idnits 2.17.00 (12 Aug 2021)

/tmp/idnits22114/draft-turner-additional-new-asn-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008. The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs. If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer.
     Otherwise, the disclaimer is needed and you can ignore this comment.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (November 8, 2010) is 4211 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC3851' is mentioned on line 187, but not defined

  ** Obsolete undefined reference: RFC 3851 (Obsoleted by RFC 5751)

  == Missing Reference: 'RFC5280' is mentioned on line 283, but not defined

  -- Looks like a reference, but probably isn't: '0' on line 1207

  -- Looks like a reference, but probably isn't: '1' on line 1089

  -- Looks like a reference, but probably isn't: '2' on line 1091

  -- Looks like a reference, but probably isn't: '3' on line 1092

  -- Looks like a reference, but probably isn't: '4' on line 911

  ** Obsolete normative reference: RFC 4049 (Obsoleted by RFC 6019)

  ** Downref: Normative reference to an Informational RFC: RFC 5911

  ** Downref: Normative reference to an Informational RFC: RFC 5912

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ASN1-2008'

     Summary: 4 errors (**), 0 flaws (~~), 4 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2 Network Working Group                                      J. Schaad
3 Internet-Draft                               Soaring Hawk Consulting
4 Intended status: Standards Track                           S. Turner
5 Expires: May 12, 2011                                     IECA, Inc.
6                                                     November 8, 2010

8                     Additional New ASN.1 Modules
9                  draft-turner-additional-new-asn-02

11 Abstract

13 The Cryptographic Message Syntax (CMS) format, and many associated
14 formats, are expressed using ASN.1. The current ASN.1 modules
15 conform to the 1988 version of ASN.1. This document updates some
16 auxiliary ASN.1 modules to conform to the 2008 version of ASN.1.
17 There are no bits-on-the-wire changes to any of the formats; this is
18 simply a change to the syntax.

20 Status of this Memo

22 This Internet-Draft is submitted in full conformance with the
23 provisions of BCP 78 and BCP 79.

25 Internet-Drafts are working documents of the Internet Engineering
26 Task Force (IETF). Note that other groups may also distribute
27 working documents as Internet-Drafts. The list of current Internet-
28 Drafts is at http://datatracker.ietf.org/drafts/current/.

30 Internet-Drafts are draft documents valid for a maximum of six months
31 and may be updated, replaced, or obsoleted by other documents at any
32 time. It is inappropriate to use Internet-Drafts as reference
33 material or to cite them other than as "work in progress."

35 This Internet-Draft will expire on May 12, 2011.

37 Copyright Notice

39 Copyright (c) 2010 IETF Trust and the persons identified as the
40 document authors. All rights reserved.

42 This document is subject to BCP 78 and the IETF Trust's Legal
43 Provisions Relating to IETF Documents
44 (http://trustee.ietf.org/license-info) in effect on the date of
45 publication of this document. Please review these documents
46 carefully, as they describe your rights and restrictions with respect
47 to this document. Code Components extracted from this document must
48 include Simplified BSD License text as described in Section 4.e of
49 the Trust Legal Provisions and are provided without warranty as
50 described in the Simplified BSD License.

52 This document may contain material from IETF Documents or IETF
53 Contributions published or made publicly available before November
54 10, 2008. The person(s) controlling the copyright in some of this
55 material may not have granted the IETF Trust the right to allow
56 modifications of such material outside the IETF Standards Process.
57 Without obtaining an adequate license from the person(s) controlling
58 the copyright in such materials, this document may not be modified
59 outside the IETF Standards Process, and derivative works of it may
60 not be created outside the IETF Standards Process, except to format
61 it for publication as an RFC or to translate it into languages other
62 than English.

64 Table of Contents

66 1. Introduction
67   1.1. ASN.1 Updates (2002 to 2008)
68   1.2. Requirements Terminology
69 2. ASN.1 Module RFC 3274
70 3. ASN.1 Module RFC 3779
71 4. ASN.1 Module RFC 4049
72 5. ASN.1 Module RFC 4073
73 6. ASN.1 Module RFC 4231
74 7. ASN.1 Module RFC 4334
75 8. ASN.1 Module RFC 5083
76 9. ASN.1 Module RFC 5652
77 10. ASN.1 Module RFC 5752
78 11. Module Identifiers in ASN.1
79 12. Security Considerations
80 13. IANA Considerations
81 14. Normative References
82 Authors' Addresses

84 1. Introduction

86 Some developers would like the IETF to use the latest version of
87 ASN.1 in its standards. Most of the RFCs that relate to security
88 protocols still use ASN.1 from the 1988 standard, which has been
89 deprecated. This is particularly true for the standards that relate
90 to PKIX, CMS, and S/MIME.

92 In this document we have either changed the syntax to use the 2008
93 ASN.1 standard, or done some updates from previous conversions:

95   RFC 3274, Compressed Data Content Type for Cryptographic Message
96   Syntax (CMS) [RFC3274].

98   RFC 3779, X.509 Extensions for IP Addresses and AS Identifiers
99   [RFC3779].

101   RFC 4049, BinaryTime: An Alternate Format for Representing Date
102   and Time in ASN.1 [RFC4049].

104   RFC 4073, Protecting Multiple Contents with the Cryptographic
105   Message Syntax (CMS) [RFC4073].

107   RFC 4231, Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-
108   256, HMAC-SHA-384, and HMAC-SHA-512 [RFC4231].

110   RFC 4334, Certificate Extensions and Attributes Supporting
111   Authentication in Point-to-Point Protocol (PPP) and Wireless Local
112   Area Networks (WLAN) [RFC4334].

114   RFC 5083, Cryptographic Message Syntax (CMS) Authenticated-
115   Enveloped-Data Content Type [RFC5083].

117   RFC 5652, Cryptographic Message Syntax (CMS) [RFC5652].

119   RFC 5752, Multiple Signatures in Cryptographic Message Syntax
120   (CMS) [RFC5752].

122 Note that some of the modules in this document get some of their
123 definitions from places different than the modules in the original
124 RFCs. The idea is that these modules, when combined with the modules
125 in [RFC5912] and [RFC5911], can stand on their own and do not need to
126 import definitions from anywhere else.

128 1.1. ASN.1 Updates (2002 to 2008)

130 The modules defined in this document are compatible with the most
131 current ASN.1 specification published in 2008 (see [ASN1-2008]). The
132 changes between the 2002 specification and the 2008 specification
133 include the creation of some additional pre-defined types (DATE,
134 DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE-OID-IRI, TIME,
135 TIME-OF-DAY) and the ability to define different encoding rules
136 (ENCODING-CONTROL, INSTRUCTIONS). None of the newly defined tokens
137 are currently used in any of the ASN.1 specifications published here.

139 1.2. Requirements Terminology

141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
143 document are to be interpreted as described in [RFC2119].

145 2. ASN.1 Module RFC 3274

147 We have updated the ASN.1 module associated with this document to be
148 2008 compliant and to use the set of classes previously defined in
149 [RFC5911].

151 CompressedDataContent
152   { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
153     smime(16) modules(0) TBD4 }

155 DEFINITIONS IMPLICIT TAGS ::=
156 BEGIN

158 IMPORTS
159   CMSVersion, EncapsulatedContentInfo,
160   CONTENT-TYPE
161   FROM CryptographicMessageSyntax-2009
162     { iso(1) member-body(2) us(840) rsadsi(113549)
163       pkcs(1) pkcs-9(9) smime(16) modules(0) TBD1 }

165   AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
166   FROM AlgorithmInformation-2009
167     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
168      mechanisms(5) pkix(7) id-mod(0)
169      id-mod-algorithmInformation-02(58)}
170   ;

172 --
173 -- ContentTypes contains the set of content types that are
174 -- defined in this module.
175 --
176 -- The contents of ContentTypes should be added to
177 -- ContentSet defined in [RFC5652]
178 --

180 ContentTypes CONTENT-TYPE ::= {ct-compressedData}

182 --
183 -- SMimeCaps contains the set of S/MIME capabilities that
184 -- are associated with the algorithms defined in this
185 -- document.
186 --
187 -- SMimeCaps are added to SMimeCapsSet defined in [RFC3851].
188 --

190 SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps}

192 --
193 -- Define the compressed data content type
194 --

196 ct-compressedData CONTENT-TYPE ::= {
197   TYPE CompressedData IDENTIFIED BY id-ct-compressedData
198 }

200 CompressedData ::= SEQUENCE {
201   version CMSVersion (v0), -- Always set to 0
202   compressionAlgorithm CompressionAlgorithmIdentifier,
203   encapContentInfo EncapsulatedContentInfo
204 }

206 CompressionAlgorithmIdentifier ::=
207   AlgorithmIdentifier{COMPRESS-ALGORITHM, {CompressAlgorithmSet}}

209 CompressAlgorithmSet COMPRESS-ALGORITHM ::= {
210   cpa-zlibCompress, ...
211 }

213 -- Algorithm Identifiers

215 id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2)
216   us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 }

218 cpa-zlibCompress COMPRESS-ALGORITHM ::= {
219   IDENTIFIER id-alg-zlibCompress
220   PARAMS TYPE NULL ARE preferredAbsent
221   SMIME-CAPS {IDENTIFIED BY id-alg-zlibCompress}
222 }

224 -- Content Type Object Identifiers

226 id-ct-compressedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
227   us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 9 }

229 --
230 -- Class defined for compression algorithms
231 --

233 COMPRESS-ALGORITHM ::= CLASS {
234   &id OBJECT IDENTIFIER UNIQUE,
235   &Params OPTIONAL,
236   &paramPresence ParamOptions DEFAULT absent,
237   &smimeCaps SMIME-CAPS OPTIONAL
238 }
239 WITH SYNTAX {
240   IDENTIFIER &id

242   [PARAMS [TYPE &Params] ARE &paramPresence]
243   [SMIME-CAPS &smimeCaps]
244 }

246 END

248 3. ASN.1 Module RFC 3779

250 We have updated the ASN.1 module associated with RFC 3779 to be ASN.1
251 2008 compliant and to use the set of classes previously defined in
252 [RFC5912].

254 IPAddrAndASCertExtn { iso(1) identified-organization(3) dod(6)
255   internet(1) security(5) mechanisms(5) pkix(7) mod(0)
256   TBD6 }
257 DEFINITIONS EXPLICIT TAGS ::=
258 BEGIN
259 EXPORTS ALL;

261 IMPORTS

263 -- PKIX specific OIDs and arcs --
264   id-pe
265   FROM PKIX1Explicit-2009
266     { iso(1) identified-organization(3) dod(6) internet(1)
267       security(5) mechanisms(5) pkix(7) id-mod(0)
268       id-mod-pkix1-explicit-02(51)}

270   EXTENSION
271   FROM PKIX-CommonTypes-2009
272     { iso(1) identified-organization(3) dod(6) internet(1)
273       security(5) mechanisms(5) pkix(7) id-mod(0)
274       id-mod-pkixCommon-02(57)}
275   ;

277 --
278 -- Extensions contains the set of extensions defined in this
279 -- module
280 --
281 -- These are intended to be placed in public key certificates
282 -- and thus should be added to the CertExtensions extension
283 -- set in PKIXImplicit-2009 defined for [RFC5280]
284 --

286 Extensions EXTENSION ::= {
287   ext-pe-ipAddrBlocks | ext-pe-autonomousSysIds
288 }

290 -- IP Address Delegation Extension OID --

292 ext-pe-ipAddrBlocks EXTENSION ::= {
293   SYNTAX IPAddrBlocks
294   IDENTIFIED BY id-pe-ipAddrBlocks
295 }
296 id-pe-ipAddrBlocks OBJECT IDENTIFIER ::= { id-pe 7 }

298 -- IP Address Delegation Extension Syntax --

300 IPAddrBlocks ::= SEQUENCE OF IPAddressFamily

302 IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI --
303   addressFamily OCTET STRING (SIZE (2..3)),
304   ipAddressChoice IPAddressChoice }

306 IPAddressChoice ::= CHOICE {
307   inherit NULL, -- inherit from issuer --
308   addressesOrRanges SEQUENCE OF IPAddressOrRange }

310 IPAddressOrRange ::= CHOICE {
311   addressPrefix IPAddress,
312   addressRange IPAddressRange }

314 IPAddressRange ::= SEQUENCE {
315   min IPAddress,
316   max IPAddress }

318 IPAddress ::= BIT STRING

320 -- Autonomous System Identifier Delegation Extension OID --

322 ext-pe-autonomousSysIds EXTENSION ::= {
323   SYNTAX ASIdentifiers
324   IDENTIFIED BY id-pe-autonomousSysIds
325 }

327 id-pe-autonomousSysIds OBJECT IDENTIFIER ::= { id-pe 8 }

329 -- Autonomous System Identifier Delegation Extension Syntax --

331 ASIdentifiers ::= SEQUENCE {
332   asnum [0] ASIdentifierChoice OPTIONAL,
333   rdi [1] ASIdentifierChoice OPTIONAL }
334   (WITH COMPONENTS {..., asnum PRESENT} |
335    WITH COMPONENTS {..., rdi PRESENT})

337 ASIdentifierChoice ::= CHOICE {
338   inherit NULL, -- inherit from issuer --
339   asIdsOrRanges SEQUENCE OF ASIdOrRange }

341 ASIdOrRange ::= CHOICE {
342   id ASId,
343   range ASRange }

345 ASRange ::= SEQUENCE {
346   min ASId,
347   max ASId }

349 ASId ::= INTEGER

351 END

353 4. ASN.1 Module RFC 4049

355 We have updated the ASN.1 module associated with this document to be
356 2008 compliant and to use the set of classes previously defined in
357 [RFC5911].

359 BinarySigningTimeModule-2009
360   { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
361     pkcs-9(9) smime(16) modules(0) TBD6 }
362 DEFINITIONS IMPLICIT TAGS ::=
363 BEGIN
364 IMPORTS

366 -- From PKIX-CommonTypes-2009 [RFC5912]

368   ATTRIBUTE
369   FROM PKIX-CommonTypes-2009
370     { iso(1) identified-organization(3) dod(6) internet(1)
371       security(5) mechanisms(5) pkix(7) id-mod(0)
372       id-mod-pkixCommon-02(57) }
373   ;

375 --
376 -- BinaryTime Definition
377 --
378 -- BinaryTime contains the number of seconds since
379 -- midnight Jan 1, 1970 UTC.
380 -- Leap seconds are EXCLUDED from the computation.
381 --

383 BinaryTime ::= INTEGER (0..MAX)

385 --
386 -- Signing Binary Time Attribute
387 --
388 -- The binary signing time should be added to
389 -- SignedAttributeSet and tAuthenticatedAttributeSet
390 -- in CMS [RFC5652] and to AuthEnvDataAttributeSet
391 -- in [RFC5083].
392 --

394 aa-binarySigningTime ATTRIBUTE ::= {
395   TYPE BinarySigningTime
396   IDENTIFIED BY id-aa-binarySigningTime }

398 id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
399   member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
400   smime(16) aa(2) 46 }

402 BinarySigningTime ::= BinaryTime

404 END

406 5. ASN.1 Module RFC 4073

408 We have updated the ASN.1 module associated with this document to be
409 2008 compliant and to use the set of classes previously defined in
410 [RFC5911].

412 ContentCollectionModule-2009
413   { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
414     pkcs-9(9) smime(16) modules(0) TBD7 }
415 DEFINITIONS IMPLICIT TAGS ::=
416 BEGIN
417 IMPORTS

419 -- From CryptographicMessageSyntax-2009 [RFC5911]

421   CONTENT-TYPE, ContentInfo
422   FROM CryptographicMessageSyntax-2009
423     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
424       pkcs-9(9) smime(16) modules(0) TBD1 }

426   AttributeSet{}, ATTRIBUTE
427   FROM PKIX-CommonTypes-2009
428     { iso(1) identified-organization(3) dod(6) internet(1)
429       security(5) mechanisms(5) pkix(7) id-mod(0)
430       id-mod-pkixCommon-02(57) }
431   ;

433 --
434 -- An object set of all content types defined by this module.
435 -- This is to be added to ContentSet in the CMS module
436 --

438 ContentSet CONTENT-TYPE ::= {
439   ct-ContentCollection | ct-ContentWithAttributes, ...
440 }

442 --
443 -- Content Collection Content Type and Object Identifier
444 --

446 ct-ContentCollection CONTENT-TYPE ::= {
447   TYPE ContentCollection IDENTIFIED BY id-ct-contentCollection }

449 id-ct-contentCollection OBJECT IDENTIFIER ::= {
450   iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
451   smime(16) ct(1) 19 }

453 ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
454 --
455 -- Content With Attributes Content Type and Object Identifier
456 --

458 ct-ContentWithAttributes CONTENT-TYPE ::= {
459   TYPE ContentWithAttributes IDENTIFIED BY id-ct-contentWithAttrs }

461 id-ct-contentWithAttrs OBJECT IDENTIFIER ::= {
462   iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
463   smime(16) ct(1) 20 }

465 ContentWithAttributes ::= SEQUENCE {
466   content ContentInfo,
467   attrs SEQUENCE SIZE (1..MAX) OF AttributeSet
468     {{ ContentAttributeSet }}
469 }

471 ContentAttributeSet ATTRIBUTE ::= { ... }
472 END
473 6. ASN.1 Module RFC 4231

475 RFC 4231 does not contain an ASN.1 module to be updated. We have
476 therefore created an ASN.1 module to represent the ASN.1 that is
477 present in the document. Note that the parameters are defined as
478 expecting a parameter for the algorithm identifiers in this module;
479 this is different from most of the algorithms used in PKIX and
480 S/MIME. There is no concept of being able to truncate the MAC value
481 in the ASN.1, unlike the XML definitions. This is reflected by not
482 having a minimum MAC length defined in the ASN.1.

484 HMAC -- { TBD } --
485 DEFINITIONS EXPLICIT TAGS ::=
486 BEGIN
487 EXPORTS ALL;

489 IMPORTS

491   MAC-ALGORITHM, SMIME-CAPS
492   FROM AlgorithmInformation-2009
493     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
494       mechanisms(5) pkix(7) id-mod(0)
495       id-mod-algorithmInformation-02(58)};

497 --
498 -- This object set contains all of the MAC algorithms that are
499 -- defined in this module.
500 -- One would add it to a constraining set of objects such as the
501 -- MessageAuthenticationCodeAlgorithmSet in [RFC5652]
502 --

504 MessageAuthAlgs MAC-ALGORITHM ::= {
505   maca-hMAC-SHA224 |
506   maca-hMAC-SHA256 |
507   maca-hMAC-SHA384 |
508   maca-hMAC-SHA512
509 }

511 --
512 -- This object set contains all of the S/MIME capabilities that
513 -- have been defined for all the MAC algorithms in this module.
514 -- One would add this to an object set that is used to restrict
515 -- smime capabilities such as the SMimeCapsSet variable in
516 -- the S/MIME message draft
517 --

519 SMimeCaps SMIME-CAPS ::= {
520   maca-hMAC-SHA224.&smimeCaps |
521   maca-hMAC-SHA256.&smimeCaps |
522   maca-hMAC-SHA384.&smimeCaps |
523   maca-hMAC-SHA512.&smimeCaps
524 }

526 --
527 -- Define the base OID for the algorithm identifiers
528 --

530 rsadsi OBJECT IDENTIFIER ::=
531   {iso(1) member-body(2) us(840) rsadsi(113549)}

533 digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}

535 --
536 -- Define the necessary algorithm identifiers
537 --

539 id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8}
540 id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9}
541 id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10}
542 id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11}

544 --
545 -- Define each of the MAC-ALGORITHM objects to describe the
546 -- algorithms defined
547 --

549 maca-hMAC-SHA224 MAC-ALGORITHM ::= {
550   IDENTIFIER id-hmacWithSHA224
551   PARAMS TYPE NULL ARE preferredPresent
552   IS-KEYED-MAC TRUE
553   SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA224}
554 }

556 maca-hMAC-SHA256 MAC-ALGORITHM ::= {
557   IDENTIFIER id-hmacWithSHA256
558   PARAMS TYPE NULL ARE preferredPresent
559   IS-KEYED-MAC TRUE
560   SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA256}
561 }

563 maca-hMAC-SHA384 MAC-ALGORITHM ::= {
564   IDENTIFIER id-hmacWithSHA384
565   PARAMS TYPE NULL ARE preferredPresent
566   IS-KEYED-MAC TRUE
567   SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA384}
568 }

570 maca-hMAC-SHA512 MAC-ALGORITHM ::= {
571   IDENTIFIER id-hmacWithSHA512
572   PARAMS TYPE NULL ARE preferredPresent
573   IS-KEYED-MAC TRUE
574   SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA512}
575 }

577 END

579 7. ASN.1 Module RFC 4334

581 We have updated the ASN.1 module associated with RFC 4334 to be ASN.1
582 2008 compliant and to use the set of classes previously defined in
583 [RFC5912].

585 WLANCertExtn
586   { iso(1) identified-organization(3) dod(6) internet(1)
587     security(5) mechanisms(5) pkix(7) id-mod(0)
588     TBD8 }

590 DEFINITIONS IMPLICIT TAGS ::=
591 BEGIN
592 EXPORTS ALL;

594 IMPORTS

596   EXTENSION, ATTRIBUTE
597   FROM PKIX-CommonTypes-2009
598     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
599      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

601   id-pe, id-kp
602   FROM PKIX1Explicit-2009
603     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
604       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

606   id-aca
607   FROM PKIXAttributeCertificate-2009
608     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
609       mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}

611   ;

613 -- Extended Key Usage Values

615 KeyUsageValues OBJECT IDENTIFIER ::= {
616   id-kp-eapOverPPP | id-kp-eapOverLAN
617 }

619 id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }

621 id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }

623 -- Wireless LAN SSID Extension
624 ext-pe-wlanSSID EXTENSION ::= {
625   SYNTAX SSIDList
626   IDENTIFIED BY id-pe-wlanSSID
627   CRITICALITY {FALSE}
628 }

630 id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 }

632 SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID

634 SSID ::= OCTET STRING (SIZE (1..32))

636 -- Wireless LAN SSID Attribute Certificate Attribute
637 -- Uses same syntax as the certificate extension: SSIDList

639 at-aca-wlanSSID ATTRIBUTE ::= {
640   TYPE SSIDList
641   IDENTIFIED BY id-aca-wlanSSID
642 }

644 id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 7 }

646 END

648 8. ASN.1 Module RFC 5083

650 This module is updated from RFC 5911 [RFC5911] by the following
651 changes:

653 1. Define separate attribute sets for the unprotected attributes
654    used in EnvelopedData, EncryptedData and
655    AuthenticatedEnvelopedData (RFC 5083).

657 2. Define a parameterized type EncryptedContentInfoType so that the
658    basic type can be used with different algorithm sets (used for
659    EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
660    5083)). The parameterized type is assigned to an unparameterized
661    type of EncryptedContentInfo to minimize the output changes from
662    previous versions.

664 With the use of different attribute sets for EncryptedData and
665 EnvelopedData as well as for AuthenticatedData and AuthEnvelopedData,
666 protocol designers can make use of the '08 ASN.1 constraints to
667 define different sets of attributes for EncryptedData and
668 EnvelopedData and for AuthenticatedData and AuthEnvelopedData.
669 Previously, attributes could only be constrained based on whether
670 they were in the clear or unauthenticated, not on the encapsulating
671 content type.

673 CMS-AuthEnvelopedData-2009
674   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
675    smime(16) modules(0) TBD2}
676 DEFINITIONS IMPLICIT TAGS ::=
677 BEGIN
678 IMPORTS

680   CMSVersion, EncryptedContentInfoType{},
681   MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
682   CONTENT-TYPE, Attributes{}, ATTRIBUTE, CONTENT-ENCRYPTION,
683   AlgorithmIdentifier{},
684   aa-signingTime, aa-messageDigest, aa-contentType
685   FROM CryptographicMessageSyntax-2009
686     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
687       smime(16) modules(0) id-mod-cms-2004-02(TBD1)}

689   ContentEncryptionAlgs
690   FROM CMS-AES-CCM-and-AES-GCM-2009
691     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
692       pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
693   ;

695 ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }
696 ct-authEnvelopedData CONTENT-TYPE ::= {
697   TYPE AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
698 }

700 id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
701   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
702    smime(16) ct(1) 23}

704 AuthEnvelopedData ::= SEQUENCE {
705   version CMSVersion,
706   originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
707   recipientInfos RecipientInfos,
708   authEncryptedContentInfo EncryptedContentInfo,
709   authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
710   mac MessageAuthenticationCode,
711   unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL
712 }

714 EncryptedContentInfo ::=
715   EncryptedContentInfoType { AuthContentEncryptionAlgorithmIdentifier }

717 AuthContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
718   {CONTENT-ENCRYPTION, {AuthContentEncryptionAlgorithmSet}}

720 AuthContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= {
721   ContentEncryptionAlgs, ...}

723 AuthAttributes ::= Attributes{{AuthEnvDataAttributeSet}}

725 UnauthAttributes ::= Attributes{{UnauthEnvDataAttributeSet}}

727 AuthEnvDataAttributeSet ATTRIBUTE ::= {
728   aa-contentType | aa-messageDigest | aa-signingTime, ... }

730 UnauthEnvDataAttributeSet ATTRIBUTE ::= {...}

732 END

734 9. ASN.1 Module RFC 5652

736 This module is updated from RFC 5911 [RFC5911] by the following
737 changes:

739 1. Define separate attribute sets for the unprotected attributes
740    used in EnvelopedData, EncryptedData and
741    AuthenticatedEnvelopedData (RFC 5083).

743 2. Define a parameterized type EncryptedContentInfoType so that the
744    basic type can be used with algorithm sets (used for
745    EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
746    5083)). The parameterized type is assigned to an unparameterized
747    type of EncryptedContentInfo to minimize the output changes from
748    previous versions.

750 With the use of different attribute sets for EncryptedData and
751 EnvelopedData as well as for AuthenticatedData and AuthEnvelopedData,
752 protocol designers can make use of the '08 ASN.1 constraints to
753 define different sets of attributes for EncryptedData and
754 EnvelopedData and for AuthenticatedData and AuthEnvelopedData.
755 Previously, attributes could only be constrained based on whether
756 they were in the clear or unauthenticated, not on the encapsulating
757 content type.

759 CryptographicMessageSyntax-2009
760   { iso(1) member-body(2) us(840) rsadsi(113549)
761     pkcs(1) pkcs-9(9) smime(16) modules(0) TBD1 }
762 DEFINITIONS IMPLICIT TAGS ::=
763 BEGIN
764 IMPORTS

766   ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
767   PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
768   KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
769   AlgorithmIdentifier{}
770   FROM AlgorithmInformation-2009
771     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
772      mechanisms(5) pkix(7) id-mod(0)
773      id-mod-algorithmInformation-02(58)}

775   SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
776   MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
777   KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
778   FROM CryptographicMessageSyntaxAlgorithms-2009
779     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
780       smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

782   Certificate, CertificateList, CertificateSerialNumber,
783   Name, ATTRIBUTE
784   FROM PKIX1Explicit-2009
785     { iso(1) identified-organization(3) dod(6) internet(1)
786       security(5) mechanisms(5) pkix(7) id-mod(0)
787       id-mod-pkix1-explicit-02(51) }

789   AttributeCertificate
790   FROM PKIXAttributeCertificate-2009
791     { iso(1) identified-organization(3) dod(6) internet(1)
792       security(5) mechanisms(5) pkix(7) id-mod(0)
793       id-mod-attribute-cert-02(47) }

795   AttributeCertificateV1
796   FROM AttributeCertificateVersion1-2009
797     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
798       smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;

800 -- Cryptographic Message Syntax

802 -- The following are used for version numbers using the ASN.1
803 -- idiom "[[n:"
804 -- Version 1 = PKCS #7
805 -- Version 2 = S/MIME V2
806 -- Version 3 = RFC 2630
807 -- Version 4 = RFC 3369
808 -- Version 5 = RFC 3852

810 CONTENT-TYPE ::= CLASS {
811   &id OBJECT IDENTIFIER UNIQUE,
812   &Type OPTIONAL
813 } WITH SYNTAX {
814   [TYPE &Type] IDENTIFIED BY &id
815 }

817 ContentType ::= CONTENT-TYPE.&id

819 ContentInfo ::= SEQUENCE {
820   contentType CONTENT-TYPE.
821     &id({ContentSet}),
822   content [0] EXPLICIT CONTENT-TYPE.
823     &Type({ContentSet}{@contentType})}

825 ContentSet CONTENT-TYPE ::= {
826   -- Define the set of content types to be recognized.
827   ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
828   ct-AuthenticatedData | ct-DigestedData, ... }

830 SignedData ::= SEQUENCE {
831   version CMSVersion,
832   digestAlgorithms SET OF DigestAlgorithmIdentifier,
833   encapContentInfo EncapsulatedContentInfo,
834   certificates [0] IMPLICIT CertificateSet OPTIONAL,
835   crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
836   signerInfos SignerInfos }

838 SignerInfos ::= SET OF SignerInfo

840 EncapsulatedContentInfo ::= SEQUENCE {
841   eContentType CONTENT-TYPE.&id({ContentSet}),
842   eContent [0] EXPLICIT OCTET STRING
843     ( CONTAINING CONTENT-TYPE.
844       &Type({ContentSet}{@eContentType})) OPTIONAL }

846 SignerInfo ::= SEQUENCE {
847   version CMSVersion,
848   sid SignerIdentifier,
849   digestAlgorithm DigestAlgorithmIdentifier,
850   signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
851   signatureAlgorithm SignatureAlgorithmIdentifier,
852   signature SignatureValue,
853   unsignedAttrs [1] IMPLICIT Attributes
854     {{UnsignedAttributes}} OPTIONAL }

856 SignedAttributes ::= Attributes {{ SignedAttributesSet }}

858 SignerIdentifier ::= CHOICE {
859   issuerAndSerialNumber IssuerAndSerialNumber,
860   ...,
861   [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

863 SignedAttributesSet ATTRIBUTE ::=
864   { aa-signingTime | aa-messageDigest | aa-contentType, ... }

866 UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

868 SignatureValue ::= OCTET STRING

870 EnvelopedData ::= SEQUENCE {
871   version CMSVersion,
872   originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
873   recipientInfos RecipientInfos,
874   encryptedContentInfo EncryptedContentInfo,
875   ...,
876   [[2: unprotectedAttrs [1] IMPLICIT Attributes
877     {{ UnprotectedEnvAttributes }} OPTIONAL ]] }

879 OriginatorInfo ::= SEQUENCE {
880   certs [0] IMPLICIT CertificateSet OPTIONAL,
881   crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

883 RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

885 EncryptedContentInfo ::=
886   EncryptedContentInfoType { ContentEncryptionAlgorithmIdentifier }

888 EncryptedContentInfoType { AlgorithmIdentifierType } ::= SEQUENCE {
889   contentType CONTENT-TYPE.&id({ContentSet}),
890   contentEncryptionAlgorithm AlgorithmIdentifierType,
891   encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }

893 -- If you want to do constraints, you might use:
894 -- EncryptedContentInfo ::= SEQUENCE {
895 --   contentType CONTENT-TYPE.&id({ContentSet}),
896 --   contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
897 --   encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
898     --      &Type({ContentSet}{@contentType}) OPTIONAL }
899     -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
900     --        { ToBeEncrypted } )

902     UnprotectedEnvAttributes ATTRIBUTE ::= { ... }
903     UnprotectedEncAttributes ATTRIBUTE ::= { ... }

905     RecipientInfo ::= CHOICE {
906         ktri           KeyTransRecipientInfo,
907         ...,
908         [[3: kari  [1] KeyAgreeRecipientInfo ]],
909         [[4: kekri [2] KEKRecipientInfo]],
910         [[5: pwri  [3] PasswordRecipientInfo,
911              ori   [4] OtherRecipientInfo ]] }

913     EncryptedKey ::= OCTET STRING

915     KeyTransRecipientInfo ::= SEQUENCE {
916         version                CMSVersion,  -- always set to 0 or 2
917         rid                    RecipientIdentifier,
918         keyEncryptionAlgorithm AlgorithmIdentifier
919             {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
920         encryptedKey           EncryptedKey }

922     KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

924     RecipientIdentifier ::= CHOICE {
925         issuerAndSerialNumber IssuerAndSerialNumber,
926         ...,
927         [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
928     KeyAgreeRecipientInfo ::= SEQUENCE {
929         version                CMSVersion,  -- always set to 3
930         originator             [0] EXPLICIT OriginatorIdentifierOrKey,
931         ukm                    [1] EXPLICIT UserKeyingMaterial OPTIONAL,
932         keyEncryptionAlgorithm AlgorithmIdentifier
933             {KEY-AGREE, {KeyAgreementAlgorithmSet}},
934         recipientEncryptedKeys RecipientEncryptedKeys }

936     KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

938     OriginatorIdentifierOrKey ::= CHOICE {
939         issuerAndSerialNumber IssuerAndSerialNumber,
940         subjectKeyIdentifier  [0] SubjectKeyIdentifier,
941         originatorKey         [1] OriginatorPublicKey }

943     OriginatorPublicKey ::= SEQUENCE {
944         algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
945         publicKey BIT STRING }

947     OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }

949     RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

951     RecipientEncryptedKey ::= SEQUENCE {
952         rid          KeyAgreeRecipientIdentifier,
953         encryptedKey EncryptedKey }

955     KeyAgreeRecipientIdentifier ::= CHOICE {
956         issuerAndSerialNumber IssuerAndSerialNumber,
957         rKeyId                [0] IMPLICIT RecipientKeyIdentifier }

959     RecipientKeyIdentifier ::= SEQUENCE {
960         subjectKeyIdentifier SubjectKeyIdentifier,
961         date                 GeneralizedTime OPTIONAL,
962         other                OtherKeyAttribute OPTIONAL }

964     SubjectKeyIdentifier ::= OCTET STRING

966     KEKRecipientInfo ::= SEQUENCE {
967         version                CMSVersion,  -- always set to 4
968         kekid                  KEKIdentifier,
969         keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
970         encryptedKey           EncryptedKey }

972     KEKIdentifier ::= SEQUENCE {
973         keyIdentifier OCTET STRING,
974         date          GeneralizedTime OPTIONAL,
975         other         OtherKeyAttribute OPTIONAL }
976     PasswordRecipientInfo ::= SEQUENCE {
977         version                CMSVersion,   -- always set to 0
978         keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
979             OPTIONAL,
980         keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
981         encryptedKey           EncryptedKey }

983     OTHER-RECIPIENT ::= TYPE-IDENTIFIER

985     OtherRecipientInfo ::= SEQUENCE {
986         oriType    OTHER-RECIPIENT.
987                 &id({SupportedOtherRecipInfo}),
988         oriValue   OTHER-RECIPIENT.
989                 &Type({SupportedOtherRecipInfo}{@oriType})}

991     SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

993     DigestedData ::= SEQUENCE {
994         version          CMSVersion,
995         digestAlgorithm  DigestAlgorithmIdentifier,
996         encapContentInfo EncapsulatedContentInfo,
997         digest           Digest, ... }

999     Digest ::= OCTET STRING

1001    EncryptedData ::= SEQUENCE {
1002        version              CMSVersion,
1003        encryptedContentInfo EncryptedContentInfo,
1004        ...,
1005        [[2: unprotectedAttrs [1] IMPLICIT Attributes
1006            {{UnprotectedEncAttributes}} OPTIONAL ]] }

1008    AuthenticatedData ::= SEQUENCE {
1009        version          CMSVersion,
1010        originatorInfo   [0] IMPLICIT OriginatorInfo OPTIONAL,
1011        recipientInfos   RecipientInfos,
1012        macAlgorithm     MessageAuthenticationCodeAlgorithm,
1013        digestAlgorithm  [1] DigestAlgorithmIdentifier OPTIONAL,
1014        encapContentInfo EncapsulatedContentInfo,
1015        authAttrs        [2] IMPLICIT AuthAttributes OPTIONAL,
1016        mac              MessageAuthenticationCode,
1017        unauthAttrs      [3] IMPLICIT UnauthAttributes OPTIONAL }

1019    AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
1020        {{AuthAttributeSet}}

1022    AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
1023                                     | aa-signingTime, ...}
1024    MessageAuthenticationCode ::= OCTET STRING

1026    UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1027        {{UnauthAttributeSet}}

1029    UnauthAttributeSet ATTRIBUTE ::= {...}

1031    --
1032    --  General algorithm definitions
1033    --

1035    DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1036        {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

1038    DigestAlgorithmSet DIGEST-ALGORITHM ::= {
1039        CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }

1041    SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
1042        {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}

1044    SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
1045        { SignatureAlgs, ... }

1047    KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1048        {KEY-WRAP, {KeyEncryptionAlgorithmSet}}

1050    KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }

1052    ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1053        {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}

1055    ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
1056        { ContentEncryptionAlgs, ... }

1058    MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
1059        {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}

1061    MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
1062        { MessageAuthAlgs, ... }

1064    KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
1065        {KEY-DERIVATION, {KeyDerivationAlgs, ...}}

1067    RevocationInfoChoices ::= SET OF RevocationInfoChoice

1069    RevocationInfoChoice ::= CHOICE {
1070        crl CertificateList,
1071        ...,
1072        [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1074    OTHER-REVOK-INFO ::= TYPE-IDENTIFIER

1076    OtherRevocationInfoFormat ::= SEQUENCE {
1077        otherRevInfoFormat    OTHER-REVOK-INFO.
1078                &id({SupportedOtherRevokInfo}),
1079        otherRevInfo          OTHER-REVOK-INFO.
1080                &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}

1082    SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }

1084    CertificateChoices ::= CHOICE {
1085        certificate         Certificate,
1086        extendedCertificate [0] IMPLICIT ExtendedCertificate,
1087             -- Obsolete
1088        ...,
1089        [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
1090             -- Obsolete
1091        [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
1092        [[5: other      [3] IMPLICIT OtherCertificateFormat]] }

1094    AttributeCertificateV2 ::= AttributeCertificate

1096    OTHER-CERT-FMT ::= TYPE-IDENTIFIER

1098    OtherCertificateFormat ::= SEQUENCE {
1099        otherCertFormat OTHER-CERT-FMT.
1100                &id({SupportedCertFormats}),
1101        otherCert       OTHER-CERT-FMT.
1102                &Type({SupportedCertFormats}{@otherCertFormat})}

1104    SupportedCertFormats OTHER-CERT-FMT ::= { ... }

1106    CertificateSet ::= SET OF CertificateChoices

1108    IssuerAndSerialNumber ::= SEQUENCE {
1109        issuer       Name,
1110        serialNumber CertificateSerialNumber }

1112    CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

1114    UserKeyingMaterial ::= OCTET STRING

1116    KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
1117    OtherKeyAttribute ::= SEQUENCE {
1118        keyAttrId  KEY-ATTRIBUTE.
1119                &id({SupportedKeyAttributes}),
1120        keyAttr    KEY-ATTRIBUTE.
1121                &Type({SupportedKeyAttributes}{@keyAttrId})}

1123    SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }

1125    -- Content Type Object Identifiers

1127    id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1128        us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

1130    ct-Data CONTENT-TYPE ::= {IDENTIFIED BY id-data }

1132    id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1133        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

1135    ct-SignedData CONTENT-TYPE ::=
1136        { TYPE SignedData IDENTIFIED BY id-signedData}

1138    id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1139        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

1141    ct-EnvelopedData CONTENT-TYPE ::=
1142        { TYPE EnvelopedData IDENTIFIED BY id-envelopedData}

1144    id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1145        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

1147    ct-DigestedData CONTENT-TYPE ::=
1148        { TYPE DigestedData IDENTIFIED BY id-digestedData}

1150    id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1151        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

1153    ct-EncryptedData CONTENT-TYPE ::=
1154        { TYPE EncryptedData IDENTIFIED BY id-encryptedData}

1156    id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1157        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

1159    ct-AuthenticatedData CONTENT-TYPE ::=
1160        { TYPE AuthenticatedData IDENTIFIED BY id-ct-authData}

1162    id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1163        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

1165    --
1166    -- The CMS Attributes
1167    --

1169    MessageDigest ::= OCTET STRING

1171    SigningTime ::= Time

1173    Time ::= CHOICE {
1174        utcTime     UTCTime,
1175        generalTime GeneralizedTime }

1177    Countersignature ::= SignerInfo

1179    -- Attribute Object Identifiers

1181    aa-contentType ATTRIBUTE ::=
1182        { TYPE ContentType IDENTIFIED BY id-contentType }
1183    id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1184        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

1186    aa-messageDigest ATTRIBUTE ::=
1187        { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
1188    id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1189        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

1191    aa-signingTime ATTRIBUTE ::=
1192        { TYPE SigningTime IDENTIFIED BY id-signingTime }
1193    id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1194        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

1196    aa-countersignature ATTRIBUTE ::=
1197        { TYPE Countersignature IDENTIFIED BY id-countersignature }
1198    id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1199        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

1201    --
1202    -- Obsolete Extended Certificate syntax from PKCS#6
1203    --

1205    ExtendedCertificateOrCertificate ::= CHOICE {
1206        certificate         Certificate,
1207        extendedCertificate [0] IMPLICIT ExtendedCertificate }

1209    ExtendedCertificate ::= SEQUENCE {
1210        extendedCertificateInfo ExtendedCertificateInfo,
1211        signatureAlgorithm      SignatureAlgorithmIdentifier,
1212        signature               Signature }

1214    ExtendedCertificateInfo ::= SEQUENCE {
1215        version     CMSVersion,
1216        certificate Certificate,
1217        attributes  UnauthAttributes }

1219    Signature ::= BIT STRING

1221    Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
1222        attrType    ATTRIBUTE.
1223                &id({AttrList}),
1224        attrValues  SET OF ATTRIBUTE.
1225                &Type({AttrList}{@attrType}) }

1227    Attributes { ATTRIBUTE:AttrList } ::=
1228        SET SIZE (1..MAX) OF Attribute {{ AttrList }}

1230    END

1232 10.  ASN.1 Module RFC 5752

1234    We have updated the ASN.1 module associated with this document to be
1235    2008 compliant and to use the set of classes previously defined in
1236    [RFC5911].

1238    MultipleSignatures-2009
1239        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1240          smime(16) modules(0) TBD9 }
1241    DEFINITIONS IMPLICIT TAGS ::=
1242    BEGIN
1243    -- EXPORTS All
1244    -- The types and values defined in this module are exported for use
1245    -- in the other ASN.1 modules.  Other applications may use them for
1246    -- their own purposes.

1248    IMPORTS

1250    -- Imports from PKIX-Common-Types-2009 [RFC5912]

1252    ATTRIBUTE
1253        FROM PKIX-CommonTypes-2009
1254            { iso(1) identified-organization(3) dod(6) internet(1)
1255              security(5) mechanisms(5) pkix(7) id-mod(0)
1256              id-mod-pkixCommon-02(57) }

1258    -- Imports from CryptographicMessageSyntax-2009 [RFC5911]

1260    DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier
1261        FROM CryptographicMessageSyntax-2009
1262            { iso(1) member-body(2) us(840) rsadsi(113549)
1263              pkcs(1) pkcs-9(9) smime(16) modules(0) TBD1 }

1265    -- Imports from ExtendedSecurityServices-2009 [RFC5911]

1267    ESSCertIDv2
1268        FROM ExtendedSecurityServices-2009
1269            { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1270              smime(16) modules(0) id-mod-ess-2006-02(42) }
1271    ;

1273    --
1274    -- Section 3.0
1275    --
1276    -- at-multipleSignatures should be added ONLY to the
1277    -- SignedAttributesSet defined in [RFC5652]
1278    --
1279    at-multipleSignatures ATTRIBUTE ::= {
1280        TYPE MultipleSignatures
1281        IDENTIFIED BY id-aa-multipleSignatures
1282    }

1284    id-aa-multipleSignatures OBJECT IDENTIFIER ::= {
1285        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1286        id-aa(2) 51 }

1288    MultipleSignatures ::= SEQUENCE {
1289        bodyHashAlg   DigestAlgorithmIdentifier,
1290        signAlg       SignatureAlgorithmIdentifier,
1291        signAttrsHash SignAttrsHash,
1292        cert          ESSCertIDv2 OPTIONAL
1293    }

1295    SignAttrsHash ::= SEQUENCE {
1296        algID DigestAlgorithmIdentifier,
1297        hash  OCTET STRING
1298    }

1300    END

1302 11.  Module Identifiers in ASN.1

1304    One potential issue that can occur when updating modules is the fact
1305    that a large number of modules may need to be updated if they import
1306    from a newly updated module.  This section addresses one method that
1307    can be used to deal with this problem, but the modules in this
1308    document don't currently implement the solution discussed here.

1310    When looking at an import statement, there are three portions: the
1311    list of items imported, a textual name for the module, and an object
1312    identifier for the module.  Full implementations of ASN.1 do module
1313    matching using first the object identifier and, if that is not present,
1314    the textual name of the module.  Note, however, that some older
1315    implementations used the textual name of the module for the purposes
1316    of matching.  In a full implementation the name assigned to the
1317    module is scoped to the ASN.1 module that it appears in (and thus
1318    needs to match the module it is importing from).

1320    One can create a module that contains only the module number
1321    assignments and import the module assignments from the new module.
1322    This means that when a module is replaced, one can replace the
1323    previous module, update the module number assignment module and
1324    recompile without having to modify any other modules.

1326    A sample module assignment module would be:

1328    ModuleNumbers
1329    DEFINITIONS TAGS ::=
1330    BEGIN
1331        id-mod-CMS ::= { iso(1) member-body(2) us(840) rsadsi(113549)
1332            pkcs(1) pkcs-9(9) smime(16) modules(0) TBD }

1334        id-mod-AlgInfo ::=
1335            {iso(1) identified-organization(3) dod(6) internet(1)
1336             security(5) mechanisms(5) pkix(7) id-mod(0)
1337             id-mod-algorithmInformation-02(58)}
1338    END

1340    This would be used in the following import statement:

1342    IMPORTS
1343        id-mod-CMS, id-mod-AlgInfo
1344        FROM ModuleNumbers -- Note it will match on the name since no
1345                           -- OID is provided

1347        CMSVersion, EncapsulatedContentInfo, CONTENT-TYPE
1348        FROM CryptographicMessageSyntax-2009
1349            id-mod-CMS

1351        AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
1352        FROM AlgorithmInformation-2009 id-mod-AlgInfo
1353    ;

1355 12.  Security Considerations

1357    This document itself does not have any security considerations.  The
1358    ASN.1 modules keep the same bits-on-the-wire as the modules that they
1359    replace.

1361 13.  IANA Considerations

1363    None.

1365 14.  Normative References

1367    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1368               Requirement Levels", BCP 14, RFC 2119, March 1997.

1370    [RFC3274]  Gutmann, P., "Compressed Data Content Type for
1371               Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.

1373    [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
1374               Addresses and AS Identifiers", RFC 3779, June 2004.

1376    [RFC4049]  Housley, R., "BinaryTime: An Alternate Format for
1377               Representing Date and Time in ASN.1", RFC 4049,
1378               April 2005.

1380    [RFC4073]  Housley, R., "Protecting Multiple Contents with the
1381               Cryptographic Message Syntax (CMS)", RFC 4073, May 2005.

1383    [RFC4231]  Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
1384               224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
1385               RFC 4231, December 2005.

1387    [RFC4334]  Housley, R. and T. Moore, "Certificate Extensions and
1388               Attributes Supporting Authentication in Point-to-Point
1389               Protocol (PPP) and Wireless Local Area Networks (WLAN)",
1390               RFC 4334, February 2006.

1392    [RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS)
1393               Authenticated-Enveloped-Data Content Type", RFC 5083,
1394               November 2007.

1396    [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
1397               RFC 5652, September 2009.

1399    [RFC5752]  Turner, S. and J. Schaad, "Multiple Signatures in
1400               Cryptographic Message Syntax (CMS)", RFC 5752,
1401               January 2010.

1403    [RFC5911]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for
1404               Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
1405               June 2010.

1407    [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
1408               Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
1409               June 2010.

1411    [ASN1-2008]
1412               ITU-T, "ITU-T Recommendations X.680, X.681, X.682, and
1413               X.683", 2008.

1415 Authors' Addresses

1417    Jim Schaad
1418    Soaring Hawk Consulting

1420    Email: jimsch@augustcellars.com

1422    Sean Turner
1423    IECA, Inc.
1424    3057 Nutley Street, Suite 106
1425    Fairfax, VA 22031

1427    Email: turners@ieca.com
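
Added example (not part of the draft or of any CMS implementation): the ContentInfo definition in the CMS module ties the type carried in content [0] to the contentType OID through ContentSet, and the set is extensible. The Python decoder below applies that table constraint to DER input, using the content-type OIDs from the module; the function names and the sample bytes are constructed for illustration, and the Data-to-OCTET STRING mapping is an assumption taken from RFC 5652 because ct-Data carries no TYPE here.

```python
# OIDs are the content-type identifiers from the module. Data -> OCTET STRING
# (tag 0x04) is taken from RFC 5652; every other member is a SEQUENCE (0x30).
CONTENT_SET = {
    "1.2.840.113549.1.7.1": ("Data", 0x04),
    "1.2.840.113549.1.7.2": ("SignedData", 0x30),
    "1.2.840.113549.1.7.3": ("EnvelopedData", 0x30),
    "1.2.840.113549.1.7.5": ("DigestedData", 0x30),
    "1.2.840.113549.1.7.6": ("EncryptedData", 0x30),
    "1.2.840.113549.1.9.16.1.2": ("AuthenticatedData", 0x30),
}

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos), definite lengths only
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or unsupported high tag number")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OBJECT IDENTIFIER contents -> dotted-decimal text
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_content_info(der):  # -> (oid, type name or None, content bytes)
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("ContentInfo must be exactly one SEQUENCE")
    oid_tag, oid_bytes, pos = read_tlv(body)
    wrap_tag, wrapped, pos = read_tlv(body, pos)
    if (oid_tag, wrap_tag) != (0x06, 0xA0) or pos != len(body):
        raise ValueError("expected OBJECT IDENTIFIER, then a final [0] EXPLICIT")
    inner_tag, inner, inner_end = read_tlv(wrapped)
    if inner_end != len(wrapped):
        raise ValueError("trailing bytes inside [0]")
    oid = decode_oid(oid_bytes)
    if oid not in CONTENT_SET:          # extension marker "...": keep it opaque
        return oid, None, wrapped
    name, expected_tag = CONTENT_SET[oid]
    if inner_tag != expected_tag:       # {@contentType} relation violated
        raise ValueError(f"{name} content carries tag 0x{inner_tag:02x}")
    return oid, name, inner

# Constructed sample: ContentInfo { id-data, [0] EXPLICIT OCTET STRING "hi" }
SAMPLE = bytes.fromhex("301106092a864886f70d010701a00404026869")
```

An OID outside ContentSet is returned with a type name of None and its content left undecoded, so the caller decides whether to reject it or hand it to a handler registered for that extension.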