b838707d0e
Highlighs for the compiler is support for CHOICE and in general better support for tags. This compiler support most of what is needed for PK-INIT, LDAP, X.509, PKCS-12 and many other protocols. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15617 ec53bebd-3082-4978-b11e-865c3cabbd6b
172 lines
4.6 KiB
Groff
172 lines
4.6 KiB
Groff
-- $Id$ --
|
|
|
|
PKINIT DEFINITIONS ::= BEGIN
|
|
|
|
IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum FROM krb5
|
|
IssuerAndSerialNumber, ContentInfo FROM cms
|
|
SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
|
|
heim_any FROM heim;
|
|
|
|
id-pkinit OBJECT IDENTIFIER ::=
|
|
{ iso (1) org (3) dod (6) internet (1) security (5)
|
|
kerberosv5 (2) pkinit (3) }
|
|
|
|
id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }
|
|
id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }
|
|
id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
|
|
id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
|
|
id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }
|
|
|
|
pa-pk-as-req INTEGER ::= 16
|
|
pa-pk-as-rep INTEGER ::= 17
|
|
|
|
ad-initial-verified-cas INTEGER ::= 9
|
|
|
|
td-trusted-certifiers INTEGER ::= 104
|
|
td-invalid-certificates INTEGER ::= 105
|
|
td-dh-parameters INTEGER ::= 109
|
|
|
|
DHNonce ::= OCTET STRING
|
|
|
|
TrustedCA ::= SEQUENCE {
|
|
caName [0] IMPLICIT OCTET STRING,
|
|
certificateSerialNumber [1] INTEGER OPTIONAL,
|
|
subjectKeyIdentifier [2] OCTET STRING OPTIONAL,
|
|
...
|
|
}
|
|
|
|
PA-PK-AS-REQ ::= SEQUENCE {
|
|
signedAuthPack [0] IMPLICIT OCTET STRING,
|
|
trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL,
|
|
kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL,
|
|
...
|
|
}
|
|
|
|
PKAuthenticator ::= SEQUENCE {
|
|
cusec [0] INTEGER -- (0..999999) --,
|
|
ctime [1] KerberosTime,
|
|
nonce [2] INTEGER (0..4294967295),
|
|
paChecksum [3] OCTET STRING,
|
|
...
|
|
}
|
|
|
|
AuthPack ::= SEQUENCE {
|
|
pkAuthenticator [0] PKAuthenticator,
|
|
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
|
|
supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
|
|
clientDHNonce [3] DHNonce OPTIONAL,
|
|
...
|
|
}
|
|
|
|
TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF TrustedCA
|
|
TD-INVALID-CERTIFICATES ::= SEQUENCE OF OCTET STRING
|
|
|
|
KRB5PrincipalName ::= SEQUENCE {
|
|
realm [0] Realm,
|
|
principalName [1] PrincipalName
|
|
}
|
|
|
|
AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF TrustedCA
|
|
|
|
|
|
DHRepInfo ::= SEQUENCE {
|
|
dhSignedData [0] IMPLICIT OCTET STRING,
|
|
serverDHNonce [1] DHNonce OPTIONAL
|
|
}
|
|
|
|
PA-PK-AS-REP ::= CHOICE {
|
|
dhInfo [0] DHRepInfo,
|
|
encKeyPack [1] IMPLICIT OCTET STRING,
|
|
...
|
|
}
|
|
|
|
KDCDHKeyInfo ::= SEQUENCE {
|
|
subjectPublicKey [0] BIT STRING,
|
|
nonce [1] INTEGER (0..4294967295),
|
|
dhKeyExpiration [2] KerberosTime OPTIONAL,
|
|
...
|
|
}
|
|
|
|
ReplyKeyPack ::= SEQUENCE {
|
|
replyKey [0] EncryptionKey,
|
|
nonce [1] INTEGER (0..4294967295),
|
|
...
|
|
}
|
|
|
|
TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
|
|
|
|
|
|
-- Windows and pk-init-19 compat glue --
|
|
|
|
PKAuthenticator-Win2k ::= SEQUENCE {
|
|
kdcName [0] PrincipalName,
|
|
kdcRealm [1] Realm,
|
|
cusec [2] INTEGER (0..4294967295),
|
|
ctime [3] KerberosTime,
|
|
nonce [4] INTEGER (-2147483648..2147483647)
|
|
}
|
|
|
|
AuthPack-Win2k ::= SEQUENCE {
|
|
pkAuthenticator [0] PKAuthenticator-Win2k,
|
|
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
|
|
}
|
|
|
|
|
|
PA-PK-AS-REP-Win2k ::= CHOICE {
|
|
dhSignedData [0] IMPLICIT OCTET STRING,
|
|
encKeyPack [1] IMPLICIT OCTET STRING
|
|
}
|
|
|
|
|
|
KDCDHKeyInfo-Win2k ::= SEQUENCE {
|
|
nonce [0] INTEGER (-2147483648..2147483647),
|
|
subjectPublicKey [2] BIT STRING
|
|
}
|
|
|
|
TrustedCA-19 ::= CHOICE {
|
|
caName [1] heim_any,
|
|
issuerAndSerial [2] IssuerAndSerialNumber
|
|
}
|
|
|
|
PA-PK-AS-REQ-19 ::= SEQUENCE { -- PAType 14
|
|
signedAuthPack [0] ContentInfo, -- AuthPack
|
|
trustedCertifiers [1] SEQUENCE OF TrustedCA-19 OPTIONAL,
|
|
kdcCert [2] IssuerAndSerialNumber OPTIONAL,
|
|
encryptionCert [3] IssuerAndSerialNumber OPTIONAL,
|
|
...
|
|
}
|
|
|
|
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
|
|
signed-auth-pack [0] IMPLICIT OCTET STRING,
|
|
trusted-certifiers [2] SEQUENCE OF TrustedCA-19 OPTIONAL,
|
|
kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
|
|
encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
|
|
}
|
|
|
|
PKAuthenticator-19 ::= SEQUENCE {
|
|
cusec [0] INTEGER (0..4294967295),
|
|
ctime [1] KerberosTime,
|
|
nonce [2] INTEGER (0..4294967295),
|
|
paChecksum [3] Checksum,
|
|
...
|
|
}
|
|
|
|
AuthPack-19 ::= SEQUENCE {
|
|
pkAuthenticator [0] PKAuthenticator-19,
|
|
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
|
|
}
|
|
|
|
PA-PK-AS-REP-19 ::= CHOICE {
|
|
dhSignedData [0] ContentInfo,
|
|
encKeyPack [1] ContentInfo,
|
|
...
|
|
}
|
|
|
|
ReplyKeyPack-19 ::= SEQUENCE {
|
|
replyKey [0] EncryptionKey,
|
|
nonce [1] INTEGER (0..4294967295),
|
|
...
|
|
}
|
|
|
|
END
|