PKINIT DEFINITIONS ::= BEGIN
IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
IssuerAndSerialNumber, ContentInfo FROM cms
SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
-- Root arc for every PKINIT identifier in this module:
-- 1.3.6.1.5.2.3 (iso.org.dod.internet.security.kerberosv5.pkinit).
id-pkinit OBJECT IDENTIFIER ::=
{ iso (1) org (3) dod (6) internet (1) security (5)
kerberosv5 (2) pkinit (3) }
id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }
id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }
id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
-- Extended key usage expected in the client's certificate
-- (RFC 4556 id-pkinit-KPClientAuth, 1.3.6.1.5.2.3.4).
id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
-- Extended key usage that marks a certificate as belonging to a KDC
-- (RFC 4556 id-pkinit-KPKdc, 1.3.6.1.5.2.3.5).  A client that checks
-- neither this EKU nor an equivalent local policy lets any end-entity
-- certificate from a trusted CA pose as the KDC.
id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }
-- Arc for the key-derivation functions of RFC 8636 (PKINIT algorithm
-- agility); one of the three values below travels in KDFAlgorithmId.kdf-id.
id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
-- SHA-1 based KDF, the weakest of the three.  The KDC's choice comes back
-- in DHRepInfo.kdf, so policy on which KDFs are acceptable belongs on
-- both the client and the KDC side.
id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }
id-pkinit-san OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
-- Microsoft smart-card-logon EKU, 1.3.6.1.4.1.311.20.2.2; implementations
-- that interoperate with Windows typically accept it as an alternative
-- to id-pkekuoid in client certificates.
id-pkinit-ms-eku OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 20 2 2 }
-- Microsoft UPN otherName SAN type, 1.3.6.1.4.1.311.20.2.3; its value is
-- the MS-UPN-SAN UTF8String defined below.
id-pkinit-ms-san OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 20 2 3 }
-- Value of the id-pkinit-ms-san otherName.  It is only a claim carried by
-- the certificate: the KDC must match it against the requesting client
-- principal (and the issuing CA's authority for that realm), not trust
-- it on its own.
MS-UPN-SAN ::= UTF8String
-- PA-DATA type numbers for the PKINIT pre-authentication exchange
-- (RFC 4556): 16 for the client's request, 17 for the KDC's reply.
pa-pk-as-req INTEGER ::= 16
pa-pk-as-rep INTEGER ::= 17
-- TYPED-DATA type numbers for the PKINIT error hints (RFC 4556); the
-- bodies are the TD-* types defined further down in this module.
td-trusted-certifiers INTEGER ::= 104
td-invalid-certificates INTEGER ::= 105
td-dh-parameters INTEGER ::= 109
-- Fresh nonce contributed by each side of the DH exchange
-- (AuthPack.clientDHNonce, DHRepInfo.serverDHNonce).  Mixing the nonces
-- into key derivation is what allows a DH public value to be reused
-- without deriving the same reply key twice.
DHNonce ::= OCTET STRING
-- Identifies one of the id-pkinit-kdf-* KDFs; offered by the client in
-- AuthPack.supportedKDFs and selected by the KDC in DHRepInfo.kdf.
KDFAlgorithmId ::= SEQUENCE {
kdf-id [0] OBJECT IDENTIFIER,
TrustedCA ::= SEQUENCE {
caName [0] IMPLICIT OCTET STRING,
certificateSerialNumber [1] INTEGER OPTIONAL,
subjectKeyIdentifier [2] OCTET STRING OPTIONAL,
-- Names a certificate by subject name, issuer+serial, or subject key
-- identifier.  Each alternative is carried as opaque DER (IMPLICIT OCTET
-- STRING) and decoded separately from this schema.
ExternalPrincipalIdentifier ::= SEQUENCE {
subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
-- List form used by PA-PK-AS-REQ.trustedCertifiers and by the
-- TD-TRUSTED-CERTIFIERS / TD-INVALID-CERTIFICATES error hints.
ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier
-- Client's PKINIT pre-authentication data.  signedAuthPack is opaque at
-- this level; per RFC 4556 it holds a CMS SignedData over an AuthPack,
-- and the signer's certificate chain and EKU are validated outside this
-- schema before anything inside it is trusted.
PA-PK-AS-REQ ::= SEQUENCE {
signedAuthPack [0] IMPLICIT OCTET STRING,
trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL,
kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL,
-- Inner authenticator signed by the client: cusec/ctime give the KDC a
-- freshness window, nonce is echoed in the reply, and paChecksum ties the
-- signature to the KDC-REQ-BODY it accompanies.
PKAuthenticator ::= SEQUENCE {
-- The (0..999999) constraint is commented out, so the decoder does not
-- enforce it; consumers must range-check cusec themselves.
cusec [0] INTEGER -- (0..999999) --,
ctime [1] KerberosTime,
nonce [2] INTEGER (0..4294967295),
-- Checksum over the KDC-REQ-BODY, binding the signed AuthPack to this
-- particular request.  It is OPTIONAL only for legacy interoperability:
-- a KDC that accepts a request without it gives up that binding, so the
-- decision to require it is a policy choice (see RFC 4556 for the
-- verification rules).
paChecksum [3] OCTET STRING OPTIONAL,
AuthPack ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator,
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
clientDHNonce [3] DHNonce OPTIONAL,
supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
-- Body of typed-data td-trusted-certifiers (104): the CAs the KDC will
-- accept, returned so the client can pick a suitable certificate.
TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
-- Body of typed-data td-invalid-certificates (105): the certificates the
-- KDC rejected.  It arrives in an unauthenticated KRB-ERROR, so clients
-- should treat it as a hint, not as a verdict.
TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers
KRB5PrincipalName ::= SEQUENCE {
principalName [1] PrincipalName
AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier
-- KDC reply in DH mode.  dhSignedData is opaque here (per RFC 4556 a CMS
-- SignedData over KDCDHKeyInfo) and should be verified against a KDC
-- certificate carrying id-pkkdcekuoid, or an equivalent local policy,
-- before serverDHNonce or kdf are acted on.
DHRepInfo ::= SEQUENCE {
dhSignedData [0] IMPLICIT OCTET STRING,
serverDHNonce [1] DHNonce OPTIONAL,
kdf [2] KDFAlgorithmId OPTIONAL,
PA-PK-AS-REP ::= CHOICE {
dhInfo [0] DHRepInfo,
encKeyPack [1] IMPLICIT OCTET STRING,
-- The KDC's DH public value.  nonce echoes PKAuthenticator.nonce so the
-- client can match reply to request; dhKeyExpiration, when present,
-- bounds how long the client may keep reusing this KDC key.
KDCDHKeyInfo ::= SEQUENCE {
subjectPublicKey [0] BIT STRING,
nonce [1] INTEGER (0..4294967295),
dhKeyExpiration [2] KerberosTime OPTIONAL,
-- Public-key-encryption mode reply.  asChecksum is keyed with replyKey
-- and computed over the AS-REQ, so the client can detect a reply that was
-- spliced onto a different request.
ReplyKeyPack ::= SEQUENCE {
replyKey [0] EncryptionKey,
asChecksum [1] Checksum,
-- Body of typed-data td-dh-parameters (109): the DH groups the KDC is
-- willing to use, listed as AlgorithmIdentifiers.  Like the other TD-*
-- hints it is unauthenticated, so the client's own minimum group-strength
-- policy still applies when choosing from it.
TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
-- Windows 2000 compatibility variants (the -Win2k types below) --
-- Legacy authenticator.  Tags and integer ranges differ from
-- PKAuthenticator: nonce is a signed 32-bit range here but unsigned
-- (0..4294967295) there, so a decoder handling both must keep the two
-- types distinct rather than share one nonce representation.
PKAuthenticator-Win2k ::= SEQUENCE {
kdcName [0] PrincipalName,
cusec [2] INTEGER (0..4294967295),
ctime [3] KerberosTime,
nonce [4] INTEGER (-2147483648..2147483647)
AuthPack-Win2k ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator-Win2k,
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
TrustedCA-Win2k ::= CHOICE {
issuerAndSerial [2] IssuerAndSerialNumber
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
signed-auth-pack [0] IMPLICIT OCTET STRING,
trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
PA-PK-AS-REP-Win2k ::= CHOICE {
dhSignedData [0] IMPLICIT OCTET STRING,
encKeyPack [1] IMPLICIT OCTET STRING
KDCDHKeyInfo-Win2k ::= SEQUENCE {
nonce [0] INTEGER (-2147483648..2147483647),
subjectPublicKey [2] BIT STRING
ReplyKeyPack-Win2k ::= SEQUENCE {
replyKey [0] EncryptionKey,
nonce [1] INTEGER (-2147483648..2147483647),
-- OtherInfo input to the SP 800-56A concatenation KDF (RFC 8636):
-- partyUInfo and partyVInfo carry the client and KDC principal names,
-- and suppPubInfo carries the DER of PkinitSuppPubInfo below.
PkinitSP80056AOtherInfo ::= SEQUENCE {
algorithmID AlgorithmIdentifier,
partyUInfo [0] OCTET STRING,
partyVInfo [1] OCTET STRING,
suppPubInfo [2] OCTET STRING OPTIONAL,
suppPrivInfo [3] OCTET STRING OPTIONAL
-- Mixed into the KDF so the derived reply key is bound to the negotiated
-- enctype, the exact AS-REQ bytes and the exact PA-PK-AS-REP bytes;
-- altering any of them in transit yields a different key on each side.
PkinitSuppPubInfo ::= SEQUENCE {
enctype [0] INTEGER (-2147483648..2147483647),
as-REQ [1] OCTET STRING,
pk-as-rep [2] OCTET STRING,