remove old documentation (replaced by wiki).

git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2812 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
aj 2006-01-12 09:36:16 +00:00
parent de4b5c280f
commit 8fac2eaac2
11 changed files with 1 additions and 5386 deletions

View File

@ -1,6 +1,6 @@
# Process this file with automake to create Makefile.in
SUBDIRS = . old
SUBDIRS = .
MAINTAINERCLEANFILES = Makefile.in $(HTML) ChangeLog
@ -14,7 +14,6 @@ XML = $(shell ls $(srcdir)/tools/*.xml $(srcdir)/api/*.xml $(srcdir)/api/*/*.xml
index.html:
sh $(srcdir)/export-wiki.sh $(srcdir)
sh $(srcdir)/generate-man.sh $(srcdir)
sh $(srcdir)/old/generate.sh $(srcdir)/old
ChangeLog:
sh $(srcdir)/changelog.sh $(srcdir)

View File

@ -1,11 +0,0 @@
# Process this file with automake to create Makefile.in
XSLTPROC = @XSLTPROC@
SOURCE = opensc.xml opensc.xsl opensc-es.xml opensc.css opensc.xsl
GENERATE = opensc.html opensc-es.html
NILS = init_perso_guide.html init_perso_guide.txt
MAINTAINERCLEANFILES = Makefile.in $(GENERATE)
EXTRA_DIST = pkcs-15v1_1.asn $(NILS) $(SOURCE) $(GENERATE) doxygen.conf generate.sh

View File

@ -1,7 +0,0 @@
INPUT = ../src/libopensc
FILE_PATTERNS = *.h
PROJECT_NAME = OpenSC
PROJECT_NUMBER = 0.10.0
HIDE_UNDOC_MEMBERS = YES
SORT_MEMBER_DOCS = NO
OPTIMIZE_OUTPUT_FOR_C = YES

View File

@ -1,22 +0,0 @@
#!/bin/bash
set -e
SRCDIR=.
if test -n "$1"
then
SRCDIR="$1"
fi
test -f "$SRCDIR"/`basename $0`
if ! test -w "$SRCDIR"
then
exit 0
fi
xsltproc -o "$SRCDIR"/opensc.html "$SRCDIR"/opensc.xsl "$SRCDIR/"opensc.xml
tidy -im -utf8 -xml "$SRCDIR"/opensc.html || true
xsltproc -o "$SRCDIR"/opensc-es.html "$SRCDIR"/opensc.xsl "$SRCDIR"/opensc-es.xml
tidy -im -utf8 -xml "$SRCDIR"/opensc-es.html || true

View File

@ -1,466 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type"><title>init_perso_guide</title></head>
<body>
<h1>OpenSC card init and perso guide</h1>
<h2>1. Introduction</h2>
<div style="text-align: center;"><span style="font-style: italic;">Nothing
is impossible for the man who doesn't</span><br style="font-style: italic;">
&nbsp;
<span style="font-style: italic;">have
to do it himself. -- A.H. Weiler</span><br>
</div>
<br>
This guide is about initialising and personalising (no distinction
made) cards with the OpenSC library and tools (mostly pkcs15-init).<br>
<br>
Some knowlegde about smart cards is assumed. Below is a short overview
of some key words and concepts. For more info, see the opensc.html
manual.<br>
<br>
<span style="font-weight: bold;">Filesystem - MF - DF - EF - FID</span><br>
A smart cards has a non-volatile memory (EEPROM) in which usually
a PC-like file system is implemented. The directories are called
Dedicated Files (DF) and the files are called Elementary Files (EF).
They are
identified by a File ID (FID) on 2 bytes. For example, the root of
the file system
(called Master File or MF) has FID = 3F 00 (hex).<br>
<br>
<span style="font-weight: bold;">Commands - APDUs</span><br>
It is possible to send commands (APDUs) to the card to select, read,
write, create, list, delete, ... EFs and DFs (not all cards allow all
commands).<br>
<br>
<span style="font-weight: bold;">Access control, PIN, PUK</span><br>
The file system usually implements some sort of access control on EFs
and DFs.<br>
This is usually done by PINs or Keys: you have to provide a PIN or show
knowledge of a key before you can perform some command on some EF/DF. A
PIN is usually accompanied by a PUK (Pin Unblock Key), which can be
used to
reset (or unblock) that PIN.<br>
<br>
<span style="font-weight: bold;">Cryptographic keys</span><br>
On crypto cards, it is also possible to sign, decrypt, key(pair)
generation (what can be done exactly depends on the card). on some
cards, key
and/or PINs are files in the filesystem, on other cards, they don't
exist in the filesystem but are referenced through an ID.<br>
<br>
<span style="font-weight: bold;">Reader - PC/SC - OpenCT - CT-API</span><br>
Smart card readers come with a library that can be used on a PC to send
APDUs to the card. Commonly used APIs for those libraries are PC/SC,
OpenCT
and CT-API.<br>
<br>
<span style="font-weight: bold;">PKCS15</span><br>
There are standards (e.g. ISO7816, parts 4-...) that specify how to
select, read, write, EFs and DFs, and how to sign, decrypt, login, ...<br>
However, there is also a need to know which files contain what, or
where the keys, PINs, .. can be found.<br>
For crypto cards, PCKS15 adresses this need by defining some files that
contain info on where to find keys, certificates, PINs, and other data.
For
example, there is a PrKDF (Private Key Directory File) that contains
the EFs or
ID of the private keys, what those keys can be used for, by which PINs
they
are protected, ... So a "PCKS15 card" is nothing but any other card on
which the right set
of files has been added.<br>
In short: PKCS15 allows you to describe where to find PINS, keys,
certificates and data on a card, plus all the info that is needed to
use them.<br>
<h3>A little PKCS15 example:</h3>
Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
Object Directory File), PrKDF (Private Key Directory File) and CDF
(Certificate Directory File) that contain info on resp. the PINs,
private keys and certificates. Each of them contains 1 entry.<br>
<br>
AODF:
<pre> Com. Flags : private, modifiable<br> Auth ID : 01<br> Flags : [0x32], local, initialized, needs-padding<br> Length : min_len:4, max_len:8, stored_len:8<br> Pad char : 0x00<br> Reference : 1<br> Encoding : ASCII-numeric<br> Path : 3F005015<br></pre>
PrKDF:
<pre> Com. Flags : private, modifiable<br> Com. Auth ID: 01<br> Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep<br> Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local<br> ModLength : 1024<br> Key ref : 0<br> Native : yes<br> Path : 3F00501530450012<br> ID : 45<br></pre>
X.509 Certificate [/C=BE/ST=...]
<pre> Com. Flags : modifiable<br> Authority : no<br> Path : 3f0050154545<br> ID : 45</pre>
Some things to note:<br>
<ul>
<li>The Auth ID (01) of the private key is the same as the one of the
PIN which
means
that you first have to do a login with this PIN before
you can use this key.</li>
<li>The key is in an EF with ID = 0012 in the DF with ID = 3045,
which
on it is turn is a DF with ID 5015, which on it is turn is a DF of
the MF (3F00).</li>
<li>The private key and certificates share the same ID (45), which
means that they
belong together.</li>
<li>The certificate is in the EF with as path: 3F00\5015\3045
and is no CA
certificate.</li>
</ul>
Use the <span style="font-weight: bold;">tests/p15dump</span> tool to
see yourself what pkcs15 data is on your card, or <span style="font-weight: bold;">tools/opensc-explorer</span> to browse
through the files.<br>
<br>
Have the PKCS15 files a fixed place so everyone can find them? No,
there's only one: the EF(DIR) in the MF and with ID 2F00. That's the
starting
place.<br>
<br>
<h2>2. The OpenSC pkcs15-init library and profiles</h2>
Reading and writing files, PIN verification, signing and decryption
happen in much the same way on all cards. Therefore, the "normal life"
commands have been implemented in OpenSC for all supported cards.<br>
<br>
However, creating and deleting files, PINs and keys is very card
specific and has not yet been implemented for all cards.
Currently, pkcs15-init is implemented for: Cryptoflex, Cyberflex,
CardOS (etoken), GPK, Miocos, Starcos JCOP and Oberthur. (Check
src/pkcs15-init/pkcs15-*.c for possible updates). Because of this, and
because
pkcs15-init is not necessary for "normal life" operations, it has been
put in a separate library and in a separate directory.<br>
<br>
<span style="font-weight: bold;">Profile</span><br>
Because the initialisation/personalisation is so card-specific, it
would be very hard to make a tool or API that accepts all parameters
for all current and future cards.<br>
Therefore, a profile file has been made in OpenSC that contains all the
card-specific parameters. This card-specific profile is read by
card-specific code in the pkcs15-init library each time this library is
used on
that card.<br>
See the *.profile files in src/pkcs15-init/. There is one general file
(pkcs15.profile) and one card-specific profile for each card.<br>
<br>
<span style="font-weight: bold;">Profile options</span><br>
There are currently 3 options you can specify to modify a profile:<br>
<ul>
<li>default: creation/deletion/generation is controlled by the SO PIN
(SO = Security Officer, different from the regular user of the card)</li>
<li>onepin: creation/deletion/generation is controlled by the user
PIN and thus by the user. As a result, only 1 user PIN is possible</li>
<li>small: like default, but suitable for card with little memory</li>
</ul>
<h2>3. pkcs15-init tool</h2>
This is a command-line tool that uses the pkcs15-init library. It
allows you to do all the init/perso things, e.g. add/delete keys,
certificates, PINs and data, generate keys, ... while specifying key
usage, which PIN protects which key, ...<br>
<br>
As said before, not all cards are supported in the pkcs15-init library.
In
that case, the pkcs15-init tool won't work (top 5 questions on the
mailing list:-). To find out which card you have, try "<span style="font-style: italic;">opensc-tool -n</span>"<br>
<br>
Below is explained how to do the operations that are supported by
pkcs15-tool.<br>
Not all options are explained (run "<span style="font-style: italic;">pkcs15-tool
-h</span>" to see them) because some are card-specific or obsolete (or
we don't know about them). Feel free to experiment and explain them
here.<br>
<br>
So the things in this section are fairly general but not guaranteed to
work for all cards. See also the section on "card-specific issues".<br>
<br>
The --reader or -r can be given with any command. By default the first
reader is used. Do "<span style="font-style: italic;">opensc-tool -l</span>"
to see the list of available readers.<br>
<br>
To see the results of what you did, you can do one of the following:<br>
&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-tool --list-pins
--list-public-keys -k -c -C</span><br>
&nbsp;&nbsp; <span style="font-style: italic;">p15dump</span> (in the
src/tests directory)<br>
To see/dump the content of any file, use the <span style="font-style: italic;">opensc-explorer</span> tool.<br>
<h3>* Create the PKCS15 files</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-C {-T} {-p &lt;profile&gt;} </span><span style="font-style: italic;">--so-pin
&lt;PIN&gt; --so-puk &lt;PUK&gt; | --no-so-pin | --pin &lt;PIN&gt;
--puk &lt;PUK&gt;<br>
<br>
</span>This will create the PKCS15 DF (5015) and all the PKCS15 files
(some of which will be empty until a key, PIN, ... will be added). It
must be done before you can do any of the operations below.<br>
<ul>
<li>This operation usually requires a 'transport' key. pkcs15-init
will ask you for this key and propose the default one for that card.
With -T, the default will be used without asking. NOTE: if you get a
"Failed to erase card: PIN code or key incorrect", the transport key is
wrong. Find this key and then try again, DO NOT try the default key
again!</li>
<li>If you want an SO PIN and PUK, do so with the --so-pin and
--so-puk options, or specify --no-so-pin if you don't want to. If you
use
the onpin profile, there is no SO PIN so you should specify --pin and
--puk instead. (So you get: pkcs15-init -CT -p pkcs15+onepin --pin
&lt;PIN&gt; --puk &lt;PUK&gt;)</li>
<li>To specify the profile file + option. The profile file can only
be "pkcs15" for the moment, so you can have:<br>
&nbsp;&nbsp;&nbsp;&nbsp; pkcs15+default : the default (not needed to
specify it)<br>
&nbsp;&nbsp;&nbsp;&nbsp; pkcs15+onepin: for the onepin profile
option<br>
&nbsp;&nbsp;&nbsp;&nbsp; pkcs15+small: for the small
profile option</li>
</ul>
<h3>* Erase the card's content</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-E {-T}</span><br>
<br>
This will delete all keys, PINS, certificates, data that were listed in
PKCS15
files, along with the PKCS15 files themselves.<br>
<ul>
<li>This operation usually requires a 'transport' key. pkcs15-init
will ask you for this key and propose the default one for that card.
With -T, the default will be used without asking. NOTE: if you get a
"Failed to erase card: PIN code or key incorrect", the transport key is
wrong. Find this key and then try again, DO NOT try the default key
again!</li>
</ul>
Note: you can combine erase/create (-E -C or -EC) to erase and then
create<br>
the card's contents, except when you change the profile option.<br>
<h3>* Add a PIN (not possible with the onepin profile option)</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-P {-a &lt;AuthID&gt;} {--pin &lt;PIN&gt;} {--puk &lt;PUK&gt;} {-l
&lt;label&gt;}</span><br>
<ul>
<li>You can specify the AuthID with -a, if you don't do so, a value
that didn't exist yet on the card will be chosen.</li>
<li>Specify the PIN and PUK with --pin and --puk, if you don't do so,
the tool will prompt you for one.</li>
<li>Specify the label (name) of the PIN with -l, or accept the
default label.</li>
</ul>
<h3>* Generate a key pair (on card or in software on the PC)</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-G &lt;keyspec&gt; -a &lt;AuthID&gt; --insecure {-i &lt;ID&gt;}
{--soft}{-u &lt;keyusage&gt;}{-l &lt;privkeylabel&gt;}
{--public-key-label &lt;pubkeylabel&gt;}</span><br>
<br>
This will generate a public and private key pair.<br>
<ul>
<li>The keyspec consist of the key type, rsa or dsa (depends on what
your cards supports), and optinally a slash followed by the keysize in
bits. E.g. "rsa/1024" specifies a 1024 bit RSA key pair. Note: dsa is
not
fully supported.</li>
<li>Specify the AuthID of the PIN that protects this key (from being
used in a signature or decryption operation) with -a; or specify
--insecure if you want the private key to be used without first
providing a PIN.</li>
<li>Specify the ID of the key with -i, otherwise the tool with choose
one.</li>
<li>Specify --soft if you don't want the key pair to be generated
on-chip.</li>
<li>Specify the usage of the private key with -u; if you add a
corresponding certificate later, it should have the same key usage. (Do
"pkcs15-init -u help" for help).</li>
<li>Specify the label (name) of the private key with -l, or accept
the default label.</li>
<li>Specify the label (name) of the public key with
--public-key-label, or accept the default label if you don't do so.</li>
<li>Depending on your card and profile option, you will be prompted
to provide your SO PIN and/or PIN; if you don't want to be prompted,
add them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
NOTE: see the SSL engines (below) on how to make a certificate request
with the key you generated.<br>
<h3>* Add a private key</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-S &lt;keyfile&gt; {-f &lt;keyformat&gt;} -a &lt;AuthID&gt; --insecure
{-i &lt;ID&gt;} {-u &lt;keyusage&gt;} {--passphrase &lt;password&gt;}
{-l &lt;label&gt;}</span><br>
<ul>
<li>The keyfile should be in DER (binary) or PEM format.</li>
<li>The keyformat should be PEM (default) or DER.</li>
<li>Specify the AuthID of the PIN that protects this key (from being
used in a signature or decryption operation) with -a; or specify
--insecure if you want the private key to be used without first
providing a PIN.</li>
<li>Specify the ID of the key with -i</li>
&lt;&gt;Specify the usage of the private key with -u; if you add a
corresponding certificate later, it should have the same key usage. (Do
"pkcs15-init -u help" for help). <li>Specify the label (name) of
the with -l, or accept the
default label.</li>
<li>Depending on your card and profile option, you will be prompted
to provide your SO PIN and/or PIN; if you don't want to be prompted,
add them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h3>* Add a private key + certificate(s) (in a pkcs12 file)</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-S &lt;pkcs12file&gt; -f PKCS12 -a &lt;AuthID&gt; {--insecure} {-i
&lt;ID&gt;} {-u &lt;keyusage&gt;} {--passphrase &lt;password&gt;} {-l
&lt;privkeylabel&gt;} {--cert-label &lt;usercertlabel&gt;}</span><br>
<br>
This adds the private key and certificate chain to the card. If a
certificate already exists on the card, it won't be added again.<br>
<ul>
<li>Specify the AuthID of the PIN that protects this key (from being
used in a signature or decryption operation) with -a; or specify
--insecure if you want the private key to be used without first
providing a PIN.</li>
<li>Specify the ID of the key and the corresponding certificate with
-i,
otherwise the tool with choose one; only the 'user cert' will get the
same ID as the key, the other certificates will get 'authority' status
and
another ID.</li>
<li>You can specify the key-usage, but it is not advised to do this
so the key usage from the certificate is used.</li>
<li>Specify the password of the pkcs12 key file if you don't want to
be prompted for one.</li>
<li>Specify the label (name) of the private key with -l, or accept
the default label.</li>
<li>Specify the label (name) of the user certificate with
--cert-label, or accept the default label.</li>
<li>Depending on your card and profile option, you will be prompted
to provide your SO PIN and/or PIN; if you don't want to be prompted,
add them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h3>* Add a certificate</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="font-style: italic;">
pkcs15-init -W &lt;certfile&gt; {-f &lt;certformat&gt;} {-i &lt;ID&gt;}
{--authority}</span><br>
<ul>
<li>The certfile should be in DER (binary) or PEM format</li>
<li>The certformat should be PEM (default) or DER</li>
<li>Specify the ID of the certificate with -i, otherwise the tool
with
choose one; if the certificate corresponds to a private and/or public
key, you
should specify the same ID as that key.</li>
<li>Specify --authority if it is a CA certificate.</li>
<li>Depending on your card and profile option, you will be prompted
to
provide your SO PIN and/or PIN; if you don't want to be prompted, add
them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h3>* Add a public key</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
--store-public-key &lt;keyfile&gt; {-f &lt;keyformat&gt;} {-i
&lt;ID&gt;} {-l &lt;label&gt;}</span><br>
<ul>
<li>The keyfile should be in DER (binary) or PEM format</li>
<li>The keyformat should be PEM (default) or DER</li>
<li>Specify the ID of the key with -i, otherwise the tool with choose
one; if the key corresponds to a private key and/or certificate, you
should
specify the same ID as that private key and/or certificate.</li>
<li>Specify the label (name) of the with -l, or accept the
default label.</li>
<li>Depending on your card and profile option, you will be prompted
to
provide your SO PIN and/or PIN; if you don't want to be prompted, add
them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h3>* Add data</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-W &lt;datafile&gt; {-i &lt;ID&gt;} {-l &lt;label&gt;}</span><br>
<ul>
<li>The datafile is stored "as is" onto the card.</li>
<li>Specify the ID of the data with -i, or accept the default ID.</li>
<li>Specify the label (name) of the with -l, or accept the
default label.</li>
<li>Depending on your card and profile option, you will be prompted
to
provide your SO PIN and/or PIN; if you don't want to be prompted, add
them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h2>4. Other tools</h2>
<h3>* SSL-engines</h3>
These libraries can be loaded in OpenSSL so you can do a certificate
request with the openssl tool; the signature on the certificate request
will
then be made with the smart card. The result can then be sent to a CA
for certification, the resulting certificate can be put on the card
with
pkcs15-init or pkcs11-tool.<br>
<ul>
<li>Run openssl</li>
<li>On the openssl command prompt, type<br>
&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">engine dynamic
-pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD</span><br>
&nbsp;or<br>
&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">engine dynamic
-pre
SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD</span><br>
depending on which one of the 2 engines (pkcs11 or opensc) you want to
use.</li>
</ul>
<ul>
<li>Then type (on the openssl command prompt)<br>
&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">req -engine
pkcs11 -new -key &lt;ID&gt; -keyform engine -out &lt;cert_req&gt;</span><br>
or<span style="font-style: italic;"><br>
</span><span style="font-style: italic;">&nbsp;&nbsp;&nbsp;&nbsp;
req -engine opensc -new -key &lt;ID&gt; -keyform engine -out
&lt;cert_req&gt;</span><br>
in which ID is the slot+ID in the following format:<br>
&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">[slot_&lt;slotID&gt;][-][id_&lt;ID&gt;]</span>,
e.g. <span style="font-style: italic;">id_45</span> or <span style="font-style: italic;">slot_0-id_45</span><br>
</li>
</ul>
<h3>* pkcs11-tool and Mozilla/Netscape</h3>
You can use the OpenSC pkcs11 library to generate a keypair in Mozilla
or Netscape, and let the browser generate a certificate request that
is sent to an on-line CA to issue and send you a certificate that is
then added to the card.<br>
<br>
Just go to an online CA (Globalsign, Thawte, ...) and follow their
guidelines. Because such a request either costs you or at least
requires you to provide a valid mail address, it is advisable to first
try you card with "<span style="font-weight: bold;">pkcs11-tool
--moz-cert
&lt;cert_file_in_der_format&gt; --login</span>".<br>
<br>
NOTE: This can only be done with the onepin profile option (because the
browser won't ask for an SO PIN, only for the user PIN).<br>
<br>
<h2>5. Card-specific issues</h2>
<div style="text-align: center;"><span style="font-style: italic;">Experience
is that marvelous thing that enables you to recognize</span><br style="font-style: italic;">
<span style="font-style: italic;">a mistake when you make it again. --
Franklin P. Jones</span><br>
</div>
<br>
<span style="font-weight: bold;">Cryptoflex:</span><br>
<ul>
<li>DFs and EFs in a DF have to be deleted in reverse order of
creation.<br>
OpenSC relies on this fact for security, but also has some downsides.
For example, if you did a "pkcs15-init -C" and then added some EFs or
DFs in the MF, you won't be able to do a "pkcs15-init -E" afterwards to
remove the PKCS15 DF (5015). So you'll first have to manually remove
all EFs/DFs you created in the MF before being able remove the pkcs15
DF.<br>
</li>
</ul>
<span style="font-weight: bold;">Starcos SPK 2.3:</span><br>
<ul>
<li>Due to the way Starcos SPK 2.3 manages access rights it is
necessary to manually call "pkcs15-init --finalize" after card
personalization if no SO-PIN has been specified. Once the card has been
finalized it is no possible to add new private/secrets keys or PINs. If
a SO-PIN is used the card will automatically be finalized after the
SO-PIN has been stored.</li>
<li>If an SO-PIN is used and if there is enough space in the key file
left, then the owner of the SO-PIN can access/use every protected item
by creating a PIN for the necessary state.</li>
</ul>
<br>
</body></html>

View File

@ -1,380 +0,0 @@
1. Introduction
===============
Nothing is impossible for the man who doesn't
have to do it himself. -- A.H. Weiler
This guide is about initialising and personalising (no distinction made) cards
with the OpenSC library and tools (mostly pkcs15-init).
Some knowlegde about smart cards is assumed. Below is a short overview of some
key words and concepts. For more info, see the opensc.html manual.
Filesystem - MF - DF - EF - FID
A smart cards has a non-volatile memory (EEPROM) in which usually a
PC-like file system is implemented. The directories are called Dedicated Files
(DF) and the files are called Elementary Files (EF). They are identified by a
a File ID (FID) on 2 bytes. For example, the root of the file system (called
Master File or MF) has FID = 3F 00 (hex).
Commands - APDUs
It is possible to send commands (APDUs) to the card to select, read, write,
create, list, delete, ... EFs and DFs (not all cards allow all commands).
Access control, PIN, PUK
The file system usually implements some sort of access control on EFs and DFs.
This is usually done by PINs or Keys: you have to provide a PIN or show
knowledge of a key before you can perform some command on some EF/DF. A PIN
is usually accompanied by a PUK (Pin Unblock Key), which can be used to reset
(or unblock) that PIN.
Cryptographic keys
On crypto cards, it is also possible to sign, decrypt, generate a key pair
(what can be done exactly depends on the card). on some cards, key and/or PINs
are files in the filesystem, on other cards, they don't exist in the
filesystem but are referenced through an ID.
Reader - PC/SC - OpenCT - CT-API
Smart card readers come with a library that can be used on a PC to send APDUs
to the card. Commonly used APIs for those libraries are PC/SC, OpenCT and
CT-API.
PKCS15
There are standards (e.g. ISO7816, parts 4-...) that specify how to select,
read, write, EFs and DFs, and how to sign, decrypt, login, ...
However, there is also a need to know which files contain what, or where the
keys, PINs, .. can be found.
For crypto cards, PCKS15 adresses this need by defining some files that contain
info on where to find keys, certificates, PINs, and other data. For example,
there is a PrKDF (Private Key Directory File) that contains the EFs or ID of
the private keys, what those keys can be used for, by which PINs they are
protected, ...
So a "PCKS15 card" is nothing but any other card on which the right set of
files has been added.
In short: PKCS15 allows you to describe where to find PINs, keys, certificates
and data on a card, plus all the info that is needed to use them.
A little PKCS15 example:
Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
Object Directory File), PrKDF (Private Key Directory File) and CDF
(Certificate Directory File) that contain info on resp. the PINs, private
keys and certificates. Each of them contains 1 entry.
AODF:
Com. Flags : private, modifiable
Auth ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Encoding : ASCII-numeric
Path : 3F005015
PrKDF:
Com. Flags : private, modifiable
Com. Auth ID: 01
Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 0
Native : yes
Path : 3F00501530450012
ID : 45
X.509 Certificate [/C=BE/ST=...]
Com. Flags : modifiable
Authority : no
Path : 3f0050154545
ID : 45
Some things to note:
- The Auth ID (01) of the private key is the same as the one of the PIN which
means that you first have to do a login with this PIN before you can use
this key.
- The key is in an EF with ID = 0012 in the DF with ID = 3045, which on its
turn is a DF with ID = 5015, which on its turn is a DF of the MF (3F00).
- The private key and certificate share the same ID (45), which means that they
belong together.
- The cert is in the EF with as path: 3F00\5015\4545 and is no CA cert.
Use the tests/p15dump tool to see yourself what pkcs15 data is on
your card, or tools/opensc-explorer to browse through the files.
Have the PKCS15 files a fixed place so everyone can find them? No, there's
only one: the EF(DIR) in the MF and with ID 2F00. That's the starting place.
2. The OpenSC pkcs15-init library and profiles
==============================================
Reading and writing files, PIN verification, signing and decryption happen in
much the same way on all cards. Therefore, the "normal life" commands have
been implemented in OpenSC for all supported cards.
However, creating and deleting files, PINs and keys is very card specific and
has not yet been implemented for all cards. Currently, pkcs15-init is
implemented for: Cryptoflex, Cyberflex, CardOS (etoken), GPK, Miocos, Starcos
JCOP and Oberthur. (Check src/pkcs15init/pkcs15-*.c for possible updates).
Because of this, and because pkcs15-init is not necessary for "normal life"
operations, it has been put in a separate library and in a separate directory.
Profile
Because the initialisation/personalisation is so card-specific, it would be
very hard to make a tool or API that accepts all parameters for all current
and future cards. Therefore, a profile file has been made in OpenSC that
contains all the card-specific parameters. This card-specific profile is read
by card-specific code in the pkcs15-init library each time this library is
used on that card.
See the *.profile files in src/pkcs15init/. There is one general file
(pkcs15.profile) and one card-specific profile for each card.
Profile options
There are currently 3 options you can specify to modify a profile:
- default: creation/deletion/generation is controlled by the SO PIN (SO =
Security Officer, different from the regular user of the card)
- onepin: creation/deletion/generation is controlled by the user PIN and thus
by the user. As a result, only 1 user PIN is possible
- small: like default, but suitable for card with little memory
3. pkcs15-init tool
===================
This is a command-line tool that uses the pkcs15-init library. It allows you
to do all the init/perso things, e.g. add/delete keys, certificates, PINs and
data, generate keys, ... while specifying key usage, which PIN protects
which key, ...
As said before, not all cards are supported in the pkcs15-init library. In that
case, the pkcs15-init tool won't work (top 5 questions on the mailing list :-).
To find out which card you have, try "opensc-tool -n"
Below is explained how to do the operations that are supported by pkcs15-tool.
Not all options are explained (run "pkcs15-tool -h" to see them) because some
are card-specific or obsolete (or we don't know about them). Feel free to
experiment and explain them here.
So the things in this section are fairly general but not guaranteed to work
for all cards. See also the section on "card-specific issues".
The --reader or -r can be given with any command. By default the first reader
is used. Do "opensc-tool -l" to see the list of available readers.
To see the results of what you did, you can do one of the following:
pkcs15-tool --list-pins --list-public-keys -k -c -C
p15dump (in the src/tests directory)
To see/dump the content of any file, use the opensc-explorer tool.
* Create the PKCS15 files
pkcs15-init -C {-T} {-p <profile>}
--so-pin <PIN> --so-puk <PUK> | --no-so-pin | --pin <PIN> --puk <PUK>
This will create the PKCS15 DF (5015) and all the PKCS15 files (some of which
will be empty until a key, PIN, ... will be added). It must be done before you
can do any of the operations below.
- This operation usually requires a 'transport' key. pkcs15-init will ask you
for this key and propose the default one for that card. With -T, the default
key will be used without asking. NOTE: if you get a "Failed to erase card:
PIN code or key incorrect", the transport key is wrong. Find this key and
then try again, DO NOT try with the default key again!
- If you want an SO PIN and PUK, do so with the --so-pin and --so-puk options,
or specify --no-so-pin if you don't want them. If you use the onepin profile,
there is no SO PIN so you should specify --pin and --puk instead.
(So you get: pkcs15-init -CT -p pkcs15+onepin --pin <PIN> --puk <PUK>)
- To specify the profile file + option. The profile file can only be "pkcs15"
for the moment, so you can have:
pkcs15+default : the default (not needed to specify it)
pkcs15+onepin : for the onepin profile option
pkcs15+small : for the small profile option
* Erase the card's content
pkcs15-init -E {-T}
This will delete all keys, PINs, certificates, data that were listed in PKCS15
files, along with the PKCS15 files themselves.
- This operation usually requires a 'transport' key. pkcs15-init will ask you
for this key and propose the default one for that card. With -T, the default
key will be used without asking. NOTE: if you get a "Failed to erase card:
PIN code or key incorrect", the transport key is wrong. Find this key and
then try again, DO NOT try the default key again!
Note: you can combine erase/create (-E -C or -EC) to erase and then create
the card's contents, except when you change the profile option.
* Add a PIN (not possible with the onepin profile option)
pkcs15-init -P {-a <AuthID>} {--pin <PIN>} {--puk <PUK>} {-l <label>}
- You can specify the AuthID with -a, if you don't do so, a value that didn't
exist yet on the card will be used.
- Specify the PIN and PUK with --pin and --puk, if you don't do so, the tool
will prompt you for one.
- Specify the label (name) of the PIN with -l, or accept the default label.
* Generate a key pair (on card or in software on the PC)
pkcs15-init -G <keyspec> -a <AuthID> --insecure {-i <ID>} {--soft}
{-u <keyusage>}
{-l <privkeylabel>} {--public-key-label <pubkeylabel>}
This will generate a public and private key pair.
- The keyspec consist of the key type, rsa or dsa (depends on what your card
supports), and optinally a slash followed by the keysize in bits. E.g.
"rsa/1024" specifies a 1024-bit RSA key pair. Note: dsa is not fully
supported.
- Specify the AuthID of the PIN that protects this key (protect from being
used in a signature or decryption operation) with -a; or specify --insecure
if you want the private key to be used without first providing a PIN.
- Specify the ID of the key with -i, otherwise the tool will choose one.
- Specify --soft if you don't want the key pair to be generated on card.
- Specify the usage of the private key with -u; if you add a
corresponding certificate later, it should have the same key usage.
(Do "pkcs15-init -u help" for help).
- Specify the label (name) of the private key with -l, or accept the default
label.
- Specify the label (name) of the public key with --public-key-label, or
accept the default label.
- Depending on your card and profile option, you will be prompted to provide
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
command line with --so-pin <SOPIN> and/or --pin <PIN>.
NOTE: see the SSL engines (below) on how to make a certificate request with
the key you generated.
* Add a private key
pkcs15-init -S <keyfile> {-f <keyformat>} -a <AuthID> --insecure
{-i <ID>} {-u <keyusage>} {--passphrase <password>}
{-l <label>}
- The keyfile should be in DER (binary) or PEM format.
- The keyformat should be PEM (default) or DER.
- Specify the AuthID of the PIN that protects the private key (from being used
in a signature or decryption operation) with -a; or specify --insecure if
you want the private key to be used without first providing a PIN
- Specify the ID of the key with -i
- Specify the usage of the private key with -u; if you add a
corresponding certificate later, it should have the same key usage.
(Do "pkcs15-init -u help" for help).
- Specify the label (name) of the with -l, or accept the default label if
you don't do so.
- Depending on your card and profile option, you will be prompted to provide
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
command line with --so-pin <SOPIN> and/or --pin <PIN>.
* Add a private key + certificate(s) (in a pkcs12 file)
pkcs15-init -S <pkcs12file> -f PKCS12 -a <AuthID> {--insecure} {-i <ID>}
{-u <keyusage>} {--passphrase <password>}
{-l <privkeylabel>} {--cert-label <usercertlabel>}
This adds the private key and certificate chain to the card. If a certificate
already exists in the card, it won't be added again.
- Specify the AuthID of the PIN that protects this key (protect from being
used in a signature or decryption operation) with -a; or specify --insecure
if you want the private key to be used without first providing a PIN.
- Specify the ID of the key and the corresponding certificate with -i,
otherwise the tool with choose one; only the 'user cert' will get the same
ID as the key,
the other certificates will get 'authority' status and another ID.
- You can specify the key-usage, but it is advised not to do this so the key
usage is fetched from the certificate.
- Specify the password of the pkcs12 key file if you don't want to be prompted
for one.
- Specify the label (name) of the private key with -l, or accept the default
label if you don't do so.
- Specify the label (name) of the user certificate with --cert-label, or
accept the default label if you don't do so.
- Depending on your card and profile option, you will be prompted to provide
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
command line with --so-pin <SOPIN> and/or --pin <PIN>.
* Add a certificate
pkcs15-init -W <certfile> {-f <certformat>} {-i <ID>} {--authority}
- The certfile should be in DER (binary) or PEM format
- The certformat should be PEM (default) or DER
- Specify the ID of the certificate with -i, otherwise the tool with choose
one; if the certificate corresponds to a private and/or public key, you
should specify the same ID as that key.
- Specify --authority if it is a CA certificate.
- Depending on your card and profile option, you will be prompted to provide
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
command line with --so-pin <SOPIN> and/or --pin <PIN>.
* Add a public key
pkcs15-init --store-public-key <keyfile> {-f <keyformat>} {-i <ID>}
{-l <label>}
- The keyfile should be in DER (binary) or PEM format
- The keyformat should be PEM (default) or DER
- Specify the ID of the key with -i, otherwise the tool with choose one;
if the key corresponds to a private key and/or certificate, you should
specify the same ID as that private key and/or certificate.
- Specify the label (name) of the with -l, or accept the default label if
you don't do so.
- Depending on your card and profile option, you will be prompted to provide
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
command line with --so-pin <SOPIN> and/or --pin <PIN>.
* Add data
pkcs15-init -W <datafile> {-i <ID>} {-l <label>}
- The datafile is stored "as is" onto the card.
- Specify the ID of the data with -i, or accept the default ID.
- Specify the label (name) of the data with -l, or accept the default label.
- Depending on your card and profile option, you will be prompted to provide
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
command line with --so-pin <SOPIN> and/or --pin <PIN>.
4. Other tools
==============
* SSL-engines
These libraries can be loaded in OpenSSL so you can do a certificate request
with the openssl tool; the signature of the certificate request will then be
made using the smart card. The result can then be sent to a CA for
certification or the resulting certificate can be put on the card with pkcs15-init
or pkcs11-tool.
- Run openssl
- On the openssl command prompt, type
engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
or
engine dynamic -pre SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
depending on which one of the 2 engines (pkcs11 or opensc) you want to use.
- Then type (on the openssl command prompt)
req -engine pkcs11 -new -key <ID> -keyform engine -out <cert_req>
or
req -engine opensc -new -key <ID> -keyform engine -out <cert_req>
in which ID is the slot+ID in the following format:
[slot_<slotID>][-][id_<ID>], e.g. id_45 or slot_0-id_45
* pkcs11-tool and Mozilla/Netscape
You can use the OpenSC pkcs11 library to generate a key pair in Mozilla or
Netscape, and let the browser generate a certificate request that is sent
to an on-line CA to issue and send you a certificate that is then added to the
card.
Just go to an online CA (Globalsign, Thawte, ...) and follow their guidelines.
Because such a request either costs you or at least requires you to provide a
valid mail address, it is advisable to first try you card with
"pkcs11-tool --moz-cert <cert_file_in_der_format> --login".
NOTE: This can only be done with the onepin profile option (because the browser
won't ask for an SO PIN, only for the user PIN).
5. Card-specific issues
=======================
Experience is that marvelous thing that enables you to recognize
a mistake when you make it again. -- Franklin P. Jones
Cryptoflex:
- DFs and EFs in a DF have to be deleted in reverse order of creation.
OpenSC relies on this fact for security, but also has some downsides. For
example, if you did a "pkcs15-init -C" and then added some EFs or DFs in the
MF, you won't be able to do a "pkcs15-init -E" afterwards to remove the
PKCS15 DF (5015). So you'll first have to manually remove all EFs/DFs you
created in the MF before being able remove the pkcs15 DF.
Starcos SPK 2.3:
- Due to the way Starcos SPK 2.3 manages access rights it is necessary
to manually call "pkcs15-init --finalize" after card personalization
if no SO-PIN has been specified. Once the card has been finalized it is
not possible to add new private/secret keys or PINs. If a SO-PIN is
used the card will automatically be finalized after the SO-PIN has
been stored.
- If an SO-PIN is used and if there is enough space in the key file left,
then the owner of the SO-PIN can access/use every protected item by
creating a PIN for the necessary state.

File diff suppressed because it is too large Load Diff

View File

@ -1,23 +0,0 @@
.screen {
background-color: #dddddd;
cellspacing:"1";
cellpadding:"1";
}
.prompt {
background-color: #dddddd;
}
.command {
background-color: #dddddd;
}
.title {
}
.toc {
}
.book {
width: 630pt
}

File diff suppressed because it is too large Load Diff

View File

@ -1,11 +0,0 @@
<?xml version='1.0'?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:import href="/usr/share/sgml/docbook/stylesheet/xsl/nwalsh/xhtml/docbook.xsl"/>
<xsl:param name="html.stylesheet" select="'opensc.css'"/>
<xsl:param name="shade.verbatim" select="1"/>
<xsl:param name="html.cleanup" select="1" />
<xsl:param name="generate.section.toc.level" select="0" />
</xsl:stylesheet>

View File

@ -1,869 +0,0 @@
PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-15(15) modules(1) pkcs-15(1)}
-- $Revision$ --
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
informationFramework, authenticationFramework, certificateExtensions
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
usefulDefinitions(0) 3}
Name, Attribute
FROM InformationFramework informationFramework
Certificate, AttributeCertificate, CertificateSerialNumber,
SubjectPublicKeyInfo
FROM AuthenticationFramework authenticationFramework
GeneralNames, KeyUsage
FROM CertificateExtensions certificateExtensions
RecipientInfos, RecipientInfo, OriginatorInfo, sha-1,
id-alg-CMS3DESwrap, id-alg-CMSRC2wrap, hMAC-SHA1, des-ede3-cbc
FROM CryptographicMessageSyntax {iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
cms(1)}
RSAPublicKey
FROM PKCS-1 {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-1(1) modules(0) pkcs-1(1)}
AlgorithmIdentifier, SupportingAlgorithms, PBKDF2Algorithms,
ALGORITHM-IDENTIFIER, id-hmacWithSHA1
FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)}
ECPoint, Parameters
FROM ANSI-X9-62 {iso(1) member-body(2) us(840)
ansi-x962(10045) module(4) 1}
DiffieHellmanPublicNumber, DomainParameters
FROM ANSI-X9-42 {iso(1) member-body(2) us(840)
ansi-x942(10046) module(5) 1}
OOBCertHash
FROM PKIXCMP {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-cmp(9)};
-- Constants
pkcs15-ub-identifier INTEGER ::= 255
pkcs15-ub-reference INTEGER ::= 255
pkcs15-ub-index INTEGER ::= 65535
pkcs15-ub-label INTEGER ::= pkcs15-ub-identifier
pkcs15-lb-minPinLength INTEGER ::= 4
pkcs15-ub-minPinLength INTEGER ::= 8
pkcs15-ub-storedPinLength INTEGER ::= 64
pkcs15-ub-recordLength INTEGER ::= 16383
pkcs15-ub-userConsent INTEGER ::= 15
pkcs15-ub-securityConditions INTEGER ::= 255
pkcs15-ub-seInfo INTEGER ::= 255
-- Object Identifiers
pkcs15 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-15(15)}
pkcs15-mo OBJECT IDENTIFIER ::= {pkcs15 1} -- Modules branch
pkcs15-at OBJECT IDENTIFIER ::= {pkcs15 2} -- Attribute branch
pkcs15-ct OBJECT IDENTIFIER ::= {pkcs15 3} -- Content type branch
-- Content Types
pkcs15-ct-PKCS15Token OBJECT IDENTIFIER ::= {pkcs15-ct 1}
-- Basic types
Identifier ::= OCTET STRING (SIZE (0..pkcs15-ub-identifier))
Reference ::= INTEGER (0..pkcs15-ub-reference)
Label ::= UTF8String (SIZE(0..pkcs15-ub-label))
KEY-IDENTIFIER ::= CLASS {
&id INTEGER UNIQUE,
&Value
} WITH SYNTAX {
SYNTAX &Value IDENTIFIED BY &id
}
CredentialIdentifier {KEY-IDENTIFIER : IdentifierSet} ::= SEQUENCE {
idType KEY-IDENTIFIER.&id ({IdentifierSet}),
idValue KEY-IDENTIFIER.&Value ({IdentifierSet}{@idType})
}
KeyIdentifiers KEY-IDENTIFIER ::= {
issuerAndSerialNumber|
issuerAndSerialNumberHash|
subjectKeyId|
subjectKeyHash |
issuerKeyHash |
issuerNameHash |
subjectNameHash,
...
}
issuerAndSerialNumber KEY-IDENTIFIER::=
{SYNTAX PKCS15-OPAQUE.&Type IDENTIFIED BY 1}
-- As defined in RFC 2630
subjectKeyId KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 2}
-- From x509v3 certificate extension
issuerAndSerialNumberHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 3}
-- Assumes SHA-1 hash of DER encoding of IssuerAndSerialNumber
subjectKeyHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 4}
issuerKeyHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 5}
issuerNameHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 6}
-- SHA-1 hash of DER-encoded issuer name
subjectNameHash KEY-IDENTIFIER ::=
{SYNTAX OCTET STRING IDENTIFIED BY 7}
-- SHA-1 hash of DER-encoded subject name
ReferencedValue {Type} ::= CHOICE {
path Path,
url URL
} (CONSTRAINED BY {-- 'path' or 'url' shall point to an object of
-- type -- Type})
URL ::= CHOICE {
url PrintableString,
urlWithDigest [3] SEQUENCE {
url IA5String,
digest DigestInfoWithDefault
}
}
alg-id-sha1 AlgorithmIdentifier {{DigestAlgorithms}} ::= {
algorithm sha-1,
parameters SHA1Parameters : NULL}
SHA1Parameters ::= NULL
DigestInfoWithDefault ::= SEQUENCE {
digestAlg AlgorithmIdentifier {{DigestAlgorithms}} DEFAULT alg-id-sha1,
digest OCTET STRING (SIZE(8..128))
}
Path ::= SEQUENCE {
path OCTET STRING,
index INTEGER (0..pkcs15-ub-index) OPTIONAL,
length [0] INTEGER (0..pkcs15-ub-index) OPTIONAL
}( WITH COMPONENTS {..., index PRESENT, length PRESENT}|
WITH COMPONENTS {..., index ABSENT, length ABSENT})
ObjectValue { Type } ::= CHOICE {
indirect ReferencedValue {Type},
direct [0] Type,
indirect-protected [1] ReferencedValue {EnvelopedData {Type}},
direct-protected [2] EnvelopedData {Type}
}(CONSTRAINED BY {-- if indirection is being used, then it is
-- expected that the reference points either to a (possibly
-- enveloped) object of type -- Type -- or (key case) to a card-
-- specific key file --})
PathOrObjects {ObjectType} ::= CHOICE {
path Path,
objects [0] SEQUENCE OF ObjectType,
...,
indirect-protected [1] ReferencedValue {EnvelopedData {SEQUENCE OF ObjectType}},
direct-protected [2] EnvelopedData {SEQUENCE OF ObjectType}
}
CommonObjectAttributes ::= SEQUENCE {
label Label OPTIONAL,
flags CommonObjectFlags OPTIONAL,
authId Identifier OPTIONAL,
...,
userConsent INTEGER (1..pkcs15-ub-userConsent) OPTIONAL,
accessControlRules SEQUENCE SIZE (1..MAX) OF AccessControlRule OPTIONAL
} (CONSTRAINED BY {-- authId should be present in the IC card case if
-- flags.private is set. It must equal an authID in one AuthRecord
-- in the AODF -- })
CommonObjectFlags ::= BIT STRING {
private (0),
modifiable (1)
}
AccessControlRule ::= SEQUENCE {
accessMode AccessMode,
securityCondition SecurityCondition,
... -- For future extensions
}
AccessMode ::= BIT STRING {
read (0),
update (1),
execute (2)
}
SecurityCondition ::= CHOICE {
authId Identifier,
not [0] SecurityCondition,
and [1] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
OF SecurityCondition,
or [2] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
OF SecurityCondition,
... -- For future extensions
}
CommonKeyAttributes ::= SEQUENCE {
iD Identifier,
usage KeyUsageFlags,
native BOOLEAN DEFAULT TRUE,
accessFlags KeyAccessFlags OPTIONAL,
keyReference Reference OPTIONAL,
startDate GeneralizedTime OPTIONAL,
endDate [0] GeneralizedTime OPTIONAL,
... -- For future extensions
}
KeyUsageFlags ::= BIT STRING {
encrypt (0),
decrypt (1),
sign (2),
signRecover (3),
wrap (4),
unwrap (5),
verify (6),
verifyRecover (7),
derive (8),
nonRepudiation (9)
}
KeyAccessFlags ::= BIT STRING {
sensitive (0),
extractable (1),
alwaysSensitive (2),
neverExtractable (3),
local (4)
}
CommonPrivateKeyAttributes ::= SEQUENCE {
subjectName Name OPTIONAL,
keyIdentifiers [0] SEQUENCE OF CredentialIdentifier
{{KeyIdentifiers}} OPTIONAL,
... -- For future extensions
}
CommonPublicKeyAttributes ::= SEQUENCE {
subjectName Name OPTIONAL,
...,
trustedUsage [0] Usage OPTIONAL
}
CommonSecretKeyAttributes ::= SEQUENCE {
keyLen INTEGER OPTIONAL, -- keylength (in bits)
... -- For future extensions
}
KeyInfo {ParameterType, OperationsType} ::= CHOICE {
reference Reference,
paramsAndOps SEQUENCE {
parameters ParameterType,
supportedOperations OperationsType OPTIONAL
}
}
CommonCertificateAttributes ::= SEQUENCE {
iD Identifier,
authority BOOLEAN DEFAULT FALSE,
identifier CredentialIdentifier {{KeyIdentifiers}} OPTIONAL,
certHash [0] OOBCertHash OPTIONAL,
...,
trustedUsage [1] Usage OPTIONAL,
identifiers [2] SEQUENCE OF CredentialIdentifier{{KeyIdentifiers}} OPTIONAL,
implicitTrust [3] BOOLEAN DEFAULT FALSE
}
Usage ::= SEQUENCE {
keyUsage KeyUsage OPTIONAL,
extKeyUsage SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
}(WITH COMPONENTS {..., keyUsage PRESENT} |
WITH COMPONENTS {..., extKeyUsage PRESENT})
CommonDataObjectAttributes ::= SEQUENCE {
applicationName Label OPTIONAL,
applicationOID OBJECT IDENTIFIER OPTIONAL,
... -- For future extensions
} (WITH COMPONENTS {..., applicationName PRESENT}|
WITH COMPONENTS {..., applicationOID PRESENT})
CommonAuthenticationObjectAttributes ::= SEQUENCE {
authId Identifier,
... -- For future extensions
}
PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes}
::= SEQUENCE {
commonObjectAttributes CommonObjectAttributes,
classAttributes ClassAttributes,
subClassAttributes [0] SubClassAttributes OPTIONAL,
typeAttributes [1] TypeAttributes
}
PKCS15Objects ::= CHOICE {
privateKeys [0] PrivateKeys,
publicKeys [1] PublicKeys,
trustedPublicKeys [2] PublicKeys,
secretKeys [3] SecretKeys,
certificates [4] Certificates,
trustedCertificates [5] Certificates,
usefulCertificates [6] Certificates,
dataObjects [7] DataObjects,
authObjects [8] AuthObjects,
... -- For future extensions
}
PrivateKeys ::= PathOrObjects {PrivateKeyType}
SecretKeys ::= PathOrObjects {SecretKeyType}
PublicKeys ::= PathOrObjects {PublicKeyType}
Certificates ::= PathOrObjects {CertificateType}
DataObjects ::= PathOrObjects {DataType}
AuthObjects ::= PathOrObjects {AuthenticationType}
PrivateKeyType ::= CHOICE {
privateRSAKey PrivateKeyObject {PrivateRSAKeyAttributes},
privateECKey [0] PrivateKeyObject {PrivateECKeyAttributes},
privateDHKey [1] PrivateKeyObject {PrivateDHKeyAttributes},
privateDSAKey [2] PrivateKeyObject {PrivateDSAKeyAttributes},
privateKEAKey [3] PrivateKeyObject {PrivateKEAKeyAttributes},
... -- For future extensions
}
PrivateKeyObject {KeyAttributes} ::= PKCS15Object {
CommonKeyAttributes, CommonPrivateKeyAttributes, KeyAttributes}
PrivateRSAKeyAttributes ::= SEQUENCE {
value ObjectValue {RSAPrivateKeyObject},
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
RSAPrivateKeyObject ::= SEQUENCE {
modulus [0] INTEGER OPTIONAL, -- n
publicExponent [1] INTEGER OPTIONAL, -- e
privateExponent [2] INTEGER OPTIONAL, -- d
prime1 [3] INTEGER OPTIONAL, -- p
prime2 [4] INTEGER OPTIONAL, -- q
exponent1 [5] INTEGER OPTIONAL, -- d mod (p-1)
exponent2 [6] INTEGER OPTIONAL, -- d mod (q-1)
coefficient [7] INTEGER OPTIONAL -- inv(q) mod p
} (CONSTRAINED BY {-- must be possible to reconstruct modulus and
-- privateExponent from selected fields --})
PrivateECKeyAttributes ::= SEQUENCE {
value ObjectValue {ECPrivateKey},
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
ECPrivateKey ::= INTEGER
PrivateDHKeyAttributes ::= SEQUENCE {
value ObjectValue {DHPrivateKey},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
DHPrivateKey ::= INTEGER -- Diffie-Hellman exponent
PrivateDSAKeyAttributes ::= SEQUENCE {
value ObjectValue {DSAPrivateKey},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
DSAPrivateKey ::= INTEGER
PrivateKEAKeyAttributes ::= SEQUENCE {
value ObjectValue {KEAPrivateKey},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
KEAPrivateKey ::= INTEGER
PublicKeyType ::= CHOICE {
publicRSAKey PublicKeyObject {PublicRSAKeyAttributes},
publicECKey [0] PublicKeyObject {PublicECKeyAttributes},
publicDHKey [1] PublicKeyObject {PublicDHKeyAttributes},
publicDSAKey [2] PublicKeyObject {PublicDSAKeyAttributes},
publicKEAKey [3] PublicKeyObject {PublicKEAKeyAttributes},
... -- For future extensions
}
PublicKeyObject {KeyAttributes} ::= PKCS15Object {
CommonKeyAttributes, CommonPublicKeyAttributes, KeyAttributes}
PublicRSAKeyAttributes ::= SEQUENCE {
value ObjectValue {RSAPublicKeyChoice},
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
RSAPublicKeyChoice ::= CHOICE {
raw RSAPublicKey,
spki [1] SubjectPublicKeyInfo, -- See X.509. Must contain a
-- public RSA key
...
}
PublicECKeyAttributes ::= SEQUENCE {
value ObjectValue {ECPublicKeyChoice},
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
ECPublicKeyChoice ::= CHOICE {
raw ECPoint,
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public EC key
...
}
PublicDHKeyAttributes ::= SEQUENCE {
value ObjectValue {DHPublicKeyChoice},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
DHPublicKeyChoice ::= CHOICE {
raw DiffieHellmanPublicNumber,
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public D-H key
...
}
PublicDSAKeyAttributes ::= SEQUENCE {
value ObjectValue {DSAPublicKeyChoice},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
DSAPublicKeyChoice ::= CHOICE {
raw INTEGER,
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public DSA key.
...
}
PublicKEAKeyAttributes ::= SEQUENCE {
value ObjectValue {KEAPublicKeyChoice},
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
... -- For future extensions
}
KEAPublicKeyChoice ::= CHOICE {
raw INTEGER,
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public KEA key
...
}
SecretKeyType ::= CHOICE {
genericSecretKey SecretKeyObject {GenericSecretKeyAttributes},
rc2key [0] SecretKeyObject {GenericSecretKeyAttributes},
rc4key [1] SecretKeyObject {GenericSecretKeyAttributes},
desKey [2] SecretKeyObject {GenericSecretKeyAttributes},
des2Key [3] SecretKeyObject {GenericSecretKeyAttributes},
des3Key [4] SecretKeyObject {GenericSecretKeyAttributes},
castKey [5] SecretKeyObject {GenericSecretKeyAttributes},
cast3Key [6] SecretKeyObject {GenericSecretKeyAttributes},
cast128Key [7] SecretKeyObject {GenericSecretKeyAttributes},
rc5Key [8] SecretKeyObject {GenericSecretKeyAttributes},
ideaKey [9] SecretKeyObject {GenericSecretKeyAttributes},
skipjackKey [10] SecretKeyObject {GenericSecretKeyAttributes},
batonKey [11] SecretKeyObject {GenericSecretKeyAttributes},
juniperKey [12] SecretKeyObject {GenericSecretKeyAttributes},
rc6Key [13] SecretKeyObject {GenericSecretKeyAttributes},
otherKey [14] OtherKey,
... -- For future extensions
}
SecretKeyObject {KeyAttributes} ::= PKCS15Object {
CommonKeyAttributes, CommonSecretKeyAttributes, KeyAttributes}
OtherKey ::= SEQUENCE {
keyType OBJECT IDENTIFIER,
keyAttr SecretKeyObject {GenericSecretKeyAttributes}
}
GenericSecretKeyAttributes ::= SEQUENCE {
value ObjectValue { OCTET STRING },
... -- For future extensions
}
CertificateType ::= CHOICE {
x509Certificate CertificateObject { X509CertificateAttributes},
x509AttributeCertificate [0] CertificateObject
{X509AttributeCertificateAttributes},
spkiCertificate [1] CertificateObject {SPKICertificateAttributes},
pgpCertificate [2] CertificateObject {PGPCertificateAttributes},
wtlsCertificate [3] CertificateObject {WTLSCertificateAttributes},
x9-68Certificate [4] CertificateObject {X9-68CertificateAttributes},
...,
cvCertificate [5] CertificateObject {CVCertificateAttributes}
}
CertificateObject {CertAttributes} ::= PKCS15Object {
CommonCertificateAttributes, NULL, CertAttributes}
X509CertificateAttributes ::= SEQUENCE {
value ObjectValue { Certificate },
subject Name OPTIONAL,
issuer [0] Name OPTIONAL,
serialNumber CertificateSerialNumber OPTIONAL,
... -- For future extensions
}
X509AttributeCertificateAttributes ::= SEQUENCE {
value ObjectValue { AttributeCertificate },
issuer GeneralNames OPTIONAL,
serialNumber CertificateSerialNumber OPTIONAL,
attrTypes [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
... -- For future extensions
}
SPKICertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type },
... -- For future extensions
}
PGPCertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type },
... -- For future extensions
}
WTLSCertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type },
... -- For future extensions
}
X9-68CertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type },
... -- For future extensions
}
CVCertificateAttributes ::= SEQUENCE {
value ObjectValue { PKCS15-OPAQUE.&Type},
... -- For future extensions
}
DataType ::= CHOICE {
opaqueDO DataObject {Opaque},
externalIDO [0] DataObject {ExternalIDO},
oidDO [1] DataObject {OidDO},
... -- For future extensions
}
DataObject {DataObjectAttributes} ::= PKCS15Object {
CommonDataObjectAttributes, NULL, DataObjectAttributes}
Opaque ::= ObjectValue {PKCS15-OPAQUE.&Type}
ExternalIDO ::= ObjectValue {PKCS15-OPAQUE.&Type}
(CONSTRAINED BY {-- All data objects must be defined in
-- accordance with ISO/IEC 7816-6 --})
OidDO ::= SEQUENCE {
id OBJECT IDENTIFIER,
value ObjectValue {PKCS15-OPAQUE.&Type}
}
AuthenticationType ::= CHOICE {
pin AuthenticationObject { PinAttributes },
...,
biometricTemplate [0] AuthenticationObject {BiometricAttributes},
authKey [1] AuthenticationObject {AuthKeyAttributes},
external [2] AuthenticationObject {ExternalAuthObjectAttributes}
}
AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object {
CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes}
PinAttributes ::= SEQUENCE {
pinFlags PinFlags,
pinType PinType,
minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength),
storedLength INTEGER (0..pkcs15-ub-storedPinLength),
maxLength INTEGER OPTIONAL,
pinReference [0] Reference DEFAULT 0,
padChar OCTET STRING (SIZE(1)) OPTIONAL,
lastPinChange GeneralizedTime OPTIONAL,
path Path OPTIONAL,
... -- For future extensions
}
PinFlags ::= BIT STRING {
case-sensitive (0),
local (1),
change-disabled (2),
unblock-disabled (3),
initialized (4),
needs-padding (5),
unblockingPin (6),
soPin (7),
disable-allowed (8),
integrity-protected (9),
confidentiality-protected (10),
exchangeRefData (11)
} (CONSTRAINED BY { -- 'unblockingPin' and 'soPIN' cannot both be set -- })
PinType ::= ENUMERATED {bcd, ascii-numeric, utf8, ...,
half-nibble-bcd, iso9564-1}
BiometricAttributes ::= SEQUENCE {
bioFlags BiometricFlags,
templateId OBJECT IDENTIFIER,
bioType BiometricType,
bioReference Reference DEFAULT 0,
lastChange GeneralizedTime OPTIONAL,
path Path OPTIONAL,
... -- For future extensions
}
BiometricFlags ::= BIT STRING {
local (1),
change-disabled (2),
unblock-disabled (3),
initialized (4),
disable-allowed (8),
integrity-protected (9),
confidentiality-protected (10)
} -- Note: bits 0, 5, 6, and 7 are reserved for future use
BiometricType ::= CHOICE {
fingerPrint FingerPrint,
irisScan [0] IrisScan,
-- Possible extensions:
-- voiceScan VoiceScan,
-- faceScan FaceScan,
-- retinaScan Retinascan,
-- handGeometry HandGeometry,
-- writeDynamics WriteDynamics,
-- keyStrokeDynamicsKeyStrokeDynamics,
-- lipDynamics LipDynamics,
... -- For future extensions
}
FingerPrint ::= SEQUENCE {
hand ENUMERATED {left, right},
finger ENUMERATED {thumb, pointerFinger, middleFinger,
ringFinger, littleFinger},
...
}
IrisScan ::= SEQUENCE {
eye ENUMERATED {left, right},
...
}
ExternalAuthObjectAttributes ::= CHOICE {
authKeyAttributes AuthKeyAttributes,
certBasedAttributes [0] CertBasedAuthenticationAttributes,
... -- For future extensions
}
AuthKeyAttributes ::= SEQUENCE {
derivedKey BOOLEAN DEFAULT TRUE,
authKeyId Identifier,
... -- For future extensions
}
CertBasedAuthenticationAttributes ::= SEQUENCE {
cha OCTET STRING,
...
}
TokenInfo ::= SEQUENCE {
version INTEGER {v1(0)} (v1,...),
serialNumber OCTET STRING,
manufacturerID Label OPTIONAL,
label [0] Label OPTIONAL,
tokenflags TokenFlags,
seInfo SEQUENCE OF SecurityEnvironmentInfo OPTIONAL,
recordInfo [1] RecordInfo OPTIONAL,
supportedAlgorithms [2] SEQUENCE OF AlgorithmInfo OPTIONAL,
...,
issuerId [3] Label OPTIONAL,
holderId [4] Label OPTIONAL,
lastUpdate [5] LastUpdate OPTIONAL,
preferredLanguage PrintableString OPTIONAL -- In accordance with
-- IETF RFC 1766
} (CONSTRAINED BY { -- Each AlgorithmInfo.reference value must be unique --})
TokenFlags ::= BIT STRING {
readonly (0),
loginRequired (1),
prnGeneration (2),
eidCompliant (3)
}
SecurityEnvironmentInfo ::= SEQUENCE {
se INTEGER (0..pkcs15-ub-seInfo),
owner OBJECT IDENTIFIER,
... -- For future extensions
}
RecordInfo ::= SEQUENCE {
oDFRecordLength [0] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
prKDFRecordLength [1] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
puKDFRecordLength [2] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
sKDFRecordLength [3] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
cDFRecordLength [4] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
dODFRecordLength [5] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
aODFRecordLength [6] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL
}
AlgorithmInfo ::= SEQUENCE {
reference Reference,
algorithm PKCS15-ALGORITHM.&id({AlgorithmSet}),
parameters PKCS15-ALGORITHM.&Parameters({AlgorithmSet}{@algorithm}),
supportedOperations
PKCS15-ALGORITHM.&Operations({AlgorithmSet}{@algorithm}),
algId PKCS15-ALGORITHM.&objectIdentifier({AlgorithmSet}{@algorithm})
OPTIONAL,
algRef Reference OPTIONAL
}
PKCS15-ALGORITHM ::= CLASS {
&id INTEGER UNIQUE,
&Parameters,
&Operations Operations,
&objectIdentifier OBJECT IDENTIFIER OPTIONAL
} WITH SYNTAX {
PARAMETERS &Parameters OPERATIONS &Operations ID &id [OID &objectIdentifier]}
PKCS15-OPAQUE ::= TYPE-IDENTIFIER
PublicKeyOperations ::= Operations
Operations ::= BIT STRING {
compute-checksum (0), -- H/W computation of checksum
compute-signature (1), -- H/W computation of signature
verify-checksum (2), -- H/W verification of checksum
verify-signature (3), -- H/W verification of signature
encipher (4), -- H/W encryption of data
decipher (5), -- H/W decryption of data
hash (6), -- H/W hashing
generate-key (7) -- H/W key generation
}
pkcs15-alg-null PKCS15-ALGORITHM ::= {
PARAMETERS NULL OPERATIONS {{generate-key}} ID -1}
AlgorithmSet PKCS15-ALGORITHM ::= {
pkcs15-alg-null,
... -- See PKCS #11 for values for the &id field (and parameters)
}
LastUpdate ::= CHOICE {
generalizedTime GeneralizedTime,
referencedTime ReferencedValue {GeneralizedTime},
... -- For future extensions
}
-- Soft token related types and objects
EnvelopedData {Type} ::= SEQUENCE {
version INTEGER{v0(0),v1(1),v2(2),v3(3),v4(4)}(v0|v1|v2,...),
originatorInfo [0] OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo{Type},
unprotectedAttrs [1] SET SIZE (1..MAX) OF Attribute OPTIONAL
}
EncryptedContentInfo {Type} ::= SEQUENCE {
contentType OBJECT IDENTIFIER,
contentEncryptionAlgorithm AlgorithmIdentifier {{KeyDerivationAlgorithms}},
encryptedContent [0] OCTET STRING OPTIONAL
}(CONSTRAINED BY {-- 'encryptedContent' shall be the result of
-- encrypting DER-encoded value of type -- Type})
PKCS15Token ::= SEQUENCE {
version INTEGER {v1(0)} (v1,...),
keyManagementInfo [0] KeyManagementInfo OPTIONAL,
pkcs15Objects SEQUENCE OF PKCS15Objects
}
KeyManagementInfo ::= SEQUENCE OF SEQUENCE {
keyId Identifier,
keyInfo CHOICE {
recipientInfo RecipientInfo,
passwordInfo [0] PasswordInfo
}
} (CONSTRAINED BY {-- Each keyID must be unique --})
PasswordInfo ::= SEQUENCE {
hint Label OPTIONAL,
algId AlgorithmIdentifier {{KeyDerivationAlgorithms}},
...
} (CONSTRAINED BY {--keyID shall point to a KEKRecipientInfo--})
KeyDerivationAlgorithms ALGORITHM-IDENTIFIER ::= {
PBKDF2Algorithms,
... -- For future extensions
}
CMS3DESwrap ::= NULL
KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
{CMS3DESwrap IDENTIFIED BY id-alg-CMS3DESwrap} |
{INTEGER IDENTIFIED BY id-alg-CMSRC2wrap},
... -- For future extensions
}
DES-IV ::= OCTET STRING (SIZE(8))
ContentEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
SupportingAlgorithms EXCEPT {NULL IDENTIFIED BY id-hmacWithSHA1},
... -- For future extensions
}
MACAlgorithms ALGORITHM-IDENTIFIER ::= {
{NULL IDENTIFIED BY hMAC-SHA1},
... -- For future extensions
}
DigestAlgorithms ALGORITHM-IDENTIFIER ::= {
{NULL IDENTIFIED BY sha-1},
... -- For future extensions
}
-- Misc
DDO ::= SEQUENCE {
oid OBJECT IDENTIFIER,
odfPath Path OPTIONAL,
tokenInfoPath [0] Path OPTIONAL,
unusedPath [1] Path OPTIONAL,
... -- For future extensions
}
DIRRecord ::= [APPLICATION 1] SEQUENCE {
aid [APPLICATION 15] OCTET STRING,
label [APPLICATION 16] UTF8String OPTIONAL,
path [APPLICATION 17] OCTET STRING,
ddo [APPLICATION 19] DDO OPTIONAL
}
UnusedSpace ::= SEQUENCE {
path Path (WITH COMPONENTS {..., index PRESENT, length PRESENT}),
authId Identifier OPTIONAL,
...,
accessControlRules SEQUENCE OF AccessControlRule OPTIONAL
}
END