Commit 197e4d5b authored by filatov's avatar filatov

Security ASN.1 files: ready for asn1c

parent a3446482
......@@ -100,8 +100,8 @@ SequenceOfRectangularRegion ::= SEQUENCE OF RectangularRegion
PolygonalRegion ::= SEQUENCE SIZE(3..MAX) OF TwoDLocation
TwoDLocation ::= SEQUENCE {
latitude Latitude,
longitude Longitude
latitude SecLatitude,
longitude SecLongitude
}
IdentifiedRegion ::= CHOICE {
......@@ -133,14 +133,14 @@ RegionAndSubregions ::= SEQUENCE {
SequenceOfRegionAndSubregions ::= SEQUENCE OF RegionAndSubregions
ThreeDLocation ::= SEQUENCE {
latitude Latitude,
longitude Longitude,
elevation Elevation
latitude SecLatitude,
longitude SecLongitude,
elevation SecElevation
}
Latitude ::= NinetyDegreeInt
Longitude ::= OneEightyDegreeInt
Elevation ::= ElevInt
SecLatitude ::= NinetyDegreeInt
SecLongitude ::= OneEightyDegreeInt
SecElevation ::= ElevInt
NinetyDegreeInt ::= INTEGER {
min (-900000000),
......
EtsiTs102941BaseTypes
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(0) version1(1) }
-- draft version r6 of 28.09.2017
DEFINITIONS AUTOMATIC TAGS ::= BEGIN
IMPORTS
HashedId8, Time32, PublicEncryptionKey, PublicVerificationKey
FROM
IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base(1) base-types(2) major-version-2(2)}
CertificateId, SubjectAssurance, SequenceOfPsidSsp, SequenceOfPsidGroupPermissions, ValidityPeriod, GeographicRegion
FROM
IEEE1609dot2 {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base (1) schema (1) major-version-2(2)}
EtsiTs103097Data-Encrypted, EtsiTs103097Data-SignedExternalPayload
FROM EtsiTs103097Module
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)}
;
AuthorizationResponseCode ::= ENUMERATED {
ok(0),
-- ITS->AA
its-aa-cantparse, -- valid for any structure
its-aa-badcontenttype, -- not encrypted, not signed, not authorizationrequest
its-aa-imnottherecipient, -- the “recipients” of the outermost encrypted data doesn’t include me
its-aa-unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm
its-aa-decryptionfailed, -- works for ECIES-HMAC and AES-CCM
its-aa-keysdontmatch, -- HMAC keyTag verification fails
its-aa-incompleterequest, -- some elements are missing
its-aa-invalidencryptionkey, -- the responseEncryptionKey is bad
its-aa-outofsyncrequest, -- signingTime is outside acceptable limits
its-aa-unknownea, -- the EA identified by eaId is unknown to me
its-aa-invalidea, -- the EA certificate is revoked
its-aa-deniedpermissions, -- I, the AA, deny the requested permissions
-- AA->EA
aa-ea-cantreachea, -- the EA is unreachable (network error?)
-- EA->AA
ea-aa-cantparse, -- valid for any structure
ea-aa-badcontenttype, -- not encrypted, not signed, not authorizationrequest
ea-aa-imnottherecipient, -- the “recipients” of the outermost encrypted data doesn’t include me
ea-aa-unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm
ea-aa-decryptionfailed, -- works for ECIES-HMAC and AES-CCM
-- TODO: to be continued...
invalidaa, -- the AA certificate presented is invalid/revoked/whatever
invalidaasignature, -- the AA certificate presented can’t validate the request signature
wrongea, -- the encrypted signature doesn’t designate me as the EA
unknownits, -- can’t retrieve the EC/ITS in my DB
invalidsignature, -- signature verification of the request by the EC fails
invalidencryptionkey, -- signature is good, but the key is bad
deniedpermissions, -- permissions not granted
deniedtoomanycerts, -- parallel limit
... }
AuthorizationValidationResponseCode ::= ENUMERATED {
ok(0),
cantparse, -- valid for any structure
badcontenttype, -- not encrypted, not signed, not permissionsverificationrequest
imnottherecipient, -- the “recipients” of the outermost encrypted data doesn’t include me
unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm
decryptionfailed, -- works for ECIES-HMAC and AES-CCM
invalidaa, -- the AA certificate presented is invalid/revoked/whatever
invalidaasignature, -- the AA certificate presented can’t validate the request signature
wrongea, -- the encrypted signature doesn’t designate me as the EA
unknownits, -- can’t retrieve the EC/ITS in my DB
invalidsignature, -- signature verification of the request by the EC fails
invalidencryptionkey, -- signature is good, but the responseEncryptionKey is bad
deniedpermissions, -- requested permissions not granted
deniedtoomanycerts, -- parallel limit
deniedrequest, -- any other reason?
... }
CertificateFormat::= INTEGER{
ts103097v211 (1)
}(1..255)
CertificateSubjectAttributes::= SEQUENCE {
id CertificateId OPTIONAL,
validityPeriod ValidityPeriod OPTIONAL,
region GeographicRegion OPTIONAL,
assuranceLevel SubjectAssurance OPTIONAL,
appPermissions SequenceOfPsidSsp OPTIONAL,
certIssuePermissions SequenceOfPsidGroupPermissions OPTIONAL,
...
}(WITH COMPONENTS { ..., appPermissions PRESENT} |
WITH COMPONENTS { ..., certIssuePermissions PRESENT})
EnrolmentResponseCode ::= ENUMERATED {
ok(0),
cantparse, -- valid for any structure
badcontenttype, -- not encrypted, not signed, not enrolmentrequest
imnottherecipient, -- the “recipients” doesn’t include me
unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm
decryptionfailed, -- works for ECIES-HMAC and AES-CCM
unknownits, -- can’t retrieve the ITS from the itsId
invalidsignature, -- signature verification of the request fails
invalidencryptionkey, -- signature is good, but the responseEncryptionKey is bad
baditsstatus, -- revoked, not yet active
incompleterequest, -- some elements are missing
deniedpermissions, -- requested permissions are not granted
invalidkeys, -- either the verification_key of the encryption_key is bad
deniedrequest, -- any other reason?
... }
EcSignature::= CHOICE{
encryptedEcSignature EtsiTs103097Data-Encrypted{EtsiTs103097Data-SignedExternalPayload},
ecSignature EtsiTs103097Data-SignedExternalPayload
}
PublicKeys ::= SEQUENCE {
verificationKey PublicVerificationKey,
encryptionKey PublicEncryptionKey OPTIONAL
}
Version ::= INTEGER {v1(1)}
END
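Review bot: AuthorizationResponseCode is still a draft list — the `-- TODO: to be continued...` marker is followed by unprefixed names (`invalidaa`, `wrongea`, `deniedtoomanycerts`, ...) that duplicate AuthorizationValidationResponseCode, and every enumerator after `ok(0)` is numbered only by its position. Because both enumerations carry an extension marker, any later insertion or removal before `...` silently renumbers the codes on the wire, so the list should be settled and given explicit numbers (e.g. `its-aa-cantparse(1)`) before code is generated from it. The `(WITH COMPONENTS { responseCode (ok), certificate PRESENT } ...)` constraints in the message modules rely on `ok` staying value 0, which makes it the one enumerator that must never move. Two comment fixes while here: `-- either the verification_key of the encryption_key is bad` should read `or`, and the curly quotes (`“recipients”`, `doesn’t`) are non-ASCII — harmless for most compilers, but worth replacing with plain quotes if asn1c's lexer rejects them.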
EtsiTs102941Its-sMessages
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) its-sMessages(1) version1(1)}
-- draft version r6 of 28.09.2017
DEFINITIONS AUTOMATIC TAGS ::=
BEGIN
IMPORTS
EtsiTs103097Certificate, EtsiTs103097Data-Signed, EtsiTs103097Data-Encrypted, EtsiTs103097Data-SignedExternalPayload, EtsiTs103097Data-SignedAndEncrypted
FROM EtsiTs103097Module
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)}
AuthorizationResponseCode, AuthorizationValidationResponseCode, CertificateFormat, CertificateSubjectAttributes,EnrolmentResponseCode, EcSignature, HashedId8, PublicKeys, Version
FROM EtsiTs102941BaseTypes
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(0) version1(1) }
;
/************
-- Messages
************/
EnrolmentRequestMessage::= EtsiTs103097Data-SignedAndEncrypted {EtsiTS102941DataIts-s (WITH COMPONENTS{..., content (WITH COMPONENTS{enrolmentRequest PRESENT})})}
EnrolmentResponseMessage::= EtsiTs103097Data-SignedAndEncrypted {EtsiTS102941DataIts-s (WITH COMPONENTS{..., content (WITH COMPONENTS{enrolmentResponse PRESENT})})}
AuthorizationRequestMessage::= EtsiTs103097Data-Encrypted {EtsiTS102941DataIts-s (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationRequest PRESENT})})}
AuthorizationRequestMessageWithPop::= EtsiTs103097Data-Encrypted {EtsiTS102941DataIts-s (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationRequestWithPop PRESENT})})}
AuthorizationResponseMessage::= EtsiTs103097Data-SignedAndEncrypted {EtsiTS102941DataIts-s (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationResponse PRESENT})})}
AuthorizationValidationRequestMessage::= EtsiTs103097Data-SignedAndEncrypted {EtsiTS102941DataIts-s (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationValidationRequest PRESENT})})}
AuthorizationValidationResponseMessage::= EtsiTs103097Data-SignedAndEncrypted {EtsiTS102941DataIts-s (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationValidationResponse PRESENT})})}
/************
-- EtsiTS102941Data
************/
EtsiTS102941DataIts-s::= SEQUENCE{
version Version (v1),
content Content}
Content ::= CHOICE{
enrolmentRequest InnerEcRequestSignedForPop,
enrolmentResponse InnerEcResponse,
authorizationRequest InnerAtRequest,
authorizationRequestWithPop InnerAtRequestSignedForPop,
authorizationResponse InnerAtResponse,
authorizationValidationRequest AuthorizationValidationRequest,
authorizationValidationResponse AuthorizationValidationResponse,
caCertificateRequest NULL,
caCertificateResponse NULL,
...
}
/************
-- EnrolmentRequest/Response
************/
InnerEcRequestSignedForPop::= EtsiTs103097Data-Signed{InnerEcRequest}
InnerEcRequest::= SEQUENCE {
itsId IA5String,
certificateFormat CertificateFormat,
publicKeys PublicKeys,
requestedSubjectAttributes CertificateSubjectAttributes (WITH COMPONENTS{certIssuePermissions ABSENT}),
...
}
InnerEcResponse ::= SEQUENCE {
requestHash OCTET STRING (SIZE(16)),
responseCode EnrolmentResponseCode,
certificate EtsiTs103097Certificate OPTIONAL,
...
}
(WITH COMPONENTS { responseCode (ok), certificate PRESENT }
| WITH COMPONENTS { responseCode (ALL EXCEPT ok), certificate ABSENT }
)
/************
-- AuthorizationRequest/Response
************/
InnerAtRequestSignedForPop::= EtsiTs103097Data-Signed{InnerAtRequest}
InnerAtRequest ::= SEQUENCE {
publicKeys PublicKeys,
hmacKey OCTET STRING (SIZE(32)),
sharedAtRequest SharedAtRequest,
ecSignature EcSignature,
...
}
SharedAtRequest ::= SEQUENCE {
eaId HashedId8,
keyTag OCTET STRING (SIZE(16)),
ertificateFormat CertificateFormat,
requestedSubjectAttributes CertificateSubjectAttributes (WITH COMPONENTS{certIssuePermissions ABSENT}),
...
}
InnerAtResponse ::= SEQUENCE {
requestHash OCTET STRING (SIZE(16)),
responseCode AuthorizationResponseCode,
certificate EtsiTs103097Certificate OPTIONAL,
...
}
(WITH COMPONENTS { responseCode (ok), certificate PRESENT }
| WITH COMPONENTS { responseCode (ALL EXCEPT ok), certificate ABSENT }
)
/************
-- AuthorizationValidationRequest/Response
************/
AuthorizationValidationRequest ::= SEQUENCE {
sharedAtRequest SharedAtRequest,
ecSignature EcSignature,
...
}
AuthorizationValidationResponse ::= SEQUENCE {
requestHash OCTET STRING (SIZE(16)),
responseCode AuthorizationValidationResponseCode,
confirmedSubjectAttributes CertificateSubjectAttributes (WITH COMPONENTS{certIssuePermissions ABSENT}) OPTIONAL,
...
}
END
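Review bot: The inner constraints `CertificateSubjectAttributes (WITH COMPONENTS{certIssuePermissions ABSENT})` in InnerEcRequest, SharedAtRequest and AuthorizationValidationResponse lack the leading `...,` — in the full-specification form of WITH COMPONENTS the unlisted components are not left free (they are forced absent, or the constraint is ill-formed, depending on the compiler), which contradicts the base type's own requirement that appPermissions be PRESENT; they should read `CertificateSubjectAttributes (WITH COMPONENTS{..., certIssuePermissions ABSENT})`. AuthorizationValidationResponse also lacks the coupling its siblings have: unlike InnerEcResponse and InnerAtResponse, nothing ties `responseCode (ok)` to `confirmedSubjectAttributes PRESENT` and `ALL EXCEPT ok` to ABSENT, so an AA decoding a validation response must add that check by hand — the same `(WITH COMPONENTS { responseCode (ok), confirmedSubjectAttributes PRESENT } | WITH COMPONENTS { responseCode (ALL EXCEPT ok), confirmedSubjectAttributes ABSENT })` pattern fits here. Finally, `ertificateFormat` in SharedAtRequest is a typo; it does not change the encoding under AUTOMATIC TAGS, but it becomes the generated identifier, so fix it before any code is produced: `certificateFormat CertificateFormat,`.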
EtsiTs102941OfflineDataStructures
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) offlineDataStructures(3) version1(1)}
-- draft version r6 of 28.09.2017
DEFINITIONS AUTOMATIC TAGS ::=
BEGIN
IMPORTS
EtsiTs103097Certificate, EtsiTs103097Data-SignedAndEncrypted, EtsiTs103097Data-Signed
FROM
EtsiTs103097Module
{itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)}
HashedId8, PublicKeys, CertificateSubjectAttributes, EnrolmentResponseCode, Time32, Version
FROM EtsiTs102941BaseTypes
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941)baseTypes(0) version1(1)}
;
/************
-- Messages
************/
CaCertificateRequestMessage ::= EtsiTs103097Data-Signed {EtsiTS102941DataCa(WITH COMPONENTS{..., content (WITH COMPONENTS{caCertificateRequest PRESENT})})}
CaCertificateResponseMessage ::= EtsiTs103097Data-Signed {EtsiTS102941DataCa(WITH COMPONENTS{..., content (WITH COMPONENTS{caCertificateResponse PRESENT})})}
/************
-- EtsiTS102941Data
************/
EtsiTS102941DataCa::= SEQUENCE{
version Version (v1),
content CaContent}
CaContent ::= CHOICE{
caCertificateRequest CaCertificateRequest,
caCertificateResponse CaCertificateResponse,
...
}
/************
-- CA certificate request
************/
CaCertificateRequest ::= SEQUENCE {
publicKeys PublicKeys,
reqquestedSubjectAttributes CertificateSubjectAttributes,
...
}
CaCertificateResponse::=SEQUENCE {
requestHash OCTET STRING (SIZE(16)),
responseCode EnrolmentResponseCode,
certificate EtsiTs103097Certificate OPTIONAL,
...
}
(WITH COMPONENTS { responseCode (ok), certificate PRESENT }
| WITH COMPONENTS { responseCode (ALL EXCEPT ok), certificate ABSENT }
)
END
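Review bot: `reqquestedSubjectAttributes` in CaCertificateRequest is a typo; it does not affect the encoding, but it will be the generated member name, so correct it now: `requestedSubjectAttributes CertificateSubjectAttributes,`. CaCertificateResponse reuses EnrolmentResponseCode, whose members (`unknownits`, `baditsstatus`, `invalidkeys`) describe an ITS-S enrolment rather than a CA certificate request; if that reuse is intentional, a comment stating which codes a CA may return would stop implementers inventing their own mapping, e.g. `-- CA requests reuse EnrolmentResponseCode; only ok/cantparse/badcontenttype/invalidsignature/deniedpermissions/deniedrequest are expected here -- TODO confirm`. The IMPORTS also bring in `HashedId8`, `Time32` and `EtsiTs103097Data-SignedAndEncrypted`, none of which this module uses; dropping them makes it clear that the offline messages are signed only, never encrypted.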
EtsiTs102941TrustLists
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) trustLists(2) version(1)}
-- draft version r6 of 28.09.2017
DEFINITIONS AUTOMATIC TAGS ::= BEGIN
IMPORTS
ItsPduHeader
FROM
ITS-Container
{itu-t (0) identified-organization (4) etsi (0) itsDomain (5) wg1 (1) ts (102894) cdd (2) version (1)}
EtsiTs103097Certificate, EtsiTs103097Data-SignedAndEncrypted, EtsiTs103097Data-Signed
FROM
EtsiTs103097Module
{itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)}
HashedId8, Time32, Version
FROM EtsiTs102941BaseTypes
{itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(0) version1(1)}
;
/************
-- Messages
************/
CTLM::= SEQUENCE {
header ItsPduHeader,
ctl Ctl,
...
}
CRLM::= SEQUENCE {
header ItsPduHeader,
crl Crl,
...
}
/************
-- CRL
************/
Crl ::= EtsiTs103097Data-Signed{ToBeSignedCrl}
ToBeSignedCrl ::= SEQUENCE {
version Version,
thisUpdate Time32,
nextUpdate Time32,
entries SEQUENCE OF CRLEntry,
...
}
CRLEntry ::= HashedId8
/************
-- CTL
************/
Ctl ::= EtsiTs103097Data-Signed{ToBeSignedCtl}
ToBeSignedCtl::= CtlFormat (FullCtl | DeltaCtl)
FullCtl::= CtlFormat(WITH COMPONENTS {...,
isFullCtl(TRUE),
ctlCommands(WITH COMPONENT(
(WITH COMPONENTS {...,
delete ABSENT
})
))
})
DeltaCtl::= CtlFormat (WITH COMPONENTS {...,
isFullCtl(FALSE)
})
CtlFormat ::= SEQUENCE {
version Version,
nextUpdate Time32,
isFullCtl BOOLEAN,
ctlSequence INTEGER (0..255),
ctlCommands SEQUENCE OF CtlCommand,
...
}
CtlCommand::= CHOICE{
add CtlEntry,
delete CtlDelete,
...
}
CtlEntry ::= CHOICE {
rca RootCaEntry,
ea EaEntry,
aa AaEntry,
dc DcEntry,
tlm TlmEntry,
...
}
CtlDelete ::= CHOICE {
cert HashedId8,
dc DcDelete,
...
}
RootCaEntry ::= SEQUENCE {
selfsignedRootCa EtsiTs103097Certificate,
linkRootCaCertificate EtsiTs103097Certificate OPTIONAL,
constraints OCTET STRING OPTIONAL
}
EaEntry ::= SEQUENCE {
eaCertificate EtsiTs103097Certificate,
linkEaCertificate EtsiTs103097Certificate OPTIONAL,
aaAccessPoint Url,
itsAccessPoint Url OPTIONAL }
-- First URL is to be used by AA (AuthorizationValidationRequest)
-- second URL is to be used by ITS-S (AuthorizationRequest)
AaEntry ::= SEQUENCE {
aaCertificate EtsiTs103097Certificate,
accessPoint Url
}
DcEntry::= Url
DcDelete::= Url
TlmEntry::= SEQUENCE {
selfSignedTLMCertificate EtsiTs103097Certificate,
linkTLMCertificate EtsiTs103097Certificate OPTIONAL
}
Url::= IA5String
END
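Review bot: Nothing in CtlFormat or ToBeSignedCrl states how a relying party detects a replayed or rolled-back list: CtlFormat carries only `nextUpdate` and an 8-bit `ctlSequence` (0..255) that wraps, ToBeSignedCrl carries `thisUpdate`/`nextUpdate` and no sequence at all, and `version` is left unconstrained here even though the message modules pin `Version (v1)`. A consumer that only verifies the signature could accept an older, still-valid CTL or CRL in place of a newer one, so a comment on `ctlSequence` and `thisUpdate` describing the comparison rule — and what a DeltaCtl whose `ctlSequence` does not follow the last accepted full CTL means — would help implementers converge. `constraints OCTET STRING OPTIONAL` in RootCaEntry is an untyped, unbounded blob inside the trust list; if its contents are still undefined, say so in a comment, and consider SIZE bounds on it and on `Url::= IA5String`, since both arrive from the network and drive allocations in the generated decoder. `EtsiTs103097Data-SignedAndEncrypted` is imported but unused in this module.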