idnits 2.17.00 (12 Aug 2021)

/tmp/idnits24394/draft-turner-additional-new-asn-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008. The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs. If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer.
     Otherwise, the disclaimer is needed and you can ignore this comment.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (December 12, 2010) is 4177 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC3851' is mentioned on line 187, but not defined

  ** Obsolete undefined reference: RFC 3851 (Obsoleted by RFC 5751)

  == Missing Reference: 'RFC5280' is mentioned on line 283, but not defined

  -- Looks like a reference, but probably isn't: '0' on line 1211

  -- Looks like a reference, but probably isn't: '1' on line 1093

  -- Looks like a reference, but probably isn't: '2' on line 1095

  -- Looks like a reference, but probably isn't: '3' on line 1096

  -- Looks like a reference, but probably isn't: '4' on line 915

  == Unused Reference: 'RFC5084' is defined on line 1401, but no explicit
     reference was found in the text

  ** Downref: Normative reference to an Informational RFC: RFC 3379

  ** Obsolete normative reference: RFC 4049 (Obsoleted by RFC 6019)

  ** Downref: Normative reference to an Informational RFC: RFC 5911

  ** Downref: Normative reference to an Informational RFC: RFC 5912

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ASN1-2008'

     Summary: 5 errors (**), 0 flaws (~~), 5 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2 Network Working Group                                          J. Schaad
3 Internet-Draft                                   Soaring Hawk Consulting
4 Intended status: Standards Track                               S. Turner
5 Expires: June 15, 2011                                        IECA, Inc.
6                                                        December 12, 2010

8 Additional New ASN.1 Modules
9 draft-turner-additional-new-asn-05

11 Abstract

13 The Cryptographic Message Syntax (CMS) format, and many associated
14 formats, are expressed using ASN.1. The current ASN.1 modules
15 conform to the 1988 version of ASN.1. This document updates some
16 auxiliary ASN.1 modules to conform to the 2008 version of ASN.1.
17 There are no bits-on-the-wire changes to any of the formats; this is
18 simply a change to the syntax.

20 Status of this Memo

22 This Internet-Draft is submitted in full conformance with the
23 provisions of BCP 78 and BCP 79.

25 Internet-Drafts are working documents of the Internet Engineering
26 Task Force (IETF). Note that other groups may also distribute
27 working documents as Internet-Drafts. The list of current Internet-
28 Drafts is at http://datatracker.ietf.org/drafts/current/.

30 Internet-Drafts are draft documents valid for a maximum of six months
31 and may be updated, replaced, or obsoleted by other documents at any
32 time. It is inappropriate to use Internet-Drafts as reference
33 material or to cite them other than as "work in progress."

35 This Internet-Draft will expire on June 15, 2011.

37 Copyright Notice

39 Copyright (c) 2010 IETF Trust and the persons identified as the
40 document authors. All rights reserved.

42 This document is subject to BCP 78 and the IETF Trust's Legal
43 Provisions Relating to IETF Documents
44 (http://trustee.ietf.org/license-info) in effect on the date of
45 publication of this document. Please review these documents
46 carefully, as they describe your rights and restrictions with respect
47 to this document. Code Components extracted from this document must
48 include Simplified BSD License text as described in Section 4.e of
49 the Trust Legal Provisions and are provided without warranty as
50 described in the Simplified BSD License.

52 This document may contain material from IETF Documents or IETF
53 Contributions published or made publicly available before November
54 10, 2008. The person(s) controlling the copyright in some of this
55 material may not have granted the IETF Trust the right to allow
56 modifications of such material outside the IETF Standards Process.
57 Without obtaining an adequate license from the person(s) controlling
58 the copyright in such materials, this document may not be modified
59 outside the IETF Standards Process, and derivative works of it may
60 not be created outside the IETF Standards Process, except to format
61 it for publication as an RFC or to translate it into languages other
62 than English.

64 Table of Contents

66 1. Introduction
67 1.1. ASN.1 Updates (2002 to 2008)
68 1.2. Requirements Terminology
69 2. ASN.1 Module RFC 3274
70 3. ASN.1 Module RFC 3379
71 4. ASN.1 Module RFC 4049
72 5. ASN.1 Module RFC 4073
73 6. ASN.1 Module RFC 4231
74 7. ASN.1 Module RFC 4334
75 8. ASN.1 Module RFC 5083
76 9. ASN.1 Module RFC 5652
77 10. ASN.1 Module RFC 5752
78 11. Module Identifiers in ASN.1
79 12. Security Considerations
80 13. IANA Considerations
81 14. Normative References
82 Authors' Addresses

84 1. Introduction

86 Some developers would like the IETF to use the latest version of
87 ASN.1 in its standards. Most of the RFCs that relate to security
88 protocols still use ASN.1 from the 1988 standard, which has been
89 deprecated. This is particularly true for the standards that relate
90 to PKIX, CMS, and S/MIME.
92 In this document we have either changed the syntax to use the 2008
93 ASN.1 standard, or done some updates from previous conversions:

95    RFC 3274, Compressed Data Content Type for Cryptographic Message
96    Syntax (CMS) [RFC3274].

98    RFC 3379, Delegated Path Validation and Delegated Path Discovery
99    Protocol Requirements [RFC3379].

101    RFC 4049, BinaryTime: An Alternate Format for Representing Date
102    and Time in ASN.1 [RFC4049].

104    RFC 4073, Protecting Multiple Contents with the Cryptographic
105    Message Syntax (CMS) [RFC4073].

107    RFC 4231, Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-
108    256, HMAC-SHA-384, and HMAC-SHA-512 [RFC4231].

110    RFC 4334, Certificate Extensions and Attributes Supporting
111    Authentication in Point-to-Point Protocol (PPP) and Wireless Local
112    Area Networks (WLAN) [RFC4334].

114    RFC 5083, Cryptographic Message Syntax (CMS) Authenticated-
115    Enveloped-Data Content Type [RFC5083].

117    RFC 5652, Cryptographic Message Syntax (CMS) [RFC5652].

119    RFC 5752, Multiple Signatures in Cryptographic Message Syntax
120    (CMS) [RFC5752].

122 Note that some of the modules in this document get some of their
123 definitions from places different than the modules in the original
124 RFCs. The idea is that these modules, when combined with the modules
125 in [RFC5912] and [RFC5911] can stand on their own and do not need to
126 import definitions from anywhere else.

128 1.1. ASN.1 Updates (2002 to 2008)

130 The modules defined in this document are compatible with the most
131 current ASN.1 specification published in 2008 (see [ASN1-2008]). The
132 changes between the 2002 specification and the 2008 specification
133 include the creation of some additional pre-defined types (DATE,
134 DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE-OID-IRI, TIME,
135 TIME-OF-DAY) and the ability to define different encoding rules
136 (ENCODING-CONTROL, INSTRUCTIONS). None of the newly defined tokens
137 are currently used in any of the ASN.1 specifications published here.

139 1.2. Requirements Terminology

141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
143 document are to be interpreted as described in [RFC2119].

145 2. ASN.1 Module RFC 3274

147 We have updated the ASN.1 module associated with this document to be
148 2008 compliant and to use the set of classes previously defined in
149 [RFC5911].

151 CompressedDataContent
152   { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
153     smime(16) modules(0) id-mod-compressedDataContent(54) }

155 DEFINITIONS IMPLICIT TAGS ::=
156 BEGIN

158 IMPORTS
159   CMSVersion, EncapsulatedContentInfo,
160   CONTENT-TYPE
161   FROM CryptographicMessageSyntax-2009
162     { iso(1) member-body(2) us(840) rsadsi(113549)
163       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

165   AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
166   FROM AlgorithmInformation-2009
167     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
168      mechanisms(5) pkix(7) id-mod(0)
169      id-mod-algorithmInformation-02(58)}
170   ;

172 --
173 -- ContentTypes contains the set of content types that are
174 -- defined in this module.
175 --
176 -- The contents of ContentTypes should be added to
177 -- ContentSet defined in [RFC5652]
178 --

180 ContentTypes CONTENT-TYPE ::= {ct-compressedData}

182 --
183 -- SMimeCaps contains the set of S/MIME capabilities that
184 -- are associated with the algorithms defined in this
185 -- document.
186 --
187 -- SMimeCaps are added to SMimeCapsSet defined in [RFC3851].
188 --

190 SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps}

192 --
193 -- Define the compressed data content type
194 --

196 ct-compressedData CONTENT-TYPE ::= {
197   TYPE CompressedData IDENTIFIED BY id-ct-compressedData
198 }

200 CompressedData ::= SEQUENCE {
201   version CMSVersion (v0), -- Always set to 0
202   compressionAlgorithm CompressionAlgorithmIdentifier,
203   encapContentInfo EncapsulatedContentInfo
204 }

206 CompressionAlgorithmIdentifier ::=
207   AlgorithmIdentifier{COMPRESS-ALGORITHM, {CompressAlgorithmSet}}

209 CompressAlgorithmSet COMPRESS-ALGORITHM ::= {
210   cpa-zlibCompress, ...
211 }

213 -- Algorithm Identifiers

215 id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2)
216   us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 }

218 cpa-zlibCompress COMPRESS-ALGORITHM ::= {
219   IDENTIFIER id-alg-zlibCompress
220   PARAMS TYPE NULL ARE preferredAbsent
221   SMIME-CAPS {IDENTIFIED BY id-alg-zlibCompress}
222 }

224 -- Content Type Object Identifiers

226 id-ct-compressedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
227   us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 9 }

229 --
230 -- Class defined for compression algorithms
231 --

233 COMPRESS-ALGORITHM ::= CLASS {
234   &id OBJECT IDENTIFIER UNIQUE,
235   &Params OPTIONAL,
236   &paramPresence ParamOptions DEFAULT absent,
237   &smimeCaps SMIME-CAPS OPTIONAL
238 }
239 WITH SYNTAX {
240   IDENTIFIER &id

242   [PARAMS [TYPE &Params] ARE &paramPresence]
243   [SMIME-CAPS &smimeCaps]
244 }

246 END

248 3. ASN.1 Module RFC 3379

250 We have updated the ASN.1 module associated with RFC 3379 to be ASN.1
251 2008 compliant and to use the set of classes previously defined in
252 [RFC5912].

254 IPAddrAndASCertExtn { iso(1) identified-organization(3) dod(6)
255   internet(1) security(5) mechanisms(5) pkix(7) mod(0)
256   id-mod-ip-addr-and-as-ident-2(72) }
257 DEFINITIONS EXPLICIT TAGS ::=
258 BEGIN
259 EXPORTS ALL;

261 IMPORTS

263 -- PKIX specific OIDs and arcs --
264   id-pe
265   FROM PKIX1Explicit-2009
266     { iso(1) identified-organization(3) dod(6) internet(1)
267       security(5) mechanisms(5) pkix(7) id-mod(0)
268       id-mod-pkix1-explicit-02(51)}

270   EXTENSION
271   FROM PKIX-CommonTypes-2009
272     { iso(1) identified-organization(3) dod(6) internet(1)
273       security(5) mechanisms(5) pkix(7) id-mod(0)
274       id-mod-pkixCommon-02(57)}
275   ;

277 --
278 -- Extensions contains the set of extensions defined in this
279 -- module
280 --
281 -- These are intended to be placed in public key certificates
282 -- and thus should be added to the CertExtensions extension
283 -- set in PKIXImplicit-2009 defined for [RFC5280]
284 --

286 Extensions EXTENSION ::= {
287   ext-pe-ipAddrBlocks | ext-pe-autonomousSysIds
288 }

290 -- IP Address Delegation Extension OID --

292 ext-pe-ipAddrBlocks EXTENSION ::= {
293   SYNTAX IPAddrBlocks
294   IDENTIFIED BY id-pe-ipAddrBlocks
295 }
296 id-pe-ipAddrBlocks OBJECT IDENTIFIER ::= { id-pe 7 }

298 -- IP Address Delegation Extension Syntax --

300 IPAddrBlocks ::= SEQUENCE OF IPAddressFamily

302 IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI --
303   addressFamily OCTET STRING (SIZE (2..3)),
304   ipAddressChoice IPAddressChoice }

306 IPAddressChoice ::= CHOICE {
307   inherit NULL, -- inherit from issuer --
308   addressesOrRanges SEQUENCE OF IPAddressOrRange }

310 IPAddressOrRange ::= CHOICE {
311   addressPrefix IPAddress,
312   addressRange IPAddressRange }

314 IPAddressRange ::= SEQUENCE {
315   min IPAddress,
316   max IPAddress }

318 IPAddress ::= BIT STRING

320 -- Autonomous System Identifier Delegation Extension OID --

322 ext-pe-autonomousSysIds EXTENSION ::= {
323   SYNTAX ASIdentifiers
324   IDENTIFIED BY id-pe-autonomousSysIds
325 }

327 id-pe-autonomousSysIds OBJECT IDENTIFIER ::= { id-pe 8 }

329 -- Autonomous System Identifier Delegation Extension Syntax --

331 ASIdentifiers ::= SEQUENCE {
332   asnum [0] ASIdentifierChoice OPTIONAL,
333   rdi [1] ASIdentifierChoice OPTIONAL }
334   (WITH COMPONENTS {..., asnum PRESENT} |
335    WITH COMPONENTS {..., rdi PRESENT})

337 ASIdentifierChoice ::= CHOICE {
338   inherit NULL, -- inherit from issuer --
339   asIdsOrRanges SEQUENCE OF ASIdOrRange }

341 ASIdOrRange ::= CHOICE {
342   id ASId,
343   range ASRange }

345 ASRange ::= SEQUENCE {
346   min ASId,
347   max ASId }

349 ASId ::= INTEGER

351 END

353 4. ASN.1 Module RFC 4049

355 We have updated the ASN.1 module associated with this document to be
356 2008 compliant and to use the set of classes previously defined in
357 [RFC5911].

359 BinarySigningTimeModule-2009
360   { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
361     pkcs-9(9) smime(16) modules(0)
362     id-mod-binSigningTime-2009(55) }
363 DEFINITIONS IMPLICIT TAGS ::=
364 BEGIN
365 IMPORTS

367 -- From PKIX-CommonTypes-2009 [RFC5912]

369   ATTRIBUTE
370   FROM PKIX-CommonTypes-2009
371     { iso(1) identified-organization(3) dod(6) internet(1)
372       security(5) mechanisms(5) pkix(7) id-mod(0)
373       id-mod-pkixCommon-02(57) }
374   ;

376 --
377 -- BinaryTime Definition
378 --
379 -- BinaryTime contains the number of seconds since
380 -- midnight Jan 1, 1970 UTC.
381 -- Leap seconds are EXCLUDED from the computation.
382 --

384 BinaryTime ::= INTEGER (0..MAX)

386 --
387 -- Signing Binary Time Attribute
388 --
389 -- The binary signing time should be added to
390 -- SignedAttributeSet and tAuthenticatedAttributeSet
391 -- in CMS [RFC5652] and to AuthEnvDataAttributeSet
392 -- in [RFC5083].
393 --

395 aa-binarySigningTime ATTRIBUTE ::= {
396   TYPE BinarySigningTime
397   IDENTIFIED BY id-aa-binarySigningTime }

399 id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
400   member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
401   smime(16) aa(2) 46 }

403 BinarySigningTime ::= BinaryTime

405 END

407 5. ASN.1 Module RFC 4073

409 We have updated the ASN.1 module associated with this document to be
410 2008 compliant and to use the set of classes previously defined in
411 [RFC5911].

413 ContentCollectionModule-2009
414   { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
415     pkcs-9(9) smime(16) modules(0) id-mod-context-Collect-2009(56) }
416 DEFINITIONS IMPLICIT TAGS ::=
417 BEGIN
418 IMPORTS

420 -- From CryptographicMessageSyntax-2009 [RFC5911]

422   CONTENT-TYPE, ContentInfo
423   FROM CryptographicMessageSyntax-2009
424     { iso(1) member-body(2) us(840) rsadsi(113549)
425       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

427   AttributeSet{}, ATTRIBUTE
428   FROM PKIX-CommonTypes-2009
429     { iso(1) identified-organization(3) dod(6) internet(1)
430       security(5) mechanisms(5) pkix(7) id-mod(0)
431       id-mod-pkixCommon-02(57) }
432   ;

434 --
435 -- An object set of all content types defined by this module.
436 -- This is to be added to ContentSet in the CMS module
437 --

439 ContentSet CONTENT-TYPE ::= {
440   ct-ContentCollection | ct-ContentWithAttributes, ...
441 }

443 --
444 -- Content Collection Content Type and Object Identifier
445 --

447 ct-ContentCollection CONTENT-TYPE ::= {
448   TYPE ContentCollection IDENTIFIED BY id-ct-contentCollection }

450 id-ct-contentCollection OBJECT IDENTIFIER ::= {
451   iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
452   smime(16) ct(1) 19 }

454 ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
455 --
456 -- Content With Attributes Content Type and Object Identifier
457 --

459 ct-ContentWithAttributes CONTENT-TYPE ::= {
460   TYPE ContentWithAttributes IDENTIFIED BY id-ct-contentWithAttrs }

462 id-ct-contentWithAttrs OBJECT IDENTIFIER ::= {
463   iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
464   smime(16) ct(1) 20 }

466 ContentWithAttributes ::= SEQUENCE {
467   content ContentInfo,
468   attrs SEQUENCE SIZE (1..MAX) OF AttributeSet
469     {{ ContentAttributeSet }}
470 }

472 ContentAttributeSet ATTRIBUTE ::= { ... }
473 END

475 6. ASN.1 Module RFC 4231

477 RFC 4231 does not contain an ASN.1 module to be updated. We have
478 therefore created an ASN.1 module to represent the ASN.1 that is
479 present in the document. Note that the parameters are defined as
480 expecting a parameter for the algorithm identifiers in this module;
481 this is different from most of the algorithms used in PKIX and
482 S/MIME. There is no concept of being able to truncate the MAC value
483 in the ASN.1, unlike the XML definitions. This is reflected by not
484 having a minimum MAC length defined in the ASN.1.

486 HMAC { iso(1) identified-organization(3) dod(6) internet(1)
487   security(5) mechanisms(5) pkix(7) mod(0) id-mod-hmac(74) }
488 DEFINITIONS EXPLICIT TAGS ::=
489 BEGIN
490 EXPORTS ALL;

492 IMPORTS

494   MAC-ALGORITHM, SMIME-CAPS
495   FROM AlgorithmInformation-2009
496     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
497       mechanisms(5) pkix(7) id-mod(0)
498       id-mod-algorithmInformation-02(58)};

500 --
501 -- This object set contains all of the MAC algorithms that are
502 -- defined in this module.
503 -- One would add it to a constraining set of objects such as the
504 -- MessageAuthenticationCodeAlgorithmSet in [RFC5652]
505 --

507 MessageAuthAlgs MAC-ALGORITHM ::= {
508   maca-hMAC-SHA224 |
509   maca-hMAC-SHA256 |
510   maca-hMAC-SHA384 |
511   maca-hMAC-SHA512
512 }

514 --
515 -- This object set contains all of the S/MIME capabilities that
516 -- have been defined for all the MAC algorithms in this module.
517 -- One would add this to an object set that is used to restrict
518 -- smime capabilities such as the SMimeCapsSet variable in
519 -- the S/MIME message draft
520 --

522 SMimeCaps SMIME-CAPS ::= {
523   maca-hMAC-SHA224.&smimeCaps |
524   maca-hMAC-SHA256.&smimeCaps |
525   maca-hMAC-SHA384.&smimeCaps |
526   maca-hMAC-SHA512.&smimeCaps
527 }

529 --
530 -- Define the base OID for the algorithm identifiers
531 --

533 rsadsi OBJECT IDENTIFIER ::=
534   {iso(1) member-body(2) us(840) rsadsi(113549)}

536 digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}

538 --
539 -- Define the necessary algorithm identifiers
540 --

542 id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8}
543 id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9}
544 id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10}
545 id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11}

547 --
548 -- Define each of the MAC-ALGORITHM objects to describe the
549 -- algorithms defined
550 --

552 maca-hMAC-SHA224 MAC-ALGORITHM ::= {
553   IDENTIFIER id-hmacWithSHA224
554   PARAMS TYPE NULL ARE preferredPresent
555   IS-KEYED-MAC TRUE
556   SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA224}
557 }

559 maca-hMAC-SHA256 MAC-ALGORITHM ::= {
560   IDENTIFIER id-hmacWithSHA256
561   PARAMS TYPE NULL ARE preferredPresent
562   IS-KEYED-MAC TRUE
563   SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA256}
564 }

566 maca-hMAC-SHA384 MAC-ALGORITHM ::= {
567   IDENTIFIER id-hmacWithSHA384
568   PARAMS TYPE NULL ARE preferredPresent
569   IS-KEYED-MAC TRUE
570   SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA384}
571 }

573 maca-hMAC-SHA512 MAC-ALGORITHM ::= {
574   IDENTIFIER id-hmacWithSHA512
575   PARAMS TYPE NULL ARE preferredPresent
576   IS-KEYED-MAC TRUE
577   SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA512}
578 }

580 END

582 7. ASN.1 Module RFC 4334

584 We have updated the ASN.1 module associated with RFC 4334 to be ASN.1
585 2008 compliant and to use the set of classes previously defined in
586 [RFC5912].

588 WLANCertExtn
589   { iso(1) identified-organization(3) dod(6) internet(1)
590     security(5) mechanisms(5) pkix(7) id-mod(0)
591     id-mod-wlan-extns-2(73) }

593 DEFINITIONS IMPLICIT TAGS ::=
594 BEGIN
595 EXPORTS ALL;

597 IMPORTS

599   EXTENSION, ATTRIBUTE
600   FROM PKIX-CommonTypes-2009
601     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
602      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

604   id-pe, id-kp
605   FROM PKIX1Explicit-2009
606     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
607       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

609   id-aca
610   FROM PKIXAttributeCertificate-2009
611     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
612       mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}

614   ;

616 -- Extended Key Usage Values

618 KeyUsageValues OBJECT IDENTIFIER ::= {
619   id-kp-eapOverPPP | id-kp-eapOverLAN
620 }

622 id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 }

624 id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 }

626 -- Wireless LAN SSID Extension
627 ext-pe-wlanSSID EXTENSION ::= {
628   SYNTAX SSIDList
629   IDENTIFIED BY id-pe-wlanSSID
630   CRITICALITY {FALSE}
631 }

633 id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 }

635 SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID

637 SSID ::= OCTET STRING (SIZE (1..32))

639 -- Wireless LAN SSID Attribute Certificate Attribute
640 -- Uses same syntax as the certificate extension: SSIDList

642 at-aca-wlanSSID ATTRIBUTE ::= {
643   TYPE SSIDList
644   IDENTIFIED BY id-aca-wlanSSID
645 }

647 id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 7 }

649 END

651 8. ASN.1 Module RFC 5083

653 This module is updated from RFC 5911 [RFC5911] by the following
654 changes:

656 1. Define separate attribute sets for the unprotected attributes
657    used in EnvelopedData, EncryptedData and
658    AuthenticatedEnvelopedData (RFC 5083).

660 2. Define a parameterized type EncryptedContentInfoType so that the
661    basic type can be used with algorithm sets (used for
662    EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
663    5083)). The parameterized type is assigned to an unparameterized
664    type of EncryptedContentInfo to minimize the output changes from
665    previous versions.

667 With the use of different attribute sets for EncryptedData and
668 EnvelopedData as well as for AuthenticatedData and AuthEnvelopedData,
669 protocol designers can make use of the '08 ASN.1 constraints to
670 define different sets of attributes for EncryptedData and
671 EnvelopedData and for AuthenticatedData and AuthEnvelopedData.
672 Previously, attributes could only be constrained based on whether
673 they were in the clear or unauthenticated, not on the encapsulating
674 content type.

676 CMS-AuthEnvelopedData-2009
677   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
678    smime(16) modules(0) id-mod-cmsAuthEnvData-2009(57) }
679 DEFINITIONS IMPLICIT TAGS ::=
680 BEGIN
681 IMPORTS

683   CMSVersion, EncryptedContentInfoType{},
684   MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
685   CONTENT-TYPE, Attributes{}, ATTRIBUTE, CONTENT-ENCRYPTION,
686   AlgorithmIdentifier{},
687   aa-signingTime, aa-messageDigest, aa-contentType
688   FROM CryptographicMessageSyntax-2009
689     { iso(1) member-body(2) us(840) rsadsi(113549)
690       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

692   ContentEncryptionAlgs
693   FROM CMS-AES-CCM-and-AES-GCM-2009
694     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
695       pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
696   ;

698 ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }
699 ct-authEnvelopedData CONTENT-TYPE ::= {
700   TYPE AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
701 }

703 id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
704   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
705    smime(16) ct(1) 23}

707 AuthEnvelopedData ::= SEQUENCE {
708   version CMSVersion,
709   originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
710   recipientInfos RecipientInfos,
711   authEncryptedContentInfo EncryptedContentInfo,
712   authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
713   mac MessageAuthenticationCode,
714   unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL
715 }

717 EncryptedContentInfo ::=
718   EncryptedContentInfoType { AuthContentEncryptionAlgorithmIdentifier }

720 AuthContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
721   {CONTENT-ENCRYPTION, {AuthContentEncryptionAlgorithmSet}}

723 AuthContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= {
724   ContentEncryptionAlgs, ...}

726 AuthAttributes ::= Attributes{{AuthEnvDataAttributeSet}}

728 UnauthAttributes ::= Attributes{{UnauthEnvDataAttributeSet}}

730 AuthEnvDataAttributeSet ATTRIBUTE ::= {
731   aa-contentType | aa-messageDigest | aa-signingTime, ... }

733 UnauthEnvDataAttributeSet ATTRIBUTE ::= {...}

735 END

737 9. ASN.1 Module RFC 5652

739 This module is updated from RFC 5911 [RFC5911] by the following
740 changes:

742 1. Define separate attribute sets for the unprotected attributes
743    used in EnvelopedData, EncryptedData and
744    AuthenticatedEnvelopedData (RFC 5083).

746 2. Define a parameterized type EncryptedContentInfoType so that the
747    basic type can be used with algorithm sets (used for
748    EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
749    5083)). The parameterized type is assigned to an unparameterized
750    type of EncryptedContentInfo to minimize the output changes from
751    previous versions.

753 With the use of different attribute sets for EncryptedData and
754 EnvelopedData as well as for AuthenticatedData and AuthEnvelopedData,
755 protocol designers can make use of the '08 ASN.1 constraints to
756 define different sets of attributes for EncryptedData and
757 EnvelopedData and for AuthenticatedData and AuthEnvelopedData.
758 Previously, attributes could only be constrained based on whether
759 they were in the clear or unauthenticated, not on the encapsulating
760 content type.

762 CryptographicMessageSyntax-2009
763   { iso(1) member-body(2) us(840) rsadsi(113549)
764     pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }
765 DEFINITIONS IMPLICIT TAGS ::=
766 BEGIN
767 IMPORTS

769   ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
770   PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
771   KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
772   AlgorithmIdentifier{}
773   FROM AlgorithmInformation-2009
774     {iso(1) identified-organization(3) dod(6) internet(1) security(5)
775      mechanisms(5) pkix(7) id-mod(0)
776      id-mod-algorithmInformation-02(58)}

778   SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
779   MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
780   KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
781   FROM CryptographicMessageSyntaxAlgorithms-2009
782     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
783       smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

785   Certificate, CertificateList, CertificateSerialNumber,
786   Name, ATTRIBUTE
787   FROM PKIX1Explicit-2009
788     { iso(1) identified-organization(3) dod(6) internet(1)
789       security(5) mechanisms(5) pkix(7) id-mod(0)
790       id-mod-pkix1-explicit-02(51) }

792   AttributeCertificate
793   FROM PKIXAttributeCertificate-2009
794     { iso(1) identified-organization(3) dod(6) internet(1)
795       security(5) mechanisms(5) pkix(7) id-mod(0)
796       id-mod-attribute-cert-02(47) }

798   AttributeCertificateV1
799   FROM AttributeCertificateVersion1-2009
800     { iso(1) identified-organization(3) dod(6) internet(1)
801       security(5) mechanisms(5) pkix(7) id-mod(0)
802       id-mod-v1AttrCert-02(49) } ;

804 -- Cryptographic Message Syntax

806 -- The following are used for version numbers using the ASN.1
807 -- idiom "[[n:"
808 -- Version 1 = PKCS #7
809 -- Version 2 = S/MIME V2
810 -- Version 3 = RFC 2630
811 -- Version 4 = RFC 3369
812 -- Version 5 = RFC 3852

814 CONTENT-TYPE ::= CLASS {
815   &id OBJECT IDENTIFIER UNIQUE,
816   &Type OPTIONAL
817 } WITH SYNTAX {
818   [TYPE &Type] IDENTIFIED BY &id
819 }

821 ContentType ::= CONTENT-TYPE.&id

823 ContentInfo ::= SEQUENCE {
824   contentType CONTENT-TYPE.
825     &id({ContentSet}),
826   content [0] EXPLICIT CONTENT-TYPE.
827     &Type({ContentSet}{@contentType})}

829 ContentSet CONTENT-TYPE ::= {
830   -- Define the set of content types to be recognized.
831   ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
832   ct-AuthenticatedData | ct-DigestedData, ... }

834 SignedData ::= SEQUENCE {
835   version CMSVersion,
836   digestAlgorithms SET OF DigestAlgorithmIdentifier,
837   encapContentInfo EncapsulatedContentInfo,
838   certificates [0] IMPLICIT CertificateSet OPTIONAL,
839   crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
840   signerInfos SignerInfos }

842 SignerInfos ::= SET OF SignerInfo

844 EncapsulatedContentInfo ::= SEQUENCE {
845   eContentType CONTENT-TYPE.&id({ContentSet}),
846   eContent [0] EXPLICIT OCTET STRING
847     ( CONTAINING CONTENT-TYPE.
848       &Type({ContentSet}{@eContentType})) OPTIONAL }

850 SignerInfo ::= SEQUENCE {
851   version CMSVersion,
852   sid SignerIdentifier,
853   digestAlgorithm DigestAlgorithmIdentifier,
854   signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
855   signatureAlgorithm SignatureAlgorithmIdentifier,
856   signature SignatureValue,
857   unsignedAttrs [1] IMPLICIT Attributes
858     {{UnsignedAttributes}} OPTIONAL }

860 SignedAttributes ::= Attributes {{ SignedAttributesSet }}

862 SignerIdentifier ::= CHOICE {
863   issuerAndSerialNumber IssuerAndSerialNumber,
864   ...,
865   [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

867 SignedAttributesSet ATTRIBUTE ::=
868   { aa-signingTime | aa-messageDigest | aa-contentType, ... }

870 UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

872 SignatureValue ::= OCTET STRING

874 EnvelopedData ::= SEQUENCE {
875   version CMSVersion,
876   originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
877   recipientInfos RecipientInfos,
878   encryptedContentInfo EncryptedContentInfo,
879   ...,
880   [[2: unprotectedAttrs [1] IMPLICIT Attributes
881     {{ UnprotectedEnvAttributes }} OPTIONAL ]] }

883 OriginatorInfo ::= SEQUENCE {
884   certs [0] IMPLICIT CertificateSet OPTIONAL,
885   crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

887 RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

889 EncryptedContentInfo ::=
890   EncryptedContentInfoType { ContentEncryptionAlgorithmIdentifier }

892 EncryptedContentInfoType { AlgorithmIdentifierType } ::= SEQUENCE {
893   contentType CONTENT-TYPE.&id({ContentSet}),
894   contentEncryptionAlgorithm AlgorithmIdentifierType,
895   encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }

897 -- If you want to do constraints, you might use:
898 -- EncryptedContentInfo ::= SEQUENCE {
899 -- contentType CONTENT-TYPE.&id({ContentSet}),
900 -- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
901 -- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
902 -- &Type({ContentSet}{@contentType}) OPTIONAL }
903 -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
904 -- { ToBeEncrypted } )

906 UnprotectedEnvAttributes ATTRIBUTE ::= { ... }
907 UnprotectedEncAttributes ATTRIBUTE ::= { ... }

909 RecipientInfo ::= CHOICE {
910   ktri KeyTransRecipientInfo,
911   ...,
912   [[3: kari [1] KeyAgreeRecipientInfo ]],
913   [[4: kekri [2] KEKRecipientInfo]],
914   [[5: pwri [3] PasswordRecipientInfo,
915        ori [4] OtherRecipientInfo ]] }

917 EncryptedKey ::= OCTET STRING

919 KeyTransRecipientInfo ::= SEQUENCE {
920   version CMSVersion, -- always set to 0 or 2
921   rid RecipientIdentifier,
922   keyEncryptionAlgorithm AlgorithmIdentifier
923     {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
924   encryptedKey EncryptedKey }

926 KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

928 RecipientIdentifier ::= CHOICE {
929   issuerAndSerialNumber IssuerAndSerialNumber,
930   ...,
931   [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
932 KeyAgreeRecipientInfo ::= SEQUENCE {
933   version CMSVersion, -- always set to 3
934   originator [0] EXPLICIT OriginatorIdentifierOrKey,
935   ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
936   keyEncryptionAlgorithm AlgorithmIdentifier
937     {KEY-AGREE, {KeyAgreementAlgorithmSet}},
938   recipientEncryptedKeys RecipientEncryptedKeys }

940 KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

942 OriginatorIdentifierOrKey ::= CHOICE {
943   issuerAndSerialNumber IssuerAndSerialNumber,
944   subjectKeyIdentifier [0] SubjectKeyIdentifier,
945   originatorKey [1] OriginatorPublicKey }

947 OriginatorPublicKey ::= SEQUENCE {
948   algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
949   publicKey BIT STRING }

951 OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }

953 RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

955 RecipientEncryptedKey ::= SEQUENCE {
956   rid KeyAgreeRecipientIdentifier,
957   encryptedKey EncryptedKey }

959 KeyAgreeRecipientIdentifier ::= CHOICE {
960   issuerAndSerialNumber IssuerAndSerialNumber,
961   rKeyId [0] IMPLICIT RecipientKeyIdentifier }

963 RecipientKeyIdentifier ::= SEQUENCE {
964   subjectKeyIdentifier SubjectKeyIdentifier,
965   date GeneralizedTime OPTIONAL,
966   other OtherKeyAttribute OPTIONAL }

968 SubjectKeyIdentifier ::= OCTET STRING

970 KEKRecipientInfo ::= SEQUENCE {
971   version CMSVersion, -- always set to 4
972   kekid KEKIdentifier,
973   keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
974   encryptedKey EncryptedKey }

976 KEKIdentifier ::= SEQUENCE {
977   keyIdentifier OCTET STRING,
978   date GeneralizedTime OPTIONAL,
979   other OtherKeyAttribute OPTIONAL }
980 PasswordRecipientInfo ::= SEQUENCE {
981   version CMSVersion, -- always set to 0
982   keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
983     OPTIONAL,
984   keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
985   encryptedKey EncryptedKey }

987 OTHER-RECIPIENT ::= TYPE-IDENTIFIER

989 OtherRecipientInfo ::= SEQUENCE {
990   oriType OTHER-RECIPIENT.
991     &id({SupportedOtherRecipInfo}),
992   oriValue OTHER-RECIPIENT.
993     &Type({SupportedOtherRecipInfo}{@oriType})}

995 SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

997 DigestedData ::= SEQUENCE {
998   version CMSVersion,
999   digestAlgorithm DigestAlgorithmIdentifier,
1000   encapContentInfo EncapsulatedContentInfo,
1001   digest Digest, ... }

1003 Digest ::= OCTET STRING

1005 EncryptedData ::= SEQUENCE {
1006   version CMSVersion,
1007   encryptedContentInfo EncryptedContentInfo,
1008   ...,
1009   [[2: unprotectedAttrs [1] IMPLICIT Attributes
1010     {{UnprotectedEncAttributes}} OPTIONAL ]] }

1012 AuthenticatedData ::= SEQUENCE {
1013   version CMSVersion,
1014   originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1015   recipientInfos RecipientInfos,
1016   macAlgorithm MessageAuthenticationCodeAlgorithm,
1017   digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
1018   encapContentInfo EncapsulatedContentInfo,
1019   authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
1020   mac MessageAuthenticationCode,
1021   unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

1023 AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
1024   {{AuthAttributeSet}}

1026 AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
1027   | aa-signingTime, ...}
1028 MessageAuthenticationCode ::= OCTET STRING

1030 UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1031   {{UnauthAttributeSet}}

1033 UnauthAttributeSet ATTRIBUTE ::= {...}

1035 --
1036 -- General algorithm definitions
1037 --

1039 DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1040   {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

1042 DigestAlgorithmSet DIGEST-ALGORITHM ::= {
1043   CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ...
} 1045 SignatureAlgorithmIdentifier ::= AlgorithmIdentifier 1046 {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}} 1048 SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= 1049 { SignatureAlgs, ... } 1051 KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1052 {KEY-WRAP, {KeyEncryptionAlgorithmSet}} 1054 KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... } 1056 ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1057 {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}} 1059 ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= 1060 { ContentEncryptionAlgs, ... } 1062 MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier 1063 {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}} 1065 MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::= 1066 { MessageAuthAlgs, ... } 1068 KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier 1069 {KEY-DERIVATION, {KeyDerivationAlgs, ...}} 1071 RevocationInfoChoices ::= SET OF RevocationInfoChoice 1073 RevocationInfoChoice ::= CHOICE { 1074 crl CertificateList, 1075 ..., 1076 [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } 1078 OTHER-REVOK-INFO ::= TYPE-IDENTIFIER 1080 OtherRevocationInfoFormat ::= SEQUENCE { 1081 otherRevInfoFormat OTHER-REVOK-INFO. 1082 &id({SupportedOtherRevokInfo}), 1083 otherRevInfo OTHER-REVOK-INFO. 1084 &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})} 1086 SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... } 1088 CertificateChoices ::= CHOICE { 1089 certificate Certificate, 1090 extendedCertificate [0] IMPLICIT ExtendedCertificate, 1091 -- Obsolete 1092 ..., 1093 [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]], 1094 -- Obsolete 1095 [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]], 1096 [[5: other [3] IMPLICIT OtherCertificateFormat]] } 1098 AttributeCertificateV2 ::= AttributeCertificate 1100 OTHER-CERT-FMT ::= TYPE-IDENTIFIER 1102 OtherCertificateFormat ::= SEQUENCE { 1103 otherCertFormat OTHER-CERT-FMT. 
1104          &id({SupportedCertFormats}),
1105      otherCert OTHER-CERT-FMT.
1106          &Type({SupportedCertFormats}{@otherCertFormat})}

1108  SupportedCertFormats OTHER-CERT-FMT ::= { ... }

1110  CertificateSet ::= SET OF CertificateChoices

1112  IssuerAndSerialNumber ::= SEQUENCE {
1113      issuer Name,
1114      serialNumber CertificateSerialNumber }

1116  CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

1118  UserKeyingMaterial ::= OCTET STRING

1120  KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
1121  OtherKeyAttribute ::= SEQUENCE {
1122      keyAttrId KEY-ATTRIBUTE.
1123          &id({SupportedKeyAttributes}),
1124      keyAttr KEY-ATTRIBUTE.
1125          &Type({SupportedKeyAttributes}{@keyAttrId})}

1127  SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }

1129  -- Content Type Object Identifiers

1131  id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1132      us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

1134  ct-Data CONTENT-TYPE ::= { IDENTIFIED BY id-data }

1136  id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1137      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

1139  ct-SignedData CONTENT-TYPE ::=
1140      { TYPE SignedData IDENTIFIED BY id-signedData}

1142  id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1143      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

1145  ct-EnvelopedData CONTENT-TYPE ::=
1146      { TYPE EnvelopedData IDENTIFIED BY id-envelopedData}

1148  id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1149      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

1151  ct-DigestedData CONTENT-TYPE ::=
1152      { TYPE DigestedData IDENTIFIED BY id-digestedData}

1154  id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1155      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

1157  ct-EncryptedData CONTENT-TYPE ::=
1158      { TYPE EncryptedData IDENTIFIED BY id-encryptedData}

1160  id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1161      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

1163  ct-AuthenticatedData CONTENT-TYPE ::=
1164      { TYPE AuthenticatedData IDENTIFIED BY id-ct-authData}

1166  id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1167      us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

1169  --
1170  -- The CMS Attributes
1171  --

1173  MessageDigest ::= OCTET STRING

1175  SigningTime ::= Time

1177  Time ::= CHOICE {
1178      utcTime UTCTime,
1179      generalTime GeneralizedTime }

1181  Countersignature ::= SignerInfo

1183  -- Attribute Object Identifiers

1185  aa-contentType ATTRIBUTE ::=
1186      { TYPE ContentType IDENTIFIED BY id-contentType }
1187  id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1188      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

1190  aa-messageDigest ATTRIBUTE ::=
1191      { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
1192  id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1193      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

1195  aa-signingTime ATTRIBUTE ::=
1196      { TYPE SigningTime IDENTIFIED BY id-signingTime }
1197  id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1198      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

1200  aa-countersignature ATTRIBUTE ::=
1201      { TYPE Countersignature IDENTIFIED BY id-countersignature }
1202  id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1203      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

1205  --
1206  -- Obsolete Extended Certificate syntax from PKCS#6
1207  --

1209  ExtendedCertificateOrCertificate ::= CHOICE {
1210      certificate Certificate,
1211      extendedCertificate [0] IMPLICIT ExtendedCertificate }

1213  ExtendedCertificate ::= SEQUENCE {
1214      extendedCertificateInfo ExtendedCertificateInfo,
1215      signatureAlgorithm SignatureAlgorithmIdentifier,
1216      signature Signature }

1218  ExtendedCertificateInfo ::= SEQUENCE {
1219      version CMSVersion,
1220      certificate Certificate,
1221      attributes UnauthAttributes }

1223  Signature ::= BIT STRING

1225  Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
1226      attrType ATTRIBUTE.
1227          &id({AttrList}),
1228      attrValues SET OF ATTRIBUTE.
1229          &Type({AttrList}{@attrType}) }

1231  Attributes { ATTRIBUTE:AttrList } ::=
1232      SET SIZE (1..MAX) OF Attribute {{ AttrList }}

1234  END

1236  10. ASN.1 Module RFC 5752

1238  We have updated the ASN.1 module associated with this document to be
1239  2008 compliant and to use the set of classes previously defined in
1240  [RFC5911].

1242  MultipleSignatures-2009
1243      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1244        smime(16) modules(0) id-mod-multipleSign-2009(59) }
1245  DEFINITIONS IMPLICIT TAGS ::=
1246  BEGIN
1247  -- EXPORTS All
1248  -- The types and values defined in this module are exported for use
1249  -- in the other ASN.1 modules. Other applications may use them for
1250  -- their own purposes.

1252  IMPORTS

1254  -- Imports from PKIX-Common-Types-2009 [RFC5912]

1256  ATTRIBUTE
1257      FROM PKIX-CommonTypes-2009
1258      { iso(1) identified-organization(3) dod(6) internet(1)
1259        security(5) mechanisms(5) pkix(7) id-mod(0)
1260        id-mod-pkixCommon-02(57)}

1262  -- Imports from CryptographicMessageSyntax-2009 [RFC5911]

1264  DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier
1265      FROM CryptographicMessageSyntax-2009
1266      { iso(1) member-body(2) us(840) rsadsi(113549)
1267        pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

1269  -- Imports from ExtendedSecurityServices-2009 [RFC5911]

1271  ESSCertIDv2
1272      FROM ExtendedSecurityServices-2009
1273      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1274        smime(16) modules(0) id-mod-ess-2006-02(42) }
1275  ;

1277  --
1278  -- Section 3.0
1279  --
1280  -- at-multipleSignatures should be added ONLY to the
1281  -- SignedAttributesSet defined in [RFC5652]
1282  --
1283  at-multipleSignatures ATTRIBUTE ::= {
1284      TYPE MultipleSignatures
1285      IDENTIFIED BY id-aa-multipleSignatures
1286  }

1288  id-aa-multipleSignatures OBJECT IDENTIFIER ::= {
1289      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1290      id-aa(2) 51 }

1292  MultipleSignatures ::= SEQUENCE {
1293      bodyHashAlg DigestAlgorithmIdentifier,
1294      signAlg SignatureAlgorithmIdentifier,
1295      signAttrsHash SignAttrsHash,
1296      cert ESSCertIDv2 OPTIONAL
1297  }

1299  SignAttrsHash ::= SEQUENCE {
1300      algID DigestAlgorithmIdentifier,
1301      hash OCTET STRING
1302  }

1304  END

1306  11. Module Identifiers in ASN.1

1308  One potential issue that can occur when updating modules is the fact
1309  that a large number of modules may need to be updated if they import
1310  from a newly updated module. This section addresses one method that
1311  can be used to deal with this problem, but the modules in this
1312  document don't currently implement the solution discussed here.

1314  When looking at an import statement, there are three portions: the
1315  list of items imported, a textual name for the module, and an object
1316  identifier for the module. Full implementations of ASN.1 do module
1317  matching using first the object identifier and, if that is not present,
1318  the textual name of the module. Note, however, that some older
1319  implementations used the textual name of the module for the purposes
1320  of matching. In a full implementation, the name assigned to the
1321  module is scoped to the ASN.1 module that it appears in (and thus
1322  needs to match the module it is importing from).

1324  One can create a module that contains only the module number
1325  assignments and import the module assignments from the new module.
1326  This means that when a module is replaced, one can replace the
1327  previous module, update the module number assignment module, and
1328  recompile without having to modify any other modules.

1330  A sample module assignment module would be:

1332  ModuleNumbers
1333  DEFINITIONS IMPLICIT TAGS ::=
1334  BEGIN
1335      id-mod-CMS OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549)
1336          pkcs(1) pkcs-9(9) smime(16) modules(0) TBD }

1338      id-mod-AlgInfo OBJECT IDENTIFIER ::=
1339          {iso(1) identified-organization(3) dod(6) internet(1)
1340          security(5) mechanisms(5) pkix(7) id-mod(0)
1341          id-mod-algorithmInformation-02(58)}
1342  END

1344  This would be used in the following import statement:

1346  IMPORTS
1347      id-mod-CMS, id-mod-AlgInfo
1348      FROM ModuleNumbers -- Note it will match on the name since no
1349                         -- OID is provided

1351      CMSVersion, EncapsulatedContentInfo, CONTENT-TYPE
1352      FROM CryptographicMessageSyntax-2009
1353          id-mod-CMS

1355      AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
1356      FROM AlgorithmInformation-2009 id-mod-AlgInfo
1357  ;

1359  12. Security Considerations

1361  This document itself does not have any security considerations. The
1362  ASN.1 modules keep the same bits-on-the-wire as the modules that they
1363  replace.

1365  13. IANA Considerations

1367  None.

1369  14. Normative References

1371  [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1372      Requirement Levels", BCP 14, RFC 2119, March 1997.

1374  [RFC3274] Gutmann, P., "Compressed Data Content Type for
1375      Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.

1377  [RFC3379] Pinkas, D. and R. Housley, "Delegated Path Validation and
1378      Delegated Path Discovery Protocol Requirements", RFC 3379,
1379      September 2002.

1381  [RFC4049] Housley, R., "BinaryTime: An Alternate Format for
1382      Representing Date and Time in ASN.1", RFC 4049,
1383      April 2005.

1385  [RFC4073] Housley, R., "Protecting Multiple Contents with the
1386      Cryptographic Message Syntax (CMS)", RFC 4073, May 2005.

1388  [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
1389      224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
1390      RFC 4231, December 2005.

1392  [RFC4334] Housley, R. and T. Moore, "Certificate Extensions and
1393      Attributes Supporting Authentication in Point-to-Point
1394      Protocol (PPP) and Wireless Local Area Networks (WLAN)",
1395      RFC 4334, February 2006.

1397  [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
1398      Authenticated-Enveloped-Data Content Type", RFC 5083,
1399      November 2007.

1401  [RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated
1402      Encryption in the Cryptographic Message Syntax (CMS)",
1403      RFC 5084, November 2007.

1405  [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
1406      RFC 5652, September 2009.

1408  [RFC5752] Turner, S. and J. Schaad, "Multiple Signatures in
1409      Cryptographic Message Syntax (CMS)", RFC 5752,
1410      January 2010.

1412  [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
1413      Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
1414      June 2010.

1416  [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
1417      Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
1418      June 2010.

1420  [ASN1-2008]
1421      ITU-T, "ITU-T Recommendations X.680, X.681, X.682, and
1422      X.683", 2008.

1424  Authors' Addresses

1426  Jim Schaad
1427  Soaring Hawk Consulting

1429  Email: jimsch@augustcellars.com

1431  Sean Turner
1432  IECA, Inc.
1433  3057 Nutley Street, Suite 106
1434  Fairfax, VA 22031

1436  Email: turners@ieca.com