Posted to commits@directory.apache.org by dr...@apache.org on 2015/01/12 14:06:18 UTC
[10/50] [abbrv] directory-kerberos git commit: Renaming packages in
haox-kerb projects, using "apache"
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/967d7e1c/haox-kerb/specs/README.asn1
----------------------------------------------------------------------
diff --git a/haox-kerb/specs/README.asn1 b/haox-kerb/specs/README.asn1
deleted file mode 100644
index 2a033f8..0000000
--- a/haox-kerb/specs/README.asn1
+++ /dev/null
@@ -1,560 +0,0 @@
-These notes attempt to explain how to use the ASN.1 infrastructure to
-add new ASN.1 types. ASN.1 is complicated and easy to get wrong, so
-it's best to verify your results against another tool (such as asn1c)
-if at all possible. These notes are up to date as of 2012-02-13.
-
-If you are trying to debug a problem which shows up in the ASN.1
-encoder or decoder, skip to the last section.
-
-General
--------
-
-For the moment, a developer must hand-translate the ASN.1 module into
-macro invocations which generate data structures used by the encoder
-and decoder. Ideally we would have a tool to compile an ASN.1 module
-(and probably some additional information about C identifier mappings)
-and generate the macro invocations.
-
-Currently the ASN.1 infrastructure is not visible to applications or
-plugins. For plugin modules shipped as part of the krb5 tree, the
-types can be added to asn1_k_encode.c and exported from libkrb5.
-Plugin modules built separately from the krb5 tree must use another
-tool (such as asn1c) for now if they need to do ASN.1 encoding or
-decoding.
-
-Tags
-----
-
-Before you start writing macro invocations, it's important to
-understand a little bit about ASN.1 tags. You will most commonly see
-tag notation in a sequence definition, like:
-
- TypeName ::= SEQUENCE {
- field-name [0] IMPLICIT OCTET STRING OPTIONAL
- }
-
-Contrary to intuition, the tag notation "[0] IMPLICIT" is not a
-property of the sequence field; instead, it specifies a type which is
-wraps the type named to the right (OCTET STRING). The right way to
-think about the above definition is:
-
- TypeName is defined as a sequence type
- which has an optional field named field-name
- whose type is a tagged type
- the tag's class is context-specific (by default)
- the tag's number is 0
- it is an implicit tag
- the tagged type wraps OCTET STRING
-
-The other case you are likely to see tag notation is something like:
-
- AS-REQ ::= [APPLICATION 10] KDC-REQ
-
-This example defines AS-REQ to be a tagged type whose class is
-application, whose tag number is 10, and whose base type is KDC-REQ.
-The tag may be implicit or explicit depending on the module's tag
-environment, which we'll get to in a moment.
-
-Tags can have one of four classes: universal, application, private,
-and context-specific. Universal tags are used for built-in ASN.1
-types. Application and context-specific tags are the most common to
-see in ASN.1 modules; private is rarely used. If no tag class is
-specified, the default is context-specific.
-
-Tags can be explicit or implicit, and the distinction is important to
-the wire encoding. If a tag's closing bracket is followed by word
-IMPLICIT or EXPLICIT, then it's clear which kind of tag it is, but
-usually there will be no such annotation. If not, the default depends
-on the header of the ASN.1 module. Look at the top of the module for
-the word DEFINITIONS. It may be followed by one of three phrases:
-
-* EXPLICIT TAGS -- in this case, tags default to explicit
-* IMPLICIT TAGS -- in this case, tags default to implicit (usually)
-* AUTOMATIC TAGS -- tags default to implicit (usually) and are also
- automatically added to sequence fields (usually)
-
-If none of those phrases appear, the default is explicit tags.
-
-Even if a module defaults to implicit tags, a tag defaults to explicit
-if its base type is a choice type or ANY type (or the information
-object equivalent of an ANY type).
-
-If the module's default is AUTOMATIC TAGS, sequence and set fields
-should have ascending context-specific tags wrapped around the field
-types, starting from 0, unless one of the fields of the sequence or
-set is already a tagged type. See ITU X.680 section 24.2 for details,
-particularly if COMPONENTS OF is used in the sequence definition.
-
-Basic types
------------
-
-In our infrastructure, a type descriptor specifies a mapping between
-an ASN.1 type and a C type. The first step is to ensure that type
-descriptors are defined for the basic types used by your ASN.1 module,
-as mapped to the C types used in your structures, in asn1_k_encode.c.
-If not, you'll need to create it. For a BOOLEAN or INTEGER ASN.1
-type, you'll use one of these macros:
-
- DEFBOOLTYPE(descname, ctype)
- DEFINTTYPE(descname, ctype)
- DEFUINTTYPE(descname, ctype)
-
-where "descname" is an identifier you make up and "ctype" is the
-integer type of the C object you want to map the ASN.1 value to. For
-integers, use DEFINTTYPE if the C type is a signed integer type and
-DEFUINTTYPE if it is an unsigned type. (For booleans, the distinction
-is unimportant since all integer types can hold the values 0 and 1.)
-We don't generally define integer mappings for every typedef name of
-an integer type. For example, we use the type descriptor int32, which
-maps an ASN.1 INTEGER to a krb5_int32, for krb5_enctype values.
-
-String types are a little more complicated. Our practice is to store
-strings in a krb5_data structure (rather than a zero-terminated C
-string), so our infrastructure currently assumes that all strings are
-represented as "counted types", meaning the C representation is a
-combination of a pointer and an integer type. So, first you must
-declare a counted type descriptor (we'll describe those in more detail
-later) with something like:
-
- DEFCOUNTEDSTRINGTYPE(generalstring, char *, unsigned int,
- k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
- ASN1_GENERALSTRING);
-
-The first parameter is an identifier you make up. The second and
-third parameters are the C types of the pointer and integer holding
-the string; for a krb5_data object, those should be the types in the
-example. The pointer type must be char * or unsigned char *. The
-fourth and fifth parameters reference primitive encoder and decoder
-functions; these should almost always be the ones in the example,
-unless the ASN.1 type is BIT STRING. The sixth parameter is the
-universal tag number of the ASN.1 type, as defined in krbasn1.h.
-
-Once you have defined the counted type, you can define a normal type
-descriptor to wrap it in a krb5_data structure with something like:
-
- DEFCOUNTEDTYPE(gstring_data, krb5_data, data, length, generalstring);
-
-Sequences
----------
-
-In our infrastructure, we model ASN.1 sequences using an array of
-normal type descriptors. Each type descriptor is applied in turn to
-the C object to generate (or consume) an encoding of an ASN.1 value.
-
-Of course, each value needs to be stored in a different place within
-the C object, or they would just overwrite each other. To address
-this, you must create an offset type wrapper for each sequence field:
-
- DEFOFFSETTYPE(descname, structuretype, fieldname, basedesc)
-
-where "descname" is an identifier you make up, "structuretype" and
-"fieldtype" are used to compute the offset and type-check the
-structure field, and "basedesc" is the type of the ASN.1 object to be
-stored at that offset.
-
-If your C structure contains a pointer to another C object, you'll
-need to first define a pointer wrapper, which is very simple:
-
- DEFPTRTYPE(descname, basedesc)
-
-Then wrap the defined pointer type in an offset type as described
-above. Once a pointer descriptor is defined for a base descriptor, it
-can be reused many times, so pointer descriptors are usually defined
-right after the types they wrap. When decoding, pointer wrappers
-cause a pointer to be allocated with a block of memory equal to the
-size of the C type corresponding to the base type. (For offset types,
-the corresponding C type is the structure type inside which the offset
-is computed.) It is okay for several fields of a sequence to
-reference the same pointer field within a structure, as long as the
-pointer types all wrap base types with the same corresponding C type.
-
-If the sequence field has a context tag attached to its type, you'll
-also need to create a tag wrapper for it:
-
- DEFCTAGGEDTYPE(descname, tagnum, basedesc)
- DEFCTAGGEDTYPE_IMPLICIT(descname, tagnum, basedesc)
-
-Use the first macro for explicit context tags and the second for
-implicit context tags. "tagnum" is the number of the context-specific
-tag, and "basedesc" is the name you chose for the offset type above.
-
-You don't actually need to separately write out DEFOFFSETTYPE and
-DEFCTAGGEDTYPE for each field. The combination of offset and context
-tag is so common that we have a macro to combine them:
-
- DEFFIELD(descname, structuretype, fieldname, tagnum, basedesc)
- DEFFIELD_IMPLICIT(descname, structuretype, fieldname, tagnum, basedesc)
-
-Once you have defined tag and offset wrappers for each sequence field,
-combine them together in an array and use the DEFSEQTYPE macro to
-define the sequence type descriptor:
-
- static const struct atype_info *my_sequence_fields[] = {
- &k5_atype_my_sequence_0, &k5_atype_my_sequence_1,
- };
- DEFSEQTYPE(my_sequence, structuretype, my_sequence_fields)
-
-Each field name must by prefixed by "&k5_atype_" to get a pointer to
-the actual variable used to hold the type descriptor.
-
-ASN.1 sequence types may or may not be defined to be extensible, and
-may group extensions together in blocks which must appear together.
-Our model does not distinguish these cases. Our decoder treats all
-sequence types as extensible. Extension blocks must be modeled by
-making all of the extension fields optional, and the decoder will not
-enforce that they appear together.
-
-If your ASN.1 sequence contains optional fields, keep reading.
-
-Optional sequence fields
-------------------------
-
-ASN.1 sequence fields can be annotated with OPTIONAL or, less
-commonly, with DEFAULT VALUE. (Be aware that if DEFAULT VALUE is
-specified for a sequence field, DER mandates that fields with that
-value not be encoded within the sequence. Most standards in the
-Kerberos ecosystem avoid the use of DEFAULT VALUE for this reason.)
-Although optionality is a property of sequence or set fields, not
-types, we still model optional sequence fields using type wrappers.
-Optional type wrappers must only be used as members of a sequence,
-although they can be nested in offset or pointer wrappers first.
-
-The simplest way to represent an optional value in a C structure is
-with a pointer which takes the value NULL if the field is not present.
-In this case, you can just use DEFOPTIONALZEROTYPE to wrap the pointer
-type:
-
- DEFPTRTYPE(ptr_basetype, basetype);
- DEFOPTIONALZEROTYPE(opt_ptr_basetype, ptr_basetype);
-
-and then use opt_ptr_basetype in the DEFFIELD invocation for the
-sequence field. DEFOPTIONALZEROTYPE can also be used for integer
-types, if it's okay for the value 0 to represent that the
-corresponding ASN.1 value is omitted. Optional-zero wrappers, like
-pointer wrappers, are usually defined just after the types they wrap.
-
-For null-terminated sequences, you can use a wrapper like this:
-
- DEFOPTIONALEMPTYTYPE(opt_seqof_basetype, seqof_basetype)
-
-to omit the sequence if it is either NULL or of zero length.
-
-A more general way to wrap optional types is:
-
- DEFOPTIONALTYPE(descname, predicatefn, initfn, basedesc);
-
-where "predicatefn" has the signature "int (*fn)(const void *p)" and
-is used by the encoder to test whether the ASN.1 value is present in
-the C object. "initfn" has the signature "void (*fn)(void *p)" and is
-used by the decoder to initialize the C object field if the
-corresponding ASN.1 value is omitted in the wire encoding. "initfn"
-can be NULL, in which case the C object will simply be left alone.
-All C objects are initialized to zero-filled memory when they are
-allocated by the decoder.
-
-An optional string type, represented in a krb5_data structure, can be
-wrapped using the nonempty_data function already defined in
-asn1_k_encode.c, like so:
-
- DEFOPTIONALTYPE(opt_ostring_data, nonempty_data, NULL, ostring_data);
-
-Sequence-of types
------------------
-
-ASN.1 sequence-of types can be represented as C types in two ways.
-The simplest is to use an array of pointers terminated in a null
-pointer. A descriptor for a sequence-of represented this way is
-defined in three steps:
-
- DEFPTRTYPE(ptr_basetype, basetype);
- DEFNULLTERMSEQOFTYPE(seqof_basetype, ptr_basetype);
- DEFPTRTYPE(ptr_seqof_basetype, seqof_basetype);
-
-If the C type corresponding to basetype is "ctype", then the C type
-corresponding to ptr_seqof_basetype will be "ctype **". The middle
-type sort of corresponds to "ctype *", but not exactly, as it
-describes an object of variable size.
-
-You can also use DEFNONEMPTYNULLTERMSEQOFTYPE in the second step. In
-this case, the encoder will throw an error if the sequence is empty.
-For historical reasons, the decoder will *not* throw an error if the
-sequence is empty, so the calling code must check before assuming a
-first element is present.
-
-The other way of representing sequences is through a combination of
-pointer and count. This pattern is most often used for compactness
-when the base type is an integer type. A descriptor for a sequence-of
-represented this way is defined using a counted type descriptor:
-
- DEFCOUNTEDSEQOFTYPE(descname, lentype, basedesc)
-
-where "lentype" is the C type of the length and "basedesc" is a
-pointer wrapper for the sequence element type (*not* the element type
-itself). For example, an array of 32-bit signed integers is defined
-as:
-
- DEFINTTYPE(int32, krb5_int32);
- DEFPTRTYPE(int32_ptr, int32);
- DEFCOUNTEDSEQOFTYPE(cseqof_int32, krb5_int32, int32_ptr);
-
-To use a counted sequence-of type in a sequence, you use DEFCOUNTEDTYPE:
-
- DEFCOUNTEDTYPE(descname, structuretype, ptrfield, lenfield, cdesc)
-
-where "structuretype", "ptrfield", and "lenfield" are used to compute
-the field offsets and type-check the structure fields, and "cdesc" is
-the name of the counted type descriptor.
-
-The combination of DEFCOUNTEDTYPE and DEFCTAGGEDTYPE can be
-abbreviated using DEFCNFIELD:
-
- DEFCNFIELD(descname, structuretype, ptrfield, lenfield, tagnum, cdesc)
-
-Tag wrappers
-------------
-
-We've previously covered DEFCTAGGEDTYPE and DEFCTAGGEDTYPE_IMPLICIT,
-which are used to define context-specific tag wrappers. There are
-two other macros for creating tag wrappers. The first is:
-
- DEFAPPTAGGEDTYPE(descname, tagnum, basedesc)
-
-Use this macro to model an "[APPLICATION tagnum]" tag wrapper in an
-ASN.1 module.
-
-There is also a general tag wrapper macro:
-
- DEFTAGGEDTYPE(descname, class, construction, tag, implicit, basedesc)
-
-where "class" is one of UNIVERSAL, APPLICATION, CONTEXT_SPECIFIC, or
-PRIVATE, "construction" is one of PRIMITIVE or CONSTRUCTED, "tag" is
-the tag number, "implicit" is 1 for an implicit tag and 0 for an
-explicit tag, and "basedesc" is the wrapped type. Note that that
-primitive vs. constructed is not a concept within the abstract ASN.1
-type model, but is instead a concept used in DER. In general, all
-explicit tags should be constructed (but see the section on "Dirty
-tricks" below). The construction parameter is ignored for implicit
-tags.
-
-Choice types
-------------
-
-ASN.1 CHOICE types are represented in C using a signed integer
-distinguisher and a union. Modeling a choice type happens in three
-steps:
-
-1. Define type descriptors for each alternative of the choice,
-typically using DEFCTAGGEDTYPE to create a tag wrapper for an existing
-type. There is no need to create offset type wrappers, as union
-fields always have an offset of 0. For example:
-
- DEFCTAGGEDTYPE(my_choice_0, 0, firstbasedesc);
- DEFCTAGGEDTYPE(my_choice_1, 1, secondbasedesc);
-
-2. Assemble them into an array, similar to how you would for a
-sequence, and use DEFCHOICETYPE to create a counted type descriptor:
-
- static const struct atype_info *my_choice_alternatives[] = {
- &k5_atype_my_choice_0, &k5_atype_my_choice_1
- };
- DEFCHOICETYPE(my_choice, union my_choice_choices, enum my_choice_selector,
- my_choice_alternatives);
-
-The second and third parameters to DEFCHOICETYPE are the C types of
-the union and distinguisher fields.
-
-3. Wrap the counted type descriptor in a type descriptor for the
-structure containing the distinguisher and union:
-
- DEFCOUNTEDTYPE_SIGNED(descname, structuretype, u, choice, my_choice);
-
-The third and fourth parameters to DEFCOUNTEDTYPE_SIGNED are the field
-names of the union and distinguisher fields within structuretype.
-
-ASN.1 choice types may be defined to be extensible, or may not be.
-Our model does not distinguish between the two cases. Our decoder
-treats all choice types as extensible.
-
-Our encoder will throw an error if the distinguisher is not within the
-range of valid offsets of the alternatives array. Our decoder will
-set the distinguisher to -1 if the tag of the ASN.1 value is not
-matched by any of the alternatives, and will leave the union
-zero-filled in that case.
-
-Counted type descriptors
-------------------------
-
-Several times in earlier sections we've referred to the notion of
-"counted type descriptors" without defining what they are. Counted
-type descriptors live in a separate namespace from normal type
-descriptors, and specify a mapping between an ASN.1 type and two C
-objects, one of them having integer type. There are four kinds of
-counted type descriptors, defined using the following macros:
-
- DEFCOUNTEDSTRINGTYPE(descname, ptrtype, lentype, encfn, decfn, tagnum)
- DEFCOUNTEDDERTYPE(descname, ptrtype, lentype)
- DEFCOUNTEDSEQOFTYPE(descname, lentype, baseptrdesc)
- DEFCHOICETYPE(descname, uniontype, distinguishertype, fields)
-
-DEFDERTYPE is described in the "Dirty tricks" section below. The
-other three kinds of counted types have been covered previously.
-
-Counted types are always used by wrapping them in a normal type
-descriptor with one of these macros:
-
- DEFCOUNTEDTYPE(descname, structuretype, datafield, countfield, cdesc)
- DEFCOUNTEDTYPE_SIGNED(descname, structuretype, datafield, countfield, cdesc)
-
-These macros are similar in concept to an offset type, only with two
-offsets. Use DEFCOUNTEDTYPE if the count field is unsigned or
-DEFCOUNTEDTYPE_SIGNED if it is signed.
-
-Defining encoder and decoder functions
---------------------------------------
-
-After you have created a type descriptor for your types, you need to
-create encoder or decoder functions for the ones you want calling code
-to be able to process. Do this with one of the following macros:
-
- MAKE_ENCODER(funcname, desc)
- MAKE_DECODER(funcname, desc)
- MAKE_CODEC(typename, desc)
-
-MAKE_ENCODER and MAKE_DECODER allow you to choose function names.
-MAKE_CODEC defines encoder and decoder functions with the names
-"encode_typename" and "decode_typename".
-
-If you are defining functions for a null-terminated sequence, use the
-descriptor created with DEFNULLTERMSEQOFTYPE or
-DEFNONEMPTYNULLTERMSEQOFTYPE, rather than the pointer to it. This is
-because encoder and decoder functions implicitly traffic in pointers
-to the C object being encoded or decoded.
-
-Encoder and decoder functions must be prototyped separately, either in
-k5-int.h or in a subsidiary included by it. Encoder functions have
-the prototype:
-
- krb5_error_code encode_typename(const ctype *rep, krb5_data **code_out);
-
-where "ctype" is the C type corresponding to desc. Decoder functions
-have the prototype:
-
- krb5_error_code decode_typename(const krb5_data *code, ctype **rep_out);
-
-Decoder functions allocate a container for the C type of the object
-being decoded and return a pointer to it in *rep_out.
-
-Writing test cases
-------------------
-
-New ASN.1 types in libkrb5 will typically only be accepted with test
-cases. Our current test framework lives in src/tests/asn.1. Adding
-new types to this framework involves the following steps:
-
-1. Define an initializer for a sample value of the type in ktest.c,
-named ktest_make_sample_typename(). Also define a contents-destructor
-for it, named ktest_empty_typename(). Prototype these functions in
-ktest.h.
-
-2. Define an equality test for the type in ktest_equal.c. Prototype
-this in ktest_equal.h. (This step is not necessary if the type has no
-decoder.)
-
-3. Add a test case to krb5_encode_test.c, following the examples of
-existing test cases there. Update reference_encode.out and
-trval_reference.out to contain the output generated by your test case.
-
-4. Add a test case to krb5_decode_test.c, following the examples of
-existing test cases there, and using the output generated by your
-encode test.
-
-5. Add a test case to krb5_decode_leak.c, following the examples of
-existing test cases there.
-
-Following these steps will not ensure the correctness of your
-translation of the ASN.1 module to macro invocations; it only lets us
-detect unintentional changes to the encodings after they are defined.
-For that, you should use a different tool such as asn1c. There is
-currently no blueprint for doing this; we should create one.
-
-Dirty tricks
-------------
-
-In rare cases you may want to represent the raw DER encoding of a
-value in the C structure. If so, you can use DEFCOUNTEDDERTYPE (or
-more likely, the existing der_data type descriptor). The encoder and
-decoder will throw errors if the wire encoding doesn't have a valid
-outermost tag, so be sure to use valid DER encodings in your test
-cases (see ktest_make_sample_algorithm_identifier for an example).
-
-Conversely, the ASN.1 module may define an OCTET STRING wrapper around
-a DER encoding which you want to represent as the decoded value. (The
-existing example of this is in PKINIT hash agility, where the
-PartyUInfo and PartyVInfo fields of OtherInfo are defined as octet
-strings which contain the DER encodings of KRB5PrincipalName values.)
-In this case you can use a DEFTAGGEDTYPE wrapper like so:
-
- DEFTAGGEDTYPE(descname, UNIVERSAL, PRIMITIVE, ASN1_OCTETSTRING, 0,
- basedesc)
-
-Limitations
------------
-
-We cannot currently encode or decode SET or SET OF types.
-
-We cannot model self-referential types (like "MATHSET ::= SET OF
-MATHSET").
-
-If a sequence uses an optional field which is a choice field (without
-a context tag wrapper), or an optional field which uses a stored DER
-encoding (again, without a context tag wrapper), our decoder may
-assign a value to the choice or stored-DER field when the correct
-behavior is to skip that field and assign the value to a subsequent
-field. It should be very rare for ASN.1 modules to use choice or open
-types this way.
-
-For historical interoperability reasons, our decoder the indefinite
-length form for constructed tags, which is allowed by BER but not DER.
-We still require the primitive forms of basic scalar types, however,
-so we do not accept all BER encodings of ASN.1 values.
-
-Debugging
----------
-
-If you're looking at a stack trace with a bunch of ASN.1 encoder or
-decoder calls at the top, here are some things which might help with
-debugging:
-
-1. You may have noticed that the entry point into the encoder is
-defined by a macro like MAKE_CODEC. Don't worry about this; those
-macros just define thin wrappers around k5_asn1_full_encode and
-k5_asn1_full_decode.
-
-2. If you're in the encoder, look for stack frames in
-encode_sequence(), and print the value of i within those stack frames.
-You should be able to subtract 1 from those values and match them up
-with the sequence field offsets in asn1_k_encode.c for the type being
-encoded. For example, if an as-req is being encoded and the i values
-(starting with the one closest to encode_krb5_as_req) are 4, 2, and 2,
-you could match those up as following:
-
-* as_req_encode wraps untagged_as_req, whose field at offset 3 is the
- descriptor for kdc_req_4, which wraps kdc_req_body.
-
-* kdc_req_body is a function wrapper around kdc_req_hack, whose field
- at offset 1 is the descriptor for req_body_1, which wraps
- opt_principal.
-
-* opt_principal wraps principal, which wraps principal_data, whose
- field at offset 1 is the descriptor for princname_1.
-
-* princname_1 is a sequence of general strings represented in the data
- and length fields of the krb5_principal_data structure.
-
-So the problem would likely be in the data components of the client
-principal in the kdc_req structure.
-
-3. If you're in the decoder, look for stacks frames in
-decode_sequence(), and again print the values of i. You can match
-these up just as above, except without subtracting 1 from the i
-values.
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/967d7e1c/haox-kerb/specs/TODO.asn1
----------------------------------------------------------------------
diff --git a/haox-kerb/specs/TODO.asn1 b/haox-kerb/specs/TODO.asn1
deleted file mode 100644
index 6459f64..0000000
--- a/haox-kerb/specs/TODO.asn1
+++ /dev/null
@@ -1,75 +0,0 @@
--*- text -*-
-
-Stuff that should still be done on the ASN.1 encoder conversion:
-
-* Make offsetof uses conforming. Currently we may use foo.bar or
- foo[0] as fields.
-
-* Script to generate the tables. Then each type or field entry can
- generate multiple bits of code, instead of forcing us to bury the
- type consistency checking into the structure initializer
- expression. For example, we might generate these bits of code from
- one field descriptor:
-
- * Field table entry.
-
- * Type-checking code: Create a pointer of the expected type and a
- pointer of the actual type (address of field of automatic struct),
- and verify consistency with comparison, assignment, or conditional
- expr. Plenty of comments to indicate what's being compared and
- what a compiler complain means.
-
- * Range-checking code for bitfields: Create an automatic field info
- struct, fill in the computed offset or whatever, read it back,
- make sure it matches. Also with comments.
-
- * Possibly header declarations describing the types that could be
- imported, with correct handles *and* C types.
-
- * Static declarations for non-exported types to keep symbol table
- sizes down.
-
- Then similar bits of code (e.g., all the field table entries) can be
- pulled together into the appropriate places.
-
-* Some kind of "module" system for exporting and importing encoders,
- better than relying on the "type_*" variable names. Probably use
- meaningful strings that indicate both the ASN.1 type and the
- associated C type. Find a way to fit "imported type" into this
- scheme so that we can cleanly move the PKINIT types into the PKINIT
- plugin, the LDAP types into the LDAP plugin, etc., and still let
- them use the encoders in the code. Only a subset of types would be
- exported probably.
-
-* More compact encoding: For struct atype and struct cntype, we could
- use structures with a common base type (similar to Xlib events)
- instead of a base structure with a void pointer, to save the cost of
- a pointer for each type. Doing this might not be strictly correct
- C.
-
-* Pie in the sky: A verbose mode that can tell you "missing field
- KDC-REP.cname.name-string[1].data" or some such. This would require
- tracking the stack of pending encodes and adding strings with type
- and field names.
-
-* For ALL_POINTERS_ARE_THE_SAME mode (which is not strictly conforming
- with the C standard, and thus not default currently, but makes
- things a little smaller and faster), eliminate the loadptr structure
- entry. (Note that if this infrastructure becomes exposed to
- plugins, ALL_POINTERS_ARE_THE_SAME changes the ABI.)
-
-* Maybe: Reorganize the data of a "module" so everything needing
- relocation is put in some tables, referenced by index from other
- structures without relocations. E.g., for krb5_data, here's the
- offset for the data pointer, here's the offset for the length value,
- here's the index into the pointer reader function table, here's the
- index into the length reader function table, here's an index into
- the string-type encoder table.
-
- Using an index into a set of pointer types, with a single function
- taking an integer parameter used to switch between various
- ptr-to-ptr-to-type code paths, will be a lot smaller -- with a good
- compiler the function will probably collapse to a simple
- fetch-a-pointer function ignoring the integer argument, while at the
- C level it's strictly conforming by using the correct types for
- access.
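Review bot: haox-kerb/specs/TODO.asn1 is deleted outright with no mention in the commit message, which only describes a package rename. The items refer to MIT krb5 C internals (struct atype, struct cntype, the loadptr entry, ALL_POINTERS_ARE_THE_SAME), so removing the list is reasonable, but say so in the message, and before it goes check whether any item still applies to haox-kerb's own ASN.1 layer; the verbose-mode idea ("missing field KDC-REP.cname.name-string[1].data") is encoder-agnostic and worth carrying forward if the project has no equivalent diagnostic.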
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/967d7e1c/haox-kerb/specs/krb5.asn1
----------------------------------------------------------------------
diff --git a/haox-kerb/specs/krb5.asn1 b/haox-kerb/specs/krb5.asn1
deleted file mode 100644
index f58637a..0000000
--- a/haox-kerb/specs/krb5.asn1
+++ /dev/null
@@ -1,392 +0,0 @@
-KerberosV5Spec2 {
- iso(1) identified-organization(3) dod(6) internet(1)
- security(5) kerberosV5(2) modules(4) krb5spec2(2)
-} DEFINITIONS EXPLICIT TAGS ::= BEGIN
-
--- OID arc for KerberosV5
---
--- This OID may be used to identify Kerberos protocol messages
--- encapsulated in other protocols.
---
--- This OID also designates the OID arc for KerberosV5-related OIDs.
---
--- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
-id-krb5 OBJECT IDENTIFIER ::= {
- iso(1) identified-organization(3) dod(6) internet(1)
- security(5) kerberosV5(2)
-}
-
-Int32 ::= INTEGER (-2147483648..2147483647)
- -- signed values representable in 32 bits
-
-UInt32 ::= INTEGER (0..4294967295)
- -- unsigned 32 bit values
-
-Microseconds ::= INTEGER (0..999999)
- -- microseconds
-
-KerberosString ::= GeneralString -- (IA5String)
-
-Realm ::= KerberosString
-
-PrincipalName ::= SEQUENCE {
- name-type [0] Int32,
- name-string [1] SEQUENCE OF KerberosString
-}
-
-KerberosTime ::= GeneralizedTime -- with no fractional seconds
-
-HostAddress ::= SEQUENCE {
- addr-type [0] Int32,
- address [1] OCTET STRING
-}
-
--- NOTE: HostAddresses is always used as an OPTIONAL field and
--- should not be empty.
-HostAddresses -- NOTE: subtly different from rfc1510,
- -- but has a value mapping and encodes the same
- ::= SEQUENCE OF HostAddress
-
--- NOTE: AuthorizationData is always used as an OPTIONAL field and
--- should not be empty.
-AuthorizationData ::= SEQUENCE OF SEQUENCE {
- ad-type [0] Int32,
- ad-data [1] OCTET STRING
-}
-
-PA-DATA ::= SEQUENCE {
- -- NOTE: first tag is [1], not [0]
- padata-type [1] Int32,
- padata-value [2] OCTET STRING -- might be encoded AP-REQ
-}
-
-KerberosFlags ::= BIT STRING (SIZE (32..MAX))
- -- minimum number of bits shall be sent,
- -- but no fewer than 32
-
-EncryptedData ::= SEQUENCE {
- etype [0] Int32 -- EncryptionType --,
- kvno [1] UInt32 OPTIONAL,
- cipher [2] OCTET STRING -- ciphertext
-}
-
-EncryptionKey ::= SEQUENCE {
- keytype [0] Int32 -- actually encryption type --,
- keyvalue [1] OCTET STRING
-}
-
-Checksum ::= SEQUENCE {
- cksumtype [0] Int32,
- checksum [1] OCTET STRING
-}
-
-Ticket ::= [APPLICATION 1] SEQUENCE {
- tkt-vno [0] INTEGER (5),
- realm [1] Realm,
- sname [2] PrincipalName,
- enc-part [3] EncryptedData -- EncTicketPart
-}
-
--- Encrypted part of ticket
-EncTicketPart ::= [APPLICATION 3] SEQUENCE {
- flags [0] TicketFlags,
- key [1] EncryptionKey,
- crealm [2] Realm,
- cname [3] PrincipalName,
- transited [4] TransitedEncoding,
- authtime [5] KerberosTime,
- starttime [6] KerberosTime OPTIONAL,
- endtime [7] KerberosTime,
- renew-till [8] KerberosTime OPTIONAL,
- caddr [9] HostAddresses OPTIONAL,
- authorization-data [10] AuthorizationData OPTIONAL
-}
-
--- encoded Transited field
-TransitedEncoding ::= SEQUENCE {
- tr-type [0] Int32 -- must be registered --,
- contents [1] OCTET STRING
-}
-
-TicketFlags ::= KerberosFlags
- -- reserved(0),
- -- forwardable(1),
- -- forwarded(2),
- -- proxiable(3),
- -- proxy(4),
- -- may-postdate(5),
- -- postdated(6),
- -- invalid(7),
- -- renewable(8),
- -- initial(9),
- -- pre-authent(10),
- -- hw-authent(11),
--- the following are new since 1510
- -- transited-policy-checked(12),
- -- ok-as-delegate(13)
-
-AS-REQ ::= [APPLICATION 10] KDC-REQ
-
-TGS-REQ ::= [APPLICATION 12] KDC-REQ
-
-KDC-REQ ::= SEQUENCE {
- -- NOTE: first tag is [1], not [0]
- pvno [1] INTEGER (5) ,
- msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
- padata [3] SEQUENCE OF PA-DATA OPTIONAL
- -- NOTE: not empty --,
- req-body [4] KDC-REQ-BODY
-}
-
-KDC-REQ-BODY ::= SEQUENCE {
- kdc-options [0] KDCOptions,
- cname [1] PrincipalName OPTIONAL
- -- Used only in AS-REQ --,
- realm [2] Realm
- -- Server's realm
- -- Also client's in AS-REQ --,
- sname [3] PrincipalName OPTIONAL,
- from [4] KerberosTime OPTIONAL,
- till [5] KerberosTime,
- rtime [6] KerberosTime OPTIONAL,
- nonce [7] UInt32,
- etype [8] SEQUENCE OF Int32 -- EncryptionType
- -- in preference order --,
- addresses [9] HostAddresses OPTIONAL,
- enc-authorization-data [10] EncryptedData OPTIONAL
- -- AuthorizationData --,
- additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
- -- NOTE: not empty
-}
-
-KDCOptions ::= KerberosFlags
- -- reserved(0),
- -- forwardable(1),
- -- forwarded(2),
- -- proxiable(3),
- -- proxy(4),
- -- allow-postdate(5),
- -- postdated(6),
- -- unused7(7),
- -- renewable(8),
- -- unused9(9),
- -- unused10(10),
- -- opt-hardware-auth(11),
- -- unused12(12),
- -- unused13(13),
--- 15 is reserved for canonicalize
- -- unused15(15),
--- 26 was unused in 1510
- -- disable-transited-check(26),
---
- -- renewable-ok(27),
- -- enc-tkt-in-skey(28),
- -- renew(30),
- -- validate(31)
-
-AS-REP ::= [APPLICATION 11] KDC-REP
-
-TGS-REP ::= [APPLICATION 13] KDC-REP
-
-KDC-REP ::= SEQUENCE {
- pvno [0] INTEGER (5),
- msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
- padata [2] SEQUENCE OF PA-DATA OPTIONAL
- -- NOTE: not empty --,
- crealm [3] Realm,
- cname [4] PrincipalName,
- ticket [5] Ticket,
- enc-part [6] EncryptedData
- -- EncASRepPart or EncTGSRepPart,
- -- as appropriate
-}
-
-EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
-
-EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-
-EncKDCRepPart ::= SEQUENCE {
- key [0] EncryptionKey,
- last-req [1] LastReq,
- nonce [2] UInt32,
- key-expiration [3] KerberosTime OPTIONAL,
- flags [4] TicketFlags,
- authtime [5] KerberosTime,
- starttime [6] KerberosTime OPTIONAL,
- endtime [7] KerberosTime,
- renew-till [8] KerberosTime OPTIONAL,
- srealm [9] Realm,
- sname [10] PrincipalName,
- caddr [11] HostAddresses OPTIONAL
-}
-
-LastReq ::= SEQUENCE OF SEQUENCE {
- lr-type [0] Int32,
- lr-value [1] KerberosTime
-}
-
-AP-REQ ::= [APPLICATION 14] SEQUENCE {
- pvno [0] INTEGER (5),
- msg-type [1] INTEGER (14),
- ap-options [2] APOptions,
- ticket [3] Ticket,
- authenticator [4] EncryptedData -- Authenticator
-}
-
-APOptions ::= KerberosFlags
- -- reserved(0),
- -- use-session-key(1),
- -- mutual-required(2)
-
--- Unencrypted authenticator
-Authenticator ::= [APPLICATION 2] SEQUENCE {
- authenticator-vno [0] INTEGER (5),
- crealm [1] Realm,
- cname [2] PrincipalName,
- cksum [3] Checksum OPTIONAL,
- cusec [4] Microseconds,
- ctime [5] KerberosTime,
- subkey [6] EncryptionKey OPTIONAL,
- seq-number [7] UInt32 OPTIONAL,
- authorization-data [8] AuthorizationData OPTIONAL
-}
-
-AP-REP ::= [APPLICATION 15] SEQUENCE {
- pvno [0] INTEGER (5),
- msg-type [1] INTEGER (15),
- enc-part [2] EncryptedData -- EncAPRepPart
-}
-
-EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
- ctime [0] KerberosTime,
- cusec [1] Microseconds,
- subkey [2] EncryptionKey OPTIONAL,
- seq-number [3] UInt32 OPTIONAL
-}
-
-KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
- pvno [0] INTEGER (5),
- msg-type [1] INTEGER (20),
- safe-body [2] KRB-SAFE-BODY,
- cksum [3] Checksum
-}
-
-KRB-SAFE-BODY ::= SEQUENCE {
- user-data [0] OCTET STRING,
- timestamp [1] KerberosTime OPTIONAL,
- usec [2] Microseconds OPTIONAL,
- seq-number [3] UInt32 OPTIONAL,
- s-address [4] HostAddress,
- r-address [5] HostAddress OPTIONAL
-}
-
-KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
- pvno [0] INTEGER (5),
- msg-type [1] INTEGER (21),
- -- NOTE: there is no [2] tag
- enc-part [3] EncryptedData -- EncKrbPrivPart
-}
-
-EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
- user-data [0] OCTET STRING,
- timestamp [1] KerberosTime OPTIONAL,
- usec [2] Microseconds OPTIONAL,
- seq-number [3] UInt32 OPTIONAL,
- s-address [4] HostAddress -- sender's addr --,
- r-address [5] HostAddress OPTIONAL -- recip's addr
-}
-
-KRB-CRED ::= [APPLICATION 22] SEQUENCE {
- pvno [0] INTEGER (5),
- msg-type [1] INTEGER (22),
- tickets [2] SEQUENCE OF Ticket,
- enc-part [3] EncryptedData -- EncKrbCredPart
-}
-
-EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
- ticket-info [0] SEQUENCE OF KrbCredInfo,
- nonce [1] UInt32 OPTIONAL,
- timestamp [2] KerberosTime OPTIONAL,
- usec [3] Microseconds OPTIONAL,
- s-address [4] HostAddress OPTIONAL,
- r-address [5] HostAddress OPTIONAL
-}
-
-KrbCredInfo ::= SEQUENCE {
- key [0] EncryptionKey,
- prealm [1] Realm OPTIONAL,
- pname [2] PrincipalName OPTIONAL,
- flags [3] TicketFlags OPTIONAL,
- authtime [4] KerberosTime OPTIONAL,
- starttime [5] KerberosTime OPTIONAL,
- endtime [6] KerberosTime OPTIONAL,
- renew-till [7] KerberosTime OPTIONAL,
- srealm [8] Realm OPTIONAL,
- sname [9] PrincipalName OPTIONAL,
- caddr [10] HostAddresses OPTIONAL
-}
-
-KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
- pvno [0] INTEGER (5),
- msg-type [1] INTEGER (30),
- ctime [2] KerberosTime OPTIONAL,
- cusec [3] Microseconds OPTIONAL,
- stime [4] KerberosTime,
- susec [5] Microseconds,
- error-code [6] Int32,
- crealm [7] Realm OPTIONAL,
- cname [8] PrincipalName OPTIONAL,
- realm [9] Realm -- service realm --,
- sname [10] PrincipalName -- service name --,
- e-text [11] KerberosString OPTIONAL,
- e-data [12] OCTET STRING OPTIONAL
-}
-
-METHOD-DATA ::= SEQUENCE OF PA-DATA
-
-TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
- data-type [0] Int32,
- data-value [1] OCTET STRING OPTIONAL
-}
-
--- preauth stuff follows
-
-PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
-
-PA-ENC-TS-ENC ::= SEQUENCE {
- patimestamp [0] KerberosTime -- client's time --,
- pausec [1] Microseconds OPTIONAL
-}
-
-ETYPE-INFO-ENTRY ::= SEQUENCE {
- etype [0] Int32,
- salt [1] OCTET STRING OPTIONAL
-}
-
-ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
-
-ETYPE-INFO2-ENTRY ::= SEQUENCE {
- etype [0] Int32,
- salt [1] KerberosString OPTIONAL,
- s2kparams [2] OCTET STRING OPTIONAL
-}
-
-ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
-
-AD-IF-RELEVANT ::= AuthorizationData
-
-AD-KDCIssued ::= SEQUENCE {
- ad-checksum [0] Checksum,
- i-realm [1] Realm OPTIONAL,
- i-sname [2] PrincipalName OPTIONAL,
- elements [3] AuthorizationData
-}
-
-AD-AND-OR ::= SEQUENCE {
- condition-count [0] Int32,
- elements [1] AuthorizationData
-}
-
-AD-MANDATORY-FOR-KDC ::= AuthorizationData
-
-END
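Review bot: this hunk deletes README.asn1 outright while the commit message describes a package rename; no rename target appears in the diff, so either the file should show as a rename (git diff -M) to its new "apache" path or the message should state that the specs directory is intentionally dropped. The lines removed here are the in-tree reference for the tag-numbering traps a hand-written codec most often gets wrong, e.g. `-- NOTE: first tag is [1], not [0]` in PA-DATA and KDC-REQ, `-- NOTE: there is no [2] tag` in KRB-PRIV, and the `KerberosFlags ::= BIT STRING (SIZE (32..MAX))` minimum; if the file goes, those notes need a home next to the haox-kerb encoders and decoders that depend on them.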
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/967d7e1c/haox-kerb/specs/otp.asn1
----------------------------------------------------------------------
diff --git a/haox-kerb/specs/otp.asn1 b/haox-kerb/specs/otp.asn1
deleted file mode 100644
index 2e32432..0000000
--- a/haox-kerb/specs/otp.asn1
+++ /dev/null
@@ -1,109 +0,0 @@
- OTPKerberos
- DEFINITIONS IMPLICIT TAGS ::=
- BEGIN
-
- IMPORTS
-
- KerberosTime, KerberosFlags, EncryptionKey, Int32,
- EncryptedData, LastReq, KerberosString
- FROM KerberosV5Spec2 {iso(1) identified-organization(3)
- dod(6) internet(1) security(5)
- kerberosV5(2) modules(4) krb5spec2(2)}
- -- as defined in RFC 4120.
- AlgorithmIdentifier
- FROM PKIX1Explicit88 { iso (1) identified-organization (3)
- dod (6) internet (1)
- security (5) mechanisms (5) pkix (7)
- id-mod (0) id-pkix1-explicit (18) };
- -- As defined in RFC 5280.
-
- PA-OTP-CHALLENGE ::= SEQUENCE {
- nonce [0] OCTET STRING,
- otp-service [1] UTF8String OPTIONAL,
- otp-tokenInfo [2] SEQUENCE (SIZE(1..MAX)) OF
- OTP-TOKENINFO,
- salt [3] KerberosString OPTIONAL,
- s2kparams [4] OCTET STRING OPTIONAL,
- ...
- }
-
- OTP-TOKENINFO ::= SEQUENCE {
- flags [0] OTPFlags,
- otp-vendor [1] UTF8String OPTIONAL,
- otp-challenge [2] OCTET STRING (SIZE(1..MAX))
- OPTIONAL,
- otp-length [3] Int32 OPTIONAL,
- otp-format [4] OTPFormat OPTIONAL,
- otp-tokenID [5] OCTET STRING OPTIONAL,
- otp-algID [6] AnyURI OPTIONAL,
- supportedHashAlg [7] SEQUENCE OF AlgorithmIdentifier
- OPTIONAL,
- iterationCount [8] Int32 OPTIONAL,
- ...
- }
-
- OTPFormat ::= INTEGER {
- decimal(0),
- hexadecimal(1),
- alphanumeric(2),
- binary(3),
- base64(4)
- }
-
- OTPFlags ::= KerberosFlags
- -- reserved(0),
- -- nextOTP(1),
- -- combine(2),
- -- collect-pin(3),
- -- do-not-collect-pin(4),
- -- must-encrypt-nonce (5),
- -- separate-pin-required (6),
- -- check-digit (7)
-
- PA-OTP-REQUEST ::= SEQUENCE {
- flags [0] OTPFlags,
- nonce [1] OCTET STRING OPTIONAL,
- encData [2] EncryptedData,
- -- PA-OTP-ENC-REQUEST or PA-ENC-TS-ENC
- -- Key usage of KEY_USAGE_OTP_REQUEST
- hashAlg [3] AlgorithmIdentifier OPTIONAL,
- iterationCount [4] Int32 OPTIONAL,
- otp-value [5] OCTET STRING OPTIONAL,
- otp-pin [6] UTF8String OPTIONAL,
- otp-challenge [7] OCTET STRING (SIZE(1..MAX)) OPTIONAL,
- otp-time [8] KerberosTime OPTIONAL,
- otp-counter [9] OCTET STRING OPTIONAL,
- otp-format [10] OTPFormat OPTIONAL,
- otp-tokenID [11] OCTET STRING OPTIONAL,
- otp-algID [12] AnyURI OPTIONAL,
- otp-vendor [13] UTF8String OPTIONAL,
- ...
- }
-
- PA-OTP-ENC-REQUEST ::= SEQUENCE {
- nonce [0] OCTET STRING,
- ...
- }
-
-
- PA-OTP-PIN-CHANGE ::= SEQUENCE {
- flags [0] PinFlags,
- pin [1] UTF8String OPTIONAL,
- minLength [2] INTEGER OPTIONAL,
- maxLength [3] INTEGER OPTIONAL,
- last-req [4] LastReq OPTIONAL,
- format [5] OTPFormat OPTIONAL,
- ...
- }
-
- PinFlags ::= KerberosFlags
- -- reserved(0),
- -- systemSetPin(1),
- -- mandatory(2)
-
- AnyURI ::= UTF8String
- (CONSTRAINED BY {
- -- MUST be a valid URI in accordance with IETF RFC 2396
- })
-
- END
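Review bot: the `DEFINITIONS IMPLICIT TAGS ::=` header at the top of this hunk is the only in-tree statement that every `[n]` in PA-OTP-CHALLENGE, OTP-TOKENINFO and PA-OTP-REQUEST is an implicit tag, the opposite of the `DEFINITIONS EXPLICIT TAGS` pkinit modules deleted below; a decoder that applies the wrong tagging mode fails on every OTP message, so this file is worth preserving as a rename rather than a delete. Two further things the schema records that code cannot recover once it is gone: every SEQUENCE here ends in `...`, so the decoder must accept unknown trailing elements rather than reject them, and the `AnyURI ::= UTF8String (CONSTRAINED BY { ... })` constraint is a comment-only contract, so URI validity for otp-algID has to be checked in code, not assumed from the type.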
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/967d7e1c/haox-kerb/specs/pkinit-agility.asn1
----------------------------------------------------------------------
diff --git a/haox-kerb/specs/pkinit-agility.asn1 b/haox-kerb/specs/pkinit-agility.asn1
deleted file mode 100644
index ea9095b..0000000
--- a/haox-kerb/specs/pkinit-agility.asn1
+++ /dev/null
@@ -1,99 +0,0 @@
-KerberosV5-PK-INIT-Agility-SPEC {
- iso(1) identified-organization(3) dod(6) internet(1)
- security(5) kerberosV5(2) modules(4) pkinit(5) agility (1)
-} DEFINITIONS EXPLICIT TAGS ::= BEGIN
-
-IMPORTS
- AlgorithmIdentifier, SubjectPublicKeyInfo
- FROM PKIX1Explicit88 { iso (1)
- identified-organization (3) dod (6) internet (1)
- security (5) mechanisms (5) pkix (7) id-mod (0)
- id-pkix1-explicit (18) }
- -- As defined in RFC 3280.
-
- Ticket, Int32, Realm, EncryptionKey, Checksum
- FROM KerberosV5Spec2 { iso(1) identified-organization(3)
- dod(6) internet(1) security(5) kerberosV5(2)
- modules(4) krb5spec2(2) }
- -- as defined in RFC 4120.
-
- PKAuthenticator, DHNonce
- FROM KerberosV5-PK-INIT-SPEC {
- iso(1) identified-organization(3) dod(6) internet(1)
- security(5) kerberosV5(2) modules(4) pkinit(5) };
- -- as defined in RFC 4556.
-
-TD-CMS-DIGEST-ALGORITHMS-DATA ::= SEQUENCE OF
- AlgorithmIdentifier
- -- Contains the list of CMS algorithm [RFC3852]
- -- identifiers that identify the digest algorithms
- -- acceptable by the KDC for signing CMS data in
- -- the order of decreasing preference.
-
-TD-CERT-DIGEST-ALGORITHMS-DATA ::= SEQUENCE {
- allowedAlgorithms [0] SEQUENCE OF AlgorithmIdentifier,
- -- Contains the list of CMS algorithm [RFC3852]
- -- identifiers that identify the digest algorithms
- -- that are used by the CA to sign the client's
- -- X.509 certificate and acceptable by the KDC in
- -- the process of validating the client's X.509
- -- certificate, in the order of decreasing
- -- preference.
- rejectedAlgorithm [1] AlgorithmIdentifier OPTIONAL,
- -- This identifies the digest algorithm that was
- -- used to sign the client's X.509 certificate and
- -- has been rejected by the KDC in the process of
- -- validating the client's X.509 certificate
- -- [RFC3280].
- ...
-}
-
-OtherInfo ::= SEQUENCE {
- algorithmID AlgorithmIdentifier,
- partyUInfo [0] OCTET STRING,
- partyVInfo [1] OCTET STRING,
- suppPubInfo [2] OCTET STRING OPTIONAL,
- suppPrivInfo [3] OCTET STRING OPTIONAL
-}
-
-PkinitSuppPubInfo ::= SEQUENCE {
- enctype [0] Int32,
- -- The enctype of the AS reply key.
- as-REQ [1] OCTET STRING,
- -- This contains the AS-REQ in the request.
- pk-as-rep [2] OCTET STRING,
- -- Contains the DER encoding of the type
- -- PA-PK-AS-REP [RFC4556] in the KDC reply.
- ...
-}
-
--- Renamed from AuthPack to allow asn1c to process this and pkinit.asn1
-AuthPack2 ::= SEQUENCE {
- pkAuthenticator [0] PKAuthenticator,
- clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
- supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
- OPTIONAL,
- clientDHNonce [3] DHNonce OPTIONAL,
- ...,
- supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
- -- Contains an unordered set of KDFs supported by the
- -- client.
- ...
-}
-
-KDFAlgorithmId ::= SEQUENCE {
- kdf-id [0] OBJECT IDENTIFIER,
- -- The object identifier of the KDF
- ...
-}
-
--- Renamed from DHRepInfo to allow asn1c to process this and pkinit.asn1
-DHRepInfo2 ::= SEQUENCE {
- dhSignedData [0] IMPLICIT OCTET STRING,
- serverDHNonce [1] DHNonce OPTIONAL,
- ...,
- kdf [2] KDFAlgorithmId OPTIONAL,
- -- The KDF picked by the KDC.
- ...
-}
-END
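Review bot: the two comments `-- Renamed from AuthPack to allow asn1c to process this and pkinit.asn1` and `-- Renamed from DHRepInfo to allow asn1c to process this and pkinit.asn1` explain that AuthPack2 and DHRepInfo2 are deliberately divergent names for the same wire types as AuthPack and DHRepInfo in pkinit.asn1, extended after the `...` marker with `supportedKDFs [4]` and `kdf [2]`; that rationale is lost with a plain delete, and anyone who later cross-checks the codec against the RFC text will not know why two names exist. If the specs directory is being moved, show this as a rename; if it is being dropped, carry the comment over to wherever the agility extensions are implemented, since a decoder that rejects fields appearing after `...` will drop the client's supportedKDFs and the KDC's chosen kdf without any error.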
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/967d7e1c/haox-kerb/specs/pkinit.asn1
----------------------------------------------------------------------
diff --git a/haox-kerb/specs/pkinit.asn1 b/haox-kerb/specs/pkinit.asn1
deleted file mode 100644
index 8f9d8dd..0000000
--- a/haox-kerb/specs/pkinit.asn1
+++ /dev/null
@@ -1,253 +0,0 @@
-KerberosV5-PK-INIT-SPEC {
- iso(1) identified-organization(3) dod(6) internet(1)
- security(5) kerberosV5(2) modules(4) pkinit(5)
-} DEFINITIONS EXPLICIT TAGS ::= BEGIN
-
-IMPORTS
-
- SubjectPublicKeyInfo, AlgorithmIdentifier
- FROM PKIX1Explicit88 { iso (1)
- identified-organization (3) dod (6) internet (1)
- security (5) mechanisms (5) pkix (7) id-mod (0)
- id-pkix1-explicit (18) }
- -- As defined in RFC 3280.
-
- KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum
- FROM KerberosV5Spec2 { iso(1) identified-organization(3)
- dod(6) internet(1) security(5) kerberosV5(2)
- modules(4) krb5spec2(2) };
- -- as defined in RFC 4120.
-
-id-pkinit OBJECT IDENTIFIER ::=
- { iso(1) identified-organization(3) dod(6) internet(1)
- security(5) kerberosv5(2) pkinit (3) }
-
-id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 }
-id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 }
-id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 }
-id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= { id-pkinit 4 }
-id-pkinit-KPKdc OBJECT IDENTIFIER ::= { id-pkinit 5 }
-
-id-pkinit-san OBJECT IDENTIFIER ::=
- { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
- x509SanAN (2) }
-
-pa-pk-as-req INTEGER ::= 16
-pa-pk-as-rep INTEGER ::= 17
-
-ad-initial-verified-cas INTEGER ::= 9
-
-td-trusted-certifiers INTEGER ::= 104
-td-invalid-certificates INTEGER ::= 105
-td-dh-parameters INTEGER ::= 109
-
-PA-PK-AS-REQ ::= SEQUENCE {
- signedAuthPack [0] IMPLICIT OCTET STRING,
- -- Contains a CMS type ContentInfo encoded
- -- according to [RFC3852].
- -- The contentType field of the type ContentInfo
- -- is id-signedData (1.2.840.113549.1.7.2),
- -- and the content field is a SignedData.
- -- The eContentType field for the type SignedData is
- -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
- -- eContent field contains the DER encoding of the
- -- type AuthPack.
- -- AuthPack is defined below.
- trustedCertifiers [1] SEQUENCE OF
- ExternalPrincipalIdentifier OPTIONAL,
- -- Contains a list of CAs, trusted by the client,
- -- that can be used to certify the KDC.
- -- Each ExternalPrincipalIdentifier identifies a CA
- -- or a CA certificate (thereby its public key).
- -- The information contained in the
- -- trustedCertifiers SHOULD be used by the KDC as
- -- hints to guide its selection of an appropriate
- -- certificate chain to return to the client.
- kdcPkId [2] IMPLICIT OCTET STRING
- OPTIONAL,
- -- Contains a CMS type SignerIdentifier encoded
- -- according to [RFC3852].
- -- Identifies, if present, a particular KDC
- -- public key that the client already has.
- ...
-}
-
-DHNonce ::= OCTET STRING
-
-ExternalPrincipalIdentifier ::= SEQUENCE {
- subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
- -- Contains a PKIX type Name encoded according to
- -- [RFC3280].
- -- Identifies the certificate subject by the
- -- distinguished subject name.
- -- REQUIRED when there is a distinguished subject
- -- name present in the certificate.
- issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
- -- Contains a CMS type IssuerAndSerialNumber encoded
- -- according to [RFC3852].
- -- Identifies a certificate of the subject.
- -- REQUIRED for TD-INVALID-CERTIFICATES and
- -- TD-TRUSTED-CERTIFIERS.
- subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
- -- Identifies the subject's public key by a key
- -- identifier. When an X.509 certificate is
- -- referenced, this key identifier matches the X.509
- -- subjectKeyIdentifier extension value. When other
- -- certificate formats are referenced, the documents
- -- that specify the certificate format and their use
- -- with the CMS must include details on matching the
- -- key identifier to the appropriate certificate
- -- field.
- -- RECOMMENDED for TD-TRUSTED-CERTIFIERS.
- ...
-}
-
-AuthPack ::= SEQUENCE {
- pkAuthenticator [0] PKAuthenticator,
- clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
- -- Type SubjectPublicKeyInfo is defined in
- -- [RFC3280].
- -- Specifies Diffie-Hellman domain parameters
- -- and the client's public key value [IEEE1363].
- -- The DH public key value is encoded as a BIT
- -- STRING according to [RFC3279].
- -- This field is present only if the client wishes
- -- to use the Diffie-Hellman key agreement method.
- supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
- OPTIONAL,
- -- Type AlgorithmIdentifier is defined in
- -- [RFC3280].
- -- List of CMS algorithm [RFC3370] identifiers
- -- that identify key transport algorithms, or
- -- content encryption algorithms, or signature
- -- algorithms supported by the client in order of
- -- (decreasing) preference.
- clientDHNonce [3] DHNonce OPTIONAL,
- -- Present only if the client indicates that it
- -- wishes to reuse DH keys or to allow the KDC to
- -- do so.
- ...
-}
-
-PKAuthenticator ::= SEQUENCE {
- cusec [0] INTEGER (0..999999),
- ctime [1] KerberosTime,
- -- cusec and ctime are used as in [RFC4120], for
- -- replay prevention.
- nonce [2] INTEGER (0..4294967295),
- -- Chosen randomly; this nonce does not need to
- -- match with the nonce in the KDC-REQ-BODY.
- paChecksum [3] OCTET STRING OPTIONAL,
- -- MUST be present.
- -- Contains the SHA1 checksum, performed over
- -- KDC-REQ-BODY.
- ...
-}
-
-TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF
- ExternalPrincipalIdentifier
- -- Identifies a list of CAs trusted by the KDC.
- -- Each ExternalPrincipalIdentifier identifies a CA
- -- or a CA certificate (thereby its public key).
-
-TD-INVALID-CERTIFICATES ::= SEQUENCE OF
- ExternalPrincipalIdentifier
- -- Each ExternalPrincipalIdentifier identifies a
- -- certificate (sent by the client) with an invalid
- -- signature.
-
-KRB5PrincipalName ::= SEQUENCE {
- realm [0] Realm,
- principalName [1] PrincipalName
-}
-
-AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF
- ExternalPrincipalIdentifier
- -- Identifies the certification path based on which
- -- the client certificate was validated.
- -- Each ExternalPrincipalIdentifier identifies a CA
- -- or a CA certificate (thereby its public key).
-
-PA-PK-AS-REP ::= CHOICE {
- dhInfo [0] DHRepInfo,
- -- Selected when Diffie-Hellman key exchange is
- -- used.
- encKeyPack [1] IMPLICIT OCTET STRING,
- -- Selected when public key encryption is used.
- -- Contains a CMS type ContentInfo encoded
- -- according to [RFC3852].
- -- The contentType field of the type ContentInfo is
- -- id-envelopedData (1.2.840.113549.1.7.3).
- -- The content field is an EnvelopedData.
- -- The contentType field for the type EnvelopedData
- -- is id-signedData (1.2.840.113549.1.7.2).
- -- The eContentType field for the inner type
- -- SignedData (when unencrypted) is
- -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the
- -- eContent field contains the DER encoding of the
- -- type ReplyKeyPack.
- -- ReplyKeyPack is defined below.
- ...
-}
-
-DHRepInfo ::= SEQUENCE {
- dhSignedData [0] IMPLICIT OCTET STRING,
- -- Contains a CMS type ContentInfo encoded according
- -- to [RFC3852].
- -- The contentType field of the type ContentInfo is
- -- id-signedData (1.2.840.113549.1.7.2), and the
- -- content field is a SignedData.
- -- The eContentType field for the type SignedData is
- -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the
- -- eContent field contains the DER encoding of the
- -- type KDCDHKeyInfo.
- -- KDCDHKeyInfo is defined below.
- serverDHNonce [1] DHNonce OPTIONAL,
- -- Present if and only if dhKeyExpiration is
- -- present.
- ...
-}
-
-KDCDHKeyInfo ::= SEQUENCE {
- subjectPublicKey [0] BIT STRING,
- -- The KDC's DH public key.
- -- The DH public key value is encoded as a BIT
- -- STRING according to [RFC3279].
- nonce [1] INTEGER (0..4294967295),
- -- Contains the nonce in the pkAuthenticator field
- -- in the request if the DH keys are NOT reused,
- -- 0 otherwise.
- dhKeyExpiration [2] KerberosTime OPTIONAL,
- -- Expiration time for KDC's key pair,
- -- present if and only if the DH keys are reused.
- -- If present, the KDC's DH public key MUST not be
- -- used past the point of this expiration time.
- -- If this field is omitted then the serverDHNonce
- -- field MUST also be omitted.
- ...
-}
-
-ReplyKeyPack ::= SEQUENCE {
- replyKey [0] EncryptionKey,
- -- Contains the session key used to encrypt the
- -- enc-part field in the AS-REP, i.e., the
- -- AS reply key.
- asChecksum [1] Checksum,
- -- Contains the checksum of the AS-REQ
- -- corresponding to the containing AS-REP.
- -- The checksum is performed over the type AS-REQ.
- -- The protocol key [RFC3961] of the checksum is the
- -- replyKey and the key usage number is 6.
- -- If the replyKey's enctype is "newer" [RFC4120]
- -- [RFC4121], the checksum is the required
- -- checksum operation [RFC3961] for that enctype.
- -- The client MUST verify this checksum upon receipt
- -- of the AS-REP.
- ...
-}
-
-TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
- -- Each AlgorithmIdentifier specifies a set of
- -- Diffie-Hellman domain parameters [IEEE1363].
- -- This list is in decreasing preference order.
-END
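Review bot: the comments on the SEQUENCE types deleted here carry constraints the ASN.1 itself cannot express, and they should be preserved in-tree (codec documentation or tests) if the file goes: `paChecksum [3] OCTET STRING OPTIONAL` is annotated `-- MUST be present.`, so a decoder has to reject a missing paChecksum at the application layer even though the schema accepts it; `serverDHNonce [1] DHNonce OPTIONAL` is `-- Present if and only if dhKeyExpiration is present.`, a cross-type invariant between DHRepInfo and KDCDHKeyInfo; and ReplyKeyPack's asChecksum says `-- The client MUST verify this checksum upon receipt of the AS-REP.` The same applies to the `[0] IMPLICIT OCTET STRING` fields signedAuthPack, dhSignedData and encKeyPack, whose expected CMS contentType and eContentType OIDs exist only in these comments.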
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/967d7e1c/haox-kerb/specs/pkix.asn1
----------------------------------------------------------------------
diff --git a/haox-kerb/specs/pkix.asn1 b/haox-kerb/specs/pkix.asn1
deleted file mode 100644
index 0398188..0000000
--- a/haox-kerb/specs/pkix.asn1
+++ /dev/null
@@ -1,654 +0,0 @@
-PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1)
- security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
-
-DEFINITIONS EXPLICIT TAGS ::=
-
-BEGIN
-
--- EXPORTS ALL --
-
--- IMPORTS NONE --
-
--- UNIVERSAL Types defined in 1993 and 1998 ASN.1
--- and required by this specification
--- (Commented out for krb5 source tree)
-
--- UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
- -- UniversalString is defined in ASN.1:1993
-
--- BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
- -- BMPString is the subtype of UniversalString and models
- -- the Basic Multilingual Plane of ISO/IEC 10646
-
---UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
- -- The content of this type conforms to RFC 3629.
-
--- PKIX specific OIDs
-
-id-pkix OBJECT IDENTIFIER ::=
- { iso(1) identified-organization(3) dod(6) internet(1)
- security(5) mechanisms(5) pkix(7) }
-
--- PKIX arcs
-
-id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
- -- arc for private certificate extensions
-id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
- -- arc for policy qualifier types
-id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
- -- arc for extended key purpose OIDS
-id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
- -- arc for access descriptors
-
--- policyQualifierIds for Internet policy qualifiers
-
-id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
- -- OID for CPS qualifier
-id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
- -- OID for user notice qualifier
-
--- access descriptor definitions
-
-id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
-id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
-id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 }
-id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }
-
--- attribute data types
-
-Attribute ::= SEQUENCE {
- type AttributeType,
- values SET OF AttributeValue }
- -- at least one value is required
-
-AttributeType ::= OBJECT IDENTIFIER
-
-AttributeValue ::= ANY -- DEFINED BY AttributeType
-
-AttributeTypeAndValue ::= SEQUENCE {
- type AttributeType,
- value AttributeValue }
-
--- suggested naming attributes: Definition of the following
--- information object set may be augmented to meet local
--- requirements. Note that deleting members of the set may
--- prevent interoperability with conforming implementations.
--- presented in pairs: the AttributeType followed by the
--- type definition for the corresponding AttributeValue
-
--- Arc for standard naming attributes
-
-id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
-
--- Naming attributes of type X520name
-
-id-at-name AttributeType ::= { id-at 41 }
-id-at-surname AttributeType ::= { id-at 4 }
-id-at-givenName AttributeType ::= { id-at 42 }
-id-at-initials AttributeType ::= { id-at 43 }
-id-at-generationQualifier AttributeType ::= { id-at 44 }
-
--- Naming attributes of type X520Name:
--- X520name ::= DirectoryString (SIZE (1..ub-name))
---
--- Expanded to avoid parameterized type:
-X520name ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-name)),
- printableString PrintableString (SIZE (1..ub-name)),
- universalString UniversalString (SIZE (1..ub-name)),
- utf8String UTF8String (SIZE (1..ub-name)),
- bmpString BMPString (SIZE (1..ub-name)) }
-
--- Naming attributes of type X520CommonName
-
-id-at-commonName AttributeType ::= { id-at 3 }
-
--- Naming attributes of type X520CommonName:
--- X520CommonName ::= DirectoryName (SIZE (1..ub-common-name))
---
--- Expanded to avoid parameterized type:
-X520CommonName ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-common-name)),
- printableString PrintableString (SIZE (1..ub-common-name)),
- universalString UniversalString (SIZE (1..ub-common-name)),
- utf8String UTF8String (SIZE (1..ub-common-name)),
- bmpString BMPString (SIZE (1..ub-common-name)) }
-
--- Naming attributes of type X520LocalityName
-
-id-at-localityName AttributeType ::= { id-at 7 }
-
--- Naming attributes of type X520LocalityName:
--- X520LocalityName ::= DirectoryName (SIZE (1..ub-locality-name))
---
--- Expanded to avoid parameterized type:
-X520LocalityName ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-locality-name)),
- printableString PrintableString (SIZE (1..ub-locality-name)),
- universalString UniversalString (SIZE (1..ub-locality-name)),
- utf8String UTF8String (SIZE (1..ub-locality-name)),
- bmpString BMPString (SIZE (1..ub-locality-name)) }
-
--- Naming attributes of type X520StateOrProvinceName
-
-id-at-stateOrProvinceName AttributeType ::= { id-at 8 }
-
--- Naming attributes of type X520StateOrProvinceName:
--- X520StateOrProvinceName ::= DirectoryName (SIZE (1..ub-state-name))
---
--- Expanded to avoid parameterized type:
-X520StateOrProvinceName ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-state-name)),
- printableString PrintableString (SIZE (1..ub-state-name)),
- universalString UniversalString (SIZE (1..ub-state-name)),
- utf8String UTF8String (SIZE (1..ub-state-name)),
- bmpString BMPString (SIZE (1..ub-state-name)) }
-
--- Naming attributes of type X520OrganizationName
-
-id-at-organizationName AttributeType ::= { id-at 10 }
-
--- Naming attributes of type X520OrganizationName:
--- X520OrganizationName ::=
--- DirectoryName (SIZE (1..ub-organization-name))
---
--- Expanded to avoid parameterized type:
-X520OrganizationName ::= CHOICE {
- teletexString TeletexString
- (SIZE (1..ub-organization-name)),
- printableString PrintableString
- (SIZE (1..ub-organization-name)),
- universalString UniversalString
- (SIZE (1..ub-organization-name)),
- utf8String UTF8String
- (SIZE (1..ub-organization-name)),
- bmpString BMPString
- (SIZE (1..ub-organization-name)) }
-
--- Naming attributes of type X520OrganizationalUnitName
-
-id-at-organizationalUnitName AttributeType ::= { id-at 11 }
-
--- Naming attributes of type X520OrganizationalUnitName:
--- X520OrganizationalUnitName ::=
--- DirectoryName (SIZE (1..ub-organizational-unit-name))
---
--- Expanded to avoid parameterized type:
-X520OrganizationalUnitName ::= CHOICE {
- teletexString TeletexString
- (SIZE (1..ub-organizational-unit-name)),
- printableString PrintableString
- (SIZE (1..ub-organizational-unit-name)),
- universalString UniversalString
- (SIZE (1..ub-organizational-unit-name)),
- utf8String UTF8String
- (SIZE (1..ub-organizational-unit-name)),
- bmpString BMPString
- (SIZE (1..ub-organizational-unit-name)) }
-
--- Naming attributes of type X520Title
-
-id-at-title AttributeType ::= { id-at 12 }
-
--- Naming attributes of type X520Title:
--- X520Title ::= DirectoryName (SIZE (1..ub-title))
---
--- Expanded to avoid parameterized type:
-X520Title ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-title)),
- printableString PrintableString (SIZE (1..ub-title)),
- universalString UniversalString (SIZE (1..ub-title)),
- utf8String UTF8String (SIZE (1..ub-title)),
- bmpString BMPString (SIZE (1..ub-title)) }
-
--- Naming attributes of type X520dnQualifier
-
-id-at-dnQualifier AttributeType ::= { id-at 46 }
-
-X520dnQualifier ::= PrintableString
-
--- Naming attributes of type X520countryName (digraph from IS 3166)
-
-id-at-countryName AttributeType ::= { id-at 6 }
-
-X520countryName ::= PrintableString (SIZE (2))
-
--- Naming attributes of type X520SerialNumber
-
-id-at-serialNumber AttributeType ::= { id-at 5 }
-
-X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number))
-
--- Naming attributes of type X520Pseudonym
-
-id-at-pseudonym AttributeType ::= { id-at 65 }
-
--- Naming attributes of type X520Pseudonym:
--- X520Pseudonym ::= DirectoryName (SIZE (1..ub-pseudonym))
---
--- Expanded to avoid parameterized type:
-X520Pseudonym ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-pseudonym)),
- printableString PrintableString (SIZE (1..ub-pseudonym)),
- universalString UniversalString (SIZE (1..ub-pseudonym)),
- utf8String UTF8String (SIZE (1..ub-pseudonym)),
- bmpString BMPString (SIZE (1..ub-pseudonym)) }
-
--- Naming attributes of type DomainComponent (from RFC 4519)
-
-id-domainComponent AttributeType ::= { 0 9 2342 19200300 100 1 25 }
-
-DomainComponent ::= IA5String
-
--- Legacy attributes
-
-pkcs-9 OBJECT IDENTIFIER ::=
- { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
-
-id-emailAddress AttributeType ::= { pkcs-9 1 }
-
-EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length))
-
--- naming data types --
-
-Name ::= CHOICE { -- only one possibility for now --
- rdnSequence RDNSequence }
-
-RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
-
-DistinguishedName ::= RDNSequence
-
-RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
-
--- Directory string type --
-
-DirectoryString ::= CHOICE {
- teletexString TeletexString (SIZE (1..MAX)),
- printableString PrintableString (SIZE (1..MAX)),
- universalString UniversalString (SIZE (1..MAX)),
- utf8String UTF8String (SIZE (1..MAX)),
- bmpString BMPString (SIZE (1..MAX)) }
-
--- certificate and CRL specific structures begin here
-
-Certificate ::= SEQUENCE {
- tbsCertificate TBSCertificate,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING }
-
-TBSCertificate ::= SEQUENCE {
- version [0] Version DEFAULT v1,
- serialNumber CertificateSerialNumber,
- signature AlgorithmIdentifier,
- issuer Name,
- validity Validity,
- subject Name,
- subjectPublicKeyInfo SubjectPublicKeyInfo,
- issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
- -- If present, version MUST be v2 or v3
- subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
- -- If present, version MUST be v2 or v3
- extensions [3] Extensions OPTIONAL
- -- If present, version MUST be v3 -- }
-
-Version ::= INTEGER { v1(0), v2(1), v3(2) }
-
-CertificateSerialNumber ::= INTEGER
-
-Validity ::= SEQUENCE {
- notBefore Time,
- notAfter Time }
-
-Time ::= CHOICE {
- utcTime UTCTime,
- generalTime GeneralizedTime }
-
-UniqueIdentifier ::= BIT STRING
-
-SubjectPublicKeyInfo ::= SEQUENCE {
- algorithm AlgorithmIdentifier,
- subjectPublicKey BIT STRING }
-
-Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
-
-Extension ::= SEQUENCE {
- extnID OBJECT IDENTIFIER,
- critical BOOLEAN DEFAULT FALSE,
- extnValue OCTET STRING
- -- contains the DER encoding of an ASN.1 value
- -- corresponding to the extension type identified
- -- by extnID
- }
-
--- CRL structures
-
-CertificateList ::= SEQUENCE {
- tbsCertList TBSCertList,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING }
-
-TBSCertList ::= SEQUENCE {
- version Version OPTIONAL,
- -- if present, MUST be v2
- signature AlgorithmIdentifier,
- issuer Name,
- thisUpdate Time,
- nextUpdate Time OPTIONAL,
- revokedCertificates SEQUENCE OF SEQUENCE {
- userCertificate CertificateSerialNumber,
- revocationDate Time,
- crlEntryExtensions Extensions OPTIONAL
- -- if present, version MUST be v2
- } OPTIONAL,
- crlExtensions [0] Extensions OPTIONAL }
- -- if present, version MUST be v2
-
--- Version, Time, CertificateSerialNumber, and Extensions were
--- defined earlier for use in the certificate structure
-
-AlgorithmIdentifier ::= SEQUENCE {
- algorithm OBJECT IDENTIFIER,
- parameters ANY DEFINED BY algorithm OPTIONAL }
- -- contains a value of the type
- -- registered for use with the
- -- algorithm object identifier value
-
--- X.400 address syntax starts here
-
-ORAddress ::= SEQUENCE {
- built-in-standard-attributes BuiltInStandardAttributes,
- built-in-domain-defined-attributes
- BuiltInDomainDefinedAttributes OPTIONAL,
- -- see also teletex-domain-defined-attributes
- extension-attributes ExtensionAttributes OPTIONAL }
-
--- Built-in Standard Attributes
-
-BuiltInStandardAttributes ::= SEQUENCE {
- country-name CountryName OPTIONAL,
- administration-domain-name AdministrationDomainName OPTIONAL,
- network-address [0] IMPLICIT NetworkAddress OPTIONAL,
- -- see also extended-network-address
- terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL,
- private-domain-name [2] PrivateDomainName OPTIONAL,
- organization-name [3] IMPLICIT OrganizationName OPTIONAL,
- -- see also teletex-organization-name
- numeric-user-identifier [4] IMPLICIT NumericUserIdentifier
- OPTIONAL,
- personal-name [5] IMPLICIT PersonalName OPTIONAL,
- -- see also teletex-personal-name
- organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
- OPTIONAL }
- -- see also teletex-organizational-unit-names
-
-CountryName ::= [APPLICATION 1] CHOICE {
- x121-dcc-code NumericString
- (SIZE (ub-country-name-numeric-length)),
- iso-3166-alpha2-code PrintableString
- (SIZE (ub-country-name-alpha-length)) }
-
-AdministrationDomainName ::= [APPLICATION 2] CHOICE {
- numeric NumericString (SIZE (0..ub-domain-name-length)),
- printable PrintableString (SIZE (0..ub-domain-name-length)) }
-
-NetworkAddress ::= X121Address -- see also extended-network-address
-
-X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
-
-TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
-
-PrivateDomainName ::= CHOICE {
- numeric NumericString (SIZE (1..ub-domain-name-length)),
- printable PrintableString (SIZE (1..ub-domain-name-length)) }
-
-OrganizationName ::= PrintableString
- (SIZE (1..ub-organization-name-length))
- -- see also teletex-organization-name
-
-NumericUserIdentifier ::= NumericString
- (SIZE (1..ub-numeric-user-id-length))
-
-PersonalName ::= SET {
- surname [0] IMPLICIT PrintableString
- (SIZE (1..ub-surname-length)),
- given-name [1] IMPLICIT PrintableString
- (SIZE (1..ub-given-name-length)) OPTIONAL,
- initials [2] IMPLICIT PrintableString
- (SIZE (1..ub-initials-length)) OPTIONAL,
- generation-qualifier [3] IMPLICIT PrintableString
- (SIZE (1..ub-generation-qualifier-length))
- OPTIONAL }
- -- see also teletex-personal-name
-
-OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
- OF OrganizationalUnitName
- -- see also teletex-organizational-unit-names
-
-OrganizationalUnitName ::= PrintableString (SIZE
- (1..ub-organizational-unit-name-length))
-
--- Built-in Domain-defined Attributes
-
-BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
- (1..ub-domain-defined-attributes) OF
- BuiltInDomainDefinedAttribute
-
-BuiltInDomainDefinedAttribute ::= SEQUENCE {
- type PrintableString (SIZE
- (1..ub-domain-defined-attribute-type-length)),
- value PrintableString (SIZE
- (1..ub-domain-defined-attribute-value-length)) }
-
--- Extension Attributes
-
-ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
- ExtensionAttribute
-
-ExtensionAttribute ::= SEQUENCE {
- extension-attribute-type [0] IMPLICIT INTEGER
- (0..ub-extension-attributes),
- extension-attribute-value [1]
- ANY DEFINED BY extension-attribute-type }
-
--- Extension types and attribute values
-
-common-name INTEGER ::= 1
-
-CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
-
-teletex-common-name INTEGER ::= 2
-
-TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
-
-teletex-organization-name INTEGER ::= 3
-
-TeletexOrganizationName ::=
- TeletexString (SIZE (1..ub-organization-name-length))
-
-teletex-personal-name INTEGER ::= 4
-
-TeletexPersonalName ::= SET {
- surname [0] IMPLICIT TeletexString
- (SIZE (1..ub-surname-length)),
- given-name [1] IMPLICIT TeletexString
- (SIZE (1..ub-given-name-length)) OPTIONAL,
- initials [2] IMPLICIT TeletexString
- (SIZE (1..ub-initials-length)) OPTIONAL,
- generation-qualifier [3] IMPLICIT TeletexString
- (SIZE (1..ub-generation-qualifier-length))
- OPTIONAL }
-
-teletex-organizational-unit-names INTEGER ::= 5
-
-TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
- (1..ub-organizational-units) OF TeletexOrganizationalUnitName
-
-TeletexOrganizationalUnitName ::= TeletexString
- (SIZE (1..ub-organizational-unit-name-length))
-
-pds-name INTEGER ::= 7
-
-PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
-
-physical-delivery-country-name INTEGER ::= 8
-
-PhysicalDeliveryCountryName ::= CHOICE {
- x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
- iso-3166-alpha2-code PrintableString
- (SIZE (ub-country-name-alpha-length)) }
-
-postal-code INTEGER ::= 9
-
-PostalCode ::= CHOICE {
- numeric-code NumericString (SIZE (1..ub-postal-code-length)),
- printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
-
-physical-delivery-office-name INTEGER ::= 10
-PhysicalDeliveryOfficeName ::= PDSParameter
-
-physical-delivery-office-number INTEGER ::= 11
-
-PhysicalDeliveryOfficeNumber ::= PDSParameter
-
-extension-OR-address-components INTEGER ::= 12
-
-ExtensionORAddressComponents ::= PDSParameter
-
-physical-delivery-personal-name INTEGER ::= 13
-
-PhysicalDeliveryPersonalName ::= PDSParameter
-
-physical-delivery-organization-name INTEGER ::= 14
-
-PhysicalDeliveryOrganizationName ::= PDSParameter
-
-extension-physical-delivery-address-components INTEGER ::= 15
-
-ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
-
-unformatted-postal-address INTEGER ::= 16
-
-UnformattedPostalAddress ::= SET {
- printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
- OF PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
- teletex-string TeletexString
- (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
-
-street-address INTEGER ::= 17
-
-StreetAddress ::= PDSParameter
-
-post-office-box-address INTEGER ::= 18
-
-PostOfficeBoxAddress ::= PDSParameter
-
-poste-restante-address INTEGER ::= 19
-
-PosteRestanteAddress ::= PDSParameter
-
-unique-postal-name INTEGER ::= 20
-
-UniquePostalName ::= PDSParameter
-
-local-postal-attributes INTEGER ::= 21
-
-LocalPostalAttributes ::= PDSParameter
-
-PDSParameter ::= SET {
- printable-string PrintableString
- (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
- teletex-string TeletexString
- (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
-
-extended-network-address INTEGER ::= 22
-
-ExtendedNetworkAddress ::= CHOICE {
- e163-4-address SEQUENCE {
- number [0] IMPLICIT NumericString
- (SIZE (1..ub-e163-4-number-length)),
- sub-address [1] IMPLICIT NumericString
- (SIZE (1..ub-e163-4-sub-address-length))
- OPTIONAL },
- psap-address [0] IMPLICIT PresentationAddress }
-
-PresentationAddress ::= SEQUENCE {
- pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
- sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
- tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
- nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
-
-terminal-type INTEGER ::= 23
-
-TerminalType ::= INTEGER {
- telex (3),
- teletex (4),
- g3-facsimile (5),
- g4-facsimile (6),
- ia5-terminal (7),
- videotex (8) } (0..ub-integer-options)
-
--- Extension Domain-defined Attributes
-
-teletex-domain-defined-attributes INTEGER ::= 6
-
-TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
- (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
-
-TeletexDomainDefinedAttribute ::= SEQUENCE {
- type TeletexString
- (SIZE (1..ub-domain-defined-attribute-type-length)),
- value TeletexString
- (SIZE (1..ub-domain-defined-attribute-value-length)) }
-
--- specifications of Upper Bounds MUST be regarded as mandatory
--- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
--- Upper Bounds
-
--- Upper Bounds
-ub-name INTEGER ::= 32768
-ub-common-name INTEGER ::= 64
-ub-locality-name INTEGER ::= 128
-ub-state-name INTEGER ::= 128
-ub-organization-name INTEGER ::= 64
-ub-organizational-unit-name INTEGER ::= 64
-ub-title INTEGER ::= 64
-ub-serial-number INTEGER ::= 64
-ub-match INTEGER ::= 128
-ub-emailaddress-length INTEGER ::= 255
-ub-common-name-length INTEGER ::= 64
-ub-country-name-alpha-length INTEGER ::= 2
-ub-country-name-numeric-length INTEGER ::= 3
-ub-domain-defined-attributes INTEGER ::= 4
-ub-domain-defined-attribute-type-length INTEGER ::= 8
-ub-domain-defined-attribute-value-length INTEGER ::= 128
-ub-domain-name-length INTEGER ::= 16
-ub-extension-attributes INTEGER ::= 256
-ub-e163-4-number-length INTEGER ::= 15
-ub-e163-4-sub-address-length INTEGER ::= 40
-ub-generation-qualifier-length INTEGER ::= 3
-ub-given-name-length INTEGER ::= 16
-ub-initials-length INTEGER ::= 5
-ub-integer-options INTEGER ::= 256
-ub-numeric-user-id-length INTEGER ::= 32
-ub-organization-name-length INTEGER ::= 64
-ub-organizational-unit-name-length INTEGER ::= 32
-ub-organizational-units INTEGER ::= 4
-ub-pds-name-length INTEGER ::= 16
-ub-pds-parameter-length INTEGER ::= 30
-ub-pds-physical-address-lines INTEGER ::= 6
-ub-postal-code-length INTEGER ::= 16
-ub-pseudonym INTEGER ::= 128
-ub-surname-length INTEGER ::= 40
-ub-terminal-id-length INTEGER ::= 24
-ub-unformatted-address-length INTEGER ::= 180
-ub-x121-address-length INTEGER ::= 16
-
--- Note - upper bounds on string types, such as TeletexString, are
--- measured in characters. Excepting PrintableString or IA5String, a
--- significantly greater number of octets will be required to hold
--- such a value. As a minimum, 16 octets, or twice the specified
--- upper bound, whichever is the larger, should be allowed for
--- TeletexString. For UTF8String or UniversalString at least four
--- times the upper bound should be allowed.
-
-END
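Review bot: this hunk removes the entire PKIX1Explicit88 reference module (the X.520 naming attributes, Name/RDNSequence, Certificate/TBSCertificate, CertificateList, AlgorithmIdentifier, the X.400 ORAddress types and the ub-* upper bounds through the closing END) and nothing in the hunk shows a relocated copy; if the file is being moved as part of the package rename, please express it as a rename so blame and history follow it, and if it is being dropped for good, record in the commit where the reference text now lives (this module is the one in RFC 5280, Appendix A.1) so the Name, Time and Extensions encoders have a spec to be checked against. The block of upper bounds from "ub-name INTEGER ::= 32768" down to "ub-x121-address-length INTEGER ::= 16", together with the trailing note that these bounds count characters rather than octets and that UTF8String or UniversalString values need at least four times the bound in storage, is the part a decoder must honour when it sizes buffers for DirectoryString and the X.400 attribute values; if any code in the tree derives its limits from these constants, keep that note reachable from the code (a comment at the constant definitions would do) rather than deleting the only copy in the repository.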