pkixcmp -> cmp to make directory name consistent with filenames

svn path=/trunk/; revision=30473

7 files changed, 1240 insertions, 0 deletions

diff --git a/asn1/cmp/CMP.asn b/asn1/cmp/CMP.asn
new file mode 100644
index 0000000000..94e80dde5e
--- /dev/null
+++ b/asn1/cmp/CMP.asn
@@ -0,0 +1,524 @@
+-- Extracted from RFC4210
+-- by Martin Peylo <martin.peylo@nsn.com>
+--
+-- Changes to the original ASN.1 source:
+--   - Commented out the import of UTF8String which is not needed
+--   - Commented out PKIBody/p10cr since PKCS-10 is not implemented
+--   - Uncommented the definitions for the OIDs used in InfoTypeAndValue
+--
+-- The copyright statement from the original description in RFC4211
+-- follows below:
+--
+-- Full Copyright Statement
+-- 
+--    Copyright (C) The Internet Society (2005).
+-- 
+--    This document is subject to the rights, licenses and restrictions
+--    contained in BCP 78, and except as set forth therein, the authors
+--    retain all their rights.
+-- 
+--    This document and the information contained herein are provided on an
+--    "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+--    OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+--    ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+--    INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+--    INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+--    WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+     PKIXCMP {iso(1) identified-organization(3)
+           dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+           id-mod(0) id-mod-cmp2000(16)}
+
+     DEFINITIONS EXPLICIT TAGS ::=
+
+     BEGIN
+
+     -- EXPORTS ALL --
+
+     IMPORTS
+
+         Certificate, CertificateList, Extensions, AlgorithmIdentifier --,
+         -- UTF8String 
+	 -- if required; otherwise, comment out
+                FROM PKIX1Explicit88 {iso(1) identified-organization(3)
+                dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+                id-mod(0) id-pkix1-explicit-88(1)}
+
+         GeneralName, KeyIdentifier
+                FROM PKIX1Implicit88 {iso(1) identified-organization(3)
+                dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+                id-mod(0) id-pkix1-implicit-88(2)}
+
+         CertTemplate, PKIPublicationInfo, EncryptedValue, CertId,
+         CertReqMessages
+                FROM PKIXCRMF-2005 {iso(1) identified-organization(3)
+                dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+                id-mod(0) id-mod-crmf2005(36)}
+
+         -- see also the behavioral clarifications to CRMF codified in
+         -- Appendix C of this specification
+
+         CertificationRequest
+                FROM PKCS-10 {iso(1) member-body(2)
+                              us(840) rsadsi(113549)
+                              pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)}
+
+         -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT
+         -- tags).  Alternatively, implementers may directly include
+         -- the [PKCS10] syntax in this module
+
+         ;
+
+   -- the rest of the module contains locally-defined OIDs and
+   -- constructs
+
+      CMPCertificate ::= CHOICE {
+         x509v3PKCert        Certificate
+      }
+   -- This syntax, while bits-on-the-wire compatible with the
+   -- standard X.509 definition of "Certificate", allows the
+   -- possibility of future certificate types (such as X.509
+   -- attribute certificates, WAP WTLS certificates, or other kinds
+   -- of certificates) within this certificate management protocol,
+   -- should a need ever arise to support such generality.  Those
+   -- implementations that do not foresee a need to ever support
+   -- other certificate types MAY, if they wish, comment out the
+   -- above structure and "un-comment" the following one prior to
+   -- compiling this ASN.1 module.  (Note that interoperability
+   -- with implementations that don't do this will be unaffected by
+   -- this change.)
+
+   -- CMPCertificate ::= Certificate
+
+      PKIMessage ::= SEQUENCE {
+         header           PKIHeader,
+         body             PKIBody,
+         protection   [0] PKIProtection OPTIONAL,
+         extraCerts   [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+                          OPTIONAL
+     }
+
+     PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
+
+     PKIHeader ::= SEQUENCE {
+         pvno                INTEGER     { cmp1999(1), cmp2000(2) },
+         sender              GeneralName,
+         -- identifies the sender
+         recipient           GeneralName,
+         -- identifies the intended recipient
+         messageTime     [0] GeneralizedTime         OPTIONAL,
+         -- time of production of this message (used when sender
+         -- believes that the transport will be "suitable"; i.e.,
+         -- that the time will still be meaningful upon receipt)
+         protectionAlg   [1] AlgorithmIdentifier     OPTIONAL,
+         -- algorithm used for calculation of protection bits
+         senderKID       [2] KeyIdentifier           OPTIONAL,
+         recipKID        [3] KeyIdentifier           OPTIONAL,
+         -- to identify specific keys used for protection
+         transactionID   [4] OCTET STRING            OPTIONAL,
+         -- identifies the transaction; i.e., this will be the same in
+         -- corresponding request, response, certConf, and PKIConf
+         -- messages
+         senderNonce     [5] OCTET STRING            OPTIONAL,
+         recipNonce      [6] OCTET STRING            OPTIONAL,
+         -- nonces used to provide replay protection, senderNonce
+         -- is inserted by the creator of this message; recipNonce
+         -- is a nonce previously inserted in a related message by
+         -- the intended recipient of this message
+         freeText        [7] PKIFreeText             OPTIONAL,
+         -- this may be used to indicate context-specific instructions
+         -- (this field is intended for human consumption)
+         generalInfo     [8] SEQUENCE SIZE (1..MAX) OF
+                                InfoTypeAndValue     OPTIONAL
+         -- this may be used to convey context-specific information
+         -- (this field not primarily intended for human consumption)
+     }
+
+     PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
+         -- text encoded as UTF-8 String [RFC3629] (note: each
+         -- UTF8String MAY include an [RFC3066] language tag
+         -- to indicate the language of the contained text
+         -- see [RFC2482] for details)
+
+     PKIBody ::= CHOICE {       -- message-specific body elements
+         ir       [0]  CertReqMessages,        --Initialization Request
+         ip       [1]  CertRepMessage,         --Initialization Response
+         cr       [2]  CertReqMessages,        --Certification Request
+         cp       [3]  CertRepMessage,         --Certification Response
+         -- p10cr    [4]  CertificationRequest,   
+	   --imported from [PKCS10]
+         p10cr    [4]  NULL, -- added for Wireshark to avoid miscounting of the branch_taken
+         popdecc  [5]  POPODecKeyChallContent, --pop Challenge
+         popdecr  [6]  POPODecKeyRespContent,  --pop Response
+         kur      [7]  CertReqMessages,        --Key Update Request
+         kup      [8]  CertRepMessage,         --Key Update Response
+         krr      [9]  CertReqMessages,        --Key Recovery Request
+         krp      [10] KeyRecRepContent,       --Key Recovery Response
+         rr       [11] RevReqContent,          --Revocation Request
+         rp       [12] RevRepContent,          --Revocation Response
+         ccr      [13] CertReqMessages,        --Cross-Cert. Request
+         ccp      [14] CertRepMessage,         --Cross-Cert. Response
+         ckuann   [15] CAKeyUpdAnnContent,     --CA Key Update Ann.
+         cann     [16] CertAnnContent,         --Certificate Ann.
+         rann     [17] RevAnnContent,          --Revocation Ann.
+         crlann   [18] CRLAnnContent,          --CRL Announcement
+         pkiconf  [19] PKIConfirmContent,      --Confirmation
+         nested   [20] NestedMessageContent,   --Nested Message
+         genm     [21] GenMsgContent,          --General Message
+         genp     [22] GenRepContent,          --General Response
+         error    [23] ErrorMsgContent,        --Error Message
+         certConf [24] CertConfirmContent,     --Certificate confirm
+         pollReq  [25] PollReqContent,         --Polling request
+         pollRep  [26] PollRepContent          --Polling response
+     }
+
+     PKIProtection ::= BIT STRING
+
+     ProtectedPart ::= SEQUENCE {
+         header    PKIHeader,
+         body      PKIBody
+     }
+
+     id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
+     PBMParameter ::= SEQUENCE {
+         salt                OCTET STRING,
+         -- note:  implementations MAY wish to limit acceptable sizes
+         -- of this string to values appropriate for their environment
+         -- in order to reduce the risk of denial-of-service attacks
+         owf                 AlgorithmIdentifier,
+         -- AlgId for a One-Way Function (SHA-1 recommended)
+         iterationCount      INTEGER,
+         -- number of times the OWF is applied
+         -- note:  implementations MAY wish to limit acceptable sizes
+         -- of this integer to values appropriate for their environment
+         -- in order to reduce the risk of denial-of-service attacks
+         mac                 AlgorithmIdentifier
+         -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+     }   -- or HMAC [RFC2104, RFC2202])
+
+     id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
+     DHBMParameter ::= SEQUENCE {
+         owf                 AlgorithmIdentifier,
+         -- AlgId for a One-Way Function (SHA-1 recommended)
+         mac                 AlgorithmIdentifier
+         -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+     }   -- or HMAC [RFC2104, RFC2202])
+
+
+     NestedMessageContent ::= PKIMessages
+
+     PKIStatus ::= INTEGER {
+         accepted                (0),
+         -- you got exactly what you asked for
+         grantedWithMods        (1),
+         -- you got something like what you asked for; the
+         -- requester is responsible for ascertaining the differences
+         rejection              (2),
+         -- you don't get it, more information elsewhere in the message
+         waiting                (3),
+         -- the request body part has not yet been processed; expect to
+         -- hear more later (note: proper handling of this status
+         -- response MAY use the polling req/rep PKIMessages specified
+         -- in Section 5.3.22; alternatively, polling in the underlying
+         -- transport layer MAY have some utility in this regard)
+         revocationWarning      (4),
+         -- this message contains a warning that a revocation is
+         -- imminent
+         revocationNotification (5),
+         -- notification that a revocation has occurred
+         keyUpdateWarning       (6)
+         -- update already done for the oldCertId specified in
+         -- CertReqMsg
+     }
+
+     PKIFailureInfo ::= BIT STRING {
+     -- since we can fail in more than one way!
+     -- More codes may be added in the future if/when required.
+         badAlg              (0),
+         -- unrecognized or unsupported Algorithm Identifier
+         badMessageCheck     (1),
+         -- integrity check failed (e.g., signature did not verify)
+         badRequest          (2),
+         -- transaction not permitted or supported
+         badTime             (3),
+         -- messageTime was not sufficiently close to the system time,
+         -- as defined by local policy
+         badCertId           (4),
+         -- no certificate could be found matching the provided criteria
+         badDataFormat       (5),
+         -- the data submitted has the wrong format
+         wrongAuthority      (6),
+         -- the authority indicated in the request is different from the
+         -- one creating the response token
+         incorrectData       (7),
+         -- the requester's data is incorrect (for notary services)
+         missingTimeStamp    (8),
+         -- when the timestamp is missing but should be there
+         -- (by policy)
+         badPOP              (9),
+         -- the proof-of-possession failed
+         certRevoked         (10),
+            -- the certificate has already been revoked
+         certConfirmed       (11),
+            -- the certificate has already been confirmed
+         wrongIntegrity      (12),
+            -- invalid integrity, password based instead of signature or
+            -- vice versa
+         badRecipientNonce   (13),
+            -- invalid recipient nonce, either missing or wrong value
+         timeNotAvailable    (14),
+            -- the TSA's time source is not available
+         unacceptedPolicy    (15),
+            -- the requested TSA policy is not supported by the TSA.
+         unacceptedExtension (16),
+            -- the requested extension is not supported by the TSA.
+         addInfoNotAvailable (17),
+            -- the additional information requested could not be
+            -- understood or is not available
+         badSenderNonce      (18),
+            -- invalid sender nonce, either missing or wrong size
+         badCertTemplate     (19),
+            -- invalid cert. template or missing mandatory information
+         signerNotTrusted    (20),
+            -- signer of the message unknown or not trusted
+         transactionIdInUse  (21),
+            -- the transaction identifier is already in use
+         unsupportedVersion  (22),
+            -- the version of the message is not supported
+         notAuthorized       (23),
+            -- the sender was not authorized to make the preceding
+            -- request or perform the preceding action
+         systemUnavail       (24),
+         -- the request cannot be handled due to system unavailability
+         systemFailure       (25),
+         -- the request cannot be handled due to system failure
+         duplicateCertReq    (26)
+         -- certificate cannot be issued because a duplicate
+         -- certificate already exists
+     }
+
+     PKIStatusInfo ::= SEQUENCE {
+         status        PKIStatus,
+         statusString  PKIFreeText     OPTIONAL,
+         failInfo      PKIFailureInfo  OPTIONAL
+     }
+
+     OOBCert ::= CMPCertificate
+
+     OOBCertHash ::= SEQUENCE {
+         hashAlg     [0] AlgorithmIdentifier     OPTIONAL,
+         certId      [1] CertId                  OPTIONAL,
+         hashVal         BIT STRING
+         -- hashVal is calculated over the DER encoding of the
+         -- self-signed certificate with the identifier certID.
+     }
+
+     POPODecKeyChallContent ::= SEQUENCE OF Challenge
+     -- One Challenge per encryption key certification request (in the
+     -- same order as these requests appear in CertReqMessages).
+
+     Challenge ::= SEQUENCE {
+         owf                 AlgorithmIdentifier  OPTIONAL,
+
+         -- MUST be present in the first Challenge; MAY be omitted in
+         -- any subsequent Challenge in POPODecKeyChallContent (if
+         -- omitted, then the owf used in the immediately preceding
+         -- Challenge is to be used).
+
+         witness             OCTET STRING,
+         -- the result of applying the one-way function (owf) to a
+         -- randomly-generated INTEGER, A.  [Note that a different
+         -- INTEGER MUST be used for each Challenge.]
+         challenge           OCTET STRING
+         -- the encryption (under the public key for which the cert.
+         -- request is being made) of Rand, where Rand is specified as
+         --   Rand ::= SEQUENCE {
+         --      int      INTEGER,
+         --       - the randomly-generated INTEGER A (above)
+         --      sender   GeneralName
+         --       - the sender's name (as included in PKIHeader)
+         --   }
+     }
+
+     POPODecKeyRespContent ::= SEQUENCE OF INTEGER
+     -- One INTEGER per encryption key certification request (in the
+     -- same order as these requests appear in CertReqMessages).  The
+     -- retrieved INTEGER A (above) is returned to the sender of the
+     -- corresponding Challenge.
+
+     CertRepMessage ::= SEQUENCE {
+         caPubs       [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+                          OPTIONAL,
+         response         SEQUENCE OF CertResponse
+     }
+
+     CertResponse ::= SEQUENCE {
+         certReqId           INTEGER,
+         -- to match this response with corresponding request (a value
+         -- of -1 is to be used if certReqId is not specified in the
+         -- corresponding request)
+         status              PKIStatusInfo,
+         certifiedKeyPair    CertifiedKeyPair    OPTIONAL,
+         rspInfo             OCTET STRING        OPTIONAL
+         -- analogous to the id-regInfo-utf8Pairs string defined
+         -- for regInfo in CertReqMsg [CRMF]
+     }
+
+     CertifiedKeyPair ::= SEQUENCE {
+         certOrEncCert       CertOrEncCert,
+         privateKey      [0] EncryptedValue      OPTIONAL,
+         -- see [CRMF] for comment on encoding
+         publicationInfo [1] PKIPublicationInfo  OPTIONAL
+     }
+
+     CertOrEncCert ::= CHOICE {
+         certificate     [0] CMPCertificate,
+         encryptedCert   [1] EncryptedValue
+     }
+
+     KeyRecRepContent ::= SEQUENCE {
+         status                  PKIStatusInfo,
+         newSigCert          [0] CMPCertificate OPTIONAL,
+         caCerts             [1] SEQUENCE SIZE (1..MAX) OF
+                                             CMPCertificate OPTIONAL,
+         keyPairHist         [2] SEQUENCE SIZE (1..MAX) OF
+                                             CertifiedKeyPair OPTIONAL
+     }
+
+     RevReqContent ::= SEQUENCE OF RevDetails
+
+     RevDetails ::= SEQUENCE {
+         certDetails         CertTemplate,
+         -- allows requester to specify as much as they can about
+         -- the cert. for which revocation is requested
+         -- (e.g., for cases in which serialNumber is not available)
+         crlEntryDetails     Extensions       OPTIONAL
+         -- requested crlEntryExtensions
+     }
+
+     RevRepContent ::= SEQUENCE {
+         status       SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
+         -- in same order as was sent in RevReqContent
+         revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
+                                             OPTIONAL,
+         -- IDs for which revocation was requested
+         -- (same order as status)
+         crls     [1] SEQUENCE SIZE (1..MAX) OF CertificateList
+         -- the resulting CRLs (there may be more than one)
+     }
+
+     CAKeyUpdAnnContent ::= SEQUENCE {
+         oldWithNew   CMPCertificate, -- old pub signed with new priv
+         newWithOld   CMPCertificate, -- new pub signed with old priv
+         newWithNew   CMPCertificate  -- new pub signed with new priv
+     }
+
+     CertAnnContent ::= CMPCertificate
+
+     RevAnnContent ::= SEQUENCE {
+         status              PKIStatus,
+         certId              CertId,
+         willBeRevokedAt     GeneralizedTime,
+         badSinceDate        GeneralizedTime,
+         crlDetails          Extensions  OPTIONAL
+         -- extra CRL details (e.g., crl number, reason, location, etc.)
+     }
+
+     CRLAnnContent ::= SEQUENCE OF CertificateList
+
+     CertConfirmContent ::= SEQUENCE OF CertStatus
+
+     CertStatus ::= SEQUENCE {
+        certHash    OCTET STRING,
+        -- the hash of the certificate, using the same hash algorithm
+        -- as is used to create and verify the certificate signature
+        certReqId   INTEGER,
+        -- to match this confirmation with the corresponding req/rep
+        statusInfo  PKIStatusInfo OPTIONAL
+     }
+
+     PKIConfirmContent ::= NULL
+
+     InfoTypeAndValue ::= SEQUENCE {
+         infoType               OBJECT IDENTIFIER,
+         infoValue              ANY DEFINED BY infoType  OPTIONAL
+     }
+     -- Example InfoTypeAndValue contents include, but are not limited
+     -- to, the following (un-comment in this ASN.1 module and use as
+     -- appropriate for a given environment):
+     --
+     --   id-it-caProtEncCert    OBJECT IDENTIFIER ::= {id-it 1}
+           CAProtEncCertValue      ::= CMPCertificate
+     --   id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2}
+           SignKeyPairTypesValue   ::= SEQUENCE OF AlgorithmIdentifier
+     --   id-it-encKeyPairTypes  OBJECT IDENTIFIER ::= {id-it 3}
+           EncKeyPairTypesValue    ::= SEQUENCE OF AlgorithmIdentifier
+     --   id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4}
+           PreferredSymmAlgValue   ::= AlgorithmIdentifier
+     --   id-it-caKeyUpdateInfo  OBJECT IDENTIFIER ::= {id-it 5}
+           CAKeyUpdateInfoValue    ::= CAKeyUpdAnnContent
+     --   id-it-currentCRL       OBJECT IDENTIFIER ::= {id-it 6}
+           CurrentCRLValue         ::= CertificateList
+     --   id-it-unsupportedOIDs  OBJECT IDENTIFIER ::= {id-it 7}
+           UnsupportedOIDsValue    ::= SEQUENCE OF OBJECT IDENTIFIER
+     --   id-it-keyPairParamReq  OBJECT IDENTIFIER ::= {id-it 10}
+           KeyPairParamReqValue    ::= OBJECT IDENTIFIER
+     --   id-it-keyPairParamRep  OBJECT IDENTIFIER ::= {id-it 11}
+           KeyPairParamRepValue    ::= AlgorithmIdentifier
+     --   id-it-revPassphrase    OBJECT IDENTIFIER ::= {id-it 12}
+           RevPassphraseValue      ::= EncryptedValue
+     --   id-it-implicitConfirm  OBJECT IDENTIFIER ::= {id-it 13}
+           ImplicitConfirmValue    ::= NULL
+     --   id-it-confirmWaitTime  OBJECT IDENTIFIER ::= {id-it 14}
+           ConfirmWaitTimeValue    ::= GeneralizedTime
+     --   id-it-origPKIMessage   OBJECT IDENTIFIER ::= {id-it 15}
+           OrigPKIMessageValue     ::= PKIMessages
+     --   id-it-suppLangTags     OBJECT IDENTIFIER ::= {id-it 16}
+           SuppLangTagsValue       ::= SEQUENCE OF UTF8String
+     --
+     -- where
+     --
+     --   id-pkix OBJECT IDENTIFIER ::= {
+     --      iso(1) identified-organization(3)
+     --      dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
+     -- and
+     --   id-it   OBJECT IDENTIFIER ::= {id-pkix 4}
+     --
+     --
+     -- This construct MAY also be used to define new PKIX Certificate
+     -- Management Protocol request and response messages, or general-
+     -- purpose (e.g., announcement) messages for future needs or for
+     -- specific environments.
+
+     GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
+
+     -- May be sent by EE, RA, or CA (depending on message content).
+     -- The OPTIONAL infoValue parameter of InfoTypeAndValue will
+     -- typically be omitted for some of the examples given above.
+     -- The receiver is free to ignore any contained OBJ. IDs that it
+     -- does not recognize. If sent from EE to CA, the empty set
+     -- indicates that the CA may send
+     -- any/all information that it wishes.
+     GenRepContent ::= SEQUENCE OF InfoTypeAndValue
+     -- Receiver MAY ignore any contained OIDs that it does not
+     -- recognize.
+
+     ErrorMsgContent ::= SEQUENCE {
+         pKIStatusInfo          PKIStatusInfo,
+         errorCode              INTEGER           OPTIONAL,
+         -- implementation-specific error codes
+         errorDetails           PKIFreeText       OPTIONAL
+         -- implementation-specific error details
+     }
+
+     PollReqContent ::= SEQUENCE OF SEQUENCE {
+         certReqId              INTEGER
+     }
+
+     PollRepContent ::= SEQUENCE OF SEQUENCE {
+         certReqId              INTEGER,
+         checkAfter             INTEGER,  -- time in seconds
+         reason                 PKIFreeText OPTIONAL
+     }
+
+     END -- of CMP module
diff --git a/asn1/cmp/Makefile.am b/asn1/cmp/Makefile.am
new file mode 100644
index 0000000000..462af31e88
--- /dev/null
+++ b/asn1/cmp/Makefile.am
@@ -0,0 +1,26 @@
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+
+
+include ../Makefile.preinc
+include Makefile.common
+include ../Makefile.inc
+
diff --git a/asn1/cmp/Makefile.common b/asn1/cmp/Makefile.common
new file mode 100644
index 0000000000..fcee4d0a6b
--- /dev/null
+++ b/asn1/cmp/Makefile.common
@@ -0,0 +1,55 @@
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+
+
+PROTOCOL_NAME=cmp
+
+DISSECTOR_FILES=packet-$(PROTOCOL_NAME).c \
+	packet-$(PROTOCOL_NAME).h
+
+
+EXT_ASN_FILE_LIST =
+
+ASN_FILE_LIST = CMP.asn
+
+# The packet-$(PROTOCOL_NAME)-template.h and $(PROTOCOL_NAME).asn
+# files do not exist for all protocols: Please add/remove as required.
+EXTRA_DIST = \
+	Makefile.nmake \
+	$(ASN_FILE_LIST) \
+	packet-$(PROTOCOL_NAME)-template.c \
+	packet-$(PROTOCOL_NAME)-template.h \
+	$(PROTOCOL_NAME).cnf
+
+SRC_FILES = \
+	$(EXTRA_DIST) \
+	$(EXT_ASN_FILE_LIST)
+
+A2W_FLAGS= -b 
+
+EXTRA_CNF= \
+	../pkix1explicit/pkix1explicit_exp.cnf \
+	../pkix1implicit/pkix1implicit_exp.cnf \
+	../crmf/crmf-exp.cnf
+
+../crmf/crmf-exp.cnf:
+	(cd ../crmf && $(MAKE_CNF_EXPORT))
+
diff --git a/asn1/cmp/Makefile.nmake b/asn1/cmp/Makefile.nmake
new file mode 100644
index 0000000000..5a32997c60
--- /dev/null
+++ b/asn1/cmp/Makefile.nmake
@@ -0,0 +1,29 @@
+## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake
+#
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+
+
+include ../../config.nmake
+include ../Makefile.preinc.nmake
+include Makefile.common
+include ../Makefile.inc.nmake
+
diff --git a/asn1/cmp/cmp.cnf b/asn1/cmp/cmp.cnf
new file mode 100644
index 0000000000..60209d49da
--- /dev/null
+++ b/asn1/cmp/cmp.cnf
@@ -0,0 +1,116 @@
+# CMP.cnf
+# CMP conformation file
+
+# $Id$
+
+#.MODULE_IMPORT
+PKIX1Explicit88	pkix1explicit
+PKIX1Implicit88	pkix1implicit
+PKIXCRMF-2005	crmf
+		
+#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
+#.INCLUDE ../pkix1implicit/pkix1implicit_exp.cnf
+#.IMPORT ../crmf/crmf-exp.cnf
+
+#.EXPORTS
+CAKeyUpdAnnContent
+CMPCertificate
+CRLAnnContent
+CertAnnContent
+CertConfirmContent
+CertOrEncCert
+CertRepMessage
+CertResponse
+CertStatus
+CertifiedKeyPair
+Challenge
+DHBMParameter
+ErrorMsgContent
+GenMsgContent
+InfoTypeAndValue
+KeyRecRepContent
+NestedMessageContent
+OOBCert
+OOBCertHash
+PBMParameter
+PKIBody
+PKIConfirmContent
+PKIFailureInfo
+PKIFreeText
+PKIHeader
+PKIMessage
+PKIMessages
+PKIProtection
+PKIStatus
+PKIStatusInfo
+POPODecKeyRespContent
+PollRepContent
+PollReqContent
+ProtectedPart
+RevAnnContent
+RevDetails
+RevRepContent
+RevReqContent
+
+#.REGISTER
+PBMParameter           B "1.2.840.113533.7.66.13" "id-PasswordBasedMac"
+DHBMParameter          B "1.2.640.113533.7.66.30" "id-DHBasedMac"
+CAProtEncCertValue     B "1.3.6.1.5.5.7.4.1"      "id-it-caProtEncCert"
+SignKeyPairTypesValue  B "1.3.6.1.5.5.7.4.2"      "id-it-signKeyPairTypes"
+EncKeyPairTypesValue   B "1.3.6.1.5.5.7.4.3"      "id-it-encKeyPairTypes"
+PreferredSymmAlgValue  B "1.3.6.1.5.5.7.4.4"      "id-it-preferredSymmAlg"
+CAKeyUpdateInfoValue   B "1.3.6.1.5.5.7.4.5"      "id-it-caKeyUpdateInfo"
+CurrentCRLValue        B "1.3.6.1.5.5.7.4.6"      "id-it-currentCRL"
+UnsupportedOIDsValue   B "1.3.6.1.5.5.7.4.7"      "id-it-unsupportedOIDs"
+KeyPairParamReqValue   B "1.3.6.1.5.5.7.4.10"     "id-it-keyPairParamReq"
+KeyPairParamRepValue   B "1.3.6.1.5.5.7.4.11"     "id-it-keyPairParamRep"
+RevPassphraseValue     B "1.3.6.1.5.5.7.4.12"     "id-it-revPassphrase"
+ImplicitConfirmValue   B "1.3.6.1.5.5.7.4.13"     "id-it-implicitConfirm"
+ConfirmWaitTimeValue   B "1.3.6.1.5.5.7.4.14"     "id-it-confirmWaitTime"
+OrigPKIMessageValue    B "1.3.6.1.5.5.7.4.15"     "id-it-origPKIMessage"
+SuppLangTagsValue      B "1.3.6.1.5.5.7.4.16"     "id-it-suppLangTags"
+
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+RevRepContent/status    rvrpcnt_status
+CertResponse/status     pkistatusinf
+KeyRecRepContent/status pkistatusinf
+PKIStatusInfo/status pkistatus
+RevAnnContent/status pkistatus
+
+
+#.FN_PARS InfoTypeAndValue/infoType
+  FN_VARIANT = _str  HF_INDEX = hf_cmp_type_oid  VAL_PTR = &object_identifier_id
+
+#.FN_BODY InfoTypeAndValue/infoValue
+  offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree);
+
+#.FN_PARS PKIBody
+  VAL_PTR = &branch_taken
+
+#.FN_BODY PKIBody
+  gint branch_taken;
+
+  %(DEFAULT_BODY)s
+
+  if (check_col(actx->pinfo->cinfo, COL_INFO)) {
+  	col_append_fstr(actx->pinfo->cinfo, COL_INFO, " Body=%%s", val_to_str(branch_taken, cmp_PKIBody_vals, "unknown"));
+  }
+
+#.FN_PARS PKIStatus
+  VAL_PTR = &value
+
+#.FN_BODY PKIStatus
+  guint32 value;
+
+  %(DEFAULT_BODY)s
+
+  if (check_col(actx->pinfo->cinfo, COL_INFO)) {
+  	col_append_fstr(actx->pinfo->cinfo, COL_INFO, " Status=%%s", val_to_str(value, cmp_PKIStatus_vals, "unknown"));
+  }
+
+#.END_OF_CNF
diff --git a/asn1/cmp/packet-cmp-template.c b/asn1/cmp/packet-cmp-template.c
new file mode 100644
index 0000000000..1fa3a5f922
--- /dev/null
+++ b/asn1/cmp/packet-cmp-template.c
@@ -0,0 +1,456 @@
+/* packet-cmp.c
+ *
+ * Routines for RFC2510 Certificate Management Protocol packet dissection
+ *   Ronnie Sahlberg 2004
+ * Updated to RFC4210 CMPv2 and associated "Transport Protocols for CMP" draft
+ *   Martin Peylo 2008
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <glib.h>
+#include <epan/packet.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <epan/oids.h>
+#include <epan/asn1.h>
+#include "packet-ber.h"
+#include "packet-cmp.h"
+#include "packet-crmf.h"
+#include "packet-pkix1explicit.h"
+#include "packet-pkix1implicit.h"
+#include "packet-tcp.h"
+#include "packet-http.h"
+#include <epan/prefs.h>
+#include <epan/nstime.h>
+
+#define PNAME  "Certificate Management Protocol"
+#define PSNAME "CMP"
+#define PFNAME "cmp"
+
+#define TCP_PORT_CMP 829
+
+/* desegmentation of CMP over TCP */
+static gboolean cmp_desegment = TRUE;
+
+static guint cmp_alternate_tcp_port = 0;
+static guint cmp_alternate_http_port = 0;
+static guint cmp_alternate_tcp_style_http_port = 0;
+
+/* Initialize the protocol and registered fields */
+int proto_cmp = -1;
+static int hf_cmp_type_oid = -1;
+static int hf_cmp_tcptrans_len = -1;
+static int hf_cmp_tcptrans_type = -1;
+static int hf_cmp_tcptrans_poll_ref = -1;
+static int hf_cmp_tcptrans_next_poll_ref = -1;
+static int hf_cmp_tcptrans_ttcb = -1;
+static int hf_cmp_tcptrans10_version = -1;
+static int hf_cmp_tcptrans10_flags = -1;
+#include "packet-cmp-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_cmp = -1;
+#include "packet-cmp-ett.c"
+
+static const char *object_identifier_id;
+
+
+#include "packet-cmp-fn.c"
+
+static int
+dissect_cmp_pdu(tvbuff_t *tvb, proto_tree *tree, asn1_ctx_t *actx)
+{
+	return dissect_cmp_PKIMessage(FALSE, tvb, 0, actx,tree, -1);
+}
+
+#define CMP_TYPE_PKIMSG		0
+#define CMP_TYPE_POLLREP	1
+#define CMP_TYPE_POLLREQ	2
+#define CMP_TYPE_NEGPOLLREP	3
+#define CMP_TYPE_PARTIALMSGREP	4
+#define CMP_TYPE_FINALMSGREP	5
+#define CMP_TYPE_ERRORMSGREP	6
+static const value_string cmp_pdu_types[] = {
+	{ CMP_TYPE_PKIMSG,		"pkiMsg" },
+	{ CMP_TYPE_POLLREP,		"pollRep" },
+	{ CMP_TYPE_POLLREQ,		"pollReq" },
+	{ CMP_TYPE_NEGPOLLREP,		"negPollRep" },
+	{ CMP_TYPE_PARTIALMSGREP,	"partialMsgRep" },
+	{ CMP_TYPE_FINALMSGREP,		"finalMsgRep" },
+	{ CMP_TYPE_ERRORMSGREP,		"errorMsgRep" },
+	{ 0, NULL },
+};
+
+
+static int dissect_cmp_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+	tvbuff_t   *next_tvb;
+	guint32    pdu_len;
+	guint8     pdu_type;
+	nstime_t   ts;
+	proto_item *item=NULL;
+	proto_item *ti=NULL;
+	proto_tree *tree=NULL;
+	proto_tree *tcptrans_tree=NULL;
+	asn1_ctx_t asn1_ctx;
+	int offset=0;
+
+	asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+	col_set_str(pinfo->cinfo, COL_PROTOCOL, "CMP");
+
+	col_set_str(pinfo->cinfo, COL_INFO, "PKIXCMP");
+
+	if(parent_tree){
+		item=proto_tree_add_item(parent_tree, proto_cmp, tvb, 0, -1, FALSE);
+		tree = proto_item_add_subtree(item, ett_cmp);
+	}
+
+	pdu_len=tvb_get_ntohl(tvb, 0);
+	pdu_type=tvb_get_guint8(tvb, 4);
+
+	if (pdu_type < 10) {
+		/* RFC2510 TCP transport */
+		ti = proto_tree_add_item(tree, proto_cmp, tvb, offset, 5, FALSE);
+		tcptrans_tree = proto_item_add_subtree(ti, ett_cmp);
+		proto_tree_add_item(tree, hf_cmp_tcptrans_len, tvb, offset, 4, FALSE);
+		offset += 4;
+		proto_tree_add_item(tree, hf_cmp_tcptrans_type, tvb, offset++, 1, FALSE);
+	} else {
+		/* post RFC2510 TCP transport - the former "type" field is now "version" */
+		ti = proto_tree_add_text(tree, tvb, offset, 7, "TCP transport");
+		tcptrans_tree = proto_item_add_subtree(ti, ett_cmp);
+		pdu_type=tvb_get_guint8(tvb, 6);
+		proto_tree_add_item(tcptrans_tree, hf_cmp_tcptrans_len, tvb, offset, 4, FALSE);
+		offset += 4;
+		proto_tree_add_item(tcptrans_tree, hf_cmp_tcptrans10_version, tvb, offset++, 1, FALSE);
+		proto_tree_add_item(tcptrans_tree, hf_cmp_tcptrans10_flags, tvb, offset++, 1, FALSE);
+		proto_tree_add_item(tcptrans_tree, hf_cmp_tcptrans_type, tvb, offset++, 1, FALSE);
+	}
+
+	if (check_col (pinfo->cinfo, COL_INFO)) {
+		col_add_str (pinfo->cinfo, COL_INFO, val_to_str (pdu_type, cmp_pdu_types, "0x%x"));
+	}
+
+	switch(pdu_type){
+		case CMP_TYPE_PKIMSG:
+			next_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), pdu_len);
+			dissect_cmp_pdu(next_tvb, tree, &asn1_ctx);
+			offset += tvb_length_remaining(tvb, offset);
+			break;
+		case CMP_TYPE_POLLREP:
+			proto_tree_add_item(tcptrans_tree, hf_cmp_tcptrans_poll_ref, tvb, offset, 4, FALSE);
+			offset += 4;
+
+			ts.secs = tvb_get_ntohl(tvb, 4);
+			ts.nsecs = 0;
+			proto_tree_add_time(tcptrans_tree, hf_cmp_tcptrans_ttcb, tvb, offset, 4, &ts);
+			offset += 4;
+			break;
+		case CMP_TYPE_POLLREQ:
+			proto_tree_add_item(tcptrans_tree, hf_cmp_tcptrans_poll_ref, tvb, offset, 4, FALSE);
+			offset += 4;
+			break;
+		case CMP_TYPE_NEGPOLLREP:
+			break;
+		case CMP_TYPE_PARTIALMSGREP:
+			proto_tree_add_item(tcptrans_tree, hf_cmp_tcptrans_next_poll_ref, tvb, offset, 4, FALSE);
+			offset += 4;
+
+			ts.secs = tvb_get_ntohl(tvb, 4);
+			ts.nsecs = 0;
+			proto_tree_add_time(tcptrans_tree, hf_cmp_tcptrans_ttcb, tvb, offset, 4, &ts);
+			offset += 4;
+
+			next_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), pdu_len);
+			dissect_cmp_pdu(next_tvb, tree, &asn1_ctx);
+			offset += tvb_length_remaining(tvb, offset);
+			break;
+		case CMP_TYPE_FINALMSGREP:
+			next_tvb = tvb_new_subset(tvb, offset, tvb_length_remaining(tvb, offset), pdu_len);
+			dissect_cmp_pdu(next_tvb, tree, &asn1_ctx);
+			offset += tvb_length_remaining(tvb, offset);
+			break;
+		case CMP_TYPE_ERRORMSGREP:
+			/*XXX to be added*/
+			break;
+	}
+
+	return offset;
+}
+
+static void dissect_cmp_tcp_pdu_no_return(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+	dissect_cmp_tcp_pdu(tvb, pinfo, parent_tree);
+}
+
+static guint get_cmp_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
+{
+	guint32 plen;
+
+	/*
+	 * Get the length of the CMP-over-TCP packet.
+	 */
+	plen = tvb_get_ntohl(tvb, offset);
+
+	return plen+4;
+}
+
+
+/* CMP over TCP: RFC2510 section 5.2 and "Transport Protocols for CMP" draft */
+	static int
+dissect_cmp_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+	guint32 pdu_len;
+	guint8 pdu_type;
+	int offset=4; /* RFC2510 TCP transport header length */
+
+	/* only attempt to dissect it as CMP over TCP if we have
+	 * at least 5 bytes.
+	 */
+	if (!tvb_bytes_exist(tvb, 0, 5)) {
+		return 0;
+	}
+
+	pdu_len=tvb_get_ntohl(tvb, 0);
+	pdu_type=tvb_get_guint8(tvb, 4);
+
+	if(pdu_type == 10) {
+		/* post RFC2510 TCP transport */
+		pdu_type = tvb_get_guint8(tvb, 7);
+		offset = 7; /* post RFC2510 TCP transport header length */
+		/* arbitrary limit: assume a CMP over TCP pdu is never >10000 bytes
+		 * in size.
+		 * It is definitely at least 3 byte for post RFC2510 TCP transport
+		 */
+		if((pdu_len<=2)||(pdu_len>10000)){
+			return 0;
+		}
+	} else {
+		/* RFC2510 TCP transport */
+		/* type is between 0 and 6 */
+		if(pdu_type>6){
+			return 0;
+		}
+		/* arbitrary limit: assume a CMP over TCP pdu is never >10000 bytes
+		 * in size.
+		 * It is definitely at least 1 byte to accomodate the flags byte
+		 */
+		if((pdu_len<=0)||(pdu_len>10000)){
+			return 0;
+		}
+	}
+
+	/* type 0 contains a PKI message and must therefore be >= 3 bytes
+	 * long (flags + BER TAG + BER LENGTH
+	 */
+	if((pdu_type==0)&&(pdu_len<3)){
+		return 0;
+	}
+
+	tcp_dissect_pdus(tvb, pinfo, parent_tree, cmp_desegment, offset, get_cmp_pdu_len,
+			dissect_cmp_tcp_pdu_no_return);
+
+	return tvb_length(tvb);
+}
+
+
+	static int
+dissect_cmp_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+	proto_item *item=NULL;
+	proto_tree *tree=NULL;
+	asn1_ctx_t asn1_ctx;
+
+	asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+	col_set_str(pinfo->cinfo, COL_PROTOCOL, "CMP");
+
+	col_set_str(pinfo->cinfo, COL_INFO, "PKIXCMP");
+
+	if(parent_tree){
+		item=proto_tree_add_item(parent_tree, proto_cmp, tvb, 0, -1, FALSE);
+		tree = proto_item_add_subtree(item, ett_cmp);
+	}
+
+	return dissect_cmp_pdu(tvb, tree, &asn1_ctx);
+}
+
+
+/*--- proto_register_cmp ----------------------------------------------*/
+void proto_register_cmp(void) {
+
+	/* List of fields */
+	static hf_register_info hf[] = {
+		{ &hf_cmp_type_oid,
+			{ "InfoType", "cmp.type.oid",
+				FT_STRING, BASE_NONE, NULL, 0,
+				"Type of InfoTypeAndValue", HFILL }},
+		{ &hf_cmp_tcptrans_len,
+			{ "Length", "cmp.tcptrans.length",
+				FT_UINT32, BASE_DEC, NULL, 0,
+				"TCP transport Length of PDU in bytes", HFILL }},
+		{ &hf_cmp_tcptrans_type,
+			{ "Type", "cmp.tcptrans.type",
+				FT_UINT8, BASE_DEC, VALS(cmp_pdu_types), 0,
+				"TCP transport PDU Type", HFILL }},
+		{ &hf_cmp_tcptrans_poll_ref,
+			{ "Polling Reference", "cmp.tcptrans.poll_ref",
+				FT_UINT32, BASE_HEX, NULL, 0,
+				"TCP transport Polling Reference", HFILL }},
+		{ &hf_cmp_tcptrans_next_poll_ref,
+			{ "Next Polling Reference", "cmp.tcptrans.next_poll_ref",
+				FT_UINT32, BASE_HEX, NULL, 0,
+				"TCP transport Next Polling Reference", HFILL }},
+		{ &hf_cmp_tcptrans_ttcb,
+			{ "Time to check Back", "cmp.tcptrans.ttcb",
+				FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0,
+				"TCP transport Time to check Back", HFILL }},
+		{ &hf_cmp_tcptrans10_version,
+			{ "Version", "cmp.tcptrans10.version",
+				FT_UINT8, BASE_DEC, NULL, 0,
+				"TCP transport version", HFILL }},
+		{ &hf_cmp_tcptrans10_flags,
+			{ "Flags", "cmp.tcptrans10.flags",
+				FT_UINT8, BASE_DEC, NULL, 0,
+				"TCP transport flags", HFILL }},
+#include "packet-cmp-hfarr.c"
+	};
+
+	/* List of subtrees */
+	static gint *ett[] = {
+		&ett_cmp,
+#include "packet-cmp-ettarr.c"
+	};
+	module_t *cmp_module;
+
+	/* Register protocol */
+	proto_cmp = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+	/* Register fields and subtrees */
+	proto_register_field_array(proto_cmp, hf, array_length(hf));
+	proto_register_subtree_array(ett, array_length(ett));
+
+	cmp_module = prefs_register_protocol(proto_cmp, proto_reg_handoff_cmp);
+	prefs_register_bool_preference(cmp_module, "desegment",
+			"Reassemble CMP-over-TCP messages spanning multiple TCP segments",
+			"Whether the CMP-over-TCP dissector should reassemble messages spanning multiple TCP segments. "
+			"To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
+			&cmp_desegment);
+
+	prefs_register_uint_preference(cmp_module, "tcp_alternate_port",
+			"Alternate TCP port",
+			"Decode this TCP port\'s traffic as CMP. Set to \"0\" to disable.",
+			10,
+			&cmp_alternate_tcp_port);
+
+	prefs_register_uint_preference(cmp_module, "http_alternate_port",
+			"Alternate HTTP port",
+			"Decode this TCP port\'s traffic as CMP-over-HTTP. Set to \"0\" to disable. "
+			"Use this if the Content-Type is not set correctly.",
+			10,
+			&cmp_alternate_http_port);
+
+	prefs_register_uint_preference(cmp_module, "tcp_style_http_alternate_port",
+			"Alternate TCP-style-HTTP port",
+			"Decode this TCP port\'s traffic as TCP-transport-style CMP-over-HTTP. Set to \"0\" to disable. "
+			"Use this if the Content-Type is not set correctly.",
+			10,
+			&cmp_alternate_tcp_style_http_port);
+}
+
+
+/*--- proto_reg_handoff_cmp -------------------------------------------*/
+void proto_reg_handoff_cmp(void) {
+	static gboolean inited = FALSE;
+	static dissector_handle_t cmp_http_handle;
+	static dissector_handle_t cmp_tcp_style_http_handle;
+	static dissector_handle_t cmp_tcp_handle;
+	static guint cmp_alternate_tcp_port_prev = 0;
+	static guint cmp_alternate_http_port_prev = 0;
+	static guint cmp_alternate_tcp_style_http_port_prev = 0;
+
+	if (!inited) {
+		cmp_http_handle = new_create_dissector_handle(dissect_cmp_http, proto_cmp);
+		dissector_add_string("media_type", "application/pkixcmp", cmp_http_handle);
+		dissector_add_string("media_type", "application/x-pkixcmp", cmp_http_handle);
+
+		cmp_tcp_style_http_handle = new_create_dissector_handle(dissect_cmp_tcp_pdu, proto_cmp);
+		dissector_add_string("media_type", "application/pkixcmp-poll", cmp_tcp_style_http_handle);
+		dissector_add_string("media_type", "application/x-pkixcmp-poll", cmp_tcp_style_http_handle);
+
+		cmp_tcp_handle = new_create_dissector_handle(dissect_cmp_tcp, proto_cmp);
+		dissector_add("tcp.port", TCP_PORT_CMP, cmp_tcp_handle);
+
+		oid_add_from_string("Cryptlib-presence-check","1.3.6.1.4.1.3029.3.1.1");
+		oid_add_from_string("Cryptlib-PKIBoot","1.3.6.1.4.1.3029.3.1.2");
+
+		oid_add_from_string("HMAC MD5","1.3.6.1.5.5.8.1.1");
+		oid_add_from_string("HMAC SHA-1","1.3.6.1.5.5.8.1.2");
+		oid_add_from_string("HMAC TIGER","1.3.6.1.5.5.8.1.3");
+		oid_add_from_string("HMAC RIPEMD-160","1.3.6.1.5.5.8.1.4");
+
+		oid_add_from_string("sha256WithRSAEncryption","1.2.840.113549.1.1.11");
+
+#include "packet-cmp-dis-tab.c"
+		inited = TRUE;
+	}
+
+	/* change alternate TCP port if changed in the preferences */
+	if (cmp_alternate_tcp_port != cmp_alternate_tcp_port_prev) {
+		if (cmp_alternate_tcp_port_prev != 0)
+			dissector_delete("tcp.port", cmp_alternate_tcp_port_prev, cmp_tcp_handle);
+		if (cmp_alternate_tcp_port != 0)
+			dissector_add("tcp.port", cmp_alternate_tcp_port, cmp_tcp_handle);
+		cmp_alternate_tcp_port_prev = cmp_alternate_tcp_port;
+	}
+
+	/* change alternate HTTP port if changed in the preferences */
+	if (cmp_alternate_http_port != cmp_alternate_http_port_prev) {
+		if (cmp_alternate_http_port_prev != 0) {
+			dissector_delete("tcp.port", cmp_alternate_http_port_prev, NULL);
+			dissector_delete("http.port", cmp_alternate_http_port_prev, NULL);
+		}
+		if (cmp_alternate_http_port != 0)
+			http_dissector_add( cmp_alternate_http_port, cmp_http_handle);
+		cmp_alternate_http_port_prev = cmp_alternate_http_port;
+	}
+
+	/* change alternate TCP-style-HTTP port if changed in the preferences */
+	if (cmp_alternate_tcp_style_http_port != cmp_alternate_tcp_style_http_port_prev) {
+		if (cmp_alternate_tcp_style_http_port_prev != 0) {
+			dissector_delete("tcp.port", cmp_alternate_tcp_style_http_port_prev, NULL);
+			dissector_delete("http.port", cmp_alternate_tcp_style_http_port_prev, NULL);
+		}
+		if (cmp_alternate_tcp_style_http_port != 0)
+			http_dissector_add( cmp_alternate_tcp_style_http_port, cmp_tcp_style_http_handle);
+		cmp_alternate_tcp_style_http_port_prev = cmp_alternate_tcp_style_http_port;
+	}
+
+}
+
diff --git a/asn1/cmp/packet-cmp-template.h b/asn1/cmp/packet-cmp-template.h
new file mode 100644
index 0000000000..a5d80a819d
--- /dev/null
+++ b/asn1/cmp/packet-cmp-template.h
@@ -0,0 +1,34 @@
+/* packet-cmp.h
+ * Routines for RFC2510 Certificate Management Protocol packet dissection
+ *   Ronnie Sahlberg 2004
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifndef PACKET_CMP_H
+#define PACKET_CMP_H
+
+void proto_reg_handoff_cmp(void);
+
+#include "packet-cmp-exp.h"
+
+#endif  /* PACKET_CMP_H */
+