-- ASN module extracted from ITU-T X.511 (10/2016)

SpkmGssTokens {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) spkm(1) spkmGssTokens(10)} DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS ALL IMPORTS Name FROM InformationFramework {joint-iso-itu-t(2) ds(5) module(1) informationFramework(1) 7} Certificate, CertificateList, CertificatePair, AlgorithmIdentifier{}, SupportedAlgorithms, Validity FROM AuthenticationFramework {joint-iso-itu-t(2) ds(5) module(1) authenticationFramework(7) 7}; -- types SPKM-REQ ::= SEQUENCE { requestToken REQ-TOKEN, certif-data [0] CertificationData OPTIONAL, auth-data [1] AuthorizationData OPTIONAL } CertificationData ::= SEQUENCE { certificationPath [0] CertificationPath OPTIONAL, certificateRevocationList [1] CertificateList OPTIONAL } -- at least one of the above shall be present CertificationPath ::= SEQUENCE { userKeyId [0] OCTET STRING OPTIONAL, userCertif [1] Certificate OPTIONAL, verifKeyId [2] OCTET STRING OPTIONAL, userVerifCertif [3] Certificate OPTIONAL, theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL } -- Presence of [2] or [3] implies that [0] or [1] must also be -- present. Presence of [4] implies that at least one of [0], [1], -- [2], and [3] must also be present. REQ-TOKEN ::= SEQUENCE { req-contents Req-contents, algId AlgorithmIdentifier{{SupportedAlgorithms}}, req-integrity Integrity -- "token" is Req-contents } Integrity ::= BIT STRING -- If corresponding algId specifies a signing algorithm, -- "Integrity" holds the result of applying the signing procedure -- specified in algId to the BER-encoded octet string which results -- from applying the hashing procedure (also specified in algId) to -- the DER-encoded octets of "token". -- Alternatively, if corresponding algId specifies a MACing -- algorithm, "Integrity" holds the result of applying the MACing -- procedure specified in algId to the DER-encoded octets of -- "token" Req-contents ::= SEQUENCE { tok-id INTEGER(256), -- shall contain 0100 (hex) context-id Random-Integer, pvno BIT STRING, timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2 randSrc Random-Integer, targ-name Name, src-name [0] Name OPTIONAL, req-data Context-Data, validity [1] Validity OPTIONAL, key-estb-set Key-Estb-Algs, key-estb-req BIT STRING OPTIONAL, key-src-bind OCTET STRING OPTIONAL -- This field must be present for the case of SPKM-2 -- unilateral authen. if the K-ALG in use does not provide -- such a binding (but is optional for all other cases). -- The octet string holds the result of applying the -- mandatory hashing procedure (in MANDATORY I-ALG; -- see Section 2.1) as follows: MD5(src || context_key), -- where "src" is the DER-encoded octets of src-name, -- "context-key" is the symmetric key (i.e., the -- unprotected version of what is transmitted in -- key-estb-req), and "||" is the concatenation operation. } Random-Integer ::= BIT STRING Context-Data ::= SEQUENCE { channelId ChannelId OPTIONAL, seq-number INTEGER OPTIONAL, options Options, conf-alg Conf-Algs, intg-alg Intg-Algs, owf-alg OWF-Algs } ChannelId ::= OCTET STRING Options ::= BIT STRING { delegation-state(0), mutual-state(1), replay-det-state(2), sequence-state(3), conf-avail(4), integ-avail(5), target-certif-data-required(6)} Conf-Algs ::= CHOICE { algs [0] SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}}, null [1] NULL } Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}} OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}} Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}} SPKM-REP-TI ::= SEQUENCE { responseToken REP-TI-TOKEN, certif-data CertificationData OPTIONAL -- present if target-certif-data-required option was } -- set to TRUE in SPKM-REQ REP-TI-TOKEN ::= SEQUENCE { rep-ti-contents Rep-ti-contents, algId AlgorithmIdentifier{{SupportedAlgorithms}}, rep-ti-integ Integrity -- "token" is Rep-ti-contents } Rep-ti-contents ::= SEQUENCE { tok-id INTEGER(512), -- shall contain 0200 (hex) context-id Random-Integer, pvno [0] BIT STRING OPTIONAL, timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2 randTarg Random-Integer, src-name [1] Name OPTIONAL, targ-name Name, randSrc Random-Integer, rep-data Context-Data, validity [2] Validity OPTIONAL, key-estb-id AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL, key-estb-str BIT STRING OPTIONAL } SPKM-REP-IT ::= SEQUENCE { responseToken REP-IT-TOKEN, algId AlgorithmIdentifier{{SupportedAlgorithms}}, rep-it-integ Integrity -- "token" is REP-IT-TOKEN } REP-IT-TOKEN ::= SEQUENCE { tok-id INTEGER(768), -- shall contain 0300 (hex) context-id Random-Integer, randSrc Random-Integer, randTarg Random-Integer, targ-name Name, src-name Name OPTIONAL, key-estb-rep BIT STRING OPTIONAL } SPKM-ERROR ::= SEQUENCE { errorToken ERROR-TOKEN, algId AlgorithmIdentifier{{SupportedAlgorithms}}, integrity Integrity -- "token" is ERROR-TOKEN } ERROR-TOKEN ::= SEQUENCE { tok-id INTEGER(1024), -- shall contain 0400 (hex) context-id Random-Integer } SPKM-MIC ::= SEQUENCE {mic-header Mic-Header, int-cksum BIT STRING } Mic-Header ::= SEQUENCE { tok-id INTEGER(257), -- shall contain 0101 (hex) context-id Random-Integer, int-alg [0] AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL, snd-seq [1] SeqNum OPTIONAL } SeqNum ::= SEQUENCE {num INTEGER, dir-ind BOOLEAN } SPKM-WRAP ::= SEQUENCE {wrap-header Wrap-Header, wrap-body Wrap-Body } Wrap-Header ::= SEQUENCE { tok-id INTEGER(513), -- shall contain 0201 (hex) context-id Random-Integer, int-alg [0] AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL, conf-alg [1] Conf-Alg OPTIONAL, snd-seq [2] SeqNum OPTIONAL } Wrap-Body ::= SEQUENCE {int-cksum BIT STRING, data BIT STRING } Conf-Alg ::= CHOICE { algId [0] AlgorithmIdentifier{{SupportedAlgorithms}}, null [1] NULL } SPKM-DEL ::= SEQUENCE {del-header Del-Header, int-cksum BIT STRING } Del-Header ::= SEQUENCE { tok-id INTEGER(769), -- shall contain 0301 (hex) context-id Random-Integer, int-alg [0] AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL, snd-seq [1] SeqNum OPTIONAL } -- other types -- from [RFC-1508] MechType ::= OBJECT IDENTIFIER InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE { thisMech MechType, innerContextToken SPKMInnerContextToken } -- when thisMech is SPKM-1 or SPKM-2 SPKMInnerContextToken ::= CHOICE { req [0] SPKM-REQ, rep-ti [1] SPKM-REP-TI, rep-it [2] SPKM-REP-IT, error [3] SPKM-ERROR, mic [4] SPKM-MIC, wrap [5] SPKM-WRAP, del [6] SPKM-DEL } -- from [RFC-1510] AuthorizationData ::= SEQUENCE OF SEQUENCE {ad-type INTEGER, ad-data OCTET STRING} -- object identifier assignments md5-DES-CBC OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) dod(6) internet(1) security(5) integrity(3) md5-DES-CBC(1)} sum64-DES-CBC OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) dod(6) internet(1) security(5) integrity(3) sum64-DES-CBC(2)} spkm-1 OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) spkm(1) spkm-1(1)} spkm-2 OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) spkm(1) spkm-2(2)} END -- SpkmGssTokens