Diffstat (limited to 'asn1/pkixcrmf')
-rw-r--r--asn1/pkixcrmf/CRMF.asn408
-rw-r--r--asn1/pkixcrmf/Makefile2
-rw-r--r--asn1/pkixcrmf/Makefile.nmake2
-rw-r--r--asn1/pkixcrmf/crmf-exp.cnf8
-rw-r--r--asn1/pkixcrmf/crmf.cnf13
5 files changed, 237 insertions, 196 deletions
diff --git a/asn1/pkixcrmf/CRMF.asn b/asn1/pkixcrmf/CRMF.asn
index 55ce3a42b4..eb1eb17e61 100644
--- a/asn1/pkixcrmf/CRMF.asn
+++ b/asn1/pkixcrmf/CRMF.asn
@@ -1,199 +1,191 @@
--- This ASN1 definition is taken from RFC2511 and modified to pass through
--- the asn2wrs compiler.
+-- Extracted from RFC4211
+-- by Martin Peylo <martin.peylo@nsn.com>
--
--- The copyright statement from the original description in RFC2511
+-- Changes to make it work with asn2wrs:
+-- - none
+--
+-- The copyright statement from the original description in RFC4211
-- follows below:
---
---
+--
-- Full Copyright Statement
---
--- Copyright (C) The Internet Society (1999). All Rights Reserved.
---
--- This document and translations of it may be copied and furnished to
--- others, and derivative works that comment on or otherwise explain it
--- or assist in its implementation may be prepared, copied, published
--- and distributed, in whole or in part, without restriction of any
--- kind, provided that the above copyright notice and this paragraph are
--- included on all such copies and derivative works. However, this
--- document itself may not be modified in any way, such as by removing
--- the copyright notice or references to the Internet Society or other
--- Internet organizations, except as needed for the purpose of
--- developing Internet standards in which case the procedures for
--- copyrights defined in the Internet Standards process must be
--- followed, or as required to translate it into languages other than
--- English.
---
--- The limited permissions granted above are perpetual and will not be
--- revoked by the Internet Society or its successors or assigns.
---
--- This document and the information contained herein is provided on an
--- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
--- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
--- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
--- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
--- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
---PKIXCRMF {iso(1) identified-organization(3) dod(6) internet(1)
--- security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf(5)}
-
-CRMF DEFINITIONS IMPLICIT TAGS ::=
+--
+-- Copyright (C) The Internet Society (2005).
+--
+-- This document is subject to the rights, licenses and restrictions
+-- contained in BCP 78, and except as set forth therein, the authors
+-- retain all their rights.
+--
+-- This document and the information contained herein are provided on an
+-- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+-- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+-- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+-- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+-- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+-- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6) internet(1)
+security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005(36)}
+
+DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
- -- Directory Authentication Framework (X.509)
- AlgorithmIdentifier, Name,
- SubjectPublicKeyInfo, Extensions
- FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
+ -- Directory Authentication Framework (X.509)
+ Version, AlgorithmIdentifier, Name, Time,
+ SubjectPublicKeyInfo, Extensions, UniqueIdentifier, Attribute
+ FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-pkix1-explicit(18)} -- found in [PROFILE]
+
+ -- Certificate Extensions (X.509)
+ GeneralName
+ FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-pkix1-explicit-88(1)}
+ id-pkix1-implicit(19)} -- found in [PROFILE]
- -- Certificate Extensions (X.509)
- GeneralName
- FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-pkix1-implicit-88(2)}
+ -- Cryptographic Message Syntax
+ EnvelopedData
+ FROM CryptographicMessageSyntax2004 { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+ modules(0) cms-2004(24) }; -- found in [CMS]
- -- Cryptographic Message Syntax
- EnvelopedData
- FROM CryptographicMessageSyntax { iso(1) member-body(2)
- us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
- modules(0) cms(1) };
+-- The following definition may be uncommented for use with
+-- ASN.1 compilers that do not understand UTF8String.
+
+-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+ -- The contents of this type correspond to RFC 2279.
+
+id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
+dod(6) internet(1) security(5) mechanisms(5) 7 }
+
+-- arc for Internet X.509 PKI protocols and their components
+id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 }
---copied in from pkix1explicit
-Version ::= INTEGER { v1(0), v2(1), v3(2) }
-UniqueIdentifier ::= BIT STRING
-Time ::= CHOICE {
- utcTime UTCTime,
- generalTime GeneralizedTime }
+id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
+id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types
+-- Core definitions for this module
CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
CertReqMsg ::= SEQUENCE {
- certReq CertRequest,
- pop ProofOfPossession OPTIONAL,
- -- content depends upon key type
- regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL }
+ certReq CertRequest,
+ popo ProofOfPossession OPTIONAL,
+ -- content depends upon key type
+ regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL }
CertRequest ::= SEQUENCE {
- certReqId INTEGER, -- ID for matching request and reply
- certTemplate CertTemplate, -- Selected fields of cert to be issued
- controls Controls OPTIONAL } -- Attributes affecting issuance
+ certReqId INTEGER, -- ID for matching request and reply
+ certTemplate CertTemplate, -- Selected fields of cert to be issued
+ controls Controls OPTIONAL } -- Attributes affecting issuance
CertTemplate ::= SEQUENCE {
- version [0] Version OPTIONAL,
- serialNumber [1] INTEGER OPTIONAL,
- signingAlg [2] AlgorithmIdentifier OPTIONAL,
- issuer [3] Name OPTIONAL,
- validity [4] OptionalValidity OPTIONAL,
- subject [5] Name OPTIONAL,
- publicKey [6] SubjectPublicKeyInfo OPTIONAL,
- issuerUID [7] UniqueIdentifier OPTIONAL,
- subjectUID [8] UniqueIdentifier OPTIONAL,
- extensions [9] Extensions OPTIONAL }
+ version [0] Version OPTIONAL,
+ serialNumber [1] INTEGER OPTIONAL,
+ signingAlg [2] AlgorithmIdentifier OPTIONAL,
+ issuer [3] Name OPTIONAL,
+ validity [4] OptionalValidity OPTIONAL,
+ subject [5] Name OPTIONAL,
+ publicKey [6] SubjectPublicKeyInfo OPTIONAL,
+ issuerUID [7] UniqueIdentifier OPTIONAL,
+ subjectUID [8] UniqueIdentifier OPTIONAL,
+ extensions [9] Extensions OPTIONAL }
OptionalValidity ::= SEQUENCE {
- notBefore [0] Time OPTIONAL,
- notAfter [1] Time OPTIONAL } --at least one MUST be present
+ notBefore [0] Time OPTIONAL,
+ notAfter [1] Time OPTIONAL } -- at least one MUST be present
Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
- type OBJECT IDENTIFIER,
- value ANY }
+ type OBJECT IDENTIFIER,
+ value ANY DEFINED BY type }
ProofOfPossession ::= CHOICE {
- raVerified [0] NULL,
- -- used if the RA has already verified that the requester is in
- -- possession of the private key
- signature [1] POPOSigningKey,
- keyEncipherment [2] POPOPrivKey,
- keyAgreement [3] POPOPrivKey }
+ raVerified [0] NULL,
+ -- used if the RA has already verified that the requester is in
+ -- possession of the private key
+ signature [1] POPOSigningKey,
+ keyEncipherment [2] POPOPrivKey,
+ keyAgreement [3] POPOPrivKey }
POPOSigningKey ::= SEQUENCE {
- poposkInput [0] POPOSigningKeyInput OPTIONAL,
- algorithmIdentifier AlgorithmIdentifier,
- signature BIT STRING }
- -- The signature (using "algorithmIdentifier") is on the
- -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
- -- certReq CertTemplate contains the subject and publicKey values,
- -- then poposkInput MUST be omitted and the signature MUST be
- -- computed on the DER-encoded value of CertReqMsg certReq. If
- -- the CertReqMsg certReq CertTemplate does not contain the public
- -- key and subject values, then poposkInput MUST be present and
- -- MUST be signed. This strategy ensures that the public key is
- -- not present in both the poposkInput and CertReqMsg certReq
- -- CertTemplate fields.
+ poposkInput [0] POPOSigningKeyInput OPTIONAL,
+ algorithmIdentifier AlgorithmIdentifier,
+ signature BIT STRING }
+
+ -- The signature (using "algorithmIdentifier") is on the
+ -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
+ -- certReq CertTemplate contains the subject and publicKey values,
+ -- then poposkInput MUST be omitted and the signature MUST be
+ -- computed over the DER-encoded value of CertReqMsg certReq. If
+ -- the CertReqMsg certReq CertTemplate does not contain both the
+ -- public key and subject values (i.e., if it contains only one
+ -- of these, or neither), then poposkInput MUST be present and
+ -- MUST be signed.
POPOSigningKeyInput ::= SEQUENCE {
- authInfo CHOICE {
- sender [0] GeneralName,
- -- used only if an authenticated identity has been
- -- established for the sender (e.g., a DN from a
- -- previously-issued and currently-valid certificate
- publicKeyMAC PKMACValue },
- -- used if no authenticated GeneralName currently exists for
- -- the sender; publicKeyMAC contains a password-based MAC
- -- on the DER-encoded value of publicKey
- publicKey SubjectPublicKeyInfo } -- from CertTemplate
+ authInfo CHOICE {
+ sender [0] GeneralName,
+ -- used only if an authenticated identity has been
+ -- established for the sender (e.g., a DN from a
+ -- previously-issued and currently-valid certificate)
+ publicKeyMAC PKMACValue },
+ -- used if no authenticated GeneralName currently exists for
+ -- the sender; publicKeyMAC contains a password-based MAC
+ -- on the DER-encoded value of publicKey
+ publicKey SubjectPublicKeyInfo } -- from CertTemplate
PKMACValue ::= SEQUENCE {
- algId AlgorithmIdentifier,
- -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
- -- parameter value is PBMParameter
- value BIT STRING }
+algId AlgorithmIdentifier,
+-- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
+-- parameter value is PBMParameter
+value BIT STRING }
PBMParameter ::= SEQUENCE {
- salt OCTET STRING,
- owf AlgorithmIdentifier,
- -- AlgId for a One-Way Function (SHA-1 recommended)
- iterationCount INTEGER,
- -- number of times the OWF is applied
- mac AlgorithmIdentifier
- -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
-} -- or HMAC [RFC2104, RFC2202])
+ salt OCTET STRING,
+ owf AlgorithmIdentifier,
+ -- AlgId for a One-Way Function (SHA-1 recommended)
+ iterationCount INTEGER,
+ -- number of times the OWF is applied
+ mac AlgorithmIdentifier
+ -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+} -- or HMAC [HMAC, RFC2202])
POPOPrivKey ::= CHOICE {
- thisMessage [0] BIT STRING,
- -- posession is proven in this message (which contains the private
- -- key itself (encrypted for the CA))
- subsequentMessage [1] SubsequentMessage,
- -- possession will be proven in a subsequent message
- dhMAC [2] BIT STRING }
- -- for keyAgreement (only), possession is proven in this message
- -- (which contains a MAC (over the DER-encoded value of the
- -- certReq parameter in CertReqMsg, which MUST include both subject
- -- and publicKey) based on a key derived from the end entity's
- -- private DH key and the CA's public DH key);
- -- the dhMAC value MUST be calculated as per the directions given
- -- in Appendix A.
+ thisMessage [0] BIT STRING, -- Deprecated
+ -- possession is proven in this message (which contains the private
+ -- key itself (encrypted for the CA))
+ subsequentMessage [1] SubsequentMessage,
+ -- possession will be proven in a subsequent message
+ dhMAC [2] BIT STRING, -- Deprecated
+ agreeMAC [3] PKMACValue,
+ encryptedKey [4] EnvelopedData }
+
+ -- for keyAgreement (only), possession is proven in this message
+ -- (which contains a MAC (over the DER-encoded value of the
+ -- certReq parameter in CertReqMsg, which MUST include both subject
+ -- and publicKey) based on a key derived from the end entity's
+ -- private DH key and the CA's public DH key);
SubsequentMessage ::= INTEGER {
- encrCert (0),
- -- requests that resulting certificate be encrypted for the
- -- end entity (following which, POP will be proven in a
- -- confirmation message)
- challengeResp (1) }
- -- requests that CA engage in challenge-response exchange with
- -- end entity in order to prove private key possession
+ encrCert (0),
+ -- requests that resulting certificate be encrypted for the
+ -- end entity (following which, POP will be proven in a
+ -- confirmation message)
+ challengeResp (1) }
+ -- requests that CA engage in challenge-response exchange with
+ -- end entity in order to prove private key possession
-- Object identifier assignments --
-id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
-dod(6) internet(1) security(5) mechanisms(5) 7 }
-
--- arc for Internet X.509 PKI protocols and their components
-id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 }
-
-- Registration Controls in CRMF
id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 }
--- The following definition may be uncommented for use with
--- ASN.1 compilers which do not understand UTF8String.
-
--- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 }
--with syntax:
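Review bot: The member lines of PKMACValue, `algId AlgorithmIdentifier,` through `value BIT STRING }`, are written at column 0 while every other SEQUENCE in this module indents its members one level; PKIPublicationInfo's `action INTEGER {` and `pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }` lines in the next hunk have the same layout. ASN.1 is not whitespace-sensitive, so asn2wrs accepts this as is; the cost is only to a reader scanning for type boundaries, where an unindented line looks like the start of a new assignment. Indenting those lines to match the neighbouring definitions would keep the transcription uniform; if it is kept verbatim on purpose to stay byte-close to RFC 4211, a short remark under the header's `Changes to make it work with asn2wrs:` list would make that choice visible.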
@@ -207,57 +199,66 @@ id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 }
--with syntax:
PKIPublicationInfo ::= SEQUENCE {
- action INTEGER {
- dontPublish (0),
- pleasePublish (1) },
- pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
- -- pubInfos MUST NOT be present if action is "dontPublish"
- -- (if action is "pleasePublish" and pubInfos is omitted,
- -- "dontCare" is assumed)
+action INTEGER {
+ dontPublish (0),
+ pleasePublish (1) },
+pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
+ -- pubInfos MUST NOT be present if action is "dontPublish"
+ -- (if action is "pleasePublish" and pubInfos is omitted,
+ -- "dontCare" is assumed)
SinglePubInfo ::= SEQUENCE {
- pubMethod INTEGER {
- dontCare (0),
- x500 (1),
- web (2),
- ldap (3) },
- pubLocation GeneralName OPTIONAL }
+ pubMethod INTEGER {
+ dontCare (0),
+ x500 (1),
+ web (2),
+ ldap (3) },
+ pubLocation GeneralName OPTIONAL }
id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 }
--with syntax:
PKIArchiveOptions ::= CHOICE {
- encryptedPrivKey [0] EncryptedKey,
- -- the actual value of the private key
- keyGenParameters [1] KeyGenParameters,
- -- parameters which allow the private key to be re-generated
- archiveRemGenPrivKey [2] BOOLEAN }
- -- set to TRUE if sender wishes receiver to archive the private
- -- key of a key pair which the receiver generates in response to
- -- this request; set to FALSE if no archival is desired.
+ encryptedPrivKey [0] EncryptedKey,
+ -- the actual value of the private key
+ keyGenParameters [1] KeyGenParameters,
+ -- parameters that allow the private key to be re-generated
+ archiveRemGenPrivKey [2] BOOLEAN }
+ -- set to TRUE if sender wishes receiver to archive the private
+ -- key of a key pair that the receiver generates in response to
+ -- this request; set to FALSE if no archival is desired.
EncryptedKey ::= CHOICE {
- encryptedValue EncryptedValue,
- envelopedData [0] EnvelopedData }
- -- The encrypted private key MUST be placed in the envelopedData
- -- encryptedContentInfo encryptedContent OCTET STRING.
-
+ encryptedValue EncryptedValue, -- Deprecated
+ envelopedData [0] EnvelopedData }
+ -- The encrypted private key MUST be placed in the envelopedData
+ -- encryptedContentInfo encryptedContent OCTET STRING.
EncryptedValue ::= SEQUENCE {
- intendedAlg [0] AlgorithmIdentifier OPTIONAL,
- -- the intended algorithm for which the value will be used
- symmAlg [1] AlgorithmIdentifier OPTIONAL,
- -- the symmetric algorithm used to encrypt the value
- encSymmKey [2] BIT STRING OPTIONAL,
- -- the (encrypted) symmetric key used to encrypt the value
- keyAlg [3] AlgorithmIdentifier OPTIONAL,
- -- algorithm used to encrypt the symmetric key
- valueHint [4] OCTET STRING OPTIONAL,
- -- a brief description or identifier of the encValue content
- -- (may be meaningful only to the sending entity, and used only
- -- if EncryptedValue might be re-examined by the sending entity
- -- in the future)
- encValue BIT STRING }
- -- the encrypted value itself
+ intendedAlg [0] AlgorithmIdentifier OPTIONAL,
+ -- the intended algorithm for which the value will be used
+ symmAlg [1] AlgorithmIdentifier OPTIONAL,
+ -- the symmetric algorithm used to encrypt the value
+ encSymmKey [2] BIT STRING OPTIONAL,
+ -- the (encrypted) symmetric key used to encrypt the value
+ keyAlg [3] AlgorithmIdentifier OPTIONAL,
+ -- algorithm used to encrypt the symmetric key
+ valueHint [4] OCTET STRING OPTIONAL,
+ -- a brief description or identifier of the encValue content
+ -- (may be meaningful only to the sending entity, and used only
+ -- if EncryptedValue might be re-examined by the sending entity
+ -- in the future)
+ encValue BIT STRING }
+ -- the encrypted value itself
+-- When EncryptedValue is used to carry a private key (as opposed to
+-- a certificate), implementations MUST support the encValue field
+-- containing an encrypted PrivateKeyInfo as defined in [PKCS11],
+-- section 12.11. If encValue contains some other format/encoding
+-- for the private key, the first octet of valueHint MAY be used
+-- to indicate the format/encoding (but note that the possible values
+-- of this octet are not specified at this time). In all cases, the
+-- intendedAlg field MUST be used to indicate at least the OID of
+-- the intended algorithm of the private key, unless this information
+-- is known a priori to both sender and receiver by some other means.
KeyGenParameters ::= OCTET STRING
@@ -266,8 +267,8 @@ id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 }
OldCertId ::= CertId
CertId ::= SEQUENCE {
- issuer GeneralName,
- serialNumber INTEGER }
+ issuer GeneralName,
+ serialNumber INTEGER }
id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 }
--with syntax:
@@ -284,4 +285,27 @@ id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 }
--with syntax
CertReq ::= CertRequest
+-- id-ct-encKeyWithID is a new content type used for CMS objects.
+-- it contains both a private key and an identifier for key escrow
+-- agents to check against recovery requestors.
+
+id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
+
+EncKeyWithID ::= SEQUENCE {
+ privateKey PrivateKeyInfo,
+ identifier CHOICE {
+ string UTF8String,
+ generalName GeneralName
+ } OPTIONAL
+}
+
+PrivateKeyInfo ::= SEQUENCE {
+ version INTEGER,
+ privateKeyAlgorithm AlgorithmIdentifier,
+ privateKey OCTET STRING,
+ attributes [0] IMPLICIT Attributes OPTIONAL
+}
+
+Attributes ::= SET OF Attribute
+
END
diff --git a/asn1/pkixcrmf/Makefile b/asn1/pkixcrmf/Makefile
index f624d00452..3fc2742987 100644
--- a/asn1/pkixcrmf/Makefile
+++ b/asn1/pkixcrmf/Makefile
@@ -7,7 +7,7 @@ all: generate_dissector
generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py CRMF.asn packet-crmf-template.c packet-crmf-template.h crmf.cnf
- python ../../tools/asn2wrs.py -b -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn
+ python ../../tools/asn2wrs.py -b -X -T -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn
clean:
rm -f parsetab.py $(DISSECTOR_FILES)
diff --git a/asn1/pkixcrmf/Makefile.nmake b/asn1/pkixcrmf/Makefile.nmake
index 505677ce94..7aa239d1e6 100644
--- a/asn1/pkixcrmf/Makefile.nmake
+++ b/asn1/pkixcrmf/Makefile.nmake
@@ -15,7 +15,7 @@ generate_dissector: $(DISSECTOR_FILES)
$(DISSECTOR_FILES): ../../tools/asn2wrs.py CRMF.asn packet-crmf-template.c packet-crmf-template.h crmf.cnf
!IFDEF PYTHON
- $(PYTHON) "../../tools/asn2wrs.py" -b -e -p $(PROTOCOL_NAME) -c crmf.cnf -s packet-crmf-template CRMF.asn
+ $(PYTHON) "../../tools/asn2wrs.py" -b -X -T -e -p $(PROTOCOL_NAME) -c crmf.cnf -s packet-crmf-template CRMF.asn
!ELSE
@echo Error: You need Python to use asn2wrs.py
@exit 1
diff --git a/asn1/pkixcrmf/crmf-exp.cnf b/asn1/pkixcrmf/crmf-exp.cnf
index f47a763ac4..2df5382d8d 100644
--- a/asn1/pkixcrmf/crmf-exp.cnf
+++ b/asn1/pkixcrmf/crmf-exp.cnf
@@ -4,7 +4,7 @@
# ../../tools/asn2wrs.py -b -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn
#.MODULE
-CRMF crmf
+PKIXCRMF-2005 crmf
#.END
#.IMPORT_TAG
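Review bot: The header comment on the context line `# ../../tools/asn2wrs.py -b -e -p crmf -c crmf.cnf -s packet-crmf-template CRMF.asn` still records the old generator command, while the Makefile and Makefile.nmake hunks in this commit switch the build to `asn2wrs.py -b -X -T -e ...`. If this file is the one asn2wrs writes when run with `-e`, the stale line suggests the export file was edited by hand rather than regenerated with the new flags, and its tag and type tables may drift from what the next build produces; regenerating it (or, if it was regenerated, correcting the recorded command) would remove the inconsistency. Only the header and the module rename are visible in this hunk, so the rest of the file could not be checked against the new flags.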
@@ -35,6 +35,9 @@ CertId BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
ProtocolEncrKey BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
UTF8Pairs BER_CLASS_UNI BER_UNI_TAG_UTF8String
CertReq BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+EncKeyWithID BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+PrivateKeyInfo BER_CLASS_UNI BER_UNI_TAG_SEQUENCE
+Attributes BER_CLASS_UNI BER_UNI_TAG_SET
#.END
#.TYPE_ATTR
@@ -65,5 +68,8 @@ CertId TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL
ProtocolEncrKey TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
UTF8Pairs TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
CertReq TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+EncKeyWithID TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+PrivateKeyInfo TYPE = FT_NONE DISPLAY = BASE_NONE STRINGS = NULL BITMASK = 0
+Attributes TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = NULL BITMASK = 0
#.END
diff --git a/asn1/pkixcrmf/crmf.cnf b/asn1/pkixcrmf/crmf.cnf
index 2b902b1f5f..55567b4b72 100644
--- a/asn1/pkixcrmf/crmf.cnf
+++ b/asn1/pkixcrmf/crmf.cnf
@@ -6,6 +6,7 @@
#.MODULE_IMPORT
PKIX1Explicit88 pkix1explicit
PKIX1Implicit88 pkix1implicit
+CryptographicMessageSyntax2004 cms
#.INCLUDE ../cms/cms-exp.cnf
#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
@@ -13,6 +14,7 @@ PKIX1Implicit88 pkix1implicit
#.EXPORTS
Authenticator
+Attributes
AttributeTypeAndValue
CertId
CertReq
@@ -21,6 +23,7 @@ CertReqMsg
CertRequest
CertTemplate
Controls
+EncKeyWithID
EncryptedKey
EncryptedValue
KeyGenParameters
@@ -33,6 +36,7 @@ PKMACValue
POPOPrivKey
POPOSigningKey
POPOSigningKeyInput
+PrivateKeyInfo
ProofOfPossession
ProtocolEncrKey
RegToken
@@ -41,7 +45,12 @@ SubsequentMessage
UTF8Pairs
#.REGISTER
-PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac"
+CertId B "1.3.6.1.5.5.7.5.1.5" "id-regCtrl-oldCertID"
+CertRequest B "1.3.6.1.5.5.7.5.2.2" "id-regInfo-certReq"
+EncKeyWithID B "1.2.840.113549.1.9.16.1.21" "id-ct-encKeyWithID"
+PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac"
+ProtocolEncrKey B "1.3.6.1.5.5.7.5.1.6" "id-regCtrl-protocolEncrKey"
+UTF8Pairs B "1.3.6.1.5.5.7.5.2.1" "id-regInfo-utf8Pairs"
#.NO_EMIT
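Review bot: The new #.REGISTER entries cover CertId, CertRequest, EncKeyWithID, ProtocolEncrKey and UTF8Pairs, but RegToken, Authenticator, PKIPublicationInfo and PKIArchiveOptions, all listed in #.EXPORTS above, get no registration here, so an AttributeTypeAndValue carrying one of those id-regCtrl OIDs will only have its `value ANY DEFINED BY type` decoded if the template or another cnf section registers them; if nothing does, the control payload is most likely left as raw bytes. Based on the arcs visible in CRMF.asn (id-pkix = 1.3.6.1.5.5.7, `id-pkip ::= { id-pkix 5 }`, `id-regCtrl ::= { id-pkip 1 }`), the missing lines would be `RegToken B "1.3.6.1.5.5.7.5.1.1" "id-regCtrl-regToken"`, `PKIPublicationInfo B "1.3.6.1.5.5.7.5.1.3" "id-regCtrl-pkiPublicationInfo"` and `PKIArchiveOptions B "1.3.6.1.5.5.7.5.1.4" "id-regCtrl-pkiArchiveOptions"`. Authenticator's arc is not in this diff, so its OID should be taken from the full module before adding a line for it.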
@@ -51,6 +60,8 @@ PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac"
CertTemplate/issuer template_issuer
POPOSigningKey/signature sk_signature
PKMACValue/value pkmac_value
+PrivateKeyInfo/version privkey_version
+EncKeyWithID/privateKey enckeywid_privkey
#.FN_PARS AttributeTypeAndValue/type
FN_VARIANT = _str HF_INDEX = hf_crmf_type_oid VAL_PTR = &object_identifier_id