config root man

Current Path : /usr/src/crypto/heimdal/lib/asn1/

FreeBSD hs32.drive.ne.jp 9.1-RELEASE FreeBSD 9.1-RELEASE #1: Wed Jan 14 12:18:08 JST 2015 root@hs32.drive.ne.jp:/sys/amd64/compile/hs32 amd64
Upload File :
Current File : //usr/src/crypto/heimdal/lib/asn1/k5.asn1

-- $Id: k5.asn1 21965 2007-10-18 18:24:36Z lha $

KERBEROS5 DEFINITIONS ::=
BEGIN

NAME-TYPE ::= INTEGER {
	KRB5_NT_UNKNOWN(0),	-- Name type not known
	KRB5_NT_PRINCIPAL(1),	-- Just the name of the principal as in
	KRB5_NT_SRV_INST(2),	-- Service and other unique instance (krbtgt)
	KRB5_NT_SRV_HST(3),	-- Service with host name as instance
	KRB5_NT_SRV_XHST(4),	-- Service with host as remaining components
	KRB5_NT_UID(5),		-- Unique ID
	KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
	KRB5_NT_SMTP_NAME(7),	-- Name in form of SMTP email name
	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
	KRB5_NT_MS_PRINCIPAL_AND_ID(-129) -- NT style name and SID
}

-- message types

MESSAGE-TYPE ::= INTEGER {
	krb-as-req(10), -- Request for initial authentication
	krb-as-rep(11), -- Response to KRB_AS_REQ request
	krb-tgs-req(12), -- Request for authentication based on TGT
	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
	krb-ap-req(14), -- application request to server
	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
	krb-safe(20), -- Safe (checksummed) application message
	krb-priv(21), -- Private (encrypted) application message
	krb-cred(22), -- Private (encrypted) message to forward credentials
	krb-error(30) -- Error response
}


-- pa-data types

PADATA-TYPE ::= INTEGER {
	KRB5-PADATA-NONE(0),
	KRB5-PADATA-TGS-REQ(1),
	KRB5-PADATA-AP-REQ(1),
	KRB5-PADATA-ENC-TIMESTAMP(2),
	KRB5-PADATA-PW-SALT(3),
	KRB5-PADATA-ENC-UNIX-TIME(5),
	KRB5-PADATA-SANDIA-SECUREID(6),
	KRB5-PADATA-SESAME(7),
	KRB5-PADATA-OSF-DCE(8),
	KRB5-PADATA-CYBERSAFE-SECUREID(9),
	KRB5-PADATA-AFS3-SALT(10),
	KRB5-PADATA-ETYPE-INFO(11),
	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
	KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
	KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
	KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
	KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
	KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
	KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
	KRB5-PADATA-ETYPE-INFO2(19),
	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
	KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
	KRB5-PADATA-SAM-ETYPE-INFO(23),
	KRB5-PADATA-SERVER-REFERRAL(25),
	KRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
	KRB5-PADATA-TD-APP-DEFINED-ERROR(106),	-- application specific
	KRB5-PADATA-TD-REQ-NONCE(107),		-- INTEGER
	KRB5-PADATA-TD-REQ-SEQ(108),		-- INTEGER
	KRB5-PADATA-PA-PAC-REQUEST(128),	-- jbrezak@exchange.microsoft.com
	KRB5-PADATA-S4U2SELF(129),
	KRB5-PADATA-PK-AS-09-BINDING(132),	-- client send this to 
						-- tell KDC that is supports 
						-- the asCheckSum in the
						--  PK-AS-REP
	KRB5-PADATA-CLIENT-CANONICALIZED(133)	-- 
}

AUTHDATA-TYPE ::= INTEGER {
	KRB5-AUTHDATA-IF-RELEVANT(1),
	KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
	KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
	KRB5-AUTHDATA-KDC-ISSUED(4),
	KRB5-AUTHDATA-AND-OR(5),
	KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
	KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
	KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
	KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
	KRB5-AUTHDATA-OSF-DCE(64),
	KRB5-AUTHDATA-SESAME(65),
	KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
	KRB5-AUTHDATA-WIN2K-PAC(128),
	KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
	KRB5-AUTHDATA-SIGNTICKET(-17)
}

-- checksumtypes

CKSUMTYPE ::= INTEGER {
	CKSUMTYPE_NONE(0),
	CKSUMTYPE_CRC32(1),
	CKSUMTYPE_RSA_MD4(2),
	CKSUMTYPE_RSA_MD4_DES(3),
	CKSUMTYPE_DES_MAC(4),
	CKSUMTYPE_DES_MAC_K(5),
	CKSUMTYPE_RSA_MD4_DES_K(6),
	CKSUMTYPE_RSA_MD5(7),
	CKSUMTYPE_RSA_MD5_DES(8),
	CKSUMTYPE_RSA_MD5_DES3(9),
	CKSUMTYPE_SHA1_OTHER(10),
	CKSUMTYPE_HMAC_SHA1_DES3(12),
	CKSUMTYPE_SHA1(14),
	CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
	CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
	CKSUMTYPE_GSSAPI(0x8003),
	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
	CKSUMTYPE_HMAC_MD5_ENC(-1138)	-- even more unofficial
}

--enctypes
ENCTYPE ::= INTEGER {
	ETYPE_NULL(0),
	ETYPE_DES_CBC_CRC(1),
	ETYPE_DES_CBC_MD4(2),
	ETYPE_DES_CBC_MD5(3),
	ETYPE_DES3_CBC_MD5(5),
	ETYPE_OLD_DES3_CBC_SHA1(7),
	ETYPE_SIGN_DSA_GENERATE(8),
	ETYPE_ENCRYPT_RSA_PRIV(9),
	ETYPE_ENCRYPT_RSA_PUB(10),
	ETYPE_DES3_CBC_SHA1(16),	-- with key derivation
	ETYPE_AES128_CTS_HMAC_SHA1_96(17),
	ETYPE_AES256_CTS_HMAC_SHA1_96(18),
	ETYPE_ARCFOUR_HMAC_MD5(23),
	ETYPE_ARCFOUR_HMAC_MD5_56(24),
	ETYPE_ENCTYPE_PK_CROSS(48),
-- some "old" windows types
	ETYPE_ARCFOUR_MD4(-128),
	ETYPE_ARCFOUR_HMAC_OLD(-133),
	ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use
	ETYPE_DES_CBC_NONE(-0x1000),
	ETYPE_DES3_CBC_NONE(-0x1001),
	ETYPE_DES_CFB64_NONE(-0x1002),
	ETYPE_DES_PCBC_NONE(-0x1003),
	ETYPE_DIGEST_MD5_NONE(-0x1004),		-- private use, lukeh@padl.com
	ETYPE_CRAM_MD5_NONE(-0x1005)		-- private use, lukeh@padl.com
}




-- this is sugar to make something ASN1 does not have: unsigned

krb5uint32 ::= INTEGER (0..4294967295)
krb5int32 ::= INTEGER (-2147483648..2147483647)

KerberosString  ::= GeneralString

Realm ::= GeneralString
PrincipalName ::= SEQUENCE {
	name-type[0]		NAME-TYPE,
	name-string[1]		SEQUENCE OF GeneralString
}

-- this is not part of RFC1510
Principal ::= SEQUENCE {
	name[0]			PrincipalName,
	realm[1]		Realm
}

HostAddress ::= SEQUENCE  {
	addr-type[0]		krb5int32,
	address[1]		OCTET STRING
}

-- This is from RFC1510.
--
-- HostAddresses ::= SEQUENCE OF SEQUENCE {
-- 	addr-type[0]		krb5int32,
--	address[1]		OCTET STRING
-- }

-- This seems much better.
HostAddresses ::= SEQUENCE OF HostAddress


KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

AuthorizationDataElement ::= SEQUENCE {
	ad-type[0]		krb5int32,
	ad-data[1]		OCTET STRING
}

AuthorizationData ::= SEQUENCE OF AuthorizationDataElement

APOptions ::= BIT STRING {
	reserved(0),
	use-session-key(1),
	mutual-required(2)
}

TicketFlags ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	may-postdate(5),
	postdated(6),
	invalid(7),
	renewable(8),
	initial(9),
	pre-authent(10),
	hw-authent(11),
	transited-policy-checked(12),
	ok-as-delegate(13),
	anonymous(14)
}

KDCOptions ::= BIT STRING {
	reserved(0),
	forwardable(1),
	forwarded(2),
	proxiable(3),
	proxy(4),
	allow-postdate(5),
	postdated(6),
	unused7(7),
	renewable(8),
	unused9(9),
	unused10(10),
	unused11(11),
	request-anonymous(14),
	canonicalize(15),
	constrained-delegation(16), -- ms extension
	disable-transited-check(26),
	renewable-ok(27),
	enc-tkt-in-skey(28),
	renew(30),
	validate(31)
}

LR-TYPE ::= INTEGER {
	LR_NONE(0),		-- no information
	LR_INITIAL_TGT(1),	-- last initial TGT request
	LR_INITIAL(2),		-- last initial request
	LR_ISSUE_USE_TGT(3),	-- time of newest TGT used
	LR_RENEWAL(4),		-- time of last renewal
	LR_REQUEST(5),		-- time of last request (of any type)
	LR_PW_EXPTIME(6),	-- expiration time of password
	LR_ACCT_EXPTIME(7)	-- expiration time of account
}

LastReq ::= SEQUENCE OF SEQUENCE {
	lr-type[0]		LR-TYPE,
	lr-value[1]		KerberosTime
}


EncryptedData ::= SEQUENCE {
	etype[0] 		ENCTYPE, -- EncryptionType
	kvno[1]			krb5int32 OPTIONAL,
	cipher[2]		OCTET STRING -- ciphertext
}

EncryptionKey ::= SEQUENCE {
	keytype[0]		krb5int32,
	keyvalue[1]		OCTET STRING
}

-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
	tr-type[0]		krb5int32, -- must be registered
	contents[1]		OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
	tkt-vno[0]		krb5int32,
	realm[1]		Realm,
	sname[2]		PrincipalName,
	enc-part[3]		EncryptedData
}
-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
	flags[0]		TicketFlags,
	key[1]			EncryptionKey,
	crealm[2]		Realm,
	cname[3]		PrincipalName,
	transited[4]		TransitedEncoding,
	authtime[5]		KerberosTime,
	starttime[6]		KerberosTime OPTIONAL,
	endtime[7]		KerberosTime,
	renew-till[8]		KerberosTime OPTIONAL,
	caddr[9]		HostAddresses OPTIONAL,
	authorization-data[10]	AuthorizationData OPTIONAL
}

Checksum ::= SEQUENCE {
	cksumtype[0]		CKSUMTYPE,
	checksum[1]		OCTET STRING
}

Authenticator ::= [APPLICATION 2] SEQUENCE    {
	authenticator-vno[0]	krb5int32,
	crealm[1]		Realm,
	cname[2]		PrincipalName,
	cksum[3]		Checksum OPTIONAL,
	cusec[4]		krb5int32,
	ctime[5]		KerberosTime,
	subkey[6]		EncryptionKey OPTIONAL,
	seq-number[7]		krb5uint32 OPTIONAL,
	authorization-data[8]	AuthorizationData OPTIONAL
}

PA-DATA ::= SEQUENCE {
	-- might be encoded AP-REQ
	padata-type[1]		PADATA-TYPE,
	padata-value[2]		OCTET STRING
}

ETYPE-INFO-ENTRY ::= SEQUENCE {
	etype[0]		ENCTYPE,
	salt[1]			OCTET STRING OPTIONAL,
	salttype[2]		krb5int32 OPTIONAL
}

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

ETYPE-INFO2-ENTRY ::= SEQUENCE {
	etype[0]		ENCTYPE,
	salt[1]			KerberosString OPTIONAL,
	s2kparams[2]		OCTET STRING OPTIONAL
}

ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY

METHOD-DATA ::= SEQUENCE OF PA-DATA

TypedData ::=   SEQUENCE {
	data-type[0]		krb5int32,
	data-value[1]		OCTET STRING OPTIONAL
}

TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData

KDC-REQ-BODY ::= SEQUENCE {
	kdc-options[0]		KDCOptions,
	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
	realm[2]		Realm,	-- Server's realm
					-- Also client's in AS-REQ
	sname[3]		PrincipalName OPTIONAL,
	from[4]			KerberosTime OPTIONAL,
	till[5]			KerberosTime OPTIONAL,
	rtime[6]		KerberosTime OPTIONAL,
	nonce[7]		krb5int32,
	etype[8]		SEQUENCE OF ENCTYPE, -- EncryptionType,
					-- in preference order
	addresses[9]		HostAddresses OPTIONAL,
	enc-authorization-data[10] EncryptedData OPTIONAL,
					-- Encrypted AuthorizationData encoding
	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
}

KDC-REQ ::= SEQUENCE {
	pvno[1]			krb5int32,
	msg-type[2]		MESSAGE-TYPE,
	padata[3]		METHOD-DATA OPTIONAL,
	req-body[4]		KDC-REQ-BODY
}

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

-- padata-type ::= PA-ENC-TIMESTAMP
-- padata-value ::= EncryptedData - PA-ENC-TS-ENC

PA-ENC-TS-ENC ::= SEQUENCE {
	patimestamp[0]		KerberosTime, -- client's time
	pausec[1]		krb5int32 OPTIONAL
}

-- draft-brezak-win2k-krb-authz-01
PA-PAC-REQUEST ::= SEQUENCE {
	include-pac[0]		BOOLEAN -- Indicates whether a PAC 
					-- should be included or not
}

-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
PROV-SRV-LOCATION ::= GeneralString

KDC-REP ::= SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	padata[2]		METHOD-DATA OPTIONAL,
	crealm[3]		Realm,
	cname[4]		PrincipalName,
	ticket[5]		Ticket,
	enc-part[6]		EncryptedData
}

AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP

EncKDCRepPart ::= SEQUENCE {
	key[0]			EncryptionKey,
	last-req[1]		LastReq,
	nonce[2]		krb5int32,
	key-expiration[3]	KerberosTime OPTIONAL,
	flags[4]		TicketFlags,
	authtime[5]		KerberosTime,
	starttime[6]		KerberosTime OPTIONAL,
	endtime[7]		KerberosTime,
	renew-till[8]		KerberosTime OPTIONAL,
	srealm[9]		Realm,
	sname[10]		PrincipalName,
	caddr[11]		HostAddresses OPTIONAL,
	encrypted-pa-data[12]	METHOD-DATA OPTIONAL
}

EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart

AP-REQ ::= [APPLICATION 14] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	ap-options[2]		APOptions,
	ticket[3]		Ticket,
	authenticator[4]	EncryptedData
}

AP-REP ::= [APPLICATION 15] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	enc-part[2]		EncryptedData
}

EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
	ctime[0]		KerberosTime,
	cusec[1]		krb5int32,
	subkey[2]		EncryptionKey OPTIONAL,
	seq-number[3]		krb5uint32 OPTIONAL
}

KRB-SAFE-BODY ::= SEQUENCE {
	user-data[0]		OCTET STRING,
	timestamp[1]		KerberosTime OPTIONAL,
	usec[2]			krb5int32 OPTIONAL,
	seq-number[3]		krb5uint32 OPTIONAL,
	s-address[4]		HostAddress OPTIONAL,
	r-address[5]		HostAddress OPTIONAL
}

KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	safe-body[2]		KRB-SAFE-BODY,
	cksum[3]		Checksum
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	enc-part[3]		EncryptedData
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
	user-data[0]		OCTET STRING,
	timestamp[1]		KerberosTime OPTIONAL,
	usec[2]			krb5int32 OPTIONAL,
	seq-number[3]		krb5uint32 OPTIONAL,
	s-address[4]		HostAddress OPTIONAL, -- sender's addr
	r-address[5]		HostAddress OPTIONAL  -- recip's addr
}

KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE, -- KRB_CRED
	tickets[2]		SEQUENCE OF Ticket,
	enc-part[3]		EncryptedData
}

KrbCredInfo ::= SEQUENCE {
	key[0]			EncryptionKey,
	prealm[1]		Realm OPTIONAL,
	pname[2]		PrincipalName OPTIONAL,
	flags[3]		TicketFlags OPTIONAL,
	authtime[4]		KerberosTime OPTIONAL,
	starttime[5]		KerberosTime OPTIONAL,
	endtime[6] 		KerberosTime OPTIONAL,
	renew-till[7]		KerberosTime OPTIONAL,
	srealm[8]		Realm OPTIONAL,
	sname[9]		PrincipalName OPTIONAL,
	caddr[10]		HostAddresses OPTIONAL
}

EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
	ticket-info[0]		SEQUENCE OF KrbCredInfo,
	nonce[1]		krb5int32 OPTIONAL,
	timestamp[2]		KerberosTime OPTIONAL,
	usec[3]			krb5int32 OPTIONAL,
	s-address[4]		HostAddress OPTIONAL,
	r-address[5]		HostAddress OPTIONAL
}

KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
	pvno[0]			krb5int32,
	msg-type[1]		MESSAGE-TYPE,
	ctime[2]		KerberosTime OPTIONAL,
	cusec[3]		krb5int32 OPTIONAL,
	stime[4]		KerberosTime,
	susec[5]		krb5int32,
	error-code[6]		krb5int32,
	crealm[7]		Realm OPTIONAL,
	cname[8]		PrincipalName OPTIONAL,
	realm[9]		Realm, -- Correct realm
	sname[10]		PrincipalName, -- Correct name
	e-text[11]		GeneralString OPTIONAL,
	e-data[12]		OCTET STRING OPTIONAL
}

ChangePasswdDataMS ::= SEQUENCE {
	newpasswd[0]		OCTET STRING,
	targname[1]		PrincipalName OPTIONAL,
	targrealm[2]		Realm OPTIONAL
}

EtypeList ::= SEQUENCE OF krb5int32
	-- the client's proposed enctype list in
	-- decreasing preference order, favorite choice first

krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number

-- transited encodings

DOMAIN-X500-COMPRESS	krb5int32 ::= 1

-- authorization data primitives

AD-IF-RELEVANT ::= AuthorizationData

AD-KDCIssued ::= SEQUENCE {
	ad-checksum[0]		Checksum,
	i-realm[1]		Realm OPTIONAL,
	i-sname[2]		PrincipalName OPTIONAL,
	elements[3]		AuthorizationData
}

AD-AND-OR ::= SEQUENCE {
	condition-count[0]	INTEGER,
	elements[1]		AuthorizationData
}

AD-MANDATORY-FOR-KDC ::= AuthorizationData

-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2

PA-SAM-TYPE ::= INTEGER {
	PA_SAM_TYPE_ENIGMA(1),		-- Enigma Logic
	PA_SAM_TYPE_DIGI_PATH(2),	-- Digital Pathways
	PA_SAM_TYPE_SKEY_K0(3),		-- S/key where  KDC has key 0
	PA_SAM_TYPE_SKEY(4),		-- Traditional S/Key
	PA_SAM_TYPE_SECURID(5),		-- Security Dynamics
	PA_SAM_TYPE_CRYPTOCARD(6)	-- CRYPTOCard
}

PA-SAM-REDIRECT ::= HostAddresses

SAMFlags ::= BIT STRING {
	use-sad-as-key(0),
	send-encrypted-sad(1),
	must-pk-encrypt-sad(2)
}

PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
	sam-type[0]		krb5int32,
	sam-flags[1]		SAMFlags,
	sam-type-name[2]	GeneralString OPTIONAL,
	sam-track-id[3]		GeneralString OPTIONAL,
	sam-challenge-label[4]	GeneralString OPTIONAL,
	sam-challenge[5]	GeneralString OPTIONAL,
	sam-response-prompt[6]	GeneralString OPTIONAL,
	sam-pk-for-sad[7]	EncryptionKey OPTIONAL,
	sam-nonce[8]		krb5int32,
	sam-etype[9]		krb5int32,
	...
}

PA-SAM-CHALLENGE-2 ::= SEQUENCE {
	sam-body[0]		PA-SAM-CHALLENGE-2-BODY,
	sam-cksum[1]		SEQUENCE OF Checksum, -- (1..MAX)
	...
}

PA-SAM-RESPONSE-2 ::= SEQUENCE {
	sam-type[0]		krb5int32,
	sam-flags[1]		SAMFlags,
	sam-track-id[2]		GeneralString OPTIONAL,
	sam-enc-nonce-or-sad[3]	EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
	sam-nonce[4]		krb5int32,
	...
}

PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
	sam-nonce[0]		krb5int32,
	sam-sad[1]		GeneralString OPTIONAL,
	...
}

PA-S4U2Self ::= SEQUENCE {
	name[0]		PrincipalName,
        realm[1]	Realm,
        cksum[2]	Checksum,
        auth[3]		GeneralString
}

KRB5SignedPathPrincipals ::= SEQUENCE OF Principal

-- never encoded on the wire, just used to checksum over
KRB5SignedPathData ::= SEQUENCE {
	encticket[0]	EncTicketPart,
	delegated[1]	KRB5SignedPathPrincipals OPTIONAL
}

KRB5SignedPath ::= SEQUENCE {
	-- DERcoded KRB5SignedPathData
	-- krbtgt key (etype), KeyUsage = XXX 
	etype[0]	ENCTYPE,
	cksum[1]	Checksum,
	-- srvs delegated though
	delegated[2]	KRB5SignedPathPrincipals OPTIONAL
}

PA-ClientCanonicalizedNames ::= SEQUENCE{
	requested-name [0] PrincipalName,
	real-name      [1] PrincipalName
}

PA-ClientCanonicalized ::= SEQUENCE {
	names          [0] PA-ClientCanonicalizedNames,
	canon-checksum [1] Checksum
}

AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
	login-alias  [0] PrincipalName,
	checksum     [1] Checksum
}

-- old ms referral
PA-SvrReferralData ::= SEQUENCE {
	referred-name   [1] PrincipalName OPTIONAL,
	referred-realm  [0] Realm
}

END

-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1

Man Man