samba-mirror/python/samba/tests/krb5/rfc4120.asn1
Joseph Sutton dbfb19b7f9 tests/krb5: Remove redundant definitions
These items are already defined elsewhere.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-21 20:21:34 +00:00


-- Portions of these ASN.1 modules are structures from RFC6113
-- authored by S. Hartman (Painless Security) and L. Zhu (Microsoft)
--
-- Portions of these ASN.1 modules are structures from RFC4556
-- authored by L. Zhu (Microsoft Corporation) and B. Tung (Aerospace
-- Corporation)
--
-- Portions of these ASN.1 modules are structures from RFC5280
-- authored by D. Cooper (NIST), S. Santesson (Microsoft),
-- S. Farrell (Trinity College Dublin), S. Boeyen (Entrust),
-- R. Housley (Vigil Security), W. Polk (NIST)
--
-- Portions of these ASN.1 modules are structures from RFC8017 (PKCS #1; this header originally read "RFC0817")
-- authored by K. Moriarty, Ed. (EMC Corporation)
-- B. Kaliski (Verisign), J. Jonsson (Subset AB), A. Rusch (RSA)
-- Portions of these ASN.1 modules are structures from RFC8018 (PKCS #5; this header originally read "RFC0818")
-- authored by K. Moriarty, Ed. (Dell EMC), B. Kaliski (Verisign)
-- A. Rusch (RSA)
--
-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the
-- code. All rights reserved.
--
-- Redistribution and use in source and binary forms, with or without
-- modification, is permitted pursuant to, and subject to the license terms
-- contained in, the Simplified BSD License set forth in Section 4.c of the IETF
-- Trust's Legal Provisions Relating to IETF Documents
-- (http://trustee.ietf.org/license-info).
--
-- BSD License:
--
-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved.
-- Redistribution and use in source and binary forms, with or without modification, are permitted provided
-- that the following conditions are met:
-- • Redistributions of source code must retain the above copyright notice, this list of conditions and
-- the following disclaimer.
--
-- • Redistributions in binary form must reproduce the above copyright notice, this list of conditions
-- and the following disclaimer in the documentation and/or other materials provided with the
-- distribution.
--
-- • Neither the name of Internet Society, IETF or IETF Trust, nor the names of specific contributors,
-- may be used to endorse or promote products derived from this software without specific prior written
-- permission.
-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-- POSSIBILITY OF SUCH DAMAGE.
--
--
-- Portions of these ASN.1 modules are from Microsoft's MS-WCCE and MS-KILE
-- from the Microsoft Open Specifications Documentation.
--
-- Intellectual Property Rights Notice for Open Specifications Documentation
--
-- * Technical Documentation. Microsoft publishes Open Specifications
-- documentation (“this documentation”) for protocols, file formats,
-- data portability, computer languages, and standards
-- support. Additionally, overview documents cover inter-protocol
-- relationships and interactions.
--
-- * Copyrights. This documentation is covered by Microsoft
-- copyrights. Regardless of any other terms that are contained in
-- the terms of use for the Microsoft website that hosts this
-- documentation, you can make copies of it in order to develop
-- implementations of the technologies that are described in this
-- documentation and can distribute portions of it in your
-- implementations that use these technologies or in your
-- documentation as necessary to properly document the
-- implementation. You can also distribute in your implementation,
-- with or without modification, any schemas, IDLs, or code samples
-- that are included in the documentation. This permission also
-- applies to any documents that are referenced in the Open
-- Specifications documentation.
--
-- * No Trade Secrets. Microsoft does not claim any trade secret rights
-- in this documentation.
--
-- * Patents. Microsoft has patents that might cover your
-- implementations of the technologies described in the Open
-- Specifications documentation. Neither this notice nor Microsoft's
-- delivery of this documentation grants any licenses under those
-- patents or any other Microsoft patents. However, a given Open
-- Specifications document might be covered by the Microsoft Open
-- Specifications Promise or the Microsoft Community Promise. If you
-- would prefer a written license, or if the technologies described
-- in this documentation are not covered by the Open Specifications
-- Promise or Community Promise, as applicable, patent licenses are
-- available by contacting iplg@microsoft.com.
--
-- * License Programs. To see all of the protocols in scope under a
-- specific license program and the associated patents, visit the
-- Patent Map.
--
-- * Trademarks. The names of companies and products contained in this
-- documentation might be covered by trademarks or similar
-- intellectual property rights. This notice does not grant any
-- licenses under those rights. For a list of Microsoft trademarks,
-- visit www.microsoft.com/trademarks.
--
-- * Fictitious Names. The example companies, organizations, products,
-- domain names, email addresses, logos, people, places, and events
-- that are depicted in this documentation are fictitious. No
-- association with any real company, organization, product, domain
-- name, email address, logo, person, place, or event is intended or
-- should be inferred.
--
-- Reservation of Rights. All other rights are reserved, and this notice
-- does not grant any rights other than as specifically described above,
-- whether by implication, estoppel, or otherwise.
--
-- Tools. The Open Specifications documentation does not require the use
-- of Microsoft programming tools or programming environments in order
-- for you to develop an implementation. If you have access to Microsoft
-- programming tools and environments, you are free to take advantage of
-- them. Certain Open Specifications documents are intended for use in
-- conjunction with publicly available standards specifications and
-- network programming art and, as such, assume that the reader either
-- is familiar with the aforementioned material or has immediate access
-- to it.
--
-- Support. For questions and support, please contact dochelp@microsoft.com
-- The above is the IPR notice from MS-KILE
KerberosV5Spec2 {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosV5(2) modules(4) krb5spec2(2)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN
-- OID arc for KerberosV5
--
-- This OID may be used to identify Kerberos protocol messages
-- encapsulated in other protocols.
--
-- This OID also designates the OID arc for KerberosV5-related OIDs.
--
-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
--
-- The arc below resolves to 1.3.6.1.5.2. id-pkinit, defined later in
-- this module, spells out the same arc with a trailing pkinit(3).
id-krb5 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosV5(2)
}
-- Range-constrained integer helpers used throughout the module.
-- NOTE(review): whether the classes generated from this schema enforce
-- these ranges when decoding is not visible in this file; confirm
-- before relying on the schema to reject out-of-range values.
Int32 ::= INTEGER (-2147483648..2147483647)
-- signed values representable in 32 bits
UInt32 ::= INTEGER (0..4294967295)
-- unsigned 32 bit values
Microseconds ::= INTEGER (0..999999)
-- microseconds
--
-- asn1ate doesn't support 'GeneralString (IA5String)'
-- only 'GeneralString' or 'IA5String', on the wire
-- GeneralString is used.
--
-- KerberosString ::= GeneralString (IA5String)
--
-- NOTE(review): with the IA5String constraint dropped, this schema
-- places no limit on the character repertoire of realm and principal
-- strings. Any such check has to happen in the code that consumes the
-- decoded value.
KerberosString ::= GeneralString
-- Realm names use the same string type as every other Kerberos string.
Realm ::= KerberosString
-- A principal name: a type code plus an ordered list of components.
-- name-string carries no SIZE constraint, so an empty component list
-- satisfies the schema.
PrincipalName ::= SEQUENCE {
name-type [0] NameType, -- Int32,
name-string [1] SEQUENCE OF KerberosString
}
-- Plain Int32 alias; no named values are defined for it here.
NameType ::= Int32
KerberosTime ::= GeneralizedTime -- with no fractional seconds
-- One network address: an Int32 type code and the raw address bytes.
-- The schema does not relate the length of address to addr-type.
HostAddress ::= SEQUENCE {
addr-type [0] Int32,
address [1] OCTET STRING
}
-- NOTE: HostAddresses is always used as an OPTIONAL field and
-- should not be empty.
--
-- The "should not be empty" rule exists only in the comment above; the
-- type below has no SIZE constraint that would enforce it.
HostAddresses -- NOTE: subtly different from rfc1510,
-- but has a value mapping and encodes the same
::= SEQUENCE OF HostAddress
-- NOTE: AuthorizationData is always used as an OPTIONAL field and
-- should not be empty.
--
-- The "should not be empty" rule is not expressed as a SIZE constraint.
-- ad-data is an opaque OCTET STRING at this layer.
-- NOTE(review): its inner layout presumably depends on ad-type (see
-- AD-IF-RELEVANT, AD-KDCIssued and AD-AND-OR later in this module);
-- confirm against the code that decodes it.
AuthorizationData ::= SEQUENCE OF SEQUENCE {
ad-type [0] AuthDataType, -- Int32,
ad-data [1] OCTET STRING
}
-- Plain Int32 alias; no named values are defined for it here.
AuthDataType ::= Int32
-- Pre-authentication element: a type code and an opaque value.
-- padata-value is not decoded by this type; the consumer has to pick
-- the inner type from padata-type.
PA-DATA ::= SEQUENCE {
-- NOTE: first tag is [1], not [0]
padata-type [1] PADataType, -- Int32
padata-value [2] OCTET STRING -- might be encoded AP-REQ
}
-- Plain Int32 alias; no named values are defined for it here.
PADataType ::= Int32
--
-- asn1ate doesn't support 'MAX' nor a lower range != 1.
-- We'll use custom encodeValue() hooks for BitString
-- in order to encode them with at least 32-Bit.
--
-- KerberosFlags ::= BIT STRING (SIZE (32..MAX))
--
-- NOTE(review): the substituted constraint below is not equivalent to
-- the original one. It accepts bit strings of 1 to 32 bits, so strings
-- shorter than 32 bits satisfy it and strings longer than 32 bits do
-- not. The 32-bit minimum depends entirely on the encoder hook
-- mentioned above, which is not part of this file.
KerberosFlags ::= BIT STRING (SIZE (1..32))
-- minimum number of bits shall be sent,
-- but no fewer than 32
-- Ciphertext container used wherever a message carries an encrypted
-- part. The schema sees only the encryption type, an optional key
-- version number and opaque bytes; the plaintext type is named only in
-- the comment at each place this type is used.
EncryptedData ::= SEQUENCE {
etype [0] EncryptionType, --Int32 EncryptionType --
kvno [1] Int32 OPTIONAL,
cipher [2] OCTET STRING -- ciphertext
}
-- Key material: an encryption type and the raw key bytes. The schema
-- does not relate the length of keyvalue to keytype.
EncryptionKey ::= SEQUENCE {
keytype [0] EncryptionType, -- Int32 actually encryption type --
keyvalue [1] OCTET STRING
}
-- A checksum type code and the checksum bytes. Whether a given
-- cksumtype is keyed is not expressed in the schema.
Checksum ::= SEQUENCE {
cksumtype [0] ChecksumType, -- Int32,
checksum [1] OCTET STRING
}
-- Plain Int32 alias; no named values are defined for it here.
ChecksumType ::= Int32
-- A ticket as it appears on the wire. realm and sname are outside the
-- ciphertext; all remaining ticket fields are inside enc-part, whose
-- plaintext type is EncTicketPart. tkt-vno is constrained to 5.
Ticket ::= [APPLICATION 1] SEQUENCE {
tkt-vno [0] INTEGER (5),
realm [1] Realm,
sname [2] PrincipalName,
enc-part [3] EncryptedData -- EncTicketPart
}
-- Encrypted part of ticket
--
-- Holds the session key, the client identity, the validity times and
-- the optional address and authorization-data restrictions. starttime,
-- renew-till, caddr and authorization-data are OPTIONAL; authtime and
-- endtime are always present.
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
flags [0] TicketFlags,
key [1] EncryptionKey,
crealm [2] Realm,
cname [3] PrincipalName,
transited [4] TransitedEncoding,
authtime [5] KerberosTime,
starttime [6] KerberosTime OPTIONAL,
endtime [7] KerberosTime,
renew-till [8] KerberosTime OPTIONAL,
caddr [9] HostAddresses OPTIONAL,
authorization-data [10] AuthorizationData OPTIONAL
}
-- encoded Transited field
--
-- contents is opaque here; its format is selected by tr-type.
TransitedEncoding ::= SEQUENCE {
tr-type [0] Int32 -- must be registered --,
contents [1] OCTET STRING
}
-- Ticket flag bits. The bit names below are comments only: the type is
-- an unnamed KerberosFlags bit string, so nothing in the schema rejects
-- a bit that is not listed. Bit 14 has no name in this list.
TicketFlags ::= KerberosFlags
-- reserved(0),
-- forwardable(1),
-- forwarded(2),
-- proxiable(3),
-- proxy(4),
-- may-postdate(5),
-- postdated(6),
-- invalid(7),
-- renewable(8),
-- initial(9),
-- pre-authent(10),
-- hw-authent(11),
-- the following are new since 1510
-- transited-policy-checked(12),
-- ok-as-delegate(13)
-- enc-pa-rep(15)
-- AS-REQ and TGS-REQ differ only in their APPLICATION tag; both wrap
-- the same KDC-REQ body. The msg-type constraint below allows 10 or 12
-- in either wrapper, so the schema does not check that msg-type agrees
-- with the outer tag. That comparison is left to the consumer.
AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ
KDC-REQ ::= SEQUENCE {
-- NOTE: first tag is [1], not [0]
pvno [1] INTEGER (5) ,
msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
padata [3] SEQUENCE OF PA-DATA OPTIONAL
-- NOTE: not empty --,
req-body [4] KDC-REQ-BODY
}
-- Request body shared by AS-REQ and TGS-REQ.
-- The rules stated in the field comments (cname only in AS-REQ,
-- additional-tickets not empty) are comments only and are not
-- expressed as constraints. The etype list has no SIZE bound either.
KDC-REQ-BODY ::= SEQUENCE {
kdc-options [0] KDCOptions,
cname [1] PrincipalName OPTIONAL
-- Used only in AS-REQ --,
realm [2] Realm
-- Server's realm
-- Also client's in AS-REQ --,
sname [3] PrincipalName OPTIONAL,
from [4] KerberosTime OPTIONAL,
till [5] KerberosTime,
rtime [6] KerberosTime OPTIONAL,
nonce [7] UInt32,
etype [8] SEQUENCE OF EncryptionType -- Int32 - EncryptionType
-- in preference order --,
addresses [9] HostAddresses OPTIONAL,
enc-authorization-data [10] EncryptedData OPTIONAL
-- AuthorizationData --,
additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
-- NOTE: not empty
}
-- Plain Int32 alias; no named values are defined for it here, so any
-- Int32 is a schema-valid encryption type.
EncryptionType ::= Int32
-- KDC option bits. As with the other flag types in this module, the
-- bit names are comments only and the type is an unnamed KerberosFlags
-- bit string. Bits without a name in the list below are not rejected
-- by the schema.
KDCOptions ::= KerberosFlags
-- reserved(0),
-- forwardable(1),
-- forwarded(2),
-- proxiable(3),
-- proxy(4),
-- allow-postdate(5),
-- postdated(6),
-- unused7(7),
-- renewable(8),
-- unused9(9),
-- unused10(10),
-- opt-hardware-auth(11),
-- unused12(12),
-- unused13(13),
-- Canonicalize is used in RFC 6806
-- canonicalize(15),
-- 26 was unused in 1510
-- disable-transited-check(26),
--
-- renewable-ok(27),
-- enc-tkt-in-skey(28),
-- renew(30),
-- validate(31)
-- AS-REP and TGS-REP share one body, distinguished by APPLICATION tag.
-- The msg-type constraint allows 11 or 13 in either wrapper, so
-- agreement between msg-type and the outer tag is not checked here.
-- Unlike KDC-REQ, the first context tag of KDC-REP is [0].
-- crealm, cname and ticket sit outside enc-part.
AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP
KDC-REP ::= SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
padata [2] SEQUENCE OF PA-DATA OPTIONAL
-- NOTE: not empty --,
crealm [3] Realm,
cname [4] PrincipalName,
ticket [5] Ticket,
enc-part [6] EncryptedData
-- EncASRepPart or EncTGSRepPart,
-- as appropriate
}
-- Plaintext of KDC-REP.enc-part. The AS and TGS variants differ only
-- in their APPLICATION tag. The body carries the session key, the
-- nonce (UInt32, the same type as the nonce field in KDC-REQ-BODY),
-- and the server realm and name (srealm, sname).
EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
EncKDCRepPart ::= SEQUENCE {
key [0] EncryptionKey,
last-req [1] LastReq,
nonce [2] UInt32,
key-expiration [3] KerberosTime OPTIONAL,
flags [4] TicketFlags,
authtime [5] KerberosTime,
starttime [6] KerberosTime OPTIONAL,
endtime [7] KerberosTime,
renew-till [8] KerberosTime OPTIONAL,
srealm [9] Realm,
sname [10] PrincipalName,
caddr [11] HostAddresses OPTIONAL,
encrypted-pa-data[12] METHOD-DATA OPTIONAL
}
-- List of (type, time) pairs; lr-type is a plain Int32 with no named
-- values defined here.
LastReq ::= SEQUENCE OF SEQUENCE {
lr-type [0] Int32,
lr-value [1] KerberosTime
}
-- Application request: a ticket plus an encrypted authenticator.
-- ap-options and ticket are outside the ciphertext.
AP-REQ ::= [APPLICATION 14] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (14),
ap-options [2] APOptions,
ticket [3] Ticket,
authenticator [4] EncryptedData -- Authenticator
}
-- Bit names are comments only; the type is an unnamed bit string.
APOptions ::= KerberosFlags
-- reserved(0),
-- use-session-key(1),
-- mutual-required(2)
-- Unencrypted authenticator
--
-- cusec and ctime are mandatory. cksum, subkey, seq-number and
-- authorization-data are OPTIONAL, so an authenticator without a
-- checksum is schema-valid.
Authenticator ::= [APPLICATION 2] SEQUENCE {
authenticator-vno [0] INTEGER (5),
crealm [1] Realm,
cname [2] PrincipalName,
cksum [3] Checksum OPTIONAL,
cusec [4] Microseconds,
ctime [5] KerberosTime,
subkey [6] EncryptionKey OPTIONAL,
seq-number [7] UInt32 OPTIONAL,
authorization-data [8] AuthorizationData OPTIONAL
}
-- Application reply; everything apart from pvno and msg-type is
-- inside enc-part.
AP-REP ::= [APPLICATION 15] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (15),
enc-part [2] EncryptedData -- EncAPRepPart
}
-- Plaintext of AP-REP.enc-part: ctime and cusec plus an optional
-- subkey and sequence number.
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
ctime [0] KerberosTime,
cusec [1] Microseconds,
subkey [2] EncryptionKey OPTIONAL,
seq-number [3] UInt32 OPTIONAL
}
-- Integrity-protected message: the body is sent in the clear and is
-- accompanied by a checksum. Nothing in this structure is encrypted.
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (20),
safe-body [2] KRB-SAFE-BODY,
cksum [3] Checksum
}
-- timestamp, usec and seq-number are all OPTIONAL, so a body that
-- carries neither a timestamp nor a sequence number is schema-valid.
-- A receiver that wants one of them has to check for its presence.
KRB-SAFE-BODY ::= SEQUENCE {
user-data [0] OCTET STRING,
timestamp [1] KerberosTime OPTIONAL,
usec [2] Microseconds OPTIONAL,
seq-number [3] UInt32 OPTIONAL,
s-address [4] HostAddress,
r-address [5] HostAddress OPTIONAL
}
-- Confidentiality-protected message; the payload is inside enc-part.
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (21),
-- NOTE: there is no [2] tag
enc-part [3] EncryptedData -- EncKrbPrivPart
}
-- Plaintext of KRB-PRIV.enc-part. As in KRB-SAFE-BODY, timestamp, usec
-- and seq-number are all OPTIONAL, so their presence has to be checked
-- by the receiver rather than by the schema.
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
user-data [0] OCTET STRING,
timestamp [1] KerberosTime OPTIONAL,
usec [2] Microseconds OPTIONAL,
seq-number [3] UInt32 OPTIONAL,
s-address [4] HostAddress -- sender's addr --,
r-address [5] HostAddress OPTIONAL -- recip's addr
}
-- Credential-forwarding message: the tickets travel outside the
-- ciphertext, the matching session keys inside enc-part.
KRB-CRED ::= [APPLICATION 22] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (22),
tickets [2] SEQUENCE OF Ticket,
enc-part [3] EncryptedData -- EncKrbCredPart
}
-- Plaintext of KRB-CRED.enc-part. Every field except ticket-info is
-- OPTIONAL, including nonce and timestamp.
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
ticket-info [0] SEQUENCE OF KrbCredInfo,
nonce [1] UInt32 OPTIONAL,
timestamp [2] KerberosTime OPTIONAL,
usec [3] Microseconds OPTIONAL,
s-address [4] HostAddress OPTIONAL,
r-address [5] HostAddress OPTIONAL
}
-- Per-ticket information. key is the only mandatory field; it is an
-- EncryptionKey, so this structure holds raw key material once
-- decrypted.
KrbCredInfo ::= SEQUENCE {
key [0] EncryptionKey,
prealm [1] Realm OPTIONAL,
pname [2] PrincipalName OPTIONAL,
flags [3] TicketFlags OPTIONAL,
authtime [4] KerberosTime OPTIONAL,
starttime [5] KerberosTime OPTIONAL,
endtime [6] KerberosTime OPTIONAL,
renew-till [7] KerberosTime OPTIONAL,
srealm [8] Realm OPTIONAL,
sname [9] PrincipalName OPTIONAL,
caddr [10] HostAddresses OPTIONAL
}
-- Error message. No field of this structure is an EncryptedData or a
-- Checksum, so the structure itself carries nothing that authenticates
-- error-code, e-text or e-data. e-data is opaque at this layer.
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (30),
ctime [2] KerberosTime OPTIONAL,
cusec [3] Microseconds OPTIONAL,
stime [4] KerberosTime,
susec [5] Microseconds,
error-code [6] Int32,
crealm [7] Realm OPTIONAL,
cname [8] PrincipalName OPTIONAL,
realm [9] Realm -- service realm --,
sname [10] PrincipalName -- service name --,
e-text [11] KerberosString OPTIONAL,
e-data [12] OCTET STRING OPTIONAL
}
-- A list of PA-DATA elements with no SIZE bound.
METHOD-DATA ::= SEQUENCE OF PA-DATA
--
-- asn1ate doesn't support 'MAX'
--
-- TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
--
-- The 256-element cap below is a tool workaround, not a protocol
-- limit: the original constraint has no upper bound, so a list with
-- more than 256 elements is valid against the original definition but
-- not against this one.
TYPED-DATA ::= SEQUENCE SIZE (1..256) OF SEQUENCE {
data-type [0] Int32,
data-value [1] OCTET STRING OPTIONAL
}
-- preauth stuff follows
--
-- PA-ENC-TIMESTAMP is an EncryptedData whose plaintext is
-- PA-ENC-TS-ENC: the client's time, with optional microseconds.
PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
PA-ENC-TS-ENC ::= SEQUENCE {
patimestamp [0] KerberosTime -- client's time --,
pausec [1] Microseconds OPTIONAL
}
-- Encryption-type hints. In ETYPE-INFO-ENTRY the salt is an OCTET
-- STRING; in ETYPE-INFO2-ENTRY it is a KerberosString and an opaque
-- s2kparams field is added. Both salt fields are OPTIONAL.
ETYPE-INFO-ENTRY ::= SEQUENCE {
etype [0] EncryptionType, --Int32 EncryptionType --
salt [1] OCTET STRING OPTIONAL
}
ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
ETYPE-INFO2-ENTRY ::= SEQUENCE {
etype [0] EncryptionType, --Int32 EncryptionType --
salt [1] KerberosString OPTIONAL,
s2kparams [2] OCTET STRING OPTIONAL
}
-- ETYPE-INFO2 is bounded to 1..256 entries, whereas ETYPE-INFO above
-- has no SIZE constraint.
-- NOTE(review): the 256 cap looks like the same asn1ate 'MAX'
-- workaround used elsewhere in this module; confirm.
ETYPE-INFO2 ::= SEQUENCE SIZE (1..256) OF ETYPE-INFO2-ENTRY
-- Container types for authorization data. AD-IF-RELEVANT and
-- AD-MANDATORY-FOR-KDC are plain aliases of AuthorizationData, so the
-- schema cannot tell them apart; the difference lies in how the
-- consumer treats elements it does not understand.
AD-IF-RELEVANT ::= AuthorizationData
-- Elements accompanied by a checksum and an optional issuer identity.
-- NOTE(review): which key and which bytes ad-checksum covers is not
-- stated in this file; confirm against the verifying code.
AD-KDCIssued ::= SEQUENCE {
ad-checksum [0] Checksum,
i-realm [1] Realm OPTIONAL,
i-sname [2] PrincipalName OPTIONAL,
elements [3] AuthorizationData
}
-- condition-count is a signed Int32; the schema does not relate it to
-- the number of entries in elements.
AD-AND-OR ::= SEQUENCE {
condition-count [0] Int32,
elements [1] AuthorizationData
}
AD-MANDATORY-FOR-KDC ::= AuthorizationData
-- S4U
--
-- Padata structure carrying a principal name and realm together with
-- a checksum and an auth string.
-- NOTE(review): which fields cksum covers and which key it uses are
-- not stated in this file; confirm against the code that builds and
-- verifies this structure.
PA-S4U2Self ::= SEQUENCE {
name [0] PrincipalName,
realm [1] Realm,
cksum [2] Checksum,
auth [3] KerberosString
}
-- PK-INIT
-- (from RFC 1422)
-- asn1ate doesn't support SIGNED.
-- CertificateRevocationList ::= SIGNED SEQUENCE {
--
-- With SIGNED removed, this type has no field for the signature bits:
-- the signature member below is an AlgorithmIdentifier only. A value
-- decoded with this definition therefore cannot be used on its own to
-- verify a CRL signature.
CertificateRevocationList ::= SEQUENCE {
signature AlgorithmIdentifier,
issuer Name,
lastUpdate UTCTime,
nextUpdate UTCTime,
revokedCertificates
SEQUENCE OF CRLEntry OPTIONAL
}
CRLEntry ::= SEQUENCE{
userCertificate SerialNumber,
revocationDate UTCTime
}
-- Not actually defined in an RFC.
-- Unconstrained INTEGER: negative and arbitrarily large values are
-- schema-valid.
SerialNumber ::= INTEGER
-- (from RFC 2315)
--
-- PKCS #7 style SignedData. certificates and crls are IMPLICIT-tagged,
-- overriding the EXPLICIT TAGS default of this module.
-- DigestAlgorithmIdentifiers and SignerInfos are not defined in this
-- part of the file.
SignedData-RFC2315 ::= SEQUENCE {
version Version-RFC2315,
digestAlgorithms DigestAlgorithmIdentifiers,
contentInfo ContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos
}
-- Unconstrained INTEGER; no version values are named.
Version-RFC2315 ::= INTEGER
-- content is ANY DEFINED BY contentType, so it stays undecoded at this
-- layer; the consumer has to select the inner type from contentType.
ContentInfo ::= SEQUENCE {
contentType ContentType,
content
[0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}
ExtendedCertificatesAndCertificates ::=
SET OF ExtendedCertificateOrCertificate
ExtendedCertificateOrCertificate ::= CHOICE {
certificate Certificate, -- X.509
extendedCertificate [0] IMPLICIT ExtendedCertificate
}
-- Set of the RFC 1422 style CertificateRevocationList type defined in
-- this module, not of the RFC 5280 CertificateList.
CertificateRevocationLists ::=
SET OF CertificateRevocationList
-- (from RFC 3279)
--
-- Diffie-Hellman domain parameters. All members are unconstrained
-- INTEGERs; the properties named in the field comments (odd prime,
-- generator, factor of p-1) are not checked by the schema.
-- NOTE(review): q is OPTIONAL here. A check of a peer public value
-- that needs the subgroup order cannot be done when q is absent;
-- confirm how the consuming code handles that case.
DomainParameters ::= SEQUENCE {
p INTEGER, -- odd prime, p=jq +1
g INTEGER, -- generator, g
-- Note: RFC 3279 does not mention that q is optional.
q INTEGER OPTIONAL, -- factor of p-1
j INTEGER OPTIONAL, -- subgroup factor
validationParms ValidationParms OPTIONAL
}
ValidationParms ::= SEQUENCE {
seed BIT STRING,
pgenCounter INTEGER
}
-- Unconstrained INTEGER; range checks against p are left to the
-- consumer.
DHPublicKey ::= INTEGER -- public key, y = g^x mod p
-- Resolves to 1.2.840.10046.2.1.
dhpublicnumber OBJECT IDENTIFIER ::= {
iso(1) member-body(2)
us(840) ansi-x942(10046) number-type(2) 1
}
-- Digest algorithm identifiers: md2 is 1.2.840.113549.2.2, md5 is
-- 1.2.840.113549.2.5 and id-sha1 is 1.3.14.3.2.26.
-- NOTE(review): these are presumably defined so that tests can name
-- and recognise the algorithms. Their presence in the schema says
-- nothing about whether MD2, MD5 or SHA-1 should be accepted.
md2 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549)
digestAlgorithm(2) 2
}
md5 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549)
digestAlgorithm(2) 5
}
id-sha1 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) oiw(14) secsig(3)
algorithms(2) 26
}
-- (from RFC 3281)
--
-- Attribute certificate: the signed information, the signature
-- algorithm and the signature bits.
AttributeCertificate ::= SEQUENCE {
acinfo AttributeCertificateInfo,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
-- The signature member here and signatureAlgorithm in the outer
-- AttributeCertificate are separate AlgorithmIdentifier values; the
-- schema does not require them to be equal.
AttributeCertificateInfo ::= SEQUENCE {
version AttCertVersion, -- version is v2
holder Holder,
issuer AttCertIssuer,
signature AlgorithmIdentifier,
serialNumber CertificateSerialNumber,
attrCertValidityPeriod AttCertValidityPeriod,
attributes SEQUENCE OF Attribute,
issuerUniqueID UniqueIdentifier OPTIONAL,
extensions Extensions OPTIONAL
}
-- The only named value is v2, with the numeric value 1.
AttCertVersion ::= INTEGER { v2(1) }
-- All three members are OPTIONAL, so a Holder with none of them set is
-- schema-valid.
Holder ::= SEQUENCE {
baseCertificateID [0] IssuerSerial OPTIONAL,
entityName [1] GeneralNames OPTIONAL,
objectDigestInfo [2] ObjectDigestInfo OPTIONAL
}
-- The "MUST NOT be used" rule for otherObjectTypes is a comment only;
-- the ENUMERATED type still accepts the value 2.
ObjectDigestInfo ::= SEQUENCE {
digestedObjectType ENUMERATED {
publicKey (0),
publicKeyCert (1),
otherObjectTypes (2)
},
-- otherObjectTypes MUST NOT
-- be used in this profile
otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
digestAlgorithm AlgorithmIdentifier,
objectDigest BIT STRING
}
-- (from RFC 3370)
--
-- Resolves to 1.2.840.113549.1.1.5.
-- NOTE(review): presumably present so tests can name the algorithm;
-- defining the OID here does not make SHA-1 based signatures
-- acceptable to any verifier.
sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5
}
-- (from RFC 4556)
--
-- PKINIT OID arc, 1.3.6.1.5.2.3, spelled out in full rather than
-- written relative to id-krb5. The three content-type OIDs below are
-- children 1, 2 and 3 of that arc.
id-pkinit OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosv5(2) pkinit (3)
}
id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 }
id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 }
id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 }
-- PKINIT request padata. signedAuthPack and kdcPkId are IMPLICIT
-- OCTET STRINGs, overriding the EXPLICIT TAGS default of this module.
-- Their contents are opaque at this layer and must be decoded
-- separately. The trailing "..." marks the type as extensible.
PA-PK-AS-REQ ::= SEQUENCE {
signedAuthPack [0] IMPLICIT OCTET STRING,
trustedCertifiers [1] SEQUENCE OF
ExternalPrincipalIdentifier OPTIONAL,
kdcPkId [2] IMPLICIT OCTET STRING
OPTIONAL,
...
}
-- Opaque nonce bytes; no length constraint is given.
DHNonce ::= OCTET STRING
-- All three identifiers are OPTIONAL and opaque, so an identifier with
-- no member set is schema-valid.
ExternalPrincipalIdentifier ::= SEQUENCE {
subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
...
}
-- Client authentication data: the PKAuthenticator is the only
-- mandatory member; the public value, supported CMS algorithms and DH
-- nonce are OPTIONAL.
-- NOTE(review): presumably this is the content carried in
-- PA-PK-AS-REQ.signedAuthPack; the link is not stated in this file.
AuthPack ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator,
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
OPTIONAL,
clientDHNonce [3] DHNonce OPTIONAL,
...
}
-- cusec and nonce repeat the ranges of Microseconds and UInt32 inline.
-- paChecksum and freshnessToken are both OPTIONAL, so an authenticator
-- carrying neither is schema-valid; a receiver that requires one of
-- them has to check for its presence.
PKAuthenticator ::= SEQUENCE {
cusec [0] INTEGER (0..999999),
ctime [1] KerberosTime,
nonce [2] INTEGER (0..4294967295),
paChecksum [3] OCTET STRING OPTIONAL,
freshnessToken [4] OCTET STRING OPTIONAL,
...
}
-- Typed-data lists of certifier identifiers; neither has a SIZE bound.
TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF ExternalPrincipalIdentifier
TD-INVALID-CERTIFICATES ::= SEQUENCE OF ExternalPrincipalIdentifier
-- Realm plus principal name as a single value.
-- NOTE(review): presumably used as the value of an otherName entry in
-- a certificate subjectAltName; the OID that selects it is not defined
-- in this part of the file.
KRB5PrincipalName ::= SEQUENCE {
realm [0] Realm,
principalName [1] PrincipalName
}
AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier
-- PKINIT reply padata: either Diffie-Hellman information or an
-- encrypted key package. Both payloads are opaque OCTET STRINGs here.
PA-PK-AS-REP ::= CHOICE {
dhInfo [0] DHRepInfo,
encKeyPack [1] IMPLICIT OCTET STRING,
...
}
DHRepInfo ::= SEQUENCE {
dhSignedData [0] IMPLICIT OCTET STRING,
serverDHNonce [1] DHNonce OPTIONAL,
...
}
-- The KDC's DH public value with a nonce in the UInt32 range.
KDCDHKeyInfo ::= SEQUENCE {
subjectPublicKey [0] BIT STRING,
nonce [1] INTEGER (0..4294967295),
dhKeyExpiration [2] KerberosTime OPTIONAL,
...
}
-- Holds a reply key as an EncryptionKey, so a decoded value contains
-- raw key material.
ReplyKeyPack ::= SEQUENCE {
replyKey [0] EncryptionKey,
asChecksum [1] Checksum,
...
}
TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
-- (from RFC 5755)
--
-- An attribute type with a set of values. The "at least one value"
-- rule is a comment only; the SET OF has no SIZE constraint.
Attribute ::= SEQUENCE {
type AttributeType,
values SET OF AttributeValue
-- at least one value is required
}
-- The profile rules in the comments below (v1Form not used, issuerName
-- present, the other two V2Form members absent) are not expressed as
-- constraints, so values that break them still decode.
AttCertIssuer ::= CHOICE {
v1Form GeneralNames, -- MUST NOT be used in this
-- profile
v2Form [0] V2Form -- v2 only
}
V2Form ::= SEQUENCE {
issuerName GeneralNames OPTIONAL,
baseCertificateID [0] IssuerSerial OPTIONAL,
objectDigestInfo [1] ObjectDigestInfo OPTIONAL
-- issuerName MUST be present in this profile
-- baseCertificateID and objectDigestInfo MUST NOT
-- be present in this profile
}
IssuerSerial ::= SEQUENCE {
issuer GeneralNames,
serial CertificateSerialNumber,
issuerUID UniqueIdentifier OPTIONAL
}
-- Both bounds are GeneralizedTime; the schema does not require
-- notBeforeTime to precede notAfterTime.
AttCertValidityPeriod ::= SEQUENCE {
notBeforeTime GeneralizedTime,
notAfterTime GeneralizedTime
}
-- (from RFC 5280)
--
-- id-ce resolves to 2.5.29 and id-ce-subjectAltName to 2.5.29.17.
id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
SubjectAltName ::= GeneralNames
--
-- asn1ate doesn't support MAX.
--
-- GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
--
-- The 256-entry cap is a tool workaround; the original definition has
-- no upper bound.
GeneralNames ::= SEQUENCE SIZE (1..256) OF GeneralName
-- The string alternatives are plain IA5String and iPAddress is a plain
-- OCTET STRING, so the schema checks neither name syntax nor address
-- length. Those checks belong to the consumer.
GeneralName ::= CHOICE {
otherName [0] OtherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER
}
-- value is ANY DEFINED BY type-id, so it stays undecoded here and the
-- consumer has to select the inner type from type-id.
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id
}
EDIPartyName ::= SEQUENCE {
nameAssigner [0] DirectoryString OPTIONAL,
partyName [1] DirectoryString
}
Name ::= CHOICE { -- only one possibility for now --
rdnSequence RDNSequence
}
-- One string value in any of five encodings, each capped at 256
-- characters by the asn1ate workaround described inside.
DirectoryString ::= CHOICE {
--
-- asn1ate doesn't support MAX.
--
-- teletexString TeletexString (SIZE (1..MAX)),
-- printableString PrintableString (SIZE (1..MAX)),
-- universalString UniversalString (SIZE (1..MAX)),
-- utf8String UTF8String (SIZE (1..MAX)),
-- bmpString BMPString (SIZE (1..MAX))
teletexString TeletexString (SIZE (1..256)),
printableString PrintableString (SIZE (1..256)),
universalString UniversalString (SIZE (1..256)),
utf8String UTF8String (SIZE (1..256)),
bmpString BMPString (SIZE (1..256))
}
-- X.509 certificate: the to-be-signed part, the signature algorithm
-- and the signature bits. signatureAlgorithm here and the signature
-- member inside TBSCertificate are separate AlgorithmIdentifier
-- values; the schema does not require them to be equal.
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
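-- To-be-signed portion of an X.509 certificate.
-- The version rules in the field comments (unique IDs need v2 or v3,
-- extensions need v3) are comments only and are not enforced here.
TBSCertificate ::= SEQUENCE {
--
-- asn1ate doesn't support the named value v1, so the default is
-- written as a number. v1 is 0 in Version (v1(0), v2(1), v3(2)), so
-- the numeric form of DEFAULT v1 is DEFAULT 0. Writing DEFAULT 1 would
-- make a certificate with no version field decode as v2, and would
-- make an encoder omit the field for a v2 certificate.
--
-- version [0] EXPLICIT Version DEFAULT v1,
version [0] EXPLICIT Version DEFAULT 0,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version MUST be v3
}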
-- Certificate and CRL version numbers. The numeric value is one less
-- than the version name: v1 is 0, v2 is 1, v3 is 2.
Version ::= INTEGER { v1(0), v2(1), v3(2) }
-- Unconstrained INTEGER: negative and arbitrarily large serial numbers
-- are schema-valid.
CertificateSerialNumber ::= INTEGER
-- The schema does not require notBefore to precede notAfter.
Validity ::= SEQUENCE {
notBefore Time,
notAfter Time
}
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime
}
UniqueIdentifier ::= BIT STRING
-- parameters is ANY DEFINED BY algorithm and OPTIONAL, so it stays
-- undecoded here; the consumer has to interpret it per algorithm OID.
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
-- The key itself is an opaque BIT STRING whose inner encoding depends
-- on algorithm.
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING
}
-- No SIZE constraint, so an empty RDN sequence is schema-valid.
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
-- X.400 originator/recipient address. It is defined in this module
-- because GeneralName.x400Address refers to it.
ORAddress ::= SEQUENCE {
built-in-standard-attributes BuiltInStandardAttributes,
built-in-domain-defined-attributes
BuiltInDomainDefinedAttributes OPTIONAL,
-- see also teletex-domain-defined-attributes
extension-attributes ExtensionAttributes OPTIONAL
}
-- Every member is OPTIONAL, so an empty attribute set is schema-valid.
-- Most members are IMPLICIT-tagged; private-domain-name [2] has no
-- IMPLICIT keyword and so takes the module's EXPLICIT default.
BuiltInStandardAttributes ::= SEQUENCE {
country-name CountryName OPTIONAL,
administration-domain-name AdministrationDomainName OPTIONAL,
network-address [0] IMPLICIT NetworkAddress OPTIONAL,
-- see also extended-network-address
terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL,
private-domain-name [2] PrivateDomainName OPTIONAL,
organization-name [3] IMPLICIT OrganizationName OPTIONAL,
-- see also teletex-organization-name
numeric-user-identifier [4] IMPLICIT NumericUserIdentifier
OPTIONAL,
personal-name [5] IMPLICIT PersonalName OPTIONAL,
-- see also teletex-personal-name
organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
OPTIONAL
-- see also teletex-organizational-unit-names
}
-- X.400 attribute value types. Lengths are bounded by the ub- values
-- defined later in this module.
-- CountryName uses an exact length (a single SIZE value, not a range).
-- It carries [APPLICATION 1], the same tag number that Ticket uses in
-- this module; the two appear in unrelated contexts.
CountryName ::= [APPLICATION 1] CHOICE {
x121-dcc-code NumericString
(SIZE (ub-country-name-numeric-length)),
iso-3166-alpha2-code PrintableString
(SIZE (ub-country-name-alpha-length))
}
-- The lower bound here is 0, so an empty name is schema-valid, unlike
-- PrivateDomainName below whose lower bound is 1.
AdministrationDomainName ::= [APPLICATION 2] CHOICE {
numeric NumericString (SIZE (0..ub-domain-name-length)),
printable PrintableString (SIZE (0..ub-domain-name-length))
}
NetworkAddress ::= X121Address -- see also extended-network-address
X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
PrivateDomainName ::= CHOICE {
numeric NumericString (SIZE (1..ub-domain-name-length)),
printable PrintableString (SIZE (1..ub-domain-name-length))
}
OrganizationName ::= PrintableString
(SIZE (1..ub-organization-name-length))
-- see also teletex-organization-name
NumericUserIdentifier ::= NumericString
(SIZE (1..ub-numeric-user-id-length))
-- Personal name as a SET of IMPLICIT-tagged printable strings; only
-- surname is mandatory.
PersonalName ::= SET {
surname [0] IMPLICIT PrintableString
(SIZE (1..ub-surname-length)),
given-name [1] IMPLICIT PrintableString
(SIZE (1..ub-given-name-length)) OPTIONAL,
initials [2] IMPLICIT PrintableString
(SIZE (1..ub-initials-length)) OPTIONAL,
generation-qualifier [3] IMPLICIT PrintableString
(SIZE (1..ub-generation-qualifier-length))
OPTIONAL
}
-- see also teletex-personal-name
OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
OF OrganizationalUnitName
-- see also teletex-organizational-unit-names
OrganizationalUnitName ::= PrintableString (SIZE
(1..ub-organizational-unit-name-length))
BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
(1..ub-domain-defined-attributes) OF
BuiltInDomainDefinedAttribute
BuiltInDomainDefinedAttribute ::= SEQUENCE {
type PrintableString (SIZE
(1..ub-domain-defined-attribute-type-length)),
value PrintableString (SIZE
(1..ub-domain-defined-attribute-value-length))
}
ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
ExtensionAttribute
-- extension-attribute-value is ANY DEFINED BY the type number, so it
-- stays undecoded at this layer.
ExtensionAttribute ::= SEQUENCE {
extension-attribute-type [0] IMPLICIT INTEGER
(0..ub-extension-attributes),
extension-attribute-value [1]
ANY DEFINED BY extension-attribute-type
}
--
-- asn1ate doesn't support MAX.
--
-- Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
--
-- The 256-entry cap is a tool workaround; the original definition has
-- no upper bound.
Extensions ::= SEQUENCE SIZE (1..256) OF Extension
-- critical defaults to FALSE when absent. extnValue is opaque at this
-- layer; recognising extnID and acting on critical is left to the
-- consumer.
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING
-- contains the DER encoding of an ASN.1 value
-- corresponding to the extension type identified
-- by extnID
}
-- RFC 5280 style CRL: the to-be-signed list, the signature algorithm
-- and the signature bits. This is a different type from the RFC 1422
-- style CertificateRevocationList defined earlier in this module.
CertificateList ::= SEQUENCE {
tbsCertList TBSCertList,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
-- The "MUST be v2" rules in the field comments are comments only and
-- are not enforced by the schema. nextUpdate is OPTIONAL.
TBSCertList ::= SEQUENCE {
version Version OPTIONAL,
-- if present, MUST be v2
signature AlgorithmIdentifier,
issuer Name,
thisUpdate Time,
nextUpdate Time OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate Time,
crlEntryExtensions Extensions OPTIONAL
-- if present, version MUST be v2
} OPTIONAL,
crlExtensions [0] EXPLICIT Extensions OPTIONAL
-- if present, version MUST be v2
}
-- Upper-bound constants. Some are referenced by SIZE constraints in
-- the X.400 address types earlier in this module (for example
-- ub-domain-name-length and ub-surname-length); others are not
-- referenced in the part of the file visible here.
ub-name INTEGER ::= 32768
ub-common-name INTEGER ::= 64
ub-locality-name INTEGER ::= 128
ub-state-name INTEGER ::= 128
ub-organization-name INTEGER ::= 64
ub-organizational-unit-name INTEGER ::= 64
ub-title INTEGER ::= 64
ub-serial-number INTEGER ::= 64
ub-match INTEGER ::= 128
ub-emailaddress-length INTEGER ::= 255
ub-common-name-length INTEGER ::= 64
ub-country-name-alpha-length INTEGER ::= 2
ub-country-name-numeric-length INTEGER ::= 3
ub-domain-defined-attributes INTEGER ::= 4
ub-domain-defined-attribute-type-length INTEGER ::= 8
ub-domain-defined-attribute-value-length INTEGER ::= 128
ub-domain-name-length INTEGER ::= 16
ub-extension-attributes INTEGER ::= 256
ub-e163-4-number-length INTEGER ::= 15
ub-e163-4-sub-address-length INTEGER ::= 40
ub-generation-qualifier-length INTEGER ::= 3
ub-given-name-length INTEGER ::= 16
ub-initials-length INTEGER ::= 5
ub-integer-options INTEGER ::= 256
ub-numeric-user-id-length INTEGER ::= 32
ub-organization-name-length INTEGER ::= 64
ub-organizational-unit-name-length INTEGER ::= 32
ub-organizational-units INTEGER ::= 4
ub-pds-name-length INTEGER ::= 16
ub-pds-parameter-length INTEGER ::= 30
ub-pds-physical-address-lines INTEGER ::= 6
ub-postal-code-length INTEGER ::= 16
ub-pseudonym INTEGER ::= 128
ub-surname-length INTEGER ::= 40
ub-terminal-id-length INTEGER ::= 24
ub-unformatted-address-length INTEGER ::= 180
ub-x121-address-length INTEGER ::= 16
--
-- asn1ate doesn't support MAX.
--
-- RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
--
-- The 256-entry cap is a tool workaround; the original definition has
-- no upper bound.
RelativeDistinguishedName ::= SET SIZE (1..256) OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue
}
AttributeType ::= OBJECT IDENTIFIER
-- Declared as a bare ANY: the link to AttributeType exists only in the
-- trailing comment, so the value stays undecoded and its string type
-- is not checked against the attribute type by the schema.
AttributeValue ::= ANY -- DEFINED BY AttributeType
-- (from RFC 5652)
-- ContentType is the OID that identifies what kind of content is carried.
ContentType ::= OBJECT IDENTIFIER
-- Revocation information attached to a CMS object: each entry is either a
-- CRL or another format identified by OID.
RevocationInfoChoices ::= SET OF RevocationInfoChoice
RevocationInfoChoice ::= CHOICE {
crl CertificateList,
other [1] IMPLICIT OtherRevocationInfoFormat
}
-- otherRevInfo is an open type keyed by otherRevInfoFormat; its content is
-- not constrained by this schema.
OtherRevocationInfoFormat ::= SEQUENCE {
otherRevInfoFormat OBJECT IDENTIFIER,
otherRevInfo ANY DEFINED BY otherRevInfoFormat
}
-- Version 1 attribute certificate: the body to be signed, the signature
-- algorithm and the signature bits. CertificateChoices in this file marks
-- the v1AttrCert alternative that carries this type as obsolete.
AttributeCertificateV1 ::= SEQUENCE {
acInfo AttributeCertificateInfoV1,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING
}
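-- Body of a version 1 attribute certificate. The subject is identified
-- either by reference to a public key certificate (baseCertificateID) or by
-- name (subjectName).
--
-- asn1ate doesn't support a named number as a DEFAULT, so the original line
--     version AttCertVersionV1 DEFAULT v1,
-- is written with the numeric value instead. AttCertVersionV1 below names
-- v1 as 0, so the numeric default has to be 0. A default of 1 would make a
-- certificate that omits the field decode as a version this module does not
-- define, and would change which version value is left out when encoding.
AttributeCertificateInfoV1 ::= SEQUENCE {
    version AttCertVersionV1 DEFAULT 0,
    subject CHOICE {
        baseCertificateID [0] IssuerSerial,
            -- associated with a Public Key Certificate
        subjectName [1] GeneralNames },
            -- associated with a name
    issuer GeneralNames,
    signature AlgorithmIdentifier,
    serialNumber CertificateSerialNumber,
    attCertValidityPeriod AttCertValidityPeriod,
    attributes SEQUENCE OF Attribute,
    issuerUniqueID UniqueIdentifier OPTIONAL,
    extensions Extensions OPTIONAL
}
-- The only version named for this structure; note that v1 is the value 0.
AttCertVersionV1 ::= INTEGER { v1(0) }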
-- Extended certificate: a certificate plus a set of attributes, signed as a
-- unit. CertificateChoices in this file marks the alternative that carries
-- this type as obsolete.
ExtendedCertificate ::= SEQUENCE {
extendedCertificateInfo ExtendedCertificateInfo,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature Signature
}
-- The signed part of an ExtendedCertificate.
ExtendedCertificateInfo ::= SEQUENCE {
version CMSVersion,
certificate Certificate,
attributes UnauthAttributes
}
-- One entry of a CMS certificate bag. Only the untagged alternative is a
-- plain X.509 Certificate; the tagged ones are attribute certificates, the
-- obsolete extended form, or a format identified by OID. Code that walks a
-- CertificateSet has to check which alternative is present before treating
-- an entry as a certificate.
CertificateChoices ::= CHOICE {
certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
v1AttrCert [1] IMPLICIT AttributeCertificateV1, -- Obsolete
v2AttrCert [2] IMPLICIT AttributeCertificateV2,
other [3] IMPLICIT OtherCertificateFormat
}
AttributeCertificateV2 ::= AttributeCertificate
-- otherCert is an open type keyed by otherCertFormat; its content is not
-- constrained by this schema.
OtherCertificateFormat ::= SEQUENCE {
otherCertFormat OBJECT IDENTIFIER,
otherCert ANY DEFINED BY otherCertFormat
}
CertificateSet ::= SET OF CertificateChoices
-- Identifies a certificate by the name of its issuer and its serial number.
IssuerAndSerialNumber ::= SEQUENCE {
issuer Name,
serialNumber CertificateSerialNumber
}
-- Syntax version number used by the CMS structures in this file. Several
-- structures below state in comments which values they use.
CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
-- Per-signer information of a SignedData: who signed (sid), the digest and
-- signature algorithms, the signature value, and two optional attribute
-- sets. Per RFC 5652 only signedAttrs is covered by the signature;
-- unsignedAttrs can be altered without invalidating it and should not be
-- used for decisions that need integrity.
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL
}
-- Names the signer certificate either by issuer and serial number or by
-- subject key identifier.
-- NOTE(review): the [0] tag carries no IMPLICIT or EXPLICIT keyword, so its
-- encoding follows this module's tagging default, which is declared outside
-- this excerpt. The CMS module in RFC 5652 uses IMPLICIT TAGS; confirm the
-- two agree.
SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier
}
SubjectKeyIdentifier ::= OCTET STRING
--
-- asn1ate doesn't support MAX, so the set is capped at 256 attributes
-- instead of the unbounded form kept in the comment below.
--
-- SignedAttributes ::= SET SIZE (1..MAX) OF Attribute
SignedAttributes ::= SET SIZE (1..256) OF Attribute
--
-- asn1ate doesn't support MAX; same 256 element cap as SignedAttributes.
--
-- UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute
UnsignedAttributes ::= SET SIZE (1..256) OF Attribute
SignatureValue ::= OCTET STRING
-- CMS signed-data content: the digest algorithms in use, the encapsulated
-- content, optional certificates and revocation data, and one SignerInfo
-- per signer.
-- The certificates and crls fields are supplied by whoever built the
-- message. Their presence does not make them trusted; a verifier still has
-- to build and validate a path to its own trust anchors.
SignedData ::= SEQUENCE {
version CMSVersion,
digestAlgorithms DigestAlgorithmIdentifiers,
encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos
}
DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
SignerInfos ::= SET OF SignerInfo
-- The signed content and the OID naming its type. eContent is OPTIONAL, so
-- a consumer has to handle a SignedData that carries no content bytes.
EncapsulatedContentInfo ::= SEQUENCE {
eContentType ContentType,
eContent [0] EXPLICIT OCTET STRING OPTIONAL
}
-- CMS enveloped-data content: encrypted content plus, for each recipient,
-- the content-encryption key protected for that recipient.
-- Per RFC 5652 unprotectedAttrs are not encrypted, and EnvelopedData by
-- itself provides no integrity protection for the content.
EnvelopedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo,
unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL
}
-- Optional certificates and revocation data about the originator. As with
-- SignedData, these are sender-supplied and need validation before use.
OriginatorInfo ::= SEQUENCE {
certs [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL
}
--
-- asn1ate doesn't support 'MAX', so the set is capped at 256 recipients
-- instead of the unbounded form kept in the comment below.
--
-- RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
RecipientInfos ::= SET SIZE (1..256) OF RecipientInfo
-- The encrypted content, its type, and the algorithm used to encrypt it.
-- encryptedContent is OPTIONAL.
EncryptedContentInfo ::= SEQUENCE {
contentType ContentType,
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL
}
EncryptedContent ::= OCTET STRING
--
-- asn1ate doesn't support 'MAX'; same 256 element cap as above.
--
-- UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
UnprotectedAttributes ::= SET SIZE (1..256) OF Attribute
-- How the content-encryption key is delivered to one recipient: key
-- transport, key agreement, a previously shared key-encryption key, a
-- password, or another mechanism identified by OID.
-- NOTE(review): tags [1] to [4] carry no IMPLICIT or EXPLICIT keyword, so
-- their encoding follows this module's tagging default, which is declared
-- outside this excerpt. The CMS module in RFC 5652 uses IMPLICIT TAGS;
-- confirm the two agree.
RecipientInfo ::= CHOICE {
ktri KeyTransRecipientInfo,
kari [1] KeyAgreeRecipientInfo,
kekri [2] KEKRecipientInfo,
pwri [3] PasswordRecipientInfo,
ori [4] OtherRecipientInfo
}
EncryptedKey ::= OCTET STRING
-- Key transport: the content-encryption key encrypted for the recipient
-- identified by rid.
KeyTransRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0 or 2
rid RecipientIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey
}
-- Same two alternatives as SignerIdentifier; the tagging note on
-- RecipientInfo applies to [0] here as well.
RecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier
}
-- Key agreement: identifies the originator (by certificate reference or by
-- a bare public key), optional user keying material, and one encrypted key
-- per recipient.
KeyAgreeRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 3
originator [0] EXPLICIT OriginatorIdentifierOrKey,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
recipientEncryptedKeys RecipientEncryptedKeys
}
-- NOTE(review): tags [0] and [1] carry no IMPLICIT or EXPLICIT keyword;
-- their encoding follows the module tagging default declared outside this
-- excerpt. Confirm against the IMPLICIT TAGS default of RFC 5652.
-- The originatorKey alternative carries a raw public key with no
-- certificate; nothing in this structure binds that key to an identity.
OriginatorIdentifierOrKey ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier,
originatorKey [1] OriginatorPublicKey
}
OriginatorPublicKey ::= SEQUENCE {
algorithm AlgorithmIdentifier,
publicKey BIT STRING
}
RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
-- One recipient of a key agreement: who it is and the key encrypted for it.
RecipientEncryptedKey ::= SEQUENCE {
rid KeyAgreeRecipientIdentifier,
encryptedKey EncryptedKey
}
KeyAgreeRecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
rKeyId [0] IMPLICIT RecipientKeyIdentifier
}
-- Recipient key named by subject key identifier, with an optional date and
-- an optional extra attribute.
RecipientKeyIdentifier ::= SEQUENCE {
subjectKeyIdentifier SubjectKeyIdentifier,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL
}
-- Delivery of the content-encryption key under a key-encryption key that
-- both sides already share; kekid names which key.
KEKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 4
kekid KEKIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey
}
KEKIdentifier ::= SEQUENCE {
keyIdentifier OCTET STRING,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL
}
-- Delivery of the content-encryption key under a key derived from a
-- password. keyDerivationAlgorithm is OPTIONAL, so a consumer has to handle
-- its absence explicitly.
-- NOTE(review): the [0] tag carries no IMPLICIT or EXPLICIT keyword; its
-- encoding follows the module tagging default declared outside this
-- excerpt. Confirm against the IMPLICIT TAGS default of RFC 5652.
PasswordRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0
keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
OPTIONAL,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey
}
-- Recipient information in a format identified by oriType; oriValue is an
-- open type that this schema does not constrain.
OtherRecipientInfo ::= SEQUENCE {
oriType OBJECT IDENTIFIER,
oriValue ANY DEFINED BY oriType
}
UserKeyingMaterial ::= OCTET STRING
-- Extra key attribute identified by OID; keyAttr is an optional open type.
OtherKeyAttribute ::= SEQUENCE {
keyAttrId OBJECT IDENTIFIER,
keyAttr ANY DEFINED BY keyAttrId OPTIONAL
}
MessageDigest ::= OCTET STRING
-- CMS content type and attribute OIDs. The dotted forms in the comments are
-- read off the arcs written in each definition.
-- 1.2.840.113549.1.7.1
id-data OBJECT IDENTIFIER ::= {
iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1
}
-- 1.2.840.113549.1.7.2
id-signedData OBJECT IDENTIFIER ::= {
iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2
}
-- 1.2.840.113549.1.7.3
id-envelopedData OBJECT IDENTIFIER ::= {
iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3
}
-- 1.2.840.113549.1.9.3
id-contentType OBJECT IDENTIFIER ::= {
iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3
}
-- 1.2.840.113549.1.9.4
id-messageDigest OBJECT IDENTIFIER ::= {
iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4
}
--
-- asn1ate doesn't support MAX, so the set is capped at 256 attributes
-- instead of the unbounded form kept in the comment below.
--
-- UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
UnauthAttributes ::= SET SIZE (1..256) OF Attribute
-- The five aliases below are all plain AlgorithmIdentifier. The distinct
-- names document the role of a field only; the schema does not restrict
-- which algorithm OID may appear in which role, so any allow-list has to be
-- applied by the code that consumes the decoded value.
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
Signature ::= BIT STRING
-- Other PK-INIT definitions
-- 1.2.840.113549.1.1.11. The last two arcs are written with the placeholder
-- name "label-less"; only the numbers matter for the encoded value.
id-pkcs1-sha256WithRSAEncryption OBJECT IDENTIFIER ::= {
iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1)
label-less(1) label-less(11)
}
-- Going by the name, the user principal name carried in a certificate
-- subject alternative name. The type is an unconstrained UTF8String, so any
-- format or length check is left to the consumer. TODO confirm usage.
MS-UPN-SAN ::= UTF8String
-- NOTE(review): presumably the CBC initialisation vector carried as
-- algorithm parameters; no size constraint is declared here. Confirm.
CMSCBCParameter ::= OCTET STRING
-- (from MS-WCCE)
-- 1.3.6.1.4.1.311.25.2
-- NOTE(review): going by the names, this is the certificate extension that
-- carries the account object SID, and the OID below it identifies the SID
-- value inside that extension. Confirm against MS-WCCE before relying on
-- this description.
szOID-NTDS-CA-SECURITY-EXT OBJECT IDENTIFIER ::= {
iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
microsoft(311) directory-service(25) 2
}
-- 1.3.6.1.4.1.311.25.2.1
szOID-NTDS-OBJECTSID OBJECT IDENTIFIER ::= {
iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
microsoft(311) directory-service(25) 2 1
}
-- (from RFC 8017)
-- 1.2.840.113549.1.1.1
rsaEncryption OBJECT IDENTIFIER ::= {
iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1
}
-- 2.16.840.1.101.3.4.2.3
id-sha512 OBJECT IDENTIFIER ::= {
joint-iso-itu-t (2) country (16) us (840) organization (1)
gov (101) csor (3) nistalgorithm (4) hashalgs (2) 3
}
-- (from RFC 8018)
-- 2.16.840.1.101.3.4
nistAlgorithms OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) country(16)
us(840) organization(1)
gov(101) csor(3) 4}
-- 2.16.840.1.101.3.4.1
aes OBJECT IDENTIFIER ::= { nistAlgorithms 1 }
-- 2.16.840.1.101.3.4.1.42
aes256-CBC-PAD OBJECT IDENTIFIER ::= { aes 42 }
-- 1.2.840.113549
rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 113549}
-- 1.2.840.113549.3
encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}
-- 1.2.840.113549.3.7 (triple DES in CBC mode, a legacy cipher)
des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}
-- Windows 2000 PK-INIT definitions
-- Authenticator of the Windows 2000 variant of PKINIT: the KDC name and
-- realm, a client time (ctime with microseconds in cusec) and a nonce.
-- cusec is constrained to the unsigned 32 bit range and nonce to the signed
-- 32 bit range.
PKAuthenticator-Win2k ::= SEQUENCE {
kdcName [0] PrincipalName,
kdcRealm [1] Realm,
cusec [2] INTEGER (0..4294967295),
ctime [3] KerberosTime,
nonce [4] INTEGER (-2147483648..2147483647)
}
AuthPack-Win2k ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator-Win2k
}
-- Tags start at [1]; caName is ANY and so is not decoded by this schema.
TrustedCA-Win2k ::= CHOICE {
caName [1] ANY,
issuerAndSerial [2] IssuerAndSerialNumber
}
-- Request padata of the Windows 2000 variant. signedAuthPack, kdcCert and
-- encryptionCert are opaque OCTET STRINGs at this level, so whatever they
-- contain is decoded and validated in a separate step (presumably CMS
-- SignedData around AuthPack-Win2k for signedAuthPack; confirm). Tag [1] is
-- not used and the trailing ... allows further fields.
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
signedAuthPack [0] IMPLICIT OCTET STRING,
trustedCertifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
kdcCert [3] IMPLICIT OCTET STRING OPTIONAL,
encryptionCert [4] IMPLICIT OCTET STRING OPTIONAL,
...
}
-- Reply padata: both alternatives are opaque OCTET STRINGs here.
PA-PK-AS-REP-Win2k ::= CHOICE {
dhSignedData [0] IMPLICIT OCTET STRING,
encKeyPack [1] IMPLICIT OCTET STRING
}
-- Carries the reply key itself together with a nonce. Decoded values of
-- this type contain key material and should be kept out of logs.
ReplyKeyPack-Win2k ::= SEQUENCE {
replyKey [0] EncryptionKey,
nonce [1] INTEGER (-2147483648..2147483647),
...
}
--
-- 1.3.6.1.4.1.311.20.2.3
id-pkinit-ms-san OBJECT IDENTIFIER ::= {
iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
microsoft(311) 20 2 3
}
-- Arc 5 under id-pkinit, which is defined outside this excerpt.
kdc-authentication OBJECT IDENTIFIER ::= { id-pkinit keyPurposeKdc(5) }
-- 1.3.6.1.4.1.311.20.2.2
smartcard-logon OBJECT IDENTIFIER ::= {
iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
microsoft(311) 20 2 2
}
-- Unlike the other attribute sets in this file, this one has no SIZE
-- constraint.
CMSAttributes ::= SET OF Attribute
--
--
-- MS-KILE Start
-- Typed error payload. Tags start at [1], not [0], and data-value is
-- OPTIONAL.
KERB-ERROR-DATA ::= SEQUENCE {
data-type [1] KerbErrorDataType,
data-value [2] OCTET STRING OPTIONAL
}
KerbErrorDataType ::= INTEGER
-- Client request to include or leave out the PAC. The flag is set by the
-- requester, so a service that authorises from the PAC has to decide what
-- to do with a ticket that carries none.
KERB-PA-PAC-REQUEST ::= SEQUENCE {
include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC.
--If FALSE, and PAC present, remove PAC
}
KERB-LOCAL ::= OCTET STRING -- Implementation-specific data which MUST be
-- ignored if Kerberos client is not local.
-- The restriction field is an opaque OCTET STRING at this level; the
-- structure named in the comment is parsed separately.
KERB-AD-RESTRICTION-ENTRY ::= SEQUENCE {
restriction-type [0] Int32,
restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
}
PA-SUPPORTED-ENCTYPES ::= Int32 -- Supported Encryption Types Bit Field --
PACOptionFlags ::= KerberosFlags -- Claims (0)
-- Branch Aware (1)
-- Forward to Full DC (2)
-- Resource Based Constrained Delegation (3)
PA-PAC-OPTIONS ::= SEQUENCE {
options [0] PACOptionFlags
}
-- Note: KerberosFlags ::= BIT STRING (SIZE (32..MAX))
-- minimum number of bits shall be sent, but no fewer than 32
-- Key list request and reply. The reply is a sequence of EncryptionKey
-- values, so decoded replies contain key material and should be kept out of
-- logs and test output that leaves the test host.
KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type --
KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey
-- FAST (RFC 6113) structures.
-- Named option bits; only bits 0, 1 and 16 are named here.
FastOptions ::= BIT STRING {
reserved(0),
hide-client-names(1),
kdc-follow-referrals(16)
}
-- The inner request that travels encrypted inside KrbFastArmoredReq: the
-- options, the padata, and a complete KDC-REQ-BODY.
KrbFastReq ::= SEQUENCE {
fast-options [0] FastOptions,
padata [1] SEQUENCE OF PA-DATA,
req-body [2] KDC-REQ-BODY,
...
}
-- Identifies the armor in use. armor-value is opaque at this level and its
-- meaning depends on armor-type.
KrbFastArmor ::= SEQUENCE {
armor-type [0] Int32,
armor-value [1] OCTET STRING,
...
}
-- Armored request: optional armor, a checksum, and the encrypted
-- KrbFastReq. armor is OPTIONAL, so a consumer has to handle its absence.
KrbFastArmoredReq ::= SEQUENCE {
armor [0] KrbFastArmor OPTIONAL,
req-checksum [1] Checksum,
enc-fast-req [2] EncryptedData -- KrbFastReq --
}
PA-FX-FAST-REQUEST ::= CHOICE {
armored-data [0] KrbFastArmoredReq,
...
}
-- Final part of a FAST reply: a timestamp, the client realm and name, and a
-- checksum named for the ticket.
KrbFastFinished ::= SEQUENCE {
timestamp [0] KerberosTime,
usec [1] Int32,
crealm [2] Realm,
cname [3] PrincipalName,
ticket-checksum [4] Checksum,
...
}
-- The inner reply that travels encrypted inside KrbFastArmoredRep. The
-- field comments below state when strengthen-key and finished must be
-- present; the schema marks both OPTIONAL, so those rules have to be
-- checked by the code that consumes the decoded reply.
KrbFastResponse ::= SEQUENCE {
padata [0] SEQUENCE OF PA-DATA,
-- padata typed holes.
strengthen-key [1] EncryptionKey OPTIONAL,
-- This, if present, strengthens the reply key for AS and
-- TGS. MUST be present for TGS.
-- MUST be absent in KRB-ERROR.
finished [2] KrbFastFinished OPTIONAL,
-- Present in AS or TGS reply; absent otherwise.
nonce [3] UInt32,
-- Nonce from the client request.
...
}
KrbFastArmoredRep ::= SEQUENCE {
enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
...
}
PA-FX-FAST-REPLY ::= CHOICE {
armored-data [0] KrbFastArmoredRep,
...
}
-- Password change payload: the new password plus an optional target
-- principal name and realm.
-- Going by the field name, newpasswd holds the password bytes themselves,
-- so decoded values of this type are secrets: keep them out of logs and
-- pretty-printed test output.
ChangePasswdDataMS ::= SEQUENCE {
newpasswd [0] OCTET STRING,
targname [1] PrincipalName OPTIONAL,
targrealm [2] Realm OPTIONAL
}
-- MS-KILE End
--
--
--
--
-- prettyPrint values
--
--
-- Named numbers for the Int32 principal name type. This sits under the
-- "prettyPrint values" heading, so it presumably exists to turn numeric
-- values into readable names in test output (confirm against the Python
-- users of this module).
-- The name type is a hint supplied with the name; three Microsoft values
-- are negative.
NameTypeValues ::= INTEGER { -- Int32
kRB5-NT-UNKNOWN(0), -- Name type not known
kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in DCE, or for users
kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt)
kRB5-NT-SRV-HST(3), -- Service with host name as instance
kRB5-NT-SRV-XHST(4), -- Service with host as remaining components
kRB5-NT-UID(5), -- Unique ID
kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
kRB5-NT-WELLKNOWN(11), -- Wellknown
kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
}
-- Wrapper with a single field named dummy around the table above.
NameTypeSequence ::= SEQUENCE {
dummy [0] NameTypeValues
}
-- Named bits for ticket flags. Bit 14 has no name in this table, so a
-- ticket with that bit set will not show a name for it when printed.
TicketFlagsValues ::= BIT STRING { -- KerberosFlags
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
may-postdate(5),
postdated(6),
invalid(7),
renewable(8),
initial(9),
pre-authent(10),
hw-authent(11),
-- the following are new since 1510
transited-policy-checked(12),
ok-as-delegate(13),
enc-pa-rep(15)
}
-- Wrapper with a single field named dummy around the table above.
TicketFlagsSequence ::= SEQUENCE {
dummy [0] TicketFlagsValues
}
-- Named bits for the options a client sets in a KDC request. Bits 16 to 25
-- and bit 29 have no name in this table.
KDCOptionsValues ::= BIT STRING { -- KerberosFlags
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
allow-postdate(5),
postdated(6),
unused7(7),
renewable(8),
unused9(9),
unused10(10),
opt-hardware-auth(11),
unused12(12),
unused13(13),
cname-in-addl-tkt(14),
-- Canonicalize is used by RFC 6806
canonicalize(15),
-- 26 was unused in 1510
disable-transited-check(26),
--
renewable-ok(27),
enc-tkt-in-skey(28),
renew(30),
validate(31)
}
-- Wrapper with a single field named dummy around the table above.
KDCOptionsSequence ::= SEQUENCE {
dummy [0] KDCOptionsValues
}
-- Named bits for the options of an application request; three are named.
APOptionsValues ::= BIT STRING { -- KerberosFlags
reserved(0),
use-session-key(1),
mutual-required(2)
}
-- Wrapper with a single field named dummy around the table above.
APOptionsSequence ::= SEQUENCE {
dummy [0] APOptionsValues
}
-- Named numbers for the Kerberos message type field.
MessageTypeValues ::= INTEGER {
krb-as-req(10), -- Request for initial authentication
krb-as-rep(11), -- Response to KRB_AS_REQ request
krb-tgs-req(12), -- Request for authentication based on TGT
krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
krb-ap-req(14), -- application request to server
krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
krb-safe(20), -- Safe (checksummed) application message
krb-priv(21), -- Private (encrypted) application message
krb-cred(22), -- Private (encrypted) message to forward credentials
krb-error(30) -- Error response
}
-- Wrapper with a single field named dummy around the table above.
MessageTypeSequence ::= SEQUENCE {
dummy [0] MessageTypeValues
}
-- Named numbers for pre-authentication data types. Where several names
-- share one number, only one is active and the others are kept as comments,
-- since a number can carry a single name in this table.
-- The entries are not in strict numeric order (25 is listed before 24).
PADataTypeValues ::= INTEGER {
kRB5-PADATA-NONE(0),
-- kRB5-PADATA-TGS-REQ(1),
-- kRB5-PADATA-AP-REQ(1),
kRB5-PADATA-KDC-REQ(1),
kRB5-PADATA-ENC-TIMESTAMP(2),
kRB5-PADATA-PW-SALT(3),
kRB5-PADATA-ENC-UNIX-TIME(5),
kRB5-PADATA-SANDIA-SECUREID(6),
kRB5-PADATA-SESAME(7),
kRB5-PADATA-OSF-DCE(8),
kRB5-PADATA-CYBERSAFE-SECUREID(9),
kRB5-PADATA-AFS3-SALT(10),
kRB5-PADATA-ETYPE-INFO(11),
kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
-- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number)
kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
kRB5-PADATA-ETYPE-INFO2(19),
-- kRB5-PADATA-USE-SPECIFIED-KVNO(20),
kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
kRB5-PADATA-GET-FROM-TYPED-DATA(22),
kRB5-PADATA-SAM-ETYPE-INFO(23),
kRB5-PADATA-SERVER-REFERRAL(25),
kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
kRB5-PADATA-FOR-USER(129), -- MS-KILE
kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
-- kRB5-PADATA-PK-AS-09-BINDING(132), - client send this to
-- tell KDC that is supports
-- the asCheckSum in the
-- PK-AS-REP
kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
-- NOTE(review): "kBB5" on the next line looks like a typo for "kRB5". The
-- spelling is part of the identifier, so correct it together with any code
-- that refers to the name.
kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
kRB5-PADATA-EPAK-AS-REQ(145),
kRB5-PADATA-EPAK-AS-REP(146),
kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
kRB5-PADATA-REQ-ENC-PA-REP(149), --
kRB5-PADATA-AS-FRESHNESS(150), -- RFC 8070
kRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
kRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE
kRB5-PADATA-GSS(655) -- gss-preauth
}
-- Wrapper with a single field named dummy around the table above.
PADataTypeSequence ::= SEQUENCE {
dummy [0] PADataTypeValues
}
-- Named numbers for authorization data types. The container types (1 to 9)
-- come first, followed by vendor and implementation specific values; 128 is
-- the number under which the PAC is carried.
AuthDataTypeValues ::= INTEGER {
kRB5-AUTHDATA-IF-RELEVANT(1),
kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
kRB5-AUTHDATA-KDC-ISSUED(4),
kRB5-AUTHDATA-AND-OR(5),
kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
kRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
kRB5-AUTHDATA-OSF-DCE(64),
kRB5-AUTHDATA-SESAME(65),
kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
kRB5-AUTHDATA-WIN2K-PAC(128),
kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
kRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
kRB5-AUTHDATA-SIGNTICKET-OLD(142),
kRB5-AUTHDATA-SIGNTICKET(512)
}
-- Wrapper with a single field named dummy around the table above.
AuthDataTypeSequence ::= SEQUENCE {
dummy [0] AuthDataTypeValues
}
-- Named numbers for checksum types. The table includes unkeyed and DES-era
-- types (CRC32, MD4, MD5, DES MAC) so that they can be recognised and
-- printed; being named here says nothing about whether a KDC or service
-- should accept them.
-- NOTE(review): no name is given for types 19 and 20, the checksum numbers
-- that RFC 8009 assigns to the AES-SHA2 types; add them if tests need them
-- printed.
ChecksumTypeValues ::= INTEGER {
kRB5-CKSUMTYPE-NONE(0),
kRB5-CKSUMTYPE-CRC32(1),
kRB5-CKSUMTYPE-RSA-MD4(2),
kRB5-CKSUMTYPE-RSA-MD4-DES(3),
kRB5-CKSUMTYPE-DES-MAC(4),
kRB5-CKSUMTYPE-DES-MAC-K(5),
kRB5-CKSUMTYPE-RSA-MD4-DES-K(6),
kRB5-CKSUMTYPE-RSA-MD5(7),
kRB5-CKSUMTYPE-RSA-MD5-DES(8),
kRB5-CKSUMTYPE-RSA-MD5-DES3(9),
kRB5-CKSUMTYPE-SHA1-OTHER(10),
kRB5-CKSUMTYPE-HMAC-SHA1-DES3(12),
kRB5-CKSUMTYPE-SHA1(14),
kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128(15),
kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256(16),
kRB5-CKSUMTYPE-GSSAPI(32771), -- 0x8003
kRB5-CKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number
kRB5-CKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
}
-- Wrapper with a single field named dummy around the table above.
ChecksumTypeSequence ::= SEQUENCE {
dummy [0] ChecksumTypeValues
}
-- Named numbers for Kerberos encryption types.
-- Many entries are legacy types listed so they can be recognised and
-- printed: the single-DES types (1, 2, 3) and ARCFOUR-HMAC-MD5-56 (24) are
-- deprecated by RFC 6649, and DES3-CBC-SHA1 (16) and ARCFOUR-HMAC-MD5 (23)
-- by RFC 8429. Being named here does not mean a KDC should issue or accept
-- the type.
-- NOTE(review): the AES-SHA2 types of RFC 8009 (19 and 20) have no name in
-- this table; add them if tests need them printed.
EncryptionTypeValues ::= INTEGER {
kRB5-ENCTYPE-NULL(0),
kRB5-ENCTYPE-DES-CBC-CRC(1),
kRB5-ENCTYPE-DES-CBC-MD4(2),
kRB5-ENCTYPE-DES-CBC-MD5(3),
kRB5-ENCTYPE-DES3-CBC-MD5(5),
kRB5-ENCTYPE-OLD-DES3-CBC-SHA1(7),
kRB5-ENCTYPE-SIGN-DSA-GENERATE(8),
kRB5-ENCTYPE-ENCRYPT-RSA-PRIV(9),
kRB5-ENCTYPE-ENCRYPT-RSA-PUB(10),
kRB5-ENCTYPE-DES3-CBC-SHA1(16), -- with key derivation
kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96(17),
kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96(18),
kRB5-ENCTYPE-ARCFOUR-HMAC-MD5(23),
kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56(24),
kRB5-ENCTYPE-ENCTYPE-PK-CROSS(48),
-- some "old" windows types
kRB5-ENCTYPE-ARCFOUR-MD4(-128),
kRB5-ENCTYPE-ARCFOUR-HMAC-OLD(-133),
kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
-- these are for Heimdal internal use
-- kRB5-ENCTYPE-DES-CBC-NONE(-0x1000),
-- kRB5-ENCTYPE-DES3-CBC-NONE(-0x1001),
-- kRB5-ENCTYPE-DES-CFB64-NONE(-0x1002),
-- kRB5-ENCTYPE-DES-PCBC-NONE(-0x1003),
-- kRB5-ENCTYPE-DIGEST-MD5-NONE(-0x1004), - private use, lukeh@padl.com
-- kRB5-ENCTYPE-CRAM-MD5-NONE(-0x1005) - private use, lukeh@padl.com
kRB5-ENCTYPE-DUMMY(-1111)
}
-- Wrapper with a single field named dummy around the table above.
EncryptionTypeSequence ::= SEQUENCE {
dummy [0] EncryptionTypeValues
}
-- Named numbers for the data-type field of KERB-ERROR-DATA; two values are
-- named.
KerbErrorDataTypeValues ::= INTEGER {
kERB-AP-ERR-TYPE-SKEW-RECOVERY(2),
kERB-ERR-TYPE-EXTENDED(3)
}
-- Wrapper with a single field named dummy around the table above.
KerbErrorDataTypeSequence ::= SEQUENCE {
dummy [0] KerbErrorDataTypeValues
}
-- Named bits for PACOptionFlags; the names match the bit list given in the
-- comment on the PACOptionFlags type earlier in this file.
PACOptionFlagsValues ::= BIT STRING { -- KerberosFlags
claims(0),
branch-aware(1),
forward-to-full-dc(2),
resource-based-constrained-delegation(3)
}
-- Wrapper with a single field named dummy around the table above.
PACOptionFlagsSequence ::= SEQUENCE {
dummy [0] PACOptionFlagsValues
}
END