1-- $Id$ --
2
-- PKINIT (public-key cryptography for Kerberos initial authentication)
-- ASN.1 module: the PA-PK-AS-REQ / PA-PK-AS-REP pre-authentication
-- payloads, the inner structures carried inside their CMS wrappers, the
-- OIDs used to tag them, and the legacy Win2k-style layouts at the end.
-- NOTE(review): every "signed" or "encrypted" field in this module is
-- declared as an opaque OCTET STRING.  The generated decoder only
-- checks the framing; CMS signature and decryption checks, certificate
-- chain / EKU / SAN policy, and the decoding of nested DER blobs all
-- have to be done by the consuming code.
PKINIT DEFINITIONS ::= BEGIN

-- Kerberos core types, CMS, PKIX (rfc2459) and Heimdal's heim_any
-- (presumably an undecoded DER value; confirm in heim.asn1).
-- ContentInfo is imported but not referenced anywhere in this module.
IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
	IssuerAndSerialNumber, ContentInfo FROM cms
	SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
	heim_any FROM heim;
9
-- Object identifiers.  id-pkinit is 1.3.6.1.5.2.3; by their names the
-- five arcs under it are the CMS content types of the three signed
-- payloads (AuthPack, KDCDHKeyInfo, ReplyKeyPack) and the two extended
-- key usages (client, KDC).  That binding is RFC 4556's and is not
-- stated in this file; confirm against the code that sets eContentType.
id-pkinit OBJECT IDENTIFIER ::=
  { iso (1) org (3) dod (6) internet (1) security (5)
    kerberosv5 (2) pkinit (3) }

id-pkauthdata  OBJECT IDENTIFIER  ::= { id-pkinit 1 } -- 1.3.6.1.5.2.3.1, signed AuthPack content type
id-pkdhkeydata OBJECT IDENTIFIER  ::= { id-pkinit 2 } -- 1.3.6.1.5.2.3.2, signed KDCDHKeyInfo content type
id-pkrkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 3 } -- 1.3.6.1.5.2.3.3, signed ReplyKeyPack content type
id-pkekuoid    OBJECT IDENTIFIER  ::= { id-pkinit 4 } -- 1.3.6.1.5.2.3.4, EKU for PKINIT client certificates
id-pkkdcekuoid OBJECT IDENTIFIER  ::= { id-pkinit 5 } -- 1.3.6.1.5.2.3.5, EKU for KDC certificates
-- NOTE(review): id-pkkdcekuoid (or an equivalent local policy) is what
-- distinguishes a KDC certificate from any other certificate the same
-- CA issued.  A client that accepts dhSignedData / encKeyPack signed by
-- a certificate lacking it lets any CA-issued certificate impersonate
-- the KDC.  That check belongs in the consumer; nothing here does it.

-- 1.3.6.1.5.2.2: otherName type-id in an X.509 subjectAltName.  Per
-- RFC 4556 the otherName value is a KRB5PrincipalName (defined below).
id-pkinit-san	OBJECT IDENTIFIER ::=
  { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
    x509-sanan(2) }

-- 1.3.6.1.4.1.311.20.2.2: Microsoft's smart-card-logon EKU, presumably
-- accepted in place of id-pkekuoid on client certificates (confirm in
-- the certificate-policy code).
id-pkinit-ms-eku OBJECT IDENTIFIER ::=
  { iso(1) org(3) dod(6) internet(1) private(4)
    enterprise(1) microsoft(311) 20 2 2 }

-- 1.3.6.1.4.1.311.20.2.3: Microsoft's UPN otherName in subjectAltName;
-- the otherName value is an MS-UPN-SAN (below).
id-pkinit-ms-san OBJECT IDENTIFIER ::=
  { iso(1) org(3) dod(6) internet(1) private(4)
    enterprise(1) microsoft(311) 20 2 3 }

-- UPN string carried under id-pkinit-ms-san (typically user@domain).
-- NOTE(review): mapping this string to a Kerberos principal is a trust
-- decision made by the consumer; the domain/realm part must be checked
-- against what the issuing CA is allowed to assert, not taken as-is.
MS-UPN-SAN ::= UTF8String
33
-- Wire values.  pa-pk-as-req / pa-pk-as-rep are the padata-type numbers
-- under which PA-PK-AS-REQ and PA-PK-AS-REP travel.  The td-* values
-- are the typed-data types of TD-TRUSTED-CERTIFIERS,
-- TD-INVALID-CERTIFICATES and TD-DH-PARAMETERS (per RFC 4556 these are
-- returned by the KDC in KRB-ERROR e-data; confirm in the KDC code).
pa-pk-as-req INTEGER ::=                  16
pa-pk-as-rep INTEGER ::=                  17

td-trusted-certifiers INTEGER ::=        104
td-invalid-certificates INTEGER ::=      105
td-dh-parameters INTEGER ::=             109
40
-- Nonce contributed by one side of the DH exchange (clientDHNonce in
-- AuthPack, serverDHNonce in DHRepInfo).  No length constraint is
-- declared, so the decoder accepts any length; the consumer should put
-- an upper bound on it before feeding it into key derivation.
DHNonce ::= OCTET STRING

-- Key-derivation-function selector (supportedKDFs in AuthPack, kdf in
-- DHRepInfo).  Only the OID is carried; extensible.  NOTE(review): the
-- consumer must reject an unknown kdf-id rather than fall back
-- silently, and a client should refuse a kdf it did not offer in
-- supportedKDFs; otherwise the agility mechanism is a downgrade vector.
KDFAlgorithmId ::= SEQUENCE {
       kdf-id            [0] OBJECT IDENTIFIER,
       ...
}
47
-- A trusted CA named by an encoded name plus an optional serial number
-- and/or subject key identifier.  caName is an opaque OCTET STRING
-- (presumably the DER of an X.501 Name); this module does not decode
-- it.  Not referenced by any other type in this module: PA-PK-AS-REQ
-- carries ExternalPrincipalIdentifiers and PA-PK-AS-REQ-Win2k carries
-- TrustedCA-Win2k.
TrustedCA ::= SEQUENCE {
	caName                  [0] IMPLICIT OCTET STRING,
	certificateSerialNumber [1] INTEGER OPTIONAL,
	subjectKeyIdentifier    [2] OCTET STRING OPTIONAL,
	...
}
54
-- Identifies a certificate or CA by one or more of: subject name,
-- issuer-and-serial, subject key identifier.  All three are opaque
-- OCTET STRINGs here (per RFC 4556 they hold DER Name,
-- IssuerAndSerialNumber and SubjectKeyIdentifier respectively; the
-- consumer decodes them).  NOTE(review): every field is OPTIONAL and
-- nothing requires at least one, so an empty SEQUENCE decodes
-- successfully; matching code must not treat "no constraints" as
-- "matches everything" by accident.
ExternalPrincipalIdentifier ::= SEQUENCE {
	subjectName		[0] IMPLICIT OCTET STRING OPTIONAL,
	issuerAndSerialNumber	[1] IMPLICIT OCTET STRING OPTIONAL,
	subjectKeyIdentifier	[2] IMPLICIT OCTET STRING OPTIONAL,
	...
}

-- List form, used for trustedCertifiers in PA-PK-AS-REQ and for the
-- TD-TRUSTED-CERTIFIERS / TD-INVALID-CERTIFICATES typed data.
ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier
63
-- Client's pre-authentication payload (padata-type pa-pk-as-req).
--  signedAuthPack:    opaque; per RFC 4556 a CMS SignedData whose
--                     content is an AuthPack.  Nothing in this module
--                     verifies the signature, the chain, the EKU or the
--                     SAN-to-principal binding; the KDC must do all of
--                     that before trusting anything decoded from it.
--  trustedCertifiers: CAs the client trusts, so the KDC can pick a
--                     certificate the client will accept.  OPTIONAL.
--  kdcPkId:           opaque; the client's hint of which KDC
--                     certificate to use (presumably a DER
--                     SignerIdentifier).  OPTIONAL.
-- Extensible: unknown trailing fields are tolerated by the decoder.
PA-PK-AS-REQ ::= SEQUENCE {
        signedAuthPack          [0] IMPLICIT OCTET STRING,
        trustedCertifiers       [1] ExternalPrincipalIdentifiers OPTIONAL,
	kdcPkId                 [2] IMPLICIT OCTET STRING OPTIONAL,
	...
}
70
-- Freshness and request-binding data inside the signed AuthPack.
--  cusec:      microsecond part of ctime.  The (0..999999) constraint
--              is commented out, so the generated decoder does NOT
--              enforce it; range-check in the consumer.
--  ctime:      client time.  Clock-skew and replay-cache policy for
--              ctime/cusec is the consumer's, not the decoder's.
--  nonce:      unsigned 32-bit.  Per RFC 4556 it is echoed back in
--              KDCDHKeyInfo.nonce, which has the same range; note the
--              Win2k variants use a signed range instead.
--  paChecksum: per RFC 4556 a checksum over the KDC-REQ-BODY, binding
--              this AuthPack to the request it arrived in.  OPTIONAL:
--              when absent the signed AuthPack can be replayed into a
--              different request body, so the consumer must decide
--              explicitly whether (and when) to accept its absence.
-- Extensible.
PKAuthenticator ::= SEQUENCE {
	cusec                   [0] INTEGER -- (0..999999) --,
	ctime                   [1] KerberosTime,
	nonce                   [2] INTEGER (0..4294967295),
	paChecksum              [3] OCTET STRING OPTIONAL,
	...
}
78
-- Signed content of PA-PK-AS-REQ.signedAuthPack.
--  pkAuthenticator:   freshness/binding data, see PKAuthenticator.
--  clientPublicValue: the client's DH public key as a
--                     SubjectPublicKeyInfo.  OPTIONAL: present for the
--                     DH path (PA-PK-AS-REP.dhInfo), absent for the
--                     public-key-encryption path (encKeyPack),
--                     presumably.  NOTE(review): the group parameters
--                     inside it are chosen by the client; the KDC must
--                     validate them (approved group, public value in
--                     range) before using them, not merely decode them.
--  supportedCMSTypes: CMS algorithms the client accepts (per RFC 4556
--                     in preference order).  OPTIONAL.
--  clientDHNonce:     the client's contribution to DH key derivation.
--  supportedKDFs:     KDFs the client accepts.  Declared as an
--                     extension addition (after the first "...") so
--                     decoders built before it was added skip it.
--                     Because it sits inside the signed AuthPack, a KDC
--                     answering with a kdf the client did not list is
--                     detectable by the client; the client should check.
AuthPack ::= SEQUENCE {
	pkAuthenticator         [0] PKAuthenticator,
	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL,
	supportedCMSTypes       [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
	clientDHNonce           [3] DHNonce OPTIONAL,
	...,
	supportedKDFs		[4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
	...
}
88
-- Typed-data payloads (td-type values above) the KDC can return to the
-- client: by their names, the CAs the KDC trusts and the client
-- certificates it rejected.  Both are ExternalPrincipalIdentifiers
-- under another name, so the same "empty identifier" caveat applies.
TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers
91
-- Kerberos principal as carried in an X.509 subjectAltName otherName of
-- type id-pkinit-san.  No extension marker, so any extra field is a
-- decode error.  NOTE(review): accepting this name from a certificate
-- means trusting the issuing CA to assert Kerberos identities in that
-- realm; the consumer must restrict which CAs may name which realms.
KRB5PrincipalName ::= SEQUENCE {
	realm                   [0] Realm,
	principalName           [1] PrincipalName
}

-- Authorization-data payload listing, by its name, the CAs that were
-- verified during PKINIT.  Same element type as
-- ExternalPrincipalIdentifiers but a distinct ASN.1 type.
AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier
98
-- DH branch of PA-PK-AS-REP.
--  dhSignedData:  opaque; per RFC 4556 a CMS SignedData over a
--                 KDCDHKeyInfo, signed with the KDC's certificate.  The
--                 client must verify the signature and that the signer
--                 is a legitimate KDC for the realm (EKU / SAN policy)
--                 before using the DH value; none of that happens here.
--  serverDHNonce: the KDC's contribution to DH key derivation.
--                 OPTIONAL.
--  kdf:           the KDF the KDC chose; an extension addition,
--                 OPTIONAL.  Absence presumably selects the legacy
--                 derivation.  The client should check the choice
--                 against the supportedKDFs it offered in AuthPack.
DHRepInfo ::= SEQUENCE {
	dhSignedData            [0] IMPLICIT OCTET STRING,
	serverDHNonce           [1] DHNonce OPTIONAL,
	...,
	kdf			[2] KDFAlgorithmId OPTIONAL,
	...
}
106
-- KDC's pre-authentication reply (padata-type pa-pk-as-rep), one of:
--  dhInfo:     DH key agreement, see DHRepInfo.
--  encKeyPack: opaque; per RFC 4556 a CMS EnvelopedData (encrypted to
--              the client's certificate) wrapping a SignedData over a
--              ReplyKeyPack.  Decryption, signature verification and
--              the signer-is-a-KDC check are all the consumer's job.
-- Extensible CHOICE.
PA-PK-AS-REP ::= CHOICE {
	dhInfo                  [0] DHRepInfo,
	encKeyPack              [1] IMPLICIT OCTET STRING,
	...
}
112
-- Content of DHRepInfo.dhSignedData.
--  subjectPublicKey: the KDC's DH public value as a BIT STRING (per
--                    RFC 4556 a DER INTEGER inside it; confirm in the
--                    decoder).  Must be range-checked against the group
--                    the client proposed before use.
--  nonce:            unsigned 32-bit; must equal PKAuthenticator.nonce
--                    from the request, otherwise the reply is not bound
--                    to this exchange.  The comparison is the client's.
--  dhKeyExpiration:  OPTIONAL.  Only meaningful when the KDC reuses its
--                    DH key; per RFC 4556 the client should not reuse
--                    the KDC's value past this time.
-- Extensible.
KDCDHKeyInfo ::= SEQUENCE {
	subjectPublicKey        [0] BIT STRING,
	nonce                   [1] INTEGER (0..4294967295),
	dhKeyExpiration         [2] KerberosTime OPTIONAL,
	...
}
119
-- Content of the SignedData inside PA-PK-AS-REP.encKeyPack.
--  replyKey:   the AS reply key.
--  asChecksum: keyed checksum over the AS-REQ (per RFC 4556 computed
--              with replyKey), binding this reply to the request.  The
--              client must verify it; contrast ReplyKeyPack-Win2k,
--              which carries only a nonce.
-- Extensible.
ReplyKeyPack ::= SEQUENCE {
	replyKey                [0] EncryptionKey,
	asChecksum		[1] Checksum,
	...
}

-- Typed data (td-dh-parameters): by its name, the DH groups the KDC
-- accepts, so a client whose clientPublicValue used an unacceptable
-- group can retry.  What the client does with it is the consumer's.
TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
127
128
-- Windows compat glue: legacy Win2k-style PKINIT encodings, which differ in tags, ranges and fields from the types above --
130
-- Legacy authenticator for the Win2k exchange.  Differences from
-- PKAuthenticator that a consumer must handle:
--  kdcName/kdcRealm: the target KDC is named explicitly (tags [0],[1]),
--                    so cusec/ctime/nonce move to [2],[3],[4].
--  cusec:            constrained to 0..4294967295, not to microseconds;
--                    range-check it yourself if you need sub-second
--                    semantics.
--  nonce:            signed 32-bit here, unsigned in PKAuthenticator;
--                    values are not interchangeable without a check.
--  no paChecksum:    nothing binds this authenticator to the AS-REQ
--                    body the AuthPack arrived in.
--  no extension marker: any extra field is a decode error.
PKAuthenticator-Win2k ::= SEQUENCE {
	kdcName			[0] PrincipalName,
	kdcRealm		[1] Realm,
	cusec			[2] INTEGER (0..4294967295),
	ctime			[3] KerberosTime,
	nonce                   [4] INTEGER (-2147483648..2147483647)
}
138
-- Legacy signed content of PA-PK-AS-REQ-Win2k.signed-auth-pack: only
-- the authenticator and an optional DH public value.  No CMS-type
-- negotiation, no client DH nonce, no KDF list, no extension marker.
-- Same caveat as AuthPack: the DH group inside clientPublicValue is
-- client-chosen and must be validated by the KDC before use.
AuthPack-Win2k ::= SEQUENCE {
	pkAuthenticator         [0] PKAuthenticator-Win2k,
	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
}
143
144
-- Legacy trusted-CA reference.  Tags start at [1]; there is no [0].
--  caName:          heim_any, i.e. presumably whatever DER value the
--                   peer sent, kept undecoded (confirm in heim.asn1).
--                   Decode and validate it before comparing names.
--  issuerAndSerial: a decoded CMS IssuerAndSerialNumber.
TrustedCA-Win2k ::= CHOICE {
	caName                  [1] heim_any,
	issuerAndSerial         [2] IssuerAndSerialNumber
}
149
-- Legacy request.  Tags are [0],[2],[3],[4]: there is no [1].  The gap
-- is part of the wire format; renumbering would change the encoding.
--  signed-auth-pack:   opaque CMS SignedData over an AuthPack-Win2k;
--                      the same verification duties as for
--                      PA-PK-AS-REQ.signedAuthPack apply.
--  trusted-certifiers: CAs the client trusts, in TrustedCA-Win2k form.
--  kdc-cert:           opaque; presumably identifies the KDC
--                      certificate the client wants used.
--  encryption-cert:    opaque; presumably identifies the client's
--                      encryption certificate for the encKeyPack path.
-- No extension marker.
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
	signed-auth-pack	[0] IMPLICIT OCTET STRING,
	trusted-certifiers	[2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
	kdc-cert		[3] IMPLICIT OCTET STRING OPTIONAL,
	encryption-cert		[4] IMPLICIT OCTET STRING OPTIONAL
}
156
-- Legacy reply.  Unlike PA-PK-AS-REP, the DH branch is the raw signed
-- blob itself (no DHRepInfo wrapper, hence no server nonce and no kdf
-- selector), and the CHOICE is not extensible.  Both alternatives are
-- opaque CMS payloads the consumer must verify / decrypt, including
-- the check that the signer is a legitimate KDC.
PA-PK-AS-REP-Win2k ::= CHOICE {
	dhSignedData		[0] IMPLICIT OCTET STRING,
	encKeyPack		[1] IMPLICIT OCTET STRING
}
161
162
-- Legacy content of PA-PK-AS-REP-Win2k.dhSignedData.  Field order and
-- tags differ from KDCDHKeyInfo: nonce is [0] and signed 32-bit,
-- subjectPublicKey is [2] (there is no [1]), and there is neither a
-- dhKeyExpiration nor an extension marker.  nonce must still be
-- compared against the request's PKAuthenticator-Win2k.nonce, and the
-- public value range-checked against the proposed group.
KDCDHKeyInfo-Win2k ::= SEQUENCE {
	nonce			[0] INTEGER (-2147483648..2147483647),
	subjectPublicKey	[2] BIT STRING
}
167
-- Legacy content of the SignedData inside PA-PK-AS-REP-Win2k.encKeyPack.
-- NOTE(review): carries a nonce where ReplyKeyPack carries asChecksum,
-- so the only binding to the request is a 32-bit nonce comparison
-- rather than a keyed checksum over the whole AS-REQ.  The consumer
-- must at least compare nonce against PKAuthenticator-Win2k.nonce.
-- Extensible.
ReplyKeyPack-Win2k ::= SEQUENCE {
        replyKey                [0] EncryptionKey,
        nonce                   [1] INTEGER (-2147483648..2147483647),
	...
}
173
-- Public input to the reply-key KDF selected by KDFAlgorithmId (by its
-- name and fields; confirm against the derivation code):
--  enctype:   encryption type of the key being derived.
--  as-REQ:    the encoded AS-REQ as sent.
--  pk-as-rep: the encoded PA-PK-AS-REP as received.
--  ticket:    the Ticket from the AS-REP.
-- Mixing the request and reply bytes into the derivation is what binds
-- the resulting key to this exact exchange; both sides must use the
-- bytes as they appeared on the wire, not a re-encoding, or the keys
-- will not match.  Extensible.
PkinitSuppPubInfo ::= SEQUENCE {
       enctype           [0] INTEGER (-2147483648..2147483647),
       as-REQ            [1] OCTET STRING,
       pk-as-rep         [2] OCTET STRING,
       ticket            [3] Ticket,
       ...
}
181
182END
183