osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
wireshark/epan/dissectors/asn1/kerberos/k5.asn

889 lines
24 KiB
Groff
Raw Blame History

-- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz
-- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $
-- Commented out stuff already in KerberosV5Spec2.asn
KERBEROS5 DEFINITIONS ::=
BEGIN
NAME-TYPE ::= INTEGER {
kRB5-NT-UNKNOWN(0), -- Name type not known
kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in
kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt)
kRB5-NT-SRV-HST(3), -- Service with host name as instance
kRB5-NT-SRV-XHST(4), -- Service with host as remaining components
kRB5-NT-UID(5), -- Unique ID
kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
kRB5-NT-WELLKNOWN(11), -- Wellknown
kRB5-NT-SRV-HST-DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
kRB5-NT-MS-PRINCIPAL-AND-ID(-129), -- NT style name and SID
kRB5-NT-NTLM(-1200), -- NTLM name, realm is domain
kRB5-NT-X509-GENERAL-NAME(-1201), -- x509 general name (base64 encoded)
kRB5-NT-GSS-HOSTBASED-SERVICE(-1202), -- not used; remove
kRB5-NT-CACHE-UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
kRB5-NT-SRV-HST-NEEDS-CANON (-195894762) -- Internal: indicates that name canonicalization is needed
}
-- message types
MESSAGE-TYPE ::= INTEGER {
krb-as-req(10), -- Request for initial authentication
krb-as-rep(11), -- Response to KRB_AS_REQ request
krb-tgs-req(12), -- Request for authentication based on TGT
krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
krb-ap-req(14), -- application request to server
krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
krb-tgt-req(16), -- TGT-REQ used in U2U
krb-tgt-rep(17), -- TGT-REP used in U2U
krb-safe(20), -- Safe (checksummed) application message
krb-priv(21), -- Private (encrypted) application message
krb-cred(22), -- Private (encrypted) message to forward credentials
krb-error(30) -- Error response
}
-- pa-data types
PADATA-TYPE ::= INTEGER {
pA-NONE(0),
pA-TGS-REQ(1), -- [RFC4120]
pA-ENC-TIMESTAMP(2), -- [RFC4120]
pA-PW-SALT(3), -- [RFC4120]
-- [reserved](4), -- -- [RFC6113]
pA-ENC-UNIX-TIME(5), -- (deprecated) [RFC4120]
pA-SANDIA-SECUREID(6), -- [RFC4120]
pA-SESAME(7), -- [RFC4120]
pA-OSF-DCE(8), -- [RFC4120]
pA-CYBERSAFE-SECUREID(9), -- [RFC4120]
pA-AFS3-SALT(10), -- [RFC4120] [RFC3961]
pA-ETYPE-INFO(11), -- [RFC4120]
pA-SAM-CHALLENGE(12), -- [KRB-WG.SAM]
pA-SAM-RESPONSE(13), -- [KRB-WG.SAM]
pA-PK-AS-REQ-19(14), -- [PK-INIT-1999]
pA-PK-AS-REP-19(15), -- [PK-INIT-1999]
pA-PK-AS-REQ(16), -- [RFC4556]
pA-PK-AS-REP(17), -- [RFC4556]
pA-PK-OCSP-RESPONSE(18), -- [RFC4557]
pA-ETYPE-INFO2(19), -- [RFC4120]
pA-USE-SPECIFIED-KVNO(20), -- [RFC4120]
-- pA-SVR-REFERRAL-INFO(20), -- -- [REFERRALS]
pA-SAM-REDIRECT(21), -- [KRB-WG.SAM]
pA-GET-FROM-TYPED-DATA(22), -- (embedded in typed data) [RFC4120]
tD-PADATA(22), -- (embeds padata) [RFC4120]
pA-SAM-ETYPE-INFO(23), -- (sam/otp) [KRB-WG.SAM]
pA-ALT-PRINC(24), -- (crawdad@fnal.gov) [HW-AUTH]
pA-SERVER-REFERRAL(25), -- [REFERRALS]
pA-SAM-CHALLENGE2(30), -- (kenh@pobox.com) [KRB-WG.SAM]
pA-SAM-RESPONSE2(31), -- (kenh@pobox.com) [KRB-WG.SAM]
pA-EXTRA-TGT(41), -- Reserved extra TGT [RFC6113]
-- pA-FX-FAST-ARMOR(71), -- -- fast armor
tD-PKINIT-CMS-CERTIFICATES(101),-- CertificateSet from CMS
tD-KRB-PRINCIPAL(102), -- PrincipalName
tD-KRB-REALM(103), -- Realm
tD-TRUSTED-CERTIFIERS(104), -- [RFC4556]
tD-CERTIFICATE-INDEX(105), -- [RFC4556]
tD-APP-DEFINED-ERROR(106), -- Application specific [RFC6113]
tD-REQ-NONCE(107), -- INTEGER [RFC6113]
tD-REQ-SEQ(108), -- INTEGER [RFC6113]
tD-DH-PARAMETERS(109), -- [RFC4556]
tD-CMS-DIGEST-ALGORITHMS(111), -- [ALG-AGILITY]
tD-CERT-DIGEST-ALGORITHMS(112), -- [ALG-AGILITY]
pA-PAC-REQUEST(128), -- [MS-KILE]
pA-FOR-USER(129), -- [MS-KILE]
pA-FOR-X509-USER(130), -- [MS-KILE]
pA-FOR-CHECK-DUPS(131), -- [MS-KILE]
-- pA-AS-CHECKSUM(132), -- -- [MS-KILE]
pA-PK-AS-09-BINDING(132), -- client send this to
-- tell KDC that is supports
-- the asCheckSum in the
-- PK-AS-REP
pA-FX-COOKIE(133), -- [RFC6113]
pA-AUTHENTICATION-SET(134), -- [RFC6113]
pA-AUTH-SET-SELECTED(135), -- [RFC6113]
pA-FX-FAST(136), -- [RFC6113]
pA-FX-ERROR(137), -- [RFC6113]
pA-ENCRYPTED-CHALLENGE(138), -- [RFC6113]
pA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com) [OTP-PREAUTH]
pA-OTP-REQUEST(142), -- (gareth.richards@rsa.com) [OTP-PREAUTH]
pA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com) [OTP-PREAUTH]
pA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com) [OTP-PREAUTH]
pA-EPAK-AS-REQ(145), -- (sshock@gmail.com) [RFC6113]
pA-EPAK-AS-REP(146), -- (sshock@gmail.com) [RFC6113]
pA-PKINIT-KX(147), -- [RFC6112]
pA-PKU2U-NAME(148), -- [PKU2U]
pA-REQ-ENC-PA-REP(149), -- [RFC6806]
pA-SPAKE(151), -- draft-ietf-kitten-krb-spake-preauth-09
pA-KERB-KEY-LIST-REQ(161), -- [MS-KILE]
pA-KERB-KEY-LIST-REP(162), -- [MS-KILE]
pA-SUPPORTED-ETYPES(165), -- [MS-KILE]
pA-EXTENDED-ERROR(166), -- [MS-KILE]
pA-PAC-OPTIONS(167), -- [MS-KILE]
pA-PROV-SRV-LOCATION(-1) -- 0xffffffff (gint32)0xFF) packetcable stuff
}
AUTHDATA-TYPE ::= INTEGER {
aD-IF-RELEVANT(1),
aD-INTENDED-FOR-SERVER(2),
aD-INTENDED-FOR-APPLICATION-CLASS(3),
aD-KDC-ISSUED(4),
aD-AND-OR(5),
aD-MANDATORY-TICKET-EXTENSIONS(6),
aD-IN-TICKET-EXTENSIONS(7),
aD-MANDATORY-FOR-KDC(8),
aD-INITIAL-VERIFIED-CAS(9),
aD-OSF-DCE(64),
aD-SESAME(65),
aD-OSF-DCE-PKI-CERTID(66),
aD-authentication-strength(70), -- [RFC6113]
aD-fx-fast-armor(71), -- [RFC6113]
aD-fx-fast-used(72), -- [RFC6113]
aD-WIN2K-PAC(128), -- [RFC4120] [MS-PAC]
aD-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
aD-TOKEN-RESTRICTIONS(141), -- [MS-KILE]
aD-LOCAL(142), -- [MS-KILE]
aD-AP-OPTIONS(143), -- [MS-KILE]
aD-TARGET-PRINCIPAL(144), -- [MS-KILE]
aD-SIGNTICKET-OLDER(-17),
-- aD-SIGNTICKET-OLD(142),
aD-SIGNTICKET(512)
}
-- checksumtypes
CKSUMTYPE ::= INTEGER {
cKSUMTYPE-NONE(0),
cKSUMTYPE-CRC32(1),
cKSUMTYPE-RSA-MD4(2),
cKSUMTYPE-RSA-MD4-DES(3),
cKSUMTYPE-DES-MAC(4),
cKSUMTYPE-DES-MAC-K(5),
cKSUMTYPE-RSA-MD4-DES-K(6),
cKSUMTYPE-RSA-MD5(7),
cKSUMTYPE-RSA-MD5-DES(8),
cKSUMTYPE-RSA-MD5-DES3(9),
cKSUMTYPE-SHA1-OTHER(10),
cKSUMTYPE-HMAC-SHA1-DES3-KD(12),
cKSUMTYPE-HMAC-SHA1-DES3(13),
cKSUMTYPE-SHA1(14),
cKSUMTYPE-HMAC-SHA1-96-AES-128(15),
cKSUMTYPE-HMAC-SHA1-96-AES-256(16),
cKSUMTYPE-CMAC-CAMELLIA128(17),
cKSUMTYPE-CMAC-CAMELLIA256(18),
cKSUMTYPE-HMAC-SHA256-128-AES128(19),
cKSUMTYPE-HMAC-SHA384-192-AES256(20),
cKSUMTYPE-GSSAPI(--0x8003--32771),
cKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number
cKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
}
--enctypes https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1
ENCTYPE ::= INTEGER {
eTYPE-NULL(0),
eTYPE-DES-CBC-CRC(1),
eTYPE-DES-CBC-MD4(2),
eTYPE-DES-CBC-MD5(3),
eTYPE-DES3-CBC-MD5(5),
eTYPE-OLD-DES3-CBC-SHA1(7),
eTYPE-SIGN-DSA-GENERATE(8),
eTYPE-DSA-SHA1(9),
eTYPE-RSA-MD5(10),
eTYPE-RSA-SHA1(11),
eTYPE-RC2-CBC(12),
eTYPE-RSA(13),
eTYPE-RSAES-OAEP(14),
eTYPE-DES-EDE3-CBC(15),
eTYPE-DES3-CBC-SHA1(16), -- with key derivation
eTYPE-AES128-CTS-HMAC-SHA1-96(17),
eTYPE-AES256-CTS-HMAC-SHA1-96(18),
eTYPE-AES128-CTS-HMAC-SHA256-128(19), -- RFC 8009
eTYPE-AES256-CTS-HMAC-SHA384-192(20), -- RFC 8009
eTYPE-ARCFOUR-HMAC-MD5(23),
eTYPE-ARCFOUR-HMAC-MD5-56(24),
eTYPE-CAMELLIA128-CTS-CMAC(25),
eTYPE-CAMELLIA256-CTS-CMAC(26),
eTYPE-ENCTYPE-PK-CROSS(48),
-- some "old" windows types
eTYPE-ARCFOUR-MD4(-128),
eTYPE-ARCFOUR-HMAC-OLD(-133),
eTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
-- these are for Heimdal internal use
-- eTYPE-DES-CBC-NONE(-0x1000),
eTYPE-DES-CBC-NONE( -4096),
-- eTYPE-DES3-CBC-NONE(-0x1001),
eTYPE-DES3-CBC-NONE(-4097),
-- eTYPE-DES-CFB64-NONE(-0x1002),
eTYPE-DES-CFB64-NONE(-4098),
-- eTYPE-DES-PCBC-NONE(-0x1003),
eTYPE-DES-PCBC-NONE(-4099),
-- eTYPE-DIGEST-MD5-NONE(-0x1004), - - private use, lukeh@padl.com
eTYPE-DIGEST-MD5-NONE(-4100), -- private use, lukeh@padl.com
-- eTYPE-CRAM-MD5-NONE(-0x1005) - - private use, lukeh@padl.com
eTYPE-CRAM-MD5-NONE(-4101) -- private use, lukeh@padl.com
}
-- addr-types (WS extension )
ADDR-TYPE ::= INTEGER {
iPv4(2),
cHAOS(5),
xEROX(6),
iSO(7),
dECNET(12),
aPPLETALK(16),
nETBIOS(20),
iPv6(24)
}
-- error-codes (WS extension)
ERROR-CODE ::= INTEGER {
--error table constants
eRR-NONE(0),
eRR-NAME-EXP(1),
eRR-SERVICE-EXP(2),
eRR-BAD-PVNO(3),
eRR-C-OLD-MAST-KVNO(4),
eRR-S-OLD-MAST-KVNO(5),
eRR-C-PRINCIPAL-UNKNOWN(6),
eRR-S-PRINCIPAL-UNKNOWN(7),
eRR-PRINCIPAL-NOT-UNIQUE(8),
eRR-NULL-KEY(9),
eRR-CANNOT-POSTDATE(10),
eRR-NEVER-VALID(11),
eRR-POLICY(12),
eRR-BADOPTION(13),
eRR-ETYPE-NOSUPP(14),
eRR-SUMTYPE-NOSUPP(15),
eRR-PADATA-TYPE-NOSUPP(16),
eRR-TRTYPE-NOSUPP(17),
eRR-CLIENT-REVOKED(18),
eRR-SERVICE-REVOKED(19),
eRR-TGT-REVOKED(20),
eRR-CLIENT-NOTYET(21),
eRR-SERVICE-NOTYET(22),
eRR-KEY-EXP(23),
eRR-PREAUTH-FAILED(24),
eRR-PREAUTH-REQUIRED(25),
eRR-SERVER-NOMATCH(26),
eRR-MUST-USE-USER2USER(27),
eRR-PATH-NOT-ACCEPTED(28),
eRR-SVC-UNAVAILABLE(29),
eRR-BAD-INTEGRITY(31),
eRR-TKT-EXPIRED(32),
eRR-TKT-NYV(33),
eRR-REPEAT(34),
eRR-NOT-US(35),
eRR-BADMATCH(36),
eRR-SKEW(37),
eRR-BADADDR(38),
eRR-BADVERSION(39),
eRR-MSG-TYPE(40),
eRR-MODIFIED(41),
eRR-BADORDER(42),
eRR-ILL-CR-TKT(43),
eRR-BADKEYVER(44),
eRR-NOKEY(45),
eRR-MUT-FAIL(46),
eRR-BADDIRECTION(47),
eRR-METHOD(48),
eRR-BADSEQ(49),
eRR-INAPP-CKSUM(50),
pATH-NOT-ACCEPTED(51),
eRR-RESPONSE-TOO-BIG(52),
eRR-GENERIC(60),
eRR-FIELD-TOOLONG(61),
eRROR-CLIENT-NOT-TRUSTED(62),
eRROR-KDC-NOT-TRUSTED(63),
eRROR-INVALID-SIG(64),
eRR-KEY-TOO-WEAK(65),
eRR-CERTIFICATE-MISMATCH(66),
eRR-NO-TGT(67),
eRR-WRONG-REALM(68),
eRR-USER-TO-USER-REQUIRED(69),
eRR-CANT-VERIFY-CERTIFICATE(70),
eRR-INVALID-CERTIFICATE(71),
eRR-REVOKED-CERTIFICATE(72),
eRR-REVOCATION-STATUS-UNKNOWN(73),
eRR-REVOCATION-STATUS-UNAVAILABLE(74),
eRR-CLIENT-NAME-MISMATCH(75),
eRR-KDC-NAME-MISMATCH(76)
}
-- this is sugar to make something ASN1 does not have: unsigned
Krb5uint32 ::= INTEGER (0..4294967295)
Krb5int32 ::= INTEGER (-2147483648..2147483647)
--KerberosString ::= GeneralString
--Realm ::= GeneralString
--PrincipalName ::= SEQUENCE {
-- name-type[0] NAME-TYPE,
-- name-string[1] SEQUENCE OF GeneralString
--}
-- this is not part of RFC1510
Principal ::= SEQUENCE {
name[0] PrincipalName,
realm[1] Realm
}
--HostAddress ::= SEQUENCE {
-- addr-type [0] Krb5int32,
-- address [1] OCTET STRING
--}
-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
-- addr-type[0] Krb5int32,
-- address[1] OCTET STRING
-- }
-- This seems much better.
--HostAddresses ::= SEQUENCE OF HostAddress
--KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z)
--AuthorizationDataElement ::= SEQUENCE {
-- ad-type[0] Krb5int32,
-- ad-data[1] OCTET STRING
--}
--AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
APOptions ::= BIT STRING {
reserved(0),
use-session-key(1),
mutual-required(2)
}
TicketFlags ::= BIT STRING {
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
may-postdate(5),
postdated(6),
invalid(7),
renewable(8),
initial(9),
pre-authent(10),
hw-authent(11),
transited-policy-checked(12),
ok-as-delegate(13),
unused(14),
enc-pa-rep(15),
anonymous(16)
}
KDCOptions ::= BIT STRING {
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
allow-postdate(5),
postdated(6),
unused7(7),
renewable(8),
unused9(9),
unused10(10),
opt-hardware-auth(11), -- taken from KerberosV5Spec2.asn
unused12(12),
unused13(13),
constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
canonicalize(15),
request-anonymous(16),
unused17(17),
unused18(18),
unused19(19),
unused20(20),
unused21(21),
unused22(22),
unused23(23),
unused24(24),
unused25(25),
disable-transited-check(26),
renewable-ok(27),
enc-tkt-in-skey(28),
unused29(29),
renew(30),
validate(31)
}
LR-TYPE ::= INTEGER {
lR-NONE(0), -- no information
lR-INITIAL-TGT(1), -- last initial TGT request
lR-INITIAL(2), -- last initial request
lR-ISSUE-USE-TGT(3), -- time of newest TGT used
lR-RENEWAL(4), -- time of last renewal
lR-REQUEST(5), -- time of last request (of any type)
lR-PW-EXPTIME(6), -- expiration time of password
lR-ACCT-EXPTIME(7) -- expiration time of account
}
--LastReq ::= SEQUENCE OF SEQUENCE {
-- lr-type[0] LR-TYPE,
-- lr-value[1] KerberosTime
--}
--EncryptedData ::= SEQUENCE {
-- etype[0] ENCTYPE, - - EncryptionType
-- kvno[1] Krb5int32 OPTIONAL,
-- cipher[2] OCTET STRING - - ciphertext
--}
--EncryptionKey ::= SEQUENCE {
-- keytype[0] Krb5int32,
-- keyvalue[1] OCTET STRING
--}
-- encoded Transited field
--TransitedEncoding ::= SEQUENCE {
-- tr-type[0] Krb5int32, - - must be registered
-- contents[1] OCTET STRING
--}
--Ticket ::= [APPLICATION 1] SEQUENCE {
-- tkt-vno[0] Krb5int32,
-- realm[1] Realm,
-- sname[2] PrincipalName,
-- enc-part[3] EncryptedData
--}
-- Encrypted part of ticket
--EncTicketPart ::= [APPLICATION 3] SEQUENCE {
-- flags[0] TicketFlags,
-- key[1] EncryptionKey,
-- crealm[2] Realm,
-- cname[3] PrincipalName,
-- transited[4] TransitedEncoding,
-- authtime[5] KerberosTime,
-- starttime[6] KerberosTime OPTIONAL,
-- endtime[7] KerberosTime,
-- renew-till[8] KerberosTime OPTIONAL,
-- caddr[9] HostAddresses OPTIONAL,
-- authorization-data[10] AuthorizationData OPTIONAL
--}
--Checksum ::= SEQUENCE {
-- cksumtype[0] CKSUMTYPE,
-- checksum[1] OCTET STRING
--}
--Authenticator ::= [APPLICATION 2] SEQUENCE {
-- authenticator-vno[0] Krb5int32,
-- crealm[1] Realm,
-- cname[2] PrincipalName,
-- cksum[3] Checksum OPTIONAL,
-- cusec[4] Krb5int32,
-- ctime[5] KerberosTime,
-- subkey[6] EncryptionKey OPTIONAL,
-- seq-number[7] Krb5uint32 OPTIONAL,
-- authorization-data[8] AuthorizationData OPTIONAL
--}
--PA-DATA ::= SEQUENCE {
-- might be encoded AP-REQ
-- padata-type[1] PADATA-TYPE,
-- padata-value[2] OCTET STRING
--}
--ETYPE-INFO-ENTRY ::= SEQUENCE {
-- etype[0] ENCTYPE,
-- salt[1] OCTET STRING OPTIONAL,
-- salttype[2] Krb5int32 OPTIONAL
--}
--ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
--ETYPE-INFO2-ENTRY ::= SEQUENCE {
-- etype[0] ENCTYPE,
-- salt[1] KerberosString OPTIONAL,
-- s2kparams[2] OCTET STRING OPTIONAL
--}
--ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
-- METHOD-DATA ::= SEQUENCE OF PA-DATA
--TypedData ::= SEQUENCE {
-- data-type[0] Krb5int32,
-- data-value[1] OCTET STRING OPTIONAL
--}
--TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
--KDC-REQ-BODY ::= SEQUENCE {
-- kdc-options[0] KDCOptions,
-- cname[1] PrincipalName OPTIONAL, - - Used only in AS-REQ
-- realm[2] Realm, - - Server's realm
-- Also client's in AS-REQ
-- sname[3] PrincipalName OPTIONAL,
-- from[4] KerberosTime OPTIONAL,
-- till[5] KerberosTime OPTIONAL,
-- rtime[6] KerberosTime OPTIONAL,
-- nonce[7] Krb5int32,
-- etype[8] SEQUENCE OF ENCTYPE, - - EncryptionType,
-- in preference order
-- addresses[9] HostAddresses OPTIONAL,
-- enc-authorization-data[10] EncryptedData OPTIONAL,
-- Encrypted AuthorizationData encoding
-- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
--}
--KDC-REQ ::= SEQUENCE {
-- pvno[1] Krb5int32,
-- msg-type[2] MESSAGE-TYPE,
-- padata[3] METHOD-DATA OPTIONAL,
-- req-body[4] KDC-REQ-BODY
--}
--AS-REQ ::= [APPLICATION 10] KDC-REQ
--TGS-REQ ::= [APPLICATION 12] KDC-REQ
-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
--PA-ENC-TS-ENC ::= SEQUENCE {
-- patimestamp[0] KerberosTime, - - client's time
-- pausec[1] Krb5int32 OPTIONAL
--}
-- WS put extensions found elsewhere here
-- draft-brezak-win2k-krb-authz-01
-- MS-KILE: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile
-- MS-SFU: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu
PA-PAC-REQUEST ::= SEQUENCE {
include-pac[0] BOOLEAN -- Indicates whether a PAC
-- should be included or not
}
-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
PROV-SRV-LOCATION ::= GeneralString
--KDC-REP ::= SEQUENCE {
-- pvno[0] Krb5int32,
-- msg-type[1] MESSAGE-TYPE,
-- padata[2] METHOD-DATA OPTIONAL,
-- crealm[3] Realm,
-- cname[4] PrincipalName,
-- ticket[5] Ticket,
-- enc-part[6] EncryptedData
--}
--AS-REP ::= [APPLICATION 11] KDC-REP
--TGS-REP ::= [APPLICATION 13] KDC-REP
--EncKDCRepPart ::= SEQUENCE {
-- key[0] EncryptionKey,
-- last-req[1] LastReq,
-- nonce[2] Krb5int32,
-- key-expiration[3] KerberosTime OPTIONAL,
-- flags[4] TicketFlags,
-- authtime[5] KerberosTime,
-- starttime[6] KerberosTime OPTIONAL,
-- endtime[7] KerberosTime,
-- renew-till[8] KerberosTime OPTIONAL,
-- srealm[9] Realm,
-- sname[10] PrincipalName,
-- caddr[11] HostAddresses OPTIONAL,
-- encrypted-pa-data[12] METHOD-DATA OPTIONAL
--}
--EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
--EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
--AP-REQ ::= [APPLICATION 14] SEQUENCE {
-- pvno[0] Krb5int32,
-- msg-type[1] MESSAGE-TYPE,
-- ap-options[2] APOptions,
-- ticket[3] Ticket,
-- authenticator[4] EncryptedData
--}
--AP-REP ::= [APPLICATION 15] SEQUENCE {
-- pvno[0] Krb5int32,
-- msg-type[1] MESSAGE-TYPE,
-- enc-part[2] EncryptedData
--}
--EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
-- ctime[0] KerberosTime,
-- cusec[1] Krb5int32,
-- subkey[2] EncryptionKey OPTIONAL,
-- seq-number[3] Krb5uint32 OPTIONAL
--}
--KRB-SAFE-BODY ::= SEQUENCE {
-- user-data[0] OCTET STRING,
-- timestamp[1] KerberosTime OPTIONAL,
-- usec[2] Krb5int32 OPTIONAL,
-- seq-number[3] Krb5uint32 OPTIONAL,
-- s-address[4] HostAddress OPTIONAL,
-- r-address[5] HostAddress OPTIONAL
--}
--KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
-- pvno[0] Krb5int32,
-- msg-type[1] MESSAGE-TYPE,
-- safe-body[2] KRB-SAFE-BODY,
-- cksum[3] Checksum
--}
--KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
-- pvno[0] Krb5int32,
-- msg-type[1] MESSAGE-TYPE,
-- enc-part[3] EncryptedData
--}
--EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
-- user-data[0] OCTET STRING,
-- timestamp[1] KerberosTime OPTIONAL,
-- usec[2] Krb5int32 OPTIONAL,
-- seq-number[3] Krb5uint32 OPTIONAL,
-- s-address[4] HostAddress OPTIONAL, - - sender's addr
-- r-address[5] HostAddress OPTIONAL - - recip's addr
--}
--KRB-CRED ::= [APPLICATION 22] SEQUENCE {
-- pvno[0] Krb5int32,
-- msg-type[1] MESSAGE-TYPE, - - KRB_CRED
-- tickets[2] SEQUENCE OF Ticket,
-- enc-part[3] EncryptedData
--}
--KrbCredInfo ::= SEQUENCE {
-- key[0] EncryptionKey,
-- prealm[1] Realm OPTIONAL,
-- pname[2] PrincipalName OPTIONAL,
-- flags[3] TicketFlags OPTIONAL,
-- authtime[4] KerberosTime OPTIONAL,
-- starttime[5] KerberosTime OPTIONAL,
-- endtime[6] KerberosTime OPTIONAL,
-- renew-till[7] KerberosTime OPTIONAL,
-- srealm[8] Realm OPTIONAL,
-- sname[9] PrincipalName OPTIONAL,
-- caddr[10] HostAddresses OPTIONAL
--}
--EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
-- ticket-info[0] SEQUENCE OF KrbCredInfo,
-- nonce[1] Krb5int32 OPTIONAL,
-- timestamp[2] KerberosTime OPTIONAL,
-- usec[3] Krb5int32 OPTIONAL,
-- s-address[4] HostAddress OPTIONAL,
-- r-address[5] HostAddress OPTIONAL
--}
--KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
-- pvno[0] Krb5int32,
-- msg-type[1] MESSAGE-TYPE,
-- ctime[2] KerberosTime OPTIONAL,
-- cusec[3] Krb5int32 OPTIONAL,
-- stime[4] KerberosTime,
-- susec[5] Krb5int32,
-- error-code[6] Krb5int32,
-- crealm[7] Realm OPTIONAL,
-- cname[8] PrincipalName OPTIONAL,
-- realm[9] Realm, - - Correct realm
-- sname[10] PrincipalName, - - Correct name
-- e-text[11] GeneralString OPTIONAL,
-- e-data[12] OCTET STRING OPTIONAL
--}
ChangePasswdDataMS ::= SEQUENCE {
newpasswd[0] OCTET STRING,
targname[1] PrincipalName OPTIONAL,
targrealm[2] Realm OPTIONAL
}
EtypeList ::= SEQUENCE OF Krb5int32
-- the client's proposed enctype list in
-- decreasing preference order, favorite choice first
--krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number
-- transited encodings
--DOMAIN-X500-COMPRESS Krb5int32 ::= 1
-- authorization data primitives
--AD-IF-RELEVANT ::= AuthorizationData
--AD-KDCIssued ::= SEQUENCE {
-- ad-checksum[0] Checksum,
-- i-realm[1] Realm OPTIONAL,
-- i-sname[2] PrincipalName OPTIONAL,
-- elements[3] AuthorizationData
--}
--AD-AND-OR ::= SEQUENCE {
-- condition-count[0] INTEGER,
-- elements[1] AuthorizationData
--}
--AD-MANDATORY-FOR-KDC ::= AuthorizationData
-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
PA-SAM-TYPE ::= INTEGER {
pA-SAM-TYPE-ENIGMA(1), -- Enigma Logic
pA-SAM-TYPE-DIGI-PATH(2), -- Digital Pathways
pA-SAM-TYPE-SKEY-K0(3), -- S/key where KDC has key 0
pA-SAM-TYPE-SKEY(4), -- Traditional S/Key
pA-SAM-TYPE-SECURID(5), -- Security Dynamics
pA-SAM-TYPE-CRYPTOCARD(6) -- CRYPTOCard
}
PA-SAM-REDIRECT ::= HostAddresses
SAMFlags ::= BIT STRING {
use-sad-as-key(0),
send-encrypted-sad(1),
must-pk-encrypt-sad(2)
}
PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
sam-type[0] Krb5int32,
sam-flags[1] SAMFlags,
sam-type-name[2] GeneralString OPTIONAL,
sam-track-id[3] GeneralString OPTIONAL,
sam-challenge-label[4] GeneralString OPTIONAL,
sam-challenge[5] GeneralString OPTIONAL,
sam-response-prompt[6] GeneralString OPTIONAL,
sam-pk-for-sad[7] EncryptionKey OPTIONAL,
sam-nonce[8] Krb5int32,
sam-etype[9] Krb5int32,
...
}
PA-SAM-CHALLENGE-2 ::= SEQUENCE {
sam-body[0] PA-SAM-CHALLENGE-2-BODY,
sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
...
}
PA-SAM-RESPONSE-2 ::= SEQUENCE {
sam-type[0] Krb5int32,
sam-flags[1] SAMFlags,
sam-track-id[2] GeneralString OPTIONAL,
sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
sam-nonce[4] Krb5int32,
...
}
PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
sam-nonce[0] Krb5int32,
sam-sad[1] GeneralString OPTIONAL,
...
}
PA-S4U2Self ::= SEQUENCE {
name[0] PrincipalName,
realm[1] Realm,
cksum[2] Checksum,
auth[3] GeneralString
}
PA-S4U-X509-USER::= SEQUENCE {
user-id[0] S4UUserID,
checksum[1] Checksum
}
S4UUserID ::= SEQUENCE {
nonce [0] UInt32, -- the nonce in KDC-REQ-BODY
cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
crealm [2] Realm,
subject-certificate [3] OCTET STRING OPTIONAL,
options [4] BIT STRING OPTIONAL,
...
}
KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
-- never encoded on the wire, just used to checksum over
KRB5SignedPathData ::= SEQUENCE {
encticket[0] EncTicketPart,
delegated[1] KRB5SignedPathPrincipals OPTIONAL
}
KRB5SignedPath ::= SEQUENCE {
-- DERcoded KRB5SignedPathData
-- krbtgt key (etype), KeyUsage = XXX
etype[0] ENCTYPE,
cksum[1] Checksum,
-- srvs delegated though
delegated[2] KRB5SignedPathPrincipals OPTIONAL
}
PA-ClientCanonicalizedNames ::= SEQUENCE{
requested-name [0] PrincipalName,
mapped-name [1] PrincipalName
}
PA-ClientCanonicalized ::= SEQUENCE {
names [0] PA-ClientCanonicalizedNames,
canon-checksum [1] Checksum
}
AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
login-alias [0] PrincipalName,
checksum [1] Checksum
}
-- old ms referral
PA-SvrReferralData ::= SEQUENCE {
referred-name [1] PrincipalName OPTIONAL,
referred-realm [0] Realm
}
PA-SERVER-REFERRAL-DATA ::= EncryptedData
PA-ServerReferralData ::= SEQUENCE {
referred-realm [0] Realm OPTIONAL,
true-principal-name [1] PrincipalName OPTIONAL,
requested-principal-name [2] PrincipalName OPTIONAL,
referral-valid-until [3] KerberosTime OPTIONAL,
...
}
PAC-OPTIONS-FLAGS ::= BIT STRING {
claims(0),
branch-aware(1),
forward-to-full-dc(2),
resource-based-constrained-delegation(3)
}
PA-PAC-OPTIONS ::= SEQUENCE {
flags [0] PAC-OPTIONS-FLAGS
}
-- [MS-KILE]
-- captures show that [UNIVERSAL 16] is required to parse it
KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
restriction-type [0] Int32,
restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
}
-- [MS-KILE]
-- Section 2.2.11
PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE
-- Section 2.2.12
-- This is EncryptionKey but we're redefining it so it's named
PA-KERB-KEY-LIST-REP-Key ::= EncryptionKey
PA-KERB-KEY-LIST-REP ::= SEQUENCE OF PA-KERB-KEY-LIST-REP-Key
END
-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
Reference in New Issue View Git Blame Copy Permalink