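-- ETSI TS 102 941 authorization validation types: the request/response pair
-- and the response code enumeration. The comments in this module refer to the
-- responder as the EA and to the presented certificate as the AA certificate.
--
-- Layout note: one item per line is required here, not cosmetic. A line
-- comment runs to the end of the line or to the next comment delimiter, so
-- collapsing the enumeration onto a single line makes each comment absorb the
-- item that follows it and the module no longer parses as intended.
EtsiTs102941TypesAuthorizationValidation
  { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authValidation(7) version2(2)}

DEFINITIONS AUTOMATIC TAGS ::=
BEGIN

-- Only CertificateSubjectAttributes, EcSignature and SharedAtRequest are
-- referenced below; the remaining imported symbols are kept unchanged.
IMPORTS

EtsiTs103097Certificate
FROM
EtsiTs103097Module
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)}

CertificateFormat, CertificateSubjectAttributes,EcSignature, HashedId8, PublicKeys, Version
FROM EtsiTs102941BaseTypes
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version2(2) }

SharedAtRequest
FROM EtsiTs102941TypesAuthorization
{ itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authorization(5) version2(2)}

;

/************
-- AuthorizationValidationRequest/Response
************/

-- Outcome of an authorization validation request. ok(0) is the only success
-- value; every other value reports a refusal and the check that failed.
-- The type is extensible ("..."), so a receiver can meet values it does not
-- know: handle any value other than ok as a refusal, never as success.
AuthorizationValidationResponseCode ::= ENUMERATED {
  ok(0),
  cantparse,                  -- valid for any structure
  badcontenttype,             -- not encrypted, not signed, not permissionsverificationrequest
  imnottherecipient,          -- the "recipients" of the outermost encrypted data don't include me
  unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm
  decryptionfailed,           -- works for ECIES-HMAC and AES-CCM
  invalidaa,                  -- the AA certificate presented is invalid/revoked/whatever
  invalidaasignature,         -- the AA certificate presented can't validate the request signature
  wrongea,                    -- the encrypted signature doesn't designate me as the EA
  unknownits,                 -- can't retrieve the EC/ITS in my DB
  invalidsignature,           -- signature verification of the request by the EC fails
  invalidencryptionkey,       -- signature is good, but the responseEncryptionKey is bad
  deniedpermissions,          -- requested permissions not granted
  deniedtoomanycerts,         -- parallel limit
  deniedrequest,              -- any other reason?
  ...
}

-- Request to validate an authorization: the shared AT request together with
-- an EC signature. NOTE(review): presumably ecSignature is the signature that
-- the invalidsignature code above refers to; what exactly it covers is not
-- stated in this module, confirm against the TS 102 941 text.
AuthorizationValidationRequest ::= SEQUENCE {
  sharedAtRequest SharedAtRequest,
  ecSignature     EcSignature,
  ...
}

-- Answer to an AuthorizationValidationRequest.
-- The outer constraint ties two fields together: responseCode ok requires
-- confirmedSubjectAttributes to be present, and any other code requires it to
-- be absent.
-- NOTE(review): not every ASN.1 toolchain enforces inner subtype constraints
-- when decoding; confirm that yours does, or check the pairing in application
-- code before acting on a response.
AuthorizationValidationResponse ::= SEQUENCE {
  -- 16 octets identifying the request being answered. This module fixes only
  -- the length; what is hashed and with which digest is not stated here
  -- (TODO confirm against the TS 102 941 text). A receiver should match it
  -- to its outstanding request before trusting the rest of the response.
  requestHash                 OCTET STRING (SIZE(16)),
  responseCode                AuthorizationValidationResponseCode,
  -- certIssuePermissions must be absent, so the confirmed attributes cannot
  -- carry certificate issuing permissions.
  confirmedSubjectAttributes  CertificateSubjectAttributes (WITH COMPONENTS{..., certIssuePermissions ABSENT}) OPTIONAL,
  ...
}
(WITH COMPONENTS { responseCode (ok), confirmedSubjectAttributes PRESENT }
 | WITH COMPONENTS { responseCode (ALL EXCEPT ok), confirmedSubjectAttributes ABSENT }
)

END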