diff --git a/docs/Makefile.am b/docs/Makefile.am index 4e20d962..4acbc450 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -5,4 +5,4 @@ MAINTAINERCLEANFILES = Makefile.in man_MANS = pkcs15-crypt.1 pkcs15-init.1 \ pkcs15-profile.5 \ pkcs15.7 -EXTRA_DIST = $(man_MANS) +EXTRA_DIST = $(man_MANS) pkcs-15v1_1.asn diff --git a/docs/pkcs-15v1_1.asn b/docs/pkcs-15v1_1.asn new file mode 100644 index 00000000..5ef2122d --- /dev/null +++ b/docs/pkcs-15v1_1.asn @@ -0,0 +1,869 @@ +PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-15(15) modules(1) pkcs-15(1)} + +-- $Revision$ -- + +DEFINITIONS IMPLICIT TAGS ::= + +BEGIN + +IMPORTS + +informationFramework, authenticationFramework, certificateExtensions + FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1) + usefulDefinitions(0) 3} + +Name, Attribute + FROM InformationFramework informationFramework + +Certificate, AttributeCertificate, CertificateSerialNumber, + SubjectPublicKeyInfo + FROM AuthenticationFramework authenticationFramework + +GeneralNames, KeyUsage + FROM CertificateExtensions certificateExtensions + +RecipientInfos, RecipientInfo, OriginatorInfo, sha-1, + id-alg-CMS3DESwrap, id-alg-CMSRC2wrap, hMAC-SHA1, des-ede3-cbc + FROM CryptographicMessageSyntax {iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) + cms(1)} + +RSAPublicKey + FROM PKCS-1 {iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-1(1) modules(0) pkcs-1(1)} + +AlgorithmIdentifier, SupportingAlgorithms, PBKDF2Algorithms, + ALGORITHM-IDENTIFIER, id-hmacWithSHA1 + FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)} + +ECPoint, Parameters + FROM ANSI-X9-62 {iso(1) member-body(2) us(840) + ansi-x962(10045) module(4) 1} + +DiffieHellmanPublicNumber, DomainParameters + FROM ANSI-X9-42 {iso(1) member-body(2) us(840) + ansi-x942(10046) module(5) 1} + +OOBCertHash + FROM PKIXCMP {iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-cmp(9)}; + +-- Constants + +pkcs15-ub-identifier INTEGER ::= 255 +pkcs15-ub-reference INTEGER ::= 255 +pkcs15-ub-index INTEGER ::= 65535 +pkcs15-ub-label INTEGER ::= pkcs15-ub-identifier +pkcs15-lb-minPinLength INTEGER ::= 4 +pkcs15-ub-minPinLength INTEGER ::= 8 +pkcs15-ub-storedPinLength INTEGER ::= 64 +pkcs15-ub-recordLength INTEGER ::= 16383 +pkcs15-ub-userConsent INTEGER ::= 15 +pkcs15-ub-securityConditions INTEGER ::= 255 +pkcs15-ub-seInfo INTEGER ::= 255 + +-- Object Identifiers + +pkcs15 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-15(15)} +pkcs15-mo OBJECT IDENTIFIER ::= {pkcs15 1} -- Modules branch +pkcs15-at OBJECT IDENTIFIER ::= {pkcs15 2} -- Attribute branch +pkcs15-ct OBJECT IDENTIFIER ::= {pkcs15 3} -- Content type branch + +-- Content Types + +pkcs15-ct-PKCS15Token OBJECT IDENTIFIER ::= {pkcs15-ct 1} + +-- Basic types + +Identifier ::= OCTET STRING (SIZE (0..pkcs15-ub-identifier)) + +Reference ::= INTEGER (0..pkcs15-ub-reference) + +Label ::= UTF8String (SIZE(0..pkcs15-ub-label)) + +KEY-IDENTIFIER ::= CLASS { + &id INTEGER UNIQUE, + &Value +} WITH SYNTAX { + SYNTAX &Value IDENTIFIED BY &id +} + +CredentialIdentifier {KEY-IDENTIFIER : IdentifierSet} ::= SEQUENCE { + idType KEY-IDENTIFIER.&id ({IdentifierSet}), + idValue KEY-IDENTIFIER.&Value ({IdentifierSet}{@idType}) +} + +KeyIdentifiers KEY-IDENTIFIER ::= { + issuerAndSerialNumber| + issuerAndSerialNumberHash| + subjectKeyId| + subjectKeyHash | + issuerKeyHash | + issuerNameHash | + subjectNameHash, + ... +} + +issuerAndSerialNumber KEY-IDENTIFIER::= + {SYNTAX PKCS15-OPAQUE.&Type IDENTIFIED BY 1} + -- As defined in RFC 2630 +subjectKeyId KEY-IDENTIFIER ::= + {SYNTAX OCTET STRING IDENTIFIED BY 2} + -- From x509v3 certificate extension +issuerAndSerialNumberHash KEY-IDENTIFIER ::= + {SYNTAX OCTET STRING IDENTIFIED BY 3} + -- Assumes SHA-1 hash of DER encoding of IssuerAndSerialNumber +subjectKeyHash KEY-IDENTIFIER ::= + {SYNTAX OCTET STRING IDENTIFIED BY 4} +issuerKeyHash KEY-IDENTIFIER ::= + {SYNTAX OCTET STRING IDENTIFIED BY 5} +issuerNameHash KEY-IDENTIFIER ::= + {SYNTAX OCTET STRING IDENTIFIED BY 6} + -- SHA-1 hash of DER-encoded issuer name +subjectNameHash KEY-IDENTIFIER ::= + {SYNTAX OCTET STRING IDENTIFIED BY 7} + -- SHA-1 hash of DER-encoded subject name + +ReferencedValue {Type} ::= CHOICE { + path Path, + url URL +} (CONSTRAINED BY {-- 'path' or 'url' shall point to an object of + -- type -- Type}) + +URL ::= CHOICE { + url PrintableString, + urlWithDigest [3] SEQUENCE { + url IA5String, + digest DigestInfoWithDefault + } +} + +alg-id-sha1 AlgorithmIdentifier {{DigestAlgorithms}} ::= { + algorithm sha-1, + parameters SHA1Parameters : NULL} + +SHA1Parameters ::= NULL + +DigestInfoWithDefault ::= SEQUENCE { + digestAlg AlgorithmIdentifier {{DigestAlgorithms}} DEFAULT alg-id-sha1, + digest OCTET STRING (SIZE(8..128)) +} + +Path ::= SEQUENCE { + path OCTET STRING, + index INTEGER (0..pkcs15-ub-index) OPTIONAL, + length [0] INTEGER (0..pkcs15-ub-index) OPTIONAL + }( WITH COMPONENTS {..., index PRESENT, length PRESENT}| + WITH COMPONENTS {..., index ABSENT, length ABSENT}) + +ObjectValue { Type } ::= CHOICE { + indirect ReferencedValue {Type}, + direct [0] Type, + indirect-protected [1] ReferencedValue {EnvelopedData {Type}}, + direct-protected [2] EnvelopedData {Type} + }(CONSTRAINED BY {-- if indirection is being used, then it is + -- expected that the reference points either to a (possibly + -- enveloped) object of type -- Type -- or (key case) to a card- + -- specific key file --}) + +PathOrObjects {ObjectType} ::= CHOICE { + path Path, + objects [0] SEQUENCE OF ObjectType, + ..., + indirect-protected [1] ReferencedValue {EnvelopedData {SEQUENCE OF ObjectType}}, + direct-protected [2] EnvelopedData {SEQUENCE OF ObjectType} + } + +CommonObjectAttributes ::= SEQUENCE { + label Label OPTIONAL, + flags CommonObjectFlags OPTIONAL, + authId Identifier OPTIONAL, + ..., + userConsent INTEGER (1..pkcs15-ub-userConsent) OPTIONAL, + accessControlRules SEQUENCE SIZE (1..MAX) OF AccessControlRule OPTIONAL +} (CONSTRAINED BY {-- authId should be present in the IC card case if + -- flags.private is set. It must equal an authID in one AuthRecord + -- in the AODF -- }) + +CommonObjectFlags ::= BIT STRING { + private (0), + modifiable (1) +} + +AccessControlRule ::= SEQUENCE { + accessMode AccessMode, + securityCondition SecurityCondition, + ... -- For future extensions +} + +AccessMode ::= BIT STRING { + read (0), + update (1), + execute (2) +} + +SecurityCondition ::= CHOICE { + authId Identifier, + not [0] SecurityCondition, + and [1] SEQUENCE SIZE (2..pkcs15-ub-securityConditions) + OF SecurityCondition, + or [2] SEQUENCE SIZE (2..pkcs15-ub-securityConditions) + OF SecurityCondition, + ... -- For future extensions +} + +CommonKeyAttributes ::= SEQUENCE { + iD Identifier, + usage KeyUsageFlags, + native BOOLEAN DEFAULT TRUE, + accessFlags KeyAccessFlags OPTIONAL, + keyReference Reference OPTIONAL, + startDate GeneralizedTime OPTIONAL, + endDate [0] GeneralizedTime OPTIONAL, + ... -- For future extensions +} + +KeyUsageFlags ::= BIT STRING { + encrypt (0), + decrypt (1), + sign (2), + signRecover (3), + wrap (4), + unwrap (5), + verify (6), + verifyRecover (7), + derive (8), + nonRepudiation (9) +} + +KeyAccessFlags ::= BIT STRING { + sensitive (0), + extractable (1), + alwaysSensitive (2), + neverExtractable (3), + local (4) +} + +CommonPrivateKeyAttributes ::= SEQUENCE { + subjectName Name OPTIONAL, + keyIdentifiers [0] SEQUENCE OF CredentialIdentifier + {{KeyIdentifiers}} OPTIONAL, + ... -- For future extensions +} + +CommonPublicKeyAttributes ::= SEQUENCE { + subjectName Name OPTIONAL, + ..., + trustedUsage [0] Usage OPTIONAL +} + +CommonSecretKeyAttributes ::= SEQUENCE { + keyLen INTEGER OPTIONAL, -- keylength (in bits) + ... -- For future extensions +} + +KeyInfo {ParameterType, OperationsType} ::= CHOICE { + reference Reference, + paramsAndOps SEQUENCE { + parameters ParameterType, + supportedOperations OperationsType OPTIONAL + } +} + +CommonCertificateAttributes ::= SEQUENCE { + iD Identifier, + authority BOOLEAN DEFAULT FALSE, + identifier CredentialIdentifier {{KeyIdentifiers}} OPTIONAL, + certHash [0] OOBCertHash OPTIONAL, + ..., + trustedUsage [1] Usage OPTIONAL, + identifiers [2] SEQUENCE OF CredentialIdentifier{{KeyIdentifiers}} OPTIONAL, + implicitTrust [3] BOOLEAN DEFAULT FALSE +} + +Usage ::= SEQUENCE { + keyUsage KeyUsage OPTIONAL, + extKeyUsage SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL + }(WITH COMPONENTS {..., keyUsage PRESENT} | + WITH COMPONENTS {..., extKeyUsage PRESENT}) + +CommonDataObjectAttributes ::= SEQUENCE { + applicationName Label OPTIONAL, + applicationOID OBJECT IDENTIFIER OPTIONAL, + ... -- For future extensions + } (WITH COMPONENTS {..., applicationName PRESENT}| + WITH COMPONENTS {..., applicationOID PRESENT}) + +CommonAuthenticationObjectAttributes ::= SEQUENCE { + authId Identifier, + ... -- For future extensions +} + +PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes} + ::= SEQUENCE { + commonObjectAttributes CommonObjectAttributes, + classAttributes ClassAttributes, + subClassAttributes [0] SubClassAttributes OPTIONAL, + typeAttributes [1] TypeAttributes +} + +PKCS15Objects ::= CHOICE { + privateKeys [0] PrivateKeys, + publicKeys [1] PublicKeys, + trustedPublicKeys [2] PublicKeys, + secretKeys [3] SecretKeys, + certificates [4] Certificates, + trustedCertificates [5] Certificates, + usefulCertificates [6] Certificates, + dataObjects [7] DataObjects, + authObjects [8] AuthObjects, + ... -- For future extensions +} + +PrivateKeys ::= PathOrObjects {PrivateKeyType} + +SecretKeys ::= PathOrObjects {SecretKeyType} + +PublicKeys ::= PathOrObjects {PublicKeyType} + +Certificates ::= PathOrObjects {CertificateType} + +DataObjects ::= PathOrObjects {DataType} + +AuthObjects ::= PathOrObjects {AuthenticationType} + +PrivateKeyType ::= CHOICE { + privateRSAKey PrivateKeyObject {PrivateRSAKeyAttributes}, + privateECKey [0] PrivateKeyObject {PrivateECKeyAttributes}, + privateDHKey [1] PrivateKeyObject {PrivateDHKeyAttributes}, + privateDSAKey [2] PrivateKeyObject {PrivateDSAKeyAttributes}, + privateKEAKey [3] PrivateKeyObject {PrivateKEAKeyAttributes}, + ... -- For future extensions +} + +PrivateKeyObject {KeyAttributes} ::= PKCS15Object { + CommonKeyAttributes, CommonPrivateKeyAttributes, KeyAttributes} + +PrivateRSAKeyAttributes ::= SEQUENCE { + value ObjectValue {RSAPrivateKeyObject}, + modulusLength INTEGER, -- modulus length in bits, e.g. 1024 + keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +RSAPrivateKeyObject ::= SEQUENCE { + modulus [0] INTEGER OPTIONAL, -- n + publicExponent [1] INTEGER OPTIONAL, -- e + privateExponent [2] INTEGER OPTIONAL, -- d + prime1 [3] INTEGER OPTIONAL, -- p + prime2 [4] INTEGER OPTIONAL, -- q + exponent1 [5] INTEGER OPTIONAL, -- d mod (p-1) + exponent2 [6] INTEGER OPTIONAL, -- d mod (q-1) + coefficient [7] INTEGER OPTIONAL -- inv(q) mod p +} (CONSTRAINED BY {-- must be possible to reconstruct modulus and + -- privateExponent from selected fields --}) + +PrivateECKeyAttributes ::= SEQUENCE { + value ObjectValue {ECPrivateKey}, + keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +ECPrivateKey ::= INTEGER + +PrivateDHKeyAttributes ::= SEQUENCE { + value ObjectValue {DHPrivateKey}, + keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +DHPrivateKey ::= INTEGER -- Diffie-Hellman exponent + +PrivateDSAKeyAttributes ::= SEQUENCE { + value ObjectValue {DSAPrivateKey}, + keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +DSAPrivateKey ::= INTEGER + +PrivateKEAKeyAttributes ::= SEQUENCE { + value ObjectValue {KEAPrivateKey}, + keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +KEAPrivateKey ::= INTEGER + +PublicKeyType ::= CHOICE { + publicRSAKey PublicKeyObject {PublicRSAKeyAttributes}, + publicECKey [0] PublicKeyObject {PublicECKeyAttributes}, + publicDHKey [1] PublicKeyObject {PublicDHKeyAttributes}, + publicDSAKey [2] PublicKeyObject {PublicDSAKeyAttributes}, + publicKEAKey [3] PublicKeyObject {PublicKEAKeyAttributes}, + ... -- For future extensions +} + +PublicKeyObject {KeyAttributes} ::= PKCS15Object { + CommonKeyAttributes, CommonPublicKeyAttributes, KeyAttributes} + +PublicRSAKeyAttributes ::= SEQUENCE { + value ObjectValue {RSAPublicKeyChoice}, + modulusLength INTEGER, -- modulus length in bits, e.g. 1024 + keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +RSAPublicKeyChoice ::= CHOICE { + raw RSAPublicKey, + spki [1] SubjectPublicKeyInfo, -- See X.509. Must contain a + -- public RSA key + ... +} + +PublicECKeyAttributes ::= SEQUENCE { + value ObjectValue {ECPublicKeyChoice}, + keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +ECPublicKeyChoice ::= CHOICE { + raw ECPoint, + spki SubjectPublicKeyInfo, -- See X.509. Must contain a public EC key + ... +} + +PublicDHKeyAttributes ::= SEQUENCE { + value ObjectValue {DHPublicKeyChoice}, + keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +DHPublicKeyChoice ::= CHOICE { + raw DiffieHellmanPublicNumber, + spki SubjectPublicKeyInfo, -- See X.509. Must contain a public D-H key + ... +} + +PublicDSAKeyAttributes ::= SEQUENCE { + value ObjectValue {DSAPublicKeyChoice}, + keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +DSAPublicKeyChoice ::= CHOICE { + raw INTEGER, + spki SubjectPublicKeyInfo, -- See X.509. Must contain a public DSA key. + ... +} + +PublicKEAKeyAttributes ::= SEQUENCE { + value ObjectValue {KEAPublicKeyChoice}, + keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL, + ... -- For future extensions +} + +KEAPublicKeyChoice ::= CHOICE { + raw INTEGER, + spki SubjectPublicKeyInfo, -- See X.509. Must contain a public KEA key + ... +} + +SecretKeyType ::= CHOICE { + genericSecretKey SecretKeyObject {GenericSecretKeyAttributes}, + rc2key [0] SecretKeyObject {GenericSecretKeyAttributes}, + rc4key [1] SecretKeyObject {GenericSecretKeyAttributes}, + desKey [2] SecretKeyObject {GenericSecretKeyAttributes}, + des2Key [3] SecretKeyObject {GenericSecretKeyAttributes}, + des3Key [4] SecretKeyObject {GenericSecretKeyAttributes}, + castKey [5] SecretKeyObject {GenericSecretKeyAttributes}, + cast3Key [6] SecretKeyObject {GenericSecretKeyAttributes}, + cast128Key [7] SecretKeyObject {GenericSecretKeyAttributes}, + rc5Key [8] SecretKeyObject {GenericSecretKeyAttributes}, + ideaKey [9] SecretKeyObject {GenericSecretKeyAttributes}, + skipjackKey [10] SecretKeyObject {GenericSecretKeyAttributes}, + batonKey [11] SecretKeyObject {GenericSecretKeyAttributes}, + juniperKey [12] SecretKeyObject {GenericSecretKeyAttributes}, + rc6Key [13] SecretKeyObject {GenericSecretKeyAttributes}, + otherKey [14] OtherKey, +... -- For future extensions +} + +SecretKeyObject {KeyAttributes} ::= PKCS15Object { + CommonKeyAttributes, CommonSecretKeyAttributes, KeyAttributes} + +OtherKey ::= SEQUENCE { + keyType OBJECT IDENTIFIER, + keyAttr SecretKeyObject {GenericSecretKeyAttributes} +} + +GenericSecretKeyAttributes ::= SEQUENCE { + value ObjectValue { OCTET STRING }, + ... -- For future extensions +} + +CertificateType ::= CHOICE { + x509Certificate CertificateObject { X509CertificateAttributes}, + x509AttributeCertificate [0] CertificateObject + {X509AttributeCertificateAttributes}, + spkiCertificate [1] CertificateObject {SPKICertificateAttributes}, + pgpCertificate [2] CertificateObject {PGPCertificateAttributes}, + wtlsCertificate [3] CertificateObject {WTLSCertificateAttributes}, + x9-68Certificate [4] CertificateObject {X9-68CertificateAttributes}, + ..., + cvCertificate [5] CertificateObject {CVCertificateAttributes} +} + +CertificateObject {CertAttributes} ::= PKCS15Object { + CommonCertificateAttributes, NULL, CertAttributes} + +X509CertificateAttributes ::= SEQUENCE { + value ObjectValue { Certificate }, + subject Name OPTIONAL, + issuer [0] Name OPTIONAL, + serialNumber CertificateSerialNumber OPTIONAL, + ... -- For future extensions +} + +X509AttributeCertificateAttributes ::= SEQUENCE { + value ObjectValue { AttributeCertificate }, + issuer GeneralNames OPTIONAL, + serialNumber CertificateSerialNumber OPTIONAL, + attrTypes [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL, + ... -- For future extensions +} + +SPKICertificateAttributes ::= SEQUENCE { + value ObjectValue { PKCS15-OPAQUE.&Type }, + ... -- For future extensions +} + +PGPCertificateAttributes ::= SEQUENCE { + value ObjectValue { PKCS15-OPAQUE.&Type }, + ... -- For future extensions +} + +WTLSCertificateAttributes ::= SEQUENCE { + value ObjectValue { PKCS15-OPAQUE.&Type }, + ... -- For future extensions +} + +X9-68CertificateAttributes ::= SEQUENCE { + value ObjectValue { PKCS15-OPAQUE.&Type }, + ... -- For future extensions +} +CVCertificateAttributes ::= SEQUENCE { + value ObjectValue { PKCS15-OPAQUE.&Type}, + ... -- For future extensions +} + +DataType ::= CHOICE { + opaqueDO DataObject {Opaque}, + externalIDO [0] DataObject {ExternalIDO}, + oidDO [1] DataObject {OidDO}, + ... -- For future extensions +} + +DataObject {DataObjectAttributes} ::= PKCS15Object { + CommonDataObjectAttributes, NULL, DataObjectAttributes} + +Opaque ::= ObjectValue {PKCS15-OPAQUE.&Type} + +ExternalIDO ::= ObjectValue {PKCS15-OPAQUE.&Type} + (CONSTRAINED BY {-- All data objects must be defined in + -- accordance with ISO/IEC 7816-6 --}) + +OidDO ::= SEQUENCE { + id OBJECT IDENTIFIER, + value ObjectValue {PKCS15-OPAQUE.&Type} +} + +AuthenticationType ::= CHOICE { + pin AuthenticationObject { PinAttributes }, + ..., + biometricTemplate [0] AuthenticationObject {BiometricAttributes}, + authKey [1] AuthenticationObject {AuthKeyAttributes}, + external [2] AuthenticationObject {ExternalAuthObjectAttributes} +} + +AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object { + CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes} + +PinAttributes ::= SEQUENCE { + pinFlags PinFlags, + pinType PinType, + minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength), + storedLength INTEGER (0..pkcs15-ub-storedPinLength), + maxLength INTEGER OPTIONAL, + pinReference [0] Reference DEFAULT 0, + padChar OCTET STRING (SIZE(1)) OPTIONAL, + lastPinChange GeneralizedTime OPTIONAL, + path Path OPTIONAL, + ... -- For future extensions +} + +PinFlags ::= BIT STRING { + case-sensitive (0), + local (1), + change-disabled (2), + unblock-disabled (3), + initialized (4), + needs-padding (5), + unblockingPin (6), + soPin (7), + disable-allowed (8), + integrity-protected (9), + confidentiality-protected (10), + exchangeRefData (11) +} (CONSTRAINED BY { -- 'unblockingPin' and 'soPIN' cannot both be set -- }) + +PinType ::= ENUMERATED {bcd, ascii-numeric, utf8, ..., + half-nibble-bcd, iso9564-1} + +BiometricAttributes ::= SEQUENCE { + bioFlags BiometricFlags, + templateId OBJECT IDENTIFIER, + bioType BiometricType, + bioReference Reference DEFAULT 0, + lastChange GeneralizedTime OPTIONAL, + path Path OPTIONAL, +... -- For future extensions +} + +BiometricFlags ::= BIT STRING { + local (1), + change-disabled (2), + unblock-disabled (3), + initialized (4), + disable-allowed (8), + integrity-protected (9), + confidentiality-protected (10) + } -- Note: bits 0, 5, 6, and 7 are reserved for future use + +BiometricType ::= CHOICE { + fingerPrint FingerPrint, + irisScan [0] IrisScan, + -- Possible extensions: + -- voiceScan VoiceScan, + -- faceScan FaceScan, + -- retinaScan Retinascan, + -- handGeometry HandGeometry, + -- writeDynamics WriteDynamics, + -- keyStrokeDynamicsKeyStrokeDynamics, + -- lipDynamics LipDynamics, + ... -- For future extensions +} + +FingerPrint ::= SEQUENCE { + hand ENUMERATED {left, right}, + finger ENUMERATED {thumb, pointerFinger, middleFinger, + ringFinger, littleFinger}, + ... +} + +IrisScan ::= SEQUENCE { + eye ENUMERATED {left, right}, + ... +} + +ExternalAuthObjectAttributes ::= CHOICE { + authKeyAttributes AuthKeyAttributes, + certBasedAttributes [0] CertBasedAuthenticationAttributes, + ... -- For future extensions +} + +AuthKeyAttributes ::= SEQUENCE { + derivedKey BOOLEAN DEFAULT TRUE, + authKeyId Identifier, + ... -- For future extensions +} + +CertBasedAuthenticationAttributes ::= SEQUENCE { + cha OCTET STRING, + ... +} + +TokenInfo ::= SEQUENCE { + version INTEGER {v1(0)} (v1,...), + serialNumber OCTET STRING, + manufacturerID Label OPTIONAL, + label [0] Label OPTIONAL, + tokenflags TokenFlags, + seInfo SEQUENCE OF SecurityEnvironmentInfo OPTIONAL, + recordInfo [1] RecordInfo OPTIONAL, + supportedAlgorithms [2] SEQUENCE OF AlgorithmInfo OPTIONAL, + ..., + issuerId [3] Label OPTIONAL, + holderId [4] Label OPTIONAL, + lastUpdate [5] LastUpdate OPTIONAL, + preferredLanguage PrintableString OPTIONAL -- In accordance with + -- IETF RFC 1766 +} (CONSTRAINED BY { -- Each AlgorithmInfo.reference value must be unique --}) + +TokenFlags ::= BIT STRING { + readonly (0), + loginRequired (1), + prnGeneration (2), + eidCompliant (3) +} + +SecurityEnvironmentInfo ::= SEQUENCE { + se INTEGER (0..pkcs15-ub-seInfo), + owner OBJECT IDENTIFIER, + ... -- For future extensions +} + +RecordInfo ::= SEQUENCE { + oDFRecordLength [0] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL, + prKDFRecordLength [1] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL, + puKDFRecordLength [2] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL, + sKDFRecordLength [3] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL, + cDFRecordLength [4] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL, + dODFRecordLength [5] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL, + aODFRecordLength [6] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL +} + +AlgorithmInfo ::= SEQUENCE { + reference Reference, + algorithm PKCS15-ALGORITHM.&id({AlgorithmSet}), + parameters PKCS15-ALGORITHM.&Parameters({AlgorithmSet}{@algorithm}), + supportedOperations + PKCS15-ALGORITHM.&Operations({AlgorithmSet}{@algorithm}), + algId PKCS15-ALGORITHM.&objectIdentifier({AlgorithmSet}{@algorithm}) + OPTIONAL, + algRef Reference OPTIONAL +} + +PKCS15-ALGORITHM ::= CLASS { + &id INTEGER UNIQUE, + &Parameters, + &Operations Operations, + &objectIdentifier OBJECT IDENTIFIER OPTIONAL +} WITH SYNTAX { + PARAMETERS &Parameters OPERATIONS &Operations ID &id [OID &objectIdentifier]} + +PKCS15-OPAQUE ::= TYPE-IDENTIFIER + +PublicKeyOperations ::= Operations + +Operations ::= BIT STRING { + compute-checksum (0), -- H/W computation of checksum + compute-signature (1), -- H/W computation of signature + verify-checksum (2), -- H/W verification of checksum + verify-signature (3), -- H/W verification of signature + encipher (4), -- H/W encryption of data + decipher (5), -- H/W decryption of data + hash (6), -- H/W hashing + generate-key (7) -- H/W key generation + } + +pkcs15-alg-null PKCS15-ALGORITHM ::= { + PARAMETERS NULL OPERATIONS {{generate-key}} ID -1} + +AlgorithmSet PKCS15-ALGORITHM ::= { + pkcs15-alg-null, + ... -- See PKCS #11 for values for the &id field (and parameters) + } + +LastUpdate ::= CHOICE { + generalizedTime GeneralizedTime, + referencedTime ReferencedValue {GeneralizedTime}, + ... -- For future extensions + } + +-- Soft token related types and objects + +EnvelopedData {Type} ::= SEQUENCE { + version INTEGER{v0(0),v1(1),v2(2),v3(3),v4(4)}(v0|v1|v2,...), + originatorInfo [0] OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + encryptedContentInfo EncryptedContentInfo{Type}, + unprotectedAttrs [1] SET SIZE (1..MAX) OF Attribute OPTIONAL +} + +EncryptedContentInfo {Type} ::= SEQUENCE { + contentType OBJECT IDENTIFIER, + contentEncryptionAlgorithm AlgorithmIdentifier {{KeyDerivationAlgorithms}}, + encryptedContent [0] OCTET STRING OPTIONAL +}(CONSTRAINED BY {-- 'encryptedContent' shall be the result of + -- encrypting DER-encoded value of type -- Type}) + +PKCS15Token ::= SEQUENCE { + version INTEGER {v1(0)} (v1,...), + keyManagementInfo [0] KeyManagementInfo OPTIONAL, + pkcs15Objects SEQUENCE OF PKCS15Objects +} + +KeyManagementInfo ::= SEQUENCE OF SEQUENCE { + keyId Identifier, + keyInfo CHOICE { + recipientInfo RecipientInfo, + passwordInfo [0] PasswordInfo + } +} (CONSTRAINED BY {-- Each keyID must be unique --}) + +PasswordInfo ::= SEQUENCE { + hint Label OPTIONAL, + algId AlgorithmIdentifier {{KeyDerivationAlgorithms}}, + ... +} (CONSTRAINED BY {--keyID shall point to a KEKRecipientInfo--}) + +KeyDerivationAlgorithms ALGORITHM-IDENTIFIER ::= { + PBKDF2Algorithms, + ... -- For future extensions +} + +CMS3DESwrap ::= NULL + +KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= { + {CMS3DESwrap IDENTIFIED BY id-alg-CMS3DESwrap} | + {INTEGER IDENTIFIED BY id-alg-CMSRC2wrap}, + ... -- For future extensions +} + +DES-IV ::= OCTET STRING (SIZE(8)) + +ContentEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= { + SupportingAlgorithms EXCEPT {NULL IDENTIFIED BY id-hmacWithSHA1}, + ... -- For future extensions +} + +MACAlgorithms ALGORITHM-IDENTIFIER ::= { + {NULL IDENTIFIED BY hMAC-SHA1}, + ... -- For future extensions +} + +DigestAlgorithms ALGORITHM-IDENTIFIER ::= { + {NULL IDENTIFIED BY sha-1}, + ... -- For future extensions +} + +-- Misc + +DDO ::= SEQUENCE { + oid OBJECT IDENTIFIER, + odfPath Path OPTIONAL, + tokenInfoPath [0] Path OPTIONAL, + unusedPath [1] Path OPTIONAL, + ... -- For future extensions +} + +DIRRecord ::= [APPLICATION 1] SEQUENCE { + aid [APPLICATION 15] OCTET STRING, + label [APPLICATION 16] UTF8String OPTIONAL, + path [APPLICATION 17] OCTET STRING, + ddo [APPLICATION 19] DDO OPTIONAL +} + +UnusedSpace ::= SEQUENCE { + path Path (WITH COMPONENTS {..., index PRESENT, length PRESENT}), + authId Identifier OPTIONAL, + ..., + accessControlRules SEQUENCE OF AccessControlRule OPTIONAL +} + +END