312 lines
11 KiB
Groff
312 lines
11 KiB
Groff
-- Extracted from RFC4211
|
|
-- by Martin Peylo <martin.peylo@nsn.com>
|
|
--
|
|
-- Changes to make it work with asn2wrs:
|
|
-- - none
|
|
--
|
|
-- The copyright statement from the original description in RFC4211
|
|
-- follows below:
|
|
--
|
|
-- Full Copyright Statement
|
|
--
|
|
-- Copyright (C) The Internet Society (2005).
|
|
--
|
|
-- This document is subject to the rights, licenses and restrictions
|
|
-- contained in BCP 78, and except as set forth therein, the authors
|
|
-- retain all their rights.
|
|
--
|
|
-- This document and the information contained herein are provided on an
|
|
-- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
|
-- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
|
-- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
|
-- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
|
-- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|
-- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
|
|
PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6) internet(1)
|
|
security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005(36)}
|
|
|
|
DEFINITIONS IMPLICIT TAGS ::=
|
|
BEGIN
|
|
|
|
IMPORTS
|
|
-- Directory Authentication Framework (X.509)
|
|
Version, AlgorithmIdentifier, Name, Time,
|
|
SubjectPublicKeyInfo, Extensions, UniqueIdentifier, Attribute
|
|
FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
|
|
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
|
|
id-pkix1-explicit(18)} -- found in [PROFILE]
|
|
|
|
-- Certificate Extensions (X.509)
|
|
GeneralName
|
|
FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
|
|
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
|
|
id-pkix1-implicit(19)} -- found in [PROFILE]
|
|
|
|
-- Cryptographic Message Syntax
|
|
EnvelopedData
|
|
FROM CryptographicMessageSyntax2004 { iso(1) member-body(2)
|
|
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
|
|
modules(0) cms-2004(24) }; -- found in [CMS]
|
|
|
|
-- The following definition may be uncommented for use with
|
|
-- ASN.1 compilers that do not understand UTF8String.
|
|
|
|
-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
|
|
-- The contents of this type correspond to RFC 2279.
|
|
|
|
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
|
|
dod(6) internet(1) security(5) mechanisms(5) 7 }
|
|
|
|
-- arc for Internet X.509 PKI protocols and their components
|
|
|
|
id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 }
|
|
|
|
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
|
|
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
|
|
|
|
id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types
|
|
|
|
-- Core definitions for this module
|
|
|
|
CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
|
|
|
|
CertReqMsg ::= SEQUENCE {
|
|
certReq CertRequest,
|
|
popo ProofOfPossession OPTIONAL,
|
|
-- content depends upon key type
|
|
regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL }
|
|
|
|
CertRequest ::= SEQUENCE {
|
|
certReqId INTEGER, -- ID for matching request and reply
|
|
certTemplate CertTemplate, -- Selected fields of cert to be issued
|
|
controls Controls OPTIONAL } -- Attributes affecting issuance
|
|
|
|
CertTemplate ::= SEQUENCE {
|
|
version [0] Version OPTIONAL,
|
|
serialNumber [1] INTEGER(MIN..MAX) OPTIONAL, -- Wireshark extension to get 64 bit handling
|
|
signingAlg [2] AlgorithmIdentifier OPTIONAL,
|
|
issuer [3] Name OPTIONAL,
|
|
validity [4] OptionalValidity OPTIONAL,
|
|
subject [5] Name OPTIONAL,
|
|
publicKey [6] SubjectPublicKeyInfo OPTIONAL,
|
|
issuerUID [7] UniqueIdentifier OPTIONAL,
|
|
subjectUID [8] UniqueIdentifier OPTIONAL,
|
|
extensions [9] Extensions OPTIONAL }
|
|
|
|
OptionalValidity ::= SEQUENCE {
|
|
notBefore [0] Time OPTIONAL,
|
|
notAfter [1] Time OPTIONAL } -- at least one MUST be present
|
|
|
|
Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue
|
|
|
|
AttributeTypeAndValue ::= SEQUENCE {
|
|
type OBJECT IDENTIFIER,
|
|
value ANY DEFINED BY type }
|
|
|
|
ProofOfPossession ::= CHOICE {
|
|
raVerified [0] NULL,
|
|
-- used if the RA has already verified that the requester is in
|
|
-- possession of the private key
|
|
signature [1] POPOSigningKey,
|
|
keyEncipherment [2] POPOPrivKey,
|
|
keyAgreement [3] POPOPrivKey }
|
|
|
|
POPOSigningKey ::= SEQUENCE {
|
|
poposkInput [0] POPOSigningKeyInput OPTIONAL,
|
|
algorithmIdentifier AlgorithmIdentifier,
|
|
signature BIT STRING }
|
|
|
|
-- The signature (using "algorithmIdentifier") is on the
|
|
-- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
|
|
-- certReq CertTemplate contains the subject and publicKey values,
|
|
-- then poposkInput MUST be omitted and the signature MUST be
|
|
-- computed over the DER-encoded value of CertReqMsg certReq. If
|
|
-- the CertReqMsg certReq CertTemplate does not contain both the
|
|
-- public key and subject values (i.e., if it contains only one
|
|
-- of these, or neither), then poposkInput MUST be present and
|
|
-- MUST be signed.
|
|
|
|
POPOSigningKeyInput ::= SEQUENCE {
|
|
authInfo CHOICE {
|
|
sender [0] GeneralName,
|
|
-- used only if an authenticated identity has been
|
|
-- established for the sender (e.g., a DN from a
|
|
-- previously-issued and currently-valid certificate)
|
|
publicKeyMAC PKMACValue },
|
|
-- used if no authenticated GeneralName currently exists for
|
|
-- the sender; publicKeyMAC contains a password-based MAC
|
|
-- on the DER-encoded value of publicKey
|
|
publicKey SubjectPublicKeyInfo } -- from CertTemplate
|
|
|
|
PKMACValue ::= SEQUENCE {
|
|
algId AlgorithmIdentifier,
|
|
-- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
|
|
-- parameter value is PBMParameter
|
|
value BIT STRING }
|
|
|
|
PBMParameter ::= SEQUENCE {
|
|
salt OCTET STRING,
|
|
owf AlgorithmIdentifier,
|
|
-- AlgId for a One-Way Function (SHA-1 recommended)
|
|
iterationCount INTEGER,
|
|
-- number of times the OWF is applied
|
|
mac AlgorithmIdentifier
|
|
-- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
|
|
} -- or HMAC [HMAC, RFC2202])
|
|
|
|
POPOPrivKey ::= CHOICE {
|
|
thisMessage [0] BIT STRING, -- Deprecated
|
|
-- possession is proven in this message (which contains the private
|
|
-- key itself (encrypted for the CA))
|
|
subsequentMessage [1] SubsequentMessage,
|
|
-- possession will be proven in a subsequent message
|
|
dhMAC [2] BIT STRING, -- Deprecated
|
|
agreeMAC [3] PKMACValue,
|
|
encryptedKey [4] EnvelopedData }
|
|
|
|
-- for keyAgreement (only), possession is proven in this message
|
|
-- (which contains a MAC (over the DER-encoded value of the
|
|
-- certReq parameter in CertReqMsg, which MUST include both subject
|
|
-- and publicKey) based on a key derived from the end entity's
|
|
-- private DH key and the CA's public DH key);
|
|
|
|
SubsequentMessage ::= INTEGER {
|
|
encrCert (0),
|
|
-- requests that resulting certificate be encrypted for the
|
|
-- end entity (following which, POP will be proven in a
|
|
-- confirmation message)
|
|
challengeResp (1) }
|
|
-- requests that CA engage in challenge-response exchange with
|
|
-- end entity in order to prove private key possession
|
|
|
|
-- Object identifier assignments --
|
|
|
|
-- Registration Controls in CRMF
|
|
id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 }
|
|
|
|
|
|
id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 }
|
|
--with syntax:
|
|
RegToken ::= UTF8String
|
|
|
|
id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 }
|
|
--with syntax:
|
|
Authenticator ::= UTF8String
|
|
|
|
id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 }
|
|
--with syntax:
|
|
|
|
PKIPublicationInfo ::= SEQUENCE {
|
|
action INTEGER {
|
|
dontPublish (0),
|
|
pleasePublish (1) },
|
|
pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
|
|
-- pubInfos MUST NOT be present if action is "dontPublish"
|
|
-- (if action is "pleasePublish" and pubInfos is omitted,
|
|
-- "dontCare" is assumed)
|
|
|
|
SinglePubInfo ::= SEQUENCE {
|
|
pubMethod INTEGER {
|
|
dontCare (0),
|
|
x500 (1),
|
|
web (2),
|
|
ldap (3) },
|
|
pubLocation GeneralName OPTIONAL }
|
|
|
|
id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 }
|
|
--with syntax:
|
|
PKIArchiveOptions ::= CHOICE {
|
|
encryptedPrivKey [0] EncryptedKey,
|
|
-- the actual value of the private key
|
|
keyGenParameters [1] KeyGenParameters,
|
|
-- parameters that allow the private key to be re-generated
|
|
archiveRemGenPrivKey [2] BOOLEAN }
|
|
-- set to TRUE if sender wishes receiver to archive the private
|
|
-- key of a key pair that the receiver generates in response to
|
|
-- this request; set to FALSE if no archival is desired.
|
|
|
|
EncryptedKey ::= CHOICE {
|
|
encryptedValue EncryptedValue, -- Deprecated
|
|
envelopedData [0] EnvelopedData }
|
|
-- The encrypted private key MUST be placed in the envelopedData
|
|
-- encryptedContentInfo encryptedContent OCTET STRING.
|
|
|
|
EncryptedValue ::= SEQUENCE {
|
|
intendedAlg [0] AlgorithmIdentifier OPTIONAL,
|
|
-- the intended algorithm for which the value will be used
|
|
symmAlg [1] AlgorithmIdentifier OPTIONAL,
|
|
-- the symmetric algorithm used to encrypt the value
|
|
encSymmKey [2] BIT STRING OPTIONAL,
|
|
-- the (encrypted) symmetric key used to encrypt the value
|
|
keyAlg [3] AlgorithmIdentifier OPTIONAL,
|
|
-- algorithm used to encrypt the symmetric key
|
|
valueHint [4] OCTET STRING OPTIONAL,
|
|
-- a brief description or identifier of the encValue content
|
|
-- (may be meaningful only to the sending entity, and used only
|
|
-- if EncryptedValue might be re-examined by the sending entity
|
|
-- in the future)
|
|
encValue BIT STRING }
|
|
-- the encrypted value itself
|
|
-- When EncryptedValue is used to carry a private key (as opposed to
|
|
-- a certificate), implementations MUST support the encValue field
|
|
-- containing an encrypted PrivateKeyInfo as defined in [PKCS11],
|
|
-- section 12.11. If encValue contains some other format/encoding
|
|
-- for the private key, the first octet of valueHint MAY be used
|
|
-- to indicate the format/encoding (but note that the possible values
|
|
-- of this octet are not specified at this time). In all cases, the
|
|
-- intendedAlg field MUST be used to indicate at least the OID of
|
|
-- the intended algorithm of the private key, unless this information
|
|
-- is known a priori to both sender and receiver by some other means.
|
|
|
|
KeyGenParameters ::= OCTET STRING
|
|
|
|
id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 }
|
|
--with syntax:
|
|
OldCertId ::= CertId
|
|
|
|
CertId ::= SEQUENCE {
|
|
issuer GeneralName,
|
|
serialNumber INTEGER(MIN..MAX) } -- Wireshark extension to get 64 bit handling
|
|
|
|
id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 }
|
|
--with syntax:
|
|
ProtocolEncrKey ::= SubjectPublicKeyInfo
|
|
|
|
-- Registration Info in CRMF
|
|
id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 }
|
|
|
|
id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= { id-regInfo 1 }
|
|
--with syntax
|
|
UTF8Pairs ::= UTF8String
|
|
|
|
id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 }
|
|
--with syntax
|
|
CertReq ::= CertRequest
|
|
|
|
-- id-ct-encKeyWithID is a new content type used for CMS objects.
|
|
-- it contains both a private key and an identifier for key escrow
|
|
-- agents to check against recovery requestors.
|
|
|
|
id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
|
|
|
|
EncKeyWithID ::= SEQUENCE {
|
|
privateKey PrivateKeyInfo,
|
|
identifier CHOICE {
|
|
string UTF8String,
|
|
generalName GeneralName
|
|
} OPTIONAL
|
|
}
|
|
|
|
PrivateKeyInfo ::= SEQUENCE {
|
|
version INTEGER,
|
|
privateKeyAlgorithm AlgorithmIdentifier,
|
|
privateKey OCTET STRING,
|
|
attributes [0] IMPLICIT Attributes OPTIONAL
|
|
}
|
|
|
|
Attributes ::= SET OF Attribute
|
|
|
|
END
|