PKIXCRMF-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE,
SingleAttribute{}
FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) }
AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM,
DIGEST-ALGORITHM, MAC-ALGORITHM, PUBLIC-KEY
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
Version, Name, Time, SubjectPublicKeyInfo, UniqueIdentifier, id-pkix,
SignatureAlgorithms
FROM PKIX1Explicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}
GeneralName, CertExtensions
FROM PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
EnvelopedData, CONTENT-TYPE
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41)}
maca-hMAC-SHA1
FROM CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
mda-sha1
FROM PKIXAlgs-2009
{ iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms2008-02(56) } ;
-- arc for Internet X.509 PKI protocols and their components
id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 }
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types
-- Core definitions for this module
CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
CertReqMsg ::= SEQUENCE {
certReq CertRequest,
popo ProofOfPossession OPTIONAL,
-- content depends upon key type
regInfo SEQUENCE SIZE(1..MAX) OF
SingleAttribute{{RegInfoSet}} OPTIONAL }
CertRequest ::= SEQUENCE {
certReqId INTEGER,
-- ID for matching request and reply
certTemplate CertTemplate,
-- Selected fields of cert to be issued
controls Controls OPTIONAL }
-- Attributes affecting issuance
CertTemplate ::= SEQUENCE {
version [0] Version OPTIONAL,
serialNumber [1] INTEGER OPTIONAL,
signingAlg [2] AlgorithmIdentifier{SIGNATURE-ALGORITHM,
{SignatureAlgorithms}} OPTIONAL,
issuer [3] Name OPTIONAL,
validity [4] OptionalValidity OPTIONAL,
subject [5] Name OPTIONAL,
publicKey [6] SubjectPublicKeyInfo OPTIONAL,
issuerUID [7] UniqueIdentifier OPTIONAL,
subjectUID [8] UniqueIdentifier OPTIONAL,
extensions [9] Extensions{{CertExtensions}} OPTIONAL }
OptionalValidity ::= SEQUENCE {
notBefore [0] Time OPTIONAL,
notAfter [1] Time OPTIONAL } -- at least one MUST be present
Controls ::= SEQUENCE SIZE(1..MAX) OF SingleAttribute
{{RegControlSet}}
ProofOfPossession ::= CHOICE {
raVerified [0] NULL,
-- used if the RA has already verified that the requester is in
-- possession of the private key
signature [1] POPOSigningKey,
keyEncipherment [2] POPOPrivKey,
keyAgreement [3] POPOPrivKey }
POPOSigningKey ::= SEQUENCE {
poposkInput [0] POPOSigningKeyInput OPTIONAL,
algorithmIdentifier AlgorithmIdentifier{SIGNATURE-ALGORITHM,
{SignatureAlgorithms}},
signature BIT STRING }
-- The signature (using "algorithmIdentifier") is on the
-- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
-- certReq CertTemplate contains the subject and publicKey values,
-- then poposkInput MUST be omitted and the signature MUST be
-- computed over the DER-encoded value of CertReqMsg certReq. If
-- the CertReqMsg certReq CertTemplate does not contain both the
-- public key and subject values (i.e., if it contains only one
-- of these, or neither), then poposkInput MUST be present and
-- MUST be signed.
POPOSigningKeyInput ::= SEQUENCE {
authInfo CHOICE {
sender [0] GeneralName,
-- used only if an authenticated identity has been
-- established for the sender (e.g., a DN from a
-- previously-issued and currently-valid certificate)
publicKeyMAC PKMACValue },
-- used if no authenticated GeneralName currently exists for
-- the sender; publicKeyMAC contains a password-based MAC
-- on the DER-encoded value of publicKey
publicKey SubjectPublicKeyInfo } -- from CertTemplate
PKMACValue ::= SEQUENCE {
algId AlgorithmIdentifier{MAC-ALGORITHM,
{Password-MACAlgorithms}},
value BIT STRING }
--
-- Define the currently only acceptable MAC algorithm to be used
-- for the PKMACValue structure
--
id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
usa(840) nt(113533) nsn(7) algorithms(66) 13 }
Password-MACAlgorithms MAC-ALGORITHM ::= {
{IDENTIFIER id-PasswordBasedMac
PARAMS TYPE PBMParameter ARE required
IS-KEYED-MAC TRUE
}, ...
}
PBMParameter ::= SEQUENCE {
salt OCTET STRING,
owf AlgorithmIdentifier{DIGEST-ALGORITHM,
{DigestAlgorithms}},
-- AlgId for a One-Way Function (SHA-1 recommended)
iterationCount INTEGER,
-- number of times the OWF is applied
mac AlgorithmIdentifier{MAC-ALGORITHM,
{MACAlgorithms}}
-- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC, or HMAC
}
DigestAlgorithms DIGEST-ALGORITHM ::= {
mda-sha1, ...
}
MACAlgorithms MAC-ALGORITHM ::= {
-- The modules containing the ASN.1 for the DES and 3DES MAC
-- algorithms have not been updated at the time that this is
-- being published. Users of this module should define the
-- appropriate MAC-ALGORITHM objects and uncomment the
-- following lines if they support these MAC algorithms.
-- maca-des-mac | maca-3des-mac --
maca-hMAC-SHA1,
...
}
POPOPrivKey ::= CHOICE {
thisMessage [0] BIT STRING, -- Deprecated
-- possession is proven in this message (which contains
-- the private key itself (encrypted for the CA))
subsequentMessage [1] SubsequentMessage,
-- possession will be proven in a subsequent message
dhMAC [2] BIT STRING, -- Deprecated
agreeMAC [3] PKMACValue,
encryptedKey [4] EnvelopedData }
-- for keyAgreement (only), possession is proven in this message
-- (which contains a MAC (over the DER-encoded value of the
-- certReq parameter in CertReqMsg, which MUST include both
-- subject and publicKey) based on a key derived from the end
-- entity's private DH key and the CA's public DH key);
SubsequentMessage ::= INTEGER {
encrCert (0),
-- requests that resulting certificate be encrypted for the
-- end entity (following which, POP will be proven in a
-- confirmation message)
challengeResp (1) }
-- requests that CA engage in challenge-response exchange with
-- end entity in order to prove private key possession
--
-- id-ct-encKeyWithID content type used as the content type for the
-- EnvelopedData in POPOPrivKey.
-- It contains both a private key and an identifier for key escrow
-- agents to check against recovery requestors.
--
ct-encKeyWithID CONTENT-TYPE ::=
{ EncKeyWithID IDENTIFIED BY id-ct-encKeyWithID }
id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
EncKeyWithID ::= SEQUENCE {
privateKey PrivateKeyInfo,
identifier CHOICE {
string UTF8String,
generalName GeneralName
} OPTIONAL
}
PrivateKeyInfo ::= SEQUENCE {
version INTEGER,
privateKeyAlgorithm AlgorithmIdentifier{PUBLIC-KEY, {...}},
privateKey OCTET STRING,
-- Structure of public key is in PUBLIC-KEY.&PrivateKey
attributes [0] IMPLICIT Attributes OPTIONAL
}
Attributes ::= SET OF AttributeSet{{PrivateKeyAttributes}}
PrivateKeyAttributes ATTRIBUTE ::= {...}
--
-- 6. Registration Controls in CRMF
--
id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 }
RegControlSet ATTRIBUTE ::= {
regCtrl-regToken | regCtrl-authenticator |
regCtrl-pkiPublicationInfo | regCtrl-pkiArchiveOptions |
regCtrl-oldCertID | regCtrl-protocolEncrKey, ... }
--
-- 6.1. Registration Token Control
--
regCtrl-regToken ATTRIBUTE ::=
{ TYPE RegToken IDENTIFIED BY id-regCtrl-regToken }
id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 }
RegToken ::= UTF8String
--
-- 6.2. Authenticator Control
--
regCtrl-authenticator ATTRIBUTE ::=
{ TYPE Authenticator IDENTIFIED BY id-regCtrl-authenticator }
id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 }
Authenticator ::= UTF8String
--
-- 6.3. Publication Information Control
--
regCtrl-pkiPublicationInfo ATTRIBUTE ::=
{ TYPE PKIPublicationInfo IDENTIFIED BY
id-regCtrl-pkiPublicationInfo }
id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 }
PKIPublicationInfo ::= SEQUENCE {
action INTEGER {
dontPublish (0),
pleasePublish (1) },
pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
-- pubInfos MUST NOT be present if action is "dontPublish"
-- (if action is "pleasePublish" and pubInfos is omitted,
-- "dontCare" is assumed)
SinglePubInfo ::= SEQUENCE {
pubMethod INTEGER {
dontCare (0),
x500 (1),
web (2),
ldap (3) },
pubLocation GeneralName OPTIONAL }
--
-- 6.4. Archive Options Control
--
regCtrl-pkiArchiveOptions ATTRIBUTE ::=
{ TYPE PKIArchiveOptions IDENTIFIED BY
id-regCtrl-pkiArchiveOptions }
id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 }
PKIArchiveOptions ::= CHOICE {
encryptedPrivKey [0] EncryptedKey,
-- the actual value of the private key
keyGenParameters [1] KeyGenParameters,
-- parameters that allow the private key to be re-generated
archiveRemGenPrivKey [2] BOOLEAN }
-- set to TRUE if sender wishes receiver to archive the private
-- key of a key pair that the receiver generates in response to
-- this request; set to FALSE if no archive is desired.
EncryptedKey ::= CHOICE {
encryptedValue EncryptedValue, -- Deprecated
envelopedData [0] EnvelopedData }
-- The encrypted private key MUST be placed in the envelopedData
-- encryptedContentInfo encryptedContent OCTET STRING.
--
-- We skipped doing the full constraints here since this structure
-- has been deprecated in favor of EnvelopedData
--
EncryptedValue ::= SEQUENCE {
intendedAlg [0] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL,
-- the intended algorithm for which the value will be used
symmAlg [1] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL,
-- the symmetric algorithm used to encrypt the value
encSymmKey [2] BIT STRING OPTIONAL,
-- the (encrypted) symmetric key used to encrypt the value
keyAlg [3] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL,
-- algorithm used to encrypt the symmetric key
valueHint [4] OCTET STRING OPTIONAL,
-- a brief description or identifier of the encValue content
-- (may be meaningful only to the sending entity, and used only
-- if EncryptedValue might be re-examined by the sending entity
-- in the future)
encValue BIT STRING }
-- the encrypted value itself
-- When EncryptedValue is used to carry a private key (as opposed to
-- a certificate), implementations MUST support the encValue field
-- containing an encrypted PrivateKeyInfo as defined in [PKCS11],
-- section 12.11. If encValue contains some other format/encoding
-- for the private key, the first octet of valueHint MAY be used
-- to indicate the format/encoding (but note that the possible values
-- of this octet are not specified at this time). In all cases, the
-- intendedAlg field MUST be used to indicate at least the OID of
-- the intended algorithm of the private key, unless this information
-- is known a priori to both sender and receiver by some other means.
KeyGenParameters ::= OCTET STRING
--
-- 6.5. OldCert ID Control
--
regCtrl-oldCertID ATTRIBUTE ::=
{ TYPE OldCertId IDENTIFIED BY id-regCtrl-oldCertID }
id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 }
OldCertId ::= CertId
CertId ::= SEQUENCE {
issuer GeneralName,
serialNumber INTEGER }
--
-- 6.6. Protocol Encryption Key Control
--
regCtrl-protocolEncrKey ATTRIBUTE ::=
{ TYPE ProtocolEncrKey IDENTIFIED BY id-regCtrl-protocolEncrKey }
id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 }
ProtocolEncrKey ::= SubjectPublicKeyInfo
--
-- 7. Registration Info in CRMF
--
id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 }
RegInfoSet ATTRIBUTE ::=
{ regInfo-utf8Pairs | regInfo-certReq }
--
-- 7.1. utf8Pairs RegInfo Control
--
regInfo-utf8Pairs ATTRIBUTE ::=
{ TYPE UTF8Pairs IDENTIFIED BY id-regInfo-utf8Pairs }
id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= { id-regInfo 1 }
--with syntax
UTF8Pairs ::= UTF8String
--
-- 7.2. certReq RegInfo Control
--
regInfo-certReq ATTRIBUTE ::=
{ TYPE CertReq IDENTIFIED BY id-regInfo-certReq }
id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 }
--with syntax
CertReq ::= CertRequest
END
