author | Graeme Lunt <graeme.lunt@smhs.co.uk> | 2006-04-30 12:53:26 +0000 |
---|---|---|
committer | Graeme Lunt <graeme.lunt@smhs.co.uk> | 2006-04-30 12:53:26 +0000 |
commit | 84764fec2981ce2ea24af2620c947ddc22ad3595 (patch) | |
tree | a04b8be4810d1ff7ae31fa31e293e54ce9bd3c15 /asn1 | |
parent | 1ce378de2a489b17065ffa1b88af2fee2c9429d7 (diff) | |
Operational Attributes and Syntaxes
svn path=/trunk/; revision=18048
Diffstat (limited to 'asn1')
-rw-r--r-- | asn1/dap/dap-exp.cnf | 2 | ||||
-rw-r--r-- | asn1/dap/dap.cnf | 27 | ||||
-rw-r--r-- | asn1/dop/dop.asn | 213 | ||||
-rw-r--r-- | asn1/dop/dop.cnf | 18 | ||||
-rw-r--r-- | asn1/dop/packet-dop-template.c | 18 | ||||
-rw-r--r-- | asn1/x509if/x509if.cnf | 16 | ||||
-rw-r--r-- | asn1/x509sat/x509sat.cnf | 9 |
7 files changed, 282 insertions, 21 deletions
diff --git a/asn1/dap/dap-exp.cnf b/asn1/dap/dap-exp.cnf index 60efa31464..185cd1f698 100644 --- a/asn1/dap/dap-exp.cnf +++ b/asn1/dap/dap-exp.cnf @@ -1,6 +1,7 @@ #.IMPORT_TAG CommonResults BER_CLASS_UNI BER_UNI_TAG_SET ContextSelection BER_CLASS_ANY/*choice*/ -1/*choice*/ +Filter BER_CLASS_ANY/*choice*/ -1/*choice*/ SecurityParameters BER_CLASS_UNI BER_UNI_TAG_SET DirectoryBindArgument BER_CLASS_UNI BER_UNI_TAG_SET DirectoryBindError BER_CLASS_ANY/*choice*/ -1/*choice*/ @@ -36,6 +37,7 @@ UpdateError BER_CLASS_ANY/*choice*/ -1/*choice*/ #.TYPE_ATTR CommonResults TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 ContextSelection TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(dap_ContextSelection_vals) BITMASK = 0 +Filter TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(dap_Filter_vals) BITMASK = 0 SecurityParameters TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 DirectoryBindArgument TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 DirectoryBindError TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(dap_DirectoryBindError_vals) BITMASK = 0 diff --git a/asn1/dap/dap.cnf b/asn1/dap/dap.cnf index a44d0289d5..3c82a0a64b 100644 --- a/asn1/dap/dap.cnf +++ b/asn1/dap/dap.cnf @@ -26,6 +26,7 @@ DirectoryShadowAbstractService disp #.INCLUDE ../acse/acse-exp.cnf #.EXPORTS +Filter CommonResults Referral SecurityParameters 
@@ -176,19 +177,21 @@ ModifyRights/_item/item/value value-assertion %(DEFAULT_BODY)s - len = tvb_length(out_tvb); - /* now see if we can add a string representation */ - for(i=0; i<len; i++) - if(!g_ascii_isprint(tvb_get_guint8(out_tvb, i))) - break; + if(out_tvb) { + len = tvb_length(out_tvb); + /* now see if we can add a string representation */ + for(i=0; i<len; i++) + if(!g_ascii_isprint(tvb_get_guint8(out_tvb, i))) + break; - if(i == len) { - if((oct_item = get_ber_last_created_item())) { - - proto_item_append_text(oct_item," ("); - for(i=0; i<len; i++) - proto_item_append_text(oct_item,"%%c",tvb_get_guint8(out_tvb,i)); - proto_item_append_text(oct_item,")"); + if(i == len) { + if((oct_item = get_ber_last_created_item())) { + + proto_item_append_text(oct_item," ("); + for(i=0; i<len; i++) + proto_item_append_text(oct_item,"%%c",tvb_get_guint8(out_tvb,i)); + proto_item_append_text(oct_item,")"); + } } } diff --git a/asn1/dop/dop.asn b/asn1/dop/dop.asn index 626997c7c6..8c0cfc8583 100644 --- a/asn1/dop/dop.asn +++ b/asn1/dop/dop.asn @@ -15,7 +15,7 @@ IMPORTS FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 4} ATTRIBUTE, MATCHING-RULE, Name, Attribute, DistinguishedName, - RelativeDistinguishedName + RelativeDistinguishedName, Refinement, SubtreeSpecification, AttributeType, ContextAssertion FROM InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1) 4} -- OperationalBindingID @@ -26,7 +26,7 @@ IMPORTS FROM DistributedOperations {joint-iso-itu-t ds(5) module(1) distributedOperations(3) 4} -- from ITU-T Rec. X.520 | ISO/IEC 9594-6 - bitStringMatch + DirectoryString, NameAndOptionalUID, bitStringMatch FROM SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 4} PresentationAddress, ProtocolInformation 
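Review bot: A zero-length value still passes the `i == len` test inside the new `if(out_tvb)` block in asn1/dap/dap.cnf, so an empty octet string gets ` ()` appended to the item; `if(len > 0 && i == len) {` would avoid that. The guard itself would also read better with a comment such as `/* out_tvb stays NULL when the default body could not extract the value */`, though that is presumably the reason and should be confirmed against the BER helper. The declarations of `len`, `i` and `out_tvb` and the start of this FN_BODY are outside the hunk.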
@@ -38,11 +38,15 @@ IMPORTS -- from ITU-T Rec. X.509 | ISO/IEC 9594-8 AlgorithmIdentifier FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1) - authenticationFramework(7) 4}; - - - - + authenticationFramework(7) 4} + AttributeTypeAndValue + FROM BasicAccessControl {joint-iso-itu-t ds(5) module(1) + basicAccessControl(24) 4} + Filter + FROM DirectoryAbstractService {joint-iso-itu-t ds(5) module(1) + directoryAbstractService(2) 4} + EXTERNAL + FROM ACSE-1 {joint-iso-itu-t association-control(2) modules(0) acse1(1) version1(1)}; -- data types DSEType ::= BIT STRING { 
@@ -677,7 +681,200 @@ NHOBSubordinateToSuperior ::= SEQUENCE { -- ID id-op-binding-non-specific-hierarchical --} -END -- HierarchicalOperationalBindings +--END - - HierarchicalOperationalBindings + +-- Module BasicAccessControl (X.501:02/2001) +--BasicAccessControl {joint-iso-itu-t ds(5) module(1) basicAccessControl(24) 4} +--DEFINITIONS ::= +--BEGIN + +-- EXPORTS All +-- The types and values defined in this module are exported for use in the other ASN.1 modules contained +-- within the Directory Specifications, and for the use of other applications which will use them to access +-- Directory services. Other applications may use them for their own purposes, but this will not constrain +-- extensions and modifications needed to maintain or improve the Directory service. +--IMPORTS + -- from ITU-T Rec. X.501 | ISO/IEC 9594-2 +-- directoryAbstractService, id-aca, id-acScheme, informationFramework, +-- selectedAttributeTypes, upperBounds +-- FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) +-- usefulDefinitions(0) 4} +-- ATTRIBUTE, AttributeType, ContextAssertion, DistinguishedName, MATCHING-RULE, +-- objectIdentifierMatch, Refinement, SubtreeSpecification, +-- SupportedAttributes +-- FROM InformationFramework {joint-iso-itu-t ds(5) module(1) +-- informationFramework(1) 4} + -- from ITU-T Rec. X.511 | ISO/IEC 9594-3 +-- Filter +-- FROM DirectoryAbstractService {joint-iso-itu-t ds(5) module(1) +-- directoryAbstractService(2) 4} + -- from ITU-T Rec. 
X.520 | ISO/IEC 9594-6 +-- DirectoryString{}, directoryStringFirstComponentMatch, NameAndOptionalUID, +-- UniqueIdentifier +-- FROM SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1) +-- selectedAttributeTypes(5) 4} +-- ub-tag +-- FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 4}; + +-- types +ACIItem ::= SEQUENCE { + identificationTag DirectoryString --{ub-tag}--, + precedence Precedence, + authenticationLevel AuthenticationLevel, + itemOrUserFirst + CHOICE {itemFirst + [0] SEQUENCE {protectedItems ProtectedItems, + itemPermissions SET OF ItemPermission}, + userFirst + [1] SEQUENCE {userClasses UserClasses, + userPermissions SET OF UserPermission}} +} + +Precedence ::= INTEGER --(0..255)-- + +ProtectedItems ::= SEQUENCE { + entry [0] NULL OPTIONAL, + allUserAttributeTypes [1] NULL OPTIONAL, + attributeType + [2] SET --SIZE (1..MAX)-- OF AttributeType OPTIONAL, + allAttributeValues + [3] SET --SIZE (1..MAX)-- OF AttributeType OPTIONAL, + allUserAttributeTypesAndValues [4] NULL OPTIONAL, + attributeValue + [5] SET --SIZE (1..MAX)-- OF AttributeTypeAndValue OPTIONAL, + selfValue + [6] SET --SIZE (1..MAX)-- OF AttributeType OPTIONAL, + rangeOfValues [7] Filter OPTIONAL, + maxValueCount + [8] SET --SIZE (1..MAX)-- OF MaxValueCount OPTIONAL, + maxImmSub [9] INTEGER OPTIONAL, + restrictedBy + [10] SET --SIZE (1..MAX)-- OF RestrictedValue OPTIONAL, + contexts + [11] SET --SIZE (1..MAX)-- OF ContextAssertion OPTIONAL, + classes [12] Refinement OPTIONAL +} + +MaxValueCount ::= SEQUENCE {type AttributeType, + maxCount INTEGER +} + +RestrictedValue ::= SEQUENCE {type AttributeType, + valuesIn AttributeType +} + +UserClasses ::= SEQUENCE { + allUsers [0] NULL OPTIONAL, + thisEntry [1] NULL OPTIONAL, + name [2] SET --SIZE (1..MAX)-- OF NameAndOptionalUID OPTIONAL, + userGroup [3] SET --SIZE (1..MAX)-- OF NameAndOptionalUID OPTIONAL, + -- dn component shall be the name of an + -- entry of GroupOfUniqueNames + subtree [4] SET --SIZE (1..MAX)-- OF 
SubtreeSpecification OPTIONAL +} + +ItemPermission ::= SEQUENCE { + precedence Precedence OPTIONAL, + -- defaults to precedence in ACIItem + userClasses UserClasses, + grantsAndDenials GrantsAndDenials +} + +UserPermission ::= SEQUENCE { + precedence Precedence OPTIONAL, + -- defaults to precedence in ACIItem + protectedItems ProtectedItems, + grantsAndDenials GrantsAndDenials +} + +AuthenticationLevel ::= CHOICE { + basicLevels + SEQUENCE {level ENUMERATED {none(0), simple(1), strong(2)}, + localQualifier INTEGER OPTIONAL, + signed BOOLEAN DEFAULT FALSE}, + other EXTERNAL +} + +GrantsAndDenials ::= BIT STRING { + -- permissions that may be used in conjunction + -- with any component of ProtectedItems + grantAdd(0), denyAdd(1), grantDiscloseOnError(2), denyDiscloseOnError(3), + grantRead(4), denyRead(5), grantRemove(6), + denyRemove(7), + -- permissions that may be used only in conjunction + -- with the entry component + grantBrowse(8), denyBrowse(9), grantExport(10), denyExport(11), + grantImport(12), denyImport(13), grantModify(14), denyModify(15), + grantRename(16), denyRename(17), grantReturnDN(18), + denyReturnDN(19), + -- permissions that may be used in conjunction + -- with any component, except entry, of ProtectedItems + grantCompare(20), denyCompare(21), grantFilterMatch(22), denyFilterMatch(23), + grantInvoke(24), denyInvoke(25)} + +--AttributeTypeAndValue ::= SEQUENCE { +-- type ATTRIBUTE.&id({SupportedAttributes}), +-- value ATTRIBUTE.&Type({SupportedAttributes}{@type}) +--} + +-- attributes +--accessControlScheme ATTRIBUTE ::= { +-- WITH SYNTAX OBJECT IDENTIFIER +-- EQUALITY MATCHING RULE objectIdentifierMatch +-- SINGLE VALUE TRUE +-- USAGE directoryOperation +-- ID id-aca-accessControlScheme +--} + +--prescriptiveACI ATTRIBUTE ::= { +-- WITH SYNTAX ACIItem +-- EQUALITY MATCHING RULE directoryStringFirstComponentMatch +-- USAGE directoryOperation +-- ID id-aca-prescriptiveACI +--} + +--entryACI ATTRIBUTE ::= { +-- WITH SYNTAX ACIItem +-- EQUALITY 
MATCHING RULE directoryStringFirstComponentMatch +-- USAGE directoryOperation +-- ID id-aca-entryACI +--} + +--subentryACI ATTRIBUTE ::= { +-- WITH SYNTAX ACIItem +-- EQUALITY MATCHING RULE directoryStringFirstComponentMatch +-- USAGE directoryOperation +-- ID id-aca-subentryACI +--} + +-- object identifier assignments +-- attributes +--id-aca-accessControlScheme OBJECT IDENTIFIER ::= +-- {id-aca 1} + +--id-aca-prescriptiveACI OBJECT IDENTIFIER ::= {id-aca 4} + +--id-aca-entryACI OBJECT IDENTIFIER ::= {id-aca 5} + +--id-aca-subentryACI OBJECT IDENTIFIER ::= {id-aca 6} + +-- access control schemes - +--basicAccessControlScheme OBJECT IDENTIFIER ::= +-- {id-acScheme 1} + +--simplifiedAccessControlScheme OBJECT IDENTIFIER ::= {id-acScheme 2} + +--rule-based-access-control OBJECT IDENTIFIER ::= {id-acScheme 3} + +--rule-and-basic-access-control OBJECT IDENTIFIER ::= {id-acScheme 4} + +--rule-and-simple-access-control OBJECT IDENTIFIER ::= {id-acScheme 5} + +END -- BasicAccessControl + +-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D + + -- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D diff --git a/asn1/dop/dop.cnf b/asn1/dop/dop.cnf index ad192bde1e..99e6cd83e2 100644 --- a/asn1/dop/dop.cnf +++ b/asn1/dop/dop.cnf @@ -4,12 +4,17 @@ DistributedOperations dsp DirectoryAbstractService dap InformationFramework x509if AuthenticationFramework x509af +BasicAccessControl crmf +ACSE-1 acse #.INCLUDE ../x509sat/x509sat-exp.cnf #.INCLUDE ../x509if/x509if-exp.cnf #.INCLUDE ../x509af/x509af-exp.cnf #.INCLUDE ../dsp/dsp-exp.cnf #.INCLUDE ../dap/dap-exp.cnf +#.INCLUDE ../pkixcrmf/crmf-exp.cnf +#.INCLUDE ../acse/acse-exp.cnf + #.EXPORTS DSEType 
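Review bot: The added module mapping `BasicAccessControl crmf` in asn1/dop/dop.cnf is not self-explanatory, because the BasicAccessControl types (ACIItem, ProtectedItems and so on) are inlined into dop.asn by this same commit and only `AttributeTypeAndValue` is imported under that module name. It looks as though the mapping exists solely to borrow the CRMF dissector's `AttributeTypeAndValue`; a comment beside it, for example `# AttributeTypeAndValue is taken from the CRMF dissector; the rest of BasicAccessControl is defined in dop.asn`, would save the next reader from hunting for a BasicAccessControl dissector. Whether the CRMF implementation resolves the value through the same OID callback table as the X.500 attributes is not visible here and is worth confirming.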
@@ -85,6 +90,10 @@ NHOBSuperiorToSubordinate B "dop.modify.rolea.2.5.19.3" "non-specific-hierarchi NHOBSubordinateToSuperior B "dop.establish.roleb.2.5.19.3" "non-specific-hierarchical-establish-roleb" NHOBSubordinateToSuperior B "dop.modify.roleb.2.5.19.3" "non-specific-hierarchical-modify-roleb" +ACIItem B "2.5.24.4" "id-aca-prescriptiveACI" +ACIItem B "2.5.24.5" "id-aca-entryACI" +ACIItem B "2.5.24.6" "id-aca-subentryACI" + #.FN_PARS OBJECT_IDENTIFIER FN_VARIANT = _str VAL_PTR = &binding_type @@ -179,3 +188,12 @@ NHOBSubordinateToSuperior B "dop.modify.roleb.2.5.19.3" "non-specific-hierarch } } +#.FN_PARS Precedence VAL_PTR = &precedence + +#.FN_BODY Precedence + guint32 precedence = 0; + + %(DEFAULT_BODY)s + + proto_item_append_text(tree, " precedence=%%d", precedence); + diff --git a/asn1/dop/packet-dop-template.c b/asn1/dop/packet-dop-template.c index da0c9f6572..701d2b26ea 100644 --- a/asn1/dop/packet-dop-template.c +++ b/asn1/dop/packet-dop-template.c @@ -44,6 +44,7 @@ #include "packet-x509if.h" #include "packet-dap.h" #include "packet-dsp.h" +#include "packet-crmf.h" #include "packet-dop.h" 
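Review bot: In the new `#.FN_BODY Precedence` of asn1/dop/dop.cnf, `precedence` is declared `guint32` but is formatted with `%%d`, so a wire value with the top bit set is displayed as a negative number; `proto_item_append_text(tree, " precedence=%%u", precedence);` matches the type. The `(0..255)` constraint on Precedence is commented out in dop.asn in this commit, so nothing visible here flags an out-of-range value before it is printed. The text is appended to `tree` rather than to the item the default body creates, which deserves a one-line comment if it is intentional.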
@@ -273,6 +274,23 @@ void proto_reg_handoff_dop(void) { register_ber_oid_name("2.5.19.2", "hierarchical-agreement"); register_ber_oid_name("2.5.19.3", "non-specific-hierarchical-agreement"); + /* ACCESS CONTROL SCHEMES */ + register_ber_oid_name("2.5.28.1", "basic-ACS"); + register_ber_oid_name("2.5.28.2", "simplified-ACS"); + register_ber_oid_name("2.5.28.3", "ruleBased-ACS"); + register_ber_oid_name("2.5.28.4", "ruleAndBasic-ACS"); + register_ber_oid_name("2.5.28.5", "ruleAndSimple-ACS"); + + /* ADMINISTRATIVE ROLES */ + register_ber_oid_name("2.5.23.1", "id-ar-autonomousArea"); + register_ber_oid_name("2.5.23.2", "id-ar-accessControlSpecificArea"); + register_ber_oid_name("2.5.23.3", "id-ar-accessControlInnerArea"); + register_ber_oid_name("2.5.23.4", "id-ar-subschemaAdminSpecificArea"); + register_ber_oid_name("2.5.23.5", "id-ar-collectiveAttributeSpecificArea"); + register_ber_oid_name("2.5.23.6", "id-ar-collectiveAttributeInnerArea"); + register_ber_oid_name("2.5.23.7", "id-ar-contextDefaultSpecificArea"); + register_ber_oid_name("2.5.23.8", "id-ar-serviceSpecificArea"); + /* remember the tpkt handler for change in preferences */ tpkt_handle = find_dissector("tpkt"); diff --git a/asn1/x509if/x509if.cnf b/asn1/x509if/x509if.cnf index f3726d9291..66bfd93c19 100644 --- a/asn1/x509if/x509if.cnf +++ b/asn1/x509if/x509if.cnf 
@@ -97,6 +97,14 @@ DistinguishedName B "2.5.4.33" "id-at-roleOccupant" DistinguishedName B "2.5.4.34" "id-at-seeAlso" DistinguishedName B "2.5.4.49" "id-at-distinguishedName" +DistinguishedName B "2.5.18.3" "id-oa-creatorsName" +DistinguishedName B "2.5.18.4" "id-oa-modifiersName" +#SubtreeSpecification B "2.5.18.6" "id-oa-subtreeSpecification" +DistinguishedName B "2.5.18.10" "id-oa-subschemaSubentry" +DistinguishedName B "2.5.18.11" "id-oa-subschemaSubentry" +DistinguishedName B "2.5.18.12" "id-oa-collectiveAttributeSubentry" +DistinguishedName B "2.5.18.13" "id-oa-contextDefaultSubentry" + # X402 - see master list in acp133.cnf DistinguishedName B "2.6.5.2.5" "id-at-mhs-message-store-dn" DistinguishedName B "2.6.5.2.14" "id-at-mhs-dl-related-lists" @@ -117,6 +125,8 @@ DistinguishedName B "2.16.840.1.101.2.2.1.138" "id-at-plasServed" DistinguishedName B "2.16.840.1.101.2.2.1.139" "id-at-deployed" DistinguishedName B "2.16.840.1.101.2.2.1.140" "id-at-garrison" + + #.FN_PARS ContextId FN_VARIANT = _str HF_INDEX = hf_x509if_object_identifier_id VAL_PTR = &object_identifier_id @@ -162,9 +172,14 @@ DistinguishedName B "2.16.840.1.101.2.2.1.140" "id-at-garrison" char *value = NULL; const char *fmt; const char *name = NULL; + const char *orig_oid = object_identifier_id; offset=call_ber_oid_callback(object_identifier_id, tvb, offset, pinfo, tree); + /* in dissecting the value we may have overridden the OID of the value - which is + a problem if there are multiple values */ + object_identifier_id = orig_oid; + /* try and dissect as a string */ dissect_ber_octet_string(FALSE, pinfo, NULL, tvb, old_offset, hf_x509if_any_string, &out_tvb); @@ -268,7 +283,6 @@ DistinguishedName B "2.16.840.1.101.2.2.1.140" "id-at-garrison" col_append_fstr(pinfo->cinfo, COL_INFO, " %%s%%s", fmt, last_dn); } - last_dn = NULL; #.FN_BODY RDNSequence/_item diff --git a/asn1/x509sat/x509sat.cnf b/asn1/x509sat/x509sat.cnf index 005c27e59e..0b8aa7afcf 100644 --- a/asn1/x509sat/x509sat.cnf 
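Review bot: Two of the added registrations in asn1/x509if/x509if.cnf carry the same name: both `"2.5.18.10"` and `"2.5.18.11"` are labelled `"id-oa-subschemaSubentry"`, so two different operational attributes are indistinguishable in the dissected output. In X.501 {id-oa 11} appears to be the access-control subentry attribute, which would make the second line `DistinguishedName B "2.5.18.11" "id-oa-accessControlSubentry"`; please check the name against the standard. A mislabelled access-control attribute is easy to overlook when reading a capture of directory traffic.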
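Review bot: `orig_oid` in asn1/x509if/x509if.cnf saves only the pointer held in `object_identifier_id`, so restoring it after `call_ber_oid_callback()` is correct only if the nested dissection assigns a different buffer instead of overwriting the storage `orig_oid` points at. The declaration of `object_identifier_id` and the start of this FN_BODY are outside the hunk, so this needs confirming against the code that sets it. Stating that assumption in the new comment would help, for example `/* assumes nested dissectors replace the pointer and leave the original string intact */`.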
+++ b/asn1/x509sat/x509sat.cnf @@ -164,6 +164,15 @@ DirectoryString B "2.5.4.65" "id-at-pseudonym" ObjectIdentifier B "2.5.4.66" "id-at-communuicationsService" ObjectIdentifier B "2.5.4.67" "id-at-communuicationsNetwork" +SyntaxGeneralizedTime B "2.5.18.1" "id-oa-createTimeStamp" +SyntaxGeneralizedTime B "2.5.18.2" "id-oa-modifyTimeStamp" +ObjectIdentifier B "2.5.18.5" "id-oa-administrativeRole" +ObjectIdentifier B "2.5.18.7" "id-oa-collectiveExclusions" +SyntaxGeneralizedTime B "2.5.18.8" "id-oa-subschemaTimeStamp" +Boolean B "2.5.18.9" "id-oa-hasSubordinates" + +ObjectIdentifier B "2.5.24.1" "id-aca-accessControlScheme" + # X402 - see master list in acp133.cnf ObjectIdentifier B "2.6.5.2.8" "id-at-mhs-supported-automatic-actions" ObjectIdentifier B "2.6.5.2.10" "id-at-mhs-supported-attributes" |