diff options
author | Anders Broman <anders.broman@ericsson.com> | 2007-10-07 16:02:04 +0000 |
---|---|---|
committer | Anders Broman <anders.broman@ericsson.com> | 2007-10-07 16:02:04 +0000 |
commit | 0de04bfc2439ac38efa23590dadd54e4a2ad7b90 (patch) | |
tree | 4e88e1cd2000c2c065904438d581b04467e140e3 /asn1 | |
parent | dd122682775a7e1a59bdbf668f8a39db6f8cef89 (diff) | |
download | wireshark-0de04bfc2439ac38efa23590dadd54e4a2ad7b90.tar.gz |
From Martin Peylo:
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1888
There are new versions of CMP (v2) in RFC4210 and CRMF (v2) in RFC4211. The
right to exist of CRMF is bound to CMP so I don't split that into two bug
reports.
I'll upload the new (slightly handmassaged) ASN.1 files for both protocols,
along with patches for the respective cnf files, where I also added new
#.REGISTER statements.
Additionally I had to export some definitions from pkix1explicit (Attribute,
Time, UniqueIdentifier and Version) and from pkix1implicit (KeyIdentifier).
I'll also upload a patch for that.
I uploaded a CMPv2 sample (with errors in the protocol!) to the wiki.
svn path=/trunk/; revision=23082
Diffstat (limited to 'asn1')
-rw-r--r-- | asn1/pkix1explicit/Makefile | 2 | ||||
-rw-r--r-- | asn1/pkix1explicit/Makefile.nmake | 2 | ||||
-rw-r--r-- | asn1/pkix1explicit/PKIX1EXPLICIT93.asn | 15 | ||||
-rw-r--r-- | asn1/pkix1explicit/pkix1explicit-exp.cnf | 8 | ||||
-rw-r--r-- | asn1/pkix1explicit/pkix1explicit.cnf | 10 | ||||
-rw-r--r-- | asn1/pkix1explicit/pkix1explicit_exp.cnf | 8 | ||||
-rw-r--r-- | asn1/pkix1implicit/Makefile | 2 | ||||
-rw-r--r-- | asn1/pkix1implicit/Makefile.nmake | 2 | ||||
-rw-r--r-- | asn1/pkix1implicit/PKIX1IMPLICIT93.asn | 2 | ||||
-rw-r--r-- | asn1/pkix1implicit/pkix1implicit-exp.cnf | 2 | ||||
-rw-r--r-- | asn1/pkix1implicit/pkix1implicit.cnf | 1 | ||||
-rw-r--r-- | asn1/pkix1implicit/pkix1implicit_exp.cnf | 2 | ||||
-rw-r--r-- | asn1/pkixcmp/CMP.asn | 918 | ||||
-rw-r--r-- | asn1/pkixcmp/Makefile | 2 | ||||
-rw-r--r-- | asn1/pkixcmp/Makefile.nmake | 2 | ||||
-rw-r--r-- | asn1/pkixcmp/cmp-exp.cnf | 32 | ||||
-rw-r--r-- | asn1/pkixcmp/cmp.cnf | 42 | ||||
-rw-r--r-- | asn1/pkixcrmf/CRMF.asn | 408 | ||||
-rw-r--r-- | asn1/pkixcrmf/Makefile | 2 | ||||
-rw-r--r-- | asn1/pkixcrmf/Makefile.nmake | 2 | ||||
-rw-r--r-- | asn1/pkixcrmf/crmf-exp.cnf | 8 | ||||
-rw-r--r-- | asn1/pkixcrmf/crmf.cnf | 13 |
22 files changed, 854 insertions, 631 deletions
diff --git a/asn1/pkix1explicit/Makefile b/asn1/pkix1explicit/Makefile index 6ed4f2585e..4dc179e2d8 100644 --- a/asn1/pkix1explicit/Makefile +++ b/asn1/pkix1explicit/Makefile @@ -7,7 +7,7 @@ all: generate_dissector generate_dissector: $(DISSECTOR_FILES) $(DISSECTOR_FILES): ../../tools/asn2wrs.py PKIX1EXPLICIT93.asn packet-pkix1explicit-template.c packet-pkix1explicit-template.h pkix1explicit.cnf - python ../../tools/asn2wrs.py -e -b -p pkix1explicit -c pkix1explicit.cnf -s packet-pkix1explicit-template PKIX1EXPLICIT93.asn + python ../../tools/asn2wrs.py -e -b -X -T -p pkix1explicit -c pkix1explicit.cnf -s packet-pkix1explicit-template PKIX1EXPLICIT93.asn clean: rm -f pkix1explicit-exp.cnf parsetab.py $(DISSECTOR_FILES) diff --git a/asn1/pkix1explicit/Makefile.nmake b/asn1/pkix1explicit/Makefile.nmake index 0ddc6bc643..ff589fbd9c 100644 --- a/asn1/pkix1explicit/Makefile.nmake +++ b/asn1/pkix1explicit/Makefile.nmake @@ -15,7 +15,7 @@ generate_dissector: $(DISSECTOR_FILES) $(DISSECTOR_FILES): ../../tools/asn2wrs.py PKIX1EXPLICIT93.asn packet-pkix1explicit-template.c packet-pkix1explicit-template.h pkix1explicit.cnf !IFDEF PYTHON - $(PYTHON) "../../tools/asn2wrs.py" -e -b -p $(PROTOCOL_NAME) -c pkix1explicit.cnf -s packet-pkix1explicit-template PKIX1EXPLICIT93.asn + $(PYTHON) "../../tools/asn2wrs.py" -e -b -X -T -p $(PROTOCOL_NAME) -c pkix1explicit.cnf -s packet-pkix1explicit-template PKIX1EXPLICIT93.asn !ELSE @echo Error: You need Python to use asn2wrs.py @exit 1 diff --git a/asn1/pkix1explicit/PKIX1EXPLICIT93.asn b/asn1/pkix1explicit/PKIX1EXPLICIT93.asn index 86a52ac153..799e820f56 100644 --- a/asn1/pkix1explicit/PKIX1EXPLICIT93.asn +++ b/asn1/pkix1explicit/PKIX1EXPLICIT93.asn @@ -117,9 +117,9 @@ IMPORTS -- } --} -- ---UniqueIdentifier ::= BIT STRING +UniqueIdentifier ::= BIT STRING -- ---Version ::= INTEGER { v1(0), v2(1), v3(2) } +Version ::= INTEGER { v1(0), v2(1), v3(2) } -- This one is defined with .NO_EMIT in the conformance file -- and implemented in the template as just a call to the @@ -130,9 +130,9 @@ CertificateSerialNumber ::= INTEGER -- notBefore Time, -- notAfter Time } -- ---Time ::= CHOICE { --- utcTime UTCTime, --- generalTime GeneralizedTime } +Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } -- @@ -362,6 +362,11 @@ ValidationParms ::= SEQUENCE { -- values SET SIZE (1 .. MAX) OF ATTRIBUTE.&Type -- ({SupportedAttributes}{@type})} +Attribute ::= SEQUENCE { + type OBJECT IDENTIFIER, + values SET SIZE (1 .. MAX) OF ANY + -- at least one value is required -- } + AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY diff --git a/asn1/pkix1explicit/pkix1explicit-exp.cnf b/asn1/pkix1explicit/pkix1explicit-exp.cnf index a2dd2fb5c0..c167bde3a0 100644 --- a/asn1/pkix1explicit/pkix1explicit-exp.cnf +++ b/asn1/pkix1explicit/pkix1explicit-exp.cnf @@ -8,9 +8,13 @@ PKIX1Explicit93 pkix1explicit #.END #.IMPORT_TAG +UniqueIdentifier BER_CLASS_UNI BER_UNI_TAG_BITSTRING +Version BER_CLASS_UNI BER_UNI_TAG_INTEGER CertificateSerialNumber BER_CLASS_UNI BER_UNI_TAG_INTEGER +Time BER_CLASS_ANY/*choice*/ -1/*choice*/ Extensions BER_CLASS_UNI BER_UNI_TAG_SEQUENCE Extension BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +Attribute BER_CLASS_UNI BER_UNI_TAG_SEQUENCE AttributeTypeAndValue BER_CLASS_UNI BER_UNI_TAG_SEQUENCE RDNSequence BER_CLASS_UNI BER_UNI_TAG_SEQUENCE RelativeDistinguishedName BER_CLASS_UNI BER_UNI_TAG_SET @@ -20,9 +24,13 @@ TeletexDomainDefinedAttribute BER_CLASS_UNI BER_UNI_TAG_SEQUENCE #.END #.TYPE_ATTR +UniqueIdentifier TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0 +Version TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = VALS(pkix1explicit_Version_vals) BITMASK = 0 CertificateSerialNumber TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 +Time TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(pkix1explicit_Time_vals) BITMASK = 0 Extensions TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 Extension TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 +Attribute TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 AttributeTypeAndValue TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 RDNSequence TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 RelativeDistinguishedName TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 diff --git a/asn1/pkix1explicit/pkix1explicit.cnf b/asn1/pkix1explicit/pkix1explicit.cnf index 0e50f5955e..aefafed833 100644 --- a/asn1/pkix1explicit/pkix1explicit.cnf +++ b/asn1/pkix1explicit/pkix1explicit.cnf @@ -6,6 +6,7 @@ #.MODULE_IMPORT #.EXPORTS +Attribute AttributeTypeAndValue CertificateSerialNumber DirectoryString @@ -15,6 +16,9 @@ RelativeDistinguishedName RDNSequence TeletexDomainDefinedAttribute TerminalType +Version +Time +UniqueIdentifier #.REGISTER DirectoryString B "1.3.6.1.5.5.7.2.1" "id-qt-cps" @@ -31,6 +35,12 @@ DomainParameters B "1.2.840.10046.2.1" "dhpublicnumber" #.FN_BODY DirectoryString offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL); +#.FN_PARS Attribute/values + FN_VARIANT = _str HF_INDEX = hf_pkix1explicit_object_identifier_id VAL_PTR = &object_identifier_id + +#.FN_BODY Attribute/values/_item + offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree); + #.FN_PARS AttributeTypeAndValue/value FN_VARIANT = _str HF_INDEX = hf_pkix1explicit_object_identifier_id VAL_PTR = &object_identifier_id diff --git a/asn1/pkix1explicit/pkix1explicit_exp.cnf b/asn1/pkix1explicit/pkix1explicit_exp.cnf index 3007121ce4..c7cca6fc50 100644 --- a/asn1/pkix1explicit/pkix1explicit_exp.cnf +++ b/asn1/pkix1explicit/pkix1explicit_exp.cnf @@ -1,6 +1,7 @@ #.IMPORT_TAG AlgorithmIdentifier BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +Attribute BER_CLASS_UNI BER_UNI_TAG_SEQUENCE AttributeTypeAndValue BER_CLASS_UNI BER_UNI_TAG_SEQUENCE Certificate BER_CLASS_UNI BER_UNI_TAG_SEQUENCE CertificateList BER_CLASS_UNI BER_UNI_TAG_SEQUENCE @@ -15,9 +16,13 @@ RelativeDistinguishedName BER_CLASS_UNI BER_UNI_TAG_SET SubjectPublicKeyInfo BER_CLASS_UNI BER_UNI_TAG_SEQUENCE TeletexDomainDefinedAttribute BER_CLASS_UNI BER_UNI_TAG_SEQUENCE TerminalType BER_CLASS_UNI BER_UNI_TAG_INTEGER +Time BER_CLASS_ANY/*choice*/ -1/*choice*/ +UniqueIdentifier BER_CLASS_UNI BER_UNI_TAG_BITSTRING +Version BER_CLASS_UNI BER_UNI_TAG_INTEGER #.END #.TYPE_ATTR +Attribute TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 AttributeTypeAndValue TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 Certificate TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 CertificateList TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 @@ -32,5 +37,8 @@ RelativeDistinguishedName TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL SubjectPublicKeyInfo TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 TeletexDomainDefinedAttribute TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 TerminalType TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 +Time TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(pkix1explicit_Time_vals) BITMASK = 0 +UniqueIdentifier TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0 +Version TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = VALS(pkix1explicit_Version_vals) BITMASK = 0 #.END diff --git a/asn1/pkix1implicit/Makefile b/asn1/pkix1implicit/Makefile index 4283a3566a..6e11985c59 100644 --- a/asn1/pkix1implicit/Makefile +++ b/asn1/pkix1implicit/Makefile @@ -7,7 +7,7 @@ all: generate_dissector generate_dissector: $(DISSECTOR_FILES) $(DISSECTOR_FILES): ../../tools/asn2wrs.py PKIX1IMPLICIT93.asn packet-pkix1implicit-template.c packet-pkix1implicit-template.h pkix1implicit.cnf - python ../../tools/asn2wrs.py -e -b -p pkix1implicit -c pkix1implicit.cnf -s packet-pkix1implicit-template PKIX1IMPLICIT93.asn + python ../../tools/asn2wrs.py -e -b -X -T -p pkix1implicit -c pkix1implicit.cnf -s packet-pkix1implicit-template PKIX1IMPLICIT93.asn clean: rm -f pkix1implicit-exp.cnf parsetab.py $(DISSECTOR_FILES) diff --git a/asn1/pkix1implicit/Makefile.nmake b/asn1/pkix1implicit/Makefile.nmake index b6718cb304..5ed0f4153d 100644 --- a/asn1/pkix1implicit/Makefile.nmake +++ b/asn1/pkix1implicit/Makefile.nmake @@ -15,7 +15,7 @@ generate_dissector: $(DISSECTOR_FILES) $(DISSECTOR_FILES): ../../tools/asn2wrs.py PKIX1IMPLICIT93.asn packet-pkix1implicit-template.c packet-pkix1implicit-template.h pkix1implicit.cnf !IFDEF PYTHON - $(PYTHON) "../../tools/asn2wrs.py" -e -b -p $(PROTOCOL_NAME) -c pkix1implicit.cnf -s packet-pkix1implicit-template PKIX1IMPLICIT93.asn + $(PYTHON) "../../tools/asn2wrs.py" -e -b -X -T -p $(PROTOCOL_NAME) -c pkix1implicit.cnf -s packet-pkix1implicit-template PKIX1IMPLICIT93.asn !ELSE @echo Error: You need Python to use asn2wrs.py @exit 1 diff --git a/asn1/pkix1implicit/PKIX1IMPLICIT93.asn b/asn1/pkix1implicit/PKIX1IMPLICIT93.asn index 487bf84f62..075c8773f9 100644 --- a/asn1/pkix1implicit/PKIX1IMPLICIT93.asn +++ b/asn1/pkix1implicit/PKIX1IMPLICIT93.asn @@ -83,7 +83,7 @@ IMPORTS -- WITH COMPONENTS {..., authorityCertIssuer ABSENT, -- authorityCertSerialNumber ABSENT} ) -- ---KeyIdentifier ::= OCTET STRING +KeyIdentifier ::= OCTET STRING -- --subjectKeyIdentifier EXTENSION ::= { -- SYNTAX SubjectKeyIdentifier diff --git a/asn1/pkix1implicit/pkix1implicit-exp.cnf b/asn1/pkix1implicit/pkix1implicit-exp.cnf index 9190b0e2fc..c3c898e0cc 100644 --- a/asn1/pkix1implicit/pkix1implicit-exp.cnf +++ b/asn1/pkix1implicit/pkix1implicit-exp.cnf @@ -8,11 +8,13 @@ PKIX1Implicit93 pkix1implicit #.END #.IMPORT_TAG +KeyIdentifier BER_CLASS_UNI BER_UNI_TAG_OCTETSTRING AuthorityInfoAccessSyntax BER_CLASS_UNI BER_UNI_TAG_SEQUENCE UserNotice BER_CLASS_UNI BER_UNI_TAG_SEQUENCE #.END #.TYPE_ATTR +KeyIdentifier TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0 AuthorityInfoAccessSyntax TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 UserNotice TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 #.END diff --git a/asn1/pkix1implicit/pkix1implicit.cnf b/asn1/pkix1implicit/pkix1implicit.cnf index d567a0e4f6..3bfc3d33ad 100644 --- a/asn1/pkix1implicit/pkix1implicit.cnf +++ b/asn1/pkix1implicit/pkix1implicit.cnf @@ -12,6 +12,7 @@ PKIX1Explicit93 pkix1explicit #.EXPORTS AuthorityInfoAccessSyntax +KeyIdentifier UserNotice #.PDU diff --git a/asn1/pkix1implicit/pkix1implicit_exp.cnf b/asn1/pkix1implicit/pkix1implicit_exp.cnf index 982b4642fb..d583aaa454 100644 --- a/asn1/pkix1implicit/pkix1implicit_exp.cnf +++ b/asn1/pkix1implicit/pkix1implicit_exp.cnf @@ -2,6 +2,7 @@ #.IMPORT_TAG AuthorityInfoAccessSyntax BER_CLASS_UNI BER_UNI_TAG_SEQUENCE GeneralName BER_CLASS_CON -1/*choice*/ +KeyIdentifier BER_CLASS_UNI BER_UNI_TAG_OCTETSTRING ReasonFlags BER_CLASS_UNI BER_UNI_TAG_BITSTRING UserNotice BER_CLASS_UNI BER_UNI_TAG_SEQUENCE #.END @@ -9,6 +10,7 @@ UserNotice BER_CLASS_UNI BER_UNI_TAG_SEQUENCE #.TYPE_ATTR AuthorityInfoAccessSyntax TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 GeneralName TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 +KeyIdentifier TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0 ReasonFlags TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0 UserNotice TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 #.END diff --git a/asn1/pkixcmp/CMP.asn b/asn1/pkixcmp/CMP.asn index 17ba4f7c88..79d16be9eb 100644 --- a/asn1/pkixcmp/CMP.asn +++ b/asn1/pkixcmp/CMP.asn @@ -1,403 +1,523 @@ --- This ASN.1 definition is taken from RFC2510 and modified to pass --- through the asn2wrs compiler. --- --- The original copyright statement from RFC2510 follows below: --- +-- Extracted from RFC4210 +-- by Martin Peylo <martin.peylo@nsn.com> +-- +-- Changes to the original ASN.1 source: +-- - Commented out the import of UTF8String which is not needed +-- - Commented out PKIBody/p10cr since PKCS-10 is not implemented +-- - Uncommented the definitions for the OIDs used in InfoTypeAndValue +-- +-- The copyright statement from the original description in RFC4211 +-- follows below: +-- -- Full Copyright Statement -- --- Copyright (C) The Internet Society (1999). All Rights Reserved. --- --- This document and translations of it may be copied and furnished to --- others, and derivative works that comment on or otherwise explain it --- or assist in its implementation may be prepared, copied, published --- and distributed, in whole or in part, without restriction of any --- kind, provided that the above copyright notice and this paragraph are --- included on all such copies and derivative works. However, this --- document itself may not be modified in any way, such as by removing --- the copyright notice or references to the Internet Society or other --- Internet organizations, except as needed for the purpose of --- developing Internet standards in which case the procedures for --- copyrights defined in the Internet Standards process must be --- followed, or as required to translate it into languages other than --- English. +-- Copyright (C) The Internet Society (2005). -- --- The limited permissions granted above are perpetual and will not be --- revoked by the Internet Society or its successors or assigns. +-- This document is subject to the rights, licenses and restrictions +-- contained in BCP 78, and except as set forth therein, the authors +-- retain all their rights. -- --- This document and the information contained herein is provided on an --- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING --- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING --- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION --- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF --- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. --- - - ---PKIXCMP {iso(1) identified-organization(3) dod(6) internet(1) --- security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-cmp(9)} - -CMP DEFINITIONS EXPLICIT TAGS ::= - -BEGIN - - -- EXPORTS ALL -- - -IMPORTS - - Certificate, CertificateList, Extensions, AlgorithmIdentifier - FROM PKIX1Explicit88 {iso(1) identified-organization(3) - dod(6) internet(1) security(5) mechanisms(5) pkix(7) - id-mod(0) id-pkix1-explicit-88(1)} - - GeneralName, ReasonFlags - FROM PKIX1Implicit88 {iso(1) identified-organization(3) - dod(6) internet(1) security(5) mechanisms(5) pkix(7) - id-mod(0) id-pkix1-implicit-88(2)} - - CertTemplate, PKIPublicationInfo, EncryptedValue, CertId, - CertReqMessages - FROM PKIXCRMF {iso(1) identified-organization(3) - dod(6) internet(1) security(5) mechanisms(5) pkix(7) - id-mod(0) id-mod-crmf(5)}; - - -- CertificationRequest - -- FROM PKCS10 {no standard ASN.1 module defined; - -- implementers need to create their own module to import - -- from, or directly include the PKCS10 syntax in this module} - -KeyIdentifier ::= OCTET STRING - -PKIMessage ::= SEQUENCE { - header PKIHeader, - body PKIBody, - protection [0] PKIProtection OPTIONAL, - extraCerts [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL -} - - PKIHeader ::= SEQUENCE { - pvno INTEGER { ietf-version2 (1) }, - sender GeneralName, - -- identifies the sender - recipient GeneralName, - -- identifies the intended recipient - messageTime [0] GeneralizedTime OPTIONAL, - -- time of production of this message (used when sender - -- believes that the transport will be "suitable"; i.e., - -- that the time will still be meaningful upon receipt) - protectionAlg [1] AlgorithmIdentifier OPTIONAL, - -- algorithm used for calculation of protection bits - senderKID [2] KeyIdentifier OPTIONAL, - recipKID [3] KeyIdentifier OPTIONAL, - -- to identify specific keys used for protection - transactionID [4] OCTET STRING OPTIONAL, - -- identifies the transaction; i.e., this will be the same in - -- corresponding request, response and confirmation messages - senderNonce [5] OCTET STRING OPTIONAL, - recipNonce [6] OCTET STRING OPTIONAL, - -- nonces used to provide replay protection, senderNonce - -- is inserted by the creator of this message; recipNonce - -- is a nonce previously inserted in a related message by - -- the intended recipient of this message - freeText [7] PKIFreeText OPTIONAL, - -- this may be used to indicate context-specific instructions - -- (this field is intended for human consumption) - generalInfo [8] SEQUENCE SIZE (1..MAX) OF - InfoTypeAndValue OPTIONAL - -- this may be used to convey context-specific information - -- (this field not primarily intended for human consumption) - } - - PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String - -- text encoded as UTF-8 String (note: each UTF8String SHOULD - -- include an RFC 1766 language tag to indicate the language - -- of the contained text) - - - PKIBody ::= CHOICE { -- message-specific body elements - ir [0] CertReqMessages, --Initialization Request - ip [1] CertRepMessage, --Initialization Response - cr [2] CertReqMessages, --Certification Request - cp [3] CertRepMessage, --Certification Response ---XXX dont know what this one looks like yet --- p10cr [4] CertificationRequest, - --imported from [PKCS10] - popdecc [5] POPODecKeyChallContent, --pop Challenge - popdecr [6] POPODecKeyRespContent, --pop Response - kur [7] CertReqMessages, --Key Update Request - kup [8] CertRepMessage, --Key Update Response - krr [9] CertReqMessages, --Key Recovery Request - krp [10] KeyRecRepContent, --Key Recovery Response - rr [11] RevReqContent, --Revocation Request - rp [12] RevRepContent, --Revocation Response - ccr [13] CertReqMessages, --Cross-Cert. Request - ccp [14] CertRepMessage, --Cross-Cert. Response - ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. - cann [16] CertAnnContent, --Certificate Ann. - rann [17] RevAnnContent, --Revocation Ann. - crlann [18] CRLAnnContent, --CRL Announcement - conf [19] PKIConfirmContent, --Confirmation - nested [20] NestedMessageContent, --Nested Message - genm [21] GenMsgContent, --General Message - genp [22] GenRepContent, --General Response - error [23] ErrorMsgContent --Error Message - } - - PKIProtection ::= BIT STRING - - ProtectedPart ::= SEQUENCE { - header PKIHeader, - body PKIBody - } - - PasswordBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 13} - - PBMParameter ::= SEQUENCE { - salt OCTET STRING, - owf AlgorithmIdentifier, - -- AlgId for a One-Way Function (SHA-1 recommended) - iterationCount INTEGER, - -- number of times the OWF is applied - mac AlgorithmIdentifier - -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], - } -- or HMAC [RFC2104, RFC2202]) - - DHBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 30} - - DHBMParameter ::= SEQUENCE { - owf AlgorithmIdentifier, - -- AlgId for a One-Way Function (SHA-1 recommended) - mac AlgorithmIdentifier - -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], - } -- or HMAC [RFC2104, RFC2202]) - - - NestedMessageContent ::= PKIMessage - - PKIStatus ::= INTEGER { - granted (0), - -- you got exactly what you asked for - grantedWithMods (1), - -- you got something like what you asked for; the - -- requester is responsible for ascertaining the differences - rejection (2), - -- you don't get it, more information elsewhere in the message - waiting (3), - -- the request body part has not yet been processed, - -- expect to hear more later - revocationWarning (4), - -- this message contains a warning that a revocation is - -- imminent - revocationNotification (5), - -- notification that a revocation has occurred - keyUpdateWarning (6) - -- update already done for the oldCertId specified in - -- CertReqMsg - } - - PKIFailureInfo ::= BIT STRING { - -- since we can fail in more than one way! - -- More codes may be added in the future if/when required. - badAlg (0), - -- unrecognized or unsupported Algorithm Identifier - badMessageCheck (1), - -- integrity check failed (e.g., signature did not verify) - badRequest (2), - -- transaction not permitted or supported - badTime (3), - -- messageTime was not sufficiently close to the system time, - -- as defined by local policy - badCertId (4), - -- no certificate could be found matching the provided criteria - badDataFormat (5), - -- the data submitted has the wrong format - wrongAuthority (6), - -- the authority indicated in the request is different from the - -- one creating the response token - incorrectData (7), - -- the requester's data is incorrect (for notary services) - missingTimeStamp (8), - -- when the timestamp is missing but should be there (by policy) - badPOP (9) - -- the proof-of-possession failed - } - - PKIStatusInfo ::= SEQUENCE { - status PKIStatus, - statusString PKIFreeText OPTIONAL, - failInfo PKIFailureInfo OPTIONAL - } - - OOBCert ::= Certificate - - OOBCertHash ::= SEQUENCE { - hashAlg [0] AlgorithmIdentifier OPTIONAL, - certId [1] CertId OPTIONAL, - hashVal BIT STRING - -- hashVal is calculated over DER encoding of the - -- subjectPublicKey field of the corresponding cert. - } - - POPODecKeyChallContent ::= SEQUENCE OF Challenge - -- One Challenge per encryption key certification request (in the - -- same order as these requests appear in CertReqMessages). - - Challenge ::= SEQUENCE { - owf AlgorithmIdentifier OPTIONAL, - -- MUST be present in the first Challenge; MAY be omitted in any - -- subsequent Challenge in POPODecKeyChallContent (if omitted, - -- then the owf used in the immediately preceding Challenge is - -- to be used). - witness OCTET STRING, - -- the result of applying the one-way function (owf) to a - -- randomly-generated INTEGER, A. [Note that a different - -- INTEGER MUST be used for each Challenge.] - challenge OCTET STRING - -- the encryption (under the public key for which the cert. - -- request is being made) of Rand, where Rand is specified as - -- Rand ::= SEQUENCE { - -- int INTEGER, - -- - the randomly-generated INTEGER A (above) - -- sender GeneralName - -- - the sender's name (as included in PKIHeader) - -- } - } - - POPODecKeyRespContent ::= SEQUENCE OF INTEGER - -- One INTEGER per encryption key certification request (in the - -- same order as these requests appear in CertReqMessages). The - -- retrieved INTEGER A (above) is returned to the sender of the - -- corresponding Challenge. - - - CertRepMessage ::= SEQUENCE { - caPubs [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL, - response SEQUENCE OF CertResponse - } - - CertResponse ::= SEQUENCE { - certReqId INTEGER, - -- to match this response with corresponding request (a value - -- of -1 is to be used if certReqId is not specified in the - -- corresponding request) - status PKIStatusInfo, - certifiedKeyPair CertifiedKeyPair OPTIONAL, - rspInfo OCTET STRING OPTIONAL - -- analogous to the id-regInfo-asciiPairs OCTET STRING defined - -- for regInfo in CertReqMsg [CRMF] - } - - CertifiedKeyPair ::= SEQUENCE { - certOrEncCert CertOrEncCert, - privateKey [0] EncryptedValue OPTIONAL, - publicationInfo [1] PKIPublicationInfo OPTIONAL - } - - CertOrEncCert ::= CHOICE { - certificate [0] Certificate, - encryptedCert [1] EncryptedValue - } - - KeyRecRepContent ::= SEQUENCE { - status PKIStatusInfo, - newSigCert [0] Certificate OPTIONAL, - caCerts [1] SEQUENCE SIZE (1..MAX) OF - Certificate OPTIONAL, - keyPairHist [2] SEQUENCE SIZE (1..MAX) OF - CertifiedKeyPair OPTIONAL - } - - RevReqContent ::= SEQUENCE OF RevDetails - - RevDetails ::= SEQUENCE { - certDetails CertTemplate, - -- allows requester to specify as much as they can about - -- the cert. for which revocation is requested - -- (e.g., for cases in which serialNumber is not available) - revocationReason ReasonFlags OPTIONAL, - -- the reason that revocation is requested - badSinceDate GeneralizedTime OPTIONAL, - -- indicates best knowledge of sender - crlEntryDetails Extensions OPTIONAL - -- requested crlEntryExtensions - } - - RevRepContent ::= SEQUENCE { - status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, - -- in same order as was sent in RevReqContent - revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL, - -- IDs for which revocation was requested (same order as status) - crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL - -- the resulting CRLs (there may be more than one) - } - - - CAKeyUpdAnnContent ::= SEQUENCE { - oldWithNew Certificate, -- old pub signed with new priv - newWithOld Certificate, -- new pub signed with old priv - newWithNew Certificate -- new pub signed with new priv - } - - CertAnnContent ::= Certificate - - RevAnnContent ::= SEQUENCE { - status PKIStatus, - certId CertId, - willBeRevokedAt GeneralizedTime, - badSinceDate GeneralizedTime, - crlDetails Extensions OPTIONAL - -- extra CRL details(e.g., crl number, reason, location, etc.) -} - - CRLAnnContent ::= SEQUENCE OF CertificateList - - PKIConfirmContent ::= NULL - - InfoTypeAndValue ::= SEQUENCE { - infoType OBJECT IDENTIFIER, - infoValue ANY OPTIONAL - } - -- Example InfoTypeAndValue contents include, but are not limited to: - -- { CAProtEncCert = {id-it 1}, Certificate } - -- { SignKeyPairTypes = {id-it 2}, SEQUENCE OF AlgorithmIdentifier } - -- { EncKeyPairTypes = {id-it 3}, SEQUENCE OF AlgorithmIdentifier } - -- { PreferredSymmAlg = {id-it 4}, AlgorithmIdentifier } - -- { CAKeyUpdateInfo = {id-it 5}, CAKeyUpdAnnContent } - -- { CurrentCRL = {id-it 6}, CertificateList } - -- where {id-it} = {id-pkix 4} = {1 3 6 1 5 5 7 4} - -- This construct MAY also be used to define new PKIX Certificate - -- Management Protocol request and response messages, or general- - -- purpose (e.g., announcement) messages for future needs or for - -- specific environments. - - GenMsgContent ::= SEQUENCE OF InfoTypeAndValue - - -- May be sent by EE, RA, or CA (depending on message content). - -- The OPTIONAL infoValue parameter of InfoTypeAndValue will typically - -- be omitted for some of the examples given above. The receiver is - -- free to ignore any contained OBJ. IDs that it does not recognize. - -- If sent from EE to CA, the empty set indicates that the CA may send - -- any/all information that it wishes. - - GenRepContent ::= SEQUENCE OF InfoTypeAndValue - -- The receiver is free to ignore any contained OBJ. IDs that it does - -- not recognize. - - ErrorMsgContent ::= SEQUENCE { - pKIStatusInfo PKIStatusInfo, - errorCode INTEGER OPTIONAL, - -- implementation-specific error codes - errorDetails PKIFreeText OPTIONAL - -- implementation-specific error details - } - - - --- The following definition is provided for compatibility reasons with --- 1988 and 1993 ASN.1 compilers which allow the use of UNIVERSAL class --- tags (not a part of formal ASN.1); 1997 and subsequent compilers --- SHOULD comment out this line. --- ---UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING - -END - +-- This document and the information contained herein are provided on an +-- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS +-- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET +-- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, +-- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE +-- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED +-- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + PKIXCMP {iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-mod-cmp2000(16)} + + DEFINITIONS EXPLICIT TAGS ::= + + BEGIN + + -- EXPORTS ALL -- + + IMPORTS + + Certificate, CertificateList, Extensions, AlgorithmIdentifier --, + -- UTF8String + -- if required; otherwise, comment out + FROM PKIX1Explicit88 {iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-pkix1-explicit-88(1)} + + GeneralName, KeyIdentifier + FROM PKIX1Implicit88 {iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-pkix1-implicit-88(2)} + + CertTemplate, PKIPublicationInfo, EncryptedValue, CertId, + CertReqMessages + FROM PKIXCRMF-2005 {iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-mod-crmf2005(36)} + + -- see also the behavioral clarifications to CRMF codified in + -- Appendix C of this specification + + CertificationRequest + FROM PKCS-10 {iso(1) member-body(2) + us(840) rsadsi(113549) + pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)} + + -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT + -- tags). Alternatively, implementers may directly include + -- the [PKCS10] syntax in this module + + ; + + -- the rest of the module contains locally-defined OIDs and + -- constructs + + CMPCertificate ::= CHOICE { + x509v3PKCert Certificate + } + -- This syntax, while bits-on-the-wire compatible with the + -- standard X.509 definition of "Certificate", allows the + -- possibility of future certificate types (such as X.509 + -- attribute certificates, WAP WTLS certificates, or other kinds + -- of certificates) within this certificate management protocol, + -- should a need ever arise to support such generality. Those + -- implementations that do not foresee a need to ever support + -- other certificate types MAY, if they wish, comment out the + -- above structure and "un-comment" the following one prior to + -- compiling this ASN.1 module. (Note that interoperability + -- with implementations that don't do this will be unaffected by + -- this change.) + + -- CMPCertificate ::= Certificate + + PKIMessage ::= SEQUENCE { + header PKIHeader, + body PKIBody, + protection [0] PKIProtection OPTIONAL, + extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate + OPTIONAL + } + + PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage + + PKIHeader ::= SEQUENCE { + pvno INTEGER { cmp1999(1), cmp2000(2) }, + sender GeneralName, + -- identifies the sender + recipient GeneralName, + -- identifies the intended recipient + messageTime [0] GeneralizedTime OPTIONAL, + -- time of production of this message (used when sender + -- believes that the transport will be "suitable"; i.e., + -- that the time will still be meaningful upon receipt) + protectionAlg [1] AlgorithmIdentifier OPTIONAL, + -- algorithm used for calculation of protection bits + senderKID [2] KeyIdentifier OPTIONAL, + recipKID [3] KeyIdentifier OPTIONAL, + -- to identify specific keys used for protection + transactionID [4] OCTET STRING OPTIONAL, + -- identifies the transaction; i.e., this will be the same in + -- corresponding request, response, certConf, and PKIConf + -- messages + senderNonce [5] OCTET STRING OPTIONAL, + recipNonce [6] OCTET STRING OPTIONAL, + -- nonces used to provide replay protection, senderNonce + -- is inserted by the creator of this message; recipNonce + -- is a nonce previously inserted in a related message by + -- the intended recipient of this message + freeText [7] PKIFreeText OPTIONAL, + -- this may be used to indicate context-specific instructions + -- (this field is intended for human consumption) + generalInfo [8] SEQUENCE SIZE (1..MAX) OF + InfoTypeAndValue OPTIONAL + -- this may be used to convey context-specific information + -- (this field not primarily intended for human consumption) + } + + PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String + -- text encoded as UTF-8 String [RFC3629] (note: each + -- UTF8String MAY include an [RFC3066] language tag + -- to indicate the language of the contained text + -- see [RFC2482] for details) + + PKIBody ::= CHOICE { -- message-specific body elements + ir [0] CertReqMessages, --Initialization Request + ip [1] CertRepMessage, --Initialization Response + cr [2] CertReqMessages, --Certification Request + cp [3] CertRepMessage, --Certification Response + -- p10cr [4] CertificationRequest, + --imported from [PKCS10] + popdecc [5] POPODecKeyChallContent, --pop Challenge + popdecr [6] POPODecKeyRespContent, --pop Response + kur [7] CertReqMessages, --Key Update Request + kup [8] CertRepMessage, --Key Update Response + krr [9] CertReqMessages, --Key Recovery Request + krp [10] KeyRecRepContent, --Key Recovery Response + rr [11] RevReqContent, --Revocation Request + rp [12] RevRepContent, --Revocation Response + ccr [13] CertReqMessages, --Cross-Cert. Request + ccp [14] CertRepMessage, --Cross-Cert. Response + ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. + cann [16] CertAnnContent, --Certificate Ann. + rann [17] RevAnnContent, --Revocation Ann. + crlann [18] CRLAnnContent, --CRL Announcement + pkiconf [19] PKIConfirmContent, --Confirmation + nested [20] NestedMessageContent, --Nested Message + genm [21] GenMsgContent, --General Message + genp [22] GenRepContent, --General Response + error [23] ErrorMsgContent, --Error Message + certConf [24] CertConfirmContent, --Certificate confirm + pollReq [25] PollReqContent, --Polling request + pollRep [26] PollRepContent --Polling response + } + + PKIProtection ::= BIT STRING + + ProtectedPart ::= SEQUENCE { + header PKIHeader, + body PKIBody + } + + id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13} + PBMParameter ::= SEQUENCE { + salt OCTET STRING, + -- note: implementations MAY wish to limit acceptable sizes + -- of this string to values appropriate for their environment + -- in order to reduce the risk of denial-of-service attacks + owf AlgorithmIdentifier, + -- AlgId for a One-Way Function (SHA-1 recommended) + iterationCount INTEGER, + -- number of times the OWF is applied + -- note: implementations MAY wish to limit acceptable sizes + -- of this integer to values appropriate for their environment + -- in order to reduce the risk of denial-of-service attacks + mac AlgorithmIdentifier + -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], + } -- or HMAC [RFC2104, RFC2202]) + + id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30} + DHBMParameter ::= SEQUENCE { + owf AlgorithmIdentifier, + -- AlgId for a One-Way Function (SHA-1 recommended) + mac AlgorithmIdentifier + -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], + } -- or HMAC [RFC2104, RFC2202]) + + + NestedMessageContent ::= PKIMessages + + PKIStatus ::= INTEGER { + accepted (0), + -- you got exactly what you asked for + grantedWithMods (1), + -- you got something like what you asked for; the + -- requester is responsible for ascertaining the differences + rejection (2), + -- you don't get it, more information elsewhere in the message + waiting (3), + -- the request body part has not yet been processed; expect to + -- hear more later (note: proper handling of this status + -- response MAY use the polling req/rep PKIMessages specified + -- in Section 5.3.22; alternatively, polling in the underlying + -- transport layer MAY have some utility in this regard) + revocationWarning (4), + -- this message contains a warning that a revocation is + -- imminent + revocationNotification (5), + -- notification that a revocation has occurred + keyUpdateWarning (6) + -- update already done for the oldCertId specified in + -- CertReqMsg + } + + PKIFailureInfo ::= BIT STRING { + -- since we can fail in more than one way! + -- More codes may be added in the future if/when required. + badAlg (0), + -- unrecognized or unsupported Algorithm Identifier + badMessageCheck (1), + -- integrity check failed (e.g., signature did not verify) + badRequest (2), + -- transaction not permitted or supported + badTime (3), + -- messageTime was not sufficiently close to the system time, + -- as defined by local policy + badCertId (4), + -- no certificate could be found matching the provided criteria + badDataFormat (5), + -- the data submitted has the wrong format + wrongAuthority (6), + -- the authority indicated in the request is different from the + -- one creating the response token + incorrectData (7), + -- the requester's data is incorrect (for notary services) + missingTimeStamp (8), + -- when the timestamp is missing but should be there + -- (by policy) + badPOP (9), + -- the proof-of-possession failed + certRevoked (10), + -- the certificate has already been revoked + certConfirmed (11), + -- the certificate has already been confirmed + wrongIntegrity (12), + -- invalid integrity, password based instead of signature or + -- vice versa + badRecipientNonce (13), + -- invalid recipient nonce, either missing or wrong value + timeNotAvailable (14), + -- the TSA's time source is not available + unacceptedPolicy (15), + -- the requested TSA policy is not supported by the TSA. + unacceptedExtension (16), + -- the requested extension is not supported by the TSA. + addInfoNotAvailable (17), + -- the additional information requested could not be + -- understood or is not available + badSenderNonce (18), + -- invalid sender nonce, either missing or wrong size + badCertTemplate (19), + -- invalid cert. template or missing mandatory information + signerNotTrusted (20), + -- signer of the message unknown or not trusted + transactionIdInUse (21), + -- the transaction identifier is already in use + unsupportedVersion (22), + -- the version of the message is not supported + notAuthorized (23), + -- the sender was not authorized to make the preceding + -- request or perform the preceding action + systemUnavail (24), + -- the request cannot be handled due to system unavailability + systemFailure (25), + -- the request cannot be handled due to system failure + duplicateCertReq (26) + -- certificate cannot be issued because a duplicate + -- certificate already exists + } + + PKIStatusInfo ::= SEQUENCE { + status PKIStatus, + statusString PKIFreeText OPTIONAL, + failInfo PKIFailureInfo OPTIONAL + } + + OOBCert ::= CMPCertificate + + OOBCertHash ::= SEQUENCE { + hashAlg [0] AlgorithmIdentifier OPTIONAL, + certId [1] CertId OPTIONAL, + hashVal BIT STRING + -- hashVal is calculated over the DER encoding of the + -- self-signed certificate with the identifier certID. + } + + POPODecKeyChallContent ::= SEQUENCE OF Challenge + -- One Challenge per encryption key certification request (in the + -- same order as these requests appear in CertReqMessages). + + Challenge ::= SEQUENCE { + owf AlgorithmIdentifier OPTIONAL, + + -- MUST be present in the first Challenge; MAY be omitted in + -- any subsequent Challenge in POPODecKeyChallContent (if + -- omitted, then the owf used in the immediately preceding + -- Challenge is to be used). + + witness OCTET STRING, + -- the result of applying the one-way function (owf) to a + -- randomly-generated INTEGER, A. [Note that a different + -- INTEGER MUST be used for each Challenge.] + challenge OCTET STRING + -- the encryption (under the public key for which the cert. + -- request is being made) of Rand, where Rand is specified as + -- Rand ::= SEQUENCE { + -- int INTEGER, + -- - the randomly-generated INTEGER A (above) + -- sender GeneralName + -- - the sender's name (as included in PKIHeader) + -- } + } + + POPODecKeyRespContent ::= SEQUENCE OF INTEGER + -- One INTEGER per encryption key certification request (in the + -- same order as these requests appear in CertReqMessages). The + -- retrieved INTEGER A (above) is returned to the sender of the + -- corresponding Challenge. + + CertRepMessage ::= SEQUENCE { + caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate + OPTIONAL, + response SEQUENCE OF CertResponse + } + + CertResponse ::= SEQUENCE { + certReqId INTEGER, + -- to match this response with corresponding request (a value + -- of -1 is to be used if certReqId is not specified in the + -- corresponding request) + status PKIStatusInfo, + certifiedKeyPair CertifiedKeyPair OPTIONAL, + rspInfo OCTET STRING OPTIONAL + -- analogous to the id-regInfo-utf8Pairs string defined + -- for regInfo in CertReqMsg [CRMF] + } + + CertifiedKeyPair ::= SEQUENCE { + certOrEncCert CertOrEncCert, + privateKey [0] EncryptedValue OPTIONAL, + -- see [CRMF] for comment on encoding + publicationInfo [1] PKIPublicationInfo OPTIONAL + } + + CertOrEncCert ::= CHOICE { + certificate [0] CMPCertificate, + encryptedCert [1] EncryptedValue + } + + KeyRecRepContent ::= SEQUENCE { + status PKIStatusInfo, + newSigCert [0] CMPCertificate OPTIONAL, + caCerts [1] SEQUENCE SIZE (1..MAX) OF + CMPCertificate OPTIONAL, + keyPairHist [2] SEQUENCE SIZE (1..MAX) OF + CertifiedKeyPair OPTIONAL + } + + RevReqContent ::= SEQUENCE OF RevDetails + + RevDetails ::= SEQUENCE { + certDetails CertTemplate, + -- allows requester to specify as much as they can about + -- the cert. for which revocation is requested + -- (e.g., for cases in which serialNumber is not available) + crlEntryDetails Extensions OPTIONAL + -- requested crlEntryExtensions + } + + RevRepContent ::= SEQUENCE { + status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, + -- in same order as was sent in RevReqContent + revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId + OPTIONAL, + -- IDs for which revocation was requested + -- (same order as status) + crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList + -- the resulting CRLs (there may be more than one) + } + + CAKeyUpdAnnContent ::= SEQUENCE { + oldWithNew CMPCertificate, -- old pub signed with new priv + newWithOld CMPCertificate, -- new pub signed with old priv + newWithNew CMPCertificate -- new pub signed with new priv + } + + CertAnnContent ::= CMPCertificate + + RevAnnContent ::= SEQUENCE { + status PKIStatus, + certId CertId, + willBeRevokedAt GeneralizedTime, + badSinceDate GeneralizedTime, + crlDetails Extensions OPTIONAL + -- extra CRL details (e.g., crl number, reason, location, etc.) + } + + CRLAnnContent ::= SEQUENCE OF CertificateList + + CertConfirmContent ::= SEQUENCE OF CertStatus + + CertStatus ::= SEQUENCE { + certHash OCTET STRING, + -- the hash of the certificate, using the same hash algorithm + -- as is used to create and verify the certificate signature + certReqId INTEGER, + -- to match this confirmation with the corresponding req/rep + statusInfo PKIStatusInfo OPTIONAL + } + + PKIConfirmContent ::= NULL + + InfoTypeAndValue ::= SEQUENCE { + infoType OBJECT IDENTIFIER, + infoValue ANY DEFINED BY infoType OPTIONAL + } + -- Example InfoTypeAndValue contents include, but are not limited + -- to, the following (un-comment in this ASN.1 module and use as + -- appropriate for a given environment): + -- + -- id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1} + CAProtEncCertValue ::= CMPCertificate + -- id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2} + SignKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier + -- id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3} + EncKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier + -- id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4} + PreferredSymmAlgValue ::= AlgorithmIdentifier + -- id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5} + CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent + -- id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6} + CurrentCRLValue ::= CertificateList + -- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7} + UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER + -- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10} + KeyPairParamReqValue ::= OBJECT IDENTIFIER + -- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11} + KeyPairParamRepValue ::= AlgorithmIdentifier + -- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12} + RevPassphraseValue ::= EncryptedValue + -- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13} + ImplicitConfirmValue ::= NULL + -- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14} + ConfirmWaitTimeValue ::= GeneralizedTime + -- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15} + OrigPKIMessageValue ::= PKIMessages + -- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16} + SuppLangTagsValue ::= SEQUENCE OF UTF8String + -- + -- where + -- + -- id-pkix OBJECT IDENTIFIER ::= { + -- iso(1) identified-organization(3) + -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} + -- and + -- id-it OBJECT IDENTIFIER ::= {id-pkix 4} + -- + -- + -- This construct MAY also be used to define new PKIX Certificate + -- Management Protocol request and response messages, or general- + -- purpose (e.g., announcement) messages for future needs or for + -- specific environments. + + GenMsgContent ::= SEQUENCE OF InfoTypeAndValue + + -- May be sent by EE, RA, or CA (depending on message content). + -- The OPTIONAL infoValue parameter of InfoTypeAndValue will + -- typically be omitted for some of the examples given above. + -- The receiver is free to ignore any contained OBJ. IDs that it + -- does not recognize. If sent from EE to CA, the empty set + -- indicates that the CA may send + -- any/all information that it wishes. + GenRepContent ::= SEQUENCE OF InfoTypeAndValue + -- Receiver MAY ignore any contained OIDs that it does not + -- recognize. + + ErrorMsgContent ::= SEQUENCE { + pKIStatusInfo PKIStatusInfo, + errorCode INTEGER OPTIONAL, + -- implementation-specific error codes + errorDetails PKIFreeText OPTIONAL + -- implementation-specific error details + } + + PollReqContent ::= SEQUENCE OF SEQUENCE { + certReqId INTEGER + } + + PollRepContent ::= SEQUENCE OF SEQUENCE { + certReqId INTEGER, + checkAfter INTEGER, -- time in seconds + reason PKIFreeText OPTIONAL + } + + END -- of CMP module diff --git a/asn1/pkixcmp/Makefile b/asn1/pkixcmp/Makefile index 86b0b27289..bd21be1dd9 100644 --- a/asn1/pkixcmp/Makefile +++ b/asn1/pkixcmp/Makefile @@ -7,7 +7,7 @@ all: generate_dissector generate_dissector: $(DISSECTOR_FILES) $(DISSECTOR_FILES): ../../tools/asn2wrs.py CMP.asn packet-cmp-template.c packet-cmp-template.h cmp.cnf - python ../../tools/asn2wrs.py -b -e -p cmp -c cmp.cnf -s packet-cmp-template CMP.asn + python ../../tools/asn2wrs.py -b -X -T -e -p cmp -c cmp.cnf -s packet-cmp-template CMP.asn clean: rm -f parsetab.py $(DISSECTOR_FILES) diff --git a/asn1/pkixcmp/Makefile.nmake b/asn1/pkixcmp/Makefile.nmake index f5fd271875..4dd7b2f792 100644 --- a/asn1/pkixcmp/Makefile.nmake +++ b/asn1/pkixcmp/Makefile.nmake @@ -15,7 +15,7 @@ generate_dissector: $(DISSECTOR_FILES) $(DISSECTOR_FILES): ../../tools/asn2wrs.py CMP.asn packet-cmp-template.c packet-cmp-template.h cmp.cnf !IFDEF PYTHON - $(PYTHON) "../../tools/asn2wrs.py" -b -e -p $(PROTOCOL_NAME) -c cmp.cnf -s packet-cmp-template CMP.asn + $(PYTHON) "../../tools/asn2wrs.py" -b -X -T -e -p $(PROTOCOL_NAME) -c cmp.cnf -s packet-cmp-template CMP.asn !ELSE @echo Error: You need Python to use asn2wrs.py @exit 1 diff --git a/asn1/pkixcmp/cmp-exp.cnf b/asn1/pkixcmp/cmp-exp.cnf index d09232df9e..0d3611bee7 100644 --- a/asn1/pkixcmp/cmp-exp.cnf +++ b/asn1/pkixcmp/cmp-exp.cnf @@ -4,27 +4,26 @@ # ../../tools/asn2wrs.py -b -e -p cmp -c cmp.cnf -s packet-cmp-template CMP.asn #.MODULE -CMP cmp +PKIXCMP cmp #.END #.IMPORT_TAG +CMPCertificate BER_CLASS_ANY/*choice*/ -1/*choice*/ PKIMessage BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +PKIMessages BER_CLASS_UNI BER_UNI_TAG_SEQUENCE PKIHeader BER_CLASS_UNI BER_UNI_TAG_SEQUENCE PKIFreeText BER_CLASS_UNI BER_UNI_TAG_SEQUENCE PKIBody BER_CLASS_ANY/*choice*/ -1/*choice*/ PKIProtection BER_CLASS_UNI BER_UNI_TAG_BITSTRING ProtectedPart BER_CLASS_UNI BER_UNI_TAG_SEQUENCE -PasswordBasedMac BER_CLASS_UNI BER_UNI_TAG_OID PBMParameter BER_CLASS_UNI BER_UNI_TAG_SEQUENCE -DHBasedMac BER_CLASS_UNI BER_UNI_TAG_OID DHBMParameter BER_CLASS_UNI BER_UNI_TAG_SEQUENCE NestedMessageContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE PKIStatus BER_CLASS_UNI BER_UNI_TAG_INTEGER PKIFailureInfo BER_CLASS_UNI BER_UNI_TAG_BITSTRING PKIStatusInfo BER_CLASS_UNI BER_UNI_TAG_SEQUENCE -OOBCert BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +OOBCert BER_CLASS_ANY/*choice*/ -1/*choice*/ OOBCertHash BER_CLASS_UNI BER_UNI_TAG_SEQUENCE -POPODecKeyChallContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE Challenge BER_CLASS_UNI BER_UNI_TAG_SEQUENCE POPODecKeyRespContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE CertRepMessage BER_CLASS_UNI BER_UNI_TAG_SEQUENCE @@ -36,34 +35,36 @@ RevReqContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE RevDetails BER_CLASS_UNI BER_UNI_TAG_SEQUENCE RevRepContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE CAKeyUpdAnnContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE -CertAnnContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +CertAnnContent BER_CLASS_ANY/*choice*/ -1/*choice*/ RevAnnContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE CRLAnnContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +CertConfirmContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +CertStatus BER_CLASS_UNI BER_UNI_TAG_SEQUENCE PKIConfirmContent BER_CLASS_UNI BER_UNI_TAG_NULL InfoTypeAndValue BER_CLASS_UNI BER_UNI_TAG_SEQUENCE GenMsgContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE -GenRepContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE ErrorMsgContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +PollReqContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +PollRepContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE #.END #.TYPE_ATTR +CMPCertificate TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_CMPCertificate_vals) BITMASK = 0 PKIMessage TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 +PKIMessages TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 PKIHeader TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 PKIFreeText TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 PKIBody TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_PKIBody_vals) BITMASK = 0 PKIProtection TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0 ProtectedPart TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 -PasswordBasedMac TYPE = FT_OID DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 PBMParameter TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 -DHBasedMac TYPE = FT_OID DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 DHBMParameter TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 -NestedMessageContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 +NestedMessageContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 PKIStatus TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_PKIStatus_vals) BITMASK = 0 PKIFailureInfo TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0 PKIStatusInfo TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 -OOBCert TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 +OOBCert TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_CMPCertificate_vals) BITMASK = 0 OOBCertHash TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 -POPODecKeyChallContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 Challenge TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 POPODecKeyRespContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 CertRepMessage TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 @@ -75,13 +76,16 @@ RevReqContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL RevDetails TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 RevRepContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 CAKeyUpdAnnContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 -CertAnnContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 +CertAnnContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_CMPCertificate_vals) BITMASK = 0 RevAnnContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 CRLAnnContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 +CertConfirmContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 +CertStatus TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 PKIConfirmContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 InfoTypeAndValue TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 GenMsgContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 -GenRepContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 ErrorMsgContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 +PollReqContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 +PollRepContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 #.END diff --git a/asn1/pkixcmp/cmp.cnf b/asn1/pkixcmp/cmp.cnf index e572d88425..a57343259c 100644 --- a/asn1/pkixcmp/cmp.cnf +++ b/asn1/pkixcmp/cmp.cnf @@ -6,7 +6,7 @@ #.MODULE_IMPORT PKIX1Explicit88 pkix1explicit PKIX1Implicit88 pkix1implicit -PKIXCRMF crmf +PKIXCRMF-2005 crmf #.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf #.INCLUDE ../pkix1implicit/pkix1implicit_exp.cnf @@ -14,24 +14,24 @@ PKIXCRMF crmf #.EXPORTS CAKeyUpdAnnContent +CMPCertificate +CRLAnnContent CertAnnContent -CertifiedKeyPair +CertConfirmContent CertOrEncCert CertRepMessage CertResponse +CertStatus +CertifiedKeyPair Challenge -CRLAnnContent -DHBasedMac DHBMParameter ErrorMsgContent GenMsgContent -GenRepContent InfoTypeAndValue KeyRecRepContent NestedMessageContent OOBCert OOBCertHash -PasswordBasedMac PBMParameter PKIBody PKIConfirmContent @@ -39,11 +39,13 @@ PKIFailureInfo PKIFreeText PKIHeader PKIMessage +PKIMessages PKIProtection PKIStatus PKIStatusInfo -POPODecKeyChallContent POPODecKeyRespContent +PollRepContent +PollReqContent ProtectedPart RevAnnContent RevDetails @@ -51,12 +53,34 @@ RevRepContent RevReqContent #.REGISTER +PBMParameter B "1.2.840.113533.7.66.13" "id-PasswordBasedMac" +DHBMParameter B "1.2.640.113533.7.66.30" "id-DHBasedMac" +CAProtEncCertValue B "1.3.6.1.5.5.7.4.1" "id-it-caProtEncCert" +SignKeyPairTypesValue B "1.3.6.1.5.5.7.4.2" "id-it-signKeyPairTypes" +EncKeyPairTypesValue B "1.3.6.1.5.5.7.4.3" "id-it-encKeyPairTypes" +PreferredSymmAlgValue B "1.3.6.1.5.5.7.4.4" "id-it-preferredSymmAlg" +CAKeyUpdateInfoValue B "1.3.6.1.5.5.7.4.5" "id-it-caKeyUpdateInfo" +CurrentCRLValue B "1.3.6.1.5.5.7.4.6" "id-it-currentCRL" +UnsupportedOIDsValue B "1.3.6.1.5.5.7.4.7" "id-it-unsupportedOIDs" +KeyPairParamReqValue B "1.3.6.1.5.5.7.4.10" "id-it-keyPairParamReq" +KeyPairParamRepValue B "1.3.6.1.5.5.7.4.11" "id-it-keyPairParamRep" +RevPassphraseValue B "1.3.6.1.5.5.7.4.12" "id-it-revPassphrase" +ImplicitConfirmValue B "1.3.6.1.5.5.7.4.13" "id-it-implicitConfirm" +ConfirmWaitTimeValue B "1.3.6.1.5.5.7.4.14" "id-it-confirmWaitTime" +OrigPKIMessageValue B "1.3.6.1.5.5.7.4.15" "id-it-origPKIMessage" +SuppLangTagsValue B "1.3.6.1.5.5.7.4.16" "id-it-suppLangTags" + #.NO_EMIT #.TYPE_RENAME #.FIELD_RENAME +RevRepContent/status rvrpcnt_status +CertResponse/status pkistatusinf +KeyRecRepContent/status pkistatusinf +PKIStatusInfo/status pkistatus +RevAnnContent/status pkistatus #.FN_PARS InfoTypeAndValue/infoType @@ -65,6 +89,4 @@ RevReqContent #.FN_BODY InfoTypeAndValue/infoValue offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree); -#.END - - +#.END_OF_CNF diff --git a/asn1/pkixcrmf/CRMF.asn b/asn1/pkixcrmf/CRMF.asn index 55ce3a42b4..eb1eb17e61 100644 --- a/asn1/pkixcrmf/CRMF.asn +++ b/asn1/pkixcrmf/CRMF.asn @@ -1,199 +1,191 @@ --- This ASN1 definition is taken from RFC2511 and modified to pass through --- the asn2wrs compiler. +-- Extracted from RFC4211 +-- by Martin Peylo <martin.peylo@nsn.com> -- --- The copyright statement from the original description in RFC2511 +-- Changes to make it work with asn2wrs: +-- - none +-- +-- The copyright statement from the original description in RFC4211 -- follows below: --- --- +-- -- Full Copyright Statement --- --- Copyright (C) The Internet Society (1999). All Rights Reserved. --- --- This document and translations of it may be copied and furnished to --- others, and derivative works that comment on or otherwise explain it --- or assist in its implementation may be prepared, copied, published --- and distributed, in whole or in part, without restriction of any --- kind, provided that the above copyright notice and this paragraph are --- included on all such copies and derivative works. However, this --- document itself may not be modified in any way, such as by removing --- the copyright notice or references to the Internet Society or other --- Internet organizations, except as needed for the purpose of --- developing Internet standards in which case the procedures for --- copyrights defined in the Internet Standards process must be --- followed, or as required to translate it into languages other than --- English. --- --- The limited permissions granted above are perpetual and will not be --- revoked by the Internet Society or its successors or assigns. --- --- This document and the information contained herein is provided on an --- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING --- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING --- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION --- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF --- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - ---PKIXCRMF {iso(1) identified-organization(3) dod(6) internet(1) --- security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf(5)} - -CRMF DEFINITIONS IMPLICIT TAGS ::= +-- +-- Copyright (C) The Internet Society (2005). +-- +-- This document is subject to the rights, licenses and restrictions +-- contained in BCP 78, and except as set forth therein, the authors +-- retain all their rights. +-- +-- This document and the information contained herein are provided on an +-- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS +-- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET +-- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, +-- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE +-- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED +-- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6) internet(1) +security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005(36)} + +DEFINITIONS IMPLICIT TAGS ::= BEGIN IMPORTS - -- Directory Authentication Framework (X.509) - AlgorithmIdentifier, Name, - SubjectPublicKeyInfo, Extensions - FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) + -- Directory Authentication Framework (X.509) + Version, AlgorithmIdentifier, Name, Time, + SubjectPublicKeyInfo, Extensions, UniqueIdentifier, Attribute + FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-pkix1-explicit(18)} -- found in [PROFILE] + + -- Certificate Extensions (X.509) + GeneralName + FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-pkix1-explicit-88(1)} + id-pkix1-implicit(19)} -- found in [PROFILE] - -- Certificate Extensions (X.509) - GeneralName - FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) - internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-pkix1-implicit-88(2)} + -- Cryptographic Message Syntax + EnvelopedData + FROM CryptographicMessageSyntax2004 { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) + modules(0) cms-2004(24) }; -- found in [CMS] - -- Cryptographic Message Syntax - EnvelopedData - FROM CryptographicMessageSyntax { iso(1) member-body(2) - us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) - modules(0) cms(1) }; +-- The following definition may be uncommented for use with +-- ASN.1 compilers that do not understand UTF8String. + +-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING + -- The contents of this type correspond to RFC 2279. + +id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) +dod(6) internet(1) security(5) mechanisms(5) 7 } + +-- arc for Internet X.509 PKI protocols and their components +id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 } ---copied in from pkix1explicit -Version ::= INTEGER { v1(0), v2(1), v3(2) } -UniqueIdentifier ::= BIT STRING -Time ::= CHOICE { - utcTime UTCTime, - generalTime GeneralizedTime } +id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } +id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types +-- Core definitions for this module CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg CertReqMsg ::= SEQUENCE { - certReq CertRequest, - pop ProofOfPossession OPTIONAL, - -- content depends upon key type - regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL } + certReq CertRequest, + popo ProofOfPossession OPTIONAL, + -- content depends upon key type + regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL } CertRequest ::= SEQUENCE { - certReqId INTEGER, -- ID for matching request and reply - certTemplate CertTemplate, -- Selected fields of cert to be issued - controls Controls OPTIONAL } -- Attributes affecting issuance + certReqId INTEGER, -- ID for matching request and reply + certTemplate CertTemplate, -- Selected fields of cert to be issued + controls Controls OPTIONAL } -- Attributes affecting issuance CertTemplate ::= SEQUENCE { - version [0] Version OPTIONAL, - serialNumber [1] INTEGER OPTIONAL, - signingAlg [2] AlgorithmIdentifier OPTIONAL, - issuer [3] Name OPTIONAL, - validity [4] OptionalValidity OPTIONAL, - subject [5] Name OPTIONAL, - publicKey [6] SubjectPublicKeyInfo OPTIONAL, - issuerUID [7] UniqueIdentifier OPTIONAL, - subjectUID [8] UniqueIdentifier OPTIONAL, - extensions [9] Extensions OPTIONAL } + version [0] Version OPTIONAL, + serialNumber [1] INTEGER OPTIONAL, + signingAlg [2] AlgorithmIdentifier OPTIONAL, + issuer [3] Name OPTIONAL, + validity [4] OptionalValidity OPTIONAL, + subject [5] Name OPTIONAL, + publicKey [6] SubjectPublicKeyInfo OPTIONAL, + issuerUID [7] UniqueIdentifier OPTIONAL, + subjectUID [8] UniqueIdentifier OPTIONAL, + extensions [9] Extensions OPTIONAL } OptionalValidity ::= SEQUENCE { - notBefore [0] Time OPTIONAL, - notAfter [1] Time OPTIONAL } --at least one MUST be present + notBefore [0] Time OPTIONAL, + notAfter [1] Time OPTIONAL } -- at least one MUST be present Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue AttributeTypeAndValue ::= SEQUENCE { - type OBJECT IDENTIFIER, - value ANY } + type OBJECT IDENTIFIER, + value ANY DEFINED BY type } ProofOfPossession ::= CHOICE { - raVerified [0] NULL, - -- used if the RA has already verified that the requester is in - -- possession of the private key - signature [1] POPOSigningKey, - keyEncipherment [2] POPOPrivKey, - keyAgreement [3] POPOPrivKey } + raVerified [0] NULL, + -- used if the RA has already verified that the requester is in + -- possession of the private key + signature [1] POPOSigningKey, + keyEncipherment [2] POPOPrivKey, + keyAgreement [3] POPOPrivKey } POPOSigningKey ::= SEQUENCE { - poposkInput [0] POPOSigningKeyInput OPTIONAL, - algorithmIdentifier AlgorithmIdentifier, - signature BIT STRING } - -- The signature (using "algorithmIdentifier") is on the - -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg - -- certReq CertTemplate contains the subject and publicKey values, - -- then poposkInput MUST be omitted and the signature MUST be - -- computed on the DER-encoded value of CertReqMsg certReq. If - -- the CertReqMsg certReq CertTemplate does not contain the public - -- key and subject values, then poposkInput MUST be present and - -- MUST be signed. This strategy ensures that the public key is - -- not present in both the poposkInput and CertReqMsg certReq - -- CertTemplate fields. + poposkInput [0] POPOSigningKeyInput OPTIONAL, + algorithmIdentifier AlgorithmIdentifier, + signature BIT STRING } + + -- The signature (using "algorithmIdentifier") is on the + -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg + -- certReq CertTemplate contains the subject and publicKey values, + -- then poposkInput MUST be omitted and the signature MUST be + -- computed over the DER-encoded value of CertReqMsg certReq. If + -- the CertReqMsg certReq CertTemplate does not contain both the + -- public key and subject values (i.e., if it contains only one + -- of these, or neither), then poposkInput MUST be present and + -- MUST be signed. POPOSigningKeyInput ::= SEQUENCE { - authInfo CHOICE { - sender [0] GeneralName, - -- used only if an authenticated identity has been - -- established for the sender (e.g., a DN from a - -- previously-issued and currently-valid certificate - publicKeyMAC PKMACValue }, - -- used if no authenticated GeneralName currently exists for - -- the sender; publicKeyMAC contains a password-based MAC - -- on the DER-encoded value of publicKey - publicKey SubjectPublicKeyInfo } -- from CertTemplate + authInfo CHOICE { + sender [0] GeneralName, + -- used only if an authenticated identity has been + -- established for the sender (e.g., a DN from a + -- previously-issued and currently-valid certificate) + publicKeyMAC PKMACValue }, + -- used if no authenticated GeneralName currently exists for + -- the sender; publicKeyMAC contains a password-based MAC + -- on the DER-encoded value of publicKey + publicKey SubjectPublicKeyInfo } -- from CertTemplate PKMACValue ::= SEQUENCE { - algId AlgorithmIdentifier, - -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13} - -- parameter value is PBMParameter - value BIT STRING } +algId AlgorithmIdentifier, +-- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13} +-- parameter value is PBMParameter +value BIT STRING } PBMParameter ::= SEQUENCE { - salt OCTET STRING, - owf AlgorithmIdentifier, - -- AlgId for a One-Way Function (SHA-1 recommended) - iterationCount INTEGER, - -- number of times the OWF is applied - mac AlgorithmIdentifier - -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], -} -- or HMAC [RFC2104, RFC2202]) + salt OCTET STRING, + owf AlgorithmIdentifier, + -- AlgId for a One-Way Function (SHA-1 recommended) + iterationCount INTEGER, + -- number of times the OWF is applied + mac AlgorithmIdentifier + -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], +} -- or HMAC [HMAC, RFC2202]) POPOPrivKey ::= CHOICE { - thisMessage [0] BIT STRING, - -- posession is proven in this message (which contains the private - -- key itself (encrypted for the CA)) - subsequentMessage [1] SubsequentMessage, - -- possession will be proven in a subsequent message - dhMAC [2] BIT STRING } - -- for keyAgreement (only), possession is proven in this message - -- (which contains a MAC (over the DER-encoded value of the - -- certReq parameter in CertReqMsg, which MUST include both subject - -- and publicKey) based on a key derived from the end entity's - -- private DH key and the CA's public DH key); - -- the dhMAC value MUST be calculated as per the directions given - -- in Appendix A. + thisMessage [0] BIT STRING, -- Deprecated + -- possession is proven in this message (which contains the private + -- key itself (encrypted for the CA)) + subsequentMessage [1] SubsequentMessage, + -- possession will be proven in a subsequent message + dhMAC [2] BIT STRING, -- Deprecated + agreeMAC [3] PKMACValue, + encryptedKey [4] EnvelopedData } + + -- for keyAgreement (only), possession is proven in this message + -- (which contains a MAC (over the DER-encoded value of the + -- certReq parameter in CertReqMsg, which MUST include both subject + -- and publicKey) based on a key derived from the end entity's + -- private DH key and the CA's public DH key); SubsequentMessage ::= INTEGER { - encrCert (0), - -- requests that resulting certificate be encrypted for the - -- end entity (following which, POP will be proven in a - -- confirmation message) - challengeResp (1) } - -- requests that CA engage in challenge-response exchange with - -- end entity in order to prove private key possession + encrCert (0), + -- requests that resulting certificate be encrypted for the + -- end entity (following which, POP will be proven in a + -- confirmation message) + challengeResp (1) } + -- requests that CA engage in challenge-response exchange with + -- end entity in order to prove private key possession -- Object identifier assignments -- -id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) -dod(6) internet(1) security(5) mechanisms(5) 7 } - --- arc for Internet X.509 PKI protocols and their components -id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 } - -- Registration Controls in CRMF id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 } --- The following definition may be uncommented for use with --- ASN.1 compilers which do not understand UTF8String. - --- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 } --with syntax: @@ -207,57 +199,66 @@ id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 } --with syntax: PKIPublicationInfo ::= SEQUENCE { - action INTEGER { - dontPublish (0), - pleasePublish (1) }, - pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL } - -- pubInfos MUST NOT be present if action is "dontPublish" - -- (if action is "pleasePublish" and pubInfos is omitted, - -- "dontCare" is assumed) +action INTEGER { + dontPublish (0), + pleasePublish (1) }, +pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL } + -- pubInfos MUST NOT be present if action is "dontPublish" + -- (if action is "pleasePublish" and pubInfos is omitted, + -- "dontCare" is assumed) SinglePubInfo ::= SEQUENCE { - pubMethod INTEGER { - dontCare (0), - x500 (1), - web (2), - ldap (3) }, - pubLocation GeneralName OPTIONAL } + pubMethod INTEGER { + dontCare (0), + x500 (1), + web (2), + ldap (3) }, + pubLocation GeneralName OPTIONAL } id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 } --with syntax: PKIArchiveOptions ::= CHOICE { - encryptedPrivKey [0] EncryptedKey, - -- the actual value of the private key - keyGenParameters [1] KeyGenParameters, - -- parameters which allow the private key to be re-generated - archiveRemGenPrivKey [2] BOOLEAN } - -- set to TRUE if sender wishes receiver to archive the private - -- key of a key pair which the receiver generates in response to - -- this request; set to FALSE if no archival is desired. + encryptedPrivKey [0] EncryptedKey, + -- the actual value of the private key + keyGenParameters [1] KeyGenParameters, + -- parameters that allow the private key to be re-generated + archiveRemGenPrivKey [2] BOOLEAN } + -- set to TRUE if sender wishes receiver to archive the private + -- key of a key pair that the receiver generates in response to + -- this request; set to FALSE if no archival is desired. EncryptedKey ::= CHOICE { - encryptedValue EncryptedValue, - envelopedData [0] EnvelopedData } - -- The encrypted private key MUST be placed in the envelopedData - -- encryptedContentInfo encryptedContent OCTET STRING. - + encryptedValue EncryptedValue, -- Deprecated + envelopedData [0] EnvelopedData } + -- The encrypted private key MUST be placed in the envelopedData + -- encryptedContentInfo encryptedContent OCTET STRING. EncryptedValue ::= SEQUENCE { - intendedAlg [0] AlgorithmIdentifier OPTIONAL, - -- the intended algorithm for which the value will be used - symmAlg [1] AlgorithmIdentifier OPTIONAL, - -- the symmetric algorithm used to encrypt the value - encSymmKey [2] BIT STRING OPTIONAL, - -- the (encrypted) symmetric key used to encrypt the value - keyAlg [3] AlgorithmIdentifier OPTIONAL, - -- algorithm used to encrypt the symmetric key - valueHint [4] OCTET STRING OPTIONAL, - -- a brief description or identifier of the encValue content - -- (may be meaningful only to the sending entity, and used only - -- if EncryptedValue might be re-examined by the sending entity - -- in the future) - encValue BIT STRING } - -- the encrypted value itself + intendedAlg [0] AlgorithmIdentifier OPTIONAL, + -- the intended algorithm for which the value will be used + symmAlg [1] AlgorithmIdentifier OPTIONAL, + -- the symmetric algorithm used to encrypt the value + encSymmKey [2] BIT STRING OPTIONAL, + -- the (encrypted) symmetric key used to encrypt the value + keyAlg [3] AlgorithmIdentifier OPTIONAL, + -- algorithm used to encrypt the symmetric key + valueHint [4] OCTET STRING OPTIONAL, + -- a brief description or identifier of the encValue content + -- (may be meaningful only to the sending entity, and used only + -- if EncryptedValue might be re-examined by the sending entity + -- in the future) + encValue BIT STRING } + -- the encrypted value itself +-- When EncryptedValue is used to carry a private key (as opposed to +-- a certificate), implementations MUST support the encValue field +-- containing an encrypted PrivateKeyInfo as defined in [PKCS11], +-- section 12.11. If encValue contains some other format/encoding +-- for the private key, the first octet of valueHint MAY be used +-- to indicate the format/encoding (but note that the possible values +-- of this octet are not specified at this time). In all cases, the +-- intendedAlg field MUST be used to indicate at least the OID of +-- the intended algorithm of the private key, unless this information +-- is known a priori to both sender and receiver by some other means. KeyGenParameters ::= OCTET STRING @@ -266,8 +267,8 @@ id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 } OldCertId ::= CertId CertId ::= SEQUENCE { - issuer GeneralName, - serialNumber INTEGER } + issuer GeneralName, + serialNumber INTEGER } id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 } --with syntax: @@ -284,4 +285,27 @@ id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 } --with syntax CertReq ::= CertRequest +-- id-ct-encKeyWithID is a new content type used for CMS objects. +-- it contains both a private key and an identifier for key escrow +-- agents to check against recovery requestors. + +id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} + +EncKeyWithID ::= SEQUENCE { + privateKey PrivateKeyInfo, + identifier CHOICE { + string UTF8String, + generalName GeneralName + } OPTIONAL +} + +PrivateKeyInfo ::= SEQUENCE { + version INTEGER, + privateKeyAlgorithm AlgorithmIdentifier, + privateKey OCTET STRING, + attributes [0] IMPLICIT Attributes OPTIONAL +} + +Attributes ::= SET OF Attribute + END diff --git a/asn1/pkixcrmf/Makefile b/asn1/pkixcrmf/Makefile index f624d00452..3fc2742987 100644 --- a/asn1/pkixcrmf/Makefile +++ b/asn1/pkixcrmf/Makefile @@ -7,7 +7,7 @@ all: generate_dissector generate_dissector: $(DISSECTOR_FILES) $(DISSECTOR_FILES): ../../tools/asn2wrs.py CRMF.asn packet-crmf-template.c packet-crmf-template.h crmf.cnf - python ../../tools/asn2wrs.py -b -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn + python ../../tools/asn2wrs.py -b -X -T -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn clean: rm -f parsetab.py $(DISSECTOR_FILES) diff --git a/asn1/pkixcrmf/Makefile.nmake b/asn1/pkixcrmf/Makefile.nmake index 505677ce94..7aa239d1e6 100644 --- a/asn1/pkixcrmf/Makefile.nmake +++ b/asn1/pkixcrmf/Makefile.nmake @@ -15,7 +15,7 @@ generate_dissector: $(DISSECTOR_FILES) $(DISSECTOR_FILES): ../../tools/asn2wrs.py CRMF.asn packet-crmf-template.c packet-crmf-template.h crmf.cnf !IFDEF PYTHON - $(PYTHON) "../../tools/asn2wrs.py" -b -e -p $(PROTOCOL_NAME) -c crmf.cnf -s packet-crmf-template CRMF.asn + $(PYTHON) "../../tools/asn2wrs.py" -b -X -T -e -p $(PROTOCOL_NAME) -c crmf.cnf -s packet-crmf-template CRMF.asn !ELSE @echo Error: You need Python to use asn2wrs.py @exit 1 diff --git a/asn1/pkixcrmf/crmf-exp.cnf b/asn1/pkixcrmf/crmf-exp.cnf index f47a763ac4..2df5382d8d 100644 --- a/asn1/pkixcrmf/crmf-exp.cnf +++ b/asn1/pkixcrmf/crmf-exp.cnf @@ -4,7 +4,7 @@ # ../../tools/asn2wrs.py -b -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn #.MODULE -CRMF crmf +PKIXCRMF-2005 crmf #.END #.IMPORT_TAG @@ -35,6 +35,9 @@ CertId BER_CLASS_UNI BER_UNI_TAG_SEQUENCE ProtocolEncrKey BER_CLASS_UNI BER_UNI_TAG_SEQUENCE UTF8Pairs BER_CLASS_UNI BER_UNI_TAG_UTF8String CertReq BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +EncKeyWithID BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +PrivateKeyInfo BER_CLASS_UNI BER_UNI_TAG_SEQUENCE +Attributes BER_CLASS_UNI BER_UNI_TAG_SET #.END #.TYPE_ATTR @@ -65,5 +68,8 @@ CertId TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL ProtocolEncrKey TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 UTF8Pairs TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 CertReq TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 +EncKeyWithID TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 +PrivateKeyInfo TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0 +Attributes TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0 #.END diff --git a/asn1/pkixcrmf/crmf.cnf b/asn1/pkixcrmf/crmf.cnf index 2b902b1f5f..55567b4b72 100644 --- a/asn1/pkixcrmf/crmf.cnf +++ b/asn1/pkixcrmf/crmf.cnf @@ -6,6 +6,7 @@ #.MODULE_IMPORT PKIX1Explicit88 pkix1explicit PKIX1Implicit88 pkix1implicit +CryptographicMessageSyntax2004 cms #.INCLUDE ../cms/cms-exp.cnf #.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf @@ -13,6 +14,7 @@ PKIX1Implicit88 pkix1implicit #.EXPORTS Authenticator +Attributes AttributeTypeAndValue CertId CertReq @@ -21,6 +23,7 @@ CertReqMsg CertRequest CertTemplate Controls +EncKeyWithID EncryptedKey EncryptedValue KeyGenParameters @@ -33,6 +36,7 @@ PKMACValue POPOPrivKey POPOSigningKey POPOSigningKeyInput +PrivateKeyInfo ProofOfPossession ProtocolEncrKey RegToken @@ -41,7 +45,12 @@ SubsequentMessage UTF8Pairs #.REGISTER -PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac" +CertId B "1.3.6.1.5.5.7.5.1.5" "id-regCtrl-oldCertID" +CertRequest B "1.3.6.1.5.5.7.5.2.2" "id-regInfo-certReq" +EncKeyWithID B "1.2.840.113549.1.9.16.1.21" "id-ct-encKeyWithID" +PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac" +ProtocolEncrKey B "1.3.6.1.5.5.7.5.1.6" "id-regCtrl-protocolEncrKey" +UTF8Pairs B "1.3.6.1.5.5.7.5.2.1" "id-regInfo-utf8Pairs" #.NO_EMIT @@ -51,6 +60,8 @@ PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac" CertTemplate/issuer template_issuer POPOSigningKey/signature sk_signature PKMACValue/value pkmac_value +PrivateKeyInfo/version privkey_version +EncKeyWithID/privateKey enckeywid_privkey #.FN_PARS AttributeTypeAndValue/type FN_VARIANT = _str HF_INDEX = hf_crmf_type_oid VAL_PTR = &object_identifier_id |