#ifndef _CSI_IDL_ | |
#define _CSI_IDL_ | |
#pragma prefix "omg.org" | |
#include <IOP.idl> | |
module IOP { | |
const ServiceId SecurityAttributeService = 15; | |
}; | |
module CSI { | |
// The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever. | |
const unsigned long OMGVMCID = 0x4F4D0; | |
// An X509CertificateChain contains an ASN.1 BER encoded SEQUENCE | |
// [1..MAX] OF X.509 certificates encapsulated in a sequence of octets. The | |
// subject's certificate shall come first in the list. Each following | |
// certificate shall directly certify the one preceding it. The ASN.1 | |
// representation of Certificate is as defined in [IETF RFC 2459]. | |
typedef sequence <octet> X509CertificateChain; | |
// an X.501 type name or Distinguished Name encapsulated in a sequence of | |
// octets containing the ASN.1 encoding. | |
typedef sequence <octet> X501DistinguishedName; | |
// UTF-8 Encoding of String | |
typedef sequence <octet> UTF8String; | |
// ASN.1 Encoding of an OBJECT IDENTIFIER | |
typedef sequence <octet> OID; | |
typedef sequence <OID> OIDList; | |
// A sequence of octets containing a GSStoken. Initial context tokens are | |
// ASN.1 encoded as defined in [IETF RFC 2743] Section 3.1, | |
// "Mechanism-Independent token Format", pp. 81-82. Initial context tokens | |
// contain an ASN.1 tag followed by a token length, a mechanism identifier, | |
// and a mechanism-specific token (i.e. a GSSUP::InitialContextToken). The | |
// encoding of all other GSS tokens (e.g. error tokens and final context | |
// tokens) is mechanism dependent. | |
typedef sequence <octet> GSSToken; | |
// An encoding of a GSS Mechanism-Independent Exported Name Object as | |
// defined in [IETF RFC 2743] Section 3.2, "GSS Mechanism-Independent | |
// Exported Name Object Format," p. 84. | |
typedef sequence <octet> GSS_NT_ExportedName; | |
typedef sequence <GSS_NT_ExportedName> GSS_NT_ExportedNameList; | |
// The MsgType enumeration defines the complete set of service context | |
// message types used by the CSI context management protocols, including | |
// those message types pertaining only to the stateful application of the | |
// protocols (to insure proper alignment of the identifiers between | |
// stateless and stateful implementations). Specifically, the | |
// MTMessageInContext is not sent by stateless clients (although it may | |
// be received by stateless targets). | |
typedef short MsgType; | |
const MsgType MTEstablishContext = 0; | |
const MsgType MTCompleteEstablishContext = 1; | |
const MsgType MTContextError = 4; | |
const MsgType MTMessageInContext = 5; | |
// The ContextId type is used carry session identifiers. A stateless | |
// application of the service context protocol is indicated by a session | |
// identifier value of 0. | |
typedef unsigned long long ContextId; | |
// The AuthorizationElementType defines the contents and encoding of | |
// the_element field of the AuthorizationElement. | |
// The high order 20-bits of each AuthorizationElementType constant | |
// shall contain the Vendor Minor Codeset ID (VMCID) of the | |
// organization that defined the element type. The low order 12 bits | |
// shall contain the organization-scoped element type identifier. The | |
// high-order 20 bits of all element types defined by the OMG shall | |
// contain the VMCID allocated to the OMG (that is, 0x4F4D0). | |
typedef unsigned long AuthorizationElementType; | |
// An AuthorizationElementType of X509AttributeCertChain indicates that | |
// the_element field of the AuthorizationElement contains an ASN.1 BER | |
// SEQUENCE composed of an (X.509) AttributeCertificate followed by a | |
// SEQUENCE OF (X.509) Certificate. The two-part SEQUENCE is encapsulated | |
// in an octet stream. The chain of identity certificates is provided | |
// to certify the attribute certificate. Each certificate in the chain | |
// shall directly certify the one preceding it. The first certificate | |
// in the chain shall certify the attribute certificate. The ASN.1 | |
// representation of (X.509) Certificate is as defined in [IETF RFC 2459]. | |
// The ASN.1 representation of (X.509) AtributeCertificate is as defined | |
// in [IETF ID PKIXAC]. | |
const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1; | |
typedef sequence <octet> AuthorizationElementContents; | |
// The AuthorizationElement contains one element of an authorization token. | |
// Each element of an authorization token is logically a PAC. | |
struct AuthorizationElement { | |
AuthorizationElementType the_type; | |
AuthorizationElementContents the_element; | |
}; | |
// The AuthorizationToken is made up of a sequence of | |
// AuthorizationElements | |
typedef sequence <AuthorizationElement> AuthorizationToken; | |
typedef unsigned long IdentityTokenType; | |
// Additional standard identity token types shall only be defined by the | |
// OMG. All IdentityTokenType constants shall be a power of 2. | |
const IdentityTokenType ITTAbsent = 0; | |
const IdentityTokenType ITTAnonymous = 1; | |
const IdentityTokenType ITTPrincipalName = 2; | |
const IdentityTokenType ITTX509CertChain = 4; | |
const IdentityTokenType ITTDistinguishedName = 8; | |
typedef sequence <octet> IdentityExtension; | |
union IdentityToken switch ( IdentityTokenType ) { | |
case ITTAbsent: boolean absent; | |
case ITTAnonymous: boolean anonymous; | |
case ITTPrincipalName: GSS_NT_ExportedName principal_name; | |
case ITTX509CertChain: X509CertificateChain certificate_chain; | |
case ITTDistinguishedName: X501DistinguishedName dn; | |
default: IdentityExtension id; | |
}; | |
struct EstablishContext { | |
ContextId client_context_id; | |
AuthorizationToken authorization_token; | |
IdentityToken identity_token; | |
GSSToken client_authentication_token; | |
}; | |
struct CompleteEstablishContext { | |
ContextId client_context_id; | |
boolean context_stateful; | |
GSSToken final_context_token; | |
}; | |
struct ContextError { | |
ContextId client_context_id; | |
long major_status; | |
long minor_status; | |
GSSToken error_token; | |
}; | |
// Not sent by stateless clients. If received by a stateless server, a | |
// ContextError message should be returned, indicating the session does | |
// not exist. | |
struct MessageInContext { | |
ContextId client_context_id; | |
boolean discard_context; | |
}; | |
union SASContextBody switch ( MsgType ) { | |
case MTEstablishContext: EstablishContext establish_msg; | |
case MTCompleteEstablishContext: CompleteEstablishContext | |
complete_msg; | |
case MTContextError: ContextError error_msg; | |
case MTMessageInContext: MessageInContext in_context_msg; | |
}; | |
// The following type represents the string representation of an ASN.1 | |
// OBJECT IDENTIFIER (OID). OIDs are represented by the string "oid:" | |
// followed by the integer base 10 representation of the OID separated | |
// by dots. For example, the OID corresponding to the OMG is represented | |
// as: "oid:2.23.130" | |
typedef string StringOID; | |
// The GSS Object Identifier for the KRB5 mechanism is: | |
// { iso(1) member-body(2) United States(840) mit(113554) infosys(1) | |
// gssapi(2) krb5(2) } | |
const StringOID KRB5MechOID = "oid:1.2.840.113554.1.2.2"; | |
// The GSS Object Identifier for name objects of the Mechanism-independent | |
// Exported Name Object type is: | |
// { iso(1) org(3) dod(6) internet(1) security(5) nametypes(6) | |
// gss-api-exported-name(4) } | |
const StringOID GSS_NT_Export_Name_OID = "oid:1.3.6.1.5.6.4"; | |
// The GSS Object Identifier for the scoped-username name form is: | |
// { iso-itu-t (2) international-organization (23) omg (130) security (1) | |
// naming (2) scoped-username(1) } | |
const StringOID GSS_NT_Scoped_Username_OID = "oid:2.23.130.1.2.1"; | |
}; // CSI | |
#endif |