4 SpkmGssTokens DEFINITIONS ::=
7 IMPORTS AlgorithmIdentifier, Validity,
8 Attribute, Certificate, CertificateList, CertificatePair, Name
10 AuthorizationData FROM krb5;
12 SPKM-REQ ::= SEQUENCE {
13 requestToken REQ-TOKEN,
14 certif-data [0] CertificationData OPTIONAL,
15 auth-data [1] AuthorizationData OPTIONAL
-- Certificate material that may accompany a token: it is carried as
-- certif-data in SPKM-REQ ([0] above) and in SPKM-REP-TI below.
-- Both members are OPTIONAL at the grammar level, so the rule given
-- after the closing brace is not checked by a generic ASN.1 decoder.
-- A receiver has to verify, after decoding, that at least one member
-- is present and reject a CertificationData that carries neither.
19 CertificationData ::= SEQUENCE {
20 certificationPath [0] CertificationPath OPTIONAL, -- see CertificationPath below
21 certificateRevocationList [1] CertificateList OPTIONAL -- CRL, imported type
22 } -- at least one of the above shall be present
-- Key identifiers and certificates used to validate the user side of
-- the exchange. Every member is OPTIONAL; the presence dependencies in
-- the trailing comment are inter-field constraints that ASN.1 syntax
-- cannot express, so they must be enforced in code after decoding.
-- theCACertificates [4] carries no SIZE constraint here; a decoder
-- should cap the number of CertificatePair entries it accepts and the
-- length of any path it is willing to validate from them.
-- NOTE(review): the pairing of [0]/[1] (user key) with [2]/[3]
-- (verification key) is inferred from the field names and the
-- presence rule below; confirm against the defining specification.
25 CertificationPath ::= SEQUENCE {
26 userKeyId [0] OCTET STRING OPTIONAL, -- identifier used in place of userCertif
27 userCertif [1] Certificate OPTIONAL,
28 verifKeyId [2] OCTET STRING OPTIONAL, -- identifier used in place of userVerifCertif
29 userVerifCertif [3] Certificate OPTIONAL,
30 theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL -- unbounded list
31 } -- Presence of [2] or [3] implies that [0] or [1] must also be
32 -- present. Presence of [4] implies that at least one of [0], [1],
33 -- [2], and [3] must also be present.
35 REQ-TOKEN ::= SEQUENCE {
36 req-contents Req-contents,
37 algId AlgorithmIdentifier,
38 req-integrity Integrity -- "token" is Req-contents
-- Integrity check value (signature or MAC) over the DER encoding of
-- "token". It always appears beside an AlgorithmIdentifier field
-- named algId: in REQ-TOKEN, REP-TI-TOKEN, SPKM-REP-IT and SPKM-ERROR.
-- In each of those SEQUENCEs algId is a sibling of "token", not part
-- of it, so the algorithm selection is itself not covered by the
-- integrity value. A verifier should therefore accept only algIds from
-- its own configured set rather than letting the received algId pick
-- the verification procedure, and should compute the check over the
-- DER octets of "token" exactly as described in the comment below.
-- The BIT STRING has no SIZE constraint; bound its length on receipt.
41 Integrity ::= BIT STRING
42 -- If corresponding algId specifies a signing algorithm,
43 -- "Integrity" holds the result of applying the signing procedure
44 -- specified in algId to the BER-encoded octet string which results
45 -- from applying the hashing procedure (also specified in algId) to
46 -- the DER-encoded octets of "token".
47 -- Alternatively, if corresponding algId specifies a MACing
48 -- algorithm, "Integrity" holds the result of applying the MACing
49 -- procedure specified in algId to the DER-encoded octets of
52 Req-contents ::= SEQUENCE {
53 tok-id INTEGER --(256)--, -- shall contain 0100 (hex)
54 context-id Random-Integer,
56 timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
57 randSrc Random-Integer,
59 src-name [0] Name OPTIONAL,
60 req-data Context-Data,
61 validity [1] Validity OPTIONAL,
62 key-estb-set Key-Estb-Algs,
63 key-estb-req BIT STRING OPTIONAL,
64 key-src-bind OCTET STRING OPTIONAL
65 -- This field must be present for the case of SPKM-2
66 -- unilateral authen. if the K-ALG in use does not provide
67 -- such a binding (but is optional for all other cases).
68 -- The octet string holds the result of applying the
69 -- mandatory hashing procedure (in MANDATORY I-ALG;
70 -- see Section 2.1) as follows: MD5(src || context_key),
71 -- where "src" is the DER-encoded octets of src-name,
72 -- "context-key" is the symmetric key (i.e., the
73 -- unprotected version of what is transmitted in
74 -- key-estb-req), and "||" is the concatenation operation.
-- Type of context-id, randSrc and randTarg in the token bodies of this
-- module. The grammar imposes no SIZE constraint, so a decoder should
-- bound the length it accepts. When one of these values is echoed back
-- (randSrc appears in both request and reply bodies), compare the bit
-- length as well as the content: two BIT STRINGs with the same octets
-- but different unused-bit counts are different values.
-- NOTE(review): whether these must be unpredictable is not stated in
-- the visible part of the module; the names only suggest it.
77 Random-Integer ::= BIT STRING
79 Context-Data ::= SEQUENCE {
80 channelId ChannelId OPTIONAL,
81 seq-number INTEGER OPTIONAL,
-- Carried as Context-Data.channelId (OPTIONAL). Unconstrained OCTET
-- STRING, so a receiver should bound its length.
-- NOTE(review): presumably the GSS channel-binding identifier; the
-- visible module does not say how it is derived or compared.
88 ChannelId ::= OCTET STRING
90 Options ::= BIT STRING {
97 target-certif-data-required (6)
100 Conf-Algs ::= CHOICE {
101 algs [0] SEQUENCE OF AlgorithmIdentifier,
-- List of integrity algorithms offered for negotiation. No SIZE
-- constraint: a receiver should cap the number of entries it will
-- decode and should only select from algorithms it already supports.
-- NOTE(review): not referenced in the visible part of the module;
-- presumably used from Context-Data, whose middle lines are not shown.
105 Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier
-- List of one-way (hash) function algorithms offered for negotiation.
-- Unbounded like Intg-Algs; apply the same length cap and choose only
-- from a locally configured set.
-- NOTE(review): not referenced in the visible part of the module;
-- presumably used from Context-Data, whose middle lines are not shown.
107 OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier
-- Key-establishment algorithms offered by the initiator; carried as
-- key-estb-set in Req-contents (not OPTIONAL there). No SIZE
-- constraint, so cap the entry count on receipt and select only an
-- algorithm the target is configured to accept.
109 Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier
-- Target-to-initiator reply. certif-data is OPTIONAL in the grammar;
-- the trailing comment ties its presence to the
-- target-certif-data-required bit (6) of Options in SPKM-REQ. That
-- dependency is not expressible in ASN.1, so an initiator that set the
-- bit must check after decoding that certif-data is actually present
-- and treat a reply without it as an error rather than as "no certs".
112 SPKM-REP-TI ::= SEQUENCE {
113 responseToken REP-TI-TOKEN, -- integrity-protected body, see REP-TI-TOKEN
114 certif-data CertificationData OPTIONAL
115 -- present if target-certif-data-required option was
116 } -- set to TRUE in SPKM-REQ
118 REP-TI-TOKEN ::= SEQUENCE {
119 rep-ti-contents Rep-ti-contents,
120 algId AlgorithmIdentifier,
121 rep-ti-integ Integrity -- "token" is Rep-ti-contents
124 Rep-ti-contents ::= SEQUENCE {
125 tok-id INTEGER --(512)--, -- shall contain 0200 (hex)
126 context-id Random-Integer,
127 pvno [0] BIT STRING OPTIONAL,
128 timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
129 randTarg Random-Integer,
130 src-name [1] Name OPTIONAL,
132 randSrc Random-Integer,
133 rep-data Context-Data,
134 validity [2] Validity OPTIONAL,
135 key-estb-id AlgorithmIdentifier OPTIONAL,
136 key-estb-str BIT STRING OPTIONAL
139 SPKM-REP-IT ::= SEQUENCE {
140 responseToken REP-IT-TOKEN,
141 algId AlgorithmIdentifier,
142 rep-it-integ Integrity -- "token" is REP-IT-TOKEN
145 REP-IT-TOKEN ::= SEQUENCE {
146 tok-id INTEGER --(768)--, -- shall contain 0300 (hex)
147 context-id Random-Integer,
148 randSrc Random-Integer,
149 randTarg Random-Integer,
151 src-name Name OPTIONAL,
152 key-estb-rep BIT STRING OPTIONAL
155 SPKM-ERROR ::= SEQUENCE {
156 errorToken ERROR-TOKEN,
157 algId AlgorithmIdentifier,
158 integrity Integrity -- "token" is ERROR-TOKEN
161 ERROR-TOKEN ::= SEQUENCE {
162 tok-id INTEGER --(1024)--, -- shall contain 0400 (hex)
163 context-id Random-Integer
166 SPKM-MIC ::= SEQUENCE {
167 mic-header Mic-Header,
171 Mic-Header ::= SEQUENCE {
172 tok-id INTEGER --(257)--, -- shall contain 0101 (hex)
173 context-id Random-Integer,
174 int-alg [0] AlgorithmIdentifier OPTIONAL,
175 snd-seq [1] SeqNum OPTIONAL
178 SeqNum ::= SEQUENCE {
183 SPKM-WRAP ::= SEQUENCE {
184 wrap-header Wrap-Header,
188 Wrap-Header ::= SEQUENCE {
189 tok-id INTEGER --(513)--, -- shall contain 0201 (hex)
190 context-id Random-Integer,
191 int-alg [0] AlgorithmIdentifier OPTIONAL,
192 conf-alg [1] Conf-Alg OPTIONAL,
193 snd-seq [2] SeqNum OPTIONAL
196 Wrap-Body ::= SEQUENCE {
197 int-cksum BIT STRING,
201 Conf-Alg ::= CHOICE {
202 algId [0] AlgorithmIdentifier,
207 SPKM-DEL ::= SEQUENCE {
208 del-header Del-Header,
212 Del-Header ::= SEQUENCE {
213 tok-id INTEGER --(769)--, -- shall contain 0301 (hex)
214 context-id Random-Integer,
215 int-alg [0] AlgorithmIdentifier OPTIONAL,
216 snd-seq [1] SeqNum OPTIONAL
-- Mechanism object identifier. The comment on InitialContextToken
-- below refers to "thisMech" being SPKM-1 or SPKM-2; the field itself
-- is outside the visible lines. A receiver should match the OID
-- against the mechanisms it implements before interpreting
-- innerContextToken, since the inner CHOICE is decoded on that basis.
222 MechType ::= OBJECT IDENTIFIER
224 SPKMInnerContextToken ::= CHOICE {
226 rep-ti [1] SPKM-REP-TI,
227 rep-it [2] SPKM-REP-IT,
228 error [3] SPKM-ERROR,
234 InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
236 innerContextToken SPKMInnerContextToken
237 } -- when thisMech is SPKM-1 or SPKM-2