summaryrefslogtreecommitdiff
path: root/asn1/SpkmGssTokens.asn
blob: 02205bd64c255627bc969e9920bfc047b2a9537e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
-- Module SpkmGssTokens (RFC 2025:10/1996)
SpkmGssTokens {iso(1) identified-organization(3) dod(6) internet(1) security(5)
  mechanisms(5) spkm(1) spkmGssTokens(10)}
--
-- Copyright (C) The Internet Society (1996). This version of
-- this ASN.1 module is part of RFC 2025;
-- see the RFC itself for full legal notices.
--
DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORTS ALL 
IMPORTS
  Name
    FROM InformationFramework {joint-iso-itu-t(2) ds(5) module(1)
      informationFramework(1) 3}
  Certificate, CertificateList, CertificatePair, AlgorithmIdentifier, Validity
    FROM AuthenticationFramework {joint-iso-itu-t(2) ds(5) module(1)
      authenticationFramework(7) 3};

-- types 
SPKM-REQ ::= SEQUENCE {
  requestToken  REQ-TOKEN,
  certif-data   [0]  CertificationData OPTIONAL,
  auth-data     [1]  AuthorizationData OPTIONAL
}

CertificationData ::= SEQUENCE {
  certificationPath          [0]  CertificationPath OPTIONAL,
  certificateRevocationList  [1]  CertificateList OPTIONAL
} -- at least one of the above shall be present

CertificationPath ::= SEQUENCE {
  userKeyId          [0]  OCTET STRING OPTIONAL,
  userCertif         [1]  Certificate OPTIONAL,
  verifKeyId         [2]  OCTET STRING OPTIONAL,
  userVerifCertif    [3]  Certificate OPTIONAL,
  theCACertificates  [4]  SEQUENCE OF CertificatePair OPTIONAL
} -- Presence of [2] or [3] implies that [0] or [1] must also be

-- present.  Presence of [4] implies that at least one of [0], [1],
-- [2], and [3] must also be present.
REQ-TOKEN ::= SEQUENCE {
  req-contents   Req-contents,
  algId          AlgorithmIdentifier,
  req-integrity  Integrity -- "token" is Req-contents
}

Integrity ::= BIT STRING

-- If corresponding algId specifies a signing algorithm,
-- "Integrity" holds the result of applying the signing procedure
-- specified in algId to the BER-encoded octet string which results
-- from applying the hashing procedure (also specified in algId) to
-- the DER-encoded octets of "token".
-- Alternatively, if corresponding algId specifies a MACing
-- algorithm, "Integrity" holds the result of applying the MACing
-- procedure specified in algId to the DER-encoded octets of
-- "token"
Req-contents ::= SEQUENCE {
  tok-id        INTEGER(256), -- shall contain 0100 (hex)
  context-id    Random-Integer,
  pvno          BIT STRING,
  timestamp     UTCTime OPTIONAL, -- mandatory for SPKM-2
  randSrc       Random-Integer,
  targ-name     Name,
  src-name      [0]  Name OPTIONAL,
  req-data      Context-Data,
  validity      [1]  Validity OPTIONAL,
  key-estb-set  Key-Estb-Algs,
  key-estb-req  BIT STRING OPTIONAL,
  key-src-bind  OCTET STRING OPTIONAL
  -- This field must be present for the case of SPKM-2
  -- unilateral authen. if the K-ALG in use does not provide
  -- such a binding (but is optional for all other cases).
  -- The octet string holds the result of applying the
  -- mandatory hashing procedure (in MANDATORY I-ALG;
  -- see Section 2.1) as follows:  MD5(src || context_key),
  -- where "src" is the DER-encoded octets of src-name,
  -- "context-key" is the symmetric key (i.e., the
  -- unprotected version of what is transmitted in
  -- key-estb-req), and "||" is the concatenation operation.
}

Random-Integer ::= BIT STRING

Context-Data ::= SEQUENCE {
  channelId   ChannelId OPTIONAL,
  seq-number  INTEGER OPTIONAL,
  options     Options,
  conf-alg    Conf-Algs,
  intg-alg    Intg-Algs,
  owf-alg     OWF-Algs
}

ChannelId ::= OCTET STRING

Options ::= BIT STRING {
  delegation-state(0), mutual-state(1), replay-det-state(2), sequence-state(3),
  conf-avail(4), integ-avail(5), target-certif-data-required(6)}

Conf-Algs ::= CHOICE {
  algs  [0]  SEQUENCE OF AlgorithmIdentifier,
  null  [1]  NULL
}

Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier

OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier

Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier

SPKM-REP-TI ::= SEQUENCE {
  responseToken  REP-TI-TOKEN,
  certif-data    CertificationData OPTIONAL
  -- present if target-certif-data-required option was
} -- set to TRUE in SPKM-REQ

REP-TI-TOKEN ::= SEQUENCE {
  rep-ti-contents  Rep-ti-contents,
  algId            AlgorithmIdentifier,
  rep-ti-integ     Integrity -- "token" is Rep-ti-contents
}

Rep-ti-contents ::= SEQUENCE {
  tok-id        INTEGER(512), -- shall contain 0200 (hex)
  context-id    Random-Integer,
  pvno          [0]  BIT STRING OPTIONAL,
  timestamp     UTCTime OPTIONAL, -- mandatory for SPKM-2
  randTarg      Random-Integer,
  src-name      [1]  Name OPTIONAL,
  targ-name     Name,
  randSrc       Random-Integer,
  rep-data      Context-Data,
  validity      [2]  Validity OPTIONAL,
  key-estb-id   AlgorithmIdentifier OPTIONAL,
  key-estb-str  BIT STRING OPTIONAL
}

SPKM-REP-IT ::= SEQUENCE {
  responseToken  REP-IT-TOKEN,
  algId          AlgorithmIdentifier,
  rep-it-integ   Integrity -- "token" is REP-IT-TOKEN
}

REP-IT-TOKEN ::= SEQUENCE {
  tok-id        INTEGER(768), -- shall contain 0300 (hex)
  context-id    Random-Integer,
  randSrc       Random-Integer,
  randTarg      Random-Integer,
  targ-name     Name,
  src-name      Name OPTIONAL,
  key-estb-rep  BIT STRING OPTIONAL
}

SPKM-ERROR ::= SEQUENCE {
  errorToken  ERROR-TOKEN,
  algId       AlgorithmIdentifier,
  integrity   Integrity -- "token" is ERROR-TOKEN
}

ERROR-TOKEN ::= SEQUENCE {
  tok-id      INTEGER(1024), -- shall contain 0400 (hex)
  context-id  Random-Integer
}

SPKM-MIC ::= SEQUENCE {mic-header  Mic-Header,
                       int-cksum   BIT STRING
}

Mic-Header ::= SEQUENCE {
  tok-id      INTEGER(257), -- shall contain 0101 (hex)
  context-id  Random-Integer,
  int-alg     [0]  AlgorithmIdentifier OPTIONAL,
  snd-seq     [1]  SeqNum OPTIONAL
}

SeqNum ::= SEQUENCE {num      INTEGER,
                     dir-ind  BOOLEAN
}

SPKM-WRAP ::= SEQUENCE {wrap-header  Wrap-Header,
                        wrap-body    Wrap-Body
}

Wrap-Header ::= SEQUENCE {
  tok-id      INTEGER(513), -- shall contain 0201 (hex)
  context-id  Random-Integer,
  int-alg     [0]  AlgorithmIdentifier OPTIONAL,
  conf-alg    [1]  Conf-Alg OPTIONAL,
  snd-seq     [2]  SeqNum OPTIONAL
}

Wrap-Body ::= SEQUENCE {int-cksum  BIT STRING,
                        data       BIT STRING
}

Conf-Alg ::= CHOICE {algId  [0]  AlgorithmIdentifier,
                     null   [1]  NULL
}

SPKM-DEL ::= SEQUENCE {del-header  Del-Header,
                       int-cksum   BIT STRING
}

Del-Header ::= SEQUENCE {
  tok-id      INTEGER(769), -- shall contain 0301 (hex)
  context-id  Random-Integer,
  int-alg     [0]  AlgorithmIdentifier OPTIONAL,
  snd-seq     [1]  SeqNum OPTIONAL
}

-- other types 
-- from [RFC-1508] 
MechType ::= OBJECT IDENTIFIER

InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
  thisMech           MechType,
  innerContextToken  SPKMInnerContextToken
} -- when thisMech is SPKM-1 or SPKM-2

SPKMInnerContextToken ::= CHOICE {
  req     [0]  SPKM-REQ,
  rep-ti  [1]  SPKM-REP-TI,
  rep-it  [2]  SPKM-REP-IT,
  error   [3]  SPKM-ERROR,
  mic     [4]  SPKM-MIC,
  wrap    [5]  SPKM-WRAP,
  del     [6]  SPKM-DEL
}

-- from [RFC-1510] 
AuthorizationData ::=
  SEQUENCE OF SEQUENCE {ad-type  INTEGER,
                        ad-data  OCTET STRING}

-- object identifier assignments 
md5-DES-CBC OBJECT IDENTIFIER ::=
  {iso(1) identified-organization(3) dod(6) internet(1) security(5)
   integrity(3) md5-DES-CBC(1)}

sum64-DES-CBC OBJECT IDENTIFIER ::=
  {iso(1) identified-organization(3) dod(6) internet(1) security(5)
   integrity(3) sum64-DES-CBC(2)}

spkm-1 OBJECT IDENTIFIER ::=
  {iso(1) identified-organization(3) dod(6) internet(1) security(5)
   mechanisms(5) spkm(1) spkm-1(1)}

spkm-2 OBJECT IDENTIFIER ::=
  {iso(1) identified-organization(3) dod(6) internet(1) security(5)
   mechanisms(5) spkm(1) spkm-2(2)}

END

-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D