freebsd-dev/crypto/heimdal/lib/asn1/k5.asn1

452 lines
11 KiB
Plaintext
Raw Normal View History

2003-10-09 19:36:20 +00:00
-- $Id: k5.asn1,v 1.28 2003/01/15 03:13:47 lha Exp $
2001-02-13 16:46:19 +00:00
KERBEROS5 DEFINITIONS ::=
BEGIN
2001-02-13 16:46:19 +00:00
NAME-TYPE ::= INTEGER {
KRB5_NT_UNKNOWN(0), -- Name type not known
KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
KRB5_NT_SRV_HST(3), -- Service with host name as instance
KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
KRB5_NT_UID(5), -- Unique ID
KRB5_NT_X500_PRINCIPAL(6) -- PKINIT
}
-- message types
MESSAGE-TYPE ::= INTEGER {
krb-as-req(10), -- Request for initial authentication
krb-as-rep(11), -- Response to KRB_AS_REQ request
krb-tgs-req(12), -- Request for authentication based on TGT
krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
krb-ap-req(14), -- application request to server
krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
krb-safe(20), -- Safe (checksummed) application message
krb-priv(21), -- Private (encrypted) application message
krb-cred(22), -- Private (encrypted) message to forward credentials
krb-error(30) -- Error response
}
-- pa-data types
PADATA-TYPE ::= INTEGER {
KRB5-PADATA-NONE(0),
KRB5-PADATA-TGS-REQ(1),
KRB5-PADATA-AP-REQ(1),
KRB5-PADATA-ENC-TIMESTAMP(2),
KRB5-PADATA-PW-SALT(3),
KRB5-PADATA-ENC-UNIX-TIME(5),
KRB5-PADATA-SANDIA-SECUREID(6),
KRB5-PADATA-SESAME(7),
KRB5-PADATA-OSF-DCE(8),
KRB5-PADATA-CYBERSAFE-SECUREID(9),
KRB5-PADATA-AFS3-SALT(10),
KRB5-PADATA-ETYPE-INFO(11),
KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT)
KRB5-PADATA-PK-AS-REP(15), -- (PKINIT)
KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT)
KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT)
KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT)
KRB5-PADATA-USE-SPECIFIED-KVNO(20),
KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
KRB5-PADATA-GET-FROM-TYPED-DATA(22),
KRB5-PADATA-SAM-ETYPE-INFO(23)
}
-- checksumtypes
CKSUMTYPE ::= INTEGER {
CKSUMTYPE_NONE(0),
CKSUMTYPE_CRC32(1),
CKSUMTYPE_RSA_MD4(2),
CKSUMTYPE_RSA_MD4_DES(3),
CKSUMTYPE_DES_MAC(4),
CKSUMTYPE_DES_MAC_K(5),
CKSUMTYPE_RSA_MD4_DES_K(6),
CKSUMTYPE_RSA_MD5(7),
CKSUMTYPE_RSA_MD5_DES(8),
CKSUMTYPE_RSA_MD5_DES3(9),
2003-10-09 19:36:20 +00:00
CKSUMTYPE_HMAC_SHA1_96_AES_128(10),
CKSUMTYPE_HMAC_SHA1_96_AES_256(11),
2001-02-13 16:46:19 +00:00
CKSUMTYPE_HMAC_SHA1_DES3(12),
CKSUMTYPE_SHA1(1000), -- correct value? 10 (9 also)
CKSUMTYPE_GSSAPI(0x8003),
2001-02-13 16:46:19 +00:00
CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
}
2001-06-21 02:12:07 +00:00
--enctypes
ENCTYPE ::= INTEGER {
ETYPE_NULL(0),
ETYPE_DES_CBC_CRC(1),
ETYPE_DES_CBC_MD4(2),
ETYPE_DES_CBC_MD5(3),
ETYPE_DES3_CBC_MD5(5),
ETYPE_OLD_DES3_CBC_SHA1(7),
ETYPE_SIGN_DSA_GENERATE(8),
ETYPE_ENCRYPT_RSA_PRIV(9),
ETYPE_ENCRYPT_RSA_PUB(10),
ETYPE_DES3_CBC_SHA1(16), -- with key derivation
2003-10-09 19:36:20 +00:00
ETYPE_AES128_CTS_HMAC_SHA1_96(17),
ETYPE_AES256_CTS_HMAC_SHA1_96(18),
2001-06-21 02:12:07 +00:00
ETYPE_ARCFOUR_HMAC_MD5(23),
ETYPE_ARCFOUR_HMAC_MD5_56(24),
ETYPE_ENCTYPE_PK_CROSS(48),
-- these are for Heimdal internal use
ETYPE_DES_CBC_NONE(-0x1000),
ETYPE_DES3_CBC_NONE(-0x1001),
ETYPE_DES_CFB64_NONE(-0x1002),
ETYPE_DES_PCBC_NONE(-0x1003)
2001-06-21 02:12:07 +00:00
}
2001-02-13 16:46:19 +00:00
-- this is sugar to make something ASN1 does not have: unsigned
UNSIGNED ::= INTEGER (0..4294967295)
Realm ::= GeneralString
PrincipalName ::= SEQUENCE {
2001-02-13 16:46:19 +00:00
name-type[0] NAME-TYPE,
name-string[1] SEQUENCE OF GeneralString
}
-- this is not part of RFC1510
Principal ::= SEQUENCE {
name[0] PrincipalName,
realm[1] Realm
}
HostAddress ::= SEQUENCE {
addr-type[0] INTEGER,
address[1] OCTET STRING
}
-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
-- addr-type[0] INTEGER,
-- address[1] OCTET STRING
-- }
-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress
KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
AuthorizationData ::= SEQUENCE OF SEQUENCE {
ad-type[0] INTEGER,
ad-data[1] OCTET STRING
}
APOptions ::= BIT STRING {
reserved(0),
use-session-key(1),
mutual-required(2)
}
TicketFlags ::= BIT STRING {
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
may-postdate(5),
postdated(6),
invalid(7),
renewable(8),
initial(9),
pre-authent(10),
hw-authent(11),
transited-policy-checked(12),
ok-as-delegate(13),
anonymous(14)
}
KDCOptions ::= BIT STRING {
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
allow-postdate(5),
postdated(6),
unused7(7),
renewable(8),
unused9(9),
unused10(10),
unused11(11),
request-anonymous(14),
2001-02-13 16:46:19 +00:00
canonicalize(15),
disable-transited-check(26),
renewable-ok(27),
enc-tkt-in-skey(28),
renew(30),
validate(31)
}
2001-06-21 02:12:07 +00:00
LR-TYPE ::= INTEGER {
LR_NONE(0), -- no information
LR_INITIAL_TGT(1), -- last initial TGT request
LR_INITIAL(2), -- last initial request
LR_ISSUE_USE_TGT(3), -- time of newest TGT used
LR_RENEWAL(4), -- time of last renewal
LR_REQUEST(5), -- time of last request (of any type)
LR_PW_EXPTIME(6), -- expiration time of password
LR_ACCT_EXPTIME(7) -- expiration time of account
}
LastReq ::= SEQUENCE OF SEQUENCE {
2001-06-21 02:12:07 +00:00
lr-type[0] LR-TYPE,
lr-value[1] KerberosTime
}
2001-06-21 02:12:07 +00:00
EncryptedData ::= SEQUENCE {
2001-06-21 02:12:07 +00:00
etype[0] ENCTYPE, -- EncryptionType
kvno[1] INTEGER OPTIONAL,
cipher[2] OCTET STRING -- ciphertext
}
EncryptionKey ::= SEQUENCE {
keytype[0] INTEGER,
keyvalue[1] OCTET STRING
}
-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
tr-type[0] INTEGER, -- must be registered
contents[1] OCTET STRING
}
Ticket ::= [APPLICATION 1] SEQUENCE {
tkt-vno[0] INTEGER,
realm[1] Realm,
sname[2] PrincipalName,
enc-part[3] EncryptedData
}
-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
flags[0] TicketFlags,
key[1] EncryptionKey,
crealm[2] Realm,
cname[3] PrincipalName,
transited[4] TransitedEncoding,
authtime[5] KerberosTime,
starttime[6] KerberosTime OPTIONAL,
endtime[7] KerberosTime,
renew-till[8] KerberosTime OPTIONAL,
caddr[9] HostAddresses OPTIONAL,
authorization-data[10] AuthorizationData OPTIONAL
}
Checksum ::= SEQUENCE {
2001-02-13 16:46:19 +00:00
cksumtype[0] CKSUMTYPE,
checksum[1] OCTET STRING
}
Authenticator ::= [APPLICATION 2] SEQUENCE {
authenticator-vno[0] INTEGER,
crealm[1] Realm,
cname[2] PrincipalName,
cksum[3] Checksum OPTIONAL,
cusec[4] INTEGER,
ctime[5] KerberosTime,
subkey[6] EncryptionKey OPTIONAL,
2001-02-13 16:46:19 +00:00
seq-number[7] UNSIGNED OPTIONAL,
authorization-data[8] AuthorizationData OPTIONAL
}
PA-DATA ::= SEQUENCE {
-- might be encoded AP-REQ
2001-02-13 16:46:19 +00:00
padata-type[1] PADATA-TYPE,
padata-value[2] OCTET STRING
}
ETYPE-INFO-ENTRY ::= SEQUENCE {
2001-06-21 02:12:07 +00:00
etype[0] ENCTYPE,
salt[1] OCTET STRING OPTIONAL,
salttype[2] INTEGER OPTIONAL
}
ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
METHOD-DATA ::= SEQUENCE OF PA-DATA
KDC-REQ-BODY ::= SEQUENCE {
kdc-options[0] KDCOptions,
cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
realm[2] Realm, -- Server's realm
-- Also client's in AS-REQ
sname[3] PrincipalName OPTIONAL,
from[4] KerberosTime OPTIONAL,
till[5] KerberosTime OPTIONAL,
rtime[6] KerberosTime OPTIONAL,
nonce[7] INTEGER,
2001-06-21 02:12:07 +00:00
etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
-- in preference order
addresses[9] HostAddresses OPTIONAL,
enc-authorization-data[10] EncryptedData OPTIONAL,
-- Encrypted AuthorizationData encoding
additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
}
KDC-REQ ::= SEQUENCE {
pvno[1] INTEGER,
2001-02-13 16:46:19 +00:00
msg-type[2] MESSAGE-TYPE,
padata[3] METHOD-DATA OPTIONAL,
req-body[4] KDC-REQ-BODY
}
AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ
-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
PA-ENC-TS-ENC ::= SEQUENCE {
patimestamp[0] KerberosTime, -- client's time
pausec[1] INTEGER OPTIONAL
}
KDC-REP ::= SEQUENCE {
pvno[0] INTEGER,
2001-02-13 16:46:19 +00:00
msg-type[1] MESSAGE-TYPE,
padata[2] METHOD-DATA OPTIONAL,
crealm[3] Realm,
cname[4] PrincipalName,
ticket[5] Ticket,
enc-part[6] EncryptedData
}
AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP
EncKDCRepPart ::= SEQUENCE {
key[0] EncryptionKey,
last-req[1] LastReq,
nonce[2] INTEGER,
key-expiration[3] KerberosTime OPTIONAL,
flags[4] TicketFlags,
authtime[5] KerberosTime,
starttime[6] KerberosTime OPTIONAL,
endtime[7] KerberosTime,
renew-till[8] KerberosTime OPTIONAL,
srealm[9] Realm,
sname[10] PrincipalName,
caddr[11] HostAddresses OPTIONAL
}
EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
AP-REQ ::= [APPLICATION 14] SEQUENCE {
pvno[0] INTEGER,
2001-02-13 16:46:19 +00:00
msg-type[1] MESSAGE-TYPE,
ap-options[2] APOptions,
ticket[3] Ticket,
authenticator[4] EncryptedData
}
AP-REP ::= [APPLICATION 15] SEQUENCE {
pvno[0] INTEGER,
2001-02-13 16:46:19 +00:00
msg-type[1] MESSAGE-TYPE,
enc-part[2] EncryptedData
}
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
ctime[0] KerberosTime,
cusec[1] INTEGER,
subkey[2] EncryptionKey OPTIONAL,
2001-02-13 16:46:19 +00:00
seq-number[3] UNSIGNED OPTIONAL
}
KRB-SAFE-BODY ::= SEQUENCE {
user-data[0] OCTET STRING,
timestamp[1] KerberosTime OPTIONAL,
usec[2] INTEGER OPTIONAL,
2001-02-13 16:46:19 +00:00
seq-number[3] UNSIGNED OPTIONAL,
s-address[4] HostAddress OPTIONAL,
r-address[5] HostAddress OPTIONAL
}
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
pvno[0] INTEGER,
2001-02-13 16:46:19 +00:00
msg-type[1] MESSAGE-TYPE,
safe-body[2] KRB-SAFE-BODY,
cksum[3] Checksum
}
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
pvno[0] INTEGER,
2001-02-13 16:46:19 +00:00
msg-type[1] MESSAGE-TYPE,
enc-part[3] EncryptedData
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
user-data[0] OCTET STRING,
timestamp[1] KerberosTime OPTIONAL,
usec[2] INTEGER OPTIONAL,
2001-02-13 16:46:19 +00:00
seq-number[3] UNSIGNED OPTIONAL,
s-address[4] HostAddress OPTIONAL, -- sender's addr
r-address[5] HostAddress OPTIONAL -- recip's addr
}
KRB-CRED ::= [APPLICATION 22] SEQUENCE {
pvno[0] INTEGER,
2001-02-13 16:46:19 +00:00
msg-type[1] MESSAGE-TYPE, -- KRB_CRED
tickets[2] SEQUENCE OF Ticket,
enc-part[3] EncryptedData
}
KrbCredInfo ::= SEQUENCE {
key[0] EncryptionKey,
prealm[1] Realm OPTIONAL,
pname[2] PrincipalName OPTIONAL,
flags[3] TicketFlags OPTIONAL,
authtime[4] KerberosTime OPTIONAL,
starttime[5] KerberosTime OPTIONAL,
endtime[6] KerberosTime OPTIONAL,
renew-till[7] KerberosTime OPTIONAL,
srealm[8] Realm OPTIONAL,
sname[9] PrincipalName OPTIONAL,
caddr[10] HostAddresses OPTIONAL
}
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
ticket-info[0] SEQUENCE OF KrbCredInfo,
nonce[1] INTEGER OPTIONAL,
timestamp[2] KerberosTime OPTIONAL,
usec[3] INTEGER OPTIONAL,
s-address[4] HostAddress OPTIONAL,
r-address[5] HostAddress OPTIONAL
}
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
pvno[0] INTEGER,
2001-02-13 16:46:19 +00:00
msg-type[1] MESSAGE-TYPE,
ctime[2] KerberosTime OPTIONAL,
cusec[3] INTEGER OPTIONAL,
stime[4] KerberosTime,
susec[5] INTEGER,
error-code[6] INTEGER,
crealm[7] Realm OPTIONAL,
cname[8] PrincipalName OPTIONAL,
realm[9] Realm, -- Correct realm
sname[10] PrincipalName, -- Correct name
e-text[11] GeneralString OPTIONAL,
e-data[12] OCTET STRING OPTIONAL
}
pvno INTEGER ::= 5 -- current Kerberos protocol version number
-- transited encodings
DOMAIN-X500-COMPRESS INTEGER ::= 1
END
-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1