diff --git a/lib/gssapi/krb5/spkm.asn1 b/lib/gssapi/krb5/spkm.asn1
new file mode 100644
index 000000000..5c14196a4
--- /dev/null
+++ b/lib/gssapi/krb5/spkm.asn1
@@ -0,0 +1,240 @@
+-- from rfc2025
+-- $Id$
+
+SpkmGssTokens DEFINITIONS ::=
+BEGIN
+
+IMPORTS AlgorithmIdentifier, Validity,
+	Attribute, Certificate, CertificateList, CertificatePair, Name
+	FROM rfc2459
+	AuthorizationData FROM krb5;
+
+SPKM-REQ ::= SEQUENCE {
+	requestToken      REQ-TOKEN,
+	certif-data [0]   CertificationData OPTIONAL,
+	auth-data [1]     AuthorizationData OPTIONAL
+}
+
+
+CertificationData ::= SEQUENCE {
+	certificationPath [0]	  CertificationPath OPTIONAL,
+	certificateRevocationList [1]  CertificateList OPTIONAL
+} -- at least one of the above shall be present
+
+
+CertificationPath ::= SEQUENCE {
+	userKeyId [0]	 OCTET STRING OPTIONAL,
+	userCertif [1]	Certificate OPTIONAL,
+	verifKeyId [2]	OCTET STRING OPTIONAL,
+	userVerifCertif [3]   Certificate OPTIONAL,
+	theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL
+} -- Presence of [2] or [3] implies that [0] or [1] must also be
+  -- present.  Presence of [4] implies that at least one of [0], [1],
+  -- [2], and [3] must also be present.
+
+REQ-TOKEN ::= SEQUENCE {
+	req-contents     Req-contents,
+	algId	    AlgorithmIdentifier,
+	req-integrity    Integrity  -- "token" is Req-contents
+}
+
+Integrity ::= BIT STRING
+  -- If corresponding algId specifies a signing algorithm,
+  -- "Integrity" holds the result of applying the signing procedure
+  -- specified in algId to the BER-encoded octet string which results
+  -- from applying the hashing procedure (also specified in algId) to
+  -- the DER-encoded octets of "token".
+  -- Alternatively, if corresponding algId specifies a MACing
+  -- algorithm, "Integrity" holds the result of applying the MACing
+  -- procedure specified in algId to the DER-encoded octets of
+  -- "token"
+
+Req-contents ::= SEQUENCE {
+	tok-id	   INTEGER --(256)--,  -- shall contain 0100 (hex)
+	context-id       Random-Integer,
+	pvno	     BIT STRING,
+	timestamp	UTCTime OPTIONAL, -- mandatory for SPKM-2
+	randSrc	  Random-Integer,
+	targ-name	Name,
+	src-name [0]     Name OPTIONAL,
+	req-data	 Context-Data,
+	validity [1]     Validity OPTIONAL,
+	key-estb-set     Key-Estb-Algs,
+	key-estb-req     BIT STRING OPTIONAL,
+	key-src-bind     OCTET STRING OPTIONAL
+	   -- This field must be present for the case of SPKM-2
+	   -- unilateral authen. if the K-ALG in use does not provide
+	   -- such a binding (but is optional for all other cases).
+	   -- The octet string holds the result of applying the
+	   -- mandatory hashing procedure (in MANDATORY I-ALG;
+	   -- see Section 2.1) as follows:  MD5(src || context_key),
+	   -- where "src" is the DER-encoded octets of src-name,
+	   -- "context-key" is the symmetric key (i.e., the
+	   -- unprotected version of what is transmitted in
+	   -- key-estb-req), and "||" is the concatenation operation.
+}
+
+Random-Integer ::= BIT STRING
+
+Context-Data ::= SEQUENCE {
+	channelId       ChannelId OPTIONAL,
+	seq-number      INTEGER OPTIONAL,
+	options	 Options,
+	conf-alg	Conf-Algs,
+	intg-alg	Intg-Algs,
+	owf-alg	 OWF-Algs
+}
+
+ChannelId ::= OCTET STRING
+
+Options ::= BIT STRING {
+	delegation-state (0),
+	mutual-state (1),
+	replay-det-state (2),
+	sequence-state (3),
+	conf-avail (4),
+	integ-avail (5),
+	target-certif-data-required (6)
+}
+
+Conf-Algs ::= CHOICE {
+	algs [0]	 SEQUENCE OF AlgorithmIdentifier,
+	null [1]	 NULL
+}
+
+Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier
+
+OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier
+
+Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier
+
+
+SPKM-REP-TI ::= SEQUENCE {
+	responseToken    REP-TI-TOKEN,
+	certif-data      CertificationData OPTIONAL
+	  -- present if target-certif-data-required option was
+}	 -- set to TRUE in SPKM-REQ
+
+REP-TI-TOKEN ::= SEQUENCE {
+	rep-ti-contents  Rep-ti-contents,
+	algId	    AlgorithmIdentifier,
+	rep-ti-integ     Integrity  -- "token" is Rep-ti-contents
+}
+
+Rep-ti-contents ::= SEQUENCE {
+	tok-id	   INTEGER --(512)--,   -- shall contain 0200 (hex)
+	context-id       Random-Integer,
+	pvno [0]	 BIT STRING OPTIONAL,
+	timestamp	UTCTime OPTIONAL, -- mandatory for SPKM-2
+	randTarg	 Random-Integer,
+	src-name [1]     Name OPTIONAL,
+	targ-name	Name,
+	randSrc	  Random-Integer,
+	rep-data	 Context-Data,
+	validity [2]     Validity  OPTIONAL,
+	key-estb-id      AlgorithmIdentifier OPTIONAL,
+	key-estb-str     BIT STRING OPTIONAL
+}
+
+SPKM-REP-IT ::= SEQUENCE {
+	responseToken    REP-IT-TOKEN,
+	algId	    AlgorithmIdentifier,
+	rep-it-integ     Integrity  -- "token" is REP-IT-TOKEN
+}
+
+REP-IT-TOKEN ::= SEQUENCE {
+	tok-id	   INTEGER --(768)--,  -- shall contain 0300 (hex)
+	context-id       Random-Integer,
+	randSrc	  Random-Integer,
+	randTarg	 Random-Integer,
+	targ-name	Name,
+	src-name	 Name OPTIONAL,
+	key-estb-rep     BIT STRING OPTIONAL
+}
+
+SPKM-ERROR ::= SEQUENCE {
+	errorToken       ERROR-TOKEN,
+	algId	    AlgorithmIdentifier,
+	integrity	Integrity  -- "token" is ERROR-TOKEN
+}
+
+ERROR-TOKEN ::=   SEQUENCE {
+	tok-id	   INTEGER --(1024)--, -- shall contain 0400 (hex)
+	context-id       Random-Integer
+}
+
+SPKM-MIC ::= SEQUENCE {
+	mic-header       Mic-Header,
+	int-cksum	BIT STRING
+}
+
+Mic-Header ::= SEQUENCE {
+	tok-id	   INTEGER --(257)--, -- shall contain 0101 (hex)
+	context-id       Random-Integer,
+	int-alg [0]      AlgorithmIdentifier OPTIONAL,
+	snd-seq [1]      SeqNum OPTIONAL
+}
+
+SeqNum ::= SEQUENCE {
+	num	      INTEGER,
+	dir-ind	  BOOLEAN
+}
+
+SPKM-WRAP ::= SEQUENCE {
+	wrap-header       Wrap-Header,
+	wrap-body	 Wrap-Body
+}
+
+Wrap-Header ::= SEQUENCE {
+	tok-id	   INTEGER --(513)--, -- shall contain 0201 (hex)
+	context-id       Random-Integer,
+	int-alg [0]      AlgorithmIdentifier OPTIONAL,
+	conf-alg [1]     Conf-Alg OPTIONAL,
+	snd-seq [2]      SeqNum OPTIONAL
+}
+
+Wrap-Body ::= SEQUENCE {
+	int-cksum	BIT STRING,
+	data	     BIT STRING
+}
+
+Conf-Alg ::= CHOICE {
+	algId [0]	AlgorithmIdentifier,
+	null [1]	 NULL
+}
+
+
+SPKM-DEL ::= SEQUENCE {
+	del-header       Del-Header,
+	int-cksum	BIT STRING
+}
+
+Del-Header ::= SEQUENCE {
+	tok-id	   INTEGER --(769)--, -- shall contain 0301 (hex)
+	context-id       Random-Integer,
+	int-alg [0]      AlgorithmIdentifier OPTIONAL,
+	snd-seq [1]      SeqNum OPTIONAL
+}
+
+
+-- other types --
+
+MechType ::= OBJECT IDENTIFIER
+
+SPKMInnerContextToken ::= CHOICE {
+	req    [0] SPKM-REQ,
+	rep-ti [1] SPKM-REP-TI,
+	rep-it [2] SPKM-REP-IT,
+	error  [3] SPKM-ERROR,
+	mic    [4] SPKM-MIC,
+	wrap   [5] SPKM-WRAP,
+	del    [6] SPKM-DEL
+}
+
+InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
+	thisMech	      MechType,
+	innerContextToken     SPKMInnerContextToken
+}     -- when thisMech is SPKM-1 or SPKM-2
+
+
+END
diff --git a/lib/gssapi/spkm.asn1 b/lib/gssapi/spkm.asn1
new file mode 100644
index 000000000..5c14196a4
--- /dev/null
+++ b/lib/gssapi/spkm.asn1
@@ -0,0 +1,240 @@
+-- from rfc2025
+-- $Id$
+
+SpkmGssTokens DEFINITIONS ::=
+BEGIN
+
+IMPORTS AlgorithmIdentifier, Validity,
+	Attribute, Certificate, CertificateList, CertificatePair, Name
+	FROM rfc2459
+	AuthorizationData FROM krb5;
+
+SPKM-REQ ::= SEQUENCE {
+	requestToken      REQ-TOKEN,
+	certif-data [0]   CertificationData OPTIONAL,
+	auth-data [1]     AuthorizationData OPTIONAL
+}
+
+
+CertificationData ::= SEQUENCE {
+	certificationPath [0]	  CertificationPath OPTIONAL,
+	certificateRevocationList [1]  CertificateList OPTIONAL
+} -- at least one of the above shall be present
+
+
+CertificationPath ::= SEQUENCE {
+	userKeyId [0]	 OCTET STRING OPTIONAL,
+	userCertif [1]	Certificate OPTIONAL,
+	verifKeyId [2]	OCTET STRING OPTIONAL,
+	userVerifCertif [3]   Certificate OPTIONAL,
+	theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL
+} -- Presence of [2] or [3] implies that [0] or [1] must also be
+  -- present.  Presence of [4] implies that at least one of [0], [1],
+  -- [2], and [3] must also be present.
+
+REQ-TOKEN ::= SEQUENCE {
+	req-contents     Req-contents,
+	algId	    AlgorithmIdentifier,
+	req-integrity    Integrity  -- "token" is Req-contents
+}
+
+Integrity ::= BIT STRING
+  -- If corresponding algId specifies a signing algorithm,
+  -- "Integrity" holds the result of applying the signing procedure
+  -- specified in algId to the BER-encoded octet string which results
+  -- from applying the hashing procedure (also specified in algId) to
+  -- the DER-encoded octets of "token".
+  -- Alternatively, if corresponding algId specifies a MACing
+  -- algorithm, "Integrity" holds the result of applying the MACing
+  -- procedure specified in algId to the DER-encoded octets of
+  -- "token"
+
+Req-contents ::= SEQUENCE {
+	tok-id	   INTEGER --(256)--,  -- shall contain 0100 (hex)
+	context-id       Random-Integer,
+	pvno	     BIT STRING,
+	timestamp	UTCTime OPTIONAL, -- mandatory for SPKM-2
+	randSrc	  Random-Integer,
+	targ-name	Name,
+	src-name [0]     Name OPTIONAL,
+	req-data	 Context-Data,
+	validity [1]     Validity OPTIONAL,
+	key-estb-set     Key-Estb-Algs,
+	key-estb-req     BIT STRING OPTIONAL,
+	key-src-bind     OCTET STRING OPTIONAL
+	   -- This field must be present for the case of SPKM-2
+	   -- unilateral authen. if the K-ALG in use does not provide
+	   -- such a binding (but is optional for all other cases).
+	   -- The octet string holds the result of applying the
+	   -- mandatory hashing procedure (in MANDATORY I-ALG;
+	   -- see Section 2.1) as follows:  MD5(src || context_key),
+	   -- where "src" is the DER-encoded octets of src-name,
+	   -- "context-key" is the symmetric key (i.e., the
+	   -- unprotected version of what is transmitted in
+	   -- key-estb-req), and "||" is the concatenation operation.
+}
+
+Random-Integer ::= BIT STRING
+
+Context-Data ::= SEQUENCE {
+	channelId       ChannelId OPTIONAL,
+	seq-number      INTEGER OPTIONAL,
+	options	 Options,
+	conf-alg	Conf-Algs,
+	intg-alg	Intg-Algs,
+	owf-alg	 OWF-Algs
+}
+
+ChannelId ::= OCTET STRING
+
+Options ::= BIT STRING {
+	delegation-state (0),
+	mutual-state (1),
+	replay-det-state (2),
+	sequence-state (3),
+	conf-avail (4),
+	integ-avail (5),
+	target-certif-data-required (6)
+}
+
+Conf-Algs ::= CHOICE {
+	algs [0]	 SEQUENCE OF AlgorithmIdentifier,
+	null [1]	 NULL
+}
+
+Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier
+
+OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier
+
+Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier
+
+
+SPKM-REP-TI ::= SEQUENCE {
+	responseToken    REP-TI-TOKEN,
+	certif-data      CertificationData OPTIONAL
+	  -- present if target-certif-data-required option was
+}	 -- set to TRUE in SPKM-REQ
+
+REP-TI-TOKEN ::= SEQUENCE {
+	rep-ti-contents  Rep-ti-contents,
+	algId	    AlgorithmIdentifier,
+	rep-ti-integ     Integrity  -- "token" is Rep-ti-contents
+}
+
+Rep-ti-contents ::= SEQUENCE {
+	tok-id	   INTEGER --(512)--,   -- shall contain 0200 (hex)
+	context-id       Random-Integer,
+	pvno [0]	 BIT STRING OPTIONAL,
+	timestamp	UTCTime OPTIONAL, -- mandatory for SPKM-2
+	randTarg	 Random-Integer,
+	src-name [1]     Name OPTIONAL,
+	targ-name	Name,
+	randSrc	  Random-Integer,
+	rep-data	 Context-Data,
+	validity [2]     Validity  OPTIONAL,
+	key-estb-id      AlgorithmIdentifier OPTIONAL,
+	key-estb-str     BIT STRING OPTIONAL
+}
+
+SPKM-REP-IT ::= SEQUENCE {
+	responseToken    REP-IT-TOKEN,
+	algId	    AlgorithmIdentifier,
+	rep-it-integ     Integrity  -- "token" is REP-IT-TOKEN
+}
+
+REP-IT-TOKEN ::= SEQUENCE {
+	tok-id	   INTEGER --(768)--,  -- shall contain 0300 (hex)
+	context-id       Random-Integer,
+	randSrc	  Random-Integer,
+	randTarg	 Random-Integer,
+	targ-name	Name,
+	src-name	 Name OPTIONAL,
+	key-estb-rep     BIT STRING OPTIONAL
+}
+
+SPKM-ERROR ::= SEQUENCE {
+	errorToken       ERROR-TOKEN,
+	algId	    AlgorithmIdentifier,
+	integrity	Integrity  -- "token" is ERROR-TOKEN
+}
+
+ERROR-TOKEN ::=   SEQUENCE {
+	tok-id	   INTEGER --(1024)--, -- shall contain 0400 (hex)
+	context-id       Random-Integer
+}
+
+SPKM-MIC ::= SEQUENCE {
+	mic-header       Mic-Header,
+	int-cksum	BIT STRING
+}
+
+Mic-Header ::= SEQUENCE {
+	tok-id	   INTEGER --(257)--, -- shall contain 0101 (hex)
+	context-id       Random-Integer,
+	int-alg [0]      AlgorithmIdentifier OPTIONAL,
+	snd-seq [1]      SeqNum OPTIONAL
+}
+
+SeqNum ::= SEQUENCE {
+	num	      INTEGER,
+	dir-ind	  BOOLEAN
+}
+
+SPKM-WRAP ::= SEQUENCE {
+	wrap-header       Wrap-Header,
+	wrap-body	 Wrap-Body
+}
+
+Wrap-Header ::= SEQUENCE {
+	tok-id	   INTEGER --(513)--, -- shall contain 0201 (hex)
+	context-id       Random-Integer,
+	int-alg [0]      AlgorithmIdentifier OPTIONAL,
+	conf-alg [1]     Conf-Alg OPTIONAL,
+	snd-seq [2]      SeqNum OPTIONAL
+}
+
+Wrap-Body ::= SEQUENCE {
+	int-cksum	BIT STRING,
+	data	     BIT STRING
+}
+
+Conf-Alg ::= CHOICE {
+	algId [0]	AlgorithmIdentifier,
+	null [1]	 NULL
+}
+
+
+SPKM-DEL ::= SEQUENCE {
+	del-header       Del-Header,
+	int-cksum	BIT STRING
+}
+
+Del-Header ::= SEQUENCE {
+	tok-id	   INTEGER --(769)--, -- shall contain 0301 (hex)
+	context-id       Random-Integer,
+	int-alg [0]      AlgorithmIdentifier OPTIONAL,
+	snd-seq [1]      SeqNum OPTIONAL
+}
+
+
+-- other types --
+
+MechType ::= OBJECT IDENTIFIER
+
+SPKMInnerContextToken ::= CHOICE {
+	req    [0] SPKM-REQ,
+	rep-ti [1] SPKM-REP-TI,
+	rep-it [2] SPKM-REP-IT,
+	error  [3] SPKM-ERROR,
+	mic    [4] SPKM-MIC,
+	wrap   [5] SPKM-WRAP,
+	del    [6] SPKM-DEL
+}
+
+InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
+	thisMech	      MechType,
+	innerContextToken     SPKMInnerContextToken
+}     -- when thisMech is SPKM-1 or SPKM-2
+
+
+END