idnits 2.17.00 (12 Aug 2021) /tmp/idnits25246/draft-turner-additional-new-asn-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 12, 2010) is 4177 days in the past. Is this intentional? 
Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'RFC3851' is mentioned on line 187, but not defined ** Obsolete undefined reference: RFC 3851 (Obsoleted by RFC 5751) == Missing Reference: 'RFC5280' is mentioned on line 283, but not defined -- Looks like a reference, but probably isn't: '0' on line 1209 -- Looks like a reference, but probably isn't: '1' on line 1091 -- Looks like a reference, but probably isn't: '2' on line 1093 -- Looks like a reference, but probably isn't: '3' on line 1094 -- Looks like a reference, but probably isn't: '4' on line 913 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Schaad 3 Internet-Draft Soaring Hawk Consulting 4 Intended status: Informational S. Turner 5 Expires: June 15, 2011 IECA, Inc. 6 December 12, 2010 8 Additional New ASN.1 Modules 9 draft-turner-additional-new-asn-06 11 Abstract 13 The Cryptographic Message Syntax (CMS) format, and many associated 14 formats, are expressed using ASN.1. The current ASN.1 modules 15 conform to the 1988 version of ASN.1. This document updates some 16 auxiliary ASN.1 modules to conform to the 2008 version of ASN.1. 17 There are no bits-on-the-wire changes to any of the formats; this is 18 simply a change to the syntax. 20 Status of this Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 
30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on June 15, 2011. 37 Copyright Notice 39 Copyright (c) 2010 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 This document may contain material from IETF Documents or IETF 53 Contributions published or made publicly available before November 54 10, 2008. The person(s) controlling the copyright in some of this 55 material may not have granted the IETF Trust the right to allow 56 modifications of such material outside the IETF Standards Process. 57 Without obtaining an adequate license from the person(s) controlling 58 the copyright in such materials, this document may not be modified 59 outside the IETF Standards Process, and derivative works of it may 60 not be created outside the IETF Standards Process, except to format 61 it for publication as an RFC or to translate it into languages other 62 than English. 64 Table of Contents 66 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 67 1.1. ASN.1 Updates (2002 to 2008) . . . . . . . . . . . . . . . 3 68 1.2. Requirements Terminology . . . . . . . . . . . . . . . . . 4 69 2. ASN.1 Module RFC 3274 . . . . . . 
. . . . . . . . . . . . . . 5 70 3. ASN.1 Module RFC 3779 . . . . . . . . . . . . . . . . . . . . 8 71 4. ASN.1 Module RFC 6019 . . . . . . . . . . . . . . . . . . . . 11 72 5. ASN.1 Module RFC 4073 . . . . . . . . . . . . . . . . . . . . 13 73 6. ASN.1 Module RFC 4231 . . . . . . . . . . . . . . . . . . . . 15 74 7. ASN.1 Module RFC 4334 . . . . . . . . . . . . . . . . . . . . 18 75 8. ASN.1 Module RFC 5083 . . . . . . . . . . . . . . . . . . . . 20 76 9. ASN.1 Module RFC 5652 . . . . . . . . . . . . . . . . . . . . 22 77 10. ASN.1 Module RFC 5752 . . . . . . . . . . . . . . . . . . . . 33 78 11. Module Identifiers in ASN.1 . . . . . . . . . . . . . . . . . 35 79 12. Security Considerations . . . . . . . . . . . . . . . . . . . 37 80 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 81 14. Normative References . . . . . . . . . . . . . . . . . . . . . 39 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41 84 1. Introduction 86 Some developers would like the IETF to use the latest version of 87 ASN.1 in its standards. Most of the RFCs that relate to security 88 protocols still use ASN.1 from the 1988 standard, which has been 89 deprecated. This is particularly true for the standards that relate 90 to PKIX, CMS, and S/MIME. 92 In this document we have either changed the syntax to use the 2008 93 ASN.1 standard, or done some updates from previous conversions: 95 RFC 3274, Compressed Data Content Type for Cryptographic Message 96 Syntax (CMS) [RFC3274]. 98 RFC 3779, X.509 Extensions for IP Addresses and AS Identifiers 99 [RFC3779]. 101 RFC 6019, BinaryTime: An Alternate Format for Representing Date 102 and Time in ASN.1 [RFC6019]. 104 RFC 4073, Protecting Multiple Contents with the Cryptographic 105 Message Syntax (CMS) [RFC4073]. 107 RFC 4231, Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA- 108 256, HMAC-SHA-384, and HMAC-SHA-512 [RFC4231]. 
110 RFC 4334, Certificate Extensions and Attributes Supporting 111 Authentication in Point-to-Point Protocol (PPP) and Wireless Local 112 Area Networks (WLAN) [RFC4334]. 114 RFC 5083, Cryptographic Message Syntax (CMS) Authenticated- 115 Enveloped-Data Content Type [RFC5083]. 117 RFC 5652, Cryptographic Message Syntax (CMS) [RFC5652]. 119 RFC 5752, Multiple Signatures in Cryptographic Message Syntax 120 (CMS) [RFC5752]. 122 Note that some of the modules in this document get some of their 123 definitions from places different than the modules in the original 124 RFCs. The idea is that these modules, when combined with the modules 125 in [RFC5912] and [RFC5911], can stand on their own and do not need to 126 import definitions from anywhere else. 128 1.1. ASN.1 Updates (2002 to 2008) 130 The modules defined in this document are compatible with the most 131 current ASN.1 specification published in 2008 (see [ASN1-2008]). The 132 changes between the 2002 specification and the 2008 specification 133 include the creation of some additional pre-defined types (DATE, 134 DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE-OID-IRI, TIME, 135 TIME-OF-DAY) and the ability to define different encoding rules 136 (ENCODING-CONTROL, INSTRUCTIONS). None of the newly defined tokens 137 are currently used in any of the ASN.1 specifications published here. 139 1.2. Requirements Terminology 141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 143 document are to be interpreted as described in [RFC2119]. 145 2. ASN.1 Module RFC 3274 147 We have updated the ASN.1 module associated with this document to be 148 2008 compliant and to use the set of classes previously defined in 149 [RFC5911]. 
151 CompressedDataContent 152 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 153 smime(16) modules(0) id-mod-compressedDataContent(54) } 155 DEFINITIONS IMPLICIT TAGS ::= 156 BEGIN 158 IMPORTS 159 CMSVersion, EncapsulatedContentInfo, 160 CONTENT-TYPE 161 FROM CryptographicMessageSyntax-2009 162 { iso(1) member-body(2) us(840) rsadsi(113549) 163 pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } 165 AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions 166 FROM AlgorithmInformation-2009 167 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 168 mechanisms(5) pkix(7) id-mod(0) 169 id-mod-algorithmInformation-02(58)} 170 ; 172 -- 173 -- ContentTypes contains the set of content types that are 174 -- defined in this module. 175 -- 176 -- The contents of ContentTypes should be added to 177 -- ContentSet defined in [RFC5652] 178 -- 180 ContentTypes CONTENT-TYPE ::= {ct-compressedData} 182 -- 183 -- SMimeCaps contains the set of S/MIME capabilities that 184 -- are associated with the algorithms defined in this 185 -- document. 186 -- 187 -- SMimeCaps are added to SMimeCapsSet defined in [RFC3851]. 188 -- 190 SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps} 192 -- 193 -- Define the compressed data content type 194 -- 196 ct-compressedData CONTENT-TYPE ::= { 197 TYPE CompressedData IDENTIFIED BY id-ct-compressedData 198 } 200 CompressedData ::= SEQUENCE { 201 version CMSVersion (v0), -- Always set to 0 202 compressionAlgorithm CompressionAlgorithmIdentifier, 203 encapContentInfo EncapsulatedContentInfo 204 } 206 CompressionAlgorithmIdentifier ::= 207 AlgorithmIdentifier{COMPRESS-ALGORITHM, {CompressAlgorithmSet}} 209 CompressAlgorithmSet COMPRESS-ALGORITHM ::= { 210 cpa-zlibCompress, ... 
211 } 213 -- Algorithm Identifiers 215 id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2) 216 us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 } 218 cpa-zlibCompress COMPRESS-ALGORITHM ::= { 219 IDENTIFIER id-alg-zlibCompress 220 PARAMS TYPE NULL ARE preferredAbsent 221 SMIME-CAPS {IDENTIFIED BY id-alg-zlibCompress} 222 } 224 -- Content Type Object Identifiers 226 id-ct-compressedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 227 us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 9 } 229 -- 230 -- Class defined for compression algorithms 231 -- 233 COMPRESS-ALGORITHM ::= CLASS { 234 &id OBJECT IDENTIFIER UNIQUE, 235 &Params OPTIONAL, 236 &paramPresence ParamOptions DEFAULT absent, 237 &smimeCaps SMIME-CAPS OPTIONAL 238 } 239 WITH SYNTAX { 240 IDENTIFIER &id 242 [PARAMS [TYPE &Params] ARE &paramPresence] 243 [SMIME-CAPS &smimeCaps] 244 } 246 END 248 3. ASN.1 Module RFC 3779 250 We have updated the ASN.1 module associated with RFC 3779 to be ASN.1 251 2008 compliant and to use the set of classes previously defined in 252 [RFC5912]. 
254 IPAddrAndASCertExtn { iso(1) identified-organization(3) dod(6) 255 internet(1) security(5) mechanisms(5) pkix(7) mod(0) 256 id-mod-ip-addr-and-as-ident-2(72) } 257 DEFINITIONS EXPLICIT TAGS ::= 258 BEGIN 259 EXPORTS ALL; 261 IMPORTS 263 -- PKIX specific OIDs and arcs -- 264 id-pe 265 FROM PKIX1Explicit-2009 266 { iso(1) identified-organization(3) dod(6) internet(1) 267 security(5) mechanisms(5) pkix(7) id-mod(0) 268 id-mod-pkix1-explicit-02(51)} 270 EXTENSION 271 FROM PKIX-CommonTypes-2009 272 { iso(1) identified-organization(3) dod(6) internet(1) 273 security(5) mechanisms(5) pkix(7) id-mod(0) 274 id-mod-pkixCommon-02(57)} 275 ; 277 -- 278 -- Extensions contains the set of extensions defined in this 279 -- module 280 -- 281 -- These are intended to be placed in public key certificates 282 -- and thus should be added to the CertExtensions extension 283 -- set in PKIXImplicit-2009 defined for [RFC5280] 284 -- 286 Extensions EXTENSION ::= { 287 ext-pe-ipAddrBlocks | ext-pe-autonomousSysIds 288 } 290 -- IP Address Delegation Extension OID -- 292 ext-pe-ipAddrBlocks EXTENSION ::= { 293 SYNTAX IPAddrBlocks 294 IDENTIFIED BY id-pe-ipAddrBlocks 295 } 296 id-pe-ipAddrBlocks OBJECT IDENTIFIER ::= { id-pe 7 } 298 -- IP Address Delegation Extension Syntax -- 300 IPAddrBlocks ::= SEQUENCE OF IPAddressFamily 302 IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI -- 303 addressFamily OCTET STRING (SIZE (2..3)), 304 ipAddressChoice IPAddressChoice } 306 IPAddressChoice ::= CHOICE { 307 inherit NULL, -- inherit from issuer -- 308 addressesOrRanges SEQUENCE OF IPAddressOrRange } 310 IPAddressOrRange ::= CHOICE { 311 addressPrefix IPAddress, 312 addressRange IPAddressRange } 314 IPAddressRange ::= SEQUENCE { 315 min IPAddress, 316 max IPAddress } 318 IPAddress ::= BIT STRING 320 -- Autonomous System Identifier Delegation Extension OID -- 322 ext-pe-autonomousSysIds EXTENSION ::= { 323 SYNTAX ASIdentifiers 324 IDENTIFIED BY id-pe-autonomousSysIds 325 } 327 id-pe-autonomousSysIds 
OBJECT IDENTIFIER ::= { id-pe 8 } 329 -- Autonomous System Identifier Delegation Extension Syntax -- 331 ASIdentifiers ::= SEQUENCE { 332 asnum [0] ASIdentifierChoice OPTIONAL, 333 rdi [1] ASIdentifierChoice OPTIONAL } 334 (WITH COMPONENTS {..., asnum PRESENT} | 335 WITH COMPONENTS {..., rdi PRESENT}) 337 ASIdentifierChoice ::= CHOICE { 338 inherit NULL, -- inherit from issuer -- 339 asIdsOrRanges SEQUENCE OF ASIdOrRange } 341 ASIdOrRange ::= CHOICE { 342 id ASId, 343 range ASRange } 345 ASRange ::= SEQUENCE { 346 min ASId, 347 max ASId } 349 ASId ::= INTEGER 351 END 353 4. ASN.1 Module RFC 6019 355 We have updated the ASN.1 module associated with this document to be 356 2008 compliant and to use the set of classes previously defined in 357 [RFC5911]. 359 BinarySigningTimeModule-2009 360 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 361 pkcs-9(9) smime(16) modules(0) 362 id-mod-binSigningTime-2009(55) } 363 DEFINITIONS IMPLICIT TAGS ::= 364 BEGIN 365 IMPORTS 367 -- From PKIX-CommonTypes-2009 [RFC5912] 369 ATTRIBUTE 370 FROM PKIX-CommonTypes-2009 371 { iso(1) identified-organization(3) dod(6) internet(1) 372 security(5) mechanisms(5) pkix(7) id-mod(0) 373 id-mod-pkixCommon-02(57) } 374 ; 376 -- 377 -- BinaryTime Definition 378 -- 379 -- BinaryTime contains the number of seconds since 380 -- midnight Jan 1, 1970 UTC. 381 -- Leap seconds are EXCLUDED from the computation. 382 -- 384 BinaryTime ::= INTEGER (0..MAX) 386 -- 387 -- Signing Binary Time Attribute 388 -- 389 -- The binary signing time should be added to 390 -- SignedAttributeSet and tAuthenticatedAttributeSet 391 -- in CMS [RFC5652] and to AuthEnvDataAttributeSet 392 -- in [RFC5083]. 393 -- 395 aa-binarySigningTime ATTRIBUTE ::= { 396 TYPE BinarySigningTime 397 IDENTIFIED BY id-aa-binarySigningTime } 399 id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1) 400 member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 401 smime(16) aa(2) 46 } 403 BinarySigningTime ::= BinaryTime 405 END 407 5. 
ASN.1 Module RFC 4073 409 We have updated the ASN.1 module associated with this document to be 410 2008 compliant and to use the set of classes previously defined in 411 [RFC5911]. 413 ContentCollectionModule-2009 414 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 415 pkcs-9(9) smime(16) modules(0) id-mod-context-Collect-2009(56) } 416 DEFINITIONS IMPLICIT TAGS ::= 417 BEGIN 418 IMPORTS 420 -- From CryptographicMessageSyntax-2009 [RFC5911] 422 CONTENT-TYPE, ContentInfo 423 FROM CryptographicMessageSyntax-2009 424 { iso(1) member-body(2) us(840) rsadsi(113549) 425 pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } 427 AttributeSet{}, ATTRIBUTE 428 FROM PKIX-CommonTypes-2009 429 { iso(1) identified-organization(3) dod(6) internet(1) 430 security(5) mechanisms(5) pkix(7) id-mod(0) 431 id-mod-pkixCommon-02(57) } 432 ; 434 -- 435 -- An object set of all content types defined by this module. 436 -- This is to be added to ContentSet in the CMS module 437 -- 439 ContentSet CONTENT-TYPE ::= { 440 ct-ContentCollection | ct-ContentWithAttributes, ... 
441 } 443 -- 444 -- Content Collection Content Type and Object Identifier 445 -- 447 ct-ContentCollection CONTENT-TYPE ::= { 448 TYPE ContentCollection IDENTIFIED BY id-ct-contentCollection } 450 id-ct-contentCollection OBJECT IDENTIFIER ::= { 451 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 452 smime(16) ct(1) 19 } 454 ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo 455 -- 456 -- Content With Attributes Content Type and Object Identifier 457 -- 459 ct-ContentWithAttributes CONTENT-TYPE ::= { 460 TYPE ContentWithAttributes IDENTIFIED BY id-ct-contentWithAttrs } 462 id-ct-contentWithAttrs OBJECT IDENTIFIER ::= { 463 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 464 smime(16) ct(1) 20 } 466 ContentWithAttributes ::= SEQUENCE { 467 content ContentInfo, 468 attrs SEQUENCE SIZE (1..MAX) OF AttributeSet 469 {{ ContentAttributeSet }} 470 } 472 ContentAttributeSet ATTRIBUTE ::= { ... } 473 END 475 6. ASN.1 Module RFC 4231 477 RFC 4231 does not contain an ASN.1 module to be updated. We have 478 therefore created an ASN.1 module to represent the ASN.1 that is 479 present in the document. Note that the parameters are defined as 480 expecting a parameter for the algorithm identifiers in this module; 481 this is different from most of the algorithms used in PKIX and 482 S/MIME. There is no concept of being able to truncate the MAC 483 (Message Authentication Code) value in the ASN.1, unlike the XML 484 definitions. This is reflected by not having a minimum MAC length 485 defined in the ASN.1. 
487 HMAC { iso(1) identified-organization(3) dod(6) internet(1) 488 security(5) mechanisms(5) pkix(7) mod(0) id-mod-hmac(74) } 489 DEFINITIONS EXPLICIT TAGS ::= 490 BEGIN 491 EXPORTS ALL; 493 IMPORTS 495 MAC-ALGORITHM, SMIME-CAPS 496 FROM AlgorithmInformation-2009 497 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 498 mechanisms(5) pkix(7) id-mod(0) 499 id-mod-algorithmInformation-02(58)}; 501 -- 502 -- This object set contains all of the MAC algorithms that are 503 -- defined in this module. 504 -- One would add it to a constraining set of objects such as the 505 -- MessageAuthenticationCodeAlgorithmSet in [RFC5652] 506 -- 508 MessageAuthAlgs MAC-ALGORITHM ::= { 509 maca-hMAC-SHA224 | 510 maca-hMAC-SHA256 | 511 maca-hMAC-SHA384 | 512 maca-hMAC-SHA512 513 } 515 -- 516 -- This object set contains all of the S/MIME capabilities that 517 -- have been defined for all the MAC algorithms in this module. 518 -- One would add this to an object set that is used to restrict 519 -- smime capabilities such as the SMimeCapsSet variable in 520 -- the S/MIME message draft 521 -- 522 SMimeCaps SMIME-CAPS ::= { 523 maca-hMAC-SHA224.&smimeCaps | 524 maca-hMAC-SHA256.&smimeCaps | 525 maca-hMAC-SHA384.&smimeCaps | 526 maca-hMAC-SHA512.&smimeCaps 527 } 529 -- 530 -- Define the base OID for the algorithm identifiers 531 -- 533 rsadsi OBJECT IDENTIFIER ::= 534 {iso(1) member-body(2) us(840) rsadsi(113549)} 536 digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2} 538 -- 539 -- Define the necessary algorithm identifiers 540 -- 542 id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8} 543 id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9} 544 id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10} 545 id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11} 547 -- 548 -- Define each of the MAC-ALGORITHM objects to describe the 549 -- algorithms defined 550 -- 552 maca-hMAC-SHA224 MAC-ALGORITHM ::= { 553 IDENTIFIER id-hmacWithSHA224 554 PARAMS TYPE 
NULL ARE preferredPresent 555 IS-KEYED-MAC TRUE 556 SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA224} 557 } 559 maca-hMAC-SHA256 MAC-ALGORITHM ::= { 560 IDENTIFIER id-hmacWithSHA256 561 PARAMS TYPE NULL ARE preferredPresent 562 IS-KEYED-MAC TRUE 563 SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA256} 564 } 566 maca-hMAC-SHA384 MAC-ALGORITHM ::= { 567 IDENTIFIER id-hmacWithSHA384 568 PARAMS TYPE NULL ARE preferredPresent 569 IS-KEYED-MAC TRUE 570 SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA384} 571 } 573 maca-hMAC-SHA512 MAC-ALGORITHM ::= { 574 IDENTIFIER id-hmacWithSHA512 575 PARAMS TYPE NULL ARE preferredPresent 576 IS-KEYED-MAC TRUE 577 SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA512} 578 } 580 END 582 7. ASN.1 Module RFC 4334 584 We have updated the ASN.1 module associated with RFC 4334 to be ASN.1 585 2008 compliant and to use the set of classes previously defined in 586 [RFC5912]. 588 WLANCertExtn 589 { iso(1) identified-organization(3) dod(6) internet(1) 590 security(5) mechanisms(5) pkix(7) id-mod(0) 591 id-mod-wlan-extns-2(73) } 593 DEFINITIONS IMPLICIT TAGS ::= 594 BEGIN 595 EXPORTS ALL; 597 IMPORTS 599 EXTENSION, ATTRIBUTE 600 FROM PKIX-CommonTypes-2009 601 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 602 mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} 604 id-pe, id-kp 605 FROM PKIX1Explicit-2009 606 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 607 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} 609 id-aca 610 FROM PKIXAttributeCertificate-2009 611 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 612 mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)} 614 ; 616 -- Extended Key Usage Values 618 KeyUsageValues OBJECT IDENTIFIER ::= { 619 id-kp-eapOverPPP | id-kp-eapOverLAN 620 } 622 id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 } 624 id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 } 626 -- Wireless LAN SSID Extension 627 ext-pe-wlanSSID EXTENSION ::= { 628 SYNTAX SSIDList 629 
IDENTIFIED BY id-pe-wlanSSID 630 CRITICALITY {FALSE} 631 } 633 id-pe-wlanSSID OBJECT IDENTIFIER ::= { id-pe 13 } 635 SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID 637 SSID ::= OCTET STRING (SIZE (1..32)) 639 -- Wireless LAN SSID Attribute Certificate Attribute 640 -- Uses same syntax as the certificate extension: SSIDList 642 at-aca-wlanSSID ATTRIBUTE ::= { 643 TYPE SSIDList 644 IDENTIFIED BY id-aca-wlanSSID 645 } 647 id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 7 } 649 END 651 8. ASN.1 Module RFC 5083 653 This module is updated from RFC 5911 [RFC5911] by the following 654 changes: 656 1. Define separate attribute sets for the unprotected attributes 657 used in EnvelopedData, EncryptedData and 658 AuthenticatedEnvelopedData (RFC 5083). 660 2. Define a parameterized type EncryptedContentInfoType so that the 661 basic type can be used with different algorithm sets (used for 662 EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC 663 5083)). The parameterized type is assigned to an unparameterized 664 type of EncryptedContentInfo to minimize the output changes from 665 previous versions. 667 Protocol designers can make use of the '08 ASN.1 constraints to define 668 different sets of attributes for EncryptedData and EnvelopedData and 669 for AuthenticatedData and AuthEnvelopedData. Previously, attributes 670 could only be constrained based on whether they were in the clear or 671 unauthenticated, not on the encapsulating content type. 
673 CMS-AuthEnvelopedData-2009 674 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 675 smime(16) modules(0) id-mod-cmsAuthEnvData-2009(57) } 676 DEFINITIONS IMPLICIT TAGS ::= 677 BEGIN 678 IMPORTS 680 CMSVersion, EncryptedContentInfoType{}, 681 MessageAuthenticationCode, OriginatorInfo, RecipientInfos, 682 CONTENT-TYPE, Attributes{}, ATTRIBUTE, CONTENT-ENCRYPTION, 683 AlgorithmIdentifier{}, 684 aa-signingTime, aa-messageDigest, aa-contentType 685 FROM CryptographicMessageSyntax-2009 686 { iso(1) member-body(2) us(840) rsadsi(113549) 687 pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } 689 ContentEncryptionAlgs 690 FROM CMS-AES-CCM-and-AES-GCM-2009 691 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 692 pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) } 693 ; 695 ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... } 697 ct-authEnvelopedData CONTENT-TYPE ::= { 698 TYPE AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData 700 } 702 id-ct-authEnvelopedData OBJECT IDENTIFIER ::= 703 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 704 smime(16) ct(1) 23} 706 AuthEnvelopedData ::= SEQUENCE { 707 version CMSVersion, 708 originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, 709 recipientInfos RecipientInfos, 710 authEncryptedContentInfo EncryptedContentInfo, 711 authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, 712 mac MessageAuthenticationCode, 713 unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL 714 } 716 EncryptedContentInfo ::= 717 EncryptedContentInfoType { AuthContentEncryptionAlgorithmIdentifier } 719 AuthContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 720 {CONTENT-ENCRYPTION, {AuthContentEncryptionAlgorithmSet}} 722 AuthContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= { 723 ContentEncryptionAlgs, ...} 725 AuthAttributes ::= Attributes{{AuthEnvDataAttributeSet}} 727 UnauthAttributes ::= Attributes{{UnauthEnvDataAttributeSet}} 729 AuthEnvDataAttributeSet ATTRIBUTE ::= { 730 
aa-contentType | aa-messageDigest | aa-signingTime, ... } 732 UnauthEnvDataAttributeSet ATTRIBUTE ::= {...} 734 END 736 9. ASN.1 Module RFC 5652 738 This module is updated from RFC 5911 [RFC5911] by the following 739 changes: 741 1. Define separate attribute sets for the unprotected attributes 742 used in EnvelopedData, EncryptedData and 743 AuthenticatedEnvelopedData (RFC 5083). 745 2. Define a parameterized type EncryptedContentInfoType so that the 746 basic type can be used with algorithm sets (used for 747 EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC 748 5083)). The parameterized type is assigned to an unparameterized 749 type of EncryptedContentInfo to minimize the output changes from 750 previous versions. 752 We are anticipating the definition of attributes that are going to be 753 restricted to the use of only EnvelopedData. We are therefore 754 separating the different attribute sets so that protocol designers 755 that need to do this will be able to define attributes that are used 756 for EnvelopedData but not for EncryptedData. The same separation is 757 also being applied to AuthenticatedData and AuthEnvelopedData. 
759 CryptographicMessageSyntax-2009 760 { iso(1) member-body(2) us(840) rsadsi(113549) 761 pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } 762 DEFINITIONS IMPLICIT TAGS ::= 763 BEGIN 764 IMPORTS 766 ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, 767 PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, 768 KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, 769 AlgorithmIdentifier{} 770 FROM AlgorithmInformation-2009 771 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 772 mechanisms(5) pkix(7) id-mod(0) 773 id-mod-algorithmInformation-02(58)} 775 SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs, 776 MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs, 777 KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys 778 FROM CryptographicMessageSyntaxAlgorithms-2009 779 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 780 smime(16) modules(0) id-mod-cmsalg-2001-02(37) } 782 Certificate, CertificateList, CertificateSerialNumber, 783 Name, ATTRIBUTE 785 FROM PKIX1Explicit-2009 786 { iso(1) identified-organization(3) dod(6) internet(1) 787 security(5) mechanisms(5) pkix(7) id-mod(0) 788 id-mod-pkix1-explicit-02(51) } 790 AttributeCertificate 791 FROM PKIXAttributeCertificate-2009 792 { iso(1) identified-organization(3) dod(6) internet(1) 793 security(5) mechanisms(5) pkix(7) id-mod(0) 794 id-mod-attribute-cert-02(47) } 796 AttributeCertificateV1 797 FROM AttributeCertificateVersion1-2009 798 { iso(1) identified-organization(3) dod(6) internet(1) 799 security(5) mechanisms(5) pkix(7) id-mod(0) 800 id-mod-v1AttrCert-02(49) } ; 802 -- Cryptographic Message Syntax 804 -- The following are used for version numbers using the ASN.1 805 -- idiom "[[n:" 806 -- Version 1 = PKCS #7 807 -- Version 2 = S/MIME V2 808 -- Version 3 = RFC 2630 809 -- Version 4 = RFC 3369 810 -- Version 5 = RFC 3852 812 CONTENT-TYPE ::= CLASS { 813 &id OBJECT IDENTIFIER UNIQUE, 814 &Type OPTIONAL 815 } WITH SYNTAX { 816 [TYPE &Type] IDENTIFIED BY &id 
817   }

819   ContentType ::= CONTENT-TYPE.&id

821   ContentInfo ::= SEQUENCE {
822       contentType CONTENT-TYPE.
823           &id({ContentSet}),
824       content [0] EXPLICIT CONTENT-TYPE.
825           &Type({ContentSet}{@contentType})}

827   ContentSet CONTENT-TYPE ::= {
828       -- Define the set of content types to be recognized.
829       ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
830       ct-AuthenticatedData | ct-DigestedData, ... }

832   SignedData ::= SEQUENCE {
833       version CMSVersion,
834       digestAlgorithms SET OF DigestAlgorithmIdentifier,
835       encapContentInfo EncapsulatedContentInfo,
836       certificates [0] IMPLICIT CertificateSet OPTIONAL,
837       crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
838       signerInfos SignerInfos }

840   SignerInfos ::= SET OF SignerInfo

842   EncapsulatedContentInfo ::= SEQUENCE {
843       eContentType CONTENT-TYPE.&id({ContentSet}),
844       eContent [0] EXPLICIT OCTET STRING
845           ( CONTAINING CONTENT-TYPE.
846               &Type({ContentSet}{@eContentType})) OPTIONAL }

848   SignerInfo ::= SEQUENCE {
849       version CMSVersion,
850       sid SignerIdentifier,
851       digestAlgorithm DigestAlgorithmIdentifier,
852       signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
853       signatureAlgorithm SignatureAlgorithmIdentifier,
854       signature SignatureValue,
855       unsignedAttrs [1] IMPLICIT Attributes
856           {{UnsignedAttributes}} OPTIONAL }

858   SignedAttributes ::= Attributes {{ SignedAttributesSet }}

860   SignerIdentifier ::= CHOICE {
861       issuerAndSerialNumber IssuerAndSerialNumber,
862       ...,
863       [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

865   SignedAttributesSet ATTRIBUTE ::=
866       { aa-signingTime | aa-messageDigest | aa-contentType, ... }

868   UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

870   SignatureValue ::= OCTET STRING

872   EnvelopedData ::= SEQUENCE {
873       version CMSVersion,
874       originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
875       recipientInfos RecipientInfos,
876       encryptedContentInfo EncryptedContentInfo,
877       ...,
878       [[2: unprotectedAttrs [1] IMPLICIT Attributes
879           {{ UnprotectedEnvAttributes }} OPTIONAL ]] }

881   OriginatorInfo ::= SEQUENCE {
882       certs [0] IMPLICIT CertificateSet OPTIONAL,
883       crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

885   RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

887   EncryptedContentInfo ::=
888       EncryptedContentInfoType { ContentEncryptionAlgorithmIdentifier }

890   EncryptedContentInfoType { AlgorithmIdentifierType } ::= SEQUENCE {
891       contentType CONTENT-TYPE.&id({ContentSet}),
892       contentEncryptionAlgorithm AlgorithmIdentifierType,
893       encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }

895   -- If you want to do constraints, you might use:
896   -- EncryptedContentInfo ::= SEQUENCE {
897   --     contentType CONTENT-TYPE.&id({ContentSet}),
898   --     contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
899   --     encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
900   --         &Type({ContentSet}{@contentType}) OPTIONAL }
901   -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
902   --     { ToBeEncrypted } )

904   UnprotectedEnvAttributes ATTRIBUTE ::= { ... }
905   UnprotectedEncAttributes ATTRIBUTE ::= { ... }

907   RecipientInfo ::= CHOICE {
908       ktri KeyTransRecipientInfo,
909       ...,
910       [[3: kari [1] KeyAgreeRecipientInfo ]],
911       [[4: kekri [2] KEKRecipientInfo]],
912       [[5: pwri [3] PasswordRecipientInfo,
913           ori [4] OtherRecipientInfo ]] }

915   EncryptedKey ::= OCTET STRING

917   KeyTransRecipientInfo ::= SEQUENCE {
918       version CMSVersion, -- always set to 0 or 2
919       rid RecipientIdentifier,
920       keyEncryptionAlgorithm AlgorithmIdentifier
921           {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
922       encryptedKey EncryptedKey }

924   KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

926   RecipientIdentifier ::= CHOICE {
927       issuerAndSerialNumber IssuerAndSerialNumber,
928       ...,
929       [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
930   KeyAgreeRecipientInfo ::= SEQUENCE {
931       version CMSVersion, -- always set to 3
932       originator [0] EXPLICIT OriginatorIdentifierOrKey,
933       ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
934       keyEncryptionAlgorithm AlgorithmIdentifier
935           {KEY-AGREE, {KeyAgreementAlgorithmSet}},
936       recipientEncryptedKeys RecipientEncryptedKeys }

938   KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

940   OriginatorIdentifierOrKey ::= CHOICE {
941       issuerAndSerialNumber IssuerAndSerialNumber,
942       subjectKeyIdentifier [0] SubjectKeyIdentifier,
943       originatorKey [1] OriginatorPublicKey }

945   OriginatorPublicKey ::= SEQUENCE {
946       algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
947       publicKey BIT STRING }

949   OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }

951   RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

953   RecipientEncryptedKey ::= SEQUENCE {
954       rid KeyAgreeRecipientIdentifier,
955       encryptedKey EncryptedKey }

957   KeyAgreeRecipientIdentifier ::= CHOICE {
958       issuerAndSerialNumber IssuerAndSerialNumber,
959       rKeyId [0] IMPLICIT RecipientKeyIdentifier }

961   RecipientKeyIdentifier ::= SEQUENCE {
962       subjectKeyIdentifier SubjectKeyIdentifier,
963       date GeneralizedTime OPTIONAL,
964       other OtherKeyAttribute OPTIONAL }

966   SubjectKeyIdentifier ::= OCTET STRING

968   KEKRecipientInfo ::= SEQUENCE {
969       version CMSVersion, -- always set to 4
970       kekid KEKIdentifier,
971       keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
972       encryptedKey EncryptedKey }

974   KEKIdentifier ::= SEQUENCE {
975       keyIdentifier OCTET STRING,
976       date GeneralizedTime OPTIONAL,
977       other OtherKeyAttribute OPTIONAL }
978   PasswordRecipientInfo ::= SEQUENCE {
979       version CMSVersion, -- always set to 0
980       keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
981           OPTIONAL,
982       keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
983       encryptedKey EncryptedKey }

985   OTHER-RECIPIENT ::= TYPE-IDENTIFIER

987   OtherRecipientInfo ::= SEQUENCE {
988       oriType OTHER-RECIPIENT.
989           &id({SupportedOtherRecipInfo}),
990       oriValue OTHER-RECIPIENT.
991           &Type({SupportedOtherRecipInfo}{@oriType})}

993   SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

995   DigestedData ::= SEQUENCE {
996       version CMSVersion,
997       digestAlgorithm DigestAlgorithmIdentifier,
998       encapContentInfo EncapsulatedContentInfo,
999       digest Digest, ... }

1001   Digest ::= OCTET STRING

1003   EncryptedData ::= SEQUENCE {
1004       version CMSVersion,
1005       encryptedContentInfo EncryptedContentInfo,
1006       ...,
1007       [[2: unprotectedAttrs [1] IMPLICIT Attributes
1008           {{UnprotectedEncAttributes}} OPTIONAL ]] }

1010   AuthenticatedData ::= SEQUENCE {
1011       version CMSVersion,
1012       originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1013       recipientInfos RecipientInfos,
1014       macAlgorithm MessageAuthenticationCodeAlgorithm,
1015       digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
1016       encapContentInfo EncapsulatedContentInfo,
1017       authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
1018       mac MessageAuthenticationCode,
1019       unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

1021   AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
1022       {{AuthAttributeSet}}

1024   AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
1025       | aa-signingTime, ...}
1026   MessageAuthenticationCode ::= OCTET STRING

1028   UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1029       {{UnauthAttributeSet}}

1031   UnauthAttributeSet ATTRIBUTE ::= {...}

1033   --
1034   -- General algorithm definitions
1035   --

1037   DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1038       {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

1040   DigestAlgorithmSet DIGEST-ALGORITHM ::= {
1041       CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }

1043   SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
1044       {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}

1046   SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
1047       { SignatureAlgs, ... }

1049   KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1050       {KEY-WRAP, {KeyEncryptionAlgorithmSet}}

1052   KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }

1054   ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1055       {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}

1057   ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
1058       { ContentEncryptionAlgs, ... }

1060   MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
1061       {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}

1063   MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
1064       { MessageAuthAlgs, ... }

1066   KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
1067       {KEY-DERIVATION, {KeyDerivationAlgs, ...}}

1069   RevocationInfoChoices ::= SET OF RevocationInfoChoice

1071   RevocationInfoChoice ::= CHOICE {
1072       crl CertificateList,
1073       ...,
1074       [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1076   OTHER-REVOK-INFO ::= TYPE-IDENTIFIER

1078   OtherRevocationInfoFormat ::= SEQUENCE {
1079       otherRevInfoFormat OTHER-REVOK-INFO.
1080           &id({SupportedOtherRevokInfo}),
1081       otherRevInfo OTHER-REVOK-INFO.
1082           &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}

1084   SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }

1086   CertificateChoices ::= CHOICE {
1087       certificate Certificate,
1088       extendedCertificate [0] IMPLICIT ExtendedCertificate,
1089           -- Obsolete
1090       ...,
1091       [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
1092           -- Obsolete
1093       [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
1094       [[5: other [3] IMPLICIT OtherCertificateFormat]] }

1096   AttributeCertificateV2 ::= AttributeCertificate

1098   OTHER-CERT-FMT ::= TYPE-IDENTIFIER

1100   OtherCertificateFormat ::= SEQUENCE {
1101       otherCertFormat OTHER-CERT-FMT.
1102           &id({SupportedCertFormats}),
1103       otherCert OTHER-CERT-FMT.
1104           &Type({SupportedCertFormats}{@otherCertFormat})}

1106   SupportedCertFormats OTHER-CERT-FMT ::= { ... }

1108   CertificateSet ::= SET OF CertificateChoices

1110   IssuerAndSerialNumber ::= SEQUENCE {
1111       issuer Name,
1112       serialNumber CertificateSerialNumber }

1114   CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

1116   UserKeyingMaterial ::= OCTET STRING

1118   KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
1119   OtherKeyAttribute ::= SEQUENCE {
1120       keyAttrId KEY-ATTRIBUTE.
1121           &id({SupportedKeyAttributes}),
1122       keyAttr KEY-ATTRIBUTE.
1123           &Type({SupportedKeyAttributes}{@keyAttrId})}

1125   SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }

1127   -- Content Type Object Identifiers

1129   id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1130       us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

1132   ct-Data CONTENT-TYPE ::= { IDENTIFIED BY id-data }

1134   id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1135       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

1137   ct-SignedData CONTENT-TYPE ::=
1138       { TYPE SignedData IDENTIFIED BY id-signedData}

1140   id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1141       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

1143   ct-EnvelopedData CONTENT-TYPE ::=
1144       { TYPE EnvelopedData IDENTIFIED BY id-envelopedData}

1146   id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1147       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

1149   ct-DigestedData CONTENT-TYPE ::=
1150       { TYPE DigestedData IDENTIFIED BY id-digestedData}

1152   id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1153       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

1155   ct-EncryptedData CONTENT-TYPE ::=
1156       { TYPE EncryptedData IDENTIFIED BY id-encryptedData}

1158   id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1159       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

1161   ct-AuthenticatedData CONTENT-TYPE ::=
1162       { TYPE AuthenticatedData IDENTIFIED BY id-ct-authData}
1164   id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1165       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

1167   --
1168   -- The CMS Attributes
1169   --

1171   MessageDigest ::= OCTET STRING

1173   SigningTime ::= Time

1175   Time ::= CHOICE {
1176       utcTime UTCTime,
1177       generalTime GeneralizedTime }

1179   Countersignature ::= SignerInfo

1181   -- Attribute Object Identifiers

1183   aa-contentType ATTRIBUTE ::=
1184       { TYPE ContentType IDENTIFIED BY id-contentType }
1185   id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1186       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

1188   aa-messageDigest ATTRIBUTE ::=
1189       { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
1190   id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1191       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

1193   aa-signingTime ATTRIBUTE ::=
1194       { TYPE SigningTime IDENTIFIED BY id-signingTime }
1195   id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1196       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

1198   aa-countersignature ATTRIBUTE ::=
1199       { TYPE Countersignature IDENTIFIED BY id-countersignature }
1200   id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1201       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

1203   --
1204   -- Obsolete Extended Certificate syntax from PKCS#6
1205   --

1207   ExtendedCertificateOrCertificate ::= CHOICE {
1208       certificate Certificate,
1209       extendedCertificate [0] IMPLICIT ExtendedCertificate }

1211   ExtendedCertificate ::= SEQUENCE {
1212       extendedCertificateInfo ExtendedCertificateInfo,
1213       signatureAlgorithm SignatureAlgorithmIdentifier,
1214       signature Signature }

1216   ExtendedCertificateInfo ::= SEQUENCE {
1217       version CMSVersion,
1218       certificate Certificate,
1219       attributes UnauthAttributes }

1221   Signature ::= BIT STRING

1223   Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
1224       attrType ATTRIBUTE.
1225           &id({AttrList}),
1226       attrValues SET OF ATTRIBUTE.
1227           &Type({AttrList}{@attrType}) }

1229   Attributes { ATTRIBUTE:AttrList } ::=
1230       SET SIZE (1..MAX) OF Attribute {{ AttrList }}

1232   END

1234 10. ASN.1 Module RFC 5752

1236   We have updated the ASN.1 module associated with this document to be
1237   2008 compliant and to use the set of classes previously defined in
1238   [RFC5911].

1240   MultipleSignatures-2009
1241       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1242       smime(16) modules(0) id-mod-multipleSign-2009(59) }
1243   DEFINITIONS IMPLICIT TAGS ::=
1244   BEGIN
1245   -- EXPORTS All
1246   -- The types and values defined in this module are exported for use
1247   -- in the other ASN.1 modules. Other applications may use them for
1248   -- their own purposes.

1250   IMPORTS

1252   -- Imports from PKIX-Common-Types-2009 [RFC5912]

1254   ATTRIBUTE
1255       FROM PKIX-CommonTypes-2009
1256       { iso(1) identified-organization(3) dod(6) internet(1)
1257       security(5) mechanisms(5) pkix(7) id-mod(0)
1258       id-mod-pkixCommon-02(57)}

1260   -- Imports from CryptographicMessageSyntax-2009 [RFC5911]

1262   DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier
1263       FROM CryptographicMessageSyntax-2009
1264       { iso(1) member-body(2) us(840) rsadsi(113549)
1265       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

1267   -- Imports from ExtendedSecurityServices-2009 [RFC5911]

1269   ESSCertIDv2
1270       FROM ExtendedSecurityServices-2009
1271       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1272       smime(16) modules(0) id-mod-ess-2006-02(42) }
1273   ;

1275   --
1276   -- Section 3.0
1277   --
1278   -- at-multipleSignatures should be added ONLY to the
1279   -- SignedAttributesSet defined in [RFC5652]
1280   --
1281   at-multipleSignatures ATTRIBUTE ::= {
1282       TYPE MultipleSignatures
1283       IDENTIFIED BY id-aa-multipleSignatures
1284   }

1286   id-aa-multipleSignatures OBJECT IDENTIFIER ::= {
1287       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1288       id-aa(2) 51 }

1290   MultipleSignatures ::= SEQUENCE {
1291       bodyHashAlg DigestAlgorithmIdentifier,
1292       signAlg SignatureAlgorithmIdentifier,
1293       signAttrsHash SignAttrsHash,
1294       cert ESSCertIDv2 OPTIONAL
1295   }

1297   SignAttrsHash ::= SEQUENCE {
1298       algID DigestAlgorithmIdentifier,
1299       hash OCTET STRING
1300   }

1302   END

1304 11. Module Identifiers in ASN.1

1306   One potential issue that can occur when updating modules is the fact
1307   that a large number of modules may need to be updated if they import
1308   from a newly updated module. This section addresses one method that
1309   can be used to deal with this problem, but the modules in this
1310   document don't currently implement the solution discussed here.

1312   When looking at an import statement, there are three portions: the
1313   list of items imported, a textual name for the module and an object
1314   identifier for the module. Full implementations of ASN.1 do module
1315   matching using first the object identifier and if that is not present
1316   the textual name of the module. Note however that some older
1317   implementations used the textual name of the module for the purposes
1318   of matching. In a full implementation the name assigned to the
1319   module is scoped to the ASN.1 module that it appears in (and thus
1320   needs to match the module it is importing from).

1322   One can create a module that contains only the module number
1323   assignments and import the module assignments from the new module.
1324   This means that when a module is replaced, one can replace the
1325   previous module, update the module number assignment module and
1326   recompile without having to modify any other modules.
1328   A sample module assignment module would be:

1330   ModuleNumbers
1331   DEFINITIONS TAGS ::=
1332   BEGIN
1333       id-mod-CMS ::= { iso(1) member-body(2) us(840) rsadsi(113549)
1334           pkcs(1) pkcs-9(9) smime(16) modules(0) TBD }

1336       id-mod-AlgInfo ::=
1337           {iso(1) identified-organization(3) dod(6) internet(1)
1338           security(5) mechanisms(5) pkix(7) id-mod(0)
1339           id-mod-algorithmInformation-02(58)}
1340   END

1342   This would be used in the following import statement:

1344   IMPORTS
1345       id-mod-CMS, id-mod-AlgInfo
1346       FROM ModuleNumbers -- Note it will match on the name since no
1347                          -- OID is provided

1349       CMSVersion, EncapsulatedContentInfo, CONTENT-TYPE
1350       FROM CryptographicMessageSyntax-2009
1351           id-mod-CMS

1353       AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
1354       FROM AlgorithmInformation-2009 id-mod-AlgInfo
1355   ;

1357 12. Security Considerations

1359   This document itself does not have any security considerations. The
1360   ASN.1 modules keep the same bits-on-the-wire as the modules that they
1361   replace.

1363 13. IANA Considerations

1365   None.

1367 14. Normative References

1369   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1370       Requirement Levels", BCP 14, RFC 2119, March 1997.

1372   [RFC3274] Gutmann, P., "Compressed Data Content Type for
1373       Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.

1375   [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
1376       Addresses and AS Identifiers", RFC 3779, June 2004.

1378   [RFC6019] Housley, R., "BinaryTime: An Alternate Format for
1379       Representing Date and Time in ASN.1", RFC 6019,
1380       September 2010.

1382   [RFC4073] Housley, R., "Protecting Multiple Contents with the
1383       Cryptographic Message Syntax (CMS)", RFC 4073, May 2005.

1385   [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
1386       224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
1387       RFC 4231, December 2005.

1389   [RFC4334] Housley, R. and T. Moore, "Certificate Extensions and
1390       Attributes Supporting Authentication in Point-to-Point
1391       Protocol (PPP) and Wireless Local Area Networks (WLAN)",
1392       RFC 4334, February 2006.

1394   [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
1395       Authenticated-Enveloped-Data Content Type", RFC 5083,
1396       November 2007.

1398   [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
1399       RFC 5652, September 2009.

1401   [RFC5752] Turner, S. and J. Schaad, "Multiple Signatures in
1402       Cryptographic Message Syntax (CMS)", RFC 5752,
1403       January 2010.

1405   [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
1406       Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
1407       June 2010.

1409   [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
1410       Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
1411       June 2010.

1413   [ASN1-2008]
1414       ITU-T, "ITU-T Recommendations X.680, X.681, X.682, and
1415       X.683", 2008.

1417 Authors' Addresses

1419   Jim Schaad
1420   Soaring Hawk Consulting

1422   Email: jimsch@augustcellars.com

1424   Sean Turner
1425   IECA, Inc.
1426   3057 Nutley Street, Suite 106
1427   Fairfax, VA 22031

1429   Email: turners@ieca.com