authorAnders Broman <anders.broman@ericsson.com>2007-10-07 16:02:04 +0000
committerAnders Broman <anders.broman@ericsson.com>2007-10-07 16:02:04 +0000
commit0de04bfc2439ac38efa23590dadd54e4a2ad7b90 (patch)
tree4e88e1cd2000c2c065904438d581b04467e140e3 /asn1
parentdd122682775a7e1a59bdbf668f8a39db6f8cef89 (diff)
downloadwireshark-0de04bfc2439ac38efa23590dadd54e4a2ad7b90.tar.gz
From Martin Peylo:
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1888 There are new versions of CMP (v2) in RFC4210 and CRMF (v2) in RFC4211. The right to exist of CRMF is bound to CMP so I don't split that into two bug reports. I'll upload the new (slightly handmassaged) ASN.1 files for both protocols, along with patches for the respective cnf files, where I also added new #.REGISTER statements. Additionally I had to export some definitions from pkix1explicit (Attribute, Time, UniqueIdentifier and Version) and from pkix1implicit (KeyIdentifier). I'll also upload a patch for that. I uploaded a CMPv2 sample (with errors in the protocol!) to the wiki. svn path=/trunk/; revision=23082
Diffstat (limited to 'asn1')
-rw-r--r--asn1/pkix1explicit/Makefile2
-rw-r--r--asn1/pkix1explicit/Makefile.nmake2
-rw-r--r--asn1/pkix1explicit/PKIX1EXPLICIT93.asn15
-rw-r--r--asn1/pkix1explicit/pkix1explicit-exp.cnf8
-rw-r--r--asn1/pkix1explicit/pkix1explicit.cnf10
-rw-r--r--asn1/pkix1explicit/pkix1explicit_exp.cnf8
-rw-r--r--asn1/pkix1implicit/Makefile2
-rw-r--r--asn1/pkix1implicit/Makefile.nmake2
-rw-r--r--asn1/pkix1implicit/PKIX1IMPLICIT93.asn2
-rw-r--r--asn1/pkix1implicit/pkix1implicit-exp.cnf2
-rw-r--r--asn1/pkix1implicit/pkix1implicit.cnf1
-rw-r--r--asn1/pkix1implicit/pkix1implicit_exp.cnf2
-rw-r--r--asn1/pkixcmp/CMP.asn918
-rw-r--r--asn1/pkixcmp/Makefile2
-rw-r--r--asn1/pkixcmp/Makefile.nmake2
-rw-r--r--asn1/pkixcmp/cmp-exp.cnf32
-rw-r--r--asn1/pkixcmp/cmp.cnf42
-rw-r--r--asn1/pkixcrmf/CRMF.asn408
-rw-r--r--asn1/pkixcrmf/Makefile2
-rw-r--r--asn1/pkixcrmf/Makefile.nmake2
-rw-r--r--asn1/pkixcrmf/crmf-exp.cnf8
-rw-r--r--asn1/pkixcrmf/crmf.cnf13
22 files changed, 854 insertions, 631 deletions
diff --git a/asn1/pkix1explicit/Makefile b/asn1/pkix1explicit/Makefile
index 6ed4f2585e..4dc179e2d8 100644
--- a/asn1/pkix1explicit/Makefile
+++ b/asn1/pkix1explicit/Makefile
@@ -7,7 +7,7 @@ all: generate_dissector
generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py PKIX1EXPLICIT93.asn packet-pkix1explicit-template.c packet-pkix1explicit-template.h pkix1explicit.cnf
- python ../../tools/asn2wrs.py -e -b -p pkix1explicit -c pkix1explicit.cnf -s packet-pkix1explicit-template PKIX1EXPLICIT93.asn
+ python ../../tools/asn2wrs.py -e -b -X -T -p pkix1explicit -c pkix1explicit.cnf -s packet-pkix1explicit-template PKIX1EXPLICIT93.asn
clean:
rm -f pkix1explicit-exp.cnf parsetab.py $(DISSECTOR_FILES)
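Review bot: The rewritten `$(DISSECTOR_FILES)` recipe still hard-codes `python`, while the Makefile.nmake counterpart touched in this same commit invokes `$(PYTHON)`; since the line is being rewritten anyway, a `PYTHON ?= python` knob at the top of the file and `$(PYTHON) ../../tools/asn2wrs.py -e -b -X -T -p pkix1explicit -c pkix1explicit.cnf -s packet-pkix1explicit-template PKIX1EXPLICIT93.asn` would make the interpreter overridable the same way on both build systems. The same applies to the pkix1implicit Makefile hunk below. Nothing in the recipe or the commit message records why `-X -T` became necessary for these two modules now that they export Time, Version, UniqueIdentifier and KeyIdentifier; a one-line comment above the recipe pointing at bug 1888 would save the next maintainer a trip through the history. The variable definitions the recipe depends on sit outside this hunk.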
diff --git a/asn1/pkix1explicit/Makefile.nmake b/asn1/pkix1explicit/Makefile.nmake
index 0ddc6bc643..ff589fbd9c 100644
--- a/asn1/pkix1explicit/Makefile.nmake
+++ b/asn1/pkix1explicit/Makefile.nmake
@@ -15,7 +15,7 @@ generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py PKIX1EXPLICIT93.asn packet-pkix1explicit-template.c packet-pkix1explicit-template.h pkix1explicit.cnf
!IFDEF PYTHON
- $(PYTHON) "../../tools/asn2wrs.py" -e -b -p $(PROTOCOL_NAME) -c pkix1explicit.cnf -s packet-pkix1explicit-template PKIX1EXPLICIT93.asn
+ $(PYTHON) "../../tools/asn2wrs.py" -e -b -X -T -p $(PROTOCOL_NAME) -c pkix1explicit.cnf -s packet-pkix1explicit-template PKIX1EXPLICIT93.asn
!ELSE
@echo Error: You need Python to use asn2wrs.py
@exit 1
diff --git a/asn1/pkix1explicit/PKIX1EXPLICIT93.asn b/asn1/pkix1explicit/PKIX1EXPLICIT93.asn
index 86a52ac153..799e820f56 100644
--- a/asn1/pkix1explicit/PKIX1EXPLICIT93.asn
+++ b/asn1/pkix1explicit/PKIX1EXPLICIT93.asn
@@ -117,9 +117,9 @@ IMPORTS
-- }
--}
--
---UniqueIdentifier ::= BIT STRING
+UniqueIdentifier ::= BIT STRING
--
---Version ::= INTEGER { v1(0), v2(1), v3(2) }
+Version ::= INTEGER { v1(0), v2(1), v3(2) }
-- This one is defined with .NO_EMIT in the conformance file
-- and implemented in the template as just a call to the
@@ -130,9 +130,9 @@ CertificateSerialNumber ::= INTEGER
-- notBefore Time,
-- notAfter Time }
--
---Time ::= CHOICE {
--- utcTime UTCTime,
--- generalTime GeneralizedTime }
+Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
--
@@ -362,6 +362,11 @@ ValidationParms ::= SEQUENCE {
-- values SET SIZE (1 .. MAX) OF ATTRIBUTE.&Type
-- ({SupportedAttributes}{@type})}
+Attribute ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ values SET SIZE (1 .. MAX) OF ANY
+ -- at least one value is required -- }
+
AttributeTypeAndValue ::= SEQUENCE {
type OBJECT IDENTIFIER,
value ANY
diff --git a/asn1/pkix1explicit/pkix1explicit-exp.cnf b/asn1/pkix1explicit/pkix1explicit-exp.cnf
index a2dd2fb5c0..c167bde3a0 100644
--- a/asn1/pkix1explicit/pkix1explicit-exp.cnf
+++ b/asn1/pkix1explicit/pkix1explicit-exp.cnf
@@ -8,9 +8,13 @@ PKIX1Explicit93 pkix1explicit
#.END
#.IMPORT_TAG
+UniqueIdentifier BER_CLASS_UNI BER_UNI_TAG_BITSTRING
+Version BER_CLASS_UNI BER_UNI_TAG_INTEGER
CertificateSerialNumber BER_CLASS_UNI BER_UNI_TAG_INTEGER
+Time BER_CLASS_ANY/*choice*/ -1/*choice*/
Extensions BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
Extension BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+Attribute BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
AttributeTypeAndValue BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
RDNSequence BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
RelativeDistinguishedName BER_CLASS_UNI BER_UNI_TAG_SET
@@ -20,9 +24,13 @@ TeletexDomainDefinedAttribute BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
#.END
#.TYPE_ATTR
+UniqueIdentifier TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0
+Version TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = VALS(pkix1explicit_Version_vals) BITMASK = 0
CertificateSerialNumber TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
+Time TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(pkix1explicit_Time_vals) BITMASK = 0
Extensions TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
Extension TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+Attribute TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
AttributeTypeAndValue TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
RDNSequence TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
RelativeDistinguishedName TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
diff --git a/asn1/pkix1explicit/pkix1explicit.cnf b/asn1/pkix1explicit/pkix1explicit.cnf
index 0e50f5955e..aefafed833 100644
--- a/asn1/pkix1explicit/pkix1explicit.cnf
+++ b/asn1/pkix1explicit/pkix1explicit.cnf
@@ -6,6 +6,7 @@
#.MODULE_IMPORT
#.EXPORTS
+Attribute
AttributeTypeAndValue
CertificateSerialNumber
DirectoryString
@@ -15,6 +16,9 @@ RelativeDistinguishedName
RDNSequence
TeletexDomainDefinedAttribute
TerminalType
+Version
+Time
+UniqueIdentifier
#.REGISTER
DirectoryString B "1.3.6.1.5.5.7.2.1" "id-qt-cps"
@@ -31,6 +35,12 @@ DomainParameters B "1.2.840.10046.2.1" "dhpublicnumber"
#.FN_BODY DirectoryString
offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
+#.FN_PARS Attribute/values
+ FN_VARIANT = _str HF_INDEX = hf_pkix1explicit_object_identifier_id VAL_PTR = &object_identifier_id
+
+#.FN_BODY Attribute/values/_item
+ offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree);
+
#.FN_PARS AttributeTypeAndValue/value
FN_VARIANT = _str HF_INDEX = hf_pkix1explicit_object_identifier_id VAL_PTR = &object_identifier_id
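Review bot: The new `Attribute/values/_item` body dispatches every member of the SET OF on `object_identifier_id`, which looks like the same shared variable the existing `AttributeTypeAndValue` entry below writes into; if a value's callback itself runs a dissector that passes through this module and stores another OID there, the variable is overwritten before the next item of the same attribute is dispatched and later values reach the wrong handler (this is the untrusted-input path, so it also decides which sub-dissector sees attacker-controlled bytes). That coupling deserves at least a comment above the body, e.g. `# object_identifier_id is shared dissector state: it must still hold this Attribute's type OID when each value item is dispatched`. Separately, the `#.FN_PARS` is keyed on `Attribute/values` (the SET OF) although the `_str`/`VAL_PTR` variant describes OBJECT IDENTIFIER dissection — presumably `Attribute/type` was intended, mirroring the existing entry; confirm against the generated dissector.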
diff --git a/asn1/pkix1explicit/pkix1explicit_exp.cnf b/asn1/pkix1explicit/pkix1explicit_exp.cnf
index 3007121ce4..c7cca6fc50 100644
--- a/asn1/pkix1explicit/pkix1explicit_exp.cnf
+++ b/asn1/pkix1explicit/pkix1explicit_exp.cnf
@@ -1,6 +1,7 @@
#.IMPORT_TAG
AlgorithmIdentifier BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+Attribute BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
AttributeTypeAndValue BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
Certificate BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
CertificateList BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
@@ -15,9 +16,13 @@ RelativeDistinguishedName BER_CLASS_UNI BER_UNI_TAG_SET
SubjectPublicKeyInfo BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
TeletexDomainDefinedAttribute BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
TerminalType BER_CLASS_UNI BER_UNI_TAG_INTEGER
+Time BER_CLASS_ANY/*choice*/ -1/*choice*/
+UniqueIdentifier BER_CLASS_UNI BER_UNI_TAG_BITSTRING
+Version BER_CLASS_UNI BER_UNI_TAG_INTEGER
#.END
#.TYPE_ATTR
+Attribute TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
AttributeTypeAndValue TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
Certificate TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
CertificateList TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
@@ -32,5 +37,8 @@ RelativeDistinguishedName TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL
SubjectPublicKeyInfo TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
TeletexDomainDefinedAttribute TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
TerminalType TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
+Time TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(pkix1explicit_Time_vals) BITMASK = 0
+UniqueIdentifier TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0
+Version TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = VALS(pkix1explicit_Version_vals) BITMASK = 0
#.END
diff --git a/asn1/pkix1implicit/Makefile b/asn1/pkix1implicit/Makefile
index 4283a3566a..6e11985c59 100644
--- a/asn1/pkix1implicit/Makefile
+++ b/asn1/pkix1implicit/Makefile
@@ -7,7 +7,7 @@ all: generate_dissector
generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py PKIX1IMPLICIT93.asn packet-pkix1implicit-template.c packet-pkix1implicit-template.h pkix1implicit.cnf
- python ../../tools/asn2wrs.py -e -b -p pkix1implicit -c pkix1implicit.cnf -s packet-pkix1implicit-template PKIX1IMPLICIT93.asn
+ python ../../tools/asn2wrs.py -e -b -X -T -p pkix1implicit -c pkix1implicit.cnf -s packet-pkix1implicit-template PKIX1IMPLICIT93.asn
clean:
rm -f pkix1implicit-exp.cnf parsetab.py $(DISSECTOR_FILES)
diff --git a/asn1/pkix1implicit/Makefile.nmake b/asn1/pkix1implicit/Makefile.nmake
index b6718cb304..5ed0f4153d 100644
--- a/asn1/pkix1implicit/Makefile.nmake
+++ b/asn1/pkix1implicit/Makefile.nmake
@@ -15,7 +15,7 @@ generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py PKIX1IMPLICIT93.asn packet-pkix1implicit-template.c packet-pkix1implicit-template.h pkix1implicit.cnf
!IFDEF PYTHON
- $(PYTHON) "../../tools/asn2wrs.py" -e -b -p $(PROTOCOL_NAME) -c pkix1implicit.cnf -s packet-pkix1implicit-template PKIX1IMPLICIT93.asn
+ $(PYTHON) "../../tools/asn2wrs.py" -e -b -X -T -p $(PROTOCOL_NAME) -c pkix1implicit.cnf -s packet-pkix1implicit-template PKIX1IMPLICIT93.asn
!ELSE
@echo Error: You need Python to use asn2wrs.py
@exit 1
diff --git a/asn1/pkix1implicit/PKIX1IMPLICIT93.asn b/asn1/pkix1implicit/PKIX1IMPLICIT93.asn
index 487bf84f62..075c8773f9 100644
--- a/asn1/pkix1implicit/PKIX1IMPLICIT93.asn
+++ b/asn1/pkix1implicit/PKIX1IMPLICIT93.asn
@@ -83,7 +83,7 @@ IMPORTS
-- WITH COMPONENTS {..., authorityCertIssuer ABSENT,
-- authorityCertSerialNumber ABSENT} )
--
---KeyIdentifier ::= OCTET STRING
+KeyIdentifier ::= OCTET STRING
--
--subjectKeyIdentifier EXTENSION ::= {
-- SYNTAX SubjectKeyIdentifier
diff --git a/asn1/pkix1implicit/pkix1implicit-exp.cnf b/asn1/pkix1implicit/pkix1implicit-exp.cnf
index 9190b0e2fc..c3c898e0cc 100644
--- a/asn1/pkix1implicit/pkix1implicit-exp.cnf
+++ b/asn1/pkix1implicit/pkix1implicit-exp.cnf
@@ -8,11 +8,13 @@ PKIX1Implicit93 pkix1implicit
#.END
#.IMPORT_TAG
+KeyIdentifier BER_CLASS_UNI BER_UNI_TAG_OCTETSTRING
AuthorityInfoAccessSyntax BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
UserNotice BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
#.END
#.TYPE_ATTR
+KeyIdentifier TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0
AuthorityInfoAccessSyntax TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
UserNotice TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
#.END
diff --git a/asn1/pkix1implicit/pkix1implicit.cnf b/asn1/pkix1implicit/pkix1implicit.cnf
index d567a0e4f6..3bfc3d33ad 100644
--- a/asn1/pkix1implicit/pkix1implicit.cnf
+++ b/asn1/pkix1implicit/pkix1implicit.cnf
@@ -12,6 +12,7 @@ PKIX1Explicit93 pkix1explicit
#.EXPORTS
AuthorityInfoAccessSyntax
+KeyIdentifier
UserNotice
#.PDU
diff --git a/asn1/pkix1implicit/pkix1implicit_exp.cnf b/asn1/pkix1implicit/pkix1implicit_exp.cnf
index 982b4642fb..d583aaa454 100644
--- a/asn1/pkix1implicit/pkix1implicit_exp.cnf
+++ b/asn1/pkix1implicit/pkix1implicit_exp.cnf
@@ -2,6 +2,7 @@
#.IMPORT_TAG
AuthorityInfoAccessSyntax BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
GeneralName BER_CLASS_CON -1/*choice*/
+KeyIdentifier BER_CLASS_UNI BER_UNI_TAG_OCTETSTRING
ReasonFlags BER_CLASS_UNI BER_UNI_TAG_BITSTRING
UserNotice BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
#.END
@@ -9,6 +10,7 @@ UserNotice BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
#.TYPE_ATTR
AuthorityInfoAccessSyntax TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
GeneralName TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
+KeyIdentifier TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0
ReasonFlags TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0
UserNotice TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
#.END
diff --git a/asn1/pkixcmp/CMP.asn b/asn1/pkixcmp/CMP.asn
index 17ba4f7c88..79d16be9eb 100644
--- a/asn1/pkixcmp/CMP.asn
+++ b/asn1/pkixcmp/CMP.asn
@@ -1,403 +1,523 @@
--- This ASN.1 definition is taken from RFC2510 and modified to pass
--- through the asn2wrs compiler.
---
--- The original copyright statement from RFC2510 follows below:
---
+-- Extracted from RFC4210
+-- by Martin Peylo <martin.peylo@nsn.com>
+--
+-- Changes to the original ASN.1 source:
+-- - Commented out the import of UTF8String which is not needed
+-- - Commented out PKIBody/p10cr since PKCS-10 is not implemented
+-- - Uncommented the definitions for the OIDs used in InfoTypeAndValue
+--
+-- The copyright statement from the original description in RFC4211
+-- follows below:
+--
-- Full Copyright Statement
--
--- Copyright (C) The Internet Society (1999). All Rights Reserved.
---
--- This document and translations of it may be copied and furnished to
--- others, and derivative works that comment on or otherwise explain it
--- or assist in its implementation may be prepared, copied, published
--- and distributed, in whole or in part, without restriction of any
--- kind, provided that the above copyright notice and this paragraph are
--- included on all such copies and derivative works. However, this
--- document itself may not be modified in any way, such as by removing
--- the copyright notice or references to the Internet Society or other
--- Internet organizations, except as needed for the purpose of
--- developing Internet standards in which case the procedures for
--- copyrights defined in the Internet Standards process must be
--- followed, or as required to translate it into languages other than
--- English.
+-- Copyright (C) The Internet Society (2005).
--
--- The limited permissions granted above are perpetual and will not be
--- revoked by the Internet Society or its successors or assigns.
+-- This document is subject to the rights, licenses and restrictions
+-- contained in BCP 78, and except as set forth therein, the authors
+-- retain all their rights.
--
--- This document and the information contained herein is provided on an
--- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
--- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
--- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
--- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
--- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
---
-
-
---PKIXCMP {iso(1) identified-organization(3) dod(6) internet(1)
--- security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-cmp(9)}
-
-CMP DEFINITIONS EXPLICIT TAGS ::=
-
-BEGIN
-
- -- EXPORTS ALL --
-
-IMPORTS
-
- Certificate, CertificateList, Extensions, AlgorithmIdentifier
- FROM PKIX1Explicit88 {iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5) pkix(7)
- id-mod(0) id-pkix1-explicit-88(1)}
-
- GeneralName, ReasonFlags
- FROM PKIX1Implicit88 {iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5) pkix(7)
- id-mod(0) id-pkix1-implicit-88(2)}
-
- CertTemplate, PKIPublicationInfo, EncryptedValue, CertId,
- CertReqMessages
- FROM PKIXCRMF {iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5) pkix(7)
- id-mod(0) id-mod-crmf(5)};
-
- -- CertificationRequest
- -- FROM PKCS10 {no standard ASN.1 module defined;
- -- implementers need to create their own module to import
- -- from, or directly include the PKCS10 syntax in this module}
-
-KeyIdentifier ::= OCTET STRING
-
-PKIMessage ::= SEQUENCE {
- header PKIHeader,
- body PKIBody,
- protection [0] PKIProtection OPTIONAL,
- extraCerts [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL
-}
-
- PKIHeader ::= SEQUENCE {
- pvno INTEGER { ietf-version2 (1) },
- sender GeneralName,
- -- identifies the sender
- recipient GeneralName,
- -- identifies the intended recipient
- messageTime [0] GeneralizedTime OPTIONAL,
- -- time of production of this message (used when sender
- -- believes that the transport will be "suitable"; i.e.,
- -- that the time will still be meaningful upon receipt)
- protectionAlg [1] AlgorithmIdentifier OPTIONAL,
- -- algorithm used for calculation of protection bits
- senderKID [2] KeyIdentifier OPTIONAL,
- recipKID [3] KeyIdentifier OPTIONAL,
- -- to identify specific keys used for protection
- transactionID [4] OCTET STRING OPTIONAL,
- -- identifies the transaction; i.e., this will be the same in
- -- corresponding request, response and confirmation messages
- senderNonce [5] OCTET STRING OPTIONAL,
- recipNonce [6] OCTET STRING OPTIONAL,
- -- nonces used to provide replay protection, senderNonce
- -- is inserted by the creator of this message; recipNonce
- -- is a nonce previously inserted in a related message by
- -- the intended recipient of this message
- freeText [7] PKIFreeText OPTIONAL,
- -- this may be used to indicate context-specific instructions
- -- (this field is intended for human consumption)
- generalInfo [8] SEQUENCE SIZE (1..MAX) OF
- InfoTypeAndValue OPTIONAL
- -- this may be used to convey context-specific information
- -- (this field not primarily intended for human consumption)
- }
-
- PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
- -- text encoded as UTF-8 String (note: each UTF8String SHOULD
- -- include an RFC 1766 language tag to indicate the language
- -- of the contained text)
-
-
- PKIBody ::= CHOICE { -- message-specific body elements
- ir [0] CertReqMessages, --Initialization Request
- ip [1] CertRepMessage, --Initialization Response
- cr [2] CertReqMessages, --Certification Request
- cp [3] CertRepMessage, --Certification Response
---XXX dont know what this one looks like yet
--- p10cr [4] CertificationRequest,
- --imported from [PKCS10]
- popdecc [5] POPODecKeyChallContent, --pop Challenge
- popdecr [6] POPODecKeyRespContent, --pop Response
- kur [7] CertReqMessages, --Key Update Request
- kup [8] CertRepMessage, --Key Update Response
- krr [9] CertReqMessages, --Key Recovery Request
- krp [10] KeyRecRepContent, --Key Recovery Response
- rr [11] RevReqContent, --Revocation Request
- rp [12] RevRepContent, --Revocation Response
- ccr [13] CertReqMessages, --Cross-Cert. Request
- ccp [14] CertRepMessage, --Cross-Cert. Response
- ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
- cann [16] CertAnnContent, --Certificate Ann.
- rann [17] RevAnnContent, --Revocation Ann.
- crlann [18] CRLAnnContent, --CRL Announcement
- conf [19] PKIConfirmContent, --Confirmation
- nested [20] NestedMessageContent, --Nested Message
- genm [21] GenMsgContent, --General Message
- genp [22] GenRepContent, --General Response
- error [23] ErrorMsgContent --Error Message
- }
-
- PKIProtection ::= BIT STRING
-
- ProtectedPart ::= SEQUENCE {
- header PKIHeader,
- body PKIBody
- }
-
- PasswordBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 13}
-
- PBMParameter ::= SEQUENCE {
- salt OCTET STRING,
- owf AlgorithmIdentifier,
- -- AlgId for a One-Way Function (SHA-1 recommended)
- iterationCount INTEGER,
- -- number of times the OWF is applied
- mac AlgorithmIdentifier
- -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
- } -- or HMAC [RFC2104, RFC2202])
-
- DHBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 30}
-
- DHBMParameter ::= SEQUENCE {
- owf AlgorithmIdentifier,
- -- AlgId for a One-Way Function (SHA-1 recommended)
- mac AlgorithmIdentifier
- -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
- } -- or HMAC [RFC2104, RFC2202])
-
-
- NestedMessageContent ::= PKIMessage
-
- PKIStatus ::= INTEGER {
- granted (0),
- -- you got exactly what you asked for
- grantedWithMods (1),
- -- you got something like what you asked for; the
- -- requester is responsible for ascertaining the differences
- rejection (2),
- -- you don't get it, more information elsewhere in the message
- waiting (3),
- -- the request body part has not yet been processed,
- -- expect to hear more later
- revocationWarning (4),
- -- this message contains a warning that a revocation is
- -- imminent
- revocationNotification (5),
- -- notification that a revocation has occurred
- keyUpdateWarning (6)
- -- update already done for the oldCertId specified in
- -- CertReqMsg
- }
-
- PKIFailureInfo ::= BIT STRING {
- -- since we can fail in more than one way!
- -- More codes may be added in the future if/when required.
- badAlg (0),
- -- unrecognized or unsupported Algorithm Identifier
- badMessageCheck (1),
- -- integrity check failed (e.g., signature did not verify)
- badRequest (2),
- -- transaction not permitted or supported
- badTime (3),
- -- messageTime was not sufficiently close to the system time,
- -- as defined by local policy
- badCertId (4),
- -- no certificate could be found matching the provided criteria
- badDataFormat (5),
- -- the data submitted has the wrong format
- wrongAuthority (6),
- -- the authority indicated in the request is different from the
- -- one creating the response token
- incorrectData (7),
- -- the requester's data is incorrect (for notary services)
- missingTimeStamp (8),
- -- when the timestamp is missing but should be there (by policy)
- badPOP (9)
- -- the proof-of-possession failed
- }
-
- PKIStatusInfo ::= SEQUENCE {
- status PKIStatus,
- statusString PKIFreeText OPTIONAL,
- failInfo PKIFailureInfo OPTIONAL
- }
-
- OOBCert ::= Certificate
-
- OOBCertHash ::= SEQUENCE {
- hashAlg [0] AlgorithmIdentifier OPTIONAL,
- certId [1] CertId OPTIONAL,
- hashVal BIT STRING
- -- hashVal is calculated over DER encoding of the
- -- subjectPublicKey field of the corresponding cert.
- }
-
- POPODecKeyChallContent ::= SEQUENCE OF Challenge
- -- One Challenge per encryption key certification request (in the
- -- same order as these requests appear in CertReqMessages).
-
- Challenge ::= SEQUENCE {
- owf AlgorithmIdentifier OPTIONAL,
- -- MUST be present in the first Challenge; MAY be omitted in any
- -- subsequent Challenge in POPODecKeyChallContent (if omitted,
- -- then the owf used in the immediately preceding Challenge is
- -- to be used).
- witness OCTET STRING,
- -- the result of applying the one-way function (owf) to a
- -- randomly-generated INTEGER, A. [Note that a different
- -- INTEGER MUST be used for each Challenge.]
- challenge OCTET STRING
- -- the encryption (under the public key for which the cert.
- -- request is being made) of Rand, where Rand is specified as
- -- Rand ::= SEQUENCE {
- -- int INTEGER,
- -- - the randomly-generated INTEGER A (above)
- -- sender GeneralName
- -- - the sender's name (as included in PKIHeader)
- -- }
- }
-
- POPODecKeyRespContent ::= SEQUENCE OF INTEGER
- -- One INTEGER per encryption key certification request (in the
- -- same order as these requests appear in CertReqMessages). The
- -- retrieved INTEGER A (above) is returned to the sender of the
- -- corresponding Challenge.
-
-
- CertRepMessage ::= SEQUENCE {
- caPubs [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL,
- response SEQUENCE OF CertResponse
- }
-
- CertResponse ::= SEQUENCE {
- certReqId INTEGER,
- -- to match this response with corresponding request (a value
- -- of -1 is to be used if certReqId is not specified in the
- -- corresponding request)
- status PKIStatusInfo,
- certifiedKeyPair CertifiedKeyPair OPTIONAL,
- rspInfo OCTET STRING OPTIONAL
- -- analogous to the id-regInfo-asciiPairs OCTET STRING defined
- -- for regInfo in CertReqMsg [CRMF]
- }
-
- CertifiedKeyPair ::= SEQUENCE {
- certOrEncCert CertOrEncCert,
- privateKey [0] EncryptedValue OPTIONAL,
- publicationInfo [1] PKIPublicationInfo OPTIONAL
- }
-
- CertOrEncCert ::= CHOICE {
- certificate [0] Certificate,
- encryptedCert [1] EncryptedValue
- }
-
- KeyRecRepContent ::= SEQUENCE {
- status PKIStatusInfo,
- newSigCert [0] Certificate OPTIONAL,
- caCerts [1] SEQUENCE SIZE (1..MAX) OF
- Certificate OPTIONAL,
- keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
- CertifiedKeyPair OPTIONAL
- }
-
- RevReqContent ::= SEQUENCE OF RevDetails
-
- RevDetails ::= SEQUENCE {
- certDetails CertTemplate,
- -- allows requester to specify as much as they can about
- -- the cert. for which revocation is requested
- -- (e.g., for cases in which serialNumber is not available)
- revocationReason ReasonFlags OPTIONAL,
- -- the reason that revocation is requested
- badSinceDate GeneralizedTime OPTIONAL,
- -- indicates best knowledge of sender
- crlEntryDetails Extensions OPTIONAL
- -- requested crlEntryExtensions
- }
-
- RevRepContent ::= SEQUENCE {
- status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
- -- in same order as was sent in RevReqContent
- revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
- -- IDs for which revocation was requested (same order as status)
- crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
- -- the resulting CRLs (there may be more than one)
- }
-
-
- CAKeyUpdAnnContent ::= SEQUENCE {
- oldWithNew Certificate, -- old pub signed with new priv
- newWithOld Certificate, -- new pub signed with old priv
- newWithNew Certificate -- new pub signed with new priv
- }
-
- CertAnnContent ::= Certificate
-
- RevAnnContent ::= SEQUENCE {
- status PKIStatus,
- certId CertId,
- willBeRevokedAt GeneralizedTime,
- badSinceDate GeneralizedTime,
- crlDetails Extensions OPTIONAL
- -- extra CRL details(e.g., crl number, reason, location, etc.)
-}
-
- CRLAnnContent ::= SEQUENCE OF CertificateList
-
- PKIConfirmContent ::= NULL
-
- InfoTypeAndValue ::= SEQUENCE {
- infoType OBJECT IDENTIFIER,
- infoValue ANY OPTIONAL
- }
- -- Example InfoTypeAndValue contents include, but are not limited to:
- -- { CAProtEncCert = {id-it 1}, Certificate }
- -- { SignKeyPairTypes = {id-it 2}, SEQUENCE OF AlgorithmIdentifier }
- -- { EncKeyPairTypes = {id-it 3}, SEQUENCE OF AlgorithmIdentifier }
- -- { PreferredSymmAlg = {id-it 4}, AlgorithmIdentifier }
- -- { CAKeyUpdateInfo = {id-it 5}, CAKeyUpdAnnContent }
- -- { CurrentCRL = {id-it 6}, CertificateList }
- -- where {id-it} = {id-pkix 4} = {1 3 6 1 5 5 7 4}
- -- This construct MAY also be used to define new PKIX Certificate
- -- Management Protocol request and response messages, or general-
- -- purpose (e.g., announcement) messages for future needs or for
- -- specific environments.
-
- GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
-
- -- May be sent by EE, RA, or CA (depending on message content).
- -- The OPTIONAL infoValue parameter of InfoTypeAndValue will typically
- -- be omitted for some of the examples given above. The receiver is
- -- free to ignore any contained OBJ. IDs that it does not recognize.
- -- If sent from EE to CA, the empty set indicates that the CA may send
- -- any/all information that it wishes.
-
- GenRepContent ::= SEQUENCE OF InfoTypeAndValue
- -- The receiver is free to ignore any contained OBJ. IDs that it does
- -- not recognize.
-
- ErrorMsgContent ::= SEQUENCE {
- pKIStatusInfo PKIStatusInfo,
- errorCode INTEGER OPTIONAL,
- -- implementation-specific error codes
- errorDetails PKIFreeText OPTIONAL
- -- implementation-specific error details
- }
-
-
-
--- The following definition is provided for compatibility reasons with
--- 1988 and 1993 ASN.1 compilers which allow the use of UNIVERSAL class
--- tags (not a part of formal ASN.1); 1997 and subsequent compilers
--- SHOULD comment out this line.
---
---UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
-
-END
-
+-- This document and the information contained herein are provided on an
+-- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+-- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+-- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+-- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+-- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+-- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+ PKIXCMP {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-mod-cmp2000(16)}
+
+ DEFINITIONS EXPLICIT TAGS ::=
+
+ BEGIN
+
+ -- EXPORTS ALL --
+
+ IMPORTS
+
+ Certificate, CertificateList, Extensions, AlgorithmIdentifier --,
+ -- UTF8String
+ -- if required; otherwise, comment out
+ FROM PKIX1Explicit88 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-pkix1-explicit-88(1)}
+
+ GeneralName, KeyIdentifier
+ FROM PKIX1Implicit88 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-pkix1-implicit-88(2)}
+
+ CertTemplate, PKIPublicationInfo, EncryptedValue, CertId,
+ CertReqMessages
+ FROM PKIXCRMF-2005 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-mod-crmf2005(36)}
+
+ -- see also the behavioral clarifications to CRMF codified in
+ -- Appendix C of this specification
+
+ CertificationRequest
+ FROM PKCS-10 {iso(1) member-body(2)
+ us(840) rsadsi(113549)
+ pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)}
+
+ -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT
+ -- tags). Alternatively, implementers may directly include
+ -- the [PKCS10] syntax in this module
+
+ ;
+
+ -- the rest of the module contains locally-defined OIDs and
+ -- constructs
+
+ CMPCertificate ::= CHOICE {
+ x509v3PKCert Certificate
+ }
+ -- This syntax, while bits-on-the-wire compatible with the
+ -- standard X.509 definition of "Certificate", allows the
+ -- possibility of future certificate types (such as X.509
+ -- attribute certificates, WAP WTLS certificates, or other kinds
+ -- of certificates) within this certificate management protocol,
+ -- should a need ever arise to support such generality. Those
+ -- implementations that do not foresee a need to ever support
+ -- other certificate types MAY, if they wish, comment out the
+ -- above structure and "un-comment" the following one prior to
+ -- compiling this ASN.1 module. (Note that interoperability
+ -- with implementations that don't do this will be unaffected by
+ -- this change.)
+
+ -- CMPCertificate ::= Certificate
+
+ PKIMessage ::= SEQUENCE {
+ header PKIHeader,
+ body PKIBody,
+ protection [0] PKIProtection OPTIONAL,
+ extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+ OPTIONAL
+ }
+
+ PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
+
+ PKIHeader ::= SEQUENCE {
+ pvno INTEGER { cmp1999(1), cmp2000(2) },
+ sender GeneralName,
+ -- identifies the sender
+ recipient GeneralName,
+ -- identifies the intended recipient
+ messageTime [0] GeneralizedTime OPTIONAL,
+ -- time of production of this message (used when sender
+ -- believes that the transport will be "suitable"; i.e.,
+ -- that the time will still be meaningful upon receipt)
+ protectionAlg [1] AlgorithmIdentifier OPTIONAL,
+ -- algorithm used for calculation of protection bits
+ senderKID [2] KeyIdentifier OPTIONAL,
+ recipKID [3] KeyIdentifier OPTIONAL,
+ -- to identify specific keys used for protection
+ transactionID [4] OCTET STRING OPTIONAL,
+ -- identifies the transaction; i.e., this will be the same in
+ -- corresponding request, response, certConf, and PKIConf
+ -- messages
+ senderNonce [5] OCTET STRING OPTIONAL,
+ recipNonce [6] OCTET STRING OPTIONAL,
+ -- nonces used to provide replay protection, senderNonce
+ -- is inserted by the creator of this message; recipNonce
+ -- is a nonce previously inserted in a related message by
+ -- the intended recipient of this message
+ freeText [7] PKIFreeText OPTIONAL,
+ -- this may be used to indicate context-specific instructions
+ -- (this field is intended for human consumption)
+ generalInfo [8] SEQUENCE SIZE (1..MAX) OF
+ InfoTypeAndValue OPTIONAL
+ -- this may be used to convey context-specific information
+ -- (this field not primarily intended for human consumption)
+ }
+
+ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
+ -- text encoded as UTF-8 String [RFC3629] (note: each
+ -- UTF8String MAY include an [RFC3066] language tag
+ -- to indicate the language of the contained text
+ -- see [RFC2482] for details)
+
+ PKIBody ::= CHOICE { -- message-specific body elements
+ ir [0] CertReqMessages, --Initialization Request
+ ip [1] CertRepMessage, --Initialization Response
+ cr [2] CertReqMessages, --Certification Request
+ cp [3] CertRepMessage, --Certification Response
+ -- p10cr [4] CertificationRequest,
+ --imported from [PKCS10]
+ popdecc [5] POPODecKeyChallContent, --pop Challenge
+ popdecr [6] POPODecKeyRespContent, --pop Response
+ kur [7] CertReqMessages, --Key Update Request
+ kup [8] CertRepMessage, --Key Update Response
+ krr [9] CertReqMessages, --Key Recovery Request
+ krp [10] KeyRecRepContent, --Key Recovery Response
+ rr [11] RevReqContent, --Revocation Request
+ rp [12] RevRepContent, --Revocation Response
+ ccr [13] CertReqMessages, --Cross-Cert. Request
+ ccp [14] CertRepMessage, --Cross-Cert. Response
+ ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
+ cann [16] CertAnnContent, --Certificate Ann.
+ rann [17] RevAnnContent, --Revocation Ann.
+ crlann [18] CRLAnnContent, --CRL Announcement
+ pkiconf [19] PKIConfirmContent, --Confirmation
+ nested [20] NestedMessageContent, --Nested Message
+ genm [21] GenMsgContent, --General Message
+ genp [22] GenRepContent, --General Response
+ error [23] ErrorMsgContent, --Error Message
+ certConf [24] CertConfirmContent, --Certificate confirm
+ pollReq [25] PollReqContent, --Polling request
+ pollRep [26] PollRepContent --Polling response
+ }
+
+ PKIProtection ::= BIT STRING
+
+ ProtectedPart ::= SEQUENCE {
+ header PKIHeader,
+ body PKIBody
+ }
+
+ id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
+ PBMParameter ::= SEQUENCE {
+ salt OCTET STRING,
+ -- note: implementations MAY wish to limit acceptable sizes
+ -- of this string to values appropriate for their environment
+ -- in order to reduce the risk of denial-of-service attacks
+ owf AlgorithmIdentifier,
+ -- AlgId for a One-Way Function (SHA-1 recommended)
+ iterationCount INTEGER,
+ -- number of times the OWF is applied
+ -- note: implementations MAY wish to limit acceptable sizes
+ -- of this integer to values appropriate for their environment
+ -- in order to reduce the risk of denial-of-service attacks
+ mac AlgorithmIdentifier
+ -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+ } -- or HMAC [RFC2104, RFC2202])
+
+ id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
+ DHBMParameter ::= SEQUENCE {
+ owf AlgorithmIdentifier,
+ -- AlgId for a One-Way Function (SHA-1 recommended)
+ mac AlgorithmIdentifier
+ -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+ } -- or HMAC [RFC2104, RFC2202])
+
+
+ NestedMessageContent ::= PKIMessages
+
+ PKIStatus ::= INTEGER {
+ accepted (0),
+ -- you got exactly what you asked for
+ grantedWithMods (1),
+ -- you got something like what you asked for; the
+ -- requester is responsible for ascertaining the differences
+ rejection (2),
+ -- you don't get it, more information elsewhere in the message
+ waiting (3),
+ -- the request body part has not yet been processed; expect to
+ -- hear more later (note: proper handling of this status
+ -- response MAY use the polling req/rep PKIMessages specified
+ -- in Section 5.3.22; alternatively, polling in the underlying
+ -- transport layer MAY have some utility in this regard)
+ revocationWarning (4),
+ -- this message contains a warning that a revocation is
+ -- imminent
+ revocationNotification (5),
+ -- notification that a revocation has occurred
+ keyUpdateWarning (6)
+ -- update already done for the oldCertId specified in
+ -- CertReqMsg
+ }
+
+ PKIFailureInfo ::= BIT STRING {
+ -- since we can fail in more than one way!
+ -- More codes may be added in the future if/when required.
+ badAlg (0),
+ -- unrecognized or unsupported Algorithm Identifier
+ badMessageCheck (1),
+ -- integrity check failed (e.g., signature did not verify)
+ badRequest (2),
+ -- transaction not permitted or supported
+ badTime (3),
+ -- messageTime was not sufficiently close to the system time,
+ -- as defined by local policy
+ badCertId (4),
+ -- no certificate could be found matching the provided criteria
+ badDataFormat (5),
+ -- the data submitted has the wrong format
+ wrongAuthority (6),
+ -- the authority indicated in the request is different from the
+ -- one creating the response token
+ incorrectData (7),
+ -- the requester's data is incorrect (for notary services)
+ missingTimeStamp (8),
+ -- when the timestamp is missing but should be there
+ -- (by policy)
+ badPOP (9),
+ -- the proof-of-possession failed
+ certRevoked (10),
+ -- the certificate has already been revoked
+ certConfirmed (11),
+ -- the certificate has already been confirmed
+ wrongIntegrity (12),
+ -- invalid integrity, password based instead of signature or
+ -- vice versa
+ badRecipientNonce (13),
+ -- invalid recipient nonce, either missing or wrong value
+ timeNotAvailable (14),
+ -- the TSA's time source is not available
+ unacceptedPolicy (15),
+ -- the requested TSA policy is not supported by the TSA.
+ unacceptedExtension (16),
+ -- the requested extension is not supported by the TSA.
+ addInfoNotAvailable (17),
+ -- the additional information requested could not be
+ -- understood or is not available
+ badSenderNonce (18),
+ -- invalid sender nonce, either missing or wrong size
+ badCertTemplate (19),
+ -- invalid cert. template or missing mandatory information
+ signerNotTrusted (20),
+ -- signer of the message unknown or not trusted
+ transactionIdInUse (21),
+ -- the transaction identifier is already in use
+ unsupportedVersion (22),
+ -- the version of the message is not supported
+ notAuthorized (23),
+ -- the sender was not authorized to make the preceding
+ -- request or perform the preceding action
+ systemUnavail (24),
+ -- the request cannot be handled due to system unavailability
+ systemFailure (25),
+ -- the request cannot be handled due to system failure
+ duplicateCertReq (26)
+ -- certificate cannot be issued because a duplicate
+ -- certificate already exists
+ }
+
+ PKIStatusInfo ::= SEQUENCE {
+ status PKIStatus,
+ statusString PKIFreeText OPTIONAL,
+ failInfo PKIFailureInfo OPTIONAL
+ }
+
+ OOBCert ::= CMPCertificate
+
+ OOBCertHash ::= SEQUENCE {
+ hashAlg [0] AlgorithmIdentifier OPTIONAL,
+ certId [1] CertId OPTIONAL,
+ hashVal BIT STRING
+ -- hashVal is calculated over the DER encoding of the
+ -- self-signed certificate with the identifier certID.
+ }
+
+ POPODecKeyChallContent ::= SEQUENCE OF Challenge
+ -- One Challenge per encryption key certification request (in the
+ -- same order as these requests appear in CertReqMessages).
+
+ Challenge ::= SEQUENCE {
+ owf AlgorithmIdentifier OPTIONAL,
+
+ -- MUST be present in the first Challenge; MAY be omitted in
+ -- any subsequent Challenge in POPODecKeyChallContent (if
+ -- omitted, then the owf used in the immediately preceding
+ -- Challenge is to be used).
+
+ witness OCTET STRING,
+ -- the result of applying the one-way function (owf) to a
+ -- randomly-generated INTEGER, A. [Note that a different
+ -- INTEGER MUST be used for each Challenge.]
+ challenge OCTET STRING
+ -- the encryption (under the public key for which the cert.
+ -- request is being made) of Rand, where Rand is specified as
+ -- Rand ::= SEQUENCE {
+ -- int INTEGER,
+ -- - the randomly-generated INTEGER A (above)
+ -- sender GeneralName
+ -- - the sender's name (as included in PKIHeader)
+ -- }
+ }
+
+ POPODecKeyRespContent ::= SEQUENCE OF INTEGER
+ -- One INTEGER per encryption key certification request (in the
+ -- same order as these requests appear in CertReqMessages). The
+ -- retrieved INTEGER A (above) is returned to the sender of the
+ -- corresponding Challenge.
+
+ CertRepMessage ::= SEQUENCE {
+ caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+ OPTIONAL,
+ response SEQUENCE OF CertResponse
+ }
+
+ CertResponse ::= SEQUENCE {
+ certReqId INTEGER,
+ -- to match this response with corresponding request (a value
+ -- of -1 is to be used if certReqId is not specified in the
+ -- corresponding request)
+ status PKIStatusInfo,
+ certifiedKeyPair CertifiedKeyPair OPTIONAL,
+ rspInfo OCTET STRING OPTIONAL
+ -- analogous to the id-regInfo-utf8Pairs string defined
+ -- for regInfo in CertReqMsg [CRMF]
+ }
+
+ CertifiedKeyPair ::= SEQUENCE {
+ certOrEncCert CertOrEncCert,
+ privateKey [0] EncryptedValue OPTIONAL,
+ -- see [CRMF] for comment on encoding
+ publicationInfo [1] PKIPublicationInfo OPTIONAL
+ }
+
+ CertOrEncCert ::= CHOICE {
+ certificate [0] CMPCertificate,
+ encryptedCert [1] EncryptedValue
+ }
+
+ KeyRecRepContent ::= SEQUENCE {
+ status PKIStatusInfo,
+ newSigCert [0] CMPCertificate OPTIONAL,
+ caCerts [1] SEQUENCE SIZE (1..MAX) OF
+ CMPCertificate OPTIONAL,
+ keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
+ CertifiedKeyPair OPTIONAL
+ }
+
+ RevReqContent ::= SEQUENCE OF RevDetails
+
+ RevDetails ::= SEQUENCE {
+ certDetails CertTemplate,
+ -- allows requester to specify as much as they can about
+ -- the cert. for which revocation is requested
+ -- (e.g., for cases in which serialNumber is not available)
+ crlEntryDetails Extensions OPTIONAL
+ -- requested crlEntryExtensions
+ }
+
+ RevRepContent ::= SEQUENCE {
+ status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
+ -- in same order as was sent in RevReqContent
+ revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
+ OPTIONAL,
+ -- IDs for which revocation was requested
+ -- (same order as status)
+ crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList
+ -- the resulting CRLs (there may be more than one)
+ }
+
+ CAKeyUpdAnnContent ::= SEQUENCE {
+ oldWithNew CMPCertificate, -- old pub signed with new priv
+ newWithOld CMPCertificate, -- new pub signed with old priv
+ newWithNew CMPCertificate -- new pub signed with new priv
+ }
+
+ CertAnnContent ::= CMPCertificate
+
+ RevAnnContent ::= SEQUENCE {
+ status PKIStatus,
+ certId CertId,
+ willBeRevokedAt GeneralizedTime,
+ badSinceDate GeneralizedTime,
+ crlDetails Extensions OPTIONAL
+ -- extra CRL details (e.g., crl number, reason, location, etc.)
+ }
+
+ CRLAnnContent ::= SEQUENCE OF CertificateList
+
+ CertConfirmContent ::= SEQUENCE OF CertStatus
+
+ CertStatus ::= SEQUENCE {
+ certHash OCTET STRING,
+ -- the hash of the certificate, using the same hash algorithm
+ -- as is used to create and verify the certificate signature
+ certReqId INTEGER,
+ -- to match this confirmation with the corresponding req/rep
+ statusInfo PKIStatusInfo OPTIONAL
+ }
+
+ PKIConfirmContent ::= NULL
+
+ InfoTypeAndValue ::= SEQUENCE {
+ infoType OBJECT IDENTIFIER,
+ infoValue ANY DEFINED BY infoType OPTIONAL
+ }
+ -- Example InfoTypeAndValue contents include, but are not limited
+ -- to, the following (un-comment in this ASN.1 module and use as
+ -- appropriate for a given environment):
+ --
+ -- id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1}
+ CAProtEncCertValue ::= CMPCertificate
+ -- id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2}
+ SignKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
+ -- id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3}
+ EncKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
+ -- id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4}
+ PreferredSymmAlgValue ::= AlgorithmIdentifier
+ -- id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5}
+ CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent
+ -- id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6}
+ CurrentCRLValue ::= CertificateList
+ -- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
+ UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER
+ -- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10}
+ KeyPairParamReqValue ::= OBJECT IDENTIFIER
+ -- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11}
+ KeyPairParamRepValue ::= AlgorithmIdentifier
+ -- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12}
+ RevPassphraseValue ::= EncryptedValue
+ -- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13}
+ ImplicitConfirmValue ::= NULL
+ -- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14}
+ ConfirmWaitTimeValue ::= GeneralizedTime
+ -- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
+ OrigPKIMessageValue ::= PKIMessages
+ -- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16}
+ SuppLangTagsValue ::= SEQUENCE OF UTF8String
+ --
+ -- where
+ --
+ -- id-pkix OBJECT IDENTIFIER ::= {
+ -- iso(1) identified-organization(3)
+ -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
+ -- and
+ -- id-it OBJECT IDENTIFIER ::= {id-pkix 4}
+ --
+ --
+ -- This construct MAY also be used to define new PKIX Certificate
+ -- Management Protocol request and response messages, or general-
+ -- purpose (e.g., announcement) messages for future needs or for
+ -- specific environments.
+
+ GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
+
+ -- May be sent by EE, RA, or CA (depending on message content).
+ -- The OPTIONAL infoValue parameter of InfoTypeAndValue will
+ -- typically be omitted for some of the examples given above.
+ -- The receiver is free to ignore any contained OBJ. IDs that it
+ -- does not recognize. If sent from EE to CA, the empty set
+ -- indicates that the CA may send
+ -- any/all information that it wishes.
+ GenRepContent ::= SEQUENCE OF InfoTypeAndValue
+ -- Receiver MAY ignore any contained OIDs that it does not
+ -- recognize.
+
+ ErrorMsgContent ::= SEQUENCE {
+ pKIStatusInfo PKIStatusInfo,
+ errorCode INTEGER OPTIONAL,
+ -- implementation-specific error codes
+ errorDetails PKIFreeText OPTIONAL
+ -- implementation-specific error details
+ }
+
+ PollReqContent ::= SEQUENCE OF SEQUENCE {
+ certReqId INTEGER
+ }
+
+ PollRepContent ::= SEQUENCE OF SEQUENCE {
+ certReqId INTEGER,
+ checkAfter INTEGER, -- time in seconds
+ reason PKIFreeText OPTIONAL
+ }
+
+ END -- of CMP module
diff --git a/asn1/pkixcmp/Makefile b/asn1/pkixcmp/Makefile
index 86b0b27289..bd21be1dd9 100644
--- a/asn1/pkixcmp/Makefile
+++ b/asn1/pkixcmp/Makefile
@@ -7,7 +7,7 @@ all: generate_dissector
generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py CMP.asn packet-cmp-template.c packet-cmp-template.h cmp.cnf
- python ../../tools/asn2wrs.py -b -e -p cmp -c cmp.cnf -s packet-cmp-template CMP.asn
+ python ../../tools/asn2wrs.py -b -X -T -e -p cmp -c cmp.cnf -s packet-cmp-template CMP.asn
clean:
rm -f parsetab.py $(DISSECTOR_FILES)
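Review bot: The changed recipe line still invokes a hard-coded `python` instead of an overridable variable, whereas the parallel hunk in asn1/pkixcmp/Makefile.nmake in this same commit already uses `$(PYTHON)`; the two generator invocations would be easier to keep in sync as `$(PYTHON) ../../tools/asn2wrs.py -b -X -T -e -p cmp -c cmp.cnf -s packet-cmp-template CMP.asn` with a `PYTHON ?= python` default near the top of the file (outside this hunk). The `clean` target shown as context is also not declared `.PHONY` here, so a stray file named `clean` in this directory would turn `make clean` into a no-op; `.PHONY: all generate_dissector clean` would close that gap.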
diff --git a/asn1/pkixcmp/Makefile.nmake b/asn1/pkixcmp/Makefile.nmake
index f5fd271875..4dd7b2f792 100644
--- a/asn1/pkixcmp/Makefile.nmake
+++ b/asn1/pkixcmp/Makefile.nmake
@@ -15,7 +15,7 @@ generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py CMP.asn packet-cmp-template.c packet-cmp-template.h cmp.cnf
!IFDEF PYTHON
- $(PYTHON) "../../tools/asn2wrs.py" -b -e -p $(PROTOCOL_NAME) -c cmp.cnf -s packet-cmp-template CMP.asn
+ $(PYTHON) "../../tools/asn2wrs.py" -b -X -T -e -p $(PROTOCOL_NAME) -c cmp.cnf -s packet-cmp-template CMP.asn
!ELSE
@echo Error: You need Python to use asn2wrs.py
@exit 1
diff --git a/asn1/pkixcmp/cmp-exp.cnf b/asn1/pkixcmp/cmp-exp.cnf
index d09232df9e..0d3611bee7 100644
--- a/asn1/pkixcmp/cmp-exp.cnf
+++ b/asn1/pkixcmp/cmp-exp.cnf
@@ -4,27 +4,26 @@
# ../../tools/asn2wrs.py -b -e -p cmp -c cmp.cnf -s packet-cmp-template CMP.asn
#.MODULE
-CMP cmp
+PKIXCMP cmp
#.END
#.IMPORT_TAG
+CMPCertificate BER_CLASS_ANY/*choice*/ -1/*choice*/
PKIMessage BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+PKIMessages BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
PKIHeader BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
PKIFreeText BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
PKIBody BER_CLASS_ANY/*choice*/ -1/*choice*/
PKIProtection BER_CLASS_UNI BER_UNI_TAG_BITSTRING
ProtectedPart BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
-PasswordBasedMac BER_CLASS_UNI BER_UNI_TAG_OID
PBMParameter BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
-DHBasedMac BER_CLASS_UNI BER_UNI_TAG_OID
DHBMParameter BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
NestedMessageContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
PKIStatus BER_CLASS_UNI BER_UNI_TAG_INTEGER
PKIFailureInfo BER_CLASS_UNI BER_UNI_TAG_BITSTRING
PKIStatusInfo BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
-OOBCert BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+OOBCert BER_CLASS_ANY/*choice*/ -1/*choice*/
OOBCertHash BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
-POPODecKeyChallContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
Challenge BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
POPODecKeyRespContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
CertRepMessage BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
@@ -36,34 +35,36 @@ RevReqContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
RevDetails BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
RevRepContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
CAKeyUpdAnnContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
-CertAnnContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+CertAnnContent BER_CLASS_ANY/*choice*/ -1/*choice*/
RevAnnContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
CRLAnnContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+CertConfirmContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+CertStatus BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
PKIConfirmContent BER_CLASS_UNI BER_UNI_TAG_NULL
InfoTypeAndValue BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
GenMsgContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
-GenRepContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
ErrorMsgContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+PollReqContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+PollRepContent BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
#.END
#.TYPE_ATTR
+CMPCertificate TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_CMPCertificate_vals) BITMASK = 0
PKIMessage TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+PKIMessages TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
PKIHeader TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
PKIFreeText TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
PKIBody TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_PKIBody_vals) BITMASK = 0
PKIProtection TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0
ProtectedPart TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
-PasswordBasedMac TYPE = FT_OID DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
PBMParameter TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
-DHBasedMac TYPE = FT_OID DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
DHBMParameter TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
-NestedMessageContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+NestedMessageContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
PKIStatus TYPE = FT_INT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_PKIStatus_vals) BITMASK = 0
PKIFailureInfo TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0
PKIStatusInfo TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
-OOBCert TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+OOBCert TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_CMPCertificate_vals) BITMASK = 0
OOBCertHash TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
-POPODecKeyChallContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
Challenge TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
POPODecKeyRespContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
CertRepMessage TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
@@ -75,13 +76,16 @@ RevReqContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL
RevDetails TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
RevRepContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
CAKeyUpdAnnContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
-CertAnnContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+CertAnnContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(cmp_CMPCertificate_vals) BITMASK = 0
RevAnnContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
CRLAnnContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
+CertConfirmContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
+CertStatus TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
PKIConfirmContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
InfoTypeAndValue TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
GenMsgContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
-GenRepContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
ErrorMsgContent TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+PollReqContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
+PollRepContent TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
#.END
diff --git a/asn1/pkixcmp/cmp.cnf b/asn1/pkixcmp/cmp.cnf
index e572d88425..a57343259c 100644
--- a/asn1/pkixcmp/cmp.cnf
+++ b/asn1/pkixcmp/cmp.cnf
@@ -6,7 +6,7 @@
#.MODULE_IMPORT
PKIX1Explicit88 pkix1explicit
PKIX1Implicit88 pkix1implicit
-PKIXCRMF crmf
+PKIXCRMF-2005 crmf
#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
#.INCLUDE ../pkix1implicit/pkix1implicit_exp.cnf
@@ -14,24 +14,24 @@ PKIXCRMF crmf
#.EXPORTS
CAKeyUpdAnnContent
+CMPCertificate
+CRLAnnContent
CertAnnContent
-CertifiedKeyPair
+CertConfirmContent
CertOrEncCert
CertRepMessage
CertResponse
+CertStatus
+CertifiedKeyPair
Challenge
-CRLAnnContent
-DHBasedMac
DHBMParameter
ErrorMsgContent
GenMsgContent
-GenRepContent
InfoTypeAndValue
KeyRecRepContent
NestedMessageContent
OOBCert
OOBCertHash
-PasswordBasedMac
PBMParameter
PKIBody
PKIConfirmContent
@@ -39,11 +39,13 @@ PKIFailureInfo
PKIFreeText
PKIHeader
PKIMessage
+PKIMessages
PKIProtection
PKIStatus
PKIStatusInfo
-POPODecKeyChallContent
POPODecKeyRespContent
+PollRepContent
+PollReqContent
ProtectedPart
RevAnnContent
RevDetails
@@ -51,12 +53,34 @@ RevRepContent
RevReqContent
#.REGISTER
+PBMParameter B "1.2.840.113533.7.66.13" "id-PasswordBasedMac"
+DHBMParameter B "1.2.640.113533.7.66.30" "id-DHBasedMac"
+CAProtEncCertValue B "1.3.6.1.5.5.7.4.1" "id-it-caProtEncCert"
+SignKeyPairTypesValue B "1.3.6.1.5.5.7.4.2" "id-it-signKeyPairTypes"
+EncKeyPairTypesValue B "1.3.6.1.5.5.7.4.3" "id-it-encKeyPairTypes"
+PreferredSymmAlgValue B "1.3.6.1.5.5.7.4.4" "id-it-preferredSymmAlg"
+CAKeyUpdateInfoValue B "1.3.6.1.5.5.7.4.5" "id-it-caKeyUpdateInfo"
+CurrentCRLValue B "1.3.6.1.5.5.7.4.6" "id-it-currentCRL"
+UnsupportedOIDsValue B "1.3.6.1.5.5.7.4.7" "id-it-unsupportedOIDs"
+KeyPairParamReqValue B "1.3.6.1.5.5.7.4.10" "id-it-keyPairParamReq"
+KeyPairParamRepValue B "1.3.6.1.5.5.7.4.11" "id-it-keyPairParamRep"
+RevPassphraseValue B "1.3.6.1.5.5.7.4.12" "id-it-revPassphrase"
+ImplicitConfirmValue B "1.3.6.1.5.5.7.4.13" "id-it-implicitConfirm"
+ConfirmWaitTimeValue B "1.3.6.1.5.5.7.4.14" "id-it-confirmWaitTime"
+OrigPKIMessageValue B "1.3.6.1.5.5.7.4.15" "id-it-origPKIMessage"
+SuppLangTagsValue B "1.3.6.1.5.5.7.4.16" "id-it-suppLangTags"
+
#.NO_EMIT
#.TYPE_RENAME
#.FIELD_RENAME
+RevRepContent/status rvrpcnt_status
+CertResponse/status pkistatusinf
+KeyRecRepContent/status pkistatusinf
+PKIStatusInfo/status pkistatus
+RevAnnContent/status pkistatus
#.FN_PARS InfoTypeAndValue/infoType
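Review bot: The OID on the new `DHBMParameter` line of `#.REGISTER` reads `1.2.640.113533.7.66.30`, but the CMP.asn hunk earlier in this commit defines `id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}`, so the second arc should be 840, exactly as on the `id-PasswordBasedMac` line directly above it. As written the dissector binds DHBMParameter to an OID that never appears on the wire, so the protectionAlg parameters of DH-based message protection would be left undissected instead of decoded, which is easy to miss because nothing fails loudly. The line should read `DHBMParameter B "1.2.840.113533.7.66.30" "id-DHBasedMac"`.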
@@ -65,6 +89,4 @@ RevReqContent
#.FN_BODY InfoTypeAndValue/infoValue
offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree);
-#.END
-
-
+#.END_OF_CNF
diff --git a/asn1/pkixcrmf/CRMF.asn b/asn1/pkixcrmf/CRMF.asn
index 55ce3a42b4..eb1eb17e61 100644
--- a/asn1/pkixcrmf/CRMF.asn
+++ b/asn1/pkixcrmf/CRMF.asn
@@ -1,199 +1,191 @@
--- This ASN1 definition is taken from RFC2511 and modified to pass through
--- the asn2wrs compiler.
+-- Extracted from RFC4211
+-- by Martin Peylo <martin.peylo@nsn.com>
--
--- The copyright statement from the original description in RFC2511
+-- Changes to make it work with asn2wrs:
+-- - none
+--
+-- The copyright statement from the original description in RFC4211
-- follows below:
---
---
+--
-- Full Copyright Statement
---
--- Copyright (C) The Internet Society (1999). All Rights Reserved.
---
--- This document and translations of it may be copied and furnished to
--- others, and derivative works that comment on or otherwise explain it
--- or assist in its implementation may be prepared, copied, published
--- and distributed, in whole or in part, without restriction of any
--- kind, provided that the above copyright notice and this paragraph are
--- included on all such copies and derivative works. However, this
--- document itself may not be modified in any way, such as by removing
--- the copyright notice or references to the Internet Society or other
--- Internet organizations, except as needed for the purpose of
--- developing Internet standards in which case the procedures for
--- copyrights defined in the Internet Standards process must be
--- followed, or as required to translate it into languages other than
--- English.
---
--- The limited permissions granted above are perpetual and will not be
--- revoked by the Internet Society or its successors or assigns.
---
--- This document and the information contained herein is provided on an
--- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
--- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
--- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
--- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
--- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
---PKIXCRMF {iso(1) identified-organization(3) dod(6) internet(1)
--- security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf(5)}
-
-CRMF DEFINITIONS IMPLICIT TAGS ::=
+--
+-- Copyright (C) The Internet Society (2005).
+--
+-- This document is subject to the rights, licenses and restrictions
+-- contained in BCP 78, and except as set forth therein, the authors
+-- retain all their rights.
+--
+-- This document and the information contained herein are provided on an
+-- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+-- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+-- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+-- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+-- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+-- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6) internet(1)
+security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005(36)}
+
+DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
- -- Directory Authentication Framework (X.509)
- AlgorithmIdentifier, Name,
- SubjectPublicKeyInfo, Extensions
- FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
+ -- Directory Authentication Framework (X.509)
+ Version, AlgorithmIdentifier, Name, Time,
+ SubjectPublicKeyInfo, Extensions, UniqueIdentifier, Attribute
+ FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-pkix1-explicit(18)} -- found in [PROFILE]
+
+ -- Certificate Extensions (X.509)
+ GeneralName
+ FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-pkix1-explicit-88(1)}
+ id-pkix1-implicit(19)} -- found in [PROFILE]
- -- Certificate Extensions (X.509)
- GeneralName
- FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-pkix1-implicit-88(2)}
+ -- Cryptographic Message Syntax
+ EnvelopedData
+ FROM CryptographicMessageSyntax2004 { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+ modules(0) cms-2004(24) }; -- found in [CMS]
- -- Cryptographic Message Syntax
- EnvelopedData
- FROM CryptographicMessageSyntax { iso(1) member-body(2)
- us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
- modules(0) cms(1) };
+-- The following definition may be uncommented for use with
+-- ASN.1 compilers that do not understand UTF8String.
+
+-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+ -- The contents of this type correspond to RFC 2279.
+
+id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
+dod(6) internet(1) security(5) mechanisms(5) 7 }
+
+-- arc for Internet X.509 PKI protocols and their components
+id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 }
---copied in from pkix1explicit
-Version ::= INTEGER { v1(0), v2(1), v3(2) }
-UniqueIdentifier ::= BIT STRING
-Time ::= CHOICE {
- utcTime UTCTime,
- generalTime GeneralizedTime }
+id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
+id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types
+-- Core definitions for this module
CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
CertReqMsg ::= SEQUENCE {
- certReq CertRequest,
- pop ProofOfPossession OPTIONAL,
- -- content depends upon key type
- regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL }
+ certReq CertRequest,
+ popo ProofOfPossession OPTIONAL,
+ -- content depends upon key type
+ regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL }
CertRequest ::= SEQUENCE {
- certReqId INTEGER, -- ID for matching request and reply
- certTemplate CertTemplate, -- Selected fields of cert to be issued
- controls Controls OPTIONAL } -- Attributes affecting issuance
+ certReqId INTEGER, -- ID for matching request and reply
+ certTemplate CertTemplate, -- Selected fields of cert to be issued
+ controls Controls OPTIONAL } -- Attributes affecting issuance
CertTemplate ::= SEQUENCE {
- version [0] Version OPTIONAL,
- serialNumber [1] INTEGER OPTIONAL,
- signingAlg [2] AlgorithmIdentifier OPTIONAL,
- issuer [3] Name OPTIONAL,
- validity [4] OptionalValidity OPTIONAL,
- subject [5] Name OPTIONAL,
- publicKey [6] SubjectPublicKeyInfo OPTIONAL,
- issuerUID [7] UniqueIdentifier OPTIONAL,
- subjectUID [8] UniqueIdentifier OPTIONAL,
- extensions [9] Extensions OPTIONAL }
+ version [0] Version OPTIONAL,
+ serialNumber [1] INTEGER OPTIONAL,
+ signingAlg [2] AlgorithmIdentifier OPTIONAL,
+ issuer [3] Name OPTIONAL,
+ validity [4] OptionalValidity OPTIONAL,
+ subject [5] Name OPTIONAL,
+ publicKey [6] SubjectPublicKeyInfo OPTIONAL,
+ issuerUID [7] UniqueIdentifier OPTIONAL,
+ subjectUID [8] UniqueIdentifier OPTIONAL,
+ extensions [9] Extensions OPTIONAL }
OptionalValidity ::= SEQUENCE {
- notBefore [0] Time OPTIONAL,
- notAfter [1] Time OPTIONAL } --at least one MUST be present
+ notBefore [0] Time OPTIONAL,
+ notAfter [1] Time OPTIONAL } -- at least one MUST be present
Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
- type OBJECT IDENTIFIER,
- value ANY }
+ type OBJECT IDENTIFIER,
+ value ANY DEFINED BY type }
ProofOfPossession ::= CHOICE {
- raVerified [0] NULL,
- -- used if the RA has already verified that the requester is in
- -- possession of the private key
- signature [1] POPOSigningKey,
- keyEncipherment [2] POPOPrivKey,
- keyAgreement [3] POPOPrivKey }
+ raVerified [0] NULL,
+ -- used if the RA has already verified that the requester is in
+ -- possession of the private key
+ signature [1] POPOSigningKey,
+ keyEncipherment [2] POPOPrivKey,
+ keyAgreement [3] POPOPrivKey }
POPOSigningKey ::= SEQUENCE {
- poposkInput [0] POPOSigningKeyInput OPTIONAL,
- algorithmIdentifier AlgorithmIdentifier,
- signature BIT STRING }
- -- The signature (using "algorithmIdentifier") is on the
- -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
- -- certReq CertTemplate contains the subject and publicKey values,
- -- then poposkInput MUST be omitted and the signature MUST be
- -- computed on the DER-encoded value of CertReqMsg certReq. If
- -- the CertReqMsg certReq CertTemplate does not contain the public
- -- key and subject values, then poposkInput MUST be present and
- -- MUST be signed. This strategy ensures that the public key is
- -- not present in both the poposkInput and CertReqMsg certReq
- -- CertTemplate fields.
+ poposkInput [0] POPOSigningKeyInput OPTIONAL,
+ algorithmIdentifier AlgorithmIdentifier,
+ signature BIT STRING }
+
+ -- The signature (using "algorithmIdentifier") is on the
+ -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
+ -- certReq CertTemplate contains the subject and publicKey values,
+ -- then poposkInput MUST be omitted and the signature MUST be
+ -- computed over the DER-encoded value of CertReqMsg certReq. If
+ -- the CertReqMsg certReq CertTemplate does not contain both the
+ -- public key and subject values (i.e., if it contains only one
+ -- of these, or neither), then poposkInput MUST be present and
+ -- MUST be signed.
POPOSigningKeyInput ::= SEQUENCE {
- authInfo CHOICE {
- sender [0] GeneralName,
- -- used only if an authenticated identity has been
- -- established for the sender (e.g., a DN from a
- -- previously-issued and currently-valid certificate
- publicKeyMAC PKMACValue },
- -- used if no authenticated GeneralName currently exists for
- -- the sender; publicKeyMAC contains a password-based MAC
- -- on the DER-encoded value of publicKey
- publicKey SubjectPublicKeyInfo } -- from CertTemplate
+ authInfo CHOICE {
+ sender [0] GeneralName,
+ -- used only if an authenticated identity has been
+ -- established for the sender (e.g., a DN from a
+ -- previously-issued and currently-valid certificate)
+ publicKeyMAC PKMACValue },
+ -- used if no authenticated GeneralName currently exists for
+ -- the sender; publicKeyMAC contains a password-based MAC
+ -- on the DER-encoded value of publicKey
+ publicKey SubjectPublicKeyInfo } -- from CertTemplate
PKMACValue ::= SEQUENCE {
- algId AlgorithmIdentifier,
- -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
- -- parameter value is PBMParameter
- value BIT STRING }
+algId AlgorithmIdentifier,
+-- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
+-- parameter value is PBMParameter
+value BIT STRING }
PBMParameter ::= SEQUENCE {
- salt OCTET STRING,
- owf AlgorithmIdentifier,
- -- AlgId for a One-Way Function (SHA-1 recommended)
- iterationCount INTEGER,
- -- number of times the OWF is applied
- mac AlgorithmIdentifier
- -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
-} -- or HMAC [RFC2104, RFC2202])
+ salt OCTET STRING,
+ owf AlgorithmIdentifier,
+ -- AlgId for a One-Way Function (SHA-1 recommended)
+ iterationCount INTEGER,
+ -- number of times the OWF is applied
+ mac AlgorithmIdentifier
+ -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+} -- or HMAC [HMAC, RFC2202])
POPOPrivKey ::= CHOICE {
- thisMessage [0] BIT STRING,
- -- posession is proven in this message (which contains the private
- -- key itself (encrypted for the CA))
- subsequentMessage [1] SubsequentMessage,
- -- possession will be proven in a subsequent message
- dhMAC [2] BIT STRING }
- -- for keyAgreement (only), possession is proven in this message
- -- (which contains a MAC (over the DER-encoded value of the
- -- certReq parameter in CertReqMsg, which MUST include both subject
- -- and publicKey) based on a key derived from the end entity's
- -- private DH key and the CA's public DH key);
- -- the dhMAC value MUST be calculated as per the directions given
- -- in Appendix A.
+ thisMessage [0] BIT STRING, -- Deprecated
+ -- possession is proven in this message (which contains the private
+ -- key itself (encrypted for the CA))
+ subsequentMessage [1] SubsequentMessage,
+ -- possession will be proven in a subsequent message
+ dhMAC [2] BIT STRING, -- Deprecated
+ agreeMAC [3] PKMACValue,
+ encryptedKey [4] EnvelopedData }
+
+ -- for keyAgreement (only), possession is proven in this message
+ -- (which contains a MAC (over the DER-encoded value of the
+ -- certReq parameter in CertReqMsg, which MUST include both subject
+ -- and publicKey) based on a key derived from the end entity's
+ -- private DH key and the CA's public DH key);
SubsequentMessage ::= INTEGER {
- encrCert (0),
- -- requests that resulting certificate be encrypted for the
- -- end entity (following which, POP will be proven in a
- -- confirmation message)
- challengeResp (1) }
- -- requests that CA engage in challenge-response exchange with
- -- end entity in order to prove private key possession
+ encrCert (0),
+ -- requests that resulting certificate be encrypted for the
+ -- end entity (following which, POP will be proven in a
+ -- confirmation message)
+ challengeResp (1) }
+ -- requests that CA engage in challenge-response exchange with
+ -- end entity in order to prove private key possession
-- Object identifier assignments --
-id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
-dod(6) internet(1) security(5) mechanisms(5) 7 }
-
--- arc for Internet X.509 PKI protocols and their components
-id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 }
-
-- Registration Controls in CRMF
id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 }
--- The following definition may be uncommented for use with
--- ASN.1 compilers which do not understand UTF8String.
-
--- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 }
--with syntax:
@@ -207,57 +199,66 @@ id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 }
--with syntax:
PKIPublicationInfo ::= SEQUENCE {
- action INTEGER {
- dontPublish (0),
- pleasePublish (1) },
- pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
- -- pubInfos MUST NOT be present if action is "dontPublish"
- -- (if action is "pleasePublish" and pubInfos is omitted,
- -- "dontCare" is assumed)
+action INTEGER {
+ dontPublish (0),
+ pleasePublish (1) },
+pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
+ -- pubInfos MUST NOT be present if action is "dontPublish"
+ -- (if action is "pleasePublish" and pubInfos is omitted,
+ -- "dontCare" is assumed)
SinglePubInfo ::= SEQUENCE {
- pubMethod INTEGER {
- dontCare (0),
- x500 (1),
- web (2),
- ldap (3) },
- pubLocation GeneralName OPTIONAL }
+ pubMethod INTEGER {
+ dontCare (0),
+ x500 (1),
+ web (2),
+ ldap (3) },
+ pubLocation GeneralName OPTIONAL }
id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 }
--with syntax:
PKIArchiveOptions ::= CHOICE {
- encryptedPrivKey [0] EncryptedKey,
- -- the actual value of the private key
- keyGenParameters [1] KeyGenParameters,
- -- parameters which allow the private key to be re-generated
- archiveRemGenPrivKey [2] BOOLEAN }
- -- set to TRUE if sender wishes receiver to archive the private
- -- key of a key pair which the receiver generates in response to
- -- this request; set to FALSE if no archival is desired.
+ encryptedPrivKey [0] EncryptedKey,
+ -- the actual value of the private key
+ keyGenParameters [1] KeyGenParameters,
+ -- parameters that allow the private key to be re-generated
+ archiveRemGenPrivKey [2] BOOLEAN }
+ -- set to TRUE if sender wishes receiver to archive the private
+ -- key of a key pair that the receiver generates in response to
+ -- this request; set to FALSE if no archival is desired.
EncryptedKey ::= CHOICE {
- encryptedValue EncryptedValue,
- envelopedData [0] EnvelopedData }
- -- The encrypted private key MUST be placed in the envelopedData
- -- encryptedContentInfo encryptedContent OCTET STRING.
-
+ encryptedValue EncryptedValue, -- Deprecated
+ envelopedData [0] EnvelopedData }
+ -- The encrypted private key MUST be placed in the envelopedData
+ -- encryptedContentInfo encryptedContent OCTET STRING.
EncryptedValue ::= SEQUENCE {
- intendedAlg [0] AlgorithmIdentifier OPTIONAL,
- -- the intended algorithm for which the value will be used
- symmAlg [1] AlgorithmIdentifier OPTIONAL,
- -- the symmetric algorithm used to encrypt the value
- encSymmKey [2] BIT STRING OPTIONAL,
- -- the (encrypted) symmetric key used to encrypt the value
- keyAlg [3] AlgorithmIdentifier OPTIONAL,
- -- algorithm used to encrypt the symmetric key
- valueHint [4] OCTET STRING OPTIONAL,
- -- a brief description or identifier of the encValue content
- -- (may be meaningful only to the sending entity, and used only
- -- if EncryptedValue might be re-examined by the sending entity
- -- in the future)
- encValue BIT STRING }
- -- the encrypted value itself
+ intendedAlg [0] AlgorithmIdentifier OPTIONAL,
+ -- the intended algorithm for which the value will be used
+ symmAlg [1] AlgorithmIdentifier OPTIONAL,
+ -- the symmetric algorithm used to encrypt the value
+ encSymmKey [2] BIT STRING OPTIONAL,
+ -- the (encrypted) symmetric key used to encrypt the value
+ keyAlg [3] AlgorithmIdentifier OPTIONAL,
+ -- algorithm used to encrypt the symmetric key
+ valueHint [4] OCTET STRING OPTIONAL,
+ -- a brief description or identifier of the encValue content
+ -- (may be meaningful only to the sending entity, and used only
+ -- if EncryptedValue might be re-examined by the sending entity
+ -- in the future)
+ encValue BIT STRING }
+ -- the encrypted value itself
+-- When EncryptedValue is used to carry a private key (as opposed to
+-- a certificate), implementations MUST support the encValue field
+-- containing an encrypted PrivateKeyInfo as defined in [PKCS11],
+-- section 12.11. If encValue contains some other format/encoding
+-- for the private key, the first octet of valueHint MAY be used
+-- to indicate the format/encoding (but note that the possible values
+-- of this octet are not specified at this time). In all cases, the
+-- intendedAlg field MUST be used to indicate at least the OID of
+-- the intended algorithm of the private key, unless this information
+-- is known a priori to both sender and receiver by some other means.
KeyGenParameters ::= OCTET STRING
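Review bot: The new member lines of PKIPublicationInfo at L1741-L1744 (`action INTEGER {` and `pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }`) sit at column 0 while every other SEQUENCE member in this hunk (SinglePubInfo, PKIArchiveOptions, EncryptedValue) is indented by two spaces; since `--` comments and member lines here are otherwise aligned consistently, these four lines should be indented the same way so the member list reads as one block. The same column-0 members appear in PKMACValue in the preceding hunk. Indentation is not significant to the ASN.1 compiler, so this is style only, but it is the kind of hand-massaging the commit message mentions and is easy to normalise before the file is committed.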
@@ -266,8 +267,8 @@ id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 }
OldCertId ::= CertId
CertId ::= SEQUENCE {
- issuer GeneralName,
- serialNumber INTEGER }
+ issuer GeneralName,
+ serialNumber INTEGER }
id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 }
--with syntax:
@@ -284,4 +285,27 @@ id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 }
--with syntax
CertReq ::= CertRequest
+-- id-ct-encKeyWithID is a new content type used for CMS objects.
+-- it contains both a private key and an identifier for key escrow
+-- agents to check against recovery requestors.
+
+id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
+
+EncKeyWithID ::= SEQUENCE {
+ privateKey PrivateKeyInfo,
+ identifier CHOICE {
+ string UTF8String,
+ generalName GeneralName
+ } OPTIONAL
+}
+
+PrivateKeyInfo ::= SEQUENCE {
+ version INTEGER,
+ privateKeyAlgorithm AlgorithmIdentifier,
+ privateKey OCTET STRING,
+ attributes [0] IMPLICIT Attributes OPTIONAL
+}
+
+Attributes ::= SET OF Attribute
+
END
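Review bot: `id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}` at L1848 references `id-ct`, which is neither defined in this hunk nor among the OID assignments this commit removes from the module (the id-pkix/id-pkip definitions in the first hunk), so it presumably comes from the IMPORTS section at the top of the module, which is outside this view; worth confirming it resolves, otherwise the module does not compile. `PrivateKeyInfo` at L1858 is a fresh local definition whose `privateKey OCTET STRING` field is the key material itself; the comment block at L1844-L1846 describes EncKeyWithID as a CMS content type for key escrow but does not say that the structure is expected only as encrypted CMS content. A one-line comment above L1858 such as `-- local definition; carried only inside encrypted CMS content (see id-ct-encKeyWithID above)` would make the intended use explicit for anyone reading the generated dissector output, where a PrivateKeyInfo decoded in the clear is worth noticing.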
diff --git a/asn1/pkixcrmf/Makefile b/asn1/pkixcrmf/Makefile
index f624d00452..3fc2742987 100644
--- a/asn1/pkixcrmf/Makefile
+++ b/asn1/pkixcrmf/Makefile
@@ -7,7 +7,7 @@ all: generate_dissector
generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py CRMF.asn packet-crmf-template.c packet-crmf-template.h crmf.cnf
- python ../../tools/asn2wrs.py -b -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn
+ python ../../tools/asn2wrs.py -b -X -T -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn
clean:
rm -f parsetab.py $(DISSECTOR_FILES)
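Review bot: The prerequisite list of the `$(DISSECTOR_FILES)` rule at L1874 does not include the conformance files that crmf.cnf pulls in via `#.INCLUDE` (`../cms/cms-exp.cnf` and `../pkix1explicit/pkix1explicit_exp.cnf`, visible in the crmf.cnf hunk), so editing those exported definitions will not regenerate the dissector; the same gap exists in the Makefile.nmake hunk that follows. The dependency line should read `$(DISSECTOR_FILES): ../../tools/asn2wrs.py CRMF.asn packet-crmf-template.c packet-crmf-template.h crmf.cnf ../cms/cms-exp.cnf ../pkix1explicit/pkix1explicit_exp.cnf` (plus any other included conformance file not shown here). Separately, the recipe invokes a bare `python` while the nmake variant uses `$(PYTHON)`; using a `PYTHON ?= python` variable here would keep the two build files consistent and let the interpreter be overridden. The `all`, `generate_dissector` and `clean` targets also have no visible `.PHONY` declaration, though that may be set in the part of the file outside this hunk.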
diff --git a/asn1/pkixcrmf/Makefile.nmake b/asn1/pkixcrmf/Makefile.nmake
index 505677ce94..7aa239d1e6 100644
--- a/asn1/pkixcrmf/Makefile.nmake
+++ b/asn1/pkixcrmf/Makefile.nmake
@@ -15,7 +15,7 @@ generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py CRMF.asn packet-crmf-template.c packet-crmf-template.h crmf.cnf
!IFDEF PYTHON
- $(PYTHON) "../../tools/asn2wrs.py" -b -e -p $(PROTOCOL_NAME) -c crmf.cnf -s packet-crmf-template CRMF.asn
+ $(PYTHON) "../../tools/asn2wrs.py" -b -X -T -e -p $(PROTOCOL_NAME) -c crmf.cnf -s packet-crmf-template CRMF.asn
!ELSE
@echo Error: You need Python to use asn2wrs.py
@exit 1
diff --git a/asn1/pkixcrmf/crmf-exp.cnf b/asn1/pkixcrmf/crmf-exp.cnf
index f47a763ac4..2df5382d8d 100644
--- a/asn1/pkixcrmf/crmf-exp.cnf
+++ b/asn1/pkixcrmf/crmf-exp.cnf
@@ -4,7 +4,7 @@
# ../../tools/asn2wrs.py -b -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn
#.MODULE
-CRMF crmf
+PKIXCRMF-2005 crmf
#.END
#.IMPORT_TAG
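Review bot: The generating command recorded in the header context at L1896 (`# ../../tools/asn2wrs.py -b -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn`) no longer matches the invocation the Makefile now uses, which adds `-X -T`; if this file is meant to be produced by the `-e` run as that header suggests, the mismatch indicates it was hand-edited rather than regenerated, and the two could drift. Either regenerate crmf-exp.cnf from the updated build so the header becomes `# ../../tools/asn2wrs.py -b -X -T -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn`, or add a note at the top stating that the file is maintained by hand.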
@@ -35,6 +35,9 @@ CertId BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
ProtocolEncrKey BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
UTF8Pairs BER_CLASS_UNI BER_UNI_TAG_UTF8String
CertReq BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+EncKeyWithID BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+PrivateKeyInfo BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+Attributes BER_CLASS_UNI BER_UNI_TAG_SET
#.END
#.TYPE_ATTR
@@ -65,5 +68,8 @@ CertId TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL
ProtocolEncrKey TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
UTF8Pairs TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
CertReq TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+EncKeyWithID TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+PrivateKeyInfo TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+Attributes TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
#.END
diff --git a/asn1/pkixcrmf/crmf.cnf b/asn1/pkixcrmf/crmf.cnf
index 2b902b1f5f..55567b4b72 100644
--- a/asn1/pkixcrmf/crmf.cnf
+++ b/asn1/pkixcrmf/crmf.cnf
@@ -6,6 +6,7 @@
#.MODULE_IMPORT
PKIX1Explicit88 pkix1explicit
PKIX1Implicit88 pkix1implicit
+CryptographicMessageSyntax2004 cms
#.INCLUDE ../cms/cms-exp.cnf
#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
@@ -13,6 +14,7 @@ PKIX1Implicit88 pkix1implicit
#.EXPORTS
Authenticator
+Attributes
AttributeTypeAndValue
CertId
CertReq
@@ -21,6 +23,7 @@ CertReqMsg
CertRequest
CertTemplate
Controls
+EncKeyWithID
EncryptedKey
EncryptedValue
KeyGenParameters
@@ -33,6 +36,7 @@ PKMACValue
POPOPrivKey
POPOSigningKey
POPOSigningKeyInput
+PrivateKeyInfo
ProofOfPossession
ProtocolEncrKey
RegToken
@@ -41,7 +45,12 @@ SubsequentMessage
UTF8Pairs
#.REGISTER
-PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac"
+CertId B "1.3.6.1.5.5.7.5.1.5" "id-regCtrl-oldCertID"
+CertRequest B "1.3.6.1.5.5.7.5.2.2" "id-regInfo-certReq"
+EncKeyWithID B "1.2.840.113549.1.9.16.1.21" "id-ct-encKeyWithID"
+PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac"
+ProtocolEncrKey B "1.3.6.1.5.5.7.5.1.6" "id-regCtrl-protocolEncrKey"
+UTF8Pairs B "1.3.6.1.5.5.7.5.2.1" "id-regInfo-utf8Pairs"
#.NO_EMIT
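Review bot: The new `#.REGISTER` line for id-regInfo-certReq at L1958 binds the OID to `CertRequest`, whereas the module defines the syntax for that OID as the alias `CertReq ::= CertRequest` (L1843) and `CertReq` is already in the `#.EXPORTS` list; registering `CertReq` instead, i.e. `CertReq B "1.3.6.1.5.5.7.5.2.2" "id-regInfo-certReq"`, would keep the registered name aligned with the ASN.1 module and presumably label the decoded field with the name the RFC uses. The OID values themselves agree with the arcs shown in the ASN.1 hunks (id-regCtrl = {id-pkip 1}, oldCertID = {id-regCtrl 5}, protocolEncrKey = {id-regCtrl 6}, certReq = {id-regInfo 2}), so that part checks out; a short comment above the block noting that these literals mirror the OID assignments in CRMF.asn and must be kept in step with it would help the next person who edits either file.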
@@ -51,6 +60,8 @@ PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac"
CertTemplate/issuer template_issuer
POPOSigningKey/signature sk_signature
PKMACValue/value pkmac_value
+PrivateKeyInfo/version privkey_version
+EncKeyWithID/privateKey enckeywid_privkey
#.FN_PARS AttributeTypeAndValue/type
FN_VARIANT = _str HF_INDEX = hf_crmf_type_oid VAL_PTR = &object_identifier_id