authorGraeme Lunt <graeme.lunt@smhs.co.uk>2007-01-13 15:26:13 +0000
committerGraeme Lunt <graeme.lunt@smhs.co.uk>2007-01-13 15:26:13 +0000
commit7d3a4e92643ab8942a44e2dc5bca6e4e427d4bf0 (patch)
treee79b474786b42d3e673f7bf695c8f4226365ca95 /asn1
parentd3a85fae38cfbea3ae6ab46892c6c10c7687da98 (diff)
New protocol dissector for PKCS#12 - Personal Information Exchange Syntax.
Generally found within a file (.p12 or .pfx) or as a directory attribute (userPKCS12 from iNetOrgPerson). Wiki page and sample file to follow. svn path=/trunk/; revision=20416
Diffstat (limited to 'asn1')
-rw-r--r--asn1/cms/cms-exp.cnf4
-rw-r--r--asn1/cms/cms.cnf22
-rw-r--r--asn1/cms/packet-cms-template.c3
-rw-r--r--asn1/pkcs12/Makefile16
-rw-r--r--asn1/pkcs12/Makefile.nmake46
-rw-r--r--asn1/pkcs12/packet-pkcs12-template.c159
-rw-r--r--asn1/pkcs12/packet-pkcs12-template.h30
-rw-r--r--asn1/pkcs12/pkcs12.asn277
-rw-r--r--asn1/pkcs12/pkcs12.cnf117
-rw-r--r--asn1/x509sat/x509sat-exp.cnf2
-rw-r--r--asn1/x509sat/x509sat.cnf28
11 files changed, 697 insertions, 7 deletions
diff --git a/asn1/cms/cms-exp.cnf b/asn1/cms/cms-exp.cnf
index 5d7aa8672b..0eb30a20a9 100644
--- a/asn1/cms/cms-exp.cnf
+++ b/asn1/cms/cms-exp.cnf
@@ -20,6 +20,8 @@ SignedAttributes BER_CLASS_UNI BER_UNI_TAG_SET
UnsignedAttributes BER_CLASS_UNI BER_UNI_TAG_SET
SignatureValue BER_CLASS_UNI BER_UNI_TAG_OCTETSTRING
EnvelopedData BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+Digest BER_CLASS_UNI BER_UNI_TAG_OCTETSTRING
+DigestAlgorithmIdentifier BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
IssuerAndSerialNumber BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
Countersignature BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
#.END
@@ -37,6 +39,8 @@ SignedAttributes TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL
UnsignedAttributes TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
SignatureValue TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0
EnvelopedData TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+Digest TYPE = FT_BYTES DISPLAY = BASE_HEX STRINGS = NULL BITMASK = 0
+DigestAlgorithmIdentifier TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
IssuerAndSerialNumber TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
Countersignature TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
#.END
diff --git a/asn1/cms/cms.cnf b/asn1/cms/cms.cnf
index 04d2d72217..853c5e0bf0 100644
--- a/asn1/cms/cms.cnf
+++ b/asn1/cms/cms.cnf
@@ -10,6 +10,8 @@
ContentInfo
ContentType
Countersignature
+Digest
+DigestAlgorithmIdentifier
DigestAlgorithmIdentifiers
EncapsulatedContentInfo
EnvelopedData
@@ -24,6 +26,7 @@ UnsignedAttributes
#.REGISTER
ContentInfo B "1.2.840.113549.1.9.16.1.6" "id-ct-contentInfo"
+#OctetString B "1.2.840.113549.1.7.1" "id-data" see x509sat.cnf
SignedData B "1.2.840.113549.1.7.2" "id-signedData"
EnvelopedData B "1.2.840.113549.1.7.3" "id-envelopedData"
DigestedData B "1.2.840.113549.1.7.5" "id-digestedData"
@@ -52,16 +55,22 @@ EncryptedContentInfo/contentType encryptedContentType
content_tvb = NULL;
top_tree = NULL;
-#.FN_BODY ContentInfo/contentType
- offset = dissect_ber_object_identifier_str(FALSE, pinfo, tree, tvb, offset,
- hf_cms_ci_contentType, &object_identifier_id);
+#.FN_PARS ContentType
+ FN_VARIANT = _str VAL_PTR = &object_identifier_id
+
+#.FN_BODY ContentType
+ const char *name = NULL;
+
+ %(DEFAULT_BODY)s
+
+ if(object_identifier_id) {
+ name = get_oid_str_name(object_identifier_id);
+ proto_item_append_text(tree, " (%%s)", name ? name : object_identifier_id);
+ }
#.FN_BODY ContentInfo/content
offset=call_ber_oid_callback(object_identifier_id, tvb, offset, pinfo, tree);
-#.FN_BODY EncapsulatedContentInfo/eContentType
- offset = dissect_ber_object_identifier_str(FALSE, pinfo, tree, tvb, offset,
- hf_cms_ci_contentType, &object_identifier_id);
#.FN_BODY EncapsulatedContentInfo/eContent
gint8 class;
@@ -78,6 +87,7 @@ EncryptedContentInfo/contentType encryptedContentType
content_offset = pdu_offset = get_ber_length(tree, tvb, pdu_offset, &len, &ind);
pdu_offset = call_ber_oid_callback(object_identifier_id, tvb, pdu_offset, pinfo, top_tree ? top_tree : tree);
+ /* save the content for checking the message digest */
content_tvb = tvb_new_subset(tvb, content_offset, len, -1);
#.FN_PARS OtherKeyAttribute/keyAttrId
diff --git a/asn1/cms/packet-cms-template.c b/asn1/cms/packet-cms-template.c
index 678959149d..6ceb9da072 100644
--- a/asn1/cms/packet-cms-template.c
+++ b/asn1/cms/packet-cms-template.c
@@ -162,5 +162,8 @@ void proto_register_cms(void) {
/*--- proto_reg_handoff_cms -------------------------------------------*/
void proto_reg_handoff_cms(void) {
#include "packet-cms-dis-tab.c"
+
+ add_oid_str_name("1.2.840.113549.1.7.1", "id-data");
+
}
diff --git a/asn1/pkcs12/Makefile b/asn1/pkcs12/Makefile
new file mode 100644
index 0000000000..11f1a0e3d0
--- /dev/null
+++ b/asn1/pkcs12/Makefile
@@ -0,0 +1,16 @@
+# $Id$
+
+DISSECTOR_FILES=packet-pkcs12.c packet-pkcs12.h
+
+all: generate_dissector
+
+generate_dissector: $(DISSECTOR_FILES)
+
+$(DISSECTOR_FILES): ../../tools/asn2wrs.py pkcs12.asn packet-pkcs12-template.c packet-pkcs12-template.h pkcs12.cnf ../cms/cms-exp.cnf ../x509af/x509af-exp.cnf ../x509if/x509if-exp.cnf
+ python ../../tools/asn2wrs.py -b -e -p pkcs12 -c pkcs12.cnf -s packet-pkcs12-template pkcs12.asn
+
+clean:
+ rm -f parsetab.py $(DISSECTOR_FILES) *~
+
+copy_files: generate_dissector
+ cp $(DISSECTOR_FILES) ../../epan/dissectors
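Review bot: `all`, `generate_dissector`, `clean` and `copy_files` are command targets but none is declared phony, so a stray file named `clean` or `all` in this directory would silently turn the target into a no-op; add `.PHONY: all generate_dissector clean copy_files`. The `$(DISSECTOR_FILES):` header lists two targets, which GNU make treats as two independent rules sharing one recipe, so under `make -j` asn2wrs.py can run twice concurrently and both outputs are regenerated even when only one is missing; a stamp target, or a rule on `packet-pkcs12.c` with `packet-pkcs12.h` depending on it, avoids that. The interpreter is hard-coded as `python` here while Makefile.nmake uses `$(PYTHON)`; `$(PYTHON)` with a `PYTHON ?= python` default would keep the two files in step. Makefile.nmake's `$(DISSECTOR_FILES):` header has the same two-target shape, though it is less exposed since nmake does not build in parallel.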
diff --git a/asn1/pkcs12/Makefile.nmake b/asn1/pkcs12/Makefile.nmake
new file mode 100644
index 0000000000..8669262858
--- /dev/null
+++ b/asn1/pkcs12/Makefile.nmake
@@ -0,0 +1,46 @@
+## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake
+#
+# $Id$
+
+include ../../config.nmake
+
+UNIX2DOS=$(PERL) ../../tools/unix2dos.pl
+
+PROTOCOL_NAME=pkcs12
+DISSECTOR_FILES=packet-$(PROTOCOL_NAME).c packet-$(PROTOCOL_NAME).h
+
+all: generate_dissector
+
+generate_dissector: $(DISSECTOR_FILES)
+
+$(DISSECTOR_FILES): ../../tools/asn2wrs.py pkcs12.asn packet-pkcs12-template.c packet-pkcs12-template.h pkcs12.cnf ../cms/cms-exp.cnf ../x509af/x509af-exp.cnf ../x509if/x509if-exp.cnf
+!IFDEF PYTHON
+ $(PYTHON) ../../tools/asn2wrs.py -b -e -p $(PROTOCOL_NAME) -c pkcs12.cnf -s packet-pkcs12-template pkcs12.asn
+!ELSE
+ @echo Error: You need Python to use asn2wrs.py
+ @exit 1
+!ENDIF
+
+clean:
+ rm -f parsetab.py parsetab.pyc $(DISSECTOR_FILES)
+
+distclean: clean
+
+maintainer-clean: distclean
+
+# Fix EOL in generated dissectors. Cygwin's python generates files with
+# mixed EOL styles, which can't be commited to the SVN repository.
+# Stuff included from template and "cnf" files has "\r\n" on windows, while
+# the generated stuff has "\n".
+
+fix_eol: generate_dissector
+ move packet-$(PROTOCOL_NAME).c packet-$(PROTOCOL_NAME).c.tmp
+ move packet-$(PROTOCOL_NAME).h packet-$(PROTOCOL_NAME).h.tmp
+ $(UNIX2DOS) < packet-$(PROTOCOL_NAME).c.tmp > packet-$(PROTOCOL_NAME).c
+ $(UNIX2DOS) < packet-$(PROTOCOL_NAME).h.tmp > packet-$(PROTOCOL_NAME).h
+ del /f packet-$(PROTOCOL_NAME).c.tmp packet-$(PROTOCOL_NAME).h.tmp
+
+copy_files: generate_dissector fix_eol
+ xcopy packet-$(PROTOCOL_NAME).c ..\..\epan\dissectors /d /y
+ xcopy packet-$(PROTOCOL_NAME).h ..\..\epan\dissectors /d /y
+
diff --git a/asn1/pkcs12/packet-pkcs12-template.c b/asn1/pkcs12/packet-pkcs12-template.c
new file mode 100644
index 0000000000..04997031cd
--- /dev/null
+++ b/asn1/pkcs12/packet-pkcs12-template.c
@@ -0,0 +1,159 @@
+/* packet-pkcs12.c
+ * Routines for PKCS#12: Personal Information Exchange packet dissection
+ * Graeme Lunt 2006
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <glib.h>
+#include <epan/packet.h>
+#include <epan/conversation.h>
+#include <epan/oid_resolv.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include "packet-ber.h"
+#include "packet-pkcs12.h"
+#include "packet-x509af.h"
+#include "packet-x509if.h"
+#include "packet-cms.h"
+
+#define PNAME "PKCS#12: Personal Information Exchange"
+#define PSNAME "PKCS12"
+#define PFNAME "pkcs12"
+
+/* Initialize the protocol and registered fields */
+int proto_pkcs12 = -1;
+
+static const char *object_identifier_id = NULL;
+static const gchar *pref_password = NULL;
+
+
+static void dissect_AuthenticatedSafe_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
+static void dissect_SafeContents_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
+
+#include "packet-pkcs12-hf.c"
+
+/* Initialize the subtree pointers */
+#include "packet-pkcs12-ett.c"
+
+#include "packet-pkcs12-fn.c"
+
+static int strip_octet_string(tvbuff_t *tvb, proto_tree *tree)
+{
+ gint8 class;
+ gboolean pc, ind;
+ gint32 tag;
+ guint32 len;
+ int offset = 0;
+
+ /* PKCS#7 encodes the content as OCTET STRING, whereas CMS is just any ANY */
+ /* if we use CMS (rather than PKCS#7) - which we are - we need to strip the OCTET STRING tag */
+ /* before proceeding */
+
+ offset = get_ber_identifier(tvb, 0, &class, &pc, &tag);
+ offset = get_ber_length(NULL, tvb, offset, &len, &ind);
+
+ if((class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_OCTETSTRING))
+ return offset;
+
+ proto_tree_add_text(tree, tvb, 0, 1, "BER Error: OCTET STRING expected");
+
+ return 0;
+
+}
+
+static void dissect_AuthenticatedSafe_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
+ int offset = 0;
+
+ if((offset = strip_octet_string(tvb, tree)) > 0)
+ dissect_pkcs12_AuthenticatedSafe(FALSE, tvb, offset, pinfo, tree, hf_pkcs12_AuthenticatedSafe_PDU);
+}
+
+static void dissect_SafeContents_OCTETSTRING_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+ int offset = 0;
+
+ if((offset = strip_octet_string(tvb, tree)) > 0)
+ dissect_pkcs12_SafeContents(FALSE, tvb, offset, pinfo, tree, hf_pkcs12_SafeContents_PDU);
+}
+
+#if 0
+static int decrypt_data(tvbuff_t *encrypted_data,
+ /* enc_params */
+ gnu_tls_ciper_algorithm cipher,
+ int iter_count,
+ /* kdf_params */
+ gnutls_datum_t *salt, size_t salt_size,
+ gnutls_datum_t *iv, size_t iv_size,
+ size_t key_size,
+ tvb_buff_t **decrypted_data)
+{
+
+
+
+
+ if(key_size == 0)
+ key_size = gnutls_cipher_get_key_size(cipher);
+
+
+}
+
+# endif /* 0 */
+
+/*--- proto_register_pkcs12 ----------------------------------------------*/
+void proto_register_pkcs12(void) {
+
+ /* List of fields */
+ static hf_register_info hf[] = {
+
+#include "packet-pkcs12-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+#include "packet-pkcs12-ettarr.c"
+ };
+
+ /* Register protocol */
+ proto_pkcs12 = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+ /* Register fields and subtrees */
+ proto_register_field_array(proto_pkcs12, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+ register_ber_syntax_dissector("PKCS#12", proto_pkcs12, dissect_PFX_PDU);
+ register_ber_oid_syntax(".p12", NULL, "PKCS#12");
+ register_ber_oid_syntax(".pfx", NULL, "PKCS#12");
+}
+
+
+/*--- proto_reg_handoff_pkcs12 -------------------------------------------*/
+void proto_reg_handoff_pkcs12(void) {
+#include "packet-pkcs12-dis-tab.c"
+
+}
+
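Review bot: `strip_octet_string` checks only class and tag and ignores the primitive/constructed flag and the decoded length, so a constructed OCTET STRING (`pc` set) passes the check and its segment headers, not the expected SEQUENCE, are handed to `dissect_pkcs12_AuthenticatedSafe`/`dissect_pkcs12_SafeContents`, while `len` and `ind` are computed and never used; either reject it with `if((class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_OCTETSTRING) && !pc)` or reassemble the segments, and consider bounding the inner dissection to `len` rather than the whole tvb. `pref_password` is a file-static that is never registered as a preference or read, so it is likely to draw an unused-variable warning; drop it until a password preference exists. The `#if 0` `decrypt_data` stub, with the misspelt `gnu_tls_ciper_algorithm` and `tvb_buff_t` types, is dead code that is better kept as a TODO comment than committed in the template. A short header comment on `strip_octet_string` would help, e.g. `/* Skip the OCTET STRING wrapper that id-data puts around the content; returns the offset of the inner content, or 0 (after adding a BER error item) if the outer tag is not an OCTET STRING. */`.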
diff --git a/asn1/pkcs12/packet-pkcs12-template.h b/asn1/pkcs12/packet-pkcs12-template.h
new file mode 100644
index 0000000000..ec83dd7bca
--- /dev/null
+++ b/asn1/pkcs12/packet-pkcs12-template.h
@@ -0,0 +1,30 @@
+/* packet-pkcs12.h
+ * Routines for PKCS#12 Personal Information Exchange packet dissection
+ * Graeme Lunt 2006
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifndef PACKET_PKCS12_H
+#define PACKET_PKCS12_H
+
+#endif /* PACKET_PKCS12_H */
+
diff --git a/asn1/pkcs12/pkcs12.asn b/asn1/pkcs12/pkcs12.asn
new file mode 100644
index 0000000000..70c35d6798
--- /dev/null
+++ b/asn1/pkcs12/pkcs12.asn
@@ -0,0 +1,277 @@
+PKCS-12 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+ pkcs-12(12) modules(0) pkcs-12(1)}
+
+-- $Revision$
+
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL
+-- All types and values defined in this module is exported for use in
+-- other ASN.1 modules.
+
+IMPORTS
+
+--informationFramework
+-- FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
+-- usefulDefinitions(0) 3}
+
+Attribute
+ FROM InformationFramework informationFramework
+
+ContentInfo, --DigestInfo-- Digest, DigestAlgorithmIdentifier
+ FROM PKCS-7 {iso(1) member-body(2) us(840) rsadsi(113549)
+ pkcs(1) pkcs-7(7) modules(0) pkcs-7(1)}
+
+--PrivateKeyInfo, EncryptedPrivateKeyInfo
+-- FROM PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549)
+-- pkcs(1) pkcs-8(8) modules(1) pkcs-8(1)}
+--
+--pkcs-9, friendlyName, localKeyId, certTypes, crlTypes
+-- FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549)
+-- pkcs(1) pkcs-9(9) modules(0) pkcs-9(1) };--
+
+-- A PKCS#8 IMPORT from below
+AlgorithmIdentifier, ALGORITHM-IDENTIFIER
+ FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
+ pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)};
+
+
+-- Object identifiers
+
+--rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549)}
+--pkcs OBJECT IDENTIFIER ::= {rsadsi pkcs(1)}
+--pkcs-12 OBJECT IDENTIFIER ::= {pkcs 12}
+--pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1}
+--pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1}
+--pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2}
+--pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3}
+--pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4}
+--pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5}
+--pbewithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6}
+
+--bagtypes OBJECT IDENTIFIER ::= {pkcs-12 10 1}
+
+-- The PFX PDU
+
+PFX ::= SEQUENCE {
+ version INTEGER {v3(3)}(v3,...),
+ authSafe ContentInfo,
+ macData MacData OPTIONAL
+}
+
+MacData ::= SEQUENCE {
+ mac DigestInfo,
+ macSalt OCTET STRING,
+ iterations INTEGER DEFAULT 1
+-- Note: The default is for historical reasons and its use is
+-- deprecated. A higher value, like 1024 is recommended.
+}
+
+-- Imported from PKCS#7
+DigestInfo ::= SEQUENCE {
+ digestAlgorithm DigestAlgorithmIdentifier,
+ digest Digest
+}
+
+AuthenticatedSafe ::= SEQUENCE OF ContentInfo
+ -- Data if unencrypted
+ -- EncryptedData if password-encrypted
+ -- EnvelopedData if public key-encrypted
+
+SafeContents ::= SEQUENCE OF SafeBag
+
+SafeBag ::= SEQUENCE {
+ bagId -- BAG-TYPE.&id ({PKCS12BagSet}) -- OBJECT IDENTIFIER,
+ bagValue [0] EXPLICIT --BAG-TYPE.&Type({PKCS12BagSet}{@bagId}) -- ANY,
+ bagAttributes SET OF PKCS12Attribute OPTIONAL
+}
+
+-- Bag types
+
+--keyBag BAG-TYPE ::=
+-- {KeyBag IDENTIFIED BY {bagtypes 1}}
+--pkcs8ShroudedKeyBag BAG-TYPE ::=
+-- {PKCS8ShroudedKeyBag IDENTIFIED BY {bagtypes 2}}
+--certBag BAG-TYPE ::=
+-- {CertBag IDENTIFIED BY {bagtypes 3}}
+--crlBag BAG-TYPE ::=
+-- {CRLBag IDENTIFIED BY {bagtypes 4}}
+--secretBag BAG-TYPE ::=
+-- {SecretBag IDENTIFIED BY {bagtypes 5}}
+--safeContentsBag BAG-TYPE ::=
+-- {SafeContents IDENTIFIED BY {bagtypes 6}}
+
+--PKCS12BagSet BAG-TYPE ::= {
+-- keyBag |
+-- pkcs8ShroudedKeyBag |
+-- certBag |
+-- crlBag |
+-- secretBag |
+-- safeContentsBag,
+-- ... - - For future extensions
+--}
+
+--BAG-TYPE ::= TYPE-IDENTIFIER
+
+-- KeyBag
+
+KeyBag ::= PrivateKeyInfo
+
+-- Shrouded KeyBag
+
+PKCS8ShroudedKeyBag ::= EncryptedPrivateKeyInfo
+
+-- CertBag
+
+CertBag ::= SEQUENCE {
+ certId --BAG-TYPE.&id ({CertTypes}) -- OBJECT IDENTIFIER,
+ certValue [0] EXPLICIT --BAG-TYPE.&Type ({CertTypes}{@certId})-- ANY
+}
+
+--x509Certificate BAG-TYPE ::=
+-- {OCTET STRING IDENTIFIED BY {certTypes 1}}
+ -- DER-encoded X.509 certificate stored in OCTET STRING
+--sdsiCertificate BAG-TYPE ::=
+-- {IA5String IDENTIFIED BY {certTypes 2}}
+ -- Base64-encoded SDSI certificate stored in IA5String
+
+--CertTypes BAG-TYPE ::= {
+-- x509Certificate |
+-- sdsiCertificate,
+-- ... - - For future extensions
+--}
+
+-- CRLBag
+
+CRLBag ::= SEQUENCE {
+ crlId --BAG-TYPE.&id ({CRLTypes})-- OBJECT IDENTIFIER,
+ crlValue [0] EXPLICIT --BAG-TYPE.&Type ({CRLTypes}{@crlId})-- ANY
+}
+
+--x509CRL BAG-TYPE ::=
+-- {OCTET STRING IDENTIFIED BY {crlTypes 1}}
+ -- DER-encoded X.509 CRL stored in OCTET STRING
+
+--CRLTypes BAG-TYPE ::= {
+-- x509CRL,
+-- ... - - For future extensions
+--}
+
+-- Secret Bag
+
+SecretBag ::= SEQUENCE {
+ secretTypeId --BAG-TYPE.&id ({SecretTypes})-- OBJECT IDENTIFIER,
+ secretValue [0] EXPLICIT --BAG-TYPE.&Type ({SecretTypes}{@secretTypeId})-- ANY
+}
+
+--SecretTypes BAG-TYPE ::= {
+-- ... - - For future extensions
+--}
+
+-- Attributes
+
+PKCS12Attribute ::= SEQUENCE {
+ attrId --ATTRIBUTE.&id ({PKCS12AttrSet})-- OBJECT IDENTIFIER,
+ attrValues SET OF --ATTRIBUTE.&Type ({PKCS12AttrSet}{@attrId})-- ANY
+} -- This type is compatible with the X.500 type 'Attribute'
+
+--PKCS12AttrSet ATTRIBUTE ::= {
+-- friendlyName |
+-- localKeyId,
+-- ... - - Other attributes are allowed
+--}
+
+--END
+
+-- We import PKCS#8 here directly rather than creating another dissector
+
+--PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-8(8)
+-- modules(1) pkcs-8(1)}
+
+-- $Revision: 1.5 $
+
+-- This module has been checked for conformance with the ASN.1
+-- standard by the OSS ASN.1 Tools
+
+--DEFINITIONS IMPLICIT TAGS ::=
+
+--BEGIN
+
+-- EXPORTS All --
+-- All types and values defined in this module is exported for use in other
+-- ASN.1 modules.
+
+--IMPORTS
+
+--informationFramework
+-- FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
+-- usefulDefinitions(0) 3}
+
+--Attribute
+-- FROM InformationFramework informationFramework
+
+--AlgorithmIdentifier, ALGORITHM-IDENTIFIER
+-- FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
+-- pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)};
+
+-- Private-key information syntax
+
+PrivateKeyInfo ::= SEQUENCE {
+ version Version,
+ privateKeyAlgorithm AlgorithmIdentifier --{{PrivateKeyAlgorithms}}--,
+ privateKey PrivateKey,
+ attributes [0] Attributes OPTIONAL }
+
+Version ::= INTEGER {v1(0)} (v1,...)
+
+PrivateKey ::= OCTET STRING
+
+Attributes ::= SET OF Attribute
+
+-- Encrypted private-key information syntax
+
+EncryptedPrivateKeyInfo ::= SEQUENCE {
+ encryptionAlgorithm AlgorithmIdentifier --{{KeyEncryptionAlgorithms}}--,
+ encryptedData EncryptedData
+}
+
+EncryptedData ::= OCTET STRING
+
+--PrivateKeyAlgorithms ALGORITHM-IDENTIFIER ::= {
+-- ... - - For local profiles
+--}
+
+--KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
+-- ... - - For local profiles
+--}
+
+-- From RFC 2898
+PBEParameter ::= SEQUENCE {
+ salt OCTET STRING,
+ iterationCount INTEGER
+}
+
+
+PBKDF2Params ::= SEQUENCE {
+ salt CHOICE {
+ specified OCTET STRING,
+ otherSource AlgorithmIdentifier --{{PBKDF2-SaltSources}}--
+ },
+ iterationCount INTEGER --(1..MAX)--,
+ keyLength INTEGER (1..MAX) OPTIONAL,
+ prf AlgorithmIdentifier --{{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1-- OPTIONAL }
+
+PBES2Params ::= SEQUENCE {
+ keyDerivationFunc AlgorithmIdentifier --{{PBES2-KDFs}}--,
+ encryptionScheme AlgorithmIdentifier --{{PBES2-Encs}}-- }
+
+PBMAC1Params ::= SEQUENCE {
+ keyDerivationFunc AlgorithmIdentifier --{{PBMAC1-KDFs}}--,
+ messageAuthScheme AlgorithmIdentifier --{{PBMAC1-MACs}}-- }
+
+
+END
+
+
diff --git a/asn1/pkcs12/pkcs12.cnf b/asn1/pkcs12/pkcs12.cnf
new file mode 100644
index 0000000000..4a86238dc4
--- /dev/null
+++ b/asn1/pkcs12/pkcs12.cnf
@@ -0,0 +1,117 @@
+# pkcs12.cnf
+# PKCS12 conformation file
+
+# $Id$
+
+#.MODULE_IMPORT
+PKCS-7 cms
+PKCS-5 x509af
+
+#.INCLUDE ../cms/cms-exp.cnf
+#.INCLUDE ../x509if/x509if-exp.cnf
+#.INCLUDE ../x509af/x509af-exp.cnf
+
+#.EXPORTS
+
+
+#.REGISTER
+KeyBag B "1.2.840.113549.1.12.10.1.1" "keyBag"
+PKCS8ShroudedKeyBag B "1.2.840.113549.1.12.10.1.2" "pkcs8ShroudedKeyBag"
+CertBag B "1.2.840.113549.1.12.10.1.3" "certBag"
+SecretBag B "1.2.840.113549.1.12.10.1.4" "secretBag"
+CRLBag B "1.2.840.113549.1.12.10.1.5" "crlBag"
+SafeContents B "1.2.840.113549.1.12.10.1.6" "safeContentsBag"
+
+# PKCS#9 Attributes - see master list in x509sat.cnf
+PFX B "2.16.840.1.113730.3.1.216" "pkcs-9-at-PKCS12"
+EncryptedPrivateKeyInfo B "1.2.840.113549.1.9.25.2" "pkcs-9-at-encryptedPrivateKeyInfo"
+
+# Password Based Encryption
+PBEParameter B "1.2.840.113549.1.12.1.1" "pbeWithSHAAnd128BitRC4"
+PBEParameter B "1.2.840.113549.1.12.1.2" "pbeWithSHAAnd40BitRC4"
+PBEParameter B "1.2.840.113549.1.12.1.3" "pbeWithSHAAnd3-KeyTripleDES-CBC"
+PBEParameter B "1.2.840.113549.1.12.1.4" "pbeWithSHAAnd2-KeyTripleDES-CBC"
+PBEParameter B "1.2.840.113549.1.12.1.5" "pbeWithSHAAnd128BitRC2-CBC"
+PBEParameter B "1.2.840.113549.1.12.1.6" "pbeWithSHAAnd128BitRC2-CBC"
+
+PBEParameter B "1.2.840.113549.1.5.1" "pbeWithMD2AndDES-CBC"
+PBEParameter B "1.2.840.113549.1.5.3" "pbeWithMD5AndDES-CBC"
+PBEParameter B "1.2.840.113549.1.5.4" "pbeWithMD2AndRC2-CBC"
+PBEParameter B "1.2.840.113549.1.5.6" "pbeWithMD5AndRC2-CBC"
+PBEParameter B "1.2.840.113549.1.5.10" "pbeWithSHA1AndDES-CBC"
+PBEParameter B "1.2.840.113549.1.5.11" "pbeWithSHA1AndRC2-CBC"
+
+PBKDF2Params B "1.2.840.113549.1.5.12" "id-PBKDF2"
+PBES2Params B "1.2.840.113549.1.5.13" "id-PBES2"
+PBMAC1Params B "1.2.840.113549.1.5.14" "id-PBMAC1"
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+PrivateKeyInfo/version privateKeyVersion
+PBKDF2Params/salt saltChoice
+
+#.PDU
+AuthenticatedSafe
+
+#.FN_BODY PFX
+ dissector_handle_t dissector_handle;
+
+ /* we change the CMS id-data dissector to dissect as AuthenticatedSafe
+ not sure why PKCS#12 couldn't have used its own content type OID for AuthenticatedSafe */
+ dissector_handle=create_dissector_handle(dissect_AuthenticatedSafe_OCTETSTRING_PDU, proto_pkcs12);
+ dissector_change_string("ber.oid", "1.2.840.113549.1.7.1", dissector_handle);
+
+ %(DEFAULT_BODY)s
+
+ /* restore the original dissector */
+ dissector_reset_string("ber.oid", "1.2.840.113549.1.7.1");
+
+#.FN_BODY AuthenticatedSafe
+ dissector_handle_t dissector_handle;
+
+ /* we change the CMS id-data dissector to dissect as SafeContents */
+ dissector_handle=create_dissector_handle(dissect_SafeContents_OCTETSTRING_PDU, proto_pkcs12);
+ dissector_change_string("ber.oid", "1.2.840.113549.1.7.1", dissector_handle);
+
+ %(DEFAULT_BODY)s
+
+ /* restore the original dissector */
+ dissector_reset_string("ber.oid", "1.2.840.113549.1.7.1");
+
+#.FN_PARS OBJECT_IDENTIFIER
+ FN_VARIANT = _str VAL_PTR = &object_identifier_id
+
+#.FN_BODY OBJECT_IDENTIFIER
+ const char *name = NULL;
+
+ %(DEFAULT_BODY)s
+
+ name = get_oid_str_name(object_identifier_id);
+ proto_item_append_text(tree, " (%%s)", name ? name : object_identifier_id);
+
+#.FN_BODY T_bagValue
+ if(object_identifier_id)
+ offset = call_ber_oid_callback(object_identifier_id, tvb, offset, pinfo, tree);
+
+#.FN_BODY T_attrValues_item
+ if(object_identifier_id)
+ offset = call_ber_oid_callback(object_identifier_id, tvb, offset, pinfo, tree);
+
+#.FN_BODY T_certValue
+ if(object_identifier_id)
+ offset = call_ber_oid_callback(object_identifier_id, tvb, offset, pinfo, tree);
+
+#.FN_BODY T_crlValue
+ if(object_identifier_id)
+ offset = call_ber_oid_callback(object_identifier_id, tvb, offset, pinfo, tree);
+
+#.FN_BODY T_secretValue
+ if(object_identifier_id)
+ offset = call_ber_oid_callback(object_identifier_id, tvb, offset, pinfo, tree);
+
+#.END
+
+
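Review bot: The bag-type registrations for `CRLBag` and `SecretBag` are swapped relative to the module's own comments in pkcs12.asn (`crlBag` is `{bagtypes 4}`, `secretBag` is `{bagtypes 5}`), so those two lines should read `CRLBag B "1.2.840.113549.1.12.10.1.4" "crlBag"` and `SecretBag B "1.2.840.113549.1.12.10.1.5" "secretBag"`; likewise the entry for `1.2.840.113549.1.12.1.6` repeats the `...128BitRC2-CBC` name where the .asn comment gives `pbeWithSHAAnd40BitRC2-CBC`. The `OBJECT_IDENTIFIER` body calls `get_oid_str_name` and formats `%%s` with `object_identifier_id` unguarded, unlike the `ContentType` body in cms.cnf, so a failed OID decode passes NULL through; wrap the two lines in `if(object_identifier_id) { … }`. In the `PFX` and `AuthenticatedSafe` bodies the `dissector_reset_string` after `%(DEFAULT_BODY)s` is skipped whenever the inner dissection throws (a truncated or malformed file is enough), which leaves the global id-data handler pointed at the pkcs12 callback for every later CMS packet, and a new handle is created on every PDU; creating the handles once in proto_reg_handoff_pkcs12 and doing the reset in a TRY/FINALLY around the default body would make this robust.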
diff --git a/asn1/x509sat/x509sat-exp.cnf b/asn1/x509sat/x509sat-exp.cnf
index 9be756f641..6def1c478d 100644
--- a/asn1/x509sat/x509sat-exp.cnf
+++ b/asn1/x509sat/x509sat-exp.cnf
@@ -1,6 +1,6 @@
# Do not modify this file.
# It is created automatically by the ASN.1 to Wireshark dissector compiler
-# .\x509sat-exp.cnf
+# ./x509sat-exp.cnf
# ../../tools/asn2wrs.py -b -e -p x509sat -c x509sat.cnf -s packet-x509sat-template SelectedAttributeTypes.asn
#.MODULE
diff --git a/asn1/x509sat/x509sat.cnf b/asn1/x509sat/x509sat.cnf
index 8424ff7ba8..d3a8b2c9ed 100644
--- a/asn1/x509sat/x509sat.cnf
+++ b/asn1/x509sat/x509sat.cnf
@@ -233,6 +233,34 @@ DirectoryString B "2.16.840.1.101.2.2.1.143" "id-at-adminConversion"
SyntaxPrintableString B "2.16.840.1.101.2.2.1.144" "id-at-tCCG"
DirectoryString B "2.16.840.1.101.2.2.1.145" "id-at-usdConversion"
+# PKCS#9
+
+SyntaxIA5String B "1.2.840.113549.1.9.1" "pkcs-9-at-emailAddress"
+#PKCS9String B "1.2.840.113549.1.9.2" "pkcs-9-at-unstructuredName" - TBD
+#ContentType B "1.2.840.113549.1.9.3" "pkcs-9-at-contentType" - see cms.cnf
+#MessageDigest B "1.2.840.113549.1.9.4" "pkcs-9-at-messageDigest" - see cms.cnf
+#SigningTime B "1.2.840.113549.1.9.5" "pkcs-9-at-signingTime" - see cms.cnf
+#Countersignature B "1.2.840.113549.1.9.6" "pkcs-9-at-counterSignature" - see cms.cnf
+DirectoryString B "1.2.840.113549.1.9.7" "pkcs-9-at-challengePassword"
+DirectoryString B "1.2.840.113549.1.9.8" "pkcs-9-at-unstructuredAddress"
+#SETOFAttribute B "1.2.840.113549.1.9.9" "pkcs-9-at-extendedCertificateAttributes" - TBD
+DirectoryString B "1.2.840.113549.1.9.13" "pkcs-9-at-signingDescription"
+#ExtensionRequest B "1.2.840.113549.1.9.14" "pkcs-9-at-extensionRequest" - TBD
+#SMIMECapabiliaties B "1.2.840.113549.1.9.15" "pkcs-9-at-smimeCapabilities" - TBD
+SyntaxBMPString B "1.2.840.113549.1.9.20" "pkcs-9-at-friendlyName"
+OctetString B "1.2.840.113549.1.9.21" "pkcs-9-at-localKeyId"
+#PFX B "2.16.840.1.113730.3.1.216" "pkcs-9-at-PKCS12" - see pkcs12.cnf
+#PKCS15Token B "1.2.840.113549.1.9.25.1" "pkcs-9-at-pkcs15Token" - TBD
+#EncryptedPrivateKeyInfo B "1.2.840.113549.1.9.25.2" "pkcs-9-at-encryptedPrivateKeyInfo" - see pkcs12.cnf
+OctetString B "1.2.840.113549.1.9.25.3" "pkcs-9-at-randomNonce" # move to PKCS#9 when defined
+Integer B "1.2.840.113549.1.9.25.4" "pkcs-9-at-sequenceNumber" # move to PKCS#9 when defined
+#ContentInfo B "1.2.840.113549.1.9.25.5" "pkcs-9-at-pkcs7PDU" - TBD - not the same as CMS ContentInfo
+
+SyntaxGeneralizedTime B "1.3.6.1.5.5.7.9.1" "pkcs-9-at-dateOfBirth"
+DirectoryString B "1.3.6.1.5.5.7.9.2" "pkcs-9-at-placeOfBirth"
+SyntaxPrintableString B "1.3.6.1.5.5.7.9.3" "pkcs-9-at-gender"
+SyntaxPrintableString B "1.3.6.1.5.5.7.9.4" "pkcs-9-at-countryOfCitizenship"
+SyntaxPrintableString B "1.3.6.1.5.5.7.9.5" "pkcs-9-at-countryOfResidence"
#.NO_EMIT