//tabstop=4 //*********************************************************************** // ORBAsec SL3 // ---------------------------------------------------------------------- // Copyright (C) 2001 Adiron, LLC. // All rights reserved. // ---------------------------------------------------------------------- // $Id$ //*********************************************************************** //*********************************************************************** /** * @note Some interfaces in this IDL module have been altered from the * original Adiron sources. */ //*********************************************************************** #ifndef _SecurityLevel3_ #define _SecurityLevel3_ #include "tao/Policy.pidl" #include "tao/TimeBase.pidl" #pragma prefix "adiron.com" /** * The Security Level 3 module contains the data definitions and * the Application Programmers Interface for dealing with the * ORBAsec SL3 Security, and the new CSIv2 Security Protocol, which has * been adopted by the OMG. *
* The SecurityLevel3 interfaces and its security data structures * are based on the Principal Calculus. This is a mathematical * model of representing principals for the use of access control * and auditing. *
* The SecurityLevel3 Security Service is represented by two objects * that are returned by the ORB's resolve_initial_reference call. * Those two objects are the SecurityManager and the SecurityCurrent. * Other objects associated with the security service emanate from * these two objects. *
* The SecurityLevel3 Security Service has a Credentials model. This * model, which is heavily based on the Principal Calculus, yields * an API for accessing principal information. The credentials * represent a principal's credentials, as well as the establishment * of security contexts between client and servers. *
* The SecurityLevel3 Security Service is currently CSIv2 Level 2 * compliant: *
* The Security Level 3 ORB Security Service does supports retention * of CSI state. Client Authentication information and Identity * assertion information is transmitted on each request. *
* The Security Level 3 ORB Security Service does not automatically * support endorsement at this time (CSIv2 Level 2 compliance), but * does give you facility to do so. */ module SecurityLevel3 { /** * The Adiron VMCID, which is used in Minor Error Codes, * Policy Tags, etc. */ const unsigned long ADIRON_VMCID = 0xA11C000; //------------------------------------------------------------- // Security Level 3 Data Representations // //------------------------------------------------------------- // // A Principal Name // A principal name always has a type, and a path of // name components. They are ordered from least significant // to most significant. For example, if a principal is represented // by a single X.509 certificate, the first element in the path // is the SubjectDN, and the second is the IssuerDN. // /** * A NameType is used for typing a PrincipalName data structure. * A NameType is a string that represents an ASN.1 * OBJECT IDENTIFIER. Its representation usually of the form * "oid:1.2.3.4". Other forms may be possible. It is used * for encoding name type identifiers, which are ASN.1 DER encoded * OBJECT IDENTIFIERs, in the CSI protocol. * @see NameComponent * @see NamePath * @see NameValue * @see PrincipalName */ typedef string NameType; /** * A NameComponent is an ordered component of a NamePath. The * least significant component is always the first component. * It is the type of a wstring to handle international character * values. * @see NameType * @see NamePath * @see NameValue * @see PrincipalName */ typedef wstring NameComponent; /** * A NamePath is an ordered collection of NameComponents, ordered * from the least significant to most significant. For example, * an identity that is defined by a certificate that has a * SubjectDN of "C=US,CN=Joe,O=Adiron" and an IssuerDN of * "C=US,CN=AdironCA,O=Adiron" will have the following * name components: *
* NameComponent[0] = "C=US,CN=Joe,O=Adiron" * NameComponent[1] = "C=US,CN=AdironCA,O=Adiron" ** @see NameType * @see NameComponent * @see NameValue * @see PrincipalName */ typedef sequence
* The type of a PrinAttribute is represented by a string. *
* Privilege Attribute Types, that might come from X.509 certificates * might be represented by OIDs. OIDs are represented as: *
* oid:n1.n2.n3.n4.n5.n6.... * for an OID where ni are non-negative integers. ** These OIDs are meant to be used to direct the "type-value" encoding * of a GSS-API ExportName, which uses an OID as a type that directs * the encoding of the value. *
* Example Environmental Attribute Types *
* SL3:ChannelIdentifier * SL3:LocalAddress * SL3:LocalPort * SL3:TransportMechanism * SL3:TLSCipherSuite ** @see PrinAttribute */ typedef string PrinAttributeType; /** * A PrinAttributeValue is a wide character string that encodes * or decodes the value of an attribute. An attempt is always * meant to represent an attribute's value in a human readable * string form. If the value cannot be decoded this way, and its * native form is binary, then it is represented in a Hex encoding * of the binary form. * @see PrinAttribute */ typedef wstring PrinAttributeValue; /** * A PrinAttribute is a "type-value" pair, usually attributed to * a Principal by some means, such as values stored in its certificate * or environmental concerns, such as the channel the principal was * authenticated over. * @see PrinAttribute */ struct PrinAttribute { PrinAttributeType the_type; PrinAttributeValue the_value; }; /** * A list of PrinAttributes. * @see PrinAttribute */ typedef sequence
* From GSS-Kerboeros RFC 1964: *
* 2.1.1. Kerberos Principal Name Form *
* This name form shall be represented by the Object Identifier {iso(1) * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) * krb5(2) krb5_name(1)}. */ const NameType NT_KerberosName = "oid:1.2.840.113554.1.2.2.1"; /** * An NT_X509DirectoryNamePath is a NameType that signifies that * the value of a PrincipalName is constructed from a chain * of certificates, such that the end entity is the least * significant position, with the subsequent issuers following * in order of signature. *
* The coding of the names is the string encoding of
* complete X.500 DN's, such as "C=US, CN=Joe, O=Adiron".
* There is no indication whether the last DN in the path is a
* "root", i.e. it's issuer is the same.
*/
const NameType NT_X509DirectoryNamePath = "SL3:X509DirectoryPathName";
/**
* The NT_Anonymous is a name type that specifies that the
* PrincipalName is representing the "anonymous" principal.
* Its value always as a single name component of "anonymous"
*/
const NameType NT_Anonymous = "SL3:anonymous";
/**
* The NT_StringName is a NameType that specifies that the
* PrincipalName is represented by a single NameComponent
* of name in a "scoped" name space. The name and scope
* are separated by a single "@" character. The escape character
* is "\". This string name as we call it is the same form
* used for the GSSUP (GSS-UserPassword NameType). This
* oid is the OID defined by the OMG CSIv2 specification. It
* is the value defined by the CSI::GSS_NT_Scoped_Username_OID
* constant.
*/
const NameType NT_StringName = "oid:2.23.130.1.2.1";
//
// Privileges
//
/**
* A ScopedPrivileges structure represents privileges that
* belong to a scope defined by a principal. This structure
* is used to represent a principal that is a privilege authority
* that issues privileges. Privileges are represented as
* PrinAttributes.
*/
struct ScopedPrivileges {
PrincipalName privilege_authority;
PrinAttributeList privileges;
};
/**
* A list of ScopedPrivileges
* @see ScopedPrivileges
*/
typedef sequence
* If the
* If the
* If the
* If the
* Important: This valuetype extends the Principal value type. The
*
* Important: This valuetype extends the Principal value type. The
*
* Statements are contained in the Credentials Objects. They
* represent pieces of evidence collected from which the security
* service deduces the Principal of the Credentials Objects.
*/
typedef unsigned long StatementType;
/**
* The Identity Statement Type.
*
* A statement of this type at least extends to the
* IdentityStatement valuetype, if not truncated
* @see IdentityStatement
*/
const StatementType ST_IdentityStatement = 1; //valuetype IdentityStatement
/**
* The Endorsement Statement Type.
*
* A statement of this type at least extends to the
* EndorsementStatement valuetype, if not truncated
* @see EndorsementStatement
*/
const StatementType ST_EndorsementStatement = 2; //valuetype EndorsementStatement
/**
* An encoding is a sequence of bytes.
*/
typedef sequence
* Statements carry their original encoding information, if
* they came from an encoding, such as list of X.509 identity
* certificates (i.e. a chain). The encoding type may be derivable
* from the encoding itself. For example, it's easy to tell the
* difference between a PEM encoded certificate, and a DER encoded
* certificate. Therefore, the encoding type may default to "Unknown".
* Other types may exist than the ones provided as constants in
* this module.
*/
typedef string EncodingType;
/**
* The ET_NoEncoding type signifies that the statement
* has been generated solely by the security service
* and has no encoding.
*/
const EncodingType ET_NoEncoding = "NoEncoding";
/**
* The ET_Unknown encoding type may always be used if the encoding
* type can only be figured out from encoding itself.
*/
const EncodingType ET_Unknown = "Unknown";
/**
* User Exception for a bad encoding.
*/
exception BadEncoding {};
/**
* User Exception for a bad or unsupported encoding type.
*/
exception BadEncodingType {};
/**
* The Statement Layer is the layer of the protocol or security
* service from which the statement emanated, derived, or was collected.
*/
typedef unsigned long StatementLayer;
/**
* Default type for a Statement Layer
*/
const StatementLayer SL_Unknown = 0;
/**
* The SL_Transport statement type signifies that the associated
* statement is derived from the transport layer, such as
* an X.509 Certificate from a TLS handshake.
*/
const StatementLayer SL_Transport = 1;
/**
* The SL_CSIAuthorization statement type signifies that the associated
* statement is derived from the CSI Authorization Layer in the CSIv2
* protocol.
*/
const StatementLayer SL_CSIAuthorization = 2;
/**
* The SL_CSIClientAuth statement type signifies that the associated
* statement is derived from the CSI Client Authentication Layer
* in the CSIv2 protocol.
*/
const StatementLayer SL_CSIClientAuth = 3;
/**
* The SL_CSIIdentity statement type signifies that the associated
* statement is derived from the CSI Identity Assertion Layer
* in the CSIv2 protocol.
*/
const StatementLayer SL_CSIIdentity = 4;
/**
* The SL_UserDefined statement layer signifies that the associate
* statement is derived or created by a user or some other
* entity than the security service.
*/
const StatementLayer SL_UserDefined = 5;
/**
* The Statement base type contains the information common
* to all statements. A statement has an "external" encoding, such
* as an X509 Certificate. Some statements may not have an encoding,
* but its extension may carry the pertinent marshable information,
* such as a PrincipalIdentityStatement for anonymous, which is
* generated by the security service.
*/
valuetype Statement {
/**
* This field contains an identifier of the
* service layer that generated the statement.
* The layer that generated or delivered
* the statement, i.e. Transport, CSIv2 Authentication,
* CSIv2 Authorization, or CSIv2 Identity Assertion.
*/
public StatementLayer the_layer;
/**
* The type of statement, which indicates its extension
* such as an Identity Statement or an Endorsement
* Statement.
*/
public StatementType the_type;
/**
* This field indicates the type of encoding.
* The encoding may be contrived, at the encoding
* may not exist, however, the extension of the
* statement type may contain data that can
* be marshaled across the wire. See the Principal
* Identity Statement.
*/
private EncodingType encoding_type;
/**
* The bytes of the encoding, if it exists.
*/
private Encoding the_encoding;
/**
* Returns the encoding type
*/
EncodingType get_encoding_type();
/**
* Returns an encoding of this statement. Some implementations
* may be able to convert. Using and encoding_type of
* ET_Unknown, will always yield the default encoding,
* if it exists. If the encoding does not exist,
* a successful return containing an empty
* sequence will result.
*/
Encoding get_encoding(
in EncodingType encoding_type
) raises (
BadEncodingType
);
/**
* This factory method allows users to create their
* own Statements from an encoding. The statements created
* by this factory method may have a type which is a further
* extension of the valuetype Statement.
*/
factory create(
in EncodingType encoding_type,
in Encoding the_encoding
);
};
typedef sequence
* An example of an identity statement is an X.509 certificate in
* which its attributes are exposed into the principal, such as
* privileges. This valuetype may also be further extended by the
* security service depending on its encoding and the capabilities
* of the security service.
*/
valuetype PrincipalIdentityStatement : IdentityStatement {
public Principal the_principal;
};
/**
* The Endorsement Statement is a statement that is used for
* authorization. An Endorsement statement endorses a
* principal with certain characteristics, such as privileges
* or the authority to act on behalf of another principal, sometimes
* called "delegation".
*
* According to our research, an endorsement statement may be a
* complex entity containing matching rules for the endorsement.
* An endorsement may have the following general form:
*
* This approach to authorization is a largely unexplored research
* topic. There are not many or well known encodings of endorsement
* statements. Therefore, we are reluctant to produce interfaces
* just yet, that go beyond the encoding. However, we do expose the
* Endorsement statement type, which may further direct the interpretation
* of it's encoding.
*/
valuetype EndorsementStatement : Statement {
/**
* This field contains a possibly well known identifier that
* may aid in the interpretation of the identity statement's
* encoding. It may be an empty string, which signifies that
* there is no known interpretation aid for the encoding, or
* that there is no encoding.
*/
public string interpretation_aid;
};
/**
* An X509IdentityStatement is one that extends the Principal Identity
* Statement. If one does get an X509 IdentityStatement, it is
* currently supported with IAIK in both DER and PEM formats.
*/
valuetype X509IdentityStatement : PrincipalIdentityStatement {
/**
* This factory method allows users to create their
* own X509Identity statements from an encoding.
*/
factory create(
in EncodingType encoding_type,
in Encoding the_encoding
);
};
typedef sequence
* Note that this Context Id is not directly related to the context
* defined in the CSIv2 specification.
*/
typedef string ContextId;
/**
* Credentials Usage
*
* Credentials Usage refers to the concept that Credentials may
* be used to initiate security context, accept security contexts,
* or do both. its values are used in the acquisition
* of credentials for the purpose of designating the abilities
* of the credentials acquired.
*/
typedef unsigned long CredentialsUsage;
/**
* The CU_Indefinite CredentialsUsage type is a value that
* signifies the default. Depending on some other acquisition
* arguments, the credentials usage may be able to be implicitly
* determined.
*/
const CredentialsUsage CU_Indefinite = 1;
/**
* The CU_None CredentialsUsage type is a value that states the
* credentials cannot be used to make or accept security
* contexts. ClientCredentials and TargetCredentials have
* this credentials usage.
*/
const CredentialsUsage CU_None = 2;
/**
* The CU_AcceptOnly CredentialsUsage type is a value that signifies
* that the credentials can only be used to accept the establishment
* of security contexts.
*/
const CredentialsUsage CU_AcceptOnly = 3;
/**
* The CU_InitiateOnly CredentialsUsage type is a value that signifies
* that the credentials can only be used to initiate the establishment
* of security contexts.
*/
const CredentialsUsage CU_InitiateOnly = 4;
/**
* The CU_InitiateAndAccept CredentialsUsage type is a value that
* signifies that the credentials can be used to both initiate
* and accept the establishment of security contexts.
*/
const CredentialsUsage CU_InitiateAndAccept = 5;
/**
* A CredsDirective is a directive on a invocation as to the
* effects of the initiated security context will have on the
* the accepting side. Please see ContextEstablishmentPolicy
* for is use in context with establishing security contexts.
* @see ContextEstablishmentPolicy
*/
typedef unsigned long CredsDirective;
/**
* The CD_Default CredsDirective is a value that signifies to
* use the capabilities of the selected credentials.
*/
const CredsDirective CD_Default = 0;
/**
* The CD_InvokeTarget CredsDirective is a value that signifies that
* the selected credentials should only be used in a simple
* invocation fashion. They shall not attempt to endorse or embody
* the target to act on its behalf.
*/
const CredsDirective CD_InvokeTarget = 1;
/**
* The CD_EndorseTarget CredsDirective is a value that signifies that
* the selected credentials, if capable, should attempt to endorse
* the target. In other words, it gives the accepting side the ability
* to act on behalf of the initiating side.
*/
const CredsDirective CD_EndorseTarget = 2;
/**
* The CD_EmbodyTarget CredsDirective is a value that signifies that
* the selected credentials, if capable, should attempt to embody
* the target. In other words, it gives the accepting side the ability
* to impersonate the initiating side.
*/
const CredsDirective CD_EmbodyTarget = 3;
/**
* A Feature Directive is a general directive used in policy that
* stipulates the of a particular feature. Such examples include,
* confidentiality, integrity, client authentication, etc.
*/
typedef long FeatureDirective;
/**
* The FD_DoNotUse FeatureDirective means definitely not to use
* the feature.
*/
const FeatureDirective FD_DoNotUse = -2;
/**
* The FD_DoNotUseIfPossible FeatureDirective means not to use
* the feature if it is possible. Note, some mechanisms may always
* use confidentiality.
*/
const FeatureDirective FD_DoNotUseIfPossible = -1;
/**
* The FD_UseDefault FeatureDirective means to use or not to use
* the feature depending on defaults.
*/
const FeatureDirective FD_UseDefault = 0;
/**
* The FD_UseIfPossible FeatureDirective means to use the feature
* if it is possible.
*/
const FeatureDirective FD_UseIfPossible = 1;
/**
* The FD_Use FeatureDirective means definitely to use the feature.
*/
const FeatureDirective FD_Use = 2;
/**
* The Initiator Type of the Initiator Side of the Credentials states
* the kind of Initiator it is. There are three types that mirror
* the type of Principal, Simple, Quoting, and Proxy, that the
* initiator intends to represent to a server while trying to
* establish a security context with the server.
*/
typedef unsigned long InitiatorType;
/**
* The IT_None InitiatorType is a value that is defined for
* completeness, and has no real use.
*/
const InitiatorType IT_None = 0;
/**
* The IT_Simple InitiatorType is a value that states that the
* initiator is a "Simple" Principal.
*/
const InitiatorType IT_Simple = 1;
/**
* The IT_Quoting InitiatorType is a value that states that the
* initiator will quote another principal to the server. This
* principal is denoted in the Principal Calculus as (A|B), i.e.
* A quoting B.
*/
const InitiatorType IT_Quoting = 2;
/**
* The IT_Proxy InitiatorType is a value that states that the
* initiator will quote another principal to the server along with
* getting or providing proof to the server that it can act on
* behalf of the quoted principals. This
* principal is denoted in the Principal Calculus as (A for B).
*/
const InitiatorType IT_Proxy = 3;
/**
* The CredsInitiator object is an object that is directly a
* member of a particular OwnCredentials object. It represents
* the "initiator" side of the credentials.
*/
local interface CredsInitiator {
/**
* The principal attribute contains a local view of the
* Principal that the Credentials intend to represent.
* Note that during context establishment, the actual establish
* client principal may be represented differently, especially
* with respect to environmental attributes. Some environmental
* attributes are a direct result of context establishment.
*/
readonly attribute Principal the_principal;
/**
* The supporting statements attribute contains a list of statements
* supporting the principal associated with this initiator.
*/
readonly attribute StatementList supporting_statements;
/**
* The restricted_resources attribute contains a list of
* resource names, by which the credentials initiator
* believes his authorizations apply.
*/
readonly attribute ResourceNameList restricted_resources;
/**
* The initiator_type attribute signifies the intent of the
* initiator as to the principal it presents for the
* security context establishment. It should correspond
* to the type of the Principal. However, it might be slightly
* different, because using CSIv2 Client Authentication
* technically creates a "QuotingPrincipal" however, the
* initiator type will still be simple as no CSIv2 Identity
* Assertion will be used in establishing the security
* context.
*/
readonly attribute InitiatorType initiator_type;
/**
* The supports_embodiment attribute is
* This object contains only the information used from the
*
* Any objects references that are binded to these
* credentials after you release them will become unusable.
*
* This operation is experimental.
*/
void release();
};
//--------------------------------------------------------------------
// Security Invocation Policy
//
//--------------------------------------------------------------------
/**
* The ContextEstablishmentPolicy policy object directs the
* establishment of security contexts with a target.
*
* The CredsDirective usage is the following:
*
* On using Own Credentials. The creds_ids name Own Credentials.
* Also, they restrict the invocation to use only certain credentials.
* If the cred_ids list is empty, then the own credentials for the
* invocation are selected from a default, which may be
* set on the thread or the ORB instance.
*/
local interface ContextEstablishmentPolicy : CORBA::Policy {
readonly attribute CredsDirective creds_directive;
readonly attribute OwnCredentialsList creds_list;
readonly attribute FeatureDirective use_client_auth;
readonly attribute FeatureDirective use_target_auth;
readonly attribute FeatureDirective use_confidentiality;
readonly attribute FeatureDirective use_integrity;
};
/**
* Type to be passed to ContextEstablishmentPolicy PolicyFactory
* through an Any.
*/
struct ContextEstablishmentPolicyArgument
{
CredsDirective creds_directive;
OwnCredentialsList creds_list;
FeatureDirective use_client_auth;
FeatureDirective use_target_auth;
FeatureDirective use_confidentiality;
FeatureDirective use_integrity;
};
/**
* The ContextEstablishmentPolicyType constant is
* holds value used to denote the ContextEstablishmentPolicy.
*/
const CORBA::PolicyType ContextEstablishmentPolicyType = ADIRON_VMCID | 1001;
/**
* The ObjectCredentialsPolicy object is placed on the policy list
* of a POA to indicate the own credentials
* that govern the accepting contexts for objects underneath
* that POA. The credentials listed here, only if they have Accepting
* capability, are used to created security components in the
* IOR of the object's reference when created.
*/
local interface ObjectCredentialsPolicy : CORBA::Policy {
readonly attribute OwnCredentialsList creds_list;
};
/**
* Type to be passed to ObjectCredentialsPolicy PolicyFactory
* through an Any.
*/
typedef OwnCredentialsList ObjectCredentialsPolicyArgument;
/**
* The ObjectCredentialsPolicyType constant is
* holds value used to denote the ObjectCredentialsPolicy.
*/
const CORBA::PolicyType ObjectCredentialsPolicyType = ADIRON_VMCID | 1002;
//--------------------------------------------------------------------
// Security Level 3 Credentials Acquisition Mechanism
//
//--------------------------------------------------------------------
/**
* Credentials are acquired by a Credentials Acquirer by some
* acquisition mechanism specified in the Credentials Curator.
* Acquisition methods are available on the curator. The
* specifics of arguments needed and the acquisition process
* are defined by the method itself.
*/
typedef string AcquisitionMethod;
typedef sequence
* If this operation in invoked when the
* The
* If this operation in invoked when the
* The following pseudo code describes the process of credentials
* acquisition using
* If the process of credentials acquisition is not completed upon
* the return of the
* If the process of credentials acquisition fails, it is up to the
* implementation to either throw a system exception or return a
*
* The
* If this policy is not put on an object reference, and the
*
* TransportSecurity::ObjectCredentialsPolicy
* is also not on the object references policy list,
* then the default credentials lists from the
*
* SecurityLevel3::CredentialsCurator
* and
*
* TransportSecurity::CredentialsCurator
* are used.
*/
ContextEstablishmentPolicy create_context_estab_policy(
in CredsDirective creds_directive,
in OwnCredentialsList creds_list,
in FeatureDirective use_client_auth,
in FeatureDirective use_target_auth,
in FeatureDirective use_confidentiality,
in FeatureDirective use_integrity
);
/**
* The create_object_creds_policy is a policy factory operation
* that creates the ObjectCredentialsPolicy object. This policy
* is solely for use with policies place on POAs with "POA.create_POA".
* It restricts the POAs use of credentials. If this policy is
* not put on a POA, and the
*
* TransportSecurity::ObjectCredentialsPolicy
* is also not on the POA policy list, then the default
* credentials lists from the
*
* SecurityLevel3::CredentialsCurator
* and
*
* TransportSecurity::CredentialsCurator
* are used.
*/
ObjectCredentialsPolicy create_object_creds_policy(
in OwnCredentialsList creds_list
);
};
/**
* The
* There is only one instance of this object per ORB instance.
* It is resolved by a call to
*
* The value of this attribute, if not null, represents the
* security context with a remote CSIv2 client.
* If the
* If the client is not CSIv2 based, there are no CSIv2 Client
* Credentials, and this attribute is null. In this case,
* the user should try the
* SimplePrincipal
is directly or indirectly
* (as part of a composite Principal
) in the
* ClientCredentials.client_principal
or
*
TargetCredentials.target_principal
field,
* the
authenticated
field indicates the authentication
* status of the SimplePrincipal
in the client or target
* principal, respectively.
* SimplePricipal
is directly or indirectly in
* the ClientCredentials.target_principal
* (or
TargetCredentials.client_principal
) field,
* the
authenticated
field indicates the target's
* (or client's belief) about its authentication status to the other
* party.
* SimplePrincipal
is directly or indirectly in
* the the_principal
field of the initiator or acceptor
* of OwnCredentials
, the authenticated
* field indicates the expectation of being authenticated to the other
* side of the communication when the initiator or acceptor is used.
* SimplePrincipal
is directly or indirectly in
* the the_principal
field of a
* PrincipalIdentityStatement
,
* the authenticated
field indicates only the
* "best effort" of knowing whether the principal has been possibly
* authenticated or not. In other word, if this field is
* TRUE
, it is for sure that the principal has been
* authenticated (or is expecting to be authenticated).
* If this field is FALSE
, the principal may or may not
* have been authenticated. The reason for this ambiguity is that
* a PrincipalIdentityStatement
may be created before
* the authentication of the principal being performed. In general,
* the authenticated
field of a
* SimplePrincipal
inside the the_principal
* field of a PrincipalIdentityStatement
should not be
* taken as a definite answer for the authentication status of the
* SimplePrincipal
.
*
* @see ClientCredentials.client_authentication
* @see ClientCredentials.target_authentication
* @see TargetCredentials.client_authentication
* @see TargetCredentials.target_authentication
*/
// For example, if a client uses the User/Password mechanism to
// communicate with a target, the client's OwnCredentials, created
// using a PasswordGenerator, will have the authenticated
// field in the principal in the initiator being true,
// although the client may not have been authenticated to the target.
//
public boolean authenticated;
/**
* This field contains the other name types, such as
* that appear in the X.509 alternate name fields.
*/
public PrincipalNameList alternate_names;
};
/**
* A ProxyPrincipal represents a principal that speaks for another.
* The principal is proved that it is authorized to speak for another.
* The system believes this, either by trust rules of its own,
* or by delivered endorsement from the principal such as
* Principal (B for A) where the endorsement takes the form
* in the Principal Calculus as (T says B serves A)
* where T is some entity trusted by the security service
* to make those statements.
* the_name
filed of this object will contain the name of the
* speaks_for
principal, as that is the name most access control
* systems would care about. Therefore, this value type can be
* truncated by access control systems that do not want to
* examine the principal in detail.
*/
valuetype ProxyPrincipal : /* truncatable */ Principal {
/**
* In a Proxy Principal of (A for B) the speaking
field
* represents the principal A.
*/
public Principal speaking;
/**
* In a Proxy Principal of (A for B) the speaks_for
field
* represents the principal B.
*/
public Principal speaks_for;
};
/**
* A QuotingPrincipal represents a principal that speaks for another.
* The principal is not proved that it is authorized to speak for another.
* The system derives principals like this based on statements in the
* Pricipal Calculus, such as "A says B says r", which results in the
* quoting principal (A|B) says r, where "r" is a statement, such as
* a CORBA request. The security service derives principals like
* this from the CSI Identity Assertion mechanism.
* the_name
filed of this object will contain the name of the
* quotes_for
principal, as that is the name most access control
* systems would care about. Therefore, this value type can be
* truncated by access control systems that do not want to
* examine the principal in detail.
*/
valuetype QuotingPrincipal : /* truncatable */ Principal {
/**
* In a Quoting Principal of (A|B) the speaking
field
* represents the principal A.
*/
public Principal speaking;
/**
* In a Quoting Principal of (A|B) the quotes_for
field
* represents the principal B.
*/
public Principal quotes_for;
};
//
// Statements
//
/**
* A Statement is a value type that has extensions which
* represent the different relevant data directed by its StatementType.
* There are two basic Statement Types, an IdentityStatement and
* an EndorsementStatement. An identity statement is a statement that
* asserts an identity. It may represent a the components of
* an X.509 certificate during an authentication. An EndorsementStatement
* may represent the contents of an X.509 AttributeCertificate or
* some other notion of an endorsement, such as a certificate in
* BizTalk XML.
*
* I says Principal A matching [(P1 with [p1,...,pn]) or ....]
* speaks_for
* Principal B matching [(T1 with [t1,...,tn]) or ... ]
* has [s1,...,sm]
* on Resources matching [R1, .... Rn]
*
* Actual semantic reduction of principals is directed by the
* the matching rules, and may depend on other statements as well,
* such as local trust rules in the security service configuration.
* Also, much of the capability of an endorsement statement is
* dependent on its encoding.
* TRUE
if these credentials
* can be directed by use of the CredsDirective, to give the
* the accepting end of a context establishment the ability
* to impersonate this initiator principal.
*/
readonly attribute boolean supports_embodiment;
/**
* The supports_endorsement attribute is TRUE
if these credentials
* can be directed by use of the CredsDirective, to endorse
* the accepting end of a context establishment to act
* on behalf of this initiator principal.
*/
readonly attribute boolean supports_endorsement;
/**
* The supports_quoting attribute is TRUE
if these credentials
* can be directed by use of the CredsDirective, to simply
* quote another principal on top of these credentials.
*/
readonly attribute boolean supports_quoting;
/**
* The expiry_time attribute denotes the time that these
* credentials expire.
*/
readonly attribute TimeBase::UtcT expiry_time;
};
/**
* The CredsAcceptor object is an object that is directly a
* member of a particular OwnCredentials object. It represents
* the "acceptor" side of the credentials.
*/
local interface CredsAcceptor {
/**
* The principal attribute contains a local view of the
* Principal that the Credentials intend to represent.
* Note that during context establishment, the actual establish
* target principal may be represented differently, especially
* with respect to environmental attributes. Some environmental
* attributes are a direct result of context establishment.
*/
readonly attribute SecurityLevel3::Principal the_principal;
/**
* The supporting_statements attribute contains a list of statements
* supporting the principal associated with this acceptor.
*/
readonly attribute SecurityLevel3::StatementList supporting_statements;
/**
* The restricted_resources attribute contains a list of
* resource names, by which the credentials initiator
* believes his authorizations apply.
*/
readonly attribute ResourceNameList restricted_resources;
/**
* The accepts_endorsement attribute is TRUE
if these credentials
* supports and accepts CSIv2 endorsement information.
*/
readonly attribute boolean accepts_endorsement;
/**
* The accepts_quoting attribute is TRUE
if these credentials
* supports and accepts CSIv2 Identity Assertion information.
*/
readonly attribute boolean accepts_quoting;
/**
* The expiry_time attribute denotes the time that these
* credentials expire.
*/
readonly attribute TimeBase::UtcT expiry_time;
};
/**
* This type is used to identify listeners for removal.
* A Listener identity will be assigned to a listener when
* it is assigned to a particular object.
*/
typedef string ListenerId;
/**
* This local interface is used to notify the user when the credentials
* have been relinquished. When credentials are "released" they may
* stay around until their work is finished. At that point they
* will be relinquished. Also, if the underlying transport credentials
* are released, then the SecurityLevel3 Credentials get released
* as well. This listener will get informed of this event.
*/
local interface RelinquishedCredentialsListener {
void relinquished_notify(
in CredentialsId creds_id
);
};
/**
* The Credentials base interface contains the common items for
* the different types of credentials.
* @see OwnCredentials
* @see ClientCredentials
* @see TargetCredentials
*/
local interface Credentials {
/**
* The creds_id attribute contains a system generated
* identifier with which can uniquely reference the credentials
* object.
*/
readonly attribute CredentialsId creds_id;
/**
* The creds_type stipulates the type of credentials, i.e.
* to which type of credentials it may be narrowed, e.g.,
* Own, Client, or Target.
*/
readonly attribute CredentialsType creds_type;
/**
* The creds_usage attribute stipulates the intended usage of the
* credentials. For OwnCredentials, it will be one of
* CU_AcceptOnly, CU_Initiate, CU_InitiateAndAccept.
* For ClientCredentials and TargetCredentials it will be
* CU_None.
*/
readonly attribute CredentialsUsage creds_usage;
/**
* The expiry_time attribute denotes the time that these
* credentials expire.
*/
readonly attribute TimeBase::UtcT expiry_time;
/**
* The creds_state attribute contains the
* validity state of the credentials.
*/
readonly attribute CredentialsState creds_state;
/**
* Add a listener that will get notified when the
* OwnCredentials are finally done with any pending
* work and are relinquished by the security service.
*/
ListenerId add_relinquished_listener(
in RelinquishedCredentialsListener listener
);
/**
* Removes a listener. This function raises a BAD_PARAM
* exception if the listener is not registered.
*/
void remove_relinquished_listener(
in ListenerId id
);
};
/**
* A list of credentials.
*/
typedef sequenceSecurityLevel3::SecurityCurrent
object,
* as it is thread based.
* OwnCredentials
that was pertinent in establishing the
* context. There is a pointer back to that OwnCredentials
* object. Once this context is created, its attributes are guaranteed
* not to change.
*/
local interface ClientCredentials : Credentials {
/**
* The context_id attribute contains a system generated unique identifier
* for the context,
*/
readonly attribute ContextId context_id;
/**
* The client_principal attribute contains the principal that
* the security service can deduce is the client from the
* information and mechanisms used.
*/
readonly attribute Principal client_principal;
/**
* The client_supporting_statements attribute contains the statements that
* delivered from CSIv2 protocol along with any from the associated
* OwnCredentials that are used to deduce the client principal.
*/
readonly attribute StatementList client_supporting_statements;
/**
* The client_restricted_resources attribute contains the names of the
* resources that the security service deduces from the CSIv2
* information and information from the associated OwnCredentials.
*/
readonly attribute ResourceNameList client_restricted_resources;
/**
* The target_principal attribute contains the exact principal that
* the security service believes is representative of the
* clients version of the target's principal.
*/
readonly attribute Principal target_principal;
/**
* The target_supporting_statements attribute contains the statements that
* support the deduction of the target principal.
*/
readonly attribute StatementList target_supporting_statements;
/**
* The target_restricted_resources attribute contains names of resources
* on which the target is restricted. This information may come
* from the OwnCredentials.
*/
readonly attribute ResourceNameList target_restricted_resources;
/**
* This attribute refers to the OwnCredentials that were used in
* establishing the security context.
*/
readonly attribute OwnCredentials parent_credentials;
/**
* This attribute is TRUE
if the target has
* authenticated the client, either over the transport, or at
* the CSIv2 Client Authentication layer.
*/
readonly attribute boolean client_authentication;
/**
* This attribute is TRUE
if the target believes that
* the client has authenticated the target over the transport.
*/
readonly attribute boolean target_authentication;
/**
* This attribute is TRUE
if the context is providing
* confidentiality protection.
*/
readonly attribute boolean confidentiality;
/**
* This attribute is TRUE
if the context is providing
* integrity protection.
*/
readonly attribute boolean integrity;
};
/**
* The TargetCredentials object is created as the result of accepting a
* security context for a target. It represents that context.
* It contains only the information used from the OwnCredentials
* that was pertinent in establishing the context.
* There is a pointer back to that OwnCredentials object.
* Once this context is created, its attributes are guaranteed
* not to change.
*/
local interface TargetCredentials : Credentials {
/**
* The context_id attribute contains a system generated
* unique identifier for the context.
*/
readonly attribute ContextId context_id;
/**
* The client_principal attribute contains the principal that
* the security service believe is the target's
* ClientCredentials client_principal attribute.
*/
readonly attribute Principal client_principal;
/**
* The client_supporting_statements attribute contains the
* statements that support the deduction of the client principal.
*/
readonly attribute StatementList client_supporting_statements;
/**
* The client_restricted_resources attribute contains names of
* resources on which the client believes the client is restricted.
* This information may be derived from newly acquired endorsement
* information.
*/
readonly attribute ResourceNameList client_restricted_resources;
/**
* The target_principal attribute contains the exact principal that
* the security service deduces to be the target.
*/
readonly attribute Principal target_principal;
/**
* The target_supporting_statements attribute contains the statements
* that support the deduction of the target principal.
*/
readonly attribute StatementList target_supporting_statements;
/**
* The target_restricted_resources attribute contains names of
* resources on which the target is restricted. This information
* may not be available.
*/
readonly attribute ResourceNameList target_restricted_resources;
/**
* The parent_credentials attribute refers to the OwnCredentials
* that were used in establishing the security context.
*/
readonly attribute OwnCredentials parent_credentials;
/**
* The client_authentication attribute is TRUE
if the client
* believes that the target has authenticated the client, either
* over the transport, or at the CSIv2 Client Authentication layer.
*/
readonly attribute boolean client_authentication;
/**
* The target_authentication attribute is TRUE
if the client has
* authenticated the target over the transport.
*/
readonly attribute boolean target_authentication;
/**
* The confidentiality attribute is TRUE
if the context is
* providing confidentiality protection.
*/
readonly attribute boolean confidentiality;
/**
* The integrity attribute is TRUE
if the context is providing
* integrity protection.
*/
readonly attribute boolean integrity;
/**
* The target_embodied attribute is TRUE
if the security service
* believes that the target is embodied to impersonate the client
* side principal.
*/
readonly attribute boolean target_embodied;
/**
* The target_endorsed attribute is TRUE
if the security service
* believes that the target is endorsed to act on behalf of the
* client side principal.
*/
readonly attribute boolean target_endorsed;
/**
* The release operation indicates to the CSIv2 protocol, that if
* state is being retained for these credentials, they
* will be discarded with the pending next request that
* may have not yet gone out.
*
*
* current_status
attribute contains
* the AQST_Continued
value,
* this operation returns, if necessary and supported
* by the acquisition method, any data that may direct the
* acquisition.
* current_status
* attribute does not have the AQST_Continued
value,
* a BAD_INV_ORDER
exception will be raised.
*/
any get_continuation_data();
/**
* This operation continues the acquisition. The argument
* data is dependent on the acquisition method.
*/
AcquisitionStatus continue_acquisition(
in any acquisition_arguments
);
/**
* Once the current_status
attribute has the
* AQST_Succeeded
value, a call to this operation
* is used to retrieve the acquired OwnCredentials
* and, optionally, place the credentials on the curator's default own
* credentials list (for use with default ContextEstablishmentPolicy
* and ObjectCredentialsPolicy).
* CredentialsAcquirer
object is destroyed after
* this call.
* Any operation called on a destroyed CredentialsAcquirer
* raises a BAD_INV_ORDER
exception.
* current_status
* attribute does not have the AQST_Succeeded
value,
* a BAD_INV_ORDER
exception will be raised.
*
* @param on_list TRUE
if these credentials go on the
* default own credentials list of the
* CredentialsCurator
.
*/
OwnCredentials get_credentials(
in boolean on_list
);
/**
* This operation is used to destroy the
* CredentialsAcquirer
object before
* get_credentials
is called.
* Any operation called on a destroyed CredentialsAcquirer
* raises a BAD_INV_ORDER
exception.
*/
void destroy();
};
/**
* The CredentialsCurator
object is a single object per an ORB
* instance's Security Service. It has the ability to create
* CredentialsAcquirer
s and keeps a list of active default
* credentials. It is resolved by a call to
*
* ORB.resolve_initial_references("SecurityLevel3:CredentialsCurator");
*
* Or it may be retrieved from the SecurityManager
's
* credentials_curator
attribute.
* CredentialsCurator
.
*
* // Resolve the Credentials Curator
* CredentialsCurator curator = ....
* resolve_initial_references("SecurityLevel3:CredentialsCurator");
*
* // Build up an acquisition argument (e.g., using SL3CSI::CSIArgBuilder)
* Any arg = ...
*
* // Acquire credentials and get a Credentials Acquirer
* CredentialsAcquirer acquirer =
* curator.acquire_credentials("SL3CSIAQArgs",arg);
*
* // Get credentials and destroy the Credentials Acquirer
* OwnCredentials own = acquirer.get_credentials(false);
*
*/
local interface CredentialsCurator {
/**
* This attribute contains a list of
* acquisition methods that are supported. Method identifiers
* are defined in modules that signify their support.
*
* @see "SL3CSI"
* @see "SL3TLS"
* @see "SL3TCPIP"
* @see "SL3KRB5"
*/
readonly attribute SecurityLevel3::AcquisitionMethodList
supported_methods;
/**
* This operation starts the process of credentials acquisition and
* create a CredentialsAcquirer
for a particular
* acquisition method. It takes an initial set of arguments for
* the acquisition. The content of the arguments are based on the
* acquisiton method. Depending on the method, it is possible that
* the credentials may be immediately available from a call to
* get_credentials
on the returned
* CredentialsAcquirer
.
* acquire_credentials
operation,
* the returned CredentialsAcquirer
object shall have
* its current_status
at AQST_Continued
.
* In this case, the get_continuation_data
and
* continue_acquisition
operations shall be used to
* complete the credentials acquisition process.
* CredentialsAcquirer
with the AQST_Failed
* status.
* acquisition_arguments
parameter is a CORBA
* any
that is constructed according to the acquisition
* method used. The ArgumentFactory
from the
* SL3AQArgs
module is a local object that helps
* immensely with the construction of this complex argument.
* Extensions of that object are defined in their own separate
* modules that pertain to the particular acquisition mechanism,
* such as the SL3CSI, SL3TLS, SL3TCPIP, SL3KRB5 modules.
*
* @param acquisition_method
* The identifier of the desired acquisition method.
* A CORBA BAD_PARAM
exception will be raised
* if the named method is not supported.
* @param acquisition_arguments
* The argument of the desired acquisition method.
* This CORBA any
type is constructed according
* to the particular acquisition method.
*
* @see "SL3AQArgs"
* @see "SL3CSI"
* @see "SL3TLS"
* @see "SL3TCPIP"
* @see "SL3KRB5"
*/
CredentialsAcquirer acquire_credentials(
in SecurityLevel3::AcquisitionMethod acquisition_method,
in any acquisition_arguments
);
/**
* The Curator's Default Own Credentials list.
*/
readonly attribute OwnCredentialsList default_creds_list;
/**
* The Curator's ids of the credentials on the default list.
*/
readonly attribute CredentialsIdList default_creds_ids;
/**
* This operation retrieves Own Credentials by identifier.
* It is not required that the identifier name a credentials
* on the default_credentials_list. The Curator keeps track
* of all OwnCredentials it creates, until they are explicitly
* released.
*/
OwnCredentials get_own_credentials(
in CredentialsId credentials_id
);
/**
* This operation releases credentials from the default_creds_list,
* if there, and also disables the credentials from further use,
* provided that all their pending work is done.
*/
void release_own_credentials (
in CredentialsId credentials_id
);
};
//--------------------------------------------------------------------
// Security Service ORB Objects
// Retrieved from the ORB by "resolve_initial_references".
//
//--------------------------------------------------------------------
/**
* The SecurityManager
object represents the Security Level 3
* Security Service. There is one object of this type per ORB
* instance. It is resolved by a call to
*
* ORB.resolve_initial_references("SecurityLevel3:SecurityManager");
*
*/
local interface SecurityManager {
/**
* The credentials_curator attribute contains the reference
* to the SecurityLevel3 Credentials Curator. There is only
* one instance per ORB.
*/
readonly attribute CredentialsCurator credentials_curator;
/**
* The get_target_credentials operation retrieves the
* TargetCredentials that represents a CSIv2 security association
* with a Target. This operation causes communication with
* the target in order to establish a security context.
*/
TargetCredentials get_target_credentials(
in Object the_object
);
/**
* The create_context_estab_policy operation is a policy factory
* operation that creates the Security Level 3
* ContextEstablishmentPolicy object. This policy is placed on
* the policy override lists of object references to direct
* the security characteristics when communicating through
* that object reference.
* SecurityCurrent
object references thread specific
* data pertaining to the security service. It is used to retrieve
* the client's credentials during an invocation on the server side.
*
* ORB.resolve_initial_references("SecurityLevel3:SecurityCurrent");
*
*/
local interface SecurityCurrent {
/**
* From inside the execution of a target object implementation,
* this attribute contains the representation of the remote client's
* credentials. This attribute is null if the client is not CSIv2
* based, or the client is from a collocated call.
* request_is_local
attribute is
FALSE
,
* the current thread of execution is directly servicing a remote
* request for the target object within the target's implemenation.
* If the request_is_local
attribute is TRUE
,
* the current thread of execution is servicing an ORB mediated call
* on a collocated object.
*