/*
 * ASN.1 module of the smart secure platform (OID arc 3666, part 1, i.e. ETSI TS 103 666-1).
 * It defines the messages carried over the SCL gates: file system service (FS), accessor
 * authentication service (AAS), TCP, UDP and CRON services, plus the authentication token.
 * AUTOMATIC TAGS: components of a SEQUENCE/SET/CHOICE get automatic context tags unless at
 * least one component of that type carries an explicit tag. EXTENSIBILITY IMPLIED: every type
 * is extensible, so decoders must tolerate unknown trailing components.
 * Lines marked NOTE(review) point at things to confirm against the published text; no
 * identifier, tag, constraint or default has been changed, only comments were added.
 */
SSPDefinitions { itu-t (0) identified-organization (4) etsi (0) smart-secure-platform (3666) part1 (1) }
DEFINITIONS AUTOMATIC TAGS EXTENSIBILITY IMPLIED ::=
BEGIN
EXPORTS ALL;

/* Imports */
-- Only Certificate, Extensions, ECDSA-Sig-Value, AlgorithmIdentifier, SubjectPublicKeyInfo
-- and Version are referenced below; the remaining imports are unused in this module.
IMPORTS
  Certificate, -- RFC5280 Certificate X.509v3
  id-pkix,
  Extensions, -- RFC5280 X.509v3 extension
  Extension,
  ECDSA-Sig-Value, -- NOTE(review): RFC 5280 PKIX1Explicit88 does not define this type; it lives in the PKIX algorithms module (RFC 3279 / RFC 5480). Confirm the import source.
  AlgorithmIdentifier,
  Attribute,
  AttributeType,
  AttributeValue,
  AttributeTypeAndValue,
  SubjectPublicKeyInfo,
  UniqueIdentifier,
  Validity,
  Version
  FROM PKIX1Explicit88;

/* Basic types */
maxUInt32 INTEGER ::= 4294967295
UInt32 ::= INTEGER (0..maxUInt32) -- unsigned 32-bit range, used for file offsets and byte counts

/* Common types */
UUID ::= OCTET STRING (SIZE(16)) -- 16-byte identifier; used for node short names, accessor and gate identities
URI ::= OCTET STRING -- no character set or syntax constraint is applied here
Certificates ::= SET OF Certificate -- unordered set of X.509 certificates (certification path)
VersionType ::= OCTET STRING(SIZE(2)) -- major/minor version, coded as binary value on byte 1 and 2, e.g. '0F 00' for v15.0.

/* Capabilities of the terminal */
TerminalCapability ::= SEQUENCE {
  aTerminalRelease [0] VersionType,
  aTerminalVendorName [1] UTF8String (SIZE(1..20)) OPTIONAL,
  aInterfacePowerSupply [2] INTEGER (0..1000) DEFAULT 0,
  aExternalPowerSupply [3] INTEGER (0..1000) DEFAULT 0,
  aToolkitTerminalProfile [4] OCTET STRING OPTIONAL -- opaque to this module; no length bound
}

/* Class of the SSP, as defined in clause 11 */
SSPClass ::= ENUMERATED {
  eSSPClass-Integrated (0), -- iSSP
  eSSPClass-Embedded-Type1 (1), -- eSSP Type 1
  eSSPClass-Embedded-Type2 (2), -- eSSP Type 2
  eSSPClass-Removable (3) -- rSSP
}

/* Capabilities of the SSP */
SSPCapability ::= SEQUENCE {
  aSspRelease [0] VersionType,
  aSspVendorName [1] UTF8String (SIZE(1..20)) OPTIONAL,
  aSspClass [2] SSPClass,
  -- NOTE(review): ANY DEFINED BY is X.208 (1988) syntax withdrawn from X.680; current compilers
  -- may reject it or need a legacy mode. The content is an unbounded open type selected by
  -- aSspClass, so a receiver has to length-check and validate it itself.
  aClassSpecificCapabilities [3] ANY DEFINED BY aSspClass OPTIONAL,
  aSspUicc [4] SspUiccCapability OPTIONAL,
  aSspUserInterface [5] SSPUserInterface OPTIONAL
}

/* Capabilities of the SSP - UICC*/
SspUiccCapability ::= SEQUENCE {
  aNumberOfLogicalChannels [0] INTEGER (1..20) DEFAULT 1,
  aProactivePollingRequirement [1] BOOLEAN DEFAULT FALSE,
  aSupportOfUiccFileSystem [2] BOOLEAN DEFAULT FALSE,
  aSupportOfCardApplicationToolkit [3] BOOLEAN DEFAULT FALSE,
  aCardApplicationToolkitCapabilities [4] OCTET STRING OPTIONAL
}

/* Capabilities of the SSP - User interface */
SSPUserInterface ::= SEQUENCE {
  aUrl [1] OCTET STRING -- Url for the user interface
}

/* Node descriptor */
FileSize ::= INTEGER -- unconstrained; negative values are not excluded by the syntax
MetaDatum ::= SEQUENCE {
  aTypeDatum OBJECT IDENTIFIER,
  aData ANY DEFINED BY aTypeDatum OPTIONAL -- NOTE(review): legacy ANY DEFINED BY, see SSPCapability; open type keyed on aTypeDatum
}
NodeDescriptor ::= SEQUENCE {
  aNodeName NodeName, -- Node name
  aShortName UUID, -- Short node name
  aNode CHOICE {
    aLink SEQUENCE {
      aLinkedFileIdentity NodeIdentity, -- Identity of the linked SSP file
      aLinkedFileSize FileSize -- Size of the linked SSP file
    },
    aFile SEQUENCE {
      aFileSize FileSize -- Size of the SSP file
    },
    aDirectory SEQUENCE { }
  },
  aMetaData SEQUENCE OF MetaDatum OPTIONAL, -- Optional meta data
  aACL SET OF AccessControl OPTIONAL -- Access Control List attribute
}

/* Node identity */
NodeName ::= UTF8String (SIZE(1..16)) -- node name encoded in UTF-8
NodeReference ::= SEQUENCE (SIZE(1..6)) OF NodeName -- pathname and node name
NodeIdentity ::= CHOICE {
  aShortName UUID, -- UUID of file reference using absolute pathname
  aNodeReference NodeReference -- Node reference
}
AccessMode ::= BIT STRING {
  eReadAccessMode (0), -- Access mode: read
  eWriteAccessMode (1) -- Access mode: write
}
SessionID ::= INTEGER (0..255)

-- Named right masks for the FS gate. Each value is an AccessorRights bit string with a single
-- bit set; eRight-Bit1 is bit 0. The meaning of each bit is only given by its value name here.
eFSAccessRight-RequiresSecurePipe AccessorRights ::= { eRight-Bit1 }
eFSAccessRight-ReadContent AccessorRights ::= { eRight-Bit2 }
eFSAccessRight-GetInfo AccessorRights ::= { eRight-Bit3 }
eFSAccessRight-Write AccessorRights ::= { eRight-Bit4 }
eFSAccessRight-UpdateMetadata AccessorRights ::= { eRight-Bit5 }
eFSAccessRight-UpdateACL AccessorRights ::= { eRight-Bit6 }
eFSAccessRight-Delete AccessorRights ::= { eRight-Bit7 }
eFSAccessRight-DeleteChild AccessorRights ::= { eRight-Bit8 }

/* File system service: commands and responses (one PRIVATE tag per command/response pair) */
FS-ADMIN-GET-CAPABILITIES-Service-Command ::= [PRIVATE 16] SEQUENCE { }
FS-ADMIN-GET-CAPABILITIES-Service-Response-Parameter ::= SEQUENCE {
  aVersion VersionType, -- Release of the file system service
  aSimultaneousFileSessions INTEGER (1..32) DEFAULT 1, -- Max number of simultaneous file sessions
  aSimultaneousFileSessionsPerFile INTEGER (1..32) DEFAULT 1, -- Max number of sessions on a file
  aTotalCapacity INTEGER (0..MAX), -- Total capacity in bytes
  aFreeCapacity INTEGER (0..MAX), -- Remaining capacity in bytes
  aMaxMetaDataSizePerNode INTEGER (0..MAX) -- Maximum metadata size per node
}
FS-ADMIN-GET-CAPABILITIES-Service-Response ::= [PRIVATE 16] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK,
  aParameter FS-ADMIN-GET-CAPABILITIES-Service-Response-Parameter OPTIONAL
}
FS-ADMIN-CREATE-NODE-Service-Command ::= [PRIVATE 17] SEQUENCE {
  aNodeDescriptor NodeDescriptor, -- Node descriptor
  aNodeDirectoryIdentity NodeIdentity -- Node identity
}
FS-ADMIN-CREATE-NODE-Service-Response ::= [PRIVATE 17] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK
}
FS-ADMIN-DELETE-NODE-Service-Command ::= [PRIVATE 18] SEQUENCE {
  aNodeIdentity NodeIdentity -- Node identity
}
FS-ADMIN-DELETE-NODE-Service-Response ::= [PRIVATE 18] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK
}
FS-ADMIN-UPDATE-NODE-ATTRIBUTES-Service-Command ::= [PRIVATE 19] SEQUENCE {
  aNodeIdentity NodeIdentity, -- Node identity
  aMetaData SEQUENCE OF MetaDatum OPTIONAL, -- New meta data
  aACL SET OF AccessControl OPTIONAL -- New access control
}
FS-ADMIN-UPDATE-NODE-ATTRIBUTES-Service-Response ::= [PRIVATE 19] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK
}
FS-OP-FILE-OPEN-Service-Command ::= [PRIVATE 20] SEQUENCE {
  aNodeIdentity NodeIdentity, -- Node identity
  aAccessMode AccessMode DEFAULT '01'B, -- Access mode, default: eReadAccessMode
  -- NOTE(review): in a bit string literal the leading bit is bit 0, so '01'B sets bit 1
  -- (eWriteAccessMode) and clears bit 0 (eReadAccessMode), contradicting the comment above.
  -- A read-only default would be '1'B. Confirm the intended default: an implementation that
  -- follows the literal opens a file writable whenever the sender omits aAccessMode.
  aGateURI URI OPTIONAL -- URI of data gate (only for transfer on separate pipe session)
}
FS-OP-FILE-OPEN-Service-Response-Parameter ::= SEQUENCE {
  aSessionID SessionID -- File session
}
FS-OP-FILE-OPEN-Service-Response ::= [PRIVATE 20] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK,
  aParameter FS-OP-FILE-OPEN-Service-Response-Parameter OPTIONAL
}
FS-OP-FILE-CLOSE-Service-Command ::= [PRIVATE 21] SEQUENCE {
  aSessionID SessionID -- File session
}
FS-OP-FILE-CLOSE-Service-Response ::= [PRIVATE 21] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK
}
FS-OP-NODE-GET-INFO-Service-Command ::= [PRIVATE 22] SEQUENCE {
  aNodeIdentity NodeIdentity, -- Node identity
  aRequestType BIT STRING {
    aParent (0), -- Get info on the parent of the requested node (if not set, get info of requested node)
    aContain (1), -- Get info on the child nodes of the requested node (applicable only for SSP directories)
    aMetaData (2) -- Include metadata in the response
  } DEFAULT '000'B
}
FS-OP-NODE-GET-INFO-Service-Response-Parameter ::= SEQUENCE {
  aNodeDescriptorList SEQUENCE (SIZE (1..255)) OF NodeDescriptor
}
FS-OP-NODE-GET-INFO-Service-Response ::= [PRIVATE 22] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK,
  aParameter FS-OP-NODE-GET-INFO-Service-Response-Parameter OPTIONAL
}
FS-OP-FILE-READ-Service-Command ::= [PRIVATE 23] SEQUENCE {
  aSessionID SessionID, -- File session
  aOffset UInt32 OPTIONAL, -- Offset from the beginning of the file
  aNumberOfBytes UInt32 OPTIONAL -- Number of bytes to read; behaviour when absent is not defined in this module
}
FS-OP-FILE-READ-Service-Response-Parameter ::= SEQUENCE {
  aSessionID SessionID, -- File session
  aData OCTET STRING OPTIONAL
}
FS-OP-FILE-READ-Service-Response ::= [PRIVATE 23] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK,
  aParameter FS-OP-FILE-READ-Service-Response-Parameter OPTIONAL
}
FS-OP-FILE-WRITE-Service-Command ::= [PRIVATE 24] SEQUENCE {
  aSessionID SessionID, -- File session
  aOffset UInt32 OPTIONAL, -- Offset from the beginning of the file
  aDataInfo CHOICE {
    aNumberOfBytes UInt32, -- Number of bytes to write
    aData OCTET STRING -- Data to write
  }
}
FS-OP-FILE-WRITE-Service-Response-Parameter ::= SEQUENCE {
  aSessionID SessionID -- File session
}
FS-OP-FILE-WRITE-Service-Response ::= [PRIVATE 24] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK,
  aParameter FS-OP-FILE-WRITE-Service-Response-Parameter OPTIONAL
}
FS-OP-FILE-GET-POSITION-Service-Command ::= [PRIVATE 25] SEQUENCE {
  aSessionID SessionID -- File session
}
FS-OP-FILE-GET-POSITION-Service-Response-Parameter ::= SEQUENCE {
  aCurrentOffset UInt32 OPTIONAL -- Current offset
}
FS-OP-FILE-GET-POSITION-Service-Response ::= [PRIVATE 25] SEQUENCE {
  aFS-Service-Response FS-Service-Response DEFAULT eFS-OK,
  aParameter FS-OP-FILE-GET-POSITION-Service-Response-Parameter OPTIONAL
}
FS-Service-Response ::= ENUMERATED {
  eFS-OK (0), -- no error
  eFS-E-CMD-PAR-UNKNOWN (2), -- unknown or illegal command parameter
  eFS-E-NOK (3), -- the command has failed
  eFS-NODE-BUSY (9), -- The file system is already processing an operation on the node
  eFS-NODE-NOT-FOUND (10), -- Node not found
  eFS-OPERATION-ILLEGAL (11), -- Illegal operation (eg. opening a file with a directory identity instead a file identity)
  eFS-NOT-ENOUGH-SPACE (12), -- The operation exceeds the size limit of a file
  eFS-BAD-SESSSION-ID (13), -- the session identifier related to a file does not exist (identifier spelled as published)
  eFS-ACL-RULES-VIOLATIONS (14), -- the operation of the administration violates the ACL rules associated to a node
  eFS-MAX-FILE-SESSION-REACHED (15) -- the maximum number of file sessions has been reached
}

/* Access control: one entry per accessor; rights are a 32-bit mask (eRight-Bit1 is bit 0) */
AccessControl ::= SEQUENCE {
  aAccessorIdentity AccessorIdentity, -- Identity of the accessor accessing the resource
  aAccessorRights AccessorRights, -- Accessor rights (e.g. delete, update).
  aGrantorIdentity AccessorIdentity OPTIONAL -- Identity of the grantor
}
AccessorRights ::= BIT STRING {
  eRight-Bit1 (0), eRight-Bit2 (1), eRight-Bit3 (2), eRight-Bit4 (3),
  eRight-Bit5 (4), eRight-Bit6 (5), eRight-Bit7 (6), eRight-Bit8 (7),
  eRight-Bit9 (8), eRight-Bit10 (9), eRight-Bit11 (10), eRight-Bit12 (11),
  eRight-Bit13 (12), eRight-Bit14 (13), eRight-Bit15 (14), eRight-Bit16 (15),
  eRight-Bit17 (16), eRight-Bit18 (17), eRight-Bit19 (18), eRight-Bit20 (19),
  eRight-Bit21 (20), eRight-Bit22 (21), eRight-Bit23 (22), eRight-Bit24 (23),
  eRight-Bit25 (24), eRight-Bit26 (25), eRight-Bit27 (26), eRight-Bit28 (27),
  eRight-Bit29 (28), eRight-Bit30 (29), eRight-Bit31 (30), eRight-Bit32 (31)
} (SIZE(32))
AccessControlList ::= SET OF AccessControl -- Access control list

/* Accessors: users or groups, with the conditions they must satisfy and their credentials */
Accessor ::= [PRIVATE 8] CHOICE {
  aAccessorGroup AccessorGroup,
  aAccessorUser AccessorUser
}
AccessorGroup ::= SEQUENCE {
  aAccessorIdentity AccessorIdentity, -- Identity of the accessor
  aMembersOfGroup SET OF AccessorIdentity, -- Members of the group
  aACL AccessControlList -- Access control list
}
AccessorUser ::= SEQUENCE {
  aAccessorIdentity AccessorIdentity, -- Identity of the accessor
  aAccessorConditions AccessorConditions OPTIONAL, -- Accessor conditions
  aACL AccessControlList -- Access control list
}
AccessorIdentity ::= UUID -- accessor identity
-- Each condition is a 32-bit mask selecting which verification the accessor must pass.
AccessorConditions ::= SEQUENCE {
  aAccessConditionsBiometry AccessorConditionsBiometry OPTIONAL,
  aAccessConditionsPIN AccessorConditionsPIN OPTIONAL,
  aAccessConditionsTokens AccessorConditionsToken OPTIONAL,
  aAccessConditionHostDomain AccessConditionHostDomain OPTIONAL
}
AccessorConditionsBiometry ::= [PRIVATE 9] BIT STRING {
  eReservedForFuture (0) -- Reserved for future usage
} (SIZE(32))
AccessorConditionsPIN ::= [PRIVATE 10] BIT STRING {
  ePinNumeric (0), -- The user shall present a numeric PIN
  ePinPassword (1), -- The user shall present a password
  ePinPattern (2) -- The user shall present a graphical pattern
} (SIZE(32))
AccessorConditionsToken ::= [PRIVATE 11] BIT STRING {
  eTokenCertificate (0) -- A token verification by using the certificate shall be performed
} (SIZE(32))
AccessConditionHostDomain ::= [PRIVATE 12] BOOLEAN

-- Named right masks for the AAS gate (same AccessorRights layout as the FS masks above).
eAASAccessRight-RequiresSecurePipe AccessorRights ::= {eRight-Bit1 }
eAASAccessRight-Create AccessorRights ::= { eRight-Bit2 }
eAASAccessRight-Delete AccessorRights ::= { eRight-Bit3 }
eAASAccessRight-Update AccessorRights ::= { eRight-Bit4 }
eAASAccessRight-UpdateACL AccessorRights ::= { eRight-Bit5 }
eAASAccessRight-UpdateGroup AccessorRights ::= { eRight-Bit6 }
eAASAccessRight-UpdateCredentialPolicy AccessorRights ::= { eRight-Bit7 }
eAASAccessRight-UpdateCredentialStatus AccessorRights ::= { eRight-Bit8 }

/* Maximum size of each side of the entry panel for pattern */
maxEntryPanelDimension INTEGER ::= 10
/* Coordinate of point in pattern from the top-left corner, starting with index 1 */
PatternPoint ::= SEQUENCE {
  x INTEGER (1.. maxEntryPanelDimension), -- X coordinate
  y INTEGER (1.. maxEntryPanelDimension) -- Y coordinate
}

-- Secret material: PINs, passwords and patterns travel in clear inside this structure, so
-- implementations should keep it out of traces and logs and rely on the pipe for protection.
AccessorCredentials ::= [PRIVATE 13] SEQUENCE {
  -- Credentials of type PIN
  aPinNumericCredential [0] NumericString (SIZE(4..255)) OPTIONAL, -- Numeric PIN
  aPinPasswordCredential [1] PrintableString (SIZE(4..255)) OPTIONAL, -- Password
  -- NOTE(review): written this way the SIZE constraint binds to PatternPoint (a SEQUENCE, for
  -- which SIZE is not valid), not to the number of points. To bound the point count the form
  -- used by NodeReference, SEQUENCE (SIZE(4..255)) OF PatternPoint, is needed. Confirm.
  aPinPatternCredential [2] SEQUENCE OF PatternPoint (SIZE(4..255)) OPTIONAL, -- Graphical pattern
  -- Credentials for the token based verification
  -- NOTE(review): aCertificates and aHostDomainCredential are not OPTIONAL here, so even a
  -- PIN-only accessor has to carry at least one certificate and a host domain set. Confirm.
  aCertificates [10] Certificates (SIZE(1..MAX)), -- Set of X.509 certificates of the accessor
  -- Credentials of type host domain
  aHostDomainCredential [20] SET OF UUID -- Set of SCL host domains
  -- Credentials of type biometric: for future usage
}

/* Credential policies. aMaxAttempts DEFAULT 0: the meaning of 0 is not defined in this module. */
PinNumericPolicy ::= SEQUENCE {
  aIsDisableForbidden BOOLEAN DEFAULT FALSE, -- Disabling forbidden
  aMinSize INTEGER (4..255) DEFAULT 4, -- Minimum size of PIN
  aMaxSize INTEGER (4..255) DEFAULT 255, -- Maximum size of PIN
  aMaxAttempts INTEGER (0..255) DEFAULT 0 -- Maximum number of attempts
}
PinPasswordPolicy ::= SEQUENCE {
  aMinSize INTEGER (4..255) DEFAULT 4, -- Minimum length of password
  aMaxSize INTEGER (4..255) DEFAULT 255, -- Maximum length of password
  aRequiresLowerCaseLetter BOOLEAN DEFAULT FALSE, -- At least one lower case letter is required
  aRequiresUpperCaseLetter BOOLEAN DEFAULT FALSE, -- At least one upper case letter is required
  aRequiresNumber BOOLEAN DEFAULT FALSE, -- At least one numeric digit is required
  aRequiresSymbol BOOLEAN DEFAULT FALSE, -- At least one special character is required
  aMaxAttempts INTEGER (0..255) DEFAULT 0 -- Maximum number of attempts
}
PinPatternPolicy ::= SEQUENCE {
  aMinSize INTEGER (4..255) DEFAULT 4, -- Minimum number of points in pattern
  aMaxSize INTEGER (4..255) DEFAULT 255, -- Maximum number of points in pattern
  aEntryPanelMinSize INTEGER (3.. maxEntryPanelDimension) DEFAULT 3, -- Minimum side length of the entry panel
  aSamePointMultipleTimes BOOLEAN DEFAULT FALSE, -- If a point can occur multiple times
  aMaxAttempts INTEGER (0..255) DEFAULT 0 -- Maximum number of attempts
}
AccessorCredentialsPolicy ::= SEQUENCE {
  aPinNumericPolicy PinNumericPolicy OPTIONAL, -- Numeric PIN policy
  aPinPasswordPolicy PinPasswordPolicy OPTIONAL, -- Password policy
  aPinPatternPolicy PinPatternPolicy OPTIONAL -- Graphical pattern policy
}

/* Credential status. A credential whose status is omitted is disabled by default (aIsDisabled DEFAULT TRUE). */
AccessorCommonCredentialStatus ::= SEQUENCE {
  aIsDisabled BOOLEAN DEFAULT TRUE, -- indicates if credential is disabled
  aRemainingAttempts INTEGER (0..255) OPTIONAL -- remaining number of attempts
}
PinNumericCredentialStatus ::= SEQUENCE {
  aCommonStatus AccessorCommonCredentialStatus
}
PinPasswordCredentialStatus ::= SEQUENCE {
  aCommonStatus AccessorCommonCredentialStatus
}
PinPatternCredentialStatus ::= SEQUENCE {
  aCommonStatus AccessorCommonCredentialStatus
}
AccessorCredentialsStatus ::= SEQUENCE {
  aPinNumericStatus PinNumericCredentialStatus OPTIONAL,
  aPinPasswordStatus PinPasswordCredentialStatus OPTIONAL,
  aPinPatternStatus PinPatternCredentialStatus OPTIONAL
}

/* Accessor authentication service: commands and responses */
AAS-GET-CAPABILITIES-Type ::= ENUMERATED {
  eGlobalAuthenticationService (0), -- retrieve user accessors available in the SSP host
  eAccessorStatus (1) -- retrieve status related to the accessor authentication service gate
}
AAS-OP-GET-CAPABILITIES-Service-Command ::= [PRIVATE 16] SEQUENCE {
  aRequestType AAS-GET-CAPABILITIES-Type
}
AAS-OP-GET-CAPABILITIES-Service-Response-Parameter ::= CHOICE {
  aGlobalAuthenticationService SEQUENCE -- for aRequestType set to eGlobalAuthenticationService
  {
    aAASVersion VersionType, -- release of the AAS service
    aAccessorList SET OF Accessor, -- List of accessors
    aACL AccessControlList -- Access control list
  },
  aAccessorStatus SEQUENCE -- for aRequestType set to eAccessorStatus
  {
    aIsAuthenticated BOOLEAN, -- indicates if the accessor is authenticated
    aAccessorConditions AccessorConditions, -- accessor conditions
    aAccessorCredentialsStatus AccessorCredentialsStatus, -- status of credentials of the accessor
    aAccessorCredentialsPolicy AccessorCredentialsPolicy -- policies for the credentials of the accessor
  }
}
AAS-OP-GET-CAPABILITIES-Service-Response ::= [PRIVATE 16] SEQUENCE {
  aAAS-Service-Response AAS-Service-Response DEFAULT eAAS-OK,
  aParameter AAS-OP-GET-CAPABILITIES-Service-Response-Parameter OPTIONAL
}
AAS-ADMIN-CREATE-ACCESSOR-Service-Command ::= [PRIVATE 17] SEQUENCE {
  aAccessor Accessor, -- Accessor to be created
  aAccessorConditions AccessorConditions, -- Conditions
  aCredential AccessorCredentials, -- Credentials for the accessor
  aCredentialsPolicy AccessorCredentialsPolicy OPTIONAL, -- Policy for the provided accessors
  aCredentialsStatus AccessorCredentialsStatus OPTIONAL -- Status of credentials
}
AAS-ADMIN-CREATE-ACCESSOR-Service-Response ::= [PRIVATE 17] SEQUENCE {
  aAAS-Service-Response AAS-Service-Response DEFAULT eAAS-OK
}
AAS-ADMIN-UPDATE-ACCESSOR-Service-Command ::= [PRIVATE 18] SEQUENCE {
  aAccessorIdentity AccessorIdentity, -- Identity of the accessor
  aMembersOfGroup SET OF AccessorIdentity OPTIONAL, -- Members of the group
  aACL AccessControlList OPTIONAL, -- Access control list
  aSetAccessorConditions AccessorConditions OPTIONAL, -- Conditions to be set
  aRemoveAccessorConditions AccessorConditions OPTIONAL, -- Conditions to be removed
  aSetCredential AccessorCredentials OPTIONAL, -- Credentials to be set
  -- NOTE(review): typed as AccessorConditions (a set of condition masks), not AccessorCredentials;
  -- presumably it selects which credential kinds to remove rather than carrying credentials. Confirm.
  aRemoveCredential AccessorConditions OPTIONAL, -- List of credentials to be removed
  aCredentialsPolicy AccessorCredentialsPolicy OPTIONAL, -- Credential policy
  aCredentialsStatus AccessorCredentialsStatus OPTIONAL -- Status of credentials
}
AAS-ADMIN-UPDATE-ACCESSOR-Service-Response ::= [PRIVATE 18] SEQUENCE {
  aAAS-Service-Response AAS-Service-Response DEFAULT eAAS-OK
}
AAS-ADMIN-DELETE-ACCESSOR-Service-Command ::= [PRIVATE 19] SEQUENCE {
  aAccessorIdentity AccessorIdentity -- Identity of the accessor to delete
}
AAS-ADMIN-DELETE-ACCESSOR-Service-Response ::= [PRIVATE 19] SEQUENCE {
  aAAS-Service-Response AAS-Service-Response DEFAULT eAAS-OK
}
-- Carries the secret presented by the accessor (see AccessorCredentials on logging).
AAS-OP-AUTHENTICATE-ACCESSOR-Service-Command ::= [PRIVATE 22] SEQUENCE {
  aCredential CHOICE {
    aPinNumericCredential [10] NumericString, -- Numeric PIN
    aPinPasswordCredential [11] PrintableString, -- Password
    -- NOTE(review): the pattern is a PrintableString here but a SEQUENCE OF PatternPoint in
    -- AccessorCredentials; the string encoding of a pattern is not defined in this module.
    aPinPatternCredential [12] PrintableString, -- Graphical pattern
    aAccessorTokenCertificationPath [20] Certificates,
    aHostDomainCredential [30] NULL -- no payload: the host domain is presumably taken from the pipe, not from this message
  }
}
AAS-OP-AUTHENTICATE-ACCESSOR-Service-Response-Parameter ::= SEQUENCE {
  aCredentialsStatus AccessorCredentialsStatus OPTIONAL, -- Status of credentials after the command
  aServiceTokenCertificationPath Certificates OPTIONAL -- Certification path of the token generated by the accessor authentication service
}
AAS-OP-AUTHENTICATE-ACCESSOR-Service-Response ::= [PRIVATE 22] SEQUENCE {
  aAAS-Service-Response AAS-Service-Response DEFAULT eAAS-OK,
  aParameter AAS-OP-AUTHENTICATE-ACCESSOR-Service-Response-Parameter OPTIONAL
}
AAS-OP-ACCESS-SERVICE-Service-Command ::= [PRIVATE 20] SEQUENCE {
  aServiceIdentifier UUID, -- Identifier of the service gate
  aUseSecurePipe BOOLEAN DEFAULT FALSE -- Indication of secure pipe is requested; the service side can still demand one through the RequiresSecurePipe right
}
AAS-OP-ACCESS-SERVICE-Service-Response-Parameter ::= SEQUENCE {
  aGateIdentifier UUID -- Identifier of the service gate
}
AAS-OP-ACCESS-SERVICE-Service-Response ::= [PRIVATE 20] SEQUENCE {
  aAAS-Service-Response AAS-Service-Response DEFAULT eAAS-OK,
  aParameter AAS-OP-ACCESS-SERVICE-Service-Response-Parameter OPTIONAL
}
AAS-OP-GET-CHALLENGE-Service-Command ::= [PRIVATE 21] SEQUENCE { }
AAS-OP-GET-CHALLENGE-Service-Response-Parameter ::= SEQUENCE {
  aChallenge OCTET STRING (SIZE (16)), -- 16-byte challenge echoed in ATK-Content; freshness per request is not expressed by the syntax
  aCertificates Certificates -- Certificates of the accessor authentication service
}
AAS-OP-GET-CHALLENGE-Service-Response ::= [PRIVATE 21] SEQUENCE {
  aAAS-Service-Response AAS-Service-Response DEFAULT eAAS-OK,
  aParameter AAS-OP-GET-CHALLENGE-Service-Response-Parameter OPTIONAL
}
AAS-Service-Response ::= ENUMERATED {
  eAAS-OK (0), -- Operation successful
  eAAS-E-CMD-PAR-UNKNOWN (2), -- Unknown parameters used for an operation
  eAAS-E-NOK (3), -- Operation failed
  eAAS-ACL-RULES-VIOLATIONS (14), -- The operation violates the ACL conditions
  eAAS-NOT-AUTHENTICATED (15), -- The accessor is not authenticated
  eAAS-POLICY-RULES-VIOLATIONS (16) -- The operation violates the credentials policy
}

/* Identity Gate */
URN-Description ::= SEQUENCE {
  aURN-Readable PrintableString, -- URN string used to compute UUID
  aURN-UUID UUID -- UUID of the gate computed from aURN-Readable present in GATE_LIST
}
URN-Description-List ::= SEQUENCE OF URN-Description

/* FS gate: top-level command/response envelopes */
FS-CONTROL-SERVICE-GATE-Commands ::= [APPLICATION 2] CHOICE {
  aFS-ADMIN-GET-CAPABILITIES-Service-Command FS-ADMIN-GET-CAPABILITIES-Service-Command,
  aFS-ADMIN-CREATE-NODE-Service-Command FS-ADMIN-CREATE-NODE-Service-Command,
  aFS-ADMIN-DELETE-NODE-Service-Command FS-ADMIN-DELETE-NODE-Service-Command,
  aFS-ADMIN-UPDATE-NODE-ATTRIBUTES-Service-Command FS-ADMIN-UPDATE-NODE-ATTRIBUTES-Service-Command,
  aFS-OP-FILE-OPEN-Service-Command FS-OP-FILE-OPEN-Service-Command,
  aFS-OP-FILE-CLOSE-Service-Command FS-OP-FILE-CLOSE-Service-Command,
  aFS-OP-NODE-GET-INFO-Service-Command FS-OP-NODE-GET-INFO-Service-Command,
  aFS-OP-FILE-READ-Service-Command FS-OP-FILE-READ-Service-Command,
  aFS-OP-FILE-WRITE-Service-Command FS-OP-FILE-WRITE-Service-Command,
  aFS-OP-FILE-GET-POSITION-Service-Command FS-OP-FILE-GET-POSITION-Service-Command
}
FS-CONTROL-SERVICE-GATE-Responses ::= [APPLICATION 1] CHOICE {
  aFS-ADMIN-GET-CAPABILITIES-Service-Response FS-ADMIN-GET-CAPABILITIES-Service-Response,
  aFS-ADMIN-CREATE-NODE-Service-Response FS-ADMIN-CREATE-NODE-Service-Response,
  aFS-ADMIN-DELETE-NODE-Service-Response FS-ADMIN-DELETE-NODE-Service-Response,
  aFS-ADMIN-UPDATE-NODE-ATTRIBUTES-Service-Response FS-ADMIN-UPDATE-NODE-ATTRIBUTES-Service-Response,
  aFS-OP-FILE-OPEN-Service-Response FS-OP-FILE-OPEN-Service-Response,
  aFS-OP-FILE-CLOSE-Service-Response FS-OP-FILE-CLOSE-Service-Response,
  aFS-OP-NODE-GET-INFO-Service-Response FS-OP-NODE-GET-INFO-Service-Response,
  aFS-OP-FILE-READ-Service-Response FS-OP-FILE-READ-Service-Response,
  aFS-OP-FILE-WRITE-Service-Response FS-OP-FILE-WRITE-Service-Response,
  aFS-OP-FILE-GET-POSITION-Service-Response FS-OP-FILE-GET-POSITION-Service-Response
}

/* TCP Service: definitions */
IPV6Addr ::= OCTET STRING (SIZE(16))
IPV4Addr ::= OCTET STRING (SIZE(4))
IPAddress ::= CHOICE {aIPV4 IPV4Addr, aIPV6 IPV6Addr}
FQDN ::= UTF8String -- no syntax constraint; resolution happens on the terminal side
ConnectionID ::= INTEGER (0..255)
TCP-CONTROL-SERVICE-GATE-Commands ::= [APPLICATION 2] CHOICE {
  aTCP-REQUEST-CONNECTION-Service-Command TCP-REQUEST-CONNECTION-Service-Command,
  aTCP-GET-STATUS-CONNECTION-Service-Command TCP-GET-STATUS-CONNECTION-Service-Command,
  aTCP-CLOSE-CONNECTION-Service-Command TCP-CLOSE-CONNECTION-Service-Command
}
-- aUserLogin/aUserPassword are network access credentials sent in clear within the message;
-- keep them out of traces and logs.
NetworkParameters ::= SEQUENCE {
  aBearerType INTEGER -- Bearer type
  {
    eDefaultBearer (0), -- Default Bearer, as defined in ETSI TS 102 223 [6], clause 8.52
    eWWAN (1), -- WWAN Bearer
    eWLAN (2) -- WLAN local breakout
  } OPTIONAL,
  aNetworkAccessName OCTET STRING OPTIONAL, -- Network Access Name
  aUserLogin OCTET STRING OPTIONAL, -- User login for the network
  aUserPassword OCTET STRING OPTIONAL -- User password for the network
}
/* TCP Service: commands and responses */
TCP-REQUEST-CONNECTION-Service-Command ::= [PRIVATE 16] SEQUENCE {
  aConnectionMode [0] INTEGER {
    ePassiveLocal (0), -- TCP mode for LISTEN/ACCEPT for client local to the device only
    ePassiveAny (1), -- TCP mode for LISTEN/ACCEPT for either local or remote client; exposes the listening port to the network, so the ACL of the requesting application matters here
    eActive (2) -- TCP Mode as client for CONNECT
  },
  aDestinationAddress [1] CHOICE -- Destination address
  {
    aIP IPAddress, -- IP address
    aFQDN FQDN -- Fully Qualified Domain Name of the server
  } OPTIONAL,
  aPortNumber [2] INTEGER(1..65535), -- Port number
  aGateID [3] UUID, -- Gate identifier as defined in clause 8.2
  aTimeout [4] INTEGER OPTIONAL, -- Time unit is second; unconstrained, so 0 and negative values are syntactically allowed
  aNetworkParameters [5] NetworkParameters OPTIONAL -- Network parameters
}
TCP-REQUEST-CONNECTION-Service-Response-Parameter ::= SEQUENCE {
  aConnectionID [0] ConnectionID -- Connection ID
}
TCP-REQUEST-CONNECTION-Service-Response ::= [PRIVATE 16] SEQUENCE {
  aTCP-Control-Service-Response TCP-Control-Service-Response DEFAULT eTCP-OK,
  aParameter TCP-REQUEST-CONNECTION-Service-Response-Parameter OPTIONAL
}
TCP-CLOSE-CONNECTION-Service-Command ::= [PRIVATE 17] SEQUENCE {
  aConnectionID [0] ConnectionID -- Connection ID
}
TCP-CLOSE-CONNECTION-Service-Response-Parameter ::= SEQUENCE {
  aConnectionID [0] ConnectionID -- Connection ID
}
TCP-CLOSE-CONNECTION-Service-Response ::= [PRIVATE 17] SEQUENCE {
  aTCP-Control-Service-Response TCP-Control-Service-Response DEFAULT eTCP-OK,
  aParameter TCP-CLOSE-CONNECTION-Service-Response-Parameter OPTIONAL
}
TCP-GET-STATUS-CONNECTION-Service-Command ::= [PRIVATE 18] SEQUENCE {
  aConnectionID [0] ConnectionID -- Connection ID
}
TCP-GET-STATUS-CONNECTION-Service-Response-Parameter ::= SEQUENCE {
  aConnectionID [0] ConnectionID, -- Connection ID
  aStateOfConnection [1] INTEGER -- State of the connection
  {
    eLISTEN (0), -- TCP mode for LISTEN state (awaiting a connection request from a TCP client)
    eESTABLSHMENT-IN-PROGRESS (1), -- TCP handshake is in progress (identifier spelled as published)
    eESTABLISHED (2), -- TCP handshake has been completed
    eCLOSED (3) -- TCP connection is CLOSED or not OPENED
  }
}
TCP-GET-STATUS-CONNECTION-Service-Response ::= [PRIVATE 18] SEQUENCE {
  aTCP-Control-Service-Response TCP-Control-Service-Response DEFAULT eTCP-OK,
  aParameter TCP-GET-STATUS-CONNECTION-Service-Response-Parameter OPTIONAL
}
TCP-CONTROL-SERVICE-GATE-Responses ::= [APPLICATION 1] CHOICE {
  aTCP-REQUEST-CONNECTION-Service-Response TCP-REQUEST-CONNECTION-Service-Response,
  aTCP-GET-STATUS-CONNECTION-Service-Response TCP-GET-STATUS-CONNECTION-Service-Response,
  aTCP-CLOSE-CONNECTION-Service-Response TCP-CLOSE-CONNECTION-Service-Response
}
TCP-Control-Service-Response ::= ENUMERATED {
  eTCP-OK (0), -- no error
  eTCP-E-CMD-PAR-UNKNOWN (2), -- unknown or illegal command parameter
  eTCP-E-NOK (3) -- the command has failed
}

/* TCP Service: application gate (terminal to SSP application) */
TCP-CONTROL-APPLICATION-GATE-Commands ::= [APPLICATION 2] CHOICE {
  aTCP-ACCEPT-CONNECTION-Application-Command TCP-ACCEPT-CONNECTION-Application-Command
}
-- Delivered for an incoming connection on a passive socket. The peer address is OPTIONAL, so an
-- application cannot rely on it to filter remote clients; use ePassiveLocal where only local
-- clients are wanted.
TCP-ACCEPT-CONNECTION-Application-Command ::= [PRIVATE 16] SEQUENCE {
  aConnectionID [0] ConnectionID, -- Connection ID
  eSourceIP [1] IPAddress OPTIONAL, -- IP address of the incoming connection (component name breaks the "a" prefix convention; kept as published)
  aSourcePortNumber [2] INTEGER(1..65535) -- Source port of the incoming connection
}
TCP-ACCEPT-CONNECTION-Application-Response ::= [PRIVATE 16] SEQUENCE {
  aTCP-Control-Application-Response TCP-Control-Application-Response DEFAULT eTCP-OK
}
TCP-CONTROL-APPLICATION-GATE-Responses ::= [APPLICATION 1] CHOICE {
  aTCP-REQUEST-CONNECTION-Application-Response TCP-ACCEPT-CONNECTION-Application-Response -- alternative name says REQUEST but carries the ACCEPT response; kept as published
}
TCP-Control-Application-Response ::= ENUMERATED {
  eTCP-OK (0), -- no error
  eTCP-E-CMD-PAR-UNKNOWN (2), -- unknown or illegal command parameter
  eTCP-E-NOK (3) -- the command has failed
}
TCP-CONTROL-APPLICATION-GATE-Events ::= [APPLICATION 0] CHOICE {
  aEVT-TCP-ERROR-Application-Event EVT-TCP-ERROR-Application-Event
}
EVT-TCP-ERROR-Application-Event ::= [PRIVATE 16] SEQUENCE {
  aConnectionID [0] ConnectionID, -- Connection ID
  aErrorCode [1] INTEGER -- Error code
  {
    eUNREACHABLE (1),
    eREDIRECTION (2),
    eTIMEOUT (3),
    eIP-HEADER-WRONG (4),
    eACCESS-TECHNOLOGY-ERROR (5),
    eTERMINAL-BUSY (6),
    eNETWORK-BUSY (7),
    eCALL-CONTROL-INTERACTION-ERROR (8),
    eDNS-RESOLUTION-ERROR (9),
    eLINK-DROPPED (10)
  },
  aErrorInfo [2] OCTET STRING (SIZE(2)) -- Additional details on the error
}

/* UDP Service: definitions, commands and responses */
SocketID ::= INTEGER (0..255)
UDP-SERVICE-GATE-Commands ::= [APPLICATION 2] CHOICE {
  aUDP-REQUEST-SOCKET-Command UDP-REQUEST-SOCKET-Command,
  aUDP-CLOSE-SOCKET-Command UDP-CLOSE-SOCKET-Command
}
UDP-REQUEST-SOCKET-Command ::= [PRIVATE 16] SEQUENCE {
  aPortNumber [1] INTEGER(1..65535) OPTIONAL, -- UDP port on the terminal
  aNetworkParameters [2] NetworkParameters OPTIONAL, -- Network parameters
  aLocalOnly [3] BOOLEAN OPTIONAL -- if UDP datagrams from remote entities are allowed; no DEFAULT, so the behaviour when absent is not defined in this module
}
UDP-REQUEST-SOCKET-Response-Parameter ::= SEQUENCE {
  aSocketID SocketID -- Socket identifier
}
UDP-REQUEST-SOCKET-Response ::= [PRIVATE 16] SEQUENCE {
  aUDP-Service-Response UDP-Service-Response DEFAULT eUDP-OK,
  aParameter UDP-REQUEST-SOCKET-Response-Parameter OPTIONAL
}
UDP-CLOSE-SOCKET-Command ::= [PRIVATE 17] SEQUENCE {
  aSocketID SocketID -- Socket identifier
}
UDP-CLOSE-SOCKET-Response-Parameter ::= SEQUENCE {
  aSocketID SocketID -- Socket identifier
}
UDP-CLOSE-SOCKET-Response ::= [PRIVATE 17] SEQUENCE {
  aUDP-Service-Response UDP-Service-Response DEFAULT eUDP-OK,
  aParameter UDP-CLOSE-SOCKET-Response-Parameter OPTIONAL
}
UDP-SERVICE-GATE-Responses ::= [APPLICATION 1] CHOICE {
  aUDP-REQUEST-SOCKET-Response UDP-REQUEST-SOCKET-Response,
  aUDP-CLOSE-SOCKET-Response UDP-CLOSE-SOCKET-Response
}
UDP-Service-Response ::= ENUMERATED {
  eUDP-OK (0), -- No Error
  eUDP-E-CMD-PAR-UNKNOWN (2), -- Unknown or illegal command parameter
  eUDP-E-NOK (3), -- the command has failed
  eUDP-E-PORT-NOT-AVAILABLE (10) -- The UDP port is not available
}

/* UDP Service: events. 65507 is the largest UDP payload that fits an IPv4 datagram. */
UDP-SERVICE-GATE-Events ::= [APPLICATION 0] CHOICE {
  aEVT-UDP-DATAGRAM-OUT-Service-Event EVT-UDP-DATAGRAM-OUT-Service-Event
}
EVT-UDP-DATAGRAM-OUT-Service-Event ::= [PRIVATE 16] SEQUENCE {
  aSocketID SocketID, -- Socket identifier
  aDestinationAddress CHOICE -- Destination address
  {
    aIP IPAddress, -- IP address
    aFQDN FQDN -- Fully Qualified Domain Name of the server
  },
  aDestinationPortNumber INTEGER(1..65535), -- UDP port to send the UDP datagram
  aData OCTET STRING (SIZE (1..65507)) -- Data to send
}
UDP-APPLICATION-GATE-Events ::= [APPLICATION 0] CHOICE {
  aEVT-UDP-DATAGRAM-IN-Application-Event EVT-UDP-DATAGRAM-IN-Application-Event,
  aEVT-UDP-ERROR-Application-Event EVT-UDP-ERROR-Application-Event
}
EVT-UDP-DATAGRAM-IN-Application-Event ::= [PRIVATE 17] SEQUENCE {
  asocketID SocketID, -- Socket identifier (lower-case component name as published)
  aSourceIP IPAddress, -- IP address of the incoming UDP datagram
  aSourcePortNumber INTEGER(1..65535), -- UDP port of the incoming UDP datagram
  aData OCTET STRING (SIZE (1..65507)) -- Received data; untrusted network input
}
EVT-UDP-ERROR-Application-Event ::= [PRIVATE 16] SEQUENCE {
  aSocketID SocketID, -- Socket identifier
  aErrorCode INTEGER -- Error code (same values as the TCP error event, without eTIMEOUT)
  {
    eUNREACHABLE (1),
    eREDIRECTION (2),
    eIP-HEADER-WRONG (4),
    eACCESS-TECHNOLOGY-ERROR (5),
    eTERMINAL-BUSY (6),
    eNETWORK-BUSY (7),
    eCALL-CONTROL-INTERACTION-ERROR (8),
    eDNS-RESOLUTION-ERROR (9),
    eLINK-DROPPED (10)
  },
  aErrorInfo OCTET STRING (SIZE(2)) -- Additional error information
}

/* CRON service: definitions*/
CRON-ID ::= INTEGER (0..255)
/* CRON Service: commands */
CRON-SERVICE-GATE-Commands ::= [APPLICATION 2] CHOICE {
  aCRON-REQUEST-TIMER-Command CRON-REQUEST-TIMER-Command,
  aCRON-READ-DATE-Command CRON-READ-DATE-TIME-Command, -- alternative name lacks TIME; kept as published
  aCRON-KILL-TIMER-Command CRON-KILL-TIMER-Command,
  aCRON-KILL-ALL-TIMERS-Command CRON-KILL-ALL-TIMERS-Command
}
CRON-REQUEST-TIMER-Command ::= [PRIVATE 16] SEQUENCE {
  aInitialNotificationDateTime CHOICE -- Time of the initial notification
  {
    aDateTimeAbsolute GeneralizedTime, -- Absolute date and time
    aTimeRelative INTEGER (50..65535) -- Time in units of 100 milliseconds from the time of the request
  },
  aPeriod INTEGER (10..65535) OPTIONAL -- Interval of periodic notifications after the initial notification. The period is in units of 100 milliseconds
}
CRON-REQUEST-TIMER-Response-Parameter ::= SEQUENCE {
  aCRON-ID CRON-ID, -- CRON id
  aPersistantOverPowerCycle BOOLEAN -- Indication of persistence across power cycles (identifier spelled as published)
}
CRON-REQUEST-TIMER-Response ::= [PRIVATE 16] SEQUENCE {
  aCRON-Service-Response CRON-Service-Response DEFAULT eCRON-OK,
  aParameter CRON-REQUEST-TIMER-Response-Parameter OPTIONAL
}
CRON-READ-DATE-TIME-Command ::= [PRIVATE 17] SEQUENCE { }
CRON-READ-DATE-TIME-Response-Parameter ::= SEQUENCE {
  aDateTime GeneralizedTime
}
CRON-READ-DATE-TIME-Response ::= [PRIVATE 17] SEQUENCE {
  aCRON-Service-Response CRON-Service-Response DEFAULT eCRON-OK,
  aParameter CRON-READ-DATE-TIME-Response-Parameter OPTIONAL
}
CRON-KILL-TIMER-Command ::= [PRIVATE 18] SEQUENCE {
  aCRON-ID CRON-ID -- CRON id
}
CRON-KILL-TIMER-Response ::= [PRIVATE 18] SEQUENCE {
  aCRON-Service-Response CRON-Service-Response DEFAULT eCRON-OK
}
CRON-KILL-ALL-TIMERS-Command ::= [PRIVATE 19] SEQUENCE { }
-- NOTE(review): the only response type in this module without a [PRIVATE n] tag (its command
-- is [PRIVATE 19]). Inside CRON-SERVICE-GATE-Responses the alternatives are automatically
-- tagged, so decoding is unambiguous, but the on-the-wire tag differs from its siblings. Confirm.
CRON-KILL-ALL-TIMERS-Response ::= SEQUENCE {
  aCRON-Service-Response CRON-Service-Response DEFAULT eCRON-OK
}
/* CRON Service: responses */
CRON-SERVICE-GATE-Responses ::= [APPLICATION 1] CHOICE {
  aCRON-REQUEST-TIMER-Response CRON-REQUEST-TIMER-Response,
  aCRON-READ-DATE-TIME-Response CRON-READ-DATE-TIME-Response,
  aCRON-KILL-TIMER-Response CRON-KILL-TIMER-Response,
  aCRON-KILL-ALL-TIMERS-Response CRON-KILL-ALL-TIMERS-Response
}
CRON-Service-Response ::= ENUMERATED {
  eCRON-OK (0), -- No Error
  eCRON-E-CMD-PAR-UNKNOWN (2), -- Unknown or illegal command parameter
  eCRON-E-NOK (3), -- the command has failed
  eCRON-E-NO-ABSOLUTE-TIME (20) -- the terminal does not support the absolute time
}
/* CRON Service: events */
CRON-APPLICATION-GATE-Events ::= [APPLICATION 0] CHOICE {
  aCRON-ELAPSED-TIMER-Event CRON-ELAPSED-TIMER-Event
}
CRON-ELAPSED-TIMER-Event ::= [PRIVATE 16] SEQUENCE {
  aCRON-ID CRON-ID -- CRON id
}

/* AAS gate: top-level command/response envelopes */
AAS-CONTROL-SERVICE-GATE-Commands ::= [APPLICATION 2] CHOICE {
  aAAS-OP-GET-CAPABILITIES-Service-Command AAS-OP-GET-CAPABILITIES-Service-Command,
  aAAS-ADMIN-CREATE-ACCESSOR-Service-Command AAS-ADMIN-CREATE-ACCESSOR-Service-Command,
  aAAS-ADMIN-UPDATE-ACCESSOR-Service-Command AAS-ADMIN-UPDATE-ACCESSOR-Service-Command,
  aAAS-ADMIN-DELETE-ACCESSOR-Service-Command AAS-ADMIN-DELETE-ACCESSOR-Service-Command,
  aAAS-OP-ACCESS-SERVICE-Service-Command AAS-OP-ACCESS-SERVICE-Service-Command,
  aAAS-OP-AUTHENTICATE-ACCESSOR-Service-Command AAS-OP-AUTHENTICATE-ACCESSOR-Service-Command,
  aAAS-OP-GET-CHALLENGE-Service-Command AAS-OP-GET-CHALLENGE-Service-Command
}
AAS-CONTROL-SERVICE-GATE-Responses ::= [APPLICATION 1] CHOICE {
  aAAS-OP-GET-CAPABILITIES-Service-Response AAS-OP-GET-CAPABILITIES-Service-Response,
  aAAS-ADMIN-CREATE-ACCESSOR-Service-Response AAS-ADMIN-CREATE-ACCESSOR-Service-Response,
  aAAS-ADMIN-UPDATE-ACCESSOR-Service-Response AAS-ADMIN-UPDATE-ACCESSOR-Service-Response,
  aAAS-ADMIN-DELETE-ACCESSOR-Service-Response AAS-ADMIN-DELETE-ACCESSOR-Service-Response,
  aAAS-OP-ACCESS-SERVICE-Service-Response AAS-OP-ACCESS-SERVICE-Service-Response,
  aAAS-OP-AUTHENTICATE-ACCESSOR-Service-Response AAS-OP-AUTHENTICATE-ACCESSOR-Service-Response,
  aAAS-OP-GET-CHALLENGE-Service-Response AAS-OP-GET-CHALLENGE-Service-Response
}

/* Authentication token: a signed structure binding the challenge, a public key and the session
 * cipher parameters. Only ECDSA signatures are representable (signature is ECDSA-Sig-Value);
 * the verifier must check signatureAlgorithm against the key in subjectPublicKeyInfo and
 * check that aChallenge matches the challenge it issued. */
AuthenticationToken ::= SEQUENCE {
  tbsToken TBSToken,
  signatureAlgorithm AlgorithmIdentifier,
  signature ECDSA-Sig-Value
}
-- Because two components carry explicit tags, automatic tagging does not apply to this
-- SEQUENCE; the untagged components keep their universal SEQUENCE tags.
TBSToken ::= SEQUENCE {
  version [0] Version DEFAULT v1,
  subjectPublicKeyInfo SubjectPublicKeyInfo,
  aATK-Content ATK-Content,
  extensions [8] Extensions OPTIONAL
}
Key-Size ::= INTEGER {
  e128 (0), -- 128 Bit Key size
  e256 (1) -- 256 Bit Key size
}
StreamCipherIdentifier ::= INTEGER {
  aAES-CGM-StreamCipherIdentifier (0) -- AES GCM algorithm (identifier spelled CGM as published)
}
ATK-Content ::= SEQUENCE {
  aChallenge OCTET STRING (SIZE (16)), -- Challenge, same size as AAS-OP-GET-CHALLENGE aChallenge
  aKey-Size Key-Size,
  aStreamCipherIdentifier StreamCipherIdentifier
}

/* Object identifiers: id-ssp repeats the module identifier */
id-ssp OBJECT IDENTIFIER ::= { itu-t (0) identified-organization (4) etsi (0) smart-secure-platform (3666) part1 (1) }
id-role OBJECT IDENTIFIER ::= { id-ssp role (1) }
-- Role arcs under id-role. aas matches the "accessor authentication service" gate prefix used
-- in this module; the expansion of aaa is not given here (presumably the accessor
-- authentication application side; confirm against the specification text).
id-role-aaa OBJECT IDENTIFIER ::= { id-role aaa (1) }
id-role-aas OBJECT IDENTIFIER ::= { id-role aas (2) }
END