📄 cryptlib.asn
字号:
}
PKCS15Data ::= CHOICE {
oidDO [1] PKCS15Object { PKCS15CommonDataObjectAttributes,
NULL,
PKCS15OidDO }
}
-/ Overall object wrappers. The tagging is [n] PKCS15Objects.foo
[0] PKCS15ObjectValue.objects /-
PrivateKeys ::= [0][0] SEQUENCE OF PKCS15PrivateKey
PublicKeys ::= [1][0] SEQUENCE OF PKCS15PublicKey
SecretKeys ::= [3][0] SEQUENCE OF PKCS15SecretKey
Certificates ::= [4][0] SEQUENCE OF PKCS15Certificate
DataObjects ::= [7][0] SEQUENCE OF PKCS15Data
------------------------------------------------------------------------------
-- --
-- User/Config Info --
-- --
------------------------------------------------------------------------------
-/ User information /-
-/ PKI user information needed for CMP. The attributes always include an
sKID (to uniquely identify the user info) and optionally additional
template attributes that are applied to certificate(s) created for this
user. The dual use of the attributes is somewhat ugly, in theory we
could split the two into attributes required for PKI user management and
attributes to apply to the issued certificate, but because the only one
that's used for user management is the sKID it's easier to special-case
it in the cert handling code /-
userData ::= SEQUENCE {
name Name, -- Name for CMP
encAlgo AlgorithmIdentifier, -- Algo to encrypt passwords
encPW OCTET STRING, -- Encrypted passwords
attributes Attributes
}
userPW ::= SEQUENCE {
issuePW OCTET STRING SIZE(11), -- Password for ir
revPW OCTET STRING SIZE(11) -- Password for rr
}
------------------------------------------------------------------------------
-- --
-- Misc --
-- --
------------------------------------------------------------------------------
-/ OCSP /-
OCSPRequest ::= SEQUENCE {
SEQUENCE { -- tbsRequest
version [0] EXPLICIT INTEGER DEFAULT 0,
-- Must be 1 if !certID used
reqName [1] EXPLICIT ... OPTIONAL
-- Ignored
SEQUENCE { -- requestList
SEQUENCE { -- request
certID CertID,
}
},
reqExts [2] EXPLICIT Extensions OPTIONAL
},
signature [0] EXPLICIT SEQUENCE {
sigAlgo AlgorithmIdentifier,
sig BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
} OPTIONAL
}
OCSPResponse ::= {
respStatus ENUMERATED, -- 0 = OK
respBytes [0] EXPLICIT SEQUENCE {
respType OBJECT IDENTIFIER, -- id-pkix-ocsp-basic
resp OCTET STRING {
SEQUENCE { -- basicOCSPResponse
SEQUENCE { -- tbsRespData
version [0] EXPLICIT ... OPTIONAL,-- Ignored
respID ..., -- Ignored
producedAt ..., -- Ignored
responses SEQUENCE {
SEQUENCE { -- singleResponse
certID ..., -- Ignored
certStatus [0] EXPLICIT = OK, else !OK
... -- Ignored
}
},
respExts[0] EXPLICIT Extensions OPTIONAL
}
sigAlgo AlgorithmIdentifier,
signature BIT STRING
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
}
}
}
}
OCSPCryptlibResponse ::= {
respStatus ENUMERATED, -- 0 = OK
respBytes [0] EXPLICIT SEQUENCE {
respType OBJECT IDENTIFIER, -- cryptlibOcspBasic
resp OCTET STRING {
SEQUENCE { -- rtcsResponse
SEQUENCE { -- tbsRespData
responses SEQUENCE {
SEQUENCE { -- singleResponse
certHash
OCTET STRING SIZE(20),
status BOOLEAN
}
},
respExts Extensions OPTIONAL
}
sigAlgo AlgorithmIdentifier OPTIONAL,
signature BIT STRING OPTIONAL,
certs [0] SEQUENCE OF Certificate OPTIONAL
}
}
}
}
CertID ::= CHOICE {
certID SEQUENCE {
hashAlgo AlgorithmIdentifier,
iNameHash OCTET STRING, -- Hash of issuerName
iKeyHash OCTET STRING, -- Hash of issuer SPKI w/o tag+len
serialNo INTEGER
},
issuerAndSerial [0] IssuerAndSerialNumber,
certificate [1] Certificate,
certHash [2] OCTET STRING
}
-/ Timestamping /-
TSARequest ::= SEQUENCE {
version INTEGER (1),
msgImprint SEQUENCE {
algorithm AlgorithmIdentifier,
hash OCTET STRING
},
policy OBJECT IDENTIFIER OPTIONAL,
-- Ignored
nonce INTEGER OPTIONAL, -- Copy to output if present
includeSigCerts BOOLEAN DEFAULT FALSE,
-- Include signer certs if set
extensions [0] Extensions OPTIONAL -- Reject if present
}
TSAResponse ::= SEQUENCE {
status SEQUENCE {
status INTEGER, -- 0 = OK
... OPTIONAL
},
timeStamp ContentInfo
}
TSTInfo ::= SEQUENCE {
version INTEGER (1),
policy OBJECT IDENTIFIER,
msgImprint SEQUENCE { ... } -- From request
serialNo INTEGER, -- Unique value
genTime GeneralizedTime, -- Current time
nonce INTEGER OPTIONAL -- From input if present
}
-/ PKCS #12 /-
PFX ::= SEQUENCE {
version INTEGER (3),
authSafe SEQUENCE {
contentType OBJECT IDENTIFIER id-Data,
content [0] EXPLICIT OCTET STRING {
safeConts SEQUENCE {
SEQUENCE {
contentType
OBJECT IDENTIFIER id-Data,
content
[0] EXPLICIT OCTET STRING {
safeContents
SEQUENCE OF PKCS12Bag
}
}
}
}
}
macData SEQUENCE {
mac SEQUENCE {
algorithm AlgorithmIdentifier,
mac OCTET STRING
}
macSalt OCTET STRING,
iterations INTEGER DEFAULT 1
}
}
PKCS12CertBag ::= SEQUENCE {
bagId OBJECT IDENTIFIER certBag,
bagValue [0] EXPLICIT SEQUENCE {
certId OBJECT IDENTIFIER x509Certificate,
certValue [0] EXPLICIT OCTET STRING {
cert Certificate
}
}
bagAttributes SET OF Attribute
}
PKCS12KeyBag ::= SEQUENCE {
bagId OBJECT IDENTIFIER pkcs8ShroudedKeyBag,
bagValue [0] EXPLICIT SEQUENCE {
encryptionAlgo SEQUENCE {
algo OBJECT IDENTIFIER pbeWithSHAAnd2-KeyTripleDES-CBC,
pbeParams SEQUENCE {
salt OCTET STRING SIZE 16),
iters INTEGER (1000)
}
}
encryptedData OCTET STRING
}
bagAttributes SET OF Attribute
}
------------------------------------------------------------------------------
-- --
-- Certificate Mismanagement Protocol --
-- --
------------------------------------------------------------------------------
-/ "If an undergraduate student handed this in as an assignment I'd fail them
on the grounds that it shows a complete lack of understanding of the
principles of workable protocol design" /-
xxxRequest ::= SEQUENCE { -- ir/cr/kur, 3.3.1/3.3.3/3.3.5
header SEQUENCE { -- Profile = B8
version INTEGER (2),
sender [4] EXPLICIT DirectoryName, -- DN of subject
recipient [4] EXPLICIT DirectoryName, -- DN of CA
protAlgo [1] EXPLICIT AlgorithmIdentifier (PBMac),
protKeyID [2] EXPLICIT OCTET STRING,
transID [4] EXPLICIT OCTET STRING SIZE (16), -- Random
nonce [5] EXPLICIT OCTET STRING SIZE (16), -- Random
},
body [0] EXPLICIT SEQUENCE { -- [2] in cr, [7] in kur
certReqMsg SEQUENCE { -- RFC 2510
SEQUENCE {
cReqID INTEGER (0),
cTemplate SEQUENCE {
validity[1] TIME OPTIONAL,
subject [5] EXPLICIT Name,
pubKey [6] SubjectPublicKeyInfo,
exts [9] Extensions OPTIONAL
}
},
pop [1] EXPLICIT Signature -- From X.509, for sig.key
or pop [2] EXPLICIT [1] INTEGER (0)
-- For encr-only key
}
}
},
protection [0] EXPLICIT BIT STRING -- ir = MAC, cr/kur = SIG
}
xxxResponse ::= SEQUENCE { -- ip/cp/kup, 3.3.2/3.3.4/3.3.6
header SEQUENCE { -- Profile = B8
version INTEGER (2),
sender SEQUENCE {...}, -- Ignored
recipient SEQUENCE {...}, -- Ignored
messageTime [0] ... OPTIONAL, -- Ignored
protAlgo [1] EXPLICIT AlgorithmIdentifier (PBMac),
protKeyID [2] EXPLICIT OCTET STRING, -- Must match previous
transID [4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
nonceX [5] EXPLICIT OCTET STRING SIZE (16),-- Needed in CertConf
...
},
body [1] EXPLICIT SEQUENCE { -- [3] in cp, [8] in kup
caPubs [1] EXPLICIT SEQUENCE {...} OPTIONAL,-- Ignored
response SEQUENCE {
SEQUENCE {
certReqID INTEGER (0),
status SEQUENCE { -- PKIStatusInfo, 3.2.3
status INTEGER,
statusStr SEQUENCE OF UTF8String OPTIONAL,
failInfo BIT STRING OPTIONAL
},
certKeyPair SEQUENCE { -- If status == 0 or 1
cert[0] EXPLICIT Certificate,
or encCert -- For encr-only key
[1] EXPLICIT EncryptedCert,
... -- Ignored
}
}
}
},
protection [0] EXPLICIT BIT STRING -- ip = MAC, cp/kup = SIG
}
CertConf ::= SEQUENCE { -- 3.3.18, profile = B8
header SEQUENCE {
version INTEGER (2),
sender SEQUENCE {...}, -- Ignored
recipient SEQUENCE {...}, -- Ignored
messageTime [0] ... OPTIONAL, -- Ignored
protAlgo [1] EXPLICIT AlgorithmIdentifier (PBMac),
protKeyID [2] EXPLICIT OCTET STRING, -- Must match previous
transID [4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
nonce [5] EXPLICIT OCTET STRING SIZE (16),-- Random
nonceX [6] EXPLICIT OCTET STRING SIZE (16),-- Copied from InitResp
... -- Ignored
},
body [24] EXPLICIT SEQUENCE {
SEQUENCE {
certHash OCTET STRING
certReqID INTEGER (0),
}
},
protection [0] EXPLICIT BIT STRING -- ix = MAC, cx/kux = SIG
}
Conf ::= SEQUENCE { -- 3.3.17, profile = B8
header SEQUENCE {
version INTEGER (2),
sender SEQUENCE {...}, -- Ignored
recipient SEQUENCE {...}, -- Ignored
messageTime [0] ... OPTIONAL, -- Ignored
protAlgo [1] EXPLICIT AlgorithmIdentifier (PBMac),
protKeyID [2] EXPLICIT OCTET STRING, -- Must match previous
transID [4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
... -- Ignored
},
body [19] EXPLICIT SEQUENCE {
NULL
},
protection [0] EXPLICIT BIT STRING -- ix = MAC, cx/kux = SIG
}
RevRequest ::= SEQUENCE { -- rr, 3.3.9
header SEQUENCE {
version INTEGER (2),
sender [4] EXPLICIT DirectoryName, -- DN of subject
recipient [4] EXPLICIT DirectoryName, -- DN of CA
protAlgo [1] EXPLICIT AlgorithmIdentifier (PBMac),
protKeyID [2] EXPLICIT OCTET STRING,
transID [4] EXPLICIT OCTET STRING SIZE (16), -- Random
nonce [5] EXPLICIT OCTET STRING SIZE (16), -- Random
},
body [11] EXPLICIT SEQUENCE {
revDetails SEQUENCE {
cTemplate SEQUENCE { -- RFC 2510
serial [1] INTEGER,
issuer [3] EXPLICIT NAME
},
crlEntries Extensions OPTIONAL
}
},
protection [0] EXPLICIT BIT STRING -- MAC or SIG
}
RevResponse ::= SEQUENCE { -- rp, 3.3.10
header SEQUENCE {
version INTEGER (2),
sender SEQUENCE {...}, -- Ignored
recipient SEQUENCE {...}, -- Ignored
messageTime [0] ... OPTIONAL, -- Ignored
protAlgo [1] EXPLICIT AlgorithmIdentifier (PBMac),
protKeyID [2] EXPLICIT OCTET STRING, -- Must match previous
transID [4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
... -- Ignored
},
body [12] EXPLICIT SEQUENCE {
status SEQUENCE {
SEQUENCE { -- PKIStatusInfo, 3.2.3
status INTEGER,
statusStr SEQUENCE OF UTF8String OPTIONAL,
failInfo BIT STRING OPTIONAL
},
... -- Ignored
}
... -- Ignored
},
protection [0] EXPLICIT BIT STRING -- MAC or SIG
}
GenMsg ::= SEQUENCE { -- 3.3.19/3.3.20
header SEQUENCE {
version INTEGER (2),
sender SEQUENCE {...}, -- Ignored
recipient SEQUENCE {...}, -- Ignored
messageTime [0] ... OPTIONAL, -- Ignored
protAlgo [1] EXPLICIT AlgorithmIdentifier (sigAlgo),
protKeyID [2] EXPLICIT OCTET STRING, -- Must match previous
transID [4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
... -- Ignored
},
body [21] EXPLICIT SEQUENCE OF {
SEQUENCE {
infoType OBJECT IDENTIFIER,
intoValue ANY DEFINED BY infoType OPTIONAL
}
},
protection [0] EXPLICIT BIT STRING -- MAC or SIG
}
Error ::= SEQUENCE { -- 3.3.21
header SEQUENCE {
version INTEGER (2),
sender SEQUENCE {...}, -- Ignored
recipient SEQUENCE {...}, -- Ignored
messageTime [0] ... OPTIONAL, -- Ignored
protAlgo [1] EXPLICIT AlgorithmIdentifier (sigAlgo),
protKeyID [2] EXPLICIT OCTET STRING, -- Must match previous
transID [4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
... -- Ignored
},
body [23] EXPLICIT SEQUENCE {
SEQUENCE {
status INTEGER,
SEQUENCE {
statusMsg UTF8String,
... -- Ignored
} OPTIONAL,
failInfo BIT STRING OPTIONAL
},
errorCode INTEGER OPTIONAL,
SEQUENCE {
errorMsg UTF8String,
... -- Ignored
} OPTIONAL
},
protection [0] EXPLICIT BIT STRING -- SIG
}
-/ The MAC information used when the protection is a MAC /-
MacInfo ::= SEQUENCE {
algoID OBJECT IDENTIFIER (entrustMAC),
algoParams SEQUENCE {
salt OCTET STRING,
pwHashAlgo AlgorithmIdentifier (SHA-1),
iterations INTEGER,
macAlgo AlgorithmIdentifier (HMAC-SHA1)
}
}
-/ The encrypted data when the cert is returned encrypted /-
EncryptedCert ::= SEQUENCE {
dummy [0] ... OPTIONAL, -- Ignored
cekAlg [1] AlgorithmIdentifier,-- CEK algorithm
encCEK [2] BIT STRING, -- Encrypted CEK
dummy [3] ... OPTIONAL, -- Ignored
dummy [4] ... OPTIONAL, -- Ignored
encData BIT STRING
}
END
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -