EnhancedSecurity {joint-iso-itu-t ds(5) modules(1) enhancedSecurity(28) 5}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORTS All 
IMPORTS
  -- from ITU-T Rec. X.501 | ISO/IEC 9594-2
  authenticationFramework, basicAccessControl, certificateExtensions, 
    id-at, id-avc, id-mr, id-oc, informationFramework, upperBounds
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
      usefulDefinitions(0) 5}
  Attribute, ATTRIBUTE, AttributeType, Context, CONTEXT, MATCHING-RULE, 
    Name, OBJECT-CLASS, objectIdentifierMatch, SupportedAttributes, top
    FROM InformationFramework informationFramework
  AttributeTypeAndValue
    FROM BasicAccessControl basicAccessControl
  -- from ITU-T Rec. X.509 | ISO/IEC 9594-8
  AlgorithmIdentifier, CertificateSerialNumber, HASH{}, SIGNED{}
    FROM AuthenticationFramework authenticationFramework
  GeneralName, KeyIdentifier
    FROM CertificateExtensions certificateExtensions
  ub-privacy-mark-length
    FROM UpperBounds upperBounds;

OPTIONALLY-PROTECTED{Type} ::= CHOICE {unsigned  Type,
                                       signed    SIGNED{Type}
}

OPTIONALLY-PROTECTED-SEQ{Type} ::= CHOICE {
  unsigned  Type,
  signed    [0]  SIGNED{Type}
}

attributeValueSecurityLabelContext CONTEXT ::= {
  WITH SYNTAX
    SignedSecurityLabel --  At most one security label context can be assigned to an
  --  attribute value
  ID           id-avc-attributeValueSecurityLabelContext
}

SignedSecurityLabel ::=
  SIGNED
    {SEQUENCE {attHash        HASH{AttributeTypeAndValue},
               issuer         Name OPTIONAL, -- name of labelling authority
               keyIdentifier  KeyIdentifier OPTIONAL,
               securityLabel  SecurityLabel}}

SecurityLabel ::= SET {
  security-policy-identifier  SecurityPolicyIdentifier OPTIONAL,
  security-classification     SecurityClassification OPTIONAL,
  privacy-mark                PrivacyMark OPTIONAL,
  security-categories         SecurityCategories OPTIONAL
}(ALL EXCEPT ({ -- none, at least one component shall be present --}))

SecurityPolicyIdentifier ::= OBJECT IDENTIFIER

SecurityClassification ::= INTEGER {
  unmarked(0), unclassified(1), restricted(2), confidential(3), secret(4),
  top-secret(5)}

PrivacyMark ::= PrintableString(SIZE (1..ub-privacy-mark-length))

SecurityCategories ::= SET SIZE (1..MAX) OF SecurityCategory

clearance ATTRIBUTE ::= {WITH SYNTAX  Clearance
                         ID           id-at-clearance
}

Clearance ::= SEQUENCE {
  policyId            OBJECT IDENTIFIER,
  classList           ClassList DEFAULT {unclassified},
  securityCategories  SET SIZE (1..MAX) OF SecurityCategory OPTIONAL
}

ClassList ::= BIT STRING {
  unmarked(0), unclassified(1), restricted(2), confidential(3), secret(4),
  topSecret(5)}

SecurityCategory ::= SEQUENCE {
  type   [0]  SECURITY-CATEGORY.&id({SecurityCategoriesTable}),
  value
    [1] EXPLICIT SECURITY-CATEGORY.&Type({SecurityCategoriesTable}{@type})
}

SECURITY-CATEGORY ::= TYPE-IDENTIFIER

SecurityCategoriesTable SECURITY-CATEGORY ::=
  {...}

attributeIntegrityInfo ATTRIBUTE ::= {
  WITH SYNTAX   AttributeIntegrityInfo
  SINGLE VALUE  TRUE
  ID            id-at-attributeIntegrityInfo
}

integrityInfo OBJECT-CLASS ::= {
  SUBCLASS OF   {top}
  KIND          auxiliary
  MUST CONTAIN  {attributeIntegrityInfo}
  ID            id-oc-integrityInfo
}

AttributeIntegrityInfo ::=
  SIGNED
    {SEQUENCE {scope        Scope, -- Identifies the attributes protected
               signer       Signer OPTIONAL, -- Authority or data originators name
               attribsHash  AttribsHash}} -- Hash value of protected attributes

Signer ::= CHOICE {
  thisEntry   [0] EXPLICIT ThisEntry,
  thirdParty  [1]  SpecificallyIdentified
}

ThisEntry ::= CHOICE {onlyOne   NULL,
                      specific  IssuerAndSerialNumber
}

IssuerAndSerialNumber ::= SEQUENCE {
  issuer  Name,
  serial  CertificateSerialNumber
}

SpecificallyIdentified ::= SEQUENCE {
  name    GeneralName,
  issuer  GeneralName OPTIONAL,
  serial  CertificateSerialNumber OPTIONAL
}
(WITH COMPONENTS {
   ...,
   issuer  PRESENT,
   serial  PRESENT
 } | (WITH COMPONENTS {
        ...,
        issuer  ABSENT,
        serial  ABSENT
      }))

Scope ::= CHOICE {
  wholeEntry     [0]  NULL, -- Signature protects all attribute values in this entry
  selectedTypes  [1]  SelectedTypes
  -- Signature protects all attribute values of the selected attribute types 
}

SelectedTypes ::= SEQUENCE SIZE (1..MAX) OF AttributeType

AttribsHash ::= HASH{SEQUENCE SIZE (1..MAX) OF Attribute}

-- Attribute type and values with associated context values for the selected Scope
attributeValueIntegrityInfoContext CONTEXT ::= {
  WITH SYNTAX  AttributeValueIntegrityInfo
  ID           id-avc-attributeValueIntegrityInfoContext
}

AttributeValueIntegrityInfo ::=
  SIGNED
    {SEQUENCE {signer   Signer OPTIONAL, -- Authority or data originators name
               aVIHash  AVIHash}} -- Hash value of protected attribute

AVIHash ::= HASH{AttributeTypeValueContexts}

-- Attribute type and value with associated context values
AttributeTypeValueContexts ::= SEQUENCE {
  type         ATTRIBUTE.&id({SupportedAttributes}),
  value        ATTRIBUTE.&Type({SupportedAttributes}{@type}),
  contextList  SET SIZE (1..MAX) OF Context OPTIONAL
}

-- Object identifier assignments 
id-oc-integrityInfo OBJECT IDENTIFIER ::=
  {id-oc 40}

-- attributes 
id-at-clearance OBJECT IDENTIFIER ::= {id-at 55}

-- id-at-defaultDirQop						OBJECT IDENTIFIER	::=	{id-at 56}
id-at-attributeIntegrityInfo OBJECT IDENTIFIER ::=
  {id-at 57}

-- id-at-confKeyInfo						OBJECT IDENTIFIER	::=	{id-at 60}
-- matching rules 
-- id-mr-readerAndKeyIDMatch				OBJECT IDENTIFIER	::=	{id-mr 43}
-- contexts
id-avc-attributeValueSecurityLabelContext OBJECT IDENTIFIER ::=
  {id-avc 3}

id-avc-attributeValueIntegrityInfoContext OBJECT IDENTIFIER ::= {id-avc 4}

END -- EnhancedSecurity