diff options
Diffstat (limited to 'epan/dissectors/asn1/kerberos/k5.asn')
| -rw-r--r-- | epan/dissectors/asn1/kerberos/k5.asn | 775 |
1 files changed, 775 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/kerberos/k5.asn b/epan/dissectors/asn1/kerberos/k5.asn new file mode 100644 index 0000000000..dde61ec87f --- /dev/null +++ b/epan/dissectors/asn1/kerberos/k5.asn @@ -0,0 +1,775 @@ +-- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz +-- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $ +-- Commented out stuff already in KerberosV5Spec2.asn +KERBEROS5 DEFINITIONS ::= +BEGIN + +NAME-TYPE ::= INTEGER { + kRB5-NT-UNKNOWN(0), -- Name type not known + kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in + kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt) + kRB5-NT-SRV-HST(3), -- Service with host name as instance + kRB5-NT-SRV-XHST(4), -- Service with host as remaining components + kRB5-NT-UID(5), -- Unique ID + kRB5-NT-X500-PRINCIPAL(6), -- PKINIT + kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name + kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN + kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID + kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name + kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID +} + +-- message types + +MESSAGE-TYPE ::= INTEGER { + krb-as-req(10), -- Request for initial authentication + krb-as-rep(11), -- Response to KRB_AS_REQ request + krb-tgs-req(12), -- Request for authentication based on TGT + krb-tgs-rep(13), -- Response to KRB_TGS_REQ request + krb-ap-req(14), -- application request to server + krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL + krb-safe(20), -- Safe (checksummed) application message + krb-priv(21), -- Private (encrypted) application message + krb-cred(22), -- Private (encrypted) message to forward credentials + krb-error(30) -- Error response +} + + +-- pa-data types + +PADATA-TYPE ::= INTEGER { + kRB5-PADATA-NONE(0), + kRB5-PADATA-TGS-REQ(1), + kRB5-PADATA-AP-REQ(1), + kRB5-PADATA-ENC-TIMESTAMP(2), + kRB5-PADATA-PW-SALT(3), + kRB5-PADATA-ENC-UNIX-TIME(5), + kRB5-PADATA-SANDIA-SECUREID(6), + kRB5-PADATA-SESAME(7), + kRB5-PADATA-OSF-DCE(8), + kRB5-PADATA-CYBERSAFE-SECUREID(9), + kRB5-PADATA-AFS3-SALT(10), + kRB5-PADATA-ETYPE-INFO(11), + kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) + kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) + kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) + kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) + kRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number) + kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) + kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) + kRB5-PADATA-PA-PK-OCSP-RESPONSE(18), + kRB5-PADATA-ETYPE-INFO2(19), + kRB5-PADATA-USE-SPECIFIED-KVNO(20), + kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number + kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) + kRB5-PADATA-GET-FROM-TYPED-DATA(22), + kRB5-PADATA-SAM-ETYPE-INFO(23), + kRB5-PADATA-SERVER-REFERRAL(25), + kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName + kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT + kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT + kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific + kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER + kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER + kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com + kRB5-PADATA-S4U2SELF(129), + kRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to + -- tell KDC that is supports + -- the asCheckSum in the + -- PK-AS-REP + kRB5-PADATA-CLIENT-CANONICALIZED(133) -- +} + +AUTHDATA-TYPE ::= INTEGER { + kRB5-AUTHDATA-IF-RELEVANT(1), + kRB5-AUTHDATA-INTENDED-FOR-SERVER(2), + kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3), + kRB5-AUTHDATA-KDC-ISSUED(4), + kRB5-AUTHDATA-AND-OR(5), + kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6), + kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7), + kRB5-AUTHDATA-MANDATORY-FOR-KDC(8), + kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9), + kRB5-AUTHDATA-OSF-DCE(64), + kRB5-AUTHDATA-SESAME(65), + kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), + kRB5-AUTHDATA-WIN2K-PAC(128), + kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only + kRB5-AUTHDATA-SIGNTICKET(-17) +} + +-- checksumtypes + +CKSUMTYPE ::= INTEGER { + cKSUMTYPE-NONE(0), + cKSUMTYPE-CRC32(1), + cKSUMTYPE-RSA-MD4(2), + cKSUMTYPE-RSA-MD4-DES(3), + cKSUMTYPE-DES-MAC(4), + cKSUMTYPE-DES-MAC-K(5), + cKSUMTYPE-RSA-MD4-DES-K(6), + cKSUMTYPE-RSA-MD5(7), + cKSUMTYPE-RSA-MD5-DES(8), + cKSUMTYPE-RSA-MD5-DES3(9), + cKSUMTYPE-SHA1-OTHER(10), + cKSUMTYPE-HMAC-SHA1-DES3-KD(12), + cKSUMTYPE-HMAC-SHA1-DES3(13), + cKSUMTYPE-SHA1(14), + cKSUMTYPE-HMAC-SHA1-96-AES-128(15), + cKSUMTYPE-HMAC-SHA1-96-AES-256(16), + cKSUMTYPE-CMAC-CAMELLIA128(17), + cKSUMTYPE-CMAC-CAMELLIA256(18), + cKSUMTYPE-GSSAPI(--0x8003--32771), + cKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number + cKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial +} + +--enctypes +ENCTYPE ::= INTEGER { + eTYPE-NULL(0), + eTYPE-DES-CBC-CRC(1), + eTYPE-DES-CBC-MD4(2), + eTYPE-DES-CBC-MD5(3), + eTYPE-DES3-CBC-MD5(5), + eTYPE-OLD-DES3-CBC-SHA1(7), + eTYPE-SIGN-DSA-GENERATE(8), + eTYPE-DSA-SHA1(9), + eTYPE-RSA-MD5(10), + eTYPE-RSA-SHA1(11), + eTYPE-RC2-CBC(12), + eTYPE-RSA(13), + eTYPE-RSAES-OAEP(14), + eTYPE-DES-EDE3-CBC(15), + eTYPE-DES3-CBC-SHA1(16), -- with key derivation + eTYPE-AES128-CTS-HMAC-SHA1-96(17), + eTYPE-AES256-CTS-HMAC-SHA1-96(18), + eTYPE-ARCFOUR-HMAC-MD5(23), + eTYPE-ARCFOUR-HMAC-MD5-56(24), + eTYPE-CAMELLIA128-CTS-CMAC(25), + eTYPE-CAMELLIA256-CTS-CMAC(26), + eTYPE-ENCTYPE-PK-CROSS(48), +-- some "old" windows types + eTYPE-ARCFOUR-MD4(-128), + eTYPE-ARCFOUR-HMAC-OLD(-133), + eTYPE-ARCFOUR-HMAC-OLD-EXP(-135), +-- these are for Heimdal internal use +-- eTYPE-DES-CBC-NONE(-0x1000), + eTYPE-DES-CBC-NONE( -4096), +-- eTYPE-DES3-CBC-NONE(-0x1001), + eTYPE-DES3-CBC-NONE(-4097), +-- eTYPE-DES-CFB64-NONE(-0x1002), + eTYPE-DES-CFB64-NONE(-4098), +-- eTYPE-DES-PCBC-NONE(-0x1003), + eTYPE-DES-PCBC-NONE(-4099), +-- eTYPE-DIGEST-MD5-NONE(-0x1004), - - private use, lukeh@padl.com + eTYPE-DIGEST-MD5-NONE(-4100), -- private use, lukeh@padl.com +-- eTYPE-CRAM-MD5-NONE(-0x1005) - - private use, lukeh@padl.com + eTYPE-CRAM-MD5-NONE(-4101) -- private use, lukeh@padl.com +} + +-- addr-types (WS extension ) +ADDR-TYPE ::= INTEGER { + iPv4(2), + cHAOS(5), + xEROX(6), + iSO(7), + dECNET(12), + aPPLETALK(16), + nETBIOS(20), + iPv6(24) +} + +-- error-codes (WS extension) +ERROR-CODE ::= INTEGER { +--error table constants + eRR-NONE(0), + eRR-NAME-EXP(1), + eRR-SERVICE-EXP(2), + eRR-BAD-PVNO(3), + eRR-C-OLD-MAST-KVNO(4), + eRR-S-OLD-MAST-KVNO(5), + eRR-C-PRINCIPAL-UNKNOWN(6), + eRR-S-PRINCIPAL-UNKNOWN(7), + eRR-PRINCIPAL-NOT-UNIQUE(8), + eRR-NULL-KEY(9), + eRR-CANNOT-POSTDATE(10), + eRR-NEVER-VALID(11), + eRR-POLICY(12), + eRR-BADOPTION(13), + eRR-ETYPE-NOSUPP(14), + eRR-SUMTYPE-NOSUPP(15), + eRR-PADATA-TYPE-NOSUPP(16), + eRR-TRTYPE-NOSUPP(17), + eRR-CLIENT-REVOKED(18), + eRR-SERVICE-REVOKED(19), + eRR-TGT-REVOKED(20), + eRR-CLIENT-NOTYET(21), + eRR-SERVICE-NOTYET(22), + eRR-KEY-EXP(23), + eRR-PREAUTH-FAILED(24), + eRR-PREAUTH-REQUIRED(25), + eRR-SERVER-NOMATCH(26), + eRR-MUST-USE-USER2USER(27), + eRR-PATH-NOT-ACCEPTED(28), + eRR-SVC-UNAVAILABLE(29), + eRR-BAD-INTEGRITY(31), + eRR-TKT-EXPIRED(32), + eRR-TKT-NYV(33), + eRR-REPEAT(34), + eRR-NOT-US(35), + eRR-BADMATCH(36), + eRR-SKEW(37), + eRR-BADADDR(38), + eRR-BADVERSION(39), + eRR-MSG-TYPE(40), + eRR-MODIFIED(41), + eRR-BADORDER(42), + eRR-ILL-CR-TKT(43), + eRR-BADKEYVER(44), + eRR-NOKEY(45), + eRR-MUT-FAIL(46), + eRR-BADDIRECTION(47), + eRR-METHOD(48), + eRR-BADSEQ(49), + eRR-INAPP-CKSUM(50), + pATH-NOT-ACCEPTED(51), + eRR-RESPONSE-TOO-BIG(52), + eRR-GENERIC(60), + eRR-FIELD-TOOLONG(61), + eRROR-CLIENT-NOT-TRUSTED(62), + eRROR-KDC-NOT-TRUSTED(63), + eRROR-INVALID-SIG(64), + eRR-KEY-TOO-WEAK(65), + eRR-CERTIFICATE-MISMATCH(66), + eRR-NO-TGT(67), + eRR-WRONG-REALM(68), + eRR-USER-TO-USER-REQUIRED(69), + eRR-CANT-VERIFY-CERTIFICATE(70), + eRR-INVALID-CERTIFICATE(71), + eRR-REVOKED-CERTIFICATE(72), + eRR-REVOCATION-STATUS-UNKNOWN(73), + eRR-REVOCATION-STATUS-UNAVAILABLE(74), + eRR-CLIENT-NAME-MISMATCH(75), + eRR-KDC-NAME-MISMATCH(76) +} + +-- this is sugar to make something ASN1 does not have: unsigned + +Krb5uint32 ::= INTEGER (0..4294967295) +Krb5int32 ::= INTEGER (-2147483648..2147483647) + +--KerberosString ::= GeneralString + +--Realm ::= GeneralString +--PrincipalName ::= SEQUENCE { +-- name-type[0] NAME-TYPE, +-- name-string[1] SEQUENCE OF GeneralString +--} + +-- this is not part of RFC1510 +Principal ::= SEQUENCE { + name[0] PrincipalName, + realm[1] Realm +} + +--HostAddress ::= SEQUENCE { +-- addr-type [0] Krb5int32, +-- address [1] OCTET STRING +--} + +-- This is from RFC1510. +-- +-- HostAddresses ::= SEQUENCE OF SEQUENCE { +-- addr-type[0] Krb5int32, +-- address[1] OCTET STRING +-- } + +-- This seems much better. +--HostAddresses ::= SEQUENCE OF HostAddress + + +--KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z) + +--AuthorizationDataElement ::= SEQUENCE { +-- ad-type[0] Krb5int32, +-- ad-data[1] OCTET STRING +--} + +--AuthorizationData ::= SEQUENCE OF AuthorizationDataElement + +APOptions ::= BIT STRING { + reserved(0), + use-session-key(1), + mutual-required(2) +} + +TicketFlags ::= BIT STRING { + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + may-postdate(5), + postdated(6), + invalid(7), + renewable(8), + initial(9), + pre-authent(10), + hw-authent(11), + transited-policy-checked(12), + ok-as-delegate(13), + anonymous(14) +} + +KDCOptions ::= BIT STRING { + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + allow-postdate(5), + postdated(6), + unused7(7), + renewable(8), + unused9(9), + unused10(10), + opt-hardware-auth(11), -- taken from KerberosV5Spec2.asn + request-anonymous(14), + canonicalize(15), + constrained-delegation(16), -- ms extension + disable-transited-check(26), + renewable-ok(27), + enc-tkt-in-skey(28), + renew(30), + validate(31) +} + +LR-TYPE ::= INTEGER { + lR-NONE(0), -- no information + lR-INITIAL-TGT(1), -- last initial TGT request + lR-INITIAL(2), -- last initial request + lR-ISSUE-USE-TGT(3), -- time of newest TGT used + lR-RENEWAL(4), -- time of last renewal + lR-REQUEST(5), -- time of last request (of any type) + lR-PW-EXPTIME(6), -- expiration time of password + lR-ACCT-EXPTIME(7) -- expiration time of account +} + +--LastReq ::= SEQUENCE OF SEQUENCE { +-- lr-type[0] LR-TYPE, +-- lr-value[1] KerberosTime +--} + + +--EncryptedData ::= SEQUENCE { +-- etype[0] ENCTYPE, - - EncryptionType +-- kvno[1] Krb5int32 OPTIONAL, +-- cipher[2] OCTET STRING - - ciphertext +--} + +--EncryptionKey ::= SEQUENCE { +-- keytype[0] Krb5int32, +-- keyvalue[1] OCTET STRING +--} + +-- encoded Transited field +--TransitedEncoding ::= SEQUENCE { +-- tr-type[0] Krb5int32, - - must be registered +-- contents[1] OCTET STRING +--} + +--Ticket ::= [APPLICATION 1] SEQUENCE { +-- tkt-vno[0] Krb5int32, +-- realm[1] Realm, +-- sname[2] PrincipalName, +-- enc-part[3] EncryptedData +--} +-- Encrypted part of ticket +--EncTicketPart ::= [APPLICATION 3] SEQUENCE { +-- flags[0] TicketFlags, +-- key[1] EncryptionKey, +-- crealm[2] Realm, +-- cname[3] PrincipalName, +-- transited[4] TransitedEncoding, +-- authtime[5] KerberosTime, +-- starttime[6] KerberosTime OPTIONAL, +-- endtime[7] KerberosTime, +-- renew-till[8] KerberosTime OPTIONAL, +-- caddr[9] HostAddresses OPTIONAL, +-- authorization-data[10] AuthorizationData OPTIONAL +--} + +--Checksum ::= SEQUENCE { +-- cksumtype[0] CKSUMTYPE, +-- checksum[1] OCTET STRING +--} + +--Authenticator ::= [APPLICATION 2] SEQUENCE { +-- authenticator-vno[0] Krb5int32, +-- crealm[1] Realm, +-- cname[2] PrincipalName, +-- cksum[3] Checksum OPTIONAL, +-- cusec[4] Krb5int32, +-- ctime[5] KerberosTime, +-- subkey[6] EncryptionKey OPTIONAL, +-- seq-number[7] Krb5uint32 OPTIONAL, +-- authorization-data[8] AuthorizationData OPTIONAL +--} + +--PA-DATA ::= SEQUENCE { + -- might be encoded AP-REQ +-- padata-type[1] PADATA-TYPE, +-- padata-value[2] OCTET STRING +--} + +--ETYPE-INFO-ENTRY ::= SEQUENCE { +-- etype[0] ENCTYPE, +-- salt[1] OCTET STRING OPTIONAL, +-- salttype[2] Krb5int32 OPTIONAL +--} + +--ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + +--ETYPE-INFO2-ENTRY ::= SEQUENCE { +-- etype[0] ENCTYPE, +-- salt[1] KerberosString OPTIONAL, +-- s2kparams[2] OCTET STRING OPTIONAL +--} + +--ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY + +-- METHOD-DATA ::= SEQUENCE OF PA-DATA + +--TypedData ::= SEQUENCE { +-- data-type[0] Krb5int32, +-- data-value[1] OCTET STRING OPTIONAL +--} + +--TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData + +--KDC-REQ-BODY ::= SEQUENCE { +-- kdc-options[0] KDCOptions, +-- cname[1] PrincipalName OPTIONAL, - - Used only in AS-REQ +-- realm[2] Realm, - - Server's realm + -- Also client's in AS-REQ +-- sname[3] PrincipalName OPTIONAL, +-- from[4] KerberosTime OPTIONAL, +-- till[5] KerberosTime OPTIONAL, +-- rtime[6] KerberosTime OPTIONAL, +-- nonce[7] Krb5int32, +-- etype[8] SEQUENCE OF ENCTYPE, - - EncryptionType, + -- in preference order +-- addresses[9] HostAddresses OPTIONAL, +-- enc-authorization-data[10] EncryptedData OPTIONAL, + -- Encrypted AuthorizationData encoding +-- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL +--} + +--KDC-REQ ::= SEQUENCE { +-- pvno[1] Krb5int32, +-- msg-type[2] MESSAGE-TYPE, +-- padata[3] METHOD-DATA OPTIONAL, +-- req-body[4] KDC-REQ-BODY +--} + +--AS-REQ ::= [APPLICATION 10] KDC-REQ +--TGS-REQ ::= [APPLICATION 12] KDC-REQ + +-- padata-type ::= PA-ENC-TIMESTAMP +-- padata-value ::= EncryptedData - PA-ENC-TS-ENC + +--PA-ENC-TS-ENC ::= SEQUENCE { +-- patimestamp[0] KerberosTime, - - client's time +-- pausec[1] Krb5int32 OPTIONAL +--} + +-- draft-brezak-win2k-krb-authz-01 +PA-PAC-REQUEST ::= SEQUENCE { + include-pac[0] BOOLEAN -- Indicates whether a PAC + -- should be included or not +} + +-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf +PROV-SRV-LOCATION ::= GeneralString + +--KDC-REP ::= SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- padata[2] METHOD-DATA OPTIONAL, +-- crealm[3] Realm, +-- cname[4] PrincipalName, +-- ticket[5] Ticket, +-- enc-part[6] EncryptedData +--} + +--AS-REP ::= [APPLICATION 11] KDC-REP +--TGS-REP ::= [APPLICATION 13] KDC-REP + +--EncKDCRepPart ::= SEQUENCE { +-- key[0] EncryptionKey, +-- last-req[1] LastReq, +-- nonce[2] Krb5int32, +-- key-expiration[3] KerberosTime OPTIONAL, +-- flags[4] TicketFlags, +-- authtime[5] KerberosTime, +-- starttime[6] KerberosTime OPTIONAL, +-- endtime[7] KerberosTime, +-- renew-till[8] KerberosTime OPTIONAL, +-- srealm[9] Realm, +-- sname[10] PrincipalName, +-- caddr[11] HostAddresses OPTIONAL, +-- encrypted-pa-data[12] METHOD-DATA OPTIONAL +--} + +--EncASRepPart ::= [APPLICATION 25] EncKDCRepPart +--EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + +--AP-REQ ::= [APPLICATION 14] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- ap-options[2] APOptions, +-- ticket[3] Ticket, +-- authenticator[4] EncryptedData +--} + +--AP-REP ::= [APPLICATION 15] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- enc-part[2] EncryptedData +--} + +--EncAPRepPart ::= [APPLICATION 27] SEQUENCE { +-- ctime[0] KerberosTime, +-- cusec[1] Krb5int32, +-- subkey[2] EncryptionKey OPTIONAL, +-- seq-number[3] Krb5uint32 OPTIONAL +--} + +--KRB-SAFE-BODY ::= SEQUENCE { +-- user-data[0] OCTET STRING, +-- timestamp[1] KerberosTime OPTIONAL, +-- usec[2] Krb5int32 OPTIONAL, +-- seq-number[3] Krb5uint32 OPTIONAL, +-- s-address[4] HostAddress OPTIONAL, +-- r-address[5] HostAddress OPTIONAL +--} + +--KRB-SAFE ::= [APPLICATION 20] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- safe-body[2] KRB-SAFE-BODY, +-- cksum[3] Checksum +--} + +--KRB-PRIV ::= [APPLICATION 21] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- enc-part[3] EncryptedData +--} +--EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { +-- user-data[0] OCTET STRING, +-- timestamp[1] KerberosTime OPTIONAL, +-- usec[2] Krb5int32 OPTIONAL, +-- seq-number[3] Krb5uint32 OPTIONAL, +-- s-address[4] HostAddress OPTIONAL, - - sender's addr +-- r-address[5] HostAddress OPTIONAL - - recip's addr +--} + +--KRB-CRED ::= [APPLICATION 22] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, - - KRB_CRED +-- tickets[2] SEQUENCE OF Ticket, +-- enc-part[3] EncryptedData +--} + +--KrbCredInfo ::= SEQUENCE { +-- key[0] EncryptionKey, +-- prealm[1] Realm OPTIONAL, +-- pname[2] PrincipalName OPTIONAL, +-- flags[3] TicketFlags OPTIONAL, +-- authtime[4] KerberosTime OPTIONAL, +-- starttime[5] KerberosTime OPTIONAL, +-- endtime[6] KerberosTime OPTIONAL, +-- renew-till[7] KerberosTime OPTIONAL, +-- srealm[8] Realm OPTIONAL, +-- sname[9] PrincipalName OPTIONAL, +-- caddr[10] HostAddresses OPTIONAL +--} + +--EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { +-- ticket-info[0] SEQUENCE OF KrbCredInfo, +-- nonce[1] Krb5int32 OPTIONAL, +-- timestamp[2] KerberosTime OPTIONAL, +-- usec[3] Krb5int32 OPTIONAL, +-- s-address[4] HostAddress OPTIONAL, +-- r-address[5] HostAddress OPTIONAL +--} + +--KRB-ERROR ::= [APPLICATION 30] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- ctime[2] KerberosTime OPTIONAL, +-- cusec[3] Krb5int32 OPTIONAL, +-- stime[4] KerberosTime, +-- susec[5] Krb5int32, +-- error-code[6] Krb5int32, +-- crealm[7] Realm OPTIONAL, +-- cname[8] PrincipalName OPTIONAL, +-- realm[9] Realm, - - Correct realm +-- sname[10] PrincipalName, - - Correct name +-- e-text[11] GeneralString OPTIONAL, +-- e-data[12] OCTET STRING OPTIONAL +--} + +ChangePasswdDataMS ::= SEQUENCE { + newpasswd[0] OCTET STRING, + targname[1] PrincipalName OPTIONAL, + targrealm[2] Realm OPTIONAL +} + +EtypeList ::= SEQUENCE OF Krb5int32 + -- the client's proposed enctype list in + -- decreasing preference order, favorite choice first + +--krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number + +-- transited encodings + +--DOMAIN-X500-COMPRESS Krb5int32 ::= 1 + +-- authorization data primitives + +--AD-IF-RELEVANT ::= AuthorizationData + +--AD-KDCIssued ::= SEQUENCE { +-- ad-checksum[0] Checksum, +-- i-realm[1] Realm OPTIONAL, +-- i-sname[2] PrincipalName OPTIONAL, +-- elements[3] AuthorizationData +--} + +--AD-AND-OR ::= SEQUENCE { +-- condition-count[0] INTEGER, +-- elements[1] AuthorizationData +--} + +--AD-MANDATORY-FOR-KDC ::= AuthorizationData + +-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2 + +PA-SAM-TYPE ::= INTEGER { + pA-SAM-TYPE-ENIGMA(1), -- Enigma Logic + pA-SAM-TYPE-DIGI-PATH(2), -- Digital Pathways + pA-SAM-TYPE-SKEY-K0(3), -- S/key where KDC has key 0 + pA-SAM-TYPE-SKEY(4), -- Traditional S/Key + pA-SAM-TYPE-SECURID(5), -- Security Dynamics + pA-SAM-TYPE-CRYPTOCARD(6) -- CRYPTOCard +} + +PA-SAM-REDIRECT ::= HostAddresses + +SAMFlags ::= BIT STRING { + use-sad-as-key(0), + send-encrypted-sad(1), + must-pk-encrypt-sad(2) +} + +PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE { + sam-type[0] Krb5int32, + sam-flags[1] SAMFlags, + sam-type-name[2] GeneralString OPTIONAL, + sam-track-id[3] GeneralString OPTIONAL, + sam-challenge-label[4] GeneralString OPTIONAL, + sam-challenge[5] GeneralString OPTIONAL, + sam-response-prompt[6] GeneralString OPTIONAL, + sam-pk-for-sad[7] EncryptionKey OPTIONAL, + sam-nonce[8] Krb5int32, + sam-etype[9] Krb5int32, + ... +} + +PA-SAM-CHALLENGE-2 ::= SEQUENCE { + sam-body[0] PA-SAM-CHALLENGE-2-BODY, + sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX) + ... +} + +PA-SAM-RESPONSE-2 ::= SEQUENCE { + sam-type[0] Krb5int32, + sam-flags[1] SAMFlags, + sam-track-id[2] GeneralString OPTIONAL, + sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC + sam-nonce[4] Krb5int32, + ... +} + +PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE { + sam-nonce[0] Krb5int32, + sam-sad[1] GeneralString OPTIONAL, + ... +} + +PA-S4U2Self ::= SEQUENCE { + name[0] PrincipalName, + realm[1] Realm, + cksum[2] Checksum, + auth[3] GeneralString +} + +KRB5SignedPathPrincipals ::= SEQUENCE OF Principal + +-- never encoded on the wire, just used to checksum over +KRB5SignedPathData ::= SEQUENCE { + encticket[0] EncTicketPart, + delegated[1] KRB5SignedPathPrincipals OPTIONAL +} + +KRB5SignedPath ::= SEQUENCE { + -- DERcoded KRB5SignedPathData + -- krbtgt key (etype), KeyUsage = XXX + etype[0] ENCTYPE, + cksum[1] Checksum, + -- srvs delegated though + delegated[2] KRB5SignedPathPrincipals OPTIONAL +} + +PA-ClientCanonicalizedNames ::= SEQUENCE{ + requested-name [0] PrincipalName, + mapped-name [1] PrincipalName +} + +PA-ClientCanonicalized ::= SEQUENCE { + names [0] PA-ClientCanonicalizedNames, + canon-checksum [1] Checksum +} + +AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD -- + login-alias [0] PrincipalName, + checksum [1] Checksum +} + +-- old ms referral +PA-SvrReferralData ::= SEQUENCE { + referred-name [1] PrincipalName OPTIONAL, + referred-realm [0] Realm +} + +PA-SERVER-REFERRAL-DATA ::= EncryptedData + +PA-ServerReferralData ::= SEQUENCE { + referred-realm [0] Realm OPTIONAL, + true-principal-name [1] PrincipalName OPTIONAL, + requested-principal-name [2] PrincipalName OPTIONAL, + referral-valid-until [3] KerberosTime OPTIONAL, + ... +} +-- WS put extensions found elsewere here +-- http://msdn.microsoft.com/en-us/library/cc206948.aspx +-- +KERB-PA-PAC-REQUEST ::= SEQUENCE { +include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. + --If FALSE, and PAC present, remove PAC +} +END + +-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1 |