Diffstat (limited to 'asn1include/EnhancedSecurity.asn1')
-rw-r--r--asn1include/EnhancedSecurity.asn1367
1 files changed, 367 insertions, 0 deletions
diff --git a/asn1include/EnhancedSecurity.asn1 b/asn1include/EnhancedSecurity.asn1
new file mode 100644
index 0000000..3879987
--- /dev/null
+++ b/asn1include/EnhancedSecurity.asn1
@@ -0,0 +1,367 @@
+-- Module EnhancedSecurity (X.501:02/2001)
+EnhancedSecurity {joint-iso-itu-t ds(5) module(1) enhancedSecurity(28) 4}
+DEFINITIONS IMPLICIT TAGS ::=
+BEGIN
+
+-- EXPORTS All
+IMPORTS
+ -- from ITU-T Rec. X.501 | ISO/IEC 9594-2
+ authenticationFramework, basicAccessControl, certificateExtensions,
+ id-at, id-avc, id-mr, informationFramework, upperBounds
+ FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
+ usefulDefinitions(0) 4}
+ Attribute, ATTRIBUTE, AttributeType, Context, CONTEXT, MATCHING-RULE,
+ Name, objectIdentifierMatch, SupportedAttributes
+ FROM InformationFramework {joint-iso-itu-t ds(5) module(1)
+ informationFramework(1) 4}
+ AttributeTypeAndValue
+ FROM BasicAccessControl {joint-iso-itu-t ds(5) module(1)
+ basicAccessControl(24) 4}
+ -- from ITU-T Rec. X.509 | ISO/IEC 9594-8
+ AlgorithmIdentifier, CertificateSerialNumber, ENCRYPTED{}, HASH{},
+ SIGNED{}
+ FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
+ authenticationFramework(7) 4}
+ GeneralName, KeyIdentifier
+ FROM CertificateExtensions {joint-iso-itu-t ds(5) module(1)
+ certificateExtensions(26) 4}
+ ub-privacy-mark-length
+ FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 4};
+
+-- from GULS
+-- SECURITY-TRANSFORMATION, PROTECTION-MAPPING, PROTECTED
+-- FROM Notation { joint-iso-ccitt genericULS (20) modules (1) notation (1) }
+--dirSignedTransformation, KEY-INFORMATION
+-- FROM GulsSecurityTransformations { joint-iso-ccitt genericULS (20) modules (1)
+-- gulsSecurityTransformations (3) }
+-- signed
+-- FROM GulsSecurityTransformations { joint-iso-ccitt genericULS (20) modules (1)
+-- dirProtectionMappings (4) };
+-- The "signed" Protection Mapping and associated "dirSignedTransformations" imported
+-- from the Generic Upper Layers Security specification (ITU-T Rec. X.830 | ISO/IEC 11586-1)
+-- results in identical encoding as the same data type used with the SIGNED as defined in
+-- ITU-T REC. X.509 | ISO/IEC 9594-8
+-- The three statements below are provided temporarily to allow signed operations to be supported as in edition 3.
+OPTIONALLY-PROTECTED{Type} ::= CHOICE {unsigned Type,
+ signed SIGNED{Type}
+}
+
+OPTIONALLY-PROTECTED-SEQ{Type} ::= CHOICE {
+ unsigned Type,
+ signed [0] SIGNED{Type}
+}
+
+-- The following out-commented ASN.1 specification are know to be erroneous and are therefore deprecated.
+-- genEncryptedTransform {KEY-INFORMATION: SupportedKIClasses } SECURITY-TRANSFORMATION ::=
+-- {
+-- IDENTIFIER { enhancedSecurity gen-encrypted(2) }
+-- INITIAL-ENCODING-RULES { joint-iso-itu-t asn1(1) ber(1) }
+-- This default for initial encoding rules may be overridden
+-- using a static protected parameter (initEncRules).
+-- XFORMED-DATA-TYPE SEQUENCE {
+-- initEncRules OBJECT IDENTIFIER DEFAULT { joint-iso-itu-t asn1(1) ber(1) },
+-- encAlgorithm AlgorithmIdentifier OPTIONAL, -- -- Identifies the encryption algorithm,
+-- keyInformation SEQUENCE {
+-- kiClass KEY-INFORMATION.&kiClass ({SupportedKIClasses}),
+-- keyInfo KEY-INFORMATION.&KiType ({SupportedKIClasses} {@kiClass})
+-- } OPTIONAL,
+-- Key information may assume various formats, governed by supported members
+-- of the KEY-INFORMATION information object class (defined in ITU-T
+-- Rec. X.830 | ISO/IEC 11586-1)
+-- encData BIT STRING ( CONSTRAINED BY {
+-- the encData value shall be generated following
+-- the procedure specified in 17.3.1-- -- })
+-- }
+-- }
+-- encrypted PROTECTION-MAPPING ::= {
+-- SECURITY-TRANSFORMATION { genEncryptedTransform } }
+-- signedAndEncrypt PROTECTION-MAPPING ::= {
+-- SECURITY-TRANSFORMATION { signedAndEncryptedTransform } }
+-- signedAndEncryptedTransform {KEY-INFORMATION: SupportedKIClasses}
+-- SECURITY-TRANSFORMATION ::= {
+-- IDENTIFIER { enhancedSecurity dir-encrypt-sign (1) }
+-- INITIAL-ENCODING-RULES { joint-iso-itu-t asn1 (1) ber-derived (2) distinguished-encoding (1) }
+-- XFORMED-DATA-TYPE
+-- PROTECTED
+-- {
+-- PROTECTED
+-- {
+-- ABSTRACT-SYNTAX.&Type,
+-- signed
+-- },
+-- encrypted
+-- }
+-- }
+-- OPTIONALLY-PROTECTED {ToBeProtected, PROTECTION-MAPPING:generalProtection} ::=
+-- CHOICE {
+-- toBeProtected ToBeProtected,
+--no DIRQOP specified for operation
+-- signed PROTECTED {ToBeProtected, signed},
+--DIRQOP is Signed
+-- protected [APPLICATION 0]
+-- PROTECTED { ToBeProtected, generalProtection } }
+--DIRQOP is other than Signed
+-- defaultDirQop ATTRIBUTE ::= {
+-- WITH SYNTAX OBJECT IDENTIFIER
+-- EQUALITY MATCHING RULE objectIdentifierMatch
+-- USAGE directoryOperation
+-- ID id-at-defaultDirQop }
+-- DIRQOP ::= CLASS
+-- This information object class is used to define the quality of protection
+-- required throughout directory operation.
+-- The Quality Of Protection can be signed, encrypted, signedAndEncrypt
+-- {
+-- &dirqop-Id OBJECT IDENTIFIER UNIQUE,
+-- &dirBindError-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dirErrors-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapReadArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapReadRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapCompareArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapCompareRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapListArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapListRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapSearchArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapSearchRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapAbandonArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapAbandonRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapAddEntryArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapAddEntryRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapRemoveEntryArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapRemoveEntryRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapModifyEntryArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapModifyEntryRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapModifyDNArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dapModifyDNRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dspChainedOp-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dispShadowAgreeInfo-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dispCoorShadowArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dispCoorShadowRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dispUpdateShadowArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dispUpdateShadowRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dispRequestShadowUpdateArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dispRequestShadowUpdateRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dopEstablishOpBindArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dopEstablishOpBindRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dopModifyOpBindArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dopModifyOpBindRes-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dopTermOpBindArg-QOP PROTECTION-MAPPING:protectionReqd,
+-- &dopTermOpBindRes-QOP PROTECTION-MAPPING:protectionReqd
+-- }
+-- WITH SYNTAX
+-- {
+-- DIRQOP-ID &dirqop-Id
+-- DIRECTORYBINDERROR-QOP &dirBindError-QOP
+-- DIRERRORS-QOP &dirErrors-QOP
+-- DAPREADARG-QOP &dapReadArg-QOP
+-- DAPREADRES-QOP &dapReadRes-QOP
+-- DAPCOMPAREARG-QOP &dapCompareArg-QOP
+-- DAPCOMPARERES-QOP &dapCompareRes-QOP
+-- DAPLISTARG-QOP &dapListArg-QOP
+-- DAPLISTRES-QOP &dapListRes-QOP
+-- DAPSEARCHARG-QOP &dapSearchArg-QOP
+-- DAPSEARCHRES-QOP &dapSearchRes-QOP
+-- DAPABANDONARG-QOP &dapAbandonArg-QOP
+-- DAPABANDONRES-QOP &dapAbandonRes-QOP
+-- DAPADDENTRYARG-QOP &dapAddEntryArg-QOP
+-- DAPADDENTRYRES-QOP &dapAddEntryRes-QOP
+-- DAPREMOVEENTRYARG-QOP &dapRemoveEntryArg-QOP
+-- DAPREMOVEENTRYRES-QOP &dapRemoveEntryRes-QOP
+-- DAPMODIFYENTRYARG-QOP &dapModifyEntryArg-QOP
+-- DAPMODIFYENTRYRES-QOP &dapModifyEntryRes-QOP
+-- DAPMODIFYDNARG-QOP &dapModifyDNArg-QOP
+-- DAPMODIFYDNRES-QOP &dapModifyDNRes-QOP
+-- DSPCHAINEDOP-QOP &dspChainedOp-QOP
+-- DISPSHADOWAGREEINFO-QOP &dispShadowAgreeInfo-QOP
+-- DISPCOORSHADOWARG-QOP &dispCoorShadowArg-QOP
+-- DISPCOORSHADOWRES-QOP &dispCoorShadowRes-QOP
+-- DISPUPDATESHADOWARG-QOP &dispUpdateShadowArg-QOP
+-- DISPUPDATESHADOWRES-QOP &dispUpdateShadowRes-QOP
+-- DISPREQUESTSHADOWUPDATEARG-QOP &dispRequestShadowUpdateArg-QOP
+-- DISPREQUESTSHADOWUPDATERES-QOP &dispRequestShadowUpdateRes-QOP
+-- DOPESTABLISHOPBINDARG-QOP &dopEstablishOpBindArg-QOP
+-- DOPESTABLISHOPBINDRES-QOP &dopEstablishOpBindRes-QOP
+-- DOPMODIFYOPBINDARG-QOP &dopModifyOpBindArg-QOP
+-- DOPMODIFYOPBINDRES-QOP &dopModifyOpBindRes-QOP
+-- DOPTERMINATEOPBINDARG-QOP &dopTermOpBindArg-QOP
+-- DOPTERMINATEOPBINDRES-QOP &dopTermOpBindRes-QOP
+--}
+attributeValueSecurityLabelContext CONTEXT ::= {
+ WITH SYNTAX
+ SignedSecurityLabel -- At most one security label context can be assigned to an
+ -- attribute value
+ ID id-avc-attributeValueSecurityLabelContext
+}
+
+SignedSecurityLabel ::=
+ SIGNED
+ {SEQUENCE {attHash HASH{AttributeTypeAndValue},
+ issuer Name OPTIONAL, -- name of labelling authority
+ keyIdentifier KeyIdentifier OPTIONAL,
+ securityLabel SecurityLabel}}
+
+SecurityLabel ::= SET {
+ security-policy-identifier SecurityPolicyIdentifier OPTIONAL,
+ security-classification SecurityClassification OPTIONAL,
+ privacy-mark PrivacyMark OPTIONAL,
+ security-categories SecurityCategories OPTIONAL
+}(ALL EXCEPT ({ --none, at least one component shall be presen--}))
+
+SecurityPolicyIdentifier ::= OBJECT IDENTIFIER
+
+SecurityClassification ::= INTEGER {
+ unmarked(0), unclassified(1), restricted(2), confidential(3), secret(4),
+ top-secret(5)}
+
+PrivacyMark ::= PrintableString(SIZE (1..ub-privacy-mark-length))
+
+SecurityCategories ::= SET SIZE (1..MAX) OF SecurityCategory
+
+clearance ATTRIBUTE ::= {WITH SYNTAX Clearance
+ ID id-at-clearance
+}
+
+Clearance ::= SEQUENCE {
+ policyId OBJECT IDENTIFIER,
+ classList ClassList DEFAULT {unclassified},
+ securityCategories SET SIZE (1..MAX) OF SecurityCategory OPTIONAL
+}
+
+ClassList ::= BIT STRING {
+ unmarked(0), unclassified(1), restricted(2), confidential(3), secret(4),
+ topSecret(5)}
+
+SecurityCategory ::= SEQUENCE {
+ type [0] SECURITY-CATEGORY.&id({SecurityCategoriesTable}),
+ value [1] EXPLICIT SECURITY-CATEGORY.&Type({SecurityCategoriesTable}{@type})
+}
+
+SECURITY-CATEGORY ::= TYPE-IDENTIFIER
+
+SecurityCategoriesTable SECURITY-CATEGORY ::=
+ {...}
+
+attributeIntegrityInfo ATTRIBUTE ::= {
+ WITH SYNTAX AttributeIntegrityInfo
+ ID id-at-attributeIntegrityInfo
+}
+
+AttributeIntegrityInfo ::=
+ SIGNED
+ {SEQUENCE {scope Scope, -- Identifies the attributes protected
+ signer Signer OPTIONAL, -- Authority or data originators name
+ attribsHash AttribsHash}} -- Hash value of protected attributes
+
+Signer ::= CHOICE {
+ thisEntry [0] EXPLICIT ThisEntry,
+ thirdParty [1] SpecificallyIdentified
+}
+
+ThisEntry ::= CHOICE {onlyOne NULL,
+ specific IssuerAndSerialNumber
+}
+
+IssuerAndSerialNumber ::= SEQUENCE {
+ issuer Name,
+ serial CertificateSerialNumber
+}
+
+SpecificallyIdentified ::= SEQUENCE {
+ name GeneralName,
+ issuer GeneralName OPTIONAL,
+ serial CertificateSerialNumber OPTIONAL
+}
+(WITH COMPONENTS {
+ ...,
+ issuer PRESENT,
+ serial PRESENT
+ } | (WITH COMPONENTS {
+ ...,
+ issuer ABSENT,
+ serial ABSENT
+ }))
+
+Scope ::= CHOICE {
+ wholeEntry [0] NULL, -- Signature protects all attribute values in this entry
+ selectedTypes [1] SelectedTypes
+ -- Signature protects all attribute values of the selected attribute types
+}
+
+SelectedTypes ::= SEQUENCE SIZE (1..MAX) OF AttributeType
+
+AttribsHash ::= HASH{SEQUENCE SIZE (1..MAX) OF Attribute}
+
+-- Attribute type and values with associated context values for the selected Scope
+attributeValueIntegrityInfoContext CONTEXT ::= {
+ WITH SYNTAX AttributeValueIntegrityInfo
+ ID id-avc-attributeValueIntegrityInfoContext
+}
+
+AttributeValueIntegrityInfo ::=
+ SIGNED
+ {SEQUENCE {signer Signer OPTIONAL, -- Authority or data originators name
+ aVIHash AVIHash}} -- Hash value of protected attribute
+
+AVIHash ::= HASH{AttributeTypeValueContexts}
+
+-- Attribute type and value with associated context values
+AttributeTypeValueContexts ::= SEQUENCE {
+ type ATTRIBUTE.&id({SupportedAttributes}),
+ value ATTRIBUTE.&Type({SupportedAttributes}{@type}),
+ contextList SET SIZE (1..MAX) OF Context OPTIONAL
+}
+
+-- The following out-commented ASN.1 specification are know to be erroneous and are therefore deprecated.
+-- EncryptedAttributeSyntax {AttributeSyntax} ::= SEQUENCE {
+-- keyInfo SEQUENCE OF KeyIdOrProtectedKey,
+-- encAlg AlgorithmIdentifier,
+-- encValue ENCRYPTED { AttributeSyntax } }
+-- KeyIdOrProtectedKey ::= SEQUENCE {
+-- keyIdentifier [0] KeyIdentifier OPTIONAL,
+-- protectedKeys [1] ProtectedKey OPTIONAL }
+-- At least one key identifier or protected key shall be present
+-- ProtectedKey ::= SEQUENCE {
+-- authReaders AuthReaders,-- -- if absent, use attribute in authorized reader entry
+-- keyEncAlg AlgorithmIdentifier OPTIONAL, -- -- algorithm to encrypt encAttrKey
+-- encAttKey EncAttKey }
+-- confidentiality key protected with authorized user's
+-- protection mechanism
+-- AuthReaders ::= SEQUENCE OF Name
+-- EncAttKey ::= PROTECTED {SymmetricKey, keyProtection}
+-- SymmetricKey ::= BIT STRING
+-- keyProtection PROTECTION-MAPPING ::= {
+-- SECURITY-TRANSFORMATION {genEncryption} }
+-- confKeyInfo ATTRIBUTE ::= {
+-- WITH SYNTAX ConfKeyInfo
+-- EQUALITY MATCHING RULE readerAndKeyIDMatch
+-- ID id-at-confKeyInfo }
+-- ConfKeyInfo ::= SEQUENCE {
+-- keyIdentifier KeyIdentifier,
+-- protectedKey ProtectedKey }
+-- readerAndKeyIDMatch MATCHING-RULE ::= {
+-- SYNTAX ReaderAndKeyIDAssertion
+-- ID id-mr-readerAndKeyIDMatch }
+-- ReaderAndKeyIDAssertion ::= SEQUENCE {
+-- keyIdentifier KeyIdentifier,
+-- authReaders AuthReaders OPTIONAL }
+-- Object identifier assignments
+-- attributes
+id-at-clearance OBJECT IDENTIFIER ::=
+ {id-at 55}
+
+-- id-at-defaultDirQop OBJECT IDENTIFIER ::= {id-at 56}
+id-at-attributeIntegrityInfo OBJECT IDENTIFIER ::=
+ {id-at 57}
+
+-- id-at-confKeyInfo OBJECT IDENTIFIER ::= {id-at 60}
+-- matching rules
+-- id-mr-readerAndKeyIDMatch OBJECT IDENTIFIER ::= {id-mr 43}
+-- contexts
+id-avc-attributeValueSecurityLabelContext OBJECT IDENTIFIER ::=
+ {id-avc 3}
+
+id-avc-attributeValueIntegrityInfoContext OBJECT IDENTIFIER ::= {id-avc 4}
+
+END -- EnhancedSecurity
+
+-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D
+