forked from osmocom/wireshark
43e892e985
dissector for Novell's PKIS certificate extensions

from me
clean up the $Id$ tags
remove packet-pkis(-template).h
remove ASN.1 definitions that cause compiler warnings (OID, SecurityLabelType2)
move the dissector to the clean ASN.1 dissectors
support CMake build
change the name to novell_pkis

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9597

svn path=/trunk/; revision=54508
284 lines
11 KiB
Groff
-- from pkisv10.pdf
-- you can find this document at https://web.archive.org/web/19990224174228/http://www.developer.novell.com/repository/attributes/certattrs_v10.htm

PKIS { joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719) } DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- ASN.1 Definition of Useful Attributes

-- The following are useful Novell OIDs, etc.
novell OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719)}
applications OBJECT IDENTIFIER ::= {novell applications(1) }
pki OBJECT IDENTIFIER ::= {applications pki(9) }
pkiAttributeType OBJECT IDENTIFIER ::= {pki at(4) }
pkiAttributeSyntax OBJECT IDENTIFIER ::= {pki at(5) }
pkiObjectClass OBJECT IDENTIFIER ::= {pki at(6) }

-- The following unique PKI attributes are hereby defined under the novell applications pki arc:
pa-sa OBJECT IDENTIFIER ::= { pkiAttributeType (1) }
  -- securityAttributes
  -- 2.16.840.113719.1.9.4.1

pa-rl OBJECT IDENTIFIER ::= { pkiAttributeType (2) }
  -- relianceLimit
  -- 2.16.840.113719.1.9.4.2

SecurityAttributes ::= SEQUENCE {
  versionNumber OCTET STRING (SIZE (2)),
    -- The initial value should be (01 00)
    -- The first octet is the major version,
    -- the second octet is the minor version number.
  nSI BOOLEAN (TRUE),
    -- NSI = “Nonverified Subscriber Information”
    -- If FALSE, it means that the CA issuing
    -- a certificate HAS verified the validity
    -- of ALL of the values contained
    -- within the Novell Security Attributes
    -- using appropriate means as defined
    -- for example in their Certificate Policy
    -- and/or Certificate Practice Statement
    -- If TRUE, it means that the subscriber
    -- requesting the certificate has represented
    -- to the CA that the extension defined
    -- is valid and correct, but that the CA
    -- has not independently validated the accuracy
    -- of the attribute. Note that in no case may
    -- the CA issue a certificate containing an
    -- extension which it has reason to
    -- believe is not accurate at the time of
    -- issuance, except for test certificates
    -- which are identified as such in the
    -- Certificate class attribute (by setting
    -- the certificateValid flag to FALSE.)
  securityTM PrintableString ("Novell Security Attribute(tm)"),
    -- Note: Since the “Novell Security
    -- Attribute(tm)” string is trademarked, if
    -- it is displayed visually to the user it
    -- must be presented exactly as shown,
    -- in English, even in non-English
    -- implementations. A translation of the
    -- phrase may be displayed to the user
    -- in addition, if desired.
    -- Vendors who license the use of the term
    -- must agree to check for the presence of
    -- this string in any attribute defined (by its
    -- OID) as a Novell Security attribute
  uriReference IA5String,
    -- The initial value should be set to (“http://developer.novell.com/repository/attributes/certattrs_v10.htm”),
    -- This attribute will be included in all
    -- NICI and PKIS certificates.
    -- Novell will maintain a copy of this
    -- document or other suitable definition
    -- at that location.
  gLBExtensions GLBExtensions
}

GLBExtensions ::= SEQUENCE {
  -- These are the extensions over which the
  -- Greatest Lower Bound is computed within NICI.
  keyQuality [0] IMPLICIT KeyQuality,
  cryptoProcessQuality [1] IMPLICIT CryptoProcessQuality,
  certificateClass [2] IMPLICIT CertificateClass,
  enterpriseId [3] IMPLICIT EnterpriseId
}

-- ASN.1 Definitions of Key Quality and Crypto Process Quality Attributes:
KeyQuality ::= Quality
CryptoProcessQuality ::= Quality

Quality ::= SEQUENCE {
  enforceQuality BOOLEAN,
    -- If TRUE, the explicit attributes compusecQuality,
    -- cryptoQuality, and keyStorageQuality, plus the
    -- implicit attributes algorithmType and keyLength
    -- are either enforced at all times, or a dynamic low
    -- water mark (Greatest Lower Bound) may be maintained.
    -- I.e., if enforceQuality is TRUE for the
    -- keyQuality attribute, the key must never be
    -- allowed to be transported to and/or used on any
    -- platform that does not meet the minimum
    -- criteria, and hence enforceQuality must be TRUE for
    -- the cryptoProcessQuality as well
    -- If enforceQuality is FALSE for keyQuality, but
    -- TRUE for cryptoProcessQuality, then the
    -- operating system has not enforced the criteria
    -- in any technical sense, but the subscriber
    -- is nonetheless representing that the minimum
    -- criteria will be maintained,
    -- e.g., by manual or procedural controls.
    -- For PKIS and NICI versions 1.0, enforceQuality
    -- must be set to FALSE in the keyQuality attribute.
  compusecQuality CompusecQuality,
  cryptoQuality CryptoQuality,
  keyStorageQuality INTEGER (0..255) -- See definitions in Appendix C
}

CompusecQuality ::= SEQUENCE SIZE (1..1)
  OF CompusecQualityPair
  -- Multiple pairs of {Criteria, Rating} are allowed
  -- In the first release, only one pair (TCSEC criteria) is provided

CompusecQualityPair ::= SEQUENCE {
  compusecCriteria INTEGER(0..255),
    -- The default should be 1, but DEFAULT implies OPTIONAL, which
    -- is not the intent. So the value has to be coded explicitly.
    -- 0= Reserved (encoding error)
    -- 1= Trusted Computer Security Evaluation Criteria (TCSEC)
    -- 2= International Trusted Security Evaluation Criteria (ITSEC)
    -- 3= Common Criteria
    -- all others reserved
  compusecRating INTEGER (0..255)
    -- the compusecRating is in accordance with the specified
    -- compusecCriteria for each pair in the sequence
    -- Defined values for ratings for components and systems formally
    -- evaluated in accordance with the Trusted Computer Security
    -- Evaluation Criteria and the Trusted Network Interpretation
    -- (Red Book) are provided in Appendix A.
}

CryptoQuality ::= SEQUENCE SIZE (1..1)
  OF CryptoQualityPair
  -- Multiple pairs of {Criteria, Rating} are allowed.
  -- In the initial release, only one pair is provided.

CryptoQualityPair ::= SEQUENCE {
  cryptoModuleCriteria INTEGER(0..255),
    -- The default should be 1, but DEFAULT implies OPTIONAL, which
    -- is not the intent. So the value has to be coded explicitly.
    -- 1 = FIPS 140-1
    -- all others reserved
  cryptoModuleRating INTEGER (0..255)
    -- the cryptoModuleRating value is in accordance with
    -- the specified cryptoModuleCriteria for each pair
    -- FIPS 140-1 ratings definitions:
    -- 0 = Reserved (encoding error)
    -- 1 = unevaluated/unknown,
    -- all others—see Appendix B
}

-- ASN.1 Definition of Certificate Class Attribute:

CertificateClass ::= SEQUENCE {
  classValue INTEGER (0..255),
    -- Defined class values are contained in Appendix C
  certificateValid BOOLEAN
    -- The default should be true, but DEFAULT is OPTIONAL
    -- which would make the GLB computation awkward.
    -- See Section 5 and the footnote for a discussion.
}

-- ASN.1 Definition of Enterprise Identifier Attribute:

EnterpriseId ::= SEQUENCE {
  rootLabel [0] IMPLICIT SecurityLabelType1,
  registryLabel [1] IMPLICIT SecurityLabelType1,
  enterpriseLabel [2] IMPLICIT SEQUENCE SIZE (1..1) OF SecurityLabelType1
}

SecurityLabelType1 ::= SEQUENCE {
  labelType1 INTEGER (0..255),
    -- The default should be 2, but DEFAULT implies OPTIONAL, which
    -- is not the intent. So the value has to be coded explicitly.
    -- Note that the label type for Version 1
    -- of Graded Authentication is 0 or 1.
    -- Byte sizes and reserved fields are omitted,
    -- because they are derivable from the ASN.1.
  secrecyLevel1 INTEGER (0..255),
    -- The default should be 0, but DEFAULT implies OPTIONAL, which
    -- is not the intent. So the value has to be coded explicitly.
    -- 0 = low secrecy, 255 = high secrecy
    -- It seems highly unlikely anyone would ever
    -- need more than 255 secrecy levels
  integrityLevel1 INTEGER (0..255),
    -- The default should be 0, but DEFAULT implies OPTIONAL, which
    -- is not the intent. So the value has to be coded explicitly.
    -- NOTE! 255 = low integrity, 0 = high integrity!
    -- It seems highly unlikely anyone would ever
    -- need more than 255 integrity levels
  secrecyCategories1 BIT STRING (SIZE(96)),
    -- The default should be FALSE, but DEFAULT implies OPTIONAL,
    -- which is not the intent. So the value has to be coded
    -- explicitly.
    -- 96 secrecy categories, 0 origin indexing
  integrityCategories1 BIT STRING (SIZE(64)),
    -- The default should be FALSE, but DEFAULT implies OPTIONAL,
    -- which is not the intent. So the value has to be coded
    -- explicitly.
    -- 64 integrity categories, 0 origin indexing
  secrecySingletons1 Singletons,
  integritySingletons1 Singletons
}

-- (removed the unused definition of SecurityLabelType2)

Singletons ::= SEQUENCE SIZE (1..16) OF SingletonChoice
  -- Presently up to 16 singletons or singleton ranges
  -- can be defined within one security label. This
  -- is completely arbitrary and can be easily changed,
  -- but it seems reasonable. Note that no more space
  -- is taken in the ASN.1 DER encoding than is actually
  -- required.

SingletonChoice ::= CHOICE {
  uniqueSingleton INTEGER (0..9223372036854775807),
    -- The implied value of the singleton being
    -- specified in this case is TRUE.
    -- Note that there isn’t any way to set a
    -- singleton value to FALSE, except by using the
    -- SingletonRange functions with identical lower
    -- and upper bounds.
  singletonRange SingletonRange
}

SingletonRange ::= SEQUENCE {
  singletonLowerBound INTEGER (0..9223372036854775807),
    -- The default should be 0, but DEFAULT implies OPTIONAL,
    -- which is not the intent. So the value has to be coded
    -- explicitly.
    -- Lower bound of a range of singletons
    -- to be set to the singletonValue specified

  singletonUpperBound INTEGER (0..9223372036854775807),
    -- The default should be 9223372036854775807,
    -- but DEFAULT implies OPTIONAL,
    -- which is not the intent. So the value has to be coded
    -- explicitly.
    -- Upper bound of a range of singletons
    -- to be set to the singletonValue specified
  singletonValue BOOLEAN
    -- An entire range of singletons can be set to
    -- either TRUE or FALSE.
    -- Note that singletonRanges are allowed to overlap,
    -- and in particular that a uniqueSingleton can
    -- reset a singleton value already set by a
    -- singletonRange, and vice versa.
    -- The uniqueSingleton and singletonRanges are applied
    -- consecutively, from the lower bound of SEQUENCE (1)
    -- to the upper bound.
}

-- ASN.1 Definition of Reliance Limit Attribute:

-- relianceLimits EXTENSION ::= { SYNTAX RelianceLimits IDENTIFIED BY {pa-rl} }
-- 2.16.840.113719.1.9.4.2

RelianceLimits ::= SEQUENCE {
  perTransactionLimit MonetaryValue,
  perCertificateLimit MonetaryValue
}

MonetaryValue ::= SEQUENCE { -- from SET and draft ANSI X9.45
  currency Currency,
  amount INTEGER, -- value is amount * (10 ** amtExp10), an exact representation
  amtExp10 INTEGER
}

Currency ::= INTEGER (1..999)
  -- currency denomination from ISO 4217
  -- cf. Appendix E for the numeric currency codes and their
  -- alphabetic (display) equivalents.
  -- US Dollar (USD) is 840.
  -- Euro (EUR) is 978.

END
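As an added example (not part of the Wireshark dissector or of Novell's specification), the following Python decodes a DER-encoded RelianceLimits value as defined above: two MonetaryValue SEQUENCEs of three INTEGERs each, with the amount reconstructed as amount * 10**amtExp10 and the Currency range (1..999) checked. The sample bytes are constructed here, not taken from a real certificate.

```python
from decimal import Decimal

TAG_SEQUENCE, TAG_INTEGER = 0x30, 0x02   # universal DER tags used by this syntax
# Constructed sample (not from a real certificate): USD 50.00 per transaction,
# USD 2500.00 per certificate, i.e. {840, 5000, -2} and {840, 250000, -2}.
SAMPLE_RELIANCE_LIMITS = bytes.fromhex(
    "301b"
    "300b" "02020348" "02021388" "0201fe"
    "300c" "02020348" "020303d090" "0201fe"
)

def read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the octet count
        n = length & 0x7F
        if n == 0 or n > 4:                  # indefinite or oversized lengths are not DER
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:end], end

def decode_monetary_value(tag, contents):
    """MonetaryValue ::= SEQUENCE { currency, amount, amtExp10 } -> (iso4217_code, Decimal)."""
    if tag != TAG_SEQUENCE:
        raise ValueError("expected MonetaryValue SEQUENCE")
    fields, pos = [], 0
    while pos < len(contents):
        t, v, pos = read_tlv(contents, pos)
        if t != TAG_INTEGER or not v:
            raise ValueError("expected INTEGER")
        fields.append(int.from_bytes(v, "big", signed=True))   # DER INTEGER is two's complement
    currency, amount, exp10 = fields         # unpacking rejects anything but three INTEGERs
    if not 1 <= currency <= 999:             # Currency ::= INTEGER (1..999)
        raise ValueError("currency out of range")
    return currency, Decimal(amount).scaleb(exp10)   # amount * 10**amtExp10, kept exact

def decode_reliance_limits(der):
    """RelianceLimits -> (perTransactionLimit, perCertificateLimit) as MonetaryValue tuples."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single RelianceLimits SEQUENCE")
    t1, v1, pos = read_tlv(body, 0)
    t2, v2, pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing data in RelianceLimits")
    return decode_monetary_value(t1, v1), decode_monetary_value(t2, v2)
```

Decimal scaling is used deliberately: a float would not give the "exact representation" the amount comment calls for once amtExp10 is negative.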