-- $Source: /mit/krb5/.cvsroot/src/lib/krb5/asn.1/KRB5-asn.py,v $
-- $Author: tytso $
-- $Id: KRB5-asn.py,v 5.25 1993/09/22 00:42:36 tytso Exp $
--
-- Copyright 1989 by the Massachusetts Institute of Technology.
--
-- Export of this software from the United States of America may
-- require a specific license from the United States Government.
-- It is the responsibility of any person or organization contemplating
-- export to obtain such a license before exporting.
--
-- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-- distribute this software and its documentation for any purpose and
-- without fee is hereby granted, provided that the above copyright
-- notice appear in all copies and that both that copyright notice and
-- this permission notice appear in supporting documentation, and that
-- the name of M.I.T. not be used in advertising or publicity pertaining
-- to distribution of the software without specific, written prior
-- permission. M.I.T. makes no representations about the suitability of
-- this software for any purpose. It is provided "as is" without express
-- or implied warranty.
--
-- ASN.1 definitions for the kerberos network objects
--
-- Do not change the order of any structure containing some
-- element_KRB5_xx unless the corresponding translation code is also
-- changed.
--
--#SS.basic slinked--
--#SS.sized array--
--#SS.struct extra-ptr-type--
KRB5 DEFINITIONS EXPLICIT TAGS ::=
BEGIN
-- needed to do the Right Thing with pepsy; this isn't a valid ASN.1
-- token, however.
-- SECTIONS encode decode none
-- the order of stuff in this file matches the order in the draft RFC
-- Realm name. GeneralString is unconstrained here (no size or character
-- set limit), so any length/charset validation has to happen in the
-- consuming code rather than in the generated codec.
KERB-REALM ::= GeneralString
-- A single host address: addr-type is the address family code and address
-- the raw, family-specific bytes. No length constraint at the ASN.1 level,
-- so the consumer must check that the length matches addr-type.
KERB-HOST-ADDRESS ::= SEQUENCE {
addr-type[0] INTEGER,
address[1] OCTET STRING
}
-- List of host addresses. The element is spelled out inline (with the field
-- named address-type) instead of SEQUENCE OF KERB-HOST-ADDRESS; the tags are
-- the same so the wire encoding is identical -- the separate P- type is
-- presumably for the pepsy-generated C representation. Confirm before merging.
PKERB-HOST-ADDRESSES ::= SEQUENCE OF SEQUENCE {
address-type[0] INTEGER,
address[1] OCTET STRING
}
-- Authorization-data list: each element is an ad-type code plus an opaque
-- payload. auth-data is not decoded here; whatever nested structure the
-- ad-type implies is decoded by the consumer of that type.
PKERB-AUTHORIZATION-DATA ::= SEQUENCE OF SEQUENCE {
auth-data-type[0] INTEGER,
auth-data[1] OCTET STRING
}
-- A list of auth data for separate packing
-- Plain alias of PKERB-AUTHORIZATION-DATA, given its own top-level name so
-- pepsy emits a separate public encoder/decoder for it.
PKERB-AUTHORIZATION-DATA-LIST ::= PKERB-AUTHORIZATION-DATA --#public--
-- KDC option flags carried in KERB-KDC-REQUEST-BODY.kdc-options; the bit
-- assignments are not defined in this module.
KERB-KDC-OPTIONS ::= BIT STRING
-- LastReq list for the encrypted KDC reply: each entry is a type code and a
-- timestamp. Forward reference to KERB-TIME (defined just below) is fine.
PKERB-LAST-REQUEST ::= SEQUENCE OF SEQUENCE {
last-request-type[0] INTEGER,
last-request-value[1] KERB-TIME
}
-- Every timestamp in this module uses this type. The note below says the
-- value is expected with the Z (UTC) suffix; whether the decoder rejects
-- other GeneralizedTime forms is not visible here -- confirm.
KERB-TIME ::= GeneralizedTime -- Specifying UTC time zone (Z)
-- Principal name: a name-type code plus the name components as a list of
-- GeneralStrings. An empty component list is syntactically valid here.
KERB-PRINCIPAL-NAME ::= SEQUENCE{
name-type[0] INTEGER,
name-string[1] SEQUENCE OF GeneralString
}
-- Sequence numbers. The LARGE variant (used by KERB-AUTHENTICATOR) accepts
-- both the signed and the unsigned 32-bit range, presumably so peers that
-- encode the value as a signed int still decode -- confirm.
KERB-SEQUENCE-NUMBER-LARGE ::= INTEGER (-2147483648..4294967295)
-- Unsigned 32-bit only; used by the AP-REPLY, SAFE and PRIV types below.
KERB-SEQUENCE-NUMBER ::= INTEGER (0..4294967295)
-- Ticket extension list (type code + opaque data), carried as tag [4] of
-- KERB-TICKET.
PKERB-TICKET-EXTENSIONS ::= SEQUENCE OF SEQUENCE {
te-type[0] INTEGER,
te-data[1] OCTET STRING
}
-- Ticket, APPLICATION 1. encrypted-part holds the EncTicketPart
-- (KERB-ENCRYPTED-TICKET) and is the only protected portion; realm and
-- server-name are in the clear. ticket-extensions [4] goes beyond the
-- RFC 1510 Ticket ([0]..[3]), so confirm peers tolerate it before relying
-- on it.
KERB-TICKET ::= [APPLICATION 1] SEQUENCE {
ticket-version[0] INTEGER,
realm[1] KERB-REALM,
server-name[2] KERB-PRINCIPAL-NAME,
encrypted-part[3] KERB-ENCRYPTED-DATA, -- EncTicketPart
ticket-extensions[4] PKERB-TICKET-EXTENSIONS OPTIONAL
} --#public--
-- Realms a cross-realm ticket passed through. contents is opaque here; its
-- format is selected by transited-type, of which only value 1 is supported
-- per the note below.
KERB-TRANSITED-ENCODING ::= SEQUENCE {
transited-type[0] INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS
contents[1] OCTET STRING
}
-- Encrypted part of ticket
-- EncTicketPart, APPLICATION 3: the plaintext of KERB-TICKET.encrypted-part.
-- Carries the session key, the client identity, the validity window and the
-- optional address/authorization-data restrictions. Tags [0]..[10] match
-- RFC 1510 EncTicketPart.
KERB-ENCRYPTED-TICKET ::= [APPLICATION 3] SEQUENCE {
flags[0] KERB-TICKET-FLAGS,
key[1] KERB-ENCRYPTION-KEY, -- session key
client-realm[2] KERB-REALM,
client-name[3] KERB-PRINCIPAL-NAME,
transited[4] KERB-TRANSITED-ENCODING,
authtime[5] KERB-TIME,
starttime[6] KERB-TIME OPTIONAL,
endtime[7] KERB-TIME,
renew-until[8] KERB-TIME OPTIONAL,
client-addresses[9] PKERB-HOST-ADDRESSES OPTIONAL,
authorization-data[10] PKERB-AUTHORIZATION-DATA OPTIONAL
}
-- Unencrypted authenticator
-- Authenticator, APPLICATION 2: this is the plaintext form; it travels inside
-- KERB-AP-REQUEST.authenticator as KERB-ENCRYPTED-DATA. sequence-number uses
-- the LARGE (signed-tolerant) range, unlike the reply/SAFE/PRIV types below.
KERB-AUTHENTICATOR ::= [APPLICATION 2] SEQUENCE {
authenticator-version[0] INTEGER,
client-realm[1] KERB-REALM,
client-name[2] KERB-PRINCIPAL-NAME,
checksum[3] KERB-CHECKSUM OPTIONAL,
client-usec[4] INTEGER,
client-time[5] KERB-TIME,
subkey[6] KERB-ENCRYPTION-KEY OPTIONAL,
sequence-number[7] KERB-SEQUENCE-NUMBER-LARGE OPTIONAL,
authorization-data[8] PKERB-AUTHORIZATION-DATA OPTIONAL
}
-- Ticket flag bits (used in the encrypted ticket, the encrypted KDC reply and
-- KERB-CRED-INFO); bit assignments are not defined in this module.
KERB-TICKET-FLAGS ::= BIT STRING
-- AS-REQ and TGS-REQ share the KERB-KDC-REQUEST layout; only the APPLICATION
-- tag (10 vs 12) and the message-type field tell them apart.
KERB-AS-REQUEST ::= [APPLICATION 10] KERB-KDC-REQUEST
KERB-TGS-REQUEST ::= [APPLICATION 12] KERB-KDC-REQUEST
-- KDC-REQ. Tags start at [1] (there is no [0]), matching RFC 1510.
-- Nothing in this structure is encrypted: preauth-data items are opaque
-- OCTET STRINGs decoded per type by the consumer, and the request-body is
-- in the clear (its integrity for TGS-REQ comes from a checksum carried in
-- pre-auth data, see KERB-MARSHALLED-REQUEST-BODY).
KERB-KDC-REQUEST ::= SEQUENCE {
version[1] INTEGER,
message-type[2] INTEGER,
preauth-data[3] SEQUENCE OF KERB-PA-DATA OPTIONAL,
request-body[4] KERB-KDC-REQUEST-BODY
}
-- PA-DATA: pre-authentication item, tags [1]/[2] as in RFC 1510. The value is
-- opaque at this layer; its inner encoding is selected by preauth-data-type
-- and decoded in a second pass.
KERB-PA-DATA ::= SEQUENCE {
preauth-data-type[1] INTEGER,
preauth-data[2] OCTET STRING -- might be encoded AP-REQUEST
}
-- Stand-alone list of PA-DATA so the generated code can encode/decode the
-- list on its own (same encoding as the inline lists in the KDC messages).
PKERB-PREAUTH-DATA-LIST ::= SEQUENCE OF KERB-PA-DATA
-- Give this an application number so we can separately encode it and checksum
-- it.
-- NOTE(review): despite the note above, no [APPLICATION n] tag is present on
-- this definition; it is a plain alias, so the checksum is presumably taken
-- over the body's own encoding -- confirm against the translation code.
KERB-MARSHALLED-REQUEST-BODY ::= KERB-KDC-REQUEST-BODY
-- KDC-REQ-BODY: the part of the request the KDC acts on; tags [0]..[11] as
-- in RFC 1510. client-name is OPTIONAL because a TGS-REQ identifies the
-- client through the ticket in its pre-auth data instead.
KERB-KDC-REQUEST-BODY ::= SEQUENCE {
kdc-options[0] KERB-KDC-OPTIONS,
client-name[1] KERB-PRINCIPAL-NAME OPTIONAL, -- Used only in AS-REQUEST
realm[2] KERB-REALM, -- Server's realm Also client's in AS-REQUEST
server-name[3] KERB-PRINCIPAL-NAME OPTIONAL,
starttime[4] KERB-TIME OPTIONAL,
endtime[5] KERB-TIME,
renew-until[6] KERB-TIME OPTIONAL,
nonce[7] INTEGER, -- echoed in KERB-ENCRYPTED-KDC-REPLY.nonce
encryption-type[8] SEQUENCE OF INTEGER, -- EncryptionType,
-- in preference order (client-chosen; the KDC's policy decides what it honours)
addresses[9] PKERB-HOST-ADDRESSES OPTIONAL,
enc-authorization-data[10] KERB-ENCRYPTED-DATA OPTIONAL,
-- KERB-AUTHORIZATION-DATA
-- (no type of that name exists in this module; the plaintext is presumably
-- PKERB-AUTHORIZATION-DATA -- confirm)
additional-tickets[11] SEQUENCE OF KERB-TICKET OPTIONAL
}
-- AS-REP and TGS-REP share the KERB-KDC-REPLY layout; APPLICATION 11 vs 13
-- and message-type distinguish them.
KERB-AS-REPLY ::= [APPLICATION 11] KERB-KDC-REPLY
KERB-TGS-REPLY ::= [APPLICATION 13] KERB-KDC-REPLY
-- KDC-REP, tags [0]..[6] as in RFC 1510. The ticket is sent as-is (only its
-- own encrypted-part is protected); encrypted-part here is the
-- KERB-ENCRYPTED-KDC-REPLY for the client, presumably under the client's
-- key (AS) or the TGT session key (TGS) -- confirm with the crypto layer.
KERB-KDC-REPLY ::= SEQUENCE {
version[0] INTEGER,
message-type[1] INTEGER,
preauth-data[2] SEQUENCE OF KERB-PA-DATA OPTIONAL,
client-realm[3] KERB-REALM,
client-name[4] KERB-PRINCIPAL-NAME,
ticket[5] KERB-TICKET, -- KERB-TICKET
encrypted-part[6] KERB-ENCRYPTED-DATA -- KERB-ENCRYPTED-KDC-REPLY
}
-- EncASRepPart (APPLICATION 25) and EncTGSRepPart (APPLICATION 26) share the
-- KERB-ENCRYPTED-KDC-REPLY layout.
KERB-ENCRYPTED-AS-REPLY ::= [APPLICATION 25] KERB-ENCRYPTED-KDC-REPLY
KERB-ENCRYPTED-TGS-REPLY ::= [APPLICATION 26] KERB-ENCRYPTED-KDC-REPLY
-- EncKDCRepPart: gives the client the ticket session key plus the ticket
-- metadata it cannot read from the ticket's own encrypted part. nonce must
-- match the request nonce (request binding). encrypted-pa-data [12] is an
-- addition beyond RFC 1510 EncKDCRepPart ([0]..[11]); confirm peers
-- tolerate it.
KERB-ENCRYPTED-KDC-REPLY ::= SEQUENCE {
session-key[0] KERB-ENCRYPTION-KEY,
last-request[1] PKERB-LAST-REQUEST,
nonce[2] INTEGER,
key-expiration[3] KERB-TIME OPTIONAL,
flags[4] KERB-TICKET-FLAGS,
authtime[5] KERB-TIME,
starttime[6] KERB-TIME OPTIONAL,
endtime[7] KERB-TIME,
renew-until[8] KERB-TIME OPTIONAL,
server-realm[9] KERB-REALM,
server-name[10] KERB-PRINCIPAL-NAME,
client-addresses[11] PKERB-HOST-ADDRESSES OPTIONAL,
encrypted-pa-data[12] SEQUENCE OF KERB-PA-DATA OPTIONAL
}
-- AP-REQ, APPLICATION 14. ticket is passed through as-is; authenticator is
-- KERB-ENCRYPTED-DATA whose plaintext is KERB-AUTHENTICATOR, presumably
-- under the ticket session key -- confirm with the caller.
KERB-AP-REQUEST ::= [APPLICATION 14] SEQUENCE {
version[0] INTEGER,
message-type[1] INTEGER,
ap-options[2] KERB-AP-OPTIONS,
ticket[3] KERB-TICKET,
authenticator[4] KERB-ENCRYPTED-DATA -- Authenticator
}
-- AP-REQ option bits; bit assignments are not defined in this module.
KERB-AP-OPTIONS ::= BIT STRING
-- AP-REP, APPLICATION 15; the plaintext of encrypted-part is
-- KERB-ENCRYPTED-AP-REPLY.
KERB-AP-REPLY ::= [APPLICATION 15] SEQUENCE {
version[0] INTEGER,
message-type[1] INTEGER,
encrypted-part[2] KERB-ENCRYPTED-DATA -- EncAPRepPart
}
-- EncAPRepPart, APPLICATION 27: echoes the client-time/usec from the
-- authenticator (presumably the mutual-authentication proof -- confirm) and
-- may supply a subkey and an initial sequence number. sequence-number is the
-- unsigned variant here, whereas KERB-AUTHENTICATOR uses the LARGE one.
KERB-ENCRYPTED-AP-REPLY ::= [APPLICATION 27] SEQUENCE {
client-time[0] KERB-TIME,
client-usec[1] INTEGER,
subkey[2] KERB-ENCRYPTION-KEY OPTIONAL,
sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL
}
-- KRB-SAFE, APPLICATION 20: integrity-protected but not encrypted. The
-- checksum at [3] presumably covers safe-body; which key it is computed
-- under is decided by the consumer.
KERB-SAFE-MESSAGE ::= [APPLICATION 20] SEQUENCE {
version[0] INTEGER,
message-type[1] INTEGER,
safe-body[2] KERB-SAFE-BODY,
checksum[3] KERB-CHECKSUM
}
-- KRB-SAFE body: user data plus optional replay-detection fields. Only
-- sender-address is mandatory; timestamp/usec/sequence-number are all
-- OPTIONAL, so replay checks depend on what the consumer requires.
-- Field-for-field identical to KERB-ENCRYPTED-PRIV below.
KERB-SAFE-BODY ::= SEQUENCE {
user-data[0] OCTET STRING,
timestamp[1] KERB-TIME OPTIONAL,
usec[2] INTEGER OPTIONAL,
sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL,
sender-address[4] KERB-HOST-ADDRESS, -- sender's addr
recipient-address[5] KERB-HOST-ADDRESS OPTIONAL -- recip's addr
}
-- KRB-PRIV, APPLICATION 21. Note there is no tag [2]; encrypted-part is [3],
-- matching RFC 1510 KRB-PRIV. Its plaintext is KERB-ENCRYPTED-PRIV.
KERB-PRIV-MESSAGE ::= [APPLICATION 21] SEQUENCE {
version[0] INTEGER,
message-type[1] INTEGER,
encrypted-part[3] KERB-ENCRYPTED-DATA -- EncKrbPrivPart
}
-- EncKrbPrivPart, APPLICATION 28: same layout as KERB-SAFE-BODY, but
-- carried encrypted. The same remark applies: the replay fields are all
-- OPTIONAL.
KERB-ENCRYPTED-PRIV ::= [APPLICATION 28] SEQUENCE {
user-data[0] OCTET STRING,
timestamp[1] KERB-TIME OPTIONAL,
usec[2] INTEGER OPTIONAL,
sequence-number[3] KERB-SEQUENCE-NUMBER OPTIONAL,
sender-address[4] KERB-HOST-ADDRESS, -- sender's addr
recipient-address[5] KERB-HOST-ADDRESS OPTIONAL -- recip's addr
}
-- The KERB-CRED message allows easy forwarding of credentials.
-- KRB-CRED, APPLICATION 22. tickets travel in the clear; the session keys
-- that make them usable are in encrypted-part (KERB-ENCRYPTED-CRED), whose
-- ticket-info list presumably corresponds to tickets by position -- confirm
-- the consumer checks the two lists line up.
KERB-CRED ::= [APPLICATION 22] SEQUENCE {
version[0] INTEGER,
message-type[1] INTEGER, -- KRB_CRED
tickets[2] SEQUENCE OF KERB-TICKET,
encrypted-part[3] KERB-ENCRYPTED-DATA -- EncKrbCredPart
}
-- EncKrbCredPart, APPLICATION 29: the keys for the tickets in KERB-CRED.
-- Every binding/anti-replay field (nonce, timestamp, usec, both addresses)
-- is OPTIONAL, so whether a forwarded credential is bound to a time or host
-- is entirely up to the consumer.
KERB-ENCRYPTED-CRED ::= [APPLICATION 29] SEQUENCE {
ticket-info[0] SEQUENCE OF KERB-CRED-INFO,
nonce[1] INTEGER OPTIONAL,
timestamp[2] KERB-TIME OPTIONAL,
usec[3] INTEGER OPTIONAL,
sender-address[4] KERB-HOST-ADDRESS OPTIONAL,
recipient-address[5] KERB-HOST-ADDRESS OPTIONAL
}
-- KrbCredInfo: the session key for one forwarded ticket plus the ticket
-- metadata the recipient needs. Everything except key is OPTIONAL.
KERB-CRED-INFO ::= SEQUENCE {
key[0] KERB-ENCRYPTION-KEY,
principal-realm[1] KERB-REALM OPTIONAL,
principal-name[2] KERB-PRINCIPAL-NAME OPTIONAL,
flags[3] KERB-TICKET-FLAGS OPTIONAL,
authtime[4] KERB-TIME OPTIONAL,
starttime[5] KERB-TIME OPTIONAL,
endtime[6] KERB-TIME OPTIONAL,
renew-until[7] KERB-TIME OPTIONAL,
service-realm[8] KERB-REALM OPTIONAL,
service-name[9] KERB-PRINCIPAL-NAME OPTIONAL,
client-addresses[10] PKERB-HOST-ADDRESSES OPTIONAL
}
-- KRB-ERROR, APPLICATION 30. Unauthenticated: nothing here is signed or
-- encrypted, so error-code/error-text should be treated as advisory.
-- error-text carries the pepsy --#lenptr-- directive (presumably a
-- length+pointer representation in the generated C struct -- confirm).
-- error-data is opaque; KERB-ERROR-METHOD-DATA, TYPED-DATA and
-- KERB-EXT-ERROR below are candidate contents -- confirm which apply.
KERB-ERROR ::= [APPLICATION 30] SEQUENCE {
version[0] INTEGER,
message-type[1] INTEGER,
client-time[2] KERB-TIME OPTIONAL,
client-usec[3] INTEGER OPTIONAL,
server-time[4] KERB-TIME,
server-usec[5] INTEGER,
error-code[6] INTEGER,
client-realm[7] KERB-REALM OPTIONAL,
client-name[8] KERB-PRINCIPAL-NAME OPTIONAL,
realm[9] KERB-REALM, -- Correct realm
server-name[10] KERB-PRINCIPAL-NAME, -- Correct name
error-text[11] GeneralString --#lenptr-- OPTIONAL,
error-data[12] OCTET STRING OPTIONAL
}
-- EncryptedData. encryption-type selects the etype; version corresponds to
-- the kvno [1] of RFC 1510 EncryptedData; cipher-text is opaque to this
-- codec and is decrypted (and integrity-checked, if the etype does so) by
-- the crypto layer.
KERB-ENCRYPTED-DATA ::= SEQUENCE {
encryption-type[0] INTEGER, -- EncryptionType
version[1] INTEGER OPTIONAL, -- key version number
cipher-text[2] OCTET STRING -- CipherText
} --#public--
-- EncryptionKey: key type plus raw key bytes. Values of this type are
-- secret material (session keys, subkeys, reply keys); the generated code
-- that holds them should zero them after use -- nothing here enforces that.
KERB-ENCRYPTION-KEY ::= SEQUENCE {
keytype[0] INTEGER,
keyvalue[1] OCTET STRING
} --#public--
-- Checksum: checksum-type selects the algorithm. Whether the checksum is
-- keyed (and under which key) is a property of the type and of the message
-- it appears in, not of this structure.
KERB-CHECKSUM ::= SEQUENCE {
checksum-type[0] INTEGER,
checksum[1] OCTET STRING
} --#public--
-- Plaintext of the encrypted-timestamp pre-authentication value: the
-- client's current time, presumably encrypted under the client's long-term
-- key -- confirm with the caller.
KERB-ENCRYPTED-TIMESTAMP ::= SEQUENCE {
timestamp[0] KERB-TIME, -- client's time
usec[1] INTEGER OPTIONAL
}
-- Variant of KERB-ENCRYPTED-TIMESTAMP that also carries a salt at [2].
KERB-SALTED-ENCRYPTED-TIMESTAMP ::= SEQUENCE {
timestamp[0] KERB-TIME, -- client's time
usec[1] INTEGER OPTIONAL,
salt[2] OCTET STRING
}
-- ETYPE-INFO entry: an encryption type the KDC offers for the client, with
-- the optional string-to-key salt for it.
KERB-ETYPE-INFO-ENTRY ::= SEQUENCE {
encryption-type[0] INTEGER,
salt[1] OCTET STRING OPTIONAL
}
-- List of ETYPE-INFO entries (pre-auth hint from the KDC).
PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY
--
--
-- User-to-User data types
--
--
-- User-to-user: asks the server for its TGT. No APPLICATION tag; the
-- message-type field identifies it.
KERB-TGT-REQUEST ::= SEQUENCE {
version[0] INTEGER,
message-type[1] INTEGER,
server-name[2] KERB-PRINCIPAL-NAME OPTIONAL,
server-realm[3] KERB-REALM OPTIONAL
}
-- User-to-user: the server's TGT, returned in the clear (only its own
-- encrypted-part is protected). No APPLICATION tag.
KERB-TGT-REPLY ::= SEQUENCE {
version[0] INTEGER,
message-type[1] INTEGER,
ticket[2] KERB-TICKET
}
--
--
-- PKINIT data types
--
--
-- new for PKINIT
-- PKCS signature blob: an algorithm code and the raw signature bytes.
-- Not referenced by any other type in this module (the PKINIT types below
-- use KERB-SIGNATURE instead); confirm it is used elsewhere before removing.
KERB-PKCS-SIGNATURE ::= SEQUENCE {
encryption-type [0] INTEGER,
-- algorithm for PKCS key encryption
signature [1] OCTET STRING
}
-- Open type (ANY) with the pepsy nomemcpy directive. Presumably the
-- generated decoder keeps a pointer into the input buffer instead of
-- copying, which ties the lifetime of KERB-ALGORITHM-IDENTIFIER.parameters
-- to that buffer -- confirm before holding a decoded value past the call.
NOCOPYANY ::= ANY --#nomemcpy--
-- X.509-style AlgorithmIdentifier. Unlike the rest of this module the fields
-- carry no context tags; parameters is an open type (see NOCOPYANY).
KERB-ALGORITHM-IDENTIFIER::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters NOCOPYANY OPTIONAL
}
-- Signature together with its algorithm identifier. pkcs-signature is a
-- BIT STRING (contrast KERB-PKCS-SIGNATURE, which uses OCTET STRING).
KERB-SIGNATURE ::= SEQUENCE {
signature-algorithm [0] KERB-ALGORITHM-IDENTIFIER,
pkcs-signature [1] BIT STRING
}
-- PA-PK-AS-REP (PA type 15), original form: a CHOICE between two opaque
-- PKCS#7 blobs. Both alternatives are IMPLICIT-tagged OCTET STRINGs, so the
-- PKCS#7 content is parsed by a separate decoder, not by this module.
KERB-PA-PK-AS-REP ::= CHOICE {
-- PA TYPE 15
dh-signed-data [0] IMPLICIT OCTET STRING,
-- pkcs-7 signed data, used for DH key exchange
key-package [1] IMPLICIT OCTET STRING
-- pkcs-7 enveloped data, containing
-- KERB-REPLY-KEY-PACKAGE
}
-- PA-PK-AS-REP (PA type 15), second form. Both KERB-PA-PK-AS-REP and this
-- type claim PA type 15, so which encoding a peer uses must be decided
-- outside this module -- confirm how. Certificate chain validation for
-- kdc-cert also happens outside this module.
KERB-PA-PK-AS-REP2 ::= SEQUENCE {
-- PA TYPE 15
key-package [0] KERB-ENCRYPTED-DATA OPTIONAL,
-- of type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE
-- using the temporary key in temp-key-package.
-- used with kerberos-pk encryption
temp-key-package [1] KERB-ENVELOPED-KEY-PACKAGE,
-- contains type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE
-- temporary key encrypted with
-- client public key or diffie-hellman key
signed-kdc-public-value [2] KERB-SIGNED-KDC-PUBLIC-VALUE OPTIONAL,
-- if one was passed in request
kdc-cert [3] SEQUENCE OF KERB-CERTIFICATE OPTIONAL
-- the KDC's certificate
-- optionally followed by that
-- certificate's certifier chain
}
-- Carrier for the temporary reply key. The CHOICE uses non-contiguous tags
-- [1] and [4]; the gap is presumably deliberate (keeping the alternatives
-- distinct from other tags in the same PA exchange) -- do not renumber.
KERB-ENVELOPED-KEY-PACKAGE ::= CHOICE {
encrypted-data [1] KERB-ENCRYPTED-DATA,
-- of type TmpKeyPack, not defined here
pkinit-enveloped-data [4] IMPLICIT OCTET STRING
-- pkcs-7 enveloped data
}
-- Reply key package plus the KDC's signature over it; the signature is what
-- lets the client attribute the reply key to the KDC.
KERB-SIGNED-REPLY-KEY-PACKAGE ::= SEQUENCE {
reply-key-package [0] KERB-REPLY-KEY-PACKAGE2,
reply-key-signature [1] KERB-SIGNATURE
-- of replyEncKeyPack
-- using KDC's private key
}
-- Reply key package, second form: same as KERB-REPLY-KEY-PACKAGE plus the
-- optional DH public value at [2]. nonce binds this to the request.
KERB-REPLY-KEY-PACKAGE2 ::= SEQUENCE {
reply-key [0] KERB-ENCRYPTION-KEY,
-- used to encrypt main reply
nonce [1] INTEGER,
-- binds response to the request
-- must be same as the nonce
-- passed in the PKAuthenticator
subject-public-key [2] BIT STRING OPTIONAL
-- included only when using diffie-hellman
-- equals public exponent
} --#public--
-- Reply key package, original form: the reply key and the request nonce.
-- Referenced from the KERB-PA-PK-AS-REP key-package comment.
KERB-REPLY-KEY-PACKAGE ::= SEQUENCE {
reply-key [0] KERB-ENCRYPTION-KEY,
-- used to encrypt main reply
nonce [1] INTEGER
-- binds response to the request
-- must be same as the nonce
-- passed in the PKAuthenticator
} --#public--
-- KDC's Diffie-Hellman contribution: nonce (request binding) and the KDC's
-- public value. Not referenced by other types in this module; the DH value
-- also appears in KERB-REPLY-KEY-PACKAGE2 and KERB-SIGNED-KDC-PUBLIC-VALUE.
KERB-KDC-DH-KEY-INFO ::= SEQUENCE {
nonce [0] INTEGER,
-- binds response to request
subject-public-key [1] BIT STRING
-- Equals public exponent (g^a mod p)
-- INTEGER encoded as payload of
-- BIT STRING
}
-- KDC's DH public value plus the KDC's signature over it (so the client can
-- verify the value came from the KDC before deriving a key from it).
KERB-SIGNED-KDC-PUBLIC-VALUE ::= SEQUENCE {
kdc-public-value [0] KERB-SUBJECT-PUBLIC-KEY-INFO,
-- as described above
kdc-public-value-sig [1] KERB-SIGNATURE
-- of kdcPublicValue
-- using KDC's private key
}
-- PA-PK-AS-REQ (PA type 14), second form: signed auth package plus the
-- user's certificate chain. trusted-certifiers is a list of
-- KERB-PRINCIPAL-NAME here, whereas KERB-PA-PK-AS-REQ uses KERB-TRUSTED-CAS.
-- Which form applies for PA type 14 is decided outside this module.
KERB-PA-PK-AS-REQ2 ::= SEQUENCE {
-- PA TYPE 14
signed-auth-pack [0] KERB-SIGNED-AUTH-PACKAGE,
user-certs [1] SEQUENCE OF KERB-CERTIFICATE OPTIONAL,
-- the user's certificate chain
trusted-certifiers [2] SEQUENCE OF KERB-PRINCIPAL-NAME OPTIONAL,
-- CAs that the client trusts
serial-number [3] KERB-CERTIFICATE-SERIAL-NUMBER OPTIONAL
-- specifying a particular cert if the client
-- already has it, must be accompanied by a
-- single trusted-certifier
}
-- PA-PK-AS-REQ (PA type 14), original form with opaque PKCS#7 SignedData.
-- Context tag [1] is unused (tags are [0], [2], [3], [4]); keep the gap.
-- The three IMPLICIT OCTET STRINGs are parsed by a separate PKCS/X.509
-- decoder, not here.
KERB-PA-PK-AS-REQ ::= SEQUENCE {
-- PA TYPE 14
signed-auth-pack [0] IMPLICIT OCTET STRING,
-- SignedData
trusted-certifiers [2] SEQUENCE OF KERB-TRUSTED-CAS OPTIONAL,
-- CAs that the client trusts
kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
-- an IssuerAndSerialNumber, specifies a
-- particular KDC cert if the client
-- has it, must be accompanied by a
-- single trusted-certifier
encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
-- If the client cert can't be used for
-- encryption. For example, this may
-- be a Diffie-Hellman cert
}
-- One trusted CA, named either as a Kerberos principal, an X.500 name, or
-- an issuer+serial pair. The last two are opaque DER blobs here.
KERB-TRUSTED-CAS ::= CHOICE {
principal-name [0] KERB-KERBEROS-NAME,
-- principal name and realm
ca-name [1] IMPLICIT OCTET STRING,
-- real type is 'Name',
-- fully qualified X.500 name
-- as defined by X.509
issuer-and-serial [2] IMPLICIT OCTET STRING
-- since a CA may have a number of certs,
-- only one of which a client trusts
}
-- Realm plus principal name as one unit (used by KERB-TRUSTED-CAS).
KERB-KERBEROS-NAME ::= SEQUENCE {
realm [0] KERB-REALM,
-- as defined in RFC1510
principal-name [1] KERB-PRINCIPAL-NAME
-- as defined in RFC1510
}
-- Certificate serial number; unconstrained INTEGER, so arbitrary-length
-- values must be accepted by the generated code.
KERB-CERTIFICATE-SERIAL-NUMBER ::= INTEGER
-- as specified by PKCS 6
-- Auth package plus the user's signature over it. The signature is the
-- client's proof of possession of the private key; verification against
-- the user's certificate happens outside this module.
KERB-SIGNED-AUTH-PACKAGE ::= SEQUENCE {
auth-package [0] KERB-AUTH-PACKAGE,
auth-package-signature [1] KERB-SIGNATURE
-- of auth-package
-- using user's private key
}
-- The signed payload of KERB-SIGNED-AUTH-PACKAGE: the PK authenticator and,
-- for DH, the client's public value -- both are therefore covered by the
-- user's signature.
KERB-AUTH-PACKAGE ::= SEQUENCE {
pk-authenticator [0] KERB-PK-AUTHENTICATOR,
client-public-value [1] KERB-SUBJECT-PUBLIC-KEY-INFO OPTIONAL
-- if client is using Diffie-Hellman
} --#public--
-- PKAuthenticator: names the intended KDC and carries cusec/client-time and
-- the nonce. Being inside KERB-AUTH-PACKAGE it is covered by the user's
-- signature, which is what makes these replay-prevention fields meaningful.
KERB-PK-AUTHENTICATOR ::= SEQUENCE {
kdc-name [0] KERB-PRINCIPAL-NAME,
kdc-realm [1] KERB-REALM,
cusec [2] INTEGER,
-- for replay prevention
client-time [3] KERB-TIME,
-- for replay prevention
nonce [4] INTEGER
-- must match the nonce echoed in the reply key package
}
-- SubjectPublicKeyInfo. Note the two fields are context-tagged [0]/[1]
-- here, unlike the untagged X.509 definition, so this is not byte-compatible
-- with a DER SubjectPublicKeyInfo taken from a certificate.
KERB-SUBJECT-PUBLIC-KEY-INFO ::= SEQUENCE {
algorithm [0] KERB-ALGORITHM-IDENTIFIER,
subjectPublicKey [1] BIT STRING
-- for DH, equals
-- public exponent (INTEGER encoded
-- as payload of BIT STRING)
} -- as specified by the X.509 recommendation [9]
-- Diffie-Hellman group parameters. The type name carries a historical
-- misspelling; keep it, since generated code references it by name. Not
-- referenced by any other type in this module.
KERB-DH-PARAMTER ::= SEQUENCE {
prime [0] INTEGER,
-- p
base [1] INTEGER,
-- g
private-value-length [2] INTEGER OPTIONAL
}
-- Certificate carrier: a format code and the raw certificate bytes. The
-- certificate itself is parsed and validated outside this module.
KERB-CERTIFICATE ::= SEQUENCE {
cert-type [0] INTEGER,
-- type of certificate
-- 1 = X.509v3 (DER encoding)
-- 2 = PGP (per PGP specification)
cert-data [1] OCTET STRING
-- actual certificate
-- type determined by certType
}
-- Generic type/value pair; TYPED-DATA below is a list of these.
KERB-TYPED-DATA ::= SEQUENCE {
data-type [0] INTEGER,
data-value [1] OCTET STRING
}
--
--
-- Authorization data types
--
--
-- AD-KDC-ISSUED: authorization elements vouched for by the KDC. Note the
-- field named checksum is typed KERB-SIGNATURE (algorithm + BIT STRING),
-- not KERB-CHECKSUM, and elements reuses KERB-PA-DATA as a generic
-- type/value list.
KERB-KDC-ISSUED-AUTH-DATA ::= SEQUENCE {
checksum [0] KERB-SIGNATURE,
elements [1] SEQUENCE OF KERB-PA-DATA
} --#public--
-- Server referral pre-auth data. The fields are listed with tag [1] before
-- tag [0]; in a SEQUENCE the definition order is the encoding order, so do
-- not reorder them (see the header note about element order and the
-- translation code).
KERB-PA-SERV-REFERRAL ::= SEQUENCE {
referred-server-name[1] KERB-PRINCIPAL-NAME OPTIONAL,
referred-server-realm[0] KERB-REALM
} --#public--
--
-- PA data type for indicating whether a PAC should be included or
-- removed.
--
-- PA-PAC-REQUEST: a client hint about PAC inclusion. It arrives as
-- pre-auth data in KERB-KDC-REQUEST, which is not encrypted, so it is a
-- request, not a trust decision; the policy for honouring it lives in the
-- KDC.
KERB-PA-PAC-REQUEST ::= SEQUENCE {
include-pac[0] BOOLEAN -- if TRUE, and no pac present,
-- include PAC. If FALSE, and pac
-- PAC present, remove PAC
} --#public--
-- AD-IF-RELEVANT container: structurally just an authorization-data list,
-- aliased so the generated code gets a distinct public entry point.
PKERB-IF-RELEVANT-AUTH-DATA ::= PKERB-AUTHORIZATION-DATA --#public--
-- Change-password payload. new-password is cleartext inside this structure,
-- so the structure must only ever travel inside an encrypted part
-- (presumably KRB-PRIV user-data -- confirm with the caller).
KERB-CHANGE-PASSWORD-DATA ::= SEQUENCE {
new-password[0] OCTET STRING,
target-name[1] KERB-PRINCIPAL-NAME OPTIONAL,
target-realm[2] KERB-REALM OPTIONAL
} --#public--
-- METHOD-DATA element: same shape and tags as KERB-PA-DATA, but with the
-- value OPTIONAL. Presumably carried in KERB-ERROR.error-data -- confirm.
KERB-ERROR-METHOD-DATA ::= SEQUENCE {
data-type [1] INTEGER,
data-value [2] OCTET STRING OPTIONAL
} --#public--
-- Extended error payload (presumably carried in KERB-ERROR.error-data --
-- confirm). status is an NTSTATUS code; since KERB-ERROR is unauthenticated,
-- a client should treat this as diagnostic, not as a verified claim.
KERB-EXT-ERROR ::= SEQUENCE {
status[0] INTEGER, -- NTStatus code
klininfo[1] INTEGER, -- klin macro info
flags[2] INTEGER -- used for passing extra info
}
-- List of KERB-TYPED-DATA, exposed as a public type for the generated code.
TYPED-DATA ::= SEQUENCE OF KERB-TYPED-DATA --#public--
--
-- For ServiceForUserToSelf requests
-- PA Type 21
--
-- PA-FOR-USER (PA type 21): names the user on whose behalf a service is
-- requesting a ticket to itself. This form carries no checksum or other
-- binding field, so the requester is authenticated only by the enclosing
-- TGS-REQ -- confirm the KDC's acceptance policy for this type.
KERB-PA-FOR-USER ::= SEQUENCE {
-- PA TYPE 21
client-realm [0] KERB-REALM,
client-name [1] KERB-PRINCIPAL-NAME
}--#public--
END