[abartlet/samba.git/.git] / source4 / heimdal / lib / asn1 / krb5.asn1

-- $Id$

KERBEROS5 DEFINITIONS ::=
BEGIN

NAME-TYPE ::= INTEGER {
        KRB5_NT_UNKNOWN(0),     -- Name type not known
        KRB5_NT_PRINCIPAL(1),   -- Just the name of the principal as in
        KRB5_NT_SRV_INST(2),    -- Service and other unique instance (krbtgt)
        KRB5_NT_SRV_HST(3),     -- Service with host name as instance
        KRB5_NT_SRV_XHST(4),    -- Service with host as remaining components
        KRB5_NT_UID(5),         -- Unique ID
        KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
        KRB5_NT_SMTP_NAME(7),   -- Name in form of SMTP email name
        KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
        KRB5_NT_WELLKNOWN(11),  -- Wellknown
        KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
        KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
        KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
        KRB5_NT_NTLM(-1200) -- NTLM name, realm is domain
}

-- message types

MESSAGE-TYPE ::= INTEGER {
        krb-as-req(10), -- Request for initial authentication
        krb-as-rep(11), -- Response to KRB_AS_REQ request
        krb-tgs-req(12), -- Request for authentication based on TGT
        krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
        krb-ap-req(14), -- application request to server
        krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
        krb-safe(20), -- Safe (checksummed) application message
        krb-priv(21), -- Private (encrypted) application message
        krb-cred(22), -- Private (encrypted) message to forward credentials
        krb-error(30) -- Error response
}


-- pa-data types

PADATA-TYPE ::= INTEGER {
        KRB5-PADATA-NONE(0),
        KRB5-PADATA-TGS-REQ(1),
        KRB5-PADATA-AP-REQ(1),
        KRB5-PADATA-ENC-TIMESTAMP(2),
        KRB5-PADATA-PW-SALT(3),
        KRB5-PADATA-ENC-UNIX-TIME(5),
        KRB5-PADATA-SANDIA-SECUREID(6),
        KRB5-PADATA-SESAME(7),
        KRB5-PADATA-OSF-DCE(8),
        KRB5-PADATA-CYBERSAFE-SECUREID(9),
        KRB5-PADATA-AFS3-SALT(10),
        KRB5-PADATA-ETYPE-INFO(11),
        KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
        KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
        KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
        KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
        KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
        KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
        KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
        KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
        KRB5-PADATA-ETYPE-INFO2(19),
        KRB5-PADATA-USE-SPECIFIED-KVNO(20),
        KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
        KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
        KRB5-PADATA-GET-FROM-TYPED-DATA(22),
        KRB5-PADATA-SAM-ETYPE-INFO(23),
        KRB5-PADATA-SERVER-REFERRAL(25),
        KRB5-PADATA-ALT-PRINC(24),              -- (crawdad@fnal.gov)
        KRB5-PADATA-SAM-CHALLENGE2(30),         -- (kenh@pobox.com)
        KRB5-PADATA-SAM-RESPONSE2(31),          -- (kenh@pobox.com)
        KRB5-PA-EXTRA-TGT(41),                  -- Reserved extra TGT
        KRB5-PADATA-TD-KRB-PRINCIPAL(102),      -- PrincipalName
        KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
        KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
        KRB5-PADATA-TD-APP-DEFINED-ERROR(106),  -- application specific
        KRB5-PADATA-TD-REQ-NONCE(107),          -- INTEGER
        KRB5-PADATA-TD-REQ-SEQ(108),            -- INTEGER
        KRB5-PADATA-PA-PAC-REQUEST(128),        -- jbrezak@exchange.microsoft.com
        KRB5-PADATA-FOR-USER(129),              -- MS-KILE
        KRB5-PADATA-FOR-X509-USER(130),         -- MS-KILE
        KRB5-PADATA-FOR-CHECK-DUPS(131),        -- MS-KILE
        KRB5-PADATA-AS-CHECKSUM(132),           -- MS-KILE
        KRB5-PADATA-PK-AS-09-BINDING(132),      -- client send this to
                                                -- tell KDC that is supports
                                                -- the asCheckSum in the
                                                --  PK-AS-REP
        KRB5-PADATA-CLIENT-CANONICALIZED(133),  -- referals
        KRB5-PADATA-FX-COOKIE(133),             -- krb-wg-preauth-framework
        KRB5-PADATA-AUTHENTICATION-SET(134),    -- krb-wg-preauth-framework
        KRB5-PADATA-AUTH-SET-SELECTED(135),     -- krb-wg-preauth-framework
        KRB5-PADATA-FX-FAST(136),               -- krb-wg-preauth-framework
        KRB5-PADATA-FX-ERROR(137),              -- krb-wg-preauth-framework
        KRB5-PADATA-ENCRYPTED-CHALLENGE(138),   -- krb-wg-preauth-framework
        KRB5-PADATA-OTP-CHALLENGE(141),         -- (gareth.richards@rsa.com)
        KRB5-PADATA-OTP-REQUEST(142),           -- (gareth.richards@rsa.com)
        KBB5-PADATA-OTP-CONFIRM(143),           -- (gareth.richards@rsa.com)
        KRB5-PADATA-OTP-PIN-CHANGE(144),        -- (gareth.richards@rsa.com)
        KRB5-PADATA-EPAK-AS-REQ(145),
        KRB5-PADATA-EPAK-AS-REP(146),
        KRB5-PADATA-PKINIT-KX(147),             -- krb-wg-anon
        KRB5-PADATA-PKU2U-NAME(148),            -- zhu-pku2u
        KRB5-PADATA-SUPPORTED-ETYPES(165)       -- MS-KILE
}

AUTHDATA-TYPE ::= INTEGER {
        KRB5-AUTHDATA-IF-RELEVANT(1),
        KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
        KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
        KRB5-AUTHDATA-KDC-ISSUED(4),
        KRB5-AUTHDATA-AND-OR(5),
        KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
        KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
        KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
        KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
        KRB5-AUTHDATA-OSF-DCE(64),
        KRB5-AUTHDATA-SESAME(65),
        KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
        KRB5-AUTHDATA-WIN2K-PAC(128),
        KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
        KRB5-AUTHDATA-SIGNTICKET-OLD(-17),
        KRB5-AUTHDATA-SIGNTICKET(142)
}

-- checksumtypes

CKSUMTYPE ::= INTEGER {
        CKSUMTYPE_NONE(0),
        CKSUMTYPE_CRC32(1),
        CKSUMTYPE_RSA_MD4(2),
        CKSUMTYPE_RSA_MD4_DES(3),
        CKSUMTYPE_DES_MAC(4),
        CKSUMTYPE_DES_MAC_K(5),
        CKSUMTYPE_RSA_MD4_DES_K(6),
        CKSUMTYPE_RSA_MD5(7),
        CKSUMTYPE_RSA_MD5_DES(8),
        CKSUMTYPE_RSA_MD5_DES3(9),
        CKSUMTYPE_SHA1_OTHER(10),
        CKSUMTYPE_HMAC_SHA1_DES3(12),
        CKSUMTYPE_SHA1(14),
        CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
        CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
        CKSUMTYPE_GSSAPI(0x8003),
        CKSUMTYPE_HMAC_MD5(-138),       -- unofficial microsoft number
        CKSUMTYPE_HMAC_MD5_ENC(-1138)   -- even more unofficial
}

--enctypes
ENCTYPE ::= INTEGER {
        ETYPE_NULL(0),
        ETYPE_DES_CBC_CRC(1),
        ETYPE_DES_CBC_MD4(2),
        ETYPE_DES_CBC_MD5(3),
        ETYPE_DES3_CBC_MD5(5),
        ETYPE_OLD_DES3_CBC_SHA1(7),
        ETYPE_SIGN_DSA_GENERATE(8),
        ETYPE_ENCRYPT_RSA_PRIV(9),
        ETYPE_ENCRYPT_RSA_PUB(10),
        ETYPE_DES3_CBC_SHA1(16),        -- with key derivation
        ETYPE_AES128_CTS_HMAC_SHA1_96(17),
        ETYPE_AES256_CTS_HMAC_SHA1_96(18),
        ETYPE_ARCFOUR_HMAC_MD5(23),
        ETYPE_ARCFOUR_HMAC_MD5_56(24),
        ETYPE_ENCTYPE_PK_CROSS(48),
-- some "old" windows types
        ETYPE_ARCFOUR_MD4(-128),
        ETYPE_ARCFOUR_HMAC_OLD(-133),
        ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use
        ETYPE_DES_CBC_NONE(-0x1000),
        ETYPE_DES3_CBC_NONE(-0x1001),
        ETYPE_DES_CFB64_NONE(-0x1002),
        ETYPE_DES_PCBC_NONE(-0x1003),
        ETYPE_DIGEST_MD5_NONE(-0x1004),         -- private use, lukeh@padl.com
        ETYPE_CRAM_MD5_NONE(-0x1005)            -- private use, lukeh@padl.com
}




-- this is sugar to make something ASN1 does not have: unsigned

krb5uint32 ::= INTEGER (0..4294967295)
krb5int32 ::= INTEGER (-2147483648..2147483647)

KerberosString  ::= GeneralString

Realm ::= GeneralString
PrincipalName ::= SEQUENCE {
        name-type[0]            NAME-TYPE,
        name-string[1]          SEQUENCE OF GeneralString
}

-- this is not part of RFC1510
Principal ::= SEQUENCE {
        name[0]                 PrincipalName,
        realm[1]                Realm
}

Principals ::= SEQUENCE OF Principal

HostAddress ::= SEQUENCE  {
        addr-type[0]            krb5int32,
        address[1]              OCTET STRING
}

-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
--      addr-type[0]            krb5int32,
--      address[1]              OCTET STRING
-- }

-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress


KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

AuthorizationDataElement ::= SEQUENCE {
        ad-type[0]              krb5int32,
        ad-data[1]              OCTET STRING
}

AuthorizationData ::= SEQUENCE OF AuthorizationDataElement

APOptions ::= BIT STRING {
        reserved(0),
        use-session-key(1),
        mutual-required(2)
}

TicketFlags ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        may-postdate(5),
        postdated(6),
        invalid(7),
        renewable(8),
        initial(9),
        pre-authent(10),
        hw-authent(11),
        transited-policy-checked(12),
        ok-as-delegate(13),
        anonymous(14)
}

KDCOptions ::= BIT STRING {
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        allow-postdate(5),
        postdated(6),
        unused7(7),
        renewable(8),
        unused9(9),
        unused10(10),
        unused11(11),
        request-anonymous(14),
        canonicalize(15),
        constrained-delegation(16), -- ms extension
        disable-transited-check(26),
        renewable-ok(27),
        enc-tkt-in-skey(28),
        renew(30),
        validate(31)
}

LR-TYPE ::= INTEGER {
        LR_NONE(0),             -- no information
        LR_INITIAL_TGT(1),      -- last initial TGT request
        LR_INITIAL(2),          -- last initial request
        LR_ISSUE_USE_TGT(3),    -- time of newest TGT used
        LR_RENEWAL(4),          -- time of last renewal
        LR_REQUEST(5),          -- time of last request (of any type)
        LR_PW_EXPTIME(6),       -- expiration time of password
        LR_ACCT_EXPTIME(7)      -- expiration time of account
}

LastReq ::= SEQUENCE OF SEQUENCE {
        lr-type[0]              LR-TYPE,
        lr-value[1]             KerberosTime
}


EncryptedData ::= SEQUENCE {
        etype[0]                ENCTYPE, -- EncryptionType
        kvno[1]                 krb5int32 OPTIONAL,
        cipher[2]               OCTET STRING -- ciphertext
}

EncryptionKey ::= SEQUENCE {
        keytype[0]              krb5int32,
        keyvalue[1]             OCTET STRING
}

-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
        tr-type[0]              krb5int32, -- must be registered
        contents[1]             OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
        tkt-vno[0]              krb5int32,
        realm[1]                Realm,
        sname[2]                PrincipalName,
        enc-part[3]             EncryptedData
}
-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
        flags[0]                TicketFlags,
        key[1]                  EncryptionKey,
        crealm[2]               Realm,
        cname[3]                PrincipalName,
        transited[4]            TransitedEncoding,
        authtime[5]             KerberosTime,
        starttime[6]            KerberosTime OPTIONAL,
        endtime[7]              KerberosTime,
        renew-till[8]           KerberosTime OPTIONAL,
        caddr[9]                HostAddresses OPTIONAL,
        authorization-data[10]  AuthorizationData OPTIONAL
}

Checksum ::= SEQUENCE {
        cksumtype[0]            CKSUMTYPE,
        checksum[1]             OCTET STRING
}

Authenticator ::= [APPLICATION 2] SEQUENCE    {
        authenticator-vno[0]    krb5int32,
        crealm[1]               Realm,
        cname[2]                PrincipalName,
        cksum[3]                Checksum OPTIONAL,
        cusec[4]                krb5int32,
        ctime[5]                KerberosTime,
        subkey[6]               EncryptionKey OPTIONAL,
        seq-number[7]           krb5uint32 OPTIONAL,
        authorization-data[8]   AuthorizationData OPTIONAL
}

PA-DATA ::= SEQUENCE {
        -- might be encoded AP-REQ
        padata-type[1]          PADATA-TYPE,
        padata-value[2]         OCTET STRING
}

ETYPE-INFO-ENTRY ::= SEQUENCE {
        etype[0]                ENCTYPE,
        salt[1]                 OCTET STRING OPTIONAL,
        salttype[2]             krb5int32 OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

ETYPE-INFO2-ENTRY ::= SEQUENCE {
        etype[0]                ENCTYPE,
        salt[1]                 KerberosString OPTIONAL,
        s2kparams[2]            OCTET STRING OPTIONAL
}

ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

METHOD-DATA ::= SEQUENCE OF PA-DATA

TypedData ::=   SEQUENCE {
        data-type[0]            krb5int32,
        data-value[1]           OCTET STRING OPTIONAL
}

TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData

KDC-REQ-BODY ::= SEQUENCE {
        kdc-options[0]          KDCOptions,
        cname[1]                PrincipalName OPTIONAL, -- Used only in AS-REQ
        realm[2]                Realm,  -- Server's realm
                                        -- Also client's in AS-REQ
        sname[3]                PrincipalName OPTIONAL,
        from[4]                 KerberosTime OPTIONAL,
        till[5]                 KerberosTime OPTIONAL,
        rtime[6]                KerberosTime OPTIONAL,
        nonce[7]                krb5int32,
        etype[8]                SEQUENCE OF ENCTYPE, -- EncryptionType,
                                        -- in preference order
        addresses[9]            HostAddresses OPTIONAL,
        enc-authorization-data[10] EncryptedData OPTIONAL,
                                        -- Encrypted AuthorizationData encoding
        additional-tickets[11]  SEQUENCE OF Ticket OPTIONAL
}

KDC-REQ ::= SEQUENCE {
        pvno[1]                 krb5int32,
        msg-type[2]             MESSAGE-TYPE,
        padata[3]               METHOD-DATA OPTIONAL,
        req-body[4]             KDC-REQ-BODY
}

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC

PA-ENC-TS-ENC ::= SEQUENCE {
        patimestamp[0]          KerberosTime, -- client's time
        pausec[1]               krb5int32 OPTIONAL
}

-- draft-brezak-win2k-krb-authz-01
PA-PAC-REQUEST ::= SEQUENCE {
        include-pac[0]          BOOLEAN -- Indicates whether a PAC
                                        -- should be included or not
}

-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
PROV-SRV-LOCATION ::= GeneralString

KDC-REP ::= SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        padata[2]               METHOD-DATA OPTIONAL,
        crealm[3]               Realm,
        cname[4]                PrincipalName,
        ticket[5]               Ticket,
        enc-part[6]             EncryptedData
}

AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP

EncKDCRepPart ::= SEQUENCE {
        key[0]                  EncryptionKey,
        last-req[1]             LastReq,
        nonce[2]                krb5int32,
        key-expiration[3]       KerberosTime OPTIONAL,
        flags[4]                TicketFlags,
        authtime[5]             KerberosTime,
        starttime[6]            KerberosTime OPTIONAL,
        endtime[7]              KerberosTime,
        renew-till[8]           KerberosTime OPTIONAL,
        srealm[9]               Realm,
        sname[10]               PrincipalName,
        caddr[11]               HostAddresses OPTIONAL,
        encrypted-pa-data[12]   METHOD-DATA OPTIONAL
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

AP-REQ ::= [APPLICATION 14] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        ap-options[2]           APOptions,
        ticket[3]               Ticket,
        authenticator[4]        EncryptedData
}

AP-REP ::= [APPLICATION 15] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        enc-part[2]             EncryptedData
}

EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
        ctime[0]                KerberosTime,
        cusec[1]                krb5int32,
        subkey[2]               EncryptionKey OPTIONAL,
        seq-number[3]           krb5uint32 OPTIONAL
}

KRB-SAFE-BODY ::= SEQUENCE {
        user-data[0]            OCTET STRING,
        timestamp[1]            KerberosTime OPTIONAL,
        usec[2]                 krb5int32 OPTIONAL,
        seq-number[3]           krb5uint32 OPTIONAL,
        s-address[4]            HostAddress OPTIONAL,
        r-address[5]            HostAddress OPTIONAL
}

KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        safe-body[2]            KRB-SAFE-BODY,
        cksum[3]                Checksum
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        enc-part[3]             EncryptedData
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
        user-data[0]            OCTET STRING,
        timestamp[1]            KerberosTime OPTIONAL,
        usec[2]                 krb5int32 OPTIONAL,
        seq-number[3]           krb5uint32 OPTIONAL,
        s-address[4]            HostAddress OPTIONAL, -- sender's addr
        r-address[5]            HostAddress OPTIONAL  -- recip's addr
}

KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE, -- KRB_CRED
        tickets[2]              SEQUENCE OF Ticket,
        enc-part[3]             EncryptedData
}

KrbCredInfo ::= SEQUENCE {
        key[0]                  EncryptionKey,
        prealm[1]               Realm OPTIONAL,
        pname[2]                PrincipalName OPTIONAL,
        flags[3]                TicketFlags OPTIONAL,
        authtime[4]             KerberosTime OPTIONAL,
        starttime[5]            KerberosTime OPTIONAL,
        endtime[6]              KerberosTime OPTIONAL,
        renew-till[7]           KerberosTime OPTIONAL,
        srealm[8]               Realm OPTIONAL,
        sname[9]                PrincipalName OPTIONAL,
        caddr[10]               HostAddresses OPTIONAL
}

EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
        ticket-info[0]          SEQUENCE OF KrbCredInfo,
        nonce[1]                krb5int32 OPTIONAL,
        timestamp[2]            KerberosTime OPTIONAL,
        usec[3]                 krb5int32 OPTIONAL,
        s-address[4]            HostAddress OPTIONAL,
        r-address[5]            HostAddress OPTIONAL
}

KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
        pvno[0]                 krb5int32,
        msg-type[1]             MESSAGE-TYPE,
        ctime[2]                KerberosTime OPTIONAL,
        cusec[3]                krb5int32 OPTIONAL,
        stime[4]                KerberosTime,
        susec[5]                krb5int32,
        error-code[6]           krb5int32,
        crealm[7]               Realm OPTIONAL,
        cname[8]                PrincipalName OPTIONAL,
        realm[9]                Realm, -- Correct realm
        sname[10]               PrincipalName, -- Correct name
        e-text[11]              GeneralString OPTIONAL,
        e-data[12]              OCTET STRING OPTIONAL
}

ChangePasswdDataMS ::= SEQUENCE {
        newpasswd[0]            OCTET STRING,
        targname[1]             PrincipalName OPTIONAL,
        targrealm[2]            Realm OPTIONAL
}

EtypeList ::= SEQUENCE OF krb5int32
        -- the client's proposed enctype list in
        -- decreasing preference order, favorite choice first

krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number

-- transited encodings

DOMAIN-X500-COMPRESS    krb5int32 ::= 1

-- authorization data primitives

AD-IF-RELEVANT ::= AuthorizationData

AD-KDCIssued ::= SEQUENCE {
        ad-checksum[0]          Checksum,
        i-realm[1]              Realm OPTIONAL,
        i-sname[2]              PrincipalName OPTIONAL,
        elements[3]             AuthorizationData
}

AD-AND-OR ::= SEQUENCE {
        condition-count[0]      INTEGER,
        elements[1]             AuthorizationData
}

AD-MANDATORY-FOR-KDC ::= AuthorizationData

-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2

PA-SAM-TYPE ::= INTEGER {
        PA_SAM_TYPE_ENIGMA(1),          -- Enigma Logic
        PA_SAM_TYPE_DIGI_PATH(2),       -- Digital Pathways
        PA_SAM_TYPE_SKEY_K0(3),         -- S/key where  KDC has key 0
        PA_SAM_TYPE_SKEY(4),            -- Traditional S/Key
        PA_SAM_TYPE_SECURID(5),         -- Security Dynamics
        PA_SAM_TYPE_CRYPTOCARD(6)       -- CRYPTOCard
}

PA-SAM-REDIRECT ::= HostAddresses

SAMFlags ::= BIT STRING {
        use-sad-as-key(0),
        send-encrypted-sad(1),
        must-pk-encrypt-sad(2)
}

PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
        sam-type[0]             krb5int32,
        sam-flags[1]            SAMFlags,
        sam-type-name[2]        GeneralString OPTIONAL,
        sam-track-id[3]         GeneralString OPTIONAL,
        sam-challenge-label[4]  GeneralString OPTIONAL,
        sam-challenge[5]        GeneralString OPTIONAL,
        sam-response-prompt[6]  GeneralString OPTIONAL,
        sam-pk-for-sad[7]       EncryptionKey OPTIONAL,
        sam-nonce[8]            krb5int32,
        sam-etype[9]            krb5int32,
        ...
}

PA-SAM-CHALLENGE-2 ::= SEQUENCE {
        sam-body[0]             PA-SAM-CHALLENGE-2-BODY,
        sam-cksum[1]            SEQUENCE OF Checksum, -- (1..MAX)
        ...
}

PA-SAM-RESPONSE-2 ::= SEQUENCE {
        sam-type[0]             krb5int32,
        sam-flags[1]            SAMFlags,
        sam-track-id[2]         GeneralString OPTIONAL,
        sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
        sam-nonce[4]            krb5int32,
        ...
}

PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
        sam-nonce[0]            krb5int32,
        sam-sad[1]              GeneralString OPTIONAL,
        ...
}

PA-S4U2Self ::= SEQUENCE {
        name[0]         PrincipalName,
        realm[1]        Realm,
        cksum[2]        Checksum,
        auth[3]         GeneralString
}

-- never encoded on the wire, just used to checksum over
KRB5SignedPathData ::= SEQUENCE {
        encticket[0]    EncTicketPart,
        delegated[1]    Principals OPTIONAL
}

KRB5SignedPath ::= SEQUENCE {
        -- DERcoded KRB5SignedPathData
        -- krbtgt key (etype), KeyUsage = XXX
        etype[0]        ENCTYPE,
        cksum[1]        Checksum,
        -- srvs delegated though
        delegated[2]    Principals OPTIONAL
}

PA-ClientCanonicalizedNames ::= SEQUENCE{
        requested-name  [0] PrincipalName,
        mapped-name     [1] PrincipalName
}

PA-ClientCanonicalized ::= SEQUENCE {
        names           [0] PA-ClientCanonicalizedNames,
        canon-checksum  [1] Checksum
}

AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
        login-alias     [0] PrincipalName,
        checksum        [1] Checksum
}

-- old ms referral
PA-SvrReferralData ::= SEQUENCE {
        referred-name   [1] PrincipalName OPTIONAL,
        referred-realm  [0] Realm
}

PA-SERVER-REFERRAL-DATA ::= EncryptedData

PA-ServerReferralData ::= SEQUENCE {
        referred-realm          [0] Realm OPTIONAL,
        true-principal-name     [1] PrincipalName OPTIONAL,
        requested-principal-name [2] PrincipalName OPTIONAL,
        referral-valid-until     [3] KerberosTime OPTIONAL,
        ...
}

FastOptions ::= BIT STRING {
            reserved(0),
            hide-client-names(1),
            kdc-follow--referrals(16)
}

KrbFastReq ::= SEQUENCE {
        fast-options [0] FastOptions,
        padata       [1] SEQUENCE OF PA-DATA,
        req-body     [2] KDC-REQ-BODY,
        ...
}

KrbFastArmor ::= SEQUENCE {
        armor-type   [0] krb5int32,
        armor-value  [1] OCTET STRING,
        ...
}

KrbFastArmoredReq ::= SEQUENCE {
        armor        [0] KrbFastArmor OPTIONAL,
        req-checksum [1] Checksum,
        enc-fast-req [2] EncryptedData -- KrbFastReq --
}

PA-FX-FAST-REQUEST ::= CHOICE {
        armored-data [0] KrbFastArmoredReq,
        ...
}

KrbFastFinished ::= SEQUENCE {
        timestamp   [0] KerberosTime,
        usec        [1] krb5int32,
        crealm      [2] Realm,
        cname       [3] PrincipalName,
        checksum    [4] Checksum,
        ticket-checksum [5] Checksum,
        ...
}

KrbFastResponse ::= SEQUENCE {
        padata      [0] SEQUENCE OF PA-DATA,
        rep-key     [1] EncryptionKey OPTIONAL,
        finished    [2] KrbFastFinished OPTIONAL,
        ...
}

KrbFastArmoredRep ::= SEQUENCE {
        enc-fast-rep      [0] EncryptedData, -- KrbFastResponse --
        ...
}

PA-FX-FAST-REPLY ::= CHOICE {
        armored-data [0] KrbFastArmoredRep,
        ...
}

END

-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1