// MICOSec // based CORBASec 1.7 #if !defined(_SECURITY_IDL_) #define _SECURITY_IDL_ #pragma prefix "omg.org" #include #include #include #include module Security { typedef string SecurityName; typedef sequence Opaque; // Constant declarations for Security Service Options const CORBA::ServiceOption SecurityLevel1 = 1; const CORBA::ServiceOption SecurityLevel2 = 2; const CORBA::ServiceOption NonRepudiation = 3; const CORBA::ServiceOption SecurityORBServiceReady = 4; const CORBA::ServiceOption SecurityServiceReady = 5; const CORBA::ServiceOption ReplaceORBServices = 6; const CORBA::ServiceOption ReplaceSecurityServices = 7; const CORBA::ServiceOption StandardSecureInteroperability = 8; const CORBA::ServiceOption DCESecureInteroperability = 9; // Service options for Common Secure Interoperability const CORBA::ServiceOption CommonInteroperabilityLevel0 = 10; const CORBA::ServiceOption CommonInteroperabilityLevel1 = 11; const CORBA::ServiceOption CommonInteroperabilityLevel2 = 12; // Security mech types supported for secure association const CORBA::ServiceDetailType SecurityMechanismType = 1; // privillege types supported in standard access policy const CORBA::ServiceDetailType SecurityAttribute = 2; // extensible families for standard data types struct ExtensibleFamily { unsigned short family_definer; unsigned short family; }; // security attributes typedef unsigned long SecurityAttributeType; // identity attributes; family = 0 const SecurityAttributeType AuditId = 1; const SecurityAttributeType AccountingId = 2; const SecurityAttributeType NonRepudiationId = 3; // privilege attributes; family = 1 const SecurityAttributeType _Public = 1; const SecurityAttributeType AccessId = 2; const SecurityAttributeType PrimaryGroupId = 3; const SecurityAttributeType GroupId = 4; const SecurityAttributeType Role = 5; const SecurityAttributeType AttributeSet = 6; const SecurityAttributeType Clearance = 7; const SecurityAttributeType Capability = 8; // X.509 Certificate; family = 10 const SecurityAttributeType X509Subject = 1; const SecurityAttributeType X509Issuer = 2; const SecurityAttributeType X509Cipher = 3; const SecurityAttributeType X509Subject_CN = 4; const SecurityAttributeType X509Subject_C = 5; const SecurityAttributeType X509Subject_L = 6; const SecurityAttributeType X509Subject_ST = 7; const SecurityAttributeType X509Subject_O = 8; const SecurityAttributeType X509Subject_OU = 9; const SecurityAttributeType X509Issuer_CN = 10; const SecurityAttributeType X509Issuer_C = 11; const SecurityAttributeType X509Issuer_L = 12; const SecurityAttributeType X509Issuer_ST = 13; const SecurityAttributeType X509Issuer_O = 14; const SecurityAttributeType X509Issuer_OU = 15; // MICO Property; family = 11 const SecurityAttributeType AuthMethod = 1; const SecurityAttributeType PeerAddress = 2; struct AttributeType { ExtensibleFamily attribute_family; SecurityAttributeType attribute_type; }; typedef sequence AttributeTypeList; struct SecAttribute { AttributeType attribute_type; CSI::OID defining_authority; Opaque value; // the value of this attribute; can be // interpreted only with knowledge of type }; typedef sequence AttributeList; // Authentication return status enum AuthenticationStatus { SecAuthSuccess, SecAuthFailure, SecAuthContinue, SecAuthExpired }; // Association return status enum AssociationStatus { SecAssocSuccess, SecAssocFailure, SecAssocContinue }; // Authentication method typedef unsigned long AuthenticationMethod; typedef sequence AuthenticationMethodList; //AuthenticationMethods //const AuthenticationMethod KeyCertCAPass = 1; // Credential types which can be set as Current default enum CredentialsType { SecOwnCredentials, SecReceivedCredentials, SecTargetCredentials }; struct ChannelBindings { unsigned long initiator_addrtype; sequence initiator_address; unsigned long acceptor_addrtype; sequence acceptor_address; sequence application_data; }; // Declarations related to Rights // enum RightsFamilies { // corba // } // ###ras IDL adapted to CORBA 2.4.1 // Thu Jul 5 03:12:16 CEST 2001 struct Right { ExtensibleFamily rights_family; string rights_list; // gsmu for corba }; typedef sequence RightsList; enum RightsCombinator { SecAllRights, SecAnyRight }; // Delegation related enum DelegationState { SecInitiator, SecDelegate }; /** * This is the Delegation Directive. This directive * is part of the policy of whether or not to * enable delegation of credentials for a particular * invocation. */ enum DelegationDirective { Delegate, NoDelegate }; // pick up from TimeBase typedef TimeBase::UtcT UtcT; typedef TimeBase::IntervalT IntervalT; typedef TimeBase::TimeT TimeT; // Security features available on credentials. enum SecurityFeature { SecNoDelegation, SecSimpleDelegation, SecCompositeDelegation, SecNoProtection, SecIntegrity, SecConfidentiality, SecIntegrityAndConfidentiality, SecDetectReplay, SecDetectMisordering, SecEstablishTrustInTarget, SecEstablishTrustInClient }; // Quality of protection which can be specified // for an object reference and used to protect messages enum QOP { SecQOPNoProtection, SecQOPIntegrity, SecQOPConfidentiality, SecQOPIntegrityAndConfidentiality }; // Type of SecurityContext enum SecurityContextType { ClientSecurityContext, ServerSecurityContext }; // Operational State of a Security Context /** * The state of a context may go through several state * changes before becoming usuable. * * o SecContextInitialized * This state indicates that it has been initialized * and the initialized token as been produced. This * state is only good for Client type. * * o SecContextContinued * This state indicates that the security context has * needs more negotiation. * * o SecContextClientEstablished * This state indicates that when on the Client side, * we are able to protect messages and send them to the * server, however, we are still awaiting continue tokens * to fully establish the context, before we can reclaim * messages. * * o SecContextEstablished * This state indicates that the security context is invalid, * i.e. or no longer valid, and should not be used. * * o SecContextEstablishExpired * This state indicates that the security context expired * during the establish phase. * * o SecContextExpired * This state indicates that the security context expired * i.e. or no longer valid, and should not be used. * * o SecContextInvalid * This state indicates that the security context is invalid, * i.e. or no longer valid, and should not be used. */ enum SecurityContextState { SecContextInitialized, SecContextContinued, SecContextClientEstablished, SecContextEstablished, SecContextEstablishExpired, SecContextExpired, SecContextInvalid }; // For use with SecurityReplaceable struct OpaqueBuffer { Opaque buffer; unsigned long startpos; unsigned long endpos; // startpos <= endpos // OpaqueBuffer is said to be empty if startpos == endpos }; // Association options which can be administered // on secure invocation policy and used to // Initialize security context // kcg: in case somebody needs interoperability with broken VB // he/she needs to uncommend following define. //#define MICO_SSL_VB_COMPAT #ifdef MICO_SSL_VB_COMPAT typedef unsigned long AssociationOptions; #else typedef unsigned short AssociationOptions; #endif const AssociationOptions NoProtection = 1; const AssociationOptions Integrity = 2; const AssociationOptions Confidentiality = 4; const AssociationOptions DetectReplay = 8; const AssociationOptions DetectMisordering = 16; const AssociationOptions EstablishTrustInTarget = 32; const AssociationOptions EstablishTrustInClient = 64; const AssociationOptions NoDelegation = 128; const AssociationOptions SimpleDelegation = 256; const AssociationOptions CompositeDelegation = 512; // Flag to indicate whether association options being // administered are the "required" or "supported" set enum RequiresSupports { SecRequires, SecSupports }; // Direction of communication for which // secure invocation policy applies enum CommunicationDirection { SecDirectionBoth, SecDirectionRequest, SecDirectionReply }; // AssociationOptions-Direction pair struct OptionsDirectionPair { AssociationOptions options; CommunicationDirection direction; }; typedef sequence OptionsDirectionPairList; // Delegation mode which can be administered enum DelegationMode { SecDelModeNoDelegation, // i.e. use own credentials SecDelModeSimpleDelegation, // delegate received credentials SecDelModeCompositeDelegation // delegate both; }; // security association mechanism type typedef string MechanismType; typedef sequence MechanismTypeList; struct SecurityMechanismData { MechanismType mechanism; SecurityName security_name; AssociationOptions options_supported; AssociationOptions options_required; }; typedef sequence SecurityMechanismDataList; // Association options supported by a given mech type struct MechandOptions { MechanismType mechanism_type; AssociationOptions options_supported; }; typedef sequence MechandOptionsList; // Attribute of the SecurityLevel2::EstablishTrustPolicy struct EstablishTrust { boolean trust_in_client; boolean trust_in_target; }; // Audit typedef unsigned long AuditChannelId; typedef unsigned short _EventType; const _EventType AuditAll = 0; const _EventType AuditPrincipalAuth = 1; const _EventType AuditSessionAuth = 2; const _EventType AuditAuthorization = 3; const _EventType AuditInvocation = 4; const _EventType AuditSecEnvChange = 5; const _EventType AuditPolicyChange = 6; const _EventType AuditObjectCreation = 7; const _EventType AuditObjectDestruction = 8; const _EventType AuditNonRepudiation = 9; enum DayOfTheWeek { Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday }; enum AuditCombinator { SecAllSelectors, SecAnySelector }; struct AuditEventType { ExtensibleFamily event_family; unsigned short event_type; }; typedef sequence AuditEventTypeList; typedef unsigned long SelectorType; const SelectorType InterfaceName = 1; const SelectorType ObjectRef = 2; const SelectorType Operation = 3; const SelectorType Initiator = 4; const SelectorType SuccessFailure = 5; const SelectorType Time = 6; const SelectorType DayOfWeek = 7; // values defined for audit_needed and audit_write are: // InterfaceName: CORBA::RepositoryId // ObjectRef: object reference // Operation: op_name // Initiator: Credentials // SuccessFailure: boolean // Time: utc time on audit_write; time picked up from // environment in audit_needed if required // DayOfWeek: DayOfTheWeek struct SelectorValue { SelectorType selector; any value; }; typedef sequence SelectorValueList; // Constant declaration for Security Policy Types // General Administrative Policies const CORBA::PolicyType SecClientInvocationAccess = 1; const CORBA::PolicyType SecTargetInvocationAccess = 2; const CORBA::PolicyType SecApplicationAccess = 3; const CORBA::PolicyType SecClientInvocationAudit = 4; const CORBA::PolicyType SecTargetInvocationAudit = 5; const CORBA::PolicyType SecApplicationAudit = 6; const CORBA::PolicyType SecDelegation = 7; const CORBA::PolicyType SecClientSecureInvocation = 8; const CORBA::PolicyType SecTargetSecureInvocation = 9; const CORBA::PolicyType SecNonRepudiation = 10; // Policies used to control attributes of a binding to a target const CORBA::PolicyType SecMechanismPolicy = 12; const CORBA::PolicyType SecInvocationCredentialsPolicy = 13; const CORBA::PolicyType SecFeaturesPolicy = 14; // obsolete const CORBA::PolicyType SecQOPPolicy = 15; const CORBA::PolicyType SecDelegationDirectivePolicy = 38; const CORBA::PolicyType SecEstablishTrustPolicy = 39; //&&& Data for SSL Authentication struct SSLKeyCertCAPass { string _key; string cert; string CAfile; string CAdir; string pass; }; }; #endif /* _SECURITY_IDL_ */