-- Id

-- Kerberos V5 ASN.1 module as used by Heimdal.  The core ticket and
-- message types are the RFC 1510 / RFC 4120 definitions; the rest are
-- pre-authentication types, FAST (RFC 6113), Microsoft extensions and
-- Heimdal-private types.  Negative enumeration values are unregistered
-- (Microsoft or Heimdal private); see the per-type comments.
--
-- NOTE(review): this module is the source of generated encoder/decoder
-- symbols, so misspelled identifiers (KBB5-PADATA-OTP-CONFIRM,
-- KRB5-AUTHDATA-INTENDED-FOR_SERVER, kdc_verfied) are left as written;
-- renaming them would change the generated API.
-- NOTE(review): PA-ClientCanonicalized, PA-ClientCanonicalizedNames and
-- KRB5SignedPathPrincipals are listed in EXPORTS but not defined in this
-- module as shown here -- confirm they are defined elsewhere or drop them.

KERBEROS5 DEFINITIONS ::=
BEGIN
EXPORTS
        AD-AND-OR,
        AD-IF-RELEVANT,
        AD-KDCIssued,
        AD-LoginAlias,
        AP-REP,
        AP-REQ,
        AS-REP,
        AS-REQ,
        AUTHDATA-TYPE,
        Authenticator,
        AuthorizationData,
        AuthorizationDataElement,
        CKSUMTYPE,
        ChangePasswdDataMS,
        Checksum,
        ENCTYPE,
        ETYPE-INFO,
        ETYPE-INFO-ENTRY,
        ETYPE-INFO2,
        ETYPE-INFO2-ENTRY,
        EncAPRepPart,
        EncASRepPart,
        EncKDCRepPart,
        EncKrbCredPart,
        EncKrbPrivPart,
        EncTGSRepPart,
        EncTicketPart,
        EncryptedData,
        EncryptionKey,
        EtypeList,
        HostAddress,
        HostAddresses,
        KDC-REQ-BODY,
        KDCOptions,
        KDC-REP,
        KRB-CRED,
        KRB-ERROR,
        KRB-PRIV,
        KRB-SAFE,
        KRB-SAFE-BODY,
        KRB5SignedPath,
        KRB5SignedPathData,
        KRB5SignedPathPrincipals,
        KerberosString,
        KerberosTime,
        KrbCredInfo,
        LR-TYPE,
        LastReq,
        METHOD-DATA,
        NAME-TYPE,
        PA-ClientCanonicalized,
        PA-ClientCanonicalizedNames,
        PA-DATA,
        PA-ENC-TS-ENC,
        PA-PAC-REQUEST,
        PA-S4U2Self,
        PA-SERVER-REFERRAL-DATA,
        PA-ServerReferralData,
        PA-SvrReferralData,
        PADATA-TYPE,
        PA-FX-FAST-REQUEST,
        PA-FX-FAST-REPLY,
        Principal,
        PrincipalName,
        Principals,
        Realm,
        TGS-REP,
        TGS-REQ,
        Ticket,
        TicketFlags,
        TransitedEncoding,
        TypedData,
        KrbFastResponse,
        KrbFastFinished,
        KrbFastReq,
        KrbFastArmor,
        KrbFastArmoredReq,
        KDCFastState,
        KDCFastCookie,
        KDC-PROXY-MESSAGE,
        KERB-TIMES,
        KERB-CRED,
        KERB-TGS-REQ-IN,
        KERB-TGS-REQ-OUT,
        KERB-ARMOR-SERVICE-REPLY
        ;

-- Principal name types.  0-7 and 10 are registered in RFC 4120
-- sec. 7.5.8, 11 comes from RFC 6111 (well-known names) and 12 from
-- RFC 5179.  The negative values are Microsoft/Heimdal private.
-- NOTE(review): KRB5_NT_SRV_HST_NEEDS_CANON is commented as internal;
-- confirm the decoder does not accept it from a peer.
NAME-TYPE ::= INTEGER {
        KRB5_NT_UNKNOWN(0),             -- Name type not known
        KRB5_NT_PRINCIPAL(1),           -- Just the name of the principal as in DCE, or for users
        KRB5_NT_SRV_INST(2),            -- Service and other unique instance (krbtgt)
        KRB5_NT_SRV_HST(3),             -- Service with host name as instance
        KRB5_NT_SRV_XHST(4),            -- Service with host as remaining components
        KRB5_NT_UID(5),                 -- Unique ID
        KRB5_NT_X500_PRINCIPAL(6),      -- PKINIT
        KRB5_NT_SMTP_NAME(7),           -- Name in form of SMTP email name
        KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
        KRB5_NT_WELLKNOWN(11),          -- Wellknown
        KRB5_NT_SRV_HST_DOMAIN(12),     -- Domain based service with host name as instance (RFC5179)
        KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
        KRB5_NT_MS_PRINCIPAL(-128),     -- NT 4 style name
        KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
        KRB5_NT_NTLM(-1200),            -- NTLM name, realm is domain
        KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
        KRB5_NT_GSS_HOSTBASED_SERVICE(-1202), -- not used; remove
        KRB5_NT_CACHE_UUID(-1203),      -- name is actually a uuid pointing to ccache, use client name in cache
        KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- Internal: indicates that name canonicalization is needed
}

-- message types

-- msg-type values (RFC 4120 sec. 7.5.7).  They match the [APPLICATION n]
-- tags of the corresponding message types below.
MESSAGE-TYPE ::= INTEGER {
        krb-as-req(10),         -- Request for initial authentication
        krb-as-rep(11),         -- Response to KRB_AS_REQ request
        krb-tgs-req(12),        -- Request for authentication based on TGT
        krb-tgs-rep(13),        -- Response to KRB_TGS_REQ request
        krb-ap-req(14),         -- application request to server
        krb-ap-rep(15),         -- Response to KRB_AP_REQ_MUTUAL
        krb-safe(20),           -- Safe (checksummed) application message
        krb-priv(21),           -- Private (encrypted) application message
        krb-cred(22),           -- Private (encrypted) message to forward credentials
        krb-error(30)           -- Error response
}


-- pa-data types

-- Pre-authentication data types (RFC 4120 sec. 7.5.2 plus later
-- registrations).  Several numbers appear twice (1, 15, 20, 132) because
-- the same code point was claimed by more than one specification, so a
-- reverse mapping from number to symbolic name is ambiguous; dispatch on
-- the number, not the name.
PADATA-TYPE ::= INTEGER {
        KRB5-PADATA-NONE(0),
        KRB5-PADATA-TGS-REQ(1),
        KRB5-PADATA-AP-REQ(1),
        KRB5-PADATA-ENC-TIMESTAMP(2),
        KRB5-PADATA-PW-SALT(3),
        KRB5-PADATA-ENC-UNIX-TIME(5),
        KRB5-PADATA-SANDIA-SECUREID(6),
        KRB5-PADATA-SESAME(7),
        KRB5-PADATA-OSF-DCE(8),
        KRB5-PADATA-CYBERSAFE-SECUREID(9),
        KRB5-PADATA-AFS3-SALT(10),
        KRB5-PADATA-ETYPE-INFO(11),
        KRB5-PADATA-SAM-CHALLENGE(12),          -- (sam/otp)
        KRB5-PADATA-SAM-RESPONSE(13),           -- (sam/otp)
        KRB5-PADATA-PK-AS-REQ-19(14),           -- (PKINIT-19)
        KRB5-PADATA-PK-AS-REP-19(15),           -- (PKINIT-19)
        KRB5-PADATA-PK-AS-REQ-WIN(15),          -- (PKINIT - old number)
        KRB5-PADATA-PK-AS-REQ(16),              -- (PKINIT-25)
        KRB5-PADATA-PK-AS-REP(17),              -- (PKINIT-25)
        KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
        KRB5-PADATA-ETYPE-INFO2(19),
        KRB5-PADATA-USE-SPECIFIED-KVNO(20),
        KRB5-PADATA-SVR-REFERRAL-INFO(20),      -- old ms referral number
        KRB5-PADATA-SAM-REDIRECT(21),           -- (sam/otp)
        KRB5-PADATA-GET-FROM-TYPED-DATA(22),
        KRB5-PADATA-SAM-ETYPE-INFO(23),
        KRB5-PADATA-SERVER-REFERRAL(25),
        KRB5-PADATA-ALT-PRINC(24),              -- (crawdad@fnal.gov)
        KRB5-PADATA-SAM-CHALLENGE2(30),         -- (kenh@pobox.com)
        KRB5-PADATA-SAM-RESPONSE2(31),          -- (kenh@pobox.com)
        KRB5-PA-EXTRA-TGT(41),                  -- Reserved extra TGT
        KRB5-PADATA-FX-FAST-ARMOR(71),          -- fast armor
        KRB5-PADATA-TD-KRB-PRINCIPAL(102),      -- PrincipalName
        KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
        KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
        KRB5-PADATA-TD-APP-DEFINED-ERROR(106),  -- application specific
        KRB5-PADATA-TD-REQ-NONCE(107),          -- INTEGER
        KRB5-PADATA-TD-REQ-SEQ(108),            -- INTEGER
        KRB5-PADATA-PA-PAC-REQUEST(128),        -- jbrezak@exchange.microsoft.com
        KRB5-PADATA-FOR-USER(129),              -- MS-KILE
        KRB5-PADATA-FOR-X509-USER(130),         -- MS-KILE
        KRB5-PADATA-FOR-CHECK-DUPS(131),        -- MS-KILE
        KRB5-PADATA-AS-CHECKSUM(132),           -- MS-KILE
        KRB5-PADATA-PK-AS-09-BINDING(132),      -- client send this to
                                                -- tell KDC that is supports
                                                -- the asCheckSum in the
                                                -- PK-AS-REP
        KRB5-PADATA-FX-COOKIE(133),             -- krb-wg-preauth-framework
        KRB5-PADATA-AUTHENTICATION-SET(134),    -- krb-wg-preauth-framework
        KRB5-PADATA-AUTH-SET-SELECTED(135),     -- krb-wg-preauth-framework
        KRB5-PADATA-FX-FAST(136),               -- krb-wg-preauth-framework
        KRB5-PADATA-FX-ERROR(137),              -- krb-wg-preauth-framework
        KRB5-PADATA-ENCRYPTED-CHALLENGE(138),   -- krb-wg-preauth-framework
        KRB5-PADATA-OTP-CHALLENGE(141),         -- (gareth.richards@rsa.com)
        KRB5-PADATA-OTP-REQUEST(142),           -- (gareth.richards@rsa.com)
        KBB5-PADATA-OTP-CONFIRM(143),           -- (gareth.richards@rsa.com)
                                                -- NOTE(review): "KBB5" is a typo for KRB5, kept
                                                -- because the generated symbol name depends on it
        KRB5-PADATA-OTP-PIN-CHANGE(144),        -- (gareth.richards@rsa.com)
        KRB5-PADATA-EPAK-AS-REQ(145),
        KRB5-PADATA-EPAK-AS-REP(146),
        KRB5-PADATA-PKINIT-KX(147),             -- krb-wg-anon
        KRB5-PADATA-PKU2U-NAME(148),            -- zhu-pku2u
        KRB5-PADATA-REQ-ENC-PA-REP(149),        -- RFC 6806 (encrypted pa-data in the reply)
        KRB5-PADATA-SUPPORTED-ETYPES(165)       -- MS-KILE
}

-- Authorization-data element types (RFC 4120 sec. 7.5.4).  128 is the
-- Microsoft PAC; the SIGNTICKET values are Heimdal's.
AUTHDATA-TYPE ::= INTEGER {
        KRB5-AUTHDATA-IF-RELEVANT(1),
        KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),   -- NOTE(review): underscore is a typo for "-", kept
                                                -- to preserve the generated symbol
        KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
        KRB5-AUTHDATA-KDC-ISSUED(4),
        KRB5-AUTHDATA-AND-OR(5),
        KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
        KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
        KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
        KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
        KRB5-AUTHDATA-OSF-DCE(64),
        KRB5-AUTHDATA-SESAME(65),
        KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
        KRB5-AUTHDATA-WIN2K-PAC(128),
        KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
        KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
        KRB5-AUTHDATA-SIGNTICKET-OLD(142),
        KRB5-AUTHDATA-SIGNTICKET(512)
}

-- checksumtypes

-- Checksum types (RFC 3961 sec. 8).  CRC32, RSA_MD4 and RSA_MD5 are
-- unkeyed, and the DES/MD4/MD5-based keyed variants are deprecated
-- (RFC 6649); they are presumably retained so that legacy messages can
-- still be decoded, not as a statement that they are acceptable.
-- Negative values are unregistered Microsoft numbers.
CKSUMTYPE ::= INTEGER {
        CKSUMTYPE_NONE(0),
        CKSUMTYPE_CRC32(1),
        CKSUMTYPE_RSA_MD4(2),
        CKSUMTYPE_RSA_MD4_DES(3),
        CKSUMTYPE_DES_MAC(4),
        CKSUMTYPE_DES_MAC_K(5),
        CKSUMTYPE_RSA_MD4_DES_K(6),
        CKSUMTYPE_RSA_MD5(7),
        CKSUMTYPE_RSA_MD5_DES(8),
        CKSUMTYPE_RSA_MD5_DES3(9),
        CKSUMTYPE_SHA1_OTHER(10),
        CKSUMTYPE_HMAC_SHA1_DES3(12),
        CKSUMTYPE_SHA1(14),
        CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
        CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
        CKSUMTYPE_HMAC_SHA256_128_AES128(19),
        CKSUMTYPE_HMAC_SHA384_192_AES256(20),
        CKSUMTYPE_GSSAPI(0x8003),
        CKSUMTYPE_HMAC_MD5(-138),       -- unofficial microsoft number
        CKSUMTYPE_HMAC_MD5_ENC(-1138)   -- even more unofficial
}

--enctypes

-- Encryption types (RFC 3961 sec. 8; AES from RFC 3962 / RFC 8009,
-- RC4 from RFC 4757).  DES (1-3) is deprecated by RFC 6649 and
-- 3DES / RC4 (5, 7, 16, 23, 24) by RFC 8429; a type being listed here
-- does not mean it should be enabled.  Negative values are Microsoft
-- private or Heimdal internal, as the inline comments say.
ENCTYPE ::= INTEGER {
        KRB5_ENCTYPE_NULL(0),
        KRB5_ENCTYPE_DES_CBC_CRC(1),
        KRB5_ENCTYPE_DES_CBC_MD4(2),
        KRB5_ENCTYPE_DES_CBC_MD5(3),
        KRB5_ENCTYPE_DES3_CBC_MD5(5),
        KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
        KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
        KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
        KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
        KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
        KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
        KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
        KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128(19),
        KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192(20),
        KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
        KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
        KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
-- some "old" windows types
        KRB5_ENCTYPE_ARCFOUR_MD4(-128),
        KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
        KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use
        KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
        KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
        KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
        KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
        KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004),  -- private use, lukeh@padl.com
        KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005)     -- private use, lukeh@padl.com
}




-- this is sugar to make something ASN1 does not have: unsigned

krb5uint32 ::= INTEGER (0..4294967295)
krb5int32 ::= INTEGER (-2147483648..2147483647)

-- RFC 4120 sec. 5.2.1: declared as GeneralString, but the character set
-- is limited to IA5 (ASCII) in practice for interoperability.
KerberosString ::= GeneralString

Realm ::= GeneralString
-- RFC 4120 sec. 5.2.2.  name-string is declared with plain GeneralString
-- rather than KerberosString (the same underlying type).
PrincipalName ::= SEQUENCE {
        name-type[0]            NAME-TYPE,
        name-string[1]          SEQUENCE OF GeneralString
}

-- this is not part of RFC1510
-- Heimdal-internal pairing of a principal name with its realm.
Principal ::= SEQUENCE {
        name[0]                 PrincipalName,
        realm[1]                Realm
}

Principals ::= SEQUENCE OF Principal

-- RFC 4120 sec. 5.2.5; addr-type values are listed in sec. 7.5.3.
HostAddress ::= SEQUENCE {
        addr-type[0]            krb5int32,
        address[1]              OCTET STRING
}

-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
--      addr-type[0]            krb5int32,
--      address[1]              OCTET STRING
-- }

-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress


-- RFC 4120 sec. 5.2.3: UTC (trailing "Z"), no fractional seconds.
KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

-- RFC 4120 sec. 5.2.6.  ad-type carries an AUTHDATA-TYPE value but is
-- declared as krb5int32 here.
AuthorizationDataElement ::= SEQUENCE {
        ad-type[0]              krb5int32,
        ad-data[1]              OCTET STRING
}

AuthorizationData ::= SEQUENCE OF AuthorizationDataElement

-- AP-REQ options (RFC 4120 sec. 5.5.1).
APOptions ::= BIT STRING {
        reserved(0),
        use-session-key(1),
        mutual-required(2)
}

-- RFC 4120 sec. 5.3.  Bit 14 is not defined here; enc-pa-rep (15) is
-- from RFC 6806 and anonymous (16) from RFC 6112.
TicketFlags ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        may-postdate(5),
        postdated(6),
        invalid(7),
        renewable(8),
        initial(9),
        pre-authent(10),
        hw-authent(11),
        transited-policy-checked(12),
        ok-as-delegate(13),
        enc-pa-rep(15),
        anonymous(16)
}

-- RFC 4120 sec. 5.4.1.  Bits 9-13 and 17-25 are not defined here;
-- canonicalize (15) is from RFC 6806 and request-anonymous (16) from
-- RFC 6112.
KDCOptions ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        allow-postdate(5),
        postdated(6),
        renewable(8),
        cname-in-addl-tkt(14),  -- ms extension (constrained delegation, MS-SFU)
        canonicalize(15),
        request-anonymous(16),
        disable-transited-check(26),
        renewable-ok(27),
        enc-tkt-in-skey(28),
        renew(30),
        validate(31)
}

-- LastReq entry types (RFC 4120 sec. 5.4.2).
LR-TYPE ::= INTEGER {
        LR_NONE(0),             -- no information
        LR_INITIAL_TGT(1),      -- last initial TGT request
        LR_INITIAL(2),          -- last initial request
        LR_ISSUE_USE_TGT(3),    -- time of newest TGT used
        LR_RENEWAL(4),          -- time of last renewal
        LR_REQUEST(5),          -- time of last request (of any type)
        LR_PW_EXPTIME(6),       -- expiration time of password
        LR_ACCT_EXPTIME(7)      -- expiration time of account
}

LastReq ::= SEQUENCE OF SEQUENCE {
        lr-type[0]              LR-TYPE,
        lr-value[1]             KerberosTime
}


-- RFC 4120 sec. 5.2.9.  etype selects the algorithm, kvno identifies
-- which version of the key was used (absent when there is only one), and
-- cipher is the ciphertext of whatever type the enclosing field names.
EncryptedData ::= SEQUENCE {
        etype[0]                ENCTYPE, -- EncryptionType
        kvno[1]                 krb5int32 OPTIONAL,
        cipher[2]               OCTET STRING -- ciphertext
}

-- RFC 4120 sec. 5.2.9.  keytype carries an ENCTYPE value but is declared
-- as krb5int32 here.
EncryptionKey ::= SEQUENCE {
        keytype[0]              krb5int32,
        keyvalue[1]             OCTET STRING
}

-- encoded Transited field
-- RFC 4120 sec. 5.3.  The only tr-type defined in this module is
-- DOMAIN-X500-COMPRESS (1), below.
TransitedEncoding ::= SEQUENCE {
        tr-type[0]              krb5int32, -- must be registered
        contents[1]             OCTET STRING
}

-- RFC 4120 sec. 5.3.  realm and sname are in the clear; enc-part carries
-- the EncTicketPart below, encrypted under the service's key.
Ticket ::= [APPLICATION 1] SEQUENCE {
        tkt-vno[0]              krb5int32,
        realm[1]                Realm,
        sname[2]                PrincipalName,
        enc-part[3]             EncryptedData
}
-- Encrypted part of ticket
-- Only the service (and the KDC) can read this; everything a verifier
-- trusts about the client -- name, session key, validity window,
-- addresses and authorization-data such as the PAC -- comes from here,
-- never from the cleartext Ticket fields.
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
        flags[0]                TicketFlags,
        key[1]                  EncryptionKey,
        crealm[2]               Realm,
        cname[3]                PrincipalName,
        transited[4]            TransitedEncoding,
        authtime[5]             KerberosTime,
        starttime[6]            KerberosTime OPTIONAL,
        endtime[7]              KerberosTime,
        renew-till[8]           KerberosTime OPTIONAL,
        caddr[9]                HostAddresses OPTIONAL,
        authorization-data[10]  AuthorizationData OPTIONAL
}

-- RFC 4120 sec. 5.2.9.
Checksum ::= SEQUENCE {
        cksumtype[0]            CKSUMTYPE,
        checksum[1]             OCTET STRING
}

-- RFC 4120 sec. 5.5.1.  Sent encrypted in AP-REQ.authenticator under the
-- ticket session key; ctime/cusec are what the server's replay cache
-- keys on, and seq-number/subkey seed later KRB-SAFE/KRB-PRIV traffic.
Authenticator ::= [APPLICATION 2] SEQUENCE {
        authenticator-vno[0]    krb5int32,
        crealm[1]               Realm,
        cname[2]                PrincipalName,
        cksum[3]                Checksum OPTIONAL,
        cusec[4]                krb5int32,
        ctime[5]                KerberosTime,
        subkey[6]               EncryptionKey OPTIONAL,
        seq-number[7]           krb5uint32 OPTIONAL,
        authorization-data[8]   AuthorizationData OPTIONAL
}

-- RFC 4120 sec. 5.2.7.  Note the tags start at [1], not [0].
PA-DATA ::= SEQUENCE {
        -- might be encoded AP-REQ
        padata-type[1]          PADATA-TYPE,
        padata-value[2]         OCTET STRING
}

-- RFC 4120 sec. 5.2.7.4: the KDC's hint of which enctype/salt the client
-- should derive its key with.
ETYPE-INFO-ENTRY ::= SEQUENCE {
        etype[0]                ENCTYPE,
        salt[1]                 OCTET STRING OPTIONAL,
        salttype[2]             krb5int32 OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

-- RFC 4120 sec. 5.2.7.5: like ETYPE-INFO, with string-to-key parameters.
ETYPE-INFO2-ENTRY ::= SEQUENCE {
        etype[0]                ENCTYPE,
        salt[1]                 KerberosString OPTIONAL,
        s2kparams[2]            OCTET STRING OPTIONAL
}

ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

METHOD-DATA ::= SEQUENCE OF PA-DATA

-- RFC 4120 sec. 5.9.1 typed data, used inside KRB-ERROR.e-data.
TypedData ::=   SEQUENCE {
        data-type[0]            krb5int32,
        data-value[1]           OCTET STRING OPTIONAL
}

TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData

-- RFC 4120 sec. 5.4.1.  nonce is echoed back in EncKDCRepPart.nonce,
-- which is what ties a reply to this request.
KDC-REQ-BODY ::= SEQUENCE {
        kdc-options[0]          KDCOptions,
        cname[1]                PrincipalName OPTIONAL, -- Used only in AS-REQ
        realm[2]                Realm,  -- Server's realm
                                        -- Also client's in AS-REQ
        sname[3]                PrincipalName OPTIONAL,
        from[4]                 KerberosTime OPTIONAL,
        till[5]                 KerberosTime OPTIONAL,
        rtime[6]                KerberosTime OPTIONAL,
        nonce[7]                krb5int32,
        etype[8]                SEQUENCE OF ENCTYPE, -- EncryptionType,
                                        -- in preference order
        addresses[9]            HostAddresses OPTIONAL,
        enc-authorization-data[10] EncryptedData OPTIONAL,
                                        -- Encrypted AuthorizationData encoding
        additional-tickets[11]  SEQUENCE OF Ticket OPTIONAL
}

-- RFC 4120 sec. 5.4.1.  Tags start at [1]; the [APPLICATION n] tag of
-- AS-REQ/TGS-REQ matches the msg-type value.
KDC-REQ ::= SEQUENCE {
        pvno[1]                 krb5int32,
        msg-type[2]             MESSAGE-TYPE,
        padata[3]               METHOD-DATA OPTIONAL,
        req-body[4]             KDC-REQ-BODY
}

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC

-- Encrypted-timestamp pre-authentication (RFC 4120 sec. 5.2.7.2); sent
-- encrypted under the client's long-term key as described above.
PA-ENC-TS-ENC ::= SEQUENCE {
        patimestamp[0]          KerberosTime, -- client's time
        pausec[1]               krb5int32 OPTIONAL
}

-- draft-brezak-win2k-krb-authz-01
PA-PAC-REQUEST ::= SEQUENCE {
        include-pac[0]          BOOLEAN -- Indicates whether a PAC
                                        -- should be included or not
}

-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
PROV-SRV-LOCATION ::= GeneralString

-- RFC 4120 sec. 5.4.2.  enc-part carries EncKDCRepPart (tagged as
-- EncASRepPart / EncTGSRepPart below).
KDC-REP ::= SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        padata[2]               METHOD-DATA OPTIONAL,
        crealm[3]               Realm,
        cname[4]                PrincipalName,
        ticket[5]               Ticket,
        enc-part[6]             EncryptedData
}

AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP

-- RFC 4120 sec. 5.4.2.  Encrypted to the client (reply key); the client
-- must check nonce against the request and use these flags/times rather
-- than anything in the cleartext reply.  encrypted-pa-data is RFC 6806.
EncKDCRepPart ::= SEQUENCE {
        key[0]                  EncryptionKey,
        last-req[1]             LastReq,
        nonce[2]                krb5int32,
        key-expiration[3]       KerberosTime OPTIONAL,
        flags[4]                TicketFlags,
        authtime[5]             KerberosTime,
        starttime[6]            KerberosTime OPTIONAL,
        endtime[7]              KerberosTime,
        renew-till[8]           KerberosTime OPTIONAL,
        srealm[9]               Realm,
        sname[10]               PrincipalName,
        caddr[11]               HostAddresses OPTIONAL,
        encrypted-pa-data[12]   METHOD-DATA OPTIONAL
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

-- RFC 4120 sec. 5.5.1.  authenticator is an encrypted Authenticator.
AP-REQ ::= [APPLICATION 14] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        ap-options[2]           APOptions,
        ticket[3]               Ticket,
        authenticator[4]        EncryptedData
}

-- RFC 4120 sec. 5.5.2.  enc-part is an encrypted EncAPRepPart.
AP-REP ::= [APPLICATION 15] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        enc-part[2]             EncryptedData
}

-- RFC 4120 sec. 5.5.2.  For mutual authentication the server echoes the
-- client's ctime/cusec from the Authenticator.
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
        ctime[0]                KerberosTime,
        cusec[1]                krb5int32,
        subkey[2]               EncryptionKey OPTIONAL,
        seq-number[3]           krb5uint32 OPTIONAL
}

-- RFC 4120 sec. 5.6.1.
KRB-SAFE-BODY ::= SEQUENCE {
        user-data[0]            OCTET STRING,
        timestamp[1]            KerberosTime OPTIONAL,
        usec[2]                 krb5int32 OPTIONAL,
        seq-number[3]           krb5uint32 OPTIONAL,
        s-address[4]            HostAddress OPTIONAL,
        r-address[5]            HostAddress OPTIONAL
}

-- RFC 4120 sec. 5.6.1.  Integrity only: user-data is cleartext and cksum
-- is a keyed checksum over safe-body (an unkeyed CKSUMTYPE gives no
-- protection here).
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        safe-body[2]            KRB-SAFE-BODY,
        cksum[3]                Checksum
}

-- RFC 4120 sec. 5.7.1.  enc-part is tagged [3]; there is no [2].
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        enc-part[3]             EncryptedData
}
-- RFC 4120 sec. 5.7.1: the plaintext of KRB-PRIV.enc-part.
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
        user-data[0]            OCTET STRING,
        timestamp[1]            KerberosTime OPTIONAL,
        usec[2]                 krb5int32 OPTIONAL,
        seq-number[3]           krb5uint32 OPTIONAL,
        s-address[4]            HostAddress OPTIONAL, -- sender's addr
        r-address[5]            HostAddress OPTIONAL -- recip's addr
}

-- RFC 4120 sec. 5.8.1.  tickets are in the clear; the matching session
-- keys travel in enc-part (EncKrbCredPart).
KRB-CRED ::= [APPLICATION 22] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE, -- KRB_CRED
        tickets[2]              SEQUENCE OF Ticket,
        enc-part[3]             EncryptedData
}

-- RFC 4120 sec. 5.8.1.  One entry per ticket in KRB-CRED.tickets; key is
-- that ticket's session key.
KrbCredInfo ::= SEQUENCE {
        key[0]                  EncryptionKey,
        prealm[1]               Realm OPTIONAL,
        pname[2]                PrincipalName OPTIONAL,
        flags[3]                TicketFlags OPTIONAL,
        authtime[4]             KerberosTime OPTIONAL,
        starttime[5]            KerberosTime OPTIONAL,
        endtime[6]              KerberosTime OPTIONAL,
        renew-till[7]           KerberosTime OPTIONAL,
        srealm[8]               Realm OPTIONAL,
        sname[9]                PrincipalName OPTIONAL,
        caddr[10]               HostAddresses OPTIONAL
}

-- RFC 4120 sec. 5.8.1: the plaintext of KRB-CRED.enc-part.
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
        ticket-info[0]          SEQUENCE OF KrbCredInfo,
        nonce[1]                krb5int32 OPTIONAL,
        timestamp[2]            KerberosTime OPTIONAL,
        usec[3]                 krb5int32 OPTIONAL,
        s-address[4]            HostAddress OPTIONAL,
        r-address[5]            HostAddress OPTIONAL
}

-- RFC 4120 sec. 5.9.1.  Neither encrypted nor integrity protected unless
-- wrapped by FAST (PA-FX-ERROR), so e-text and the cleartext fields are
-- untrusted input.  The format of e-data depends on error-code (for
-- example METHOD-DATA for KDC_ERR_PREAUTH_REQUIRED).
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        ctime[2]                KerberosTime OPTIONAL,
        cusec[3]                krb5int32 OPTIONAL,
        stime[4]                KerberosTime,
        susec[5]                krb5int32,
        error-code[6]           krb5int32,
        crealm[7]               Realm OPTIONAL,
        cname[8]                PrincipalName OPTIONAL,
        realm[9]                Realm, -- Correct realm
        sname[10]               PrincipalName, -- Correct name
        e-text[11]              GeneralString OPTIONAL,
        e-data[12]              OCTET STRING OPTIONAL
}

-- Microsoft set/change-password request (RFC 3244).  newpasswd is the
-- new password in the clear, so this must only ever travel inside the
-- KRB-PRIV of the kpasswd protocol.
ChangePasswdDataMS ::= SEQUENCE {
        newpasswd[0]            OCTET STRING,
        targname[1]             PrincipalName OPTIONAL,
        targrealm[2]            Realm OPTIONAL
}

EtypeList ::= SEQUENCE OF ENCTYPE
        -- the client's proposed enctype list in
        -- decreasing preference order, favorite choice first

krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number

-- transited encodings

DOMAIN-X500-COMPRESS    krb5int32 ::= 1

-- authorization data primitives

-- RFC 4120 sec. 5.2.6.1: elements the application may ignore if it does
-- not understand them.
AD-IF-RELEVANT ::= AuthorizationData

-- RFC 4120 sec. 5.2.6.2.  ad-checksum is a keyed checksum over the
-- encoding of elements, so a client cannot forge KDC-issued
-- authorization data inside its own ticket request.
AD-KDCIssued ::= SEQUENCE {
        ad-checksum[0]          Checksum,
        i-realm[1]              Realm OPTIONAL,
        i-sname[2]              PrincipalName OPTIONAL,
        elements[3]             AuthorizationData
}

-- RFC 4120 sec. 5.2.6.3: at least condition-count of elements must be
-- satisfied.
AD-AND-OR ::= SEQUENCE {
        condition-count[0]      INTEGER,
        elements[1]             AuthorizationData
}

-- RFC 4120 sec. 5.2.6.4.
AD-MANDATORY-FOR-KDC ::= AuthorizationData

-- PA-SAM-CHALLENGE-2/PA-SAM-RESPONSE-2

-- Single-use authentication mechanism (hardware token) types.
PA-SAM-TYPE ::= INTEGER {
        PA_SAM_TYPE_ENIGMA(1),          -- Enigma Logic
        PA_SAM_TYPE_DIGI_PATH(2),       -- Digital Pathways
        PA_SAM_TYPE_SKEY_K0(3),         -- S/key where KDC has key 0
        PA_SAM_TYPE_SKEY(4),            -- Traditional S/Key
        PA_SAM_TYPE_SECURID(5),         -- Security Dynamics
        PA_SAM_TYPE_CRYPTOCARD(6)       -- CRYPTOCard
}

PA-SAM-REDIRECT ::= HostAddresses

SAMFlags ::= BIT STRING {
        use-sad-as-key(0),
        send-encrypted-sad(1),
        must-pk-encrypt-sad(2)
}

-- "..." marks these SAM types as extensible: unknown trailing
-- components must be tolerated by the decoder.
PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
        sam-type[0]             krb5int32,
        sam-flags[1]            SAMFlags,
        sam-type-name[2]        GeneralString OPTIONAL,
        sam-track-id[3]         GeneralString OPTIONAL,
        sam-challenge-label[4]  GeneralString OPTIONAL,
        sam-challenge[5]        GeneralString OPTIONAL,
        sam-response-prompt[6]  GeneralString OPTIONAL,
        sam-pk-for-sad[7]       EncryptionKey OPTIONAL,
        sam-nonce[8]            krb5int32,
        sam-etype[9]            krb5int32,
        ...
}

-- sam-cksum authenticates sam-body to the client (at least one entry).
PA-SAM-CHALLENGE-2 ::= SEQUENCE {
        sam-body[0]             PA-SAM-CHALLENGE-2-BODY,
        sam-cksum[1]            SEQUENCE OF Checksum, -- (1..MAX)
        ...
}

PA-SAM-RESPONSE-2 ::= SEQUENCE {
        sam-type[0]             krb5int32,
        sam-flags[1]            SAMFlags,
        sam-track-id[2]         GeneralString OPTIONAL,
        sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
        sam-nonce[4]            krb5int32,
        ...
}

-- Plaintext of PA-SAM-RESPONSE-2.sam-enc-nonce-or-sad.
PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
        sam-nonce[0]            krb5int32,
        sam-sad[1]              GeneralString OPTIONAL,
        ...
}

-- S4U2self (MS-SFU): a service asks for a ticket to itself on behalf of
-- the user named here.  Per MS-SFU, cksum is a keyed checksum over name,
-- realm and auth using the TGT session key -- verify it before trusting
-- the request.
PA-S4U2Self ::= SEQUENCE {
        name[0]                 PrincipalName,
        realm[1]                Realm,
        cksum[2]                Checksum,
        auth[3]                 GeneralString
}

-- never encoded on the wire, just used to checksum over
-- Heimdal-internal input to the KRB5SignedPath checksum.
KRB5SignedPathData ::= SEQUENCE {
        client[0]               Principal OPTIONAL,
        authtime[1]             KerberosTime,
        delegated[2]            Principals OPTIONAL,
        method_data[3]          METHOD-DATA OPTIONAL
}

-- Heimdal's signed delegation path, carried as authorization data
-- (AUTHDATA-TYPE KRB5-AUTHDATA-SIGNTICKET*).
KRB5SignedPath ::= SEQUENCE {
        -- DERcoded KRB5SignedPathData
        -- krbtgt key (etype), KeyUsage = XXX
        -- NOTE(review): the key usage number is not recorded here; confirm
        -- it against the implementation and document it.
        etype[0]                ENCTYPE,
        cksum[1]                Checksum,
        -- srvs delegated though
        delegated[2]            Principals OPTIONAL,
        method_data[3]          METHOD-DATA OPTIONAL
}

AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
        login-alias     [0] PrincipalName,
        checksum        [1] Checksum
}

-- old ms referral
-- NOTE(review): components are declared with tag [1] before [0]; in a
-- SEQUENCE the declaration order is the wire order, so this is deliberate
-- only if it matches the Microsoft encoding -- confirm.
PA-SvrReferralData ::= SEQUENCE {
        referred-name   [1] PrincipalName OPTIONAL,
        referred-realm  [0] Realm
}

-- Referral data from the Kerberos referrals drafts
-- (draft-ietf-krb-wg-kerberos-referrals); PA-SERVER-REFERRAL-DATA is an
-- encrypted PA-ServerReferralData.
PA-SERVER-REFERRAL-DATA ::= EncryptedData

PA-ServerReferralData ::= SEQUENCE {
        referred-realm          [0] Realm OPTIONAL,
        true-principal-name     [1] PrincipalName OPTIONAL,
        requested-principal-name [2] PrincipalName OPTIONAL,
        referral-valid-until    [3] KerberosTime OPTIONAL,
        ...
}

-- FAST (RFC 6113 sec. 5.4.2).
FastOptions ::= BIT STRING {
        reserved(0),
        hide-client-names(1),
        kdc-follow-referrals(16)
}

-- RFC 6113 sec. 5.4.2: the inner, protected request.  Its req-body
-- overrides the cleartext outer KDC-REQ-BODY.
KrbFastReq ::= SEQUENCE {
        fast-options [0] FastOptions,
        padata [1] METHOD-DATA,
        req-body [2] KDC-REQ-BODY,
        ...
}

-- RFC 6113 sec. 5.4.1.1: armor-type 1 (FX_FAST_ARMOR_AP_REQUEST) carries
-- an AP-REQ for the armor TGT.
KrbFastArmor ::= SEQUENCE {
        armor-type [0] krb5int32,
        armor-value [1] OCTET STRING,
        ...
}

-- RFC 6113 sec. 5.4.1.  armor may be absent in a TGS exchange, where the
-- armor key is derived from the AP-REQ authenticator subkey instead.
-- req-checksum is a keyed checksum (armor key) over the outer
-- KDC-REQ-BODY, binding the cleartext and protected requests together.
KrbFastArmoredReq ::= SEQUENCE {
        armor [0] KrbFastArmor OPTIONAL,
        req-checksum [1] Checksum,
        enc-fast-req [2] EncryptedData -- KrbFastReq --
}

PA-FX-FAST-REQUEST ::= CHOICE {
        armored-data [0] KrbFastArmoredReq,
        ...
}

-- RFC 6113 sec. 5.4.3.  ticket-checksum is a keyed checksum (armor key)
-- over the returned Ticket, so the client can detect a swapped ticket.
KrbFastFinished ::= SEQUENCE {
        timestamp [0] KerberosTime,
        usec [1] krb5int32,
        crealm [2] Realm,
        cname [3] PrincipalName,
        ticket-checksum [4] Checksum,
        ...
}

-- RFC 6113 sec. 5.4.3.  strengthen-key is combined with the reply key;
-- nonce must match the inner request.
KrbFastResponse ::= SEQUENCE {
        padata [0] METHOD-DATA,
        strengthen-key [1] EncryptionKey OPTIONAL,
        finished [2] KrbFastFinished OPTIONAL,
        nonce [3] krb5uint32,
        ...
}

KrbFastArmoredRep ::= SEQUENCE {
        enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
        ...
}

PA-FX-FAST-REPLY ::= CHOICE {
        armored-data [0] KrbFastArmoredRep,
        ...
}

-- Heimdal KDC-side FAST state flags.
KDCFastFlags ::= BIT STRING {
        use_reply_key(0),
        reply_key_used(1),
        reply_key_replaced(2),
        kdc_verfied(3)  -- NOTE(review): typo for "kdc_verified", kept for the generated symbol
}

-- KDCFastState is stored in FX_COOKIE
-- Presumably this is the plaintext of KDCFastCookie.cookie (below);
-- confirm against the KDC code.  expiration bounds how long a cookie can
-- be replayed.
KDCFastState ::= SEQUENCE {
        flags [0] KDCFastFlags,
        expiration [1] GeneralizedTime,
        fast-state [2] METHOD-DATA,
        expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
}

-- Heimdal FX_COOKIE format: versioned, with the state encrypted under a
-- KDC-held key so the client cannot read or alter it.
KDCFastCookie ::= SEQUENCE {
        version [0] UTF8String,
        cookie [1] EncryptedData
}

-- Kerberos KDC proxy (MS-KKDCP) wrapper; kerb-message is the encoded
-- Kerberos message as it would be sent over TCP.
KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message [0] OCTET STRING,
        target-domain [1] Realm OPTIONAL,
        dclocator-hint [2] INTEGER OPTIONAL
}

-- these messages are used in the GSSCred communication and are not part of Kerberos proper

KERB-TIMES ::= SEQUENCE {
        authtime [0] KerberosTime,
        starttime [1] KerberosTime,
        endtime [2] KerberosTime,
        renew_till [3] KerberosTime
}

-- A cached credential: keyblock is the session key for ticket, so this
-- is as sensitive as the credential cache itself.
KERB-CRED ::= SEQUENCE {
        client [0] Principal,
        server [1] Principal,
        keyblock [2] EncryptionKey,
        times [3] KERB-TIMES,
        ticket [4] OCTET STRING,
        authdata [5] OCTET STRING,
        addresses [6] HostAddresses,
        flags [7] TicketFlags
}

-- cache is a fixed 16-byte identifier (presumably a UUID, cf.
-- KRB5_NT_CACHE_UUID -- confirm).
KERB-TGS-REQ-IN ::= SEQUENCE {
        cache [0] OCTET STRING SIZE (16),
        addrs [1] HostAddresses,
        flags [2] krb5uint32,
        imp [3] Principal OPTIONAL,
        ticket [4] OCTET STRING OPTIONAL,
        in_cred [5] KERB-CRED,
        krbtgt [6] KERB-CRED,
        padata [7] METHOD-DATA
}

KERB-TGS-REQ-OUT ::= SEQUENCE {
        subkey [0] EncryptionKey OPTIONAL,
        t [1] TGS-REQ
}



-- NOTE(review): KERB-TGS-REP-IN and KERB-TGS-REP-OUT are not in EXPORTS,
-- unlike the other KERB-* types.
KERB-TGS-REP-IN ::= SEQUENCE {
        cache [0] OCTET STRING SIZE (16),
        subkey [1] EncryptionKey OPTIONAL,
        in_cred [2] KERB-CRED,
        t [3] TGS-REP
}

KERB-TGS-REP-OUT ::= SEQUENCE {
        cache [0] OCTET STRING SIZE (16),
        cred [1] KERB-CRED,
        subkey [2] EncryptionKey
}

KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
        armor [0] KrbFastArmor,
        armor-key [1] EncryptionKey
}


END

-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1