idnits 2.17.1

draft-ietf-smime-new-asn1-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     (You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Feb 2009 rather than one of the newer Notices. See
     https://trustee.ietf.org/license-info/.)

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 221: '... -- Parameters MUST be encoded in st...'
     RFC 2119 keyword, line 222: '...t, -- Parameters SHOULD be encoded in ...'
     RFC 2119 keyword, line 223: '..., -- Parameters SHOULD NOT be encoded...'
     RFC 2119 keyword, line 224: '... -- Parameters MUST NOT be encoded i...'
     RFC 2119 keyword, line 226: '... -- Parameters MAY be encoded in the...'
     (96 more instances...)

  -- The draft header indicates that this document updates RFC3370, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC3565, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC3851, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC3852, but the
     abstract doesn't seem to mention this, which it should.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 617 has weird spacing: '...e could be ge...'

     (Using the creation date from RFC3370, updated by this document, for
     RFC5378 checks: 2001-04-25)

     (Using the creation date from RFC3565, updated by this document, for
     RFC5378 checks: 2000-11-22)

  -- The document seems to contain a disclaimer for pre-RFC5378 work, and may
     have content which was first submitted before 10 November 2008. The
     disclaimer is necessary when there are original authors that you have
     been unable to contact, or if some do not wish to grant the BCP78 rights
     to the IETF Trust. If you are able to get all authors (current and
     original) to grant those rights, you can and should remove the
     disclaimer; otherwise, the disclaimer is needed and you can ignore this
     comment. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 9, 2009) is 5527 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '0' on line 2523

  -- Looks like a reference, but probably isn't: '1' on line 2524

  -- Looks like a reference, but probably isn't: '2' on line 2525

  == Missing Reference: 'CMSALG' is mentioned on line 1089, but not defined

  == Missing Reference: 'CMS' is mentioned on line 1100, but not defined

  -- Looks like a reference, but probably isn't: '3' on line 2526

  -- Looks like a reference, but probably isn't: '4' on line 2527

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ASN1-2002'

  ** Downref: Normative reference to an Informational draft:
     draft-ietf-pkix-new-asn1 (ref. 'NEW-PKIX')

  ** Obsolete normative reference: RFC 3851 (Obsoleted by RFC 5751)

  ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652)

     Summary: 6 errors (**), 0 flaws (~~), 4 warnings (==), 12 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    Network Working Group                                         P. Hoffman
3    Internet-Draft                                            VPN Consortium
4    Updates: 3370, 3565, 3851, 3852,                               J. Schaad
5    4108, 4998, 5035, 5083, 5084                     Soaring Hawk Consulting
6    (if approved)                                              March 9, 2009
7    Intended status: Standards Track
8    Expires: September 10, 2009

10                     New ASN.1 Modules for CMS and S/MIME
11                       draft-ietf-smime-new-asn1-03.txt

13   Status of this Memo

15      This Internet-Draft is submitted to IETF in full conformance with the
16      provisions of BCP 78 and BCP 79. This document may contain material
17      from IETF Documents or IETF Contributions published or made publicly
18      available before November 10, 2008. The person(s) controlling the
19      copyright in some of this material may not have granted the IETF
20      Trust the right to allow modifications of such material outside the
21      IETF Standards Process. Without obtaining an adequate license from
22      the person(s) controlling the copyright in such materials, this
23      document may not be modified outside the IETF Standards Process, and
24      derivative works of it may not be created outside the IETF Standards
25      Process, except to format it for publication as an RFC or to
26      translate it into languages other than English.

28      Internet-Drafts are working documents of the Internet Engineering
29      Task Force (IETF), its areas, and its working groups. Note that
30      other groups may also distribute working documents as Internet-
31      Drafts.

33      Internet-Drafts are draft documents valid for a maximum of six months
34      and may be updated, replaced, or obsoleted by other documents at any
35      time. It is inappropriate to use Internet-Drafts as reference
36      material or to cite them other than as "work in progress."

38      The list of current Internet-Drafts can be accessed at
39      http://www.ietf.org/ietf/1id-abstracts.txt.

41      The list of Internet-Draft Shadow Directories can be accessed at
42      http://www.ietf.org/shadow.html.

44      This Internet-Draft will expire on September 10, 2009.

46   Copyright Notice

48      Copyright (c) 2009 IETF Trust and the persons identified as the
49      document authors. All rights reserved.

51      This document is subject to BCP 78 and the IETF Trust's Legal
52      Provisions Relating to IETF Documents in effect on the date of
53      publication of this document (http://trustee.ietf.org/license-info).
54      Please review these documents carefully, as they describe your rights
55      and restrictions with respect to this document.

57   Abstract

59      The Cryptographic Message Syntax (CMS) format, and many associated
60      formats, are expressed using ASN.1. The current ASN.1 modules
61      conform to the 1988 version of ASN.1. This document updates those
62      ASN.1 modules to conform to the 2002 version of ASN.1. There are no
63      bits-on-the-wire changes to any of the formats; this is simply a
64      change to the syntax.

66   Table of Contents

68      1.  Introduction
69        1.1.  Design Notes
70        1.2.  Issues
71          1.2.1.  Module OIDs Changing
72      2.  ASN.1 Module AlgorithmInformation
73      3.  ASN.1 Module for RFC 3370
74      4.  ASN.1 Module for RFC 3565
75      5.  ASN.1 Module for RFC 3851
76      6.  ASN.1 Module for RFC 3852
77      7.  ASN.1 Module for RFC 4108
78      8.  ASN.1 Module for RFC 4998
79      9.  ASN.1 Module for RFC 5035
80      10. ASN.1 Module for RFC 5083
81      11. ASN.1 Module for RFC 5084
82      12. ASN.1 Module for RFC 5275
83      13. Security Considerations
84      14. Normative References
85      Appendix A.  Change History
86        A.1.  Changes between draft-hoffman-cms-new-asn1-00 and
87              draft-ietf-smime-new-asn1-00
88        A.2.  Changes between draft-ietf-smime-new-asn1-00 and -01
89        A.3.  Changes between draft-ietf-smime-new-asn1-01 and -02
90        A.4.  Changes between draft-ietf-smime-new-asn1-02 and -03
91      Authors' Addresses

93   1.  Introduction

95      Some developers would like the IETF to use the latest version of
96      ASN.1 in its standards. Most of the RFCs that relate to security
97      protocols still use ASN.1 from the 1988 standard, which has been
98      deprecated. This is particularly true for the standards that relate
99      to PKIX, CMS, and S/MIME.

101     This document updates the following RFCs to use ASN.1 modules that
102     conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all
103     the modules are updated; some are included to simply make the set
104     complete.

106     o  RFC 3370, CMS Algorithms [RFC3370]

108     o  RFC 3565, Use of AES in CMS [RFC3565]

110     o  RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851]

112     o  RFC 3852, CMS main [RFC3852]

114     o  RFC 4108, Using CMS to Protect Firmware Packages [RFC4108]

116     o  RFC 4998, Evidence Record Syntax (ERS) [RFC4998]

118     o  RFC 5035, Enhanced Security Services (ESS) [RFC5035]

120     o  RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]

122     o  RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in
123        CMS [RFC5084]

125     o  RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]

127     Note that some of the modules in this document get some of their
128     definitions from places different than the modules in the original
129     RFCs. The idea is that these modules, when combined with the modules
130     in [NEW-PKIX] can stand on their own and do not need to import
131     definitions from anywhere else.

133     The document also includes a module of common definitions called
134     "AlgorithmInformation". These definitions are used here and in
135     [NEW-PKIX].

137     Note that some of the modules here import definitions from the common
138     definitions module, "PKIX-CommonTypes", in [NEW-PKIX].

140  1.1.  Design Notes

142     The modules in this document use the object model available in the
143     2002 ASN.1 documents to a great extent. Objects for each of the
144     different algorithm types are defined. Also, all of the places where
145     the 1988 ASN.1 syntax had ANY holes to allow for variable syntax
146     now have objects.

148     Much like the way that the PKIX and S/MIME working groups use the
149     prefix of id- for object identifiers, this document has also adopted
150     a set of two, three, and four letter prefixes to allow for quick
151     identification of the type of an object based on its name. This
152     allows, for example, the same back half of the name to be used for
153     the different objects. Thus, "id-sha1" is the object identifier,
154     while "mda-sha1" is the message digest object for "sha1".

156     One or more object sets for the different types of algorithms are
157     defined. A single consistent name for each of the different
158     algorithm types is used. For example, an object set named PublicKeys
159     might contain the public keys defined in that module. If no public
160     keys are defined, then the object set is not created. When
161     referencing these object sets when imported, one needs to be able to
162     disambiguate between the different modules. This is done by using
163     both the module name (as specified in the IMPORT statement) and the
164     object set name. For example, in the module for RFC 5280:

166     PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
167     PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }

169     PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
170         PKIX1-PSS-OAEP-Algorithms.PublicKeys }

172  1.2.  Issues

174     This section will be removed before final publication.

176  1.2.1.  Module OIDs Changing

178     The OIDs given in the modules in this version of the document are the
179     same as the OIDs from the original modules, even though some of the
180     modules have changed syntax. That is clearly incorrect. In a later
181     version of this document, we will change the OIDs for every changed
182     module. The WG (hopefully in coordination with the PKIX WG) needs to
183     determine how to do this and what the result will be.

185  2.  ASN.1 Module AlgorithmInformation

187     This section contains a module that is imported by many other modules
188     in this document. Note that this module is also given in [NEW-PKIX].
189     This module does not come from any existing RFC.

191     AlgorithmInformation-2009
192         {iso(1) identified-organization(3) dod(6) internet(1) security(5)
193         mechanisms(5) pkix(7) id-mod(0)
194         id-mod-algorithmInformation-02(58)}

196     DEFINITIONS EXPLICIT TAGS ::=
197     BEGIN
198     EXPORTS ALL;
199     IMPORTS

201     KeyUsage
202     FROM PKIX1Implicit-2009
203         {iso(1) identified-organization(3) dod(6) internet(1)
204         security(5) mechanisms(5) pkix(7) id-mod(0)
205         id-mod-pkix1-implicit-02(59)} ;

207     --  Suggested prefixes for algorithm objects are:
208     --
209     --  mda-   Message Digest Algorithms
210     --  sa-    Signature Algorithms
211     --  kta-   Key Transport Algorithms (Asymmetric)
212     --  kaa-   Key Agreement Algorithms (Asymmetric)
213     --  kwa-   Key Wrap Algorithms (Symmetric)
214     --  kda-   Key Derivation Algorithms
215     --  maca-  Message Authentication Code Algorithms
216     --  pk-    Public Key
217     --  cea-   Content (symmetric) Encryption Algorithm
218     --  cap-   S/MIME Capabilities

220     ParamOptions ::= ENUMERATED {
221        required,         -- Parameters MUST be encoded in structure
222        preferredPresent, -- Parameters SHOULD be encoded in structure
223        preferredAbsent,  -- Parameters SHOULD NOT be encoded in structure
224        absent,           -- Parameters MUST NOT be encoded in structure
225        inheritable,      -- Parameters are inherited if not present
226        optional,         -- Parameters MAY be encoded in the structure
227        ...
228     }

230     --  DIGEST-ALGORITHM
231     --
232     --  Describes the basic information for ASN.1 and a digest
233     --      algorithm.
234     --
235     --  &id - contains the OID identifying the digest algorithm
236     --  &Params - contains the type for the algorithm parameters,
237     --               if present; absent implies no parameters
238     --  &paramPresence - parameter presence requirement
239     --
240     --  Additional information such as the length of the hash could also
241     --      be encoded.
242     --
243     --  Example:
244     --      sha1 DIGEST-ALGORITHM ::= {
245     --          IDENTIFIER id-sha1
246     --          PARAMS TYPE NULL ARE preferredAbsent
247     --      }

249     DIGEST-ALGORITHM ::= CLASS {
250         &id                 OBJECT IDENTIFIER UNIQUE,
251         &Params             OPTIONAL,
252         &paramPresence      ParamOptions DEFAULT absent
253     } WITH SYNTAX {
254         IDENTIFIER &id
255         [PARAMS [TYPE &Params] [ARE &paramPresence] ]
256     }

258     --  SIGNATURE-ALGORITHM
259     --
260     --  Describes the basic properties of a signature algorithm
261     --
262     --  &id - contains the OID identifying the signature algorithm
263     --  &Value - contains a type definition for the value structure of
264     --               the signature
265     --  &Params - contains the type for the algorithm parameters,
266     --               if present; absent implies no parameters
267     --  &paramPresence - parameter presence requirement
268     --  &HashSet - The set of hash algorithms used with this
269     --               signature algorithm
270     --  &PublicKeySet - the set of public key algorithms for this
271     --               signature algorithm
272     --  &smimeCaps - contains the object describing how the S/MIME
273     --               capabilities are presented.
274     --
275     --  Example:
276     --  sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
277     --     IDENTIFIER id-RSASSA-PSS
278     --     PARAMS TYPE RSASSA-PSS-params ARE required
279     --     HASHES {sha1 | md5, ... }
280     --     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
281     --  }

283     SIGNATURE-ALGORITHM ::= CLASS {
284         &id             OBJECT IDENTIFIER UNIQUE,
285         &Value          OPTIONAL,
286         &Params         OPTIONAL,
287         &paramPresence  ParamOptions DEFAULT absent,
288         &HashSet        DIGEST-ALGORITHM OPTIONAL,
289         &PublicKeySet   PUBLIC-KEY OPTIONAL,
290         &smimeCaps      SMIME-CAPS OPTIONAL
291     } WITH SYNTAX {
292         IDENTIFIER &id
293         [VALUE &Value]
294         [PARAMS [TYPE &Params] ARE &paramPresence ]
295         [HASHES &HashSet]
296         [PUBLIC-KEYS &PublicKeySet]
297         [SMIME-CAPS &smimeCaps]
298     }

300     --  PUBLIC-KEY
301     --
302     --  Describes the basic properties of a public key
303     --
304     --  &id - contains the OID identifying the public key
305     --  &KeyValue - contains the type for the key value
306     --  &Params - contains the type for the algorithm parameters,
307     --               if present; absent implies no parameters
308     --  &paramPresence - parameter presence requirement
309     --  &keyUsage - contains the set of bits that are legal for this
310     --              key type. Note that it does not make any statement
311     --              about how bits may be paired.
312     --  &PrivateKey - contains a type structure for encoding the private
313     --              key information.
314     --
315     --  Example:
316     --  pk-rsa-pss PUBLIC-KEY ::= {
317     --      IDENTIFIER id-RSASSA-PSS
318     --      KEY RSAPublicKey
319     --      PARAMS TYPE RSASSA-PSS-params ARE optional
320     --      CERT-KEY-USAGE { .... }
321     --  }

323     PUBLIC-KEY ::= CLASS {
324         &id             OBJECT IDENTIFIER UNIQUE,
325         &KeyValue       OPTIONAL,
326         &Params         OPTIONAL,
327         &paramPresence  ParamOptions DEFAULT absent,
328         &keyUsage       KeyUsage OPTIONAL,
329         &PrivateKey     OPTIONAL
330     } WITH SYNTAX {
331         IDENTIFIER &id
332         [KEY &KeyValue]
333         [PARAMS [TYPE &Params] ARE &paramPresence]
334         [CERT-KEY-USAGE &keyUsage]
335         [PRIVATE-KEY &PrivateKey]
336     }

338     --  KEY-TRANSPORT
339     --
340     --  Describes the basic properties of a key transport algorithm
341     --
342     --  &id - contains the OID identifying the key transport algorithm
343     --  &Params - contains the type for the algorithm parameters,
344     --               if present; absent implies no parameters
345     --  &paramPresence - parameter presence requirement
346     --  &PublicKeySet - specify which public keys are used with
347     --               this algorithm
348     --  &smimeCaps - contains the object describing how the S/MIME
349     --               capabilities are presented.
350     --
351     --  Example:
352     --  rsaTransport KEY-TRANSPORT ::= {
353     --      IDENTIFIER &id
354     --      PARAMS TYPE NULL ARE required
355     --      PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
356     --  }

358     KEY-TRANSPORT ::= CLASS {
359         &id             OBJECT IDENTIFIER UNIQUE,
360         &Params         OPTIONAL,
361         &paramPresence  ParamOptions DEFAULT absent,
362         &PublicKeySet   PUBLIC-KEY OPTIONAL,
363         &smimeCaps      SMIME-CAPS OPTIONAL
364     } WITH SYNTAX {
365         IDENTIFIER &id
366         [PARAMS [TYPE &Params] ARE &paramPresence]
367         [PUBLIC-KEYS &PublicKeySet]
368         [SMIME-CAPS &smimeCaps]
369     }

371     --  KEY-AGREE
372     --
373     --  Describes the basic properties of a key agreement algorithm
374     --
375     --  &id - contains the OID identifying the key agreement algorithm
376     --  &Params - contains the type for the algorithm parameters,
377     --               if present; absent implies no parameters
378     --  &paramPresence - parameter presence requirement
379     --  &PublicKeySet - specify which public keys are used with
380     --               this algorithm
381     --  &Ukm - type of user keying material used
382     --  &ukmPresence - specifies the requirements to define the UKM field
383     --  &smimeCaps - contains the object describing how the S/MIME
384     --               capabilities are presented.
385     --
386     --  Example:
387     --  dh-static-ephemerial KEY-AGREE ::= {
388     --      IDENTIFIER id-alg-ESDH
389     --      PARAMS TYPE KeyWrapAlgorithm ARE required
390     --      - - user key material is not ASN.1-encoded.
391     --      PUBLIC-KEYS {
392     --         {IDENTIFIER dh-public-number KEY DHPublicKey
393     --            PARAMS TYPE DHDomainParameters ARE inheritable }
394     --      }
395     --      - - UKM should be present but is not separately ASN.1-encoded
396     --      UKM ARE preferredPresent
397     --  }

399     KEY-AGREE ::= CLASS {
400         &id             OBJECT IDENTIFIER UNIQUE,
401         &Params         OPTIONAL,
402         &paramPresence  ParamOptions DEFAULT absent,
403         &PublicKeySet   PUBLIC-KEY OPTIONAL,
404         &Ukm            OPTIONAL,
405         &ukmPresence    ParamOptions DEFAULT absent,
406         &smimeCaps      SMIME-CAPS OPTIONAL
407     } WITH SYNTAX {
408         IDENTIFIER &id
409         [PARAMS [TYPE &Params] ARE &paramPresence]
410         [PUBLIC-KEYS &PublicKeySet]
411         [UKM [TYPE &Ukm] ARE &ukmPresence]
412         [SMIME-CAPS &smimeCaps]
413     }

415     --  KEY-WRAP
416     --
417     --  Describes the basic properties of a key wrap algorithm
418     --
419     --  &id - contains the OID identifying the key wrap algorithm
420     --  &Params - contains the type for the algorithm parameters,
421     --               if present; absent implies no parameters
422     --  &paramPresence - parameter presence requirement
423     --  &smimeCaps - contains the object describing how the S/MIME
424     --               capabilities are presented.

426     --
427     --  Example:
428     --  cms3DESwrap KEY-WRAP ::= {
429     --      IDENTIFIER id-alg-CMS3DESwrap
430     --      PARAMS TYPE NULL ARE required
431     --  }

433     KEY-WRAP ::= CLASS {
434         &id             OBJECT IDENTIFIER UNIQUE,
435         &Params         OPTIONAL,
436         &paramPresence  ParamOptions DEFAULT absent,
437         &smimeCaps      SMIME-CAPS OPTIONAL
438     } WITH SYNTAX {
439         IDENTIFIER &id
440         [PARAMS [TYPE &Params] ARE &paramPresence]
441         [SMIME-CAPS &smimeCaps]
442     }

444     --  KEY-DERIVATION
445     --
446     --  Describes the basic properties of a key derivation algorithm
447     --
448     --  &id - contains the OID identifying the key derivation algorithm
449     --  &Params - contains the type for the algorithm parameters,
450     --               if present; absent implies no parameters
451     --  &paramPresence - parameter presence requirement
452     --  &smimeCaps - contains the object describing how the S/MIME
453     --               capabilities are presented.
454     --
455     --  Could add information about defaults for the derivation algorithm
456     --      such as PRFs
457     --
458     --  Example:
459     --  pbkdf2 KEY-DERIVATION ::= {
460     --      IDENTIFIER id-PBKDF2
461     --      PARAMS TYPE PBKDF2-params ARE required
462     --  }

464     KEY-DERIVATION ::= CLASS {
465         &id             OBJECT IDENTIFIER UNIQUE,
466         &Params         OPTIONAL,
467         &paramPresence  ParamOptions DEFAULT absent,
468         &smimeCaps      SMIME-CAPS OPTIONAL
469     } WITH SYNTAX {
470         IDENTIFIER &id
471         [PARAMS [TYPE &Params] ARE &paramPresence]
472         [SMIME-CAPS &smimeCaps]
473     }
474     --  MAC-ALGORITHM
475     --
476     --  Describes the basic properties of a MAC algorithm
477     --
478     --  &id - contains the OID identifying the MAC algorithm
479     --  &Params - contains the type for the algorithm parameters,
480     --               if present; absent implies no parameters
481     --  &paramPresence - parameter presence requirement
482     --  &keyed - MAC algorithm is a keyed MAC algorithm
483     --  &smimeCaps - contains the object describing how the S/MIME
484     --               capabilities are presented.
485     --
486     --  It would make sense to also add minimum and maximum MAC lengths
487     --
488     --  Example:
489     --  maca-hmac-sha1 MAC-ALGORITHM ::= {
490     --      IDENTIFIER hMAC-SHA1
491     --      PARAMS TYPE NULL ARE preferredAbsent
492     --      IS-KEYED-MAC TRUE
493     --      SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
494     --  }

496     MAC-ALGORITHM ::= CLASS {
497         &id             OBJECT IDENTIFIER UNIQUE,
498         &Params         OPTIONAL,
499         &paramPresence  ParamOptions DEFAULT absent,
500         &keyed          BOOLEAN,
501         &smimeCaps      SMIME-CAPS OPTIONAL
502     } WITH SYNTAX {
503         IDENTIFIER &id
504         [PARAMS [TYPE &Params] [ARE &paramPresence]]
505         IS-KEYED-MAC &keyed
506         [SMIME-CAPS &smimeCaps]
507     }

509     --  CONTENT-ENCRYPTION
510     --
511     --  Describes the basic properties of a content encryption
512     --      algorithm
513     --
514     --  &id - contains the OID identifying the content
515     --               encryption algorithm
516     --  &Params - contains the type for the algorithm parameters,
517     --               if present; absent implies no parameters
518     --  &paramPresence - parameter presence requirement
519     --  &smimeCaps - contains the object describing how the S/MIME
520     --               capabilities are presented.
521     --
522     --  Example:
523     --  cea-3DES-cbc CONTENT-ENCRYPTION ::= {
524     --      IDENTIFIER des-ede3-cbc
525     --      PARAMS TYPE IV ARE required
526     --      SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
527     --  }

529     CONTENT-ENCRYPTION ::= CLASS {
530         &id             OBJECT IDENTIFIER UNIQUE,
531         &Params         OPTIONAL,
532         &paramPresence  ParamOptions DEFAULT absent,
533         &smimeCaps      SMIME-CAPS OPTIONAL
534     } WITH SYNTAX {
535         IDENTIFIER &id
536         [PARAMS [TYPE &Params] ARE &paramPresence]
537         [SMIME-CAPS &smimeCaps]
538     }

540     --  ALGORITHM
541     --
542     --  Describes a generic algorithm identifier
543     --
544     --  &id - contains the OID identifying the algorithm
545     --  &Params - contains the type for the algorithm parameters,
546     --               if present; absent implies no parameters
547     --  &paramPresence - parameter presence requirement
548     --  &smimeCaps - contains the object describing how the S/MIME
549     --               capabilities are presented.
550     --
551     --  This would be used for cases where an unknown algorithm is
552     --  used. One should consider using TYPE-IDENTIFIER in these cases.

554     ALGORITHM ::= CLASS {
555         &id             OBJECT IDENTIFIER UNIQUE,
556         &Params         OPTIONAL,
557         &paramPresence  ParamOptions DEFAULT absent,
558         &smimeCaps      SMIME-CAPS OPTIONAL
559     } WITH SYNTAX {
560         IDENTIFIER &id
561         [PARAMS [TYPE &Params] ARE &paramPresence]
562         [SMIME-CAPS &smimeCaps]
563     }

565     --  AlgorithmIdentifier
566     --
567     --  Provides the generic structure that is used to encode algorithm
568     --    identification and the parameters associated with the
569     --    algorithm.

571     --
572     --  The first parameter represents the type of the algorithm being
573     --    used.
574     --  The second parameter represents an object set containing the
575     --    algorithms that may occur in this situation.
576     --    The initial list of required algorithms should occur to the
577     --      left of an extension marker, all other algorithms should
578     --      occur to the right of an extension marker.
579     --
580     --  The object class ALGORITHM can be used for generic unspecified
581     --    items.
582     --  If new ALGORITHM objects are defined, the fields &id and &Params
583     --    need to be present as fields in the object.
584     --

586     AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
587         SEQUENCE {
588             algorithm   ALGORITHM-TYPE.&id({AlgorithmSet}),
589             parameters  ALGORITHM-TYPE.
590                    &Params({AlgorithmSet}{@algorithm}) OPTIONAL
591         }

593     --  S/MIME Capabilities
594     --
595     --  We have moved the SMIME-CAPS from the module for RFC 3851 to here
596     --  because it is used in the PKIX document RFC 4262 - Use of S/MIME
597     --  Caps in certificate extension
598     --
599     --
600     --  This class is used to represent an S/MIME capability. S/MIME
601     --  capabilities are used to represent what algorithm capabilities
602     --  an individual has. The classic example was the content encryption
603     --  algorithm RC2 where the algorithm id and the RC2 key lengths
604     --  supported needed to be advertised, but the IV used is not fixed.
605     --  Thus for RC2 we used
606     --
607     --  cap-RC2CBC SMIME-CAPS ::= {
608     --      TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
609     --
610     --  where 40 and 128 represent the RC2 key length in number of bits.
611     --
612     --  Another example where information needs to be shown is for
613     --  RSA-OAEP where only specific hash functions or mask generation
614     --  functions are supported, but the saltLength is specified by the
615     --  sender and not the recipient. In this case one can either
616     --  generate a number of capability items,
617     --  or a new S/MIME capability type could be generated where
618     --  multiple hash functions could be specified.
619     --
620     --
621     --  SMIME-CAP
622     --
623     --  This class is used to associate the type describing capabilities
624     --  with the object identifier.
625     --

627     SMIME-CAPS ::= CLASS {
628         &id         OBJECT IDENTIFIER UNIQUE,
629         &Type       OPTIONAL
630     }
631     WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }

633     --
634     --  Generic type - this is used for defining values.
635     --

637     --  Define a single S/MIME capability encoding

639     SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
640         capabilityID        SMIME-CAPS.&id({CapabilitySet}),
641         parameters          SMIME-CAPS.&Type({CapabilitySet}
642                                 {@capabilityID}) OPTIONAL
643     }

645     --  Define a sequence of S/MIME capability value

647     SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
648         SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }

650     END

652  3.  ASN.1 Module for RFC 3370

654     CryptographicMessageSyntaxAlgorithms-2009
655         { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
656         smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
657     DEFINITIONS IMPLICIT TAGS ::=
658     BEGIN
659     IMPORTS

661     ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
662         PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
663         KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
664         AlgorithmIdentifier{}, SMIME-CAPS
665     FROM AlgorithmInformation-2009
666         {iso(1) identified-organization(3) dod(6) internet(1) security(5)
667         mechanisms(5) pkix(7) id-mod(0)
668         id-mod-algorithmInformation-02(58)}

670     pk-rsa, pk-dh, pk-dsa, rsaEncryption, DHPublicKey, dhpublicnumber
671     FROM PKIXAlgs-2009
672          {iso(1) identified-organization(3) dod(6)
673          internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
674          id-mod-pkix1-algorithms2008-02(56)}

676     cap-RC2CBC
677     FROM SecureMimeMessageV3dot1-2009
678          {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
679          smime(16) modules(0) id-mod-msg-v3dot1-02(39)};

681     --  2. Hash algorithms in this document

683     MessageDigestAlgs DIGEST-ALGORITHM ::= {
684     --   mda-md5 | mda-sha1,
685          ... }

687     --  3. Signature algorithms in this document

689     SignatureAlgs SIGNATURE-ALGORITHM ::= {
690     --  See RFC 3279
691     --  sa-dsaWithSHA1 |  sa-rsaWithMD5 | sa-rsaWithSHA1,
692         ... }

694     --  4. Key Management Algorithms
695     --  4.1 Key Agreement Algorithms

697     KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
698     KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}

700     --  4.2 Key Transport Algorithms

702     KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }

704     --  4.3 Symmetric Key-Encryption Key Algorithms

706     KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }

708     --  4.4 Key Derivation Algorithms
709     KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }

711     --  5. Content Encryption Algorithms

713     ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
714         { cea-3DES-cbc | cea-RC2-cbc, ... }

716     --  6. Message Authentication Code Algorithms

718     MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }

720     --  SMIME Capabilities for these items

722     SMimeCaps SMIME-CAPS ::= {
723         kaa-esdh.&smimeCaps         |
724         kaa-ssdh.&smimeCaps         |
725         kt-rsa.&smimeCaps           |
726         kwa-3DESWrap.&smimeCaps     |
727         kwa-RC2Wrap.&smimeCaps      |
728         cea-3DES-cbc.&smimeCaps     |
729         cea-RC2-cbc.&smimeCaps      |
730         maca-hMAC-SHA1.&smimeCaps,
731         ...}

733     --
734     --
735     --

737     --  Algorithm Identifiers

739     --  rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
740     --     us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

742     id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
743        rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }

745     id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
746        rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }

748     id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
749        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }

751     id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
752        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }

754     des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
755        us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }

757     rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
758        rsadsi(113549) encryptionAlgorithm(3) 2 }

760     hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
761        dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }

763     id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
764        rsadsi(113549) pkcs(1) pkcs-5(5) 12 }

766     --  Algorithm Identifier Parameter Types

768     KeyWrapAlgorithm ::=
769         AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }}

771     RC2wrapParameter ::= RC2ParameterVersion

773     RC2ParameterVersion ::= INTEGER

775     CBCParameter ::= IV

777     IV ::= OCTET STRING  -- exactly 8 octets

779     RC2CBCParameter ::= SEQUENCE {
780        rc2ParameterVersion INTEGER (1..256),
781        iv OCTET STRING  }  -- exactly 8 octets

783     maca-hMAC-SHA1 MAC-ALGORITHM ::= {
784       IDENTIFIER hMAC-SHA1
785       PARAMS TYPE NULL ARE preferredAbsent
786       IS-KEYED-MAC TRUE
787       SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
788   }

790   PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
791       {PBKDF2-PRFs} }

793   alg-hMAC-SHA1 ALGORITHM ::=
794       { IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required }

796   PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }

798   PBKDF2-SaltSources ALGORITHM ::= { ... }

800   PBKDF2-SaltSourcesAlgorithmIdentifier ::=
801       AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}

803   defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
804       { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }

806   PBKDF2-params ::= SEQUENCE {
807       salt CHOICE {
808           specified OCTET STRING,
809           otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
810       iterationCount INTEGER (1..MAX),
811       keyLength INTEGER (1..MAX) OPTIONAL,
812       prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
813           defaultPBKDF2
814   }

816   --
817   -- This object is included for completeness. It should not be used
818   -- for encoding of signatures, but was sometimes used in older
819   -- versions of CMS for encoding of RSA signatures.
820   --
821   --
822   -- sa-rsa SIGNATURE-ALGORITHM ::= {
823   --     IDENTIFIER rsaEncryption
824   --     - - value is not ASN.1 encoded
825   --     PARAMS TYPE NULL ARE required
826   --     HASHES {mda-sha1 | mda-md5, ...}
827   --     PUBLIC-KEYS { pk-rsa}
828   -- }
829   --
830   -- No ASN.1 encoding is applied to the signature value
831   -- for these items

833   kaa-esdh KEY-AGREE ::= {
834       IDENTIFIER id-alg-ESDH
835       PARAMS TYPE KeyWrapAlgorithm ARE required
836       PUBLIC-KEYS { pk-dh }
837       -- UKM is not ASN.1 encoded
838       UKM ARE optional
839       SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
840   }

842   kaa-ssdh KEY-AGREE ::= {
843       IDENTIFIER id-alg-SSDH
844       PARAMS TYPE KeyWrapAlgorithm ARE required
845       PUBLIC-KEYS {pk-dh}
846       -- UKM is not ASN.1 encoded
847       UKM ARE optional
848       SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
849   }

851   dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber
852   pk-originator-dh PUBLIC-KEY ::= {
853       IDENTIFIER dh-public-number
854       KEY DHPublicKey
855       PARAMS ARE absent
856       CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly}
857   }

859   kwa-3DESWrap KEY-WRAP ::= {
860       IDENTIFIER id-alg-CMS3DESwrap
861       PARAMS TYPE NULL ARE required
862       SMIME-CAPS {IDENTIFIED BY id-alg-CMS3DESwrap}
863   }

865   kwa-RC2Wrap KEY-WRAP ::= {
866       IDENTIFIER id-alg-CMSRC2wrap
867       PARAMS TYPE RC2wrapParameter ARE required
868       SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
869   }

871   kda-PBKDF2 KEY-DERIVATION ::= {
872       IDENTIFIER id-PBKDF2
873       PARAMS TYPE PBKDF2-params ARE required
874       -- No s/mime caps defined
875   }

877   cea-3DES-cbc CONTENT-ENCRYPTION ::= {
878       IDENTIFIER des-ede3-cbc
879       PARAMS TYPE IV ARE required
880       SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
881   }

883   cea-RC2-cbc CONTENT-ENCRYPTION ::= {
884       IDENTIFIER rc2-cbc
885       PARAMS TYPE RC2CBCParameter ARE required
886       SMIME-CAPS cap-RC2CBC
887   }

889   kt-rsa KEY-TRANSPORT ::= {
890       IDENTIFIER rsaEncryption
891       PARAMS TYPE NULL ARE required
892       PUBLIC-KEYS { pk-rsa }
893       SMIME-CAPS {IDENTIFIED BY rsaEncryption}
894   }
896   -- S/MIME Capabilities - most have no label.

898   cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }
899   END

901   4. ASN.1 Module for RFC 3565

903   CMSAesRsaesOaep-2009 {iso(1) member-body(2) us(840) rsadsi(113549)
904       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38)}
905   DEFINITIONS IMPLICIT TAGS ::=
906   BEGIN
907   IMPORTS

909   CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
910   FROM AlgorithmInformation-2009
911       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
912       mechanisms(5) pkix(7) id-mod(0)
913       id-mod-algorithmInformation-02(58)};

915   AES-ContentEncryption CONTENT-ENCRYPTION ::= {
916       cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
917   }

919   AES-KeyWrap KEY-WRAP ::= {
920       kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
921   }

923   SMimeCaps SMIME-CAPS ::= {
924       cea-aes128-cbc.&smimeCaps |
925       cea-aes192-cbc.&smimeCaps |
926       cea-aes256-cbc.&smimeCaps |
927       kwa-aes128-wrap.&smimeCaps |
928       kwa-aes192-wrap.&smimeCaps |
929       kwa-aes256-wrap.&smimeCaps, ...
930   }

932   -- AES information object identifiers --

934   aes OBJECT IDENTIFIER ::=
935       { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
936       csor(3) nistAlgorithms(4) 1 }

938   -- AES using CBC mode for key sizes of 128, 192, 256

940   cea-aes128-cbc CONTENT-ENCRYPTION ::= {
941       IDENTIFIER id-aes128-CBC
942       PARAMS TYPE AES-IV ARE required
943       SMIME-CAPS { IDENTIFIED BY id-aes128-CBC }
944   }
945   id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }

947   cea-aes192-cbc CONTENT-ENCRYPTION ::= {
948       IDENTIFIER id-aes192-CBC
949       PARAMS TYPE AES-IV ARE required
950       SMIME-CAPS { IDENTIFIED BY id-aes192-CBC }
951   }
952   id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }

954   cea-aes256-cbc CONTENT-ENCRYPTION ::= {
955       IDENTIFIER id-aes256-CBC
956       PARAMS TYPE AES-IV ARE required
957       SMIME-CAPS { IDENTIFIED BY id-aes256-CBC }
958   }
959   id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }

961   -- AES-IV is the parameter for all the above object identifiers.
963   AES-IV ::= OCTET STRING (SIZE(16))

965   -- AES Key Wrap Algorithm Identifiers - Parameter is absent

967   kwa-aes128-wrap KEY-WRAP ::= {
968       IDENTIFIER id-aes128-wrap
969       PARAMS ARE absent
970       SMIME-CAPS { IDENTIFIED BY id-aes128-wrap }
971   }
972   id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }

974   kwa-aes192-wrap KEY-WRAP ::= {
975       IDENTIFIER id-aes192-wrap
976       PARAMS ARE absent
977       SMIME-CAPS { IDENTIFIED BY id-aes192-wrap }
978   }
979   id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }

981   kwa-aes256-wrap KEY-WRAP ::= {
982       IDENTIFIER id-aes256-wrap
983       PARAMS ARE absent
984       SMIME-CAPS { IDENTIFIED BY id-aes256-wrap }
985   }
986   id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }

988   END

990   5. ASN.1 Module for RFC 3851

992   SecureMimeMessageV3dot1-2009
993       {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
994       smime(16) modules(0) id-mod-msg-v3dot1-02(39)}
995   DEFINITIONS IMPLICIT TAGS ::=
996   BEGIN
997   IMPORTS

999   SMIME-CAPS, SMIMECapabilities{}
1000  FROM AlgorithmInformation-2009
1001      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1002      mechanisms(5) pkix(7) id-mod(0)
1003      id-mod-algorithmInformation-02(58)}

1005  ATTRIBUTE
1006  FROM PKIX-CommonTypes-2009
1007      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1008      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

1010  SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
1011  FROM CryptographicMessageSyntax-2009
1012      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1013      smime(16) modules(0) id-mod-cms-2004-02(41)}

1015  rc2-cbc, SMimeCaps
1016  FROM CryptographicMessageSyntaxAlgorithms-2009
1017      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1018      smime(16) modules(0) id-mod-cmsalg-2001-02(37)}

1020  SMimeCaps
1021  FROM PKIXAlgs-2009
1022      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1023      mechanisms(5) pkix(7) id-mod(0)
1024      id-mod-pkix1-algorithms2008-02(56)}

1026  SMimeCaps
1027  FROM PKIX1-PSS-OAEP-Algorithms-2009
1028      {iso(1) identified-organization(3) dod(6) internet(1)
1029      security(5) mechanisms(5) pkix(7) id-mod(0)
1030      id-mod-pkix1-rsa-pkalgs-02(54)};

1032  SMimeAttributeSet ATTRIBUTE ::=
1033      { aa-smimeCapabilities | aa-encrypKeyPref, ... }

1035  -- id-aa is the arc with all new authenticated and unauthenticated
1036  -- attributes produced by the S/MIME Working Group
1037  id-aa OBJECT IDENTIFIER ::=
1038      { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1039      smime(16) attributes(2)}

1041  -- S/MIME Capabilities provides a method of broadcasting the symmetric
1042  -- capabilities understood. Algorithms SHOULD be ordered by
1043  -- preference and grouped by type

1045  aa-smimeCapabilities ATTRIBUTE ::=
1046      { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
1047      smimeCapabilities }

1049  smimeCapabilities OBJECT IDENTIFIER ::=
1050      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1051      15 }

1053  SMimeCapsSet SMIME-CAPS ::=
1054      { cap-preferBinaryInside | cap-RC2CBC |
1055      PKIXAlgs-2009.SMimeCaps |
1056      CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
1057      PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }

1059  -- Encryption Key Preference provides a method of broadcasting the
1060  -- preferred encryption certificate.
1062  aa-encrypKeyPref ATTRIBUTE ::=
1063      { TYPE SMIMEEncryptionKeyPreference
1064      IDENTIFIED BY id-aa-encrypKeyPref }

1066  id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}

1068  SMIMEEncryptionKeyPreference ::= CHOICE {
1069      issuerAndSerialNumber [0] IssuerAndSerialNumber,
1070      receipentKeyId [1] RecipientKeyIdentifier,
1071      subjectAltKeyIdentifier [2] SubjectKeyIdentifier
1072  }

1074  id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1075      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }

1077  id-cap OBJECT IDENTIFIER ::= { id-smime 11 }

1079  -- The preferBinaryInside indicates an ability to receive messages
1080  -- with binary encoding inside the CMS wrapper

1082  cap-preferBinaryInside SMIME-CAPS ::=
1083      { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }

1085  id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }

1087  -- The following list OIDs to be used with S/MIME V3

1089  -- Signature Algorithms Not Found in [CMSALG]
1090  --
1091  -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
1092  --     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
1093  --     2}
1094  --
1095  -- Other Signed Attributes
1096  --
1097  -- signingTime OBJECT IDENTIFIER ::=
1098  --     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1099  --     5}
1100  -- See [CMS] for a description of how to encode the attribute
1101  -- value.

1103  cap-RC2CBC SMIME-CAPS ::=
1104      { TYPE SMIMECapabilitiesParametersForRC2CBC
1105      IDENTIFIED BY rc2-cbc}

1107  SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
1108  -- (RC2 Key Length (number of bits))

1110  END

1112  6. ASN.1 Module for RFC 3852

1114  This module has an ASN.1 idiom for noting in which version of CMS
1115  changes were made from the original PKCS #7; that idiom is "[[v:",
1116  where "v" is an integer. For example:

1118  RevocationInfoChoice ::= CHOICE {
1119      crl CertificateList,
1120      ...,
1121      [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1123  Similarly, this module adds the ASN.1 idiom for extensibility (the
1124  "...,") in all places that have been extended in the past. See the
1125  example above.

1127  CryptographicMessageSyntax-2009
1128      { iso(1) member-body(2) us(840) rsadsi(113549)
1129      pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
1130  DEFINITIONS IMPLICIT TAGS ::=
1131  BEGIN
1132  IMPORTS

1134  ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
1135      PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
1136      KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
1137      AlgorithmIdentifier
1138  FROM AlgorithmInformation-2009
1139      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1140      mechanisms(5) pkix(7) id-mod(0)
1141      id-mod-algorithmInformation-02(58)}

1143  SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
1144      MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
1145      KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
1146  FROM CryptographicMessageSyntaxAlgorithms-2009
1147      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1148      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

1150  Certificate, CertificateList, CertificateSerialNumber,
1151      Name, ATTRIBUTE
1152  FROM PKIX1Explicit-2009
1153      { iso(1) identified-organization(3) dod(6) internet(1)
1154      security(5) mechanisms(5) pkix(7) id-mod(0)
1155      id-mod-pkix1-explicit-02(51) }

1157  AttributeCertificate
1158  FROM PKIXAttributeCertificate-2009
1159      { iso(1) identified-organization(3) dod(6) internet(1)
1160      security(5) mechanisms(5) pkix(7) id-mod(0)
1161      id-mod-attribute-cert-02(47) }

1163  AttributeCertificateV1
1164  FROM AttributeCertificateVersion1-2009
1165      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1166      smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;

1168  -- Cryptographic Message Syntax

1170  -- The following are used for version numbers using the ASN.1
1171  -- idiom "[[n:"
1172  -- Version 1 = PKCS #7
1173  -- Version 2 = S/MIME V2
1174  -- Version 3 = RFC 2630
1175  -- Version 4 = RFC 3369
1176  -- Version 5 = RFC 3852
1177  CONTENT-TYPE ::= TYPE-IDENTIFIER
1178  ContentType ::= CONTENT-TYPE.&id

1180  ContentInfo ::= SEQUENCE {
1181      contentType CONTENT-TYPE.
1182          &id({ContentSet}),
1183      content [0] EXPLICIT CONTENT-TYPE.
1184          &Type({ContentSet}{@contentType})}

1186  ContentSet CONTENT-TYPE ::= {
1187      -- Define the set of content types to be recognized.
1188      ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
1189      ct-AuthenticatedData | ct-DigestedData, ... }

1191  SignedData ::= SEQUENCE {
1192      version CMSVersion,
1193      digestAlgorithms SET OF DigestAlgorithmIdentifier,
1194      encapContentInfo EncapsulatedContentInfo,
1195      certificates [0] IMPLICIT CertificateSet OPTIONAL,
1196      crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
1197      signerInfos SignerInfos }

1199  SignerInfos ::= SET OF SignerInfo

1201  EncapsulatedContentInfo ::= SEQUENCE {
1202      eContentType CONTENT-TYPE.&id({ContentSet}),
1203      eContent [0] EXPLICIT OCTET STRING
1204          ( CONTAINING CONTENT-TYPE.
1205          &Type({ContentSet}{@eContentType})) OPTIONAL }

1207  SignerInfo ::= SEQUENCE {
1208      version CMSVersion,
1209      sid SignerIdentifier,
1210      digestAlgorithm DigestAlgorithmIdentifier,
1211      signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
1212      signatureAlgorithm SignatureAlgorithmIdentifier,
1213      signature SignatureValue,
1214      unsignedAttrs [1] IMPLICIT Attributes
1215          {{UnsignedAttributes}} OPTIONAL }

1217  SignedAttributes ::= Attributes {{ SignedAttributesSet }}

1219  SignerIdentifier ::= CHOICE {
1220      issuerAndSerialNumber IssuerAndSerialNumber,
1221      ...,
1222      [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

1224  SignedAttributesSet ATTRIBUTE ::=
1225      { aa-signingTime | aa-messageDigest | aa-contentType, ... }

1227  UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

1229  SignatureValue ::= OCTET STRING

1231  EnvelopedData ::= SEQUENCE {
1232      version CMSVersion,
1233      originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1234      recipientInfos RecipientInfos,
1235      encryptedContentInfo EncryptedContentInfo,
1236      ...,
1237      [[2: unprotectedAttrs [1] IMPLICIT Attributes
1238          {{ UnprotectedAttributes }} OPTIONAL ]] }

1240  OriginatorInfo ::= SEQUENCE {
1241      certs [0] IMPLICIT CertificateSet OPTIONAL,
1242      crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

1244  RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

1246  EncryptedContentInfo ::= SEQUENCE {
1247      contentType CONTENT-TYPE.&id({ContentSet}),
1248      contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
1249      encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }

1251  -- If you want to do constraints, you might use:
1252  -- EncryptedContentInfo ::= SEQUENCE {
1253  --     contentType CONTENT-TYPE.&id({ContentSet}),
1254  --     contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
1255  --     encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
1256  --         &Type({ContentSet}{@contentType}) OPTIONAL }
1257  -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
1258  --     { ToBeEncrypted } )

1260  UnprotectedAttributes ATTRIBUTE ::= { ... }

1262  RecipientInfo ::= CHOICE {
1263      ktri KeyTransRecipientInfo,
1264      ...,
1265      [[3: kari [1] KeyAgreeRecipientInfo ]],
1266      [[4: kekri [2] KEKRecipientInfo]],
1267      [[5: pwri [3] PasswordRecipientInfo,
1268          ori [4] OtherRecipientInfo ]] }

1270  EncryptedKey ::= OCTET STRING

1272  KeyTransRecipientInfo ::= SEQUENCE {
1273      version CMSVersion, -- always set to 0 or 2
1274      rid RecipientIdentifier,
1275      keyEncryptionAlgorithm AlgorithmIdentifier
1276          {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
1277      encryptedKey EncryptedKey }

1279  KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

1281  RecipientIdentifier ::= CHOICE {
1282      issuerAndSerialNumber IssuerAndSerialNumber,
1283      ...,
1284      [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

1286  KeyAgreeRecipientInfo ::= SEQUENCE {
1287      version CMSVersion, -- always set to 3
1288      originator [0] EXPLICIT OriginatorIdentifierOrKey,
1289      ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
1290      keyEncryptionAlgorithm AlgorithmIdentifier
1291          {KEY-AGREE, {KeyAgreementAlgorithmSet}},
1292      recipientEncryptedKeys RecipientEncryptedKeys }

1294  KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

1296  OriginatorIdentifierOrKey ::= CHOICE {
1297      issuerAndSerialNumber IssuerAndSerialNumber,
1298      subjectKeyIdentifier [0] SubjectKeyIdentifier,
1299      originatorKey [1] OriginatorPublicKey }

1301  OriginatorPublicKey ::= SEQUENCE {
1302      algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
1303      publicKey BIT STRING }

1305  OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }

1307  RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

1309  RecipientEncryptedKey ::= SEQUENCE {
1310      rid KeyAgreeRecipientIdentifier,
1311      encryptedKey EncryptedKey }

1313  KeyAgreeRecipientIdentifier ::= CHOICE {
1314      issuerAndSerialNumber IssuerAndSerialNumber,
1315      rKeyId [0] IMPLICIT RecipientKeyIdentifier }

1317  RecipientKeyIdentifier ::= SEQUENCE {
1318      subjectKeyIdentifier SubjectKeyIdentifier,
1319      date GeneralizedTime OPTIONAL,
1320      other OtherKeyAttribute OPTIONAL }

1322  SubjectKeyIdentifier ::= OCTET STRING

1324  KEKRecipientInfo ::= SEQUENCE {
1325      version CMSVersion, -- always set to 4
1326      kekid KEKIdentifier,
1327      keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1328      encryptedKey EncryptedKey }

1330  KEKIdentifier ::= SEQUENCE {
1331      keyIdentifier OCTET STRING,
1332      date GeneralizedTime OPTIONAL,
1333      other OtherKeyAttribute OPTIONAL }

1335  PasswordRecipientInfo ::= SEQUENCE {
1336      version CMSVersion, -- always set to 0
1337      keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
1338          OPTIONAL,
1339      keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1340      encryptedKey EncryptedKey }

1342  OTHER-RECIPIENT ::= TYPE-IDENTIFIER

1344  OtherRecipientInfo ::= SEQUENCE {
1345      oriType OTHER-RECIPIENT.
1346          &id({SupportedOtherRecipInfo}),
1347      oriValue OTHER-RECIPIENT.
1348          &Type({SupportedOtherRecipInfo}{@oriType})}

1350  SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

1352  DigestedData ::= SEQUENCE {
1353      version CMSVersion,
1354      digestAlgorithm DigestAlgorithmIdentifier,
1355      encapContentInfo EncapsulatedContentInfo,
1356      digest Digest, ... }

1358  Digest ::= OCTET STRING

1360  EncryptedData ::= SEQUENCE {
1361      version CMSVersion,
1362      encryptedContentInfo EncryptedContentInfo,
1363      ...,
1364      [[2: unprotectedAttrs [1] IMPLICIT Attributes
1365          {{UnprotectedAttributes}} OPTIONAL ]] }

1367  AuthenticatedData ::= SEQUENCE {
1368      version CMSVersion,
1369      originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1370      recipientInfos RecipientInfos,
1371      macAlgorithm MessageAuthenticationCodeAlgorithm,
1372      digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
1373      encapContentInfo EncapsulatedContentInfo,
1374      authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
1375      mac MessageAuthenticationCode,
1376      unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

1378  AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
1379      {{AuthAttributeSet}}

1381  AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
1382      | aa-signingTime, ...}

1384  MessageAuthenticationCode ::= OCTET STRING

1386  UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1387      {{UnauthAttributeSet}}

1389  UnauthAttributeSet ATTRIBUTE ::= {...}

1391  --
1392  -- General algorithm definitions
1393  --

1395  DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1396      {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

1398  DigestAlgorithmSet DIGEST-ALGORITHM ::= {
1399      CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }

1401  SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
1402      {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}

1404  SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
1405      { SignatureAlgs, ... }

1407  KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1408      {KEY-WRAP, {KeyEncryptionAlgorithmSet}}

1410  KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }

1412  ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1413      {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}

1415  ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
1416      { ContentEncryptionAlgs, ... }

1418  MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
1419      {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}

1421  MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
1422      { MessageAuthAlgs, ... }

1424  KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
1425      {KEY-DERIVATION, {KeyDerivationAlgs, ...}}

1427  RevocationInfoChoices ::= SET OF RevocationInfoChoice

1429  RevocationInfoChoice ::= CHOICE {
1430      crl CertificateList,
1431      ...,
1432      [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1434  OTHER-REVOK-INFO ::= TYPE-IDENTIFIER

1436  OtherRevocationInfoFormat ::= SEQUENCE {
1437      otherRevInfoFormat OTHER-REVOK-INFO.
1438          &id({SupportedOtherRevokInfo}),
1439      otherRevInfo OTHER-REVOK-INFO.
1440          &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}

1442  SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }

1444  CertificateChoices ::= CHOICE {
1445      certificate Certificate,
1446      extendedCertificate [0] IMPLICIT ExtendedCertificate,
1447          -- Obsolete
1448      ...,
1449      [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
1450          -- Obsolete
1451      [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
1452      [[5: other [3] IMPLICIT OtherCertificateFormat]] }

1454  AttributeCertificateV2 ::= AttributeCertificate

1456  OTHER-CERT-FMT ::= TYPE-IDENTIFIER

1458  OtherCertificateFormat ::= SEQUENCE {
1459      otherCertFormat OTHER-CERT-FMT.
1460          &id({SupportedCertFormats}),
1461      otherCert OTHER-CERT-FMT.
1462          &Type({SupportedCertFormats}{@otherCertFormat})}

1464  SupportedCertFormats OTHER-CERT-FMT ::= { ... }
1465  CertificateSet ::= SET OF CertificateChoices

1467  IssuerAndSerialNumber ::= SEQUENCE {
1468      issuer Name,
1469      serialNumber CertificateSerialNumber }

1471  CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

1473  UserKeyingMaterial ::= OCTET STRING

1475  KEY-ATTRIBUTE ::= TYPE-IDENTIFIER

1477  OtherKeyAttribute ::= SEQUENCE {
1478      keyAttrId KEY-ATTRIBUTE.
1479          &id({SupportedKeyAttributes}),
1480      keyAttr KEY-ATTRIBUTE.
1481          &Type({SupportedKeyAttributes}{@keyAttrId})}

1483  SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }

1485  -- Content Type Object Identifiers

1487  id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1488      us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

1490  ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}

1492  id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1493      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

1495  ct-SignedData CONTENT-TYPE ::=
1496      { SignedData IDENTIFIED BY id-signedData}

1498  id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1499      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

1501  ct-EnvelopedData CONTENT-TYPE ::=
1502      { EnvelopedData IDENTIFIED BY id-envelopedData}

1504  id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1505      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

1507  ct-DigestedData CONTENT-TYPE ::=
1508      { DigestedData IDENTIFIED BY id-digestedData}

1510  id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1511      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

1513  ct-EncryptedData CONTENT-TYPE ::=
1514      { EncryptedData IDENTIFIED BY id-encryptedData}

1516  id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1517      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

1519  ct-AuthenticatedData CONTENT-TYPE ::=
1520      { AuthenticatedData IDENTIFIED BY id-ct-authData}

1522  id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1523      us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

1525  --
1526  -- The CMS Attributes
1527  --

1529  MessageDigest ::= OCTET STRING

1531  SigningTime ::= Time

1533  Time ::= CHOICE {
1534      utcTime UTCTime,
1535      generalTime GeneralizedTime }

1537  Countersignature ::= SignerInfo

1539  -- Attribute Object Identifiers

1541  aa-contentType ATTRIBUTE ::=
1542      { TYPE ContentType IDENTIFIED BY id-contentType }
1543  id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1544      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

1546  aa-messageDigest ATTRIBUTE ::=
1547      { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
1548  id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1549      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

1551  aa-signingTime ATTRIBUTE ::=
1552      { TYPE SigningTime IDENTIFIED BY id-signingTime }
1553  id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1554      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

1556  aa-countersignature ATTRIBUTE ::=
1557      { TYPE Countersignature IDENTIFIED BY id-countersignature }
1558  id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1559      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

1561  --
1562  -- Obsolete Extended Certificate syntax from PKCS#6
1563  --

1565  ExtendedCertificateOrCertificate ::= CHOICE {
1566      certificate Certificate,
1567      extendedCertificate [0] IMPLICIT ExtendedCertificate }

1569  ExtendedCertificate ::= SEQUENCE {
1570      extendedCertificateInfo ExtendedCertificateInfo,
1571      signatureAlgorithm SignatureAlgorithmIdentifier,
1572      signature Signature }

1574  ExtendedCertificateInfo ::= SEQUENCE {
1575      version CMSVersion,
1576      certificate Certificate,
1577      attributes UnauthAttributes }

1579  Signature ::= BIT STRING

1581  Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
1582      attrType ATTRIBUTE.
1583          &id({AttrList}),
1584      attrValues SET OF ATTRIBUTE.
1585          &Type({AttrList}{@attrType}) }

1587  Attributes { ATTRIBUTE:AttrList } ::=
1588      SET SIZE (1..MAX) OF Attribute {{ AttrList }}

1590  END

1592  7. ASN.1 Module for RFC 4108

1594  CMSFirmwareWrapper-2009
1595      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1596      smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) }
1597  DEFINITIONS IMPLICIT TAGS ::=
1598  BEGIN
1599  IMPORTS

1601  OTHER-NAME
1602  FROM PKIX1Implicit-2009
1603      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1604      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

1606  EnvelopedData, CONTENT-TYPE, ATTRIBUTE
1607  FROM CryptographicMessageSyntax-2009
1608      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1609      smime(16) modules(0) id-mod-cms-2004-02(41) };

1611  FirmwareContentTypes CONTENT-TYPE ::= {
1612      ct-firmwarePackage | ct-firmwareLoadReceipt |
1613      ct-firmwareLoadError,... }

1615  FirmwareSignedAttrs ATTRIBUTE ::= {
1616      aa-firmwarePackageID | aa-targetHardwareIDs |
1617      aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
1618      aa-communityIdentifiers | aa-firmwarePackageInfo,... }

1620  FirmwareUnsignedAttrs ATTRIBUTE ::= {
1621      aa-wrappedFirmwareKey, ... }

1623  FirmwareOtherNames OTHER-NAME ::= {
1624      on-hardwareModuleName, ... }

1626  -- Firmware Package Content Type and Object Identifier

1628  ct-firmwarePackage CONTENT-TYPE ::=
1629      { FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }

1631  id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
1632      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1633      smime(16) ct(1) 16 }

1635  FirmwarePkgData ::= OCTET STRING

1637  -- Firmware Package Signed Attributes and Object Identifiers

1639  aa-firmwarePackageID ATTRIBUTE ::=
1640      { TYPE FirmwarePackageIdentifier IDENTIFIED BY
1641      id-aa-firmwarePackageID }

1643  id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
1644      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1645      smime(16) aa(2) 35 }

1647  FirmwarePackageIdentifier ::= SEQUENCE {
1648      name PreferredOrLegacyPackageIdentifier,
1649      stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }

1651  PreferredOrLegacyPackageIdentifier ::= CHOICE {
1652      preferred PreferredPackageIdentifier,
1653      legacy OCTET STRING }

1655  PreferredPackageIdentifier ::= SEQUENCE {
1656      fwPkgID OBJECT IDENTIFIER,
1657      verNum INTEGER (0..MAX) }

1659  PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
1660      preferredStaleVerNum INTEGER (0..MAX),
1661      legacyStaleVersion OCTET STRING }

1663  aa-targetHardwareIDs ATTRIBUTE ::=
1664      { TYPE TargetHardwareIdentifiers IDENTIFIED BY
1665      id-aa-targetHardwareIDs }

1667  id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
1668      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1669      smime(16) aa(2) 36 }

1671  TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER

1673  aa-decryptKeyID ATTRIBUTE ::=
1674      { TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}

1676  id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
1677      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1678      smime(16) aa(2) 37 }

1680  DecryptKeyIdentifier ::= OCTET STRING

1682  aa-implCryptoAlgs ATTRIBUTE ::=
1683      { TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
1684      id-aa-implCryptoAlgs }

1686  id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
1687      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1688      smime(16) aa(2) 38 }

1690  ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

1692  aa-implCompressAlgs ATTRIBUTE ::=
1693      { TYPE ImplementedCompressAlgorithms IDENTIFIED BY
1694      id-aa-implCompressAlgs }

1696  id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
1697      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1698      smime(16) aa(2) 43 }

1700  ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

1702  aa-communityIdentifiers ATTRIBUTE ::=
1703      { TYPE CommunityIdentifiers IDENTIFIED BY
1704      id-aa-communityIdentifiers }

1706  id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
1707      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1708      smime(16) aa(2) 40 }

1710  CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier

1712  CommunityIdentifier ::= CHOICE {
1713      communityOID OBJECT IDENTIFIER,
1714      hwModuleList HardwareModules }

1716  HardwareModules ::= SEQUENCE {
1717      hwType OBJECT IDENTIFIER,
1718      hwSerialEntries SEQUENCE OF HardwareSerialEntry }

1720  HardwareSerialEntry ::= CHOICE {
1721      all NULL,
1722      single OCTET STRING,
1723      block SEQUENCE {
1724          low OCTET STRING,
1725          high OCTET STRING
1726      }
1727  }

1729  aa-firmwarePackageInfo ATTRIBUTE ::=
1730      { TYPE FirmwarePackageInfo IDENTIFIED BY
1731      id-aa-firmwarePackageInfo }
1732  id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
1733      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1734      smime(16) aa(2) 42 }

1736  FirmwarePackageInfo ::= SEQUENCE {
1737      fwPkgType INTEGER OPTIONAL,
1738      dependencies SEQUENCE OF
1739          PreferredOrLegacyPackageIdentifier OPTIONAL }

1741  -- Firmware Package Unsigned Attributes and Object Identifiers

1743  aa-wrappedFirmwareKey ATTRIBUTE ::=
1744      { TYPE WrappedFirmwareKey IDENTIFIED BY
1745      id-aa-wrappedFirmwareKey }
1746  id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
1747      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1748      smime(16) aa(2) 39 }

1750  WrappedFirmwareKey ::= EnvelopedData
1751  -- Firmware Package Load Receipt Content Type and Object Identifier

1753  ct-firmwareLoadReceipt CONTENT-TYPE ::=
1754      { FirmwarePackageLoadReceipt IDENTIFIED BY
1755      id-ct-firmwareLoadReceipt }
1756  id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= {
1757      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1758      smime(16) ct(1) 17 }

1760  FirmwarePackageLoadReceipt ::= SEQUENCE {
1761      version FWReceiptVersion DEFAULT v1,
1762      hwType OBJECT IDENTIFIER,
1763      hwSerialNum OCTET STRING,
1764      fwPkgName PreferredOrLegacyPackageIdentifier,
1765      trustAnchorKeyID OCTET STRING OPTIONAL,
1766      decryptKeyID [1] OCTET STRING OPTIONAL }

1768  FWReceiptVersion ::= INTEGER { v1(1) }

1770  -- Firmware Package Load Error Report Content Type
1771  -- and Object Identifier

1773  ct-firmwareLoadError CONTENT-TYPE ::=
1774      { FirmwarePackageLoadError
1775      IDENTIFIED BY id-ct-firmwareLoadError }
1776  id-ct-firmwareLoadError OBJECT IDENTIFIER ::= {
1777      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1778      smime(16) ct(1) 18 }

1780  FirmwarePackageLoadError ::= SEQUENCE {
1781      version FWErrorVersion DEFAULT v1,
1782      hwType OBJECT IDENTIFIER,
1783      hwSerialNum OCTET STRING,
1784      errorCode FirmwarePackageLoadErrorCode,
1785      vendorErrorCode VendorLoadErrorCode OPTIONAL,
1786      fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL,
1787      config [1] SEQUENCE OF CurrentFWConfig OPTIONAL }

1789  FWErrorVersion ::= INTEGER { v1(1) }

1791  CurrentFWConfig ::= SEQUENCE {
1792      fwPkgType INTEGER OPTIONAL,
1793      fwPkgName PreferredOrLegacyPackageIdentifier }

1795  FirmwarePackageLoadErrorCode ::= ENUMERATED {
1796      decodeFailure (1),
1797      badContentInfo (2),
1798      badSignedData (3),
1799      badEncapContent (4),
1800      badCertificate (5),
1801      badSignerInfo (6),
1802      badSignedAttrs (7),
1803      badUnsignedAttrs (8),
1804      missingContent (9),
1805      noTrustAnchor (10),
1806      notAuthorized (11),
1807      badDigestAlgorithm (12),
1808      badSignatureAlgorithm (13),
1809      unsupportedKeySize (14),
1810      signatureFailure (15),
1811      contentTypeMismatch (16),
1812      badEncryptedData (17),
1813      unprotectedAttrsPresent (18),
1814      badEncryptContent (19),
1815      badEncryptAlgorithm (20),
1816      missingCiphertext (21),
1817      noDecryptKey (22),
1818      decryptFailure (23),
1819      badCompressAlgorithm (24),
1820      missingCompressedContent (25),
1821      decompressFailure (26),
1822      wrongHardware (27),
1823      stalePackage (28),
1824      notInCommunity (29),
1825      unsupportedPackageType (30),
1826      missingDependency (31),
1827      wrongDependencyVersion (32),
1828      insufficientMemory (33),
1829      badFirmware (34),
1830      unsupportedParameters (35),
1831      breaksDependency (36),
1832      otherError (99) }

1834  VendorLoadErrorCode ::= INTEGER

1836  -- Other Name syntax for Hardware Module Name

1838  on-hardwareModuleName OTHER-NAME ::=
1839      { HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }
1840  id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
1841      iso(1) identified-organization(3) dod(6) internet(1) security(5)
1842      mechanisms(5) pkix(7) on(8) 4 }

1844  HardwareModuleName ::= SEQUENCE {
1845      hwType OBJECT IDENTIFIER,
1846      hwSerialNum OCTET STRING }

1848  END

1850  8. ASN.1 Module for RFC 4998

1852  ERS {iso(1) identified-organization(3) dod(6) internet(1)
1853      security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
1854      id-mod-ers-v1(1) }
1855  DEFINITIONS IMPLICIT TAGS ::=
1856  BEGIN
1857  IMPORTS

1859  AttributeSet{}, ATTRIBUTE
1860  FROM PKIX-CommonTypes
1861      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1862      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

1864  AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
1865  FROM AlgorithmInformation-2009
1866      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1867      mechanisms(5) pkix(7) id-mod(0)
1868      id-mod-algorithmInformation-02(58)}

1870  ContentInfo
1871  FROM CryptographicMessageSyntax2004
1872      { iso(1) member-body(2) us(840) rsadsi(113549)
1873      pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } ;

1875  aa-er-Internal ATTRIBUTE ::=
1876      { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
1877  id-aa-er-internal OBJECT IDENTIFIER ::=
1878      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1879      smime(16) id-aa(2) 49 }

1881  aa-er-External ATTRIBUTE ::=
1882      { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
1883  id-aa-er-external OBJECT IDENTIFIER ::=
1884      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1885      smime(16) id-aa(2) 50 }

1887  ltans OBJECT IDENTIFIER ::=
1888      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1889      mechanisms(5) ltans(11) }

1891  EvidenceRecord ::= SEQUENCE {
1892      version INTEGER { v1(1) } ,
1893      digestAlgorithms SEQUENCE OF AlgorithmIdentifier
1894          {DIGEST-ALGORITHM, {...}},
1895      cryptoInfos [0] CryptoInfos OPTIONAL,
1896      encryptionInfo [1] EncryptionInfo OPTIONAL,
1897      archiveTimeStampSequence ArchiveTimeStampSequence
1898  }

1900  CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}}

1902  ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain

1904  ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp

1906  ArchiveTimeStamp ::=
SEQUENCE { 1907 digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}} 1908 OPTIONAL, 1909 attributes [1] Attributes OPTIONAL, 1910 reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL, 1911 timeStamp ContentInfo 1912 } 1914 PartialHashtree ::= SEQUENCE OF OCTET STRING 1916 Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}} 1918 EncryptionInfo ::= SEQUENCE { 1919 encryptionInfoType ENCINFO-TYPE. 1920 &id({SupportedEncryptionAlgorithms}), 1921 encryptionInfoValue ENCINFO-TYPE. 1922 &Type({SupportedEncryptionAlgorithms} 1923 {@encryptionInfoType}) 1924 } 1926 ENCINFO-TYPE ::= TYPE-IDENTIFIER 1928 SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...} 1930 END 1932 9. ASN.1 Module for RFC 5035 1934 ExtendedSecurityServices-2009 1935 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1936 smime(16) modules(0) id-mod-ess-2006-02(42) } 1937 DEFINITIONS IMPLICIT TAGS ::= 1938 BEGIN 1939 IMPORTS 1941 AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{} 1942 FROM PKIX-CommonTypes-2009 1943 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1944 mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } 1946 AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM 1947 FROM AlgorithmInformation-2009 1948 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1949 mechanisms(5) pkix(7) id-mod(0) 1950 id-mod-algorithmInformation-02(58)} 1952 ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier, 1953 CONTENT-TYPE 1954 FROM CryptographicMessageSyntax-2009 1955 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1956 smime(16) modules(0) id-mod-cms-2004-02(41) } 1958 CertificateSerialNumber 1959 FROM PKIX1Explicit-2009 1960 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1961 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } 1963 PolicyInformation, GeneralNames 1964 FROM PKIX1Implicit-2009 1965 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1966 
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} 1968 mda-sha256 1969 FROM PKIX1-PSS-OAEP-Algorithms-2009 1970 { iso(1) identified-organization(3) dod(6) 1971 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 1972 id-mod-pkix1-rsa-pkalgs-02(54) } ; 1974 EssSignedAttributes ATTRIBUTE ::= { 1975 aa-receiptRequest | aa-contentIdentifier | aa-contentHint | 1976 aa-msgSigDigest | aa-contentReference | aa-securityLabel | 1977 aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate | 1978 aa-signingCertificateV2, ... } 1980 EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... } 1982 -- Extended Security Services 1983 -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 1984 -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or 1985 -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE 1986 -- to have at least one entry. MAX indicates the upper bound is 1987 -- unspecified. Implementations are free to choose an upper bound 1988 -- that suits their environment. 
1990 -- Section 2.7 1992 aa-receiptRequest ATTRIBUTE ::= 1993 { TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest} 1995 ReceiptRequest ::= SEQUENCE { 1996 signedContentIdentifier ContentIdentifier, 1997 receiptsFrom ReceiptsFrom, 1998 receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames 1999 } 2001 ub-receiptsTo INTEGER ::= 16 2003 aa-contentIdentifier ATTRIBUTE ::= 2004 { TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier} 2005 id-aa-receiptRequest OBJECT IDENTIFIER ::= 2006 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2007 smime(16) id-aa(2) 1} 2009 ContentIdentifier ::= OCTET STRING 2011 id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2) 2012 us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7} 2014 ct-receipt CONTENT-TYPE ::= 2015 { Receipt IDENTIFIED BY id-ct-receipt } 2016 id-ct-receipt OBJECT IDENTIFIER ::= 2017 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2018 smime(16) id-ct(1) 1} 2020 ReceiptsFrom ::= CHOICE { 2021 allOrFirstTier [0] AllOrFirstTier, 2022 -- formerly "allOrNone [0]AllOrNone" 2023 receiptList [1] SEQUENCE OF GeneralNames } 2025 AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone 2026 allReceipts (0), 2027 firstTierRecipients (1) } 2029 -- Section 2.8 2031 Receipt ::= SEQUENCE { 2032 version ESSVersion, 2033 contentType ContentType, 2034 signedContentIdentifier ContentIdentifier, 2035 originatorSignatureValue OCTET STRING 2036 } 2038 ESSVersion ::= INTEGER { v1(1) } 2040 -- Section 2.9 2042 aa-contentHint ATTRIBUTE ::= 2043 { TYPE ContentHints IDENTIFIED BY id-aa-contentHint } 2044 id-aa-contentHint OBJECT IDENTIFIER ::= 2045 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2046 smime(16) id-aa(2) 4} 2048 ContentHints ::= SEQUENCE { 2049 contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL, 2050 contentType ContentType } 2052 -- Section 2.10 2054 aa-msgSigDigest ATTRIBUTE ::= 2055 { TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest } 
2056 id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) 2057 us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5} 2059 MsgSigDigest ::= OCTET STRING 2061 -- Section 2.11 2063 aa-contentReference ATTRIBUTE ::= 2064 { TYPE ContentReference IDENTIFIED BY id-aa-contentReference } 2065 id-aa-contentReference OBJECT IDENTIFIER ::= 2066 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2067 smime(16) id-aa(2) 10 } 2069 ContentReference ::= SEQUENCE { 2070 contentType ContentType, 2071 signedContentIdentifier ContentIdentifier, 2072 originatorSignatureValue OCTET STRING } 2074 -- Section 3.2 2076 aa-securityLabel ATTRIBUTE ::= 2077 { TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel } 2078 id-aa-securityLabel OBJECT IDENTIFIER ::= 2079 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2080 smime(16) id-aa(2) 2} 2082 ESSSecurityLabel ::= SET { 2083 security-policy-identifier SecurityPolicyIdentifier, 2084 security-classification SecurityClassification OPTIONAL, 2085 privacy-mark ESSPrivacyMark OPTIONAL, 2086 security-categories SecurityCategories OPTIONAL } 2088 SecurityPolicyIdentifier ::= OBJECT IDENTIFIER 2090 SecurityClassification ::= INTEGER { 2091 unmarked (0), 2092 unclassified (1), 2093 restricted (2), 2094 confidential (3), 2095 secret (4), 2096 top-secret (5) 2097 } (0..ub-integer-options) 2099 ub-integer-options INTEGER ::= 256 2101 ESSPrivacyMark ::= CHOICE { 2102 pString PrintableString (SIZE (1..ub-privacy-mark-length)), 2103 utf8String UTF8String (SIZE (1..MAX)) 2104 } 2106 ub-privacy-mark-length INTEGER ::= 128 2108 SecurityCategories ::= 2109 SET SIZE (1..ub-security-categories) OF SecurityCategory 2110 {{SupportedSecurityCategories}} 2112 ub-security-categories INTEGER ::= 64 2114 SupportedSecurityCategories SECURITY-CATEGORY ::= { ... 
} 2116 -- Section 3.4 2118 aa-equivalentLabels ATTRIBUTE ::= 2119 { TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels } 2120 id-aa-equivalentLabels OBJECT IDENTIFIER ::= 2121 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2122 smime(16) id-aa(2) 9} 2124 EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel 2126 -- Section 4.4 2128 aa-mlExpandHistory ATTRIBUTE ::= 2129 { TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory } 2131 id-aa-mlExpandHistory OBJECT IDENTIFIER ::= 2132 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2133 smime(16) id-aa(2) 3 } 2135 MLExpansionHistory ::= SEQUENCE 2136 SIZE (1..ub-ml-expansion-history) OF MLData 2138 ub-ml-expansion-history INTEGER ::= 64 2140 MLData ::= SEQUENCE { 2141 mailListIdentifier EntityIdentifier, 2142 expansionTime GeneralizedTime, 2143 mlReceiptPolicy MLReceiptPolicy OPTIONAL } 2145 EntityIdentifier ::= CHOICE { 2146 issuerAndSerialNumber IssuerAndSerialNumber, 2147 subjectKeyIdentifier SubjectKeyIdentifier } 2149 MLReceiptPolicy ::= CHOICE { 2150 none [0] NULL, 2151 insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames, 2152 inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames } 2154 -- Section 5.4 2156 aa-signingCertificate ATTRIBUTE ::= 2157 { TYPE SigningCertificate IDENTIFIED BY 2158 id-aa-signingCertificate } 2159 id-aa-signingCertificate OBJECT IDENTIFIER ::= 2160 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 2161 smime(16) id-aa(2) 12 } 2163 SigningCertificate ::= SEQUENCE { 2164 certs SEQUENCE OF ESSCertID, 2165 policies SEQUENCE OF PolicyInformation OPTIONAL 2166 } 2168 aa-signingCertificateV2 ATTRIBUTE ::= 2169 { TYPE SigningCertificateV2 IDENTIFIED BY 2170 id-aa-signingCertificateV2 } 2171 id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= 2172 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 2173 smime(16) id-aa(2) 47 } 2175 SigningCertificateV2 ::= SEQUENCE { 2176 certs SEQUENCE OF ESSCertIDv2, 2177 policies SEQUENCE OF 
PolicyInformation OPTIONAL 2178 } 2179 HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM, 2180 {mda-sha256, ...}} 2182 ESSCertIDv2 ::= SEQUENCE { 2183 hashAlgorithm HashAlgorithm 2184 DEFAULT { algorithm mda-sha256.&id }, 2185 certHash Hash, 2186 issuerSerial IssuerSerial OPTIONAL 2187 } 2189 ESSCertID ::= SEQUENCE { 2190 certHash Hash, 2191 issuerSerial IssuerSerial OPTIONAL 2192 } 2194 Hash ::= OCTET STRING 2196 IssuerSerial ::= SEQUENCE { 2197 issuer GeneralNames, 2198 serialNumber CertificateSerialNumber 2199 } 2201 END 2203 10. ASN.1 Module for RFC 5083 2205 CMS-AuthEnvelopedData-2009 2206 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2207 smime(16) modules(0) id-mod-cms-authEnvelopedData-02(43)} 2208 DEFINITIONS IMPLICIT TAGS ::= 2209 BEGIN 2210 IMPORTS 2212 AuthAttributes, CMSVersion, EncryptedContentInfo, 2213 MessageAuthenticationCode, OriginatorInfo, RecipientInfos, 2214 UnauthAttributes, CONTENT-TYPE 2215 FROM CryptographicMessageSyntax-2009 2216 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2217 smime(16) modules(0) id-mod-cms-2004-02(41)} ; 2219 ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... } 2221 ct-authEnvelopedData CONTENT-TYPE ::= { 2222 AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData 2223 } 2225 id-ct-authEnvelopedData OBJECT IDENTIFIER ::= 2226 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2227 smime(16) ct(1) 23} 2229 AuthEnvelopedData ::= SEQUENCE { 2230 version CMSVersion, 2231 originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, 2232 recipientInfos RecipientInfos, 2233 authEncryptedContentInfo EncryptedContentInfo, 2234 authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, 2235 mac MessageAuthenticationCode, 2236 unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL 2237 } 2239 END 2241 11. 
ASN.1 Module for RFC 5084 2243 CMS-AES-CCM-and-AES-GCM-2009 2244 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 2245 pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) } 2246 DEFINITIONS IMPLICIT TAGS ::= 2247 BEGIN 2248 EXPORTS ALL; 2249 IMPORTS 2251 CONTENT-ENCRYPTION, SMIME-CAPS 2252 FROM AlgorithmInformation-2009 2253 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 2254 mechanisms(5) pkix(7) id-mod(0) 2255 id-mod-algorithmInformation-02(58)}; 2257 -- Add this algorithm set to include all of the algorithms defined in 2258 -- this document 2260 ContentEncryptionAlgs CONTENT-ENCRYPTION ::= { 2261 cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM | 2262 cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... } 2264 SMimeCaps SMIME-CAPS ::= { 2265 cea-aes128-CCM.&smimeCaps | 2266 cea-aes192-CCM.&smimeCaps | 2267 cea-aes256-CCM.&smimeCaps | 2268 cea-aes128-GCM.&smimeCaps | 2269 cea-aes192-GCM.&smimeCaps | 2270 cea-aes256-GCM.&smimeCaps, 2271 ... 2272 } 2274 -- Defining objects 2276 aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) 2277 organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } 2279 cea-aes128-CCM CONTENT-ENCRYPTION ::= { 2280 IDENTIFIER id-aes128-CCM 2281 PARAMS TYPE CCMParameters ARE required 2282 SMIME-CAPS { IDENTIFIED BY id-aes128-CCM } 2283 } 2284 id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 } 2286 cea-aes192-CCM CONTENT-ENCRYPTION ::= { 2287 IDENTIFIER id-aes192-CCM 2288 PARAMS TYPE CCMParameters ARE required 2289 SMIME-CAPS { IDENTIFIED BY id-aes192-CCM } 2290 } 2291 id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 } 2293 cea-aes256-CCM CONTENT-ENCRYPTION ::= { 2294 IDENTIFIER id-aes256-CCM 2295 PARAMS TYPE CCMParameters ARE required 2296 SMIME-CAPS { IDENTIFIED BY id-aes256-CCM } 2298 } 2299 id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 } 2301 cea-aes128-GCM CONTENT-ENCRYPTION ::= { 2302 IDENTIFIER id-aes128-GCM 2303 PARAMS TYPE GCMParameters ARE required 2304 SMIME-CAPS { IDENTIFIED BY id-aes128-GCM } 
2305 } 2306 id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 } 2308 cea-aes192-GCM CONTENT-ENCRYPTION ::= { 2309 IDENTIFIER id-aes128-GCM 2310 PARAMS TYPE GCMParameters ARE required 2311 SMIME-CAPS { IDENTIFIED BY id-aes192-GCM } 2312 } 2313 id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 } 2315 cea-aes256-GCM CONTENT-ENCRYPTION ::= { 2316 IDENTIFIER id-aes128-GCM 2317 PARAMS TYPE GCMParameters ARE required 2318 SMIME-CAPS { IDENTIFIED BY id-aes256-GCM } 2319 } 2320 id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 } 2322 -- Parameters for AlgorithmIdentifier 2324 CCMParameters ::= SEQUENCE { 2325 aes-nonce OCTET STRING (SIZE(7..13)), 2326 aes-ICVlen AES-CCM-ICVlen DEFAULT 12 } 2328 AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16) 2330 GCMParameters ::= SEQUENCE { 2331 aes-nonce OCTET STRING, -- recommended size is 12 octets 2332 aes-ICVlen AES-GCM-ICVlen DEFAULT 12 } 2334 AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16) 2336 END 2338 12. ASN.1 Module for RFC 5275 2340 SMIMESymmetricKeyDistribution-2009 2341 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2342 smime(16) modules(0) id-mod-symkeydist-02(36)} 2343 DEFINITIONS IMPLICIT TAGS ::= 2344 BEGIN 2345 EXPORTS ALL; 2346 IMPORTS 2348 AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP, 2349 SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS 2350 FROM AlgorithmInformation-2009 2351 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 2352 mechanisms(5) pkix(7) id-mod(0) 2353 id-mod-algorithmInformation-02(58)} 2355 GeneralName 2356 FROM PKIX1Implicit-2009 2357 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2358 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } 2360 Certificate 2361 FROM PKIX1Explicit-2009 2362 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2363 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } 2365 RecipientInfos, KEKIdentifier,CertificateSet 2366 FROM CryptographicMessageSyntax-2009 2367 
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2368 smime(16) modules(0) id-mod-cms-2004-02(41) } 2370 cap-3DESwrap 2371 FROM CryptographicMessageSyntaxAlgorithms 2372 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2373 smime(16) modules(0) id-mod-cmsalg-2001-02(37) } 2375 AttributeCertificate 2376 FROM PKIXAttributeCertificate-2009 2377 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2378 mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } 2380 CMC-CONTROL, EXTENDED-FAILURE-INFO 2381 FROM EnrollmentMessageSyntax 2382 { iso(1) identified-organization(3) dod(4) internet(1) security(5) 2383 mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) } 2385 kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap 2386 FROM CMSAesRsaesOaep-2009 2387 { iso(1) member-body(2) us(840) rsadsi(113549) 2388 pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ; 2390 -- This defines the group list (GL symmetric key distribution OID arc 2391 id-skd OBJECT IDENTIFIER ::= 2392 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2393 smime(16) skd(8) } 2395 SKD-ControlSet CMC-CONTROL ::= { 2396 skd-glUseKEK | skd-glDelete | skd-glAddMember | 2397 skd-glDeleteMember | skd-glRekey | skd-glAddOwner | 2398 skd-glRemoveOwner | skd-glKeyCompromise | 2399 skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert | 2400 skd-glManageCert | skd-glKey, ... 
} 2402 -- This defines the GL Use KEK control attribute 2404 skd-glUseKEK CMC-CONTROL ::= 2405 { GLUseKEK IDENTIFIED BY id-skd-glUseKEK } 2407 id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1} 2409 GLUseKEK ::= SEQUENCE { 2410 glInfo GLInfo, 2411 glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo, 2412 glAdministration GLAdministration DEFAULT managed, 2413 glKeyAttributes GLKeyAttributes OPTIONAL 2414 } 2416 GLInfo ::= SEQUENCE { 2417 glName GeneralName, 2418 glAddress GeneralName 2419 } 2421 GLOwnerInfo ::= SEQUENCE { 2422 glOwnerName GeneralName, 2423 glOwnerAddress GeneralName, 2424 certificates Certificates OPTIONAL 2425 } 2427 GLAdministration ::= INTEGER { 2428 unmanaged (0), 2429 managed (1), 2430 closed (2) 2431 } 2433 -- 2434 -- The advertised set of algorithm capabilites for the docment 2435 -- 2437 SKD-Caps SMIME-CAPS ::= { 2438 cap-3DESwrap | kwa-aes128-wrap.&smimeCaps | 2439 kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ... 2440 } 2442 cap-aes128-cbc KeyWrapAlgorithm ::= 2443 { capabilityID kwa-aes128-wrap.&smimeCaps.&id } 2445 -- 2446 -- The set of key wrap algorithms supported by this specification 2447 -- 2449 KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}} 2451 GLKeyAttributes ::= SEQUENCE { 2452 rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE, 2453 recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE, 2454 duration [2] INTEGER DEFAULT 0, 2455 generationCounter [3] INTEGER DEFAULT 2, 2456 requestedAlgorithm [4] KeyWrapAlgorithm 2457 DEFAULT cap-aes128-cbc 2458 } 2460 -- This defines the Delete GL control attribute. 2461 -- It has the simple type GeneralName. 
2463 skd-glDelete CMC-CONTROL ::= 2464 { DeleteGL IDENTIFIED BY id-skd-glDelete } 2466 id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2} 2467 DeleteGL ::= GeneralName 2469 -- This defines the Add GL Member control attribute 2471 skd-glAddMember CMC-CONTROL ::= 2472 { GLAddMember IDENTIFIED BY id-skd-glAddMember } 2474 id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3} 2475 GLAddMember ::= SEQUENCE { 2476 glName GeneralName, 2477 glMember GLMember 2478 } 2480 GLMember ::= SEQUENCE { 2481 glMemberName GeneralName, 2482 glMemberAddress GeneralName OPTIONAL, 2483 certificates Certificates OPTIONAL 2484 } 2486 Certificates ::= SEQUENCE { 2487 pKC [0] Certificate OPTIONAL, 2488 -- See RFC 5280 2489 aC [1] SEQUENCE SIZE (1.. MAX) OF 2490 AttributeCertificate OPTIONAL, 2491 -- See RFC 3281 2492 certPath [2] CertificateSet OPTIONAL 2493 -- From RFC 3852 2494 } 2496 -- This defines the Delete GL Member control attribute 2498 skd-glDeleteMember CMC-CONTROL ::= 2499 { GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember } 2501 id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4} 2503 GLDeleteMember ::= SEQUENCE { 2504 glName GeneralName, 2505 glMemberToDelete GeneralName 2506 } 2508 -- This defines the Delete GL Member control attribute 2510 skd-glRekey CMC-CONTROL ::= 2511 { GLRekey IDENTIFIED BY id-skd-glRekey } 2513 id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5} 2515 GLRekey ::= SEQUENCE { 2516 glName GeneralName, 2517 glAdministration GLAdministration OPTIONAL, 2518 glNewKeyAttributes GLNewKeyAttributes OPTIONAL, 2519 glRekeyAllGLKeys BOOLEAN OPTIONAL 2520 } 2522 GLNewKeyAttributes ::= SEQUENCE { 2523 rekeyControlledByGLO [0] BOOLEAN OPTIONAL, 2524 recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL, 2525 duration [2] INTEGER OPTIONAL, 2526 generationCounter [3] INTEGER OPTIONAL, 2527 requestedAlgorithm [4] KeyWrapAlgorithm OPTIONAL 2528 } 2530 -- This defines the Add and Delete GL Owner control attributes 2532 skd-glAddOwner CMC-CONTROL ::= 2533 { GLOwnerAdministration 
IDENTIFIED BY id-skd-glAddOwner } 2535 id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6} 2537 skd-glRemoveOwner CMC-CONTROL ::= 2538 { GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner } 2540 id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7} 2542 GLOwnerAdministration ::= SEQUENCE { 2543 glName GeneralName, 2544 glOwnerInfo GLOwnerInfo 2545 } 2547 -- This defines the GL Key Compromise control attribute. 2548 -- It has the simple type GeneralName. 2550 skd-glKeyCompromise CMC-CONTROL ::= 2551 { GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise } 2553 id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8} 2554 GLKCompromise ::= GeneralName 2556 -- This defines the GL Key Refresh control attribute. 2558 skd-glkRefresh CMC-CONTROL ::= 2559 { GLKRefresh IDENTIFIED BY id-skd-glkRefresh } 2561 id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9} 2563 GLKRefresh ::= SEQUENCE { 2564 glName GeneralName, 2565 dates SEQUENCE SIZE (1..MAX) OF Date 2566 } 2568 Date ::= SEQUENCE { 2569 start GeneralizedTime, 2570 end GeneralizedTime OPTIONAL 2571 } 2573 -- This defines the GLA Query Request control attribute. 2575 skd-glaQueryRequest CMC-CONTROL ::= 2576 { GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest } 2578 id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11} 2580 SKD-QUERY ::= TYPE-IDENTIFIER 2582 SkdQuerySet SKD-QUERY ::= {skd-AlgRequest, ...} 2583 GLAQueryRequest ::= SEQUENCE { 2584 glaRequestType SKD-QUERY.&id ({SkdQuerySet}), 2585 glaRequestValue SKD-QUERY. 2586 &Type ({SkdQuerySet}{@glaRequestType}) 2587 } 2589 -- This defines the GLA Query Response control attribute. 2591 skd-glaQueryResponse CMC-CONTROL ::= 2592 { GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse } 2594 id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12} 2596 SKD-RESPONSE ::= TYPE-IDENTIFIER 2598 SkdResponseSet SKD-RESPONSE ::= {skd-AlgResponse, ...} 2600 GLAQueryResponse ::= SEQUENCE { 2601 glaResponseType SKD-RESPONSE. 
2602 &id({SkdResponseSet}), 2603 glaResponseValue SKD-RESPONSE. 2604 &Type({SkdResponseSet}{@glaResponseType})} 2606 -- This defines the GLA Request/Response (glaRR) arc for 2607 -- glaRequestType/glaResponseType. 2609 id-cmc-glaRR OBJECT IDENTIFIER ::= 2610 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2611 mechanisms(5) pkix(7) cmc(7) glaRR(99) } 2613 -- This defines the Algorithm Request 2615 skd-AlgRequest SKD-QUERY ::= { 2616 SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest 2617 } 2619 id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 } 2620 SKDAlgRequest ::= NULL 2622 -- This defines the Algorithm Response 2624 skd-AlgResponse SKD-RESPONSE ::= { 2625 SMIMECapability{{SKD-Caps}} IDENTIFIED BY 2626 id-cmc-gla-skdAlgResponse 2627 } 2629 id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 } 2630 -- Note that the response for algorithmSupported request is the 2631 -- smimeCapabilities attribute as defined in RFC 3851. 2633 -- This defines the control attribute to request an updated 2634 -- certificate to the GLA. 2636 skd-glProvideCert CMC-CONTROL ::= 2637 { GLManageCert IDENTIFIED BY id-skd-glProvideCert } 2639 id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13} 2641 GLManageCert ::= SEQUENCE { 2642 glName GeneralName, 2643 glMember GLMember 2644 } 2646 -- This defines the control attribute to return an updated 2647 -- certificate to the GLA. It has the type GLManageCert. 2649 skd-glManageCert CMC-CONTROL ::= 2650 { GLManageCert IDENTIFIED BY id-skd-glManageCert } 2652 id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14} 2654 -- This defines the control attribute to distribute the GL shared 2655 -- KEK. 
2657 skd-glKey CMC-CONTROL ::= 2658 { GLKey IDENTIFIED BY id-skd-glKey } 2660 id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15} 2662 GLKey ::= SEQUENCE { 2663 glName GeneralName, 2664 glIdentifier KEKIdentifier, -- See RFC 3852 2665 glkWrapped RecipientInfos, -- See RFC 3852 2666 glkAlgorithm KeyWrapAlgorithm, 2667 glkNotBefore GeneralizedTime, 2668 glkNotAfter GeneralizedTime 2669 } 2671 -- This defines the CMC error types 2673 skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= { 2674 SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo 2675 } 2677 id-cet-skdFailInfo OBJECT IDENTIFIER ::= 2678 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2679 mechanisms(5) pkix(7) cet(15) skdFailInfo(1) } 2681 SKDFailInfo ::= INTEGER { 2682 unspecified (0), 2683 closedGL (1), 2684 unsupportedDuration (2), 2685 noGLACertificate (3), 2686 invalidCert (4), 2687 unsupportedAlgorithm (5), 2688 noGLONameMatch (6), 2689 invalidGLName (7), 2690 nameAlreadyInUse (8), 2691 noSpam (9), 2692 deniedAccess (10), 2693 alreadyAMember (11), 2694 notAMember (12), 2695 alreadyAnOwner (13), 2696 notAnOwner (14) } 2698 END 2700 13. Security Considerations 2702 Even though all the RFCs in this document are security-related, the 2703 document itself does not have any security considerations. The ASN.1 2704 modules keep the same bits-on-the-wire as the modules that they 2705 replace. 2707 14. Normative References 2709 [ASN1-2002] 2710 ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and 2711 X.683", ITU-T X.680, X.681, X.682, and X.683, 2002. 2713 [NEW-PKIX] 2714 Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX", 2715 draft-ietf-pkix-new-asn1 (work in progress), 2716 December 2007. 2718 [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) 2719 Algorithms", RFC 3370, August 2002. 2721 [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) 2722 Encryption Algorithm in Cryptographic Message Syntax 2723 (CMS)", RFC 3565, July 2003. 
2725 [RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail 2726 Extensions (S/MIME) Version 3.1 Message Specification", 2727 RFC 3851, July 2004. 2729 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", 2730 RFC 3852, July 2004. 2732 [RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to 2733 Protect Firmware Packages", RFC 4108, August 2005. 2735 [RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, "Evidence 2736 Record Syntax (ERS)", RFC 4998, August 2007. 2738 [RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update: 2739 Adding CertID Algorithm Agility", RFC 5035, August 2007. 2741 [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) 2742 Authenticated-Enveloped-Data Content Type", RFC 5083, 2743 November 2007. 2745 [RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated 2746 Encryption in the Cryptographic Message Syntax (CMS)", 2747 RFC 5084, November 2007. 2749 [RFC5275] Turner, S., "CMS Symmetric Key Management and 2750 Distribution", RFC 5275, June 2008. 2752 Appendix A. Change History 2754 [[ This entire section is to be removed upon publication. ]] 2756 A.1. Changes between draft-hoffman-cms-new-asn1-00 and 2757 draft-ietf-smime-new-asn1-00 2759 Changed the draft name. 2761 Added RFC 3565, 2763 Added RFC 4998. 2765 Made RFCs-to-be 5083 and 5084 into RFCs. 2767 In RFC 3370, a line in the comment staring with "Another way to 2768 do..." was not commented out when it should have been. 2770 In RFC 3851, the name of the module from which we are importing was 2771 wrong, although the OID was right. 2773 In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate 2774 which version of CMS added the various extensions. 2776 A.2. Changes between draft-ietf-smime-new-asn1-00 and -01 2778 Added RFC 5275. 2780 Added module for algorithm classes, and modified RFC 3370 and RFC 2781 3852 to uses the classes defined. 2783 A.3. Changes between draft-ietf-smime-new-asn1-01 and -02 2785 Added design notes. 
2787 Removed issue on "Algorithm Structure" and issue on "More Modules To 2788 Be Added". 2790 Updated all modules to use objects more deeply. 2792 In section 6, changed "PKCS #10" to "PKCS #7" to reflect the actual 2793 module where the changes were made. 2795 A.4. Changes between draft-ietf-smime-new-asn1-02 and -03 2797 Many cosmetic-only changes to the modules. 2799 Changed some multi-word keywords to hypenated (such as "SMIME CAPS" 2800 to "SMIME-CAPS"). 2802 Updated the reference of X.680 to X.680, X.681, X.682, and X.683. 2804 Authors' Addresses 2806 Paul Hoffman 2807 VPN Consortium 2808 127 Segre Place 2809 Santa Cruz, CA 95060 2810 US 2812 Phone: 1-831-426-9827 2813 Email: paul.hoffman@vpnc.org 2814 Jim Schaad 2815 Soaring Hawk Consulting 2817 Email: jimsch@exmsft.com