1 -- lib/krb5/asn.1/KRB5-asn.py
3 -- Copyright 1989 by the Massachusetts Institute of Technology.
5 -- Export of this software from the United States of America may
6 -- require a specific license from the United States Government.
7 -- It is the responsibility of any person or organization contemplating
8 -- export to obtain such a license before exporting.
10 -- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
11 -- distribute this software and its documentation for any purpose and
12 -- without fee is hereby granted, provided that the above copyright
13 -- notice appear in all copies and that both that copyright notice and
14 -- this permission notice appear in supporting documentation, and that
15 -- the name of M.I.T. not be used in advertising or publicity pertaining
16 -- to distribution of the software without specific, written prior
17 -- permission. Furthermore if you modify this software you must label
18 -- your software as modified software and not distribute it in such a
19 -- fashion that it might be confused with the original M.I.T. software.
20 -- M.I.T. makes no representations about the suitability of
21 -- this software for any purpose. It is provided "as is" without express
22 -- or implied warranty.
24 -- ASN.1 definitions for the Kerberos network objects
26 -- Do not change the order of any structure containing some
27 -- element_KRB5_xx unless the corresponding translation code is also
34 -- needed to do the Right Thing with pepsy; this isn't a valid ASN.1
-- Pepsy-specific directive, not standard ASN.1 (the header above says as much);
-- presumably selects which encode/decode sections the tool generates -- confirm
-- against the pepsy documentation.
-- NOTE(review): this rendering is an excerpt: element tags are not contiguous in
-- several SEQUENCEs and the closing braces are absent, so it must not be treated
-- as the complete module.
37 SECTIONS encode decode none
39 -- the order of definitions in this file matches the order in the draft RFC
-- Basic types shared by every message below.
41 Realm ::= GeneralString
-- Realm is an unconstrained GeneralString: no length or character-set bound is
-- expressed at the ASN.1 layer, so any limit has to be enforced by the decoder.
43 HostAddress ::= SEQUENCE {
45 address[1] OCTET STRING
-- address is opaque here; the [0] element that would say what kind of address it
-- is does not appear in this rendering -- confirm against the full module.
48 HostAddresses ::= SEQUENCE OF SEQUENCE {
50 address[1] OCTET STRING
-- Same element shape as HostAddress, repeated without an upper bound (used for the
-- caddr/addresses elements further down).
53 AuthorizationData ::= SEQUENCE OF SEQUENCE {
55 ad-data[1] OCTET STRING
-- ad-data is uninterpreted at this layer and the list is unbounded; whoever parses
-- the contents must bound and validate each element itself.
58 KDCOptions ::= BIT STRING {
-- Named-bit list not shown in this rendering.
75 LastReq ::= SEQUENCE OF SEQUENCE {
77 lr-value[1] KerberosTime
80 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
-- Every timestamp in this module (authtime, starttime, endtime, renew-till, ctime,
-- stime, patimestamp, ...) is a KerberosTime, i.e. GeneralizedTime in UTC with a
-- trailing Z; a decoder should reject other time-zone forms rather than guess.
82 PrincipalName ::= SEQUENCE{
84 name-string[1] SEQUENCE OF GeneralString
-- name-string is an unbounded list of unbounded strings; the [0] element is not
-- shown in this rendering.
-- Ticket, its encrypted payload, and the authenticator that accompanies it.
87 Ticket ::= [APPLICATION 1] SEQUENCE {
90 sname[2] PrincipalName,
91 enc-part[3] EncryptedData -- EncTicketPart
-- sname is outside the encryption. The fields a verifier should rely on are the
-- ones inside enc-part (EncTicketPart below), after it has been decrypted and its
-- integrity checked; earlier elements of Ticket are not shown in this rendering.
94 TransitedEncoding ::= SEQUENCE {
95 tr-type[0] INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS
96 contents[1] OCTET STRING
-- NOTE(review): since only tr-type 1 is supported, a decoder should reject any
-- other value explicitly rather than interpreting contents as DOMAIN-COMPRESS data.
99 -- Encrypted part of ticket
100 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
101 flags[0] TicketFlags,
102 key[1] EncryptionKey,
104 cname[3] PrincipalName,
105 transited[4] TransitedEncoding,
106 authtime[5] KerberosTime,
107 starttime[6] KerberosTime OPTIONAL,
108 endtime[7] KerberosTime,
109 renew-till[8] KerberosTime OPTIONAL,
110 caddr[9] HostAddresses OPTIONAL,
111 authorization-data[10] AuthorizationData OPTIONAL
-- Everything a verifier acts on (flags, key, cname, lifetime, addresses) lives in
-- this encrypted part. starttime and renew-till are OPTIONAL while endtime is not,
-- so validity checks must cope with an absent starttime and an absent renew-till;
-- the [2] element is not shown in this rendering.
114 -- Unencrypted authenticator
115 Authenticator ::= [APPLICATION 2] SEQUENCE {
116 authenticator-vno[0] INTEGER,
118 cname[2] PrincipalName,
119 cksum[3] Checksum OPTIONAL,
121 ctime[5] KerberosTime,
122 subkey[6] EncryptionKey OPTIONAL,
123 seq-number[7] INTEGER OPTIONAL,
124 authorization-data[8] AuthorizationData OPTIONAL
-- "Unencrypted" means this is the plaintext shape; AP-REQ carries it as an
-- EncryptedData (authenticator[4] below). cksum and seq-number are OPTIONAL, so a
-- receiver that depends on application-data integrity or sequence checking has to
-- require them explicitly -- their absence decodes cleanly.
-- NOTE(review): elements [1] and [4] are not shown in this rendering.
127 TicketFlags ::= BIT STRING {
-- Named-bit list not shown in this rendering.
-- KDC exchange: request, reply, and the reply's encrypted part.
140 AS-REQ ::= [APPLICATION 10] KDC-REQ
141 TGS-REQ ::= [APPLICATION 12] KDC-REQ
-- AS-REQ and TGS-REQ share one body type; only the APPLICATION tag distinguishes
-- them, so the decoder has to dispatch on that tag -- the body alone does not say
-- which exchange it belongs to.
143 KDC-REQ ::= SEQUENCE {
146 padata[3] SEQUENCE OF PA-DATA OPTIONAL,
147 req-body[4] KDC-REQ-BODY
-- Earlier elements of KDC-REQ are not shown in this rendering.
150 PA-DATA ::= SEQUENCE {
151 padata-type[1] INTEGER,
152 pa-data[2] OCTET STRING -- might be encoded AP-REQ
-- pa-data is opaque; its interpretation depends on padata-type, and a nested decode
-- (e.g. of an AP-REQ) needs the same bounds checks as a top-level message. Note the
-- elements start at [1], not [0].
155 KDC-REQ-BODY ::= SEQUENCE {
156 kdc-options[0] KDCOptions,
157 cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
158 realm[2] Realm, -- Server's realm Also client's in AS-REQ
159 sname[3] PrincipalName OPTIONAL,
160 from[4] KerberosTime OPTIONAL,
161 till[5] KerberosTime,
162 rtime[6] KerberosTime OPTIONAL,
164 etype[8] SEQUENCE OF INTEGER, -- EncryptionType,
165 -- in preference order
-- NOTE(review): etype is the client's preference list and is unauthenticated at
-- this point; the KDC's selection should be bounded by its own policy, not by the
-- order alone. The [7] element is not shown in this rendering.
166 addresses[9] HostAddresses OPTIONAL,
167 enc-authorization-data[10] EncryptedData OPTIONAL,
169 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
-- Unbounded list of Tickets, each carrying its own EncryptedData; a decoder needs an
-- overall count/size limit here.
172 AS-REP ::= [APPLICATION 11] KDC-REP
173 TGS-REP ::= [APPLICATION 13] KDC-REP
174 KDC-REP ::= SEQUENCE {
177 padata[2] SEQUENCE OF PA-DATA OPTIONAL,
179 cname[4] PrincipalName,
180 ticket[5] Ticket, -- Ticket
181 enc-part[6] EncryptedData -- EncKDCRepPart
-- cname and ticket are in the clear; the key and lifetime the client should believe
-- are inside enc-part (EncKDCRepPart). Elements [0], [1] and [3] are not shown in
-- this rendering.
184 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
185 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
186 EncKDCRepPart ::= SEQUENCE {
187 key[0] EncryptionKey,
190 key-expiration[3] KerberosTime OPTIONAL,
191 flags[4] TicketFlags,
192 authtime[5] KerberosTime,
193 starttime[6] KerberosTime OPTIONAL,
194 endtime[7] KerberosTime,
195 renew-till[8] KerberosTime OPTIONAL,
197 sname[10] PrincipalName,
198 caddr[11] HostAddresses OPTIONAL
-- sname here is the copy inside the encryption; comparing it with the sname sent in
-- KDC-REQ-BODY lets a client detect a reply that was substituted in transit
-- (whether the C client does so is not visible from this file). Elements [1], [2]
-- and [9] are not shown in this rendering.
-- Client/server (AP) exchange.
201 AP-REQ ::= [APPLICATION 14] SEQUENCE {
204 ap-options[2] APOptions,
206 authenticator[4] EncryptedData -- Authenticator
-- The authenticator is sent as EncryptedData; its plaintext shape is the
-- Authenticator type above. Elements [0], [1] and [3] are not shown in this
-- rendering.
209 APOptions ::= BIT STRING {
-- Named-bit list not shown in this rendering.
215 AP-REP ::= [APPLICATION 15] SEQUENCE {
218 enc-part[2] EncryptedData -- EncAPRepPart
221 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
222 ctime[0] KerberosTime,
224 subkey[2] EncryptionKey OPTIONAL,
225 seq-number[3] INTEGER OPTIONAL
-- ctime is returned inside the encrypted reply; presumably the client compares it
-- with the ctime it sent in the Authenticator -- confirm in the AP-REP
-- verification code. subkey and seq-number are OPTIONAL, as in Authenticator; the
-- [1] element is not shown in this rendering.
-- Application-data messages: SAFE (integrity), PRIV (confidentiality), CRED
-- (credential forwarding).
228 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
231 safe-body[2] KRB-SAFE-BODY,
-- safe-body is carried in the clear (KRB-SAFE-BODY is not an EncryptedData). The
-- trailing comma means further elements follow in the full module; presumably the
-- checksum that protects the body is among them -- confirm against the full module.
235 KRB-SAFE-BODY ::= SEQUENCE {
236 user-data[0] OCTET STRING,
237 timestamp[1] KerberosTime OPTIONAL,
238 usec[2] INTEGER OPTIONAL,
239 seq-number[3] INTEGER OPTIONAL,
240 s-address[4] HostAddress, -- sender's addr
241 r-address[5] HostAddress OPTIONAL -- recip's addr
-- timestamp, usec and seq-number are all OPTIONAL, so the ASN.1 alone does not
-- force any replay-ordering information to be present; a receiver that relies on
-- it must require it.
244 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
247 enc-part[3] EncryptedData -- EncKrbPrivPart
250 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
251 user-data[0] OCTET STRING,
252 timestamp[1] KerberosTime OPTIONAL,
253 usec[2] INTEGER OPTIONAL,
254 seq-number[3] INTEGER OPTIONAL,
255 s-address[4] HostAddress, -- sender's addr
256 r-address[5] HostAddress OPTIONAL -- recip's addr
-- Element-for-element the same as KRB-SAFE-BODY; the difference is that this is the
-- plaintext of KRB-PRIV's enc-part, so user-data is confidential here whereas in
-- KRB-SAFE it travels in the clear.
259 -- The KRB-CRED message allows easy forwarding of credentials.
261 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
263 msg-type[1] INTEGER, -- KRB_CRED
264 tickets[2] SEQUENCE OF Ticket,
265 enc-part[3] EncryptedData -- EncKrbCredPart
-- tickets is in the clear (as Ticket always is); the keys that make those tickets
-- usable are in KRB-CRED-INFO, which appears only inside enc-part.
268 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
269 ticket-info[0] SEQUENCE OF KRB-CRED-INFO,
270 nonce[1] INTEGER OPTIONAL,
271 timestamp[2] KerberosTime OPTIONAL,
272 usec[3] INTEGER OPTIONAL,
273 s-address[4] HostAddress OPTIONAL,
274 r-address[5] HostAddress OPTIONAL
-- Nothing in the ASN.1 ties ticket-info to KRB-CRED.tickets; if they are matched
-- positionally (presumably), the decoder has to check that the two counts agree.
277 KRB-CRED-INFO ::= SEQUENCE {
278 key[0] EncryptionKey,
279 prealm[1] Realm OPTIONAL,
280 pname[2] PrincipalName OPTIONAL,
281 flags[3] TicketFlags OPTIONAL,
282 authtime[4] KerberosTime OPTIONAL,
283 starttime[5] KerberosTime OPTIONAL,
284 endtime[6] KerberosTime OPTIONAL,
285 renew-till[7] KerberosTime OPTIONAL,
286 srealm[8] Realm OPTIONAL,
287 sname[9] PrincipalName OPTIONAL,
288 caddr[10] HostAddresses OPTIONAL
-- Only key is mandatory; everything describing what the key is for is OPTIONAL.
-- Error reply.
291 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
294 ctime[2] KerberosTime OPTIONAL,
295 cusec[3] INTEGER OPTIONAL,
296 stime[4] KerberosTime,
298 error-code[6] INTEGER,
299 crealm[7] Realm OPTIONAL,
300 cname[8] PrincipalName OPTIONAL,
301 realm[9] Realm, -- Correct realm
302 sname[10] PrincipalName, -- Correct name
303 e-text[11] GeneralString OPTIONAL,
304 e-data[12] OCTET STRING OPTIONAL
-- NOTE(review): no EncryptedData or Checksum element appears in this definition
-- (elements [0], [1] and [5] are not shown in this rendering), so e-text, e-data
-- and the "correct" realm/sname are presumably unauthenticated; a client should
-- not redirect or change keys on their say-so without further checks. e-data's
-- layout presumably depends on error-code -- bound it before any nested decode.
-- Cryptographic containers and pre-authentication helper types.
307 EncryptedData ::= SEQUENCE {
308 etype[0] INTEGER, -- EncryptionType
309 kvno[1] INTEGER OPTIONAL,
310 cipher[2] OCTET STRING -- CipherText
-- etype and kvno are read before anything is decrypted, so they are untrusted
-- input: an unsupported etype must be rejected rather than defaulted, and because
-- kvno is OPTIONAL, key selection has to cope with its absence.
313 EncryptionKey ::= SEQUENCE {
315 keyvalue[1] OCTET STRING
-- keyvalue is raw key bytes; the [0] element that identifies the key type is not
-- shown in this rendering. The decoder should check the length against the type.
318 Checksum ::= SEQUENCE {
319 cksumtype[0] INTEGER,
320 checksum[1] OCTET STRING
-- cksumtype is chosen by the sender; a verifier should accept only the checksum
-- types it trusts for the context (which types are keyed is defined in the C code,
-- not here).
323 METHOD-DATA ::= SEQUENCE {
324 method-type[0] INTEGER,
325 method-data[1] OCTET STRING OPTIONAL
328 ETYPE-INFO-ENTRY ::= SEQUENCE {
330 salt[1] OCTET STRING OPTIONAL
-- salt is OPTIONAL; the [0] element is not shown in this rendering.
333 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
335 PA-ENC-TS-ENC ::= SEQUENCE {
336 patimestamp[0] KerberosTime, -- client's time
337 pausec[1] INTEGER OPTIONAL
-- Presumably the plaintext of the encrypted-timestamp pre-authentication data.
-- pausec is OPTIONAL, so two submissions within the same second are
-- indistinguishable at this layer unless the KDC requires it.
340 -- These ASN.1 definitions are NOT part of the official Kerberos protocol...
342 -- New ASN.1 definitions for the kadmin protocol.
343 -- Originally contributed from the Sandia modifications
-- kadmin password-change payload.
345 PasswdSequence ::= SEQUENCE {
346 passwd[0] OCTET STRING,
347 phrase[1] OCTET STRING
-- Both elements are secrets in the clear at this layer; this type must only ever be
-- transmitted as the plaintext of an EncryptedData / KRB-PRIV wrapper (how the
-- kadmin code wraps it is not visible from this file).
350 PasswdData ::= SEQUENCE {
351 passwd-sequence-count[0] INTEGER,
352 passwd-sequence[1] SEQUENCE OF PasswdSequence
-- NOTE(review): passwd-sequence-count duplicates information the SEQUENCE OF
-- already carries; a decoder must not allocate or loop on the count without
-- checking it against the actual number of elements decoded.
356 -- Integrating Single-use Authentication Mechanisms with Kerberos
-- Single-use authentication mechanism (SAM) pre-authentication types, v1 and v2.
358 PA-SAM-CHALLENGE ::= SEQUENCE {
360 sam-flags[1] SAMFlags,
361 sam-type-name[2] GeneralString OPTIONAL,
362 sam-track-id[3] GeneralString OPTIONAL,
363 sam-challenge-label[4] GeneralString OPTIONAL,
364 sam-challenge[5] GeneralString OPTIONAL,
365 sam-response-prompt[6] GeneralString OPTIONAL,
366 sam-pk-for-sad[7] OCTET STRING OPTIONAL,
367 sam-nonce[8] INTEGER OPTIONAL,
368 sam-cksum[9] Checksum OPTIONAL
-- NOTE(review): in this v1 challenge both sam-nonce and sam-cksum are OPTIONAL, so a
-- message without them still decodes and the label/prompt strings shown to the
-- user are unauthenticated unless the client insists on sam-cksum. The -2 form
-- below makes both mandatory. The [0] element is not shown in this rendering.
371 PA-SAM-CHALLENGE-2 ::= SEQUENCE {
372 sam-body[0] PA-SAM-CHALLENGE-2-BODY,
373 sam-cksum[1] SEQUENCE (1..MAX) OF Checksum,
-- At least one Checksum is required (SIZE 1..MAX); exactly which bytes of sam-body
-- it covers is decided by the C code, not by the ASN.1.
377 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
379 sam-flags[1] SAMFlags,
380 sam-type-name[2] GeneralString OPTIONAL,
381 sam-track-id[3] GeneralString OPTIONAL,
382 sam-challenge-label[4] GeneralString OPTIONAL,
383 sam-challenge[5] GeneralString OPTIONAL,
384 sam-response-prompt[6] GeneralString OPTIONAL,
385 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
386 sam-nonce[8] INTEGER,
387 sam-etype[9] INTEGER,
-- Differences from v1: sam-pk-for-sad is a structured EncryptionKey instead of an
-- OCTET STRING, sam-nonce is mandatory, and sam-etype names the etype for the
-- response. The trailing comma means further elements follow in the full module.
391 -- these are [0].. [2] in the draft
392 SAMFlags ::= BIT STRING (SIZE (32..MAX))
394 -- send-encrypted-sad(1)
395 -- must-pk-encrypt-sad(2)
-- The named bits are commented out, so they are presumably addressed by bit
-- position in the C code; the bit at position 0 is not shown in this rendering.
397 PA-SAM-RESPONSE ::= SEQUENCE {
399 sam-flags[1] SAMFlags,
400 sam-track-id[2] GeneralString OPTIONAL,
401 -- sam-enc-key is reserved for future use, so I'm making it OPTIONAL - mwe
402 sam-enc-key[3] EncryptedData,
-- NOTE(review): the comment above says sam-enc-key is OPTIONAL, but the element
-- carries no OPTIONAL marker; one of the two is wrong. Check what the encoder and
-- decoder actually implement before relying on either reading.
404 sam-enc-nonce-or-ts[4] EncryptedData,
405 -- PA-ENC-SAM-RESPONSE-ENC
406 sam-nonce[5] INTEGER OPTIONAL,
407 sam-patimestamp[6] KerberosTime OPTIONAL
-- sam-nonce and sam-patimestamp here are cleartext copies and OPTIONAL; the
-- protected copies are inside sam-enc-nonce-or-ts (PA-ENC-SAM-RESPONSE-ENC), and
-- those are the ones the KDC should check.
410 PA-SAM-RESPONSE-2 ::= SEQUENCE {
412 sam-flags[1] SAMFlags,
413 sam-track-id[2] GeneralString OPTIONAL,
414 sam-enc-nonce-or-sad[3] EncryptedData,
415 -- PA-ENC-SAM-RESPONSE-ENC
416 sam-nonce[4] INTEGER,
-- v2 drops the reserved sam-enc-key element and makes the cleartext sam-nonce
-- mandatory; the KDC should still match it against the nonce inside the
-- EncryptedData rather than trusting the cleartext copy. The trailing comma means
-- further elements follow in the full module.
420 PA-ENC-SAM-KEY ::= SEQUENCE {
421 sam-key[0] EncryptionKey
424 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
425 sam-nonce[0] INTEGER OPTIONAL,
426 sam-timestamp[1] KerberosTime OPTIONAL,
427 sam-usec[2] INTEGER OPTIONAL,
428 sam-passcode[3] GeneralString OPTIONAL
-- Every element is OPTIONAL, including sam-nonce and sam-passcode, so a decoded
-- value can be entirely empty; the KDC must require whichever of nonce/timestamp it
-- relies on for freshness and reject a response that carries neither.
431 PA-ENC-SAM-RESPONSE-ENC-2 ::= SEQUENCE {
432 sam-nonce[0] INTEGER,
433 sam-sad[1] GeneralString OPTIONAL,