aboutsummaryrefslogblamecommitdiffstats
path: root/lib/asn1/test/asn1_SUITE_data/rfcs/PKIXCRMF-2009.asn1
blob: 1c0b7804992ccaf30feb62153736018f5357756d (plain) (tree)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
























































































































































































































































































































































































































                                                                        
  PKIXCRMF-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)}
  DEFINITIONS IMPLICIT TAGS ::=
  BEGIN
  IMPORTS

  AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE,
      SingleAttribute{}
  FROM PKIX-CommonTypes-2009
      {iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkixCommon-02(57) }

  AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM,
      DIGEST-ALGORITHM, MAC-ALGORITHM, PUBLIC-KEY
  FROM AlgorithmInformation-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0)
      id-mod-algorithmInformation-02(58)}

  Version, Name, Time, SubjectPublicKeyInfo, UniqueIdentifier, id-pkix,
      SignatureAlgorithms
  FROM PKIX1Explicit-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

  GeneralName, CertExtensions
  FROM PKIX1Implicit-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

  EnvelopedData, CONTENT-TYPE
  FROM CryptographicMessageSyntax-2009
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cms-2004-02(41)}
  maca-hMAC-SHA1
  FROM CryptographicMessageSyntaxAlgorithms-2009
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

  mda-sha1
  FROM PKIXAlgs-2009
      { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-algorithms2008-02(56) } ;

  -- arc for Internet X.509 PKI protocols and their components

  id-pkip  OBJECT IDENTIFIER ::= { id-pkix 5 }

  id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }

  id-ct   OBJECT IDENTIFIER ::= { id-smime  1 }  -- content types

  -- Core definitions for this module

  CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg

  CertReqMsg ::= SEQUENCE {
      certReq   CertRequest,
      popo       ProofOfPossession  OPTIONAL,
      -- content depends upon key type
      regInfo   SEQUENCE SIZE(1..MAX) OF
          SingleAttribute{{RegInfoSet}} OPTIONAL }

  CertRequest ::= SEQUENCE {
      certReqId     INTEGER,
      -- ID for matching request and reply
      certTemplate  CertTemplate,
      -- Selected fields of cert to be issued
      controls      Controls OPTIONAL }
      -- Attributes affecting issuance

  CertTemplate ::= SEQUENCE {
      version      [0] Version               OPTIONAL,
      serialNumber [1] INTEGER               OPTIONAL,
      signingAlg   [2] AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                           {SignatureAlgorithms}}   OPTIONAL,
      issuer       [3] Name                  OPTIONAL,
      validity     [4] OptionalValidity      OPTIONAL,
      subject      [5] Name                  OPTIONAL,
      publicKey    [6] SubjectPublicKeyInfo  OPTIONAL,
      issuerUID    [7] UniqueIdentifier      OPTIONAL,
      subjectUID   [8] UniqueIdentifier      OPTIONAL,
      extensions   [9] Extensions{{CertExtensions}}  OPTIONAL }

  OptionalValidity ::= SEQUENCE {
      notBefore  [0] Time OPTIONAL,
      notAfter   [1] Time OPTIONAL } -- at least one MUST be present

  Controls  ::= SEQUENCE SIZE(1..MAX) OF SingleAttribute
                    {{RegControlSet}}

  ProofOfPossession ::= CHOICE {
      raVerified        [0] NULL,
      -- used if the RA has already verified that the requester is in
      -- possession of the private key
      signature         [1] POPOSigningKey,
      keyEncipherment   [2] POPOPrivKey,
      keyAgreement      [3] POPOPrivKey }

  POPOSigningKey ::= SEQUENCE {
      poposkInput           [0] POPOSigningKeyInput OPTIONAL,
      algorithmIdentifier   AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                                {SignatureAlgorithms}},
      signature             BIT STRING }
      -- The signature (using "algorithmIdentifier") is on the
      -- DER-encoded value of poposkInput.  NOTE: If the CertReqMsg
      -- certReq CertTemplate contains the subject and publicKey values,
      -- then poposkInput MUST be omitted and the signature MUST be
      -- computed over the DER-encoded value of CertReqMsg certReq.  If
      -- the CertReqMsg certReq CertTemplate does not contain both the
      -- public key and subject values (i.e., if it contains only one
      -- of these, or neither), then poposkInput MUST be present and
      -- MUST be signed.

  POPOSigningKeyInput ::= SEQUENCE {
      authInfo            CHOICE {
       sender              [0] GeneralName,
       -- used only if an authenticated identity has been
       -- established for the sender (e.g., a DN from a
       -- previously-issued and currently-valid certificate)
       publicKeyMAC        PKMACValue },
       -- used if no authenticated GeneralName currently exists for
       -- the sender; publicKeyMAC contains a password-based MAC
       -- on the DER-encoded value of publicKey
      publicKey           SubjectPublicKeyInfo }  -- from CertTemplate

  PKMACValue ::= SEQUENCE {
      algId  AlgorithmIdentifier{MAC-ALGORITHM,
                 {Password-MACAlgorithms}},
      value  BIT STRING }

  --
  --  Define the currently only acceptable MAC algorithm to be used
  --  for the PKMACValue structure
  --

  id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
      usa(840) nt(113533) nsn(7) algorithms(66) 13 }

  Password-MACAlgorithms MAC-ALGORITHM ::= {
      {IDENTIFIER id-PasswordBasedMac
       PARAMS TYPE PBMParameter ARE required
       IS-KEYED-MAC TRUE
      }, ...
  }

  PBMParameter ::= SEQUENCE {
     salt                OCTET STRING,
     owf                 AlgorithmIdentifier{DIGEST-ALGORITHM,
                             {DigestAlgorithms}},
     -- AlgId for a One-Way Function (SHA-1 recommended)
     iterationCount      INTEGER,
     -- number of times the OWF is applied
     mac                 AlgorithmIdentifier{MAC-ALGORITHM,
                             {MACAlgorithms}}
     -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC, or HMAC
  }

  DigestAlgorithms DIGEST-ALGORITHM ::= {
     mda-sha1, ...
  }

  MACAlgorithms MAC-ALGORITHM ::= {
      -- The modules containing the ASN.1 for the DES and 3DES MAC
      -- algorithms have not been updated at the time that this is
      -- being published.  Users of this module should define the
      -- appropriate MAC-ALGORITHM objects and uncomment the
      -- following lines if they support these MAC algorithms.
      -- maca-des-mac | maca-3des-mac --
      maca-hMAC-SHA1,
      ...
  }

  POPOPrivKey ::= CHOICE {
      thisMessage       [0] BIT STRING,         -- Deprecated
      -- possession is proven in this message (which contains
      -- the private key itself (encrypted for the CA))
      subsequentMessage [1] SubsequentMessage,
      -- possession will be proven in a subsequent message
      dhMAC             [2] BIT STRING,         -- Deprecated
      agreeMAC          [3] PKMACValue,
      encryptedKey      [4] EnvelopedData }
      -- for keyAgreement (only), possession is proven in this message
      -- (which contains a MAC (over the DER-encoded value of the
      -- certReq parameter in CertReqMsg, which MUST include both
      -- subject and publicKey) based on a key derived from the end
      -- entity's private DH key and the CA's public DH key);

  SubsequentMessage ::= INTEGER {
      encrCert (0),
      -- requests that resulting certificate be encrypted for the
      -- end entity (following which, POP will be proven in a
      -- confirmation message)
      challengeResp (1) }
      -- requests that CA engage in challenge-response exchange with
      -- end entity in order to prove private key possession

  --
  -- id-ct-encKeyWithID content type used as the content type for the
  -- EnvelopedData in POPOPrivKey.
  -- It contains both a private key and an identifier for key escrow
  -- agents to check against recovery requestors.
  --

  ct-encKeyWithID CONTENT-TYPE ::=
      { EncKeyWithID IDENTIFIED BY id-ct-encKeyWithID }

  id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}

  EncKeyWithID ::= SEQUENCE {
      privateKey           PrivateKeyInfo,
      identifier CHOICE {
          string             UTF8String,
          generalName        GeneralName
      } OPTIONAL
  }

  PrivateKeyInfo ::= SEQUENCE {
     version                   INTEGER,
     privateKeyAlgorithm       AlgorithmIdentifier{PUBLIC-KEY, {...}},
     privateKey                OCTET STRING,
               --  Structure of public key is in PUBLIC-KEY.&PrivateKey
     attributes                [0] IMPLICIT Attributes OPTIONAL
  }

  Attributes ::= SET OF AttributeSet{{PrivateKeyAttributes}}
  PrivateKeyAttributes ATTRIBUTE ::= {...}

  --
  -- 6.  Registration Controls in CRMF
  --

  id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 }

  RegControlSet ATTRIBUTE ::= {
      regCtrl-regToken | regCtrl-authenticator |
      regCtrl-pkiPublicationInfo | regCtrl-pkiArchiveOptions |
      regCtrl-oldCertID | regCtrl-protocolEncrKey, ... }

  --
  --  6.1.  Registration Token Control
  --

  regCtrl-regToken ATTRIBUTE ::=
      { TYPE RegToken IDENTIFIED BY id-regCtrl-regToken }

  id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 }

  RegToken ::= UTF8String

  --
  --  6.2.  Authenticator Control
  --

  regCtrl-authenticator ATTRIBUTE ::=
      { TYPE Authenticator IDENTIFIED BY id-regCtrl-authenticator }

  id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 }

  Authenticator ::= UTF8String

  --
  --  6.3.  Publication Information Control
  --

  regCtrl-pkiPublicationInfo ATTRIBUTE ::=
      { TYPE PKIPublicationInfo IDENTIFIED BY
          id-regCtrl-pkiPublicationInfo }

  id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 }

  PKIPublicationInfo ::= SEQUENCE {
      action     INTEGER {
                     dontPublish (0),
                     pleasePublish (1) },
      pubInfos  SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
      -- pubInfos MUST NOT be present if action is "dontPublish"
      -- (if action is "pleasePublish" and pubInfos is omitted,
      -- "dontCare" is assumed)

  SinglePubInfo ::= SEQUENCE {
      pubMethod    INTEGER {
          dontCare    (0),
          x500        (1),
          web         (2),
          ldap        (3) },
      pubLocation  GeneralName OPTIONAL }

  --
  --  6.4.  Archive Options Control
  --

  regCtrl-pkiArchiveOptions ATTRIBUTE ::=
      { TYPE PKIArchiveOptions IDENTIFIED BY
          id-regCtrl-pkiArchiveOptions }

  id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 }

  PKIArchiveOptions ::= CHOICE {
      encryptedPrivKey     [0] EncryptedKey,
      -- the actual value of the private key
      keyGenParameters     [1] KeyGenParameters,
      -- parameters that allow the private key to be re-generated
      archiveRemGenPrivKey [2] BOOLEAN }
      -- set to TRUE if sender wishes receiver to archive the private
      -- key of a key pair that the receiver generates in response to
      -- this request; set to FALSE if no archive is desired.

  EncryptedKey ::= CHOICE {
      encryptedValue        EncryptedValue,   -- Deprecated
      envelopedData     [0] EnvelopedData }
      -- The encrypted private key MUST be placed in the envelopedData
      -- encryptedContentInfo encryptedContent OCTET STRING.

  --
  --  We skipped doing the full constraints here since this structure
  --      has been deprecated in favor of EnvelopedData
  --

  EncryptedValue ::= SEQUENCE {
      intendedAlg   [0] AlgorithmIdentifier{ALGORITHM, {...}}  OPTIONAL,
      -- the intended algorithm for which the value will be used
      symmAlg       [1] AlgorithmIdentifier{ALGORITHM, {...}}  OPTIONAL,
      -- the symmetric algorithm used to encrypt the value
      encSymmKey    [2] BIT STRING           OPTIONAL,
      -- the (encrypted) symmetric key used to encrypt the value
      keyAlg        [3] AlgorithmIdentifier{ALGORITHM, {...}}  OPTIONAL,
      -- algorithm used to encrypt the symmetric key
      valueHint     [4] OCTET STRING         OPTIONAL,
      -- a brief description or identifier of the encValue content
      -- (may be meaningful only to the sending entity, and used only
      -- if EncryptedValue might be re-examined by the sending entity
      -- in the future)
      encValue       BIT STRING }
      -- the encrypted value itself
  -- When EncryptedValue is used to carry a private key (as opposed to
  -- a certificate), implementations MUST support the encValue field
  -- containing an encrypted PrivateKeyInfo as defined in [PKCS11],
  -- section 12.11.  If encValue contains some other format/encoding
  -- for the private key, the first octet of valueHint MAY be used
  -- to indicate the format/encoding (but note that the possible values
  -- of this octet are not specified at this time).  In all cases, the
  -- intendedAlg field MUST be used to indicate at least the OID of
  -- the intended algorithm of the private key, unless this information
  -- is known a priori to both sender and receiver by some other means.

  KeyGenParameters ::= OCTET STRING

  --
  --  6.5.  OldCert ID Control
  --

  regCtrl-oldCertID ATTRIBUTE ::=
      { TYPE OldCertId IDENTIFIED BY id-regCtrl-oldCertID }

  id-regCtrl-oldCertID  OBJECT IDENTIFIER ::= { id-regCtrl 5 }

  OldCertId ::= CertId

  CertId ::= SEQUENCE {
      issuer           GeneralName,
      serialNumber     INTEGER }

  --
  -- 6.6.  Protocol Encryption Key Control
  --

  regCtrl-protocolEncrKey ATTRIBUTE ::=
      { TYPE ProtocolEncrKey IDENTIFIED BY id-regCtrl-protocolEncrKey }
  id-regCtrl-protocolEncrKey    OBJECT IDENTIFIER ::= { id-regCtrl 6 }

  ProtocolEncrKey ::= SubjectPublicKeyInfo

  --
  -- 7.  Registration Info in CRMF
  --

  id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 }

  RegInfoSet ATTRIBUTE ::=
      { regInfo-utf8Pairs | regInfo-certReq }

  --
  -- 7.1.  utf8Pairs RegInfo Control
  --

  regInfo-utf8Pairs ATTRIBUTE ::=
      { TYPE UTF8Pairs IDENTIFIED BY id-regInfo-utf8Pairs }

  id-regInfo-utf8Pairs    OBJECT IDENTIFIER ::= { id-regInfo 1 }
  --with syntax
  UTF8Pairs ::= UTF8String

  --
  --  7.2.  certReq RegInfo Control
  --

  regInfo-certReq ATTRIBUTE ::=
      { TYPE CertReq IDENTIFIED BY id-regInfo-certReq }

  id-regInfo-certReq       OBJECT IDENTIFIER ::= { id-regInfo 2 }
  --with syntax
  CertReq ::= CertRequest

  END