1 -- lib/krb5/asn.1/KRB5-asn.py
2 --
3 -- Copyright 1989 by the Massachusetts Institute of Technology.
4 --
5 -- Export of this software from the United States of America may
6 --   require a specific license from the United States Government.
7 --   It is the responsibility of any person or organization contemplating
8 --   export to obtain such a license before exporting.
9 -- 
10 -- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
11 -- distribute this software and its documentation for any purpose and
12 -- without fee is hereby granted, provided that the above copyright
13 -- notice appear in all copies and that both that copyright notice and
14 -- this permission notice appear in supporting documentation, and that
15 -- the name of M.I.T. not be used in advertising or publicity pertaining
16 -- to distribution of the software without specific, written prior
17 -- permission.  Furthermore if you modify this software you must label
18 -- your software as modified software and not distribute it in such a
19 -- fashion that it might be confused with the original M.I.T. software.
20 -- M.I.T. makes no representations about the suitability of
21 -- this software for any purpose.  It is provided "as is" without express
22 -- or implied warranty.
23 --
24 -- ASN.1 definitions for the kerberos network objects
25 --
26 -- Do not change the order of any structure containing some
27 -- element_KRB5_xx unless the corresponding translation code is also
28 -- changed.
29 --
30
31 KRB5 DEFINITIONS ::=
32 BEGIN
33
-- needed to do the Right Thing with pepsy; this isn't a valid ASN.1
-- token, however.
-- (Presumably it selects which code sections pepsy generates from this
-- module -- confirm against the pepsy build.  A standards-conforming
-- ASN.1 compiler will reject this line, so the module is not portable
-- as written.)

SECTIONS encode decode none
38
39 -- the order of stuff in this file matches the order in the draft RFC
40
-- Realm: a Kerberos realm name.  An unconstrained GeneralString: this
-- module imposes no length or character-set bound, so any limit is
-- enforced by the decoder / translation code rather than the encoding.
Realm ::= GeneralString
42
-- HostAddress: one network address as an (addr-type, address) pair.
-- addr-type is an unconstrained INTEGER and address an unconstrained
-- OCTET STRING; the address length expected for a given addr-type is
-- not expressed in this module.
HostAddress ::= SEQUENCE  {
        addr-type[0]                    INTEGER,
        address[1]                      OCTET STRING
}
47
-- HostAddresses: a list of addresses.  The element type is spelled
-- out inline but is field-for-field identical to HostAddress above;
-- keep the two in sync (see the element_KRB5_xx ordering note at the
-- top of this file before changing either).
HostAddresses ::=       SEQUENCE OF SEQUENCE {
        addr-type[0]    INTEGER,
        address[1]      OCTET STRING
}
52
-- AuthorizationData: a list of (ad-type, ad-data) elements.  ad-data
-- is an opaque OCTET STRING whose interpretation depends on ad-type;
-- that interpretation is not described in this module.
AuthorizationData ::=   SEQUENCE OF SEQUENCE {
        ad-type[0]      INTEGER,
        ad-data[1]      OCTET STRING
}
57
-- KDCOptions: request flag bits carried in KDC-REQ-BODY.kdc-options.
-- The named positions are not contiguous: bits 10..26 and 29 have no
-- name here, and 7 and 9 are explicitly unused.  TicketFlags names
-- the same low range (0..9) but differs at positions 5, 7 and 9.
KDCOptions ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        allow-postdate(5),
        postdated(6),
        unused7(7),
        renewable(8),
        unused9(9),
        renewable-ok(27),
        enc-tkt-in-skey(28),
        renew(30),
        validate(31)
}
74
-- LastReq: list of (lr-type, lr-value) entries; returned to the
-- client in EncKDCRepPart.last-req.  lr-value is a KerberosTime.
LastReq ::=     SEQUENCE OF SEQUENCE {
        lr-type[0]      INTEGER,
        lr-value[1]     KerberosTime
}
79
-- KerberosTime: whole-second timestamps only.  Where finer precision
-- is needed the messages below pair it with a separate INTEGER field
-- (cusec, usec, susec, pausec, sam-usec) -- presumably microseconds;
-- confirm against the translation code.
KerberosTime ::=        GeneralizedTime -- Specifying UTC time zone (Z)
81
-- PrincipalName: a name-type plus a SEQUENCE OF GeneralString
-- components.  Neither the number of components nor the length of
-- any component is bounded by this module.
PrincipalName ::= SEQUENCE{
        name-type[0]    INTEGER,
        name-string[1]  SEQUENCE OF GeneralString
}
86
-- Ticket: [APPLICATION 1].  Only tkt-vno, the service realm and name
-- are in the clear; everything else lives in enc-part, an
-- EncryptedData whose plaintext is an EncTicketPart.
Ticket ::=      [APPLICATION 1] SEQUENCE {
        tkt-vno[0]      INTEGER,
        realm[1]        Realm,
        sname[2]        PrincipalName,
        enc-part[3]     EncryptedData   -- EncTicketPart
}
93
-- TransitedEncoding: the realms a ticket has passed through, as an
-- encoding type plus opaque contents.  The module does not constrain
-- tr-type; the inline comment records that the translation code only
-- handles value 1.
TransitedEncoding ::= SEQUENCE {
        tr-type[0]      INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS
        contents[1]     OCTET STRING
}
98
-- Encrypted part of ticket
-- EncTicketPart: [APPLICATION 3]; the plaintext of Ticket.enc-part.
-- Carries the ticket flags, the key (EncryptionKey), the client
-- identity, the transit path, the validity times and, optionally,
-- client addresses and authorization data.  authtime and endtime are
-- mandatory; starttime and renew-till are OPTIONAL.
EncTicketPart ::=       [APPLICATION 3] SEQUENCE {
        flags[0]        TicketFlags,
        key[1]          EncryptionKey,
        crealm[2]       Realm,
        cname[3]        PrincipalName,
        transited[4]    TransitedEncoding,
        authtime[5]     KerberosTime,
        starttime[6]    KerberosTime OPTIONAL,
        endtime[7]      KerberosTime,
        renew-till[8]   KerberosTime OPTIONAL,
        caddr[9]        HostAddresses OPTIONAL,
        authorization-data[10]  AuthorizationData OPTIONAL
}
113
-- Unencrypted authenticator
-- Authenticator: [APPLICATION 2]; the plaintext of AP-REQ.authenticator
-- (see the comment on that field).  cusec and ctime are mandatory;
-- cksum, subkey, seq-number and authorization-data are OPTIONAL, so
-- their absence is valid at the encoding level and any requirement
-- for them must be enforced by the caller.
Authenticator ::=       [APPLICATION 2] SEQUENCE  {
        authenticator-vno[0]    INTEGER,
        crealm[1]               Realm,
        cname[2]                PrincipalName,
        cksum[3]                Checksum OPTIONAL,
        cusec[4]                INTEGER,
        ctime[5]                KerberosTime,
        subkey[6]               EncryptionKey OPTIONAL,
        seq-number[7]           INTEGER OPTIONAL,
        authorization-data[8]   AuthorizationData OPTIONAL
}
126
-- TicketFlags: flag bits stored in EncTicketPart.flags and echoed in
-- EncKDCRepPart.flags and KRB-CRED-INFO.flags.  Only bits 0..9 are
-- named.  KDCOptions is the request-side counterpart; the two agree
-- on bits 0..4, 6 and 8 but differ at 5, 7 and 9.
TicketFlags ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        may-postdate(5),
        postdated(6),
        invalid(7),
        renewable(8),
        initial(9)
}
139
-- AS-REQ and TGS-REQ share the KDC-REQ structure and differ only in
-- the APPLICATION tag (10 vs 12).  KDC-REQ.msg-type is a plain
-- INTEGER and nothing in this module ties it to the outer tag; a
-- decoder has to check that the two agree.
AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ
142
-- KDC-REQ: the common body of AS-REQ / TGS-REQ.  Note the context
-- tags start at [1] -- there is no [0] -- unlike KDC-REP below.
-- padata is an OPTIONAL list of PA-DATA; the request proper is in
-- req-body.
KDC-REQ ::= SEQUENCE {
        pvno[1]         INTEGER,
        msg-type[2]     INTEGER,
        padata[3]       SEQUENCE OF PA-DATA OPTIONAL,
        req-body[4]     KDC-REQ-BODY
}
149
-- PA-DATA: one pre-authentication element.  Tags start at [1], as in
-- KDC-REQ.  pa-data is an opaque OCTET STRING whose contents depend
-- on padata-type and must be decoded in a second step (the inline
-- comment notes it may itself be an encoded AP-REQ).
PA-DATA ::= SEQUENCE {
        padata-type[1]  INTEGER,
        pa-data[2]      OCTET STRING -- might be encoded AP-REQ
}
154
-- KDC-REQ-BODY: the request proper.  realm, till, nonce and etype are
-- mandatory; cname (AS-REQ only, per the field comment), sname, from,
-- rtime, addresses, enc-authorization-data and additional-tickets are
-- OPTIONAL.  etype lists acceptable encryption types in preference
-- order.  enc-authorization-data is an EncryptedData whose plaintext
-- is AuthorizationData; additional-tickets carries whole Ticket
-- values.
KDC-REQ-BODY ::=        SEQUENCE {
         kdc-options[0] KDCOptions,
         cname[1]       PrincipalName OPTIONAL, -- Used only in AS-REQ
         realm[2]       Realm, -- Server's realm  Also client's in AS-REQ
         sname[3]       PrincipalName OPTIONAL,
         from[4]        KerberosTime OPTIONAL,
         till[5]        KerberosTime,
         rtime[6]       KerberosTime OPTIONAL,
         nonce[7]       INTEGER,
         etype[8]       SEQUENCE OF INTEGER, -- EncryptionType, 
                        -- in preference order
         addresses[9]   HostAddresses OPTIONAL,
         enc-authorization-data[10]     EncryptedData OPTIONAL, 
                        -- AuthorizationData
         additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
}
171
-- AS-REP and TGS-REP share the KDC-REP structure and differ only in
-- the APPLICATION tag (11 vs 13); as with the requests, the module
-- does not tie KDC-REP.msg-type to the outer tag.
AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP
-- KDC-REP: the common body of AS-REP / TGS-REP.  Tags start at [0]
-- here (contrast KDC-REQ).  The Ticket is carried in the clear in
-- ticket[5]; the client's copy of the key and times is in enc-part,
-- an EncryptedData whose plaintext is an EncKDCRepPart.
KDC-REP ::= SEQUENCE {
        pvno[0]                         INTEGER,
        msg-type[1]                     INTEGER,
        padata[2]                       SEQUENCE OF PA-DATA OPTIONAL,
        crealm[3]                       Realm,
        cname[4]                        PrincipalName,
        ticket[5]                       Ticket,         -- Ticket
        enc-part[6]                     EncryptedData   -- EncKDCRepPart
}
183
-- EncASRepPart / EncTGSRepPart: the same EncKDCRepPart under
-- APPLICATION tags 25 and 26 respectively.
EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-- EncKDCRepPart: the plaintext of KDC-REP.enc-part.  Carries the key
-- the client will use, the last-req list, a nonce (presumably meant
-- to match KDC-REQ-BODY.nonce -- that comparison is the caller's job,
-- not the encoding's), the ticket flags and times, and the service
-- realm/name.  key-expiration, starttime, renew-till and caddr are
-- OPTIONAL.
EncKDCRepPart ::=  SEQUENCE {
        key[0]          EncryptionKey,
        last-req[1]     LastReq,
        nonce[2]        INTEGER,
        key-expiration[3]       KerberosTime OPTIONAL,
        flags[4]        TicketFlags,
        authtime[5]     KerberosTime,
        starttime[6]    KerberosTime OPTIONAL,
        endtime[7]      KerberosTime,
        renew-till[8]   KerberosTime OPTIONAL,
        srealm[9]       Realm,
        sname[10]       PrincipalName,
        caddr[11]       HostAddresses OPTIONAL
}
200
-- AP-REQ: [APPLICATION 14].  A Ticket (in the clear) plus an
-- EncryptedData whose plaintext is an Authenticator, with APOptions
-- selecting session-key use and mutual authentication.  All fields
-- are mandatory.
AP-REQ ::= [APPLICATION 14] SEQUENCE {
        pvno[0]                         INTEGER,
        msg-type[1]                     INTEGER,
        ap-options[2]                   APOptions,
        ticket[3]                       Ticket,
        authenticator[4]                EncryptedData   -- Authenticator
}
208
-- APOptions: AP-REQ option bits.  Only bits 0..2 are named; no
-- SIZE constraint is given.
APOptions ::= BIT STRING {
        reserved(0),
        use-session-key(1),
        mutual-required(2)
}
214
-- AP-REP: [APPLICATION 15].  Nothing but version, message type and an
-- EncryptedData whose plaintext is an EncAPRepPart.
AP-REP ::= [APPLICATION 15] SEQUENCE {
        pvno[0]                         INTEGER,
        msg-type[1]                     INTEGER,
        enc-part[2]                     EncryptedData   -- EncAPRepPart
}
220
-- EncAPRepPart: [APPLICATION 27]; the plaintext of AP-REP.enc-part.
-- ctime and cusec are mandatory; subkey and seq-number are OPTIONAL.
-- The same four fields appear in Authenticator under different tags
-- and in a different order.
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
        ctime[0]                        KerberosTime,
        cusec[1]                        INTEGER,
        subkey[2]                       EncryptionKey OPTIONAL,
        seq-number[3]                   INTEGER OPTIONAL
}
227
-- KRB-SAFE: [APPLICATION 20].  safe-body travels in the clear and is
-- integrity-protected only by cksum.  Whether that Checksum is keyed
-- is not something this module can express (the Kerberos spec
-- requires a keyed checksum here); the check belongs in the
-- translation code.
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
        pvno[0]                         INTEGER,
        msg-type[1]                     INTEGER,
        safe-body[2]                    KRB-SAFE-BODY,
        cksum[3]                        Checksum                        
}
234
-- KRB-SAFE-BODY: cleartext payload of KRB-SAFE.  user-data and
-- s-address are mandatory; timestamp, usec, seq-number and r-address
-- are OPTIONAL.  Because every freshness field is OPTIONAL, an
-- encoding with none of them is valid -- any replay-detection
-- requirement has to be enforced by the caller.
KRB-SAFE-BODY ::= SEQUENCE {
        user-data[0]                    OCTET STRING,
        timestamp[1]                    KerberosTime OPTIONAL,
        usec[2]                         INTEGER OPTIONAL,
        seq-number[3]                   INTEGER OPTIONAL,
        s-address[4]                    HostAddress,    -- sender's addr
        r-address[5]                    HostAddress OPTIONAL -- recip's addr 
}
243
-- KRB-PRIV: [APPLICATION 21].  enc-part is tagged [3]; there is no [2]
-- in this SEQUENCE, so do not "fix" the gap -- it is part of the wire
-- format.  The plaintext of enc-part is an EncKrbPrivPart.
KRB-PRIV ::=    [APPLICATION 21] SEQUENCE {
        pvno[0]         INTEGER,
        msg-type[1]     INTEGER,
        enc-part[3]     EncryptedData   -- EncKrbPrivPart 
}
249
-- EncKrbPrivPart: [APPLICATION 28]; the plaintext of KRB-PRIV.enc-part.
-- Field-for-field the same as KRB-SAFE-BODY, but carried encrypted
-- rather than in the clear with a checksum.  As there, all the
-- freshness fields are OPTIONAL.
EncKrbPrivPart ::=      [APPLICATION 28] SEQUENCE {
        user-data[0]    OCTET STRING,
        timestamp[1]    KerberosTime OPTIONAL,
        usec[2]         INTEGER OPTIONAL,
        seq-number[3]   INTEGER OPTIONAL,
        s-address[4]    HostAddress,    -- sender's addr
        r-address[5]    HostAddress OPTIONAL    -- recip's addr 
}
258
259 -- The KRB-CRED message allows easy forwarding of credentials.
260
-- KRB-CRED: [APPLICATION 22].  The tickets themselves are sent in the
-- clear in tickets[2]; the keys that make them usable are inside
-- enc-part, an EncryptedData whose plaintext is an EncKrbCredPart.
KRB-CRED ::= [APPLICATION 22] SEQUENCE {
        pvno[0]         INTEGER,
        msg-type[1]     INTEGER, -- KRB_CRED
        tickets[2]      SEQUENCE OF Ticket,
        enc-part[3]     EncryptedData -- EncKrbCredPart 
}
267
-- EncKrbCredPart: [APPLICATION 29]; the plaintext of KRB-CRED.enc-part.
-- ticket-info is the only mandatory field and holds one KRB-CRED-INFO
-- per ticket (presumably parallel to KRB-CRED.tickets -- confirm in
-- the translation code; the module does not enforce equal lengths).
-- nonce, timestamp, usec and both addresses are OPTIONAL.
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
        ticket-info[0]  SEQUENCE OF KRB-CRED-INFO,      
        nonce[1]        INTEGER OPTIONAL,
        timestamp[2]    KerberosTime OPTIONAL,
        usec[3]         INTEGER OPTIONAL,
        s-address[4]    HostAddress OPTIONAL,
        r-address[5]    HostAddress OPTIONAL
}
276
-- KRB-CRED-INFO: the key for one forwarded ticket plus, optionally,
-- the metadata the recipient would otherwise have to get from the
-- ticket's encrypted part.  key[0] is the only mandatory field; every
-- other field is OPTIONAL.
KRB-CRED-INFO   ::=     SEQUENCE {
        key[0]          EncryptionKey,
        prealm[1]       Realm OPTIONAL,
        pname[2]        PrincipalName OPTIONAL,
        flags[3]        TicketFlags OPTIONAL,
        authtime[4]     KerberosTime OPTIONAL,
        starttime[5]    KerberosTime OPTIONAL,
        endtime[6]      KerberosTime OPTIONAL,
        renew-till[7]   KerberosTime OPTIONAL,
        srealm[8]       Realm OPTIONAL,
        sname[9]        PrincipalName OPTIONAL,
        caddr[10]       HostAddresses OPTIONAL 
}
290
-- KRB-ERROR: [APPLICATION 30].  stime, susec, error-code, realm and
-- sname are mandatory; the client-side fields (ctime, cusec, crealm,
-- cname) are OPTIONAL.  e-text is an unbounded GeneralString and
-- e-data an opaque OCTET STRING whose format depends on error-code;
-- neither is constrained or described by this module, so consumers
-- must treat both as untrusted input.
KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
        pvno[0]         INTEGER,
        msg-type[1]     INTEGER,
        ctime[2]        KerberosTime OPTIONAL,
        cusec[3]        INTEGER OPTIONAL,
        stime[4]        KerberosTime,
        susec[5]        INTEGER,
        error-code[6]   INTEGER,
        crealm[7]       Realm OPTIONAL,
        cname[8]        PrincipalName OPTIONAL,
        realm[9]        Realm, -- Correct realm
        sname[10]       PrincipalName, -- Correct name
        e-text[11]      GeneralString OPTIONAL,
        e-data[12]      OCTET STRING OPTIONAL
}
306
-- EncryptedData: the common envelope for every enc-part above.
-- etype selects the encryption type, kvno (OPTIONAL) the key version,
-- and cipher holds the ciphertext.  There is no separate integrity
-- field in this structure; any integrity protection is a property of
-- the encryption type selected by etype, not of the encoding.
EncryptedData ::=       SEQUENCE {
        etype[0]        INTEGER, -- EncryptionType
        kvno[1]         INTEGER OPTIONAL,
        cipher[2]       OCTET STRING -- CipherText
}
312
-- EncryptionKey: key type plus raw key bytes.  keyvalue has no length
-- bound here; the length appropriate to keytype must be checked by
-- the code that consumes the decoded key.
EncryptionKey ::= SEQUENCE {
        keytype[0]                      INTEGER,
        keyvalue[1]                     OCTET STRING
}
317
-- Checksum: checksum type plus the checksum bytes.  As with
-- EncryptionKey, the expected length for a given cksumtype is not
-- expressed in this module.
Checksum ::= SEQUENCE {
        cksumtype[0]                    INTEGER,
        checksum[1]                     OCTET STRING
}
322
-- METHOD-DATA: a method type plus OPTIONAL opaque method-data; the
-- contents of method-data are not described here.
METHOD-DATA ::= SEQUENCE {
        method-type[0]  INTEGER,
        method-data[1]  OCTET STRING OPTIONAL
}
327
-- ETYPE-INFO-ENTRY: an encryption type and an OPTIONAL salt for it.
-- Absent salt is a valid encoding; what it means is decided by the
-- consumer, not by this module.
ETYPE-INFO-ENTRY ::= SEQUENCE {
        etype[0]        INTEGER,
        salt[1]         OCTET STRING OPTIONAL
}
332
-- ETYPE-INFO: a list of ETYPE-INFO-ENTRY values; no minimum or
-- maximum count is imposed.
ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
334
-- PA-ENC-TS-ENC: the client's timestamp, with an OPTIONAL sub-second
-- part.  Only the plaintext structure is defined here; how it is
-- wrapped in EncryptedData and which key is used is not expressed in
-- this module.
PA-ENC-TS-ENC   ::= SEQUENCE {
       patimestamp[0]               KerberosTime, -- client's time
       pausec[1]                    INTEGER OPTIONAL
}
339
340 -- These ASN.1 definitions are NOT part of the official Kerberos protocol... 
341
342 -- New ASN.1 definitions for the kadmin protocol.
343 -- Originally contributed from the Sandia modifications
344
-- PasswdSequence: a password and a phrase, both opaque OCTET STRINGs.
-- These are credential material (kadmin, not core Kerberos -- see the
-- comment above); the module cannot express it, but decoded copies
-- should be treated as secrets and wiped by the consuming code.
PasswdSequence ::= SEQUENCE {
        passwd[0]                       OCTET STRING,
        phrase[1]                       OCTET STRING
}
349
-- PasswdData: a count plus a SEQUENCE OF PasswdSequence.  The count
-- is carried redundantly -- the decoder already learns the element
-- count from the SEQUENCE OF itself -- and the two can disagree on
-- the wire.  Consumers should take the actual element count as
-- authoritative rather than allocating or iterating by
-- passwd-sequence-count.
PasswdData ::= SEQUENCE {
        passwd-sequence-count[0]        INTEGER,
        passwd-sequence[1]              SEQUENCE OF PasswdSequence
}
354
355 -- encodings from 
356 -- Integrating Single-use Authentication Mechanisms with Kerberos
357
-- PA-SAM-CHALLENGE: first-version single-use-authentication challenge.
-- Only sam-type and sam-flags are mandatory; every other field,
-- including sam-nonce and the sam-cksum that would bind the
-- challenge, is OPTIONAL, so an unauthenticated challenge is a valid
-- encoding.  sam-pk-for-sad is an opaque OCTET STRING here (contrast
-- PA-SAM-CHALLENGE-2-BODY, where it is an EncryptionKey).  No
-- extension marker: unknown trailing fields are a decode error.
PA-SAM-CHALLENGE ::= SEQUENCE {
    sam-type[0]                 INTEGER,
    sam-flags[1]                SAMFlags,
    sam-type-name[2]            GeneralString OPTIONAL,
    sam-track-id[3]             GeneralString OPTIONAL,
    sam-challenge-label[4]      GeneralString OPTIONAL,
    sam-challenge[5]            GeneralString OPTIONAL,
    sam-response-prompt[6]      GeneralString OPTIONAL,
    sam-pk-for-sad[7]           OCTET STRING OPTIONAL,
    sam-nonce[8]                INTEGER OPTIONAL,
    sam-cksum[9]                Checksum OPTIONAL
}
370
-- PA-SAM-CHALLENGE-2: second-version challenge.  Unlike
-- PA-SAM-CHALLENGE, the checksum list is mandatory and must hold at
-- least one Checksum (SIZE 1..MAX) over the sam-body.  The "..."
-- extension marker means a decoder must tolerate unknown trailing
-- fields rather than reject them.
PA-SAM-CHALLENGE-2 ::= SEQUENCE {
    sam-body[0]                 PA-SAM-CHALLENGE-2-BODY,
    sam-cksum[1]                SEQUENCE (1..MAX) OF Checksum,
    ...
}
376
-- PA-SAM-CHALLENGE-2-BODY: the checksummed part of PA-SAM-CHALLENGE-2.
-- Differences from PA-SAM-CHALLENGE: sam-pk-for-sad is an
-- EncryptionKey rather than an OCTET STRING, sam-nonce is mandatory,
-- a mandatory sam-etype is added, and the SEQUENCE is extensible.
PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
    sam-type[0]                 INTEGER,
    sam-flags[1]                SAMFlags,
    sam-type-name[2]            GeneralString OPTIONAL,
    sam-track-id[3]             GeneralString OPTIONAL,
    sam-challenge-label[4]      GeneralString OPTIONAL,
    sam-challenge[5]            GeneralString OPTIONAL,
    sam-response-prompt[6]      GeneralString OPTIONAL,
    sam-pk-for-sad[7]           EncryptionKey OPTIONAL,
    sam-nonce[8]                INTEGER,
    sam-etype[9]                INTEGER,
    ...
}
390
-- these are [0].. [2] in the draft
-- SAMFlags: a BIT STRING of at least 32 bits.  The bit names below
-- are comments only, so pepsy generates no symbolic constants for
-- them; the translation code that tests these bits must use the
-- numeric positions.
SAMFlags ::= BIT STRING (SIZE (32..MAX))
    -- use-sad-as-key(0)
    -- send-encrypted-sad(1)
    -- must-pk-encrypt-sad(2)
396
-- PA-SAM-RESPONSE: first-version response.  sam-enc-key and
-- sam-enc-nonce-or-ts are EncryptedData whose plaintexts are
-- PA-ENC-SAM-KEY and PA-ENC-SAM-RESPONSE-ENC respectively.
-- NOTE(review): the inline comment says sam-enc-key is being made
-- OPTIONAL, but the field as written is NOT marked OPTIONAL, so an
-- encoding without it is invalid.  One of the two is stale -- confirm
-- against the encoder/decoder before changing either, since adding
-- OPTIONAL changes what is accepted on the wire.
PA-SAM-RESPONSE ::= SEQUENCE {
    sam-type[0]                 INTEGER,
    sam-flags[1]                SAMFlags,
    sam-track-id[2]             GeneralString OPTIONAL,
    -- sam-enc-key is reserved for future use, so I'm making it OPTIONAL - mwe
    sam-enc-key[3]              EncryptedData,
                                   -- PA-ENC-SAM-KEY
    sam-enc-nonce-or-ts[4]      EncryptedData,
                                   -- PA-ENC-SAM-RESPONSE-ENC
    sam-nonce[5]                INTEGER OPTIONAL,
    sam-patimestamp[6]          KerberosTime OPTIONAL
}
409
-- PA-SAM-RESPONSE-2: second-version response.  Drops the separate
-- sam-enc-key of PA-SAM-RESPONSE; sam-enc-nonce-or-sad is an
-- EncryptedData whose plaintext is PA-ENC-SAM-RESPONSE-ENC (per the
-- field comment), sam-nonce is mandatory, and the SEQUENCE is
-- extensible.
PA-SAM-RESPONSE-2 ::= SEQUENCE {
    sam-type[0]                 INTEGER,
    sam-flags[1]                SAMFlags,
    sam-track-id[2]             GeneralString OPTIONAL,
    sam-enc-nonce-or-sad[3]     EncryptedData,
                                   -- PA-ENC-SAM-RESPONSE-ENC
    sam-nonce[4]                INTEGER,
    ...
}
419
-- PA-ENC-SAM-KEY: the plaintext of PA-SAM-RESPONSE.sam-enc-key; a
-- single EncryptionKey.
PA-ENC-SAM-KEY ::= SEQUENCE {
             sam-key[0]                 EncryptionKey
}
423
-- PA-ENC-SAM-RESPONSE-ENC: the plaintext of
-- PA-SAM-RESPONSE.sam-enc-nonce-or-ts.  Every field is OPTIONAL, so an
-- empty SEQUENCE is a valid encoding; which of nonce / timestamp /
-- passcode must be present is a decision for the consuming code.
PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
     sam-nonce[0]               INTEGER OPTIONAL,
     sam-timestamp[1]           KerberosTime OPTIONAL,
     sam-usec[2]                INTEGER OPTIONAL,
     sam-passcode[3]            GeneralString OPTIONAL
}
430
-- PA-ENC-SAM-RESPONSE-ENC-2: the plaintext of
-- PA-SAM-RESPONSE-2.sam-enc-nonce-or-sad.  sam-nonce is mandatory
-- (contrast the first-version structure), sam-sad is OPTIONAL, and
-- the SEQUENCE is extensible.
PA-ENC-SAM-RESPONSE-ENC-2 ::= SEQUENCE {
     sam-nonce[0]               INTEGER,
     sam-sad[1]                 GeneralString OPTIONAL,
     ...
}
436 END