255 lines
7.7 KiB
Groff
255 lines
7.7 KiB
Groff
SpkmGssTokens {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) spkm(1) spkmGssTokens(10)}
|
|
|
|
DEFINITIONS IMPLICIT TAGS ::=
|
|
|
|
BEGIN
|
|
|
|
-- EXPORTS ALL
|
|
|
|
IMPORTS
|
|
Name
|
|
FROM InformationFramework {joint-iso-itu-t(2) ds(5) module(1)
|
|
informationFramework(1) 7}
|
|
|
|
Certificate, CertificateList, CertificatePair, AlgorithmIdentifier{},
|
|
SupportedAlgorithms, Validity
|
|
FROM AuthenticationFramework {joint-iso-itu-t(2) ds(5) module(1)
|
|
authenticationFramework(7) 7};
|
|
|
|
-- types
|
|
|
|
SPKM-REQ ::= SEQUENCE {
|
|
requestToken REQ-TOKEN,
|
|
certif-data [0] CertificationData OPTIONAL,
|
|
auth-data [1] AuthorizationData OPTIONAL
|
|
}
|
|
|
|
CertificationData ::= SEQUENCE {
|
|
certificationPath [0] CertificationPath OPTIONAL,
|
|
certificateRevocationList [1] CertificateList OPTIONAL
|
|
} -- at least one of the above shall be present
|
|
|
|
CertificationPath ::= SEQUENCE {
|
|
userKeyId [0] OCTET STRING OPTIONAL,
|
|
userCertif [1] Certificate OPTIONAL,
|
|
verifKeyId [2] OCTET STRING OPTIONAL,
|
|
userVerifCertif [3] Certificate OPTIONAL,
|
|
theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL
|
|
} -- Presence of [2] or [3] implies that [0] or [1] must also be
|
|
-- present. Presence of [4] implies that at least one of [0], [1],
|
|
-- [2], and [3] must also be present.
|
|
|
|
REQ-TOKEN ::= SEQUENCE {
|
|
req-contents Req-contents,
|
|
algId AlgorithmIdentifier{{SupportedAlgorithms}},
|
|
req-integrity Integrity -- "token" is Req-contents
|
|
}
|
|
|
|
Integrity ::= BIT STRING
|
|
|
|
-- If corresponding algId specifies a signing algorithm,
|
|
-- "Integrity" holds the result of applying the signing procedure
|
|
-- specified in algId to the BER-encoded octet string which results
|
|
-- from applying the hashing procedure (also specified in algId) to
|
|
-- the DER-encoded octets of "token".
|
|
-- Alternatively, if corresponding algId specifies a MACing
|
|
-- algorithm, "Integrity" holds the result of applying the MACing
|
|
-- procedure specified in algId to the DER-encoded octets of
|
|
-- "token"
|
|
|
|
Req-contents ::= SEQUENCE {
|
|
tok-id INTEGER(256), -- shall contain 0100 (hex)
|
|
context-id Random-Integer,
|
|
pvno BIT STRING,
|
|
timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
|
|
randSrc Random-Integer,
|
|
targ-name Name,
|
|
src-name [0] Name OPTIONAL,
|
|
req-data Context-Data,
|
|
validity [1] Validity OPTIONAL,
|
|
key-estb-set Key-Estb-Algs,
|
|
key-estb-req BIT STRING OPTIONAL,
|
|
key-src-bind OCTET STRING OPTIONAL
|
|
-- This field must be present for the case of SPKM-2
|
|
-- unilateral authen. if the K-ALG in use does not provide
|
|
-- such a binding (but is optional for all other cases).
|
|
-- The octet string holds the result of applying the
|
|
-- mandatory hashing procedure (in MANDATORY I-ALG;
|
|
-- see Section 2.1) as follows: MD5(src || context_key),
|
|
-- where "src" is the DER-encoded octets of src-name,
|
|
-- "context-key" is the symmetric key (i.e., the
|
|
-- unprotected version of what is transmitted in
|
|
-- key-estb-req), and "||" is the concatenation operation.
|
|
}
|
|
|
|
Random-Integer ::= BIT STRING
|
|
|
|
Context-Data ::= SEQUENCE {
|
|
channelId ChannelId OPTIONAL,
|
|
seq-number INTEGER OPTIONAL,
|
|
options Options,
|
|
conf-alg Conf-Algs,
|
|
intg-alg Intg-Algs,
|
|
owf-alg OWF-Algs
|
|
}
|
|
|
|
ChannelId ::= OCTET STRING
|
|
|
|
Options ::= BIT STRING {
|
|
delegation-state(0), mutual-state(1), replay-det-state(2), sequence-state(3),
|
|
conf-avail(4), integ-avail(5), target-certif-data-required(6)}
|
|
|
|
Conf-Algs ::= CHOICE {
|
|
algs [0] SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}},
|
|
null [1] NULL
|
|
}
|
|
|
|
Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}}
|
|
|
|
OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}}
|
|
|
|
Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}}
|
|
|
|
SPKM-REP-TI ::= SEQUENCE {
|
|
responseToken REP-TI-TOKEN,
|
|
certif-data CertificationData OPTIONAL
|
|
-- present if target-certif-data-required option was
|
|
} -- set to TRUE in SPKM-REQ
|
|
|
|
REP-TI-TOKEN ::= SEQUENCE {
|
|
rep-ti-contents Rep-ti-contents,
|
|
algId AlgorithmIdentifier{{SupportedAlgorithms}},
|
|
rep-ti-integ Integrity -- "token" is Rep-ti-contents
|
|
}
|
|
|
|
Rep-ti-contents ::= SEQUENCE {
|
|
tok-id INTEGER(512), -- shall contain 0200 (hex)
|
|
context-id Random-Integer,
|
|
pvno [0] BIT STRING OPTIONAL,
|
|
timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
|
|
randTarg Random-Integer,
|
|
src-name [1] Name OPTIONAL,
|
|
targ-name Name,
|
|
randSrc Random-Integer,
|
|
rep-data Context-Data,
|
|
validity [2] Validity OPTIONAL,
|
|
key-estb-id AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL,
|
|
key-estb-str BIT STRING OPTIONAL
|
|
}
|
|
|
|
SPKM-REP-IT ::= SEQUENCE {
|
|
responseToken REP-IT-TOKEN,
|
|
algId AlgorithmIdentifier{{SupportedAlgorithms}},
|
|
rep-it-integ Integrity -- "token" is REP-IT-TOKEN
|
|
}
|
|
|
|
REP-IT-TOKEN ::= SEQUENCE {
|
|
tok-id INTEGER(768), -- shall contain 0300 (hex)
|
|
context-id Random-Integer,
|
|
randSrc Random-Integer,
|
|
randTarg Random-Integer,
|
|
targ-name Name,
|
|
src-name Name OPTIONAL,
|
|
key-estb-rep BIT STRING OPTIONAL
|
|
}
|
|
|
|
SPKM-ERROR ::= SEQUENCE {
|
|
errorToken ERROR-TOKEN,
|
|
algId AlgorithmIdentifier{{SupportedAlgorithms}},
|
|
integrity Integrity -- "token" is ERROR-TOKEN
|
|
}
|
|
|
|
ERROR-TOKEN ::= SEQUENCE {
|
|
tok-id INTEGER(1024), -- shall contain 0400 (hex)
|
|
context-id Random-Integer
|
|
}
|
|
|
|
SPKM-MIC ::= SEQUENCE {mic-header Mic-Header,
|
|
int-cksum BIT STRING
|
|
}
|
|
|
|
Mic-Header ::= SEQUENCE {
|
|
tok-id INTEGER(257), -- shall contain 0101 (hex)
|
|
context-id Random-Integer,
|
|
int-alg [0] AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL,
|
|
snd-seq [1] SeqNum OPTIONAL
|
|
}
|
|
|
|
SeqNum ::= SEQUENCE {num INTEGER,
|
|
dir-ind BOOLEAN
|
|
}
|
|
|
|
SPKM-WRAP ::= SEQUENCE {wrap-header Wrap-Header,
|
|
wrap-body Wrap-Body
|
|
}
|
|
|
|
Wrap-Header ::= SEQUENCE {
|
|
tok-id INTEGER(513), -- shall contain 0201 (hex)
|
|
context-id Random-Integer,
|
|
int-alg [0] AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL,
|
|
conf-alg [1] Conf-Alg OPTIONAL,
|
|
snd-seq [2] SeqNum OPTIONAL
|
|
}
|
|
|
|
Wrap-Body ::= SEQUENCE {int-cksum BIT STRING,
|
|
data BIT STRING
|
|
}
|
|
|
|
Conf-Alg ::= CHOICE {
|
|
algId [0] AlgorithmIdentifier{{SupportedAlgorithms}},
|
|
null [1] NULL
|
|
}
|
|
|
|
SPKM-DEL ::= SEQUENCE {del-header Del-Header,
|
|
int-cksum BIT STRING
|
|
}
|
|
|
|
Del-Header ::= SEQUENCE {
|
|
tok-id INTEGER(769), -- shall contain 0301 (hex)
|
|
context-id Random-Integer,
|
|
int-alg [0] AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL,
|
|
snd-seq [1] SeqNum OPTIONAL
|
|
}
|
|
|
|
-- other types
|
|
-- from [RFC-1508]
|
|
MechType ::= OBJECT IDENTIFIER
|
|
|
|
InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
|
|
thisMech MechType,
|
|
innerContextToken SPKMInnerContextToken
|
|
} -- when thisMech is SPKM-1 or SPKM-2
|
|
|
|
SPKMInnerContextToken ::= CHOICE {
|
|
req [0] SPKM-REQ,
|
|
rep-ti [1] SPKM-REP-TI,
|
|
rep-it [2] SPKM-REP-IT,
|
|
error [3] SPKM-ERROR,
|
|
mic [4] SPKM-MIC,
|
|
wrap [5] SPKM-WRAP,
|
|
del [6] SPKM-DEL
|
|
}
|
|
|
|
-- from [RFC-1510]
|
|
AuthorizationData ::=
|
|
SEQUENCE OF SEQUENCE {ad-type INTEGER,
|
|
ad-data OCTET STRING}
|
|
|
|
-- object identifier assignments
|
|
md5-DES-CBC OBJECT IDENTIFIER ::=
|
|
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
integrity(3) md5-DES-CBC(1)}
|
|
|
|
sum64-DES-CBC OBJECT IDENTIFIER ::=
|
|
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
integrity(3) sum64-DES-CBC(2)}
|
|
|
|
spkm-1 OBJECT IDENTIFIER ::=
|
|
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) spkm(1) spkm-1(1)}
|
|
|
|
spkm-2 OBJECT IDENTIFIER ::=
|
|
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) spkm(1) spkm-2(2)}
|
|
|
|
END -- SpkmGssTokens |