FW: Help required on Kerberos Message structure

John Hascall john at iastate.edu
Thu Apr 24 15:50:27 EDT 2008

> Hi,
> I am trying to implement synthetic client for kerberos implementation. Please
 can you help me on how to create the AS-REQ message structure and also TGS-REQ
 message structure. I mean what's the structure of AS-REQ and TGS-REQ. This str
uctures are specified in RFC using ASN.1 notation. Can u give me the same struc
ture in c language data types.  Please do reply to this message. Use this alias
 to reply to me(v-asjai at microsoft.com<mailto:v-asjai at microsoft.com>).

There is not really a mapping between the ASN.1 notation
(and more importantly the ASN.1 "data on the wire" representation)
and any particular C structures.  About as close as you're going to
come is:

  struct thing {
      struct thing *next;
      unsigned char tag;
      unsigned int  length;
      void *        data;	/* depending on tag might point to another */
  };                            /* struct thing or to some primitive data */

Because, on the wire ASN.1 is essentally:


where the tag tells how the data is interpreted.
Many tags are CONSTRUCTED (i.e., "container") tags
which means their data is itself interpreted as
one or more <tag><length><data> sequences as well.
Tags which are not containers are PRIMITIVE tags
(integers, strings, datetimes, etc).

Tags are one byte.  You can tell a CONSTRUCTED tag
by the fact that the 0x20 bit is set.  The length
is one or more bytes.  A length byte with the 0x80
bit clear is the actual length.  If the 0x80 bit
is set, than the rest of the byte is the count
of length bytes to follow. For example:

  0x22 == length of 38 decimal
  0x82 == 2 length bytes follow, MSB first
          0x82 0x03 0x04 == 772 decimal, aka (3<<8) + 4

So if a Kerberos packet starts like:

        0x0010:                                6d82 01ec  ...\......+.m...
        0x0020:  3082 01e8 a003 0201 05a1 0302 010d a30d  0...............
        0x0030:  1b0b 4941 5354 4154 452e 4544 55  ...

Then that's:
                                                           //tag, len, data
APPLICATION[13]<492> {                                     // 62, 8201ec, ...
        SEQUENCE<488> {                                    // 30, 8201e8, ...
                CONTEXT[0]<3> {                            // a0, 03, ...
                        INTEGER<1> = 5                     // 02, 01, 05
                CONTEXT[1]<3> {                            // a1, 03, ...
                        INTEGER<1> = 13                    // 02, 01, 0d
                CONTEXT[3]<13> {                           // a3, 0d, ...
                        GENERALSTRING<11> = "IASTATE.EDU"  // 1b, 0b, 49..55

Hope this is some help,

More information about the Kerberos mailing list