idnits 2.17.1

draft-ietf-smime-new-asn1-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 17.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 1757.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1768.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1775.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1781.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 234: '... j INTEGER OPTIONAL, -- subgroup...'
     RFC 2119 keyword, line 235: '...dationParms ValidationParms OPTIONAL }...'
     RFC 2119 keyword, line 280: '... keyLength INTEGER (1..MAX) OPTIONAL,...'
     RFC 2119 keyword, line 286: '...InfoObjectSet}{@algorithm}) OPTIONAL }...'
     RFC 2119 keyword, line 400: '...tood. Algorithms SHOULD be ordered by...'
     (51 more instances...)

  -- The draft header indicates that this document updates RFC3370, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC3565, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC3851, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC3852, but the
     abstract doesn't seem to mention this, which it should.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

     (Using the creation date from RFC3370, updated by this document, for
     RFC5378 checks: 2001-04-25)

     (Using the creation date from RFC3565, updated by this document, for
     RFC5378 checks: 2000-11-22)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (December 21, 2007) is 5971 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '0' on line 1603

  -- Looks like a reference, but probably isn't: '1' on line 1606

  -- Looks like a reference, but probably isn't: '2' on line 1608

  == Missing Reference: 'CMSALG' is mentioned on line 457, but not defined

  == Missing Reference: 'CMS' is mentioned on line 468, but not defined

  -- Looks like a reference, but probably isn't: '3' on line 797

  -- Looks like a reference, but probably isn't: '4' on line 628

  == Unused Reference: 'ETH' is defined on line 1664, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ASN1-2002'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ETH'

  ** Downref: Normative reference to an Informational draft:
     draft-ietf-pkix-new-asn1 (ref. 'NEW-PKIX')

  ** Obsolete normative reference: RFC 3851 (Obsoleted by RFC 5751)

  ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652)

     Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 18 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2  Network Working Group                                        P. Hoffman
3  Internet-Draft                                           VPN Consortium
4  Updates: 3370, 3565, 3851, 3852,                              J. Schaad
5           4108, 4998, 5035, 5083, 5084           Soaring Hawk Consulting
6  (if approved)                                         December 21, 2007
7  Expires: June 23, 2008

9                 New ASN.1 Modules for CMS and S/MIME
10                  draft-ietf-smime-new-asn1-00.txt

12  Status of this Memo

14     By submitting this Internet-Draft, each author represents that any
15     applicable patent or other IPR claims of which he or she is aware
16     have been or will be disclosed, and any of which he or she becomes
17     aware will be disclosed, in accordance with Section 6 of BCP 79.

19     Internet-Drafts are working documents of the Internet Engineering
20     Task Force (IETF), its areas, and its working groups.  Note that
21     other groups may also distribute working documents as Internet-
22     Drafts.

24     Internet-Drafts are draft documents valid for a maximum of six months
25     and may be updated, replaced, or obsoleted by other documents at any
26     time.  It is inappropriate to use Internet-Drafts as reference
27     material or to cite them other than as "work in progress."

29     The list of current Internet-Drafts can be accessed at
30     http://www.ietf.org/ietf/1id-abstracts.txt.

32     The list of Internet-Draft Shadow Directories can be accessed at
33     http://www.ietf.org/shadow.html.

35     This Internet-Draft will expire on June 23, 2008.

37  Copyright Notice

39     Copyright (C) The IETF Trust (2007).

41  Abstract

43     The Cryptographic Message Syntax (CMS) format, and many associated
44     formats, are expressed using ASN.1.  The current ASN.1 modules
45     conform to the 1988 version of ASN.1.  This document updates those
46     ASN.1 modules to conform to the 2002 version of ASN.1.  There are no
47     bits-on-the-wire changes to any of the formats; this is simply a
48     change to the syntax.

50  Table of Contents

52     1.  Introduction
53       1.1.  Issues
54         1.1.1.  More Modules To Be Added
55         1.1.2.  Algorithm Structure
56         1.1.3.  Module OIDs Changing
57     2.  ASN.1 Module for RFC 3370
58     3.  ASN.1 Module for RFC 3565
59     4.  ASN.1 Module for RFC 3851
60     5.  ASN.1 Module for RFC 3852
61     6.  ASN.1 Module for RFC 4108
62     7.  ASN.1 Module for RFC 4998
63     8.  ASN.1 Module for RFC 5035
64     9.  ASN.1 Module for RFC 5083
65     10. ASN.1 Module for RFC 5084
66     11. Security Considerations
67     12. Normative References
68     Appendix A.  Change History
69       A.1.  Changes between draft-hoffman-cms-new-asn1-00 and
70             draft-ietf-smime-new-asn1-00
71     Authors' Addresses
72     Intellectual Property and Copyright Statements

74  1.  Introduction

76     Some developers would like the IETF to use the latest version of
77     ASN.1 in its standards.  Most of the RFCs that relate to security
78     protocols still use ASN.1 from the 1988 standard, which has been
79     deprecated.  This is particularly true for the standards that relate
80     to PKIX, CMS, and S/MIME.

82     This document updates the following RFCs to use ASN.1 modules that
83     conform to the 2002 version of ASN.1 [ASN1-2002].  Note that not all
84     the modules are updated; some are included to simply make the set
85     complete.

87     o  RFC 3370, CMS Algorithms [RFC3370]

89     o  RFC 3565, Use of AES in CMS [RFC3565]

91     o  RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851]

93     o  RFC 3852, CMS main [RFC3852]

95     o  RFC 4108, Using CMS to Protect Firmware Packages [RFC4108]

97     o  RFC 4998, Evidence Record Syntax (ERS) [RFC4998]

99     o  RFC 5035, Enhanced Security Services (ESS) [RFC5035]

101    o  RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]

103    o  RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in
104       CMS [RFC5084]

106    Note that some of the modules in this document get some of their
107    definitions from places different than the modules in the original
108    RFCs.  The idea is that these modules, when combined with the modules
109    in [NEW-PKIX] can stand on their own and do not need to import
110    definitions from anywhere else.  Note that some of the modules here
111    import definitions from the common definitions module, "PKIX-
112    CommonTypes", in [NEW-PKIX].

114  1.1.  Issues

116    This section will be removed before final publication.

118  1.1.1.  More Modules To Be Added

120    There are many modules from standards-track RFCs that are not listed
121    in this document or the companion document on PKIX.  We will discuss
122    with the two communities which modules are appropriate for the two
123    documents.  We will also consider making "super-modules", individual
124    modules which might update multiple RFCs at one time.  We may also
125    add objects to some of the modules.

127  1.1.2.  Algorithm Structure

129    Algorithms are currently not defined here.  We need to discuss what
130    structure we want for algorithm objects.  Currently, we just do
131    "parameter, OID", but we could add more.  Because we don't know what
132    the final structure is, the object sets in the various modules are
133    commented out.  We will fix this before finishing this project.

135  1.1.3.  Module OIDs Changing

137    The OIDs given in the modules in this version of the document are the
138    same as the OIDs from the original modules, even though some of the
139    modules have changed syntax.  That is clearly incorrect.  In a later
140    version of this document, we will change the OIDs for every changed
141    module.

143  2.  ASN.1 Module for RFC 3370

145    CryptographicMessageSyntaxAlgorithms
146        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
147          smime(16) modules(0) cmsalg-2001(16) }
148    DEFINITIONS IMPLICIT TAGS ::=
149    BEGIN

151    IMPORTS

153    ALGORITHM
154    FROM PKIX-CommonTypes
155        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
156        mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) };

158    -- Algorithm Identifiers

160    sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
161        oiw(14) secsig(3) algorithm(2) 26 }

163    md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
164        rsadsi(113549) digestAlgorithm(2) 5 }

166    id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
167        x9-57(10040) x9cm(4) 1 }

169    id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
170        us(840) x9-57(10040) x9cm(4) 3 }

172    rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
173        us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

175    md5WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
176        member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

178    sha1WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
179        member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

181    dh-public-number OBJECT IDENTIFIER ::= { iso(1) member-body(2)
182        us(840) ansi-x942(10046) number-type(2) 1 }

184    id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
185        rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }

187    id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
188        rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }

190    id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
191        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }

193    id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
194        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }

196    des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
197        us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }

199    rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
200        rsadsi(113549) encryptionAlgorithm(3) 2 }

202    hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
203        dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }

205    id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
206        rsadsi(113549) pkcs(1) pkcs-5(5) 12 }

208    -- Public Key Types

210    Dss-Pub-Key ::= INTEGER  -- Y

212    RSAPublicKey ::= SEQUENCE {
213        modulus INTEGER,  -- n
214        publicExponent INTEGER }  -- e

216    DHPublicKey ::= INTEGER  -- y = g^x mod p
217    -- Signature Value Types

219    Dss-Sig-Value ::= SEQUENCE {
220        r INTEGER,
221        s INTEGER }

223    -- Algorithm Identifier Parameter Types

225    Dss-Parms ::= SEQUENCE {
226        p INTEGER,
227        q INTEGER,
228        g INTEGER }

230    DHDomainParameters ::= SEQUENCE {
231        p INTEGER,  -- odd prime, p=jq +1
232        g INTEGER,  -- generator, g
233        q INTEGER,  -- factor of p-1
234        j INTEGER OPTIONAL,  -- subgroup factor
235        validationParms ValidationParms OPTIONAL }

237    ValidationParms ::= SEQUENCE {
238        seed BIT STRING,
239        pgenCounter INTEGER }

241    KeyWrapAlgorithm ::=
242        AlgorithmIdentifier {{SupportedKeyWrapAlgorithms}}

244    SupportedKeyWrapAlgorithms ALGORITHM ::= { ... }

246    RC2wrapParameter ::= RC2ParameterVersion

248    RC2ParameterVersion ::= INTEGER

250    CBCParameter ::= IV

252    IV ::= OCTET STRING  -- exactly 8 octets

254    RC2CBCParameter ::= SEQUENCE {
255        rc2ParameterVersion INTEGER (1..256),
256        iv OCTET STRING  }  -- exactly 8 octets

258    algid-hMAC-SHA1 ALGORITHM ::= { OID hMAC-SHA1 PARAMS NULL }

260    -- Another way to do the following would be:
261    -- alg-hMAC-SHA1 AlgorithmIdentifier{{PBKDF2-PRFs}} ::=
262    --    { algorithm hMAC-SHA1, parameters NULL:NULL }

264    PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{{PBKDF2-PRFs}}
265    alg-hMAC-SHA1 PBKDF2-PRFsAlgorithmIdentifier ::=
266        { algorithm hMAC-SHA1, parameters NULL:NULL }

268    PBKDF2-SaltSources ALGORITHM ::= { ... }

270    PBKDF2-PRFs ALGORITHM ::= { algid-hMAC-SHA1, ... }

272    PBKDF2-SaltSourcesAlgorithmIdentifier ::=
273        AlgorithmIdentifier {{PBKDF2-SaltSources}}

275    PBKDF2-params ::= SEQUENCE {
276        salt CHOICE {
277            specified OCTET STRING,
278            otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
279        iterationCount INTEGER (1..MAX),
280        keyLength INTEGER (1..MAX) OPTIONAL,
281        prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
282            alg-hMAC-SHA1 }

284    AlgorithmIdentifier { ALGORITHM:InfoObjectSet } ::= SEQUENCE {
285        algorithm ALGORITHM.&id({InfoObjectSet}),
286        parameters ALGORITHM.&Type({InfoObjectSet}{@algorithm}) OPTIONAL }

288    MessageDigestAlgorithms ALGORITHM ::= {
289        alg-sha1-null,... }

291    alg-sha1-null ALGORITHM ::= { OID sha-1 PARAMS NULL }
292    alg-sha1-noNull ALGORITHM ::= { OID sha-1 }
293    alg-md5 ALGORITHM ::= { OID md5 PARAMS NULL }
294    alg-md5-noNull ALGORITHM ::= { OID md5 }

296    SignatureAlgorithms ALGORITHM ::= { ... }

298    param-dsa ALGORITHM ::= { OID id-dsa PARAMS Dss-Parms }
299    pubkey-dsa ALGORITHM ::= { OID id-dsa PARAMS Dss-Pub-Key }

301    -- sig-dsa-with-sha1 ALGORITHM ::= { OID id-dsa-with-sha1 }
302    sigVal-dsa-with-sha1 ALGORITHM ::= { OID id-dsa-with-sha1
303        PARAMS Dss-Sig-Value }

305    param-rsa ALGORITHM ::= { OID rsaEncryption PARAMS NULL}
306    pubkey-rsa ALGORITHM ::= { OID rsaEncryption PARAMS RSAPublicKey }

308    sig-rsa ALGORITHM ::= { OID rsaEncryption PARAMS NULL}
309    sig-rsa-sha1 ALGORITHM ::= { OID sha1WithRSAEncryption PARAMS NULL}
310    sig-rsa-md5 ALGORITHM ::= { OID md5WithRSAEncryption PARAMS NULL}
311    -- No ASN.1 encoding is applied to the signature value
312    -- for these items
313    KeyAgreementAlgorithms ALGORITHM ::= {...}

315    -- pubkey-dh ALGORITHM ::= { ABSENT OID dh-public-number }

317    kea-esdh ALGORITHM ::= { OID id-alg-ESDH PARAMS KeyWrapAlgorithm }
318    kea-ssdh ALGORITHM ::= { OID id-alg-SSDH PARAMS KeyWrapAlgorithm }

320    KeyTransportAlgorithms ALGORITHM ::= {...}

322    SymmetricKeyEncryptionAlgorthms ALGORITHM ::=
323        { alg-3DESWrap | alg-RC2Wrap }

325    alg-3DESWrap ALGORITHM ::= { OID id-alg-CMS3DESwrap PARAMS NULL }
326    alg-RC2Wrap ALGORITHM ::= { OID id-alg-CMSRC2wrap
327        PARAMS RC2wrapParameter }

329    KeyDerivationAlgorithms ALGORITHM ::= {alg-PBKDF2}

331    alg-PBKDF2 ALGORITHM ::= { OID id-PBKDF2 PARAMS PBKDF2-params }

333    ContentEncryptionAlgorthms ALGORITHM ::= {...}

335    END

337  3.  ASN.1 Module for RFC 3565

339    CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549)
340        pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) }
341    DEFINITIONS IMPLICIT TAGS ::=
342    BEGIN

344    -- AES information object identifiers --

346    aes OBJECT IDENTIFIER ::=
347        { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
348          csor(3) nistAlgorithms(4) 1 }

350    -- AES using CBC-chaining mode for key sizes of 128, 192, 256

352    id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
353    id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
354    id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }

356    -- AES-IV is the parameter for all the above object identifiers.

358    AES-IV ::= OCTET STRING (SIZE(16))

360    -- AES Key Wrap Algorithm Identifiers - Parameter is absent

362    id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
363    id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
364    id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }

366    END

368  4.  ASN.1 Module for RFC 3851

370    SecureMimeMessageV3dot1
371        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
372          smime(16) modules(0) msg-v3dot1(21) }
373    DEFINITIONS IMPLICIT TAGS ::=
374    BEGIN

376    IMPORTS

378    SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier,
379        CMS-ATTRIBUTE
380    FROM CryptographicMessageSyntax2004
381        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
382          smime(16) modules(0) cms-2004(24) }

384    rc2-cbc
385    FROM CryptographicMessageSyntaxAlgorithms
386        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
387          smime(16) modules(0) cmsalg-2001(16) };

389    SMimeAttributeSet CMS-ATTRIBUTE ::=
390        { attr-smimeCapabilities | attr-encrypKeyPref }

392    -- id-aa is the arc with all new authenticated and unauthenticated
393    -- attributes produced by the S/MIME Working Group

395    id-aa OBJECT IDENTIFIER ::=
396        { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
397          smime(16) attributes(2)}

399    -- S/MIME Capabilities provides a method of broadcasting the symmetric
400    -- capabilities understood.  Algorithms SHOULD be ordered by
401    -- preference and grouped by type

403    attr-smimeCapabilities CMS-ATTRIBUTE ::=
404        { TYPE SMIMECapabilities IDENTIFIED BY smimeCapabilities }

406    smimeCapabilities OBJECT IDENTIFIER ::=
407        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
408          15 }

410    SMIME-CAPS ::= CLASS {
411        &Type OPTIONAL,
412        &id OBJECT IDENTIFIER UNIQUE
413    }
414    WITH SYNTAX {TYPE &Type IDENTIFIED BY &id }

416    SMIMECapability ::= SEQUENCE {
417        capabilityID SMIME-CAPS.
418            &id({SMimeCapsSet}),
419        parameters SMIME-CAPS.
420            &Type({SMimeCapsSet}{@capabilityID}) OPTIONAL
421    }

423    SMimeCapsSet SMIME-CAPS ::=
424        { cap-preferBinaryInside | cap-RC2CBC, ... }

426    SMIMECapabilities ::= SEQUENCE OF SMIMECapability
427    -- Encryption Key Preference provides a method of broadcasting the
428    -- preferred encryption certificate.

430    attr-encrypKeyPref CMS-ATTRIBUTE ::=
431        { TYPE SMIMEEncryptionKeyPreference
432          IDENTIFIED BY id-aa-encrypKeyPref }

434    id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}

436    SMIMEEncryptionKeyPreference ::= CHOICE {
437        issuerAndSerialNumber [0] IssuerAndSerialNumber,
438        receipentKeyId [1] RecipientKeyIdentifier,
439        subjectAltKeyIdentifier [2] SubjectKeyIdentifier
440    }

442    id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
443        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }

445    id-cap OBJECT IDENTIFIER ::= { id-smime 11 }

447    -- The preferBinaryInside indicates an ability to receive messages
448    -- with binary encoding inside the CMS wrapper

450    cap-preferBinaryInside SMIME-CAPS ::=
451        { TYPE NULL IDENTIFIED BY id-cap-preferBinaryInside }

453    id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }

455    -- The following lists the OIDs to be used with S/MIME V3

457    -- Signature Algorithms Not Found in [CMSALG]
458    --
459    -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
460    --    {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
461    --     2}
462    --
463    -- Other Signed Attributes
464    --
465    -- signingTime OBJECT IDENTIFIER ::=
466    --    {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
467    --     5}
468    --    See [CMS] for a description of how to encode the attribute
469    --    value.

471    cap-RC2CBC SMIME-CAPS ::=
472        { TYPE SMIMECapabilitiesParametersForRC2CBC
473          IDENTIFIED BY rc2-cbc}
474    SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
475    --    (RC2 Key Length (number of bits))

477    END

479  5.  ASN.1 Module for RFC 3852

481    This module has an ASN.1 idiom for noting in which version of CMS
482    changes were made from the original PKCS #10; that idiom is "[[v:",
483    where "v" is an integer.  For example:

485    RevocationInfoChoice ::= CHOICE {
486        crl CertificateList,
487        ...,
488        [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

490    Similarly, this module adds the ASN.1 idiom for extensibility (the
491    "...,") in all places that have been extended in the past.  See the
492    example above.

494    CryptographicMessageSyntax2004
495        { iso(1) member-body(2) us(840) rsadsi(113549)
496          pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) }
497    DEFINITIONS IMPLICIT TAGS ::=
498    BEGIN

500    IMPORTS

502    ALGORITHM, Certificate, CertificateList, CertificateSerialNumber,
503        Name, ATTRIBUTE
504    FROM PKIX1Explicit88
505        { iso(1) identified-organization(3) dod(6) internet(1)
506          security(5) mechanisms(5) pkix(7) id-mod(0)
507          id-pkix1-explicit(18) }

509    AttributeCertificate
510    FROM PKIXAttributeCertificate
511        { iso(1) identified-organization(3) dod(6) internet(1)
512          security(5) mechanisms(5) pkix(7) id-mod(0)
513          id-mod-attribute-cert(12) }

515    AttributeCertificateV1
516    FROM AttributeCertificateVersion1
517        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
518          smime(16) modules(0) v1AttrCert(15) } ;

520    -- Cryptographic Message Syntax
521    -- The following are used for version numbers using the ASN.1
522    --    idiom "[[n:"
523    --    Version 1 = PKCS #7
524    --    Version 2 = S/MIME V2
525    --    Version 3 = RFC 2630
526    --    Version 4 = RFC 3369
527    --    Version 5 = RFC 3852

529    CONTENT-TYPE ::= TYPE-IDENTIFIER
530    ContentType ::= CONTENT-TYPE.&id

532    ContentInfo ::= SEQUENCE {
533        contentType CONTENT-TYPE.
534            &id({ContentSet}),
535        content [0] EXPLICIT CONTENT-TYPE.
536            &Type({ContentSet}{@contentType})}

538    ContentSet CONTENT-TYPE ::= {
539        -- Define the set of content types to be recognized.
540        ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
541        ct-AuthenticatedData | ct-DigestedData, ... }

543    SignedData ::= SEQUENCE {
544        version CMSVersion,
545        digestAlgorithms SET OF DigestAlgorithmIdentifier,
546        encapContentInfo EncapsulatedContentInfo,
547        certificates [0] IMPLICIT CertificateSet OPTIONAL,
548        crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
549        signerInfos SignerInfos }

551    DigestAlgorithmList ALGORITHM ::= { -- alg-sha-1 | alg-md5, -- ... }

553    SignatureAlgorithmList ALGORITHM ::=
554        { -- alg-dsa-with-sha1 | alg-md5WithRSAEncryption --
555          -- | alg-sha1WithRSAEncryption, -- ... }

557    SignerInfos ::= SET OF SignerInfo

559    EncapsulatedContentInfo ::= SEQUENCE {
560        eContentType CONTENT-TYPE.&id({ContentSet}),
561        eContent [0] EXPLICIT OCTET STRING
562            ( CONTAINING CONTENT-TYPE.
563              &Type({ContentSet}{@eContentType})) OPTIONAL }

565    SignerInfo ::= SEQUENCE {
566        version CMSVersion,
567        sid SignerIdentifier,
568        digestAlgorithm DigestAlgorithmIdentifier,
569        signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
570        signatureAlgorithm SignatureAlgorithmIdentifier,
571        signature SignatureValue,
572        unsignedAttrs [1] IMPLICIT Attributes
573            {{UnsignedAttributes}} OPTIONAL }

575    SignedAttributes ::= Attributes {{ SignedAttributesSet }}

577    SignerIdentifier ::= CHOICE {
578        issuerAndSerialNumber IssuerAndSerialNumber,
579        ...,
580        [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

582    SignedAttributesSet CMS-ATTRIBUTE ::=
583        { attr-signingTime | attr-messageDigest | attr-contentType, ... }

585    UnsignedAttributes CMS-ATTRIBUTE ::= { attr-countersignature, ... }

587    SignatureValue ::= OCTET STRING

589    EnvelopedData ::= SEQUENCE {
590        version CMSVersion,
591        originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
592        recipientInfos RecipientInfos,
593        encryptedContentInfo EncryptedContentInfo,
594        ...,
595        [[2: unprotectedAttrs [1] IMPLICIT Attributes
596            {{ UnprotectedAttributes }} OPTIONAL ]] }

598    OriginatorInfo ::= SEQUENCE {
599        certs [0] IMPLICIT CertificateSet OPTIONAL,
600        crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

602    RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

604    EncryptedContentInfo ::= SEQUENCE {
605        contentType CONTENT-TYPE.&id({ContentSet}),
606        contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
607        encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }

609    -- If you want to do constraints, you might use:
610    -- EncryptedContentInfo ::= SEQUENCE {
611    --    contentType CONTENT-TYPE.&id({ContentSet}),
612    --    contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
613    --    encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
614    --        &Type({ContentSet}{@contentType}) OPTIONAL }
615    -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
616    --        { ToBeEncrypted } )
617    ContentEncryptionAlgorithmList ALGORITHM ::=
618        { -- alg-des-ede3-cbc | alg-rd2-cbc, -- ... }

620    UnprotectedAttributes CMS-ATTRIBUTE ::= { ... }

622    RecipientInfo ::= CHOICE {
623        ktri KeyTransRecipientInfo,
624        ...,
625        [[3: kari [1] KeyAgreeRecipientInfo ]],
626        [[4: kekri [2] KEKRecipientInfo]],
627        [[5: pwri [3] PasswordRecipientInfo,
628             ori [4] OtherRecipientInfo ]] }

630    EncryptedKey ::= OCTET STRING

632    KeyTransRecipientInfo ::= SEQUENCE {
633        version CMSVersion,  -- always set to 0 or 2
634        rid RecipientIdentifier,
635        keyEncryptionAlgorithm AlgorithmIdentifier
636            {{KeyTransportAlgorithmList}},
637        encryptedKey EncryptedKey }

639    KeyTransportAlgorithmList ALGORITHM ::=
640        { -- alg-rsaEncryption, -- ... }

642    RecipientIdentifier ::= CHOICE {
643        issuerAndSerialNumber IssuerAndSerialNumber,
644        ...,
645        [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

647    KeyAgreeRecipientInfo ::= SEQUENCE {
648        version CMSVersion,  -- always set to 3
649        originator [0] EXPLICIT OriginatorIdentifierOrKey,
650        ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
651        keyEncryptionAlgorithm AlgorithmIdentifier
652            {{KeyAgreementAlgorithmList}},
653        recipientEncryptedKeys RecipientEncryptedKeys }

655    KeyAgreementAlgorithmList ALGORITHM ::=
656        { -- alg-ESDH | alg-SSDH, -- ... }

658    OriginatorIdentifierOrKey ::= CHOICE {
659        issuerAndSerialNumber IssuerAndSerialNumber,
660        subjectKeyIdentifier [0] SubjectKeyIdentifier,
661        originatorKey [1] OriginatorPublicKey }

663    OriginatorPublicKey ::= SEQUENCE {
664        algorithm AlgorithmIdentifier {{AlgorithmList}},
665        publicKey BIT STRING }

667    RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

669    RecipientEncryptedKey ::= SEQUENCE {
670        rid KeyAgreeRecipientIdentifier,
671        encryptedKey EncryptedKey }

673    KeyEncryptKeyAlgorithmList ALGORITHM ::=
674        { -- alg-CMS3DESwrap | alg-CMSRC2wrap, -- ... }

676    KeyEncryptionAlgorithmList ALGORITHM ::= { ... }

678    KeyAgreeRecipientIdentifier ::= CHOICE {
679        issuerAndSerialNumber IssuerAndSerialNumber,
680        rKeyId [0] IMPLICIT RecipientKeyIdentifier }

682    RecipientKeyIdentifier ::= SEQUENCE {
683        subjectKeyIdentifier SubjectKeyIdentifier,
684        date GeneralizedTime OPTIONAL,
685        other OtherKeyAttribute OPTIONAL }

687    SubjectKeyIdentifier ::= OCTET STRING

689    KEKRecipientInfo ::= SEQUENCE {
690        version CMSVersion,  -- always set to 4
691        kekid KEKIdentifier,
692        keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
693        encryptedKey EncryptedKey }

695    KEKIdentifier ::= SEQUENCE {
696        keyIdentifier OCTET STRING,
697        date GeneralizedTime OPTIONAL,
698        other OtherKeyAttribute OPTIONAL }

700    PasswordRecipientInfo ::= SEQUENCE {
701        version CMSVersion,  -- always set to 0
702        keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
703            OPTIONAL,
704        keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
705        encryptedKey EncryptedKey }

707    OTHER-RECIPIENT ::= TYPE-IDENTIFIER

709    OtherRecipientInfo ::= SEQUENCE {
710        oriType OTHER-RECIPIENT.
711            &id({SupportedOtherRecipInfo}),
712        oriValue OTHER-RECIPIENT.
714            &Type({SupportedOtherRecipInfo}{@oriType})}

716    SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

718    DigestedData ::= SEQUENCE {
719        version CMSVersion,
720        digestAlgorithm DigestAlgorithmIdentifier,
721        encapContentInfo EncapsulatedContentInfo,
722        digest Digest }

724    Digest ::= OCTET STRING

726    EncryptedData ::= SEQUENCE {
727        version CMSVersion,
728        encryptedContentInfo EncryptedContentInfo,
729        ...,
730        [[2: unprotectedAttrs [1] IMPLICIT Attributes
731            {{UnprotectedAttributes}} OPTIONAL ]] }

733    AuthenticatedData ::= SEQUENCE {
734        version CMSVersion,
735        originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
736        recipientInfos RecipientInfos,
737        macAlgorithm MessageAuthenticationCodeAlgorithm,
738        digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
739        encapContentInfo EncapsulatedContentInfo,
740        authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
741        mac MessageAuthenticationCode,
742        unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

744    AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
745        {{SupportedAttributes}}

747    UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
748        {{SupportedAttributes}}

750    MessageAuthenticationCode ::= OCTET STRING

752    DigestAlgorithmIdentifier ::= AlgorithmIdentifier
753        {{DigestAlgorithmList}}

755    SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
756        {{SignatureAlgorithmList}}

758    KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
759        {{KeyEncryptionAlgorithmList}}

761    ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
762        {{ContentEncryptionAlgorithmList}}

764    MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
765        {{AlgorithmList}}

767    KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
768        {{AlgorithmList}}

770    AlgorithmList ALGORITHM ::= { ... }

772    RevocationInfoChoices ::= SET OF RevocationInfoChoice

774    RevocationInfoChoice ::= CHOICE {
775        crl CertificateList,
776        ...,
777        [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

779    OTHER-REVOK-INFO ::= TYPE-IDENTIFIER

781    OtherRevocationInfoFormat ::= SEQUENCE {
782        otherRevInfoFormat OTHER-REVOK-INFO.
783 &id({SupportedOtherRevokInfo}), 784 otherRevInfo OTHER-REVOK-INFO. 785 &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})} 787 SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... } 789 CertificateChoices ::= CHOICE { 790 certificate Certificate, 791 extendedCertificate [0] IMPLICIT ExtendedCertificate, 792 -- Obsolete 793 ..., 794 [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]], 795 -- Obsolete 796 [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]], 797 [[5: other [3] IMPLICIT OtherCertificateFormat]] } 799 AttributeCertificateV2 ::= AttributeCertificate 801 OTHER-CERT-FMT ::= TYPE-IDENTIFIER 803 OtherCertificateFormat ::= SEQUENCE { 804 otherCertFormat OTHER-CERT-FMT. 805 &id({SupportedCertFormats}), 806 otherCert OTHER-CERT-FMT. 807 &Type({SupportedCertFormats}{@otherCertFormat})} 809 SupportedCertFormats OTHER-CERT-FMT ::= { ... } 810 CertificateSet ::= SET OF CertificateChoices 812 IssuerAndSerialNumber ::= SEQUENCE { 813 issuer Name, 814 serialNumber CertificateSerialNumber } 816 CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) } 818 UserKeyingMaterial ::= OCTET STRING 820 KEY-ATTRIBUTE ::= TYPE-IDENTIFIER 822 OtherKeyAttribute ::= SEQUENCE { 823 keyAttrId KEY-ATTRIBUTE. 824 &id({SupportedKeyAttributes}), 825 keyAttr KEY-ATTRIBUTE. 826 &Type({SupportedKeyAttributes}{@keyAttrId})} 828 SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... 
}

830    -- Content Type Object Identifiers

832    id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
833        us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

835    ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}

837    id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
838        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

840    ct-SignedData CONTENT-TYPE ::=
841        { SignedData IDENTIFIED BY id-signedData}

843    id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
844        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

846    ct-EnvelopedData CONTENT-TYPE ::=
847        { EnvelopedData IDENTIFIED BY id-envelopedData}

849    id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
850        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

852    ct-DigestedData CONTENT-TYPE ::=
853        { DigestedData IDENTIFIED BY id-digestedData}

855    id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
856        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

858    ct-EncryptedData CONTENT-TYPE ::=
859        { EncryptedData IDENTIFIED BY id-encryptedData}

861    id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
862        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

864    ct-AuthenticatedData CONTENT-TYPE ::=
865        { AuthenticatedData IDENTIFIED BY id-ct-authData}

867    id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
868        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

870    -- The CMS Attributes

872    MessageDigest ::= OCTET STRING

874    SigningTime ::= Time

876    Time ::= CHOICE {
877        utcTime UTCTime,
878        generalTime GeneralizedTime }

880    Countersignature ::= SignerInfo

882    -- Attribute Object Identifiers

884    attr-contentType CMS-ATTRIBUTE ::=
885        { TYPE ContentType IDENTIFIED BY id-contentType }

887    id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
888        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

890    attr-messageDigest CMS-ATTRIBUTE ::=
891        { TYPE MessageDigest IDENTIFIED BY id-messageDigest}

893    id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
894        us(840)
rsadsi(113549) pkcs(1) pkcs9(9) 4 }

896    attr-signingTime CMS-ATTRIBUTE ::=
897        { TYPE SigningTime IDENTIFIED BY id-signingTime }

899    id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
900        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

902    attr-countersignature CMS-ATTRIBUTE ::=
903        { TYPE Countersignature IDENTIFIED BY id-countersignature }

905    id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
906        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

908    -- Obsolete Extended Certificate syntax from PKCS#6

910    ExtendedCertificateOrCertificate ::= CHOICE {
911        certificate Certificate,
912        extendedCertificate [0] IMPLICIT ExtendedCertificate }

914    ExtendedCertificate ::= SEQUENCE {
915        extendedCertificateInfo ExtendedCertificateInfo,
916        signatureAlgorithm SignatureAlgorithmIdentifier,
917        signature Signature }

919    ExtendedCertificateInfo ::= SEQUENCE {
920        version CMSVersion,
921        certificate Certificate,
922        attributes UnauthAttributes }

924    Signature ::= BIT STRING

926    -- Class definitions used in the module

928    AlgorithmIdentifier { ALGORITHM:IOSet } ::= SEQUENCE {
929        algorithm ALGORITHM.&id({IOSet}),
930        parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL }

932    CMS-ATTRIBUTE ::= ATTRIBUTE

934    Attribute{ CMS-ATTRIBUTE:AttrList } ::= SEQUENCE {
935        attrType CMS-ATTRIBUTE.
936            &id({AttrList}),
937        attrValues SET OF CMS-ATTRIBUTE.
938            &Type({AttrList}{@attrType}) }

940    SupportedAttributes CMS-ATTRIBUTE ::= { ... }

942    Attributes { CMS-ATTRIBUTE:AttrList } ::=
943        SET SIZE (1..MAX) OF Attribute {{ AttrList }}

945    END

947    6.
ASN.1 Module for RFC 4108

949    CMSFirmwareWrapper
950        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
951        smime(16) modules(0) cms-firmware-wrap(22) }

953    DEFINITIONS IMPLICIT TAGS ::=
954    BEGIN

956    IMPORTS

958    OTHER-NAME
959    FROM PKIX1Implicit88
960        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
961        mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }

963    EnvelopedData, CONTENT-TYPE, CMS-ATTRIBUTE
964    FROM CryptographicMessageSyntax
965        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
966        smime(16) modules(0) cms-2004(24) };

968    FirmwareContentTypes CONTENT-TYPE ::= {
969        ct-firmwarePackage | ct-firmwareLoadReceipt |
970        ct-firmwareLoadError }

972    FirmwareSignedAttrs CMS-ATTRIBUTE ::= {
973        aa-firmwarePackageID | aa-targetHardwareIDs |
974        aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
975        aa-communityIdentifiers | aa-firmwarePackageInfo }

977    FirmwareUnsignedAttrs CMS-ATTRIBUTE ::= {
978        aa-wrappedFirmwareKey }

980    FirmwareOtherNames OTHER-NAME ::= {
981        on-hardwareModuleName }

983    -- Firmware Package Content Type and Object Identifier

985    ct-firmwarePackage CONTENT-TYPE ::=
986        { FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }

988    id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
989        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
990        smime(16) ct(1) 16 }

992    FirmwarePkgData ::= OCTET STRING

994    -- Firmware Package Signed Attributes and Object Identifiers

996    aa-firmwarePackageID CMS-ATTRIBUTE ::=
997        { TYPE FirmwarePackageIdentifier IDENTIFIED BY
998        id-aa-firmwarePackageID }

1000   id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
1001       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1002       smime(16) aa(2) 35 }

1004   FirmwarePackageIdentifier ::= SEQUENCE {
1005       name PreferredOrLegacyPackageIdentifier,
1006       stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }

1008   PreferredOrLegacyPackageIdentifier ::= CHOICE {
1009       preferred PreferredPackageIdentifier,
1010       legacy
OCTET STRING }

1012   PreferredPackageIdentifier ::= SEQUENCE {
1013       fwPkgID OBJECT IDENTIFIER,
1014       verNum INTEGER (0..MAX) }

1016   PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
1017       preferredStaleVerNum INTEGER (0..MAX),
1018       legacyStaleVersion OCTET STRING }

1020   aa-targetHardwareIDs CMS-ATTRIBUTE ::=
1021       { TYPE TargetHardwareIdentifiers IDENTIFIED BY
1022       id-aa-targetHardwareIDs }

1024   id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
1025       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1026       smime(16) aa(2) 36 }

1028   TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER

1030   aa-decryptKeyID CMS-ATTRIBUTE ::=
1031       { TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}

1033   id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
1034       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1035       smime(16) aa(2) 37 }

1037   DecryptKeyIdentifier ::= OCTET STRING

1039   aa-implCryptoAlgs CMS-ATTRIBUTE ::=
1040       { TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
1041       id-aa-implCryptoAlgs }

1043   id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
1044       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1045       smime(16) aa(2) 38 }

1047   ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER
1048   aa-implCompressAlgs CMS-ATTRIBUTE ::=
1049       { TYPE ImplementedCompressAlgorithms IDENTIFIED BY
1050       id-aa-implCompressAlgs }

1052   id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
1053       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1054       smime(16) aa(2) 43 }

1056   ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

1058   aa-communityIdentifiers CMS-ATTRIBUTE ::=
1059       { TYPE CommunityIdentifiers IDENTIFIED BY
1060       id-aa-communityIdentifiers }

1062   id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
1063       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1064       smime(16) aa(2) 40 }

1066   CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier

1068   CommunityIdentifier ::= CHOICE {
1069       communityOID OBJECT IDENTIFIER,
1070
hwModuleList HardwareModules }

1072   HardwareModules ::= SEQUENCE {
1073       hwType OBJECT IDENTIFIER,
1074       hwSerialEntries SEQUENCE OF HardwareSerialEntry }

1076   HardwareSerialEntry ::= CHOICE {
1077       all NULL,
1078       single OCTET STRING,
1079       block SEQUENCE {
1080           low OCTET STRING,
1081           high OCTET STRING } }

1083   aa-firmwarePackageInfo CMS-ATTRIBUTE ::=
1084       { TYPE FirmwarePackageInfo IDENTIFIED BY
1085       id-aa-firmwarePackageInfo }

1087   id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
1088       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1089       smime(16) aa(2) 42 }

1091   FirmwarePackageInfo ::= SEQUENCE {
1092       fwPkgType INTEGER OPTIONAL,
1093       dependencies SEQUENCE OF
1094           PreferredOrLegacyPackageIdentifier OPTIONAL }

1096   -- Firmware Package Unsigned Attributes and Object Identifiers

1098   aa-wrappedFirmwareKey CMS-ATTRIBUTE ::=
1099       { TYPE WrappedFirmwareKey IDENTIFIED BY
1100       id-aa-wrappedFirmwareKey }

1102   id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
1103       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1104       smime(16) aa(2) 39 }

1106   WrappedFirmwareKey ::= EnvelopedData

1108   -- Firmware Package Load Receipt Content Type and Object Identifier

1110   ct-firmwareLoadReceipt CONTENT-TYPE ::=
1111       { FirmwarePackageLoadReceipt IDENTIFIED BY
1112       id-ct-firmwareLoadReceipt }

1114   id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= {
1115       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1116       smime(16) ct(1) 17 }

1118   FirmwarePackageLoadReceipt ::= SEQUENCE {
1119       version FWReceiptVersion DEFAULT v1,
1120       hwType OBJECT IDENTIFIER,
1121       hwSerialNum OCTET STRING,
1122       fwPkgName PreferredOrLegacyPackageIdentifier,
1123       trustAnchorKeyID OCTET STRING OPTIONAL,
1124       decryptKeyID [1] OCTET STRING OPTIONAL }

1126   FWReceiptVersion ::= INTEGER { v1(1) }

1128   -- Firmware Package Load Error Report Content Type
1129   -- and Object Identifier

1131   ct-firmwareLoadError CONTENT-TYPE ::=
1132       { FirmwarePackageLoadError
1133       IDENTIFIED BY id-ct-firmwareLoadError }
1135   id-ct-firmwareLoadError OBJECT IDENTIFIER ::= {
1136       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1137       smime(16) ct(1) 18 }

1139   FirmwarePackageLoadError ::= SEQUENCE {
1140       version FWErrorVersion DEFAULT v1,
1141       hwType OBJECT IDENTIFIER,
1142       hwSerialNum OCTET STRING,
1143       errorCode FirmwarePackageLoadErrorCode,
1144       vendorErrorCode VendorLoadErrorCode OPTIONAL,
1145       fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL,
1146       config [1] SEQUENCE OF CurrentFWConfig OPTIONAL }

1148   FWErrorVersion ::= INTEGER { v1(1) }

1150   CurrentFWConfig ::= SEQUENCE {
1151       fwPkgType INTEGER OPTIONAL,
1152       fwPkgName PreferredOrLegacyPackageIdentifier }

1154   FirmwarePackageLoadErrorCode ::= ENUMERATED {
1155       decodeFailure (1),
1156       badContentInfo (2),
1157       badSignedData (3),
1158       badEncapContent (4),
1159       badCertificate (5),
1160       badSignerInfo (6),
1161       badSignedAttrs (7),
1162       badUnsignedAttrs (8),
1163       missingContent (9),
1164       noTrustAnchor (10),
1165       notAuthorized (11),
1166       badDigestAlgorithm (12),
1167       badSignatureAlgorithm (13),
1168       unsupportedKeySize (14),
1169       signatureFailure (15),
1170       contentTypeMismatch (16),
1171       badEncryptedData (17),
1172       unprotectedAttrsPresent (18),
1173       badEncryptContent (19),
1174       badEncryptAlgorithm (20),
1175       missingCiphertext (21),
1176       noDecryptKey (22),
1177       decryptFailure (23),
1178       badCompressAlgorithm (24),
1179       missingCompressedContent (25),
1180       decompressFailure (26),
1181       wrongHardware (27),
1182       stalePackage (28),
1183       notInCommunity (29),
1184       unsupportedPackageType (30),
1185       missingDependency (31),
1186       wrongDependencyVersion (32),
1187       insufficientMemory (33),
1188       badFirmware (34),
1189       unsupportedParameters (35),
1190       breaksDependency (36),
1191       otherError (99) }

1193   VendorLoadErrorCode ::= INTEGER

1195   -- Other Name syntax for Hardware Module Name

1197   on-hardwareModuleName OTHER-NAME ::=
1198       { HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }

1200   id-on-hardwareModuleName OBJECT IDENTIFIER
::= {
1201       iso(1) identified-organization(3) dod(6) internet(1) security(5)
1202       mechanisms(5) pkix(7) on(8) 4 }

1204   HardwareModuleName ::= SEQUENCE {
1205       hwType OBJECT IDENTIFIER,
1206       hwSerialNum OCTET STRING }

1208   END

1210   7. ASN.1 Module for RFC 4998

1212   ERS {iso(1) identified-organization(3) dod(6) internet(1)
1213       security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
1214       id-mod-ers-v1(1) }
1215   DEFINITIONS IMPLICIT TAGS ::=
1216   BEGIN

1218   IMPORTS

1220   Attribute{}, AlgorithmIdentifier{}, Extensions{}, EXTENSION,
1221       ATTRIBUTE, ALGORITHM
1222   FROM PKIX-CommonTypes
1223       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1224       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }

1226   ContentInfo, CMS-ATTRIBUTE
1227   FROM CryptographicMessageSyntax2004
1228       { iso(1) member-body(2) us(840) rsadsi(113549)
1229       pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ;

1231   ltans OBJECT IDENTIFIER ::=
1232       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1233       mechanisms(5) ltans(11) }

1235   EvidenceRecord ::= SEQUENCE {
1236       version INTEGER { v1(1) } ,
1237       digestAlgorithms SEQUENCE OF AlgorithmIdentifier{{...}},
1238       cryptoInfos [0] CryptoInfos OPTIONAL,
1239       encryptionInfo [1] EncryptionInfo OPTIONAL,
1240       archiveTimeStampSequence ArchiveTimeStampSequence
1241   }

1243   CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF Attribute{{...}}

1245   ArchiveTimeStamp ::= SEQUENCE {
1246       digestAlgorithm [0] AlgorithmIdentifier{{...}} OPTIONAL,
1247       attributes [1] Attributes OPTIONAL,
1248       reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
1249       timeStamp ContentInfo
1250   }

1252   PartialHashtree ::= SEQUENCE OF OCTET STRING

1254   Attributes ::= SET SIZE (1..MAX) OF Attribute{{...}}

1256   ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp

1258   ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain

1260   EncryptionInfo ::= SEQUENCE {
1261       encryptionInfoType ENCINFO-TYPE.
1262           &id({SupportedEncryptionAlgorithms}),
1263       encryptionInfoValue ENCINFO-TYPE.
1264           &Type({SupportedEncryptionAlgorithms}
1265           {@encryptionInfoType})
1266   }

1268   ENCINFO-TYPE ::= TYPE-IDENTIFIER

1270   SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}

1272   er-Internal CMS-ATTRIBUTE ::=
1273       { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }

1275   id-aa-er-internal OBJECT IDENTIFIER ::=
1276       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1277       smime(16) id-aa(2) 49 }

1279   er-External CMS-ATTRIBUTE ::=
1280       { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }

1282   id-aa-er-external OBJECT IDENTIFIER ::=
1283       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1284       smime(16) id-aa(2) 50 }

1286   END

1288   8. ASN.1 Module for RFC 5035

1290   ExtendedSecurityServices-2006
1291       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1292       smime(16) modules(0) id-mod-ess-2006(30) }
1293   DEFINITIONS IMPLICIT TAGS ::=
1294   BEGIN

1296   IMPORTS

1298   Attribute{}, AlgorithmIdentifier{}, Extensions{}, EXTENSION,
1299       ATTRIBUTE, ALGORITHM
1300   FROM PKIX-CommonTypes
1301       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1302       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }

1304   ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
1305       CMS-ATTRIBUTE, CONTENT-TYPE
1306   FROM CryptographicMessageSyntax2004
1307       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1308       smime(16) modules(0) cms-2004(24) }

1310   CertificateSerialNumber
1311   FROM PKIX1Explicit88
1312       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1313       mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }

1315   PolicyInformation, GeneralNames
1316   FROM PKIX1Implicit88
1317       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1318       mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19)};

1320   EssSignedAttributes CMS-ATTRIBUTE ::= {
1321       aa-receiptRequest | aa-contentIdentifier | aa-contentHint |
1322
aa-msgSigDigest | aa-contentReference | aa-securityLabel |
1323       aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate |
1324       aa-signingCertificateV2 }

1326   EssContentTypes CONTENT-TYPE ::= { ct-receipt }

1328   -- Extended Security Services
1329   -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
1330   -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
1331   -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE
1332   -- to have at least one entry. MAX indicates the upper bound is
1333   -- unspecified. Implementations are free to choose an upper bound
1334   -- that suits their environment.

1336   -- Section 2.7

1338   aa-receiptRequest CMS-ATTRIBUTE ::=
1339       { TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}

1341   ReceiptRequest ::= SEQUENCE {
1342       signedContentIdentifier ContentIdentifier,
1343       receiptsFrom ReceiptsFrom,
1344       receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
1345   }

1347   ub-receiptsTo INTEGER ::= 16

1349   id-aa-receiptRequest OBJECT IDENTIFIER ::=
1350       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1351       smime(16) id-aa(2) 1}

1353   aa-contentIdentifier CMS-ATTRIBUTE ::=
1354       { TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}

1356   ContentIdentifier ::= OCTET STRING

1358   id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1359       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}

1361   ct-receipt CONTENT-TYPE ::=
1362       { Receipt IDENTIFIED BY id-ct-receipt }

1364   ReceiptsFrom ::= CHOICE {
1365       allOrFirstTier [0] AllOrFirstTier,
1366           -- formerly "allOrNone [0]AllOrNone"
1367       receiptList [1] SEQUENCE OF GeneralNames }

1369   AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
1370       allReceipts (0),
1371       firstTierRecipients (1) }

1373   -- Section 2.8

1375   Receipt ::= SEQUENCE {
1376       version ESSVersion,
1377       contentType ContentType,
1378       signedContentIdentifier ContentIdentifier,
1379       originatorSignatureValue OCTET STRING }

1381
id-ct-receipt OBJECT IDENTIFIER ::=
1382       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1383       smime(16) id-ct(1) 1}

1385   ESSVersion ::= INTEGER { v1(1) }

1387   -- Section 2.9

1389   aa-contentHint CMS-ATTRIBUTE ::=
1390       { TYPE ContentHints IDENTIFIED BY id-aa-contentHint }

1392   ContentHints ::= SEQUENCE {
1393       contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
1394       contentType ContentType }

1396   id-aa-contentHint OBJECT IDENTIFIER ::=
1397       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1398       smime(16) id-aa(2) 4}

1400   -- Section 2.10

1402   aa-msgSigDigest CMS-ATTRIBUTE ::=
1403       { TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }

1405   MsgSigDigest ::= OCTET STRING

1407   id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1408       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}

1410   -- Section 2.11

1412   aa-contentReference CMS-ATTRIBUTE ::=
1413       { TYPE ContentReference IDENTIFIED BY id-aa-contentReference }

1415   ContentReference ::= SEQUENCE {
1416       contentType ContentType,
1417       signedContentIdentifier ContentIdentifier,
1418       originatorSignatureValue OCTET STRING }

1420   id-aa-contentReference OBJECT IDENTIFIER ::=
1421       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1422       smime(16) id-aa(2) 10 }

1424   -- Section 3.2
1425   aa-securityLabel CMS-ATTRIBUTE ::=
1426       { TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }

1428   ESSSecurityLabel ::= SET {
1429       security-policy-identifier SecurityPolicyIdentifier,
1430       security-classification SecurityClassification OPTIONAL,
1431       privacy-mark ESSPrivacyMark OPTIONAL,
1432       security-categories SecurityCategories OPTIONAL }

1434   id-aa-securityLabel OBJECT IDENTIFIER ::=
1435       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1436       smime(16) id-aa(2) 2}
1437   SecurityPolicyIdentifier ::= OBJECT IDENTIFIER

1439   SecurityClassification ::= INTEGER {
1440       unmarked (0),
1441       unclassified (1),
1442       restricted (2),
1443       confidential (3),
1444       secret
(4),
1445       top-secret (5)
1446   } (0..ub-integer-options)

1448   ub-integer-options INTEGER ::= 256

1450   ESSPrivacyMark ::= CHOICE {
1451       pString PrintableString (SIZE (1..ub-privacy-mark-length)),
1452       utf8String UTF8String (SIZE (1..MAX))
1453   }

1455   ub-privacy-mark-length INTEGER ::= 128

1457   SecurityCategories ::=
1458       SET SIZE (1..ub-security-categories) OF SecurityCategory

1460   ub-security-categories INTEGER ::= 64

1462   SECURITY-CATEGORY ::= TYPE-IDENTIFIER

1464   SecurityCategory ::= SEQUENCE {
1465       type [0] SECURITY-CATEGORY.
1466           &id({SupportedSecurityCategories}),
1467       value [1] SECURITY-CATEGORY.
1468           &Type({SupportedSecurityCategories}{@type})
1469   }

1471   SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
1472   --Note: The aforementioned SecurityCategory syntax produces identical
1473   --hex encodings as the following SecurityCategory syntax that is
1474   --documented in the X.411 specification:
1475   --
1476   --SecurityCategory ::= SEQUENCE {
1477   --     type [0] SECURITY-CATEGORY,
1478   --     value [1] ANY DEFINED BY type }
1479   --
1480   --SECURITY-CATEGORY MACRO ::=
1481   --BEGIN
1482   --TYPE NOTATION ::= type | empty
1483   --VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
1484   --END

1486   -- Section 3.4

1488   aa-equivalentLabels CMS-ATTRIBUTE ::=
1489       { TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }

1491   EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel

1493   id-aa-equivalentLabels OBJECT IDENTIFIER ::=
1494       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1495       smime(16) id-aa(2) 9}

1497   -- Section 4.4

1499   aa-mlExpandHistory CMS-ATTRIBUTE ::=
1500       { TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }

1502   MLExpansionHistory ::= SEQUENCE
1503       SIZE (1..ub-ml-expansion-history) OF MLData

1505   id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
1506       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1507       smime(16) id-aa(2) 3 }

1509   ub-ml-expansion-history INTEGER ::= 64

1511   MLData ::= SEQUENCE {
1512       mailListIdentifier
EntityIdentifier,
1513       expansionTime GeneralizedTime,
1514       mlReceiptPolicy MLReceiptPolicy OPTIONAL }

1516   EntityIdentifier ::= CHOICE {
1517       issuerAndSerialNumber IssuerAndSerialNumber,
1518       subjectKeyIdentifier SubjectKeyIdentifier }

1520   MLReceiptPolicy ::= CHOICE {
1521       none [0] NULL,
1522       insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
1523       inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }

1525   -- Section 5.4

1527   aa-signingCertificate CMS-ATTRIBUTE ::=
1528       { TYPE SigningCertificate IDENTIFIED BY
1529       id-aa-signingCertificate }

1531   SigningCertificate ::= SEQUENCE {
1532       certs SEQUENCE OF ESSCertID,
1533       policies SEQUENCE OF PolicyInformation OPTIONAL
1534   }

1536   id-aa-signingCertificate OBJECT IDENTIFIER ::=
1537       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1538       smime(16) id-aa(2) 12 }

1540   aa-signingCertificateV2 CMS-ATTRIBUTE ::=
1541       { TYPE SigningCertificateV2 IDENTIFIED BY
1542       id-aa-signingCertificateV2 }

1544   SigningCertificateV2 ::= SEQUENCE {
1545       certs SEQUENCE OF ESSCertIDv2,
1546       policies SEQUENCE OF PolicyInformation OPTIONAL
1547   }

1549   id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
1550       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1551       smime(16) id-aa(2) 47 }

1553   id-sha256 OBJECT IDENTIFIER ::=
1554       { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
1555       csor(3) nistalgorithm(4) hashalgs(2) 1 }

1557   HashAlgorithm ::= AlgorithmIdentifier{{...}}

1559   ESSCertIDv2 ::= SEQUENCE {
1560       hashAlgorithm HashAlgorithm
1561           DEFAULT { algorithm id-sha256 },
1562       certHash Hash,
1563       issuerSerial IssuerSerial OPTIONAL
1564   }

1566   ESSCertID ::= SEQUENCE {
1567       certHash Hash,
1568       issuerSerial IssuerSerial OPTIONAL
1569   }

1571   Hash ::= OCTET STRING

1573   IssuerSerial ::= SEQUENCE {
1574       issuer GeneralNames,
1575       serialNumber CertificateSerialNumber
1576   }

1578   END

1580   9.
ASN.1 Module for RFC 5083

1582   CMS-AuthEnvelopedData-2007
1583       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
1584       pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) }
1585   DEFINITIONS IMPLICIT TAGS ::=
1586   BEGIN

1588   IMPORTS

1590   AuthAttributes, CMSVersion, EncryptedContentInfo,
1591       MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
1592       UnauthAttributes
1593   FROM CryptographicMessageSyntax2004
1594       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1595       smime(16) modules(0) cms-2004(24) } ;

1597   id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
1598       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1599       smime(16) ct(1) 23 }

1601   AuthEnvelopedData ::= SEQUENCE {
1602       version CMSVersion,
1603       originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1604       recipientInfos RecipientInfos,
1605       authEncryptedContentInfo EncryptedContentInfo,
1606       authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
1607       mac MessageAuthenticationCode,
1608       unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL }

1610   END

1612   10.
ASN.1 Module for RFC 5084

1614   CMS-AES-CCM-and-AES-GCM
1615       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
1616       pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) }
1617   DEFINITIONS IMPLICIT TAGS ::=
1618   BEGIN

1620   -- Object Identifiers

1622   aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
1623       organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }

1625   id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }

1627   id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }

1629   id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }

1631   id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }

1633   id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }

1635   id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }

1637   -- Parameters for AlgorithmIdentifier

1639   CCMParameters ::= SEQUENCE {
1640       aes-nonce OCTET STRING (SIZE(7..13)),
1641       aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }

1643   AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)

1645   GCMParameters ::= SEQUENCE {
1646       aes-nonce OCTET STRING, -- recommended size is 12 octets
1647       aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }

1649   AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)

1651   END

1653   11. Security Considerations

1655   Even though all the RFCs in this document are security-related, the
1656   document itself does not have any security considerations. The ASN.1
1657   modules keep the same bits-on-the-wire as the modules that they
1658   replace.

1660   12. Normative References

1662   [ASN1-2002]
1663       ITU-T, "ITU-T Recommendation X.680 Information technology
1664       - Abstract Syntax Notation One (ASN.1): Specification
1665       of basic notation", ITU-T X.680, 2002.

1667   [NEW-PKIX]
1668       Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX",
1669       draft-ietf-pkix-new-asn1 (work in progress),
1670       December 2007.

1672   [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
1673       Algorithms", RFC 3370, August 2002.
1675   [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
1676       Encryption Algorithm in Cryptographic Message Syntax
1677       (CMS)", RFC 3565, July 2003.

1679   [RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail
1680       Extensions (S/MIME) Version 3.1 Message Specification",
1681       RFC 3851, July 2004.

1683   [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
1684       RFC 3852, July 2004.

1686   [RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to
1687       Protect Firmware Packages", RFC 4108, August 2005.

1689   [RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, "Evidence
1690       Record Syntax (ERS)", RFC 4998, August 2007.

1692   [RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update:
1693       Adding CertID Algorithm Agility", RFC 5035, August 2007.

1695   [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
1696       Authenticated-Enveloped-Data Content Type", RFC 5083,
1697       November 2007.

1699   [RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated
1700       Encryption in the Cryptographic Message Syntax (CMS)",
1701       RFC 5084, November 2007.

1703   Appendix A. Change History

1705   [[ This entire section is to be removed upon publication. ]]

1707   A.1. Changes between draft-hoffman-cms-new-asn1-00 and
1708       draft-ietf-smime-new-asn1-00

1710   Changed the draft name.

1712   Added RFC 3565.

1714   Added RFC 4998.

1716   Made RFCs-to-be 5083 and 5084 into RFCs.

1718   In RFC 3370, a line in the comment starting with "Another way to
1719   do..." was not commented out when it should have been.

1721   In RFC 3851, the name of the module from which we are importing was
1722   wrong, although the OID was right.

1724   In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate
1725   which version of CMS added the various extensions.
1727   Authors' Addresses

1729   Paul Hoffman
1730   VPN Consortium
1731   127 Segre Place
1732   Santa Cruz, CA 95060
1733   US

1735   Phone: 1-831-426-9827
1736   Email: paul.hoffman@vpnc.org

1738   Jim Schaad
1739   Soaring Hawk Consulting

1741   Email: jimsch@exmsft.com

1743   Full Copyright Statement

1745   Copyright (C) The IETF Trust (2007).

1747   This document is subject to the rights, licenses and restrictions
1748   contained in BCP 78, and except as set forth therein, the authors
1749   retain all their rights.

1751   This document and the information contained herein are provided on an
1752   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1753   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1754   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1755   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1756   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1757   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1759   Intellectual Property

1761   The IETF takes no position regarding the validity or scope of any
1762   Intellectual Property Rights or other rights that might be claimed to
1763   pertain to the implementation or use of the technology described in
1764   this document or the extent to which any license under such rights
1765   might or might not be available; nor does it represent that it has
1766   made any independent effort to identify any such rights. Information
1767   on the procedures with respect to rights in RFC documents can be
1768   found in BCP 78 and BCP 79.

1770   Copies of IPR disclosures made to the IETF Secretariat and any
1771   assurances of licenses to be made available, or the result of an
1772   attempt made to obtain a general license or permission for the use of
1773   such proprietary rights by implementers or users of this
1774   specification can be obtained from the IETF on-line IPR repository at
1775   http://www.ietf.org/ipr.
1777   The IETF invites any interested party to bring to its attention any
1778   copyrights, patents or patent applications, or other proprietary
1779   rights that may cover technology that may be required to implement
1780   this standard. Please address the information to the IETF at
1781   ietf-ipr@ietf.org.

1783   Acknowledgment

1785   Funding for the RFC Editor function is provided by the IETF
1786   Administrative Support Activity (IASA).