Commit much improved ASN.1 compiler from joda-choice-branch.

Highlighs for the compiler is support for CHOICE and in general better support for tags. This compiler support most of what is needed for PK-INIT, LDAP, X.509, PKCS-12 and many other protocols. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15617 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-07-12 06:27:42 +00:00
parent bed557d8e7
commit b838707d0e
48 changed files with 7670 additions and 2442 deletions
--- a/lib/asn1/pkinit.asn1
+++ b/lib/asn1/pkinit.asn1
@@ -1,189 +1,171 @@
+-- $Id$ --
+
 PKINIT DEFINITIONS ::= BEGIN

-IMPORTS  EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData 
-	FROM krb5;
-IMPORTS SignedData, EnvelopedData FROM CMS;
-IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509;
+IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum FROM krb5
+	IssuerAndSerialNumber, ContentInfo FROM cms
+	SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
+	heim_any FROM heim;

+id-pkinit OBJECT IDENTIFIER ::=
+  { iso (1) org (3) dod (6) internet (1) security (5)
+    kerberosv5 (2) pkinit (3) }

-- 3.1
+id-pkauthdata  OBJECT IDENTIFIER  ::= { id-pkinit 1 }
+id-pkdhkeydata OBJECT IDENTIFIER  ::= { id-pkinit 2 }
+id-pkrkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 3 }
+id-pkekuoid    OBJECT IDENTIFIER  ::= { id-pkinit 4 }
+id-pkkdcekuoid OBJECT IDENTIFIER  ::= { id-pkinit 5 }

-CertPrincipalName ::= SEQUENCE {
-	name-type[0]		INTEGER,
-	name-string[1]		SEQUENCE OF UTF8String
-}
+pa-pk-as-req INTEGER ::=                  16
+pa-pk-as-rep INTEGER ::=                  17

+ad-initial-verified-cas INTEGER ::=        9

-- 3.2.2
+td-trusted-certifiers INTEGER ::=        104
+td-invalid-certificates INTEGER ::=      105
+td-dh-parameters INTEGER ::=             109

+DHNonce ::= OCTET STRING

-TrustedCertifiers ::= SEQUENCE OF PrincipalName
-				-- X.500 name encoded as a principal name
-				-- see Section 3.1
-CertificateIndex  ::= INTEGER
-				-- 0 = 1st certificate,
-				--     (in order of encoding)
-				-- 1 = 2nd certificate, etc
-
-PA-PK-AS-REP ::= CHOICE {
-				-- PA TYPE 15
-	dhSignedData[0]		SignedData,
-				-- Defined in CMS and used only with
-				-- Diffie-Hellman key exchange (if the
-				-- client public value was present in the
-				-- request).
-				-- This choice MUST be supported
-				-- by compliant implementations.
-	encKeyPack[1]		EnvelopedData
-				-- Defined in CMS
-				-- The temporary key is encrypted
-				-- using the client public key
-				-- key
-				-- SignedReplyKeyPack, encrypted
-				-- with the temporary key, is also
-				-- included.
-}
-
-
-
-KdcDHKeyInfo ::= SEQUENCE {
-				-- used only when utilizing Diffie-Hellman
-	nonce[0]		INTEGER,
-				-- binds responce to the request
-	subjectPublicKey[2]	BIT STRING
-				-- Equals public exponent (g^a mod p)
-				-- INTEGER encoded as payload of
-				-- BIT STRING
-}
-
-ReplyKeyPack ::= SEQUENCE {
-				-- not used for Diffie-Hellman
-	replyKey[0]		EncryptionKey,
-				-- used to encrypt main reply
-				-- ENCTYPE is at least as strong as
-				-- ENCTYPE of session key
-	nonce[1]		INTEGER
-				-- binds response to the request
-				-- must be same as the nonce
-				-- passed in the PKAuthenticator
-}
-
-- subjectAltName EXTENSION ::= {
-- 	SYNTAX GeneralNames
-- 	IDENTIFIED BY id-ce-subjectAltName
-- }
-
-OtherName ::= SEQUENCE {
-	type-id			OBJECT IDENTIFIER,
-	value[0]		OCTET STRING
--	value[0] EXPLICIT ANY DEFINED BY type-id
-}
-
-GeneralName ::= CHOICE {
-	otherName       [0] OtherName,
+TrustedCA ::= SEQUENCE {
+	caName                  [0] IMPLICIT OCTET STRING,
+	certificateSerialNumber [1] INTEGER OPTIONAL,
+	subjectKeyIdentifier    [2] OCTET STRING OPTIONAL,
 	...
 }

-GeneralNames ::= SEQUENCE -- SIZE(1..MAX)
-	OF GeneralName
-
-KerberosName ::= SEQUENCE {
-	realm[0]		Realm,
-				-- as defined in RFC 1510
-	principalName[1]	CertPrincipalName
-				-- defined above
-}
-
-
-- krb5 OBJECT IDENTIFIER ::= {
-- 	iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2)
-- }
-
-- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
-
-- 3.2.1
-
-
-IssuerAndSerialNumber ::= SEQUENCE {
-	issuer			Name,
-	serialNumber		CertificateSerialNumber
-}
-
-TrustedCas ::= CHOICE {
-	principalName[0]	KerberosName,
-				-- as defined below
-	caName[1]		Name,
-				-- fully qualified X.500 name
-				-- as defined by X.509
-	issuerAndSerial[2]	IssuerAndSerialNumber
-				-- Since a CA may have a number of
-				-- certificates, only one of which
-				-- a client trusts
-}
-
 PA-PK-AS-REQ ::= SEQUENCE {
-	-- PA TYPE 14
-	signedAuthPack[0]	SignedData,
-				-- defined in CMS [11]
-				-- AuthPack (below) defines the data
-				-- that is signed
-	trustedCertifiers[1]	SEQUENCE OF TrustedCas OPTIONAL,
-				-- CAs that the client trusts
-	kdcCert[2]		IssuerAndSerialNumber OPTIONAL,
-				-- as defined in CMS [11]
-				-- specifies a particular KDC
-				-- certificate if the client
-				-- already has it;
-	encryptionCert[3]	IssuerAndSerialNumber OPTIONAL
-				-- For example, this may be the
-				-- client's Diffie-Hellman
-				-- certificate, or it may be the
-				-- client's RSA encryption
-				-- certificate.
+	signedAuthPack          [0] IMPLICIT OCTET STRING,
+	trustedCertifiers       [1] SEQUENCE OF TrustedCA OPTIONAL,
+	kdcPkId                 [2] IMPLICIT OCTET STRING OPTIONAL,
+	...
 }

 PKAuthenticator ::= SEQUENCE {
-	kdcName[0]		PrincipalName,
-	kdcRealm[1]		Realm,
-	cusec[2]		INTEGER,
-				-- for replay prevention as in RFC1510
-	ctime[3]		KerberosTime,
-				-- for replay prevention as in RFC1510
-	nonce[4]		INTEGER
+	cusec                   [0] INTEGER -- (0..999999) --,
+	ctime                   [1] KerberosTime,
+	nonce                   [2] INTEGER (0..4294967295),
+	paChecksum              [3] OCTET STRING,
+	...
 }

-- This is the real definition of AlgorithmIdentifier
-- AlgorithmIdentifier ::= SEQUENCE {
-- 	algorithm		ALGORITHM.&id,
--	parameters		ALGORITHM.&Type
-- }   -- as specified by the X.509 recommendation[10]
-
-- But we'll use this one instead:
-
-AlgorithmIdentifier ::= SEQUENCE {
-	algorithm		OBJECT IDENTIFIER,
-	parameters		CHOICE {
-					a INTEGER
-				}
-}
-
-
-
-SubjectPublicKeyInfo ::= SEQUENCE {
-	algorithm		AlgorithmIdentifier,
-				-- dhKeyAgreement
-	subjectPublicKey	BIT STRING
-				-- for DH, equals
-				-- public exponent (INTEGER encoded
-				-- as payload of BIT STRING)
-} -- as specified by the X.509 recommendation[10]
-
 AuthPack ::= SEQUENCE {
-	pkAuthenticator[0]	PKAuthenticator,
-	clientPublicValue[1]	SubjectPublicKeyInfo OPTIONAL
-				-- if client is using Diffie-Hellman
-				-- (ephemeral-ephemeral only)
+	pkAuthenticator         [0] PKAuthenticator,
+	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL,
+	supportedCMSTypes       [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
+	clientDHNonce           [3] DHNonce OPTIONAL,
+	...
+}
+
+TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF TrustedCA
+TD-INVALID-CERTIFICATES ::= SEQUENCE OF OCTET STRING
+
+KRB5PrincipalName ::= SEQUENCE {
+	realm                   [0] Realm,
+	principalName           [1] PrincipalName
+}
+
+AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF TrustedCA
+
+
+DHRepInfo ::= SEQUENCE {
+	dhSignedData            [0] IMPLICIT OCTET STRING,
+	serverDHNonce           [1] DHNonce OPTIONAL
+}
+
+PA-PK-AS-REP ::= CHOICE {
+	dhInfo                  [0] DHRepInfo,
+	encKeyPack              [1] IMPLICIT OCTET STRING,
+	...
+}
+
+KDCDHKeyInfo ::= SEQUENCE {
+	subjectPublicKey        [0] BIT STRING,
+	nonce                   [1] INTEGER (0..4294967295),
+	dhKeyExpiration         [2] KerberosTime OPTIONAL,
+	...
+}
+
+ReplyKeyPack ::= SEQUENCE {
+	replyKey                [0] EncryptionKey,
+	nonce                   [1] INTEGER (0..4294967295),
+	...
+}
+
+TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
+
+
+-- Windows and pk-init-19 compat glue --
+
+PKAuthenticator-Win2k ::= SEQUENCE {
+	kdcName			[0] PrincipalName,
+	kdcRealm		[1] Realm,
+	cusec			[2] INTEGER (0..4294967295),
+	ctime			[3] KerberosTime,
+	nonce                   [4] INTEGER (-2147483648..2147483647)
+}
+
+AuthPack-Win2k ::= SEQUENCE {
+	pkAuthenticator         [0] PKAuthenticator-Win2k,
+	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
 }


+PA-PK-AS-REP-Win2k ::= CHOICE {
+	dhSignedData		[0] IMPLICIT OCTET STRING, 
+	encKeyPack		[1] IMPLICIT OCTET STRING
+}
+
+
+KDCDHKeyInfo-Win2k ::= SEQUENCE {
+	nonce			[0] INTEGER (-2147483648..2147483647),
+	subjectPublicKey	[2] BIT STRING
+}
+
+TrustedCA-19 ::= CHOICE {
+	caName                  [1] heim_any,
+	issuerAndSerial         [2] IssuerAndSerialNumber
+}
+
+PA-PK-AS-REQ-19 ::= SEQUENCE {	-- PAType 14
+	signedAuthPack          [0] ContentInfo,	-- AuthPack
+	trustedCertifiers       [1] SEQUENCE OF TrustedCA-19 OPTIONAL,
+	kdcCert                 [2] IssuerAndSerialNumber OPTIONAL,
+	encryptionCert          [3] IssuerAndSerialNumber OPTIONAL,
+	...
+}
+
+PA-PK-AS-REQ-Win2k ::= SEQUENCE { 
+	signed-auth-pack	[0] IMPLICIT OCTET STRING, 
+	trusted-certifiers	[2] SEQUENCE OF TrustedCA-19 OPTIONAL, 
+	kdc-cert		[3] IMPLICIT OCTET STRING OPTIONAL, 
+	encryption-cert		[4] IMPLICIT OCTET STRING OPTIONAL
+}
+
+PKAuthenticator-19 ::= SEQUENCE {
+        cusec                   [0] INTEGER (0..4294967295),
+        ctime                   [1] KerberosTime,
+        nonce                   [2] INTEGER (0..4294967295),
+        paChecksum              [3] Checksum,
+	...
+}
+
+AuthPack-19 ::= SEQUENCE {
+	pkAuthenticator         [0] PKAuthenticator-19,
+	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
+}
+
+PA-PK-AS-REP-19 ::= CHOICE {
+	dhSignedData            [0] ContentInfo,
+	encKeyPack              [1] ContentInfo,
+	...
+}
+
+ReplyKeyPack-19 ::= SEQUENCE {
+        replyKey                [0] EncryptionKey,
+        nonce                   [1] INTEGER (0..4294967295),
+	...
+}
+
 END