samba-mirror/python/samba/tests/krb5/rfc4120.asn1

-- Portions of these ASN.1 modules are structures are from RFC6113
-- authored by S. Hartman (Painless Security) and L. Zhu (Microsoft)
--
-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the
-- code. All rights reserved.
--
-- Redistribution and use in source and binary forms, with or without
-- modification, is permitted pursuant to, and subject to the license terms
-- contained in, the Simplified BSD License set forth in Section 4.c of the IETF
-- Trust’s Legal Provisions Relating to IETF Documents
-- (http://trustee.ietf.org/license-info).
--
-- BSD License:
--
-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved.
-- Redistribution and use in source and binary forms, with or without modification, are permitted provided
-- that the following conditions are met:
-- • Redistributions of source code must retain the above copyright notice, this list of conditions and
-- the following disclaimer.
--
-- • Redistributions in binary form must reproduce the above copyright notice, this list of conditions
-- and the following disclaimer in the documentation and/or other materials provided with the
-- distribution.
--
-- • Neither the name of Internet Society, IETF or IETF Trust, nor the names of specific contributors,
-- may be used to endorse or promote products derived from this software without specific prior written
-- permission.
-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
-- AND  ANY  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-- ARE  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-- POSSIBILITY OF SUCH DAMAGE.
--

KerberosV5Spec2 {
        iso(1) identified-organization(3) dod(6) internet(1)
        security(5) kerberosV5(2) modules(4) krb5spec2(2)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN

-- OID arc for KerberosV5
--
-- This OID may be used to identify Kerberos protocol messages
-- encapsulated in other protocols.
--
-- This OID also designates the OID arc for KerberosV5-related OIDs.
--
-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
id-krb5         OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) dod(6) internet(1)
        security(5) kerberosV5(2)
}

Int32           ::= INTEGER (-2147483648..2147483647)
                    -- signed values representable in 32 bits

UInt32          ::= INTEGER (0..4294967295)
                    -- unsigned 32 bit values

Microseconds    ::= INTEGER (0..999999)
                    -- microseconds

--
-- asn1ate doesn't support 'GeneralString (IA5String)'
-- only 'GeneralString' or 'IA5String', on the wire
-- GeneralString is used.
--
-- KerberosString  ::= GeneralString (IA5String)
KerberosString  ::= GeneralString

Realm           ::= KerberosString

PrincipalName   ::= SEQUENCE {
        name-type       [0] NameType, -- Int32,
        name-string     [1] SEQUENCE OF KerberosString
}

NameType ::= Int32

KerberosTime    ::= GeneralizedTime -- with no fractional seconds

HostAddress     ::= SEQUENCE  {
        addr-type       [0] Int32,
        address         [1] OCTET STRING
}

-- NOTE: HostAddresses is always used as an OPTIONAL field and
-- should not be empty.
HostAddresses   -- NOTE: subtly different from rfc1510,
                -- but has a value mapping and encodes the same
        ::= SEQUENCE OF HostAddress

-- NOTE: AuthorizationData is always used as an OPTIONAL field and
-- should not be empty.
AuthorizationData       ::= SEQUENCE OF SEQUENCE {
        ad-type         [0] AuthDataType, -- Int32,
        ad-data         [1] OCTET STRING
}

AuthDataType ::= Int32

PA-DATA         ::= SEQUENCE {
        -- NOTE: first tag is [1], not [0]
        padata-type     [1] PADataType, -- Int32
        padata-value    [2] OCTET STRING -- might be encoded AP-REQ
}

PADataType ::= Int32

--
-- asn1ate doesn't support 'MAX' nor a lower range != 1.
-- We'll use a custom enodeValue() hooks for BitString
-- in order to encode them with at least 32-Bit.
--
-- KerberosFlags   ::= BIT STRING (SIZE (32..MAX))
KerberosFlags   ::= BIT STRING (SIZE (1..32))
                    -- minimum number of bits shall be sent,
                    -- but no fewer than 32

EncryptedData   ::= SEQUENCE {
        etype   [0] EncryptionType, --Int32 EncryptionType --
        kvno    [1] Int32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptionKey   ::= SEQUENCE {
        keytype         [0] EncryptionType, -- Int32 actually encryption type --
        keyvalue        [1] OCTET STRING
}

Checksum        ::= SEQUENCE {
        cksumtype       [0] ChecksumType, -- Int32,
        checksum        [1] OCTET STRING
}

ChecksumType ::= Int32

Ticket          ::= [APPLICATION 1] SEQUENCE {
        tkt-vno         [0] INTEGER (5),
        realm           [1] Realm,
        sname           [2] PrincipalName,
        enc-part        [3] EncryptedData -- EncTicketPart
}

-- Encrypted part of ticket
EncTicketPart   ::= [APPLICATION 3] SEQUENCE {
        flags                   [0] TicketFlags,
        key                     [1] EncryptionKey,
        crealm                  [2] Realm,
        cname                   [3] PrincipalName,
        transited               [4] TransitedEncoding,
        authtime                [5] KerberosTime,
        starttime               [6] KerberosTime OPTIONAL,
        endtime                 [7] KerberosTime,
        renew-till              [8] KerberosTime OPTIONAL,
        caddr                   [9] HostAddresses OPTIONAL,
        authorization-data      [10] AuthorizationData OPTIONAL
}

-- encoded Transited field
TransitedEncoding       ::= SEQUENCE {
        tr-type         [0] Int32 -- must be registered --,
        contents        [1] OCTET STRING
}

TicketFlags     ::= KerberosFlags
        -- reserved(0),
        -- forwardable(1),
        -- forwarded(2),
        -- proxiable(3),
        -- proxy(4),
        -- may-postdate(5),
        -- postdated(6),
        -- invalid(7),
        -- renewable(8),
        -- initial(9),
        -- pre-authent(10),
        -- hw-authent(11),
-- the following are new since 1510
        -- transited-policy-checked(12),
        -- ok-as-delegate(13)
        -- enc-pa-rep(15)

AS-REQ          ::= [APPLICATION 10] KDC-REQ

TGS-REQ         ::= [APPLICATION 12] KDC-REQ

KDC-REQ         ::= SEQUENCE {
        -- NOTE: first tag is [1], not [0]
        pvno            [1] INTEGER (5) ,
        msg-type        [2] INTEGER (10 -- AS -- | 12 -- TGS --),
        padata          [3] SEQUENCE OF PA-DATA OPTIONAL
                            -- NOTE: not empty --,
        req-body        [4] KDC-REQ-BODY
}

KDC-REQ-BODY    ::= SEQUENCE {
        kdc-options             [0] KDCOptions,
        cname                   [1] PrincipalName OPTIONAL
                                    -- Used only in AS-REQ --,
        realm                   [2] Realm
                                    -- Server's realm
                                    -- Also client's in AS-REQ --,
        sname                   [3] PrincipalName OPTIONAL,
        from                    [4] KerberosTime OPTIONAL,
        till                    [5] KerberosTime,
        rtime                   [6] KerberosTime OPTIONAL,
        nonce                   [7] UInt32,
        etype                   [8] SEQUENCE OF EncryptionType -- Int32 - EncryptionType
                                    -- in preference order --,
        addresses               [9] HostAddresses OPTIONAL,
        enc-authorization-data  [10] EncryptedData OPTIONAL
                                    -- AuthorizationData --,
        additional-tickets      [11] SEQUENCE OF Ticket OPTIONAL
                                        -- NOTE: not empty
}

EncryptionType ::= Int32

KDCOptions      ::= KerberosFlags
        -- reserved(0),
        -- forwardable(1),
        -- forwarded(2),
        -- proxiable(3),
        -- proxy(4),
        -- allow-postdate(5),
        -- postdated(6),
        -- unused7(7),
        -- renewable(8),
        -- unused9(9),
        -- unused10(10),
        -- opt-hardware-auth(11),
        -- unused12(12),
        -- unused13(13),
-- Canonicalize is used in RFC 6806
        -- canonicalize(15),
-- 26 was unused in 1510
        -- disable-transited-check(26),
--
        -- renewable-ok(27),
        -- enc-tkt-in-skey(28),
        -- renew(30),
        -- validate(31)

AS-REP          ::= [APPLICATION 11] KDC-REP

TGS-REP         ::= [APPLICATION 13] KDC-REP

KDC-REP         ::= SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (11 -- AS -- | 13 -- TGS --),
        padata          [2] SEQUENCE OF PA-DATA OPTIONAL
                                -- NOTE: not empty --,
        crealm          [3] Realm,
        cname           [4] PrincipalName,
        ticket          [5] Ticket,
        enc-part        [6] EncryptedData
                                -- EncASRepPart or EncTGSRepPart,
                                -- as appropriate
}

EncASRepPart    ::= [APPLICATION 25] EncKDCRepPart

EncTGSRepPart   ::= [APPLICATION 26] EncKDCRepPart

EncKDCRepPart   ::= SEQUENCE {
        key             [0] EncryptionKey,
        last-req        [1] LastReq,
        nonce           [2] UInt32,
        key-expiration  [3] KerberosTime OPTIONAL,
        flags           [4] TicketFlags,
        authtime        [5] KerberosTime,
        starttime       [6] KerberosTime OPTIONAL,
        endtime         [7] KerberosTime,
        renew-till      [8] KerberosTime OPTIONAL,
        srealm          [9] Realm,
        sname           [10] PrincipalName,
        caddr           [11] HostAddresses OPTIONAL,
        encrypted-pa-data[12]	METHOD-DATA OPTIONAL
}

LastReq         ::=     SEQUENCE OF SEQUENCE {
        lr-type         [0] Int32,
        lr-value        [1] KerberosTime
}

AP-REQ          ::= [APPLICATION 14] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (14),
        ap-options      [2] APOptions,
        ticket          [3] Ticket,
        authenticator   [4] EncryptedData -- Authenticator
}

APOptions       ::= KerberosFlags
        -- reserved(0),
        -- use-session-key(1),
        -- mutual-required(2)

-- Unencrypted authenticator
Authenticator   ::= [APPLICATION 2] SEQUENCE  {
        authenticator-vno       [0] INTEGER (5),
        crealm                  [1] Realm,
        cname                   [2] PrincipalName,
        cksum                   [3] Checksum OPTIONAL,
        cusec                   [4] Microseconds,
        ctime                   [5] KerberosTime,
        subkey                  [6] EncryptionKey OPTIONAL,
        seq-number              [7] UInt32 OPTIONAL,
        authorization-data      [8] AuthorizationData OPTIONAL
}

AP-REP          ::= [APPLICATION 15] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (15),
        enc-part        [2] EncryptedData -- EncAPRepPart
}

EncAPRepPart    ::= [APPLICATION 27] SEQUENCE {
        ctime           [0] KerberosTime,
        cusec           [1] Microseconds,
        subkey          [2] EncryptionKey OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL
}

KRB-SAFE        ::= [APPLICATION 20] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (20),
        safe-body       [2] KRB-SAFE-BODY,
        cksum           [3] Checksum
}

KRB-SAFE-BODY   ::= SEQUENCE {
        user-data       [0] OCTET STRING,
        timestamp       [1] KerberosTime OPTIONAL,
        usec            [2] Microseconds OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL,
        s-address       [4] HostAddress,
        r-address       [5] HostAddress OPTIONAL
}

KRB-PRIV        ::= [APPLICATION 21] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (21),
                        -- NOTE: there is no [2] tag
        enc-part        [3] EncryptedData -- EncKrbPrivPart
}

EncKrbPrivPart  ::= [APPLICATION 28] SEQUENCE {
        user-data       [0] OCTET STRING,
        timestamp       [1] KerberosTime OPTIONAL,
        usec            [2] Microseconds OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL,
        s-address       [4] HostAddress -- sender's addr --,
        r-address       [5] HostAddress OPTIONAL -- recip's addr
}

KRB-CRED        ::= [APPLICATION 22] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (22),
        tickets         [2] SEQUENCE OF Ticket,
        enc-part        [3] EncryptedData -- EncKrbCredPart
}

EncKrbCredPart  ::= [APPLICATION 29] SEQUENCE {
        ticket-info     [0] SEQUENCE OF KrbCredInfo,
        nonce           [1] UInt32 OPTIONAL,
        timestamp       [2] KerberosTime OPTIONAL,
        usec            [3] Microseconds OPTIONAL,
        s-address       [4] HostAddress OPTIONAL,
        r-address       [5] HostAddress OPTIONAL
}

KrbCredInfo     ::= SEQUENCE {
        key             [0] EncryptionKey,
        prealm          [1] Realm OPTIONAL,
        pname           [2] PrincipalName OPTIONAL,
        flags           [3] TicketFlags OPTIONAL,
        authtime        [4] KerberosTime OPTIONAL,
        starttime       [5] KerberosTime OPTIONAL,
        endtime         [6] KerberosTime OPTIONAL,
        renew-till      [7] KerberosTime OPTIONAL,
        srealm          [8] Realm OPTIONAL,
        sname           [9] PrincipalName OPTIONAL,
        caddr           [10] HostAddresses OPTIONAL
}

KRB-ERROR       ::= [APPLICATION 30] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (30),
        ctime           [2] KerberosTime OPTIONAL,
        cusec           [3] Microseconds OPTIONAL,
        stime           [4] KerberosTime,
        susec           [5] Microseconds,
        error-code      [6] Int32,
        crealm          [7] Realm OPTIONAL,
        cname           [8] PrincipalName OPTIONAL,
        realm           [9] Realm -- service realm --,
        sname           [10] PrincipalName -- service name --,
        e-text          [11] KerberosString OPTIONAL,
        e-data          [12] OCTET STRING OPTIONAL
}

METHOD-DATA     ::= SEQUENCE OF PA-DATA

--
-- asn1ate doesn't support 'MAX'
--
-- TYPED-DATA      ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
TYPED-DATA      ::= SEQUENCE SIZE (1..256) OF SEQUENCE {
        data-type       [0] Int32,
        data-value      [1] OCTET STRING OPTIONAL
}

-- preauth stuff follows

PA-ENC-TIMESTAMP        ::= EncryptedData -- PA-ENC-TS-ENC

PA-ENC-TS-ENC           ::= SEQUENCE {
        patimestamp     [0] KerberosTime -- client's time --,
        pausec          [1] Microseconds OPTIONAL
}

ETYPE-INFO-ENTRY        ::= SEQUENCE {
        etype           [0] EncryptionType, --Int32 EncryptionType --
        salt            [1] OCTET STRING OPTIONAL
}

ETYPE-INFO              ::= SEQUENCE OF ETYPE-INFO-ENTRY

ETYPE-INFO2-ENTRY       ::= SEQUENCE {
        etype           [0] EncryptionType, --Int32 EncryptionType --
        salt            [1] KerberosString OPTIONAL,
        s2kparams       [2] OCTET STRING OPTIONAL
}

ETYPE-INFO2             ::= SEQUENCE SIZE (1..256) OF ETYPE-INFO2-ENTRY

AD-IF-RELEVANT          ::= AuthorizationData

AD-KDCIssued            ::= SEQUENCE {
        ad-checksum     [0] Checksum,
        i-realm         [1] Realm OPTIONAL,
        i-sname         [2] PrincipalName OPTIONAL,
        elements        [3] AuthorizationData
}

AD-AND-OR               ::= SEQUENCE {
        condition-count [0] Int32,
        elements        [1] AuthorizationData
}

AD-MANDATORY-FOR-KDC    ::= AuthorizationData

-- S4U

PA-S4U2Self ::= SEQUENCE {
        name            [0] PrincipalName,
        realm           [1] Realm,
        cksum           [2] Checksum,
        auth            [3] KerberosString
}

--
--
-- MS-KILE Start

KERB-ERROR-DATA ::= SEQUENCE {
        data-type [1] KerbErrorDataType,
        data-value [2] OCTET STRING OPTIONAL
}

KerbErrorDataType ::= INTEGER

KERB-PA-PAC-REQUEST ::= SEQUENCE {
        include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC.
                               --If FALSE, and PAC present, remove PAC
}

KERB-LOCAL ::= OCTET STRING -- Implementation-specific data which MUST be
                            -- ignored if Kerberos client is not local.

KERB-AD-RESTRICTION-ENTRY ::= SEQUENCE {
        restriction-type [0] Int32,
        restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
}

PA-SUPPORTED-ENCTYPES ::= Int32 -- Supported Encryption Types Bit Field --

PACOptionFlags ::= KerberosFlags -- Claims (0)
                                 -- Branch Aware (1)
                                 -- Forward to Full DC (2)
                                 -- Resource Based Constrained Delegation (3)
PA-PAC-OPTIONS ::= SEQUENCE {
        options [0] PACOptionFlags
}
-- Note: KerberosFlags ::= BIT STRING (SIZE (32..MAX))
-- minimum number of bits shall be sent, but no fewer than 32

KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type --
KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey

FastOptions     ::= BIT STRING {
        reserved(0),
        hide-client-names(1),
        kdc-follow-referrals(16)
}

KrbFastReq      ::= SEQUENCE {
        fast-options    [0] FastOptions,
        padata          [1] SEQUENCE OF PA-DATA,
        req-body        [2] KDC-REQ-BODY,
        ...
}

KrbFastArmor    ::= SEQUENCE {
        armor-type      [0] Int32,
        armor-value     [1] OCTET STRING,
        ...
}

KrbFastArmoredReq ::= SEQUENCE {
        armor           [0] KrbFastArmor OPTIONAL,
        req-checksum    [1] Checksum,
        enc-fast-req    [2] EncryptedData -- KrbFastReq --
}

PA-FX-FAST-REQUEST ::= CHOICE {
        armored-data    [0] KrbFastArmoredReq,
        ...
}

KrbFastFinished ::= SEQUENCE {
        timestamp       [0] KerberosTime,
        usec            [1] Int32,
        crealm          [2] Realm,
        cname           [3] PrincipalName,
        ticket-checksum [4] Checksum,
        ...
}

KrbFastResponse ::= SEQUENCE {
        padata          [0] SEQUENCE OF PA-DATA,
                -- padata typed holes.
        strengthen-key  [1] EncryptionKey OPTIONAL,
                -- This, if present, strengthens the reply key for AS and
                -- TGS. MUST be present for TGS.
                -- MUST be absent in KRB-ERROR.
        finished        [2] KrbFastFinished OPTIONAL,
	        -- Present in AS or TGS reply; absent otherwise.
        nonce           [3] UInt32,
	        -- Nonce from the client request.
        ...
}

KrbFastArmoredRep ::= SEQUENCE {
        enc-fast-rep    [0] EncryptedData, -- KrbFastResponse --
        ...
}

PA-FX-FAST-REPLY ::= CHOICE {
        armored-data    [0] KrbFastArmoredRep,
        ...
}

ChangePasswdDataMS ::= SEQUENCE {
        newpasswd       [0] OCTET STRING,
        targname        [1] PrincipalName OPTIONAL,
        targrealm       [2] Realm OPTIONAL
}

-- MS-KILE End
--
--

--
--
-- prettyPrint values
--
--

NameTypeValues ::= INTEGER { -- Int32
        kRB5-NT-UNKNOWN(0),        -- Name type not known
        kRB5-NT-PRINCIPAL(1),      -- Just the name of the principal as in
        kRB5-NT-SRV-INST(2),       -- Service and other unique instance (krbtgt)
        kRB5-NT-SRV-HST(3),        -- Service with host name as instance
        kRB5-NT-SRV-XHST(4),       -- Service with host as remaining components
        kRB5-NT-UID(5),            -- Unique ID
        kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
        kRB5-NT-SMTP-NAME(7),      -- Name in form of SMTP email name
        kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
        kRB5-NT-WELLKNOWN(11),     -- Wellknown
        kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
        kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
        kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
}
NameTypeSequence ::= SEQUENCE {
        dummy [0] NameTypeValues
}

TicketFlagsValues     ::= BIT STRING { -- KerberosFlags
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        may-postdate(5),
        postdated(6),
        invalid(7),
        renewable(8),
        initial(9),
        pre-authent(10),
        hw-authent(11),
-- the following are new since 1510
        transited-policy-checked(12),
        ok-as-delegate(13),
        enc-pa-rep(15)
}
TicketFlagsSequence ::= SEQUENCE {
        dummy [0] TicketFlagsValues
}

KDCOptionsValues      ::= BIT STRING { -- KerberosFlags
        reserved(0),
        forwardable(1),
        forwarded(2),
        proxiable(3),
        proxy(4),
        allow-postdate(5),
        postdated(6),
        unused7(7),
        renewable(8),
        unused9(9),
        unused10(10),
        opt-hardware-auth(11),
        unused12(12),
        unused13(13),
        cname-in-addl-tkt(14),
-- Canonicalize is used by RFC 6806
        canonicalize(15),
-- 26 was unused in 1510
        disable-transited-check(26),
--
        renewable-ok(27),
        enc-tkt-in-skey(28),
        renew(30),
        validate(31)
}
KDCOptionsSequence ::= SEQUENCE {
        dummy [0] KDCOptionsValues
}

APOptionsValues ::= BIT STRING { -- KerberosFlags
        reserved(0),
        use-session-key(1),
        mutual-required(2)
}
APOptionsSequence ::= SEQUENCE {
        dummy [0] APOptionsValues
}

MessageTypeValues ::= INTEGER {
        krb-as-req(10), -- Request for initial authentication
        krb-as-rep(11), -- Response to KRB_AS_REQ request
        krb-tgs-req(12), -- Request for authentication based on TGT
        krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
        krb-ap-req(14), -- application request to server
        krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
        krb-safe(20), -- Safe (checksummed) application message
        krb-priv(21), -- Private (encrypted) application message
        krb-cred(22), -- Private (encrypted) message to forward credentials
        krb-error(30) -- Error response
}
MessageTypeSequence ::= SEQUENCE {
        dummy [0] MessageTypeValues
}

PADataTypeValues ::= INTEGER {
	kRB5-PADATA-NONE(0),
	-- kRB5-PADATA-TGS-REQ(1),
	-- kRB5-PADATA-AP-REQ(1),
	kRB5-PADATA-KDC-REQ(1),
	kRB5-PADATA-ENC-TIMESTAMP(2),
	kRB5-PADATA-PW-SALT(3),
	kRB5-PADATA-ENC-UNIX-TIME(5),
	kRB5-PADATA-SANDIA-SECUREID(6),
	kRB5-PADATA-SESAME(7),
	kRB5-PADATA-OSF-DCE(8),
	kRB5-PADATA-CYBERSAFE-SECUREID(9),
	kRB5-PADATA-AFS3-SALT(10),
	kRB5-PADATA-ETYPE-INFO(11),
	kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
	kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
	kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
	kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
	-- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number)
	kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
	kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
	kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
	kRB5-PADATA-ETYPE-INFO2(19),
	-- kRB5-PADATA-USE-SPECIFIED-KVNO(20),
	kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
	kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
	kRB5-PADATA-GET-FROM-TYPED-DATA(22),
	kRB5-PADATA-SAM-ETYPE-INFO(23),
	kRB5-PADATA-SERVER-REFERRAL(25),
	kRB5-PADATA-ALT-PRINC(24),		-- (crawdad@fnal.gov)
	kRB5-PADATA-SAM-CHALLENGE2(30),		-- (kenh@pobox.com)
	kRB5-PADATA-SAM-RESPONSE2(31),		-- (kenh@pobox.com)
	kRB5-PA-EXTRA-TGT(41),			-- Reserved extra TGT
	kRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
	kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
	kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
	kRB5-PADATA-TD-APP-DEFINED-ERROR(106),	-- application specific
	kRB5-PADATA-TD-REQ-NONCE(107),		-- INTEGER
	kRB5-PADATA-TD-REQ-SEQ(108),		-- INTEGER
	kRB5-PADATA-PA-PAC-REQUEST(128),	-- jbrezak@exchange.microsoft.com
	kRB5-PADATA-FOR-USER(129),		-- MS-KILE
	kRB5-PADATA-FOR-X509-USER(130),		-- MS-KILE
	kRB5-PADATA-FOR-CHECK-DUPS(131),	-- MS-KILE
	kRB5-PADATA-AS-CHECKSUM(132),		-- MS-KILE
	-- kRB5-PADATA-PK-AS-09-BINDING(132),	- client send this to
						-- tell KDC that is supports
						-- the asCheckSum in the
						--  PK-AS-REP
	kRB5-PADATA-FX-COOKIE(133),		-- krb-wg-preauth-framework
	kRB5-PADATA-AUTHENTICATION-SET(134),	-- krb-wg-preauth-framework
	kRB5-PADATA-AUTH-SET-SELECTED(135),	-- krb-wg-preauth-framework
	kRB5-PADATA-FX-FAST(136),		-- krb-wg-preauth-framework
	kRB5-PADATA-FX-ERROR(137),		-- krb-wg-preauth-framework
	kRB5-PADATA-ENCRYPTED-CHALLENGE(138),	-- krb-wg-preauth-framework
	kRB5-PADATA-OTP-CHALLENGE(141),		-- (gareth.richards@rsa.com)
	kRB5-PADATA-OTP-REQUEST(142),		-- (gareth.richards@rsa.com)
	kBB5-PADATA-OTP-CONFIRM(143),		-- (gareth.richards@rsa.com)
	kRB5-PADATA-OTP-PIN-CHANGE(144),	-- (gareth.richards@rsa.com)
	kRB5-PADATA-EPAK-AS-REQ(145),
	kRB5-PADATA-EPAK-AS-REP(146),
	kRB5-PADATA-PKINIT-KX(147),		-- krb-wg-anon
	kRB5-PADATA-PKU2U-NAME(148),		-- zhu-pku2u
	kRB5-PADATA-REQ-ENC-PA-REP(149),	--
	kRB5-PADATA-SUPPORTED-ETYPES(165),	-- MS-KILE
	kRB5-PADATA-PAC-OPTIONS(167),		-- MS-KILE
	kRB5-PADATA-GSS(655)			-- gss-preauth
}
PADataTypeSequence ::= SEQUENCE {
        dummy [0] PADataTypeValues
}

AuthDataTypeValues ::= INTEGER {
	kRB5-AUTHDATA-IF-RELEVANT(1),
	kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
	kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
	kRB5-AUTHDATA-KDC-ISSUED(4),
	kRB5-AUTHDATA-AND-OR(5),
	kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
	kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
	kRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
	kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
	kRB5-AUTHDATA-OSF-DCE(64),
	kRB5-AUTHDATA-SESAME(65),
	kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
	kRB5-AUTHDATA-WIN2K-PAC(128),
	kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
	kRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
	kRB5-AUTHDATA-SIGNTICKET-OLD(142),
	kRB5-AUTHDATA-SIGNTICKET(512)
}
AuthDataTypeSequence ::= SEQUENCE {
        dummy [0] AuthDataTypeValues
}

ChecksumTypeValues ::= INTEGER {
	kRB5-CKSUMTYPE-NONE(0),
	kRB5-CKSUMTYPE-CRC32(1),
	kRB5-CKSUMTYPE-RSA-MD4(2),
	kRB5-CKSUMTYPE-RSA-MD4-DES(3),
	kRB5-CKSUMTYPE-DES-MAC(4),
	kRB5-CKSUMTYPE-DES-MAC-K(5),
	kRB5-CKSUMTYPE-RSA-MD4-DES-K(6),
	kRB5-CKSUMTYPE-RSA-MD5(7),
	kRB5-CKSUMTYPE-RSA-MD5-DES(8),
	kRB5-CKSUMTYPE-RSA-MD5-DES3(9),
	kRB5-CKSUMTYPE-SHA1-OTHER(10),
	kRB5-CKSUMTYPE-HMAC-SHA1-DES3(12),
	kRB5-CKSUMTYPE-SHA1(14),
	kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128(15),
	kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256(16),
	kRB5-CKSUMTYPE-GSSAPI(32771), -- 0x8003
	kRB5-CKSUMTYPE-HMAC-MD5(-138),	-- unofficial microsoft number
	kRB5-CKSUMTYPE-HMAC-MD5-ENC(-1138)	-- even more unofficial
}
ChecksumTypeSequence ::= SEQUENCE {
        dummy [0] ChecksumTypeValues
}

EncryptionTypeValues ::= INTEGER {
	kRB5-ENCTYPE-NULL(0),
	kRB5-ENCTYPE-DES-CBC-CRC(1),
	kRB5-ENCTYPE-DES-CBC-MD4(2),
	kRB5-ENCTYPE-DES-CBC-MD5(3),
	kRB5-ENCTYPE-DES3-CBC-MD5(5),
	kRB5-ENCTYPE-OLD-DES3-CBC-SHA1(7),
	kRB5-ENCTYPE-SIGN-DSA-GENERATE(8),
	kRB5-ENCTYPE-ENCRYPT-RSA-PRIV(9),
	kRB5-ENCTYPE-ENCRYPT-RSA-PUB(10),
	kRB5-ENCTYPE-DES3-CBC-SHA1(16),	-- with key derivation
	kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96(17),
	kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96(18),
	kRB5-ENCTYPE-ARCFOUR-HMAC-MD5(23),
	kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56(24),
	kRB5-ENCTYPE-ENCTYPE-PK-CROSS(48),
-- some "old" windows types
	kRB5-ENCTYPE-ARCFOUR-MD4(-128),
	kRB5-ENCTYPE-ARCFOUR-HMAC-OLD(-133),
	kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
-- these are for Heimdal internal use
--	kRB5-ENCTYPE-DES-CBC-NONE(-0x1000),
--	kRB5-ENCTYPE-DES3-CBC-NONE(-0x1001),
--	kRB5-ENCTYPE-DES-CFB64-NONE(-0x1002),
--	kRB5-ENCTYPE-DES-PCBC-NONE(-0x1003),
--	kRB5-ENCTYPE-DIGEST-MD5-NONE(-0x1004),		- private use, lukeh@padl.com
--	kRB5-ENCTYPE-CRAM-MD5-NONE(-0x1005)		- private use, lukeh@padl.com
	kRB5-ENCTYPE-DUMMY(-1111)
}
EncryptionTypeSequence ::= SEQUENCE {
        dummy [0] EncryptionTypeValues
}

KerbErrorDataTypeValues ::= INTEGER {
        kERB-AP-ERR-TYPE-SKEW-RECOVERY(2),
        kERB-ERR-TYPE-EXTENDED(3)
}
KerbErrorDataTypeSequence ::= SEQUENCE {
        dummy [0] KerbErrorDataTypeValues
}

PACOptionFlagsValues ::= BIT STRING { -- KerberosFlags
        claims(0),
        branch-aware(1),
        forward-to-full-dc(2),
        resource-based-constrained-delegation(3)
}
PACOptionFlagsSequence ::= SEQUENCE {
        dummy [0] PACOptionFlagsValues
}

END