diff --git a/const-oid/oiddbgen/rfc5911.txt b/const-oid/oiddbgen/rfc5911.txt new file mode 100644 index 000000000..838ff0590 --- /dev/null +++ b/const-oid/oiddbgen/rfc5911.txt @@ -0,0 +1,3307 @@ + + + + + + +Internet Engineering Task Force (IETF) P. Hoffman +Request for Comments: 5911 VPN Consortium +Category: Informational J. Schaad +ISSN: 2070-1721 Soaring Hawk Consulting + June 2010 + + + New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME + +Abstract + + The Cryptographic Message Syntax (CMS) format, and many associated + formats, are expressed using ASN.1. The current ASN.1 modules + conform to the 1988 version of ASN.1. This document updates those + ASN.1 modules to conform to the 2002 version of ASN.1. There are no + bits-on-the-wire changes to any of the formats; this is simply a + change to the syntax. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc5911. + + + + + + + + + + + + + + + + + + +Hoffman & Schaad Informational [Page 1] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +Copyright Notice + + Copyright (c) 2010 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + This document may contain material from IETF Documents or IETF + Contributions published or made publicly available before November + 10, 2008. The person(s) controlling the copyright in some of this + material may not have granted the IETF Trust the right to allow + modifications of such material outside the IETF Standards Process. + Without obtaining an adequate license from the person(s) controlling + the copyright in such materials, this document may not be modified + outside the IETF Standards Process, and derivative works of it may + not be created outside the IETF Standards Process, except to format + it for publication as an RFC or to translate it into languages other + than English. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 4 + 3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 14 + 4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 20 + 5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 22 + 6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 24 + 7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 34 + 8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 40 + 9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 41 + 10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 47 + 11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 48 + 12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 50 + 13. Security Considerations . . . . . . . . . . . . . . . . . . . 57 + 14. Normative References . . . . . . . . . . . . . . . . . . . . . 57 + + + + + + + +Hoffman & Schaad Informational [Page 2] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +1. Introduction + + Some developers would like the IETF to use the latest version of + ASN.1 in its standards. Most of the RFCs that relate to security + protocols still use ASN.1 from the 1988 standard, which has been + deprecated. This is particularly true for the standards that relate + to PKIX, CMS, and S/MIME. + + This document updates the following RFCs to use ASN.1 modules that + conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all + the modules are updated; some are included to simply make the set + complete. + + o RFC 3370, CMS Algorithms [RFC3370] + + o RFC 3565, Use of AES in CMS [RFC3565] + + o RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851] + + o RFC 3852, CMS main [RFC3852] + + o RFC 4108, Using CMS to Protect Firmware Packages [RFC4108] + + o RFC 4998, Evidence Record Syntax (ERS) [RFC4998] + + o RFC 5035, Enhanced Security Services (ESS) [RFC5035] + + o RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083] + + o RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in + CMS [RFC5084] + + o RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275] + + Note that some of the modules in this document get some of their + definitions from places different than the modules in the original + RFCs. The idea is that these modules, when combined with the modules + in [RFC5912] can stand on their own and do not need to import + definitions from anywhere else. Also note that the ASN.1 modules in + this document have references in their text comments that need to be + looked up in original RFCs, and that some of those references may + have already been superseded by later RFCs. + + The document also includes a module of common definitions called + "AlgorithmInformation". These definitions are used here and in + [RFC5912]. + + + + + +Hoffman & Schaad Informational [Page 3] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + Note that some of the modules here import definitions from the common + definitions module, "PKIX-CommonTypes", in [RFC5912]. + +1.1. Design Notes + + The modules in this document use the object model available in the + 2002 ASN.1 documents to a great extent. Objects for each of the + different algorithm types are defined. Also, all of the places where + the 1988 ASN.1 syntax had ANY holes to allow for variable syntax now + use objects. + + Much like the way that the PKIX and S/MIME working groups use the + prefix of id- for object identifiers, this document has also adopted + a set of two-, three-, and four-letter prefixes to allow for quick + identification of the type of an object based on its name. This + allows, for example, the same back half of the name to be used for + the different objects. Thus, "id-sha1" is the object identifier, + while "mda-sha1" is the message digest object for "sha1". + + One or more object sets for the different types of algorithms are + defined. A single consistent name for each different algorithm type + is used. For example, an object set named PublicKeys contains the + public keys defined in that module. If no public keys are defined, + then the object set is not created. When importing these object sets + into an ASN.1 module, one needs to be able to distinguish between the + different object sets with the same name. This is done by using both + the module name (as specified in the IMPORT statement) and the object + set name. For example, in the module for RFC 5280: + + PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 } + PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 } + + PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ..., + PKIX1-PSS-OAEP-Algorithms.PublicKeys } + +2. ASN.1 Module AlgorithmInformation + + This section contains a module that is imported by many other modules + in this document. Note that this module is also given in [RFC5912]. + This module does not come from any existing RFC. + +AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + + + + + +Hoffman & Schaad Informational [Page 4] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +DEFINITIONS EXPLICIT TAGS ::= +BEGIN +EXPORTS ALL; +IMPORTS + +KeyUsage +FROM PKIX1Implicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-implicit-02(59)} ; + +-- Suggested prefixes for algorithm objects are: +-- +-- mda- Message Digest Algorithms +-- sa- Signature Algorithms +-- kta- Key Transport Algorithms (Asymmetric) +-- kaa- Key Agreement Algorithms (Asymmetric) +-- kwa- Key Wrap Algorithms (Symmetric) +-- kda- Key Derivation Algorithms +-- maca- Message Authentication Code Algorithms +-- pk- Public Key +-- cea- Content (symmetric) Encryption Algorithms +-- cap- S/MIME Capabilities + +ParamOptions ::= ENUMERATED { + required, -- Parameters MUST be encoded in structure + preferredPresent, -- Parameters SHOULD be encoded in structure + preferredAbsent, -- Parameters SHOULD NOT be encoded in structure + absent, -- Parameters MUST NOT be encoded in structure + inheritable, -- Parameters are inherited if not present + optional, -- Parameters MAY be encoded in the structure + ... +} + +-- DIGEST-ALGORITHM +-- +-- Describes the basic information for ASN.1 and a digest +-- algorithm. +-- +-- &id - contains the OID identifying the digest algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- +-- Additional information such as the length of the hash could have +-- been encoded. Without a clear understanding of what information +-- is needed by applications, such extraneous information was not +-- considered to be of sufficient importance. + + + +Hoffman & Schaad Informational [Page 5] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +-- +-- Example: +-- mda-sha1 DIGEST-ALGORITHM ::= { +-- IDENTIFIER id-sha1 +-- PARAMS TYPE NULL ARE preferredAbsent +-- } + +DIGEST-ALGORITHM ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence ] +} + +-- SIGNATURE-ALGORITHM +-- +-- Describes the basic properties of a signature algorithm +-- +-- &id - contains the OID identifying the signature algorithm +-- &Value - contains a type definition for the value structure of +-- the signature; if absent, implies that no ASN.1 +-- encoding is performed on the value +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &HashSet - The set of hash algorithms used with this +-- signature algorithm +-- &PublicKeySet - the set of public key algorithms for this +-- signature algorithm +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER id-RSASSA-PSS +-- PARAMS TYPE RSASSA-PSS-params ARE required +-- HASHES { mda-sha1 | mda-md5, ... } +-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss } +-- } + +SIGNATURE-ALGORITHM ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Value OPTIONAL, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &HashSet DIGEST-ALGORITHM OPTIONAL, + + + +Hoffman & Schaad Informational [Page 6] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + &PublicKeySet PUBLIC-KEY OPTIONAL, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [VALUE &Value] + [PARAMS [TYPE &Params] ARE ¶mPresence ] + [HASHES &HashSet] + [PUBLIC-KEYS &PublicKeySet] + [SMIME-CAPS &smimeCaps] +} + +-- PUBLIC-KEY +-- +-- Describes the basic properties of a public key +-- +-- &id - contains the OID identifying the public key +-- &KeyValue - contains the type for the key value +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &keyUsage - contains the set of bits that are legal for this +-- key type. Note that it does not make any statement +-- about how bits may be paired. +-- &PrivateKey - contains a type structure for encoding the private +-- key information. +-- +-- Example: +-- pk-rsa-pss PUBLIC-KEY ::= { +-- IDENTIFIER id-RSASSA-PSS +-- KEY RSAPublicKey +-- PARAMS TYPE RSASSA-PSS-params ARE optional +-- CERT-KEY-USAGE { .... } +-- } + +PUBLIC-KEY ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &KeyValue OPTIONAL, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &keyUsage KeyUsage OPTIONAL, + &PrivateKey OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [KEY &KeyValue] + [PARAMS [TYPE &Params] ARE ¶mPresence] + [CERT-KEY-USAGE &keyUsage] + [PRIVATE-KEY &PrivateKey] +} + + + +Hoffman & Schaad Informational [Page 7] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +-- KEY-TRANSPORT +-- +-- Describes the basic properties of a key transport algorithm +-- +-- &id - contains the OID identifying the key transport algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &PublicKeySet - specifies which public keys are used with +-- this algorithm +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- kta-rsaTransport KEY-TRANSPORT ::= { +-- IDENTIFIER &id +-- PARAMS TYPE NULL ARE required +-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss } +-- } + +KEY-TRANSPORT ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &PublicKeySet PUBLIC-KEY OPTIONAL, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [PUBLIC-KEYS &PublicKeySet] + [SMIME-CAPS &smimeCaps] +} + +-- KEY-AGREE +-- +-- Describes the basic properties of a key agreement algorithm +-- +-- &id - contains the OID identifying the key agreement algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &PublicKeySet - specifies which public keys are used with +-- this algorithm +-- &Ukm - type of user keying material used +-- &ukmPresence - specifies the requirements to define the UKM field +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- + + + +Hoffman & Schaad Informational [Page 8] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +-- Example: +-- kaa-dh-static-ephemeral KEY-AGREE ::= { +-- IDENTIFIER id-alg-ESDH +-- PARAMS TYPE KeyWrapAlgorithm ARE required +-- PUBLIC-KEYS { +-- {IDENTIFIER dh-public-number KEY DHPublicKey +-- PARAMS TYPE DHDomainParameters ARE inheritable } +-- } +-- - - UKM should be present but is not separately ASN.1-encoded +-- UKM ARE preferredPresent +-- } + +KEY-AGREE ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &PublicKeySet PUBLIC-KEY OPTIONAL, + &Ukm OPTIONAL, + &ukmPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [PUBLIC-KEYS &PublicKeySet] + [UKM [TYPE &Ukm] ARE &ukmPresence] + [SMIME-CAPS &smimeCaps] +} + +-- KEY-WRAP +-- +-- Describes the basic properties of a key wrap algorithm +-- +-- &id - contains the OID identifying the key wrap algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- kwa-cms3DESwrap KEY-WRAP ::= { +-- IDENTIFIER id-alg-CMS3DESwrap +-- PARAMS TYPE NULL ARE required +-- } + +KEY-WRAP ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + + + +Hoffman & Schaad Informational [Page 9] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + ¶mPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [SMIME-CAPS &smimeCaps] +} + +-- KEY-DERIVATION +-- +-- Describes the basic properties of a key derivation algorithm +-- +-- &id - contains the OID identifying the key derivation algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- kda-pbkdf2 KEY-DERIVATION ::= { +-- IDENTIFIER id-PBKDF2 +-- PARAMS TYPE PBKDF2-params ARE required +-- } + +KEY-DERIVATION ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [SMIME-CAPS &smimeCaps] +} + +-- MAC-ALGORITHM +-- +-- Describes the basic properties of a message +-- authentication code (MAC) algorithm +-- +-- &id - contains the OID identifying the MAC algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &keyed - MAC algorithm is a keyed MAC algorithm +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. + + + +Hoffman & Schaad Informational [Page 10] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +-- +-- Some parameters that perhaps should have been added would be +-- fields with the minimum and maximum MAC lengths for +-- those MAC algorithms that allow truncations. +-- +-- Example: +-- maca-hmac-sha1 MAC-ALGORITHM ::= { +-- IDENTIFIER hMAC-SHA1 +-- PARAMS TYPE NULL ARE preferredAbsent +-- IS KEYED MAC TRUE +-- SMIME-CAPS {IDENTIFIED BY hMAC-SHA1} +-- } + +MAC-ALGORITHM ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &keyed BOOLEAN, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + IS-KEYED-MAC &keyed + [SMIME-CAPS &smimeCaps] +} + +-- CONTENT-ENCRYPTION +-- +-- Describes the basic properties of a content encryption +-- algorithm +-- +-- &id - contains the OID identifying the content +-- encryption algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- cea-3DES-cbc CONTENT-ENCRYPTION ::= { +-- IDENTIFIER des-ede3-cbc +-- PARAMS TYPE IV ARE required +-- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc } +-- } + +CONTENT-ENCRYPTION ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + + + +Hoffman & Schaad Informational [Page 11] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [SMIME-CAPS &smimeCaps] +} + +-- ALGORITHM +-- +-- Describes a generic algorithm identifier +-- +-- &id - contains the OID identifying the algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- This would be used for cases where an algorithm of an unknown +-- type is used. In general however, one should either define +-- a more complete algorithm structure (such as the one above) +-- or use the TYPE-IDENTIFIER class. + +ALGORITHM ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [SMIME-CAPS &smimeCaps] +} + +-- AlgorithmIdentifier +-- +-- Provides the generic structure that is used to encode algorithm +-- identification and the parameters associated with the +-- algorithm. +-- +-- The first parameter represents the type of the algorithm being +-- used. +-- The second parameter represents an object set containing the +-- algorithms that may occur in this situation. +-- The initial list of required algorithms should occur to the +-- left of an extension marker; all other algorithms should + + + +Hoffman & Schaad Informational [Page 12] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +-- occur to the right of an extension marker. +-- +-- The object class ALGORITHM can be used for generic unspecified +-- items. +-- If new ALGORITHM classes are defined, the fields &id and &Params +-- need to be present as fields in the object in order to use +-- this parameterized type. +-- +-- Example: +-- SignatureAlgorithmIdentifier ::= +-- AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgSet}} + +AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= + SEQUENCE { + algorithm ALGORITHM-TYPE.&id({AlgorithmSet}), + parameters ALGORITHM-TYPE. + &Params({AlgorithmSet}{@algorithm}) OPTIONAL + } + +-- S/MIME Capabilities +-- +-- We have moved the SMIME-CAPS from the module for RFC 3851 to here +-- because it is used in RFC 4262 (X.509 Certificate Extension for +-- S/MIME Capabilities) +-- +-- +-- This class is used to represent an S/MIME capability. S/MIME +-- capabilities are used to represent what algorithm capabilities +-- an individual has. The classic example was the content encryption +-- algorithm RC2 where the algorithm id and the RC2 key lengths +-- supported needed to be advertised, but the IV used is not fixed. +-- Thus, for RC2 we used +-- +-- cap-RC2CBC SMIME-CAPS ::= { +-- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc } +-- +-- where 40 and 128 represent the RC2 key length in number of bits. +-- +-- Another example where information needs to be shown is for +-- RSA-OAEP where only specific hash functions or mask generation +-- functions are supported, but the saltLength is specified by the +-- sender and not the recipient. In this case, one can either +-- generate a number of capability items, +-- or a new S/MIME capability type could be generated where +-- multiple hash functions could be specified. +-- +-- +-- SMIME-CAP + + + +Hoffman & Schaad Informational [Page 13] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +-- +-- This class is used to associate the type that describes the +-- capabilities with the object identifier. +-- + +SMIME-CAPS ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Type OPTIONAL +} +WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id } + +-- +-- Generic type - this is used for defining values. +-- + +-- Define a single S/MIME capability encoding + +SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE { + capabilityID SMIME-CAPS.&id({CapabilitySet}), + parameters SMIME-CAPS.&Type({CapabilitySet} + {@capabilityID}) OPTIONAL +} + +-- Define a sequence of S/MIME capability values + +SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::= + SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} } + +END + +3. ASN.1 Module for RFC 3370 + + CryptographicMessageSyntaxAlgorithms-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cmsalg-2001-02(37) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, + PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, + KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, + AlgorithmIdentifier{}, SMIME-CAPS + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + + + +Hoffman & Schaad Informational [Page 14] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + pk-rsa, pk-dh, pk-dsa, rsaEncryption, DHPublicKey, dhpublicnumber + FROM PKIXAlgs-2009 + {iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms2008-02(56)} + + cap-RC2CBC + FROM SecureMimeMessageV3dot1-2009 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-msg-v3dot1-02(39)}; + + -- 2. Hash algorithms in this document + + MessageDigestAlgs DIGEST-ALGORITHM ::= { + -- mda-md5 | mda-sha1, + ... } + + -- 3. Signature algorithms in this document + + SignatureAlgs SIGNATURE-ALGORITHM ::= { + -- See RFC 3279 + -- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1, + ... } + + -- 4. Key Management Algorithms + -- 4.1 Key Agreement Algorithms + + KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...} + KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...} + + -- 4.2 Key Transport Algorithms + + KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... } + + -- 4.3 Symmetric Key-Encryption Key Algorithms + + KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... } + + -- 4.4 Key Derivation Algorithms + + KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... } + + -- 5. Content Encryption Algorithms + + ContentEncryptionAlgs CONTENT-ENCRYPTION ::= + { cea-3DES-cbc | cea-RC2-cbc, ... } + + -- 6. Message Authentication Code Algorithms + + + +Hoffman & Schaad Informational [Page 15] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... } + + -- S/MIME Capabilities for these items + + SMimeCaps SMIME-CAPS ::= { + kaa-esdh.&smimeCaps | + kaa-ssdh.&smimeCaps | + kt-rsa.&smimeCaps | + kwa-3DESWrap.&smimeCaps | + kwa-RC2Wrap.&smimeCaps | + cea-3DES-cbc.&smimeCaps | + cea-RC2-cbc.&smimeCaps | + maca-hMAC-SHA1.&smimeCaps, + ...} + + -- + -- + -- + + -- Algorithm Identifiers + + -- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) + -- us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } + + id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 } + + id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 } + + id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 } + + id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 } + + des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } + + rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) encryptionAlgorithm(3) 2 } + + hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) 8 1 2 } + + id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-5(5) 12 } + + + + +Hoffman & Schaad Informational [Page 16] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + -- Algorithm Identifier Parameter Types + + KeyWrapAlgorithm ::= + AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }} + + RC2wrapParameter ::= RC2ParameterVersion + RC2ParameterVersion ::= INTEGER + + CBCParameter ::= IV + + IV ::= OCTET STRING -- exactly 8 octets + + RC2CBCParameter ::= SEQUENCE { + rc2ParameterVersion INTEGER (1..256), + iv OCTET STRING } -- exactly 8 octets + + maca-hMAC-SHA1 MAC-ALGORITHM ::= { + IDENTIFIER hMAC-SHA1 + PARAMS TYPE NULL ARE preferredAbsent + IS-KEYED-MAC TRUE + SMIME-CAPS {IDENTIFIED BY hMAC-SHA1} + } + + PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM, + {PBKDF2-PRFs} } + + alg-hMAC-SHA1 ALGORITHM ::= + { IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required } + + PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... } + + PBKDF2-SaltSources ALGORITHM ::= { ... } + + PBKDF2-SaltSourcesAlgorithmIdentifier ::= + AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}} + + defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::= + { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL } + + PBKDF2-params ::= SEQUENCE { + salt CHOICE { + specified OCTET STRING, + otherSource PBKDF2-SaltSourcesAlgorithmIdentifier }, + iterationCount INTEGER (1..MAX), + keyLength INTEGER (1..MAX) OPTIONAL, + prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT + defaultPBKDF2 + } + + + +Hoffman & Schaad Informational [Page 17] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + -- + -- This object is included for completeness. It should not be used + -- for encoding of signatures, but was sometimes used in older + -- versions of CMS for encoding of RSA signatures. + -- + -- + -- sa-rsa SIGNATURE-ALGORITHM ::= { + -- IDENTIFIER rsaEncryption + -- - - value is not ASN.1 encoded + -- PARAMS TYPE NULL ARE required + -- HASHES {mda-sha1 | mda-md5, ...} + -- PUBLIC-KEYS { pk-rsa} + -- } + -- + -- No ASN.1 encoding is applied to the signature value + -- for these items + + kaa-esdh KEY-AGREE ::= { + IDENTIFIER id-alg-ESDH + PARAMS TYPE KeyWrapAlgorithm ARE required + PUBLIC-KEYS { pk-dh } + -- UKM is not ASN.1 encoded + UKM ARE optional + SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH} + } + + kaa-ssdh KEY-AGREE ::= { + IDENTIFIER id-alg-SSDH + PARAMS TYPE KeyWrapAlgorithm ARE required + PUBLIC-KEYS {pk-dh} + -- UKM is not ASN.1 encoded + UKM ARE optional + SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH} + } + + dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber + + pk-originator-dh PUBLIC-KEY ::= { + IDENTIFIER dh-public-number + KEY DHPublicKey + PARAMS ARE absent + CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly} + } + + kwa-3DESWrap KEY-WRAP ::= { + IDENTIFIER id-alg-CMS3DESwrap + PARAMS TYPE NULL ARE required + SMIME-CAPS {IDENTIFIED BY id-alg-CMS3DESwrap} + + + +Hoffman & Schaad Informational [Page 18] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + } + + kwa-RC2Wrap KEY-WRAP ::= { + IDENTIFIER id-alg-CMSRC2wrap + PARAMS TYPE RC2wrapParameter ARE required + SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap } + } + + kda-PBKDF2 KEY-DERIVATION ::= { + IDENTIFIER id-PBKDF2 + PARAMS TYPE PBKDF2-params ARE required + -- No S/MIME caps defined + } + + cea-3DES-cbc CONTENT-ENCRYPTION ::= { + IDENTIFIER des-ede3-cbc + PARAMS TYPE IV ARE required + SMIME-CAPS { IDENTIFIED BY des-ede3-cbc } + } + + cea-RC2-cbc CONTENT-ENCRYPTION ::= { + IDENTIFIER rc2-cbc + PARAMS TYPE RC2CBCParameter ARE required + SMIME-CAPS cap-RC2CBC + } + + kt-rsa KEY-TRANSPORT ::= { + IDENTIFIER rsaEncryption + PARAMS TYPE NULL ARE required + PUBLIC-KEYS { pk-rsa } + SMIME-CAPS {IDENTIFIED BY rsaEncryption} + } + + -- S/MIME Capabilities - most have no label. + + cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap } + + END + + + + + + + + + + + + + +Hoffman & Schaad Informational [Page 19] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +4. ASN.1 Module for RFC 3565 + + CMSAesRsaesOaep-2009 {iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38)} + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)}; + + AES-ContentEncryption CONTENT-ENCRYPTION ::= { + cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ... + } + + AES-KeyWrap KEY-WRAP ::= { + kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ... + } + + SMimeCaps SMIME-CAPS ::= { + cea-aes128-cbc.&smimeCaps | + cea-aes192-cbc.&smimeCaps | + cea-aes256-cbc.&smimeCaps | + kwa-aes128-wrap.&smimeCaps | + kwa-aes192-wrap.&smimeCaps | + kwa-aes256-wrap.&smimeCaps, ... + } + + -- AES information object identifiers -- + + aes OBJECT IDENTIFIER ::= + { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) + csor(3) nistAlgorithms(4) 1 } + + -- AES using CBC mode for key sizes of 128, 192, 256 + + cea-aes128-cbc CONTENT-ENCRYPTION ::= { + IDENTIFIER id-aes128-CBC + PARAMS TYPE AES-IV ARE required + SMIME-CAPS { IDENTIFIED BY id-aes128-CBC } + } + id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 } + + cea-aes192-cbc CONTENT-ENCRYPTION ::= { + IDENTIFIER id-aes192-CBC + + + +Hoffman & Schaad Informational [Page 20] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + PARAMS TYPE AES-IV ARE required + SMIME-CAPS { IDENTIFIED BY id-aes192-CBC } + } + id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 } + + cea-aes256-cbc CONTENT-ENCRYPTION ::= { + IDENTIFIER id-aes256-CBC + PARAMS TYPE AES-IV ARE required + SMIME-CAPS { IDENTIFIED BY id-aes256-CBC } + } + id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 } + + -- AES-IV is the parameter for all the above object identifiers. + + AES-IV ::= OCTET STRING (SIZE(16)) + + -- AES Key Wrap Algorithm Identifiers - Parameter is absent + + kwa-aes128-wrap KEY-WRAP ::= { + IDENTIFIER id-aes128-wrap + PARAMS ARE absent + SMIME-CAPS { IDENTIFIED BY id-aes128-wrap } + } + id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 } + + kwa-aes192-wrap KEY-WRAP ::= { + IDENTIFIER id-aes192-wrap + PARAMS ARE absent + SMIME-CAPS { IDENTIFIED BY id-aes192-wrap } + } + id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 } + + kwa-aes256-wrap KEY-WRAP ::= { + IDENTIFIER id-aes256-wrap + PARAMS ARE absent + SMIME-CAPS { IDENTIFIED BY id-aes256-wrap } + } + id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 } + + END + + + + + + + + + + + +Hoffman & Schaad Informational [Page 21] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +5. ASN.1 Module for RFC 3851 + + SecureMimeMessageV3dot1-2009 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-msg-v3dot1-02(39)} + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + SMIME-CAPS, SMIMECapabilities{} + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + ATTRIBUTE + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} + + SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier + FROM CryptographicMessageSyntax-2009 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-2004-02(41)} + + rc2-cbc, SMimeCaps + FROM CryptographicMessageSyntaxAlgorithms-2009 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cmsalg-2001-02(37)} + + SMimeCaps + FROM PKIXAlgs-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms2008-02(56)} + + SMimeCaps + FROM PKIX1-PSS-OAEP-Algorithms-2009 + {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-rsa-pkalgs-02(54)}; + + SMimeAttributeSet ATTRIBUTE ::= + { aa-smimeCapabilities | aa-encrypKeyPref, ... } + + -- id-aa is the arc with all new authenticated and unauthenticated + -- attributes produced by the S/MIME Working Group + + + + +Hoffman & Schaad Informational [Page 22] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + id-aa OBJECT IDENTIFIER ::= + { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) attributes(2)} + + -- The S/MIME Capabilities attribute provides a method of broadcasting + -- the symmetric capabilities understood. Algorithms SHOULD be ordered + -- by preference and grouped by type + + aa-smimeCapabilities ATTRIBUTE ::= + { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY + smimeCapabilities } + smimeCapabilities OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + 15 } + + SMimeCapsSet SMIME-CAPS ::= + { cap-preferBinaryInside | cap-RC2CBC | + PKIXAlgs-2009.SMimeCaps | + CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps | + PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... } + + -- Encryption Key Preference provides a method of broadcasting the + -- preferred encryption certificate. + + aa-encrypKeyPref ATTRIBUTE ::= + { TYPE SMIMEEncryptionKeyPreference + IDENTIFIED BY id-aa-encrypKeyPref } + + id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11} + + SMIMEEncryptionKeyPreference ::= CHOICE { + issuerAndSerialNumber [0] IssuerAndSerialNumber, + receipentKeyId [1] RecipientKeyIdentifier, + subjectAltKeyIdentifier [2] SubjectKeyIdentifier + } + + -- receipentKeyId is spelt incorrectly, but kept for historical + -- reasons. + + id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } + + id-cap OBJECT IDENTIFIER ::= { id-smime 11 } + + -- The preferBinaryInside indicates an ability to receive messages + -- with binary encoding inside the CMS wrapper + + cap-preferBinaryInside SMIME-CAPS ::= + + + +Hoffman & Schaad Informational [Page 23] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside } + + id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 } + + -- The following list OIDs to be used with S/MIME V3 + + -- Signature Algorithms Not Found in [RFC3370] + -- + -- md2WithRSAEncryption OBJECT IDENTIFIER ::= + -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) + -- 2} + -- + -- Other Signed Attributes + -- + -- signingTime OBJECT IDENTIFIER ::= + -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + -- 5} + -- See [RFC5652] for a description of how to encode the attribute + -- value. + + cap-RC2CBC SMIME-CAPS ::= + { TYPE SMIMECapabilitiesParametersForRC2CBC + IDENTIFIED BY rc2-cbc} + + SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...) + -- (RC2 Key Length (number of bits)) + + END + +6. ASN.1 Module for RFC 3852 + + This module has an ASN.1 idiom for noting in which version of CMS + changes were made from the original PKCS #7; that idiom is "[[v:", + where "v" is an integer. For example: + + RevocationInfoChoice ::= CHOICE { + crl CertificateList, + ..., + [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } + + Similarly, this module adds the ASN.1 idiom for extensibility (the + "...,") in all places that have been extended in the past. See the + example above. + + CryptographicMessageSyntax-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } + DEFINITIONS IMPLICIT TAGS ::= + + + +Hoffman & Schaad Informational [Page 24] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + BEGIN + IMPORTS + + ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, + PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, + KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, + AlgorithmIdentifier + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs, + MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs, + KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys + FROM CryptographicMessageSyntaxAlgorithms-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cmsalg-2001-02(37) } + + Certificate, CertificateList, CertificateSerialNumber, + Name, ATTRIBUTE + FROM PKIX1Explicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-explicit-02(51) } + + AttributeCertificate + FROM PKIXAttributeCertificate-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-attribute-cert-02(47) } + + AttributeCertificateV1 + FROM AttributeCertificateVersion1-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-v1AttrCert-02(49) } ; + + -- Cryptographic Message Syntax + + -- The following are used for version numbers using the ASN.1 + -- idiom "[[n:" + -- Version 1 = PKCS #7 + -- Version 2 = S/MIME V2 + -- Version 3 = RFC 2630 + -- Version 4 = RFC 3369 + -- Version 5 = RFC 3852 + + CONTENT-TYPE ::= TYPE-IDENTIFIER + ContentType ::= CONTENT-TYPE.&id + + + +Hoffman & Schaad Informational [Page 25] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + ContentInfo ::= SEQUENCE { + contentType CONTENT-TYPE. + &id({ContentSet}), + content [0] EXPLICIT CONTENT-TYPE. + &Type({ContentSet}{@contentType})} + + ContentSet CONTENT-TYPE ::= { + -- Define the set of content types to be recognized. + ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData | + ct-AuthenticatedData | ct-DigestedData, ... } + + SignedData ::= SEQUENCE { + version CMSVersion, + digestAlgorithms SET OF DigestAlgorithmIdentifier, + encapContentInfo EncapsulatedContentInfo, + certificates [0] IMPLICIT CertificateSet OPTIONAL, + crls [1] IMPLICIT RevocationInfoChoices OPTIONAL, + signerInfos SignerInfos } + + SignerInfos ::= SET OF SignerInfo + + EncapsulatedContentInfo ::= SEQUENCE { + eContentType CONTENT-TYPE.&id({ContentSet}), + eContent [0] EXPLICIT OCTET STRING + ( CONTAINING CONTENT-TYPE. + &Type({ContentSet}{@eContentType})) OPTIONAL } + + SignerInfo ::= SEQUENCE { + version CMSVersion, + sid SignerIdentifier, + digestAlgorithm DigestAlgorithmIdentifier, + signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL, + signatureAlgorithm SignatureAlgorithmIdentifier, + signature SignatureValue, + unsignedAttrs [1] IMPLICIT Attributes + {{UnsignedAttributes}} OPTIONAL } + + SignedAttributes ::= Attributes {{ SignedAttributesSet }} + + SignerIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + ..., + [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] } + + SignedAttributesSet ATTRIBUTE ::= + { aa-signingTime | aa-messageDigest | aa-contentType, ... } + + UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... } + + + +Hoffman & Schaad Informational [Page 26] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + SignatureValue ::= OCTET STRING + + EnvelopedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + encryptedContentInfo EncryptedContentInfo, + ..., + [[2: unprotectedAttrs [1] IMPLICIT Attributes + {{ UnprotectedAttributes }} OPTIONAL ]] } + + OriginatorInfo ::= SEQUENCE { + certs [0] IMPLICIT CertificateSet OPTIONAL, + crls [1] IMPLICIT RevocationInfoChoices OPTIONAL } + + RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo + + EncryptedContentInfo ::= SEQUENCE { + contentType CONTENT-TYPE.&id({ContentSet}), + contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, + encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL } + + -- If you want to do constraints, you might use: + -- EncryptedContentInfo ::= SEQUENCE { + -- contentType CONTENT-TYPE.&id({ContentSet}), + -- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, + -- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE. + -- &Type({ContentSet}{@contentType}) OPTIONAL } + -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY + -- { ToBeEncrypted } ) + + UnprotectedAttributes ATTRIBUTE ::= { ... } + + RecipientInfo ::= CHOICE { + ktri KeyTransRecipientInfo, + ..., + [[3: kari [1] KeyAgreeRecipientInfo ]], + [[4: kekri [2] KEKRecipientInfo]], + [[5: pwri [3] PasswordRecipientInfo, + ori [4] OtherRecipientInfo ]] } + + EncryptedKey ::= OCTET STRING + + KeyTransRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 or 2 + rid RecipientIdentifier, + keyEncryptionAlgorithm AlgorithmIdentifier + {KEY-TRANSPORT, {KeyTransportAlgorithmSet}}, + + + +Hoffman & Schaad Informational [Page 27] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + encryptedKey EncryptedKey } + + KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... } + + RecipientIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + ..., + [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] } + KeyAgreeRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 3 + originator [0] EXPLICIT OriginatorIdentifierOrKey, + ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL, + keyEncryptionAlgorithm AlgorithmIdentifier + {KEY-AGREE, {KeyAgreementAlgorithmSet}}, + recipientEncryptedKeys RecipientEncryptedKeys } + + KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... } + + OriginatorIdentifierOrKey ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + subjectKeyIdentifier [0] SubjectKeyIdentifier, + originatorKey [1] OriginatorPublicKey } + + OriginatorPublicKey ::= SEQUENCE { + algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}}, + publicKey BIT STRING } + + OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... } + + RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey + + RecipientEncryptedKey ::= SEQUENCE { + rid KeyAgreeRecipientIdentifier, + encryptedKey EncryptedKey } + + KeyAgreeRecipientIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + rKeyId [0] IMPLICIT RecipientKeyIdentifier } + + RecipientKeyIdentifier ::= SEQUENCE { + subjectKeyIdentifier SubjectKeyIdentifier, + date GeneralizedTime OPTIONAL, + other OtherKeyAttribute OPTIONAL } + + SubjectKeyIdentifier ::= OCTET STRING + + KEKRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 4 + + + +Hoffman & Schaad Informational [Page 28] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + kekid KEKIdentifier, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + encryptedKey EncryptedKey } + + KEKIdentifier ::= SEQUENCE { + keyIdentifier OCTET STRING, + date GeneralizedTime OPTIONAL, + other OtherKeyAttribute OPTIONAL } + PasswordRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 + keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier + OPTIONAL, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + encryptedKey EncryptedKey } + + OTHER-RECIPIENT ::= TYPE-IDENTIFIER + + OtherRecipientInfo ::= SEQUENCE { + oriType OTHER-RECIPIENT. + &id({SupportedOtherRecipInfo}), + oriValue OTHER-RECIPIENT. + &Type({SupportedOtherRecipInfo}{@oriType})} + + SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... } + + DigestedData ::= SEQUENCE { + version CMSVersion, + digestAlgorithm DigestAlgorithmIdentifier, + encapContentInfo EncapsulatedContentInfo, + digest Digest, ... } + + Digest ::= OCTET STRING + + EncryptedData ::= SEQUENCE { + version CMSVersion, + encryptedContentInfo EncryptedContentInfo, + ..., + [[2: unprotectedAttrs [1] IMPLICIT Attributes + {{UnprotectedAttributes}} OPTIONAL ]] } + + AuthenticatedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + macAlgorithm MessageAuthenticationCodeAlgorithm, + digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL, + encapContentInfo EncapsulatedContentInfo, + authAttrs [2] IMPLICIT AuthAttributes OPTIONAL, + + + +Hoffman & Schaad Informational [Page 29] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + mac MessageAuthenticationCode, + unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL } + + AuthAttributes ::= SET SIZE (1..MAX) OF Attribute + {{AuthAttributeSet}} + + AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest + | aa-signingTime, ...} + MessageAuthenticationCode ::= OCTET STRING + + UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute + {{UnauthAttributeSet}} + + UnauthAttributeSet ATTRIBUTE ::= {...} + + -- + -- General algorithm definitions + -- + + DigestAlgorithmIdentifier ::= AlgorithmIdentifier + {DIGEST-ALGORITHM, {DigestAlgorithmSet}} + + DigestAlgorithmSet DIGEST-ALGORITHM ::= { + CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... } + + SignatureAlgorithmIdentifier ::= AlgorithmIdentifier + {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}} + + SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= + { SignatureAlgs, ... } + + KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier + {KEY-WRAP, {KeyEncryptionAlgorithmSet}} + + KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... } + + ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier + {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}} + + ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= + { ContentEncryptionAlgs, ... } + + MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier + {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}} + + MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::= + { MessageAuthAlgs, ... } + + + + +Hoffman & Schaad Informational [Page 30] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier + {KEY-DERIVATION, {KeyDerivationAlgs, ...}} + + RevocationInfoChoices ::= SET OF RevocationInfoChoice + + RevocationInfoChoice ::= CHOICE { + crl CertificateList, + ..., + [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } + + OTHER-REVOK-INFO ::= TYPE-IDENTIFIER + + OtherRevocationInfoFormat ::= SEQUENCE { + otherRevInfoFormat OTHER-REVOK-INFO. + &id({SupportedOtherRevokInfo}), + otherRevInfo OTHER-REVOK-INFO. + &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})} + + SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... } + + CertificateChoices ::= CHOICE { + certificate Certificate, + extendedCertificate [0] IMPLICIT ExtendedCertificate, + -- Obsolete + ..., + [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]], + -- Obsolete + [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]], + [[5: other [3] IMPLICIT OtherCertificateFormat]] } + + AttributeCertificateV2 ::= AttributeCertificate + + OTHER-CERT-FMT ::= TYPE-IDENTIFIER + + OtherCertificateFormat ::= SEQUENCE { + otherCertFormat OTHER-CERT-FMT. + &id({SupportedCertFormats}), + otherCert OTHER-CERT-FMT. + &Type({SupportedCertFormats}{@otherCertFormat})} + + SupportedCertFormats OTHER-CERT-FMT ::= { ... } + + CertificateSet ::= SET OF CertificateChoices + + IssuerAndSerialNumber ::= SEQUENCE { + issuer Name, + serialNumber CertificateSerialNumber } + + + + +Hoffman & Schaad Informational [Page 31] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) } + + UserKeyingMaterial ::= OCTET STRING + + KEY-ATTRIBUTE ::= TYPE-IDENTIFIER + + OtherKeyAttribute ::= SEQUENCE { + keyAttrId KEY-ATTRIBUTE. + + &id({SupportedKeyAttributes}), + keyAttr KEY-ATTRIBUTE. + &Type({SupportedKeyAttributes}{@keyAttrId})} + + SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... } + + -- Content Type Object Identifiers + + id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 } + + ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data} + + id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 } + + ct-SignedData CONTENT-TYPE ::= + { SignedData IDENTIFIED BY id-signedData} + + id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 } + + ct-EnvelopedData CONTENT-TYPE ::= + { EnvelopedData IDENTIFIED BY id-envelopedData} + + id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 } + + ct-DigestedData CONTENT-TYPE ::= + { DigestedData IDENTIFIED BY id-digestedData} + + id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 } + + ct-EncryptedData CONTENT-TYPE ::= + { EncryptedData IDENTIFIED BY id-encryptedData} + + id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 } + + + +Hoffman & Schaad Informational [Page 32] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + ct-AuthenticatedData CONTENT-TYPE ::= + { AuthenticatedData IDENTIFIED BY id-ct-authData} + + id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 } + + -- + -- The CMS Attributes + -- + + MessageDigest ::= OCTET STRING + + SigningTime ::= Time + + Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } + + Countersignature ::= SignerInfo + + -- Attribute Object Identifiers + + aa-contentType ATTRIBUTE ::= + { TYPE ContentType IDENTIFIED BY id-contentType } + id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } + + aa-messageDigest ATTRIBUTE ::= + { TYPE MessageDigest IDENTIFIED BY id-messageDigest} + id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 } + + aa-signingTime ATTRIBUTE ::= + { TYPE SigningTime IDENTIFIED BY id-signingTime } + id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } + + aa-countersignature ATTRIBUTE ::= + { TYPE Countersignature IDENTIFIED BY id-countersignature } + id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } + + -- + -- Obsolete Extended Certificate syntax from PKCS#6 + -- + + ExtendedCertificateOrCertificate ::= CHOICE { + certificate Certificate, + + + +Hoffman & Schaad Informational [Page 33] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + extendedCertificate [0] IMPLICIT ExtendedCertificate } + + ExtendedCertificate ::= SEQUENCE { + extendedCertificateInfo ExtendedCertificateInfo, + signatureAlgorithm SignatureAlgorithmIdentifier, + signature Signature } + + ExtendedCertificateInfo ::= SEQUENCE { + version CMSVersion, + certificate Certificate, + attributes UnauthAttributes } + + Signature ::= BIT STRING + + Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE { + attrType ATTRIBUTE. + &id({AttrList}), + attrValues SET OF ATTRIBUTE. + &Type({AttrList}{@attrType}) } + + Attributes { ATTRIBUTE:AttrList } ::= + SET SIZE (1..MAX) OF Attribute {{ AttrList }} + + END + +7. ASN.1 Module for RFC 4108 + + CMSFirmwareWrapper-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + OTHER-NAME + FROM PKIX1Implicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } + + EnvelopedData, CONTENT-TYPE, ATTRIBUTE + FROM CryptographicMessageSyntax-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-2004-02(41) }; + + FirmwareContentTypes CONTENT-TYPE ::= { + ct-firmwarePackage | ct-firmwareLoadReceipt | + ct-firmwareLoadError,... } + + + + +Hoffman & Schaad Informational [Page 34] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + FirmwareSignedAttrs ATTRIBUTE ::= { + aa-firmwarePackageID | aa-targetHardwareIDs | + aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs | + aa-communityIdentifiers | aa-firmwarePackageInfo,... } + FirmwareUnsignedAttrs ATTRIBUTE ::= { + aa-wrappedFirmwareKey, ... } + + FirmwareOtherNames OTHER-NAME ::= { + on-hardwareModuleName, ... } + + -- Firmware Package Content Type and Object Identifier + + ct-firmwarePackage CONTENT-TYPE ::= + { FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage } + + id-ct-firmwarePackage OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) ct(1) 16 } + + FirmwarePkgData ::= OCTET STRING + + -- Firmware Package Signed Attributes and Object Identifiers + + aa-firmwarePackageID ATTRIBUTE ::= + { TYPE FirmwarePackageIdentifier IDENTIFIED BY + id-aa-firmwarePackageID } + + id-aa-firmwarePackageID OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 35 } + + FirmwarePackageIdentifier ::= SEQUENCE { + name PreferredOrLegacyPackageIdentifier, + stale PreferredOrLegacyStalePackageIdentifier OPTIONAL } + + PreferredOrLegacyPackageIdentifier ::= CHOICE { + preferred PreferredPackageIdentifier, + legacy OCTET STRING } + + PreferredPackageIdentifier ::= SEQUENCE { + fwPkgID OBJECT IDENTIFIER, + verNum INTEGER (0..MAX) } + + PreferredOrLegacyStalePackageIdentifier ::= CHOICE { + preferredStaleVerNum INTEGER (0..MAX), + legacyStaleVersion OCTET STRING } + + aa-targetHardwareIDs ATTRIBUTE ::= + + + +Hoffman & Schaad Informational [Page 35] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + { TYPE TargetHardwareIdentifiers IDENTIFIED BY + id-aa-targetHardwareIDs } + + id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 36 } + + TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER + + aa-decryptKeyID ATTRIBUTE ::= + { TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID} + + id-aa-decryptKeyID OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 37 } + + DecryptKeyIdentifier ::= OCTET STRING + + aa-implCryptoAlgs ATTRIBUTE ::= + { TYPE ImplementedCryptoAlgorithms IDENTIFIED BY + id-aa-implCryptoAlgs } + + id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 38 } + + ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER + + aa-implCompressAlgs ATTRIBUTE ::= + { TYPE ImplementedCompressAlgorithms IDENTIFIED BY + id-aa-implCompressAlgs } + + id-aa-implCompressAlgs OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 43 } + + ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER + + aa-communityIdentifiers ATTRIBUTE ::= + { TYPE CommunityIdentifiers IDENTIFIED BY + id-aa-communityIdentifiers } + + id-aa-communityIdentifiers OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 40 } + + CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier + + + + +Hoffman & Schaad Informational [Page 36] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + CommunityIdentifier ::= CHOICE { + communityOID OBJECT IDENTIFIER, + hwModuleList HardwareModules } + HardwareModules ::= SEQUENCE { + hwType OBJECT IDENTIFIER, + hwSerialEntries SEQUENCE OF HardwareSerialEntry } + + HardwareSerialEntry ::= CHOICE { + all NULL, + single OCTET STRING, + block SEQUENCE { + low OCTET STRING, + high OCTET STRING + } + } + + aa-firmwarePackageInfo ATTRIBUTE ::= + { TYPE FirmwarePackageInfo IDENTIFIED BY + id-aa-firmwarePackageInfo } + id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 42 } + + FirmwarePackageInfo ::= SEQUENCE { + fwPkgType INTEGER OPTIONAL, + dependencies SEQUENCE OF + PreferredOrLegacyPackageIdentifier OPTIONAL } + + -- Firmware Package Unsigned Attributes and Object Identifiers + + aa-wrappedFirmwareKey ATTRIBUTE ::= + { TYPE WrappedFirmwareKey IDENTIFIED BY + id-aa-wrappedFirmwareKey } + id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 39 } + + WrappedFirmwareKey ::= EnvelopedData + + -- Firmware Package Load Receipt Content Type and Object Identifier + + ct-firmwareLoadReceipt CONTENT-TYPE ::= + { FirmwarePackageLoadReceipt IDENTIFIED BY + id-ct-firmwareLoadReceipt } + id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) ct(1) 17 } + + + + +Hoffman & Schaad Informational [Page 37] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + FirmwarePackageLoadReceipt ::= SEQUENCE { + version FWReceiptVersion DEFAULT v1, + hwType OBJECT IDENTIFIER, + hwSerialNum OCTET STRING, + fwPkgName PreferredOrLegacyPackageIdentifier, + trustAnchorKeyID OCTET STRING OPTIONAL, + decryptKeyID [1] OCTET STRING OPTIONAL } + + FWReceiptVersion ::= INTEGER { v1(1) } + + -- Firmware Package Load Error Report Content Type + -- and Object Identifier + + ct-firmwareLoadError CONTENT-TYPE ::= + { FirmwarePackageLoadError + IDENTIFIED BY id-ct-firmwareLoadError } + id-ct-firmwareLoadError OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) ct(1) 18 } + + FirmwarePackageLoadError ::= SEQUENCE { + version FWErrorVersion DEFAULT v1, + hwType OBJECT IDENTIFIER, + hwSerialNum OCTET STRING, + errorCode FirmwarePackageLoadErrorCode, + vendorErrorCode VendorLoadErrorCode OPTIONAL, + fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL, + config [1] SEQUENCE OF CurrentFWConfig OPTIONAL } + + FWErrorVersion ::= INTEGER { v1(1) } + + CurrentFWConfig ::= SEQUENCE { + fwPkgType INTEGER OPTIONAL, + fwPkgName PreferredOrLegacyPackageIdentifier } + + FirmwarePackageLoadErrorCode ::= ENUMERATED { + decodeFailure (1), + badContentInfo (2), + badSignedData (3), + badEncapContent (4), + badCertificate (5), + badSignerInfo (6), + badSignedAttrs (7), + badUnsignedAttrs (8), + missingContent (9), + noTrustAnchor (10), + notAuthorized (11), + badDigestAlgorithm (12), + + + +Hoffman & Schaad Informational [Page 38] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + badSignatureAlgorithm (13), + unsupportedKeySize (14), + signatureFailure (15), + contentTypeMismatch (16), + badEncryptedData (17), + unprotectedAttrsPresent (18), + badEncryptContent (19), + badEncryptAlgorithm (20), + missingCiphertext (21), + noDecryptKey (22), + decryptFailure (23), + badCompressAlgorithm (24), + missingCompressedContent (25), + decompressFailure (26), + wrongHardware (27), + stalePackage (28), + notInCommunity (29), + unsupportedPackageType (30), + missingDependency (31), + wrongDependencyVersion (32), + insufficientMemory (33), + badFirmware (34), + unsupportedParameters (35), + breaksDependency (36), + otherError (99) } + + VendorLoadErrorCode ::= INTEGER + + -- Other Name syntax for Hardware Module Name + + on-hardwareModuleName OTHER-NAME ::= + { HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName } + id-on-hardwareModuleName OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) on(8) 4 } + + HardwareModuleName ::= SEQUENCE { + hwType OBJECT IDENTIFIER, + hwSerialNum OCTET STRING } + + END + + + + + + + + + + +Hoffman & Schaad Informational [Page 39] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +8. ASN.1 Module for RFC 4998 + + ERS {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1) + id-mod-ers-v1(1) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + AttributeSet{}, ATTRIBUTE + FROM PKIX-CommonTypes + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } + + AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + ContentInfo + FROM CryptographicMessageSyntax2004 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } ; + + aa-er-Internal ATTRIBUTE ::= + { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal } + id-aa-er-internal OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 49 } + + aa-er-External ATTRIBUTE ::= + { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external } + id-aa-er-external OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 50 } + + ltans OBJECT IDENTIFIER ::= + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) ltans(11) } + + EvidenceRecord ::= SEQUENCE { + version INTEGER { v1(1) } , + digestAlgorithms SEQUENCE OF AlgorithmIdentifier + {DIGEST-ALGORITHM, {...}}, + cryptoInfos [0] CryptoInfos OPTIONAL, + encryptionInfo [1] EncryptionInfo OPTIONAL, + archiveTimeStampSequence ArchiveTimeStampSequence + + + +Hoffman & Schaad Informational [Page 40] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + } + + CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}} + + ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain + ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp + + ArchiveTimeStamp ::= SEQUENCE { + digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}} + OPTIONAL, + attributes [1] Attributes OPTIONAL, + reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL, + timeStamp ContentInfo + } + + PartialHashtree ::= SEQUENCE OF OCTET STRING + + Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}} + + EncryptionInfo ::= SEQUENCE { + encryptionInfoType ENCINFO-TYPE. + &id({SupportedEncryptionAlgorithms}), + encryptionInfoValue ENCINFO-TYPE. + &Type({SupportedEncryptionAlgorithms} + {@encryptionInfoType}) + } + + ENCINFO-TYPE ::= TYPE-IDENTIFIER + + SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...} + + END + +9. ASN.1 Module for RFC 5035 + + Section numbers in the module refer to the sections of RFC 2634 as + updated by RFC 5035. + + ExtendedSecurityServices-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-ess-2006-02(42) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{} + FROM PKIX-CommonTypes-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + + + +Hoffman & Schaad Informational [Page 41] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } + + AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier, + CONTENT-TYPE + FROM CryptographicMessageSyntax-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-2004-02(41) } + + CertificateSerialNumber + FROM PKIX1Explicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } + + PolicyInformation, GeneralNames + FROM PKIX1Implicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} + + mda-sha256 + FROM PKIX1-PSS-OAEP-Algorithms-2009 + { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-rsa-pkalgs-02(54) } ; + + EssSignedAttributes ATTRIBUTE ::= { + aa-receiptRequest | aa-contentIdentifier | aa-contentHint | + aa-msgSigDigest | aa-contentReference | aa-securityLabel | + aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate | + aa-signingCertificateV2, ... } + + EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... } + + -- Extended Security Services + -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 + -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or + -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE + -- to have at least one entry. MAX indicates the upper bound is + -- unspecified. Implementations are free to choose an upper bound + -- that suits their environment. + + -- Section 2.7 + + + + +Hoffman & Schaad Informational [Page 42] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + aa-receiptRequest ATTRIBUTE ::= + { TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest} + + ReceiptRequest ::= SEQUENCE { + signedContentIdentifier ContentIdentifier, + receiptsFrom ReceiptsFrom, + receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames + } + + ub-receiptsTo INTEGER ::= 16 + + aa-contentIdentifier ATTRIBUTE ::= + { TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier} + id-aa-receiptRequest OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 1} + + ContentIdentifier ::= OCTET STRING + + id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7} + + ct-receipt CONTENT-TYPE ::= + { Receipt IDENTIFIED BY id-ct-receipt } + id-ct-receipt OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-ct(1) 1} + + ReceiptsFrom ::= CHOICE { + allOrFirstTier [0] AllOrFirstTier, + -- formerly "allOrNone [0]AllOrNone" + receiptList [1] SEQUENCE OF GeneralNames } + + AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone + allReceipts (0), + firstTierRecipients (1) } + + -- Section 2.8 + + Receipt ::= SEQUENCE { + version ESSVersion, + contentType ContentType, + signedContentIdentifier ContentIdentifier, + originatorSignatureValue OCTET STRING + } + + ESSVersion ::= INTEGER { v1(1) } + + + + +Hoffman & Schaad Informational [Page 43] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + -- Section 2.9 + + aa-contentHint ATTRIBUTE ::= + { TYPE ContentHints IDENTIFIED BY id-aa-contentHint } + id-aa-contentHint OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 4} + + ContentHints ::= SEQUENCE { + contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL, + contentType ContentType } + + -- Section 2.10 + + aa-msgSigDigest ATTRIBUTE ::= + { TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest } + id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5} + + MsgSigDigest ::= OCTET STRING + + -- Section 2.11 + + aa-contentReference ATTRIBUTE ::= + { TYPE ContentReference IDENTIFIED BY id-aa-contentReference } + id-aa-contentReference OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 10 } + + ContentReference ::= SEQUENCE { + contentType ContentType, + signedContentIdentifier ContentIdentifier, + originatorSignatureValue OCTET STRING } + + -- Section 3.2 + + aa-securityLabel ATTRIBUTE ::= + { TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel } + id-aa-securityLabel OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 2} + + ESSSecurityLabel ::= SET { + security-policy-identifier SecurityPolicyIdentifier, + security-classification SecurityClassification OPTIONAL, + privacy-mark ESSPrivacyMark OPTIONAL, + security-categories SecurityCategories OPTIONAL } + + + + +Hoffman & Schaad Informational [Page 44] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + SecurityPolicyIdentifier ::= OBJECT IDENTIFIER + + SecurityClassification ::= INTEGER { + unmarked (0), + unclassified (1), + restricted (2), + confidential (3), + secret (4), + top-secret (5) + } (0..ub-integer-options) + + ub-integer-options INTEGER ::= 256 + + ESSPrivacyMark ::= CHOICE { + pString PrintableString (SIZE (1..ub-privacy-mark-length)), + utf8String UTF8String (SIZE (1..MAX)) + } + + ub-privacy-mark-length INTEGER ::= 128 + + SecurityCategories ::= + SET SIZE (1..ub-security-categories) OF SecurityCategory + {{SupportedSecurityCategories}} + + ub-security-categories INTEGER ::= 64 + + SupportedSecurityCategories SECURITY-CATEGORY ::= { ... } + + -- Section 3.4 + + aa-equivalentLabels ATTRIBUTE ::= + { TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels } + id-aa-equivalentLabels OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 9} + + EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel + + -- Section 4.4 + + aa-mlExpandHistory ATTRIBUTE ::= + { TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory } + id-aa-mlExpandHistory OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 3 } + + MLExpansionHistory ::= SEQUENCE + SIZE (1..ub-ml-expansion-history) OF MLData + + + +Hoffman & Schaad Informational [Page 45] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + ub-ml-expansion-history INTEGER ::= 64 + + MLData ::= SEQUENCE { + mailListIdentifier EntityIdentifier, + expansionTime GeneralizedTime, + mlReceiptPolicy MLReceiptPolicy OPTIONAL } + + EntityIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + subjectKeyIdentifier SubjectKeyIdentifier } + + MLReceiptPolicy ::= CHOICE { + none [0] NULL, + insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames, + inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames } + + -- Section 5.4 + + aa-signingCertificate ATTRIBUTE ::= + { TYPE SigningCertificate IDENTIFIED BY + id-aa-signingCertificate } + id-aa-signingCertificate OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 12 } + + SigningCertificate ::= SEQUENCE { + certs SEQUENCE OF ESSCertID, + policies SEQUENCE OF PolicyInformation OPTIONAL + } + + aa-signingCertificateV2 ATTRIBUTE ::= + { TYPE SigningCertificateV2 IDENTIFIED BY + id-aa-signingCertificateV2 } + id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 47 } + + SigningCertificateV2 ::= SEQUENCE { + certs SEQUENCE OF ESSCertIDv2, + policies SEQUENCE OF PolicyInformation OPTIONAL + } + + HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM, + {mda-sha256, ...}} + + ESSCertIDv2 ::= SEQUENCE { + hashAlgorithm HashAlgorithm + DEFAULT { algorithm mda-sha256.&id }, + + + +Hoffman & Schaad Informational [Page 46] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + certHash Hash, + issuerSerial IssuerSerial OPTIONAL + } + ESSCertID ::= SEQUENCE { + certHash Hash, + issuerSerial IssuerSerial OPTIONAL + } + + Hash ::= OCTET STRING + + IssuerSerial ::= SEQUENCE { + issuer GeneralNames, + serialNumber CertificateSerialNumber + } + + END + +10. ASN.1 Module for RFC 5083 + + CMS-AuthEnvelopedData-2009 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-authEnvelopedData-02(43)} + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + AuthAttributes, CMSVersion, EncryptedContentInfo, + MessageAuthenticationCode, OriginatorInfo, RecipientInfos, + UnauthAttributes, CONTENT-TYPE + FROM CryptographicMessageSyntax-2009 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-2004-02(41)} ; + + ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... } + + ct-authEnvelopedData CONTENT-TYPE ::= { + AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData + } + + id-ct-authEnvelopedData OBJECT IDENTIFIER ::= + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) ct(1) 23} + + AuthEnvelopedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + authEncryptedContentInfo EncryptedContentInfo, + + + +Hoffman & Schaad Informational [Page 47] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, + mac MessageAuthenticationCode, + unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL + } + + END + +11. ASN.1 Module for RFC 5084 + + CMS-AES-CCM-and-AES-GCM-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + EXPORTS ALL; + IMPORTS + + CONTENT-ENCRYPTION, SMIME-CAPS + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)}; + + -- Add this algorithm set to include all of the algorithms defined in + -- this document + + ContentEncryptionAlgs CONTENT-ENCRYPTION ::= { + cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM | + cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... } + + SMimeCaps SMIME-CAPS ::= { + cea-aes128-CCM.&smimeCaps | + cea-aes192-CCM.&smimeCaps | + cea-aes256-CCM.&smimeCaps | + cea-aes128-GCM.&smimeCaps | + cea-aes192-GCM.&smimeCaps | + cea-aes256-GCM.&smimeCaps, + ... + } + + -- Defining objects + + aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) + organization(1) gov(101) csor(3) nistAlgorithms(4) 1 } + + cea-aes128-CCM CONTENT-ENCRYPTION ::= { + IDENTIFIER id-aes128-CCM + PARAMS TYPE CCMParameters ARE required + + + +Hoffman & Schaad Informational [Page 48] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + SMIME-CAPS { IDENTIFIED BY id-aes128-CCM } + } + id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 } + + cea-aes192-CCM CONTENT-ENCRYPTION ::= { + IDENTIFIER id-aes192-CCM + PARAMS TYPE CCMParameters ARE required + SMIME-CAPS { IDENTIFIED BY id-aes192-CCM } + } + id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 } + + cea-aes256-CCM CONTENT-ENCRYPTION ::= { + IDENTIFIER id-aes256-CCM + PARAMS TYPE CCMParameters ARE required + SMIME-CAPS { IDENTIFIED BY id-aes256-CCM } + } + id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 } + + cea-aes128-GCM CONTENT-ENCRYPTION ::= { + IDENTIFIER id-aes128-GCM + PARAMS TYPE GCMParameters ARE required + SMIME-CAPS { IDENTIFIED BY id-aes128-GCM } + } + id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 } + + cea-aes192-GCM CONTENT-ENCRYPTION ::= { + IDENTIFIER id-aes128-GCM + PARAMS TYPE GCMParameters ARE required + SMIME-CAPS { IDENTIFIED BY id-aes192-GCM } + } + id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 } + + cea-aes256-GCM CONTENT-ENCRYPTION ::= { + IDENTIFIER id-aes128-GCM + PARAMS TYPE GCMParameters ARE required + SMIME-CAPS { IDENTIFIED BY id-aes256-GCM } + } + id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 } + + -- Parameters for AlgorithmIdentifier + + CCMParameters ::= SEQUENCE { + aes-nonce OCTET STRING (SIZE(7..13)), + aes-ICVlen AES-CCM-ICVlen DEFAULT 12 } + + AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16) + + GCMParameters ::= SEQUENCE { + + + +Hoffman & Schaad Informational [Page 49] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + aes-nonce OCTET STRING, -- recommended size is 12 octets + aes-ICVlen AES-GCM-ICVlen DEFAULT 12 } + + AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16) + + END + +12. ASN.1 Module for RFC 5275 + + SMIMESymmetricKeyDistribution-2009 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-symkeydist-02(36)} + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + EXPORTS ALL; + IMPORTS + + AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP, + SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + GeneralName + FROM PKIX1Implicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } + + Certificate + FROM PKIX1Explicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } + + RecipientInfos, KEKIdentifier,CertificateSet + FROM CryptographicMessageSyntax-2009 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-2004-02(41) } + + cap-3DESwrap + FROM CryptographicMessageSyntaxAlgorithms + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cmsalg-2001-02(37) } + + AttributeCertificate + FROM PKIXAttributeCertificate-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } + + + +Hoffman & Schaad Informational [Page 50] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + CMC-CONTROL, EXTENDED-FAILURE-INFO + FROM EnrollmentMessageSyntax + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) } + + kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap + FROM CMSAesRsaesOaep-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ; + + -- This defines the group list (GL symmetric key distribution OID arc + id-skd OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) skd(8) } + + SKD-ControlSet CMC-CONTROL ::= { + skd-glUseKEK | skd-glDelete | skd-glAddMember | + skd-glDeleteMember | skd-glRekey | skd-glAddOwner | + skd-glRemoveOwner | skd-glKeyCompromise | + skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert | + skd-glManageCert | skd-glKey, ... } + + -- This defines the GL Use KEK control attribute + + skd-glUseKEK CMC-CONTROL ::= + { GLUseKEK IDENTIFIED BY id-skd-glUseKEK } + + id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1} + + GLUseKEK ::= SEQUENCE { + glInfo GLInfo, + glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo, + glAdministration GLAdministration DEFAULT managed, + glKeyAttributes GLKeyAttributes OPTIONAL + } + + GLInfo ::= SEQUENCE { + glName GeneralName, + glAddress GeneralName + } + + GLOwnerInfo ::= SEQUENCE { + glOwnerName GeneralName, + glOwnerAddress GeneralName, + certificates Certificates OPTIONAL + } + + GLAdministration ::= INTEGER { + + + +Hoffman & Schaad Informational [Page 51] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + unmanaged (0), + managed (1), + closed (2) + } + + -- + -- The advertised set of algorithm capabilities for the document + -- + + SKD-Caps SMIME-CAPS ::= { + cap-3DESwrap | kwa-aes128-wrap.&smimeCaps | + kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ... + } + + cap-aes128-cbc KeyWrapAlgorithm ::= + { capabilityID kwa-aes128-wrap.&smimeCaps.&id } + + -- + -- The set of key wrap algorithms supported by this specification + -- + + KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}} + + GLKeyAttributes ::= SEQUENCE { + rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE, + recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE, + duration [2] INTEGER DEFAULT 0, + generationCounter [3] INTEGER DEFAULT 2, + requestedAlgorithm [4] KeyWrapAlgorithm + DEFAULT cap-aes128-cbc + } + + -- This defines the Delete GL control attribute. + -- It has the simple type GeneralName. + + skd-glDelete CMC-CONTROL ::= + { DeleteGL IDENTIFIED BY id-skd-glDelete } + + id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2} + DeleteGL ::= GeneralName + + -- This defines the Add GL Member control attribute + + skd-glAddMember CMC-CONTROL ::= + { GLAddMember IDENTIFIED BY id-skd-glAddMember } + + id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3} + GLAddMember ::= SEQUENCE { + + + +Hoffman & Schaad Informational [Page 52] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + glName GeneralName, + glMember GLMember + } + + GLMember ::= SEQUENCE { + glMemberName GeneralName, + glMemberAddress GeneralName OPTIONAL, + certificates Certificates OPTIONAL + } + + Certificates ::= SEQUENCE { + pKC [0] Certificate OPTIONAL, + -- See RFC 5280 + aC [1] SEQUENCE SIZE (1.. MAX) OF + AttributeCertificate OPTIONAL, + -- See RFC 3281 + certPath [2] CertificateSet OPTIONAL + -- From RFC 3852 + } + + -- This defines the Delete GL Member control attribute + + skd-glDeleteMember CMC-CONTROL ::= + { GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember } + + id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4} + + GLDeleteMember ::= SEQUENCE { + glName GeneralName, + glMemberToDelete GeneralName + } + + -- This defines the Delete GL Member control attribute + + skd-glRekey CMC-CONTROL ::= + { GLRekey IDENTIFIED BY id-skd-glRekey } + + id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5} + + GLRekey ::= SEQUENCE { + glName GeneralName, + glAdministration GLAdministration OPTIONAL, + glNewKeyAttributes GLNewKeyAttributes OPTIONAL, + glRekeyAllGLKeys BOOLEAN OPTIONAL + } + + GLNewKeyAttributes ::= SEQUENCE { + rekeyControlledByGLO [0] BOOLEAN OPTIONAL, + + + +Hoffman & Schaad Informational [Page 53] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL, + duration [2] INTEGER OPTIONAL, + generationCounter [3] INTEGER OPTIONAL, + requestedAlgorithm [4] KeyWrapAlgorithm OPTIONAL + } + + -- This defines the Add and Delete GL Owner control attributes + + skd-glAddOwner CMC-CONTROL ::= + { GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner } + id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6} + + skd-glRemoveOwner CMC-CONTROL ::= + { GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner } + + id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7} + + GLOwnerAdministration ::= SEQUENCE { + glName GeneralName, + glOwnerInfo GLOwnerInfo + } + + -- This defines the GL Key Compromise control attribute. + -- It has the simple type GeneralName. + + skd-glKeyCompromise CMC-CONTROL ::= + { GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise } + + id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8} + GLKCompromise ::= GeneralName + + -- This defines the GL Key Refresh control attribute. + + skd-glkRefresh CMC-CONTROL ::= + { GLKRefresh IDENTIFIED BY id-skd-glkRefresh } + + id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9} + + GLKRefresh ::= SEQUENCE { + glName GeneralName, + dates SEQUENCE SIZE (1..MAX) OF Date + } + + Date ::= SEQUENCE { + start GeneralizedTime, + end GeneralizedTime OPTIONAL + } + + + + +Hoffman & Schaad Informational [Page 54] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + -- This defines the GLA Query Request control attribute. + + skd-glaQueryRequest CMC-CONTROL ::= + { GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest } + + id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11} + + SKD-QUERY ::= TYPE-IDENTIFIER + + SkdQuerySet SKD-QUERY ::= {skd-AlgRequest, ...} + GLAQueryRequest ::= SEQUENCE { + glaRequestType SKD-QUERY.&id ({SkdQuerySet}), + glaRequestValue SKD-QUERY. + &Type ({SkdQuerySet}{@glaRequestType}) + } + + -- This defines the GLA Query Response control attribute. + + skd-glaQueryResponse CMC-CONTROL ::= + { GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse } + + id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12} + + SKD-RESPONSE ::= TYPE-IDENTIFIER + + SkdResponseSet SKD-RESPONSE ::= {skd-AlgResponse, ...} + + GLAQueryResponse ::= SEQUENCE { + glaResponseType SKD-RESPONSE. + &id({SkdResponseSet}), + glaResponseValue SKD-RESPONSE. + &Type({SkdResponseSet}{@glaResponseType})} + + -- This defines the GLA Request/Response (glaRR) arc for + -- glaRequestType/glaResponseType. + + id-cmc-glaRR OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) cmc(7) glaRR(99) } + + -- This defines the Algorithm Request + + skd-AlgRequest SKD-QUERY ::= { + SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest + } + + id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 } + SKDAlgRequest ::= NULL + + + +Hoffman & Schaad Informational [Page 55] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + -- This defines the Algorithm Response + + skd-AlgResponse SKD-RESPONSE ::= { + SMIMECapability{{SKD-Caps}} IDENTIFIED BY + id-cmc-gla-skdAlgResponse + } + + id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 } + -- Note that the response for algorithmSupported request is the + -- smimeCapabilities attribute as defined in RFC 3851. + + -- This defines the control attribute to request an updated + -- certificate to the GLA. + + skd-glProvideCert CMC-CONTROL ::= + { GLManageCert IDENTIFIED BY id-skd-glProvideCert } + + id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13} + + GLManageCert ::= SEQUENCE { + glName GeneralName, + glMember GLMember + } + + -- This defines the control attribute to return an updated + -- certificate to the GLA. It has the type GLManageCert. + + skd-glManageCert CMC-CONTROL ::= + { GLManageCert IDENTIFIED BY id-skd-glManageCert } + + id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14} + + -- This defines the control attribute to distribute the GL shared + -- KEK. + + skd-glKey CMC-CONTROL ::= + { GLKey IDENTIFIED BY id-skd-glKey } + + id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15} + + GLKey ::= SEQUENCE { + glName GeneralName, + glIdentifier KEKIdentifier, -- See RFC 3852 + glkWrapped RecipientInfos, -- See RFC 3852 + glkAlgorithm KeyWrapAlgorithm, + glkNotBefore GeneralizedTime, + glkNotAfter GeneralizedTime + } + + + +Hoffman & Schaad Informational [Page 56] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + -- This defines the CMC error types + + skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= { + SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo + } + + id-cet-skdFailInfo OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) cet(15) skdFailInfo(1) } + + SKDFailInfo ::= INTEGER { + unspecified (0), + closedGL (1), + unsupportedDuration (2), + noGLACertificate (3), + invalidCert (4), + unsupportedAlgorithm (5), + noGLONameMatch (6), + invalidGLName (7), + nameAlreadyInUse (8), + noSpam (9), + deniedAccess (10), + alreadyAMember (11), + notAMember (12), + alreadyAnOwner (13), + notAnOwner (14) } + + END + +13. Security Considerations + + Even though all the RFCs in this document are security-related, the + document itself does not have any security considerations. The ASN.1 + modules keep the same bits-on-the-wire as the modules that they + replace. + +14. Normative References + + [ASN1-2002] ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and + X.683", ITU-T X.680, X.681, X.682, and X.683, 2002. + + [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) + Algorithms", RFC 3370, August 2002. + + [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard + (AES) Encryption Algorithm in Cryptographic Message + Syntax (CMS)", RFC 3565, July 2003. + + + + +Hoffman & Schaad Informational [Page 57] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + + [RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail + Extensions (S/MIME) Version 3.1 Message Specification", + RFC 3851, July 2004. + + [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", + RFC 3852, July 2004. + + [RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) + to Protect Firmware Packages", RFC 4108, August 2005. + + [RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, "Evidence + Record Syntax (ERS)", RFC 4998, August 2007. + + [RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update: + Adding CertID Algorithm Agility", RFC 5035, August 2007. + + [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) + Authenticated-Enveloped-Data Content Type", RFC 5083, + November 2007. + + [RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated + Encryption in the Cryptographic Message Syntax (CMS)", + RFC 5084, November 2007. + + [RFC5275] Turner, S., "CMS Symmetric Key Management and + Distribution", RFC 5275, June 2008. + + [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", + RFC 5652, September 2009. + + [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the + Public Key Infrastructure using X.509 (PKIX)", RFC 5912, + June 2010. + + + + + + + + + + + + + + + + + + +Hoffman & Schaad Informational [Page 58] + +RFC 5911 New ASN.1 for CMS and S/MIME June 2010 + + +Authors' Addresses + + Paul Hoffman + VPN Consortium + 127 Segre Place + Santa Cruz, CA 95060 + US + + Phone: 1-831-426-9827 + EMail: paul.hoffman@vpnc.org + + + Jim Schaad + Soaring Hawk Consulting + + EMail: jimsch@exmsft.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Hoffman & Schaad Informational [Page 59] + diff --git a/const-oid/oiddbgen/rfc5912.txt b/const-oid/oiddbgen/rfc5912.txt new file mode 100644 index 000000000..36a05f3b4 --- /dev/null +++ b/const-oid/oiddbgen/rfc5912.txt @@ -0,0 +1,6555 @@ + + + + + + +Internet Engineering Task Force (IETF) P. Hoffman +Request for Comments: 5912 VPN Consortium +Category: Informational J. Schaad +ISSN: 2070-1721 Soaring Hawk Consulting + June 2010 + + + New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX) + +Abstract + + The Public Key Infrastructure using X.509 (PKIX) certificate format, + and many associated formats, are expressed using ASN.1. The current + ASN.1 modules conform to the 1988 version of ASN.1. This document + updates those ASN.1 modules to conform to the 2002 version of ASN.1. + There are no bits-on-the-wire changes to any of the formats; this is + simply a change to the syntax. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc5912. + + + + + + + + + + + + + + + + + + +Hoffman & Schaad Informational [Page 1] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +Copyright Notice + + Copyright (c) 2010 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + This document may contain material from IETF Documents or IETF + Contributions published or made publicly available before November + 10, 2008. The person(s) controlling the copyright in some of this + material may not have granted the IETF Trust the right to allow + modifications of such material outside the IETF Standards Process. + Without obtaining an adequate license from the person(s) controlling + the copyright in such materials, this document may not be modified + outside the IETF Standards Process, and derivative works of it may + not be created outside the IETF Standards Process, except to format + it for publication as an RFC or to translate it into languages other + than English. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . 4 + 2. ASN.1 Module PKIX-CommonTypes . . . . . . . . . . . . . . . . 5 + 3. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 8 + 4. ASN.1 Module for RFC 2560 . . . . . . . . . . . . . . . . . . 18 + 5. ASN.1 Module for RFC 2986 . . . . . . . . . . . . . . . . . . 22 + 6. ASN.1 Module for RFC 3279 . . . . . . . . . . . . . . . . . . 23 + 7. ASN.1 Module for RFC 3852 (Attribute Certificate v1) . . . . 34 + 8. ASN.1 Module for RFC 4055 . . . . . . . . . . . . . . . . . . 36 + 9. ASN.1 Module for RFC 4210 . . . . . . . . . . . . . . . . . . 42 + 10. ASN.1 Module for RFC 4211 . . . . . . . . . . . . . . . . . . 53 + 11. ASN.1 Module for RFC 5055 . . . . . . . . . . . . . . . . . . 61 + 12. ASN.1 Module for RFC 5272 . . . . . . . . . . . . . . . . . . 74 + 13. ASN.1 Module for RFC 5755 . . . . . . . . . . . . . . . . . . 85 + 14. ASN.1 Module for RFC 5280, Explicit and Implicit . . . . . . 91 + 15. Security Considerations . . . . . . . . . . . . . . . . . . . 115 + 16. Normative References . . . . . . . . . . . . . . . . . . . . 116 + + + + + +Hoffman & Schaad Informational [Page 2] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +1. Introduction + + Some developers would like the IETF to use the latest version of + ASN.1 in its standards. Most of the RFCs that relate to security + protocols still use ASN.1 from the 1988 standard, which has been + deprecated. This is particularly true for the standards that relate + to PKIX, Cryptographic Message Syntax (CMS), and S/MIME. + + This document updates the following RFCs to use ASN.1 modules that + conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all + the modules are updated; some are included to simply make the set + complete. + + o RFC 2560, PKIX Online Certificate Status Protocol (OCSP) [RFC2560] + + o RFC 2986, PKCS #10 certificate request [RFC2986] + + o RFC 3279, PKIX algorithms and identifier [RFC3279] + + o RFC 3852, contains PKIX attribute certificates, version 1 + [RFC3852] + + o RFC 4055, Additional Algorithms and Identifiers for RSA + Cryptography [RFC4055] + + o RFC 4210, PKIX CMP (Certificate Management Protocol) [RFC4210] + + o RFC 4211, PKIX CRMF (Certificate Request Message Format) [RFC4211] + + o RFC 5055, PKIX SCVP (Server-based Certificate Validation Protocol) + [RFC5055] + + o RFC 5272, Certificate Management over CMS (CMC) [RFC5272] + + o RFC 5280, PKIX certificate and Certificate Revocation List (CRL) + profile [RFC5280] (both the implicit and explicit modules) + + o RFC 5755, PKIX attribute certificates, version 2 [RFC5755] + + Note that some of the modules in this document get some of their + definitions from places different than the modules in the original + RFCs. The idea is that these modules, when combined with the modules + in [RFC5911] can stand on their own and do not need to import + definitions from anywhere else. Also note that the ASN.1 modules in + this document have references in their text comments that need to be + looked up in original RFCs, and that some of those references may + have already been superseded by later RFCs. + + + + +Hoffman & Schaad Informational [Page 3] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + The document also includes a module of common definitions called + "PKIX-CommonTypes". These definitions are used here and in + [RFC5911]. + + The document also includes a module of common definitions called + "AlgorithmInformation". These definitions are used here and in + [RFC5911]. + +1.1. Design Notes + + The modules in this document use the object model available in the + 2002 ASN.1 documents to a great extent. Objects for each of the + different algorithm types are defined. Also, all of the places where + the 1988 ASN.1 syntax had ANY holes to allow for variable syntax now + use objects. + + Much like the way that the PKIX and S/MIME working groups use the + prefix of id- for object identifiers, this document has also adopted + a set of two-, three-, and four-letter prefixes to allow for quick + identification of the type of an object based on its name. This + allows, for example, the same back half of the name to be used for + the different objects. Thus, "id-sha1" is the object identifier, + while "mda-sha1" is the message digest object for "sha1". + + One or more object sets for the different types of algorithms are + defined. A single consistent name for each different algorithm type + is used. For example, an object set named PublicKeys contains the + public keys defined in that module. If no public keys are defined, + then the object set is not created. When importing these object sets + into an ASN.1 module, one needs to be able to distinguish between the + different object sets with the same name. This is done by using both + the module name (as specified in the IMPORT statement) and the object + set name. For example, in the module for RFC 5280: + + PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 } + PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 } + + PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ..., + PKIX1-PSS-OAEP-Algorithms.PublicKeys } + + + + + + + + + + + + +Hoffman & Schaad Informational [Page 4] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +2. ASN.1 Module PKIX-CommonTypes + + This section contains a module that is imported by many other modules + in this document and in [RFC5911]. This module does not come from + any existing RFC. + + PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} + + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + + -- ATTRIBUTE + -- + -- Describe the set of data associated with an attribute of some type + -- + -- &id is an OID identifying the attribute + -- &Type is the ASN.1 type structure for the attribute; not all + -- attributes have a data structure, so this field is optional + -- &minCount contains the minimum number of times the attribute can + -- occur in an AttributeSet + -- &maxCount contains the maximum number of times the attribute can + -- appear in an AttributeSet + -- Note: this cannot be automatically enforced as the field + -- cannot be defaulted to MAX. + -- &equality-match contains information about how matching should be + -- done + -- + -- Currently we are using two different prefixes for attributes. + -- + -- at- for certificate attributes + -- aa- for CMS attributes + -- + + ATTRIBUTE ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Type OPTIONAL, + &equality-match MATCHING-RULE OPTIONAL, + &minCount INTEGER DEFAULT 1, + &maxCount INTEGER OPTIONAL + } WITH SYNTAX { + [TYPE &Type] + [EQUALITY MATCHING RULE &equality-match] + [COUNTS [MIN &minCount] [MAX &maxCount]] + IDENTIFIED BY &id + } + + + + +Hoffman & Schaad Informational [Page 5] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- Specification of MATCHING-RULE information object class + -- + + MATCHING-RULE ::= CLASS { + &ParentMatchingRules MATCHING-RULE OPTIONAL, + &AssertionType OPTIONAL, + &uniqueMatchIndicator ATTRIBUTE OPTIONAL, + &id OBJECT IDENTIFIER UNIQUE + } + WITH SYNTAX { + [PARENT &ParentMatchingRules] + [SYNTAX &AssertionType] + [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator] + ID &id + } + + -- AttributeSet + -- + -- Used when a set of attributes is to occur. + -- + -- type contains the identifier of the attribute + -- values contains a set of values where the structure of the ASN.1 + -- is defined by the attribute + -- + -- The parameter contains the set of objects describing + -- those attributes that can occur in this location. + -- + + AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE { + type ATTRIBUTE.&id({AttrSet}), + values SET SIZE (1..MAX) OF ATTRIBUTE. + &Type({AttrSet}{@type}) + } + + -- SingleAttribute + -- + -- Used for a single valued attribute + -- + -- The parameter contains the set of objects describing the + -- attributes that can occur in this location + -- + + SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE { + type ATTRIBUTE.&id({AttrSet}), + value ATTRIBUTE.&Type({AttrSet}{@type}) + } + + -- EXTENSION + + + +Hoffman & Schaad Informational [Page 6] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- + -- This class definition is used to describe the association of + -- object identifier and ASN.1 type structure for extensions + -- + -- All extensions are prefixed with ext- + -- + -- &id contains the object identifier for the extension + -- &ExtnType specifies the ASN.1 type structure for the extension + -- &Critical contains the set of legal values for the critical field. + -- This is normally {TRUE|FALSE} but in some instances may be + -- restricted to just one of these values. + -- + + EXTENSION ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &ExtnType, + &Critical BOOLEAN DEFAULT {TRUE | FALSE } + } WITH SYNTAX { + SYNTAX &ExtnType IDENTIFIED BY &id + [CRITICALITY &Critical] + } + + -- Extensions + -- + -- Used for a sequence of extensions. + -- + -- The parameter contains the set of legal extensions that can + -- occur in this sequence. + -- + + Extensions{EXTENSION:ExtensionSet} ::= + SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}} + + -- Extension + -- + -- Used for a single extension + -- + -- The parameter contains the set of legal extensions that can + -- occur in this extension. + -- + -- The restriction on the critical field has been commented out + -- the authors are not completely sure it is correct. + -- The restriction could be done using custom code rather than + -- compiler-generated code, however. + -- + + Extension{EXTENSION:ExtensionSet} ::= SEQUENCE { + extnID EXTENSION.&id({ExtensionSet}), + + + +Hoffman & Schaad Informational [Page 7] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + critical BOOLEAN + -- (EXTENSION.&Critical({ExtensionSet}{@extnID})) + DEFAULT FALSE, + extnValue OCTET STRING (CONTAINING + EXTENSION.&ExtnType({ExtensionSet}{@extnID})) + -- contains the DER encoding of the ASN.1 value + -- corresponding to the extension type identified + -- by extnID + } + + -- Security Category + -- + -- Security categories are used both for specifying clearances and + -- for labeling objects. We move this here from RFC 3281 so that + -- they will use a common single object class to express this + -- information. + -- + + SECURITY-CATEGORY ::= TYPE-IDENTIFIER + + SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE { + type [0] IMPLICIT SECURITY-CATEGORY. + &id({Supported}), + value [1] EXPLICIT SECURITY-CATEGORY. + &Type({Supported}{@type}) + } + + END + +3. ASN.1 Module AlgorithmInformation + + This section contains a module that is imported by many other modules + in this document. Note that this module is also given in [RFC5911]. + This module does not come from any existing RFC. + +AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + +DEFINITIONS EXPLICIT TAGS ::= +BEGIN +EXPORTS ALL; +IMPORTS + +KeyUsage +FROM PKIX1Implicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) + + + +Hoffman & Schaad Informational [Page 8] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-implicit-02(59)} ; + +-- Suggested prefixes for algorithm objects are: +-- +-- mda- Message Digest Algorithms +-- sa- Signature Algorithms +-- kta- Key Transport Algorithms (Asymmetric) +-- kaa- Key Agreement Algorithms (Asymmetric) +-- kwa- Key Wrap Algorithms (Symmetric) +-- kda- Key Derivation Algorithms +-- maca- Message Authentication Code Algorithms +-- pk- Public Key +-- cea- Content (symmetric) Encryption Algorithms +-- cap- S/MIME Capabilities + +ParamOptions ::= ENUMERATED { + required, -- Parameters MUST be encoded in structure + preferredPresent, -- Parameters SHOULD be encoded in structure + preferredAbsent, -- Parameters SHOULD NOT be encoded in structure + absent, -- Parameters MUST NOT be encoded in structure + inheritable, -- Parameters are inherited if not present + optional, -- Parameters MAY be encoded in the structure + ... +} + +-- DIGEST-ALGORITHM +-- +-- Describes the basic information for ASN.1 and a digest +-- algorithm. +-- +-- &id - contains the OID identifying the digest algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- +-- Additional information such as the length of the hash could have +-- been encoded. Without a clear understanding of what information +-- is needed by applications, such extraneous information was not +-- considered to be of sufficent importance. +-- +-- Example: +-- mda-sha1 DIGEST-ALGORITHM ::= { +-- IDENTIFIER id-sha1 +-- PARAMS TYPE NULL ARE preferredAbsent +-- } + +DIGEST-ALGORITHM ::= CLASS { + + + +Hoffman & Schaad Informational [Page 9] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence ] +} + +-- SIGNATURE-ALGORITHM +-- +-- Describes the basic properties of a signature algorithm +-- +-- &id - contains the OID identifying the signature algorithm +-- &Value - contains a type definition for the value structure of +-- the signature; if absent, implies that no ASN.1 +-- encoding is performed on the value +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &HashSet - The set of hash algorithms used with this +-- signature algorithm +-- &PublicKeySet - the set of public key algorithms for this +-- signature algorithm +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER id-RSASSA-PSS +-- PARAMS TYPE RSASSA-PSS-params ARE required +-- HASHES { mda-sha1 | mda-md5, ... } +-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss } +-- } + +SIGNATURE-ALGORITHM ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Value OPTIONAL, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &HashSet DIGEST-ALGORITHM OPTIONAL, + &PublicKeySet PUBLIC-KEY OPTIONAL, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [VALUE &Value] + [PARAMS [TYPE &Params] ARE ¶mPresence ] + [HASHES &HashSet] + [PUBLIC-KEYS &PublicKeySet] + + + +Hoffman & Schaad Informational [Page 10] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + [SMIME-CAPS &smimeCaps] +} + +-- PUBLIC-KEY +-- +-- Describes the basic properties of a public key +-- +-- &id - contains the OID identifying the public key +-- &KeyValue - contains the type for the key value +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &keyUsage - contains the set of bits that are legal for this +-- key type. Note that is does not make any statement +-- about how bits may be paired. +-- &PrivateKey - contains a type structure for encoding the private +-- key information. +-- +-- Example: +-- pk-rsa-pss PUBLIC-KEY ::= { +-- IDENTIFIER id-RSASSA-PSS +-- KEY RSAPublicKey +-- PARAMS TYPE RSASSA-PSS-params ARE optional +-- CERT-KEY-USAGE { .... } +-- } + +PUBLIC-KEY ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &KeyValue OPTIONAL, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &keyUsage KeyUsage OPTIONAL, + &PrivateKey OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [KEY &KeyValue] + [PARAMS [TYPE &Params] ARE ¶mPresence] + [CERT-KEY-USAGE &keyUsage] + [PRIVATE-KEY &PrivateKey] +} + +-- KEY-TRANSPORT +-- +-- Describes the basic properties of a key transport algorithm +-- +-- &id - contains the OID identifying the key transport algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters + + + +Hoffman & Schaad Informational [Page 11] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +-- ¶mPresence - parameter presence requirement +-- &PublicKeySet - specifies which public keys are used with +-- this algorithm +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- kta-rsaTransport KEY-TRANSPORT ::= { +-- IDENTIFIER &id +-- PARAMS TYPE NULL ARE required +-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss } +-- } + +KEY-TRANSPORT ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &PublicKeySet PUBLIC-KEY OPTIONAL, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [PUBLIC-KEYS &PublicKeySet] + [SMIME-CAPS &smimeCaps] +} + +-- KEY-AGREE +-- +-- Describes the basic properties of a key agreement algorithm +-- +-- &id - contains the OID identifying the key agreement algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &PublicKeySet - specifies which public keys are used with +-- this algorithm +-- &Ukm - type of user keying material used +-- &ukmPresence - specifies the requirements to define the UKM field +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- kaa-dh-static-ephemeral KEY-AGREE ::= { +-- IDENTIFIER id-alg-ESDH +-- PARAMS TYPE KeyWrapAlgorithm ARE required +-- PUBLIC-KEYS { +-- {IDENTIFIER dh-public-number KEY DHPublicKey +-- PARAMS TYPE DHDomainParameters ARE inheritable } + + + +Hoffman & Schaad Informational [Page 12] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +-- } +-- - - UKM should be present but is not separately ASN.1-encoded +-- UKM ARE preferredPresent +-- } + +KEY-AGREE ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &PublicKeySet PUBLIC-KEY OPTIONAL, + &Ukm OPTIONAL, + &ukmPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [PUBLIC-KEYS &PublicKeySet] + [UKM [TYPE &Ukm] ARE &ukmPresence] + [SMIME-CAPS &smimeCaps] +} + +-- KEY-WRAP +-- +-- Describes the basic properties of a key wrap algorithm +-- +-- &id - contains the OID identifying the key wrap algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- kwa-cms3DESwrap KEY-WRAP ::= { +-- IDENTIFIER id-alg-CMS3DESwrap +-- PARAMS TYPE NULL ARE required +-- } + +KEY-WRAP ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [SMIME-CAPS &smimeCaps] +} + + + +Hoffman & Schaad Informational [Page 13] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +-- KEY-DERIVATION +-- +-- Describes the basic properties of a key derivation algorithm +-- +-- &id - contains the OID identifying the key derivation algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- kda-pbkdf2 KEY-DERIVATION ::= { +-- IDENTIFIER id-PBKDF2 +-- PARAMS TYPE PBKDF2-params ARE required +-- } + +KEY-DERIVATION ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [SMIME-CAPS &smimeCaps] +} + +-- MAC-ALGORITHM +-- +-- Describes the basic properties of a message +-- authentication code (MAC) algorithm +-- +-- &id - contains the OID identifying the MAC algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &keyed - MAC algorithm is a keyed MAC algorithm +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Some parameters that perhaps should have been added would be +-- fields with the minimum and maximum MAC lengths for +-- those MAC algorithms that allow truncations. +-- +-- Example: +-- maca-hmac-sha1 MAC-ALGORITHM ::= { +-- IDENTIFIER hMAC-SHA1 + + + +Hoffman & Schaad Informational [Page 14] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +-- PARAMS TYPE NULL ARE preferredAbsent +-- IS KEYED MAC TRUE +-- SMIME-CAPS {IDENTIFIED BY hMAC-SHA1} +-- } + +MAC-ALGORITHM ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &keyed BOOLEAN, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + IS-KEYED-MAC &keyed + [SMIME-CAPS &smimeCaps] +} + +-- CONTENT-ENCRYPTION +-- +-- Describes the basic properties of a content encryption +-- algorithm +-- +-- &id - contains the OID identifying the content +-- encryption algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- Example: +-- cea-3DES-cbc CONTENT-ENCRYPTION ::= { +-- IDENTIFIER des-ede3-cbc +-- PARAMS TYPE IV ARE required +-- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc } +-- } + +CONTENT-ENCRYPTION ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [SMIME-CAPS &smimeCaps] +} + + + +Hoffman & Schaad Informational [Page 15] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +-- ALGORITHM +-- +-- Describes a generic algorithm identifier +-- +-- &id - contains the OID identifying the algorithm +-- &Params - if present, contains the type for the algorithm +-- parameters; if absent, implies no parameters +-- ¶mPresence - parameter presence requirement +-- &smimeCaps - contains the object describing how the S/MIME +-- capabilities are presented. +-- +-- This would be used for cases where an algorithm of an unknown +-- type is used. In general however, one should either define +-- a more complete algorithm structure (such as the one above) +-- or use the TYPE-IDENTIFIER class. + +ALGORITHM ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL +} WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [SMIME-CAPS &smimeCaps] +} + +-- AlgorithmIdentifier +-- +-- Provides the generic structure that is used to encode algorithm +-- identification and the parameters associated with the +-- algorithm. +-- +-- The first parameter represents the type of the algorithm being +-- used. +-- The second parameter represents an object set containing the +-- algorithms that may occur in this situation. +-- The initial list of required algorithms should occur to the +-- left of an extension marker; all other algorithms should +-- occur to the right of an extension marker. +-- +-- The object class ALGORITHM can be used for generic unspecified +-- items. +-- If new ALGORITHM classes are defined, the fields &id and &Params +-- need to be present as fields in the object in order to use +-- this parameterized type. +-- +-- Example: + + + +Hoffman & Schaad Informational [Page 16] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +-- SignatureAlgorithmIdentifier ::= +-- AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgSet}} + +AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= + SEQUENCE { + algorithm ALGORITHM-TYPE.&id({AlgorithmSet}), + parameters ALGORITHM-TYPE. + &Params({AlgorithmSet}{@algorithm}) OPTIONAL + } + +-- S/MIME Capabilities +-- +-- We have moved the SMIME-CAPS from the module for RFC 3851 to here +-- because it is used in RFC 4262 (X.509 Certificate Extension for +-- S/MIME Capabilities) +-- +-- +-- This class is used to represent an S/MIME capability. S/MIME +-- capabilities are used to represent what algorithm capabilities +-- an individual has. The classic example was the content encryption +-- algorithm RC2 where the algorithm id and the RC2 key lengths +-- supported needed to be advertised, but the IV used is not fixed. +-- Thus, for RC2 we used +-- +-- cap-RC2CBC SMIME-CAPS ::= { +-- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc } +-- +-- where 40 and 128 represent the RC2 key length in number of bits. +-- +-- Another example where information needs to be shown is for +-- RSA-OAEP where only specific hash functions or mask generation +-- functions are supported, but the saltLength is specified by the +-- sender and not the recipient. In this case, one can either +-- generate a number of capability items, +-- or a new S/MIME capability type could be generated where +-- multiple hash functions could be specified. +-- +-- +-- SMIME-CAP +-- +-- This class is used to associate the type that describes the +-- capabilities with the object identifier. +-- + +SMIME-CAPS ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Type OPTIONAL +} + + + +Hoffman & Schaad Informational [Page 17] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id } + +-- +-- Generic type - this is used for defining values. +-- + +-- Define a single S/MIME capability encoding + +SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE { + capabilityID SMIME-CAPS.&id({CapabilitySet}), + parameters SMIME-CAPS.&Type({CapabilitySet} + {@capabilityID}) OPTIONAL +} + +-- Define a sequence of S/MIME capability values + +SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::= + SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} } + +END + +4. ASN.1 Module for RFC 2560 + + OCSP-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp-02(48)} + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + IMPORTS + + Extensions{}, EXTENSION, ATTRIBUTE + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} + + AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + AuthorityInfoAccessSyntax, GeneralName, CrlEntryExtensions + FROM PKIX1Implicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} + + Name, CertificateSerialNumber, id-kp, id-ad-ocsp, Certificate + FROM PKIX1Explicit-2009 + + + +Hoffman & Schaad Informational [Page 18] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} + + sa-dsaWithSHA1, sa-rsaWithMD2, sa-rsaWithMD5, sa-rsaWithSHA1 + FROM PKIXAlgs-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms2008-02(56)}; + + OCSPRequest ::= SEQUENCE { + tbsRequest TBSRequest, + optionalSignature [0] EXPLICIT Signature OPTIONAL } + + TBSRequest ::= SEQUENCE { + version [0] EXPLICIT Version DEFAULT v1, + requestorName [1] EXPLICIT GeneralName OPTIONAL, + requestList SEQUENCE OF Request, + requestExtensions [2] EXPLICIT Extensions {{re-ocsp-nonce | + re-ocsp-response, ...}} OPTIONAL } + + Signature ::= SEQUENCE { + signatureAlgorithm AlgorithmIdentifier + { SIGNATURE-ALGORITHM, {...}}, + signature BIT STRING, + certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } + + Version ::= INTEGER { v1(0) } + + Request ::= SEQUENCE { + reqCert CertID, + singleRequestExtensions [0] EXPLICIT Extensions + { {re-ocsp-service-locator, + ...}} OPTIONAL } + + CertID ::= SEQUENCE { + hashAlgorithm AlgorithmIdentifier + {DIGEST-ALGORITHM, {...}}, + issuerNameHash OCTET STRING, -- Hash of Issuer's DN + issuerKeyHash OCTET STRING, -- Hash of Issuer's public key + serialNumber CertificateSerialNumber } + + OCSPResponse ::= SEQUENCE { + responseStatus OCSPResponseStatus, + responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } + + OCSPResponseStatus ::= ENUMERATED { + successful (0), --Response has valid confirmations + malformedRequest (1), --Illegal confirmation request + + + +Hoffman & Schaad Informational [Page 19] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + internalError (2), --Internal error in issuer + tryLater (3), --Try again later + -- (4) is not used + sigRequired (5), --Must sign the request + unauthorized (6) --Request unauthorized + } + + RESPONSE ::= TYPE-IDENTIFIER + + ResponseSet RESPONSE ::= {basicResponse, ...} + + ResponseBytes ::= SEQUENCE { + responseType RESPONSE. + &id ({ResponseSet}), + response OCTET STRING (CONTAINING RESPONSE. + &Type({ResponseSet}{@responseType}))} + + basicResponse RESPONSE ::= + { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic } + + BasicOCSPResponse ::= SEQUENCE { + tbsResponseData ResponseData, + signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, + {sa-dsaWithSHA1 | sa-rsaWithSHA1 | + sa-rsaWithMD5 | sa-rsaWithMD2, ...}}, + signature BIT STRING, + certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } + + ResponseData ::= SEQUENCE { + version [0] EXPLICIT Version DEFAULT v1, + responderID ResponderID, + producedAt GeneralizedTime, + responses SEQUENCE OF SingleResponse, + responseExtensions [1] EXPLICIT Extensions + {{re-ocsp-nonce, ...}} OPTIONAL } + + ResponderID ::= CHOICE { + byName [1] Name, + byKey [2] KeyHash } + + KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key + -- (excluding the tag and length fields) + + SingleResponse ::= SEQUENCE { + certID CertID, + certStatus CertStatus, + thisUpdate GeneralizedTime, + nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, + + + +Hoffman & Schaad Informational [Page 20] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + singleExtensions [1] EXPLICIT Extensions{{re-ocsp-crl | + re-ocsp-archive-cutoff | + CrlEntryExtensions, ...} + } OPTIONAL } + + CertStatus ::= CHOICE { + good [0] IMPLICIT NULL, + revoked [1] IMPLICIT RevokedInfo, + unknown [2] IMPLICIT UnknownInfo } + + RevokedInfo ::= SEQUENCE { + revocationTime GeneralizedTime, + revocationReason [0] EXPLICIT CRLReason OPTIONAL } + + UnknownInfo ::= NULL + + CRLReason ::= INTEGER + + ArchiveCutoff ::= GeneralizedTime + + AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet}) + + ServiceLocator ::= SEQUENCE { + issuer Name, + locator AuthorityInfoAccessSyntax } + + CrlID ::= SEQUENCE { + crlUrl [0] EXPLICIT IA5String OPTIONAL, + crlNum [1] EXPLICIT INTEGER OPTIONAL, + crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } + + -- Request Extensions + + re-ocsp-nonce EXTENSION ::= { SYNTAX OCTET STRING IDENTIFIED + BY id-pkix-ocsp-nonce } + re-ocsp-response EXTENSION ::= { SYNTAX AcceptableResponses IDENTIFIED + BY id-pkix-ocsp-response } + re-ocsp-service-locator EXTENSION ::= { SYNTAX ServiceLocator + IDENTIFIED BY + id-pkix-ocsp-service-locator } + + -- Response Extensions + + re-ocsp-crl EXTENSION ::= { SYNTAX CrlID IDENTIFIED BY + id-pkix-ocsp-crl } + re-ocsp-archive-cutoff EXTENSION ::= { SYNTAX ArchiveCutoff + IDENTIFIED BY + id-pkix-ocsp-archive-cutoff } + + + +Hoffman & Schaad Informational [Page 21] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- Object Identifiers + + id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } + id-pkix-ocsp OBJECT IDENTIFIER ::= id-ad-ocsp + id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } + id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } + id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } + id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } + id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } + id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } + id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } + + END + +5. ASN.1 Module for RFC 2986 + + PKCS-10 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkcs10-2009(69)} + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, + PUBLIC-KEY + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + ATTRIBUTE, Name + FROM PKIX1Explicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}; + + -- Certificate requests + CertificationRequestInfo ::= SEQUENCE { + version INTEGER { v1(0) } (v1, ... ), + subject Name, + subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, + attributes [0] Attributes{{ CRIAttributes }} + } + + SubjectPublicKeyInfo {PUBLIC-KEY: IOSet} ::= SEQUENCE { + algorithm AlgorithmIdentifier {PUBLIC-KEY, {IOSet}}, + subjectPublicKey BIT STRING + } + + + + +Hoffman & Schaad Informational [Page 22] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + PKInfoAlgorithms PUBLIC-KEY ::= { + ... -- add any locally defined algorithms here -- } + + Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }} + + CRIAttributes ATTRIBUTE ::= { + ... -- add any locally defined attributes here -- } + + Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { + type ATTRIBUTE.&id({IOSet}), + values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) + } + + CertificationRequest ::= SEQUENCE { + certificationRequestInfo CertificationRequestInfo, + signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, + { SignatureAlgorithms }}, + signature BIT STRING + } + + SignatureAlgorithms SIGNATURE-ALGORITHM ::= { + ... -- add any locally defined algorithms here -- } + + END + +6. ASN.1 Module for RFC 3279 + + Note that this module also contains information from RFC 5480 + [RFC5480]. + + PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms2008-02(56) } + + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + IMPORTS + + PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + mda-sha224, mda-sha256, mda-sha384, mda-sha512 + FROM PKIX1-PSS-OAEP-Algorithms-2009 + {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + + + +Hoffman & Schaad Informational [Page 23] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + id-mod-pkix1-rsa-pkalgs-02(54)} ; + + -- + -- Public Key (pk-) Algorithms + -- + + PublicKeys PUBLIC-KEY ::= { + pk-rsa | + pk-dsa | + pk-dh | + pk-kea, + ..., + pk-ec | + pk-ecDH | + pk-ecMQV + } + + -- + -- Signature Algorithms (sa-) + -- + + SignatureAlgs SIGNATURE-ALGORITHM ::= { + sa-rsaWithMD2 | + sa-rsaWithMD5 | + sa-rsaWithSHA1 | + sa-dsaWithSHA1 | + sa-ecdsaWithSHA1, + ..., -- Extensible + sa-dsaWithSHA224 | + sa-dsaWithSHA256 | + sa-ecdsaWithSHA224 | + sa-ecdsaWithSHA256 | + sa-ecdsaWithSHA384 | + sa-ecdsaWithSHA512 + } + + -- + -- S/MIME CAPS for algorithms in this document + -- + -- For all of the algorithms laid out in this document, the + -- parameters field for the S/MIME capabilities is defined as + -- ABSENT as there are no specific values that need to be known + -- by the receiver for negotiation. + + -- + + SMimeCaps SMIME-CAPS ::= { + sa-rsaWithMD2.&smimeCaps | + + + +Hoffman & Schaad Informational [Page 24] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + sa-rsaWithMD5.&smimeCaps | + sa-rsaWithSHA1.&smimeCaps | + sa-dsaWithSHA1.&smimeCaps | + sa-dsaWithSHA224.&smimeCaps | + sa-dsaWithSHA256.&smimeCaps | + sa-ecdsaWithSHA1.&smimeCaps | + sa-ecdsaWithSHA224.&smimeCaps | + sa-ecdsaWithSHA256.&smimeCaps | + sa-ecdsaWithSHA384.&smimeCaps | + sa-ecdsaWithSHA512.&smimeCaps, + ... } + + -- RSA PK Algorithm, Parameters, and Keys + + pk-rsa PUBLIC-KEY ::= { + IDENTIFIER rsaEncryption + KEY RSAPublicKey + PARAMS TYPE NULL ARE absent + -- Private key format not in this module -- + CERT-KEY-USAGE {digitalSignature, nonRepudiation, + keyEncipherment, dataEncipherment, keyCertSign, cRLSign} + } + + rsaEncryption OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 1 } + + RSAPublicKey ::= SEQUENCE { + modulus INTEGER, -- n + publicExponent INTEGER -- e + } + + -- DSA PK Algorithm, Parameters, and Keys + + pk-dsa PUBLIC-KEY ::= { + IDENTIFIER id-dsa + KEY DSAPublicKey + PARAMS TYPE DSA-Params ARE inheritable + -- Private key format not in this module -- + CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, + cRLSign } + } + + id-dsa OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } + + DSA-Params ::= SEQUENCE { + p INTEGER, + + + +Hoffman & Schaad Informational [Page 25] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + q INTEGER, + g INTEGER + } + + DSAPublicKey ::= INTEGER -- public key, y + + -- Diffie-Hellman PK Algorithm, Parameters, and Keys + + pk-dh PUBLIC-KEY ::= { + IDENTIFIER dhpublicnumber + KEY DHPublicKey + PARAMS TYPE DomainParameters ARE inheritable + -- Private key format not in this module -- + CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } + } + + dhpublicnumber OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-x942(10046) + number-type(2) 1 } + + DomainParameters ::= SEQUENCE { + p INTEGER, -- odd prime, p=jq +1 + g INTEGER, -- generator, g + q INTEGER, -- factor of p-1 + j INTEGER OPTIONAL, -- subgroup factor, j>= 2 + validationParams ValidationParams OPTIONAL + } + + ValidationParams ::= SEQUENCE { + seed BIT STRING, + pgenCounter INTEGER + } + + DHPublicKey ::= INTEGER -- public key, y = g^x mod p + + -- KEA PK Algorithm and Parameters + + pk-kea PUBLIC-KEY ::= { + IDENTIFIER id-keyExchangeAlgorithm + -- key is not encoded -- + PARAMS TYPE KEA-Params-Id ARE required + -- Private key format not in this module -- + CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } + } + id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= { + joint-iso-itu-t(2) country(16) us(840) organization(1) + gov(101) dod(2) infosec(1) algorithms(1) 22 } + + + + +Hoffman & Schaad Informational [Page 26] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + KEA-Params-Id ::= OCTET STRING + + -- Elliptic Curve (EC) Signatures: Unrestricted Algorithms + -- (Section 2.1.1 of RFC 5480) + -- + -- EC Unrestricted Algorithm ID -- -- this is used for ECDSA + + pk-ec PUBLIC-KEY ::= { + IDENTIFIER id-ecPublicKey + KEY ECPoint + PARAMS TYPE ECParameters ARE required + -- Private key format not in this module -- + CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement, + keyCertSign, cRLSign } + } + + ECPoint ::= OCTET STRING -- see RFC 5480 for syntax and restrictions + + id-ecPublicKey OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } + + -- Elliptic Curve (EC) Signatures: Restricted Algorithms + -- (Section 2.1.2 of RFC 5480) + -- + -- EC Diffie-Hellman Algorithm ID + + pk-ecDH PUBLIC-KEY ::= { + IDENTIFIER id-ecDH + KEY ECPoint + PARAMS TYPE ECParameters ARE required + -- Private key format not in this module -- + CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } + } + + id-ecDH OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) schemes(1) + ecdh(12) } + + -- EC Menezes-Qu-Vanstone Algorithm ID + + pk-ecMQV PUBLIC-KEY ::= { + IDENTIFIER id-ecMQV + KEY ECPoint + PARAMS TYPE ECParameters ARE required + -- Private key format not in this module -- + CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } + } + + + + +Hoffman & Schaad Informational [Page 27] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + id-ecMQV OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) schemes(1) + ecmqv(13) } + + -- Parameters and Keys for both Restricted and Unrestricted EC + + ECParameters ::= CHOICE { + namedCurve CURVE.&id({NamedCurve}) + -- implicitCurve NULL + -- implicitCurve MUST NOT be used in PKIX + -- specifiedCurve SpecifiedCurve + -- specifiedCurve MUST NOT be used in PKIX + -- Details for specifiedCurve can be found in [X9.62] + -- Any future additions to this CHOICE should be coordinated + -- with ANSI X.9. + } + -- If you need to be able to decode ANSI X.9 parameter structures, + -- uncomment the implicitCurve and specifiedCurve above, and also + -- uncomment the following: + --(WITH COMPONENTS {namedCurve PRESENT}) + + -- Sec 2.1.1.1 Named Curve + + CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE } + WITH SYNTAX { ID &id } + + NamedCurve CURVE ::= { + { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } | + { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } | + { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } | + { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } | + { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 }, + ... -- Extensible + } + + -- Note in [X9.62] the curves are referred to as 'ansiX9' as + -- opposed to 'sec'. For example, secp192r1 is the same curve as + -- ansix9p192r1. + + -- Note that in [PKI-ALG] the secp192r1 curve was referred to as + -- prime192v1 and the secp256r1 curve was referred to as + -- prime256v1. + + -- Note that [FIPS186-3] refers to secp192r1 as P-192, + -- secp224r1 as P-224, secp256r1 as P-256, secp384r1 as P-384, + -- and secp521r1 as P-521. + + secp192r1 OBJECT IDENTIFIER ::= { + + + +Hoffman & Schaad Informational [Page 28] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) + prime(1) 1 } + + sect163k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 1 } + + sect163r2 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 15 } + + secp224r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 33 } + + sect233k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 26 } + + sect233r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 27 } + + secp256r1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) + prime(1) 7 } + + sect283k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 16 } + + sect283r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 17 } + + secp384r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 34 } + + sect409k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 36 } + + sect409r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 37 } + + secp521r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 35 } + + sect571k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 38 } + + sect571r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 39 } + + -- RSA with MD-2 + + + + +Hoffman & Schaad Informational [Page 29] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + sa-rsaWithMD2 SIGNATURE-ALGORITHM ::= { + IDENTIFIER md2WithRSAEncryption + PARAMS TYPE NULL ARE required + HASHES { mda-md2 } + PUBLIC-KEYS { pk-rsa } + SMIME-CAPS { IDENTIFIED BY md2WithRSAEncryption } + } + + md2WithRSAEncryption OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 2 } + + -- RSA with MD-5 + + sa-rsaWithMD5 SIGNATURE-ALGORITHM ::= { + IDENTIFIER md5WithRSAEncryption + PARAMS TYPE NULL ARE required + HASHES { mda-md5 } + PUBLIC-KEYS { pk-rsa } + SMIME-CAPS { IDENTIFIED BY md5WithRSAEncryption } + } + + md5WithRSAEncryption OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 4 } + + -- RSA with SHA-1 + + sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= { + IDENTIFIER sha1WithRSAEncryption + PARAMS TYPE NULL ARE required + HASHES { mda-sha1 } + PUBLIC-KEYS { pk-rsa } + SMIME-CAPS {IDENTIFIED BY sha1WithRSAEncryption } + } + + sha1WithRSAEncryption OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 5 } + + -- DSA with SHA-1 + + sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= { + IDENTIFIER dsa-with-sha1 + VALUE DSA-Sig-Value + PARAMS TYPE NULL ARE absent + HASHES { mda-sha1 } + PUBLIC-KEYS { pk-dsa } + + + +Hoffman & Schaad Informational [Page 30] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + SMIME-CAPS { IDENTIFIED BY dsa-with-sha1 } + } + + dsa-with-sha1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 } + + -- DSA with SHA-224 + + sa-dsaWithSHA224 SIGNATURE-ALGORITHM ::= { + IDENTIFIER dsa-with-sha224 + VALUE DSA-Sig-Value + PARAMS TYPE NULL ARE absent + HASHES { mda-sha224 } + PUBLIC-KEYS { pk-dsa } + SMIME-CAPS { IDENTIFIED BY dsa-with-sha224 } + } + + dsa-with-sha224 OBJECT IDENTIFIER ::= { + joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) + csor(3) algorithms(4) id-dsa-with-sha2(3) 1 } + + -- DSA with SHA-256 + + sa-dsaWithSHA256 SIGNATURE-ALGORITHM ::= { + IDENTIFIER dsa-with-sha256 + VALUE DSA-Sig-Value + PARAMS TYPE NULL ARE absent + HASHES { mda-sha256 } + PUBLIC-KEYS { pk-dsa } + SMIME-CAPS { IDENTIFIED BY dsa-with-sha256 } + } + + dsa-with-sha256 OBJECT IDENTIFIER ::= { + joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) + csor(3) algorithms(4) id-dsa-with-sha2(3) 2 } + + -- ECDSA with SHA-1 + + sa-ecdsaWithSHA1 SIGNATURE-ALGORITHM ::= { + IDENTIFIER ecdsa-with-SHA1 + VALUE ECDSA-Sig-Value + PARAMS TYPE NULL ARE absent + HASHES { mda-sha1 } + PUBLIC-KEYS { pk-ec } + SMIME-CAPS {IDENTIFIED BY ecdsa-with-SHA1 } + } + + ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { + + + +Hoffman & Schaad Informational [Page 31] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + iso(1) member-body(2) us(840) ansi-X9-62(10045) + signatures(4) 1 } + + -- ECDSA with SHA-224 + + sa-ecdsaWithSHA224 SIGNATURE-ALGORITHM ::= { + IDENTIFIER ecdsa-with-SHA224 + VALUE ECDSA-Sig-Value + PARAMS TYPE NULL ARE absent + HASHES { mda-sha224 } + PUBLIC-KEYS { pk-ec } + SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA224 } + } + + ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) + ecdsa-with-SHA2(3) 1 } + + -- ECDSA with SHA-256 + + sa-ecdsaWithSHA256 SIGNATURE-ALGORITHM ::= { + IDENTIFIER ecdsa-with-SHA256 + VALUE ECDSA-Sig-Value + PARAMS TYPE NULL ARE absent + HASHES { mda-sha256 } + PUBLIC-KEYS { pk-ec } + SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA256 } + } + + ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) + ecdsa-with-SHA2(3) 2 } + + -- ECDSA with SHA-384 + + sa-ecdsaWithSHA384 SIGNATURE-ALGORITHM ::= { + IDENTIFIER ecdsa-with-SHA384 + VALUE ECDSA-Sig-Value + PARAMS TYPE NULL ARE absent + HASHES { mda-sha384 } + PUBLIC-KEYS { pk-ec } + SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA384 } + } + ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) + ecdsa-with-SHA2(3) 3 } + + -- ECDSA with SHA-512 + + + +Hoffman & Schaad Informational [Page 32] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + sa-ecdsaWithSHA512 SIGNATURE-ALGORITHM ::= { + IDENTIFIER ecdsa-with-SHA512 + VALUE ECDSA-Sig-Value + PARAMS TYPE NULL ARE absent + HASHES { mda-sha512 } + PUBLIC-KEYS { pk-ec } + SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA512 } + } + + ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) + ecdsa-with-SHA2(3) 4 } + + -- + -- Signature Values + -- + + -- DSA + + DSA-Sig-Value ::= SEQUENCE { + r INTEGER, + s INTEGER + } + + -- ECDSA + + ECDSA-Sig-Value ::= SEQUENCE { + r INTEGER, + s INTEGER + } + + -- + -- Message Digest Algorithms (mda-) + -- + + HashAlgs DIGEST-ALGORITHM ::= { + mda-md2 | + mda-md5 | + mda-sha1, + ... -- Extensible + } + -- MD-2 + + mda-md2 DIGEST-ALGORITHM ::= { + IDENTIFIER id-md2 + PARAMS TYPE NULL ARE preferredAbsent + } + + + + +Hoffman & Schaad Informational [Page 33] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + id-md2 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) + digestAlgorithm(2) 2 } + + -- MD-5 + + mda-md5 DIGEST-ALGORITHM ::= { + IDENTIFIER id-md5 + PARAMS TYPE NULL ARE preferredAbsent + } + + id-md5 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) + digestAlgorithm(2) 5 } + + -- SHA-1 + + mda-sha1 DIGEST-ALGORITHM ::= { + IDENTIFIER id-sha1 + PARAMS TYPE NULL ARE preferredAbsent + } + + id-sha1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) oiw(14) secsig(3) + algorithm(2) 26 } + + END + +7. ASN.1 Module for RFC 3852 (Attribute Certificate v1) + + AttributeCertificateVersion1-2009 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-v1AttrCert-02(49)} + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + IMPORTS + + SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{} + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } + + + + +Hoffman & Schaad Informational [Page 34] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + CertificateSerialNumber, UniqueIdentifier, SIGNED{} + FROM PKIX1Explicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } + + GeneralNames + FROM PKIX1Implicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } + + AttCertValidityPeriod, IssuerSerial + FROM PKIXAttributeCertificate-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } ; + + -- Definition extracted from X.509-1997 [X.509-97], but + -- different type names are used to avoid collisions. + + AttributeCertificateV1 ::= SIGNED{AttributeCertificateInfoV1} + + AttributeCertificateInfoV1 ::= SEQUENCE { + version AttCertVersionV1 DEFAULT v1, + subject CHOICE { + baseCertificateID [0] IssuerSerial, + -- associated with a Public Key Certificate + subjectName [1] GeneralNames }, + -- associated with a name + issuer GeneralNames, + signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}}, + serialNumber CertificateSerialNumber, + attCertValidityPeriod AttCertValidityPeriod, + attributes SEQUENCE OF AttributeSet{{AttrList}}, + issuerUniqueID UniqueIdentifier OPTIONAL, + extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL } + + AttCertVersionV1 ::= INTEGER { v1(0) } + + AttrList ATTRIBUTE ::= {...} + AttributeCertExtensionsV1 EXTENSION ::= {...} + + END + + + + + + + + + + +Hoffman & Schaad Informational [Page 35] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +8. ASN.1 Module for RFC 4055 + + PKIX1-PSS-OAEP-Algorithms-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)} + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + IMPORTS + + AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-TRANSPORT, + SIGNATURE-ALGORITHM, PUBLIC-KEY, SMIME-CAPS + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + id-sha1, mda-sha1, pk-rsa, RSAPublicKey + FROM PKIXAlgs-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms2008-02(56)}; + + -- ============================ + -- Object Set exports + -- ============================ + -- + -- Define top-level symbols with all of the objects defined for + -- export to other modules. These objects would be included as part + -- of an Object Set to restrict the set of legal values. + -- + + PublicKeys PUBLIC-KEY ::= { pk-rsaSSA-PSS | pk-rsaES-OAEP, ... } + SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-rsaSSA-PSS, ...} + KeyTransportAlgs KEY-TRANSPORT ::= { kta-rsaES-OAEP, ... } + HashAlgs DIGEST-ALGORITHM ::= { mda-sha224 | mda-sha256 | mda-sha384 + | mda-sha512, ... } + SMimeCaps SMIME-CAPS ::= { + sa-rsaSSA-PSS.&smimeCaps | + kta-rsaES-OAEP.&smimeCaps, + ... + } + + -- ============================= + -- Algorithm Objects + -- ============================= + + -- + -- Public key object for PSS signatures + + + +Hoffman & Schaad Informational [Page 36] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- + + pk-rsaSSA-PSS PUBLIC-KEY ::= { + IDENTIFIER id-RSASSA-PSS + KEY RSAPublicKey + PARAMS TYPE RSASSA-PSS-params ARE optional + -- Private key format not in this module -- + CERT-KEY-USAGE { nonRepudiation, digitalSignature, + keyCertSign, cRLSign } + } + + -- + -- Signature algorithm definition for PSS signatures + -- + + sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= { + IDENTIFIER id-RSASSA-PSS + PARAMS TYPE RSASSA-PSS-params ARE required + HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384 + | mda-sha512 } + PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS } + SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS } + } + + -- + -- Signature algorithm definitions for PKCS v1.5 signatures + -- + + sa-sha224WithRSAEncryption SIGNATURE-ALGORITHM ::= { + IDENTIFIER sha224WithRSAEncryption + PARAMS TYPE NULL ARE required + HASHES { mda-sha224 } + PUBLIC-KEYS { pk-rsa } + SMIME-CAPS { IDENTIFIED BY sha224WithRSAEncryption } + } + sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 } + + sa-sha256WithRSAEncryption SIGNATURE-ALGORITHM ::= { + IDENTIFIER sha256WithRSAEncryption + PARAMS TYPE NULL ARE required + HASHES { mda-sha256 } + PUBLIC-KEYS { pk-rsa } + SMIME-CAPS { IDENTIFIED BY sha256WithRSAEncryption } + } + sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } + + sa-sha384WithRSAEncryption SIGNATURE-ALGORITHM ::= { + IDENTIFIER sha384WithRSAEncryption + + + +Hoffman & Schaad Informational [Page 37] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + PARAMS TYPE NULL ARE required + HASHES { mda-sha384 } + PUBLIC-KEYS { pk-rsa } + SMIME-CAPS { IDENTIFIED BY sha384WithRSAEncryption } + } + sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } + + sa-sha512WithRSAEncryption SIGNATURE-ALGORITHM ::= { + IDENTIFIER sha512WithRSAEncryption + PARAMS TYPE NULL ARE required + HASHES { mda-sha512 } + PUBLIC-KEYS { pk-rsa } + SMIME-CAPS { IDENTIFIED BY sha512WithRSAEncryption } + } + sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } + + -- + -- Public key definition for OAEP encryption + -- + + pk-rsaES-OAEP PUBLIC-KEY ::= { + IDENTIFIER id-RSAES-OAEP + KEY RSAPublicKey + PARAMS TYPE RSAES-OAEP-params ARE optional + -- Private key format not in this module -- + CERT-KEY-USAGE {keyEncipherment, dataEncipherment} + } + + -- + -- Key transport key lock definition for OAEP encryption + -- + + kta-rsaES-OAEP KEY-TRANSPORT ::= { + IDENTIFIER id-RSAES-OAEP + PARAMS TYPE RSAES-OAEP-params ARE required + PUBLIC-KEYS { pk-rsa | pk-rsaES-OAEP } + SMIME-CAPS { TYPE RSAES-OAEP-params IDENTIFIED BY id-RSAES-OAEP} + } + -- ============================ + -- Basic object identifiers + -- ============================ + + pkcs-1 OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } + + -- When rsaEncryption is used in an AlgorithmIdentifier, the + -- parameters MUST be present and MUST be NULL. + + + + +Hoffman & Schaad Informational [Page 38] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } + + -- When id-RSAES-OAEP is used in an AlgorithmIdentifier, + -- and the parameters field is present, it MUST be + -- RSAES-OAEP-params. + + id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 } + + -- When id-mgf1 is used in an AlgorithmIdentifier, the parameters + -- MUST be present and MUST be a HashAlgorithm. + + id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 } + + -- When id-pSpecified is used in an AlgorithmIdentifier, the + -- parameters MUST be an OCTET STRING. + + id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 } + + -- When id-RSASSA-PSS is used in an AlgorithmIdentifier, and the + -- parameters field is present, it MUST be RSASSA-PSS-params. + + id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 } + + -- When the following OIDs are used in an AlgorithmIdentifier, the + -- parameters SHOULD be absent, but if the parameters are present, + -- they MUST be NULL. + + -- + -- id-sha1 is imported from RFC 3279. Additionally, the v1.5 + -- signature algorithms (i.e., rsaWithSHA256) are now solely placed + -- in that module. + -- + + id-sha224 OBJECT IDENTIFIER ::= + { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) + csor(3) nistAlgorithms(4) hashalgs(2) 4 } + + mda-sha224 DIGEST-ALGORITHM ::= { + IDENTIFIER id-sha224 + PARAMS TYPE NULL ARE preferredAbsent + } + + id-sha256 OBJECT IDENTIFIER ::= + { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) + csor(3) nistAlgorithms(4) hashalgs(2) 1 } + + mda-sha256 DIGEST-ALGORITHM ::= { + IDENTIFIER id-sha256 + + + +Hoffman & Schaad Informational [Page 39] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + PARAMS TYPE NULL ARE preferredAbsent + } + id-sha384 OBJECT IDENTIFIER ::= + { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) + csor(3) nistAlgorithms(4) hashalgs(2) 2 } + + mda-sha384 DIGEST-ALGORITHM ::= { + IDENTIFIER id-sha384 + PARAMS TYPE NULL ARE preferredAbsent + } + id-sha512 OBJECT IDENTIFIER ::= + { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) + csor(3) nistAlgorithms(4) hashalgs(2) 3 } + + mda-sha512 DIGEST-ALGORITHM ::= { + IDENTIFIER id-sha512 + PARAMS TYPE NULL ARE preferredAbsent + } + + -- ============= + -- Constants + -- ============= + + EncodingParameters ::= OCTET STRING(SIZE(0..MAX)) + + nullOctetString EncodingParameters ::= ''H + + nullParameters NULL ::= NULL + + -- ========================= + -- Algorithm Identifiers + -- ========================= + + HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM, + {HashAlgorithms}} + + HashAlgorithms DIGEST-ALGORITHM ::= { + { IDENTIFIER id-sha1 PARAMS TYPE NULL ARE preferredPresent } | + { IDENTIFIER id-sha224 PARAMS TYPE NULL ARE preferredPresent } | + { IDENTIFIER id-sha256 PARAMS TYPE NULL ARE preferredPresent } | + { IDENTIFIER id-sha384 PARAMS TYPE NULL ARE preferredPresent } | + { IDENTIFIER id-sha512 PARAMS TYPE NULL ARE preferredPresent } + } + + sha1Identifier HashAlgorithm ::= { + algorithm id-sha1, + parameters NULL : NULL + } + + + +Hoffman & Schaad Informational [Page 40] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- + -- We have a default algorithm - create the value here + -- + + MaskGenAlgorithm ::= AlgorithmIdentifier{ALGORITHM, + {PKCS1MGFAlgorithms}} + + mgf1SHA1 MaskGenAlgorithm ::= { + algorithm id-mgf1, + parameters HashAlgorithm : sha1Identifier + } + + -- + -- Define the set of mask generation functions + -- + -- If the identifier is id-mgf1, any of the listed hash + -- algorithms may be used. + -- + + PKCS1MGFAlgorithms ALGORITHM ::= { + { IDENTIFIER id-mgf1 PARAMS TYPE HashAlgorithm ARE required }, + ... + } + + -- + -- Define the set of known source algorithms for PSS + -- + + PSourceAlgorithm ::= AlgorithmIdentifier{ALGORITHM, + {PSS-SourceAlgorithms}} + + PSS-SourceAlgorithms ALGORITHM ::= { + { IDENTIFIER id-pSpecified PARAMS TYPE EncodingParameters + ARE required }, + ... + } + pSpecifiedEmpty PSourceAlgorithm ::= { + algorithm id-pSpecified, + parameters EncodingParameters : nullOctetString + } + + -- =================== + -- Main structures + -- =================== + + -- AlgorithmIdentifier parameters for id-RSASSA-PSS. + -- Note that the tags in this Sequence are explicit. + -- Note: The hash algorithm in hashAlgorithm and in + + + +Hoffman & Schaad Informational [Page 41] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- maskGenAlgorithm should be the same. + + RSASSA-PSS-params ::= SEQUENCE { + hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier, + maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1, + saltLength [2] INTEGER DEFAULT 20, + trailerField [3] INTEGER DEFAULT 1 + } + + -- AlgorithmIdentifier parameters for id-RSAES-OAEP. + -- Note that the tags in this Sequence are explicit. + -- Note: The hash algorithm in hashFunc and in + -- maskGenFunc should be the same. + + RSAES-OAEP-params ::= SEQUENCE { + hashFunc [0] HashAlgorithm DEFAULT sha1Identifier, + maskGenFunc [1] MaskGenAlgorithm DEFAULT mgf1SHA1, + pSourceFunc [2] PSourceAlgorithm DEFAULT + pSpecifiedEmpty + } + + END + +9. ASN.1 Module for RFC 4210 + + PKIXCMP-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-cmp2000-02(50) } + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + IMPORTS + + AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} + + AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM, + DIGEST-ALGORITHM, MAC-ALGORITHM + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + Certificate, CertificateList + FROM PKIX1Explicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} + + + +Hoffman & Schaad Informational [Page 42] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + GeneralName, KeyIdentifier + FROM PKIX1Implicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} + + CertTemplate, PKIPublicationInfo, EncryptedValue, CertId, + CertReqMessages + FROM PKIXCRMF-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55) } + -- see also the behavioral clarifications to CRMF codified in + -- Appendix C of this specification + + CertificationRequest + FROM PKCS-10 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkcs10-2009(69)} + -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT + -- tags). Alternatively, implementers may directly include + -- the [PKCS10] syntax in this module + ; + + -- the rest of the module contains locally defined OIDs and + -- constructs + + CMPCertificate ::= CHOICE { x509v3PKCert Certificate, ... } + -- This syntax, while bits-on-the-wire compatible with the + -- standard X.509 definition of "Certificate", allows the + -- possibility of future certificate types (such as X.509 + -- attribute certificates, WAP WTLS certificates, or other kinds + -- of certificates) within this certificate management protocol, + -- should a need ever arise to support such generality. Those + -- implementations that do not foresee a need to ever support + -- other certificate types MAY, if they wish, comment out the + -- above structure and "uncomment" the following one prior to + -- compiling this ASN.1 module. (Note that interoperability + -- with implementations that don't do this will be unaffected by + -- this change.) + + -- CMPCertificate ::= Certificate + + PKIMessage ::= SEQUENCE { + header PKIHeader, + body PKIBody, + protection [0] PKIProtection OPTIONAL, + extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate + OPTIONAL } + + + + +Hoffman & Schaad Informational [Page 43] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage + + PKIHeader ::= SEQUENCE { + pvno INTEGER { cmp1999(1), cmp2000(2) }, + sender GeneralName, + -- identifies the sender + recipient GeneralName, + -- identifies the intended recipient + messageTime [0] GeneralizedTime OPTIONAL, + -- time of production of this message (used when sender + -- believes that the transport will be "suitable"; i.e., + -- that the time will still be meaningful upon receipt) + protectionAlg [1] AlgorithmIdentifier{ALGORITHM, {...}} + OPTIONAL, + -- algorithm used for calculation of protection bits + senderKID [2] KeyIdentifier OPTIONAL, + recipKID [3] KeyIdentifier OPTIONAL, + -- to identify specific keys used for protection + transactionID [4] OCTET STRING OPTIONAL, + -- identifies the transaction; i.e., this will be the same in + -- corresponding request, response, certConf, and PKIConf + -- messages + senderNonce [5] OCTET STRING OPTIONAL, + recipNonce [6] OCTET STRING OPTIONAL, + -- nonces used to provide replay protection, senderNonce + -- is inserted by the creator of this message; recipNonce + -- is a nonce previously inserted in a related message by + -- the intended recipient of this message + freeText [7] PKIFreeText OPTIONAL, + -- this may be used to indicate context-specific instructions + -- (this field is intended for human consumption) + generalInfo [8] SEQUENCE SIZE (1..MAX) OF + InfoTypeAndValue OPTIONAL + -- this may be used to convey context-specific information + -- (this field not primarily intended for human consumption) + } + + PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String + -- text encoded as UTF-8 String [RFC3629] (note: each + -- UTF8String MAY include an [RFC3066] language tag + -- to indicate the language of the contained text; + -- see [RFC2482] for details) + + PKIBody ::= CHOICE { -- message-specific body elements + ir [0] CertReqMessages, --Initialization Request + ip [1] CertRepMessage, --Initialization Response + cr [2] CertReqMessages, --Certification Request + cp [3] CertRepMessage, --Certification Response + + + +Hoffman & Schaad Informational [Page 44] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + p10cr [4] CertificationRequest, --imported from [PKCS10] + popdecc [5] POPODecKeyChallContent, --pop Challenge + popdecr [6] POPODecKeyRespContent, --pop Response + kur [7] CertReqMessages, --Key Update Request + kup [8] CertRepMessage, --Key Update Response + krr [9] CertReqMessages, --Key Recovery Request + krp [10] KeyRecRepContent, --Key Recovery Response + rr [11] RevReqContent, --Revocation Request + rp [12] RevRepContent, --Revocation Response + ccr [13] CertReqMessages, --Cross-Cert. Request + ccp [14] CertRepMessage, --Cross-Cert. Response + ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. + cann [16] CertAnnContent, --Certificate Ann. + rann [17] RevAnnContent, --Revocation Ann. + crlann [18] CRLAnnContent, --CRL Announcement + pkiconf [19] PKIConfirmContent, --Confirmation + nested [20] NestedMessageContent, --Nested Message + genm [21] GenMsgContent, --General Message + genp [22] GenRepContent, --General Response + error [23] ErrorMsgContent, --Error Message + certConf [24] CertConfirmContent, --Certificate confirm + pollReq [25] PollReqContent, --Polling request + pollRep [26] PollRepContent --Polling response + } + + PKIProtection ::= BIT STRING + + ProtectedPart ::= SEQUENCE { + header PKIHeader, + body PKIBody } + + id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2) + usa(840) nt(113533) nsn(7) algorithms(66) 13 } + PBMParameter ::= SEQUENCE { + salt OCTET STRING, + -- note: implementations MAY wish to limit acceptable sizes + -- of this string to values appropriate for their environment + -- in order to reduce the risk of denial-of-service attacks + owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}, + -- AlgId for a One-Way Function (SHA-1 recommended) + iterationCount INTEGER, + -- number of times the OWF is applied + -- note: implementations MAY wish to limit acceptable sizes + -- of this integer to values appropriate for their environment + -- in order to reduce the risk of denial-of-service attacks + mac AlgorithmIdentifier{MAC-ALGORITHM, {...}} + -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], + -- or HMAC [RFC2104, RFC2202]) + + + +Hoffman & Schaad Informational [Page 45] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + } + + id-DHBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2) + usa(840) nt(113533) nsn(7) algorithms(66) 30 } + DHBMParameter ::= SEQUENCE { + owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}, + -- AlgId for a One-Way Function (SHA-1 recommended) + mac AlgorithmIdentifier{MAC-ALGORITHM, {...}} + -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], + -- or HMAC [RFC2104, RFC2202]) + } + + PKIStatus ::= INTEGER { + accepted (0), + -- you got exactly what you asked for + grantedWithMods (1), + -- you got something like what you asked for; the + -- requester is responsible for ascertaining the differences + rejection (2), + -- you don't get it, more information elsewhere in the message + waiting (3), + -- the request body part has not yet been processed; expect to + -- hear more later (note: proper handling of this status + -- response MAY use the polling req/rep PKIMessages specified + -- in Section 5.3.22; alternatively, polling in the underlying + -- transport layer MAY have some utility in this regard) + revocationWarning (4), + -- this message contains a warning that a revocation is + -- imminent + revocationNotification (5), + -- notification that a revocation has occurred + keyUpdateWarning (6) + -- update already done for the oldCertId specified in + -- CertReqMsg + } + + PKIFailureInfo ::= BIT STRING { + -- since we can fail in more than one way! + -- More codes may be added in the future if/when required. + badAlg (0), + -- unrecognized or unsupported Algorithm Identifier + badMessageCheck (1), + -- integrity check failed (e.g., signature did not verify) + badRequest (2), + -- transaction not permitted or supported + badTime (3), + -- messageTime was not sufficiently close to the system time, + -- as defined by local policy + + + +Hoffman & Schaad Informational [Page 46] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + badCertId (4), + -- no certificate could be found matching the provided criteria + badDataFormat (5), + -- the data submitted has the wrong format + wrongAuthority (6), + -- the authority indicated in the request is different from the + -- one creating the response token + incorrectData (7), + -- the requester's data is incorrect (for notary services) + missingTimeStamp (8), + -- when the timestamp is missing but should be there + -- (by policy) + badPOP (9), + -- the proof-of-possession failed + certRevoked (10), + -- the certificate has already been revoked + certConfirmed (11), + -- the certificate has already been confirmed + wrongIntegrity (12), + -- invalid integrity, password based instead of signature or + -- vice versa + badRecipientNonce (13), + -- invalid recipient nonce, either missing or wrong value + timeNotAvailable (14), + -- the TSA's time source is not available + unacceptedPolicy (15), + -- the requested TSA policy is not supported by the TSA + unacceptedExtension (16), + -- the requested extension is not supported by the TSA + addInfoNotAvailable (17), + -- the additional information requested could not be + -- understood or is not available + badSenderNonce (18), + -- invalid sender nonce, either missing or wrong size + badCertTemplate (19), + -- invalid cert. template or missing mandatory information + signerNotTrusted (20), + -- signer of the message unknown or not trusted + transactionIdInUse (21), + -- the transaction identifier is already in use + unsupportedVersion (22), + -- the version of the message is not supported + notAuthorized (23), + -- the sender was not authorized to make the preceding + -- request or perform the preceding action + systemUnavail (24), + -- the request cannot be handled due to system unavailability + systemFailure (25), + + + +Hoffman & Schaad Informational [Page 47] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- the request cannot be handled due to system failure + duplicateCertReq (26) + -- certificate cannot be issued because a duplicate + -- certificate already exists + } + + PKIStatusInfo ::= SEQUENCE { + status PKIStatus, + statusString PKIFreeText OPTIONAL, + failInfo PKIFailureInfo OPTIONAL } + + OOBCert ::= CMPCertificate + + OOBCertHash ::= SEQUENCE { + hashAlg [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}} + OPTIONAL, + certId [1] CertId OPTIONAL, + hashVal BIT STRING + -- hashVal is calculated over the DER encoding of the + -- self-signed certificate with the identifier certID. + } + + POPODecKeyChallContent ::= SEQUENCE OF Challenge + -- One Challenge per encryption key certification request (in the + -- same order as these requests appear in CertReqMessages). + + Challenge ::= SEQUENCE { + owf AlgorithmIdentifier{DIGEST-ALGORITHM, {...}} + OPTIONAL, + -- MUST be present in the first Challenge; MAY be omitted in + -- any subsequent Challenge in POPODecKeyChallContent (if + -- omitted, then the owf used in the immediately preceding + -- Challenge is to be used). + witness OCTET STRING, + -- the result of applying the one-way function (owf) to a + -- randomly-generated INTEGER, A. [Note that a different + -- INTEGER MUST be used for each Challenge.] + challenge OCTET STRING + -- the encryption (under the public key for which the cert. + -- request is being made) of Rand, where Rand is specified as + -- Rand ::= SEQUENCE { + -- int INTEGER, + -- - the randomly-generated INTEGER A (above) + -- sender GeneralName + -- - the sender's name (as included in PKIHeader) + -- } + } + + + + +Hoffman & Schaad Informational [Page 48] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + POPODecKeyRespContent ::= SEQUENCE OF INTEGER + -- One INTEGER per encryption key certification request (in the + -- same order as these requests appear in CertReqMessages). The + -- retrieved INTEGER A (above) is returned to the sender of the + -- corresponding Challenge. + + CertRepMessage ::= SEQUENCE { + caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate + OPTIONAL, + response SEQUENCE OF CertResponse } + + CertResponse ::= SEQUENCE { + certReqId INTEGER, + -- to match this response with the corresponding request (a value + -- of -1 is to be used if certReqId is not specified in the + -- corresponding request) + status PKIStatusInfo, + certifiedKeyPair CertifiedKeyPair OPTIONAL, + rspInfo OCTET STRING OPTIONAL + -- analogous to the id-regInfo-utf8Pairs string defined + -- for regInfo in CertReqMsg [RFC4211] + } + + CertifiedKeyPair ::= SEQUENCE { + certOrEncCert CertOrEncCert, + privateKey [0] EncryptedValue OPTIONAL, + -- see [RFC4211] for comment on encoding + publicationInfo [1] PKIPublicationInfo OPTIONAL } + + CertOrEncCert ::= CHOICE { + certificate [0] CMPCertificate, + encryptedCert [1] EncryptedValue } + KeyRecRepContent ::= SEQUENCE { + status PKIStatusInfo, + newSigCert [0] CMPCertificate OPTIONAL, + caCerts [1] SEQUENCE SIZE (1..MAX) OF + CMPCertificate OPTIONAL, + keyPairHist [2] SEQUENCE SIZE (1..MAX) OF + CertifiedKeyPair OPTIONAL } + + RevReqContent ::= SEQUENCE OF RevDetails + + RevDetails ::= SEQUENCE { + certDetails CertTemplate, + -- allows requester to specify as much as they can about + -- the cert. for which revocation is requested + -- (e.g., for cases in which serialNumber is not available) + crlEntryDetails Extensions{{...}} OPTIONAL + + + +Hoffman & Schaad Informational [Page 49] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- requested crlEntryExtensions + } + + RevRepContent ::= SEQUENCE { + status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, + -- in same order as was sent in RevReqContent + revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL, + -- IDs for which revocation was requested + -- (same order as status) + crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL + -- the resulting CRLs (there may be more than one) + } + + CAKeyUpdAnnContent ::= SEQUENCE { + oldWithNew CMPCertificate, -- old pub signed with new priv + newWithOld CMPCertificate, -- new pub signed with old priv + newWithNew CMPCertificate -- new pub signed with new priv + } + + CertAnnContent ::= CMPCertificate + + RevAnnContent ::= SEQUENCE { + status PKIStatus, + certId CertId, + willBeRevokedAt GeneralizedTime, + badSinceDate GeneralizedTime, + crlDetails Extensions{{...}} OPTIONAL + -- extra CRL details (e.g., crl number, reason, location, etc.) + } + + CRLAnnContent ::= SEQUENCE OF CertificateList + PKIConfirmContent ::= NULL + + NestedMessageContent ::= PKIMessages + + INFO-TYPE-AND-VALUE ::= TYPE-IDENTIFIER + + InfoTypeAndValue ::= SEQUENCE { + infoType INFO-TYPE-AND-VALUE. + &id({SupportedInfoSet}), + infoValue INFO-TYPE-AND-VALUE. + &Type({SupportedInfoSet}{@infoType}) } + + SupportedInfoSet INFO-TYPE-AND-VALUE ::= { ... } + + -- Example InfoTypeAndValue contents include, but are not limited + -- to, the following (uncomment in this ASN.1 module and use as + -- appropriate for a given environment): + + + +Hoffman & Schaad Informational [Page 50] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- + -- id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1} + -- CAProtEncCertValue ::= CMPCertificate + -- id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2} + -- SignKeyPairTypesValue ::= SEQUENCE OF + -- AlgorithmIdentifier{{...}} + -- id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3} + -- EncKeyPairTypesValue ::= SEQUENCE OF + -- AlgorithmIdentifier{{...}} + -- id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4} + -- PreferredSymmAlgValue ::= AlgorithmIdentifier{{...}} + -- id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5} + -- CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent + -- id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6} + -- CurrentCRLValue ::= CertificateList + -- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7} + -- UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER + -- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10} + -- KeyPairParamReqValue ::= OBJECT IDENTIFIER + -- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11} + -- KeyPairParamRepValue ::= AlgorithmIdentifer + -- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12} + -- RevPassphraseValue ::= EncryptedValue + -- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13} + -- ImplicitConfirmValue ::= NULL + -- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14} + -- ConfirmWaitTimeValue ::= GeneralizedTime + -- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15} + -- OrigPKIMessageValue ::= PKIMessages + -- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16} + -- SuppLangTagsValue ::= SEQUENCE OF UTF8String + -- + -- where + -- + -- id-pkix OBJECT IDENTIFIER ::= { + -- iso(1) identified-organization(3) + -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} + -- and + -- id-it OBJECT IDENTIFIER ::= {id-pkix 4} + -- + -- + -- This construct MAY also be used to define new PKIX Certificate + -- Management Protocol request and response messages, or general- + -- purpose (e.g., announcement) messages for future needs or for + -- specific environments. + + GenMsgContent ::= SEQUENCE OF InfoTypeAndValue + + + + +Hoffman & Schaad Informational [Page 51] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- May be sent by EE, RA, or CA (depending on message content). + -- The OPTIONAL infoValue parameter of InfoTypeAndValue will + -- typically be omitted for some of the examples given above. + -- The receiver is free to ignore any contained OBJECT IDs that it + -- does not recognize. If sent from EE to CA, the empty set + -- indicates that the CA may send + -- any/all information that it wishes. + + GenRepContent ::= SEQUENCE OF InfoTypeAndValue + -- Receiver MAY ignore any contained OIDs that it does not + -- recognize. + + ErrorMsgContent ::= SEQUENCE { + pKIStatusInfo PKIStatusInfo, + errorCode INTEGER OPTIONAL, + -- implementation-specific error codes + errorDetails PKIFreeText OPTIONAL + -- implementation-specific error details + } + + CertConfirmContent ::= SEQUENCE OF CertStatus + + CertStatus ::= SEQUENCE { + certHash OCTET STRING, + -- the hash of the certificate, using the same hash algorithm + -- as is used to create and verify the certificate signature + certReqId INTEGER, + -- to match this confirmation with the corresponding req/rep + statusInfo PKIStatusInfo OPTIONAL } + + PollReqContent ::= SEQUENCE OF SEQUENCE { + certReqId INTEGER } + + PollRepContent ::= SEQUENCE OF SEQUENCE { + certReqId INTEGER, + checkAfter INTEGER, -- time in seconds + reason PKIFreeText OPTIONAL } + + END + + + + + + + + + + + + +Hoffman & Schaad Informational [Page 52] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +10. ASN.1 Module for RFC 4211 + + PKIXCRMF-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)} + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE, + SingleAttribute{} + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkixCommon-02(57) } + + AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, ALGORITHM, + DIGEST-ALGORITHM, MAC-ALGORITHM, PUBLIC-KEY + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + Version, Name, Time, SubjectPublicKeyInfo, UniqueIdentifier, id-pkix, + SignatureAlgorithms + FROM PKIX1Explicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} + + GeneralName, CertExtensions + FROM PKIX1Implicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} + + EnvelopedData, CONTENT-TYPE + FROM CryptographicMessageSyntax-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-2004-02(41)} + maca-hMAC-SHA1 + FROM CryptographicMessageSyntaxAlgorithms-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cmsalg-2001-02(37) } + + mda-sha1 + FROM PKIXAlgs-2009 + { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms2008-02(56) } ; + + + +Hoffman & Schaad Informational [Page 53] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- arc for Internet X.509 PKI protocols and their components + + id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 } + + id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } + + id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types + + -- Core definitions for this module + + CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg + + CertReqMsg ::= SEQUENCE { + certReq CertRequest, + popo ProofOfPossession OPTIONAL, + -- content depends upon key type + regInfo SEQUENCE SIZE(1..MAX) OF + SingleAttribute{{RegInfoSet}} OPTIONAL } + + CertRequest ::= SEQUENCE { + certReqId INTEGER, + -- ID for matching request and reply + certTemplate CertTemplate, + -- Selected fields of cert to be issued + controls Controls OPTIONAL } + -- Attributes affecting issuance + + CertTemplate ::= SEQUENCE { + version [0] Version OPTIONAL, + serialNumber [1] INTEGER OPTIONAL, + signingAlg [2] AlgorithmIdentifier{SIGNATURE-ALGORITHM, + {SignatureAlgorithms}} OPTIONAL, + issuer [3] Name OPTIONAL, + validity [4] OptionalValidity OPTIONAL, + subject [5] Name OPTIONAL, + publicKey [6] SubjectPublicKeyInfo OPTIONAL, + issuerUID [7] UniqueIdentifier OPTIONAL, + subjectUID [8] UniqueIdentifier OPTIONAL, + extensions [9] Extensions{{CertExtensions}} OPTIONAL } + + OptionalValidity ::= SEQUENCE { + notBefore [0] Time OPTIONAL, + notAfter [1] Time OPTIONAL } -- at least one MUST be present + + Controls ::= SEQUENCE SIZE(1..MAX) OF SingleAttribute + {{RegControlSet}} + + + + +Hoffman & Schaad Informational [Page 54] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + ProofOfPossession ::= CHOICE { + raVerified [0] NULL, + -- used if the RA has already verified that the requester is in + -- possession of the private key + signature [1] POPOSigningKey, + keyEncipherment [2] POPOPrivKey, + keyAgreement [3] POPOPrivKey } + + POPOSigningKey ::= SEQUENCE { + poposkInput [0] POPOSigningKeyInput OPTIONAL, + algorithmIdentifier AlgorithmIdentifier{SIGNATURE-ALGORITHM, + {SignatureAlgorithms}}, + signature BIT STRING } + -- The signature (using "algorithmIdentifier") is on the + -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg + -- certReq CertTemplate contains the subject and publicKey values, + -- then poposkInput MUST be omitted and the signature MUST be + -- computed over the DER-encoded value of CertReqMsg certReq. If + -- the CertReqMsg certReq CertTemplate does not contain both the + -- public key and subject values (i.e., if it contains only one + -- of these, or neither), then poposkInput MUST be present and + -- MUST be signed. + + POPOSigningKeyInput ::= SEQUENCE { + authInfo CHOICE { + sender [0] GeneralName, + -- used only if an authenticated identity has been + -- established for the sender (e.g., a DN from a + -- previously-issued and currently-valid certificate) + publicKeyMAC PKMACValue }, + -- used if no authenticated GeneralName currently exists for + -- the sender; publicKeyMAC contains a password-based MAC + -- on the DER-encoded value of publicKey + publicKey SubjectPublicKeyInfo } -- from CertTemplate + + PKMACValue ::= SEQUENCE { + algId AlgorithmIdentifier{MAC-ALGORITHM, + {Password-MACAlgorithms}}, + value BIT STRING } + + -- + -- Define the currently only acceptable MAC algorithm to be used + -- for the PKMACValue structure + -- + + id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2) + usa(840) nt(113533) nsn(7) algorithms(66) 13 } + + + + +Hoffman & Schaad Informational [Page 55] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + Password-MACAlgorithms MAC-ALGORITHM ::= { + {IDENTIFIER id-PasswordBasedMac + PARAMS TYPE PBMParameter ARE required + IS-KEYED-MAC TRUE + }, ... + } + + PBMParameter ::= SEQUENCE { + salt OCTET STRING, + owf AlgorithmIdentifier{DIGEST-ALGORITHM, + {DigestAlgorithms}}, + -- AlgId for a One-Way Function (SHA-1 recommended) + iterationCount INTEGER, + -- number of times the OWF is applied + mac AlgorithmIdentifier{MAC-ALGORITHM, + {MACAlgorithms}} + -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC, or HMAC + } + + DigestAlgorithms DIGEST-ALGORITHM ::= { + mda-sha1, ... + } + + MACAlgorithms MAC-ALGORITHM ::= { + -- The modules containing the ASN.1 for the DES and 3DES MAC + -- algorithms have not been updated at the time that this is + -- being published. Users of this module should define the + -- appropriate MAC-ALGORITHM objects and uncomment the + -- following lines if they support these MAC algorithms. + -- maca-des-mac | maca-3des-mac -- + maca-hMAC-SHA1, + ... + } + + POPOPrivKey ::= CHOICE { + thisMessage [0] BIT STRING, -- Deprecated + -- possession is proven in this message (which contains + -- the private key itself (encrypted for the CA)) + subsequentMessage [1] SubsequentMessage, + -- possession will be proven in a subsequent message + dhMAC [2] BIT STRING, -- Deprecated + agreeMAC [3] PKMACValue, + encryptedKey [4] EnvelopedData } + -- for keyAgreement (only), possession is proven in this message + -- (which contains a MAC (over the DER-encoded value of the + -- certReq parameter in CertReqMsg, which MUST include both + -- subject and publicKey) based on a key derived from the end + -- entity's private DH key and the CA's public DH key); + + + +Hoffman & Schaad Informational [Page 56] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + SubsequentMessage ::= INTEGER { + encrCert (0), + -- requests that resulting certificate be encrypted for the + -- end entity (following which, POP will be proven in a + -- confirmation message) + challengeResp (1) } + -- requests that CA engage in challenge-response exchange with + -- end entity in order to prove private key possession + + -- + -- id-ct-encKeyWithID content type used as the content type for the + -- EnvelopedData in POPOPrivKey. + -- It contains both a private key and an identifier for key escrow + -- agents to check against recovery requestors. + -- + + ct-encKeyWithID CONTENT-TYPE ::= + { EncKeyWithID IDENTIFIED BY id-ct-encKeyWithID } + + id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} + + EncKeyWithID ::= SEQUENCE { + privateKey PrivateKeyInfo, + identifier CHOICE { + string UTF8String, + generalName GeneralName + } OPTIONAL + } + + PrivateKeyInfo ::= SEQUENCE { + version INTEGER, + privateKeyAlgorithm AlgorithmIdentifier{PUBLIC-KEY, {...}}, + privateKey OCTET STRING, + -- Structure of public key is in PUBLIC-KEY.&PrivateKey + attributes [0] IMPLICIT Attributes OPTIONAL + } + + Attributes ::= SET OF AttributeSet{{PrivateKeyAttributes}} + PrivateKeyAttributes ATTRIBUTE ::= {...} + + -- + -- 6. Registration Controls in CRMF + -- + + id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 } + + RegControlSet ATTRIBUTE ::= { + regCtrl-regToken | regCtrl-authenticator | + + + +Hoffman & Schaad Informational [Page 57] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + regCtrl-pkiPublicationInfo | regCtrl-pkiArchiveOptions | + regCtrl-oldCertID | regCtrl-protocolEncrKey, ... } + + -- + -- 6.1. Registration Token Control + -- + + regCtrl-regToken ATTRIBUTE ::= + { TYPE RegToken IDENTIFIED BY id-regCtrl-regToken } + + id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 } + + RegToken ::= UTF8String + + -- + -- 6.2. Authenticator Control + -- + + regCtrl-authenticator ATTRIBUTE ::= + { TYPE Authenticator IDENTIFIED BY id-regCtrl-authenticator } + + id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 } + + Authenticator ::= UTF8String + + -- + -- 6.3. Publication Information Control + -- + + regCtrl-pkiPublicationInfo ATTRIBUTE ::= + { TYPE PKIPublicationInfo IDENTIFIED BY + id-regCtrl-pkiPublicationInfo } + + id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 } + + PKIPublicationInfo ::= SEQUENCE { + action INTEGER { + dontPublish (0), + pleasePublish (1) }, + pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL } + -- pubInfos MUST NOT be present if action is "dontPublish" + -- (if action is "pleasePublish" and pubInfos is omitted, + -- "dontCare" is assumed) + + SinglePubInfo ::= SEQUENCE { + pubMethod INTEGER { + dontCare (0), + x500 (1), + + + +Hoffman & Schaad Informational [Page 58] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + web (2), + ldap (3) }, + pubLocation GeneralName OPTIONAL } + + -- + -- 6.4. Archive Options Control + -- + + regCtrl-pkiArchiveOptions ATTRIBUTE ::= + { TYPE PKIArchiveOptions IDENTIFIED BY + id-regCtrl-pkiArchiveOptions } + + id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 } + + PKIArchiveOptions ::= CHOICE { + encryptedPrivKey [0] EncryptedKey, + -- the actual value of the private key + keyGenParameters [1] KeyGenParameters, + -- parameters that allow the private key to be re-generated + archiveRemGenPrivKey [2] BOOLEAN } + -- set to TRUE if sender wishes receiver to archive the private + -- key of a key pair that the receiver generates in response to + -- this request; set to FALSE if no archive is desired. + + EncryptedKey ::= CHOICE { + encryptedValue EncryptedValue, -- Deprecated + envelopedData [0] EnvelopedData } + -- The encrypted private key MUST be placed in the envelopedData + -- encryptedContentInfo encryptedContent OCTET STRING. + + -- + -- We skipped doing the full constraints here since this structure + -- has been deprecated in favor of EnvelopedData + -- + + EncryptedValue ::= SEQUENCE { + intendedAlg [0] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, + -- the intended algorithm for which the value will be used + symmAlg [1] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, + -- the symmetric algorithm used to encrypt the value + encSymmKey [2] BIT STRING OPTIONAL, + -- the (encrypted) symmetric key used to encrypt the value + keyAlg [3] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, + -- algorithm used to encrypt the symmetric key + valueHint [4] OCTET STRING OPTIONAL, + -- a brief description or identifier of the encValue content + -- (may be meaningful only to the sending entity, and used only + -- if EncryptedValue might be re-examined by the sending entity + + + +Hoffman & Schaad Informational [Page 59] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- in the future) + encValue BIT STRING } + -- the encrypted value itself + -- When EncryptedValue is used to carry a private key (as opposed to + -- a certificate), implementations MUST support the encValue field + -- containing an encrypted PrivateKeyInfo as defined in [PKCS11], + -- section 12.11. If encValue contains some other format/encoding + -- for the private key, the first octet of valueHint MAY be used + -- to indicate the format/encoding (but note that the possible values + -- of this octet are not specified at this time). In all cases, the + -- intendedAlg field MUST be used to indicate at least the OID of + -- the intended algorithm of the private key, unless this information + -- is known a priori to both sender and receiver by some other means. + + KeyGenParameters ::= OCTET STRING + + -- + -- 6.5. OldCert ID Control + -- + + regCtrl-oldCertID ATTRIBUTE ::= + { TYPE OldCertId IDENTIFIED BY id-regCtrl-oldCertID } + + id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 } + + OldCertId ::= CertId + + CertId ::= SEQUENCE { + issuer GeneralName, + serialNumber INTEGER } + + -- + -- 6.6. Protocol Encryption Key Control + -- + + regCtrl-protocolEncrKey ATTRIBUTE ::= + { TYPE ProtocolEncrKey IDENTIFIED BY id-regCtrl-protocolEncrKey } + id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 } + + ProtocolEncrKey ::= SubjectPublicKeyInfo + + -- + -- 7. Registration Info in CRMF + -- + + id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 } + + RegInfoSet ATTRIBUTE ::= + + + +Hoffman & Schaad Informational [Page 60] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + { regInfo-utf8Pairs | regInfo-certReq } + + -- + -- 7.1. utf8Pairs RegInfo Control + -- + + regInfo-utf8Pairs ATTRIBUTE ::= + { TYPE UTF8Pairs IDENTIFIED BY id-regInfo-utf8Pairs } + + id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= { id-regInfo 1 } + --with syntax + UTF8Pairs ::= UTF8String + + -- + -- 7.2. certReq RegInfo Control + -- + + regInfo-certReq ATTRIBUTE ::= + { TYPE CertReq IDENTIFIED BY id-regInfo-certReq } + + id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 } + --with syntax + CertReq ::= CertRequest + + END + +11. ASN.1 Module for RFC 5055 + + SCVP-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-scvp-02(52) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + Extensions{}, EXTENSION, ATTRIBUTE + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } + + AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, PUBLIC-KEY, KEY-AGREE, + DIGEST-ALGORITHM, KEY-DERIVATION, MAC-ALGORITHM + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + Certificate, CertificateList, CertificateSerialNumber, + + + +Hoffman & Schaad Informational [Page 61] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + SignatureAlgorithms, SubjectPublicKeyInfo + FROM PKIX1Explicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } + + GeneralNames, GeneralName, KeyUsage, KeyPurposeId + FROM PKIX1Implicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } + + AttributeCertificate + FROM PKIXAttributeCertificate-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } + + OCSPResponse + FROM OCSP-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp-02(48) } + + ContentInfo, CONTENT-TYPE + FROM CryptographicMessageSyntax-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-2004-02(41) } + + mda-sha1 + FROM PKIXAlgs-2009 + { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms2008-02(56) } ; + + ContentTypes CONTENT-TYPE ::= {ct-scvp-certValRequest | + ct-scvp-certValResponse | ct-scvp-valPolRequest | + ct-scvp-valPolResponse, ... } + + id-ct OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + id-smime(16) 1 } + + ct-scvp-certValRequest CONTENT-TYPE ::= + { CVRequest IDENTIFIED BY id-ct-scvp-certValRequest } + + id-ct-scvp-certValRequest OBJECT IDENTIFIER ::= { id-ct 10 } + + -- SCVP Certificate Validation Request + + CVRequest ::= SEQUENCE { + cvRequestVersion INTEGER DEFAULT 1, + + + +Hoffman & Schaad Informational [Page 62] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + query Query, + requestorRef [0] GeneralNames OPTIONAL, + requestNonce [1] OCTET STRING OPTIONAL, + requestorName [2] GeneralName OPTIONAL, + responderName [3] GeneralName OPTIONAL, + requestExtensions [4] Extensions{{RequestExtensions}} + OPTIONAL, + signatureAlg [5] AlgorithmIdentifier + {SIGNATURE-ALGORITHM, + {SignatureAlgorithms}} + OPTIONAL, + hashAlg [6] OBJECT IDENTIFIER OPTIONAL, + requestorText [7] UTF8String (SIZE (1..256)) OPTIONAL + } + + -- Set of signature algorithms is coming from RFC 5280 + -- SignatureAlgorithms SIGNATURE-ALGORITHM ::= {...} + + -- Add supported request extensions here; all new items should + -- be added after the extension marker + + RequestExtensions EXTENSION ::= {...} + + Query ::= SEQUENCE { + queriedCerts CertReferences, + checks CertChecks, + wantBack [1] WantBack OPTIONAL, + validationPolicy ValidationPolicy, + responseFlags ResponseFlags OPTIONAL, + serverContextInfo [2] OCTET STRING OPTIONAL, + validationTime [3] GeneralizedTime OPTIONAL, + intermediateCerts [4] CertBundle OPTIONAL, + revInfos [5] RevocationInfos OPTIONAL, + producedAt [6] GeneralizedTime OPTIONAL, + queryExtensions [7] Extensions{{QueryExtensions}} OPTIONAL + } + + -- Add supported query extensions here; all new items should be added + -- after the extension marker + + QueryExtensions EXTENSION ::= {...} + + CertReferences ::= CHOICE { + pkcRefs [0] SEQUENCE SIZE (1..MAX) OF PKCReference, + acRefs [1] SEQUENCE SIZE (1..MAX) OF ACReference + } + + CertReference::= CHOICE { + + + +Hoffman & Schaad Informational [Page 63] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + pkc PKCReference, + ac ACReference + } + + PKCReference ::= CHOICE { + cert [0] Certificate, + pkcRef [1] SCVPCertID + } + + ACReference ::= CHOICE { + attrCert [2] AttributeCertificate, + acRef [3] SCVPCertID + } + + HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM, + {mda-sha1, ...}} + + SCVPCertID ::= SEQUENCE { + certHash OCTET STRING, + issuerSerial SCVPIssuerSerial, + hashAlgorithm HashAlgorithm + DEFAULT { algorithm mda-sha1.&id } + } + + SCVPIssuerSerial ::= SEQUENCE { + issuer GeneralNames, + serialNumber CertificateSerialNumber + } + + ValidationPolicy ::= SEQUENCE { + validationPolRef ValidationPolRef, + validationAlg [0] ValidationAlg OPTIONAL, + userPolicySet [1] SEQUENCE SIZE (1..MAX) OF OBJECT + IDENTIFIER OPTIONAL, + inhibitPolicyMapping [2] BOOLEAN OPTIONAL, + requireExplicitPolicy [3] BOOLEAN OPTIONAL, + inhibitAnyPolicy [4] BOOLEAN OPTIONAL, + trustAnchors [5] TrustAnchors OPTIONAL, + keyUsages [6] SEQUENCE OF KeyUsage OPTIONAL, + extendedKeyUsages [7] SEQUENCE OF KeyPurposeId OPTIONAL, + specifiedKeyUsages [8] SEQUENCE OF KeyPurposeId OPTIONAL + } + + CertChecks ::= SEQUENCE SIZE (1..MAX) OF + OBJECT IDENTIFIER (CertCheckSet | ACertCheckSet, ... ) + + WantBack ::= SEQUENCE SIZE (1..MAX) OF + WANT-BACK.&id ({AllWantBacks}) + + + +Hoffman & Schaad Informational [Page 64] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + POLICY ::= ATTRIBUTE + + ValidationPolRefSet POLICY ::= { + svp-defaultValPolicy, ... + } + + ValidationPolRef ::= SEQUENCE { + valPolId POLICY.&id, + valPolParams POLICY.&Type OPTIONAL + } + + ValidationAlgSet POLICY ::= { + svp-basicValAlg, ... + } + + ValidationAlg ::= SEQUENCE { + valAlgId POLICY.&id, + parameters POLICY.&Type OPTIONAL + } + + NameValidationAlgSet POLICY ::= { + svp-nameValAlg, ... + } + + NameValidationAlgParams ::= SEQUENCE { + nameCompAlgId OBJECT IDENTIFIER (NameCompAlgSet, ... ), + validationNames GeneralNames + } + + TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference + KeyAgreePublicKey ::= SEQUENCE { + algorithm AlgorithmIdentifier{KEY-AGREE, + {SupportedKeyAgreePublicKeys}}, + publicKey BIT STRING, + macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, + {SupportedMACAlgorithms}}, + kDF AlgorithmIdentifier{KEY-DERIVATION, + {SupportedKeyDerivationFunctions}} + OPTIONAL + } + + SupportedKeyAgreePublicKeys KEY-AGREE ::= {...} + SupportedMACAlgorithms MAC-ALGORITHM ::= {...} + SupportedKeyDerivationFunctions KEY-DERIVATION ::= {...} + + ResponseFlags ::= SEQUENCE { + fullRequestInResponse [0] BOOLEAN DEFAULT FALSE, + responseValidationPolByRef [1] BOOLEAN DEFAULT TRUE, + + + +Hoffman & Schaad Informational [Page 65] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + protectResponse [2] BOOLEAN DEFAULT TRUE, + cachedResponse [3] BOOLEAN DEFAULT TRUE + } + + CertBundle ::= SEQUENCE SIZE (1..MAX) OF Certificate + + RevocationInfos ::= SEQUENCE SIZE (1..MAX) OF RevocationInfo + + RevocationInfo ::= CHOICE { + crl [0] CertificateList, + delta-crl [1] CertificateList, + ocsp [2] OCSPResponse, + other [3] OtherRevInfo + } + + REV-INFO ::= TYPE-IDENTIFIER + + OtherRevInfo ::= SEQUENCE { + riType REV-INFO.&id, + riValue REV-INFO.&Type + } + + -- SCVP Certificate Validation Response + + ct-scvp-certValResponse CONTENT-TYPE ::= + { CVResponse IDENTIFIED BY id-ct-scvp-certValResponse } + + id-ct-scvp-certValResponse OBJECT IDENTIFIER ::= { id-ct 11 } + + CVResponse ::= SEQUENCE { + cvResponseVersion INTEGER, + serverConfigurationID INTEGER, + producedAt GeneralizedTime, + responseStatus ResponseStatus, + respValidationPolicy [0] RespValidationPolicy OPTIONAL, + requestRef [1] RequestReference OPTIONAL, + requestorRef [2] GeneralNames OPTIONAL, + requestorName [3] GeneralNames OPTIONAL, + replyObjects [4] ReplyObjects OPTIONAL, + respNonce [5] OCTET STRING OPTIONAL, + serverContextInfo [6] OCTET STRING OPTIONAL, + cvResponseExtensions [7] Extensions{{CVResponseExtensions}} + OPTIONAL, + requestorText [8] UTF8String (SIZE (1..256)) OPTIONAL + } + + -- This document defines no extensions + CVResponseExtensions EXTENSION ::= {...} + + + +Hoffman & Schaad Informational [Page 66] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + ResponseStatus ::= SEQUENCE { + statusCode CVStatusCode DEFAULT okay, + errorMessage UTF8String OPTIONAL + } + + CVStatusCode ::= ENUMERATED { + okay (0), + skipUnrecognizedItems (1), + tooBusy (10), + invalidRequest (11), + internalError (12), + badStructure (20), + unsupportedVersion (21), + abortUnrecognizedItems (22), + unrecognizedSigKey (23), + badSignatureOrMAC (24), + unableToDecode (25), + notAuthorized (26), + unsupportedChecks (27), + unsupportedWantBacks (28), + unsupportedSignatureOrMAC (29), + invalidSignatureOrMAC (30), + protectedResponseUnsupported (31), + unrecognizedResponderName (32), + relayingLoop (40), + unrecognizedValPol (50), + unrecognizedValAlg (51), + fullRequestInResponseUnsupported (52), + fullPolResponseUnsupported (53), + inhibitPolicyMappingUnsupported (54), + requireExplicitPolicyUnsupported (55), + inhibitAnyPolicyUnsupported (56), + validationTimeUnsupported (57), + unrecognizedCritQueryExt (63), + unrecognizedCritRequestExt (64), + ... + } + + RespValidationPolicy ::= ValidationPolicy + + RequestReference ::= CHOICE { + requestHash [0] HashValue, -- hash of CVRequest + fullRequest [1] CVRequest } + + HashValue ::= SEQUENCE { + algorithm HashAlgorithm + DEFAULT { algorithm mda-sha1.&id }, + value OCTET STRING } + + + +Hoffman & Schaad Informational [Page 67] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + ReplyObjects ::= SEQUENCE SIZE (1..MAX) OF CertReply + + CertReply ::= SEQUENCE { + cert CertReference, + replyStatus ReplyStatus DEFAULT success, + replyValTime GeneralizedTime, + replyChecks ReplyChecks, + replyWantBacks ReplyWantBacks, + validationErrors [0] SEQUENCE SIZE (1..MAX) OF + OBJECT IDENTIFIER ( BasicValidationErrorSet | + NameValidationErrorSet, + ... ) OPTIONAL, + nextUpdate [1] GeneralizedTime OPTIONAL, + certReplyExtensions [2] Extensions{{...}} OPTIONAL + } + + ReplyStatus ::= ENUMERATED { + success (0), + malformedPKC (1), + malformedAC (2), + unavailableValidationTime (3), + referenceCertHashFail (4), + certPathConstructFail (5), + certPathNotValid (6), + certPathNotValidNow (7), + wantBackUnsatisfied (8) + } + ReplyChecks ::= SEQUENCE OF ReplyCheck + + ReplyCheck ::= SEQUENCE { + check OBJECT IDENTIFIER (CertCheckSet | ACertCheckSet, ... ), + status INTEGER DEFAULT 0 + } + + ReplyWantBacks ::= SEQUENCE OF ReplyWantBack + + ReplyWantBack::= SEQUENCE { + wb WANT-BACK.&id({AllWantBacks}), + value OCTET STRING + (CONTAINING WANT-BACK.&Type({AllWantBacks}{@wb})) + } + + WANT-BACK ::= TYPE-IDENTIFIER + + AllWantBacks WANT-BACK ::= { + WantBackSet | ACertWantBackSet | AnyWantBackSet, ... + } + + + + +Hoffman & Schaad Informational [Page 68] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + CertBundles ::= SEQUENCE SIZE (1..MAX) OF CertBundle + + RevInfoWantBack ::= SEQUENCE { + revocationInfo RevocationInfos, + extraCerts CertBundle OPTIONAL + } + + SCVPResponses ::= SEQUENCE OF ContentInfo + + -- SCVP Validation Policies Request + + ct-scvp-valPolRequest CONTENT-TYPE ::= + { ValPolRequest IDENTIFIED BY id-ct-scvp-valPolRequest } + + id-ct-scvp-valPolRequest OBJECT IDENTIFIER ::= { id-ct 12 } + + ValPolRequest ::= SEQUENCE { + vpRequestVersion INTEGER DEFAULT 1, + requestNonce OCTET STRING + } + + -- SCVP Validation Policies Response + + ct-scvp-valPolResponse CONTENT-TYPE ::= + { ValPolResponse IDENTIFIED BY id-ct-scvp-valPolResponse } + + id-ct-scvp-valPolResponse OBJECT IDENTIFIER ::= { id-ct 13 } + ValPolResponse ::= SEQUENCE { + vpResponseVersion INTEGER, + maxCVRequestVersion INTEGER, + maxVPRequestVersion INTEGER, + serverConfigurationID INTEGER, + thisUpdate GeneralizedTime, + nextUpdate GeneralizedTime OPTIONAL, + supportedChecks CertChecks, + supportedWantBacks WantBack, + validationPolicies SEQUENCE OF OBJECT IDENTIFIER, + validationAlgs SEQUENCE OF OBJECT IDENTIFIER, + authPolicies SEQUENCE OF AuthPolicy, + responseTypes ResponseTypes, + defaultPolicyValues RespValidationPolicy, + revocationInfoTypes RevocationInfoTypes, + signatureGeneration SEQUENCE OF AlgorithmIdentifier + {SIGNATURE-ALGORITHM, + {SignatureAlgorithms}}, + signatureVerification SEQUENCE OF AlgorithmIdentifier + {SIGNATURE-ALGORITHM, + {SignatureAlgorithms}}, + + + +Hoffman & Schaad Informational [Page 69] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + hashAlgorithms SEQUENCE SIZE (1..MAX) OF + OBJECT IDENTIFIER, + serverPublicKeys SEQUENCE OF KeyAgreePublicKey + OPTIONAL, + clockSkew INTEGER DEFAULT 10, + requestNonce OCTET STRING OPTIONAL + } + + ResponseTypes ::= ENUMERATED { + cached-only (0), + non-cached-only (1), + cached-and-non-cached (2) + } + + RevocationInfoTypes ::= BIT STRING { + fullCRLs (0), + deltaCRLs (1), + indirectCRLs (2), + oCSPResponses (3) + } + + AuthPolicy ::= OBJECT IDENTIFIER + + -- SCVP Check Identifiers + + id-stc OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) 17 } + + CertCheckSet OBJECT IDENTIFIER ::= { + id-stc-build-pkc-path | id-stc-build-valid-pkc-path | + id-stc-build-status-checked-pkc-path, ... } + + id-stc-build-pkc-path OBJECT IDENTIFIER ::= { id-stc 1 } + id-stc-build-valid-pkc-path OBJECT IDENTIFIER ::= { id-stc 2 } + id-stc-build-status-checked-pkc-path + OBJECT IDENTIFIER ::= { id-stc 3 } + + ACertCheckSet OBJECT IDENTIFIER ::= { + id-stc-build-aa-path | id-stc-build-valid-aa-path | + id-stc-build-status-checked-aa-path | + id-stc-status-check-ac-and-build-status-checked-aa-path + } + + id-stc-build-aa-path OBJECT IDENTIFIER ::= { id-stc 4 } + id-stc-build-valid-aa-path OBJECT IDENTIFIER ::= { id-stc 5 } + id-stc-build-status-checked-aa-path + OBJECT IDENTIFIER ::= { id-stc 6 } + + + +Hoffman & Schaad Informational [Page 70] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + id-stc-status-check-ac-and-build-status-checked-aa-path + OBJECT IDENTIFIER ::= { id-stc 7 } + + -- SCVP WantBack Identifiers + + id-swb OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) 18 } + + WantBackSet WANT-BACK ::= { + swb-pkc-cert | swb-pkc-best-cert-path | + swb-pkc-revocation-info | swb-pkc-public-key-info | + swb-pkc-all-cert-paths | swb-pkc-ee-revocation-info | + swb-pkc-CAs-revocation-info + } + + ACertWantBackSet WANT-BACK ::= { + swb-ac-cert | swb-aa-cert-path | + swb-aa-revocation-info | swb-ac-revocation-info + } + + AnyWantBackSet WANT-BACK ::= { swb-relayed-responses } + + swb-pkc-best-cert-path WANT-BACK ::= + { CertBundle IDENTIFIED BY id-swb-pkc-best-cert-path } + id-swb-pkc-best-cert-path OBJECT IDENTIFIER ::= { id-swb 1 } + swb-pkc-revocation-info WANT-BACK ::= + { RevInfoWantBack IDENTIFIED BY id-swb-pkc-revocation-info } + id-swb-pkc-revocation-info OBJECT IDENTIFIER ::= { id-swb 2 } + + swb-pkc-public-key-info WANT-BACK ::= + { SubjectPublicKeyInfo IDENTIFIED BY id-swb-pkc-public-key-info } + id-swb-pkc-public-key-info OBJECT IDENTIFIER ::= { id-swb 4 } + + swb-aa-cert-path WANT-BACK ::= + {CertBundle IDENTIFIED BY id-swb-aa-cert-path } + id-swb-aa-cert-path OBJECT IDENTIFIER ::= { id-swb 5 } + + swb-aa-revocation-info WANT-BACK ::= + { RevInfoWantBack IDENTIFIED BY id-swb-aa-revocation-info } + id-swb-aa-revocation-info OBJECT IDENTIFIER ::= { id-swb 6 } + + swb-ac-revocation-info WANT-BACK ::= + { RevInfoWantBack IDENTIFIED BY id-swb-ac-revocation-info } + id-swb-ac-revocation-info OBJECT IDENTIFIER ::= { id-swb 7 } + + swb-relayed-responses WANT-BACK ::= + {SCVPResponses IDENTIFIED BY id-swb-relayed-responses } + + + +Hoffman & Schaad Informational [Page 71] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + id-swb-relayed-responses OBJECT IDENTIFIER ::= { id-swb 9 } + + swb-pkc-all-cert-paths WANT-BACK ::= + {CertBundles IDENTIFIED BY id-swb-pkc-all-cert-paths } + id-swb-pkc-all-cert-paths OBJECT IDENTIFIER ::= { id-swb 12} + + swb-pkc-ee-revocation-info WANT-BACK ::= + { RevInfoWantBack IDENTIFIED BY id-swb-pkc-ee-revocation-info } + id-swb-pkc-ee-revocation-info OBJECT IDENTIFIER ::= { id-swb 13} + + swb-pkc-CAs-revocation-info WANT-BACK ::= + { RevInfoWantBack IDENTIFIED BY id-swb-pkc-CAs-revocation-info } + id-swb-pkc-CAs-revocation-info OBJECT IDENTIFIER ::= { id-swb 14} + + swb-pkc-cert WANT-BACK ::= + { Certificate IDENTIFIED BY id-swb-pkc-cert } + id-swb-pkc-cert OBJECT IDENTIFIER ::= { id-swb 10} + + swb-ac-cert WANT-BACK ::= + { AttributeCertificate IDENTIFIED BY id-swb-ac-cert } + id-swb-ac-cert OBJECT IDENTIFIER ::= { id-swb 11} + + -- SCVP Validation Policy and Algorithm Identifiers + + id-svp OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) 19 } + + svp-defaultValPolicy POLICY ::= + { IDENTIFIED BY id-svp-defaultValPolicy } + + id-svp-defaultValPolicy OBJECT IDENTIFIER ::= { id-svp 1 } + + -- SCVP Basic Validation Algorithm Identifier + + svp-basicValAlg POLICY ::= {IDENTIFIED BY id-svp-basicValAlg } + + id-svp-basicValAlg OBJECT IDENTIFIER ::= { id-svp 3 } + + -- SCVP Basic Validation Algorithm Errors + + id-bvae OBJECT IDENTIFIER ::= id-svp-basicValAlg + + BasicValidationErrorSet OBJECT IDENTIFIER ::= { + id-bvae-expired | id-bvae-not-yet-valid | + id-bvae-wrongTrustAnchor | id-bvae-noValidCertPath | + id-bvae-revoked | id-bvae-invalidKeyPurpose | + id-bvae-invalidKeyUsage | id-bvae-invalidCertPolicy + + + +Hoffman & Schaad Informational [Page 72] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + } + + id-bvae-expired OBJECT IDENTIFIER ::= { id-bvae 1 } + id-bvae-not-yet-valid OBJECT IDENTIFIER ::= { id-bvae 2 } + id-bvae-wrongTrustAnchor OBJECT IDENTIFIER ::= { id-bvae 3 } + id-bvae-noValidCertPath OBJECT IDENTIFIER ::= { id-bvae 4 } + id-bvae-revoked OBJECT IDENTIFIER ::= { id-bvae 5 } + id-bvae-invalidKeyPurpose OBJECT IDENTIFIER ::= { id-bvae 9 } + id-bvae-invalidKeyUsage OBJECT IDENTIFIER ::= { id-bvae 10 } + id-bvae-invalidCertPolicy OBJECT IDENTIFIER ::= { id-bvae 11 } + + -- SCVP Name Validation Algorithm Identifier + + svp-nameValAlg POLICY ::= + {TYPE NameValidationAlgParams IDENTIFIED BY id-svp-nameValAlg } + + id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 } + + -- SCVP Name Validation Algorithm DN comparison algorithm + + NameCompAlgSet OBJECT IDENTIFIER ::= { + id-nva-dnCompAlg + } + + id-nva-dnCompAlg OBJECT IDENTIFIER ::= { id-svp 4 } + -- SCVP Name Validation Algorithm Errors + + id-nvae OBJECT IDENTIFIER ::= id-svp-nameValAlg + + NameValidationErrorSet OBJECT IDENTIFIER ::= { + id-nvae-name-mismatch | id-nvae-no-name | id-nvae-unknown-alg | + id-nvae-bad-name | id-nvae-bad-name-type | id-nvae-mixed-names + } + + id-nvae-name-mismatch OBJECT IDENTIFIER ::= { id-nvae 1 } + id-nvae-no-name OBJECT IDENTIFIER ::= { id-nvae 2 } + id-nvae-unknown-alg OBJECT IDENTIFIER ::= { id-nvae 3 } + id-nvae-bad-name OBJECT IDENTIFIER ::= { id-nvae 4 } + id-nvae-bad-name-type OBJECT IDENTIFIER ::= { id-nvae 5 } + id-nvae-mixed-names OBJECT IDENTIFIER ::= { id-nvae 6 } + + -- SCVP Extended Key Usage Key Purpose Identifiers + + id-kp OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) 3 } + + SvcpExtKeyUsageSet OBJECT IDENTIFIER ::= { + + + +Hoffman & Schaad Informational [Page 73] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + id-kp-scvpServer | id-kp-scvpClient + } + + id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 } + + id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 } + + END + +12. ASN.1 Module for RFC 5272 + + EnrollmentMessageSyntax-2009 + {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53)} + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + EXPORTS ALL; + IMPORTS + + AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} + AlgorithmIdentifier{}, DIGEST-ALGORITHM, KEY-WRAP, KEY-DERIVATION, + MAC-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + CertificateSerialNumber, GeneralName, CRLReason, ReasonFlags, + CertExtensions + FROM PKIX1Implicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} + + Name, id-pkix, PublicKeyAlgorithms, SignatureAlgorithms + FROM PKIX1Explicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} + + ContentInfo, IssuerAndSerialNumber, CONTENT-TYPE + FROM CryptographicMessageSyntax-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-2004-02(41)} + + CertReqMsg, PKIPublicationInfo, CertTemplate + FROM PKIXCRMF-2009 + + + +Hoffman & Schaad Informational [Page 74] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)} + + mda-sha1 + FROM PKIXAlgs-2009 + { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms2008-02(56)} + + kda-PBKDF2, maca-hMAC-SHA1 + FROM CryptographicMessageSyntaxAlgorithms-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cmsalg-2001-02(37) } + + mda-sha256 + FROM PKIX1-PSS-OAEP-Algorithms-2009 + { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-rsa-pkalgs-02(54) } ; + + -- CMS Content types defined in this document + CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... } + + -- Signature Algorithms defined in this document + + SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature } + + -- CMS Unsigned Attributes + + CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData } + + -- + -- + + id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls + id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types + + -- This is the content type for a request message in the protocol + + ct-PKIData CONTENT-TYPE ::= + { PKIData IDENTIFIED BY id-cct-PKIData } + id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 } + + PKIData ::= SEQUENCE { + controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute, + reqSequence SEQUENCE SIZE(0..MAX) OF TaggedRequest, + cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo, + otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg + + + +Hoffman & Schaad Informational [Page 75] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + } + + BodyPartID ::= INTEGER(0..4294967295) + + TaggedAttribute ::= SEQUENCE { + bodyPartID BodyPartID, + attrType CMC-CONTROL.&id({Cmc-Control-Set}), + attrValues SET OF CMC-CONTROL. + &Type({Cmc-Control-Set}{@attrType}) + } + + Cmc-Control-Set CMC-CONTROL ::= { + cmc-identityProof | cmc-dataReturn | cmc-regInfo | + cmc-responseInfo | cmc-queryPending | cmc-popLinkRandom | + cmc-popLinkWitness | cmc-identification | cmc-transactionId | + cmc-senderNonce | cmc-recipientNonce | cmc-statusInfo | + cmc-addExtensions | cmc-encryptedPOP | cmc-decryptedPOP | + cmc-lraPOPWitness | cmc-getCert | cmc-getCRL | + cmc-revokeRequest | cmc-confirmCertAcceptance | + cmc-statusInfoV2 | cmc-trustedAnchors | cmc-authData | + cmc-batchRequests | cmc-batchResponses | cmc-publishCert | + cmc-modCertTemplate | cmc-controlProcessed | + cmc-identityProofV2 | cmc-popLinkWitnessV2, ... } + + OTHER-REQUEST ::= TYPE-IDENTIFIER + + -- We do not define any other requests in this document; + -- examples might be attribute certification requests + + OtherRequests OTHER-REQUEST ::= {...} + + TaggedRequest ::= CHOICE { + tcr [0] TaggedCertificationRequest, + crm [1] CertReqMsg, + orm [2] SEQUENCE { + bodyPartID BodyPartID, + requestMessageType OTHER-REQUEST.&id({OtherRequests}), + requestMessageValue OTHER-REQUEST.&Type({OtherRequests} + {@.requestMessageType}) + } + } + + TaggedCertificationRequest ::= SEQUENCE { + bodyPartID BodyPartID, + certificationRequest CertificationRequest + } + + AttributeList ATTRIBUTE ::= {at-extension-req, ...} + + + +Hoffman & Schaad Informational [Page 76] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + CertificationRequest ::= SEQUENCE { + certificationRequestInfo SEQUENCE { + version INTEGER, + subject Name, + subjectPublicKeyInfo SEQUENCE { + algorithm AlgorithmIdentifier{PUBLIC-KEY, + {PublicKeyAlgorithms}}, + subjectPublicKey BIT STRING + }, + attributes [0] IMPLICIT SET OF + AttributeSet{{AttributeList}} + }, + signatureAlgorithm AlgorithmIdentifier + {SIGNATURE-ALGORITHM, + {SignatureAlgorithms}}, + signature BIT STRING + } + + TaggedContentInfo ::= SEQUENCE { + bodyPartID BodyPartID, + contentInfo ContentInfo + } + + OTHER-MSG ::= TYPE-IDENTIFIER + + -- No other messages currently defined + + OtherMsgSet OTHER-MSG ::= {...} + + OtherMsg ::= SEQUENCE { + bodyPartID BodyPartID, + otherMsgType OTHER-MSG.&id({OtherMsgSet}), + otherMsgValue OTHER-MSG.&Type({OtherMsgSet}{@otherMsgType}) } + + -- This defines the response message in the protocol + + ct-PKIResponse CONTENT-TYPE ::= + { PKIResponse IDENTIFIED BY id-cct-PKIResponse } + id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 } + + ResponseBody ::= PKIResponse + + PKIResponse ::= SEQUENCE { + controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute, + cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo, + otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg + } + + + + +Hoffman & Schaad Informational [Page 77] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + CMC-CONTROL ::= TYPE-IDENTIFIER + + -- The following controls have the type OCTET STRING + + cmc-identityProof CMC-CONTROL ::= + { OCTET STRING IDENTIFIED BY id-cmc-identityProof } + id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3} + + cmc-dataReturn CMC-CONTROL ::= + { OCTET STRING IDENTIFIED BY id-cmc-dataReturn } + id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4} + + cmc-regInfo CMC-CONTROL ::= + { OCTET STRING IDENTIFIED BY id-cmc-regInfo } + id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18} + + cmc-responseInfo CMC-CONTROL ::= + { OCTET STRING IDENTIFIED BY id-cmc-responseInfo } + id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19} + + cmc-queryPending CMC-CONTROL ::= + { OCTET STRING IDENTIFIED BY id-cmc-queryPending } + id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21} + + cmc-popLinkRandom CMC-CONTROL ::= + { OCTET STRING IDENTIFIED BY id-cmc-popLinkRandom } + id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22} + + cmc-popLinkWitness CMC-CONTROL ::= + { OCTET STRING IDENTIFIED BY id-cmc-popLinkWitness } + id-cmc-popLinkWitness OBJECT IDENTIFIER ::= {id-cmc 23} + + -- The following controls have the type UTF8String + + cmc-identification CMC-CONTROL ::= + { UTF8String IDENTIFIED BY id-cmc-identification } + id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2} + + -- The following controls have the type INTEGER + + cmc-transactionId CMC-CONTROL ::= + { INTEGER IDENTIFIED BY id-cmc-transactionId } + id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5} + + -- The following controls have the type OCTET STRING + + cmc-senderNonce CMC-CONTROL ::= + { OCTET STRING IDENTIFIED BY id-cmc-senderNonce } + + + +Hoffman & Schaad Informational [Page 78] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6} + + cmc-recipientNonce CMC-CONTROL ::= + { OCTET STRING IDENTIFIED BY id-cmc-recipientNonce } + id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7} + + -- Used to return status in a response + + cmc-statusInfo CMC-CONTROL ::= + { CMCStatusInfo IDENTIFIED BY id-cmc-statusInfo } + id-cmc-statusInfo OBJECT IDENTIFIER ::= {id-cmc 1} + + CMCStatusInfo ::= SEQUENCE { + cMCStatus CMCStatus, + bodyList SEQUENCE SIZE (1..MAX) OF BodyPartID, + statusString UTF8String OPTIONAL, + otherInfo CHOICE { + failInfo CMCFailInfo, + pendInfo PendInfo + } OPTIONAL + } + + PendInfo ::= SEQUENCE { + pendToken OCTET STRING, + pendTime GeneralizedTime + } + + CMCStatus ::= INTEGER { + success (0), + failed (2), + pending (3), + noSupport (4), + confirmRequired (5), + popRequired (6), + partial (7) + } + + -- Note: + -- The spelling of unsupportedExt is corrected in this version. + -- In RFC 2797, it was unsuportedExt. + + CMCFailInfo ::= INTEGER { + badAlg (0), + badMessageCheck (1), + badRequest (2), + badTime (3), + badCertId (4), + unsuportedExt (5), + + + +Hoffman & Schaad Informational [Page 79] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + mustArchiveKeys (6), + badIdentity (7), + popRequired (8), + popFailed (9), + noKeyReuse (10), + internalCAError (11), + tryLater (12), + authDataFail (13) + } + + -- Used for RAs to add extensions to certification requests + + cmc-addExtensions CMC-CONTROL ::= + { AddExtensions IDENTIFIED BY id-cmc-addExtensions } + id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8} + + AddExtensions ::= SEQUENCE { + pkiDataReference BodyPartID, + certReferences SEQUENCE OF BodyPartID, + extensions SEQUENCE OF Extension{{CertExtensions}} + } + + cmc-encryptedPOP CMC-CONTROL ::= + { EncryptedPOP IDENTIFIED BY id-cmc-encryptedPOP } + cmc-decryptedPOP CMC-CONTROL ::= + { DecryptedPOP IDENTIFIED BY id-cmc-decryptedPOP } + id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9} + id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10} + + EncryptedPOP ::= SEQUENCE { + request TaggedRequest, + cms ContentInfo, + thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, + witnessAlgID AlgorithmIdentifier{DIGEST-ALGORITHM, + {WitnessAlgs}}, + witness OCTET STRING + } + + POPAlgs MAC-ALGORITHM ::= {maca-hMAC-SHA1, ...} + WitnessAlgs DIGEST-ALGORITHM ::= {mda-sha1, ...} + + DecryptedPOP ::= SEQUENCE { + bodyPartID BodyPartID, + thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, + thePOP OCTET STRING + } + + cmc-lraPOPWitness CMC-CONTROL ::= + + + +Hoffman & Schaad Informational [Page 80] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + { LraPopWitness IDENTIFIED BY id-cmc-lraPOPWitness } + + id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11} + + LraPopWitness ::= SEQUENCE { + pkiDataBodyid BodyPartID, + bodyIds SEQUENCE OF BodyPartID + } + + -- + + cmc-getCert CMC-CONTROL ::= + { GetCert IDENTIFIED BY id-cmc-getCert } + id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15} + + GetCert ::= SEQUENCE { + issuerName GeneralName, + serialNumber INTEGER } + + cmc-getCRL CMC-CONTROL ::= + { GetCRL IDENTIFIED BY id-cmc-getCRL } + id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16} + GetCRL ::= SEQUENCE { + issuerName Name, + cRLName GeneralName OPTIONAL, + time GeneralizedTime OPTIONAL, + reasons ReasonFlags OPTIONAL } + + cmc-revokeRequest CMC-CONTROL ::= + { RevokeRequest IDENTIFIED BY id-cmc-revokeRequest} + id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17} + + RevokeRequest ::= SEQUENCE { + issuerName Name, + serialNumber INTEGER, + reason CRLReason, + invalidityDate GeneralizedTime OPTIONAL, + passphrase OCTET STRING OPTIONAL, + comment UTF8String OPTIONAL } + + cmc-confirmCertAcceptance CMC-CONTROL ::= + { CMCCertId IDENTIFIED BY id-cmc-confirmCertAcceptance } + id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {id-cmc 24} + + CMCCertId ::= IssuerAndSerialNumber + + -- The following is used to request v3 extensions be added + -- to a certificate + + + +Hoffman & Schaad Informational [Page 81] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + at-extension-req ATTRIBUTE ::= + { TYPE ExtensionReq IDENTIFIED BY id-ExtensionReq } + id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) 14} + + ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF + Extension{{CertExtensions}} + + -- The following allows Diffie-Hellman Certification Request + -- Messages to be well-formed + + sa-noSignature SIGNATURE-ALGORITHM ::= { + IDENTIFIER id-alg-noSignature + VALUE NoSignatureValue + PARAMS TYPE NULL ARE required + HASHES { mda-sha1 } + } + id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2} + + NoSignatureValue ::= OCTET STRING + -- Unauthenticated attribute to carry removable data. + + id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2)} + + aa-cmc-unsignedData ATTRIBUTE ::= + { TYPE CMCUnsignedData IDENTIFIED BY id-aa-cmc-unsignedData } + id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= {id-aa 34} + + CMCUnsignedData ::= SEQUENCE { + bodyPartPath BodyPartPath, + identifier TYPE-IDENTIFIER.&id, + content TYPE-IDENTIFIER.&Type + } + + -- Replaces CMC Status Info + -- + + cmc-statusInfoV2 CMC-CONTROL ::= + { CMCStatusInfoV2 IDENTIFIED BY id-cmc-statusInfoV2 } + id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= {id-cmc 25} + + EXTENDED-FAILURE-INFO ::= TYPE-IDENTIFIER + + ExtendedFailures EXTENDED-FAILURE-INFO ::= {...} + + CMCStatusInfoV2 ::= SEQUENCE { + cMCStatus CMCStatus, + + + +Hoffman & Schaad Informational [Page 82] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + bodyList SEQUENCE SIZE (1..MAX) OF + BodyPartReference, + statusString UTF8String OPTIONAL, + otherInfo CHOICE { + failInfo CMCFailInfo, + pendInfo PendInfo, + extendedFailInfo [1] SEQUENCE { + failInfoOID TYPE-IDENTIFIER.&id + ({ExtendedFailures}), + failInfoValue TYPE-IDENTIFIER.&Type + ({ExtendedFailures} + {@.failInfoOID}) + } + } OPTIONAL + } + + BodyPartReference ::= CHOICE { + bodyPartID BodyPartID, + bodyPartPath BodyPartPath + } + + BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID + + -- Allow for distribution of trust anchors + -- + + cmc-trustedAnchors CMC-CONTROL ::= + { PublishTrustAnchors IDENTIFIED BY id-cmc-trustedAnchors } + id-cmc-trustedAnchors OBJECT IDENTIFIER ::= {id-cmc 26} + + PublishTrustAnchors ::= SEQUENCE { + seqNumber INTEGER, + hashAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, + {HashAlgorithms}}, + anchorHashes SEQUENCE OF OCTET STRING + } + + HashAlgorithms DIGEST-ALGORITHM ::= { + mda-sha1 | mda-sha256, ... + } + + cmc-authData CMC-CONTROL ::= + { AuthPublish IDENTIFIED BY id-cmc-authData } + id-cmc-authData OBJECT IDENTIFIER ::= {id-cmc 27} + + AuthPublish ::= BodyPartID + + -- These two items use BodyPartList + + + +Hoffman & Schaad Informational [Page 83] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + cmc-batchRequests CMC-CONTROL ::= + { BodyPartList IDENTIFIED BY id-cmc-batchRequests } + id-cmc-batchRequests OBJECT IDENTIFIER ::= {id-cmc 28} + + cmc-batchResponses CMC-CONTROL ::= + { BodyPartList IDENTIFIED BY id-cmc-batchResponses } + id-cmc-batchResponses OBJECT IDENTIFIER ::= {id-cmc 29} + + BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID + + cmc-publishCert CMC-CONTROL ::= + { CMCPublicationInfo IDENTIFIED BY id-cmc-publishCert } + id-cmc-publishCert OBJECT IDENTIFIER ::= {id-cmc 30} + + CMCPublicationInfo ::= SEQUENCE { + hashAlg AlgorithmIdentifier{DIGEST-ALGORITHM, + {HashAlgorithms}}, + certHashes SEQUENCE OF OCTET STRING, + pubInfo PKIPublicationInfo + } + + cmc-modCertTemplate CMC-CONTROL ::= + { ModCertTemplate IDENTIFIED BY id-cmc-modCertTemplate } + id-cmc-modCertTemplate OBJECT IDENTIFIER ::= {id-cmc 31} + + ModCertTemplate ::= SEQUENCE { + pkiDataReference BodyPartPath, + certReferences BodyPartList, + replace BOOLEAN DEFAULT TRUE, + certTemplate CertTemplate + } + + -- Inform follow-on servers that one or more controls have + -- already been processed + + cmc-controlProcessed CMC-CONTROL ::= + { ControlsProcessed IDENTIFIED BY id-cmc-controlProcessed } + id-cmc-controlProcessed OBJECT IDENTIFIER ::= {id-cmc 32} + + ControlsProcessed ::= SEQUENCE { + bodyList SEQUENCE SIZE(1..MAX) OF BodyPartReference + } + + -- Identity Proof control w/ algorithm agility + + cmc-identityProofV2 CMC-CONTROL ::= + { IdentityProofV2 IDENTIFIED BY id-cmc-identityProofV2 } + id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 33 } + + + +Hoffman & Schaad Informational [Page 84] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + IdentityProofV2 ::= SEQUENCE { + proofAlgID AlgorithmIdentifier{DIGEST-ALGORITHM, + {WitnessAlgs}}, + macAlgId AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, + witness OCTET STRING + } + + cmc-popLinkWitnessV2 CMC-CONTROL ::= + { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 } + id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 } + + PopLinkWitnessV2 ::= SEQUENCE { + keyGenAlgorithm AlgorithmIdentifier{KEY-DERIVATION, + {KeyDevAlgs}}, + macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, + witness OCTET STRING + } + + KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...} + + END + +13. ASN.1 Module for RFC 5755 + + PKIXAttributeCertificate-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)} + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + AttributeSet{}, Extensions{}, SecurityCategory{}, + EXTENSION, ATTRIBUTE, SECURITY-CATEGORY + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } + + AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + -- IMPORTed module OIDs MAY change if [PKIXPROF] changes + -- PKIX Certificate Extensions + + CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp, + id-ad, id-at, SIGNED{}, SignatureAlgorithms + + + +Hoffman & Schaad Informational [Page 85] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + FROM PKIX1Explicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} + + GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier, + ext-AuthorityInfoAccess, ext-CRLDistributionPoints + FROM PKIX1Implicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} + + ContentInfo + FROM CryptographicMessageSyntax-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }; + -- Define the set of extensions that can appear. + -- Some of these are imported from PKIX Cert + + AttributeCertExtensions EXTENSION ::= { + ext-auditIdentity | ext-targetInformation | + ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess | + ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying | + ext-aaControls, ... } + + ext-auditIdentity EXTENSION ::= { SYNTAX + OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity} + + ext-targetInformation EXTENSION ::= { SYNTAX + Targets IDENTIFIED BY id-ce-targetInformation } + + ext-noRevAvail EXTENSION ::= { SYNTAX + NULL IDENTIFIED BY id-ce-noRevAvail} + + ext-ac-proxying EXTENSION ::= { SYNTAX + ProxyInfo IDENTIFIED BY id-pe-ac-proxying} + + ext-aaControls EXTENSION ::= { SYNTAX + AAControls IDENTIFIED BY id-pe-aaControls} + + -- Define the set of attributes used here + + AttributesDefined ATTRIBUTE ::= { at-authenticationInfo | + at-accesIdentity | at-chargingIdentity | at-group | + at-role | at-clearance | at-encAttrs, ...} + + at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo + IDENTIFIED BY id-aca-authenticationInfo} + + at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo + + + +Hoffman & Schaad Informational [Page 86] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + IDENTIFIED BY id-aca-accessIdentity} + + at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax + IDENTIFIED BY id-aca-chargingIdentity} + + at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax + IDENTIFIED BY id-aca-group} + + at-role ATTRIBUTE ::= { TYPE RoleSyntax + IDENTIFIED BY id-at-role} + + at-clearance ATTRIBUTE ::= { TYPE Clearance + IDENTIFIED BY id-at-clearance} + at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281 + IDENTIFIED BY id-at-clearance-rfc3281 } + + at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo + IDENTIFIED BY id-aca-encAttrs} + + -- + -- OIDs used by Attribute Certificate Extensions + -- + + id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 } + id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 } + id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 } + id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 } + id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 } + + -- + -- OIDs used by Attribute Certificate Attributes + -- + + id-aca OBJECT IDENTIFIER ::= { id-pkix 10 } + + id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 } + id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 } + id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 } + id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 } + -- { id-aca 5 } is reserved + id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 } + + id-at-role OBJECT IDENTIFIER ::= { id-at 72} + id-at-clearance OBJECT IDENTIFIER ::= { + joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) } + + -- Uncomment the following declaration and comment the above line if + -- using the id-at-clearance attribute as defined in [RFC3281] + + + +Hoffman & Schaad Informational [Page 87] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- id-at-clearance ::= id-at-clearance-3281 + + id-at-clearance-rfc3281 OBJECT IDENTIFIER ::= { + joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5) + clearance (55) } + + -- + -- The syntax of an Attribute Certificate + -- + + AttributeCertificate ::= SIGNED{AttributeCertificateInfo} + + AttributeCertificateInfo ::= SEQUENCE { + version AttCertVersion, -- version is v2 + holder Holder, + issuer AttCertIssuer, + signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, + {SignatureAlgorithms}}, + serialNumber CertificateSerialNumber, + attrCertValidityPeriod AttCertValidityPeriod, + attributes SEQUENCE OF + AttributeSet{{AttributesDefined}}, + issuerUniqueID UniqueIdentifier OPTIONAL, + extensions Extensions{{AttributeCertExtensions}} OPTIONAL + } + + AttCertVersion ::= INTEGER { v2(1) } + + Holder ::= SEQUENCE { + baseCertificateID [0] IssuerSerial OPTIONAL, + -- the issuer and serial number of + -- the holder's Public Key Certificate + entityName [1] GeneralNames OPTIONAL, + -- the name of the claimant or role + objectDigestInfo [2] ObjectDigestInfo OPTIONAL + -- used to directly authenticate the + -- holder, for example, an executable + } + + ObjectDigestInfo ::= SEQUENCE { + digestedObjectType ENUMERATED { + publicKey (0), + publicKeyCert (1), + otherObjectTypes (2) }, + -- otherObjectTypes MUST NOT + -- be used in this profile + otherObjectTypeID OBJECT IDENTIFIER OPTIONAL, + digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}, + + + +Hoffman & Schaad Informational [Page 88] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + objectDigest BIT STRING + } + + AttCertIssuer ::= CHOICE { + v1Form GeneralNames, -- MUST NOT be used in this + -- profile + v2Form [0] V2Form -- v2 only + } + + V2Form ::= SEQUENCE { + issuerName GeneralNames OPTIONAL, + baseCertificateID [0] IssuerSerial OPTIONAL, + objectDigestInfo [1] ObjectDigestInfo OPTIONAL + -- issuerName MUST be present in this profile + -- baseCertificateID and objectDigestInfo MUST + -- NOT be present in this profile + } + + IssuerSerial ::= SEQUENCE { + issuer GeneralNames, + serial CertificateSerialNumber, + issuerUID UniqueIdentifier OPTIONAL + } + + AttCertValidityPeriod ::= SEQUENCE { + notBeforeTime GeneralizedTime, + notAfterTime GeneralizedTime + } + + -- + -- Syntax used by Attribute Certificate Extensions + -- + + Targets ::= SEQUENCE OF Target + + Target ::= CHOICE { + targetName [0] GeneralName, + targetGroup [1] GeneralName, + targetCert [2] TargetCert + } + + TargetCert ::= SEQUENCE { + targetCertificate IssuerSerial, + targetName GeneralName OPTIONAL, + certDigestInfo ObjectDigestInfo OPTIONAL + } + + AAControls ::= SEQUENCE { + + + +Hoffman & Schaad Informational [Page 89] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + pathLenConstraint INTEGER (0..MAX) OPTIONAL, + permittedAttrs [0] AttrSpec OPTIONAL, + excludedAttrs [1] AttrSpec OPTIONAL, + permitUnSpecified BOOLEAN DEFAULT TRUE + } + + AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER + + ProxyInfo ::= SEQUENCE OF Targets + + -- + -- Syntax used by Attribute Certificate Attributes + -- + IetfAttrSyntax ::= SEQUENCE { + policyAuthority[0] GeneralNames OPTIONAL, + values SEQUENCE OF CHOICE { + octets OCTET STRING, + oid OBJECT IDENTIFIER, + string UTF8String + } + } + + SvceAuthInfo ::= SEQUENCE { + service GeneralName, + ident GeneralName, + authInfo OCTET STRING OPTIONAL + } + + RoleSyntax ::= SEQUENCE { + roleAuthority [0] GeneralNames OPTIONAL, + roleName [1] GeneralName + } + + Clearance ::= SEQUENCE { + policyId OBJECT IDENTIFIER, + classList ClassList DEFAULT {unclassified}, + securityCategories SET OF SecurityCategory + {{SupportedSecurityCategories}} OPTIONAL + } + + -- Uncomment the following lines to support deprecated clearance + -- syntax and comment out previous Clearance. + + -- Clearance ::= Clearance-rfc3281 + + Clearance-rfc3281 ::= SEQUENCE { + policyId [0] OBJECT IDENTIFIER, + classList [1] ClassList DEFAULT {unclassified}, + + + +Hoffman & Schaad Informational [Page 90] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + securityCategories [2] SET OF SecurityCategory-rfc3281 + {{SupportedSecurityCategories}} OPTIONAL + } + + ClassList ::= BIT STRING { + unmarked (0), + unclassified (1), + restricted (2), + confidential (3), + secret (4), + topSecret (5) + } + SupportedSecurityCategories SECURITY-CATEGORY ::= { ... } + + SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE { + type [0] IMPLICIT SECURITY-CATEGORY. + &id({Supported}), + value [1] EXPLICIT SECURITY-CATEGORY. + &Type({Supported}{@type}) + } + + ACClearAttrs ::= SEQUENCE { + acIssuer GeneralName, + acSerial INTEGER, + attrs SEQUENCE OF AttributeSet{{AttributesDefined}} + } + + END + +14. ASN.1 Module for RFC 5280, Explicit and Implicit + + Note that many of the changes in this module are similar or the same + as the changes made in more recent versions of X.509 itself. + + PKIX1Explicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-explicit-02(51)} + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + + IMPORTS + + Extensions{}, EXTENSION, ATTRIBUTE, SingleAttribute{} + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} + + + + +Hoffman & Schaad Informational [Page 91] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + AlgorithmIdentifier{}, PUBLIC-KEY, SIGNATURE-ALGORITHM + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + CertExtensions, CrlExtensions, CrlEntryExtensions + FROM PKIX1Implicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} + SignatureAlgs, PublicKeys + FROM PKIXAlgs-2009 + {iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 56} + + SignatureAlgs, PublicKeys + FROM PKIX1-PSS-OAEP-Algorithms-2009 + {iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-rsa-pkalgs-02(54)} + + ORAddress + FROM PKIX-X400Address-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60)}; + + id-pkix OBJECT IDENTIFIER ::= + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7)} + + -- PKIX arcs + + id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } + -- arc for private certificate extensions + id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } + -- arc for policy qualifier types + id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } + -- arc for extended key purpose OIDs + id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } + -- arc for access descriptors + + -- policyQualifierIds for Internet policy qualifiers + + id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } + -- OID for CPS qualifier + id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } + -- OID for user notice qualifier + + + + +Hoffman & Schaad Informational [Page 92] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- access descriptor definitions + + id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } + id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } + id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } + id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } + + -- attribute data types + AttributeType ::= ATTRIBUTE.&id + + -- Replaced by SingleAttribute{} + -- + -- AttributeTypeAndValue ::= SEQUENCE { + -- type ATTRIBUTE.&id({SupportedAttributes}), + -- value ATTRIBUTE.&Type({SupportedAttributes}{@type}) } + -- + + -- Suggested naming attributes: Definition of the following + -- information object set may be augmented to meet local + -- requirements. Note that deleting members of the set may + -- prevent interoperability with conforming implementations. + -- All attributes are presented in pairs: the AttributeType + -- followed by the type definition for the corresponding + -- AttributeValue. + + -- Arc for standard naming attributes + + id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } + + -- Naming attributes of type X520name + + id-at-name AttributeType ::= { id-at 41 } + at-name ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-name } + + id-at-surname AttributeType ::= { id-at 4 } + at-surname ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-surname } + + id-at-givenName AttributeType ::= { id-at 42 } + at-givenName ATTRIBUTE ::= + { TYPE X520name IDENTIFIED BY id-at-givenName } + + id-at-initials AttributeType ::= { id-at 43 } + at-initials ATTRIBUTE ::= + { TYPE X520name IDENTIFIED BY id-at-initials } + + id-at-generationQualifier AttributeType ::= { id-at 44 } + at-generationQualifier ATTRIBUTE ::= + { TYPE X520name IDENTIFIED BY id-at-generationQualifier } + + + +Hoffman & Schaad Informational [Page 93] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- Directory string type -- + + DirectoryString{INTEGER:maxSize} ::= CHOICE { + teletexString TeletexString(SIZE (1..maxSize)), + printableString PrintableString(SIZE (1..maxSize)), + bmpString BMPString(SIZE (1..maxSize)), + universalString UniversalString(SIZE (1..maxSize)), + uTF8String UTF8String(SIZE (1..maxSize)) + } + + X520name ::= DirectoryString {ub-name} + + -- Naming attributes of type X520CommonName + + id-at-commonName AttributeType ::= { id-at 3 } + + at-x520CommonName ATTRIBUTE ::= + {TYPE X520CommonName IDENTIFIED BY id-at-commonName } + + X520CommonName ::= DirectoryString {ub-common-name} + + -- Naming attributes of type X520LocalityName + + id-at-localityName AttributeType ::= { id-at 7 } + + at-x520LocalityName ATTRIBUTE ::= + { TYPE X520LocalityName IDENTIFIED BY id-at-localityName } + X520LocalityName ::= DirectoryString {ub-locality-name} + + -- Naming attributes of type X520StateOrProvinceName + + id-at-stateOrProvinceName AttributeType ::= { id-at 8 } + + at-x520StateOrProvinceName ATTRIBUTE ::= + { TYPE DirectoryString {ub-state-name} + IDENTIFIED BY id-at-stateOrProvinceName } + X520StateOrProvinceName ::= DirectoryString {ub-state-name} + + -- Naming attributes of type X520OrganizationName + + id-at-organizationName AttributeType ::= { id-at 10 } + + at-x520OrganizationName ATTRIBUTE ::= + { TYPE DirectoryString {ub-organization-name} + IDENTIFIED BY id-at-organizationName } + X520OrganizationName ::= DirectoryString {ub-organization-name} + + -- Naming attributes of type X520OrganizationalUnitName + + + +Hoffman & Schaad Informational [Page 94] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + id-at-organizationalUnitName AttributeType ::= { id-at 11 } + + at-x520OrganizationalUnitName ATTRIBUTE ::= + { TYPE DirectoryString {ub-organizational-unit-name} + IDENTIFIED BY id-at-organizationalUnitName } + X520OrganizationalUnitName ::= DirectoryString + {ub-organizational-unit-name} + + -- Naming attributes of type X520Title + + id-at-title AttributeType ::= { id-at 12 } + + at-x520Title ATTRIBUTE ::= { TYPE DirectoryString { ub-title } + IDENTIFIED BY id-at-title } + + -- Naming attributes of type X520dnQualifier + + id-at-dnQualifier AttributeType ::= { id-at 46 } + + at-x520dnQualifier ATTRIBUTE ::= { TYPE PrintableString + IDENTIFIED BY id-at-dnQualifier } + + -- Naming attributes of type X520countryName (digraph from IS 3166) + + id-at-countryName AttributeType ::= { id-at 6 } + + at-x520countryName ATTRIBUTE ::= { TYPE PrintableString (SIZE (2)) + IDENTIFIED BY id-at-countryName } + + -- Naming attributes of type X520SerialNumber + + id-at-serialNumber AttributeType ::= { id-at 5 } + + at-x520SerialNumber ATTRIBUTE ::= {TYPE PrintableString + (SIZE (1..ub-serial-number)) IDENTIFIED BY id-at-serialNumber } + + -- Naming attributes of type X520Pseudonym + + id-at-pseudonym AttributeType ::= { id-at 65 } + + at-x520Pseudonym ATTRIBUTE ::= { TYPE DirectoryString {ub-pseudonym} + IDENTIFIED BY id-at-pseudonym } + + -- Naming attributes of type DomainComponent (from RFC 2247) + + id-domainComponent AttributeType ::= + { itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) + pilotAttributeType(1) 25 } + + + +Hoffman & Schaad Informational [Page 95] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + at-domainComponent ATTRIBUTE ::= {TYPE IA5String + IDENTIFIED BY id-domainComponent } + + -- Legacy attributes + + pkcs-9 OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } + id-emailAddress AttributeType ::= { pkcs-9 1 } + + at-emailAddress ATTRIBUTE ::= {TYPE IA5String + (SIZE (1..ub-emailaddress-length)) IDENTIFIED BY + id-emailAddress } + + -- naming data types -- + + Name ::= CHOICE { -- only one possibility for now -- + rdnSequence RDNSequence } + + RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + + DistinguishedName ::= RDNSequence + + RelativeDistinguishedName ::= + SET SIZE (1 .. MAX) OF SingleAttribute { {SupportedAttributes} } + + -- These are the known name elements for a DN + + SupportedAttributes ATTRIBUTE ::= { + at-name | at-surname | at-givenName | at-initials | + at-generationQualifier | at-x520CommonName | + at-x520LocalityName | at-x520StateOrProvinceName | + at-x520OrganizationName | at-x520OrganizationalUnitName | + at-x520Title | at-x520dnQualifier | at-x520countryName | + at-x520SerialNumber | at-x520Pseudonym | at-domainComponent | + at-emailAddress, ... } + + -- + -- Certificate- and CRL-specific structures begin here + -- + + Certificate ::= SIGNED{TBSCertificate} + + TBSCertificate ::= SEQUENCE { + version [0] Version DEFAULT v1, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, + {SignatureAlgorithms}}, + issuer Name, + + + +Hoffman & Schaad Informational [Page 96] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + validity Validity, + subject Name, + subjectPublicKeyInfo SubjectPublicKeyInfo, + ... , + [[2: -- If present, version MUST be v2 + issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, + subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL + ]], + [[3: -- If present, version MUST be v3 -- + extensions [3] Extensions{{CertExtensions}} OPTIONAL + ]], ... } + + Version ::= INTEGER { v1(0), v2(1), v3(2) } + + CertificateSerialNumber ::= INTEGER + + Validity ::= SEQUENCE { + notBefore Time, + notAfter Time } + + Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } + + UniqueIdentifier ::= BIT STRING + + SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier{PUBLIC-KEY, + {PublicKeyAlgorithms}}, + subjectPublicKey BIT STRING } + + -- CRL structures + + CertificateList ::= SIGNED{TBSCertList} + + TBSCertList ::= SEQUENCE { + version Version OPTIONAL, + -- if present, MUST be v2 + signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, + {SignatureAlgorithms}}, + issuer Name, + thisUpdate Time, + nextUpdate Time OPTIONAL, + revokedCertificates SEQUENCE SIZE (1..MAX) OF SEQUENCE { + userCertificate CertificateSerialNumber, + revocationDate Time, + ... , + [[2: -- if present, version MUST be v2 + + + +Hoffman & Schaad Informational [Page 97] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + crlEntryExtensions Extensions{{CrlEntryExtensions}} + OPTIONAL + ]], ... + } OPTIONAL, + ... , + [[2: -- if present, version MUST be v2 + crlExtensions [0] Extensions{{CrlExtensions}} + OPTIONAL + ]], ... } + + -- Version, Time, CertificateSerialNumber, and Extensions were + -- defined earlier for use in the certificate structure + + -- + -- The two object sets below should be expanded to include + -- those algorithms which are supported by the system. + -- + -- For example: + -- SignatureAlgorithms SIGNATURE-ALGORITHM ::= { + -- PKIXAlgs-2008.SignatureAlgs, ..., + -- - - RFC 3279 provides the base set + -- PKIX1-PSS-OAEP-ALGORITHMS.SignatureAlgs | + -- - - RFC 4055 provides extension algs + -- OtherModule.SignatureAlgs + -- - - RFC XXXX provides additional extension algs + -- } + + SignatureAlgorithms SIGNATURE-ALGORITHM ::= { + PKIXAlgs-2009.SignatureAlgs, ..., + PKIX1-PSS-OAEP-Algorithms-2009.SignatureAlgs } + + PublicKeyAlgorithms PUBLIC-KEY ::= { + PKIXAlgs-2009.PublicKeys, ..., + PKIX1-PSS-OAEP-Algorithms-2009.PublicKeys} + + -- Upper Bounds + + ub-state-name INTEGER ::= 128 + ub-organization-name INTEGER ::= 64 + ub-organizational-unit-name INTEGER ::= 64 + ub-title INTEGER ::= 64 + ub-serial-number INTEGER ::= 64 + ub-pseudonym INTEGER ::= 128 + ub-emailaddress-length INTEGER ::= 255 + ub-locality-name INTEGER ::= 128 + ub-common-name INTEGER ::= 64 + ub-name INTEGER ::= 32768 + + + + +Hoffman & Schaad Informational [Page 98] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- Note - upper bounds on string types, such as TeletexString, are + -- measured in characters. Excepting PrintableString or IA5String, a + -- significantly greater number of octets will be required to hold + -- such a value. As a minimum, 16 octets or twice the specified + -- upper bound, whichever is the larger, should be allowed for + -- TeletexString. For UTF8String or UniversalString, at least four + -- times the upper bound should be allowed. + + -- Information object classes used in the definition + -- of certificates and CRLs + + -- Parameterized Type SIGNED + -- + -- Three different versions of doing SIGNED: + -- 1. Simple and close to the previous version + -- + -- SIGNED{ToBeSigned} ::= SEQUENCE { + -- toBeSigned ToBeSigned, + -- algorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, + -- {SignatureAlgorithms}}, + -- signature BIT STRING + -- } + + -- 2. From Authenticated Framework + -- + -- SIGNED{ToBeSigned} ::= SEQUENCE { + -- toBeSigned ToBeSigned, + -- COMPONENTS OF SIGNATURE{ToBeSigned} + -- } + -- SIGNATURE{ToBeSigned} ::= SEQUENCE { + -- algorithmIdentifier AlgorithmIdentifier, + -- encrypted ENCRYPTED-HASH{ToBeSigned} + -- } + -- ENCRYPTED-HASH{ToBeSigned} ::= + -- BIT STRING + -- (CONSTRAINED BY { + -- shall be the result of applying a hashing procedure to + -- the DER-encoded (see 4.1) octets of a value of + -- ToBeSigned and then applying an encipherment procedure + -- to those octets + -- }) + -- + -- + -- 3. A more complex version, but one that automatically ties + -- together both the signature algorithm and the + -- signature value for automatic decoding. + -- + SIGNED{ToBeSigned} ::= SEQUENCE { + + + +Hoffman & Schaad Informational [Page 99] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + toBeSigned ToBeSigned, + algorithmIdentifier SEQUENCE { + algorithm SIGNATURE-ALGORITHM. + &id({SignatureAlgorithms}), + parameters SIGNATURE-ALGORITHM. + &Params({SignatureAlgorithms} + {@algorithmIdentifier.algorithm}) OPTIONAL + }, + signature BIT STRING (CONTAINING SIGNATURE-ALGORITHM.&Value( + {SignatureAlgorithms} + {@algorithmIdentifier.algorithm})) + } + + END + + + PKIX1Implicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + AttributeSet{}, EXTENSION, ATTRIBUTE + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } + + id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name, + RelativeDistinguishedName, CertificateSerialNumber, + DirectoryString{}, SupportedAttributes + FROM PKIX1Explicit-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }; + + CertExtensions EXTENSION ::= { + ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier | + ext-KeyUsage | ext-PrivateKeyUsagePeriod | + ext-CertificatePolicies | ext-PolicyMappings | + ext-SubjectAltName | ext-IssuerAltName | + ext-SubjectDirectoryAttributes | + ext-BasicConstraints | ext-NameConstraints | + ext-PolicyConstraints | ext-ExtKeyUsage | + ext-CRLDistributionPoints | ext-InhibitAnyPolicy | + ext-FreshestCRL | ext-AuthorityInfoAccess | + ext-SubjectInfoAccessSyntax, ... } + + CrlExtensions EXTENSION ::= { + + + +Hoffman & Schaad Informational [Page 100] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + ext-AuthorityKeyIdentifier | ext-IssuerAltName | + ext-CRLNumber | ext-DeltaCRLIndicator | + ext-IssuingDistributionPoint | ext-FreshestCRL, ... } + + CrlEntryExtensions EXTENSION ::= { + ext-CRLReason | ext-CertificateIssuer | + ext-HoldInstructionCode | ext-InvalidityDate, ... } + -- Shared arc for standard certificate and CRL extensions + + id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 } + + -- authority key identifier OID and syntax + + ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX + AuthorityKeyIdentifier IDENTIFIED BY + id-ce-authorityKeyIdentifier } + id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } + + AuthorityKeyIdentifier ::= SEQUENCE { + keyIdentifier [0] KeyIdentifier OPTIONAL, + authorityCertIssuer [1] GeneralNames OPTIONAL, + authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } + (WITH COMPONENTS { + ..., + authorityCertIssuer PRESENT, + authorityCertSerialNumber PRESENT + } | + WITH COMPONENTS { + ..., + authorityCertIssuer ABSENT, + authorityCertSerialNumber ABSENT + }) + + KeyIdentifier ::= OCTET STRING + + -- subject key identifier OID and syntax + + ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX + KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier } + id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } + + -- key usage extension OID and syntax + + ext-KeyUsage EXTENSION ::= { SYNTAX + KeyUsage IDENTIFIED BY id-ce-keyUsage } + id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } + + KeyUsage ::= BIT STRING { + + + +Hoffman & Schaad Informational [Page 101] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + digitalSignature (0), + nonRepudiation (1), -- recent editions of X.509 have + -- renamed this bit to + -- contentCommitment + keyEncipherment (2), + dataEncipherment (3), + keyAgreement (4), + keyCertSign (5), + cRLSign (6), + encipherOnly (7), + decipherOnly (8) + } + + -- private key usage period extension OID and syntax + + ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX + PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod } + id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 } + + PrivateKeyUsagePeriod ::= SEQUENCE { + notBefore [0] GeneralizedTime OPTIONAL, + notAfter [1] GeneralizedTime OPTIONAL } + (WITH COMPONENTS {..., notBefore PRESENT } | + WITH COMPONENTS {..., notAfter PRESENT }) + + -- certificate policies extension OID and syntax + + ext-CertificatePolicies EXTENSION ::= { SYNTAX + CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies} + id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } + + CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + + PolicyInformation ::= SEQUENCE { + policyIdentifier CertPolicyId, + policyQualifiers SEQUENCE SIZE (1..MAX) OF + PolicyQualifierInfo OPTIONAL } + + CertPolicyId ::= OBJECT IDENTIFIER + + CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER + + PolicyQualifierInfo ::= SEQUENCE { + policyQualifierId CERT-POLICY-QUALIFIER. + &id({PolicyQualifierId}), + qualifier CERT-POLICY-QUALIFIER. + &Type({PolicyQualifierId}{@policyQualifierId})} + + + + +Hoffman & Schaad Informational [Page 102] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- Implementations that recognize additional policy qualifiers MUST + -- augment the following definition for PolicyQualifierId + + PolicyQualifierId CERT-POLICY-QUALIFIER ::= + { pqid-cps | pqid-unotice, ... } + + pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps } + pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice + IDENTIFIED BY id-qt-unotice } + + -- CPS pointer qualifier + + CPSuri ::= IA5String + + -- user notice qualifier + + UserNotice ::= SEQUENCE { + noticeRef NoticeReference OPTIONAL, + explicitText DisplayText OPTIONAL} + + -- + -- This is not made explicit in the text + -- + -- {WITH COMPONENTS {..., noticeRef PRESENT} | + -- WITH COMPONENTS {..., DisplayText PRESENT }} + + NoticeReference ::= SEQUENCE { + organization DisplayText, + noticeNumbers SEQUENCE OF INTEGER } + + DisplayText ::= CHOICE { + ia5String IA5String (SIZE (1..200)), + visibleString VisibleString (SIZE (1..200)), + bmpString BMPString (SIZE (1..200)), + utf8String UTF8String (SIZE (1..200)) } + + -- policy mapping extension OID and syntax + + ext-PolicyMappings EXTENSION ::= { SYNTAX + PolicyMappings IDENTIFIED BY id-ce-policyMappings } + id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } + + PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + issuerDomainPolicy CertPolicyId, + subjectDomainPolicy CertPolicyId + } + + -- subject alternative name extension OID and syntax + + + +Hoffman & Schaad Informational [Page 103] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + ext-SubjectAltName EXTENSION ::= { SYNTAX + GeneralNames IDENTIFIED BY id-ce-subjectAltName } + id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } + + GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + + GeneralName ::= CHOICE { + otherName [0] INSTANCE OF OTHER-NAME, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER + } + + -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as + -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax + + OTHER-NAME ::= TYPE-IDENTIFIER + + EDIPartyName ::= SEQUENCE { + nameAssigner [0] DirectoryString {ubMax} OPTIONAL, + partyName [1] DirectoryString {ubMax} + } + + -- issuer alternative name extension OID and syntax + + ext-IssuerAltName EXTENSION ::= { SYNTAX + GeneralNames IDENTIFIED BY id-ce-issuerAltName } + id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } + + ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX + SubjectDirectoryAttributes IDENTIFIED BY + id-ce-subjectDirectoryAttributes } + id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } + + SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF + AttributeSet{{SupportedAttributes}} + + -- basic constraints extension OID and syntax + + ext-BasicConstraints EXTENSION ::= { SYNTAX + BasicConstraints IDENTIFIED BY id-ce-basicConstraints } + id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } + + + + +Hoffman & Schaad Informational [Page 104] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + BasicConstraints ::= SEQUENCE { + cA BOOLEAN DEFAULT FALSE, + pathLenConstraint INTEGER (0..MAX) OPTIONAL + } + + -- name constraints extension OID and syntax + ext-NameConstraints EXTENSION ::= { SYNTAX + NameConstraints IDENTIFIED BY id-ce-nameConstraints } + id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } + + NameConstraints ::= SEQUENCE { + permittedSubtrees [0] GeneralSubtrees OPTIONAL, + excludedSubtrees [1] GeneralSubtrees OPTIONAL + } + -- + -- This is a constraint in the issued certificates by CAs, but is + -- not a requirement on EEs. + -- + -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} | + -- WITH COMPONENTS { ..., excludedSubtrees PRESENT }} + + GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree + + GeneralSubtree ::= SEQUENCE { + base GeneralName, + minimum [0] BaseDistance DEFAULT 0, + maximum [1] BaseDistance OPTIONAL + } + + BaseDistance ::= INTEGER (0..MAX) + + -- policy constraints extension OID and syntax + + ext-PolicyConstraints EXTENSION ::= { SYNTAX + PolicyConstraints IDENTIFIED BY id-ce-policyConstraints } + id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } + + PolicyConstraints ::= SEQUENCE { + requireExplicitPolicy [0] SkipCerts OPTIONAL, + inhibitPolicyMapping [1] SkipCerts OPTIONAL } + -- + -- This is a constraint in the issued certificates by CAs, + -- but is not a requirement for EEs + -- + -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} | + -- WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT}) + + SkipCerts ::= INTEGER (0..MAX) + + + +Hoffman & Schaad Informational [Page 105] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- CRL distribution points extension OID and syntax + + ext-CRLDistributionPoints EXTENSION ::= { SYNTAX + CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints} + id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} + CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + + DistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + reasons [1] ReasonFlags OPTIONAL, + cRLIssuer [2] GeneralNames OPTIONAL + } + -- + -- This is not a requirement in the text, but it seems as if it + -- should be + -- + --(WITH COMPONENTS {..., distributionPoint PRESENT} | + -- WITH COMPONENTS {..., cRLIssuer PRESENT}) + + DistributionPointName ::= CHOICE { + fullName [0] GeneralNames, + nameRelativeToCRLIssuer [1] RelativeDistinguishedName + } + + ReasonFlags ::= BIT STRING { + unused (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + privilegeWithdrawn (7), + aACompromise (8) + } + + -- extended key usage extension OID and syntax + + ext-ExtKeyUsage EXTENSION ::= { SYNTAX + ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage } + id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} + + ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId + + KeyPurposeId ::= OBJECT IDENTIFIER + + -- permit unspecified key uses + + + + +Hoffman & Schaad Informational [Page 106] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } + + -- extended key purpose OIDs + + id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } + id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } + id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } + id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } + id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } + id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } + + -- inhibit any policy OID and syntax + + ext-InhibitAnyPolicy EXTENSION ::= {SYNTAX + SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy } + id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } + + -- freshest (delta)CRL extension OID and syntax + + ext-FreshestCRL EXTENSION ::= {SYNTAX + CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL } + id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } + + -- authority info access + + ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX + AuthorityInfoAccessSyntax IDENTIFIED BY + id-pe-authorityInfoAccess } + id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } + + AuthorityInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + + AccessDescription ::= SEQUENCE { + accessMethod OBJECT IDENTIFIER, + accessLocation GeneralName } + + -- subject info access + + ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX + SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess } + id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 } + + SubjectInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + + -- CRL number extension OID and syntax + + + + +Hoffman & Schaad Informational [Page 107] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + ext-CRLNumber EXTENSION ::= {SYNTAX + INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber } + id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } + + CRLNumber ::= INTEGER (0..MAX) + -- issuing distribution point extension OID and syntax + + ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX + IssuingDistributionPoint IDENTIFIED BY + id-ce-issuingDistributionPoint } + id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } + + IssuingDistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, + onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, + onlySomeReasons [3] ReasonFlags OPTIONAL, + indirectCRL [4] BOOLEAN DEFAULT FALSE, + onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE + } + -- at most one of onlyContainsUserCerts, onlyContainsCACerts, + -- or onlyContainsAttributeCerts may be set to TRUE. + + ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX + CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator } + id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } + + -- CRL reasons extension OID and syntax + + ext-CRLReason EXTENSION ::= { SYNTAX + CRLReason IDENTIFIED BY id-ce-cRLReasons } + id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 } + + CRLReason ::= ENUMERATED { + unspecified (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + removeFromCRL (8), + privilegeWithdrawn (9), + aACompromise (10) + } + + -- certificate issuer CRL entry extension OID and syntax + + + + +Hoffman & Schaad Informational [Page 108] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + ext-CertificateIssuer EXTENSION ::= { SYNTAX + GeneralNames IDENTIFIED BY id-ce-certificateIssuer } + id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 } + + -- hold instruction extension OID and syntax + ext-HoldInstructionCode EXTENSION ::= { SYNTAX + OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode } + id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 } + + -- ANSI x9 holdinstructions + + holdInstruction OBJECT IDENTIFIER ::= + {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2} + id-holdinstruction-none OBJECT IDENTIFIER ::= + {holdInstruction 1} -- deprecated + id-holdinstruction-callissuer OBJECT IDENTIFIER ::= + {holdInstruction 2} + id-holdinstruction-reject OBJECT IDENTIFIER ::= + {holdInstruction 3} + + -- invalidity date CRL entry extension OID and syntax + + ext-InvalidityDate EXTENSION ::= { SYNTAX + GeneralizedTime IDENTIFIED BY id-ce-invalidityDate } + id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 } + -- Upper bounds + ubMax INTEGER ::= 32768 + + END + + + -- + -- This module is used to isolate all the X.400 naming information. + -- There is no reason to expect this to occur in a PKIX certificate. + -- + + PKIX-X400Address-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60) } + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + + -- X.400 address syntax starts here + + ORAddress ::= SEQUENCE { + built-in-standard-attributes BuiltInStandardAttributes, + built-in-domain-defined-attributes + BuiltInDomainDefinedAttributes OPTIONAL, + + + +Hoffman & Schaad Informational [Page 109] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- see also teletex-domain-defined-attributes + extension-attributes ExtensionAttributes OPTIONAL } + + -- Built-in Standard Attributes + + BuiltInStandardAttributes ::= SEQUENCE { + country-name CountryName OPTIONAL, + administration-domain-name AdministrationDomainName OPTIONAL, + network-address [0] IMPLICIT NetworkAddress OPTIONAL, + -- see also extended-network-address + terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL, + private-domain-name [2] PrivateDomainName OPTIONAL, + organization-name [3] IMPLICIT OrganizationName OPTIONAL, + -- see also teletex-organization-name + numeric-user-identifier [4] IMPLICIT NumericUserIdentifier + OPTIONAL, + personal-name [5] IMPLICIT PersonalName OPTIONAL, + -- see also teletex-personal-name + organizational-unit-names [6] IMPLICIT OrganizationalUnitNames + OPTIONAL } + -- see also teletex-organizational-unit-names + + CountryName ::= [APPLICATION 1] CHOICE { + x121-dcc-code NumericString + (SIZE (ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + + AdministrationDomainName ::= [APPLICATION 2] CHOICE { + numeric NumericString (SIZE (0..ub-domain-name-length)), + printable PrintableString (SIZE (0..ub-domain-name-length)) } + + NetworkAddress ::= X121Address -- see also extended-network-address + + X121Address ::= NumericString (SIZE (1..ub-x121-address-length)) + + TerminalIdentifier ::= PrintableString (SIZE + (1..ub-terminal-id-length)) + + PrivateDomainName ::= CHOICE { + numeric NumericString (SIZE (1..ub-domain-name-length)), + printable PrintableString (SIZE (1..ub-domain-name-length)) } + + OrganizationName ::= PrintableString + (SIZE (1..ub-organization-name-length)) + -- see also teletex-organization-name + + NumericUserIdentifier ::= NumericString + + + +Hoffman & Schaad Informational [Page 110] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + (SIZE (1..ub-numeric-user-id-length)) + + PersonalName ::= SET { + surname [0] IMPLICIT PrintableString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT PrintableString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT PrintableString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT PrintableString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } + -- see also teletex-personal-name + + OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) + OF OrganizationalUnitName + -- see also teletex-organizational-unit-names + + OrganizationalUnitName ::= PrintableString (SIZE + (1..ub-organizational-unit-name-length)) + + -- Built-in Domain-defined Attributes + + BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE + (1..ub-domain-defined-attributes) OF + BuiltInDomainDefinedAttribute + + BuiltInDomainDefinedAttribute ::= SEQUENCE { + type PrintableString (SIZE + (1..ub-domain-defined-attribute-type-length)), + value PrintableString (SIZE + (1..ub-domain-defined-attribute-value-length)) } + + -- Extension Attributes + + ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF + ExtensionAttribute + + EXTENSION-ATTRIBUTE ::= CLASS { + &id INTEGER (0..ub-extension-attributes) UNIQUE, + &Type + } WITH SYNTAX { &Type IDENTIFIED BY &id } + + ExtensionAttribute ::= SEQUENCE { + extension-attribute-type [0] IMPLICIT EXTENSION-ATTRIBUTE. + &id({SupportedExtensionAttributes}), + extension-attribute-value [1] EXTENSION-ATTRIBUTE. + &Type({SupportedExtensionAttributes} + + + +Hoffman & Schaad Informational [Page 111] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + {@extension-attribute-type})} + + SupportedExtensionAttributes EXTENSION-ATTRIBUTE ::= { + ea-commonName | ea-teletexCommonName | ea-teletexOrganizationName + | ea-teletexPersonalName | ea-teletexOrganizationalUnitNames | + ea-pDSName | ea-physicalDeliveryCountryName | ea-postalCode | + ea-physicalDeliveryOfficeName | ea-physicalDeliveryOfficeNumber | + ea-extensionORAddressComponents | ea-physicalDeliveryPersonalName + | ea-physicalDeliveryOrganizationName | + ea-extensionPhysicalDeliveryAddressComponents | + ea-unformattedPostalAddress | ea-streetAddress | + ea-postOfficeBoxAddress | ea-posteRestanteAddress | + ea-uniquePostalName | ea-localPostalAttributes | + ea-extendedNetworkAddress | ea-terminalType | + ea-teletexDomainDefinedAttributes, ... } + + -- Extension types and attribute values + + ea-commonName EXTENSION-ATTRIBUTE ::= { PrintableString + (SIZE (1..ub-common-name-length)) IDENTIFIED BY 1 } + + ea-teletexCommonName EXTENSION-ATTRIBUTE ::= {TeletexString + (SIZE (1..ub-common-name-length)) IDENTIFIED BY 2 } + + ea-teletexOrganizationName EXTENSION-ATTRIBUTE::= { TeletexString + (SIZE (1..ub-organization-name-length)) IDENTIFIED BY 3 } + + ea-teletexPersonalName EXTENSION-ATTRIBUTE ::= {SET { + surname [0] IMPLICIT TeletexString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT TeletexString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT TeletexString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT TeletexString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } IDENTIFIED BY 4 } + + ea-teletexOrganizationalUnitNames EXTENSION-ATTRIBUTE ::= + { SEQUENCE SIZE (1..ub-organizational-units) OF + TeletexOrganizationalUnitName IDENTIFIED BY 5 } + + TeletexOrganizationalUnitName ::= TeletexString + (SIZE (1..ub-organizational-unit-name-length)) + + ea-pDSName EXTENSION-ATTRIBUTE ::= {PrintableString + (SIZE (1..ub-pds-name-length)) IDENTIFIED BY 7 } + + + + +Hoffman & Schaad Informational [Page 112] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + ea-physicalDeliveryCountryName EXTENSION-ATTRIBUTE ::= { CHOICE { + x121-dcc-code NumericString (SIZE + (ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + IDENTIFIED BY 8 } + + ea-postalCode EXTENSION-ATTRIBUTE ::= { CHOICE { + numeric-code NumericString (SIZE (1..ub-postal-code-length)), + printable-code PrintableString (SIZE (1..ub-postal-code-length)) } + IDENTIFIED BY 9 } + + ea-physicalDeliveryOfficeName EXTENSION-ATTRIBUTE ::= + { PDSParameter IDENTIFIED BY 10 } + + ea-physicalDeliveryOfficeNumber EXTENSION-ATTRIBUTE ::= + {PDSParameter IDENTIFIED BY 11 } + + ea-extensionORAddressComponents EXTENSION-ATTRIBUTE ::= + {PDSParameter IDENTIFIED BY 12 } + + ea-physicalDeliveryPersonalName EXTENSION-ATTRIBUTE ::= + {PDSParameter IDENTIFIED BY 13} + + ea-physicalDeliveryOrganizationName EXTENSION-ATTRIBUTE ::= + {PDSParameter IDENTIFIED BY 14 } + + ea-extensionPhysicalDeliveryAddressComponents EXTENSION-ATTRIBUTE ::= + {PDSParameter IDENTIFIED BY 15 } + + ea-unformattedPostalAddress EXTENSION-ATTRIBUTE ::= { SET { + printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) + OF PrintableString (SIZE (1..ub-pds-parameter-length)) + OPTIONAL, + teletex-string TeletexString + (SIZE (1..ub-unformatted-address-length)) OPTIONAL } + IDENTIFIED BY 16 } + + ea-streetAddress EXTENSION-ATTRIBUTE ::= + {PDSParameter IDENTIFIED BY 17 } + + ea-postOfficeBoxAddress EXTENSION-ATTRIBUTE ::= + {PDSParameter IDENTIFIED BY 18 } + + ea-posteRestanteAddress EXTENSION-ATTRIBUTE ::= + {PDSParameter IDENTIFIED BY 19 } + + ea-uniquePostalName EXTENSION-ATTRIBUTE ::= + + + +Hoffman & Schaad Informational [Page 113] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + { PDSParameter IDENTIFIED BY 20 } + + ea-localPostalAttributes EXTENSION-ATTRIBUTE ::= + {PDSParameter IDENTIFIED BY 21 } + PDSParameter ::= SET { + printable-string PrintableString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL, + teletex-string TeletexString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL } + + ea-extendedNetworkAddress EXTENSION-ATTRIBUTE ::= { + CHOICE { + e163-4-address SEQUENCE { + number [0] IMPLICIT NumericString + (SIZE (1..ub-e163-4-number-length)), + sub-address [1] IMPLICIT NumericString + (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL + }, + psap-address [0] IMPLICIT PresentationAddress + } IDENTIFIED BY 22 + } + + PresentationAddress ::= SEQUENCE { + pSelector [0] EXPLICIT OCTET STRING OPTIONAL, + sSelector [1] EXPLICIT OCTET STRING OPTIONAL, + tSelector [2] EXPLICIT OCTET STRING OPTIONAL, + nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING } + + ea-terminalType EXTENSION-ATTRIBUTE ::= {INTEGER { + telex (3), + teletex (4), + g3-facsimile (5), + g4-facsimile (6), + ia5-terminal (7), + videotex (8) } (0..ub-integer-options) + IDENTIFIED BY 23 } + + -- Extension Domain-defined Attributes + + ea-teletexDomainDefinedAttributes EXTENSION-ATTRIBUTE ::= + { SEQUENCE SIZE (1..ub-domain-defined-attributes) OF + TeletexDomainDefinedAttribute IDENTIFIED BY 6 } + + TeletexDomainDefinedAttribute ::= SEQUENCE { + type TeletexString + (SIZE (1..ub-domain-defined-attribute-type-length)), + value TeletexString + (SIZE (1..ub-domain-defined-attribute-value-length)) } + + + +Hoffman & Schaad Informational [Page 114] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + -- specifications of Upper Bounds MUST be regarded as mandatory + -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter + -- Upper Bounds + -- Upper Bounds + ub-match INTEGER ::= 128 + ub-common-name-length INTEGER ::= 64 + ub-country-name-alpha-length INTEGER ::= 2 + ub-country-name-numeric-length INTEGER ::= 3 + ub-domain-defined-attributes INTEGER ::= 4 + ub-domain-defined-attribute-type-length INTEGER ::= 8 + ub-domain-defined-attribute-value-length INTEGER ::= 128 + ub-domain-name-length INTEGER ::= 16 + ub-extension-attributes INTEGER ::= 256 + ub-e163-4-number-length INTEGER ::= 15 + ub-e163-4-sub-address-length INTEGER ::= 40 + ub-generation-qualifier-length INTEGER ::= 3 + ub-given-name-length INTEGER ::= 16 + ub-initials-length INTEGER ::= 5 + ub-integer-options INTEGER ::= 256 + ub-numeric-user-id-length INTEGER ::= 32 + ub-organization-name-length INTEGER ::= 64 + ub-organizational-unit-name-length INTEGER ::= 32 + ub-organizational-units INTEGER ::= 4 + ub-pds-name-length INTEGER ::= 16 + ub-pds-parameter-length INTEGER ::= 30 + ub-pds-physical-address-lines INTEGER ::= 6 + ub-postal-code-length INTEGER ::= 16 + ub-surname-length INTEGER ::= 40 + ub-terminal-id-length INTEGER ::= 24 + ub-unformatted-address-length INTEGER ::= 180 + ub-x121-address-length INTEGER ::= 16 + + -- Note - upper bounds on string types, such as TeletexString, are + -- measured in characters. Excepting PrintableString or IA5String, a + -- significantly greater number of octets will be required to hold + -- such a value. As a minimum, 16 octets or twice the specified + -- upper bound, whichever is the larger, should be allowed for + -- TeletexString. For UTF8String or UniversalString, at least four + -- times the upper bound should be allowed. + + END + +15. Security Considerations + + Even though all the RFCs in this document are security-related, the + document itself does not have any security considerations. The ASN.1 + modules keep the same bits-on-the-wire as the modules that they + replace. + + + +Hoffman & Schaad Informational [Page 115] + +RFC 5912 New ASN.1 for PKIX June 2010 + + +16. Normative References + + [ASN1-2002] ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and + X.683", ITU-T X.680, X.681, X.682, and X.683, 2002. + + [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. + Adams, "X.509 Internet Public Key Infrastructure Online + Certificate Status Protocol - OCSP", RFC 2560, + June 1999. + + [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification + Request Syntax Specification Version 1.7", RFC 2986, + November 2000. + + [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and + Identifiers for the Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation + List (CRL) Profile", RFC 3279, April 2002. + + [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", + RFC 3852, July 2004. + + [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional + Algorithms and Identifiers for RSA Cryptography for use + in the Internet X.509 Public Key Infrastructure + Certificate and Certificate Revocation List (CRL) + Profile", RFC 4055, June 2005. + + [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, + "Internet X.509 Public Key Infrastructure Certificate + Management Protocol (CMP)", RFC 4210, September 2005. + + [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure + Certificate Request Message Format (CRMF)", RFC 4211, + September 2005. + + [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and + W. Polk, "Server-Based Certificate Validation Protocol + (SCVP)", RFC 5055, December 2007. + + [RFC5272] Schaad, J. and M. Myers, "Certificate Management over + CMS (CMC)", RFC 5272, June 2008. + + [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., + Housley, R., and W. Polk, "Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation + List (CRL) Profile", RFC 5280, May 2008. + + + + +Hoffman & Schaad Informational [Page 116] + +RFC 5912 New ASN.1 for PKIX June 2010 + + + [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. + Polk, "Elliptic Curve Cryptography Subject Public Key + Information", RFC 5480, March 2009. + + [RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet + Attribute Certificate Profile for Authorization", + RFC 5755, January 2010. + + [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for + Cryptographic Message Syntax (CMS) and S/MIME", + RFC 5911, June 2010. + +Authors' Addresses + + Paul Hoffman + VPN Consortium + 127 Segre Place + Santa Cruz, CA 95060 + US + + Phone: 1-831-426-9827 + EMail: paul.hoffman@vpnc.org + + + Jim Schaad + Soaring Hawk Consulting + + EMail: jimsch@exmsft.com + + + + + + + + + + + + + + + + + + + + + + + +Hoffman & Schaad Informational [Page 117] + diff --git a/const-oid/oiddbgen/rfc6268.txt b/const-oid/oiddbgen/rfc6268.txt new file mode 100644 index 000000000..95fe92deb --- /dev/null +++ b/const-oid/oiddbgen/rfc6268.txt @@ -0,0 +1,1851 @@ + + + + + + +Internet Engineering Task Force (IETF) J. Schaad +Request for Comments: 6268 Soaring Hawk Consulting +Updates: 5911 S. Turner +Category: Informational IECA, Inc. +ISSN: 2070-1721 July 2011 + + +Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) + and the Public Key Infrastructure Using X.509 (PKIX) + +Abstract + + The Cryptographic Message Syntax (CMS) format, and many associated + formats, are expressed using ASN.1. The current ASN.1 modules + conform to the 1988 version of ASN.1. This document updates some + auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the + 1988 ASN.1 modules remain the normative version. There are no bits- + on-the-wire changes to any of the formats; this is simply a change to + the syntax. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6268. + +Copyright Notice + + Copyright (c) 2011 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + + + + +Schaad & Turner Informational [Page 1] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + This document may contain material from IETF Documents or IETF + Contributions published or made publicly available before November + 10, 2008. The person(s) controlling the copyright in some of this + material may not have granted the IETF Trust the right to allow + modifications of such material outside the IETF Standards Process. + Without obtaining an adequate license from the person(s) controlling + the copyright in such materials, this document may not be modified + outside the IETF Standards Process, and derivative works of it may + not be created outside the IETF Standards Process, except to format + it for publication as an RFC or to translate it into languages other + than English. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. ASN.1 Updates (2002 to 2008) . . . . . . . . . . . . . . . 4 + 1.2. Requirements Terminology . . . . . . . . . . . . . . . . . 4 + 2. ASN.1 Module RFC 3274 . . . . . . . . . . . . . . . . . . . . 5 + 3. ASN.1 Module RFC 3779 . . . . . . . . . . . . . . . . . . . . 7 + 4. ASN.1 Module RFC 6019 . . . . . . . . . . . . . . . . . . . . 10 + 5. ASN.1 Module RFC 4073 . . . . . . . . . . . . . . . . . . . . 11 + 6. ASN.1 Module RFC 4231 . . . . . . . . . . . . . . . . . . . . 12 + 7. ASN.1 Module RFC 4334 . . . . . . . . . . . . . . . . . . . . 15 + 8. ASN.1 Module RFC 5083 . . . . . . . . . . . . . . . . . . . . 16 + 9. ASN.1 Module RFC 5652 . . . . . . . . . . . . . . . . . . . . 18 + 10. ASN.1 Module RFC 5752 . . . . . . . . . . . . . . . . . . . . 29 + 11. Module Identifiers in ASN.1 . . . . . . . . . . . . . . . . . 30 + 12. Security Considerations . . . . . . . . . . . . . . . . . . . 32 + 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32 + 13.1. Normative References . . . . . . . . . . . . . . . . . . . 32 + 13.2. Informative References . . . . . . . . . . . . . . . . . . 33 + + + + + + + + + + + + + + + + +Schaad & Turner Informational [Page 2] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + +1. Introduction + + Some developers would like the IETF to use the latest version of + ASN.1 in its standards. Most of the RFCs that relate to security + protocols still use ASN.1 from the 1988 standard, which has been + deprecated. This is particularly true for the standards that relate + to PKIX, CMS, and Secure/Multipurpose Internet Mail Extensions + (S/MIME). + + In this document we have either changed the syntax to use the 2008 + ASN.1 standard, or done some updates from previous conversions. The + ASN.1 modules updated came from the following RFCs: + + o RFC 3274, Compressed Data Content Type for Cryptographic Message + Syntax (CMS) [RFC3274]. + + o RFC 3779, X.509 Extensions for IP Addresses and AS Identifiers + [RFC3779]. + + o RFC 6019, BinaryTime: An Alternate Format for Representing Date + and Time in ASN.1 [RFC6019]. + + o RFC 4073, Protecting Multiple Contents with the Cryptographic + Message Syntax (CMS) [RFC4073]. + + o RFC 4231, Identifiers and Test Vectors for HMAC-SHA-224, + HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 [RFC4231]. + + o RFC 4334, Certificate Extensions and Attributes Supporting + Authentication in Point-to-Point Protocol (PPP) and Wireless Local + Area Networks (WLAN) [RFC4334]. + + o RFC 5083, Cryptographic Message Syntax (CMS) Authenticated- + Enveloped-Data Content Type [RFC5083]. + + o RFC 5652, Cryptographic Message Syntax (CMS) [RFC5652]. + + o RFC 5752, Multiple Signatures in Cryptographic Message Syntax + (CMS) [RFC5752]. + + Note that some of the modules in this document get some of their + definitions from places different than the modules in the original + RFCs. The idea is that these modules, when combined with the modules + in [RFC5911] and [RFC5912], can stand on their own and do not need to + import definitions from anywhere else. + + + + + + +Schaad & Turner Informational [Page 3] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + This document does not explicitly update the RFCs from which the + ASN.1 modules have been extracted. This is because the original 1988 + ASN.1 syntax remains the normative version and the modules in this + document as well as in [RFC5911] and [RFC5912] are informative (but + hopefully useful) annexes. + +1.1. ASN.1 Updates (2002 to 2008) + + The modules defined in this document are compatible with the most + current ASN.1 specification published in 2008 (see [ASN1-2008]). The + changes between the 2002 specification and the 2008 specification + include the creation of additional pre-defined types (DATE, DATE- + TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE-OID-IRI, TIME, TIME- + OF-DAY) and the ability to define different encoding rules (ENCODING- + CONTROL, INSTRUCTIONS). None of the newly defined tokens are + currently used in any of the ASN.1 specifications published here. + + Information on the changes to ASN.1 between the 1988 and 2002 + versions can be found in [RFC6025]. + +1.2. Requirements Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + + + + + + + + + + + + + + + + + + + + + + + + + +Schaad & Turner Informational [Page 4] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + +2. ASN.1 Module RFC 3274 + + We have updated the ASN.1 module associated with this document to be + 2008 compliant and to use the set of classes previously defined in + [RFC5911]. + + CompressedDataContent-2010 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-compressedDataContent(54) } + + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + + IMPORTS + CMSVersion, ContentSet, + CONTENT-TYPE + FROM CryptographicMessageSyntax-2010 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } + + AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + ; + + -- + -- ContentTypes contains the set of content types that are + -- defined in this module. + -- + -- The contents of ContentTypes should be added to + -- ContentSet defined in [RFC5652] + -- + + ContentTypes CONTENT-TYPE ::= {ct-compressedData} + + -- + -- SMimeCaps contains the set of S/MIME capabilities that + -- are associated with the algorithms defined in this + -- document. + -- + -- SMimeCaps are added to the SMimeCapsSet defined in + -- [RFC5751] as updated by [RFC5911]. + + SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps, ...} + + + + + +Schaad & Turner Informational [Page 5] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + -- + -- Define the compressed data content type + -- + + ct-compressedData CONTENT-TYPE ::= { + TYPE CompressedData IDENTIFIED BY id-ct-compressedData + } + + CompressedData ::= SEQUENCE { + version CMSVersion (v0), -- Always set to 0 + compressionAlgorithm CompressionAlgorithmIdentifier, + encapContentInfo EncapsulatedContentInfo + } + + EncapsulatedContentInfo ::= SEQUENCE { + eContentType CONTENT-TYPE.&id({ContentSet}), + eContent [0] EXPLICIT OCTET STRING OPTIONAL } + + CompressionAlgorithmIdentifier ::= + AlgorithmIdentifier{COMPRESS-ALGORITHM, {CompressAlgorithmSet}} + + CompressAlgorithmSet COMPRESS-ALGORITHM ::= { + cpa-zlibCompress, ... + } + + -- Algorithm Identifiers + + id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 } + + cpa-zlibCompress COMPRESS-ALGORITHM ::= { + IDENTIFIER id-alg-zlibCompress + PARAMS TYPE NULL ARE preferredAbsent + SMIME-CAPS {IDENTIFIED BY id-alg-zlibCompress} + } + + -- Content Type Object Identifiers + + id-ct-compressedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 9 } + + -- + -- Class defined for compression algorithms + -- + + + + + + + +Schaad & Turner Informational [Page 6] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + COMPRESS-ALGORITHM ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Params OPTIONAL, + ¶mPresence ParamOptions DEFAULT absent, + &smimeCaps SMIME-CAPS OPTIONAL + } + WITH SYNTAX { + IDENTIFIER &id + [PARAMS [TYPE &Params] ARE ¶mPresence] + [SMIME-CAPS &smimeCaps] + } + + END + +3. ASN.1 Module RFC 3779 + + We have updated the ASN.1 module associated with RFC 3779 to be ASN.1 + 2008 compliant and to use the set of classes previously defined in + [RFC5912]. + + IPAddrAndASCertExtn-2010 { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) mod(0) + id-mod-ip-addr-and-as-ident-2(72) } + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + EXPORTS ALL; + + IMPORTS + + -- PKIX specific OIDs and arcs -- + id-pe + FROM PKIX1Explicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-explicit-02(51)} + + EXTENSION + FROM PKIX-CommonTypes-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkixCommon-02(57)} + ; + + + + + + + + + +Schaad & Turner Informational [Page 7] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + -- + -- Extensions contains the set of extensions defined in this + -- module + -- + -- These are intended to be placed in public key certificates + -- and thus should be added to the CertExtensions extension + -- set in PKIXImplicit-2009 defined for [RFC5280] + -- + + Extensions EXTENSION ::= { + ext-pe-ipAddrBlocks | ext-pe-autonomousSysIds + } + + -- IP Address Delegation Extension OID -- + + ext-pe-ipAddrBlocks EXTENSION ::= { + SYNTAX IPAddrBlocks + IDENTIFIED BY id-pe-ipAddrBlocks + } + + id-pe-ipAddrBlocks OBJECT IDENTIFIER ::= { id-pe 7 } + + -- IP Address Delegation Extension Syntax -- + + IPAddrBlocks ::= SEQUENCE OF IPAddressFamily + + IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI -- + addressFamily OCTET STRING (SIZE (2..3)), + ipAddressChoice IPAddressChoice } + + IPAddressChoice ::= CHOICE { + inherit NULL, -- inherit from issuer -- + addressesOrRanges SEQUENCE OF IPAddressOrRange } + + IPAddressOrRange ::= CHOICE { + addressPrefix IPAddress, + addressRange IPAddressRange } + + IPAddressRange ::= SEQUENCE { + min IPAddress, + max IPAddress } + + IPAddress ::= BIT STRING + + + + + + + + +Schaad & Turner Informational [Page 8] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + -- Autonomous System Identifier Delegation Extension OID -- + + ext-pe-autonomousSysIds EXTENSION ::= { + SYNTAX ASIdentifiers + IDENTIFIED BY id-pe-autonomousSysIds + } + + id-pe-autonomousSysIds OBJECT IDENTIFIER ::= { id-pe 8 } + + -- Autonomous System Identifier Delegation Extension Syntax -- + + ASIdentifiers ::= SEQUENCE { + asnum [0] ASIdentifierChoice OPTIONAL, + rdi [1] ASIdentifierChoice OPTIONAL } + (WITH COMPONENTS {..., asnum PRESENT} | + WITH COMPONENTS {..., rdi PRESENT}) + + ASIdentifierChoice ::= CHOICE { + inherit NULL, -- inherit from issuer -- + asIdsOrRanges SEQUENCE OF ASIdOrRange } + + ASIdOrRange ::= CHOICE { + id ASId, + range ASRange } + + ASRange ::= SEQUENCE { + min ASId, + max ASId } + + ASId ::= INTEGER + + END + + + + + + + + + + + + + + + + + + + +Schaad & Turner Informational [Page 9] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + +4. ASN.1 Module RFC 6019 + + We have updated the ASN.1 module associated with this document to be + 2008 compliant and to use the set of classes previously defined in + [RFC5911]. + + BinarySigningTimeModule-2010 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) modules(0) + id-mod-binSigningTime-2009(55) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + -- From PKIX-CommonTypes-2009 [RFC5912] + + ATTRIBUTE + FROM PKIX-CommonTypes-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkixCommon-02(57) } + ; + + -- + -- BinaryTime Definition + -- + -- BinaryTime contains the number seconds since + -- midnight Jan 1, 1970 UTC. + -- Leap seconds are EXCLUDED from the computation. + -- + + BinaryTime ::= INTEGER (0..MAX) + + -- + -- Signing Binary Time Attribute + -- + -- The binary signing time should be added to + -- SignedAttributeSet and AuthAttributeSet in CMS [RFC5652] + -- and to AuthEnvDataAttributeSet in [RFC5083] with the + -- new modules in this document, RFC 6268. + -- + + + + + + + + + + +Schaad & Turner Informational [Page 10] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + aa-binarySigningTime ATTRIBUTE ::= { + TYPE BinarySigningTime + IDENTIFIED BY id-aa-binarySigningTime } + + id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 46 } + + BinarySigningTime ::= BinaryTime + + END + +5. ASN.1 Module RFC 4073 + + We have updated the ASN.1 module associated with this document to be + 2008 compliant and to use the set of classes previously defined in + [RFC5911]. + + ContentCollectionModule-2010 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) modules(0) id-mod-context-Collect-2009(56) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + -- From CryptographicMessageSyntax-2010 [RFC6268] + + CONTENT-TYPE, ContentInfo + FROM CryptographicMessageSyntax-2010 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } + + AttributeSet{}, ATTRIBUTE + FROM PKIX-CommonTypes-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkixCommon-02(57) } + ; + + -- + -- An object set of all content types defined by this module. + -- This is to be added to ContentSet in the CMS module + -- + + ContentSet CONTENT-TYPE ::= { + ct-ContentCollection | ct-ContentWithAttributes, ... + } + + + + +Schaad & Turner Informational [Page 11] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + -- + -- Content Collection Content Type and Object Identifier + -- + + ct-ContentCollection CONTENT-TYPE ::= { + TYPE ContentCollection IDENTIFIED BY id-ct-contentCollection } + + id-ct-contentCollection OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) ct(1) 19 } + + ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo + + -- + -- Content With Attributes Content Type and Object Identifier + -- + + ct-ContentWithAttributes CONTENT-TYPE ::= { + TYPE ContentWithAttributes IDENTIFIED BY id-ct-contentWithAttrs } + + id-ct-contentWithAttrs OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) ct(1) 20 } + + ContentWithAttributes ::= SEQUENCE { + content ContentInfo, + attrs SEQUENCE SIZE (1..MAX) OF AttributeSet + {{ ContentAttributeSet }} + } + + ContentAttributeSet ATTRIBUTE ::= { ... } + END + +6. ASN.1 Module RFC 4231 + + RFC 4231 does not contain an ASN.1 module to be updated. We have + therefore created an ASN.1 module to represent the ASN.1 that is + present in the document. Note that the parameters are defined as + expecting a parameter for the algorithm identifiers in this module; + this is different from most of the algorithms used in PKIX and + S/MIME. There is no concept of being able to truncate the MAC + (Message Authentication Code) value in the ASN.1 unlike the XML + definitions. This is reflected by not having a minimum MAC length + defined in the ASN.1. + + + + + + + +Schaad & Turner Informational [Page 12] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + HMAC-2010 { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) mod(0) id-mod-hmac(74) } + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + EXPORTS ALL; + + IMPORTS + + MAC-ALGORITHM, SMIME-CAPS + FROM AlgorithmInformation-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)}; + + -- + -- This object set contains all of the MAC algorithms that are + -- defined in this module. + -- One would add it to a constraining set of objects such as the + -- MessageAuthenticationCodeAlgorithmSet in [RFC5652] + -- + + MessageAuthAlgs MAC-ALGORITHM ::= { + maca-hMAC-SHA224 | + maca-hMAC-SHA256 | + maca-hMAC-SHA384 | + maca-hMAC-SHA512 + } + + -- + -- This object set contains all of the S/MIME capabilities that + -- have been defined for all the MAC algorithms in this module. + -- One would add this to an object set that is used to restrict + -- S/MIME capabilities such as the SMimeCapsSet variable in + -- RFC 3851 (obsoleted by RFC 5751) as modified in RFC 5911. + -- + + SMimeCaps SMIME-CAPS ::= { + maca-hMAC-SHA224.&smimeCaps | + maca-hMAC-SHA256.&smimeCaps | + maca-hMAC-SHA384.&smimeCaps | + maca-hMAC-SHA512.&smimeCaps + } + + -- + -- Define the base OID for the algorithm identifiers + -- + + + + + +Schaad & Turner Informational [Page 13] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + rsadsi OBJECT IDENTIFIER ::= + {iso(1) member-body(2) us(840) rsadsi(113549)} + + digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2} + + -- + -- Define the necessary algorithm identifiers + -- + + id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8} + id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9} + id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10} + id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11} + + -- + -- Define each of the MAC-ALGORITHM objects to describe the + -- algorithms defined + -- + + maca-hMAC-SHA224 MAC-ALGORITHM ::= { + IDENTIFIER id-hmacWithSHA224 + PARAMS TYPE NULL ARE preferredPresent + IS-KEYED-MAC TRUE + SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA224} + } + + + maca-hMAC-SHA256 MAC-ALGORITHM ::= { + IDENTIFIER id-hmacWithSHA256 + PARAMS TYPE NULL ARE preferredPresent + IS-KEYED-MAC TRUE + SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA256} + } + + + maca-hMAC-SHA384 MAC-ALGORITHM ::= { + IDENTIFIER id-hmacWithSHA384 + PARAMS TYPE NULL ARE preferredPresent + IS-KEYED-MAC TRUE + SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA384} + } + + + + + + + + + + +Schaad & Turner Informational [Page 14] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + maca-hMAC-SHA512 MAC-ALGORITHM ::= { + IDENTIFIER id-hmacWithSHA512 + PARAMS TYPE NULL ARE preferredPresent + IS-KEYED-MAC TRUE + SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA512} + } + + END + +7. ASN.1 Module RFC 4334 + + We have updated the ASN.1 module associated with RFC 4334 to be ASN.1 + 2008 compliant and to use the set of classes previously defined in + [RFC5912]. + + WLANCertExtn-2010 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-wlan-extns-2(73) } + + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + EXPORTS ALL; + + IMPORTS + + EXTENSION, ATTRIBUTE + FROM PKIX-CommonTypes-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} + + id-pe, id-kp + FROM PKIX1Explicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} + + id-aca + FROM PKIXAttributeCertificate-2009 + { iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)} + + ; + + -- Extended Key Usage Values + + KeyUsageValues OBJECT IDENTIFIER ::= { + id-kp-eapOverPPP | id-kp-eapOverLAN + } + + + +Schaad & Turner Informational [Page 15] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 } + + id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 } + + + -- Wireless LAN SSID Extension + + + ext-pe-wlanSSID EXTENSION ::= { + SYNTAX SSIDList + IDENTIFIED BY id-pe-wlanSSID + CRITICALITY {FALSE} + } + + id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 } + + SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID + + SSID ::= OCTET STRING (SIZE (1..32)) + + -- Wireless LAN SSID Attribute Certificate Attribute + -- Uses same syntax as the certificate extension: SSIDList + + + at-aca-wlanSSID ATTRIBUTE ::= { + TYPE SSIDList + IDENTIFIED BY id-aca-wlanSSID + } + + + id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 7 } + + END + +8. ASN.1 Module RFC 5083 + + This module is updated from RFC 5911 [RFC5911] by the following + changes: + + 1. Define separate attribute sets for the unprotected attributes + used in EnvelopedData, EncryptedData, and + AuthenticatedEnvelopedData (RFC 5083). + + 2. Define a parameterized type EncryptedContentInfoType so that the + basic type can be used with different algorithm sets (used for + EnvelopedData, EncryptedData, and AuthenticatedEnvelopedData (RFC + + + + + +Schaad & Turner Informational [Page 16] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + 5083)). The parameterized type is assigned to an unparameterized + type of EncryptedContentInfo to minimize the output changes from + previous versions. + + Protocol designers can make use of the '08 ASN.1 constraints to + define different sets of attributes for EncryptedData and + EnvelopedData and for AuthenticatedData and AuthEnvelopedData. + Previously, attributes could only be constrained based on whether + they were in the clear or unauthenticated not on the encapsulating + content type. + + CMS-AuthEnvelopedData-2010 + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cmsAuthEnvData-2009(57) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + CMSVersion, EncryptedContentInfoType{}, + MessageAuthenticationCode, OriginatorInfo, RecipientInfos, + CONTENT-TYPE, Attributes{}, ATTRIBUTE, CONTENT-ENCRYPTION, + AlgorithmIdentifier{}, + aa-signingTime, aa-messageDigest, aa-contentType + FROM CryptographicMessageSyntax-2010 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } + + ContentEncryptionAlgs + FROM CMS-AES-CCM-and-AES-GCM-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) } + ; + + ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... } + + ct-authEnvelopedData CONTENT-TYPE ::= { + TYPE AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData + } + + id-ct-authEnvelopedData OBJECT IDENTIFIER ::= + {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) ct(1) 23} + + AuthEnvelopedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + authEncryptedContentInfo EncryptedContentInfo, + + + +Schaad & Turner Informational [Page 17] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, + mac MessageAuthenticationCode, + unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL + } + + EncryptedContentInfo ::= + EncryptedContentInfoType { AuthContentEncryptionAlgorithmIdentifier } + + AuthContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier + {CONTENT-ENCRYPTION, {AuthContentEncryptionAlgorithmSet}} + + AuthContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= { + ContentEncryptionAlgs, ...} + + AuthAttributes ::= Attributes{{AuthEnvDataAttributeSet}} + + UnauthAttributes ::= Attributes{{UnauthEnvDataAttributeSet}} + + AuthEnvDataAttributeSet ATTRIBUTE ::= { + aa-contentType | aa-messageDigest | aa-signingTime, ... } + + UnauthEnvDataAttributeSet ATTRIBUTE ::= {...} + + END + +9. ASN.1 Module RFC 5652 + + This module is updated from RFC 5911 [RFC5911] by the following + changes: + + 1. Define separate attribute sets for the unprotected attributes + used in EnvelopedData, EncryptedData, and + AuthenticatedEnvelopedData (RFC 5083). + + 2. Define a parameterized type EncryptedContentInfoType so that the + basic type can be used with algorithm sets (used for + EnvelopedData, EncryptedData, and AuthenticatedEnvelopedData (RFC + 5083)). The parameterized type is assigned to an unparameterized + type of EncryptedContentInfo to minimize the output changes from + previous versions. + + We are anticipating the definition of attributes that are going to be + restricted to the use of only EnvelopedData. We are therefore + separating the different attribute sets so that protocol designers + that need to do this will be able to define attributes that are used + for EnvelopedData, but not for EncryptedData. The same separation is + also being applied to AuthenticatedData and AuthEnvelopedData. + + + + +Schaad & Turner Informational [Page 18] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + CryptographicMessageSyntax-2010 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + IMPORTS + + ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, + PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, + KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, + AlgorithmIdentifier{} + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs, + MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs, + KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys + FROM CryptographicMessageSyntaxAlgorithms-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cmsalg-2001-02(37) } + + Certificate, CertificateList, CertificateSerialNumber, + Name, ATTRIBUTE + FROM PKIX1Explicit-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-explicit-02(51) } + + AttributeCertificate + FROM PKIXAttributeCertificate-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-attribute-cert-02(47) } + + AttributeCertificateV1 + FROM AttributeCertificateVersion1-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-v1AttrCert-02(49) } ; + + + + + + + + + + +Schaad & Turner Informational [Page 19] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + -- Cryptographic Message Syntax + + -- The following are used for version numbers using the ASN.1 + -- NOTE: The document reference represents where the versioned + -- feature was introduced to the module. + -- + -- idiom "[[n:" + -- Version 1 = PKCS #7 + -- Version 2 = S/MIME V2 + -- Version 3 = RFC 2630 + -- Version 4 = RFC 3369 + -- Version 5 = RFC 3852 + + CONTENT-TYPE ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Type OPTIONAL + } WITH SYNTAX { + [TYPE &Type] IDENTIFIED BY &id + } + + ContentType ::= CONTENT-TYPE.&id + + ContentInfo ::= SEQUENCE { + contentType CONTENT-TYPE. + &id({ContentSet}), + content [0] EXPLICIT CONTENT-TYPE. + &Type({ContentSet}{@contentType})} + + ContentSet CONTENT-TYPE ::= { + -- Define the set of content types to be recognized. + ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData | + ct-AuthenticatedData | ct-DigestedData, ... } + + SignedData ::= SEQUENCE { + version CMSVersion, + digestAlgorithms SET OF DigestAlgorithmIdentifier, + encapContentInfo EncapsulatedContentInfo, + certificates [0] IMPLICIT CertificateSet OPTIONAL, + crls [1] IMPLICIT RevocationInfoChoices OPTIONAL, + signerInfos SignerInfos } + + SignerInfos ::= SET OF SignerInfo + + EncapsulatedContentInfo ::= SEQUENCE { + eContentType CONTENT-TYPE.&id({ContentSet}), + eContent [0] EXPLICIT OCTET STRING + ( CONTAINING CONTENT-TYPE. + &Type({ContentSet}{@eContentType})) OPTIONAL } + + + +Schaad & Turner Informational [Page 20] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + SignerInfo ::= SEQUENCE { + version CMSVersion, + sid SignerIdentifier, + digestAlgorithm DigestAlgorithmIdentifier, + signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL, + signatureAlgorithm SignatureAlgorithmIdentifier, + signature SignatureValue, + unsignedAttrs [1] IMPLICIT Attributes + {{UnsignedAttributes}} OPTIONAL } + + SignedAttributes ::= Attributes {{ SignedAttributesSet }} + + SignerIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + ..., + [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] } + + SignedAttributesSet ATTRIBUTE ::= + { aa-signingTime | aa-messageDigest | aa-contentType, ... } + + UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... } + + SignatureValue ::= OCTET STRING + + EnvelopedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + encryptedContentInfo EncryptedContentInfo, + ..., + [[2: unprotectedAttrs [1] IMPLICIT Attributes + {{ UnprotectedEnvAttributes }} OPTIONAL ]] } + + OriginatorInfo ::= SEQUENCE { + certs [0] IMPLICIT CertificateSet OPTIONAL, + crls [1] IMPLICIT RevocationInfoChoices OPTIONAL } + + RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo + + EncryptedContentInfo ::= + EncryptedContentInfoType { ContentEncryptionAlgorithmIdentifier } + + EncryptedContentInfoType { AlgorithmIdentifierType } ::= SEQUENCE { + contentType CONTENT-TYPE.&id({ContentSet}), + contentEncryptionAlgorithm AlgorithmIdentifierType, + encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL } + + + + + +Schaad & Turner Informational [Page 21] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + -- If you want to do constraints, you might use: + -- EncryptedContentInfo ::= SEQUENCE { + -- contentType CONTENT-TYPE.&id({ContentSet}), + -- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, + -- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE. + -- &Type({ContentSet}{@contentType}) OPTIONAL } + -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY + -- { ToBeEncrypted } ) + + UnprotectedEnvAttributes ATTRIBUTE ::= { ... } + UnprotectedEncAttributes ATTRIBUTE ::= { ... } + + RecipientInfo ::= CHOICE { + ktri KeyTransRecipientInfo, + ..., + [[3: kari [1] KeyAgreeRecipientInfo ]], + [[4: kekri [2] KEKRecipientInfo]], + [[5: pwri [3] PasswordRecipientInfo, + ori [4] OtherRecipientInfo ]] } + + EncryptedKey ::= OCTET STRING + + KeyTransRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 or 2 + rid RecipientIdentifier, + keyEncryptionAlgorithm AlgorithmIdentifier + {KEY-TRANSPORT, {KeyTransportAlgorithmSet}}, + encryptedKey EncryptedKey } + + KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... } + + RecipientIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + ..., + [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] } + KeyAgreeRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 3 + originator [0] EXPLICIT OriginatorIdentifierOrKey, + ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL, + keyEncryptionAlgorithm AlgorithmIdentifier + {KEY-AGREE, {KeyAgreementAlgorithmSet}}, + recipientEncryptedKeys RecipientEncryptedKeys } + + KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... } + + + + + + + +Schaad & Turner Informational [Page 22] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + OriginatorIdentifierOrKey ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + subjectKeyIdentifier [0] SubjectKeyIdentifier, + originatorKey [1] OriginatorPublicKey } + + OriginatorPublicKey ::= SEQUENCE { + algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}}, + publicKey BIT STRING } + + OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... } + + RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey + + RecipientEncryptedKey ::= SEQUENCE { + rid KeyAgreeRecipientIdentifier, + encryptedKey EncryptedKey } + + KeyAgreeRecipientIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + rKeyId [0] IMPLICIT RecipientKeyIdentifier } + + RecipientKeyIdentifier ::= SEQUENCE { + subjectKeyIdentifier SubjectKeyIdentifier, + date GeneralizedTime OPTIONAL, + other OtherKeyAttribute OPTIONAL } + + SubjectKeyIdentifier ::= OCTET STRING + + KEKRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 4 + kekid KEKIdentifier, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + encryptedKey EncryptedKey } + + KEKIdentifier ::= SEQUENCE { + keyIdentifier OCTET STRING, + date GeneralizedTime OPTIONAL, + other OtherKeyAttribute OPTIONAL } + PasswordRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 + keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier + OPTIONAL, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + encryptedKey EncryptedKey } + + OTHER-RECIPIENT ::= TYPE-IDENTIFIER + + + + + +Schaad & Turner Informational [Page 23] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + OtherRecipientInfo ::= SEQUENCE { + oriType OTHER-RECIPIENT. + &id({SupportedOtherRecipInfo}), + oriValue OTHER-RECIPIENT. + &Type({SupportedOtherRecipInfo}{@oriType})} + + SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... } + + DigestedData ::= SEQUENCE { + version CMSVersion, + digestAlgorithm DigestAlgorithmIdentifier, + encapContentInfo EncapsulatedContentInfo, + digest Digest, ... } + + Digest ::= OCTET STRING + + EncryptedData ::= SEQUENCE { + version CMSVersion, + encryptedContentInfo EncryptedContentInfo, + ..., + [[2: unprotectedAttrs [1] IMPLICIT Attributes + {{UnprotectedEncAttributes}} OPTIONAL ]] } + + AuthenticatedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + macAlgorithm MessageAuthenticationCodeAlgorithm, + digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL, + encapContentInfo EncapsulatedContentInfo, + authAttrs [2] IMPLICIT AuthAttributes OPTIONAL, + mac MessageAuthenticationCode, + unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL } + + AuthAttributes ::= SET SIZE (1..MAX) OF Attribute + {{AuthAttributeSet}} + + AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest + | aa-signingTime, ...} + + MessageAuthenticationCode ::= OCTET STRING + + UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute + {{UnauthAttributeSet}} + + UnauthAttributeSet ATTRIBUTE ::= {...} + + + + + +Schaad & Turner Informational [Page 24] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + -- + -- General algorithm definitions + -- + + DigestAlgorithmIdentifier ::= AlgorithmIdentifier + {DIGEST-ALGORITHM, {DigestAlgorithmSet}} + + DigestAlgorithmSet DIGEST-ALGORITHM ::= { + CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... } + + SignatureAlgorithmIdentifier ::= AlgorithmIdentifier + {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}} + + SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= + { SignatureAlgs, ... } + + KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier + {KEY-WRAP, {KeyEncryptionAlgorithmSet}} + + KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... } + + ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier + {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}} + + ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= + { ContentEncryptionAlgs, ... } + + MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier + {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}} + + MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::= + { MessageAuthAlgs, ... } + + KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier + {KEY-DERIVATION, {KeyDerivationAlgs, ...}} + + RevocationInfoChoices ::= SET OF RevocationInfoChoice + + RevocationInfoChoice ::= CHOICE { + crl CertificateList, + ..., + [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } + + OTHER-REVOK-INFO ::= TYPE-IDENTIFIER + + + + + + + +Schaad & Turner Informational [Page 25] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + OtherRevocationInfoFormat ::= SEQUENCE { + otherRevInfoFormat OTHER-REVOK-INFO. + &id({SupportedOtherRevokInfo}), + otherRevInfo OTHER-REVOK-INFO. + &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})} + + SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... } + + CertificateChoices ::= CHOICE { + certificate Certificate, + extendedCertificate [0] IMPLICIT ExtendedCertificate, + -- Obsolete + ..., + [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]], + -- Obsolete + [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]], + [[5: other [3] IMPLICIT OtherCertificateFormat]] } + + AttributeCertificateV2 ::= AttributeCertificate + + OTHER-CERT-FMT ::= TYPE-IDENTIFIER + + OtherCertificateFormat ::= SEQUENCE { + otherCertFormat OTHER-CERT-FMT. + &id({SupportedCertFormats}), + otherCert OTHER-CERT-FMT. + &Type({SupportedCertFormats}{@otherCertFormat})} + + SupportedCertFormats OTHER-CERT-FMT ::= { ... } + + CertificateSet ::= SET OF CertificateChoices + + IssuerAndSerialNumber ::= SEQUENCE { + issuer Name, + serialNumber CertificateSerialNumber } + + CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) } + + UserKeyingMaterial ::= OCTET STRING + + KEY-ATTRIBUTE ::= TYPE-IDENTIFIER + + OtherKeyAttribute ::= SEQUENCE { + keyAttrId KEY-ATTRIBUTE. + &id({SupportedKeyAttributes}), + keyAttr KEY-ATTRIBUTE. + &Type({SupportedKeyAttributes}{@keyAttrId})} + + + + +Schaad & Turner Informational [Page 26] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... } + + -- Content Type Object Identifiers + + id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 } + + ct-Data CONTENT-TYPE ::= { IDENTIFIED BY id-data } + + id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 } + + ct-SignedData CONTENT-TYPE ::= + { TYPE SignedData IDENTIFIED BY id-signedData} + + id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 } + + ct-EnvelopedData CONTENT-TYPE ::= + { TYPE EnvelopedData IDENTIFIED BY id-envelopedData} + + id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 } + + ct-DigestedData CONTENT-TYPE ::= + { TYPE DigestedData IDENTIFIED BY id-digestedData} + + id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 } + + ct-EncryptedData CONTENT-TYPE ::= + { TYPE EncryptedData IDENTIFIED BY id-encryptedData} + + id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 } + + ct-AuthenticatedData CONTENT-TYPE ::= + { TYPE AuthenticatedData IDENTIFIED BY id-ct-authData} + + id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 } + + -- + -- The CMS Attributes + -- + + MessageDigest ::= OCTET STRING + + + + +Schaad & Turner Informational [Page 27] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + SigningTime ::= Time + + Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } + + Countersignature ::= SignerInfo + + -- Attribute Object Identifiers + + aa-contentType ATTRIBUTE ::= + { TYPE ContentType IDENTIFIED BY id-contentType } + id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } + + aa-messageDigest ATTRIBUTE ::= + { TYPE MessageDigest IDENTIFIED BY id-messageDigest} + id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 } + + aa-signingTime ATTRIBUTE ::= + { TYPE SigningTime IDENTIFIED BY id-signingTime } + id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } + + aa-countersignature ATTRIBUTE ::= + { TYPE Countersignature IDENTIFIED BY id-countersignature } + id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } + + -- + -- Obsolete Extended Certificate syntax from PKCS#6 + -- + + ExtendedCertificateOrCertificate ::= CHOICE { + certificate Certificate, + extendedCertificate [0] IMPLICIT ExtendedCertificate } + + ExtendedCertificate ::= SEQUENCE { + extendedCertificateInfo ExtendedCertificateInfo, + signatureAlgorithm SignatureAlgorithmIdentifier, + signature Signature } + + ExtendedCertificateInfo ::= SEQUENCE { + version CMSVersion, + certificate Certificate, + attributes UnauthAttributes } + + + + +Schaad & Turner Informational [Page 28] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + Signature ::= BIT STRING + + Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE { + attrType ATTRIBUTE. + &id({AttrList}), + attrValues SET OF ATTRIBUTE. + &Type({AttrList}{@attrType}) } + + Attributes { ATTRIBUTE:AttrList } ::= + SET SIZE (1..MAX) OF Attribute {{ AttrList }} + + END + +10. ASN.1 Module RFC 5752 + + We have updated the ASN.1 module associated with this document to be + 2008 compliant and to use the set of classes previously defined in + [RFC5911]. + + MultipleSignatures-2010 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) modules(0) id-mod-multipleSign-2009(59) } + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + -- EXPORTS All + -- The types and values defined in this module are exported for use + -- in the other ASN.1 modules. Other applications may use them for + -- their own purposes. + + IMPORTS + + -- Imports from PKIX-Common-Types-2009 [RFC5912] + + ATTRIBUTE + FROM PKIX-CommonTypes-2009 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkixCommon-02(57)} + + -- Imports from CryptographicMessageSyntax-2010 [RFC6268] + + DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier + FROM CryptographicMessageSyntax-2010 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } + + + + + + +Schaad & Turner Informational [Page 29] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + -- Imports from ExtendedSecurityServices-2009 [RFC5911] + + ESSCertIDv2 + FROM ExtendedSecurityServices-2009 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-ess-2006-02(42) } + ; + + -- + -- Section 3.0 + -- + -- at-multipleSignatures should be added ONLY to the + -- SignedAttributesSet defined in [RFC5652] + -- + + at-multipleSignatures ATTRIBUTE ::= { + TYPE MultipleSignatures + IDENTIFIED BY id-aa-multipleSignatures + } + + id-aa-multipleSignatures OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + id-aa(2) 51 } + + MultipleSignatures ::= SEQUENCE { + bodyHashAlg DigestAlgorithmIdentifier, + signAlg SignatureAlgorithmIdentifier, + signAttrsHash SignAttrsHash, + cert ESSCertIDv2 OPTIONAL + } + + SignAttrsHash ::= SEQUENCE { + algID DigestAlgorithmIdentifier, + hash OCTET STRING + } + + END + +11. Module Identifiers in ASN.1 + + One potential issue that can occur when updating modules is the fact + that a large number of modules may need to be updated if they import + from a newly updated module. This section addresses one method that + can be used to deal with this problem, but the modules in this + document don't currently implement the solution discussed here. + + + + + + +Schaad & Turner Informational [Page 30] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + When looking at an import statement, there are three portions: The + list of items imported, a textual name for the module, and an object + identifier for the module. Full implementations of ASN.1 do module + matching using first the object identifier, and if that is not + present, the textual name of the module. Note however that some + older implementations used the textual name of the module for the + purposes of matching. In a full implementation, the name assigned to + the module is scoped to the ASN.1 module that it appears in (and thus + the need to match the module it is importing from). + + One can create a module that contains only the module number + assignments and import the module assignments from the new module. + This means that when a module is replaced, one can replace the + previous module, update the module number assignment module, and + recompile without having to modify any other modules. + + A sample module assignment module would be: + + ModuleNumbers + DEFINITIONS TAGS ::= + BEGIN + id-mod-CMS ::= { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) 58 } + + id-mod-AlgInfo ::= + {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + END + + This would be used in the following import statement: + + IMPORTS + id-mod-CMS, id-mod-AlgInfo + FROM ModuleNumbers -- Note it will match on the name since no + -- OID is provided + + CMSVersion, EncapsulatedContentInfo, CONTENT-TYPE + FROM CryptographicMessageSyntax-2010 + id-mod-CMS + + AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions + FROM AlgorithmInformation-2009 id-mod-AlgInfo + ; + + + + + + + +Schaad & Turner Informational [Page 31] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + +12. Security Considerations + + This document itself does not have any security considerations. The + ASN.1 modules keep the same bits-on-the-wire as the modules that they + replace. + +13. References + +13.1. Normative References + + [ASN1-2008] ITU-T, "ITU-T Recommendations X.680, X.681, X.682, and + X.683", 2008. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC3274] Gutmann, P., "Compressed Data Content Type for + Cryptographic Message Syntax (CMS)", RFC 3274, + June 2002. + + [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP + Addresses and AS Identifiers", RFC 3779, June 2004. + + [RFC4073] Housley, R., "Protecting Multiple Contents with the + Cryptographic Message Syntax (CMS)", RFC 4073, May 2005. + + [RFC4231] Nystrom, M., "Identifiers and Test Vectors for + HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA- + 512", RFC 4231, December 2005. + + [RFC4334] Housley, R. and T. Moore, "Certificate Extensions and + Attributes Supporting Authentication in Point-to-Point + Protocol (PPP) and Wireless Local Area Networks (WLAN)", + RFC 4334, February 2006. + + [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) + Authenticated-Enveloped-Data Content Type", RFC 5083, + November 2007. + + [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., + Housley, R., and W. Polk, "Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation + List (CRL) Profile", RFC 5280, May 2008. + + [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", + STD 70, RFC 5652, September 2009. + + + + + +Schaad & Turner Informational [Page 32] + +RFC 6268 Additional New ASN.1 Modules July 2011 + + + [RFC5752] Turner, S. and J. Schaad, "Multiple Signatures in + Cryptographic Message Syntax (CMS)", RFC 5752, + January 2010. + + [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for + Cryptographic Message Syntax (CMS) and S/MIME", + RFC 5911, June 2010. + + [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the + Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, + June 2010. + + [RFC6019] Housley, R., "BinaryTime: An Alternate Format for + Representing Date and Time in ASN.1", RFC 6019, + September 2010. + +13.2. Informative References + + [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose + Internet Mail Extensions (S/MIME) Version 3.2 Message + Specification", RFC 5751, January 2010. + + [RFC6025] Wallace, C. and C. Gardiner, "ASN.1 Translation", + RFC 6025, October 2010. + +Authors' Addresses + + Jim Schaad + Soaring Hawk Consulting + + EMail: ietf@augustcellars.com + + + Sean Turner + IECA, Inc. + 3057 Nutley Street, Suite 106 + Fairfax, VA 22031 + + EMail: turners@ieca.com + + + + + + + + + + + + +Schaad & Turner Informational [Page 33] + diff --git a/const-oid/oiddbgen/rfc7107.txt b/const-oid/oiddbgen/rfc7107.txt new file mode 100644 index 000000000..7fe57dcda --- /dev/null +++ b/const-oid/oiddbgen/rfc7107.txt @@ -0,0 +1,1011 @@ + + + + + + +Internet Engineering Task Force (IETF) R. Housley +Request for Comments: 7107 Vigil Security +Category: Informational January 2014 +ISSN: 2070-1721 + + + Object Identifier Registry for the S/MIME Mail Security Working Group + +Abstract + + When the S/MIME Mail Security Working Group was chartered, an object + identifier arc was donated by RSA Data Security for use by that + working group. This document describes the object identifiers that + were assigned in that donated arc, transfers control of that arc to + IANA, and establishes IANA allocation policies for any future + assignments within that arc. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7107. + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + +Housley Informational [Page 1] + +RFC 7107 S/MIME OID Registry January 2014 + + +Table of Contents + + 1. Introduction ....................................................2 + 2. Subordinate Object Identifier Arcs ..............................3 + 3. IANA Considerations .............................................4 + 3.1. Update to "SMI Security for Mechanism Codes" Registry ......4 + 3.2. "SMI Security for S/MIME Mail Security" Registry ...........4 + 3.3. "SMI Security for S/MIME Module Identifier" Registry .......5 + 3.4. "SMI Security for S/MIME CMS Content Type" Registry ........6 + 3.5. "SMI Security for S/MIME Attributes" Registry ..............7 + 3.6. "SMI Security for S/MIME Algorithms" Registry ..............9 + 3.7. "SMI Security for S/MIME Certificate Distribution + Mechanisms" Registry .......................................9 + 3.8. "SMI Security for S/MIME Signature Policy + Qualifier" Registry .......................................10 + 3.9. "SMI Security for S/MIME Commitment Type + Identifier" Registry ......................................10 + 3.10. "SMI Security for S/MIME Test Security Policies" + Registry .................................................10 + 3.11. "SMI Security for S/MIME Control Attributes for + Symmetric Key Distribution" Registry .....................11 + 3.12. "SMI Security for S/MIME Signature Type + Identifiers" Registry ....................................11 + 3.13. "SMI Security for S/MIME X.400 Encoded Information + Types (EIT) for S/MIME objects" Registry .................12 + 3.14. "SMI Security for S/MIME Capabilities (other than + cryptographic algorithms)" Registry ......................12 + 3.15. "SMI Security for S/MIME Portable Symmetric Key + Container (PSKC) Attributes" Registry ....................12 + 4. Security Considerations ........................................13 + 5. References .....................................................13 + 5.1. Normative References ......................................13 + 5.2. Informative References ....................................14 + 6. Acknowledgements ...............................................18 + +1. Introduction + + When the S/MIME Mail Security Working Group was chartered, an object + identifier arc was donated by RSA Data Security for use by that + working group. These object identifiers are primarily used with + Abstract Syntax Notation One (ASN.1) [ASN1-88] [ASN1-08]. The ASN.1 + specifications continue to evolve, but object identifiers can be used + with any and all versions of ASN.1. + + The S/MIME object identifier arc is: + + id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } + + + +Housley Informational [Page 2] + +RFC 7107 S/MIME OID Registry January 2014 + + + This document describes the object identifiers that were assigned in + that donated arc, transfers control of that arc to IANA, and + establishes IANA allocation policies for any future assignments + within that arc. + +2. Subordinate Object Identifier Arcs + + Thirteen subordinate object identifier arcs were used, numbered from + zero to twelve. They were assigned as follows: + + -- ASN.1 modules + id-mod OBJECT IDENTIFIER ::= { id-smime 0 } + + -- Cryptographic Message Syntax (CMS) content types + id-ct OBJECT IDENTIFIER ::= { id-smime 1 } + + -- attributes + id-aa OBJECT IDENTIFIER ::= { id-smime 2 } + + -- algorithm identifiers + id-alg OBJECT IDENTIFIER ::= { id-smime 3 } + + -- certificate distribution + id-cd OBJECT IDENTIFIER ::= { id-smime 4 } + + -- signature policy qualifier + id-spq OBJECT IDENTIFIER ::= { id-smime 5 } + + -- commitment type identifier + id-cti OBJECT IDENTIFIER ::= { id-smime 6 } + + -- test security policies + id-tsp OBJECT IDENTIFIER ::= { id-smime 7 } + + -- symmetric key distribution control attributes + id-skd OBJECT IDENTIFIER ::= { id-smime 8 } + + -- signature type identifier + id-sti OBJECT IDENTIFIER ::= { id-smime 9 } + + -- encoded information types + id-eit OBJECT IDENTIFIER ::= { id-smime 10 } + + -- S/MIME capabilities + id-cap OBJECT IDENTIFIER ::= { id-smime 11 } + + -- PSKC attributes + id-pskc OBJECT IDENTIFIER ::= { id-smime 12 } + + + +Housley Informational [Page 3] + +RFC 7107 S/MIME OID Registry January 2014 + + + The values assigned in each of these subordinate object identifier + arcs are discussed in the next section. + +3. IANA Considerations + + IANA is asked to update one registry table and create fourteen + additional tables. + + Updates to the new tables require both Specification Required and + Expert Review as defined in [RFC5226]. The expert is expected to + ensure that any new values are strongly related to the work that was + done by the S/MIME Mail Security Working Group; examples include + content types, attributes, and identifiers for algorithms used with + S/MIME and CMS. Object identifiers for other purposes should not be + assigned in this arc. + +3.1. Update to "SMI Security for Mechanism Codes" Registry + + The "SMI Security for Mechanism Codes" table generally contains + entries with a positive integer value, but the value donated by RSA + Data Security cannot be described in this manner. An accompanying + table is needed with this entry: + + OID Value Name Description References + --------------------- ----- --------------------- ---------- + 1.2.840.113549.1.9.16 smime S/MIME Mail Security This RFC + +3.2. "SMI Security for S/MIME Mail Security" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME Mail + Security (1.2.840.113549.1.9.16)" table with three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 0 Module identifiers This RFC + 1 CMS content types This RFC + 2 Attributes This RFC + 3 Algorithm identifiers This RFC + 4 Certificate distribution This RFC + 5 Signature policy qualifiers This RFC + 6 Commitment type identifiers This RFC + 7 Test security policies This RFC + 8 Symmetric key dist ctrl attrs This RFC + 9 Signature type identifiers This RFC + 10 Encoded information types This RFC + 11 S/MIME capabilities This RFC + 12 PSKC attributes This RFC + + + + +Housley Informational [Page 4] + +RFC 7107 S/MIME OID Registry January 2014 + + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +3.3. "SMI Security for S/MIME Module Identifier" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Module Identifier (1.2.840.113549.1.9.16.0)" table with three + columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-mod-cms [RFC2630] + 2 id-mod-ess [RFC2634] + 3 id-mod-oid Reserved and Obsolete + 4 id-mod-msg-v3 [RFC2633] + 5 id-mod-ets-eSignature-88 [RFC3126] + 6 id-mod-ets-eSignature-97 [RFC3126] + 7 id-mod-ets-eSigPolicy-88 [RFC3125] + 8 id-mod-ets-eSigPolicy-97 [RFC3125] + 9 id-mod-certdist Reserved and Obsolete + 10 id-mod-domsec [RFC3183] + 11 id-mod-compress [RFC3274] + 12 id-mod-symkeydist [RFC5275] + 13 id-mod-cek-reuse [RFC3185] + 14 id-mod-cms-2001 [RFC3369] + 15 id-mod-v1AttrCert [RFC3369] + 16 id-mod-cmsalg-2001 [RFC3370] + 17 id-mod-cms-pwri-88 [RFC3211] + 18 id-mod-cms-pwri-97 [RFC3211] + 19 id-mod-cms-aes [RFC3565] + 20 id-mod-cms-rsaes-oaep [RFC3560] + 21 id-mod-msg-v3dot1 [RFC3851] + 22 id-mod-cms-firmware-wrap [RFC4108] + 23 id-mod-cms-camellia [RFC3657] + 24 id-mod-cms-2004 [RFC3852] + 25 id-mod-cms-seed [Err3865] + 26 id-mod-contentCollection [RFC4073] + 27 id-mod-binarySigningTime [RFC4049] + 28 id-mod-ets-eSignature-explicitSyntax88 [RFC5126] + 29 id-mod-ets-eSignature-explicitSyntax97 [RFC5126] + 30 id-mod-ess-2006 [RFC5035] + 31 id-mod-cms-authEnvelopedData [RFC5083] + 32 id-mod-cms-aes-ccm-and-gcm [RFC5084] + 33 id-mod-symmetricKeyPkgV1 [RFC6031] + 34 id-mod-multipleSig-2008 [RFC5752] + 35 id-mod-timestampedData [RFC5544] + 36 id-mod-symkeydist-02 [RFC5911] + 37 id-mod-cmsalg-2001-02 [RFC5911] + + + +Housley Informational [Page 5] + +RFC 7107 S/MIME OID Registry January 2014 + + + 38 id-mod-cms-aes-02 [RFC5911] + 39 id-mod-msg-v3dot1-02 [RFC5911] + 40 id-mod-cms-firmware-wrap-02 [RFC5911] + 41 id-mod-cms-2004-02 [RFC5911] + 42 id-mod-ess-2006-02 [RFC5911] + 43 id-mod-cms-authEnvelopedData-02 [RFC5911] + 44 id-mod-cms-aes-ccm-gcm-02 [RFC5911] + 45 id-mod-cms-ecc-alg-2009-88 [RFC5753] + 46 id-mod-cms-ecc-alg-2009-02 [RFC5753] + 47 id-mod-aesKeyWrapWithPad-88 [RFC5649] + 48 id-mod-aesKeyWrapWithPad-02 [RFC5649] + 49 id-mod-MD5-XOR-EXPERIMENT [Err3866] + 50 id-mod-asymmetricKeyPkgV1 [RFC5958] + 51 id-mod-encryptedKeyPkgV1 [RFC6032] + 52 id-mod-cms-algorithmProtect [RFC6211] + 53 id-mod-pskcAttributesModule [RFC6031] + 54 id-mod-compressedDataContent [RFC6268] + 55 id-mod-binSigningTime-2009 [RFC6268] + 56 id-mod-contentCollect-2009 [RFC6268] + 57 id-mod-cmsAuthEnvData-2009 [RFC6268] + 58 id-mod-cms-2009 [RFC6268] + 59 id-mod-multipleSign-2009 [RFC6268] + 60 id-mod-rpkiManifest [RFC6486] + 61 id-mod-rpkiROA [RFC6482] + 62 id-mod-setKeyAttributeV1 [SET-KEY] + 63 id-mod-keyPkgReceiptAndErrV2 [CMS-TYPES] + 64 id-mod-mts-hashsig-2013 [MTS-in-CMS] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +3.4. "SMI Security for S/MIME CMS Content Type" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME CMS + Content Type (1.2.840.113549.1.9.16.1)" table with three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 0 id-ct-anyContentType [RFC6010] + 1 id-ct-receipt [RFC2634] + 2 id-ct-authData [RFC2630] + 3 id-ct-publishCert Reserved and Obsolete + 4 id-ct-TSTInfo [RFC3161] + 5 id-ct-TDTInfo Reserved and Obsolete + 6 id-ct-contentInfo [RFC2630] + 7 id-ct-DVCSRequestData [RFC3029] + 8 id-ct-DVCSResponseData [RFC3029] + 9 id-ct-compressedData [RFC3274] + + + +Housley Informational [Page 6] + +RFC 7107 S/MIME OID Registry January 2014 + + + 10 id-ct-scvp-certValRequest [RFC5055] + 11 id-ct-scvp-certValResponse [RFC5055] + 12 id-ct-scvp-valPolRequest [RFC5055] + 13 id-ct-scvp-valPolResponse [RFC5055] + 14 id-ct-attrCertEncAttrs [RFC5755] + 15 id-ct-TSReq Reserved and Obsolete + 16 id-ct-firmwarePackage [RFC4108] + 17 id-ct-firmwareLoadReceipt [RFC4108] + 18 id-ct-firmwareLoadError [RFC4108] + 19 id-ct-contentCollection [RFC4073] + 20 id-ct-contentWithAttrs [RFC4073] + 21 id-ct-encKeyWithID [RFC4211] + 22 id-ct-encPEPSI Reserved and Obsolete + 23 id-ct-authEnvelopedData [RFC5083] + 24 id-ct-routeOriginAuthz [RFC6482] + 25 id-ct-KP-sKeyPackage [RFC6031] + 26 id-ct-rpkiManifest [RFC6486] + 27 id-ct-asciiTextWithCRLF [RFC5485] + 28 id-ct-xml [RFC5485] + 29 id-ct-pdf [RFC5485] + 30 id-ct-postscript [RFC5485] + 31 id-ct-timestampedData [RFC5544] + 32 id-ct-ASAdjacencyAttest Reserved and Obsolete + 33 id-ct-rpkiTrustAnchor Reserved and Obsolete + 34 id-ct-trustAnchorList [RFC5914] + 35 id-ct-rpkiGhostbusters [RFC6493] + 36 id-ct-resourceTaggedAttest Reserved and Obsolete + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +3.5. "SMI Security for S/MIME Attributes" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Attributes (1.2.840.113549.1.9.16.2)" table with three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-aa-receiptRequest [RFC2634] + 2 id-aa-securityLabel [RFC2634] + 3 id-aa-mlExpandHistory [RFC2634] + 4 id-aa-contentHint [RFC2634] + 5 id-aa-msgSigDigest [RFC2634] + 6 id-aa-encapContentType Reserved and Obsolete + 7 id-aa-contentIdentifier [RFC2634] + 8 id-aa-macValue Reserved and Obsolete + 9 id-aa-equivalentLabels [RFC2634] + 10 id-aa-contentReference [RFC2634] + + + +Housley Informational [Page 7] + +RFC 7107 S/MIME OID Registry January 2014 + + + 11 id-aa-encrypKeyPref [RFC2633] + 12 id-aa-signingCertificate [RFC2634] + 13 id-aa-smimeEncryptCerts Reserved and Obsolete + 14 id-aa-signatureTimeStampToken [RFC3126] + 15 id-aa-ets-sigPolicyId [RFC3126] + 16 id-aa-ets-commitmentType [RFC3126] + 17 id-aa-ets-signerLocation [RFC3126] + 18 id-aa-ets-signerAttr [RFC3126] + 19 id-aa-ets-otherSigCert [RFC3126] + 20 id-aa-ets-contentTimestamp [RFC3126] + 21 id-aa-ets-CertificateRefs [RFC3126] + 22 id-aa-ets-RevocationRefs [RFC3126] + 23 id-aa-ets-certValues [RFC3126] + 24 id-aa-ets-revocationValues [RFC3126] + 25 id-aa-ets-escTimeStamp [RFC3126] + 26 id-aa-ets-certCRLTimestamp [RFC3126] + 27 id-aa-ets-archiveTimeStamp [RFC3126] + 28 id-aa-signatureType [Err3757] + 29 id-aa-dvcs-dvc [RFC3029] + 30 id-aa-CEKReference [RFC3185] + 31 id-aa-CEKMaxDecrypts [RFC3185] + 32 id-aa-KEKDerivationAlg [RFC3185] + 33 id-aa-intendedRecipients Reserved and Obsolete + 34 id-aa-cmc-unsignedData [RFC5272] + 35 id-aa-firmwarePackageID [RFC4108] + 36 id-aa-targetHardwareIDs [RFC4108] + 37 id-aa-decryptKeyID [RFC4108] + 38 id-aa-implCryptoAlgs [RFC4108] + 39 id-aa-wrappedFirmwareKey [RFC4108] + 40 id-aa-communityIdentifiers [RFC4108] + 41 id-aa-fwPkgMessageDigest [RFC4108] + 42 id-aa-firmwarePackageInfo [RFC4108] + 43 id-aa-implCompressAlgs [RFC4108] + 44 id-aa-ets-attrCertificateRefs [RFC5126] + 45 id-aa-ets-attrRevocationRefs [RFC5126] + 46 id-aa-binarySigningTime [RFC4049] + 47 id-aa-signingCertificateV2 [RFC5035] + 48 id-aa-ets-archiveTimeStampV2 [RFC5126] + 49 id-aa-er-internal [RFC4998] + 50 id-aa-er-external [RFC4998] + 51 id-aa-multipleSignatures [RFC5752] + 52 id-aa-cmsAlgorithmProtect [RFC6211] + 53 id-aa-setKeyInformation [SET-KEY] + 54 id-aa-asymmDecryptKeyID [RFC7030] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + + + + +Housley Informational [Page 8] + +RFC 7107 S/MIME OID Registry January 2014 + + +3.6. "SMI Security for S/MIME Algorithms" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Algorithms (1.2.840.113549.1.9.16.3)" table with three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-alg-ESDHwith3DES Reserved and Obsolete + 2 id-alg-ESDHwithRC2 Reserved and Obsolete + 3 id-alg-3DESwrap Reserved and Obsolete + 4 id-alg-RC2wrap Reserved and Obsolete + 5 id-alg-ESDH [RFC2630] + 6 id-alg-CMS3DESwrap [RFC2630] + 7 id-alg-CMSRC2wrap [RFC2630] + 8 id-alg-zLibCompress [RFC3274] + 9 id-alg-PWRI-KEK [RFC3211] + 10 id-alg-SSDH [RFC3370] + 11 id-alg-HMACwith3DESwrap [RFC3537] + 12 id-alg-HMACwithAESwrap [RFC3537] + 13 id-alg-MD5-XOR-EXPERIMENT [RFC6210] + 14 id-alg-rsa-kem [RFC5990] + 15 id-alg-authEnc-128 [RFC6476] + 16 id-alg-authEnc-256 [RFC6476] + 17 id-alg-mts-hashsig [MTS-in-CMS] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +3.7. "SMI Security for S/MIME Certificate Distribution Mechanisms" + Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Certificate Distribution Mechanisms (1.2.840.113549.1.9.16.4)" table + with three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-cd-ldap Reserved and Obsolete + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + + + + + + + + + + +Housley Informational [Page 9] + +RFC 7107 S/MIME OID Registry January 2014 + + +3.8. "SMI Security for S/MIME Signature Policy Qualifier" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Signature Policy Qualifier (1.2.840.113549.1.9.16.5)" table with + three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-spq-ets-uri [RFC3126] + 2 id-spq-ets-unotice [RFC3126] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +3.9. "SMI Security for S/MIME Commitment Type Identifier" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Commitment Type Identifier (1.2.840.113549.1.9.16.6)" table with + three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-cti-ets-proofOfOrigin [RFC3126] + 2 id-cti-ets-proofOfReceipt [RFC3126] + 3 id-cti-ets-proofOfDelivery [RFC3126] + 4 id-cti-ets-proofOfSender [RFC3126] + 5 id-cti-ets-proofOfApproval [RFC3126] + 6 id-cti-ets-proofOfCreation [RFC3126] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +3.10. "SMI Security for S/MIME Test Security Policies" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME Test + Security Policies (1.2.840.113549.1.9.16.7)" table with three + columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-tsp-TEST-Amoco [RFC3114] + 2 id-tsp-TEST-Caterpillar [RFC3114] + 3 id-tsp-TEST-Whirlpool [RFC3114] + 4 id-tsp-TEST-Whirlpool-Categories [RFC3114] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + + + + +Housley Informational [Page 10] + +RFC 7107 S/MIME OID Registry January 2014 + + +3.11. "SMI Security for S/MIME Control Attributes for Symmetric Key + Distribution" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Control Attributes for Symmetric Key Distribution + (1.2.840.113549.1.9.16.8)" table with three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-skd-glUseKEK [RFC5275] + 2 id-skd-glDelete [RFC5275] + 3 id-skd-glAddMember [RFC5275] + 4 id-skd-glDeleteMember [RFC5275] + 5 id-skd-glRekey [RFC5275] + 6 id-skd-glAddOwner [RFC5275] + 7 id-skd-glRemoveOwner [RFC5275] + 8 id-skd-glKeyCompromise [RFC5275] + 9 id-skd-glkRefresh [RFC5275] + 10 id-skd-glFailInfo Reserved and Obsolete + 11 id-skd-glaQueryRequest [RFC5275] + 12 id-skd-glaQueryResponse [RFC5275] + 13 id-skd-glProvideCert [RFC5275] + 14 id-skd-glManageCert [RFC5275] + 15 id-skd-glKey [RFC5275] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +3.12. "SMI Security for S/MIME Signature Type Identifiers" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Signature Type Identifiers (1.2.840.113549.1.9.16.9)" table with + three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-sti-originatorSig [RFC3183] + 2 id-sti-domainSig [RFC3183] + 3 id-sti-addAttribSig [RFC3183] + 4 id-sti-reviewSig [RFC3183] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + + + + + + + + +Housley Informational [Page 11] + +RFC 7107 S/MIME OID Registry January 2014 + + +3.13. "SMI Security for S/MIME X.400 Encoded Information Types (EIT) + for S/MIME objects" Registry + + Within the SMI-numbers registry, add an "SMI Security for X.400 + Encoded Information Types (EIT) for S/MIME objects + (1.2.840.113549.1.9.16.10)" table with three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-eit-envelopedData [RFC3855] + 2 id-eit-signedData [RFC3855] + 3 id-eit-certsOnly [RFC3855] + 4 id-eit-signedReceipt [RFC3855] + 5 id-eit-envelopedX400 [RFC3855] + 6 id-eit-signedX400 [RFC3855] + 7 id-eit-compressedData [RFC3855] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +3.14. "SMI Security for S/MIME Capabilities (other than cryptographic + algorithms)" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Capabilities (other than cryptographic algorithms) + (1.2.840.113549.1.9.16.11)" table with three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-cap-preferBinaryInside [RFC3851] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +3.15. "SMI Security for S/MIME Portable Symmetric Key Container (PSKC) + Attributes" Registry + + Within the SMI-numbers registry, add an "SMI Security for S/MIME + Portable Symmetric Key Container (PSKC) Attributes + (1.2.840.113549.1.9.16.12)" table with three columns: + + Decimal Description References + ------- -------------------------------------- ---------- + 1 id-pskc-manufacturer [RFC6031] + 2 id-pskc-serialNo [RFC6031] + 3 id-pskc-model [RFC6031] + 4 id-pskc-issueNo [RFC6031] + 5 id-pskc-deviceBinding [RFC6031] + + + +Housley Informational [Page 12] + +RFC 7107 S/MIME OID Registry January 2014 + + + 6 id-pskc-deviceStartDate [RFC6031] + 7 id-pskc-deviceExpiryDate [RFC6031] + 8 id-pskc-moduleId [RFC6031] + 9 id-pskc-keyId [RFC6031] + 10 id-pskc-algorithm [RFC6031] + 11 id-pskc-issuer [RFC6031] + 12 id-pskc-keyProfileId [RFC6031] + 13 id-pskc-keyReference [RFC6031] + 14 id-pskc-friendlyName [RFC6031] + 15 id-pskc-algorithmParams [RFC6031] + 16 id-pskc-counter [RFC6031] + 17 id-pskc-time [RFC6031] + 18 id-pskc-timeInterval [RFC6031] + 19 id-pskc-timeDrift [RFC6031] + 20 id-pskc-valueMAC [RFC6031] + 21 id-pskc-keyStartDate [RFC6031] + 22 id-pskc-keyExpiryDate [RFC6031] + 23 id-pskc-noOfTransactions [RFC6031] + 24 id-pskc-keyUsages [RFC6031] + 25 id-pskc-pinPolicy [RFC6031] + 26 id-pskc-deviceUserId [RFC6031] + 27 id-pskc-keyUserId [RFC6031] + + Future updates to this table require both Specification Required and + Expert Review as defined in [RFC5226]. + +4. Security Considerations + + This document populates an IANA registry, and it raises no new + security considerations. The protocols that specify these values + include the security considerations associated with their usage. + +5. References + +5.1. Normative References + + [ASN1-08] International Telecommunication Union, "Abstract Syntax + Notation One (ASN.1): Specification of basic notation", + ITU-T Recommendation X.680, 2008. + + [ASN1-88] International Telephone and Telegraph Consultative + Committee, "Specification of Abstract Syntax Notation + One (ASN.1)", CCITT Recommendation X.208, 1988. + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 5226, + May 2008. + + + + +Housley Informational [Page 13] + +RFC 7107 S/MIME OID Registry January 2014 + + +5.2. Informative References + + [CMS-TYPES] Housley, R., "Cryptographic Message Syntax (CMS) Key + Package Receipt and Error Content Types", Work in + Progress, December 2013. + + [Err3757] RFC Errata, Errata ID 3757, RFC 3183, + . + + [Err3865] RFC Errata, Errata ID 3865, RFC 4010, + . + + [Err3866] RFC Errata, Errata ID 3866, RFC 6210, + . + + [MTS-in-CMS] Housley, R., "Use of the Hash-based Merkle Tree + Signature (MTS) Algorithm in the Cryptographic Message + Syntax (CMS)", Work in Progress, August 2013. + + [RFC2630] Housley, R., "Cryptographic Message Syntax", RFC 2630, + June 1999. + + [RFC2633] Ramsdell, B., Ed., "S/MIME Version 3 Message + Specification", RFC 2633, June 1999. + + [RFC2634] Hoffman, P., Ed., "Enhanced Security Services for + S/MIME", RFC 2634, June 1999. + + [RFC3029] Adams, C., Sylvester, P., Zolotarev, M., and R. + Zuccherato, "Internet X.509 Public Key Infrastructure + Data Validation and Certification Server Protocols", + RFC 3029, February 2001. + + [RFC3114] Nicolls, W., "Implementing Company Classification Policy + with the S/MIME Security Label", RFC 3114, May 2002. + + [RFC3125] Ross, J., Pinkas, D., and N. Pope, "Electronic Signature + Policies", RFC 3125, September 2001. + + [RFC3126] Pinkas, D., Ross, J., and N. Pope, "Electronic Signature + Formats for long term electronic signatures", RFC 3126, + September 2001. + + [RFC3161] Adams, C., Cain, P., Pinkas, D., and R. Zuccherato, + "Internet X.509 Public Key Infrastructure Time-Stamp + Protocol (TSP)", RFC 3161, August 2001. + + + + + +Housley Informational [Page 14] + +RFC 7107 S/MIME OID Registry January 2014 + + + [RFC3183] Dean, T. and W. Ottaway, "Domain Security Services using + S/MIME", RFC 3183, October 2001. + + [RFC3185] Farrell, S. and S. Turner, "Reuse of CMS Content + Encryption Keys", RFC 3185, October 2001. + + [RFC3211] Gutmann, P., "Password-based Encryption for CMS", + RFC 3211, December 2001. + + [RFC3274] Gutmann, P., "Compressed Data Content Type for + Cryptographic Message Syntax (CMS)", RFC 3274, June + 2002. + + [RFC3369] Housley, R., "Cryptographic Message Syntax (CMS)", + RFC 3369, August 2002. + + [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) + Algorithms", RFC 3370, August 2002. + + [RFC3537] Schaad, J. and R. Housley, "Wrapping a Hashed Message + Authentication Code (HMAC) key with a Triple-Data + Encryption Standard (DES) Key or an Advanced Encryption + Standard (AES) Key", RFC 3537, May 2003. + + [RFC3560] Housley, R., "Use of the RSAES-OAEP Key Transport + Algorithm in Cryptographic Message Syntax (CMS)", + RFC 3560, July 2003. + + [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard + (AES) Encryption Algorithm in Cryptographic Message + Syntax (CMS)", RFC 3565, July 2003. + + [RFC3657] Moriai, S. and A. Kato, "Use of the Camellia Encryption + Algorithm in Cryptographic Message Syntax (CMS)", + RFC 3657, January 2004. + + [RFC3851] Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail + Extensions (S/MIME) Version 3.1 Message Specification", + RFC 3851, July 2004. + + [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", + RFC 3852, July 2004. + + [RFC3855] Hoffman, P. and C. Bonatti, "Transporting + Secure/Multipurpose Internet Mail Extensions (S/MIME) + Objects in X.400", RFC 3855, July 2004. + + + + + +Housley Informational [Page 15] + +RFC 7107 S/MIME OID Registry January 2014 + + + [RFC4049] Housley, R., "BinaryTime: An Alternate Format for + Representing Date and Time in ASN.1", RFC 4049, + April 2005. + + [RFC4073] Housley, R., "Protecting Multiple Contents with the + Cryptographic Message Syntax (CMS)", RFC 4073, May 2005. + + [RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) + to Protect Firmware Packages", RFC 4108, August 2005. + + [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure + Certificate Request Message Format (CRMF)", RFC 4211, + September 2005. + + [RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, "Evidence + Record Syntax (ERS)", RFC 4998, August 2007. + + [RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update: + Adding CertID Algorithm Agility", RFC 5035, August 2007. + + [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and + W. Polk, "Server-Based Certificate Validation Protocol + (SCVP)", RFC 5055, December 2007. + + [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) + Authenticated-Enveloped-Data Content Type", RFC 5083, + November 2007. + + [RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated + Encryption in the Cryptographic Message Syntax (CMS)", + RFC 5084, November 2007. + + [RFC5126] Pinkas, D., Pope, N., and J. Ross, "CMS Advanced + Electronic Signatures (CAdES)", RFC 5126, March 2008. + + [RFC5272] Schaad, J. and M. Myers, "Certificate Management over + CMS (CMC)", RFC 5272, June 2008. + + [RFC5275] Turner, S., "CMS Symmetric Key Management and + Distribution", RFC 5275, June 2008. + + [RFC5485] Housley, R., "Digital Signatures on Internet-Draft + Documents", RFC 5485, March 2009. + + [RFC5544] Santoni, A., "Syntax for Binding Documents with Time- + Stamps", RFC 5544, February 2010. + + + + + +Housley Informational [Page 16] + +RFC 7107 S/MIME OID Registry January 2014 + + + [RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption + Standard (AES) Key Wrap with Padding Algorithm", + RFC 5649, September 2009. + + [RFC5752] Turner, S. and J. Schaad, "Multiple Signatures in + Cryptographic Message Syntax (CMS)", RFC 5752, + January 2010. + + [RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve + Cryptography (ECC) Algorithms in Cryptographic Message + Syntax (CMS)", RFC 5753, January 2010. + + [RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet + Attribute Certificate Profile for Authorization", + RFC 5755, January 2010. + + [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for + Cryptographic Message Syntax (CMS) and S/MIME", + RFC 5911, June 2010. + + [RFC5914] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor + Format", RFC 5914, June 2010. + + [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, + August 2010. + + [RFC5990] Randall, J., Kaliski, B., Brainard, J., and S. Turner, + "Use of the RSA-KEM Key Transport Algorithm in the + Cryptographic Message Syntax (CMS)", RFC 5990, + September 2010. + + [RFC6010] Housley, R., Ashmore, S., and C. Wallace, "Cryptographic + Message Syntax (CMS) Content Constraints Extension", + RFC 6010, September 2010. + + [RFC6031] Turner, S. and R. Housley, "Cryptographic Message Syntax + (CMS) Symmetric Key Package Content Type", RFC 6031, + December 2010. + + [RFC6032] Turner, S. and R. Housley, "Cryptographic Message Syntax + (CMS) Encrypted Key Package Content Type", RFC 6032, + December 2010. + + [RFC6210] Schaad, J., "Experiment: Hash Functions with Parameters + in the Cryptographic Message Syntax (CMS) and S/MIME", + RFC 6210, April 2011. + + + + + +Housley Informational [Page 17] + +RFC 7107 S/MIME OID Registry January 2014 + + + [RFC6211] Schaad, J., "Cryptographic Message Syntax (CMS) + Algorithm Identifier Protection Attribute", RFC 6211, + April 2011. + + [RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules + for the Cryptographic Message Syntax (CMS) and the + Public Key Infrastructure Using X.509 (PKIX)", RFC 6268, + July 2011. + + [RFC6476] Gutmann, P., "Using Message Authentication Code (MAC) + Encryption in the Cryptographic Message Syntax (CMS)", + RFC 6476, January 2012. + + [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for + Route Origin Authorizations (ROAs)", RFC 6482, February + 2012. + + [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, + "Manifests for the Resource Public Key Infrastructure + (RPKI)", RFC 6486, February 2012. + + [RFC6493] Bush, R., "The Resource Public Key Infrastructure (RPKI) + Ghostbusters Record", RFC 6493, February 2012. + + [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., + "Enrollment over Secure Transport", RFC 7030, October + 2013. + + [SET-KEY] Herzog, J. and R. Khazan, "A set-key attribute for + symmetric-key packages", Work in Progress, October 2012. + +6. Acknowledgements + + Many thanks to Suresh Krishnan, Jim Schaad, Sean Turner, and Carl + Wallace for their careful review and comments. + +Author's Address + + Russ Housley + 918 Spring Knoll Drive + Herndon, VA 20170 + USA + + EMail: housley@vigilsec.com + + + + + + + +Housley Informational [Page 18] + diff --git a/const-oid/oiddbgen/rfc7299.txt b/const-oid/oiddbgen/rfc7299.txt new file mode 100644 index 000000000..7f691ecdf --- /dev/null +++ b/const-oid/oiddbgen/rfc7299.txt @@ -0,0 +1,1683 @@ + + + + + + +Internet Engineering Task Force (IETF) R. Housley +Request for Comments: 7299 Vigil Security +Category: Informational July 2014 +ISSN: 2070-1721 + + + Object Identifier Registry for the PKIX Working Group + +Abstract + + When the Public-Key Infrastructure using X.509 (PKIX) Working Group + was chartered, an object identifier arc was allocated by IANA for use + by that working group. This document describes the object + identifiers that were assigned in that arc, returns control of that + arc to IANA, and establishes IANA allocation policies for any future + assignments within that arc. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7299. + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + +Housley Informational [Page 1] + +RFC 7299 PKIX OID Registry July 2014 + + +Table of Contents + + 1. Introduction ....................................................3 + 2. Subordinate Object Identifier Arcs ..............................3 + 3. IANA Considerations .............................................6 + 3.1. Update to "SMI Security for Mechanism Codes" Registry ......6 + 3.2. "SMI Security for PKIX" Registry ...........................6 + 3.3. "SMI Security for PKIX Module Identifier" Registry .........7 + 3.4. "SMI Security for PKIX Certificate Extension" Registry .....9 + 3.5. "SMI Security for PKIX Policy Qualifier" Registry .........10 + 3.6. "SMI Security for PKIX Extended Key Purpose" Registry .....10 + 3.7. "SMI Security for PKIX CMP Information Types" Registry ....11 + 3.8. "SMI Security for PKIX CRMF Registration" Registry ........12 + 3.9. "SMI Security for PKIX CRMF Registration Controls" + Registry ..................................................12 + 3.10. "SMI Security for PKIX CRMF Registration + Information" Registry ....................................12 + 3.11. "SMI Security for PKIX Algorithms" Registry ..............13 + 3.12. "SMI Security for PKIX CMC Controls" Registry ............13 + 3.13. "SMI Security for PKIX CMC GLA Requests and + Responses" Registry ......................................14 + 3.14. "SMI Security for PKIX Other Name Forms" Registry ........15 + 3.15. "SMI Security for PKIX Personal Data Attributes" + Registry .................................................15 + 3.16. "SMI Security for PKIX Attribute Certificate + Attributes" Registry .....................................16 + 3.17. "SMI Security for PKIX Qualified Certificate + Statements" Registry .....................................16 + 3.18. "SMI Security for PKIX CMC Content Types" Registry .......16 + 3.19. "SMI Security for PKIX OIDs Used Only for + Testing" Registry ........................................17 + 3.20. "SMI Security for PKIX Certificate Policies" Registry ....17 + 3.21. "SMI Security for PKIX CMC Error Types" Registry .........17 + 3.22. "SMI Security for PKIX Revocation Information + Types" Registry ..........................................18 + 3.23. "SMI Security for PKIX SCVP Check Types" Registry ........18 + 3.24. "SMI Security for PKIX SCVP Want Back Types" Registry ....19 + 3.25. "SMI Security for PKIX SCVP Validation Policies + and Algorithms" Registry .................................20 + 3.26. "SMI Security for PKIX SCVP Name Validation + Policy Errors" Registry ..................................20 + 3.27. "SMI Security for PKIX SCVP Basic Validation + Policy Errors" Registry ..................................21 + 3.28. "SMI Security for PKIX SCVP Distinguished Name + Validation Policy Errors" Registry .......................21 + 3.29. "SMI Security for PKIX Other Logotype + Identifiers" Registry ....................................22 + + + + +Housley Informational [Page 2] + +RFC 7299 PKIX OID Registry July 2014 + + + 3.30. "SMI Security for PKIX Proxy Certificate Policy + Languages" Registry ......................................22 + 3.31. "SMI Security for PKIX Proxy Matching Rules" Registry ....22 + 3.32. "SMI Security for PKIX Subject Key Identifier + Semantics" Registry ......................................23 + 3.33. "SMI Security for PKIX Access Descriptor" Registry .......23 + 3.34. "SMI Security for PKIX Online Certificate Status + Protocol (OCSP)" Registry ................................24 + 4. Security Considerations ........................................24 + 5. References .....................................................25 + 5.1. Normative References ......................................25 + 5.2. Informative References ....................................25 + Acknowledgements ..................................................30 + +1. Introduction + + When the Public-Key Infrastructure using X.509 (PKIX) Working Group + was chartered, an object identifier arc was allocated by IANA for use + by that working group. These object identifiers are primarily used + with Abstract Syntax Notation One (ASN.1) [ASN1-88] [ASN1-97] + [ASN1-08]. The ASN.1 specifications continue to evolve, but object + identifiers can be used with any and all versions of ASN.1. + + The PKIX object identifier arc is: + + id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) } + + This document describes the object identifiers that were assigned in + the PKIX arc, returns control of the PKIX arc to IANA, and + establishes IANA allocation policies for any future assignments + within the PKIX arc. + +2. Subordinate Object Identifier Arcs + + Twenty-five subordinate object identifier arcs were used, numbered + from 0 to 23 and 48. In addition, there are seven subordinate arcs. + They were assigned as follows: + + -- Module identifiers + id-mod OBJECT IDENTIFIER ::= { id-pkix 0 } + + -- PKIX certificate extensions + id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } + + -- Policy qualifier types + id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } + + + + +Housley Informational [Page 3] + +RFC 7299 PKIX OID Registry July 2014 + + + -- Extended key purpose identifiers + id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } + + -- CMP information types + id-it OBJECT IDENTIFIER ::= { id-pkix 4 } + + -- CRMF registration + id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 } + + -- CRMF registration controls + id-regCtrl OBJECT IDENTIFIER ::= { id-pkix 5 1 } + + -- CRMF registration information + id-regInfo OBJECT IDENTIFIER ::= { id-pkix 5 2 } + + -- Algorithms + id-alg OBJECT IDENTIFIER ::= { id-pkix 6 } + + -- CMC controls + id-cmc OBJECT IDENTIFIER ::= { id-pkix 7 } + + -- CMC GLA Requests and Responses + id-cmc-glaRR OBJECT IDENTIFIER ::= { id-pkix 7 99 } + + -- Other name forms + id-on OBJECT IDENTIFIER ::= { id-pkix 8 } + + -- Personal data attribute + id-pda OBJECT IDENTIFIER ::= { id-pkix 9 } + + -- Attribute certificate attributes + id-aca OBJECT IDENTIFIER ::= { id-pkix 10 } + + -- Qualified certificate statements + id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 } + + -- CMC content types + id-cct OBJECT IDENTIFIER ::= { id-pkix 12 } + + -- OIDs for TESTING ONLY + id-TEST OBJECT IDENTIFIER ::= { id-pkix 13 } + + -- Certificate policies + id-cp OBJECT IDENTIFIER ::= { id-pkix 14 } + + -- CMC error types + id-cet OBJECT IDENTIFIER ::= { id-pkix 15 } + + + + +Housley Informational [Page 4] + +RFC 7299 PKIX OID Registry July 2014 + + + -- Revocation information types + id-ri OBJECT IDENTIFIER ::= { id-pkix 16 } + + -- SCVP check type + id-sct OBJECT IDENTIFIER ::= { id-pkix 17 } + + -- SCVP want back types + id-swb OBJECT IDENTIFIER ::= { id-pkix 18 } + + -- SCVP validation policies + id-svp OBJECT IDENTIFIER ::= { id-pkix 19 } + + -- SCVP name validation policy errors + id-nvae OBJECT IDENTIFIER ::= { id-pkix 19 2 } + + -- SCVP basic validation policy errors + id-bvae OBJECT IDENTIFIER ::= { id-pkix 19 3 } + + -- SCVP distinguished name validation policy errors + id-dnvae OBJECT IDENTIFIER ::= { id-pkix 19 4 } + + -- Other logotype identifiers + id-logo OBJECT IDENTIFIER ::= { id-pkix 20 } + + -- Proxy certificate policy languages + id-ppl OBJECT IDENTIFIER ::= { id-pkix 21 } + + -- Matching rules + id-mr OBJECT IDENTIFIER ::= { id-pkix 22 } + + -- Subject key identifier semantics + id-skis OBJECT IDENTIFIER ::= { id-pkix 23 } + + -- Access descriptors + id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } + + -- Online Certificate Status Protocol + id-pkix-ocsp OBJECT IDENTIFIER ::= { id-pkix 48 1 } + + The values assigned in each of these subordinate object identifier + arcs are discussed in the next section. + + + + + + + + + + +Housley Informational [Page 5] + +RFC 7299 PKIX OID Registry July 2014 + + +3. IANA Considerations + + IANA has updated one registry table and created 33 additional tables. + + Updates to the new tables are to be made according to the + Specification Required policy as defined in [RFC5226]. The expert is + expected to ensure that any new values are strongly related to the + work that was done by the PKIX Working Group. That is, additional + object identifiers are to be related to X.509 certificates, X.509 + attribute certificates, X.509 certificate revocation lists (CRLs), or + protocols associated with them. Object identifiers for other + purposes should not be assigned in this arc. + +3.1. Update to "SMI Security for Mechanism Codes" Registry + + The reference for the Public Key Infrastructure using X.509 (PKIX) + entry (decimal value 7) has been updated to point to this document. + +3.2. "SMI Security for PKIX" Registry + + Within the SMI-numbers registry, a "PKIX (1.3.6.1.5.5.7)" table with + three columns has been added: + + Decimal Description References + ------- -------------------------------------- ---------- + 0 Module identifiers [RFC7299] + 1 PKIX certificate extensions [RFC7299] + 2 Policy qualifier types [RFC7299] + 3 Extended key purpose identifiers [RFC7299] + 4 CMP information types [RFC7299] + 5 CRMF registration [RFC7299] + 6 Algorithms [RFC7299] + 7 CMC controls [RFC7299] + 8 Other name forms [RFC7299] + 9 Personal data attribute [RFC7299] + 10 Attribute certificate attributes [RFC7299] + 11 Qualified certificate statements [RFC7299] + 12 CMC content types [RFC7299] + 13 OIDs for TESTING ONLY [RFC7299] + 14 Certificate policies [RFC7299] + 15 CMC error types [RFC7299] + 16 Revocation information types [RFC7299] + 17 SCVP check type [RFC7299] + 18 SCVP want back types [RFC7299] + 19 SCVP validation policies [RFC7299] + 20 Other logotype identifiers [RFC7299] + + + + + +Housley Informational [Page 6] + +RFC 7299 PKIX OID Registry July 2014 + + + 21 Proxy certificate policy languages [RFC7299] + 22 Matching rules [RFC7299] + 23 Subject key identifier semantics [RFC7299] + 48 Access descriptors [RFC7299] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.3. "SMI Security for PKIX Module Identifier" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Module + Identifier (1.3.6.1.5.5.7.0)" table with three columns has been + added: + + Decimal Description References + ------- ------------------------------- --------------------- + 1 id-pkix1-explicit-88 [RFC2459] + 2 id-pkix1-implicit-88 [RFC2459] + 3 id-pkix1-explicit-93 [RFC2459] + 4 id-pkix1-implicit-93 [RFC2459] + 5 id-mod-crmf [RFC2511] + 6 id-mod-cmc [RFC2797] + 7 id-mod-kea-profile-88 [RFC2528] + 8 id-mod-kea-profile-93 [RFC2528] + 9 id-mod-cmp [RFC2510] + 10 id-mod-qualified-cert-88 [RFC3039] + 11 id-mod-qualified-cert-93 [RFC3039] + 12 id-mod-attribute-cert [RFC3281] + 13 id-mod-tsp [RFC3161] + 14 id-mod-ocsp [RFC3029] + 15 id-mod-dvcs [RFC3029] + 16 id-mod-cmp2000 [RFC4210] + 17 id-mod-pkix1-algorithms [RFC3279] + 18 id-mod-pkix1-explicit [RFC3280] + 19 id-mod-pkix1-implicit [RFC3280] + 20 id-mod-user-group Reserved and Obsolete + 21 id-mod-scvp [RFC5055] + 22 id-mod-logotype [RFC3709] + 23 id-mod-cmc2002 [RFC5272] + 24 id-mod-wlan-extns [RFC3770] + 25 id-mod-proxy-cert-extns [RFC3820] + 26 id-mod-ac-policies [RFC4476] + 27 id-mod-warranty-extn [RFC4059] + 28 id-mod-perm-id-88 [RFC4043] + 29 id-mod-perm-id-93 [RFC4043] + 30 id-mod-ip-addr-and-as-ident [RFC3779] + 31 id-mod-qualified-cert [RFC3739] + 32 id-mod-crmf2003 Reserved and Obsolete + + + +Housley Informational [Page 7] + +RFC 7299 PKIX OID Registry July 2014 + + + 33 id-mod-pkix1-rsa-pkalgs [RFC4055] + 34 id-mod-cert-bundle [RFC4306] + 35 id-mod-qualified-cert-97 [RFC3739] + 36 id-mod-crmf2005 [RFC4210] + 37 id-mod-wlan-extns2005 [RFC4334] + 38 id-mod-sim2005 [RFC4683] + 39 id-mod-dns-srv-name-88 [RFC4985] + 40 id-mod-dns-srv-name-93 [RFC4985] + 41 id-mod-cmsContentConstr-88 [RFC6010] + 42 id-mod-cmsContentConstr-93 [RFC6010] + 43 id-mod-pkixCommon Reserved and Obsolete + 44 id-mod-pkixOtherCerts [RFC5697] + 45 id-mod-pkix1-algorithms2008 [RFC5480] + 46 id-mod-clearanceConstraints [RFC5913] + 47 id-mod-attribute-cert-02 [RFC5912] + 48 id-mod-ocsp-02 [RFC5912] + 49 id-mod-v1AttrCert-02 [RFC5912] + 50 id-mod-cmp2000-02 [RFC5912] + 51 id-mod-pkix1-explicit-02 [RFC5912] + 52 id-mod-scvp-02 [RFC5912] + 53 id-mod-cmc2002-02 [RFC5912] + 54 id-mod-pkix1-rsa-pkalgs-02 [RFC5912] + 55 id-mod-crmf2005-02 [RFC5912] + 56 id-mod-pkix1-algorithms2008-02 [RFC5912] + 57 id-mod-pkixCommon-02 [RFC5912] + 58 id-mod-algorithmInformation-02 [RFC5912] + 59 id-mod-pkix1-implicit-02 [RFC5912] + 60 id-mod-pkix1-x400address-02 [RFC5912] + 61 id-mod-attribute-cert-v2 [RFC5755] + 62 id-mod-sip-domain-extns2007 [RFC5924] + 63 id-mod-cms-otherRIs-2009-88 [RFC5940] + 64 id-mod-cms-otherRIs-2009-93 [RFC5940] + 65 id-mod-ecprivatekey [RFC5915] + 66 id-mod-ocsp-agility-2009-93 [RFC6277] + 67 id-mod-ocsp-agility-2009-88 [RFC6277] + 68 id-mod-logotype-certimage [RFC6170] + 69 id-mod-pkcs10-2009 [RFC5912] + 70 id-mod-dns-resource-record [Abley] + 71 id-mod-send-cert-extns [RFC6494] + 72 id-mod-ip-addr-and-as-ident-2 [RFC6268] + 73 id-mod-wlan-extns-2 [RFC6268] + 74 id-mod-hmac [RFC6268] + 75 id-mod-enrollMsgSyntax-2011-88 [RFC6402] [Err3860] + 76 id-mod-enrollMsgSyntax-2011-08 [RFC6402] + 77 id-mod-pubKeySMIMECaps-88 [RFC6664] + 78 id-mod-pubKeySMIMECaps-08 [RFC6664] + 79 id-mod-dhSign-2012-88 [RFC6955] + 80 id-mod-dhSign-2012-08 [RFC6955] + + + +Housley Informational [Page 8] + +RFC 7299 PKIX OID Registry July 2014 + + + 81 id-mod-ocsp-2013-88 [RFC6960] + 82 id-mod-ocsp-2013-08 [RFC6960] + 83 id-mod-TEST-certPolicies [RFC7229] + 84 id-mod-bgpsec-eku [BGPSEC] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.4. "SMI Security for PKIX Certificate Extension" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX + Certificate Extension (1.3.6.1.5.5.7.1)" table with three columns has + been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-pe-authorityInfoAccess [RFC2459] + 2 id-pe-biometricInfo [RFC3039] + 3 id-pe-qcStatements [RFC3039] + 4 id-pe-ac-auditIdentity [RFC3281] + 5 id-pe-ac-targeting Reserved and Obsolete + 6 id-pe-aaControls [RFC3281] + 7 id-pe-ipAddrBlocks [RFC3779] + 8 id-pe-autonomousSysIds [RFC3779] + 9 id-pe-sbgp-routerIdentifier Reserved and Obsolete + 10 id-pe-ac-proxying [RFC3281] + 11 id-pe-subjectInfoAccess [RFC3280] + 12 id-pe-logotype [RFC3709] + 13 id-pe-wlanSSID [RFC4334] + 14 id-pe-proxyCertInfo [RFC3820] + 15 id-pe-acPolicies [RFC4476] + 16 id-pe-warranty [RFC4059] + 17 id-pe-sim Reserved and Obsolete + 18 id-pe-cmsContentConstraints [RFC6010] + 19 id-pe-otherCerts [RFC5697] + 20 id-pe-wrappedApexContinKey [RFC5934] + 21 id-pe-clearanceConstraints [RFC5913] + 22 id-pe-skiSemantics Reserved and Obsolete + 23 id-pe-nsa [RFC7169] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + + + + + + +Housley Informational [Page 9] + +RFC 7299 PKIX OID Registry July 2014 + + +3.5. "SMI Security for PKIX Policy Qualifier" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Policy + Qualifier Identifiers (1.3.6.1.5.5.7.2)" table with three columns has + been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-qt-cps [RFC2459] + 2 id-qt-unotice [RFC2459] + 3 id-qt-textNotice Reserved and Obsolete + 4 id-qt-acps [RFC4476] + 5 id-qt-acunotice [RFC4476] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.6. "SMI Security for PKIX Extended Key Purpose" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Extended + Key Purpose Identifiers (1.3.6.1.5.5.7.3)" table with three columns + has been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-kp-serverAuth [RFC2459] + 2 id-kp-clientAuth [RFC2459] + 3 id-kp-codeSigning [RFC2459] + 4 id-kp-emailProtection [RFC2459] + 5 id-kp-ipsecEndSystem Reserved and Obsolete + 6 id-kp-ipsecTunnel Reserved and Obsolete + 7 id-kp-ipsecUser Reserved and Obsolete + 8 id-kp-timeStamping [RFC2459] + 9 id-kp-OCSPSigning [RFC2560] + 10 id-kp-dvcs [RFC3029] + 11 id-kp-sbgpCertAAServerAuth Reserved and Obsolete + 12 id-kp-scvp-responder Reserved and Obsolete + 13 id-kp-eapOverPPP [RFC4334] + 14 id-kp-eapOverLAN [RFC4334] + 15 id-kp-scvpServer [RFC5055] + 16 id-kp-scvpClient [RFC5055] + 17 id-kp-ipsecIKE [RFC4945] + 18 id-kp-capwapAC [RFC5415] + 19 id-kp-capwapWTP [RFC5415] + 20 id-kp-sipDomain [RFC5924] + 21 id-kp-secureShellClient [RFC6187] + 22 id-kp-secureShellServer [RFC6187] + 23 id-kp-sendRouter [RFC6494] + + + +Housley Informational [Page 10] + +RFC 7299 PKIX OID Registry July 2014 + + + 24 id-kp-sendProxiedRouter [RFC6494] + 25 id-kp-sendOwner [RFC6494] + 26 id-kp-sendProxiedOwner [RFC6494] + 27 id-kp-cmcCA [RFC6402] + 28 id-kp-cmcRA [RFC6402] + 29 id-kp-cmcArchive [RFC6402] + 30 id-kp-bgpsec-router [BGPSEC] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.7. "SMI Security for PKIX CMP Information Types" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX CMP + Information Types (1.3.6.1.5.5.7.4)" table with three columns has + been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-it-caProtEncCert [RFC2510] + 2 id-it-signKeyPairTypes [RFC2510] + 3 id-it-encKeyPairTypes [RFC2510] + 4 id-it-preferredSymmAlg [RFC2510] + 5 id-it-caKeyUpdateInfo [RFC2510] + 6 id-it-currentCRL [RFC2510] + 7 id-it-unsupportedOIDs [RFC4210] + 8 id-it-subscriptionRequest Reserved and Obsolete + 9 id-it-subscriptionResponse Reserved and Obsolete + 10 id-it-keyPairParamReq [RFC4210] + 11 id-it-keyPairParamRep [RFC4210] + 12 id-it-revPassphrase [RFC4210] + 13 id-it-implicitConfirm [RFC4210] + 14 id-it-confirmWaitTime [RFC4210] + 15 id-it-origPKIMessage [RFC4210] + 16 id-it-suppLangTags [RFC4210] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + + + + + + + + + + +Housley Informational [Page 11] + +RFC 7299 PKIX OID Registry July 2014 + + +3.8. "SMI Security for PKIX CRMF Registration" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX CRMF + Registration (1.3.6.1.5.5.7.5)" table with three columns has been + added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-regCtrl [RFC2511] + 2 id-regInfo [RFC2511] + 3 id-regEPEPSI [RFC4683] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.9. "SMI Security for PKIX CRMF Registration Controls" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX CRMF + Registration Controls (1.3.6.1.5.5.7.5.1)" table with three columns + has been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-regCtrl-regToken [RFC2511] + 2 id-regCtrl-authenticator [RFC2511] + 3 id-regCtrl-pkiPublicationInfo [RFC2511] + 4 id-regCtrl-pkiArchiveOptions [RFC2511] + 5 id-regCtrl-oldCertID [RFC2511] + 6 id-regCtrl-protocolEncrKey [RFC2511] + 7 id-regCtrl-altCertTemplate [RFC4210] + 8 id-regCtrl-wtlsTemplate Reserved and Obsolete + 9 id-regCtrl-regTokenUTF8 Reserved and Obsolete + 10 id-regCtrl-authenticatorUTF8 Reserved and Obsolete + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.10. "SMI Security for PKIX CRMF Registration Information" Registry + + Within the SMI-numbers registry, add an "SMI Security for PKIX CRMF + Registration Information (1.3.6.1.5.5.7.5.2)" table with three + columns: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-regInfo-utf8Pairs [RFC2511] + 2 id-regInfo-certReq [RFC2511] + + + + +Housley Informational [Page 12] + +RFC 7299 PKIX OID Registry July 2014 + + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.11. "SMI Security for PKIX Algorithms" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Algorithms + (1.3.6.1.5.5.7.6)" table with three columns has been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-alg-des40 Reserved and Obsolete + 2 id-alg-noSignature [RFC2797] + 3 id-alg-dh-sig-hmac-sha1 [RFC2875] + 4 id-alg-dhPop-sha1 [RFC2875] + 5 id-alg-dhPop-sha224 [RFC6955] + 6 id-alg-dhPop-sha256 [RFC6955] + 7 id-alg-dhPop-sha384 [RFC6955] + 8 id-alg-dhPop-sha512 [RFC6955] + 15 id-alg-dhPop-static-sha224-hmac-sha224 [RFC6955] + 16 id-alg-dhPop-static-sha256-hmac-sha256 [RFC6955] + 17 id-alg-dhPop-static-sha384-hmac-sha384 [RFC6955] + 18 id-alg-dhPop-static-sha512-hmac-sha512 [RFC6955] + 25 id-alg-ecdhPop-static-sha224-hmac-sha224 [RFC6955] + 26 id-alg-ecdhPop-static-sha256-hmac-sha256 [RFC6955] + 27 id-alg-ecdhPop-static-sha384-hmac-sha384 [RFC6955] + 28 id-alg-ecdhPop-static-sha512-hmac-sha512 [RFC6955] + + Note: id-alg-dhPop-sha1 is also known as id-alg-dh-pop. + + Note: id-alg-dh-sig-hmac-sha1 is also known as + id-alg-dhPop-static-sha1-hmac-sha1 and + id-dhPop-static-hmac-sha1. + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.12. "SMI Security for PKIX CMC Controls" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX CMC + Controls (1.3.6.1.5.5.7.7)" table with three columns has been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-cmc-statusInfo [RFC2797] + 2 id-cmc-identification [RFC2797] + 3 id-cmc-identityProof [RFC2797] + 4 id-cmc-dataReturn [RFC2797] + 5 id-cmc-transactionId [RFC2797] + + + +Housley Informational [Page 13] + +RFC 7299 PKIX OID Registry July 2014 + + + 6 id-cmc-senderNonce [RFC2797] + 7 id-cmc-recipientNonce [RFC2797] + 8 id-cmc-addExtensions [RFC2797] + 9 id-cmc-encryptedPOP [RFC2797] + 10 id-cmc-decryptedPOP [RFC2797] + 11 id-cmc-lraPOPWitness [RFC2797] + 15 id-cmc-getCert [RFC2797] + 16 id-cmc-getCRL [RFC2797] + 17 id-cmc-revokeRequest [RFC2797] + 18 id-cmc-regInfo [RFC2797] + 19 id-cmc-responseInfo [RFC2797] + 21 id-cmc-queryPending [RFC2797] + 22 id-cmc-popLinkRandom [RFC2797] + 23 id-cmc-popLinkWitness [RFC2797] + 24 id-cmc-confirmCertAcceptance [RFC2797] + 25 id-cmc-statusInfoV2 [RFC5272] + 26 id-cmc-trustedAnchors [RFC5272] + 27 id-cmc-authData [RFC5272] + 28 id-cmc-batchRequests [RFC5272] + 29 id-cmc-batchResponses [RFC5272] + 30 id-cmc-publishCert [RFC5272] + 31 id-cmc-modCertTemplate [RFC5272] + 32 id-cmc-controlProcessed [RFC5272] + 33 id-cmc-popLinkWitnessV2 [RFC5272] + 34 id-cmc-identityProofV2 [RFC5272] + 35 id-cmc-raIdentityWitness [RFC6402] + 36 id-cmc-changeSubjectName [RFC6402] + 37 id-cmc-responseBody [RFC6402] + 99 id-cmc-glaRR [RFC5275] + + Note: id-cmc-statusInfo is also known as id-cmc-cMCStatusInfo. + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.13. "SMI Security for PKIX CMC GLA Requests and Responses" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX CMC GLA + Requests and Responses (1.3.6.1.5.5.7.7.99)" table with three columns + has been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-cmc-gla-skdAlgRequest [RFC5275] + 2 id-cmc-gla-skdAlgResponse [RFC5275] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + +Housley Informational [Page 14] + +RFC 7299 PKIX OID Registry July 2014 + + +3.14. "SMI Security for PKIX Other Name Forms" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Other Name + Forms (1.3.6.1.5.5.7.8)" table with three columns has been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-on-personalData Reserved and Obsolete + 2 id-on-userGroup Reserved and Obsolete + 3 id-on-permanentIdentifier [RFC4043] + 4 id-on-hardwareModuleName [RFC4108] + 5 id-on-xmppAddr [RFC3920] + 6 id-on-SIM [RFC4683] + 7 id-on-dnsSRV [RFC4985] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.15. "SMI Security for PKIX Personal Data Attributes" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Personal + Data Attributes (1.3.6.1.5.5.7.9)" table with three columns has been + added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-pda-dateOfBirth [RFC3039] + 2 id-pda-placeOfBirth [RFC3039] + 3 id-pda-gender [RFC3039] + 4 id-pda-countryOfCitizenship [RFC3039] + 5 id-pda-countryOfResidence [RFC3039] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + + + + + + + + + + + + + + +Housley Informational [Page 15] + +RFC 7299 PKIX OID Registry July 2014 + + +3.16. "SMI Security for PKIX Attribute Certificate Attributes" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Attribute + Certificate Attributes (1.3.6.1.5.5.7.10)" table with three columns + has been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-aca-authenticationInfo [RFC3281] + 2 id-aca-accessIdentity [RFC3281] + 3 id-aca-chargingIdentity [RFC3281] + 4 id-aca-group [RFC3281] + 5 id-aca-role Reserved and Obsolete + 6 id-aca-encAttrs [RFC3281] + 7 id-aca-wlanSSID [RFC4334] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.17. "SMI Security for PKIX Qualified Certificate Statements" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Qualified + Certificate Statements (1.3.6.1.5.5.7.11)" table with three columns + has been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-qcs-pkixQCSyntax-v1 [RFC3039] + 2 id-qcs-pkixQCSyntax-v2 [RFC3739] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.18. "SMI Security for PKIX CMC Content Types" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX CMC + Content Types (1.3.6.1.5.5.7.12)" table with three columns has been + added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-cct-crs Reserved and Obsolete + 2 id-cct-PKIData [RFC2797] + 3 id-cct-PKIResponse [RFC2797] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + +Housley Informational [Page 16] + +RFC 7299 PKIX OID Registry July 2014 + + +3.19. "SMI Security for PKIX OIDs Used Only for Testing" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX OIDs used + Only for Testing (1.3.6.1.5.5.7.13)" table with three columns has + been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-TEST-certPolicyOne [RFC7229] + 2 id-TEST-certPolicyTwo [RFC7229] + 3 id-TEST-certPolicyThree [RFC7229] + 4 id-TEST-certPolicyFour [RFC7229] + 5 id-TEST-certPolicyFive [RFC7229] + 6 id-TEST-certPolicySix [RFC7229] + 7 id-TEST-certPolicySeven [RFC7229] + 8 id-TEST-certPolicyEight [RFC7229] + + Note: The object identifiers in this table should not appear on the + public Internet. These object identifiers are ONLY for + TESTING. + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.20. "SMI Security for PKIX Certificate Policies" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX + Certificate Policies (1.3.6.1.5.5.7.14)" table with three columns has + been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-cp-sbgpCertificatePolicy Reserved and Obsolete + 2 id-cp-ipAddr-asNumber [RFC6484] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.21. "SMI Security for PKIX CMC Error Types" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX CMC Error + Types (1.3.6.1.5.5.7.15)" table with three columns has been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-cet-skdFailInfo [RFC5275] + + + + + +Housley Informational [Page 17] + +RFC 7299 PKIX OID Registry July 2014 + + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.22. "SMI Security for PKIX Revocation Information Types" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Revocation + Information Types (1.3.6.1.5.5.7.16)" table with three columns has + been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-ri-crl [RFC5940] + 2 id-ri-ocsp-response [RFC5940] + 3 id-ri-delta-crl [RFC5940] + 4 id-ri-scvp [RFC5940] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.23. "SMI Security for PKIX SCVP Check Types" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX SCVP Check + Types (1.3.6.1.5.5.7.17)" table with three columns has been added: + + Decimal Description References + ------- ------------------------------------------------ ---------- + 1 id-stc-build-pkc-path [RFC5055] + 2 id-stc-build-valid-pkc-path [RFC5055] + 3 id-stc-build-status-checked-pkc-path [RFC5055] + 4 id-stc-build-aa-path [RFC5055] + 5 id-stc-build-valid-aa-path [RFC5055] + 6 id-stc-build-status-checked-aa-path [RFC5055] + 7 id-stc-status-check-ac-and-build-status-checked-aa-path + [RFC5055] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + + + + + + + + + + + +Housley Informational [Page 18] + +RFC 7299 PKIX OID Registry July 2014 + + +3.24. "SMI Security for PKIX SCVP Want Back Types" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX SCVP Want + Back Types (1.3.6.1.5.5.7.18)" table with three columns has been + added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-swb-pkc-best-cert-path [RFC5055] + 2 id-swb-pkc-revocation-info [RFC5055] + 3 id-swb-pkc-cert-status Reserved and Obsolete + 4 id-swb-pkc-public-key-info [RFC5055] + 5 id-swb-aa-cert-path [RFC5055] + 6 id-swb-aa-revocation-info [RFC5055] + 7 id-swb-ac-revocation-info [RFC5055] + 8 id-swb-ac-cert-status Reserved and Obsolete + 9 id-swb-relayed-responses [RFC5055] + 10 id-swb-pkc-cert [RFC5055] + 11 id-swb-ac-cert [RFC5055] + 12 id-swb-pkc-all-cert-paths [RFC5055] + 13 id-swb-pkc-ee-revocation-info [RFC5055] + 14 id-swb-pkc-CAs-revocation-info [RFC5055] + 15 id-swb-partial-cert-path [RFC5276] + 16 id-swb-ers-pkc-cert [RFC5276] + 17 id-swb-ers-best-cert-path [RFC5276] + 18 id-swb-ers-partial-cert-path [RFC5276] + 19 id-swb-ers-revocation-info [RFC5276] + 20 id-swb-ers-all [RFC5276] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + + + + + + + + + + + + + + + + + +Housley Informational [Page 19] + +RFC 7299 PKIX OID Registry July 2014 + + +3.25. "SMI Security for PKIX SCVP Validation Policies and Algorithms" + Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX SCVP + Validation Policies and Algorithms (1.3.6.1.5.5.7.19)" table with + three columns has been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-svp-defaultValPolicy [RFC5055] + 2 id-svp-nameValAlg [RFC5055] + 3 id-svp-basicValAlg [RFC5055] + 4 id-svp-dnValAlg [RFC5055] + + Note: id-svp-nameValAlg is also known as id-nvae. + + Note: id-svp-basicValAlg is also known as id-bvae. + + Note: id-svp-dnValAlg is also known as id-dnvae and id-nva-dnCompAlg. + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.26. "SMI Security for PKIX SCVP Name Validation Policy Errors" + Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX SCVP Name + Validation Policy Errors (1.3.6.1.5.5.7.19.2)" table with three + columns has been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-nvae-name-mismatch [RFC5055] + 2 id-nvae-no-name [RFC5055] + 3 id-nvae-unknown-alg [RFC5055] + 4 id-nvae-bad-name [RFC5055] + 5 id-nvae-bad-name-type [RFC5055] + 6 id-nvae-mixed-names [RFC5055] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + + + + + + + +Housley Informational [Page 20] + +RFC 7299 PKIX OID Registry July 2014 + + +3.27. "SMI Security for PKIX SCVP Basic Validation Policy Errors" + Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX SCVP Basic + Validation Policy Errors (1.3.6.1.5.5.7.19.3)" table with three + columns has been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-bvae-expired [RFC5055] + 2 id-bvae-not-yet-valid [RFC5055] + 3 id-bvae-wrongTrustAnchor [RFC5055] + 4 id-bvae-noValidCertPath [RFC5055] + 5 id-bvae-revoked [RFC5055] + 9 id-bvae-invalidKeyPurpose [RFC5055] + 10 id-bvae-invalidKeyUsage [RFC5055] + 11 id-bvae-invalidCertPolicy [RFC5055] + 12 id-bvae-invalidName Reserved and Obsolete + 13 id-bvae-invalidEntity Reserved and Obsolete + 14 id-bvae-invalidPathDepth Reserved and Obsolete + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.28. "SMI Security for PKIX SCVP Distinguished Name Validation Policy + Errors" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX SCVP + Distinguished Name Validation Policy Errors (1.3.6.1.5.5.7.19.4)" + table with three columns has been added: + + Decimal Description References + ------- ------------------------------ ---------- + + Note: This table is currently empty. + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + + + + + + + + + + +Housley Informational [Page 21] + +RFC 7299 PKIX OID Registry July 2014 + + +3.29. "SMI Security for PKIX Other Logotype Identifiers" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Other + Logotype Identifiers (1.3.6.1.5.5.7.20)" table with three columns has + been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-logo-loyalty [RFC3709] + 2 id-logo-background [RFC3709] + 3 id-logo-certImage [RFC6170] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.30. "SMI Security for PKIX Proxy Certificate Policy Languages" + Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Proxy + Certificate Policy Languages (1.3.6.1.5.5.7.21)" table with three + columns has been added: + + Decimal Description References + ------- ------------------------------ ---------- + 0 id-ppl-anyLanguage [RFC3820] + 1 id-ppl-inheritAll [RFC3820] + 2 id-ppl-independent [RFC3820] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.31. "SMI Security for PKIX Proxy Matching Rules" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Proxy + Matching Rules (1.3.6.1.5.5.7.22)" table with three columns has been + added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-mr-pkix-alphanum-ids Reserved and Obsolete + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + + + + + +Housley Informational [Page 22] + +RFC 7299 PKIX OID Registry July 2014 + + +3.32. "SMI Security for PKIX Subject Key Identifier Semantics" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Subject + Key Identifier Semantics (1.3.6.1.5.5.7.23)" table with three columns + has been added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-skis-keyHash Reserved and Obsolete + 2 id-skis-4BitKeyHash Reserved and Obsolete + 3 id-skis-keyInfoHash Reserved and Obsolete + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +3.33. "SMI Security for PKIX Access Descriptor" Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Access + Descriptor (1.3.6.1.5.5.7.48)" table with three columns has been + added: + + Decimal Description References + ------- ------------------------------ --------------------- + 1 id-ad-ocsp [RFC2459] + 2 id-ad-caIssuers [RFC2459] + 3 id-ad-timestamping [RFC3161] + 4 id-ad-dvcs [RFC3029] + 5 id-ad-caRepository [RFC3280] + 6 id-ad-http-certs [RFC4387] + 7 id-ad-http-crls [RFC4387] + 8 id-ad-xkms Reserved and Obsolete + 9 id-ad-signedObjectRepository Reserved and Obsolete + 10 id-ad-rpkiManifest [RFC6487] + 11 id-ad-signedObject [RFC6487] + 12 id-ad-cmc [RFC6402] + + Note: id-ad-ocsp is also known as id-pkix-ocsp. + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + + + + + + + + + + + +Housley Informational [Page 23] + +RFC 7299 PKIX OID Registry July 2014 + + +3.34. "SMI Security for PKIX Online Certificate Status Protocol (OCSP)" + Registry + + Within the SMI-numbers registry, an "SMI Security for PKIX Online + Certificate Status Protocol (OCSP) (1.3.6.1.5.5.7.48.1)" table with + three columns has been added: + + Decimal Description References + ------- ------------------------------ ---------- + 1 id-pkix-ocsp-basic [RFC2560] + 2 id-pkix-ocsp-nonce [RFC2560] + 3 id-pkix-ocsp-crl [RFC2560] + 4 id-pkix-ocsp-response [RFC2560] + 5 id-pkix-ocsp-nocheck [RFC2560] + 6 id-pkix-ocsp-archive-cutoff [RFC2560] + 7 id-pkix-ocsp-service-locator [RFC2560] + 8 id-pkix-ocsp-pref-sig-algs [RFC6277] + 9 id-pkix-ocsp-extended-revoke [RFC6960] + + Future updates to this table are to be made according to the + Specification Required policy as defined in [RFC5226]. + +4. Security Considerations + + This document populates an IANA registry, and it raises no new + security considerations. The protocols that specify these values + include the security considerations associated with their usage. + + The id-pe-nsa certificate extension should not appear in any + certificate that is used on the public Internet. + + + + + + + + + + + + + + + + + + + + + +Housley Informational [Page 24] + +RFC 7299 PKIX OID Registry July 2014 + + +5. References + +5.1. Normative References + + [ASN1-08] International Telecommunication Union, "Abstract Syntax + Notation One (ASN.1): Specification of basic notation", + ITU-T Recommendation X.680, November 2008. + + [ASN1-88] International Telephone and Telegraph Consultative + Committee, "Specification of Abstract Syntax Notation One + (ASN.1)", CCITT Recommendation X.208, 1988. + + [ASN1-97] International Telecommunication Union, "Abstract Syntax + Notation One (ASN.1): Specification of basic notation", + ITU-T Recommendation X.680, 1997. + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 5226, + May 2008. + +5.2. Informative References + + [Err3860] RFC Errata, Errata ID 3860, RFC 6402, + . + + [Abley] Abley, J., Schlyter, J., and G. Bailey, "DNSSEC Trust + Anchor Publication for the Root Zone", Work in Progress, + June 2014. + + [BGPSEC] Reynolds, M., Turner, S., and S. Kent, "A Profile for + BGPSEC Router Certificates, Certificate Revocation Lists, + and Certification Requests", Work in Progress, March 2014. + + [RFC2459] Housley, R., Ford, W., Polk, W., and D. Solo, "Internet + X.509 Public Key Infrastructure Certificate and CRL + Profile", RFC 2459, January 1999. + + [RFC2510] Adams, C. and S. Farrell, "Internet X.509 Public Key + Infrastructure Certificate Management Protocols", + RFC 2510, March 1999. + + [RFC2511] Myers, M., Adams, C., Solo, D., and D. Kemp, "Internet + X.509 Certificate Request Message Format", RFC 2511, + March 1999. + + + + + + + +Housley Informational [Page 25] + +RFC 7299 PKIX OID Registry July 2014 + + + [RFC2528] Housley, R. and W. Polk, "Internet X.509 Public Key + Infrastructure Representation of Key Exchange Algorithm + (KEA) Keys in Internet X.509 Public Key Infrastructure + Certificates", RFC 2528, March 1999. + + [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. + Adams, "X.509 Internet Public Key Infrastructure Online + Certificate Status Protocol - OCSP", RFC 2560, June 1999. + + [RFC2797] Myers, M., Liu, X., Schaad, J., and J. Weinstein, + "Certificate Management Messages over CMS", RFC 2797, + April 2000. + + [RFC2875] Prafullchandra, H. and J. Schaad, "Diffie-Hellman + Proof-of-Possession Algorithms", RFC 2875, July 2000. + + [RFC3029] Adams, C., Sylvester, P., Zolotarev, M., and R. + Zuccherato, "Internet X.509 Public Key Infrastructure Data + Validation and Certification Server Protocols", RFC 3029, + February 2001. + + [RFC3039] Santesson, S., Polk, W., Barzin, P., and M. Nystrom, + "Internet X.509 Public Key Infrastructure Qualified + Certificates Profile", RFC 3039, January 2001. + + [RFC3161] Adams, C., Cain, P., Pinkas, D., and R. Zuccherato, + "Internet X.509 Public Key Infrastructure Time-Stamp + Protocol (TSP)", RFC 3161, August 2001. + + [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and + Identifiers for the Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation List + (CRL) Profile", RFC 3279, April 2002. + + [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet + X.509 Public Key Infrastructure Certificate and + Certificate Revocation List (CRL) Profile", RFC 3280, + April 2002. + + [RFC3281] Farrell, S. and R. Housley, "An Internet Attribute + Certificate Profile for Authorization", RFC 3281, + April 2002. + + [RFC3709] Santesson, S., Housley, R., and T. Freeman, "Internet + X.509 Public Key Infrastructure: Logotypes in X.509 + Certificates", RFC 3709, February 2004. + + + + + +Housley Informational [Page 26] + +RFC 7299 PKIX OID Registry July 2014 + + + [RFC3739] Santesson, S., Nystrom, M., and T. Polk, "Internet X.509 + Public Key Infrastructure: Qualified Certificates + Profile", RFC 3739, March 2004. + + [RFC3770] Housley, R. and T. Moore, "Certificate Extensions and + Attributes Supporting Authentication in Point-to-Point + Protocol (PPP) and Wireless Local Area Networks (WLAN)", + RFC 3770, May 2004. + + [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP + Addresses and AS Identifiers", RFC 3779, June 2004. + + [RFC3820] Tuecke, S., Welch, V., Engert, D., Pearlman, L., and M. + Thompson, "Internet X.509 Public Key Infrastructure (PKI) + Proxy Certificate Profile", RFC 3820, June 2004. + + [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence + Protocol (XMPP): Core", RFC 3920, October 2004. + + [RFC4043] Pinkas, D. and T. Gindin, "Internet X.509 Public Key + Infrastructure Permanent Identifier", RFC 4043, May 2005. + + [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional + Algorithms and Identifiers for RSA Cryptography for use in + the Internet X.509 Public Key Infrastructure Certificate + and Certificate Revocation List (CRL) Profile", RFC 4055, + June 2005. + + [RFC4059] Linsenbardt, D., Pontius, S., and A. Sturgeon, "Internet + X.509 Public Key Infrastructure Warranty Certificate + Extension", RFC 4059, May 2005. + + [RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to + Protect Firmware Packages", RFC 4108, August 2005. + + [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, + "Internet X.509 Public Key Infrastructure Certificate + Management Protocol (CMP)", RFC 4210, September 2005. + + [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) + Protocol", RFC 4306, December 2005. + + [RFC4334] Housley, R. and T. Moore, "Certificate Extensions and + Attributes Supporting Authentication in Point-to-Point + Protocol (PPP) and Wireless Local Area Networks (WLAN)", + RFC 4334, February 2006. + + + + + +Housley Informational [Page 27] + +RFC 7299 PKIX OID Registry July 2014 + + + [RFC4387] Gutmann, P., Ed., "Internet X.509 Public Key + Infrastructure Operational Protocols: Certificate Store + Access via HTTP", RFC 4387, February 2006. + + [RFC4476] Francis, C. and D. Pinkas, "Attribute Certificate (AC) + Policies Extension", RFC 4476, May 2006. + + [RFC4683] Park, J., Lee, J., . Lee, H., Park, S., and T. Polk, + "Internet X.509 Public Key Infrastructure Subject + Identification Method (SIM)", RFC 4683, October 2006. + + [RFC4945] Korver, B., "The Internet IP Security PKI Profile of + IKEv1/ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007. + + [RFC4985] Santesson, S., "Internet X.509 Public Key Infrastructure + Subject Alternative Name for Expression of Service Name", + RFC 4985, August 2007. + + [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W. + Polk, "Server-Based Certificate Validation Protocol + (SCVP)", RFC 5055, December 2007. + + [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS + (CMC)", RFC 5272, June 2008. + + [RFC5275] Turner, S., "CMS Symmetric Key Management and + Distribution", RFC 5275, June 2008. + + [RFC5276] Wallace, C., "Using the Server-Based Certificate + Validation Protocol (SCVP) to Convey Long-Term Evidence + Records", RFC 5276, August 2008. + + [RFC5415] Calhoun, P., Ed., Montemurro, M., Ed., and D. Stanley, + Ed., "Control And Provisioning of Wireless Access Points + (CAPWAP) Protocol Specification", RFC 5415, March 2009. + + [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, + "Elliptic Curve Cryptography Subject Public Key + Information", RFC 5480, March 2009. + + [RFC5697] Farrell, S., "Other Certificates Extension", RFC 5697, + November 2009. + + [RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet + Attribute Certificate Profile for Authorization", + RFC 5755, January 2010. + + + + + +Housley Informational [Page 28] + +RFC 7299 PKIX OID Registry July 2014 + + + [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the + Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, + June 2010. + + [RFC5913] Turner, S. and S. Chokhani, "Clearance Attribute and + Authority Clearance Constraints Certificate Extension", + RFC 5913, June 2010. + + [RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key + Structure", RFC 5915, June 2010. + + [RFC5924] Lawrence, S. and V. Gurbani, "Extended Key Usage (EKU) for + Session Initiation Protocol (SIP) X.509 Certificates", + RFC 5924, June 2010. + + [RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor + Management Protocol (TAMP)", RFC 5934, August 2010. + + [RFC5940] Turner, S. and R. Housley, "Additional Cryptographic + Message Syntax (CMS) Revocation Information Choices", + RFC 5940, August 2010. + + [RFC6010] Housley, R., Ashmore, S., and C. Wallace, "Cryptographic + Message Syntax (CMS) Content Constraints Extension", + RFC 6010, September 2010. + + [RFC6170] Santesson, S., Housley, R., Bajaj, S., and L. Rosenthol, + "Internet X.509 Public Key Infrastructure -- Certificate + Image", RFC 6170, May 2011. + + [RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure + Shell Authentication", RFC 6187, March 2011. + + [RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules + for the Cryptographic Message Syntax (CMS) and the Public + Key Infrastructure Using X.509 (PKIX)", RFC 6268, + July 2011. + + [RFC6277] Santesson, S. and P. Hallam-Baker, "Online Certificate + Status Protocol Algorithm Agility", RFC 6277, June 2011. + + [RFC6402] Schaad, J., "Certificate Management over CMS (CMC) + Updates", RFC 6402, November 2011. + + [RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate + Policy (CP) for the Resource Public Key Infrastructure + (RPKI)", BCP 173, RFC 6484, February 2012. + + + + +Housley Informational [Page 29] + +RFC 7299 PKIX OID Registry July 2014 + + + [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for + X.509 PKIX Resource Certificates", RFC 6487, + February 2012. + + [RFC6494] Gagliano, R., Krishnan, S., and A. Kukec, "Certificate + Profile and Certificate Management for SEcure Neighbor + Discovery (SEND)", RFC 6494, February 2012. + + [RFC6664] Schaad, J., "S/MIME Capabilities for Public Key + Definitions", RFC 6664, July 2012. + + [RFC6955] Schaad, J. and H. Prafullchandra, "Diffie-Hellman + Proof-of-Possession Algorithms", RFC 6955, May 2013. + + [RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A., + Galperin, S., and C. Adams, "X.509 Internet Public Key + Infrastructure Online Certificate Status Protocol - OCSP", + RFC 6960, June 2013. + + [RFC7169] Turner, S., "The NSA (No Secrecy Afforded) Certificate + Extension", RFC 7169, April 1 2014. + + [RFC7229] Housley, R., "Object Identifiers for Test Certificate + Policies", RFC 7229, May 2014. + +Acknowledgements + + Many thanks to Lynne Bartholomew, David Cooper, Jim Schaad, and Sean + Turner for their careful review and comments. + +Author's Address + + Russ Housley + 918 Spring Knoll Drive + Herndon, VA 20170 + USA + + EMail: housley@vigilsec.com + + + + + + + + + + + + + +Housley Informational [Page 30] + diff --git a/const-oid/oiddbgen/src/asn1.rs b/const-oid/oiddbgen/src/asn1.rs index ee846cca6..ccd2bd2d4 100644 --- a/const-oid/oiddbgen/src/asn1.rs +++ b/const-oid/oiddbgen/src/asn1.rs @@ -4,13 +4,12 @@ use regex::Regex; #[derive(Clone, Debug)] pub struct Asn1Parser { - spec: String, tree: BTreeMap, Option)>, } impl Asn1Parser { const DEF: &'static str = r"(?mx) - (?P[a-z][a-zA-Z0-9-]*) # name + (?P[a-zA-Z][a-zA-Z0-9-]*) # name \s+ OBJECT \s+ @@ -20,11 +19,11 @@ impl Asn1Parser { \s* \{ \s* - (?:(?P[a-z][a-zA-Z0-9-]*)\s+)? # base + (?:(?P[a-zA-Z][a-zA-Z0-9-]*)\s+)? # base (?P # tail (?: (?: - [a-z][a-zA-Z0-9-]*\([0-9]+\)\s+ + [a-zA-Z][a-zA-Z0-9-]*\([0-9]+\)\s+ ) | (?: @@ -37,7 +36,7 @@ impl Asn1Parser { const ARC: &'static str = r"(?mx) (?: - [a-z][a-zA-Z0-9-]*\(([0-9]+)\) + [a-zA-Z][a-zA-Z0-9-]*\(([0-9]+)\) ) | (?: @@ -45,7 +44,7 @@ impl Asn1Parser { ) "; - pub fn new(spec: String, asn1: &str) -> Self { + pub fn new(asn1: &str) -> Self { let def = Regex::new(Self::DEF).unwrap(); let arc = Regex::new(Self::ARC).unwrap(); @@ -64,10 +63,15 @@ impl Asn1Parser { .join(".") }); + let tail = match tail.as_deref() { + Some("") => None, + _ => tail, + }; + tree.insert(name, (base, tail)); } - Self { spec, tree } + Self { tree } } pub fn resolve(&self, name: &str) -> Option { @@ -84,7 +88,7 @@ impl Asn1Parser { } } - pub fn iter(&self) -> impl '_ + Iterator { + pub fn iter(&self) -> impl '_ + Iterator { let bases: HashSet<&String> = self .tree .values() @@ -94,14 +98,13 @@ impl Asn1Parser { self.tree .keys() .filter(move |n| !bases.contains(n)) - .filter_map(|n| self.resolve(n).map(|p| (self.spec.clone(), n.clone(), p))) + .filter_map(|n| self.resolve(n).map(|p| (n.clone(), p))) } } #[test] fn test() { let asn1 = super::Asn1Parser::new( - "none".into(), r" foo OBJECT IDENTIFIER ::= { bar(1) baz(2) 3 } bat OBJECT IDENTIFIER ::= { foo qux(4) 5 } @@ -109,11 +112,7 @@ fn test() { ", ); - let answer = ( - "none".to_string(), - "quz".to_string(), - "1.2.3.4.5.6".to_string(), - ); + let answer = ("quz".to_string(), "1.2.3.4.5.6".to_string()); let mut iter = asn1.iter(); assert_eq!(Some(answer), iter.next()); diff --git a/const-oid/oiddbgen/src/main.rs b/const-oid/oiddbgen/src/main.rs index 4d85cd0db..07e0cd0d7 100644 --- a/const-oid/oiddbgen/src/main.rs +++ b/const-oid/oiddbgen/src/main.rs @@ -4,19 +4,28 @@ use oiddbgen::{Asn1Parser, LdapParser, Root}; // https://www.iana.org/assignments/ldap-parameters/ldap-parameters.xhtml#ldap-parameters-3 const LDAP: &str = include_str!("../ldap-parameters-3.csv"); -// Downloaded from: -// https://www.rfc-editor.org/rfc/rfc5280.txt -const RFC5280: &str = include_str!("../rfc5280.txt"); +// All RFCs downloaded from: +// https://www.rfc-editor.org/rfc/rfcNNNN.txt +const RFCS: &[(&str, &str)] = &[ + ("rfc5280", include_str!("../rfc5280.txt")), + ("rfc5911", include_str!("../rfc5911.txt")), + ("rfc5912", include_str!("../rfc5912.txt")), + ("rfc6268", include_str!("../rfc6268.txt")), + ("rfc7107", include_str!("../rfc7107.txt")), + ("rfc7299", include_str!("../rfc7299.txt")), +]; fn main() { let mut root = Root::default(); for (spec, name, obid) in LdapParser::new(LDAP).iter() { - root.add(&spec, &name, &obid) + root.add(&spec, &name, &obid); } - for (spec, name, obid) in Asn1Parser::new("rfc5280".into(), RFC5280).iter() { - root.add(&spec, &name, &obid) + for (spec, body) in RFCS { + for (name, obid) in Asn1Parser::new(body).iter() { + root.add(spec, &name, &obid); + } } println!("{}", root.module()); diff --git a/const-oid/src/db/gen.rs b/const-oid/src/db/gen.rs index 719d15ff5..a1061313d 100644 --- a/const-oid/src/db/gen.rs +++ b/const-oid/src/db/gen.rs @@ -2695,6 +2695,619 @@ pub mod rfc5280 { name: "pkcs-9", }; } +pub mod rfc5911 { + pub const DES_EDE_3_CBC: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.3.7"), + name: "des-ede3-cbc", + }; + pub const HMAC_SHA_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.8.1.2"), + name: "hMAC-SHA1", + }; + pub const ID_PBKDF_2: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.5.12"), + name: "id-PBKDF2", + }; + pub const ID_AA_COMMUNITY_IDENTIFIERS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.40"), + name: "id-aa-communityIdentifiers", + }; + pub const ID_AA_CONTENT_REFERENCE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.10"), + name: "id-aa-contentReference", + }; + pub const ID_AA_DECRYPT_KEY_ID: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.37"), + name: "id-aa-decryptKeyID", + }; + pub const ID_AA_ER_EXTERNAL: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.50"), + name: "id-aa-er-external", + }; + pub const ID_AA_ER_INTERNAL: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.49"), + name: "id-aa-er-internal", + }; + pub const ID_AA_FIRMWARE_PACKAGE_ID: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.35"), + name: "id-aa-firmwarePackageID", + }; + pub const ID_AA_FIRMWARE_PACKAGE_INFO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.42"), + name: "id-aa-firmwarePackageInfo", + }; + pub const ID_AA_IMPL_COMPRESS_ALGS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.43"), + name: "id-aa-implCompressAlgs", + }; + pub const ID_AA_IMPL_CRYPTO_ALGS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.38"), + name: "id-aa-implCryptoAlgs", + }; + pub const ID_AA_ML_EXPAND_HISTORY: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.3"), + name: "id-aa-mlExpandHistory", + }; + pub const ID_AA_SIGNING_CERTIFICATE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.12"), + name: "id-aa-signingCertificate", + }; + pub const ID_AA_SIGNING_CERTIFICATE_V_2: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.47"), + name: "id-aa-signingCertificateV2", + }; + pub const ID_AA_TARGET_HARDWARE_I_DS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.36"), + name: "id-aa-targetHardwareIDs", + }; + pub const ID_AA_WRAPPED_FIRMWARE_KEY: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.39"), + name: "id-aa-wrappedFirmwareKey", + }; + pub const ID_AES_128_CBC: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.2"), + name: "id-aes128-CBC", + }; + pub const ID_AES_128_CCM: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.7"), + name: "id-aes128-CCM", + }; + pub const ID_AES_128_GCM: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.6"), + name: "id-aes128-GCM", + }; + pub const ID_AES_128_WRAP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.5"), + name: "id-aes128-wrap", + }; + pub const ID_AES_192_CBC: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.22"), + name: "id-aes192-CBC", + }; + pub const ID_AES_192_CCM: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.27"), + name: "id-aes192-CCM", + }; + pub const ID_AES_192_GCM: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.26"), + name: "id-aes192-GCM", + }; + pub const ID_AES_192_WRAP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.25"), + name: "id-aes192-wrap", + }; + pub const ID_AES_256_CBC: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.42"), + name: "id-aes256-CBC", + }; + pub const ID_AES_256_CCM: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.47"), + name: "id-aes256-CCM", + }; + pub const ID_AES_256_GCM: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.46"), + name: "id-aes256-GCM", + }; + pub const ID_AES_256_WRAP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.1.45"), + name: "id-aes256-wrap", + }; + pub const ID_ALG_CMS_3_DE_SWRAP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.3.6"), + name: "id-alg-CMS3DESwrap", + }; + pub const ID_ALG_CMSRC_2_WRAP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.3.7"), + name: "id-alg-CMSRC2wrap", + }; + pub const ID_ALG_ESDH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.3.5"), + name: "id-alg-ESDH", + }; + pub const ID_ALG_SSDH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.3.10"), + name: "id-alg-SSDH", + }; + pub const ID_CAP_PREFER_BINARY_INSIDE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.11.1"), + name: "id-cap-preferBinaryInside", + }; + pub const ID_CET_SKD_FAIL_INFO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.15.1"), + name: "id-cet-skdFailInfo", + }; + pub const ID_CMC_GLA_SKD_ALG_REQUEST: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.7.99.1"), + name: "id-cmc-gla-skdAlgRequest", + }; + pub const ID_CMC_GLA_SKD_ALG_RESPONSE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.7.99.2"), + name: "id-cmc-gla-skdAlgResponse", + }; + pub const ID_CONTENT_TYPE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.3"), + name: "id-contentType", + }; + pub const ID_COUNTERSIGNATURE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.6"), + name: "id-countersignature", + }; + pub const ID_CT_AUTH_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.2"), + name: "id-ct-authData", + }; + pub const ID_CT_CONTENT_INFO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.6"), + name: "id-ct-contentInfo", + }; + pub const ID_CT_FIRMWARE_LOAD_ERROR: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.18"), + name: "id-ct-firmwareLoadError", + }; + pub const ID_CT_FIRMWARE_LOAD_RECEIPT: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.17"), + name: "id-ct-firmwareLoadReceipt", + }; + pub const ID_CT_FIRMWARE_PACKAGE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.16"), + name: "id-ct-firmwarePackage", + }; + pub const ID_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.1"), + name: "id-data", + }; + pub const ID_DIGESTED_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.5"), + name: "id-digestedData", + }; + pub const ID_ENCRYPTED_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.6"), + name: "id-encryptedData", + }; + pub const ID_ENVELOPED_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.3"), + name: "id-envelopedData", + }; + pub const ID_MESSAGE_DIGEST: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.4"), + name: "id-messageDigest", + }; + pub const ID_ON_HARDWARE_MODULE_NAME: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.8.4"), + name: "id-on-hardwareModuleName", + }; + pub const ID_SIGNED_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.2"), + name: "id-signedData", + }; + pub const ID_SIGNING_TIME: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.5"), + name: "id-signingTime", + }; + pub const ID_SKD: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.8"), + name: "id-skd", + }; + pub const LTANS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.11"), + name: "ltans", + }; + pub const RC_2_CBC: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.3.2"), + name: "rc2-cbc", + }; + pub const SMIME_CAPABILITIES: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.15"), + name: "smimeCapabilities", + }; +} +pub mod rfc5912 { + pub const NAME_COMP_ALG_SET: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.19.4"), + name: "NameCompAlgSet", + }; + pub const DHPUBLICNUMBER: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.10046.2.1"), + name: "dhpublicnumber", + }; + pub const DSA_WITH_SHA_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.10040.4.3"), + name: "dsa-with-sha1", + }; + pub const DSA_WITH_SHA_224: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.3.1"), + name: "dsa-with-sha224", + }; + pub const DSA_WITH_SHA_256: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.3.2"), + name: "dsa-with-sha256", + }; + pub const ECDSA_WITH_SHA_224: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.10045.4.3.1"), + name: "ecdsa-with-SHA224", + }; + pub const ECDSA_WITH_SHA_256: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.10045.4.3.2"), + name: "ecdsa-with-SHA256", + }; + pub const ECDSA_WITH_SHA_384: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.10045.4.3.3"), + name: "ecdsa-with-SHA384", + }; + pub const ECDSA_WITH_SHA_512: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.10045.4.3.4"), + name: "ecdsa-with-SHA512", + }; + pub const ID_DH_BASED_MAC: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113533.7.66.30"), + name: "id-DHBasedMac", + }; + pub const ID_PASSWORD_BASED_MAC: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113533.7.66.13"), + name: "id-PasswordBasedMac", + }; + pub const ID_RSAES_OAEP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.7"), + name: "id-RSAES-OAEP", + }; + pub const ID_RSASSA_PSS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.10"), + name: "id-RSASSA-PSS", + }; + pub const ID_AT: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.4"), + name: "id-at", + }; + pub const ID_CE_AUTHORITY_KEY_IDENTIFIER: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.35"), + name: "id-ce-authorityKeyIdentifier", + }; + pub const ID_CE_BASIC_CONSTRAINTS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.19"), + name: "id-ce-basicConstraints", + }; + pub const ID_CE_CRL_NUMBER: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.20"), + name: "id-ce-cRLNumber", + }; + pub const ID_CE_CRL_REASONS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.21"), + name: "id-ce-cRLReasons", + }; + pub const ID_CE_CERTIFICATE_ISSUER: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.29"), + name: "id-ce-certificateIssuer", + }; + pub const ID_CE_CERTIFICATE_POLICIES: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.32"), + name: "id-ce-certificatePolicies", + }; + pub const ID_CE_DELTA_CRL_INDICATOR: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.27"), + name: "id-ce-deltaCRLIndicator", + }; + pub const ID_CE_FRESHEST_CRL: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.46"), + name: "id-ce-freshestCRL", + }; + pub const ID_CE_HOLD_INSTRUCTION_CODE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.23"), + name: "id-ce-holdInstructionCode", + }; + pub const ID_CE_INHIBIT_ANY_POLICY: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.54"), + name: "id-ce-inhibitAnyPolicy", + }; + pub const ID_CE_INVALIDITY_DATE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.24"), + name: "id-ce-invalidityDate", + }; + pub const ID_CE_ISSUER_ALT_NAME: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.18"), + name: "id-ce-issuerAltName", + }; + pub const ID_CE_ISSUING_DISTRIBUTION_POINT: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.28"), + name: "id-ce-issuingDistributionPoint", + }; + pub const ID_CE_KEY_USAGE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.15"), + name: "id-ce-keyUsage", + }; + pub const ID_CE_NAME_CONSTRAINTS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.30"), + name: "id-ce-nameConstraints", + }; + pub const ID_CE_NO_REV_AVAIL: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.56"), + name: "id-ce-noRevAvail", + }; + pub const ID_CE_POLICY_CONSTRAINTS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.36"), + name: "id-ce-policyConstraints", + }; + pub const ID_CE_POLICY_MAPPINGS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.33"), + name: "id-ce-policyMappings", + }; + pub const ID_CE_PRIVATE_KEY_USAGE_PERIOD: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.16"), + name: "id-ce-privateKeyUsagePeriod", + }; + pub const ID_CE_SUBJECT_ALT_NAME: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.17"), + name: "id-ce-subjectAltName", + }; + pub const ID_CE_SUBJECT_DIRECTORY_ATTRIBUTES: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.9"), + name: "id-ce-subjectDirectoryAttributes", + }; + pub const ID_CE_SUBJECT_KEY_IDENTIFIER: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.14"), + name: "id-ce-subjectKeyIdentifier", + }; + pub const ID_CE_TARGET_INFORMATION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.5.29.55"), + name: "id-ce-targetInformation", + }; + pub const ID_CT_SCVP_CERT_VAL_REQUEST: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.10"), + name: "id-ct-scvp-certValRequest", + }; + pub const ID_CT_SCVP_CERT_VAL_RESPONSE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.11"), + name: "id-ct-scvp-certValResponse", + }; + pub const ID_CT_SCVP_VAL_POL_REQUEST: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.12"), + name: "id-ct-scvp-valPolRequest", + }; + pub const ID_CT_SCVP_VAL_POL_RESPONSE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.13"), + name: "id-ct-scvp-valPolResponse", + }; + pub const ID_DSA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.10040.4.1"), + name: "id-dsa", + }; + pub const ID_EC_DH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.1.12"), + name: "id-ecDH", + }; + pub const ID_EC_MQV: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.1.13"), + name: "id-ecMQV", + }; + pub const ID_EC_PUBLIC_KEY: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.10045.2.1"), + name: "id-ecPublicKey", + }; + pub const ID_KEY_EXCHANGE_ALGORITHM: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.2.1.1.22"), + name: "id-keyExchangeAlgorithm", + }; + pub const ID_MD_2: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.2.2"), + name: "id-md2", + }; + pub const ID_MD_5: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.2.5"), + name: "id-md5", + }; + pub const ID_MGF_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.8"), + name: "id-mgf1", + }; + pub const ID_P_SPECIFIED: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.9"), + name: "id-pSpecified", + }; + pub const ID_SHA_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.14.3.2.26"), + name: "id-sha1", + }; + pub const ID_SHA_224: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.2.4"), + name: "id-sha224", + }; + pub const ID_SHA_256: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.2.1"), + name: "id-sha256", + }; + pub const ID_SHA_384: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.2.2"), + name: "id-sha384", + }; + pub const ID_SHA_512: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("2.16.840.1.101.3.4.2.3"), + name: "id-sha512", + }; + pub const ID_SMIME: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16"), + name: "id-smime", + }; + pub const ID_STC_BUILD_AA_PATH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.17.4"), + name: "id-stc-build-aa-path", + }; + pub const ID_STC_BUILD_PKC_PATH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.17.1"), + name: "id-stc-build-pkc-path", + }; + pub const ID_STC_BUILD_STATUS_CHECKED_AA_PATH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.17.6"), + name: "id-stc-build-status-checked-aa-path", + }; + pub const ID_STC_BUILD_STATUS_CHECKED_PKC_PATH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.17.3"), + name: "id-stc-build-status-checked-pkc-path", + }; + pub const ID_STC_BUILD_VALID_AA_PATH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.17.5"), + name: "id-stc-build-valid-aa-path", + }; + pub const ID_STC_BUILD_VALID_PKC_PATH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.17.2"), + name: "id-stc-build-valid-pkc-path", + }; + pub const ID_STC_STATUS_CHECK_AC_AND_BUILD_STATUS_CHECKED_AA_PATH: crate::NamedOid<'_> = + crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.17.7"), + name: "id-stc-status-check-ac-and-build-status-checked-aa-path", + }; + pub const ID_SVP_BASIC_VAL_ALG: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.19.3"), + name: "id-svp-basicValAlg", + }; + pub const ID_SVP_DEFAULT_VAL_POLICY: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.19.1"), + name: "id-svp-defaultValPolicy", + }; + pub const ID_SVP_NAME_VAL_ALG: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.19.2"), + name: "id-svp-nameValAlg", + }; + pub const ID_SWB_AA_CERT_PATH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.18.5"), + name: "id-swb-aa-cert-path", + }; + pub const ID_SWB_AA_REVOCATION_INFO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.18.6"), + name: "id-swb-aa-revocation-info", + }; + pub const ID_SWB_AC_REVOCATION_INFO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.18.7"), + name: "id-swb-ac-revocation-info", + }; + pub const ID_SWB_PKC_BEST_CERT_PATH: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.18.1"), + name: "id-swb-pkc-best-cert-path", + }; + pub const ID_SWB_PKC_PUBLIC_KEY_INFO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.18.4"), + name: "id-swb-pkc-public-key-info", + }; + pub const ID_SWB_PKC_REVOCATION_INFO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.18.2"), + name: "id-swb-pkc-revocation-info", + }; + pub const ID_SWB_RELAYED_RESPONSES: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.18.9"), + name: "id-swb-relayed-responses", + }; + pub const MD_2_WITH_RSA_ENCRYPTION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.2"), + name: "md2WithRSAEncryption", + }; + pub const MD_5_WITH_RSA_ENCRYPTION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.4"), + name: "md5WithRSAEncryption", + }; + pub const PKCS_9: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9"), + name: "pkcs-9", + }; + pub const RSA_ENCRYPTION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.1"), + name: "rsaEncryption", + }; + pub const SECP_224_R_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.33"), + name: "secp224r1", + }; + pub const SECP_256_R_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.10045.3.1.7"), + name: "secp256r1", + }; + pub const SECP_384_R_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.34"), + name: "secp384r1", + }; + pub const SECP_521_R_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.35"), + name: "secp521r1", + }; + pub const SECT_163_K_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.1"), + name: "sect163k1", + }; + pub const SECT_163_R_2: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.15"), + name: "sect163r2", + }; + pub const SECT_233_K_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.26"), + name: "sect233k1", + }; + pub const SECT_233_R_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.27"), + name: "sect233r1", + }; + pub const SECT_283_K_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.16"), + name: "sect283k1", + }; + pub const SECT_283_R_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.17"), + name: "sect283r1", + }; + pub const SECT_409_K_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.36"), + name: "sect409k1", + }; + pub const SECT_409_R_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.37"), + name: "sect409r1", + }; + pub const SECT_571_K_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.38"), + name: "sect571k1", + }; + pub const SECT_571_R_1: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.132.0.39"), + name: "sect571r1", + }; + pub const SHA_1_WITH_RSA_ENCRYPTION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.5"), + name: "sha1WithRSAEncryption", + }; + pub const SHA_224_WITH_RSA_ENCRYPTION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.14"), + name: "sha224WithRSAEncryption", + }; + pub const SHA_256_WITH_RSA_ENCRYPTION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.11"), + name: "sha256WithRSAEncryption", + }; + pub const SHA_384_WITH_RSA_ENCRYPTION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.12"), + name: "sha384WithRSAEncryption", + }; + pub const SHA_512_WITH_RSA_ENCRYPTION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.1.13"), + name: "sha512WithRSAEncryption", + }; +} pub mod rfc6109 { pub const LDIF_LOCATION_URL: crate::NamedOid<'_> = crate::NamedOid { oid: crate::ObjectIdentifier::new("1.3.6.1.4.1.16572.2.2.6"), @@ -2733,6 +3346,260 @@ pub mod rfc6109 { name: "providerUnit", }; } +pub mod rfc6268 { + pub const ID_AA_BINARY_SIGNING_TIME: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2.46"), + name: "id-aa-binarySigningTime", + }; + pub const ID_AA_MULTIPLE_SIGNATURES: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.2.51"), + name: "id-aa-multipleSignatures", + }; + pub const ID_ALG_ZLIB_COMPRESS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.3.8"), + name: "id-alg-zlibCompress", + }; + pub const ID_CONTENT_TYPE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.3"), + name: "id-contentType", + }; + pub const ID_COUNTERSIGNATURE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.6"), + name: "id-countersignature", + }; + pub const ID_CT_AUTH_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.2"), + name: "id-ct-authData", + }; + pub const ID_CT_COMPRESSED_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.9"), + name: "id-ct-compressedData", + }; + pub const ID_CT_CONTENT_COLLECTION: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.19"), + name: "id-ct-contentCollection", + }; + pub const ID_CT_CONTENT_INFO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.6"), + name: "id-ct-contentInfo", + }; + pub const ID_CT_CONTENT_WITH_ATTRS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1.20"), + name: "id-ct-contentWithAttrs", + }; + pub const ID_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.1"), + name: "id-data", + }; + pub const ID_DIGESTED_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.5"), + name: "id-digestedData", + }; + pub const ID_ENCRYPTED_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.6"), + name: "id-encryptedData", + }; + pub const ID_ENVELOPED_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.3"), + name: "id-envelopedData", + }; + pub const ID_MESSAGE_DIGEST: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.4"), + name: "id-messageDigest", + }; + pub const ID_SIGNED_DATA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.7.2"), + name: "id-signedData", + }; + pub const ID_SIGNING_TIME: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.5"), + name: "id-signingTime", + }; +} +pub mod rfc7107 { + pub const ID_AA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.2"), + name: "id-aa", + }; + pub const ID_ALG: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.3"), + name: "id-alg", + }; + pub const ID_CAP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.11"), + name: "id-cap", + }; + pub const ID_CD: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.4"), + name: "id-cd", + }; + pub const ID_CT: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.1"), + name: "id-ct", + }; + pub const ID_CTI: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.6"), + name: "id-cti", + }; + pub const ID_EIT: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.10"), + name: "id-eit", + }; + pub const ID_MOD: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.0"), + name: "id-mod", + }; + pub const ID_PSKC: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.12"), + name: "id-pskc", + }; + pub const ID_SKD: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.8"), + name: "id-skd", + }; + pub const ID_SPQ: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.5"), + name: "id-spq", + }; + pub const ID_STI: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.9"), + name: "id-sti", + }; + pub const ID_TSP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.2.840.113549.1.9.16.7"), + name: "id-tsp", + }; +} +pub mod rfc7299 { + pub const ID_TEST: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.13"), + name: "id-TEST", + }; + pub const ID_ACA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.10"), + name: "id-aca", + }; + pub const ID_AD: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.48"), + name: "id-ad", + }; + pub const ID_ALG: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.6"), + name: "id-alg", + }; + pub const ID_BVAE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.19.3"), + name: "id-bvae", + }; + pub const ID_CCT: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.12"), + name: "id-cct", + }; + pub const ID_CET: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.15"), + name: "id-cet", + }; + pub const ID_CMC: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.7"), + name: "id-cmc", + }; + pub const ID_CMC_GLA_RR: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.7.99"), + name: "id-cmc-glaRR", + }; + pub const ID_CP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.14"), + name: "id-cp", + }; + pub const ID_DNVAE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.19.4"), + name: "id-dnvae", + }; + pub const ID_IT: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.4"), + name: "id-it", + }; + pub const ID_KP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.3"), + name: "id-kp", + }; + pub const ID_LOGO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.20"), + name: "id-logo", + }; + pub const ID_MOD: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.0"), + name: "id-mod", + }; + pub const ID_MR: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.22"), + name: "id-mr", + }; + pub const ID_NVAE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.19.2"), + name: "id-nvae", + }; + pub const ID_ON: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.8"), + name: "id-on", + }; + pub const ID_PDA: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.9"), + name: "id-pda", + }; + pub const ID_PE: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.1"), + name: "id-pe", + }; + pub const ID_PKIP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.5"), + name: "id-pkip", + }; + pub const ID_PKIX_OCSP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.48.1"), + name: "id-pkix-ocsp", + }; + pub const ID_PPL: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.21"), + name: "id-ppl", + }; + pub const ID_QCS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.11"), + name: "id-qcs", + }; + pub const ID_QT: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.2"), + name: "id-qt", + }; + pub const ID_REG_CTRL: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.5.1"), + name: "id-regCtrl", + }; + pub const ID_REG_INFO: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.5.2"), + name: "id-regInfo", + }; + pub const ID_RI: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.16"), + name: "id-ri", + }; + pub const ID_SCT: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.17"), + name: "id-sct", + }; + pub const ID_SKIS: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.23"), + name: "id-skis", + }; + pub const ID_SVP: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.19"), + name: "id-svp", + }; + pub const ID_SWB: crate::NamedOid<'_> = crate::NamedOid { + oid: crate::ObjectIdentifier::new("1.3.6.1.5.5.7.18"), + name: "id-swb", + }; +} pub mod rfc7532 { pub const FEDFS_ANNOTATION: crate::NamedOid<'_> = crate::NamedOid { oid: crate::ObjectIdentifier::new("1.3.6.1.4.1.31103.1.12"), @@ -3595,6 +4462,158 @@ pub const DB: super::Database<'static> = super::Database(&[ &rfc5280::ID_QT_CPS, &rfc5280::ID_QT_UNOTICE, &rfc5280::PKCS_9, + &rfc5911::DES_EDE_3_CBC, + &rfc5911::HMAC_SHA_1, + &rfc5911::ID_PBKDF_2, + &rfc5911::ID_AA_COMMUNITY_IDENTIFIERS, + &rfc5911::ID_AA_CONTENT_REFERENCE, + &rfc5911::ID_AA_DECRYPT_KEY_ID, + &rfc5911::ID_AA_ER_EXTERNAL, + &rfc5911::ID_AA_ER_INTERNAL, + &rfc5911::ID_AA_FIRMWARE_PACKAGE_ID, + &rfc5911::ID_AA_FIRMWARE_PACKAGE_INFO, + &rfc5911::ID_AA_IMPL_COMPRESS_ALGS, + &rfc5911::ID_AA_IMPL_CRYPTO_ALGS, + &rfc5911::ID_AA_ML_EXPAND_HISTORY, + &rfc5911::ID_AA_SIGNING_CERTIFICATE, + &rfc5911::ID_AA_SIGNING_CERTIFICATE_V_2, + &rfc5911::ID_AA_TARGET_HARDWARE_I_DS, + &rfc5911::ID_AA_WRAPPED_FIRMWARE_KEY, + &rfc5911::ID_AES_128_CBC, + &rfc5911::ID_AES_128_CCM, + &rfc5911::ID_AES_128_GCM, + &rfc5911::ID_AES_128_WRAP, + &rfc5911::ID_AES_192_CBC, + &rfc5911::ID_AES_192_CCM, + &rfc5911::ID_AES_192_GCM, + &rfc5911::ID_AES_192_WRAP, + &rfc5911::ID_AES_256_CBC, + &rfc5911::ID_AES_256_CCM, + &rfc5911::ID_AES_256_GCM, + &rfc5911::ID_AES_256_WRAP, + &rfc5911::ID_ALG_CMS_3_DE_SWRAP, + &rfc5911::ID_ALG_CMSRC_2_WRAP, + &rfc5911::ID_ALG_ESDH, + &rfc5911::ID_ALG_SSDH, + &rfc5911::ID_CAP_PREFER_BINARY_INSIDE, + &rfc5911::ID_CET_SKD_FAIL_INFO, + &rfc5911::ID_CMC_GLA_SKD_ALG_REQUEST, + &rfc5911::ID_CMC_GLA_SKD_ALG_RESPONSE, + &rfc5911::ID_CONTENT_TYPE, + &rfc5911::ID_COUNTERSIGNATURE, + &rfc5911::ID_CT_AUTH_DATA, + &rfc5911::ID_CT_CONTENT_INFO, + &rfc5911::ID_CT_FIRMWARE_LOAD_ERROR, + &rfc5911::ID_CT_FIRMWARE_LOAD_RECEIPT, + &rfc5911::ID_CT_FIRMWARE_PACKAGE, + &rfc5911::ID_DATA, + &rfc5911::ID_DIGESTED_DATA, + &rfc5911::ID_ENCRYPTED_DATA, + &rfc5911::ID_ENVELOPED_DATA, + &rfc5911::ID_MESSAGE_DIGEST, + &rfc5911::ID_ON_HARDWARE_MODULE_NAME, + &rfc5911::ID_SIGNED_DATA, + &rfc5911::ID_SIGNING_TIME, + &rfc5911::ID_SKD, + &rfc5911::LTANS, + &rfc5911::RC_2_CBC, + &rfc5911::SMIME_CAPABILITIES, + &rfc5912::NAME_COMP_ALG_SET, + &rfc5912::DHPUBLICNUMBER, + &rfc5912::DSA_WITH_SHA_1, + &rfc5912::DSA_WITH_SHA_224, + &rfc5912::DSA_WITH_SHA_256, + &rfc5912::ECDSA_WITH_SHA_224, + &rfc5912::ECDSA_WITH_SHA_256, + &rfc5912::ECDSA_WITH_SHA_384, + &rfc5912::ECDSA_WITH_SHA_512, + &rfc5912::ID_DH_BASED_MAC, + &rfc5912::ID_PASSWORD_BASED_MAC, + &rfc5912::ID_RSAES_OAEP, + &rfc5912::ID_RSASSA_PSS, + &rfc5912::ID_AT, + &rfc5912::ID_CE_AUTHORITY_KEY_IDENTIFIER, + &rfc5912::ID_CE_BASIC_CONSTRAINTS, + &rfc5912::ID_CE_CRL_NUMBER, + &rfc5912::ID_CE_CRL_REASONS, + &rfc5912::ID_CE_CERTIFICATE_ISSUER, + &rfc5912::ID_CE_CERTIFICATE_POLICIES, + &rfc5912::ID_CE_DELTA_CRL_INDICATOR, + &rfc5912::ID_CE_FRESHEST_CRL, + &rfc5912::ID_CE_HOLD_INSTRUCTION_CODE, + &rfc5912::ID_CE_INHIBIT_ANY_POLICY, + &rfc5912::ID_CE_INVALIDITY_DATE, + &rfc5912::ID_CE_ISSUER_ALT_NAME, + &rfc5912::ID_CE_ISSUING_DISTRIBUTION_POINT, + &rfc5912::ID_CE_KEY_USAGE, + &rfc5912::ID_CE_NAME_CONSTRAINTS, + &rfc5912::ID_CE_NO_REV_AVAIL, + &rfc5912::ID_CE_POLICY_CONSTRAINTS, + &rfc5912::ID_CE_POLICY_MAPPINGS, + &rfc5912::ID_CE_PRIVATE_KEY_USAGE_PERIOD, + &rfc5912::ID_CE_SUBJECT_ALT_NAME, + &rfc5912::ID_CE_SUBJECT_DIRECTORY_ATTRIBUTES, + &rfc5912::ID_CE_SUBJECT_KEY_IDENTIFIER, + &rfc5912::ID_CE_TARGET_INFORMATION, + &rfc5912::ID_CT_SCVP_CERT_VAL_REQUEST, + &rfc5912::ID_CT_SCVP_CERT_VAL_RESPONSE, + &rfc5912::ID_CT_SCVP_VAL_POL_REQUEST, + &rfc5912::ID_CT_SCVP_VAL_POL_RESPONSE, + &rfc5912::ID_DSA, + &rfc5912::ID_EC_DH, + &rfc5912::ID_EC_MQV, + &rfc5912::ID_EC_PUBLIC_KEY, + &rfc5912::ID_KEY_EXCHANGE_ALGORITHM, + &rfc5912::ID_MD_2, + &rfc5912::ID_MD_5, + &rfc5912::ID_MGF_1, + &rfc5912::ID_P_SPECIFIED, + &rfc5912::ID_SHA_1, + &rfc5912::ID_SHA_224, + &rfc5912::ID_SHA_256, + &rfc5912::ID_SHA_384, + &rfc5912::ID_SHA_512, + &rfc5912::ID_SMIME, + &rfc5912::ID_STC_BUILD_AA_PATH, + &rfc5912::ID_STC_BUILD_PKC_PATH, + &rfc5912::ID_STC_BUILD_STATUS_CHECKED_AA_PATH, + &rfc5912::ID_STC_BUILD_STATUS_CHECKED_PKC_PATH, + &rfc5912::ID_STC_BUILD_VALID_AA_PATH, + &rfc5912::ID_STC_BUILD_VALID_PKC_PATH, + &rfc5912::ID_STC_STATUS_CHECK_AC_AND_BUILD_STATUS_CHECKED_AA_PATH, + &rfc5912::ID_SVP_BASIC_VAL_ALG, + &rfc5912::ID_SVP_DEFAULT_VAL_POLICY, + &rfc5912::ID_SVP_NAME_VAL_ALG, + &rfc5912::ID_SWB_AA_CERT_PATH, + &rfc5912::ID_SWB_AA_REVOCATION_INFO, + &rfc5912::ID_SWB_AC_REVOCATION_INFO, + &rfc5912::ID_SWB_PKC_BEST_CERT_PATH, + &rfc5912::ID_SWB_PKC_PUBLIC_KEY_INFO, + &rfc5912::ID_SWB_PKC_REVOCATION_INFO, + &rfc5912::ID_SWB_RELAYED_RESPONSES, + &rfc5912::MD_2_WITH_RSA_ENCRYPTION, + &rfc5912::MD_5_WITH_RSA_ENCRYPTION, + &rfc5912::PKCS_9, + &rfc5912::RSA_ENCRYPTION, + &rfc5912::SECP_224_R_1, + &rfc5912::SECP_256_R_1, + &rfc5912::SECP_384_R_1, + &rfc5912::SECP_521_R_1, + &rfc5912::SECT_163_K_1, + &rfc5912::SECT_163_R_2, + &rfc5912::SECT_233_K_1, + &rfc5912::SECT_233_R_1, + &rfc5912::SECT_283_K_1, + &rfc5912::SECT_283_R_1, + &rfc5912::SECT_409_K_1, + &rfc5912::SECT_409_R_1, + &rfc5912::SECT_571_K_1, + &rfc5912::SECT_571_R_1, + &rfc5912::SHA_1_WITH_RSA_ENCRYPTION, + &rfc5912::SHA_224_WITH_RSA_ENCRYPTION, + &rfc5912::SHA_256_WITH_RSA_ENCRYPTION, + &rfc5912::SHA_384_WITH_RSA_ENCRYPTION, + &rfc5912::SHA_512_WITH_RSA_ENCRYPTION, &rfc6109::LDIF_LOCATION_URL, &rfc6109::LDIF_LOCATION_URL_OBJECT, &rfc6109::MAIL_RECEIPT, @@ -3604,6 +4623,68 @@ pub const DB: super::Database<'static> = super::Database(&[ &rfc6109::PROVIDER_CERTIFICATE_HASH, &rfc6109::PROVIDER_NAME, &rfc6109::PROVIDER_UNIT, + &rfc6268::ID_AA_BINARY_SIGNING_TIME, + &rfc6268::ID_AA_MULTIPLE_SIGNATURES, + &rfc6268::ID_ALG_ZLIB_COMPRESS, + &rfc6268::ID_CONTENT_TYPE, + &rfc6268::ID_COUNTERSIGNATURE, + &rfc6268::ID_CT_AUTH_DATA, + &rfc6268::ID_CT_COMPRESSED_DATA, + &rfc6268::ID_CT_CONTENT_COLLECTION, + &rfc6268::ID_CT_CONTENT_INFO, + &rfc6268::ID_CT_CONTENT_WITH_ATTRS, + &rfc6268::ID_DATA, + &rfc6268::ID_DIGESTED_DATA, + &rfc6268::ID_ENCRYPTED_DATA, + &rfc6268::ID_ENVELOPED_DATA, + &rfc6268::ID_MESSAGE_DIGEST, + &rfc6268::ID_SIGNED_DATA, + &rfc6268::ID_SIGNING_TIME, + &rfc7107::ID_AA, + &rfc7107::ID_ALG, + &rfc7107::ID_CAP, + &rfc7107::ID_CD, + &rfc7107::ID_CT, + &rfc7107::ID_CTI, + &rfc7107::ID_EIT, + &rfc7107::ID_MOD, + &rfc7107::ID_PSKC, + &rfc7107::ID_SKD, + &rfc7107::ID_SPQ, + &rfc7107::ID_STI, + &rfc7107::ID_TSP, + &rfc7299::ID_TEST, + &rfc7299::ID_ACA, + &rfc7299::ID_AD, + &rfc7299::ID_ALG, + &rfc7299::ID_BVAE, + &rfc7299::ID_CCT, + &rfc7299::ID_CET, + &rfc7299::ID_CMC, + &rfc7299::ID_CMC_GLA_RR, + &rfc7299::ID_CP, + &rfc7299::ID_DNVAE, + &rfc7299::ID_IT, + &rfc7299::ID_KP, + &rfc7299::ID_LOGO, + &rfc7299::ID_MOD, + &rfc7299::ID_MR, + &rfc7299::ID_NVAE, + &rfc7299::ID_ON, + &rfc7299::ID_PDA, + &rfc7299::ID_PE, + &rfc7299::ID_PKIP, + &rfc7299::ID_PKIX_OCSP, + &rfc7299::ID_PPL, + &rfc7299::ID_QCS, + &rfc7299::ID_QT, + &rfc7299::ID_REG_CTRL, + &rfc7299::ID_REG_INFO, + &rfc7299::ID_RI, + &rfc7299::ID_SCT, + &rfc7299::ID_SKIS, + &rfc7299::ID_SVP, + &rfc7299::ID_SWB, &rfc7532::FEDFS_ANNOTATION, &rfc7532::FEDFS_DESCR, &rfc7532::FEDFS_FSL,