idnits 2.17.1

draft-ietf-pkix-new-asn1-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Sep 2009 rather than the newer Notice from 28 Dec 2009.  (See
     https://trustee.ietf.org/license-info/)

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be
     changed.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 227: '... &Type OPTIONAL,...'
     RFC 2119 keyword, line 228: '...equality-match MATCHING-RULE OPTIONAL,...'
     RFC 2119 keyword, line 230: '... &maxCount INTEGER OPTIONAL...'
     RFC 2119 keyword, line 242: '...atchingRules MATCHING-RULE OPTIONAL,...'
     RFC 2119 keyword, line 243: '... &AssertionType OPTIONAL,...'
     (283 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document seems to contain a disclaimer for pre-RFC5378 work, and may
     have content which was first submitted before 10 November 2008.  The
     disclaimer is necessary when there are original authors that you have
     been unable to contact, or if some do not wish to grant the BCP78 rights
     to the IETF Trust.  If you are able to get all authors (current and
     original) to grant those rights, you can and should remove the
     disclaimer; otherwise, the disclaimer is needed and you can ignore this
     comment.  (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 7, 2010) is 5158 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '0' on line 5444
  -- Looks like a reference, but probably isn't: '1' on line 5445
  -- Looks like a reference, but probably isn't: '2' on line 5446
  == Missing Reference: 'PKI-ASN' is mentioned on line 1084, but not defined
  == Missing Reference: 'PKIX-OAEP' is mentioned on line 1092, but not defined
  == Missing Reference: 'PKI-ALG' is mentioned on line 1328, but not defined
  == Missing Reference: 'FIPS186-3' is mentioned on line 1332, but not defined
  -- Looks like a reference, but probably isn't: '3' on line 5447
  == Missing Reference: 'PKCS10' is mentioned on line 2104, but not defined
  -- Looks like a reference, but probably isn't: '4' on line 5241
  -- Looks like a reference, but probably isn't: '5' on line 5243
  -- Looks like a reference, but probably isn't: '6' on line 5245
  -- Looks like a reference, but probably isn't: '7' on line 4953
  -- Looks like a reference, but probably isn't: '8' on line 4954
  == Missing Reference: 'RFC3629' is mentioned on line 2094, but not defined
  == Missing Reference: 'RFC3066' is mentioned on line 2095, but not defined
  ** Obsolete undefined reference: RFC 3066 (Obsoleted by RFC 4646, RFC 4647)
  == Missing Reference: 'RFC2482' is mentioned on line 2097, but not defined
  ** Obsolete undefined reference: RFC 2482 (Obsoleted by RFC 6082)
  -- Looks like a reference, but probably isn't: '9' on line 2570
  -- Looks like a reference, but probably isn't: '10' on line 2110
  -- Looks like a reference, but probably isn't: '11' on line 2111
  -- Looks like a reference, but probably isn't: '12' on line 2112
  -- Looks like a reference, but probably isn't: '13' on line 2113
  -- Looks like a reference, but probably isn't: '14' on line 2114
  -- Looks like a reference, but probably isn't: '15' on line 2115
  -- Looks like a reference, but probably isn't: '16' on line 2116
  -- Looks like a reference, but probably isn't: '17' on line 2117
  -- Looks like a reference, but probably isn't: '18' on line 2118
  -- Looks like a reference, but probably isn't: '19' on line 2119
  -- Looks like a reference, but probably isn't: '20' on line 2120
  -- Looks like a reference, but probably isn't: '21' on line 2121
  -- Looks like a reference, but probably isn't: '22' on line 2122
  -- Looks like a reference, but probably isn't: '23' on line 2123
  -- Looks like a reference, but probably isn't: '24' on line 2124
  -- Looks like a reference, but probably isn't: '25' on line 2125
  -- Looks like a reference, but probably isn't: '26' on line 2126
  == Missing Reference: 'PKCS11' is mentioned on line 2821, but not defined
  == Missing Reference: 'RFC2104' is mentioned on line 2161, but not defined
  == Missing Reference: 'RFC2202' is mentioned on line 2161, but not defined
  == Missing Reference: 'PKIXPROF' is mentioned on line 4064, but not defined
  == Missing Reference: 'RFC3281' is mentioned on line 4166, but not defined
  ** Obsolete undefined reference: RFC 3281 (Obsoleted by RFC 5755)
  == Missing Reference: 'APPLICATION 1' is mentioned on line 5249, but not
     defined
  == Missing Reference: 'APPLICATION 2' is mentioned on line 5255, but not
     defined
  == Unused Reference: 'RFC5480' is defined on line 5576, but no explicit
     reference was found in the text
  ** Obsolete normative reference: RFC 2560 (Obsoleted by RFC 6960)
  ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652)

     Summary: 7 errors (**), 0 flaws (~~), 18 warnings (==), 29 comments (--).
     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    Network Working Group                                         P. Hoffman
3    Internet-Draft                                            VPN Consortium
4    Intended status: Informational                                 J. Schaad
5    Expires: September 8, 2010                       Soaring Hawk Consulting
6                                                               March 7, 2010

8                            New ASN.1 Modules for PKIX
9                         draft-ietf-pkix-new-asn1-08.txt

11   Abstract

13      The PKIX certificate format, and many associated formats, are
14      expressed using ASN.1.  The current ASN.1 modules conform to the 1988
15      version of ASN.1.  This document updates those ASN.1 modules to
16      conform to the 2002 version of ASN.1.  There are no bits-on-the-wire
17      changes to any of the formats; this is simply a change to the syntax.

19   Status of this Memo

21      This Internet-Draft is submitted to IETF in full conformance with the
22      provisions of BCP 78 and BCP 79.

24      Internet-Drafts are working documents of the Internet Engineering
25      Task Force (IETF), its areas, and its working groups.  Note that
26      other groups may also distribute working documents as Internet-
27      Drafts.

29      Internet-Drafts are draft documents valid for a maximum of six months
30      and may be updated, replaced, or obsoleted by other documents at any
31      time.  It is inappropriate to use Internet-Drafts as reference
32      material or to cite them other than as "work in progress."

34      The list of current Internet-Drafts can be accessed at
35      http://www.ietf.org/ietf/1id-abstracts.txt.

37      The list of Internet-Draft Shadow Directories can be accessed at
38      http://www.ietf.org/shadow.html.

40      This Internet-Draft will expire on September 8, 2010.

42   Copyright Notice

44      Copyright (c) 2010 IETF Trust and the persons identified as the
45      document authors.  All rights reserved.

47      This document is subject to BCP 78 and the IETF Trust's Legal
48      Provisions Relating to IETF Documents
49      (http://trustee.ietf.org/license-info) in effect on the date of
50      publication of this document.  Please review these documents
51      carefully, as they describe your rights and restrictions with respect
52      to this document.  Code Components extracted from this document must
53      include Simplified BSD License text as described in Section 4.e of
54      the Trust Legal Provisions and are provided without warranty as
55      described in the BSD License.

57      This document may contain material from IETF Documents or IETF
58      Contributions published or made publicly available before November
59      10, 2008.  The person(s) controlling the copyright in some of this
60      material may not have granted the IETF Trust the right to allow
61      modifications of such material outside the IETF Standards Process.
62      Without obtaining an adequate license from the person(s) controlling
63      the copyright in such materials, this document may not be modified
64      outside the IETF Standards Process, and derivative works of it may
65      not be created outside the IETF Standards Process, except to format
66      it for publication as an RFC or to translate it into languages other
67      than English.

69   Table of Contents

71      1.  Introduction
72        1.1.  Design Notes
73      2.  ASN.1 Module PKIX-CommonTypes
74      3.  ASN.1 Module AlgorithmInformation
75      4.  ASN.1 Module for RFC 2560
76      5.  ASN.1 Module for RFC 2986
77      6.  ASN.1 Module for RFC 3279
78      7.  ASN.1 Module for RFC 3852 (Attribute Certificate v1)
79      8.  ASN.1 Module for RFC 4055
80      9.  ASN.1 Module for RFC 4210
81      10. ASN.1 Module for RFC 4211
82      11. ASN.1 Module for RFC 5055
83      12. ASN.1 Module for RFC 5272
84      13. ASN.1 Module for RFC 5755
85      14. ASN.1 Module for RFC 5280, Explicit and Implicit
86      15. IANA Considerations
87      16. Security Considerations
88      17. Normative References
89      Appendix A.  Change History
90        A.1.  Changes between draft-hoffman-pkix-new-asn1-00 and
91              draft-ietf-pkix-new-asn1-00
92        A.2.  Changes between draft-ietf-pkix-new-asn1-00 and -01
93        A.3.  Changes between draft-ietf-pkix-new-asn1-01 and -02
94        A.4.  Changes between draft-ietf-pkix-new-asn1-02 and -03
95        A.5.  Changes between draft-ietf-pkix-new-asn1-03 and -04
96        A.6.  Changes between draft-ietf-pkix-new-asn1-04 and -05
97        A.7.  Changes between draft-ietf-pkix-new-asn1-05 and -06
98        A.8.  Changes between draft-ietf-pkix-new-asn1-06 and -07
99        A.9.  Changes between draft-ietf-pkix-new-asn1-06 and -07
100     Authors' Addresses

102  1.  Introduction

104     Some developers would like the IETF to use the latest version of
105     ASN.1 in its standards.  Most of the RFCs that relate to security
106     protocols still use ASN.1 from the 1988 standard, which has been
107     deprecated.  This is particularly true for the standards that relate
108     to PKIX, CMS, and S/MIME.

110     This document updates the following RFCs to use ASN.1 modules that
111     conform to the 2002 version of ASN.1 [ASN1-2002].  Note that not all
112     the modules are updated; some are included to simply make the set
113     complete.

115     o  RFC 2560, PKIX Online Certificate Status Protocol (OCSP) [RFC2560]

117     o  RFC 2986, PKCS #10 certificate request [RFC2986]

119     o  RFC 3279, PKIX algorithms and identifier [RFC3279]

121     o  RFC 3852, contains PKIX attribute certificates, version 1
122        [RFC3852]

124     o  RFC 4055, Additional Algorithms and Identifiers for RSA
125        Cryptography [RFC4055]

127     o  RFC 4210, PKIX CMP (Certificate Management Protocol) [RFC4210]

129     o  RFC 4211, PKIX CRMF (Certificate Request Message Format) [RFC4211]

131     o  RFC 5055, PKIX SCVP (Server-based Certificate Validation Protocol)
132        [RFC5055]

134     o  RFC 5272, Certificate Management over CMS (CMC) [RFC5272]

136     o  RFC 5280, PKIX certificate and CRL profile [RFC5280] (both the
137        implicit and explicit modules)

139     o  RFC 5755, PKIX attribute certificates, version 2 [RFC5755]

141     Note that some of the modules in this document get some of their
142     definitions from places different than the modules in the original
143     RFCs.  The idea is that these modules, when combined with the modules
144     in [NEW-CMS-SMIME] can stand on their own and do not need to import
145     definitions from anywhere else.  Also note that the ASN.1 modules in
146     this document have references in their text comments that need to be
147     looked up in original RFCs, and that some of those references may
148     have already been superseded by later RFCs.

150     The document also includes a module of common definitions called
151     "PKIX-CommonTypes".  These definitions are used here and in
152     [NEW-CMS-SMIME].

154     The document also includes a module of common definitions called
155     "AlgorithmInformation".  These definitions are used here and in
156     [NEW-CMS-SMIME].

158  1.1.  Design Notes

160     The modules in this document use the object model available in the
161     2002 ASN.1 documents to a great extent.  Objects for each of the
162     different algorithm types are defined.  Also, all of the places where
163     the 1988 ASN.1 syntax had ANY holes to allow for variable syntax
164     now have objects.

166     Much like the way that the PKIX and S/MIME working groups use the
167     prefix of id- for object identifiers, this document has also adopted
168     a set of two, three, and four letter prefixes to allow for quick
169     identification of the type of an object based on its name.  This
170     allows, for example, the same back half of the name to be used for
171     the different objects.  Thus, "id-sha1" is the object identifier,
172     while "mda-sha1" is the message digest object for "sha1".

174     One or more object sets for the different types of algorithms are
175     defined.  A single consistent name for each of the different
176     algorithm types is used.  For example, an object set named PublicKeys
177     might contain the public keys defined in that module.  If no public
178     keys are defined, then the object set is not created.  When
179     referencing these object sets when imported, one needs to be able to
180     disambiguate between the different modules.  This is done by using
181     both the module name (as specified in the IMPORT statement) and the
182     object set name.  For example, in the module for RFC 5280:

184     PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
185     PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }

187     PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
188        PKIX1-PSS-OAEP-Algorithms.PublicKeys }

190  2.  ASN.1 Module PKIX-CommonTypes

192     This section contains a module that is imported by many other modules
193     in this document and in [NEW-CMS-SMIME].  This module does not come
194     from any existing RFC.

196    PKIX-CommonTypes-2009
197        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
198        mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

200    DEFINITIONS EXPLICIT TAGS ::=
201    BEGIN

203    -- ATTRIBUTE
204    --
205    --  Describe the set of data associated with an attribute of some type
206    --
207    --  &id is an OID identifying the attribute
208    --  &Type is the ASN.1 type structure for the attribute; not all
209    --      attributes have a data structure, so this field is optional
210    --  &minCount contains the minimum number of times the attribute can
211    --      occur in an AttributeSet
212    --  &maxCount contains the maximum number of times the attribute can
213    --      appear in an AttributeSet
214    --      Note: this cannot be automatically enforced as the field
215    --      cannot be defaulted to MAX.
216    --  &equality-match contains information about how matching should be
217    --      done
218    --
219    --  Currently we are using two different prefixes for attributes.
220    --
221    --  at- for certificate attributes
222    --  aa- for CMS attributes
223    --

225    ATTRIBUTE ::= CLASS {
226        &id             OBJECT IDENTIFIER UNIQUE,
227        &Type           OPTIONAL,
228        &equality-match MATCHING-RULE OPTIONAL,
229        &minCount       INTEGER DEFAULT 1,
230        &maxCount       INTEGER OPTIONAL
231    } WITH SYNTAX {
232        [TYPE &Type]
233        [EQUALITY MATCHING RULE &equality-match]
234        [COUNTS [MIN &minCount] [MAX &maxCount]]
235        IDENTIFIED BY &id
236    }

238    -- Specification of MATCHING-RULE information object class
239    --

241    MATCHING-RULE ::= CLASS {
242      &ParentMatchingRules    MATCHING-RULE OPTIONAL,
243      &AssertionType          OPTIONAL,
244      &uniqueMatchIndicator   ATTRIBUTE OPTIONAL,
245      &id                     OBJECT IDENTIFIER UNIQUE
246    }
247    WITH SYNTAX {
248      [PARENT &ParentMatchingRules]
249      [SYNTAX &AssertionType]
250      [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator]
251      ID &id
252    }

254    -- AttributeSet
255    --
256    --  Used when a set of attributes is to occur.
257    --
258    --  type contains the identifier of the attribute
259    --  values contains a set of values where the structure of the ASN.1
260    --      is defined by the attribute
261    --
262    --  The parameter contains the set of objects describing
263    --      those attributes that can occur in this location.
264    --

266    AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE {
267        type      ATTRIBUTE.&id({AttrSet}),
268        values    SET SIZE (1..MAX) OF ATTRIBUTE.
269                      &Type({AttrSet}{@type})
270    }

272    -- SingleAttribute
273    --
274    --  Used for a single valued attribute
275    --
276    --  The parameter contains the set of objects describing the
277    --      attributes that can occur in this location
278    --

280    SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE {
281        type      ATTRIBUTE.&id({AttrSet}),
282        value     ATTRIBUTE.&Type({AttrSet}{@type})
283    }

285    -- EXTENSION
286    --
287    --  This class definition is used to describe the association of
288    --      object identifier and ASN.1 type structure for extensions
289    --
290    --  All extensions are prefixed with ext-
291    --
292    --  &id contains the object identifier for the extension
293    --  &ExtnType specifies the ASN.1 type structure for the extension
294    --  &Critical contains the set of legal values for the critical field.
295    --      This is normally {TRUE|FALSE} but in some instances may be
296    --      restricted to just one of these values.
297    --

299    EXTENSION ::= CLASS {
300        &id  OBJECT IDENTIFIER UNIQUE,
301        &ExtnType,
302        &Critical    BOOLEAN DEFAULT {TRUE | FALSE }
303    } WITH SYNTAX {
304        SYNTAX &ExtnType IDENTIFIED BY &id
305        [CRITICALITY &Critical]
306    }

308    -- Extensions
309    --
310    --  Used for a sequence of extensions.
311    --
312    --  The parameter contains the set of legal extensions that can
313    --      occur in this sequence.
314    --

316    Extensions{EXTENSION:ExtensionSet} ::=
317        SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}}

319    -- Extension
320    --
321    --  Used for a single extension
322    --
323    --  The parameter contains the set of legal extensions that can
324    --      occur in this extension.
325    --
326    --  The restriction on the critical field has been commented out;
327    --  the authors are not completely sure it is correct.
328    --  The restriction could be done using custom code rather than
329    --  compiler-generated code, however.
330    --

332    Extension{EXTENSION:ExtensionSet} ::= SEQUENCE {
333        extnID      EXTENSION.&id({ExtensionSet}),
334        critical    BOOLEAN
335    --                     (EXTENSION.&Critical({ExtensionSet}{@extnID}))
336                         DEFAULT FALSE,
337        extnValue   OCTET STRING (CONTAINING
338                    EXTENSION.&ExtnType({ExtensionSet}{@extnID}))
339                    --  contains the DER encoding of the ASN.1 value
340                    --  corresponding to the extension type identified
341                    --  by extnID
342    }

344    -- Security Category
345    --
346    --  Security categories are used both for specifying clearances and
347    --  for labeling objects.  We move this here from RFC 3281 so that
348    --  they will use a common single object class to express this
349    --  information.
350    --

352    SECURITY-CATEGORY ::= TYPE-IDENTIFIER

354    SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
355        type      [0]  IMPLICIT SECURITY-CATEGORY.
356                &id({Supported}),
357        value     [1]  EXPLICIT SECURITY-CATEGORY.
358                &Type({Supported}{@type})
359    }

361    END

363  3.  ASN.1 Module AlgorithmInformation

365     This section contains a module that is imported by many other modules
366     in this document.  Note that this module is also given in
367     [NEW-CMS-SMIME].  This module does not come from any existing RFC.
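
The module in this section gives every algorithm object a parameter-presence value (ParamOptions) and constrains AlgorithmIdentifier{} by an object set, where the 1988 syntax had an ANY hole. The Python below is an added example, not part of the draft or of any PKIX implementation, showing a decoder that enforces both constraints on a DER AlgorithmIdentifier. The table EXAMPLE_SET, the function names and the sample encodings are assumptions constructed for illustration.

```python
from enum import Enum


class ParamOptions(Enum):
    """Mirrors the ParamOptions ENUMERATED in AlgorithmInformation-2009."""
    required = 0
    preferredPresent = 1
    preferredAbsent = 2
    absent = 3
    inheritable = 4
    optional = 5


TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x05, 0x06, 0x30
# Constructed object set: OID -> (name, &paramPresence, DER tag of &Params).
# Rows 1-2 follow the module's "Example:" comments; the ECDSA row is an
# assumption added here to exercise "absent".
EXAMPLE_SET = {
    "1.3.14.3.2.26": ("mda-sha1", ParamOptions.preferredAbsent, TAG_NULL),
    "1.2.840.113549.1.1.10": ("sig-RSA-PSS", ParamOptions.required, TAG_SEQUENCE),
    "1.2.840.10045.4.3.2": ("sa-ecdsaWithSHA256", ParamOptions.absent, None),
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV; reject non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for byte in value:
        if acc == 0 and byte == 0x80:
            raise ValueError("non-minimal OID arc")
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def check_algorithm_identifier(der, object_set=EXAMPLE_SET):
    """Return (oid, verdict, reason); verdict is 'ok', 'warn' or 'reject'."""
    try:
        tag, body, end = read_tlv(der, 0)
        if tag != TAG_SEQUENCE or end != len(der):
            raise ValueError("not a single SEQUENCE")
        tag, oid_bytes, pos = read_tlv(body, 0)
        if tag != TAG_OID:
            raise ValueError("algorithm field is not an OID")
        oid = decode_oid(oid_bytes)
        params_tag = None
        if pos < len(body):
            params_tag, _, pos = read_tlv(body, pos)
            if pos != len(body):
                raise ValueError("trailing data after parameters")
    except ValueError as exc:
        return None, "reject", str(exc)
    if oid not in object_set:  # the object set closes the old ANY hole
        return oid, "reject", "algorithm is not in the object set"
    name, presence, expected_tag = object_set[oid]
    present = params_tag is not None
    if present and presence is ParamOptions.absent:
        return oid, "reject", f"{name}: parameters MUST NOT be encoded"
    if not present and presence is ParamOptions.required:
        return oid, "reject", f"{name}: parameters MUST be encoded"
    if present and params_tag != expected_tag:
        return oid, "reject", f"{name}: parameters are not of the declared type"
    if present and presence is ParamOptions.preferredAbsent:
        return oid, "warn", f"{name}: parameters SHOULD NOT be encoded"
    if not present and presence is ParamOptions.preferredPresent:
        return oid, "warn", f"{name}: parameters SHOULD be encoded"
    return oid, "ok", name


# Constructed DER inputs (not taken from any real certificate).
SAMPLES = {
    "sha1, params absent": bytes.fromhex("300706052b0e03021a"),
    "sha1, NULL params": bytes.fromhex("300906052b0e03021a0500"),
    "RSASSA-PSS, params absent": bytes.fromhex("300b06092a864886f70d01010a"),
    "ecdsa-with-SHA256, NULL params": bytes.fromhex("300c06082a8648ce3d0403020500"),
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        print(label, "->", check_algorithm_identifier(der)[1:])
```

A "warn" verdict marks an encoding that the object permits but discourages; logging it separately from "reject" lets an operator see which peers emit the non-preferred form without breaking interoperability.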

369    AlgorithmInformation-2009
370        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
371        mechanisms(5) pkix(7) id-mod(0)
372        id-mod-algorithmInformation-02(58)}

374    DEFINITIONS EXPLICIT TAGS ::=
375    BEGIN
376    EXPORTS ALL;
377    IMPORTS

379    KeyUsage
380    FROM PKIX1Implicit-2009
381        {iso(1) identified-organization(3) dod(6) internet(1)
382        security(5) mechanisms(5) pkix(7) id-mod(0)
383        id-mod-pkix1-implicit-02(59)} ;

385    --  Suggested prefixes for algorithm objects are:
386    --
387    --  mda-   Message Digest Algorithms
388    --  sa-    Signature Algorithms
389    --  kta-   Key Transport Algorithms (Asymmetric)
390    --  kaa-   Key Agreement Algorithms  (Asymmetric)
391    --  kwa-   Key Wrap Algorithms (Symmetric)
392    --  kda-   Key Derivation Algorithms
393    --  maca-  Message Authentication Code Algorithms
394    --  pk-    Public Key
395    --  cea-   Content (symmetric) Encryption Algorithm
396    --  cap-   S/MIME Capabilities

398    ParamOptions ::= ENUMERATED {
399       required,         -- Parameters MUST be encoded in structure
400       preferredPresent, -- Parameters SHOULD be encoded in structure
401       preferredAbsent,  -- Parameters SHOULD NOT be encoded in structure
402       absent,           -- Parameters MUST NOT be encoded in structure
403       inheritable,      -- Parameters are inherited if not present
404       optional,         -- Parameters MAY be encoded in the structure
405       ...
406    }

408    -- DIGEST-ALGORITHM
409    --
410    -- Describes the basic information for ASN.1 and a digest
411    --      algorithm.
412    --
413    -- &id - contains the OID identifying the digest algorithm
414    -- &Params - contains the type for the algorithm parameters,
415    --               if present; absent implies no parameters
416    -- &paramPresence - parameter presence requirement
417    --
418    -- Additional information such as the length of the hash could also
419    --      be encoded.
420    --
421    -- Example:
422    --      sha1 DIGEST-ALGORITHM ::= {
423    --          IDENTIFIER id-sha1
424    --          PARAMS TYPE NULL ARE preferredAbsent
425    --      }

427    DIGEST-ALGORITHM ::= CLASS {
428        &id                OBJECT IDENTIFIER UNIQUE,
429        &Params            OPTIONAL,
430        &paramPresence     ParamOptions DEFAULT absent
431    } WITH SYNTAX {
432        IDENTIFIER &id

434        [PARAMS [TYPE &Params] [ARE &paramPresence] ]
435    }

437    -- SIGNATURE-ALGORITHM
438    --
439    -- Describes the basic properties of a signature algorithm
440    --
441    -- &id - contains the OID identifying the signature algorithm
442    -- &Value - contains a type definition for the value structure of
443    --              the signature
444    -- &Params - contains the type for the algorithm parameters,
445    --               if present; absent implies no parameters
446    -- &paramPresence - parameter presence requirement
447    -- &HashSet - The set of hash algorithms used with this
448    --                  signature algorithm
449    -- &PublicKeySet - the set of public key algorithms for this
450    --                  signature algorithm
451    -- &smimeCaps - contains the object describing how the S/MIME
452    --              capabilities are presented.
453    --
454    -- Example:
455    -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
456    --    IDENTIFIER id-RSASSA-PSS
457    --    PARAMS TYPE RSASSA-PSS-params ARE required
458    --    HASHES { mda-sha1 | mda-md5, ... }
459    --    PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
460    -- }

462    SIGNATURE-ALGORITHM ::= CLASS {
463        &id             OBJECT IDENTIFIER UNIQUE,
464        &Value          OPTIONAL,
465        &Params         OPTIONAL,
466        &paramPresence  ParamOptions DEFAULT absent,
467        &HashSet        DIGEST-ALGORITHM OPTIONAL,
468        &PublicKeySet   PUBLIC-KEY OPTIONAL,
469        &smimeCaps      SMIME-CAPS OPTIONAL
470    } WITH SYNTAX {
471        IDENTIFIER &id
472        [VALUE &Value]
473        [PARAMS [TYPE &Params] ARE &paramPresence ]
474        [HASHES &HashSet]
475        [PUBLIC-KEYS &PublicKeySet]
476        [SMIME-CAPS &smimeCaps]
477    }

479    -- PUBLIC-KEY
480    --
481    -- Describes the basic properties of a public key
482    --
483    -- &id - contains the OID identifying the public key
484    -- &KeyValue - contains the type for the key value
485    -- &Params - contains the type for the algorithm parameters,
486    --               if present; absent implies no parameters
487    -- &paramPresence - parameter presence requirement
488    -- &keyUsage - contains the set of bits that are legal for this
489    --              key type.  Note that it does not make any statement
490    --              about how bits may be paired.
491    -- &PrivateKey - contains a type structure for encoding the private
492    --              key information.
493    --
494    -- Example:
495    -- pk-rsa-pss PUBLIC-KEY ::= {
496    --     IDENTIFIER id-RSASSA-PSS
497    --     KEY RSAPublicKey
498    --     PARAMS TYPE RSASSA-PSS-params ARE optional
499    --     CERT-KEY-USAGE { .... }
500    -- }

502    PUBLIC-KEY ::= CLASS {
503        &id             OBJECT IDENTIFIER UNIQUE,
504        &KeyValue       OPTIONAL,
505        &Params         OPTIONAL,
506        &paramPresence  ParamOptions DEFAULT absent,
507        &keyUsage       KeyUsage OPTIONAL,
508        &PrivateKey     OPTIONAL
509    } WITH SYNTAX {
510        IDENTIFIER &id
511        [KEY &KeyValue]
512        [PARAMS [TYPE &Params] ARE &paramPresence]
513        [CERT-KEY-USAGE &keyUsage]
514        [PRIVATE-KEY &PrivateKey]
515    }

517    -- KEY-TRANSPORT
518    --
519    -- Describes the basic properties of a key transport algorithm
520    --
521    -- &id - contains the OID identifying the key transport algorithm
522    -- &Params - contains the type for the algorithm parameters,
523    --               if present; absent implies no parameters
524    -- &paramPresence - parameter presence requirement
525    -- &PublicKeySet - specify which public keys are used with
526    --                       this algorithm
527    -- &smimeCaps - contains the object describing how the S/MIME
528    --              capabilities are presented.
529    --
530    -- Example:
531    -- rsaTransport KEY-TRANSPORT ::= {
532    --    IDENTIFIER &id
533    --    PARAMS TYPE NULL ARE required
534    --    PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
535    -- }

537    KEY-TRANSPORT ::= CLASS {
538        &id                OBJECT IDENTIFIER UNIQUE,
539        &Params            OPTIONAL,
540        &paramPresence     ParamOptions DEFAULT absent,
541        &PublicKeySet      PUBLIC-KEY OPTIONAL,
542        &smimeCaps         SMIME-CAPS OPTIONAL
543    } WITH SYNTAX {
544        IDENTIFIER &id
545        [PARAMS [TYPE &Params] ARE &paramPresence]
546        [PUBLIC-KEYS &PublicKeySet]
547        [SMIME-CAPS &smimeCaps]
548    }

550    -- KEY-AGREE
551    --
552    -- Describes the basic properties of a key agreement algorithm
553    --
554    -- &id - contains the OID identifying the key agreement algorithm
555    -- &Params - contains the type for the algorithm parameters,
556    --               if present; absent implies no parameters
557    -- &paramPresence - parameter presence requirement
558    -- &PublicKeySet - specify which public keys are used with
559    --                         this algorithm
560    -- &Ukm - type of user keying material used
561    -- &ukmPresence - specifies the requirements to define the UKM field
562    -- &smimeCaps - contains the object describing how the S/MIME
563    --              capabilities are presented.
564    --
565    -- Example:
566    -- dh-static-ephemerial KEY-AGREE ::= {
567    --    IDENTIFIER id-alg-ESDH
568    --    PARAMS TYPE KeyWrapAlgorithm ARE required
569    --    - - user key material is not ASN.1-encoded.
570    --    PUBLIC-KEYS {
571    --       {IDENTIFIER dh-public-number KEY DHPublicKey
572    --          PARAMS TYPE DHDomainParameters ARE inheritable }
573    --    }
574    --    - - UKM should be present but is not separately ASN.1-encoded
575    --    UKM ARE preferredPresent
576    -- }
577    KEY-AGREE ::= CLASS {
578        &id             OBJECT IDENTIFIER UNIQUE,
579        &Params         OPTIONAL,
580        &paramPresence  ParamOptions DEFAULT absent,
581        &PublicKeySet   PUBLIC-KEY OPTIONAL,
582        &Ukm            OPTIONAL,
583        &ukmPresence    ParamOptions DEFAULT absent,
584        &smimeCaps      SMIME-CAPS OPTIONAL
585    } WITH SYNTAX {
586        IDENTIFIER &id
587        [PARAMS [TYPE &Params] ARE &paramPresence]
588        [PUBLIC-KEYS &PublicKeySet]
589        [UKM [TYPE &Ukm] ARE &ukmPresence]
590        [SMIME-CAPS &smimeCaps]
591    }

593    -- KEY-WRAP
594    --
595    -- Describes the basic properties of a key wrap algorithm
596    --
597    -- &id - contains the OID identifying the key wrap algorithm
598    -- &Params - contains the type for the algorithm parameters,
599    --               if present; absent implies no parameters
600    -- &paramPresence - parameter presence requirement
601    -- &smimeCaps - contains the object describing how the S/MIME
602    --              capabilities are presented.
603    --
604    -- Example:
605    -- cms3DESwrap KEY-WRAP ::= {
606    --    IDENTIFIER id-alg-CMS3DESwrap
607    --    PARAMS TYPE NULL ARE required
608    -- }

610    KEY-WRAP ::= CLASS {
611        &id                OBJECT IDENTIFIER UNIQUE,
612        &Params            OPTIONAL,
613        &paramPresence     ParamOptions DEFAULT absent,
614        &smimeCaps         SMIME-CAPS OPTIONAL
615    } WITH SYNTAX {
616        IDENTIFIER &id
617        [PARAMS [TYPE &Params] ARE &paramPresence]
618        [SMIME-CAPS &smimeCaps]
619    }

621    -- KEY-DERIVATION
622    --
623    -- Describes the basic properties of a key derivation algorithm
624    --
625    -- &id - contains the OID identifying the key derivation algorithm
626    -- &Params - contains the type for the algorithm parameters,
627    --               if present; absent implies no parameters
628    -- &paramPresence - parameter presence requirement
629    -- &smimeCaps - contains the object describing how the S/MIME
630    --              capabilities are presented.
631    --
632    -- Could add information about defaults for the derivation algorithm
633    --    such as PRFs
634    --
635    -- Example:
636    -- pbkdf2 KEY-DERIVATION ::= {
637    --    IDENTIFIER id-PBKDF2
638    --    PARAMS TYPE PBKDF2-params ARE required
639    -- }

641    KEY-DERIVATION ::= CLASS {
642        &id                OBJECT IDENTIFIER UNIQUE,
643        &Params            OPTIONAL,
644        &paramPresence     ParamOptions DEFAULT absent,
645        &smimeCaps         SMIME-CAPS OPTIONAL
646    } WITH SYNTAX {
647        IDENTIFIER &id
648        [PARAMS [TYPE &Params] ARE &paramPresence]
649        [SMIME-CAPS &smimeCaps]
650    }

652    -- MAC-ALGORITHM
653    --
654    -- Describes the basic properties of a MAC algorithm
655    --
656    -- &id - contains the OID identifying the MAC algorithm
657    -- &Params - contains the type for the algorithm parameters,
658    --               if present; absent implies no parameters
659    -- &paramPresence - parameter presence requirement
660    -- &keyed - MAC algorithm is a keyed MAC algorithm
661    -- &smimeCaps - contains the object describing how the S/MIME
662    --              capabilities are presented.
663    --
664    -- It would make sense to also add minimum and maximum MAC lengths
665    --
666    -- Example:
667    -- maca-hmac-sha1 MAC-ALGORITHM ::= {
668    --    IDENTIFIER hMAC-SHA1
669    --    PARAMS TYPE NULL ARE preferredAbsent
670    --    IS-KEYED-MAC TRUE
671    --    SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
672    -- }
673    MAC-ALGORITHM ::= CLASS {
674        &id                OBJECT IDENTIFIER UNIQUE,
675        &Params            OPTIONAL,
676        &paramPresence     ParamOptions DEFAULT absent,
677        &keyed             BOOLEAN,
678        &smimeCaps         SMIME-CAPS OPTIONAL
679    } WITH SYNTAX {
680        IDENTIFIER &id
681        [PARAMS [TYPE &Params] [ARE &paramPresence]]
682        IS-KEYED-MAC &keyed
683        [SMIME-CAPS &smimeCaps]
684    }

686    -- CONTENT-ENCRYPTION
687    --
688    -- Describes the basic properties of a content encryption
689    --      algorithm
690    --
691    -- &id - contains the OID identifying the content
692    --           encryption algorithm
693    -- &Params - contains the type for the algorithm parameters,
694    --               if present; absent implies no parameters
695    -- &paramPresence - parameter presence requirement
696    -- &smimeCaps - contains the object describing how the S/MIME
697    --              capabilities are presented.
698    --
699    -- Example:
700    -- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
701    --    IDENTIFIER des-ede3-cbc
702    --    PARAMS TYPE IV ARE required
703    --    SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
704    -- }

706    CONTENT-ENCRYPTION ::= CLASS {
707        &id                OBJECT IDENTIFIER UNIQUE,
708        &Params            OPTIONAL,
709        &paramPresence     ParamOptions DEFAULT absent,
710        &smimeCaps         SMIME-CAPS OPTIONAL
711    } WITH SYNTAX {
712        IDENTIFIER &id
713        [PARAMS [TYPE &Params] ARE &paramPresence]
714        [SMIME-CAPS &smimeCaps]
715    }

717    -- ALGORITHM
718    --
719    -- Describes a generic algorithm identifier
720    --
721    -- &id - contains the OID identifying the algorithm
722    -- &Params - contains the type for the algorithm parameters,
723    --               if present; absent implies no parameters
724    -- &paramPresence - parameter presence requirement
725    -- &smimeCaps - contains the object describing how the S/MIME
726    --              capabilities are presented.
727    --
728    -- This would be used for cases where an unknown algorithm is
729    --      used.  One should consider using TYPE-IDENTIFIER in these cases.

731    ALGORITHM ::= CLASS {
732        &id                OBJECT IDENTIFIER UNIQUE,
733        &Params            OPTIONAL,
734        &paramPresence     ParamOptions DEFAULT absent,
735        &smimeCaps         SMIME-CAPS OPTIONAL
736    } WITH SYNTAX {
737        IDENTIFIER &id
738        [PARAMS [TYPE &Params] ARE &paramPresence]
739        [SMIME-CAPS &smimeCaps]
740    }

742    -- AlgorithmIdentifier
743    --
744    -- Provides the generic structure that is used to encode algorithm
745    --    identification and the parameters associated with the
746    --    algorithm.
747    --
748    -- The first parameter represents the type of the algorithm being
749    --    used.
750    -- The second parameter represents an object set containing the
751    --    algorithms that may occur in this situation.
752    --    The initial list of required algorithms should occur to the
753    --    left of an extension marker, all other algorithms should
754    --    occur to the right of an extension marker.
755    --
756    -- The object class ALGORITHM can be used for generic unspecified
757    --    items.
758    -- If new ALGORITHM objects are defined, the fields &id and &Params
759    --    need to be present as fields in the object.
760    --

762    AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
763            SEQUENCE {
764                algorithm   ALGORITHM-TYPE.&id({AlgorithmSet}),
765                parameters  ALGORITHM-TYPE.
766                       &Params({AlgorithmSet}{@algorithm}) OPTIONAL
767            }

769    -- S/MIME Capabilities
770    --
771    -- We have moved the SMIME-CAPS from the module for RFC 3851 to here
772    -- because it is used in the PKIX document RFC 4262 - Use of S/MIME
773    -- Caps in certificate extension
774    --
775    --
776    -- This class is used to represent an S/MIME capability.  S/MIME
777    -- capabilities are used to represent what algorithm capabilities
778    -- an individual has.  The classic example was the content encryption
779    -- algorithm RC2 where the algorithm id and the RC2 key lengths
780    -- supported needed to be advertised, but the IV used is not fixed.
781    -- Thus for RC2 we used
782    --
783    -- cap-RC2CBC SMIME-CAPS ::= {
784    --     TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
785    --
786    -- where 40 and 128 represent the RC2 key length in number of bits.
787    --
788    -- Another example where information needs to be shown is for
789    -- RSA-OAEP where only specific hash functions or mask generation
790    -- functions are supported, but the saltLength is specified by the
791    -- sender and not the recipient.  In this case one can either
792    -- generate a number of capability items,
793    -- or a new S/MIME capability type could be generated where
794    -- multiple hash functions could be specified.
795    --
796    --
797    -- SMIME-CAP
798    --
799    -- This class is used to associate the type describing capabilities
800    -- with the object identifier.
801    --

803    SMIME-CAPS ::= CLASS {
804        &id         OBJECT IDENTIFIER UNIQUE,
805        &Type       OPTIONAL
806    }
807    WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }

809    --
810    -- Generic type - this is used for defining values.
811    --

813    -- Define a single S/MIME capability encoding
814    SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
815        capabilityID        SMIME-CAPS.&id({CapabilitySet}),
816        parameters          SMIME-CAPS.&Type({CapabilitySet}
817                                {@capabilityID}) OPTIONAL
818    }

820    -- Define a sequence of S/MIME capability value

822    SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
823            SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }

825    END

827  4.  ASN.1 Module for RFC 2560

829    OCSP-2009
830        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
831        mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp-02(48)}
832    DEFINITIONS EXPLICIT TAGS ::=
833    BEGIN
834    IMPORTS

836    Extensions{}, EXTENSION, ATTRIBUTE
837    FROM PKIX-CommonTypes-2009
838        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
839        mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

841    AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM
842    FROM AlgorithmInformation-2009
843        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
844        mechanisms(5) pkix(7) id-mod(0)
845        id-mod-algorithmInformation-02(58)}

847    AuthorityInfoAccessSyntax, GeneralName, CrlEntryExtensions
848    FROM PKIX1Implicit-2009
849        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
850        mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

852    Name, CertificateSerialNumber, id-kp, id-ad-ocsp, Certificate
853    FROM PKIX1Explicit-2009
854        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
855        mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

857    sa-dsaWithSHA1, sa-rsaWithMD2, sa-rsaWithMD5, sa-rsaWithSHA1
858    FROM PKIXAlgs-2009
859        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
860        mechanisms(5) pkix(7) id-mod(0)
861        id-mod-pkix1-algorithms2008-02(56)};

863    OCSPRequest     ::=     SEQUENCE {
864        tbsRequest                  TBSRequest,
865        optionalSignature   [0]     EXPLICIT Signature OPTIONAL }

867    TBSRequest      ::=     SEQUENCE {
868        version             [0] EXPLICIT Version DEFAULT v1,
869        requestorName       [1] EXPLICIT GeneralName OPTIONAL,
870        requestList             SEQUENCE OF Request,
871        requestExtensions   [2] EXPLICIT Extensions {{re-ocsp-nonce |
872                                         re-ocsp-response, ...}} OPTIONAL }

874    Signature       ::=     SEQUENCE {
875        signatureAlgorithm   AlgorithmIdentifier
876                                 { SIGNATURE-ALGORITHM, {...}},
877        signature            BIT STRING,
878        certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

880    Version  ::=  INTEGER  {  v1(0) }

882    Request ::=     SEQUENCE {
883
reqCert CertID, 884 singleRequestExtensions [0] EXPLICIT Extensions 885 { {re-ocsp-service-locator, 886 ...}} OPTIONAL } 888 CertID ::= SEQUENCE { 889 hashAlgorithm AlgorithmIdentifier 890 {DIGEST-ALGORITHM, {...}}, 891 issuerNameHash OCTET STRING, -- Hash of Issuer's DN 892 issuerKeyHash OCTET STRING, -- Hash of Issuers public key 893 serialNumber CertificateSerialNumber } 895 OCSPResponse ::= SEQUENCE { 896 responseStatus OCSPResponseStatus, 897 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } 899 OCSPResponseStatus ::= ENUMERATED { 900 successful (0), --Response has valid confirmations 901 malformedRequest (1), --Illegal confirmation request 902 internalError (2), --Internal error in issuer 903 tryLater (3), --Try again later 904 -- (4) is not used 905 sigRequired (5), --Must sign the request 906 unauthorized (6) --Request unauthorized 907 } 908 RESPONSE ::= TYPE-IDENTIFIER 910 ResponseSet RESPONSE ::= {basicResponse, ...} 912 ResponseBytes ::= SEQUENCE { 913 responseType RESPONSE. 914 &id ({ResponseSet}), 915 response OCTET STRING (CONTAINING RESPONSE. 
916 &Type({ResponseSet}{@responseType}))} 918 basicResponse RESPONSE ::= 919 { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic } 921 BasicOCSPResponse ::= SEQUENCE { 922 tbsResponseData ResponseData, 923 signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, 924 {sa-dsaWithSHA1 | sa-rsaWithSHA1 | 925 sa-rsaWithMD5 | sa-rsaWithMD2, ...}}, 926 signature BIT STRING, 927 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 929 ResponseData ::= SEQUENCE { 930 version [0] EXPLICIT Version DEFAULT v1, 931 responderID ResponderID, 932 producedAt GeneralizedTime, 933 responses SEQUENCE OF SingleResponse, 934 responseExtensions [1] EXPLICIT Extensions 935 {{re-ocsp-nonce, ...}} OPTIONAL } 937 ResponderID ::= CHOICE { 938 byName [1] Name, 939 byKey [2] KeyHash } 941 KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key 942 -- (excluding the tag and length fields) 944 SingleResponse ::= SEQUENCE { 945 certID CertID, 946 certStatus CertStatus, 947 thisUpdate GeneralizedTime, 948 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, 949 singleExtensions [1] EXPLICIT Extensions{{re-ocsp-crl | 950 re-ocsp-archive-cutoff | 951 CrlEntryExtensions, ...} 952 } OPTIONAL } 954 CertStatus ::= CHOICE { 955 good [0] IMPLICIT NULL, 956 revoked [1] IMPLICIT RevokedInfo, 957 unknown [2] IMPLICIT UnknownInfo } 959 RevokedInfo ::= SEQUENCE { 960 revocationTime GeneralizedTime, 961 revocationReason [0] EXPLICIT CRLReason OPTIONAL } 963 UnknownInfo ::= NULL -- this can be replaced with an enumeration 965 CRLReason ::= INTEGER 967 ArchiveCutoff ::= GeneralizedTime 969 AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet}) 971 ServiceLocator ::= SEQUENCE { 972 issuer Name, 973 locator AuthorityInfoAccessSyntax } 975 CrlID ::= SEQUENCE { 976 crlUrl [0] EXPLICIT IA5String OPTIONAL, 977 crlNum [1] EXPLICIT INTEGER OPTIONAL, 978 crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } 980 -- Request Extensions 982 re-ocsp-nonce EXTENSION ::= { SYNTAX OCTET STRING IDENTIFIED 983 BY 
id-pkix-ocsp-nonce } 984 re-ocsp-response EXTENSION ::= { SYNTAX AcceptableResponses IDENTIFIED 985 BY id-pkix-ocsp-response } 986 re-ocsp-service-locator EXTENSION ::= { SYNTAX ServiceLocator 987 IDENTIFIED BY 988 id-pkix-ocsp-service-locator } 990 -- Response Extensions 992 re-ocsp-crl EXTENSION ::= { SYNTAX CrlID IDENTIFIED BY 993 id-pkix-ocsp-crl } 994 re-ocsp-archive-cutoff EXTENSION ::= { SYNTAX ArchiveCutoff 995 IDENTIFIED BY 996 id-pkix-ocsp-archive-cutoff } 998 -- Object Identifiers 1000 id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } 1001 id-pkix-ocsp OBJECT IDENTIFIER ::= id-ad-ocsp 1002 id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } 1003 id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } 1004 id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } 1005 id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } 1006 id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } 1007 id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } 1008 id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } 1010 END 1012 5. ASN.1 Module for RFC 2986 1014 PKCS-10 1015 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-10(10) 1016 modules(1) pkcs-10(1)} 1017 DEFINITIONS IMPLICIT TAGS ::= 1018 BEGIN 1019 IMPORTS 1021 AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, 1022 PUBLIC-KEY 1023 FROM AlgorithmInformation-2009 1024 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1025 mechanisms(5) pkix(7) id-mod(0) 1026 id-mod-algorithmInformation-02(58)} 1028 ATTRIBUTE, Name 1029 FROM PKIX1Explicit-2009 1030 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1031 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}; 1033 -- Certificate requests 1034 CertificationRequestInfo ::= SEQUENCE { 1035 version INTEGER { v1(0) } (v1, ... 
), 1036 subject Name, 1037 subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, 1038 attributes [0] Attributes{{ CRIAttributes }} 1039 } 1041 SubjectPublicKeyInfo {PUBLIC-KEY: IOSet} ::= SEQUENCE { 1042 algorithm AlgorithmIdentifier {PUBLIC-KEY, {IOSet}}, 1043 subjectPublicKey BIT STRING 1044 } 1046 PKInfoAlgorithms PUBLIC-KEY ::= { 1047 ... -- add any locally defined algorithms here -- } 1049 Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }} 1051 CRIAttributes ATTRIBUTE ::= { 1052 ... -- add any locally defined attributes here -- } 1054 Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { 1055 type ATTRIBUTE.&id({IOSet}), 1056 values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) 1057 } 1059 CertificationRequest ::= SEQUENCE { 1060 certificationRequestInfo CertificationRequestInfo, 1061 signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, 1062 { SignatureAlgorithms }}, 1063 signature BIT STRING 1064 } 1066 SignatureAlgorithms SIGNATURE-ALGORITHM ::= { 1067 ... -- add any locally defined algorithms here -- } 1069 END 1071 6. ASN.1 Module for RFC 3279 1073 Note that this module also contains information from [RFC5480]RFC 1074 5480. 
1076 PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) 1077 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 1078 id-mod-pkix1-algorithms2008-02(56) } 1080 DEFINITIONS EXPLICIT TAGS ::= 1081 BEGIN 1082 IMPORTS 1084 -- FROM [PKI-ASN] 1086 PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS 1087 FROM AlgorithmInformation-2009 1088 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1089 mechanisms(5) pkix(7) id-mod(0) 1090 id-mod-algorithmInformation-02(58)} 1092 -- From [PKIX-OAEP] 1093 mda-sha224, mda-sha256, mda-sha384, mda-sha512 1094 FROM PKIX1-PSS-OAEP-Algorithms-2009 1095 {iso(1) identified-organization(3) dod(6) internet(1) 1096 security(5) mechanisms(5) pkix(7) id-mod(0) 1097 id-mod-pkix1-rsa-pkalgs-02(54)} ; 1099 -- 1100 -- Public Key (pk-) Algorithms 1101 -- 1103 PublicKeys PUBLIC-KEY ::= { 1104 pk-rsa | 1105 pk-dsa | 1106 pk-dh | 1107 pk-kea, 1108 ..., 1109 pk-ec | 1110 pk-ecDH | 1111 pk-ecMQV 1112 } 1114 -- 1115 -- Signature Algorithms (sa-) 1116 -- 1118 SignatureAlgs SIGNATURE-ALGORITHM ::= { 1119 sa-rsaWithMD2 | 1120 sa-rsaWithMD5 | 1121 sa-rsaWithSHA1 | 1122 sa-dsaWithSHA1 | 1123 sa-ecdsaWithSHA1, 1124 ..., -- Extensible 1125 sa-dsaWithSHA224 | 1126 sa-dsaWithSHA256 | 1127 sa-ecdsaWithSHA224 | 1128 sa-ecdsaWithSHA256 | 1129 sa-ecdsaWithSHA384 | 1130 sa-ecdsaWithSHA512 1131 } 1133 -- 1134 -- S/MIME CAPS for algorithms in this document 1135 -- 1136 -- For all of the algorithms laid out in this document, the 1137 -- parameters for the S/MIME capabilities is defined as ABSENT 1138 -- as there are no specific values that need to be known by the 1139 -- receiver for negotiation. 
1141 -- 1143 SMimeCaps SMIME-CAPS ::= { 1144 sa-rsaWithMD2.&smimeCaps | 1145 sa-rsaWithMD5.&smimeCaps | 1146 sa-rsaWithSHA1.&smimeCaps | 1147 sa-dsaWithSHA1.&smimeCaps | 1148 sa-dsaWithSHA224.&smimeCaps | 1149 sa-dsaWithSHA256.&smimeCaps | 1150 sa-ecdsaWithSHA1.&smimeCaps | 1151 sa-ecdsaWithSHA224.&smimeCaps | 1152 sa-ecdsaWithSHA256.&smimeCaps | 1153 sa-ecdsaWithSHA384.&smimeCaps | 1154 sa-ecdsaWithSHA512.&smimeCaps, 1155 ... } 1157 -- RSA PK Algorithm, Parameters, and Keys 1159 pk-rsa PUBLIC-KEY ::= { 1160 IDENTIFIER rsaEncryption 1161 KEY RSAPublicKey 1162 PARAMS TYPE NULL ARE absent 1163 -- Private key format not in this module -- 1164 CERT-KEY-USAGE {digitalSignature, nonRepudiation, 1165 keyEncipherment, dataEncipherment, keyCertSign, cRLSign} 1166 } 1168 rsaEncryption OBJECT IDENTIFIER ::= { 1169 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1170 pkcs-1(1) 1 } 1172 RSAPublicKey ::= SEQUENCE { 1173 modulus INTEGER, -- n 1174 publicExponent INTEGER -- e 1175 } 1177 -- DSA PK Algorithm, Parameters, and Keys 1179 pk-dsa PUBLIC-KEY ::= { 1180 IDENTIFIER id-dsa 1181 KEY DSAPublicKey 1182 PARAMS TYPE DSA-Params ARE inheritable 1183 -- Private key format not in this module -- 1184 CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, 1185 cRLSign } 1186 } 1188 id-dsa OBJECT IDENTIFIER ::= { 1189 iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } 1191 DSA-Params ::= SEQUENCE { 1192 p INTEGER, 1193 q INTEGER, 1194 g INTEGER 1195 } 1197 DSAPublicKey ::= INTEGER -- public key, y 1199 -- Diffie-Hellman PK Algorithm, Parameters, and Keys 1201 pk-dh PUBLIC-KEY ::= { 1202 IDENTIFIER dhpublicnumber 1203 KEY DHPublicKey 1204 PARAMS TYPE DomainParameters ARE inheritable 1205 -- Private key format not in this module -- 1206 CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } 1207 } 1209 dhpublicnumber OBJECT IDENTIFIER ::= { 1210 iso(1) member-body(2) us(840) ansi-x942(10046) 1211 number-type(2) 1 } 1213 DomainParameters ::= SEQUENCE { 1214 p 
INTEGER, -- odd prime, p=jq +1 1215 g INTEGER, -- generator, g 1216 q INTEGER, -- factor of p-1 1217 j INTEGER OPTIONAL, -- subgroup factor, j>= 2 1218 validationParams ValidationParams OPTIONAL 1219 } 1221 ValidationParams ::= SEQUENCE { 1222 seed BIT STRING, 1223 pgenCounter INTEGER 1224 } 1226 DHPublicKey ::= INTEGER -- public key, y = g^x mod p 1228 -- KEA PK Algorithm and Parameters 1230 pk-kea PUBLIC-KEY ::= { 1231 IDENTIFIER id-keyExchangeAlgorithm 1232 -- key is not encoded -- 1233 PARAMS TYPE KEA-Params-Id ARE required 1234 -- Private key format not in this module -- 1235 CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } 1236 } 1237 id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= { 1238 joint-iso-itu-t(2) country(16) us(840) organization(1) 1239 gov(101) dod(2) infosec(1) algorithms(1) 22 } 1241 KEA-Params-Id ::= OCTET STRING 1243 -- Elliptic Curve (EC) Signatures: Unrestricted Algorithms 1244 -- (Section 2.1.1 of RFC 5480) 1245 -- 1246 -- EC Unrestricted Algorithm ID -- -- this is used for ECDSA 1248 pk-ec PUBLIC-KEY ::= { 1249 IDENTIFIER id-ecPublicKey 1250 KEY ECPoint 1251 PARAMS TYPE ECParameters ARE required 1252 -- Private key format not in this module -- 1253 CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement, 1254 keyCertSign, cRLSign } 1255 } 1257 ECPoint ::= OCTET STRING -- see RFC 5480 for syntax and restrictions 1259 id-ecPublicKey OBJECT IDENTIFIER ::= { 1260 iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } 1262 -- Elliptic Curve (EC) Signatures: Restricted Algorithms 1263 -- (Section 2.1.2 of RFC 5480) 1264 -- 1265 -- EC Diffie-Hellman Algorithm ID 1267 pk-ecDH PUBLIC-KEY ::= { 1268 IDENTIFIER id-ecDH 1269 KEY ECPoint 1270 PARAMS TYPE ECParameters ARE required 1271 -- Private key format not in this module -- 1272 CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } 1273 } 1275 id-ecDH OBJECT IDENTIFIER ::= { 1276 iso(1) identified-organization(3) certicom(132) schemes(1) 1277 ecdh(12) } 1279 -- EC 
Menezes-Qu-Vanstone Algorithm ID 1281 pk-ecMQV PUBLIC-KEY ::= { 1282 IDENTIFIER id-ecMQV 1283 KEY ECPoint 1284 PARAMS TYPE ECParameters ARE required 1285 -- Private key format not in this module -- 1286 CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } 1287 } 1289 id-ecMQV OBJECT IDENTIFIER ::= { 1290 iso(1) identified-organization(3) certicom(132) schemes(1) 1291 ecmqv(13) } 1293 -- Parameters and Keys for both Restricted and Unrestricted EC 1295 ECParameters ::= CHOICE { 1296 namedCurve CURVE.&id({NamedCurve}) 1297 -- implicitCurve NULL 1298 -- implicitCurve MUST NOT be used in PKIX 1299 -- specifiedCurve SpecifiedCurve 1300 -- specifiedCurve MUST NOT be used in PKIX 1301 -- Details for specifiedCurve can be found in [X9.62] 1302 -- Any future additions to this CHOICE should be coordinated 1303 -- with ANSI X.9. 1304 } 1305 -- If you need to be able to decode ANSI X.9 parameter structures, 1306 -- uncomment the implicitCurve and specificCurve above, and also 1307 -- uncomment the follow: 1308 --(WITH COMPONENTS {namedCurve PRESENT}) 1310 -- Sec 2.1.1.1 Named Curve 1312 CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE } 1313 WITH SYNTAX { ID &id } 1315 NamedCurve CURVE ::= { 1316 { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } | 1317 { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } | 1318 { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } | 1319 { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } | 1320 { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 }, 1321 ... -- Extensible 1322 } 1324 -- Note in [X9.62] the curves are referred to as 'ansiX9' as 1325 -- opposed to 'sec'. For example secp192r1 is the same curve as 1326 -- ansix9p192r1. 1328 -- Note that in [PKI-ALG] the secp192r1 curve was referred to as 1329 -- prime192v1 and the secp256r1 curve was referred to as 1330 -- prime256v1. 
1332 -- Note that [FIPS186-3] refers to secp192r1 as P-192, 1333 -- secp224r1 as P-224, secp256r1 as P-256, secp384r1 as P-384, 1334 -- and secp521r1 as P-521. 1336 secp192r1 OBJECT IDENTIFIER ::= { 1337 iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) 1338 prime(1) 1 } 1340 sect163k1 OBJECT IDENTIFIER ::= { 1341 iso(1) identified-organization(3) certicom(132) curve(0) 1 } 1343 sect163r2 OBJECT IDENTIFIER ::= { 1344 iso(1) identified-organization(3) certicom(132) curve(0) 15 } 1346 secp224r1 OBJECT IDENTIFIER ::= { 1347 iso(1) identified-organization(3) certicom(132) curve(0) 33 } 1349 sect233k1 OBJECT IDENTIFIER ::= { 1350 iso(1) identified-organization(3) certicom(132) curve(0) 26 } 1352 sect233r1 OBJECT IDENTIFIER ::= { 1353 iso(1) identified-organization(3) certicom(132) curve(0) 27 } 1355 secp256r1 OBJECT IDENTIFIER ::= { 1356 iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) 1357 prime(1) 7 } 1359 sect283k1 OBJECT IDENTIFIER ::= { 1360 iso(1) identified-organization(3) certicom(132) curve(0) 16 } 1362 sect283r1 OBJECT IDENTIFIER ::= { 1363 iso(1) identified-organization(3) certicom(132) curve(0) 17 } 1365 secp384r1 OBJECT IDENTIFIER ::= { 1366 iso(1) identified-organization(3) certicom(132) curve(0) 34 } 1368 sect409k1 OBJECT IDENTIFIER ::= { 1369 iso(1) identified-organization(3) certicom(132) curve(0) 36 } 1371 sect409r1 OBJECT IDENTIFIER ::= { 1372 iso(1) identified-organization(3) certicom(132) curve(0) 37 } 1374 secp521r1 OBJECT IDENTIFIER ::= { 1375 iso(1) identified-organization(3) certicom(132) curve(0) 35 } 1377 sect571k1 OBJECT IDENTIFIER ::= { 1378 iso(1) identified-organization(3) certicom(132) curve(0) 38 } 1380 sect571r1 OBJECT IDENTIFIER ::= { 1381 iso(1) identified-organization(3) certicom(132) curve(0) 39 } 1383 -- RSA with MD-2 1385 sa-rsaWithMD2 SIGNATURE-ALGORITHM ::= { 1386 IDENTIFIER md2WithRSAEncryption 1387 PARAMS TYPE NULL ARE required 1388 HASHES { mda-md2 } 1389 PUBLIC-KEYS { pk-rsa } 1390 SMIME-CAPS { IDENTIFIED BY 
md2WithRSAEncryption } 1391 } 1393 md2WithRSAEncryption OBJECT IDENTIFIER ::= { 1394 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1395 pkcs-1(1) 2 } 1397 -- RSA with MD-5 1399 sa-rsaWithMD5 SIGNATURE-ALGORITHM ::= { 1400 IDENTIFIER md5WithRSAEncryption 1401 PARAMS TYPE NULL ARE required 1402 HASHES { mda-md5 } 1403 PUBLIC-KEYS { pk-rsa } 1404 SMIME-CAPS { IDENTIFIED BY md5WithRSAEncryption } 1405 } 1407 md5WithRSAEncryption OBJECT IDENTIFIER ::= { 1408 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1409 pkcs-1(1) 4 } 1411 -- RSA with SHA-1 1413 sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= { 1414 IDENTIFIER sha1WithRSAEncryption 1415 PARAMS TYPE NULL ARE required 1416 HASHES { mda-sha1 } 1417 PUBLIC-KEYS { pk-rsa } 1418 SMIME-CAPS {IDENTIFIED BY sha1WithRSAEncryption } 1419 } 1421 sha1WithRSAEncryption OBJECT IDENTIFIER ::= { 1422 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1423 pkcs-1(1) 5 } 1425 -- DSA with SHA-1 1427 sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= { 1428 IDENTIFIER dsa-with-sha1 1429 VALUE DSA-Sig-Value 1430 PARAMS TYPE NULL ARE absent 1431 HASHES { mda-sha1 } 1432 PUBLIC-KEYS { pk-dsa } 1433 SMIME-CAPS { IDENTIFIED BY dsa-with-sha1 } 1434 } 1436 dsa-with-sha1 OBJECT IDENTIFIER ::= { 1437 iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 } 1439 -- DSA with SHA-224 1441 sa-dsaWithSHA224 SIGNATURE-ALGORITHM ::= { 1442 IDENTIFIER dsa-with-sha224 1443 VALUE DSA-Sig-Value 1444 PARAMS TYPE NULL ARE absent 1445 HASHES { mda-sha224 } 1446 PUBLIC-KEYS { pk-dsa } 1447 SMIME-CAPS { IDENTIFIED BY dsa-with-sha224 } 1448 } 1450 dsa-with-sha224 OBJECT IDENTIFIER ::= { 1451 joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) 1452 csor(3) algorithms(4) id-dsa-with-sha2(3) 1 } 1454 -- DSA with SHA-256 1456 sa-dsaWithSHA256 SIGNATURE-ALGORITHM ::= { 1457 IDENTIFIER dsa-with-sha256 1458 VALUE DSA-Sig-Value 1459 PARAMS TYPE NULL ARE absent 1460 HASHES { mda-sha256 } 1461 PUBLIC-KEYS { pk-dsa } 1462 SMIME-CAPS { IDENTIFIED BY 
dsa-with-sha256 } 1463 } 1465 dsa-with-sha256 OBJECT IDENTIFIER ::= { 1466 joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) 1467 csor(3) algorithms(4) id-dsa-with-sha2(3) 2 } 1469 -- ECDSA with SHA-1 1471 sa-ecdsaWithSHA1 SIGNATURE-ALGORITHM ::= { 1472 IDENTIFIER ecdsa-with-SHA1 1473 VALUE ECDSA-Sig-Value 1474 PARAMS TYPE NULL ARE absent 1475 HASHES { mda-sha1 } 1476 PUBLIC-KEYS { pk-ec } 1477 SMIME-CAPS {IDENTIFIED BY ecdsa-with-SHA1 } 1478 } 1480 ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { 1481 iso(1) member-body(2) us(840) ansi-X9-62(10045) 1482 signatures(4) 1 } 1484 -- ECDSA with SHA-224 1486 sa-ecdsaWithSHA224 SIGNATURE-ALGORITHM ::= { 1487 IDENTIFIER ecdsa-with-SHA224 1488 VALUE ECDSA-Sig-Value 1489 PARAMS TYPE NULL ARE absent 1490 HASHES { mda-sha224 } 1491 PUBLIC-KEYS { pk-ec } 1492 SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA224 } 1493 } 1495 ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { 1496 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1497 ecdsa-with-SHA2(3) 1 } 1499 -- ECDSA with SHA-256 1501 sa-ecdsaWithSHA256 SIGNATURE-ALGORITHM ::= { 1502 IDENTIFIER ecdsa-with-SHA256 1503 VALUE ECDSA-Sig-Value 1504 PARAMS TYPE NULL ARE absent 1505 HASHES { mda-sha256 } 1506 PUBLIC-KEYS { pk-ec } 1507 SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA256 } 1508 } 1510 ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { 1511 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1512 ecdsa-with-SHA2(3) 2 } 1514 -- ECDSA with SHA-384 1516 sa-ecdsaWithSHA384 SIGNATURE-ALGORITHM ::= { 1517 IDENTIFIER ecdsa-with-SHA384 1518 VALUE ECDSA-Sig-Value 1519 PARAMS TYPE NULL ARE absent 1520 HASHES { mda-sha384 } 1521 PUBLIC-KEYS { pk-ec } 1522 SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA384 } 1523 } 1524 ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { 1525 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1526 ecdsa-with-SHA2(3) 3 } 1528 -- ECDSA with SHA-512 1530 sa-ecdsaWithSHA512 SIGNATURE-ALGORITHM ::= { 1531 IDENTIFIER ecdsa-with-SHA512 1532 VALUE ECDSA-Sig-Value 
1533 PARAMS TYPE NULL ARE absent 1534 HASHES { mda-sha512 } 1535 PUBLIC-KEYS { pk-ec } 1536 SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA512 } 1537 } 1539 ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { 1540 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1541 ecdsa-with-SHA2(3) 4 } 1543 -- 1544 -- Signature Values 1545 -- 1547 -- DSA 1549 DSA-Sig-Value ::= SEQUENCE { 1550 r INTEGER, 1551 s INTEGER 1552 } 1554 -- ECDSA 1556 ECDSA-Sig-Value ::= SEQUENCE { 1557 r INTEGER, 1558 s INTEGER 1559 } 1561 -- 1562 -- Message Digest Algorthms (mda-) 1563 -- 1565 HashAlgs DIGEST-ALGORITHM ::= { 1566 mda-md2 | 1567 mda-md5 | 1568 mda-sha1, 1569 ... -- Extensible 1570 } 1571 -- MD-2 1573 mda-md2 DIGEST-ALGORITHM ::= { 1574 IDENTIFIER id-md2 1575 PARAMS TYPE NULL ARE preferredAbsent 1576 } 1578 id-md2 OBJECT IDENTIFIER ::= { 1579 iso(1) member-body(2) us(840) rsadsi(113549) 1580 digestAlgorithm(2) 2 } 1582 -- MD-5 1584 mda-md5 DIGEST-ALGORITHM ::= { 1585 IDENTIFIER id-md5 1586 PARAMS TYPE NULL ARE preferredAbsent 1587 } 1589 id-md5 OBJECT IDENTIFIER ::= { 1590 iso(1) member-body(2) us(840) rsadsi(113549) 1591 digestAlgorithm(2) 5 } 1593 -- SHA-1 1595 mda-sha1 DIGEST-ALGORITHM ::= { 1596 IDENTIFIER id-sha1 1597 PARAMS TYPE NULL ARE preferredAbsent 1598 } 1600 id-sha1 OBJECT IDENTIFIER ::= { 1601 iso(1) identified-organization(3) oiw(14) secsig(3) 1602 algorithm(2) 26 } 1604 END 1606 7. 
ASN.1 Module for RFC 3852 (Attribute Certificate v1) 1608 AttributeCertificateVersion1-2009 1609 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1610 smime(16) modules(0) id-mod-v1AttrCert-02(49)} 1611 DEFINITIONS EXPLICIT TAGS ::= 1612 BEGIN 1613 IMPORTS 1615 SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{} 1616 FROM AlgorithmInformation-2009 1617 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1618 mechanisms(5) pkix(7) id-mod(0) 1619 id-mod-algorithmInformation-02(58)} 1621 AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE 1622 FROM PKIX-CommonTypes-2009 1623 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1624 mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } 1626 CertificateSerialNumber, UniqueIdentifier, SIGNED{} 1627 FROM PKIX1Explicit-2009 1628 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1629 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } 1631 GeneralNames 1632 FROM PKIX1Implicit-2009 1633 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1634 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } 1636 AttCertValidityPeriod, IssuerSerial 1637 FROM PKIXAttributeCertificate-2009 1638 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1639 mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } ; 1641 -- Definition extracted from X.509-1997 [X.509-97], but 1642 -- different type names are used to avoid collisions. 
1644 AttributeCertificateV1 ::= SIGNED{AttributeCertificateInfoV1} 1646 AttributeCertificateInfoV1 ::= SEQUENCE { 1647 version AttCertVersionV1 DEFAULT v1, 1648 subject CHOICE { 1649 baseCertificateID [0] IssuerSerial, 1650 -- associated with a Public Key Certificate 1651 subjectName [1] GeneralNames }, 1652 -- associated with a name 1653 issuer GeneralNames, 1654 signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}}, 1655 serialNumber CertificateSerialNumber, 1656 attCertValidityPeriod AttCertValidityPeriod, 1657 attributes SEQUENCE OF AttributeSet{{AttrList}}, 1658 issuerUniqueID UniqueIdentifier OPTIONAL, 1659 extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL } 1661 AttCertVersionV1 ::= INTEGER { v1(0) } 1663 AttrList ATTRIBUTE ::= {...} 1664 AttributeCertExtensionsV1 EXTENSION ::= {...} 1666 END 1668 8. ASN.1 Module for RFC 4055 1670 PKIX1-PSS-OAEP-Algorithms-2009 1671 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1672 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)} 1673 DEFINITIONS EXPLICIT TAGS ::= 1674 BEGIN 1675 IMPORTS 1677 AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-TRANSPORT, 1678 SIGNATURE-ALGORITHM, PUBLIC-KEY, SMIME-CAPS 1679 FROM AlgorithmInformation-2009 1680 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1681 mechanisms(5) pkix(7) id-mod(0) 1682 id-mod-algorithmInformation-02(58)} 1684 id-sha1, mda-sha1, pk-rsa, RSAPublicKey 1685 FROM PKIXAlgs-2009 1686 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1687 mechanisms(5) pkix(7) id-mod(0) 1688 id-mod-pkix1-algorithms2008-02(56)}; 1690 -- ============================ 1691 -- Object Set exports 1692 -- ============================ 1693 -- 1694 -- Define top level symbols with all of the objects defined for 1695 -- export to other modules. These objects would be included as part 1696 -- of an Object Set to restrict the set of legal values. 1697 -- 1699 -- M00BUG - where did rsaWithSHA256 go? 
1701 PublicKeys PUBLIC-KEY ::= { pk-rsaSSA-PSS | pk-rsaES-OAEP, ... } 1702 SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-rsaSSA-PSS, ...} 1703 KeyTransportAlgs KEY-TRANSPORT ::= { kta-rsaES-OAEP, ... } 1704 HashAlgs DIGEST-ALGORITHM ::= { mda-sha224 | mda-sha256 | mda-sha384 1705 | mda-sha512, ... } 1706 SMimeCaps SMIME-CAPS ::= { 1707 sa-rsaSSA-PSS.&smimeCaps | 1708 kta-rsaES-OAEP.&smimeCaps, 1709 ... 1710 } 1712 -- ============================= 1713 -- Algorithm Objects 1714 -- ============================= 1716 -- 1717 -- Public key object for PSS signatures 1718 -- 1720 pk-rsaSSA-PSS PUBLIC-KEY ::= { 1721 IDENTIFIER id-RSASSA-PSS 1722 KEY RSAPublicKey 1723 PARAMS TYPE RSASSA-PSS-params ARE optional 1724 -- Private key format not in this module -- 1725 CERT-KEY-USAGE { nonRepudiation, digitalSignature, 1726 keyCertSign, cRLSign } 1727 } 1729 -- 1730 -- Signature algorithm definition for PSS signatures 1731 -- 1733 sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= { 1734 IDENTIFIER id-RSASSA-PSS 1735 PARAMS TYPE RSASSA-PSS-params ARE required 1736 HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384 1737 | mda-sha512 } 1738 PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS } 1739 SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS } 1740 } 1742 -- 1743 -- Signature algorithm definitions for PKCS v1.5 signatures 1744 -- 1746 sa-sha224WithRSAEncryption SIGNATURE-ALGORITHM ::= { 1747 IDENTIFIER sha224WithRSAEncryption 1748 PARAMS TYPE NULL ARE required 1749 HASHES { mda-sha224 } 1750 PUBLIC-KEYS { pk-rsa } 1751 SMIME-CAPS { IDENTIFIED BY sha224WithRSAEncryption } 1752 } 1753 sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 } 1755 sa-sha256WithRSAEncryption SIGNATURE-ALGORITHM ::= { 1756 IDENTIFIER sha256WithRSAEncryption 1757 PARAMS TYPE NULL ARE required 1758 HASHES { mda-sha256 } 1759 PUBLIC-KEYS { pk-rsa } 1760 SMIME-CAPS { IDENTIFIED BY sha256WithRSAEncryption } 1761 } 1762 sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } 1764 sa-sha384WithRSAEncryption SIGNATURE-ALGORITHM ::= 
{ 1765 IDENTIFIER sha384WithRSAEncryption 1766 PARAMS TYPE NULL ARE required 1767 HASHES { mda-sha384 } 1768 PUBLIC-KEYS { pk-rsa } 1769 SMIME-CAPS { IDENTIFIED BY sha384WithRSAEncryption } 1770 } 1771 sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } 1773 sa-sha512WithRSAEncryption SIGNATURE-ALGORITHM ::= { 1774 IDENTIFIER sha512WithRSAEncryption 1775 PARAMS TYPE NULL ARE required 1776 HASHES { mda-sha512 } 1777 PUBLIC-KEYS { pk-rsa } 1778 SMIME-CAPS { IDENTIFIED BY sha512WithRSAEncryption } 1779 } 1780 sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } 1782 -- 1783 -- Public key definition for OAEP encryption 1784 -- 1786 pk-rsaES-OAEP PUBLIC-KEY ::= { 1787 IDENTIFIER id-RSAES-OAEP 1788 KEY RSAPublicKey 1789 PARAMS TYPE RSAES-OAEP-params ARE optional 1790 -- Private key format not in this module -- 1791 CERT-KEY-USAGE {keyEncipherment, dataEncipherment} 1792 } 1794 -- 1795 -- Key transport key lock definition for OAEP encryption 1796 -- 1798 kta-rsaES-OAEP KEY-TRANSPORT ::= { 1799 IDENTIFIER id-RSAES-OAEP 1800 PARAMS TYPE RSAES-OAEP-params ARE required 1801 PUBLIC-KEYS { pk-rsa | pk-rsaES-OAEP } 1802 SMIME-CAPS { TYPE RSAES-OAEP-params IDENTIFIED BY id-RSAES-OAEP} 1803 } 1804 -- ============================ 1805 -- Basic object identifiers 1806 -- ============================ 1808 pkcs-1 OBJECT IDENTIFIER ::= 1809 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } 1811 -- When rsaEncryption is used in an AlgorithmIdentifier the 1812 -- parameters MUST be present and MUST be NULL. 1814 -- rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } 1816 -- When id-RSAES-OAEP is used in an AlgorithmIdentifier, 1817 -- and the parameters field is present, it MUST be 1818 -- RSAES-OAEP-params 1820 id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 } 1822 -- When id-mgf1 is used in an AlgorithmIdentifier the parameters 1823 -- MUST be present and MUST be a HashAlgorithm. 
1825  id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 }

1827  -- When id-pSpecified is used in an AlgorithmIdentifier the
1828  -- parameters MUST be an OCTET STRING.

1830  id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 }

1832  -- When id-RSASSA-PSS is used in an AlgorithmIdentifier, and the
1833  -- parameters field is present, it MUST be RSASSA-PSS-params.

1835  id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }

1837  -- When the following OIDs are used in an AlgorithmIdentifier the
1838  -- parameters SHOULD be absent, but if the parameters are present,
1839  -- they MUST be NULL.

1841  --
1842  -- id-sha1 is imported from RFC 3279. Additionally, the v1.5
1843  -- signature algorithms (i.e. rsaWithSHA256) are now solely placed
1844  -- in that module.
1845  --

1847  id-sha224 OBJECT IDENTIFIER ::=
1848      { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
1849      csor(3) nistalgorithm(4) hashalgs(2) 4 }

1851  mda-sha224 DIGEST-ALGORITHM ::= {
1852      IDENTIFIER id-sha224
1853      PARAMS TYPE NULL ARE preferredAbsent
1854  }

1856  id-sha256 OBJECT IDENTIFIER ::=
1857      { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
1858      csor(3) nistalgorithm(4) hashalgs(2) 1 }

1860  mda-sha256 DIGEST-ALGORITHM ::= {
1861      IDENTIFIER id-sha256
1862      PARAMS TYPE NULL ARE preferredAbsent
1863  }
1864  id-sha384 OBJECT IDENTIFIER ::=
1865      { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
1866      csor(3) nistalgorithm(4) hashalgs(2) 2 }

1868  mda-sha384 DIGEST-ALGORITHM ::= {
1869      IDENTIFIER id-sha384
1870      PARAMS TYPE NULL ARE preferredAbsent
1871  }
1872  id-sha512 OBJECT IDENTIFIER ::=
1873      { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
1874      csor(3) nistalgorithm(4) hashalgs(2) 3 }

1876  mda-sha512 DIGEST-ALGORITHM ::= {
1877      IDENTIFIER id-sha512
1878      PARAMS TYPE NULL ARE preferredAbsent
1879  }

1881  -- =============
1882  -- Constants
1883  -- =============

1885  EncodingParameters ::= OCTET STRING(SIZE(0..MAX))

1887  nullOctetString EncodingParameters ::= ''H

1889  nullParameters NULL ::= NULL

1891  -- =========================
1892  -- Algorithm Identifiers
1893  -- =========================

1895  HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
1896                        {HashAlgorithms}}

1898  HashAlgorithms DIGEST-ALGORITHM ::= {
1899      { IDENTIFIER id-sha1 PARAMS TYPE NULL ARE preferredPresent } |
1900      { IDENTIFIER id-sha224 PARAMS TYPE NULL ARE preferredPresent } |
1901      { IDENTIFIER id-sha256 PARAMS TYPE NULL ARE preferredPresent } |
1902      { IDENTIFIER id-sha384 PARAMS TYPE NULL ARE preferredPresent } |
1903      { IDENTIFIER id-sha512 PARAMS TYPE NULL ARE preferredPresent }
1904  }

1906  sha1Identifier HashAlgorithm ::= {
1907      algorithm id-sha1,
1908      parameters NULL : NULL
1909  }

1911  --
1912  -- We have a default algorithm - create the value here
1913  --

1915  MaskGenAlgorithm ::= AlgorithmIdentifier{ALGORITHM,
1916                           {PKCS1MGFAlgorithms}}

1918  mgf1SHA1 MaskGenAlgorithm ::= {
1919      algorithm id-mgf1,
1920      parameters HashAlgorithm : sha1Identifier
1921  }

1923  --
1924  -- Define the set of mask generation functions
1925  --
1926  -- If the identifier is id-mgf1, any of the listed hash
1927  -- algorithms may be used.
1928  --

1930  PKCS1MGFAlgorithms ALGORITHM ::= {
1931      { IDENTIFIER id-mgf1 PARAMS TYPE HashAlgorithm ARE required },
1932      ...
1933  }

1935  --
1936  -- Define the set of known source algorithms for PSS
1937  --

1939  PSourceAlgorithm ::= AlgorithmIdentifier{ALGORITHM,
1940                           {PSS-SourceAlgorithms}}

1942  PSS-SourceAlgorithms ALGORITHM ::= {
1943      { IDENTIFIER id-pSpecified PARAMS TYPE EncodingParameters
1944          ARE required },
1945      ...
1946  }
1947  pSpecifiedEmpty PSourceAlgorithm ::= {
1948      algorithm id-pSpecified,
1949      parameters EncodingParameters : nullOctetString
1950  }

1952  -- ===================
1953  -- Main structures
1954  -- ===================

1956  -- AlgorithmIdentifier parameters for id-RSASSA-PSS.
1957  -- Note that the tags in this Sequence are explicit.
1958  -- Note The hash algorithm in hashAlgorithm and in
1959  -- maskGenAlgorithm should be the same.

1961  RSASSA-PSS-params ::= SEQUENCE {
1962      hashAlgorithm     [0] HashAlgorithm DEFAULT sha1Identifier,
1963      maskGenAlgorithm  [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
1964      saltLength        [2] INTEGER DEFAULT 20,
1965      trailerField      [3] INTEGER DEFAULT 1
1966  }

1968  -- AlgorithmIdentifier parameters for id-RSAES-OAEP.
1969  -- Note that the tags in this Sequence are explicit.
1970  -- Note: The hash algorithm in hashFunc and in
1971  -- maskGenFunc should be the same

1973  RSAES-OAEP-params ::= SEQUENCE {
1974      hashFunc     [0] HashAlgorithm DEFAULT sha1Identifier,
1975      maskGenFunc  [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
1976      pSourceFunc  [2] PSourceAlgorithm DEFAULT
1977                       pSpecifiedEmpty
1978  }

1980  END

1982  9. ASN.1 Module for RFC 4210

1984  PKIXCMP-2009
1985      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1986      mechanisms(5) pkix(7) id-mod(0) id-mod-cmp2000-02(50) }
1987  DEFINITIONS EXPLICIT TAGS ::=
1988  BEGIN
1989  IMPORTS

1991  AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE
1992  FROM PKIX-CommonTypes-2009
1993      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1994      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

1996  AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM,
1997      DIGEST-ALGORITHM, MAC-ALGORITHM
1998  FROM AlgorithmInformation-2009
1999      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2000      mechanisms(5) pkix(7) id-mod(0)
2001      id-mod-algorithmInformation-02(58)}

2003  Certificate, CertificateList
2004  FROM PKIX1Explicit-2009
2005      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2006      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

2008  GeneralName, KeyIdentifier
2009  FROM PKIX1Implicit-2009
2010      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2011      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

2013  CertTemplate, PKIPublicationInfo, EncryptedValue, CertId,
2014      CertReqMessages
2015  FROM PKIXCRMF-2009
2016      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2017      mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55) }
2018  -- see also the behavioral clarifications to CRMF codified in
2019  -- Appendix C of this specification

2021  CertificationRequest
2022  FROM PKCS-10
2023      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-10(10)
2024      modules(1) pkcs-10(1) }
2025  -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT
2026  -- tags). Alternatively, implementers may directly include
2027  -- the [PKCS10] syntax in this module
2028  ;

2030  -- the rest of the module contains locally-defined OIDs and
2031  -- constructs

2033  CMPCertificate ::= CHOICE { x509v3PKCert Certificate, ... }
2034  -- This syntax, while bits-on-the-wire compatible with the
2035  -- standard X.509 definition of "Certificate", allows the
2036  -- possibility of future certificate types (such as X.509
2037  -- attribute certificates, WAP WTLS certificates, or other kinds
2038  -- of certificates) within this certificate management protocol,
2039  -- should a need ever arise to support such generality. Those
2040  -- implementations that do not foresee a need to ever support
2041  -- other certificate types MAY, if they wish, comment out the
2042  -- above structure and "un-comment" the following one prior to
2043  -- compiling this ASN.1 module. (Note that interoperability
2044  -- with implementations that don't do this will be unaffected by
2045  -- this change.)
2047  -- CMPCertificate ::= Certificate

2049  PKIMessage ::= SEQUENCE {
2050      header      PKIHeader,
2051      body        PKIBody,
2052      protection  [0] PKIProtection OPTIONAL,
2053      extraCerts  [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
2054                      OPTIONAL }

2056  PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage

2058  PKIHeader ::= SEQUENCE {
2059      pvno           INTEGER { cmp1999(1), cmp2000(2) },
2060      sender         GeneralName,
2061      -- identifies the sender
2062      recipient      GeneralName,
2063      -- identifies the intended recipient
2064      messageTime    [0] GeneralizedTime OPTIONAL,
2065      -- time of production of this message (used when sender
2066      -- believes that the transport will be "suitable"; i.e.,
2067      -- that the time will still be meaningful upon receipt)
2068      protectionAlg  [1] AlgorithmIdentifier{ALGORITHM, {...}}
2069                         OPTIONAL,
2070      -- algorithm used for calculation of protection bits
2071      senderKID      [2] KeyIdentifier OPTIONAL,
2072      recipKID       [3] KeyIdentifier OPTIONAL,
2073      -- to identify specific keys used for protection
2074      transactionID  [4] OCTET STRING OPTIONAL,
2075      -- identifies the transaction; i.e., this will be the same in
2076      -- corresponding request, response, certConf, and PKIConf
2077      -- messages
2078      senderNonce    [5] OCTET STRING OPTIONAL,
2079      recipNonce     [6] OCTET STRING OPTIONAL,
2080      -- nonces used to provide replay protection, senderNonce
2081      -- is inserted by the creator of this message; recipNonce
2082      -- is a nonce previously inserted in a related message by
2083      -- the intended recipient of this message
2084      freeText       [7] PKIFreeText OPTIONAL,
2085      -- this may be used to indicate context-specific instructions
2086      -- (this field is intended for human consumption)
2087      generalInfo    [8] SEQUENCE SIZE (1..MAX) OF
2088                         InfoTypeAndValue OPTIONAL
2089      -- this may be used to convey context-specific information
2090      -- (this field not primarily intended for human consumption)
2091  }

2093  PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
2094  -- text encoded as UTF-8 String [RFC3629] (note: each
2095  -- UTF8String MAY include an [RFC3066] language tag
2096  -- to indicate the language of the contained text
2097  -- see [RFC2482] for details)

2099  PKIBody ::= CHOICE { -- message-specific body elements
2100      ir       [0]  CertReqMessages,        --Initialization Request
2101      ip       [1]  CertRepMessage,         --Initialization Response
2102      cr       [2]  CertReqMessages,        --Certification Request
2103      cp       [3]  CertRepMessage,         --Certification Response
2104      p10cr    [4]  CertificationRequest,   --imported from [PKCS10]
2105      popdecc  [5]  POPODecKeyChallContent, --pop Challenge
2106      popdecr  [6]  POPODecKeyRespContent,  --pop Response
2107      kur      [7]  CertReqMessages,        --Key Update Request
2108      kup      [8]  CertRepMessage,         --Key Update Response
2109      krr      [9]  CertReqMessages,        --Key Recovery Request
2110      krp      [10] KeyRecRepContent,       --Key Recovery Response
2111      rr       [11] RevReqContent,          --Revocation Request
2112      rp       [12] RevRepContent,          --Revocation Response
2113      ccr      [13] CertReqMessages,        --Cross-Cert. Request
2114      ccp      [14] CertRepMessage,         --Cross-Cert. Response
2115      ckuann   [15] CAKeyUpdAnnContent,     --CA Key Update Ann.
2116      cann     [16] CertAnnContent,         --Certificate Ann.
2117      rann     [17] RevAnnContent,          --Revocation Ann.
2118      crlann   [18] CRLAnnContent,          --CRL Announcement
2119      pkiconf  [19] PKIConfirmContent,      --Confirmation
2120      nested   [20] NestedMessageContent,   --Nested Message
2121      genm     [21] GenMsgContent,          --General Message
2122      genp     [22] GenRepContent,          --General Response
2123      error    [23] ErrorMsgContent,        --Error Message
2124      certConf [24] CertConfirmContent,     --Certificate confirm
2125      pollReq  [25] PollReqContent,         --Polling request
2126      pollRep  [26] PollRepContent          --Polling response
2127  }

2129  PKIProtection ::= BIT STRING

2131  ProtectedPart ::= SEQUENCE {
2132      header  PKIHeader,
2133      body    PKIBody }

2135  id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2136      usa(840) nt(113533) nsn(7) algorithms(66) 13 }
2137  PBMParameter ::= SEQUENCE {
2138      salt            OCTET STRING,
2139      -- note: implementations MAY wish to limit acceptable sizes
2140      -- of this string to values appropriate for their environment
2141      -- in order to reduce the risk of denial-of-service attacks
2142      owf             AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
2143      -- AlgId for a One-Way Function (SHA-1 recommended)
2144      iterationCount  INTEGER,
2145      -- number of times the OWF is applied
2146      -- note: implementations MAY wish to limit acceptable sizes
2147      -- of this integer to values appropriate for their environment
2148      -- in order to reduce the risk of denial-of-service attacks
2149      mac             AlgorithmIdentifier{MAC-ALGORITHM, {...}}
2150      -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
2151      -- or HMAC [RFC2104, RFC2202])
2152  }

2154  id-DHBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2155      usa(840) nt(113533) nsn(7) algorithms(66) 30 }
2156  DHBMParameter ::= SEQUENCE {
2157      owf  AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
2158      -- AlgId for a One-Way Function (SHA-1 recommended)
2159      mac  AlgorithmIdentifier{MAC-ALGORITHM, {...}}
2160      -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
2161      -- or HMAC [RFC2104, RFC2202])
2162  }

2164  PKIStatus ::= INTEGER {
2165      accepted (0),
2166      -- you got exactly what you asked for
2167      grantedWithMods (1),
2168      -- you got something like what you asked for; the
2169      -- requester is responsible for ascertaining the differences
2170      rejection (2),
2171      -- you don't get it, more information elsewhere in the message
2172      waiting (3),
2173      -- the request body part has not yet been processed; expect to
2174      -- hear more later (note: proper handling of this status
2175      -- response MAY use the polling req/rep PKIMessages specified
2176      -- in Section 5.3.22; alternatively, polling in the underlying
2177      -- transport layer MAY have some utility in this regard)
2178      revocationWarning (4),
2179      -- this message contains a warning that a revocation is
2180      -- imminent
2181      revocationNotification (5),
2182      -- notification that a revocation has occurred
2183      keyUpdateWarning (6)
2184      -- update already done for the oldCertId specified in
2185      -- CertReqMsg
2186  }

2188  PKIFailureInfo ::= BIT STRING {
2189      -- since we can fail in more than one way!
2190      -- More codes may be added in the future if/when required.
2191      badAlg (0),
2192      -- unrecognized or unsupported Algorithm Identifier
2193      badMessageCheck (1),
2194      -- integrity check failed (e.g., signature did not verify)
2195      badRequest (2),
2196      -- transaction not permitted or supported
2197      badTime (3),
2198      -- messageTime was not sufficiently close to the system time,
2199      -- as defined by local policy
2200      badCertId (4),
2201      -- no certificate could be found matching the provided criteria
2202      badDataFormat (5),
2203      -- the data submitted has the wrong format
2204      wrongAuthority (6),
2205      -- the authority indicated in the request is different from the
2206      -- one creating the response token
2207      incorrectData (7),
2208      -- the requester's data is incorrect (for notary services)
2209      missingTimeStamp (8),
2210      -- when the timestamp is missing but should be there
2211      -- (by policy)
2212      badPOP (9),
2213      -- the proof-of-possession failed
2214      certRevoked (10),
2215      -- the certificate has already been revoked
2216      certConfirmed (11),
2217      -- the certificate has already been confirmed
2218      wrongIntegrity (12),
2219      -- invalid integrity, password based instead of signature or
2220      -- vice versa
2221      badRecipientNonce (13),
2222      -- invalid recipient nonce, either missing or wrong value
2223      timeNotAvailable (14),
2224      -- the TSA's time source is not available
2225      unacceptedPolicy (15),
2226      -- the requested TSA policy is not supported by the TSA
2227      unacceptedExtension (16),
2228      -- the requested extension is not supported by the TSA
2229      addInfoNotAvailable (17),
2230      -- the additional information requested could not be
2231      -- understood or is not available
2232      badSenderNonce (18),
2233      -- invalid sender nonce, either missing or wrong size
2234      badCertTemplate (19),
2235      -- invalid cert. template or missing mandatory information
2236      signerNotTrusted (20),
2237      -- signer of the message unknown or not trusted
2238      transactionIdInUse (21),
2239      -- the transaction identifier is already in use
2240      unsupportedVersion (22),
2241      -- the version of the message is not supported
2242      notAuthorized (23),
2243      -- the sender was not authorized to make the preceding
2244      -- request or perform the preceding action
2245      systemUnavail (24),
2246      -- the request cannot be handled due to system unavailability
2247      systemFailure (25),
2248      -- the request cannot be handled due to system failure
2249      duplicateCertReq (26)
2250      -- certificate cannot be issued because a duplicate
2251      -- certificate already exists
2252  }

2254  PKIStatusInfo ::= SEQUENCE {
2255      status        PKIStatus,
2256      statusString  PKIFreeText OPTIONAL,
2257      failInfo      PKIFailureInfo OPTIONAL }

2259  OOBCert ::= CMPCertificate

2261  OOBCertHash ::= SEQUENCE {
2262      hashAlg  [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
2263                   OPTIONAL,
2264      certId   [1] CertId OPTIONAL,
2265      hashVal      BIT STRING
2266      -- hashVal is calculated over the DER encoding of the
2267      -- self-signed certificate with the identifier certID.
2268  }

2270  POPODecKeyChallContent ::= SEQUENCE OF Challenge
2271  -- One Challenge per encryption key certification request (in the
2272  -- same order as these requests appear in CertReqMessages).

2274  Challenge ::= SEQUENCE {
2275      owf        AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
2276                 OPTIONAL,
2277      -- MUST be present in the first Challenge; MAY be omitted in
2278      -- any subsequent Challenge in POPODecKeyChallContent (if
2279      -- omitted, then the owf used in the immediately preceding
2280      -- Challenge is to be used).
2281      witness    OCTET STRING,
2282      -- the result of applying the one-way function (owf) to a
2283      -- randomly-generated INTEGER, A. [Note that a different
2284      -- INTEGER MUST be used for each Challenge.]
2285      challenge  OCTET STRING
2286      -- the encryption (under the public key for which the cert.
2287      -- request is being made) of Rand, where Rand is specified as
2288      -- Rand ::= SEQUENCE {
2289      --     int INTEGER,
2290      --     - the randomly-generated INTEGER A (above)
2291      --     sender GeneralName
2292      --     - the sender's name (as included in PKIHeader)
2293      -- }
2294  }

2296  POPODecKeyRespContent ::= SEQUENCE OF INTEGER
2297  -- One INTEGER per encryption key certification request (in the
2298  -- same order as these requests appear in CertReqMessages). The
2299  -- retrieved INTEGER A (above) is returned to the sender of the
2300  -- corresponding Challenge.

2302  CertRepMessage ::= SEQUENCE {
2303      caPubs    [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
2304                    OPTIONAL,
2305      response      SEQUENCE OF CertResponse }

2307  CertResponse ::= SEQUENCE {
2308      certReqId         INTEGER,
2309      -- to match this response with corresponding request (a value
2310      -- of -1 is to be used if certReqId is not specified in the
2311      -- corresponding request)
2312      status            PKIStatusInfo,
2313      certifiedKeyPair  CertifiedKeyPair OPTIONAL,
2314      rspInfo           OCTET STRING OPTIONAL
2315      -- analogous to the id-regInfo-utf8Pairs string defined
2316      -- for regInfo in CertReqMsg [RFC4211]
2317  }

2319  CertifiedKeyPair ::= SEQUENCE {
2320      certOrEncCert        CertOrEncCert,
2321      privateKey       [0] EncryptedValue OPTIONAL,
2322      -- see [RFC4211] for comment on encoding
2323      publicationInfo  [1] PKIPublicationInfo OPTIONAL }

2325  CertOrEncCert ::= CHOICE {
2326      certificate    [0] CMPCertificate,
2327      encryptedCert  [1] EncryptedValue }

2329  KeyRecRepContent ::= SEQUENCE {
2330      status           PKIStatusInfo,
2331      newSigCert   [0] CMPCertificate OPTIONAL,
2332      caCerts      [1] SEQUENCE SIZE (1..MAX) OF
2333                       CMPCertificate OPTIONAL,
2334      keyPairHist  [2] SEQUENCE SIZE (1..MAX) OF
2335                       CertifiedKeyPair OPTIONAL }

2337  RevReqContent ::= SEQUENCE OF RevDetails

2339  RevDetails ::= SEQUENCE {
2340      certDetails      CertTemplate,
2341      -- allows requester to specify as much as they can about
2342      -- the cert. for which revocation is requested
2343      -- (e.g., for cases in which serialNumber is not available)
2344      crlEntryDetails  Extensions{{...}} OPTIONAL
2345      -- requested crlEntryExtensions
2346  }

2348  RevRepContent ::= SEQUENCE {
2349      status        SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
2350      -- in same order as was sent in RevReqContent
2351      revCerts  [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
2352      -- IDs for which revocation was requested
2353      -- (same order as status)
2354      crls      [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
2355      -- the resulting CRLs (there may be more than one)
2356  }

2358  CAKeyUpdAnnContent ::= SEQUENCE {
2359      oldWithNew  CMPCertificate, -- old pub signed with new priv
2360      newWithOld  CMPCertificate, -- new pub signed with old priv
2361      newWithNew  CMPCertificate  -- new pub signed with new priv
2362  }

2364  CertAnnContent ::= CMPCertificate

2366  RevAnnContent ::= SEQUENCE {
2367      status           PKIStatus,
2368      certId           CertId,
2369      willBeRevokedAt  GeneralizedTime,
2370      badSinceDate     GeneralizedTime,
2371      crlDetails       Extensions{{...}} OPTIONAL
2372      -- extra CRL details (e.g., crl number, reason, location, etc.)
2373  }

2375  CRLAnnContent ::= SEQUENCE OF CertificateList
2376  PKIConfirmContent ::= NULL

2378  NestedMessageContent ::= PKIMessages

2380  INFO-TYPE-AND-VALUE ::= TYPE-IDENTIFIER

2382  InfoTypeAndValue ::= SEQUENCE {
2383      infoType   INFO-TYPE-AND-VALUE.
2384                     &id({SupportedInfoSet}),
2385      infoValue  INFO-TYPE-AND-VALUE.
2386                     &Type({SupportedInfoSet}{@infoType}) }

2388  SupportedInfoSet INFO-TYPE-AND-VALUE ::= { ... }

2390  -- Example InfoTypeAndValue contents include, but are not limited
2391  -- to, the following (un-comment in this ASN.1 module and use as
2392  -- appropriate for a given environment):
2393  --
2394  -- id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1}
2395  --     CAProtEncCertValue ::= CMPCertificate
2396  -- id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2}
2397  --     SignKeyPairTypesValue ::= SEQUENCE OF
2398  --         AlgorithmIdentifier{{...}}
2399  -- id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3}
2400  --     EncKeyPairTypesValue ::= SEQUENCE OF
2401  --         AlgorithmIdentifier{{...}}
2402  -- id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4}
2403  --     PreferredSymmAlgValue ::= AlgorithmIdentifier{{...}}
2404  -- id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5}
2405  --     CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent
2406  -- id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6}
2407  --     CurrentCRLValue ::= CertificateList
2408  -- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
2409  --     UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER
2410  -- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10}
2411  --     KeyPairParamReqValue ::= OBJECT IDENTIFIER
2412  -- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11}
2413  --     KeyPairParamRepValue ::= AlgorithmIdentifer
2414  -- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12}
2415  --     RevPassphraseValue ::= EncryptedValue
2416  -- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13}
2417  --     ImplicitConfirmValue ::= NULL
2418  -- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14}
2419  --     ConfirmWaitTimeValue ::= GeneralizedTime
2420  -- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
2421  --     OrigPKIMessageValue ::= PKIMessages
2422  -- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16}
2423  --     SuppLangTagsValue ::= SEQUENCE OF UTF8String
2424  --
2425  -- where
2426  --
2427  -- id-pkix OBJECT IDENTIFIER ::= {
2428  --     iso(1) identified-organization(3)
2429  --     dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
2430  -- and
2431  -- id-it OBJECT IDENTIFIER ::= {id-pkix 4}
2432  --
2433  --
2434  -- This construct MAY also be used to define new PKIX Certificate
2435  -- Management Protocol request and response messages, or general-
2436  -- purpose (e.g., announcement) messages for future needs or for
2437  -- specific environments.

2439  GenMsgContent ::= SEQUENCE OF InfoTypeAndValue

2441  -- May be sent by EE, RA, or CA (depending on message content).
2442  -- The OPTIONAL infoValue parameter of InfoTypeAndValue will
2443  -- typically be omitted for some of the examples given above.
2444  -- The receiver is free to ignore any contained OBJ. IDs that it
2445  -- does not recognize. If sent from EE to CA, the empty set
2446  -- indicates that the CA may send
2447  -- any/all information that it wishes.

2449  GenRepContent ::= SEQUENCE OF InfoTypeAndValue
2450  -- Receiver MAY ignore any contained OIDs that it does not
2451  -- recognize.

2453  ErrorMsgContent ::= SEQUENCE {
2454      pKIStatusInfo  PKIStatusInfo,
2455      errorCode      INTEGER OPTIONAL,
2456      -- implementation-specific error codes
2457      errorDetails   PKIFreeText OPTIONAL
2458      -- implementation-specific error details
2459  }

2461  CertConfirmContent ::= SEQUENCE OF CertStatus

2463  CertStatus ::= SEQUENCE {
2464      certHash    OCTET STRING,
2465      -- the hash of the certificate, using the same hash algorithm
2466      -- as is used to create and verify the certificate signature
2467      certReqId   INTEGER,
2468      -- to match this confirmation with the corresponding req/rep
2469      statusInfo  PKIStatusInfo OPTIONAL }

2471  PollReqContent ::= SEQUENCE OF SEQUENCE {
2472      certReqId  INTEGER }

2474  PollRepContent ::= SEQUENCE OF SEQUENCE {
2475      certReqId   INTEGER,
2476      checkAfter  INTEGER, -- time in seconds
2477      reason      PKIFreeText OPTIONAL }

2479  END

2481  10. ASN.1 Module for RFC 4211

2483  PKIXCRMF-2009
2484      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2485      mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)}
2486  DEFINITIONS IMPLICIT TAGS ::=
2487  BEGIN
2488  IMPORTS

2490  AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE,
2491      SingleAttribute{}
2492  FROM PKIX-CommonTypes-2009
2493      {iso(1) identified-organization(3) dod(6) internet(1)
2494      security(5) mechanisms(5) pkix(7) id-mod(0)
2495      id-mod-pkixCommon-02(57) }

2497  AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM,
2498      DIGEST-ALGORITHM, MAC-ALGORITHM, PUBLIC-KEY
2499  FROM AlgorithmInformation-2009
2500      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2501      mechanisms(5) pkix(7) id-mod(0)
2502      id-mod-algorithmInformation-02(58)}

2504  Version, Name, Time, SubjectPublicKeyInfo, UniqueIdentifier, id-pkix,
2505      SignatureAlgorithms
2506  FROM PKIX1Explicit-2009
2507      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2508      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

2510  GeneralName, CertExtensions
2511  FROM PKIX1Implicit-2009
2512      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2513      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

2515  EnvelopedData, CONTENT-TYPE
2516  FROM CryptographicMessageSyntax-2009
2517      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2518      smime(16) modules(0) id-mod-cms-2004-02(41)}

2520  maca-hMAC-SHA1
2521  FROM CryptographicMessageSyntaxAlgorithms-2009
2522      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2523      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

2525  mda-sha1
2526  FROM PKIXAlgs-2009
2527      { iso(1) identified-organization(3) dod(6)
2528      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
2529      id-mod-pkix1-algorithms2008-02(56) } ;

2531  -- arc for Internet X.509 PKI protocols and their components

2533  id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 }

2535  id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2536      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }

2538  id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types

2540  -- Core definitions for this module

2542  CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg

2544  CertReqMsg ::= SEQUENCE {
2545      certReq  CertRequest,
2546      popo     ProofOfPossession OPTIONAL,
2547      -- content depends upon key type
2548      regInfo  SEQUENCE SIZE(1..MAX) OF
2549                   SingleAttribute{{RegInfoSet}} OPTIONAL }

2551  CertRequest ::= SEQUENCE {
2552      certReqId     INTEGER,
2553      -- ID for matching request and reply
2554      certTemplate  CertTemplate,
2555      -- Selected fields of cert to be issued
2556      controls      Controls OPTIONAL }
2557      -- Attributes affecting issuance

2559  CertTemplate ::= SEQUENCE {
2560      version       [0] Version OPTIONAL,
2561      serialNumber  [1] INTEGER OPTIONAL,
2562      signingAlg    [2] AlgorithmIdentifier{SIGNATURE-ALGORITHM,
2563                            {SignatureAlgorithms}} OPTIONAL,
2564      issuer        [3] Name OPTIONAL,
2565      validity      [4] OptionalValidity OPTIONAL,
2566      subject       [5] Name OPTIONAL,
2567      publicKey     [6] SubjectPublicKeyInfo OPTIONAL,
2568      issuerUID     [7] UniqueIdentifier OPTIONAL,
2569      subjectUID    [8] UniqueIdentifier OPTIONAL,
2570      extensions    [9] Extensions{{CertExtensions}} OPTIONAL }

2572  OptionalValidity ::= SEQUENCE {
2573      notBefore  [0] Time OPTIONAL,
2574      notAfter   [1] Time OPTIONAL } -- at least one MUST be present

2576  Controls ::= SEQUENCE SIZE(1..MAX) OF SingleAttribute
2577                   {{RegControlSet}}

2579  ProofOfPossession ::= CHOICE {
2580      raVerified       [0] NULL,
2581      -- used if the RA has already verified that the requester is in
2582      -- possession of the private key
2583      signature        [1] POPOSigningKey,
2584      keyEncipherment  [2] POPOPrivKey,
2585      keyAgreement     [3] POPOPrivKey }

2587  POPOSigningKey ::= SEQUENCE {
2588      poposkInput          [0] POPOSigningKeyInput OPTIONAL,
2589      algorithmIdentifier      AlgorithmIdentifier{SIGNATURE-ALGORITHM,
2590                                   {SignatureAlgorithms}},
2591      signature                BIT STRING }
2592  -- The signature (using "algorithmIdentifier") is on the
2593  -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
2594  -- certReq CertTemplate contains the subject and publicKey values,
2595  -- then poposkInput MUST be omitted and the signature MUST be
2596  -- computed over the DER-encoded value of CertReqMsg certReq. If
2597  -- the CertReqMsg certReq CertTemplate does not contain both the
2598  -- public key and subject values (i.e., if it contains only one
2599  -- of these, or neither), then poposkInput MUST be present and
2600  -- MUST be signed.

2602  POPOSigningKeyInput ::= SEQUENCE {
2603      authInfo CHOICE {
2604          sender        [0] GeneralName,
2605          -- used only if an authenticated identity has been
2606          -- established for the sender (e.g., a DN from a
2607          -- previously-issued and currently-valid certificate)
2608          publicKeyMAC      PKMACValue },
2609          -- used if no authenticated GeneralName currently exists for
2610          -- the sender; publicKeyMAC contains a password-based MAC
2611          -- on the DER-encoded value of publicKey
2612      publicKey SubjectPublicKeyInfo } -- from CertTemplate

2614  PKMACValue ::= SEQUENCE {
2615      algId  AlgorithmIdentifier{MAC-ALGORITHM,
2616                 {Password-MACAlgorithms}},
2617      value  BIT STRING }

2619  --
2620  -- Define the currently only acceptable MAC algorithm to be used
2621  -- for the PKMACValue structure
2622  --

2624  id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2625      usa(840) nt(113533) nsn(7) algorithms(66) 13 }

2627  Password-MACAlgorithms MAC-ALGORITHM ::= {
2628      {IDENTIFIER id-PasswordBasedMac
2629       PARAMS TYPE PBMParameter ARE required
2630       IS-KEYED-MAC TRUE
2631      }, ...
2632  }

2634  PBMParameter ::= SEQUENCE {
2635      salt            OCTET STRING,
2636      owf             AlgorithmIdentifier{DIGEST-ALGORITHM,
2637                          {DigestAlgorithms}},
2638      -- AlgId for a One-Way Function (SHA-1 recommended)
2639      iterationCount  INTEGER,
2640      -- number of times the OWF is applied
2641      mac             AlgorithmIdentifier{MAC-ALGORITHM,
2642                          {MACAlgorithms}}
2643      -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC, or HMAC
2644  }

2646  DigestAlgorithms DIGEST-ALGORITHM ::= {
2647      mda-sha1, ...
2648  }

2650  MACAlgorithms MAC-ALGORITHM ::= {
2651      -- I don't currently find a module with these defined.
2652      -- maca-des-mac | maca-3des-mac --
2653      maca-hMAC-SHA1,
2654      ...
2655  }

2657  POPOPrivKey ::= CHOICE {
2658      thisMessage        [0] BIT STRING, -- Deprecated
2659      -- possession is proven in this message (which contains
2660      -- the private key itself (encrypted for the CA))
2661      subsequentMessage  [1] SubsequentMessage,
2662      -- possession will be proven in a subsequent message
2663      dhMAC              [2] BIT STRING, -- Deprecated
2664      agreeMAC           [3] PKMACValue,
2665      encryptedKey       [4] EnvelopedData }
2666      -- for keyAgreement (only), possession is proven in this message
2667      -- (which contains a MAC (over the DER-encoded value of the
2668      -- certReq parameter in CertReqMsg, which MUST include both
2669      -- subject and publicKey) based on a key derived from the end
2670      -- entity's private DH key and the CA's public DH key);

2672  SubsequentMessage ::= INTEGER {
2673      encrCert (0),
2674      -- requests that resulting certificate be encrypted for the
2675      -- end entity (following which, POP will be proven in a
2676      -- confirmation message)
2677      challengeResp (1) }
2678      -- requests that CA engage in challenge-response exchange with
2679      -- end entity in order to prove private key possession

2681  --
2682  -- id-ct-encKeyWithID content type used as the content type for the
2683  -- EnvelopedData in POPOPrivKey.
2684  -- It contains both a private key and an identifier for key escrow
2685  -- agents to check against recovery requestors.
2686  --

2688  ct-encKeyWithID CONTENT-TYPE ::=
2689      { EncKeyWithID IDENTIFIED BY id-ct-encKeyWithID }

2691  id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}

2693  EncKeyWithID ::= SEQUENCE {
2694      privateKey PrivateKeyInfo,
2695      identifier CHOICE {
2696          string UTF8String,
2697          generalName GeneralName
2698      } OPTIONAL
2699  }

2701  PrivateKeyInfo ::= SEQUENCE {
2702      version INTEGER,
2703      privateKeyAlgorithm AlgorithmIdentifier{PUBLIC-KEY, {...}},
2704      privateKey OCTET STRING,
2705      -- Structure of public key is in PUBLIC-KEY.&PrivateKey
2706      attributes [0] IMPLICIT Attributes OPTIONAL
2707  }

2709  Attributes ::= SET OF AttributeSet{{PrivateKeyAttributes}}
2710  PrivateKeyAttributes ATTRIBUTE ::= {...}

2712  --
2713  -- 6. Registration Controls in CRMF
2714  --

2716  id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 }

2718  RegControlSet ATTRIBUTE ::= {
2719      regCtrl-regToken | regCtrl-authenticator |
2720      regCtrl-pkiPublicationInfo | regCtrl-pkiArchiveOptions |
2721      regCtrl-oldCertID | regCtrl-protocolEncrKey, ... }

2723  --
2724  -- 6.1 Registration Token Control
2725  --

2727  regCtrl-regToken ATTRIBUTE ::=
2728      { TYPE RegToken IDENTIFIED BY id-regCtrl-regToken }

2730  id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 }

2732  RegToken ::= UTF8String

2734  --
2735  -- 6.2 Authenticator Control
2736  --

2738  regCtrl-authenticator ATTRIBUTE ::=
2739      { TYPE Authenticator IDENTIFIED BY id-regCtrl-authenticator }

2741  id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 }

2743  Authenticator ::= UTF8String

2745  --
2746  -- 6.3. Publication Information Control
2747  --

2749  regCtrl-pkiPublicationInfo ATTRIBUTE ::=
2750      { TYPE PKIPublicationInfo IDENTIFIED BY
2751          id-regCtrl-pkiPublicationInfo }

2753  id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 }

2755  PKIPublicationInfo ::= SEQUENCE {
2756      action INTEGER {
2757          dontPublish (0),
2758          pleasePublish (1) },
2759      pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
2760      -- pubInfos MUST NOT be present if action is "dontPublish"
2761      -- (if action is "pleasePublish" and pubInfos is omitted,
2762      -- "dontCare" is assumed)

2764  SinglePubInfo ::= SEQUENCE {
2765      pubMethod INTEGER {
2766          dontCare (0),
2767          x500 (1),
2768          web (2),
2769          ldap (3) },
2770      pubLocation GeneralName OPTIONAL }

2772  --
2773  -- 6.4. Archive Options Control
2774  --

2776  regCtrl-pkiArchiveOptions ATTRIBUTE ::=
2777      { TYPE PKIArchiveOptions IDENTIFIED BY
2778          id-regCtrl-pkiArchiveOptions }

2780  id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 }

2782  PKIArchiveOptions ::= CHOICE {
2783      encryptedPrivKey [0] EncryptedKey,
2784      -- the actual value of the private key
2785      keyGenParameters [1] KeyGenParameters,
2786      -- parameters that allow the private key to be re-generated
2787      archiveRemGenPrivKey [2] BOOLEAN }
2788      -- set to TRUE if sender wishes receiver to archive the private
2789      -- key of a key pair that the receiver generates in response to
2790      -- this request; set to FALSE if no archival is desired.

2792  EncryptedKey ::= CHOICE {
2793      encryptedValue EncryptedValue, -- Deprecated
2794      envelopedData [0] EnvelopedData }
2795      -- The encrypted private key MUST be placed in the envelopedData
2796      -- encryptedContentInfo encryptedContent OCTET STRING.
2798  --
2799  -- We skipped doing the full constraints here since this structure
2800  -- has been deprecated in favor of EnvelopedData
2801  --

2803  EncryptedValue ::= SEQUENCE {
2804      intendedAlg [0] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL,
2805      -- the intended algorithm for which the value will be used
2806      symmAlg [1] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL,
2807      -- the symmetric algorithm used to encrypt the value
2808      encSymmKey [2] BIT STRING OPTIONAL,
2809      -- the (encrypted) symmetric key used to encrypt the value
2810      keyAlg [3] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL,
2811      -- algorithm used to encrypt the symmetric key
2812      valueHint [4] OCTET STRING OPTIONAL,
2813      -- a brief description or identifier of the encValue content
2814      -- (may be meaningful only to the sending entity, and used only
2815      -- if EncryptedValue might be re-examined by the sending entity
2816      -- in the future)
2817      encValue BIT STRING }
2818      -- the encrypted value itself
2819  -- When EncryptedValue is used to carry a private key (as opposed to
2820  -- a certificate), implementations MUST support the encValue field
2821  -- containing an encrypted PrivateKeyInfo as defined in [PKCS11],
2822  -- section 12.11. If encValue contains some other format/encoding
2823  -- for the private key, the first octet of valueHint MAY be used
2824  -- to indicate the format/encoding (but note that the possible values
2825  -- of this octet are not specified at this time). In all cases, the
2826  -- intendedAlg field MUST be used to indicate at least the OID of
2827  -- the intended algorithm of the private key, unless this information
2828  -- is known a priori to both sender and receiver by some other means.

2830  KeyGenParameters ::= OCTET STRING

2832  --
2833  -- 6.5. OldCert ID Control
2834  --

2836  regCtrl-oldCertID ATTRIBUTE ::=
2837      { TYPE OldCertId IDENTIFIED BY id-regCtrl-oldCertID }

2839  id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 }

2841  OldCertId ::= CertId

2843  CertId ::= SEQUENCE {
2844      issuer GeneralName,
2845      serialNumber INTEGER }

2847  --
2848  -- 6.6. Protocol Encryption Key Control
2849  --

2851  regCtrl-protocolEncrKey ATTRIBUTE ::=
2852      { TYPE ProtocolEncrKey IDENTIFIED BY id-regCtrl-protocolEncrKey }

2854  id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 }

2856  ProtocolEncrKey ::= SubjectPublicKeyInfo

2858  --
2859  -- 7. Registration Info in CRMF
2860  --

2862  id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 }

2864  RegInfoSet ATTRIBUTE ::=
2865      { regInfo-utf8Pairs | regInfo-certReq }

2867  --
2868  -- 7.1. utf8Pairs RegInfo Control
2869  --

2871  regInfo-utf8Pairs ATTRIBUTE ::=
2872      { TYPE UTF8Pairs IDENTIFIED BY id-regInfo-utf8Pairs }

2874  id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= { id-regInfo 1 }
2875  --with syntax
2876  UTF8Pairs ::= UTF8String

2878  --
2879  -- 7.2. certReq RegInfo Control
2880  --

2882  regInfo-certReq ATTRIBUTE ::=
2883      { TYPE CertReq IDENTIFIED BY id-regInfo-certReq }

2885  id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 }
2886  --with syntax
2887  CertReq ::= CertRequest

2889  END

2891  11. ASN.1 Module for RFC 5055

2893  SCVP-2009
2894      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2895      mechanisms(5) pkix(7) id-mod(0) id-mod-scvp-02(52) }
2896  DEFINITIONS IMPLICIT TAGS ::=
2897  BEGIN
2898  IMPORTS

2900  Extensions{}, EXTENSION, ATTRIBUTE
2901  FROM PKIX-CommonTypes-2009
2902      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2903      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

2905  AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, PUBLIC-KEY, KEY-AGREE,
2906      DIGEST-ALGORITHM, KEY-DERIVATION, MAC-ALGORITHM
2907  FROM AlgorithmInformation-2009
2908      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2909      mechanisms(5) pkix(7) id-mod(0)
2910      id-mod-algorithmInformation-02(58)}

2912  Certificate, CertificateList, CertificateSerialNumber,
2913      SignatureAlgorithms, SubjectPublicKeyInfo
2914  FROM PKIX1Explicit-2009
2915      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2916      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

2918  GeneralNames, GeneralName, KeyUsage, KeyPurposeId
2919  FROM PKIX1Implicit-2009
2920      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2921      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

2923  AttributeCertificate
2924  FROM PKIXAttributeCertificate-2009
2925      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2926      mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) }

2928  OCSPResponse
2929  FROM OCSP-2009
2930      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2931      mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp-02(48) }

2933  ContentInfo, CONTENT-TYPE
2934  FROM CryptographicMessageSyntax-2009
2935      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2936      smime(16) modules(0) id-mod-cms-2004-02(41) }

2938  mda-sha1
2939  FROM PKIXAlgs-2009
2940      { iso(1) identified-organization(3) dod(6)
2941      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
2942      id-mod-pkix1-algorithms2008-02(56) } ;

2944  ContentTypes CONTENT-TYPE ::= {ct-scvp-certValRequest |
2945      ct-scvp-certValResponse | ct-scvp-valPolRequest |
2946      ct-scvp-valPolResponse, ... }

2948  id-ct OBJECT IDENTIFIER ::=
2949      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
2950      id-smime(16) 1 }

2952  ct-scvp-certValRequest CONTENT-TYPE ::=
2953      { CVRequest IDENTIFIED BY id-ct-scvp-certValRequest }

2955  id-ct-scvp-certValRequest OBJECT IDENTIFIER ::= { id-ct 10 }

2957  -- SCVP Certificate Validation Request

2959  CVRequest ::= SEQUENCE {
2960      cvRequestVersion INTEGER DEFAULT 1,
2961      query Query,
2962      requestorRef [0] GeneralNames OPTIONAL,
2963      requestNonce [1] OCTET STRING OPTIONAL,
2964      requestorName [2] GeneralName OPTIONAL,
2965      responderName [3] GeneralName OPTIONAL,
2966      requestExtensions [4] Extensions{{RequestExtensions}}
2967                OPTIONAL,
2968      signatureAlg [5] AlgorithmIdentifier
2969                {SIGNATURE-ALGORITHM,
2970                {SignatureAlgorithms}}
2971                OPTIONAL,
2972      hashAlg [6] OBJECT IDENTIFIER OPTIONAL,
2973      requestorText [7] UTF8String (SIZE (1..256)) OPTIONAL
2974  }

2976  -- Set of signature algorithms is coming from RFC 5280
2977  -- SignatureAlgorithms SIGNATURE-ALGORITHM ::= {...}

2979  -- Add supported request extensions here, all new items should
2980  -- be added after the extension marker

2982  RequestExtensions EXTENSION ::= {...}

2984  Query ::= SEQUENCE {
2985      queriedCerts CertReferences,
2986      checks CertChecks,
2987      wantBack [1] WantBack OPTIONAL,
2988      validationPolicy ValidationPolicy,
2989      responseFlags ResponseFlags OPTIONAL,
2990      serverContextInfo [2] OCTET STRING OPTIONAL,
2991      validationTime [3] GeneralizedTime OPTIONAL,
2992      intermediateCerts [4] CertBundle OPTIONAL,
2993      revInfos [5] RevocationInfos OPTIONAL,
2994      producedAt [6] GeneralizedTime OPTIONAL,
2995      queryExtensions [7] Extensions{{QueryExtensions}} OPTIONAL
2996  }

2998  -- Add supported query extensions here, all new items should be added
2999  -- after the extension marker

3001  QueryExtensions EXTENSION ::= {...}

3003  CertReferences ::= CHOICE {
3004      pkcRefs [0] SEQUENCE SIZE (1..MAX) OF PKCReference,
3005      acRefs [1] SEQUENCE SIZE (1..MAX) OF ACReference
3006  }

3008  CertReference::= CHOICE {
3009      pkc PKCReference,
3010      ac ACReference
3011  }

3013  PKCReference ::= CHOICE {
3014      cert [0] Certificate,
3015      pkcRef [1] SCVPCertID
3016  }

3018  ACReference ::= CHOICE {
3019      attrCert [2] AttributeCertificate,
3020      acRef [3] SCVPCertID
3021  }

3023  HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
3024                {mda-sha1, ...}}

3026  SCVPCertID ::= SEQUENCE {
3027      certHash OCTET STRING,
3028      issuerSerial SCVPIssuerSerial,
3029      hashAlgorithm HashAlgorithm
3030                DEFAULT { algorithm mda-sha1.&id }
3031  }

3033  SCVPIssuerSerial ::= SEQUENCE {
3034      issuer GeneralNames,
3035      serialNumber CertificateSerialNumber
3036  }

3038  ValidationPolicy ::= SEQUENCE {
3039      validationPolRef ValidationPolRef,
3040      validationAlg [0] ValidationAlg OPTIONAL,
3041      userPolicySet [1] SEQUENCE SIZE (1..MAX) OF OBJECT
3042                IDENTIFIER OPTIONAL,
3043      inhibitPolicyMapping [2] BOOLEAN OPTIONAL,
3044      requireExplicitPolicy [3] BOOLEAN OPTIONAL,
3045      inhibitAnyPolicy [4] BOOLEAN OPTIONAL,
3046      trustAnchors [5] TrustAnchors OPTIONAL,
3047      keyUsages [6] SEQUENCE OF KeyUsage OPTIONAL,
3048      extendedKeyUsages [7] SEQUENCE OF KeyPurposeId OPTIONAL,
3049      specifiedKeyUsages [8] SEQUENCE OF KeyPurposeId OPTIONAL
3050  }

3052  CertChecks ::= SEQUENCE SIZE (1..MAX) OF
3053      OBJECT IDENTIFIER (CertCheckSet | ACertCheckSet, ... )

3055  WantBack ::= SEQUENCE SIZE (1..MAX) OF
3056      WANT-BACK.&id ({AllWantBacks})

3058  POLICY ::= ATTRIBUTE

3060  ValidationPolRefSet POLICY ::= {
3061      svp-defaultValPolicy, ...
3062  }

3064  ValidationPolRef ::= SEQUENCE {
3065      valPolId POLICY.&id,
3066      valPolParams POLICY.&Type OPTIONAL
3067  }

3069  ValidationAlgSet POLICY ::= {
3070      svp-basicValAlg, ...
3071  }

3073  ValidationAlg ::= SEQUENCE {
3074      valAlgId POLICY.&id,
3075      parameters POLICY.&Type OPTIONAL
3076  }

3078  NameValiationAlgSet POLICY ::= {
3079      svp-nameValAlg, ...
3080  }

3082  NameValidationAlgParams ::= SEQUENCE {
3083      nameCompAlgId OBJECT IDENTIFIER (NameCompAlgSet, ... ),
3084      validationNames GeneralNames
3085  }

3087  TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference
3088  KeyAgreePublicKey ::= SEQUENCE {
3089      algorithm AlgorithmIdentifier{KEY-AGREE,
3090                {SupportedKeyAgreePublicKeys}},
3091      publicKey BIT STRING,
3092      macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM,
3093                {SupportedMACAlgorithms}},
3094      kDF AlgorithmIdentifier{KEY-DERIVATION,
3095                {SupportedKeyDerivationFunctions}}
3096                OPTIONAL
3097  }

3099  SupportedKeyAgreePublicKeys KEY-AGREE ::= {...}
3100  SupportedMACAlgorithms MAC-ALGORITHM ::= {...}
3101  SupportedKeyDerivationFunctions KEY-DERIVATION ::= {...}

3103  ResponseFlags ::= SEQUENCE {
3104      fullRequestInResponse [0] BOOLEAN DEFAULT FALSE,
3105      responseValidationPolByRef [1] BOOLEAN DEFAULT TRUE,
3106      protectResponse [2] BOOLEAN DEFAULT TRUE,
3107      cachedResponse [3] BOOLEAN DEFAULT TRUE
3108  }

3110  CertBundle ::= SEQUENCE SIZE (1..MAX) OF Certificate

3112  RevocationInfos ::= SEQUENCE SIZE (1..MAX) OF RevocationInfo

3114  RevocationInfo ::= CHOICE {
3115      crl [0] CertificateList,
3116      delta-crl [1] CertificateList,
3117      ocsp [2] OCSPResponse,
3118      other [3] OtherRevInfo
3119  }

3121  REV-INFO ::= TYPE-IDENTIFIER

3123  OtherRevInfo ::= SEQUENCE {
3124      riType REV-INFO.&id,
3125      riValue REV-INFO.&Type
3126  }

3128  -- SCVP Certificate Validation Response

3130  ct-scvp-certValResponse CONTENT-TYPE ::=
3131      { CVResponse IDENTIFIED BY id-ct-scvp-certValResponse }

3133  id-ct-scvp-certValResponse OBJECT IDENTIFIER ::= { id-ct 11 }

3135  CVResponse ::= SEQUENCE {
3136      cvResponseVersion INTEGER,
3137      serverConfigurationID INTEGER,
3138      producedAt GeneralizedTime,
3139      responseStatus ResponseStatus,
3140      respValidationPolicy [0] RespValidationPolicy OPTIONAL,
3141      requestRef [1] RequestReference OPTIONAL,
3142      requestorRef [2] GeneralNames OPTIONAL,
3143      requestorName [3] GeneralNames OPTIONAL,
3144      replyObjects [4] ReplyObjects OPTIONAL,
3145      respNonce [5] OCTET STRING OPTIONAL,
3146      serverContextInfo [6] OCTET STRING OPTIONAL,
3147      cvResponseExtensions [7] Extensions{{CVResponseExtensions}}
3148                OPTIONAL,
3149      requestorText [8] UTF8String (SIZE (1..256)) OPTIONAL
3150  }

3152  -- This document defines no extensions
3153  CVResponseExtensions EXTENSION ::= {...}

3155  ResponseStatus ::= SEQUENCE {
3156      statusCode CVStatusCode DEFAULT okay,
3157      errorMessage UTF8String OPTIONAL
3158  }

3160  CVStatusCode ::= ENUMERATED {
3161      okay (0),
3162      skipUnrecognizedItems (1),
3163      tooBusy (10),
3164      invalidRequest (11),
3165      internalError (12),
3166      badStructure (20),
3167      unsupportedVersion (21),
3168      abortUnrecognizedItems (22),
3169      unrecognizedSigKey (23),
3170      badSignatureOrMAC (24),
3171      unableToDecode (25),
3172      notAuthorized (26),
3173      unsupportedChecks (27),
3174      unsupportedWantBacks (28),
3175      unsupportedSignatureOrMAC (29),
3176      invalidSignatureOrMAC (30),
3177      protectedResponseUnsupported (31),
3178      unrecognizedResponderName (32),
3179      relayingLoop (40),
3180      unrecognizedValPol (50),
3181      unrecognizedValAlg (51),
3182      fullRequestInResponseUnsupported (52),
3183      fullPolResponseUnsupported (53),
3184      inhibitPolicyMappingUnsupported (54),
3185      requireExplicitPolicyUnsupported (55),
3186      inhibitAnyPolicyUnsupported (56),
3187      validationTimeUnsupported (57),
3188      unrecognizedCritQueryExt (63),
3189      unrecognizedCritRequestExt (64),
3190      ...
3191  }

3193  RespValidationPolicy ::= ValidationPolicy

3195  RequestReference ::= CHOICE {
3196      requestHash [0] HashValue, -- hash of CVRequest
3197      fullRequest [1] CVRequest }

3199  HashValue ::= SEQUENCE {
3200      algorithm HashAlgorithm
3201                DEFAULT { algorithm mda-sha1.&id },
3202      value OCTET STRING }

3204  ReplyObjects ::= SEQUENCE SIZE (1..MAX) OF CertReply

3206  CertReply ::= SEQUENCE {
3207      cert CertReference,
3208      replyStatus ReplyStatus DEFAULT success,
3209      replyValTime GeneralizedTime,
3210      replyChecks ReplyChecks,
3211      replyWantBacks ReplyWantBacks,
3212      validationErrors [0] SEQUENCE SIZE (1..MAX) OF
3213          OBJECT IDENTIFIER ( BasicValidationErrorSet |
3214                NameValidationErrorSet,
3215                ... ) OPTIONAL,
3216      nextUpdate [1] GeneralizedTime OPTIONAL,
3217      certReplyExtensions [2] Extensions{{...}} OPTIONAL
3218  }

3220  ReplyStatus ::= ENUMERATED {
3221      success (0),
3222      malformedPKC (1),
3223      malformedAC (2),
3224      unavailableValidationTime (3),
3225      referenceCertHashFail (4),
3226      certPathConstructFail (5),
3227      certPathNotValid (6),
3228      certPathNotValidNow (7),
3229      wantBackUnsatisfied (8)
3230  }
3231  ReplyChecks ::= SEQUENCE OF ReplyCheck

3233  ReplyCheck ::= SEQUENCE {
3234      check OBJECT IDENTIFIER (CertCheckSet | ACertCheckSet, ... ),
3235      status INTEGER DEFAULT 0
3236  }

3238  ReplyWantBacks ::= SEQUENCE OF ReplyWantBack

3240  ReplyWantBack::= SEQUENCE {
3241      wb WANT-BACK.&id({AllWantBacks}),
3242      value OCTET STRING
3243          (CONTAINING WANT-BACK.&Type({AllWantBacks}{@wb}))
3244  }

3246  WANT-BACK ::= TYPE-IDENTIFIER

3248  AllWantBacks WANT-BACK ::= {
3249      WantBackSet | ACertWantBackSet | AnyWantBackSet, ...
3250  }

3252  CertBundles ::= SEQUENCE SIZE (1..MAX) OF CertBundle

3254  RevInfoWantBack ::= SEQUENCE {
3255      revocationInfo RevocationInfos,
3256      extraCerts CertBundle OPTIONAL
3257  }

3259  SCVPResponses ::= SEQUENCE OF ContentInfo

3261  -- SCVP Validation Policies Request

3263  ct-scvp-valPolRequest CONTENT-TYPE ::=
3264      { ValPolRequest IDENTIFIED BY id-ct-scvp-valPolRequest }

3266  id-ct-scvp-valPolRequest OBJECT IDENTIFIER ::= { id-ct 12 }

3268  ValPolRequest ::= SEQUENCE {
3269      vpRequestVersion INTEGER DEFAULT 1,
3270      requestNonce OCTET STRING
3271  }

3273  -- SCVP Validation Policies Response

3275  ct-scvp-valPolResponse CONTENT-TYPE ::=
3276      { ValPolResponse IDENTIFIED BY id-ct-scvp-valPolResponse }

3278  id-ct-scvp-valPolResponse OBJECT IDENTIFIER ::= { id-ct 13 }
3279  ValPolResponse ::= SEQUENCE {
3280      vpResponseVersion INTEGER,
3281      maxCVRequestVersion INTEGER,
3282      maxVPRequestVersion INTEGER,
3283      serverConfigurationID INTEGER,
3284      thisUpdate GeneralizedTime,
3285      nextUpdate GeneralizedTime OPTIONAL,
3286      supportedChecks CertChecks,
3287      supportedWantBacks WantBack,
3288      validationPolicies SEQUENCE OF OBJECT IDENTIFIER,
3289      validationAlgs SEQUENCE OF OBJECT IDENTIFIER,
3290      authPolicies SEQUENCE OF AuthPolicy,
3291      responseTypes ResponseTypes,
3292      defaultPolicyValues RespValidationPolicy,
3293      revocationInfoTypes RevocationInfoTypes,
3294      signatureGeneration SEQUENCE OF AlgorithmIdentifier
3295                {SIGNATURE-ALGORITHM,
3296                {SignatureAlgorithms}},
3297      signatureVerification SEQUENCE OF AlgorithmIdentifier
3298                {SIGNATURE-ALGORITHM,
3299                {SignatureAlgorithms}},
3300      hashAlgorithms SEQUENCE SIZE (1..MAX) OF
3301                OBJECT IDENTIFIER,
3302      serverPublicKeys SEQUENCE OF KeyAgreePublicKey
3303                OPTIONAL,
3304      clockSkew INTEGER DEFAULT 10,
3305      requestNonce OCTET STRING OPTIONAL
3306  }

3308  ResponseTypes ::= ENUMERATED {
3309      cached-only (0),
3310      non-cached-only (1),
3311      cached-and-non-cached (2)
3312  }

3314  RevocationInfoTypes ::= BIT STRING {
3315      fullCRLs (0),
3316      deltaCRLs (1),
3317      indirectCRLs (2),
3318      oCSPResponses (3)
3319  }

3321  AuthPolicy ::= OBJECT IDENTIFIER

3323  -- SCVP Check Identifiers

3325  id-stc OBJECT IDENTIFIER ::=
3326      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
3327      mechanisms(5) pkix(7) 17 }

3329  CertCheckSet OBJECT IDENTIFIER ::= {
3330      id-stc-build-pkc-path | id-stc-build-valid-pkc-path |
3331      id-stc-build-status-checked-pkc-path, ... }

3333  id-stc-build-pkc-path OBJECT IDENTIFIER ::= { id-stc 1 }
3334  id-stc-build-valid-pkc-path OBJECT IDENTIFIER ::= { id-stc 2 }
3335  id-stc-build-status-checked-pkc-path
3336      OBJECT IDENTIFIER ::= { id-stc 3 }

3338  ACertCheckSet OBJECT IDENTIFIER ::= {
3339      id-stc-build-aa-path | id-stc-build-valid-aa-path |
3340      id-stc-build-status-checked-aa-path |
3341      id-stc-status-check-ac-and-build-status-checked-aa-path
3342  }

3344  id-stc-build-aa-path OBJECT IDENTIFIER ::= { id-stc 4 }
3345  id-stc-build-valid-aa-path OBJECT IDENTIFIER ::= { id-stc 5 }
3346  id-stc-build-status-checked-aa-path
3347      OBJECT IDENTIFIER ::= { id-stc 6 }
3348  id-stc-status-check-ac-and-build-status-checked-aa-path
3349      OBJECT IDENTIFIER ::= { id-stc 7 }

3351  -- SCVP WantBack Identifiers

3353  id-swb OBJECT IDENTIFIER ::=
3354      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
3355      mechanisms(5) pkix(7) 18 }

3357  WantBackSet WANT-BACK ::= {
3358      swb-pkc-cert | swb-pkc-best-cert-path |
3359      swb-pkc-revocation-info | swb-pkc-public-key-info |
3360      swb-pkc-all-cert-paths | swb-pkc-ee-revocation-info |
3361      swb-pkc-CAs-revocation-info
3362  }

3364  ACertWantBackSet WANT-BACK ::= {
3365      swb-ac-cert | swb-aa-cert-path |
3366      swb-aa-revocation-info | swb-ac-revocation-info
3367  }

3369  AnyWantBackSet WANT-BACK ::= { swb-relayed-responses }

3371  swb-pkc-best-cert-path WANT-BACK ::=
3372      { CertBundle IDENTIFIED BY id-swb-pkc-best-cert-path }
3373  id-swb-pkc-best-cert-path OBJECT IDENTIFIER ::= { id-swb 1 }
3374  swb-pkc-revocation-info WANT-BACK ::=
3375      { RevInfoWantBack IDENTIFIED BY id-swb-pkc-revocation-info }
3376  id-swb-pkc-revocation-info OBJECT IDENTIFIER ::= { id-swb 2 }

3378  swb-pkc-public-key-info WANT-BACK ::=
3379      { SubjectPublicKeyInfo IDENTIFIED BY id-swb-pkc-public-key-info }
3380  id-swb-pkc-public-key-info OBJECT IDENTIFIER ::= { id-swb 4 }

3382  swb-aa-cert-path WANT-BACK ::=
3383      {CertBundle IDENTIFIED BY id-swb-aa-cert-path }
3384  id-swb-aa-cert-path OBJECT IDENTIFIER ::= { id-swb 5 }

3386  swb-aa-revocation-info WANT-BACK ::=
3387      { RevInfoWantBack IDENTIFIED BY id-swb-aa-revocation-info }
3388  id-swb-aa-revocation-info OBJECT IDENTIFIER ::= { id-swb 6 }

3390  swb-ac-revocation-info WANT-BACK ::=
3391      { RevInfoWantBack IDENTIFIED BY id-swb-ac-revocation-info }
3392  id-swb-ac-revocation-info OBJECT IDENTIFIER ::= { id-swb 7 }

3394  swb-relayed-responses WANT-BACK ::=
3395      {SCVPResponses IDENTIFIED BY id-swb-relayed-responses }
3396  id-swb-relayed-responses OBJECT IDENTIFIER ::= { id-swb 9 }

3398  swb-pkc-all-cert-paths WANT-BACK ::=
3399      {CertBundles IDENTIFIED BY id-swb-pkc-all-cert-paths }
3400  id-swb-pkc-all-cert-paths OBJECT IDENTIFIER ::= { id-swb 12}

3402  swb-pkc-ee-revocation-info WANT-BACK ::=
3403      { RevInfoWantBack IDENTIFIED BY id-swb-pkc-ee-revocation-info }
3404  id-swb-pkc-ee-revocation-info OBJECT IDENTIFIER ::= { id-swb 13}

3406  swb-pkc-CAs-revocation-info WANT-BACK ::=
3407      { RevInfoWantBack IDENTIFIED BY id-swb-pkc-CAs-revocation-info }
3408  id-swb-pkc-CAs-revocation-info OBJECT IDENTIFIER ::= { id-swb 14}

3410  swb-pkc-cert WANT-BACK ::=
3411      { Certificate IDENTIFIED BY id-swb-pkc-cert }
3412  id-swb-pkc-cert OBJECT IDENTIFIER ::= { id-swb 10}

3414  swb-ac-cert WANT-BACK ::=
3415      { AttributeCertificate IDENTIFIED BY id-swb-ac-cert }
3416  id-swb-ac-cert OBJECT IDENTIFIER ::= { id-swb 11}

3418  -- SCVP Validation Policy and Algorithm Identifiers

3420  id-svp OBJECT IDENTIFIER ::=
3421      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
3422      mechanisms(5) pkix(7) 19 }

3424  svp-defaultValPolicy POLICY ::=
3425      { IDENTIFIED BY id-svp-defaultValPolicy }

3427  id-svp-defaultValPolicy OBJECT IDENTIFIER ::= { id-svp 1 }

3429  -- SCVP Basic Validation Algorithm Identifier

3431  svp-basicValAlg POLICY ::= {IDENTIFIED BY id-svp-basicValAlg }

3433  id-svp-basicValAlg OBJECT IDENTIFIER ::= { id-svp 3 }

3435  -- SCVP Basic Validation Algorithm Errors

3437  id-bvae OBJECT IDENTIFIER ::= id-svp-basicValAlg

3439  BasicValidationErrorSet OBJECT IDENTIFIER ::= {
3440      id-bvae-expired | id-bvae-not-yet-valid |
3441      id-bvae-wrongTrustAnchor | id-bvae-noValidCertPath |
3442      id-bvae-revoked | id-bvae-invalidKeyPurpose |
3443      id-bvae-invalidKeyUsage | id-bvae-invalidCertPolicy
3444  }

3446  id-bvae-expired OBJECT IDENTIFIER ::= { id-bvae 1 }
3447  id-bvae-not-yet-valid OBJECT IDENTIFIER ::= { id-bvae 2 }
3448  id-bvae-wrongTrustAnchor OBJECT IDENTIFIER ::= { id-bvae 3 }
3449  id-bvae-noValidCertPath OBJECT IDENTIFIER ::= { id-bvae 4 }
3450  id-bvae-revoked OBJECT IDENTIFIER ::= { id-bvae 5 }
3451  id-bvae-invalidKeyPurpose OBJECT IDENTIFIER ::= { id-bvae 9 }
3452  id-bvae-invalidKeyUsage OBJECT IDENTIFIER ::= { id-bvae 10 }
3453  id-bvae-invalidCertPolicy OBJECT IDENTIFIER ::= { id-bvae 11 }

3455  -- SCVP Name Validation Algorithm Identifier

3457  svp-nameValAlg POLICY ::=
3458      {TYPE NameValidationAlgParams IDENTIFIED BY id-svp-nameValAlg }

3460  id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 }

3462  -- SCVP Name Validation Algorithm DN comparison algorithm

3464  NameCompAlgSet OBJECT IDENTIFIER ::= {
3465      id-nva-dnCompAlg
3466  }

3468  id-nva-dnCompAlg OBJECT IDENTIFIER ::= { id-svp 4 }
3469  -- SCVP Name Validation Algorithm Errors

3471  id-nvae OBJECT IDENTIFIER ::= id-svp-nameValAlg

3473  NameValidationErrorSet OBJECT IDENTIFIER ::= {
3474      id-nvae-name-mismatch | id-nvae-no-name | id-nvae-unknown-alg |
3475      id-nvae-bad-name | id-nvae-bad-name-type | id-nvae-mixed-names
3476  }

3478  id-nvae-name-mismatch OBJECT IDENTIFIER ::= { id-nvae 1 }
3479  id-nvae-no-name OBJECT IDENTIFIER ::= { id-nvae 2 }
3480  id-nvae-unknown-alg OBJECT IDENTIFIER ::= { id-nvae 3 }
3481  id-nvae-bad-name OBJECT IDENTIFIER ::= { id-nvae 4 }
3482  id-nvae-bad-name-type OBJECT IDENTIFIER ::= { id-nvae 5 }
3483  id-nvae-mixed-names OBJECT IDENTIFIER ::= { id-nvae 6 }

3485  -- SCVP Extended Key Usage Key Purpose Identifiers

3487  id-kp OBJECT IDENTIFIER ::=
3488      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
3489      mechanisms(5) pkix(7) 3 }

3491  SvcpExtKeyUsageSet OBJECT IDENTIFIER ::= {
3492      id-kp-scvpServer | id-kp-scvpClient
3493  }

3495  id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 }

3497  id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 }

3499  END

3501  12. ASN.1 Module for RFC 5272

3503  EnrollmentMessageSyntax-2009
3504      {iso(1) identified-organization(3) dod(6) internet(1)
3505      security(5) mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53)}
3506  DEFINITIONS IMPLICIT TAGS ::=
3507  BEGIN
3508  EXPORTS ALL;
3509  IMPORTS

3511  AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE
3512  FROM PKIX-CommonTypes-2009
3513      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3514      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

3516  AlgorithmIdentifier{}, DIGEST-ALGORITHM, KEY-WRAP, KEY-DERIVATION,
3517      MAC-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY
3518  FROM AlgorithmInformation-2009
3519      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3520      mechanisms(5) pkix(7) id-mod(0)
3521      id-mod-algorithmInformation-02(58)}

3523  CertificateSerialNumber, GeneralName, CRLReason, ReasonFlags,
3524      CertExtensions
3525  FROM PKIX1Implicit-2009
3526      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3527      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

3529  Name, id-pkix, PublicKeyAlgorithms, SignatureAlgorithms
3530  FROM PKIX1Explicit-2009
3531      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3532      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

3534  ContentInfo, IssuerAndSerialNumber, CONTENT-TYPE
3535  FROM CryptographicMessageSyntax-2009
3536      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
3537      smime(16) modules(0) id-mod-cms-2004-02(41)}

3539  CertReqMsg, PKIPublicationInfo, CertTemplate
3540  FROM PKIXCRMF-2009
3541      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3542      mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)}

3544  mda-sha1
3545  FROM PKIXAlgs-2009
3546      { iso(1) identified-organization(3) dod(6)
3547      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
3548      id-mod-pkix1-algorithms2008-02(56)}

3550  kda-PBKDF2, maca-hMAC-SHA1
3551  FROM CryptographicMessageSyntaxAlgorithms-2009
3552      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
3553      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

3555  mda-sha256
3556  FROM PKIX1-PSS-OAEP-Algorithms-2009
3557      { iso(1) identified-organization(3) dod(6)
3558      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
3559      id-mod-pkix1-rsa-pkalgs-02(54) } ;

3561  -- CMS Content types defined in this document
3562  CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... }

3564  -- Signature Algorithms defined in this document

3566  SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature }

3568  -- CMS Unsigned Attributes

3570  CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData }

3572  --
3573  --

3575  id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls
3576  id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types

3578  -- This is the content type for a request message in the protocol

3580  ct-PKIData CONTENT-TYPE ::=
3581      { PKIData IDENTIFIED BY id-cct-PKIData }
3582  id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 }

3584  PKIData ::= SEQUENCE {
3585      controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
3586      reqSequence SEQUENCE SIZE(0..MAX) OF TaggedRequest,
3587      cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
3588      otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
3589  }

3591  BodyPartID ::= INTEGER(0..4294967295)

3593  TaggedAttribute ::= SEQUENCE {
3594      bodyPartID BodyPartID,
3595      attrType CMC-CONTROL.&id({Cmc-Control-Set}),
3596      attrValues SET OF CMC-CONTROL.
3597                &Type({Cmc-Control-Set}{@attrType})
3598  }

3600  Cmc-Control-Set CMC-CONTROL ::= {
3601      cmc-identityProof | cmc-dataReturn | cmc-regInfo |
3602      cmc-responseInfo | cmc-queryPending | cmc-popLinkRandom |
3603      cmc-popLinkWitness | cmc-identification | cmc-transactionId |
3604      cmc-senderNonce | cmc-recipientNonce | cmc-statusInfo |
3605      cmc-addExtensions | cmc-encryptedPOP | cmc-decryptedPOP |
3606      cmc-lraPOPWitness | cmc-getCert | cmc-getCRL |
3607      cmc-revokeRequest | cmc-confirmCertAcceptance |
3608      cmc-statusInfoV2 | cmc-trustedAnchors | cmc-authData |
3609      cmc-batchRequests | cmc-batchResponses | cmc-publishCert |
3610      cmc-modCertTemplate | cmc-controlProcessed |
3611      cmc-identityProofV2 | cmc-popLinkWitnessV2, ... }

3613  OTHER-REQUEST ::= TYPE-IDENTIFIER

3615  -- We do not define any other requests in this document
3616  -- examples might be attribute certification requests

3618  OtherRequests OTHER-REQUEST ::= {...}

3620  TaggedRequest ::= CHOICE {
3621      tcr [0] TaggedCertificationRequest,
3622      crm [1] CertReqMsg,
3623      orm [2] SEQUENCE {
3624          bodyPartID BodyPartID,
3625          requestMessageType OTHER-REQUEST.&id({OtherRequests}),
3626          requestMessageValue OTHER-REQUEST.&Type({OtherRequests}
3627                {@.requestMessageType})
3628      }
3629  }

3631  TaggedCertificationRequest ::= SEQUENCE {
3632      bodyPartID BodyPartID,
3633      certificationRequest CertificationRequest
3634  }

3636  AttributeList ATTRIBUTE ::= {at-extension-req, ...}

3638  CertificationRequest ::= SEQUENCE {
3639      certificationRequestInfo SEQUENCE {
3640          version INTEGER,
3641          subject Name,
3642          subjectPublicKeyInfo SEQUENCE {
3643              algorithm AlgorithmIdentifier{PUBLIC-KEY,
3644                    {PublicKeyAlgorithms}},
3645              subjectPublicKey BIT STRING
3646          },
3647          attributes [0] IMPLICIT SET OF
3648                AttributeSet{{AttributeList}}
3649      },
3650      signatureAlgorithm AlgorithmIdentifier
3651                {SIGNATURE-ALGORITHM,
3652                {SignatureAlgorithms}},
3653      signature BIT STRING
3654  }

3656  TaggedContentInfo ::= SEQUENCE {
3657      bodyPartID BodyPartID,
3658      contentInfo ContentInfo
3659  }

3661  OTHER-MSG ::= TYPE-IDENTIFIER

3663  -- No other messages currently defined

3665  OtherMsgSet OTHER-MSG ::= {...}

3667  OtherMsg ::= SEQUENCE {
3668      bodyPartID BodyPartID,
3669      otherMsgType OTHER-MSG.&id({OtherMsgSet}),
3670      otherMsgValue OTHER-MSG.&Type({OtherMsgSet}{@otherMsgType}) }

3672  -- This defines the response message in the protocol

3674  ct-PKIResponse CONTENT-TYPE ::=
3675      { PKIResponse IDENTIFIED BY id-cct-PKIResponse }
3676  id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 }

3678  ResponseBody ::= PKIResponse

3680  PKIResponse ::= SEQUENCE {
3681      controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
3682      cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
3683      otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
3684  }

3686  CMC-CONTROL ::= TYPE-IDENTIFIER

3688  -- The following controls have the type OCTET STRING

3690  cmc-identityProof CMC-CONTROL ::=
3691      { OCTET STRING IDENTIFIED BY id-cmc-identityProof }
3692  id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3}

3694  cmc-dataReturn CMC-CONTROL ::=
3695      { OCTET STRING IDENTIFIED BY id-cmc-dataReturn }
3696  id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4}

3698  cmc-regInfo CMC-CONTROL ::=
3699      { OCTET STRING IDENTIFIED BY id-cmc-regInfo }
3700  id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18}

3702  cmc-responseInfo CMC-CONTROL ::=
3703      { OCTET STRING IDENTIFIED BY id-cmc-responseInfo }
3704  id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19}
3705  cmc-queryPending CMC-CONTROL ::=
3706      { OCTET STRING IDENTIFIED BY id-cmc-queryPending }
3707  id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21}

3709  cmc-popLinkRandom CMC-CONTROL ::=
3710      { OCTET STRING IDENTIFIED BY id-cmc-popLinkRandom }
3711  id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22}

3713  cmc-popLinkWitness CMC-CONTROL ::=
3714      { OCTET STRING IDENTIFIED BY id-cmc-popLinkWitness }
3715  id-cmc-popLinkWitness OBJECT IDENTIFIER ::= {id-cmc 23}

3717  -- The following controls have the type UTF8String

3719  cmc-identification CMC-CONTROL ::=
3720      { UTF8String IDENTIFIED BY id-cmc-identification }
3721  id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2}

3723  -- The following controls have the type INTEGER

3725  cmc-transactionId CMC-CONTROL ::=
3726      { INTEGER IDENTIFIED BY id-cmc-transactionId }
3727  id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5}

3729  -- The following controls have the type OCTET STRING

3731  cmc-senderNonce CMC-CONTROL ::=
3732      { OCTET STRING IDENTIFIED BY id-cmc-senderNonce }
3733  id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6}

3735  cmc-recipientNonce CMC-CONTROL ::=
3736      { OCTET STRING IDENTIFIED BY id-cmc-recipientNonce }
3737  id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7}

3739  -- Used to return status in a response

3741  cmc-statusInfo CMC-CONTROL ::=
3742      { CMCStatusInfo IDENTIFIED BY id-cmc-statusInfo }
3743  id-cmc-statusInfo OBJECT IDENTIFIER ::= {id-cmc 1}

3745  CMCStatusInfo ::= SEQUENCE {
3746      cMCStatus CMCStatus,
3747      bodyList SEQUENCE SIZE (1..MAX) OF BodyPartID,
3748      statusString UTF8String OPTIONAL,
3749      otherInfo CHOICE {
3750          failInfo CMCFailInfo,
3751          pendInfo PendInfo
3752      } OPTIONAL

3754  }

3756  PendInfo ::= SEQUENCE {
3757      pendToken OCTET STRING,
3758      pendTime GeneralizedTime
3759  }

3761  CMCStatus ::= INTEGER {
3762      success (0),
3763      failed (2),
3764      pending (3),
3765      noSupport (4),
3766      confirmRequired (5),
3767      popRequired (6),
3768      partial (7)
3769  }

3771  CMCFailInfo ::= INTEGER {
3772      badAlg (0),
3773      badMessageCheck (1),
3774      badRequest (2),
3775      badTime (3),
3776      badCertId (4),
3777      unsuportedExt (5),
3778      mustArchiveKeys (6),
3779      badIdentity (7),
3780      popRequired (8),
3781      popFailed (9),
3782      noKeyReuse (10),
3783      internalCAError (11),
3784      tryLater (12),
3785      authDataFail (13)
3786  }

3788  -- Used for RAs to add extensions to certification requests

3790  cmc-addExtensions CMC-CONTROL ::=
3791      { AddExtensions IDENTIFIED BY id-cmc-addExtensions }
3792  id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8}

3794  AddExtensions ::= SEQUENCE {
3795      pkiDataReference BodyPartID,
3796      certReferences SEQUENCE OF BodyPartID,
3797      extensions SEQUENCE OF Extension{{CertExtensions}}
3798  }

3800  cmc-encryptedPOP CMC-CONTROL ::=
3801      { EncryptedPOP IDENTIFIED BY id-cmc-encryptedPOP }
3802  cmc-decryptedPOP CMC-CONTROL ::=
3803      { DecryptedPOP IDENTIFIED BY id-cmc-decryptedPOP }
3804  id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9}
3805  id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10}

3807  EncryptedPOP ::= SEQUENCE {
3808      request TaggedRequest,
3809      cms ContentInfo,
3810      thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
3811      witnessAlgID AlgorithmIdentifier{DIGEST-ALGORITHM,
3812                {WitnessAlgs}},
3813      witness OCTET STRING
3814 } 3816 POPAlgs MAC-ALGORITHM ::= {maca-hMAC-SHA1, ...} 3817 WitnessAlgs DIGEST-ALGORITHM ::= {mda-sha1, ...} 3819 DecryptedPOP ::= SEQUENCE { 3820 bodyPartID BodyPartID, 3821 thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, 3822 thePOP OCTET STRING 3823 } 3825 cmc-lraPOPWitness CMC-CONTROL ::= 3826 { LraPopWitness IDENTIFIED BY id-cmc-lraPOPWitness } 3828 id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11} 3830 LraPopWitness ::= SEQUENCE { 3831 pkiDataBodyid BodyPartID, 3832 bodyIds SEQUENCE OF BodyPartID 3833 } 3835 -- 3837 cmc-getCert CMC-CONTROL ::= 3838 { GetCert IDENTIFIED BY id-cmc-getCert } 3839 id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15} 3841 GetCert ::= SEQUENCE { 3842 issuerName GeneralName, 3843 serialNumber INTEGER } 3845 cmc-getCRL CMC-CONTROL ::= 3846 { GetCRL IDENTIFIED BY id-cmc-getCRL } 3847 id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16} 3848 GetCRL ::= SEQUENCE { 3849 issuerName Name, 3850 cRLName GeneralName OPTIONAL, 3851 time GeneralizedTime OPTIONAL, 3852 reasons ReasonFlags OPTIONAL } 3854 cmc-revokeRequest CMC-CONTROL ::= 3855 { RevokeRequest IDENTIFIED BY id-cmc-revokeRequest} 3856 id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17} 3858 RevokeRequest ::= SEQUENCE { 3859 issuerName Name, 3860 serialNumber INTEGER, 3861 reason CRLReason, 3862 invalidityDate GeneralizedTime OPTIONAL, 3863 passphrase OCTET STRING OPTIONAL, 3864 comment UTF8String OPTIONAL } 3866 cmc-confirmCertAcceptance CMC-CONTROL ::= 3867 { CMCCertId IDENTIFIED BY id-cmc-confirmCertAcceptance } 3868 id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {id-cmc 24} 3870 CMCCertId ::= IssuerAndSerialNumber 3872 -- The following is used to request V3 extensions be added 3873 -- to a certificate 3875 at-extension-req ATTRIBUTE ::= 3876 { TYPE ExtensionReq IDENTIFIED BY id-ExtensionReq } 3877 id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 3878 rsadsi(113549) pkcs(1) pkcs-9(9) 14} 3880 ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF 3881 
Extension{{CertExtensions}} 3883 -- The following allows Diffie-Hellman Certification Request 3884 -- Messages to be well-formed 3886 sa-noSignature SIGNATURE-ALGORITHM ::= { 3887 IDENTIFIER id-alg-noSignature 3888 VALUE NoSignatureValue 3889 PARAMS TYPE NULL ARE required 3890 HASHES { mda-sha1 } 3891 } 3892 id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2} 3894 NoSignatureValue ::= OCTET STRING 3895 -- Unauthenticated attribute to carry removable data. 3897 id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 3898 rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2)} 3900 aa-cmc-unsignedData ATTRIBUTE ::= 3901 { TYPE CMCUnsignedData IDENTIFIED BY id-aa-cmc-unsignedData } 3902 id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= {id-aa 34} 3904 CMCUnsignedData ::= SEQUENCE { 3905 bodyPartPath BodyPartPath, 3906 identifier TYPE-IDENTIFIER.&id, 3907 content TYPE-IDENTIFIER.&Type 3908 } 3910 -- Replaces CMC Status Info 3911 -- 3913 cmc-statusInfoV2 CMC-CONTROL ::= 3914 { CMCStatusInfoV2 IDENTIFIED BY id-cmc-statusInfoV2 } 3915 id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= {id-cmc 25} 3917 EXTENDED-FAILURE-INFO ::= TYPE-IDENTIFIER 3919 ExtendedFailures EXTENDED-FAILURE-INFO ::= {...} 3921 CMCStatusInfoV2 ::= SEQUENCE { 3922 cMCStatus CMCStatus, 3923 bodyList SEQUENCE SIZE (1..MAX) OF 3924 BodyPartReference, 3925 statusString UTF8String OPTIONAL, 3926 otherInfo CHOICE { 3927 failInfo CMCFailInfo, 3928 pendInfo PendInfo, 3929 extendedFailInfo [1] SEQUENCE { 3930 failInfoOID TYPE-IDENTIFIER.&id 3931 ({ExtendedFailures}), 3932 failInfoValue TYPE-IDENTIFIER.&Type 3933 ({ExtendedFailures} 3934 {@.failInfoOID}) 3935 } 3936 } OPTIONAL 3937 } 3939 BodyPartReference ::= CHOICE { 3940 bodyPartID BodyPartID, 3941 bodyPartPath BodyPartPath 3943 } 3945 BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID 3947 -- Allow for distribution of trust anchors 3948 -- 3950 cmc-trustedAnchors CMC-CONTROL ::= 3951 { PublishTrustAnchors IDENTIFIED BY id-cmc-trustedAnchors } 3952 
id-cmc-trustedAnchors OBJECT IDENTIFIER ::= {id-cmc 26} 3954 PublishTrustAnchors ::= SEQUENCE { 3955 seqNumber INTEGER, 3956 hashAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, 3957 {HashAlgorithms}}, 3958 anchorHashes SEQUENCE OF OCTET STRING 3959 } 3961 HashAlgorithms DIGEST-ALGORITHM ::= { 3962 mda-sha1 | mda-sha256, ... 3963 } 3965 cmc-authData CMC-CONTROL ::= 3966 { AuthPublish IDENTIFIED BY id-cmc-authData } 3967 id-cmc-authData OBJECT IDENTIFIER ::= {id-cmc 27} 3969 AuthPublish ::= BodyPartID 3971 -- These two items use BodyPartList 3973 cmc-batchRequests CMC-CONTROL ::= 3974 { BodyPartList IDENTIFIED BY id-cmc-batchRequests } 3975 id-cmc-batchRequests OBJECT IDENTIFIER ::= {id-cmc 28} 3977 cmc-batchResponses CMC-CONTROL ::= 3978 { BodyPartList IDENTIFIED BY id-cmc-batchResponses } 3979 id-cmc-batchResponses OBJECT IDENTIFIER ::= {id-cmc 29} 3981 BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID 3983 cmc-publishCert CMC-CONTROL ::= 3984 { CMCPublicationInfo IDENTIFIED BY id-cmc-publishCert } 3985 id-cmc-publishCert OBJECT IDENTIFIER ::= {id-cmc 30} 3987 CMCPublicationInfo ::= SEQUENCE { 3988 hashAlg AlgorithmIdentifier{DIGEST-ALGORITHM, 3989 {HashAlgorithms}}, 3990 certHashes SEQUENCE OF OCTET STRING, 3991 pubInfo PKIPublicationInfo 3992 } 3994 cmc-modCertTemplate CMC-CONTROL ::= 3995 { ModCertTemplate IDENTIFIED BY id-cmc-modCertTemplate } 3996 id-cmc-modCertTemplate OBJECT IDENTIFIER ::= {id-cmc 31} 3998 ModCertTemplate ::= SEQUENCE { 3999 pkiDataReference BodyPartPath, 4000 certReferences BodyPartList, 4001 replace BOOLEAN DEFAULT TRUE, 4002 certTemplate CertTemplate 4003 } 4005 -- Inform follow-on servers that one or more controls have 4006 -- already been processed 4008 cmc-controlProcessed CMC-CONTROL ::= 4009 { ControlsProcessed IDENTIFIED BY id-cmc-controlProcessed } 4010 id-cmc-controlProcessed OBJECT IDENTIFIER ::= {id-cmc 32} 4012 ControlsProcessed ::= SEQUENCE { 4013 bodyList SEQUENCE SIZE(1..MAX) OF BodyPartReference 4014 } 4016 -- Identity 
Proof control w/ algorithm agility 4018 cmc-identityProofV2 CMC-CONTROL ::= 4019 { IdentityProofV2 IDENTIFIED BY id-cmc-identityProofV2 } 4020 id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 33 } 4022 IdentityProofV2 ::= SEQUENCE { 4023 proofAlgID AlgorithmIdentifier{DIGEST-ALGORITHM, 4024 {WitnessAlgs}}, 4025 macAlgId AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, 4026 witness OCTET STRING 4027 } 4029 cmc-popLinkWitnessV2 CMC-CONTROL ::= 4030 { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 } 4031 id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 } 4033 PopLinkWitnessV2 ::= SEQUENCE { 4034 keyGenAlgorithm AlgorithmIdentifier{KEY-DERIVATION, 4035 {KeyDevAlgs}}, 4036 macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, 4037 witness OCTET STRING 4038 } 4039 KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...} 4041 END 4043 13. ASN.1 Module for RFC 5755 4045 PKIXAttributeCertificate-2009 4046 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 4047 mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)} 4048 DEFINITIONS IMPLICIT TAGS ::= 4049 BEGIN 4050 IMPORTS 4052 AttributeSet{}, Extensions{}, SecurityCategory{}, 4053 EXTENSION, ATTRIBUTE, SECURITY-CATEGORY 4054 FROM PKIX-CommonTypes-2009 4055 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 4056 mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } 4058 AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM 4059 FROM AlgorithmInformation-2009 4060 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 4061 mechanisms(5) pkix(7) id-mod(0) 4062 id-mod-algorithmInformation-02(58)} 4064 -- IMPORTeD module OIDs MAY Change if [PKIXPROF] changes 4065 -- PKIX Certificate Extensions 4067 CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp, 4068 id-ad, id-at, SIGNED{}, SignatureAlgorithms 4069 FROM PKIX1Explicit-2009 4070 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 4071 mechanisms(5) pkix(7) id-mod(0) 
id-mod-pkix1-explicit-02(51)} 4073 GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier, 4074 ext-AuthorityInfoAccess, ext-CRLDistributionPoints 4075 FROM PKIX1Implicit-2009 4076 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 4077 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} 4079 ContentInfo 4080 FROM CryptographicMessageSyntax-2009 4081 { iso(1) member-body(2) us(840) rsadsi(113549) 4082 pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }; 4084 -- Define the set of extensions that can appear. 4085 -- Some of these are imported from PKIX Cert 4087 AttributeCertExtensions EXTENSION ::= { 4088 ext-auditIdentity | ext-targetInformation | 4089 ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess | 4090 ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying | 4091 ext-aaControls, ... } 4093 ext-auditIdentity EXTENSION ::= { SYNTAX 4094 OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity} 4096 ext-targetInformation EXTENSION ::= { SYNTAX 4097 Targets IDENTIFIED BY id-ce-targetInformation } 4099 ext-noRevAvail EXTENSION ::= { SYNTAX 4100 NULL IDENTIFIED BY id-ce-noRevAvail} 4102 ext-ac-proxying EXTENSION ::= { SYNTAX 4103 ProxyInfo IDENTIFIED BY id-pe-ac-proxying} 4105 ext-aaControls EXTENSION ::= { SYNTAX 4106 AAControls IDENTIFIED BY id-pe-aaControls} 4108 -- Define the set of attributes used here 4110 AttributesDefined ATTRIBUTE ::= { at-authenticationInfo | 4111 at-accesIdentity | at-chargingIdentity | at-group | 4112 at-role | at-clearance | at-encAttrs, ...} 4114 at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo 4115 IDENTIFIED BY id-aca-authenticationInfo} 4117 at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo 4118 IDENTIFIED BY id-aca-accessIdentity} 4120 at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax 4121 IDENTIFIED BY id-aca-chargingIdentity} 4123 at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax 4124 IDENTIFIED BY id-aca-group} 4126 at-role ATTRIBUTE ::= { TYPE RoleSyntax 4127 IDENTIFIED BY 
id-at-role} 4129 at-clearance ATTRIBUTE ::= { TYPE Clearance 4130 IDENTIFIED BY id-at-clearance} 4132 at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281 4133 IDENTIFIED BY id-at-clearance-rfc3281 } 4135 at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo 4136 IDENTIFIED BY id-aca-encAttrs} 4138 -- 4139 -- OIDs used by Attribute Certificate Extensions 4140 -- 4142 id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 } 4143 id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 } 4144 id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 } 4145 id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 } 4146 id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 } 4148 -- 4149 -- OIDs used by Attribute Certficate Attributes 4150 -- 4152 id-aca OBJECT IDENTIFIER ::= { id-pkix 10 } 4154 id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 } 4155 id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 } 4156 id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 } 4157 id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 } 4158 -- { id-aca 5 } is reserved 4159 id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 } 4161 id-at-role OBJECT IDENTIFIER ::= { id-at 72} 4162 id-at-clearance OBJECT IDENTIFIER ::= { 4163 joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) } 4165 -- Uncomment the following declaration and comment the above line if 4166 -- using the id-at-clearance attribute as defined in [RFC3281] 4167 -- id-at-clearance ::= id-at-clearance-3281 4169 id-at-clearance-rfc3281 OBJECT IDENTIFIER ::= { 4170 joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5) 4171 clearance (55) } 4173 -- 4174 -- The syntax of an Attribute Certificate 4175 -- 4177 AttributeCertificate ::= SIGNED{AttributeCertificateInfo} 4179 AttributeCertificateInfo ::= SEQUENCE { 4180 version AttCertVersion, -- version is v2 4181 holder Holder, 4182 issuer AttCertIssuer, 4183 signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, 4184 {SignatureAlgorithms}}, 4185 serialNumber CertificateSerialNumber, 
4186 attrCertValidityPeriod AttCertValidityPeriod, 4187 attributes SEQUENCE OF 4188 AttributeSet{{AttributesDefined}}, 4189 issuerUniqueID UniqueIdentifier OPTIONAL, 4190 extensions Extensions{{AttributeCertExtensions}} OPTIONAL 4191 } 4193 AttCertVersion ::= INTEGER { v2(1) } 4195 Holder ::= SEQUENCE { 4196 baseCertificateID [0] IssuerSerial OPTIONAL, 4197 -- the issuer and serial number of 4198 -- the holder's Public Key Certificate 4199 entityName [1] GeneralNames OPTIONAL, 4200 -- the name of the claimant or role 4201 objectDigestInfo [2] ObjectDigestInfo OPTIONAL 4202 -- used to directly authenticate the 4203 -- holder, for example, an executable 4204 } 4206 ObjectDigestInfo ::= SEQUENCE { 4207 digestedObjectType ENUMERATED { 4208 publicKey (0), 4209 publicKeyCert (1), 4210 otherObjectTypes (2) }, 4211 -- otherObjectTypes MUST NOT 4212 -- MUST NOT be used in this profile 4213 otherObjectTypeID OBJECT IDENTIFIER OPTIONAL, 4214 digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}, 4215 objectDigest BIT STRING 4216 } 4218 AttCertIssuer ::= CHOICE { 4219 v1Form GeneralNames, -- MUST NOT be used in this 4220 -- profile 4221 v2Form [0] V2Form -- v2 only 4222 } 4224 V2Form ::= SEQUENCE { 4225 issuerName GeneralNames OPTIONAL, 4226 baseCertificateID [0] IssuerSerial OPTIONAL, 4227 objectDigestInfo [1] ObjectDigestInfo OPTIONAL 4228 -- issuerName MUST be present in this profile 4229 -- baseCertificateID and objectDigestInfo MUST 4230 -- NOT be present in this profile 4231 } 4233 IssuerSerial ::= SEQUENCE { 4234 issuer GeneralNames, 4235 serial CertificateSerialNumber, 4236 issuerUID UniqueIdentifier OPTIONAL 4237 } 4239 AttCertValidityPeriod ::= SEQUENCE { 4240 notBeforeTime GeneralizedTime, 4241 notAfterTime GeneralizedTime 4242 } 4244 -- 4245 -- Syntax used by Attribute Certificate Extensions 4246 -- 4248 Targets ::= SEQUENCE OF Target 4250 Target ::= CHOICE { 4251 targetName [0] GeneralName, 4252 targetGroup [1] GeneralName, 4253 targetCert [2] TargetCert 
4254 } 4256 TargetCert ::= SEQUENCE { 4257 targetCertificate IssuerSerial, 4258 targetName GeneralName OPTIONAL, 4259 certDigestInfo ObjectDigestInfo OPTIONAL 4260 } 4262 AAControls ::= SEQUENCE { 4263 pathLenConstraint INTEGER (0..MAX) OPTIONAL, 4264 permittedAttrs [0] AttrSpec OPTIONAL, 4265 excludedAttrs [1] AttrSpec OPTIONAL, 4266 permitUnSpecified BOOLEAN DEFAULT TRUE 4267 } 4269 AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER 4271 ProxyInfo ::= SEQUENCE OF Targets 4273 -- 4274 -- Syntax used by Attribute Certificate Attributes 4275 -- 4276 IetfAttrSyntax ::= SEQUENCE { 4277 policyAuthority[0] GeneralNames OPTIONAL, 4278 values SEQUENCE OF CHOICE { 4279 octets OCTET STRING, 4280 oid OBJECT IDENTIFIER, 4281 string UTF8String 4282 } 4283 } 4285 SvceAuthInfo ::= SEQUENCE { 4286 service GeneralName, 4287 ident GeneralName, 4288 authInfo OCTET STRING OPTIONAL 4289 } 4291 RoleSyntax ::= SEQUENCE { 4292 roleAuthority [0] GeneralNames OPTIONAL, 4293 roleName [1] GeneralName 4294 } 4296 Clearance ::= SEQUENCE { 4297 policyId OBJECT IDENTIFIER, 4298 classList ClassList DEFAULT {unclassified}, 4299 securityCategories SET OF SecurityCategory 4300 {{SupportedSecurityCategories}} OPTIONAL 4301 } 4303 -- Uncomment the following lines to support deprecated clearance 4304 -- syntax and comment out previous Clearance. 4306 -- Clearance ::= Clearance-rfc3281 4308 Clearance-rfc3281 ::= SEQUENCE { 4309 policyId [0] OBJECT IDENTIFIER, 4310 classList [1] ClassList DEFAULT {unclassified}, 4311 securityCategories [2] SET OF SecurityCategory-rfc3281 4312 {{SupportedSecurityCategories}} OPTIONAL 4313 } 4315 ClassList ::= BIT STRING { 4316 unmarked (0), 4317 unclassified (1), 4318 restricted (2), 4319 confidential (3), 4320 secret (4), 4321 topSecret (5) 4322 } 4323 SupportedSecurityCategories SECURITY-CATEGORY ::= { ... } 4325 SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE { 4326 type [0] IMPLICIT SECURITY-CATEGORY. 
4327 &id({Supported}), 4328 value [1] EXPLICIT SECURITY-CATEGORY. 4329 &Type({Supported}{@type}) 4330 } 4332 ACClearAttrs ::= SEQUENCE { 4333 acIssuer GeneralName, 4334 acSerial INTEGER, 4335 attrs SEQUENCE OF AttributeSet{{AttributesDefined}} 4336 } 4338 END 4340 14. ASN.1 Module for RFC 5280, Explicit and Implicit 4342 Note that many of the changes in this module are similar or the same 4343 as the changes made in more recent versions of X.509 itself. 4345 PKIX1Explicit-2009 4346 {iso(1) identified-organization(3) dod(6) internet(1) 4347 security(5) mechanisms(5) pkix(7) id-mod(0) 4348 id-mod-pkix1-explicit-02(51)} 4349 DEFINITIONS EXPLICIT TAGS ::= 4350 BEGIN 4352 IMPORTS 4354 Extensions{}, EXTENSION, ATTRIBUTE, SingleAttribute{} 4355 FROM PKIX-CommonTypes-2009 4356 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 4357 mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} 4359 AlgorithmIdentifier{}, PUBLIC-KEY, SIGNATURE-ALGORITHM 4360 FROM AlgorithmInformation-2009 4361 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 4362 mechanisms(5) pkix(7) id-mod(0) 4363 id-mod-algorithmInformation-02(58)} 4365 CertExtensions, CrlExtensions, CrlEntryExtensions 4366 FROM PKIX1Implicit-2009 4367 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 4368 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} 4370 SignatureAlgs, PublicKeys 4371 FROM PKIXAlgs-2009 4372 {iso(1) identified-organization(3) dod(6) 4373 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 56} 4375 SignatureAlgs, PublicKeys 4376 FROM PKIX1-PSS-OAEP-Algorithms-2009 4377 {iso(1) identified-organization(3) dod(6) 4378 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 4379 id-mod-pkix1-rsa-pkalgs-02(54)} 4381 ORAddress 4382 FROM PKIX-X400Address-2009 4383 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 4384 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60)}; 4386 id-pkix OBJECT IDENTIFIER ::= 4387 {iso(1) 
identified-organization(3) dod(6) internet(1) security(5) 4388 mechanisms(5) pkix(7)} 4390 -- PKIX arcs 4392 id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } 4393 -- arc for private certificate extensions 4394 id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } 4395 -- arc for policy qualifier types 4396 id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } 4397 -- arc for extended key purpose OIDS 4398 id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } 4399 -- arc for access descriptors 4401 -- policyQualifierIds for Internet policy qualifiers 4403 id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } 4404 -- OID for CPS qualifier 4405 id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } 4406 -- OID for user notice qualifier 4408 -- access descriptor definitions 4410 id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } 4411 id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } 4412 id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } 4413 id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } 4415 -- attribute data types 4416 AttributeType ::= ATTRIBUTE.&id 4418 -- Replaced by SingleAttribute{} 4419 -- 4420 -- AttributeTypeAndValue ::= SEQUENCE { 4421 -- type ATTRIBUTE.&id({SupportedAttributes}), 4422 -- value ATTRIBUTE.&Type({SupportedAttributes}{@type}) } 4423 -- 4425 -- Suggested naming attributes: Definition of the following 4426 -- information object set may be augmented to meet local 4427 -- requirements. Note that deleting members of the set may 4428 -- prevent interoperability with conforming implementations. 4429 -- All attributes are presented in pairs: the AttributeType 4430 -- followed by the type definition for the corresponding 4431 -- AttributeValue. 
4433 --Arc for standard naming attributes 4435 id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } 4437 -- Naming attributes of type X520name 4439 id-at-name AttributeType ::= { id-at 41 } 4440 at-name ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-name } 4442 id-at-surname AttributeType ::= { id-at 4 } 4443 at-surname ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-surname } 4445 id-at-givenName AttributeType ::= { id-at 42 } 4446 at-givenName ATTRIBUTE ::= 4447 { TYPE X520name IDENTIFIED BY id-at-givenName } 4449 id-at-initials AttributeType ::= { id-at 43 } 4450 at-initials ATTRIBUTE ::= 4451 { TYPE X520name IDENTIFIED BY id-at-initials } 4453 id-at-generationQualifier AttributeType ::= { id-at 44 } 4454 at-generationQualifier ATTRIBUTE ::= 4455 { TYPE X520name IDENTIFIED BY id-at-generationQualifier } 4457 -- Directory string type -- 4459 DirectoryString{INTEGER:maxSize} ::= CHOICE { 4460 teletexString TeletexString(SIZE (1..maxSize)), 4461 printableString PrintableString(SIZE (1..maxSize)), 4462 bmpString BMPString(SIZE (1..maxSize)), 4463 universalString UniversalString(SIZE (1..maxSize)), 4464 uTF8String UTF8String(SIZE (1..maxSize)) 4465 } 4467 X520name ::= DirectoryString {ub-name} 4469 -- Naming attributes of type X520CommonName 4471 id-at-commonName AttributeType ::= { id-at 3 } 4473 at-x520CommonName ATTRIBUTE ::= 4474 {TYPE X520CommonName IDENTIFIED BY id-at-commonName } 4475 X520CommonName ::= DirectoryString {ub-common-name} 4477 -- Naming attributes of type X520LocalityName 4479 id-at-localityName AttributeType ::= { id-at 7 } 4481 at-x520LocalityName ATTRIBUTE ::= 4482 { TYPE X520LocalityName IDENTIFIED BY id-at-localityName } 4483 X520LocalityName ::= DirectoryString {ub-locality-name} 4485 -- Naming attributes of type X520StateOrProvinceName 4487 id-at-stateOrProvinceName AttributeType ::= { id-at 8 } 4489 at-x520StateOrProvinceName ATTRIBUTE ::= 4490 { TYPE DirectoryString {ub-state-name} 4491 IDENTIFIED BY id-at-stateOrProvinceName 
} 4492 X520StateOrProvinceName ::= DirectoryString {ub-state-name} 4494 -- Naming attributes of type X520OrganizationName 4496 id-at-organizationName AttributeType ::= { id-at 10 } 4498 at-x520OrganizationName ATTRIBUTE ::= 4499 { TYPE DirectoryString {ub-organization-name} 4500 IDENTIFIED BY id-at-organizationName } 4501 X520OrganizationName ::= DirectoryString {ub-organization-name} 4503 -- Naming attributes of type X520OrganizationalUnitName 4505 id-at-organizationalUnitName AttributeType ::= { id-at 11 } 4507 at-x520OrganizationalUnitName ATTRIBUTE ::= 4508 { TYPE DirectoryString {ub-organizational-unit-name} 4509 IDENTIFIED BY id-at-organizationalUnitName } 4510 X520OrganizationalUnitName ::= DirectoryString 4511 {ub-organizational-unit-name} 4513 -- Naming attributes of type X520Title 4515 id-at-title AttributeType ::= { id-at 12 } 4517 at-x520Title ATTRIBUTE ::= { TYPE DirectoryString { ub-title } 4518 IDENTIFIED BY id-at-title } 4520 -- Naming attributes of type X520dnQualifier 4522 id-at-dnQualifier AttributeType ::= { id-at 46 } 4524 at-x520dnQualifier ATTRIBUTE ::= { TYPE PrintableString 4525 IDENTIFIED BY id-at-dnQualifier } 4527 -- Naming attributes of type X520countryName (digraph from IS 3166) 4529 id-at-countryName AttributeType ::= { id-at 6 } 4531 at-x520countryName ATTRIBUTE ::= { TYPE PrintableString (SIZE (2)) 4532 IDENTIFIED BY id-at-countryName } 4534 -- Naming attributes of type X520SerialNumber 4536 id-at-serialNumber AttributeType ::= { id-at 5 } 4538 at-x520SerialNumber ATTRIBUTE ::= {TYPE PrintableString 4539 (SIZE (1..ub-serial-number)) IDENTIFIED BY id-at-serialNumber } 4541 -- Naming attributes of type X520Pseudonym 4543 id-at-pseudonym AttributeType ::= { id-at 65 } 4545 at-x520Pseudonym ATTRIBUTE ::= { TYPE DirectoryString {ub-pseudonym} 4546 IDENTIFIED BY id-at-pseudonym } 4548 -- Naming attributes of type DomainComponent (from RFC 2247) 4550 id-domainComponent AttributeType ::= 4551 { itu-t(0) data(9) pss(2342) ucl(19200300) 
pilot(100) 4552 pilotAttributeType(1) 25 } 4554 at-domainComponent ATTRIBUTE ::= {TYPE IA5String 4555 IDENTIFIED BY id-domainComponent } 4557 -- Legacy attributes 4559 pkcs-9 OBJECT IDENTIFIER ::= 4560 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } 4562 id-emailAddress AttributeType ::= { pkcs-9 1 } 4564 at-emailAddress ATTRIBUTE ::= {TYPE IA5String 4565 (SIZE (1..ub-emailaddress-length)) IDENTIFIED BY 4566 id-emailAddress } 4568 -- naming data types -- 4570 Name ::= CHOICE { -- only one possibility for now -- 4571 rdnSequence RDNSequence } 4573 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 4575 DistinguishedName ::= RDNSequence 4577 RelativeDistinguishedName ::= 4578 SET SIZE (1 .. MAX) OF SingleAttribute { {SupportedAttributes} } 4580 -- These are the known name elements for a DN 4582 SupportedAttributes ATTRIBUTE ::= { 4583 at-name | at-surname | at-givenName | at-initials | 4584 at-generationQualifier | at-x520CommonName | 4585 at-x520LocalityName | at-x520StateOrProvinceName | 4586 at-x520OrganizationName | at-x520OrganizationalUnitName | 4587 at-x520Title | at-x520dnQualifier | at-x520countryName | 4588 at-x520SerialNumber | at-x520Pseudonym | at-domainComponent | 4589 at-emailAddress, ... } 4591 -- 4592 -- Certificate and CRL specific structures begin here 4593 -- 4595 Certificate ::= SIGNED{TBSCertificate} 4597 TBSCertificate ::= SEQUENCE { 4598 version [0] Version DEFAULT v1, 4599 serialNumber CertificateSerialNumber, 4600 signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, 4601 {SignatureAlgorithms}}, 4602 issuer Name, 4603 validity Validity, 4604 subject Name, 4605 subjectPublicKeyInfo SubjectPublicKeyInfo, 4606 ... , 4607 [[2: -- If present, version MUST be v2 4608 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 4609 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL 4610 ]], 4611 [[3: -- If present, version MUST be v3 -- 4612 extensions [3] Extensions{{CertExtensions}} OPTIONAL 4613 ]], ... 
} 4615 Version ::= INTEGER { v1(0), v2(1), v3(2) } 4617 CertificateSerialNumber ::= INTEGER 4619 Validity ::= SEQUENCE { 4620 notBefore Time, 4621 notAfter Time } 4623 Time ::= CHOICE { 4624 utcTime UTCTime, 4625 generalTime GeneralizedTime } 4627 UniqueIdentifier ::= BIT STRING 4629 SubjectPublicKeyInfo ::= SEQUENCE { 4630 algorithm AlgorithmIdentifier{PUBLIC-KEY, 4631 {PublicKeyAlgorithms}}, 4632 subjectPublicKey BIT STRING } 4634 -- CRL structures 4636 CertificateList ::= SIGNED{TBSCertList} 4638 TBSCertList ::= SEQUENCE { 4639 version Version OPTIONAL, 4640 -- if present, MUST be v2 4641 signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, 4642 {SignatureAlgorithms}}, 4643 issuer Name, 4644 thisUpdate Time, 4645 nextUpdate Time OPTIONAL, 4646 revokedCertificates SEQUENCE SIZE (1..MAX) OF SEQUENCE { 4647 userCertificate CertificateSerialNumber, 4648 revocationDate Time, 4649 ... , 4650 [[2: -- if present, version MUST be v2 4651 crlEntryExtensions Extensions{{CrlEntryExtensions}} 4652 OPTIONAL 4653 ]], ... 4654 } OPTIONAL, 4655 ... , 4656 [[2: -- if present, version MUST be v2 4657 crlExtensions [0] Extensions{{CrlExtensions}} 4658 OPTIONAL 4659 ]], ... } 4661 -- Version, Time, CertificateSerialNumber, and Extensions were 4662 -- defined earlier for use in the certificate structure 4664 -- 4665 -- The two object sets below should be expanded to include 4666 -- those algorithms which are supported by the system. 
4667   --
4668   -- For example:
4669   -- SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
4670   --    PKIXAlgs-2008.SignatureAlgs, ...,
4671   --        - - RFC 3279 provides the base set
4672   --    PKIX1-PSS-OAEP-ALGORITHMS.SignatureAlgs |
4673   --        - - RFC 4055 provides extension algs
4674   --    OtherModule.SignatureAlgs
4675   --        - - RFC XXXX provides additional extension algs
4676   -- }

4678   SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
4679       PKIXAlgs-2009.SignatureAlgs, ...,
4680       PKIX1-PSS-OAEP-Algorithms-2009.SignatureAlgs }

4682   PublicKeyAlgorithms PUBLIC-KEY ::= {
4683       PKIXAlgs-2009.PublicKeys, ...,
4684       PKIX1-PSS-OAEP-Algorithms-2009.PublicKeys}

4686   -- Upper Bounds

4688   ub-state-name INTEGER ::= 128
4689   ub-organization-name INTEGER ::= 64
4690   ub-organizational-unit-name INTEGER ::= 64
4691   ub-title INTEGER ::= 64
4692   ub-serial-number INTEGER ::= 64
4693   ub-pseudonym INTEGER ::= 128
4694   ub-emailaddress-length INTEGER ::= 255
4695   ub-locality-name INTEGER ::= 128
4696   ub-common-name INTEGER ::= 64
4697   ub-name INTEGER ::= 32768

4699   -- Note - upper bounds on string types, such as TeletexString, are
4700   -- measured in characters. Excepting PrintableString or IA5String, a
4701   -- significantly greater number of octets will be required to hold
4702   -- such a value. As a minimum, 16 octets, or twice the specified
4703   -- upper bound, whichever is the larger, should be allowed for
4704   -- TeletexString. For UTF8String or UniversalString at least four
4705   -- times the upper bound should be allowed.

4707   -- Information object classes used in the definition
4708   -- of certificates and CRLs

4710   -- Parameterized Type SIGNED
4711   --
4712   -- Three different versions of doing SIGNED:
4713   --  1.  Simple and close to the previous version
4714   --
4715   --  SIGNED{ToBeSigned} ::= SEQUENCE {
4716   --    toBeSigned  ToBeSigned,
4717   --    algorithm   AlgorithmIdentifier{SIGNATURE-ALGORITHM,
4718   --                    {SignatureAlgorithms}},
4719   --    signature   BIT STRING
4720   --  }

4722   --  2.  From Authenticated Framework
4723   --
4724   --  SIGNED{ToBeSigned} ::= SEQUENCE {
4725   --    toBeSigned    ToBeSigned,
4726   --    COMPONENTS OF SIGNATURE{ToBeSigned}
4727   --  }
4728   --  SIGNATURE{ToBeSigned} ::= SEQUENCE {
4729   --    algorithmIdentifier   AlgorithmIdentifier,
4730   --    encrypted             ENCRYPTED-HASH{ToBeSigned}
4731   --  }
4732   --  ENCRYPTED-HASH{ToBeSigned} ::=
4733   --    BIT STRING
4734   --      (CONSTRAINED BY {
4735   --        shall be the result of applying a hashing procedure to
4736   --        the DER-encoded (see 6.1) octets of a value of
4737   --        ToBeSigned and then applying an encipherment procedure
4738   --        to those octets
4739   --      })
4740   --
4741   --
4742   --  3.  A more complex version, but one that automatically ties
4743   --      together both the signature algorithm and the
4744   --      signature value for automatic decoding.
4745   --
4746   SIGNED{ToBeSigned} ::= SEQUENCE {
4747       toBeSigned           ToBeSigned,
4748       algorithmIdentifier  SEQUENCE {
4749           algorithm        SIGNATURE-ALGORITHM.
4750                                &id({SignatureAlgorithms}),
4751           parameters       SIGNATURE-ALGORITHM.
4752                                &Params({SignatureAlgorithms}
4753                                    {@algorithmIdentifier.algorithm})
4754       },
4755       signature BIT STRING (CONTAINING SIGNATURE-ALGORITHM.&Value(
4756                                {SignatureAlgorithms}
4757                                {@algorithmIdentifier.algorithm}))
4758   }

4760   END

4762   PKIX1Implicit-2009
4763       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4764       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
4765   DEFINITIONS IMPLICIT TAGS ::=
4766   BEGIN
4767   IMPORTS

4769   AttributeSet{}, EXTENSION, ATTRIBUTE
4770   FROM PKIX-CommonTypes-2009
4771       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4772       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

4774   id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name,
4775       RelativeDistinguishedName, CertificateSerialNumber,
4776       DirectoryString{}, SupportedAttributes
4777   FROM PKIX1Explicit-2009
4778       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4779       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) };

4781   CertExtensions EXTENSION ::= {
4782       ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier |
4783       ext-KeyUsage | ext-PrivateKeyUsagePeriod |
4784       ext-CertificatePolicies | ext-PolicyMappings |
4785       ext-SubjectAltName | ext-IssuerAltName |
4786       ext-SubjectDirectoryAttributes |
4787       ext-BasicConstraints | ext-NameConstraints |
4788       ext-PolicyConstraints | ext-ExtKeyUsage |
4789       ext-CRLDistributionPoints | ext-InhibitAnyPolicy |
4790       ext-FreshestCRL | ext-AuthorityInfoAccess |
4791       ext-SubjectInfoAccessSyntax, ... }

4793   CrlExtensions EXTENSION ::= {
4794       ext-AuthorityKeyIdentifier | ext-IssuerAltName |
4795       ext-CRLNumber | ext-DeltaCRLIndicator |
4796       ext-IssuingDistributionPoint | ext-FreshestCRL, ... }

4798   CrlEntryExtensions EXTENSION ::= {
4799       ext-CRLReason | ext-CertificateIssuer |
4800       ext-HoldInstructionCode | ext-InvalidityDate, ... }

4802   -- Shared arc for standard certificate and CRL extensions

4804   id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }

4806   -- authority key identifier OID and syntax

4808   ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX
4809       AuthorityKeyIdentifier IDENTIFIED BY
4810       id-ce-authorityKeyIdentifier }
4811   id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }

4813   AuthorityKeyIdentifier ::= SEQUENCE {
4814       keyIdentifier             [0] KeyIdentifier OPTIONAL,
4815       authorityCertIssuer       [1] GeneralNames OPTIONAL,
4816       authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
4817   (WITH COMPONENTS {
4818       ...,
4819       authorityCertIssuer        PRESENT,
4820       authorityCertSerialNumber  PRESENT
4821    } |
4822    WITH COMPONENTS {
4823       ...,
4824       authorityCertIssuer        ABSENT,
4825       authorityCertSerialNumber  ABSENT
4826    })

4828   KeyIdentifier ::= OCTET STRING

4830   -- subject key identifier OID and syntax

4832   ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX
4833       KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier }
4834   id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }

4836   -- key usage extension OID and syntax

4838   ext-KeyUsage EXTENSION ::= { SYNTAX
4839       KeyUsage IDENTIFIED BY id-ce-keyUsage }
4840   id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }

4842   KeyUsage ::= BIT STRING {
4843       digitalSignature        (0),
4844       nonRepudiation          (1), -- recent editions of X.509 have
4845                                    -- renamed this bit to
4846                                    -- contentCommitment
4847       keyEncipherment         (2),
4848       dataEncipherment        (3),
4849       keyAgreement            (4),
4850       keyCertSign             (5),
4851       cRLSign                 (6),
4852       encipherOnly            (7),
4853       decipherOnly            (8)
4854   }

4856   -- private key usage period extension OID and syntax

4858   ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX
4859       PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod }
4860   id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }

4862   PrivateKeyUsagePeriod ::= SEQUENCE {
4863       notBefore       [0] GeneralizedTime OPTIONAL,
4864       notAfter        [1] GeneralizedTime OPTIONAL }
4865   (WITH COMPONENTS {..., notBefore PRESENT } |
4866    WITH COMPONENTS {..., notAfter PRESENT })

4868   -- certificate policies extension OID and syntax

4870   ext-CertificatePolicies EXTENSION ::= { SYNTAX
4871       CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies}
4872   id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }

4874   CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

4876   PolicyInformation ::= SEQUENCE {
4877       policyIdentifier   CertPolicyId,
4878       policyQualifiers   SEQUENCE SIZE (1..MAX) OF
4879                              PolicyQualifierInfo OPTIONAL }

4881   CertPolicyId ::= OBJECT IDENTIFIER

4883   CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER

4885   PolicyQualifierInfo ::= SEQUENCE {
4886       policyQualifierId  CERT-POLICY-QUALIFIER.
4887                              &id({PolicyQualifierId}),
4888       qualifier          CERT-POLICY-QUALIFIER.
4889                              &Type({PolicyQualifierId}{@policyQualifierId})}

4891   -- Implementations that recognize additional policy qualifiers MUST
4892   -- augment the following definition for PolicyQualifierId

4894   PolicyQualifierId CERT-POLICY-QUALIFIER ::=
4895       { pqid-cps | pqid-unotice, ... }

4897   pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }
4898   pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice
4899       IDENTIFIED BY id-qt-unotice }

4901   -- CPS pointer qualifier

4903   CPSuri ::= IA5String

4905   -- user notice qualifier

4907   UserNotice ::= SEQUENCE {
4908       noticeRef        NoticeReference OPTIONAL,
4909       explicitText     DisplayText OPTIONAL}
4910   --
4911   --  This is not made explicit in the text
4912   --
4913   -- {WITH COMPONENTS {..., noticeRef PRESENT} |
4914   --  WITH COMPONENTS {..., DisplayText PRESENT }}

4916   NoticeReference ::= SEQUENCE {
4917       organization     DisplayText,
4918       noticeNumbers    SEQUENCE OF INTEGER }

4920   DisplayText ::= CHOICE {
4921       ia5String        IA5String      (SIZE (1..200)),
4922       visibleString    VisibleString  (SIZE (1..200)),
4923       bmpString        BMPString      (SIZE (1..200)),
4924       utf8String       UTF8String     (SIZE (1..200)) }

4926   -- policy mapping extension OID and syntax

4928   ext-PolicyMappings EXTENSION ::= { SYNTAX
4929       PolicyMappings IDENTIFIED BY id-ce-policyMappings }
4930   id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }

4932   PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
4933       issuerDomainPolicy      CertPolicyId,
4934       subjectDomainPolicy     CertPolicyId
4935   }

4937   -- subject alternative name extension OID and syntax

4939   ext-SubjectAltName EXTENSION ::= { SYNTAX
4940       GeneralNames IDENTIFIED BY id-ce-subjectAltName }
4941   id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }

4943   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

4945   GeneralName ::= CHOICE {
4946       otherName                   [0]  INSTANCE OF OTHER-NAME,
4947       rfc822Name                  [1]  IA5String,
4948       dNSName                     [2]  IA5String,
4949       x400Address                 [3]  ORAddress,
4950       directoryName               [4]  Name,
4951       ediPartyName                [5]  EDIPartyName,
4952       uniformResourceIdentifier   [6]  IA5String,
4953       iPAddress                   [7]  OCTET STRING,
4954       registeredID                [8]  OBJECT IDENTIFIER
4955   }

4957   -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
4958   -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

4960   OTHER-NAME ::= TYPE-IDENTIFIER

4962   EDIPartyName ::= SEQUENCE {
4963       nameAssigner    [0] DirectoryString {ubMax} OPTIONAL,
4964       partyName       [1] DirectoryString {ubMax}
4965   }

4967   -- issuer alternative name extension OID and syntax

4969   ext-IssuerAltName EXTENSION ::= { SYNTAX
4970       GeneralNames IDENTIFIED BY id-ce-issuerAltName }
4971   id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }

4973   ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX
4974       SubjectDirectoryAttributes IDENTIFIED BY
4975       id-ce-subjectDirectoryAttributes }
4976   id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }

4978   SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
4979       AttributeSet{{SupportedAttributes}}

4981   -- basic constraints extension OID and syntax

4983   ext-BasicConstraints EXTENSION ::= { SYNTAX
4984       BasicConstraints IDENTIFIED BY id-ce-basicConstraints }
4985   id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }

4987   BasicConstraints ::= SEQUENCE {
4988       cA                      BOOLEAN DEFAULT FALSE,
4989       pathLenConstraint       INTEGER (0..MAX) OPTIONAL
4990   }

4992   -- name constraints extension OID and syntax
4993   ext-NameConstraints EXTENSION ::= { SYNTAX
4994       NameConstraints IDENTIFIED BY id-ce-nameConstraints }
4995   id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }

4997   NameConstraints ::= SEQUENCE {
4998       permittedSubtrees       [0] GeneralSubtrees OPTIONAL,
4999       excludedSubtrees        [1] GeneralSubtrees OPTIONAL
5000   }
5001   --
5002   -- This is a constraint in the issued certificates by CAs, but is
5003   -- not a requirement on EEs.
5004   --
5005   -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
5006   --  WITH COMPONENTS { ..., excludedSubtrees PRESENT }}

5008   GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

5010   GeneralSubtree ::= SEQUENCE {
5011       base            GeneralName,
5012       minimum     [0] BaseDistance DEFAULT 0,
5013       maximum     [1] BaseDistance OPTIONAL
5014   }

5016   BaseDistance ::= INTEGER (0..MAX)

5018   -- policy constraints extension OID and syntax

5020   ext-PolicyConstraints EXTENSION ::= { SYNTAX
5021       PolicyConstraints IDENTIFIED BY id-ce-policyConstraints }
5022   id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }

5024   PolicyConstraints ::= SEQUENCE {
5025       requireExplicitPolicy   [0] SkipCerts OPTIONAL,
5026       inhibitPolicyMapping    [1] SkipCerts OPTIONAL }
5027   --
5028   -- This is a constraint in the issued certificates by CAs,
5029   -- but is not a requirement for EEs
5030   --
5031   -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
5032   --  WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})

5034   SkipCerts ::= INTEGER (0..MAX)

5036   -- CRL distribution points extension OID and syntax

5038   ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
5039       CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}
5040   id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
5041   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

5043   DistributionPoint ::= SEQUENCE {
5044       distributionPoint   [0] DistributionPointName OPTIONAL,
5045       reasons             [1] ReasonFlags OPTIONAL,
5046       cRLIssuer           [2] GeneralNames OPTIONAL
5047   }
5048   --
5049   --  This is not a requirement in the text, but it seems as if it
5050   --      should be
5051   --
5052   --(WITH COMPONENTS {..., distributionPoint PRESENT} |
5053   -- WITH COMPONENTS {..., cRLIssuer PRESENT})

5055   DistributionPointName ::= CHOICE {
5056       fullName                 [0] GeneralNames,
5057       nameRelativeToCRLIssuer  [1] RelativeDistinguishedName
5058   }

5060   ReasonFlags ::= BIT STRING {
5061       unused                  (0),
5062       keyCompromise           (1),
5063       cACompromise            (2),
5064       affiliationChanged      (3),
5065       superseded              (4),
5066       cessationOfOperation    (5),
5067       certificateHold         (6),
5068       privilegeWithdrawn      (7),
5069       aACompromise            (8)
5070   }

5072   -- extended key usage extension OID and syntax

5074   ext-ExtKeyUsage EXTENSION ::= { SYNTAX
5075       ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage }
5076   id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

5078   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

5080   KeyPurposeId ::= OBJECT IDENTIFIER

5082   -- permit unspecified key uses

5084   anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

5086   -- extended key purpose OIDs

5088   id-kp-serverAuth       OBJECT IDENTIFIER ::= { id-kp 1 }
5089   id-kp-clientAuth       OBJECT IDENTIFIER ::= { id-kp 2 }
5090   id-kp-codeSigning      OBJECT IDENTIFIER ::= { id-kp 3 }
5091   id-kp-emailProtection  OBJECT IDENTIFIER ::= { id-kp 4 }
5092   id-kp-timeStamping     OBJECT IDENTIFIER ::= { id-kp 8 }
5093   id-kp-OCSPSigning      OBJECT IDENTIFIER ::= { id-kp 9 }

5095   -- inhibit any policy OID and syntax

5097   ext-InhibitAnyPolicy EXTENSION ::= {SYNTAX
5098       SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy }
5099   id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }

5101   -- freshest (delta)CRL extension OID and syntax

5103   ext-FreshestCRL EXTENSION ::= {SYNTAX
5104       CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL }
5105   id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 }

5107   -- authority info access

5109   ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX
5110       AuthorityInfoAccessSyntax IDENTIFIED BY
5111       id-pe-authorityInfoAccess }
5112   id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

5114   AuthorityInfoAccessSyntax ::=
5115       SEQUENCE SIZE (1..MAX) OF AccessDescription

5117   AccessDescription ::= SEQUENCE {
5118       accessMethod          OBJECT IDENTIFIER,
5119       accessLocation        GeneralName }

5121   -- subject info access

5123   ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX
5124       SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
5125   id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }

5127   SubjectInfoAccessSyntax ::=
5128       SEQUENCE SIZE (1..MAX) OF AccessDescription

5130   -- CRL number extension OID and syntax

5132   ext-CRLNumber EXTENSION ::= {SYNTAX
5133       INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
5134   id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

5136   CRLNumber ::= INTEGER (0..MAX)
5137   -- issuing distribution point extension OID and syntax

5139   ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX
5140       IssuingDistributionPoint IDENTIFIED BY
5141       id-ce-issuingDistributionPoint }
5142   id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }

5144   IssuingDistributionPoint ::= SEQUENCE {
5145       distributionPoint          [0] DistributionPointName OPTIONAL,
5146       onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
5147       onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
5148       onlySomeReasons            [3] ReasonFlags OPTIONAL,
5149       indirectCRL                [4] BOOLEAN DEFAULT FALSE,
5150       onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE
5151   }
5152   -- at most one of onlyContainsUserCerts, onlyContainsCACerts,
5153   -- and onlyContainsAttributeCerts may be set to TRUE.

5155   ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX
5156       CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator }
5157   id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

5159   -- CRL reasons extension OID and syntax

5161   ext-CRLReason EXTENSION ::= { SYNTAX
5162       CRLReason IDENTIFIED BY id-ce-cRLReasons }
5163   id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

5165   CRLReason ::= ENUMERATED {
5166       unspecified             (0),
5167       keyCompromise           (1),
5168       cACompromise            (2),
5169       affiliationChanged      (3),
5170       superseded              (4),
5171       cessationOfOperation    (5),
5172       certificateHold         (6),
5173       removeFromCRL           (8),
5174       privilegeWithdrawn      (9),
5175       aACompromise           (10)
5176   }

5178   -- certificate issuer CRL entry extension OID and syntax

5180   ext-CertificateIssuer EXTENSION ::= { SYNTAX
5181       GeneralNames IDENTIFIED BY id-ce-certificateIssuer }
5182   id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

5184   -- hold instruction extension OID and syntax
5185   ext-HoldInstructionCode EXTENSION ::= { SYNTAX
5186       OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode }
5187   id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

5189   -- ANSI x9 holdinstructions

5191   holdInstruction OBJECT IDENTIFIER ::=
5192       {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
5193   id-holdinstruction-none OBJECT IDENTIFIER ::=
5194       {holdInstruction 1} -- deprecated
5195   id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
5196       {holdInstruction 2}
5197   id-holdinstruction-reject OBJECT IDENTIFIER ::=
5198       {holdInstruction 3}

5200   -- invalidity date CRL entry extension OID and syntax

5202   ext-InvalidityDate EXTENSION ::= { SYNTAX
5203       GeneralizedTime IDENTIFIED BY id-ce-invalidityDate }
5204   id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
5205   -- Upper bounds
5206   ubMax INTEGER ::= 32768

5208   END

5210   --
5211   -- This module is used to isolate all the X.400 naming information.
5212   -- There is no reason to expect this to occur in a PKIX certificate.
5213   --

5215   PKIX-X400Address-2009
5216       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
5217       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60) }
5218   DEFINITIONS EXPLICIT TAGS ::=
5219   BEGIN

5221   -- X.400 address syntax starts here

5223   ORAddress ::= SEQUENCE {
5224       built-in-standard-attributes BuiltInStandardAttributes,
5225       built-in-domain-defined-attributes
5226                       BuiltInDomainDefinedAttributes OPTIONAL,
5227       -- see also teletex-domain-defined-attributes
5228       extension-attributes ExtensionAttributes OPTIONAL }

5230   -- Built-in Standard Attributes

5232   BuiltInStandardAttributes ::= SEQUENCE {
5233       country-name                  CountryName OPTIONAL,
5234       administration-domain-name    AdministrationDomainName OPTIONAL,
5235       network-address           [0] IMPLICIT NetworkAddress OPTIONAL,
5236       -- see also extended-network-address
5237       terminal-identifier       [1] IMPLICIT TerminalIdentifier OPTIONAL,
5238       private-domain-name       [2] PrivateDomainName OPTIONAL,
5239       organization-name         [3] IMPLICIT OrganizationName OPTIONAL,
5240       -- see also teletex-organization-name
5241       numeric-user-identifier   [4] IMPLICIT NumericUserIdentifier
5242                                     OPTIONAL,
5243       personal-name             [5] IMPLICIT PersonalName OPTIONAL,
5244       -- see also teletex-personal-name
5245       organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
5246                                     OPTIONAL }
5247       -- see also teletex-organizational-unit-names

5249   CountryName ::= [APPLICATION 1] CHOICE {
5250       x121-dcc-code         NumericString
5251                                 (SIZE (ub-country-name-numeric-length)),
5252       iso-3166-alpha2-code  PrintableString
5253                                 (SIZE (ub-country-name-alpha-length)) }

5255   AdministrationDomainName ::= [APPLICATION 2] CHOICE {
5256       numeric   NumericString   (SIZE (0..ub-domain-name-length)),
5257       printable PrintableString (SIZE (0..ub-domain-name-length)) }

5259   NetworkAddress ::= X121Address  -- see also extended-network-address

5261   X121Address ::= NumericString (SIZE (1..ub-x121-address-length))

5263   TerminalIdentifier ::= PrintableString (SIZE
5264       (1..ub-terminal-id-length))

5266   PrivateDomainName ::= CHOICE {
5267       numeric   NumericString   (SIZE (1..ub-domain-name-length)),
5268       printable PrintableString (SIZE (1..ub-domain-name-length)) }

5270   OrganizationName ::= PrintableString
5271                            (SIZE (1..ub-organization-name-length))
5272   -- see also teletex-organization-name

5274   NumericUserIdentifier ::= NumericString
5275                                 (SIZE (1..ub-numeric-user-id-length))

5277   PersonalName ::= SET {
5278       surname     [0] IMPLICIT PrintableString
5279                       (SIZE (1..ub-surname-length)),
5280       given-name  [1] IMPLICIT PrintableString
5281                       (SIZE (1..ub-given-name-length)) OPTIONAL,
5282       initials    [2] IMPLICIT PrintableString
5283                       (SIZE (1..ub-initials-length)) OPTIONAL,
5284       generation-qualifier [3] IMPLICIT PrintableString
5285                       (SIZE (1..ub-generation-qualifier-length))
5286                       OPTIONAL }
5287   -- see also teletex-personal-name

5289   OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
5290                                   OF OrganizationalUnitName
5291   -- see also teletex-organizational-unit-names

5293   OrganizationalUnitName ::= PrintableString (SIZE
5294       (1..ub-organizational-unit-name-length))

5296   -- Built-in Domain-defined Attributes

5298   BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
5299       (1..ub-domain-defined-attributes) OF
5300       BuiltInDomainDefinedAttribute

5302   BuiltInDomainDefinedAttribute ::= SEQUENCE {
5303       type  PrintableString (SIZE
5304                 (1..ub-domain-defined-attribute-type-length)),
5305       value PrintableString (SIZE
5306                 (1..ub-domain-defined-attribute-value-length)) }

5308   -- Extension Attributes

5310   ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
5311       ExtensionAttribute

5313   EXTENSION-ATTRIBUTE ::= CLASS {
5314       &id          INTEGER (0..ub-extension-attributes) UNIQUE,
5315       &Type
5316   } WITH SYNTAX { &Type IDENTIFIED BY &id }

5318   ExtensionAttribute ::= SEQUENCE {
5319       extension-attribute-type  [0] IMPLICIT EXTENSION-ATTRIBUTE.
5320           &id({SupportedExtensionAttributes}),
5321       extension-attribute-value [1] EXTENSION-ATTRIBUTE.
5322 &Type({SupportedExtensionAttributes} 5323 {@extension-attribute-type})} 5325 SupportedExtensionAttributes EXTENSION-ATTRIBUTE ::= { 5326 ea-commonName | ea-teletexCommonName | ea-teletexOrganizationName 5327 | ea-teletexPersonalName | ea-teletexOrganizationalUnitNames | 5328 ea-pDSName | ea-physicalDeliveryCountryName | ea-postalCode | 5329 ea-physicalDeliveryOfficeName | ea-physicalDeliveryOfficeNumber | 5330 ea-extensionORAddressComponents | ea-physicalDeliveryPersonalName 5331 | ea-physicalDeliveryOrganizationName | 5332 ea-extensionPhysicalDeliveryAddressComponents | 5333 ea-unformattedPostalAddress | ea-streetAddress | 5334 ea-postOfficeBoxAddress | ea-posteRestanteAddress | 5335 ea-uniquePostalName | ea-localPostalAttributes | 5336 ea-extendedNetworkAddress | ea-terminalType | 5337 ea-teletexDomainDefinedAttributes, ... } 5339 -- Extension types and attribute values 5341 ea-commonName EXTENSION-ATTRIBUTE ::= { PrintableString 5342 (SIZE (1..ub-common-name-length)) IDENTIFIED BY 1 } 5344 ea-teletexCommonName EXTENSION-ATTRIBUTE ::= {TeletexString 5345 (SIZE (1..ub-common-name-length)) IDENTIFIED BY 2 } 5347 ea-teletexOrganizationName EXTENSION-ATTRIBUTE::= { TeletexString 5348 (SIZE (1..ub-organization-name-length)) IDENTIFIED BY 3 } 5350 ea-teletexPersonalName EXTENSION-ATTRIBUTE ::= {SET { 5351 surname [0] IMPLICIT TeletexString 5352 (SIZE (1..ub-surname-length)), 5353 given-name [1] IMPLICIT TeletexString 5354 (SIZE (1..ub-given-name-length)) OPTIONAL, 5355 initials [2] IMPLICIT TeletexString 5356 (SIZE (1..ub-initials-length)) OPTIONAL, 5357 generation-qualifier [3] IMPLICIT TeletexString 5358 (SIZE (1..ub-generation-qualifier-length)) 5359 OPTIONAL } IDENTIFIED BY 4 } 5361 ea-teletexOrganizationalUnitNames EXTENSION-ATTRIBUTE ::= 5362 { SEQUENCE SIZE (1..ub-organizational-units) OF 5363 TeletexOrganizationalUnitName IDENTIFIED BY 5 } 5365 TeletexOrganizationalUnitName ::= TeletexString 5366 (SIZE (1..ub-organizational-unit-name-length)) 5368 
ea-pDSName EXTENSION-ATTRIBUTE ::= {PrintableString 5369 (SIZE (1..ub-pds-name-length)) IDENTIFIED BY 7 } 5371 ea-physicalDeliveryCountryName EXTENSION-ATTRIBUTE ::= { CHOICE { 5372 x121-dcc-code NumericString (SIZE 5373 (ub-country-name-numeric-length)), 5374 iso-3166-alpha2-code PrintableString 5375 (SIZE (ub-country-name-alpha-length)) } 5377 IDENTIFIED BY 8 } 5379 ea-postalCode EXTENSION-ATTRIBUTE ::= { CHOICE { 5380 numeric-code NumericString (SIZE (1..ub-postal-code-length)), 5381 printable-code PrintableString (SIZE (1..ub-postal-code-length)) } 5382 IDENTIFIED BY 9 } 5384 ea-physicalDeliveryOfficeName EXTENSION-ATTRIBUTE ::= 5385 { PDSParameter IDENTIFIED BY 10 } 5387 ea-physicalDeliveryOfficeNumber EXTENSION-ATTRIBUTE ::= 5388 {PDSParameter IDENTIFIED BY 11 } 5390 ea-extensionORAddressComponents EXTENSION-ATTRIBUTE ::= 5391 {PDSParameter IDENTIFIED BY 12 } 5393 ea-physicalDeliveryPersonalName EXTENSION-ATTRIBUTE ::= 5394 {PDSParameter IDENTIFIED BY 13} 5396 ea-physicalDeliveryOrganizationName EXTENSION-ATTRIBUTE ::= 5397 {PDSParameter IDENTIFIED BY 14 } 5399 ea-extensionPhysicalDeliveryAddressComponents EXTENSION-ATTRIBUTE ::= 5400 {PDSParameter IDENTIFIED BY 15 } 5402 ea-unformattedPostalAddress EXTENSION-ATTRIBUTE ::= { SET { 5403 printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) 5404 OF PrintableString (SIZE (1..ub-pds-parameter-length)) 5405 OPTIONAL, 5406 teletex-string TeletexString 5407 (SIZE (1..ub-unformatted-address-length)) OPTIONAL } 5408 IDENTIFIED BY 16 } 5410 ea-streetAddress EXTENSION-ATTRIBUTE ::= 5411 {PDSParameter IDENTIFIED BY 17 } 5413 ea-postOfficeBoxAddress EXTENSION-ATTRIBUTE ::= 5414 {PDSParameter IDENTIFIED BY 18 } 5416 ea-posteRestanteAddress EXTENSION-ATTRIBUTE ::= 5417 {PDSParameter IDENTIFIED BY 19 } 5419 ea-uniquePostalName EXTENSION-ATTRIBUTE ::= 5420 { PDSParameter IDENTIFIED BY 20 } 5422 ea-localPostalAttributes EXTENSION-ATTRIBUTE ::= 5423 {PDSParameter IDENTIFIED BY 21 } 5425 PDSParameter ::= SET { 5426 
printable-string PrintableString 5427 (SIZE(1..ub-pds-parameter-length)) OPTIONAL, 5428 teletex-string TeletexString 5429 (SIZE(1..ub-pds-parameter-length)) OPTIONAL } 5431 ea-extendedNetworkAddress EXTENSION-ATTRIBUTE ::= { 5432 CHOICE { 5433 e163-4-address SEQUENCE { 5434 number [0] IMPLICIT NumericString 5435 (SIZE (1..ub-e163-4-number-length)), 5436 sub-address [1] IMPLICIT NumericString 5437 (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL 5438 }, 5439 psap-address [0] IMPLICIT PresentationAddress 5440 } IDENTIFIED BY 22 5441 } 5443 PresentationAddress ::= SEQUENCE { 5444 pSelector [0] EXPLICIT OCTET STRING OPTIONAL, 5445 sSelector [1] EXPLICIT OCTET STRING OPTIONAL, 5446 tSelector [2] EXPLICIT OCTET STRING OPTIONAL, 5447 nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING } 5449 ea-terminalType EXTENSION-ATTRIBUTE ::= {INTEGER { 5450 telex (3), 5451 teletex (4), 5452 g3-facsimile (5), 5453 g4-facsimile (6), 5454 ia5-terminal (7), 5455 videotex (8) } (0..ub-integer-options) 5456 IDENTIFIED BY 23 } 5458 -- Extension Domain-defined Attributes 5460 ea-teletexDomainDefinedAttributes EXTENSION-ATTRIBUTE ::= 5461 { SEQUENCE SIZE (1..ub-domain-defined-attributes) OF 5462 TeletexDomainDefinedAttribute IDENTIFIED BY 6 } 5464 TeletexDomainDefinedAttribute ::= SEQUENCE { 5465 type TeletexString 5466 (SIZE (1..ub-domain-defined-attribute-type-length)), 5467 value TeletexString 5468 (SIZE (1..ub-domain-defined-attribute-value-length)) } 5470 -- specifications of Upper Bounds MUST be regarded as mandatory 5471 -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter 5472 -- Upper Bounds 5473 -- Upper Bounds 5474 ub-match INTEGER ::= 128 5475 ub-common-name-length INTEGER ::= 64 5476 ub-country-name-alpha-length INTEGER ::= 2 5477 ub-country-name-numeric-length INTEGER ::= 3 5478 ub-domain-defined-attributes INTEGER ::= 4 5479 ub-domain-defined-attribute-type-length INTEGER ::= 8 5480 ub-domain-defined-attribute-value-length INTEGER ::= 128 5481 
ub-domain-name-length INTEGER ::= 16 5482 ub-extension-attributes INTEGER ::= 256 5483 ub-e163-4-number-length INTEGER ::= 15 5484 ub-e163-4-sub-address-length INTEGER ::= 40 5485 ub-generation-qualifier-length INTEGER ::= 3 5486 ub-given-name-length INTEGER ::= 16 5487 ub-initials-length INTEGER ::= 5 5488 ub-integer-options INTEGER ::= 256 5489 ub-numeric-user-id-length INTEGER ::= 32 5490 ub-organization-name-length INTEGER ::= 64 5491 ub-organizational-unit-name-length INTEGER ::= 32 5492 ub-organizational-units INTEGER ::= 4 5493 ub-pds-name-length INTEGER ::= 16 5494 ub-pds-parameter-length INTEGER ::= 30 5495 ub-pds-physical-address-lines INTEGER ::= 6 5496 ub-postal-code-length INTEGER ::= 16 5497 ub-surname-length INTEGER ::= 40 5498 ub-terminal-id-length INTEGER ::= 24 5499 ub-unformatted-address-length INTEGER ::= 180 5500 ub-x121-address-length INTEGER ::= 16 5502 -- Note - upper bounds on string types, such as TeletexString, are 5503 -- measured in characters. Excepting PrintableString or IA5String, a 5504 -- significantly greater number of octets will be required to hold 5505 -- such a value. As a minimum, 16 octets, or twice the specified 5506 -- upper bound, whichever is the larger, should be allowed for 5507 -- TeletexString. For UTF8String or UniversalString at least four 5508 -- times the upper bound should be allowed. 5510 END 5512 15. IANA Considerations 5514 There are no IANA actions needed for this document. 5516 16. Security Considerations 5518 Even though all the RFCs in this document are security-related, the 5519 document itself does not have any security considerations. The ASN.1 5520 modules keep the same bits-on-the-wire as the modules that they 5521 replace. 5523 17. Normative References 5525 [ASN1-2002] 5526 ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and 5527 X.683", ITU-T X.680, X.681, X.682, and X.683, 2002. 5529 [NEW-CMS-SMIME] 5530 Hoffman, P. and J. 
Schaad, "New ASN.1 Modules for CMS and 5531 S/MIME", draft-ietf-smime-new-asn1 (work in progress), 5532 December 2007. 5534 [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. 5535 Adams, "X.509 Internet Public Key Infrastructure Online 5536 Certificate Status Protocol - OCSP", RFC 2560, June 1999. 5538 [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification 5539 Request Syntax Specification Version 1.7", RFC 2986, 5540 November 2000. 5542 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and 5543 Identifiers for the Internet X.509 Public Key 5544 Infrastructure Certificate and Certificate Revocation List 5545 (CRL) Profile", RFC 3279, April 2002. 5547 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", 5548 RFC 3852, July 2004. 5550 [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional 5551 Algorithms and Identifiers for RSA Cryptography for use in 5552 the Internet X.509 Public Key Infrastructure Certificate 5553 and Certificate Revocation List (CRL) Profile", RFC 4055, 5554 June 2005. 5556 [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, 5557 "Internet X.509 Public Key Infrastructure Certificate 5558 Management Protocol (CMP)", RFC 4210, September 2005. 5560 [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure 5561 Certificate Request Message Format (CRMF)", RFC 4211, 5562 September 2005. 5564 [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W. 5565 Polk, "Server-Based Certificate Validation Protocol 5566 (SCVP)", RFC 5055, December 2007. 5568 [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS 5569 (CMC)", RFC 5272, June 2008. 5571 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 5572 Housley, R., and W. Polk, "Internet X.509 Public Key 5573 Infrastructure Certificate and Certificate Revocation List 5574 (CRL) Profile", RFC 5280, May 2008. 5576 [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. 
Polk, 5577 "Elliptic Curve Cryptography Subject Public Key 5578 Information", RFC 5480, March 2009. 5580 [RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet 5581 Attribute Certificate Profile for Authorization", 5582 RFC 5755, January 2010. 5584 Appendix A. Change History 5586 [[ This entire section is to be removed upon publication. ]] 5588 A.1. Changes between draft-hoffman-pkix-new-asn1-00 and 5589 draft-ietf-pkix-new-asn1-00 5591 Changed the draft name. 5593 Added the PKIX common definitions module. 5595 Added RFC 4055. 5597 Made RFC-to-be 5055 into RFC 5055. 5599 In RFC 2560, there was an error. Changed from "id-pkix-ocsp OBJECT 5600 IDENTIFIER ::= { id-ad-ocsp }" to "id-pkix-ocsp OBJECT IDENTIFIER ::= 5601 id-ad-ocsp". 5603 In RFC 3280, made the DirectoryString definition match the order and 5604 spelling of that of X.520. 5606 In the imports of the RFC 3280 implicit module, the DirectoryString 5607 type is now SIGNED{} because it is a parameterized type. 5609 In the imports of the RFC 3281 module, the SIGNED type is now 5610 SIGNED{} because it is a parameterized type. 5612 Combined the two modules for RFC 3280 (explicit and implicit) into 5613 one section. 5615 A.2. Changes between draft-ietf-pkix-new-asn1-00 and -01 5617 Added module for algorithm classes and modified RFC 3279 ASN.1 to use 5618 the classes defined. 5620 A.3. Changes between draft-ietf-pkix-new-asn1-01 and -02 5622 Added design notes. 5624 Removed issue on "Algorithm Structure" and "More Modules To Be 5625 Added". 5627 Updated all modules to use objects more deeply. 5629 Removed RFC 3280 and added RFC 5280. 5631 Added RFC 5272 (CMC). 5633 A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03 5635 Many cosmetic-only changes to the modules. 5637 Changed some multi-word keywords to hyphenated (such as "SMIME CAPS" 5638 to "SMIME-CAPS"). 5640 In section 6, added "Note that this module also contains information 5641 from RFC-to-be 5480." 
Will add a real reference in future version of
5642 this draft.

5644 In section 6, added the labels for the id-keyExchangeAlgorithm OID.

5646 Updated the reference of X.680 to X.680, X.681, X.682, and X.683.

5648 A.5. Changes between draft-ietf-pkix-new-asn1-03 and -04

5650 Changed the status of the document.

5652 In PKIX-CommonTypes, replaced "ExtensionSet" with "Extensions". This
5653 affected many other modules that use PKIX-CommonTypes.

5655 In RFC 5055, changed swb-pkc-cert from "{INTEGER IDENTIFIED BY id-
5656 swb-pkc-cert }" to "{ Certificate IDENTIFIED BY id-swb-pkc-cert }",
5657 and changed swb-ac-cert from "{INTEGER IDENTIFIED BY id-swb-ac-cert
5658 }" to "{ AttributeCertificate IDENTIFIED BY id-swb-ac-cert }".

5660 A.6. Changes between draft-ietf-pkix-new-asn1-04 and -05

5662 Removed the "Issues" section from section 1, which should have been
5663 done in the last draft.

5665 A.7. Changes between draft-ietf-pkix-new-asn1-05 and -06

5667 Minor nits to keep the nits checker happy.

5669 A.8. Changes between draft-ietf-pkix-new-asn1-06 and -07

5671 In the AlgorithmInformation module, there was an error in a
5672 commented-out example. Changed "-- HASHES {sha1 | md5, ... }" to "--
5673 HASHES { mda-sha1 | mda-md5, ... }".

5675 In the module for RFC 3279, changed from:

5677 ECParameters ::= CHOICE {
5678     namedCurve CURVE.&id({NamedCurve}),
5679     implicitCurve NULL
5680     -- specifiedCurve SpecifiedCurve
5681     -- specifiedCurve MUST NOT be used in PKIX
5682     -- Details for specifiedCurve can be found in [X9.62]
5683     -- Any future additions to this CHOICE should be coordinated
5684     -- with ANSI X.9.
5685 }

5687 to:

5689 ECParameters ::= CHOICE {
5690     namedCurve CURVE.&id({NamedCurve}) --,
5691     -- implicitCurve NULL
5692     -- implicitCurve MUST NOT be used in PKIX
5693     -- specifiedCurve SpecifiedCurve
5694     -- specifiedCurve MUST NOT be used in PKIX
5695     -- Details for specifiedCurve can be found in [X9.62]
5696     -- Any future additions to this CHOICE should be coordinated
5697     -- with ANSI X.9.
5698 }
5699 -- If you need to be able to decode ANSI X.9 parameter structures, then
5700 -- uncomment the implicitCurve and specificCurve above, and also
5701 -- uncomment the follow:
5702 --(WITH COMPONENTS {namedCurve PRESENT})

5704 Changed "memberBody" to "member-body" in the modules for RFCs 4210
5705 and 4211.

5707 A.9. Changes between draft-ietf-pkix-new-asn1-06 and -07

5709 Throughout, changed all instances of RFC 3281 to RFC 5755.

5711 Throughout, fixed spelling errors in module comments and parameter
5712 names.

5714 In section 1, added "Also note that the ASN.1 modules in this
5715 document have references in their text comments that need to be
5716 looked up in original RFCs, and that some of those references may
5717 have already been superseded by later RFCs."

5719 In RFC 5272, fixed the OID for EnrollmentMessageSyntax.

5721 In section 6, changed "RFC-to-be 5480" to "RFC 5480" and added a
5722 reference for it.

5724 Authors' Addresses

5726 Paul Hoffman
5727 VPN Consortium
5728 127 Segre Place
5729 Santa Cruz, CA 95060
5730 US

5732 Phone: 1-831-426-9827
5733 Email: paul.hoffman@vpnc.org

5735 Jim Schaad
5736 Soaring Hawk Consulting

5738 Email: jimsch@exmsft.com