diff --git a/lib/asn1/pkinit.asn1 b/lib/asn1/pkinit.asn1 new file mode 100644 index 000000000..92c5de75d --- /dev/null +++ b/lib/asn1/pkinit.asn1 @@ -0,0 +1,189 @@ +PKINIT DEFINITIONS ::= BEGIN + +IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData + FROM krb5; +IMPORTS SignedData, EnvelopedData FROM CMS; +IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509; + + +-- 3.1 + +CertPrincipalName ::= SEQUENCE { + name-type[0] INTEGER, + name-string[1] SEQUENCE OF UTF8String +} + + +-- 3.2.2 + + +TrustedCertifiers ::= SEQUENCE OF PrincipalName + -- X.500 name encoded as a principal name + -- see Section 3.1 +CertificateIndex ::= INTEGER + -- 0 = 1st certificate, + -- (in order of encoding) + -- 1 = 2nd certificate, etc + +PA-PK-AS-REP ::= CHOICE { + -- PA TYPE 15 + dhSignedData[0] SignedData, + -- Defined in CMS and used only with + -- Diffie-Hellman key exchange (if the + -- client public value was present in the + -- request). + -- This choice MUST be supported + -- by compliant implementations. + encKeyPack[1] EnvelopedData + -- Defined in CMS + -- The temporary key is encrypted + -- using the client public key + -- key + -- SignedReplyKeyPack, encrypted + -- with the temporary key, is also + -- included. +} + + + +KdcDHKeyInfo ::= SEQUENCE { + -- used only when utilizing Diffie-Hellman + nonce[0] INTEGER, + -- binds responce to the request + subjectPublicKey[2] BIT STRING + -- Equals public exponent (g^a mod p) + -- INTEGER encoded as payload of + -- BIT STRING +} + +ReplyKeyPack ::= SEQUENCE { + -- not used for Diffie-Hellman + replyKey[0] EncryptionKey, + -- used to encrypt main reply + -- ENCTYPE is at least as strong as + -- ENCTYPE of session key + nonce[1] INTEGER + -- binds response to the request + -- must be same as the nonce + -- passed in the PKAuthenticator +} + +-- subjectAltName EXTENSION ::= { +-- SYNTAX GeneralNames +-- IDENTIFIED BY id-ce-subjectAltName +-- } + +OtherName ::= SEQUENCE { + type-id OBJECT IDENTIFIER, + value[0] OCTET STRING +-- value[0] EXPLICIT ANY DEFINED BY type-id +} + +GeneralName ::= CHOICE { + otherName [0] OtherName, + ... +} + +GeneralNames ::= SEQUENCE -- SIZE(1..MAX) + OF GeneralName + +KerberosName ::= SEQUENCE { + realm[0] Realm, + -- as defined in RFC 1510 + principalName[1] CertPrincipalName + -- defined above +} + + +-- krb5 OBJECT IDENTIFIER ::= { +-- iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2) +-- } + +-- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 } + +-- 3.2.1 + + +IssuerAndSerialNumber ::= SEQUENCE { + issuer Name, + serialNumber CertificateSerialNumber +} + +TrustedCas ::= CHOICE { + principalName[0] KerberosName, + -- as defined below + caName[1] Name, + -- fully qualified X.500 name + -- as defined by X.509 + issuerAndSerial[2] IssuerAndSerialNumber + -- Since a CA may have a number of + -- certificates, only one of which + -- a client trusts +} + +PA-PK-AS-REQ ::= SEQUENCE { + -- PA TYPE 14 + signedAuthPack[0] SignedData, + -- defined in CMS [11] + -- AuthPack (below) defines the data + -- that is signed + trustedCertifiers[1] SEQUENCE OF TrustedCas OPTIONAL, + -- CAs that the client trusts + kdcCert[2] IssuerAndSerialNumber OPTIONAL, + -- as defined in CMS [11] + -- specifies a particular KDC + -- certificate if the client + -- already has it; + encryptionCert[3] IssuerAndSerialNumber OPTIONAL + -- For example, this may be the + -- client's Diffie-Hellman + -- certificate, or it may be the + -- client's RSA encryption + -- certificate. +} + +PKAuthenticator ::= SEQUENCE { + kdcName[0] PrincipalName, + kdcRealm[1] Realm, + cusec[2] INTEGER, + -- for replay prevention as in RFC1510 + ctime[3] KerberosTime, + -- for replay prevention as in RFC1510 + nonce[4] INTEGER +} + +-- This is the real definition of AlgorithmIdentifier +-- AlgorithmIdentifier ::= SEQUENCE { +-- algorithm ALGORITHM.&id, +-- parameters ALGORITHM.&Type +-- } -- as specified by the X.509 recommendation[10] + +-- But we'll use this one instead: + +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters CHOICE { + a INTEGER + } +} + + + +SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier, + -- dhKeyAgreement + subjectPublicKey BIT STRING + -- for DH, equals + -- public exponent (INTEGER encoded + -- as payload of BIT STRING) +} -- as specified by the X.509 recommendation[10] + +AuthPack ::= SEQUENCE { + pkAuthenticator[0] PKAuthenticator, + clientPublicValue[1] SubjectPublicKeyInfo OPTIONAL + -- if client is using Diffie-Hellman + -- (ephemeral-ephemeral only) +} + + +END diff --git a/lib/asn1/rfc2459.asn1 b/lib/asn1/rfc2459.asn1 new file mode 100644 index 000000000..c9adec609 --- /dev/null +++ b/lib/asn1/rfc2459.asn1 @@ -0,0 +1,21 @@ +RFC2459 DEFINITIONS ::= BEGIN + +AttributeType ::= OBJECT-IDENTIFIER + +AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType + +AttributeTypeAndValue ::= SEQUENCE { + type AttributeType, + value AttributeValue +} + +RelativeDistinguishedName ::= --SET +SEQUENCE OF AttributeTypeAndValue + +RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + +Name ::= CHOICE { -- RFC2459 + x RDNSequence +} + +END \ No newline at end of file diff --git a/lib/asn1/x509.asn1 b/lib/asn1/x509.asn1 new file mode 100644 index 000000000..4a15844c8 --- /dev/null +++ b/lib/asn1/x509.asn1 @@ -0,0 +1,23 @@ +X509 DEFINITIONS ::= BEGIN + +CertificateSerialNumber ::= INTEGER -- X.509 '97 + +AttributeType ::= OBJECT-IDENTIFIER + +AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType + +AttributeTypeAndValue ::= SEQUENCE { + type AttributeType, + value AttributeValue +} + +RelativeDistinguishedName ::= --SET +SEQUENCE OF AttributeTypeAndValue + +RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + +Name ::= CHOICE { -- RFC2459 + x RDNSequence +} + +END \ No newline at end of file