Internet Engineering Task Force (IETF) P. Hoffman
Request for Comments: 5911 VPN Consortium
Category: Informational J. Schaad
ISSN: 2070-1721 Soaring Hawk Consulting
June 2010
Internet Engineering Task Force (IETF) P. Hoffman
Request for Comments: 5911 VPN Consortium
Category: Informational J. Schaad
ISSN: 2070-1721 Soaring Hawk Consulting
June 2010
New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME
用于加密消息语法(CMS)和S/MIME的新ASN.1模块
Abstract
摘要
The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax.
加密消息语法(CMS)格式和许多相关格式使用ASN.1表示。当前ASN.1模块符合1988年版ASN.1。本文档更新了这些ASN.1模块,以符合2002年版的ASN.1。导线上没有对任何格式进行更改的位;这只是对语法的一个更改。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5911.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc5911.
Copyright Notice
版权公告
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . . 4
2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 4
3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 14
4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 20
5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 22
6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 24
7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 34
8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 40
9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 41
10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 47
11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 48
12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 50
13. Security Considerations . . . . . . . . . . . . . . . . . . . 57
14. Normative References . . . . . . . . . . . . . . . . . . . . . 57
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . . 4
2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 4
3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 14
4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 20
5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 22
6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 24
7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 34
8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 40
9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 41
10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 47
11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 48
12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 50
13. Security Considerations . . . . . . . . . . . . . . . . . . . 57
14. Normative References . . . . . . . . . . . . . . . . . . . . . 57
Some developers would like the IETF to use the latest version of ASN.1 in its standards. Most of the RFCs that relate to security protocols still use ASN.1 from the 1988 standard, which has been deprecated. This is particularly true for the standards that relate to PKIX, CMS, and S/MIME.
一些开发人员希望IETF在其标准中使用最新版本的ASN.1。大多数与安全协议相关的RFC仍然使用1988年标准中的ASN.1,该标准已被弃用。对于与PKIX、CMS和S/MIME相关的标准来说尤其如此。
This document updates the following RFCs to use ASN.1 modules that conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all the modules are updated; some are included to simply make the set complete.
本文件更新了以下RFC,以使用符合2002年版ASN.1[ASN1-2002]的ASN.1模块。请注意,并非所有模块都已更新;其中一些只是为了使这一套完整。
o RFC 3370, CMS Algorithms [RFC3370]
o RFC3370,CMS算法[RFC3370]
o RFC 3565, Use of AES in CMS [RFC3565]
o RFC 3565,在CMS中使用AES[RFC3565]
o RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851]
o RFC 3851,S/MIME版本3.1消息规范[RFC3851]
o RFC 3852, CMS main [RFC3852]
o RFC 3852,CMS干管[RFC3852]
o RFC 4108, Using CMS to Protect Firmware Packages [RFC4108]
o RFC 4108,使用CMS保护固件包[RFC4108]
o RFC 4998, Evidence Record Syntax (ERS) [RFC4998]
o RFC 4998,证据记录语法(ERS)[RFC4998]
o RFC 5035, Enhanced Security Services (ESS) [RFC5035]
o RFC 5035,增强型安全服务(ESS)[RFC5035]
o RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]
o RFC 5083,CMS认证的信封数据内容类型[RFC5083]
o RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in CMS [RFC5084]
o RFC 5084,在CMS中使用AES-CCM和AES-GCM认证加密[RFC5084]
o RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]
o RFC 5275,CMS对称密钥管理和分发[RFC5275]
Note that some of the modules in this document get some of their definitions from places different than the modules in the original RFCs. The idea is that these modules, when combined with the modules in [RFC5912] can stand on their own and do not need to import definitions from anywhere else. Also note that the ASN.1 modules in this document have references in their text comments that need to be looked up in original RFCs, and that some of those references may have already been superseded by later RFCs.
请注意,本文档中的一些模块从与原始RFC中的模块不同的地方获得了一些定义。其思想是,当这些模块与[RFC5912]中的模块组合时,它们可以独立存在,不需要从任何其他地方导入定义。还请注意,本文档中的ASN.1模块在其文本注释中有引用,需要在原始RFC中查找,其中一些引用可能已被以后的RFC取代。
The document also includes a module of common definitions called "AlgorithmInformation". These definitions are used here and in [RFC5912].
该文件还包括一个名为“算法信息”的通用定义模块。此处和[RFC5912]中使用了这些定义。
Note that some of the modules here import definitions from the common definitions module, "PKIX-CommonTypes", in [RFC5912].
请注意,此处的一些模块从[RFC5912]中的公共定义模块“PKIX CommonTypes”导入定义。
The modules in this document use the object model available in the 2002 ASN.1 documents to a great extent. Objects for each of the different algorithm types are defined. Also, all of the places where the 1988 ASN.1 syntax had ANY holes to allow for variable syntax now use objects.
本文档中的模块在很大程度上使用了2002 ASN.1文档中提供的对象模型。定义了每种不同算法类型的对象。此外,1988年ASN.1语法中所有允许变量语法的地方现在都使用对象。
Much like the way that the PKIX and S/MIME working groups use the prefix of id- for object identifiers, this document has also adopted a set of two-, three-, and four-letter prefixes to allow for quick identification of the type of an object based on its name. This allows, for example, the same back half of the name to be used for the different objects. Thus, "id-sha1" is the object identifier, while "mda-sha1" is the message digest object for "sha1".
与PKIX和S/MIME工作组使用id前缀作为对象标识符的方式非常相似,本文档还采用了一组两个、三个和四个字母的前缀,以便根据对象的名称快速识别对象的类型。例如,这允许对不同的对象使用相同的名称后半部分。因此,“id-sha1”是对象标识符,“mda-sha1”是“sha1”的消息摘要对象。
One or more object sets for the different types of algorithms are defined. A single consistent name for each different algorithm type is used. For example, an object set named PublicKeys contains the public keys defined in that module. If no public keys are defined, then the object set is not created. When importing these object sets into an ASN.1 module, one needs to be able to distinguish between the different object sets with the same name. This is done by using both the module name (as specified in the IMPORT statement) and the object set name. For example, in the module for RFC 5280:
为不同类型的算法定义了一个或多个对象集。每个不同的算法类型使用一个统一的名称。例如,名为PublicKeys的对象集包含该模块中定义的公钥。如果未定义公钥,则不会创建对象集。将这些对象集导入ASN.1模块时,需要能够区分具有相同名称的不同对象集。这是通过使用模块名(如IMPORT语句中指定的)和对象集名来完成的。例如,在RFC 5280的模块中:
PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }
PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }
PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
PKIX1-PSS-OAEP-Algorithms.PublicKeys }
PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
PKIX1-PSS-OAEP-Algorithms.PublicKeys }
This section contains a module that is imported by many other modules in this document. Note that this module is also given in [RFC5912]. This module does not come from any existing RFC.
本节包含本文档中许多其他模块导入的模块。请注意,[RFC5912]中也给出了该模块。此模块不来自任何现有的RFC。
AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
KeyUsage
FROM PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-implicit-02(59)} ;
KeyUsage
FROM PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-implicit-02(59)} ;
-- Suggested prefixes for algorithm objects are:
--
-- mda- Message Digest Algorithms
-- sa- Signature Algorithms
-- kta- Key Transport Algorithms (Asymmetric)
-- kaa- Key Agreement Algorithms (Asymmetric)
-- kwa- Key Wrap Algorithms (Symmetric)
-- kda- Key Derivation Algorithms
-- maca- Message Authentication Code Algorithms
-- pk- Public Key
-- cea- Content (symmetric) Encryption Algorithms
-- cap- S/MIME Capabilities
-- Suggested prefixes for algorithm objects are:
--
-- mda- Message Digest Algorithms
-- sa- Signature Algorithms
-- kta- Key Transport Algorithms (Asymmetric)
-- kaa- Key Agreement Algorithms (Asymmetric)
-- kwa- Key Wrap Algorithms (Symmetric)
-- kda- Key Derivation Algorithms
-- maca- Message Authentication Code Algorithms
-- pk- Public Key
-- cea- Content (symmetric) Encryption Algorithms
-- cap- S/MIME Capabilities
ParamOptions ::= ENUMERATED {
required, -- Parameters MUST be encoded in structure
preferredPresent, -- Parameters SHOULD be encoded in structure
preferredAbsent, -- Parameters SHOULD NOT be encoded in structure
absent, -- Parameters MUST NOT be encoded in structure
inheritable, -- Parameters are inherited if not present
optional, -- Parameters MAY be encoded in the structure
...
}
ParamOptions ::= ENUMERATED {
required, -- Parameters MUST be encoded in structure
preferredPresent, -- Parameters SHOULD be encoded in structure
preferredAbsent, -- Parameters SHOULD NOT be encoded in structure
absent, -- Parameters MUST NOT be encoded in structure
inheritable, -- Parameters are inherited if not present
optional, -- Parameters MAY be encoded in the structure
...
}
-- DIGEST-ALGORITHM
--
-- Describes the basic information for ASN.1 and a digest
-- algorithm.
--
-- &id - contains the OID identifying the digest algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
--
-- Additional information such as the length of the hash could have
-- been encoded. Without a clear understanding of what information
-- is needed by applications, such extraneous information was not
-- considered to be of sufficient importance.
-- DIGEST-ALGORITHM
--
-- Describes the basic information for ASN.1 and a digest
-- algorithm.
--
-- &id - contains the OID identifying the digest algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
--
-- Additional information such as the length of the hash could have
-- been encoded. Without a clear understanding of what information
-- is needed by applications, such extraneous information was not
-- considered to be of sufficient importance.
--
-- Example:
-- mda-sha1 DIGEST-ALGORITHM ::= {
-- IDENTIFIER id-sha1
-- PARAMS TYPE NULL ARE preferredAbsent
-- }
--
-- Example:
-- mda-sha1 DIGEST-ALGORITHM ::= {
-- IDENTIFIER id-sha1
-- PARAMS TYPE NULL ARE preferredAbsent
-- }
DIGEST-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence ]
}
DIGEST-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence ]
}
-- SIGNATURE-ALGORITHM
--
-- Describes the basic properties of a signature algorithm
--
-- &id - contains the OID identifying the signature algorithm
-- &Value - contains a type definition for the value structure of
-- the signature; if absent, implies that no ASN.1
-- encoding is performed on the value
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &HashSet - The set of hash algorithms used with this
-- signature algorithm
-- &PublicKeySet - the set of public key algorithms for this
-- signature algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER id-RSASSA-PSS
-- PARAMS TYPE RSASSA-PSS-params ARE required
-- HASHES { mda-sha1 | mda-md5, ... }
-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- }
-- SIGNATURE-ALGORITHM
--
-- Describes the basic properties of a signature algorithm
--
-- &id - contains the OID identifying the signature algorithm
-- &Value - contains a type definition for the value structure of
-- the signature; if absent, implies that no ASN.1
-- encoding is performed on the value
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &HashSet - The set of hash algorithms used with this
-- signature algorithm
-- &PublicKeySet - the set of public key algorithms for this
-- signature algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER id-RSASSA-PSS
-- PARAMS TYPE RSASSA-PSS-params ARE required
-- HASHES { mda-sha1 | mda-md5, ... }
-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- }
SIGNATURE-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Value OPTIONAL,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&HashSet DIGEST-ALGORITHM OPTIONAL,
SIGNATURE-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Value OPTIONAL,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&HashSet DIGEST-ALGORITHM OPTIONAL,
&PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[VALUE &Value]
[PARAMS [TYPE &Params] ARE ¶mPresence ]
[HASHES &HashSet]
[PUBLIC-KEYS &PublicKeySet]
[SMIME-CAPS &smimeCaps]
}
&PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[VALUE &Value]
[PARAMS [TYPE &Params] ARE ¶mPresence ]
[HASHES &HashSet]
[PUBLIC-KEYS &PublicKeySet]
[SMIME-CAPS &smimeCaps]
}
-- PUBLIC-KEY
--
-- Describes the basic properties of a public key
--
-- &id - contains the OID identifying the public key
-- &KeyValue - contains the type for the key value
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &keyUsage - contains the set of bits that are legal for this
-- key type. Note that it does not make any statement
-- about how bits may be paired.
-- &PrivateKey - contains a type structure for encoding the private
-- key information.
--
-- Example:
-- pk-rsa-pss PUBLIC-KEY ::= {
-- IDENTIFIER id-RSASSA-PSS
-- KEY RSAPublicKey
-- PARAMS TYPE RSASSA-PSS-params ARE optional
-- CERT-KEY-USAGE { .... }
-- }
-- PUBLIC-KEY
--
-- Describes the basic properties of a public key
--
-- &id - contains the OID identifying the public key
-- &KeyValue - contains the type for the key value
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &keyUsage - contains the set of bits that are legal for this
-- key type. Note that it does not make any statement
-- about how bits may be paired.
-- &PrivateKey - contains a type structure for encoding the private
-- key information.
--
-- Example:
-- pk-rsa-pss PUBLIC-KEY ::= {
-- IDENTIFIER id-RSASSA-PSS
-- KEY RSAPublicKey
-- PARAMS TYPE RSASSA-PSS-params ARE optional
-- CERT-KEY-USAGE { .... }
-- }
PUBLIC-KEY ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&KeyValue OPTIONAL,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&keyUsage KeyUsage OPTIONAL,
&PrivateKey OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[KEY &KeyValue]
[PARAMS [TYPE &Params] ARE ¶mPresence]
[CERT-KEY-USAGE &keyUsage]
[PRIVATE-KEY &PrivateKey]
}
PUBLIC-KEY ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&KeyValue OPTIONAL,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&keyUsage KeyUsage OPTIONAL,
&PrivateKey OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[KEY &KeyValue]
[PARAMS [TYPE &Params] ARE ¶mPresence]
[CERT-KEY-USAGE &keyUsage]
[PRIVATE-KEY &PrivateKey]
}
-- KEY-TRANSPORT
--
-- Describes the basic properties of a key transport algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &PublicKeySet - specifies which public keys are used with
-- this algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- kta-rsaTransport KEY-TRANSPORT ::= {
-- IDENTIFIER &id
-- PARAMS TYPE NULL ARE required
-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- }
-- KEY-TRANSPORT
--
-- Describes the basic properties of a key transport algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &PublicKeySet - specifies which public keys are used with
-- this algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- kta-rsaTransport KEY-TRANSPORT ::= {
-- IDENTIFIER &id
-- PARAMS TYPE NULL ARE required
-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- }
KEY-TRANSPORT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[PUBLIC-KEYS &PublicKeySet]
[SMIME-CAPS &smimeCaps]
}
KEY-TRANSPORT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[PUBLIC-KEYS &PublicKeySet]
[SMIME-CAPS &smimeCaps]
}
-- KEY-AGREE
--
-- Describes the basic properties of a key agreement algorithm
--
-- &id - contains the OID identifying the key agreement algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &PublicKeySet - specifies which public keys are used with
-- this algorithm
-- &Ukm - type of user keying material used
-- &ukmPresence - specifies the requirements to define the UKM field
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- KEY-AGREE
--
-- Describes the basic properties of a key agreement algorithm
--
-- &id - contains the OID identifying the key agreement algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &PublicKeySet - specifies which public keys are used with
-- this algorithm
-- &Ukm - type of user keying material used
-- &ukmPresence - specifies the requirements to define the UKM field
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- kaa-dh-static-ephemeral KEY-AGREE ::= {
-- IDENTIFIER id-alg-ESDH
-- PARAMS TYPE KeyWrapAlgorithm ARE required
-- PUBLIC-KEYS {
-- {IDENTIFIER dh-public-number KEY DHPublicKey
-- PARAMS TYPE DHDomainParameters ARE inheritable }
-- }
-- - - UKM should be present but is not separately ASN.1-encoded
-- UKM ARE preferredPresent
-- }
-- Example:
-- kaa-dh-static-ephemeral KEY-AGREE ::= {
-- IDENTIFIER id-alg-ESDH
-- PARAMS TYPE KeyWrapAlgorithm ARE required
-- PUBLIC-KEYS {
-- {IDENTIFIER dh-public-number KEY DHPublicKey
-- PARAMS TYPE DHDomainParameters ARE inheritable }
-- }
-- - - UKM should be present but is not separately ASN.1-encoded
-- UKM ARE preferredPresent
-- }
KEY-AGREE ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL,
&Ukm OPTIONAL,
&ukmPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[PUBLIC-KEYS &PublicKeySet]
[UKM [TYPE &Ukm] ARE &ukmPresence]
[SMIME-CAPS &smimeCaps]
}
KEY-AGREE ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL,
&Ukm OPTIONAL,
&ukmPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[PUBLIC-KEYS &PublicKeySet]
[UKM [TYPE &Ukm] ARE &ukmPresence]
[SMIME-CAPS &smimeCaps]
}
-- KEY-WRAP
--
-- Describes the basic properties of a key wrap algorithm
--
-- &id - contains the OID identifying the key wrap algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- kwa-cms3DESwrap KEY-WRAP ::= {
-- IDENTIFIER id-alg-CMS3DESwrap
-- PARAMS TYPE NULL ARE required
-- }
-- KEY-WRAP
--
-- Describes the basic properties of a key wrap algorithm
--
-- &id - contains the OID identifying the key wrap algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- kwa-cms3DESwrap KEY-WRAP ::= {
-- IDENTIFIER id-alg-CMS3DESwrap
-- PARAMS TYPE NULL ARE required
-- }
KEY-WRAP ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
KEY-WRAP ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[SMIME-CAPS &smimeCaps]
}
¶mPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[SMIME-CAPS &smimeCaps]
}
-- KEY-DERIVATION
--
-- Describes the basic properties of a key derivation algorithm
--
-- &id - contains the OID identifying the key derivation algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- kda-pbkdf2 KEY-DERIVATION ::= {
-- IDENTIFIER id-PBKDF2
-- PARAMS TYPE PBKDF2-params ARE required
-- }
-- KEY-DERIVATION
--
-- Describes the basic properties of a key derivation algorithm
--
-- &id - contains the OID identifying the key derivation algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- kda-pbkdf2 KEY-DERIVATION ::= {
-- IDENTIFIER id-PBKDF2
-- PARAMS TYPE PBKDF2-params ARE required
-- }
KEY-DERIVATION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[SMIME-CAPS &smimeCaps]
}
KEY-DERIVATION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[SMIME-CAPS &smimeCaps]
}
-- MAC-ALGORITHM
--
-- Describes the basic properties of a message
-- authentication code (MAC) algorithm
--
-- &id - contains the OID identifying the MAC algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &keyed - MAC algorithm is a keyed MAC algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
-- MAC-ALGORITHM
--
-- Describes the basic properties of a message
-- authentication code (MAC) algorithm
--
-- &id - contains the OID identifying the MAC algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &keyed - MAC algorithm is a keyed MAC algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Some parameters that perhaps should have been added would be
-- fields with the minimum and maximum MAC lengths for
-- those MAC algorithms that allow truncations.
--
-- Example:
-- maca-hmac-sha1 MAC-ALGORITHM ::= {
-- IDENTIFIER hMAC-SHA1
-- PARAMS TYPE NULL ARE preferredAbsent
-- IS KEYED MAC TRUE
-- SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
-- }
--
-- Some parameters that perhaps should have been added would be
-- fields with the minimum and maximum MAC lengths for
-- those MAC algorithms that allow truncations.
--
-- Example:
-- maca-hmac-sha1 MAC-ALGORITHM ::= {
-- IDENTIFIER hMAC-SHA1
-- PARAMS TYPE NULL ARE preferredAbsent
-- IS KEYED MAC TRUE
-- SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
-- }
MAC-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&keyed BOOLEAN,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
IS-KEYED-MAC &keyed
[SMIME-CAPS &smimeCaps]
}
MAC-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&keyed BOOLEAN,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
IS-KEYED-MAC &keyed
[SMIME-CAPS &smimeCaps]
}
-- CONTENT-ENCRYPTION
--
-- Describes the basic properties of a content encryption
-- algorithm
--
-- &id - contains the OID identifying the content
-- encryption algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
-- IDENTIFIER des-ede3-cbc
-- PARAMS TYPE IV ARE required
-- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
-- }
-- CONTENT-ENCRYPTION
--
-- Describes the basic properties of a content encryption
-- algorithm
--
-- &id - contains the OID identifying the content
-- encryption algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
-- IDENTIFIER des-ede3-cbc
-- PARAMS TYPE IV ARE required
-- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
-- }
CONTENT-ENCRYPTION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
CONTENT-ENCRYPTION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[SMIME-CAPS &smimeCaps]
}
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[SMIME-CAPS &smimeCaps]
}
-- ALGORITHM
--
-- Describes a generic algorithm identifier
--
-- &id - contains the OID identifying the algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- This would be used for cases where an algorithm of an unknown
-- type is used. In general however, one should either define
-- a more complete algorithm structure (such as the one above)
-- or use the TYPE-IDENTIFIER class.
-- ALGORITHM
--
-- Describes a generic algorithm identifier
--
-- &id - contains the OID identifying the algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- ¶mPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- This would be used for cases where an algorithm of an unknown
-- type is used. In general however, one should either define
-- a more complete algorithm structure (such as the one above)
-- or use the TYPE-IDENTIFIER class.
ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[SMIME-CAPS &smimeCaps]
}
ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
¶mPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE ¶mPresence]
[SMIME-CAPS &smimeCaps]
}
-- AlgorithmIdentifier
--
-- Provides the generic structure that is used to encode algorithm
-- identification and the parameters associated with the
-- algorithm.
--
-- The first parameter represents the type of the algorithm being
-- used.
-- The second parameter represents an object set containing the
-- algorithms that may occur in this situation.
-- The initial list of required algorithms should occur to the
-- left of an extension marker; all other algorithms should
-- AlgorithmIdentifier
--
-- Provides the generic structure that is used to encode algorithm
-- identification and the parameters associated with the
-- algorithm.
--
-- The first parameter represents the type of the algorithm being
-- used.
-- The second parameter represents an object set containing the
-- algorithms that may occur in this situation.
-- The initial list of required algorithms should occur to the
-- left of an extension marker; all other algorithms should
-- occur to the right of an extension marker.
--
-- The object class ALGORITHM can be used for generic unspecified
-- items.
-- If new ALGORITHM classes are defined, the fields &id and &Params
-- need to be present as fields in the object in order to use
-- this parameterized type.
--
-- Example:
-- SignatureAlgorithmIdentifier ::=
-- AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgSet}}
-- occur to the right of an extension marker.
--
-- The object class ALGORITHM can be used for generic unspecified
-- items.
-- If new ALGORITHM classes are defined, the fields &id and &Params
-- need to be present as fields in the object in order to use
-- this parameterized type.
--
-- Example:
-- SignatureAlgorithmIdentifier ::=
-- AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgSet}}
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL
}
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL
}
-- S/MIME Capabilities
--
-- We have moved the SMIME-CAPS from the module for RFC 3851 to here
-- because it is used in RFC 4262 (X.509 Certificate Extension for
-- S/MIME Capabilities)
--
--
-- This class is used to represent an S/MIME capability. S/MIME
-- capabilities are used to represent what algorithm capabilities
-- an individual has. The classic example was the content encryption
-- algorithm RC2 where the algorithm id and the RC2 key lengths
-- supported needed to be advertised, but the IV used is not fixed.
-- Thus, for RC2 we used
--
-- cap-RC2CBC SMIME-CAPS ::= {
-- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
--
-- where 40 and 128 represent the RC2 key length in number of bits.
--
-- Another example where information needs to be shown is for
-- RSA-OAEP where only specific hash functions or mask generation
-- functions are supported, but the saltLength is specified by the
-- sender and not the recipient. In this case, one can either
-- generate a number of capability items,
-- or a new S/MIME capability type could be generated where
-- multiple hash functions could be specified.
--
--
-- SMIME-CAP
-- S/MIME Capabilities
--
-- We have moved the SMIME-CAPS from the module for RFC 3851 to here
-- because it is used in RFC 4262 (X.509 Certificate Extension for
-- S/MIME Capabilities)
--
--
-- This class is used to represent an S/MIME capability. S/MIME
-- capabilities are used to represent what algorithm capabilities
-- an individual has. The classic example was the content encryption
-- algorithm RC2 where the algorithm id and the RC2 key lengths
-- supported needed to be advertised, but the IV used is not fixed.
-- Thus, for RC2 we used
--
-- cap-RC2CBC SMIME-CAPS ::= {
-- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
--
-- where 40 and 128 represent the RC2 key length in number of bits.
--
-- Another example where information needs to be shown is for
-- RSA-OAEP where only specific hash functions or mask generation
-- functions are supported, but the saltLength is specified by the
-- sender and not the recipient. In this case, one can either
-- generate a number of capability items,
-- or a new S/MIME capability type could be generated where
-- multiple hash functions could be specified.
--
--
-- SMIME-CAP
--
-- This class is used to associate the type that describes the
-- capabilities with the object identifier.
--
--
-- This class is used to associate the type that describes the
-- capabilities with the object identifier.
--
SMIME-CAPS ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL
}
WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }
SMIME-CAPS ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL
}
WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }
-- -- Generic type - this is used for defining values. --
----泛型类型-用于定义值--
-- Define a single S/MIME capability encoding
--定义单个S/MIME功能编码
SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
capabilityID SMIME-CAPS.&id({CapabilitySet}),
parameters SMIME-CAPS.&Type({CapabilitySet}
{@capabilityID}) OPTIONAL
}
SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
capabilityID SMIME-CAPS.&id({CapabilitySet}),
parameters SMIME-CAPS.&Type({CapabilitySet}
{@capabilityID}) OPTIONAL
}
-- Define a sequence of S/MIME capability values
--定义一系列S/MIME功能值
SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }
SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }
END
终止
CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier{}, SMIME-CAPS
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier{}, SMIME-CAPS
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
pk-rsa, pk-dh, pk-dsa, rsaEncryption, DHPublicKey, dhpublicnumber
FROM PKIXAlgs-2009
{iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms2008-02(56)}
pk-rsa, pk-dh, pk-dsa, rsaEncryption, DHPublicKey, dhpublicnumber
FROM PKIXAlgs-2009
{iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms2008-02(56)}
cap-RC2CBC
FROM SecureMimeMessageV3dot1-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-msg-v3dot1-02(39)};
cap-RC2CBC
FROM SecureMimeMessageV3dot1-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-msg-v3dot1-02(39)};
-- 2. Hash algorithms in this document
-- 2. 本文档中的哈希算法
MessageDigestAlgs DIGEST-ALGORITHM ::= {
-- mda-md5 | mda-sha1,
... }
MessageDigestAlgs DIGEST-ALGORITHM ::= {
-- mda-md5 | mda-sha1,
... }
-- 3. Signature algorithms in this document
-- 3. 本文档中的签名算法
SignatureAlgs SIGNATURE-ALGORITHM ::= {
-- See RFC 3279
-- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1,
... }
SignatureAlgs SIGNATURE-ALGORITHM ::= {
-- See RFC 3279
-- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1,
... }
-- 4. Key Management Algorithms
-- 4.1 Key Agreement Algorithms
-- 4. Key Management Algorithms
-- 4.1 Key Agreement Algorithms
KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}
KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}
-- 4.2 Key Transport Algorithms
--4.2关键传输算法
KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }
KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }
-- 4.3 Symmetric Key-Encryption Key Algorithms
--4.3对称密钥加密密钥算法
KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }
KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }
-- 4.4 Key Derivation Algorithms
--4.4密钥派生算法
KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }
KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }
-- 5. Content Encryption Algorithms
-- 5. 内容加密算法
ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
{ cea-3DES-cbc | cea-RC2-cbc, ... }
ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
{ cea-3DES-cbc | cea-RC2-cbc, ... }
-- 6. Message Authentication Code Algorithms
-- 6. 消息认证码算法
MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }
MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }
-- S/MIME Capabilities for these items
--这些项目的S/MIME功能
SMimeCaps SMIME-CAPS ::= {
kaa-esdh.&smimeCaps |
kaa-ssdh.&smimeCaps |
kt-rsa.&smimeCaps |
kwa-3DESWrap.&smimeCaps |
kwa-RC2Wrap.&smimeCaps |
cea-3DES-cbc.&smimeCaps |
cea-RC2-cbc.&smimeCaps |
maca-hMAC-SHA1.&smimeCaps,
...}
SMimeCaps SMIME-CAPS ::= {
kaa-esdh.&smimeCaps |
kaa-ssdh.&smimeCaps |
kt-rsa.&smimeCaps |
kwa-3DESWrap.&smimeCaps |
kwa-RC2Wrap.&smimeCaps |
cea-3DES-cbc.&smimeCaps |
cea-RC2-cbc.&smimeCaps |
maca-hMAC-SHA1.&smimeCaps,
...}
-- -- --
-- -- --
-- Algorithm Identifiers
--算法标识符
-- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
-- us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }
-- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
-- us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }
id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }
id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }
id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }
id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }
id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }
id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }
id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }
id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }
des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }
des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }
rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) encryptionAlgorithm(3) 2 }
rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) encryptionAlgorithm(3) 2 }
hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }
hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }
id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-5(5) 12 }
id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-5(5) 12 }
-- Algorithm Identifier Parameter Types
--算法标识符参数类型
KeyWrapAlgorithm ::=
AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }}
KeyWrapAlgorithm ::=
AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }}
RC2wrapParameter ::= RC2ParameterVersion
RC2ParameterVersion ::= INTEGER
RC2wrapParameter ::= RC2ParameterVersion
RC2ParameterVersion ::= INTEGER
CBCParameter ::= IV
CBCParameter ::= IV
IV ::= OCTET STRING -- exactly 8 octets
IV ::= OCTET STRING -- exactly 8 octets
RC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (1..256),
iv OCTET STRING } -- exactly 8 octets
RC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (1..256),
iv OCTET STRING } -- exactly 8 octets
maca-hMAC-SHA1 MAC-ALGORITHM ::= {
IDENTIFIER hMAC-SHA1
PARAMS TYPE NULL ARE preferredAbsent
IS-KEYED-MAC TRUE
SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
}
maca-hMAC-SHA1 MAC-ALGORITHM ::= {
IDENTIFIER hMAC-SHA1
PARAMS TYPE NULL ARE preferredAbsent
IS-KEYED-MAC TRUE
SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
}
PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
{PBKDF2-PRFs} }
PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
{PBKDF2-PRFs} }
alg-hMAC-SHA1 ALGORITHM ::=
{ IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required }
alg-hMAC-SHA1 ALGORITHM ::=
{ IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required }
PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }
PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }
PBKDF2-SaltSources ALGORITHM ::= { ... }
PBKDF2-SaltSources ALGORITHM ::= { ... }
PBKDF2-SaltSourcesAlgorithmIdentifier ::=
AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}
PBKDF2-SaltSourcesAlgorithmIdentifier ::=
AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}
defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
{ algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }
defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
{ algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }
PBKDF2-params ::= SEQUENCE {
salt CHOICE {
specified OCTET STRING,
otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
iterationCount INTEGER (1..MAX),
keyLength INTEGER (1..MAX) OPTIONAL,
prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
defaultPBKDF2
}
PBKDF2-params ::= SEQUENCE {
salt CHOICE {
specified OCTET STRING,
otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
iterationCount INTEGER (1..MAX),
keyLength INTEGER (1..MAX) OPTIONAL,
prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
defaultPBKDF2
}
--
-- This object is included for completeness. It should not be used
-- for encoding of signatures, but was sometimes used in older
-- versions of CMS for encoding of RSA signatures.
--
--
-- sa-rsa SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER rsaEncryption
-- - - value is not ASN.1 encoded
-- PARAMS TYPE NULL ARE required
-- HASHES {mda-sha1 | mda-md5, ...}
-- PUBLIC-KEYS { pk-rsa}
-- }
--
-- No ASN.1 encoding is applied to the signature value
-- for these items
--
-- This object is included for completeness. It should not be used
-- for encoding of signatures, but was sometimes used in older
-- versions of CMS for encoding of RSA signatures.
--
--
-- sa-rsa SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER rsaEncryption
-- - - value is not ASN.1 encoded
-- PARAMS TYPE NULL ARE required
-- HASHES {mda-sha1 | mda-md5, ...}
-- PUBLIC-KEYS { pk-rsa}
-- }
--
-- No ASN.1 encoding is applied to the signature value
-- for these items
kaa-esdh KEY-AGREE ::= {
IDENTIFIER id-alg-ESDH
PARAMS TYPE KeyWrapAlgorithm ARE required
PUBLIC-KEYS { pk-dh }
-- UKM is not ASN.1 encoded
UKM ARE optional
SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
}
kaa-esdh KEY-AGREE ::= {
IDENTIFIER id-alg-ESDH
PARAMS TYPE KeyWrapAlgorithm ARE required
PUBLIC-KEYS { pk-dh }
-- UKM is not ASN.1 encoded
UKM ARE optional
SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
}
kaa-ssdh KEY-AGREE ::= {
IDENTIFIER id-alg-SSDH
PARAMS TYPE KeyWrapAlgorithm ARE required
PUBLIC-KEYS {pk-dh}
-- UKM is not ASN.1 encoded
UKM ARE optional
SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
}
kaa-ssdh KEY-AGREE ::= {
IDENTIFIER id-alg-SSDH
PARAMS TYPE KeyWrapAlgorithm ARE required
PUBLIC-KEYS {pk-dh}
-- UKM is not ASN.1 encoded
UKM ARE optional
SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
}
dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber
dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber
pk-originator-dh PUBLIC-KEY ::= {
IDENTIFIER dh-public-number
KEY DHPublicKey
PARAMS ARE absent
CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly}
}
pk-originator-dh PUBLIC-KEY ::= {
IDENTIFIER dh-public-number
KEY DHPublicKey
PARAMS ARE absent
CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly}
}
kwa-3DESWrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMS3DESwrap
PARAMS TYPE NULL ARE required
SMIME-CAPS {IDENTIFIED BY id-alg-CMS3DESwrap}
kwa-3DESWrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMS3DESwrap
PARAMS TYPE NULL ARE required
SMIME-CAPS {IDENTIFIED BY id-alg-CMS3DESwrap}
}
}
kwa-RC2Wrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMSRC2wrap
PARAMS TYPE RC2wrapParameter ARE required
SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
}
kwa-RC2Wrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMSRC2wrap
PARAMS TYPE RC2wrapParameter ARE required
SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
}
kda-PBKDF2 KEY-DERIVATION ::= {
IDENTIFIER id-PBKDF2
PARAMS TYPE PBKDF2-params ARE required
-- No S/MIME caps defined
}
kda-PBKDF2 KEY-DERIVATION ::= {
IDENTIFIER id-PBKDF2
PARAMS TYPE PBKDF2-params ARE required
-- No S/MIME caps defined
}
cea-3DES-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER des-ede3-cbc
PARAMS TYPE IV ARE required
SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
}
cea-3DES-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER des-ede3-cbc
PARAMS TYPE IV ARE required
SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
}
cea-RC2-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER rc2-cbc
PARAMS TYPE RC2CBCParameter ARE required
SMIME-CAPS cap-RC2CBC
}
cea-RC2-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER rc2-cbc
PARAMS TYPE RC2CBCParameter ARE required
SMIME-CAPS cap-RC2CBC
}
kt-rsa KEY-TRANSPORT ::= {
IDENTIFIER rsaEncryption
PARAMS TYPE NULL ARE required
PUBLIC-KEYS { pk-rsa }
SMIME-CAPS {IDENTIFIED BY rsaEncryption}
}
kt-rsa KEY-TRANSPORT ::= {
IDENTIFIER rsaEncryption
PARAMS TYPE NULL ARE required
PUBLIC-KEYS { pk-rsa }
SMIME-CAPS {IDENTIFIED BY rsaEncryption}
}
-- S/MIME Capabilities - most have no label.
--S/MIME功能—大多数都没有标签。
cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }
cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }
END
终止
CMSAesRsaesOaep-2009 {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
CMSAesRsaesOaep-2009 {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)};
CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)};
AES-ContentEncryption CONTENT-ENCRYPTION ::= {
cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
}
AES-ContentEncryption CONTENT-ENCRYPTION ::= {
cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
}
AES-KeyWrap KEY-WRAP ::= {
kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
}
AES-KeyWrap KEY-WRAP ::= {
kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
}
SMimeCaps SMIME-CAPS ::= {
cea-aes128-cbc.&smimeCaps |
cea-aes192-cbc.&smimeCaps |
cea-aes256-cbc.&smimeCaps |
kwa-aes128-wrap.&smimeCaps |
kwa-aes192-wrap.&smimeCaps |
kwa-aes256-wrap.&smimeCaps, ...
}
SMimeCaps SMIME-CAPS ::= {
cea-aes128-cbc.&smimeCaps |
cea-aes192-cbc.&smimeCaps |
cea-aes256-cbc.&smimeCaps |
kwa-aes128-wrap.&smimeCaps |
kwa-aes192-wrap.&smimeCaps |
kwa-aes256-wrap.&smimeCaps, ...
}
-- AES information object identifiers --
--AES信息对象标识符--
aes OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
csor(3) nistAlgorithms(4) 1 }
aes OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
csor(3) nistAlgorithms(4) 1 }
-- AES using CBC mode for key sizes of 128, 192, 256
--AES使用CBC模式,密钥大小为128、192、256
cea-aes128-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-CBC
PARAMS TYPE AES-IV ARE required
SMIME-CAPS { IDENTIFIED BY id-aes128-CBC }
}
id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
cea-aes128-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-CBC
PARAMS TYPE AES-IV ARE required
SMIME-CAPS { IDENTIFIED BY id-aes128-CBC }
}
id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
cea-aes192-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-CBC
cea-aes192-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-CBC
PARAMS TYPE AES-IV ARE required
SMIME-CAPS { IDENTIFIED BY id-aes192-CBC }
}
id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
PARAMS TYPE AES-IV ARE required
SMIME-CAPS { IDENTIFIED BY id-aes192-CBC }
}
id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
cea-aes256-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes256-CBC
PARAMS TYPE AES-IV ARE required
SMIME-CAPS { IDENTIFIED BY id-aes256-CBC }
}
id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }
cea-aes256-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes256-CBC
PARAMS TYPE AES-IV ARE required
SMIME-CAPS { IDENTIFIED BY id-aes256-CBC }
}
id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }
-- AES-IV is the parameter for all the above object identifiers.
--AES-IV是上述所有对象标识符的参数。
AES-IV ::= OCTET STRING (SIZE(16))
AES-IV ::= OCTET STRING (SIZE(16))
-- AES Key Wrap Algorithm Identifiers - Parameter is absent
--AES密钥包裹算法标识符-缺少参数
kwa-aes128-wrap KEY-WRAP ::= {
IDENTIFIER id-aes128-wrap
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes128-wrap }
}
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
kwa-aes128-wrap KEY-WRAP ::= {
IDENTIFIER id-aes128-wrap
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes128-wrap }
}
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
kwa-aes192-wrap KEY-WRAP ::= {
IDENTIFIER id-aes192-wrap
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes192-wrap }
}
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
kwa-aes192-wrap KEY-WRAP ::= {
IDENTIFIER id-aes192-wrap
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes192-wrap }
}
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
kwa-aes256-wrap KEY-WRAP ::= {
IDENTIFIER id-aes256-wrap
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes256-wrap }
}
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
kwa-aes256-wrap KEY-WRAP ::= {
IDENTIFIER id-aes256-wrap
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes256-wrap }
}
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
END
终止
SecureMimeMessageV3dot1-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-msg-v3dot1-02(39)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
SecureMimeMessageV3dot1-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-msg-v3dot1-02(39)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
SMIME-CAPS, SMIMECapabilities{}
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
SMIME-CAPS, SMIMECapabilities{}
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
ATTRIBUTE
FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
ATTRIBUTE
FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41)}
SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41)}
rc2-cbc, SMimeCaps
FROM CryptographicMessageSyntaxAlgorithms-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37)}
rc2-cbc, SMimeCaps
FROM CryptographicMessageSyntaxAlgorithms-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37)}
SMimeCaps
FROM PKIXAlgs-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms2008-02(56)}
SMimeCaps
FROM PKIXAlgs-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms2008-02(56)}
SMimeCaps
FROM PKIX1-PSS-OAEP-Algorithms-2009
{iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs-02(54)};
SMimeCaps
FROM PKIX1-PSS-OAEP-Algorithms-2009
{iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs-02(54)};
SMimeAttributeSet ATTRIBUTE ::=
{ aa-smimeCapabilities | aa-encrypKeyPref, ... }
SMimeAttributeSet ATTRIBUTE ::=
{ aa-smimeCapabilities | aa-encrypKeyPref, ... }
-- id-aa is the arc with all new authenticated and unauthenticated
-- attributes produced by the S/MIME Working Group
-- id-aa is the arc with all new authenticated and unauthenticated
-- attributes produced by the S/MIME Working Group
id-aa OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) attributes(2)}
id-aa OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) attributes(2)}
-- The S/MIME Capabilities attribute provides a method of broadcasting
-- the symmetric capabilities understood. Algorithms SHOULD be ordered
-- by preference and grouped by type
-- The S/MIME Capabilities attribute provides a method of broadcasting
-- the symmetric capabilities understood. Algorithms SHOULD be ordered
-- by preference and grouped by type
aa-smimeCapabilities ATTRIBUTE ::=
{ TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
smimeCapabilities }
smimeCapabilities OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
15 }
aa-smimeCapabilities ATTRIBUTE ::=
{ TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
smimeCapabilities }
smimeCapabilities OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
15 }
SMimeCapsSet SMIME-CAPS ::=
{ cap-preferBinaryInside | cap-RC2CBC |
PKIXAlgs-2009.SMimeCaps |
CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }
SMimeCapsSet SMIME-CAPS ::=
{ cap-preferBinaryInside | cap-RC2CBC |
PKIXAlgs-2009.SMimeCaps |
CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }
-- Encryption Key Preference provides a method of broadcasting the
-- preferred encryption certificate.
-- Encryption Key Preference provides a method of broadcasting the
-- preferred encryption certificate.
aa-encrypKeyPref ATTRIBUTE ::=
{ TYPE SMIMEEncryptionKeyPreference
IDENTIFIED BY id-aa-encrypKeyPref }
aa-encrypKeyPref ATTRIBUTE ::=
{ TYPE SMIMEEncryptionKeyPreference
IDENTIFIED BY id-aa-encrypKeyPref }
id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}
id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}
SMIMEEncryptionKeyPreference ::= CHOICE {
issuerAndSerialNumber [0] IssuerAndSerialNumber,
receipentKeyId [1] RecipientKeyIdentifier,
subjectAltKeyIdentifier [2] SubjectKeyIdentifier
}
SMIMEEncryptionKeyPreference ::= CHOICE {
issuerAndSerialNumber [0] IssuerAndSerialNumber,
receipentKeyId [1] RecipientKeyIdentifier,
subjectAltKeyIdentifier [2] SubjectKeyIdentifier
}
-- receipentKeyId is spelt incorrectly, but kept for historical
-- reasons.
-- receipentKeyId is spelt incorrectly, but kept for historical
-- reasons.
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
id-cap OBJECT IDENTIFIER ::= { id-smime 11 }
id-cap OBJECT IDENTIFIER ::= { id-smime 11 }
-- The preferBinaryInside indicates an ability to receive messages
-- with binary encoding inside the CMS wrapper
-- The preferBinaryInside indicates an ability to receive messages
-- with binary encoding inside the CMS wrapper
cap-preferBinaryInside SMIME-CAPS ::=
cap-preferBinaryInside SMIME-CAPS ::=
{ -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }
{ -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }
id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }
id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }
-- The following list OIDs to be used with S/MIME V3
--下面列出了与S/MIME V3一起使用的OID
-- Signature Algorithms Not Found in [RFC3370]
--
-- md2WithRSAEncryption OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
-- 2}
--
-- Other Signed Attributes
--
-- signingTime OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
-- 5}
-- See [RFC5652] for a description of how to encode the attribute
-- value.
-- Signature Algorithms Not Found in [RFC3370]
--
-- md2WithRSAEncryption OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
-- 2}
--
-- Other Signed Attributes
--
-- signingTime OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
-- 5}
-- See [RFC5652] for a description of how to encode the attribute
-- value.
cap-RC2CBC SMIME-CAPS ::=
{ TYPE SMIMECapabilitiesParametersForRC2CBC
IDENTIFIED BY rc2-cbc}
cap-RC2CBC SMIME-CAPS ::=
{ TYPE SMIMECapabilitiesParametersForRC2CBC
IDENTIFIED BY rc2-cbc}
SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
-- (RC2 Key Length (number of bits))
SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
-- (RC2 Key Length (number of bits))
END
终止
This module has an ASN.1 idiom for noting in which version of CMS changes were made from the original PKCS #7; that idiom is "[[v:", where "v" is an integer. For example:
本模块有一个ASN.1习惯用法,用于说明CMS的哪个版本是从原始PKCS#7修改而来的;这个成语是“[[v:”,其中“v”是一个整数。例如:
RevocationInfoChoice ::= CHOICE {
crl CertificateList,
...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
RevocationInfoChoice ::= CHOICE {
crl CertificateList,
...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
Similarly, this module adds the ASN.1 idiom for extensibility (the "...,") in all places that have been extended in the past. See the example above.
类似地,这个模块在过去扩展过的所有地方都添加了ASN.1的可扩展性(即“…”)。请参见上面的示例。
CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
DEFINITIONS IMPLICIT TAGS ::=
CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN IMPORTS
开始进口
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
FROM CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
FROM CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
Certificate, CertificateList, CertificateSerialNumber,
Name, ATTRIBUTE
FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-explicit-02(51) }
Certificate, CertificateList, CertificateSerialNumber,
Name, ATTRIBUTE
FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-explicit-02(51) }
AttributeCertificate
FROM PKIXAttributeCertificate-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-attribute-cert-02(47) }
AttributeCertificate
FROM PKIXAttributeCertificate-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-attribute-cert-02(47) }
AttributeCertificateV1
FROM AttributeCertificateVersion1-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;
AttributeCertificateV1
FROM AttributeCertificateVersion1-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;
-- Cryptographic Message Syntax
--加密消息语法
-- The following are used for version numbers using the ASN.1
-- idiom "[[n:"
-- Version 1 = PKCS #7
-- Version 2 = S/MIME V2
-- Version 3 = RFC 2630
-- Version 4 = RFC 3369
-- Version 5 = RFC 3852
-- The following are used for version numbers using the ASN.1
-- idiom "[[n:"
-- Version 1 = PKCS #7
-- Version 2 = S/MIME V2
-- Version 3 = RFC 2630
-- Version 4 = RFC 3369
-- Version 5 = RFC 3852
CONTENT-TYPE ::= TYPE-IDENTIFIER
ContentType ::= CONTENT-TYPE.&id
CONTENT-TYPE ::= TYPE-IDENTIFIER
ContentType ::= CONTENT-TYPE.&id
ContentInfo ::= SEQUENCE {
contentType CONTENT-TYPE.
&id({ContentSet}),
content [0] EXPLICIT CONTENT-TYPE.
&Type({ContentSet}{@contentType})}
ContentInfo ::= SEQUENCE {
contentType CONTENT-TYPE.
&id({ContentSet}),
content [0] EXPLICIT CONTENT-TYPE.
&Type({ContentSet}{@contentType})}
ContentSet CONTENT-TYPE ::= {
-- Define the set of content types to be recognized.
ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
ct-AuthenticatedData | ct-DigestedData, ... }
ContentSet CONTENT-TYPE ::= {
-- Define the set of content types to be recognized.
ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
ct-AuthenticatedData | ct-DigestedData, ... }
SignedData ::= SEQUENCE {
version CMSVersion,
digestAlgorithms SET OF DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos }
SignedData ::= SEQUENCE {
version CMSVersion,
digestAlgorithms SET OF DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos }
SignerInfos ::= SET OF SignerInfo
SignerInfos ::= SET OF SignerInfo
EncapsulatedContentInfo ::= SEQUENCE {
eContentType CONTENT-TYPE.&id({ContentSet}),
eContent [0] EXPLICIT OCTET STRING
( CONTAINING CONTENT-TYPE.
&Type({ContentSet}{@eContentType})) OPTIONAL }
EncapsulatedContentInfo ::= SEQUENCE {
eContentType CONTENT-TYPE.&id({ContentSet}),
eContent [0] EXPLICIT OCTET STRING
( CONTAINING CONTENT-TYPE.
&Type({ContentSet}{@eContentType})) OPTIONAL }
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT Attributes
{{UnsignedAttributes}} OPTIONAL }
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT Attributes
{{UnsignedAttributes}} OPTIONAL }
SignedAttributes ::= Attributes {{ SignedAttributesSet }}
SignedAttributes ::= Attributes {{ SignedAttributesSet }}
SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
...,
[[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
...,
[[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
SignedAttributesSet ATTRIBUTE ::=
{ aa-signingTime | aa-messageDigest | aa-contentType, ... }
SignedAttributesSet ATTRIBUTE ::=
{ aa-signingTime | aa-messageDigest | aa-contentType, ... }
UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }
UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }
SignatureValue ::= OCTET STRING
SignatureValue ::= OCTET STRING
EnvelopedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo,
...,
[[2: unprotectedAttrs [1] IMPLICIT Attributes
{{ UnprotectedAttributes }} OPTIONAL ]] }
EnvelopedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo,
...,
[[2: unprotectedAttrs [1] IMPLICIT Attributes
{{ UnprotectedAttributes }} OPTIONAL ]] }
OriginatorInfo ::= SEQUENCE {
certs [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }
OriginatorInfo ::= SEQUENCE {
certs [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }
RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
EncryptedContentInfo ::= SEQUENCE {
contentType CONTENT-TYPE.&id({ContentSet}),
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }
EncryptedContentInfo ::= SEQUENCE {
contentType CONTENT-TYPE.&id({ContentSet}),
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }
-- If you want to do constraints, you might use:
-- EncryptedContentInfo ::= SEQUENCE {
-- contentType CONTENT-TYPE.&id({ContentSet}),
-- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
-- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
-- &Type({ContentSet}{@contentType}) OPTIONAL }
-- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
-- { ToBeEncrypted } )
-- If you want to do constraints, you might use:
-- EncryptedContentInfo ::= SEQUENCE {
-- contentType CONTENT-TYPE.&id({ContentSet}),
-- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
-- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
-- &Type({ContentSet}{@contentType}) OPTIONAL }
-- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
-- { ToBeEncrypted } )
UnprotectedAttributes ATTRIBUTE ::= { ... }
UnprotectedAttributes ATTRIBUTE ::= { ... }
RecipientInfo ::= CHOICE {
ktri KeyTransRecipientInfo,
...,
[[3: kari [1] KeyAgreeRecipientInfo ]],
[[4: kekri [2] KEKRecipientInfo]],
[[5: pwri [3] PasswordRecipientInfo,
ori [4] OtherRecipientInfo ]] }
RecipientInfo ::= CHOICE {
ktri KeyTransRecipientInfo,
...,
[[3: kari [1] KeyAgreeRecipientInfo ]],
[[4: kekri [2] KEKRecipientInfo]],
[[5: pwri [3] PasswordRecipientInfo,
ori [4] OtherRecipientInfo ]] }
EncryptedKey ::= OCTET STRING
EncryptedKey ::= OCTET STRING
KeyTransRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0 or 2
rid RecipientIdentifier,
keyEncryptionAlgorithm AlgorithmIdentifier
{KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
KeyTransRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0 or 2
rid RecipientIdentifier,
keyEncryptionAlgorithm AlgorithmIdentifier
{KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
encryptedKey EncryptedKey }
encryptedKey encryptedKey}
KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }
KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }
RecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
...,
[[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
KeyAgreeRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 3
originator [0] EXPLICIT OriginatorIdentifierOrKey,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
keyEncryptionAlgorithm AlgorithmIdentifier
{KEY-AGREE, {KeyAgreementAlgorithmSet}},
recipientEncryptedKeys RecipientEncryptedKeys }
RecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
...,
[[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
KeyAgreeRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 3
originator [0] EXPLICIT OriginatorIdentifierOrKey,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
keyEncryptionAlgorithm AlgorithmIdentifier
{KEY-AGREE, {KeyAgreementAlgorithmSet}},
recipientEncryptedKeys RecipientEncryptedKeys }
KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }
KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }
OriginatorIdentifierOrKey ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier,
originatorKey [1] OriginatorPublicKey }
OriginatorIdentifierOrKey ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier,
originatorKey [1] OriginatorPublicKey }
OriginatorPublicKey ::= SEQUENCE {
algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
publicKey BIT STRING }
OriginatorPublicKey ::= SEQUENCE {
algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
publicKey BIT STRING }
OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }
OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }
RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
RecipientEncryptedKey ::= SEQUENCE {
rid KeyAgreeRecipientIdentifier,
encryptedKey EncryptedKey }
RecipientEncryptedKey ::= SEQUENCE {
rid KeyAgreeRecipientIdentifier,
encryptedKey EncryptedKey }
KeyAgreeRecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
rKeyId [0] IMPLICIT RecipientKeyIdentifier }
KeyAgreeRecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
rKeyId [0] IMPLICIT RecipientKeyIdentifier }
RecipientKeyIdentifier ::= SEQUENCE {
subjectKeyIdentifier SubjectKeyIdentifier,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
RecipientKeyIdentifier ::= SEQUENCE {
subjectKeyIdentifier SubjectKeyIdentifier,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
SubjectKeyIdentifier ::= OCTET STRING
SubjectKeyIdentifier ::= OCTET STRING
KEKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 4
KEKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 4
kekid KEKIdentifier, keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, encryptedKey EncryptedKey }
kekid KEKIdentifier,keyEncryptionAlgorithm KeyEncryptionalGorithmidIdentifier,encryptedKey encryptedKey}
KEKIdentifier ::= SEQUENCE {
keyIdentifier OCTET STRING,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
PasswordRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0
keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
OPTIONAL,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
KEKIdentifier ::= SEQUENCE {
keyIdentifier OCTET STRING,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
PasswordRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0
keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
OPTIONAL,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
OTHER-RECIPIENT ::= TYPE-IDENTIFIER
OTHER-RECIPIENT ::= TYPE-IDENTIFIER
OtherRecipientInfo ::= SEQUENCE {
oriType OTHER-RECIPIENT.
&id({SupportedOtherRecipInfo}),
oriValue OTHER-RECIPIENT.
&Type({SupportedOtherRecipInfo}{@oriType})}
OtherRecipientInfo ::= SEQUENCE {
oriType OTHER-RECIPIENT.
&id({SupportedOtherRecipInfo}),
oriValue OTHER-RECIPIENT.
&Type({SupportedOtherRecipInfo}{@oriType})}
SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }
SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }
DigestedData ::= SEQUENCE {
version CMSVersion,
digestAlgorithm DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo,
digest Digest, ... }
DigestedData ::= SEQUENCE {
version CMSVersion,
digestAlgorithm DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo,
digest Digest, ... }
Digest ::= OCTET STRING
Digest ::= OCTET STRING
EncryptedData ::= SEQUENCE {
version CMSVersion,
encryptedContentInfo EncryptedContentInfo,
...,
[[2: unprotectedAttrs [1] IMPLICIT Attributes
{{UnprotectedAttributes}} OPTIONAL ]] }
EncryptedData ::= SEQUENCE {
version CMSVersion,
encryptedContentInfo EncryptedContentInfo,
...,
[[2: unprotectedAttrs [1] IMPLICIT Attributes
{{UnprotectedAttributes}} OPTIONAL ]] }
AuthenticatedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
macAlgorithm MessageAuthenticationCodeAlgorithm,
digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
encapContentInfo EncapsulatedContentInfo,
authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
AuthenticatedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
macAlgorithm MessageAuthenticationCodeAlgorithm,
digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
encapContentInfo EncapsulatedContentInfo,
authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode, unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
mac MessageAuthenticationCode,unauthAttrs[3]隐式UnauthAttributes可选}
AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{AuthAttributeSet}}
AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{AuthAttributeSet}}
AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
| aa-signingTime, ...}
MessageAuthenticationCode ::= OCTET STRING
AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
| aa-signingTime, ...}
MessageAuthenticationCode ::= OCTET STRING
UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{UnauthAttributeSet}}
UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{UnauthAttributeSet}}
UnauthAttributeSet ATTRIBUTE ::= {...}
UnauthAttributeSet ATTRIBUTE ::= {...}
-- -- General algorithm definitions --
----通用算法定义--
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
{DIGEST-ALGORITHM, {DigestAlgorithmSet}}
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
{DIGEST-ALGORITHM, {DigestAlgorithmSet}}
DigestAlgorithmSet DIGEST-ALGORITHM ::= {
CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }
DigestAlgorithmSet DIGEST-ALGORITHM ::= {
CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
{SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
{SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}
SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
{ SignatureAlgs, ... }
SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
{ SignatureAlgs, ... }
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-WRAP, {KeyEncryptionAlgorithmSet}}
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-WRAP, {KeyEncryptionAlgorithmSet}}
KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }
KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}
ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
{ ContentEncryptionAlgs, ... }
ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
{ ContentEncryptionAlgs, ... }
MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
{MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}
MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
{MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}
MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
{ MessageAuthAlgs, ... }
MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
{ MessageAuthAlgs, ... }
KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-DERIVATION, {KeyDerivationAlgs, ...}}
KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-DERIVATION, {KeyDerivationAlgs, ...}}
RevocationInfoChoices ::= SET OF RevocationInfoChoice
RevocationInfoChoices ::= SET OF RevocationInfoChoice
RevocationInfoChoice ::= CHOICE {
crl CertificateList,
...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
RevocationInfoChoice ::= CHOICE {
crl CertificateList,
...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
OTHER-REVOK-INFO ::= TYPE-IDENTIFIER
OTHER-REVOK-INFO ::= TYPE-IDENTIFIER
OtherRevocationInfoFormat ::= SEQUENCE {
otherRevInfoFormat OTHER-REVOK-INFO.
&id({SupportedOtherRevokInfo}),
otherRevInfo OTHER-REVOK-INFO.
&Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}
OtherRevocationInfoFormat ::= SEQUENCE {
otherRevInfoFormat OTHER-REVOK-INFO.
&id({SupportedOtherRevokInfo}),
otherRevInfo OTHER-REVOK-INFO.
&Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}
SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }
SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }
CertificateChoices ::= CHOICE {
certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate,
-- Obsolete
...,
[[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
-- Obsolete
[[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
[[5: other [3] IMPLICIT OtherCertificateFormat]] }
CertificateChoices ::= CHOICE {
certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate,
-- Obsolete
...,
[[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
-- Obsolete
[[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
[[5: other [3] IMPLICIT OtherCertificateFormat]] }
AttributeCertificateV2 ::= AttributeCertificate
AttributeCertificateV2 ::= AttributeCertificate
OTHER-CERT-FMT ::= TYPE-IDENTIFIER
OTHER-CERT-FMT ::= TYPE-IDENTIFIER
OtherCertificateFormat ::= SEQUENCE {
otherCertFormat OTHER-CERT-FMT.
&id({SupportedCertFormats}),
otherCert OTHER-CERT-FMT.
&Type({SupportedCertFormats}{@otherCertFormat})}
OtherCertificateFormat ::= SEQUENCE {
otherCertFormat OTHER-CERT-FMT.
&id({SupportedCertFormats}),
otherCert OTHER-CERT-FMT.
&Type({SupportedCertFormats}{@otherCertFormat})}
SupportedCertFormats OTHER-CERT-FMT ::= { ... }
SupportedCertFormats OTHER-CERT-FMT ::= { ... }
CertificateSet ::= SET OF CertificateChoices
CertificateSet ::= SET OF CertificateChoices
IssuerAndSerialNumber ::= SEQUENCE {
issuer Name,
serialNumber CertificateSerialNumber }
IssuerAndSerialNumber ::= SEQUENCE {
issuer Name,
serialNumber CertificateSerialNumber }
CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
UserKeyingMaterial ::= OCTET STRING
UserKeyingMaterial ::= OCTET STRING
KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
OtherKeyAttribute ::= SEQUENCE {
keyAttrId KEY-ATTRIBUTE.
OtherKeyAttribute ::= SEQUENCE {
keyAttrId KEY-ATTRIBUTE.
&id({SupportedKeyAttributes}),
keyAttr KEY-ATTRIBUTE.
&Type({SupportedKeyAttributes}{@keyAttrId})}
&id({SupportedKeyAttributes}),
keyAttr KEY-ATTRIBUTE.
&Type({SupportedKeyAttributes}{@keyAttrId})}
SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }
SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }
-- Content Type Object Identifiers
--内容类型对象标识符
id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }
id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }
ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}
ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}
id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
ct-SignedData CONTENT-TYPE ::=
{ SignedData IDENTIFIED BY id-signedData}
ct-SignedData CONTENT-TYPE ::=
{ SignedData IDENTIFIED BY id-signedData}
id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
ct-EnvelopedData CONTENT-TYPE ::=
{ EnvelopedData IDENTIFIED BY id-envelopedData}
ct-EnvelopedData CONTENT-TYPE ::=
{ EnvelopedData IDENTIFIED BY id-envelopedData}
id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }
id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }
ct-DigestedData CONTENT-TYPE ::=
{ DigestedData IDENTIFIED BY id-digestedData}
ct-DigestedData CONTENT-TYPE ::=
{ DigestedData IDENTIFIED BY id-digestedData}
id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }
id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }
ct-EncryptedData CONTENT-TYPE ::=
{ EncryptedData IDENTIFIED BY id-encryptedData}
ct-EncryptedData CONTENT-TYPE ::=
{ EncryptedData IDENTIFIED BY id-encryptedData}
id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
ct-AuthenticatedData CONTENT-TYPE ::=
{ AuthenticatedData IDENTIFIED BY id-ct-authData}
ct-AuthenticatedData CONTENT-TYPE ::=
{ AuthenticatedData IDENTIFIED BY id-ct-authData}
id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }
id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }
-- -- The CMS Attributes --
--——CMS属性--
MessageDigest ::= OCTET STRING
MessageDigest ::= OCTET STRING
SigningTime ::= Time
SigningTime ::= Time
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
Countersignature ::= SignerInfo
Countersignature ::= SignerInfo
-- Attribute Object Identifiers
--属性对象标识符
aa-contentType ATTRIBUTE ::=
{ TYPE ContentType IDENTIFIED BY id-contentType }
id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }
aa-contentType ATTRIBUTE ::=
{ TYPE ContentType IDENTIFIED BY id-contentType }
id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }
aa-messageDigest ATTRIBUTE ::=
{ TYPE MessageDigest IDENTIFIED BY id-messageDigest}
id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }
aa-messageDigest ATTRIBUTE ::=
{ TYPE MessageDigest IDENTIFIED BY id-messageDigest}
id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }
aa-signingTime ATTRIBUTE ::=
{ TYPE SigningTime IDENTIFIED BY id-signingTime }
id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
aa-signingTime ATTRIBUTE ::=
{ TYPE SigningTime IDENTIFIED BY id-signingTime }
id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
aa-countersignature ATTRIBUTE ::=
{ TYPE Countersignature IDENTIFIED BY id-countersignature }
id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
aa-countersignature ATTRIBUTE ::=
{ TYPE Countersignature IDENTIFIED BY id-countersignature }
id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
-- -- Obsolete Extended Certificate syntax from PKCS#6 --
----PKCS#6中过时的扩展证书语法--
ExtendedCertificateOrCertificate ::= CHOICE {
certificate Certificate,
ExtendedCertificateOrCertificate ::= CHOICE {
certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate }
extendedCertificate[0]隐式extendedCertificate}
ExtendedCertificate ::= SEQUENCE {
extendedCertificateInfo ExtendedCertificateInfo,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature Signature }
ExtendedCertificate ::= SEQUENCE {
extendedCertificateInfo ExtendedCertificateInfo,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature Signature }
ExtendedCertificateInfo ::= SEQUENCE {
version CMSVersion,
certificate Certificate,
attributes UnauthAttributes }
ExtendedCertificateInfo ::= SEQUENCE {
version CMSVersion,
certificate Certificate,
attributes UnauthAttributes }
Signature ::= BIT STRING
Signature ::= BIT STRING
Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
attrType ATTRIBUTE.
&id({AttrList}),
attrValues SET OF ATTRIBUTE.
&Type({AttrList}{@attrType}) }
Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
attrType ATTRIBUTE.
&id({AttrList}),
attrValues SET OF ATTRIBUTE.
&Type({AttrList}{@attrType}) }
Attributes { ATTRIBUTE:AttrList } ::=
SET SIZE (1..MAX) OF Attribute {{ AttrList }}
Attributes { ATTRIBUTE:AttrList } ::=
SET SIZE (1..MAX) OF Attribute {{ AttrList }}
END
终止
CMSFirmwareWrapper-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
CMSFirmwareWrapper-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
OTHER-NAME
FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
OTHER-NAME
FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
EnvelopedData, CONTENT-TYPE, ATTRIBUTE
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41) };
EnvelopedData, CONTENT-TYPE, ATTRIBUTE
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41) };
FirmwareContentTypes CONTENT-TYPE ::= {
ct-firmwarePackage | ct-firmwareLoadReceipt |
ct-firmwareLoadError,... }
FirmwareContentTypes CONTENT-TYPE ::= {
ct-firmwarePackage | ct-firmwareLoadReceipt |
ct-firmwareLoadError,... }
FirmwareSignedAttrs ATTRIBUTE ::= {
aa-firmwarePackageID | aa-targetHardwareIDs |
aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
aa-communityIdentifiers | aa-firmwarePackageInfo,... }
FirmwareUnsignedAttrs ATTRIBUTE ::= {
aa-wrappedFirmwareKey, ... }
FirmwareSignedAttrs ATTRIBUTE ::= {
aa-firmwarePackageID | aa-targetHardwareIDs |
aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
aa-communityIdentifiers | aa-firmwarePackageInfo,... }
FirmwareUnsignedAttrs ATTRIBUTE ::= {
aa-wrappedFirmwareKey, ... }
FirmwareOtherNames OTHER-NAME ::= {
on-hardwareModuleName, ... }
FirmwareOtherNames OTHER-NAME ::= {
on-hardwareModuleName, ... }
-- Firmware Package Content Type and Object Identifier
--固件包内容类型和对象标识符
ct-firmwarePackage CONTENT-TYPE ::=
{ FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }
ct-firmwarePackage CONTENT-TYPE ::=
{ FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }
id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 16 }
id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 16 }
FirmwarePkgData ::= OCTET STRING
FirmwarePkgData ::= OCTET STRING
-- Firmware Package Signed Attributes and Object Identifiers
--固件包签名属性和对象标识符
aa-firmwarePackageID ATTRIBUTE ::=
{ TYPE FirmwarePackageIdentifier IDENTIFIED BY
id-aa-firmwarePackageID }
aa-firmwarePackageID ATTRIBUTE ::=
{ TYPE FirmwarePackageIdentifier IDENTIFIED BY
id-aa-firmwarePackageID }
id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 35 }
id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 35 }
FirmwarePackageIdentifier ::= SEQUENCE {
name PreferredOrLegacyPackageIdentifier,
stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }
FirmwarePackageIdentifier ::= SEQUENCE {
name PreferredOrLegacyPackageIdentifier,
stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }
PreferredOrLegacyPackageIdentifier ::= CHOICE {
preferred PreferredPackageIdentifier,
legacy OCTET STRING }
PreferredOrLegacyPackageIdentifier ::= CHOICE {
preferred PreferredPackageIdentifier,
legacy OCTET STRING }
PreferredPackageIdentifier ::= SEQUENCE {
fwPkgID OBJECT IDENTIFIER,
verNum INTEGER (0..MAX) }
PreferredPackageIdentifier ::= SEQUENCE {
fwPkgID OBJECT IDENTIFIER,
verNum INTEGER (0..MAX) }
PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
preferredStaleVerNum INTEGER (0..MAX),
legacyStaleVersion OCTET STRING }
PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
preferredStaleVerNum INTEGER (0..MAX),
legacyStaleVersion OCTET STRING }
aa-targetHardwareIDs ATTRIBUTE ::=
aa-targetHardwareIDs ATTRIBUTE ::=
{ TYPE TargetHardwareIdentifiers IDENTIFIED BY id-aa-targetHardwareIDs }
{由id aa targetHardwareIDs标识的类型TARGETHARDWAREIDIFIER}
id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 36 }
id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 36 }
TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER
TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER
aa-decryptKeyID ATTRIBUTE ::=
{ TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}
aa-decryptKeyID ATTRIBUTE ::=
{ TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}
id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 37 }
id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 37 }
DecryptKeyIdentifier ::= OCTET STRING
DecryptKeyIdentifier ::= OCTET STRING
aa-implCryptoAlgs ATTRIBUTE ::=
{ TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
id-aa-implCryptoAlgs }
aa-implCryptoAlgs ATTRIBUTE ::=
{ TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
id-aa-implCryptoAlgs }
id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 38 }
id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 38 }
ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER
ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER
aa-implCompressAlgs ATTRIBUTE ::=
{ TYPE ImplementedCompressAlgorithms IDENTIFIED BY
id-aa-implCompressAlgs }
aa-implCompressAlgs ATTRIBUTE ::=
{ TYPE ImplementedCompressAlgorithms IDENTIFIED BY
id-aa-implCompressAlgs }
id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 43 }
id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 43 }
ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER
ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER
aa-communityIdentifiers ATTRIBUTE ::=
{ TYPE CommunityIdentifiers IDENTIFIED BY
id-aa-communityIdentifiers }
aa-communityIdentifiers ATTRIBUTE ::=
{ TYPE CommunityIdentifiers IDENTIFIED BY
id-aa-communityIdentifiers }
id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 40 }
id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 40 }
CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier
CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier
CommunityIdentifier ::= CHOICE {
communityOID OBJECT IDENTIFIER,
hwModuleList HardwareModules }
HardwareModules ::= SEQUENCE {
hwType OBJECT IDENTIFIER,
hwSerialEntries SEQUENCE OF HardwareSerialEntry }
CommunityIdentifier ::= CHOICE {
communityOID OBJECT IDENTIFIER,
hwModuleList HardwareModules }
HardwareModules ::= SEQUENCE {
hwType OBJECT IDENTIFIER,
hwSerialEntries SEQUENCE OF HardwareSerialEntry }
HardwareSerialEntry ::= CHOICE {
all NULL,
single OCTET STRING,
block SEQUENCE {
low OCTET STRING,
high OCTET STRING
}
}
HardwareSerialEntry ::= CHOICE {
all NULL,
single OCTET STRING,
block SEQUENCE {
low OCTET STRING,
high OCTET STRING
}
}
aa-firmwarePackageInfo ATTRIBUTE ::=
{ TYPE FirmwarePackageInfo IDENTIFIED BY
id-aa-firmwarePackageInfo }
id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 42 }
aa-firmwarePackageInfo ATTRIBUTE ::=
{ TYPE FirmwarePackageInfo IDENTIFIED BY
id-aa-firmwarePackageInfo }
id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 42 }
FirmwarePackageInfo ::= SEQUENCE {
fwPkgType INTEGER OPTIONAL,
dependencies SEQUENCE OF
PreferredOrLegacyPackageIdentifier OPTIONAL }
FirmwarePackageInfo ::= SEQUENCE {
fwPkgType INTEGER OPTIONAL,
dependencies SEQUENCE OF
PreferredOrLegacyPackageIdentifier OPTIONAL }
-- Firmware Package Unsigned Attributes and Object Identifiers
--固件包未签名属性和对象标识符
aa-wrappedFirmwareKey ATTRIBUTE ::=
{ TYPE WrappedFirmwareKey IDENTIFIED BY
id-aa-wrappedFirmwareKey }
id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 39 }
aa-wrappedFirmwareKey ATTRIBUTE ::=
{ TYPE WrappedFirmwareKey IDENTIFIED BY
id-aa-wrappedFirmwareKey }
id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 39 }
WrappedFirmwareKey ::= EnvelopedData
WrappedFirmwareKey ::= EnvelopedData
-- Firmware Package Load Receipt Content Type and Object Identifier
--固件包加载接收内容类型和对象标识符
ct-firmwareLoadReceipt CONTENT-TYPE ::=
{ FirmwarePackageLoadReceipt IDENTIFIED BY
id-ct-firmwareLoadReceipt }
id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 17 }
ct-firmwareLoadReceipt CONTENT-TYPE ::=
{ FirmwarePackageLoadReceipt IDENTIFIED BY
id-ct-firmwareLoadReceipt }
id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 17 }
FirmwarePackageLoadReceipt ::= SEQUENCE {
version FWReceiptVersion DEFAULT v1,
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING,
fwPkgName PreferredOrLegacyPackageIdentifier,
trustAnchorKeyID OCTET STRING OPTIONAL,
decryptKeyID [1] OCTET STRING OPTIONAL }
FirmwarePackageLoadReceipt ::= SEQUENCE {
version FWReceiptVersion DEFAULT v1,
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING,
fwPkgName PreferredOrLegacyPackageIdentifier,
trustAnchorKeyID OCTET STRING OPTIONAL,
decryptKeyID [1] OCTET STRING OPTIONAL }
FWReceiptVersion ::= INTEGER { v1(1) }
FWReceiptVersion ::= INTEGER { v1(1) }
-- Firmware Package Load Error Report Content Type
-- and Object Identifier
-- Firmware Package Load Error Report Content Type
-- and Object Identifier
ct-firmwareLoadError CONTENT-TYPE ::=
{ FirmwarePackageLoadError
IDENTIFIED BY id-ct-firmwareLoadError }
id-ct-firmwareLoadError OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 18 }
ct-firmwareLoadError CONTENT-TYPE ::=
{ FirmwarePackageLoadError
IDENTIFIED BY id-ct-firmwareLoadError }
id-ct-firmwareLoadError OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 18 }
FirmwarePackageLoadError ::= SEQUENCE {
version FWErrorVersion DEFAULT v1,
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING,
errorCode FirmwarePackageLoadErrorCode,
vendorErrorCode VendorLoadErrorCode OPTIONAL,
fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL,
config [1] SEQUENCE OF CurrentFWConfig OPTIONAL }
FirmwarePackageLoadError ::= SEQUENCE {
version FWErrorVersion DEFAULT v1,
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING,
errorCode FirmwarePackageLoadErrorCode,
vendorErrorCode VendorLoadErrorCode OPTIONAL,
fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL,
config [1] SEQUENCE OF CurrentFWConfig OPTIONAL }
FWErrorVersion ::= INTEGER { v1(1) }
FWErrorVersion ::= INTEGER { v1(1) }
CurrentFWConfig ::= SEQUENCE {
fwPkgType INTEGER OPTIONAL,
fwPkgName PreferredOrLegacyPackageIdentifier }
CurrentFWConfig ::= SEQUENCE {
fwPkgType INTEGER OPTIONAL,
fwPkgName PreferredOrLegacyPackageIdentifier }
FirmwarePackageLoadErrorCode ::= ENUMERATED {
decodeFailure (1),
badContentInfo (2),
badSignedData (3),
badEncapContent (4),
badCertificate (5),
badSignerInfo (6),
badSignedAttrs (7),
badUnsignedAttrs (8),
missingContent (9),
noTrustAnchor (10),
notAuthorized (11),
badDigestAlgorithm (12),
FirmwarePackageLoadErrorCode ::= ENUMERATED {
decodeFailure (1),
badContentInfo (2),
badSignedData (3),
badEncapContent (4),
badCertificate (5),
badSignerInfo (6),
badSignedAttrs (7),
badUnsignedAttrs (8),
missingContent (9),
noTrustAnchor (10),
notAuthorized (11),
badDigestAlgorithm (12),
badSignatureAlgorithm (13), unsupportedKeySize (14), signatureFailure (15), contentTypeMismatch (16), badEncryptedData (17), unprotectedAttrsPresent (18), badEncryptContent (19), badEncryptAlgorithm (20), missingCiphertext (21), noDecryptKey (22), decryptFailure (23), badCompressAlgorithm (24), missingCompressedContent (25), decompressFailure (26), wrongHardware (27), stalePackage (28), notInCommunity (29), unsupportedPackageType (30), missingDependency (31), wrongDependencyVersion (32), insufficientMemory (33), badFirmware (34), unsupportedParameters (35), breaksDependency (36), otherError (99) }
badSignatureAlgorithm(13)、unsupportedKeySize(14)、signatureFailure(15)、contentTypeMismatch(16)、badEncryptedData(17)、unprotectedAttrsPresent(18)、badEncryptContent(19)、BadEncryptedAlgorithm(20)、missingCiphertext(21)、noDecryptKey(22)、decryptFailure(23)、badCompressAlgorithm(24)、missingCompressedContent(25)、DecompressedFailure(26),错误的硬件(27)、陈旧的包(28)、不独立的包(29)、不支持的包类型(30)、缺少依赖项(31)、错误的依赖项版本(32)、内存不足(33)、固件错误(34)、不支持的参数(35)、中断依赖项(36)、其他错误(99)}
VendorLoadErrorCode ::= INTEGER
VendorLoadErrorCode ::= INTEGER
-- Other Name syntax for Hardware Module Name
--硬件模块名称的其他名称语法
on-hardwareModuleName OTHER-NAME ::=
{ HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }
id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) on(8) 4 }
on-hardwareModuleName OTHER-NAME ::=
{ HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }
id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) on(8) 4 }
HardwareModuleName ::= SEQUENCE {
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING }
HardwareModuleName ::= SEQUENCE {
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING }
END
终止
ERS {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
id-mod-ers-v1(1) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
ERS {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
id-mod-ers-v1(1) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
AttributeSet{}, ATTRIBUTE
FROM PKIX-CommonTypes
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
AttributeSet{}, ATTRIBUTE
FROM PKIX-CommonTypes
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
ContentInfo
FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } ;
ContentInfo
FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } ;
aa-er-Internal ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
id-aa-er-internal OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 49 }
aa-er-Internal ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
id-aa-er-internal OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 49 }
aa-er-External ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
id-aa-er-external OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 50 }
aa-er-External ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
id-aa-er-external OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 50 }
ltans OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) ltans(11) }
ltans OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) ltans(11) }
EvidenceRecord ::= SEQUENCE {
version INTEGER { v1(1) } ,
digestAlgorithms SEQUENCE OF AlgorithmIdentifier
{DIGEST-ALGORITHM, {...}},
cryptoInfos [0] CryptoInfos OPTIONAL,
encryptionInfo [1] EncryptionInfo OPTIONAL,
archiveTimeStampSequence ArchiveTimeStampSequence
EvidenceRecord ::= SEQUENCE {
version INTEGER { v1(1) } ,
digestAlgorithms SEQUENCE OF AlgorithmIdentifier
{DIGEST-ALGORITHM, {...}},
cryptoInfos [0] CryptoInfos OPTIONAL,
encryptionInfo [1] EncryptionInfo OPTIONAL,
archiveTimeStampSequence ArchiveTimeStampSequence
}
}
CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}}
CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}}
ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain
ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp
ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain
ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp
ArchiveTimeStamp ::= SEQUENCE {
digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
OPTIONAL,
attributes [1] Attributes OPTIONAL,
reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
timeStamp ContentInfo
}
ArchiveTimeStamp ::= SEQUENCE {
digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
OPTIONAL,
attributes [1] Attributes OPTIONAL,
reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
timeStamp ContentInfo
}
PartialHashtree ::= SEQUENCE OF OCTET STRING
PartialHashtree ::= SEQUENCE OF OCTET STRING
Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}}
Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}}
EncryptionInfo ::= SEQUENCE {
encryptionInfoType ENCINFO-TYPE.
&id({SupportedEncryptionAlgorithms}),
encryptionInfoValue ENCINFO-TYPE.
&Type({SupportedEncryptionAlgorithms}
{@encryptionInfoType})
}
EncryptionInfo ::= SEQUENCE {
encryptionInfoType ENCINFO-TYPE.
&id({SupportedEncryptionAlgorithms}),
encryptionInfoValue ENCINFO-TYPE.
&Type({SupportedEncryptionAlgorithms}
{@encryptionInfoType})
}
ENCINFO-TYPE ::= TYPE-IDENTIFIER
ENCINFO-TYPE ::= TYPE-IDENTIFIER
SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}
SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}
END
终止
Section numbers in the module refer to the sections of RFC 2634 as updated by RFC 5035.
模块中的章节编号指由RFC 5035更新的RFC 2634章节。
ExtendedSecurityServices-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-ess-2006-02(42) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
ExtendedSecurityServices-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-ess-2006-02(42) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{}
FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{}
FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
CONTENT-TYPE
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41) }
ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
CONTENT-TYPE
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41) }
CertificateSerialNumber
FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
CertificateSerialNumber
FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
PolicyInformation, GeneralNames
FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
PolicyInformation, GeneralNames
FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
mda-sha256
FROM PKIX1-PSS-OAEP-Algorithms-2009
{ iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs-02(54) } ;
mda-sha256
FROM PKIX1-PSS-OAEP-Algorithms-2009
{ iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs-02(54) } ;
EssSignedAttributes ATTRIBUTE ::= {
aa-receiptRequest | aa-contentIdentifier | aa-contentHint |
aa-msgSigDigest | aa-contentReference | aa-securityLabel |
aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate |
aa-signingCertificateV2, ... }
EssSignedAttributes ATTRIBUTE ::= {
aa-receiptRequest | aa-contentIdentifier | aa-contentHint |
aa-msgSigDigest | aa-contentReference | aa-securityLabel |
aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate |
aa-signingCertificateV2, ... }
EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... }
EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... }
-- Extended Security Services
-- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
-- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
-- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE
-- to have at least one entry. MAX indicates the upper bound is
-- unspecified. Implementations are free to choose an upper bound
-- that suits their environment.
-- Extended Security Services
-- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
-- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
-- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE
-- to have at least one entry. MAX indicates the upper bound is
-- unspecified. Implementations are free to choose an upper bound
-- that suits their environment.
-- Section 2.7
--第2.7节
aa-receiptRequest ATTRIBUTE ::=
{ TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}
aa-receiptRequest ATTRIBUTE ::=
{ TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}
ReceiptRequest ::= SEQUENCE {
signedContentIdentifier ContentIdentifier,
receiptsFrom ReceiptsFrom,
receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
}
ReceiptRequest ::= SEQUENCE {
signedContentIdentifier ContentIdentifier,
receiptsFrom ReceiptsFrom,
receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
}
ub-receiptsTo INTEGER ::= 16
ub-receiptsTo INTEGER ::= 16
aa-contentIdentifier ATTRIBUTE ::=
{ TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}
id-aa-receiptRequest OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 1}
aa-contentIdentifier ATTRIBUTE ::=
{ TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}
id-aa-receiptRequest OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 1}
ContentIdentifier ::= OCTET STRING
ContentIdentifier ::= OCTET STRING
id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}
id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}
ct-receipt CONTENT-TYPE ::=
{ Receipt IDENTIFIED BY id-ct-receipt }
id-ct-receipt OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-ct(1) 1}
ct-receipt CONTENT-TYPE ::=
{ Receipt IDENTIFIED BY id-ct-receipt }
id-ct-receipt OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-ct(1) 1}
ReceiptsFrom ::= CHOICE {
allOrFirstTier [0] AllOrFirstTier,
-- formerly "allOrNone [0]AllOrNone"
receiptList [1] SEQUENCE OF GeneralNames }
ReceiptsFrom ::= CHOICE {
allOrFirstTier [0] AllOrFirstTier,
-- formerly "allOrNone [0]AllOrNone"
receiptList [1] SEQUENCE OF GeneralNames }
AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
allReceipts (0),
firstTierRecipients (1) }
AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
allReceipts (0),
firstTierRecipients (1) }
-- Section 2.8
--第2.8节
Receipt ::= SEQUENCE {
version ESSVersion,
contentType ContentType,
signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING
}
Receipt ::= SEQUENCE {
version ESSVersion,
contentType ContentType,
signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING
}
ESSVersion ::= INTEGER { v1(1) }
ESSVersion ::= INTEGER { v1(1) }
-- Section 2.9
--第2.9节
aa-contentHint ATTRIBUTE ::=
{ TYPE ContentHints IDENTIFIED BY id-aa-contentHint }
id-aa-contentHint OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 4}
aa-contentHint ATTRIBUTE ::=
{ TYPE ContentHints IDENTIFIED BY id-aa-contentHint }
id-aa-contentHint OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 4}
ContentHints ::= SEQUENCE {
contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
contentType ContentType }
ContentHints ::= SEQUENCE {
contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
contentType ContentType }
-- Section 2.10
--第2.10节
aa-msgSigDigest ATTRIBUTE ::=
{ TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }
id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}
aa-msgSigDigest ATTRIBUTE ::=
{ TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }
id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}
MsgSigDigest ::= OCTET STRING
MsgSigDigest ::= OCTET STRING
-- Section 2.11
--第2.11节
aa-contentReference ATTRIBUTE ::=
{ TYPE ContentReference IDENTIFIED BY id-aa-contentReference }
id-aa-contentReference OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 10 }
aa-contentReference ATTRIBUTE ::=
{ TYPE ContentReference IDENTIFIED BY id-aa-contentReference }
id-aa-contentReference OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 10 }
ContentReference ::= SEQUENCE {
contentType ContentType,
signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING }
ContentReference ::= SEQUENCE {
contentType ContentType,
signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING }
-- Section 3.2
--第3.2节
aa-securityLabel ATTRIBUTE ::=
{ TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }
id-aa-securityLabel OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 2}
aa-securityLabel ATTRIBUTE ::=
{ TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }
id-aa-securityLabel OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 2}
ESSSecurityLabel ::= SET {
security-policy-identifier SecurityPolicyIdentifier,
security-classification SecurityClassification OPTIONAL,
privacy-mark ESSPrivacyMark OPTIONAL,
security-categories SecurityCategories OPTIONAL }
ESSSecurityLabel ::= SET {
security-policy-identifier SecurityPolicyIdentifier,
security-classification SecurityClassification OPTIONAL,
privacy-mark ESSPrivacyMark OPTIONAL,
security-categories SecurityCategories OPTIONAL }
SecurityPolicyIdentifier ::= OBJECT IDENTIFIER
SecurityPolicyIdentifier ::= OBJECT IDENTIFIER
SecurityClassification ::= INTEGER {
unmarked (0),
unclassified (1),
restricted (2),
confidential (3),
secret (4),
top-secret (5)
} (0..ub-integer-options)
SecurityClassification ::= INTEGER {
unmarked (0),
unclassified (1),
restricted (2),
confidential (3),
secret (4),
top-secret (5)
} (0..ub-integer-options)
ub-integer-options INTEGER ::= 256
ub-integer-options INTEGER ::= 256
ESSPrivacyMark ::= CHOICE {
pString PrintableString (SIZE (1..ub-privacy-mark-length)),
utf8String UTF8String (SIZE (1..MAX))
}
ESSPrivacyMark ::= CHOICE {
pString PrintableString (SIZE (1..ub-privacy-mark-length)),
utf8String UTF8String (SIZE (1..MAX))
}
ub-privacy-mark-length INTEGER ::= 128
ub-privacy-mark-length INTEGER ::= 128
SecurityCategories ::=
SET SIZE (1..ub-security-categories) OF SecurityCategory
{{SupportedSecurityCategories}}
SecurityCategories ::=
SET SIZE (1..ub-security-categories) OF SecurityCategory
{{SupportedSecurityCategories}}
ub-security-categories INTEGER ::= 64
ub-security-categories INTEGER ::= 64
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
-- Section 3.4
--第3.4节
aa-equivalentLabels ATTRIBUTE ::=
{ TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }
id-aa-equivalentLabels OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 9}
aa-equivalentLabels ATTRIBUTE ::=
{ TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }
id-aa-equivalentLabels OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 9}
EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel
EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel
-- Section 4.4
--第4.4节
aa-mlExpandHistory ATTRIBUTE ::=
{ TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }
id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 3 }
aa-mlExpandHistory ATTRIBUTE ::=
{ TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }
id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 3 }
MLExpansionHistory ::= SEQUENCE
SIZE (1..ub-ml-expansion-history) OF MLData
MLExpansionHistory ::= SEQUENCE
SIZE (1..ub-ml-expansion-history) OF MLData
ub-ml-expansion-history INTEGER ::= 64
ub-ml-expansion-history INTEGER ::= 64
MLData ::= SEQUENCE {
mailListIdentifier EntityIdentifier,
expansionTime GeneralizedTime,
mlReceiptPolicy MLReceiptPolicy OPTIONAL }
MLData ::= SEQUENCE {
mailListIdentifier EntityIdentifier,
expansionTime GeneralizedTime,
mlReceiptPolicy MLReceiptPolicy OPTIONAL }
EntityIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier SubjectKeyIdentifier }
EntityIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier SubjectKeyIdentifier }
MLReceiptPolicy ::= CHOICE {
none [0] NULL,
insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }
MLReceiptPolicy ::= CHOICE {
none [0] NULL,
insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }
-- Section 5.4
--第5.4节
aa-signingCertificate ATTRIBUTE ::=
{ TYPE SigningCertificate IDENTIFIED BY
id-aa-signingCertificate }
id-aa-signingCertificate OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 12 }
aa-signingCertificate ATTRIBUTE ::=
{ TYPE SigningCertificate IDENTIFIED BY
id-aa-signingCertificate }
id-aa-signingCertificate OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 12 }
SigningCertificate ::= SEQUENCE {
certs SEQUENCE OF ESSCertID,
policies SEQUENCE OF PolicyInformation OPTIONAL
}
SigningCertificate ::= SEQUENCE {
certs SEQUENCE OF ESSCertID,
policies SEQUENCE OF PolicyInformation OPTIONAL
}
aa-signingCertificateV2 ATTRIBUTE ::=
{ TYPE SigningCertificateV2 IDENTIFIED BY
id-aa-signingCertificateV2 }
id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 47 }
aa-signingCertificateV2 ATTRIBUTE ::=
{ TYPE SigningCertificateV2 IDENTIFIED BY
id-aa-signingCertificateV2 }
id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 47 }
SigningCertificateV2 ::= SEQUENCE {
certs SEQUENCE OF ESSCertIDv2,
policies SEQUENCE OF PolicyInformation OPTIONAL
}
SigningCertificateV2 ::= SEQUENCE {
certs SEQUENCE OF ESSCertIDv2,
policies SEQUENCE OF PolicyInformation OPTIONAL
}
HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
{mda-sha256, ...}}
HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
{mda-sha256, ...}}
ESSCertIDv2 ::= SEQUENCE {
hashAlgorithm HashAlgorithm
DEFAULT { algorithm mda-sha256.&id },
ESSCertIDv2 ::= SEQUENCE {
hashAlgorithm HashAlgorithm
DEFAULT { algorithm mda-sha256.&id },
certHash Hash,
issuerSerial IssuerSerial OPTIONAL
}
ESSCertID ::= SEQUENCE {
certHash Hash,
issuerSerial IssuerSerial OPTIONAL
}
certHash Hash,
issuerSerial IssuerSerial OPTIONAL
}
ESSCertID ::= SEQUENCE {
certHash Hash,
issuerSerial IssuerSerial OPTIONAL
}
Hash ::= OCTET STRING
Hash ::= OCTET STRING
IssuerSerial ::= SEQUENCE {
issuer GeneralNames,
serialNumber CertificateSerialNumber
}
IssuerSerial ::= SEQUENCE {
issuer GeneralNames,
serialNumber CertificateSerialNumber
}
END
终止
CMS-AuthEnvelopedData-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-authEnvelopedData-02(43)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
CMS-AuthEnvelopedData-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-authEnvelopedData-02(43)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
AuthAttributes, CMSVersion, EncryptedContentInfo,
MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
UnauthAttributes, CONTENT-TYPE
FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41)} ;
AuthAttributes, CMSVersion, EncryptedContentInfo,
MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
UnauthAttributes, CONTENT-TYPE
FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41)} ;
ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }
ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }
ct-authEnvelopedData CONTENT-TYPE ::= {
AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
}
ct-authEnvelopedData CONTENT-TYPE ::= {
AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
}
id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) 23}
id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) 23}
AuthEnvelopedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
authEncryptedContentInfo EncryptedContentInfo,
AuthEnvelopedData ::= SEQUENCE {
version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
authEncryptedContentInfo EncryptedContentInfo,
authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, mac MessageAuthenticationCode, unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL }
authAttrs[1]隐式AuthAttributes可选,mac MessageAuthenticationCode,unauthAttrs[2]隐式UnauthAttributes可选}
END
终止
CMS-AES-CCM-and-AES-GCM-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
CMS-AES-CCM-and-AES-GCM-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
CONTENT-ENCRYPTION, SMIME-CAPS
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)};
CONTENT-ENCRYPTION, SMIME-CAPS
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)};
-- Add this algorithm set to include all of the algorithms defined in
-- this document
-- Add this algorithm set to include all of the algorithms defined in
-- this document
ContentEncryptionAlgs CONTENT-ENCRYPTION ::= {
cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM |
cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... }
ContentEncryptionAlgs CONTENT-ENCRYPTION ::= {
cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM |
cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... }
SMimeCaps SMIME-CAPS ::= {
cea-aes128-CCM.&smimeCaps |
cea-aes192-CCM.&smimeCaps |
cea-aes256-CCM.&smimeCaps |
cea-aes128-GCM.&smimeCaps |
cea-aes192-GCM.&smimeCaps |
cea-aes256-GCM.&smimeCaps,
...
}
SMimeCaps SMIME-CAPS ::= {
cea-aes128-CCM.&smimeCaps |
cea-aes192-CCM.&smimeCaps |
cea-aes256-CCM.&smimeCaps |
cea-aes128-GCM.&smimeCaps |
cea-aes192-GCM.&smimeCaps |
cea-aes256-GCM.&smimeCaps,
...
}
-- Defining objects
--定义对象
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
organization(1) gov(101) csor(3) nistAlgorithms(4) 1 }
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
organization(1) gov(101) csor(3) nistAlgorithms(4) 1 }
cea-aes128-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-CCM
PARAMS TYPE CCMParameters ARE required
cea-aes128-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-CCM
PARAMS TYPE CCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes128-CCM }
}
id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }
SMIME-CAPS { IDENTIFIED BY id-aes128-CCM }
}
id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }
cea-aes192-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-CCM
PARAMS TYPE CCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes192-CCM }
}
id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }
cea-aes192-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-CCM
PARAMS TYPE CCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes192-CCM }
}
id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }
cea-aes256-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes256-CCM
PARAMS TYPE CCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes256-CCM }
}
id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }
cea-aes256-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes256-CCM
PARAMS TYPE CCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes256-CCM }
}
id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }
cea-aes128-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes128-GCM }
}
id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }
cea-aes128-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes128-GCM }
}
id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }
cea-aes192-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes192-GCM }
}
id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }
cea-aes192-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes192-GCM }
}
id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }
cea-aes256-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes256-GCM }
}
id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }
cea-aes256-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes256-GCM }
}
id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }
-- Parameters for AlgorithmIdentifier
--算法识别器的参数
CCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING (SIZE(7..13)),
aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }
CCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING (SIZE(7..13)),
aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }
AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)
AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)
GCMParameters ::= SEQUENCE {
GCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING, -- recommended size is 12 octets aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }
aes nonce八位字节字符串,--建议大小为12个八位字节aes ICVlen aes GCM ICVlen DEFAULT 12}
AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
END
终止
SMIMESymmetricKeyDistribution-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-symkeydist-02(36)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
SMIMESymmetricKeyDistribution-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-symkeydist-02(36)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP,
SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP,
SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
GeneralName
FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
GeneralName
FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
Certificate
FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
Certificate
FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
RecipientInfos, KEKIdentifier,CertificateSet
FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41) }
RecipientInfos, KEKIdentifier,CertificateSet
FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41) }
cap-3DESwrap
FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
cap-3DESwrap
FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
AttributeCertificate
FROM PKIXAttributeCertificate-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) }
AttributeCertificate
FROM PKIXAttributeCertificate-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) }
CMC-CONTROL, EXTENDED-FAILURE-INFO
FROM EnrollmentMessageSyntax
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) }
CMC-CONTROL, EXTENDED-FAILURE-INFO
FROM EnrollmentMessageSyntax
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) }
kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap
FROM CMSAesRsaesOaep-2009
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ;
kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap
FROM CMSAesRsaesOaep-2009
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ;
-- This defines the group list (GL symmetric key distribution OID arc
id-skd OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) skd(8) }
-- This defines the group list (GL symmetric key distribution OID arc
id-skd OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) skd(8) }
SKD-ControlSet CMC-CONTROL ::= {
skd-glUseKEK | skd-glDelete | skd-glAddMember |
skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
skd-glRemoveOwner | skd-glKeyCompromise |
skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
skd-glManageCert | skd-glKey, ... }
SKD-ControlSet CMC-CONTROL ::= {
skd-glUseKEK | skd-glDelete | skd-glAddMember |
skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
skd-glRemoveOwner | skd-glKeyCompromise |
skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
skd-glManageCert | skd-glKey, ... }
-- This defines the GL Use KEK control attribute
--这定义了GL Use KEK control属性
skd-glUseKEK CMC-CONTROL ::=
{ GLUseKEK IDENTIFIED BY id-skd-glUseKEK }
skd-glUseKEK CMC-CONTROL ::=
{ GLUseKEK IDENTIFIED BY id-skd-glUseKEK }
id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1}
id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1}
GLUseKEK ::= SEQUENCE {
glInfo GLInfo,
glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo,
glAdministration GLAdministration DEFAULT managed,
glKeyAttributes GLKeyAttributes OPTIONAL
}
GLUseKEK ::= SEQUENCE {
glInfo GLInfo,
glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo,
glAdministration GLAdministration DEFAULT managed,
glKeyAttributes GLKeyAttributes OPTIONAL
}
GLInfo ::= SEQUENCE {
glName GeneralName,
glAddress GeneralName
}
GLInfo ::= SEQUENCE {
glName GeneralName,
glAddress GeneralName
}
GLOwnerInfo ::= SEQUENCE {
glOwnerName GeneralName,
glOwnerAddress GeneralName,
certificates Certificates OPTIONAL
}
GLOwnerInfo ::= SEQUENCE {
glOwnerName GeneralName,
glOwnerAddress GeneralName,
certificates Certificates OPTIONAL
}
GLAdministration ::= INTEGER {
GLAdministration ::= INTEGER {
unmanaged (0), managed (1), closed (2) }
非托管(0)、托管(1)、关闭(2)}
-- -- The advertised set of algorithm capabilities for the document --
----文档的公布算法功能集--
SKD-Caps SMIME-CAPS ::= {
cap-3DESwrap | kwa-aes128-wrap.&smimeCaps |
kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ...
}
SKD-Caps SMIME-CAPS ::= {
cap-3DESwrap | kwa-aes128-wrap.&smimeCaps |
kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ...
}
cap-aes128-cbc KeyWrapAlgorithm ::=
{ capabilityID kwa-aes128-wrap.&smimeCaps.&id }
cap-aes128-cbc KeyWrapAlgorithm ::=
{ capabilityID kwa-aes128-wrap.&smimeCaps.&id }
-- -- The set of key wrap algorithms supported by this specification --
----本规范支持的密钥封装算法集--
KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}}
KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}}
GLKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
duration [2] INTEGER DEFAULT 0,
generationCounter [3] INTEGER DEFAULT 2,
requestedAlgorithm [4] KeyWrapAlgorithm
DEFAULT cap-aes128-cbc
}
GLKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
duration [2] INTEGER DEFAULT 0,
generationCounter [3] INTEGER DEFAULT 2,
requestedAlgorithm [4] KeyWrapAlgorithm
DEFAULT cap-aes128-cbc
}
-- This defines the Delete GL control attribute.
-- It has the simple type GeneralName.
-- This defines the Delete GL control attribute.
-- It has the simple type GeneralName.
skd-glDelete CMC-CONTROL ::=
{ DeleteGL IDENTIFIED BY id-skd-glDelete }
skd-glDelete CMC-CONTROL ::=
{ DeleteGL IDENTIFIED BY id-skd-glDelete }
id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2}
DeleteGL ::= GeneralName
id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2}
DeleteGL ::= GeneralName
-- This defines the Add GL Member control attribute
--这定义了“添加总账成员控件”属性
skd-glAddMember CMC-CONTROL ::=
{ GLAddMember IDENTIFIED BY id-skd-glAddMember }
skd-glAddMember CMC-CONTROL ::=
{ GLAddMember IDENTIFIED BY id-skd-glAddMember }
id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3}
GLAddMember ::= SEQUENCE {
id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3}
GLAddMember ::= SEQUENCE {
glName GeneralName, glMember GLMember }
glName GeneralName,glMember glMember}
GLMember ::= SEQUENCE {
glMemberName GeneralName,
glMemberAddress GeneralName OPTIONAL,
certificates Certificates OPTIONAL
}
GLMember ::= SEQUENCE {
glMemberName GeneralName,
glMemberAddress GeneralName OPTIONAL,
certificates Certificates OPTIONAL
}
Certificates ::= SEQUENCE {
pKC [0] Certificate OPTIONAL,
-- See RFC 5280
aC [1] SEQUENCE SIZE (1.. MAX) OF
AttributeCertificate OPTIONAL,
-- See RFC 3281
certPath [2] CertificateSet OPTIONAL
-- From RFC 3852
}
Certificates ::= SEQUENCE {
pKC [0] Certificate OPTIONAL,
-- See RFC 5280
aC [1] SEQUENCE SIZE (1.. MAX) OF
AttributeCertificate OPTIONAL,
-- See RFC 3281
certPath [2] CertificateSet OPTIONAL
-- From RFC 3852
}
-- This defines the Delete GL Member control attribute
--这定义了“删除总账成员”控件属性
skd-glDeleteMember CMC-CONTROL ::=
{ GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember }
skd-glDeleteMember CMC-CONTROL ::=
{ GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember }
id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4}
id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4}
GLDeleteMember ::= SEQUENCE {
glName GeneralName,
glMemberToDelete GeneralName
}
GLDeleteMember ::= SEQUENCE {
glName GeneralName,
glMemberToDelete GeneralName
}
-- This defines the Delete GL Member control attribute
--这定义了“删除总账成员”控件属性
skd-glRekey CMC-CONTROL ::=
{ GLRekey IDENTIFIED BY id-skd-glRekey }
skd-glRekey CMC-CONTROL ::=
{ GLRekey IDENTIFIED BY id-skd-glRekey }
id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5}
id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5}
GLRekey ::= SEQUENCE {
glName GeneralName,
glAdministration GLAdministration OPTIONAL,
glNewKeyAttributes GLNewKeyAttributes OPTIONAL,
glRekeyAllGLKeys BOOLEAN OPTIONAL
}
GLRekey ::= SEQUENCE {
glName GeneralName,
glAdministration GLAdministration OPTIONAL,
glNewKeyAttributes GLNewKeyAttributes OPTIONAL,
glRekeyAllGLKeys BOOLEAN OPTIONAL
}
GLNewKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN OPTIONAL,
GLNewKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN OPTIONAL,
recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL, duration [2] INTEGER OPTIONAL, generationCounter [3] INTEGER OPTIONAL, requestedAlgorithm [4] KeyWrapAlgorithm OPTIONAL }
recipientsNotMutuallyAware[1]布尔可选,持续时间[2]整数可选,生成计数器[3]整数可选,requestedAlgorithm[4]KeyWrapAlgorithm可选}
-- This defines the Add and Delete GL Owner control attributes
--这定义了添加和删除总账所有者控制属性
skd-glAddOwner CMC-CONTROL ::=
{ GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner }
id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6}
skd-glAddOwner CMC-CONTROL ::=
{ GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner }
id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6}
skd-glRemoveOwner CMC-CONTROL ::=
{ GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner }
skd-glRemoveOwner CMC-CONTROL ::=
{ GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner }
id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7}
id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7}
GLOwnerAdministration ::= SEQUENCE {
glName GeneralName,
glOwnerInfo GLOwnerInfo
}
GLOwnerAdministration ::= SEQUENCE {
glName GeneralName,
glOwnerInfo GLOwnerInfo
}
-- This defines the GL Key Compromise control attribute.
-- It has the simple type GeneralName.
-- This defines the GL Key Compromise control attribute.
-- It has the simple type GeneralName.
skd-glKeyCompromise CMC-CONTROL ::=
{ GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise }
skd-glKeyCompromise CMC-CONTROL ::=
{ GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise }
id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8}
GLKCompromise ::= GeneralName
id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8}
GLKCompromise ::= GeneralName
-- This defines the GL Key Refresh control attribute.
--这定义了GL键刷新控制属性。
skd-glkRefresh CMC-CONTROL ::=
{ GLKRefresh IDENTIFIED BY id-skd-glkRefresh }
skd-glkRefresh CMC-CONTROL ::=
{ GLKRefresh IDENTIFIED BY id-skd-glkRefresh }
id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9}
id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9}
GLKRefresh ::= SEQUENCE {
glName GeneralName,
dates SEQUENCE SIZE (1..MAX) OF Date
}
GLKRefresh ::= SEQUENCE {
glName GeneralName,
dates SEQUENCE SIZE (1..MAX) OF Date
}
Date ::= SEQUENCE {
start GeneralizedTime,
end GeneralizedTime OPTIONAL
}
Date ::= SEQUENCE {
start GeneralizedTime,
end GeneralizedTime OPTIONAL
}
-- This defines the GLA Query Request control attribute.
--这定义了GLA查询请求控制属性。
skd-glaQueryRequest CMC-CONTROL ::=
{ GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest }
skd-glaQueryRequest CMC-CONTROL ::=
{ GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest }
id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11}
id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11}
SKD-QUERY ::= TYPE-IDENTIFIER
SKD-QUERY ::= TYPE-IDENTIFIER
SkdQuerySet SKD-QUERY ::= {skd-AlgRequest, ...}
GLAQueryRequest ::= SEQUENCE {
glaRequestType SKD-QUERY.&id ({SkdQuerySet}),
glaRequestValue SKD-QUERY.
&Type ({SkdQuerySet}{@glaRequestType})
}
SkdQuerySet SKD-QUERY ::= {skd-AlgRequest, ...}
GLAQueryRequest ::= SEQUENCE {
glaRequestType SKD-QUERY.&id ({SkdQuerySet}),
glaRequestValue SKD-QUERY.
&Type ({SkdQuerySet}{@glaRequestType})
}
-- This defines the GLA Query Response control attribute.
--这定义了GLA查询响应控制属性。
skd-glaQueryResponse CMC-CONTROL ::=
{ GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse }
skd-glaQueryResponse CMC-CONTROL ::=
{ GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse }
id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12}
id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12}
SKD-RESPONSE ::= TYPE-IDENTIFIER
SKD-RESPONSE ::= TYPE-IDENTIFIER
SkdResponseSet SKD-RESPONSE ::= {skd-AlgResponse, ...}
SkdResponseSet SKD-RESPONSE ::= {skd-AlgResponse, ...}
GLAQueryResponse ::= SEQUENCE {
glaResponseType SKD-RESPONSE.
&id({SkdResponseSet}),
glaResponseValue SKD-RESPONSE.
&Type({SkdResponseSet}{@glaResponseType})}
GLAQueryResponse ::= SEQUENCE {
glaResponseType SKD-RESPONSE.
&id({SkdResponseSet}),
glaResponseValue SKD-RESPONSE.
&Type({SkdResponseSet}{@glaResponseType})}
-- This defines the GLA Request/Response (glaRR) arc for
-- glaRequestType/glaResponseType.
-- This defines the GLA Request/Response (glaRR) arc for
-- glaRequestType/glaResponseType.
id-cmc-glaRR OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cmc(7) glaRR(99) }
id-cmc-glaRR OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cmc(7) glaRR(99) }
-- This defines the Algorithm Request
--这定义了算法请求
skd-AlgRequest SKD-QUERY ::= {
SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest
}
skd-AlgRequest SKD-QUERY ::= {
SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest
}
id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }
SKDAlgRequest ::= NULL
id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }
SKDAlgRequest ::= NULL
-- This defines the Algorithm Response
--这定义了算法响应
skd-AlgResponse SKD-RESPONSE ::= {
SMIMECapability{{SKD-Caps}} IDENTIFIED BY
id-cmc-gla-skdAlgResponse
}
skd-AlgResponse SKD-RESPONSE ::= {
SMIMECapability{{SKD-Caps}} IDENTIFIED BY
id-cmc-gla-skdAlgResponse
}
id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }
-- Note that the response for algorithmSupported request is the
-- smimeCapabilities attribute as defined in RFC 3851.
id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }
-- Note that the response for algorithmSupported request is the
-- smimeCapabilities attribute as defined in RFC 3851.
-- This defines the control attribute to request an updated
-- certificate to the GLA.
-- This defines the control attribute to request an updated
-- certificate to the GLA.
skd-glProvideCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glProvideCert }
skd-glProvideCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glProvideCert }
id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}
id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}
GLManageCert ::= SEQUENCE {
glName GeneralName,
glMember GLMember
}
GLManageCert ::= SEQUENCE {
glName GeneralName,
glMember GLMember
}
-- This defines the control attribute to return an updated
-- certificate to the GLA. It has the type GLManageCert.
-- This defines the control attribute to return an updated
-- certificate to the GLA. It has the type GLManageCert.
skd-glManageCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glManageCert }
skd-glManageCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glManageCert }
id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}
id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}
-- This defines the control attribute to distribute the GL shared
-- KEK.
-- This defines the control attribute to distribute the GL shared
-- KEK.
skd-glKey CMC-CONTROL ::=
{ GLKey IDENTIFIED BY id-skd-glKey }
skd-glKey CMC-CONTROL ::=
{ GLKey IDENTIFIED BY id-skd-glKey }
id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}
id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}
GLKey ::= SEQUENCE {
glName GeneralName,
glIdentifier KEKIdentifier, -- See RFC 3852
glkWrapped RecipientInfos, -- See RFC 3852
glkAlgorithm KeyWrapAlgorithm,
glkNotBefore GeneralizedTime,
glkNotAfter GeneralizedTime
}
GLKey ::= SEQUENCE {
glName GeneralName,
glIdentifier KEKIdentifier, -- See RFC 3852
glkWrapped RecipientInfos, -- See RFC 3852
glkAlgorithm KeyWrapAlgorithm,
glkNotBefore GeneralizedTime,
glkNotAfter GeneralizedTime
}
-- This defines the CMC error types
--这定义了CMC错误类型
skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= {
SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo
}
skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= {
SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo
}
id-cet-skdFailInfo OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }
id-cet-skdFailInfo OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }
SKDFailInfo ::= INTEGER {
unspecified (0),
closedGL (1),
unsupportedDuration (2),
noGLACertificate (3),
invalidCert (4),
unsupportedAlgorithm (5),
noGLONameMatch (6),
invalidGLName (7),
nameAlreadyInUse (8),
noSpam (9),
deniedAccess (10),
alreadyAMember (11),
notAMember (12),
alreadyAnOwner (13),
notAnOwner (14) }
SKDFailInfo ::= INTEGER {
unspecified (0),
closedGL (1),
unsupportedDuration (2),
noGLACertificate (3),
invalidCert (4),
unsupportedAlgorithm (5),
noGLONameMatch (6),
invalidGLName (7),
nameAlreadyInUse (8),
noSpam (9),
deniedAccess (10),
alreadyAMember (11),
notAMember (12),
alreadyAnOwner (13),
notAnOwner (14) }
END
终止
Even though all the RFCs in this document are security-related, the document itself does not have any security considerations. The ASN.1 modules keep the same bits-on-the-wire as the modules that they replace.
即使本文档中的所有RFC都与安全相关,文档本身也没有任何安全考虑。ASN.1模块在导线上保留与其替换的模块相同的位。
[ASN1-2002] ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and X.683", ITU-T X.680, X.681, X.682, and X.683, 2002.
[ASN1-2002]ITU-T,“ITU-T建议X.680、X.681、X.682和X.683”,ITU-T X.680、X.681、X.682和X.683,2002年。
[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms", RFC 3370, August 2002.
[RFC3370]Housley,R.,“加密消息语法(CMS)算法”,RFC3370,2002年8月。
[RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)", RFC 3565, July 2003.
[RFC3565]Schaad,J.,“在加密消息语法(CMS)中使用高级加密标准(AES)加密算法”,RFC 3565,2003年7月。
[RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, July 2004.
[RFC3851]Ramsdell,B.,“安全/多用途Internet邮件扩展(S/MIME)版本3.1消息规范”,RFC 38512004年7月。
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004.
[RFC3852]Housley,R.,“加密消息语法(CMS)”,RFC3852,2004年7月。
[RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to Protect Firmware Packages", RFC 4108, August 2005.
[RFC4108]Housley,R.“使用加密消息语法(CMS)保护固件包”,RFC 4108,2005年8月。
[RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, "Evidence Record Syntax (ERS)", RFC 4998, August 2007.
[RFC4998]Gondrom,T.,Brandner,R.,和U.Pordesch,“证据记录语法(ERS)”,RFC 49982007年8月。
[RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility", RFC 5035, August 2007.
[RFC5035]Schaad,J.,“增强安全服务(ESS)更新:添加CertID算法敏捷性”,RFC 5035,2007年8月。
[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type", RFC 5083, November 2007.
[RFC5083]Housley,R.,“加密消息语法(CMS)认证的信封数据内容类型”,RFC 5083,2007年11月。
[RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)", RFC 5084, November 2007.
[RFC5084]Housley,R.,“在加密消息语法(CMS)中使用AES-CCM和AES-GCM认证加密”,RFC 5084,2007年11月。
[RFC5275] Turner, S., "CMS Symmetric Key Management and Distribution", RFC 5275, June 2008.
[RFC5275]Turner,S.,“CMS对称密钥管理和分发”,RFC 52752008年6月。
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 5652, September 2009.
[RFC5652]Housley,R.,“加密消息语法(CMS)”,RFC 56522009年9月。
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the Public Key Infrastructure using X.509 (PKIX)", RFC 5912, June 2010.
[RFC5912]Hoffman,P.和J.Schaad,“使用X.509(PKIX)的公钥基础设施的新ASN.1模块”,RFC 5912,2010年6月。
Authors' Addresses
作者地址
Paul Hoffman VPN Consortium 127 Segre Place Santa Cruz, CA 95060 US
美国加利福尼亚州圣克鲁斯塞格雷广场127号保罗·霍夫曼私人有限公司,邮编95060
Phone: 1-831-426-9827 EMail: paul.hoffman@vpnc.org
电话:1-831-426-9827电子邮件:保罗。hoffman@vpnc.org
Jim Schaad Soaring Hawk Consulting
吉姆·沙德·霍克咨询公司
EMail: jimsch@exmsft.com
EMail: jimsch@exmsft.com