idnits 2.17.1

draft-ietf-smime-new-asn1-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     (You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Feb 2009 rather than one of the newer Notices. See
     https://trustee.ietf.org/license-info/.)

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 220: '... -- Parameters MUST be encoded in st...'
     RFC 2119 keyword, line 221: '...t, -- Parameters SHOULD be encoded in ...'
     RFC 2119 keyword, line 222: '..., -- Parameters SHOULD NOT be encoded...'
     RFC 2119 keyword, line 223: '... -- Parameters MUST NOT be encoded i...'
     RFC 2119 keyword, line 225: '... -- Parameters MAY be encoded in the...'
     (96 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 616 has weird spacing: '...e could be ge...'

  -- The document seems to contain a disclaimer for pre-RFC5378 work, and may
     have content which was first submitted before 10 November 2008. The
     disclaimer is necessary when there are original authors that you have
     been unable to contact, or if some do not wish to grant the BCP78 rights
     to the IETF Trust. If you are able to get all authors (current and
     original) to grant those rights, you can and should remove the
     disclaimer; otherwise, the disclaimer is needed and you can ignore this
     comment. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 6, 2009) is 5500 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '0' on line 2522

  -- Looks like a reference, but probably isn't: '1' on line 2523

  -- Looks like a reference, but probably isn't: '2' on line 2524

  == Missing Reference: 'CMSALG' is mentioned on line 1088, but not defined

  == Missing Reference: 'CMS' is mentioned on line 1099, but not defined

  -- Looks like a reference, but probably isn't: '3' on line 2525

  -- Looks like a reference, but probably isn't: '4' on line 2526

  ** Obsolete normative reference: RFC 3851 (Obsoleted by RFC 5751)

  ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652)

     Summary: 5 errors (**), 0 flaws (~~), 4 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    Network Working Group                                         P. Hoffman
3    Internet-Draft                                            VPN Consortium
4    Intended status: Informational                                 J. Schaad
5    Expires: October 8, 2009                         Soaring Hawk Consulting
6                                                               April 6, 2009

8                      New ASN.1 Modules for CMS and S/MIME
9                        draft-ietf-smime-new-asn1-04.txt

11   Status of this Memo

13      This Internet-Draft is submitted to IETF in full conformance with the
14      provisions of BCP 78 and BCP 79. This document may contain material
15      from IETF Documents or IETF Contributions published or made publicly
16      available before November 10, 2008. The person(s) controlling the
17      copyright in some of this material may not have granted the IETF
18      Trust the right to allow modifications of such material outside the
19      IETF Standards Process. Without obtaining an adequate license from
20      the person(s) controlling the copyright in such materials, this
21      document may not be modified outside the IETF Standards Process, and
22      derivative works of it may not be created outside the IETF Standards
23      Process, except to format it for publication as an RFC or to
24      translate it into languages other than English.

26      Internet-Drafts are working documents of the Internet Engineering
27      Task Force (IETF), its areas, and its working groups. Note that
28      other groups may also distribute working documents as
29      Internet-Drafts.

31      Internet-Drafts are draft documents valid for a maximum of six months
32      and may be updated, replaced, or obsoleted by other documents at any
33      time. It is inappropriate to use Internet-Drafts as reference
34      material or to cite them other than as "work in progress."

36      The list of current Internet-Drafts can be accessed at
37      http://www.ietf.org/ietf/1id-abstracts.txt.

39      The list of Internet-Draft Shadow Directories can be accessed at
40      http://www.ietf.org/shadow.html.

42      This Internet-Draft will expire on October 8, 2009.

44   Copyright Notice

46      Copyright (c) 2009 IETF Trust and the persons identified as the
47      document authors. All rights reserved.

49      This document is subject to BCP 78 and the IETF Trust's Legal
50      Provisions Relating to IETF Documents in effect on the date of
51      publication of this document (http://trustee.ietf.org/license-info).
52      Please review these documents carefully, as they describe your rights
53      and restrictions with respect to this document.

55   Abstract

57      The Cryptographic Message Syntax (CMS) format, and many associated
58      formats, are expressed using ASN.1. The current ASN.1 modules
59      conform to the 1988 version of ASN.1. This document updates those
60      ASN.1 modules to conform to the 2002 version of ASN.1. There are no
61      bits-on-the-wire changes to any of the formats; this is simply a
62      change to the syntax.

64   Table of Contents

66      1. Introduction
67        1.1. Design Notes
68        1.2. Issues
69          1.2.1. Module OIDs Changing
70      2. ASN.1 Module AlgorithmInformation
71      3. ASN.1 Module for RFC 3370
72      4. ASN.1 Module for RFC 3565
73      5. ASN.1 Module for RFC 3851
74      6. ASN.1 Module for RFC 3852
75      7. ASN.1 Module for RFC 4108
76      8. ASN.1 Module for RFC 4998
77      9. ASN.1 Module for RFC 5035
78      10. ASN.1 Module for RFC 5083
79      11. ASN.1 Module for RFC 5084
80      12. ASN.1 Module for RFC 5275
81      13. Security Considerations
82      14. Normative References
83      Appendix A. Change History
84        A.1. Changes between draft-hoffman-cms-new-asn1-00 and
85             draft-ietf-smime-new-asn1-00
86        A.2. Changes between draft-ietf-smime-new-asn1-00 and -01
87        A.3. Changes between draft-ietf-smime-new-asn1-01 and -02
88        A.4. Changes between draft-ietf-smime-new-asn1-02 and -03
89        A.5. Changes between draft-ietf-smime-new-asn1-03 and -04
90      Authors' Addresses

92   1. Introduction

94      Some developers would like the IETF to use the latest version of
95      ASN.1 in its standards. Most of the RFCs that relate to security
96      protocols still use ASN.1 from the 1988 standard, which has been
97      deprecated. This is particularly true for the standards that relate
98      to PKIX, CMS, and S/MIME.

100     This document updates the following RFCs to use ASN.1 modules that
101     conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all
102     the modules are updated; some are included to simply make the set
103     complete.

105     o RFC 3370, CMS Algorithms [RFC3370]

107     o RFC 3565, Use of AES in CMS [RFC3565]

109     o RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851]

111     o RFC 3852, CMS main [RFC3852]

113     o RFC 4108, Using CMS to Protect Firmware Packages [RFC4108]

115     o RFC 4998, Evidence Record Syntax (ERS) [RFC4998]

117     o RFC 5035, Enhanced Security Services (ESS) [RFC5035]

119     o RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]

121     o RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in
122       CMS [RFC5084]

124     o RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]

126     Note that some of the modules in this document get some of their
127     definitions from places different than the modules in the original
128     RFCs. The idea is that these modules, when combined with the modules
129     in [NEW-PKIX] can stand on their own and do not need to import
130     definitions from anywhere else.

132     The document also includes a module of common definitions called
133     "AlgorithmInformation". These definitions are used here and in
134     [NEW-PKIX].

136     Note that some of the modules here import definitions from the common
137     definitions module, "PKIX-CommonTypes", in [NEW-PKIX].

139  1.1. Design Notes

141     The modules in this document use the object model available in the
142     2002 ASN.1 documents to a great extent. Objects for each of the
143     different algorithm types are defined. Also, all of the places where
144     the 1988 ASN.1 syntax had ANY holes to allow for variable syntax
145     now have objects.

147     Much like the way that the PKIX and S/MIME working groups use the
148     prefix of id- for object identifiers, this document has also adopted
149     a set of two, three, and four letter prefixes to allow for quick
150     identification of the type of an object based on its name. This
151     allows, for example, the same back half of the name to be used for
152     the different objects. Thus, "id-sha1" is the object identifier,
153     while "mda-sha1" is the message digest object for "sha1".

155     One or more object sets for the different types of algorithms are
156     defined. A single consistent name for each of the different
157     algorithm types is used. For example, an object set named PublicKeys
158     might contain the public keys defined in that module. If no public
159     keys are defined, then the object set is not created. When
160     referencing these object sets when imported, one needs to be able to
161     disambiguate between the different modules. This is done by using
162     both the module name (as specified in the IMPORT statement) and the
163     object set name. For example, in the module for RFC 5280:

165     PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
166     PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }

168     PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
169         PKIX1-PSS-OAEP-Algorithms.PublicKeys }

171  1.2. Issues

173     This section will be removed before final publication.

175  1.2.1. Module OIDs Changing

177     The OIDs given in the modules in this version of the document are the
178     same as the OIDs from the original modules, even though some of the
179     modules have changed syntax. That is clearly incorrect. In a later
180     version of this document, we will change the OIDs for every changed
181     module. The WG (hopefully in coordination with the PKIX WG) needs to
182     determine how to do this and what the result will be.

184  2. ASN.1 Module AlgorithmInformation

186     This section contains a module that is imported by many other modules
187     in this document. Note that this module is also given in [NEW-PKIX].
188     This module does not come from any existing RFC.

190    AlgorithmInformation-2009
191        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
192        mechanisms(5) pkix(7) id-mod(0)
193        id-mod-algorithmInformation-02(58)}

195    DEFINITIONS EXPLICIT TAGS ::=
196    BEGIN
197    EXPORTS ALL;
198    IMPORTS

200    KeyUsage
201    FROM PKIX1Implicit-2009
202        {iso(1) identified-organization(3) dod(6) internet(1)
203        security(5) mechanisms(5) pkix(7) id-mod(0)
204        id-mod-pkix1-implicit-02(59)} ;

206    -- Suggested prefixes for algorithm objects are:
207    --
208    -- mda-  Message Digest Algorithms
209    -- sa-   Signature Algorithms
210    -- kta-  Key Transport Algorithms (Asymmetric)
211    -- kaa-  Key Agreement Algorithms (Asymmetric)
212    -- kwa-  Key Wrap Algorithms (Symmetric)
213    -- kda-  Key Derivation Algorithms
214    -- maca- Message Authentication Code Algorithms
215    -- pk-   Public Key
216    -- cea-  Content (symmetric) Encryption Algorithm
217    -- cap-  S/MIME Capabilities

219    ParamOptions ::= ENUMERATED {
220        required,          -- Parameters MUST be encoded in structure
221        preferredPresent,  -- Parameters SHOULD be encoded in structure
222        preferredAbsent,   -- Parameters SHOULD NOT be encoded in structure
223        absent,            -- Parameters MUST NOT be encoded in structure
224        inheritable,       -- Parameters are inherited if not present
225        optional,          -- Parameters MAY be encoded in the structure
226        ...
227    }

229    -- DIGEST-ALGORITHM
230    --
231    -- Describes the basic information for ASN.1 and a digest
232    -- algorithm.
233    --
234    -- &id - contains the OID identifying the digest algorithm
235    -- &Params - contains the type for the algorithm parameters,
236    --           if present; absent implies no parameters
237    -- &paramPresence - parameter presence requirement
238    --
239    -- Additional information such as the length of the hash could also
240    -- be encoded.
241    --
242    -- Example:
243    -- sha1 DIGEST-ALGORITHM ::= {
244    --     IDENTIFIER id-sha1
245    --     PARAMS TYPE NULL ARE preferredAbsent
246    -- }

248    DIGEST-ALGORITHM ::= CLASS {
249        &id                OBJECT IDENTIFIER UNIQUE,
250        &Params            OPTIONAL,
251        &paramPresence     ParamOptions DEFAULT absent
252    } WITH SYNTAX {
253        IDENTIFIER &id
254        [PARAMS [TYPE &Params] [ARE &paramPresence] ]
255    }

257    -- SIGNATURE-ALGORITHM
258    --
259    -- Describes the basic properties of a signature algorithm
260    --
261    -- &id - contains the OID identifying the signature algorithm
262    -- &Value - contains a type definition for the value structure of
263    --          the signature
264    -- &Params - contains the type for the algorithm parameters,
265    --           if present; absent implies no parameters
266    -- &paramPresence - parameter presence requirement
267    -- &HashSet - The set of hash algorithms used with this
268    --            signature algorithm
269    -- &PublicKeySet - the set of public key algorithms for this
270    --                 signature algorithm
271    -- &smimeCaps - contains the object describing how the S/MIME
272    --              capabilities are presented.
273    --
274    -- Example:
275    -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
276    --     IDENTIFIER id-RSASSA-PSS
277    --     PARAMS TYPE RSASSA-PSS-params ARE required
278    --     HASHES {sha1 | md5, ... }
279    --     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
280    -- }

282    SIGNATURE-ALGORITHM ::= CLASS {
283        &id             OBJECT IDENTIFIER UNIQUE,
284        &Value          OPTIONAL,
285        &Params         OPTIONAL,
286        &paramPresence  ParamOptions DEFAULT absent,
287        &HashSet        DIGEST-ALGORITHM OPTIONAL,
288        &PublicKeySet   PUBLIC-KEY OPTIONAL,
289        &smimeCaps      SMIME-CAPS OPTIONAL
290    } WITH SYNTAX {
291        IDENTIFIER &id
292        [VALUE &Value]
293        [PARAMS [TYPE &Params] ARE &paramPresence ]
294        [HASHES &HashSet]
295        [PUBLIC-KEYS &PublicKeySet]
296        [SMIME-CAPS &smimeCaps]
297    }

299    -- PUBLIC-KEY
300    --
301    -- Describes the basic properties of a public key
302    --
303    -- &id - contains the OID identifying the public key
304    -- &KeyValue - contains the type for the key value
305    -- &Params - contains the type for the algorithm parameters,
306    --           if present; absent implies no parameters
307    -- &paramPresence - parameter presence requirement
308    -- &keyUsage - contains the set of bits that are legal for this
309    --             key type. Note that it does not make any statement
310    --             about how bits may be paired.
311    -- &PrivateKey - contains a type structure for encoding the private
312    --               key information.
313    --
314    -- Example:
315    -- pk-rsa-pss PUBLIC-KEY ::= {
316    --     IDENTIFIER id-RSASSA-PSS
317    --     KEY RSAPublicKey
318    --     PARAMS TYPE RSASSA-PSS-params ARE optional
319    --     CERT-KEY-USAGE { .... }
320    -- }

322    PUBLIC-KEY ::= CLASS {
323        &id             OBJECT IDENTIFIER UNIQUE,
324        &KeyValue       OPTIONAL,
325        &Params         OPTIONAL,
326        &paramPresence  ParamOptions DEFAULT absent,
327        &keyUsage       KeyUsage OPTIONAL,
328        &PrivateKey     OPTIONAL
329    } WITH SYNTAX {
330        IDENTIFIER &id
331        [KEY &KeyValue]
332        [PARAMS [TYPE &Params] ARE &paramPresence]
333        [CERT-KEY-USAGE &keyUsage]
334        [PRIVATE-KEY &PrivateKey]
335    }

337    -- KEY-TRANSPORT
338    --
339    -- Describes the basic properties of a key transport algorithm
340    --
341    -- &id - contains the OID identifying the key transport algorithm
342    -- &Params - contains the type for the algorithm parameters,
343    --           if present; absent implies no parameters
344    -- &paramPresence - parameter presence requirement
345    -- &PublicKeySet - specify which public keys are used with
346    --                 this algorithm
347    -- &smimeCaps - contains the object describing how the S/MIME
348    --              capabilities are presented.
349    --
350    -- Example:
351    -- rsaTransport KEY-TRANSPORT ::= {
352    --     IDENTIFIER &id
353    --     PARAMS TYPE NULL ARE required
354    --     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
355    -- }

357    KEY-TRANSPORT ::= CLASS {
358        &id             OBJECT IDENTIFIER UNIQUE,
359        &Params         OPTIONAL,
360        &paramPresence  ParamOptions DEFAULT absent,
361        &PublicKeySet   PUBLIC-KEY OPTIONAL,
362        &smimeCaps      SMIME-CAPS OPTIONAL
363    } WITH SYNTAX {
364        IDENTIFIER &id
365        [PARAMS [TYPE &Params] ARE &paramPresence]
366        [PUBLIC-KEYS &PublicKeySet]
367        [SMIME-CAPS &smimeCaps]
368    }

370    -- KEY-AGREE
371    --
372    -- Describes the basic properties of a key agreement algorithm
373    --
374    -- &id - contains the OID identifying the key agreement algorithm
375    -- &Params - contains the type for the algorithm parameters,
376    --           if present; absent implies no parameters
377    -- &paramPresence - parameter presence requirement
378    -- &PublicKeySet - specify which public keys are used with
379    --                 this algorithm
380    -- &Ukm - type of user keying material used
381    -- &ukmPresence - specifies the requirements to define the UKM field
382    -- &smimeCaps - contains the object describing how the S/MIME
383    --              capabilities are presented.
384    --
385    -- Example:
386    -- dh-static-ephemerial KEY-AGREE ::= {
387    --     IDENTIFIER id-alg-ESDH
388    --     PARAMS TYPE KeyWrapAlgorithm ARE required
389    --     - - user key material is not ASN.1-encoded.
390    --     PUBLIC-KEYS {
391    --         {IDENTIFIER dh-public-number KEY DHPublicKey
392    --          PARAMS TYPE DHDomainParameters ARE inheritable }
393    --     }
394    --     - - UKM should be present but is not separately ASN.1-encoded
395    --     UKM ARE preferredPresent
396    -- }

398    KEY-AGREE ::= CLASS {
399        &id             OBJECT IDENTIFIER UNIQUE,
400        &Params         OPTIONAL,
401        &paramPresence  ParamOptions DEFAULT absent,
402        &PublicKeySet   PUBLIC-KEY OPTIONAL,
403        &Ukm            OPTIONAL,
404        &ukmPresence    ParamOptions DEFAULT absent,
405        &smimeCaps      SMIME-CAPS OPTIONAL
406    } WITH SYNTAX {
407        IDENTIFIER &id
408        [PARAMS [TYPE &Params] ARE &paramPresence]
409        [PUBLIC-KEYS &PublicKeySet]
410        [UKM [TYPE &Ukm] ARE &ukmPresence]
411        [SMIME-CAPS &smimeCaps]
412    }

414    -- KEY-WRAP
415    --
416    -- Describes the basic properties of a key wrap algorithm
417    --
418    -- &id - contains the OID identifying the key wrap algorithm
419    -- &Params - contains the type for the algorithm parameters,
420    --           if present; absent implies no parameters
421    -- &paramPresence - parameter presence requirement
422    -- &smimeCaps - contains the object describing how the S/MIME
423    --              capabilities are presented.

425    --
426    -- Example:
427    -- cms3DESwrap KEY-WRAP ::= {
428    --     IDENTIFIER id-alg-CMS3DESwrap
429    --     PARAMS TYPE NULL ARE required
430    -- }

432    KEY-WRAP ::= CLASS {
433        &id             OBJECT IDENTIFIER UNIQUE,
434        &Params         OPTIONAL,
435        &paramPresence  ParamOptions DEFAULT absent,
436        &smimeCaps      SMIME-CAPS OPTIONAL
437    } WITH SYNTAX {
438        IDENTIFIER &id
439        [PARAMS [TYPE &Params] ARE &paramPresence]
440        [SMIME-CAPS &smimeCaps]
441    }

443    -- KEY-DERIVATION
444    --
445    -- Describes the basic properties of a key derivation algorithm
446    --
447    -- &id - contains the OID identifying the key derivation algorithm
448    -- &Params - contains the type for the algorithm parameters,
449    --           if present; absent implies no parameters
450    -- &paramPresence - parameter presence requirement
451    -- &smimeCaps - contains the object describing how the S/MIME
452    --              capabilities are presented.
453    --
454    -- Could add information about defaults for the derivation algorithm
455    -- such as PRFs
456    --
457    -- Example:
458    -- pbkdf2 KEY-DERIVATION ::= {
459    --     IDENTIFIER id-PBKDF2
460    --     PARAMS TYPE PBKDF2-params ARE required
461    -- }

463    KEY-DERIVATION ::= CLASS {
464        &id             OBJECT IDENTIFIER UNIQUE,
465        &Params         OPTIONAL,
466        &paramPresence  ParamOptions DEFAULT absent,
467        &smimeCaps      SMIME-CAPS OPTIONAL
468    } WITH SYNTAX {
469        IDENTIFIER &id
470        [PARAMS [TYPE &Params] ARE &paramPresence]
471        [SMIME-CAPS &smimeCaps]
472    }
473    -- MAC-ALGORITHM
474    --
475    -- Describes the basic properties of a MAC algorithm
476    --
477    -- &id - contains the OID identifying the MAC algorithm
478    -- &Params - contains the type for the algorithm parameters,
479    --           if present; absent implies no parameters
480    -- &paramPresence - parameter presence requirement
481    -- &keyed - MAC algorithm is a keyed MAC algorithm
482    -- &smimeCaps - contains the object describing how the S/MIME
483    --              capabilities are presented.
484    --
485    -- It would make sense to also add minimum and maximum MAC lengths
486    --
487    -- Example:
488    -- maca-hmac-sha1 MAC-ALGORITHM ::= {
489    --     IDENTIFIER hMAC-SHA1
490    --     PARAMS TYPE NULL ARE preferredAbsent
491    --     IS-KEYED-MAC TRUE
492    --     SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
493    -- }

495    MAC-ALGORITHM ::= CLASS {
496        &id             OBJECT IDENTIFIER UNIQUE,
497        &Params         OPTIONAL,
498        &paramPresence  ParamOptions DEFAULT absent,
499        &keyed          BOOLEAN,
500        &smimeCaps      SMIME-CAPS OPTIONAL
501    } WITH SYNTAX {
502        IDENTIFIER &id
503        [PARAMS [TYPE &Params] [ARE &paramPresence]]
504        IS-KEYED-MAC &keyed
505        [SMIME-CAPS &smimeCaps]
506    }

508    -- CONTENT-ENCRYPTION
509    --
510    -- Describes the basic properties of a content encryption
511    -- algorithm
512    --
513    -- &id - contains the OID identifying the content
514    --       encryption algorithm
515    -- &Params - contains the type for the algorithm parameters,
516    --           if present; absent implies no parameters
517    -- &paramPresence - parameter presence requirement
518    -- &smimeCaps - contains the object describing how the S/MIME
519    --              capabilities are presented.
520    --
521    -- Example:
522    -- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
523    --     IDENTIFIER des-ede3-cbc
524    --     PARAMS TYPE IV ARE required
525    --     SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
526    -- }

528    CONTENT-ENCRYPTION ::= CLASS {
529        &id             OBJECT IDENTIFIER UNIQUE,
530        &Params         OPTIONAL,
531        &paramPresence  ParamOptions DEFAULT absent,
532        &smimeCaps      SMIME-CAPS OPTIONAL
533    } WITH SYNTAX {
534        IDENTIFIER &id
535        [PARAMS [TYPE &Params] ARE &paramPresence]
536        [SMIME-CAPS &smimeCaps]
537    }

539    -- ALGORITHM
540    --
541    -- Describes a generic algorithm identifier
542    --
543    -- &id - contains the OID identifying the algorithm
544    -- &Params - contains the type for the algorithm parameters,
545    --           if present; absent implies no parameters
546    -- &paramPresence - parameter presence requirement
547    -- &smimeCaps - contains the object describing how the S/MIME
548    --              capabilities are presented.
549    --
550    -- This would be used for cases where an unknown algorithm is
551    -- used. One should consider using TYPE-IDENTIFIER in these cases.

553    ALGORITHM ::= CLASS {
554        &id             OBJECT IDENTIFIER UNIQUE,
555        &Params         OPTIONAL,
556        &paramPresence  ParamOptions DEFAULT absent,
557        &smimeCaps      SMIME-CAPS OPTIONAL
558    } WITH SYNTAX {
559        IDENTIFIER &id
560        [PARAMS [TYPE &Params] ARE &paramPresence]
561        [SMIME-CAPS &smimeCaps]
562    }

564    -- AlgorithmIdentifier
565    --
566    -- Provides the generic structure that is used to encode algorithm
567    -- identification and the parameters associated with the
568    -- algorithm.

570    --
571    -- The first parameter represents the type of the algorithm being
572    -- used.
573    -- The second parameter represents an object set containing the
574    -- algorithms that may occur in this situation.
575    -- The initial list of required algorithms should occur to the
576    -- left of an extension marker, all other algorithms should
577    -- occur to the right of an extension marker.
578    --
579    -- The object class ALGORITHM can be used for generic unspecified
580    -- items.
581    -- If new ALGORITHM objects are defined, the fields &id and &Params
582    -- need to be present as fields in the object.
583    --

585    AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
586        SEQUENCE {
587            algorithm   ALGORITHM-TYPE.&id({AlgorithmSet}),
588            parameters  ALGORITHM-TYPE.
589                   &Params({AlgorithmSet}{@algorithm}) OPTIONAL
590        }

592    -- S/MIME Capabilities
593    --
594    -- We have moved the SMIME-CAPS from the module for RFC 3851 to here
595    -- because it is used in the PKIX document RFC 4262 - Use of S/MIME
596    -- Caps in certificate extension
597    --
598    --
599    -- This class is used to represent an S/MIME capability. S/MIME
600    -- capabilities are used to represent what algorithm capabilities
601    -- an individual has. The classic example was the content encryption
602    -- algorithm RC2 where the algorithm id and the RC2 key lengths
603    -- supported needed to be advertised, but the IV used is not fixed.
604    -- Thus for RC2 we used
605    --
606    -- cap-RC2CBC SMIME-CAPS ::= {
607    --     TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
608    --
609    -- where 40 and 128 represent the RC2 key length in number of bits.
610    --
611    -- Another example where information needs to be shown is for
612    -- RSA-OAEP where only specific hash functions or mask generation
613    -- functions are supported, but the saltLength is specified by the
614    -- sender and not the recipient. In this case one can either
615    -- generate a number of capability items,
616    -- or a new S/MIME capability type could be generated where
617    -- multiple hash functions could be specified.
618    --
619    --
620    -- SMIME-CAP
621    --
622    -- This class is used to associate the type describing capabilities
623    -- with the object identifier.
624    --

626    SMIME-CAPS ::= CLASS {
627        &id    OBJECT IDENTIFIER UNIQUE,
628        &Type  OPTIONAL
629    }
630    WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }

632    --
633    -- Generic type - this is used for defining values.
634    --

636    -- Define a single S/MIME capability encoding

638    SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
639        capabilityID  SMIME-CAPS.&id({CapabilitySet}),
640        parameters    SMIME-CAPS.&Type({CapabilitySet}
641                          {@capabilityID}) OPTIONAL
642    }

644    -- Define a sequence of S/MIME capability value

646    SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
647        SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }

649    END

651  3. ASN.1 Module for RFC 3370

653    CryptographicMessageSyntaxAlgorithms-2009
654        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
655        smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
656    DEFINITIONS IMPLICIT TAGS ::=
657    BEGIN
658    IMPORTS

660    ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
661        PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
662        KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
663        AlgorithmIdentifier{}, SMIME-CAPS
664    FROM AlgorithmInformation-2009
665        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
666        mechanisms(5) pkix(7) id-mod(0)
667        id-mod-algorithmInformation-02(58)}

669    pk-rsa, pk-dh, pk-dsa, rsaEncryption, DHPublicKey, dhpublicnumber
670    FROM PKIXAlgs-2009
671        {iso(1) identified-organization(3) dod(6)
672        internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
673        id-mod-pkix1-algorithms2008-02(56)}

675    cap-RC2CBC
676    FROM SecureMimeMessageV3dot1-2009
677        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
678        smime(16) modules(0) id-mod-msg-v3dot1-02(39)};

680    -- 2. Hash algorithms in this document

682    MessageDigestAlgs DIGEST-ALGORITHM ::= {
683        -- mda-md5 | mda-sha1,
684        ... }

686    -- 3. Signature algorithms in this document

688    SignatureAlgs SIGNATURE-ALGORITHM ::= {
689        -- See RFC 3279
690        -- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1,
691        ... }

693    -- 4. Key Management Algorithms
694    -- 4.1 Key Agreement Algorithms

696    KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
697    KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}

699    -- 4.2 Key Transport Algorithms

701    KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }

703    -- 4.3 Symmetric Key-Encryption Key Algorithms

705    KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }

707    -- 4.4 Key Derivation Algorithms
708    KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }

710    -- 5. Content Encryption Algorithms

712    ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
713        { cea-3DES-cbc | cea-RC2-cbc, ... }

715    -- 6. Message Authentication Code Algorithms

717    MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }

719    -- SMIME Capabilities for these items

721    SMimeCaps SMIME-CAPS ::= {
722        kaa-esdh.&smimeCaps |
723        kaa-ssdh.&smimeCaps |
724        kt-rsa.&smimeCaps |
725        kwa-3DESWrap.&smimeCaps |
726        kwa-RC2Wrap.&smimeCaps |
727        cea-3DES-cbc.&smimeCaps |
728        cea-RC2-cbc.&smimeCaps |
729        maca-hMAC-SHA1.&smimeCaps,
730        ...}

732    --
733    --
734    --

736    -- Algorithm Identifiers

738    -- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
739    --     us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

741    id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
742        rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }

744    id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
745        rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }

747    id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
748        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }

750    id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
751        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }

753    des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
754        us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }

756    rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
757        rsadsi(113549) encryptionAlgorithm(3) 2 }

759    hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
760        dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }

762    id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
763        rsadsi(113549) pkcs(1) pkcs-5(5) 12 }

765    -- Algorithm Identifier Parameter Types

767    KeyWrapAlgorithm ::=
768        AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }}

770    RC2wrapParameter ::= RC2ParameterVersion

772    RC2ParameterVersion ::= INTEGER

774    CBCParameter ::= IV

776    IV ::= OCTET STRING -- exactly 8 octets

778    RC2CBCParameter ::= SEQUENCE {
779        rc2ParameterVersion INTEGER (1..256),
780        iv OCTET STRING } -- exactly 8 octets

782    maca-hMAC-SHA1 MAC-ALGORITHM ::= {
783 IDENTIFIER hMAC-SHA1 784 PARAMS TYPE NULL ARE preferredAbsent 785 IS-KEYED-MAC TRUE 786 SMIME-CAPS {IDENTIFIED BY hMAC-SHA1} 787 } 789 PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM, 790 {PBKDF2-PRFs} } 792 alg-hMAC-SHA1 ALGORITHM ::= 793 { IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required } 795 PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... } 797 PBKDF2-SaltSources ALGORITHM ::= { ... } 799 PBKDF2-SaltSourcesAlgorithmIdentifier ::= 800 AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}} 802 defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::= 803 { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL } 805 PBKDF2-params ::= SEQUENCE { 806 salt CHOICE { 807 specified OCTET STRING, 808 otherSource PBKDF2-SaltSourcesAlgorithmIdentifier }, 809 iterationCount INTEGER (1..MAX), 810 keyLength INTEGER (1..MAX) OPTIONAL, 811 prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT 812 defaultPBKDF2 813 } 815 -- 816 -- This object is included for completeness. It should not be used 817 -- for encoding of signatures, but was sometimes used in older 818 -- versions of CMS for encoding of RSA signatures. 
819 --
820 --
821 -- sa-rsa SIGNATURE-ALGORITHM ::= {
822 -- IDENTIFIER rsaEncryption
823 -- - - value is not ASN.1 encoded
824 -- PARAMS TYPE NULL ARE required
825 -- HASHES {mda-sha1 | mda-md5, ...}
826 -- PUBLIC-KEYS { pk-rsa}
827 -- }
828 --
829 -- No ASN.1 encoding is applied to the signature value
830 -- for these items

832 kaa-esdh KEY-AGREE ::= {
833     IDENTIFIER id-alg-ESDH
834     PARAMS TYPE KeyWrapAlgorithm ARE required
835     PUBLIC-KEYS { pk-dh }
836     -- UKM is not ASN.1 encoded
837     UKM ARE optional
838     SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
839 }

841 kaa-ssdh KEY-AGREE ::= {
842     IDENTIFIER id-alg-SSDH
843     PARAMS TYPE KeyWrapAlgorithm ARE required
844     PUBLIC-KEYS {pk-dh}
845     -- UKM is not ASN.1 encoded
846     UKM ARE optional
847     SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
848 }

850 dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber
851 pk-originator-dh PUBLIC-KEY ::= {
852     IDENTIFIER dh-public-number
853     KEY DHPublicKey
854     PARAMS ARE absent
855     CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly}
856 }

858 kwa-3DESWrap KEY-WRAP ::= {
859     IDENTIFIER id-alg-CMS3DESwrap
860     PARAMS TYPE NULL ARE required
861     SMIME-CAPS {IDENTIFIED BY id-alg-CMS3DESwrap}
862 }

864 kwa-RC2Wrap KEY-WRAP ::= {
865     IDENTIFIER id-alg-CMSRC2wrap
866     PARAMS TYPE RC2wrapParameter ARE required
867     SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
868 }

870 kda-PBKDF2 KEY-DERIVATION ::= {
871     IDENTIFIER id-PBKDF2
872     PARAMS TYPE PBKDF2-params ARE required
873     -- No s/mime caps defined
874 }

876 cea-3DES-cbc CONTENT-ENCRYPTION ::= {
877     IDENTIFIER des-ede3-cbc
878     PARAMS TYPE IV ARE required
879     SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
880 }

882 cea-RC2-cbc CONTENT-ENCRYPTION ::= {
883     IDENTIFIER rc2-cbc
884     PARAMS TYPE RC2CBCParameter ARE required
885     SMIME-CAPS cap-RC2CBC
886 }

888 kt-rsa KEY-TRANSPORT ::= {
889     IDENTIFIER rsaEncryption
890     PARAMS TYPE NULL ARE required
891     PUBLIC-KEYS { pk-rsa }
892     SMIME-CAPS {IDENTIFIED BY rsaEncryption}
893 }

895 -- S/MIME Capabilities - most have no label.

897 cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }
898 END

900 4. ASN.1 Module for RFC 3565

902 CMSAesRsaesOaep-2009 {iso(1) member-body(2) us(840) rsadsi(113549)
903     pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38)}
904 DEFINITIONS IMPLICIT TAGS ::=
905 BEGIN
906 IMPORTS

908 CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
909 FROM AlgorithmInformation-2009
910     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
911     mechanisms(5) pkix(7) id-mod(0)
912     id-mod-algorithmInformation-02(58)};

914 AES-ContentEncryption CONTENT-ENCRYPTION ::= {
915     cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
916 }

918 AES-KeyWrap KEY-WRAP ::= {
919     kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
920 }

922 SMimeCaps SMIME-CAPS ::= {
923     cea-aes128-cbc.&smimeCaps |
924     cea-aes192-cbc.&smimeCaps |
925     cea-aes256-cbc.&smimeCaps |
926     kwa-aes128-wrap.&smimeCaps |
927     kwa-aes192-wrap.&smimeCaps |
928     kwa-aes256-wrap.&smimeCaps, ...
929 }

931 -- AES information object identifiers --

933 aes OBJECT IDENTIFIER ::=
934     { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
935     csor(3) nistAlgorithms(4) 1 }

937 -- AES using CBC mode for key sizes of 128, 192, 256

939 cea-aes128-cbc CONTENT-ENCRYPTION ::= {
940     IDENTIFIER id-aes128-CBC
941     PARAMS TYPE AES-IV ARE required
942     SMIME-CAPS { IDENTIFIED BY id-aes128-CBC }
943 }
944 id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }

946 cea-aes192-cbc CONTENT-ENCRYPTION ::= {
947     IDENTIFIER id-aes192-CBC
948     PARAMS TYPE AES-IV ARE required
949     SMIME-CAPS { IDENTIFIED BY id-aes192-CBC }
950 }
951 id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }

953 cea-aes256-cbc CONTENT-ENCRYPTION ::= {
954     IDENTIFIER id-aes256-CBC
955     PARAMS TYPE AES-IV ARE required
956     SMIME-CAPS { IDENTIFIED BY id-aes256-CBC }
957 }
958 id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }

960 -- AES-IV is the parameter for all the above object identifiers.

962 AES-IV ::= OCTET STRING (SIZE(16))

964 -- AES Key Wrap Algorithm Identifiers - Parameter is absent

966 kwa-aes128-wrap KEY-WRAP ::= {
967     IDENTIFIER id-aes128-wrap
968     PARAMS ARE absent
969     SMIME-CAPS { IDENTIFIED BY id-aes128-wrap }
970 }
971 id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }

973 kwa-aes192-wrap KEY-WRAP ::= {
974     IDENTIFIER id-aes192-wrap
975     PARAMS ARE absent
976     SMIME-CAPS { IDENTIFIED BY id-aes192-wrap }
977 }
978 id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }

980 kwa-aes256-wrap KEY-WRAP ::= {
981     IDENTIFIER id-aes256-wrap
982     PARAMS ARE absent
983     SMIME-CAPS { IDENTIFIED BY id-aes256-wrap }
984 }
985 id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }

987 END

989 5. ASN.1 Module for RFC 3851

991 SecureMimeMessageV3dot1-2009
992     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
993     smime(16) modules(0) id-mod-msg-v3dot1-02(39)}
994 DEFINITIONS IMPLICIT TAGS ::=
995 BEGIN
996 IMPORTS

998 SMIME-CAPS, SMIMECapabilities{}
999 FROM AlgorithmInformation-2009
1000     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1001     mechanisms(5) pkix(7) id-mod(0)
1002     id-mod-algorithmInformation-02(58)}

1004 ATTRIBUTE
1005 FROM PKIX-CommonTypes-2009
1006     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1007     mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

1009 SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
1010 FROM CryptographicMessageSyntax-2009
1011     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1012     smime(16) modules(0) id-mod-cms-2004-02(41)}

1014 rc2-cbc, SMimeCaps
1015 FROM CryptographicMessageSyntaxAlgorithms-2009
1016     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1017     smime(16) modules(0) id-mod-cmsalg-2001-02(37)}

1019 SMimeCaps
1020 FROM PKIXAlgs-2009
1021     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1022     mechanisms(5) pkix(7) id-mod(0)
1023     id-mod-pkix1-algorithms2008-02(56)}

1025 SMimeCaps
1026 FROM PKIX1-PSS-OAEP-Algorithms-2009
1027     {iso(1) identified-organization(3) dod(6) internet(1)
1028     security(5) mechanisms(5) pkix(7) id-mod(0)
1029     id-mod-pkix1-rsa-pkalgs-02(54)};

1031 SMimeAttributeSet ATTRIBUTE ::=
1032     { aa-smimeCapabilities | aa-encrypKeyPref, ... }

1034 -- id-aa is the arc with all new authenticated and unauthenticated
1035 -- attributes produced by the S/MIME Working Group
1036 id-aa OBJECT IDENTIFIER ::=
1037     { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1038     smime(16) attributes(2)}

1040 -- S/MIME Capabilities provides a method of broadcasting the symmetric
1041 -- capabilities understood. Algorithms SHOULD be ordered by
1042 -- preference and grouped by type

1044 aa-smimeCapabilities ATTRIBUTE ::=
1045     { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
1046     smimeCapabilities }

1048 smimeCapabilities OBJECT IDENTIFIER ::=
1049     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1050     15 }

1052 SMimeCapsSet SMIME-CAPS ::=
1053     { cap-preferBinaryInside | cap-RC2CBC |
1054     PKIXAlgs-2009.SMimeCaps |
1055     CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
1056     PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }

1058 -- Encryption Key Preference provides a method of broadcasting the
1059 -- preferred encryption certificate.

1061 aa-encrypKeyPref ATTRIBUTE ::=
1062     { TYPE SMIMEEncryptionKeyPreference
1063     IDENTIFIED BY id-aa-encrypKeyPref }

1065 id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}

1067 SMIMEEncryptionKeyPreference ::= CHOICE {
1068     issuerAndSerialNumber [0] IssuerAndSerialNumber,
1069     receipentKeyId [1] RecipientKeyIdentifier,
1070     subjectAltKeyIdentifier [2] SubjectKeyIdentifier
1071 }

1073 id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1074     us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }

1076 id-cap OBJECT IDENTIFIER ::= { id-smime 11 }

1078 -- The preferBinaryInside indicates an ability to receive messages
1079 -- with binary encoding inside the CMS wrapper

1081 cap-preferBinaryInside SMIME-CAPS ::=
1082     { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }

1084 id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }

1086 -- The following list OIDs to be used with S/MIME V3

1088 -- Signature Algorithms Not Found in [CMSALG]
1089 --
1090 -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
1091 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
1092 -- 2}
1093 --
1094 -- Other Signed Attributes
1095 --
1096 -- signingTime OBJECT IDENTIFIER ::=
1097 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1098 -- 5}
1099 -- See [CMS] for a description of how to encode the attribute
1100 -- value.

1102 cap-RC2CBC SMIME-CAPS ::=
1103     { TYPE SMIMECapabilitiesParametersForRC2CBC
1104     IDENTIFIED BY rc2-cbc}

1106 SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
1107 -- (RC2 Key Length (number of bits))

1109 END

1111 6. ASN.1 Module for RFC 3852

1113 This module has an ASN.1 idiom for noting in which version of CMS
1114 changes were made from the original PKCS #7; that idiom is "[[v:",
1115 where "v" is an integer. For example:

1117 RevocationInfoChoice ::= CHOICE {
1118     crl CertificateList,
1119     ...,
1120     [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1122 Similarly, this module adds the ASN.1 idiom for extensibility (the
1123 "...,") in all places that have been extended in the past. See the
1124 example above.

1126 CryptographicMessageSyntax-2009
1127     { iso(1) member-body(2) us(840) rsadsi(113549)
1128     pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
1129 DEFINITIONS IMPLICIT TAGS ::=
1130 BEGIN
1131 IMPORTS

1133 ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
1134     PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
1135     KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
1136     AlgorithmIdentifier
1137 FROM AlgorithmInformation-2009
1138     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1139     mechanisms(5) pkix(7) id-mod(0)
1140     id-mod-algorithmInformation-02(58)}

1142 SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
1143     MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
1144     KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
1145 FROM CryptographicMessageSyntaxAlgorithms-2009
1146     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1147     smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

1149 Certificate, CertificateList, CertificateSerialNumber,
1150     Name, ATTRIBUTE
1151 FROM PKIX1Explicit-2009
1152     { iso(1) identified-organization(3) dod(6) internet(1)
1153     security(5) mechanisms(5) pkix(7) id-mod(0)
1154     id-mod-pkix1-explicit-02(51) }

1156 AttributeCertificate
1157 FROM PKIXAttributeCertificate-2009
1158     { iso(1) identified-organization(3) dod(6) internet(1)
1159     security(5) mechanisms(5) pkix(7) id-mod(0)
1160     id-mod-attribute-cert-02(47) }

1162 AttributeCertificateV1
1163 FROM AttributeCertificateVersion1-2009
1164     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1165     smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;

1167 -- Cryptographic Message Syntax

1169 -- The following are used for version numbers using the ASN.1
1170 -- idiom "[[n:"
1171 -- Version 1 = PKCS #7
1172 -- Version 2 = S/MIME V2
1173 -- Version 3 = RFC 2630
1174 -- Version 4 = RFC 3369
1175 -- Version 5 = RFC 3852
1176 CONTENT-TYPE ::= TYPE-IDENTIFIER
1177 ContentType ::= CONTENT-TYPE.&id

1179 ContentInfo ::= SEQUENCE {
1180     contentType CONTENT-TYPE.
1181         &id({ContentSet}),
1182     content [0] EXPLICIT CONTENT-TYPE.
1183         &Type({ContentSet}{@contentType})}

1185 ContentSet CONTENT-TYPE ::= {
1186     -- Define the set of content types to be recognized.
1187     ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
1188     ct-AuthenticatedData | ct-DigestedData, ... }

1190 SignedData ::= SEQUENCE {
1191     version CMSVersion,
1192     digestAlgorithms SET OF DigestAlgorithmIdentifier,
1193     encapContentInfo EncapsulatedContentInfo,
1194     certificates [0] IMPLICIT CertificateSet OPTIONAL,
1195     crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
1196     signerInfos SignerInfos }

1198 SignerInfos ::= SET OF SignerInfo

1200 EncapsulatedContentInfo ::= SEQUENCE {
1201     eContentType CONTENT-TYPE.&id({ContentSet}),
1202     eContent [0] EXPLICIT OCTET STRING
1203         ( CONTAINING CONTENT-TYPE.
1204         &Type({ContentSet}{@eContentType})) OPTIONAL }

1206 SignerInfo ::= SEQUENCE {
1207     version CMSVersion,
1208     sid SignerIdentifier,
1209     digestAlgorithm DigestAlgorithmIdentifier,
1210     signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
1211     signatureAlgorithm SignatureAlgorithmIdentifier,
1212     signature SignatureValue,
1213     unsignedAttrs [1] IMPLICIT Attributes
1214         {{UnsignedAttributes}} OPTIONAL }

1216 SignedAttributes ::= Attributes {{ SignedAttributesSet }}

1218 SignerIdentifier ::= CHOICE {
1219     issuerAndSerialNumber IssuerAndSerialNumber,
1220     ...,
1221     [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

1223 SignedAttributesSet ATTRIBUTE ::=
1224     { aa-signingTime | aa-messageDigest | aa-contentType, ... }

1226 UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

1228 SignatureValue ::= OCTET STRING

1230 EnvelopedData ::= SEQUENCE {
1231     version CMSVersion,
1232     originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1233     recipientInfos RecipientInfos,
1234     encryptedContentInfo EncryptedContentInfo,
1235     ...,
1236     [[2: unprotectedAttrs [1] IMPLICIT Attributes
1237         {{ UnprotectedAttributes }} OPTIONAL ]] }

1239 OriginatorInfo ::= SEQUENCE {
1240     certs [0] IMPLICIT CertificateSet OPTIONAL,
1241     crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

1243 RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

1245 EncryptedContentInfo ::= SEQUENCE {
1246     contentType CONTENT-TYPE.&id({ContentSet}),
1247     contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
1248     encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }

1250 -- If you want to do constraints, you might use:
1251 -- EncryptedContentInfo ::= SEQUENCE {
1252 -- contentType CONTENT-TYPE.&id({ContentSet}),
1253 -- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
1254 -- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
1255 -- &Type({ContentSet}{@contentType}) OPTIONAL }
1256 -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
1257 -- { ToBeEncrypted } )

1259 UnprotectedAttributes ATTRIBUTE ::= { ... }

1261 RecipientInfo ::= CHOICE {
1262     ktri KeyTransRecipientInfo,
1263     ...,
1264     [[3: kari [1] KeyAgreeRecipientInfo ]],
1265     [[4: kekri [2] KEKRecipientInfo]],
1266     [[5: pwri [3] PasswordRecipientInfo,
1267     ori [4] OtherRecipientInfo ]] }

1269 EncryptedKey ::= OCTET STRING

1271 KeyTransRecipientInfo ::= SEQUENCE {
1272     version CMSVersion, -- always set to 0 or 2
1273     rid RecipientIdentifier,
1274     keyEncryptionAlgorithm AlgorithmIdentifier
1275         {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
1276     encryptedKey EncryptedKey }

1278 KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

1280 RecipientIdentifier ::= CHOICE {
1281     issuerAndSerialNumber IssuerAndSerialNumber,
1282     ...,
1283     [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

1285 KeyAgreeRecipientInfo ::= SEQUENCE {
1286     version CMSVersion, -- always set to 3
1287     originator [0] EXPLICIT OriginatorIdentifierOrKey,
1288     ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
1289     keyEncryptionAlgorithm AlgorithmIdentifier
1290         {KEY-AGREE, {KeyAgreementAlgorithmSet}},
1291     recipientEncryptedKeys RecipientEncryptedKeys }

1293 KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

1295 OriginatorIdentifierOrKey ::= CHOICE {
1296     issuerAndSerialNumber IssuerAndSerialNumber,
1297     subjectKeyIdentifier [0] SubjectKeyIdentifier,
1298     originatorKey [1] OriginatorPublicKey }

1300 OriginatorPublicKey ::= SEQUENCE {
1301     algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
1302     publicKey BIT STRING }

1304 OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }

1306 RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

1308 RecipientEncryptedKey ::= SEQUENCE {
1309     rid KeyAgreeRecipientIdentifier,
1310     encryptedKey EncryptedKey }

1312 KeyAgreeRecipientIdentifier ::= CHOICE {
1313     issuerAndSerialNumber IssuerAndSerialNumber,
1314     rKeyId [0] IMPLICIT RecipientKeyIdentifier }

1316 RecipientKeyIdentifier ::= SEQUENCE {
1317     subjectKeyIdentifier SubjectKeyIdentifier,
1318     date GeneralizedTime OPTIONAL,
1319     other OtherKeyAttribute OPTIONAL }

1321 SubjectKeyIdentifier ::= OCTET STRING

1323 KEKRecipientInfo ::= SEQUENCE {
1324     version CMSVersion, -- always set to 4
1325     kekid KEKIdentifier,
1326     keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1327     encryptedKey EncryptedKey }

1329 KEKIdentifier ::= SEQUENCE {
1330     keyIdentifier OCTET STRING,
1331     date GeneralizedTime OPTIONAL,
1332     other OtherKeyAttribute OPTIONAL }

1334 PasswordRecipientInfo ::= SEQUENCE {
1335     version CMSVersion, -- always set to 0
1336     keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
1337         OPTIONAL,
1338     keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1339     encryptedKey EncryptedKey }

1341 OTHER-RECIPIENT ::= TYPE-IDENTIFIER

1343 OtherRecipientInfo ::= SEQUENCE {
1344     oriType OTHER-RECIPIENT.
1345         &id({SupportedOtherRecipInfo}),
1346     oriValue OTHER-RECIPIENT.
1347         &Type({SupportedOtherRecipInfo}{@oriType})}

1349 SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

1351 DigestedData ::= SEQUENCE {
1352     version CMSVersion,
1353     digestAlgorithm DigestAlgorithmIdentifier,
1354     encapContentInfo EncapsulatedContentInfo,
1355     digest Digest, ... }

1357 Digest ::= OCTET STRING

1359 EncryptedData ::= SEQUENCE {
1360     version CMSVersion,
1361     encryptedContentInfo EncryptedContentInfo,
1362     ...,
1363     [[2: unprotectedAttrs [1] IMPLICIT Attributes
1364         {{UnprotectedAttributes}} OPTIONAL ]] }

1366 AuthenticatedData ::= SEQUENCE {
1367     version CMSVersion,
1368     originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1369     recipientInfos RecipientInfos,
1370     macAlgorithm MessageAuthenticationCodeAlgorithm,
1371     digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
1372     encapContentInfo EncapsulatedContentInfo,
1373     authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
1374     mac MessageAuthenticationCode,
1375     unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

1377 AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
1378     {{AuthAttributeSet}}

1380 AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
1381     | aa-signingTime, ...}

1383 MessageAuthenticationCode ::= OCTET STRING

1385 UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1386     {{UnauthAttributeSet}}

1388 UnauthAttributeSet ATTRIBUTE ::= {...}

1390 --
1391 -- General algorithm definitions
1392 --

1394 DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1395     {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

1397 DigestAlgorithmSet DIGEST-ALGORITHM ::= {
1398     CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }

1400 SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
1401     {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}

1403 SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
1404     { SignatureAlgs, ... }

1406 KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1407     {KEY-WRAP, {KeyEncryptionAlgorithmSet}}

1409 KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }

1411 ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1412     {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}

1414 ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
1415     { ContentEncryptionAlgs, ... }

1417 MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
1418     {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}

1420 MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
1421     { MessageAuthAlgs, ... }

1423 KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
1424     {KEY-DERIVATION, {KeyDerivationAlgs, ...}}

1426 RevocationInfoChoices ::= SET OF RevocationInfoChoice

1428 RevocationInfoChoice ::= CHOICE {
1429     crl CertificateList,
1430     ...,
1431     [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1433 OTHER-REVOK-INFO ::= TYPE-IDENTIFIER

1435 OtherRevocationInfoFormat ::= SEQUENCE {
1436     otherRevInfoFormat OTHER-REVOK-INFO.
1437         &id({SupportedOtherRevokInfo}),
1438     otherRevInfo OTHER-REVOK-INFO.
1439         &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}

1441 SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }

1443 CertificateChoices ::= CHOICE {
1444     certificate Certificate,
1445     extendedCertificate [0] IMPLICIT ExtendedCertificate,
1446     -- Obsolete
1447     ...,
1448     [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
1449     -- Obsolete
1450     [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
1451     [[5: other [3] IMPLICIT OtherCertificateFormat]] }

1453 AttributeCertificateV2 ::= AttributeCertificate

1455 OTHER-CERT-FMT ::= TYPE-IDENTIFIER

1457 OtherCertificateFormat ::= SEQUENCE {
1458     otherCertFormat OTHER-CERT-FMT.
1459         &id({SupportedCertFormats}),
1460     otherCert OTHER-CERT-FMT.
1461         &Type({SupportedCertFormats}{@otherCertFormat})}

1463 SupportedCertFormats OTHER-CERT-FMT ::= { ... }
1464 CertificateSet ::= SET OF CertificateChoices

1466 IssuerAndSerialNumber ::= SEQUENCE {
1467     issuer Name,
1468     serialNumber CertificateSerialNumber }

1470 CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

1472 UserKeyingMaterial ::= OCTET STRING

1474 KEY-ATTRIBUTE ::= TYPE-IDENTIFIER

1476 OtherKeyAttribute ::= SEQUENCE {
1477     keyAttrId KEY-ATTRIBUTE.
1478         &id({SupportedKeyAttributes}),
1479     keyAttr KEY-ATTRIBUTE.
1480         &Type({SupportedKeyAttributes}{@keyAttrId})}

1482 SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }

1484 -- Content Type Object Identifiers

1486 id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1487     us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

1489 ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}

1491 id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1492     us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

1494 ct-SignedData CONTENT-TYPE ::=
1495     { SignedData IDENTIFIED BY id-signedData}

1497 id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1498     us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

1500 ct-EnvelopedData CONTENT-TYPE ::=
1501     { EnvelopedData IDENTIFIED BY id-envelopedData}

1503 id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1504     us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

1506 ct-DigestedData CONTENT-TYPE ::=
1507     { DigestedData IDENTIFIED BY id-digestedData}

1509 id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1510     us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

1512 ct-EncryptedData CONTENT-TYPE ::=
1513     { EncryptedData IDENTIFIED BY id-encryptedData}

1515 id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1516     us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

1518 ct-AuthenticatedData CONTENT-TYPE ::=
1519     { AuthenticatedData IDENTIFIED BY id-ct-authData}

1521 id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1522     us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

1524 --
1525 -- The CMS Attributes
1526 --

1528 MessageDigest ::= OCTET STRING

1530 SigningTime ::= Time

1532 Time ::= CHOICE {
1533     utcTime UTCTime,
1534     generalTime GeneralizedTime }

1536 Countersignature ::= SignerInfo

1538 -- Attribute Object Identifiers

1540 aa-contentType ATTRIBUTE ::=
1541     { TYPE ContentType IDENTIFIED BY id-contentType }
1542 id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1543     us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

1545 aa-messageDigest ATTRIBUTE ::=
1546     { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
1547 id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1548     us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

1550 aa-signingTime ATTRIBUTE ::=
1551     { TYPE SigningTime IDENTIFIED BY id-signingTime }
1552 id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1553     us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

1555 aa-countersignature ATTRIBUTE ::=
1556     { TYPE Countersignature IDENTIFIED BY id-countersignature }
1557 id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1558     us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

1560 --
1561 -- Obsolete Extended Certificate syntax from PKCS#6
1562 --

1564 ExtendedCertificateOrCertificate ::= CHOICE {
1565     certificate Certificate,
1566     extendedCertificate [0] IMPLICIT ExtendedCertificate }

1568 ExtendedCertificate ::= SEQUENCE {
1569     extendedCertificateInfo ExtendedCertificateInfo,
1570     signatureAlgorithm SignatureAlgorithmIdentifier,
1571     signature Signature }

1573 ExtendedCertificateInfo ::= SEQUENCE {
1574     version CMSVersion,
1575     certificate Certificate,
1576     attributes UnauthAttributes }

1578 Signature ::= BIT STRING

1580 Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
1581     attrType ATTRIBUTE.
1582         &id({AttrList}),
1583     attrValues SET OF ATTRIBUTE.
1584         &Type({AttrList}{@attrType}) }

1586 Attributes { ATTRIBUTE:AttrList } ::=
1587     SET SIZE (1..MAX) OF Attribute {{ AttrList }}

1589 END

1591 7. ASN.1 Module for RFC 4108

1593 CMSFirmwareWrapper-2009
1594     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1595     smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) }
1596 DEFINITIONS IMPLICIT TAGS ::=
1597 BEGIN
1598 IMPORTS

1600 OTHER-NAME
1601 FROM PKIX1Implicit-2009
1602     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1603     mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

1605 EnvelopedData, CONTENT-TYPE, ATTRIBUTE
1606 FROM CryptographicMessageSyntax-2009
1607     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1608     smime(16) modules(0) id-mod-cms-2004-02(41) };

1610 FirmwareContentTypes CONTENT-TYPE ::= {
1611     ct-firmwarePackage | ct-firmwareLoadReceipt |
1612     ct-firmwareLoadError,... }

1614 FirmwareSignedAttrs ATTRIBUTE ::= {
1615     aa-firmwarePackageID | aa-targetHardwareIDs |
1616     aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
1617     aa-communityIdentifiers | aa-firmwarePackageInfo,... }

1619 FirmwareUnsignedAttrs ATTRIBUTE ::= {
1620     aa-wrappedFirmwareKey, ... }

1622 FirmwareOtherNames OTHER-NAME ::= {
1623     on-hardwareModuleName, ... }

1625 -- Firmware Package Content Type and Object Identifier

1627 ct-firmwarePackage CONTENT-TYPE ::=
1628     { FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }

1630 id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
1631     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1632     smime(16) ct(1) 16 }

1634 FirmwarePkgData ::= OCTET STRING

1636 -- Firmware Package Signed Attributes and Object Identifiers

1638 aa-firmwarePackageID ATTRIBUTE ::=
1639     { TYPE FirmwarePackageIdentifier IDENTIFIED BY
1640     id-aa-firmwarePackageID }

1642 id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
1643     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1644     smime(16) aa(2) 35 }

1646 FirmwarePackageIdentifier ::= SEQUENCE {
1647     name PreferredOrLegacyPackageIdentifier,
1648     stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }

1650 PreferredOrLegacyPackageIdentifier ::= CHOICE {
1651     preferred PreferredPackageIdentifier,
1652     legacy OCTET STRING }

1654 PreferredPackageIdentifier ::= SEQUENCE {
1655     fwPkgID OBJECT IDENTIFIER,
1656     verNum INTEGER (0..MAX) }

1658 PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
1659     preferredStaleVerNum INTEGER (0..MAX),
1660     legacyStaleVersion OCTET STRING }

1662 aa-targetHardwareIDs ATTRIBUTE ::=
1663     { TYPE TargetHardwareIdentifiers IDENTIFIED BY
1664     id-aa-targetHardwareIDs }

1666 id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
1667     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1668     smime(16) aa(2) 36 }

1670 TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER

1672 aa-decryptKeyID ATTRIBUTE ::=
1673     { TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}

1675 id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
1676     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1677     smime(16) aa(2) 37 }

1679 DecryptKeyIdentifier ::= OCTET STRING

1681 aa-implCryptoAlgs ATTRIBUTE ::=
1682     { TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
1683     id-aa-implCryptoAlgs }

1685 id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
1686     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1687     smime(16) aa(2) 38 }

1689 ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

1691 aa-implCompressAlgs ATTRIBUTE ::=
1692     { TYPE ImplementedCompressAlgorithms IDENTIFIED BY
1693     id-aa-implCompressAlgs }

1695 id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
1696     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1697     smime(16) aa(2) 43 }

1699 ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

1701 aa-communityIdentifiers ATTRIBUTE ::=
1702     { TYPE CommunityIdentifiers IDENTIFIED BY
1703     id-aa-communityIdentifiers }

1705 id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
1706     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1707     smime(16) aa(2) 40 }

1709 CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier

1711 CommunityIdentifier ::= CHOICE {
1712     communityOID OBJECT IDENTIFIER,
1713     hwModuleList HardwareModules }

1715 HardwareModules ::= SEQUENCE {
1716     hwType OBJECT IDENTIFIER,
1717     hwSerialEntries SEQUENCE OF HardwareSerialEntry }

1719 HardwareSerialEntry ::= CHOICE {
1720     all NULL,
1721     single OCTET STRING,
1722     block SEQUENCE {
1723         low OCTET STRING,
1724         high OCTET STRING
1725     }
1726 }

1728 aa-firmwarePackageInfo ATTRIBUTE ::=
1729     { TYPE FirmwarePackageInfo IDENTIFIED BY
1730     id-aa-firmwarePackageInfo }
1731 id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
1732     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1733     smime(16) aa(2) 42 }

1735 FirmwarePackageInfo ::= SEQUENCE {
1736     fwPkgType INTEGER OPTIONAL,
1737     dependencies SEQUENCE OF
1738         PreferredOrLegacyPackageIdentifier OPTIONAL }

1740 -- Firmware Package Unsigned Attributes and Object Identifiers

1742 aa-wrappedFirmwareKey ATTRIBUTE ::=
1743     { TYPE WrappedFirmwareKey IDENTIFIED BY
1744     id-aa-wrappedFirmwareKey }
1745 id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
1746     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1747     smime(16) aa(2) 39 }

1749 WrappedFirmwareKey ::= EnvelopedData
1750 -- Firmware Package Load Receipt Content Type and Object Identifier

1752 ct-firmwareLoadReceipt CONTENT-TYPE ::=
1753     { FirmwarePackageLoadReceipt IDENTIFIED BY
1754     id-ct-firmwareLoadReceipt }
1755 id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= {
1756     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1757     smime(16) ct(1) 17 }

1759 FirmwarePackageLoadReceipt ::= SEQUENCE {
1760     version FWReceiptVersion DEFAULT v1,
1761     hwType OBJECT IDENTIFIER,
1762     hwSerialNum OCTET STRING,
1763     fwPkgName PreferredOrLegacyPackageIdentifier,
1764     trustAnchorKeyID OCTET STRING OPTIONAL,
1765     decryptKeyID [1] OCTET STRING OPTIONAL }

1767 FWReceiptVersion ::= INTEGER { v1(1) }

1769 -- Firmware Package Load Error Report Content Type
1770 -- and Object Identifier

1772 ct-firmwareLoadError CONTENT-TYPE ::=
1773     { FirmwarePackageLoadError
1774     IDENTIFIED BY id-ct-firmwareLoadError }
1775 id-ct-firmwareLoadError OBJECT IDENTIFIER ::= {
1776     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1777     smime(16) ct(1) 18 }

1779 FirmwarePackageLoadError ::= SEQUENCE {
1780     version FWErrorVersion DEFAULT v1,
1781     hwType OBJECT IDENTIFIER,
1782     hwSerialNum OCTET STRING,
1783     errorCode FirmwarePackageLoadErrorCode,
1784     vendorErrorCode VendorLoadErrorCode OPTIONAL,
1785     fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL,
1786     config [1] SEQUENCE OF CurrentFWConfig OPTIONAL }

1788 FWErrorVersion ::= INTEGER { v1(1) }

1790 CurrentFWConfig ::= SEQUENCE {
1791     fwPkgType INTEGER OPTIONAL,
1792     fwPkgName PreferredOrLegacyPackageIdentifier }

1794 FirmwarePackageLoadErrorCode ::= ENUMERATED {
1795     decodeFailure (1),
1796     badContentInfo (2),
1797     badSignedData (3),
1798     badEncapContent (4),
1799     badCertificate (5),
1800     badSignerInfo (6),
1801     badSignedAttrs (7),
1802     badUnsignedAttrs (8),
1803     missingContent (9),
1804     noTrustAnchor (10),
1805     notAuthorized (11),
1806     badDigestAlgorithm (12),
1807     badSignatureAlgorithm (13),
1808     unsupportedKeySize (14),
1809     signatureFailure (15),
1810     contentTypeMismatch (16),
1811     badEncryptedData (17),
1812     unprotectedAttrsPresent (18),
1813     badEncryptContent (19),
1814     badEncryptAlgorithm (20),
1815     missingCiphertext (21),
1816     noDecryptKey (22),
1817     decryptFailure (23),
1818     badCompressAlgorithm (24),
1819     missingCompressedContent (25),
1820     decompressFailure (26),
1821     wrongHardware (27),
1822     stalePackage (28),
1823     notInCommunity (29),
1824     unsupportedPackageType (30),
1825     missingDependency (31),
1826     wrongDependencyVersion (32),
1827     insufficientMemory (33),
1828     badFirmware (34),
1829     unsupportedParameters (35),
1830     breaksDependency (36),
1831     otherError (99) }

1833 VendorLoadErrorCode ::= INTEGER

1835 -- Other Name syntax for Hardware Module Name

1837 on-hardwareModuleName OTHER-NAME ::=
1838     { HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }
1839 id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
1840     iso(1) identified-organization(3) dod(6) internet(1) security(5)
1841     mechanisms(5) pkix(7) on(8) 4 }

1843 HardwareModuleName ::= SEQUENCE {
1844     hwType OBJECT IDENTIFIER,
1845     hwSerialNum OCTET STRING }

1847 END

1849 8. ASN.1 Module for RFC 4998

1851 ERS {iso(1) identified-organization(3) dod(6) internet(1)
1852     security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
1853     id-mod-ers-v1(1) }
1854 DEFINITIONS IMPLICIT TAGS ::=
1855 BEGIN
1856 IMPORTS

1858 AttributeSet{}, ATTRIBUTE
1859 FROM PKIX-CommonTypes
1860     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1861     mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

1863 AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
1864 FROM AlgorithmInformation-2009
1865     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1866     mechanisms(5) pkix(7) id-mod(0)
1867     id-mod-algorithmInformation-02(58)}

1869 ContentInfo
1870 FROM CryptographicMessageSyntax2004
1871     { iso(1) member-body(2) us(840) rsadsi(113549)
1872     pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } ;

1874 aa-er-Internal ATTRIBUTE ::=
1875     { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
1876 id-aa-er-internal OBJECT IDENTIFIER ::=
1877     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1878     smime(16) id-aa(2) 49 }

1880 aa-er-External ATTRIBUTE ::=
1881     { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
1882 id-aa-er-external OBJECT IDENTIFIER ::=
1883     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1884     smime(16) id-aa(2) 50 }

1886 ltans OBJECT IDENTIFIER ::=
1887     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1888     mechanisms(5) ltans(11) }

1890 EvidenceRecord ::= SEQUENCE {
1891     version INTEGER { v1(1) } ,
1892     digestAlgorithms SEQUENCE OF AlgorithmIdentifier
1893         {DIGEST-ALGORITHM, {...}},
1894     cryptoInfos [0] CryptoInfos OPTIONAL,
1895     encryptionInfo [1] EncryptionInfo OPTIONAL,
1896     archiveTimeStampSequence ArchiveTimeStampSequence
1897 }

1899 CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}}

1901 ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain

1903 ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp

1905 ArchiveTimeStamp ::= SEQUENCE {
1906     digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
1907         OPTIONAL,
1908     attributes [1] Attributes OPTIONAL,
1909     reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
1910     timeStamp ContentInfo
1911 }

1913 PartialHashtree ::= SEQUENCE OF OCTET STRING

1915 Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}}

1917 EncryptionInfo ::= SEQUENCE {
1918     encryptionInfoType ENCINFO-TYPE.
1919         &id({SupportedEncryptionAlgorithms}),
1920     encryptionInfoValue ENCINFO-TYPE.
1921         &Type({SupportedEncryptionAlgorithms}
1922         {@encryptionInfoType})
1923 }

1925 ENCINFO-TYPE ::= TYPE-IDENTIFIER

1927 SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}

1929 END

1931 9. ASN.1 Module for RFC 5035

1933 ExtendedSecurityServices-2009
1934     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1935     smime(16) modules(0) id-mod-ess-2006-02(42) }
1936 DEFINITIONS IMPLICIT TAGS ::=
1937 BEGIN
1938 IMPORTS

1940 AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{}
1941 FROM PKIX-CommonTypes-2009
1942     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1943     mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

1945 AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
1946 FROM AlgorithmInformation-2009
1947     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1948     mechanisms(5) pkix(7) id-mod(0)
1949     id-mod-algorithmInformation-02(58)}

1951 ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
1952     CONTENT-TYPE
1953 FROM CryptographicMessageSyntax-2009
1954     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1955     smime(16) modules(0) id-mod-cms-2004-02(41) }

1957 CertificateSerialNumber
1958 FROM PKIX1Explicit-2009
1959     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1960     mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

1962 PolicyInformation, GeneralNames
1963 FROM PKIX1Implicit-2009
1964     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1965
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} 1967 mda-sha256 1968 FROM PKIX1-PSS-OAEP-Algorithms-2009 1969 { iso(1) identified-organization(3) dod(6) 1970 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 1971 id-mod-pkix1-rsa-pkalgs-02(54) } ; 1973 EssSignedAttributes ATTRIBUTE ::= { 1974 aa-receiptRequest | aa-contentIdentifier | aa-contentHint | 1975 aa-msgSigDigest | aa-contentReference | aa-securityLabel | 1976 aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate | 1977 aa-signingCertificateV2, ... } 1979 EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... } 1981 -- Extended Security Services 1982 -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 1983 -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or 1984 -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE 1985 -- to have at least one entry. MAX indicates the upper bound is 1986 -- unspecified. Implementations are free to choose an upper bound 1987 -- that suits their environment. 

1989    -- Section 2.7

1991    aa-receiptRequest ATTRIBUTE ::=
1992        { TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}

1994    ReceiptRequest ::= SEQUENCE {
1995        signedContentIdentifier ContentIdentifier,
1996        receiptsFrom ReceiptsFrom,
1997        receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
1998    }

2000    ub-receiptsTo INTEGER ::= 16

2002    aa-contentIdentifier ATTRIBUTE ::=
2003        { TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}
2004    id-aa-receiptRequest OBJECT IDENTIFIER ::=
2005        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2006        smime(16) id-aa(2) 1}

2008    ContentIdentifier ::= OCTET STRING

2010    id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2011        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}

2013    ct-receipt CONTENT-TYPE ::=
2014        { Receipt IDENTIFIED BY id-ct-receipt }
2015    id-ct-receipt OBJECT IDENTIFIER ::=
2016        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2017        smime(16) id-ct(1) 1}

2019    ReceiptsFrom ::= CHOICE {
2020        allOrFirstTier [0] AllOrFirstTier,
2021            -- formerly "allOrNone [0]AllOrNone"
2022        receiptList [1] SEQUENCE OF GeneralNames }

2024    AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
2025        allReceipts (0),
2026        firstTierRecipients (1) }

2028    -- Section 2.8

2030    Receipt ::= SEQUENCE {
2031        version ESSVersion,
2032        contentType ContentType,
2033        signedContentIdentifier ContentIdentifier,
2034        originatorSignatureValue OCTET STRING
2035    }

2037    ESSVersion ::= INTEGER { v1(1) }

2039    -- Section 2.9

2041    aa-contentHint ATTRIBUTE ::=
2042        { TYPE ContentHints IDENTIFIED BY id-aa-contentHint }
2043    id-aa-contentHint OBJECT IDENTIFIER ::=
2044        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2045        smime(16) id-aa(2) 4}

2047    ContentHints ::= SEQUENCE {
2048        contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
2049        contentType ContentType }

2051    -- Section 2.10

2053    aa-msgSigDigest ATTRIBUTE ::=
2054        { TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }
2055    id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2056        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}

2058    MsgSigDigest ::= OCTET STRING

2060    -- Section 2.11

2062    aa-contentReference ATTRIBUTE ::=
2063        { TYPE ContentReference IDENTIFIED BY id-aa-contentReference }
2064    id-aa-contentReference OBJECT IDENTIFIER ::=
2065        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2066        smime(16) id-aa(2) 10 }

2068    ContentReference ::= SEQUENCE {
2069        contentType ContentType,
2070        signedContentIdentifier ContentIdentifier,
2071        originatorSignatureValue OCTET STRING }

2073    -- Section 3.2

2075    aa-securityLabel ATTRIBUTE ::=
2076        { TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }
2077    id-aa-securityLabel OBJECT IDENTIFIER ::=
2078        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2079        smime(16) id-aa(2) 2}

2081    ESSSecurityLabel ::= SET {
2082        security-policy-identifier SecurityPolicyIdentifier,
2083        security-classification SecurityClassification OPTIONAL,
2084        privacy-mark ESSPrivacyMark OPTIONAL,
2085        security-categories SecurityCategories OPTIONAL }

2087    SecurityPolicyIdentifier ::= OBJECT IDENTIFIER

2089    SecurityClassification ::= INTEGER {
2090        unmarked (0),
2091        unclassified (1),
2092        restricted (2),
2093        confidential (3),
2094        secret (4),
2095        top-secret (5)
2096    } (0..ub-integer-options)

2098    ub-integer-options INTEGER ::= 256

2100    ESSPrivacyMark ::= CHOICE {
2101        pString PrintableString (SIZE (1..ub-privacy-mark-length)),
2102        utf8String UTF8String (SIZE (1..MAX))
2103    }

2105    ub-privacy-mark-length INTEGER ::= 128

2107    SecurityCategories ::=
2108        SET SIZE (1..ub-security-categories) OF SecurityCategory
2109            {{SupportedSecurityCategories}}

2111    ub-security-categories INTEGER ::= 64

2113    SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }

2115    -- Section 3.4

2117    aa-equivalentLabels ATTRIBUTE ::=
2118        { TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }
2119    id-aa-equivalentLabels OBJECT IDENTIFIER ::=
2120        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2121        smime(16) id-aa(2) 9}

2123    EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel

2125    -- Section 4.4

2127    aa-mlExpandHistory ATTRIBUTE ::=
2128        { TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }

2130    id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
2131        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2132        smime(16) id-aa(2) 3 }

2134    MLExpansionHistory ::= SEQUENCE
2135        SIZE (1..ub-ml-expansion-history) OF MLData

2137    ub-ml-expansion-history INTEGER ::= 64

2139    MLData ::= SEQUENCE {
2140        mailListIdentifier EntityIdentifier,
2141        expansionTime GeneralizedTime,
2142        mlReceiptPolicy MLReceiptPolicy OPTIONAL }

2144    EntityIdentifier ::= CHOICE {
2145        issuerAndSerialNumber IssuerAndSerialNumber,
2146        subjectKeyIdentifier SubjectKeyIdentifier }

2148    MLReceiptPolicy ::= CHOICE {
2149        none [0] NULL,
2150        insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
2151        inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }

2153    -- Section 5.4

2155    aa-signingCertificate ATTRIBUTE ::=
2156        { TYPE SigningCertificate IDENTIFIED BY
2157            id-aa-signingCertificate }
2158    id-aa-signingCertificate OBJECT IDENTIFIER ::=
2159        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
2160        smime(16) id-aa(2) 12 }

2162    SigningCertificate ::= SEQUENCE {
2163        certs SEQUENCE OF ESSCertID,
2164        policies SEQUENCE OF PolicyInformation OPTIONAL
2165    }

2167    aa-signingCertificateV2 ATTRIBUTE ::=
2168        { TYPE SigningCertificateV2 IDENTIFIED BY
2169            id-aa-signingCertificateV2 }
2170    id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
2171        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
2172        smime(16) id-aa(2) 47 }

2174    SigningCertificateV2 ::= SEQUENCE {
2175        certs SEQUENCE OF ESSCertIDv2,
2176        policies SEQUENCE OF PolicyInformation OPTIONAL
2177    }
2178    HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
2179        {mda-sha256, ...}}

2181    ESSCertIDv2 ::= SEQUENCE {
2182        hashAlgorithm HashAlgorithm
2183            DEFAULT { algorithm mda-sha256.&id },
2184        certHash Hash,
2185        issuerSerial IssuerSerial OPTIONAL
2186    }

2188    ESSCertID ::= SEQUENCE {
2189        certHash Hash,
2190        issuerSerial IssuerSerial OPTIONAL
2191    }

2193    Hash ::= OCTET STRING

2195    IssuerSerial ::= SEQUENCE {
2196        issuer GeneralNames,
2197        serialNumber CertificateSerialNumber
2198    }

2200    END

2202 10.  ASN.1 Module for RFC 5083

2204    CMS-AuthEnvelopedData-2009
2205        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2206        smime(16) modules(0) id-mod-cms-authEnvelopedData-02(43)}
2207    DEFINITIONS IMPLICIT TAGS ::=
2208    BEGIN
2209    IMPORTS

2211    AuthAttributes, CMSVersion, EncryptedContentInfo,
2212        MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
2213        UnauthAttributes, CONTENT-TYPE
2214    FROM CryptographicMessageSyntax-2009
2215        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2216        smime(16) modules(0) id-mod-cms-2004-02(41)} ;

2218    ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }

2220    ct-authEnvelopedData CONTENT-TYPE ::= {
2221        AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
2222    }

2224    id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
2225        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2226        smime(16) ct(1) 23}

2228    AuthEnvelopedData ::= SEQUENCE {
2229        version CMSVersion,
2230        originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
2231        recipientInfos RecipientInfos,
2232        authEncryptedContentInfo EncryptedContentInfo,
2233        authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
2234        mac MessageAuthenticationCode,
2235        unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL
2236    }

2238    END

2240 11.  ASN.1 Module for RFC 5084

2242    CMS-AES-CCM-and-AES-GCM-2009
2243        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
2244        pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
2245    DEFINITIONS IMPLICIT TAGS ::=
2246    BEGIN
2247    EXPORTS ALL;
2248    IMPORTS

2250    CONTENT-ENCRYPTION, SMIME-CAPS
2251    FROM AlgorithmInformation-2009
2252        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2253        mechanisms(5) pkix(7) id-mod(0)
2254        id-mod-algorithmInformation-02(58)};

2256    -- Add this algorithm set to include all of the algorithms defined in
2257    -- this document

2259    ContentEncryptionAlgs CONTENT-ENCRYPTION ::= {
2260        cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM |
2261        cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... }

2263    SMimeCaps SMIME-CAPS ::= {
2264        cea-aes128-CCM.&smimeCaps |
2265        cea-aes192-CCM.&smimeCaps |
2266        cea-aes256-CCM.&smimeCaps |
2267        cea-aes128-GCM.&smimeCaps |
2268        cea-aes192-GCM.&smimeCaps |
2269        cea-aes256-GCM.&smimeCaps,
2270        ...
2271    }

2273    -- Defining objects

2275    aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
2276        organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }

2278    cea-aes128-CCM CONTENT-ENCRYPTION ::= {
2279        IDENTIFIER id-aes128-CCM
2280        PARAMS TYPE CCMParameters ARE required
2281        SMIME-CAPS { IDENTIFIED BY id-aes128-CCM }
2282    }
2283    id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }

2285    cea-aes192-CCM CONTENT-ENCRYPTION ::= {
2286        IDENTIFIER id-aes192-CCM
2287        PARAMS TYPE CCMParameters ARE required
2288        SMIME-CAPS { IDENTIFIED BY id-aes192-CCM }
2289    }
2290    id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }

2292    cea-aes256-CCM CONTENT-ENCRYPTION ::= {
2293        IDENTIFIER id-aes256-CCM
2294        PARAMS TYPE CCMParameters ARE required
2295        SMIME-CAPS { IDENTIFIED BY id-aes256-CCM }

2297    }
2298    id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }

2300    cea-aes128-GCM CONTENT-ENCRYPTION ::= {
2301        IDENTIFIER id-aes128-GCM
2302        PARAMS TYPE GCMParameters ARE required
2303        SMIME-CAPS { IDENTIFIED BY id-aes128-GCM }
2304    }
2305    id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }

2307    cea-aes192-GCM CONTENT-ENCRYPTION ::= {
2308        IDENTIFIER id-aes192-GCM
2309        PARAMS TYPE GCMParameters ARE required
2310        SMIME-CAPS { IDENTIFIED BY id-aes192-GCM }
2311    }
2312    id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }

2314    cea-aes256-GCM CONTENT-ENCRYPTION ::= {
2315        IDENTIFIER id-aes256-GCM
2316        PARAMS TYPE GCMParameters ARE required
2317        SMIME-CAPS { IDENTIFIED BY id-aes256-GCM }
2318    }
2319    id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }

2321    -- Parameters for AlgorithmIdentifier

2323    CCMParameters ::= SEQUENCE {
2324        aes-nonce OCTET STRING (SIZE(7..13)),
2325        aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }

2327    AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)

2329    GCMParameters ::= SEQUENCE {
2330        aes-nonce OCTET STRING, -- recommended size is 12 octets
2331        aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }

2333    AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)

2335    END

2337 12.  ASN.1 Module for RFC 5275

2339    SMIMESymmetricKeyDistribution-2009
2340        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2341        smime(16) modules(0) id-mod-symkeydist-02(36)}
2342    DEFINITIONS IMPLICIT TAGS ::=
2343    BEGIN
2344    EXPORTS ALL;
2345    IMPORTS

2347    AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP,
2348        SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS
2349    FROM AlgorithmInformation-2009
2350        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2351        mechanisms(5) pkix(7) id-mod(0)
2352        id-mod-algorithmInformation-02(58)}

2354    GeneralName
2355    FROM PKIX1Implicit-2009
2356        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2357        mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

2359    Certificate
2360    FROM PKIX1Explicit-2009
2361        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2362        mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

2364    RecipientInfos, KEKIdentifier, CertificateSet
2365    FROM CryptographicMessageSyntax-2009
2366        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2367        smime(16) modules(0) id-mod-cms-2004-02(41) }

2369    cap-3DESwrap
2370    FROM CryptographicMessageSyntaxAlgorithms
2371        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2372        smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

2374    AttributeCertificate
2375    FROM PKIXAttributeCertificate-2009
2376        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2377        mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) }

2379    CMC-CONTROL, EXTENDED-FAILURE-INFO
2380    FROM EnrollmentMessageSyntax
2381        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2382        mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) }

2384    kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap
2385    FROM CMSAesRsaesOaep-2009
2386        { iso(1) member-body(2) us(840) rsadsi(113549)
2387        pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ;

2389    -- This defines the group list (GL) symmetric key distribution OID arc
2390    id-skd OBJECT IDENTIFIER ::=
2391        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2392        smime(16) skd(8) }

2394    SKD-ControlSet CMC-CONTROL ::= {
2395        skd-glUseKEK | skd-glDelete | skd-glAddMember |
2396        skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
2397        skd-glRemoveOwner | skd-glKeyCompromise |
2398        skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
2399        skd-glManageCert | skd-glKey, ... }

2401    -- This defines the GL Use KEK control attribute

2403    skd-glUseKEK CMC-CONTROL ::=
2404        { GLUseKEK IDENTIFIED BY id-skd-glUseKEK }

2406    id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1}

2408    GLUseKEK ::= SEQUENCE {
2409        glInfo GLInfo,
2410        glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo,
2411        glAdministration GLAdministration DEFAULT managed,
2412        glKeyAttributes GLKeyAttributes OPTIONAL
2413    }

2415    GLInfo ::= SEQUENCE {
2416        glName GeneralName,
2417        glAddress GeneralName
2418    }

2420    GLOwnerInfo ::= SEQUENCE {
2421        glOwnerName GeneralName,
2422        glOwnerAddress GeneralName,
2423        certificates Certificates OPTIONAL
2424    }

2426    GLAdministration ::= INTEGER {
2427        unmanaged (0),
2428        managed (1),
2429        closed (2)
2430    }

2432    --
2433    -- The advertised set of algorithm capabilities for the document
2434    --

2436    SKD-Caps SMIME-CAPS ::= {
2437        cap-3DESwrap | kwa-aes128-wrap.&smimeCaps |
2438        kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ...
2439    }

2441    cap-aes128-cbc KeyWrapAlgorithm ::=
2442        { capabilityID kwa-aes128-wrap.&smimeCaps.&id }

2444    --
2445    -- The set of key wrap algorithms supported by this specification
2446    --

2448    KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}}

2450    GLKeyAttributes ::= SEQUENCE {
2451        rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
2452        recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
2453        duration [2] INTEGER DEFAULT 0,
2454        generationCounter [3] INTEGER DEFAULT 2,
2455        requestedAlgorithm [4] KeyWrapAlgorithm
2456            DEFAULT cap-aes128-cbc
2457    }

2459    -- This defines the Delete GL control attribute.
2460    -- It has the simple type GeneralName.

2462    skd-glDelete CMC-CONTROL ::=
2463        { DeleteGL IDENTIFIED BY id-skd-glDelete }

2465    id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2}
2466    DeleteGL ::= GeneralName

2468    -- This defines the Add GL Member control attribute

2470    skd-glAddMember CMC-CONTROL ::=
2471        { GLAddMember IDENTIFIED BY id-skd-glAddMember }

2473    id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3}
2474    GLAddMember ::= SEQUENCE {
2475        glName GeneralName,
2476        glMember GLMember
2477    }

2479    GLMember ::= SEQUENCE {
2480        glMemberName GeneralName,
2481        glMemberAddress GeneralName OPTIONAL,
2482        certificates Certificates OPTIONAL
2483    }

2485    Certificates ::= SEQUENCE {
2486        pKC [0] Certificate OPTIONAL,
2487            -- See RFC 5280
2488        aC [1] SEQUENCE SIZE (1..MAX) OF
2489            AttributeCertificate OPTIONAL,
2490            -- See RFC 3281
2491        certPath [2] CertificateSet OPTIONAL
2492            -- From RFC 3852
2493    }

2495    -- This defines the Delete GL Member control attribute

2497    skd-glDeleteMember CMC-CONTROL ::=
2498        { GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember }

2500    id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4}

2502    GLDeleteMember ::= SEQUENCE {
2503        glName GeneralName,
2504        glMemberToDelete GeneralName
2505    }

2507    -- This defines the Rekey GL control attribute

2509    skd-glRekey CMC-CONTROL ::=
2510        { GLRekey IDENTIFIED BY id-skd-glRekey }

2512    id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5}

2514    GLRekey ::= SEQUENCE {
2515        glName GeneralName,
2516        glAdministration GLAdministration OPTIONAL,
2517        glNewKeyAttributes GLNewKeyAttributes OPTIONAL,
2518        glRekeyAllGLKeys BOOLEAN OPTIONAL
2519    }

2521    GLNewKeyAttributes ::= SEQUENCE {
2522        rekeyControlledByGLO [0] BOOLEAN OPTIONAL,
2523        recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL,
2524        duration [2] INTEGER OPTIONAL,
2525        generationCounter [3] INTEGER OPTIONAL,
2526        requestedAlgorithm [4] KeyWrapAlgorithm OPTIONAL
2527    }

2529    -- This defines the Add and Delete GL Owner control attributes

2531    skd-glAddOwner CMC-CONTROL ::=
2532        { GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner }

2534    id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6}

2536    skd-glRemoveOwner CMC-CONTROL ::=
2537        { GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner }

2539    id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7}

2541    GLOwnerAdministration ::= SEQUENCE {
2542        glName GeneralName,
2543        glOwnerInfo GLOwnerInfo
2544    }

2546    -- This defines the GL Key Compromise control attribute.
2547    -- It has the simple type GeneralName.

2549    skd-glKeyCompromise CMC-CONTROL ::=
2550        { GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise }

2552    id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8}
2553    GLKCompromise ::= GeneralName

2555    -- This defines the GL Key Refresh control attribute.

2557    skd-glkRefresh CMC-CONTROL ::=
2558        { GLKRefresh IDENTIFIED BY id-skd-glkRefresh }

2560    id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9}

2562    GLKRefresh ::= SEQUENCE {
2563        glName GeneralName,
2564        dates SEQUENCE SIZE (1..MAX) OF Date
2565    }

2567    Date ::= SEQUENCE {
2568        start GeneralizedTime,
2569        end GeneralizedTime OPTIONAL
2570    }

2572    -- This defines the GLA Query Request control attribute.

2574    skd-glaQueryRequest CMC-CONTROL ::=
2575        { GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest }

2577    id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11}

2579    SKD-QUERY ::= TYPE-IDENTIFIER

2581    SkdQuerySet SKD-QUERY ::= {skd-AlgRequest, ...}
2582    GLAQueryRequest ::= SEQUENCE {
2583        glaRequestType SKD-QUERY.&id ({SkdQuerySet}),
2584        glaRequestValue SKD-QUERY.
2585            &Type ({SkdQuerySet}{@glaRequestType})
2586    }

2588    -- This defines the GLA Query Response control attribute.

2590    skd-glaQueryResponse CMC-CONTROL ::=
2591        { GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse }

2593    id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12}

2595    SKD-RESPONSE ::= TYPE-IDENTIFIER

2597    SkdResponseSet SKD-RESPONSE ::= {skd-AlgResponse, ...}

2599    GLAQueryResponse ::= SEQUENCE {
2600        glaResponseType SKD-RESPONSE.
2601            &id({SkdResponseSet}),
2602        glaResponseValue SKD-RESPONSE.
2603            &Type({SkdResponseSet}{@glaResponseType})}

2605    -- This defines the GLA Request/Response (glaRR) arc for
2606    -- glaRequestType/glaResponseType.

2608    id-cmc-glaRR OBJECT IDENTIFIER ::=
2609        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2610        mechanisms(5) pkix(7) cmc(7) glaRR(99) }

2612    -- This defines the Algorithm Request

2614    skd-AlgRequest SKD-QUERY ::= {
2615        SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest
2616    }

2618    id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }
2619    SKDAlgRequest ::= NULL

2621    -- This defines the Algorithm Response

2623    skd-AlgResponse SKD-RESPONSE ::= {
2624        SMIMECapability{{SKD-Caps}} IDENTIFIED BY
2625            id-cmc-gla-skdAlgResponse
2626    }

2628    id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }
2629    -- Note that the response for algorithmSupported request is the
2630    -- smimeCapabilities attribute as defined in RFC 3851.

2632    -- This defines the control attribute to request an updated
2633    -- certificate to the GLA.

2635    skd-glProvideCert CMC-CONTROL ::=
2636        { GLManageCert IDENTIFIED BY id-skd-glProvideCert }

2638    id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}

2640    GLManageCert ::= SEQUENCE {
2641        glName GeneralName,
2642        glMember GLMember
2643    }

2645    -- This defines the control attribute to return an updated
2646    -- certificate to the GLA.  It has the type GLManageCert.

2648    skd-glManageCert CMC-CONTROL ::=
2649        { GLManageCert IDENTIFIED BY id-skd-glManageCert }

2651    id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}

2653    -- This defines the control attribute to distribute the GL shared
2654    -- KEK.

2656    skd-glKey CMC-CONTROL ::=
2657        { GLKey IDENTIFIED BY id-skd-glKey }

2659    id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}

2661    GLKey ::= SEQUENCE {
2662        glName GeneralName,
2663        glIdentifier KEKIdentifier, -- See RFC 3852
2664        glkWrapped RecipientInfos, -- See RFC 3852
2665        glkAlgorithm KeyWrapAlgorithm,
2666        glkNotBefore GeneralizedTime,
2667        glkNotAfter GeneralizedTime
2668    }

2670    -- This defines the CMC error types

2672    skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= {
2673        SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo
2674    }

2676    id-cet-skdFailInfo OBJECT IDENTIFIER ::=
2677        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2678        mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }

2680    SKDFailInfo ::= INTEGER {
2681        unspecified (0),
2682        closedGL (1),
2683        unsupportedDuration (2),
2684        noGLACertificate (3),
2685        invalidCert (4),
2686        unsupportedAlgorithm (5),
2687        noGLONameMatch (6),
2688        invalidGLName (7),
2689        nameAlreadyInUse (8),
2690        noSpam (9),
2691        deniedAccess (10),
2692        alreadyAMember (11),
2693        notAMember (12),
2694        alreadyAnOwner (13),
2695        notAnOwner (14) }

2697    END

2699 13.  Security Considerations

2701    Even though all the RFCs in this document are security-related, the
2702    document itself does not have any security considerations.  The ASN.1
2703    modules keep the same bits-on-the-wire as the modules that they
2704    replace.

2706 14.  Normative References

2708    [ASN1-2002]
2709               ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and
2710               X.683", ITU-T X.680, X.681, X.682, and X.683, 2002.

2712    [NEW-PKIX]
2713               Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX",
2714               draft-ietf-pkix-new-asn1 (work in progress),
2715               December 2007.

2717    [RFC3370]  Housley, R., "Cryptographic Message Syntax (CMS)
2718               Algorithms", RFC 3370, August 2002.

2720    [RFC3565]  Schaad, J., "Use of the Advanced Encryption Standard (AES)
2721               Encryption Algorithm in Cryptographic Message Syntax
2722               (CMS)", RFC 3565, July 2003.

2724    [RFC3851]  Ramsdell, B., "Secure/Multipurpose Internet Mail
2725               Extensions (S/MIME) Version 3.1 Message Specification",
2726               RFC 3851, July 2004.

2728    [RFC3852]  Housley, R., "Cryptographic Message Syntax (CMS)",
2729               RFC 3852, July 2004.

2731    [RFC4108]  Housley, R., "Using Cryptographic Message Syntax (CMS) to
2732               Protect Firmware Packages", RFC 4108, August 2005.

2734    [RFC4998]  Gondrom, T., Brandner, R., and U. Pordesch, "Evidence
2735               Record Syntax (ERS)", RFC 4998, August 2007.

2737    [RFC5035]  Schaad, J., "Enhanced Security Services (ESS) Update:
2738               Adding CertID Algorithm Agility", RFC 5035, August 2007.

2740    [RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS)
2741               Authenticated-Enveloped-Data Content Type", RFC 5083,
2742               November 2007.

2744    [RFC5084]  Housley, R., "Using AES-CCM and AES-GCM Authenticated
2745               Encryption in the Cryptographic Message Syntax (CMS)",
2746               RFC 5084, November 2007.

2748    [RFC5275]  Turner, S., "CMS Symmetric Key Management and
2749               Distribution", RFC 5275, June 2008.

2751 Appendix A.  Change History

2753    [[ This entire section is to be removed upon publication. ]]

2755 A.1.  Changes between draft-hoffman-cms-new-asn1-00 and
2756       draft-ietf-smime-new-asn1-00

2758    Changed the draft name.

2760    Added RFC 3565.

2762    Added RFC 4998.

2764    Made RFCs-to-be 5083 and 5084 into RFCs.

2766    In RFC 3370, a line in the comment starting with "Another way to
2767    do..." was not commented out when it should have been.

2769    In RFC 3851, the name of the module from which we are importing was
2770    wrong, although the OID was right.

2772    In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate
2773    which version of CMS added the various extensions.

2775 A.2.  Changes between draft-ietf-smime-new-asn1-00 and -01

2777    Added RFC 5275.

2779    Added module for algorithm classes, and modified RFC 3370 and RFC
2780    3852 to use the classes defined.

2782 A.3.  Changes between draft-ietf-smime-new-asn1-01 and -02

2784    Added design notes.

2786    Removed issue on "Algorithm Structure" and issue on "More Modules To
2787    Be Added".

2789    Updated all modules to use objects more deeply.

2791    In section 6, changed "PKCS #10" to "PKCS #7" to reflect the actual
2792    module where the changes were made.

2794 A.4.  Changes between draft-ietf-smime-new-asn1-02 and -03

2796    Many cosmetic-only changes to the modules.

2798    Changed some multi-word keywords to hyphenated (such as "SMIME CAPS"
2799    to "SMIME-CAPS").

2801    Updated the reference of X.680 to X.680, X.681, X.682, and X.683.

2803 A.5.  Changes between draft-ietf-smime-new-asn1-03 and -04

2805    Changed the status of the document.

2807 Authors' Addresses

2809    Paul Hoffman
2810    VPN Consortium
2811    127 Segre Place
2812    Santa Cruz, CA  95060
2813    US

2815    Phone: 1-831-426-9827
2816    Email: paul.hoffman@vpnc.org
2817    Jim Schaad
2818    Soaring Hawk Consulting

2820    Email: jimsch@exmsft.com