1 KerberosV5-PK-INIT-Agility-SPEC {
2 iso(1) identified-organization(3) dod(6) internet(1)
3 security(5) kerberosV5(2) modules(4) pkinit(5) agility (1)
4 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
7 AlgorithmIdentifier, SubjectPublicKeyInfo
8 FROM PKIX1Explicit88 { iso (1)
9 identified-organization (3) dod (6) internet (1)
10 security (5) mechanisms (5) pkix (7) id-mod (0)
11 id-pkix1-explicit (18) }
12 -- As defined in RFC 3280.
14 Ticket, Int32, Realm, EncryptionKey, Checksum
15 FROM KerberosV5Spec2 { iso(1) identified-organization(3)
16 dod(6) internet(1) security(5) kerberosV5(2)
17 modules(4) krb5spec2(2) }
18 -- as defined in RFC 4120.
20 PKAuthenticator, DHNonce
21 FROM KerberosV5-PK-INIT-SPEC {
22 iso(1) identified-organization(3) dod(6) internet(1)
23 security(5) kerberosV5(2) modules(4) pkinit(5) };
24 -- as defined in RFC 4556.
26 TD-CMS-DIGEST-ALGORITHMS-DATA ::= SEQUENCE OF
28 -- Contains the list of CMS algorithm [RFC3852]
29 -- identifiers that identify the digest algorithms
30 -- acceptable by the KDC for signing CMS data in
31 -- the order of decreasing preference.
33 TD-CERT-DIGEST-ALGORITHMS-DATA ::= SEQUENCE {
34 allowedAlgorithms [0] SEQUENCE OF AlgorithmIdentifier,
35 -- Contains the list of CMS algorithm [RFC3852]
36 -- identifiers that identify the digest algorithms
37 -- that are used by the CA to sign the client's
38 -- X.509 certificate and acceptable by the KDC in
39 -- the process of validating the client's X.509
40 -- certificate, in the order of decreasing
42 rejectedAlgorithm [1] AlgorithmIdentifier OPTIONAL,
43 -- This identifies the digest algorithm that was
44 -- used to sign the client's X.509 certificate and
45 -- has been rejected by the KDC in the process of
46 -- validating the client's X.509 certificate
51 OtherInfo ::= SEQUENCE {
52 algorithmID AlgorithmIdentifier,
53 partyUInfo [0] OCTET STRING,
54 partyVInfo [1] OCTET STRING,
55 suppPubInfo [2] OCTET STRING OPTIONAL,
56 suppPrivInfo [3] OCTET STRING OPTIONAL
59 PkinitSuppPubInfo ::= SEQUENCE {
61 -- The enctype of the AS reply key.
62 as-REQ [1] OCTET STRING,
63 -- This contains the AS-REQ in the request.
64 pk-as-rep [2] OCTET STRING,
65 -- Contains the DER encoding of the type
66 -- PA-PK-AS-REP [RFC4556] in the KDC reply.
70 -- Renamed from AuthPack to allow asn1c to process this and pkinit.asn1
71 AuthPack2 ::= SEQUENCE {
72 pkAuthenticator [0] PKAuthenticator,
73 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
74 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
76 clientDHNonce [3] DHNonce OPTIONAL,
78 supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
79 -- Contains an unordered set of KDFs supported by the
84 KDFAlgorithmId ::= SEQUENCE {
85 kdf-id [0] OBJECT IDENTIFIER,
86 -- The object identifier of the KDF
90 -- Renamed from DHRepInfo to allow asn1c to process this and pkinit.asn1
91 DHRepInfo2 ::= SEQUENCE {
92 dhSignedData [0] IMPLICIT OCTET STRING,
93 serverDHNonce [1] DHNonce OPTIONAL,
95 kdf [2] KDFAlgorithmId OPTIONAL,
96 -- The KDF picked by the KDC.