draft-ietf-smime-new-asn1-01.txt   draft-ietf-smime-new-asn1-02.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Updates: 3370, 3565, 3851, 3852, J. Schaad Updates: 3370, 3565, 3851, 3852, J. Schaad
4108, 4998, 5035, 5083, 5084 Soaring Hawk Consulting 4108, 4998, 5035, 5083, 5084 Soaring Hawk Consulting
(if approved) July 10, 2008 (if approved) January 9, 2009
Intended status: Standards Track Intended status: Standards Track
Expires: January 11, 2009 Expires: July 13, 2009
New ASN.1 Modules for CMS and S/MIME New ASN.1 Modules for CMS and S/MIME
draft-ietf-smime-new-asn1-01.txt draft-ietf-smime-new-asn1-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted to IETF in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79.
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 11, 2009. This Internet-Draft will expire on July 13, 2009.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Abstract Abstract
The Cryptographic Message Syntax (CMS) format, and many associated The Cryptographic Message Syntax (CMS) format, and many associated
formats, are expressed using ASN.1. The current ASN.1 modules formats, are expressed using ASN.1. The current ASN.1 modules
conform to the 1988 version of ASN.1. This document updates those conform to the 1988 version of ASN.1. This document updates those
ASN.1 modules to conform to the 2002 version of ASN.1. There are no ASN.1 modules to conform to the 2002 version of ASN.1. There are no
bits-on-the-wire changes to any of the formats; this is simply a bits-on-the-wire changes to any of the formats; this is simply a
change to the syntax. change to the syntax.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.1. More Modules To Be Added . . . . . . . . . . . . . . . 4 1.2. Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.2. Algorithm Structure . . . . . . . . . . . . . . . . . 4 1.2.1. Module OIDs Changing . . . . . . . . . . . . . . . . . 4
1.1.3. Module OIDs Changing . . . . . . . . . . . . . . . . . 4 2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 5
2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 4 3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 14
3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 12
4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 19 4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 19
5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 19 5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 21
6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 22 6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 24
7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 32 7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 34
8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 37 8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 40
9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 39 9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 41
10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 45 10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 48
11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 46 11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 48
12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 46 12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 51
13. Security Considerations . . . . . . . . . . . . . . . . . . . 53 13. Security Considerations . . . . . . . . . . . . . . . . . . . 58
14. Normative References . . . . . . . . . . . . . . . . . . . . . 53 14. Normative References . . . . . . . . . . . . . . . . . . . . . 58
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 54 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 59
A.1. Changes between draft-hoffman-cms-new-asn1-00 and A.1. Changes between draft-hoffman-cms-new-asn1-00 and
draft-ietf-smime-new-asn1-00 . . . . . . . . . . . . . . . 55 draft-ietf-smime-new-asn1-00 . . . . . . . . . . . . . . . 59
A.2. Changes between draft-ietf-smime-new-asn1-00 and -01 . . . 55 A.2. Changes between draft-ietf-smime-new-asn1-00 and -01 . . . 60
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 55 A.3. Changes between draft-ietf-smime-new-asn1-01 and -02 . . . 60
Intellectual Property and Copyright Statements . . . . . . . . . . 56 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60
1. Introduction 1. Introduction
Some developers would like the IETF to use the latest version of Some developers would like the IETF to use the latest version of
ASN.1 in its standards. Most of the RFCs that relate to security ASN.1 in its standards. Most of the RFCs that relate to security
protocols still use ASN.1 from the 1988 standard, which has been protocols still use ASN.1 from the 1988 standard, which has been
deprecated. This is particularly true for the standards that relate deprecated. This is particularly true for the standards that relate
to PKIX, CMS, and S/MIME. to PKIX, CMS, and S/MIME.
This document updates the following RFCs to use ASN.1 modules that This document updates the following RFCs to use ASN.1 modules that
skipping to change at page 4, line 5 skipping to change at page 4, line 5
in [NEW-PKIX] can stand on their own and do not need to import in [NEW-PKIX] can stand on their own and do not need to import
definitions from anywhere else. definitions from anywhere else.
The document also includes a module of common defintions called The document also includes a module of common defintions called
"AlgorithmInformation". These definitions are used here and in "AlgorithmInformation". These definitions are used here and in
[NEW-PKIX]. [NEW-PKIX].
Note that some of the modules here import definitions from the common Note that some of the modules here import definitions from the common
definitions module, "PKIX-CommonTypes", in [NEW-PKIX]. definitions module, "PKIX-CommonTypes", in [NEW-PKIX].
1.1. Issues 1.1. Design Notes
This section will be removed before final publication. The modules in this document use the object model available in the
2002 ASN.1 documents to a great extent. Objects for each of the
different algorithm types are defined. Also, all of the places where
in the 1988 ASN.1 syntax had ANY holes to allow for variable syntax
now have objects.
1.1.1. More Modules To Be Added Much like the way that the PKIX and S/MIME working groups use the
prefix of id- for object identifiers, this document has also adopted
a set of two, three, and four letter prefixes to allow for quick
identification of the type of an object based on its name. This
allows, for example, the same back half of the name to be used for
the different objects. Thus, "id-sha1" is the object identifier,
while "mda-sha1" is the message digest object for "sha1".
There are many modules from standards-track RFCs that are not listed One or more object sets for the different type of algorithms are
in this document or the companion document on PKIX. We will discuss defined. A single consistent name for each of the different
with the two communities which modules are appropriate for the two algorithm types is used. For example, an object set named PublicKeys
documents. We will also consider making "super-modules", individual might contain the public keys defined in that module. If no public
modules which might update multiple RFCs at one time. We may also keys are defined, then the object set is not created. When
add objects to some of the modules. referencing these objects sets when imported, one needs to be able to
disambiguate between the different modules. This is done by using
both the module name (as specified in the IMPORT statement) and the
object set name. For example, in the module for RFC 5280:
1.1.2. Algorithm Structure PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }
Algorithms are currently not defined here. We need to discuss what PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
structure we want for algorithm objects. Currently, we just do PKIX1-PSS-OAEP-Algorithms.PublicKeys }
"parameter, OID", but we could add more. Because we don't know what
the final structure is, the object sets in the various modules are
commented out. We will fix this before finishing this project.
1.1.3. Module OIDs Changing 1.2. Issues
This section will be removed before final publication.
1.2.1. Module OIDs Changing
The OIDs given in the modules in this version of the document are the The OIDs given in the modules in this version of the document are the
same as the OIDs from the original modules, even though some of the same as the OIDs from the original modules, even though some of the
modules have changed syntax. That is clearly incorrect. In a later modules have changed syntax. That is clearly incorrect. In a later
version of this document, we will change the OIDs for every changed version of this document, we will change the OIDs for every changed
module. module. The WG (hopefully in coordination with the PKIX WG) needs to
determine how to do this and what the result will be.
2. ASN.1 Module AlgorithmInformation 2. ASN.1 Module AlgorithmInformation
This section contains a module that is imported by many other modules This section contains a module that is imported by many other modules
in this document and in [NEW-PKIX]. This module does not come from in this document and in [NEW-PKIX]. This module does not come from
any existing RFC. any existing RFC.
AlgorithmInformation AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
DEFINITIONS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS ; IMPORTS
KeyUsage
FROM PKIX1Implicit88
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit(19) }
;
-- Suggested prefixes for algorithm objects are: -- Suggested prefixes for algorithm objects are:
-- --
-- mda- Message Digest Algorithms -- mda- Message Digest Algorithms
-- sa- Signature Algorithms -- sa- Signature Algorithms
-- kta- Key Transport Algorithms (Asymetric) -- kta- Key Transport Algorithms (Asymetric)
-- kaa- Key Agreement Algorithms (Asymetric) -- kaa- Key Agreement Algorithms (Asymetric)
-- kwa- Key Wrap Algorithms (Symetric) -- kwa- Key Wrap Algorithms (Symetric)
-- kda- Key Derivation Algorithms -- kda- Key Derivation Algorithms
-- maca- Message Authentication Code Algorithms -- maca- Message Authentication Code Algorithms
-- pk- Public Key -- pk- Public Key
-- sea- Symmetric Encryption Algorithm -- cea- Content (symetric) Encryption Algorithm
-- cap- S/MIME Capabilities
ParamOptions ::= ENUMERATED { ParamOptions ::= ENUMERATED {
required, -- Parameters MUST be encoded in structure required, -- Parameters MUST be encoded in structure
preferedPresent, -- Parameters SHOULD be encoded in structure preferredPresent, -- Parameters SHOULD be encoded in structure
preferedAbsent, -- Parameters SHOULD NOT be encoded in structure preferredAbsent, -- Parameters SHOULD NOT be encoded in structure
absent, -- Parameters MUST NOT be encoded in structure absent, -- Parameters MUST NOT be encoded in structure
notPresent, inheritable, -- Parameters are inheritied if not present
inheritable -- Parameters are inheritied if not present optional, -- Parameters MAY be encoded in the structure
...
} }
-- DIGEST-ALGORITHM -- DIGEST-ALGORITHM
-- --
-- Describes the basic information for ASN.1 and a digest -- Describes the basic information for ASN.1 and a digest
-- algorithm. -- algorithm.
-- --
-- &id - contains the OID identifying the digest algorithm -- &id - contains the OID identifying the digest algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- --
-- Additional information such as the length of the hash could also -- Additional information such as the length of the hash could also
-- be encoded. -- be encoded.
-- --
-- Example: -- Example:
-- sha1 DIGEST-ALGORITHM ::= { -- sha1 DIGEST-ALGORITHM ::= {
-- IDENTIFIER id-sha1 -- IDENTIFIER id-sha1
-- PARAM NULL -- PARAM TYPE NULL ARE preferredAbsent
-- PARMS ARE preferedAbsent
-- } -- }
DIGEST-ALGORITHM ::= CLASS { DIGEST-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER, &id OBJECT IDENTIFIER,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required &paramPresence ParamOptions DEFAULT absent
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [&Params] [ARE &paramPresence] ] [PARAMS [TYPE &Params] [ARE &paramPresence] ]
} }
-- SIGNATURE-ALGORITHM -- SIGNATURE-ALGORITHM
-- --
-- Describes the basic properities of a signature algorithm -- Describes the basic properities of a signature algorithm
-- --
-- &id - contains the OID identifying the signature algoithm -- &id - contains the OID identifying the signature algoithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &HashSet - The set of hash algorithms used with this -- &HashSet - The set of hash algorithms used with this
-- signature algoirthm -- signature algoirthm
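Review bot: In the DIGEST-ALGORITHM example comment on the new side, the line "PARAM TYPE NULL ARE preferredAbsent" uses the keyword "PARAM", but the WITH SYNTAX clause of the class spells it "PARAMS" ("[PARAMS [TYPE &Params] [ARE &paramPresence] ]"), so the example does not match the class it documents; change it to "PARAMS TYPE NULL ARE preferredAbsent". The same class changes "&paramPresence" from "DEFAULT required" to "DEFAULT absent" while "ARE" stays optional inside the "PARAMS" group, so an object written with "PARAMS TYPE X" and no "ARE" now carries a parameter type together with a presence of "absent". Either make "ARE" mandatory once "PARAMS" is given, or state in the header comment how that combination is to be read.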
skipping to change at page 6, line 19 skipping to change at page 6, line 45
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &HashSet - The set of hash algorithms used with this -- &HashSet - The set of hash algorithms used with this
-- signature algoirthm -- signature algoirthm
-- &PublicKeySet - the set of public key algorithms for this -- &PublicKeySet - the set of public key algorithms for this
-- signature algorithm -- signature algorithm
-- Example: -- Example:
-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= { -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER id-RSASSA-PSS -- IDENTIFIER id-RSASSA-PSS
-- PARAMS RSASSA-PSS-params -- PARAMS TYPE RSASSA-PSS-params ARE required
-- ARE required -- HASHES {sha1 | md5, ... }
-- HASH SET {sha1 | md5, ... } -- PUBLIC KEYS { pk-rsa | pk-rsa-pss }
-- PUBLIC KEY SET { pk-rsa | pk-rsa-pss }
-- } -- }
SIGNATURE-ALGORITHM ::= CLASS { SIGNATURE-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER, &id OBJECT IDENTIFIER,
&Params OPTIONAL, &Params OPTIONAL,
&Value OPTIONAL, &Value OPTIONAL,
&paramPresence ParamOptions DEFAULT required, &paramPresence ParamOptions DEFAULT absent,
&HashSet DIGEST-ALGORITHM OPTIONAL, &HashSet DIGEST-ALGORITHM OPTIONAL,
&PublicKeySet PUBLIC-KEY OPTIONAL &PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[VALUE &Value] [VALUE &Value]
[PARAMS [&Params] ARE &paramPresence ] [PARAMS [TYPE &Params] ARE &paramPresence ]
[USES &HashSet] [HASHES &HashSet]
[PUBKEYS &PublicKeySet] [PUBLIC KEYS &PublicKeySet]
[SMIME CAPS &smimeCaps]
} }
-- PUBLIC-KEY -- PUBLIC-KEY
-- --
-- Describes the basic properities of a public key -- Describes the basic properities of a public key
-- --
-- &id - contains the OID identifying the public key -- &id - contains the OID identifying the public key
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &KeyValue - contains the type for the key value -- &KeyValue - contains the type for the key value
-- --
-- Could add information about the keyUsage bits -- Could add information about the keyUsage bits
-- --
-- Example: -- Example:
-- pk-rsa-pss PUBLIC-KEY ::= { -- pk-rsa-pss PUBLIC-KEY ::= {
-- IDENTIFIER id-RSASSA-PSS -- IDENTIFIER id-RSASSA-PSS
-- KEY RSAPublicKey -- KEY RSAPublicKey
-- HAS PARAMS RSASSA-PSS-params -- PARAMS TYPE RSASSA-PSS-params ARE optional
-- PARAMS ARE optional -- KEY USAGE BITS { .... }
-- } -- }
PUBLIC-KEY ::= CLASS { PUBLIC-KEY ::= CLASS {
&id OBJECT IDENTIFIER, &id OBJECT IDENTIFIER,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required, &paramPresence ParamOptions DEFAULT absent,
&KeyValue, &KeyValue OPTIONAL,
&PrivateKey OPTIONAL &PrivateKey OPTIONAL,
&keyUsage KeyUsage OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
KEY &KeyValue [KEY &KeyValue]
[PARAMS [&Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[CERT KEY USAGE &keyUsage]
[PRIVATE KEY &PrivateKey] [PRIVATE KEY &PrivateKey]
} }
-- KEY-TRANSPORT -- KEY-TRANSPORT
-- --
-- Describes the basic properities of a key transport algorithm -- Describes the basic properities of a key transport algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
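Review bot: In the PUBLIC-KEY example on the new side, "KEY USAGE BITS { .... }" does not match the keyword sequence the class now defines, "[CERT KEY USAGE &keyUsage]", so the example cannot be read against the WITH SYNTAX that follows it; write it as "CERT KEY USAGE { ... }" with the intended KeyUsage bits. The header comment still says "Could add information about the keyUsage bits" and has no entry for "&keyUsage" or "&PrivateKey", and the SIGNATURE-ALGORITHM field list has no entry for "&Value" or the new "&smimeCaps"; bring both field lists in line with the classes. "&KeyValue" also becomes OPTIONAL here ("[KEY &KeyValue]"), which deserves a sentence on when a public key object may omit its key type.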
skipping to change at page 7, line 46 skipping to change at page 8, line 27
-- Example: -- Example:
-- rsaTransport KEY-TRANSPORT ::= { -- rsaTransport KEY-TRANSPORT ::= {
-- &id rsaEncryption -- &id rsaEncryption
-- &Params NULL -- &Params NULL
-- &paramPresence required -- &paramPresence required
-- &PublicKeySet { pk-rsa | pk-rsa-pss } -- &PublicKeySet { pk-rsa | pk-rsa-pss }
-- } -- }
KEY-TRANSPORT ::= CLASS { KEY-TRANSPORT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params, &Params OPTIONAL,
&paramPresnce ParamOptions, &paramPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL &PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence]
[PUBLIC KEYS &PublicKeySet]
[SMIME CAPS &smimeCaps]
} }
-- KEY-AGREE -- KEY-AGREE
-- --
-- Describes the basic properities of a key agreement algorithm -- Describes the basic properities of a key agreement algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &Ukm - type of user keying material used -- &Ukm - type of user keying material used
-- &PublicKeySet - specify which public keys are used with -- &PublicKeySet - specify which public keys are used with
-- this algorithm -- this algorithm
-- --
-- Additional items could be a restricted set of key wrap algoithms -- Additional items could be a restricted set of key wrap algoithms
-- --
-- Example: -- Example:
-- dh-static-ephemerial KEY-TRANSPORT ::= { -- dh-static-ephemerial KEY-AGREE ::= {
-- &id id-alg-ESDH -- IDENTIFIER id-alg-ESDH
-- &Params KeyWrapAlgorithm -- PARAMS TYPE KeyWrapAlgorithm ARE required
-- &paramPresence required
-- - - user key material is not ASN.1 encoded. -- - - user key material is not ASN.1 encoded.
-- &PublicKeySet { -- PUBLIC KEYS {
-- {IDENTIFIER dh-public-number KEY DHPublicKey -- {IDENTIFIER dh-public-number KEY DHPublicKey
-- HASH PARAMS DHDomainParamters PARAMS ARE inheritable } -- HASH PARAMS DHDomainParamters PARAMS ARE inheritable }
-- } -- }
-- - - UKM should be present, but is not separately
-- - - ASN.1 encoded
-- UKM ARE preferredPresent
-- } -- }
KEY-AGREE ::= CLASS { KEY-AGREE ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required, &paramPresence ParamOptions DEFAULT absent,
&Ukm OPTIONAL, &Ukm OPTIONAL,
&PublicKeySet PUBLIC-KEY OPTIONAL &ukmPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [&Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[PUBLIC KEY &PublicKeySet] [PUBLIC KEYS &PublicKeySet]
[UKM &Ukm] [UKM [TYPE &Ukm] ARE &ukmPresence]
[SMIME CAPS &smimeCaps]
} }
-- KEY-WRAP -- KEY-WRAP
-- --
-- Describes the basic properities of a key wrap algorithm -- Describes the basic properities of a key wrap algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
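Review bot: The KEY-TRANSPORT example at the top of this hunk is unchanged and still uses raw field notation ("&id rsaEncryption", "&Params NULL", "&paramPresence required"), while the new side gives the class a WITH SYNTAX clause beginning "IDENTIFIER &id", so the example no longer follows the syntax of its own class; convert it the way the KEY-AGREE example was converted ("IDENTIFIER ... PARAMS TYPE ... ARE ... PUBLIC KEYS { ... }"). In the KEY-AGREE example the nested public key object still reads "HASH PARAMS DHDomainParamters PARAMS ARE inheritable", which does not fit the PUBLIC-KEY syntax "[PARAMS [TYPE &Params] ARE &paramPresence]", and the retained comment "user key material is not ASN.1 encoded." now sits before "PUBLIC KEYS" and repeats the new UKM comment; drop the older line. The KEY-AGREE header should also gain entries for "&ukmPresence" and "&smimeCaps".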
skipping to change at page 9, line 4 skipping to change at page 9, line 44
-- KEY-WRAP -- KEY-WRAP
-- --
-- Describes the basic properities of a key wrap algorithm -- Describes the basic properities of a key wrap algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- --
-- Example: -- Example:
-- cms3DESwrap KEY-WRAP ::= { -- cms3DESwrap KEY-WRAP ::= {
-- &id id-alg-CMS3DESwrap -- IDENTIFIER id-alg-CMS3DESwrap
-- &Params NULL -- PARAMS TYPE NULL ARE required
-- &paramPresence required
-- } -- }
KEY-WRAP ::= CLASS { KEY-WRAP ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required &paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [&Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME CAPS &smimeCaps]
} }
-- KEY-DERIVATION -- KEY-DERIVATION
-- --
-- Describes the basic properities of a key transport algorithm -- Describes the basic properities of a key transport algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- --
-- Could add information about defaults for the derivation algorithm -- Could add information about defaults for the derivation algorithm
-- such as PRFs -- such as PRFs
-- --
-- Example: -- Example:
-- pbkdf2 KEY-DERIVATION ::= { -- pbkdf2 KEY-DERIVATION ::= {
-- &id id-PBKF2 -- IDENTIFIER id-PBKF2
-- &Params PBKDF2-params -- PARAMS TYPE PBKDF2-params ARE required
-- &paramPresence required
-- } -- }
KEY-DERIVATION ::= CLASS { KEY-DERIVATION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required &paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
PARAMS [&Params] ARE &paramPresence [PARAMS [TYPE &Params] ARE &paramPresence]
} [SMIME CAPS &smimeCaps]
-- BULK-ENCRYPTION
--
-- Describes the basic properities of a bulk encryption algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement
--
-- Example:
-- aes128 BULK-ENCRYPTION ::= {
-- &id id-aes128-CBC
-- &Params AES-IV
-- &paramPresence required
-- }
BULK-ENCRYPTION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params,
&paramPresence ParamOptions DEFAULT required
} WITH SYNTAX {
OID &id
PARAMS &Params [ARE &paramPresence]
} }
-- MAC-ALGORITHM -- MAC-ALGORITHM
-- --
-- Describes the basic properities of a key transport algorithm -- Describes the basic properities of a key transport algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &keyed - MAC algorithm is a keyed MAC algorithm
-- --
-- It would make sense to also add minimum and maximum MAC lengths -- It would make sense to also add minimum and maximum MAC lengths
-- --
-- Example: -- Example:
-- hmac-sha1 MAC-ALGORITHM ::= { -- maca-hmac-sha1 MAC-ALGORITHM ::= {
-- &id hMAC-SHA1 -- IDENTIFIER hMAC-SHA1
-- &Params NULL -- PARAMS TYPE NULL ARE perferedAbsent
-- &paramPresence perferedAbsent
-- } -- }
MAC-ALGORITHM ::= CLASS { MAC-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required &paramPresence ParamOptions DEFAULT absent,
&keyed BOOLEAN,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
OID &id IDENTIFIER &id
[PARAMS [&Params] [ARE &paramPresence]] [PARAMS [TYPE &Params] [ARE &paramPresence]]
IS KEYED MAC &keyed
[SMIME CAPS &smimeCaps]
} }
-- CONTENT-ENCRYPTION -- CONTENT-ENCRYPTION
-- --
-- Describes the basic properities of a symetric encryption -- Describes the basic properities of a symetric encryption
-- algorithm -- algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- --
-- Example: -- Example:
-- cms3DESwrap KEY-WRAP ::= { -- cms3DESwrap KEY-WRAP ::= {
-- &id id-alg-CMS3DESwrap -- IDENTIFIER id-alg-CMS3DESwrap
-- &Params NULL -- PARAMS TYPE NULL ARE required
-- &paramPresence required
-- } -- }
CONTENT-ENCRYPTION ::= CLASS { CONTENT-ENCRYPTION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required &paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [&Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
} [SMIME CAPS &smimeCaps]
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL
} }
-- ALGORITHM -- ALGORITHM
-- --
-- Describes a generic algorithm identifier -- Describes a generic algorithm identifier
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paameters
-- --
-- This would be used for cases where an unknown algorithm is -- This would be used for cases where an unknown algorithm is
-- used. One should consider using TYPE-IDENTIFIER in these cases. -- used. One should consider using TYPE-IDENTIFIER in these cases.
ALGORITHM ::= CLASS { ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id [PARAMS &Params] IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME CAPS &smimeCaps]
} }
-- AlgorithmIdentifier
--
-- Provides the generic structure that is used to encode algorithm
-- identification and the parameters associated with the
-- algorithm.
--
-- The first parameter represents the type of the algorithm being
-- used.
-- The second parameter represents a object set containing the set of
-- algorithms that may occur in this situation.
-- The first set of required algorithms should occur to the left
-- of an extension marker, all other algorithms should occur to
-- the right of an extension marker.
--
-- The object class ALGORITHM can be used for generic unspecified
-- items.
-- If new ALGORITHM objects are defined, the fields &id and &Params
-- need to be present as field in the object.
--
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL
}
-- S/MIME Capabilities
--
-- We have moved the SMIME-CAPS out of rfc3851.asn to here since it
-- is used in the PKIX document RFC 4262 - Use of S/MIME Caps in
-- certificate extension
--
--
-- This class is used to represent an S/MIME capability. S/MIME
-- capabilities are used to represent what algorithm capabilities
-- an individual has. The classic example was the content encryption
-- algorithm RC2 where the algorithm id and the RC2 key lengths
-- supported needed to be advertised, but the IV used is not fixed.
-- Thus for RC2 we used
--
-- cap-RC2CBC SMIME-CAPS ::= {
-- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
--
-- where 40 and 128 represent the RC2 key length in number of bits.
--
-- Another example where infomation needs to be shown is for
-- RSA-OAEP where only specific hash functions or mask generation
-- functions are suppoted, but the saltLength is specified by the
-- sender and not the recipient. In this case one can either
-- generate a number of different capability items are generated,
-- or a new S/MIME capability type could be generated where
-- multiple hash functions could be specified.
--
--
-- SMIME-CAP
--
-- This class is used to associate the type descibing capabilities
-- with the object identifier.
--
SMIME-CAPS ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL
}
WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }
--
-- Generic type - this is used for defining values.
--
-- Parameterized Type - this is used in structures to allow for
-- automatic decoding to occur on capaiblity parameters for a
-- specific set of values.
SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
capabilityID SMIME-CAPS.&id({CapabilitySet}),
parameters SMIME-CAPS.&Type({CapabilitySet}
{@capabilityID}) OPTIONAL
}
-- Parameterized Type - this is used in structures to all for
-- automatic decoding to occur on capability parametes for a
-- specific set of values.
SMIMECapabilities { SMIME-CAPS : CapabilitySet } ::=
SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }
END END
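Review bot: the comment block above the ALGORITHM class was not updated along with the class. It still documents only &id and &Params, and describes &id as identifying "the key transport algorithm" even though this is the generic class. The new version adds &paramPresence (DEFAULT absent) and &smimeCaps, plus the `ARE` and `SMIME CAPS` syntax, and the class just above it switches its default from `required` to `absent`. Document both new fields in that comment, state that leaving out the PARAMS clause now means the parameters are absent, and fix "algoithm" and "paameters" while the comment is being touched.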
3. ASN.1 Module for RFC 3370 3. ASN.1 Module for RFC 3370
CryptographicMessageSyntaxAlgorithms CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) } smime(16) modules(0) cmsalg-2001(16) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier AlgorithmIdentifier{}, SMIME-CAPS
FROM AlgorithmInformation FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
--FROM PKIX-CommonTypes pk-rsa, pk-dh, pk-dsa,
-- {iso(1) identified-organization(3) dod(6) internet(1) rsaEncryption, DHPublicKey, dhpublicnumber
-- security(5) mechanisms(5) pkix(7) id-mod(0) FROM
-- id-mod-pkixCommon(43) } PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6)
; internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 995 }
--
-- Create the object sets for each of the different type of signature
-- algorithms defined by this module.
--
-- Philosophy: Sean Turner raised the question about wheither theses
-- object sets should be defined as being extensible. My response is
-- as follows:
--
-- If the working group believes that this document would be updated
-- in the future for the definition of new algorithms, or that
-- this document would be updated to reference (and thus include)
-- new algorithms defined in other documents, then these object
-- sets need to be marked as extensible.
-- If the working group believes that new algorithms will be defined
-- by the creation of new documents, then these object sets do not
-- need to be extensible.
-- In either case, documents that are referencing these objects sets
-- should probably be marked as being extensible in the location
-- they are being used. Thus in the main PKIX document you would
-- have
--
-- SIGNED{ToBeSigned} ::= SEQUENCE {
-- toBeSigned ToBeSigned,
-- algorithm AlgorithmIdentifier
-- {SIGNATURE-ALGORITHM, {Sa-PKIXAlgorithms, ...}},
-- signature BIT STRING
-- }
--
-- Future versions might include additional algorithm drafts and
-- use the line
-- algorithm AlgorithmIdentifier
-- {SIGNATURE-ALGORITHM,
-- {Sa-PKIXAlgorithms, ..., Sa-NewPKIXAlgorithms}},
--
-- Signature algorithms in this document
Sa-CMSAlgorithms SIGNATURE-ALGORITHM ::= {
sa-dsa-with-sha1 |
sa-md5WithRSAEncryption |
sa-sha1WithRSAEncryption }
-- Hash algorthms in this document cap-RC2CBC
FROM SecureMimeMessageV3dot1
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) msg-v3dot1(21) }
Mda-CMSAlgorithms DIGEST-ALGORITHM ::= { mda-md5 | ;
mda-sha1 } -- 2. Hash algorthms in this document
-- Public Key Algorithms in this document MessageDigestAlgs DIGEST-ALGORITHM ::= {
-- mda-md5 |
-- mda-sha1,
... }
Pk-CMSAlgorithms PUBLIC-KEY ::= { pk-dsa | pk-rsa | pk-dh } -- 3. Signature algorithms in this document
-- SignatureAlgs SIGNATURE-ALGORITHM ::= {
-- See rfc3279.asn
-- sa-dsaWithSHA1 |
-- sa-rsaWithMD5 |
-- sa-rsaWithSHA1,
... }
Kta-CMSAlgorithms KEY-TRANSPORT ::= {...} -- 4. Key Managment Algorithms
-- 4.1 Key Agreement Algorithms
-- Key Agreement Algorithms KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}
Kaa-CMSAlgorithms KEY-AGREE ::= {kaa-esdh | kaa-ssdh} -- 4.2 Key Transport Algorithms
-- Key Wrap Algorithms KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }
Kwa-CMSAlgorithms KEY-WRAP ::= { ... } -- 4.3 Symmetric Key-Encryption Key Algorithms
-- Message Authenticaiton Code Algorithms KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }
Mac-CMSAlgorithms MAC-ALGORITHM ::= {...}
-- -- 4.4 Key Derivation Algorithms
Cea-CMSAlgorithms CONTENT-ENCRYPTION ::= {...} KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }
-- Algorithm Identifiers -- 5. Content Encryption Algorithms
sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
oiw(14) secsig(3) algorithm(2) 26 } { cea-3DES-cbc | cea-RC2-cbc, ... }
md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) -- 6. Message Authenticaiton Code Algorithms
rsadsi(113549) digestAlgorithm(2) 5 }
id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }
x9-57(10040) x9cm(4) 1 }
id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- SMIME Capabilities for these items
us(840) x9-57(10040) x9cm(4) 3 }
rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) SMimeCaps SMIME-CAPS ::= {
us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } kaa-esdh.&smimeCaps |
kaa-ssdh.&smimeCaps |
kt-rsa.&smimeCaps |
kwa-3DESWrap.&smimeCaps |
kwa-RC2Wrap.&smimeCaps |
cea-3DES-cbc.&smimeCaps |
cea-RC2-cbc.&smimeCaps |
maca-hMAC-SHA1.&smimeCaps,
...}
md5WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) --
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 } --
--
sha1WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) -- Algorithm Identifiers
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }
dh-public-number OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) ansi-x942(10046) number-type(2) 1 } -- us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }
id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 } rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }
id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 } rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }
id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 } us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }
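Review bot: the new IMPORTS clause takes cap-RC2CBC from SecureMimeMessageV3dot1, and that module in turn imports rc2-cbc and SMimeCaps from this one, so the two modules now depend on each other. Both rc2-cbc and cea-RC2-cbc, which uses cap-RC2CBC here, live in this module. Defining cap-RC2CBC and its parameter type here and letting the S/MIME module import it would remove the cycle. The PKIXAlgs-2008 module identifier also ends in a bare 995 where the other imports use a named arc such as id-mod-pkixCommon(43); that value is worth confirming.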
skipping to change at page 15, line 4 skipping to change at page 16, line 36
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 } rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }
id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 } us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }
id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 } us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }
des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }
rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) encryptionAlgorithm(3) 2 } rsadsi(113549) encryptionAlgorithm(3) 2 }
hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) 8 1 2 } dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }
id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-5(5) 12 } rsadsi(113549) pkcs(1) pkcs-5(5) 12 }
-- Public Key Types
Dss-Pub-Key ::= INTEGER -- Y
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER } -- e
DHPublicKey ::= INTEGER -- y = g^x mod p
-- Signature Value Types
Dss-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER }
-- Algorithm Identifier Parameter Types -- Algorithm Identifier Parameter Types
Dss-Parms ::= SEQUENCE {
p INTEGER,
q INTEGER,
g INTEGER }
DHDomainParameters ::= SEQUENCE {
p INTEGER, -- odd prime, p=jq +1
g INTEGER, -- generator, g
q INTEGER, -- factor of p-1
j INTEGER OPTIONAL, -- subgroup factor
validationParms ValidationParms OPTIONAL }
ValidationParms ::= SEQUENCE {
seed BIT STRING,
pgenCounter INTEGER }
KeyWrapAlgorithm ::= KeyWrapAlgorithm ::=
AlgorithmIdentifier {KEY-WRAP, {Kwa-CMSAlgorithms }} AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }}
RC2wrapParameter ::= RC2ParameterVersion RC2wrapParameter ::= RC2ParameterVersion
RC2ParameterVersion ::= INTEGER RC2ParameterVersion ::= INTEGER
CBCParameter ::= IV CBCParameter ::= IV
IV ::= OCTET STRING -- exactly 8 octets IV ::= OCTET STRING -- exactly 8 octets
RC2CBCParameter ::= SEQUENCE { RC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (1..256), rc2ParameterVersion INTEGER (1..256),
iv OCTET STRING } -- exactly 8 octets iv OCTET STRING } -- exactly 8 octets
maca-hMAC-SHA1 MAC-ALGORITHM ::= { maca-hMAC-SHA1 MAC-ALGORITHM ::= {
OID hMAC-SHA1 IDENTIFIER hMAC-SHA1
PARAMS NULL ARE required PARAMS TYPE NULL ARE preferredAbsent
IS KEYED MAC TRUE
SMIME CAPS {IDENTIFIED BY hMAC-SHA1}
} }
-- Another way to do the following would be: -- Another way to do the following would be:
-- alg-hMAC-SHA1 AlgorithmIdentifier{{PBKDF2-PRFs}} ::= -- alg-hMAC-SHA1 AlgorithmIdentifier{{PBKDF2-PRFs}} ::=
-- { algorithm hMAC-SHA1, parameters NULL:NULL } -- { algorithm hMAC-SHA1, parameters NULL:NULL }
PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM, PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
{PBKDF2-PRFs} } {PBKDF2-PRFs} }
alg-hMAC-SHA1 -- PBKDF2-PRFsAlgorithmIdentifier ::= alg-hMAC-SHA1 -- PBKDF2-PRFsAlgorithmIdentifier ::=
ALGORITHM ::= ALGORITHM ::=
{ IDENTIFIER hMAC-SHA1 PARAMS NULL } { IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required }
PBKDF2-SaltSources ALGORITHM ::= { ... } PBKDF2-SaltSources ALGORITHM ::= { ... }
PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... } PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }
PBKDF2-SaltSourcesAlgorithmIdentifier ::= PBKDF2-SaltSourcesAlgorithmIdentifier ::=
AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}} AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}
defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::= defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
{ algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL } { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }
PBKDF2-params ::= SEQUENCE { PBKDF2-params ::= SEQUENCE {
salt CHOICE { salt CHOICE {
specified OCTET STRING, specified OCTET STRING,
otherSource PBKDF2-SaltSourcesAlgorithmIdentifier }, otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
iterationCount INTEGER (1..MAX), iterationCount INTEGER (1..MAX),
keyLength INTEGER (1..MAX) OPTIONAL, keyLength INTEGER (1..MAX) OPTIONAL,
prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
defaultPBKDF2 defaultPBKDF2
} }
--
mda-sha1 DIGEST-ALGORITHM ::= { -- This object is included for completeness. It should not be used
IDENTIFIER sha-1 PARAMS NULL ARE preferedAbsent } -- for encoding of signtures, but was sometimes used in older
mda-md5 DIGEST-ALGORITHM ::= { -- versions of CMS for encoding of RSA signatures.
IDENTIFIER md5 PARAMS NULL ARE preferedAbsent } --
--
pk-dsa PUBLIC-KEY ::= { -- sa-rsa SIGNATURE-ALGORITHM ::= {
IDENTIFIER id-dsa -- IDENTIFIER rsaEncryption
KEY Dss-Pub-Key -- - - value is not ASN.1 encoded
PARAMS Dss-Parms ARE inheritable -- PARAMS TYPE NULL ARE required
} -- HASHES {mda-sha1 | mda-md5, ...}
-- PUBLIC KEYS { pk-rsa}
sa-dsa-with-sha1 SIGNATURE-ALGORITHM ::= { -- }
IDENTIFIER id-dsa-with-sha1 --
VALUE Dss-Sig-Value
PARAMS Dss-Parms ARE inheritable
USES {mda-sha1}
PUBKEYS {pk-dsa}
}
pk-rsa PUBLIC-KEY ::= {
IDENTIFIER rsaEncryption
KEY RSAPublicKey
PARAMS NULL ARE required
}
sa-rsa SIGNATURE-ALGORITHM ::= {
IDENTIFIER rsaEncryption
-- value is not ASN.1 encoded
PARAMS NULL ARE required
USES {mda-sha1 | mda-md5, ...}
PUBKEYS { pk-rsa}
}
sa-sha1WithRSAEncryption SIGNATURE-ALGORITHM ::= {
IDENTIFIER sha1WithRSAEncryption
-- value is not ASN.1 encoded
PARAMS NULL ARE required
USES {mda-sha1}
PUBKEYS {pk-rsa}
}
sa-md5WithRSAEncryption SIGNATURE-ALGORITHM ::= {
IDENTIFIER md5WithRSAEncryption
-- value is not ASN.1 encoded
PARAMS NULL ARE required
USES {mda-md5}
PUBKEYS {pk-rsa}
}
-- No ASN.1 encoding is applied to the signature value -- No ASN.1 encoding is applied to the signature value
-- for these items -- for these items
pk-dh PUBLIC-KEY ::= {
IDENTIFIER dh-public-number
KEY DHPublicKey
PARAMS DHDomainParameters ARE inheritable
}
kaa-esdh KEY-AGREE ::= { kaa-esdh KEY-AGREE ::= {
IDENTIFIER id-alg-ESDH IDENTIFIER id-alg-ESDH
PARAMS KeyWrapAlgorithm ARE required PARAMS TYPE KeyWrapAlgorithm ARE required
PUBLIC KEY { pk-dh } PUBLIC KEYS { pk-dh }
-- UKM is not ASN.1 encoded
UKM ARE optional
SMIME CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
} }
kaa-ssdh KEY-AGREE ::= { kaa-ssdh KEY-AGREE ::= {
IDENTIFIER id-alg-SSDH IDENTIFIER id-alg-SSDH
PARAMS KeyWrapAlgorithm ARE required PARAMS TYPE KeyWrapAlgorithm ARE required
PUBLIC KEY {pk-dh} PUBLIC KEYS {pk-dh}
-- UKM is not ASN.1 encoded
UKM ARE optional
SMIME CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
} }
KeyTransportAlgorithms ALGORITHM ::= {...} dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber
SymmetricKeyEncryptionAlgorthms KEY-WRAP ::= pk-originator-dh PUBLIC-KEY ::= {
{ kwa-3DESWrap | kwa-RC2Wrap } IDENTIFIER dh-public-number
KEY DHPublicKey
PARAMS ARE absent
CERT KEY USAGE {keyAgreement, encipherOnly, decipherOnly}
}
kwa-3DESWrap KEY-WRAP ::= { kwa-3DESWrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMS3DESwrap PARAMS NULL ARE required IDENTIFIER id-alg-CMS3DESwrap
PARAMS TYPE NULL ARE required
SMIME CAPS {IDENTIFIED BY id-alg-CMSRC2wrap}
} }
kwa-RC2Wrap KEY-WRAP ::= { kwa-RC2Wrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMSRC2wrap PARAMS RC2wrapParameter ARE required IDENTIFIER id-alg-CMSRC2wrap
PARAMS TYPE RC2wrapParameter ARE required
SMIME CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
} }
KeyDerivationAlgorithms KEY-DERIVATION ::= {
kda-PBKDF2}
kda-PBKDF2 KEY-DERIVATION ::= { kda-PBKDF2 KEY-DERIVATION ::= {
IDENTIFIER id-PBKDF2 IDENTIFIER id-PBKDF2
PARAMS PBKDF2-params ARE required PARAMS TYPE PBKDF2-params ARE required
-- No s/mime caps defined
} }
ContentEncryptionAlgorthms ALGORITHM ::= {...} cea-3DES-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER des-ede3-cbc
PARAMS TYPE IV ARE required
SMIME CAPS { IDENTIFIED BY des-ede3-cbc }
}
cea-RC2-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER rc2-cbc
PARAMS TYPE RC2CBCParameter ARE required
SMIME CAPS cap-RC2CBC
}
kt-rsa KEY-TRANSPORT ::= {
IDENTIFIER rsaEncryption
PARAMS TYPE NULL ARE required
PUBLIC KEYS { pk-rsa }
SMIME CAPS {IDENTIFIED BY rsaEncryption}
}
-- S/MIME Capabilities - most have no label.
cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }
END END
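Review bot: in kwa-3DESWrap the new SMIME CAPS line reads `{IDENTIFIED BY id-alg-CMSRC2wrap}` although the object's IDENTIFIER is id-alg-CMS3DESwrap. This looks copied from kwa-RC2Wrap. As written, the SMimeCaps set lists the RC2 wrap capability twice and never advertises 3DES wrap under its own OID. Use id-alg-CMS3DESwrap there, or reference the cap-3DESwrap object defined at the end of the module, which nothing in the lines shown uses.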
4. ASN.1 Module for RFC 3565 4. ASN.1 Module for RFC 3565
CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549) CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) } pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS
CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
;
AES-ContentEncryption CONTENT-ENCRYPTION ::= {
cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
}
AES-KeyWrap KEY-WRAP ::= {
kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
}
SMimeCaps SMIME-CAPS ::= {
cea-aes128-cbc.&smimeCaps |
cea-aes192-cbc.&smimeCaps |
cea-aes256-cbc.&smimeCaps |
kwa-aes128-wrap.&smimeCaps |
kwa-aes192-wrap.&smimeCaps |
kwa-aes256-wrap.&smimeCaps, ...
}
-- AES information object identifiers -- -- AES information object identifiers --
aes OBJECT IDENTIFIER ::= aes OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
csor(3) nistAlgorithms(4) 1 } csor(3) nistAlgorithms(4) 1 }
-- AES using CBC-chaining mode for key sizes of 128, 192, 256 -- AES using CBC-chaining mode for key sizes of 128, 192, 256
id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 } id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 } id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 } id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }
cea-aes128-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-CBC
PARAMS TYPE AES-IV ARE required
SMIME CAPS { IDENTIFIED BY id-aes128-CBC }
}
cea-aes192-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-CBC
PARAMS TYPE AES-IV ARE required
SMIME CAPS { IDENTIFIED BY id-aes192-CBC }
}
cea-aes256-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes256-CBC
PARAMS TYPE AES-IV ARE required
SMIME CAPS { IDENTIFIED BY id-aes256-CBC }
}
-- AES-IV is a the parameter for all the above object identifiers. -- AES-IV is a the parameter for all the above object identifiers.
AES-IV ::= OCTET STRING (SIZE(16)) AES-IV ::= OCTET STRING (SIZE(16))
-- AES Key Wrap Algorithm Identifiers - Parameter is absent -- AES Key Wrap Algorithm Identifiers - Parameter is absent
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 } id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 } id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 } id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
kwa-aes128-wrap KEY-WRAP ::= {
IDENTIFIER id-aes128-wrap
PARAMS ARE absent
SMIME CAPS { IDENTIFIED BY id-aes128-wrap }
}
kwa-aes192-wrap KEY-WRAP ::= {
IDENTIFIER id-aes192-wrap
PARAMS ARE absent
SMIME CAPS { IDENTIFIED BY id-aes192-wrap }
}
kwa-aes256-wrap KEY-WRAP ::= {
IDENTIFIER id-aes256-wrap
PARAMS ARE absent
SMIME CAPS { IDENTIFIED BY id-aes256-wrap }
}
END END
5. ASN.1 Module for RFC 3851 5. ASN.1 Module for RFC 3851
SecureMimeMessageV3dot1 SecureMimeMessageV3dot1
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) msg-v3dot1(21) } smime(16) modules(0) msg-v3dot1(21) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier, SMIME-CAPS, SMIMECapabilities{}
CMS-ATTRIBUTE FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
ATTRIBUTE
FROM PKIX-CommonTypes
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }
SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } smime(16) modules(0) cms-2004(24) }
rc2-cbc rc2-cbc, SMimeCaps
FROM CryptographicMessageSyntaxAlgorithms FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) }; smime(16) modules(0) cmsalg-2001(16) }
SMimeAttributeSet CMS-ATTRIBUTE ::= SMimeCaps
{ attr-smimeCapabilities | attr-encrypKeyPref } FROM PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 995 }
SMimeCaps
FROM PKIX1-PSS-OAEP-Algorithms
{ iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs(33) }
;
SMimeAttributeSet ATTRIBUTE ::=
{ aa-smimeCapabilities | aa-encrypKeyPref, ... }
-- id-aa is the arc with all new authenticated and unauthenticated -- id-aa is the arc with all new authenticated and unauthenticated
-- attributes produced the by S/MIME Working Group -- attributes produced the by S/MIME Working Group
id-aa OBJECT IDENTIFIER ::= id-aa OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) attributes(2)} smime(16) attributes(2)}
-- S/MIME Capabilities provides a method of broadcasting the symmetric -- S/MIME Capabilities provides a method of broadcasting the symmetric
-- capabilities understood. Algorithms SHOULD be ordered by -- capabilities understood. Algorithms SHOULD be ordered by
-- preference and grouped by type -- preference and grouped by type
attr-smimeCapabilities CMS-ATTRIBUTE ::= aa-smimeCapabilities ATTRIBUTE ::=
{ TYPE SMIMECapabilities IDENTIFIED BY smimeCapabilities } { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
smimeCapabilities }
smimeCapabilities OBJECT IDENTIFIER ::= smimeCapabilities OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
15 } 15 }
SMIME-CAPS ::= CLASS {
&Type OPTIONAL,
&id OBJECT IDENTIFIER UNIQUE
}
WITH SYNTAX {TYPE &Type IDENTIFIED BY &id }
SMIMECapability ::= SEQUENCE {
capabilityID SMIME-CAPS.
&id({SMimeCapsSet}),
parameters SMIME-CAPS.
&Type({SMimeCapsSet}{@capabilityID}) OPTIONAL
}
SMimeCapsSet SMIME-CAPS ::= SMimeCapsSet SMIME-CAPS ::=
{ cap-preferBinaryInside | cap-RC2CBC, ... } { cap-preferBinaryInside | cap-RC2CBC |
PKIXAlgs-2008.SMimeCaps |
CryptographicMessageSyntaxAlgorithms.SMimeCaps |
PKIX1-PSS-OAEP-Algorithms.SMimeCaps, ... }
SMIMECapabilities ::= SEQUENCE OF SMIMECapability --- Encryption Key Preference provides a method of broadcasting the
-- Encryption Key Preference provides a method of broadcasting the
-- preferred encryption certificate. -- preferred encryption certificate.
attr-encrypKeyPref CMS-ATTRIBUTE ::= aa-encrypKeyPref ATTRIBUTE ::=
{ TYPE SMIMEEncryptionKeyPreference { TYPE SMIMEEncryptionKeyPreference
IDENTIFIED BY id-aa-encrypKeyPref } IDENTIFIED BY id-aa-encrypKeyPref }
id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11} id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}
SMIMEEncryptionKeyPreference ::= CHOICE { SMIMEEncryptionKeyPreference ::= CHOICE {
issuerAndSerialNumber [0] IssuerAndSerialNumber, issuerAndSerialNumber [0] IssuerAndSerialNumber,
receipentKeyId [1] RecipientKeyIdentifier, receipentKeyId [1] RecipientKeyIdentifier,
subjectAltKeyIdentifier [2] SubjectKeyIdentifier subjectAltKeyIdentifier [2] SubjectKeyIdentifier
} }
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
id-cap OBJECT IDENTIFIER ::= { id-smime 11 } id-cap OBJECT IDENTIFIER ::= { id-smime 11 }
-- The preferBinaryInside indicates an ability to receive messages -- The preferBinaryInside indicates an ability to receive messages
-- with binary encoding inside the CMS wrapper -- with binary encoding inside the CMS wrapper
cap-preferBinaryInside SMIME-CAPS ::= cap-preferBinaryInside SMIME-CAPS ::=
{ TYPE NULL IDENTIFIED BY id-cap-preferBinaryInside } { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }
id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 } id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }
-- The following list the OIDs to be used with S/MIME V3 -- The following list the OIDs to be used with S/MIME V3
-- Signature Algorithms Not Found in [CMSALG] -- Signature Algorithms Not Found in [CMSALG]
-- --
-- md2WithRSAEncryption OBJECT IDENTIFIER ::= -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
-- 2} -- 2}
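Review bot: cap-preferBinaryInside changes from `TYPE NULL` to no type at all, which alters what the module accepts on the wire rather than just its notation. With &Type absent, SMIMECapability carries no parameters for this OID, where the previous definition typed the parameters as NULL. Add a comment saying which form existing implementations send and whether decoders should tolerate the other. Separately, SMimeCapsSet lists cap-RC2CBC explicitly and also CryptographicMessageSyntaxAlgorithms.SMimeCaps, which already includes it through cea-RC2-cbc.&smimeCaps.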
skipping to change at page 21, line 51 skipping to change at page 24, line 20
-- --
-- signingTime OBJECT IDENTIFIER ::= -- signingTime OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
-- 5} -- 5}
-- See [CMS] for a description of how to encode the attribute -- See [CMS] for a description of how to encode the attribute
-- value. -- value.
cap-RC2CBC SMIME-CAPS ::= cap-RC2CBC SMIME-CAPS ::=
{ TYPE SMIMECapabilitiesParametersForRC2CBC { TYPE SMIMECapabilitiesParametersForRC2CBC
IDENTIFIED BY rc2-cbc} IDENTIFIED BY rc2-cbc}
SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...) SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
-- (RC2 Key Length (number of bits)) -- (RC2 Key Length (number of bits))
END END
6. ASN.1 Module for RFC 3852 6. ASN.1 Module for RFC 3852
This module has an ASN.1 idiom for noting in which version of CMS This module has an ASN.1 idiom for noting in which version of CMS
changes were made from the original PKCS #10; that idiom is "[[v:", changes were made from the original PKCS #7; that idiom is "[[v:",
where "v" is an integer. For example: where "v" is an integer. For example:
RevocationInfoChoice ::= CHOICE { RevocationInfoChoice ::= CHOICE {
crl CertificateList, crl CertificateList,
..., ...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
Similarly, this module adds the ASN.1 idiom for extensiblity (the Similarly, this module adds the ASN.1 idiom for extensiblity (the
"...,") in all places that have been extended in the past. See the "...,") in all places that have been extended in the past. See the
example above. example above.
CryptographicMessageSyntax2004 CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS -- Set MAX and MIN for attributes
IMPORTS
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier AlgorithmIdentifier
FROM AlgorithmInformation FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
Sa-CMSAlgorithms, Mda-CMSAlgorithms, Kaa-CMSAlgorithms, SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
Mac-CMSAlgorithms, Kwa-CMSAlgorithms, Cea-CMSAlgorithms, MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
Kta-CMSAlgorithms KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
FROM CryptographicMessageSyntaxAlgorithms FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) } smime(16) modules(0) cmsalg-2001(16) }
Certificate, CertificateList, CertificateSerialNumber, Certificate, CertificateList, CertificateSerialNumber,
Name, ATTRIBUTE Name, ATTRIBUTE
FROM PKIX1Explicit88 FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18) } id-pkix1-explicit(18) }
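Review bot: the IMPORTS list here still names AlgorithmIdentifier without braces, while the RFC 3370 module in this same revision was changed to import AlgorithmIdentifier{}. It is the same parameterized type in both places, so use the same form. ATTRIBUTE is also imported from PKIX1Explicit88 here but from PKIX-CommonTypes in the RFC 3851 module; take the class from one module throughout.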
skipping to change at page 24, line 27 skipping to change at page 26, line 47
unsignedAttrs [1] IMPLICIT Attributes unsignedAttrs [1] IMPLICIT Attributes
{{UnsignedAttributes}} OPTIONAL } {{UnsignedAttributes}} OPTIONAL }
SignedAttributes ::= Attributes {{ SignedAttributesSet }} SignedAttributes ::= Attributes {{ SignedAttributesSet }}
SignerIdentifier ::= CHOICE { SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
..., ...,
[[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] } [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
SignedAttributesSet CMS-ATTRIBUTE ::= -- M00QUEST - should we add in the ESS & S/MIME attributes or
{ attr-signingTime | attr-messageDigest | attr-contentType, ... } -- leave them out
UnsignedAttributes CMS-ATTRIBUTE ::= { attr-countersignature, ... } SignedAttributesSet ATTRIBUTE ::=
{ aa-signingTime | aa-messageDigest | aa-contentType, ... }
UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }
SignatureValue ::= OCTET STRING SignatureValue ::= OCTET STRING
EnvelopedData ::= SEQUENCE { EnvelopedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo, encryptedContentInfo EncryptedContentInfo,
..., ...,
[[2: unprotectedAttrs [1] IMPLICIT Attributes [[2: unprotectedAttrs [1] IMPLICIT Attributes
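Review bot: The new SignedAttributesSet definition carries an unresolved editor's question inside the module text ("-- M00QUEST - should we add in the ESS & S/MIME attributes or -- leave them out"), so -02 does not yet say which attributes the set is meant to list. Decide it and remove the marker before the module is published: either import the ESS and S/MIME attribute objects into the set, or replace the question with a comment saying the extension marker is where other modules add theirs. The rename from attr-* / CMS-ATTRIBUTE to aa-* / ATTRIBUTE is applied to both SignedAttributesSet and UnsignedAttributes here, so the two sets stay consistent.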
skipping to change at page 25, line 15 skipping to change at page 27, line 37
-- If you want to do constraints, you might use: -- If you want to do constraints, you might use:
-- EncryptedContentInfo ::= SEQUENCE { -- EncryptedContentInfo ::= SEQUENCE {
-- contentType CONTENT-TYPE.&id({ContentSet}), -- contentType CONTENT-TYPE.&id({ContentSet}),
-- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, -- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
-- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE. -- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
-- &Type({ContentSet}{@contentType}) OPTIONAL } -- &Type({ContentSet}{@contentType}) OPTIONAL }
-- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
-- { ToBeEncrypted } ) -- { ToBeEncrypted } )
UnprotectedAttributes CMS-ATTRIBUTE ::= { ... } UnprotectedAttributes ATTRIBUTE ::= { ... }
RecipientInfo ::= CHOICE { RecipientInfo ::= CHOICE {
ktri KeyTransRecipientInfo, ktri KeyTransRecipientInfo,
..., ...,
[[3: kari [1] KeyAgreeRecipientInfo ]], [[3: kari [1] KeyAgreeRecipientInfo ]],
[[4: kekri [2] KEKRecipientInfo]], [[4: kekri [2] KEKRecipientInfo]],
[[5: pwri [3] PasswordRecipientInfo, [[5: pwri [3] PasswordRecipientInfo,
ori [4] OtherRecipientInfo ]] } ori [4] OtherRecipientInfo ]] }
EncryptedKey ::= OCTET STRING EncryptedKey ::= OCTET STRING
KeyTransRecipientInfo ::= SEQUENCE { KeyTransRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0 or 2 version CMSVersion, -- always set to 0 or 2
rid RecipientIdentifier, rid RecipientIdentifier,
keyEncryptionAlgorithm AlgorithmIdentifier keyEncryptionAlgorithm AlgorithmIdentifier
{KEY-TRANSPORT, {KeyTransportAlgorithmSet}}, {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
encryptedKey EncryptedKey } encryptedKey EncryptedKey }
KeyTransportAlgorithmSet KEY-TRANSPORT ::= { Kta-CMSAlgorithms, ... } KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }
RecipientIdentifier ::= CHOICE { RecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
..., ...,
[[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] } [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
KeyAgreeRecipientInfo ::= SEQUENCE { KeyAgreeRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 3 version CMSVersion, -- always set to 3
originator [0] EXPLICIT OriginatorIdentifierOrKey, originator [0] EXPLICIT OriginatorIdentifierOrKey,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL, ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
keyEncryptionAlgorithm AlgorithmIdentifier keyEncryptionAlgorithm AlgorithmIdentifier
{KEY-AGREE, {KeyAgreementAlgorithmSet}}, {KEY-AGREE, {KeyAgreementAlgorithmSet}},
recipientEncryptedKeys RecipientEncryptedKeys } recipientEncryptedKeys RecipientEncryptedKeys }
KeyAgreementAlgorithmSet KEY-AGREE ::= { Kaa-CMSAlgorithms, ... } KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }
OriginatorIdentifierOrKey ::= CHOICE { OriginatorIdentifierOrKey ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier, subjectKeyIdentifier [0] SubjectKeyIdentifier,
originatorKey [1] OriginatorPublicKey } originatorKey [1] OriginatorPublicKey }
OriginatorPublicKey ::= SEQUENCE { OriginatorPublicKey ::= SEQUENCE {
algorithm AlgorithmIdentifier {PUBLIC-KEY, {...}}, algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
publicKey BIT STRING } publicKey BIT STRING }
OriginatorKeySet PUBLIC-KEY ::= {
KeyAgreePublicKeys, ...
}
RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
RecipientEncryptedKey ::= SEQUENCE { RecipientEncryptedKey ::= SEQUENCE {
rid KeyAgreeRecipientIdentifier, rid KeyAgreeRecipientIdentifier,
encryptedKey EncryptedKey } encryptedKey EncryptedKey }
KeyAgreeRecipientIdentifier ::= CHOICE { KeyAgreeRecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
rKeyId [0] IMPLICIT RecipientKeyIdentifier } rKeyId [0] IMPLICIT RecipientKeyIdentifier }
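Review bot: The object sets the new text refers to (KeyTransportAlgs, KeyAgreementAlgs and KeyAgreePublicKeys) are not defined anywhere in the lines shown, so each must appear in this module's IMPORTS symbol list, and that list is not part of this hunk; confirm it was updated along with the renames from Kta-CMSAlgorithms and Kaa-CMSAlgorithms. OriginatorPublicKey is also the one place in this hunk where the constraint becomes narrower rather than just renamed, going from the open "{PUBLIC-KEY, {...}}" to "{PUBLIC-KEY, {OriginatorKeySet}}". A short comment on OriginatorKeySet stating that originator keys are limited to key agreement public keys, extensible through the "...", would record that this is intentional.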
skipping to change at page 27, line 13 skipping to change at page 29, line 38
&id({SupportedOtherRecipInfo}), &id({SupportedOtherRecipInfo}),
oriValue OTHER-RECIPIENT. oriValue OTHER-RECIPIENT.
&Type({SupportedOtherRecipInfo}{@oriType})} &Type({SupportedOtherRecipInfo}{@oriType})}
SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... } SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }
DigestedData ::= SEQUENCE { DigestedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
digestAlgorithm DigestAlgorithmIdentifier, digestAlgorithm DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
digest Digest } digest Digest, ... }
Digest ::= OCTET STRING Digest ::= OCTET STRING
EncryptedData ::= SEQUENCE { EncryptedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
encryptedContentInfo EncryptedContentInfo, encryptedContentInfo EncryptedContentInfo,
..., ...,
[[2: unprotectedAttrs [1] IMPLICIT Attributes [[2: unprotectedAttrs [1] IMPLICIT Attributes
{{UnprotectedAttributes}} OPTIONAL ]] } {{UnprotectedAttributes}} OPTIONAL ]] }
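Review bot: DigestedData gains a bare extension marker ("digest Digest, ... }") with no addition defined after it, unlike EncryptedData directly below, where the marker is followed by the version-bracketed "[[2: unprotectedAttrs ...]]". An extension marker tells decoders to tolerate trailing fields they do not recognise, so this is a change in what a conforming parser accepts after the digest, not only a notational one. State the reason in the change log or in a comment next to the type.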
skipping to change at page 27, line 36 skipping to change at page 30, line 13
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
macAlgorithm MessageAuthenticationCodeAlgorithm, macAlgorithm MessageAuthenticationCodeAlgorithm,
digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL, digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
authAttrs [2] IMPLICIT AuthAttributes OPTIONAL, authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode, mac MessageAuthenticationCode,
unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL } unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
AuthAttributes ::= SET SIZE (1..MAX) OF Attribute AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{SupportedAttributes}} {{AuthAttributeSet}}
UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{SupportedAttributes}} {{UnauthAttributeSet}}
AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
| aa-signingTime, ...}
UnauthAttributeSet ATTRIBUTE ::= {...}
MessageAuthenticationCode ::= OCTET STRING MessageAuthenticationCode ::= OCTET STRING
DigestAlgorithmIdentifier ::= AlgorithmIdentifier DigestAlgorithmIdentifier ::= AlgorithmIdentifier
{DIGEST-ALGORITHM, {DigestAlgorithmSet}} {DIGEST-ALGORITHM, {DigestAlgorithmSet}}
DigestAlgorithmSet DIGEST-ALGORITHM ::= { Mda-CMSAlgorithms, ... } DigestAlgorithmSet DIGEST-ALGORITHM ::= {
CryptographicMessageSyntaxAlgorithms.MessageDigestAlgs, ... }
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
{SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}} {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}
SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
{ Sa-CMSAlgorithms, ... } { SignatureAlgs, ... }
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-WRAP, {KeyEncryptionAlgorithmSet}} {KEY-WRAP, {KeyEncryptionAlgorithmSet}}
KeyEncryptionAlgorithmSet KEY-WRAP ::= { Kwa-CMSAlgorithms, ... } KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}} {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}
ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
{ Cea-CMSAlgorithms, ... } { ContentEncryptionAlgs, ... }
MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
{MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}} {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}
MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::= MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
{ Mac-CMSAlgorithms, ... } { MessageAuthAlgs, ... }
KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-DERIVATION, {...}} {KEY-DERIVATION, {KeyDerivationAlgs, ...}}
RevocationInfoChoices ::= SET OF RevocationInfoChoice RevocationInfoChoices ::= SET OF RevocationInfoChoice
RevocationInfoChoice ::= CHOICE { RevocationInfoChoice ::= CHOICE {
crl CertificateList, crl CertificateList,
..., ...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
OTHER-REVOK-INFO ::= TYPE-IDENTIFIER OTHER-REVOK-INFO ::= TYPE-IDENTIFIER
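Review bot: KeyDerivationAlgorithmIdentifier is the only algorithm identifier in this hunk whose object set is written inline ("{KEY-DERIVATION, {KeyDerivationAlgs, ...}}"); every other one goes through a named set such as KeyEncryptionAlgorithmSet or SignatureAlgorithmSet. Define a KeyDerivationAlgorithmSet in the same style so all seven identifiers read alike. DigestAlgorithmSet is likewise the only set that module-qualifies its member (CryptographicMessageSyntaxAlgorithms.MessageDigestAlgs) while SignatureAlgs, KeyWrapAlgs, ContentEncryptionAlgs and MessageAuthAlgs are unqualified; if the qualification is there to avoid a name clash, a comment should say so, otherwise drop it. The split of SupportedAttributes into AuthAttributeSet and UnauthAttributeSet looks right, with AuthAttributeSet listing aa-contentType, aa-messageDigest and aa-signingTime.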
skipping to change at page 30, line 42 skipping to change at page 33, line 26
SigningTime ::= Time SigningTime ::= Time
Time ::= CHOICE { Time ::= CHOICE {
utcTime UTCTime, utcTime UTCTime,
generalTime GeneralizedTime } generalTime GeneralizedTime }
Countersignature ::= SignerInfo Countersignature ::= SignerInfo
-- Attribute Object Identifiers -- Attribute Object Identifiers
attr-contentType CMS-ATTRIBUTE ::= aa-contentType ATTRIBUTE ::=
{ TYPE ContentType IDENTIFIED BY id-contentType } { TYPE ContentType IDENTIFIED BY id-contentType }
id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }
attr-messageDigest CMS-ATTRIBUTE ::= aa-messageDigest ATTRIBUTE ::=
{ TYPE MessageDigest IDENTIFIED BY id-messageDigest} { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }
attr-signingTime CMS-ATTRIBUTE ::= aa-signingTime ATTRIBUTE ::=
{ TYPE SigningTime IDENTIFIED BY id-signingTime } { TYPE SigningTime IDENTIFIED BY id-signingTime }
id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
attr-countersignature CMS-ATTRIBUTE ::= aa-countersignature ATTRIBUTE ::=
{ TYPE Countersignature IDENTIFIED BY id-countersignature } { TYPE Countersignature IDENTIFIED BY id-countersignature }
id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
-- Obsolete Extended Certificate syntax from PKCS#6 -- Obsolete Extended Certificate syntax from PKCS#6
ExtendedCertificateOrCertificate ::= CHOICE { ExtendedCertificateOrCertificate ::= CHOICE {
certificate Certificate, certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate } extendedCertificate [0] IMPLICIT ExtendedCertificate }
ExtendedCertificate ::= SEQUENCE { ExtendedCertificate ::= SEQUENCE {
extendedCertificateInfo ExtendedCertificateInfo, extendedCertificateInfo ExtendedCertificateInfo,
signatureAlgorithm SignatureAlgorithmIdentifier, signatureAlgorithm SignatureAlgorithmIdentifier,
signature Signature } signature Signature }
ExtendedCertificateInfo ::= SEQUENCE { ExtendedCertificateInfo ::= SEQUENCE {
skipping to change at page 31, line 36 skipping to change at page 34, line 20
signatureAlgorithm SignatureAlgorithmIdentifier, signatureAlgorithm SignatureAlgorithmIdentifier,
signature Signature } signature Signature }
ExtendedCertificateInfo ::= SEQUENCE { ExtendedCertificateInfo ::= SEQUENCE {
version CMSVersion, version CMSVersion,
certificate Certificate, certificate Certificate,
attributes UnauthAttributes } attributes UnauthAttributes }
Signature ::= BIT STRING Signature ::= BIT STRING
-- Class definitions used in the module Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
attrType ATTRIBUTE.
CMS-ATTRIBUTE ::= ATTRIBUTE
Attribute{ CMS-ATTRIBUTE:AttrList } ::= SEQUENCE {
attrType CMS-ATTRIBUTE.
&id({AttrList}), &id({AttrList}),
attrValues SET OF CMS-ATTRIBUTE. attrValues SET OF ATTRIBUTE.
&Type({AttrList}{@attrType}) } &Type({AttrList}{@attrType}) }
SupportedAttributes CMS-ATTRIBUTE ::= { ... } Attributes { ATTRIBUTE:AttrList } ::=
Attributes { CMS-ATTRIBUTE:AttrList } ::=
SET SIZE (1..MAX) OF Attribute {{ AttrList }} SET SIZE (1..MAX) OF Attribute {{ AttrList }}
END END
7. ASN.1 Module for RFC 4108 7. ASN.1 Module for RFC 4108
CMSFirmwareWrapper CMSFirmwareWrapper
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-firmware-wrap(22) } smime(16) modules(0) cms-firmware-wrap(22) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
OTHER-NAME OTHER-NAME
FROM PKIX1Implicit88 FROM PKIX1Implicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }
EnvelopedData, CONTENT-TYPE, CMS-ATTRIBUTE EnvelopedData, CONTENT-TYPE, ATTRIBUTE
FROM CryptographicMessageSyntax FROM CryptographicMessageSyntax
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) }; smime(16) modules(0) cms-2004(24) };
FirmwareContentTypes CONTENT-TYPE ::= { FirmwareContentTypes CONTENT-TYPE ::= {
ct-firmwarePackage | ct-firmwareLoadReceipt | ct-firmwarePackage | ct-firmwareLoadReceipt |
ct-firmwareLoadError } ct-firmwareLoadError,... }
FirmwareSignedAttrs CMS-ATTRIBUTE ::= { FirmwareSignedAttrs ATTRIBUTE ::= {
aa-firmwarePackageID | aa-targetHardwareIDs | aa-firmwarePackageID | aa-targetHardwareIDs |
aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs | aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
aa-communityIdentifiers | aa-firmwarePackageInfo } aa-communityIdentifiers | aa-firmwarePackageInfo,... }
FirmwareUnsignedAttrs CMS-ATTRIBUTE ::= { FirmwareUnsignedAttrs ATTRIBUTE ::= {
aa-wrappedFirmwareKey } aa-wrappedFirmwareKey, ... }
FirmwareOtherNames OTHER-NAME ::= { FirmwareOtherNames OTHER-NAME ::= {
on-hardwareModuleName } on-hardwareModuleName, ... }
-- Firmware Package Content Type and Object Identifier -- Firmware Package Content Type and Object Identifier
ct-firmwarePackage CONTENT-TYPE ::= ct-firmwarePackage CONTENT-TYPE ::=
{ FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage } { FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }
id-ct-firmwarePackage OBJECT IDENTIFIER ::= { id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 16 } smime(16) ct(1) 16 }
FirmwarePkgData ::= OCTET STRING FirmwarePkgData ::= OCTET STRING
-- Firmware Package Signed Attributes and Object Identifiers -- Firmware Package Signed Attributes and Object Identifiers
aa-firmwarePackageID CMS-ATTRIBUTE ::=
aa-firmwarePackageID ATTRIBUTE ::=
{ TYPE FirmwarePackageIdentifier IDENTIFIED BY { TYPE FirmwarePackageIdentifier IDENTIFIED BY
id-aa-firmwarePackageID } id-aa-firmwarePackageID }
id-aa-firmwarePackageID OBJECT IDENTIFIER ::= { id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 35 } smime(16) aa(2) 35 }
FirmwarePackageIdentifier ::= SEQUENCE { FirmwarePackageIdentifier ::= SEQUENCE {
name PreferredOrLegacyPackageIdentifier, name PreferredOrLegacyPackageIdentifier,
stale PreferredOrLegacyStalePackageIdentifier OPTIONAL } stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }
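Review bot: With "CMS-ATTRIBUTE ::= ATTRIBUTE" removed, CMSFirmwareWrapper now imports ATTRIBUTE FROM CryptographicMessageSyntax, a module that no longer defines an attribute class in the lines shown. Elsewhere in this diff the CMS module itself imports ATTRIBUTE from PKIX1Explicit88, while the ERS and ESS modules import it from PKIX-CommonTypes. Import the class from the module that defines it and use the same source in every module. The same IMPORTS clause names the module CryptographicMessageSyntax, whereas the ERS and ESS modules reference the same cms-2004(24) object identifier as CryptographicMessageSyntax2004; the two names should agree. The extension markers added to the four object sets are also spaced inconsistently (",... }" in three of them, ", ... }" in FirmwareUnsignedAttrs and FirmwareOtherNames).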
skipping to change at page 33, line 23 skipping to change at page 36, line 4
name PreferredOrLegacyPackageIdentifier, name PreferredOrLegacyPackageIdentifier,
stale PreferredOrLegacyStalePackageIdentifier OPTIONAL } stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }
PreferredOrLegacyPackageIdentifier ::= CHOICE { PreferredOrLegacyPackageIdentifier ::= CHOICE {
preferred PreferredPackageIdentifier, preferred PreferredPackageIdentifier,
legacy OCTET STRING } legacy OCTET STRING }
PreferredPackageIdentifier ::= SEQUENCE { PreferredPackageIdentifier ::= SEQUENCE {
fwPkgID OBJECT IDENTIFIER, fwPkgID OBJECT IDENTIFIER,
verNum INTEGER (0..MAX) } verNum INTEGER (0..MAX) }
PreferredOrLegacyStalePackageIdentifier ::= CHOICE { PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
preferredStaleVerNum INTEGER (0..MAX), preferredStaleVerNum INTEGER (0..MAX),
legacyStaleVersion OCTET STRING } legacyStaleVersion OCTET STRING }
aa-targetHardwareIDs CMS-ATTRIBUTE ::= aa-targetHardwareIDs ATTRIBUTE ::=
{ TYPE TargetHardwareIdentifiers IDENTIFIED BY { TYPE TargetHardwareIdentifiers IDENTIFIED BY
id-aa-targetHardwareIDs } id-aa-targetHardwareIDs }
id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= { id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 36 } smime(16) aa(2) 36 }
TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER
aa-decryptKeyID CMS-ATTRIBUTE ::= aa-decryptKeyID ATTRIBUTE ::=
{ TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID} { TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}
id-aa-decryptKeyID OBJECT IDENTIFIER ::= { id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 37 } smime(16) aa(2) 37 }
DecryptKeyIdentifier ::= OCTET STRING DecryptKeyIdentifier ::= OCTET STRING
aa-implCryptoAlgs CMS-ATTRIBUTE ::= aa-implCryptoAlgs ATTRIBUTE ::=
{ TYPE ImplementedCryptoAlgorithms IDENTIFIED BY { TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
id-aa-implCryptoAlgs } id-aa-implCryptoAlgs }
id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= { id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 38 } smime(16) aa(2) 38 }
ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER
aa-implCompressAlgs CMS-ATTRIBUTE ::= aa-implCompressAlgs ATTRIBUTE ::=
{ TYPE ImplementedCompressAlgorithms IDENTIFIED BY { TYPE ImplementedCompressAlgorithms IDENTIFIED BY
id-aa-implCompressAlgs } id-aa-implCompressAlgs }
id-aa-implCompressAlgs OBJECT IDENTIFIER ::= { id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 43 } smime(16) aa(2) 43 }
ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER
aa-communityIdentifiers CMS-ATTRIBUTE ::= aa-communityIdentifiers ATTRIBUTE ::=
{ TYPE CommunityIdentifiers IDENTIFIED BY { TYPE CommunityIdentifiers IDENTIFIED BY
id-aa-communityIdentifiers } id-aa-communityIdentifiers }
id-aa-communityIdentifiers OBJECT IDENTIFIER ::= { id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 40 } smime(16) aa(2) 40 }
CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier
CommunityIdentifier ::= CHOICE { CommunityIdentifier ::= CHOICE {
skipping to change at page 34, line 44 skipping to change at page 37, line 24
hwType OBJECT IDENTIFIER, hwType OBJECT IDENTIFIER,
hwSerialEntries SEQUENCE OF HardwareSerialEntry } hwSerialEntries SEQUENCE OF HardwareSerialEntry }
HardwareSerialEntry ::= CHOICE { HardwareSerialEntry ::= CHOICE {
all NULL, all NULL,
single OCTET STRING, single OCTET STRING,
block SEQUENCE { block SEQUENCE {
low OCTET STRING, low OCTET STRING,
high OCTET STRING } } high OCTET STRING } }
aa-firmwarePackageInfo CMS-ATTRIBUTE ::= aa-firmwarePackageInfo ATTRIBUTE ::=
{ TYPE FirmwarePackageInfo IDENTIFIED BY { TYPE FirmwarePackageInfo IDENTIFIED BY
id-aa-firmwarePackageInfo } id-aa-firmwarePackageInfo }
id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= { id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 42 } smime(16) aa(2) 42 }
FirmwarePackageInfo ::= SEQUENCE { FirmwarePackageInfo ::= SEQUENCE {
fwPkgType INTEGER OPTIONAL, fwPkgType INTEGER OPTIONAL,
dependencies SEQUENCE OF dependencies SEQUENCE OF
PreferredOrLegacyPackageIdentifier OPTIONAL } PreferredOrLegacyPackageIdentifier OPTIONAL }
-- Firmware Package Unsigned Attributes and Object Identifiers -- Firmware Package Unsigned Attributes and Object Identifiers
aa-wrappedFirmwareKey CMS-ATTRIBUTE ::= aa-wrappedFirmwareKey ATTRIBUTE ::=
{ TYPE WrappedFirmwareKey IDENTIFIED BY { TYPE WrappedFirmwareKey IDENTIFIED BY
id-aa-wrappedFirmwareKey } id-aa-wrappedFirmwareKey }
id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= { id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 39 } smime(16) aa(2) 39 }
WrappedFirmwareKey ::= EnvelopedData WrappedFirmwareKey ::= EnvelopedData
-- Firmware Package Load Receipt Content Type and Object Identifier -- Firmware Package Load Receipt Content Type and Object Identifier
skipping to change at page 37, line 37 skipping to change at page 40, line 18
8. ASN.1 Module for RFC 4998 8. ASN.1 Module for RFC 4998
ERS {iso(1) identified-organization(3) dod(6) internet(1) ERS {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1) security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
id-mod-ers-v1(1) } id-mod-ers-v1(1) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
Attribute{}, AlgorithmIdentifier{}, ATTRIBUTE, ALGORITHM AttributeSet{}, ATTRIBUTE
FROM PKIX-CommonTypes FROM PKIX-CommonTypes
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }
ContentInfo, CMS-ATTRIBUTE AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
ContentInfo
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ; pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ;
ltans OBJECT IDENTIFIER ::= ltans OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) ltans(11) } mechanisms(5) ltans(11) }
EvidenceRecord ::= SEQUENCE { EvidenceRecord ::= SEQUENCE {
version INTEGER { v1(1) } , version INTEGER { v1(1) } ,
digestAlgorithms SEQUENCE OF AlgorithmIdentifier{{...}}, digestAlgorithms SEQUENCE OF AlgorithmIdentifier
{DIGEST-ALGORITHM, {...}},
cryptoInfos [0] CryptoInfos OPTIONAL, cryptoInfos [0] CryptoInfos OPTIONAL,
encryptionInfo [1] EncryptionInfo OPTIONAL, encryptionInfo [1] EncryptionInfo OPTIONAL,
archiveTimeStampSequence ArchiveTimeStampSequence archiveTimeStampSequence ArchiveTimeStampSequence
} }
CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF Attribute{{...}} CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}}
ArchiveTimeStamp ::= SEQUENCE { ArchiveTimeStamp ::= SEQUENCE {
digestAlgorithm [0] AlgorithmIdentifier{{...}} OPTIONAL, digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
OPTIONAL,
attributes [1] Attributes OPTIONAL, attributes [1] Attributes OPTIONAL,
reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL, reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
timeStamp ContentInfo timeStamp ContentInfo
} }
PartialHashtree ::= SEQUENCE OF OCTET STRING PartialHashtree ::= SEQUENCE OF OCTET STRING
Attributes ::= SET SIZE (1..MAX) OF Attribute{{...}} Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}}
ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp
ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain
EncryptionInfo ::= SEQUENCE { EncryptionInfo ::= SEQUENCE {
encryptionInfoType ENCINFO-TYPE. encryptionInfoType ENCINFO-TYPE.
&id({SupportedEncryptionAlgorithms}), &id({SupportedEncryptionAlgorithms}),
encryptionInfoValue ENCINFO-TYPE. encryptionInfoValue ENCINFO-TYPE.
&Type({SupportedEncryptionAlgorithms} &Type({SupportedEncryptionAlgorithms}
{@encryptionInfoType}) {@encryptionInfoType})
} }
ENCINFO-TYPE ::= TYPE-IDENTIFIER ENCINFO-TYPE ::= TYPE-IDENTIFIER
SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...} SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}
er-Internal CMS-ATTRIBUTE ::= aa-er-Internal ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal } { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
id-aa-er-internal OBJECT IDENTIFIER ::= id-aa-er-internal OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 49 } smime(16) id-aa(2) 49 }
er-External CMS-ATTRIBUTE ::= aa-er-External ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external } { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
id-aa-er-external OBJECT IDENTIFIER ::= id-aa-er-external OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 50 } smime(16) id-aa(2) 50 }
END END
9. ASN.1 Module for RFC 5035 9. ASN.1 Module for RFC 5035
ExtendedSecurityServices-2006 ExtendedSecurityServices-2006
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
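Review bot: The module identifier in the new AlgorithmInformation import of the ERS module is spelled "id-mod-algorithInformation(99)", which looks like a dropped "m" in "algorithm"; check it against the name used where that module is defined. The same clause imports ALGORITHM, but nothing in the new ERS body references it: both digest fields use "AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}", so that symbol can be dropped from the import list. CryptoInfos and Attributes are now built from AttributeSet{{...}} in the positions where Attribute{{...}} stood before; a one-line comment on what AttributeSet denotes would help, since "SET SIZE (1..MAX) OF AttributeSet" reads like a set of sets. The rename of er-Internal and er-External to aa-er-Internal and aa-er-External matches the aa- prefix used in the other modules.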
skipping to change at page 39, line 20 skipping to change at page 42, line 11
9. ASN.1 Module for RFC 5035 9. ASN.1 Module for RFC 5035
ExtendedSecurityServices-2006 ExtendedSecurityServices-2006
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-ess-2006(30) } smime(16) modules(0) id-mod-ess-2006(30) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
Attribute{}, AlgorithmIdentifier{}, ATTRIBUTE, ALGORITHM AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{}
FROM PKIX-CommonTypes FROM PKIX-CommonTypes
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier, ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
CMS-ATTRIBUTE, CONTENT-TYPE CONTENT-TYPE
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } smime(16) modules(0) cms-2004(24) }
CertificateSerialNumber CertificateSerialNumber
FROM PKIX1Explicit88 FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
PolicyInformation, GeneralNames PolicyInformation, GeneralNames
FROM PKIX1Implicit88 FROM PKIX1Implicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19)}; mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19)}
EssSignedAttributes CMS-ATTRIBUTE ::= { mda-sha256
FROM PKIX1-PSS-OAEP-Algorithms
{ iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs(33) }
;
EssSignedAttributes ATTRIBUTE ::= {
aa-receiptRequest | aa-contentIdentifier | aa-contentHint | aa-receiptRequest | aa-contentIdentifier | aa-contentHint |
aa-msgSigDigest | aa-contentReference | aa-securityLabel | aa-msgSigDigest | aa-contentReference | aa-securityLabel |
aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate | aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate |
aa-signingCertificateV2 } aa-signingCertificateV2, ... }
EssContentTypes CONTENT-TYPE ::= { ct-receipt } EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... }
-- Extended Security Services -- Extended Security Services
-- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
-- constructs in this module. A valid ASN.1 SEQUENCE can have zero or -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
-- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE
-- tp have at least one entry. MAX indicates the upper bound is -- tp have at least one entry. MAX indicates the upper bound is
-- unspecified. Implementations are free to choose an upper bound -- unspecified. Implementations are free to choose an upper bound
-- that suits their environment. -- that suits their environment.
-- Section 2.7 -- Section 2.7
aa-receiptRequest CMS-ATTRIBUTE ::= aa-receiptRequest ATTRIBUTE ::=
{ TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest} { TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}
ReceiptRequest ::= SEQUENCE { ReceiptRequest ::= SEQUENCE {
signedContentIdentifier ContentIdentifier, signedContentIdentifier ContentIdentifier,
receiptsFrom ReceiptsFrom, receiptsFrom ReceiptsFrom,
receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
} }
ub-receiptsTo INTEGER ::= 16 ub-receiptsTo INTEGER ::= 16
id-aa-receiptRequest OBJECT IDENTIFIER ::= id-aa-receiptRequest OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 1} smime(16) id-aa(2) 1}
aa-contentIdentifier CMS-ATTRIBUTE ::= aa-contentIdentifier ATTRIBUTE ::=
{ TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier} { TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}
ContentIdentifier ::= OCTET STRING ContentIdentifier ::= OCTET STRING
id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7} us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}
ct-receipt CONTENT-TYPE ::= ct-receipt CONTENT-TYPE ::=
{ Receipt IDENTIFIED BY id-ct-receipt } { Receipt IDENTIFIED BY id-ct-receipt }
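Review bot: the comment under "-- Extended Security Services" still reads "tp have at least one entry" in both columns; correct it to "to have" while these lines are being revised. The rename from CMS-ATTRIBUTE to ATTRIBUTE on aa-receiptRequest and aa-contentIdentifier also needs ATTRIBUTE to be present in this module's IMPORTS, which the lines shown here do not include.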
skipping to change at page 41, line 18 skipping to change at page 44, line 18
originatorSignatureValue OCTET STRING } originatorSignatureValue OCTET STRING }
id-ct-receipt OBJECT IDENTIFIER ::= id-ct-receipt OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-ct(1) 1} smime(16) id-ct(1) 1}
ESSVersion ::= INTEGER { v1(1) } ESSVersion ::= INTEGER { v1(1) }
-- Section 2.9 -- Section 2.9
aa-contentHint CMS-ATTRIBUTE ::= aa-contentHint ATTRIBUTE ::=
{ TYPE ContentHints IDENTIFIED BY id-aa-contentHint } { TYPE ContentHints IDENTIFIED BY id-aa-contentHint }
ContentHints ::= SEQUENCE { ContentHints ::= SEQUENCE {
contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL, contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
contentType ContentType } contentType ContentType }
id-aa-contentHint OBJECT IDENTIFIER ::= id-aa-contentHint OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 4} smime(16) id-aa(2) 4}
-- Section 2.10 -- Section 2.10
aa-msgSigDigest CMS-ATTRIBUTE ::= aa-msgSigDigest ATTRIBUTE ::=
{ TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest } { TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }
MsgSigDigest ::= OCTET STRING MsgSigDigest ::= OCTET STRING
id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5} us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}
-- Section 2.11 -- Section 2.11
aa-contentReference CMS-ATTRIBUTE ::= aa-contentReference ATTRIBUTE ::=
{ TYPE ContentReference IDENTIFIED BY id-aa-contentReference } { TYPE ContentReference IDENTIFIED BY id-aa-contentReference }
ContentReference ::= SEQUENCE { ContentReference ::= SEQUENCE {
contentType ContentType, contentType ContentType,
signedContentIdentifier ContentIdentifier, signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING } originatorSignatureValue OCTET STRING }
id-aa-contentReference OBJECT IDENTIFIER ::= id-aa-contentReference OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 10 } smime(16) id-aa(2) 10 }
skipping to change at page 42, line 5 skipping to change at page 45, line 4
{ TYPE ContentReference IDENTIFIED BY id-aa-contentReference } { TYPE ContentReference IDENTIFIED BY id-aa-contentReference }
ContentReference ::= SEQUENCE { ContentReference ::= SEQUENCE {
contentType ContentType, contentType ContentType,
signedContentIdentifier ContentIdentifier, signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING } originatorSignatureValue OCTET STRING }
id-aa-contentReference OBJECT IDENTIFIER ::= id-aa-contentReference OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 10 } smime(16) id-aa(2) 10 }
-- Section 3.2 -- Section 3.2
aa-securityLabel CMS-ATTRIBUTE ::= aa-securityLabel ATTRIBUTE ::=
{ TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel } { TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }
ESSSecurityLabel ::= SET { ESSSecurityLabel ::= SET {
security-policy-identifier SecurityPolicyIdentifier, security-policy-identifier SecurityPolicyIdentifier,
security-classification SecurityClassification OPTIONAL, security-classification SecurityClassification OPTIONAL,
privacy-mark ESSPrivacyMark OPTIONAL, privacy-mark ESSPrivacyMark OPTIONAL,
security-categories SecurityCategories OPTIONAL } security-categories SecurityCategories OPTIONAL }
id-aa-securityLabel OBJECT IDENTIFIER ::= id-aa-securityLabel OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
skipping to change at page 42, line 42 skipping to change at page 45, line 40
ESSPrivacyMark ::= CHOICE { ESSPrivacyMark ::= CHOICE {
pString PrintableString (SIZE (1..ub-privacy-mark-length)), pString PrintableString (SIZE (1..ub-privacy-mark-length)),
utf8String UTF8String (SIZE (1..MAX)) utf8String UTF8String (SIZE (1..MAX))
} }
ub-privacy-mark-length INTEGER ::= 128 ub-privacy-mark-length INTEGER ::= 128
SecurityCategories ::= SecurityCategories ::=
SET SIZE (1..ub-security-categories) OF SecurityCategory SET SIZE (1..ub-security-categories) OF SecurityCategory
{{SupportedSecurityCategories}}
ub-security-categories INTEGER ::= 64 ub-security-categories INTEGER ::= 64
SECURITY-CATEGORY ::= TYPE-IDENTIFIER
SecurityCategory ::= SEQUENCE {
type [0] SECURITY-CATEGORY.
&id({SupportedSecurityCategories}),
value [1] SECURITY-CATEGORY.
&Type({SupportedSecurityCategories}{@type})
}
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... } SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
--Note: The aforementioned SecurityCategory syntax produces identical
--hex encodings as the following SecurityCategory syntax that is
--documented in the X.411 specification:
--
--SecurityCategory ::= SEQUENCE {
-- type [0] SECURITY-CATEGORY,
-- value [1] ANY DEFINED BY type }
--
--SECURITY-CATEGORY MACRO ::=
--BEGIN
--TYPE NOTATION ::= type | empty
--VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
--END
-- Section 3.4 -- Section 3.4
aa-equivalentLabels CMS-ATTRIBUTE ::= aa-equivalentLabels ATTRIBUTE ::=
{ TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels } { TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }
EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel
id-aa-equivalentLabels OBJECT IDENTIFIER ::= id-aa-equivalentLabels OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 9} smime(16) id-aa(2) 9}
-- Section 4.4 -- Section 4.4
aa-mlExpandHistory CMS-ATTRIBUTE ::= aa-mlExpandHistory ATTRIBUTE ::=
{ TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory } { TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }
MLExpansionHistory ::= SEQUENCE MLExpansionHistory ::= SEQUENCE
SIZE (1..ub-ml-expansion-history) OF MLData SIZE (1..ub-ml-expansion-history) OF MLData
id-aa-mlExpandHistory OBJECT IDENTIFIER ::= id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 3 } smime(16) id-aa(2) 3 }
ub-ml-expansion-history INTEGER ::= 64 ub-ml-expansion-history INTEGER ::= 64
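Review bot: SecurityCategories now uses the parameterized reference "SecurityCategory {{SupportedSecurityCategories}}", while the local "SECURITY-CATEGORY ::= TYPE-IDENTIFIER" and "SecurityCategory ::= SEQUENCE" definitions appear in one column only. If -02 drops them, both names have to arrive through IMPORTS, which this region does not show. The note that the syntax "produces identical hex encodings" as the X.411 "ANY DEFINED BY" form disappears along with them; keep that statement in the module or in the design notes, since it is the assurance that the encoding is unchanged.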
skipping to change at page 44, line 15 skipping to change at page 46, line 38
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier SubjectKeyIdentifier } subjectKeyIdentifier SubjectKeyIdentifier }
MLReceiptPolicy ::= CHOICE { MLReceiptPolicy ::= CHOICE {
none [0] NULL, none [0] NULL,
insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames, insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames } inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }
-- Section 5.4 -- Section 5.4
aa-signingCertificate CMS-ATTRIBUTE ::= aa-signingCertificate ATTRIBUTE ::=
{ TYPE SigningCertificate IDENTIFIED BY { TYPE SigningCertificate IDENTIFIED BY
id-aa-signingCertificate } id-aa-signingCertificate }
SigningCertificate ::= SEQUENCE { SigningCertificate ::= SEQUENCE {
certs SEQUENCE OF ESSCertID, certs SEQUENCE OF ESSCertID,
policies SEQUENCE OF PolicyInformation OPTIONAL policies SEQUENCE OF PolicyInformation OPTIONAL
} }
id-aa-signingCertificate OBJECT IDENTIFIER ::= id-aa-signingCertificate OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 12 } smime(16) id-aa(2) 12 }
aa-signingCertificateV2 CMS-ATTRIBUTE ::= aa-signingCertificateV2 ATTRIBUTE ::=
{ TYPE SigningCertificateV2 IDENTIFIED BY { TYPE SigningCertificateV2 IDENTIFIED BY
id-aa-signingCertificateV2 } id-aa-signingCertificateV2 }
SigningCertificateV2 ::= SEQUENCE { SigningCertificateV2 ::= SEQUENCE {
certs SEQUENCE OF ESSCertIDv2, certs SEQUENCE OF ESSCertIDv2,
policies SEQUENCE OF PolicyInformation OPTIONAL policies SEQUENCE OF PolicyInformation OPTIONAL
} }
id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 47 } smime(16) id-aa(2) 47 }
id-sha256 OBJECT IDENTIFIER ::= HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) {mda-sha256, ...}}
csor(3) nistalgorithm(4) hashalgs(2) 1 }
HashAlgorithm ::= AlgorithmIdentifier{{...}}
ESSCertIDv2 ::= SEQUENCE { ESSCertIDv2 ::= SEQUENCE {
hashAlgorithm HashAlgorithm hashAlgorithm HashAlgorithm
DEFAULT { algorithm id-sha256 }, DEFAULT { algorithm mda-sha256.&id },
certHash Hash, certHash Hash,
issuerSerial IssuerSerial OPTIONAL issuerSerial IssuerSerial OPTIONAL
} }
ESSCertID ::= SEQUENCE { ESSCertID ::= SEQUENCE {
certHash Hash, certHash Hash,
issuerSerial IssuerSerial OPTIONAL issuerSerial IssuerSerial OPTIONAL
} }
Hash ::= OCTET STRING Hash ::= OCTET STRING
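Review bot: HashAlgorithm and the ESSCertIDv2 default now depend on "mda-sha256" and "DIGEST-ALGORITHM", and the local id-sha256 definition is removed, so confirm that both names are imported into this module and that nothing left in it still refers to id-sha256. The default "{ algorithm mda-sha256.&id }" carries no parameters; a comment saying that only this exact value is omitted from a DER encoding would help implementers who meet SHA-256 identifiers that include parameters. Separately, "pkcs9(9)" in the two signingCertificate OIDs is written "pkcs-9(9)" in the other OIDs shown here.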
skipping to change at page 45, line 32 skipping to change at page 48, line 17
CMS-AuthEnvelopedData-2007 CMS-AuthEnvelopedData-2007
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) } pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AuthAttributes, CMSVersion, EncryptedContentInfo, AuthAttributes, CMSVersion, EncryptedContentInfo,
MessageAuthenticationCode, OriginatorInfo, RecipientInfos, MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
UnauthAttributes UnauthAttributes, CONTENT-TYPE
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } ; smime(16) modules(0) cms-2004(24) } ;
--
ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }
--
ct-authEnvelopedData CONTENT-TYPE ::= {
AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
}
id-ct-authEnvelopedData OBJECT IDENTIFIER ::= id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) 23 } smime(16) ct(1) 23 }
AuthEnvelopedData ::= SEQUENCE { AuthEnvelopedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
authEncryptedContentInfo EncryptedContentInfo, authEncryptedContentInfo EncryptedContentInfo,
authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
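Review bot: the new object set is named "ContentTypes", which is generic for a set that holds only ct-authEnvelopedData; the ESS module calls its set "EssContentTypes" and the RFC 5275 module uses the prefixed "SKD-ControlSet", so a module-specific name here would avoid a clash for anyone importing more than one of these sets. The two bare "--" lines around the definition carry no text and can be dropped. The arc is labelled "ct(1)" in id-ct-authEnvelopedData and "id-ct(1)" in id-ct-receipt; use one label for both.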
skipping to change at page 46, line 13 skipping to change at page 49, line 8
END END
11. ASN.1 Module for RFC 5084 11. ASN.1 Module for RFC 5084
CMS-AES-CCM-and-AES-GCM CMS-AES-CCM-and-AES-GCM
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) } pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL;
IMPORTS
CONTENT-ENCRYPTION, SMIME-CAPS
FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)};
-- Add this algorithm set to include all of the algorithms defined in
-- this document
ContentEncryptionAlgs CONTENT-ENCRYPTION ::= {
cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM |
cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... }
SMimeCaps SMIME-CAPS ::= {
cea-aes128-CCM.&smimeCaps |
cea-aes192-CCM.&smimeCaps |
cea-aes256-CCM.&smimeCaps |
cea-aes128-GCM.&smimeCaps |
cea-aes192-GCM.&smimeCaps |
cea-aes256-GCM.&smimeCaps,
...
}
-- Object Identifiers -- Object Identifiers
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }
id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 } id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }
id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 } id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }
id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 } id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }
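Review bot: the new IMPORTS clause names the source module "id-mod-algorithInformation(99)", which reads as a misspelling of "algorithmInformation". The same spelling is used in the IMPORTS of the RFC 5275 module, so correct both places together and check them against the identifier in the AlgorithmInformation module itself.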
skipping to change at page 46, line 44 skipping to change at page 50, line 16
aes-ICVlen AES-CCM-ICVlen DEFAULT 12 } aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }
AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16) AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)
GCMParameters ::= SEQUENCE { GCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING, -- recommended size is 12 octets aes-nonce OCTET STRING, -- recommended size is 12 octets
aes-ICVlen AES-GCM-ICVlen DEFAULT 12 } aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }
AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16) AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
-- Defining objects
cea-aes128-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-CCM
PARAMS TYPE CCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes128-CCM }
}
cea-aes192-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-CCM
PARAMS TYPE CCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes192-CCM }
}
cea-aes256-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes256-CCM
PARAMS TYPE CCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes256-CCM }
}
cea-aes128-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes128-GCM }
}
cea-aes192-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes192-GCM }
}
cea-aes256-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes256-GCM }
}
END END
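Review bot: cea-aes192-GCM and cea-aes256-GCM both carry "IDENTIFIER id-aes128-GCM", while their SMIME CAPS lines use id-aes192-GCM and id-aes256-GCM; this looks like a copy-and-paste slip from cea-aes128-GCM. As written, all three GCM objects share one algorithm OID, so anything generated from or checked against this object set cannot tell the key sizes apart. Change the two IDENTIFIER lines to id-aes192-GCM and id-aes256-GCM, matching the CCM objects, where the identifier and the capability agree.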
12. ASN.1 Module for RFC 5275 12. ASN.1 Module for RFC 5275
SMIMESymmetricKeyDistribution SMIMESymmetricKeyDistribution
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) symkeydist(12) } smime(16) modules(0) symkeydist(12) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL;
IMPORTS IMPORTS
Attribute{}, AlgorithmIdentifier{}, Extensions{}, EXTENSION, AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP,
ATTRIBUTE, ALGORITHM SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS
FROM PKIX-CommonTypes FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) } mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
GeneralName GeneralName
FROM PKIX1Implicit88 FROM PKIX1Implicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }
Certificate Certificate
FROM PKIX1Explicit88 FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
RecipientInfos, KEKIdentifier,CertificateSet RecipientInfos, KEKIdentifier,CertificateSet
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax2004
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } smime(16) modules(0) cms-2004(24) }
id-alg-CMS3DESwrap cap-3DESwrap
FROM CryptographicMessageSyntaxAlgorithms FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) } smime(16) modules(0) cmsalg-2001(16) }
AttributeCertificate AttributeCertificate
FROM PKIXAttributeCertificate FROM PKIXAttributeCertificate
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert(12) } mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert(12) }
CMC-CONTROL, EXTENDED-FAILURE-INFO
CMC-CONTROL
FROM EnrollmentMessageSyntax FROM EnrollmentMessageSyntax
{ iso(1) identified-organization(3) dod(4) internet(1) security(5) { iso(1) identified-organization(3) dod(4) internet(1) security(5)
mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002(23) }; mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002(23) }
cea-aes128-cbc, cea-aes192-cbc, cea-aes256-cbc
FROM CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) }
;
-- This defines the GL symmetric key distribution object identifier -- This defines the GL symmetric key distribution object identifier
-- arc. -- arc.
id-skd OBJECT IDENTIFIER ::= id-skd OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) skd(8) } smime(16) skd(8) }
ControlSet CMC-CONTROL ::= {
SKD-ControlSet CMC-CONTROL ::= {
skd-glUseKEK | skd-glDelete | skd-glAddMember | skd-glUseKEK | skd-glDelete | skd-glAddMember |
skd-glDeleteMember | skd-glRekey | skd-glAddOwner | skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
skd-glRemoveOwner | skd-glKeyCompromise | skd-glRemoveOwner | skd-glKeyCompromise |
skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert | skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
skd-glManageCert | skd-glKey, ... } skd-glManageCert | skd-glKey, ... }
-- This defines the GL Use KEK control attribute -- This defines the GL Use KEK control attribute
skd-glUseKEK CMC-CONTROL ::= skd-glUseKEK CMC-CONTROL ::=
{ GLUseKEK IDENTIFIED BY id-skd-glUseKEK } { GLUseKEK IDENTIFIED BY id-skd-glUseKEK }
id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1} id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1}
GLUseKEK ::= SEQUENCE { GLUseKEK ::= SEQUENCE {
glInfo GLInfo, glInfo GLInfo,
glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo, glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo,
glAdministration GLAdministration DEFAULT 1, glAdministration GLAdministration DEFAULT managed,
glKeyAttributes GLKeyAttributes OPTIONAL glKeyAttributes GLKeyAttributes OPTIONAL
} }
GLInfo ::= SEQUENCE { GLInfo ::= SEQUENCE {
glName GeneralName, glName GeneralName,
glAddress GeneralName glAddress GeneralName
} }
GLOwnerInfo ::= SEQUENCE { GLOwnerInfo ::= SEQUENCE {
glOwnerName GeneralName, glOwnerName GeneralName,
glOwnerAddress GeneralName, glOwnerAddress GeneralName,
certificates Certificates OPTIONAL certificates Certificates OPTIONAL
} }
GLAdministration ::= INTEGER { GLAdministration ::= INTEGER {
unmanaged (0), unmanaged (0),
managed (1), managed (1),
closed (2) closed (2)
} }
KeyWrapAlgorithm ::= AlgorithmIdentifier {{...}} --
-- The set of key wrap algorithms supported by this specification
--
SKD-Caps SMIME-CAPS ::= {
cap-3DESwrap | cea-aes128-cbc.&smimeCaps |
cea-aes192-cbc.&smimeCaps | cea-aes256-cbc.&smimeCaps, ...
}
KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}}
cap-aes128-cbc KeyWrapAlgorithm ::=
{ capabilityID cea-aes128-cbc.&smimeCaps.&id }
GLKeyAttributes ::= SEQUENCE { GLKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE, rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE, recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
duration [2] INTEGER DEFAULT 0, duration [2] INTEGER DEFAULT 0,
generationCounter [3] INTEGER DEFAULT 2, generationCounter [3] INTEGER DEFAULT 2,
requestedAlgorithm [4] KeyWrapAlgorithm requestedAlgorithm [4] KeyWrapAlgorithm
DEFAULT {algorithm id-alg-CMS3DESwrap} DEFAULT cap-aes128-cbc
} }
-- This defines the Delete GL control attribute. -- This defines the Delete GL control attribute.
-- It has the simple type GeneralName. -- It has the simple type GeneralName.
skd-glDelete CMC-CONTROL ::= skd-glDelete CMC-CONTROL ::=
{ DeleteGL IDENTIFIED BY id-skd-glDelete } { DeleteGL IDENTIFIED BY id-skd-glDelete }
id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2} id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2}
DeleteGL ::= GeneralName DeleteGL ::= GeneralName
-- This defines the Add GL Member control attribute -- This defines the Add GL Member control attribute
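Review bot: in GLKeyAttributes the default for requestedAlgorithm changes from "{algorithm id-alg-CMS3DESwrap}" to "cap-aes128-cbc", which changes the meaning of every encoding that omits the field. If this is not meant as a protocol change, keep the default on the Triple-DES wrap capability (cap-3DESwrap is already imported); if it is, say so in the change log. SKD-Caps is described as "the set of key wrap algorithms" yet lists the cea-aes128-cbc, cea-aes192-cbc and cea-aes256-cbc objects, and the imported KEY-WRAP class is not used in the lines shown; please confirm these are the intended algorithms. In the IMPORTS, "dod(4)" and "mechansims(5)" in the EnrollmentMessageSyntax OID differ from the "dod(6)" and "mechanisms(5)" used in the other PKIX module OIDs in this clause.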
skipping to change at page 50, line 23 skipping to change at page 55, line 5
glAdministration GLAdministration OPTIONAL, glAdministration GLAdministration OPTIONAL,
glNewKeyAttributes GLNewKeyAttributes OPTIONAL, glNewKeyAttributes GLNewKeyAttributes OPTIONAL,
glRekeyAllGLKeys BOOLEAN OPTIONAL glRekeyAllGLKeys BOOLEAN OPTIONAL
} }
GLNewKeyAttributes ::= SEQUENCE { GLNewKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN OPTIONAL, rekeyControlledByGLO [0] BOOLEAN OPTIONAL,
recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL, recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL,
duration [2] INTEGER OPTIONAL, duration [2] INTEGER OPTIONAL,
generationCounter [3] INTEGER OPTIONAL, generationCounter [3] INTEGER OPTIONAL,
requestedAlgorithm [4] AlgorithmIdentifier{{...}} requestedAlgorithm [4] KeyWrapAlgorithm OPTIONAL
OPTIONAL
} }
-- This defines the Add and Delete GL Owner control attributes -- This defines the Add and Delete GL Owner control attributes
skd-glAddOwner CMC-CONTROL ::= skd-glAddOwner CMC-CONTROL ::=
{ GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner } { GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner }
id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6} id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6}
skd-glRemoveOwner CMC-CONTROL ::= skd-glRemoveOwner CMC-CONTROL ::=
skipping to change at page 51, line 30 skipping to change at page 56, line 12
-- This defines the GLA Query Request control attribute. -- This defines the GLA Query Request control attribute.
skd-glaQueryRequest CMC-CONTROL ::= skd-glaQueryRequest CMC-CONTROL ::=
{ GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest } { GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest }
id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11} id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11}
SKD-QUERY ::= TYPE-IDENTIFIER SKD-QUERY ::= TYPE-IDENTIFIER
SkdQuerySet SKD-QUERY ::= {...} SkdQuerySet SKD-QUERY ::= {skd-AlgRequest, ...}
GLAQueryRequest ::= SEQUENCE { GLAQueryRequest ::= SEQUENCE {
glaRequestType SKD-QUERY.&id ({SkdQuerySet}), glaRequestType SKD-QUERY.&id ({SkdQuerySet}),
glaRequestValue SKD-QUERY. glaRequestValue SKD-QUERY.
&Type ({SkdQuerySet}{@glaRequestType}) &Type ({SkdQuerySet}{@glaRequestType})
} }
-- This defines the GLA Query Response control attribute. -- This defines the GLA Query Response control attribute.
skd-glaQueryResponse CMC-CONTROL ::= skd-glaQueryResponse CMC-CONTROL ::=
{ GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse } { GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse }
id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12} id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12}
SKD-RESPONSE ::= TYPE-IDENTIFIER SKD-RESPONSE ::= TYPE-IDENTIFIER
SkdResponseSet SKD-RESPONSE ::= {...} SkdResponseSet SKD-RESPONSE ::= {skd-AlgResponse, ...}
GLAQueryResponse ::= SEQUENCE { GLAQueryResponse ::= SEQUENCE {
glaResponseType SKD-RESPONSE. glaResponseType SKD-RESPONSE.
&id({SkdResponseSet}), &id({SkdResponseSet}),
glaResponseValue SKD-RESPONSE. glaResponseValue SKD-RESPONSE.
&Type({SkdResponseSet}{@glaResponseType})} &Type({SkdResponseSet}{@glaResponseType})}
-- This defines the GLA Request/Response (glaRR) arc for -- This defines the GLA Request/Response (glaRR) arc for
-- glaRequestType/glaResponseType. -- glaRequestType/glaResponseType.
id-cmc-glaRR OBJECT IDENTIFIER ::= id-cmc-glaRR OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cmc(7) glaRR(99) } mechanisms(5) pkix(7) cmc(7) glaRR(99) }
-- This defines the Algorithm Request -- This defines the Algorithm Request
skd-AlgRequest SKD-QUERY ::= {
SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest
}
id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 } id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }
SKDAlgRequest ::= NULL SKDAlgRequest ::= NULL
-- This defines the Algorithm Response -- This defines the Algorithm Response
skd-AlgResponse SKD-RESPONSE ::= {
SMIMECapability{{SKD-Caps}} IDENTIFIED BY
id-cmc-gla-skdAlgResponse
}
id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 } id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }
-- Note that the response for algorithmSupported request is the -- Note that the response for algorithmSupported request is the
-- smimeCapabilities attribute as defined in MsgSpec [MSG]. -- smimeCapabilities attribute as defined in MsgSpec [MSG].
-- This defines the control attribute to request an updated -- This defines the control attribute to request an updated
-- certificate to the GLA. -- certificate to the GLA.
skd-glProvideCert CMC-CONTROL ::= skd-glProvideCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glProvideCert } { GLManageCert IDENTIFIED BY id-skd-glProvideCert }
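Review bot: skd-AlgResponse binds the response to a single "SMIMECapability{{SKD-Caps}}", but the comment kept a few lines below says the response is "the smimeCapabilities attribute", which is the list form, and SMIMECapabilities{} is among this module's imports. Either bind the object to "SMIMECapabilities{{SKD-Caps}}" or reword the comment so that the type and the text agree.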
skipping to change at page 53, line 4 skipping to change at page 57, line 41
skd-glManageCert CMC-CONTROL ::= skd-glManageCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glManageCert } { GLManageCert IDENTIFIED BY id-skd-glManageCert }
id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14} id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}
-- This defines the control attribute to distribute the GL shared -- This defines the control attribute to distribute the GL shared
-- KEK. -- KEK.
skd-glKey CMC-CONTROL ::= skd-glKey CMC-CONTROL ::=
{ GLKey IDENTIFIED BY id-skd-glKey } { GLKey IDENTIFIED BY id-skd-glKey }
id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15} id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}
GLKey ::= SEQUENCE { GLKey ::= SEQUENCE {
glName GeneralName, glName GeneralName,
glIdentifier KEKIdentifier, -- See [CMS] glIdentifier KEKIdentifier, -- See [CMS]
glkWrapped RecipientInfos, -- See [CMS] glkWrapped RecipientInfos, -- See [CMS]
glkAlgorithm AlgorithmIdentifier{{...}}, glkAlgorithm KeyWrapAlgorithm,
glkNotBefore GeneralizedTime, glkNotBefore GeneralizedTime,
glkNotAfter GeneralizedTime glkNotAfter GeneralizedTime
} }
-- This defines the CMC error types -- This defines the CMC error types
skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= {
SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo
}
id-cet-skdFailInfo OBJECT IDENTIFIER ::= id-cet-skdFailInfo OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cet(15) skdFailInfo(1) } mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }
SKDFailInfo ::= INTEGER { SKDFailInfo ::= INTEGER {
unspecified (0), unspecified (0),
closedGL (1), closedGL (1),
unsupportedDuration (2), unsupportedDuration (2),
noGLACertificate (3), noGLACertificate (3),
invalidCert (4), invalidCert (4),
skipping to change at page 55, line 32 skipping to change at page 60, line 24
In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate
which version of CMS added the various extensions. which version of CMS added the various extensions.
A.2. Changes between draft-ietf-smime-new-asn1-00 and -01 A.2. Changes between draft-ietf-smime-new-asn1-00 and -01
Added RFC 5275. Added RFC 5275.
Added module for algorithm classes, and modified RFC 3370 and RFC Added module for algorithm classes, and modified RFC 3370 and RFC
3852 to uses the classes defined. 3852 to uses the classes defined.
A.3. Changes between draft-ietf-smime-new-asn1-01 and -02
Added design notes.
Removed issue on "Algorithm Structure" and issue on "More Modules To
Be Added".
Updated all modules to use objects more deeply.
In section 6, changed "PKCS #10" to "PKCS #7" to reflect the actual
module where the changes were made.
Authors' Addresses Authors' Addresses
Paul Hoffman Paul Hoffman
VPN Consortium VPN Consortium
127 Segre Place 127 Segre Place
Santa Cruz, CA 95060 Santa Cruz, CA 95060
US US
Phone: 1-831-426-9827 Phone: 1-831-426-9827
Email: paul.hoffman@vpnc.org Email: paul.hoffman@vpnc.org
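Review bot: the new A.3 entry covers the module work with "Updated all modules to use objects more deeply", but the -02 column also changes a default value (requestedAlgorithm in GLKeyAttributes now defaults to cap-aes128-cbc) and removes the local id-sha256 and SecurityCategory definitions. List those separately so readers can tell syntax-only rewrites from changes that affect encodings or importers. In A.2, "to uses the classes defined" should read "to use the classes defined".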
skipping to change at page 55, line 42 skipping to change at page 61, line 4
Authors' Addresses Authors' Addresses
Paul Hoffman Paul Hoffman
VPN Consortium VPN Consortium
127 Segre Place 127 Segre Place
Santa Cruz, CA 95060 Santa Cruz, CA 95060
US US
Phone: 1-831-426-9827 Phone: 1-831-426-9827
Email: paul.hoffman@vpnc.org Email: paul.hoffman@vpnc.org
Jim Schaad Jim Schaad
Soaring Hawk Consulting Soaring Hawk Consulting
Email: jimsch@exmsft.com Email: jimsch@exmsft.com
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
 End of changes. 219 change blocks. 
485 lines changed or deleted 717 lines changed or added
