idnits 2.17.1

draft-ietf-pkix-new-asn1-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     (You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Feb 2009 rather than one of the newer Notices. See
     https://trustee.ietf.org/license-info/.)

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document. If these are example addresses, they should be changed.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 217: '... &Type OPTIONAL,...'
     RFC 2119 keyword, line 218: '...equality-match MATCHING-RULE OPTIONAL,...'
     RFC 2119 keyword, line 220: '... &maxCount INTEGER OPTIONAL...'
     RFC 2119 keyword, line 232: '...atchingRules MATCHING-RULE OPTIONAL,...'
     RFC 2119 keyword, line 233: '... &AssertionType OPTIONAL,...'
     (280 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document seems to contain a disclaimer for pre-RFC5378 work, and may
     have content which was first submitted before 10 November 2008. The
     disclaimer is necessary when there are original authors that you have
     been unable to contact, or if some do not wish to grant the BCP78 rights
     to the IETF Trust. If you are able to get all authors (current and
     original) to grant those rights, you can and should remove the
     disclaimer; otherwise, the disclaimer is needed and you can ignore this
     comment. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (August 13, 2009) is 5368 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '0' on line 5400
  -- Looks like a reference, but probably isn't: '1' on line 5401
  -- Looks like a reference, but probably isn't: '2' on line 5402
  == Missing Reference: 'PKI-ASN' is mentioned on line 1074, but not defined
  == Missing Reference: 'PKIX-OAEP' is mentioned on line 1082, but not defined
  == Missing Reference: 'PKI-ALG' is mentioned on line 1318, but not defined
  == Missing Reference: 'FIPS186-3' is mentioned on line 1322, but not defined
  -- Looks like a reference, but probably isn't: '3' on line 5403
  == Missing Reference: 'PKCS10' is mentioned on line 2357, but not defined
  -- Looks like a reference, but probably isn't: '4' on line 5197
  -- Looks like a reference, but probably isn't: '5' on line 5199
  -- Looks like a reference, but probably isn't: '6' on line 5201
  -- Looks like a reference, but probably isn't: '7' on line 4909
  -- Looks like a reference, but probably isn't: '8' on line 4910
  == Missing Reference: 'RFC3629' is mentioned on line 2347, but not defined
  == Missing Reference: 'RFC3066' is mentioned on line 2348, but not defined
  ** Obsolete undefined reference: RFC 3066 (Obsoleted by RFC 4646, RFC 4647)
  == Missing Reference: 'RFC2482' is mentioned on line 2350, but not defined
  ** Obsolete undefined reference: RFC 2482 (Obsoleted by RFC 6082)
  -- Looks like a reference, but probably isn't: '9' on line 2824
  -- Looks like a reference, but probably isn't: '10' on line 2363
  -- Looks like a reference, but probably isn't: '11' on line 2364
  -- Looks like a reference, but probably isn't: '12' on line 2365
  -- Looks like a reference, but probably isn't: '13' on line 2366
  -- Looks like a reference, but probably isn't: '14' on line 2367
  -- Looks like a reference, but probably isn't: '15' on line 2368
  -- Looks like a reference, but probably isn't: '16' on line 2369
  -- Looks like a reference, but probably isn't: '17' on line 2370
  -- Looks like a reference, but probably isn't: '18' on line 2371
  -- Looks like a reference, but probably isn't: '19' on line 2372
  -- Looks like a reference, but probably isn't: '20' on line 2373
  -- Looks like a reference, but probably isn't: '21' on line 2374
  -- Looks like a reference, but probably isn't: '22' on line 2375
  -- Looks like a reference, but probably isn't: '23' on line 2376
  -- Looks like a reference, but probably isn't: '24' on line 2377
  -- Looks like a reference, but probably isn't: '25' on line 2378
  -- Looks like a reference, but probably isn't: '26' on line 2379
  == Missing Reference: 'PKCS11' is mentioned on line 3076, but not defined
  == Missing Reference: 'RFC2104' is mentioned on line 2414, but not defined
  == Missing Reference: 'RFC2202' is mentioned on line 2414, but not defined
  == Missing Reference: 'APPLICATION 1' is mentioned on line 5205, but not defined
  == Missing Reference: 'APPLICATION 2' is mentioned on line 5211, but not defined
  ** Obsolete normative reference: RFC 2560 (Obsoleted by RFC 6960)
  ** Obsolete normative reference: RFC 3281 (Obsoleted by RFC 5755)
  ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652)

     Summary: 7 errors (**), 0 flaws (~~), 15 warnings (==), 29 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

2    Network Working Group                                         P. Hoffman
3    Internet-Draft                                            VPN Consortium
4    Intended status: Informational                                 J. Schaad
5    Expires: February 14, 2010                       Soaring Hawk Consulting
6                                                             August 13, 2009

8                           New ASN.1 Modules for PKIX
9                        draft-ietf-pkix-new-asn1-07.txt

11   Status of this Memo

13      This Internet-Draft is submitted to IETF in full conformance with the
14      provisions of BCP 78 and BCP 79. This document may contain material
15      from IETF Documents or IETF Contributions published or made publicly
16      available before November 10, 2008. The person(s) controlling the
17      copyright in some of this material may not have granted the IETF
18      Trust the right to allow modifications of such material outside the
19      IETF Standards Process. Without obtaining an adequate license from
20      the person(s) controlling the copyright in such materials, this
21      document may not be modified outside the IETF Standards Process, and
22      derivative works of it may not be created outside the IETF Standards
23      Process, except to format it for publication as an RFC or to
24      translate it into languages other than English.

26      Internet-Drafts are working documents of the Internet Engineering
27      Task Force (IETF), its areas, and its working groups. Note that
28      other groups may also distribute working documents as Internet-
29      Drafts.

31      Internet-Drafts are draft documents valid for a maximum of six months
32      and may be updated, replaced, or obsoleted by other documents at any
33      time. It is inappropriate to use Internet-Drafts as reference
34      material or to cite them other than as "work in progress."

36      The list of current Internet-Drafts can be accessed at
37      http://www.ietf.org/ietf/1id-abstracts.txt.

39      The list of Internet-Draft Shadow Directories can be accessed at
40      http://www.ietf.org/shadow.html.

42      This Internet-Draft will expire on February 14, 2010.

44   Copyright Notice

46      Copyright (c) 2009 IETF Trust and the persons identified as the
47      document authors. All rights reserved.

49      This document is subject to BCP 78 and the IETF Trust's Legal
50      Provisions Relating to IETF Documents in effect on the date of
51      publication of this document (http://trustee.ietf.org/license-info).
52      Please review these documents carefully, as they describe your rights
53      and restrictions with respect to this document.

55   Abstract

57      The PKIX certificate format, and many associated formats, are
58      expressed using ASN.1. The current ASN.1 modules conform to the 1988
59      version of ASN.1. This document updates those ASN.1 modules to
60      conform to the 2002 version of ASN.1. There are no bits-on-the-wire
61      changes to any of the formats; this is simply a change to the syntax.

63   Table of Contents

65      1. Introduction
66        1.1. Design Notes
67      2. ASN.1 Module PKIX-CommonTypes
68      3. ASN.1 Module AlgorithmInformation
69      4. ASN.1 Module for RFC 2560
70      5. ASN.1 Module for RFC 2986
71      6. ASN.1 Module for RFC 3279
72      7. ASN.1 Module for RFC 3281
73      8. ASN.1 Module for RFC 3852 (Attribute Certificate v1)
74      9. ASN.1 Module for RFC 4055
75      10. ASN.1 Module for RFC 4210
76      11. ASN.1 Module for RFC 4211
77      12. ASN.1 Module for RFC 5055
78      13. ASN.1 Module for RFC 5272
79      14. ASN.1 Module for RFC 5280, Explicit and Implicit
80      15. IANA Considerations
81      16. Security Considerations
82      17. Normative References
83      Appendix A. Change History
84        A.1. Changes between draft-hoffman-pkix-new-asn1-00 and
85             draft-ietf-pkix-new-asn1-00
86        A.2. Changes between draft-ietf-pkix-new-asn1-00 and -01
87        A.3. Changes between draft-ietf-pkix-new-asn1-01 and -02
88        A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03
89        A.5. Changes between draft-ietf-pkix-new-asn1-03 and -04
90        A.6. Changes between draft-ietf-pkix-new-asn1-04 and -05
91        A.7. Changes between draft-ietf-pkix-new-asn1-05 and -06
92        A.8. Changes between draft-ietf-pkix-new-asn1-06 and -07
93      Authors' Addresses

95   1. Introduction

97      Some developers would like the IETF to use the latest version of
98      ASN.1 in its standards. Most of the RFCs that relate to security
99      protocols still use ASN.1 from the 1988 standard, which has been
100     deprecated. This is particularly true for the standards that relate
101     to PKIX, CMS, and S/MIME.

103     This document updates the following RFCs to use ASN.1 modules that
104     conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all
105     the modules are updated; some are included to simply make the set
106     complete.

108     o RFC 2560, PKIX Online Certificate Status Protocol (OCSP) [RFC2560]

110     o RFC 2986, PKCS #10 certificate request [RFC2986]

112     o RFC 3279, PKIX algorithms and identifier [RFC3279]

114     o RFC 3281, PKIX attribute certificates, version 2 [RFC3281]

116     o RFC 3852, contains PKIX attribute certificates, version 1
117       [RFC3852]

119     o RFC 4055, Additional Algorithms and Identifiers for RSA
120       Cryptography [RFC4055]

122     o RFC 4210, PKIX CMP (Certificate Management Protocol) [RFC4210]

124     o RFC 4211, PKIX CRMF (Certificate Request Message Format) [RFC4211]

126     o RFC 5055, PKIX SCVP (Server-based Certificate Validation Protocol)
127       [RFC5055]

129     o RFC 5272, Certificate Management over CMS (CMC) [RFC5272]

131     o RFC 5280, PKIX certificate and CRL profile [RFC5280] (both the
132       implicit and explicit modules)

134     Note that some of the modules in this document get some of their
135     definitions from places different than the modules in the original
136     RFCs. The idea is that these modules, when combined with the modules
137     in [NEW-CMS-SMIME], can stand on their own and do not need to import
138     definitions from anywhere else.

140     The document also includes a module of common definitions called
141     "PKIX-CommonTypes". These definitions are used here and in
142     [NEW-CMS-SMIME].

144     The document also includes a module of common definitions called
145     "AlgorithmInformation". These definitions are used here and in
146     [NEW-CMS-SMIME].

148  1.1. Design Notes

150     The modules in this document use the object model available in the
151     2002 ASN.1 documents to a great extent. Objects for each of the
152     different algorithm types are defined. Also, all of the places where
153     the 1988 ASN.1 syntax had ANY holes to allow for variable syntax
154     now have objects.

156     Much like the way that the PKIX and S/MIME working groups use the
157     prefix of id- for object identifiers, this document has also adopted
158     a set of two, three, and four letter prefixes to allow for quick
159     identification of the type of an object based on its name. This
160     allows, for example, the same back half of the name to be used for
161     the different objects. Thus, "id-sha1" is the object identifier,
162     while "mda-sha1" is the message digest object for "sha1".

164     One or more object sets for the different types of algorithms are
165     defined. A single consistent name for each of the different
166     algorithm types is used. For example, an object set named PublicKeys
167     might contain the public keys defined in that module. If no public
168     keys are defined, then the object set is not created. When
169     referencing these object sets when imported, one needs to be able to
170     disambiguate between the different modules. This is done by using
171     both the module name (as specified in the IMPORT statement) and the
172     object set name. For example, in the module for RFC 5280:

174     PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
175     PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }

177     PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
178         PKIX1-PSS-OAEP-Algorithms.PublicKeys }

180  2. ASN.1 Module PKIX-CommonTypes

182     This section contains a module that is imported by many other modules
183     in this document and in [NEW-CMS-SMIME]. This module does not come
184     from any existing RFC.

186    PKIX-CommonTypes-2009
187        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
188        mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

190    DEFINITIONS EXPLICIT TAGS ::=
191    BEGIN

193    -- ATTRIBUTE
194    --
195    -- Describe the set of data associated with an attribute of some type
196    --
197    -- &id is an OID identifying the attribute
198    -- &Type is the ASN.1 type structure for the attribute; not all
199    --     attributes have a data structure, so this field is optional
200    -- &minCount contains the minimum number of times the attribute can
201    --     occur in an AttributeSet
202    -- &maxCount contains the maximum number of times the attribute can
203    --     appear in an AttributeSet
204    --     Note: this cannot be automatically enforced as the field
205    --     cannot be defaulted to MAX.
206    -- &equality-match contains information about how matching should be
207    --     done
208    --
209    -- Currently we are using two different prefixes for attributes.
210    --
211    -- at- for certificate attributes
212    -- aa- for CMS attributes
213    --

215    ATTRIBUTE ::= CLASS {
216        &id             OBJECT IDENTIFIER UNIQUE,
217        &Type           OPTIONAL,
218        &equality-match MATCHING-RULE OPTIONAL,
219        &minCount       INTEGER DEFAULT 1,
220        &maxCount       INTEGER OPTIONAL
221    } WITH SYNTAX {
222        [TYPE &Type]
223        [EQUALITY MATCHING RULE &equality-match]
224        [COUNTS [MIN &minCount] [MAX &maxCount]]
225        IDENTIFIED BY &id
226    }

228    -- Specification of MATCHING-RULE information object class
229    --

231    MATCHING-RULE ::= CLASS {
232        &ParentMatchingRules   MATCHING-RULE OPTIONAL,
233        &AssertionType         OPTIONAL,
234        &uniqueMatchIndicator  ATTRIBUTE OPTIONAL,
235        &id                    OBJECT IDENTIFIER UNIQUE
236    }
237    WITH SYNTAX {
238        [PARENT &ParentMatchingRules]

240        [SYNTAX &AssertionType]
241        [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator]
242        ID &id
243    }

245    -- AttributeSet
246    --
247    -- Used when a set of attributes is to occur.
248    --
249    -- type contains the identifier of the attribute
250    -- values contains a set of values where the structure of the ASN.1
251    --     is defined by the attribute
252    --
253    -- The parameter contains the set of objects describing
254    --     those attributes that can occur in this location.
255    --

257    AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE {
258        type      ATTRIBUTE.&id({AttrSet}),
259        values    SET SIZE (1..MAX) OF ATTRIBUTE.
260                      &Type({AttrSet}{@type})
261    }

263    -- SingleAttribute
264    --
265    -- Used for a single valued attribute
266    --
267    -- The parameter contains the set of objects describing the
268    --     attributes that can occur in this location
269    --

271    SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE {
272        type      ATTRIBUTE.&id({AttrSet}),
273        value     ATTRIBUTE.&Type({AttrSet}{@type})
274    }

276    -- EXTENSION
277    --
278    -- This class definition is used to describe the association of
279    --     object identifier and ASN.1 type structure for extensions
280    --
281    -- All extensions are prefixed with ext-
282    --
283    -- &id contains the object identifier for the extension
284    -- &ExtnType specifies the ASN.1 type structure for the extension
285    -- &Critical contains the set of legal values for the critical field.

287    --     This is normally {TRUE|FALSE} but in some instances may be
288    --     restricted to just one of these values.
289    --

291    EXTENSION ::= CLASS {
292        &id  OBJECT IDENTIFIER UNIQUE,
293        &ExtnType,
294        &Critical    BOOLEAN DEFAULT {TRUE | FALSE }
295    } WITH SYNTAX {
296        SYNTAX &ExtnType IDENTIFIED BY &id
297        [CRITICALITY &Critical]
298    }

300    -- Extensions
301    --
302    -- Used for a sequence of extensions.
303    --
304    -- The parameter contains the set of legal extensions that can
305    --     occur in this sequence.
306    --

308    Extensions{EXTENSION:ExtensionSet} ::=
309        SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}}

311    -- Extension
312    --
313    -- Used for a single extension
314    --
315    -- The parameter contains the set of legal extensions that can
316    --     occur in this extension.
317    --
318    -- The restriction on the critical field has been commented out;
319    -- the authors are not completely sure it is correct.
320    -- The restriction could be done using custom code rather than
321    -- compiler-generated code, however.
322    --

324    Extension{EXTENSION:ExtensionSet} ::= SEQUENCE {
325        extnID      EXTENSION.&id({ExtensionSet}),
326        critical    BOOLEAN
327        --                     (EXTENSION.&Critical({ExtensionSet}{@extnID}))
328                         DEFAULT FALSE,
329        extnValue   OCTET STRING (CONTAINING
330                    EXTENSION.&ExtnType({ExtensionSet}{@extnID}))
331                    --  contains the DER encoding of the ASN.1 value
332                    --  corresponding to the extension type identified
333                    --  by extnID
334    }
335    -- Security Category
336    --
337    -- Security categories are used both for specifying clearances and for
338    -- labeling objects. We move this here from RFC 3281 so that they
339    -- will use a common single object class to express this information.
340    --

342    SECURITY-CATEGORY ::= TYPE-IDENTIFIER

344    SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
345        type      [0] IMPLICIT SECURITY-CATEGORY.
346                &id({Supported}),
347        value     [1] EXPLICIT SECURITY-CATEGORY.
348                &Type({Supported}{@type})
349    }

351    END

353  3. ASN.1 Module AlgorithmInformation

355     This section contains a module that is imported by many other modules
356     in this document. Note that this module is also given in
357     [NEW-CMS-SMIME]. This module does not come from any existing RFC.

359    AlgorithmInformation-2009
360        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
361        mechanisms(5) pkix(7) id-mod(0)
362        id-mod-algorithmInformation-02(58)}

364    DEFINITIONS EXPLICIT TAGS ::=
365    BEGIN
366    EXPORTS ALL;
367    IMPORTS

369    KeyUsage
370    FROM PKIX1Implicit-2009
371        {iso(1) identified-organization(3) dod(6) internet(1)
372        security(5) mechanisms(5) pkix(7) id-mod(0)
373        id-mod-pkix1-implicit-02(59)} ;

375    -- Suggested prefixes for algorithm objects are:
376    --
377    -- mda-   Message Digest Algorithms
378    -- sa-    Signature Algorithms
379    -- kta-   Key Transport Algorithms (Asymmetric)
380    -- kaa-   Key Agreement Algorithms (Asymmetric)
381    -- kwa-   Key Wrap Algorithms (Symmetric)
382    -- kda-   Key Derivation Algorithms
383    -- maca-  Message Authentication Code Algorithms
384    -- pk-    Public Key
385    -- cea-   Content (symmetric) Encryption Algorithm
386    -- cap-   S/MIME Capabilities

388    ParamOptions ::= ENUMERATED {
389        required,         -- Parameters MUST be encoded in structure
390        preferredPresent, -- Parameters SHOULD be encoded in structure
391        preferredAbsent,  -- Parameters SHOULD NOT be encoded in structure
392        absent,           -- Parameters MUST NOT be encoded in structure
393        inheritable,      -- Parameters are inherited if not present
394        optional,         -- Parameters MAY be encoded in the structure
395        ...
396    }

398    -- DIGEST-ALGORITHM
399    --
400    -- Describes the basic information for ASN.1 and a digest
401    --     algorithm.
402    --
403    -- &id - contains the OID identifying the digest algorithm
404    -- &Params - contains the type for the algorithm parameters,
405    --     if present; absent implies no parameters
406    -- &paramPresence - parameter presence requirement
407    --
408    -- Additional information such as the length of the hash could also
409    --     be encoded.
410    --
411    -- Example:
412    -- sha1 DIGEST-ALGORITHM ::= {
413    --     IDENTIFIER id-sha1
414    --     PARAMS TYPE NULL ARE preferredAbsent
415    -- }

417    DIGEST-ALGORITHM ::= CLASS {
418        &id                OBJECT IDENTIFIER UNIQUE,
419        &Params            OPTIONAL,
420        &paramPresence     ParamOptions DEFAULT absent
421    } WITH SYNTAX {
422        IDENTIFIER &id
423        [PARAMS [TYPE &Params] [ARE &paramPresence] ]
424    }

426    -- SIGNATURE-ALGORITHM
427    --
428    -- Describes the basic properties of a signature algorithm
429    --
430    -- &id - contains the OID identifying the signature algorithm
431    -- &Value - contains a type definition for the value structure of
432    --     the signature
433    -- &Params - contains the type for the algorithm parameters,
434    --     if present; absent implies no parameters
435    -- &paramPresence - parameter presence requirement
436    -- &HashSet - The set of hash algorithms used with this
437    --     signature algorithm
438    -- &PublicKeySet - the set of public key algorithms for this
439    --     signature algorithm
440    -- &smimeCaps - contains the object describing how the S/MIME
441    --     capabilities are presented.
442    --
443    -- Example:
444    -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
445    --     IDENTIFIER id-RSASSA-PSS
446    --     PARAMS TYPE RSASSA-PSS-params ARE required
447    --     HASHES { mda-sha1 | mda-md5, ... }
448    --     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
449    -- }

451    SIGNATURE-ALGORITHM ::= CLASS {
452        &id             OBJECT IDENTIFIER UNIQUE,
453        &Value          OPTIONAL,
454        &Params         OPTIONAL,
455        &paramPresence  ParamOptions DEFAULT absent,
456        &HashSet        DIGEST-ALGORITHM OPTIONAL,
457        &PublicKeySet   PUBLIC-KEY OPTIONAL,
458        &smimeCaps      SMIME-CAPS OPTIONAL
459    } WITH SYNTAX {
460        IDENTIFIER &id
461        [VALUE &Value]
462        [PARAMS [TYPE &Params] ARE &paramPresence ]
463        [HASHES &HashSet]
464        [PUBLIC-KEYS &PublicKeySet]
465        [SMIME-CAPS &smimeCaps]
466    }

468    -- PUBLIC-KEY
469    --
470    -- Describes the basic properties of a public key
471    --
472    -- &id - contains the OID identifying the public key
473    -- &KeyValue - contains the type for the key value
474    -- &Params - contains the type for the algorithm parameters,
475    --     if present; absent implies no parameters
476    -- &paramPresence - parameter presence requirement
477    -- &keyUsage - contains the set of bits that are legal for this
478    --     key type. Note that it does not make any statement
479    --     about how bits may be paired.
480    -- &PrivateKey - contains a type structure for encoding the private
481    --     key information.
482    --
483    -- Example:
484    -- pk-rsa-pss PUBLIC-KEY ::= {
485    --     IDENTIFIER id-RSASSA-PSS
486    --     KEY RSAPublicKey
487    --     PARAMS TYPE RSASSA-PSS-params ARE optional
488    --     CERT-KEY-USAGE { .... }
489    -- }

491    PUBLIC-KEY ::= CLASS {
492        &id             OBJECT IDENTIFIER UNIQUE,
493        &KeyValue       OPTIONAL,
494        &Params         OPTIONAL,
495        &paramPresence  ParamOptions DEFAULT absent,
496        &keyUsage       KeyUsage OPTIONAL,
497        &PrivateKey     OPTIONAL
498    } WITH SYNTAX {
499        IDENTIFIER &id
500        [KEY &KeyValue]
501        [PARAMS [TYPE &Params] ARE &paramPresence]
502        [CERT-KEY-USAGE &keyUsage]
503        [PRIVATE-KEY &PrivateKey]
504    }

506    -- KEY-TRANSPORT
507    --
508    -- Describes the basic properties of a key transport algorithm
509    --
510    -- &id - contains the OID identifying the key transport algorithm
511    -- &Params - contains the type for the algorithm parameters,
512    --     if present; absent implies no parameters
513    -- &paramPresence - parameter presence requirement
514    -- &PublicKeySet - specify which public keys are used with
515    --     this algorithm
516    -- &smimeCaps - contains the object describing how the S/MIME
517    --     capabilities are presented.
518    --
519    -- Example:
520    -- rsaTransport KEY-TRANSPORT ::= {
521    --     IDENTIFIER &id
522    --     PARAMS TYPE NULL ARE required
523    --     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
524    -- }

526    KEY-TRANSPORT ::= CLASS {
527        &id             OBJECT IDENTIFIER UNIQUE,
528        &Params         OPTIONAL,
529        &paramPresence  ParamOptions DEFAULT absent,
530        &PublicKeySet   PUBLIC-KEY OPTIONAL,
531        &smimeCaps      SMIME-CAPS OPTIONAL
532    } WITH SYNTAX {
533        IDENTIFIER &id
534        [PARAMS [TYPE &Params] ARE &paramPresence]
535        [PUBLIC-KEYS &PublicKeySet]
536        [SMIME-CAPS &smimeCaps]
537    }

539    -- KEY-AGREE
540    --
541    -- Describes the basic properties of a key agreement algorithm
542    --
543    -- &id - contains the OID identifying the key agreement algorithm
544    -- &Params - contains the type for the algorithm parameters,
545    --     if present; absent implies no parameters
546    -- &paramPresence - parameter presence requirement
547    -- &PublicKeySet - specify which public keys are used with
548    --     this algorithm
549    -- &Ukm - type of user keying material used
550    -- &ukmPresence - specifies the requirements to define the UKM field
551    -- &smimeCaps - contains the object describing how the S/MIME
552    --     capabilities are presented.
553    --
554    -- Example:
555    -- dh-static-ephemerial KEY-AGREE ::= {
556    --     IDENTIFIER id-alg-ESDH
557    --     PARAMS TYPE KeyWrapAlgorithm ARE required
558    --     - - user key material is not ASN.1-encoded.
559    --     PUBLIC-KEYS {
560    --         {IDENTIFIER dh-public-number KEY DHPublicKey
561    --             PARAMS TYPE DHDomainParameters ARE inheritable }
562    --     }
563    --     - - UKM should be present but is not separately ASN.1-encoded
564    --     UKM ARE preferredPresent
565    -- }

567    KEY-AGREE ::= CLASS {
568        &id             OBJECT IDENTIFIER UNIQUE,
569        &Params         OPTIONAL,
570        &paramPresence  ParamOptions DEFAULT absent,
571        &PublicKeySet   PUBLIC-KEY OPTIONAL,
572        &Ukm            OPTIONAL,
573        &ukmPresence    ParamOptions DEFAULT absent,
574        &smimeCaps      SMIME-CAPS OPTIONAL
575    } WITH SYNTAX {
576        IDENTIFIER &id
577        [PARAMS [TYPE &Params] ARE &paramPresence]
578        [PUBLIC-KEYS &PublicKeySet]
579        [UKM [TYPE &Ukm] ARE &ukmPresence]
580        [SMIME-CAPS &smimeCaps]
581    }

583    -- KEY-WRAP
584    --
585    -- Describes the basic properties of a key wrap algorithm
586    --
587    -- &id - contains the OID identifying the key wrap algorithm
588    -- &Params - contains the type for the algorithm parameters,
589    --     if present; absent implies no parameters
590    -- &paramPresence - parameter presence requirement
591    -- &smimeCaps - contains the object describing how the S/MIME
592    --     capabilities are presented.
593    --
594    -- Example:
595    -- cms3DESwrap KEY-WRAP ::= {
596    --     IDENTIFIER id-alg-CMS3DESwrap
597    --     PARAMS TYPE NULL ARE required
598    -- }

600    KEY-WRAP ::= CLASS {
601        &id             OBJECT IDENTIFIER UNIQUE,
602        &Params         OPTIONAL,
603        &paramPresence  ParamOptions DEFAULT absent,
604        &smimeCaps      SMIME-CAPS OPTIONAL
605    } WITH SYNTAX {
606        IDENTIFIER &id
607        [PARAMS [TYPE &Params] ARE &paramPresence]
608        [SMIME-CAPS &smimeCaps]
609    }

611    -- KEY-DERIVATION
612    --
613    -- Describes the basic properties of a key derivation algorithm
614    --
615    -- &id - contains the OID identifying the key derivation algorithm
616    -- &Params - contains the type for the algorithm parameters,
617    --     if present; absent implies no parameters
618    -- &paramPresence - parameter presence requirement
619    -- &smimeCaps - contains the object describing how the S/MIME
620    --     capabilities are presented.
621    --
622    -- Could add information about defaults for the derivation algorithm
623    --     such as PRFs
624    --
625    -- Example:
626    -- pbkdf2 KEY-DERIVATION ::= {
627    --     IDENTIFIER id-PBKDF2
628    --     PARAMS TYPE PBKDF2-params ARE required
629    -- }

631    KEY-DERIVATION ::= CLASS {
632        &id             OBJECT IDENTIFIER UNIQUE,
633        &Params         OPTIONAL,
634        &paramPresence  ParamOptions DEFAULT absent,
635        &smimeCaps      SMIME-CAPS OPTIONAL
636    } WITH SYNTAX {
637        IDENTIFIER &id
638        [PARAMS [TYPE &Params] ARE &paramPresence]
639        [SMIME-CAPS &smimeCaps]
640    }

642    -- MAC-ALGORITHM
643    --
644    -- Describes the basic properties of a MAC algorithm
645    --
646    -- &id - contains the OID identifying the MAC algorithm
647    -- &Params - contains the type for the algorithm parameters,
648    --     if present; absent implies no parameters
649    -- &paramPresence - parameter presence requirement
650    -- &keyed - MAC algorithm is a keyed MAC algorithm
651    -- &smimeCaps - contains the object describing how the S/MIME
652    --     capabilities are presented.
653    --
654    -- It would make sense to also add minimum and maximum MAC lengths
655    --
656    -- Example:
657    -- maca-hmac-sha1 MAC-ALGORITHM ::= {
658    --     IDENTIFIER hMAC-SHA1
659    --     PARAMS TYPE NULL ARE preferredAbsent
660    --     IS-KEYED-MAC TRUE
661    --     SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
662    -- }

664    MAC-ALGORITHM ::= CLASS {
665        &id             OBJECT IDENTIFIER UNIQUE,
666        &Params         OPTIONAL,
667        &paramPresence  ParamOptions DEFAULT absent,
668        &keyed          BOOLEAN,
669        &smimeCaps      SMIME-CAPS OPTIONAL
670    } WITH SYNTAX {
671        IDENTIFIER &id
672        [PARAMS [TYPE &Params] [ARE &paramPresence]]
673        IS-KEYED-MAC &keyed
674        [SMIME-CAPS &smimeCaps]
675    }

677    -- CONTENT-ENCRYPTION
678    --
679    -- Describes the basic properties of a content encryption
680    --     algorithm
681    --
682    -- &id - contains the OID identifying the content
683    --     encryption algorithm
684    -- &Params - contains the type for the algorithm parameters,
685    --     if present; absent implies no parameters
686    -- &paramPresence - parameter presence requirement
687    -- &smimeCaps - contains the object describing how the S/MIME
688    --     capabilities are presented.
689    --
690    -- Example:
691    -- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
692    --     IDENTIFIER des-ede3-cbc
693    --     PARAMS TYPE IV ARE required
694    --     SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
695    -- }

697    CONTENT-ENCRYPTION ::= CLASS {
698        &id             OBJECT IDENTIFIER UNIQUE,
699        &Params         OPTIONAL,
700        &paramPresence  ParamOptions DEFAULT absent,
701        &smimeCaps      SMIME-CAPS OPTIONAL
702    } WITH SYNTAX {
703        IDENTIFIER &id
704        [PARAMS [TYPE &Params] ARE &paramPresence]
705        [SMIME-CAPS &smimeCaps]
706    }

708    -- ALGORITHM
709    --
710    -- Describes a generic algorithm identifier
711    --
712    -- &id - contains the OID identifying the algorithm
713    -- &Params - contains the type for the algorithm parameters,
714    --     if present; absent implies no parameters
715    -- &paramPresence - parameter presence requirement
716    -- &smimeCaps - contains the object describing how the S/MIME
717    --     capabilities are presented.
718    --
719    -- This would be used for cases where an unknown algorithm is
720    -- used. One should consider using TYPE-IDENTIFIER in these cases.

722    ALGORITHM ::= CLASS {
723        &id             OBJECT IDENTIFIER UNIQUE,
724        &Params         OPTIONAL,
725        &paramPresence  ParamOptions DEFAULT absent,
726        &smimeCaps      SMIME-CAPS OPTIONAL
727    } WITH SYNTAX {
728        IDENTIFIER &id
729        [PARAMS [TYPE &Params] ARE &paramPresence]
730        [SMIME-CAPS &smimeCaps]
731    }

733    -- AlgorithmIdentifier
734    --
735    -- Provides the generic structure that is used to encode algorithm
736    --     identification and the parameters associated with the
737    --     algorithm.
738    --
739    -- The first parameter represents the type of the algorithm being
740    --     used.
741    -- The second parameter represents an object set containing the
742    --     algorithms that may occur in this situation.
743    --     The initial list of required algorithms should occur to the
744    --     left of an extension marker, all other algorithms should
745    --     occur to the right of an extension marker.
746    --
747    -- The object class ALGORITHM can be used for generic unspecified
748    --     items.
749    -- If new ALGORITHM objects are defined, the fields &id and &Params
750    --     need to be present as fields in the object.
751    --

753    AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
754        SEQUENCE {
755            algorithm   ALGORITHM-TYPE.&id({AlgorithmSet}),
756            parameters  ALGORITHM-TYPE.
757                   &Params({AlgorithmSet}{@algorithm}) OPTIONAL
758        }

760    -- S/MIME Capabilities
761    --
762    -- We have moved the SMIME-CAPS from the module for RFC 3851 to here
763    -- because it is used in the PKIX document RFC 4262 - Use of S/MIME
764    -- Caps in certificate extension
765    --
766    --
767    -- This class is used to represent an S/MIME capability. S/MIME
768    -- capabilities are used to represent what algorithm capabilities
769    -- an individual has. The classic example was the content encryption
770    -- algorithm RC2 where the algorithm id and the RC2 key lengths
771    -- supported needed to be advertised, but the IV used is not fixed.
772    -- Thus for RC2 we used
773    --
774    -- cap-RC2CBC SMIME-CAPS ::= {
775    --     TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
776    --
777    -- where 40 and 128 represent the RC2 key length in number of bits.
778    --
779    -- Another example where information needs to be shown is for
780    -- RSA-OAEP where only specific hash functions or mask generation
781    -- functions are supported, but the saltLength is specified by the
782    -- sender and not the recipient. In this case one can either
783    -- generate a number of capability items,
784    -- or a new S/MIME capability type could be generated where
785    -- multiple hash functions could be specified.
786    --
787    --
788    -- SMIME-CAP
789    --
790    -- This class is used to associate the type describing capabilities
791    -- with the object identifier.
792    --

794    SMIME-CAPS ::= CLASS {
795        &id         OBJECT IDENTIFIER UNIQUE,
796        &Type       OPTIONAL
797    }
798    WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }

800    --
801    -- Generic type - this is used for defining values.
802    --

804    -- Define a single S/MIME capability encoding

806    SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
807        capabilityID        SMIME-CAPS.&id({CapabilitySet}),
808        parameters          SMIME-CAPS.&Type({CapabilitySet}
809                                {@capabilityID}) OPTIONAL
810    }

812    -- Define a sequence of S/MIME capability value

814    SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
815        SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }

817    END

819  4. ASN.1 Module for RFC 2560

821    OCSP-2009
822        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
823        mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp-02(48)}
824    DEFINITIONS EXPLICIT TAGS ::=
825    BEGIN
826    IMPORTS

828    Extensions{}, EXTENSION, ATTRIBUTE
829    FROM PKIX-CommonTypes-2009
830        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
831        mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

833    AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM
834    FROM AlgorithmInformation-2009
835        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
836        mechanisms(5) pkix(7) id-mod(0)
837        id-mod-algorithmInformation-02(58)}

839    AuthorityInfoAccessSyntax, GeneralName, CrlEntryExtensions
840    FROM PKIX1Implicit-2009
841        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
842        mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

844    Name, CertificateSerialNumber, id-kp, id-ad-ocsp, Certificate
845    FROM PKIX1Explicit-2009
846        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
847        mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

849    sa-dsaWithSHA1, sa-rsaWithMD2, sa-rsaWithMD5, sa-rsaWithSHA1
850    FROM PKIXAlgs-2009
851        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
852        mechanisms(5) pkix(7) id-mod(0)
853        id-mod-pkix1-algorithms2008-02(56)};

855    OCSPRequest ::= SEQUENCE {
856        tbsRequest          TBSRequest,
857        optionalSignature   [0] EXPLICIT Signature OPTIONAL }

859    TBSRequest ::= SEQUENCE {
860        version             [0] EXPLICIT Version DEFAULT v1,
861        requestorName       [1] EXPLICIT GeneralName OPTIONAL,
862        requestList         SEQUENCE OF Request,
863        requestExtensions   [2] EXPLICIT Extensions {{re-ocsp-nonce |
864                                re-ocsp-response, ...}} OPTIONAL }

866    Signature ::= SEQUENCE {
867        signatureAlgorithm  AlgorithmIdentifier
868                                { SIGNATURE-ALGORITHM, {...}},
869        signature           BIT STRING,
870        certs               [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

872    Version ::= INTEGER { v1(0) }

874    Request ::= SEQUENCE {
875
reqCert CertID, 876 singleRequestExtensions [0] EXPLICIT Extensions 877 { {re-ocsp-service-locator, 878 ...}} OPTIONAL } 880 CertID ::= SEQUENCE { 881 hashAlgorithm AlgorithmIdentifier 882 {DIGEST-ALGORITHM, {...}}, 883 issuerNameHash OCTET STRING, -- Hash of Issuer's DN 884 issuerKeyHash OCTET STRING, -- Hash of Issuers public key 885 serialNumber CertificateSerialNumber } 887 OCSPResponse ::= SEQUENCE { 888 responseStatus OCSPResponseStatus, 889 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } 891 OCSPResponseStatus ::= ENUMERATED { 892 successful (0), --Response has valid confirmations 893 malformedRequest (1), --Illegal confirmation request 894 internalError (2), --Internal error in issuer 895 tryLater (3), --Try again later 896 -- (4) is not used 897 sigRequired (5), --Must sign the request 898 unauthorized (6) --Request unauthorized 899 } 901 RESPONSE ::= TYPE-IDENTIFIER 902 ResponseSet RESPONSE ::= {basicResponse, ...} 904 ResponseBytes ::= SEQUENCE { 905 responseType RESPONSE. 906 &id ({ResponseSet}), 907 response OCTET STRING (CONTAINING RESPONSE. 
908 &Type({ResponseSet}{@responseType}))} 910 basicResponse RESPONSE ::= 911 { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic } 913 BasicOCSPResponse ::= SEQUENCE { 914 tbsResponseData ResponseData, 915 signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, 916 {sa-dsaWithSHA1 | sa-rsaWithSHA1 | 917 sa-rsaWithMD5 | sa-rsaWithMD2, ...}}, 918 signature BIT STRING, 919 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 921 ResponseData ::= SEQUENCE { 922 version [0] EXPLICIT Version DEFAULT v1, 923 responderID ResponderID, 924 producedAt GeneralizedTime, 925 responses SEQUENCE OF SingleResponse, 926 responseExtensions [1] EXPLICIT Extensions 927 {{re-ocsp-nonce, ...}} OPTIONAL } 929 ResponderID ::= CHOICE { 930 byName [1] Name, 931 byKey [2] KeyHash } 933 KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key 934 -- (excluding the tag and length fields) 936 SingleResponse ::= SEQUENCE { 937 certID CertID, 938 certStatus CertStatus, 939 thisUpdate GeneralizedTime, 940 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, 941 singleExtensions [1] EXPLICIT Extensions{{re-ocsp-crl | 942 re-ocsp-archive-cutoff | 943 CrlEntryExtensions, ...} 944 } OPTIONAL } 946 CertStatus ::= CHOICE { 947 good [0] IMPLICIT NULL, 948 revoked [1] IMPLICIT RevokedInfo, 949 unknown [2] IMPLICIT UnknownInfo } 951 RevokedInfo ::= SEQUENCE { 952 revocationTime GeneralizedTime, 953 revocationReason [0] EXPLICIT CRLReason OPTIONAL } 955 UnknownInfo ::= NULL -- this can be replaced with an enumeration 957 CRLReason ::= INTEGER 959 ArchiveCutoff ::= GeneralizedTime 961 AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet}) 963 ServiceLocator ::= SEQUENCE { 964 issuer Name, 965 locator AuthorityInfoAccessSyntax } 967 CrlID ::= SEQUENCE { 968 crlUrl [0] EXPLICIT IA5String OPTIONAL, 969 crlNum [1] EXPLICIT INTEGER OPTIONAL, 970 crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } 972 -- Request Extensions 974 re-ocsp-nonce EXTENSION ::= { SYNTAX OCTET STRING IDENTIFIED 975 BY 
id-pkix-ocsp-nonce } 976 re-ocsp-response EXTENSION ::= { SYNTAX AcceptableResponses IDENTIFIED 977 BY id-pkix-ocsp-response } 978 re-ocsp-service-locator EXTENSION ::= { SYNTAX ServiceLocator 979 IDENTIFIED BY 980 id-pkix-ocsp-service-locator } 982 -- Response Extensions 984 re-ocsp-crl EXTENSION ::= { SYNTAX CrlID IDENTIFIED BY 985 id-pkix-ocsp-crl } 986 re-ocsp-archive-cutoff EXTENSION ::= { SYNTAX ArchiveCutoff 987 IDENTIFIED BY 988 id-pkix-ocsp-archive-cutoff } 990 -- Object Identifiers 992 id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } 993 id-pkix-ocsp OBJECT IDENTIFIER ::= id-ad-ocsp 994 id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } 995 id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } 996 id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } 997 id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } 998 id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } 999 id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } 1000 id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } 1002 END 1004 5. ASN.1 Module for RFC 2986 1006 PKCS-10 1007 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-10(10) 1008 modules(1) pkcs-10(1)} 1009 DEFINITIONS IMPLICIT TAGS ::= 1010 BEGIN 1011 IMPORTS 1013 AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, 1014 PUBLIC-KEY 1015 FROM AlgorithmInformation-2009 1016 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1017 mechanisms(5) pkix(7) id-mod(0) 1018 id-mod-algorithmInformation-02(58)} 1020 ATTRIBUTE, Name 1021 FROM PKIX1Explicit-2009 1022 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1023 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}; 1025 -- Certificate requests 1026 CertificationRequestInfo ::= SEQUENCE { 1027 version INTEGER { v1(0) } (v1, ... 
), 1028 subject Name, 1029 subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, 1030 attributes [0] Attributes{{ CRIAttributes }} 1031 } 1033 SubjectPublicKeyInfo {PUBLIC-KEY: IOSet} ::= SEQUENCE { 1034 algorithm AlgorithmIdentifier {PUBLIC-KEY, {IOSet}}, 1035 subjectPublicKey BIT STRING 1036 } 1038 PKInfoAlgorithms PUBLIC-KEY ::= { 1039 ... -- add any locally defined algorithms here -- } 1041 Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }} 1042 CRIAttributes ATTRIBUTE ::= { 1043 ... -- add any locally defined attributes here -- } 1045 Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { 1046 type ATTRIBUTE.&id({IOSet}), 1047 values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) 1048 } 1050 CertificationRequest ::= SEQUENCE { 1051 certificationRequestInfo CertificationRequestInfo, 1052 signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, 1053 { SignatureAlgorithms }}, 1054 signature BIT STRING 1055 } 1057 SignatureAlgorithms SIGNATURE-ALGORITHM ::= { 1058 ... -- add any locally defined algorithms here -- } 1060 END 1062 6. ASN.1 Module for RFC 3279 1064 Note that this module also contains information from RFC-to-be 5480. 
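The `PARAMS TYPE NULL ARE required / absent / preferredAbsent` settings carried by the signature and digest objects of the RFC 3279 module on this page become accept/reject decisions when a verifier parses an encoded AlgorithmIdentifier. The Python below is an added example, not part of the draft: the strict-reject policy, the function names and the hex samples are assumptions constructed for illustration, while the OIDs and presence values are taken from the object definitions on this page.

```python
# Added example (not from the draft): strict check of a DER AlgorithmIdentifier
# against the "PARAMS TYPE NULL ARE <presence>" rules of objects on this page.

# OID -> (object name on this page, presence rule). Every entry uses TYPE NULL.
RULES = {
    "1.2.840.113549.1.1.2": ("sa-rsaWithMD2", "required"),
    "1.2.840.113549.1.1.4": ("sa-rsaWithMD5", "required"),
    "1.2.840.113549.1.1.5": ("sa-rsaWithSHA1", "required"),
    "1.2.840.10040.4.3": ("sa-dsaWithSHA1", "absent"),
    "1.2.840.10045.4.1": ("sa-ecdsaWithSHA1", "absent"),
    "1.2.840.10045.4.3.2": ("sa-ecdsaWithSHA256", "absent"),
    "1.3.14.3.2.26": ("mda-sha1", "preferredAbsent"),
}


class DERError(ValueError):
    """Raised for malformed DER or a violated presence rule."""


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length DER TLV."""
    if pos + 2 > len(buf):
        raise DERError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DERError("high-tag-number form not supported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DERError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise DERError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise DERError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    if not body or body[-1] & 0x80:
        raise DERError("bad OID contents")
    arcs, value = [], 0
    for b in body:
        if value == 0 and b == 0x80:
            raise DERError("non-minimal OID arc")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def check_algorithm_identifier(der):
    """Return (name, "ok" | "tolerated"); raise DERError on any violation."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise DERError("expected exactly one SEQUENCE")
    tag, oid_body, pos = read_tlv(seq)
    if tag != 0x06:
        raise DERError("algorithm field is not an OBJECT IDENTIFIER")
    oid = decode_oid(oid_body)
    params = None
    if pos < len(seq):
        ptag, pval, pos = read_tlv(seq, pos)
        params = (ptag, pval)
        if pos != len(seq):
            raise DERError("trailing data after parameters")
    if oid not in RULES:  # closed object set: unknown algorithms are refused
        raise DERError("algorithm %s is not in the permitted set" % oid)
    name, presence = RULES[oid]
    if params is not None and params != (0x05, b""):
        raise DERError("%s: parameters are not an encoded NULL" % name)
    if presence == "required" and params is None:
        raise DERError("%s: NULL parameters are required" % name)
    if presence == "absent" and params is not None:
        raise DERError("%s: parameters must be absent" % name)
    if presence == "preferredAbsent" and params is not None:
        return name, "tolerated"  # legal, but senders should omit it
    return name, "ok"


def is_accepted(der):
    """True when the encoding passes every structural and presence check."""
    try:
        check_algorithm_identifier(der)
        return True
    except DERError:
        return False


# Constructed sample encodings (built by hand for this example).
RSA_SHA1_WITH_NULL = bytes.fromhex("300d06092a864886f70d0101050500")
RSA_SHA1_NO_PARAMS = bytes.fromhex("300b06092a864886f70d010105")
ECDSA_SHA256_NO_PARAMS = bytes.fromhex("300a06082a8648ce3d040302")
ECDSA_SHA256_WITH_NULL = bytes.fromhex("300c06082a8648ce3d0403020500")
SHA1_WITH_NULL = bytes.fromhex("300906052b0e03021a0500")
SHA1_NO_PARAMS = bytes.fromhex("300706052b0e03021a")
```

Rejecting the two mismatched encodings, rather than normalising them, keeps two verifiers from disagreeing about whether the same signed structure is valid.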
1066 PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) 1067 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 1068 id-mod-pkix1-algorithms2008-02(56) } 1070 DEFINITIONS EXPLICIT TAGS ::= 1071 BEGIN 1072 IMPORTS 1074 -- FROM [PKI-ASN] 1076 PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS 1077 FROM AlgorithmInformation-2009 1078 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1079 mechanisms(5) pkix(7) id-mod(0) 1080 id-mod-algorithmInformation-02(58)} 1082 -- From [PKIX-OAEP] 1084 mda-sha224, mda-sha256, mda-sha384, mda-sha512 1085 FROM PKIX1-PSS-OAEP-Algorithms-2009 1086 {iso(1) identified-organization(3) dod(6) internet(1) 1087 security(5) mechanisms(5) pkix(7) id-mod(0) 1088 id-mod-pkix1-rsa-pkalgs-02(54)} ; 1090 -- 1091 -- Public Key (pk-) Algorithms 1092 -- 1094 PublicKeys PUBLIC-KEY ::= { 1095 pk-rsa | 1096 pk-dsa | 1097 pk-dh | 1098 pk-kea, 1099 ..., 1100 pk-ec | 1101 pk-ecDH | 1102 pk-ecMQV 1103 } 1105 -- 1106 -- Signature Algorithms (sa-) 1107 -- 1109 SignatureAlgs SIGNATURE-ALGORITHM ::= { 1110 sa-rsaWithMD2 | 1111 sa-rsaWithMD5 | 1112 sa-rsaWithSHA1 | 1113 sa-dsaWithSHA1 | 1114 sa-ecdsaWithSHA1, 1115 ..., -- Extensible 1116 sa-dsaWithSHA224 | 1117 sa-dsaWithSHA256 | 1118 sa-ecdsaWithSHA224 | 1119 sa-ecdsaWithSHA256 | 1120 sa-ecdsaWithSHA384 | 1121 sa-ecdsaWithSHA512 1122 } 1124 -- 1125 -- S/MIME CAPS for algorithms in this document 1126 -- 1127 -- For all of the algorithms laid out in this document, the 1128 -- parameters for the S/MIME capabilities is defined as ABSENT 1129 -- as there are no specific values that need to be known by the 1130 -- reciever for negotiation. 
1131 -- 1133 SMimeCaps SMIME-CAPS ::= { 1134 sa-rsaWithMD2.&smimeCaps | 1135 sa-rsaWithMD5.&smimeCaps | 1136 sa-rsaWithSHA1.&smimeCaps | 1137 sa-dsaWithSHA1.&smimeCaps | 1138 sa-dsaWithSHA224.&smimeCaps | 1139 sa-dsaWithSHA256.&smimeCaps | 1140 sa-ecdsaWithSHA1.&smimeCaps | 1141 sa-ecdsaWithSHA224.&smimeCaps | 1142 sa-ecdsaWithSHA256.&smimeCaps | 1143 sa-ecdsaWithSHA384.&smimeCaps | 1144 sa-ecdsaWithSHA512.&smimeCaps, 1145 ... } 1147 -- RSA PK Algorithm, Parameters, and Keys 1149 pk-rsa PUBLIC-KEY ::= { 1150 IDENTIFIER rsaEncryption 1151 KEY RSAPublicKey 1152 PARAMS TYPE NULL ARE absent 1153 -- Private key format not in this module -- 1154 CERT-KEY-USAGE {digitalSignature, nonRepudiation, 1155 keyEncipherment, dataEncipherment, keyCertSign, cRLSign} 1156 } 1158 rsaEncryption OBJECT IDENTIFIER ::= { 1159 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1160 pkcs-1(1) 1 } 1162 RSAPublicKey ::= SEQUENCE { 1163 modulus INTEGER, -- n 1164 publicExponent INTEGER -- e 1165 } 1167 -- DSA PK Algorithm, Parameters, and Keys 1169 pk-dsa PUBLIC-KEY ::= { 1170 IDENTIFIER id-dsa 1171 KEY DSAPublicKey 1172 PARAMS TYPE DSA-Parms ARE inheritable 1173 -- Private key format not in this module -- 1174 CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, 1175 cRLSign } 1176 } 1178 id-dsa OBJECT IDENTIFIER ::= { 1179 iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } 1181 DSA-Parms ::= SEQUENCE { 1182 p INTEGER, 1183 q INTEGER, 1184 g INTEGER 1185 } 1186 DSAPublicKey ::= INTEGER -- public key, y 1188 -- Diffie-Hellman PK Algorithm, Parameters, and Keys 1190 pk-dh PUBLIC-KEY ::= { 1191 IDENTIFIER dhpublicnumber 1192 KEY DHPublicKey 1193 PARAMS TYPE DomainParameters ARE inheritable 1194 -- Private key format not in this module -- 1195 CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } 1196 } 1198 dhpublicnumber OBJECT IDENTIFIER ::= { 1199 iso(1) member-body(2) us(840) ansi-x942(10046) 1200 number-type(2) 1 } 1202 DomainParameters ::= SEQUENCE { 1203 p 
INTEGER, -- odd prime, p=jq +1 1204 g INTEGER, -- generator, g 1205 q INTEGER, -- factor of p-1 1206 j INTEGER OPTIONAL, -- subgroup factor, j>= 2 1207 validationParms ValidationParms OPTIONAL 1208 } 1210 ValidationParms ::= SEQUENCE { 1211 seed BIT STRING, 1212 pgenCounter INTEGER 1213 } 1215 DHPublicKey ::= INTEGER -- public key, y = g^x mod p 1217 -- KEA PK Algorithm and Parameters 1219 pk-kea PUBLIC-KEY ::= { 1220 IDENTIFIER id-keyExchangeAlgorithm 1221 -- key is not encoded -- 1222 PARAMS TYPE KEA-Parms-Id ARE required 1223 -- Private key format not in this module -- 1224 CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } 1225 } 1227 id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= { 1228 joint-iso-itu-t(2) country(16) us(840) organization(1) 1229 gov(101) dod(2) infosec(1) algorithms(1) 22 } 1231 KEA-Parms-Id ::= OCTET STRING 1233 -- Elliptic Curve (EC) Signatures: Unrestricted Algorithms 1234 -- (Section 2.1.1 of RFC 5480) 1235 -- 1236 -- EC Unrestricted Algorithm ID -- -- this is used for ECDSA 1238 pk-ec PUBLIC-KEY ::= { 1239 IDENTIFIER id-ecPublicKey 1240 KEY ECPoint 1241 PARAMS TYPE ECParameters ARE required 1242 -- Private key format not in this module -- 1243 CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement, 1244 keyCertSign, cRLSign } 1245 } 1247 ECPoint ::= OCTET STRING -- see RFC 5480 for syntax and restrictions 1249 id-ecPublicKey OBJECT IDENTIFIER ::= { 1250 iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } 1252 -- Elliptic Curve (EC) Signatures: Restricted Algorithms 1253 -- (Section 2.1.2 of RFC 5480) 1254 -- 1255 -- EC Diffie-Hellman Algorithm ID 1257 pk-ecDH PUBLIC-KEY ::= { 1258 IDENTIFIER id-ecDH 1259 KEY ECPoint 1260 PARAMS TYPE ECParameters ARE required 1261 -- Private key format not in this module -- 1262 CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } 1263 } 1265 id-ecDH OBJECT IDENTIFIER ::= { 1266 iso(1) identified-organization(3) certicom(132) schemes(1) 1267 ecdh(12) } 1269 -- EC 
Menezes-Qu-Vanstone Algorithm ID 1271 pk-ecMQV PUBLIC-KEY ::= { 1272 IDENTIFIER id-ecMQV 1273 KEY ECPoint 1274 PARAMS TYPE ECParameters ARE required 1275 -- Private key format not in this module -- 1276 CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } 1277 } 1279 id-ecMQV OBJECT IDENTIFIER ::= { 1280 iso(1) identified-organization(3) certicom(132) schemes(1) 1281 ecmqv(13) } 1283 -- Parameters and Keys for both Restricted and Unrestricted EC 1285 ECParameters ::= CHOICE { 1286 namedCurve CURVE.&id({NamedCurve}) --, 1287 -- implicitCurve NULL 1288 -- implicitCurve MUST NOT be used in PKIX 1289 -- specifiedCurve SpecifiedCurve 1290 -- specifiedCurve MUST NOT be used in PKIX 1291 -- Details for specifiedCurve can be found in [X9.62] 1292 -- Any future additions to this CHOICE should be coordinated 1293 -- with ANSI X.9. 1294 } 1295 -- If you need to be able to decode ANSI X.9 parameter structures, 1296 -- uncomment the implicitCurve and specificCurve above, and also 1297 -- uncomment the follow: 1298 --(WITH COMPONENTS {namedCurve PRESENT}) 1300 -- Sec 2.1.1.1 Named Curve 1302 CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE } 1303 WITH SYNTAX { ID &id } 1305 NamedCurve CURVE ::= { 1306 { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } | 1307 { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } | 1308 { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } | 1309 { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } | 1310 { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 }, 1311 ... -- Extensible 1312 } 1314 -- Note in [X9.62] the curves are referred to as 'ansiX9' as 1315 -- opposed to 'sec'. For example secp192r1 is the same curve as 1316 -- ansix9p192r1. 1318 -- Note that in [PKI-ALG] the secp192r1 curve was referred to as 1319 -- prime192v1 and the secp256r1 curve was referred to as 1320 -- prime256v1. 
1322 -- Note that [FIPS186-3] refers to secp192r1 as P-192, 1323 -- secp224r1 as P-224, secp256r1 as P-256, secp384r1 as P-384, 1324 -- and secp521r1 as P-521. 1326 secp192r1 OBJECT IDENTIFIER ::= { 1327 iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) 1328 prime(1) 1 } 1330 sect163k1 OBJECT IDENTIFIER ::= { 1331 iso(1) identified-organization(3) certicom(132) curve(0) 1 } 1333 sect163r2 OBJECT IDENTIFIER ::= { 1334 iso(1) identified-organization(3) certicom(132) curve(0) 15 } 1336 secp224r1 OBJECT IDENTIFIER ::= { 1337 iso(1) identified-organization(3) certicom(132) curve(0) 33 } 1339 sect233k1 OBJECT IDENTIFIER ::= { 1340 iso(1) identified-organization(3) certicom(132) curve(0) 26 } 1342 sect233r1 OBJECT IDENTIFIER ::= { 1343 iso(1) identified-organization(3) certicom(132) curve(0) 27 } 1345 secp256r1 OBJECT IDENTIFIER ::= { 1346 iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) 1347 prime(1) 7 } 1349 sect283k1 OBJECT IDENTIFIER ::= { 1350 iso(1) identified-organization(3) certicom(132) curve(0) 16 } 1352 sect283r1 OBJECT IDENTIFIER ::= { 1353 iso(1) identified-organization(3) certicom(132) curve(0) 17 } 1355 secp384r1 OBJECT IDENTIFIER ::= { 1356 iso(1) identified-organization(3) certicom(132) curve(0) 34 } 1358 sect409k1 OBJECT IDENTIFIER ::= { 1359 iso(1) identified-organization(3) certicom(132) curve(0) 36 } 1361 sect409r1 OBJECT IDENTIFIER ::= { 1362 iso(1) identified-organization(3) certicom(132) curve(0) 37 } 1364 secp521r1 OBJECT IDENTIFIER ::= { 1365 iso(1) identified-organization(3) certicom(132) curve(0) 35 } 1367 sect571k1 OBJECT IDENTIFIER ::= { 1368 iso(1) identified-organization(3) certicom(132) curve(0) 38 } 1370 sect571r1 OBJECT IDENTIFIER ::= { 1371 iso(1) identified-organization(3) certicom(132) curve(0) 39 } 1373 -- RSA with MD-2 1375 sa-rsaWithMD2 SIGNATURE-ALGORITHM ::= { 1376 IDENTIFIER md2WithRSAEncryption 1377 PARAMS TYPE NULL ARE required 1378 HASHES { mda-md2 } 1379 PUBLIC-KEYS { pk-rsa } 1380 SMIME-CAPS { IDENTIFIED BY 
md2WithRSAEncryption } 1381 } 1383 md2WithRSAEncryption OBJECT IDENTIFIER ::= { 1384 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1385 pkcs-1(1) 2 } 1387 -- RSA with MD-5 1389 sa-rsaWithMD5 SIGNATURE-ALGORITHM ::= { 1390 IDENTIFIER md5WithRSAEncryption 1391 PARAMS TYPE NULL ARE required 1392 HASHES { mda-md5 } 1393 PUBLIC-KEYS { pk-rsa } 1394 SMIME-CAPS { IDENTIFIED BY md5WithRSAEncryption } 1395 } 1397 md5WithRSAEncryption OBJECT IDENTIFIER ::= { 1398 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1399 pkcs-1(1) 4 } 1401 -- RSA with SHA-1 1403 sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= { 1404 IDENTIFIER sha1WithRSAEncryption 1405 PARAMS TYPE NULL ARE required 1406 HASHES { mda-sha1 } 1407 PUBLIC-KEYS { pk-rsa } 1408 SMIME-CAPS {IDENTIFIED BY sha1WithRSAEncryption } 1409 } 1411 sha1WithRSAEncryption OBJECT IDENTIFIER ::= { 1412 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1413 pkcs-1(1) 5 } 1415 -- DSA with SHA-1 1417 sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= { 1418 IDENTIFIER dsa-with-sha1 1419 VALUE DSA-Sig-Value 1420 PARAMS TYPE NULL ARE absent 1421 HASHES { mda-sha1 } 1422 PUBLIC-KEYS { pk-dsa } 1423 SMIME-CAPS { IDENTIFIED BY dsa-with-sha1 } 1424 } 1426 dsa-with-sha1 OBJECT IDENTIFIER ::= { 1427 iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 } 1429 -- DSA with SHA-224 1431 sa-dsaWithSHA224 SIGNATURE-ALGORITHM ::= { 1432 IDENTIFIER dsa-with-sha224 1433 VALUE DSA-Sig-Value 1434 PARAMS TYPE NULL ARE absent 1435 HASHES { mda-sha224 } 1436 PUBLIC-KEYS { pk-dsa } 1437 SMIME-CAPS { IDENTIFIED BY dsa-with-sha224 } 1438 } 1440 dsa-with-sha224 OBJECT IDENTIFIER ::= { 1441 joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) 1442 csor(3) algorithms(4) id-dsa-with-sha2(3) 1 } 1444 -- DSA with SHA-256 1446 sa-dsaWithSHA256 SIGNATURE-ALGORITHM ::= { 1447 IDENTIFIER dsa-with-sha256 1448 VALUE DSA-Sig-Value 1449 PARAMS TYPE NULL ARE absent 1450 HASHES { mda-sha256 } 1451 PUBLIC-KEYS { pk-dsa } 1452 SMIME-CAPS { IDENTIFIED BY 
dsa-with-sha256 } 1453 } 1455 dsa-with-sha256 OBJECT IDENTIFIER ::= { 1456 joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) 1457 csor(3) algorithms(4) id-dsa-with-sha2(3) 2 } 1459 -- ECDSA with SHA-1 1461 sa-ecdsaWithSHA1 SIGNATURE-ALGORITHM ::= { 1462 IDENTIFIER ecdsa-with-SHA1 1463 VALUE ECDSA-Sig-Value 1464 PARAMS TYPE NULL ARE absent 1465 HASHES { mda-sha1 } 1466 PUBLIC-KEYS { pk-ec } 1467 SMIME-CAPS {IDENTIFIED BY ecdsa-with-SHA1 } 1468 } 1470 ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { 1471 iso(1) member-body(2) us(840) ansi-X9-62(10045) 1472 signatures(4) 1 } 1474 -- ECDSA with SHA-224 1475 sa-ecdsaWithSHA224 SIGNATURE-ALGORITHM ::= { 1476 IDENTIFIER ecdsa-with-SHA224 1477 VALUE ECDSA-Sig-Value 1478 PARAMS TYPE NULL ARE absent 1479 HASHES { mda-sha224 } 1480 PUBLIC-KEYS { pk-ec } 1481 SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA224 } 1482 } 1484 ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { 1485 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1486 ecdsa-with-SHA2(3) 1 } 1488 -- ECDSA with SHA-256 1490 sa-ecdsaWithSHA256 SIGNATURE-ALGORITHM ::= { 1491 IDENTIFIER ecdsa-with-SHA256 1492 VALUE ECDSA-Sig-Value 1493 PARAMS TYPE NULL ARE absent 1494 HASHES { mda-sha256 } 1495 PUBLIC-KEYS { pk-ec } 1496 SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA256 } 1497 } 1499 ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { 1500 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1501 ecdsa-with-SHA2(3) 2 } 1503 -- ECDSA with SHA-384 1505 sa-ecdsaWithSHA384 SIGNATURE-ALGORITHM ::= { 1506 IDENTIFIER ecdsa-with-SHA384 1507 VALUE ECDSA-Sig-Value 1508 PARAMS TYPE NULL ARE absent 1509 HASHES { mda-sha384 } 1510 PUBLIC-KEYS { pk-ec } 1511 SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA384 } 1512 } 1514 ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { 1515 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1516 ecdsa-with-SHA2(3) 3 } 1518 -- ECDSA with SHA-512 1520 sa-ecdsaWithSHA512 SIGNATURE-ALGORITHM ::= { 1521 IDENTIFIER ecdsa-with-SHA512 1522 VALUE ECDSA-Sig-Value 
1523 PARAMS TYPE NULL ARE absent 1524 HASHES { mda-sha512 } 1525 PUBLIC-KEYS { pk-ec } 1526 SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA512 } 1527 } 1529 ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { 1530 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1531 ecdsa-with-SHA2(3) 4 } 1533 -- 1534 -- Signature Values 1535 -- 1537 -- DSA 1539 DSA-Sig-Value ::= SEQUENCE { 1540 r INTEGER, 1541 s INTEGER 1542 } 1544 -- ECDSA 1546 ECDSA-Sig-Value ::= SEQUENCE { 1547 r INTEGER, 1548 s INTEGER 1549 } 1551 -- 1552 -- Message Digest Algorthms (mda-) 1553 -- 1555 HashAlgs DIGEST-ALGORITHM ::= { 1556 mda-md2 | 1557 mda-md5 | 1558 mda-sha1, 1559 ... -- Extensible 1560 } 1562 -- MD-2 1564 mda-md2 DIGEST-ALGORITHM ::= { 1565 IDENTIFIER id-md2 1566 PARAMS TYPE NULL ARE preferredAbsent 1567 } 1569 id-md2 OBJECT IDENTIFIER ::= { 1570 iso(1) member-body(2) us(840) rsadsi(113549) 1571 digestAlgorithm(2) 2 } 1573 -- MD-5 1575 mda-md5 DIGEST-ALGORITHM ::= { 1576 IDENTIFIER id-md5 1577 PARAMS TYPE NULL ARE preferredAbsent 1578 } 1580 id-md5 OBJECT IDENTIFIER ::= { 1581 iso(1) member-body(2) us(840) rsadsi(113549) 1582 digestAlgorithm(2) 5 } 1584 -- SHA-1 1586 mda-sha1 DIGEST-ALGORITHM ::= { 1587 IDENTIFIER id-sha1 1588 PARAMS TYPE NULL ARE preferredAbsent 1589 } 1591 id-sha1 OBJECT IDENTIFIER ::= { 1592 iso(1) identified-organization(3) oiw(14) secsig(3) 1593 algorithm(2) 26 } 1595 END 1597 7. 
ASN.1 Module for RFC 3281 1599 PKIXAttributeCertificate-2009 1600 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1601 mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)} 1602 DEFINITIONS IMPLICIT TAGS ::= 1603 BEGIN 1604 IMPORTS 1606 AttributeSet{}, Extensions{}, SecurityCategory{}, 1607 EXTENSION, ATTRIBUTE, SECURITY-CATEGORY 1608 FROM PKIX-CommonTypes-2009 1609 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1610 mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } 1612 AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM 1613 FROM AlgorithmInformation-2009 1614 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1615 mechanisms(5) pkix(7) id-mod(0) 1616 id-mod-algorithmInformation-02(58)} 1618 CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp, 1619 id-ad, id-at, SIGNED{}, SignatureAlgorithms 1620 FROM PKIX1Explicit-2009 1621 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1622 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} 1624 GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier, 1625 ext-AuthorityInfoAccess, ext-CRLDistributionPoints 1626 FROM PKIX1Implicit-2009 1627 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1628 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}; 1630 -- Define the set of extensions that can appear. 1631 -- Some of these are imported from PKIX Cert 1633 AttributeCertExtensions EXTENSION ::= { 1634 ext-auditIdentity | ext-targetInformation | 1635 ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess | 1636 ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying | 1637 ext-aaControls, ... 
} 1639 ext-auditIdentity EXTENSION ::= { SYNTAX 1640 OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity} 1642 ext-targetInformation EXTENSION ::= { SYNTAX 1643 Targets IDENTIFIED BY id-ce-targetInformation } 1645 ext-noRevAvail EXTENSION ::= { SYNTAX 1646 NULL IDENTIFIED BY id-ce-noRevAvail} 1648 ext-ac-proxying EXTENSION ::= { SYNTAX 1649 ProxyInfo IDENTIFIED BY id-pe-ac-proxying} 1651 ext-aaControls EXTENSION ::= { SYNTAX 1652 AAControls IDENTIFIED BY id-pe-aaControls} 1654 -- Define the set of attributes used here 1656 AttributesDefined ATTRIBUTE ::= { at-authenticationInfo | 1657 at-accesIdentity | at-chargingIdentity | at-group | 1658 at-role | at-clearance | at-encAttrs, ...} 1660 at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo 1661 IDENTIFIED BY id-aca-authenticationInfo} 1663 at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo 1664 IDENTIFIED BY id-aca-accessIdentity} 1666 at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax 1667 IDENTIFIED BY id-aca-chargingIdentity} 1669 at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax 1670 IDENTIFIED BY id-aca-group} 1672 at-role ATTRIBUTE ::= { TYPE RoleSyntax 1673 IDENTIFIED BY id-at-role} 1675 at-clearance ATTRIBUTE ::= { TYPE Clearance 1676 IDENTIFIED BY id-at-clearance} 1678 at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo 1679 IDENTIFIED BY id-aca-encAttrs} 1681 -- 1682 -- OIDs used by Attribute Certificate Extensions 1683 -- 1685 id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 } 1686 id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 } 1687 id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 } 1688 id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 } 1689 id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 } 1691 -- 1692 -- OIDs used by Attribute Certficate Attributes 1693 -- 1695 id-aca OBJECT IDENTIFIER ::= { id-pkix 10 } 1697 id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 } 1698 id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 } 1699 id-aca-chargingIdentity OBJECT IDENTIFIER ::= { 
id-aca 3 }
1700   id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
1701   -- { id-aca 5 } is reserved
1702   id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }

1704   id-at-role OBJECT IDENTIFIER ::= { id-at 72}
1705   id-at-clearance OBJECT IDENTIFIER ::=
1706       { joint-iso-ccitt(2) ds(5) module(1)
1707         selected-attribute-types(5) clearance (55) }

1709   --
1710   -- The syntax of an Attribute Certificate
1711   --

1713   AttributeCertificate ::= SIGNED{AttributeCertificateInfo}
1714   AttributeCertificateInfo ::= SEQUENCE {
1715       version AttCertVersion, -- version is v2,
1716       holder Holder,
1717       issuer AttCertIssuer,
1718       signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
1719           {SignatureAlgorithms}},
1720       serialNumber CertificateSerialNumber,
1721       attrCertValidityPeriod AttCertValidityPeriod,
1722       attributes SEQUENCE SIZE (1..MAX) OF
1723           AttributeSet{{AttributesDefined}},
1724       issuerUniqueID UniqueIdentifier OPTIONAL,
1725       extensions Extensions{{AttributeCertExtensions}} OPTIONAL
1726   }

1728   AttCertVersion ::= INTEGER { v2(1) }

1730   Holder ::= SEQUENCE {
1731       baseCertificateID [0] IssuerSerial OPTIONAL,
1732           -- the issuer and serial number of
1733           -- the holder's Public Key Certificate
1734       entityName [1] GeneralNames OPTIONAL,
1735           -- the name of the claimant or role
1736       objectDigestInfo [2] ObjectDigestInfo OPTIONAL
1737           -- used to directly authenticate the
1738           -- holder, for example, an executable
1739   }

1741   ObjectDigestInfo ::= SEQUENCE {
1742       digestedObjectType ENUMERATED {
1743           publicKey (0),
1744           publicKeyCert (1),
1745           otherObjectTypes (2) },
1746           -- otherObjectTypes MUST NOT be used in
1747           -- this profile
1748       otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
1749       digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
1750       objectDigest BIT STRING
1751   }

1753   AttCertIssuer ::= CHOICE {
1754       v1Form GeneralNames, -- MUST NOT be used in this
1755                            -- profile
1756       v2Form [0] V2Form -- v2 only
1757   }

1759   V2Form ::= SEQUENCE {
1760       issuerName GeneralNames OPTIONAL,
1761       baseCertificateID [0] IssuerSerial OPTIONAL,
1762       objectDigestInfo [1] ObjectDigestInfo OPTIONAL
1763           -- issuerName MUST be present in this profile
1764           -- baseCertificateID and objectDigestInfo MUST
1765           -- NOT be present in this profile
1766   }

1768   IssuerSerial ::= SEQUENCE {
1769       issuer GeneralNames,
1770       serial CertificateSerialNumber,
1771       issuerUID UniqueIdentifier OPTIONAL
1772   }

1774   AttCertValidityPeriod ::= SEQUENCE {
1775       notBeforeTime GeneralizedTime,
1776       notAfterTime GeneralizedTime
1777   }

1779   --
1780   -- Syntax used by Attribute Certificate Extensions
1781   --

1783   Targets ::= SEQUENCE OF Target

1785   Target ::= CHOICE {
1786       targetName [0] GeneralName,
1787       targetGroup [1] GeneralName,
1788       targetCert [2] TargetCert
1789   }

1791   TargetCert ::= SEQUENCE {
1792       targetCertificate IssuerSerial,
1793       targetName GeneralName OPTIONAL,
1794       certDigestInfo ObjectDigestInfo OPTIONAL
1795   }

1797   AAControls ::= SEQUENCE {
1798       pathLenConstraint INTEGER (0..MAX) OPTIONAL,
1799       permittedAttrs [0] AttrSpec OPTIONAL,
1800       excludedAttrs [1] AttrSpec OPTIONAL,
1801       permitUnSpecified BOOLEAN DEFAULT TRUE
1802   }

1804   AttrSpec ::= SEQUENCE OF OBJECT IDENTIFIER

1806   ProxyInfo ::= SEQUENCE OF Targets

1808   --
1809   -- Syntax used by Attribute Certificate Attributes
1810   --

1812   IetfAttrSyntax ::= SEQUENCE {
1813       policyAuthority [0] GeneralNames OPTIONAL,
1814       values SEQUENCE OF CHOICE {
1815           octets OCTET STRING,
1816           oid OBJECT IDENTIFIER,
1817           string UTF8String
1818       }
1819   }

1821   SvceAuthInfo ::= SEQUENCE {
1822       service GeneralName,
1823       ident GeneralName,
1824       authInfo OCTET STRING OPTIONAL
1825   }

1827   RoleSyntax ::= SEQUENCE {
1828       roleAuthority [0] GeneralNames OPTIONAL,
1829       roleName [1] GeneralName
1830   }

1832   Clearance ::= SEQUENCE {
1833       policyId OBJECT IDENTIFIER,
1834       classList ClassList DEFAULT {unclassified},
1835       securityCategories SET OF SecurityCategory
1836           {{SupportedSecurityCategories}} OPTIONAL
1837   }

1839   ClassList ::= BIT STRING {
1840       unmarked (0),
1841       unclassified (1),
1842       restricted (2),
1843       confidential (3),
1844       secret (4),
1845       topSecret (5)
1846   }

1848   SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }

1850   ACClearAttrs ::= SEQUENCE {
1851       acIssuer GeneralName,
1852       acSerial INTEGER,
1853       attrs SEQUENCE OF AttributeSet{{AttributesDefined}}
1854   }

1856   ContentInfo ::= INTEGER
1857   END

1859   8. ASN.1 Module for RFC 3852 (Attribute Certificate v1)

1861   AttributeCertificateVersion1-2009
1862       {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1863       smime(16) modules(0) id-mod-v1AttrCert-02(49)}
1864   DEFINITIONS EXPLICIT TAGS ::=
1865   BEGIN
1866   IMPORTS

1868   SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{}
1869   FROM AlgorithmInformation-2009
1870       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1871       mechanisms(5) pkix(7) id-mod(0)
1872       id-mod-algorithmInformation-02(58)}

1874   AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE
1875   FROM PKIX-CommonTypes-2009
1876       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1877       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

1879   CertificateSerialNumber, UniqueIdentifier, SIGNED{}
1880   FROM PKIX1Explicit-2009
1881       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1882       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

1884   GeneralNames
1885   FROM PKIX1Implicit-2009
1886       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1887       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

1889   AttCertValidityPeriod, IssuerSerial
1890   FROM PKIXAttributeCertificate-2009
1891       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1892       mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } ;

1894   -- Definition extracted from X.509-1997 [X.509-97], but
1895   -- different type names are used to avoid collisions.
1897   AttributeCertificateV1 ::= SIGNED{AttributeCertificateInfoV1}

1899   AttributeCertificateInfoV1 ::= SEQUENCE {
1900       version AttCertVersionV1 DEFAULT v1,
1901       subject CHOICE {
1902           baseCertificateID [0] IssuerSerial,
1903           -- associated with a Public Key Certificate
1904           subjectName [1] GeneralNames },
1905           -- associated with a name
1906       issuer GeneralNames,
1907       signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}},
1908       serialNumber CertificateSerialNumber,
1909       attCertValidityPeriod AttCertValidityPeriod,
1910       attributes SEQUENCE OF AttributeSet{{AttrList}},
1911       issuerUniqueID UniqueIdentifier OPTIONAL,
1912       extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL }

1914   AttCertVersionV1 ::= INTEGER { v1(0) }

1916   AttrList ATTRIBUTE ::= {...}

1918   AttributeCertExtensionsV1 EXTENSION ::= {...}

1920   END

1922   9. ASN.1 Module for RFC 4055

1924   PKIX1-PSS-OAEP-Algorithms-2009
1925       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1926       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)}
1927   DEFINITIONS EXPLICIT TAGS ::=
1928   BEGIN
1929   IMPORTS

1931   AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-TRANSPORT,
1932       SIGNATURE-ALGORITHM, PUBLIC-KEY, SMIME-CAPS
1933   FROM AlgorithmInformation-2009
1934       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1935       mechanisms(5) pkix(7) id-mod(0)
1936       id-mod-algorithmInformation-02(58)}

1938   id-sha1, mda-sha1, pk-rsa, RSAPublicKey
1939   FROM PKIXAlgs-2009
1940       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1941       mechanisms(5) pkix(7) id-mod(0)
1942       id-mod-pkix1-algorithms2008-02(56)};

1944   -- ============================
1945   -- Object Set exports
1946   -- ============================
1947   --
1948   -- Define top level symbols with all of the objects defined for
1949   -- export to other modules. These objects would be included as part
1950   -- of an Object Set to restrict the set of legal values.
1951   --

1953   -- M00BUG - where did rsaWithSHA256 go?
1955   PublicKeys PUBLIC-KEY ::= { pk-rsaSSA-PSS | pk-rsaES-OAEP, ... }
1956   SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-rsaSSA-PSS, ...}
1957   KeyTransportAlgs KEY-TRANSPORT ::= { kta-rsaES-OAEP, ... }
1958   HashAlgs DIGEST-ALGORITHM ::= { mda-sha224 | mda-sha256 | mda-sha384
1959       | mda-sha512, ... }
1960   SMimeCaps SMIME-CAPS ::= {
1961       sa-rsaSSA-PSS.&smimeCaps |
1962       kta-rsaES-OAEP.&smimeCaps,
1963       ...
1964   }

1966   -- =============================
1967   -- Algorithm Objects
1968   -- =============================

1970   --
1971   -- Public key object for PSS signatures
1972   --

1974   pk-rsaSSA-PSS PUBLIC-KEY ::= {
1975       IDENTIFIER id-RSASSA-PSS
1976       KEY RSAPublicKey
1977       PARAMS TYPE RSASSA-PSS-params ARE optional
1978       -- Private key format not in this module --
1979       CERT-KEY-USAGE { nonRepudiation, digitalSignature,
1980           keyCertSign, cRLSign }
1981   }

1983   --
1984   -- Signature algorithm definition for PSS signatures
1985   --

1987   sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= {
1988       IDENTIFIER id-RSASSA-PSS
1989       PARAMS TYPE RSASSA-PSS-params ARE required
1990       HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384
1991           | mda-sha512 }
1992       PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS }
1993       SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS }
1994   }
1995   --
1996   -- Signature algorithm definitions for PKCS v1.5 signatures
1997   --

1999   sa-sha224WithRSAEncryption SIGNATURE-ALGORITHM ::= {
2000       IDENTIFIER sha224WithRSAEncryption
2001       PARAMS TYPE NULL ARE required
2002       HASHES { mda-sha224 }
2003       PUBLIC-KEYS { pk-rsa }
2004       SMIME-CAPS { IDENTIFIED BY sha224WithRSAEncryption }
2005   }
2006   sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 }

2008   sa-sha256WithRSAEncryption SIGNATURE-ALGORITHM ::= {
2009       IDENTIFIER sha256WithRSAEncryption
2010       PARAMS TYPE NULL ARE required
2011       HASHES { mda-sha256 }
2012       PUBLIC-KEYS { pk-rsa }
2013       SMIME-CAPS { IDENTIFIED BY sha256WithRSAEncryption }
2014   }
2015   sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }

2017   sa-sha384WithRSAEncryption SIGNATURE-ALGORITHM ::= {
2018       IDENTIFIER sha384WithRSAEncryption
2019       PARAMS TYPE NULL ARE required
2020       HASHES { mda-sha384 }
2021       PUBLIC-KEYS { pk-rsa }
2022       SMIME-CAPS { IDENTIFIED BY sha384WithRSAEncryption }
2023   }
2024   sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }

2026   sa-sha512WithRSAEncryption SIGNATURE-ALGORITHM ::= {
2027       IDENTIFIER sha512WithRSAEncryption
2028       PARAMS TYPE NULL ARE required
2029       HASHES { mda-sha512 }
2030       PUBLIC-KEYS { pk-rsa }
2031       SMIME-CAPS { IDENTIFIED BY sha512WithRSAEncryption }
2032   }
2033   sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }

2035   --
2036   -- Public key definition for OAEP encryption
2037   --

2039   pk-rsaES-OAEP PUBLIC-KEY ::= {
2040       IDENTIFIER id-RSAES-OAEP
2041       KEY RSAPublicKey
2042       PARAMS TYPE RSAES-OAEP-params ARE optional
2043       -- Private key format not in this module --
2044       CERT-KEY-USAGE {keyEncipherment, dataEncipherment}
2045   }

2047   --
2048   -- Key transport key lock definition for OAEP encryption
2049   --

2051   kta-rsaES-OAEP KEY-TRANSPORT ::= {
2052       IDENTIFIER id-RSAES-OAEP
2053       PARAMS TYPE RSAES-OAEP-params ARE required
2054       PUBLIC-KEYS { pk-rsa | pk-rsaES-OAEP }
2055       SMIME-CAPS { TYPE RSAES-OAEP-params IDENTIFIED BY id-RSAES-OAEP}
2056   }

2058   -- ============================
2059   -- Basic object identifiers
2060   -- ============================

2062   pkcs-1 OBJECT IDENTIFIER ::=
2063       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }

2065   -- When rsaEncryption is used in an AlgorithmIdentifier the
2066   -- parameters MUST be present and MUST be NULL.

2068   -- rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }

2070   -- When id-RSAES-OAEP is used in an AlgorithmIdentifier,
2071   -- and the parameters field is present, it MUST be
2072   -- RSAES-OAEP-params

2074   id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 }

2076   -- When id-mgf1 is used in an AlgorithmIdentifier the parameters
2077   -- MUST be present and MUST be a HashAlgorithm.
2079   id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 }

2081   -- When id-pSpecified is used in an AlgorithmIdentifier the
2082   -- parameters MUST be an OCTET STRING.

2084   id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 }

2086   -- When id-RSASSA-PSS is used in an AlgorithmIdentifier, and the
2087   -- parameters field is present, it MUST be RSASSA-PSS-params.

2089   id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }
2090   -- When the following OIDs are used in an AlgorithmIdentifier the
2091   -- parameters SHOULD be absent, but if the parameters are present,
2092   -- they MUST be NULL.

2094   --
2095   -- id-sha1 is imported from RFC 3279. Additionally, the v1.5
2096   -- signature algorithms (i.e. rsaWithSHA256) are now solely placed
2097   -- in that module.
2098   --

2100   id-sha224 OBJECT IDENTIFIER ::=
2101       { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
2102       csor(3) nistalgorithm(4) hashalgs(2) 4 }

2104   mda-sha224 DIGEST-ALGORITHM ::= {
2105       IDENTIFIER id-sha224
2106       PARAMS TYPE NULL ARE preferredAbsent
2107   }

2109   id-sha256 OBJECT IDENTIFIER ::=
2110       { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
2111       csor(3) nistalgorithm(4) hashalgs(2) 1 }

2113   mda-sha256 DIGEST-ALGORITHM ::= {
2114       IDENTIFIER id-sha256
2115       PARAMS TYPE NULL ARE preferredAbsent
2116   }
2117   id-sha384 OBJECT IDENTIFIER ::=
2118       { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
2119       csor(3) nistalgorithm(4) hashalgs(2) 2 }

2121   mda-sha384 DIGEST-ALGORITHM ::= {
2122       IDENTIFIER id-sha384
2123       PARAMS TYPE NULL ARE preferredAbsent
2124   }
2125   id-sha512 OBJECT IDENTIFIER ::=
2126       { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
2127       csor(3) nistalgorithm(4) hashalgs(2) 3 }

2129   mda-sha512 DIGEST-ALGORITHM ::= {
2130       IDENTIFIER id-sha512
2131       PARAMS TYPE NULL ARE preferredAbsent
2132   }

2134   -- =============
2135   -- Constants
2136   -- =============
2137   EncodingParameters ::= OCTET STRING(SIZE(0..MAX))

2139   nullOctetString EncodingParameters ::= ''H

2141   nullParameters NULL ::= NULL

2143   -- =========================
2144   -- Algorithm Identifiers
2145   -- =========================

2147   HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
2148       {HashAlgorithms}}

2150   HashAlgorithms DIGEST-ALGORITHM ::= {
2151       { IDENTIFIER id-sha1 PARAMS TYPE NULL ARE preferredPresent } |
2152       { IDENTIFIER id-sha224 PARAMS TYPE NULL ARE preferredPresent } |
2153       { IDENTIFIER id-sha256 PARAMS TYPE NULL ARE preferredPresent } |
2154       { IDENTIFIER id-sha384 PARAMS TYPE NULL ARE preferredPresent } |
2155       { IDENTIFIER id-sha512 PARAMS TYPE NULL ARE preferredPresent }
2156   }

2158   sha1Identifier HashAlgorithm ::= {
2159       algorithm id-sha1,
2160       parameters NULL : NULL
2161   }

2163   --
2164   -- We have a default algorithm - create the value here
2165   --

2167   MaskGenAlgorithm ::= AlgorithmIdentifier{ALGORITHM,
2168       {PKCS1MGFAlgorithms}}

2170   mgf1SHA1 MaskGenAlgorithm ::= {
2171       algorithm id-mgf1,
2172       parameters HashAlgorithm : sha1Identifier
2173   }

2175   --
2176   -- Define the set of mask generation functions
2177   --
2178   -- If the identifier is id-mgf1, any of the listed hash
2179   -- algorithms may be used.
2180   --

2182   PKCS1MGFAlgorithms ALGORITHM ::= {
2183       { IDENTIFIER id-mgf1 PARAMS TYPE HashAlgorithm ARE required },
2184       ...

2186   }

2188   --
2189   -- Define the set of known source algorithms for PSS
2190   --

2192   PSourceAlgorithm ::= AlgorithmIdentifier{ALGORITHM,
2193       {PSS-SourceAlgorithms}}

2195   PSS-SourceAlgorithms ALGORITHM ::= {
2196       { IDENTIFIER id-pSpecified PARAMS TYPE EncodingParameters
2197           ARE required },
2198       ...
2199   }

2201   pSpecifiedEmpty PSourceAlgorithm ::= {
2202       algorithm id-pSpecified,
2203       parameters EncodingParameters : nullOctetString
2204   }

2206   -- ===================
2207   -- Main structures
2208   -- ===================

2210   -- AlgorithmIdentifier parameters for id-RSASSA-PSS.
2211   -- Note that the tags in this Sequence are explicit.
2212   -- Note: The hash algorithm in hashAlgorithm and in
2213   -- maskGenAlgorithm should be the same.

2215   RSASSA-PSS-params ::= SEQUENCE {
2216       hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
2217       maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
2218       saltLength [2] INTEGER DEFAULT 20,
2219       trailerField [3] INTEGER DEFAULT 1
2220   }

2222   -- AlgorithmIdentifier parameters for id-RSAES-OAEP.
2223   -- Note that the tags in this Sequence are explicit.
2224   -- Note: The hash algorithm in hashFunc and in
2225   -- maskGenFunc should be the same

2227   RSAES-OAEP-params ::= SEQUENCE {
2228       hashFunc [0] HashAlgorithm DEFAULT sha1Identifier,
2229       maskGenFunc [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
2230       pSourceFunc [2] PSourceAlgorithm DEFAULT
2231           pSpecifiedEmpty
2232   }
2233   END

2235   10. ASN.1 Module for RFC 4210

2237   PKIXCMP-2009
2238       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2239       mechanisms(5) pkix(7) id-mod(0) id-mod-cmp2000-02(50) }
2240   DEFINITIONS EXPLICIT TAGS ::=
2241   BEGIN
2242   IMPORTS

2244   AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE
2245   FROM PKIX-CommonTypes-2009
2246       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2247       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

2249   AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM,
2250       DIGEST-ALGORITHM, MAC-ALGORITHM
2251   FROM AlgorithmInformation-2009
2252       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2253       mechanisms(5) pkix(7) id-mod(0)
2254       id-mod-algorithmInformation-02(58)}

2256   Certificate, CertificateList
2257   FROM PKIX1Explicit-2009
2258       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2259       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

2261   GeneralName, KeyIdentifier
2262   FROM PKIX1Implicit-2009
2263       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2264       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

2266   CertTemplate, PKIPublicationInfo, EncryptedValue, CertId,
2267       CertReqMessages
2268   FROM PKIXCRMF-2009
2269       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2270       mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55) }
2271   -- see also the behavioral clarifications to CRMF codified in
2272   -- Appendix C of this specification

2274   CertificationRequest
2275   FROM PKCS-10
2276       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-10(10)
2277       modules(1) pkcs-10(1) }
2278   -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT
2279   -- tags). Alternatively, implementers may directly include
2280   -- the [PKCS10] syntax in this module
2281   ;

2283   -- the rest of the module contains locally-defined OIDs and
2284   -- constructs

2286   CMPCertificate ::= CHOICE { x509v3PKCert Certificate, ... }
2287   -- This syntax, while bits-on-the-wire compatible with the
2288   -- standard X.509 definition of "Certificate", allows the
2289   -- possibility of future certificate types (such as X.509
2290   -- attribute certificates, WAP WTLS certificates, or other kinds
2291   -- of certificates) within this certificate management protocol,
2292   -- should a need ever arise to support such generality. Those
2293   -- implementations that do not foresee a need to ever support
2294   -- other certificate types MAY, if they wish, comment out the
2295   -- above structure and "un-comment" the following one prior to
2296   -- compiling this ASN.1 module. (Note that interoperability
2297   -- with implementations that don't do this will be unaffected by
2298   -- this change.)
2300   -- CMPCertificate ::= Certificate

2302   PKIMessage ::= SEQUENCE {
2303       header PKIHeader,
2304       body PKIBody,
2305       protection [0] PKIProtection OPTIONAL,
2306       extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
2307           OPTIONAL }

2309   PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage

2311   PKIHeader ::= SEQUENCE {
2312       pvno INTEGER { cmp1999(1), cmp2000(2) },
2313       sender GeneralName,
2314       -- identifies the sender
2315       recipient GeneralName,
2316       -- identifies the intended recipient
2317       messageTime [0] GeneralizedTime OPTIONAL,
2318       -- time of production of this message (used when sender
2319       -- believes that the transport will be "suitable"; i.e.,
2320       -- that the time will still be meaningful upon receipt)
2321       protectionAlg [1] AlgorithmIdentifier{ALGORITHM, {...}}
2322           OPTIONAL,
2323       -- algorithm used for calculation of protection bits
2324       senderKID [2] KeyIdentifier OPTIONAL,
2325       recipKID [3] KeyIdentifier OPTIONAL,
2326       -- to identify specific keys used for protection
2327       transactionID [4] OCTET STRING OPTIONAL,
2328       -- identifies the transaction; i.e., this will be the same in
2329       -- corresponding request, response, certConf, and PKIConf
2330       -- messages
2331       senderNonce [5] OCTET STRING OPTIONAL,
2332       recipNonce [6] OCTET STRING OPTIONAL,
2333       -- nonces used to provide replay protection, senderNonce
2334       -- is inserted by the creator of this message; recipNonce
2335       -- is a nonce previously inserted in a related message by
2336       -- the intended recipient of this message
2337       freeText [7] PKIFreeText OPTIONAL,
2338       -- this may be used to indicate context-specific instructions
2339       -- (this field is intended for human consumption)
2340       generalInfo [8] SEQUENCE SIZE (1..MAX) OF
2341           InfoTypeAndValue OPTIONAL
2342       -- this may be used to convey context-specific information
2343       -- (this field not primarily intended for human consumption)
2344   }

2346   PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
2347       -- text encoded as UTF-8 String [RFC3629] (note: each
2348       -- UTF8String MAY include an [RFC3066] language tag
2349       -- to indicate the language of the contained text
2350       -- see [RFC2482] for details)

2352   PKIBody ::= CHOICE { -- message-specific body elements
2353       ir [0] CertReqMessages, --Initialization Request
2354       ip [1] CertRepMessage, --Initialization Response
2355       cr [2] CertReqMessages, --Certification Request
2356       cp [3] CertRepMessage, --Certification Response
2357       p10cr [4] CertificationRequest, --imported from [PKCS10]
2358       popdecc [5] POPODecKeyChallContent, --pop Challenge
2359       popdecr [6] POPODecKeyRespContent, --pop Response
2360       kur [7] CertReqMessages, --Key Update Request
2361       kup [8] CertRepMessage, --Key Update Response
2362       krr [9] CertReqMessages, --Key Recovery Request
2363       krp [10] KeyRecRepContent, --Key Recovery Response
2364       rr [11] RevReqContent, --Revocation Request
2365       rp [12] RevRepContent, --Revocation Response
2366       ccr [13] CertReqMessages, --Cross-Cert. Request
2367       ccp [14] CertRepMessage, --Cross-Cert. Response
2368       ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
2369       cann [16] CertAnnContent, --Certificate Ann.
2370       rann [17] RevAnnContent, --Revocation Ann.
2371       crlann [18] CRLAnnContent, --CRL Announcement
2372       pkiconf [19] PKIConfirmContent, --Confirmation
2373       nested [20] NestedMessageContent, --Nested Message
2374       genm [21] GenMsgContent, --General Message
2375       genp [22] GenRepContent, --General Response
2376       error [23] ErrorMsgContent, --Error Message
2377       certConf [24] CertConfirmContent, --Certificate confirm
2378       pollReq [25] PollReqContent, --Polling request
2379       pollRep [26] PollRepContent --Polling response
2380   }

2382   PKIProtection ::= BIT STRING

2384   ProtectedPart ::= SEQUENCE {
2385       header PKIHeader,
2386       body PKIBody }

2388   id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2389       usa(840) nt(113533) nsn(7) algorithms(66) 13 }
2390   PBMParameter ::= SEQUENCE {
2391       salt OCTET STRING,
2392       -- note: implementations MAY wish to limit acceptable sizes
2393       -- of this string to values appropriate for their environment
2394       -- in order to reduce the risk of denial-of-service attacks
2395       owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
2396       -- AlgId for a One-Way Function (SHA-1 recommended)
2397       iterationCount INTEGER,
2398       -- number of times the OWF is applied
2399       -- note: implementations MAY wish to limit acceptable sizes
2400       -- of this integer to values appropriate for their environment
2401       -- in order to reduce the risk of denial-of-service attacks
2402       mac AlgorithmIdentifier{MAC-ALGORITHM, {...}}
2403       -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
2404       -- or HMAC [RFC2104, RFC2202])
2405   }

2407   id-DHBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2408       usa(840) nt(113533) nsn(7) algorithms(66) 30 }
2409   DHBMParameter ::= SEQUENCE {
2410       owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
2411       -- AlgId for a One-Way Function (SHA-1 recommended)
2412       mac AlgorithmIdentifier{MAC-ALGORITHM, {...}}
2413       -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
2414       -- or HMAC [RFC2104, RFC2202])
2415   }

2417   PKIStatus ::= INTEGER {
2418       accepted (0),
2419       -- you got exactly what you asked for
2420       grantedWithMods (1),
2421       -- you got something like what you asked for; the
2422       -- requester is responsible for ascertaining the differences
2423       rejection (2),
2424       -- you don't get it, more information elsewhere in the message
2425       waiting (3),
2426       -- the request body part has not yet been processed; expect to
2427       -- hear more later (note: proper handling of this status
2428       -- response MAY use the polling req/rep PKIMessages specified
2429       -- in Section 5.3.22; alternatively, polling in the underlying
2430       -- transport layer MAY have some utility in this regard)
2431       revocationWarning (4),
2432       -- this message contains a warning that a revocation is
2433       -- imminent
2434       revocationNotification (5),
2435       -- notification that a revocation has occurred
2436       keyUpdateWarning (6)
2437       -- update already done for the oldCertId specified in
2438       -- CertReqMsg
2439   }

2441   PKIFailureInfo ::= BIT STRING {
2442       -- since we can fail in more than one way!
2443       -- More codes may be added in the future if/when required.
2444       badAlg (0),
2445       -- unrecognized or unsupported Algorithm Identifier
2446       badMessageCheck (1),
2447       -- integrity check failed (e.g., signature did not verify)
2448       badRequest (2),
2449       -- transaction not permitted or supported
2450       badTime (3),
2451       -- messageTime was not sufficiently close to the system time,
2452       -- as defined by local policy
2453       badCertId (4),
2454       -- no certificate could be found matching the provided criteria
2455       badDataFormat (5),
2456       -- the data submitted has the wrong format
2457       wrongAuthority (6),
2458       -- the authority indicated in the request is different from the
2459       -- one creating the response token
2460       incorrectData (7),
2461       -- the requester's data is incorrect (for notary services)
2462       missingTimeStamp (8),
2463       -- when the timestamp is missing but should be there
2464       -- (by policy)
2465       badPOP (9),
2466       -- the proof-of-possession failed
2467       certRevoked (10),
2468       -- the certificate has already been revoked
2469       certConfirmed (11),
2470       -- the certificate has already been confirmed
2471       wrongIntegrity (12),
2472       -- invalid integrity, password based instead of signature or
2473       -- vice versa
2474       badRecipientNonce (13),
2475       -- invalid recipient nonce, either missing or wrong value
2476       timeNotAvailable (14),
2477       -- the TSA's time source is not available
2478       unacceptedPolicy (15),
2479       -- the requested TSA policy is not supported by the TSA
2480       unacceptedExtension (16),
2481       -- the requested extension is not supported by the TSA
2482       addInfoNotAvailable (17),
2483       -- the additional information requested could not be
2484       -- understood or is not available
2485       badSenderNonce (18),
2486       -- invalid sender nonce, either missing or wrong size
2487       badCertTemplate (19),
2488       -- invalid cert. template or missing mandatory information
2489       signerNotTrusted (20),
2490       -- signer of the message unknown or not trusted
2491       transactionIdInUse (21),
2492       -- the transaction identifier is already in use
2493       unsupportedVersion (22),
2494       -- the version of the message is not supported
2495       notAuthorized (23),
2496       -- the sender was not authorized to make the preceding
2497       -- request or perform the preceding action
2498       systemUnavail (24),
2499       -- the request cannot be handled due to system unavailability
2500       systemFailure (25),
2501       -- the request cannot be handled due to system failure
2502       duplicateCertReq (26)
2503       -- certificate cannot be issued because a duplicate
2504       -- certificate already exists
2505   }

2507   PKIStatusInfo ::= SEQUENCE {
2508       status PKIStatus,
2509       statusString PKIFreeText OPTIONAL,
2510       failInfo PKIFailureInfo OPTIONAL }

2512   OOBCert ::= CMPCertificate

2514   OOBCertHash ::= SEQUENCE {
2515       hashAlg [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
2516           OPTIONAL,
2517       certId [1] CertId OPTIONAL,
2518       hashVal BIT STRING
2519       -- hashVal is calculated over the DER encoding of the
2520       -- self-signed certificate with the identifier certID.
2521   }

2523   POPODecKeyChallContent ::= SEQUENCE OF Challenge
2524   -- One Challenge per encryption key certification request (in the
2525   -- same order as these requests appear in CertReqMessages).

2527   Challenge ::= SEQUENCE {
2528       owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
2529           OPTIONAL,
2530       -- MUST be present in the first Challenge; MAY be omitted in
2531       -- any subsequent Challenge in POPODecKeyChallContent (if
2532       -- omitted, then the owf used in the immediately preceding
2533       -- Challenge is to be used).
2534       witness OCTET STRING,
2535       -- the result of applying the one-way function (owf) to a
2536       -- randomly-generated INTEGER, A. [Note that a different
2537       -- INTEGER MUST be used for each Challenge.]
2538       challenge OCTET STRING
2539       -- the encryption (under the public key for which the cert.
2540       -- request is being made) of Rand, where Rand is specified as
2541       -- Rand ::= SEQUENCE {
2542       --     int INTEGER,
2543       --     - the randomly-generated INTEGER A (above)
2544       --     sender GeneralName
2545       --     - the sender's name (as included in PKIHeader)
2546       -- }
2547   }

2549   POPODecKeyRespContent ::= SEQUENCE OF INTEGER
2550   -- One INTEGER per encryption key certification request (in the
2551   -- same order as these requests appear in CertReqMessages). The
2552   -- retrieved INTEGER A (above) is returned to the sender of the
2553   -- corresponding Challenge.

2555   CertRepMessage ::= SEQUENCE {
2556       caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
2557           OPTIONAL,
2558       response SEQUENCE OF CertResponse }

2560   CertResponse ::= SEQUENCE {
2561       certReqId INTEGER,
2562       -- to match this response with corresponding request (a value
2563       -- of -1 is to be used if certReqId is not specified in the
2564       -- corresponding request)
2565       status PKIStatusInfo,
2566       certifiedKeyPair CertifiedKeyPair OPTIONAL,
2567       rspInfo OCTET STRING OPTIONAL
2568       -- analogous to the id-regInfo-utf8Pairs string defined
2569       -- for regInfo in CertReqMsg [RFC4211]
2570   }

2572   CertifiedKeyPair ::= SEQUENCE {
2573       certOrEncCert CertOrEncCert,
2574       privateKey [0] EncryptedValue OPTIONAL,
2575       -- see [RFC4211] for comment on encoding
2576       publicationInfo [1] PKIPublicationInfo OPTIONAL }

2578   CertOrEncCert ::= CHOICE {
2579       certificate [0] CMPCertificate,
2580       encryptedCert [1] EncryptedValue }

2582   KeyRecRepContent ::= SEQUENCE {
2583       status PKIStatusInfo,
2584       newSigCert [0] CMPCertificate OPTIONAL,
2585       caCerts [1] SEQUENCE SIZE (1..MAX) OF
2586           CMPCertificate OPTIONAL,
2587       keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
2588           CertifiedKeyPair OPTIONAL }

2590   RevReqContent ::= SEQUENCE OF RevDetails

2592   RevDetails ::= SEQUENCE {
2593       certDetails CertTemplate,
2594       -- allows requester to specify as much as they can about
2595       -- the cert. for which revocation is requested
2596       -- (e.g., for cases in which serialNumber is not available)
2597       crlEntryDetails Extensions{{...}} OPTIONAL
2598       -- requested crlEntryExtensions
2599   }

2601   RevRepContent ::= SEQUENCE {
2602       status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
2603       -- in same order as was sent in RevReqContent
2604       revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
2605       -- IDs for which revocation was requested
2606       -- (same order as status)
2607       crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
2608       -- the resulting CRLs (there may be more than one)
2609   }

2611   CAKeyUpdAnnContent ::= SEQUENCE {
2612       oldWithNew CMPCertificate, -- old pub signed with new priv
2613       newWithOld CMPCertificate, -- new pub signed with old priv
2614       newWithNew CMPCertificate -- new pub signed with new priv
2615   }

2617   CertAnnContent ::= CMPCertificate

2619   RevAnnContent ::= SEQUENCE {
2620       status PKIStatus,
2621       certId CertId,
2622       willBeRevokedAt GeneralizedTime,
2623       badSinceDate GeneralizedTime,
2624       crlDetails Extensions{{...}} OPTIONAL
2625       -- extra CRL details (e.g., crl number, reason, location, etc.)
2626   }

2628   CRLAnnContent ::= SEQUENCE OF CertificateList

2630   PKIConfirmContent ::= NULL

2632   NestedMessageContent ::= PKIMessages

2634   INFO-TYPE-AND-VALUE ::= TYPE-IDENTIFIER

2636   InfoTypeAndValue ::= SEQUENCE {
2637       infoType INFO-TYPE-AND-VALUE.
2638           &id({SupportedInfoSet}),
2639       infoValue INFO-TYPE-AND-VALUE.
2640           &Type({SupportedInfoSet}{@infoType}) }

2642   SupportedInfoSet INFO-TYPE-AND-VALUE ::= { ... }

2644   -- Example InfoTypeAndValue contents include, but are not limited
2645   -- to, the following (un-comment in this ASN.1 module and use as
2646   -- appropriate for a given environment):
2647   --
2648   -- id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1}
2649   --     CAProtEncCertValue ::= CMPCertificate
2650   -- id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2}
2651   --     SignKeyPairTypesValue ::= SEQUENCE OF
2652   --         AlgorithmIdentifier{{...}}
2653   -- id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3}
2654   --     EncKeyPairTypesValue ::= SEQUENCE OF
2655   --         AlgorithmIdentifier{{...}}
2656   -- id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4}
2657   --     PreferredSymmAlgValue ::= AlgorithmIdentifier{{...}}
2658   -- id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5}
2659   --     CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent
2660   -- id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6}
2661   --     CurrentCRLValue ::= CertificateList
2662   -- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
2663   --     UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER
2664   -- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10}
2665   --     KeyPairParamReqValue ::= OBJECT IDENTIFIER
2666   -- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11}
2667   --     KeyPairParamRepValue ::= AlgorithmIdentifier
2668   -- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12}
2669   --     RevPassphraseValue ::= EncryptedValue
2670   -- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13}
2671   --     ImplicitConfirmValue ::= NULL
2672   -- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14}
2673   --     ConfirmWaitTimeValue ::= GeneralizedTime
2674   -- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
2675   --     OrigPKIMessageValue ::= PKIMessages
2676   -- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16}
2677   --     SuppLangTagsValue ::= SEQUENCE OF UTF8String
2678   --
2679   -- where
2680   --
2681   -- id-pkix OBJECT IDENTIFIER ::= {
2682   --     iso(1) identified-organization(3)
2683   --     dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
2684   -- and
2685   -- id-it OBJECT IDENTIFIER ::= {id-pkix 4}
2686   --
2687   --
2688   -- This construct MAY also be used to define new PKIX Certificate
2689   -- Management Protocol request and response messages, or general-
2690   -- purpose (e.g., announcement) messages for future needs or for
2691   -- specific environments.

2693   GenMsgContent ::= SEQUENCE OF InfoTypeAndValue

2695   -- May be sent by EE, RA, or CA (depending on message content).
2696   -- The OPTIONAL infoValue parameter of InfoTypeAndValue will
2697   -- typically be omitted for some of the examples given above.
2698   -- The receiver is free to ignore any contained OBJ. IDs that it
2699   -- does not recognize. If sent from EE to CA, the empty set
2700   -- indicates that the CA may send
2701   -- any/all information that it wishes.

2703   GenRepContent ::= SEQUENCE OF InfoTypeAndValue
2704   -- Receiver MAY ignore any contained OIDs that it does not
2705   -- recognize.

2707   ErrorMsgContent ::= SEQUENCE {
2708       pKIStatusInfo PKIStatusInfo,
2709       errorCode INTEGER OPTIONAL,
2710       -- implementation-specific error codes
2711       errorDetails PKIFreeText OPTIONAL
2712       -- implementation-specific error details
2713   }

2715   CertConfirmContent ::= SEQUENCE OF CertStatus

2717   CertStatus ::= SEQUENCE {
2718       certHash OCTET STRING,
2719       -- the hash of the certificate, using the same hash algorithm
2720       -- as is used to create and verify the certificate signature
2721       certReqId INTEGER,
2722       -- to match this confirmation with the corresponding req/rep
2723       statusInfo PKIStatusInfo OPTIONAL }

2725   PollReqContent ::= SEQUENCE OF SEQUENCE {
2726       certReqId INTEGER }

2728   PollRepContent ::= SEQUENCE OF SEQUENCE {
2729       certReqId INTEGER,
2730       checkAfter INTEGER, -- time in seconds
2731       reason PKIFreeText OPTIONAL }

2733   END

2735   11. ASN.1 Module for RFC 4211

2737   PKIXCRMF-2009
2738       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2739       mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)}
2740   DEFINITIONS IMPLICIT TAGS ::=
2741   BEGIN
2742   IMPORTS

2744   AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE,
2745       SingleAttribute{}
2746   FROM PKIX-CommonTypes-2009
2747       {iso(1) identified-organization(3) dod(6) internet(1)
2748       security(5) mechanisms(5) pkix(7) id-mod(0)
2749       id-mod-pkixCommon-02(57) }

2751   AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM,
2752       DIGEST-ALGORITHM, MAC-ALGORITHM, PUBLIC-KEY
2753   FROM AlgorithmInformation-2009
2754       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2755       mechanisms(5) pkix(7) id-mod(0)
2756       id-mod-algorithmInformation-02(58)}

2758   Version, Name, Time, SubjectPublicKeyInfo, UniqueIdentifier, id-pkix,
2759       SignatureAlgorithms
2760   FROM PKIX1Explicit-2009
2761       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2762       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

2764   GeneralName, CertExtensions
2765   FROM PKIX1Implicit-2009
2766       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2767       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

2769   EnvelopedData, CONTENT-TYPE
2770   FROM CryptographicMessageSyntax-2009
2771       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2772       smime(16) modules(0) id-mod-cms-2004-02(41)}

2774   maca-hMAC-SHA1
2775   FROM CryptographicMessageSyntaxAlgorithms-2009
2776       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2777       smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

2779   mda-sha1
2780   FROM PKIXAlgs-2009
2781       { iso(1) identified-organization(3) dod(6)
2782       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
2783       id-mod-pkix1-algorithms2008-02(56) } ;

2785   -- arc for Internet X.509 PKI protocols and their components

2787   id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 }

2789   id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2790       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }

2792   id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types

2794   -- Core definitions for this module

2796   CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg

2798   CertReqMsg ::= SEQUENCE {
2799       certReq CertRequest,
2800       popo ProofOfPossession OPTIONAL,
2801       -- content depends upon key type
2802       regInfo SEQUENCE SIZE(1..MAX) OF
2803           SingleAttribute{{RegInfoSet}} OPTIONAL }

2805   CertRequest ::= SEQUENCE {
2806       certReqId INTEGER,
2807       -- ID for matching request and reply
2808       certTemplate CertTemplate,
2809       -- Selected fields of cert to be issued
2810       controls Controls OPTIONAL }
2811       -- Attributes affecting issuance

2813   CertTemplate ::= SEQUENCE {
2814       version [0] Version OPTIONAL,
2815       serialNumber [1] INTEGER OPTIONAL,
2816       signingAlg [2] AlgorithmIdentifier{SIGNATURE-ALGORITHM,
2817           {SignatureAlgorithms}} OPTIONAL,
2818       issuer [3] Name OPTIONAL,
2819       validity [4] OptionalValidity OPTIONAL,
2820       subject [5] Name OPTIONAL,
2821       publicKey [6] SubjectPublicKeyInfo OPTIONAL,
2822       issuerUID [7] UniqueIdentifier OPTIONAL,
2823       subjectUID [8] UniqueIdentifier OPTIONAL,
2824       extensions [9] Extensions{{CertExtensions}} OPTIONAL }

2826   OptionalValidity ::= SEQUENCE {
2827       notBefore [0] Time OPTIONAL,
2828       notAfter [1] Time OPTIONAL } -- at least one MUST be present

2830   Controls ::= SEQUENCE SIZE(1..MAX) OF SingleAttribute
2831       {{RegControlSet}}

2833   ProofOfPossession ::= CHOICE {
2834       raVerified [0] NULL,
2835       -- used if the RA has already verified that the requester is in
2836       -- possession of the private key
2837       signature [1] POPOSigningKey,
2838       keyEncipherment [2] POPOPrivKey,
2839       keyAgreement [3] POPOPrivKey }

2841   POPOSigningKey ::= SEQUENCE {
2842       poposkInput [0] POPOSigningKeyInput OPTIONAL,
2843       algorithmIdentifier AlgorithmIdentifier{SIGNATURE-ALGORITHM,
2844           {SignatureAlgorithms}},
2845       signature BIT STRING }
2846       -- The signature (using "algorithmIdentifier") is on the
2847       --
DER-encoded value of poposkInput. NOTE: If the CertReqMsg 2848 -- certReq CertTemplate contains the subject and publicKey values, 2849 -- then poposkInput MUST be omitted and the signature MUST be 2850 -- computed over the DER-encoded value of CertReqMsg certReq. If 2851 -- the CertReqMsg certReq CertTemplate does not contain both the 2852 -- public key and subject values (i.e., if it contains only one 2853 -- of these, or neither), then poposkInput MUST be present and 2854 -- MUST be signed. 2856 POPOSigningKeyInput ::= SEQUENCE { 2857 authInfo CHOICE { 2858 sender [0] GeneralName, 2859 -- used only if an authenticated identity has been 2860 -- established for the sender (e.g., a DN from a 2861 -- previously-issued and currently-valid certificate) 2862 publicKeyMAC PKMACValue }, 2863 -- used if no authenticated GeneralName currently exists for 2864 -- the sender; publicKeyMAC contains a password-based MAC 2865 -- on the DER-encoded value of publicKey 2866 publicKey SubjectPublicKeyInfo } -- from CertTemplate 2868 PKMACValue ::= SEQUENCE { 2869 algId AlgorithmIdentifier{MAC-ALGORITHM, 2870 {Password-MACAlgorithms}}, 2871 value BIT STRING } 2873 -- 2874 -- Define the currently only acceptable MAC algorithm to be used 2875 -- for the PKMACValue structure 2876 -- 2878 id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2) 2879 usa(840) nt(113533) nsn(7) algorithms(66) 13 } 2881 Password-MACAlgorithms MAC-ALGORITHM ::= { 2882 {IDENTIFIER id-PasswordBasedMac 2883 PARAMS TYPE PBMParameter ARE required 2884 IS-KEYED-MAC TRUE 2885 }, ... 
2886 } 2888 PBMParameter ::= SEQUENCE { 2889 salt OCTET STRING, 2890 owf AlgorithmIdentifier{DIGEST-ALGORITHM, 2891 {DigestAlgorithms}}, 2892 -- AlgId for a One-Way Function (SHA-1 recommended) 2893 iterationCount INTEGER, 2894 -- number of times the OWF is applied 2895 mac AlgorithmIdentifier{MAC-ALGORITHM, 2896 {MACAlgorithms}} 2897 -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC, or HMAC 2898 } 2900 DigestAlgorithms DIGEST-ALGORITHM ::= { 2901 mda-sha1, ... 2902 } 2904 MACAlgorithms MAC-ALGORITHM ::= { 2905 -- I don't currently find a module with these defined. 2906 -- maca-des-mac | maca-3des-mac -- 2907 maca-hMAC-SHA1, 2908 ... 2909 } 2911 POPOPrivKey ::= CHOICE { 2912 thisMessage [0] BIT STRING, -- Deprecated 2913 -- possession is proven in this message (which contains 2914 -- the private key itself (encrypted for the CA)) 2915 subsequentMessage [1] SubsequentMessage, 2916 -- possession will be proven in a subsequent message 2917 dhMAC [2] BIT STRING, -- Deprecated 2918 agreeMAC [3] PKMACValue, 2919 encryptedKey [4] EnvelopedData } 2920 -- for keyAgreement (only), possession is proven in this message 2921 -- (which contains a MAC (over the DER-encoded value of the 2922 -- certReq parameter in CertReqMsg, which MUST include both 2923 -- subject and publicKey) based on a key derived from the end 2924 -- entity's private DH key and the CA's public DH key); 2926 SubsequentMessage ::= INTEGER { 2927 encrCert (0), 2928 -- requests that resulting certificate be encrypted for the 2929 -- end entity (following which, POP will be proven in a 2930 -- confirmation message) 2931 challengeResp (1) } 2932 -- requests that CA engage in challenge-response exchange with 2933 -- end entity in order to prove private key possession 2935 -- 2936 -- id-ct-encKeyWithID content type used as the content type for the 2937 -- EnvelopedData in POPOPrivKey. 2938 -- It contains both a private key and an identifier for key escrow 2939 -- agents to check against recovery requestors. 
2940 -- 2942 ct-encKeyWithID CONTENT-TYPE ::= 2943 { EncKeyWithID IDENTIFIED BY id-ct-encKeyWithID } 2945 id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} 2947 EncKeyWithID ::= SEQUENCE { 2948 privateKey PrivateKeyInfo, 2949 identifier CHOICE { 2950 string UTF8String, 2951 generalName GeneralName 2952 } OPTIONAL 2953 } 2955 PrivateKeyInfo ::= SEQUENCE { 2956 version INTEGER, 2957 privateKeyAlgorithm AlgorithmIdentifier{PUBLIC-KEY, {...}}, 2958 privateKey OCTET STRING, 2959 -- Structure of public key is in PUBLIC-KEY.&PrivateKey 2960 attributes [0] IMPLICIT Attributes OPTIONAL 2961 } 2963 Attributes ::= SET OF AttributeSet{{PrivateKeyAttributes}} 2965 PrivateKeyAttributes ATTRIBUTE ::= {...} 2967 -- 2968 -- 6. Registration Controls in CRMF 2969 -- 2971 id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 } 2973 RegControlSet ATTRIBUTE ::= { 2974 regCtrl-regToken | regCtrl-authenticator | 2975 regCtrl-pkiPublicationInfo | regCtrl-pkiArchiveOptions | 2976 regCtrl-oldCertID | regCtrl-protocolEncrKey, ... } 2978 -- 2979 -- 6.1 Registration Token Control 2980 -- 2982 regCtrl-regToken ATTRIBUTE ::= 2983 { TYPE RegToken IDENTIFIED BY id-regCtrl-regToken } 2985 id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 } 2987 RegToken ::= UTF8String 2989 -- 2990 -- 6.2 Authenticator Control 2991 -- 2993 regCtrl-authenticator ATTRIBUTE ::= 2994 { TYPE Authenticator IDENTIFIED BY id-regCtrl-authenticator } 2996 id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 } 2998 Authenticator ::= UTF8String 3000 -- 3001 -- 6.3. 
Publication Information Control 3002 -- 3004 regCtrl-pkiPublicationInfo ATTRIBUTE ::= 3005 { TYPE PKIPublicationInfo IDENTIFIED BY 3006 id-regCtrl-pkiPublicationInfo } 3008 id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 } 3010 PKIPublicationInfo ::= SEQUENCE { 3011 action INTEGER { 3012 dontPublish (0), 3013 pleasePublish (1) }, 3014 pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL } 3015 -- pubInfos MUST NOT be present if action is "dontPublish" 3016 -- (if action is "pleasePublish" and pubInfos is omitted, 3017 -- "dontCare" is assumed) 3019 SinglePubInfo ::= SEQUENCE { 3020 pubMethod INTEGER { 3021 dontCare (0), 3022 x500 (1), 3023 web (2), 3024 ldap (3) }, 3025 pubLocation GeneralName OPTIONAL } 3027 -- 3028 -- 6.4. Archive Options Control 3029 -- 3031 regCtrl-pkiArchiveOptions ATTRIBUTE ::= 3032 { TYPE PKIArchiveOptions IDENTIFIED BY 3033 id-regCtrl-pkiArchiveOptions } 3035 id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 } 3037 PKIArchiveOptions ::= CHOICE { 3038 encryptedPrivKey [0] EncryptedKey, 3039 -- the actual value of the private key 3040 keyGenParameters [1] KeyGenParameters, 3041 -- parameters that allow the private key to be re-generated 3042 archiveRemGenPrivKey [2] BOOLEAN } 3043 -- set to TRUE if sender wishes receiver to archive the private 3044 -- key of a key pair that the receiver generates in response to 3045 -- this request; set to FALSE if no archival is desired. 3047 EncryptedKey ::= CHOICE { 3048 encryptedValue EncryptedValue, -- Deprecated 3049 envelopedData [0] EnvelopedData } 3050 -- The encrypted private key MUST be placed in the envelopedData 3051 -- encryptedContentInfo encryptedContent OCTET STRING. 
3053 -- 3054 -- We skipped doing the full constraints here since this structure has 3055 -- been deprecated in favor of EnvelopedData 3056 -- 3058 EncryptedValue ::= SEQUENCE { 3059 intendedAlg [0] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, 3060 -- the intended algorithm for which the value will be used 3061 symmAlg [1] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, 3062 -- the symmetric algorithm used to encrypt the value 3063 encSymmKey [2] BIT STRING OPTIONAL, 3064 -- the (encrypted) symmetric key used to encrypt the value 3065 keyAlg [3] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, 3066 -- algorithm used to encrypt the symmetric key 3067 valueHint [4] OCTET STRING OPTIONAL, 3068 -- a brief description or identifier of the encValue content 3069 -- (may be meaningful only to the sending entity, and used only 3070 -- if EncryptedValue might be re-examined by the sending entity 3071 -- in the future) 3072 encValue BIT STRING } 3073 -- the encrypted value itself 3074 -- When EncryptedValue is used to carry a private key (as opposed to 3075 -- a certificate), implementations MUST support the encValue field 3076 -- containing an encrypted PrivateKeyInfo as defined in [PKCS11], 3077 -- section 12.11. If encValue contains some other format/encoding 3078 -- for the private key, the first octet of valueHint MAY be used 3079 -- to indicate the format/encoding (but note that the possible values 3080 -- of this octet are not specified at this time). In all cases, the 3081 -- intendedAlg field MUST be used to indicate at least the OID of 3082 -- the intended algorithm of the private key, unless this information 3083 -- is known a priori to both sender and receiver by some other means. 3085 KeyGenParameters ::= OCTET STRING 3087 -- 3088 -- 6.5.
OldCert ID Control 3089 -- 3091 regCtrl-oldCertID ATTRIBUTE ::= 3092 { TYPE OldCertId IDENTIFIED BY id-regCtrl-oldCertID } 3094 id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 } 3096 OldCertId ::= CertId 3098 CertId ::= SEQUENCE { 3099 issuer GeneralName, 3100 serialNumber INTEGER } 3102 -- 3103 -- 6.6. Protocol Encryption Key Control 3104 -- 3106 regCtrl-protocolEncrKey ATTRIBUTE ::= 3107 { TYPE ProtocolEncrKey IDENTIFIED BY id-regCtrl-protocolEncrKey } 3109 id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 } 3111 ProtocolEncrKey ::= SubjectPublicKeyInfo 3113 -- 3114 -- 7. Registration Info in CRMF 3115 -- 3117 id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 } 3119 RegInfoSet ATTRIBUTE ::= 3120 { regInfo-utf8Pairs | regInfo-certReq } 3122 -- 3123 -- 7.1. utf8Pairs RegInfo Control 3124 -- 3126 regInfo-utf8Pairs ATTRIBUTE ::= 3127 { TYPE UTF8Pairs IDENTIFIED BY id-regInfo-utf8Pairs } 3129 id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= { id-regInfo 1 } 3130 --with syntax 3131 UTF8Pairs ::= UTF8String 3133 -- 3134 -- 7.2. certReq RegInfo Control 3135 -- 3137 regInfo-certReq ATTRIBUTE ::= 3138 { TYPE CertReq IDENTIFIED BY id-regInfo-certReq } 3140 id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 } 3141 --with syntax 3142 CertReq ::= CertRequest 3144 END 3146 12. 
ASN.1 Module for RFC 5055 3148 SCVP-2009 3149 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 3150 mechanisms(5) pkix(7) id-mod(0) id-mod-scvp-02(52) } 3151 DEFINITIONS IMPLICIT TAGS ::= 3152 BEGIN 3153 IMPORTS 3155 Extensions{}, EXTENSION, ATTRIBUTE 3156 FROM PKIX-CommonTypes-2009 3157 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 3158 mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } 3160 AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, PUBLIC-KEY, KEY-AGREE, 3161 DIGEST-ALGORITHM, KEY-DERIVATION, MAC-ALGORITHM 3162 FROM AlgorithmInformation-2009 3163 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 3164 mechanisms(5) pkix(7) id-mod(0) 3165 id-mod-algorithmInformation-02(58)} 3167 Certificate, CertificateList, CertificateSerialNumber, 3168 SignatureAlgorithms, SubjectPublicKeyInfo 3169 FROM PKIX1Explicit-2009 3170 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 3171 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } 3173 GeneralNames, GeneralName, KeyUsage, KeyPurposeId 3174 FROM PKIX1Implicit-2009 3175 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 3176 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } 3178 AttributeCertificate 3179 FROM PKIXAttributeCertificate-2009 3180 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 3181 mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } 3183 OCSPResponse 3184 FROM OCSP-2009 3185 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 3186 mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp-02(48) } 3188 ContentInfo, CONTENT-TYPE 3189 FROM CryptographicMessageSyntax-2009 3190 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 3191 smime(16) modules(0) id-mod-cms-2004-02(41) } 3193 mda-sha1 3194 FROM PKIXAlgs-2009 3195 { iso(1) identified-organization(3) dod(6) 3196 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 3197 
id-mod-pkix1-algorithms2008-02(56) } ; 3199 ContentTypes CONTENT-TYPE ::= {ct-scvp-certValRequest | 3200 ct-scvp-certValResponse | ct-scvp-valPolRequest | 3201 ct-scvp-valPolResponse, ... } 3203 id-ct OBJECT IDENTIFIER ::= 3204 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3205 id-smime(16) 1 } 3207 ct-scvp-certValRequest CONTENT-TYPE ::= 3208 { CVRequest IDENTIFIED BY id-ct-scvp-certValRequest } 3210 id-ct-scvp-certValRequest OBJECT IDENTIFIER ::= { id-ct 10 } 3212 -- SCVP Certificate Validation Request 3214 CVRequest ::= SEQUENCE { 3215 cvRequestVersion INTEGER DEFAULT 1, 3216 query Query, 3217 requestorRef [0] GeneralNames OPTIONAL, 3218 requestNonce [1] OCTET STRING OPTIONAL, 3219 requestorName [2] GeneralName OPTIONAL, 3220 responderName [3] GeneralName OPTIONAL, 3221 requestExtensions [4] Extensions{{RequestExtensions}} 3222 OPTIONAL, 3223 signatureAlg [5] AlgorithmIdentifier 3224 {SIGNATURE-ALGORITHM, 3225 {SignatureAlgorithms}} 3226 OPTIONAL, 3227 hashAlg [6] OBJECT IDENTIFIER OPTIONAL, 3228 requestorText [7] UTF8String (SIZE (1..256)) OPTIONAL 3229 } 3230 -- Set of signature algorithms is coming from RFC 5280 3231 -- SignatureAlgorithms SIGNATURE-ALGORITHM ::= {...} 3233 -- Add supported request extensions here, all new items should 3234 -- be added after the extension marker 3236 RequestExtensions EXTENSION ::= {...} 3238 Query ::= SEQUENCE { 3239 queriedCerts CertReferences, 3240 checks CertChecks, 3241 wantBack [1] WantBack OPTIONAL, 3242 validationPolicy ValidationPolicy, 3243 responseFlags ResponseFlags OPTIONAL, 3244 serverContextInfo [2] OCTET STRING OPTIONAL, 3245 validationTime [3] GeneralizedTime OPTIONAL, 3246 intermediateCerts [4] CertBundle OPTIONAL, 3247 revInfos [5] RevocationInfos OPTIONAL, 3248 producedAt [6] GeneralizedTime OPTIONAL, 3249 queryExtensions [7] Extensions{{QueryExtensions}} OPTIONAL 3250 } 3252 -- Add supported query extensions here, all new items should be added 3253 -- after the extension marker 3255
QueryExtensions EXTENSION ::= {...} 3257 CertReferences ::= CHOICE { 3258 pkcRefs [0] SEQUENCE SIZE (1..MAX) OF PKCReference, 3259 acRefs [1] SEQUENCE SIZE (1..MAX) OF ACReference 3260 } 3262 CertReference::= CHOICE { 3263 pkc PKCReference, 3264 ac ACReference 3265 } 3267 PKCReference ::= CHOICE { 3268 cert [0] Certificate, 3269 pkcRef [1] SCVPCertID 3270 } 3272 ACReference ::= CHOICE { 3273 attrCert [2] AttributeCertificate, 3274 acRef [3] SCVPCertID 3275 } 3277 HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM, 3278 {mda-sha1, ...}} 3280 SCVPCertID ::= SEQUENCE { 3281 certHash OCTET STRING, 3282 issuerSerial SCVPIssuerSerial, 3283 hashAlgorithm HashAlgorithm 3284 DEFAULT { algorithm mda-sha1.&id } 3285 } 3287 SCVPIssuerSerial ::= SEQUENCE { 3288 issuer GeneralNames, 3289 serialNumber CertificateSerialNumber 3290 } 3292 ValidationPolicy ::= SEQUENCE { 3293 validationPolRef ValidationPolRef, 3294 validationAlg [0] ValidationAlg OPTIONAL, 3295 userPolicySet [1] SEQUENCE SIZE (1..MAX) OF OBJECT 3296 IDENTIFIER OPTIONAL, 3297 inhibitPolicyMapping [2] BOOLEAN OPTIONAL, 3298 requireExplicitPolicy [3] BOOLEAN OPTIONAL, 3299 inhibitAnyPolicy [4] BOOLEAN OPTIONAL, 3300 trustAnchors [5] TrustAnchors OPTIONAL, 3301 keyUsages [6] SEQUENCE OF KeyUsage OPTIONAL, 3302 extendedKeyUsages [7] SEQUENCE OF KeyPurposeId OPTIONAL, 3303 specifiedKeyUsages [8] SEQUENCE OF KeyPurposeId OPTIONAL 3304 } 3306 CertChecks ::= SEQUENCE SIZE (1..MAX) OF 3307 OBJECT IDENTIFIER (CertCheckSet | ACertCheckSet, ... ) 3309 WantBack ::= SEQUENCE SIZE (1..MAX) OF 3310 WANT-BACK.&id ({AllWantBacks}) 3312 POLICY ::= ATTRIBUTE 3314 ValidationPolRefSet POLICY ::= { 3315 svp-defaultValPolicy, ... 3316 } 3318 ValidationPolRef ::= SEQUENCE { 3319 valPolId POLICY.&id, 3320 valPolParams POLICY.&Type OPTIONAL 3321 } 3323 ValidationAlgSet POLICY ::= { 3324 svp-basicValAlg, ... 
3325 } 3326 ValidationAlg ::= SEQUENCE { 3327 valAlgId POLICY.&id, 3328 parameters POLICY.&Type OPTIONAL 3329 } 3331 NameValiationAlgSet POLICY ::= { 3332 svp-nameValAlg, ... 3333 } 3335 NameValidationAlgParms ::= SEQUENCE { 3336 nameCompAlgId OBJECT IDENTIFIER (NameCompAlgSet, ... ), 3337 validationNames GeneralNames 3338 } 3340 TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference 3342 KeyAgreePublicKey ::= SEQUENCE { 3343 algorithm AlgorithmIdentifier{KEY-AGREE, 3344 {SupportedKeyAgreePublicKeys}}, 3345 publicKey BIT STRING, 3346 macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, 3347 {SupportedMACAlgorithms}}, 3348 kDF AlgorithmIdentifier{KEY-DERIVATION, 3349 {SupportedKeyDerivationFunctions}} 3350 OPTIONAL 3351 } 3353 SupportedKeyAgreePublicKeys KEY-AGREE ::= {...} 3354 SupportedMACAlgorithms MAC-ALGORITHM ::= {...} 3355 SupportedKeyDerivationFunctions KEY-DERIVATION ::= {...} 3357 ResponseFlags ::= SEQUENCE { 3358 fullRequestInResponse [0] BOOLEAN DEFAULT FALSE, 3359 responseValidationPolByRef [1] BOOLEAN DEFAULT TRUE, 3360 protectResponse [2] BOOLEAN DEFAULT TRUE, 3361 cachedResponse [3] BOOLEAN DEFAULT TRUE 3362 } 3364 CertBundle ::= SEQUENCE SIZE (1..MAX) OF Certificate 3366 RevocationInfos ::= SEQUENCE SIZE (1..MAX) OF RevocationInfo 3368 RevocationInfo ::= CHOICE { 3369 crl [0] CertificateList, 3370 delta-crl [1] CertificateList, 3371 ocsp [2] OCSPResponse, 3372 other [3] OtherRevInfo 3373 } 3374 REV-INFO ::= TYPE-IDENTIFIER 3376 OtherRevInfo ::= SEQUENCE { 3377 riType REV-INFO.&id, 3378 riValue REV-INFO.&Type 3379 } 3381 -- SCVP Certificate Validation Response 3383 ct-scvp-certValResponse CONTENT-TYPE ::= 3384 { CVResponse IDENTIFIED BY id-ct-scvp-certValResponse } 3386 id-ct-scvp-certValResponse OBJECT IDENTIFIER ::= { id-ct 11 } 3388 CVResponse ::= SEQUENCE { 3389 cvResponseVersion INTEGER, 3390 serverConfigurationID INTEGER, 3391 producedAt GeneralizedTime, 3392 responseStatus ResponseStatus, 3393 respValidationPolicy [0] RespValidationPolicy 
OPTIONAL, 3394 requestRef [1] RequestReference OPTIONAL, 3395 requestorRef [2] GeneralNames OPTIONAL, 3396 requestorName [3] GeneralNames OPTIONAL, 3397 replyObjects [4] ReplyObjects OPTIONAL, 3398 respNonce [5] OCTET STRING OPTIONAL, 3399 serverContextInfo [6] OCTET STRING OPTIONAL, 3400 cvResponseExtensions [7] Extensions{{CVResponseExtensions}} 3401 OPTIONAL, 3402 requestorText [8] UTF8String (SIZE (1..256)) OPTIONAL 3403 } 3405 -- This document defines no extensions 3406 CVResponseExtensions EXTENSION ::= {...} 3408 ResponseStatus ::= SEQUENCE { 3409 statusCode CVStatusCode DEFAULT okay, 3410 errorMessage UTF8String OPTIONAL 3411 } 3413 CVStatusCode ::= ENUMERATED { 3414 okay (0), 3415 skipUnrecognizedItems (1), 3416 tooBusy (10), 3417 invalidRequest (11), 3418 internalError (12), 3419 badStructure (20), 3420 unsupportedVersion (21), 3421 abortUnrecognizedItems (22), 3422 unrecognizedSigKey (23), 3423 badSignatureOrMAC (24), 3424 unableToDecode (25), 3425 notAuthorized (26), 3426 unsupportedChecks (27), 3427 unsupportedWantBacks (28), 3428 unsupportedSignatureOrMAC (29), 3429 invalidSignatureOrMAC (30), 3430 protectedResponseUnsupported (31), 3431 unrecognizedResponderName (32), 3432 relayingLoop (40), 3433 unrecognizedValPol (50), 3434 unrecognizedValAlg (51), 3435 fullRequestInResponseUnsupported (52), 3436 fullPolResponseUnsupported (53), 3437 inhibitPolicyMappingUnsupported (54), 3438 requireExplicitPolicyUnsupported (55), 3439 inhibitAnyPolicyUnsupported (56), 3440 validationTimeUnsupported (57), 3441 unrecognizedCritQueryExt (63), 3442 unrecognizedCritRequestExt (64), 3443 ...
3444 } 3446 RespValidationPolicy ::= ValidationPolicy 3448 RequestReference ::= CHOICE { 3449 requestHash [0] HashValue, -- hash of CVRequest 3450 fullRequest [1] CVRequest } 3452 HashValue ::= SEQUENCE { 3453 algorithm HashAlgorithm 3454 DEFAULT { algorithm mda-sha1.&id }, 3455 value OCTET STRING } 3457 ReplyObjects ::= SEQUENCE SIZE (1..MAX) OF CertReply 3459 CertReply ::= SEQUENCE { 3460 cert CertReference, 3461 replyStatus ReplyStatus DEFAULT success, 3462 replyValTime GeneralizedTime, 3463 replyChecks ReplyChecks, 3464 replyWantBacks ReplyWantBacks, 3465 validationErrors [0] SEQUENCE SIZE (1..MAX) OF 3466 OBJECT IDENTIFIER ( BasicValidationErrorSet | 3467 NameValidationErrorSet, 3468 ... ) OPTIONAL, 3469 nextUpdate [1] GeneralizedTime OPTIONAL, 3470 certReplyExtensions [2] Extensions{{...}} OPTIONAL 3471 } 3473 ReplyStatus ::= ENUMERATED { 3474 success (0), 3475 malformedPKC (1), 3476 malformedAC (2), 3477 unavailableValidationTime (3), 3478 referenceCertHashFail (4), 3479 certPathConstructFail (5), 3480 certPathNotValid (6), 3481 certPathNotValidNow (7), 3482 wantBackUnsatisfied (8) 3483 } 3485 ReplyChecks ::= SEQUENCE OF ReplyCheck 3487 ReplyCheck ::= SEQUENCE { 3488 check OBJECT IDENTIFIER (CertCheckSet | ACertCheckSet, ... ), 3489 status INTEGER DEFAULT 0 3490 } 3492 ReplyWantBacks ::= SEQUENCE OF ReplyWantBack 3494 ReplyWantBack::= SEQUENCE { 3495 wb WANT-BACK.&id({AllWantBacks}), 3496 value OCTET STRING 3497 (CONTAINING WANT-BACK.&Type({AllWantBacks}{@wb})) 3498 } 3500 WANT-BACK ::= TYPE-IDENTIFIER 3502 AllWantBacks WANT-BACK ::= { 3503 WantBackSet | ACertWantBackSet | AnyWantBackSet, ... 
3504 } 3506 CertBundles ::= SEQUENCE SIZE (1..MAX) OF CertBundle 3508 RevInfoWantBack ::= SEQUENCE { 3509 revocationInfo RevocationInfos, 3510 extraCerts CertBundle OPTIONAL 3511 } 3513 SCVPResponses ::= SEQUENCE OF ContentInfo 3515 -- SCVP Validation Policies Request 3517 ct-scvp-valPolRequest CONTENT-TYPE ::= 3518 { ValPolRequest IDENTIFIED BY id-ct-scvp-valPolRequest } 3520 id-ct-scvp-valPolRequest OBJECT IDENTIFIER ::= { id-ct 12 } 3522 ValPolRequest ::= SEQUENCE { 3523 vpRequestVersion INTEGER DEFAULT 1, 3524 requestNonce OCTET STRING 3525 } 3527 -- SCVP Validation Policies Response 3529 ct-scvp-valPolResponse CONTENT-TYPE ::= 3530 { ValPolResponse IDENTIFIED BY id-ct-scvp-valPolResponse } 3532 id-ct-scvp-valPolResponse OBJECT IDENTIFIER ::= { id-ct 13 } 3534 ValPolResponse ::= SEQUENCE { 3535 vpResponseVersion INTEGER, 3536 maxCVRequestVersion INTEGER, 3537 maxVPRequestVersion INTEGER, 3538 serverConfigurationID INTEGER, 3539 thisUpdate GeneralizedTime, 3540 nextUpdate GeneralizedTime OPTIONAL, 3541 supportedChecks CertChecks, 3542 supportedWantBacks WantBack, 3543 validationPolicies SEQUENCE OF OBJECT IDENTIFIER, 3544 validationAlgs SEQUENCE OF OBJECT IDENTIFIER, 3545 authPolicies SEQUENCE OF AuthPolicy, 3546 responseTypes ResponseTypes, 3547 defaultPolicyValues RespValidationPolicy, 3548 revocationInfoTypes RevocationInfoTypes, 3549 signatureGeneration SEQUENCE OF AlgorithmIdentifier 3550 {SIGNATURE-ALGORITHM, 3551 {SignatureAlgorithms}}, 3552 signatureVerification SEQUENCE OF AlgorithmIdentifier 3553 {SIGNATURE-ALGORITHM, 3554 {SignatureAlgorithms}}, 3555 hashAlgorithms SEQUENCE SIZE (1..MAX) OF 3556 OBJECT IDENTIFIER, 3557 serverPublicKeys SEQUENCE OF KeyAgreePublicKey 3558 OPTIONAL, 3559 clockSkew INTEGER DEFAULT 10, 3560 requestNonce OCTET STRING OPTIONAL 3561 } 3563 ResponseTypes ::= ENUMERATED { 3564 cached-only (0), 3565 non-cached-only (1), 3566 cached-and-non-cached (2) 3567 } 3569 RevocationInfoTypes ::= BIT STRING { 3570 fullCRLs (0), 3571 
deltaCRLs (1), 3572 indirectCRLs (2), 3573 oCSPResponses (3) 3574 } 3576 AuthPolicy ::= OBJECT IDENTIFIER 3578 -- SCVP Check Identifiers 3580 id-stc OBJECT IDENTIFIER ::= 3581 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 3582 mechanisms(5) pkix(7) 17 } 3584 CertCheckSet OBJECT IDENTIFIER ::= { 3585 id-stc-build-pkc-path | id-stc-build-valid-pkc-path | 3586 id-stc-build-status-checked-pkc-path, ... } 3588 id-stc-build-pkc-path OBJECT IDENTIFIER ::= { id-stc 1 } 3589 id-stc-build-valid-pkc-path OBJECT IDENTIFIER ::= { id-stc 2 } 3590 id-stc-build-status-checked-pkc-path 3591 OBJECT IDENTIFIER ::= { id-stc 3 } 3593 ACertCheckSet OBJECT IDENTIFIER ::= { 3594 id-stc-build-aa-path | id-stc-build-valid-aa-path | 3595 id-stc-build-status-checked-aa-path | 3596 id-stc-status-check-ac-and-build-status-checked-aa-path 3597 } 3599 id-stc-build-aa-path OBJECT IDENTIFIER ::= { id-stc 4 } 3600 id-stc-build-valid-aa-path OBJECT IDENTIFIER ::= { id-stc 5 } 3601 id-stc-build-status-checked-aa-path 3602 OBJECT IDENTIFIER ::= { id-stc 6 } 3603 id-stc-status-check-ac-and-build-status-checked-aa-path 3604 OBJECT IDENTIFIER ::= { id-stc 7 } 3606 -- SCVP WantBack Identifiers 3608 id-swb OBJECT IDENTIFIER ::= 3609 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 3610 mechanisms(5) pkix(7) 18 } 3612 WantBackSet WANT-BACK ::= { 3613 swb-pkc-cert | swb-pkc-best-cert-path | 3614 swb-pkc-revocation-info | swb-pkc-public-key-info | 3615 swb-pkc-all-cert-paths | swb-pkc-ee-revocation-info | 3616 swb-pkc-CAs-revocation-info 3617 } 3619 ACertWantBackSet WANT-BACK ::= { 3620 swb-ac-cert | swb-aa-cert-path | 3621 swb-aa-revocation-info | swb-ac-revocation-info 3622 } 3624 AnyWantBackSet WANT-BACK ::= { swb-relayed-responses } 3626 swb-pkc-best-cert-path WANT-BACK ::= 3627 { CertBundle IDENTIFIED BY id-swb-pkc-best-cert-path } 3628 id-swb-pkc-best-cert-path OBJECT IDENTIFIER ::= { id-swb 1 } 3630 swb-pkc-revocation-info WANT-BACK ::= 3631 { RevInfoWantBack 
IDENTIFIED BY id-swb-pkc-revocation-info } 3632 id-swb-pkc-revocation-info OBJECT IDENTIFIER ::= { id-swb 2 } 3634 swb-pkc-public-key-info WANT-BACK ::= 3635 { SubjectPublicKeyInfo IDENTIFIED BY id-swb-pkc-public-key-info } 3636 id-swb-pkc-public-key-info OBJECT IDENTIFIER ::= { id-swb 4 } 3638 swb-aa-cert-path WANT-BACK ::= 3639 {CertBundle IDENTIFIED BY id-swb-aa-cert-path } 3640 id-swb-aa-cert-path OBJECT IDENTIFIER ::= { id-swb 5 } 3642 swb-aa-revocation-info WANT-BACK ::= 3643 { RevInfoWantBack IDENTIFIED BY id-swb-aa-revocation-info } 3644 id-swb-aa-revocation-info OBJECT IDENTIFIER ::= { id-swb 6 } 3646 swb-ac-revocation-info WANT-BACK ::= 3647 { RevInfoWantBack IDENTIFIED BY id-swb-ac-revocation-info } 3648 id-swb-ac-revocation-info OBJECT IDENTIFIER ::= { id-swb 7 } 3650 swb-relayed-responses WANT-BACK ::= 3651 {SCVPResponses IDENTIFIED BY id-swb-relayed-responses } 3652 id-swb-relayed-responses OBJECT IDENTIFIER ::= { id-swb 9 } 3654 swb-pkc-all-cert-paths WANT-BACK ::= 3655 {CertBundles IDENTIFIED BY id-swb-pkc-all-cert-paths } 3656 id-swb-pkc-all-cert-paths OBJECT IDENTIFIER ::= { id-swb 12} 3658 swb-pkc-ee-revocation-info WANT-BACK ::= 3659 { RevInfoWantBack IDENTIFIED BY id-swb-pkc-ee-revocation-info } 3660 id-swb-pkc-ee-revocation-info OBJECT IDENTIFIER ::= { id-swb 13} 3661 swb-pkc-CAs-revocation-info WANT-BACK ::= 3662 { RevInfoWantBack IDENTIFIED BY id-swb-pkc-CAs-revocation-info } 3663 id-swb-pkc-CAs-revocation-info OBJECT IDENTIFIER ::= { id-swb 14} 3665 swb-pkc-cert WANT-BACK ::= 3666 { Certificate IDENTIFIED BY id-swb-pkc-cert } 3667 id-swb-pkc-cert OBJECT IDENTIFIER ::= { id-swb 10} 3669 swb-ac-cert WANT-BACK ::= 3670 { AttributeCertificate IDENTIFIED BY id-swb-ac-cert } 3671 id-swb-ac-cert OBJECT IDENTIFIER ::= { id-swb 11} 3673 -- SCVP Validation Policy and Algorithm Identifiers 3675 id-svp OBJECT IDENTIFIER ::= 3676 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 3677 mechanisms(5) pkix(7) 19 } 3679 svp-defaultValPolicy 
POLICY ::= 3680 { IDENTIFIED BY id-svp-defaultValPolicy } 3682 id-svp-defaultValPolicy OBJECT IDENTIFIER ::= { id-svp 1 } 3684 -- SCVP Basic Validation Algorithm Identifier 3686 svp-basicValAlg POLICY ::= {IDENTIFIED BY id-svp-basicValAlg } 3688 id-svp-basicValAlg OBJECT IDENTIFIER ::= { id-svp 3 } 3690 -- SCVP Basic Validation Algorithm Errors 3692 id-bvae OBJECT IDENTIFIER ::= id-svp-basicValAlg 3694 BasicValidationErrorSet OBJECT IDENTIFIER ::= { 3695 id-bvae-expired | id-bvae-not-yet-valid | 3696 id-bvae-wrongTrustAnchor | id-bvae-noValidCertPath | 3697 id-bvae-revoked | id-bvae-invalidKeyPurpose | 3698 id-bvae-invalidKeyUsage | id-bvae-invalidCertPolicy 3699 } 3701 id-bvae-expired OBJECT IDENTIFIER ::= { id-bvae 1 } 3702 id-bvae-not-yet-valid OBJECT IDENTIFIER ::= { id-bvae 2 } 3703 id-bvae-wrongTrustAnchor OBJECT IDENTIFIER ::= { id-bvae 3 } 3704 id-bvae-noValidCertPath OBJECT IDENTIFIER ::= { id-bvae 4 } 3705 id-bvae-revoked OBJECT IDENTIFIER ::= { id-bvae 5 } 3706 id-bvae-invalidKeyPurpose OBJECT IDENTIFIER ::= { id-bvae 9 } 3707 id-bvae-invalidKeyUsage OBJECT IDENTIFIER ::= { id-bvae 10 } 3708 id-bvae-invalidCertPolicy OBJECT IDENTIFIER ::= { id-bvae 11 } 3709 -- SCVP Name Validation Algorithm Identifier 3711 svp-nameValAlg POLICY ::= 3712 {TYPE NameValidationAlgParms IDENTIFIED BY id-svp-nameValAlg } 3714 id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 } 3716 -- SCVP Name Validation Algorithm DN comparison algorithm 3718 NameCompAlgSet OBJECT IDENTIFIER ::= { 3719 id-nva-dnCompAlg 3720 } 3722 id-nva-dnCompAlg OBJECT IDENTIFIER ::= { id-svp 4 } 3724 -- SCVP Name Validation Algorithm Errors 3726 id-nvae OBJECT IDENTIFIER ::= id-svp-nameValAlg 3728 NameValidationErrorSet OBJECT IDENTIFIER ::= { 3729 id-nvae-name-mismatch | id-nvae-no-name | id-nvae-unknown-alg | 3730 id-nvae-bad-name | id-nvae-bad-name-type | id-nvae-mixed-names 3731 } 3733 id-nvae-name-mismatch OBJECT IDENTIFIER ::= { id-nvae 1 } 3734 id-nvae-no-name OBJECT IDENTIFIER ::= { id-nvae 2 } 
3735  id-nvae-unknown-alg OBJECT IDENTIFIER ::= { id-nvae 3 }
3736  id-nvae-bad-name OBJECT IDENTIFIER ::= { id-nvae 4 }
3737  id-nvae-bad-name-type OBJECT IDENTIFIER ::= { id-nvae 5 }
3738  id-nvae-mixed-names OBJECT IDENTIFIER ::= { id-nvae 6 }

3740  -- SCVP Extended Key Usage Key Purpose Identifiers

3742  id-kp OBJECT IDENTIFIER ::=
3743      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
3744      mechanisms(5) pkix(7) 3 }

3746  SvcpExtKeyUsageSet OBJECT IDENTIFIER ::= {
3747      id-kp-scvpServer | id-kp-scvpClient
3748  }

3750  id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 }

3752  id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 }

3754  END

3756  13. ASN.1 Module for RFC 5272

3758  EnrollmentMessageSyntax-2009
3759      {iso(1) identified-organization(3) dod(6) internet(1)
3760      security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53)}
3761  DEFINITIONS IMPLICIT TAGS ::=
3762  BEGIN
3763  EXPORTS ALL;
3764  IMPORTS

3766  AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE
3767  FROM PKIX-CommonTypes-2009
3768      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3769      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

3771  AlgorithmIdentifier{}, DIGEST-ALGORITHM, KEY-WRAP, KEY-DERIVATION,
3772      MAC-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY
3773  FROM AlgorithmInformation-2009
3774      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3775      mechanisms(5) pkix(7) id-mod(0)
3776      id-mod-algorithmInformation-02(58)}

3778  CertificateSerialNumber, GeneralName, CRLReason, ReasonFlags,
3779      CertExtensions
3780  FROM PKIX1Implicit-2009
3781      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3782      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

3784  Name, id-pkix, PublicKeyAlgorithms, SignatureAlgorithms
3785  FROM PKIX1Explicit-2009
3786      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3787      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

3789  ContentInfo, IssuerAndSerialNumber, CONTENT-TYPE
3790  FROM CryptographicMessageSyntax-2009
3791      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
3792      smime(16) modules(0) id-mod-cms-2004-02(41)}

3794  CertReqMsg, PKIPublicationInfo, CertTemplate
3795  FROM PKIXCRMF-2009
3796      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
3797      mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)}

3799  mda-sha1
3800  FROM PKIXAlgs-2009
3801      { iso(1) identified-organization(3) dod(6)
3802      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
3803      id-mod-pkix1-algorithms2008-02(56)}

3805  kda-PBKDF2, maca-hMAC-SHA1
3806  FROM CryptographicMessageSyntaxAlgorithms-2009
3807      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
3808      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

3810  mda-sha256
3811  FROM PKIX1-PSS-OAEP-Algorithms-2009
3812      { iso(1) identified-organization(3) dod(6)
3813      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
3814      id-mod-pkix1-rsa-pkalgs-02(54) } ;

3816  -- CMS Content types defined in this document

3818  CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... }

3820  -- Signature Algorithms defined in this document

3822  SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature }

3824  -- CMS Unsigned Attributes

3826  CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData }

3828  --
3829  --

3831  id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls
3832  id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types

3834  -- This is the content type for a request message in the protocol

3836  ct-PKIData CONTENT-TYPE ::=
3837      { PKIData IDENTIFIED BY id-cct-PKIData }
3838  id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 }

3840  PKIData ::= SEQUENCE {
3841      controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
3842      reqSequence SEQUENCE SIZE(0..MAX) OF TaggedRequest,
3843      cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
3844      otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
3845  }

3847  BodyPartID ::= INTEGER(0..4294967295)

3849  TaggedAttribute ::= SEQUENCE {
3850      bodyPartID BodyPartID,
3851      attrType CMC-CONTROL.&id({Cmc-Control-Set}),
3852      attrValues SET OF CMC-CONTROL.
3853          &Type({Cmc-Control-Set}{@attrType})
3854  }

3856  Cmc-Control-Set CMC-CONTROL ::= {
3857      cmc-identityProof | cmc-dataReturn | cmc-regInfo |
3858      cmc-responseInfo | cmc-queryPending | cmc-popLinkRandom |
3859      cmc-popLinkWitness | cmc-identification | cmc-transactionId |
3860      cmc-senderNonce | cmc-recipientNonce | cmc-statusInfo |
3861      cmc-addExtensions | cmc-encryptedPOP | cmc-decryptedPOP |
3862      cmc-lraPOPWitness | cmc-getCert | cmc-getCRL |
3863      cmc-revokeRequest | cmc-confirmCertAcceptance |
3864      cmc-statusInfoV2 | cmc-trustedAnchors | cmc-authData |
3865      cmc-batchRequests | cmc-batchResponses | cmc-publishCert |
3866      cmc-modCertTemplate | cmc-controlProcessed |
3867      cmc-identityProofV2 | cmc-popLinkWitnessV2, ... }

3869  OTHER-REQUEST ::= TYPE-IDENTIFIER

3871  -- We do not define any other requests in this document
3872  -- examples might be attribute certification requests

3874  OtherRequests OTHER-REQUEST ::= {...}

3876  TaggedRequest ::= CHOICE {
3877      tcr [0] TaggedCertificationRequest,
3878      crm [1] CertReqMsg,
3879      orm [2] SEQUENCE {
3880          bodyPartID BodyPartID,
3881          requestMessageType OTHER-REQUEST.&id({OtherRequests}),
3882          requestMessageValue OTHER-REQUEST.&Type({OtherRequests}
3883              {@.requestMessageType})
3884      }
3885  }

3887  TaggedCertificationRequest ::= SEQUENCE {
3888      bodyPartID BodyPartID,
3889      certificationRequest CertificationRequest
3890  }

3892  AttributeList ATTRIBUTE ::= {at-extension-req, ...}

3894  CertificationRequest ::= SEQUENCE {
3895      certificationRequestInfo SEQUENCE {
3896          version INTEGER,
3897          subject Name,
3898          subjectPublicKeyInfo SEQUENCE {
3899              algorithm AlgorithmIdentifier{PUBLIC-KEY,
3900                  {PublicKeyAlgorithms}},
3901              subjectPublicKey BIT STRING
3902          },
3903          attributes [0] IMPLICIT SET OF
3904              AttributeSet{{AttributeList}}
3905      },
3906      signatureAlgorithm AlgorithmIdentifier
3907          {SIGNATURE-ALGORITHM,
3908          {SignatureAlgorithms}},
3909      signature BIT STRING
3910  }

3912  TaggedContentInfo ::= SEQUENCE {
3913      bodyPartID BodyPartID,
3914      contentInfo ContentInfo
3915  }

3917  OTHER-MSG ::= TYPE-IDENTIFIER

3919  -- No other messages currently defined

3921  OtherMsgSet OTHER-MSG ::= {...}

3923  OtherMsg ::= SEQUENCE {
3924      bodyPartID BodyPartID,
3925      otherMsgType OTHER-MSG.&id({OtherMsgSet}),
3926      otherMsgValue OTHER-MSG.&Type({OtherMsgSet}{@otherMsgType}) }

3928  -- This defines the response message in the protocol

3930  ct-PKIResponse CONTENT-TYPE ::=
3931      { PKIResponse IDENTIFIED BY id-cct-PKIResponse }
3932  id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 }

3934  ResponseBody ::= PKIResponse

3936  PKIResponse ::= SEQUENCE {
3937      controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
3938      cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
3939      otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
3940  }

3942  CMC-CONTROL ::= TYPE-IDENTIFIER

3944  -- The following controls have the type OCTET STRING

3946  cmc-identityProof CMC-CONTROL ::=
3947      { OCTET STRING IDENTIFIED BY id-cmc-identityProof }
3948  id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3}

3950  cmc-dataReturn CMC-CONTROL ::=
3951      { OCTET STRING IDENTIFIED BY id-cmc-dataReturn }
3952  id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4}

3954  cmc-regInfo CMC-CONTROL ::=
3955      { OCTET STRING IDENTIFIED BY id-cmc-regInfo }
3956  id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18}

3958  cmc-responseInfo CMC-CONTROL ::=
3959      { OCTET STRING IDENTIFIED BY id-cmc-responseInfo }
3960  id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19}

3962  cmc-queryPending CMC-CONTROL ::=
3963      { OCTET STRING IDENTIFIED BY id-cmc-queryPending }
3964  id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21}

3966  cmc-popLinkRandom CMC-CONTROL ::=
3967      { OCTET STRING IDENTIFIED BY id-cmc-popLinkRandom }
3968  id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22}

3970  cmc-popLinkWitness CMC-CONTROL ::=
3971      { OCTET STRING IDENTIFIED BY id-cmc-popLinkWitness }
3972  id-cmc-popLinkWitness OBJECT IDENTIFIER ::= {id-cmc 23}

3974  -- The following controls have the type UTF8String

3976  cmc-identification CMC-CONTROL ::=
3977      { UTF8String IDENTIFIED BY id-cmc-identification }
3978  id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2}

3980  -- The following controls have the type INTEGER

3982  cmc-transactionId CMC-CONTROL ::=
3983      { INTEGER IDENTIFIED BY id-cmc-transactionId }
3984  id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5}

3986  -- The following controls have the type OCTET STRING

3988  cmc-senderNonce CMC-CONTROL ::=
3989      { OCTET STRING IDENTIFIED BY id-cmc-senderNonce }
3990  id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6}

3992  cmc-recipientNonce CMC-CONTROL ::=
3993      { OCTET STRING IDENTIFIED BY id-cmc-recipientNonce }
3994  id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7}
3995  -- Used to return status in a response

3997  cmc-statusInfo CMC-CONTROL ::=
3998      { CMCStatusInfo IDENTIFIED BY id-cmc-statusInfo }
3999  id-cmc-statusInfo OBJECT IDENTIFIER ::= {id-cmc 1}

4001  CMCStatusInfo ::= SEQUENCE {
4002      cMCStatus CMCStatus,
4003      bodyList SEQUENCE SIZE (1..MAX) OF BodyPartID,
4004      statusString UTF8String OPTIONAL,
4005      otherInfo CHOICE {
4006          failInfo CMCFailInfo,
4007          pendInfo PendInfo
4008      } OPTIONAL
4009  }

4011  PendInfo ::= SEQUENCE {
4012      pendToken OCTET STRING,
4013      pendTime GeneralizedTime
4014  }

4016  CMCStatus ::= INTEGER {
4017      success (0),
4018      failed (2),
4019      pending (3),
4020      noSupport (4),
4021      confirmRequired (5),
4022      popRequired (6),
4023      partial (7)
4024  }

4026  CMCFailInfo ::= INTEGER {
4027      badAlg (0),
4028      badMessageCheck (1),
4029      badRequest (2),
4030      badTime (3),
4031      badCertId (4),
4032      unsuportedExt (5),
4033      mustArchiveKeys (6),
4034      badIdentity (7),
4035      popRequired (8),
4036      popFailed (9),
4037      noKeyReuse (10),
4038      internalCAError (11),
4039      tryLater (12),
4040      authDataFail (13)
4041  }
4042  -- Used for RAs to add extensions to certification requests

4044  cmc-addExtensions CMC-CONTROL ::=
4045      { AddExtensions IDENTIFIED BY id-cmc-addExtensions }
4046  id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8}

4048  AddExtensions ::= SEQUENCE {
4049      pkiDataReference BodyPartID,
4050      certReferences SEQUENCE OF BodyPartID,
4051      extensions SEQUENCE OF Extension{{CertExtensions}}
4052  }

4054  cmc-encryptedPOP CMC-CONTROL ::=
4055      { EncryptedPOP IDENTIFIED BY id-cmc-encryptedPOP }
4056  cmc-decryptedPOP CMC-CONTROL ::=
4057      { DecryptedPOP IDENTIFIED BY id-cmc-decryptedPOP }
4058  id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9}
4059  id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10}

4061  EncryptedPOP ::= SEQUENCE {
4062      request TaggedRequest,
4063      cms ContentInfo,
4064      thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
4065      witnessAlgID AlgorithmIdentifier{DIGEST-ALGORITHM,
4066          {WitnessAlgs}},
4067      witness OCTET STRING
4068  }

4070  POPAlgs MAC-ALGORITHM ::= {maca-hMAC-SHA1, ...}
4071  WitnessAlgs DIGEST-ALGORITHM ::= {mda-sha1, ...}

4073  DecryptedPOP ::= SEQUENCE {
4074      bodyPartID BodyPartID,
4075      thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
4076      thePOP OCTET STRING
4077  }

4079  cmc-lraPOPWitness CMC-CONTROL ::=
4080      { LraPopWitness IDENTIFIED BY id-cmc-lraPOPWitness }

4082  id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11}

4084  LraPopWitness ::= SEQUENCE {
4085      pkiDataBodyid BodyPartID,
4086      bodyIds SEQUENCE OF BodyPartID
4087  }
4088  --

4090  cmc-getCert CMC-CONTROL ::=
4091      { GetCert IDENTIFIED BY id-cmc-getCert }
4092  id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15}

4094  GetCert ::= SEQUENCE {
4095      issuerName GeneralName,
4096      serialNumber INTEGER }

4098  cmc-getCRL CMC-CONTROL ::=
4099      { GetCRL IDENTIFIED BY id-cmc-getCRL }
4100  id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16}

4102  GetCRL ::= SEQUENCE {
4103      issuerName Name,
4104      cRLName GeneralName OPTIONAL,
4105      time GeneralizedTime OPTIONAL,
4106      reasons ReasonFlags OPTIONAL }

4108  cmc-revokeRequest CMC-CONTROL ::=
4109      { RevokeRequest IDENTIFIED BY id-cmc-revokeRequest}
4110  id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17}

4112  RevokeRequest ::= SEQUENCE {
4113      issuerName Name,
4114      serialNumber INTEGER,
4115      reason CRLReason,
4116      invalidityDate GeneralizedTime OPTIONAL,
4117      passphrase OCTET STRING OPTIONAL,
4118      comment UTF8String OPTIONAL }

4120  cmc-confirmCertAcceptance CMC-CONTROL ::=
4121      { CMCCertId IDENTIFIED BY id-cmc-confirmCertAcceptance }
4122  id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {id-cmc 24}

4124  CMCCertId ::= IssuerAndSerialNumber

4126  -- The following is used to request V3 extensions be added
4127  -- to a certificate

4129  at-extension-req ATTRIBUTE ::=
4130      { TYPE ExtensionReq IDENTIFIED BY id-ExtensionReq }
4131  id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
4132      rsadsi(113549) pkcs(1) pkcs-9(9) 14}

4134  ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF
4135      Extension{{CertExtensions}}

4137  -- The following allows Diffie-Hellman Certification Request
4138  -- Messages to be well-formed

4140  sa-noSignature SIGNATURE-ALGORITHM ::= {
4141      IDENTIFIER id-alg-noSignature
4142      VALUE NoSignatureValue
4143      PARAMS TYPE NULL ARE required
4144      HASHES { mda-sha1 }
4145  }
4146  id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}

4148  NoSignatureValue ::= OCTET STRING

4150  -- Unauthenticated attribute to carry removable data.

4152  id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
4153      rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2)}

4155  aa-cmc-unsignedData ATTRIBUTE ::=
4156      { TYPE CMCUnsignedData IDENTIFIED BY id-aa-cmc-unsignedData }
4157  id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= {id-aa 34}

4159  CMCUnsignedData ::= SEQUENCE {
4160      bodyPartPath BodyPartPath,
4161      identifier TYPE-IDENTIFIER.&id,
4162      content TYPE-IDENTIFIER.&Type
4163  }

4165  -- Replaces CMC Status Info
4166  --

4168  cmc-statusInfoV2 CMC-CONTROL ::=
4169      { CMCStatusInfoV2 IDENTIFIED BY id-cmc-statusInfoV2 }
4170  id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= {id-cmc 25}

4172  EXTENDED-FAILURE-INFO ::= TYPE-IDENTIFIER

4174  ExtendedFailures EXTENDED-FAILURE-INFO ::= {...}

4176  CMCStatusInfoV2 ::= SEQUENCE {
4177      cMCStatus CMCStatus,
4178      bodyList SEQUENCE SIZE (1..MAX) OF
4179          BodyPartReference,
4180      statusString UTF8String OPTIONAL,
4181      otherInfo CHOICE {
4182          failInfo CMCFailInfo,
4183          pendInfo PendInfo,
4184          extendedFailInfo [1] SEQUENCE {
4185              failInfoOID TYPE-IDENTIFIER.&id
4186                  ({ExtendedFailures}),
4187              failInfoValue TYPE-IDENTIFIER.&Type
4188                  ({ExtendedFailures}
4189                  {@.failInfoOID})
4190          }
4191      } OPTIONAL
4192  }

4194  BodyPartReference ::= CHOICE {
4195      bodyPartID BodyPartID,
4196      bodyPartPath BodyPartPath
4197  }

4199  BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID

4201  -- Allow for distribution of trust anchors
4202  --

4204  cmc-trustedAnchors CMC-CONTROL ::=
4205      { PublishTrustAnchors IDENTIFIED BY id-cmc-trustedAnchors }
4206  id-cmc-trustedAnchors OBJECT IDENTIFIER ::= {id-cmc 26}

4208  PublishTrustAnchors ::= SEQUENCE {
4209      seqNumber INTEGER,
4210      hashAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM,
4211          {HashAlgorithms}},
4212      anchorHashes SEQUENCE OF OCTET STRING
4213  }

4215  HashAlgorithms DIGEST-ALGORITHM ::= {
4216      mda-sha1 | mda-sha256, ...
4217  }

4219  cmc-authData CMC-CONTROL ::=
4220      { AuthPublish IDENTIFIED BY id-cmc-authData }
4221  id-cmc-authData OBJECT IDENTIFIER ::= {id-cmc 27}

4223  AuthPublish ::= BodyPartID

4225  -- These two items use BodyPartList

4227  cmc-batchRequests CMC-CONTROL ::=
4228      { BodyPartList IDENTIFIED BY id-cmc-batchRequests }

4230  id-cmc-batchRequests OBJECT IDENTIFIER ::= {id-cmc 28}

4232  cmc-batchResponses CMC-CONTROL ::=
4233      { BodyPartList IDENTIFIED BY id-cmc-batchResponses }
4234  id-cmc-batchResponses OBJECT IDENTIFIER ::= {id-cmc 29}

4236  BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID

4238  cmc-publishCert CMC-CONTROL ::=
4239      { CMCPublicationInfo IDENTIFIED BY id-cmc-publishCert }
4240  id-cmc-publishCert OBJECT IDENTIFIER ::= {id-cmc 30}

4242  CMCPublicationInfo ::= SEQUENCE {
4243      hashAlg AlgorithmIdentifier{DIGEST-ALGORITHM,
4244          {HashAlgorithms}},
4245      certHashes SEQUENCE OF OCTET STRING,
4246      pubInfo PKIPublicationInfo
4247  }

4249  cmc-modCertTemplate CMC-CONTROL ::=
4250      { ModCertTemplate IDENTIFIED BY id-cmc-modCertTemplate }
4251  id-cmc-modCertTemplate OBJECT IDENTIFIER ::= {id-cmc 31}

4253  ModCertTemplate ::= SEQUENCE {
4254      pkiDataReference BodyPartPath,
4255      certReferences BodyPartList,
4256      replace BOOLEAN DEFAULT TRUE,
4257      certTemplate CertTemplate
4258  }

4260  -- Inform follow-on servers that one or more controls have
4261  -- already been processed

4263  cmc-controlProcessed CMC-CONTROL ::=
4264      { ControlsProcessed IDENTIFIED BY id-cmc-controlProcessed }
4265  id-cmc-controlProcessed OBJECT IDENTIFIER ::= {id-cmc 32}

4267  ControlsProcessed ::= SEQUENCE {
4268      bodyList SEQUENCE SIZE(1..MAX) OF BodyPartReference
4269  }

4271  -- Identity Proof control w/ algorithm agility

4273  cmc-identityProofV2 CMC-CONTROL ::=
4274      { IdentityProofV2 IDENTIFIED BY id-cmc-identityProofV2 }
4275  id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 33 }

4277  IdentityProofV2 ::= SEQUENCE {
4278      proofAlgID AlgorithmIdentifier{DIGEST-ALGORITHM,
4279          {WitnessAlgs}},
4280      macAlgId AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
4281      witness OCTET STRING
4282  }

4284  cmc-popLinkWitnessV2 CMC-CONTROL ::=
4285      { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 }
4286  id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 }

4288  PopLinkWitnessV2 ::= SEQUENCE {
4289      keyGenAlgorithm AlgorithmIdentifier{KEY-DERIVATION,
4290          {KeyDevAlgs}},
4291      macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
4292      witness OCTET STRING
4293  }

4295  KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...}

4297  END

4299  14. ASN.1 Module for RFC 5280, Explicit and Implicit

4301  Note that many of the changes in this module are similar or the same
4302  as the changes made in more recent versions of X.509 itself.

4304  PKIX1Explicit-2009
4305      {iso(1) identified-organization(3) dod(6) internet(1)
4306      security(5) mechanisms(5) pkix(7) id-mod(0)
4307      id-mod-pkix1-explicit-02(51)}
4308  DEFINITIONS EXPLICIT TAGS ::=
4309  BEGIN

4311  IMPORTS

4313  Extensions{}, EXTENSION, ATTRIBUTE, SingleAttribute{}
4314  FROM PKIX-CommonTypes-2009
4315      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4316      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

4318  AlgorithmIdentifier{}, PUBLIC-KEY, SIGNATURE-ALGORITHM
4319  FROM AlgorithmInformation-2009
4320      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4321      mechanisms(5) pkix(7) id-mod(0)
4322      id-mod-algorithmInformation-02(58)}

4324  CertExtensions, CrlExtensions, CrlEntryExtensions
4325  FROM PKIX1Implicit-2009
4326      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4327      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

4329  SignatureAlgs, PublicKeys
4330  FROM PKIXAlgs-2009
4331      {iso(1) identified-organization(3) dod(6)
4332      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 56}

4334  SignatureAlgs, PublicKeys
4335  FROM PKIX1-PSS-OAEP-Algorithms-2009
4336      {iso(1) identified-organization(3) dod(6)
4337      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
4338      id-mod-pkix1-rsa-pkalgs-02(54)}

4340  ORAddress
4341  FROM PKIX-X400Address-2009
4342      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4343      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60)};

4345  id-pkix OBJECT IDENTIFIER ::=
4346      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4347      mechanisms(5) pkix(7)}

4349  -- PKIX arcs

4351  id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
4352      -- arc for private certificate extensions
4353  id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
4354      -- arc for policy qualifier types
4355  id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
4356      -- arc for extended key purpose OIDS
4357  id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
4358      -- arc for access descriptors

4360  -- policyQualifierIds for Internet policy qualifiers

4362  id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
4363      -- OID for CPS qualifier
4364  id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
4365      -- OID for user notice qualifier

4367  -- access descriptor definitions

4369  id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
4370  id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
4371  id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 }
4372  id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }

4374  -- attribute data types

4376  AttributeType ::= ATTRIBUTE.&id

4378  -- Replaced by SingleAttribute{}
4379  --
4380  -- AttributeTypeAndValue ::= SEQUENCE {
4381  --     type ATTRIBUTE.&id({SupportedAttributes}),
4382  --     value ATTRIBUTE.&Type({SupportedAttributes}{@type}) }
4383  --

4385  -- Suggested naming attributes: Definition of the following
4386  -- information object set may be augmented to meet local
4387  -- requirements. Note that deleting members of the set may
4388  -- prevent interoperability with conforming implementations.
4389  -- All attributes are presented in pairs: the AttributeType
4390  -- followed by the type definition for the corresponding
4391  -- AttributeValue.

4393  --Arc for standard naming attributes

4395  id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }

4397  -- Naming attributes of type X520name

4399  id-at-name AttributeType ::= { id-at 41 }
4400  at-name ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-name }

4402  id-at-surname AttributeType ::= { id-at 4 }
4403  at-surname ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-surname }

4405  id-at-givenName AttributeType ::= { id-at 42 }
4406  at-givenName ATTRIBUTE ::=
4407      { TYPE X520name IDENTIFIED BY id-at-givenName }

4409  id-at-initials AttributeType ::= { id-at 43 }
4410  at-initials ATTRIBUTE ::=
4411      { TYPE X520name IDENTIFIED BY id-at-initials }

4413  id-at-generationQualifier AttributeType ::= { id-at 44 }
4414  at-generationQualifier ATTRIBUTE ::=
4415      { TYPE X520name IDENTIFIED BY id-at-generationQualifier }

4417  -- Directory string type --
4418  DirectoryString{INTEGER:maxSize} ::= CHOICE {
4419      teletexString TeletexString(SIZE (1..maxSize)),
4420      printableString PrintableString(SIZE (1..maxSize)),
4421      bmpString BMPString(SIZE (1..maxSize)),
4422      universalString UniversalString(SIZE (1..maxSize)),
4423      uTF8String UTF8String(SIZE (1..maxSize))
4424  }

4426  X520name ::= DirectoryString {ub-name}

4428  -- Naming attributes of type X520CommonName

4430  id-at-commonName AttributeType ::= { id-at 3 }

4432  at-x520CommonName ATTRIBUTE ::=
4433      {TYPE X520CommonName IDENTIFIED BY id-at-commonName }
4434  X520CommonName ::= DirectoryString {ub-common-name}

4436  -- Naming attributes of type X520LocalityName

4438  id-at-localityName AttributeType ::= { id-at 7 }

4440  at-x520LocalityName ATTRIBUTE ::=
4441      { TYPE X520LocalityName IDENTIFIED BY id-at-localityName }
4442  X520LocalityName ::= DirectoryString {ub-locality-name}

4444  -- Naming attributes of type X520StateOrProvinceName

4446  id-at-stateOrProvinceName AttributeType ::= { id-at 8 }

4448  at-x520StateOrProvinceName ATTRIBUTE ::=
4449      { TYPE DirectoryString {ub-state-name}
4450      IDENTIFIED BY id-at-stateOrProvinceName }
4451  X520StateOrProvinceName ::= DirectoryString {ub-state-name}

4453  -- Naming attributes of type X520OrganizationName

4455  id-at-organizationName AttributeType ::= { id-at 10 }

4457  at-x520OrganizationName ATTRIBUTE ::=
4458      { TYPE DirectoryString {ub-organization-name}
4459      IDENTIFIED BY id-at-organizationName }
4460  X520OrganizationName ::= DirectoryString {ub-organization-name}

4462  -- Naming attributes of type X520OrganizationalUnitName

4464  id-at-organizationalUnitName AttributeType ::= { id-at 11 }
4465  at-x520OrganizationalUnitName ATTRIBUTE ::=
4466      { TYPE DirectoryString {ub-organizational-unit-name}
4467      IDENTIFIED BY id-at-organizationalUnitName }
4468  X520OrganizationalUnitName ::= DirectoryString
4469      {ub-organizational-unit-name}

4471  -- Naming attributes of type X520Title

4473  id-at-title AttributeType ::= { id-at 12 }

4475  at-x520Title ATTRIBUTE ::= { TYPE DirectoryString { ub-title }
4476      IDENTIFIED BY id-at-title }

4478  -- Naming attributes of type X520dnQualifier

4480  id-at-dnQualifier AttributeType ::= { id-at 46 }

4482  at-x520dnQualifier ATTRIBUTE ::= { TYPE PrintableString
4483      IDENTIFIED BY id-at-dnQualifier }

4485  -- Naming attributes of type X520countryName (digraph from IS 3166)

4487  id-at-countryName AttributeType ::= { id-at 6 }

4489  at-x520countryName ATTRIBUTE ::= { TYPE PrintableString (SIZE (2))
4490      IDENTIFIED BY id-at-countryName }

4492  -- Naming attributes of type X520SerialNumber

4494  id-at-serialNumber AttributeType ::= { id-at 5 }

4496  at-x520SerialNumber ATTRIBUTE ::= {TYPE PrintableString
4497      (SIZE (1..ub-serial-number)) IDENTIFIED BY id-at-serialNumber }

4499  -- Naming attributes of type X520Pseudonym

4501  id-at-pseudonym AttributeType ::= { id-at 65 }

4503  at-x520Pseudonym ATTRIBUTE ::= { TYPE DirectoryString {ub-pseudonym}
4504      IDENTIFIED BY id-at-pseudonym }

4506  -- Naming attributes of type DomainComponent (from RFC 2247)

4508  id-domainComponent AttributeType ::=
4509      { itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100)
4510      pilotAttributeType(1) 25 }

4512  at-domainComponent ATTRIBUTE ::= {TYPE IA5String
4513      IDENTIFIED BY id-domainComponent }

4515  -- Legacy attributes

4517  pkcs-9 OBJECT IDENTIFIER ::=
4518      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
4519  id-emailAddress AttributeType ::= { pkcs-9 1 }

4521  at-emailAddress ATTRIBUTE ::= {TYPE IA5String
4522      (SIZE (1..ub-emailaddress-length)) IDENTIFIED BY
4523      id-emailAddress }

4525  -- naming data types --

4527  Name ::= CHOICE { -- only one possibility for now --
4528      rdnSequence RDNSequence }

4530  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

4532  DistinguishedName ::= RDNSequence

4534  RelativeDistinguishedName ::=
4535      SET SIZE (1 .. MAX) OF SingleAttribute { {SupportedAttributes} }

4537  -- These are the known name elements for a DN

4539  SupportedAttributes ATTRIBUTE ::= {
4540      at-name | at-surname | at-givenName | at-initials |
4541      at-generationQualifier | at-x520CommonName |
4542      at-x520LocalityName | at-x520StateOrProvinceName |
4543      at-x520OrganizationName | at-x520OrganizationalUnitName |
4544      at-x520Title | at-x520dnQualifier | at-x520countryName |
4545      at-x520SerialNumber | at-x520Pseudonym | at-domainComponent |
4546      at-emailAddress, ... }

4548  --
4549  -- Certificate and CRL specific structures begin here
4550  --

4552  Certificate ::= SIGNED{TBSCertificate}

4554  TBSCertificate ::= SEQUENCE {
4555      version [0] Version DEFAULT v1,
4556      serialNumber CertificateSerialNumber,
4557      signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
4558          {SignatureAlgorithms}},
4559      issuer Name,
4560      validity Validity,
4561      subject Name,
4562      subjectPublicKeyInfo SubjectPublicKeyInfo,
4563      ... ,
4564      [[2: -- If present, version MUST be v2
4565      issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
4566      subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL
4567      ]],
4568      [[3: -- If present, version MUST be v3 --
4569      extensions [3] Extensions{{CertExtensions}} OPTIONAL
4570      ]], ... }

4572  Version ::= INTEGER { v1(0), v2(1), v3(2) }

4574  CertificateSerialNumber ::= INTEGER

4576  Validity ::= SEQUENCE {
4577      notBefore Time,
4578      notAfter Time }

4580  Time ::= CHOICE {
4581      utcTime UTCTime,
4582      generalTime GeneralizedTime }

4584  UniqueIdentifier ::= BIT STRING

4586  SubjectPublicKeyInfo ::= SEQUENCE {
4587      algorithm AlgorithmIdentifier{PUBLIC-KEY,
4588          {PublicKeyAlgorithms}},
4589      subjectPublicKey BIT STRING }

4591  -- CRL structures

4593  CertificateList ::= SIGNED{TBSCertList}

4595  TBSCertList ::= SEQUENCE {
4596      version Version OPTIONAL,
4597          -- if present, MUST be v2
4598      signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
4599          {SignatureAlgorithms}},
4600      issuer Name,
4601      thisUpdate Time,
4602      nextUpdate Time OPTIONAL,
4603      revokedCertificates SEQUENCE SIZE (1..MAX) OF SEQUENCE {
4604          userCertificate CertificateSerialNumber,
4605          revocationDate Time,
4606          ... ,
4607          [[2: -- if present, version MUST be v2
4608          crlEntryExtensions Extensions{{CrlEntryExtensions}}
4609              OPTIONAL
4610          ]], ...
4611      } OPTIONAL,
4612      ... ,
4613      [[2: -- if present, version MUST be v2
4614      crlExtensions [0] Extensions{{CrlExtensions}}
4615          OPTIONAL
4616      ]], ... }

4618  -- Version, Time, CertificateSerialNumber, and Extensions were
4619  -- defined earlier for use in the certificate structure

4621  --
4622  -- The two object sets below should be expanded to include
4623  -- those algorithms which are supported by the system.
4624  --
4625  -- For example:
4626  -- SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
4627  --   PKIXAlgs-2008.SignatureAlgs, ...,
4628  --   - - RFC 3279 provides the base set
4629  --   PKIX1-PSS-OAEP-ALGORITHMS.SignatureAlgs |
4630  --   - - RFC 4055 provides extension algs
4631  --   OtherModule.SignatureAlgs
4632  --   - - RFC XXXX provides additional extension algs
4633  -- }

4635  SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
4636      PKIXAlgs-2009.SignatureAlgs, ...,
4637      PKIX1-PSS-OAEP-Algorithms-2009.SignatureAlgs }

4639  PublicKeyAlgorithms PUBLIC-KEY ::= {
4640      PKIXAlgs-2009.PublicKeys, ...,
4641      PKIX1-PSS-OAEP-Algorithms-2009.PublicKeys}

4643  -- Upper Bounds

4645  ub-state-name INTEGER ::= 128
4646  ub-organization-name INTEGER ::= 64
4647  ub-organizational-unit-name INTEGER ::= 64
4648  ub-title INTEGER ::= 64
4649  ub-serial-number INTEGER ::= 64
4650  ub-pseudonym INTEGER ::= 128
4651  ub-emailaddress-length INTEGER ::= 255
4652  ub-locality-name INTEGER ::= 128
4653  ub-common-name INTEGER ::= 64
4654  ub-name INTEGER ::= 32768

4656  -- Note - upper bounds on string types, such as TeletexString, are
4657  -- measured in characters. Excepting PrintableString or IA5String, a
4658  -- significantly greater number of octets will be required to hold
4659  -- such a value. As a minimum, 16 octets, or twice the specified
4660  -- upper bound, whichever is the larger, should be allowed for
4661  -- TeletexString. For UTF8String or UniversalString at least four
4662  -- times the upper bound should be allowed.

4664  -- Information object classes used in the definition
4665  -- of certificates and CRLs

4667  -- Parameterized Type SIGNED
4668  --
4669  -- Three different versions of doing SIGNED:
4670  -- 1. Simple and close to the previous version
4671  --
4672  -- SIGNED{ToBeSigned} ::= SEQUENCE {
4673  --     toBeSigned ToBeSigned,
4674  --     algorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM,
4675  --         {SignatureAlgorithms}},
4676  --     signature BIT STRING
4677  -- }

4679  -- 2. From Authenticated Framework
4680  --
4681  -- SIGNED{ToBeSigned} ::= SEQUENCE {
4682  --     toBeSigned ToBeSigned,
4683  --     COMPONENTS OF SIGNATURE{ToBeSigned}
4684  -- }
4685  -- SIGNATURE{ToBeSigned} ::= SEQUENCE {
4686  --     algorithmIdentifier AlgorithmIdentifier,
4687  --     encrypted ENCRYPTED-HASH{ToBeSigned}
4688  -- }
4689  -- ENCRYPTED-HASH{ToBeSigned} ::=
4690  --     BIT STRING
4691  --     (CONSTRAINED BY {
4692  --         shall be the result of applying a hashing procedure to
4693  --         the DER-encoded (see 6.1) octets of a value of
4694  --         ToBeSigned and then applying an encipherment procedure
4695  --         to those octets
4696  --     })
4697  --
4698  --
4699  -- 3. A more complex version, but one that automatically ties
4700  --    together both the signature algorithm and the
4701  --    signature value for automatic decoding.
4702  --
4703  SIGNED{ToBeSigned} ::= SEQUENCE {
4704      toBeSigned ToBeSigned,
4705      algorithmIdentifier SEQUENCE {
4706          algorithm SIGNATURE-ALGORITHM.
4707              &id({SignatureAlgorithms}),
4708          parameters SIGNATURE-ALGORITHM.
4709              &Params({SignatureAlgorithms}
4710                  {@algorithmIdentifier.algorithm})
4711      },
4712      signature BIT STRING (CONTAINING SIGNATURE-ALGORITHM.&Value(
4713              {SignatureAlgorithms}
4714              {@algorithmIdentifier.algorithm}))
4715  }

4717  END

4719  PKIX1Implicit-2009
4720      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4721      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
4722  DEFINITIONS IMPLICIT TAGS ::=
4723  BEGIN
4724  IMPORTS

4726  AttributeSet{}, EXTENSION, ATTRIBUTE
4727  FROM PKIX-CommonTypes-2009
4728      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4729      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

4731  id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name,
4732      RelativeDistinguishedName, CertificateSerialNumber,
4733      DirectoryString{}, SupportedAttributes
4734  FROM PKIX1Explicit-2009
4735      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
4736      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) };

4738  CertExtensions EXTENSION ::= {
4739      ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier |
4740      ext-KeyUsage | ext-PrivateKeyUsagePeriod |
4741      ext-CertificatePolicies | ext-PolicyMappings |
4742      ext-SubjectAltName | ext-IssuerAltName |
4743      ext-SubjectDirectoryAttributes |
4744      ext-BasicConstraints | ext-NameConstraints |
4745      ext-PolicyConstraints | ext-ExtKeyUsage |
4746      ext-CRLDistributionPoints | ext-InhibitAnyPolicy |
4747      ext-FreshestCRL | ext-AuthorityInfoAccess |
4748      ext-SubjectInfoAccessSyntax, ... }

4750  CrlExtensions EXTENSION ::= {
4751      ext-AuthorityKeyIdentifier | ext-IssuerAltName |
4752      ext-CRLNumber | ext-DeltaCRLIndicator |
4753      ext-IssuingDistributionPoint | ext-FreshestCRL, ... }

4755  CrlEntryExtensions EXTENSION ::= {
4756      ext-CRLReason | ext-CertificateIssuer |
4757      ext-HoldInstructionCode | ext-InvalidityDate, ... }

4759  -- Shared arc for standard certificate and CRL extensions

4761  id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }

4763  -- authority key identifier OID and syntax

4765  ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX
4766      AuthorityKeyIdentifier IDENTIFIED BY
4767      id-ce-authorityKeyIdentifier }
4768  id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }

4770  AuthorityKeyIdentifier ::= SEQUENCE {
4771      keyIdentifier             [0] KeyIdentifier OPTIONAL,
4772      authorityCertIssuer       [1] GeneralNames OPTIONAL,
4773      authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
4774  (WITH COMPONENTS {
4775      ...,
4776      authorityCertIssuer PRESENT,
4777      authorityCertSerialNumber PRESENT
4778   } |
4779   WITH COMPONENTS {
4780      ...,
4781      authorityCertIssuer ABSENT,
4782      authorityCertSerialNumber ABSENT
4783   })

4785  KeyIdentifier ::= OCTET STRING

4787  -- subject key identifier OID and syntax

4789  ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX
4790      KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier }
4791  id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }

4793  -- key usage extension OID and syntax

4795  ext-KeyUsage EXTENSION ::= { SYNTAX
4796      KeyUsage IDENTIFIED BY id-ce-keyUsage }
4797  id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
4798  KeyUsage ::= BIT STRING {
4799      digitalSignature (0),
4800      nonRepudiation   (1), -- recent editions of X.509 have
4801                            -- renamed this bit to
4802                            -- contentCommitment
4803      keyEncipherment  (2),
4804      dataEncipherment (3),
4805      keyAgreement     (4),
4806      keyCertSign      (5),
4807      cRLSign          (6),
4808      encipherOnly     (7),
4809      decipherOnly     (8)
4810  }

4812  -- private key usage period extension OID and syntax

4814  ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX
4815      PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod }
4816  id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }

4818  PrivateKeyUsagePeriod ::= SEQUENCE {
4819      notBefore [0] GeneralizedTime OPTIONAL,
4820      notAfter  [1] GeneralizedTime OPTIONAL }
4821  (WITH COMPONENTS {..., notBefore PRESENT } |
4822   WITH COMPONENTS {..., notAfter PRESENT })

4824  -- certificate policies extension OID and syntax

4826  ext-CertificatePolicies EXTENSION ::= { SYNTAX
4827      CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies}
4828  id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }

4830  CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

4832  PolicyInformation ::= SEQUENCE {
4833      policyIdentifier CertPolicyId,
4834      policyQualifiers SEQUENCE SIZE (1..MAX) OF
4835          PolicyQualifierInfo OPTIONAL }

4837  CertPolicyId ::= OBJECT IDENTIFIER

4839  CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER

4841  PolicyQualifierInfo ::= SEQUENCE {
4842      policyQualifierId CERT-POLICY-QUALIFIER.
4843          &id({PolicyQualifierId}),
4844      qualifier CERT-POLICY-QUALIFIER.
4845          &Type({PolicyQualifierId}{@policyQualifierId})}

4847  -- Implementations that recognize additional policy qualifiers MUST
4848  -- augment the following definition for PolicyQualifierId

4850  PolicyQualifierId CERT-POLICY-QUALIFIER ::=
4851      { pqid-cps | pqid-unotice, ... }

4853  pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }

4855  pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice
4856      IDENTIFIED BY id-qt-unotice }

4858  -- CPS pointer qualifier

4860  CPSuri ::= IA5String

4862  -- user notice qualifier

4864  UserNotice ::= SEQUENCE {
4865      noticeRef    NoticeReference OPTIONAL,
4866      explicitText DisplayText OPTIONAL}
4867  --
4868  -- This is not made explicit in the text
4869  --
4870  -- {WITH COMPONENTS {..., noticeRef PRESENT} |
4871  --  WITH COMPONENTS {..., DisplayText PRESENT }}

4873  NoticeReference ::= SEQUENCE {
4874      organization  DisplayText,
4875      noticeNumbers SEQUENCE OF INTEGER }

4877  DisplayText ::= CHOICE {
4878      ia5String     IA5String (SIZE (1..200)),
4879      visibleString VisibleString (SIZE (1..200)),
4880      bmpString     BMPString (SIZE (1..200)),
4881      utf8String    UTF8String (SIZE (1..200)) }

4883  -- policy mapping extension OID and syntax

4885  ext-PolicyMappings EXTENSION ::= { SYNTAX
4886      PolicyMappings IDENTIFIED BY id-ce-policyMappings }
4887  id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }

4889  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
4890      issuerDomainPolicy  CertPolicyId,
4891      subjectDomainPolicy CertPolicyId
4892  }

4894  -- subject alternative name extension OID and syntax
4895  ext-SubjectAltName EXTENSION ::= { SYNTAX
4896      GeneralNames IDENTIFIED BY id-ce-subjectAltName }
4897  id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }

4899  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

4901  GeneralName ::= CHOICE {
4902      otherName                 [0] INSTANCE OF OTHER-NAME,
4903      rfc822Name                [1] IA5String,
4904      dNSName                   [2] IA5String,
4905      x400Address               [3] ORAddress,
4906      directoryName             [4] Name,
4907      ediPartyName              [5] EDIPartyName,
4908      uniformResourceIdentifier [6] IA5String,
4909      iPAddress                 [7] OCTET STRING,
4910      registeredID              [8] OBJECT IDENTIFIER
4911  }

4913  -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
4914  -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

4916  OTHER-NAME ::= TYPE-IDENTIFIER

4918  EDIPartyName ::= SEQUENCE {
4919      nameAssigner [0] DirectoryString {ubMax} OPTIONAL,
4920      partyName    [1] DirectoryString {ubMax}
4921  }

4923  -- issuer alternative name extension OID and syntax

4925  ext-IssuerAltName EXTENSION ::= { SYNTAX
4926      GeneralNames IDENTIFIED BY id-ce-issuerAltName }
4927  id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }

4929  ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX
4930      SubjectDirectoryAttributes IDENTIFIED BY
4931      id-ce-subjectDirectoryAttributes }
4932  id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }

4934  SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
4935      AttributeSet{{SupportedAttributes}}

4937  -- basic constraints extension OID and syntax

4939  ext-BasicConstraints EXTENSION ::= { SYNTAX
4940      BasicConstraints IDENTIFIED BY id-ce-basicConstraints }
4941  id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
4942  BasicConstraints ::= SEQUENCE {
4943      cA                BOOLEAN DEFAULT FALSE,
4944      pathLenConstraint INTEGER (0..MAX) OPTIONAL
4945  }

4947  -- name constraints extension OID and syntax

4949  ext-NameConstraints EXTENSION ::= { SYNTAX
4950      NameConstraints IDENTIFIED BY id-ce-nameConstraints }
4951  id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }

4953  NameConstraints ::= SEQUENCE {
4954      permittedSubtrees [0] GeneralSubtrees OPTIONAL,
4955      excludedSubtrees  [1] GeneralSubtrees OPTIONAL
4956  }
4957  --
4958  -- This is a constraint in the issued certificates by CAs, but is
4959  -- not a requirement on EEs.
4960  --
4961  -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
4962  --  WITH COMPONENTS { ..., excludedSubtrees PRESENT }}

4964  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

4966  GeneralSubtree ::= SEQUENCE {
4967      base        GeneralName,
4968      minimum [0] BaseDistance DEFAULT 0,
4969      maximum [1] BaseDistance OPTIONAL
4970  }

4972  BaseDistance ::= INTEGER (0..MAX)

4974  -- policy constraints extension OID and syntax

4976  ext-PolicyConstraints EXTENSION ::= { SYNTAX
4977      PolicyConstraints IDENTIFIED BY id-ce-policyConstraints }
4978  id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }

4980  PolicyConstraints ::= SEQUENCE {
4981      requireExplicitPolicy [0] SkipCerts OPTIONAL,
4982      inhibitPolicyMapping  [1] SkipCerts OPTIONAL }
4983  --
4984  -- This is a constraint in the issued certificates by CAs,
4985  -- but is not a requirement for EEs
4986  --
4987  -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
4988  --  WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})
4989  SkipCerts ::= INTEGER (0..MAX)

4991  -- CRL distribution points extension OID and syntax

4993  ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
4994      CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}
4995  id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}

4997  CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

4999  DistributionPoint ::= SEQUENCE {
5000      distributionPoint [0] DistributionPointName OPTIONAL,
5001      reasons           [1] ReasonFlags OPTIONAL,
5002      cRLIssuer         [2] GeneralNames OPTIONAL
5003  }
5004  --
5005  -- This is not a requirement in the text, but it seems as if it
5006  -- should be
5007  --
5008  --(WITH COMPONENTS {..., distributionPoint PRESENT} |
5009  -- WITH COMPONENTS {..., cRLIssuer PRESENT})

5011  DistributionPointName ::= CHOICE {
5012      fullName                [0] GeneralNames,
5013      nameRelativeToCRLIssuer [1] RelativeDistinguishedName
5014  }

5016  ReasonFlags ::= BIT STRING {
5017      unused               (0),
5018      keyCompromise        (1),
5019      cACompromise         (2),
5020      affiliationChanged   (3),
5021      superseded           (4),
5022      cessationOfOperation (5),
5023      certificateHold      (6),
5024      privilegeWithdrawn   (7),
5025      aACompromise         (8)
5026  }

5028  -- extended key usage extension OID and syntax

5030  ext-ExtKeyUsage EXTENSION ::= { SYNTAX
5031      ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage }
5032  id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

5034  ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

5036  KeyPurposeId ::= OBJECT IDENTIFIER
5037  -- permit unspecified key uses

5039  anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

5041  -- extended key purpose OIDs

5043  id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
5044  id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
5045  id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
5046  id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
5047  id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }
5048  id-kp-OCSPSigning     OBJECT IDENTIFIER ::= { id-kp 9 }

5050  -- inhibit any policy OID and syntax

5052  ext-InhibitAnyPolicy EXTENSION ::= {SYNTAX
5053      SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy }
5054  id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }

5056  -- freshest (delta)CRL extension OID and syntax

5058  ext-FreshestCRL EXTENSION ::= {SYNTAX
5059      CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL }
5060  id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 }

5062  -- authority info access

5064  ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX
5065      AuthorityInfoAccessSyntax IDENTIFIED BY
5066      id-pe-authorityInfoAccess }
5067  id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

5069  AuthorityInfoAccessSyntax ::=
5070      SEQUENCE SIZE (1..MAX) OF AccessDescription

5072  AccessDescription ::= SEQUENCE {
5073      accessMethod   OBJECT IDENTIFIER,
5074      accessLocation GeneralName }

5076  -- subject info access

5078  ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX
5079      SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
5080  id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }

5082  SubjectInfoAccessSyntax ::=
5083      SEQUENCE SIZE (1..MAX) OF AccessDescription

5085  -- CRL number extension OID and syntax

5087  ext-CRLNumber EXTENSION ::= {SYNTAX
5088      INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
5089  id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

5091  CRLNumber ::= INTEGER (0..MAX)

5093  -- issuing distribution point extension OID and syntax

5095  ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX
5096      IssuingDistributionPoint IDENTIFIED BY
5097      id-ce-issuingDistributionPoint }
5098  id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }

5100  IssuingDistributionPoint ::= SEQUENCE {
5101      distributionPoint          [0] DistributionPointName OPTIONAL,
5102      onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
5103      onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
5104      onlySomeReasons            [3] ReasonFlags OPTIONAL,
5105      indirectCRL                [4] BOOLEAN DEFAULT FALSE,
5106      onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE
5107  }
5108  -- at most one of onlyContainsUserCerts, onlyContainsCACerts,
5109  -- and onlyContainsAttributeCerts may be set to TRUE.

5111  ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX
5112      CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator }
5113  id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

5115  -- CRL reasons extension OID and syntax

5117  ext-CRLReason EXTENSION ::= { SYNTAX
5118      CRLReason IDENTIFIED BY id-ce-cRLReasons }
5119  id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

5121  CRLReason ::= ENUMERATED {
5122      unspecified          (0),
5123      keyCompromise        (1),
5124      cACompromise         (2),
5125      affiliationChanged   (3),
5126      superseded           (4),
5127      cessationOfOperation (5),
5128      certificateHold      (6),
5129      removeFromCRL        (8),
5130      privilegeWithdrawn   (9),
5131      aACompromise         (10)
5132  }
5133  -- certificate issuer CRL entry extension OID and syntax

5135  ext-CertificateIssuer EXTENSION ::= { SYNTAX
5136      GeneralNames IDENTIFIED BY id-ce-certificateIssuer }
5137  id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

5139  -- hold instruction extension OID and syntax

5141  ext-HoldInstructionCode EXTENSION ::= { SYNTAX
5142      OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode }
5143  id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

5145  -- ANSI x9 holdinstructions

5147  holdInstruction OBJECT IDENTIFIER ::=
5148      {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
5149  id-holdinstruction-none OBJECT IDENTIFIER ::=
5150      {holdInstruction 1} -- deprecated
5151  id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
5152      {holdInstruction 2}
5153  id-holdinstruction-reject OBJECT IDENTIFIER ::=
5154      {holdInstruction 3}

5156  -- invalidity date CRL entry extension OID and syntax

5158  ext-InvalidityDate EXTENSION ::= { SYNTAX
5159      GeneralizedTime IDENTIFIED BY id-ce-invalidityDate }
5160  id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
5161  -- Upper bounds
5162  ubMax INTEGER ::= 32768

5164  END

5166  --
5167  -- This module is used to isolate all the X.400 naming information.
5168  -- There is no reason to expect this to occur in a PKIX certificate.
5169  --

5171  PKIX-X400Address-2009
5172      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
5173      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60) }
5174  DEFINITIONS EXPLICIT TAGS ::=
5175  BEGIN

5177  -- X.400 address syntax starts here

5179  ORAddress ::= SEQUENCE {
5180      built-in-standard-attributes BuiltInStandardAttributes,
5181      built-in-domain-defined-attributes
5182          BuiltInDomainDefinedAttributes OPTIONAL,
5183      -- see also teletex-domain-defined-attributes
5184      extension-attributes ExtensionAttributes OPTIONAL }

5186  -- Built-in Standard Attributes

5188  BuiltInStandardAttributes ::= SEQUENCE {
5189      country-name CountryName OPTIONAL,
5190      administration-domain-name AdministrationDomainName OPTIONAL,
5191      network-address [0] IMPLICIT NetworkAddress OPTIONAL,
5192      -- see also extended-network-address
5193      terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL,
5194      private-domain-name [2] PrivateDomainName OPTIONAL,
5195      organization-name [3] IMPLICIT OrganizationName OPTIONAL,
5196      -- see also teletex-organization-name
5197      numeric-user-identifier [4] IMPLICIT NumericUserIdentifier
5198          OPTIONAL,
5199      personal-name [5] IMPLICIT PersonalName OPTIONAL,
5200      -- see also teletex-personal-name
5201      organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
5202          OPTIONAL }
5203      -- see also teletex-organizational-unit-names

5205  CountryName ::= [APPLICATION 1] CHOICE {
5206      x121-dcc-code NumericString
5207          (SIZE (ub-country-name-numeric-length)),
5208      iso-3166-alpha2-code PrintableString
5209          (SIZE (ub-country-name-alpha-length)) }

5211  AdministrationDomainName ::= [APPLICATION 2] CHOICE {
5212      numeric NumericString (SIZE (0..ub-domain-name-length)),
5213      printable PrintableString (SIZE (0..ub-domain-name-length)) }

5215  NetworkAddress ::= X121Address -- see also extended-network-address

5217  X121Address ::= NumericString (SIZE (1..ub-x121-address-length))

5219  TerminalIdentifier ::= PrintableString (SIZE
5220      (1..ub-terminal-id-length))

5222  PrivateDomainName ::= CHOICE {
5223      numeric NumericString (SIZE (1..ub-domain-name-length)),
5224      printable PrintableString (SIZE (1..ub-domain-name-length)) }

5226  OrganizationName ::= PrintableString
5227      (SIZE (1..ub-organization-name-length))
5228      -- see also teletex-organization-name

5230  NumericUserIdentifier ::= NumericString
5231      (SIZE (1..ub-numeric-user-id-length))

5233  PersonalName ::= SET {
5234      surname [0] IMPLICIT PrintableString
5235          (SIZE (1..ub-surname-length)),
5236      given-name [1] IMPLICIT PrintableString
5237          (SIZE (1..ub-given-name-length)) OPTIONAL,
5238      initials [2] IMPLICIT PrintableString
5239          (SIZE (1..ub-initials-length)) OPTIONAL,
5240      generation-qualifier [3] IMPLICIT PrintableString
5241          (SIZE (1..ub-generation-qualifier-length))
5242          OPTIONAL }
5243      -- see also teletex-personal-name

5245  OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
5246      OF OrganizationalUnitName
5247      -- see also teletex-organizational-unit-names

5249  OrganizationalUnitName ::= PrintableString (SIZE
5250      (1..ub-organizational-unit-name-length))

5252  -- Built-in Domain-defined Attributes

5254  BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
5255      (1..ub-domain-defined-attributes) OF
5256      BuiltInDomainDefinedAttribute

5258  BuiltInDomainDefinedAttribute ::= SEQUENCE {
5259      type PrintableString (SIZE
5260          (1..ub-domain-defined-attribute-type-length)),
5261      value PrintableString (SIZE
5262          (1..ub-domain-defined-attribute-value-length)) }

5264  -- Extension Attributes

5266  ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
5267      ExtensionAttribute

5269  EXTENSION-ATTRIBUTE ::= CLASS {
5270      &id INTEGER (0..ub-extension-attributes) UNIQUE,
5271      &Type
5272  } WITH SYNTAX { &Type IDENTIFIED BY &id }

5274  ExtensionAttribute ::= SEQUENCE {
5275      extension-attribute-type [0] IMPLICIT EXTENSION-ATTRIBUTE.
5276          &id({SupportedExtensionAttributes}),
5277      extension-attribute-value [1] EXTENSION-ATTRIBUTE.

5279          &Type({SupportedExtensionAttributes}
5280              {@extension-attribute-type})}

5282  SupportedExtensionAttributes EXTENSION-ATTRIBUTE ::= {
5283      ea-commonName | ea-teletexCommonName | ea-teletexOrganizationName
5284      | ea-teletexPersonalName | ea-teletexOrganizationalUnitNames |
5285      ea-pDSName | ea-physicalDeliveryCountryName | ea-postalCode |
5286      ea-physicalDeliveryOfficeName | ea-physicalDeliveryOfficeNumber |
5287      ea-extensionORAddressComponents | ea-physicalDeliveryPersonalName
5288      | ea-physicalDeliveryOrganizationName |
5289      ea-extensionPhysicalDeliveryAddressComponents |
5290      ea-unformattedPostalAddress | ea-streetAddress |
5291      ea-postOfficeBoxAddress | ea-posteRestanteAddress |
5292      ea-uniquePostalName | ea-localPostalAttributes |
5293      ea-extendedNetworkAddress | ea-terminalType |
5294      ea-teletexDomainDefinedAttributes, ... }

5296  -- Extension types and attribute values

5298  ea-commonName EXTENSION-ATTRIBUTE ::= { PrintableString
5299      (SIZE (1..ub-common-name-length)) IDENTIFIED BY 1 }

5301  ea-teletexCommonName EXTENSION-ATTRIBUTE ::= {TeletexString
5302      (SIZE (1..ub-common-name-length)) IDENTIFIED BY 2 }

5304  ea-teletexOrganizationName EXTENSION-ATTRIBUTE::= { TeletexString
5305      (SIZE (1..ub-organization-name-length)) IDENTIFIED BY 3 }

5307  ea-teletexPersonalName EXTENSION-ATTRIBUTE ::= {SET {
5308      surname [0] IMPLICIT TeletexString
5309          (SIZE (1..ub-surname-length)),
5310      given-name [1] IMPLICIT TeletexString
5311          (SIZE (1..ub-given-name-length)) OPTIONAL,
5312      initials [2] IMPLICIT TeletexString
5313          (SIZE (1..ub-initials-length)) OPTIONAL,
5314      generation-qualifier [3] IMPLICIT TeletexString
5315          (SIZE (1..ub-generation-qualifier-length))
5316          OPTIONAL } IDENTIFIED BY 4 }

5318  ea-teletexOrganizationalUnitNames EXTENSION-ATTRIBUTE ::=
5319      { SEQUENCE SIZE (1..ub-organizational-units) OF
5320          TeletexOrganizationalUnitName IDENTIFIED BY 5 }

5322  TeletexOrganizationalUnitName ::= TeletexString
5323      (SIZE (1..ub-organizational-unit-name-length))

5325  ea-pDSName EXTENSION-ATTRIBUTE ::= {PrintableString
5326      (SIZE (1..ub-pds-name-length)) IDENTIFIED BY 7 }

5328  ea-physicalDeliveryCountryName EXTENSION-ATTRIBUTE ::= { CHOICE {
5329      x121-dcc-code NumericString (SIZE
5330          (ub-country-name-numeric-length)),
5331      iso-3166-alpha2-code PrintableString
5332          (SIZE (ub-country-name-alpha-length)) }
5333      IDENTIFIED BY 8 }

5335  ea-postalCode EXTENSION-ATTRIBUTE ::= { CHOICE {
5336      numeric-code NumericString (SIZE (1..ub-postal-code-length)),
5337      printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
5338      IDENTIFIED BY 9 }

5340  ea-physicalDeliveryOfficeName EXTENSION-ATTRIBUTE ::=
5341      { PDSParameter IDENTIFIED BY 10 }

5343  ea-physicalDeliveryOfficeNumber EXTENSION-ATTRIBUTE ::=
5344      {PDSParameter IDENTIFIED BY 11 }

5346  ea-extensionORAddressComponents EXTENSION-ATTRIBUTE ::=
5347      {PDSParameter IDENTIFIED BY 12 }

5349  ea-physicalDeliveryPersonalName EXTENSION-ATTRIBUTE ::=
5350      {PDSParameter IDENTIFIED BY 13}

5352  ea-physicalDeliveryOrganizationName EXTENSION-ATTRIBUTE ::=
5353      {PDSParameter IDENTIFIED BY 14 }

5355  ea-extensionPhysicalDeliveryAddressComponents EXTENSION-ATTRIBUTE ::=
5356      {PDSParameter IDENTIFIED BY 15 }

5358  ea-unformattedPostalAddress EXTENSION-ATTRIBUTE ::= { SET {
5359      printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
5360          OF PrintableString (SIZE (1..ub-pds-parameter-length))
5361          OPTIONAL,
5362      teletex-string TeletexString
5363          (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
5364      IDENTIFIED BY 16 }

5366  ea-streetAddress EXTENSION-ATTRIBUTE ::=
5367      {PDSParameter IDENTIFIED BY 17 }

5369  ea-postOfficeBoxAddress EXTENSION-ATTRIBUTE ::=
5370      {PDSParameter IDENTIFIED BY 18 }

5372  ea-posteRestanteAddress EXTENSION-ATTRIBUTE ::=
5373      {PDSParameter IDENTIFIED BY 19 }

5375  ea-uniquePostalName EXTENSION-ATTRIBUTE ::=
5376      { PDSParameter IDENTIFIED BY 20 }

5378  ea-localPostalAttributes EXTENSION-ATTRIBUTE ::=
5379      {PDSParameter IDENTIFIED BY 21 }

5381  PDSParameter ::= SET {
5382      printable-string PrintableString
5383          (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
5384      teletex-string TeletexString
5385          (SIZE(1..ub-pds-parameter-length)) OPTIONAL }

5387  ea-extendedNetworkAddress EXTENSION-ATTRIBUTE ::= {
5388      CHOICE {
5389          e163-4-address SEQUENCE {
5390              number [0] IMPLICIT NumericString
5391                  (SIZE (1..ub-e163-4-number-length)),
5392              sub-address [1] IMPLICIT NumericString
5393                  (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL
5394          },
5395          psap-address [0] IMPLICIT PresentationAddress
5396      } IDENTIFIED BY 22
5397  }

5399  PresentationAddress ::= SEQUENCE {
5400      pSelector  [0] EXPLICIT OCTET STRING OPTIONAL,
5401      sSelector  [1] EXPLICIT OCTET STRING OPTIONAL,
5402      tSelector  [2] EXPLICIT OCTET STRING OPTIONAL,
5403      nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }

5405  ea-terminalType EXTENSION-ATTRIBUTE ::= {INTEGER {
5406      telex        (3),
5407      teletex      (4),
5408      g3-facsimile (5),
5409      g4-facsimile (6),
5410      ia5-terminal (7),
5411      videotex     (8) } (0..ub-integer-options)
5412      IDENTIFIED BY 23 }

5414  -- Extension Domain-defined Attributes

5416  ea-teletexDomainDefinedAttributes EXTENSION-ATTRIBUTE ::=
5417      { SEQUENCE SIZE (1..ub-domain-defined-attributes) OF
5418          TeletexDomainDefinedAttribute IDENTIFIED BY 6 }

5420  TeletexDomainDefinedAttribute ::= SEQUENCE {
5421      type TeletexString
5422          (SIZE (1..ub-domain-defined-attribute-type-length)),

5424      value TeletexString
5425          (SIZE (1..ub-domain-defined-attribute-value-length)) }

5427  -- specifications of Upper Bounds MUST be regarded as mandatory
5428  -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
5429  -- Upper Bounds

5431  -- Upper Bounds
5432  ub-match                                 INTEGER ::= 128
5433  ub-common-name-length                    INTEGER ::= 64
5434  ub-country-name-alpha-length             INTEGER ::= 2
5435  ub-country-name-numeric-length           INTEGER ::= 3
5436  ub-domain-defined-attributes             INTEGER ::= 4
5437  ub-domain-defined-attribute-type-length  INTEGER ::= 8
5438  ub-domain-defined-attribute-value-length INTEGER ::= 128
5439  ub-domain-name-length                    INTEGER ::= 16
5440  ub-extension-attributes                  INTEGER ::= 256
5441  ub-e163-4-number-length                  INTEGER ::= 15
5442  ub-e163-4-sub-address-length             INTEGER ::= 40
5443  ub-generation-qualifier-length           INTEGER ::= 3
5444  ub-given-name-length                     INTEGER ::= 16
5445  ub-initials-length                       INTEGER ::= 5
5446  ub-integer-options                       INTEGER ::= 256
5447  ub-numeric-user-id-length                INTEGER ::= 32
5448  ub-organization-name-length              INTEGER ::= 64
5449  ub-organizational-unit-name-length       INTEGER ::= 32
5450  ub-organizational-units                  INTEGER ::= 4
5451  ub-pds-name-length                       INTEGER ::= 16
5452  ub-pds-parameter-length                  INTEGER ::= 30
5453  ub-pds-physical-address-lines            INTEGER ::= 6
5454  ub-postal-code-length                    INTEGER ::= 16
5455  ub-surname-length                        INTEGER ::= 40
5456  ub-terminal-id-length                    INTEGER ::= 24
5457  ub-unformatted-address-length            INTEGER ::= 180
5458  ub-x121-address-length                   INTEGER ::= 16

5460  -- Note - upper bounds on string types, such as TeletexString, are
5461  -- measured in characters.  Excepting PrintableString or IA5String, a
5462  -- significantly greater number of octets will be required to hold
5463  -- such a value.  As a minimum, 16 octets, or twice the specified
5464  -- upper bound, whichever is the larger, should be allowed for
5465  -- TeletexString.  For UTF8String or UniversalString at least four
5466  -- times the upper bound should be allowed.

5468  END

5470  15.  IANA Considerations

5472     There are no IANA actions needed for this document.

5474  16.  Security Considerations

5476     Even though all the RFCs in this document are security-related, the
5477     document itself does not have any security considerations.  The ASN.1
5478     modules keep the same bits-on-the-wire as the modules that they
5479     replace.

5481  17.  Normative References

5483     [ASN1-2002]
5484                ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and
5485                X.683", ITU-T X.680, X.681, X.682, and X.683, 2002.

5487     [NEW-CMS-SMIME]
5488                Hoffman, P. and J. Schaad, "New ASN.1 Modules for CMS and
5489                S/MIME", draft-ietf-smime-new-asn1 (work in progress),
5490                December 2007.

5492     [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
5493                Adams, "X.509 Internet Public Key Infrastructure Online
5494                Certificate Status Protocol - OCSP", RFC 2560, June 1999.

5496     [RFC2986]  Nystrom, M. and B. Kaliski, "PKCS #10: Certification
5497                Request Syntax Specification Version 1.7", RFC 2986,
5498                November 2000.

5500     [RFC3279]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
5501                Identifiers for the Internet X.509 Public Key
5502                Infrastructure Certificate and Certificate Revocation List
5503                (CRL) Profile", RFC 3279, April 2002.

5505     [RFC3281]  Farrell, S. and R. Housley, "An Internet Attribute
5506                Certificate Profile for Authorization", RFC 3281,
5507                April 2002.

5509     [RFC3852]  Housley, R., "Cryptographic Message Syntax (CMS)",
5510                RFC 3852, July 2004.

5512     [RFC4055]  Schaad, J., Kaliski, B., and R. Housley, "Additional
5513                Algorithms and Identifiers for RSA Cryptography for use in
5514                the Internet X.509 Public Key Infrastructure Certificate
5515                and Certificate Revocation List (CRL) Profile", RFC 4055,
5516                June 2005.

5518     [RFC4210]  Adams, C., Farrell, S., Kause, T., and T. Mononen,
5519                "Internet X.509 Public Key Infrastructure Certificate
5520                Management Protocol (CMP)", RFC 4210, September 2005.

5522     [RFC4211]  Schaad, J., "Internet X.509 Public Key Infrastructure
5523                Certificate Request Message Format (CRMF)", RFC 4211,
5524                September 2005.

5526     [RFC5055]  Freeman, T., Housley, R., Malpani, A., Cooper, D., and W.
5527                Polk, "Server-Based Certificate Validation Protocol
5528                (SCVP)", RFC 5055, December 2007.

5530     [RFC5272]  Schaad, J. and M. Myers, "Certificate Management over CMS
5531                (CMC)", RFC 5272, June 2008.

5533     [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
5534                Housley, R., and W. Polk, "Internet X.509 Public Key
5535                Infrastructure Certificate and Certificate Revocation List
5536                (CRL) Profile", RFC 5280, May 2008.

5538  Appendix A.  Change History

5540     [[ This entire section is to be removed upon publication. ]]

5542  A.1.  Changes between draft-hoffman-pkix-new-asn1-00 and
5543        draft-ietf-pkix-new-asn1-00

5545     Changed the draft name.

5547     Added the PKIX common definitions module.

5549     Added RFC 4055.

5551     Made RFC-to-be 5055 into RFC 5055.

5553     In RFC 2560, there was an error.  Changed from "id-pkix-ocsp OBJECT
5554     IDENTIFIER ::= { id-ad-ocsp }" to "id-pkix-ocsp OBJECT IDENTIFIER ::=
5555     id-ad-ocsp".

5557     In RFC 3280, made the DirectoryString definition match the order and
5558     spelling of that of X.520.

5560     In the imports of the RFC 3280 implicit module, the DirectoryString
5561     type is now SIGNED{} because it is a parameterized type.

5563     In the imports of the RFC 3281 module, the SIGNED type is now
5564     SIGNED{} because it is a parameterized type.

5566     Combined the two modules for RFC 3280 (explicit and implicit) into
5567     one section.

5569  A.2.  Changes between draft-ietf-pkix-new-asn1-00 and -01

5571     Added module for algorithm classes and modified RFC 3279 ASN.1 to use
5572     the classes defined.

5574  A.3.  Changes between draft-ietf-pkix-new-asn1-01 and -02

5576     Added design notes.

5578     Removed issue on "Algorithm Structure" and "More Modules To Be
5579     Added".

5581     Updated all modules to use objects more deeply.

5583     Removed RFC 3280 and added RFC 5280.

5585     Added RFC 5272 (CMC).

5587  A.4.  Changes between draft-ietf-pkix-new-asn1-02 and -03

5589     Many cosmetic-only changes to the modules.

5591     Changed some multi-word keywords to hyphenated (such as "SMIME CAPS"
5592     to "SMIME-CAPS").

5594     In section 6, added "Note that this module also contains information
5595     from RFC-to-be 5480."  Will add a real reference in future version of
5596     this draft.

5598     In section 6, added the labels for the id-keyExchangeAlgorithm OID.

5600     Updated the reference of X.680 to X.680, X.681, X.682, and X.683.

5602  A.5.  Changes between draft-ietf-pkix-new-asn1-03 and -04

5604     Changed the status of the document.

5606     In PKIX-CommonTypes, replaced "ExtensionSet" with "Extensions".  This
5607     affected many other modules that use PKIX-CommonTypes.

5609     In RFC 5055, changed swb-pkc-cert from "{INTEGER IDENTIFIED BY id-
5610     swb-pkc-cert }" to "{ Certificate IDENTIFIED BY id-swb-pkc-cert }",
5611     and changed swb-ac-cert from "{INTEGER IDENTIFIED BY id-swb-ac-cert
5612     }" to "{ AttributeCertificate IDENTIFIED BY id-swb-ac-cert }".

5614  A.6.  Changes between draft-ietf-pkix-new-asn1-04 and -05

5616     Removed the "Issues" section from section 1, which should have been
5617     done in the last draft.

5619  A.7.  Changes between draft-ietf-pkix-new-asn1-05 and -06

5621     Minor nits to keep the nits checker happy.

5623  A.8.  Changes between draft-ietf-pkix-new-asn1-06 and -07

5625     In the AlgorithmInformation module, there was an error in a
5626     commented-out example.  Changed "-- HASHES {sha1 | md5, ... }" to "--
5627     HASHES { mda-sha1 | mda-md5, ... }".

5629     In the module for RFC 3279, changed from:

5631     ECParameters ::= CHOICE {
5632         namedCurve CURVE.&id({NamedCurve}),
5633         implicitCurve NULL
5634         -- specifiedCurve SpecifiedCurve
5635         -- specifiedCurve MUST NOT be used in PKIX
5636         -- Details for specifiedCurve can be found in [X9.62]
5637         -- Any future additions to this CHOICE should be coordinated
5638         -- with ANSI X.9.
5639     }

5641     to:

5643     ECParameters ::= CHOICE {
5644         namedCurve CURVE.&id({NamedCurve}) --,
5645         -- implicitCurve NULL
5646         -- implicitCurve MUST NOT be used in PKIX
5647         -- specifiedCurve SpecifiedCurve
5648         -- specifiedCurve MUST NOT be used in PKIX
5649         -- Details for specifiedCurve can be found in [X9.62]
5650         -- Any future additions to this CHOICE should be coordinated
5651         -- with ANSI X.9.
5652     }
5653     -- If you need to be able to decode ANSI X.9 parameter structures, then
5654     -- uncomment the implicitCurve and specificCurve above, and also
5655     -- uncomment the follow:
5656     --(WITH COMPONENTS {namedCurve PRESENT})

5658     Changed "memberBody" to "member-body" in the modules for RFCs 4210
5659     and 4211.

5661  Authors' Addresses

5663     Paul Hoffman
5664     VPN Consortium
5665     127 Segre Place
5666     Santa Cruz, CA 95060
5667     US

5669     Phone: 1-831-426-9827
5670     Email: paul.hoffman@vpnc.org

5672     Jim Schaad
5673     Soaring Hawk Consulting

5675     Email: jimsch@exmsft.com