directory-commits mailing list archives

Site index · List index

Message view	« Date » · « Thread »
Top	« Date » · « Thread »
From	conflue...@apache.org
Subject	[CONF] Apache Directory ASN.1 Documentation > Kerberos
Date	Fri, 07 May 2010 17:17:00 GMT
<html> <head> <base href="http://cwiki.apache.org/confluence"> <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=DIRxASN1&forWysiwyg=true" type="text/css"> </head> <body style="background: white;" bgcolor="white" class="email-body"> <div id="pageContent"> <div id="notificationFormat"> <div class="wiki-content"> <div class="email"> <h2><a href="http://cwiki.apache.org/confluence/display/DIRxASN1/Kerberos">Kerberos</a></h2> <h4>Page <b>edited</b> by <a href="http://cwiki.apache.org/confluence/display/~elecharny">Emmanuel Lécharny</a> </h4> <br/> <h4>Changes (10)</h4> <div id="page-diffs"> <table class="diff" cellpadding="0" cellspacing="0"> <tr><td class="diff-added-lines" style="background-color: #dfd;">{noformat} <br></td></tr> <tr><td class="diff-unchanged" >KerberosV5Spec2 { <br> iso(1) identified-organization(3) dod(6) internet(1) <br></td></tr> <tr><td class="diff-snipped" >...<br></td></tr> <tr><td class="diff-unchanged" >-- should not be empty. <br>HostAddresses -- NOTE: subtly different from rfc1510, <br></td></tr> <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"> <br> <br> <br>Neuman, et al. Standards Track [Page 123] <br> <br>RFC 4120 Kerberos V5 July 2005 <br> <br> <br></td></tr> <tr><td class="diff-unchanged" > -- but has a value mapping and encodes the same <br> ::= SEQUENCE OF HostAddress <br></td></tr> <tr><td class="diff-snipped" >...<br></td></tr> <tr><td class="diff-unchanged" > key [1] EncryptionKey, <br> crealm [2] Realm, <br></td></tr> <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"> <br> <br> <br>Neuman, et al. Standards Track [Page 124] <br> <br>RFC 4120 Kerberos V5 July 2005 <br> <br> <br></td></tr> <tr><td class="diff-unchanged" > cname [3] PrincipalName, <br> transited [4] TransitedEncoding, <br></td></tr> <tr><td class="diff-snipped" >...<br></td></tr> <tr><td class="diff-unchanged" >KDC-REQ-BODY ::= SEQUENCE { <br> kdc-options [0] KDCOptions, <br></td></tr> <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"> <br> <br> <br>Neuman, et al. Standards Track [Page 125] <br> <br>RFC 4120 Kerberos V5 July 2005 <br> <br> <br></td></tr> <tr><td class="diff-unchanged" > cname [1] PrincipalName OPTIONAL <br> -- Used only in AS-REQ --, <br></td></tr> <tr><td class="diff-snipped" >...<br></td></tr> <tr><td class="diff-unchanged" >TGS-REP ::= [APPLICATION 13] KDC-REP <br> <br></td></tr> <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"> <br> <br> <br>Neuman, et al. Standards Track [Page 126] <br> <br>RFC 4120 Kerberos V5 July 2005 <br> <br> <br></td></tr> <tr><td class="diff-unchanged" >KDC-REP ::= SEQUENCE { <br> pvno [0] INTEGER (5), <br></td></tr> <tr><td class="diff-snipped" >...<br></td></tr> <tr><td class="diff-unchanged" > -- reserved(0), <br> -- use-session-key(1), <br></td></tr> <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"> <br> <br> <br>Neuman, et al. Standards Track [Page 127] <br> <br>RFC 4120 Kerberos V5 July 2005 <br> <br> <br></td></tr> <tr><td class="diff-unchanged" > -- mutual-required(2) <br> <br></td></tr> <tr><td class="diff-snipped" >...<br></td></tr> <tr><td class="diff-unchanged" > msg-type [1] INTEGER (21), <br> -- NOTE: there is no [2] tag <br></td></tr> <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"> <br> <br> <br>Neuman, et al. Standards Track [Page 128] <br> <br>RFC 4120 Kerberos V5 July 2005 <br> <br> <br></td></tr> <tr><td class="diff-unchanged" > enc-part [3] EncryptedData -- EncKrbPrivPart <br>} <br></td></tr> <tr><td class="diff-snipped" >...<br></td></tr> <tr><td class="diff-unchanged" > cusec [3] Microseconds OPTIONAL, <br> stime [4] KerberosTime, <br></td></tr> <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"> <br> <br> <br>Neuman, et al. Standards Track [Page 129] <br> <br>RFC 4120 Kerberos V5 July 2005 <br> <br> <br></td></tr> <tr><td class="diff-unchanged" > susec [5] Microseconds, <br> error-code [6] Int32, <br></td></tr> <tr><td class="diff-snipped" >...<br></td></tr> <tr><td class="diff-unchanged" > i-sname [2] PrincipalName OPTIONAL, <br> elements [3] AuthorizationData <br></td></tr> <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;"> <br> <br> <br>Neuman, et al. Standards Track [Page 130] <br> <br>RFC 4120 Kerberos V5 July 2005 <br> <br> <br></td></tr> <tr><td class="diff-unchanged" >} <br> <br></td></tr> <tr><td class="diff-snipped" >...<br></td></tr> <tr><td class="diff-unchanged" > <br>END <br></td></tr> <tr><td class="diff-added-lines" style="background-color: #dfd;">{noformat} <br></td></tr> </table> </div> <h4>Full Content</h4> <div class="notificationGreySide"> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>KerberosV5Spec2 { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) modules(4) krb5spec2(2) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- OID arc for KerberosV5 -- -- This OID may be used to identify Kerberos protocol messages -- encapsulated in other protocols. -- -- This OID also designates the OID arc for KerberosV5-related OIDs. -- -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. id-krb5 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) } Int32 ::= INTEGER (-2147483648..2147483647) -- signed values representable in 32 bits UInt32 ::= INTEGER (0..4294967295) -- unsigned 32 bit values Microseconds ::= INTEGER (0..999999) -- microseconds KerberosString ::= GeneralString (IA5String) Realm ::= KerberosString PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString } KerberosTime ::= GeneralizedTime -- with no fractional seconds HostAddress ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING } -- NOTE: HostAddresses is always used as an OPTIONAL field and -- should not be empty. HostAddresses -- NOTE: subtly different from rfc1510, -- but has a value mapping and encodes the same ::= SEQUENCE OF HostAddress -- NOTE: AuthorizationData is always used as an OPTIONAL field and -- should not be empty. AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING } PA-DATA ::= SEQUENCE { -- NOTE: first tag is [1], not [0] padata-type [1] Int32, padata-value [2] OCTET STRING -- might be encoded AP-REQ } KerberosFlags ::= BIT STRING (SIZE (32..MAX)) -- minimum number of bits shall be sent, -- but no fewer than 32 EncryptedData ::= SEQUENCE { etype [0] Int32 -- EncryptionType --, kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } EncryptionKey ::= SEQUENCE { keytype [0] Int32 -- actually encryption type --, keyvalue [1] OCTET STRING } Checksum ::= SEQUENCE { cksumtype [0] Int32, checksum [1] OCTET STRING } Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0] INTEGER (5), realm [1] Realm, sname [2] PrincipalName, enc-part [3] EncryptedData -- EncTicketPart } -- Encrypted part of ticket EncTicketPart ::= [APPLICATION 3] SEQUENCE { flags [0] TicketFlags, key [1] EncryptionKey, crealm [2] Realm, cname [3] PrincipalName, transited [4] TransitedEncoding, authtime [5] KerberosTime, starttime [6] KerberosTime OPTIONAL, endtime [7] KerberosTime, renew-till [8] KerberosTime OPTIONAL, caddr [9] HostAddresses OPTIONAL, authorization-data [10] AuthorizationData OPTIONAL } -- encoded Transited field TransitedEncoding ::= SEQUENCE { tr-type [0] Int32 -- must be registered --, contents [1] OCTET STRING } TicketFlags ::= KerberosFlags -- reserved(0), -- forwardable(1), -- forwarded(2), -- proxiable(3), -- proxy(4), -- may-postdate(5), -- postdated(6), -- invalid(7), -- renewable(8), -- initial(9), -- pre-authent(10), -- hw-authent(11), -- the following are new since 1510 -- transited-policy-checked(12), -- ok-as-delegate(13) AS-REQ ::= [APPLICATION 10] KDC-REQ TGS-REQ ::= [APPLICATION 12] KDC-REQ KDC-REQ ::= SEQUENCE { -- NOTE: first tag is [1], not [0] pvno [1] INTEGER (5) , msg-type [2] INTEGER (10 -- AS -- \| 12 -- TGS --), padata [3] SEQUENCE OF PA-DATA OPTIONAL -- NOTE: not empty --, req-body [4] KDC-REQ-BODY } KDC-REQ-BODY ::= SEQUENCE { kdc-options [0] KDCOptions, cname [1] PrincipalName OPTIONAL -- Used only in AS-REQ --, realm [2] Realm -- Server's realm -- Also client's in AS-REQ --, sname [3] PrincipalName OPTIONAL, from [4] KerberosTime OPTIONAL, till [5] KerberosTime, rtime [6] KerberosTime OPTIONAL, nonce [7] UInt32, etype [8] SEQUENCE OF Int32 -- EncryptionType -- in preference order --, addresses [9] HostAddresses OPTIONAL, enc-authorization-data [10] EncryptedData OPTIONAL -- AuthorizationData --, additional-tickets [11] SEQUENCE OF Ticket OPTIONAL -- NOTE: not empty } KDCOptions ::= KerberosFlags -- reserved(0), -- forwardable(1), -- forwarded(2), -- proxiable(3), -- proxy(4), -- allow-postdate(5), -- postdated(6), -- unused7(7), -- renewable(8), -- unused9(9), -- unused10(10), -- opt-hardware-auth(11), -- unused12(12), -- unused13(13), -- 15 is reserved for canonicalize -- unused15(15), -- 26 was unused in 1510 -- disable-transited-check(26), -- -- renewable-ok(27), -- enc-tkt-in-skey(28), -- renew(30), -- validate(31) AS-REP ::= [APPLICATION 11] KDC-REP TGS-REP ::= [APPLICATION 13] KDC-REP KDC-REP ::= SEQUENCE { pvno [0] INTEGER (5), msg-type [1] INTEGER (11 -- AS -- \| 13 -- TGS --), padata [2] SEQUENCE OF PA-DATA OPTIONAL -- NOTE: not empty --, crealm [3] Realm, cname [4] PrincipalName, ticket [5] Ticket, enc-part [6] EncryptedData -- EncASRepPart or EncTGSRepPart, -- as appropriate } EncASRepPart ::= [APPLICATION 25] EncKDCRepPart EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart EncKDCRepPart ::= SEQUENCE { key [0] EncryptionKey, last-req [1] LastReq, nonce [2] UInt32, key-expiration [3] KerberosTime OPTIONAL, flags [4] TicketFlags, authtime [5] KerberosTime, starttime [6] KerberosTime OPTIONAL, endtime [7] KerberosTime, renew-till [8] KerberosTime OPTIONAL, srealm [9] Realm, sname [10] PrincipalName, caddr [11] HostAddresses OPTIONAL } LastReq ::= SEQUENCE OF SEQUENCE { lr-type [0] Int32, lr-value [1] KerberosTime } AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno [0] INTEGER (5), msg-type [1] INTEGER (14), ap-options [2] APOptions, ticket [3] Ticket, authenticator [4] EncryptedData -- Authenticator } APOptions ::= KerberosFlags -- reserved(0), -- use-session-key(1), -- mutual-required(2) -- Unencrypted authenticator Authenticator ::= [APPLICATION 2] SEQUENCE { authenticator-vno [0] INTEGER (5), crealm [1] Realm, cname [2] PrincipalName, cksum [3] Checksum OPTIONAL, cusec [4] Microseconds, ctime [5] KerberosTime, subkey [6] EncryptionKey OPTIONAL, seq-number [7] UInt32 OPTIONAL, authorization-data [8] AuthorizationData OPTIONAL } AP-REP ::= [APPLICATION 15] SEQUENCE { pvno [0] INTEGER (5), msg-type [1] INTEGER (15), enc-part [2] EncryptedData -- EncAPRepPart } EncAPRepPart ::= [APPLICATION 27] SEQUENCE { ctime [0] KerberosTime, cusec [1] Microseconds, subkey [2] EncryptionKey OPTIONAL, seq-number [3] UInt32 OPTIONAL } KRB-SAFE ::= [APPLICATION 20] SEQUENCE { pvno [0] INTEGER (5), msg-type [1] INTEGER (20), safe-body [2] KRB-SAFE-BODY, cksum [3] Checksum } KRB-SAFE-BODY ::= SEQUENCE { user-data [0] OCTET STRING, timestamp [1] KerberosTime OPTIONAL, usec [2] Microseconds OPTIONAL, seq-number [3] UInt32 OPTIONAL, s-address [4] HostAddress, r-address [5] HostAddress OPTIONAL } KRB-PRIV ::= [APPLICATION 21] SEQUENCE { pvno [0] INTEGER (5), msg-type [1] INTEGER (21), -- NOTE: there is no [2] tag enc-part [3] EncryptedData -- EncKrbPrivPart } EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { user-data [0] OCTET STRING, timestamp [1] KerberosTime OPTIONAL, usec [2] Microseconds OPTIONAL, seq-number [3] UInt32 OPTIONAL, s-address [4] HostAddress -- sender's addr --, r-address [5] HostAddress OPTIONAL -- recip's addr } KRB-CRED ::= [APPLICATION 22] SEQUENCE { pvno [0] INTEGER (5), msg-type [1] INTEGER (22), tickets [2] SEQUENCE OF Ticket, enc-part [3] EncryptedData -- EncKrbCredPart } EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { ticket-info [0] SEQUENCE OF KrbCredInfo, nonce [1] UInt32 OPTIONAL, timestamp [2] KerberosTime OPTIONAL, usec [3] Microseconds OPTIONAL, s-address [4] HostAddress OPTIONAL, r-address [5] HostAddress OPTIONAL } KrbCredInfo ::= SEQUENCE { key [0] EncryptionKey, prealm [1] Realm OPTIONAL, pname [2] PrincipalName OPTIONAL, flags [3] TicketFlags OPTIONAL, authtime [4] KerberosTime OPTIONAL, starttime [5] KerberosTime OPTIONAL, endtime [6] KerberosTime OPTIONAL, renew-till [7] KerberosTime OPTIONAL, srealm [8] Realm OPTIONAL, sname [9] PrincipalName OPTIONAL, caddr [10] HostAddresses OPTIONAL } KRB-ERROR ::= [APPLICATION 30] SEQUENCE { pvno [0] INTEGER (5), msg-type [1] INTEGER (30), ctime [2] KerberosTime OPTIONAL, cusec [3] Microseconds OPTIONAL, stime [4] KerberosTime, susec [5] Microseconds, error-code [6] Int32, crealm [7] Realm OPTIONAL, cname [8] PrincipalName OPTIONAL, realm [9] Realm -- service realm --, sname [10] PrincipalName -- service name --, e-text [11] KerberosString OPTIONAL, e-data [12] OCTET STRING OPTIONAL } METHOD-DATA ::= SEQUENCE OF PA-DATA TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { data-type [0] Int32, data-value [1] OCTET STRING OPTIONAL } -- preauth stuff follows PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC PA-ENC-TS-ENC ::= SEQUENCE { patimestamp [0] KerberosTime -- client's time --, pausec [1] Microseconds OPTIONAL } ETYPE-INFO-ENTRY ::= SEQUENCE { etype [0] Int32, salt [1] OCTET STRING OPTIONAL } ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY ETYPE-INFO2-ENTRY ::= SEQUENCE { etype [0] Int32, salt [1] KerberosString OPTIONAL, s2kparams [2] OCTET STRING OPTIONAL } ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY AD-IF-RELEVANT ::= AuthorizationData AD-KDCIssued ::= SEQUENCE { ad-checksum [0] Checksum, i-realm [1] Realm OPTIONAL, i-sname [2] PrincipalName OPTIONAL, elements [3] AuthorizationData } AD-AND-OR ::= SEQUENCE { condition-count [0] Int32, elements [1] AuthorizationData } AD-MANDATORY-FOR-KDC ::= AuthorizationData END </pre> </div></div> </div> <div id="commentsSection" class="wiki-content pageSection"> <div style="float: right;"> <a href="http://cwiki.apache.org/confluence/users/viewnotifications.action" class="grey">Change Notification Preferences</a> </div> <a href="http://cwiki.apache.org/confluence/display/DIRxASN1/Kerberos">View Online</a> \| <a href="http://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=20644895&revisedVersion=2&originalVersion=1">View Changes</a> </div> </div> </div> </div> </div> </body> </html>
Mime	Unnamed text/html (inline, Quoted Printable, 20945 bytes)
	View raw message