e0945a4762
svn path=/trunk/; revision=12828
404 lines
16 KiB
Groff
404 lines
16 KiB
Groff
-- This ASN.1 definition is taken from RFC2510 and modified to pass
|
|
-- through the ASN2ETH compiler.
|
|
--
|
|
-- The original copyright statement from RFC2510 follows below:
|
|
--
|
|
-- Full Copyright Statement
|
|
--
|
|
-- Copyright (C) The Internet Society (1999). All Rights Reserved.
|
|
--
|
|
-- This document and translations of it may be copied and furnished to
|
|
-- others, and derivative works that comment on or otherwise explain it
|
|
-- or assist in its implementation may be prepared, copied, published
|
|
-- and distributed, in whole or in part, without restriction of any
|
|
-- kind, provided that the above copyright notice and this paragraph are
|
|
-- included on all such copies and derivative works. However, this
|
|
-- document itself may not be modified in any way, such as by removing
|
|
-- the copyright notice or references to the Internet Society or other
|
|
-- Internet organizations, except as needed for the purpose of
|
|
-- developing Internet standards in which case the procedures for
|
|
-- copyrights defined in the Internet Standards process must be
|
|
-- followed, or as required to translate it into languages other than
|
|
-- English.
|
|
--
|
|
-- The limited permissions granted above are perpetual and will not be
|
|
-- revoked by the Internet Society or its successors or assigns.
|
|
--
|
|
-- This document and the information contained herein is provided on an
|
|
-- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
|
-- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
|
-- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
|
-- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
|
-- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
--
|
|
|
|
|
|
--PKIXCMP {iso(1) identified-organization(3) dod(6) internet(1)
|
|
-- security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-cmp(9)}
|
|
|
|
CMP DEFINITIONS EXPLICIT TAGS ::=
|
|
|
|
BEGIN
|
|
|
|
-- EXPORTS ALL --
|
|
|
|
IMPORTS
|
|
|
|
Certificate, CertificateList, Extensions, AlgorithmIdentifier
|
|
FROM PKIX1Explicit88 {iso(1) identified-organization(3)
|
|
dod(6) internet(1) security(5) mechanisms(5) pkix(7)
|
|
id-mod(0) id-pkix1-explicit-88(1)}
|
|
|
|
GeneralName, ReasonFlags
|
|
FROM PKIX1Implicit88 {iso(1) identified-organization(3)
|
|
dod(6) internet(1) security(5) mechanisms(5) pkix(7)
|
|
id-mod(0) id-pkix1-implicit-88(2)}
|
|
|
|
CertTemplate, PKIPublicationInfo, EncryptedValue, CertId,
|
|
CertReqMessages
|
|
FROM PKIXCRMF {iso(1) identified-organization(3)
|
|
dod(6) internet(1) security(5) mechanisms(5) pkix(7)
|
|
id-mod(0) id-mod-crmf(5)};
|
|
|
|
-- CertificationRequest
|
|
-- FROM PKCS10 {no standard ASN.1 module defined;
|
|
-- implementers need to create their own module to import
|
|
-- from, or directly include the PKCS10 syntax in this module}
|
|
|
|
KeyIdentifier ::= OCTET STRING
|
|
|
|
PKIMessage ::= SEQUENCE {
|
|
header PKIHeader,
|
|
body PKIBody,
|
|
protection [0] PKIProtection OPTIONAL,
|
|
extraCerts [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL
|
|
}
|
|
|
|
PKIHeader ::= SEQUENCE {
|
|
pvno INTEGER { ietf-version2 (1) },
|
|
sender GeneralName,
|
|
-- identifies the sender
|
|
recipient GeneralName,
|
|
-- identifies the intended recipient
|
|
messageTime [0] GeneralizedTime OPTIONAL,
|
|
-- time of production of this message (used when sender
|
|
-- believes that the transport will be "suitable"; i.e.,
|
|
-- that the time will still be meaningful upon receipt)
|
|
protectionAlg [1] AlgorithmIdentifier OPTIONAL,
|
|
-- algorithm used for calculation of protection bits
|
|
senderKID [2] KeyIdentifier OPTIONAL,
|
|
recipKID [3] KeyIdentifier OPTIONAL,
|
|
-- to identify specific keys used for protection
|
|
transactionID [4] OCTET STRING OPTIONAL,
|
|
-- identifies the transaction; i.e., this will be the same in
|
|
-- corresponding request, response and confirmation messages
|
|
senderNonce [5] OCTET STRING OPTIONAL,
|
|
recipNonce [6] OCTET STRING OPTIONAL,
|
|
-- nonces used to provide replay protection, senderNonce
|
|
-- is inserted by the creator of this message; recipNonce
|
|
-- is a nonce previously inserted in a related message by
|
|
-- the intended recipient of this message
|
|
freeText [7] PKIFreeText OPTIONAL,
|
|
-- this may be used to indicate context-specific instructions
|
|
-- (this field is intended for human consumption)
|
|
generalInfo [8] SEQUENCE SIZE (1..MAX) OF
|
|
InfoTypeAndValue OPTIONAL
|
|
-- this may be used to convey context-specific information
|
|
-- (this field not primarily intended for human consumption)
|
|
}
|
|
|
|
PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
|
|
-- text encoded as UTF-8 String (note: each UTF8String SHOULD
|
|
-- include an RFC 1766 language tag to indicate the language
|
|
-- of the contained text)
|
|
|
|
|
|
PKIBody ::= CHOICE { -- message-specific body elements
|
|
ir [0] CertReqMessages, --Initialization Request
|
|
ip [1] CertRepMessage, --Initialization Response
|
|
cr [2] CertReqMessages, --Certification Request
|
|
cp [3] CertRepMessage, --Certification Response
|
|
--XXX dont know what this one looks like yet
|
|
-- p10cr [4] CertificationRequest,
|
|
--imported from [PKCS10]
|
|
popdecc [5] POPODecKeyChallContent, --pop Challenge
|
|
popdecr [6] POPODecKeyRespContent, --pop Response
|
|
kur [7] CertReqMessages, --Key Update Request
|
|
kup [8] CertRepMessage, --Key Update Response
|
|
krr [9] CertReqMessages, --Key Recovery Request
|
|
krp [10] KeyRecRepContent, --Key Recovery Response
|
|
rr [11] RevReqContent, --Revocation Request
|
|
rp [12] RevRepContent, --Revocation Response
|
|
ccr [13] CertReqMessages, --Cross-Cert. Request
|
|
ccp [14] CertRepMessage, --Cross-Cert. Response
|
|
ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
|
|
cann [16] CertAnnContent, --Certificate Ann.
|
|
rann [17] RevAnnContent, --Revocation Ann.
|
|
crlann [18] CRLAnnContent, --CRL Announcement
|
|
conf [19] PKIConfirmContent, --Confirmation
|
|
nested [20] NestedMessageContent, --Nested Message
|
|
genm [21] GenMsgContent, --General Message
|
|
genp [22] GenRepContent, --General Response
|
|
error [23] ErrorMsgContent --Error Message
|
|
}
|
|
|
|
PKIProtection ::= BIT STRING
|
|
|
|
ProtectedPart ::= SEQUENCE {
|
|
header PKIHeader,
|
|
body PKIBody
|
|
}
|
|
|
|
PasswordBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 13}
|
|
|
|
PBMParameter ::= SEQUENCE {
|
|
salt OCTET STRING,
|
|
owf AlgorithmIdentifier,
|
|
-- AlgId for a One-Way Function (SHA-1 recommended)
|
|
iterationCount INTEGER,
|
|
-- number of times the OWF is applied
|
|
mac AlgorithmIdentifier
|
|
-- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
|
|
} -- or HMAC [RFC2104, RFC2202])
|
|
|
|
DHBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 30}
|
|
|
|
DHBMParameter ::= SEQUENCE {
|
|
owf AlgorithmIdentifier,
|
|
-- AlgId for a One-Way Function (SHA-1 recommended)
|
|
mac AlgorithmIdentifier
|
|
-- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
|
|
} -- or HMAC [RFC2104, RFC2202])
|
|
|
|
|
|
NestedMessageContent ::= PKIMessage
|
|
|
|
PKIStatus ::= INTEGER {
|
|
granted (0),
|
|
-- you got exactly what you asked for
|
|
grantedWithMods (1),
|
|
-- you got something like what you asked for; the
|
|
-- requester is responsible for ascertaining the differences
|
|
rejection (2),
|
|
-- you don't get it, more information elsewhere in the message
|
|
waiting (3),
|
|
-- the request body part has not yet been processed,
|
|
-- expect to hear more later
|
|
revocationWarning (4),
|
|
-- this message contains a warning that a revocation is
|
|
-- imminent
|
|
revocationNotification (5),
|
|
-- notification that a revocation has occurred
|
|
keyUpdateWarning (6)
|
|
-- update already done for the oldCertId specified in
|
|
-- CertReqMsg
|
|
}
|
|
|
|
PKIFailureInfo ::= BIT STRING {
|
|
-- since we can fail in more than one way!
|
|
-- More codes may be added in the future if/when required.
|
|
badAlg (0),
|
|
-- unrecognized or unsupported Algorithm Identifier
|
|
badMessageCheck (1),
|
|
-- integrity check failed (e.g., signature did not verify)
|
|
badRequest (2),
|
|
-- transaction not permitted or supported
|
|
badTime (3),
|
|
-- messageTime was not sufficiently close to the system time,
|
|
-- as defined by local policy
|
|
badCertId (4),
|
|
-- no certificate could be found matching the provided criteria
|
|
badDataFormat (5),
|
|
-- the data submitted has the wrong format
|
|
wrongAuthority (6),
|
|
-- the authority indicated in the request is different from the
|
|
-- one creating the response token
|
|
incorrectData (7),
|
|
-- the requester's data is incorrect (for notary services)
|
|
missingTimeStamp (8),
|
|
-- when the timestamp is missing but should be there (by policy)
|
|
badPOP (9)
|
|
-- the proof-of-possession failed
|
|
}
|
|
|
|
PKIStatusInfo ::= SEQUENCE {
|
|
status PKIStatus,
|
|
statusString PKIFreeText OPTIONAL,
|
|
failInfo PKIFailureInfo OPTIONAL
|
|
}
|
|
|
|
OOBCert ::= Certificate
|
|
|
|
OOBCertHash ::= SEQUENCE {
|
|
hashAlg [0] AlgorithmIdentifier OPTIONAL,
|
|
certId [1] CertId OPTIONAL,
|
|
hashVal BIT STRING
|
|
-- hashVal is calculated over DER encoding of the
|
|
-- subjectPublicKey field of the corresponding cert.
|
|
}
|
|
|
|
POPODecKeyChallContent ::= SEQUENCE OF Challenge
|
|
-- One Challenge per encryption key certification request (in the
|
|
-- same order as these requests appear in CertReqMessages).
|
|
|
|
Challenge ::= SEQUENCE {
|
|
owf AlgorithmIdentifier OPTIONAL,
|
|
-- MUST be present in the first Challenge; MAY be omitted in any
|
|
-- subsequent Challenge in POPODecKeyChallContent (if omitted,
|
|
-- then the owf used in the immediately preceding Challenge is
|
|
-- to be used).
|
|
witness OCTET STRING,
|
|
-- the result of applying the one-way function (owf) to a
|
|
-- randomly-generated INTEGER, A. [Note that a different
|
|
-- INTEGER MUST be used for each Challenge.]
|
|
challenge OCTET STRING
|
|
-- the encryption (under the public key for which the cert.
|
|
-- request is being made) of Rand, where Rand is specified as
|
|
-- Rand ::= SEQUENCE {
|
|
-- int INTEGER,
|
|
-- - the randomly-generated INTEGER A (above)
|
|
-- sender GeneralName
|
|
-- - the sender's name (as included in PKIHeader)
|
|
-- }
|
|
}
|
|
|
|
POPODecKeyRespContent ::= SEQUENCE OF INTEGER
|
|
-- One INTEGER per encryption key certification request (in the
|
|
-- same order as these requests appear in CertReqMessages). The
|
|
-- retrieved INTEGER A (above) is returned to the sender of the
|
|
-- corresponding Challenge.
|
|
|
|
|
|
CertRepMessage ::= SEQUENCE {
|
|
caPubs [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL,
|
|
response SEQUENCE OF CertResponse
|
|
}
|
|
|
|
CertResponse ::= SEQUENCE {
|
|
certReqId INTEGER,
|
|
-- to match this response with corresponding request (a value
|
|
-- of -1 is to be used if certReqId is not specified in the
|
|
-- corresponding request)
|
|
status PKIStatusInfo,
|
|
certifiedKeyPair CertifiedKeyPair OPTIONAL,
|
|
rspInfo OCTET STRING OPTIONAL
|
|
-- analogous to the id-regInfo-asciiPairs OCTET STRING defined
|
|
-- for regInfo in CertReqMsg [CRMF]
|
|
}
|
|
|
|
CertifiedKeyPair ::= SEQUENCE {
|
|
certOrEncCert CertOrEncCert,
|
|
privateKey [0] EncryptedValue OPTIONAL,
|
|
publicationInfo [1] PKIPublicationInfo OPTIONAL
|
|
}
|
|
|
|
CertOrEncCert ::= CHOICE {
|
|
certificate [0] Certificate,
|
|
encryptedCert [1] EncryptedValue
|
|
}
|
|
|
|
KeyRecRepContent ::= SEQUENCE {
|
|
status PKIStatusInfo,
|
|
newSigCert [0] Certificate OPTIONAL,
|
|
caCerts [1] SEQUENCE SIZE (1..MAX) OF
|
|
Certificate OPTIONAL,
|
|
keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
|
|
CertifiedKeyPair OPTIONAL
|
|
}
|
|
|
|
RevReqContent ::= SEQUENCE OF RevDetails
|
|
|
|
RevDetails ::= SEQUENCE {
|
|
certDetails CertTemplate,
|
|
-- allows requester to specify as much as they can about
|
|
-- the cert. for which revocation is requested
|
|
-- (e.g., for cases in which serialNumber is not available)
|
|
revocationReason ReasonFlags OPTIONAL,
|
|
-- the reason that revocation is requested
|
|
badSinceDate GeneralizedTime OPTIONAL,
|
|
-- indicates best knowledge of sender
|
|
crlEntryDetails Extensions OPTIONAL
|
|
-- requested crlEntryExtensions
|
|
}
|
|
|
|
RevRepContent ::= SEQUENCE {
|
|
status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
|
|
-- in same order as was sent in RevReqContent
|
|
revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
|
|
-- IDs for which revocation was requested (same order as status)
|
|
crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
|
|
-- the resulting CRLs (there may be more than one)
|
|
}
|
|
|
|
|
|
CAKeyUpdAnnContent ::= SEQUENCE {
|
|
oldWithNew Certificate, -- old pub signed with new priv
|
|
newWithOld Certificate, -- new pub signed with old priv
|
|
newWithNew Certificate -- new pub signed with new priv
|
|
}
|
|
|
|
CertAnnContent ::= Certificate
|
|
|
|
RevAnnContent ::= SEQUENCE {
|
|
status PKIStatus,
|
|
certId CertId,
|
|
willBeRevokedAt GeneralizedTime,
|
|
badSinceDate GeneralizedTime,
|
|
crlDetails Extensions OPTIONAL
|
|
-- extra CRL details(e.g., crl number, reason, location, etc.)
|
|
}
|
|
|
|
CRLAnnContent ::= SEQUENCE OF CertificateList
|
|
|
|
PKIConfirmContent ::= NULL
|
|
|
|
InfoTypeAndValue ::= SEQUENCE {
|
|
infoType OBJECT IDENTIFIER,
|
|
infoValue ANY OPTIONAL
|
|
}
|
|
-- Example InfoTypeAndValue contents include, but are not limited to:
|
|
-- { CAProtEncCert = {id-it 1}, Certificate }
|
|
-- { SignKeyPairTypes = {id-it 2}, SEQUENCE OF AlgorithmIdentifier }
|
|
-- { EncKeyPairTypes = {id-it 3}, SEQUENCE OF AlgorithmIdentifier }
|
|
-- { PreferredSymmAlg = {id-it 4}, AlgorithmIdentifier }
|
|
-- { CAKeyUpdateInfo = {id-it 5}, CAKeyUpdAnnContent }
|
|
-- { CurrentCRL = {id-it 6}, CertificateList }
|
|
-- where {id-it} = {id-pkix 4} = {1 3 6 1 5 5 7 4}
|
|
-- This construct MAY also be used to define new PKIX Certificate
|
|
-- Management Protocol request and response messages, or general-
|
|
-- purpose (e.g., announcement) messages for future needs or for
|
|
-- specific environments.
|
|
|
|
GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
|
|
|
|
-- May be sent by EE, RA, or CA (depending on message content).
|
|
-- The OPTIONAL infoValue parameter of InfoTypeAndValue will typically
|
|
-- be omitted for some of the examples given above. The receiver is
|
|
-- free to ignore any contained OBJ. IDs that it does not recognize.
|
|
-- If sent from EE to CA, the empty set indicates that the CA may send
|
|
-- any/all information that it wishes.
|
|
|
|
GenRepContent ::= SEQUENCE OF InfoTypeAndValue
|
|
-- The receiver is free to ignore any contained OBJ. IDs that it does
|
|
-- not recognize.
|
|
|
|
ErrorMsgContent ::= SEQUENCE {
|
|
pKIStatusInfo PKIStatusInfo,
|
|
errorCode INTEGER OPTIONAL,
|
|
-- implementation-specific error codes
|
|
errorDetails PKIFreeText OPTIONAL
|
|
-- implementation-specific error details
|
|
}
|
|
|
|
|
|
|
|
-- The following definition is provided for compatibility reasons with
|
|
-- 1988 and 1993 ASN.1 compilers which allow the use of UNIVERSAL class
|
|
-- tags (not a part of formal ASN.1); 1997 and subsequent compilers
|
|
-- SHOULD comment out this line.
|
|
--
|
|
--UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
|
|
|
|
END
|
|
|