-- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz -- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $ -- Commented out stuff already in KerberosV5Spec2.asn -- $Id$ KERBEROS5 DEFINITIONS ::= BEGIN NAME-TYPE ::= INTEGER { kRB5-NT-UNKNOWN(0), -- Name type not known kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt) kRB5-NT-SRV-HST(3), -- Service with host name as instance kRB5-NT-SRV-XHST(4), -- Service with host as remaining components kRB5-NT-UID(5), -- Unique ID kRB5-NT-X500-PRINCIPAL(6), -- PKINIT kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID } -- message types MESSAGE-TYPE ::= INTEGER { krb-as-req(10), -- Request for initial authentication krb-as-rep(11), -- Response to KRB_AS_REQ request krb-tgs-req(12), -- Request for authentication based on TGT krb-tgs-rep(13), -- Response to KRB_TGS_REQ request krb-ap-req(14), -- application request to server krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL krb-safe(20), -- Safe (checksummed) application message krb-priv(21), -- Private (encrypted) application message krb-cred(22), -- Private (encrypted) message to forward credentials krb-error(30) -- Error response } -- pa-data types PADATA-TYPE ::= INTEGER { kRB5-PADATA-NONE(0), kRB5-PADATA-TGS-REQ(1), kRB5-PADATA-AP-REQ(1), kRB5-PADATA-ENC-TIMESTAMP(2), kRB5-PADATA-PW-SALT(3), kRB5-PADATA-ENC-UNIX-TIME(5), kRB5-PADATA-SANDIA-SECUREID(6), kRB5-PADATA-SESAME(7), kRB5-PADATA-OSF-DCE(8), kRB5-PADATA-CYBERSAFE-SECUREID(9), kRB5-PADATA-AFS3-SALT(10), kRB5-PADATA-ETYPE-INFO(11), kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) kRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number) kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) kRB5-PADATA-PA-PK-OCSP-RESPONSE(18), kRB5-PADATA-ETYPE-INFO2(19), kRB5-PADATA-USE-SPECIFIED-KVNO(20), kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) kRB5-PADATA-GET-FROM-TYPED-DATA(22), kRB5-PADATA-SAM-ETYPE-INFO(23), kRB5-PADATA-SERVER-REFERRAL(25), kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com kRB5-PADATA-S4U2SELF(129), kRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to -- tell KDC that is supports -- the asCheckSum in the -- PK-AS-REP kRB5-PADATA-CLIENT-CANONICALIZED(133) -- } AUTHDATA-TYPE ::= INTEGER { kRB5-AUTHDATA-IF-RELEVANT(1), kRB5-AUTHDATA-INTENDED-FOR-SERVER(2), kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3), kRB5-AUTHDATA-KDC-ISSUED(4), kRB5-AUTHDATA-AND-OR(5), kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6), kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7), kRB5-AUTHDATA-MANDATORY-FOR-KDC(8), kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9), kRB5-AUTHDATA-OSF-DCE(64), kRB5-AUTHDATA-SESAME(65), kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), kRB5-AUTHDATA-WIN2K-PAC(128), kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only kRB5-AUTHDATA-SIGNTICKET(-17) } -- checksumtypes CKSUMTYPE ::= INTEGER { cKSUMTYPE-NONE(0), cKSUMTYPE-CRC32(1), cKSUMTYPE-RSA-MD4(2), cKSUMTYPE-RSA-MD4-DES(3), cKSUMTYPE-DES-MAC(4), cKSUMTYPE-DES-MAC-K(5), cKSUMTYPE-RSA-MD4-DES-K(6), cKSUMTYPE-RSA-MD5(7), cKSUMTYPE-RSA-MD5-DES(8), cKSUMTYPE-RSA-MD5-DES3(9), cKSUMTYPE-SHA1-OTHER(10), cKSUMTYPE-HMAC-SHA1-DES3(12), cKSUMTYPE-SHA1(14), cKSUMTYPE-HMAC-SHA1-96-AES-128(15), cKSUMTYPE-HMAC-SHA1-96-AES-256(16), cKSUMTYPE-GSSAPI(--0x8003--32771), cKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number cKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial } --enctypes ENCTYPE ::= INTEGER { eTYPE-NULL(0), eTYPE-DES-CBC-CRC(1), eTYPE-DES-CBC-MD4(2), eTYPE-DES-CBC-MD5(3), eTYPE-DES3-CBC-MD5(5), eTYPE-OLD-DES3-CBC-SHA1(7), eTYPE-SIGN-DSA-GENERATE(8), eTYPE-ENCRYPT-RSA-PRIV(9), eTYPE-ENCRYPT-RSA-PUB(10), eTYPE-DES3-CBC-SHA1(16), -- with key derivation eTYPE-AES128-CTS-HMAC-SHA1-96(17), eTYPE-AES256-CTS-HMAC-SHA1-96(18), eTYPE-ARCFOUR-HMAC-MD5(23), eTYPE-ARCFOUR-HMAC-MD5-56(24), eTYPE-ENCTYPE-PK-CROSS(48), -- some "old" windows types eTYPE-ARCFOUR-MD4(-128), eTYPE-ARCFOUR-HMAC-OLD(-133), eTYPE-ARCFOUR-HMAC-OLD-EXP(-135), -- these are for Heimdal internal use -- eTYPE-DES-CBC-NONE(-0x1000), eTYPE-DES-CBC-NONE( -4096), -- eTYPE-DES3-CBC-NONE(-0x1001), eTYPE-DES3-CBC-NONE(-4097), -- eTYPE-DES-CFB64-NONE(-0x1002), eTYPE-DES-CFB64-NONE(-4098), -- eTYPE-DES-PCBC-NONE(-0x1003), eTYPE-DES-PCBC-NONE(-4099), -- eTYPE-DIGEST-MD5-NONE(-0x1004), - - private use, lukeh@padl.com eTYPE-DIGEST-MD5-NONE(-4100), -- private use, lukeh@padl.com -- eTYPE-CRAM-MD5-NONE(-0x1005) - - private use, lukeh@padl.com eTYPE-CRAM-MD5-NONE(-4101) -- private use, lukeh@padl.com } -- addr-types (WS extension ) ADDR-TYPE ::= INTEGER { iPv4(2), cHAOS(5), xEROX(6), iSO(7), dECNET(12), aPPLETALK(16), nETBIOS(20), iPv6(24) } -- error-codes (WS extension) ERROR-CODE ::= INTEGER { --error table constants eRR-NONE(0), eRR-NAME-EXP(1), eRR-SERVICE-EXP(2), eRR-BAD-PVNO(3), eRR-C-OLD-MAST-KVNO(4), eRR-S-OLD-MAST-KVNO(5), eRR-C-PRINCIPAL-UNKNOWN(6), eRR-S-PRINCIPAL-UNKNOWN(7), eRR-PRINCIPAL-NOT-UNIQUE(8), eRR-NULL-KEY(9), eRR-CANNOT-POSTDATE(10), eRR-NEVER-VALID(11), eRR-POLICY(12), eRR-BADOPTION(13), eRR-ETYPE-NOSUPP(14), eRR-SUMTYPE-NOSUPP(15), eRR-PADATA-TYPE-NOSUPP(16), eRR-TRTYPE-NOSUPP(17), eRR-CLIENT-REVOKED(18), eRR-SERVICE-REVOKED(19), eRR-TGT-REVOKED(20), eRR-CLIENT-NOTYET(21), eRR-SERVICE-NOTYET(22), eRR-KEY-EXP(23), eRR-PREAUTH-FAILED(24), eRR-PREAUTH-REQUIRED(25), eRR-SERVER-NOMATCH(26), eRR-MUST-USE-USER2USER(27), eRR-PATH-NOT-ACCEPTED(28), eRR-SVC-UNAVAILABLE(29), eRR-BAD-INTEGRITY(31), eRR-TKT-EXPIRED(32), eRR-TKT-NYV(33), eRR-REPEAT(34), eRR-NOT-US(35), eRR-BADMATCH(36), eRR-SKEW(37), eRR-BADADDR(38), eRR-BADVERSION(39), eRR-MSG-TYPE(40), eRR-MODIFIED(41), eRR-BADORDER(42), eRR-ILL-CR-TKT(43), eRR-BADKEYVER(44), eRR-NOKEY(45), eRR-MUT-FAIL(46), eRR-BADDIRECTION(47), eRR-METHOD(48), eRR-BADSEQ(49), eRR-INAPP-CKSUM(50), pATH-NOT-ACCEPTED(51), eRR-RESPONSE-TOO-BIG(52), eRR-GENERIC(60), eRR-FIELD-TOOLONG(61), eRROR-CLIENT-NOT-TRUSTED(62), eRROR-KDC-NOT-TRUSTED(63), eRROR-INVALID-SIG(64), eRR-KEY-TOO-WEAK(65), eRR-CERTIFICATE-MISMATCH(66), eRR-NO-TGT(67), eRR-WRONG-REALM(68), eRR-USER-TO-USER-REQUIRED(69), eRR-CANT-VERIFY-CERTIFICATE(70), eRR-INVALID-CERTIFICATE(71), eRR-REVOKED-CERTIFICATE(72), eRR-REVOCATION-STATUS-UNKNOWN(73), eRR-REVOCATION-STATUS-UNAVAILABLE(74), eRR-CLIENT-NAME-MISMATCH(75), eRR-KDC-NAME-MISMATCH(76) } -- this is sugar to make something ASN1 does not have: unsigned Krb5uint32 ::= INTEGER (0..4294967295) Krb5int32 ::= INTEGER (-2147483648..2147483647) --KerberosString ::= GeneralString --Realm ::= GeneralString --PrincipalName ::= SEQUENCE { -- name-type[0] NAME-TYPE, -- name-string[1] SEQUENCE OF GeneralString --} -- this is not part of RFC1510 Principal ::= SEQUENCE { name[0] PrincipalName, realm[1] Realm } --HostAddress ::= SEQUENCE { -- addr-type [0] Krb5int32, -- address [1] OCTET STRING --} -- This is from RFC1510. -- -- HostAddresses ::= SEQUENCE OF SEQUENCE { -- addr-type[0] Krb5int32, -- address[1] OCTET STRING -- } -- This seems much better. --HostAddresses ::= SEQUENCE OF HostAddress --KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z) --AuthorizationDataElement ::= SEQUENCE { -- ad-type[0] Krb5int32, -- ad-data[1] OCTET STRING --} --AuthorizationData ::= SEQUENCE OF AuthorizationDataElement APOptions ::= BIT STRING { reserved(0), use-session-key(1), mutual-required(2) } TicketFlags ::= BIT STRING { reserved(0), forwardable(1), forwarded(2), proxiable(3), proxy(4), may-postdate(5), postdated(6), invalid(7), renewable(8), initial(9), pre-authent(10), hw-authent(11), transited-policy-checked(12), ok-as-delegate(13), anonymous(14) } KDCOptions ::= BIT STRING { reserved(0), forwardable(1), forwarded(2), proxiable(3), proxy(4), allow-postdate(5), postdated(6), unused7(7), renewable(8), unused9(9), unused10(10), opt-hardware-auth(11), -- taken from KerberosV5Spec2.asn request-anonymous(14), canonicalize(15), constrained-delegation(16), -- ms extension disable-transited-check(26), renewable-ok(27), enc-tkt-in-skey(28), renew(30), validate(31) } LR-TYPE ::= INTEGER { lR-NONE(0), -- no information lR-INITIAL-TGT(1), -- last initial TGT request lR-INITIAL(2), -- last initial request lR-ISSUE-USE-TGT(3), -- time of newest TGT used lR-RENEWAL(4), -- time of last renewal lR-REQUEST(5), -- time of last request (of any type) lR-PW-EXPTIME(6), -- expiration time of password lR-ACCT-EXPTIME(7) -- expiration time of account } --LastReq ::= SEQUENCE OF SEQUENCE { -- lr-type[0] LR-TYPE, -- lr-value[1] KerberosTime --} --EncryptedData ::= SEQUENCE { -- etype[0] ENCTYPE, - - EncryptionType -- kvno[1] Krb5int32 OPTIONAL, -- cipher[2] OCTET STRING - - ciphertext --} --EncryptionKey ::= SEQUENCE { -- keytype[0] Krb5int32, -- keyvalue[1] OCTET STRING --} -- encoded Transited field --TransitedEncoding ::= SEQUENCE { -- tr-type[0] Krb5int32, - - must be registered -- contents[1] OCTET STRING --} --Ticket ::= [APPLICATION 1] SEQUENCE { -- tkt-vno[0] Krb5int32, -- realm[1] Realm, -- sname[2] PrincipalName, -- enc-part[3] EncryptedData --} -- Encrypted part of ticket --EncTicketPart ::= [APPLICATION 3] SEQUENCE { -- flags[0] TicketFlags, -- key[1] EncryptionKey, -- crealm[2] Realm, -- cname[3] PrincipalName, -- transited[4] TransitedEncoding, -- authtime[5] KerberosTime, -- starttime[6] KerberosTime OPTIONAL, -- endtime[7] KerberosTime, -- renew-till[8] KerberosTime OPTIONAL, -- caddr[9] HostAddresses OPTIONAL, -- authorization-data[10] AuthorizationData OPTIONAL --} --Checksum ::= SEQUENCE { -- cksumtype[0] CKSUMTYPE, -- checksum[1] OCTET STRING --} --Authenticator ::= [APPLICATION 2] SEQUENCE { -- authenticator-vno[0] Krb5int32, -- crealm[1] Realm, -- cname[2] PrincipalName, -- cksum[3] Checksum OPTIONAL, -- cusec[4] Krb5int32, -- ctime[5] KerberosTime, -- subkey[6] EncryptionKey OPTIONAL, -- seq-number[7] Krb5uint32 OPTIONAL, -- authorization-data[8] AuthorizationData OPTIONAL --} --PA-DATA ::= SEQUENCE { -- might be encoded AP-REQ -- padata-type[1] PADATA-TYPE, -- padata-value[2] OCTET STRING --} --ETYPE-INFO-ENTRY ::= SEQUENCE { -- etype[0] ENCTYPE, -- salt[1] OCTET STRING OPTIONAL, -- salttype[2] Krb5int32 OPTIONAL --} --ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY --ETYPE-INFO2-ENTRY ::= SEQUENCE { -- etype[0] ENCTYPE, -- salt[1] KerberosString OPTIONAL, -- s2kparams[2] OCTET STRING OPTIONAL --} --ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY -- METHOD-DATA ::= SEQUENCE OF PA-DATA --TypedData ::= SEQUENCE { -- data-type[0] Krb5int32, -- data-value[1] OCTET STRING OPTIONAL --} --TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData --KDC-REQ-BODY ::= SEQUENCE { -- kdc-options[0] KDCOptions, -- cname[1] PrincipalName OPTIONAL, - - Used only in AS-REQ -- realm[2] Realm, - - Server's realm -- Also client's in AS-REQ -- sname[3] PrincipalName OPTIONAL, -- from[4] KerberosTime OPTIONAL, -- till[5] KerberosTime OPTIONAL, -- rtime[6] KerberosTime OPTIONAL, -- nonce[7] Krb5int32, -- etype[8] SEQUENCE OF ENCTYPE, - - EncryptionType, -- in preference order -- addresses[9] HostAddresses OPTIONAL, -- enc-authorization-data[10] EncryptedData OPTIONAL, -- Encrypted AuthorizationData encoding -- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL --} --KDC-REQ ::= SEQUENCE { -- pvno[1] Krb5int32, -- msg-type[2] MESSAGE-TYPE, -- padata[3] METHOD-DATA OPTIONAL, -- req-body[4] KDC-REQ-BODY --} --AS-REQ ::= [APPLICATION 10] KDC-REQ --TGS-REQ ::= [APPLICATION 12] KDC-REQ -- padata-type ::= PA-ENC-TIMESTAMP -- padata-value ::= EncryptedData - PA-ENC-TS-ENC --PA-ENC-TS-ENC ::= SEQUENCE { -- patimestamp[0] KerberosTime, - - client's time -- pausec[1] Krb5int32 OPTIONAL --} -- draft-brezak-win2k-krb-authz-01 PA-PAC-REQUEST ::= SEQUENCE { include-pac[0] BOOLEAN -- Indicates whether a PAC -- should be included or not } -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf PROV-SRV-LOCATION ::= GeneralString --KDC-REP ::= SEQUENCE { -- pvno[0] Krb5int32, -- msg-type[1] MESSAGE-TYPE, -- padata[2] METHOD-DATA OPTIONAL, -- crealm[3] Realm, -- cname[4] PrincipalName, -- ticket[5] Ticket, -- enc-part[6] EncryptedData --} --AS-REP ::= [APPLICATION 11] KDC-REP --TGS-REP ::= [APPLICATION 13] KDC-REP --EncKDCRepPart ::= SEQUENCE { -- key[0] EncryptionKey, -- last-req[1] LastReq, -- nonce[2] Krb5int32, -- key-expiration[3] KerberosTime OPTIONAL, -- flags[4] TicketFlags, -- authtime[5] KerberosTime, -- starttime[6] KerberosTime OPTIONAL, -- endtime[7] KerberosTime, -- renew-till[8] KerberosTime OPTIONAL, -- srealm[9] Realm, -- sname[10] PrincipalName, -- caddr[11] HostAddresses OPTIONAL, -- encrypted-pa-data[12] METHOD-DATA OPTIONAL --} --EncASRepPart ::= [APPLICATION 25] EncKDCRepPart --EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart --AP-REQ ::= [APPLICATION 14] SEQUENCE { -- pvno[0] Krb5int32, -- msg-type[1] MESSAGE-TYPE, -- ap-options[2] APOptions, -- ticket[3] Ticket, -- authenticator[4] EncryptedData --} --AP-REP ::= [APPLICATION 15] SEQUENCE { -- pvno[0] Krb5int32, -- msg-type[1] MESSAGE-TYPE, -- enc-part[2] EncryptedData --} --EncAPRepPart ::= [APPLICATION 27] SEQUENCE { -- ctime[0] KerberosTime, -- cusec[1] Krb5int32, -- subkey[2] EncryptionKey OPTIONAL, -- seq-number[3] Krb5uint32 OPTIONAL --} --KRB-SAFE-BODY ::= SEQUENCE { -- user-data[0] OCTET STRING, -- timestamp[1] KerberosTime OPTIONAL, -- usec[2] Krb5int32 OPTIONAL, -- seq-number[3] Krb5uint32 OPTIONAL, -- s-address[4] HostAddress OPTIONAL, -- r-address[5] HostAddress OPTIONAL --} --KRB-SAFE ::= [APPLICATION 20] SEQUENCE { -- pvno[0] Krb5int32, -- msg-type[1] MESSAGE-TYPE, -- safe-body[2] KRB-SAFE-BODY, -- cksum[3] Checksum --} --KRB-PRIV ::= [APPLICATION 21] SEQUENCE { -- pvno[0] Krb5int32, -- msg-type[1] MESSAGE-TYPE, -- enc-part[3] EncryptedData --} --EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { -- user-data[0] OCTET STRING, -- timestamp[1] KerberosTime OPTIONAL, -- usec[2] Krb5int32 OPTIONAL, -- seq-number[3] Krb5uint32 OPTIONAL, -- s-address[4] HostAddress OPTIONAL, - - sender's addr -- r-address[5] HostAddress OPTIONAL - - recip's addr --} --KRB-CRED ::= [APPLICATION 22] SEQUENCE { -- pvno[0] Krb5int32, -- msg-type[1] MESSAGE-TYPE, - - KRB_CRED -- tickets[2] SEQUENCE OF Ticket, -- enc-part[3] EncryptedData --} --KrbCredInfo ::= SEQUENCE { -- key[0] EncryptionKey, -- prealm[1] Realm OPTIONAL, -- pname[2] PrincipalName OPTIONAL, -- flags[3] TicketFlags OPTIONAL, -- authtime[4] KerberosTime OPTIONAL, -- starttime[5] KerberosTime OPTIONAL, -- endtime[6] KerberosTime OPTIONAL, -- renew-till[7] KerberosTime OPTIONAL, -- srealm[8] Realm OPTIONAL, -- sname[9] PrincipalName OPTIONAL, -- caddr[10] HostAddresses OPTIONAL --} --EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { -- ticket-info[0] SEQUENCE OF KrbCredInfo, -- nonce[1] Krb5int32 OPTIONAL, -- timestamp[2] KerberosTime OPTIONAL, -- usec[3] Krb5int32 OPTIONAL, -- s-address[4] HostAddress OPTIONAL, -- r-address[5] HostAddress OPTIONAL --} --KRB-ERROR ::= [APPLICATION 30] SEQUENCE { -- pvno[0] Krb5int32, -- msg-type[1] MESSAGE-TYPE, -- ctime[2] KerberosTime OPTIONAL, -- cusec[3] Krb5int32 OPTIONAL, -- stime[4] KerberosTime, -- susec[5] Krb5int32, -- error-code[6] Krb5int32, -- crealm[7] Realm OPTIONAL, -- cname[8] PrincipalName OPTIONAL, -- realm[9] Realm, - - Correct realm -- sname[10] PrincipalName, - - Correct name -- e-text[11] GeneralString OPTIONAL, -- e-data[12] OCTET STRING OPTIONAL --} ChangePasswdDataMS ::= SEQUENCE { newpasswd[0] OCTET STRING, targname[1] PrincipalName OPTIONAL, targrealm[2] Realm OPTIONAL } EtypeList ::= SEQUENCE OF Krb5int32 -- the client's proposed enctype list in -- decreasing preference order, favorite choice first --krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number -- transited encodings --DOMAIN-X500-COMPRESS Krb5int32 ::= 1 -- authorization data primitives --AD-IF-RELEVANT ::= AuthorizationData --AD-KDCIssued ::= SEQUENCE { -- ad-checksum[0] Checksum, -- i-realm[1] Realm OPTIONAL, -- i-sname[2] PrincipalName OPTIONAL, -- elements[3] AuthorizationData --} --AD-AND-OR ::= SEQUENCE { -- condition-count[0] INTEGER, -- elements[1] AuthorizationData --} --AD-MANDATORY-FOR-KDC ::= AuthorizationData -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2 PA-SAM-TYPE ::= INTEGER { pA-SAM-TYPE-ENIGMA(1), -- Enigma Logic pA-SAM-TYPE-DIGI-PATH(2), -- Digital Pathways pA-SAM-TYPE-SKEY-K0(3), -- S/key where KDC has key 0 pA-SAM-TYPE-SKEY(4), -- Traditional S/Key pA-SAM-TYPE-SECURID(5), -- Security Dynamics pA-SAM-TYPE-CRYPTOCARD(6) -- CRYPTOCard } PA-SAM-REDIRECT ::= HostAddresses SAMFlags ::= BIT STRING { use-sad-as-key(0), send-encrypted-sad(1), must-pk-encrypt-sad(2) } PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE { sam-type[0] Krb5int32, sam-flags[1] SAMFlags, sam-type-name[2] GeneralString OPTIONAL, sam-track-id[3] GeneralString OPTIONAL, sam-challenge-label[4] GeneralString OPTIONAL, sam-challenge[5] GeneralString OPTIONAL, sam-response-prompt[6] GeneralString OPTIONAL, sam-pk-for-sad[7] EncryptionKey OPTIONAL, sam-nonce[8] Krb5int32, sam-etype[9] Krb5int32, ... } PA-SAM-CHALLENGE-2 ::= SEQUENCE { sam-body[0] PA-SAM-CHALLENGE-2-BODY, sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX) ... } PA-SAM-RESPONSE-2 ::= SEQUENCE { sam-type[0] Krb5int32, sam-flags[1] SAMFlags, sam-track-id[2] GeneralString OPTIONAL, sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC sam-nonce[4] Krb5int32, ... } PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE { sam-nonce[0] Krb5int32, sam-sad[1] GeneralString OPTIONAL, ... } PA-S4U2Self ::= SEQUENCE { name[0] PrincipalName, realm[1] Realm, cksum[2] Checksum, auth[3] GeneralString } KRB5SignedPathPrincipals ::= SEQUENCE OF Principal -- never encoded on the wire, just used to checksum over KRB5SignedPathData ::= SEQUENCE { encticket[0] EncTicketPart, delegated[1] KRB5SignedPathPrincipals OPTIONAL } KRB5SignedPath ::= SEQUENCE { -- DERcoded KRB5SignedPathData -- krbtgt key (etype), KeyUsage = XXX etype[0] ENCTYPE, cksum[1] Checksum, -- srvs delegated though delegated[2] KRB5SignedPathPrincipals OPTIONAL } PA-ClientCanonicalizedNames ::= SEQUENCE{ requested-name [0] PrincipalName, mapped-name [1] PrincipalName } PA-ClientCanonicalized ::= SEQUENCE { names [0] PA-ClientCanonicalizedNames, canon-checksum [1] Checksum } AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD -- login-alias [0] PrincipalName, checksum [1] Checksum } -- old ms referral PA-SvrReferralData ::= SEQUENCE { referred-name [1] PrincipalName OPTIONAL, referred-realm [0] Realm } PA-SERVER-REFERRAL-DATA ::= EncryptedData PA-ServerReferralData ::= SEQUENCE { referred-realm [0] Realm OPTIONAL, true-principal-name [1] PrincipalName OPTIONAL, requested-principal-name [2] PrincipalName OPTIONAL, referral-valid-until [3] KerberosTime OPTIONAL, ... } -- WS put extensions found elsewere here -- http://msdn.microsoft.com/en-us/library/cc206948.aspx -- KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. --If FALSE, and PAC present, remove PAC } END -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1