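/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

#ifndef _CSI_IDL_
#define _CSI_IDL_

#pragma prefix "omg.org"

// CSI: wire-format type declarations for the Common Secure Interoperability
// (CSIv2) security service context. This module holds declarations only
// (typedefs, constants, structs, unions); it defines no operations.
//
// Every sequence element type below (octet, OID, GSS_NT_ExportedName,
// AuthorizationElement) is taken from the accompanying comments, which
// describe each type as "a sequence of octets" or as a list of the named
// element type; the angle-bracketed element types had been lost in an
// earlier copy of this file and are restored here.
module CSI {

    // The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever.
    const unsigned long OMGVMCID = 0x4F4D0;

    // An X509CertificateChain contains an ASN.1 BER encoded SEQUENCE
    // [1..MAX] OF X.509 certificates encapsulated in a sequence of octets.
    // The subject's certificate shall come first in the list. Each following
    // certificate shall directly certify the one preceding it. The ASN.1
    // representation of Certificate is as defined in [IETF RFC 2459].
    //
    // NOTE(review): the ordering and "directly certify" properties are
    // promises made by the sender; a receiver that relies on the chain is
    // expected to verify it (signatures, validity, trust anchor) rather than
    // trust the order as received.
    typedef sequence <octet> X509CertificateChain;

    // An X.501 type name or Distinguished Name encapsulated in a sequence of
    // octets containing the ASN.1 encoding.
    typedef sequence <octet> X501DistinguishedName;

    // UTF-8 Encoding of String
    typedef sequence <octet> UTF8String;

    // ASN.1 Encoding of an OBJECT IDENTIFIER
    typedef sequence <octet> OID;
    typedef sequence <OID> OIDList;

    // A sequence of octets containing a GSStoken. Initial context tokens are
    // ASN.1 encoded as defined in [IETF RFC 2743] Section 3.1,
    // "Mechanism-Independent token Format", pp. 81-82. Initial context tokens
    // contain an ASN.1 tag followed by a token length, a mechanism identifier,
    // and a mechanism-specific token (i.e. a GSSUP::InitialContextToken). The
    // encoding of all other GSS tokens (e.g. error tokens and final context
    // tokens) is mechanism dependent.
    typedef sequence <octet> GSSToken;

    // An encoding of a GSS Mechanism-Independent Exported Name Object as
    // defined in [IETF RFC 2743] Section 3.2, "GSS Mechanism-Independent
    // Exported Name Object Format," p. 84.
    typedef sequence <octet> GSS_NT_ExportedName;
    typedef sequence <GSS_NT_ExportedName> GSS_NT_ExportedNameList;

    // The MsgType enumeration defines the complete set of service context
    // message types used by the CSI context management protocols, including
    // those message types pertaining only to the stateful application of the
    // protocols (to ensure proper alignment of the identifiers between
    // stateless and stateful implementations). Specifically, the
    // MTMessageInContext is not sent by stateless clients (although it may
    // be received by stateless targets).
    //
    // The values are not contiguous (2 and 3 are unused); a decoder switching
    // on MsgType needs a default branch for values outside this set.
    typedef short MsgType;
    const MsgType MTEstablishContext         = 0;
    const MsgType MTCompleteEstablishContext = 1;
    const MsgType MTContextError             = 4;
    const MsgType MTMessageInContext         = 5;

    // The ContextId type is used to carry session identifiers. A stateless
    // application of the service context protocol is indicated by a session
    // identifier value of 0.
    typedef unsigned long long ContextId;

    // The AuthorizationElementType defines the contents and encoding of
    // the_element field of the AuthorizationElement.
    // The high order 20-bits of each AuthorizationElementType constant
    // shall contain the Vendor Minor Codeset ID (VMCID) of the
    // organization that defined the element type. The low order 12 bits
    // shall contain the organization-scoped element type identifier. The
    // high-order 20 bits of all element types defined by the OMG shall
    // contain the VMCID allocated to the OMG (that is, 0x4F4D0).
    typedef unsigned long AuthorizationElementType;

    // An AuthorizationElementType of X509AttributeCertChain indicates that
    // the_element field of the AuthorizationElement contains an ASN.1 BER
    // SEQUENCE composed of an (X.509) AttributeCertificate followed by a
    // SEQUENCE OF (X.509) Certificate. The two-part SEQUENCE is encapsulated
    // in an octet stream. The chain of identity certificates is provided
    // to certify the attribute certificate. Each certificate in the chain
    // shall directly certify the one preceding it. The first certificate
    // in the chain shall certify the attribute certificate. The ASN.1
    // representation of (X.509) Certificate is as defined in [IETF RFC 2459].
    // The ASN.1 representation of (X.509) AttributeCertificate is as defined
    // in [IETF ID PKIXAC].
    //
    // OMGVMCID occupies the high-order 20 bits; "| 1" is the OMG-scoped
    // element type identifier in the low-order 12 bits.
    const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1;

    typedef sequence <octet> AuthorizationElementContents;

    // The AuthorizationElement contains one element of an authorization token.
    // Each element of an authorization token is logically a PAC.
    struct AuthorizationElement {
        AuthorizationElementType     the_type;
        AuthorizationElementContents the_element;
    };

    // The AuthorizationToken is made up of a sequence of
    // AuthorizationElements
    typedef sequence <AuthorizationElement> AuthorizationToken;

    typedef unsigned long IdentityTokenType;

    // Additional standard identity token types shall only be defined by the
    // OMG. All IdentityTokenType constants shall be a power of 2.
    const IdentityTokenType ITTAbsent            = 0;
    const IdentityTokenType ITTAnonymous         = 1;
    const IdentityTokenType ITTPrincipalName     = 2;
    const IdentityTokenType ITTX509CertChain     = 4;
    const IdentityTokenType ITTDistinguishedName = 8;

    typedef sequence <octet> IdentityExtension;

    // The identity a client asserts for the request. The discriminator
    // selects which encoding is present; any IdentityTokenType not listed
    // here falls into the default arm as an opaque IdentityExtension.
    //
    // NOTE(review): the identity_token is caller-supplied data. Whether a
    // target may act on an asserted identity depends on trust it has
    // established with the asserting client by other means (for example the
    // client_authentication_token or the transport); this IDL does not
    // encode that policy - confirm it against the deployment's CSIv2
    // configuration.
    union IdentityToken switch ( IdentityTokenType ) {
        case ITTAbsent:            boolean               absent;
        case ITTAnonymous:         boolean               anonymous;
        case ITTPrincipalName:     GSS_NT_ExportedName   principal_name;
        case ITTX509CertChain:     X509CertificateChain  certificate_chain;
        case ITTDistinguishedName: X501DistinguishedName dn;
        default:                   IdentityExtension     id;
    };

    // Client -> target: opens (or, for stateless use with client_context_id
    // of 0, carries per-request) security context state. Every field except
    // client_context_id is an opaque encoding whose validation is up to the
    // receiving mechanism.
    struct EstablishContext {
        ContextId          client_context_id;
        AuthorizationToken authorization_token;
        IdentityToken      identity_token;
        GSSToken           client_authentication_token;
    };

    // Target -> client: acknowledges an EstablishContext. context_stateful
    // reports whether the target retained the context under
    // client_context_id.
    struct CompleteEstablishContext {
        ContextId client_context_id;
        boolean   context_stateful;
        GSSToken  final_context_token;
    };

    // Target -> client: reports a failure for client_context_id. The
    // major/minor status pair and error_token are mechanism-defined.
    struct ContextError {
        ContextId client_context_id;
        long      major_status;
        long      minor_status;
        GSSToken  error_token;
    };

    // Not sent by stateless clients. If received by a stateless server, a
    // ContextError message should be returned, indicating the session does
    // not exist.
    struct MessageInContext {
        ContextId client_context_id;
        boolean   discard_context;
    };

    // The body of a security attribute service context, discriminated by
    // MsgType. There is no default arm: a MsgType value outside the four
    // constants above does not select any member.
    union SASContextBody switch ( MsgType ) {
        case MTEstablishContext:         EstablishContext         establish_msg;
        case MTCompleteEstablishContext: CompleteEstablishContext complete_msg;
        case MTContextError:             ContextError             error_msg;
        case MTMessageInContext:         MessageInContext         in_context_msg;
    };

    // The following type represents the string representation of an ASN.1
    // OBJECT IDENTIFIER (OID). OIDs are represented by the string "oid:"
    // followed by the integer base 10 representation of the OID separated
    // by dots. For example, the OID corresponding to the OMG is represented
    // as: "oid:2.23.130"
    typedef string StringOID;

    // The GSS Object Identifier for the KRB5 mechanism is:
    // { iso(1) member-body(2) United States(840) mit(113554) infosys(1)
    //   gssapi(2) krb5(2) }
    const StringOID KRB5MechOID = "oid:1.2.840.113554.1.2.2";

    // The GSS Object Identifier for name objects of the Mechanism-independent
    // Exported Name Object type is:
    // { iso(1) org(3) dod(6) internet(1) security(5) nametypes(6)
    //   gss-api-exported-name(4) }
    const StringOID GSS_NT_Export_Name_OID = "oid:1.3.6.1.5.6.4";

    // The GSS Object Identifier for the scoped-username name form is:
    // { iso-itu-t (2) international-organization (23) omg (130) security (1)
    //   naming (2) scoped-username(1) }
    const StringOID GSS_NT_Scoped_Username_OID = "oid:2.23.130.1.2.1";

}; // CSI

#endif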