idnits 2.17.00 (12 Aug 2021)

/tmp/idnits20588/draft-turner-additional-new-asn-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008. The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs. If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer.
     Otherwise, the disclaimer is needed and you can ignore this comment.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (November 9, 2010) is 4210 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC3851' is mentioned on line 187, but not defined

  ** Obsolete undefined reference: RFC 3851 (Obsoleted by RFC 5751)

  == Missing Reference: 'RFC5280' is mentioned on line 283, but not defined

  -- Looks like a reference, but probably isn't: '0' on line 1208

  -- Looks like a reference, but probably isn't: '1' on line 1089

  -- Looks like a reference, but probably isn't: '2' on line 1091

  -- Looks like a reference, but probably isn't: '3' on line 1092

  -- Looks like a reference, but probably isn't: '4' on line 910

  ** Downref: Normative reference to an Informational RFC: RFC 5911

  ** Downref: Normative reference to an Informational RFC: RFC 5912

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ASN1-2008'

     Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     Network Working Group                                          J. Schaad
3     Internet-Draft                                   Soaring Hawk Consulting
4     Intended status: Standards Track                               S. Turner
5     Expires: May 13, 2011                                         IECA, Inc.
6                                                             November 9, 2010

8                           Additional New ASN.1 Modules
9                        draft-turner-additional-new-asn-03

11    Abstract

13       The Cryptographic Message Syntax (CMS) format, and many associated
14       formats, are expressed using ASN.1. The current ASN.1 modules
15       conform to the 1988 version of ASN.1. This document updates some
16       auxiliary ASN.1 modules to conform to the 2008 version of ASN.1.
17       There are no bits-on-the-wire changes to any of the formats; this is
18       simply a change to the syntax.

20    Status of this Memo

22       This Internet-Draft is submitted in full conformance with the
23       provisions of BCP 78 and BCP 79.

25       Internet-Drafts are working documents of the Internet Engineering
26       Task Force (IETF). Note that other groups may also distribute
27       working documents as Internet-Drafts. The list of current Internet-
28       Drafts is at http://datatracker.ietf.org/drafts/current/.

30       Internet-Drafts are draft documents valid for a maximum of six months
31       and may be updated, replaced, or obsoleted by other documents at any
32       time. It is inappropriate to use Internet-Drafts as reference
33       material or to cite them other than as "work in progress."

35       This Internet-Draft will expire on May 13, 2011.

37    Copyright Notice

39       Copyright (c) 2010 IETF Trust and the persons identified as the
40       document authors. All rights reserved.

42       This document is subject to BCP 78 and the IETF Trust's Legal
43       Provisions Relating to IETF Documents
44       (http://trustee.ietf.org/license-info) in effect on the date of
45       publication of this document. Please review these documents
46       carefully, as they describe your rights and restrictions with respect
47       to this document. Code Components extracted from this document must
48       include Simplified BSD License text as described in Section 4.e of
49       the Trust Legal Provisions and are provided without warranty as
50       described in the Simplified BSD License.

52       This document may contain material from IETF Documents or IETF
53       Contributions published or made publicly available before November
54       10, 2008. The person(s) controlling the copyright in some of this
55       material may not have granted the IETF Trust the right to allow
56       modifications of such material outside the IETF Standards Process.
57       Without obtaining an adequate license from the person(s) controlling
58       the copyright in such materials, this document may not be modified
59       outside the IETF Standards Process, and derivative works of it may
60       not be created outside the IETF Standards Process, except to format
61       it for publication as an RFC or to translate it into languages other
62       than English.

64    Table of Contents

66       1.  Introduction
67         1.1.  ASN.1 Updates (2002 to 2008)
68         1.2.  Requirements Terminology
69       2.  ASN.1 Module RFC 3274
70       3.  ASN.1 Module RFC 3779
71       4.  ASN.1 Module RFC 6019
72       5.  ASN.1 Module RFC 4073
73       6.  ASN.1 Module RFC 4231
74       7.  ASN.1 Module RFC 4334
75       8.  ASN.1 Module RFC 5083
76       9.  ASN.1 Module RFC 5652
77       10. ASN.1 Module RFC 5752
78       11. Module Identifiers in ASN.1
79       12. Security Considerations
80       13. IANA Considerations
81       14. Normative References
82       Authors' Addresses

84    1.  Introduction

86       Some developers would like the IETF to use the latest version of
87       ASN.1 in its standards. Most of the RFCs that relate to security
88       protocols still use ASN.1 from the 1988 standard, which has been
89       deprecated. This is particularly true for the standards that relate
90       to PKIX, CMS, and S/MIME.

92       In this document we have either changed the syntax to use the 2008
93       ASN.1 standard, or done some updates from previous conversions:

95          RFC 3274, Compressed Data Content Type for Cryptographic Message
96          Syntax (CMS) [RFC3274].

98          RFC 3779, X.509 Extensions for IP Addresses and AS Identifiers
99          [RFC3779].

101         RFC 6019, BinaryTime: An Alternate Format for Representing Date
102         and Time in ASN.1 [RFC6019].

104         RFC 4073, Protecting Multiple Contents with the Cryptographic
105         Message Syntax (CMS) [RFC4073].

107         RFC 4231, Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-
108         256, HMAC-SHA-384, and HMAC-SHA-512 [RFC4231].

110         RFC 4334, Certificate Extensions and Attributes Supporting
111         Authentication in Point-to-Point Protocol (PPP) and Wireless Local
112         Area Networks (WLAN) [RFC4334].

114         RFC 5083, Cryptographic Message Syntax (CMS) Authenticated-
115         Enveloped-Data Content Type [RFC5083].

117         RFC 5652, Cryptographic Message Syntax (CMS) [RFC5652].

119         RFC 5752, Multiple Signatures in Cryptographic Message Syntax
120         (CMS) [RFC5752].

122      Note that some of the modules in this document get some of their
123      definitions from places different than the modules in the original
124      RFCs. The idea is that these modules, when combined with the modules
125      in [RFC5912] and [RFC5911], can stand on their own and do not need to
126      import definitions from anywhere else.

128   1.1.  ASN.1 Updates (2002 to 2008)

130      The modules defined in this document are compatible with the most
131      current ASN.1 specification published in 2008 (see [ASN1-2008]). The
132      changes between the 2002 specification and the 2008 specification
133      include the creation of some additional pre-defined types (DATE,
134      DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE-OID-IRI, TIME,
135      TIME-OF-DAY) and the ability to define different encoding rules
136      (ENCODING-CONTROL, INSTRUCTIONS). None of the newly defined tokens
137      are currently used in any of the ASN.1 specifications published here.

139   1.2.  Requirements Terminology

141      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
142      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
143      document are to be interpreted as described in [RFC2119].

145   2.  ASN.1 Module RFC 3274

147      We have updated the ASN.1 module associated with this document to be
148      2008 compliant and to use the set of classes previously defined in
149      [RFC5911].

151      CompressedDataContent
152        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
153          smime(16) modules(0) TBD4 }

155      DEFINITIONS IMPLICIT TAGS ::=
156      BEGIN

158      IMPORTS
159        CMSVersion, EncapsulatedContentInfo,
160        CONTENT-TYPE
161        FROM CryptographicMessageSyntax-2009
162          { iso(1) member-body(2) us(840) rsadsi(113549)
163            pkcs(1) pkcs-9(9) smime(16) modules(0) TBD1 }

165        AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
166        FROM AlgorithmInformation-2009
167          {iso(1) identified-organization(3) dod(6) internet(1) security(5)
168          mechanisms(5) pkix(7) id-mod(0)
169          id-mod-algorithmInformation-02(58)}
170        ;

172      --
173      -- ContentTypes contains the set of content types that are
174      -- defined in this module.
175      --
176      -- The contents of ContentTypes should be added to
177      -- ContentSet defined in [RFC5652]
178      --

180      ContentTypes CONTENT-TYPE ::= {ct-compressedData}

182      --
183      -- SMimeCaps contains the set of S/MIME capabilities that
184      -- are associated with the algorithms defined in this
185      -- document.
186      --
187      -- SMimeCaps are added to SMimeCapsSet defined in [RFC3851].
188      --

190      SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps}

192      --
193      -- Define the compressed data content type
194      --

196      ct-compressedData CONTENT-TYPE ::= {
197          TYPE CompressedData IDENTIFIED BY id-ct-compressedData
198      }

200      CompressedData ::= SEQUENCE {
201          version CMSVersion (v0), -- Always set to 0
202          compressionAlgorithm CompressionAlgorithmIdentifier,
203          encapContentInfo EncapsulatedContentInfo
204      }

206      CompressionAlgorithmIdentifier ::=
207          AlgorithmIdentifier{COMPRESS-ALGORITHM, {CompressAlgorithmSet}}

209      CompressAlgorithmSet COMPRESS-ALGORITHM ::= {
210          cpa-zlibCompress, ...
211      }

213      -- Algorithm Identifiers

215      id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2)
216          us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 }

218      cpa-zlibCompress COMPRESS-ALGORITHM ::= {
219          IDENTIFIER id-alg-zlibCompress
220          PARAMS TYPE NULL ARE preferredAbsent
221          SMIME-CAPS {IDENTIFIED BY id-alg-zlibCompress}
222      }

224      -- Content Type Object Identifiers

226      id-ct-compressedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
227          us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 9 }

229      --
230      -- Class defined for compression algorithms
231      --

233      COMPRESS-ALGORITHM ::= CLASS {
234          &id                OBJECT IDENTIFIER UNIQUE,
235          &Params            OPTIONAL,
236          &paramPresence     ParamOptions DEFAULT absent,
237          &smimeCaps         SMIME-CAPS OPTIONAL
238      }
239      WITH SYNTAX {
240          IDENTIFIER &id

242          [PARAMS [TYPE &Params] ARE &paramPresence]
243          [SMIME-CAPS &smimeCaps]
244      }

246      END

248   3.  ASN.1 Module RFC 3779

250      We have updated the ASN.1 module associated with RFC 3779 to be ASN.1
251      2008 compliant and to use the set of classes previously defined in
252      [RFC5912].

254      IPAddrAndASCertExtn { iso(1) identified-organization(3) dod(6)
255          internet(1) security(5) mechanisms(5) pkix(7) mod(0)
256          TBD6 }
257      DEFINITIONS EXPLICIT TAGS ::=
258      BEGIN
259      EXPORTS ALL;

261      IMPORTS

263        -- PKIX specific OIDs and arcs --
264        id-pe
265        FROM PKIX1Explicit-2009
266          { iso(1) identified-organization(3) dod(6) internet(1)
267            security(5) mechanisms(5) pkix(7) id-mod(0)
268            id-mod-pkix1-explicit-02(51)}

270        EXTENSION
271        FROM PKIX-CommonTypes-2009
272          { iso(1) identified-organization(3) dod(6) internet(1)
273            security(5) mechanisms(5) pkix(7) id-mod(0)
274            id-mod-pkixCommon-02(57)}
275        ;

277      --
278      -- Extensions contains the set of extensions defined in this
279      -- module
280      --
281      -- These are intended to be placed in public key certificates
282      -- and thus should be added to the CertExtensions extension
283      -- set in PKIXImplicit-2009 defined for [RFC5280]
284      --

286      Extensions EXTENSION ::= {
287          ext-pe-ipAddrBlocks | ext-pe-autonomousSysIds
288      }

290      -- IP Address Delegation Extension OID --

292      ext-pe-ipAddrBlocks EXTENSION ::= {
293          SYNTAX IPAddrBlocks
294          IDENTIFIED BY id-pe-ipAddrBlocks
295      }
296      id-pe-ipAddrBlocks OBJECT IDENTIFIER ::= { id-pe 7 }

298      -- IP Address Delegation Extension Syntax --

300      IPAddrBlocks ::= SEQUENCE OF IPAddressFamily

302      IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI --
303          addressFamily      OCTET STRING (SIZE (2..3)),
304          ipAddressChoice    IPAddressChoice }

306      IPAddressChoice ::= CHOICE {
307          inherit            NULL, -- inherit from issuer --
308          addressesOrRanges  SEQUENCE OF IPAddressOrRange }

310      IPAddressOrRange ::= CHOICE {
311          addressPrefix      IPAddress,
312          addressRange       IPAddressRange }

314      IPAddressRange ::= SEQUENCE {
315          min                IPAddress,
316          max                IPAddress }

318      IPAddress ::= BIT STRING

320      -- Autonomous System Identifier Delegation Extension OID --

322      ext-pe-autonomousSysIds EXTENSION ::= {
323          SYNTAX ASIdentifiers
324          IDENTIFIED BY id-pe-autonomousSysIds
325      }

327      id-pe-autonomousSysIds OBJECT IDENTIFIER ::= { id-pe 8 }

329      -- Autonomous System Identifier Delegation Extension Syntax --

331      ASIdentifiers ::= SEQUENCE {
332          asnum              [0] ASIdentifierChoice OPTIONAL,
333          rdi                [1] ASIdentifierChoice OPTIONAL }
334          (WITH COMPONENTS {..., asnum PRESENT} |
335           WITH COMPONENTS {..., rdi PRESENT})

337      ASIdentifierChoice ::= CHOICE {
338          inherit            NULL, -- inherit from issuer --
339          asIdsOrRanges      SEQUENCE OF ASIdOrRange }

341      ASIdOrRange ::= CHOICE {
342          id                 ASId,
343          range              ASRange }

345      ASRange ::= SEQUENCE {
346          min                ASId,
347          max                ASId }

349      ASId ::= INTEGER

351      END

353   4.  ASN.1 Module RFC 6019

355      We have updated the ASN.1 module associated with this document to be
356      2008 compliant and to use the set of classes previously defined in
357      [RFC5911].

359      BinarySigningTimeModule-2009
360        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
361          pkcs-9(9) smime(16) modules(0) TBD6 }
362      DEFINITIONS IMPLICIT TAGS ::=
363      BEGIN
364      IMPORTS

366        -- From PKIX-CommonTypes-2009 [RFC5912]

368        ATTRIBUTE
369        FROM PKIX-CommonTypes-2009
370          { iso(1) identified-organization(3) dod(6) internet(1)
371            security(5) mechanisms(5) pkix(7) id-mod(0)
372            id-mod-pkixCommon-02(57) }
373        ;

375      --
376      -- BinaryTime Definition
377      --
378      -- BinaryTime contains the number of seconds since
379      -- midnight Jan 1, 1970 UTC.
380      -- Leap seconds are EXCLUDED from the computation.
381      --

383      BinaryTime ::= INTEGER (0..MAX)

385      --
386      -- Signing Binary Time Attribute
387      --
388      -- The binary signing time should be added to
389      -- SignedAttributeSet and tAuthenticatedAttributeSet
390      -- in CMS [RFC5652] and to AuthEnvDataAttributeSet
391      -- in [RFC5083].
392      --

394      aa-binarySigningTime ATTRIBUTE ::= {
395          TYPE BinarySigningTime
396          IDENTIFIED BY id-aa-binarySigningTime }

398      id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
399          member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
400          smime(16) aa(2) 46 }

402      BinarySigningTime ::= BinaryTime

404      END

406   5.  ASN.1 Module RFC 4073

408      We have updated the ASN.1 module associated with this document to be
409      2008 compliant and to use the set of classes previously defined in
410      [RFC5911].

412      ContentCollectionModule-2009
413        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
414          pkcs-9(9) smime(16) modules(0) TBD7 }
415      DEFINITIONS IMPLICIT TAGS ::=
416      BEGIN
417      IMPORTS

419        -- From CryptographicMessageSyntax-2009 [RFC5911]

421        CONTENT-TYPE, ContentInfo
422        FROM CryptographicMessageSyntax-2009
423          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
424            pkcs-9(9) smime(16) modules(0) TBD1 }

426        AttributeSet{}, ATTRIBUTE
427        FROM PKIX-CommonTypes-2009
428          { iso(1) identified-organization(3) dod(6) internet(1)
429            security(5) mechanisms(5) pkix(7) id-mod(0)
430            id-mod-pkixCommon-02(57) }
431        ;

433      --
434      -- An object set of all content types defined by this module.
435      -- This is to be added to ContentSet in the CMS module
436      --

438      ContentSet CONTENT-TYPE ::= {
439          ct-ContentCollection | ct-ContentWithAttributes, ...
440      }

442      --
443      -- Content Collection Content Type and Object Identifier
444      --

446      ct-ContentCollection CONTENT-TYPE ::= {
447          TYPE ContentCollection IDENTIFIED BY id-ct-contentCollection }

449      id-ct-contentCollection OBJECT IDENTIFIER ::= {
450          iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
451          smime(16) ct(1) 19 }

453      ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
454      --
455      -- Content With Attributes Content Type and Object Identifier
456      --

458      ct-ContentWithAttributes CONTENT-TYPE ::= {
459          TYPE ContentWithAttributes IDENTIFIED BY id-ct-contentWithAttrs }

461      id-ct-contentWithAttrs OBJECT IDENTIFIER ::= {
462          iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
463          smime(16) ct(1) 20 }

465      ContentWithAttributes ::= SEQUENCE {
466          content     ContentInfo,
467          attrs       SEQUENCE SIZE (1..MAX) OF AttributeSet
468                          {{ ContentAttributeSet }}
469      }

471      ContentAttributeSet ATTRIBUTE ::= { ... }
472      END
473   6.  ASN.1 Module RFC 4231

475      RFC 4231 does not contain an ASN.1 module to be updated. We have
476      therefore created an ASN.1 module to represent the ASN.1 that is
477      present in the document. Note that the parameters are defined as
478      expecting a parameter for the algorithm identifiers in this module;
479      this is different from most of the algorithms used in PKIX and
480      S/MIME. There is no concept of being able to truncate the MAC
481      (Message Authentication Code) value in the ASN.1, unlike the XML
482      definitions. This is reflected by not having a minimum MAC length
483      defined in the ASN.1.

485      HMAC -- { TBD } --
486      DEFINITIONS EXPLICIT TAGS ::=
487      BEGIN
488      EXPORTS ALL;

490      IMPORTS

492        MAC-ALGORITHM, SMIME-CAPS
493        FROM AlgorithmInformation-2009
494          { iso(1) identified-organization(3) dod(6) internet(1) security(5)
495            mechanisms(5) pkix(7) id-mod(0)
496            id-mod-algorithmInformation-02(58)};

498      --
499      -- This object set contains all of the MAC algorithms that are
500      -- defined in this module.
501      -- One would add it to a constraining set of objects such as the
502      -- MessageAuthenticationCodeAlgorithmSet in [RFC5652]
503      --

505      MessageAuthAlgs MAC-ALGORITHM ::= {
506          maca-hMAC-SHA224 |
507          maca-hMAC-SHA256 |
508          maca-hMAC-SHA384 |
509          maca-hMAC-SHA512
510      }

512      --
513      -- This object set contains all of the S/MIME capabilities that
514      -- have been defined for all the MAC algorithms in this module.
515      -- One would add this to an object set that is used to restrict
516      -- smime capabilities such as the SMimeCapsSet variable in
517      -- the S/MIME message draft
518      --

520      SMimeCaps SMIME-CAPS ::= {
521          maca-hMAC-SHA224.&smimeCaps |
522          maca-hMAC-SHA256.&smimeCaps |
523          maca-hMAC-SHA384.&smimeCaps |
524          maca-hMAC-SHA512.&smimeCaps
525      }

527      --
528      -- Define the base OID for the algorithm identifiers
529      --

531      rsadsi OBJECT IDENTIFIER ::=
532          {iso(1) member-body(2) us(840) rsadsi(113549)}

534      digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}

536      --
537      -- Define the necessary algorithm identifiers
538      --

540      id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8}
541      id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9}
542      id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10}
543      id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11}

545      --
546      -- Define each of the MAC-ALGORITHM objects to describe the
547      -- algorithms defined
548      --

550      maca-hMAC-SHA224 MAC-ALGORITHM ::= {
551          IDENTIFIER id-hmacWithSHA224
552          PARAMS TYPE NULL ARE preferredPresent
553          IS-KEYED-MAC TRUE
554          SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA224}
555      }

557      maca-hMAC-SHA256 MAC-ALGORITHM ::= {
558          IDENTIFIER id-hmacWithSHA256
559          PARAMS TYPE NULL ARE preferredPresent
560          IS-KEYED-MAC TRUE
561          SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA256}
562      }

564      maca-hMAC-SHA384 MAC-ALGORITHM ::= {
565          IDENTIFIER id-hmacWithSHA384
566          PARAMS TYPE NULL ARE preferredPresent
567          IS-KEYED-MAC TRUE
568          SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA384}
569      }

571      maca-hMAC-SHA512 MAC-ALGORITHM ::= {
572          IDENTIFIER id-hmacWithSHA512
573          PARAMS TYPE NULL ARE preferredPresent
574          IS-KEYED-MAC TRUE
575          SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA512}
576      }

578      END

580   7.  ASN.1 Module RFC 4334

582      We have updated the ASN.1 module associated with RFC 4334 to be ASN.1
583      2008 compliant and to use the set of classes previously defined in
584      [RFC5912].

586      WLANCertExtn
587        { iso(1) identified-organization(3) dod(6) internet(1)
588          security(5) mechanisms(5) pkix(7) id-mod(0)
589          TBD8 }

591      DEFINITIONS IMPLICIT TAGS ::=
592      BEGIN
593      EXPORTS ALL;

595      IMPORTS

597        EXTENSION, ATTRIBUTE
598        FROM PKIX-CommonTypes-2009
599          {iso(1) identified-organization(3) dod(6) internet(1) security(5)
600          mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

602        id-pe, id-kp
603        FROM PKIX1Explicit-2009
604          { iso(1) identified-organization(3) dod(6) internet(1) security(5)
605          mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

607        id-aca
608        FROM PKIXAttributeCertificate-2009
609          { iso(1) identified-organization(3) dod(6) internet(1) security(5)
610          mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}

612        ;

614      -- Extended Key Usage Values

616      KeyUsageValues OBJECT IDENTIFIER ::= {
617          id-kp-eapOverPPP | id-kp-eapOverLAN
618      }

620      id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }

622      id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }

624      -- Wireless LAN SSID Extension
625      ext-pe-wlanSSID EXTENSION ::= {
626          SYNTAX SSIDList
627          IDENTIFIED BY id-pe-wlanSSID
628          CRITICALITY {FALSE}
629      }

631      id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 }

633      SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID

635      SSID ::= OCTET STRING (SIZE (1..32))

637      -- Wireless LAN SSID Attribute Certificate Attribute
638      -- Uses same syntax as the certificate extension: SSIDList

640      at-aca-wlanSSID ATTRIBUTE ::= {
641          TYPE SSIDList
642          IDENTIFIED BY id-aca-wlanSSID
643      }

645      id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 7 }

647      END

649   8.  ASN.1 Module RFC 5083

651      This module is updated from RFC 5911 [RFC5911] by the following
652      changes:

654      1.  Define separate attribute sets for the unprotected attributes
655          used in EnvelopedData, EncryptedData and
656          AuthenticatedEnvelopedData (RFC 5083).

658      2.  Define a parameterized type EncryptedContentInfoType so that the
659          basic type can be used with different algorithm sets (used for
660          EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
661          5083)). The parameterized type is assigned to an unparameterized
662          type of EncryptedContentInfo to minimize the output changes from
663          previous versions.

665      Protocol designers can make use of the '08 ASN.1 constraints to define
666      different sets of attributes for EncryptedData and EnvelopedData and
667      for AuthenticatedData and AuthEnvelopedData. Previously, attributes
668      could only be constrained based on whether they were in the clear or
669      unauthenticated, not on the encapsulating content type.

671      CMS-AuthEnvelopedData-2009
672        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
673        smime(16) modules(0) TBD2}
674      DEFINITIONS IMPLICIT TAGS ::=
675      BEGIN
676      IMPORTS

678        CMSVersion, EncryptedContentInfoType{},
679        MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
680        CONTENT-TYPE, Attributes{}, ATTRIBUTE, CONTENT-ENCRYPTION,
681        AlgorithmIdentifier{},
682        aa-signingTime, aa-messageDigest, aa-contentType
683        FROM CryptographicMessageSyntax-2009
684          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
685            smime(16) modules(0) id-mod-cms-2004-02(TBD1)}

687        ContentEncryptionAlgs
688        FROM CMS-AES-CCM-and-AES-GCM-2009
689          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
690            pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
691        ;

693      ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }

695      ct-authEnvelopedData CONTENT-TYPE ::= {
696          TYPE AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData

698      }

700      id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
701          {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
702          smime(16) ct(1) 23}

704      AuthEnvelopedData ::= SEQUENCE {
705          version                   CMSVersion,
706          originatorInfo            [0] IMPLICIT OriginatorInfo OPTIONAL,
707          recipientInfos            RecipientInfos,
708          authEncryptedContentInfo  EncryptedContentInfo,
709          authAttrs                 [1] IMPLICIT AuthAttributes OPTIONAL,
710          mac                       MessageAuthenticationCode,
711          unauthAttrs               [2] IMPLICIT UnauthAttributes OPTIONAL
712      }

714      EncryptedContentInfo ::=
715          EncryptedContentInfoType { AuthContentEncryptionAlgorithmIdentifier }

717      AuthContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
718          {CONTENT-ENCRYPTION, {AuthContentEncryptionAlgorithmSet}}

720      AuthContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= {
721          ContentEncryptionAlgs, ...}

723      AuthAttributes ::= Attributes{{AuthEnvDataAttributeSet}}

725      UnauthAttributes ::= Attributes{{UnauthEnvDataAttributeSet}}

727      AuthEnvDataAttributeSet ATTRIBUTE ::= {
728          aa-contentType | aa-messageDigest | aa-signingTime, ... }

730      UnauthEnvDataAttributeSet ATTRIBUTE ::= {...}

732      END

734   9.  ASN.1 Module RFC 5652

736      This module is updated from RFC 5911 [RFC5911] by the following
737      changes:

739      1.  Define separate attribute sets for the unprotected attributes
740          used in EnvelopedData, EncryptedData and
741          AuthenticatedEnvelopedData (RFC 5083).

743      2.  Define a parameterized type EncryptedContentInfoType so that the
744          basic type can be used with algorithm sets (used for
745          EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
746          5083)). The parameterized type is assigned to an unparameterized
747          type of EncryptedContentInfo to minimize the output changes from
748          previous versions.

750      We are anticipating the definition of attributes that are going to be
751      restricted to the use of only EnvelopedData. We are therefore
752      separating the different attribute sets so that protocol designers
753      that need to do this will be able to define attributes that are used
754      for EnvelopedData but not for EncryptedData. The same separation is
755      also being applied to AuthenticatedData and AuthEnvelopedData.

757      CryptographicMessageSyntax-2009
758        { iso(1) member-body(2) us(840) rsadsi(113549)
759          pkcs(1) pkcs-9(9) smime(16) modules(0) TBD1 }
760      DEFINITIONS IMPLICIT TAGS ::=
761      BEGIN
762      IMPORTS

764        ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
765        PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
766        KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
767        AlgorithmIdentifier{}
768        FROM AlgorithmInformation-2009
769          {iso(1) identified-organization(3) dod(6) internet(1) security(5)
770          mechanisms(5) pkix(7) id-mod(0)
771          id-mod-algorithmInformation-02(58)}

773        SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
774        MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
775        KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
776        FROM CryptographicMessageSyntaxAlgorithms-2009
777          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
778            smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

780        Certificate, CertificateList, CertificateSerialNumber,
781        Name, ATTRIBUTE

783        FROM PKIX1Explicit-2009
784          { iso(1) identified-organization(3) dod(6) internet(1)
785            security(5) mechanisms(5) pkix(7) id-mod(0)
786            id-mod-pkix1-explicit-02(51) }

788        AttributeCertificate
789        FROM PKIXAttributeCertificate-2009
790          { iso(1) identified-organization(3) dod(6) internet(1)
791            security(5) mechanisms(5) pkix(7) id-mod(0)
792            id-mod-attribute-cert-02(47) }

794        AttributeCertificateV1
795        FROM AttributeCertificateVersion1-2009
796          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
797            smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;

799      -- Cryptographic Message Syntax

801      -- The following are used for version numbers using the ASN.1
802      -- idiom "[[n:"
803      -- Version 1 = PKCS #7
804      -- Version 2 = S/MIME V2
805      -- Version 3 = RFC 2630
806      -- Version 4 = RFC 3369
807      -- Version 5 = RFC 3852

809      CONTENT-TYPE ::= CLASS {
810          &id        OBJECT IDENTIFIER UNIQUE,
811          &Type      OPTIONAL
812      } WITH SYNTAX {
813          [TYPE &Type] IDENTIFIED BY &id
814      }

816      ContentType ::= CONTENT-TYPE.&id

818      ContentInfo ::= SEQUENCE {
819          contentType        CONTENT-TYPE.
820                          &id({ContentSet}),
821          content            [0] EXPLICIT CONTENT-TYPE.
822                          &Type({ContentSet}{@contentType})}

824      ContentSet CONTENT-TYPE ::= {
825          -- Define the set of content types to be recognized.
826          ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
827          ct-AuthenticatedData | ct-DigestedData, ... }

829      SignedData ::= SEQUENCE {
830          version CMSVersion,
831          digestAlgorithms SET OF DigestAlgorithmIdentifier,
832          encapContentInfo EncapsulatedContentInfo,
833          certificates [0] IMPLICIT CertificateSet OPTIONAL,
834          crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
835          signerInfos SignerInfos }

837      SignerInfos ::= SET OF SignerInfo

839      EncapsulatedContentInfo ::= SEQUENCE {
840          eContentType       CONTENT-TYPE.&id({ContentSet}),
841          eContent           [0] EXPLICIT OCTET STRING
842                  ( CONTAINING CONTENT-TYPE.
843                      &Type({ContentSet}{@eContentType})) OPTIONAL }

845      SignerInfo ::= SEQUENCE {
846          version CMSVersion,
847          sid SignerIdentifier,
848          digestAlgorithm DigestAlgorithmIdentifier,
849          signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
850          signatureAlgorithm SignatureAlgorithmIdentifier,
851          signature SignatureValue,
852          unsignedAttrs [1] IMPLICIT Attributes
853              {{UnsignedAttributes}} OPTIONAL }

855      SignedAttributes ::= Attributes {{ SignedAttributesSet }}

857      SignerIdentifier ::= CHOICE {
858          issuerAndSerialNumber IssuerAndSerialNumber,
859          ...,
860          [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

862      SignedAttributesSet ATTRIBUTE ::=
863          { aa-signingTime | aa-messageDigest | aa-contentType, ... }

865      UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

867      SignatureValue ::= OCTET STRING

869      EnvelopedData ::= SEQUENCE {
870          version CMSVersion,
871          originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
872          recipientInfos RecipientInfos,
873          encryptedContentInfo EncryptedContentInfo,
874          ...,
875          [[2: unprotectedAttrs [1] IMPLICIT Attributes
876              {{ UnprotectedEnvAttributes }} OPTIONAL ]] }

878      OriginatorInfo ::= SEQUENCE {
879          certs [0] IMPLICIT CertificateSet OPTIONAL,
880          crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

882      RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

884      EncryptedContentInfo ::=
885          EncryptedContentInfoType { ContentEncryptionAlgorithmIdentifier }

887      EncryptedContentInfoType { AlgorithmIdentifierType } ::= SEQUENCE {
888          contentType        CONTENT-TYPE.&id({ContentSet}),
889          contentEncryptionAlgorithm AlgorithmIdentifierType,
890          encryptedContent   [0] IMPLICIT OCTET STRING OPTIONAL }

892      -- If you want to do constraints, you might use:
893      -- EncryptedContentInfo ::= SEQUENCE {
894      --  contentType        CONTENT-TYPE.&id({ContentSet}),
895      --  contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
896      --  encryptedContent   [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
897      --      &Type({ContentSet}{@contentType}) OPTIONAL }
898      -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
899      --        { ToBeEncrypted } )

901      UnprotectedEnvAttributes ATTRIBUTE ::= { ... }
902      UnprotectedEncAttributes ATTRIBUTE ::= { ... }

904      RecipientInfo ::= CHOICE {
905          ktri           KeyTransRecipientInfo,
906          ...,
907          [[3: kari  [1] KeyAgreeRecipientInfo ]],
908          [[4: kekri [2] KEKRecipientInfo]],
909          [[5: pwri  [3] PasswordRecipientInfo,
910               ori   [4] OtherRecipientInfo ]] }

912      EncryptedKey ::= OCTET STRING

914      KeyTransRecipientInfo ::= SEQUENCE {
915          version CMSVersion, -- always set to 0 or 2
916          rid RecipientIdentifier,
917          keyEncryptionAlgorithm AlgorithmIdentifier
918              {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
919          encryptedKey EncryptedKey }

921      KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

923      RecipientIdentifier ::= CHOICE {
924          issuerAndSerialNumber IssuerAndSerialNumber,
925          ...,

927          [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
928      KeyAgreeRecipientInfo ::= SEQUENCE {
929          version CMSVersion, -- always set to 3
930          originator [0] EXPLICIT OriginatorIdentifierOrKey,
931          ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
932          keyEncryptionAlgorithm AlgorithmIdentifier
933              {KEY-AGREE, {KeyAgreementAlgorithmSet}},
934          recipientEncryptedKeys RecipientEncryptedKeys }

936      KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

938      OriginatorIdentifierOrKey ::= CHOICE {
939          issuerAndSerialNumber IssuerAndSerialNumber,
940          subjectKeyIdentifier [0] SubjectKeyIdentifier,
941          originatorKey [1] OriginatorPublicKey }

943      OriginatorPublicKey ::= SEQUENCE {
944          algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
945          publicKey BIT STRING }

947      OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }

949      RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

951      RecipientEncryptedKey ::= SEQUENCE {
952          rid KeyAgreeRecipientIdentifier,
953          encryptedKey EncryptedKey }

955      KeyAgreeRecipientIdentifier ::= CHOICE {
956          issuerAndSerialNumber IssuerAndSerialNumber,
957          rKeyId [0] IMPLICIT RecipientKeyIdentifier }

959      RecipientKeyIdentifier ::= SEQUENCE {
960          subjectKeyIdentifier SubjectKeyIdentifier,
961          date GeneralizedTime OPTIONAL,
962          other OtherKeyAttribute OPTIONAL }

964      SubjectKeyIdentifier ::= OCTET STRING

966      KEKRecipientInfo ::= SEQUENCE {
967          version CMSVersion, -- always set to 4
968          kekid KEKIdentifier,
969          keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
970          encryptedKey EncryptedKey }

972      KEKIdentifier ::= SEQUENCE {
973          keyIdentifier OCTET STRING,
974          date GeneralizedTime OPTIONAL,
975          other OtherKeyAttribute OPTIONAL }
976      PasswordRecipientInfo ::= SEQUENCE {
977          version CMSVersion, -- always set to 0
978          keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
979              OPTIONAL,
980          keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
981          encryptedKey EncryptedKey }

983      OTHER-RECIPIENT ::= TYPE-IDENTIFIER

985      OtherRecipientInfo ::= SEQUENCE {
986          oriType    OTHER-RECIPIENT.
987                  &id({SupportedOtherRecipInfo}),
988          oriValue   OTHER-RECIPIENT.
989                  &Type({SupportedOtherRecipInfo}{@oriType})}

991      SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

993      DigestedData ::= SEQUENCE {
994          version CMSVersion,
995          digestAlgorithm DigestAlgorithmIdentifier,
996          encapContentInfo EncapsulatedContentInfo,
997          digest Digest, ... }

999      Digest ::= OCTET STRING

1001     EncryptedData ::= SEQUENCE {
1002         version CMSVersion,
1003         encryptedContentInfo EncryptedContentInfo,
1004         ...,
1005         [[2: unprotectedAttrs [1] IMPLICIT Attributes
1006             {{UnprotectedEncAttributes}} OPTIONAL ]] }

1008     AuthenticatedData ::= SEQUENCE {
1009         version CMSVersion,
1010         originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1011         recipientInfos RecipientInfos,
1012         macAlgorithm MessageAuthenticationCodeAlgorithm,
1013         digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
1014         encapContentInfo EncapsulatedContentInfo,
1015         authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
1016         mac MessageAuthenticationCode,
1017         unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

1019     AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
1020         {{AuthAttributeSet}}

1022     AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
1023                                      | aa-signingTime, ...}
1024     MessageAuthenticationCode ::= OCTET STRING

1026     UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1027         {{UnauthAttributeSet}}

1029     UnauthAttributeSet ATTRIBUTE ::= {...}

1031     --
1032     -- General algorithm definitions
1033     --

1035     DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1036         {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

1038     DigestAlgorithmSet DIGEST-ALGORITHM ::= {
1039         CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ...
} 1041 SignatureAlgorithmIdentifier ::= AlgorithmIdentifier 1042 {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}} 1044 SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= 1045 { SignatureAlgs, ... } 1047 KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1048 {KEY-WRAP, {KeyEncryptionAlgorithmSet}} 1050 KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... } 1052 ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1053 {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}} 1055 ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= 1056 { ContentEncryptionAlgs, ... } 1058 MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier 1059 {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}} 1061 MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::= 1062 { MessageAuthAlgs, ... } 1064 KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier 1065 {KEY-DERIVATION, {KeyDerivationAlgs, ...}} 1067 RevocationInfoChoices ::= SET OF RevocationInfoChoice 1069 RevocationInfoChoice ::= CHOICE { 1070 crl CertificateList, 1071 ..., 1072 [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } 1074 OTHER-REVOK-INFO ::= TYPE-IDENTIFIER 1076 OtherRevocationInfoFormat ::= SEQUENCE { 1077 otherRevInfoFormat OTHER-REVOK-INFO. 1078 &id({SupportedOtherRevokInfo}), 1079 otherRevInfo OTHER-REVOK-INFO. 1080 &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})} 1082 SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... } 1084 CertificateChoices ::= CHOICE { 1085 certificate Certificate, 1086 extendedCertificate [0] IMPLICIT ExtendedCertificate, 1087 -- Obsolete 1088 ..., 1089 [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]], 1090 -- Obsolete 1091 [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]], 1092 [[5: other [3] IMPLICIT OtherCertificateFormat]] } 1094 AttributeCertificateV2 ::= AttributeCertificate 1096 OTHER-CERT-FMT ::= TYPE-IDENTIFIER 1098 OtherCertificateFormat ::= SEQUENCE { 1099 otherCertFormat OTHER-CERT-FMT. 
1100            &id({SupportedCertFormats}),
1101        otherCert OTHER-CERT-FMT.
1102            &Type({SupportedCertFormats}{@otherCertFormat})}

1104    SupportedCertFormats OTHER-CERT-FMT ::= { ... }

1106    CertificateSet ::= SET OF CertificateChoices

1108    IssuerAndSerialNumber ::= SEQUENCE {
1109        issuer Name,
1110        serialNumber CertificateSerialNumber }

1112    CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

1114    UserKeyingMaterial ::= OCTET STRING

1116    KEY-ATTRIBUTE ::= TYPE-IDENTIFIER

1118    OtherKeyAttribute ::= SEQUENCE {
1119        keyAttrId KEY-ATTRIBUTE.
1120            &id({SupportedKeyAttributes}),
1121        keyAttr KEY-ATTRIBUTE.
1122            &Type({SupportedKeyAttributes}{@keyAttrId})}

1124    SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }

1126    -- Content Type Object Identifiers

1128    id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1129        us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

1131    ct-Data CONTENT-TYPE ::= {IDENTIFIED BY id-data }

1133    id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1134        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

1136    ct-SignedData CONTENT-TYPE ::=
1137        { TYPE SignedData IDENTIFIED BY id-signedData}

1139    id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1140        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

1142    ct-EnvelopedData CONTENT-TYPE ::=
1143        { TYPE EnvelopedData IDENTIFIED BY id-envelopedData}

1145    id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1146        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

1148    ct-DigestedData CONTENT-TYPE ::=
1149        { TYPE DigestedData IDENTIFIED BY id-digestedData}

1151    id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1152        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

1154    ct-EncryptedData CONTENT-TYPE ::=
1155        { TYPE EncryptedData IDENTIFIED BY id-encryptedData}

1157    id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1158        us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

1160    ct-AuthenticatedData CONTENT-TYPE ::=
1161        { TYPE AuthenticatedData IDENTIFIED BY id-ct-authData}

1163    id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1164        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

1166    --
1167    -- The CMS Attributes
1168    --

1170    MessageDigest ::= OCTET STRING

1172    SigningTime ::= Time

1174    Time ::= CHOICE {
1175        utcTime UTCTime,
1176        generalTime GeneralizedTime }

1178    Countersignature ::= SignerInfo

1180    -- Attribute Object Identifiers

1182    aa-contentType ATTRIBUTE ::=
1183        { TYPE ContentType IDENTIFIED BY id-contentType }
1184    id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1185        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

1187    aa-messageDigest ATTRIBUTE ::=
1188        { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
1189    id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1190        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

1192    aa-signingTime ATTRIBUTE ::=
1193        { TYPE SigningTime IDENTIFIED BY id-signingTime }
1194    id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1195        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

1197    aa-countersignature ATTRIBUTE ::=
1198        { TYPE Countersignature IDENTIFIED BY id-countersignature }
1199    id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1200        us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

1202    --
1203    -- Obsolete Extended Certificate syntax from PKCS#6
1204    --

1206    ExtendedCertificateOrCertificate ::= CHOICE {
1207        certificate Certificate,
1208        extendedCertificate [0] IMPLICIT ExtendedCertificate }

1210    ExtendedCertificate ::= SEQUENCE {
1211        extendedCertificateInfo ExtendedCertificateInfo,
1212        signatureAlgorithm SignatureAlgorithmIdentifier,
1213        signature Signature }

1215    ExtendedCertificateInfo ::= SEQUENCE {
1216        version CMSVersion,
1217        certificate Certificate,
1218        attributes UnauthAttributes }

1220    Signature ::= BIT STRING

1222    Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
1223        attrType ATTRIBUTE.
1224            &id({AttrList}),
1225        attrValues SET OF ATTRIBUTE.
1226            &Type({AttrList}{@attrType}) }

1228    Attributes { ATTRIBUTE:AttrList } ::=
1229        SET SIZE (1..MAX) OF Attribute {{ AttrList }}

1231    END

1233  10. ASN.1 Module RFC 5752

1235     We have updated the ASN.1 module associated with this document to be
1236     2008 compliant and to use the set of classes previously defined in
1237     [RFC5911].

1239    MultipleSignatures-2009
1240        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1241        smime(16) modules(0) TBD9 }
1242    DEFINITIONS IMPLICIT TAGS ::=
1243    BEGIN
1244    -- EXPORTS All
1245    -- The types and values defined in this module are exported for use
1246    -- in the other ASN.1 modules. Other applications may use them for
1247    -- their own purposes.

1249    IMPORTS

1251    -- Imports from PKIX-Common-Types-2009 [RFC5912]

1253    ATTRIBUTE
1254        FROM PKIX-CommonTypes-2009
1255        { iso(1) identified-organization(3) dod(6) internet(1)
1256        security(5) mechanisms(5) pkix(7) id-mod(0)
1257        id-mod-pkixCommon-02(57) }

1259    -- Imports from CryptographicMessageSyntax-2009 [RFC5911]

1261    DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier
1262        FROM CryptographicMessageSyntax-2009
1263        { iso(1) member-body(2) us(840) rsadsi(113549)
1264        pkcs(1) pkcs-9(9) smime(16) modules(0) TBD1 }

1266    -- Imports from ExtendedSecurityServices-2009 [RFC5911]

1268    ESSCertIDv2
1269        FROM ExtendedSecurityServices-2009
1270        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1271        smime(16) modules(0) id-mod-ess-2006-02(42) }
1272    ;

1274    --
1275    -- Section 3.0
1276    --
1277    -- at-multipleSignatures should be added ONLY to the
1278    -- SignedAttributesSet defined in [RFC5652]
1279    --
1280    at-multipleSignatures ATTRIBUTE ::= {
1281        TYPE MultipleSignatures
1282        IDENTIFIED BY id-aa-multipleSignatures
1283    }

1285    id-aa-multipleSignatures OBJECT IDENTIFIER ::= {
1286        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1287        id-aa(2) 51 }

1289    MultipleSignatures ::= SEQUENCE {
1290        bodyHashAlg DigestAlgorithmIdentifier,
1291        signAlg SignatureAlgorithmIdentifier,
1292        signAttrsHash SignAttrsHash,
1293        cert ESSCertIDv2 OPTIONAL
1294    }

1296    SignAttrsHash ::= SEQUENCE {
1297        algID DigestAlgorithmIdentifier,
1298        hash OCTET STRING
1299    }

1301    END

1303  11. Module Identifiers in ASN.1

1305     One potential issue that can occur when updating modules is the fact
1306     that a large number of modules may need to be updated if they import
1307     from a newly updated module. This section addresses one method that
1308     can be used to deal with this problem, but the modules in this
1309     document don't currently implement the solution discussed here.

1311     When looking at an import statement, there are three portions: the
1312     list of items imported, a textual name for the module, and an object
1313     identifier for the module. Full implementations of ASN.1 do module
1314     matching using first the object identifier and, if that is not present,
1315     the textual name of the module. Note however that some older
1316     implementations used the textual name of the module for the purposes
1317     of matching. In a full implementation the name assigned to the
1318     module is scoped to the ASN.1 module that it appears in (and thus
1319     needs to match the module it is importing from).

1321     One can create a module that contains only the module number
1322     assignments and import the module assignments from the new module.
1323     This means that when a module is replaced, one can replace the
1324     previous module, update the module number assignment module and
1325     recompile without having to modify any other modules.
1327     A sample module assignment module would be:

1329    ModuleNumbers
1330    DEFINITIONS IMPLICIT TAGS ::=
1331    BEGIN
1332        id-mod-CMS OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
1333            rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) TBD }

1335        id-mod-AlgInfo OBJECT IDENTIFIER ::=
1336            {iso(1) identified-organization(3) dod(6) internet(1)
1337            security(5) mechanisms(5) pkix(7) id-mod(0)
1338            id-mod-algorithmInformation-02(58)}
1339    END

1341     This would be used in the following import statement:

1343    IMPORTS
1344        id-mod-CMS, id-mod-AlgInfo
1345        FROM ModuleNumbers -- Note it will match on the name since no
1346                           -- OID is provided

1348        CMSVersion, EncapsulatedContentInfo, CONTENT-TYPE
1349        FROM CryptographicMessageSyntax-2009
1350            id-mod-CMS

1352        AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
1353        FROM AlgorithmInformation-2009 id-mod-AlgInfo
1354    ;

1356  12. Security Considerations

1358     This document itself does not have any security considerations. The
1359     ASN.1 modules keep the same bits-on-the-wire as the modules that they
1360     replace.

1362  13. IANA Considerations

1364     None.

1366  14. Normative References

1368     [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1369               Requirement Levels", BCP 14, RFC 2119, March 1997.

1371     [RFC3274] Gutmann, P., "Compressed Data Content Type for
1372               Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.

1374     [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
1375               Addresses and AS Identifiers", RFC 3779, June 2004.

1377     [RFC6019] Housley, R., "BinaryTime: An Alternate Format for
1378               Representing Date and Time in ASN.1", RFC 6019,
1379               September 2010.

1381     [RFC4073] Housley, R., "Protecting Multiple Contents with the
1382               Cryptographic Message Syntax (CMS)", RFC 4073, May 2005.

1384     [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
1385               224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
1386               RFC 4231, December 2005.

1388     [RFC4334] Housley, R. and T. Moore, "Certificate Extensions and
1389               Attributes Supporting Authentication in Point-to-Point
1390               Protocol (PPP) and Wireless Local Area Networks (WLAN)",
1391               RFC 4334, February 2006.

1393     [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
1394               Authenticated-Enveloped-Data Content Type", RFC 5083,
1395               November 2007.

1397     [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
1398               RFC 5652, September 2009.

1400     [RFC5752] Turner, S. and J. Schaad, "Multiple Signatures in
1401               Cryptographic Message Syntax (CMS)", RFC 5752,
1402               January 2010.

1404     [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
1405               Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
1406               June 2010.

1408     [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
1409               Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
1410               June 2010.

1412     [ASN1-2008]
1413               ITU-T, "ITU-T Recommendations X.680, X.681, X.682, and
1414               X.683", 2008.

1416  Authors' Addresses

1418     Jim Schaad
1419     Soaring Hawk Consulting

1421     Email: jimsch@augustcellars.com

1423     Sean Turner
1424     IECA, Inc.
1425     3057 Nutley Street, Suite 106
1426     Fairfax, VA 22031

1428     Email: turners@ieca.com