-- $Id$ --
PKINIT DEFINITIONS ::= BEGIN
IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
IssuerAndSerialNumber, ContentInfo FROM cms
SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
heim_any FROM heim;
id-pkinit OBJECT IDENTIFIER ::=
{ iso (1) org (3) dod (6) internet (1) security (5)
kerberosv5 (2) pkinit (3) }
id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }
id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }
id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }
id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }
id-pkinit-san OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
x509-sanan(2) }
id-pkinit-ms-eku OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 20 2 2 }
id-pkinit-ms-san OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 20 2 3 }
MS-UPN-SAN ::= UTF8String
pa-pk-as-req INTEGER ::= 16
pa-pk-as-rep INTEGER ::= 17
td-trusted-certifiers INTEGER ::= 104
td-invalid-certificates INTEGER ::= 105
td-dh-parameters INTEGER ::= 109
DHNonce ::= OCTET STRING
KDFAlgorithmId ::= SEQUENCE {
kdf-id [0] OBJECT IDENTIFIER,
...
}
TrustedCA ::= SEQUENCE {
caName [0] IMPLICIT OCTET STRING,
certificateSerialNumber [1] INTEGER OPTIONAL,
subjectKeyIdentifier [2] OCTET STRING OPTIONAL,
...
}
ExternalPrincipalIdentifier ::= SEQUENCE {
subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
...
}
ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier
PA-PK-AS-REQ ::= SEQUENCE {
signedAuthPack [0] IMPLICIT OCTET STRING,
trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL,
kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL,
...
}
PKAuthenticator ::= SEQUENCE {
cusec [0] INTEGER -- (0..999999) --,
ctime [1] KerberosTime,
nonce [2] INTEGER (0..4294967295),
paChecksum [3] OCTET STRING OPTIONAL,
...
}
AuthPack ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator,
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
clientDHNonce [3] DHNonce OPTIONAL,
...,
supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
...
}
TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers
KRB5PrincipalName ::= SEQUENCE {
realm [0] Realm,
principalName [1] PrincipalName
}
AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier
DHRepInfo ::= SEQUENCE {
dhSignedData [0] IMPLICIT OCTET STRING,
serverDHNonce [1] DHNonce OPTIONAL,
...,
kdf [2] KDFAlgorithmId OPTIONAL,
...
}
PA-PK-AS-REP ::= CHOICE {
dhInfo [0] DHRepInfo,
encKeyPack [1] IMPLICIT OCTET STRING,
...
}
KDCDHKeyInfo ::= SEQUENCE {
subjectPublicKey [0] BIT STRING,
nonce [1] INTEGER (0..4294967295),
dhKeyExpiration [2] KerberosTime OPTIONAL,
...
}
ReplyKeyPack ::= SEQUENCE {
replyKey [0] EncryptionKey,
asChecksum [1] Checksum,
...
}
TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
-- Windows compat glue --
PKAuthenticator-Win2k ::= SEQUENCE {
kdcName [0] PrincipalName,
kdcRealm [1] Realm,
cusec [2] INTEGER (0..4294967295),
ctime [3] KerberosTime,
nonce [4] INTEGER (-2147483648..2147483647)
}
AuthPack-Win2k ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator-Win2k,
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
}
TrustedCA-Win2k ::= CHOICE {
caName [1] heim_any,
issuerAndSerial [2] IssuerAndSerialNumber
}
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
signed-auth-pack [0] IMPLICIT OCTET STRING,
trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
}
PA-PK-AS-REP-Win2k ::= CHOICE {
dhSignedData [0] IMPLICIT OCTET STRING,
encKeyPack [1] IMPLICIT OCTET STRING
}
KDCDHKeyInfo-Win2k ::= SEQUENCE {
nonce [0] INTEGER (-2147483648..2147483647),
subjectPublicKey [2] BIT STRING
}
ReplyKeyPack-Win2k ::= SEQUENCE {
replyKey [0] EncryptionKey,
nonce [1] INTEGER (-2147483648..2147483647),
...
}
PA-PK-AS-REP-BTMM ::= SEQUENCE {
dhSignedData [0] heim_any OPTIONAL,
encKeyPack [1] heim_any OPTIONAL
}
PkinitSP80056AOtherInfo ::= SEQUENCE {
algorithmID AlgorithmIdentifier,
partyUInfo [0] OCTET STRING,
partyVInfo [1] OCTET STRING,
suppPubInfo [2] OCTET STRING OPTIONAL,
suppPrivInfo [3] OCTET STRING OPTIONAL
}
PkinitSuppPubInfo ::= SEQUENCE {
enctype [0] INTEGER (-2147483648..2147483647),
as-REQ [1] OCTET STRING,
pk-as-rep [2] OCTET STRING,
ticket [3] Ticket,
...
}
END