Diffstat (limited to 'TAO/orbsvcs/orbsvcs/CSI.idl')
-rw-r--r--TAO/orbsvcs/orbsvcs/CSI.idl201
1 files changed, 201 insertions, 0 deletions
diff --git a/TAO/orbsvcs/orbsvcs/CSI.idl b/TAO/orbsvcs/orbsvcs/CSI.idl
new file mode 100644
index 00000000000..bf19d332c1e
--- /dev/null
+++ b/TAO/orbsvcs/orbsvcs/CSI.idl
@@ -0,0 +1,201 @@
+// -*- IDL -*-
+
+//=============================================================================
+/**
+ * @file CSI.idl
+ *
+ * $Id$
+ *
+ * @author Object Management Group
+ */
+//=============================================================================
+
+
+#ifndef _CSI_IDL_
+#define _CSI_IDL_
+
+// #include <IOP.idl>
+#include "tao/IOP_IOR.pidl"
+
+module IOP
+{
+ const ServiceId SecurityAttributeService = 15;
+};
+
+module CSI {
+ typeprefix CSI "omg.org";
+
+ // The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever.
+ const unsigned long OMGVMCID = 0x4F4D0;
+
+ // An X509CertificateChain contains an ASN.1 BER encoded SEQUENCE
+ // [1..MAX] OF X.509 certificates encapsulated in a sequence of octets. The
+ // subject's certificate shall come first in the list. Each following
+ // certificate shall directly certify the one preceding it. The ASN.1
+ // representation of Certificate is as defined in [IETF RFC 2459].
+ typedef sequence <octet> X509CertificateChain;
+
+ // an X.501 type name or Distinguished Name encapsulated in a sequence of
+ // octets containing the ASN.1 encoding.
+ typedef sequence <octet> X501DistinguishedName;
+
+ // UTF-8 Encoding of String
+ typedef sequence <octet> UTF8String;
+
+ // ASN.1 Encoding of an OBJECT IDENTIFIER
+ typedef sequence <octet> OID;
+ typedef sequence <OID> OIDList;
+
+ // A sequence of octets containing a GSStoken. Initial context tokens are
+ // ASN.1 encoded as defined in [IETF RFC 2743] Section 3.1,
+ // "Mechanism-Independent token Format", pp. 81-82. Initial context tokens
+ // contain an ASN.1 tag followed by a token length, a mechanism identifier,
+ // and a mechanism-specific token (i.e. a GSSUP::InitialContextToken). The
+ // encoding of all other GSS tokens (e.g. error tokens and final context
+ // tokens) is mechanism dependent.
+ typedef sequence <octet> GSSToken;
+
+ // An encoding of a GSS Mechanism-Independent Exported Name Object as
+ // defined in [IETF RFC 2743] Section 3.2, "GSS Mechanism-Independent
+ // Exported Name Object Format," p. 84.
+ typedef sequence <octet> GSS_NT_ExportedName;
+ typedef sequence <GSS_NT_ExportedName> GSS_NT_ExportedNameList;
+
+ // The MsgType enumeration defines the complete set of service context
+ // message types used by the CSI context management protocols, including
+ // those message types pertaining only to the stateful application of the
+ // protocols (to insure proper alignment of the identifiers between
+ // stateless and stateful implementations). Specifically, the
+ // MTMessageInContext is not sent by stateless clients (although it may
+ // be received by stateless targets).
+ typedef short MsgType;
+
+ const MsgType MTEstablishContext = 0;
+ const MsgType MTCompleteEstablishContext = 1;
+ const MsgType MTContextError = 4;
+ const MsgType MTMessageInContext = 5;
+
+ // The ContextId type is used carry session identifiers. A stateless
+ // application of the service context protocol is indicated by a session
+ // identifier value of 0.
+ typedef unsigned long long ContextId;
+
+ // The AuthorizationElementType defines the contents and encoding of
+ // the_element field of the AuthorizationElement.
+ // The high order 20-bits of each AuthorizationElementType constant
+ // shall contain the Vendor Minor Codeset ID (VMCID) of the
+ // organization that defined the element type. The low order 12 bits
+ // shall contain the organization-scoped element type identifier. The
+ // high-order 20 bits of all element types defined by the OMG shall
+ // contain the VMCID allocated to the OMG (that is, 0x4F4D0).
+ typedef unsigned long AuthorizationElementType;
+
+ // An AuthorizationElementType of X509AttributeCertChain indicates
+ // that the_element field of the AuthorizationElement contains an
+ // ASN.1 BER SEQUENCE composed of an (X.509) AttributeCertificate
+ // followed by a SEQUENCE OF (X.509) Certificate. The two-part
+ // SEQUENCE is encapsulated in an octet stream. The chain of
+ // identity certificates is provided to certify the attribute
+ // certificate. Each certificate in the chain shall directly certify
+ // the one preceding it. The first certificate in the chain shall
+ // certify the attribute certificate. The ASN.1 representation of
+ // (X.509) Certificate is as defined in [IETF RFC 2459]. The ASN.1
+ // representation of (X.509) AttributeCertificate is as defined in
+ // [IETF ID PKIXAC].
+ const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1;
+
+ typedef sequence <octet> AuthorizationElementContents;
+
+ // The AuthorizationElement contains one element of an authorization token.
+ // Each element of an authorization token is logically a PAC.
+ struct AuthorizationElement {
+ AuthorizationElementType the_type;
+ AuthorizationElementContents the_element;
+ };
+
+ // The AuthorizationToken is made up of a sequence of
+ // AuthorizationElements
+ typedef sequence <AuthorizationElement> AuthorizationToken;
+ typedef unsigned long IdentityTokenType;
+
+ // Additional standard identity token types shall only be defined by the
+ // OMG. All IdentityTokenType constants shall be a power of 2.
+ const IdentityTokenType ITTAbsent = 0;
+ const IdentityTokenType ITTAnonymous = 1;
+ const IdentityTokenType ITTPrincipalName = 2;
+ const IdentityTokenType ITTX509CertChain = 4;
+ const IdentityTokenType ITTDistinguishedName = 8;
+
+ typedef sequence <octet> IdentityExtension;
+
+ union IdentityToken switch ( IdentityTokenType ) {
+ case ITTAbsent: boolean absent;
+ case ITTAnonymous: boolean anonymous;
+ case ITTPrincipalName: GSS_NT_ExportedName principal_name;
+ case ITTX509CertChain: X509CertificateChain certificate_chain;
+ case ITTDistinguishedName: X501DistinguishedName dn;
+ default: IdentityExtension id;
+ };
+
+ struct EstablishContext {
+ ContextId client_context_id;
+ AuthorizationToken authorization_token;
+ IdentityToken identity_token;
+ GSSToken client_authentication_token;
+ };
+
+ struct CompleteEstablishContext {
+ ContextId client_context_id;
+ boolean context_stateful;
+ GSSToken final_context_token;
+ };
+
+ struct ContextError {
+ ContextId client_context_id;
+ long major_status;
+ long minor_status;
+ GSSToken error_token;
+ };
+
+ // Not sent by stateless clients. If received by a stateless server, a
+ // ContextError message should be returned, indicating the session does
+ // not exist.
+ struct MessageInContext {
+ ContextId client_context_id;
+ boolean discard_context;
+ };
+
+ union SASContextBody switch ( MsgType ) {
+ case MTEstablishContext: EstablishContext establish_msg;
+ case MTCompleteEstablishContext: CompleteEstablishContext
+ complete_msg;
+ case MTContextError: ContextError error_msg;
+ case MTMessageInContext: MessageInContext in_context_msg;
+ };
+
+ // The following type represents the string representation of an ASN.1
+ // OBJECT IDENTIFIER (OID). OIDs are represented by the string "oid:"
+ // followed by the integer base 10 representation of the OID separated
+ // by dots. For example, the OID corresponding to the OMG is represented
+ // as: "oid:2.23.130"
+ typedef string StringOID;
+
+ // The GSS Object Identifier for the KRB5 mechanism is:
+ // { iso(1) member-body(2) United States(840) mit(113554) infosys(1)
+ // gssapi(2) krb5(2) }
+ const StringOID KRB5MechOID = "oid:1.2.840.113554.1.2.2";
+
+ // The GSS Object Identifier for name objects of the Mechanism-independent
+ // Exported Name Object type is:
+ // { iso(1) org(3) dod(6) internet(1) security(5) nametypes(6)
+ // gss-api-exported-name(4) }
+ const StringOID GSS_NT_Export_Name_OID = "oid:1.3.6.1.5.6.4";
+
+ // The GSS Object Identifier for the scoped-username name form is:
+ // { iso-itu-t (2) international-organization (23) omg (130) security (1)
+ // naming (2) scoped-username(1) }
+ const StringOID GSS_NT_Scoped_Username_OID = "oid:2.23.130.1.2.1";
+
+}; // CSI
+
+#endif
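Review bot: The `IdentityToken` union (lines 146–153) routes every discriminator value outside the five ITT* constants into `default: IdentityExtension id;`, so a token whose type this receiver does not recognise still demarshals as an opaque octet sequence, and nothing in the file says how such a token is to be treated. Because the identity token is what asserts who the caller is, a comment on that branch would keep implementers from trusting it by accident, e.g. `// Unrecognised IdentityTokenType: carries no verified identity; treat per local policy (absent or reject), never as authenticated.` By contrast `SASContextBody` (lines 183–189) has no default branch, so an unrecognised `MsgType` selects no member at all; a one-line comment stating that such a message is a protocol error and should produce a `ContextError` would make the intended fail-closed handling explicit. These are documentation-only suggestions; the type definitions themselves follow the OMG CSIv2 text.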