PKCS-7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)
        modules(0) pkcs-7(1)}

DEFINITIONS EXPLICIT TAGS ::=
BEGIN

--
-- 3. Definitions
--

-- EXPORTS All;

IMPORTS

informationFramework, authenticationFramework
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
                            usefulDefinitions(0) 3}

  Name, ATTRIBUTE
    FROM InformationFramework informationFramework

  ALGORITHM, Certificate, CertificateSerialNumber,
    CertificateList, Time
    FROM AuthenticationFramework authenticationFramework;

--  contentType, messageDigest, signingTime
-- , counterSignature
--    FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
--                 pkcs-9(9) modules(0) pkcs-9(1)};
--
-- 6. Useful types
--
pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
                              rsadsi(113549) pkcs(1) 9}
contentType ATTRIBUTE ::= {
        WITH SYNTAX ContentType
--        EQUALITY MATCHING RULE objectIdentifierMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-contentType
}

pkcs-9-at-contentType                   OBJECT IDENTIFIER ::= {pkcs-9 3}
pkcs-9-at-messageDigest                 OBJECT IDENTIFIER ::= {pkcs-9 4}
pkcs-9-at-signingTime                   OBJECT IDENTIFIER ::= {pkcs-9 5}
pkcs-9-at-counterSignature              OBJECT IDENTIFIER ::= {pkcs-9 6}

counterSignature ATTRIBUTE ::= {
        WITH SYNTAX SignerInfo
        ID pkcs-9-at-counterSignature
}
messageDigest ATTRIBUTE ::= {
        WITH SYNTAX MessageDigest
--        EQUALITY MATCHING RULE octetStringMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-messageDigest
}

MessageDigest ::= OCTET STRING

signingTime ATTRIBUTE ::= {
        WITH SYNTAX SigningTime
--        EQUALITY MATCHING RULE signingTimeMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-signingTime
}

SigningTime ::= Time -- imported from ISO/IEC 9594-8


-- Also defined in X.509
-- Redeclared here as a parameterized type
AlgorithmIdentifier {ALGORITHM:IOSet} ::= SEQUENCE {
   algorithm   ALGORITHM.&id({IOSet}),
   parameters  ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}

-- Also defined in X.501
-- Redeclared here as a parameterized type
Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
  type    ATTRIBUTE.&id({IOSet}),
  values  SET SIZE (1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}

CertificateRevocationLists ::=
  SET OF CertificateList

Certificates ::=
  SEQUENCE OF Certificate

CRLSequence ::=
  SEQUENCE OF CertificateList

ContentEncryptionAlgorithmIdentifier ::=
  AlgorithmIdentifier {{ContentEncryptionAlgorithms}}

ContentEncryptionAlgorithms ALGORITHM ::= {
  ...  -- add any application-specific algorithms here
}

DigestAlgorithmIdentifier ::=
  AlgorithmIdentifier {{DigestAlgorithms}}

DigestAlgorithms ALGORITHM ::= {
   ...  -- add any application-specific algorithms here
}

DigestEncryptionAlgorithmIdentifier ::=
  AlgorithmIdentifier {{DigestEncryptionAlgorithms}}

DigestEncryptionAlgorithms ALGORITHM ::= {
  ...  -- add any application-specific algorithms here
}

ExtendedCertificateOrCertificate ::= CHOICE {
  certificate          Certificate,                      -- X.509
  extendedCertificate  [0] IMPLICIT ExtendedCertificate  -- PKCS#6
}

ExtendedCertificate ::= Certificate -- cheating

ExtendedCertificatesAndCertificates ::=
  SET OF ExtendedCertificateOrCertificate

IssuerAndSerialNumber ::= SEQUENCE {
  issuer        Name,
  serialNumber  CertificateSerialNumber
}

KeyEncryptionAlgorithmIdentifier ::=
  AlgorithmIdentifier {{KeyEncryptionAlgorithms}}

KeyEncryptionAlgorithms ALGORITHM ::= {
  ...  -- add any application-specific algorithms here
}

--
-- 7. General syntax
--

ContentInfo ::= SEQUENCE {
--  contentType  ContentType,
  contentType  CONTENTS.&id({Contents}),
  content      [0] EXPLICIT CONTENTS.&Type({Contents}{@contentType})
OPTIONAL
}

CONTENTS ::= TYPE-IDENTIFIER

Contents CONTENTS ::= {
  {Data                    IDENTIFIED BY data}                   |
  {SignedData              IDENTIFIED BY signedData}             |
  {EnvelopedData           IDENTIFIED BY envelopedData}          |
  {SignedAndEnvelopedData  IDENTIFIED BY signedAndEnvelopedData} |
  {DigestedData            IDENTIFIED BY digestedData}           |
  {EncryptedData           IDENTIFIED BY encryptedData},
  ...  -- add any application-specific types/contents here
}

ContentType ::= CONTENTS.&id({Contents})

--
-- 8. Data content type
--

Data ::= OCTET STRING

--
-- 9. Signed-data content type
--

SignedData ::= SEQUENCE {
--  version         INTEGER {sdVer1(1), sdVer2(2)} (sdVer1 | sdVer2),
  version         INTEGER {sdVer1(1), sdVer2(2)},
  digestAlgorithms
                  DigestAlgorithmIdentifiers,
  contentInfo     ContentInfo,
  certificates CHOICE {
    certSet       [0] IMPLICIT ExtendedCertificatesAndCertificates,
    certSequence  [2] IMPLICIT Certificates
  } OPTIONAL,
  crls CHOICE {
    crlSet        [1] IMPLICIT CertificateRevocationLists,
    crlSequence   [3] IMPLICIT CRLSequence
  } OPTIONAL,
  signerInfos     SignerInfos
} (WITH COMPONENTS { ..., version (sdVer1),
     digestAlgorithms   (WITH COMPONENTS { ..., daSet PRESENT }),
     certificates       (WITH COMPONENTS { ..., certSequence ABSENT }),
     crls               (WITH COMPONENTS { ..., crlSequence ABSENT }),
     signerInfos        (WITH COMPONENTS { ..., siSet PRESENT })
   } |
   WITH COMPONENTS { ..., version (sdVer2),
      digestAlgorithms  (WITH COMPONENTS { ..., daSequence PRESENT }),
      certificates      (WITH COMPONENTS { ..., certSet ABSENT }),
      crls              (WITH COMPONENTS { ..., crlSet ABSENT }),
      signerInfos       (WITH COMPONENTS { ..., siSequence PRESENT })
})

SignerInfos ::= CHOICE {
    siSet         SET OF SignerInfo,
    siSequence    SEQUENCE OF SignerInfo
}

DigestAlgorithmIdentifiers ::= CHOICE {
  daSet           SET OF DigestAlgorithmIdentifier,
  daSequence      SEQUENCE OF DigestAlgorithmIdentifier
}

SignerInfo ::= SEQUENCE {
--  version         INTEGER {siVer1(1), siVer2(2)} (siVer1 | siVer2),
  version         INTEGER {siVer1(1), siVer2(2)},
  issuerAndSerialNumber
                  IssuerAndSerialNumber,
  digestAlgorithm DigestAlgorithmIdentifier,
  authenticatedAttributes CHOICE {
    aaSet         [0] IMPLICIT SET OF Attribute {{Authenticated}},
    aaSequence    [2] EXPLICIT SEQUENCE OF Attribute {{Authenticated}}
    -- Explicit because easier to compute digest on sequence of attributes and then reuse
    -- encoded sequence in aaSequence.
  } OPTIONAL,
  digestEncryptionAlgorithm
                  DigestEncryptionAlgorithmIdentifier,
  encryptedDigest EncryptedDigest,
  unauthenticatedAttributes CHOICE {
    uaSet         [1] IMPLICIT SET OF Attribute {{Unauthenticated}},
    uaSequence    [3] IMPLICIT SEQUENCE OF Attribute {{Unauthenticated}}
  } OPTIONAL
} (WITH COMPONENTS { ..., version (siVer1),
  authenticatedAttributes       (WITH COMPONENTS { ..., aaSequence ABSENT }),
  unauthenticatedAttributes     (WITH COMPONENTS { ..., uaSequence ABSENT })
} | WITH COMPONENTS { ..., version (siVer2),
  authenticatedAttributes       (WITH COMPONENTS { ..., aaSet ABSENT }),
  unauthenticatedAttributes     (WITH COMPONENTS { ..., uaSet ABSENT })
})

Authenticated ATTRIBUTE ::= {
  contentType |
  messageDigest,
  ...,  -- add application-specific attributes here
  signingTime
}

Unauthenticated ATTRIBUTE ::= {
  contentType |
  messageDigest,
  ...,  -- add application-specific attributes here
  counterSignature
--  ...,  add application-specific attributes here
--  counterSignature
}

EncryptedDigest ::= OCTET STRING

DigestInfo ::= SEQUENCE {
  digestAlgorithm DigestAlgorithmIdentifier,
  digest          Digest
}

Digest ::= OCTET STRING

--
-- 10. Enveloped-data content type
--

EnvelopedData ::= SEQUENCE {
--  version         INTEGER {edVer0(0), edVer1(1)} (edVer0 | edVer1),
  version         INTEGER {edVer0(0), edVer1(1)},
  recipientInfos  RecipientInfos,
  encryptedContentInfo
                  EncryptedContentInfo
} (WITH COMPONENTS { ..., version (edVer0),
    recipientInfos      (WITH COMPONENTS { ..., riSet PRESENT })
} | WITH COMPONENTS { ..., version (edVer1),
    recipientInfos      (WITH COMPONENTS { ..., riSequence PRESENT })
})

RecipientInfos ::= CHOICE {
  riSet           SET OF RecipientInfo,
  riSequence      SEQUENCE OF RecipientInfo
}

EncryptedContentInfo ::= SEQUENCE {
  contentType     ContentType,
  contentEncryptionAlgorithm
                  ContentEncryptionAlgorithmIdentifier,
  encryptedContent
                  [0] IMPLICIT EncryptedContent OPTIONAL
}

EncryptedContent ::= OCTET STRING

RecipientInfo ::= SEQUENCE {
--  version         INTEGER {riVer0(0)} (riVer0),
  version         INTEGER {riVer0(0)},
  issuerAndSerialNumber
                  IssuerAndSerialNumber,
  keyEncryptionAlgorithm
                  KeyEncryptionAlgorithmIdentifier,
  encryptedKey    EncryptedKey
}

EncryptedKey ::= OCTET STRING

--
-- 11. Signed-and-enveloped-data content type
--

SignedAndEnvelopedData ::= SEQUENCE {
--  version         INTEGER {seVer1(1), seVer2(2)} (seVer1 | seVer2),
  version         INTEGER {seVer1(1), seVer2(2)},
  recipientInfos  RecipientInfos,
  digestAlgorithms
                  DigestAlgorithmIdentifiers,
  encryptedContentInfo
                  EncryptedContentInfo,
  certificates CHOICE {
    certSet       [0] IMPLICIT ExtendedCertificatesAndCertificates,
    certSequence  [2] IMPLICIT Certificates
  } OPTIONAL,
  crls CHOICE {
    crlSet        [1] IMPLICIT CertificateRevocationLists,
    crlSequence   [3] IMPLICIT CRLSequence
  } OPTIONAL,
  signerInfos     SignerInfos
} (WITH COMPONENTS { ..., version (seVer1),
    recipientInfos   (WITH COMPONENTS { ..., riSet PRESENT }),
    digestAlgorithms (WITH COMPONENTS { ..., daSet PRESENT }),
    certificates     (WITH COMPONENTS { ..., certSequence ABSENT }),
    crls             (WITH COMPONENTS { ..., crlSequence ABSENT }),
    signerInfos      (WITH COMPONENTS { ..., siSet PRESENT })
} |
  WITH COMPONENTS { ..., version (seVer2),
    recipientInfos   (WITH COMPONENTS { ..., riSequence PRESENT }),
    digestAlgorithms (WITH COMPONENTS { ..., daSequence PRESENT }),
    certificates     (WITH COMPONENTS { ..., certSet ABSENT }),
    crls             (WITH COMPONENTS { ..., crlSet ABSENT }),
    signerInfos      (WITH COMPONENTS { ..., siSequence PRESENT })
})

--
-- 12. Digested-data content type
--pbeWithSHAAnd3-KeyTripleDES-CBC

DigestedData ::= SEQUENCE {
--  version         INTEGER {ddVer0(0)} (ddVer0),
  version         INTEGER {ddVer0(0)},
  digestAlgorithm DigestAlgorithmIdentifier,
  contentInfo     ContentInfo,
  digest          Digest
}

--
-- 13. Encrypted-data content type
--

EncryptedData ::= SEQUENCE {
--  version		INTEGER {edVer0(0)} (edVer0),
  version		INTEGER {edVer0(0)},
  encryptedContentInfo  EncryptedContentInfo
}

--
-- 14. Object Identifiers
--

pkcs-7                  OBJECT IDENTIFIER ::=
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 }
data                    OBJECT IDENTIFIER ::= { pkcs-7 1 }
signedData              OBJECT IDENTIFIER ::= { pkcs-7 2 }
envelopedData           OBJECT IDENTIFIER ::= { pkcs-7 3 }
signedAndEnvelopedData  OBJECT IDENTIFIER ::= { pkcs-7 4 }
digestedData            OBJECT IDENTIFIER ::= { pkcs-7 5 }
encryptedData           OBJECT IDENTIFIER ::= { pkcs-7 6 }

END