cryptlib.asn

cryptlib安全工具包

TSTInfo ::= SEQUENCE {
	version				INTEGER (1),
	policy				OBJECT IDENTIFIER,
	msgImprint			SEQUENCE { ... }	-- From request
	serialNo			INTEGER,			-- Unique value
	genTime				GeneralizedTime,	-- Current time
	nonce				INTEGER OPTIONAL	-- From input if present
	}

-/ PKCS #12 /-

PFX ::= SEQUENCE {
	version				INTEGER (3),
	authSafe			SEQUENCE {
		contentType		OBJECT IDENTIFIER id-Data,
		content		[0]	EXPLICIT OCTET STRING {
			safeConts	SEQUENCE {
						SEQUENCE {
				contentType
						OBJECT IDENTIFIER id-Data,
				content
					[0]	EXPLICIT OCTET STRING {
					safeContents
						SEQUENCE OF PKCS12Bag
						}
					}
				}
			}
		}
	macData				SEQUENCE {
		mac				SEQUENCE {
			algorithm	AlgorithmIdentifier,
			mac			OCTET STRING
			}
		macSalt			OCTET STRING,
		iterations		INTEGER DEFAULT 1
		}
	}

PKCS12CertBag ::= SEQUENCE {
	bagId				OBJECT IDENTIFIER certBag,
	bagValue		[0]	EXPLICIT SEQUENCE {
		certId			OBJECT IDENTIFIER x509Certificate,
		certValue	[0]	EXPLICIT OCTET STRING {
			cert		Certificate
			}
		}
	bagAttributes		SET OF Attribute
	}

PKCS12KeyBag ::= SEQUENCE {
	bagId				OBJECT IDENTIFIER pkcs8ShroudedKeyBag,
	bagValue		[0]	EXPLICIT SEQUENCE {
		encryptionAlgo	SEQUENCE {
			algo		OBJECT IDENTIFIER pbeWithSHAAnd2-KeyTripleDES-CBC,
			pbeParams	SEQUENCE {
				salt	OCTET STRING SIZE 16),
				iters	INTEGER (1000)
				}
			}
		encryptedData	OCTET STRING
		}
	bagAttributes		SET OF Attribute
	}

------------------------------------------------------------------------------
--																			--
--						Certificate Mismanagement Protocol					--
--																			--
------------------------------------------------------------------------------

-/ "If an undergraduate student handed this in as an assignment I'd fail them
	on the grounds that it shows a complete lack of understanding of the
	principles of workable protocol design" /-

xxxRequest ::= SEQUENCE {					-- ir/cr/kur, 3.3.1/3.3.3/3.3.5
	header				SEQUENCE {			--	Profile = B8
		version			INTEGER (2),
		sender		[4]	EXPLICIT DirectoryName,	-- DN of subject
		recipient	[4]	EXPLICIT DirectoryName,	-- DN of CA
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2] EXPLICIT OCTET STRING,
		transID		[4] EXPLICIT OCTET STRING SIZE (16),	-- Random
		nonce		[5] EXPLICIT OCTET STRING SIZE (16),	-- Random
		},
	body			[0]	EXPLICIT SEQUENCE {	-- [2] in cr, [7] in kur
		certReqMsg		SEQUENCE {			-- RFC 2510
						SEQUENCE {
			cReqID		INTEGER (0),
			cTemplate	SEQUENCE {
				validity[1] TIME OPTIONAL,
				subject	[5] EXPLICIT Name,
				pubKey	[6] SubjectPublicKeyInfo,
				exts	[9] Extensions OPTIONAL
						},
			cControls	SEQUENCE OF Attribute OPTIONAL		-- Ignored
					},
		pop			[1] EXPLICIT Signature	-- From X.509, for sig.key
or		pop			[2] EXPLICIT [1] INTEGER (0)
											-- For encr-only key
				}
			}
		},
	protection		[0]	EXPLICIT BIT STRING	-- ir = MAC, cr/kur = SIG
	}

xxxResponse ::= SEQUENCE {					-- ip/cp/kup, 3.3.2/3.3.4/3.3.6
	header				SEQUENCE {			--	Profile = B8
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
		nonceX		[5] EXPLICIT OCTET STRING SIZE (16),-- Needed in CertConf
		...
		},
	body			[1] EXPLICIT SEQUENCE {			-- [3] in cp, [8] in kup
		caPubs		[1] EXPLICIT SEQUENCE {...} OPTIONAL,-- Ignored
		response		SEQUENCE {
						SEQUENCE {
			certReqID	INTEGER (0),
			status		SEQUENCE {			-- PKIStatusInfo, 3.2.3
				status	INTEGER,
				statusStr SEQUENCE OF UTF8String OPTIONAL,
				failInfo BIT STRING OPTIONAL
				},
			certKeyPair	SEQUENCE {			-- If status == 0 or 1
				cert[0]	EXPLICIT Certificate,
or				encCert						-- For encr-only key
					[1] EXPLICIT EncryptedCert,
						...					-- Ignored
					}
				}
			}
		},
	protection		[0]	EXPLICIT BIT STRING	-- ip = MAC, cp/kup = SIG
	}

CertConf ::= SEQUENCE {						-- 3.3.18, profile = B8
	header				SEQUENCE {
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
		nonce		[5] EXPLICIT OCTET STRING SIZE (16),-- Random
		nonceX		[6] EXPLICIT OCTET STRING SIZE (16),-- Copied from InitResp
						...					-- Ignored
		},
	body		   [24]	EXPLICIT SEQUENCE {
						SEQUENCE {
		certHash		OCTET STRING
		certReqID		INTEGER (0),
			}
		},
	protection		[0]	EXPLICIT BIT STRING	-- ix = MAC, cx/kux = SIG
	}

Conf ::= SEQUENCE {							-- 3.3.17, profile = B8
	header				SEQUENCE {
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
						...					-- Ignored
		},
	body		   [19]	EXPLICIT NULL,
	protection		[0]	EXPLICIT BIT STRING	-- ix = MAC, cx/kux = SIG
	}

RevRequest ::= SEQUENCE {					-- rr, 3.3.9
	header				SEQUENCE {
		version			INTEGER (2),
		sender		[4]	EXPLICIT DirectoryName,	-- DN of subject
		recipient	[4]	EXPLICIT DirectoryName,	-- DN of CA
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2] EXPLICIT OCTET STRING,
		transID		[4] EXPLICIT OCTET STRING SIZE (16),	-- Random
		nonce		[5] EXPLICIT OCTET STRING SIZE (16),	-- Random
		},
	body		   [11]	EXPLICIT SEQUENCE {
		revDetails		SEQUENCE {
			cTemplate	SEQUENCE {			-- RFC 2510
				serial	[1] INTEGER,
				issuer	[3] EXPLICIT NAME
						},
			crlEntries	Extensions OPTIONAL
					}
				},
	protection		[0]	EXPLICIT BIT STRING	-- MAC or SIG
	}

RevResponse ::= SEQUENCE {					-- rp, 3.3.10
	header				SEQUENCE {
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (PBMac),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
						...					-- Ignored
		},
	body		   [12]	EXPLICIT SEQUENCE {
		status			SEQUENCE {
						SEQUENCE {			-- PKIStatusInfo, 3.2.3
			status		INTEGER,
			statusStr	SEQUENCE OF UTF8String OPTIONAL,
			failInfo	BIT STRING OPTIONAL
						},
						...					-- Ignored
					}
						...					-- Ignored
			},
	protection		[0]	EXPLICIT BIT STRING	-- MAC or SIG
	}

GenMsg ::= SEQUENCE {						-- 3.3.19/3.3.20
	header				SEQUENCE {
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (sigAlgo),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
						...					-- Ignored
		},
	body		   [21]	EXPLICIT SEQUENCE OF {
						SEQUENCE {
		infoType		OBJECT IDENTIFIER,
		intoValue		ANY DEFINED BY infoType OPTIONAL
						}
					},
	protection		[0]	EXPLICIT BIT STRING	-- MAC or SIG
	}

Error ::= SEQUENCE {						-- 3.3.21
	header				SEQUENCE {
		version			INTEGER (2),
		sender			SEQUENCE {...},		-- Ignored
		recipient		SEQUENCE {...},		-- Ignored
		messageTime	[0]	... OPTIONAL,		-- Ignored
		protAlgo	[1]	EXPLICIT AlgorithmIdentifier (sigAlgo),
		protKeyID	[2]	EXPLICIT OCTET STRING,			-- Must match previous
		transID		[4] EXPLICIT OCTET STRING SIZE (16),-- Must match previous
						...					-- Ignored
		},
	body		   [23]	EXPLICIT SEQUENCE {
						SEQUENCE {
		status			INTEGER,
						SEQUENCE {
			statusMsg	UTF8String,
						...					-- Ignored
						} OPTIONAL,
		failInfo		BIT STRING OPTIONAL
						},
		errorCode		INTEGER OPTIONAL,
						SEQUENCE {
			errorMsg	UTF8String,
						...					-- Ignored
						} OPTIONAL
					},
	protection		[0]	EXPLICIT BIT STRING	-- SIG
	}

-/ The MAC information used when the protection is a MAC /-

MacInfo ::= SEQUENCE {
	algoID				OBJECT IDENTIFIER (entrustMAC),
	algoParams			SEQUENCE {
		salt			OCTET STRING,
		pwHashAlgo		AlgorithmIdentifier (SHA-1),
		iterations		INTEGER,
		macAlgo			AlgorithmIdentifier (HMAC-SHA1)
		}
	}

-/ The encrypted data when the cert is returned encrypted /-

EncryptedCert ::= SEQUENCE {
	dummy			[0]	... OPTIONAL,		-- Ignored
	cekAlg			[1]	AlgorithmIdentifier,-- CEK algorithm
	encCEK			[2]	BIT STRING,			-- Encrypted CEK
	dummy			[3]	... OPTIONAL,		-- Ignored
	dummy			[4] ... OPTIONAL,		-- Ignored
	encData			BIT STRING
	}

------------------------------------------------------------------------------
--																			--
--						Certificate Messages over CMS						--
--																			--
------------------------------------------------------------------------------

-/ CMC request and response messages.  Certificates are returned as signing
   certs attached to the CMS signed data /-

PKIData ::= SEQUENCE {
	attributes		SEQUENCE OF TaggedAttribute, -- Control attrs.
	requests		SEQUENCE OF TaggedReq,	-- Cert.requests
	cms				SEQUENCE OF TaggedCMS,	-- CMS messages
	other			SEQUENCE OF OtherMsg	-- Type-and-value pairs
	}

PKIResp ::= SEQUENCE {
	attributes		SEQUENCE OF TaggedAttribute, -- Control attrs.
	cms				SEQUENCE OF TaggedCMS,	-- CMS messages
	other			SEQUENCE OF OtherMsg	-- Type-and-value pairs
	}

-/ TaggedXYZ types.  OtherMsg is identical to TaggedAttribute except that
   the value field is ANY DEFINED BY /-

TaggedAttribute ::= SEQUENCE {
	iD				INTEGER,				-- Unique 32-bit ID for this attr.
	type			OBJECT IDENTIFIER,
	values			SEQUENCE OF Attribute
	}

TaggedCMS ::= SEQUENCE {
	iD				INTEGER,				-- Unique 32-bit ID for this attr.
	value			CMS
	}

END