freebsd-skq/crypto/heimdal/lib/asn1/pkinit.asn1
2001-02-13 16:46:19 +00:00

190 lines
4.3 KiB
Groff

PKINIT DEFINITIONS ::= BEGIN
IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData
FROM krb5;
IMPORTS SignedData, EnvelopedData FROM CMS;
IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509;
-- 3.1
CertPrincipalName ::= SEQUENCE {
name-type[0] INTEGER,
name-string[1] SEQUENCE OF UTF8String
}
-- 3.2.2
TrustedCertifiers ::= SEQUENCE OF PrincipalName
-- X.500 name encoded as a principal name
-- see Section 3.1
CertificateIndex ::= INTEGER
-- 0 = 1st certificate,
-- (in order of encoding)
-- 1 = 2nd certificate, etc
PA-PK-AS-REP ::= CHOICE {
-- PA TYPE 15
dhSignedData[0] SignedData,
-- Defined in CMS and used only with
-- Diffie-Hellman key exchange (if the
-- client public value was present in the
-- request).
-- This choice MUST be supported
-- by compliant implementations.
encKeyPack[1] EnvelopedData
-- Defined in CMS
-- The temporary key is encrypted
-- using the client public key
-- key
-- SignedReplyKeyPack, encrypted
-- with the temporary key, is also
-- included.
}
KdcDHKeyInfo ::= SEQUENCE {
-- used only when utilizing Diffie-Hellman
nonce[0] INTEGER,
-- binds responce to the request
subjectPublicKey[2] BIT STRING
-- Equals public exponent (g^a mod p)
-- INTEGER encoded as payload of
-- BIT STRING
}
ReplyKeyPack ::= SEQUENCE {
-- not used for Diffie-Hellman
replyKey[0] EncryptionKey,
-- used to encrypt main reply
-- ENCTYPE is at least as strong as
-- ENCTYPE of session key
nonce[1] INTEGER
-- binds response to the request
-- must be same as the nonce
-- passed in the PKAuthenticator
}
-- subjectAltName EXTENSION ::= {
-- SYNTAX GeneralNames
-- IDENTIFIED BY id-ce-subjectAltName
-- }
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value[0] OCTET STRING
-- value[0] EXPLICIT ANY DEFINED BY type-id
}
GeneralName ::= CHOICE {
otherName [0] OtherName,
...
}
GeneralNames ::= SEQUENCE -- SIZE(1..MAX)
OF GeneralName
KerberosName ::= SEQUENCE {
realm[0] Realm,
-- as defined in RFC 1510
principalName[1] CertPrincipalName
-- defined above
}
-- krb5 OBJECT IDENTIFIER ::= {
-- iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2)
-- }
-- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
-- 3.2.1
IssuerAndSerialNumber ::= SEQUENCE {
issuer Name,
serialNumber CertificateSerialNumber
}
TrustedCas ::= CHOICE {
principalName[0] KerberosName,
-- as defined below
caName[1] Name,
-- fully qualified X.500 name
-- as defined by X.509
issuerAndSerial[2] IssuerAndSerialNumber
-- Since a CA may have a number of
-- certificates, only one of which
-- a client trusts
}
PA-PK-AS-REQ ::= SEQUENCE {
-- PA TYPE 14
signedAuthPack[0] SignedData,
-- defined in CMS [11]
-- AuthPack (below) defines the data
-- that is signed
trustedCertifiers[1] SEQUENCE OF TrustedCas OPTIONAL,
-- CAs that the client trusts
kdcCert[2] IssuerAndSerialNumber OPTIONAL,
-- as defined in CMS [11]
-- specifies a particular KDC
-- certificate if the client
-- already has it;
encryptionCert[3] IssuerAndSerialNumber OPTIONAL
-- For example, this may be the
-- client's Diffie-Hellman
-- certificate, or it may be the
-- client's RSA encryption
-- certificate.
}
PKAuthenticator ::= SEQUENCE {
kdcName[0] PrincipalName,
kdcRealm[1] Realm,
cusec[2] INTEGER,
-- for replay prevention as in RFC1510
ctime[3] KerberosTime,
-- for replay prevention as in RFC1510
nonce[4] INTEGER
}
-- This is the real definition of AlgorithmIdentifier
-- AlgorithmIdentifier ::= SEQUENCE {
-- algorithm ALGORITHM.&id,
-- parameters ALGORITHM.&Type
-- } -- as specified by the X.509 recommendation[10]
-- But we'll use this one instead:
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters CHOICE {
a INTEGER
}
}
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
-- dhKeyAgreement
subjectPublicKey BIT STRING
-- for DH, equals
-- public exponent (INTEGER encoded
-- as payload of BIT STRING)
} -- as specified by the X.509 recommendation[10]
AuthPack ::= SEQUENCE {
pkAuthenticator[0] PKAuthenticator,
clientPublicValue[1] SubjectPublicKeyInfo OPTIONAL
-- if client is using Diffie-Hellman
-- (ephemeral-ephemeral only)
}
END