--http://www.ietf.org/rfc/rfc4120.txt?number=4120 KerberosV5Spec2 { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) modules(4) krb5spec2(2) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- OID arc for KerberosV5 -- -- This OID may be used to identify Kerberos protocol messages -- encapsulated in other protocols. -- -- This OID also designates the OID arc for KerberosV5-related OIDs. -- -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. -- WS construct Applications ::= CHOICE { ticket Ticket, -- 1 -- authenticator Authenticator, -- 2 -- encTicketPart EncTicketPart, -- 3 -- as-req AS-REQ, -- 10 -- as-rep AS-REP, -- 11 -- tgs-req TGS-REQ, -- 12 -- tgs-rep TGS-REP, -- 13 -- ap-req AP-REQ, -- 14 -- ap-rep AP-REP, -- 15 -- krb-safe KRB-SAFE, -- 20 -- krb-priv KRB-PRIV, -- 21 -- krb-cred KRB-CRED, -- 22 -- encASRepPart EncASRepPart, -- 25 -- encTGSRepPart EncTGSRepPart, -- 26 -- encAPRepPart EncAPRepPart, -- 27 -- encKrbPrivPart ENC-KRB-PRIV-PART, -- 28 -- encKrbCredPart EncKrbCredPart, -- 29 -- krb-error KRB-ERROR -- 30 -- } -- end WS construct id-krb5 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) } Int32 ::= INTEGER (-2147483648..2147483647) -- signed values representable in 32 bits UInt32 ::= INTEGER (0..4294967295) -- unsigned 32 bit values Microseconds ::= INTEGER (0..999999) -- microseconds KerberosString ::= GeneralString (IA5String) Realm ::= KerberosString PrincipalName ::= SEQUENCE { -- name-type [0] Int32, Use the translationj from krb5.asn (Heimdahl) name-type [0] NAME-TYPE, name-string [1] SEQUENCE OF KerberosString } KerberosTime ::= GeneralizedTime -- with no fractional seconds HostAddress ::= SEQUENCE { -- addr-type [0] Int32, addr-type [0] ADDR-TYPE, --use k5.asn address [1] OCTET STRING } -- NOTE: HostAddresses is always used as an OPTIONAL field and -- should not be empty. HostAddresses -- NOTE: subtly different from rfc1510, -- but has a value mapping and encodes the same ::= SEQUENCE OF HostAddress -- NOTE: AuthorizationData is always used as an OPTIONAL field and -- should not be empty. AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING } PA-DATA ::= SEQUENCE { -- NOTE: first tag is [1], not [0] -- padata-type [1] Int32, use k5.asn padata-type [1] PADATA-TYPE, padata-value [2] OCTET STRING -- might be encoded AP-REQ } KerberosFlags ::= BIT STRING (SIZE (32..MAX)) -- minimum number of bits shall be sent, -- but no fewer than 32 EncryptedData ::= SEQUENCE { -- etype [0] Int32 - - EncryptionType - -, Use k5.asn etype [0] ENCTYPE -- EncryptionType --, kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } EncryptionKey ::= SEQUENCE { keytype [0] Int32 -- actually encryption type --, keyvalue [1] OCTET STRING } Checksum ::= SEQUENCE { -- cksumtype [0] Int32, Use k5.asn cksumtype [0] CKSUMTYPE, checksum [1] OCTET STRING } EncryptedTicketData ::= SEQUENCE { etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } EncryptedAuthorizationData ::= SEQUENCE { etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } EncryptedKDCREPData ::= SEQUENCE { etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } EncryptedAPREPData ::= SEQUENCE { etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } EncryptedKrbPrivData ::= SEQUENCE { etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } EncryptedKrbCredData ::= SEQUENCE { etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0] INTEGER (5), realm [1] Realm, sname [2] PrincipalName, enc-part [3] EncryptedTicketData } -- Encrypted part of ticket EncTicketPart ::= [APPLICATION 3] SEQUENCE { flags [0] TicketFlags, key [1] EncryptionKey, crealm [2] Realm, cname [3] PrincipalName, transited [4] TransitedEncoding, authtime [5] KerberosTime, starttime [6] KerberosTime OPTIONAL, endtime [7] KerberosTime, renew-till [8] KerberosTime OPTIONAL, caddr [9] HostAddresses OPTIONAL, authorization-data [10] AuthorizationData OPTIONAL } -- encoded Transited field TransitedEncoding ::= SEQUENCE { tr-type [0] Int32 -- must be registered --, contents [1] OCTET STRING } -- Use the k5.asn def -- TicketFlags ::= KerberosFlags -- reserved(0), -- forwardable(1), -- forwarded(2), -- proxiable(3), -- proxy(4), -- may-postdate(5), -- postdated(6), -- invalid(7), -- renewable(8), -- initial(9), -- pre-authent(10), -- hw-authent(11), -- the following are new since 1510 -- transited-policy-checked(12), -- ok-as-delegate(13) AS-REQ ::= [APPLICATION 10] KDC-REQ TGS-REQ ::= [APPLICATION 12] KDC-REQ KDC-REQ ::= SEQUENCE { -- NOTE: first tag is [1], not [0] pvno [1] INTEGER (5) , -- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -), -- msg-type [2] INTEGER, use k5.asn msg-type [2] MESSAGE-TYPE, padata [3] SEQUENCE OF PA-DATA OPTIONAL -- NOTE: not empty --, req-body [4] KDC-REQ-BODY } KDC-REQ-BODY ::= SEQUENCE { kdc-options [0] KDCOptions, cname [1] PrincipalName OPTIONAL -- Used only in AS-REQ --, realm [2] Realm -- Server's realm -- Also client's in AS-REQ --, sname [3] PrincipalName OPTIONAL, from [4] KerberosTime OPTIONAL, -- this field is not optional in the kerberos spec, however, in the packetcable spec it is optional -- make it optional here since normal kerberos will still decode the pdu correctly. till [5] KerberosTime OPTIONAL, rtime [6] KerberosTime OPTIONAL, nonce [7] UInt32, -- etype [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn etype [8] SEQUENCE OF ENCTYPE -- EncryptionType -- in preference order --, addresses [9] HostAddresses OPTIONAL, enc-authorization-data [10] EncryptedAuthorizationData OPTIONAL -- AuthorizationData --, additional-tickets [11] SEQUENCE OF Ticket OPTIONAL -- NOTE: not empty } -- Use th k5.asn def --KDCOptions ::= KerberosFlags -- reserved(0), -- forwardable(1), -- forwarded(2), -- proxiable(3), -- proxy(4), -- allow-postdate(5), -- postdated(6), -- unused7(7), -- renewable(8), -- unused9(9), -- unused10(10), -- opt-hardware-auth(11), -- unused12(12), -- unused13(13), -- 15 is reserved for canonicalize -- unused15(15), -- 26 was unused in 1510 -- disable-transited-check(26), -- -- renewable-ok(27), -- enc-tkt-in-skey(28), -- renew(30), -- validate(31) AS-REP ::= [APPLICATION 11] KDC-REP TGS-REP ::= [APPLICATION 13] KDC-REP KDC-REP ::= SEQUENCE { pvno [0] INTEGER (5), -- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -), -- msg-type [1] INTEGER, use k5.asn msg-type [1] MESSAGE-TYPE, padata [2] SEQUENCE OF PA-DATA OPTIONAL -- NOTE: not empty --, crealm [3] Realm, cname [4] PrincipalName, ticket [5] Ticket, enc-part [6] EncryptedKDCREPData -- EncASRepPart or EncTGSRepPart, -- as appropriate } EncASRepPart ::= [APPLICATION 25] EncKDCRepPart EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart EncKDCRepPart ::= SEQUENCE { key [0] EncryptionKey, last-req [1] LastReq, nonce [2] UInt32, key-expiration [3] KerberosTime OPTIONAL, flags [4] TicketFlags, authtime [5] KerberosTime, starttime [6] KerberosTime OPTIONAL, endtime [7] KerberosTime, renew-till [8] KerberosTime OPTIONAL, srealm [9] Realm, sname [10] PrincipalName, caddr [11] HostAddresses OPTIONAL, encrypted-pa-data[12] METHOD-DATA OPTIONAL -- from k5.asn } LastReq ::= SEQUENCE OF SEQUENCE { -- lr-type [0] Int32, Use k5.asn lr-type [0] LR-TYPE, lr-value [1] KerberosTime } AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno [0] INTEGER (5), -- msg-type [1] INTEGER (14), use k5.asn msg-type [1] MESSAGE-TYPE, ap-options [2] APOptions, ticket [3] Ticket, authenticator [4] EncryptedAuthorizationData -- Authenticator } -- Use the krb5.asn def. --APOptions ::= KerberosFlags -- reserved(0), -- use-session-key(1), -- mutual-required(2) -- Unencrypted authenticator Authenticator ::= [APPLICATION 2] SEQUENCE { authenticator-vno [0] INTEGER (5), crealm [1] Realm, cname [2] PrincipalName, cksum [3] Checksum OPTIONAL, cusec [4] Microseconds, ctime [5] KerberosTime, subkey [6] EncryptionKey OPTIONAL, seq-number [7] UInt32 OPTIONAL, authorization-data [8] AuthorizationData OPTIONAL } AP-REP ::= [APPLICATION 15] SEQUENCE { pvno [0] INTEGER (5), -- msg-type [1] INTEGER (15), Use k5.asn msg-type [1] MESSAGE-TYPE, enc-part [2] EncryptedAPREPData -- EncAPRepPart } EncAPRepPart ::= [APPLICATION 27] SEQUENCE { ctime [0] KerberosTime, cusec [1] Microseconds, subkey [2] EncryptionKey OPTIONAL, seq-number [3] UInt32 OPTIONAL } KRB-SAFE ::= [APPLICATION 20] SEQUENCE { pvno [0] INTEGER (5), -- msg-type [1] INTEGER (20), use k5.asn msg-type [1] MESSAGE-TYPE, safe-body [2] KRB-SAFE-BODY, cksum [3] Checksum } KRB-SAFE-BODY ::= SEQUENCE { user-data [0] OCTET STRING, timestamp [1] KerberosTime OPTIONAL, usec [2] Microseconds OPTIONAL, seq-number [3] UInt32 OPTIONAL, s-address [4] HostAddress OPTIONAL, -- XXX this one is OPTIONAL in packetcable? but mandatory in kerberos r-address [5] HostAddress OPTIONAL } KRB-PRIV ::= [APPLICATION 21] SEQUENCE { pvno [0] INTEGER (5), -- msg-type [1] INTEGER (21), Use k5.asn msg-type [1] MESSAGE-TYPE, -- NOTE: there is no [2] tag enc-part [3] EncryptedKrbPrivData -- EncKrbPrivPart } ENC-KRB-PRIV-PART ::= [APPLICATION 28] EncKrbPrivPart EncKrbPrivPart ::= SEQUENCE { user-data [0] OCTET STRING, timestamp [1] KerberosTime OPTIONAL, usec [2] Microseconds OPTIONAL, seq-number [3] UInt32 OPTIONAL, s-address [4] HostAddress -- sender's addr --, r-address [5] HostAddress OPTIONAL -- recip's addr } KRB-CRED ::= [APPLICATION 22] SEQUENCE { pvno [0] INTEGER (5), -- msg-type [1] INTEGER (22), use k5.asn msg-type [1] MESSAGE-TYPE, tickets [2] SEQUENCE OF Ticket, enc-part [3] EncryptedKrbCredData -- EncKrbCredPart } EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { ticket-info [0] SEQUENCE OF KrbCredInfo, nonce [1] UInt32 OPTIONAL, timestamp [2] KerberosTime OPTIONAL, usec [3] Microseconds OPTIONAL, s-address [4] HostAddress OPTIONAL, r-address [5] HostAddress OPTIONAL } KrbCredInfo ::= SEQUENCE { key [0] EncryptionKey, prealm [1] Realm OPTIONAL, pname [2] PrincipalName OPTIONAL, flags [3] TicketFlags OPTIONAL, authtime [4] KerberosTime OPTIONAL, starttime [5] KerberosTime OPTIONAL, endtime [6] KerberosTime OPTIONAL, renew-till [7] KerberosTime OPTIONAL, srealm [8] Realm OPTIONAL, sname [9] PrincipalName OPTIONAL, caddr [10] HostAddresses OPTIONAL } KRB-ERROR ::= [APPLICATION 30] SEQUENCE { pvno [0] INTEGER (5), -- msg-type [1] INTEGER (30), use k5.asn msg-type [1] MESSAGE-TYPE, ctime [2] KerberosTime OPTIONAL, cusec [3] Microseconds OPTIONAL, stime [4] KerberosTime, susec [5] Microseconds, -- error-code [6] Int32, error-code [6] ERROR-CODE, -- Use k5.asn crealm [7] Realm OPTIONAL, cname [8] PrincipalName OPTIONAL, realm [9] Realm -- service realm --, sname [10] PrincipalName -- service name --, e-text [11] KerberosString OPTIONAL, e-data [12] OCTET STRING OPTIONAL, e-checksum [13] Checksum OPTIONAL -- used by PacketCable } METHOD-DATA ::= SEQUENCE OF PA-DATA TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { data-type [0] Int32, data-value [1] OCTET STRING OPTIONAL } -- preauth stuff follows PA-ENC-TIMESTAMP ::= SEQUENCE { etype [0] ENCTYPE -- EncryptionType --, kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } PA-ENC-TS-ENC ::= SEQUENCE { patimestamp [0] KerberosTime -- client's time --, pausec [1] Microseconds OPTIONAL } ETYPE-INFO-ENTRY ::= SEQUENCE { -- etype [0] Int32, use k5.asn etype [0] ENCTYPE, salt [1] OCTET STRING OPTIONAL } ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY ETYPE-INFO2-ENTRY ::= SEQUENCE { -- etype [0] Int32, use k5.asn etype [0] ENCTYPE, salt [1] KerberosString OPTIONAL, s2kparams [2] OCTET STRING OPTIONAL } ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY AD-IF-RELEVANT ::= AuthorizationData AD-KDCIssued ::= SEQUENCE { ad-checksum [0] Checksum, i-realm [1] Realm OPTIONAL, i-sname [2] PrincipalName OPTIONAL, elements [3] AuthorizationData } AD-AND-OR ::= SEQUENCE { condition-count [0] Int32, elements [1] AuthorizationData } AD-MANDATORY-FOR-KDC ::= AuthorizationData END