cryptlib.asn

提供了很多种加密算法和CA认证及相关服务如CMP、OCSP等的开发

	fileReference		INTEGER					-- Reference to user file
	}

UserIndex ::= SEQUENCE OF UserIndexEntry

UserInfo ::= SEQUENCE {
	role				ENUMERATED,				-- SO/user/CA
	iD					OCTET STRING SIZE(16),	-- User ID
	creatorID			OCTET STRING SIZE(16),	-- Creating SO's ID
	name				UTF8String,				-- User name
	}

// Other user data, has to be stored elsewhere
//	state				ENUMERATED,				-- SO inited/user inited/locked
//	encSecKey			EncryptedData OPTIONAL	-- (Used for CAs)

PKCS15OidDO ::= SEQUENCE {
	type				OBJECT IDENTIFIER,
	value				ANY DEFINED BY type	-- ConfigOptions/UserIndex/UserInfo
	}

PKCS15Data ::= CHOICE {
	oidDO			[1]	PKCS15Object { PKCS15CommonDataObjectAttributes,
									   NULL,
									   PKCS15OidDO }
	}

-/ Overall object wrappers. The tagging is [n] PKCS15Objects.foo
   [0] PKCS15ObjectValue.objects /-

PrivateKeys ::= [0][0] SEQUENCE OF PKCS15PrivateKey
PublicKeys ::= [1][0] SEQUENCE OF PKCS15PublicKey
SecretKeys ::= [3][0] SEQUENCE OF PKCS15SecretKey
Certificates ::= [4][0] SEQUENCE OF PKCS15Certificate
DataObjects ::= [7][0] SEQUENCE OF PKCS15Data

------------------------------------------------------------------------------
--																			--
--								User/Config Info							--
--																			--
------------------------------------------------------------------------------

-/ User information /-

-/ PKI user information needed for CMP /-

userData ::= SEQUENCE {
	name				Name,					-- Name for CMP
	encAlgo				AlgorithmIdentifier,	-- Algo to encrypt passwords
	encPW				OCTET STRING,			-- Encrypted passwords
	attributes			Attributes
	}

userPW ::= SEQUENCE {
	issuePW				OCTET STRING SIZE(11),	-- Password for ir
	revPW				OCTET STRING SIZE(11)	-- Password for rr
	}

------------------------------------------------------------------------------
--																			--
--										Misc								--
--																			--
------------------------------------------------------------------------------

-/ OCSP /-

OCSPRequest ::= SEQUENCE {
						SEQUENCE {			-- tbsRequest
	version			[0]	EXPLICIT INTEGER DEFAULT 0,
											-- Must be 1 if !certID used
	reqName			[1]	EXPLICIT ... OPTIONAL
											-- Ignored
						SEQUENCE {			-- requestList
						SEQUENCE {			-- request
						SEQUENCE {			-- certID
	hashAlgo			AlgorithmIdentifier,
	iNameHash			OCTET STRING,		-- Hash of issuerName
	iKeyHash			OCTET STRING,		-- Hash of issuer SPKI w/o tag+len
	serialNo			INTEGER
					}
or
	issuerAndSerial	[0]	EXPLICIT IssuerAndSerialNumber
or
	certificate		[1]	EXPLICIT Certificate
or
	certHash		[2] EXPLICIT OCTET STRING
				}
			}
						...					-- Ignored
		}
	}

OCSPResponse ::= {
	respStatus			ENUMERATED,			-- 0 = OK
	respBytes		[0]	EXPLICIT SEQUENCE {
		respType		OBJECT IDENTIFIER,	-- id-pkix-ocsp-basic
		resp			OCTET STRING {
						SEQUENCE {			-- basicOCSPResponse
						SEQUENCE {			-- tbsRespData
			version [0] EXPLICIT ... OPTIONAL,-- Ignored
			respID		...,				-- Ignored
			producedAt	...,				-- Ignored
			responses	SEQUENCE {
						SEQUENCE {			-- singleResponse
				certID	...,				-- Ignored
				certStatus [0] EXPLICIT = OK, else !OK
						...					-- Ignored
						}
					}
						...					-- Ignored
				}
		sigAlgo			AlgorithmIdentifier,
		signature		BIT STRING
			}
		}
	}

-/ Timestamping /-

TSARequest ::= SEQUENCE {
	version				INTEGER (1),
	msgImprint			SEQUENCE {
		algorithm		AlgorithmIdentifier,
		hash			OCTET STRING
		},
	policy				OBJECT IDENTIFIER OPTIONAL,
											-- Ignored
	nonce				INTEGER OPTIONAL,	-- Copy to output if present
	includeSigCerts		BOOLEAN DEFAULT FALSE,
											-- Include signer certs if set
	extensions		[0]	Extensions OPTIONAL	-- Reject if present
	}

TSAResponse ::= SEQUENCE {
	status				SEQUENCE {
		status			INTEGER,			-- 0 = OK
						... OPTIONAL
		},
	timeStamp			ContentInfo
	}

TSTInfo ::= SEQUENCE {
	version				INTEGER (1),
	policy				OBJECT IDENTIFIER,
	msgImprint			SEQUENCE { ... }	-- From request
	serialNo			INTEGER,			-- Unique value
	genTime				GeneralizedTime,	-- Current time
	nonce				INTEGER OPTIONAL	-- From input if present
	}

-/ LDAP /-

BindReq ::= SEQUENCE {						-- RFC 1777, 4.1
	msgID				INTEGER (0),
				[APP 0]	SEQUENCE {
		version			INTEGER (2),
		name			OCTET STRING SIZE(0),
		authent		[0]	OCTET STRING SIZE(0)
		}
	}

BindResp ::= SEQUENCE {						-- RFC 1777, 4.2
	msgID				INTEGER (0),
				[APP 1]	SEQUENCE {
		result			ENUMBERATED (0),	-- 0 = OK
		dummy			OCTET STRING,
		errMsg			OCTET STRING		-- May be zero-length
		}
	}

SearchReq ::= SEQUENCE {					-- RFC 1777, 4.3
	msgID				INTEGER (0),
				[APP 3]	SEQUENCE {
		object			OCTET STRING,		-- DN
		scope			ENUMERATED (0),
		derefAliases	ENUMERATED (3),
		maxEntries		INTEGER (1),
		timeLimit		INTEGER (timeout),
		attrsOnly		BOOLEAN (FALSE),
		filter		[7]	OCTET STRING ("objectClass"),
		attrs			SEQUENCE {
			type		OCTET STRING ("userCertificate")
				}
			}
		}

SearchResp ::= SEQUENCE {					-- RFC 1777, 4.3
	msgID				INTEGER (0),
				[APP 4]	SEQUENCE {			-- Final resp as BindResult but
		objName			OCTET STRING,		-- with tag [APP 5]
		attrs			SEQUENCE {
						SEQUENCE {
			type		OCTET STRING,
						SET {
				value	OCTET STRING,
						...
						}
					}
						...
				}
	}

UnbindReq ::= SEQUENCE {					-- RFC 1777, 4.2
	msgID				INTEGER (0),
				[APP 2]	NULL
	}

------------------------------------------------------------------------------
--																			--
--						Certificate Mismanagement Protocol					--
--																			--
------------------------------------------------------------------------------

-/ "If an undergraduate student handed this in as an assignment I'd fail them
	on the grounds that it shows a complete lack of understanding of the
	principles of workable protocol design" /-

xxxRequest ::= SEQUENCE {					-- ir/cr/kur, 3.3.1/3.3.3/3.3.5
	header				SEQUENCE {			--	Profile = B8
		version			INTEGER (2),
		sender		[4]	EXPLICIT DirectoryName,	-- DN of subject
		recipient	[4]	EXPLICIT DirectoryName,	-- DN of CA
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2] EXPLICIT OCTET STRING,
		transID		[4] EXPLICIT OCTET STRING SIZE (16),	-- Random
		nonce		[5] EXPLICIT OCTET STRING SIZE (16),	-- Random
		},
	body			[0]	EXPLICIT SEQUENCE {	-- [2] in cr, [7] in kur
		certReqMsg		SEQUENCE {			-- RFC 2510
						SEQUENCE {
			cReqID		INTEGER (0),
			cTemplate	SEQUENCE {
				validity[1] TIME OPTIONAL,
				subject	[5] EXPLICIT Name,
				pubKey	[6] SubjectPublicKeyInfo,
				exts	[9] Extensions OPTIONAL
						}
					},
		pop			[1] EXPLICIT Signature	-- From X.509, for sig.key
or		pop			[2] EXPLICIT [1] EXPLICIT INTEGER (0)
											-- For encr-only key
				}
			}
		},
	protection		[0]	EXPLICIT BIT STRING	-- ir = MAC, cr/kur = SIG
	}

xxxResponse ::= SEQUENCE {					-- ip/cp/kup, 3.3.2/3.3.4/3.3.6
	header				SEQUENCE {			--	Profile = B8
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
		nonceX		[5] EXPLICIT OCTET STRING SIZE (16),-- Needed in CertConf
		...
		},
	body			[1] EXPLICIT SEQUENCE {			-- [3] in cp, [8] in kup
		caPubs		[1] EXPLICIT SEQUENCE {...} OPTIONAL,-- Ignored
		response		SEQUENCE {
						SEQUENCE {
			certReqID	INTEGER (0),
			status		SEQUENCE {			-- PKIStatusInfo, 3.2.3
				status	INTEGER,
				statusStr SEQUENCE OF UTF8String OPTIONAL,
				failInfo BIT STRING OPTIONAL
				},
			certKeyPair	SEQUENCE {			-- If status == 0 or 1
				cert[0]	EXPLICIT Certificate,
or				encCert						-- For encr-only key
					[1] EXPLICIT EncryptedCert,
						...					-- Ignored
					}
				}
			}
		},
	protection		[0]	EXPLICIT BIT STRING	-- ip = MAC, cp/kup = SIG
	}

CertConf ::= SEQUENCE {						-- 3.3.18, profile = B8
	header				SEQUENCE {
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
		nonce		[5] EXPLICIT OCTET STRING SIZE (16),-- Random
		nonceX		[6] EXPLICIT OCTET STRING SIZE (16),-- Copied from InitResp
						...					-- Ignored
		},
	body		   [24]	EXPLICIT SEQUENCE {
						SEQUENCE {
		certHash		OCTET STRING
		certReqID		INTEGER (0),
			}
		},
	protection		[0]	EXPLICIT BIT STRING	-- ix = MAC, cx/kux = SIG
	}

Conf ::= SEQUENCE {							-- 3.3.17, profile = B8
	header				SEQUENCE {
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
						...					-- Ignored
		},
	body		   [19]	EXPLICIT SEQUENCE {
						NULL
		},
	protection		[0]	EXPLICIT BIT STRING	-- ix = MAC, cx/kux = SIG
	}

RevRequest ::= SEQUENCE {					-- rr, 3.3.9
	header				SEQUENCE {
		version			INTEGER (2),
		sender		[4]	EXPLICIT DirectoryName,	-- DN of subject
		recipient	[4]	EXPLICIT DirectoryName,	-- DN of CA
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2] EXPLICIT OCTET STRING,
		transID		[4] EXPLICIT OCTET STRING SIZE (16),	-- Random
		nonce		[5] EXPLICIT OCTET STRING SIZE (16),	-- Random
		},
	body		   [11]	EXPLICIT SEQUENCE {
		revDetails		SEQUENCE {
			cTemplate	SEQUENCE {			-- RFC 2510
				serial	[1] INTEGER,
				issuer	[3] EXPLICIT NAME
						},
			crlEntries	Extensions OPTIONAL
					}
				},
	protection		[0]	EXPLICIT BIT STRING	-- MAC or SIG
	}

RevResponse ::= SEQUENCE {					-- rp, 3.3.10
	header				SEQUENCE {
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
						...					-- Ignored
		},
	body		   [12]	EXPLICIT SEQUENCE {
		status			SEQUENCE {
						SEQUENCE {			-- PKIStatusInfo, 3.2.3
			status		INTEGER,
			statusStr	SEQUENCE OF UTF8String OPTIONAL,
			failInfo	BIT STRING OPTIONAL
						},
						...					-- Ignored
					}
						...					-- Ignored
			},
	protection		[0]	EXPLICIT BIT STRING	-- MAC or SIG
	}

Error ::= SEQUENCE {						-- 3.3.21
	header				SEQUENCE {
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (sigAlgo),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
						...					-- Ignored
		},
	body		   [23]	EXPLICIT SEQUENCE {
						SEQUENCE {
		status			INTEGER,
						SEQUENCE {
			statusMsg	UTF8String,
						...					-- Ignored
						} OPTIONAL,
		failInfo		BIT STRING OPTIONAL
						},
		errorCode		INTEGER OPTIONAL,
						SEQUENCE {
			errorMsg	UTF8String,
						...					-- Ignored
						} OPTIONAL
					},
	protection		[0]	EXPLICIT BIT STRING	-- SIG
	}

-/ The MAC information used when the protection is a MAC /-

MacInfo ::= SEQUENCE {
	algoID				OBJECT IDENTIFIER (entrustMAC),
	algoParams			SEQUENCE {
		salt			OCTET STRING,
		pwHashAlgo		AlgorithmIdentifier (SHA-1),
		iterations		INTEGER,
		macAlgo			AlgorithmIdentifier (HMAC-SHA1)
		}
	}

-/ The encrypted data when the cert is returned encrypted /-

EncryptedCert ::= SEQUENCE {
	dummy			[0]	... OPTIONAL,		-- Ignored
	cekAlg			[1]	AlgorithmIdentifier,-- CEK algorithm
	encCEK			[2]	BIT STRING,			-- Encrypted CEK
	dummy			[3]	... OPTIONAL,		-- Ignored
	dummy			[4] ... OPTIONAL,		-- Ignored
	encData			BIT STRING
	}

END