-- Module SpkmGssTokens (RFC 2025:10/1996)
SpkmGssTokens {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) spkm(1) spkmGssTokens(10)}
-- Copyright (C) The Internet Society (1996). This version of
-- this ASN.1 module is part of RFC 2025;
-- see the RFC itself for full legal notices.
DEFINITIONS IMPLICIT TAGS ::=
FROM InformationFramework {joint-iso-itu-t(2) ds(5) module(1)
informationFramework(1) 3}
Certificate, CertificateList, CertificatePair, AlgorithmIdentifier, Validity
FROM AuthenticationFramework {joint-iso-itu-t(2) ds(5) module(1)
authenticationFramework(7) 3};
SPKM-REQ ::= SEQUENCE {
requestToken REQ-TOKEN,
certif-data [0] CertificationData OPTIONAL,
auth-data [1] AuthorizationData OPTIONAL
CertificationData ::= SEQUENCE {
certificationPath [0] CertificationPath OPTIONAL,
certificateRevocationList [1] CertificateList OPTIONAL
} -- at least one of the above shall be present (this constraint is not expressed by the ASN.1 type itself; a decoder must check it)
CertificationPath ::= SEQUENCE {
userKeyId [0] OCTET STRING OPTIONAL,
userCertif [1] Certificate OPTIONAL,
verifKeyId [2] OCTET STRING OPTIONAL,
userVerifCertif [3] Certificate OPTIONAL,
theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL
} -- Presence of [2] or [3] implies that [0] or [1] must also be
-- present. Presence of [4] implies that at least one of [0], [1],
-- [2], and [3] must also be present.
REQ-TOKEN ::= SEQUENCE {
req-contents Req-contents,
algId AlgorithmIdentifier,
req-integrity Integrity -- "token" is Req-contents
Integrity ::= BIT STRING
-- If corresponding algId specifies a signing algorithm,
-- "Integrity" holds the result of applying the signing procedure
-- specified in algId to the BER-encoded octet string which results
-- from applying the hashing procedure (also specified in algId) to
-- the DER-encoded octets of "token".
-- Alternatively, if corresponding algId specifies a MACing
-- algorithm, "Integrity" holds the result of applying the MACing
-- procedure specified in algId to the DER-encoded octets of
Req-contents ::= SEQUENCE {
tok-id INTEGER(256), -- shall contain 0100 (hex)
context-id Random-Integer,
timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
randSrc Random-Integer,
src-name [0] Name OPTIONAL,
req-data Context-Data,
validity [1] Validity OPTIONAL,
key-estb-set Key-Estb-Algs,
key-estb-req BIT STRING OPTIONAL,
key-src-bind OCTET STRING OPTIONAL
-- This field must be present for the case of SPKM-2
-- unilateral authen. if the K-ALG in use does not provide
-- such a binding (but is optional for all other cases).
-- The octet string holds the result of applying the
-- mandatory hashing procedure (in MANDATORY I-ALG;
-- see Section 2.1) as follows: MD5(src || context_key),
-- where "src" is the DER-encoded octets of src-name,
-- "context_key" is the symmetric key (i.e., the
-- unprotected version of what is transmitted in
-- key-estb-req), and "||" is the concatenation operation.
Random-Integer ::= BIT STRING
Context-Data ::= SEQUENCE {
channelId ChannelId OPTIONAL,
seq-number INTEGER OPTIONAL,
ChannelId ::= OCTET STRING
Options ::= BIT STRING {
delegation-state(0), mutual-state(1), replay-det-state(2), sequence-state(3),
conf-avail(4), integ-avail(5), target-certif-data-required(6)}
Conf-Algs ::= CHOICE {
algs [0] SEQUENCE OF AlgorithmIdentifier,
Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier
OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier
Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier
SPKM-REP-TI ::= SEQUENCE {
responseToken REP-TI-TOKEN,
certif-data CertificationData OPTIONAL
-- present if target-certif-data-required option was
} -- set to TRUE in SPKM-REQ
REP-TI-TOKEN ::= SEQUENCE {
rep-ti-contents Rep-ti-contents,
algId AlgorithmIdentifier,
rep-ti-integ Integrity -- "token" is Rep-ti-contents
Rep-ti-contents ::= SEQUENCE {
tok-id INTEGER(512), -- shall contain 0200 (hex)
context-id Random-Integer,
pvno [0] BIT STRING OPTIONAL,
timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
randTarg Random-Integer,
src-name [1] Name OPTIONAL,
randSrc Random-Integer,
rep-data Context-Data,
validity [2] Validity OPTIONAL,
key-estb-id AlgorithmIdentifier OPTIONAL,
key-estb-str BIT STRING OPTIONAL
SPKM-REP-IT ::= SEQUENCE {
responseToken REP-IT-TOKEN,
algId AlgorithmIdentifier,
rep-it-integ Integrity -- "token" is REP-IT-TOKEN
REP-IT-TOKEN ::= SEQUENCE {
tok-id INTEGER(768), -- shall contain 0300 (hex)
context-id Random-Integer,
randSrc Random-Integer,
randTarg Random-Integer,
src-name Name OPTIONAL,
key-estb-rep BIT STRING OPTIONAL
SPKM-ERROR ::= SEQUENCE {
errorToken ERROR-TOKEN,
algId AlgorithmIdentifier,
integrity Integrity -- "token" is ERROR-TOKEN
ERROR-TOKEN ::= SEQUENCE {
tok-id INTEGER(1024), -- shall contain 0400 (hex)
context-id Random-Integer
SPKM-MIC ::= SEQUENCE {mic-header Mic-Header,
Mic-Header ::= SEQUENCE {
tok-id INTEGER(257), -- shall contain 0101 (hex)
context-id Random-Integer,
int-alg [0] AlgorithmIdentifier OPTIONAL,
snd-seq [1] SeqNum OPTIONAL
SeqNum ::= SEQUENCE {num INTEGER,
SPKM-WRAP ::= SEQUENCE {wrap-header Wrap-Header,
Wrap-Header ::= SEQUENCE {
tok-id INTEGER(513), -- shall contain 0201 (hex)
context-id Random-Integer,
int-alg [0] AlgorithmIdentifier OPTIONAL,
conf-alg [1] Conf-Alg OPTIONAL,
snd-seq [2] SeqNum OPTIONAL
Wrap-Body ::= SEQUENCE {int-cksum BIT STRING,
Conf-Alg ::= CHOICE {algId [0] AlgorithmIdentifier,
SPKM-DEL ::= SEQUENCE {del-header Del-Header,
Del-Header ::= SEQUENCE {
tok-id INTEGER(769), -- shall contain 0301 (hex)
context-id Random-Integer,
int-alg [0] AlgorithmIdentifier OPTIONAL,
snd-seq [1] SeqNum OPTIONAL
MechType ::= OBJECT IDENTIFIER
InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
innerContextToken SPKMInnerContextToken
} -- when thisMech is SPKM-1 or SPKM-2
SPKMInnerContextToken ::= CHOICE {
rep-ti [1] SPKM-REP-TI,
rep-it [2] SPKM-REP-IT,
error [3] SPKM-ERROR,
AuthorizationData ::=
SEQUENCE OF SEQUENCE {ad-type INTEGER,
ad-data OCTET STRING}
-- object identifier assignments
md5-DES-CBC OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
integrity(3) md5-DES-CBC(1)}
sum64-DES-CBC OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
integrity(3) sum64-DES-CBC(2)}
spkm-1 OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) spkm(1) spkm-1(1)}
spkm-2 OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) spkm(1) spkm-2(2)}
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D