Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
EtsiTs102941TypesAuthorizationValidation
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authValidation(7) version1(1)}
DEFINITIONS AUTOMATIC TAGS ::=
BEGIN
IMPORTS
EtsiTs103097Certificate
FROM EtsiTs103097Module
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)}
CertificateFormat, CertificateSubjectAttributes,EcSignature, HashedId8, PublicKeys, Version
FROM EtsiTs102941BaseTypes
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1) }
SharedAtRequest
FROM EtsiTs102941TypesAuthorization
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authorization(5) version1(1)}
;
/************
-- AuthorizationValidationRequest/Response
************/
AuthorizationValidationResponseCode ::= ENUMERATED {
ok(0),
cantparse, -- valid for any structure
badcontenttype, -- not encrypted, not signed, not permissionsverificationrequest
imnottherecipient, -- the “recipients” of the outermost encrypted data doesn’t include me
unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm
decryptionfailed, -- works for ECIES-HMAC and AES-CCM
invalidaa, -- the AA certificate presented is invalid/revoked/whatever
invalidaasignature, -- the AA certificate presented can’t validate the request signature
wrongea, -- the encrypted signature doesn’t designate me as the EA
unknownits, -- can’t retrieve the EC/ITS in my DB
invalidsignature, -- signature verification of the request by the EC fails
invalidencryptionkey, -- signature is good, but the responseEncryptionKey is bad
deniedpermissions, -- requested permissions not granted
deniedtoomanycerts, -- parallel limit
deniedrequest, -- any other reason?
... }
AuthorizationValidationRequest ::= SEQUENCE {
sharedAtRequest SharedAtRequest,
ecSignature EcSignature,
...
}
AuthorizationValidationResponse ::= SEQUENCE {
requestHash OCTET STRING (SIZE(16)),
responseCode AuthorizationValidationResponseCode,
confirmedSubjectAttributes CertificateSubjectAttributes (WITH COMPONENTS{certIssuePermissions ABSENT}) OPTIONAL,
...
}
(WITH COMPONENTS { responseCode (ok), confirmedSubjectAttributes PRESENT }
| WITH COMPONENTS { responseCode (ALL EXCEPT ok), confirmedSubjectAttributes ABSENT }
)
END