb5.asn (Heimdahl)
        name-type       [0] NAME-TYPE,
        name-string     [1] SEQUENCE OF KerberosString
}

CName   ::= SEQUENCE {
        name-type       [0] NAME-TYPE,
        cname-string    [1] SEQUENCE OF CNameString
}

SName   ::= SEQUENCE {
        name-type       [0] NAME-TYPE,
        sname-string    [1] SEQUENCE OF SNameString
}

KerberosTime    ::= GeneralizedTime -- with no fractional seconds

HostAddress     ::= SEQUENCE  {
--        addr-type       [0] Int32,
        addr-type       [0] ADDR-TYPE, --use k5.asn
        address         [1] OCTET STRING
}

-- NOTE: HostAddresses is always used as an OPTIONAL field and
-- should not be empty.
HostAddresses   -- NOTE: subtly different from rfc1510,
                -- but has a value mapping and encodes the same
        ::= SEQUENCE OF HostAddress

-- NOTE: AuthorizationData is always used as an OPTIONAL field and
-- should not be empty.
AuthorizationData       ::= SEQUENCE OF SEQUENCE {
        ad-type         [0] AUTHDATA-TYPE,
        ad-data         [1] OCTET STRING
}

PA-DATA         ::= SEQUENCE {
        -- NOTE: first tag is [1], not [0]
--        padata-type     [1] Int32, use k5.asn
        padata-type     [1] PADATA-TYPE,
        padata-value    [2] OCTET STRING -- might be encoded AP-REQ
}

KerberosFlags   ::= BIT STRING (SIZE (32..MAX))
                    -- minimum number of bits shall be sent,
                    -- but no fewer than 32

EncryptedData   ::= SEQUENCE {
--        etype   [0] Int32 - - EncryptionType - -, Use k5.asn
        etype   [0] ENCTYPE -- EncryptionType --,
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptionKey   ::= SEQUENCE {
        keytype         [0] Int32 -- actually encryption type --,
        keyvalue        [1] OCTET STRING
}

Checksum        ::= SEQUENCE {
--        cksumtype       [0] Int32, Use k5.asn
        cksumtype       [0] CKSUMTYPE,
        checksum        [1] OCTET STRING
}

EncryptedTicketData   ::= SEQUENCE {
        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptedAuthorizationData   ::= SEQUENCE {
        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptedAuthenticator   ::= SEQUENCE {
        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptedKDCREPData   ::= SEQUENCE {
        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptedAPREPData   ::= SEQUENCE {
        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptedKrbPrivData   ::= SEQUENCE {
        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptedKrbCredData   ::= SEQUENCE {
        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

Ticket          ::= [APPLICATION 1] SEQUENCE {
        tkt-vno         [0] INTEGER (5),
        realm           [1] Realm,
        sname           [2] SName,
        enc-part        [3] EncryptedTicketData
}

-- Encrypted part of ticket
EncTicketPart   ::= [APPLICATION 3] SEQUENCE {
        flags                   [0] TicketFlags,
        key                     [1] EncryptionKey,
        crealm                  [2] Realm,
        cname                   [3] CName,
        transited               [4] TransitedEncoding,
        authtime                [5] KerberosTime,
        starttime               [6] KerberosTime OPTIONAL,
        endtime                 [7] KerberosTime,
        renew-till              [8] KerberosTime OPTIONAL,
        caddr                   [9] HostAddresses OPTIONAL,
        authorization-data      [10] AuthorizationData OPTIONAL
}

-- encoded Transited field
TransitedEncoding       ::= SEQUENCE {
        tr-type         [0] Int32 -- must be registered --,
        contents        [1] OCTET STRING
}
-- Use the k5.asn def
-- TicketFlags     ::= KerberosFlags
        -- reserved(0),
        -- forwardable(1),
        -- forwarded(2),
        -- proxiable(3),
        -- proxy(4),
        -- may-postdate(5),
        -- postdated(6),
        -- invalid(7),
        -- renewable(8),
        -- initial(9),
        -- pre-authent(10),
        -- hw-authent(11),
-- the following are new since 1510
        -- transited-policy-checked(12),
        -- ok-as-delegate(13)

AS-REQ          ::= [APPLICATION 10] KDC-REQ

TGS-REQ         ::= [APPLICATION 12] KDC-REQ

KDC-REQ         ::= SEQUENCE {
        -- NOTE: first tag is [1], not [0]
        pvno            [1] INTEGER (5) ,
--        msg-type        [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
--        msg-type        [2] INTEGER, use k5.asn
        msg-type        [2] MESSAGE-TYPE,
        padata          [3] SEQUENCE OF PA-DATA OPTIONAL
                            -- NOTE: not empty --,
        req-body        [4] KDC-REQ-BODY
}

KDC-REQ-BODY    ::= SEQUENCE {
        kdc-options             [0] KDCOptions,
        cname                   [1] CName OPTIONAL
                                    -- Used only in AS-REQ --,
        realm                   [2] Realm
                                    -- Server's realm
                                    -- Also client's in AS-REQ --,
        sname                   [3] SName OPTIONAL,
        from                    [4] KerberosTime OPTIONAL,

-- this field is not optional in the kerberos spec, however, in the packetcable spec it is optional
-- make it optional here since normal kerberos will still decode the pdu correctly.
        till                    [5] KerberosTime OPTIONAL,

        rtime                   [6] KerberosTime OPTIONAL,
        nonce                   [7] UInt32,
--        etype                   [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn
        etype                   [8] SEQUENCE OF ENCTYPE -- EncryptionType
                                    -- in preference order --,
        addresses               [9] HostAddresses OPTIONAL,
        enc-authorization-data  [10] EncryptedAuthorizationData OPTIONAL
                                    -- AuthorizationData --,
        additional-tickets      [11] SEQUENCE OF Ticket OPTIONAL
                                        -- NOTE: not empty
}

-- Use th k5.asn def
--KDCOptions      ::= KerberosFlags
        -- reserved(0),
        -- forwardable(1),
        -- forwarded(2),
        -- proxiable(3),
        -- proxy(4),
        -- allow-postdate(5),
        -- postdated(6),
        -- unused7(7),
        -- renewable(8),
        -- unused9(9),
        -- unused10(10),
        -- opt-hardware-auth(11),
        -- unused12(12),
        -- unused13(13),
-- 15 is reserved for canonicalize
        -- unused15(15),
-- 26 was unused in 1510
        -- disable-transited-check(26),
--
        -- renewable-ok(27),
        -- enc-tkt-in-skey(28),
        -- renew(30),
        -- validate(31)

AS-REP          ::= [APPLICATION 11] KDC-REP

TGS-REP         ::= [APPLICATION 13] KDC-REP


KDC-REP         ::= SEQUENCE {
        pvno            [0] INTEGER (5),
--        msg-type        [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
--        msg-type        [1] INTEGER, use k5.asn
        msg-type        [1] MESSAGE-TYPE,
        padata          [2] SEQUENCE OF PA-DATA OPTIONAL
                                -- NOTE: not empty --,
        crealm          [3] Realm,
        cname           [4] CName,
        ticket          [5] Ticket,
        enc-part        [6] EncryptedKDCREPData
                                -- EncASRepPart or EncTGSRepPart,
                                -- as appropriate
}

EncASRepPart    ::= [APPLICATION 25] EncKDCRepPart

EncTGSRepPart   ::= [APPLICATION 26] EncKDCRepPart

EncKDCRepPart   ::= SEQUENCE {
        key             [0] EncryptionKey,
        last-req        [1] LastReq,
        nonce           [2] UInt32,
        key-expiration  [3] KerberosTime OPTIONAL,
        flags           [4] TicketFlags,
        authtime        [5] KerberosTime,
        starttime       [6] KerberosTime OPTIONAL,
        endtime         [7] KerberosTime,
        renew-till      [8] KerberosTime OPTIONAL,
        srealm          [9] Realm,
        sname           [10] SName,
        caddr           [11] HostAddresses OPTIONAL,
	    encrypted-pa-data[12]	METHOD-DATA OPTIONAL -- from k5.asn
}

LastReq         ::=     SEQUENCE OF SEQUENCE {
--        lr-type         [0] Int32, Use k5.asn
		lr-type         [0] LR-TYPE,
        lr-value        [1] KerberosTime
}

AP-REQ          ::= [APPLICATION 14] SEQUENCE {
        pvno            [0] INTEGER (5),
--        msg-type        [1] INTEGER (14), use k5.asn
        msg-type        [1] MESSAGE-TYPE,
        ap-options      [2] APOptions,
        ticket          [3] Ticket,
        authenticator   [4] EncryptedAuthenticator -- Authenticator
}
-- Use the krb5.asn def.
--APOptions       ::= KerberosFlags
        -- reserved(0),
        -- use-session-key(1),
        -- mutual-required(2)

-- Unencrypted authenticator
Authenticator   ::= [APPLICATION 2] SEQUENCE  {
        authenticator-vno       [0] INTEGER (5),
        crealm                  [1] Realm,
        cname                   [2] CName,
        cksum                   [3] Checksum OPTIONAL,
        cusec                   [4] Microseconds,
        ctime                   [5] KerberosTime,
        subkey                  [6] EncryptionKey OPTIONAL,
        seq-number              [7] UInt32 OPTIONAL,
        authorization-data      [8] AuthorizationData OPTIONAL
}

AP-REP          ::= [APPLICATION 15] SEQUENCE {
        pvno            [0] INTEGER (5),
--        msg-type        [1] INTEGER (15), Use k5.asn
        msg-type        [1] MESSAGE-TYPE,
        enc-part        [2] EncryptedAPREPData -- EncAPRepPart
}

EncAPRepPart    ::= [APPLICATION 27] SEQUENCE {
        ctime           [0] KerberosTime,
        cusec           [1] Microseconds,
        subkey          [2] EncryptionKey OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL
}

KRB-SAFE        ::= [APPLICATION 20] SEQUENCE {
        pvno            [0] INTEGER (5),
--        msg-type        [1] INTEGER (20), use k5.asn
        msg-type        [1] MESSAGE-TYPE,
        safe-body       [2] KRB-SAFE-BODY,
        cksum           [3] Checksum
}

KRB-SAFE-BODY   ::= SEQUENCE {
        user-data       [0] OCTET STRING,
        timestamp       [1] KerberosTime OPTIONAL,
        usec            [2] Microseconds OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL,
        s-address       [4] HostAddress OPTIONAL, -- XXX this one is OPTIONAL in packetcable?  but mandatory in kerberos
        r-address       [5] HostAddress OPTIONAL
}

KRB-PRIV        ::= [APPLICATION 21] SEQUENCE {
        pvno            [0] INTEGER (5),
--        msg-type        [1] INTEGER (21), Use k5.asn
        msg-type        [1] MESSAGE-TYPE,
                        -- NOTE: there is no [2] tag
        enc-part        [3] EncryptedKrbPrivData -- EncKrbPrivPart
}

ENC-KRB-PRIV-PART  ::= [APPLICATION 28] EncKrbPrivPart

EncKrbPrivPart  ::= SEQUENCE {
        user-data       [0] OCTET STRING,
        timestamp       [1] KerberosTime OPTIONAL,
        usec            [2] Microseconds OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL,
        s-address       [4] HostAddress -- sender's addr --,
        r-address       [5] HostAddress OPTIONAL -- recip's addr
}

KRB-CRED        ::= [APPLICATION 22] SEQUENCE {
        pvno            [0] INTEGER (5),
--        msg-type        [1] INTEGER (22), use k5.asn
        msg-type        [1] MESSAGE-TYPE,
        tickets         [2] SEQUENCE OF Ticket,
        enc-part        [3] EncryptedKrbCredData -- EncKrbCredPart
}

EncKrbCredPart  ::= [APPLICATION 29] SEQUENCE {
        ticket-info     [0] SEQUENCE OF KrbCredInfo,
        nonce           [1] UInt32 OPTIONAL,
        timestamp       [2] KerberosTime OPTIONAL,
        usec            [3] Microseconds OPTIONAL,
        s-address       [4] HostAddress OPTIONAL,
        r-address       [5] HostAddress OPTIONAL
}

KrbCredInfo     ::= SEQUENCE {
        key             [0] EncryptionKey,
        prealm          [1] Realm OPTIONAL,
        pname           [2] PrincipalName OPTIONAL,
        flags           [3] TicketFlags OPTIONAL,
        authtime        [4] KerberosTime OPTIONAL,
        starttime       [5] KerberosTime OPTIONAL,
        endtime         [6] KerberosTime OPTIONAL,
        renew-till      [7] KerberosTime OPTIONAL,
        srealm          [8] Realm OPTIONAL,
        sname           [9] SName OPTIONAL,
        caddr           [10] HostAddresses OPTIONAL
}

KRB-ERROR       ::= [APPLICATION 30] SEQUENCE {
        pvno            [0] INTEGER (5),
--        msg-type        [1] INTEGER (30), use k5.asn
        msg-type        [1] MESSAGE-TYPE,
        ctime           [2] KerberosTime OPTIONAL,
        cusec           [3] Microseconds OPTIONAL,
        stime           [4] KerberosTime,
        susec           [5] Microseconds,
--        error-code      [6] Int32,
        error-code      [6] ERROR-CODE, -- Use k5.asn
        crealm          [7] Realm OPTIONAL,
        cname           [8] CName OPTIONAL,
        realm           [9] Realm -- service realm --,
        sname           [10] SName -- service name --,
        e-text          [11] KerberosString OPTIONAL,
        e-data          [12] OCTET STRING OPTIONAL,
        e-checksum      [13] Checksum OPTIONAL -- used by PacketCable
}

METHOD-DATA     ::= SEQUENCE OF PA-DATA

TYPED-DATA      ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
        data-type       [0] Int32,
        data-value      [1] OCTET STRING OPTIONAL
}

-- preauth stuff follows

PA-ENC-TIMESTAMP        ::= SEQUENCE {
        etype   [0] ENCTYPE -- EncryptionType --,
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

PA-ENC-TS-ENC           ::= SEQUENCE {
        patimestamp     [0] KerberosTime -- client's time --,
        pausec          [1] Microseconds OPTIONAL
}

ETYPE-INFO-ENTRY        ::= SEQUENCE {
--        etype           [0] Int32, use k5.asn
        etype           [0] ENCTYPE,
        salt            [1] OCTET STRING OPTIONAL
}

ETYPE-INFO              ::= SEQUENCE OF ETYPE-INFO-ENTRY

ETYPE-INFO2-ENTRY       ::= SEQUENCE {
--        etype           [0] Int32, use k5.asn
        etype           [0] ENCTYPE,
        salt            [1] KerberosString OPTIONAL,
        s2kparams       [2] OCTET STRING OPTIONAL
}

ETYPE-INFO2             ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

AD-IF-RELEVANT          ::= AuthorizationData

AD-KDCIssued            ::= SEQUENCE {
        ad-checksum     [0] Checksum,
        i-realm         [1] Realm OPTIONAL,
        i-sname         [2] SName OPTIONAL,
        elements        [3] AuthorizationData
}

AD-AND-OR               ::= SEQUENCE {
        condition-count [0] Int32,
        elements        [1] AuthorizationData
}

AD-MANDATORY-FOR-KDC    ::= AuthorizationData

TGT-REQ                 ::= SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] MESSAGE-TYPE (16),
        server-name     [2] PrincipalName OPTIONAL,
        realm           [3] Realm OPTIONAL
}

TGT-REP                 ::= SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] MESSAGE-TYPE (17),
        ticket          [2] Ticket
}

END