#ifndef _CSI_IDL_
#define _CSI_IDL_

#pragma prefix "omg.org"

// CSI (Common Secure Interoperability) service context types.
//
// Everything declared here is wire format: constants, typedefs, structs
// and unions that are marshalled into a GIOP service context. Every
// "encoded" type below is an opaque sequence <octet> whose internal
// structure is fixed only by the referenced ASN.1 / RFC definition; the IDL
// itself constrains neither length nor content, so the code that decodes
// these octets is where length and structure validation has to happen.

module CSI
{
    // The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever.

    const unsigned long OMGVMCID = 0x4F4D0;

    // An X509CertificateChain contains an ASN.1 BER encoded SEQUENCE
    // [1..MAX] OF X.509 certificates encapsulated in a sequence of octets. The
    // subject's certificate shall come first in the list. Each following
    // certificate shall directly certify the one preceding it. The ASN.1
    // representation of Certificate is as defined in [IETF RFC 2459].
    //
    // The type carries bytes only: the ordering rule above and the validity
    // of each certificate are not enforced by marshalling and must be checked
    // by the receiver.

    typedef sequence <octet> X509CertificateChain;

    // An X.501 type name or Distinguished Name encapsulated in a sequence of
    // octets containing the ASN.1 encoding.

    typedef sequence <octet> X501DistinguishedName;

    // UTF-8 encoding of a string (no NUL terminator is implied).

    typedef sequence <octet> UTF8String;

    // ASN.1 encoding of an OBJECT IDENTIFIER.

    typedef sequence <octet> OID;

    typedef sequence <OID> OIDList;

    // A sequence of octets containing a GSS token. Initial context tokens are
    // ASN.1 encoded as defined in [IETF RFC 2743] Section 3.1,
    // "Mechanism-Independent token Format", pp. 81-82. Initial context tokens
    // contain an ASN.1 tag followed by a token length, a mechanism identifier,
    // and a mechanism-specific token (i.e. a GSSUP::InitialContextToken). The
    // encoding of all other GSS tokens (e.g. error tokens and final context
    // tokens) is mechanism dependent.

    typedef sequence <octet> GSSToken;

    // An encoding of a GSS Mechanism-Independent Exported Name Object as
    // defined in [IETF RFC 2743] Section 3.2, "GSS Mechanism-Independent
    // Exported Name Object Format," p. 84.

    typedef sequence <octet> GSS_NT_ExportedName;

    typedef sequence <GSS_NT_ExportedName> GSS_NT_ExportedNameList;

    // The MsgType enumeration defines the complete set of service context
    // message types used by the CSI context management protocols, including
    // those message types pertaining only to the stateful application of the
    // protocols (to ensure proper alignment of the identifiers between
    // stateless and stateful implementations). Specifically, the
    // MTMessageInContext is not sent by stateless clients (although it may
    // be received by stateless targets).
    //
    // MsgType is a plain short, not an IDL enum: values 2 and 3 are
    // deliberately unassigned here, and any value outside the four constants
    // below has no branch in SASContextBody (see that union).

    typedef short MsgType;

    const MsgType MTEstablishContext = 0;
    const MsgType MTCompleteEstablishContext = 1;
    const MsgType MTContextError = 4;
    const MsgType MTMessageInContext = 5;

    // The ContextId type is used to carry session identifiers. A stateless
    // application of the service context protocol is indicated by a session
    // identifier value of 0.

    typedef unsigned long long ContextId;

    // The AuthorizationElementType defines the contents and encoding of
    // the_element field of the AuthorizationElement.

    // The high order 20-bits of each AuthorizationElementType constant
    // shall contain the Vendor Minor Codeset ID (VMCID) of the
    // organization that defined the element type. The low order 12 bits
    // shall contain the organization-scoped element type identifier. The
    // high-order 20 bits of all element types defined by the OMG shall
    // contain the VMCID allocated to the OMG (that is, 0x4F4D0).

    typedef unsigned long AuthorizationElementType;

    // An AuthorizationElementType of X509AttributeCertChain indicates that
    // the_element field of the AuthorizationElement contains an ASN.1 BER
    // SEQUENCE composed of an (X.509) AttributeCertificate followed by a
    // SEQUENCE OF (X.509) Certificate. The two-part SEQUENCE is encapsulated
    // in an octet stream. The chain of identity certificates is provided
    // to certify the attribute certificate. Each certificate in the chain
    // shall directly certify the one preceding it. The first certificate
    // in the chain shall certify the attribute certificate. The ASN.1
    // representation of (X.509) Certificate is as defined in [IETF RFC 2459].
    // The ASN.1 representation of (X.509) AttributeCertificate is as defined
    // in [IETF ID PKIXAC].

    // OMGVMCID already occupies the high-order 20 bits, so OR-ing in the
    // low-order element id yields a value conforming to the layout above.
    const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1;

    typedef sequence <octet> AuthorizationElementContents;

    // The AuthorizationElement contains one element of an authorization token.
    // Each element of an authorization token is logically a PAC.
    // the_type selects how the_element is to be decoded; an unrecognised
    // the_type leaves the_element as uninterpretable bytes.

    struct AuthorizationElement
    {
        AuthorizationElementType the_type;
        AuthorizationElementContents the_element;
    };

    // The AuthorizationToken is made up of a sequence of
    // AuthorizationElements.

    typedef sequence <AuthorizationElement> AuthorizationToken;

    typedef unsigned long IdentityTokenType;

    // Additional standard identity token types shall only be defined by the
    // OMG. All IdentityTokenType constants shall be a power of 2.
    // (ITTAbsent is 0; the power-of-2 rule makes the remaining types usable
    // as bit flags in a mask.)

    const IdentityTokenType ITTAbsent = 0;
    const IdentityTokenType ITTAnonymous = 1;
    const IdentityTokenType ITTPrincipalName = 2;
    const IdentityTokenType ITTX509CertChain = 4;
    const IdentityTokenType ITTDistinguishedName = 8;

    typedef sequence <octet> IdentityExtension;

    // The identity a sender asserts on behalf of the caller. The union is
    // discriminated by IdentityTokenType; any discriminator value not listed
    // falls into the default branch and is delivered as opaque octets, so a
    // receiver that does not understand the type cannot interpret it and
    // should not treat it as an established identity.

    union IdentityToken switch (IdentityTokenType)
    {
        case ITTAbsent: boolean absent;
        case ITTAnonymous: boolean anonymous;
        case ITTPrincipalName: GSS_NT_ExportedName principal_name;
        case ITTX509CertChain: X509CertificateChain certificate_chain;
        case ITTDistinguishedName: X501DistinguishedName dn;
        default: IdentityExtension id;
    };

    // First message of a context: carries the client's proposed session id,
    // its authorization (PAC) elements, an asserted identity, and a GSS
    // initial context token.
    //
    // identity_token is an assertion made by the sender; nothing in this
    // structure proves it. NOTE(review): whether the target may accept that
    // assertion is a target-side policy decision that should rest on the
    // authentication actually performed (client_authentication_token and/or
    // the transport layer) — confirm against the deployment's trust policy.

    struct EstablishContext
    {
        ContextId client_context_id;
        AuthorizationToken authorization_token;
        IdentityToken identity_token;
        GSSToken client_authentication_token;
    };

    // Target's positive reply to EstablishContext. context_stateful reports
    // whether the target retained the session; final_context_token carries
    // the mechanism-dependent final GSS token, if any.

    struct CompleteEstablishContext
    {
        ContextId client_context_id;
        boolean context_stateful;
        GSSToken final_context_token;
    };

    // Target's negative reply. NOTE(review): major_status / minor_status
    // are presumably GSS-API major and minor status codes — confirm against
    // the CSIv2 specification before relying on specific values.

    struct ContextError
    {
        ContextId client_context_id;
        long major_status;
        long minor_status;
        GSSToken error_token;
    };

    // Not sent by stateless clients. If received by a stateless server, a
    // ContextError message should be returned, indicating the session does
    // not exist.

    struct MessageInContext
    {
        ContextId client_context_id;
        boolean discard_context;
    };

    // The body of a CSI service context. There is no default branch: a
    // MsgType value other than the four cases below has no member, so a
    // received context with such a discriminator cannot be unmarshalled as a
    // valid SASContextBody and must be rejected rather than guessed at.

    union SASContextBody switch (MsgType)
    {
        case MTEstablishContext: EstablishContext establish_msg;
        case MTCompleteEstablishContext: CompleteEstablishContext complete_msg;
        case MTContextError: ContextError error_msg;
        case MTMessageInContext: MessageInContext in_context_msg;
    };

    // The following type represents the string representation of an ASN.1
    // OBJECT IDENTIFIER (OID). OIDs are represented by the string "oid:"
    // followed by the integer base 10 representation of the OID separated
    // by dots. For example, the OID corresponding to the OMG is represented
    // as: "oid:2.23.130"

    typedef string StringOID;

    // The GSS Object Identifier for the KRB5 mechanism is:
    // { iso(1) member-body(2) United States(840) mit(113554) infosys(1)
    //   gssapi(2) krb5(2) }

    const StringOID KRB5MechOID = "oid:1.2.840.113554.1.2.2";

    // The GSS Object Identifier for name objects of the Mechanism-independent
    // Exported Name Object type is:
    // { iso(1) org(3) dod(6) internet(1) security(5) nametypes(6)
    //   gss-api-exported-name(4) }

    const StringOID GSS_NT_Export_Name_OID = "oid:1.3.6.1.5.6.4";

    // The GSS Object Identifier for the scoped-username name form is:
    // { iso-itu-t (2) international-organization (23) omg (130) security (1)
    //   naming (2) scoped-username(1) }

    const StringOID GSS_NT_Scoped_Username_OID = "oid:2.23.130.1.2.1";

}; // CSI

#endif