forked from osmocom/wireshark
288 lines
11 KiB
Groff
288 lines
11 KiB
Groff
-- This ASN1 definition is taken from RFC2511 and modified to pass through
|
|
-- the ASN2ETH compiler.
|
|
--
|
|
-- The copyright statement from the original description in RFC2511
|
|
-- follows below:
|
|
--
|
|
--
|
|
-- Full Copyright Statement
|
|
--
|
|
-- Copyright (C) The Internet Society (1999). All Rights Reserved.
|
|
--
|
|
-- This document and translations of it may be copied and furnished to
|
|
-- others, and derivative works that comment on or otherwise explain it
|
|
-- or assist in its implementation may be prepared, copied, published
|
|
-- and distributed, in whole or in part, without restriction of any
|
|
-- kind, provided that the above copyright notice and this paragraph are
|
|
-- included on all such copies and derivative works. However, this
|
|
-- document itself may not be modified in any way, such as by removing
|
|
-- the copyright notice or references to the Internet Society or other
|
|
-- Internet organizations, except as needed for the purpose of
|
|
-- developing Internet standards in which case the procedures for
|
|
-- copyrights defined in the Internet Standards process must be
|
|
-- followed, or as required to translate it into languages other than
|
|
-- English.
|
|
--
|
|
-- The limited permissions granted above are perpetual and will not be
|
|
-- revoked by the Internet Society or its successors or assigns.
|
|
--
|
|
-- This document and the information contained herein is provided on an
|
|
-- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
|
-- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
|
-- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
|
-- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
|
-- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
--PKIXCRMF {iso(1) identified-organization(3) dod(6) internet(1)
|
|
-- security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf(5)}
|
|
|
|
CRMF DEFINITIONS IMPLICIT TAGS ::=
|
|
BEGIN
|
|
|
|
IMPORTS
|
|
-- Directory Authentication Framework (X.509)
|
|
AlgorithmIdentifier, Name,
|
|
SubjectPublicKeyInfo, Extensions
|
|
FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
|
|
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
|
|
id-pkix1-explicit-88(1)}
|
|
|
|
-- Certificate Extensions (X.509)
|
|
GeneralName
|
|
FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
|
|
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
|
|
id-pkix1-implicit-88(2)}
|
|
|
|
-- Cryptographic Message Syntax
|
|
EnvelopedData
|
|
FROM CryptographicMessageSyntax { iso(1) member-body(2)
|
|
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
|
|
modules(0) cms(1) };
|
|
|
|
|
|
--copied in from pkix1explicit
|
|
Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
|
UniqueIdentifier ::= BIT STRING
|
|
Time ::= CHOICE {
|
|
utcTime UTCTime,
|
|
generalTime GeneralizedTime }
|
|
|
|
|
|
|
|
CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
|
|
|
|
CertReqMsg ::= SEQUENCE {
|
|
certReq CertRequest,
|
|
pop ProofOfPossession OPTIONAL,
|
|
-- content depends upon key type
|
|
regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL }
|
|
|
|
CertRequest ::= SEQUENCE {
|
|
certReqId INTEGER, -- ID for matching request and reply
|
|
certTemplate CertTemplate, -- Selected fields of cert to be issued
|
|
controls Controls OPTIONAL } -- Attributes affecting issuance
|
|
|
|
CertTemplate ::= SEQUENCE {
|
|
version [0] Version OPTIONAL,
|
|
serialNumber [1] INTEGER OPTIONAL,
|
|
signingAlg [2] AlgorithmIdentifier OPTIONAL,
|
|
issuer [3] Name OPTIONAL,
|
|
validity [4] OptionalValidity OPTIONAL,
|
|
subject [5] Name OPTIONAL,
|
|
publicKey [6] SubjectPublicKeyInfo OPTIONAL,
|
|
issuerUID [7] UniqueIdentifier OPTIONAL,
|
|
subjectUID [8] UniqueIdentifier OPTIONAL,
|
|
extensions [9] Extensions OPTIONAL }
|
|
|
|
OptionalValidity ::= SEQUENCE {
|
|
notBefore [0] Time OPTIONAL,
|
|
notAfter [1] Time OPTIONAL } --at least one MUST be present
|
|
|
|
Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue
|
|
|
|
AttributeTypeAndValue ::= SEQUENCE {
|
|
type OBJECT IDENTIFIER,
|
|
value ANY }
|
|
|
|
ProofOfPossession ::= CHOICE {
|
|
raVerified [0] NULL,
|
|
-- used if the RA has already verified that the requester is in
|
|
-- possession of the private key
|
|
signature [1] POPOSigningKey,
|
|
keyEncipherment [2] POPOPrivKey,
|
|
keyAgreement [3] POPOPrivKey }
|
|
|
|
POPOSigningKey ::= SEQUENCE {
|
|
poposkInput [0] POPOSigningKeyInput OPTIONAL,
|
|
algorithmIdentifier AlgorithmIdentifier,
|
|
signature BIT STRING }
|
|
-- The signature (using "algorithmIdentifier") is on the
|
|
-- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
|
|
-- certReq CertTemplate contains the subject and publicKey values,
|
|
-- then poposkInput MUST be omitted and the signature MUST be
|
|
-- computed on the DER-encoded value of CertReqMsg certReq. If
|
|
-- the CertReqMsg certReq CertTemplate does not contain the public
|
|
-- key and subject values, then poposkInput MUST be present and
|
|
-- MUST be signed. This strategy ensures that the public key is
|
|
-- not present in both the poposkInput and CertReqMsg certReq
|
|
-- CertTemplate fields.
|
|
|
|
POPOSigningKeyInput ::= SEQUENCE {
|
|
authInfo CHOICE {
|
|
sender [0] GeneralName,
|
|
-- used only if an authenticated identity has been
|
|
-- established for the sender (e.g., a DN from a
|
|
-- previously-issued and currently-valid certificate
|
|
publicKeyMAC PKMACValue },
|
|
-- used if no authenticated GeneralName currently exists for
|
|
-- the sender; publicKeyMAC contains a password-based MAC
|
|
-- on the DER-encoded value of publicKey
|
|
publicKey SubjectPublicKeyInfo } -- from CertTemplate
|
|
|
|
PKMACValue ::= SEQUENCE {
|
|
algId AlgorithmIdentifier,
|
|
-- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
|
|
-- parameter value is PBMParameter
|
|
value BIT STRING }
|
|
|
|
PBMParameter ::= SEQUENCE {
|
|
salt OCTET STRING,
|
|
owf AlgorithmIdentifier,
|
|
-- AlgId for a One-Way Function (SHA-1 recommended)
|
|
iterationCount INTEGER,
|
|
-- number of times the OWF is applied
|
|
mac AlgorithmIdentifier
|
|
-- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
|
|
} -- or HMAC [RFC2104, RFC2202])
|
|
|
|
POPOPrivKey ::= CHOICE {
|
|
thisMessage [0] BIT STRING,
|
|
-- posession is proven in this message (which contains the private
|
|
-- key itself (encrypted for the CA))
|
|
subsequentMessage [1] SubsequentMessage,
|
|
-- possession will be proven in a subsequent message
|
|
dhMAC [2] BIT STRING }
|
|
-- for keyAgreement (only), possession is proven in this message
|
|
-- (which contains a MAC (over the DER-encoded value of the
|
|
-- certReq parameter in CertReqMsg, which MUST include both subject
|
|
-- and publicKey) based on a key derived from the end entity's
|
|
-- private DH key and the CA's public DH key);
|
|
-- the dhMAC value MUST be calculated as per the directions given
|
|
-- in Appendix A.
|
|
|
|
SubsequentMessage ::= INTEGER {
|
|
encrCert (0),
|
|
-- requests that resulting certificate be encrypted for the
|
|
-- end entity (following which, POP will be proven in a
|
|
-- confirmation message)
|
|
challengeResp (1) }
|
|
-- requests that CA engage in challenge-response exchange with
|
|
-- end entity in order to prove private key possession
|
|
|
|
-- Object identifier assignments --
|
|
|
|
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
|
|
dod(6) internet(1) security(5) mechanisms(5) 7 }
|
|
|
|
-- arc for Internet X.509 PKI protocols and their components
|
|
id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 }
|
|
|
|
-- Registration Controls in CRMF
|
|
id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 }
|
|
|
|
-- The following definition may be uncommented for use with
|
|
-- ASN.1 compilers which do not understand UTF8String.
|
|
|
|
-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
|
|
|
|
id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 }
|
|
--with syntax:
|
|
RegToken ::= UTF8String
|
|
|
|
id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 }
|
|
--with syntax:
|
|
Authenticator ::= UTF8String
|
|
|
|
id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 }
|
|
--with syntax:
|
|
|
|
PKIPublicationInfo ::= SEQUENCE {
|
|
action INTEGER {
|
|
dontPublish (0),
|
|
pleasePublish (1) },
|
|
pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
|
|
-- pubInfos MUST NOT be present if action is "dontPublish"
|
|
-- (if action is "pleasePublish" and pubInfos is omitted,
|
|
-- "dontCare" is assumed)
|
|
|
|
SinglePubInfo ::= SEQUENCE {
|
|
pubMethod INTEGER {
|
|
dontCare (0),
|
|
x500 (1),
|
|
web (2),
|
|
ldap (3) },
|
|
pubLocation GeneralName OPTIONAL }
|
|
|
|
id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 }
|
|
--with syntax:
|
|
PKIArchiveOptions ::= CHOICE {
|
|
encryptedPrivKey [0] EncryptedKey,
|
|
-- the actual value of the private key
|
|
keyGenParameters [1] KeyGenParameters,
|
|
-- parameters which allow the private key to be re-generated
|
|
archiveRemGenPrivKey [2] BOOLEAN }
|
|
-- set to TRUE if sender wishes receiver to archive the private
|
|
-- key of a key pair which the receiver generates in response to
|
|
-- this request; set to FALSE if no archival is desired.
|
|
|
|
EncryptedKey ::= CHOICE {
|
|
encryptedValue EncryptedValue,
|
|
envelopedData [0] EnvelopedData }
|
|
-- The encrypted private key MUST be placed in the envelopedData
|
|
-- encryptedContentInfo encryptedContent OCTET STRING.
|
|
|
|
|
|
EncryptedValue ::= SEQUENCE {
|
|
intendedAlg [0] AlgorithmIdentifier OPTIONAL,
|
|
-- the intended algorithm for which the value will be used
|
|
symmAlg [1] AlgorithmIdentifier OPTIONAL,
|
|
-- the symmetric algorithm used to encrypt the value
|
|
encSymmKey [2] BIT STRING OPTIONAL,
|
|
-- the (encrypted) symmetric key used to encrypt the value
|
|
keyAlg [3] AlgorithmIdentifier OPTIONAL,
|
|
-- algorithm used to encrypt the symmetric key
|
|
valueHint [4] OCTET STRING OPTIONAL,
|
|
-- a brief description or identifier of the encValue content
|
|
-- (may be meaningful only to the sending entity, and used only
|
|
-- if EncryptedValue might be re-examined by the sending entity
|
|
-- in the future)
|
|
encValue BIT STRING }
|
|
-- the encrypted value itself
|
|
|
|
KeyGenParameters ::= OCTET STRING
|
|
|
|
id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 }
|
|
--with syntax:
|
|
OldCertId ::= CertId
|
|
|
|
CertId ::= SEQUENCE {
|
|
issuer GeneralName,
|
|
serialNumber INTEGER }
|
|
|
|
id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 }
|
|
--with syntax:
|
|
ProtocolEncrKey ::= SubjectPublicKeyInfo
|
|
|
|
-- Registration Info in CRMF
|
|
id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 }
|
|
|
|
id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= { id-regInfo 1 }
|
|
--with syntax
|
|
UTF8Pairs ::= UTF8String
|
|
|
|
id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 }
|
|
--with syntax
|
|
CertReq ::= CertRequest
|
|
|
|
END
|