From commits-return-25727-apmail-directory-commits-archive=directory.apache.org@directory.apache.org Fri May 07 17:12:23 2010 Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 94459 invoked from network); 7 May 2010 17:12:23 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 7 May 2010 17:12:23 -0000 Received: (qmail 70930 invoked by uid 500); 7 May 2010 17:12:23 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 70889 invoked by uid 500); 7 May 2010 17:12:23 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 70882 invoked by uid 99); 7 May 2010 17:12:23 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 07 May 2010 17:12:23 +0000 X-ASF-Spam-Status: No, hits=-1328.3 required=10.0 tests=ALL_TRUSTED,AWL,HTML_MESSAGE,MIME_HTML_ONLY X-Spam-Check-By: apache.org Received: from [140.211.11.22] (HELO thor.apache.org) (140.211.11.22) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 07 May 2010 17:12:20 +0000 Received: from thor (localhost [127.0.0.1]) by thor.apache.org (8.13.8+Sun/8.13.8) with ESMTP id o47HC0Yx028585 for ; Fri, 7 May 2010 17:12:00 GMT Date: Fri, 7 May 2010 13:12:00 -0400 (EDT) From: confluence@apache.org To: commits@directory.apache.org Message-ID: <3174011.2083.1273252320178.JavaMail.confluence@thor> Subject: [CONF] Apache Directory ASN.1 Documentation > Kerberos MIME-Version: 1.0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Auto-Submitted: auto-generated

Kerberos

Page added by Emmanuel Lécharny


KerberosV5Spec2 {
        iso(1) identified-organization(3) dod(6) internet(1)
        security(5) kerberosV5(2) modules(4) krb5spec2(2)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN

-- OID arc for KerberosV5
--
-- This OID may be used to identify Kerberos protocol messages
-- encapsulated in other protocols.
--
-- This OID also designates the OID arc for KerberosV5-related OIDs.
--
-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
id-krb5 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) dod(6) internet(1)
        security(5) kerberosV5(2)
}

Int32           ::= INTEGER (-2147483648..2147483647)
                    -- signed values representable in 32 bits

UInt32          ::= INTEGER (0..4294967295)
                    -- unsigned 32 bit values

Microseconds    ::= INTEGER (0..999999)
                    -- microseconds

KerberosString  ::= GeneralString (IA5String)

Realm           ::= KerberosString

PrincipalName   ::= SEQUENCE {
        name-type       [0] Int32,
        name-string     [1] SEQUENCE OF KerberosString
}

KerberosTime    ::= GeneralizedTime -- with no fractional seconds

HostAddress     ::= SEQUENCE {
        addr-type       [0] Int32,
        address         [1] OCTET STRING
}

-- NOTE: HostAddresses is always used as an OPTIONAL field and
-- should not be empty.
HostAddresses   -- NOTE: subtly different from rfc1510,
                -- but has a value mapping and encodes the same
        ::= SEQUENCE OF HostAddress

-- NOTE: AuthorizationData is always used as an OPTIONAL field and
-- should not be empty.
AuthorizationData       ::= SEQUENCE OF SEQUENCE {
        ad-type         [0] Int32,
        ad-data         [1] OCTET STRING
}

PA-DATA         ::= SEQUENCE {
        -- NOTE: first tag is [1], not [0]
        padata-type     [1] Int32,
        padata-value    [2] OCTET STRING -- might be encoded AP-REQ
}

KerberosFlags   ::= BIT STRING (SIZE (32..MAX))
                    -- minimum number of bits shall be sent,
                    -- but no fewer than 32

EncryptedData   ::= SEQUENCE {
        etype   [0] Int32 -- EncryptionType --,
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
}

EncryptionKey   ::= SEQUENCE {
        keytype         [0] Int32 -- actually encryption type --,
        keyvalue        [1] OCTET STRING
}

Checksum        ::= SEQUENCE {
        cksumtype       [0] Int32,
        checksum        [1] OCTET STRING
}

Ticket          ::= [APPLICATION 1] SEQUENCE {
        tkt-vno         [0] INTEGER (5),
        realm           [1] Realm,
        sname           [2] PrincipalName,
        enc-part        [3] EncryptedData -- EncTicketPart
}

-- Encrypted part of ticket
EncTicketPart   ::= [APPLICATION 3] SEQUENCE {
        flags                   [0] TicketFlags,
        key                     [1] EncryptionKey,
        crealm                  [2] Realm,
        cname                   [3] PrincipalName,
        transited               [4] TransitedEncoding,
        authtime                [5] KerberosTime,
        starttime               [6] KerberosTime OPTIONAL,
        endtime                 [7] KerberosTime,
        renew-till              [8] KerberosTime OPTIONAL,
        caddr                   [9] HostAddresses OPTIONAL,
        authorization-data      [10] AuthorizationData OPTIONAL
}

-- encoded Transited field
TransitedEncoding       ::= SEQUENCE {
        tr-type         [0] Int32 -- must be registered --,
        contents        [1] OCTET STRING
}

TicketFlags     ::= KerberosFlags
        -- reserved(0),
        -- forwardable(1),
        -- forwarded(2),
        -- proxiable(3),
        -- proxy(4),
        -- may-postdate(5),
        -- postdated(6),
        -- invalid(7),
        -- renewable(8),
        -- initial(9),
        -- pre-authent(10),
        -- hw-authent(11),
        -- the following are new since 1510
        -- transited-policy-checked(12),
        -- ok-as-delegate(13)

AS-REQ          ::= [APPLICATION 10] KDC-REQ

TGS-REQ         ::= [APPLICATION 12] KDC-REQ

KDC-REQ         ::= SEQUENCE {
        -- NOTE: first tag is [1], not [0]
        pvno            [1] INTEGER (5) ,
        msg-type        [2] INTEGER (10 -- AS -- | 12 -- TGS --),
        padata          [3] SEQUENCE OF PA-DATA OPTIONAL
                            -- NOTE: not empty --,
        req-body        [4] KDC-REQ-BODY
}

KDC-REQ-BODY    ::= SEQUENCE {
        kdc-options             [0] KDCOptions,
        cname                   [1] PrincipalName OPTIONAL
                                    -- Used only in AS-REQ --,
        realm                   [2] Realm
                                    -- Server's realm
                                    -- Also client's in AS-REQ --,
        sname                   [3] PrincipalName OPTIONAL,
        from                    [4] KerberosTime OPTIONAL,
        till                    [5] KerberosTime,
        rtime                   [6] KerberosTime OPTIONAL,
        nonce                   [7] UInt32,
        etype                   [8] SEQUENCE OF Int32 -- EncryptionType
                                    -- in preference order --,
        addresses               [9] HostAddresses OPTIONAL,
        enc-authorization-data  [10] EncryptedData OPTIONAL
                                    -- AuthorizationData --,
        additional-tickets      [11] SEQUENCE OF Ticket OPTIONAL
                                        -- NOTE: not empty
}

KDCOptions      ::= KerberosFlags
        -- reserved(0),
        -- forwardable(1),
        -- forwarded(2),
        -- proxiable(3),
        -- proxy(4),
        -- allow-postdate(5),
        -- postdated(6),
        -- unused7(7),
        -- renewable(8),
        -- unused9(9),
        -- unused10(10),
        -- opt-hardware-auth(11),
        -- unused12(12),
        -- unused13(13),
        -- 15 is reserved for canonicalize
        -- unused15(15),
        -- 26 was unused in 1510
        -- disable-transited-check(26),
        --
        -- renewable-ok(27),
        -- enc-tkt-in-skey(28),
        -- renew(30),
        -- validate(31)

AS-REP          ::= [APPLICATION 11] KDC-REP

TGS-REP         ::= [APPLICATION 13] KDC-REP

KDC-REP         ::= SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (11 -- AS -- | 13 -- TGS --),
        padata          [2] SEQUENCE OF PA-DATA OPTIONAL
                                -- NOTE: not empty --,
        crealm          [3] Realm,
        cname           [4] PrincipalName,
        ticket          [5] Ticket,
        enc-part        [6] EncryptedData
                                -- EncASRepPart or EncTGSRepPart,
                                -- as appropriate
}

EncASRepPart    ::= [APPLICATION 25] EncKDCRepPart

EncTGSRepPart   ::= [APPLICATION 26] EncKDCRepPart

EncKDCRepPart   ::= SEQUENCE {
        key             [0] EncryptionKey,
        last-req        [1] LastReq,
        nonce           [2] UInt32,
        key-expiration  [3] KerberosTime OPTIONAL,
        flags           [4] TicketFlags,
        authtime        [5] KerberosTime,
        starttime       [6] KerberosTime OPTIONAL,
        endtime         [7] KerberosTime,
        renew-till      [8] KerberosTime OPTIONAL,
        srealm          [9] Realm,
        sname           [10] PrincipalName,
        caddr           [11] HostAddresses OPTIONAL
}

LastReq         ::= SEQUENCE OF SEQUENCE {
        lr-type         [0] Int32,
        lr-value        [1] KerberosTime
}

AP-REQ          ::= [APPLICATION 14] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (14),
        ap-options      [2] APOptions,
        ticket          [3] Ticket,
        authenticator   [4] EncryptedData -- Authenticator
}

APOptions       ::= KerberosFlags
        -- reserved(0),
        -- use-session-key(1),
        -- mutual-required(2)

-- Unencrypted authenticator
Authenticator   ::= [APPLICATION 2] SEQUENCE {
        authenticator-vno       [0] INTEGER (5),
        crealm                  [1] Realm,
        cname                   [2] PrincipalName,
        cksum                   [3] Checksum OPTIONAL,
        cusec                   [4] Microseconds,
        ctime                   [5] KerberosTime,
        subkey                  [6] EncryptionKey OPTIONAL,
        seq-number              [7] UInt32 OPTIONAL,
        authorization-data      [8] AuthorizationData OPTIONAL
}

AP-REP          ::= [APPLICATION 15] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (15),
        enc-part        [2] EncryptedData -- EncAPRepPart
}

EncAPRepPart    ::= [APPLICATION 27] SEQUENCE {
        ctime           [0] KerberosTime,
        cusec           [1] Microseconds,
        subkey          [2] EncryptionKey OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL
}

KRB-SAFE        ::= [APPLICATION 20] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (20),
        safe-body       [2] KRB-SAFE-BODY,
        cksum           [3] Checksum
}

KRB-SAFE-BODY   ::= SEQUENCE {
        user-data       [0] OCTET STRING,
        timestamp       [1] KerberosTime OPTIONAL,
        usec            [2] Microseconds OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL,
        s-address       [4] HostAddress,
        r-address       [5] HostAddress OPTIONAL
}

KRB-PRIV        ::= [APPLICATION 21] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (21),
                        -- NOTE: there is no [2] tag
        enc-part        [3] EncryptedData -- EncKrbPrivPart
}

EncKrbPrivPart  ::= [APPLICATION 28] SEQUENCE {
        user-data       [0] OCTET STRING,
        timestamp       [1] KerberosTime OPTIONAL,
        usec            [2] Microseconds OPTIONAL,
        seq-number      [3] UInt32 OPTIONAL,
        s-address       [4] HostAddress -- sender's addr --,
        r-address       [5] HostAddress OPTIONAL -- recip's addr
}

KRB-CRED        ::= [APPLICATION 22] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (22),
        tickets         [2] SEQUENCE OF Ticket,
        enc-part        [3] EncryptedData -- EncKrbCredPart
}

EncKrbCredPart  ::= [APPLICATION 29] SEQUENCE {
        ticket-info     [0] SEQUENCE OF KrbCredInfo,
        nonce           [1] UInt32 OPTIONAL,
        timestamp       [2] KerberosTime OPTIONAL,
        usec            [3] Microseconds OPTIONAL,
        s-address       [4] HostAddress OPTIONAL,
        r-address       [5] HostAddress OPTIONAL
}

KrbCredInfo     ::= SEQUENCE {
        key             [0] EncryptionKey,
        prealm          [1] Realm OPTIONAL,
        pname           [2] PrincipalName OPTIONAL,
        flags           [3] TicketFlags OPTIONAL,
        authtime        [4] KerberosTime OPTIONAL,
        starttime       [5] KerberosTime OPTIONAL,
        endtime         [6] KerberosTime OPTIONAL,
        renew-till      [7] KerberosTime OPTIONAL,
        srealm          [8] Realm OPTIONAL,
        sname           [9] PrincipalName OPTIONAL,
        caddr           [10] HostAddresses OPTIONAL
}

KRB-ERROR       ::= [APPLICATION 30] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (30),
        ctime           [2] KerberosTime OPTIONAL,
        cusec           [3] Microseconds OPTIONAL,
        stime           [4] KerberosTime,
        susec           [5] Microseconds,
        error-code      [6] Int32,
        crealm          [7] Realm OPTIONAL,
        cname           [8] PrincipalName OPTIONAL,
        realm           [9] Realm -- service realm --,
        sname           [10] PrincipalName -- service name --,
        e-text          [11] KerberosString OPTIONAL,
        e-data          [12] OCTET STRING OPTIONAL
}

METHOD-DATA     ::= SEQUENCE OF PA-DATA

TYPED-DATA      ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
        data-type       [0] Int32,
        data-value      [1] OCTET STRING OPTIONAL
}

-- preauth stuff follows

PA-ENC-TIMESTAMP        ::= EncryptedData -- PA-ENC-TS-ENC

PA-ENC-TS-ENC   ::= SEQUENCE {
        patimestamp     [0] KerberosTime -- client's time --,
        pausec          [1] Microseconds OPTIONAL
}

ETYPE-INFO-ENTRY        ::= SEQUENCE {
        etype           [0] Int32,
        salt            [1] OCTET STRING OPTIONAL
}

ETYPE-INFO      ::= SEQUENCE OF ETYPE-INFO-ENTRY

ETYPE-INFO2-ENTRY       ::= SEQUENCE {
        etype           [0] Int32,
        salt            [1] KerberosString OPTIONAL,
        s2kparams       [2] OCTET STRING OPTIONAL
}

ETYPE-INFO2     ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

AD-IF-RELEVANT  ::= AuthorizationData

AD-KDCIssued    ::= SEQUENCE {
        ad-checksum     [0] Checksum,
        i-realm         [1] Realm OPTIONAL,
        i-sname         [2] PrincipalName OPTIONAL,
        elements        [3] AuthorizationData
}

AD-AND-OR       ::= SEQUENCE {
        condition-count [0] Int32,
        elements        [1] AuthorizationData
}

AD-MANDATORY-FOR-KDC    ::= AuthorizationData

END