//
// CSI.idl
// CORBA Core 3.0 Chapter 24

#ifndef _CSI_IDL_
#define _CSI_IDL_

#ifdef _PRE_3_0_COMPILER_
#pragma prefix "omg.org"
#else
#endif // _PRE_3_0_COMPILER_

module CSI {

#ifndef _PRE_3_0_COMPILER_ 
    typeprefix CSI "omg.org";
#endif // _PRE_3_0_COMPILER_

    // The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever.

    const unsigned long OMGVMCID = 0x4F4D0;

    // An X509CertificateChain contains an ASN.1 BER encoded SEQUENCE 
    // [1..MAX] OF X.509 certificates encapsulated in a sequence of octets. The
    // subject's certificate shall come first in the list. Each following 
    // certificate shall directly certify the one preceding it. The ASN.1
    // representation of Certificate is as defined in [IETF RFC 2459].

    typedef sequence <octet> X509CertificateChain; 

    // an X.501 type name or Distinguished Name encapsulated in a sequence of
    // octets containing the ASN.1 encoding.

    typedef sequence <octet> X501DistinguishedName;

    // UTF-8 Encoding of String

    typedef sequence <octet> UTF8String;

    // ASN.1 Encoding of an OBJECT IDENTIFIER

    typedef sequence <octet> OID;

    typedef sequence <OID> OIDList;

    // A sequence of octets containing a GSStoken. Initial context tokens are
    // ASN.1 encoded as defined in [IETF RFC 2743] Section 3.1, 
    // "Mechanism-Independent token Format", pp. 81-82. Initial context tokens
    // contain an ASN.1 tag followed by a token length, a mechanism identifier,
    // and a mechanism-specific token (i.e. a GSSUP::InitialContextToken). The
    // encoding of all other GSS tokens (e.g. error tokens and final context
    // tokens) is mechanism dependent.

    typedef sequence <octet> GSSToken;

    // An encoding of a GSS Mechanism-Independent Exported Name Object as
    // defined in [IETF RFC 2743] Section 3.2, "GSS Mechanism-Independent
    // Exported Name Object Format," p. 84.

    typedef sequence <octet> GSS_NT_ExportedName;

    typedef sequence <GSS_NT_ExportedName> GSS_NT_ExportedNameList;

    // The MsgType enumeration defines the complete set of service context
    // message types used by the CSI context management protocols, including
    // those message types pertaining only to the stateful application of the 
    // protocols (to insure proper alignment of the identifiers between
    // stateless and stateful implementations). Specifically, the 
    // MTMessageInContext is not sent by stateless clients (although it may
    // be received by stateless targets).

    typedef short MsgType;
      
    const MsgType MTEstablishContext = 0;
    const MsgType MTCompleteEstablishContext = 1;      
    const MsgType MTContextError = 4; 
    const MsgType MTMessageInContext = 5;

    // The ContextId type is used carry session identifiers. A stateless 
    // application of the service context protocol is indicated by a session
    // identifier value of 0.

    typedef unsigned long long ContextId;

    // The AuthorizationElementType defines the contents and encoding of
    // the_element field of the AuthorizationElement.

    // The high order 20-bits of each AuthorizationElementType constant
    // shall contain the Vendor Minor Codeset ID (VMCID) of the
    // organization that defined the element type. The low order 12 bits
    // shall contain the organization-scoped element type identifier. The
    // high-order 20 bits of all element types defined by the OMG shall
    // contain the VMCID allocated to the OMG (that is, 0x4F4D0).
      
    typedef unsigned long AuthorizationElementType;

    // An AuthorizationElementType of X509AttributeCertChain indicates that 
    // the_element field of the AuthorizationElement contains an ASN.1 BER
    // SEQUENCE composed of an (X.509) AttributeCertificate followed by a
    // SEQUENCE OF (X.509) Certificate. The two-part SEQUENCE is encapsulated
    // in an octet stream. The chain of identity certificates is provided
    // to certify the attribute certificate. Each certificate in the chain 
    // shall directly certify the one preceding it. The first certificate
    // in the chain shall certify the attribute certificate. The ASN.1
    // representation of (X.509) Certificate is as defined in [IETF RFC 2459].
    // The ASN.1 representation of (X.509) AtributeCertificate is as defined
    // in [IETF ID PKIXAC].  

    const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1;

    typedef sequence <octet> AuthorizationElementContents;

    // The AuthorizationElement contains one element of an authorization token.
    // Each element of an authorization token is logically a PAC.

    struct AuthorizationElement {
	AuthorizationElementType   the_type;
	AuthorizationElementContents   the_element;
    };

    // The AuthorizationToken is made up of a sequence of 
    // AuthorizationElements

    typedef sequence <AuthorizationElement> AuthorizationToken;
      
    typedef unsigned long IdentityTokenType;

    // Additional standard identity token types shall only be defined by the
    // OMG. All IdentityTokenType constants shall be a power of 2.

    const IdentityTokenType ITTAbsent = 0;      
    const IdentityTokenType ITTAnonymous = 1;
    const IdentityTokenType ITTPrincipalName = 2;
    const IdentityTokenType ITTX509CertChain = 4;
    const IdentityTokenType ITTDistinguishedName = 8;

    typedef sequence <octet> IdentityExtension;
      
    union IdentityToken switch ( IdentityTokenType ) {
	case ITTAbsent: boolean absent;
	case ITTAnonymous: boolean anonymous;
        case ITTPrincipalName: GSS_NT_ExportedName principal_name;
	case ITTX509CertChain: X509CertificateChain certificate_chain;
	case ITTDistinguishedName: X501DistinguishedName dn;
	default: IdentityExtension id;
    };

    struct EstablishContext {
	ContextId client_context_id;
	AuthorizationToken authorization_token;
	IdentityToken identity_token;
	GSSToken client_authentication_token;
    };
      
    struct CompleteEstablishContext {
	ContextId client_context_id;
	boolean context_stateful;
	GSSToken final_context_token;
    };

    struct ContextError {
	ContextId client_context_id;
	long major_status;
	long minor_status;
	GSSToken error_token;
    };

    // Not sent by stateless clients. If received by a stateless server, a
    // ContextError message should be returned, indicating the session does
    // not exist.
      
    struct MessageInContext {
	ContextId client_context_id;
	boolean discard_context;
    };
      
    union SASContextBody switch ( MsgType ) {
	case MTEstablishContext: EstablishContext establish_msg;
	case MTCompleteEstablishContext: CompleteEstablishContext complete_msg;
	case MTContextError: ContextError error_msg;
	case MTMessageInContext: MessageInContext in_context_msg;
    };

    // The following type represents the string representation of an ASN.1
    // OBJECT IDENTIFIER (OID). OIDs are represented by the string "oid:"
    // followed by the integer base 10 representation of the OID separated
    // by dots. For example, the OID corresponding to the OMG is represented
    // as: "oid:2.23.130"     

    typedef string StringOID;

    // The GSS Object Identifier for the KRB5 mechanism is:
    // { iso(1) member-body(2) United States(840) mit(113554) infosys(1)
    // gssapi(2) krb5(2) }

    const StringOID KRB5MechOID = "oid:1.2.840.113554.1.2.2";

    // The GSS Object Identifier for name objects of the Mechanism-idependent
    // Exported Name Object type is:
    // { iso(1) org(3) dod(6) internet(1) security(5) nametypes(6)
    // gss-api-exported-name(4) }

    const StringOID GSS_NT_Export_Name_OID = "oid:1.3.6.1.5.6.4";

    // The GSS Object Identifier for the scoped-username name form is:
    // { iso-itu-t (2) international-organization (23) omg (130) security (1)
    // naming (2) scoped-username(1) }

    const StringOID GSS_NT_Scoped_Username_OID = "oid:2.23.130.1.2.1";

}; // CSI

#endif