author | Martin Kaiser <wireshark@kaiser.cx> | 2013-12-31 14:20:08 +0000 |
---|---|---|
committer | Martin Kaiser <wireshark@kaiser.cx> | 2013-12-31 14:20:08 +0000 |
commit | 43e892e985fb8e01d7422886a4a88e0e8d69422e (patch) | |
tree | 6b6b1942a196b87aa984e422a092c23317c7bcd8 /asn1 | |
parent | fc15329e6a33ddd7550b9fb76bcbc5b814bb7e37 (diff) |
From Dirk
dissector for Novell's PKIS certificate extensions
from me
clean up the $Id$ tags
remove packet-pkis(-template).h
remove ASN.1 definitions that cause compiler warnings
(OID, SecurityLabelType2)
move the dissector to the clean ASN.1 dissectors
support CMake build
change the name to novell_pkis
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9597
svn path=/trunk/; revision=54508
Diffstat (limited to 'asn1')
-rw-r--r-- | asn1/CMakeLists.txt | 1 | ||||
-rw-r--r-- | asn1/Makefile.am | 1 | ||||
-rw-r--r-- | asn1/Makefile.nmake | 1 | ||||
-rw-r--r-- | asn1/novell_pkis/CMakeLists.txt | 47 | ||||
-rw-r--r-- | asn1/novell_pkis/Makefile.am | 23 | ||||
-rw-r--r-- | asn1/novell_pkis/Makefile.common | 37 | ||||
-rw-r--r-- | asn1/novell_pkis/Makefile.nmake | 26 | ||||
-rw-r--r-- | asn1/novell_pkis/novell_pkis.asn | 283 | ||||
-rw-r--r-- | asn1/novell_pkis/novell_pkis.cnf | 22 | ||||
-rw-r--r-- | asn1/novell_pkis/packet-novell_pkis-template.c | 66 |
10 files changed, 507 insertions, 0 deletions
diff --git a/asn1/CMakeLists.txt b/asn1/CMakeLists.txt
index 8a519a9508..dc86af264b 100644
--- a/asn1/CMakeLists.txt
+++ b/asn1/CMakeLists.txt
@@ -79,6 +79,7 @@ set(ASN1_SRC_DIRS
 mpeg-pes
 nbap
 ns_cert_exts
+ novell_pkis
 ocsp
 p1
 p22
diff --git a/asn1/Makefile.am b/asn1/Makefile.am
index 238c845144..0f62fe351d 100644
--- a/asn1/Makefile.am
+++ b/asn1/Makefile.am
@@ -80,6 +80,7 @@ SUBDIRS = \
 mpeg-audio \
 mpeg-pes \
 nbap \
+ novell_pkis \
 ns_cert_exts \
 ocsp \
 p1 \
diff --git a/asn1/Makefile.nmake b/asn1/Makefile.nmake
index 1ab5f69239..213adbd2e9 100644
--- a/asn1/Makefile.nmake
+++ b/asn1/Makefile.nmake
@@ -78,6 +78,7 @@ BER_LIST= \
 logotypecertextn \
 mms \
 ns_cert_exts \
+ novell_pkis \
 ocsp \
 p1 \
 p22 \
diff --git a/asn1/novell_pkis/CMakeLists.txt b/asn1/novell_pkis/CMakeLists.txt
new file mode 100644
index 0000000000..2895aefc36
--- /dev/null
+++ b/asn1/novell_pkis/CMakeLists.txt
@@ -0,0 +1,47 @@
+# CMakeLists.txt
+#
+# $Id$
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+set( PROTOCOL_NAME novell_pkis )
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+ ${EXT_ASN_FILE_LIST}
+ ${PROTOCOL_NAME}.asn
+)
+
+set( EXTRA_DIST
+ ${ASN_FILE_LIST}
+ packet-${PROTOCOL_NAME}-template.c
+ ${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+ ${EXTRA_DIST}
+ ${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b -u )
+
+ASN2WRS()
diff --git a/asn1/novell_pkis/Makefile.am b/asn1/novell_pkis/Makefile.am
new file mode 100644
index 0000000000..ff76388193
--- /dev/null
+++ b/asn1/novell_pkis/Makefile.am
@@ -0,0 +1,23 @@
+# $Id$
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+include ../Makefile.preinc
+include Makefile.common
+include ../Makefile.inc
diff --git a/asn1/novell_pkis/Makefile.common b/asn1/novell_pkis/Makefile.common
new file mode 100644
index 0000000000..5ab18b1203
--- /dev/null
+++ b/asn1/novell_pkis/Makefile.common
@@ -0,0 +1,37 @@
+# $Id$
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+PROTOCOL_NAME=novell_pkis
+
+EXT_ASN_FILE_LIST =
+ASN_FILE_LIST = $(PROTOCOL_NAME).asn
+
+EXTRA_DIST = \
+ Makefile.nmake \
+ $(ASN_FILE_LIST) \
+ packet-$(PROTOCOL_NAME)-template.c \
+ $(PROTOCOL_NAME).cnf
+
+SRC_FILES = \
+ $(EXTRA_DIST) \
+ $(EXT_ASN_FILE_LIST) \
+ $(ASN_FILE_LIST)
+
+A2W_FLAGS = -b -u
diff --git a/asn1/novell_pkis/Makefile.nmake b/asn1/novell_pkis/Makefile.nmake
new file mode 100644
index 0000000000..ce532ca797
--- /dev/null
+++ b/asn1/novell_pkis/Makefile.nmake
@@ -0,0 +1,26 @@
+## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake
+#
+# $Id$
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+include ../../config.nmake
+include ../Makefile.preinc.nmake
+include Makefile.common
+include ../Makefile.inc.nmake
diff --git a/asn1/novell_pkis/novell_pkis.asn b/asn1/novell_pkis/novell_pkis.asn
new file mode 100644
index 0000000000..fff6c8a9ad
--- /dev/null
+++ b/asn1/novell_pkis/novell_pkis.asn
@@ -0,0 +1,283 @@ +-- from pkisv10.pdf +-- you can find this document at https://web.archive.org/web/19990224174228/http://www.developer.novell.com/repository/attributes/certattrs_v10.htm + +PKIS { joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719) } DEFINITIONS IMPLICIT TAGS ::= +BEGIN + +-- ASN.1 Definition of Useful Attributes + +-- The following are useful Novell OIDs, etc. +novell OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719)} +applications OBJECT IDENTIFIER ::= {novell applications(1) } +pki OBJECT IDENTIFIER ::= {applications pki(9) } +pkiAttributeType OBJECT IDENTIFIER ::= {pki at(4) } +pkiAttributeSyntax OBJECT IDENTIFIER ::= {pki at(5) } +pkiObjectClass OBJECT IDENTIFIER ::= {pki at(6) } + +-- The following unique PKI attributes are hereby defined under the novell applications pki arc: +pa-sa OBJECT IDENTIFIER ::= { pkiAttributeType (1) } + -- securityAttributes + -- 2.16.840.113719.1.9.4.1 + +pa-rl OBJECT IDENTIFIER ::= { pkiAttributeType (2) } + -- relianceLimit + -- 2.16.840.113719.1.9.4.2 + +SecurityAttributes ::= SEQUENCE { + versionNumber OCTET STRING (SIZE (2)), + -- The initial value should be (01 00) + -- The first octet is the major version, + -- the second octet is the minor version number. + nSI BOOLEAN (TRUE), + -- NSI = “Nonverified Subscriber Information” + -- If FALSE, it means that the CA issuing + -- a certificate HAS verified the validity + -- of ALL of the values contained + -- within the Novell Security Attributes + -- using appropriate means as defined + -- for example in their Certificate Policy + -- and/or Certificate Practice Statement + -- If TRUE, it means that the subscriber + -- requesting the certificate has represented + -- to the CA that the extension defined + -- is valid and correct, but that the CA + -- has not independently validated the accuracy + -- of the attribute. 
Note that in no case may + -- the CA issue a certificate containing an + -- extension which it has reason to + -- believe is not accurate at the time of + -- issuance, except for test certificates + -- which are identified as such in the + -- Certificate class attribute (by setting + -- the certificateValid flag to FALSE.) + securityTM PrintableString ("Novell Security Attribute(tm)"), + -- Note: Since the “Novell Security + -- Attribute(tm)” string is trademarked, if + -- it is displayed visually to the user it + -- must be presented exactly as shown, + -- in English, even in non-English + -- implementations. A translation of the + -- phrase may be displayed to the user + -- in addition, if desired. + -- Vendors who license the use of the term + -- must agree to check for the presence of + -- this string in any attribute defined (by its + -- OID) as a Novell Security attribute + uriReference IA5String, + -- The initial value should be set to (“http://developer.novell.com/repository/attributes/certattrs_v10.htm”), + -- This attribute will be included in all + -- NICI and PKIS certificates. + -- Novell will maintain a copy of this + -- document or other suitable definition + -- at that location. + gLBExtensions GLBExtensions +} + +GLBExtensions::=SEQUENCE{ + -- These are the extensions over which the + -- Greatest Lower Bound is computed within NICI. 
+ keyQuality [0] IMPLICIT KeyQuality, + cryptoProcessQuality [1] IMPLICIT CryptoProcessQuality, + certificateClass [2] IMPLICIT CertificateClass, + enterpriseId [3] IMPLICIT EnterpriseId +} + +-- ASN.1 Definitions of Key Quality and Crypto Process Quality Attributes: +KeyQuality ::= Quality +CryptoProcessQuality ::= Quality + +Quality ::= SEQUENCE { + enforceQuality BOOLEAN, + -- If TRUE, the explicit attributes compusecQuality, + -- cryptoQuality, and keyStorageQuality, plus the + -- implicit attributes algorithmType and keyLength + -- are either enforced at all times, or a dynamic low + -- water mark (Greatest Lower Bound)may be maintained. + -- I.e., if enforceQuality is TRUE for the + -- keyQuality attribute, the key must never be + -- allowed to be transported to and/or used on any + -- platform that does not meet the minimum + -- criteria, and hence enforceQuality must be TRUE for + -- the cryptoProcessQuality as well + -- If enforceQuality is FALSE for keyQuality, but + -- TRUE for cryptoProcessQuality, then the + -- operating system has not enforced the criteria + -- in any technical sense, but the subscriber + -- is nonetheless representing that the minimum + -- criteria will be maintained, + -- e.g., by manual or procedural controls. + -- For PKIS and NICI versions 1.0, enforceQuality + -- must be set to FALSE in the keyQuality attribute. + compusecQuality CompusecQuality, + cryptoQuality CryptoQuality, + keyStorageQuality INTEGER (0..255) -- See definitions in Appendix C +} + +CompusecQuality ::= SEQUENCE SIZE (1..1) + OF CompusecQualityPair + -- Multiple pairs of {Criteria, Rating} are allowed + -- In the first release, only one pair(TCSEC criteria)is provided + +CompusecQualityPair ::= SEQUENCE { + compusecCriteria INTEGER(0..255), + -- The default should be 1, but DEFAULT implies OPTIONAL, which + -- is not the intent. So the value has to be coded explicitly. 
+ -- 0= Reserved (encoding error) + -- 1= Trusted Computer Security Evaluation Criteria (TCSEC) + -- 2= International Trusted Security Evaluation Criteria (ITSEC) + -- 3= Common Criteria + -- all others reserved + compusecRating INTEGER (0..255) + -- the compusecRating is in accordance with the specified + -- compusecCriteria for each pair in the sequence + -- Defined values for ratings for components and systems formally + -- evaluated in accordance with the Trusted Computer Security + -- Evaluation Criteria and the Trusted Network Interpretation + -- (Red Book) are provided in Appendix A. +} + +CryptoQuality ::= SEQUENCE SIZE (1..1) + OF CryptoQualityPair + -- Multiple pairs of {Criteria, Rating} are allowed. + -- In the initial release, only one pair is provided. + +CryptoQualityPair ::= SEQUENCE { + cryptoModuleCriteria INTEGER(0..255), + -- The default should be 1, but DEFAULT implies OPTIONAL, which + -- is not the intent. So the value has to be coded explicitly. + -- 1 = FIPS 140-1 + -- all others reserved + cryptoModuleRating INTEGER (0..255) + -- the cryptoModuleRating value is in accordance with + -- the specified cryptoModuleCriteria for each pair + -- FIPS 140-1 ratings definitions: + -- 0 = Reserved (encoding error) + -- 1 = unevaluated/unknown, + -- all others—see Appendix B +} + +-- ASN.1 Definition of Certificate Class Attribute: + +CertificateClass ::= SEQUENCE { + classValue INTEGER (0..255), + -- Defined class values are contained in Appendix C + certificateValid BOOLEAN + -- The default should be true, but DEFAULT is OPTIONAL + -- which would make the GLB computation awkward. + -- See Section 5 and the footnote for a discussion. 
+} + +-- ASN.1 Definition of Enterprise Identifier Attribute: + +EnterpriseId ::= SEQUENCE { + rootLabel [0] IMPLICIT SecurityLabelType1, + registryLabel [1] IMPLICIT SecurityLabelType1, + enterpriseLabel [2] IMPLICIT SEQUENCE SIZE (1..1) OF SecurityLabelType1 +} + +SecurityLabelType1 ::= SEQUENCE { + labelType1 INTEGER (0..255), + -- The default should be 2, but DEFAULT implies OPTIONAL, which + -- is not the intent. So the value has to be coded explicitly. + -- Note that the label type for Version 1 + -- of Graded Authentication is 0 or 1. + -- Byte sizes and reserved fields are omitted, + -- because they are derivable from the ASN.1. + secrecyLevel1 INTEGER (0..255), + -- The default should be 0, but DEFAULT implies OPTIONAL, which + -- is not the intent. So the value has to be coded explicitly. + -- 0 = low secrecy, 255 = high secrecy + -- It seems highly unlikely anyone would ever + -- need more than 255 secrecy levels + integrityLevel1 INTEGER (0..255), + -- The default should be 0, but DEFAULT implies OPTIONAL, which + -- is not the intent. So the value has to be coded explicitly. + -- NOTE! 255 = low integrity, 0 = high integrity! + -- It seems highly unlikely anyone would ever + -- need more than 255 integrity levels + secrecyCategories1 BIT STRING (SIZE(96)), + -- The default should be FALSE, but DEFAULT implies OPTIONAL, + -- which is not the intent. So the value has to be coded + -- explicitly. + -- 96 secrecy categories, 0 origin indexing + integrityCategories1 BIT STRING (SIZE(64)), + -- The default should be FALSE, but DEFAULT implies OPTIONAL, + -- which is not the intent. So the value has to be coded + -- explicitly. 
+ -- 64 integrity categories, 0 origin indexing + secrecySingletons1 Singletons, + integritySingletons1 Singletons +} + +-- (removed the unused definition of SecurityLabelType2) + +Singletons ::= SEQUENCE SIZE (1..16) OF SingletonChoice + -- Presently up to 16 singletons or singleton ranges + -- can be defined within one security label. This + -- is completely arbitrary and can be easily changed, + -- but it seems reasonable. Note that no more space + -- is taken in the ASN.1 DER encoding than is actually + -- required. + +SingletonChoice ::= CHOICE { + uniqueSingleton INTEGER (0..9223372036854775807), + -- The implied value of the singleton being + -- specified in this case is TRUE. + -- Note that there isn’t any way to set a + -- singleton value to FALSE, except by using the + -- SingletonRange functions with identical lower + -- and upper bounds. + singletonRange SingletonRange +} + +SingletonRange ::= SEQUENCE { + singletonLowerBound INTEGER (0..9223372036854775807), + -- The default should be 0, but DEFAULT implies OPTIONAL, + -- which is not the intent. So the value has to be coded + -- explicitly. + -- Lower bound of a range of singletons + -- to be set to the singletonValue specified + + singletonUpperBound INTEGER (0..9223372036854775807), + -- The default should be 9223372036854775807, + -- but DEFAULT implies OPTIONAL, + -- which is not the intent. So the value has to be coded + -- explicitly. + -- Upper bound of a range of singletons + -- to be set to the singletonValue specified + singletonValue BOOLEAN + -- An entire range of singletons can be set to + -- either TRUE or FALSE. + -- Note that singletonRanges are allowed to overlap, + -- and in particular that a uniqueSingleton can + -- reset a singleton value already set by a + -- singletonRange, and vice versa. + -- The uniqueSingleton and singletonRanges are applied + -- consecutively, from the lower bound of SEQUENCE (1) + -- to the upper bound. 
+}
+
+-- ASN.1 Definition of Reliance Limit Attribute:
+
+-- relianceLimits EXTENSION ::= { SYNTAX RelianceLimits IDENTIFIED BY {pa-rl) }
+-- 2.16.840.113719.1.9.4.2
+
+RelianceLimits ::= SEQUENCE {
+ perTransactionLimit MonetaryValue,
+ perCertificateLimit MonetaryValue
+}
+
+MonetaryValue ::= SEQUENCE { -- from SET and draft ANSI X9.45
+ currency Currency,
+ amount INTEGER, -- value is amount * (10 ** amtExp10), an exact representation
+ amtExp10 INTEGER
+}
+
+Currency ::= INTEGER (1..999)
+-- currency denomination from ISO 4217
+-- cf. Appendix E for the numeric currency codes and their
+-- alphabetic (display) equivalents.
+-- US Dollar (USD) is 840.
+-- Euro (EUR) is 978.
+
+END
diff --git a/asn1/novell_pkis/novell_pkis.cnf b/asn1/novell_pkis/novell_pkis.cnf
new file mode 100644
index 0000000000..c173f2dd4a
--- /dev/null
+++ b/asn1/novell_pkis/novell_pkis.cnf
@@ -0,0 +1,22 @@
+# pkis.cnf
+
+# $Id$
+
+#.MODULE_IMPORT
+
+#.EXPORTS
+
+#.REGISTER
+SecurityAttributes B "2.16.840.1.113719.1.9.4.1" "pa-sa"
+RelianceLimits B "2.16.840.1.113719.1.9.4.2" "pa-rl"
+
+#.PDU
+# PKIS-MESSAGE
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+
+#.END
diff --git a/asn1/novell_pkis/packet-novell_pkis-template.c b/asn1/novell_pkis/packet-novell_pkis-template.c
new file mode 100644
index 0000000000..c0192c5f33
--- /dev/null
+++ b/asn1/novell_pkis/packet-novell_pkis-template.c
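Review bot: The OID comments under `pa-sa`, `pa-rl` and the commented relianceLimits EXTENSION line read `2.16.840.113719.1.9.4.1` / `.4.2`, which drop the `organization(1)` arc that the module header itself declares in `us(840) organization(1) novell (113719)`; the .cnf registers the full `2.16.840.1.113719.1.9.4.1` and `2.16.840.1.113719.1.9.4.2`, so the comments should be corrected to those values before someone copies the short form into another registration. The same commented line has a mismatched bracket in `IDENTIFIED BY {pa-rl)`, which is cosmetic but worth fixing while touching it. Separately, `SingletonChoice` and `SingletonRange` constrain INTEGER to `(0..9223372036854775807)`, a 64-bit range; if asn2wrs emits its default 32-bit integer handling for these fields, well-formed certificates carrying larger values would be reported as malformed rather than decoded, so it is worth confirming in the generated -fn.c and, if needed, forcing 64-bit handling from the .cnf.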
@@ -0,0 +1,66 @@
+/* packet-novell_pkis.c
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "config.h"
+
+#include <glib.h>
+#include <epan/expert.h>
+#include <epan/packet.h>
+#include <epan/prefs.h>
+#include <epan/oids.h>
+#include <epan/conversation.h>
+#include <epan/asn1.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <epan/dissectors/packet-per.h>
+#include "packet-ber.h"
+
+#include "packet-novell_pkis-hf.c"
+#include "packet-novell_pkis-ett.c"
+#include "packet-novell_pkis-fn.c"
+
+static int proto_novell_pkis = -1;
+
+void proto_reg_handoff_novell_pkis(void)
+{
+#include "packet-novell_pkis-dis-tab.c"
+}
+
+void proto_register_novell_pkis (void)
+{
+ static hf_register_info hf[] = {
+#include "packet-novell_pkis-hfarr.c"
+ };
+ static gint *ett[] = {
+#include "packet-novell_pkis-ettarr.c"
+ };
+
+ /* execute protocol initialization only once */
+ if (proto_novell_pkis != -1) return;
+
+ proto_novell_pkis = proto_register_protocol("Novell PKIS ASN.1 type", "novell_pkis", "novell_pkis");
+ proto_register_field_array (proto_novell_pkis, hf, array_length (hf));
+ proto_register_subtree_array (ett, array_length (ett));
+}
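Review bot: The template includes `<epan/dissectors/packet-per.h>` although this dissector is BER-only (both types are registered with `B` in the .cnf and the build passes `-b`), and nothing in the visible template uses `<stdio.h>`, `<string.h>`, `<epan/expert.h>`, `<epan/prefs.h>`, `<epan/oids.h>` or `<epan/conversation.h>`; unless the generated packet-novell_pkis-fn.c relies on them, trimming the include list to what the generated code actually needs keeps the dissector's dependency surface honest. The `/* execute protocol initialization only once */` guard on proto_novell_pkis is placed after the static `hf`/`ett` arrays, so it is not obvious why a second call is expected at all; either drop it or state the reason, e.g. `/* proto_register_* is normally called once; the sentinel only protects against a repeated registration */`. The two function definitions also mix `(void)` with and without a preceding space, and `proto_register_field_array (`/`array_length (` use a space before the parenthesis while `proto_register_protocol(` does not; settling on one form matches the other asn1 templates.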