// File: NRService.idl
// Part of the Security Service (Non-Repudiation Service)

#ifndef _NR_SERVICE_IDL
#define _NR_SERVICE_IDL

// omniORB specific pragmas to insert extra includes into the stub header.
#pragma hh #include "COS_sysdep.h"

#include <SecurityLevel2.idl>

#pragma prefix "omg.org"

module NRService {

  typedef Security::MechanismType   NRMech;
  typedef Security::ExtensibleFamily NRPolicyId;

  enum EvidenceType {
    SecProofofCreation,
    SecProofofReceipt,
    SecProofofApproval,
    SecProofofRetrieval,
    SecProofofOrigin,
    SecProofofDelivery,
    SecNoEvidence           // used when a request-only token is desired
  };

  enum NRVerificationResult {
    SecNRInvalid,
    SecNRValid,
    SecNRConditionallyValid
  };

  // The following are used for evidence validity duration.
  typedef unsigned long DurationInMinutes;

  const DurationInMinutes DurationHour  = 60;
  const DurationInMinutes DurationDay   = 1440;
  const DurationInMinutes DurationWeek  = 10080;
  const DurationInMinutes DurationMonth = 43200;   // 30 days
  const DurationInMinutes DurationYear  = 525600;  // 365 days

  typedef long TimeOffsetInMinutes;

  struct NRPolicyFeatures {
    NRPolicyId    policy_id;
    unsigned long policy_version;
    NRMech        mechanism;
  };

  typedef sequence <NRPolicyFeatures> NRPolicyFeaturesList;

  // Features used when generating requests.
  struct RequestFeatures {
    NRPolicyFeatures requested_policy;
    EvidenceType     requested_evidence;
    string           requested_evidence_generators;
    string           requested_evidence_recipients;
    boolean          include_this_token_in_evidence;
  };

  struct EvidenceDescriptor {
    EvidenceType      evidence_type;
    DurationInMinutes evidence_validity_duration;
    boolean           must_use_trusted_time;
  };

  typedef sequence <EvidenceDescriptor> EvidenceDescriptorList;

  struct AuthorityDescriptor {
    string              authority_name;
    string              authority_role;
    TimeOffsetInMinutes last_revocation_check_offset;
    // may be >0 or <0; add this to the evidence generation time to
    // get the latest time at which the mechanism will check to see
    // if this authority's key has been revoked.
  };

  typedef sequence <AuthorityDescriptor> AuthorityDescriptorList;

  struct MechanismDescriptor {
    NRMech                  mech_type;
    AuthorityDescriptorList authority_list;
    TimeOffsetInMinutes     max_time_skew;
    // max permissible difference between the evidence generation time
    // and the time of the time service countersignature;
    // ignored if trusted time is not required.
  };

  typedef sequence <MechanismDescriptor> MechanismDescriptorList;

  interface NRCredentials : SecurityLevel2::Credentials {

    boolean set_NR_features(
      in  NRPolicyFeaturesList requested_features,
      out NRPolicyFeaturesList actual_features
    );

    NRPolicyFeaturesList get_NR_features ();

    void generate_token(
      in  Security::Opaque input_buffer,
      in  EvidenceType     generate_evidence_type,
      in  boolean          include_data_in_token,
      in  boolean          generate_request,
      in  RequestFeatures  request_features,
      in  boolean          input_buffer_complete,
      out Security::Opaque nr_token,
      out Security::Opaque evidence_check
    );

    NRVerificationResult verify_evidence(
      in  Security::Opaque input_token_buffer,
      in  Security::Opaque evidence_check,
      in  boolean          form_complete_evidence,
      in  boolean          token_buffer_complete,
      out Security::Opaque output_token,
      out Security::Opaque data_included_in_token,
      out boolean          evidence_is_complete,
      out boolean          trusted_time_used,
      out Security::TimeT  complete_evidence_before,
      out Security::TimeT  complete_evidence_after
    );

    void get_token_details(
      in  Security::Opaque  token_buffer,
      in  boolean           token_buffer_complete,
      out string            token_generator_name,
      out NRPolicyFeatures  policy_features,
      out EvidenceType      evidence_type,
      out Security::UtcT    evidence_generation_time,
      out Security::UtcT    evidence_valid_start_time,
      out DurationInMinutes evidence_validity_duration,
      out boolean           data_included_in_token,
      out boolean           request_included_in_token,
      out RequestFeatures   request_features
    );

    boolean form_complete_evidence(
      in  Security::Opaque input_token,
      out Security::Opaque output_token,
      out boolean          trusted_time_used,
      out Security::TimeT  complete_evidence_before,
      out Security::TimeT  complete_evidence_after
    );
  };

  interface NRPolicy : CORBA::Policy {

    void get_NR_policy_info(
      out Security::ExtensibleFamily NR_policy_id,
      out unsigned long              policy_version,
      out Security::TimeT            policy_effective_time,
      out Security::TimeT            policy_expiry_time,
      out EvidenceDescriptorList     supported_evidence_types,
      out MechanismDescriptorList    supported_mechanisms
    );

    boolean set_NR_policy_info(
      in  MechanismDescriptorList requested_mechanisms,
      out MechanismDescriptorList actual_mechanisms
    );
  };
};

#endif /* _NR_SERVICE_IDL */