870 lines
26 KiB
Groff
870 lines
26 KiB
Groff
PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
|
|
pkcs-15(15) modules(1) pkcs-15(1)}
|
|
|
|
-- $Revision$ --
|
|
|
|
DEFINITIONS IMPLICIT TAGS ::=
|
|
|
|
BEGIN
|
|
|
|
IMPORTS
|
|
|
|
informationFramework, authenticationFramework, certificateExtensions
|
|
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
|
|
usefulDefinitions(0) 3}
|
|
|
|
Name, Attribute
|
|
FROM InformationFramework informationFramework
|
|
|
|
Certificate, AttributeCertificate, CertificateSerialNumber,
|
|
SubjectPublicKeyInfo
|
|
FROM AuthenticationFramework authenticationFramework
|
|
|
|
GeneralNames, KeyUsage
|
|
FROM CertificateExtensions certificateExtensions
|
|
|
|
RecipientInfos, RecipientInfo, OriginatorInfo, sha-1,
|
|
id-alg-CMS3DESwrap, id-alg-CMSRC2wrap, hMAC-SHA1, des-ede3-cbc
|
|
FROM CryptographicMessageSyntax {iso(1) member-body(2)
|
|
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
|
|
cms(1)}
|
|
|
|
RSAPublicKey
|
|
FROM PKCS-1 {iso(1) member-body(2) us(840) rsadsi(113549)
|
|
pkcs(1) pkcs-1(1) modules(0) pkcs-1(1)}
|
|
|
|
AlgorithmIdentifier, SupportingAlgorithms, PBKDF2Algorithms,
|
|
ALGORITHM-IDENTIFIER, id-hmacWithSHA1
|
|
FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
|
|
pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)}
|
|
|
|
ECPoint, Parameters
|
|
FROM ANSI-X9-62 {iso(1) member-body(2) us(840)
|
|
ansi-x962(10045) module(4) 1}
|
|
|
|
DiffieHellmanPublicNumber, DomainParameters
|
|
FROM ANSI-X9-42 {iso(1) member-body(2) us(840)
|
|
ansi-x942(10046) module(5) 1}
|
|
|
|
OOBCertHash
|
|
FROM PKIXCMP {iso(1) identified-organization(3) dod(6)
|
|
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
|
|
id-mod-cmp(9)};
|
|
|
|
-- Constants
|
|
|
|
pkcs15-ub-identifier INTEGER ::= 255
|
|
pkcs15-ub-reference INTEGER ::= 255
|
|
pkcs15-ub-index INTEGER ::= 65535
|
|
pkcs15-ub-label INTEGER ::= pkcs15-ub-identifier
|
|
pkcs15-lb-minPinLength INTEGER ::= 4
|
|
pkcs15-ub-minPinLength INTEGER ::= 8
|
|
pkcs15-ub-storedPinLength INTEGER ::= 64
|
|
pkcs15-ub-recordLength INTEGER ::= 16383
|
|
pkcs15-ub-userConsent INTEGER ::= 15
|
|
pkcs15-ub-securityConditions INTEGER ::= 255
|
|
pkcs15-ub-seInfo INTEGER ::= 255
|
|
|
|
-- Object Identifiers
|
|
|
|
pkcs15 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
|
|
rsadsi(113549) pkcs(1) pkcs-15(15)}
|
|
pkcs15-mo OBJECT IDENTIFIER ::= {pkcs15 1} -- Modules branch
|
|
pkcs15-at OBJECT IDENTIFIER ::= {pkcs15 2} -- Attribute branch
|
|
pkcs15-ct OBJECT IDENTIFIER ::= {pkcs15 3} -- Content type branch
|
|
|
|
-- Content Types
|
|
|
|
pkcs15-ct-PKCS15Token OBJECT IDENTIFIER ::= {pkcs15-ct 1}
|
|
|
|
-- Basic types
|
|
|
|
Identifier ::= OCTET STRING (SIZE (0..pkcs15-ub-identifier))
|
|
|
|
Reference ::= INTEGER (0..pkcs15-ub-reference)
|
|
|
|
Label ::= UTF8String (SIZE(0..pkcs15-ub-label))
|
|
|
|
KEY-IDENTIFIER ::= CLASS {
|
|
&id INTEGER UNIQUE,
|
|
&Value
|
|
} WITH SYNTAX {
|
|
SYNTAX &Value IDENTIFIED BY &id
|
|
}
|
|
|
|
CredentialIdentifier {KEY-IDENTIFIER : IdentifierSet} ::= SEQUENCE {
|
|
idType KEY-IDENTIFIER.&id ({IdentifierSet}),
|
|
idValue KEY-IDENTIFIER.&Value ({IdentifierSet}{@idType})
|
|
}
|
|
|
|
KeyIdentifiers KEY-IDENTIFIER ::= {
|
|
issuerAndSerialNumber|
|
|
issuerAndSerialNumberHash|
|
|
subjectKeyId|
|
|
subjectKeyHash |
|
|
issuerKeyHash |
|
|
issuerNameHash |
|
|
subjectNameHash,
|
|
...
|
|
}
|
|
|
|
issuerAndSerialNumber KEY-IDENTIFIER::=
|
|
{SYNTAX PKCS15-OPAQUE.&Type IDENTIFIED BY 1}
|
|
-- As defined in RFC 2630
|
|
subjectKeyId KEY-IDENTIFIER ::=
|
|
{SYNTAX OCTET STRING IDENTIFIED BY 2}
|
|
-- From x509v3 certificate extension
|
|
issuerAndSerialNumberHash KEY-IDENTIFIER ::=
|
|
{SYNTAX OCTET STRING IDENTIFIED BY 3}
|
|
-- Assumes SHA-1 hash of DER encoding of IssuerAndSerialNumber
|
|
subjectKeyHash KEY-IDENTIFIER ::=
|
|
{SYNTAX OCTET STRING IDENTIFIED BY 4}
|
|
issuerKeyHash KEY-IDENTIFIER ::=
|
|
{SYNTAX OCTET STRING IDENTIFIED BY 5}
|
|
issuerNameHash KEY-IDENTIFIER ::=
|
|
{SYNTAX OCTET STRING IDENTIFIED BY 6}
|
|
-- SHA-1 hash of DER-encoded issuer name
|
|
subjectNameHash KEY-IDENTIFIER ::=
|
|
{SYNTAX OCTET STRING IDENTIFIED BY 7}
|
|
-- SHA-1 hash of DER-encoded subject name
|
|
|
|
ReferencedValue {Type} ::= CHOICE {
|
|
path Path,
|
|
url URL
|
|
} (CONSTRAINED BY {-- 'path' or 'url' shall point to an object of
|
|
-- type -- Type})
|
|
|
|
URL ::= CHOICE {
|
|
url PrintableString,
|
|
urlWithDigest [3] SEQUENCE {
|
|
url IA5String,
|
|
digest DigestInfoWithDefault
|
|
}
|
|
}
|
|
|
|
alg-id-sha1 AlgorithmIdentifier {{DigestAlgorithms}} ::= {
|
|
algorithm sha-1,
|
|
parameters SHA1Parameters : NULL}
|
|
|
|
SHA1Parameters ::= NULL
|
|
|
|
DigestInfoWithDefault ::= SEQUENCE {
|
|
digestAlg AlgorithmIdentifier {{DigestAlgorithms}} DEFAULT alg-id-sha1,
|
|
digest OCTET STRING (SIZE(8..128))
|
|
}
|
|
|
|
Path ::= SEQUENCE {
|
|
path OCTET STRING,
|
|
index INTEGER (0..pkcs15-ub-index) OPTIONAL,
|
|
length [0] INTEGER (0..pkcs15-ub-index) OPTIONAL
|
|
}( WITH COMPONENTS {..., index PRESENT, length PRESENT}|
|
|
WITH COMPONENTS {..., index ABSENT, length ABSENT})
|
|
|
|
ObjectValue { Type } ::= CHOICE {
|
|
indirect ReferencedValue {Type},
|
|
direct [0] Type,
|
|
indirect-protected [1] ReferencedValue {EnvelopedData {Type}},
|
|
direct-protected [2] EnvelopedData {Type}
|
|
}(CONSTRAINED BY {-- if indirection is being used, then it is
|
|
-- expected that the reference points either to a (possibly
|
|
-- enveloped) object of type -- Type -- or (key case) to a card-
|
|
-- specific key file --})
|
|
|
|
PathOrObjects {ObjectType} ::= CHOICE {
|
|
path Path,
|
|
objects [0] SEQUENCE OF ObjectType,
|
|
...,
|
|
indirect-protected [1] ReferencedValue {EnvelopedData {SEQUENCE OF ObjectType}},
|
|
direct-protected [2] EnvelopedData {SEQUENCE OF ObjectType}
|
|
}
|
|
|
|
CommonObjectAttributes ::= SEQUENCE {
|
|
label Label OPTIONAL,
|
|
flags CommonObjectFlags OPTIONAL,
|
|
authId Identifier OPTIONAL,
|
|
...,
|
|
userConsent INTEGER (1..pkcs15-ub-userConsent) OPTIONAL,
|
|
accessControlRules SEQUENCE SIZE (1..MAX) OF AccessControlRule OPTIONAL
|
|
} (CONSTRAINED BY {-- authId should be present in the IC card case if
|
|
-- flags.private is set. It must equal an authID in one AuthRecord
|
|
-- in the AODF -- })
|
|
|
|
CommonObjectFlags ::= BIT STRING {
|
|
private (0),
|
|
modifiable (1)
|
|
}
|
|
|
|
AccessControlRule ::= SEQUENCE {
|
|
accessMode AccessMode,
|
|
securityCondition SecurityCondition,
|
|
... -- For future extensions
|
|
}
|
|
|
|
AccessMode ::= BIT STRING {
|
|
read (0),
|
|
update (1),
|
|
execute (2)
|
|
}
|
|
|
|
SecurityCondition ::= CHOICE {
|
|
authId Identifier,
|
|
not [0] SecurityCondition,
|
|
and [1] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
|
|
OF SecurityCondition,
|
|
or [2] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
|
|
OF SecurityCondition,
|
|
... -- For future extensions
|
|
}
|
|
|
|
CommonKeyAttributes ::= SEQUENCE {
|
|
iD Identifier,
|
|
usage KeyUsageFlags,
|
|
native BOOLEAN DEFAULT TRUE,
|
|
accessFlags KeyAccessFlags OPTIONAL,
|
|
keyReference Reference OPTIONAL,
|
|
startDate GeneralizedTime OPTIONAL,
|
|
endDate [0] GeneralizedTime OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
KeyUsageFlags ::= BIT STRING {
|
|
encrypt (0),
|
|
decrypt (1),
|
|
sign (2),
|
|
signRecover (3),
|
|
wrap (4),
|
|
unwrap (5),
|
|
verify (6),
|
|
verifyRecover (7),
|
|
derive (8),
|
|
nonRepudiation (9)
|
|
}
|
|
|
|
KeyAccessFlags ::= BIT STRING {
|
|
sensitive (0),
|
|
extractable (1),
|
|
alwaysSensitive (2),
|
|
neverExtractable (3),
|
|
local (4)
|
|
}
|
|
|
|
CommonPrivateKeyAttributes ::= SEQUENCE {
|
|
subjectName Name OPTIONAL,
|
|
keyIdentifiers [0] SEQUENCE OF CredentialIdentifier
|
|
{{KeyIdentifiers}} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
CommonPublicKeyAttributes ::= SEQUENCE {
|
|
subjectName Name OPTIONAL,
|
|
...,
|
|
trustedUsage [0] Usage OPTIONAL
|
|
}
|
|
|
|
CommonSecretKeyAttributes ::= SEQUENCE {
|
|
keyLen INTEGER OPTIONAL, -- keylength (in bits)
|
|
... -- For future extensions
|
|
}
|
|
|
|
KeyInfo {ParameterType, OperationsType} ::= CHOICE {
|
|
reference Reference,
|
|
paramsAndOps SEQUENCE {
|
|
parameters ParameterType,
|
|
supportedOperations OperationsType OPTIONAL
|
|
}
|
|
}
|
|
|
|
CommonCertificateAttributes ::= SEQUENCE {
|
|
iD Identifier,
|
|
authority BOOLEAN DEFAULT FALSE,
|
|
identifier CredentialIdentifier {{KeyIdentifiers}} OPTIONAL,
|
|
certHash [0] OOBCertHash OPTIONAL,
|
|
...,
|
|
trustedUsage [1] Usage OPTIONAL,
|
|
identifiers [2] SEQUENCE OF CredentialIdentifier{{KeyIdentifiers}} OPTIONAL,
|
|
implicitTrust [3] BOOLEAN DEFAULT FALSE
|
|
}
|
|
|
|
Usage ::= SEQUENCE {
|
|
keyUsage KeyUsage OPTIONAL,
|
|
extKeyUsage SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
|
|
}(WITH COMPONENTS {..., keyUsage PRESENT} |
|
|
WITH COMPONENTS {..., extKeyUsage PRESENT})
|
|
|
|
CommonDataObjectAttributes ::= SEQUENCE {
|
|
applicationName Label OPTIONAL,
|
|
applicationOID OBJECT IDENTIFIER OPTIONAL,
|
|
... -- For future extensions
|
|
} (WITH COMPONENTS {..., applicationName PRESENT}|
|
|
WITH COMPONENTS {..., applicationOID PRESENT})
|
|
|
|
CommonAuthenticationObjectAttributes ::= SEQUENCE {
|
|
authId Identifier,
|
|
... -- For future extensions
|
|
}
|
|
|
|
PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes}
|
|
::= SEQUENCE {
|
|
commonObjectAttributes CommonObjectAttributes,
|
|
classAttributes ClassAttributes,
|
|
subClassAttributes [0] SubClassAttributes OPTIONAL,
|
|
typeAttributes [1] TypeAttributes
|
|
}
|
|
|
|
PKCS15Objects ::= CHOICE {
|
|
privateKeys [0] PrivateKeys,
|
|
publicKeys [1] PublicKeys,
|
|
trustedPublicKeys [2] PublicKeys,
|
|
secretKeys [3] SecretKeys,
|
|
certificates [4] Certificates,
|
|
trustedCertificates [5] Certificates,
|
|
usefulCertificates [6] Certificates,
|
|
dataObjects [7] DataObjects,
|
|
authObjects [8] AuthObjects,
|
|
... -- For future extensions
|
|
}
|
|
|
|
PrivateKeys ::= PathOrObjects {PrivateKeyType}
|
|
|
|
SecretKeys ::= PathOrObjects {SecretKeyType}
|
|
|
|
PublicKeys ::= PathOrObjects {PublicKeyType}
|
|
|
|
Certificates ::= PathOrObjects {CertificateType}
|
|
|
|
DataObjects ::= PathOrObjects {DataType}
|
|
|
|
AuthObjects ::= PathOrObjects {AuthenticationType}
|
|
|
|
PrivateKeyType ::= CHOICE {
|
|
privateRSAKey PrivateKeyObject {PrivateRSAKeyAttributes},
|
|
privateECKey [0] PrivateKeyObject {PrivateECKeyAttributes},
|
|
privateDHKey [1] PrivateKeyObject {PrivateDHKeyAttributes},
|
|
privateDSAKey [2] PrivateKeyObject {PrivateDSAKeyAttributes},
|
|
privateKEAKey [3] PrivateKeyObject {PrivateKEAKeyAttributes},
|
|
... -- For future extensions
|
|
}
|
|
|
|
PrivateKeyObject {KeyAttributes} ::= PKCS15Object {
|
|
CommonKeyAttributes, CommonPrivateKeyAttributes, KeyAttributes}
|
|
|
|
PrivateRSAKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {RSAPrivateKeyObject},
|
|
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
|
|
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
RSAPrivateKeyObject ::= SEQUENCE {
|
|
modulus [0] INTEGER OPTIONAL, -- n
|
|
publicExponent [1] INTEGER OPTIONAL, -- e
|
|
privateExponent [2] INTEGER OPTIONAL, -- d
|
|
prime1 [3] INTEGER OPTIONAL, -- p
|
|
prime2 [4] INTEGER OPTIONAL, -- q
|
|
exponent1 [5] INTEGER OPTIONAL, -- d mod (p-1)
|
|
exponent2 [6] INTEGER OPTIONAL, -- d mod (q-1)
|
|
coefficient [7] INTEGER OPTIONAL -- inv(q) mod p
|
|
} (CONSTRAINED BY {-- must be possible to reconstruct modulus and
|
|
-- privateExponent from selected fields --})
|
|
|
|
PrivateECKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {ECPrivateKey},
|
|
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
ECPrivateKey ::= INTEGER
|
|
|
|
PrivateDHKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {DHPrivateKey},
|
|
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
DHPrivateKey ::= INTEGER -- Diffie-Hellman exponent
|
|
|
|
PrivateDSAKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {DSAPrivateKey},
|
|
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
DSAPrivateKey ::= INTEGER
|
|
|
|
PrivateKEAKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {KEAPrivateKey},
|
|
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
KEAPrivateKey ::= INTEGER
|
|
|
|
PublicKeyType ::= CHOICE {
|
|
publicRSAKey PublicKeyObject {PublicRSAKeyAttributes},
|
|
publicECKey [0] PublicKeyObject {PublicECKeyAttributes},
|
|
publicDHKey [1] PublicKeyObject {PublicDHKeyAttributes},
|
|
publicDSAKey [2] PublicKeyObject {PublicDSAKeyAttributes},
|
|
publicKEAKey [3] PublicKeyObject {PublicKEAKeyAttributes},
|
|
... -- For future extensions
|
|
}
|
|
|
|
PublicKeyObject {KeyAttributes} ::= PKCS15Object {
|
|
CommonKeyAttributes, CommonPublicKeyAttributes, KeyAttributes}
|
|
|
|
PublicRSAKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {RSAPublicKeyChoice},
|
|
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
|
|
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
RSAPublicKeyChoice ::= CHOICE {
|
|
raw RSAPublicKey,
|
|
spki [1] SubjectPublicKeyInfo, -- See X.509. Must contain a
|
|
-- public RSA key
|
|
...
|
|
}
|
|
|
|
PublicECKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {ECPublicKeyChoice},
|
|
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
ECPublicKeyChoice ::= CHOICE {
|
|
raw ECPoint,
|
|
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public EC key
|
|
...
|
|
}
|
|
|
|
PublicDHKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {DHPublicKeyChoice},
|
|
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
DHPublicKeyChoice ::= CHOICE {
|
|
raw DiffieHellmanPublicNumber,
|
|
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public D-H key
|
|
...
|
|
}
|
|
|
|
PublicDSAKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {DSAPublicKeyChoice},
|
|
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
DSAPublicKeyChoice ::= CHOICE {
|
|
raw INTEGER,
|
|
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public DSA key.
|
|
...
|
|
}
|
|
|
|
PublicKEAKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue {KEAPublicKeyChoice},
|
|
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
KEAPublicKeyChoice ::= CHOICE {
|
|
raw INTEGER,
|
|
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public KEA key
|
|
...
|
|
}
|
|
|
|
SecretKeyType ::= CHOICE {
|
|
genericSecretKey SecretKeyObject {GenericSecretKeyAttributes},
|
|
rc2key [0] SecretKeyObject {GenericSecretKeyAttributes},
|
|
rc4key [1] SecretKeyObject {GenericSecretKeyAttributes},
|
|
desKey [2] SecretKeyObject {GenericSecretKeyAttributes},
|
|
des2Key [3] SecretKeyObject {GenericSecretKeyAttributes},
|
|
des3Key [4] SecretKeyObject {GenericSecretKeyAttributes},
|
|
castKey [5] SecretKeyObject {GenericSecretKeyAttributes},
|
|
cast3Key [6] SecretKeyObject {GenericSecretKeyAttributes},
|
|
cast128Key [7] SecretKeyObject {GenericSecretKeyAttributes},
|
|
rc5Key [8] SecretKeyObject {GenericSecretKeyAttributes},
|
|
ideaKey [9] SecretKeyObject {GenericSecretKeyAttributes},
|
|
skipjackKey [10] SecretKeyObject {GenericSecretKeyAttributes},
|
|
batonKey [11] SecretKeyObject {GenericSecretKeyAttributes},
|
|
juniperKey [12] SecretKeyObject {GenericSecretKeyAttributes},
|
|
rc6Key [13] SecretKeyObject {GenericSecretKeyAttributes},
|
|
otherKey [14] OtherKey,
|
|
... -- For future extensions
|
|
}
|
|
|
|
SecretKeyObject {KeyAttributes} ::= PKCS15Object {
|
|
CommonKeyAttributes, CommonSecretKeyAttributes, KeyAttributes}
|
|
|
|
OtherKey ::= SEQUENCE {
|
|
keyType OBJECT IDENTIFIER,
|
|
keyAttr SecretKeyObject {GenericSecretKeyAttributes}
|
|
}
|
|
|
|
GenericSecretKeyAttributes ::= SEQUENCE {
|
|
value ObjectValue { OCTET STRING },
|
|
... -- For future extensions
|
|
}
|
|
|
|
CertificateType ::= CHOICE {
|
|
x509Certificate CertificateObject { X509CertificateAttributes},
|
|
x509AttributeCertificate [0] CertificateObject
|
|
{X509AttributeCertificateAttributes},
|
|
spkiCertificate [1] CertificateObject {SPKICertificateAttributes},
|
|
pgpCertificate [2] CertificateObject {PGPCertificateAttributes},
|
|
wtlsCertificate [3] CertificateObject {WTLSCertificateAttributes},
|
|
x9-68Certificate [4] CertificateObject {X9-68CertificateAttributes},
|
|
...,
|
|
cvCertificate [5] CertificateObject {CVCertificateAttributes}
|
|
}
|
|
|
|
CertificateObject {CertAttributes} ::= PKCS15Object {
|
|
CommonCertificateAttributes, NULL, CertAttributes}
|
|
|
|
X509CertificateAttributes ::= SEQUENCE {
|
|
value ObjectValue { Certificate },
|
|
subject Name OPTIONAL,
|
|
issuer [0] Name OPTIONAL,
|
|
serialNumber CertificateSerialNumber OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
X509AttributeCertificateAttributes ::= SEQUENCE {
|
|
value ObjectValue { AttributeCertificate },
|
|
issuer GeneralNames OPTIONAL,
|
|
serialNumber CertificateSerialNumber OPTIONAL,
|
|
attrTypes [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
SPKICertificateAttributes ::= SEQUENCE {
|
|
value ObjectValue { PKCS15-OPAQUE.&Type },
|
|
... -- For future extensions
|
|
}
|
|
|
|
PGPCertificateAttributes ::= SEQUENCE {
|
|
value ObjectValue { PKCS15-OPAQUE.&Type },
|
|
... -- For future extensions
|
|
}
|
|
|
|
WTLSCertificateAttributes ::= SEQUENCE {
|
|
value ObjectValue { PKCS15-OPAQUE.&Type },
|
|
... -- For future extensions
|
|
}
|
|
|
|
X9-68CertificateAttributes ::= SEQUENCE {
|
|
value ObjectValue { PKCS15-OPAQUE.&Type },
|
|
... -- For future extensions
|
|
}
|
|
CVCertificateAttributes ::= SEQUENCE {
|
|
value ObjectValue { PKCS15-OPAQUE.&Type},
|
|
... -- For future extensions
|
|
}
|
|
|
|
DataType ::= CHOICE {
|
|
opaqueDO DataObject {Opaque},
|
|
externalIDO [0] DataObject {ExternalIDO},
|
|
oidDO [1] DataObject {OidDO},
|
|
... -- For future extensions
|
|
}
|
|
|
|
DataObject {DataObjectAttributes} ::= PKCS15Object {
|
|
CommonDataObjectAttributes, NULL, DataObjectAttributes}
|
|
|
|
Opaque ::= ObjectValue {PKCS15-OPAQUE.&Type}
|
|
|
|
ExternalIDO ::= ObjectValue {PKCS15-OPAQUE.&Type}
|
|
(CONSTRAINED BY {-- All data objects must be defined in
|
|
-- accordance with ISO/IEC 7816-6 --})
|
|
|
|
OidDO ::= SEQUENCE {
|
|
id OBJECT IDENTIFIER,
|
|
value ObjectValue {PKCS15-OPAQUE.&Type}
|
|
}
|
|
|
|
AuthenticationType ::= CHOICE {
|
|
pin AuthenticationObject { PinAttributes },
|
|
...,
|
|
biometricTemplate [0] AuthenticationObject {BiometricAttributes},
|
|
authKey [1] AuthenticationObject {AuthKeyAttributes},
|
|
external [2] AuthenticationObject {ExternalAuthObjectAttributes}
|
|
}
|
|
|
|
AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object {
|
|
CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes}
|
|
|
|
PinAttributes ::= SEQUENCE {
|
|
pinFlags PinFlags,
|
|
pinType PinType,
|
|
minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength),
|
|
storedLength INTEGER (0..pkcs15-ub-storedPinLength),
|
|
maxLength INTEGER OPTIONAL,
|
|
pinReference [0] Reference DEFAULT 0,
|
|
padChar OCTET STRING (SIZE(1)) OPTIONAL,
|
|
lastPinChange GeneralizedTime OPTIONAL,
|
|
path Path OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
PinFlags ::= BIT STRING {
|
|
case-sensitive (0),
|
|
local (1),
|
|
change-disabled (2),
|
|
unblock-disabled (3),
|
|
initialized (4),
|
|
needs-padding (5),
|
|
unblockingPin (6),
|
|
soPin (7),
|
|
disable-allowed (8),
|
|
integrity-protected (9),
|
|
confidentiality-protected (10),
|
|
exchangeRefData (11)
|
|
} (CONSTRAINED BY { -- 'unblockingPin' and 'soPIN' cannot both be set -- })
|
|
|
|
PinType ::= ENUMERATED {bcd, ascii-numeric, utf8, ...,
|
|
half-nibble-bcd, iso9564-1}
|
|
|
|
BiometricAttributes ::= SEQUENCE {
|
|
bioFlags BiometricFlags,
|
|
templateId OBJECT IDENTIFIER,
|
|
bioType BiometricType,
|
|
bioReference Reference DEFAULT 0,
|
|
lastChange GeneralizedTime OPTIONAL,
|
|
path Path OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
BiometricFlags ::= BIT STRING {
|
|
local (1),
|
|
change-disabled (2),
|
|
unblock-disabled (3),
|
|
initialized (4),
|
|
disable-allowed (8),
|
|
integrity-protected (9),
|
|
confidentiality-protected (10)
|
|
} -- Note: bits 0, 5, 6, and 7 are reserved for future use
|
|
|
|
BiometricType ::= CHOICE {
|
|
fingerPrint FingerPrint,
|
|
irisScan [0] IrisScan,
|
|
-- Possible extensions:
|
|
-- voiceScan VoiceScan,
|
|
-- faceScan FaceScan,
|
|
-- retinaScan Retinascan,
|
|
-- handGeometry HandGeometry,
|
|
-- writeDynamics WriteDynamics,
|
|
-- keyStrokeDynamicsKeyStrokeDynamics,
|
|
-- lipDynamics LipDynamics,
|
|
... -- For future extensions
|
|
}
|
|
|
|
FingerPrint ::= SEQUENCE {
|
|
hand ENUMERATED {left, right},
|
|
finger ENUMERATED {thumb, pointerFinger, middleFinger,
|
|
ringFinger, littleFinger},
|
|
...
|
|
}
|
|
|
|
IrisScan ::= SEQUENCE {
|
|
eye ENUMERATED {left, right},
|
|
...
|
|
}
|
|
|
|
ExternalAuthObjectAttributes ::= CHOICE {
|
|
authKeyAttributes AuthKeyAttributes,
|
|
certBasedAttributes [0] CertBasedAuthenticationAttributes,
|
|
... -- For future extensions
|
|
}
|
|
|
|
AuthKeyAttributes ::= SEQUENCE {
|
|
derivedKey BOOLEAN DEFAULT TRUE,
|
|
authKeyId Identifier,
|
|
... -- For future extensions
|
|
}
|
|
|
|
CertBasedAuthenticationAttributes ::= SEQUENCE {
|
|
cha OCTET STRING,
|
|
...
|
|
}
|
|
|
|
TokenInfo ::= SEQUENCE {
|
|
version INTEGER {v1(0)} (v1,...),
|
|
serialNumber OCTET STRING,
|
|
manufacturerID Label OPTIONAL,
|
|
label [0] Label OPTIONAL,
|
|
tokenflags TokenFlags,
|
|
seInfo SEQUENCE OF SecurityEnvironmentInfo OPTIONAL,
|
|
recordInfo [1] RecordInfo OPTIONAL,
|
|
supportedAlgorithms [2] SEQUENCE OF AlgorithmInfo OPTIONAL,
|
|
...,
|
|
issuerId [3] Label OPTIONAL,
|
|
holderId [4] Label OPTIONAL,
|
|
lastUpdate [5] LastUpdate OPTIONAL,
|
|
preferredLanguage PrintableString OPTIONAL -- In accordance with
|
|
-- IETF RFC 1766
|
|
} (CONSTRAINED BY { -- Each AlgorithmInfo.reference value must be unique --})
|
|
|
|
TokenFlags ::= BIT STRING {
|
|
readonly (0),
|
|
loginRequired (1),
|
|
prnGeneration (2),
|
|
eidCompliant (3)
|
|
}
|
|
|
|
SecurityEnvironmentInfo ::= SEQUENCE {
|
|
se INTEGER (0..pkcs15-ub-seInfo),
|
|
owner OBJECT IDENTIFIER,
|
|
... -- For future extensions
|
|
}
|
|
|
|
RecordInfo ::= SEQUENCE {
|
|
oDFRecordLength [0] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
prKDFRecordLength [1] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
puKDFRecordLength [2] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
sKDFRecordLength [3] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
cDFRecordLength [4] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
dODFRecordLength [5] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
aODFRecordLength [6] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL
|
|
}
|
|
|
|
AlgorithmInfo ::= SEQUENCE {
|
|
reference Reference,
|
|
algorithm PKCS15-ALGORITHM.&id({AlgorithmSet}),
|
|
parameters PKCS15-ALGORITHM.&Parameters({AlgorithmSet}{@algorithm}),
|
|
supportedOperations
|
|
PKCS15-ALGORITHM.&Operations({AlgorithmSet}{@algorithm}),
|
|
algId PKCS15-ALGORITHM.&objectIdentifier({AlgorithmSet}{@algorithm})
|
|
OPTIONAL,
|
|
algRef Reference OPTIONAL
|
|
}
|
|
|
|
PKCS15-ALGORITHM ::= CLASS {
|
|
&id INTEGER UNIQUE,
|
|
&Parameters,
|
|
&Operations Operations,
|
|
&objectIdentifier OBJECT IDENTIFIER OPTIONAL
|
|
} WITH SYNTAX {
|
|
PARAMETERS &Parameters OPERATIONS &Operations ID &id [OID &objectIdentifier]}
|
|
|
|
PKCS15-OPAQUE ::= TYPE-IDENTIFIER
|
|
|
|
PublicKeyOperations ::= Operations
|
|
|
|
Operations ::= BIT STRING {
|
|
compute-checksum (0), -- H/W computation of checksum
|
|
compute-signature (1), -- H/W computation of signature
|
|
verify-checksum (2), -- H/W verification of checksum
|
|
verify-signature (3), -- H/W verification of signature
|
|
encipher (4), -- H/W encryption of data
|
|
decipher (5), -- H/W decryption of data
|
|
hash (6), -- H/W hashing
|
|
generate-key (7) -- H/W key generation
|
|
}
|
|
|
|
pkcs15-alg-null PKCS15-ALGORITHM ::= {
|
|
PARAMETERS NULL OPERATIONS {{generate-key}} ID -1}
|
|
|
|
AlgorithmSet PKCS15-ALGORITHM ::= {
|
|
pkcs15-alg-null,
|
|
... -- See PKCS #11 for values for the &id field (and parameters)
|
|
}
|
|
|
|
LastUpdate ::= CHOICE {
|
|
generalizedTime GeneralizedTime,
|
|
referencedTime ReferencedValue {GeneralizedTime},
|
|
... -- For future extensions
|
|
}
|
|
|
|
-- Soft token related types and objects
|
|
|
|
EnvelopedData {Type} ::= SEQUENCE {
|
|
version INTEGER{v0(0),v1(1),v2(2),v3(3),v4(4)}(v0|v1|v2,...),
|
|
originatorInfo [0] OriginatorInfo OPTIONAL,
|
|
recipientInfos RecipientInfos,
|
|
encryptedContentInfo EncryptedContentInfo{Type},
|
|
unprotectedAttrs [1] SET SIZE (1..MAX) OF Attribute OPTIONAL
|
|
}
|
|
|
|
EncryptedContentInfo {Type} ::= SEQUENCE {
|
|
contentType OBJECT IDENTIFIER,
|
|
contentEncryptionAlgorithm AlgorithmIdentifier {{KeyDerivationAlgorithms}},
|
|
encryptedContent [0] OCTET STRING OPTIONAL
|
|
}(CONSTRAINED BY {-- 'encryptedContent' shall be the result of
|
|
-- encrypting DER-encoded value of type -- Type})
|
|
|
|
PKCS15Token ::= SEQUENCE {
|
|
version INTEGER {v1(0)} (v1,...),
|
|
keyManagementInfo [0] KeyManagementInfo OPTIONAL,
|
|
pkcs15Objects SEQUENCE OF PKCS15Objects
|
|
}
|
|
|
|
KeyManagementInfo ::= SEQUENCE OF SEQUENCE {
|
|
keyId Identifier,
|
|
keyInfo CHOICE {
|
|
recipientInfo RecipientInfo,
|
|
passwordInfo [0] PasswordInfo
|
|
}
|
|
} (CONSTRAINED BY {-- Each keyID must be unique --})
|
|
|
|
PasswordInfo ::= SEQUENCE {
|
|
hint Label OPTIONAL,
|
|
algId AlgorithmIdentifier {{KeyDerivationAlgorithms}},
|
|
...
|
|
} (CONSTRAINED BY {--keyID shall point to a KEKRecipientInfo--})
|
|
|
|
KeyDerivationAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
PBKDF2Algorithms,
|
|
... -- For future extensions
|
|
}
|
|
|
|
CMS3DESwrap ::= NULL
|
|
|
|
KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
{CMS3DESwrap IDENTIFIED BY id-alg-CMS3DESwrap} |
|
|
{INTEGER IDENTIFIED BY id-alg-CMSRC2wrap},
|
|
... -- For future extensions
|
|
}
|
|
|
|
DES-IV ::= OCTET STRING (SIZE(8))
|
|
|
|
ContentEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
SupportingAlgorithms EXCEPT {NULL IDENTIFIED BY id-hmacWithSHA1},
|
|
... -- For future extensions
|
|
}
|
|
|
|
MACAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
{NULL IDENTIFIED BY hMAC-SHA1},
|
|
... -- For future extensions
|
|
}
|
|
|
|
DigestAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
{NULL IDENTIFIED BY sha-1},
|
|
... -- For future extensions
|
|
}
|
|
|
|
-- Misc
|
|
|
|
DDO ::= SEQUENCE {
|
|
oid OBJECT IDENTIFIER,
|
|
odfPath Path OPTIONAL,
|
|
tokenInfoPath [0] Path OPTIONAL,
|
|
unusedPath [1] Path OPTIONAL,
|
|
... -- For future extensions
|
|
}
|
|
|
|
DIRRecord ::= [APPLICATION 1] SEQUENCE {
|
|
aid [APPLICATION 15] OCTET STRING,
|
|
label [APPLICATION 16] UTF8String OPTIONAL,
|
|
path [APPLICATION 17] OCTET STRING,
|
|
ddo [APPLICATION 19] DDO OPTIONAL
|
|
}
|
|
|
|
UnusedSpace ::= SEQUENCE {
|
|
path Path (WITH COMPONENTS {..., index PRESENT, length PRESENT}),
|
|
authId Identifier OPTIONAL,
|
|
...,
|
|
accessControlRules SEQUENCE OF AccessControlRule OPTIONAL
|
|
}
|
|
|
|
END
|