x

[heimdal.git] / lib / gssapi / krb5 / spkm.asn1

-- from rfc2025
-- $Id$

SpkmGssTokens DEFINITIONS ::=
BEGIN

IMPORTS AlgorithmIdentifier, Validity,
        Attribute, Certificate, CertificateList, CertificatePair, Name
        FROM rfc2459
        AuthorizationData FROM krb5;

SPKM-REQ ::= SEQUENCE {
        requestToken      REQ-TOKEN,
        certif-data [0]   CertificationData OPTIONAL,
        auth-data [1]     AuthorizationData OPTIONAL
}


CertificationData ::= SEQUENCE {
        certificationPath [0]     CertificationPath OPTIONAL,
        certificateRevocationList [1]  CertificateList OPTIONAL
} -- at least one of the above shall be present


CertificationPath ::= SEQUENCE {
        userKeyId [0]    OCTET STRING OPTIONAL,
        userCertif [1]  Certificate OPTIONAL,
        verifKeyId [2]  OCTET STRING OPTIONAL,
        userVerifCertif [3]   Certificate OPTIONAL,
        theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL
} -- Presence of [2] or [3] implies that [0] or [1] must also be
  -- present.  Presence of [4] implies that at least one of [0], [1],
  -- [2], and [3] must also be present.

REQ-TOKEN ::= SEQUENCE {
        req-contents     Req-contents,
        algId       AlgorithmIdentifier,
        req-integrity    Integrity  -- "token" is Req-contents
}

Integrity ::= BIT STRING
  -- If corresponding algId specifies a signing algorithm,
  -- "Integrity" holds the result of applying the signing procedure
  -- specified in algId to the BER-encoded octet string which results
  -- from applying the hashing procedure (also specified in algId) to
  -- the DER-encoded octets of "token".
  -- Alternatively, if corresponding algId specifies a MACing
  -- algorithm, "Integrity" holds the result of applying the MACing
  -- procedure specified in algId to the DER-encoded octets of
  -- "token"

Req-contents ::= SEQUENCE {
        tok-id     INTEGER --(256)--,  -- shall contain 0100 (hex)
        context-id       Random-Integer,
        pvno         BIT STRING,
        timestamp       UTCTime OPTIONAL, -- mandatory for SPKM-2
        randSrc   Random-Integer,
        targ-name       Name,
        src-name [0]     Name OPTIONAL,
        req-data         Context-Data,
        validity [1]     Validity OPTIONAL,
        key-estb-set     Key-Estb-Algs,
        key-estb-req     BIT STRING OPTIONAL,
        key-src-bind     OCTET STRING OPTIONAL
           -- This field must be present for the case of SPKM-2
           -- unilateral authen. if the K-ALG in use does not provide
           -- such a binding (but is optional for all other cases).
           -- The octet string holds the result of applying the
           -- mandatory hashing procedure (in MANDATORY I-ALG;
           -- see Section 2.1) as follows:  MD5(src || context_key),
           -- where "src" is the DER-encoded octets of src-name,
           -- "context-key" is the symmetric key (i.e., the
           -- unprotected version of what is transmitted in
           -- key-estb-req), and "||" is the concatenation operation.
}

Random-Integer ::= BIT STRING

Context-Data ::= SEQUENCE {
        channelId       ChannelId OPTIONAL,
        seq-number      INTEGER OPTIONAL,
        options  Options,
        conf-alg        Conf-Algs,
        intg-alg        Intg-Algs,
        owf-alg  OWF-Algs
}

ChannelId ::= OCTET STRING

Options ::= BIT STRING {
        delegation-state (0),
        mutual-state (1),
        replay-det-state (2),
        sequence-state (3),
        conf-avail (4),
        integ-avail (5),
        target-certif-data-required (6)
}

Conf-Algs ::= CHOICE {
        algs [0]         SEQUENCE OF AlgorithmIdentifier,
        null [1]         NULL
}

Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier

OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier

Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier


SPKM-REP-TI ::= SEQUENCE {
        responseToken    REP-TI-TOKEN,
        certif-data      CertificationData OPTIONAL
          -- present if target-certif-data-required option was
}        -- set to TRUE in SPKM-REQ

REP-TI-TOKEN ::= SEQUENCE {
        rep-ti-contents  Rep-ti-contents,
        algId       AlgorithmIdentifier,
        rep-ti-integ     Integrity  -- "token" is Rep-ti-contents
}

Rep-ti-contents ::= SEQUENCE {
        tok-id     INTEGER --(512)--,   -- shall contain 0200 (hex)
        context-id       Random-Integer,
        pvno [0]         BIT STRING OPTIONAL,
        timestamp       UTCTime OPTIONAL, -- mandatory for SPKM-2
        randTarg         Random-Integer,
        src-name [1]     Name OPTIONAL,
        targ-name       Name,
        randSrc   Random-Integer,
        rep-data         Context-Data,
        validity [2]     Validity  OPTIONAL,
        key-estb-id      AlgorithmIdentifier OPTIONAL,
        key-estb-str     BIT STRING OPTIONAL
}

SPKM-REP-IT ::= SEQUENCE {
        responseToken    REP-IT-TOKEN,
        algId       AlgorithmIdentifier,
        rep-it-integ     Integrity  -- "token" is REP-IT-TOKEN
}

REP-IT-TOKEN ::= SEQUENCE {
        tok-id     INTEGER --(768)--,  -- shall contain 0300 (hex)
        context-id       Random-Integer,
        randSrc   Random-Integer,
        randTarg         Random-Integer,
        targ-name       Name,
        src-name         Name OPTIONAL,
        key-estb-rep     BIT STRING OPTIONAL
}

SPKM-ERROR ::= SEQUENCE {
        errorToken       ERROR-TOKEN,
        algId       AlgorithmIdentifier,
        integrity       Integrity  -- "token" is ERROR-TOKEN
}

ERROR-TOKEN ::=   SEQUENCE {
        tok-id     INTEGER --(1024)--, -- shall contain 0400 (hex)
        context-id       Random-Integer
}

SPKM-MIC ::= SEQUENCE {
        mic-header       Mic-Header,
        int-cksum       BIT STRING
}

Mic-Header ::= SEQUENCE {
        tok-id     INTEGER --(257)--, -- shall contain 0101 (hex)
        context-id       Random-Integer,
        int-alg [0]      AlgorithmIdentifier OPTIONAL,
        snd-seq [1]      SeqNum OPTIONAL
}

SeqNum ::= SEQUENCE {
        num           INTEGER,
        dir-ind   BOOLEAN
}

SPKM-WRAP ::= SEQUENCE {
        wrap-header       Wrap-Header,
        wrap-body        Wrap-Body
}

Wrap-Header ::= SEQUENCE {
        tok-id     INTEGER --(513)--, -- shall contain 0201 (hex)
        context-id       Random-Integer,
        int-alg [0]      AlgorithmIdentifier OPTIONAL,
        conf-alg [1]     Conf-Alg OPTIONAL,
        snd-seq [2]      SeqNum OPTIONAL
}

Wrap-Body ::= SEQUENCE {
        int-cksum       BIT STRING,
        data         BIT STRING
}

Conf-Alg ::= CHOICE {
        algId [0]       AlgorithmIdentifier,
        null [1]         NULL
}


SPKM-DEL ::= SEQUENCE {
        del-header       Del-Header,
        int-cksum       BIT STRING
}

Del-Header ::= SEQUENCE {
        tok-id     INTEGER --(769)--, -- shall contain 0301 (hex)
        context-id       Random-Integer,
        int-alg [0]      AlgorithmIdentifier OPTIONAL,
        snd-seq [1]      SeqNum OPTIONAL
}


-- other types --

MechType ::= OBJECT IDENTIFIER

SPKMInnerContextToken ::= CHOICE {
        req    [0] SPKM-REQ,
        rep-ti [1] SPKM-REP-TI,
        rep-it [2] SPKM-REP-IT,
        error  [3] SPKM-ERROR,
        mic    [4] SPKM-MIC,
        wrap   [5] SPKM-WRAP,
        del    [6] SPKM-DEL
}

InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
        thisMech              MechType,
        innerContextToken     SPKMInnerContextToken
}     -- when thisMech is SPKM-1 or SPKM-2


END