One document matched: draft-ietf-smime-new-asn1-01.txt
Differences from draft-ietf-smime-new-asn1-00.txt
Network Working Group P. Hoffman
Internet-Draft VPN Consortium
Updates: 3370, 3565, 3851, 3852, J. Schaad
4108, 4998, 5035, 5083, 5084 Soaring Hawk Consulting
(if approved) July 10, 2008
Intended status: Standards Track
Expires: January 11, 2009
New ASN.1 Modules for CMS and S/MIME
draft-ietf-smime-new-asn1-01.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 11, 2009.
Copyright Notice
Copyright (C) The IETF Trust (2008).
Abstract
The Cryptographic Message Syntax (CMS) format, and many associated
formats, are expressed using ASN.1. The current ASN.1 modules
conform to the 1988 version of ASN.1. This document updates those
ASN.1 modules to conform to the 2002 version of ASN.1. There are no
bits-on-the-wire changes to any of the formats; this is simply a
Hoffman & Schaad Expires January 11, 2009 [Page 1]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
change to the syntax.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.1. More Modules To Be Added . . . . . . . . . . . . . . . 4
1.1.2. Algorithm Structure . . . . . . . . . . . . . . . . . 4
1.1.3. Module OIDs Changing . . . . . . . . . . . . . . . . . 4
2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 4
3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 12
4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 19
5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 19
6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 22
7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 32
8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 37
9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 39
10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 45
11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 46
12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 46
13. Security Considerations . . . . . . . . . . . . . . . . . . . 53
14. Normative References . . . . . . . . . . . . . . . . . . . . . 53
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 54
A.1. Changes between draft-hoffman-cms-new-asn1-00 and
draft-ietf-smime-new-asn1-00 . . . . . . . . . . . . . . . 55
A.2. Changes between draft-ietf-smime-new-asn1-00 and -01 . . . 55
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 55
Intellectual Property and Copyright Statements . . . . . . . . . . 56
Hoffman & Schaad Expires January 11, 2009 [Page 2]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
1. Introduction
Some developers would like the IETF to use the latest version of
ASN.1 in its standards. Most of the RFCs that relate to security
protocols still use ASN.1 from the 1988 standard, which has been
deprecated. This is particularly true for the standards that relate
to PKIX, CMS, and S/MIME.
This document updates the following RFCs to use ASN.1 modules that
conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all
the modules are updated; some are included to simply make the set
complete.
o RFC 3370, CMS Algorithms [RFC3370]
o RFC 3565, Use of AES in CMS [RFC3565]
o RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851]
o RFC 3852, CMS main [RFC3852]
o RFC 4108, Using CMS to Protect Firmware Packages [RFC4108]
o RFC 4998, Evidence Record Syntax (ERS) [RFC4998]
o RFC 5035, Enhanced Security Services (ESS) [RFC5035]
o RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]
o RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in
CMS [RFC5084]
o RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]
Note that some of the modules in this document get some of their
definitions from places different than the modules in the original
RFCs. The idea is that these modules, when combined with the modules
in [NEW-PKIX] can stand on their own and do not need to import
definitions from anywhere else.
The document also includes a module of common defintions called
"AlgorithmInformation". These definitions are used here and in
[NEW-PKIX].
Note that some of the modules here import definitions from the common
definitions module, "PKIX-CommonTypes", in [NEW-PKIX].
Hoffman & Schaad Expires January 11, 2009 [Page 3]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
1.1. Issues
This section will be removed before final publication.
1.1.1. More Modules To Be Added
There are many modules from standards-track RFCs that are not listed
in this document or the companion document on PKIX. We will discuss
with the two communities which modules are appropriate for the two
documents. We will also consider making "super-modules", individual
modules which might update multiple RFCs at one time. We may also
add objects to some of the modules.
1.1.2. Algorithm Structure
Algorithms are currently not defined here. We need to discuss what
structure we want for algorithm objects. Currently, we just do
"parameter, OID", but we could add more. Because we don't know what
the final structure is, the object sets in the various modules are
commented out. We will fix this before finishing this project.
1.1.3. Module OIDs Changing
The OIDs given in the modules in this version of the document are the
same as the OIDs from the original modules, even though some of the
modules have changed syntax. That is clearly incorrect. In a later
version of this document, we will change the OIDs for every changed
module.
2. ASN.1 Module AlgorithmInformation
This section contains a module that is imported by many other modules
in this document and in [NEW-PKIX]. This module does not come from
any existing RFC.
AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
DEFINITIONS ::=
BEGIN
EXPORTS ALL;
IMPORTS ;
-- Suggested prefixes for algorithm objects are:
--
Hoffman & Schaad Expires January 11, 2009 [Page 4]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- mda- Message Digest Algorithms
-- sa- Signature Algorithms
-- kta- Key Transport Algorithms (Asymetric)
-- kaa- Key Agreement Algorithms (Asymetric)
-- kwa- Key Wrap Algorithms (Symetric)
-- kda- Key Derivation Algorithms
-- maca- Message Authentication Code Algorithms
-- pk- Public Key
-- sea- Symmetric Encryption Algorithm
ParamOptions ::= ENUMERATED {
required, -- Parameters MUST be encoded in structure
preferedPresent, -- Parameters SHOULD be encoded in structure
preferedAbsent, -- Parameters SHOULD NOT be encoded in structure
absent, -- Parameters MUST NOT be encoded in structure
notPresent,
inheritable -- Parameters are inheritied if not present
}
-- DIGEST-ALGORITHM
--
-- Describes the basic information for ASN.1 and a digest
-- algorithm.
--
-- &id - contains the OID identifying the digest algorithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
--
-- Additional information such as the length of the hash could also
-- be encoded.
--
-- Example:
-- sha1 DIGEST-ALGORITHM ::= {
-- IDENTIFIER id-sha1
-- PARAM NULL
-- PARMS ARE preferedAbsent
-- }
DIGEST-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT required
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [&Params] [ARE ¶mPresence] ]
}
Hoffman & Schaad Expires January 11, 2009 [Page 5]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- SIGNATURE-ALGORITHM
--
-- Describes the basic properities of a signature algorithm
--
-- &id - contains the OID identifying the signature algoithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
-- &HashSet - The set of hash algorithms used with this
-- signature algoirthm
-- &PublicKeySet - the set of public key algorithms for this
-- signature algorithm
-- Example:
-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER id-RSASSA-PSS
-- PARAMS RSASSA-PSS-params
-- ARE required
-- HASH SET {sha1 | md5, ... }
-- PUBLIC KEY SET { pk-rsa | pk-rsa-pss }
-- }
SIGNATURE-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER,
&Params OPTIONAL,
&Value OPTIONAL,
¶mPresence ParamOptions DEFAULT required,
&HashSet DIGEST-ALGORITHM OPTIONAL,
&PublicKeySet PUBLIC-KEY OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[VALUE &Value]
[PARAMS [&Params] ARE ¶mPresence ]
[USES &HashSet]
[PUBKEYS &PublicKeySet]
}
-- PUBLIC-KEY
--
-- Describes the basic properities of a public key
--
-- &id - contains the OID identifying the public key
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
-- &KeyValue - contains the type for the key value
--
-- Could add information about the keyUsage bits
--
Hoffman & Schaad Expires January 11, 2009 [Page 6]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- Example:
-- pk-rsa-pss PUBLIC-KEY ::= {
-- IDENTIFIER id-RSASSA-PSS
-- KEY RSAPublicKey
-- HAS PARAMS RSASSA-PSS-params
-- PARAMS ARE optional
-- }
PUBLIC-KEY ::= CLASS {
&id OBJECT IDENTIFIER,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT required,
&KeyValue,
&PrivateKey OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
KEY &KeyValue
[PARAMS [&Params] ARE ¶mPresence]
[PRIVATE KEY &PrivateKey]
}
-- KEY-TRANSPORT
--
-- Describes the basic properities of a key transport algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
-- &PublicKeySet - specify which public keys are used with
-- this algorithm
--
-- Example:
-- rsaTransport KEY-TRANSPORT ::= {
-- &id rsaEncryption
-- &Params NULL
-- ¶mPresence required
-- &PublicKeySet { pk-rsa | pk-rsa-pss }
-- }
KEY-TRANSPORT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params,
¶mPresnce ParamOptions,
&PublicKeySet PUBLIC-KEY OPTIONAL
}
-- KEY-AGREE
Hoffman & Schaad Expires January 11, 2009 [Page 7]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
--
-- Describes the basic properities of a key agreement algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
-- &Ukm - type of user keying material used
-- &PublicKeySet - specify which public keys are used with
-- this algorithm
--
-- Additional items could be a restricted set of key wrap algoithms
--
-- Example:
-- dh-static-ephemerial KEY-TRANSPORT ::= {
-- &id id-alg-ESDH
-- &Params KeyWrapAlgorithm
-- ¶mPresence required
-- - - user key material is not ASN.1 encoded.
-- &PublicKeySet {
-- {IDENTIFIER dh-public-number KEY DHPublicKey
-- HASH PARAMS DHDomainParamters PARAMS ARE inheritable }
-- }
-- }
KEY-AGREE ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT required,
&Ukm OPTIONAL,
&PublicKeySet PUBLIC-KEY OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [&Params] ARE ¶mPresence]
[PUBLIC KEY &PublicKeySet]
[UKM &Ukm]
}
-- KEY-WRAP
--
-- Describes the basic properities of a key wrap algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
--
-- Example:
Hoffman & Schaad Expires January 11, 2009 [Page 8]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- cms3DESwrap KEY-WRAP ::= {
-- &id id-alg-CMS3DESwrap
-- &Params NULL
-- ¶mPresence required
-- }
KEY-WRAP ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT required
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [&Params] ARE ¶mPresence]
}
-- KEY-DERIVATION
--
-- Describes the basic properities of a key transport algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
--
-- Could add information about defaults for the derivation algorithm
-- such as PRFs
--
-- Example:
-- pbkdf2 KEY-DERIVATION ::= {
-- &id id-PBKF2
-- &Params PBKDF2-params
-- ¶mPresence required
-- }
KEY-DERIVATION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT required
} WITH SYNTAX {
IDENTIFIER &id
PARAMS [&Params] ARE ¶mPresence
}
-- BULK-ENCRYPTION
--
-- Describes the basic properities of a bulk encryption algorithm
--
-- &id - contains the OID identifying the key transport algorithm
Hoffman & Schaad Expires January 11, 2009 [Page 9]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
--
-- Example:
-- aes128 BULK-ENCRYPTION ::= {
-- &id id-aes128-CBC
-- &Params AES-IV
-- ¶mPresence required
-- }
BULK-ENCRYPTION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params,
¶mPresence ParamOptions DEFAULT required
} WITH SYNTAX {
OID &id
PARAMS &Params [ARE ¶mPresence]
}
-- MAC-ALGORITHM
--
-- Describes the basic properities of a key transport algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
--
-- It would make sense to also add minimum and maximum MAC lengths
--
-- Example:
-- hmac-sha1 MAC-ALGORITHM ::= {
-- &id hMAC-SHA1
-- &Params NULL
-- ¶mPresence perferedAbsent
-- }
MAC-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT required
} WITH SYNTAX {
OID &id
[PARAMS [&Params] [ARE ¶mPresence]]
}
-- CONTENT-ENCRYPTION
Hoffman & Schaad Expires January 11, 2009 [Page 10]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
--
-- Describes the basic properities of a symetric encryption
-- algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- ¶mPresence - parameter presence requirement
--
-- Example:
-- cms3DESwrap KEY-WRAP ::= {
-- &id id-alg-CMS3DESwrap
-- &Params NULL
-- ¶mPresence required
-- }
CONTENT-ENCRYPTION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT required
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [&Params] ARE ¶mPresence]
}
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL
}
-- ALGORITHM
--
-- Describes a generic algorithm identifier
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
--
-- This would be used for cases where an unknown algorithm is
-- used. One should consider using TYPE-IDENTIFIER in these cases.
ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id [PARAMS &Params]
Hoffman & Schaad Expires January 11, 2009 [Page 11]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
}
END
3. ASN.1 Module for RFC 3370
CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier
FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
--FROM PKIX-CommonTypes
-- {iso(1) identified-organization(3) dod(6) internet(1)
-- security(5) mechanisms(5) pkix(7) id-mod(0)
-- id-mod-pkixCommon(43) }
;
--
-- Create the object sets for each of the different type of signature
-- algorithms defined by this module.
--
-- Philosophy: Sean Turner raised the question about wheither theses
-- object sets should be defined as being extensible. My response is
-- as follows:
--
-- If the working group believes that this document would be updated
-- in the future for the definition of new algorithms, or that
-- this document would be updated to reference (and thus include)
-- new algorithms defined in other documents, then these object
-- sets need to be marked as extensible.
-- If the working group believes that new algorithms will be defined
-- by the creation of new documents, then these object sets do not
-- need to be extensible.
-- In either case, documents that are referencing these objects sets
Hoffman & Schaad Expires January 11, 2009 [Page 12]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- should probably be marked as being extensible in the location
-- they are being used. Thus in the main PKIX document you would
-- have
--
-- SIGNED{ToBeSigned} ::= SEQUENCE {
-- toBeSigned ToBeSigned,
-- algorithm AlgorithmIdentifier
-- {SIGNATURE-ALGORITHM, {Sa-PKIXAlgorithms, ...}},
-- signature BIT STRING
-- }
--
-- Future versions might include additional algorithm drafts and
-- use the line
-- algorithm AlgorithmIdentifier
-- {SIGNATURE-ALGORITHM,
-- {Sa-PKIXAlgorithms, ..., Sa-NewPKIXAlgorithms}},
--
-- Signature algorithms in this document
Sa-CMSAlgorithms SIGNATURE-ALGORITHM ::= {
sa-dsa-with-sha1 |
sa-md5WithRSAEncryption |
sa-sha1WithRSAEncryption }
-- Hash algorthms in this document
Mda-CMSAlgorithms DIGEST-ALGORITHM ::= { mda-md5 |
mda-sha1 }
-- Public Key Algorithms in this document
Pk-CMSAlgorithms PUBLIC-KEY ::= { pk-dsa | pk-rsa | pk-dh }
--
Kta-CMSAlgorithms KEY-TRANSPORT ::= {...}
-- Key Agreement Algorithms
Kaa-CMSAlgorithms KEY-AGREE ::= {kaa-esdh | kaa-ssdh}
-- Key Wrap Algorithms
Kwa-CMSAlgorithms KEY-WRAP ::= { ... }
-- Message Authenticaiton Code Algorithms
Hoffman & Schaad Expires January 11, 2009 [Page 13]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
Mac-CMSAlgorithms MAC-ALGORITHM ::= {...}
--
Cea-CMSAlgorithms CONTENT-ENCRYPTION ::= {...}
-- Algorithm Identifiers
sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
oiw(14) secsig(3) algorithm(2) 26 }
md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) digestAlgorithm(2) 5 }
id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
x9-57(10040) x9cm(4) 1 }
id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) x9-57(10040) x9cm(4) 3 }
rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }
md5WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }
sha1WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }
dh-public-number OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) ansi-x942(10046) number-type(2) 1 }
id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }
id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }
id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }
id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }
des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }
Hoffman & Schaad Expires January 11, 2009 [Page 14]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) encryptionAlgorithm(3) 2 }
hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }
id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-5(5) 12 }
-- Public Key Types
Dss-Pub-Key ::= INTEGER -- Y
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER } -- e
DHPublicKey ::= INTEGER -- y = g^x mod p
-- Signature Value Types
Dss-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER }
-- Algorithm Identifier Parameter Types
Dss-Parms ::= SEQUENCE {
p INTEGER,
q INTEGER,
g INTEGER }
DHDomainParameters ::= SEQUENCE {
p INTEGER, -- odd prime, p=jq +1
g INTEGER, -- generator, g
q INTEGER, -- factor of p-1
j INTEGER OPTIONAL, -- subgroup factor
validationParms ValidationParms OPTIONAL }
ValidationParms ::= SEQUENCE {
seed BIT STRING,
pgenCounter INTEGER }
KeyWrapAlgorithm ::=
AlgorithmIdentifier {KEY-WRAP, {Kwa-CMSAlgorithms }}
RC2wrapParameter ::= RC2ParameterVersion
Hoffman & Schaad Expires January 11, 2009 [Page 15]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
RC2ParameterVersion ::= INTEGER
CBCParameter ::= IV
IV ::= OCTET STRING -- exactly 8 octets
RC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (1..256),
iv OCTET STRING } -- exactly 8 octets
maca-hMAC-SHA1 MAC-ALGORITHM ::= {
OID hMAC-SHA1
PARAMS NULL ARE required
}
-- Another way to do the following would be:
-- alg-hMAC-SHA1 AlgorithmIdentifier{{PBKDF2-PRFs}} ::=
-- { algorithm hMAC-SHA1, parameters NULL:NULL }
PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
{PBKDF2-PRFs} }
alg-hMAC-SHA1 -- PBKDF2-PRFsAlgorithmIdentifier ::=
ALGORITHM ::=
{ IDENTIFIER hMAC-SHA1 PARAMS NULL }
PBKDF2-SaltSources ALGORITHM ::= { ... }
PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }
PBKDF2-SaltSourcesAlgorithmIdentifier ::=
AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}
defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
{ algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }
PBKDF2-params ::= SEQUENCE {
salt CHOICE {
specified OCTET STRING,
otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
iterationCount INTEGER (1..MAX),
keyLength INTEGER (1..MAX) OPTIONAL,
prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
defaultPBKDF2
}
mda-sha1 DIGEST-ALGORITHM ::= {
IDENTIFIER sha-1 PARAMS NULL ARE preferedAbsent }
Hoffman & Schaad Expires January 11, 2009 [Page 16]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
mda-md5 DIGEST-ALGORITHM ::= {
IDENTIFIER md5 PARAMS NULL ARE preferedAbsent }
pk-dsa PUBLIC-KEY ::= {
IDENTIFIER id-dsa
KEY Dss-Pub-Key
PARAMS Dss-Parms ARE inheritable
}
sa-dsa-with-sha1 SIGNATURE-ALGORITHM ::= {
IDENTIFIER id-dsa-with-sha1
VALUE Dss-Sig-Value
PARAMS Dss-Parms ARE inheritable
USES {mda-sha1}
PUBKEYS {pk-dsa}
}
pk-rsa PUBLIC-KEY ::= {
IDENTIFIER rsaEncryption
KEY RSAPublicKey
PARAMS NULL ARE required
}
sa-rsa SIGNATURE-ALGORITHM ::= {
IDENTIFIER rsaEncryption
-- value is not ASN.1 encoded
PARAMS NULL ARE required
USES {mda-sha1 | mda-md5, ...}
PUBKEYS { pk-rsa}
}
sa-sha1WithRSAEncryption SIGNATURE-ALGORITHM ::= {
IDENTIFIER sha1WithRSAEncryption
-- value is not ASN.1 encoded
PARAMS NULL ARE required
USES {mda-sha1}
PUBKEYS {pk-rsa}
}
sa-md5WithRSAEncryption SIGNATURE-ALGORITHM ::= {
IDENTIFIER md5WithRSAEncryption
-- value is not ASN.1 encoded
PARAMS NULL ARE required
USES {mda-md5}
PUBKEYS {pk-rsa}
}
-- No ASN.1 encoding is applied to the signature value
Hoffman & Schaad Expires January 11, 2009 [Page 17]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- for these items
pk-dh PUBLIC-KEY ::= {
IDENTIFIER dh-public-number
KEY DHPublicKey
PARAMS DHDomainParameters ARE inheritable
}
kaa-esdh KEY-AGREE ::= {
IDENTIFIER id-alg-ESDH
PARAMS KeyWrapAlgorithm ARE required
PUBLIC KEY { pk-dh }
}
kaa-ssdh KEY-AGREE ::= {
IDENTIFIER id-alg-SSDH
PARAMS KeyWrapAlgorithm ARE required
PUBLIC KEY {pk-dh}
}
KeyTransportAlgorithms ALGORITHM ::= {...}
SymmetricKeyEncryptionAlgorthms KEY-WRAP ::=
{ kwa-3DESWrap | kwa-RC2Wrap }
kwa-3DESWrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMS3DESwrap PARAMS NULL ARE required
}
kwa-RC2Wrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMSRC2wrap PARAMS RC2wrapParameter ARE required
}
KeyDerivationAlgorithms KEY-DERIVATION ::= {
kda-PBKDF2}
kda-PBKDF2 KEY-DERIVATION ::= {
IDENTIFIER id-PBKDF2
PARAMS PBKDF2-params ARE required
}
ContentEncryptionAlgorthms ALGORITHM ::= {...}
END
Hoffman & Schaad Expires January 11, 2009 [Page 18]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
4. ASN.1 Module for RFC 3565
CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- AES information object identifiers --
aes OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
csor(3) nistAlgorithms(4) 1 }
-- AES using CBC-chaining mode for key sizes of 128, 192, 256
id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }
-- AES-IV is a the parameter for all the above object identifiers.
AES-IV ::= OCTET STRING (SIZE(16))
-- AES Key Wrap Algorithm Identifiers - Parameter is absent
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
END
5. ASN.1 Module for RFC 3851
SecureMimeMessageV3dot1
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) msg-v3dot1(21) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier,
CMS-ATTRIBUTE
FROM CryptographicMessageSyntax2004
Hoffman & Schaad Expires January 11, 2009 [Page 19]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) }
rc2-cbc
FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) };
SMimeAttributeSet CMS-ATTRIBUTE ::=
{ attr-smimeCapabilities | attr-encrypKeyPref }
-- id-aa is the arc with all new authenticated and unauthenticated
-- attributes produced the by S/MIME Working Group
id-aa OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) attributes(2)}
-- S/MIME Capabilities provides a method of broadcasting the symmetric
-- capabilities understood. Algorithms SHOULD be ordered by
-- preference and grouped by type
attr-smimeCapabilities CMS-ATTRIBUTE ::=
{ TYPE SMIMECapabilities IDENTIFIED BY smimeCapabilities }
smimeCapabilities OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
15 }
SMIME-CAPS ::= CLASS {
&Type OPTIONAL,
&id OBJECT IDENTIFIER UNIQUE
}
WITH SYNTAX {TYPE &Type IDENTIFIED BY &id }
SMIMECapability ::= SEQUENCE {
capabilityID SMIME-CAPS.
&id({SMimeCapsSet}),
parameters SMIME-CAPS.
&Type({SMimeCapsSet}{@capabilityID}) OPTIONAL
}
SMimeCapsSet SMIME-CAPS ::=
{ cap-preferBinaryInside | cap-RC2CBC, ... }
SMIMECapabilities ::= SEQUENCE OF SMIMECapability
Hoffman & Schaad Expires January 11, 2009 [Page 20]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- Encryption Key Preference provides a method of broadcasting the
-- preferred encryption certificate.
attr-encrypKeyPref CMS-ATTRIBUTE ::=
{ TYPE SMIMEEncryptionKeyPreference
IDENTIFIED BY id-aa-encrypKeyPref }
id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}
SMIMEEncryptionKeyPreference ::= CHOICE {
issuerAndSerialNumber [0] IssuerAndSerialNumber,
receipentKeyId [1] RecipientKeyIdentifier,
subjectAltKeyIdentifier [2] SubjectKeyIdentifier
}
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
id-cap OBJECT IDENTIFIER ::= { id-smime 11 }
-- The preferBinaryInside indicates an ability to receive messages
-- with binary encoding inside the CMS wrapper
cap-preferBinaryInside SMIME-CAPS ::=
{ TYPE NULL IDENTIFIED BY id-cap-preferBinaryInside }
id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }
-- The following list the OIDs to be used with S/MIME V3
-- Signature Algorithms Not Found in [CMSALG]
--
-- md2WithRSAEncryption OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
-- 2}
--
-- Other Signed Attributes
--
-- signingTime OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
-- 5}
-- See [CMS] for a description of how to encode the attribute
-- value.
cap-RC2CBC SMIME-CAPS ::=
{ TYPE SMIMECapabilitiesParametersForRC2CBC
IDENTIFIED BY rc2-cbc}
SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
Hoffman & Schaad Expires January 11, 2009 [Page 21]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- (RC2 Key Length (number of bits))
END
6. ASN.1 Module for RFC 3852
This module has an ASN.1 idiom for noting in which version of CMS
changes were made from the original PKCS #10; that idiom is "[[v:",
where "v" is an integer. For example:
RevocationInfoChoice ::= CHOICE {
crl CertificateList,
...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
Similarly, this module adds the ASN.1 idiom for extensiblity (the
"...,") in all places that have been extended in the past. See the
example above.
CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier
FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
Sa-CMSAlgorithms, Mda-CMSAlgorithms, Kaa-CMSAlgorithms,
Mac-CMSAlgorithms, Kwa-CMSAlgorithms, Cea-CMSAlgorithms,
Kta-CMSAlgorithms
FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) }
Certificate, CertificateList, CertificateSerialNumber,
Name, ATTRIBUTE
FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6) internet(1)
Hoffman & Schaad Expires January 11, 2009 [Page 22]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18) }
AttributeCertificate
FROM PKIXAttributeCertificate
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-attribute-cert(12) }
AttributeCertificateV1
FROM AttributeCertificateVersion1
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) v1AttrCert(15) } ;
-- Cryptographic Message Syntax
-- The following are used for version numbers using the ASN.1
-- idiom "[[n:"
-- Version 1 = PKCS #7
-- Version 2 = S/MIME V2
-- Version 3 = RFC 2630
-- Version 4 = RFC 3369
-- Version 5 = RFC 3852
CONTENT-TYPE ::= TYPE-IDENTIFIER
ContentType ::= CONTENT-TYPE.&id
ContentInfo ::= SEQUENCE {
contentType CONTENT-TYPE.
&id({ContentSet}),
content [0] EXPLICIT CONTENT-TYPE.
&Type({ContentSet}{@contentType})}
ContentSet CONTENT-TYPE ::= {
-- Define the set of content types to be recognized.
ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
ct-AuthenticatedData | ct-DigestedData, ... }
SignedData ::= SEQUENCE {
version CMSVersion,
digestAlgorithms SET OF DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos }
SignerInfos ::= SET OF SignerInfo
Hoffman & Schaad Expires January 11, 2009 [Page 23]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
EncapsulatedContentInfo ::= SEQUENCE {
eContentType CONTENT-TYPE.&id({ContentSet}),
eContent [0] EXPLICIT OCTET STRING
( CONTAINING CONTENT-TYPE.
&Type({ContentSet}{@eContentType})) OPTIONAL }
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT Attributes
{{UnsignedAttributes}} OPTIONAL }
SignedAttributes ::= Attributes {{ SignedAttributesSet }}
SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
...,
[[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
SignedAttributesSet CMS-ATTRIBUTE ::=
{ attr-signingTime | attr-messageDigest | attr-contentType, ... }
UnsignedAttributes CMS-ATTRIBUTE ::= { attr-countersignature, ... }
SignatureValue ::= OCTET STRING
EnvelopedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo,
...,
[[2: unprotectedAttrs [1] IMPLICIT Attributes
{{ UnprotectedAttributes }} OPTIONAL ]] }
OriginatorInfo ::= SEQUENCE {
certs [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }
RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
EncryptedContentInfo ::= SEQUENCE {
contentType CONTENT-TYPE.&id({ContentSet}),
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
Hoffman & Schaad Expires January 11, 2009 [Page 24]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }
-- If you want to do constraints, you might use:
-- EncryptedContentInfo ::= SEQUENCE {
-- contentType CONTENT-TYPE.&id({ContentSet}),
-- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
-- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
-- &Type({ContentSet}{@contentType}) OPTIONAL }
-- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
-- { ToBeEncrypted } )
UnprotectedAttributes CMS-ATTRIBUTE ::= { ... }
RecipientInfo ::= CHOICE {
ktri KeyTransRecipientInfo,
...,
[[3: kari [1] KeyAgreeRecipientInfo ]],
[[4: kekri [2] KEKRecipientInfo]],
[[5: pwri [3] PasswordRecipientInfo,
ori [4] OtherRecipientInfo ]] }
EncryptedKey ::= OCTET STRING
KeyTransRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0 or 2
rid RecipientIdentifier,
keyEncryptionAlgorithm AlgorithmIdentifier
{KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
encryptedKey EncryptedKey }
KeyTransportAlgorithmSet KEY-TRANSPORT ::= { Kta-CMSAlgorithms, ... }
RecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
...,
[[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
KeyAgreeRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 3
originator [0] EXPLICIT OriginatorIdentifierOrKey,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
keyEncryptionAlgorithm AlgorithmIdentifier
{KEY-AGREE, {KeyAgreementAlgorithmSet}},
recipientEncryptedKeys RecipientEncryptedKeys }
KeyAgreementAlgorithmSet KEY-AGREE ::= { Kaa-CMSAlgorithms, ... }
OriginatorIdentifierOrKey ::= CHOICE {
Hoffman & Schaad Expires January 11, 2009 [Page 25]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier,
originatorKey [1] OriginatorPublicKey }
OriginatorPublicKey ::= SEQUENCE {
algorithm AlgorithmIdentifier {PUBLIC-KEY, {...}},
publicKey BIT STRING }
RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
RecipientEncryptedKey ::= SEQUENCE {
rid KeyAgreeRecipientIdentifier,
encryptedKey EncryptedKey }
KeyAgreeRecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
rKeyId [0] IMPLICIT RecipientKeyIdentifier }
RecipientKeyIdentifier ::= SEQUENCE {
subjectKeyIdentifier SubjectKeyIdentifier,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
SubjectKeyIdentifier ::= OCTET STRING
KEKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 4
kekid KEKIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
KEKIdentifier ::= SEQUENCE {
keyIdentifier OCTET STRING,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
PasswordRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0
keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
OPTIONAL,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
OTHER-RECIPIENT ::= TYPE-IDENTIFIER
OtherRecipientInfo ::= SEQUENCE {
oriType OTHER-RECIPIENT.
&id({SupportedOtherRecipInfo}),
Hoffman & Schaad Expires January 11, 2009 [Page 26]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
oriValue OTHER-RECIPIENT.
&Type({SupportedOtherRecipInfo}{@oriType})}
SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }
DigestedData ::= SEQUENCE {
version CMSVersion,
digestAlgorithm DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo,
digest Digest }
Digest ::= OCTET STRING
EncryptedData ::= SEQUENCE {
version CMSVersion,
encryptedContentInfo EncryptedContentInfo,
...,
[[2: unprotectedAttrs [1] IMPLICIT Attributes
{{UnprotectedAttributes}} OPTIONAL ]] }
AuthenticatedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
macAlgorithm MessageAuthenticationCodeAlgorithm,
digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
encapContentInfo EncapsulatedContentInfo,
authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode,
unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{SupportedAttributes}}
UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{SupportedAttributes}}
MessageAuthenticationCode ::= OCTET STRING
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
{DIGEST-ALGORITHM, {DigestAlgorithmSet}}
DigestAlgorithmSet DIGEST-ALGORITHM ::= { Mda-CMSAlgorithms, ... }
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
{SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}
SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
Hoffman & Schaad Expires January 11, 2009 [Page 27]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
{ Sa-CMSAlgorithms, ... }
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-WRAP, {KeyEncryptionAlgorithmSet}}
KeyEncryptionAlgorithmSet KEY-WRAP ::= { Kwa-CMSAlgorithms, ... }
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}
ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
{ Cea-CMSAlgorithms, ... }
MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
{MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}
MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
{ Mac-CMSAlgorithms, ... }
KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-DERIVATION, {...}}
RevocationInfoChoices ::= SET OF RevocationInfoChoice
RevocationInfoChoice ::= CHOICE {
crl CertificateList,
...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
OTHER-REVOK-INFO ::= TYPE-IDENTIFIER
OtherRevocationInfoFormat ::= SEQUENCE {
otherRevInfoFormat OTHER-REVOK-INFO.
&id({SupportedOtherRevokInfo}),
otherRevInfo OTHER-REVOK-INFO.
&Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}
SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }
CertificateChoices ::= CHOICE {
certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate,
-- Obsolete
...,
[[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
-- Obsolete
[[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
[[5: other [3] IMPLICIT OtherCertificateFormat]] }
Hoffman & Schaad Expires January 11, 2009 [Page 28]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
AttributeCertificateV2 ::= AttributeCertificate
OTHER-CERT-FMT ::= TYPE-IDENTIFIER
OtherCertificateFormat ::= SEQUENCE {
otherCertFormat OTHER-CERT-FMT.
&id({SupportedCertFormats}),
otherCert OTHER-CERT-FMT.
&Type({SupportedCertFormats}{@otherCertFormat})}
SupportedCertFormats OTHER-CERT-FMT ::= { ... }
CertificateSet ::= SET OF CertificateChoices
IssuerAndSerialNumber ::= SEQUENCE {
issuer Name,
serialNumber CertificateSerialNumber }
CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
UserKeyingMaterial ::= OCTET STRING
KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
OtherKeyAttribute ::= SEQUENCE {
keyAttrId KEY-ATTRIBUTE.
&id({SupportedKeyAttributes}),
keyAttr KEY-ATTRIBUTE.
&Type({SupportedKeyAttributes}{@keyAttrId})}
SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }
-- Content Type Object Identifiers
id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }
ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}
id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
ct-SignedData CONTENT-TYPE ::=
{ SignedData IDENTIFIED BY id-signedData}
id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
Hoffman & Schaad Expires January 11, 2009 [Page 29]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
ct-EnvelopedData CONTENT-TYPE ::=
{ EnvelopedData IDENTIFIED BY id-envelopedData}
id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }
ct-DigestedData CONTENT-TYPE ::=
{ DigestedData IDENTIFIED BY id-digestedData}
id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }
ct-EncryptedData CONTENT-TYPE ::=
{ EncryptedData IDENTIFIED BY id-encryptedData}
id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
ct-AuthenticatedData CONTENT-TYPE ::=
{ AuthenticatedData IDENTIFIED BY id-ct-authData}
id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }
-- The CMS Attributes
MessageDigest ::= OCTET STRING
SigningTime ::= Time
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
Countersignature ::= SignerInfo
-- Attribute Object Identifiers
attr-contentType CMS-ATTRIBUTE ::=
{ TYPE ContentType IDENTIFIED BY id-contentType }
id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }
attr-messageDigest CMS-ATTRIBUTE ::=
{ TYPE MessageDigest IDENTIFIED BY id-messageDigest}
id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
Hoffman & Schaad Expires January 11, 2009 [Page 30]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }
attr-signingTime CMS-ATTRIBUTE ::=
{ TYPE SigningTime IDENTIFIED BY id-signingTime }
id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
attr-countersignature CMS-ATTRIBUTE ::=
{ TYPE Countersignature IDENTIFIED BY id-countersignature }
id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
-- Obsolete Extended Certificate syntax from PKCS#6
ExtendedCertificateOrCertificate ::= CHOICE {
certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate }
ExtendedCertificate ::= SEQUENCE {
extendedCertificateInfo ExtendedCertificateInfo,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature Signature }
ExtendedCertificateInfo ::= SEQUENCE {
version CMSVersion,
certificate Certificate,
attributes UnauthAttributes }
Signature ::= BIT STRING
-- Class definitions used in the module
CMS-ATTRIBUTE ::= ATTRIBUTE
Attribute{ CMS-ATTRIBUTE:AttrList } ::= SEQUENCE {
attrType CMS-ATTRIBUTE.
&id({AttrList}),
attrValues SET OF CMS-ATTRIBUTE.
&Type({AttrList}{@attrType}) }
SupportedAttributes CMS-ATTRIBUTE ::= { ... }
Attributes { CMS-ATTRIBUTE:AttrList } ::=
SET SIZE (1..MAX) OF Attribute {{ AttrList }}
END
Hoffman & Schaad Expires January 11, 2009 [Page 31]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
7. ASN.1 Module for RFC 4108
CMSFirmwareWrapper
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-firmware-wrap(22) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
OTHER-NAME
FROM PKIX1Implicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }
EnvelopedData, CONTENT-TYPE, CMS-ATTRIBUTE
FROM CryptographicMessageSyntax
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) };
FirmwareContentTypes CONTENT-TYPE ::= {
ct-firmwarePackage | ct-firmwareLoadReceipt |
ct-firmwareLoadError }
FirmwareSignedAttrs CMS-ATTRIBUTE ::= {
aa-firmwarePackageID | aa-targetHardwareIDs |
aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
aa-communityIdentifiers | aa-firmwarePackageInfo }
FirmwareUnsignedAttrs CMS-ATTRIBUTE ::= {
aa-wrappedFirmwareKey }
FirmwareOtherNames OTHER-NAME ::= {
on-hardwareModuleName }
-- Firmware Package Content Type and Object Identifier
ct-firmwarePackage CONTENT-TYPE ::=
{ FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }
id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 16 }
FirmwarePkgData ::= OCTET STRING
-- Firmware Package Signed Attributes and Object Identifiers
Hoffman & Schaad Expires January 11, 2009 [Page 32]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
aa-firmwarePackageID CMS-ATTRIBUTE ::=
{ TYPE FirmwarePackageIdentifier IDENTIFIED BY
id-aa-firmwarePackageID }
id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 35 }
FirmwarePackageIdentifier ::= SEQUENCE {
name PreferredOrLegacyPackageIdentifier,
stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }
PreferredOrLegacyPackageIdentifier ::= CHOICE {
preferred PreferredPackageIdentifier,
legacy OCTET STRING }
PreferredPackageIdentifier ::= SEQUENCE {
fwPkgID OBJECT IDENTIFIER,
verNum INTEGER (0..MAX) }
PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
preferredStaleVerNum INTEGER (0..MAX),
legacyStaleVersion OCTET STRING }
aa-targetHardwareIDs CMS-ATTRIBUTE ::=
{ TYPE TargetHardwareIdentifiers IDENTIFIED BY
id-aa-targetHardwareIDs }
id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 36 }
TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER
aa-decryptKeyID CMS-ATTRIBUTE ::=
{ TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}
id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 37 }
DecryptKeyIdentifier ::= OCTET STRING
aa-implCryptoAlgs CMS-ATTRIBUTE ::=
{ TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
id-aa-implCryptoAlgs }
id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
Hoffman & Schaad Expires January 11, 2009 [Page 33]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 38 }
ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER
aa-implCompressAlgs CMS-ATTRIBUTE ::=
{ TYPE ImplementedCompressAlgorithms IDENTIFIED BY
id-aa-implCompressAlgs }
id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 43 }
ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER
aa-communityIdentifiers CMS-ATTRIBUTE ::=
{ TYPE CommunityIdentifiers IDENTIFIED BY
id-aa-communityIdentifiers }
id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 40 }
CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier
CommunityIdentifier ::= CHOICE {
communityOID OBJECT IDENTIFIER,
hwModuleList HardwareModules }
HardwareModules ::= SEQUENCE {
hwType OBJECT IDENTIFIER,
hwSerialEntries SEQUENCE OF HardwareSerialEntry }
HardwareSerialEntry ::= CHOICE {
all NULL,
single OCTET STRING,
block SEQUENCE {
low OCTET STRING,
high OCTET STRING } }
aa-firmwarePackageInfo CMS-ATTRIBUTE ::=
{ TYPE FirmwarePackageInfo IDENTIFIED BY
id-aa-firmwarePackageInfo }
id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 42 }
Hoffman & Schaad Expires January 11, 2009 [Page 34]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
FirmwarePackageInfo ::= SEQUENCE {
fwPkgType INTEGER OPTIONAL,
dependencies SEQUENCE OF
PreferredOrLegacyPackageIdentifier OPTIONAL }
-- Firmware Package Unsigned Attributes and Object Identifiers
aa-wrappedFirmwareKey CMS-ATTRIBUTE ::=
{ TYPE WrappedFirmwareKey IDENTIFIED BY
id-aa-wrappedFirmwareKey }
id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 39 }
WrappedFirmwareKey ::= EnvelopedData
-- Firmware Package Load Receipt Content Type and Object Identifier
ct-firmwareLoadReceipt CONTENT-TYPE ::=
{ FirmwarePackageLoadReceipt IDENTIFIED BY
id-ct-firmwareLoadReceipt }
id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 17 }
FirmwarePackageLoadReceipt ::= SEQUENCE {
version FWReceiptVersion DEFAULT v1,
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING,
fwPkgName PreferredOrLegacyPackageIdentifier,
trustAnchorKeyID OCTET STRING OPTIONAL,
decryptKeyID [1] OCTET STRING OPTIONAL }
FWReceiptVersion ::= INTEGER { v1(1) }
-- Firmware Package Load Error Report Content Type
-- and Object Identifier
ct-firmwareLoadError CONTENT-TYPE ::=
{ FirmwarePackageLoadError
IDENTIFIED BY id-ct-firmwareLoadError }
id-ct-firmwareLoadError OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 18 }
Hoffman & Schaad Expires January 11, 2009 [Page 35]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
FirmwarePackageLoadError ::= SEQUENCE {
version FWErrorVersion DEFAULT v1,
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING,
errorCode FirmwarePackageLoadErrorCode,
vendorErrorCode VendorLoadErrorCode OPTIONAL,
fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL,
config [1] SEQUENCE OF CurrentFWConfig OPTIONAL }
FWErrorVersion ::= INTEGER { v1(1) }
CurrentFWConfig ::= SEQUENCE {
fwPkgType INTEGER OPTIONAL,
fwPkgName PreferredOrLegacyPackageIdentifier }
FirmwarePackageLoadErrorCode ::= ENUMERATED {
decodeFailure (1),
badContentInfo (2),
badSignedData (3),
badEncapContent (4),
badCertificate (5),
badSignerInfo (6),
badSignedAttrs (7),
badUnsignedAttrs (8),
missingContent (9),
noTrustAnchor (10),
notAuthorized (11),
badDigestAlgorithm (12),
badSignatureAlgorithm (13),
unsupportedKeySize (14),
signatureFailure (15),
contentTypeMismatch (16),
badEncryptedData (17),
unprotectedAttrsPresent (18),
badEncryptContent (19),
badEncryptAlgorithm (20),
missingCiphertext (21),
noDecryptKey (22),
decryptFailure (23),
badCompressAlgorithm (24),
missingCompressedContent (25),
decompressFailure (26),
wrongHardware (27),
stalePackage (28),
notInCommunity (29),
unsupportedPackageType (30),
missingDependency (31),
wrongDependencyVersion (32),
Hoffman & Schaad Expires January 11, 2009 [Page 36]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
insufficientMemory (33),
badFirmware (34),
unsupportedParameters (35),
breaksDependency (36),
otherError (99) }
VendorLoadErrorCode ::= INTEGER
-- Other Name syntax for Hardware Module Name
on-hardwareModuleName OTHER-NAME ::=
{ HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }
id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) on(8) 4 }
HardwareModuleName ::= SEQUENCE {
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING }
END
8. ASN.1 Module for RFC 4998
ERS {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
id-mod-ers-v1(1) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
Attribute{}, AlgorithmIdentifier{}, ATTRIBUTE, ALGORITHM
FROM PKIX-CommonTypes
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }
ContentInfo, CMS-ATTRIBUTE
FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ;
ltans OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
Hoffman & Schaad Expires January 11, 2009 [Page 37]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
mechanisms(5) ltans(11) }
EvidenceRecord ::= SEQUENCE {
version INTEGER { v1(1) } ,
digestAlgorithms SEQUENCE OF AlgorithmIdentifier{{...}},
cryptoInfos [0] CryptoInfos OPTIONAL,
encryptionInfo [1] EncryptionInfo OPTIONAL,
archiveTimeStampSequence ArchiveTimeStampSequence
}
CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF Attribute{{...}}
ArchiveTimeStamp ::= SEQUENCE {
digestAlgorithm [0] AlgorithmIdentifier{{...}} OPTIONAL,
attributes [1] Attributes OPTIONAL,
reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
timeStamp ContentInfo
}
PartialHashtree ::= SEQUENCE OF OCTET STRING
Attributes ::= SET SIZE (1..MAX) OF Attribute{{...}}
ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp
ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain
EncryptionInfo ::= SEQUENCE {
encryptionInfoType ENCINFO-TYPE.
&id({SupportedEncryptionAlgorithms}),
encryptionInfoValue ENCINFO-TYPE.
&Type({SupportedEncryptionAlgorithms}
{@encryptionInfoType})
}
ENCINFO-TYPE ::= TYPE-IDENTIFIER
SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}
er-Internal CMS-ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
id-aa-er-internal OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 49 }
er-External CMS-ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
Hoffman & Schaad Expires January 11, 2009 [Page 38]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
id-aa-er-external OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 50 }
END
9. ASN.1 Module for RFC 5035
ExtendedSecurityServices-2006
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-ess-2006(30) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
Attribute{}, AlgorithmIdentifier{}, ATTRIBUTE, ALGORITHM
FROM PKIX-CommonTypes
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }
ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
CMS-ATTRIBUTE, CONTENT-TYPE
FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) }
CertificateSerialNumber
FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
PolicyInformation, GeneralNames
FROM PKIX1Implicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19)};
EssSignedAttributes CMS-ATTRIBUTE ::= {
aa-receiptRequest | aa-contentIdentifier | aa-contentHint |
aa-msgSigDigest | aa-contentReference | aa-securityLabel |
aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate |
aa-signingCertificateV2 }
EssContentTypes CONTENT-TYPE ::= { ct-receipt }
Hoffman & Schaad Expires January 11, 2009 [Page 39]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- Extended Security Services
-- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
-- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
-- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE
-- tp have at least one entry. MAX indicates the upper bound is
-- unspecified. Implementations are free to choose an upper bound
-- that suits their environment.
-- Section 2.7
aa-receiptRequest CMS-ATTRIBUTE ::=
{ TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}
ReceiptRequest ::= SEQUENCE {
signedContentIdentifier ContentIdentifier,
receiptsFrom ReceiptsFrom,
receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
}
ub-receiptsTo INTEGER ::= 16
id-aa-receiptRequest OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 1}
aa-contentIdentifier CMS-ATTRIBUTE ::=
{ TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}
ContentIdentifier ::= OCTET STRING
id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}
ct-receipt CONTENT-TYPE ::=
{ Receipt IDENTIFIED BY id-ct-receipt }
ReceiptsFrom ::= CHOICE {
allOrFirstTier [0] AllOrFirstTier,
-- formerly "allOrNone [0]AllOrNone"
receiptList [1] SEQUENCE OF GeneralNames }
AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
allReceipts (0),
firstTierRecipients (1) }
-- Section 2.8
Hoffman & Schaad Expires January 11, 2009 [Page 40]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
Receipt ::= SEQUENCE {
version ESSVersion,
contentType ContentType,
signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING }
id-ct-receipt OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-ct(1) 1}
ESSVersion ::= INTEGER { v1(1) }
-- Section 2.9
aa-contentHint CMS-ATTRIBUTE ::=
{ TYPE ContentHints IDENTIFIED BY id-aa-contentHint }
ContentHints ::= SEQUENCE {
contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
contentType ContentType }
id-aa-contentHint OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 4}
-- Section 2.10
aa-msgSigDigest CMS-ATTRIBUTE ::=
{ TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }
MsgSigDigest ::= OCTET STRING
id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}
-- Section 2.11
aa-contentReference CMS-ATTRIBUTE ::=
{ TYPE ContentReference IDENTIFIED BY id-aa-contentReference }
ContentReference ::= SEQUENCE {
contentType ContentType,
signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING }
id-aa-contentReference OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
Hoffman & Schaad Expires January 11, 2009 [Page 41]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
smime(16) id-aa(2) 10 }
-- Section 3.2
aa-securityLabel CMS-ATTRIBUTE ::=
{ TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }
ESSSecurityLabel ::= SET {
security-policy-identifier SecurityPolicyIdentifier,
security-classification SecurityClassification OPTIONAL,
privacy-mark ESSPrivacyMark OPTIONAL,
security-categories SecurityCategories OPTIONAL }
id-aa-securityLabel OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 2}
SecurityPolicyIdentifier ::= OBJECT IDENTIFIER
SecurityClassification ::= INTEGER {
unmarked (0),
unclassified (1),
restricted (2),
confidential (3),
secret (4),
top-secret (5)
} (0..ub-integer-options)
ub-integer-options INTEGER ::= 256
ESSPrivacyMark ::= CHOICE {
pString PrintableString (SIZE (1..ub-privacy-mark-length)),
utf8String UTF8String (SIZE (1..MAX))
}
ub-privacy-mark-length INTEGER ::= 128
SecurityCategories ::=
SET SIZE (1..ub-security-categories) OF SecurityCategory
ub-security-categories INTEGER ::= 64
SECURITY-CATEGORY ::= TYPE-IDENTIFIER
SecurityCategory ::= SEQUENCE {
type [0] SECURITY-CATEGORY.
&id({SupportedSecurityCategories}),
value [1] SECURITY-CATEGORY.
&Type({SupportedSecurityCategories}{@type})
Hoffman & Schaad Expires January 11, 2009 [Page 42]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
}
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
--Note: The aforementioned SecurityCategory syntax produces identical
--hex encodings as the following SecurityCategory syntax that is
--documented in the X.411 specification:
--
--SecurityCategory ::= SEQUENCE {
-- type [0] SECURITY-CATEGORY,
-- value [1] ANY DEFINED BY type }
--
--SECURITY-CATEGORY MACRO ::=
--BEGIN
--TYPE NOTATION ::= type | empty
--VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
--END
-- Section 3.4
aa-equivalentLabels CMS-ATTRIBUTE ::=
{ TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }
EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel
id-aa-equivalentLabels OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 9}
-- Section 4.4
aa-mlExpandHistory CMS-ATTRIBUTE ::=
{ TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }
MLExpansionHistory ::= SEQUENCE
SIZE (1..ub-ml-expansion-history) OF MLData
id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 3 }
ub-ml-expansion-history INTEGER ::= 64
MLData ::= SEQUENCE {
mailListIdentifier EntityIdentifier,
expansionTime GeneralizedTime,
mlReceiptPolicy MLReceiptPolicy OPTIONAL }
Hoffman & Schaad Expires January 11, 2009 [Page 43]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
EntityIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier SubjectKeyIdentifier }
MLReceiptPolicy ::= CHOICE {
none [0] NULL,
insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }
-- Section 5.4
aa-signingCertificate CMS-ATTRIBUTE ::=
{ TYPE SigningCertificate IDENTIFIED BY
id-aa-signingCertificate }
SigningCertificate ::= SEQUENCE {
certs SEQUENCE OF ESSCertID,
policies SEQUENCE OF PolicyInformation OPTIONAL
}
id-aa-signingCertificate OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 12 }
aa-signingCertificateV2 CMS-ATTRIBUTE ::=
{ TYPE SigningCertificateV2 IDENTIFIED BY
id-aa-signingCertificateV2 }
SigningCertificateV2 ::= SEQUENCE {
certs SEQUENCE OF ESSCertIDv2,
policies SEQUENCE OF PolicyInformation OPTIONAL
}
id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 47 }
id-sha256 OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) 1 }
HashAlgorithm ::= AlgorithmIdentifier{{...}}
ESSCertIDv2 ::= SEQUENCE {
hashAlgorithm HashAlgorithm
DEFAULT { algorithm id-sha256 },
certHash Hash,
issuerSerial IssuerSerial OPTIONAL
Hoffman & Schaad Expires January 11, 2009 [Page 44]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
}
ESSCertID ::= SEQUENCE {
certHash Hash,
issuerSerial IssuerSerial OPTIONAL
}
Hash ::= OCTET STRING
IssuerSerial ::= SEQUENCE {
issuer GeneralNames,
serialNumber CertificateSerialNumber
}
END
10. ASN.1 Module for RFC 5083
CMS-AuthEnvelopedData-2007
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
AuthAttributes, CMSVersion, EncryptedContentInfo,
MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
UnauthAttributes
FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } ;
id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) 23 }
AuthEnvelopedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
authEncryptedContentInfo EncryptedContentInfo,
authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode,
unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL }
END
Hoffman & Schaad Expires January 11, 2009 [Page 45]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
11. ASN.1 Module for RFC 5084
CMS-AES-CCM-and-AES-GCM
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- Object Identifiers
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }
id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }
id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }
id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }
id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }
id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }
id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }
-- Parameters for AigorithmIdentifier
CCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING (SIZE(7..13)),
aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }
AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)
GCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING, -- recommended size is 12 octets
aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }
AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
END
12. ASN.1 Module for RFC 5275
SMIMESymmetricKeyDistribution
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) symkeydist(12) }
DEFINITIONS IMPLICIT TAGS ::=
Hoffman & Schaad Expires January 11, 2009 [Page 46]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
BEGIN
IMPORTS
Attribute{}, AlgorithmIdentifier{}, Extensions{}, EXTENSION,
ATTRIBUTE, ALGORITHM
FROM PKIX-CommonTypes
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }
GeneralName
FROM PKIX1Implicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }
Certificate
FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
RecipientInfos, KEKIdentifier,CertificateSet
FROM CryptographicMessageSyntax2004
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) }
id-alg-CMS3DESwrap
FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) }
AttributeCertificate
FROM PKIXAttributeCertificate
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert(12) }
CMC-CONTROL
FROM EnrollmentMessageSyntax
{ iso(1) identified-organization(3) dod(4) internet(1) security(5)
mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002(23) };
-- This defines the GL symmetric key distribution object identifier
-- arc.
id-skd OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) skd(8) }
Hoffman & Schaad Expires January 11, 2009 [Page 47]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
ControlSet CMC-CONTROL ::= {
skd-glUseKEK | skd-glDelete | skd-glAddMember |
skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
skd-glRemoveOwner | skd-glKeyCompromise |
skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
skd-glManageCert | skd-glKey, ... }
-- This defines the GL Use KEK control attribute
skd-glUseKEK CMC-CONTROL ::=
{ GLUseKEK IDENTIFIED BY id-skd-glUseKEK }
id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1}
GLUseKEK ::= SEQUENCE {
glInfo GLInfo,
glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo,
glAdministration GLAdministration DEFAULT 1,
glKeyAttributes GLKeyAttributes OPTIONAL
}
GLInfo ::= SEQUENCE {
glName GeneralName,
glAddress GeneralName
}
GLOwnerInfo ::= SEQUENCE {
glOwnerName GeneralName,
glOwnerAddress GeneralName,
certificates Certificates OPTIONAL
}
GLAdministration ::= INTEGER {
unmanaged (0),
managed (1),
closed (2)
}
KeyWrapAlgorithm ::= AlgorithmIdentifier {{...}}
GLKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
duration [2] INTEGER DEFAULT 0,
generationCounter [3] INTEGER DEFAULT 2,
requestedAlgorithm [4] KeyWrapAlgorithm
DEFAULT {algorithm id-alg-CMS3DESwrap}
}
Hoffman & Schaad Expires January 11, 2009 [Page 48]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- This defines the Delete GL control attribute.
-- It has the simple type GeneralName.
skd-glDelete CMC-CONTROL ::=
{ DeleteGL IDENTIFIED BY id-skd-glDelete }
id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2}
DeleteGL ::= GeneralName
-- This defines the Add GL Member control attribute
skd-glAddMember CMC-CONTROL ::=
{ GLAddMember IDENTIFIED BY id-skd-glAddMember }
id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3}
GLAddMember ::= SEQUENCE {
glName GeneralName,
glMember GLMember
}
GLMember ::= SEQUENCE {
glMemberName GeneralName,
glMemberAddress GeneralName OPTIONAL,
certificates Certificates OPTIONAL
}
Certificates ::= SEQUENCE {
pKC [0] Certificate OPTIONAL,
-- See [PROFILE]
aC [1] SEQUENCE SIZE (1.. MAX) OF
AttributeCertificate OPTIONAL,
-- See [ACPROF]
certPath [2] CertificateSet OPTIONAL
-- From [CMS]
}
-- This defines the Delete GL Member control attribute
skd-glDeleteMember CMC-CONTROL ::=
{ GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember }
id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4}
GLDeleteMember ::= SEQUENCE {
glName GeneralName,
glMemberToDelete GeneralName
}
Hoffman & Schaad Expires January 11, 2009 [Page 49]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- This defines the Delete GL Member control attribute
skd-glRekey CMC-CONTROL ::=
{ GLRekey IDENTIFIED BY id-skd-glRekey }
id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5}
GLRekey ::= SEQUENCE {
glName GeneralName,
glAdministration GLAdministration OPTIONAL,
glNewKeyAttributes GLNewKeyAttributes OPTIONAL,
glRekeyAllGLKeys BOOLEAN OPTIONAL
}
GLNewKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN OPTIONAL,
recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL,
duration [2] INTEGER OPTIONAL,
generationCounter [3] INTEGER OPTIONAL,
requestedAlgorithm [4] AlgorithmIdentifier{{...}}
OPTIONAL
}
-- This defines the Add and Delete GL Owner control attributes
skd-glAddOwner CMC-CONTROL ::=
{ GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner }
id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6}
skd-glRemoveOwner CMC-CONTROL ::=
{ GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner }
id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7}
GLOwnerAdministration ::= SEQUENCE {
glName GeneralName,
glOwnerInfo GLOwnerInfo
}
-- This defines the GL Key Compromise control attribute.
-- It has the simple type GeneralName.
skd-glKeyCompromise CMC-CONTROL ::=
{ GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise }
id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8}
GLKCompromise ::= GeneralName
Hoffman & Schaad Expires January 11, 2009 [Page 50]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
-- This defines the GL Key Refresh control attribute.
skd-glkRefresh CMC-CONTROL ::=
{ GLKRefresh IDENTIFIED BY id-skd-glkRefresh }
id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9}
GLKRefresh ::= SEQUENCE {
glName GeneralName,
dates SEQUENCE SIZE (1..MAX) OF Date
}
Date ::= SEQUENCE {
start GeneralizedTime,
end GeneralizedTime OPTIONAL
}
-- This defines the GLA Query Request control attribute.
skd-glaQueryRequest CMC-CONTROL ::=
{ GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest }
id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11}
SKD-QUERY ::= TYPE-IDENTIFIER
SkdQuerySet SKD-QUERY ::= {...}
GLAQueryRequest ::= SEQUENCE {
glaRequestType SKD-QUERY.&id ({SkdQuerySet}),
glaRequestValue SKD-QUERY.
&Type ({SkdQuerySet}{@glaRequestType})
}
-- This defines the GLA Query Response control attribute.
skd-glaQueryResponse CMC-CONTROL ::=
{ GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse }
id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12}
SKD-RESPONSE ::= TYPE-IDENTIFIER
SkdResponseSet SKD-RESPONSE ::= {...}
GLAQueryResponse ::= SEQUENCE {
glaResponseType SKD-RESPONSE.
&id({SkdResponseSet}),
Hoffman & Schaad Expires January 11, 2009 [Page 51]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
glaResponseValue SKD-RESPONSE.
&Type({SkdResponseSet}{@glaResponseType})}
-- This defines the GLA Request/Response (glaRR) arc for
-- glaRequestType/glaResponseType.
id-cmc-glaRR OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cmc(7) glaRR(99) }
-- This defines the Algorithm Request
id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }
SKDAlgRequest ::= NULL
-- This defines the Algorithm Response
id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }
-- Note that the response for algorithmSupported request is the
-- smimeCapabilities attribute as defined in MsgSpec [MSG].
-- This defines the control attribute to request an updated
-- certificate to the GLA.
skd-glProvideCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glProvideCert }
id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}
GLManageCert ::= SEQUENCE {
glName GeneralName,
glMember GLMember
}
-- This defines the control attribute to return an updated
-- certificate to the GLA. It has the type GLManageCert.
skd-glManageCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glManageCert }
id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}
-- This defines the control attribute to distribute the GL shared
-- KEK.
skd-glKey CMC-CONTROL ::=
{ GLKey IDENTIFIED BY id-skd-glKey }
Hoffman & Schaad Expires January 11, 2009 [Page 52]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}
GLKey ::= SEQUENCE {
glName GeneralName,
glIdentifier KEKIdentifier, -- See [CMS]
glkWrapped RecipientInfos, -- See [CMS]
glkAlgorithm AlgorithmIdentifier{{...}},
glkNotBefore GeneralizedTime,
glkNotAfter GeneralizedTime
}
-- This defines the CMC error types
id-cet-skdFailInfo OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }
SKDFailInfo ::= INTEGER {
unspecified (0),
closedGL (1),
unsupportedDuration (2),
noGLACertificate (3),
invalidCert (4),
unsupportedAlgorithm (5),
noGLONameMatch (6),
invalidGLName (7),
nameAlreadyInUse (8),
noSpam (9),
deniedAccess (10),
alreadyAMember (11),
notAMember (12),
alreadyAnOwner (13),
notAnOwner (14) }
END
13. Security Considerations
Even though all the RFCs in this document are security-related, the
document itself does not have any security considerations. The ASN.1
modules keep the same bits-on-the-wire as the modules that they
replace.
14. Normative References
[ASN1-2002]
Hoffman & Schaad Expires January 11, 2009 [Page 53]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
ITU-T, "ITU-T Recommendation X.680 Information technology
[ETH] Abstract Syntax Notation One (ASN.1): Specification
of basic notation", ITU-T X.680, 2002.
[NEW-PKIX]
Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX",
draft-ietf-pkix-new-asn1 (work in progress),
December 2007.
[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002.
[RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax
(CMS)", RFC 3565, July 2003.
[RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail
Extensions (S/MIME) Version 3.1 Message Specification",
RFC 3851, July 2004.
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
RFC 3852, July 2004.
[RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to
Protect Firmware Packages", RFC 4108, August 2005.
[RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, "Evidence
Record Syntax (ERS)", RFC 4998, August 2007.
[RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update:
Adding CertID Algorithm Agility", RFC 5035, August 2007.
[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
Authenticated-Enveloped-Data Content Type", RFC 5083,
November 2007.
[RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated
Encryption in the Cryptographic Message Syntax (CMS)",
RFC 5084, November 2007.
[RFC5275] Turner, S., "CMS Symmetric Key Management and
Distribution", RFC 5275, June 2008.
Appendix A. Change History
[[ This entire section is to be removed upon publication. ]]
Hoffman & Schaad Expires January 11, 2009 [Page 54]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
A.1. Changes between draft-hoffman-cms-new-asn1-00 and
draft-ietf-smime-new-asn1-00
Changed the draft name.
Added RFC 3565,
Added RFC 4998.
Made RFCs-to-be 5083 and 5084 into RFCs.
In RFC 3370, a line in the comment staring with "Another way to
do..." was not commented out when it should have been.
In RFC 3851, the name of the module from which we are importing was
wrong, although the OID was right.
In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate
which version of CMS added the various extensions.
A.2. Changes between draft-ietf-smime-new-asn1-00 and -01
Added RFC 5275.
Added module for algorithm classes, and modified RFC 3370 and RFC
3852 to uses the classes defined.
Authors' Addresses
Paul Hoffman
VPN Consortium
127 Segre Place
Santa Cruz, CA 95060
US
Phone: 1-831-426-9827
Email: paul.hoffman@vpnc.org
Jim Schaad
Soaring Hawk Consulting
Email: jimsch@exmsft.com
Hoffman & Schaad Expires January 11, 2009 [Page 55]
Internet-Draft New ASN.1 for CMS and S/MIME July 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Hoffman & Schaad Expires January 11, 2009 [Page 56]
| PAFTECH AB 2003-2026 | 2026-04-23 02:41:39 |