idnits 2.17.00 (12 Aug 2021)

/tmp/idnits23441/draft-turner-additional-new-asn-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008.  The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs.  If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer.
     Otherwise, the disclaimer is needed and you can ignore this comment.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (July 11, 2010) is 4331 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '0' on line 1158

  -- Looks like a reference, but probably isn't: '1' on line 1161

  -- Looks like a reference, but probably isn't: '2' on line 1163

  -- Looks like a reference, but probably isn't: '3' on line 980

  -- Looks like a reference, but probably isn't: '4' on line 800

  == Unused Reference: 'ASN1-2008' is defined on line 1287, but no explicit
     reference was found in the text

  ** Downref: Normative reference to an Informational RFC: RFC 3379

  ** Obsolete normative reference: RFC 4049 (Obsoleted by RFC 6019)

  ** Downref: Normative reference to an Informational RFC: RFC 5911

  ** Downref: Normative reference to an Informational RFC: RFC 5912

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ASN1-2008'

     Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     Network Working Group                                          J. Schaad
3     Internet-Draft                                   Soaring Hawk Consulting
4     Intended status: Standards Track                               S. Turner
5     Expires: January 12, 2011                                     IECA, Inc.
6                                                                July 11, 2010

8                           Additional New ASN.1 Modules
9                        draft-turner-additional-new-asn-01

11    Abstract

13       The Cryptographic Message Syntax (CMS) format, and many associated
14       formats, are expressed using ASN.1.  The current ASN.1 modules
15       conform to the 1988 version of ASN.1.  This document updates some
16       auxiliary ASN.1 modules to conform to the 2008 version of ASN.1.
17       There are no bits-on-the-wire changes to any of the formats; this is
18       simply a change to the syntax.

20    Status of this Memo

22       This Internet-Draft is submitted in full conformance with the
23       provisions of BCP 78 and BCP 79.

25       Internet-Drafts are working documents of the Internet Engineering
26       Task Force (IETF).  Note that other groups may also distribute
27       working documents as Internet-Drafts.  The list of current Internet-
28       Drafts is at http://datatracker.ietf.org/drafts/current/.

30       Internet-Drafts are draft documents valid for a maximum of six months
31       and may be updated, replaced, or obsoleted by other documents at any
32       time.  It is inappropriate to use Internet-Drafts as reference
33       material or to cite them other than as "work in progress."

35       This Internet-Draft will expire on January 12, 2011.

37    Copyright Notice

39       Copyright (c) 2010 IETF Trust and the persons identified as the
40       document authors.  All rights reserved.

42       This document is subject to BCP 78 and the IETF Trust's Legal
43       Provisions Relating to IETF Documents
44       (http://trustee.ietf.org/license-info) in effect on the date of
45       publication of this document.  Please review these documents
46       carefully, as they describe your rights and restrictions with respect
47       to this document.  Code Components extracted from this document must
48       include Simplified BSD License text as described in Section 4.e of
49       the Trust Legal Provisions and are provided without warranty as
50       described in the Simplified BSD License.

52       This document may contain material from IETF Documents or IETF
53       Contributions published or made publicly available before November
54       10, 2008.  The person(s) controlling the copyright in some of this
55       material may not have granted the IETF Trust the right to allow
56       modifications of such material outside the IETF Standards Process.
57       Without obtaining an adequate license from the person(s) controlling
58       the copyright in such materials, this document may not be modified
59       outside the IETF Standards Process, and derivative works of it may
60       not be created outside the IETF Standards Process, except to format
61       it for publication as an RFC or to translate it into languages other
62       than English.

64    Table of Contents

66       1.  Introduction
67         1.1.  Requirements Terminology
68       2.  ASN.1 Module RFC 3274
69       3.  ASN.1 Module RFC 3379
70       4.  ASN.1 Module RFC 4049
71       5.  ASN.1 Module RFC 4073
72       6.  ASN.1 Module RFC 4231
73       7.  ASN.1 Module RFC 4334
74       8.  ASN.1 Module RFC 5752
75       9.  ASN.1 Module RFC 5652
76       10. ASN.1 Module RFC 5083
77       11. Module Identifiers in ASN.1
78       12. Security Considerations
79       13. IANA Considerations
80       14. Normative References
81       Authors' Addresses

83    1.  Introduction

85       Some developers would like the IETF to use the latest version of
86       ASN.1 in its standards.  Most of the RFCs that relate to security
87       protocols still use ASN.1 from the 1988 standard, which has been
88       deprecated.  This is particularly true for the standards that relate
89       to PKIX, CMS, and S/MIME.

91       In this document we have either changed the syntax to use the 2008
92       ASN.1 standard, or done some updates from previous conversions:

94          RFC 3274, Compressed Data Content Type for Cryptographic Message
95          Syntax (CMS) [RFC3274]

97          RFC 3379, Delegated Path Validation and Delegated Path Discovery
98          Protocol Requirements [RFC3379]

100         RFC 4049, BinaryTime: An Alternate Format for Representing Date
101         and Time in ASN.1 [RFC4049]

103         RFC 4073, Protecting Multiple Contents with the Cryptographic
104         Message Syntax (CMS) [RFC4073]

106         RFC 4231, Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-
107         256, HMAC-SHA-384, and HMAC-SHA-512 [RFC4231]

109         RFC 4334, Certificate Extensions and Attributes Supporting
110         Authentication in Point-to-Point Protocol (PPP) and Wireless Local
111         Area Networks (WLAN) [RFC4334]

113         RFC 5752, Multiple Signatures in Cryptographic Message Syntax
114         (CMS) [RFC5752]

116         RFC 5652, Cryptographic Message Syntax (CMS) [RFC5652]

118         RFC 5083, Cryptographic Message Syntax (CMS) Authenticated-
119         Enveloped-Data Content Type [RFC5083].

121      Note that some of the modules in this document get some of their
122      definitions from places different than the modules in the original
123      RFCs.  The idea is that these modules, when combined with the modules
124      in [RFC5912] and [RFC5911], can stand on their own and do not need to
125      import definitions from anywhere else.

127   1.1.  Requirements Terminology

129      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
130      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
131      document are to be interpreted as described in [RFC2119].

133   2.  ASN.1 Module RFC 3274

135      CompressedDataContent
136        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
137          smime(16) modules(0) TBD }

139      DEFINITIONS IMPLICIT TAGS ::=
140      BEGIN

142      IMPORTS
143        CMSVersion, EncapsulatedContentInfo,
144        CONTENT-TYPE
145        FROM CryptographicMessageSyntax-2009
146          { iso(1) member-body(2) us(840) rsadsi(113549)
147            pkcs(1) pkcs-9(9) smime(16) modules(0) TBD }

149        AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
150        FROM AlgorithmInformation-2009
151          {iso(1) identified-organization(3) dod(6) internet(1) security(5)
152          mechanisms(5) pkix(7) id-mod(0)
153          id-mod-algorithmInformation-02(58)}

155      ;

157      --
158      --
159      --

161      ContentTypes CONTENT-TYPE ::= {ct-compressedData}

163      SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps}

165      ct-compressedData CONTENT-TYPE ::= {
166        CompressedData IDENTIFIED BY id-ct-compressedData
167      }

169      CompressedData ::= SEQUENCE {
170        version CMSVersion,       -- Always set to 0
171        compressionAlgorithm CompressionAlgorithmIdentifier,
172        encapContentInfo EncapsulatedContentInfo
173      }

175      CompressionAlgorithmIdentifier ::=
176        AlgorithmIdentifier{COMPRESS-ALGORITHM, {CompressAlgorithmSet}}

178      CompressAlgorithmSet COMPRESS-ALGORITHM ::= {
179        cpa-zlibCompress, ...
181      }

183      -- Algorithm Identifiers

185      id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2)
186        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 }

188      cpa-zlibCompress COMPRESS-ALGORITHM ::= {
189        IDENTIFIER id-alg-zlibCompress
190        PARAMS TYPE NULL ARE preferredAbsent
191        SMIME-CAPS {IDENTIFIED BY id-alg-zlibCompress}
192      }

194      -- Content Type Object Identifiers

196      id-ct-compressedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
197        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 9 }

199      --
200      -- Class defined for compression algorithms
201      --

203      COMPRESS-ALGORITHM ::= CLASS {
204        &id                OBJECT IDENTIFIER UNIQUE,
205        &Params            OPTIONAL,
206        &paramPresence     ParamOptions DEFAULT absent,
207        &smimeCaps         SMIME-CAPS OPTIONAL
208      }
209      WITH SYNTAX {
210        IDENTIFIER &id
211        [PARAMS [TYPE &Params] ARE &paramPresence]
212        [SMIME-CAPS &smimeCaps]
213      }

215      END

217   3.  ASN.1 Module RFC 3379

219      IPAddrAndASCertExtn { iso(1) identified-organization(3) dod(6)
220        internet(1) security(5) mechanisms(5) pkix(7) mod(0)
221        TBD }
222      DEFINITIONS EXPLICIT TAGS ::=
223      BEGIN
224      EXPORTS ALL;

226      IMPORTS

228      -- PKIX specific OIDs and arcs --
229      id-pe
230      FROM PKIX1Explicit-2009
231        { iso(1) identified-organization(3) dod(6) internet(1)
232          security(5) mechanisms(5) pkix(7) id-mod(0)
233          id-mod-pkix1-explicit-02(51)}

235      EXTENSION
236      FROM PKIX-CommonTypes-2009
237        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
238          mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
239      ;

241      -- IP Address Delegation Extension OID --

243      ext-pe-ipAddrBlocks EXTENSION ::= {
244        SYNTAX IPAddrBlocks
245        IDENTIFIED BY id-pe-ipAddrBlocks
246      }

248      id-pe-ipAddrBlocks OBJECT IDENTIFIER ::= { id-pe 7 }

250      -- IP Address Delegation Extension Syntax --

252      IPAddrBlocks ::= SEQUENCE OF IPAddressFamily

254      IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI --
255        addressFamily     OCTET STRING (SIZE (2..3)),
256        ipAddressChoice   IPAddressChoice }

258      IPAddressChoice ::= CHOICE {
259        inherit            NULL, -- inherit from issuer --
260        addressesOrRanges  SEQUENCE OF IPAddressOrRange }

262      IPAddressOrRange ::= CHOICE {
263        addressPrefix     IPAddress,
264        addressRange      IPAddressRange }

266      IPAddressRange ::= SEQUENCE {
267        min               IPAddress,
268        max               IPAddress }

270      IPAddress ::= BIT STRING

272      -- Autonomous System Identifier Delegation Extension OID --

274      ext-pe-autonomousSysIds EXTENSION ::= {
275        SYNTAX ASIdentifiers
276        IDENTIFIED BY id-pe-autonomousSysIds
277      }

279      id-pe-autonomousSysIds OBJECT IDENTIFIER ::= { id-pe 8 }

281      -- Autonomous System Identifier Delegation Extension Syntax --

283      ASIdentifiers ::= SEQUENCE {
284        asnum   [0] ASIdentifierChoice OPTIONAL,
285        rdi     [1] ASIdentifierChoice OPTIONAL }
286        (WITH COMPONENTS {..., asnum PRESENT} |
287         WITH COMPONENTS {..., rdi PRESENT})

289      ASIdentifierChoice ::= CHOICE {
290        inherit         NULL, -- inherit from issuer --
291        asIdsOrRanges   SEQUENCE OF ASIdOrRange }

293      ASIdOrRange ::= CHOICE {
294        id      ASId,
295        range   ASRange }

297      ASRange ::= SEQUENCE {
298        min     ASId,
299        max     ASId }

301      ASId ::= INTEGER

303      END

305   4.  ASN.1 Module RFC 4049

307      BinarySigningTimeModule-2009
308        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
309          pkcs-9(9) smime(16) modules(0) TBD0 }
310      DEFINITIONS IMPLICIT TAGS ::=
311      BEGIN
312      IMPORTS

314      -- From PKIX-CommonTypes-2009 [RFC5912]

316      ATTRIBUTE
317        FROM PKIX-CommonTypes-2009
318          { iso(1) identified-organization(3) dod(6) internet(1)
319            security(5) mechanisms(5) pkix(7) id-mod(0)
320            id-mod-pkixCommon-02(57) }
321      ;

323      --
324      -- BinaryTime Definition
325      --
326      -- BinaryTime contains the number of seconds since
327      -- midnight Jan 1, 1970 UTC.
328      -- Leap seconds are EXCLUDED from the computation.
329      --

331      BinaryTime ::= INTEGER (0..MAX)

333      --
334      -- Signing Binary Time Attribute
335      --
336      -- The binary signing time should be added to the
337      -- SignedAttributeSet and the AuthenticatedAttributeSet
338      -- in the CMS modules.
339      --

341      aa-binarySigningTime ATTRIBUTE ::= {
342        TYPE BinarySigningTime
343        IDENTIFIED BY id-aa-binarySigningTime }

345      id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
346        member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
347        smime(16) aa(2) 46 }

349      BinarySigningTime ::= BinaryTime

351      END

353   5.  ASN.1 Module RFC 4073

355      ContentCollectionModule-2009
356        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
357          pkcs-9(9) smime(16) modules(0) TBD1 }
358      DEFINITIONS IMPLICIT TAGS ::=
359      BEGIN
360      IMPORTS

362      -- From CryptographicMessageSyntax-2009 [RFC5911]

364      CONTENT-TYPE, ContentInfo
365        FROM CryptographicMessageSyntax-2009
366          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
367            pkcs-9(9) smime(16) modules(0) TBD }

369      AttributeSet{}
370        FROM PKIX-CommonTypes-2009
371          { iso(1) identified-organization(3) dod(6) internet(1)
372            security(5) mechanisms(5) pkix(7) id-mod(0)
373            id-mod-pkixCommon-02(57) }
374      ;

376      --
377      -- An object set of all content types defined by this module.
378      -- This is to be added to ContentSet in the CMS module
379      --

381      ContentSet CONTENT-TYPE ::= {
382        ct-ContentCollection | ct-ContentWithAttributes, ...
383      }

385      --
386      -- Content Collection Content Type and Object Identifier
387      --

389      ct-ContentCollection CONTENT-TYPE ::= {
390        ContentCollection IDENTIFIED BY id-ct-contentCollection }

392      id-ct-contentCollection OBJECT IDENTIFIER ::= {
393        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
394        smime(16) ct(1) 19 }

396      ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo

398      --
399      -- Content With Attributes Content Type and Object Identifier
400      --
401      ct-ContentWithAttributes CONTENT-TYPE ::= {
402        ContentWithAttributes IDENTIFIED BY id-ct-contentWithAttrs }

404      id-ct-contentWithAttrs OBJECT IDENTIFIER ::= {
405        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
406        smime(16) ct(1) 20 }

408      ContentWithAttributes ::= SEQUENCE {
409        content     ContentInfo,
410        attrs       SEQUENCE SIZE (1..MAX) OF AttributeSet
411                      {{ ContentAttributeSet }} }

413      ContentAttributeSet ATTRIBUTE ::= { ... }
414      END

416   6.  ASN.1 Module RFC 4231

418      HMAC { TBD }
419      DEFINITIONS EXPLICIT TAGS ::=
420      BEGIN
421      EXPORTS ALL;

423      IMPORTS

425      MAC-ALGORITHM, SMIME-CAPS
426        FROM AlgorithmInformation-2009
427          { iso(1) identified-organization(3) dod(6) internet(1) security(5)
428            mechanisms(5) pkix(7) id-mod(0)
429            id-mod-algorithmInformation-02(58)};

431      --
432      -- This object set contains all of the MAC algorithms that are
433      -- defined in this module.
434      -- One would add it to a constraining set of objects such as the
435      -- MessageAuthenticationCodeAlgorithmSet in [RFC5652]
436      --

438      MessageAuthAlgs MAC-ALGORITHM ::= {
439        maca-hMAC-SHA224 |
440        maca-hMAC-SHA256 |
441        maca-hMAC-SHA384 |
442        maca-hMAC-SHA512
443      }

445      --
446      -- This object set contains all of the S/MIME capabilities that
447      -- have been defined for all the MAC algorithms in this module.
448      -- One would add this to an object set that is used to restrict
449      -- smime capabilities such as the SMimeCapsSet variable in
450      -- the S/MIME message draft
451      --

453      SMimeCaps SMIME-CAPS ::= {
454        maca-hMAC-SHA224.&smimeCaps |
455        maca-hMAC-SHA256.&smimeCaps |
456        maca-hMAC-SHA384.&smimeCaps |
457        maca-hMAC-SHA512.&smimeCaps
458      }

460      --
461      -- Define the base OID for the algorithm identifiers
462      --
463      rsadsi OBJECT IDENTIFIER ::=
464        {iso(1) member-body(2) us(840) rsadsi(113549)}

466      digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}

468      --
469      -- Define the necessary algorithm identifiers
470      --

472      id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8}
473      id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9}
474      id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10}
475      id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11}

477      --
478      -- Define each of the MAC-ALGORITHM objects to describe the
479      -- algorithms defined
480      --

482      maca-hMAC-SHA224 MAC-ALGORITHM ::= {
483        IDENTIFIER id-hmacWithSHA224
484        PARAMS TYPE NULL ARE preferredPresent
485        IS-KEYED-MAC TRUE
486        SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA224}
487      }

489      maca-hMAC-SHA256 MAC-ALGORITHM ::= {
490        IDENTIFIER id-hmacWithSHA256
491        PARAMS TYPE NULL ARE preferredPresent
492        IS-KEYED-MAC TRUE
493        SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA256}
494      }

496      maca-hMAC-SHA384 MAC-ALGORITHM ::= {
497        IDENTIFIER id-hmacWithSHA384
498        PARAMS TYPE NULL ARE preferredPresent
499        IS-KEYED-MAC TRUE
500        SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA384}
501      }

503      maca-hMAC-SHA512 MAC-ALGORITHM ::= {
504        IDENTIFIER id-hmacWithSHA512
505        PARAMS TYPE NULL ARE preferredPresent
506        IS-KEYED-MAC TRUE
507        SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA512}

509      }

511      END

513   7.  ASN.1 Module RFC 4334

515      WLANCertExtn
516        { iso(1) identified-organization(3) dod(6) internet(1)
517          security(5) mechanisms(5) pkix(7) id-mod(0)
518          TBD }

520      DEFINITIONS IMPLICIT TAGS ::=
521      BEGIN
522      EXPORTS ALL;

524      IMPORTS

526      EXTENSION, ATTRIBUTE
527        FROM PKIX-CommonTypes-2009
528          {iso(1) identified-organization(3) dod(6) internet(1) security(5)
529          mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

531      id-pe, id-kp
532        FROM PKIX1Explicit-2009
533          { iso(1) identified-organization(3) dod(6) internet(1) security(5)
534          mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

536      id-aca
537        FROM PKIXAttributeCertificate-2009
538          { iso(1) identified-organization(3) dod(6) internet(1) security(5)
539          mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}

541      ;

543      -- Extended Key Usage Values

545      KeyUsageValues OBJECT IDENTIFIER ::= {
546        id-kp-eapOverPPP | id-kp-eapOverLAN
547      }

549      id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }

551      id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }

553      -- Wireless LAN SSID Extension

555      ext-pe-wlanSSID EXTENSION ::= {
556        SYNTAX SSIDList
557        IDENTIFIED BY id-pe-wlanSSID
558        CRITICALITY {FALSE}
559      }

561      id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 }

563      SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID

565      SSID ::= OCTET STRING (SIZE (1..32))

567      -- Wireless LAN SSID Attribute Certificate Attribute
568      -- Uses same syntax as the certificate extension: SSIDList

570      at-aca-wlanSSID ATTRIBUTE ::= {
571        TYPE SSIDList
572        IDENTIFIED BY id-aca-wlanSSID
573      }

575      id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 7 }

577      END

579   8.  ASN.1 Module RFC 5752

581      MultipleSignatures-2009
582        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
583          smime(16) modules(0) TBD2 }
584      DEFINITIONS IMPLICIT TAGS ::=
585      BEGIN
586      -- EXPORTS All
587      -- The types and values defined in this module are exported for use
588      -- in the other ASN.1 modules.  Other applications may use them for
589      -- their own purposes.

591      IMPORTS

593      -- Imports from PKIX-Common-Types-2009 [RFC5912]

595      ATTRIBUTE
596        FROM PKIX-CommonTypes-2009
597          { iso(1) identified-organization(3) dod(6) internet(1)
598            security(5) mechanisms(5) pkix(7) id-mod(0)
599            id-mod-pkixCommon-02(57) }

601      -- Imports from CryptographicMessageSyntax-2009 [RFC5911]

603      DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier
604        FROM CryptographicMessageSyntax-2009
605          { iso(1) member-body(2) us(840) rsadsi(113549)
606            pkcs(1) pkcs-9(9) smime(16) modules(0) TBD }

608      -- Imports from ExtendedSecurityServices-2009 [RFC5911]

610      ESSCertIDv2
611        FROM ExtendedSecurityServices-2009
612          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
613            smime(16) modules(0) id-mod-ess-2006-02(42) }
614      ;

616      --
617      -- Section 3.0
618      --
619      -- at-multipleSignatures should be added ONLY to the
620      -- SignedAttributesSet defined in [RFC5652]
621      --

623      at-multipleSignatures ATTRIBUTE ::= {
624        TYPE MultipleSignatures
625        IDENTIFIED BY id-aa-multipleSignatures
626      }
627      id-aa-multipleSignatures OBJECT IDENTIFIER ::= {
628        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
629        id-aa(2) 51 }

631      MultipleSignatures ::= SEQUENCE {
632        bodyHashAlg     DigestAlgorithmIdentifier,
633        signAlg         SignatureAlgorithmIdentifier,
634        signAttrsHash   SignAttrsHash,
635        cert            ESSCertIDv2 OPTIONAL
636      }

638      SignAttrsHash ::= SEQUENCE {
639        algID            DigestAlgorithmIdentifier,
640        hash             OCTET STRING
641      }

643      END

645   9.  ASN.1 Module RFC 5652

647      This module is updated from RFC 5911 [RFC5911] by defining separate
648      attribute sets for the protected and unprotected attribute sets.  By
649      using different attribute sets for EncryptedData and EnvelopedData as
650      well as for AuthenticatedData and AuthEnvelopedData, protocol
651      designers can make use of the '02 ASN.1 constraints to define
652      different sets of attributes for EncryptedData and EnvelopedData and
653      for AuthenticatedData and AuthEnvelopedData.  Previously, attributes
654      could only be constrained based on whether they were in the clear or
655      unauthenticated, not on the encapsulating content type.

657      CryptographicMessageSyntax-2009
658        { iso(1) member-body(2) us(840) rsadsi(113549)
659          pkcs(1) pkcs-9(9) smime(16) modules(0) TBD }
660      DEFINITIONS IMPLICIT TAGS ::=
661      BEGIN
662      IMPORTS

664      ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
665        PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
666        KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
667        AlgorithmIdentifier
668      FROM AlgorithmInformation-2009
669        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
670        mechanisms(5) pkix(7) id-mod(0)
671        id-mod-algorithmInformation-02(58)}

673      SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
674        MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
675        KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
676      FROM CryptographicMessageSyntaxAlgorithms-2009
677        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
678        smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

680      Certificate, CertificateList, CertificateSerialNumber,
681        Name, ATTRIBUTE
682      FROM PKIX1Explicit-2009
683        { iso(1) identified-organization(3) dod(6) internet(1)
684        security(5) mechanisms(5) pkix(7) id-mod(0)
685        id-mod-pkix1-explicit-02(51) }

687      AttributeCertificate
688      FROM PKIXAttributeCertificate-2009
689        { iso(1) identified-organization(3) dod(6) internet(1)
690        security(5) mechanisms(5) pkix(7) id-mod(0)
691        id-mod-attribute-cert-02(47) }

693      AttributeCertificateV1
694      FROM AttributeCertificateVersion1-2009
695        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
696        smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;

698      -- Cryptographic Message Syntax

700      -- The following are used for version numbers using the ASN.1
701      --   idiom "[[n:"
702      --   Version 1 = PKCS #7
703      --   Version 2 = S/MIME V2
704      --   Version 3 = RFC 2630
705      --   Version 4 = RFC 3369
706      --   Version 5 = RFC 3852

708      CONTENT-TYPE ::= TYPE-IDENTIFIER
709      ContentType ::= CONTENT-TYPE.&id

711      ContentInfo ::= SEQUENCE {
712        contentType        CONTENT-TYPE.
713                        &id({ContentSet}),
714        content            [0] EXPLICIT CONTENT-TYPE.
715                        &Type({ContentSet}{@contentType})}

717      ContentSet CONTENT-TYPE ::= {
718        --  Define the set of content types to be recognized.
719        ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
720        ct-AuthenticatedData | ct-DigestedData, ... }

722      SignedData ::= SEQUENCE {
723        version CMSVersion,
724        digestAlgorithms SET OF DigestAlgorithmIdentifier,
725        encapContentInfo EncapsulatedContentInfo,
726        certificates [0] IMPLICIT CertificateSet OPTIONAL,
727        crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
728        signerInfos SignerInfos }

730      SignerInfos ::= SET OF SignerInfo

732      EncapsulatedContentInfo ::= SEQUENCE {
733        eContentType       CONTENT-TYPE.&id({ContentSet}),
734        eContent           [0] EXPLICIT OCTET STRING
735                ( CONTAINING CONTENT-TYPE.
736                    &Type({ContentSet}{@eContentType})) OPTIONAL }

738      SignerInfo ::= SEQUENCE {
739        version CMSVersion,
740        sid SignerIdentifier,
741        digestAlgorithm DigestAlgorithmIdentifier,
742        signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
743        signatureAlgorithm SignatureAlgorithmIdentifier,
744        signature SignatureValue,
745        unsignedAttrs [1] IMPLICIT Attributes
746            {{UnsignedAttributes}} OPTIONAL }

748      SignedAttributes ::= Attributes {{ SignedAttributesSet }}

750      SignerIdentifier ::= CHOICE {
751        issuerAndSerialNumber IssuerAndSerialNumber,
752        ...,
753        [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

755      SignedAttributesSet ATTRIBUTE ::=
756        { aa-signingTime | aa-messageDigest | aa-contentType, ... }

758      UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

760      SignatureValue ::= OCTET STRING

762      EnvelopedData ::= SEQUENCE {
763        version CMSVersion,
764        originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
765        recipientInfos RecipientInfos,
766        encryptedContentInfo EncryptedContentInfo,
767        ...,
768        [[2: unprotectedAttrs [1] IMPLICIT Attributes
769            {{ UnprotectedEnvAttributes }} OPTIONAL ]] }

771      OriginatorInfo ::= SEQUENCE {
772        certs [0] IMPLICIT CertificateSet OPTIONAL,
773        crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

775      RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

777      EncryptedContentInfo ::= SEQUENCE {
778        contentType        CONTENT-TYPE.&id({ContentSet}),
779        contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
780        encryptedContent   [0] IMPLICIT OCTET STRING OPTIONAL }

782      -- If you want to do constraints, you might use:
783      -- EncryptedContentInfo ::= SEQUENCE {
784      --  contentType        CONTENT-TYPE.&id({ContentSet}),
785      --  contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
786      --  encryptedContent   [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
787      --      &Type({ContentSet}{@contentType}) OPTIONAL }
788      -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
789      --        { ToBeEncrypted } )

791      UnprotectedEnvAttributes ATTRIBUTE ::=  { ... }
792      UnprotectedEncAttributes ATTRIBUTE ::=  { ... }

794      RecipientInfo ::= CHOICE {
795        ktri           KeyTransRecipientInfo,
796        ...,
797        [[3: kari  [1] KeyAgreeRecipientInfo ]],
798        [[4: kekri [2] KEKRecipientInfo]],
799        [[5: pwri  [3] PasswordRecipientInfo,
800             ori   [4] OtherRecipientInfo ]] }

802      EncryptedKey ::= OCTET STRING

804      KeyTransRecipientInfo ::= SEQUENCE {
805        version CMSVersion,  -- always set to 0 or 2
806        rid RecipientIdentifier,
807        keyEncryptionAlgorithm AlgorithmIdentifier
808            {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
809        encryptedKey EncryptedKey }

811      KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

813      RecipientIdentifier ::= CHOICE {
814        issuerAndSerialNumber IssuerAndSerialNumber,
815        ...,
816        [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
817      KeyAgreeRecipientInfo ::= SEQUENCE {
818        version CMSVersion,  -- always set to 3
819        originator [0] EXPLICIT OriginatorIdentifierOrKey,
820        ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
821        keyEncryptionAlgorithm AlgorithmIdentifier
822            {KEY-AGREE, {KeyAgreementAlgorithmSet}},
823        recipientEncryptedKeys RecipientEncryptedKeys }

825      KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

827      OriginatorIdentifierOrKey ::= CHOICE {
828        issuerAndSerialNumber IssuerAndSerialNumber,
829        subjectKeyIdentifier [0] SubjectKeyIdentifier,
830        originatorKey [1] OriginatorPublicKey }

832      OriginatorPublicKey ::= SEQUENCE {
833        algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
834        publicKey BIT STRING }

836      OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }
837      RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

839      RecipientEncryptedKey ::= SEQUENCE {
840        rid KeyAgreeRecipientIdentifier,
841        encryptedKey EncryptedKey }

843      KeyAgreeRecipientIdentifier ::= CHOICE {
844        issuerAndSerialNumber IssuerAndSerialNumber,
845        rKeyId [0] IMPLICIT RecipientKeyIdentifier }

847      RecipientKeyIdentifier ::= SEQUENCE {
848        subjectKeyIdentifier SubjectKeyIdentifier,
849        date GeneralizedTime OPTIONAL,
850        other OtherKeyAttribute OPTIONAL }

852      SubjectKeyIdentifier ::= OCTET STRING

854      KEKRecipientInfo ::= SEQUENCE {
855        version CMSVersion,  -- always set to 4
856        kekid KEKIdentifier,
857        keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
858        encryptedKey EncryptedKey }

860      KEKIdentifier ::= SEQUENCE {
861        keyIdentifier OCTET STRING,
862        date GeneralizedTime OPTIONAL,
863        other OtherKeyAttribute OPTIONAL }
864      PasswordRecipientInfo ::= SEQUENCE {
865        version CMSVersion,   -- always set to 0
866        keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
867            OPTIONAL,
868        keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
869        encryptedKey EncryptedKey }

871      OTHER-RECIPIENT ::= TYPE-IDENTIFIER

873      OtherRecipientInfo ::= SEQUENCE {
874        oriType    OTHER-RECIPIENT.
875                &id({SupportedOtherRecipInfo}),
876        oriValue   OTHER-RECIPIENT.
877                &Type({SupportedOtherRecipInfo}{@oriType})}

879      SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

881      DigestedData ::= SEQUENCE {
882        version CMSVersion,
883        digestAlgorithm DigestAlgorithmIdentifier,
884        encapContentInfo EncapsulatedContentInfo,
885        digest Digest, ... }

887      Digest ::= OCTET STRING

889      EncryptedData ::= SEQUENCE {
890        version CMSVersion,
891        encryptedContentInfo EncryptedContentInfo,
892        ...,
893        [[2: unprotectedAttrs [1] IMPLICIT Attributes
894            {{UnprotectedEncAttributes}} OPTIONAL ]] }

896      AuthenticatedData ::= SEQUENCE {
897        version CMSVersion,
898        originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
899        recipientInfos RecipientInfos,
900        macAlgorithm MessageAuthenticationCodeAlgorithm,
901        digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
902        encapContentInfo EncapsulatedContentInfo,
903        authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
904        mac MessageAuthenticationCode,
905        unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

907      AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
908        {{AuthAttributeSet}}

910      AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
911                                       | aa-signingTime, ...}
912      MessageAuthenticationCode ::= OCTET STRING

914      UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
915        {{UnauthAttributeSet}}

917      UnauthAttributeSet ATTRIBUTE ::= {...}

919      --
920      --  General algorithm definitions
921      --

923      DigestAlgorithmIdentifier ::= AlgorithmIdentifier
924        {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

926      DigestAlgorithmSet DIGEST-ALGORITHM ::= {
927        CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }

929      SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
930        {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}

932      SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
933        { SignatureAlgs, ... }

935      KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
936        {KEY-WRAP, {KeyEncryptionAlgorithmSet}}

938      KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }

940      ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
941        {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}

943      ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
944        { ContentEncryptionAlgs, ... }

946      MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
947        {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}

949      MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
950        { MessageAuthAlgs, ... }

952      KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
953        {KEY-DERIVATION, {KeyDerivationAlgs, ...}}

955      RevocationInfoChoices ::= SET OF RevocationInfoChoice

957      RevocationInfoChoice ::= CHOICE {
958        crl CertificateList,
959        ...,
960        [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

962      OTHER-REVOK-INFO ::= TYPE-IDENTIFIER

964      OtherRevocationInfoFormat ::= SEQUENCE {
965        otherRevInfoFormat    OTHER-REVOK-INFO.
966                &id({SupportedOtherRevokInfo}),
967        otherRevInfo          OTHER-REVOK-INFO.
968                &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}

970      SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }

972      CertificateChoices ::= CHOICE {
973        certificate Certificate,
974        extendedCertificate [0] IMPLICIT ExtendedCertificate,
975             -- Obsolete
976        ...,
977        [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
978             -- Obsolete
979        [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
980        [[5: other      [3] IMPLICIT OtherCertificateFormat]] }

982      AttributeCertificateV2 ::= AttributeCertificate

984      OTHER-CERT-FMT ::= TYPE-IDENTIFIER

986      OtherCertificateFormat ::= SEQUENCE {
987        otherCertFormat OTHER-CERT-FMT.
988                &id({SupportedCertFormats}),
989        otherCert       OTHER-CERT-FMT.
990 &Type({SupportedCertFormats}{@otherCertFormat})} 992 SupportedCertFormats OTHER-CERT-FMT ::= { ... } 994 CertificateSet ::= SET OF CertificateChoices 996 IssuerAndSerialNumber ::= SEQUENCE { 997 issuer Name, 998 serialNumber CertificateSerialNumber } 1000 CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) } 1002 UserKeyingMaterial ::= OCTET STRING 1004 KEY-ATTRIBUTE ::= TYPE-IDENTIFIER 1006 OtherKeyAttribute ::= SEQUENCE { 1007 keyAttrId KEY-ATTRIBUTE. 1008 &id({SupportedKeyAttributes}), 1009 keyAttr KEY-ATTRIBUTE. 1010 &Type({SupportedKeyAttributes}{@keyAttrId})} 1012 SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... } 1014 -- Content Type Object Identifiers 1016 id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1017 us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 } 1019 ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data} 1021 id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1022 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 } 1024 ct-SignedData CONTENT-TYPE ::= 1025 { SignedData IDENTIFIED BY id-signedData} 1027 id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1028 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 } 1030 ct-EnvelopedData CONTENT-TYPE ::= 1031 { EnvelopedData IDENTIFIED BY id-envelopedData} 1033 id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1034 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 } 1036 ct-DigestedData CONTENT-TYPE ::= 1037 { DigestedData IDENTIFIED BY id-digestedData} 1039 id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1040 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 } 1042 ct-EncryptedData CONTENT-TYPE ::= 1043 { EncryptedData IDENTIFIED BY id-encryptedData} 1045 id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1046 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 } 1048 ct-AuthenticatedData CONTENT-TYPE ::= 1049 { AuthenticatedData IDENTIFIED BY id-ct-authData} 1051 id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1052 us(840) 
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 } 1054 -- 1055 -- The CMS Attributes 1056 -- 1058 MessageDigest ::= OCTET STRING 1060 SigningTime ::= Time 1062 Time ::= CHOICE { 1063 utcTime UTCTime, 1064 generalTime GeneralizedTime } 1066 Countersignature ::= SignerInfo 1068 -- Attribute Object Identifiers 1070 aa-contentType ATTRIBUTE ::= 1071 { TYPE ContentType IDENTIFIED BY id-contentType } 1072 id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1073 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } 1075 aa-messageDigest ATTRIBUTE ::= 1076 { TYPE MessageDigest IDENTIFIED BY id-messageDigest} 1077 id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1078 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 } 1080 aa-signingTime ATTRIBUTE ::= 1081 { TYPE SigningTime IDENTIFIED BY id-signingTime } 1082 id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1083 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } 1085 aa-countersignature ATTRIBUTE ::= 1086 { TYPE Countersignature IDENTIFIED BY id-countersignature } 1087 id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1088 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } 1090 -- 1091 -- Obsolete Extended Certificate syntax from PKCS#6 1092 -- 1094 ExtendedCertificateOrCertificate ::= CHOICE { 1095 certificate Certificate, 1096 extendedCertificate [0] IMPLICIT ExtendedCertificate } 1098 ExtendedCertificate ::= SEQUENCE { 1099 extendedCertificateInfo ExtendedCertificateInfo, 1100 signatureAlgorithm SignatureAlgorithmIdentifier, 1101 signature Signature } 1103 ExtendedCertificateInfo ::= SEQUENCE { 1104 version CMSVersion, 1105 certificate Certificate, 1106 attributes UnauthAttributes } 1108 Signature ::= BIT STRING 1110 Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE { 1111 attrType ATTRIBUTE. 1112 &id({AttrList}), 1113 attrValues SET OF ATTRIBUTE. 1114 &Type({AttrList}{@attrType}) } 1116 Attributes { ATTRIBUTE:AttrList } ::= 1117 SET SIZE (1..MAX) OF Attribute {{ AttrList }} 1119 END 1121 10. 
ASN.1 Module RFC 5083 1123 This module is updated from RFC 5911 [RFC5911] by defining seperate 1124 attribute sets for the protected and unprotected attribute sets. By 1125 using different attribute sets for AuthenticatedData and 1126 AuthEnvelopedData, protocol designers can make use of the '02 ASN.1 1127 constraints to define different sets of attributes for 1128 AuthenticatedData and AuthEnvelopedData. Previously, attributes 1129 could only be constrained based on whether they were unauthenticated 1130 not on the content type. 1132 CMS-AuthEnvelopedData-2009 1133 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1134 smime(16) modules(0) TBD} 1135 DEFINITIONS IMPLICIT TAGS ::= 1136 BEGIN 1137 IMPORTS 1139 CMSVersion, EncryptedContentInfo, 1140 MessageAuthenticationCode, OriginatorInfo, RecipientInfos, 1141 CONTENT-TYPE, Attributes{} 1142 FROM CryptographicMessageSyntax-2009 1143 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1144 smime(16) modules(0) id-mod-cms-2004-02(41)} ; 1146 ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... } 1148 ct-authEnvelopedData CONTENT-TYPE ::= { 1149 AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData 1150 } 1152 id-ct-authEnvelopedData OBJECT IDENTIFIER ::= 1153 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1154 smime(16) ct(1) 23} 1156 AuthEnvelopedData ::= SEQUENCE { 1157 version CMSVersion, 1158 originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, 1159 recipientInfos RecipientInfos, 1160 authEncryptedContentInfo EncryptedContentInfo, 1161 authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, 1162 mac MessageAuthenticationCode, 1163 unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL 1164 } 1166 AuthAttributes ::= Attributes{{AuthEnvDataAttributeSet}} 1168 UnauthAttributes ::= Attributes{{UnauthEnvDataAttributeSet}} 1170 AuthEnvDataAttributeSet ::= {aa-contentType | aa-messageDigest | 1171 aa-signedTime, ... } 1173 UnauthEnvDataAttributeSet ::= {...} 1175 END 1177 11. 
Module Identifiers in ASN.1 1179 One potential issue that can occur when updating modules is the fact 1180 that a large number of modules may need to be updated if they import 1181 from a newly updated module. This section addresses one method that 1182 can be used to deal with this problem, but the modules in this 1183 document don't currently implement the solution discussed here. 1185 When looking at an import statement, there are three portions: The 1186 list of items imported, a textual name for the module and an object 1187 identifier for the module. Full implementations of ASN.1 do module 1188 matching using first the object identifier and if that is not present 1189 the textual name of the module. Note however that some older 1190 implementations used the textual name of the module for the purposes 1191 of matching. In a full implementation the name assigned to the 1192 module is scoped to the ASN.1 module that it appears in (and thus 1193 need to match the module it is importing from). 1195 One can create a module that contains only the module number 1196 assignments and import the module assignments from the new module. 1197 This means that when a module is replaced, one can replace the 1198 previous module, update the module number assigment module and 1199 recompile without having to modify any other modules. 
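
The matching rule and the module number indirection described above, modelled as an added Python example (not part of the draft): it extracts the FROM clauses of two constructed importers and reports which of them must be edited when the imported module's OID is replaced. The importer names, the registry labels, the placeholder arc 999, and the premise that both module revisions keep the same textual name are assumptions made for illustration.

```python
import re

# FROM <ModuleName>, then an inline OID, a value reference, or nothing.
FROM_RE = re.compile(r"FROM\s+([A-Z][\w-]*)\s*(?:(\{[^}]*\})"
                     r"|([a-z][\w-]*)(?![\w-])(?!\s*(?:,|FROM\b)))?")

def parse_oid(braced):
    """'{iso(1) pkcs-9(9) 41}' -> (1, 9, 41); an arc is name(n) or bare n."""
    return tuple(int(t.rstrip(")").split("(")[-1])
                 for t in braced.strip("{} ").split())

def imports_of(source, numbers):
    """Yield (module name, OID or None, inline?) for each FROM clause.
    `numbers` stands in for the module number assignment module."""
    text = re.sub(r"--.*", "", source)            # drop ASN.1 line comments
    for name, braced, ref in FROM_RE.findall(text):
        oid = parse_oid(braced) if braced else numbers.get(ref)
        yield name, oid, bool(braced)

def resolve(name, oid, registry, name_only=False):
    """Full tools match on the OID and use the name only when no OID is
    given; name_only=True models older tools that match on the name."""
    if oid is not None and not name_only:
        return [m["label"] for m in registry if m["oid"] == oid]
    return [m["label"] for m in registry if m["name"] == name]

def must_edit(sources, numbers, replaced_oid):
    """Importers that spell out replaced_oid and so need a manual edit."""
    return sorted(mod for mod, src in sources.items()
                  if any(inline and oid == replaced_oid
                         for _, oid, inline in imports_of(src, numbers)))

# Constructed sample data; arc 999 is a placeholder, not an assigned number.
ARC = ("{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) "
       "smime(16) modules(0) ")
OLD = parse_oid(ARC + "id-mod-cms-2004-02(41)}")
NEW = parse_oid(ARC + "999}")
CMS = "CryptographicMessageSyntax-2009"
REGISTRY = [{"label": "old", "name": CMS, "oid": OLD},
            {"label": "new", "name": CMS, "oid": NEW}]
NUMBERS = {"id-mod-CMS": NEW}      # the one assignment edited on replacement
SOURCES = {
    "DirectImporter": "IMPORTS CMSVersion FROM " + CMS + "\n"
                      + ARC + "id-mod-cms-2004-02(41)} ;",
    "IndirectImporter": "IMPORTS id-mod-CMS FROM ModuleNumbers -- by name\n"
                        "CMSVersion FROM " + CMS + " id-mod-CMS ;",
}
```

Calling `resolve(CMS, OLD, REGISTRY, name_only=True)` returns both revisions, which is the ambiguity a name-only matcher faces once two revisions share a textual name.
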
1201     A sample module assignment module would be:

1203     ModuleNumbers
1204     DEFINITIONS TAGS ::=
1205     BEGIN
1206       id-mod-CMS ::= { iso(1) member-body(2) us(840) rsadsi(113549)
1207         pkcs(1) pkcs-9(9) smime(16) modules(0) TBD }

1209       id-mod-AlgInfo ::=
1210         {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1211         mechanisms(5) pkix(7) id-mod(0)
1212         id-mod-algorithmInformation-02(58)}
1213     END

1215     This would be used in the following import statement:

1217     IMPORTS
1218       id-mod-CMS, id-mod-AlgInfo
1219       FROM ModuleNumbers -- Note it will match on the name since no
1220                          -- OID is provided

1222       CMSVersion, EncapsulatedContentInfo, CONTENT-TYPE
1223       FROM CryptographicMessageSyntax-2009
1224         id-mod-CMS

1226       AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
1227       FROM AlgorithmInformation-2009 id-mod-AlgInfo
1228       ;

1230  12.  Security Considerations

1232     This document itself does not have any security considerations.  The
1233     ASN.1 modules keep the same bits-on-the-wire as the modules that they
1234     replace.

1236  13.  IANA Considerations

1238     None.

1240  14.  Normative References

1242     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1243                Requirement Levels", BCP 14, RFC 2119, March 1997.

1245     [RFC3274]  Gutmann, P., "Compressed Data Content Type for
1246                Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.

1248     [RFC3379]  Pinkas, D. and R. Housley, "Delegated Path Validation and
1249                Delegated Path Discovery Protocol Requirements", RFC 3379,
1250                September 2002.

1252     [RFC4049]  Housley, R., "BinaryTime: An Alternate Format for
1253                Representing Date and Time in ASN.1", RFC 4049,
1254                April 2005.

1256     [RFC4073]  Housley, R., "Protecting Multiple Contents with the
1257                Cryptographic Message Syntax (CMS)", RFC 4073, May 2005.

1259     [RFC4231]  Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
1260                224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
1261                RFC 4231, December 2005.

1263     [RFC4334]  Housley, R. and T. Moore, "Certificate Extensions and
1264                Attributes Supporting Authentication in Point-to-Point
1265                Protocol (PPP) and Wireless Local Area Networks (WLAN)",
1266                RFC 4334, February 2006.

1268     [RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS)
1269                Authenticated-Enveloped-Data Content Type", RFC 5083,
1270                November 2007.

1272     [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)",
1273                RFC 5652, September 2009.

1275     [RFC5752]  Turner, S. and J. Schaad, "Multiple Signatures in
1276                Cryptographic Message Syntax (CMS)", RFC 5752,
1277                January 2010.

1279     [RFC5911]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for
1280                Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
1281                June 2010.

1283     [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
1284                Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
1285                June 2010.

1287     [ASN1-2008]
1288                ITU-T, "ITU-T Recommendations X.680, X.681, X.682, and
1289                X.683", 2008.

1291  Authors' Addresses

1293     Jim Schaad
1294     Soaring Hawk Consulting

1296     Email: jimsch@augustcellars.com

1298     Sean Turner
1299     IECA, Inc.
1300     3057 Nutley Street, Suite 106
1301     Fairfax, VA 22031

1303     Email: turners@ieca.com