path: root/TAO/orbsvcs/orbsvcs/CSI.idl
blob: 76016c4fa01895788c30fd6b80f9c357f3eae807 (plain)
// -*- IDL -*-

//=============================================================================
/**
 *  @file   CSI.idl
 *
 *  @author Object Management Group
 */
//=============================================================================


#ifndef _CSI_IDL_
#define _CSI_IDL_

#include "tao/IOP.pidl"

module IOP
{
  // Service context identifier under which CSI (Security Attribute
  // Service) contexts are carried in a GIOP service context list.  The
  // value is assigned by the OMG and is part of the wire protocol: a
  // peer that tags SAS contexts with a different id will not be
  // recognised, so it must not be changed.
  const ServiceId SecurityAttributeService = 15;
};

module CSI {
  // All repository ids in this module are "IDL:omg.org/CSI/...", so the
  // generated types interoperate with other ORBs' CSIv2 mappings.
  typeprefix CSI "omg.org";

  // The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever.
  // NOTE(review): as written the literal occupies the low-order bits, so
  // "OMGVMCID | 1" (see X509AttributeCertChain below) evaluates to
  // 0x4F4D1, which does not place the VMCID in the high-order 20 bits as
  // the AuthorizationElementType comment describes.  This is a wire
  // value shared with every other CSIv2 implementation -- confirm against
  // the published spec and CORBA::OMGVMCID before touching it.
  const unsigned long OMGVMCID = 0x4F4D0;

  // An X509CertificateChain contains an ASN.1 BER encoded SEQUENCE
  // [1..MAX] OF X.509 certificates encapsulated in a sequence of octets. The
  // subject's certificate shall come first in the list. Each following
  // certificate shall directly certify the one preceding it. The ASN.1
  // representation of Certificate is as defined in [IETF RFC 2459].
  //
  // The IDL type is an opaque octet sequence: ordering, signatures,
  // validity periods and trust-anchor membership are NOT enforced by
  // marshalling.  The receiver must parse and path-validate the chain
  // before deriving any identity from it.
  typedef sequence <octet> X509CertificateChain;

  // an X.501 type name or Distinguished Name encapsulated in a sequence of
  // octets containing the ASN.1 encoding.
  typedef sequence <octet> X501DistinguishedName;

  // UTF-8 Encoding of String
  typedef sequence <octet> UTF8String;

  // ASN.1 Encoding of an OBJECT IDENTIFIER
  typedef sequence <octet> OID;
  typedef sequence <OID> OIDList;

  // A sequence of octets containing a GSStoken. Initial context tokens are
  // ASN.1 encoded as defined in [IETF RFC 2743] Section 3.1,
  // "Mechanism-Independent token Format", pp. 81-82. Initial context tokens
  // contain an ASN.1 tag followed by a token length, a mechanism identifier,
  // and a mechanism-specific token (i.e. a GSSUP::InitialContextToken). The
  // encoding of all other GSS tokens (e.g. error tokens and final context
  // tokens) is mechanism dependent.
  //
  // Opaque at this layer; the mechanism identified inside the token is
  // what authenticates the bytes, so a receiver should hand the token to
  // the corresponding GSS mechanism rather than interpret it directly.
  typedef sequence <octet> GSSToken;

  // An encoding of a GSS Mechanism-Independent Exported Name Object as
  // defined in [IETF RFC 2743] Section 3.2, "GSS Mechanism-Independent
  // Exported Name Object Format," p. 84.
  typedef sequence <octet> GSS_NT_ExportedName;
  typedef sequence <GSS_NT_ExportedName> GSS_NT_ExportedNameList;

  // The MsgType enumeration defines the complete set of service context
  // message types used by the CSI context management protocols, including
  // those message types pertaining only to the stateful application of the
  // protocols (to insure proper alignment of the identifiers between
  // stateless and stateful implementations). Specifically, the
  // MTMessageInContext is not sent by stateless clients (although it may
  // be received by stateless targets).
  //
  // Note that MsgType is a plain "short", not an IDL enum, so any value
  // can arrive on the wire; values 2 and 3 are not assigned in this file.
  typedef short MsgType;

  const MsgType MTEstablishContext = 0;
  const MsgType MTCompleteEstablishContext = 1;
  const MsgType MTContextError = 4;
  const MsgType MTMessageInContext = 5;

  // The ContextId type is used carry session identifiers. A stateless
  // application of the service context protocol is indicated by a session
  // identifier value of 0.
  typedef unsigned long long ContextId;

  // The AuthorizationElementType defines the contents and encoding of
  // the_element field of the AuthorizationElement.
  // The high order 20-bits of each AuthorizationElementType constant
  // shall contain the Vendor Minor Codeset ID (VMCID) of the
  // organization that defined the element type. The low order 12 bits
  // shall contain the organization-scoped element type identifier. The
  // high-order 20 bits of all element types defined by the OMG shall
  // contain the VMCID allocated to the OMG (that is, 0x4F4D0).
  typedef unsigned long AuthorizationElementType;

  // An AuthorizationElementType of X509AttributeCertChain indicates
  // that the_element field of the AuthorizationElement contains an
  // ASN.1 BER SEQUENCE composed of an (X.509) AttributeCertificate
  // followed by a SEQUENCE OF (X.509) Certificate. The two-part
  // SEQUENCE is encapsulated in an octet stream. The chain of
  // identity certificates is provided to certify the attribute
  // certificate. Each certificate in the chain shall directly certify
  // the one preceding it. The first certificate in the chain shall
  // certify the attribute certificate. The ASN.1 representation of
  // (X.509) Certificate is as defined in [IETF RFC 2459]. The ASN.1
  // representation of (X.509) AttributeCertificate is as defined in
  // [IETF ID PKIXAC].
  //
  // Only element type defined by the OMG in this file.  Elements of any
  // other type are vendor-defined and a receiver that does not recognise
  // the_type has no way to interpret the_element.
  const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1;

  // Opaque, encoding determined by the accompanying the_type.
  typedef sequence <octet> AuthorizationElementContents;

  // The AuthorizationElement contains one element of an authorization token.
  // Each element of an authorization token is logically a PAC.
  // (PAC: privilege attribute certificate.  The element asserts
  // privileges on behalf of the identity; it is not itself proof of that
  // identity, which comes from the IdentityToken / GSSToken fields of
  // EstablishContext below.)
  struct AuthorizationElement {
    AuthorizationElementType the_type;
    AuthorizationElementContents the_element;
  };

  // The AuthorizationToken is made up of a sequence of
  // AuthorizationElements
  typedef sequence <AuthorizationElement> AuthorizationToken;
  // Discriminator for IdentityToken; plain unsigned long, not an enum, so
  // unlisted values are legal on the wire and select the union default.
  typedef unsigned long IdentityTokenType;

  // Additional standard identity token types shall only be defined by the
  // OMG. All IdentityTokenType constants shall be a power of 2.
  // (Power-of-2 values let a target advertise the set of types it accepts
  // as a bit mask.)
  const IdentityTokenType ITTAbsent = 0;
  const IdentityTokenType ITTAnonymous = 1;
  const IdentityTokenType ITTPrincipalName = 2;
  const IdentityTokenType ITTX509CertChain = 4;
  const IdentityTokenType ITTDistinguishedName = 8;

  // Payload for identity token types not enumerated above.
  typedef sequence <octet> IdentityExtension;

  // Asserted (possibly delegated) identity carried in EstablishContext.
  // The "absent"/"anonymous" arms carry no usable identity; the "default"
  // arm carries a type this file does not define, so a receiver that does
  // not understand the discriminator cannot establish who the caller is
  // and should not treat the context as identified.
  union IdentityToken switch ( IdentityTokenType ) {
    case ITTAbsent: boolean absent;
    case ITTAnonymous: boolean anonymous;
    case ITTPrincipalName: GSS_NT_ExportedName principal_name;
    case ITTX509CertChain: X509CertificateChain certificate_chain;
    case ITTDistinguishedName: X501DistinguishedName dn;
    default: IdentityExtension id;
  };

  // Client -> target: opens a security context.  Any of the three token
  // fields may be empty sequences (IdentityToken may be ITTAbsent); the
  // target decides which combination it accepts.
  struct EstablishContext {
    // 0 for stateless use (see ContextId); otherwise a client-chosen
    // session identifier echoed back in the reply messages.
    ContextId client_context_id;
    AuthorizationToken authorization_token;
    IdentityToken identity_token;
    // Client authentication evidence, e.g. a GSSUP::InitialContextToken
    // wrapped as described at GSSToken.
    GSSToken client_authentication_token;
  };

  // Target -> client: context was accepted.
  struct CompleteEstablishContext {
    ContextId client_context_id;
    // true if the target retained state for client_context_id and will
    // accept MessageInContext referring to it.
    boolean context_stateful;
    // Mechanism-dependent final token; may be empty.
    GSSToken final_context_token;
  };

  // Target -> client: context establishment (or a MessageInContext) was
  // rejected.
  struct ContextError {
    ContextId client_context_id;
    // NOTE(review): presumably GSS-API major/minor status codes as in
    // RFC 2743 -- the mapping is not stated in this file, confirm against
    // the CSIv2 spec before relying on specific values.
    long major_status;
    long minor_status;
    GSSToken error_token;
  };

  // Not sent by stateless clients. If received by a stateless server, a
  // ContextError message should be returned, indicating the session does
  // not exist.
  struct MessageInContext {
    ContextId client_context_id;
    // true asks the target to drop the session after this request.
    boolean discard_context;
  };

  // Body of a SecurityAttributeService service context.  There is no
  // default arm: a MsgType value other than the four listed selects no
  // member, so demarshalling code must handle that case explicitly.
  union SASContextBody switch ( MsgType ) {
    case MTEstablishContext: EstablishContext establish_msg;
    case MTCompleteEstablishContext: CompleteEstablishContext
                                     complete_msg;
    case MTContextError: ContextError error_msg;
    case MTMessageInContext: MessageInContext in_context_msg;
  };

  // The following type represents the string representation of an ASN.1
  // OBJECT IDENTIFIER (OID). OIDs are represented by the string "oid:"
  // followed by the integer base 10 representation of the OID separated
  // by dots. For example, the OID corresponding to the OMG is represented
  // as: "oid:2.23.130"
  typedef string StringOID;

  // The GSS Object Identifier for the KRB5 mechanism is:
  // { iso(1) member-body(2) United States(840) mit(113554) infosys(1)
  // gssapi(2) krb5(2) }
  const StringOID KRB5MechOID = "oid:1.2.840.113554.1.2.2";

  // The GSS Object Identifier for name objects of the Mechanism-independent
  // Exported Name Object type is:
  // { iso(1) org(3) dod(6) internet(1) security(5) nametypes(6)
  // gss-api-exported-name(4) }
  const StringOID GSS_NT_Export_Name_OID = "oid:1.3.6.1.5.6.4";

  // The GSS Object Identifier for the scoped-username name form is:
  // { iso-itu-t (2) international-organization (23) omg (130) security (1)
  // naming (2) scoped-username(1) }
  const StringOID GSS_NT_Scoped_Username_OID = "oid:2.23.130.1.2.1";

}; // CSI

#endif