-- lib/krb5/asn.1/KRB5-asn.py
--
-- Copyright 1989 by the Massachusetts Institute of Technology.
--
-- Export of this software from the United States of America may
-- require a specific license from the United States Government.
-- It is the responsibility of any person or organization contemplating
-- export to obtain such a license before exporting.
--
-- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-- distribute this software and its documentation for any purpose and
-- without fee is hereby granted, provided that the above copyright
-- notice appear in all copies and that both that copyright notice and
-- this permission notice appear in supporting documentation, and that
-- the name of M.I.T. not be used in advertising or publicity pertaining
-- to distribution of the software without specific, written prior
-- permission. Furthermore if you modify this software you must label
-- your software as modified software and not distribute it in such a
-- fashion that it might be confused with the original M.I.T. software.
-- M.I.T. makes no representations about the suitability of
-- this software for any purpose. It is provided "as is" without express
-- or implied warranty.
--
-- ASN.1 definitions for the kerberos network objects
--
-- Do not change the order of any structure containing some
-- element_KRB5_xx unless the corresponding translation code is also
-- changed.
--
-- The context tag numbers ([0], [1], ...) and the element order in every
-- SEQUENCE below ARE the wire format. Gaps and non-zero starting tags
-- (KDC-REQ begins at [1], KRB-PRIV's enc-part is [3]) match the published
-- Kerberos V5 definitions and must not be "normalised"; any change here
-- changes which peers can still decode these messages.
--
-- Note on ASN.1 comment syntax: a "--" comment ends at end of line OR at
-- the next "--" on the same line, so never put a second double hyphen
-- inside a comment.
--

KRB5 DEFINITIONS ::=
BEGIN

-- needed to do the Right Thing with pepsy; this isn't a valid ASN.1
-- token, however.
-- (pepsy is the ASN.1 compiler this file was written for; a standard
-- ASN.1 parser will reject the SECTIONS line and must skip it.)

SECTIONS encode decode none

-- the order of stuff in this file matches the order in the draft RFC

-- Realm is a bare GeneralString; realm comparison and case rules are
-- defined by the protocol, not by this encoding.
Realm ::= GeneralString

HostAddress ::= SEQUENCE {
	addr-type[0] INTEGER,
	address[1] OCTET STRING
}

-- Written out inline rather than as "SEQUENCE OF HostAddress"; presumably
-- a requirement of the pepsy translation (see header). The two element
-- lists must be kept identical to HostAddress. The same inline pattern is
-- used for AuthorizationData and LastReq below.
HostAddresses ::= SEQUENCE OF SEQUENCE {
	addr-type[0] INTEGER,
	address[1] OCTET STRING
}

-- ad-data is opaque; its interpretation depends on ad-type. Decode it with
-- the parser for that type only after validating ad-type, and treat
-- unknown types as such rather than ignoring the element silently.
AuthorizationData ::= SEQUENCE OF SEQUENCE {
	ad-type[0] INTEGER,
	ad-data[1] OCTET STRING
}

-- Bit positions are the encoding; positions not named here (10..26, 29)
-- are simply not defined by this file. A decoder should preserve, not
-- interpret, bits it does not know.
KDCOptions ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	allow-postdate(5),
	postdated(6),
	unused7(7),
	renewable(8),
	unused9(9),
	renewable-ok(27),
	enc-tkt-in-skey(28),
	renew(30),
	validate(31)
}

LastReq ::= SEQUENCE OF SEQUENCE {
	lr-type[0] INTEGER,
	lr-value[1] KerberosTime
}

-- Only the Z (UTC) form is expected; a strict decoder should reject
-- local-offset forms. NOTE(review): the protocol also disallows
-- fractional seconds in KerberosTime; confirm the decoder enforces both
-- rather than accepting any GeneralizedTime.
KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

-- name-type qualifies how name-string is to be interpreted; both are
-- carried in the clear in most messages.
PrincipalName ::= SEQUENCE{
	name-type[0] INTEGER,
	name-string[1] SEQUENCE OF GeneralString
}

-- realm and sname are cleartext and unauthenticated on their own; the
-- authoritative copy of the ticket's contents is the encrypted
-- EncTicketPart, which only the service key holder can open.
Ticket ::= [APPLICATION 1] SEQUENCE {
	tkt-vno[0] INTEGER,
	realm[1] Realm,
	sname[2] PrincipalName,
	enc-part[3] EncryptedData -- EncTicketPart
}

TransitedEncoding ::= SEQUENCE {
	tr-type[0] INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS
	contents[1] OCTET STRING
}

-- Encrypted part of ticket
-- Everything here (session key, validity window, address restriction,
-- authorization data, transited realms) is only trustworthy after the
-- enclosing EncryptedData has been decrypted and its integrity check has
-- passed; none of it may be acted on before that.
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
	flags[0] TicketFlags,
	key[1] EncryptionKey,
	crealm[2] Realm,
	cname[3] PrincipalName,
	transited[4] TransitedEncoding,
	authtime[5] KerberosTime,
	starttime[6] KerberosTime OPTIONAL,
	endtime[7] KerberosTime,
	renew-till[8] KerberosTime OPTIONAL,
	caddr[9] HostAddresses OPTIONAL,
	authorization-data[10] AuthorizationData OPTIONAL
}

-- Unencrypted authenticator
-- "Unencrypted" describes this definition, not the wire: it is carried
-- inside AP-REQ.authenticator as EncryptedData. ctime/cusec are the values
-- the server's replay cache must key on; seq-number, when present, seeds
-- ordering for later KRB-SAFE/KRB-PRIV traffic.
Authenticator ::= [APPLICATION 2] SEQUENCE {
	authenticator-vno[0] INTEGER,
	crealm[1] Realm,
	cname[2] PrincipalName,
	cksum[3] Checksum OPTIONAL,
	cusec[4] INTEGER,
	ctime[5] KerberosTime,
	subkey[6] EncryptionKey OPTIONAL,
	seq-number[7] INTEGER OPTIONAL,
	authorization-data[8] AuthorizationData OPTIONAL
}

-- Bits 0..9 here line up with KDCOptions bits 0..9, but invalid(7) and
-- initial(9) have no request-side counterpart; do not reuse one type for
-- the other.
TicketFlags ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	may-postdate(5),
	postdated(6),
	invalid(7),
	renewable(8),
	initial(9)
}

-- AS-REQ and TGS-REQ share one body; they differ by APPLICATION tag and by
-- the msg-type value inside KDC-REQ. A decoder should check that the two
-- agree.
AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- Tags begin at [1]; there is deliberately no [0] element.
KDC-REQ ::= SEQUENCE {
	pvno[1] INTEGER,
	msg-type[2] INTEGER,
	padata[3] SEQUENCE OF PA-DATA OPTIONAL,
	req-body[4] KDC-REQ-BODY
}

-- pa-data is an opaque OCTET STRING whose structure depends on
-- padata-type; select the inner decoder from the type value first and
-- treat a malformed inner encoding as a protocol error, not as absent
-- pre-authentication.
PA-DATA ::= SEQUENCE {
	padata-type[1] INTEGER,
	pa-data[2] OCTET STRING -- might be encoded AP-REQ
}

-- nonce is echoed back in EncKDCRepPart.nonce; the client must compare the
-- two to bind a reply to its own request.
KDC-REQ-BODY ::= SEQUENCE {
	kdc-options[0] KDCOptions,
	cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
	realm[2] Realm, -- Server's realm  Also client's in AS-REQ
	sname[3] PrincipalName OPTIONAL,
	from[4] KerberosTime OPTIONAL,
	till[5] KerberosTime,
	rtime[6] KerberosTime OPTIONAL,
	nonce[7] INTEGER,
	etype[8] SEQUENCE OF INTEGER, -- EncryptionType,
					-- in preference order
	addresses[9] HostAddresses OPTIONAL,
	enc-authorization-data[10] EncryptedData OPTIONAL,
					-- AuthorizationData
	additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
}

-- ticket travels in the clear (it is opaque to the client); enc-part is
-- the part the client can open and is where the session key arrives.
AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP
KDC-REP ::= SEQUENCE {
	pvno[0] INTEGER,
	msg-type[1] INTEGER,
	padata[2] SEQUENCE OF PA-DATA OPTIONAL,
	crealm[3] Realm,
	cname[4] PrincipalName,
	ticket[5] Ticket, -- Ticket
	enc-part[6] EncryptedData -- EncKDCRepPart
}

-- The client cannot read its ticket, so flags/authtime/endtime/srealm/
-- sname here are its only view of what was issued; nonce must match
-- KDC-REQ-BODY.nonce before any of it is believed.
EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
EncKDCRepPart ::= SEQUENCE {
	key[0] EncryptionKey,
	last-req[1] LastReq,
	nonce[2] INTEGER,
	key-expiration[3] KerberosTime OPTIONAL,
	flags[4] TicketFlags,
	authtime[5] KerberosTime,
	starttime[6] KerberosTime OPTIONAL,
	endtime[7] KerberosTime,
	renew-till[8] KerberosTime OPTIONAL,
	srealm[9] Realm,
	sname[10] PrincipalName,
	caddr[11] HostAddresses OPTIONAL
}

-- authenticator is an encrypted Authenticator (above); use-session-key in
-- ap-options changes which key the server must decrypt the ticket with.
AP-REQ ::= [APPLICATION 14] SEQUENCE {
	pvno[0] INTEGER,
	msg-type[1] INTEGER,
	ap-options[2] APOptions,
	ticket[3] Ticket,
	authenticator[4] EncryptedData -- Authenticator
}

APOptions ::= BIT STRING {
	reserved(0),
	use-session-key(1),
	mutual-required(2)
}

AP-REP ::= [APPLICATION 15] SEQUENCE {
	pvno[0] INTEGER,
	msg-type[1] INTEGER,
	enc-part[2] EncryptedData -- EncAPRepPart
}

-- ctime/cusec echo the client's Authenticator values; the client checks
-- them to complete mutual authentication.
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
	ctime[0] KerberosTime,
	cusec[1] INTEGER,
	subkey[2] EncryptionKey OPTIONAL,
	seq-number[3] INTEGER OPTIONAL
}

-- cksum is mandatory here (unlike Authenticator.cksum) and is the only
-- integrity protection on safe-body; user-data is not confidential.
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
	pvno[0] INTEGER,
	msg-type[1] INTEGER,
	safe-body[2] KRB-SAFE-BODY,
	cksum[3] Checksum
}

-- timestamp/usec and seq-number are all OPTIONAL, so replay protection
-- exists only if the receiver insists on at least one of them.
KRB-SAFE-BODY ::= SEQUENCE {
	user-data[0] OCTET STRING,
	timestamp[1] KerberosTime OPTIONAL,
	usec[2] INTEGER OPTIONAL,
	seq-number[3] INTEGER OPTIONAL,
	s-address[4] HostAddress, -- sender's addr
	r-address[5] HostAddress OPTIONAL -- recip's addr
}

-- enc-part is tagged [3]; there is deliberately no [2] element.
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
	pvno[0] INTEGER,
	msg-type[1] INTEGER,
	enc-part[3] EncryptedData -- EncKrbPrivPart
}

-- Same element list as KRB-SAFE-BODY, presumably kept as a distinct type
-- because it has its own APPLICATION tag and translation entry. Here the
-- confidentiality and integrity come from the enclosing EncryptedData.
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
	user-data[0] OCTET STRING,
	timestamp[1] KerberosTime OPTIONAL,
	usec[2] INTEGER OPTIONAL,
	seq-number[3] INTEGER OPTIONAL,
	s-address[4] HostAddress, -- sender's addr
	r-address[5] HostAddress OPTIONAL -- recip's addr
}

-- The KRB-CRED message allows easy forwarding of credentials.
-- tickets are in the clear; the session keys that make them usable are in
-- enc-part, so the encrypted part is the sensitive one.

KRB-CRED ::= [APPLICATION 22] SEQUENCE {
	pvno[0] INTEGER,
	msg-type[1] INTEGER, -- KRB_CRED
	tickets[2] SEQUENCE OF Ticket,
	enc-part[3] EncryptedData -- EncKrbCredPart
}

-- ticket-info[i] describes (and carries the session key for) tickets[i]
-- of the enclosing KRB-CRED; the two lists must have the same length.
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
	ticket-info[0] SEQUENCE OF KRB-CRED-INFO,
	nonce[1] INTEGER OPTIONAL,
	timestamp[2] KerberosTime OPTIONAL,
	usec[3] INTEGER OPTIONAL,
	s-address[4] HostAddress OPTIONAL,
	r-address[5] HostAddress OPTIONAL
}

-- key is raw session-key material; every other element is OPTIONAL.
KRB-CRED-INFO ::= SEQUENCE {
	key[0] EncryptionKey,
	prealm[1] Realm OPTIONAL,
	pname[2] PrincipalName OPTIONAL,
	flags[3] TicketFlags OPTIONAL,
	authtime[4] KerberosTime OPTIONAL,
	starttime[5] KerberosTime OPTIONAL,
	endtime[6] KerberosTime OPTIONAL,
	renew-till[7] KerberosTime OPTIONAL,
	srealm[8] Realm OPTIONAL,
	sname[9] PrincipalName OPTIONAL,
	caddr[10] HostAddresses OPTIONAL
}

-- KRB-ERROR carries no integrity protection of its own: e-text and e-data
-- are attacker-controllable from the network's point of view. e-data is
-- opaque and interpreted according to error-code (e.g. METHOD-DATA or
-- ETYPE-INFO for pre-authentication errors); decode it only for the
-- error codes that define it.
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
	pvno[0] INTEGER,
	msg-type[1] INTEGER,
	ctime[2] KerberosTime OPTIONAL,
	cusec[3] INTEGER OPTIONAL,
	stime[4] KerberosTime,
	susec[5] INTEGER,
	error-code[6] INTEGER,
	crealm[7] Realm OPTIONAL,
	cname[8] PrincipalName OPTIONAL,
	realm[9] Realm, -- Correct realm
	sname[10] PrincipalName, -- Correct name
	e-text[11] GeneralString OPTIONAL,
	e-data[12] OCTET STRING OPTIONAL
}

-- etype and kvno are cleartext and untrusted: a decoder should reject an
-- etype it does not support (never fall back to another), and use kvno
-- only to select among keys it already holds.
EncryptedData ::= SEQUENCE {
	etype[0] INTEGER, -- EncryptionType
	kvno[1] INTEGER OPTIONAL,
	cipher[2] OCTET STRING -- CipherText
}

-- keyvalue is raw key material; never log or display it.
EncryptionKey ::= SEQUENCE {
	keytype[0] INTEGER,
	keyvalue[1] OCTET STRING
}

-- cksumtype selects the algorithm; a verifier should reject unknown or
-- unkeyed types where a keyed checksum is required.
Checksum ::= SEQUENCE {
	cksumtype[0] INTEGER,
	checksum[1] OCTET STRING
}

METHOD-DATA ::= SEQUENCE {
	method-type[0] INTEGER,
	method-data[1] OCTET STRING OPTIONAL
}

-- Delivered to the client inside KRB-ERROR.e-data; salt is OPTIONAL and
-- the protocol defines a default derived from the principal name when it
-- is absent. Because KRB-ERROR is unauthenticated, the salt and etype
-- offered here are not trustworthy on their own.
ETYPE-INFO-ENTRY ::= SEQUENCE {
	etype[0] INTEGER,
	salt[1] OCTET STRING OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

-- Encrypted under the client's long-term key as proof of possession for
-- pre-authentication; the KDC checks patimestamp against its clock-skew
-- window.
PA-ENC-TS-ENC ::= SEQUENCE {
	patimestamp[0] KerberosTime, -- client's time
	pausec[1] INTEGER OPTIONAL
}

-- These ASN.1 definitions are NOT part of the official Kerberos protocol...

-- New ASN.1 definitions for the kadmin protocol.
-- Originally contributed from the Sandia modifications

-- passwd and phrase are plaintext secret material. This type must only be
-- transmitted inside an encrypted wrapper (EncryptedData / KRB-PRIV).
-- NOTE(review): this file does not show where PasswdData is used; confirm
-- at the caller that it is never sent in the clear.
PasswdSequence ::= SEQUENCE {
	passwd[0] OCTET STRING,
	phrase[1] OCTET STRING
}

-- passwd-sequence-count is redundant with the length of passwd-sequence;
-- a decoder should check that the two agree.
PasswdData ::= SEQUENCE {
	passwd-sequence-count[0] INTEGER,
	passwd-sequence[1] SEQUENCE OF PasswdSequence
}

-- encodings from
-- Integrating Single-use Authentication Mechanisms with Kerberos

-- Note sam-pk-for-sad is an OCTET STRING here but an EncryptionKey in
-- PA-SAM-CHALLENGE-2-BODY below; the two challenge formats are not
-- interchangeable.
PA-SAM-CHALLENGE ::= SEQUENCE {
	sam-type[0] INTEGER,
	sam-flags[1] SAMFlags,
	sam-type-name[2] GeneralString OPTIONAL,
	sam-track-id[3] GeneralString OPTIONAL,
	sam-challenge-label[4] GeneralString OPTIONAL,
	sam-challenge[5] GeneralString OPTIONAL,
	sam-response-prompt[6] GeneralString OPTIONAL,
	sam-pk-for-sad[7] OCTET STRING OPTIONAL,
	sam-nonce[8] INTEGER OPTIONAL,
	sam-cksum[9] Checksum OPTIONAL
}

-- The "..." extension marker means a decoder must accept and ignore
-- trailing elements it does not know. sam-cksum requires at least one
-- Checksum; a verifier must check one of them, not merely that the list
-- is non-empty.
PA-SAM-CHALLENGE-2 ::= SEQUENCE {
	sam-body[0] PA-SAM-CHALLENGE-2-BODY,
	sam-cksum[1] SEQUENCE (1..MAX) OF Checksum,
	...
}

-- sam-nonce and sam-etype are mandatory here, unlike PA-SAM-CHALLENGE.
PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
	sam-type[0] INTEGER,
	sam-flags[1] SAMFlags,
	sam-type-name[2] GeneralString OPTIONAL,
	sam-track-id[3] GeneralString OPTIONAL,
	sam-challenge-label[4] GeneralString OPTIONAL,
	sam-challenge[5] GeneralString OPTIONAL,
	sam-response-prompt[6] GeneralString OPTIONAL,
	sam-pk-for-sad[7] EncryptionKey OPTIONAL,
	sam-nonce[8] INTEGER,
	sam-etype[9] INTEGER,
	...
}

-- these are [0].. [2] in the draft
-- The bit names are given only as comments; the bit positions below are
-- the contract. The SIZE constraint requires at least 32 bits.
SAMFlags ::= BIT STRING (SIZE (32..MAX))
	-- use-sad-as-key(0)
	-- send-encrypted-sad(1)
	-- must-pk-encrypt-sad(2)

PA-SAM-RESPONSE ::= SEQUENCE {
	sam-type[0] INTEGER,
	sam-flags[1] SAMFlags,
	sam-track-id[2] GeneralString OPTIONAL,
	-- sam-enc-key is reserved for future use, so I'm making it OPTIONAL - mwe
	-- NOTE(review): the comment above says OPTIONAL but the element is not
	-- marked OPTIONAL, so encoders must still emit it and decoders will
	-- require it. Recorded here as a comment/definition mismatch; do not
	-- change the definition without checking the translation code, since
	-- doing so changes the wire format.
	sam-enc-key[3] EncryptedData,
	-- PA-ENC-SAM-KEY
	sam-enc-nonce-or-ts[4] EncryptedData,
	-- PA-ENC-SAM-RESPONSE-ENC
	sam-nonce[5] INTEGER OPTIONAL,
	sam-patimestamp[6] KerberosTime OPTIONAL
}

-- sam-nonce is mandatory in this version; the cleartext nonce must be
-- compared with the one recovered from sam-enc-nonce-or-sad.
PA-SAM-RESPONSE-2 ::= SEQUENCE {
	sam-type[0] INTEGER,
	sam-flags[1] SAMFlags,
	sam-track-id[2] GeneralString OPTIONAL,
	sam-enc-nonce-or-sad[3] EncryptedData,
	-- PA-ENC-SAM-RESPONSE-ENC
	sam-nonce[4] INTEGER,
	...
}

PA-ENC-SAM-KEY ::= SEQUENCE {
	sam-key[0] EncryptionKey
}

-- Every element is OPTIONAL, so an empty SEQUENCE is syntactically valid.
-- The verifier must require whichever of sam-nonce / sam-timestamp it
-- bound the challenge to, rather than accept a response that carries
-- neither.
PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
	sam-nonce[0] INTEGER OPTIONAL,
	sam-timestamp[1] KerberosTime OPTIONAL,
	sam-usec[2] INTEGER OPTIONAL,
	sam-passcode[3] GeneralString OPTIONAL
}

-- sam-nonce is mandatory here, closing the "empty response" gap noted
-- above; sam-sad (the single-use authentication data) remains OPTIONAL.
PA-ENC-SAM-RESPONSE-ENC-2 ::= SEQUENCE {
	sam-nonce[0] INTEGER,
	sam-sad[1] GeneralString OPTIONAL,
	...
}
END