-- $Id$ KERBEROS5 DEFINITIONS ::= BEGIN EXPORTS AD-AND-OR, AD-IF-RELEVANT, AD-KDCIssued, AD-LoginAlias, AP-REP, AP-REQ, AS-REP, AS-REQ, AUTHDATA-TYPE, Authenticator, AuthorizationData, AuthorizationDataElement, CKSUMTYPE, ChangePasswdDataMS, Checksum, CompositePrincipal, ENCTYPE, ETYPE-INFO, ETYPE-INFO-ENTRY, ETYPE-INFO2, ETYPE-INFO2-ENTRY, EncAPRepPart, EncASRepPart, EncKDCRepPart, EncKrbCredPart, EncKrbPrivPart, EncTGSRepPart, EncTicketPart, EncryptedData, EncryptionKey, EtypeList, HostAddress, HostAddresses, KDC-REQ-BODY, KDCOptions, KDC-REP, KRB-CRED, KRB-ERROR, KRB-PRIV, KRB-SAFE, KRB-SAFE-BODY, KerberosString, KerberosTime, KrbCredInfo, LR-TYPE, LastReq, METHOD-DATA, NAME-TYPE, PA-ClientCanonicalized, PA-ClientCanonicalizedNames, PA-DATA, PA-ENC-TS-ENC, PA-KERB-KEY-LIST-REP, PA-KERB-KEY-LIST-REQ, PA-PAC-OPTIONS, PA-PAC-REQUEST, PA-S4U2Self, PA-S4U-X509-USER, PA-SERVER-REFERRAL-DATA, PA-ServerReferralData, PA-SvrReferralData, PADATA-TYPE, PA-FX-FAST-REQUEST, PA-FX-FAST-REPLY, Principal, PrincipalName, Principals, Realm, TGS-REP, TGS-REQ, Ticket, TicketFlags, TransitedEncoding, TypedData, KrbFastResponse, KrbFastFinished, KrbFastReq, KrbFastArmor, KrbFastArmoredReq, KDCFastState, KDCFastCookie, KDC-PROXY-MESSAGE, KERB-AD-RESTRICTION-ENTRY, KERB-TIMES, KERB-CRED, KERB-TGS-REQ-IN, KERB-TGS-REQ-OUT, KERB-ARMOR-SERVICE-REPLY ; NAME-TYPE ::= INTEGER { KRB5_NT_UNKNOWN(0), -- Name type not known KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt) KRB5_NT_SRV_HST(3), -- Service with host name as instance KRB5_NT_SRV_XHST(4), -- Service with host as remaining components KRB5_NT_UID(5), -- Unique ID KRB5_NT_X500_PRINCIPAL(6), -- PKINIT KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN KRB5_NT_WELLKNOWN(11), -- Wellknown KRB5_NT_SRV_HST_DOMAIN(12), -- Domain based service with host name as instance (RFC5179) KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded) KRB5_NT_GSS_HOSTBASED_SERVICE(-1202), -- not used; remove KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- Internal: indicates that name canonicalization is needed } -- message types MESSAGE-TYPE ::= INTEGER { krb-as-req(10), -- Request for initial authentication krb-as-rep(11), -- Response to KRB_AS_REQ request krb-tgs-req(12), -- Request for authentication based on TGT krb-tgs-rep(13), -- Response to KRB_TGS_REQ request krb-ap-req(14), -- application request to server krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL krb-safe(20), -- Safe (checksummed) application message krb-priv(21), -- Private (encrypted) application message krb-cred(22), -- Private (encrypted) message to forward credentials krb-error(30) -- Error response } -- pa-data types PADATA-TYPE ::= INTEGER { KRB5-PADATA-NONE(0), KRB5-PADATA-TGS-REQ(1), KRB5-PADATA-AP-REQ(1), KRB5-PADATA-ENC-TIMESTAMP(2), KRB5-PADATA-PW-SALT(3), KRB5-PADATA-ENC-UNIX-TIME(5), KRB5-PADATA-SANDIA-SECUREID(6), KRB5-PADATA-SESAME(7), KRB5-PADATA-OSF-DCE(8), KRB5-PADATA-CYBERSAFE-SECUREID(9), KRB5-PADATA-AFS3-SALT(10), KRB5-PADATA-ETYPE-INFO(11), KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number) KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) KRB5-PADATA-PA-PK-OCSP-RESPONSE(18), KRB5-PADATA-ETYPE-INFO2(19), KRB5-PADATA-USE-SPECIFIED-KVNO(20), KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) KRB5-PADATA-GET-FROM-TYPED-DATA(22), KRB5-PADATA-SAM-ETYPE-INFO(23), KRB5-PADATA-SERVER-REFERRAL(25), KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov) KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com) KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com) KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT KRB5-PADATA-FX-FAST-ARMOR(71), -- fast armor KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com KRB5-PADATA-FOR-USER(129), -- MS-KILE KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to -- tell KDC that is supports -- the asCheckSum in the -- PK-AS-REP KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com) KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com) KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com) KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com) KRB5-PADATA-EPAK-AS-REQ(145), KRB5-PADATA-EPAK-AS-REP(146), KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u KRB5-PADATA-REQ-ENC-PA-REP(149), -- KER5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE KER5-PADATA-KERB-PAKEY-LIST-REP(162), -- MS-KILE KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE KRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE KRB5-PADATA-GSS(655) -- krb-wg-gss-preauth } AUTHDATA-TYPE ::= INTEGER { KRB5-AUTHDATA-IF-RELEVANT(1), KRB5-AUTHDATA-INTENDED-FOR_SERVER(2), KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3), KRB5-AUTHDATA-KDC-ISSUED(4), KRB5-AUTHDATA-AND-OR(5), KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6), KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7), KRB5-AUTHDATA-MANDATORY-FOR-KDC(8), KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9), KRB5-AUTHDATA-OSF-DCE(64), KRB5-AUTHDATA-SESAME(65), KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), KRB5-AUTHDATA-AUTHENTICATION-STRENGTH(70), KRB5-AUTHDATA-FX-FAST-ARMOR(71), KRB5-AUTHDATA-FX-FAST-USED(72), KRB5-AUTHDATA-WIN2K-PAC(128), KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only KRB5-AUTHDATA-SIGNTICKET-OLDER(-17), KRB5-AUTHDATA-SIGNTICKET-OLD(142), KRB5-AUTHDATA-SIGNTICKET(512), KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised KRB5-AUTHDATA-KERB-LOCAL(141), -- MS-KILE KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142), -- MS-KILE KRB5-AUTHDATA-AP-OPTIONS(143), -- MS-KILE KRB5-AUTHDATA-TARGET-PRINCIPAL(144), -- MS-KILE -- N.B. these assignments have not been confirmed yet. -- -- DO NOT USE in production yet! KRB5-AUTHDATA-ON-BEHALF-OF(580), -- UTF8String princ name KRB5-AUTHDATA-BEARER-TOKEN-JWT(581), -- JWT token KRB5-AUTHDATA-BEARER-TOKEN-SAML(582), -- SAML token KRB5-AUTHDATA-BEARER-TOKEN-OIDC(583), -- OIDC token KRB5-AUTHDATA-CSR-AUTHORIZED(584), -- Proxy has authorized client -- to requested exts in CSR KRB5-AUTHDATA-GSS-COMPOSITE-NAME(655) -- gss_export_name_composite } -- checksumtypes CKSUMTYPE ::= INTEGER { CKSUMTYPE_NONE(0), CKSUMTYPE_CRC32(1), CKSUMTYPE_RSA_MD4(2), CKSUMTYPE_RSA_MD4_DES(3), CKSUMTYPE_DES_MAC(4), CKSUMTYPE_DES_MAC_K(5), CKSUMTYPE_RSA_MD4_DES_K(6), CKSUMTYPE_RSA_MD5(7), CKSUMTYPE_RSA_MD5_DES(8), CKSUMTYPE_RSA_MD5_DES3(9), CKSUMTYPE_SHA1_OTHER(10), CKSUMTYPE_HMAC_SHA1_DES3(12), CKSUMTYPE_SHA1(14), CKSUMTYPE_HMAC_SHA1_96_AES_128(15), CKSUMTYPE_HMAC_SHA1_96_AES_256(16), CKSUMTYPE_HMAC_SHA256_128_AES128(19), CKSUMTYPE_HMAC_SHA384_192_AES256(20), CKSUMTYPE_GSSAPI(0x8003), CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number CKSUMTYPE_HMAC_MD5_ENC(-1138), -- even more unofficial CKSUMTYPE_SHA256(-21), CKSUMTYPE_SHA384(-22), CKSUMTYPE_SHA512(-23) } --enctypes ENCTYPE ::= INTEGER { KRB5_ENCTYPE_NULL(0), KRB5_ENCTYPE_DES_CBC_CRC(1), KRB5_ENCTYPE_DES_CBC_MD4(2), KRB5_ENCTYPE_DES_CBC_MD5(3), KRB5_ENCTYPE_DES3_CBC_MD5(5), KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7), KRB5_ENCTYPE_SIGN_DSA_GENERATE(8), KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9), KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10), KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17), KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18), KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128(19), KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192(20), KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23), KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24), KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48), -- some "old" windows types KRB5_ENCTYPE_ARCFOUR_MD4(-128), KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133), KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135), -- these are for Heimdal internal use KRB5_ENCTYPE_DES_CBC_NONE(-0x1000), KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001), KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002), KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003), KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com } -- this is sugar to make something ASN1 does not have: unsigned Krb5UInt32 ::= INTEGER (0..4294967295) Krb5Int32 ::= INTEGER (-2147483648..2147483647) KerberosString ::= GeneralString Realm ::= GeneralString PrincipalName ::= SEQUENCE { name-type[0] NAME-TYPE, name-string[1] SEQUENCE OF GeneralString } HostAddress ::= SEQUENCE { addr-type[0] Krb5Int32, address[1] OCTET STRING } -- This is from RFC1510. -- -- HostAddresses ::= SEQUENCE OF SEQUENCE { -- addr-type[0] Krb5Int32, -- address[1] OCTET STRING -- } -- This seems much better. HostAddresses ::= SEQUENCE OF HostAddress KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z) AuthorizationDataElement ::= SEQUENCE { ad-type[0] Krb5Int32, ad-data[1] OCTET STRING } AuthorizationData ::= SEQUENCE OF AuthorizationDataElement APOptions ::= BIT STRING { reserved(0), use-session-key(1), mutual-required(2) } TicketFlags ::= BIT STRING { reserved(0), forwardable(1), forwarded(2), proxiable(3), proxy(4), may-postdate(5), postdated(6), invalid(7), renewable(8), initial(9), pre-authent(10), hw-authent(11), transited-policy-checked(12), ok-as-delegate(13), enc-pa-rep(15), anonymous(16) } KDCOptions ::= BIT STRING { reserved(0), forwardable(1), forwarded(2), proxiable(3), proxy(4), allow-postdate(5), postdated(6), renewable(8), cname-in-addl-tkt(14), -- ms extension canonicalize(15), request-anonymous(16), disable-transited-check(26), renewable-ok(27), enc-tkt-in-skey(28), renew(30), validate(31) } LR-TYPE ::= INTEGER { LR_NONE(0), -- no information LR_INITIAL_TGT(1), -- last initial TGT request LR_INITIAL(2), -- last initial request LR_ISSUE_USE_TGT(3), -- time of newest TGT used LR_RENEWAL(4), -- time of last renewal LR_REQUEST(5), -- time of last request (of any type) LR_PW_EXPTIME(6), -- expiration time of password LR_ACCT_EXPTIME(7) -- expiration time of account } LastReq ::= SEQUENCE OF SEQUENCE { lr-type[0] LR-TYPE, lr-value[1] KerberosTime } EncryptedData ::= SEQUENCE { etype[0] ENCTYPE, -- EncryptionType kvno[1] Krb5Int32 OPTIONAL, cipher[2] OCTET STRING -- ciphertext } EncryptionKey ::= SEQUENCE { keytype[0] Krb5Int32, keyvalue[1] OCTET STRING } -- encoded Transited field TransitedEncoding ::= SEQUENCE { tr-type[0] Krb5Int32, -- must be registered contents[1] OCTET STRING } Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno[0] Krb5Int32, realm[1] Realm, sname[2] PrincipalName, enc-part[3] EncryptedData } -- Encrypted part of ticket EncTicketPart ::= [APPLICATION 3] SEQUENCE { flags[0] TicketFlags, key[1] EncryptionKey, crealm[2] Realm, cname[3] PrincipalName, transited[4] TransitedEncoding, authtime[5] KerberosTime, starttime[6] KerberosTime OPTIONAL, endtime[7] KerberosTime, renew-till[8] KerberosTime OPTIONAL, caddr[9] HostAddresses OPTIONAL, authorization-data[10] AuthorizationData OPTIONAL } Checksum ::= SEQUENCE { cksumtype[0] CKSUMTYPE, checksum[1] OCTET STRING } -- For GSS name attributes [RFC6680] we'll decorate Principal (which is not an -- RFC4120 type, but which we use a) in HDB, b) in the API as that which -- krb5_principal points to) with PrincipalNameAttrs. -- -- Attributes have three possible sources in Heimdal Kerberos at this time: -- -- - the EncKDCRepPart (for the client's attributes on the client side) -- - the EncTicketPart (for the client's attributes on the server side) -- - the Authenticator's AuthorizationData (if any; server-side) -- -- In principle there can be more: -- -- - locally-set (asserted) attributes -- - locally-looked-up attributes (e.g., in LDAP) -- - locally-transformed attributes (e.g., local groups, filtered SIDs from a -- PAC, etc.) -- -- We could also cache "cooked" attributes as reported by the RFC6680 API given -- the sources we have. -- -- For now we'll only support authenticated attributes where those come from -- the KDC, and attributes asserted in Authenticator authz-data. PrincipalNameAttrSrc ::= CHOICE { enc-kdc-rep-part [0] EncKDCRepPart, -- minus session key enc-ticket-part [1] EncTicketPart -- minus session key } PrincipalNameAttrs ::= SEQUENCE { -- True if this name was authenticated via an AP-REQ or a KDC-REP authenticated [0] BOOLEAN, -- These are compiled from the Ticket, KDC-REP, and/or Authenticator source [1] PrincipalNameAttrSrc OPTIONAL, authenticator-ad [2] AuthorizationData OPTIONAL, -- For the server on the client side we should keep track of the -- transit path taken to reach it (if absent -> unknown). -- -- We don't learn much more about the server from the KDC. peer-realm [3] Realm OPTIONAL, transited [4] TransitedEncoding OPTIONAL, -- True if the PAC was verified pac-verified [5] BOOLEAN, -- True if any AD-KDC-ISSUEDs in the Ticket were validated kdc-issued-verified [6] BOOLEAN, -- TODO: Add requested attributes, for gss_set_name_attribute(), which -- should cause corresponding authz-data elements to be added to -- any TGS-REQ or to the AP-REQ's Authenticator as appropriate. want-ad [7] AuthorizationData OPTIONAL } -- This is our type for exported composite name tokens for GSS [RFC6680]. -- It's the same as Principal (below) as decorated with (see krb5.opt file and -- asn1_compile usage), except it's not decorated, so the name attributes are -- encoded/decoded. CompositePrincipal ::= [APPLICATION 48] SEQUENCE { name[0] PrincipalName, realm[1] Realm, nameattrs[2] PrincipalNameAttrs OPTIONAL } -- This is not part of RFC1510/RFC4120. We use this internally as our -- krb5_principal (which is a typedef of *Principal), and in HDB entries. Principal ::= SEQUENCE { name[0] PrincipalName, realm[1] Realm -- This will be decorated with an optional nameattrs field of -- PrincipalNameAttrs type that doesn't get encoded. Same as -- CompositePrincipal above, except that CompositePrincipal's -- nameattrs field does get encoded, while Principal's does not: -- -- nameattrs[2] PrincipalNameAttrs OPTIONAL } Principals ::= SEQUENCE OF Principal Authenticator ::= [APPLICATION 2] SEQUENCE { authenticator-vno[0] Krb5Int32, crealm[1] Realm, cname[2] PrincipalName, cksum[3] Checksum OPTIONAL, cusec[4] Krb5Int32, ctime[5] KerberosTime, subkey[6] EncryptionKey OPTIONAL, seq-number[7] Krb5UInt32 OPTIONAL, authorization-data[8] AuthorizationData OPTIONAL } PA-DATA ::= SEQUENCE { -- might be encoded AP-REQ padata-type[1] PADATA-TYPE, padata-value[2] OCTET STRING } ETYPE-INFO-ENTRY ::= SEQUENCE { etype[0] ENCTYPE, salt[1] OCTET STRING OPTIONAL, salttype[2] Krb5Int32 OPTIONAL } ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY ETYPE-INFO2-ENTRY ::= SEQUENCE { etype[0] ENCTYPE, salt[1] KerberosString OPTIONAL, s2kparams[2] OCTET STRING OPTIONAL } ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY METHOD-DATA ::= SEQUENCE OF PA-DATA TypedData ::= SEQUENCE { data-type[0] Krb5Int32, data-value[1] OCTET STRING OPTIONAL } TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData KDC-REQ-BODY ::= SEQUENCE { kdc-options[0] KDCOptions, cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ realm[2] Realm, -- Server's realm -- Also client's in AS-REQ sname[3] PrincipalName OPTIONAL, from[4] KerberosTime OPTIONAL, till[5] KerberosTime OPTIONAL, rtime[6] KerberosTime OPTIONAL, nonce[7] Krb5Int32, etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType, -- in preference order addresses[9] HostAddresses OPTIONAL, enc-authorization-data[10] EncryptedData OPTIONAL, -- Encrypted AuthorizationData encoding additional-tickets[11] SEQUENCE OF Ticket OPTIONAL } KDC-REQ ::= SEQUENCE { pvno[1] Krb5Int32, msg-type[2] MESSAGE-TYPE, padata[3] METHOD-DATA OPTIONAL, req-body[4] KDC-REQ-BODY } AS-REQ ::= [APPLICATION 10] KDC-REQ TGS-REQ ::= [APPLICATION 12] KDC-REQ -- padata-type ::= PA-ENC-TIMESTAMP -- padata-value ::= EncryptedData - PA-ENC-TS-ENC PA-ENC-TS-ENC ::= SEQUENCE { patimestamp[0] KerberosTime, -- client's time pausec[1] Krb5Int32 OPTIONAL } -- draft-brezak-win2k-krb-authz-01 PA-PAC-REQUEST ::= SEQUENCE { include-pac[0] BOOLEAN -- Indicates whether a PAC -- should be included or not } -- MS-KILE/MS-SFU PAC-OPTIONS-FLAGS ::= BIT STRING { claims(0), branch-aware(1), forward-to-full-dc(2), resource-based-constrained-delegation(3) } -- MS-KILE PA-PAC-OPTIONS ::= SEQUENCE { flags [0] PAC-OPTIONS-FLAGS } -- MS-KILE -- captures show that [UNIVERSAL 16] is required to parse it KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE { restriction-type [0] Krb5Int32, restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure } -- MS-KILE Section 2.2.11 PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE -- MS-KILE Section 2.2.12 PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType, -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf PROV-SRV-LOCATION ::= GeneralString KDC-REP ::= SEQUENCE { pvno[0] Krb5Int32, msg-type[1] MESSAGE-TYPE, padata[2] METHOD-DATA OPTIONAL, crealm[3] Realm, cname[4] PrincipalName, ticket[5] Ticket, enc-part[6] EncryptedData } AS-REP ::= [APPLICATION 11] KDC-REP TGS-REP ::= [APPLICATION 13] KDC-REP EncKDCRepPart ::= SEQUENCE { key[0] EncryptionKey, last-req[1] LastReq, nonce[2] Krb5Int32, key-expiration[3] KerberosTime OPTIONAL, flags[4] TicketFlags, authtime[5] KerberosTime, starttime[6] KerberosTime OPTIONAL, endtime[7] KerberosTime, renew-till[8] KerberosTime OPTIONAL, srealm[9] Realm, sname[10] PrincipalName, caddr[11] HostAddresses OPTIONAL, encrypted-pa-data[12] METHOD-DATA OPTIONAL } EncASRepPart ::= [APPLICATION 25] EncKDCRepPart EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno[0] Krb5Int32, msg-type[1] MESSAGE-TYPE, ap-options[2] APOptions, ticket[3] Ticket, authenticator[4] EncryptedData } AP-REP ::= [APPLICATION 15] SEQUENCE { pvno[0] Krb5Int32, msg-type[1] MESSAGE-TYPE, enc-part[2] EncryptedData } EncAPRepPart ::= [APPLICATION 27] SEQUENCE { ctime[0] KerberosTime, cusec[1] Krb5Int32, subkey[2] EncryptionKey OPTIONAL, seq-number[3] Krb5UInt32 OPTIONAL } KRB-SAFE-BODY ::= SEQUENCE { user-data[0] OCTET STRING, timestamp[1] KerberosTime OPTIONAL, usec[2] Krb5Int32 OPTIONAL, seq-number[3] Krb5UInt32 OPTIONAL, s-address[4] HostAddress OPTIONAL, r-address[5] HostAddress OPTIONAL } KRB-SAFE ::= [APPLICATION 20] SEQUENCE { pvno[0] Krb5Int32, msg-type[1] MESSAGE-TYPE, safe-body[2] KRB-SAFE-BODY, cksum[3] Checksum } KRB-PRIV ::= [APPLICATION 21] SEQUENCE { pvno[0] Krb5Int32, msg-type[1] MESSAGE-TYPE, enc-part[3] EncryptedData } EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { user-data[0] OCTET STRING, timestamp[1] KerberosTime OPTIONAL, usec[2] Krb5Int32 OPTIONAL, seq-number[3] Krb5UInt32 OPTIONAL, s-address[4] HostAddress OPTIONAL, -- sender's addr r-address[5] HostAddress OPTIONAL -- recip's addr } KRB-CRED ::= [APPLICATION 22] SEQUENCE { pvno[0] Krb5Int32, msg-type[1] MESSAGE-TYPE, -- KRB_CRED tickets[2] SEQUENCE OF Ticket, enc-part[3] EncryptedData } KrbCredInfo ::= SEQUENCE { key[0] EncryptionKey, prealm[1] Realm OPTIONAL, pname[2] PrincipalName OPTIONAL, flags[3] TicketFlags OPTIONAL, authtime[4] KerberosTime OPTIONAL, starttime[5] KerberosTime OPTIONAL, endtime[6] KerberosTime OPTIONAL, renew-till[7] KerberosTime OPTIONAL, srealm[8] Realm OPTIONAL, sname[9] PrincipalName OPTIONAL, caddr[10] HostAddresses OPTIONAL } EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { ticket-info[0] SEQUENCE OF KrbCredInfo, nonce[1] Krb5Int32 OPTIONAL, timestamp[2] KerberosTime OPTIONAL, usec[3] Krb5Int32 OPTIONAL, s-address[4] HostAddress OPTIONAL, r-address[5] HostAddress OPTIONAL } KRB-ERROR ::= [APPLICATION 30] SEQUENCE { pvno[0] Krb5Int32, msg-type[1] MESSAGE-TYPE, ctime[2] KerberosTime OPTIONAL, cusec[3] Krb5Int32 OPTIONAL, stime[4] KerberosTime, susec[5] Krb5Int32, error-code[6] Krb5Int32, crealm[7] Realm OPTIONAL, cname[8] PrincipalName OPTIONAL, realm[9] Realm, -- Correct realm sname[10] PrincipalName, -- Correct name e-text[11] GeneralString OPTIONAL, e-data[12] OCTET STRING OPTIONAL } ChangePasswdDataMS ::= SEQUENCE { newpasswd[0] OCTET STRING, targname[1] PrincipalName OPTIONAL, targrealm[2] Realm OPTIONAL } EtypeList ::= SEQUENCE OF ENCTYPE -- the client's proposed enctype list in -- decreasing preference order, favorite choice first krb5-pvno Krb5Int32 ::= 5 -- current Kerberos protocol version number -- transited encodings domain-X500-Compress Krb5Int32 ::= 1 -- authorization data primitives AD-IF-RELEVANT ::= AuthorizationData AD-KDCIssued ::= SEQUENCE { ad-checksum[0] Checksum, i-realm[1] Realm OPTIONAL, i-sname[2] PrincipalName OPTIONAL, elements[3] AuthorizationData } AD-AND-OR ::= SEQUENCE { condition-count[0] Krb5Int32, elements[1] AuthorizationData } AD-MANDATORY-FOR-KDC ::= AuthorizationData -- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2 PA-SAM-TYPE ::= INTEGER { PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0 PA_SAM_TYPE_SKEY(4), -- Traditional S/Key PA_SAM_TYPE_SECURID(5), -- Security Dynamics PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard } PA-SAM-REDIRECT ::= HostAddresses SAMFlags ::= BIT STRING { use-sad-as-key(0), send-encrypted-sad(1), must-pk-encrypt-sad(2) } PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE { sam-type[0] Krb5Int32, sam-flags[1] SAMFlags, sam-type-name[2] GeneralString OPTIONAL, sam-track-id[3] GeneralString OPTIONAL, sam-challenge-label[4] GeneralString OPTIONAL, sam-challenge[5] GeneralString OPTIONAL, sam-response-prompt[6] GeneralString OPTIONAL, sam-pk-for-sad[7] EncryptionKey OPTIONAL, sam-nonce[8] Krb5Int32, sam-etype[9] Krb5Int32, ... } PA-SAM-CHALLENGE-2 ::= SEQUENCE { sam-body[0] PA-SAM-CHALLENGE-2-BODY, sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX) ... } PA-SAM-RESPONSE-2 ::= SEQUENCE { sam-type[0] Krb5Int32, sam-flags[1] SAMFlags, sam-track-id[2] GeneralString OPTIONAL, sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC sam-nonce[4] Krb5Int32, ... } PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE { sam-nonce[0] Krb5Int32, sam-sad[1] GeneralString OPTIONAL, ... } PA-S4U2Self ::= SEQUENCE { name[0] PrincipalName, realm[1] Realm, cksum[2] Checksum, auth[3] GeneralString } PA-S4U-X509-USER::= SEQUENCE { user-id[0] S4UUserID, checksum[1] Checksum } S4UUserID ::= SEQUENCE { nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints crealm [2] Realm, subject-certificate [3] OCTET STRING OPTIONAL, options [4] BIT STRING OPTIONAL, ... } AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD -- login-alias [0] PrincipalName, checksum [1] Checksum } -- old ms referral PA-SvrReferralData ::= SEQUENCE { referred-name [1] PrincipalName OPTIONAL, referred-realm [0] Realm } PA-SERVER-REFERRAL-DATA ::= EncryptedData PA-ServerReferralData ::= SEQUENCE { referred-realm [0] Realm OPTIONAL, true-principal-name [1] PrincipalName OPTIONAL, requested-principal-name [2] PrincipalName OPTIONAL, referral-valid-until [3] KerberosTime OPTIONAL, ... } FastOptions ::= BIT STRING { reserved(0), hide-client-names(1), critical2(2), critical3(3), critical4(4), critical5(5), critical6(6), critical7(7), critical8(8), critical9(9), critical10(10), critical11(11), critical12(12), critical13(13), critical14(14), critical15(15), kdc-follow-referrals(16) } KrbFastReq ::= SEQUENCE { fast-options [0] FastOptions, padata [1] METHOD-DATA, req-body [2] KDC-REQ-BODY, ... } KrbFastArmor ::= SEQUENCE { armor-type [0] Krb5Int32, armor-value [1] OCTET STRING, ... } KrbFastArmoredReq ::= SEQUENCE { armor [0] KrbFastArmor OPTIONAL, req-checksum [1] Checksum, enc-fast-req [2] EncryptedData -- KrbFastReq -- } PA-FX-FAST-REQUEST ::= CHOICE { armored-data [0] KrbFastArmoredReq, ... } KrbFastFinished ::= SEQUENCE { timestamp [0] KerberosTime, usec [1] Krb5Int32, crealm [2] Realm, cname [3] PrincipalName, ticket-checksum [4] Checksum, ... } KrbFastResponse ::= SEQUENCE { padata [0] METHOD-DATA, strengthen-key [1] EncryptionKey OPTIONAL, finished [2] KrbFastFinished OPTIONAL, nonce [3] Krb5UInt32, ... } KrbFastArmoredRep ::= SEQUENCE { enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- ... } PA-FX-FAST-REPLY ::= CHOICE { armored-data [0] KrbFastArmoredRep, ... } KDCFastFlags ::= BIT STRING { use-reply-key(0), reply-key-used(1), reply-key-replaced(2), kdc-verified(3), requested-hidden-names(4) } -- KDCFastState is stored in FX_COOKIE KDCFastState ::= SEQUENCE { flags [0] KDCFastFlags, expiration [1] GeneralizedTime, fast-state [2] METHOD-DATA, expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL } KDCFastCookie ::= SEQUENCE { version [0] UTF8String, cookie [1] EncryptedData } KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING, target-domain [1] Realm OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL } -- these messages are used in the GSSCred communication and is not part of Kerberos propper KERB-TIMES ::= SEQUENCE { authtime [0] KerberosTime, starttime [1] KerberosTime, endtime [2] KerberosTime, renew_till [3] KerberosTime } KERB-CRED ::= SEQUENCE { client [0] Principal, server [1] Principal, keyblock [2] EncryptionKey, times [3] KERB-TIMES, ticket [4] OCTET STRING, authdata [5] OCTET STRING, addresses [6] HostAddresses, flags [7] TicketFlags } KERB-TGS-REQ-IN ::= SEQUENCE { cache [0] OCTET STRING SIZE (16), addrs [1] HostAddresses, flags [2] Krb5UInt32, imp [3] Principal OPTIONAL, ticket [4] OCTET STRING OPTIONAL, in_cred [5] KERB-CRED, krbtgt [6] KERB-CRED, padata [7] METHOD-DATA } KERB-TGS-REQ-OUT ::= SEQUENCE { subkey [0] EncryptionKey OPTIONAL, t [1] TGS-REQ } KERB-TGS-REP-IN ::= SEQUENCE { cache [0] OCTET STRING SIZE (16), subkey [1] EncryptionKey OPTIONAL, in_cred [2] KERB-CRED, t [3] TGS-REP } KERB-TGS-REP-OUT ::= SEQUENCE { cache [0] OCTET STRING SIZE (16), cred [1] KERB-CRED, subkey [2] EncryptionKey } KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE { armor [0] KrbFastArmor, armor-key [1] EncryptionKey } END -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1