PKCS-7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7) modules(0) pkcs-7(1)} DEFINITIONS EXPLICIT TAGS ::= BEGIN -- -- 3. Definitions -- -- EXPORTS All; IMPORTS informationFramework, authenticationFramework FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 3} ATTRIBUTE FROM InformationFramework informationFramework Name, Certificate, CertificateSerialNumber, CertificateList, Time FROM PKIX1Explicit88; -- AuthenticationFramework authenticationFramework; -- contentType, messageDigest, signingTime -- , counterSignature -- FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) -- pkcs-9(9) modules(0) pkcs-9(1)}; -- -- 6. Useful types -- -- inlined from AuthenticationFramework ALGORITHM ::= CLASS {&Type OPTIONAL, &id OBJECT IDENTIFIER UNIQUE }WITH SYNTAX {[&Type] IDENTIFIED BY &id } -- inlined from PKCS-9 pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9} contentType ATTRIBUTE ::= { WITH SYNTAX ContentType -- EQUALITY MATCHING RULE objectIdentifierMatch SINGLE VALUE TRUE ID pkcs-9-at-contentType } pkcs-9-at-contentType OBJECT IDENTIFIER ::= {pkcs-9 3} pkcs-9-at-messageDigest OBJECT IDENTIFIER ::= {pkcs-9 4} pkcs-9-at-signingTime OBJECT IDENTIFIER ::= {pkcs-9 5} pkcs-9-at-counterSignature OBJECT IDENTIFIER ::= {pkcs-9 6} counterSignature ATTRIBUTE ::= { WITH SYNTAX SignerInfo ID pkcs-9-at-counterSignature } messageDigest ATTRIBUTE ::= { WITH SYNTAX MessageDigest -- EQUALITY MATCHING RULE octetStringMatch SINGLE VALUE TRUE ID pkcs-9-at-messageDigest } MessageDigest ::= OCTET STRING signingTime ATTRIBUTE ::= { WITH SYNTAX SigningTime -- EQUALITY MATCHING RULE signingTimeMatch SINGLE VALUE TRUE ID pkcs-9-at-signingTime } SigningTime ::= Time -- imported from ISO/IEC 9594-8 -- begin added for VCE SCEP-support transactionID ATTRIBUTE ::= { WITH SYNTAX PrintableString ID id-transId } messageType ATTRIBUTE ::= { WITH SYNTAX PrintableString ID id-messageType } pkiStatus ATTRIBUTE ::= { WITH SYNTAX PrintableString ID id-pkiStatus } failInfo ATTRIBUTE ::= { WITH SYNTAX PrintableString ID id-failInfo } senderNonce ATTRIBUTE ::= { WITH SYNTAX OCTET STRING ID id-senderNonce } recipientNonce ATTRIBUTE ::= { WITH SYNTAX OCTET STRING ID id-recipientNonce } -- This is the authenticatedAttributes -member from SignerInfo -- added here to generate decode/encode functions for it which are -- needed to build the pkcs-7 used by SCEP, the resulting encoding are -- used to make a signed digest SignerInfoAuthenticatedAttributes ::= CHOICE { aaSet [0] IMPLICIT SET OF AttributePKCS-7 {{Authenticated}}, aaSequence [2] EXPLICIT SEQUENCE OF AttributePKCS-7 {{Authenticated}} -- Explicit because easier to compute digest on sequence of attributes and then reuse -- encoded sequence in aaSequence. } -- end added for VCE SCEP-support -- Also defined in X.509 -- Redeclared here as a parameterized type AlgorithmIdentifierPKCS-7 {ALGORITHM:IOSet} ::= SEQUENCE { algorithm ALGORITHM.&id({IOSet}), parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL } -- Also defined in X.501 -- Redeclared here as a parameterized type AttributePKCS-7 { ATTRIBUTE:IOSet } ::= SEQUENCE { type ATTRIBUTE.&id({IOSet}), values SET SIZE (1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) } CertificateRevocationLists ::= SET OF CertificateList Certificates ::= SEQUENCE OF Certificate CRLSequence ::= SEQUENCE OF CertificateList ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifierPKCS-7 {{ContentEncryptionAlgorithms}} ContentEncryptionAlgorithms ALGORITHM ::= { ... -- add any application-specific algorithms here } DigestAlgorithmIdentifier ::= AlgorithmIdentifierPKCS-7 {{DigestAlgorithms}} DigestAlgorithms ALGORITHM ::= { ... -- add any application-specific algorithms here } DigestEncryptionAlgorithmIdentifier ::= AlgorithmIdentifierPKCS-7 {{DigestEncryptionAlgorithms}} DigestEncryptionAlgorithms ALGORITHM ::= { ... -- add any application-specific algorithms here } ExtendedCertificateOrCertificate ::= CHOICE { certificate Certificate, -- X.509 extendedCertificate [0] IMPLICIT ExtendedCertificate -- PKCS#6 } ExtendedCertificate ::= Certificate -- cheating ExtendedCertificatesAndCertificates ::= SET OF ExtendedCertificateOrCertificate IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber CertificateSerialNumber } KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifierPKCS-7 {{KeyEncryptionAlgorithms}} KeyEncryptionAlgorithms ALGORITHM ::= { ... -- add any application-specific algorithms here } -- -- 7. General syntax -- ContentInfo ::= SEQUENCE { -- contentType ContentType, contentType CONTENTS.&id({Contents}), content [0] EXPLICIT CONTENTS.&Type({Contents}{@contentType}) OPTIONAL } CONTENTS ::= TYPE-IDENTIFIER Contents CONTENTS ::= { {Data IDENTIFIED BY data} | {SignedData IDENTIFIED BY signedData} | {EnvelopedData IDENTIFIED BY envelopedData} | {SignedAndEnvelopedData IDENTIFIED BY signedAndEnvelopedData} | {DigestedData IDENTIFIED BY digestedData} | {EncryptedData IDENTIFIED BY encryptedData}, ... -- add any application-specific types/contents here } ContentType ::= CONTENTS.&id({Contents}) -- -- 8. Data content type -- Data ::= OCTET STRING -- -- 9. Signed-data content type -- SignedData ::= SEQUENCE { -- version INTEGER {sdVer1(1), sdVer2(2)} (sdVer1 | sdVer2), version INTEGER {sdVer1(1), sdVer2(2)}, digestAlgorithms DigestAlgorithmIdentifiers, contentInfo ContentInfo, certificates CHOICE { certSet [0] IMPLICIT ExtendedCertificatesAndCertificates, certSequence [2] IMPLICIT Certificates } OPTIONAL, crls CHOICE { crlSet [1] IMPLICIT CertificateRevocationLists, crlSequence [3] IMPLICIT CRLSequence } OPTIONAL, signerInfos SignerInfos } (WITH COMPONENTS { ..., version (sdVer1), digestAlgorithms (WITH COMPONENTS { ..., daSet PRESENT }), certificates (WITH COMPONENTS { ..., certSequence ABSENT }), crls (WITH COMPONENTS { ..., crlSequence ABSENT }), signerInfos (WITH COMPONENTS { ..., siSet PRESENT }) } | WITH COMPONENTS { ..., version (sdVer2), digestAlgorithms (WITH COMPONENTS { ..., daSequence PRESENT }), certificates (WITH COMPONENTS { ..., certSet ABSENT }), crls (WITH COMPONENTS { ..., crlSet ABSENT }), signerInfos (WITH COMPONENTS { ..., siSequence PRESENT }) }) SignerInfos ::= CHOICE { siSet SET OF SignerInfo, siSequence SEQUENCE OF SignerInfo } DigestAlgorithmIdentifiers ::= CHOICE { daSet SET OF DigestAlgorithmIdentifier, daSequence SEQUENCE OF DigestAlgorithmIdentifier } SignerInfo ::= SEQUENCE { -- version INTEGER {siVer1(1), siVer2(2)} (siVer1 | siVer2), version INTEGER {siVer1(1), siVer2(2)}, issuerAndSerialNumber IssuerAndSerialNumber, digestAlgorithm DigestAlgorithmIdentifier, -- Added explicit type for authenticatedAttributes to be able to -- encode/decode this type separately authenticatedAttributes SignerInfoAuthenticatedAttributes OPTIONAL, digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier, encryptedDigest EncryptedDigest, unauthenticatedAttributes CHOICE { uaSet [1] IMPLICIT SET OF AttributePKCS-7 {{Unauthenticated}}, uaSequence [3] IMPLICIT SEQUENCE OF AttributePKCS-7 {{Unauthenticated}} } OPTIONAL } (WITH COMPONENTS { ..., version (siVer1), authenticatedAttributes (WITH COMPONENTS { ..., aaSequence ABSENT }), unauthenticatedAttributes (WITH COMPONENTS { ..., uaSequence ABSENT }) } | WITH COMPONENTS { ..., version (siVer2), authenticatedAttributes (WITH COMPONENTS { ..., aaSet ABSENT }), unauthenticatedAttributes (WITH COMPONENTS { ..., uaSet ABSENT }) }) Authenticated ATTRIBUTE ::= { contentType | messageDigest | -- begin added for VCE SCEP-support transactionID | messageType | pkiStatus | failInfo | senderNonce | recipientNonce, -- end added for VCE SCEP-support ..., -- add application-specific attributes here signingTime } Unauthenticated ATTRIBUTE ::= { contentType | messageDigest, ..., -- add application-specific attributes here counterSignature -- ..., add application-specific attributes here -- counterSignature } EncryptedDigest ::= OCTET STRING DigestInfo ::= SEQUENCE { digestAlgorithm DigestAlgorithmIdentifier, digest Digest } Digest ::= OCTET STRING -- -- 10. Enveloped-data content type -- EnvelopedData ::= SEQUENCE { -- version INTEGER {edVer0(0), edVer1(1)} (edVer0 | edVer1), version INTEGER {edVer0(0), edVer1(1)}, recipientInfos RecipientInfos, encryptedContentInfo EncryptedContentInfo } (WITH COMPONENTS { ..., version (edVer0), recipientInfos (WITH COMPONENTS { ..., riSet PRESENT }) } | WITH COMPONENTS { ..., version (edVer1), recipientInfos (WITH COMPONENTS { ..., riSequence PRESENT }) }) RecipientInfos ::= CHOICE { riSet SET OF RecipientInfo, riSequence SEQUENCE OF RecipientInfo } EncryptedContentInfo ::= SEQUENCE { contentType ContentType, contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL } EncryptedContent ::= OCTET STRING RecipientInfo ::= SEQUENCE { -- version INTEGER {riVer0(0)} (riVer0), version INTEGER {riVer0(0)}, issuerAndSerialNumber IssuerAndSerialNumber, keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, encryptedKey EncryptedKey } EncryptedKey ::= OCTET STRING -- -- 11. Signed-and-enveloped-data content type -- SignedAndEnvelopedData ::= SEQUENCE { -- version INTEGER {seVer1(1), seVer2(2)} (seVer1 | seVer2), version INTEGER {seVer1(1), seVer2(2)}, recipientInfos RecipientInfos, digestAlgorithms DigestAlgorithmIdentifiers, encryptedContentInfo EncryptedContentInfo, certificates CHOICE { certSet [0] IMPLICIT ExtendedCertificatesAndCertificates, certSequence [2] IMPLICIT Certificates } OPTIONAL, crls CHOICE { crlSet [1] IMPLICIT CertificateRevocationLists, crlSequence [3] IMPLICIT CRLSequence } OPTIONAL, signerInfos SignerInfos } (WITH COMPONENTS { ..., version (seVer1), recipientInfos (WITH COMPONENTS { ..., riSet PRESENT }), digestAlgorithms (WITH COMPONENTS { ..., daSet PRESENT }), certificates (WITH COMPONENTS { ..., certSequence ABSENT }), crls (WITH COMPONENTS { ..., crlSequence ABSENT }), signerInfos (WITH COMPONENTS { ..., siSet PRESENT }) } | WITH COMPONENTS { ..., version (seVer2), recipientInfos (WITH COMPONENTS { ..., riSequence PRESENT }), digestAlgorithms (WITH COMPONENTS { ..., daSequence PRESENT }), certificates (WITH COMPONENTS { ..., certSet ABSENT }), crls (WITH COMPONENTS { ..., crlSet ABSENT }), signerInfos (WITH COMPONENTS { ..., siSequence PRESENT }) }) -- -- 12. Digested-data content type --pbeWithSHAAnd3-KeyTripleDES-CBC DigestedData ::= SEQUENCE { -- version INTEGER {ddVer0(0)} (ddVer0), version INTEGER {ddVer0(0)}, digestAlgorithm DigestAlgorithmIdentifier, contentInfo ContentInfo, digest Digest } -- -- 13. Encrypted-data content type -- EncryptedData ::= SEQUENCE { -- version INTEGER {edVer0(0)} (edVer0), version INTEGER {edVer0(0)}, encryptedContentInfo EncryptedContentInfo } -- -- 14. Object Identifiers -- pkcs-7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 } data OBJECT IDENTIFIER ::= { pkcs-7 1 } signedData OBJECT IDENTIFIER ::= { pkcs-7 2 } envelopedData OBJECT IDENTIFIER ::= { pkcs-7 3 } signedAndEnvelopedData OBJECT IDENTIFIER ::= { pkcs-7 4 } digestedData OBJECT IDENTIFIER ::= { pkcs-7 5 } encryptedData OBJECT IDENTIFIER ::= { pkcs-7 6 } -- begin added for VCE SCEP-support id-VeriSign OBJECT IDENTIFIER ::= {2 16 us(840) 1 veriSign(113733)} id-pki OBJECT IDENTIFIER ::= {id-VeriSign pki(1)} id-attributes OBJECT IDENTIFIER ::= {id-pki attributes(9)} id-messageType OBJECT IDENTIFIER ::= {id-attributes messageType(2)} id-pkiStatus OBJECT IDENTIFIER ::= {id-attributes pkiStatus(3)} id-failInfo OBJECT IDENTIFIER ::= {id-attributes failInfo(4)} id-senderNonce OBJECT IDENTIFIER ::= {id-attributes senderNonce(5)} id-recipientNonce OBJECT IDENTIFIER ::= {id-attributes recipientNonce(6)} id-transId OBJECT IDENTIFIER ::= {id-attributes transId(7)} id-extensionReq OBJECT IDENTIFIER ::= {id-attributes extensionReq(8)} -- end added for VCE SCEP-support END