--NOTE: we have to accommodate BOTH existing users of early drafts, such as --packetcable as well as new users once the protocol is standardized. -- --This asn1 file is based on draft-ietf-cat-kerberos-pk-init-20.txt --but has been modified to accommodate the Wireshark asn2wrs compiler --and our environment -- --new structures are uncommented and added on demand as they are required -- --Copyright (C) The Internet Society (2004). This document is subject --to the rights, licenses and restrictions contained in BCP 78, and --except as set forth therein, the authors retain all their rights. -- -- --This document and the information contained herein are provided on an --"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS --OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET --ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, --INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE --INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED --WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. -- KerberosV5-PK-INIT-SPEC { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) modules(4) pkinit(5) } DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS SubjectPublicKeyInfo, AlgorithmIdentifier, Name FROM PKIX1Explicit88 { iso (1) identified-organization (3) dod (6) internet (1) security (5) mechanisms (5) pkix (7) id-mod (0) id-pkix1-explicit (18) } ContentInfo, IssuerAndSerialNumber FROM CryptographicMessageSyntax { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1) } KerberosTime, TYPED-DATA, PrincipalName, Realm, EncryptionKey FROM KerberosV5Spec2 { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) modules(4) krb5spec2(2) } ; -- id-pkinit OBJECT IDENTIFIER ::= -- { iso (1) org (3) dod (6) internet (1) security (5) -- kerberosv5 (2) pkinit (3) } -- -- -- id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 } -- id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 } -- id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 } -- id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 } -- id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 } -- -- -- pa-pk-as-req INTEGER ::= TBD -- pa-pk-as-rep INTEGER ::= TBD -- pa-pk-ocsp-req INTEGER ::= TBD -- pa-pk-ocsp-rep INTEGER ::= TBD -- -- -- ad-initial-verified-cas INTEGER ::= TBD -- -- -- td-dh-parameters INTEGER ::= TBD -- td-trusted-certifiers INTEGER ::= 104 -- td-certificate-index INTEGER ::= 105 PaPkAsReq ::= SEQUENCE { signedAuthPack [0] ContentInfo, trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, kdcCert [2] IssuerAndSerialNumber OPTIONAL, ... } TrustedCA ::= CHOICE { caName [0] Name, issuerAndSerial [2] IssuerAndSerialNumber, ... } DHNonce ::= OCTET STRING AuthPack ::= SEQUENCE { pkAuthenticator [0] PKAuthenticator, clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL, clientDHNonce [3] DHNonce OPTIONAL, ... } PKAuthenticator ::= SEQUENCE { cusec [0] INTEGER, ctime [1] KerberosTime, nonce [2] INTEGER (0..4294967295), -- paChecksum [3] Checksum, # changed during draft-ietf-cat-kerberos-pk-init* from Checksum to OCTET STRING OPTIONAL paChecksum [3] OCTET STRING OPTIONAL, ... } -- -- TrustedCertifiers ::= SEQUENCE OF Name -- -- -- CertificateIndex ::= IssuerAndSerialNumber -- -- KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName } -- -- -- InitialVerifiedCAs ::= SEQUENCE OF SEQUENCE { -- ca [0] Name, -- validated [1] BOOLEAN, -- ... -- } -- PaPkAsRep ::= CHOICE { dhSignedData [0] ContentInfo, encKeyPack [1] ContentInfo, ... } KDCDHKeyInfo ::= SEQUENCE { subjectPublicKey [0] BIT STRING, nonce [1] INTEGER, dhKeyExpiration [2] KerberosTime OPTIONAL, ... } -- -- ReplyKeyPack ::= SEQUENCE { -- replyKey [0] EncryptionKey, -- nonce [1] INTEGER (0..4294967295), -- ... -- } -- Windows compat glue -- PKAuthenticator-Win2k ::= SEQUENCE { kdcName [0] PrincipalName, kdcRealm [1] Realm, cusec [2] INTEGER (0..4294967295), ctime [3] KerberosTime, nonce [4] INTEGER (-2147483648..2147483647), ... } PA-PK-AS-REQ-Win2k ::= SEQUENCE { signed-auth-pack [0] ContentInfo, trusted-certifiers [2] SEQUENCE OF TrustedCA OPTIONAL, kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL, encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL, ... } PA-PK-AS-REP-Win2k ::= PaPkAsRep END