-- Module EnhancedSecurity (X.501:02/2001) EnhancedSecurity {joint-iso-itu-t ds(5) module(1) enhancedSecurity(28) 4} DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS All IMPORTS -- from ITU-T Rec. X.501 | ISO/IEC 9594-2 authenticationFramework, basicAccessControl, certificateExtensions, id-at, id-avc, id-mr, informationFramework, upperBounds FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 4} Attribute, ATTRIBUTE, AttributeType, Context, CONTEXT, MATCHING-RULE, Name, objectIdentifierMatch, SupportedAttributes FROM InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1) 4} AttributeTypeAndValue FROM BasicAccessControl {joint-iso-itu-t ds(5) module(1) basicAccessControl(24) 4} -- from ITU-T Rec. X.509 | ISO/IEC 9594-8 AlgorithmIdentifier, CertificateSerialNumber, ENCRYPTED{}, HASH{}, SIGNED{} FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 4} GeneralName, KeyIdentifier FROM CertificateExtensions {joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 4} ub-privacy-mark-length FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 4}; -- from GULS -- SECURITY-TRANSFORMATION, PROTECTION-MAPPING, PROTECTED -- FROM Notation { joint-iso-ccitt genericULS (20) modules (1) notation (1) } --dirSignedTransformation, KEY-INFORMATION -- FROM GulsSecurityTransformations { joint-iso-ccitt genericULS (20) modules (1) -- gulsSecurityTransformations (3) } -- signed -- FROM GulsSecurityTransformations { joint-iso-ccitt genericULS (20) modules (1) -- dirProtectionMappings (4) }; -- The "signed" Protection Mapping and associated "dirSignedTransformations" imported -- from the Generic Upper Layers Security specification (ITU-T Rec. X.830 | ISO/IEC 11586-1) -- results in identical encoding as the same data type used with the SIGNED as defined in -- ITU-T REC. X.509 | ISO/IEC 9594-8 -- The three statements below are provided temporarily to allow signed operations to be supported as in edition 3. OPTIONALLY-PROTECTED{Type} ::= CHOICE {unsigned Type, signed SIGNED{Type} } OPTIONALLY-PROTECTED-SEQ{Type} ::= CHOICE { unsigned Type, signed [0] SIGNED{Type} } -- The following out-commented ASN.1 specification are know to be erroneous and are therefore deprecated. -- genEncryptedTransform {KEY-INFORMATION: SupportedKIClasses } SECURITY-TRANSFORMATION ::= -- { -- IDENTIFIER { enhancedSecurity gen-encrypted(2) } -- INITIAL-ENCODING-RULES { joint-iso-itu-t asn1(1) ber(1) } -- This default for initial encoding rules may be overridden -- using a static protected parameter (initEncRules). -- XFORMED-DATA-TYPE SEQUENCE { -- initEncRules OBJECT IDENTIFIER DEFAULT { joint-iso-itu-t asn1(1) ber(1) }, -- encAlgorithm AlgorithmIdentifier OPTIONAL, -- -- Identifies the encryption algorithm, -- keyInformation SEQUENCE { -- kiClass KEY-INFORMATION.&kiClass ({SupportedKIClasses}), -- keyInfo KEY-INFORMATION.&KiType ({SupportedKIClasses} {@kiClass}) -- } OPTIONAL, -- Key information may assume various formats, governed by supported members -- of the KEY-INFORMATION information object class (defined in ITU-T -- Rec. X.830 | ISO/IEC 11586-1) -- encData BIT STRING ( CONSTRAINED BY { -- the encData value shall be generated following -- the procedure specified in 17.3.1-- -- }) -- } -- } -- encrypted PROTECTION-MAPPING ::= { -- SECURITY-TRANSFORMATION { genEncryptedTransform } } -- signedAndEncrypt PROTECTION-MAPPING ::= { -- SECURITY-TRANSFORMATION { signedAndEncryptedTransform } } -- signedAndEncryptedTransform {KEY-INFORMATION: SupportedKIClasses} -- SECURITY-TRANSFORMATION ::= { -- IDENTIFIER { enhancedSecurity dir-encrypt-sign (1) } -- INITIAL-ENCODING-RULES { joint-iso-itu-t asn1 (1) ber-derived (2) distinguished-encoding (1) } -- XFORMED-DATA-TYPE -- PROTECTED -- { -- PROTECTED -- { -- ABSTRACT-SYNTAX.&Type, -- signed -- }, -- encrypted -- } -- } -- OPTIONALLY-PROTECTED {ToBeProtected, PROTECTION-MAPPING:generalProtection} ::= -- CHOICE { -- toBeProtected ToBeProtected, --no DIRQOP specified for operation -- signed PROTECTED {ToBeProtected, signed}, --DIRQOP is Signed -- protected [APPLICATION 0] -- PROTECTED { ToBeProtected, generalProtection } } --DIRQOP is other than Signed -- defaultDirQop ATTRIBUTE ::= { -- WITH SYNTAX OBJECT IDENTIFIER -- EQUALITY MATCHING RULE objectIdentifierMatch -- USAGE directoryOperation -- ID id-at-defaultDirQop } -- DIRQOP ::= CLASS -- This information object class is used to define the quality of protection -- required throughout directory operation. -- The Quality Of Protection can be signed, encrypted, signedAndEncrypt -- { -- &dirqop-Id OBJECT IDENTIFIER UNIQUE, -- &dirBindError-QOP PROTECTION-MAPPING:protectionReqd, -- &dirErrors-QOP PROTECTION-MAPPING:protectionReqd, -- &dapReadArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dapReadRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dapCompareArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dapCompareRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dapListArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dapListRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dapSearchArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dapSearchRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dapAbandonArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dapAbandonRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dapAddEntryArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dapAddEntryRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dapRemoveEntryArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dapRemoveEntryRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dapModifyEntryArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dapModifyEntryRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dapModifyDNArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dapModifyDNRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dspChainedOp-QOP PROTECTION-MAPPING:protectionReqd, -- &dispShadowAgreeInfo-QOP PROTECTION-MAPPING:protectionReqd, -- &dispCoorShadowArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dispCoorShadowRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dispUpdateShadowArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dispUpdateShadowRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dispRequestShadowUpdateArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dispRequestShadowUpdateRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dopEstablishOpBindArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dopEstablishOpBindRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dopModifyOpBindArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dopModifyOpBindRes-QOP PROTECTION-MAPPING:protectionReqd, -- &dopTermOpBindArg-QOP PROTECTION-MAPPING:protectionReqd, -- &dopTermOpBindRes-QOP PROTECTION-MAPPING:protectionReqd -- } -- WITH SYNTAX -- { -- DIRQOP-ID &dirqop-Id -- DIRECTORYBINDERROR-QOP &dirBindError-QOP -- DIRERRORS-QOP &dirErrors-QOP -- DAPREADARG-QOP &dapReadArg-QOP -- DAPREADRES-QOP &dapReadRes-QOP -- DAPCOMPAREARG-QOP &dapCompareArg-QOP -- DAPCOMPARERES-QOP &dapCompareRes-QOP -- DAPLISTARG-QOP &dapListArg-QOP -- DAPLISTRES-QOP &dapListRes-QOP -- DAPSEARCHARG-QOP &dapSearchArg-QOP -- DAPSEARCHRES-QOP &dapSearchRes-QOP -- DAPABANDONARG-QOP &dapAbandonArg-QOP -- DAPABANDONRES-QOP &dapAbandonRes-QOP -- DAPADDENTRYARG-QOP &dapAddEntryArg-QOP -- DAPADDENTRYRES-QOP &dapAddEntryRes-QOP -- DAPREMOVEENTRYARG-QOP &dapRemoveEntryArg-QOP -- DAPREMOVEENTRYRES-QOP &dapRemoveEntryRes-QOP -- DAPMODIFYENTRYARG-QOP &dapModifyEntryArg-QOP -- DAPMODIFYENTRYRES-QOP &dapModifyEntryRes-QOP -- DAPMODIFYDNARG-QOP &dapModifyDNArg-QOP -- DAPMODIFYDNRES-QOP &dapModifyDNRes-QOP -- DSPCHAINEDOP-QOP &dspChainedOp-QOP -- DISPSHADOWAGREEINFO-QOP &dispShadowAgreeInfo-QOP -- DISPCOORSHADOWARG-QOP &dispCoorShadowArg-QOP -- DISPCOORSHADOWRES-QOP &dispCoorShadowRes-QOP -- DISPUPDATESHADOWARG-QOP &dispUpdateShadowArg-QOP -- DISPUPDATESHADOWRES-QOP &dispUpdateShadowRes-QOP -- DISPREQUESTSHADOWUPDATEARG-QOP &dispRequestShadowUpdateArg-QOP -- DISPREQUESTSHADOWUPDATERES-QOP &dispRequestShadowUpdateRes-QOP -- DOPESTABLISHOPBINDARG-QOP &dopEstablishOpBindArg-QOP -- DOPESTABLISHOPBINDRES-QOP &dopEstablishOpBindRes-QOP -- DOPMODIFYOPBINDARG-QOP &dopModifyOpBindArg-QOP -- DOPMODIFYOPBINDRES-QOP &dopModifyOpBindRes-QOP -- DOPTERMINATEOPBINDARG-QOP &dopTermOpBindArg-QOP -- DOPTERMINATEOPBINDRES-QOP &dopTermOpBindRes-QOP --} attributeValueSecurityLabelContext CONTEXT ::= { WITH SYNTAX SignedSecurityLabel -- At most one security label context can be assigned to an -- attribute value ID id-avc-attributeValueSecurityLabelContext } SignedSecurityLabel ::= SIGNED {SEQUENCE {attHash HASH{AttributeTypeAndValue}, issuer Name OPTIONAL, -- name of labelling authority keyIdentifier KeyIdentifier OPTIONAL, securityLabel SecurityLabel}} SecurityLabel ::= SET { security-policy-identifier SecurityPolicyIdentifier OPTIONAL, security-classification SecurityClassification OPTIONAL, privacy-mark PrivacyMark OPTIONAL, security-categories SecurityCategories OPTIONAL }(ALL EXCEPT ({ --none, at least one component shall be presen--})) SecurityPolicyIdentifier ::= OBJECT IDENTIFIER SecurityClassification ::= INTEGER { unmarked(0), unclassified(1), restricted(2), confidential(3), secret(4), top-secret(5)} PrivacyMark ::= PrintableString(SIZE (1..ub-privacy-mark-length)) SecurityCategories ::= SET SIZE (1..MAX) OF SecurityCategory clearance ATTRIBUTE ::= {WITH SYNTAX Clearance ID id-at-clearance } Clearance ::= SEQUENCE { policyId OBJECT IDENTIFIER, classList ClassList DEFAULT {unclassified}, securityCategories SET SIZE (1..MAX) OF SecurityCategory OPTIONAL } ClassList ::= BIT STRING { unmarked(0), unclassified(1), restricted(2), confidential(3), secret(4), topSecret(5)} SecurityCategory ::= SEQUENCE { type [0] SECURITY-CATEGORY.&id({SecurityCategoriesTable}), value [1] EXPLICIT SECURITY-CATEGORY.&Type({SecurityCategoriesTable}{@type}) } SECURITY-CATEGORY ::= TYPE-IDENTIFIER SecurityCategoriesTable SECURITY-CATEGORY ::= {...} attributeIntegrityInfo ATTRIBUTE ::= { WITH SYNTAX AttributeIntegrityInfo ID id-at-attributeIntegrityInfo } AttributeIntegrityInfo ::= SIGNED {SEQUENCE {scope Scope, -- Identifies the attributes protected signer Signer OPTIONAL, -- Authority or data originators name attribsHash AttribsHash}} -- Hash value of protected attributes Signer ::= CHOICE { thisEntry [0] EXPLICIT ThisEntry, thirdParty [1] SpecificallyIdentified } ThisEntry ::= CHOICE {onlyOne NULL, specific IssuerAndSerialNumber } IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serial CertificateSerialNumber } SpecificallyIdentified ::= SEQUENCE { name GeneralName, issuer GeneralName OPTIONAL, serial CertificateSerialNumber OPTIONAL } (WITH COMPONENTS { ..., issuer PRESENT, serial PRESENT } | (WITH COMPONENTS { ..., issuer ABSENT, serial ABSENT })) Scope ::= CHOICE { wholeEntry [0] NULL, -- Signature protects all attribute values in this entry selectedTypes [1] SelectedTypes -- Signature protects all attribute values of the selected attribute types } SelectedTypes ::= SEQUENCE SIZE (1..MAX) OF AttributeType AttribsHash ::= HASH{SEQUENCE SIZE (1..MAX) OF Attribute} -- Attribute type and values with associated context values for the selected Scope attributeValueIntegrityInfoContext CONTEXT ::= { WITH SYNTAX AttributeValueIntegrityInfo ID id-avc-attributeValueIntegrityInfoContext } AttributeValueIntegrityInfo ::= SIGNED {SEQUENCE {signer Signer OPTIONAL, -- Authority or data originators name aVIHash AVIHash}} -- Hash value of protected attribute AVIHash ::= HASH{AttributeTypeValueContexts} -- Attribute type and value with associated context values AttributeTypeValueContexts ::= SEQUENCE { type ATTRIBUTE.&id({SupportedAttributes}), value ATTRIBUTE.&Type({SupportedAttributes}{@type}), contextList SET SIZE (1..MAX) OF Context OPTIONAL } -- The following out-commented ASN.1 specification are know to be erroneous and are therefore deprecated. -- EncryptedAttributeSyntax {AttributeSyntax} ::= SEQUENCE { -- keyInfo SEQUENCE OF KeyIdOrProtectedKey, -- encAlg AlgorithmIdentifier, -- encValue ENCRYPTED { AttributeSyntax } } -- KeyIdOrProtectedKey ::= SEQUENCE { -- keyIdentifier [0] KeyIdentifier OPTIONAL, -- protectedKeys [1] ProtectedKey OPTIONAL } -- At least one key identifier or protected key shall be present -- ProtectedKey ::= SEQUENCE { -- authReaders AuthReaders,-- -- if absent, use attribute in authorized reader entry -- keyEncAlg AlgorithmIdentifier OPTIONAL, -- -- algorithm to encrypt encAttrKey -- encAttKey EncAttKey } -- confidentiality key protected with authorized user's -- protection mechanism -- AuthReaders ::= SEQUENCE OF Name -- EncAttKey ::= PROTECTED {SymmetricKey, keyProtection} -- SymmetricKey ::= BIT STRING -- keyProtection PROTECTION-MAPPING ::= { -- SECURITY-TRANSFORMATION {genEncryption} } -- confKeyInfo ATTRIBUTE ::= { -- WITH SYNTAX ConfKeyInfo -- EQUALITY MATCHING RULE readerAndKeyIDMatch -- ID id-at-confKeyInfo } -- ConfKeyInfo ::= SEQUENCE { -- keyIdentifier KeyIdentifier, -- protectedKey ProtectedKey } -- readerAndKeyIDMatch MATCHING-RULE ::= { -- SYNTAX ReaderAndKeyIDAssertion -- ID id-mr-readerAndKeyIDMatch } -- ReaderAndKeyIDAssertion ::= SEQUENCE { -- keyIdentifier KeyIdentifier, -- authReaders AuthReaders OPTIONAL } -- Object identifier assignments -- attributes id-at-clearance OBJECT IDENTIFIER ::= {id-at 55} -- id-at-defaultDirQop OBJECT IDENTIFIER ::= {id-at 56} id-at-attributeIntegrityInfo OBJECT IDENTIFIER ::= {id-at 57} -- id-at-confKeyInfo OBJECT IDENTIFIER ::= {id-at 60} -- matching rules -- id-mr-readerAndKeyIDMatch OBJECT IDENTIFIER ::= {id-mr 43} -- contexts id-avc-attributeValueSecurityLabelContext OBJECT IDENTIFIER ::= {id-avc 3} id-avc-attributeValueIntegrityInfoContext OBJECT IDENTIFIER ::= {id-avc 4} END -- EnhancedSecurity -- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D