Internet Engineering Task Force (IETF)
Request for Comments: 6402
Updates: 5272, 5273, 5274
Category: Standards Track
ISSN: 2070-1721
Author: J. Schaad, Soaring Hawk Consulting
Date: November 2011
Certificate Management over CMS (CMC) Updates
Abstract
This document contains a set of updates to the base syntax for CMC, a Certificate Management protocol using the Cryptographic Message Syntax (CMS). This document updates RFC 5272, RFC 5273, and RFC 5274.
The new items in this document are: new controls for future work in doing server side key generation, definition of a Subject Information Access value to identify CMC servers, and the registration of a port number for TCP/IP for the CMC service to run on.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6402.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
   1.1. Requirements Terminology
   1.2. Abbreviations
2. Updates to RFC 5272 - "Certificate Management over CMS (CMC)"
   2.1. New Section 1.3 - "Updates Made by RFC 6402"
   2.2. Update Section 6 - "Controls"
   2.3. Replace Section 6.3 - "Linking Identity and POP Information"
   2.4. Replace Section 6.3.3 - "Renewal and Rekey Messages"
   2.5. New Section 6.20 - "RA Identity Proof Witness Control"
   2.6. New Section 6.21 - "Response Body Control"
   2.7. New Section 7 - "Other Attributes"
   2.8. New Section 7.1 - "Change Subject Name Attribute"
   2.9. New Section 9 - "Certificate Requirements"
   2.10. New Section 9.1 - "Extended Key Usage"
   2.11. New Section 9.2 - "Subject Information Access"
   2.12. Update Section 8 - "Security Considerations"
3. Updates to RFC 5273 - "Certificate Management over CMS (CMC): Transport Protocols"
   3.1. Update Section 5 - "TCP-Based Protocol"
   3.2. New Section 6 - "IANA Considerations"
4. Updates to RFC 5274 - "Certificate Management Message over CMS (CMC): Compliance Requirements"
   4.1. Update to Section 4.2 - "Controls"
5. IANA Considerations
6. Security Considerations
7. References
   7.1. Normative References
   7.2. Informative References
Appendix A. ASN.1 Modules
   A.1. 1988 ASN.1 Module
   A.2. 2008 ASN.1 Module
While dealing with the Suite B profile of CMC [RFC6403], a number of deficiencies were noted in the current base CMC specification. This document has a set of updates to [RFC5272], [RFC5273], and [RFC5274] to deal with those issues.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The following abbreviations are used in this document. Terms are used as defined in Section 2.1 of RFC 5272.
CA - Certification Authority
CRL - Certificate Revocation List
CRMF - Certificate Request Message Format
EE - End-Entity
MAC - Message Authentication Code
PKI - Public Key Infrastructure
RA - Registration Authority
Insert this section before the current Section 1.3.
The following updates were made by RFC 6402.
o Add new controls:
RA Identity Witness allows for an RA to perform identity checking using the identity and shared-secret, and then tell any following servers that the identity check was successfully performed.
Response Body allows for an RA to identify a nested response for an EE to process.
o Create a new attribute, Change Subject Name, that allows a client to request a change in the subject name and subject alternate name fields in a certificate.
o Add Extended Key Usages for CMC to distinguish server types.
o Define a new Subject Information Access type to hold locations to contact the CMC server.
o Clarify that the use of a pre-existing certificate is not limited to just renewal and rekey messages and is required for support. This formalizes a requirement for the ability to do renewal and rekey that previously was implicit.
Update Table 1 by adding the following rows:
+--------------------------+-----------+-----------------+---------+
| Identifier Description   | OID       | ASN.1 Structure | Section |
+--------------------------+-----------+-----------------+---------+
| id-cmc-raIdentityWitness | id-cmc 35 | BodyPartPath    | 6.20    |
|                          |           |                 |         |
| id-cmc-responseBody      | id-cmc 37 | BodyPartPath    | 6.21    |
+--------------------------+-----------+-----------------+---------+
Addition to Table 1: CMC Control Attributes
Replace the text of the section with the following text.
In a CMC Full PKI Request, identity proof information about the client is carried in the certificate associated with the signature of the SignedData containing the certification requests, one of the two identity proof controls or the MAC computed for the AuthenticatedData containing the certification requests. Proof-of-possession (POP) information for key pairs, however, is carried separately for each PKCS #10 or CRMF certification request. (For keys capable of generating a digital signature, the POP is provided by the signature on the PKCS #10 or CRMF request. For encryption-only keys, the controls described in Section 6.7 are used.) In order to prevent substitution-style attacks, the protocol must guarantee that the same entity supplied both the POP and proof-of-identity information.
We describe three mechanisms for linking identity and POP information: witness values cryptographically derived from a shared-secret (Section 6.3.1), shared-secret/subject name matching (Section 6.3.2), and subject name matching to an existing certificate (Section 6.3.3). Clients and servers MUST support the witness value and the certificate linking techniques. Clients and servers MAY support shared-secret/name matching or MAY support other bilateral techniques of similar strength. The idea behind the first two mechanisms is to force the client to sign some data into each certification request that can be directly associated with the shared-secret; this will defeat attempts to include certification requests from different entities in a single Full PKI Request.
Make the new section title "Existing Certificate Linking". Replace all text in this section with this text.
Linking between the POP and an identity is easy when an existing certificate is used. The client copies all of the naming information from the existing certificate (subject name and subject alternative name) into the new certification request. The POP on the new public key is then performed by using the new key to sign the identity information (linking the POP to a specific identity). The identity information is then tied to the POP information by signing the entire enrollment request with the private key of the existing certificate.
Existing certificate linking can be used in the following circumstances:
When replacing a certificate by doing a renewal or rekey certification request.
Using an existing certificate to get a new certificate. An example of this would be to get a key establishment certificate after having gotten a signature certificate.
Using a third-party certificate to get a new certificate from a CA. An example of this would be using a certificate and key pair distributed with a device to prove an identity. This requires that the CA have an out-of-band channel to map the identity in the device certificate to the new EE identity.
Insert this section.
The RA Identity Proof Witness control allows an RA to indicate to subsequent control processors that all of the identity proof requirements have been met. This permits the identity proof to be performed at a location closer to the end-entity. For example, the identity proof could be done at multiple physical locations, while the CA could operate on a company-wide basis. The RA performs the identity proof, and potentially other tasks that require the secret to be used, while the CA is prevented from knowing the secret. If the identity proof fails, then the RA returns an error to the client denoting that fact.
The relevant ASN.1 for the RA Identity Proof Witness control is as follows:
   cmc-raIdentityWitness CMC-CONTROL ::=
      { BodyPartPath IDENTIFIED BY id-cmc-raIdentityWitness }

   id-cmc-raIdentityWitness OBJECT IDENTIFIER ::= {id-cmc 35}
The above ASN.1 defines the following items:
cmc-raIdentityWitness is a CMC-CONTROL associating the object identifier id-cmc-raIdentityWitness and the type BodyPartPath. This object is omitted from the 1988 module. The object is added to the object set Cmc-Control-Set. The control is permitted to appear only in the control sequence of a PKIData object. It MUST NOT appear in the control sequence of a PKIResponse. The control is permitted to be used only by an RA. The control may appear multiple times in a control sequence with each occurrence pointing to a different object.
id-cmc-raIdentityWitness is the object identifier used to identify this CMC control.
BodyPartPath is the type structure associated with the control. The syntax of BodyPartPath is defined in Section 3.2.2. The path contains a sequence of body part identifiers leading to one of the following items:
Identity Proof control if the RA verified the identity proof in this control.
Identity Proof Version 2 control if the RA verified the identity proof in this control.
Full PKI Request if the RA performed an out-of-band identity proof for this request. The request SHOULD NOT contain either Identity Proof control.
Simple PKI Request if the RA performed an out-of-band identity proof for this request.
The RA Identity Proof Witness control will frequently be associated with a Modify Certification Request control, which changes the name fields in the associated certification requests. This is because the RA knows the actual name to be assigned to the entity requesting the certificate, and the end-entity does not yet have the details of the name. (The association would be set up by the operator at the time the shared-secret was generated by the RA.)
When this control is placed in a message, it is RECOMMENDED that the Control Processed control be placed in the body sequence as well. Using the explicit new control, rather than implicitly relying on the Control Processed control is important due to the need to know explicitly which identity proofs have been performed. The new control also allows an RA to state that out-of-band identity proofs have been performed.
When the identity proof is performed by an RA, the RA also MUST validate the linking between the identity proof and the name information wrapped inside of the key proof-of-possession.
Insert this section.
The Response Body Control is designed to enable an RA to inform an EE that there is an embedded response message that MUST be processed as part of the processing of this message. This control is designed to be used in a couple of different cases where an RA has done some additional processing for the certification request, e.g., as key generation. When an RA performs key generation on behalf of an EE, the RA MUST respond with both the original response message from the certificate issuer (containing the certificate issuance) as part of the response generated by the RA (containing the new key). Another case where this is useful is when the secret is shared between the RA and the EE (rather than between the CA and the EE) and the RA returns the Publish Trust Anchors control (to populate the correct trust points).
The relevant ASN.1 for the Response Body Control is as follows:
   cmc-responseBody CMC-CONTROL ::=
      { BodyPartPath IDENTIFIED BY id-cmc-responseBody }

   id-cmc-responseBody OBJECT IDENTIFIER ::= {id-cmc 37}
The above ASN.1 defines the following items:
cmc-responseBody is a CMC-CONTROL associating the object identifier id-cmc-responseBody with the type BodyPartPath. This object is omitted from the 1988 module. The object is added to the object set Cmc-Control-Set. The control is permitted to appear only in the control sequence of a PKIResponse. The control MUST NOT appear in the control sequence of a PKIData. It is expected that only an intermediary RA will use this control; a CA generally does not need the control as it is creating the original innermost message.
id-cmc-responseBody is the object identifier used to identify this CMC control.
BodyPartPath is the type structure associated with the control. The syntax of BodyPartPath is defined in Section 3.2.2. The path contains a sequence of body part identifiers leading to a cmsSequence item which contains a PKIResponse within it.
Insert this section before the current Section 7.
There are a number of different locations where various types of attributes can be placed in either a CMC request or a CMC response message. These places include the attribute sequence of a PKCS #10 request, controls in CRMF (Section 6 of [RFC4211]), and the various CMS attribute sequences.
Insert this section.
The Client Name Change Request attribute is designed for a client to ask for a change in its name as part of a certification request. Because of security issues, this cannot be done in the simple way of just changing the requested subject name in the certificate template. The name in the certification request MUST match the name in the certificate used to verify the request, in order that identity and possession proofs are correctly applied.
The relevant ASN.1 for the Client Name Change Request attribute is as follows:
   at-cmc-changeSubjectName ATTRIBUTE ::=
      { ChangeSubjectName IDENTIFIED BY id-cmc-changeSubjectName }

   id-cmc-changeSubjectName OBJECT IDENTIFIER ::= {id-cmc 36}

   ChangeSubjectName ::= SEQUENCE {
       subject             Name OPTIONAL,
       subjectAlt          SubjectAltName OPTIONAL
   }
   (WITH COMPONENTS {..., subject PRESENT} |
         COMPONENTS {..., subjectAlt PRESENT} )
The attribute is designed to be used as an ATTRIBUTE object. As such, the attribute is placed in one of the following two places:
The attributes field in a CertificationRequest.
The controls field of a CertRequest for a CRMF certification request.
The control is identified by the Object Identifier id-cmc-changeSubjectName.
The ASN.1 type associated with control is ChangeSubjectName. The fields of the structure are configured as follows:
subject contains the requested subject name for the new certificate.
subjectAlt contains the requested subject alternative name for the new certificate.
At least one of the fields in the sequence MUST be present when encoding the structure.
When the CA processes this attribute in a certification request, it will do the following:
1. If present, the subject field is copied to the name field of the template. If the subject field is absent, the name field of the template will be set to an empty sequence.
2. If present, the subjectAlt field is used as the content of a SubjectAltName extension in the certificate. If the subjectAlt field is absent, the subjectAltName extension is removed from the certificate template.
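The two processing steps above, together with the rule that the name in the request MUST match the name in the certificate used to verify it, can be sketched as follows. This is an added example, not code from the RFC: the dict layout for the template and signing certificate, the function and class names, and the simplified case-insensitive name comparison are all assumptions made for illustration.

```python
import copy


class ChangeSubjectNameError(ValueError):
    """Raised when a ChangeSubjectName attribute cannot be honoured."""


def _norm_name(name):
    # Simplified comparison (assumption): case-fold and collapse whitespace.
    # A production CA would apply the full RFC 5280 name-matching rules.
    return tuple((t.lower(), " ".join(v.split()).lower()) for t, v in name)


def _norm_alt(alt):
    return frozenset((form, value.lower()) for form, value in (alt or ()))


def apply_change_subject_name(template, signer_cert, change):
    """Return the certificate template a CA would issue from.

    template    -- names as they appear in the signed request (hypothetical layout)
    signer_cert -- existing certificate that verified the request signature
    change      -- decoded ChangeSubjectName: optional 'subject' / 'subjectAlt'
    """
    # At least one of the two fields MUST be present.
    if "subject" not in change and "subjectAlt" not in change:
        raise ChangeSubjectNameError("neither subject nor subjectAlt present")

    # Identity and POP are bound to the *existing* names, so the request must
    # still carry the naming information copied from the signing certificate.
    if _norm_name(template["subject"]) != _norm_name(signer_cert["subject"]):
        raise ChangeSubjectNameError("request subject differs from signer subject")
    if _norm_alt(template["extensions"].get("subjectAltName")) != _norm_alt(
        signer_cert.get("subjectAltName")
    ):
        raise ChangeSubjectNameError("request SAN differs from signer SAN")

    issued = copy.deepcopy(template)
    # Step 1: copy subject, or set the name to an empty sequence if absent.
    issued["subject"] = tuple(change["subject"]) if "subject" in change else ()
    # Step 2: replace the SAN extension, or remove it if subjectAlt is absent.
    if "subjectAlt" in change:
        issued["extensions"]["subjectAltName"] = list(change["subjectAlt"])
    else:
        issued["extensions"].pop("subjectAltName", None)
    return issued


# Constructed sample data (not from the RFC).
SIGNER = {
    "subject": (("CN", "device-0001"), ("O", "Example Test Org")),
    "subjectAltName": [("dNSName", "device-0001.example.test")],
}
TEMPLATE = {
    "subject": (("CN", "device-0001"), ("O", "Example Test Org")),
    "extensions": {
        "subjectAltName": [("dNSName", "device-0001.example.test")],
        "keyUsage": ["digitalSignature"],
    },
}
```

Note the asymmetry the steps imply: an attribute that carries only subjectAlt yields a certificate with an empty subject name, and one that carries only subject drops the SubjectAltName extension entirely.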
Insert this section before the current Section 8.
Certificates for servers used in the CMC protocol SHOULD conform to the profile defined in [RFC5280]. This document defines some additional items that MAY appear in CMC server certificates. Section 9.1 defines some additional values for the Extended Key Usage extension. Section 9.2 defines a new Subject Information Access value that allows for a CMC certificate to publish information on how to contact the services it provides.
Insert this section.
The Extended Key Usage (EKU) extension is used to restrict the use of a certificate to specific applications. We define three different EKUs in this document. The ASN.1 to define these EKUs is:
   id-kp-cmcCA      OBJECT IDENTIFIER ::= { id-kp 27 }
   id-kp-cmcRA      OBJECT IDENTIFIER ::= { id-kp 28 }
   id-kp-cmcArchive OBJECT IDENTIFIER ::= { id-kp 29 }
The usage description for each of the EKUs is as follows:
CMC Certification Authorities are identified by the id-kp-cmcCA extended key usage. The certificate may be the same as or different than the CA certificate. If a different certificate is used, the certificates containing the id-kp-cmcCA extended key usage SHOULD have the same name as the certificate used for issuing the certificates. (Using a separate key pair for CMC protocol operations and for issuing certificates and CRLs decreases the number of operations for which the private key used to sign certificates and CRLs would be used.)
CMC Registration Authorities are identified by the id-kp-cmcRA extended key usage. This usage is placed into RA certificates.
CMC Archive Servers are identified by the id-kp-cmcArchive extended key usage. CMC Archive Servers and the associated protocol are to be defined in a future document.
Insert this section.
The subject information access extension indicates how to access information and services for the subject of the certificate. We define a new value for use in this extension, to identify the different locations that CMC services will be available. If this value is placed in a certificate, an appropriate extended key usage defined in Section 9.1 MUST be included in the certificate as well.
The id-ad-cmc OID is used when the subject offers certification services using the CMC protocol. If the CMC services are available via HTTP or FTP, accessLocation MUST be a uniformResourceIdentifier. If the CMC services are available via electronic mail, accessLocation MUST be an rfc822Name. If CMC services are available using TCP/IP, the dNSName or iPAddress name forms MUST be used. Since the GeneralName data structure does not permit the inclusion of a port number, in the absence of other external configuration information, the value of 5318 should be used. (The port registration is in Section 3.2.) The semantics of other name forms of accessLocation (when accessMethod is id-ad-cmc) are not defined by this specification.
The ASN.1 type for this extension is GeneralName (see Section 4.2.1.8 of [RFC5280]).
id-ad-cmc OBJECT IDENTIFIER ::= { id-ad 12 }
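A relying party can enforce the Subject Information Access rules above when it reads a CMC server certificate. The following is an added example, not code from the RFC: it assumes the certificate has already been decoded by an X.509 library into a simple dict (a hypothetical layout), expands the OIDs under id-pkix (1.3.6.1.5.5.7), and treats https as HTTP.

```python
import ipaddress
from urllib.parse import urlsplit

ID_AD_CMC = "1.3.6.1.5.5.7.48.12"          # { id-ad 12 }
CMC_EKUS = {
    "1.3.6.1.5.5.7.3.27": "id-kp-cmcCA",       # { id-kp 27 }
    "1.3.6.1.5.5.7.3.28": "id-kp-cmcRA",       # { id-kp 28 }
    "1.3.6.1.5.5.7.3.29": "id-kp-cmcArchive",  # { id-kp 29 }
}
CMC_TCP_PORT = 5318                         # registered "pkix-cmc" port


class CmcCertificateError(ValueError):
    """The certificate violates a MUST from the SIA / EKU text."""


def cmc_endpoints(cert, tcp_port=None):
    """Return the CMC roles and contact points a certificate advertises.

    cert     -- {'eku': [oid, ...], 'sia': [(accessMethod, nameForm, value), ...]}
                (hypothetical decoded form)
    tcp_port -- externally configured port; GeneralName cannot carry one,
                so 5318 is used when nothing else is configured
    """
    entries = [(form, value) for method, form, value in cert.get("sia", ())
               if method == ID_AD_CMC]
    if not entries:
        return {"roles": [], "endpoints": []}

    # id-ad-cmc MUST be accompanied by one of the CMC extended key usages.
    roles = sorted(CMC_EKUS[oid] for oid in cert.get("eku", ()) if oid in CMC_EKUS)
    if not roles:
        raise CmcCertificateError("id-ad-cmc present without a CMC EKU")

    port = tcp_port or CMC_TCP_PORT
    endpoints = []
    for form, value in entries:
        if form == "uniformResourceIdentifier":
            scheme = urlsplit(value).scheme.lower()
            # HTTP and FTP are the URI transports named in the text;
            # https is accepted as HTTP (assumption). Others are ignored.
            if scheme in ("http", "https", "ftp"):
                endpoints.append((scheme, value, None))
        elif form == "rfc822Name":
            endpoints.append(("mail", value, None))
        elif form == "dNSName":
            endpoints.append(("tcp", value, port))
        elif form == "iPAddress":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError as exc:
                raise CmcCertificateError(f"bad iPAddress {value!r}") from exc
            endpoints.append(("tcp", str(addr), port))
        # Other name forms have no defined semantics for id-ad-cmc: skipped.
    return {"roles": roles, "endpoints": endpoints}


# Constructed sample certificate data (not from the RFC).
SAMPLE_RA_CERT = {
    "eku": ["1.3.6.1.5.5.7.3.28"],
    "sia": [
        (ID_AD_CMC, "dNSName", "ra.example.test"),
        (ID_AD_CMC, "uniformResourceIdentifier", "http://ra.example.test/cmc"),
        (ID_AD_CMC, "iPAddress", "192.0.2.10"),
        # id-ad-caRepository entry: not a CMC access method, so it is ignored.
        ("1.3.6.1.5.5.7.48.5", "uniformResourceIdentifier", "http://repo.example.test/"),
    ],
}
```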
Add the following paragraphs to the end of Section 8.
A number of controls such as the RA Identity Proof Witness control exist for an RA to either make assertions about or modify a certification request. Any upstream request processor, such as a CA, MUST verify that the RA is fully identified and authorized to make the assertion or modification it is claiming. If it is not identified or authorized, then any request MUST be rejected.
CMC servers, both RAs and CAs, need to perform due diligence in checking the contents of a certification request. At an absolute minimum, all fields should be checked to ensure that the policies of the CA/RA are correctly enforced. While all fields need to be checked, special care should be taken with names, name forms, algorithm choices, and algorithm parameters.
3. Updates to RFC 5273 - "Certificate Management over CMS (CMC): Transport Protocols"
Replace paragraph 3 in Section 5 with the following.
CMC requires a registered port number to send and receive CMC messages over TCP. The title of this IP Protocol number is "pkix-cmc". The value of this TCP port is 5318.
Prior to this update, CMC did not have a registered port number and used an externally configured port from the Private Port range. Client implementations MAY want to continue to allow for this to occur. Servers SHOULD change to use the new port. It is expected that HTTP will continue to be the primary transport method used by CMC installations.
Insert this new section before the current Section 6.
IANA has assigned a TCP port number in the Registered Port Number range for the use of CMC.
   Service name: pkix-cmc
   Port Number: 5318
   Transport protocol: TCP
   Description: PKIX Certificate Management using CMS (CMC)
   Reference: RFC 6402
   Assignee: iesg@ietf.org
   Contact: chair@ietf.org
4. Updates to RFC 5274 - "Certificate Management Message over CMS (CMC): Compliance Requirements"
Add the following lines to the end of Table 1.
The following table lists the name and level of support required for each control.
+---------------------------+-----+------+-----+
| Control                   | EE  | RA   | CA  |
+---------------------------+-----+------+-----+
| RA Identity Proof Witness | N/A | MUST | (2) |
|                           |     |      |     |
| Response Body             | (6) | (6)  | N/A |
+---------------------------+-----+------+-----+
Addition to Table 1: CMC Control Attributes
The following note should be added.
6. EEs SHOULD implement if designed to work with RAs and MUST implement if intended to be used in environments where RAs are used for identity validation or key generation. RAs SHOULD implement and validate responses for consistency.
This document contains a new IANA Considerations section to be added to [RFC5273] as part of this update.
No changes are made to the existing security considerations of RFC 5273 and RFC 5274. The security considerations for RFC 5272 have been slightly modified (Section 2.12).
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS (CMC)", RFC 5272, June 2008.
[RFC5273] Schaad, J. and M. Myers, "Certificate Management over CMS (CMC): Transport Protocols", RFC 5273, June 2008.
[RFC5274] Schaad, J. and M. Myers, "Certificate Management Messages over CMS (CMC): Compliance Requirements", RFC 5274, June 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, September 2009.
[RFC6403] Zieglar, L., Turner, S., and M. Peck, "Suite B Profile of Certificate Management over CMS", RFC 6403, November 2011.
[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)", RFC 4211, September 2005.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, June 2010.
This section contains the updated ASN.1 module for [RFC5272]. This module replaces the module in Appendix A of that document. Although a 2008 ASN.1 module is provided, this remains the normative module as per the policy of the PKIX working group.

EnrollmentMessageSyntax-2011-v88
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-enrollMsgSyntax-2011-88(76) }

DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORTS All --
-- The types and values defined in this module are exported for use
-- in the other ASN.1 modules. Other applications may use them for
-- their own purposes.

IMPORTS

    -- PKIX Part 1 - Implicit From [RFC5280]
    GeneralName, CRLReason, ReasonFlags, GeneralNames
    FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
        internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
        id-pkix1-implicit(19)}

    -- PKIX Part 1 - Explicit From [RFC5280]
    AlgorithmIdentifier, Extension, Name, CertificateSerialNumber,
    id-ad, id-kp
    FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
        internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
        id-pkix1-explicit(18)}

    -- Cryptographic Message Syntax FROM [CMS]
    ContentInfo, Attribute, IssuerAndSerialNumber
    FROM CryptographicMessageSyntax2004 { iso(1) member-body(2)
        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
        modules(0) cms-2004(24)}

    -- CRMF FROM [RFC4211]
    CertReqMsg, PKIPublicationInfo, CertTemplate
    FROM PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6)
        internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-crmf2005(36)};

-- Global Types
-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
-- The content of this type conforms to RFC 3629.

id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
    dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

id-cmc OBJECT IDENTIFIER ::= {id-pkix 7}   -- CMC controls
id-cct OBJECT IDENTIFIER ::= {id-pkix 12}  -- CMC content types

-- The following controls have the type OCTET STRING

id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3}
id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4}
id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18}
id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19}
id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21}
id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22}
id-cmc-popLinkWitness OBJECT IDENTIFIER ::= {id-cmc 23}

-- The following controls have the type UTF8String

id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2}

-- The following controls have the type INTEGER

id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5}

-- The following controls have the type OCTET STRING

id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6}
id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7}

-- This is the content type used for a request message
-- in the protocol

id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 }

PKIData ::= SEQUENCE {
    controlSequence     SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
    reqSequence         SEQUENCE SIZE(0..MAX) OF TaggedRequest,
    cmsSequence         SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
    otherMsgSequence    SEQUENCE SIZE(0..MAX) OF OtherMsg
}

bodyIdMax INTEGER ::= 4294967295

BodyPartID ::= INTEGER(0..bodyIdMax)

TaggedAttribute ::= SEQUENCE {
    bodyPartID          BodyPartID,
    attrType            OBJECT IDENTIFIER,
    attrValues          SET OF AttributeValue
}

AttributeValue ::= ANY

TaggedRequest ::= CHOICE {
    tcr                 [0] TaggedCertificationRequest,
    crm                 [1] CertReqMsg,
    orm                 [2] SEQUENCE {
        bodyPartID              BodyPartID,
        requestMessageType      OBJECT IDENTIFIER,
        requestMessageValue     ANY DEFINED BY requestMessageType
    }
}

TaggedCertificationRequest ::= SEQUENCE {
    bodyPartID              BodyPartID,
    certificationRequest    CertificationRequest
}

CertificationRequest ::= SEQUENCE {
    certificationRequestInfo  SEQUENCE {
        version                 INTEGER,
        subject                 Name,
        subjectPublicKeyInfo    SEQUENCE {
            algorithm               AlgorithmIdentifier,
            subjectPublicKey        BIT STRING
        },
        attributes              [0] IMPLICIT SET OF Attribute
    },
    signatureAlgorithm        AlgorithmIdentifier,
    signature                 BIT STRING
}

TaggedContentInfo ::= SEQUENCE {
    bodyPartID          BodyPartID,
    contentInfo         ContentInfo
}

OtherMsg ::= SEQUENCE {
    bodyPartID          BodyPartID,
    otherMsgType        OBJECT IDENTIFIER,
    otherMsgValue       ANY DEFINED BY otherMsgType
}

-- This defines the response message in the protocol
id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 }

ResponseBody ::= PKIResponse

PKIResponse ::= SEQUENCE {
    controlSequence     SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
    cmsSequence         SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
    otherMsgSequence    SEQUENCE SIZE(0..MAX) OF OtherMsg
}

-- Used to return status state in a response

id-cmc-statusInfo OBJECT IDENTIFIER ::= {id-cmc 1}

CMCStatusInfo ::= SEQUENCE {
    cMCStatus           CMCStatus,
    bodyList            SEQUENCE SIZE (1..MAX) OF BodyPartID,
    statusString        UTF8String OPTIONAL,
    otherInfo           CHOICE {
        failInfo            CMCFailInfo,
        pendInfo            PendInfo
    } OPTIONAL
}

PendInfo ::= SEQUENCE {
    pendToken           OCTET STRING,
    pendTime            GeneralizedTime
}

CMCStatus ::= INTEGER {
    success             (0),
    failed              (2),
    pending             (3),
    noSupport           (4),
    confirmRequired     (5),
    popRequired         (6),
    partial             (7)
}

-- Note:
-- The spelling of unsupportedExt is corrected in this version.
-- In RFC 2797, it was unsuportedExt.

CMCFailInfo ::= INTEGER {
    badAlg              (0),
    badMessageCheck     (1),
    badRequest          (2),
    badTime             (3),
    badCertId           (4),
    unsupportedExt      (5),
    mustArchiveKeys     (6),
    badIdentity         (7),
    popRequired         (8),
    popFailed           (9),
    noKeyReuse          (10),
    internalCAError     (11),
    tryLater            (12),
    authDataFail        (13)
}

-- Used for RAs to add extensions to certification requests
id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8}

AddExtensions ::= SEQUENCE {
    pkiDataReference    BodyPartID,
    certReferences      SEQUENCE OF BodyPartID,
    extensions          SEQUENCE OF Extension
}

id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9}
id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10}

EncryptedPOP ::= SEQUENCE {
    request             TaggedRequest,
    cms                 ContentInfo,
    thePOPAlgID         AlgorithmIdentifier,
    witnessAlgID        AlgorithmIdentifier,
    witness             OCTET STRING
}

DecryptedPOP ::= SEQUENCE {
    bodyPartID          BodyPartID,
    thePOPAlgID         AlgorithmIdentifier,
    thePOP              OCTET STRING
}

id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11}

LraPopWitness ::= SEQUENCE {
    pkiDataBodyid       BodyPartID,
    bodyIds             SEQUENCE OF BodyPartID
}

--
id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15}

GetCert ::= SEQUENCE {
    issuerName          GeneralName,
    serialNumber        INTEGER
}

id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16}

GetCRL ::= SEQUENCE {
    issuerName          Name,
    cRLName             GeneralName OPTIONAL,
    time                GeneralizedTime OPTIONAL,
    reasons             ReasonFlags OPTIONAL
}

id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17}

RevokeRequest ::= SEQUENCE {
    issuerName          Name,
    serialNumber        INTEGER,
    reason              CRLReason,
    invalidityDate      GeneralizedTime OPTIONAL,
    passphrase          OCTET STRING OPTIONAL,
    comment             UTF8String OPTIONAL
}

id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {id-cmc 24}

CMCCertId ::= IssuerAndSerialNumber

-- The following is used to request V3 extensions be added to a
-- certificate

id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
    rsadsi(113549) pkcs(1) pkcs-9(9) 14}

ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF Extension

-- The following exists to allow Diffie-Hellman Certification
-- Request Messages to be well-formed

id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}

NoSignatureValue ::= OCTET STRING

-- Unauthenticated attribute to carry removable data.
-- This could be used in an update of "CMC Extensions: Server
-- Side Key Generation and Key Escrow" (February 2005) and in
-- other documents.

id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
    rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2)}
id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= {id-aa 34}

CMCUnsignedData ::= SEQUENCE {
    bodyPartPath        BodyPartPath,
    identifier          OBJECT IDENTIFIER,
    content             ANY DEFINED BY identifier
}

-- Replaces CMC Status Info
--

id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= {id-cmc 25}

CMCStatusInfoV2 ::= SEQUENCE {
    cMCStatus           CMCStatus,
    bodyList            SEQUENCE SIZE (1..MAX) OF BodyPartReference,
    statusString        UTF8String OPTIONAL,
    otherInfo           CHOICE {
        failInfo            CMCFailInfo,
        pendInfo            PendInfo,
        extendedFailInfo    SEQUENCE {
            failInfoOID         OBJECT IDENTIFIER,
            failInfoValue       AttributeValue
        }
    } OPTIONAL
}

BodyPartReference ::= CHOICE {
    bodyPartID          BodyPartID,
    bodyPartPath        BodyPartPath
}

BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID

-- Allow for distribution of trust anchors
--

id-cmc-trustedAnchors OBJECT IDENTIFIER ::= {id-cmc 26}

PublishTrustAnchors ::= SEQUENCE {
    seqNumber           INTEGER,
    hashAlgorithm       AlgorithmIdentifier,
    anchorHashes        SEQUENCE OF OCTET STRING
}

id-cmc-authData OBJECT IDENTIFIER ::= {id-cmc 27}

AuthPublish ::= BodyPartID

-- These two items use BodyPartList
id-cmc-batchRequests OBJECT IDENTIFIER ::= {id-cmc 28}
id-cmc-batchResponses OBJECT IDENTIFIER ::= {id-cmc 29}

BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID

--
id-cmc-publishCert OBJECT IDENTIFIER ::= {id-cmc 30}

CMCPublicationInfo ::= SEQUENCE {
    hashAlg             AlgorithmIdentifier,
    certHashes          SEQUENCE OF OCTET STRING,
    pubInfo             PKIPublicationInfo
}

id-cmc-modCertTemplate OBJECT IDENTIFIER ::= {id-cmc 31}

ModCertTemplate ::= SEQUENCE {
    pkiDataReference    BodyPartPath,
    certReferences      BodyPartList,
    replace             BOOLEAN DEFAULT TRUE,
    certTemplate        CertTemplate
}

-- Inform follow-on servers that one or more controls have already
-- been processed

id-cmc-controlProcessed OBJECT IDENTIFIER ::= {id-cmc 32}

ControlsProcessed ::= SEQUENCE {
    bodyList            SEQUENCE SIZE(1..MAX) OF BodyPartReference
}

-- Identity Proof control w/ algorithm agility

id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 34 }

IdentifyProofV2 ::= SEQUENCE {
    proofAlgID          AlgorithmIdentifier,
    macAlgId            AlgorithmIdentifier,
    witness             OCTET STRING
}

id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 33 }
PopLinkWitnessV2 ::= SEQUENCE {
    keyGenAlgorithm     AlgorithmIdentifier,
    macAlgorithm        AlgorithmIdentifier,
    witness             OCTET STRING
}

--

id-cmc-raIdentityWitness OBJECT IDENTIFIER ::= {id-cmc 35}

--
-- Allow for an End-Entity to request a change in name.
-- This item is added to RegControlSet in CRMF.
--

id-cmc-changeSubjectName OBJECT IDENTIFIER ::= {id-cmc 36}

ChangeSubjectName ::= SEQUENCE {
    subject             Name OPTIONAL,
    subjectAlt          GeneralNames OPTIONAL
}
-- (WITH COMPONENTS {..., subject PRESENT} |
--  WITH COMPONENTS {..., subjectAlt PRESENT} )

--
-- Embedded response from a third party for processing
--

id-cmc-responseBody OBJECT IDENTIFIER ::= {id-cmc 37}

--
-- Key purpose identifiers are in the Extended Key Usage extension
--

id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 }
id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmcArchive OBJECT IDENTIFIER ::= { id-kp 28 }

--
-- Subject Information Access identifier
--

id-ad-cmc OBJECT IDENTIFIER ::= { id-ad 12 }

END

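The following Python code is an added example, not part of RFC 6402 or of any CMC implementation: it decodes a TaggedAttribute carrying id-cmc-statusInfoV2 as defined in the module above, telling the two BodyPartReference alternatives apart by their tag and enforcing the BodyPartID range. The function names and the sample message are constructed for illustration, and of otherInfo only the failInfo alternative is handled.

```python
# Added example: decode a CMC TaggedAttribute carrying id-cmc-statusInfoV2.
# Function names and the sample message are assumptions made for illustration.
INTEGER, OID, UTF8, SEQUENCE, SET = 0x02, 0x06, 0x0C, 0x30, 0x31
STATUS_INFO_V2_OID = bytes.fromhex("2b06010505070719")  # 1.3.6.1.5.5.7.7.25 = {id-cmc 25}
BODY_ID_MAX = 4294967295  # bodyIdMax in the module
CMC_STATUS = {0: "success", 2: "failed", 3: "pending", 4: "noSupport",
              5: "confirmRequired", 6: "popRequired", 7: "partial"}
CMC_FAIL_INFO = dict(enumerate([
    "badAlg", "badMessageCheck", "badRequest", "badTime", "badCertId",
    "unsupportedExt", "mustArchiveKeys", "badIdentity", "popRequired",
    "popFailed", "noKeyReuse", "internalCAError", "tryLater", "authDataFail"]))

def tlv(tag, content):
    """DER-encode one tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def enc_int(value):
    """Minimal DER INTEGER for a non-negative value."""
    return tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def dec_int(body):
    return int.from_bytes(body, "big", signed=True)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); reject indefinite or overrunning lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a SEQUENCE or SET into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def dec_body_part_id(body):
    value = dec_int(body)
    if not 0 <= value <= BODY_ID_MAX:
        raise ValueError("BodyPartID outside 0..bodyIdMax")
    return value

def parse_body_part_reference(tag, body):
    """BodyPartReference CHOICE: INTEGER is bodyPartID, SEQUENCE is bodyPartPath."""
    if tag == INTEGER:
        return [dec_body_part_id(body)]
    items = children(body) if tag == SEQUENCE else []
    if not items or any(t != INTEGER for t, _ in items):
        raise ValueError("malformed BodyPartReference")
    return [dec_body_part_id(b) for _, b in items]

def parse_status_info_v2(der):
    """Decode CMCStatusInfoV2; of otherInfo only the failInfo alternative is read."""
    tag, content, end = read_tlv(der)
    fields = children(content)
    if tag != SEQUENCE or end != len(der) or [t for t, _ in fields[:2]] != [INTEGER, SEQUENCE]:
        raise ValueError("not a CMCStatusInfoV2")
    refs = [parse_body_part_reference(t, b) for t, b in children(fields[1][1])]
    if not refs:
        raise ValueError("bodyList is SIZE (1..MAX)")
    info = {"status": CMC_STATUS.get(dec_int(fields[0][1]), "unknown"),
            "bodyList": refs, "statusString": None, "failInfo": None}
    for t, b in fields[2:]:
        if t == UTF8:
            info["statusString"] = b.decode("utf-8")
        elif t == INTEGER:
            info["failInfo"] = CMC_FAIL_INFO.get(dec_int(b), "unknown")
    return info

def decode_control(der):
    """Decode a TaggedAttribute whose attrValues holds one CMCStatusInfoV2."""
    tag, content, end = read_tlv(der)
    fields = children(content)
    if tag != SEQUENCE or end != len(der) or [t for t, _ in fields] != [INTEGER, OID, SET]:
        raise ValueError("not a TaggedAttribute")
    values = children(fields[2][1])
    if fields[1][1] != STATUS_INFO_V2_OID or len(values) != 1:
        raise ValueError("expected exactly one statusInfoV2 value")
    return dec_body_part_id(fields[0][1]), parse_status_info_v2(tlv(*values[0]))

def build_sample(nested_id=3):
    """Constructed message: control 100 reports parts 1 and 2/nested_id as failed."""
    body_list = tlv(SEQUENCE, enc_int(1) + tlv(SEQUENCE, enc_int(2) + enc_int(nested_id)))
    status = tlv(SEQUENCE, enc_int(2) + body_list + tlv(UTF8, b"malformed request") + enc_int(2))
    return tlv(SEQUENCE, enc_int(100) + tlv(OID, STATUS_INFO_V2_OID) + tlv(SET, status))
```

Calling `decode_control(build_sample())` returns the control's bodyPartID together with the decoded status, where each bodyList entry is a list of one ID (bodyPartID) or several (bodyPartPath).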
An updated 2008 ASN.1 module has been provided as part of this update. The module contains those changes that were done to update the current ASN.1 standards (done for [RFC5912]) as well as changes made for this document.

EnrollmentMessageSyntax-2011-v08
    {iso(1) identified-organization(3) dod(6) internet(1)
    security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-enrollMsgSyntax-2011-08(76)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS

AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE
FROM PKIX-CommonTypes-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

AlgorithmIdentifier{}, DIGEST-ALGORITHM, KEY-WRAP, KEY-DERIVATION,
    MAC-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY
FROM AlgorithmInformation-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0)
    id-mod-algorithmInformation-02(58)}

CertificateSerialNumber, GeneralName, CRLReason, ReasonFlags,
    CertExtensions, GeneralNames
FROM PKIX1Implicit-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

Name, id-pkix, PublicKeyAlgorithms, SignatureAlgorithms, id-ad, id-kp
FROM PKIX1Explicit-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

ContentInfo, IssuerAndSerialNumber, CONTENT-TYPE
FROM CryptographicMessageSyntax-2010
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

CertReqMsg, PKIPublicationInfo, CertTemplate
FROM PKIXCRMF-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)}

mda-sha1
FROM PKIXAlgs-2009
    { iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0)
    id-mod-pkix1-algorithms2008-02(56)}

kda-PBKDF2, maca-hMAC-SHA1
FROM CryptographicMessageSyntaxAlgorithms-2009
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
    smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

mda-sha256
FROM PKIX1-PSS-OAEP-Algorithms-2009
    { iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0)
    id-mod-pkix1-rsa-pkalgs-02(54) } ;

-- CMS content types defined in this document

CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... }

-- Signature Algorithms defined in this document

SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature }

-- CMS Unsigned Attributes

CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData }

--
--

id-cmc OBJECT IDENTIFIER ::= {id-pkix 7}   -- CMC controls
id-cct OBJECT IDENTIFIER ::= {id-pkix 12}  -- CMC content types

-- This is the content type for a request message in the protocol

ct-PKIData CONTENT-TYPE ::=
    { TYPE PKIData IDENTIFIED BY id-cct-PKIData }
id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 }

PKIData ::= SEQUENCE {
    controlSequence     SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
    reqSequence         SEQUENCE SIZE(0..MAX) OF TaggedRequest,
    cmsSequence         SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
    otherMsgSequence    SEQUENCE SIZE(0..MAX) OF OtherMsg
}

BodyPartID ::= INTEGER(0..4294967295)

TaggedAttribute ::= SEQUENCE {
    bodyPartID          BodyPartID,
    attrType            CMC-CONTROL.&id({Cmc-Control-Set}),
    attrValues          SET OF CMC-CONTROL.
                            &Type({Cmc-Control-Set}{@attrType})
}

Cmc-Control-Set CMC-CONTROL ::= {
    cmc-identityProof | cmc-dataReturn | cmc-regInfo |
    cmc-responseInfo | cmc-queryPending | cmc-popLinkRandom |
    cmc-popLinkWitness | cmc-identification | cmc-transactionId |
    cmc-senderNonce | cmc-recipientNonce | cmc-statusInfo |
    cmc-addExtensions | cmc-encryptedPOP | cmc-decryptedPOP |
    cmc-lraPOPWitness | cmc-getCert | cmc-getCRL |
    cmc-revokeRequest | cmc-confirmCertAcceptance |
    cmc-statusInfoV2 | cmc-trustedAnchors | cmc-authData |
    cmc-batchRequests | cmc-batchResponses | cmc-publishCert |
    cmc-modCertTemplate | cmc-controlProcessed |
    cmc-identityProofV2 | cmc-popLinkWitnessV2, ...,
    cmc-raIdentityWitness | cmc-responseBody }

OTHER-REQUEST ::= TYPE-IDENTIFIER
OTHER-REQUEST ::= TYPE-IDENTIFIER
-- We do not define any other requests in this document. -- Examples might be attribute certification requests.
-- We do not define any other requests in this document. -- Examples might be attribute certification requests.
OtherRequests OTHER-REQUEST ::= {...}
OtherRequests OTHER-REQUEST ::= {...}
TaggedRequest ::= CHOICE { tcr [0] TaggedCertificationRequest, crm [1] CertReqMsg, orm [2] SEQUENCE { bodyPartID BodyPartID, requestMessageType OTHER-REQUEST.&id({OtherRequests}), requestMessageValue OTHER-REQUEST.&Type({OtherRequests} {@.requestMessageType}) } }
TaggedRequest ::= CHOICE { tcr [0] TaggedCertificationRequest, crm [1] CertReqMsg, orm [2] SEQUENCE { bodyPartID BodyPartID, requestMessageType OTHER-REQUEST.&id({OtherRequests}), requestMessageValue OTHER-REQUEST.&Type({OtherRequests} {@.requestMessageType}) } }
TaggedCertificationRequest ::= SEQUENCE { bodyPartID BodyPartID, certificationRequest CertificationRequest }
TaggedCertificationRequest ::= SEQUENCE { bodyPartID BodyPartID, certificationRequest CertificationRequest }
AttributeList ATTRIBUTE ::= {at-extension-req, ..., at-cmc-changeSubjectName}
AttributeList ATTRIBUTE ::= {at-extension-req, ..., at-cmc-changeSubjectName}
CertificationRequest ::= SEQUENCE {
    certificationRequestInfo  SEQUENCE {
        version                   INTEGER,
        subject                   Name,
        subjectPublicKeyInfo      SEQUENCE {
            algorithm                 AlgorithmIdentifier{PUBLIC-KEY,
                                          {PublicKeyAlgorithms}},
            subjectPublicKey          BIT STRING
        },
        attributes                [0] IMPLICIT SET OF
                                      AttributeSet{{AttributeList}}
    },
    signatureAlgorithm        AlgorithmIdentifier
                                  {SIGNATURE-ALGORITHM,
                                      {SignatureAlgorithms}},
    signature                 BIT STRING
}
TaggedContentInfo ::= SEQUENCE { bodyPartID BodyPartID, contentInfo ContentInfo }
OTHER-MSG ::= TYPE-IDENTIFIER
-- No other messages currently defined
OtherMsgSet OTHER-MSG ::= {...}
OtherMsg ::= SEQUENCE { bodyPartID BodyPartID, otherMsgType OTHER-MSG.&id({OtherMsgSet}), otherMsgValue OTHER-MSG.&Type({OtherMsgSet}{@otherMsgType}) }
-- This defines the response message in the protocol
ct-PKIResponse CONTENT-TYPE ::= { TYPE PKIResponse IDENTIFIED BY id-cct-PKIResponse } id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 }
ResponseBody ::= PKIResponse
PKIResponse ::= SEQUENCE { controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute, cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo, otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg }
CMC-CONTROL ::= TYPE-IDENTIFIER
-- The following controls have the type OCTET STRING
cmc-identityProof CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-identityProof } id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3}
cmc-dataReturn CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-dataReturn } id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4}
cmc-regInfo CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-regInfo } id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18}
cmc-responseInfo CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-responseInfo } id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19}
cmc-queryPending CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-queryPending } id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21}
cmc-popLinkRandom CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-popLinkRandom } id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22}
cmc-popLinkWitness CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-popLinkWitness } id-cmc-popLinkWitness OBJECT IDENTIFIER ::= {id-cmc 23}
-- The following controls have the type UTF8String
cmc-identification CMC-CONTROL ::= { UTF8String IDENTIFIED BY id-cmc-identification } id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2}
-- The following controls have the type INTEGER
cmc-transactionId CMC-CONTROL ::= { INTEGER IDENTIFIED BY id-cmc-transactionId } id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5}
-- The following controls have the type OCTET STRING
cmc-senderNonce CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-senderNonce } id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6}
cmc-recipientNonce CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-recipientNonce }
id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7}
-- Used to return status in a response
cmc-statusInfo CMC-CONTROL ::= { CMCStatusInfo IDENTIFIED BY id-cmc-statusInfo } id-cmc-statusInfo OBJECT IDENTIFIER ::= {id-cmc 1}
CMCStatusInfo ::= SEQUENCE {
    cMCStatus       CMCStatus,
    bodyList        SEQUENCE SIZE (1..MAX) OF BodyPartID,
    statusString    UTF8String OPTIONAL,
    otherInfo       CHOICE {
        failInfo        CMCFailInfo,
        pendInfo        PendInfo
    } OPTIONAL
}
PendInfo ::= SEQUENCE { pendToken OCTET STRING, pendTime GeneralizedTime }
CMCStatus ::= INTEGER {
    success         (0),
    failed          (2),
    pending         (3),
    noSupport       (4),
    confirmRequired (5),
    popRequired     (6),
    partial         (7)
}
CMCFailInfo ::= INTEGER {
    badAlg          (0),
    badMessageCheck (1),
    badRequest      (2),
    badTime         (3),
    badCertId       (4),
    unsuportedExt   (5),
    mustArchiveKeys (6),
    badIdentity     (7),
    popRequired     (8),
    popFailed       (9),
    noKeyReuse      (10),
    internalCAError (11),
    tryLater        (12),
    authDataFail    (13)
}
-- Used for RAs to add extensions to certification requests
cmc-addExtensions CMC-CONTROL ::= { AddExtensions IDENTIFIED BY id-cmc-addExtensions } id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8}
AddExtensions ::= SEQUENCE { pkiDataReference BodyPartID, certReferences SEQUENCE OF BodyPartID, extensions SEQUENCE OF Extension{{CertExtensions}} }
cmc-encryptedPOP CMC-CONTROL ::= { EncryptedPOP IDENTIFIED BY id-cmc-encryptedPOP }
cmc-decryptedPOP CMC-CONTROL ::= { DecryptedPOP IDENTIFIED BY id-cmc-decryptedPOP }
id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9}
id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10}
EncryptedPOP ::= SEQUENCE { request TaggedRequest, cms ContentInfo, thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, witnessAlgID AlgorithmIdentifier{DIGEST-ALGORITHM, {WitnessAlgs}}, witness OCTET STRING }
POPAlgs MAC-ALGORITHM ::= {maca-hMAC-SHA1, ...} WitnessAlgs DIGEST-ALGORITHM ::= {mda-sha1, ...}
DecryptedPOP ::= SEQUENCE { bodyPartID BodyPartID, thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, thePOP OCTET STRING }
cmc-lraPOPWitness CMC-CONTROL ::= { LraPopWitness IDENTIFIED BY id-cmc-lraPOPWitness }
id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11}
LraPopWitness ::= SEQUENCE { pkiDataBodyid BodyPartID, bodyIds SEQUENCE OF BodyPartID }
--
cmc-getCert CMC-CONTROL ::= { GetCert IDENTIFIED BY id-cmc-getCert } id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15}
GetCert ::= SEQUENCE { issuerName GeneralName, serialNumber INTEGER }
cmc-getCRL CMC-CONTROL ::= { GetCRL IDENTIFIED BY id-cmc-getCRL } id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16}
GetCRL ::= SEQUENCE { issuerName Name, cRLName GeneralName OPTIONAL, time GeneralizedTime OPTIONAL, reasons ReasonFlags OPTIONAL }
cmc-revokeRequest CMC-CONTROL ::= { RevokeRequest IDENTIFIED BY id-cmc-revokeRequest} id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17}
RevokeRequest ::= SEQUENCE { issuerName Name, serialNumber INTEGER, reason CRLReason, invalidityDate GeneralizedTime OPTIONAL, passphrase OCTET STRING OPTIONAL, comment UTF8String OPTIONAL }
cmc-confirmCertAcceptance CMC-CONTROL ::= { CMCCertId IDENTIFIED BY id-cmc-confirmCertAcceptance } id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {id-cmc 24}
CMCCertId ::= IssuerAndSerialNumber
-- The following is used to request V3 extensions be added
-- to a certificate
at-extension-req ATTRIBUTE ::= { TYPE ExtensionReq IDENTIFIED BY id-ExtensionReq } id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 14}
ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF Extension{{CertExtensions}}
-- The following allows Diffie-Hellman Certification Request
-- Messages to be well-formed
sa-noSignature SIGNATURE-ALGORITHM ::= { IDENTIFIER id-alg-noSignature VALUE NoSignatureValue PARAMS TYPE NULL ARE required HASHES { mda-sha1 } } id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}
NoSignatureValue ::= OCTET STRING
-- Unauthenticated attribute to carry removable data.
id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2)}
aa-cmc-unsignedData ATTRIBUTE ::= { TYPE CMCUnsignedData IDENTIFIED BY id-aa-cmc-unsignedData } id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= {id-aa 34}
CMCUnsignedData ::= SEQUENCE { bodyPartPath BodyPartPath, identifier TYPE-IDENTIFIER.&id, content TYPE-IDENTIFIER.&Type }
-- Replaces CMC Status Info --
cmc-statusInfoV2 CMC-CONTROL ::= { CMCStatusInfoV2 IDENTIFIED BY id-cmc-statusInfoV2 } id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= {id-cmc 25}
EXTENDED-FAILURE-INFO ::= TYPE-IDENTIFIER
ExtendedFailures EXTENDED-FAILURE-INFO ::= {...}
CMCStatusInfoV2 ::= SEQUENCE {
    cMCStatus             CMCStatus,
    bodyList              SEQUENCE SIZE (1..MAX) OF BodyPartReference,
    statusString          UTF8String OPTIONAL,
    otherInfo             CHOICE {
        failInfo              CMCFailInfo,
        pendInfo              PendInfo,
        extendedFailInfo      [1] SEQUENCE {
            failInfoOID           TYPE-IDENTIFIER.&id
                                      ({ExtendedFailures}),
            failInfoValue         TYPE-IDENTIFIER.&Type
                                      ({ExtendedFailures}
                                          {@.failInfoOID})
        }
    } OPTIONAL
}
BodyPartReference ::= CHOICE { bodyPartID BodyPartID, bodyPartPath BodyPartPath }
BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID
-- Allow for distribution of trust anchors --
cmc-trustedAnchors CMC-CONTROL ::= { PublishTrustAnchors IDENTIFIED BY id-cmc-trustedAnchors } id-cmc-trustedAnchors OBJECT IDENTIFIER ::= {id-cmc 26}
PublishTrustAnchors ::= SEQUENCE { seqNumber INTEGER, hashAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {HashAlgorithms}}, anchorHashes SEQUENCE OF OCTET STRING }
HashAlgorithms DIGEST-ALGORITHM ::= { mda-sha1 | mda-sha256, ... }
cmc-authData CMC-CONTROL ::= { AuthPublish IDENTIFIED BY id-cmc-authData } id-cmc-authData OBJECT IDENTIFIER ::= {id-cmc 27}
AuthPublish ::= BodyPartID
-- These two items use BodyPartList
cmc-batchRequests CMC-CONTROL ::= { BodyPartList IDENTIFIED BY id-cmc-batchRequests }
id-cmc-batchRequests OBJECT IDENTIFIER ::= {id-cmc 28}
cmc-batchResponses CMC-CONTROL ::= { BodyPartList IDENTIFIED BY id-cmc-batchResponses } id-cmc-batchResponses OBJECT IDENTIFIER ::= {id-cmc 29}
BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID
cmc-publishCert CMC-CONTROL ::= { CMCPublicationInfo IDENTIFIED BY id-cmc-publishCert } id-cmc-publishCert OBJECT IDENTIFIER ::= {id-cmc 30}
CMCPublicationInfo ::= SEQUENCE { hashAlg AlgorithmIdentifier{DIGEST-ALGORITHM, {HashAlgorithms}}, certHashes SEQUENCE OF OCTET STRING, pubInfo PKIPublicationInfo }
cmc-modCertTemplate CMC-CONTROL ::= { ModCertTemplate IDENTIFIED BY id-cmc-modCertTemplate }
id-cmc-modCertTemplate OBJECT IDENTIFIER ::= {id-cmc 31}
ModCertTemplate ::= SEQUENCE { pkiDataReference BodyPartPath, certReferences BodyPartList, replace BOOLEAN DEFAULT TRUE, certTemplate CertTemplate }
-- Inform follow-on servers that one or more controls have
-- already been processed
cmc-controlProcessed CMC-CONTROL ::= { ControlsProcessed IDENTIFIED BY id-cmc-controlProcessed } id-cmc-controlProcessed OBJECT IDENTIFIER ::= {id-cmc 32}
ControlsProcessed ::= SEQUENCE { bodyList SEQUENCE SIZE(1..MAX) OF BodyPartReference }
-- Identity Proof control w/ algorithm agility
cmc-identityProofV2 CMC-CONTROL ::= { IdentityProofV2 IDENTIFIED BY id-cmc-identityProofV2 } id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 33 }
IdentityProofV2 ::= SEQUENCE { proofAlgID AlgorithmIdentifier{DIGEST-ALGORITHM, {WitnessAlgs}}, macAlgId AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, witness OCTET STRING }
cmc-popLinkWitnessV2 CMC-CONTROL ::= { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 } id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 }
PopLinkWitnessV2 ::= SEQUENCE { keyGenAlgorithm AlgorithmIdentifier{KEY-DERIVATION, {KeyDevAlgs}}, macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, witness OCTET STRING }
KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...}
cmc-raIdentityWitness CMC-CONTROL ::= { BodyPartPath IDENTIFIED BY id-cmc-raIdentityWitness }
id-cmc-raIdentityWitness OBJECT IDENTIFIER ::= {id-cmc 35}
--
-- Allow for an End-Entity to request a change in name.
-- This item is added to RegControlSet in CRMF.
--
at-cmc-changeSubjectName ATTRIBUTE ::= { TYPE ChangeSubjectName IDENTIFIED BY id-cmc-changeSubjectName }
id-cmc-changeSubjectName OBJECT IDENTIFIER ::= {id-cmc 36}
ChangeSubjectName ::= SEQUENCE { subject Name OPTIONAL, subjectAlt GeneralNames OPTIONAL } (WITH COMPONENTS {..., subject PRESENT} | WITH COMPONENTS {..., subjectAlt PRESENT} )
--
-- Embedded response from a third party for processing
--
cmc-responseBody CMC-CONTROL ::= { BodyPartPath IDENTIFIED BY id-cmc-responseBody }
id-cmc-responseBody OBJECT IDENTIFIER ::= {id-cmc 37}
--
-- Key purpose identifiers are in the Extended Key Usage extension
--
id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 }
id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmcArchive OBJECT IDENTIFIER ::= { id-kp 29 }
--
-- Subject Information Access identifier
--
id-ad-cmc OBJECT IDENTIFIER ::= { id-ad 12 }
END
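The CMCStatusInfoV2 definition in the module above nests two CHOICE types (BodyPartReference and otherInfo) whose alternatives a receiver has to tell apart by tag alone. The following decoder is an added example, not part of the RFC or of any CMC implementation. It assumes definite-length DER and that the enclosing module is declared with IMPLICIT TAGS (the module header is not part of this section); the function names and the sample bytes are constructed for illustration.

```python
# Added example: decode a DER-encoded CMCStatusInfoV2 (definite lengths only).
# Assumption: the enclosing module uses IMPLICIT TAGS, so [1] SEQUENCE is tag 0xA1.
CMC_STATUS = {0: "success", 2: "failed", 3: "pending", 4: "noSupport",
              5: "confirmRequired", 6: "popRequired", 7: "partial"}
CMC_FAIL_INFO = ["badAlg", "badMessageCheck", "badRequest", "badTime", "badCertId",
                 "unsuportedExt", "mustArchiveKeys", "badIdentity", "popRequired",
                 "popFailed", "noKeyReuse", "internalCAError", "tryLater",
                 "authDataFail"]  # list index = INTEGER value, spelling as in the module
INTEGER, OCTET_STRING, UTF8, GEN_TIME, SEQUENCE, CTX1 = 0x02, 0x04, 0x0C, 0x18, 0x30, 0xA1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos, rejecting bad lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):                   # content octets -> list of (tag, value)
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def to_int(tag, val):
    if tag != INTEGER or not val:
        raise ValueError("expected INTEGER")
    return int.from_bytes(val, "big", signed=True)

def body_ref(tag, val):                # SEQUENCE = bodyPartPath, INTEGER = bodyPartID
    if tag == SEQUENCE:
        return [to_int(t, v) for t, v in children(val)]
    return to_int(tag, val)

def decode_status_info_v2(der):
    tag, val, end = read_tlv(der, 0)
    items = children(val)
    if tag != SEQUENCE or end != len(der) or len(items) < 2 or items[1][0] != SEQUENCE:
        raise ValueError("expected SEQUENCE { cMCStatus, bodyList, ... }")
    code = to_int(*items[0])
    out = {"status": CMC_STATUS.get(code, "unknown(%d)" % code),
           "bodyList": [body_ref(t, v) for t, v in children(items[1][1])]}
    if not out["bodyList"]:
        raise ValueError("bodyList is SIZE (1..MAX)")
    rest = items[2:]
    if rest and rest[0][0] == UTF8:    # statusString is OPTIONAL
        out["statusString"] = rest.pop(0)[1].decode("utf-8")
    if rest:                           # otherInfo CHOICE, told apart by tag alone
        t, v = rest.pop(0)
        if t == INTEGER:
            n = to_int(t, v)
            out["failInfo"] = CMC_FAIL_INFO[n] if 0 <= n < len(CMC_FAIL_INFO) else n
        elif t == SEQUENCE:            # PendInfo: wrong element count raises ValueError
            (t1, token), (t2, when) = children(v)
            if (t1, t2) != (OCTET_STRING, GEN_TIME):
                raise ValueError("malformed PendInfo")
            out["pendInfo"] = (token, when.decode("ascii"))  # (pendToken, pendTime)
        elif t == CTX1:                # extendedFailInfo: failInfoOID, failInfoValue
            out["extendedFailInfo"] = children(v)
        else:
            raise ValueError("unknown otherInfo alternative 0x%02x" % t)
    if rest:
        raise ValueError("unexpected trailing element")
    return out

# Constructed sample: failed(2), bodyList {1, {2 3}}, "POP failed", popFailed(9).
SAMPLE = bytes.fromhex("301f020102" "300b0201013006020102020103" "0c0a"
                       + b"POP failed".hex() + "020109")
```

Calling decode_status_info_v2(SAMPLE) returns the status name, the mixed bodyList, the status string and the failInfo name; a buffer whose declared length exceeds the bytes present is rejected with ValueError rather than read past its end.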
Author's Address
Jim Schaad Soaring Hawk Consulting
EMail: jimsch@augustcellars.com