synta 0.2.5

ASN.1 parser, decoder, and encoder library with DER/BER support and C FFI
# PKINIT Protocol Types


All PKINIT classes in `synta.krb5` are frozen (immutable after construction). Each provides
a `from_der(data: bytes)` static method for parsing. Fields that are OPTIONAL in the ASN.1
schema are exposed as `... | None`.

```python
import synta.krb5 as krb5
```

## EncryptionKey

RFC 3961 §2 encryption key structure.

```python
class EncryptionKey:
    @staticmethod
    def from_der(data: bytes) -> EncryptionKey: ...
    keytype: int        # Kerberos etype number
    keyvalue: bytes     # raw key material
```

## Checksum

RFC 3961 §4 checksum structure.

```python
class Checksum:
    @staticmethod
    def from_der(data: bytes) -> Checksum: ...
    cksumtype: int      # checksum type
    checksum: bytes     # raw checksum bytes
```

## KDFAlgorithmId

RFC 8636 §3.1 KDF algorithm identifier.

```python
class KDFAlgorithmId:
    @staticmethod
    def from_der(data: bytes) -> KDFAlgorithmId: ...
    kdf_id: ObjectIdentifier    # KDF algorithm OID
```

## IssuerAndSerialNumber

RFC 4556 §3.2.2 — identifies a certificate by issuer name and serial number.

```python
class IssuerAndSerialNumber:
    @staticmethod
    def from_der(data: bytes) -> IssuerAndSerialNumber: ...
    issuer: bytes           # DER-encoded Name SEQUENCE
    serial_number: int      # certificate serial number
```

## ExternalPrincipalIdentifier

RFC 4556 §3.2.2 — identifies a client certificate by one of three optional methods.

```python
class ExternalPrincipalIdentifier:
    @staticmethod
    def from_der(data: bytes) -> ExternalPrincipalIdentifier: ...
    subject_name: bytes | None                               # DER of subject Name
    issuer_and_serial_number: IssuerAndSerialNumber | None
    subject_key_identifier: bytes | None                     # raw SKI bytes
```

## PKAuthenticator

RFC 4556 §3.2.1 — client proof of liveness in AS-REQ.

```python
class PKAuthenticator:
    @staticmethod
    def from_der(data: bytes) -> PKAuthenticator: ...
    cusec: int              # microseconds component (0–999999)
    ctime: str              # client time as "YYYYMMDDHHMMSSz"
    nonce: int
    pa_checksum: bytes | None      # SHA-1 checksum of AS-REQ
    freshness_token: bytes | None  # RFC 8070 freshness token
```
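As an added example that is not part of synta, the block below is a self-contained DER encoder and parser for the PKAuthenticator layout above, so the bytes that `from_der` expects can be inspected and the cusec range can be checked on the way in. `PKAuthenticatorExample`, `_tlv`, `_int` and `_read` are names introduced here, not synta's own; it assumes short-form DER lengths and omits the `freshness_token` field.

```python
# Added example, not synta's own code: minimal DER round-trip for PKAuthenticator
# (RFC 4556 §3.2.1). Short-form lengths only; freshnessToken [4] is left out.
from __future__ import annotations
from dataclasses import dataclass

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80, "short-form length only"
    return bytes([tag, len(body)]) + body

def _int(v: int) -> bytes:  # DER INTEGER, minimal two's complement (v >= 0)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _read(buf: bytes, pos: int) -> tuple[int, bytes, int]:  # -> (tag, body, next)
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("bad, long-form or truncated TLV at %d" % pos)
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

@dataclass(frozen=True)
class PKAuthenticatorExample:
    cusec: int
    ctime: str  # KerberosTime (GeneralizedTime text)
    nonce: int
    pa_checksum: bytes | None = None

    def to_der(self) -> bytes:
        parts = [_tlv(0xA0, _int(self.cusec)),                         # [0] cusec
                 _tlv(0xA1, _tlv(0x18, self.ctime.encode("ascii"))),  # [1] ctime
                 _tlv(0xA2, _int(self.nonce))]                         # [2] nonce
        if self.pa_checksum is not None:                               # [3] OPTIONAL
            parts.append(_tlv(0xA3, _tlv(0x04, self.pa_checksum)))
        return _tlv(0x30, b"".join(parts))

    @staticmethod
    def from_der(data: bytes) -> PKAuthenticatorExample:
        tag, body, end = _read(data, 0)
        if tag != 0x30 or end != len(data):
            raise ValueError("expected exactly one SEQUENCE")
        fields, pos = {}, 0
        while pos < len(body):  # each field is EXPLICIT [n] around one primitive
            ctag, inner, pos = _read(body, pos)
            ptag, prim, used = _read(inner, 0)
            if ctag & 0xE0 != 0xA0 or used != len(inner) or ptag not in (2, 4, 0x18):
                raise ValueError("unexpected encoding at tag 0x%02x" % ctag)
            fields[ctag & 0x1F] = prim
        cusec = int.from_bytes(fields[0], "big", signed=True)
        if not 0 <= cusec <= 999999:  # the range the docs state for cusec
            raise ValueError("cusec out of range")
        return PKAuthenticatorExample(cusec, fields[1].decode("ascii"),
            int.from_bytes(fields[2], "big", signed=True), fields.get(3))
```

A missing mandatory field surfaces as a `KeyError` from the field lookup; a real decoder would report that as a structural error too.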

## AuthPack

RFC 4556 §3.2.1 — content signed by the client.

```python
class AuthPack:
    @staticmethod
    def from_der(data: bytes) -> AuthPack: ...
    pk_authenticator: PKAuthenticator
    client_public_value: bytes | None       # DER SubjectPublicKeyInfo
    supported_cmstypes: bytes | None        # DER AlgorithmIdentifiers
    client_dhnonce: bytes | None
    supported_kdfs: list[KDFAlgorithmId] | None   # RFC 8636 KDF list
```

## PaPkAsReq

RFC 4556 §3.2.2 — PKINIT pre-authentication request.

```python
class PaPkAsReq:
    @staticmethod
    def from_der(data: bytes) -> PaPkAsReq: ...
    signed_auth_pack: bytes                          # CMS SignedData wrapping AuthPack
    trusted_certifiers: list[ExternalPrincipalIdentifier] | None
    kdc_pk_id: bytes | None                          # raw SKI bytes for KDC certificate
```

## DHRepInfo

RFC 4556 §3.2.4 — KDC Diffie-Hellman reply data.

```python
class DHRepInfo:
    @staticmethod
    def from_der(data: bytes) -> DHRepInfo: ...
    dh_signed_data: bytes               # CMS SignedData wrapping KDCDHKeyInfo
    server_dhnonce: bytes | None
```

## KDCDHKeyInfo

RFC 4556 §3.2.4 — KDC DH public key and nonce.

```python
class KDCDHKeyInfo:
    @staticmethod
    def from_der(data: bytes) -> KDCDHKeyInfo: ...
    subject_public_key: bytes       # BIT STRING payload bytes (KDC DH public key)
    nonce: int
    dh_key_expiration: str | None   # "YYYYMMDDHHMMSSz"
```

## ReplyKeyPack

RFC 4556 §3.2.3 — session key and checksum from the KDC (public-key encryption path, used when Diffie-Hellman is not).

```python
class ReplyKeyPack:
    @staticmethod
    def from_der(data: bytes) -> ReplyKeyPack: ...
    reply_key: EncryptionKey    # the session key
    as_checksum: Checksum       # checksum over the AS-REQ
```

## PaPkAsRep

RFC 4556 §3.2.4 — PKINIT pre-authentication reply (CHOICE type).

```python
class PaPkAsRep:
    @staticmethod
    def from_der(data: bytes) -> PaPkAsRep: ...
    variant: str                    # "DhInfo" or "EncKeyPack"
    dh_info: DHRepInfo | None
    enc_key_pack: bytes | None      # CMS EnvelopedData bytes
```

See also [Kerberos V5 Types](krb5.md) for constants and [Krb5PrincipalName](krb5-principal.md)
for principal name encoding.