PKCS-7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)
modules(0) pkcs-7(1)}
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
--
-- 3. Definitions
--
-- EXPORTS All;
IMPORTS
informationFramework, authenticationFramework
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
usefulDefinitions(0) 3}
ATTRIBUTE
FROM InformationFramework informationFramework
Name, Certificate, CertificateSerialNumber,
CertificateList, Time
FROM PKIX1Explicit88; -- AuthenticationFramework authenticationFramework;
-- contentType, messageDigest, signingTime
-- , counterSignature
-- FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
-- pkcs-9(9) modules(0) pkcs-9(1)};
--
-- 6. Useful types
--
-- inlined from AuthenticationFramework
ALGORITHM ::= CLASS {&Type OPTIONAL,
&id OBJECT IDENTIFIER UNIQUE
}WITH SYNTAX {[&Type]
IDENTIFIED BY &id
}
-- inlined from PKCS-9
pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) 9}
contentType ATTRIBUTE ::= {
WITH SYNTAX ContentType
-- EQUALITY MATCHING RULE objectIdentifierMatch
SINGLE VALUE TRUE
ID pkcs-9-at-contentType
}
pkcs-9-at-contentType OBJECT IDENTIFIER ::= {pkcs-9 3}
pkcs-9-at-messageDigest OBJECT IDENTIFIER ::= {pkcs-9 4}
pkcs-9-at-signingTime OBJECT IDENTIFIER ::= {pkcs-9 5}
pkcs-9-at-counterSignature OBJECT IDENTIFIER ::= {pkcs-9 6}
counterSignature ATTRIBUTE ::= {
WITH SYNTAX SignerInfo
ID pkcs-9-at-counterSignature
}
messageDigest ATTRIBUTE ::= {
WITH SYNTAX MessageDigest
-- EQUALITY MATCHING RULE octetStringMatch
SINGLE VALUE TRUE
ID pkcs-9-at-messageDigest
}
MessageDigest ::= OCTET STRING
signingTime ATTRIBUTE ::= {
WITH SYNTAX SigningTime
-- EQUALITY MATCHING RULE signingTimeMatch
SINGLE VALUE TRUE
ID pkcs-9-at-signingTime
}
SigningTime ::= Time -- imported from ISO/IEC 9594-8
-- begin added for VCE SCEP-support
transactionID ATTRIBUTE ::= {
WITH SYNTAX PrintableString
ID id-transId
}
messageType ATTRIBUTE ::= {
WITH SYNTAX PrintableString
ID id-messageType
}
pkiStatus ATTRIBUTE ::= {
WITH SYNTAX PrintableString
ID id-pkiStatus
}
failInfo ATTRIBUTE ::= {
WITH SYNTAX PrintableString
ID id-failInfo
}
senderNonce ATTRIBUTE ::= {
WITH SYNTAX OCTET STRING
ID id-senderNonce
}
recipientNonce ATTRIBUTE ::= {
WITH SYNTAX OCTET STRING
ID id-recipientNonce
}
-- This is the authenticatedAttributes -member from SignerInfo
-- added here to generate decode/encode functions for it which are
-- needed to build the pkcs-7 used by SCEP, the resulting encoding are
-- used to make a signed digest
SignerInfoAuthenticatedAttributes ::= CHOICE {
aaSet [0] IMPLICIT SET OF AttributePKCS-7 {{Authenticated}},
aaSequence [2] EXPLICIT SEQUENCE OF AttributePKCS-7 {{Authenticated}}
-- Explicit because easier to compute digest on sequence of attributes and then reuse
-- encoded sequence in aaSequence.
}
-- end added for VCE SCEP-support
-- Also defined in X.509
-- Redeclared here as a parameterized type
AlgorithmIdentifierPKSC-7 {ALGORITHM:IOSet} ::= SEQUENCE {
algorithm ALGORITHM.&id({IOSet}),
parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}
-- Also defined in X.501
-- Redeclared here as a parameterized type
AttributePKCS-7 { ATTRIBUTE:IOSet } ::= SEQUENCE {
type ATTRIBUTE.&id({IOSet}),
values SET SIZE (1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}
CertificateRevocationLists ::=
SET OF CertificateList
Certificates ::=
SEQUENCE OF Certificate
CRLSequence ::=
SEQUENCE OF CertificateList
ContentEncryptionAlgorithmIdentifier ::=
AlgorithmIdentifierPKSC-7 {{ContentEncryptionAlgorithms}}
ContentEncryptionAlgorithms ALGORITHM ::= {
... -- add any application-specific algorithms here
}
DigestAlgorithmIdentifier ::=
AlgorithmIdentifierPKSC-7 {{DigestAlgorithms}}
DigestAlgorithms ALGORITHM ::= {
... -- add any application-specific algorithms here
}
DigestEncryptionAlgorithmIdentifier ::=
AlgorithmIdentifierPKSC-7 {{DigestEncryptionAlgorithms}}
DigestEncryptionAlgorithms ALGORITHM ::= {
... -- add any application-specific algorithms here
}
ExtendedCertificateOrCertificate ::= CHOICE {
certificate Certificate, -- X.509
extendedCertificate [0] IMPLICIT ExtendedCertificate -- PKCS#6
}
ExtendedCertificate ::= Certificate -- cheating
ExtendedCertificatesAndCertificates ::=
SET OF ExtendedCertificateOrCertificate
IssuerAndSerialNumber ::= SEQUENCE {
issuer Name,
serialNumber CertificateSerialNumber
}
KeyEncryptionAlgorithmIdentifier ::=
AlgorithmIdentifierPKSC-7 {{KeyEncryptionAlgorithms}}
KeyEncryptionAlgorithms ALGORITHM ::= {
... -- add any application-specific algorithms here
}
--
-- 7. General syntax
--
ContentInfo ::= SEQUENCE {
-- contentType ContentType,
contentType CONTENTS.&id({Contents}),
content [0] EXPLICIT CONTENTS.&Type({Contents}{@contentType})
OPTIONAL
}
CONTENTS ::= TYPE-IDENTIFIER
Contents CONTENTS ::= {
{Data IDENTIFIED BY data} |
{SignedData IDENTIFIED BY signedData} |
{EnvelopedData IDENTIFIED BY envelopedData} |
{SignedAndEnvelopedData IDENTIFIED BY signedAndEnvelopedData} |
{DigestedData IDENTIFIED BY digestedData} |
{EncryptedData IDENTIFIED BY encryptedData},
... -- add any application-specific types/contents here
}
ContentType ::= CONTENTS.&id({Contents})
--
-- 8. Data content type
--
Data ::= OCTET STRING
--
-- 9. Signed-data content type
--
SignedData ::= SEQUENCE {
-- version INTEGER {sdVer1(1), sdVer2(2)} (sdVer1 | sdVer2),
version INTEGER {sdVer1(1), sdVer2(2)},
digestAlgorithms
DigestAlgorithmIdentifiers,
contentInfo ContentInfo,
certificates CHOICE {
certSet [0] IMPLICIT ExtendedCertificatesAndCertificates,
certSequence [2] IMPLICIT Certificates
} OPTIONAL,
crls CHOICE {
crlSet [1] IMPLICIT CertificateRevocationLists,
crlSequence [3] IMPLICIT CRLSequence
} OPTIONAL,
signerInfos SignerInfos
} (WITH COMPONENTS { ..., version (sdVer1),
digestAlgorithms (WITH COMPONENTS { ..., daSet PRESENT }),
certificates (WITH COMPONENTS { ..., certSequence ABSENT }),
crls (WITH COMPONENTS { ..., crlSequence ABSENT }),
signerInfos (WITH COMPONENTS { ..., siSet PRESENT })
} |
WITH COMPONENTS { ..., version (sdVer2),
digestAlgorithms (WITH COMPONENTS { ..., daSequence PRESENT }),
certificates (WITH COMPONENTS { ..., certSet ABSENT }),
crls (WITH COMPONENTS { ..., crlSet ABSENT }),
signerInfos (WITH COMPONENTS { ..., siSequence PRESENT })
})
SignerInfos ::= CHOICE {
siSet SET OF SignerInfo,
siSequence SEQUENCE OF SignerInfo
}
DigestAlgorithmIdentifiers ::= CHOICE {
daSet SET OF DigestAlgorithmIdentifier,
daSequence SEQUENCE OF DigestAlgorithmIdentifier
}
SignerInfo ::= SEQUENCE {
-- version INTEGER {siVer1(1), siVer2(2)} (siVer1 | siVer2),
version INTEGER {siVer1(1), siVer2(2)},
issuerAndSerialNumber
IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier,
-- Added explicit type for authenticatedAttributes to be able to
-- encode/decode this type separately
authenticatedAttributes SignerInfoAuthenticatedAttributes OPTIONAL,
digestEncryptionAlgorithm
DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest,
unauthenticatedAttributes CHOICE {
uaSet [1] IMPLICIT SET OF AttributePKCS-7 {{Unauthenticated}},
uaSequence [3] IMPLICIT SEQUENCE OF AttributePKCS-7 {{Unauthenticated}}
} OPTIONAL
} (WITH COMPONENTS { ..., version (siVer1),
authenticatedAttributes (WITH COMPONENTS { ..., aaSequence ABSENT }),
unauthenticatedAttributes (WITH COMPONENTS { ..., uaSequence ABSENT })
} | WITH COMPONENTS { ..., version (siVer2),
authenticatedAttributes (WITH COMPONENTS { ..., aaSet ABSENT }),
unauthenticatedAttributes (WITH COMPONENTS { ..., uaSet ABSENT })
})
Authenticated ATTRIBUTE ::= {
contentType |
messageDigest |
-- begin added for VCE SCEP-support
transactionID |
messageType |
pkiStatus |
failInfo |
senderNonce |
recipientNonce,
-- end added for VCE SCEP-support
..., -- add application-specific attributes here
signingTime
}
Unauthenticated ATTRIBUTE ::= {
contentType |
messageDigest,
..., -- add application-specific attributes here
counterSignature
-- ..., add application-specific attributes here
-- counterSignature
}
EncryptedDigest ::= OCTET STRING
DigestInfo ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
digest Digest
}
Digest ::= OCTET STRING
--
-- 10. Enveloped-data content type
--
EnvelopedData ::= SEQUENCE {
-- version INTEGER {edVer0(0), edVer1(1)} (edVer0 | edVer1),
version INTEGER {edVer0(0), edVer1(1)},
recipientInfos RecipientInfos,
encryptedContentInfo
EncryptedContentInfo
} (WITH COMPONENTS { ..., version (edVer0),
recipientInfos (WITH COMPONENTS { ..., riSet PRESENT })
} | WITH COMPONENTS { ..., version (edVer1),
recipientInfos (WITH COMPONENTS { ..., riSequence PRESENT })
})
RecipientInfos ::= CHOICE {
riSet SET OF RecipientInfo,
riSequence SEQUENCE OF RecipientInfo
}
EncryptedContentInfo ::= SEQUENCE {
contentType ContentType,
contentEncryptionAlgorithm
ContentEncryptionAlgorithmIdentifier,
encryptedContent
[0] IMPLICIT EncryptedContent OPTIONAL
}
EncryptedContent ::= OCTET STRING
RecipientInfo ::= SEQUENCE {
-- version INTEGER {riVer0(0)} (riVer0),
version INTEGER {riVer0(0)},
issuerAndSerialNumber
IssuerAndSerialNumber,
keyEncryptionAlgorithm
KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey
}
EncryptedKey ::= OCTET STRING
--
-- 11. Signed-and-enveloped-data content type
--
SignedAndEnvelopedData ::= SEQUENCE {
-- version INTEGER {seVer1(1), seVer2(2)} (seVer1 | seVer2),
version INTEGER {seVer1(1), seVer2(2)},
recipientInfos RecipientInfos,
digestAlgorithms
DigestAlgorithmIdentifiers,
encryptedContentInfo
EncryptedContentInfo,
certificates CHOICE {
certSet [0] IMPLICIT ExtendedCertificatesAndCertificates,
certSequence [2] IMPLICIT Certificates
} OPTIONAL,
crls CHOICE {
crlSet [1] IMPLICIT CertificateRevocationLists,
crlSequence [3] IMPLICIT CRLSequence
} OPTIONAL,
signerInfos SignerInfos
} (WITH COMPONENTS { ..., version (seVer1),
recipientInfos (WITH COMPONENTS { ..., riSet PRESENT }),
digestAlgorithms (WITH COMPONENTS { ..., daSet PRESENT }),
certificates (WITH COMPONENTS { ..., certSequence ABSENT }),
crls (WITH COMPONENTS { ..., crlSequence ABSENT }),
signerInfos (WITH COMPONENTS { ..., siSet PRESENT })
} |
WITH COMPONENTS { ..., version (seVer2),
recipientInfos (WITH COMPONENTS { ..., riSequence PRESENT }),
digestAlgorithms (WITH COMPONENTS { ..., daSequence PRESENT }),
certificates (WITH COMPONENTS { ..., certSet ABSENT }),
crls (WITH COMPONENTS { ..., crlSet ABSENT }),
signerInfos (WITH COMPONENTS { ..., siSequence PRESENT })
})
--
-- 12. Digested-data content type
--pbeWithSHAAnd3-KeyTripleDES-CBC
DigestedData ::= SEQUENCE {
-- version INTEGER {ddVer0(0)} (ddVer0),
version INTEGER {ddVer0(0)},
digestAlgorithm DigestAlgorithmIdentifier,
contentInfo ContentInfo,
digest Digest
}
--
-- 13. Encrypted-data content type
--
EncryptedData ::= SEQUENCE {
-- version INTEGER {edVer0(0)} (edVer0),
version INTEGER {edVer0(0)},
encryptedContentInfo EncryptedContentInfo
}
--
-- 14. Object Identifiers
--
pkcs-7 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 }
data OBJECT IDENTIFIER ::= { pkcs-7 1 }
signedData OBJECT IDENTIFIER ::= { pkcs-7 2 }
envelopedData OBJECT IDENTIFIER ::= { pkcs-7 3 }
signedAndEnvelopedData OBJECT IDENTIFIER ::= { pkcs-7 4 }
digestedData OBJECT IDENTIFIER ::= { pkcs-7 5 }
encryptedData OBJECT IDENTIFIER ::= { pkcs-7 6 }
-- begin added for VCE SCEP-support
id-VeriSign OBJECT IDENTIFIER ::= {2 16 us(840) 1 veriSign(113733)}
id-pki OBJECT IDENTIFIER ::= {id-VeriSign pki(1)}
id-attributes OBJECT IDENTIFIER ::= {id-pki attributes(9)}
id-messageType OBJECT IDENTIFIER ::= {id-attributes messageType(2)}
id-pkiStatus OBJECT IDENTIFIER ::= {id-attributes pkiStatus(3)}
id-failInfo OBJECT IDENTIFIER ::= {id-attributes failInfo(4)}
id-senderNonce OBJECT IDENTIFIER ::= {id-attributes senderNonce(5)}
id-recipientNonce OBJECT IDENTIFIER ::= {id-attributes recipientNonce(6)}
id-transId OBJECT IDENTIFIER ::= {id-attributes transId(7)}
id-extensionReq OBJECT IDENTIFIER ::= {id-attributes extensionReq(8)}
-- end added for VCE SCEP-support
END
