path: root/third_party/heimdal/lib/asn1/krb5.asn1

-- $Id$

KERBEROS5 DEFINITIONS ::=
BEGIN
EXPORTS
	AD-AND-OR,
	AD-IF-RELEVANT,
	AD-KDCIssued,
	AD-LoginAlias,
	AP-REP,
	AP-REQ,
	AS-REP,
	AS-REQ,
	AUTHDATA-TYPE,
	Authenticator,
	AuthorizationData,
	AuthorizationDataElement,
	CKSUMTYPE,
	ChangePasswdDataMS,
	Checksum,
        CompositePrincipal,
	ENCTYPE,
	ETYPE-INFO,
	ETYPE-INFO-ENTRY,
	ETYPE-INFO2,
	ETYPE-INFO2-ENTRY,
	EncAPRepPart,
	EncASRepPart,
	EncKDCRepPart,
	EncKrbCredPart,
	EncKrbPrivPart,
	EncTGSRepPart,
	EncTicketPart,
	EncryptedData,
	EncryptionKey,
	EtypeList,
	HostAddress,
	HostAddresses,
	KDC-REQ-BODY,
	KDCOptions,
	KDC-REP,
	KRB-CRED,
	KRB-ERROR,
	KRB-PRIV,
	KRB-SAFE,
	KRB-SAFE-BODY,
	KerberosString,
	KerberosTime,
	KrbCredInfo,
	LR-TYPE,
	LastReq,
	METHOD-DATA,
	NAME-TYPE,
	PA-ClientCanonicalized,
	PA-ClientCanonicalizedNames,
	PA-DATA,
	PA-ENC-TS-ENC,
	PA-KERB-KEY-LIST-REP,
	PA-KERB-KEY-LIST-REQ,
	PA-PAC-OPTIONS,
	PA-PAC-REQUEST,
	PA-S4U2Self,
	PA-S4U-X509-USER,
	PA-SERVER-REFERRAL-DATA,
	PA-ServerReferralData,
	PA-SvrReferralData,
	PADATA-TYPE,
	PA-FX-FAST-REQUEST,
	PA-FX-FAST-REPLY,
	Principal,
	PrincipalName,
	Principals,
	Realm,
	TGS-REP,
	TGS-REQ,
	Ticket,
	TicketFlags,
	TransitedEncoding,
	TypedData,
	KrbFastResponse,
	KrbFastFinished,
	KrbFastReq,
	KrbFastArmor,
	KrbFastArmoredReq,
	KDCFastState,
	KDCFastCookie,
	KDC-PROXY-MESSAGE,
	KERB-AD-RESTRICTION-ENTRY,
	KERB-TIMES,
	KERB-CRED,
	KERB-TGS-REQ-IN,
	KERB-TGS-REQ-OUT,
	KERB-ARMOR-SERVICE-REPLY,
	KERB-ERROR-DATA
	;

NAME-TYPE ::= INTEGER {
	KRB5_NT_UNKNOWN(0),	-- Name type not known
	KRB5_NT_PRINCIPAL(1),	-- Just the name of the principal as in
	KRB5_NT_SRV_INST(2),	-- Service and other unique instance (krbtgt)
	KRB5_NT_SRV_HST(3),	-- Service with host name as instance
	KRB5_NT_SRV_XHST(4),	-- Service with host as remaining components
	KRB5_NT_UID(5),		-- Unique ID
	KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
	KRB5_NT_SMTP_NAME(7),	-- Name in form of SMTP email name
	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
	KRB5_NT_WELLKNOWN(11),	-- Wellknown
	KRB5_NT_SRV_HST_DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
	KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
	KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
	KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
	KRB5_NT_GSS_HOSTBASED_SERVICE(-1202), -- not used; remove
	KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
	KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- Internal: indicates that name canonicalization is needed
}

-- message types

MESSAGE-TYPE ::= INTEGER {
	krb-as-req(10), -- Request for initial authentication
	krb-as-rep(11), -- Response to KRB_AS_REQ request
	krb-tgs-req(12), -- Request for authentication based on TGT
	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
	krb-ap-req(14), -- application request to server
	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
	krb-safe(20), -- Safe (checksummed) application message
	krb-priv(21), -- Private (encrypted) application message
	krb-cred(22), -- Private (encrypted) message to forward credentials
	krb-error(30) -- Error response
}


-- pa-data types

PADATA-TYPE ::= INTEGER {
	KRB5-PADATA-NONE(0),
	KRB5-PADATA-TGS-REQ(1),
	KRB5-PADATA-AP-REQ(1),
	KRB5-PADATA-ENC-TIMESTAMP(2),
	KRB5-PADATA-PW-SALT(3),
	KRB5-PADATA-ENC-UNIX-TIME(5),
	KRB5-PADATA-SANDIA-SECUREID(6),
	KRB5-PADATA-SESAME(7),
	KRB5-PADATA-OSF-DCE(8),
	KRB5-PADATA-CYBERSAFE-SECUREID(9),
	KRB5-PADATA-AFS3-SALT(10),
	KRB5-PADATA-ETYPE-INFO(11),
	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
	KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
	KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
	KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
	KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
	KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
	KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
	KRB5-PADATA-ETYPE-INFO2(19),
	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
	KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
	KRB5-PADATA-SAM-ETYPE-INFO(23),
	KRB5-PADATA-SERVER-REFERRAL(25),
	KRB5-PADATA-ALT-PRINC(24),		-- (crawdad@fnal.gov)
	KRB5-PADATA-SAM-CHALLENGE2(30),		-- (kenh@pobox.com)
	KRB5-PADATA-SAM-RESPONSE2(31),		-- (kenh@pobox.com)
	KRB5-PA-EXTRA-TGT(41),			-- Reserved extra TGT
	KRB5-PADATA-FX-FAST-ARMOR(71),		-- fast armor
	KRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
	KRB5-PADATA-TD-APP-DEFINED-ERROR(106),	-- application specific
	KRB5-PADATA-TD-REQ-NONCE(107),		-- INTEGER
	KRB5-PADATA-TD-REQ-SEQ(108),		-- INTEGER
	KRB5-PADATA-PA-PAC-REQUEST(128),	-- jbrezak@exchange.microsoft.com
	KRB5-PADATA-FOR-USER(129),		-- MS-KILE
	KRB5-PADATA-FOR-X509-USER(130),		-- MS-KILE
	KRB5-PADATA-FOR-CHECK-DUPS(131),	-- MS-KILE
	KRB5-PADATA-AS-CHECKSUM(132),		-- MS-KILE
	KRB5-PADATA-PK-AS-09-BINDING(132),	-- client send this to
						-- tell KDC that is supports
						-- the asCheckSum in the
						--  PK-AS-REP
	KRB5-PADATA-FX-COOKIE(133),		-- krb-wg-preauth-framework
	KRB5-PADATA-AUTHENTICATION-SET(134),	-- krb-wg-preauth-framework
	KRB5-PADATA-AUTH-SET-SELECTED(135),	-- krb-wg-preauth-framework
	KRB5-PADATA-FX-FAST(136),		-- krb-wg-preauth-framework
	KRB5-PADATA-FX-ERROR(137),		-- krb-wg-preauth-framework
	KRB5-PADATA-ENCRYPTED-CHALLENGE(138),	-- krb-wg-preauth-framework
	KRB5-PADATA-OTP-CHALLENGE(141),		-- (gareth.richards@rsa.com)
	KRB5-PADATA-OTP-REQUEST(142),		-- (gareth.richards@rsa.com)
	KBB5-PADATA-OTP-CONFIRM(143),		-- (gareth.richards@rsa.com)
	KRB5-PADATA-OTP-PIN-CHANGE(144),	-- (gareth.richards@rsa.com)
	KRB5-PADATA-EPAK-AS-REQ(145),
	KRB5-PADATA-EPAK-AS-REP(146),
	KRB5-PADATA-PKINIT-KX(147),		-- krb-wg-anon
	KRB5-PADATA-PKU2U-NAME(148),		-- zhu-pku2u
	KRB5-PADATA-REQ-ENC-PA-REP(149),	--
	KRB5-PADATA-AS-FRESHNESS(150),		-- RFC 8070
	KER5-PADATA-KERB-KEY-LIST-REQ(161),	-- MS-KILE
	KER5-PADATA-KERB-PAKEY-LIST-REP(162),	-- MS-KILE
	KRB5-PADATA-SUPPORTED-ETYPES(165),	-- MS-KILE
	KRB5-PADATA-PAC-OPTIONS(167),		-- MS-KILE
	KRB5-PADATA-GSS(655)			-- krb-wg-gss-preauth

}

AUTHDATA-TYPE ::= INTEGER {
	KRB5-AUTHDATA-IF-RELEVANT(1),
	KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
	KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
	KRB5-AUTHDATA-KDC-ISSUED(4),
	KRB5-AUTHDATA-AND-OR(5),
	KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
	KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
	KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
	KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
	KRB5-AUTHDATA-OSF-DCE(64),
	KRB5-AUTHDATA-SESAME(65),
	KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
	KRB5-AUTHDATA-AUTHENTICATION-STRENGTH(70),
	KRB5-AUTHDATA-FX-FAST-ARMOR(71),
	KRB5-AUTHDATA-FX-FAST-USED(72),
	KRB5-AUTHDATA-WIN2K-PAC(128),
	KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
	KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
	KRB5-AUTHDATA-SIGNTICKET-OLD(142),
	KRB5-AUTHDATA-SIGNTICKET(512),
	KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised
	KRB5-AUTHDATA-KERB-LOCAL(141),		-- MS-KILE
	KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142),	-- MS-KILE
	KRB5-AUTHDATA-AP-OPTIONS(143),		-- MS-KILE
	KRB5-AUTHDATA-TARGET-PRINCIPAL(144),	-- MS-KILE
        -- N.B. these assignments have not been confirmed yet.
        --
        -- DO NOT USE in production yet!
	KRB5-AUTHDATA-ON-BEHALF-OF(580),      -- UTF8String princ name
	KRB5-AUTHDATA-BEARER-TOKEN-JWT(581),  -- JWT token
	KRB5-AUTHDATA-BEARER-TOKEN-SAML(582), -- SAML token
	KRB5-AUTHDATA-BEARER-TOKEN-OIDC(583), -- OIDC token
	KRB5-AUTHDATA-CSR-AUTHORIZED(584),     -- Proxy has authorized client
                                              -- to requested exts in CSR
	KRB5-AUTHDATA-GSS-COMPOSITE-NAME(655) -- gss_export_name_composite
}

-- checksumtypes

CKSUMTYPE ::= INTEGER {
	CKSUMTYPE_NONE(0),
	CKSUMTYPE_CRC32(1),
	CKSUMTYPE_RSA_MD4(2),
	CKSUMTYPE_RSA_MD4_DES(3),
	CKSUMTYPE_DES_MAC(4),
	CKSUMTYPE_DES_MAC_K(5),
	CKSUMTYPE_RSA_MD4_DES_K(6),
	CKSUMTYPE_RSA_MD5(7),
	CKSUMTYPE_RSA_MD5_DES(8),
	CKSUMTYPE_RSA_MD5_DES3(9),
	CKSUMTYPE_SHA1_OTHER(10),
	CKSUMTYPE_HMAC_SHA1_DES3(12),
	CKSUMTYPE_SHA1(14),
	CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
	CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
	CKSUMTYPE_HMAC_SHA256_128_AES128(19),
	CKSUMTYPE_HMAC_SHA384_192_AES256(20),
	CKSUMTYPE_GSSAPI(0x8003),
	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
	CKSUMTYPE_HMAC_MD5_ENC(-1138),	-- even more unofficial
	CKSUMTYPE_SHA256(-21),
	CKSUMTYPE_SHA384(-22),
	CKSUMTYPE_SHA512(-23)
}

--enctypes
ENCTYPE ::= INTEGER {
	KRB5_ENCTYPE_NULL(0),
	KRB5_ENCTYPE_DES_CBC_CRC(1),
	KRB5_ENCTYPE_DES_CBC_MD4(2),
	KRB5_ENCTYPE_DES_CBC_MD5(3),
	KRB5_ENCTYPE_DES3_CBC_MD5(5),
	KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
	KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
	KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
	KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
	KRB5_ENCTYPE_DES3_CBC_SHA1(16),	-- with key derivation
	KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
	KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
	KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128(19),
	KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192(20),
	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
	KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
-- some "old" windows types
	KRB5_ENCTYPE_ARCFOUR_MD4(-128),
	KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
	KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use
	KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
	KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
	KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
	KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
	KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004),		-- private use, lukeh@padl.com
	KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005)		-- private use, lukeh@padl.com
}




-- this is sugar to make something ASN1 does not have: unsigned

Krb5UInt32 ::= INTEGER (0..4294967295)
Krb5Int32 ::= INTEGER (-2147483648..2147483647)

KerberosString  ::= GeneralString

Realm ::= GeneralString
PrincipalName ::= SEQUENCE {
	name-type[0]		NAME-TYPE,
	name-string[1]		SEQUENCE OF GeneralString
}

HostAddress ::= SEQUENCE  {
	addr-type[0]		Krb5Int32,
	address[1]		OCTET STRING
}

-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
-- 	addr-type[0]		Krb5Int32,
--	address[1]		OCTET STRING
-- }

-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress


KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

AuthorizationDataElement ::= SEQUENCE {
	ad-type[0]		Krb5Int32,
	ad-data[1]		OCTET STRING
}

AuthorizationData ::= SEQUENCE OF AuthorizationDataElement

APOptions ::= BIT STRING {
	reserved(0),
	use-session-key(1),
	mutual-required(2)
}

TicketFlags ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	may-postdate(5),
	postdated(6),
	invalid(7),
	renewable(8),
	initial(9),
	pre-authent(10),
	hw-authent(11),
	transited-policy-checked(12),
	ok-as-delegate(13),
	enc-pa-rep(15),
	anonymous(16)
}

KDCOptions ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	allow-postdate(5),
	postdated(6),
	renewable(8),
	cname-in-addl-tkt(14), -- ms extension
	canonicalize(15),
	request-anonymous(16),
	disable-transited-check(26),
	renewable-ok(27),
	enc-tkt-in-skey(28),
	renew(30),
	validate(31)
}

LR-TYPE ::= INTEGER {
	LR_NONE(0),		-- no information
	LR_INITIAL_TGT(1),	-- last initial TGT request
	LR_INITIAL(2),		-- last initial request
	LR_ISSUE_USE_TGT(3),	-- time of newest TGT used
	LR_RENEWAL(4),		-- time of last renewal
	LR_REQUEST(5),		-- time of last request (of any type)
	LR_PW_EXPTIME(6),	-- expiration time of password
	LR_ACCT_EXPTIME(7)	-- expiration time of account
}

LastReq ::= SEQUENCE OF SEQUENCE {
	lr-type[0]		LR-TYPE,
	lr-value[1]		KerberosTime
}


EncryptedData ::= SEQUENCE {
	etype[0] 		ENCTYPE, -- EncryptionType
	kvno[1]			Krb5Int32 OPTIONAL,
	cipher[2]		OCTET STRING -- ciphertext
}

EncryptionKey ::= SEQUENCE {
	keytype[0]		Krb5Int32,
	keyvalue[1]		OCTET STRING
}

-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
	tr-type[0]		Krb5Int32, -- must be registered
	contents[1]		OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
	tkt-vno[0]		Krb5Int32,
	realm[1]		Realm,
	sname[2]		PrincipalName,
	enc-part[3]		EncryptedData
}
-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
	flags[0]		TicketFlags,
	key[1]			EncryptionKey,
	crealm[2]		Realm,
	cname[3]		PrincipalName,
	transited[4]		TransitedEncoding,
	authtime[5]		KerberosTime,
	starttime[6]		KerberosTime OPTIONAL,
	endtime[7]		KerberosTime,
	renew-till[8]		KerberosTime OPTIONAL,
	caddr[9]		HostAddresses OPTIONAL,
	authorization-data[10]	AuthorizationData OPTIONAL
}

Checksum ::= SEQUENCE {
	cksumtype[0]		CKSUMTYPE,
	checksum[1]		OCTET STRING
}

-- For GSS name attributes [RFC6680] we'll decorate Principal (which is not an
-- RFC4120 type, but which we use a) in HDB, b) in the API as that which
-- krb5_principal points to) with PrincipalNameAttrs.
--
-- Attributes have three possible sources in Heimdal Kerberos at this time:
--
--  - the EncKDCRepPart (for the client's attributes on the client side)
--  - the EncTicketPart (for the client's attributes on the server side)
--  - the Authenticator's AuthorizationData (if any; server-side)
--
-- In principle there can be more:
--
--  - locally-set (asserted) attributes
--  - locally-looked-up attributes (e.g., in LDAP)
--  - locally-transformed attributes (e.g., local groups, filtered SIDs from a
--    PAC, etc.)
--
-- We could also cache "cooked" attributes as reported by the RFC6680 API given
-- the sources we have.
--
-- For now we'll only support authenticated attributes where those come from
-- the KDC, and attributes asserted in Authenticator authz-data.
PrincipalNameAttrSrc ::= CHOICE {
        enc-kdc-rep-part    [0] EncKDCRepPart,  -- minus session key
        enc-ticket-part     [1] EncTicketPart   -- minus session key
}
PrincipalNameAttrs ::= SEQUENCE {
        -- True if this name was authenticated via an AP-REQ or a KDC-REP
        authenticated       [0]     BOOLEAN,
        -- These are compiled from the Ticket, KDC-REP, and/or Authenticator
        source              [1]     PrincipalNameAttrSrc OPTIONAL,
        authenticator-ad    [2]     AuthorizationData OPTIONAL,
        -- For the server on the client side we should keep track of the
        -- transit path taken to reach it (if absent -> unknown).
        --
        -- We don't learn much more about the server from the KDC.
        peer-realm          [3]     Realm OPTIONAL,
        transited           [4]     TransitedEncoding OPTIONAL,
        -- True if the PAC was verified
        pac-verified        [5]     BOOLEAN,
        -- True if any AD-KDC-ISSUEDs in the Ticket were validated
        kdc-issued-verified [6]     BOOLEAN,
        -- TODO: Add requested attributes, for gss_set_name_attribute(), which
        --       should cause corresponding authz-data elements to be added to
        --       any TGS-REQ or to the AP-REQ's Authenticator as appropriate.
        want-ad             [7]     AuthorizationData OPTIONAL
}
-- This is our type for exported composite name tokens for GSS [RFC6680].
-- It's the same as Principal (below) as decorated with (see krb5.opt file and
-- asn1_compile usage), except it's not decorated, so the name attributes are
-- encoded/decoded.
CompositePrincipal ::= [APPLICATION 48] SEQUENCE {
	name[0]			PrincipalName,
	realm[1]		Realm,
        nameattrs[2]            PrincipalNameAttrs OPTIONAL
}

-- This is not part of RFC1510/RFC4120.  We use this internally as our
-- krb5_principal (which is a typedef of *Principal), and in HDB entries.
Principal ::= SEQUENCE {
	name[0]			PrincipalName,
	realm[1]		Realm
        -- This will be decorated with an optional nameattrs field of
        -- PrincipalNameAttrs type that doesn't get encoded.  Same as
        -- CompositePrincipal above, except that CompositePrincipal's
        -- nameattrs field does get encoded, while Principal's does not:
        --
        -- nameattrs[2]         PrincipalNameAttrs OPTIONAL
}

Principals ::= SEQUENCE OF Principal

Authenticator ::= [APPLICATION 2] SEQUENCE    {
	authenticator-vno[0]	Krb5Int32,
	crealm[1]		Realm,
	cname[2]		PrincipalName,
	cksum[3]		Checksum OPTIONAL,
	cusec[4]		Krb5Int32,
	ctime[5]		KerberosTime,
	subkey[6]		EncryptionKey OPTIONAL,
	seq-number[7]		Krb5UInt32 OPTIONAL,
	authorization-data[8]	AuthorizationData OPTIONAL
}

PA-DATA ::= SEQUENCE {
	-- might be encoded AP-REQ
	padata-type[1]		PADATA-TYPE,
	padata-value[2]		OCTET STRING
}

ETYPE-INFO-ENTRY ::= SEQUENCE {
	etype[0]		ENCTYPE,
	salt[1]			OCTET STRING OPTIONAL,
	salttype[2]		Krb5Int32 OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

ETYPE-INFO2-ENTRY ::= SEQUENCE {
	etype[0]		ENCTYPE,
	salt[1]			KerberosString OPTIONAL,
	s2kparams[2]		OCTET STRING OPTIONAL
}

ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

METHOD-DATA ::= SEQUENCE OF PA-DATA

TypedData ::=   SEQUENCE {
	data-type[0]		Krb5Int32,
	data-value[1]		OCTET STRING OPTIONAL
}

TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData

KDC-REQ-BODY ::= SEQUENCE {
	kdc-options[0]		KDCOptions,
	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
	realm[2]		Realm,	-- Server's realm
					-- Also client's in AS-REQ
	sname[3]		PrincipalName OPTIONAL,
	from[4]			KerberosTime OPTIONAL,
	till[5]			KerberosTime OPTIONAL,
	rtime[6]		KerberosTime OPTIONAL,
	nonce[7]		Krb5Int32,
	etype[8]		SEQUENCE OF ENCTYPE, -- EncryptionType,
					-- in preference order
	addresses[9]		HostAddresses OPTIONAL,
	enc-authorization-data[10] EncryptedData OPTIONAL,
					-- Encrypted AuthorizationData encoding
	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
}

KDC-REQ ::= SEQUENCE {
	pvno[1]			Krb5Int32,
	msg-type[2]		MESSAGE-TYPE,
	padata[3]		METHOD-DATA OPTIONAL,
	req-body[4]		KDC-REQ-BODY
}

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC

PA-ENC-TS-ENC ::= SEQUENCE {
	patimestamp[0]		KerberosTime, -- client's time
	pausec[1]		Krb5Int32 OPTIONAL
}

-- draft-brezak-win2k-krb-authz-01
PA-PAC-REQUEST ::= SEQUENCE {
	include-pac[0]		BOOLEAN -- Indicates whether a PAC
					-- should be included or not
}

-- MS-KILE

KERB-ERROR-DATA ::= SEQUENCE {
        data-type [1] KerbErrorDataType,
        data-value [2] OCTET STRING OPTIONAL
}

KerbErrorDataType ::= INTEGER {
        kERB-AP-ERR-TYPE-SKEW-RECOVERY(2),
        kERB-ERR-TYPE-EXTENDED(3)
}

-- MS-KILE/MS-SFU
PAC-OPTIONS-FLAGS ::= BIT STRING {
	claims(0),
	branch-aware(1),
	forward-to-full-dc(2),
	resource-based-constrained-delegation(3)
}

-- MS-KILE
PA-PAC-OPTIONS ::= SEQUENCE {
	flags [0] PAC-OPTIONS-FLAGS
}

-- MS-KILE
-- captures show that [UNIVERSAL 16] is required to parse it
KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
	restriction-type	[0] Krb5Int32,
	restriction		[1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
}

-- MS-KILE Section 2.2.11
PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE

-- MS-KILE Section 2.2.12

PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,

-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
PROV-SRV-LOCATION ::= GeneralString

KDC-REP ::= SEQUENCE {
	pvno[0]			Krb5Int32,
	msg-type[1]		MESSAGE-TYPE,
	padata[2]		METHOD-DATA OPTIONAL,
	crealm[3]		Realm,
	cname[4]		PrincipalName,
	ticket[5]		Ticket,
	enc-part[6]		EncryptedData
}

AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP

EncKDCRepPart ::= SEQUENCE {
	key[0]			EncryptionKey,
	last-req[1]		LastReq,
	nonce[2]		Krb5Int32,
	key-expiration[3]	KerberosTime OPTIONAL,
	flags[4]		TicketFlags,
	authtime[5]		KerberosTime,
	starttime[6]		KerberosTime OPTIONAL,
	endtime[7]		KerberosTime,
	renew-till[8]		KerberosTime OPTIONAL,
	srealm[9]		Realm,
	sname[10]		PrincipalName,
	caddr[11]		HostAddresses OPTIONAL,
	encrypted-pa-data[12]	METHOD-DATA OPTIONAL
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

AP-REQ ::= [APPLICATION 14] SEQUENCE {
	pvno[0]			Krb5Int32,
	msg-type[1]		MESSAGE-TYPE,
	ap-options[2]		APOptions,
	ticket[3]		Ticket,
	authenticator[4]	EncryptedData
}

AP-REP ::= [APPLICATION 15] SEQUENCE {
	pvno[0]			Krb5Int32,
	msg-type[1]		MESSAGE-TYPE,
	enc-part[2]		EncryptedData
}

EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
	ctime[0]		KerberosTime,
	cusec[1]		Krb5Int32,
	subkey[2]		EncryptionKey OPTIONAL,
	seq-number[3]		Krb5UInt32 OPTIONAL
}

KRB-SAFE-BODY ::= SEQUENCE {
	user-data[0]		OCTET STRING,
	timestamp[1]		KerberosTime OPTIONAL,
	usec[2]			Krb5Int32 OPTIONAL,
	seq-number[3]		Krb5UInt32 OPTIONAL,
	s-address[4]		HostAddress OPTIONAL,
	r-address[5]		HostAddress OPTIONAL
}

KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
	pvno[0]			Krb5Int32,
	msg-type[1]		MESSAGE-TYPE,
	safe-body[2]		KRB-SAFE-BODY,
	cksum[3]		Checksum
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
	pvno[0]			Krb5Int32,
	msg-type[1]		MESSAGE-TYPE,
	enc-part[3]		EncryptedData
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
	user-data[0]		OCTET STRING,
	timestamp[1]		KerberosTime OPTIONAL,
	usec[2]			Krb5Int32 OPTIONAL,
	seq-number[3]		Krb5UInt32 OPTIONAL,
	s-address[4]		HostAddress OPTIONAL, -- sender's addr
	r-address[5]		HostAddress OPTIONAL  -- recip's addr
}

KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
	pvno[0]			Krb5Int32,
	msg-type[1]		MESSAGE-TYPE, -- KRB_CRED
	tickets[2]		SEQUENCE OF Ticket,
	enc-part[3]		EncryptedData
}

KrbCredInfo ::= SEQUENCE {
	key[0]			EncryptionKey,
	prealm[1]		Realm OPTIONAL,
	pname[2]		PrincipalName OPTIONAL,
	flags[3]		TicketFlags OPTIONAL,
	authtime[4]		KerberosTime OPTIONAL,
	starttime[5]		KerberosTime OPTIONAL,
	endtime[6] 		KerberosTime OPTIONAL,
	renew-till[7]		KerberosTime OPTIONAL,
	srealm[8]		Realm OPTIONAL,
	sname[9]		PrincipalName OPTIONAL,
	caddr[10]		HostAddresses OPTIONAL
}

EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
	ticket-info[0]		SEQUENCE OF KrbCredInfo,
	nonce[1]		Krb5Int32 OPTIONAL,
	timestamp[2]		KerberosTime OPTIONAL,
	usec[3]			Krb5Int32 OPTIONAL,
	s-address[4]		HostAddress OPTIONAL,
	r-address[5]		HostAddress OPTIONAL
}

KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
	pvno[0]			Krb5Int32,
	msg-type[1]		MESSAGE-TYPE,
	ctime[2]		KerberosTime OPTIONAL,
	cusec[3]		Krb5Int32 OPTIONAL,
	stime[4]		KerberosTime,
	susec[5]		Krb5Int32,
	error-code[6]		Krb5Int32,
	crealm[7]		Realm OPTIONAL,
	cname[8]		PrincipalName OPTIONAL,
	realm[9]		Realm, -- Correct realm
	sname[10]		PrincipalName, -- Correct name
	e-text[11]		GeneralString OPTIONAL,
	e-data[12]		OCTET STRING OPTIONAL
}

ChangePasswdDataMS ::= SEQUENCE {
	newpasswd[0]		OCTET STRING,
	targname[1]		PrincipalName OPTIONAL,
	targrealm[2]		Realm OPTIONAL
}

EtypeList ::= SEQUENCE OF ENCTYPE
	-- the client's proposed enctype list in
	-- decreasing preference order, favorite choice first

krb5-pvno Krb5Int32 ::= 5 -- current Kerberos protocol version number

-- transited encodings

domain-X500-Compress	Krb5Int32 ::= 1

-- authorization data primitives

AD-IF-RELEVANT ::= AuthorizationData

AD-KDCIssued ::= SEQUENCE {
	ad-checksum[0]		Checksum,
	i-realm[1]		Realm OPTIONAL,
	i-sname[2]		PrincipalName OPTIONAL,
	elements[3]		AuthorizationData
}

AD-AND-OR ::= SEQUENCE {
	condition-count[0]	Krb5Int32,
	elements[1]		AuthorizationData
}

AD-MANDATORY-FOR-KDC ::= AuthorizationData

-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2

PA-SAM-TYPE ::= INTEGER {
	PA_SAM_TYPE_ENIGMA(1),		-- Enigma Logic
	PA_SAM_TYPE_DIGI_PATH(2),	-- Digital Pathways
	PA_SAM_TYPE_SKEY_K0(3),		-- S/key where  KDC has key 0
	PA_SAM_TYPE_SKEY(4),		-- Traditional S/Key
	PA_SAM_TYPE_SECURID(5),		-- Security Dynamics
	PA_SAM_TYPE_CRYPTOCARD(6)	-- CRYPTOCard
}

PA-SAM-REDIRECT ::= HostAddresses

SAMFlags ::= BIT STRING {
	use-sad-as-key(0),
	send-encrypted-sad(1),
	must-pk-encrypt-sad(2)
}

PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
	sam-type[0]		Krb5Int32,
	sam-flags[1]		SAMFlags,
	sam-type-name[2]	GeneralString OPTIONAL,
	sam-track-id[3]		GeneralString OPTIONAL,
	sam-challenge-label[4]	GeneralString OPTIONAL,
	sam-challenge[5]	GeneralString OPTIONAL,
	sam-response-prompt[6]	GeneralString OPTIONAL,
	sam-pk-for-sad[7]	EncryptionKey OPTIONAL,
	sam-nonce[8]		Krb5Int32,
	sam-etype[9]		Krb5Int32,
	...
}

PA-SAM-CHALLENGE-2 ::= SEQUENCE {
	sam-body[0]		PA-SAM-CHALLENGE-2-BODY,
	sam-cksum[1]		SEQUENCE OF Checksum, -- (1..MAX)
	...
}

PA-SAM-RESPONSE-2 ::= SEQUENCE {
	sam-type[0]		Krb5Int32,
	sam-flags[1]		SAMFlags,
	sam-track-id[2]		GeneralString OPTIONAL,
	sam-enc-nonce-or-sad[3]	EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
	sam-nonce[4]		Krb5Int32,
	...
}

PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
	sam-nonce[0]		Krb5Int32,
	sam-sad[1]		GeneralString OPTIONAL,
	...
}

PA-S4U2Self ::= SEQUENCE {
	name[0]		PrincipalName,
        realm[1]	Realm,
        cksum[2]	Checksum,
        auth[3]		GeneralString
}

PA-S4U-X509-USER::= SEQUENCE {
	user-id[0] S4UUserID,
	checksum[1] Checksum
}

S4UUserID ::= SEQUENCE {
	nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY
	cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
	crealm [2] Realm,
	subject-certificate [3] OCTET STRING OPTIONAL,
	options [4] BIT STRING OPTIONAL,
	...
}

AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
	login-alias	[0] PrincipalName,
	checksum	[1] Checksum
}

-- old ms referral
PA-SvrReferralData ::= SEQUENCE {
	referred-name   [1] PrincipalName OPTIONAL,
	referred-realm  [0] Realm
}

PA-SERVER-REFERRAL-DATA ::= EncryptedData

PA-ServerReferralData ::= SEQUENCE {
	referred-realm		[0] Realm OPTIONAL,
	true-principal-name	[1] PrincipalName OPTIONAL,
	requested-principal-name [2] PrincipalName OPTIONAL,
	referral-valid-until     [3] KerberosTime OPTIONAL,
	...
}

FastOptions ::= BIT STRING {
	    reserved(0),
	    hide-client-names(1),
	    critical2(2),
	    critical3(3),
	    critical4(4),
	    critical5(5),
	    critical6(6),
	    critical7(7),
	    critical8(8),
	    critical9(9),
	    critical10(10),
	    critical11(11),
	    critical12(12),
	    critical13(13),
	    critical14(14),
	    critical15(15),
	    kdc-follow-referrals(16)
}

KrbFastReq ::= SEQUENCE {
	fast-options [0] FastOptions,
	padata       [1] METHOD-DATA,
	req-body     [2] KDC-REQ-BODY,
	...
}

KrbFastArmor ::= SEQUENCE {
	armor-type   [0] Krb5Int32,
	armor-value  [1] OCTET STRING,
        ...
}

KrbFastArmoredReq ::= SEQUENCE {
	armor        [0] KrbFastArmor OPTIONAL,
	req-checksum [1] Checksum,
	enc-fast-req [2] EncryptedData -- KrbFastReq --
}

PA-FX-FAST-REQUEST ::= CHOICE {
	armored-data [0] KrbFastArmoredReq,
	...
}

KrbFastFinished ::= SEQUENCE {
	timestamp   [0] KerberosTime,
	usec        [1] Krb5Int32,
	crealm      [2] Realm,
	cname       [3] PrincipalName,
	ticket-checksum [4] Checksum,
	...
}

KrbFastResponse ::= SEQUENCE {
	padata      	[0] METHOD-DATA,
        strengthen-key	[1] EncryptionKey OPTIONAL,
	finished	[2] KrbFastFinished OPTIONAL,
        nonce		[3] Krb5UInt32,
	...
}

KrbFastArmoredRep ::= SEQUENCE {
	enc-fast-rep      [0] EncryptedData, -- KrbFastResponse --
	...
}

PA-FX-FAST-REPLY ::= CHOICE {
	armored-data [0] KrbFastArmoredRep,
	...
}

KDCFastFlags ::= BIT STRING {
	use-reply-key(0),
	reply-key-used(1),
	reply-key-replaced(2),
	kdc-verified(3),
	requested-hidden-names(4)
}

-- KDCFastState is stored in FX_COOKIE
KDCFastState ::= SEQUENCE {
	flags [0] KDCFastFlags,
	expiration [1] GeneralizedTime,
	fast-state [2] METHOD-DATA,
	expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
}

KDCFastCookie ::= SEQUENCE {
	version [0] UTF8String,
	cookie [1] EncryptedData
}

KDC-PROXY-MESSAGE ::= SEQUENCE {
	kerb-message	[0] OCTET STRING,
	target-domain	[1] Realm OPTIONAL,
	dclocator-hint	[2] INTEGER OPTIONAL
}

-- these messages are used in the GSSCred communication and is not part of Kerberos propper

KERB-TIMES ::= SEQUENCE {
	authtime	[0] KerberosTime,
	starttime	[1] KerberosTime,
	endtime		[2] KerberosTime,
	renew_till	[3] KerberosTime
}

KERB-CRED ::= SEQUENCE {
	client		[0] Principal,
	server		[1] Principal,
	keyblock	[2] EncryptionKey,
	times		[3] KERB-TIMES,
	ticket		[4] OCTET STRING,
	authdata	[5] OCTET STRING,
	addresses	[6] HostAddresses,
	flags		[7] TicketFlags
}

KERB-TGS-REQ-IN ::= SEQUENCE {
	cache		[0] OCTET STRING SIZE (16),
	addrs		[1] HostAddresses,
	flags		[2] Krb5UInt32,
	imp		[3] Principal OPTIONAL,
	ticket		[4] OCTET STRING OPTIONAL,
	in_cred		[5] KERB-CRED,
	krbtgt		[6] KERB-CRED,
	padata		[7] METHOD-DATA
}

KERB-TGS-REQ-OUT ::= SEQUENCE {
	subkey		[0] EncryptionKey OPTIONAL,
	t		[1] TGS-REQ
}



KERB-TGS-REP-IN ::= SEQUENCE {
	cache		[0] OCTET STRING SIZE (16),
	subkey		[1] EncryptionKey OPTIONAL,
	in_cred		[2] KERB-CRED,
	t		[3] TGS-REP
}

KERB-TGS-REP-OUT ::= SEQUENCE {
	cache		[0] OCTET STRING SIZE (16),
	cred		[1] KERB-CRED,
	subkey		[2] EncryptionKey
}

KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
	armor		[0] KrbFastArmor,
	armor-key	[1] EncryptionKey
}

END

-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1