freebsd-skq/crypto/heimdal/lib/asn1/pkinit.asn1

-- $Id$ --

PKINIT DEFINITIONS ::= BEGIN

IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
	IssuerAndSerialNumber, ContentInfo FROM cms
	SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
	heim_any FROM heim;

id-pkinit OBJECT IDENTIFIER ::=
  { iso (1) org (3) dod (6) internet (1) security (5)
    kerberosv5 (2) pkinit (3) }

id-pkauthdata  OBJECT IDENTIFIER  ::= { id-pkinit 1 }
id-pkdhkeydata OBJECT IDENTIFIER  ::= { id-pkinit 2 }
id-pkrkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 3 }
id-pkekuoid    OBJECT IDENTIFIER  ::= { id-pkinit 4 }
id-pkkdcekuoid OBJECT IDENTIFIER  ::= { id-pkinit 5 }

id-pkinit-kdf OBJECT IDENTIFIER           ::= { id-pkinit 6 }
id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER   ::= { id-pkinit-kdf 1 }
id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }

id-pkinit-san	OBJECT IDENTIFIER ::=
  { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
    x509-sanan(2) }

id-pkinit-ms-eku OBJECT IDENTIFIER ::=
  { iso(1) org(3) dod(6) internet(1) private(4)
    enterprise(1) microsoft(311) 20 2 2 }

id-pkinit-ms-san OBJECT IDENTIFIER ::=
  { iso(1) org(3) dod(6) internet(1) private(4)
    enterprise(1) microsoft(311) 20 2 3 }

MS-UPN-SAN ::= UTF8String

pa-pk-as-req INTEGER ::=                  16
pa-pk-as-rep INTEGER ::=                  17

td-trusted-certifiers INTEGER ::=        104
td-invalid-certificates INTEGER ::=      105
td-dh-parameters INTEGER ::=             109

DHNonce ::= OCTET STRING

KDFAlgorithmId ::= SEQUENCE {
       kdf-id            [0] OBJECT IDENTIFIER,
       ...
}

TrustedCA ::= SEQUENCE {
	caName                  [0] IMPLICIT OCTET STRING,
	certificateSerialNumber [1] INTEGER OPTIONAL,
	subjectKeyIdentifier    [2] OCTET STRING OPTIONAL,
	...
}

ExternalPrincipalIdentifier ::= SEQUENCE {
	subjectName		[0] IMPLICIT OCTET STRING OPTIONAL,
	issuerAndSerialNumber	[1] IMPLICIT OCTET STRING OPTIONAL,
	subjectKeyIdentifier	[2] IMPLICIT OCTET STRING OPTIONAL,
	...
}

ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier

PA-PK-AS-REQ ::= SEQUENCE {
        signedAuthPack          [0] IMPLICIT OCTET STRING,
        trustedCertifiers       [1] ExternalPrincipalIdentifiers OPTIONAL,
	kdcPkId                 [2] IMPLICIT OCTET STRING OPTIONAL,
	...
}

PKAuthenticator ::= SEQUENCE {
	cusec                   [0] INTEGER -- (0..999999) --,
	ctime                   [1] KerberosTime,
	nonce                   [2] INTEGER (0..4294967295),
	paChecksum              [3] OCTET STRING OPTIONAL,
	...
}

AuthPack ::= SEQUENCE {
	pkAuthenticator         [0] PKAuthenticator,
	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL,
	supportedCMSTypes       [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
	clientDHNonce           [3] DHNonce OPTIONAL,
	...,
	supportedKDFs		[4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
	...
}

TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers

KRB5PrincipalName ::= SEQUENCE {
	realm                   [0] Realm,
	principalName           [1] PrincipalName
}

AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier

DHRepInfo ::= SEQUENCE {
	dhSignedData            [0] IMPLICIT OCTET STRING,
	serverDHNonce           [1] DHNonce OPTIONAL,
	...,
	kdf			[2] KDFAlgorithmId OPTIONAL,
	...
}

PA-PK-AS-REP ::= CHOICE {
	dhInfo                  [0] DHRepInfo,
	encKeyPack              [1] IMPLICIT OCTET STRING,
	...
}

KDCDHKeyInfo ::= SEQUENCE {
	subjectPublicKey        [0] BIT STRING,
	nonce                   [1] INTEGER (0..4294967295),
	dhKeyExpiration         [2] KerberosTime OPTIONAL,
	...
}

ReplyKeyPack ::= SEQUENCE {
	replyKey                [0] EncryptionKey,
	asChecksum		[1] Checksum,
	...
}

TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier


-- Windows compat glue --

PKAuthenticator-Win2k ::= SEQUENCE {
	kdcName			[0] PrincipalName,
	kdcRealm		[1] Realm,
	cusec			[2] INTEGER (0..4294967295),
	ctime			[3] KerberosTime,
	nonce                   [4] INTEGER (-2147483648..2147483647)
}

AuthPack-Win2k ::= SEQUENCE {
	pkAuthenticator         [0] PKAuthenticator-Win2k,
	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
}


TrustedCA-Win2k ::= CHOICE {
	caName                  [1] heim_any,
	issuerAndSerial         [2] IssuerAndSerialNumber
}

PA-PK-AS-REQ-Win2k ::= SEQUENCE {
	signed-auth-pack	[0] IMPLICIT OCTET STRING,
	trusted-certifiers	[2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
	kdc-cert		[3] IMPLICIT OCTET STRING OPTIONAL,
	encryption-cert		[4] IMPLICIT OCTET STRING OPTIONAL
}

PA-PK-AS-REP-Win2k ::= CHOICE {
	dhSignedData		[0] IMPLICIT OCTET STRING,
	encKeyPack		[1] IMPLICIT OCTET STRING
}

KDCDHKeyInfo-Win2k ::= SEQUENCE {
	nonce			[0] INTEGER (-2147483648..2147483647),
	subjectPublicKey	[2] BIT STRING
}

ReplyKeyPack-Win2k ::= SEQUENCE {
        replyKey                [0] EncryptionKey,
        nonce                   [1] INTEGER (-2147483648..2147483647),
	...
}

PA-PK-AS-REP-BTMM ::= SEQUENCE {
	dhSignedData		[0] heim_any OPTIONAL,
	encKeyPack		[1] heim_any OPTIONAL
}


PkinitSP80056AOtherInfo ::= SEQUENCE {
	algorithmID   AlgorithmIdentifier,
	partyUInfo     [0] OCTET STRING,
	partyVInfo     [1] OCTET STRING,
	suppPubInfo    [2] OCTET STRING OPTIONAL,
	suppPrivInfo   [3] OCTET STRING OPTIONAL
}

PkinitSuppPubInfo ::= SEQUENCE {
       enctype           [0] INTEGER (-2147483648..2147483647),
       as-REQ            [1] OCTET STRING,
       pk-as-rep         [2] OCTET STRING,
       ticket            [3] Ticket,
       ...
}

END