- Added PCKS #15 ASN.1 module
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@480 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
parent
6e0b7dea2c
commit
3e9d1470ae
|
@ -5,4 +5,4 @@ MAINTAINERCLEANFILES = Makefile.in
|
|||
man_MANS = pkcs15-crypt.1 pkcs15-init.1 \
|
||||
pkcs15-profile.5 \
|
||||
pkcs15.7
|
||||
EXTRA_DIST = $(man_MANS)
|
||||
EXTRA_DIST = $(man_MANS) pkcs-15v1_1.asn
|
||||
|
|
|
@ -0,0 +1,869 @@
|
|||
PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
|
||||
pkcs-15(15) modules(1) pkcs-15(1)}
|
||||
|
||||
-- $Revision$ --
|
||||
|
||||
DEFINITIONS IMPLICIT TAGS ::=
|
||||
|
||||
BEGIN
|
||||
|
||||
IMPORTS
|
||||
|
||||
informationFramework, authenticationFramework, certificateExtensions
|
||||
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
|
||||
usefulDefinitions(0) 3}
|
||||
|
||||
Name, Attribute
|
||||
FROM InformationFramework informationFramework
|
||||
|
||||
Certificate, AttributeCertificate, CertificateSerialNumber,
|
||||
SubjectPublicKeyInfo
|
||||
FROM AuthenticationFramework authenticationFramework
|
||||
|
||||
GeneralNames, KeyUsage
|
||||
FROM CertificateExtensions certificateExtensions
|
||||
|
||||
RecipientInfos, RecipientInfo, OriginatorInfo, sha-1,
|
||||
id-alg-CMS3DESwrap, id-alg-CMSRC2wrap, hMAC-SHA1, des-ede3-cbc
|
||||
FROM CryptographicMessageSyntax {iso(1) member-body(2)
|
||||
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
|
||||
cms(1)}
|
||||
|
||||
RSAPublicKey
|
||||
FROM PKCS-1 {iso(1) member-body(2) us(840) rsadsi(113549)
|
||||
pkcs(1) pkcs-1(1) modules(0) pkcs-1(1)}
|
||||
|
||||
AlgorithmIdentifier, SupportingAlgorithms, PBKDF2Algorithms,
|
||||
ALGORITHM-IDENTIFIER, id-hmacWithSHA1
|
||||
FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
|
||||
pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)}
|
||||
|
||||
ECPoint, Parameters
|
||||
FROM ANSI-X9-62 {iso(1) member-body(2) us(840)
|
||||
ansi-x962(10045) module(4) 1}
|
||||
|
||||
DiffieHellmanPublicNumber, DomainParameters
|
||||
FROM ANSI-X9-42 {iso(1) member-body(2) us(840)
|
||||
ansi-x942(10046) module(5) 1}
|
||||
|
||||
OOBCertHash
|
||||
FROM PKIXCMP {iso(1) identified-organization(3) dod(6)
|
||||
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
|
||||
id-mod-cmp(9)};
|
||||
|
||||
-- Constants
|
||||
|
||||
pkcs15-ub-identifier INTEGER ::= 255
|
||||
pkcs15-ub-reference INTEGER ::= 255
|
||||
pkcs15-ub-index INTEGER ::= 65535
|
||||
pkcs15-ub-label INTEGER ::= pkcs15-ub-identifier
|
||||
pkcs15-lb-minPinLength INTEGER ::= 4
|
||||
pkcs15-ub-minPinLength INTEGER ::= 8
|
||||
pkcs15-ub-storedPinLength INTEGER ::= 64
|
||||
pkcs15-ub-recordLength INTEGER ::= 16383
|
||||
pkcs15-ub-userConsent INTEGER ::= 15
|
||||
pkcs15-ub-securityConditions INTEGER ::= 255
|
||||
pkcs15-ub-seInfo INTEGER ::= 255
|
||||
|
||||
-- Object Identifiers
|
||||
|
||||
pkcs15 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
|
||||
rsadsi(113549) pkcs(1) pkcs-15(15)}
|
||||
pkcs15-mo OBJECT IDENTIFIER ::= {pkcs15 1} -- Modules branch
|
||||
pkcs15-at OBJECT IDENTIFIER ::= {pkcs15 2} -- Attribute branch
|
||||
pkcs15-ct OBJECT IDENTIFIER ::= {pkcs15 3} -- Content type branch
|
||||
|
||||
-- Content Types
|
||||
|
||||
pkcs15-ct-PKCS15Token OBJECT IDENTIFIER ::= {pkcs15-ct 1}
|
||||
|
||||
-- Basic types
|
||||
|
||||
Identifier ::= OCTET STRING (SIZE (0..pkcs15-ub-identifier))
|
||||
|
||||
Reference ::= INTEGER (0..pkcs15-ub-reference)
|
||||
|
||||
Label ::= UTF8String (SIZE(0..pkcs15-ub-label))
|
||||
|
||||
KEY-IDENTIFIER ::= CLASS {
|
||||
&id INTEGER UNIQUE,
|
||||
&Value
|
||||
} WITH SYNTAX {
|
||||
SYNTAX &Value IDENTIFIED BY &id
|
||||
}
|
||||
|
||||
CredentialIdentifier {KEY-IDENTIFIER : IdentifierSet} ::= SEQUENCE {
|
||||
idType KEY-IDENTIFIER.&id ({IdentifierSet}),
|
||||
idValue KEY-IDENTIFIER.&Value ({IdentifierSet}{@idType})
|
||||
}
|
||||
|
||||
KeyIdentifiers KEY-IDENTIFIER ::= {
|
||||
issuerAndSerialNumber|
|
||||
issuerAndSerialNumberHash|
|
||||
subjectKeyId|
|
||||
subjectKeyHash |
|
||||
issuerKeyHash |
|
||||
issuerNameHash |
|
||||
subjectNameHash,
|
||||
...
|
||||
}
|
||||
|
||||
issuerAndSerialNumber KEY-IDENTIFIER::=
|
||||
{SYNTAX PKCS15-OPAQUE.&Type IDENTIFIED BY 1}
|
||||
-- As defined in RFC 2630
|
||||
subjectKeyId KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 2}
|
||||
-- From x509v3 certificate extension
|
||||
issuerAndSerialNumberHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 3}
|
||||
-- Assumes SHA-1 hash of DER encoding of IssuerAndSerialNumber
|
||||
subjectKeyHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 4}
|
||||
issuerKeyHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 5}
|
||||
issuerNameHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 6}
|
||||
-- SHA-1 hash of DER-encoded issuer name
|
||||
subjectNameHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 7}
|
||||
-- SHA-1 hash of DER-encoded subject name
|
||||
|
||||
ReferencedValue {Type} ::= CHOICE {
|
||||
path Path,
|
||||
url URL
|
||||
} (CONSTRAINED BY {-- 'path' or 'url' shall point to an object of
|
||||
-- type -- Type})
|
||||
|
||||
URL ::= CHOICE {
|
||||
url PrintableString,
|
||||
urlWithDigest [3] SEQUENCE {
|
||||
url IA5String,
|
||||
digest DigestInfoWithDefault
|
||||
}
|
||||
}
|
||||
|
||||
alg-id-sha1 AlgorithmIdentifier {{DigestAlgorithms}} ::= {
|
||||
algorithm sha-1,
|
||||
parameters SHA1Parameters : NULL}
|
||||
|
||||
SHA1Parameters ::= NULL
|
||||
|
||||
DigestInfoWithDefault ::= SEQUENCE {
|
||||
digestAlg AlgorithmIdentifier {{DigestAlgorithms}} DEFAULT alg-id-sha1,
|
||||
digest OCTET STRING (SIZE(8..128))
|
||||
}
|
||||
|
||||
Path ::= SEQUENCE {
|
||||
path OCTET STRING,
|
||||
index INTEGER (0..pkcs15-ub-index) OPTIONAL,
|
||||
length [0] INTEGER (0..pkcs15-ub-index) OPTIONAL
|
||||
}( WITH COMPONENTS {..., index PRESENT, length PRESENT}|
|
||||
WITH COMPONENTS {..., index ABSENT, length ABSENT})
|
||||
|
||||
ObjectValue { Type } ::= CHOICE {
|
||||
indirect ReferencedValue {Type},
|
||||
direct [0] Type,
|
||||
indirect-protected [1] ReferencedValue {EnvelopedData {Type}},
|
||||
direct-protected [2] EnvelopedData {Type}
|
||||
}(CONSTRAINED BY {-- if indirection is being used, then it is
|
||||
-- expected that the reference points either to a (possibly
|
||||
-- enveloped) object of type -- Type -- or (key case) to a card-
|
||||
-- specific key file --})
|
||||
|
||||
PathOrObjects {ObjectType} ::= CHOICE {
|
||||
path Path,
|
||||
objects [0] SEQUENCE OF ObjectType,
|
||||
...,
|
||||
indirect-protected [1] ReferencedValue {EnvelopedData {SEQUENCE OF ObjectType}},
|
||||
direct-protected [2] EnvelopedData {SEQUENCE OF ObjectType}
|
||||
}
|
||||
|
||||
CommonObjectAttributes ::= SEQUENCE {
|
||||
label Label OPTIONAL,
|
||||
flags CommonObjectFlags OPTIONAL,
|
||||
authId Identifier OPTIONAL,
|
||||
...,
|
||||
userConsent INTEGER (1..pkcs15-ub-userConsent) OPTIONAL,
|
||||
accessControlRules SEQUENCE SIZE (1..MAX) OF AccessControlRule OPTIONAL
|
||||
} (CONSTRAINED BY {-- authId should be present in the IC card case if
|
||||
-- flags.private is set. It must equal an authID in one AuthRecord
|
||||
-- in the AODF -- })
|
||||
|
||||
CommonObjectFlags ::= BIT STRING {
|
||||
private (0),
|
||||
modifiable (1)
|
||||
}
|
||||
|
||||
AccessControlRule ::= SEQUENCE {
|
||||
accessMode AccessMode,
|
||||
securityCondition SecurityCondition,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
AccessMode ::= BIT STRING {
|
||||
read (0),
|
||||
update (1),
|
||||
execute (2)
|
||||
}
|
||||
|
||||
SecurityCondition ::= CHOICE {
|
||||
authId Identifier,
|
||||
not [0] SecurityCondition,
|
||||
and [1] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
|
||||
OF SecurityCondition,
|
||||
or [2] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
|
||||
OF SecurityCondition,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CommonKeyAttributes ::= SEQUENCE {
|
||||
iD Identifier,
|
||||
usage KeyUsageFlags,
|
||||
native BOOLEAN DEFAULT TRUE,
|
||||
accessFlags KeyAccessFlags OPTIONAL,
|
||||
keyReference Reference OPTIONAL,
|
||||
startDate GeneralizedTime OPTIONAL,
|
||||
endDate [0] GeneralizedTime OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
KeyUsageFlags ::= BIT STRING {
|
||||
encrypt (0),
|
||||
decrypt (1),
|
||||
sign (2),
|
||||
signRecover (3),
|
||||
wrap (4),
|
||||
unwrap (5),
|
||||
verify (6),
|
||||
verifyRecover (7),
|
||||
derive (8),
|
||||
nonRepudiation (9)
|
||||
}
|
||||
|
||||
KeyAccessFlags ::= BIT STRING {
|
||||
sensitive (0),
|
||||
extractable (1),
|
||||
alwaysSensitive (2),
|
||||
neverExtractable (3),
|
||||
local (4)
|
||||
}
|
||||
|
||||
CommonPrivateKeyAttributes ::= SEQUENCE {
|
||||
subjectName Name OPTIONAL,
|
||||
keyIdentifiers [0] SEQUENCE OF CredentialIdentifier
|
||||
{{KeyIdentifiers}} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CommonPublicKeyAttributes ::= SEQUENCE {
|
||||
subjectName Name OPTIONAL,
|
||||
...,
|
||||
trustedUsage [0] Usage OPTIONAL
|
||||
}
|
||||
|
||||
CommonSecretKeyAttributes ::= SEQUENCE {
|
||||
keyLen INTEGER OPTIONAL, -- keylength (in bits)
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
KeyInfo {ParameterType, OperationsType} ::= CHOICE {
|
||||
reference Reference,
|
||||
paramsAndOps SEQUENCE {
|
||||
parameters ParameterType,
|
||||
supportedOperations OperationsType OPTIONAL
|
||||
}
|
||||
}
|
||||
|
||||
CommonCertificateAttributes ::= SEQUENCE {
|
||||
iD Identifier,
|
||||
authority BOOLEAN DEFAULT FALSE,
|
||||
identifier CredentialIdentifier {{KeyIdentifiers}} OPTIONAL,
|
||||
certHash [0] OOBCertHash OPTIONAL,
|
||||
...,
|
||||
trustedUsage [1] Usage OPTIONAL,
|
||||
identifiers [2] SEQUENCE OF CredentialIdentifier{{KeyIdentifiers}} OPTIONAL,
|
||||
implicitTrust [3] BOOLEAN DEFAULT FALSE
|
||||
}
|
||||
|
||||
Usage ::= SEQUENCE {
|
||||
keyUsage KeyUsage OPTIONAL,
|
||||
extKeyUsage SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
|
||||
}(WITH COMPONENTS {..., keyUsage PRESENT} |
|
||||
WITH COMPONENTS {..., extKeyUsage PRESENT})
|
||||
|
||||
CommonDataObjectAttributes ::= SEQUENCE {
|
||||
applicationName Label OPTIONAL,
|
||||
applicationOID OBJECT IDENTIFIER OPTIONAL,
|
||||
... -- For future extensions
|
||||
} (WITH COMPONENTS {..., applicationName PRESENT}|
|
||||
WITH COMPONENTS {..., applicationOID PRESENT})
|
||||
|
||||
CommonAuthenticationObjectAttributes ::= SEQUENCE {
|
||||
authId Identifier,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes}
|
||||
::= SEQUENCE {
|
||||
commonObjectAttributes CommonObjectAttributes,
|
||||
classAttributes ClassAttributes,
|
||||
subClassAttributes [0] SubClassAttributes OPTIONAL,
|
||||
typeAttributes [1] TypeAttributes
|
||||
}
|
||||
|
||||
PKCS15Objects ::= CHOICE {
|
||||
privateKeys [0] PrivateKeys,
|
||||
publicKeys [1] PublicKeys,
|
||||
trustedPublicKeys [2] PublicKeys,
|
||||
secretKeys [3] SecretKeys,
|
||||
certificates [4] Certificates,
|
||||
trustedCertificates [5] Certificates,
|
||||
usefulCertificates [6] Certificates,
|
||||
dataObjects [7] DataObjects,
|
||||
authObjects [8] AuthObjects,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PrivateKeys ::= PathOrObjects {PrivateKeyType}
|
||||
|
||||
SecretKeys ::= PathOrObjects {SecretKeyType}
|
||||
|
||||
PublicKeys ::= PathOrObjects {PublicKeyType}
|
||||
|
||||
Certificates ::= PathOrObjects {CertificateType}
|
||||
|
||||
DataObjects ::= PathOrObjects {DataType}
|
||||
|
||||
AuthObjects ::= PathOrObjects {AuthenticationType}
|
||||
|
||||
PrivateKeyType ::= CHOICE {
|
||||
privateRSAKey PrivateKeyObject {PrivateRSAKeyAttributes},
|
||||
privateECKey [0] PrivateKeyObject {PrivateECKeyAttributes},
|
||||
privateDHKey [1] PrivateKeyObject {PrivateDHKeyAttributes},
|
||||
privateDSAKey [2] PrivateKeyObject {PrivateDSAKeyAttributes},
|
||||
privateKEAKey [3] PrivateKeyObject {PrivateKEAKeyAttributes},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PrivateKeyObject {KeyAttributes} ::= PKCS15Object {
|
||||
CommonKeyAttributes, CommonPrivateKeyAttributes, KeyAttributes}
|
||||
|
||||
PrivateRSAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {RSAPrivateKeyObject},
|
||||
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
|
||||
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
RSAPrivateKeyObject ::= SEQUENCE {
|
||||
modulus [0] INTEGER OPTIONAL, -- n
|
||||
publicExponent [1] INTEGER OPTIONAL, -- e
|
||||
privateExponent [2] INTEGER OPTIONAL, -- d
|
||||
prime1 [3] INTEGER OPTIONAL, -- p
|
||||
prime2 [4] INTEGER OPTIONAL, -- q
|
||||
exponent1 [5] INTEGER OPTIONAL, -- d mod (p-1)
|
||||
exponent2 [6] INTEGER OPTIONAL, -- d mod (q-1)
|
||||
coefficient [7] INTEGER OPTIONAL -- inv(q) mod p
|
||||
} (CONSTRAINED BY {-- must be possible to reconstruct modulus and
|
||||
-- privateExponent from selected fields --})
|
||||
|
||||
PrivateECKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {ECPrivateKey},
|
||||
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
ECPrivateKey ::= INTEGER
|
||||
|
||||
PrivateDHKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {DHPrivateKey},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DHPrivateKey ::= INTEGER -- Diffie-Hellman exponent
|
||||
|
||||
PrivateDSAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {DSAPrivateKey},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DSAPrivateKey ::= INTEGER
|
||||
|
||||
PrivateKEAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {KEAPrivateKey},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
KEAPrivateKey ::= INTEGER
|
||||
|
||||
PublicKeyType ::= CHOICE {
|
||||
publicRSAKey PublicKeyObject {PublicRSAKeyAttributes},
|
||||
publicECKey [0] PublicKeyObject {PublicECKeyAttributes},
|
||||
publicDHKey [1] PublicKeyObject {PublicDHKeyAttributes},
|
||||
publicDSAKey [2] PublicKeyObject {PublicDSAKeyAttributes},
|
||||
publicKEAKey [3] PublicKeyObject {PublicKEAKeyAttributes},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PublicKeyObject {KeyAttributes} ::= PKCS15Object {
|
||||
CommonKeyAttributes, CommonPublicKeyAttributes, KeyAttributes}
|
||||
|
||||
PublicRSAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {RSAPublicKeyChoice},
|
||||
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
|
||||
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
RSAPublicKeyChoice ::= CHOICE {
|
||||
raw RSAPublicKey,
|
||||
spki [1] SubjectPublicKeyInfo, -- See X.509. Must contain a
|
||||
-- public RSA key
|
||||
...
|
||||
}
|
||||
|
||||
PublicECKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {ECPublicKeyChoice},
|
||||
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
ECPublicKeyChoice ::= CHOICE {
|
||||
raw ECPoint,
|
||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public EC key
|
||||
...
|
||||
}
|
||||
|
||||
PublicDHKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {DHPublicKeyChoice},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DHPublicKeyChoice ::= CHOICE {
|
||||
raw DiffieHellmanPublicNumber,
|
||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public D-H key
|
||||
...
|
||||
}
|
||||
|
||||
PublicDSAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {DSAPublicKeyChoice},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DSAPublicKeyChoice ::= CHOICE {
|
||||
raw INTEGER,
|
||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public DSA key.
|
||||
...
|
||||
}
|
||||
|
||||
PublicKEAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {KEAPublicKeyChoice},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
KEAPublicKeyChoice ::= CHOICE {
|
||||
raw INTEGER,
|
||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public KEA key
|
||||
...
|
||||
}
|
||||
|
||||
SecretKeyType ::= CHOICE {
|
||||
genericSecretKey SecretKeyObject {GenericSecretKeyAttributes},
|
||||
rc2key [0] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
rc4key [1] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
desKey [2] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
des2Key [3] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
des3Key [4] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
castKey [5] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
cast3Key [6] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
cast128Key [7] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
rc5Key [8] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
ideaKey [9] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
skipjackKey [10] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
batonKey [11] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
juniperKey [12] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
rc6Key [13] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
otherKey [14] OtherKey,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
SecretKeyObject {KeyAttributes} ::= PKCS15Object {
|
||||
CommonKeyAttributes, CommonSecretKeyAttributes, KeyAttributes}
|
||||
|
||||
OtherKey ::= SEQUENCE {
|
||||
keyType OBJECT IDENTIFIER,
|
||||
keyAttr SecretKeyObject {GenericSecretKeyAttributes}
|
||||
}
|
||||
|
||||
GenericSecretKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue { OCTET STRING },
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CertificateType ::= CHOICE {
|
||||
x509Certificate CertificateObject { X509CertificateAttributes},
|
||||
x509AttributeCertificate [0] CertificateObject
|
||||
{X509AttributeCertificateAttributes},
|
||||
spkiCertificate [1] CertificateObject {SPKICertificateAttributes},
|
||||
pgpCertificate [2] CertificateObject {PGPCertificateAttributes},
|
||||
wtlsCertificate [3] CertificateObject {WTLSCertificateAttributes},
|
||||
x9-68Certificate [4] CertificateObject {X9-68CertificateAttributes},
|
||||
...,
|
||||
cvCertificate [5] CertificateObject {CVCertificateAttributes}
|
||||
}
|
||||
|
||||
CertificateObject {CertAttributes} ::= PKCS15Object {
|
||||
CommonCertificateAttributes, NULL, CertAttributes}
|
||||
|
||||
X509CertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { Certificate },
|
||||
subject Name OPTIONAL,
|
||||
issuer [0] Name OPTIONAL,
|
||||
serialNumber CertificateSerialNumber OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
X509AttributeCertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { AttributeCertificate },
|
||||
issuer GeneralNames OPTIONAL,
|
||||
serialNumber CertificateSerialNumber OPTIONAL,
|
||||
attrTypes [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
SPKICertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PGPCertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
WTLSCertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
X9-68CertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
||||
... -- For future extensions
|
||||
}
|
||||
CVCertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DataType ::= CHOICE {
|
||||
opaqueDO DataObject {Opaque},
|
||||
externalIDO [0] DataObject {ExternalIDO},
|
||||
oidDO [1] DataObject {OidDO},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DataObject {DataObjectAttributes} ::= PKCS15Object {
|
||||
CommonDataObjectAttributes, NULL, DataObjectAttributes}
|
||||
|
||||
Opaque ::= ObjectValue {PKCS15-OPAQUE.&Type}
|
||||
|
||||
ExternalIDO ::= ObjectValue {PKCS15-OPAQUE.&Type}
|
||||
(CONSTRAINED BY {-- All data objects must be defined in
|
||||
-- accordance with ISO/IEC 7816-6 --})
|
||||
|
||||
OidDO ::= SEQUENCE {
|
||||
id OBJECT IDENTIFIER,
|
||||
value ObjectValue {PKCS15-OPAQUE.&Type}
|
||||
}
|
||||
|
||||
AuthenticationType ::= CHOICE {
|
||||
pin AuthenticationObject { PinAttributes },
|
||||
...,
|
||||
biometricTemplate [0] AuthenticationObject {BiometricAttributes},
|
||||
authKey [1] AuthenticationObject {AuthKeyAttributes},
|
||||
external [2] AuthenticationObject {ExternalAuthObjectAttributes}
|
||||
}
|
||||
|
||||
AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object {
|
||||
CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes}
|
||||
|
||||
PinAttributes ::= SEQUENCE {
|
||||
pinFlags PinFlags,
|
||||
pinType PinType,
|
||||
minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength),
|
||||
storedLength INTEGER (0..pkcs15-ub-storedPinLength),
|
||||
maxLength INTEGER OPTIONAL,
|
||||
pinReference [0] Reference DEFAULT 0,
|
||||
padChar OCTET STRING (SIZE(1)) OPTIONAL,
|
||||
lastPinChange GeneralizedTime OPTIONAL,
|
||||
path Path OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PinFlags ::= BIT STRING {
|
||||
case-sensitive (0),
|
||||
local (1),
|
||||
change-disabled (2),
|
||||
unblock-disabled (3),
|
||||
initialized (4),
|
||||
needs-padding (5),
|
||||
unblockingPin (6),
|
||||
soPin (7),
|
||||
disable-allowed (8),
|
||||
integrity-protected (9),
|
||||
confidentiality-protected (10),
|
||||
exchangeRefData (11)
|
||||
} (CONSTRAINED BY { -- 'unblockingPin' and 'soPIN' cannot both be set -- })
|
||||
|
||||
PinType ::= ENUMERATED {bcd, ascii-numeric, utf8, ...,
|
||||
half-nibble-bcd, iso9564-1}
|
||||
|
||||
BiometricAttributes ::= SEQUENCE {
|
||||
bioFlags BiometricFlags,
|
||||
templateId OBJECT IDENTIFIER,
|
||||
bioType BiometricType,
|
||||
bioReference Reference DEFAULT 0,
|
||||
lastChange GeneralizedTime OPTIONAL,
|
||||
path Path OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
BiometricFlags ::= BIT STRING {
|
||||
local (1),
|
||||
change-disabled (2),
|
||||
unblock-disabled (3),
|
||||
initialized (4),
|
||||
disable-allowed (8),
|
||||
integrity-protected (9),
|
||||
confidentiality-protected (10)
|
||||
} -- Note: bits 0, 5, 6, and 7 are reserved for future use
|
||||
|
||||
BiometricType ::= CHOICE {
|
||||
fingerPrint FingerPrint,
|
||||
irisScan [0] IrisScan,
|
||||
-- Possible extensions:
|
||||
-- voiceScan VoiceScan,
|
||||
-- faceScan FaceScan,
|
||||
-- retinaScan Retinascan,
|
||||
-- handGeometry HandGeometry,
|
||||
-- writeDynamics WriteDynamics,
|
||||
-- keyStrokeDynamicsKeyStrokeDynamics,
|
||||
-- lipDynamics LipDynamics,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
FingerPrint ::= SEQUENCE {
|
||||
hand ENUMERATED {left, right},
|
||||
finger ENUMERATED {thumb, pointerFinger, middleFinger,
|
||||
ringFinger, littleFinger},
|
||||
...
|
||||
}
|
||||
|
||||
IrisScan ::= SEQUENCE {
|
||||
eye ENUMERATED {left, right},
|
||||
...
|
||||
}
|
||||
|
||||
ExternalAuthObjectAttributes ::= CHOICE {
|
||||
authKeyAttributes AuthKeyAttributes,
|
||||
certBasedAttributes [0] CertBasedAuthenticationAttributes,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
AuthKeyAttributes ::= SEQUENCE {
|
||||
derivedKey BOOLEAN DEFAULT TRUE,
|
||||
authKeyId Identifier,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CertBasedAuthenticationAttributes ::= SEQUENCE {
|
||||
cha OCTET STRING,
|
||||
...
|
||||
}
|
||||
|
||||
TokenInfo ::= SEQUENCE {
|
||||
version INTEGER {v1(0)} (v1,...),
|
||||
serialNumber OCTET STRING,
|
||||
manufacturerID Label OPTIONAL,
|
||||
label [0] Label OPTIONAL,
|
||||
tokenflags TokenFlags,
|
||||
seInfo SEQUENCE OF SecurityEnvironmentInfo OPTIONAL,
|
||||
recordInfo [1] RecordInfo OPTIONAL,
|
||||
supportedAlgorithms [2] SEQUENCE OF AlgorithmInfo OPTIONAL,
|
||||
...,
|
||||
issuerId [3] Label OPTIONAL,
|
||||
holderId [4] Label OPTIONAL,
|
||||
lastUpdate [5] LastUpdate OPTIONAL,
|
||||
preferredLanguage PrintableString OPTIONAL -- In accordance with
|
||||
-- IETF RFC 1766
|
||||
} (CONSTRAINED BY { -- Each AlgorithmInfo.reference value must be unique --})
|
||||
|
||||
TokenFlags ::= BIT STRING {
|
||||
readonly (0),
|
||||
loginRequired (1),
|
||||
prnGeneration (2),
|
||||
eidCompliant (3)
|
||||
}
|
||||
|
||||
SecurityEnvironmentInfo ::= SEQUENCE {
|
||||
se INTEGER (0..pkcs15-ub-seInfo),
|
||||
owner OBJECT IDENTIFIER,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
RecordInfo ::= SEQUENCE {
|
||||
oDFRecordLength [0] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
prKDFRecordLength [1] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
puKDFRecordLength [2] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
sKDFRecordLength [3] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
cDFRecordLength [4] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
dODFRecordLength [5] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
aODFRecordLength [6] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL
|
||||
}
|
||||
|
||||
AlgorithmInfo ::= SEQUENCE {
|
||||
reference Reference,
|
||||
algorithm PKCS15-ALGORITHM.&id({AlgorithmSet}),
|
||||
parameters PKCS15-ALGORITHM.&Parameters({AlgorithmSet}{@algorithm}),
|
||||
supportedOperations
|
||||
PKCS15-ALGORITHM.&Operations({AlgorithmSet}{@algorithm}),
|
||||
algId PKCS15-ALGORITHM.&objectIdentifier({AlgorithmSet}{@algorithm})
|
||||
OPTIONAL,
|
||||
algRef Reference OPTIONAL
|
||||
}
|
||||
|
||||
PKCS15-ALGORITHM ::= CLASS {
|
||||
&id INTEGER UNIQUE,
|
||||
&Parameters,
|
||||
&Operations Operations,
|
||||
&objectIdentifier OBJECT IDENTIFIER OPTIONAL
|
||||
} WITH SYNTAX {
|
||||
PARAMETERS &Parameters OPERATIONS &Operations ID &id [OID &objectIdentifier]}
|
||||
|
||||
PKCS15-OPAQUE ::= TYPE-IDENTIFIER
|
||||
|
||||
PublicKeyOperations ::= Operations
|
||||
|
||||
Operations ::= BIT STRING {
|
||||
compute-checksum (0), -- H/W computation of checksum
|
||||
compute-signature (1), -- H/W computation of signature
|
||||
verify-checksum (2), -- H/W verification of checksum
|
||||
verify-signature (3), -- H/W verification of signature
|
||||
encipher (4), -- H/W encryption of data
|
||||
decipher (5), -- H/W decryption of data
|
||||
hash (6), -- H/W hashing
|
||||
generate-key (7) -- H/W key generation
|
||||
}
|
||||
|
||||
pkcs15-alg-null PKCS15-ALGORITHM ::= {
|
||||
PARAMETERS NULL OPERATIONS {{generate-key}} ID -1}
|
||||
|
||||
AlgorithmSet PKCS15-ALGORITHM ::= {
|
||||
pkcs15-alg-null,
|
||||
... -- See PKCS #11 for values for the &id field (and parameters)
|
||||
}
|
||||
|
||||
LastUpdate ::= CHOICE {
|
||||
generalizedTime GeneralizedTime,
|
||||
referencedTime ReferencedValue {GeneralizedTime},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
-- Soft token related types and objects
|
||||
|
||||
EnvelopedData {Type} ::= SEQUENCE {
|
||||
version INTEGER{v0(0),v1(1),v2(2),v3(3),v4(4)}(v0|v1|v2,...),
|
||||
originatorInfo [0] OriginatorInfo OPTIONAL,
|
||||
recipientInfos RecipientInfos,
|
||||
encryptedContentInfo EncryptedContentInfo{Type},
|
||||
unprotectedAttrs [1] SET SIZE (1..MAX) OF Attribute OPTIONAL
|
||||
}
|
||||
|
||||
EncryptedContentInfo {Type} ::= SEQUENCE {
|
||||
contentType OBJECT IDENTIFIER,
|
||||
contentEncryptionAlgorithm AlgorithmIdentifier {{KeyDerivationAlgorithms}},
|
||||
encryptedContent [0] OCTET STRING OPTIONAL
|
||||
}(CONSTRAINED BY {-- 'encryptedContent' shall be the result of
|
||||
-- encrypting DER-encoded value of type -- Type})
|
||||
|
||||
PKCS15Token ::= SEQUENCE {
|
||||
version INTEGER {v1(0)} (v1,...),
|
||||
keyManagementInfo [0] KeyManagementInfo OPTIONAL,
|
||||
pkcs15Objects SEQUENCE OF PKCS15Objects
|
||||
}
|
||||
|
||||
KeyManagementInfo ::= SEQUENCE OF SEQUENCE {
|
||||
keyId Identifier,
|
||||
keyInfo CHOICE {
|
||||
recipientInfo RecipientInfo,
|
||||
passwordInfo [0] PasswordInfo
|
||||
}
|
||||
} (CONSTRAINED BY {-- Each keyID must be unique --})
|
||||
|
||||
PasswordInfo ::= SEQUENCE {
|
||||
hint Label OPTIONAL,
|
||||
algId AlgorithmIdentifier {{KeyDerivationAlgorithms}},
|
||||
...
|
||||
} (CONSTRAINED BY {--keyID shall point to a KEKRecipientInfo--})
|
||||
|
||||
KeyDerivationAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
PBKDF2Algorithms,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CMS3DESwrap ::= NULL
|
||||
|
||||
KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
{CMS3DESwrap IDENTIFIED BY id-alg-CMS3DESwrap} |
|
||||
{INTEGER IDENTIFIED BY id-alg-CMSRC2wrap},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DES-IV ::= OCTET STRING (SIZE(8))
|
||||
|
||||
ContentEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
SupportingAlgorithms EXCEPT {NULL IDENTIFIED BY id-hmacWithSHA1},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
MACAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
{NULL IDENTIFIED BY hMAC-SHA1},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DigestAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
{NULL IDENTIFIED BY sha-1},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
-- Misc
|
||||
|
||||
DDO ::= SEQUENCE {
|
||||
oid OBJECT IDENTIFIER,
|
||||
odfPath Path OPTIONAL,
|
||||
tokenInfoPath [0] Path OPTIONAL,
|
||||
unusedPath [1] Path OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DIRRecord ::= [APPLICATION 1] SEQUENCE {
|
||||
aid [APPLICATION 15] OCTET STRING,
|
||||
label [APPLICATION 16] UTF8String OPTIONAL,
|
||||
path [APPLICATION 17] OCTET STRING,
|
||||
ddo [APPLICATION 19] DDO OPTIONAL
|
||||
}
|
||||
|
||||
UnusedSpace ::= SEQUENCE {
|
||||
path Path (WITH COMPONENTS {..., index PRESENT, length PRESENT}),
|
||||
authId Identifier OPTIONAL,
|
||||
...,
|
||||
accessControlRules SEQUENCE OF AccessControlRule OPTIONAL
|
||||
}
|
||||
|
||||
END
|
Loading…
Reference in New Issue