PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-15(15) modules(1) pkcs-15(1)}
-- $Revision: 1.7 $ --
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
informationFramework, authenticationFramework, certificateExtensions
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
usefulDefinitions(0) 3}
Name, Attribute
FROM InformationFramework informationFramework
Certificate, AttributeCertificate, CertificateSerialNumber,
SubjectPublicKeyInfo
FROM AuthenticationFramework authenticationFramework
GeneralNames, KeyUsage
FROM CertificateExtensions certificateExtensions
RecipientInfos, RecipientInfo, OriginatorInfo, sha-1,
id-alg-CMS3DESwrap, id-alg-CMSRC2wrap, hMAC-SHA1, des-ede3-cbc
FROM CryptographicMessageSyntax {iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
cms(1)}
RSAPublicKey
FROM PKCS-1 {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-1(1) modules(0) pkcs-1(1)}
AlgorithmIdentifier, SupportingAlgorithms, PBKDF2Algorithms,
ALGORITHM-IDENTIFIER, id-hmacWithSHA1
FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)}
ECPoint, Parameters
FROM ANSI-X9-62 {iso(1) member-body(2) us(840)
ansi-x962(10045) module(4) 1}
DiffieHellmanPublicNumber, DomainParameters
FROM ANSI-X9-42 {iso(1) member-body(2) us(840)
ansi-x942(10046) module(5) 1}
OOBCertHash
FROM PKIXCMP {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-cmp(9)};
-- Constants
pkcs15-ub-identifier INTEGER ::= 255
pkcs15-ub-reference INTEGER ::= 255
pkcs15-ub-index INTEGER ::= 65535
pkcs15-ub-label INTEGER ::= pkcs15-ub-identifier
pkcs15-lb-minPinLength INTEGER ::= 4
pkcs15-ub-minPinLength INTEGER ::= 8
pkcs15-ub-storedPinLength INTEGER ::= 64
pkcs15-ub-recordLength INTEGER ::= 16383
pkcs15-ub-userConsent INTEGER ::= 15
pkcs15-ub-securityConditions INTEGER ::= 255
pkcs15-ub-seInfo INTEGER ::= 255
-- Object Identifiers
pkcs15 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-15(15)}
pkcs15-mo OBJECT IDENTIFIER ::= {pkcs15 1} -- Modules branch
pkcs15-at OBJECT IDENTIFIER ::= {pkcs15 2} -- Attribute branch
pkcs15-ct OBJECT IDENTIFIER ::= {pkcs15 3} -- Content type branch
-- Content Types
pkcs15-ct-PKCS15Token OBJECT IDENTIFIER ::= {pkcs15-ct 1}
-- Basic types
Identifier ::= OCTET STRING (SIZE (0..pkcs15-ub-identifier))
Reference ::= INTEGER (0..pkcs15-ub-reference)
Label ::= UTF8String (SIZE(0..pkcs15-ub-label))
KEY-IDENTIFIER ::= CLASS {
&id INTEGER UNIQUE,
&Value
} WITH SYNTAX {
SYNTAX &Value IDENTIFIED BY &id
}
CredentialIdentifier {KEY-IDENTIFIER : IdentifierSet} ::= SEQUENCE {
idType KEY-IDENTIFIER.&id ({IdentifierSet}),
idValue KEY-IDENTIFIER.&Value ({IdentifierSet}{@idType})
}
KeyIdentifiers KEY-IDENTIFIER ::= {
issuerAndSerialNumber|
issuerAndSerialNumberHash|
subjectKeyId|
subjectKeyHash |
issuerKeyHash |
issuerNameHash |
subjectNameHash,
...
}
issuerAndSerialNumber KEY-IDENTIFIER::=
{SYNTAX PKCS15-OPAQUE.&Type IDENTIFIED BY 1}
-- As defined in RFC 2630
subjectKeyId KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 2}
-- From x509v3 certificate extension
issuerAndSerialNumberHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 3}
-- Assumes SHA-1 hash of DER encoding of IssuerAndSerialNumber
subjectKeyHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 4}
issuerKeyHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 5}
issuerNameHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 6}
-- SHA-1 hash of DER-encoded issuer name
subjectNameHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 7}
-- SHA-1 hash of DER-encoded subject name
ReferencedValue {Type} ::= CHOICE {
path Path,
url URL
} (CONSTRAINED BY {-- 'path' or 'url' shall point to an object of
-- type -- Type})
URL ::= CHOICE {
url PrintableString,
urlWithDigest [3] SEQUENCE {
url IA5String,
digest DigestInfoWithDefault
}
}
alg-id-sha1 AlgorithmIdentifier {{DigestAlgorithms}} ::= {
algorithm sha-1,
parameters SHA1Parameters : NULL}
SHA1Parameters ::= NULL
DigestInfoWithDefault ::= SEQUENCE {
digestAlg AlgorithmIdentifier {{DigestAlgorithms}} DEFAULT alg-id-sha1,
digest OCTET STRING (SIZE(8..128))
}
Path ::= SEQUENCE {
path OCTET STRING,
index INTEGER (0..pkcs15-ub-index) OPTIONAL,
length [0] INTEGER (0..pkcs15-ub-index) OPTIONAL
}( WITH COMPONENTS {..., index PRESENT, length PRESENT}|
WITH COMPONENTS {..., index ABSENT, length ABSENT})
ObjectValue { Type } ::= CHOICE {
indirect ReferencedValue {Type},
direct [0] Type,
indirect-protected [1] ReferencedValue {EnvelopedData {Type}},
direct-protected [2] EnvelopedData {Type}
}(CONSTRAINED BY {-- if indirection is being used, then it is
-- expected that the reference points either to a (possibly
-- enveloped) object of type -- Type -- or (key case) to a card-
-- specific key file --})
PathOrObjects {ObjectType} ::= CHOICE {
path Path,
objects [0] SEQUENCE OF ObjectType,
...,
indirect-protected [1] ReferencedValue {EnvelopedData {SEQUENCE OF ObjectType}},
direct-protected [2] EnvelopedData {SEQUENCE OF ObjectType}
}
CommonObjectAttributes ::= SEQUENCE {
label Label OPTIONAL,
flags CommonObjectFlags OPTIONAL,
authId Identifier OPTIONAL,
...,
userConsent INTEGER (1..pkcs15-ub-userConsent) OPTIONAL,
accessControlRules SEQUENCE SIZE (1..MAX) OF AccessControlRule OPTIONAL
} (CONSTRAINED BY {-- authId should be present in the IC card case if
-- flags.private is set. It must equal an authID in one AuthRecord
-- in the AODF -- })
CommonObjectFlags ::= BIT STRING {
private (0),
modifiable (1)
}
AccessControlRule ::= SEQUENCE {
accessMode AccessMode,
securityCondition SecurityCondition,
... -- For future extensions
}
AccessMode ::= BIT STRING {
read (0),
update (1),
execute (2)
}
SecurityCondition ::= CHOICE {
authId Identifier,
not [0] SecurityCondition,
and [1] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
OF SecurityCondition,
or [2] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
OF SecurityCondition,
... -- For future extensions
}
CommonKeyAttributes ::= SEQUENCE {
iD Identifier,
usage KeyUsageFlags,
native BOOLEAN DEFAULT TRUE,
accessFlags KeyAccessFlags OPTIONAL,
keyReference Reference OPTIONAL,
startDate GeneralizedTime OPTIONAL,
endDate [0] GeneralizedTime OPTIONAL,
... -- For future extensions
}
KeyUsageFlags ::= BIT STRING {
encrypt (0),
decrypt (1),
sign (2),
signRecover (3),
wrap (4),
unwrap (5),
verify (6),
verifyRecover (7),
derive (8),
nonRepudiation (9)
}
KeyAccessFlags ::= BIT STRING {
sensitive (0),
extractable (1),
alwaysSensitive (2),
neverExtractable (3),
local (4)
}
CommonPrivateKeyAttributes ::= SEQUENCE {
subjectName Name OPTIONAL,
keyIdentifiers [0] SEQUENCE OF CredentialIdentifier
{{KeyIdentifiers}} OPTIONAL,
... -- For future extensions
}
CommonPublicKeyAttributes ::= SEQUENCE {
subjectName Name OPTIONAL,
...,
trustedUsage [0] Usage OPTIONAL
}
CommonSecretKeyAttributes ::= SEQUENCE {
keyLen INTEGER OPTIONAL, -- keylength (in bits)
... -- For future extensions
}
KeyInfo {ParameterType, OperationsType} ::= CHOICE {
reference Reference,
paramsAndOps SEQUENCE {
parameters ParameterType,
supportedOperations OperationsType OPTIONAL
}
}
CommonCertificateAttributes ::= SEQUENCE {
iD Identifier,
authority BOOLEAN DEFAULT FALSE,
identifier CredentialIdentifier {{KeyIdentifiers}} OPTIONAL,
certHash [0] OOBCertHash OPTIONAL,
...,
trustedUsage [1] Usage OPTIONAL,
identifiers [2] SEQUENCE OF CredentialIdentifier{{KeyIdentifiers}} OPTIONAL,
implicitTrust [3] BOOLEAN DEFAULT FALSE
}
Usage ::= SEQUENCE {
keyUsage KeyUsage OPTIONAL,
extKeyUsage SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
}(WITH COMPONENTS {..., keyUsage PRESENT} |
WITH COMPONENTS {..., extKeyUsage PRESENT})
CommonDataObjectAttributes ::= SEQUENCE {
applicationName Label OPTIONAL,
applicationOID OBJECT IDENTIFIER OPTIONAL,
... -- For future extensions
} (WITH COMPONENTS {..., applicationName PRESENT}|
WITH COMPONENTS {..., applicationOID PRESENT})
CommonAuthenticationObjectAttributes ::= SEQUENCE {
authId Identifier,
... -- For future extensions
}
PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes}
::= SEQUENCE {
commonObjectAttributes CommonObjectAttributes,
classAttributes ClassAttributes,
subClassAttributes [0] SubClassAttributes OPTIONAL,
typeAttributes [1] TypeAttributes
}
PKCS15Objects ::= CHOICE {
privateKeys [0] PrivateKeys,
publicKeys [1] PublicKeys,
trustedPublicKeys [2] PublicKeys,
secretKeys [3] SecretKeys,
certificates [4] Certificates,
trustedCertificates [5] Certificates,
usefulCertificates [6] Certificates,
dataObjects [7] DataObjects,
authObjects [8] AuthObjects,
... -- For future extensions
}
PrivateKeys ::= PathOrObjects {PrivateKeyType}
SecretKeys ::= PathOrObjects {SecretKeyType}
PublicKeys ::= PathOrObjects {PublicKeyType}
Certificates ::= PathOrObjects {CertificateType}
DataObjects ::= PathOrObjects {DataType}
AuthObjects ::= PathOrObjects {AuthenticationType}
PrivateKeyType ::= CHOICE {
privateRSAKey PrivateKeyObject {PrivateRSAKeyAttributes},
privateECKey [0] PrivateKeyObject {PrivateECKeyAttributes},
privateDHKey [1] PrivateKeyObject {PrivateDHKeyAttributes},
privateDSAKey [2] PrivateKeyObject {PrivateDSAKeyAttributes},
privateKEAKey [3] PrivateKeyObject {PrivateKEAKeyAttributes},
... -- For future extensions
}
PrivateKeyObject {KeyAttributes} ::= PKCS15Object {
CommonKeyAttributes, CommonPrivateKeyAttributes, KeyAttributes}
PrivateRSAKeyAttributes ::= SEQUENCE {
value ObjectValue {RSAPrivateKeyObject},
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
RSAPrivateKeyObject ::= SEQUENCE {
modulus [0] INTEGER OPTIONAL, -- n
publicExponent [1] INTEGER OPTIONAL, -- e
privateExponent [2] INTEGER OPTIONAL, -- d
prime1 [3] INTEGER OPTIONAL, -- p
prime2 [4] INTEGER OPTIONAL, -- q
exponent1 [5] INTEGER OPTIONAL, -- d mod (p-1)
exponent2 [6] INTEGER OPTIONAL, -- d mod (q-1)
coefficient [7] INTEGER OPTIONAL -- inv(q) mod p
} (CONSTRAINED BY {-- must be possible to reconstruct modulus and
-- privateExponent from selected fields --})
PrivateECKeyAttributes ::= SEQUENCE {
value ObjectValue {ECPrivateKey},
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
ECPrivateKey ::= INTEGER
PrivateDHKeyAttributes ::= SEQUENCE {
value ObjectValue {DHPrivateKey},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
DHPrivateKey ::= INTEGER -- Diffie-Hellman exponent
PrivateDSAKeyAttributes ::= SEQUENCE {
value ObjectValue {DSAPrivateKey},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
DSAPrivateKey ::= INTEGER
PrivateKEAKeyAttributes ::= SEQUENCE {
value ObjectValue {KEAPrivateKey},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
KEAPrivateKey ::= INTEGER
PublicKeyType ::= CHOICE {
publicRSAKey PublicKeyObject {PublicRSAKeyAttributes},
publicECKey [0] PublicKeyObject {PublicECKeyAttributes},
publicDHKey [1] PublicKeyObject {PublicDHKeyAttributes},
publicDSAKey [2] PublicKeyObject {PublicDSAKeyAttributes},
publicKEAKey [3] PublicKeyObject {PublicKEAKeyAttributes},
... -- For future extensions
}
PublicKeyObject {KeyAttributes} ::= PKCS15Object {
CommonKeyAttributes, CommonPublicKeyAttributes, KeyAttributes}
PublicRSAKeyAttributes ::= SEQUENCE {
value ObjectValue {RSAPublicKeyChoice},
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
RSAPublicKeyChoice ::= CHOICE {
raw RSAPublicKey,
spki [1] SubjectPublicKeyInfo, -- See X.509. Must contain a
-- public RSA key
...
}
PublicECKeyAttributes ::= SEQUENCE {
value ObjectValue {ECPublicKeyChoice},
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
ECPublicKeyChoice ::= CHOICE {
raw ECPoint,
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public EC key
...
}
PublicDHKeyAttributes ::= SEQUENCE {
value ObjectValue {DHPublicKeyChoice},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
DHPublicKeyChoice ::= CHOICE {
raw DiffieHellmanPublicNumber,
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public D-H key
...
}
PublicDSAKeyAttributes ::= SEQUENCE {
value ObjectValue {DSAPublicKeyChoice},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
DSAPublicKeyChoice ::= CHOICE {
raw INTEGER,
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public DSA key.
...
}
PublicKEAKeyAttributes ::= SEQUENCE {
value ObjectValue {KEAPublicKeyChoice},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
KEAPublicKeyChoice ::= CHOICE {
raw INTEGER,
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public KEA key
...
}
SecretKeyType ::= CHOICE {
genericSecretKey SecretKeyObject {GenericSecretKeyAttributes},
rc2key [0] SecretKeyObject {GenericSecretKeyAttributes},
rc4key [1] SecretKeyObject {GenericSecretKeyAttributes},
desKey [2] SecretKeyObject {GenericSecretKeyAttributes},
des2Key [3] SecretKeyObject {GenericSecretKeyAttributes},
des3Key [4] SecretKeyObject {GenericSecretKeyAttributes},
castKey [5] SecretKeyObject {GenericSecretKeyAttributes},
cast3Key [6] SecretKeyObject {GenericSecretKeyAttributes},
cast128Key [7] SecretKeyObject {GenericSecretKeyAttributes},
rc5Key [8] SecretKeyObject {GenericSecretKeyAttributes},
ideaKey [9] SecretKeyObject {GenericSecretKeyAttributes},
skipjackKey [10] SecretKeyObject {GenericSecretKeyAttributes},
batonKey [11] SecretKeyObject {GenericSecretKeyAttributes},
juniperKey [12] SecretKeyObject {GenericSecretKeyAttributes},
rc6Key [13] SecretKeyObject {GenericSecretKeyAttributes},
otherKey [14] OtherKey,
... -- For future extensions
}
SecretKeyObject {KeyAttributes} ::= PKCS15Object {
CommonKeyAttributes, CommonSecretKeyAttributes, KeyAttributes}
OtherKey ::= SEQUENCE {
keyType OBJECT IDENTIFIER,
keyAttr SecretKeyObject {GenericSecretKeyAttributes}
}
GenericSecretKeyAttributes ::= SEQUENCE {
value ObjectValue { OCTET STRING },
... -- For future extensions
}
CertificateType ::= CHOICE {
x509Certificate CertificateObject { X509CertificateAttributes},
x509AttributeCertificate [0] CertificateObject
{X509AttributeCertificateAttributes},
spkiCertificate [1] CertificateObject {SPKICertificateAttributes},
pgpCertificate [2] CertificateObject {PGPCertificateAttributes},
wtlsCertificate [3] CertificateObject {WTLSCertificateAttributes},
x9-68Certificate [4] CertificateObject {X9-68CertificateAttributes},
...,
cvCertificate [5] CertificateObject {CVCertificateAttributes}
}
CertificateObject {CertAttributes} ::= PKCS15Object {
CommonCertificateAttributes, NULL, CertAttributes}
X509CertificateAttributes ::= SEQUENCE {
value ObjectValue { Certificate },
subject Name OPTIONAL,
issuer [0] Name OPTIONAL,
serialNumber CertificateSerialNumber OPTIONAL,
... -- For future extensions
}
X509AttributeCertificateAttributes ::= SEQUENCE {
value ObjectValue { AttributeCertificate },
issuer GeneralNames OPTIONAL,
serialNumber CertificateSerialNumber OPTIONAL,
attrTypes [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
... -- For future extensions
}
SPKICertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type },
... -- For future extensions
}
PGPCertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type },
... -- For future extensions
}
WTLSCertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type },
... -- For future extensions
}
X9-68CertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type },
... -- For future extensions
}
CVCertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type},
... -- For future extensions
}
DataType ::= CHOICE {
opaqueDO DataObject {Opaque},
externalIDO [0] DataObject {ExternalIDO},
oidDO [1] DataObject {OidDO},
... -- For future extensions
}
DataObject {DataObjectAttributes} ::= PKCS15Object {
CommonDataObjectAttributes, NULL, DataObjectAttributes}
Opaque ::= ObjectValue {PKCS15-OPAQUE.&Type}
ExternalIDO ::= ObjectValue {PKCS15-OPAQUE.&Type}
(CONSTRAINED BY {-- All data objects must be defined in
-- accordance with ISO/IEC 7816-6 --})
OidDO ::= SEQUENCE {
id OBJECT IDENTIFIER,
value ObjectValue {PKCS15-OPAQUE.&Type}
}
AuthenticationType ::= CHOICE {
pin AuthenticationObject { PinAttributes },
...,
biometricTemplate [0] AuthenticationObject {BiometricAttributes},
authKey [1] AuthenticationObject {AuthKeyAttributes},
external [2] AuthenticationObject {ExternalAuthObjectAttributes}
}
AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object {
CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes}
PinAttributes ::= SEQUENCE {
pinFlags PinFlags,
pinType PinType,
minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength),
storedLength INTEGER (0..pkcs15-ub-storedPinLength),
maxLength INTEGER OPTIONAL,
pinReference [0] Reference DEFAULT 0,
padChar OCTET STRING (SIZE(1)) OPTIONAL,
lastPinChange GeneralizedTime OPTIONAL,
path Path OPTIONAL,
... -- For future extensions
}
PinFlags ::= BIT STRING {
case-sensitive (0),
local (1),
change-disabled (2),
unblock-disabled (3),
initialized (4),
needs-padding (5),
unblockingPin (6),
soPin (7),
disable-allowed (8),
integrity-protected (9),
confidentiality-protected (10),
exchangeRefData (11)
} (CONSTRAINED BY { -- 'unblockingPin' and 'soPIN' cannot both be set -- })
PinType ::= ENUMERATED {bcd, ascii-numeric, utf8, ...,
half-nibble-bcd, iso9564-1}
BiometricAttributes ::= SEQUENCE {
bioFlags BiometricFlags,
templateId OBJECT IDENTIFIER,
bioType BiometricType,
bioReference Reference DEFAULT 0,
lastChange GeneralizedTime OPTIONAL,
path Path OPTIONAL,
... -- For future extensions
}
BiometricFlags ::= BIT STRING {
local (1),
change-disabled (2),
unblock-disabled (3),
initialized (4),
disable-allowed (8),
integrity-protected (9),
confidentiality-protected (10)
} -- Note: bits 0, 5, 6, and 7 are reserved for future use
BiometricType ::= CHOICE {
fingerPrint FingerPrint,
irisScan [0] IrisScan,
-- Possible extensions:
-- voiceScan VoiceScan,
-- faceScan FaceScan,
-- retinaScan Retinascan,
-- handGeometry HandGeometry,
-- writeDynamics WriteDynamics,
-- keyStrokeDynamicsKeyStrokeDynamics,
-- lipDynamics LipDynamics,
... -- For future extensions
}
FingerPrint ::= SEQUENCE {
hand ENUMERATED {left, right},
finger ENUMERATED {thumb, pointerFinger, middleFinger,
ringFinger, littleFinger},
...
}
IrisScan ::= SEQUENCE {
eye ENUMERATED {left, right},
...
}
ExternalAuthObjectAttributes ::= CHOICE {
authKeyAttributes AuthKeyAttributes,
certBasedAttributes [0] CertBasedAuthenticationAttributes,
... -- For future extensions
}
AuthKeyAttributes ::= SEQUENCE {
derivedKey BOOLEAN DEFAULT TRUE,
authKeyId Identifier,
... -- For future extensions
}
CertBasedAuthenticationAttributes ::= SEQUENCE {
cha OCTET STRING,
...
}
TokenInfo ::= SEQUENCE {
version INTEGER {v1(0)} (v1,...),
serialNumber OCTET STRING,
manufacturerID Label OPTIONAL,
label [0] Label OPTIONAL,
tokenflags TokenFlags,
seInfo SEQUENCE OF SecurityEnvironmentInfo OPTIONAL,
recordInfo [1] RecordInfo OPTIONAL,
supportedAlgorithms [2] SEQUENCE OF AlgorithmInfo OPTIONAL,
...,
issuerId [3] Label OPTIONAL,
holderId [4] Label OPTIONAL,
lastUpdate [5] LastUpdate OPTIONAL,
preferredLanguage PrintableString OPTIONAL -- In accordance with
-- IETF RFC 1766
} (CONSTRAINED BY { -- Each AlgorithmInfo.reference value must be unique --})
TokenFlags ::= BIT STRING {
readonly (0),
loginRequired (1),
prnGeneration (2),
eidCompliant (3)
}
SecurityEnvironmentInfo ::= SEQUENCE {
se INTEGER (0..pkcs15-ub-seInfo),
owner OBJECT IDENTIFIER,
... -- For future extensions
}
RecordInfo ::= SEQUENCE {
oDFRecordLength [0] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
prKDFRecordLength [1] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
puKDFRecordLength [2] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
sKDFRecordLength [3] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
cDFRecordLength [4] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
dODFRecordLength [5] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
aODFRecordLength [6] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL
}
AlgorithmInfo ::= SEQUENCE {
reference Reference,
algorithm PKCS15-ALGORITHM.&id({AlgorithmSet}),
parameters PKCS15-ALGORITHM.&Parameters({AlgorithmSet}{@algorithm}),
supportedOperations
PKCS15-ALGORITHM.&Operations({AlgorithmSet}{@algorithm}),
algId PKCS15-ALGORITHM.&objectIdentifier({AlgorithmSet}{@algorithm})
OPTIONAL,
algRef Reference OPTIONAL
}
PKCS15-ALGORITHM ::= CLASS {
&id INTEGER UNIQUE,
&Parameters,
&Operations Operations,
&objectIdentifier OBJECT IDENTIFIER OPTIONAL
} WITH SYNTAX {
PARAMETERS &Parameters OPERATIONS &Operations ID &id [OID &objectIdentifier]}
PKCS15-OPAQUE ::= TYPE-IDENTIFIER
PublicKeyOperations ::= Operations
Operations ::= BIT STRING {
compute-checksum (0), -- H/W computation of checksum
compute-signature (1), -- H/W computation of signature
verify-checksum (2), -- H/W verification of checksum
verify-signature (3), -- H/W verification of signature
encipher (4), -- H/W encryption of data
decipher (5), -- H/W decryption of data
hash (6), -- H/W hashing
generate-key (7) -- H/W key generation
}
pkcs15-alg-null PKCS15-ALGORITHM ::= {
PARAMETERS NULL OPERATIONS {{generate-key}} ID -1}
AlgorithmSet PKCS15-ALGORITHM ::= {
pkcs15-alg-null,
... -- See PKCS #11 for values for the &id field (and parameters)
}
LastUpdate ::= CHOICE {
generalizedTime GeneralizedTime,
referencedTime ReferencedValue {GeneralizedTime},
... -- For future extensions
}
-- Soft token related types and objects
EnvelopedData {Type} ::= SEQUENCE {
version INTEGER{v0(0),v1(1),v2(2),v3(3),v4(4)}(v0|v1|v2,...),
originatorInfo [0] OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo{Type},
unprotectedAttrs [1] SET SIZE (1..MAX) OF Attribute OPTIONAL
}
EncryptedContentInfo {Type} ::= SEQUENCE {
contentType OBJECT IDENTIFIER,
contentEncryptionAlgorithm AlgorithmIdentifier {{KeyDerivationAlgorithms}},
encryptedContent [0] OCTET STRING OPTIONAL
}(CONSTRAINED BY {-- 'encryptedContent' shall be the result of
-- encrypting DER-encoded value of type -- Type})
PKCS15Token ::= SEQUENCE {
version INTEGER {v1(0)} (v1,...),
keyManagementInfo [0] KeyManagementInfo OPTIONAL,
pkcs15Objects SEQUENCE OF PKCS15Objects
}
KeyManagementInfo ::= SEQUENCE OF SEQUENCE {
keyId Identifier,
keyInfo CHOICE {
recipientInfo RecipientInfo,
passwordInfo [0] PasswordInfo
}
} (CONSTRAINED BY {-- Each keyID must be unique --})
PasswordInfo ::= SEQUENCE {
hint Label OPTIONAL,
algId AlgorithmIdentifier {{KeyDerivationAlgorithms}},
...
} (CONSTRAINED BY {--keyID shall point to a KEKRecipientInfo--})
KeyDerivationAlgorithms ALGORITHM-IDENTIFIER ::= {
PBKDF2Algorithms,
... -- For future extensions
}
CMS3DESwrap ::= NULL
KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
{CMS3DESwrap IDENTIFIED BY id-alg-CMS3DESwrap} |
{INTEGER IDENTIFIED BY id-alg-CMSRC2wrap},
... -- For future extensions
}
DES-IV ::= OCTET STRING (SIZE(8))
ContentEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
SupportingAlgorithms EXCEPT {NULL IDENTIFIED BY id-hmacWithSHA1},
... -- For future extensions
}
MACAlgorithms ALGORITHM-IDENTIFIER ::= {
{NULL IDENTIFIED BY hMAC-SHA1},
... -- For future extensions
}
DigestAlgorithms ALGORITHM-IDENTIFIER ::= {
{NULL IDENTIFIED BY sha-1},
... -- For future extensions
}
-- Misc
DDO ::= SEQUENCE {
oid OBJECT IDENTIFIER,
odfPath Path OPTIONAL,
tokenInfoPath [0] Path OPTIONAL,
unusedPath [1] Path OPTIONAL,
... -- For future extensions
}
DIRRecord ::= [APPLICATION 1] SEQUENCE {
aid [APPLICATION 15] OCTET STRING,
label [APPLICATION 16] UTF8String OPTIONAL,
path [APPLICATION 17] OCTET STRING,
ddo [APPLICATION 19] DDO OPTIONAL
}
UnusedSpace ::= SEQUENCE {
path Path (WITH COMPONENTS {..., index PRESENT, length PRESENT}),
authId Identifier OPTIONAL,
...,
accessControlRules SEQUENCE OF AccessControlRule OPTIONAL
}
END