Internet Engineering Task Force (IETF)                        R. Housley
Request for Comments: 7191                                Vigil Security
Category: Standards Track                                     April 2014
ISSN: 2070-1721
Cryptographic Message Syntax (CMS) Key Package Receipt and Error Content Types
Abstract
This document defines the syntax for two Cryptographic Message Syntax (CMS) content types: one for key package receipts and another for key package errors. The key package receipt content type is used to confirm receipt of an identified key package or collection of key packages. The key package error content type is used to indicate an error occurred during the processing of a key package. CMS can be used to digitally sign, digest, authenticate, or encrypt these content types.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7191.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
    1.1. Requirements Terminology
    1.2. ASN.1 Syntax Notation
    1.3. Processing Key Package Receipt Requests
    1.4. Processing Key Packages with Errors
2. SIR Entity Name
3. Key Package Identifier and Receipt Request Attribute
4. Key Package Receipt CMS Content Type
5. Key Package Error CMS Content Type
6. Protecting the KeyPackageReceipt and KeyPackageError
7. Using the application/cms Media Type
8. IANA Considerations
9. Security Considerations
10. Acknowledgements
11. References
    11.1. Normative References
    11.2. Informative References
Appendix A. ASN.1 Module
This document defines the syntax for two Cryptographic Message Syntax (CMS) [RFC5652] content types: one for key package receipts and another for key package errors. The key package receipt content type is used to confirm receipt of an identified key package or collection of key packages. The key package error content type is used to indicate an error occurred during the processing of a key package. CMS can be used to digitally sign, digest, authenticate, or encrypt these content types.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The content types defined herein use ASN.1 ([X.680], [X.681], [X.682], and [X.683]).
The CONTENT-TYPE definition was updated to the 2008 version of ASN.1 by [RFC6268]; however, none of the new 2008 ASN.1 tokens are used in this specification, which allows compilers that only support the 2002 version of ASN.1 to compile the module in Appendix A.
The key package or collection of key packages [RFC4073] [RFC5958] [RFC6031] [RFC6032] for which the receipt is being generated MUST be signed, and the key package MUST include the key-package-identifier-and-receipt-request attribute specified in Section 3.
The key package or collection of key packages [RFC4073] [RFC5958] [RFC6031] [RFC6032] for which the error is being generated might be signed. The key package can be identified by a key-package-identifier-and-receipt-request attribute specified in Section 3.
Within a key distribution system, the source, intermediary, and receiver entities are identified by a Source Intermediary Recipient (SIR) entity name. The syntax for the SIR entity name does not impose any particular structure, and it accommodates straightforward registration of additional SIR entity name types.
The inclusion of the nameType object identifier ensures that two identifiers of different types that happen to contain the same values are not interpreted as equivalent. Additional SIR entity name types are expected to be registered that represent different granularities. For example, one SIR entity name type might represent the receiver organization, and at a finer granularity, another SIR entity name type might identify a specific device, perhaps using a manufacturer identifier and serial number. The use of an object identifier avoids the need for a central registry of SIR entity name types.
The nameValue is an OCTET STRING, which allows the canonical form of any name to be carried. Two names of the same type are considered equal if the octet strings are the same length and contain the same string of octets.
SIREntityNames and SIREntityName have the following syntax:
    SIREntityNames ::= SEQUENCE SIZE (1..MAX) OF SIREntityName

    SIR-ENTITY-NAME ::= CLASS {
      &sIRENType OBJECT IDENTIFIER UNIQUE,
      &SIRENValue
    } WITH SYNTAX {
      SYNTAX &SIRENValue IDENTIFIED BY &sIRENType }

    SIREntityName ::= SEQUENCE {
      sirenType  SIR-ENTITY-NAME.&sIRENType({SIREntityNameTypes}),
      sirenValue OCTET STRING (CONTAINING
                   SIR-ENTITY-NAME.&SIRENValue(
                     {SIREntityNameTypes}{@sirenType}) ) }
This document defines one SIR entity name type: the DN type. The DN type uses a nameType of id-dn and a nameValue of a Distinguished Name (DN). The nameValue OCTET STRING carries an ASN.1 encoded Name as specified in [RFC5280]. Note that other documents may define additional types.
    SIREntityNameTypes SIR-ENTITY-NAME ::= {
      siren-dn,
      ... -- Expect additional SIR Entity Name types --
    }

    siren-dn SIR-ENTITY-NAME ::= {
      SYNTAX DistinguishedName
      IDENTIFIED BY id-dn }

    id-dn OBJECT IDENTIFIER ::= {
      joint-iso-ccitt(2) country(16) us(840) organization(1)
      gov(101) dod(2) infosec(1) sir-name-types(16) 0 }
The key-package-identifier-and-receipt-request attribute, as its name implies, allows the originator to identify the key package and, optionally, request receipts. This attribute can appear as a signed, authenticated, and content attribute. Signed attributes are carried in the CMS Signed-data content type described in Section 5 of [RFC5652]. Authenticated attributes are carried in the CMS Authenticated-data content type described in Section 9 of [RFC5652] or in the CMS Authenticated-enveloped-data content type described in Section 2 of [RFC5083]. Content attributes are carried in the Content-with-attributes content type described in Section 3 of [RFC4073].
The key-package-identifier-and-receipt-request attribute has the following syntax:
    aa-keyPackageIdentifierAndReceiptRequest ATTRIBUTE ::= {
      TYPE KeyPkgIdentifierAndReceiptReq
      IDENTIFIED BY id-aa-KP-keyPkgIdAndReceiptReq }

    id-aa-KP-keyPkgIdAndReceiptReq OBJECT IDENTIFIER ::= {
      joint-iso-itu-t(2) country(16) us(840) organization(1)
      gov(101) dod(2) infosec(1) attributes(5) 65 }

    KeyPkgIdentifierAndReceiptReq ::= SEQUENCE {
      pkgID       KeyPkgID,
      receiptReq  KeyPkgReceiptReq OPTIONAL }

    KeyPkgID ::= OCTET STRING

    KeyPkgReceiptReq ::= SEQUENCE {
      encryptReceipt  BOOLEAN DEFAULT FALSE,
      receiptsFrom    [0] SIREntityNames OPTIONAL,
      receiptsTo      SIREntityNames }
Even though the ATTRIBUTE syntax is defined as a SET OF AttributeValue, a key-package-identifier-and-receipt-request attribute MUST have a single attribute value; zero or multiple instances of AttributeValue are not permitted.
The fields in the key-package-identifier-and-receipt-request attribute have the following semantics:
o pkgID contains an octet string, and this syntax does not impose any particular structure on the identifier.
o receiptReq is OPTIONAL, and when it is present, it includes an encryption receipt flag, an OPTIONAL indication of which receivers should generate receipts, and an indication of where the receipts are to be sent.
* The encryption receipt flag indicates whether the key package originator wants the receipt to be encrypted. If the boolean is set, then the receipt SHOULD be encrypted.
* The OPTIONAL ReceiptsFrom field provides an indication of which receivers SHOULD generate receipts. When the ReceiptsFrom field is absent, all receivers of the key package are expected to return receipts. When the ReceiptsFrom field is present, a list of SIR entity names indicates which receivers of the key package are requested to return receipts. In this case, the receiver SHOULD return a receipt only if their SIR entity name appears on the list.
* The receipt request does not include any key management information; however, the list of SIR entity names in the receiptsTo field can be used to select symmetric or asymmetric keying material for the receipt receivers.
A receiver SHOULD ignore the nameValue associated with any unrecognized nameType in either the receiptsFrom field or the receiptsTo field.
When the key-package-identifier-and-receipt-request attribute appears in more than one location in the overall key package, each occurrence is evaluated independently. That is, the receiver may generate more than one receipt for a single key package. However, the time at which the receipts are sent will depend on policies that are beyond the scope of this document.
The key package receipt content type is used to confirm receipt of an identified key package or collection of key packages. This content type MUST be encoded using the Distinguished Encoding Rules (DER) [X.690].
The key package receipt content type has the following syntax:
    ct-key-package-receipt CONTENT-TYPE ::= {
      TYPE KeyPackageReceipt
      IDENTIFIED BY id-ct-KP-keyPackageReceipt }

    id-ct-KP-keyPackageReceipt OBJECT IDENTIFIER ::= {
      joint-iso-itu-t(2) country(16) us(840) organization(1)
      gov(101) dod(2) infosec(1) formats(2)
      key-package-content-types(78) 3 }

    KeyPackageReceipt ::= SEQUENCE {
      version     KeyPkgVersion DEFAULT v2,
      receiptOf   KeyPkgIdentifier,
      receivedBy  SIREntityName }

    -- Revised definition of KeyPkgVersion from [RFC6031]
    KeyPkgVersion ::= INTEGER { v1(1), v2(2) } (1 .. 65535)

    KeyPkgIdentifier ::= CHOICE {
      pkgID      KeyPkgID,
      attribute  SingleAttribute {{ KeyPkgIdentifiers }} }

    KeyPkgID ::= OCTET STRING

    KeyPkgIdentifiers ATTRIBUTE ::= { ... }
The KeyPackageReceipt fields are used as follows:
o version identifies the version of the key package receipt content. For this version of the specification, the default value, v2, MUST be used. Note that v1 was defined in an earlier version, but the use of v1 is deprecated.
o receiptOf offers two alternatives for identifying the key package for which the receipt is being generated. The first alternative, pkgID, MUST be supported, and pkgID provides the key package identifier of the key package or collection of key packages for which this receipt is being generated. This key package identifier value MUST exactly match the key package identifier value of the key-package-identifier-and-receipt-request attribute in the received key package or collection. The key-package-identifier-and-receipt-request attribute is described in Section 3. The second alternative allows alternate attributes to be used to define the identifier.
o receivedBy identifies the entity that received the key package. The entity is named by an SIR entity name as specified in Section 2.
Key package receipts MUST be encapsulated in a CMS SignedData content type to carry the signature of the entity that is confirming receipt of the identified key package or collection of key packages. Key package receipts MAY be encrypted by encapsulating them in the CMS EncryptedData content type, the CMS EnvelopedData content type, or the AuthEnvelopedData content type. When the key package receipt is signed and encrypted, it MUST be signed prior to being encrypted.
Note that delivery assurance is the responsibility of the protocol that is used to transport and track key packages. The key package receipt content type can be used in conjunction with that protocol as part of an overall delivery assurance solution.
Because the receipts are signed, all recipients that generate key package receipts MUST have a private signature key to sign the receipt as well as store their own certificate or have a means of obtaining the key identifier of their public key. If memory is a concern, the public key identifier can be computed from the public key.
If the receipt signer has access to a real-time clock, then the binary-signing-time [RFC6019] signed attribute SHOULD be included in the key package receipt to provide the date and time when it was generated.
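The receiver-side handling from Sections 3 and 4, as an added example that is not part of RFC 7191: it decodes a DER KeyPkgIdentifierAndReceiptReq value, applies the receiptsFrom rules (names compared by type and exact octets, unrecognized name types ignored), and builds the KeyPackageReceipt content with pkgID copied byte for byte. Assumptions: receiptsFrom [0] uses IMPLICIT tagging; the function names, the DNs, the pkgID KP-0001 and the 2.999.1 name type are constructed for the example; wrapping the result in SignedData is left out.

```python
# Added example, not RFC 7191 text. OIDs are kept as DER content octets.
ID_DN = bytes.fromhex("608648016502011000")   # id-dn, 2.16.840.1.101.2.1.16.0
CN = bytes.fromhex("550403")                  # commonName, 2.5.4.3

def tlv(tag, content):
    """DER tag-length-value using the minimal definite length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def siren(name_type, value):
    """SIREntityName ::= SEQUENCE { sirenType OID, sirenValue OCTET STRING }"""
    return tlv(0x30, tlv(0x06, name_type) + tlv(0x04, value))

def dn(cn):
    """DER Name with a single commonName RDN (constructed sample value)."""
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN) + tlv(0x0C, cn.encode()))))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); reject lengths that are not DER."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        if k == 0 or pos + k > len(buf) or buf[pos] == 0 or n < 0x80:
            raise ValueError("length is not minimal definite form")
        pos += k
    if pos + n > len(buf):
        raise ValueError("content runs past the buffer")
    return tag, buf[pos:pos + n], pos + n

def children(content):
    """Split constructed content into a list of (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def parse_names(content):
    """SIREntityNames content -> list of (type OID octets, value octets)."""
    names = []
    for tag, body in children(content):
        parts = children(body)
        if tag != 0x30 or [t for t, _ in parts] != [0x06, 0x04]:
            raise ValueError("malformed SIREntityName")
        names.append((parts[0][1], parts[1][1]))
    return names

def parse_attr_value(der):
    """KeyPkgIdentifierAndReceiptReq -> (pkgID, receiptReq dict or None)."""
    tag, body, end = read_tlv(der)
    fields = children(body)
    if tag != 0x30 or end != len(der) or not fields or fields[0][0] != 0x04:
        raise ValueError("malformed KeyPkgIdentifierAndReceiptReq")
    if len(fields) == 1:
        return fields[0][1], None                # receiptReq absent
    if len(fields) != 2 or fields[1][0] != 0x30:
        raise ValueError("malformed KeyPkgReceiptReq")
    parts = children(fields[1][1])
    req = {"encryptReceipt": False, "receiptsFrom": None}
    if parts and parts[0][0] == 0x01:            # absent means DEFAULT FALSE
        if parts.pop(0)[1] != b"\xff":
            raise ValueError("DER encodes only TRUE here")
        req["encryptReceipt"] = True
    if parts and parts[0][0] == 0xA0:            # receiptsFrom [0], IMPLICIT assumed
        req["receiptsFrom"] = parse_names(parts.pop(0)[1])
    if len(parts) != 1 or parts[0][0] != 0x30:
        raise ValueError("receiptsTo is mandatory")
    req["receiptsTo"] = parse_names(parts[0][1])
    return fields[0][1], req

def should_send_receipt(req, my_names, known_types):
    """Apply the receiptsFrom rules; names compare as (type, octets) pairs."""
    if req is None:
        return False                             # no receipt was requested
    if req["receiptsFrom"] is None:
        return True                              # every receiver is asked
    return any(n in my_names for n in req["receiptsFrom"] if n[0] in known_types)

def build_receipt(pkg_id, received_by):
    """KeyPackageReceipt content; version v2 is the DEFAULT, so DER omits it."""
    return tlv(0x30, tlv(0x04, pkg_id) + received_by)

def demo():
    """Constructed exchange: receiver-1 handles three receipt requests."""
    me_dn, to, out = dn("receiver-1"), siren(ID_DN, dn("key-source")), []
    # Our own octets under 2.999.1, a name type this receiver does not recognize.
    lookalike = siren(bytes.fromhex("883701"), me_dn)
    for frm in (lookalike, lookalike + siren(ID_DN, me_dn), None):
        body = tlv(0x01, b"\xff") + (tlv(0xA0, frm) if frm else b"") + tlv(0x30, to)
        pkg_id, req = parse_attr_value(tlv(0x30, tlv(0x04, b"KP-0001") + tlv(0x30, body)))
        send = should_send_receipt(req, [(ID_DN, me_dn)], {ID_DN})
        out.append(build_receipt(pkg_id, siren(ID_DN, me_dn)) if send else None)
    return out
```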
The key package error content type provides an indication of the reason for rejection of a key package or collection of key packages. This content type MUST be encoded using the Distinguished Encoding Rules (DER) [X.690].
The key package error content type has the following syntax:
    ct-key-package-error CONTENT-TYPE ::= {
      TYPE KeyPackageError
      IDENTIFIED BY id-ct-KP-keyPackageError }

    id-ct-KP-keyPackageError OBJECT IDENTIFIER ::= {
      joint-iso-itu-t(2) country(16) us(840) organization(1)
      gov(101) dod(2) infosec(1) formats(2)
      key-package-content-types(78) 6 }

    KeyPackageError ::= SEQUENCE {
      version    KeyPkgVersion DEFAULT v2,
      errorOf    [0] KeyPkgIdentifier OPTIONAL,
      errorBy    SIREntityName,
      errorCode  ErrorCodeChoice }

    KeyPkgVersion ::= INTEGER { v1(1), v2(2) } (1 .. 65535)

    KeyPkgIdentifier ::= CHOICE {
      pkgID      KeyPkgID,
      attribute  SingleAttribute {{ KeyPkgIdentifiers }} }

    KeyPkgID ::= OCTET STRING

    KeyPkgIdentifiers ATTRIBUTE ::= { ... }

    ErrorCodeChoice ::= CHOICE {
      enum  EnumeratedErrorCode,
      oid   OBJECT IDENTIFIER }
    EnumeratedErrorCode ::= ENUMERATED {
      decodeFailure                    (1),
      badContentInfo                   (2),
      badSignedData                    (3),
      badEncapContent                  (4),
      badCertificate                   (5),
      badSignerInfo                    (6),
      badSignedAttrs                   (7),
      badUnsignedAttrs                 (8),
      missingContent                   (9),
      noTrustAnchor                   (10),
      notAuthorized                   (11),
      badDigestAlgorithm              (12),
      badSignatureAlgorithm           (13),
      unsupportedKeySize              (14),
      unsupportedParameters           (15),
      signatureFailure                (16),
      insufficientMemory              (17),
      incorrectTarget                 (23),
      missingSignature                (29),
      resourcesBusy                   (30),
      versionNumberMismatch           (31),
      revokedCertificate              (33),

      -- Error codes with values <= 33 are aligned with [RFC5934]

      ambiguousDecrypt                (60),
      noDecryptKey                    (61),
      badEncryptedData                (62),
      badEnvelopedData                (63),
      badAuthenticatedData            (64),
      badAuthEnvelopedData            (65),
      badKeyAgreeRecipientInfo        (66),
      badKEKRecipientInfo             (67),
      badEncryptContent               (68),
      badEncryptAlgorithm             (69),
      missingCiphertext               (70),
      decryptFailure                  (71),
      badMACAlgorithm                 (72),
      badAuthAttrs                    (73),
      badUnauthAttrs                  (74),
      invalidMAC                      (75),
      mismatchedDigestAlg             (76),
      missingCertificate              (77),
      tooManySigners                  (78),
      missingSignedAttributes         (79),
      derEncodingNotUsed              (80),
      missingContentHints             (81),
      invalidAttributeLocation        (82),
      badMessageDigest                (83),
      badKeyPackage                   (84),
      badAttributes                   (85),
      attributeComparisonFailure      (86),
      unsupportedSymmetricKeyPackage  (87),
      unsupportedAsymmetricKeyPackage (88),
      constraintViolation             (89),
      ambiguousDefaultValue           (90),
      noMatchingRecipientInfo         (91),
      unsupportedKeyWrapAlgorithm     (92),
      badKeyTransRecipientInfo        (93),
      other                          (127),
      ... -- Expect additional error codes --
    }
The KeyPackageError fields are used as follows:
o version identifies the version of the key package error content structure. For this version of the specification, the default value, v2, MUST be used. Note that v1 was defined in an earlier version, but the use of v1 is deprecated.
o errorOf is OPTIONAL, and it provides the identifier of the keying material for which this error is being generated. This is omitted if the receiver or intermediary cannot parse the received data to determine the package identifier. Also, encryption may prevent an intermediary from obtaining any of the identifiers. Two alternatives for identifying the keying material are possible; see KeyPkgIdentifier as described in Section 4. The value MUST exactly match the value of the key-package-identifier-and-receipt-request attribute in the received key package or collection. The key-package-identifier-and-receipt-request attribute is described in Section 3.
o errorBy identifies the entity that received the key package. The entity is named by an SIR entity name as specified in Section 2.
o errorCode contains a code that indicates the reason for the error. It contains either an enumerated error code from the list below or an extended error code represented by an object identifier. The enumerated error code alternative MUST be supported. The object identifier error code MAY be supported.
* decodeFailure is used to indicate that the key package intermediary or receiver was unable to successfully decode the provided package. The specified content type and the provided content do not match.
* badContentInfo is used to indicate that the ContentInfo syntax is invalid or that the contentType carried within the ContentInfo is unknown or unsupported.
* badSignedData is used to indicate that the SignedData syntax is invalid, the version is unknown or unsupported, or more than one entry is present in digestAlgorithms.
* badEncapContent is used to indicate that the EncapsulatedContentInfo syntax is invalid within a SignedData or an AuthenticatedData or the EncryptedContentInfo syntax is invalid within an AuthEnvelopedData.
* badCertificate is used to indicate that the syntax for one or more certificates in CertificateSet or elsewhere is invalid or unsupported.
* badSignerInfo is used to indicate that the SignerInfo syntax is invalid or the version is unknown or unsupported.
* badSignedAttrs is used to indicate that the signedAttrs syntax within SignerInfo is invalid.
* badUnsignedAttrs is used to indicate that the unsignedAttrs within SignerInfo contains one or more attributes. Since unrecognized attributes are ignored, this error code is used when the object identifier for the attribute is recognized, but the value is malformed or internally inconsistent. In addition, this error code can be used when policy prohibits an implementation from supporting unsigned attributes.
* missingContent is used to indicate that the optional eContent is missing in EncapsulatedContentInfo, which is required when including an asymmetric key package, a symmetric key package, and an encrypted key package. This error can be generated due to problems located in SignedData or AuthenticatedData. Note that CMS EncapsulatedContentInfo eContent field is optional [RFC5652]; however, [RFC5958], [RFC6031], and [RFC6032] require that the eContent be present.
* noTrustAnchor is used to indicate that the subjectKeyIdentifier does not identify the public key of a trust anchor or a certification path that terminates with an installed trust anchor.
* notAuthorized is used to indicate that the sid within SignerInfo leads to an installed trust anchor, but that trust anchor is not an authorized signer for the received content type.
* badDigestAlgorithm is used to indicate that the digestAlgorithm in either SignerInfo, SignedData, or AuthenticatedData is unknown or unsupported.
* badSignatureAlgorithm is used to indicate that the signatureAlgorithm in SignerInfo is unknown or unsupported.
* unsupportedKeySize is used to indicate that the signatureAlgorithm in SignerInfo is known and supported, but the digital signature could not be validated because an unsupported key size was employed by the signer. Alternatively, the algorithm used in EnvelopedData, AuthenticatedData, or AuthEnvelopedData to generate the key-encryption key is known and supported, but an unsupported key size was employed by the originator.
* unsupportedParameters is used to indicate that the signatureAlgorithm in SignerInfo is known, but the digital signature could not be validated because unsupported parameters were employed by the signer. Alternatively, the algorithm used in EnvelopedData, AuthenticatedData, or AuthEnvelopedData to generate the key-encryption key is known and supported, but unsupported parameters were employed by the originator.
* signatureFailure is used to indicate that the signatureAlgorithm in SignerInfo is known and supported, but the digital signature in the signature field within SignerInfo could not be validated.
* insufficientMemory indicates that the key package could not be processed because the intermediary or receiver did not have sufficient memory to store the keying material.
* incorrectTarget indicates that a receiver is not the intended recipient.
* missingSignature indicates that the receiver requires the key package to be signed or authenticated with a Message Authentication Code (MAC), but the received key package was not signed or authenticated.
* resourcesBusy indicates that the resources necessary to process the key package are not available at the present time, but the resources might be available at some point in the future.
* versionNumberMismatch indicates that the version number in a received key package is not acceptable.
* revokedCertificate indicates that one or more of the certificates needed to properly process the key package has been revoked.
* ambiguousDecrypt indicates that the EncryptedData content type was used, and the key package receiver could not determine the appropriate keying material to perform the decryption.
* noDecryptKey indicates that the receiver does not have the key named in the content-decryption-key-identifier attribute (see [RFC6032]).
* badEncryptedData indicates that the EncryptedData syntax is invalid or the version is unknown or unsupported.
* badEnvelopedData indicates that the EnvelopedData syntax is invalid or the version is unknown or unsupported.
* badAuthenticatedData indicates that the AuthenticatedData syntax is invalid or the version is unknown or unsupported.
* badAuthEnvelopedData indicates that the AuthEnvelopedData syntax is invalid or the version is unknown or unsupported.
* badKeyAgreeRecipientInfo indicates that the KeyAgreeRecipientInfo syntax is invalid or the version is unknown or unsupported.
* badKEKRecipientInfo indicates that the KEKRecipientInfo syntax is invalid or the version is unknown or unsupported.
* badEncryptContent indicates that the EncryptedContentInfo syntax is invalid, or that the content type carried within the contentType is unknown or unsupported.
* badEncryptAlgorithm indicates that the encryption algorithm identified by contentEncryptionAlgorithm in EncryptedContentInfo is unknown or unsupported. This can result from EncryptedData, EnvelopedData, or AuthEnvelopedData.
* missingCiphertext indicates that the optional encryptedContent is missing in EncryptedContentInfo, which is required when including an asymmetric key package, a symmetric key package, and an encrypted key package.
* decryptFailure indicates that the encryptedContent in EncryptedContentInfo did not decrypt properly.
* badMACAlgorithm indicates that the MAC algorithm identified by MessageAuthenticationCodeAlgorithm in AuthenticatedData is unknown or unsupported.
* badAuthAttrs is used to indicate that the authAttrs syntax within AuthenticatedData or AuthEnvelopedData is invalid. Since unrecognized attributes are ignored, this error code is used when the object identifier for the attribute is recognized, but the value is malformed or internally inconsistent.
* badUnauthAttrs is used to indicate that the unauthAttrs syntax within AuthenticatedData or AuthEnvelopedData is invalid. Since unrecognized attributes are ignored, this error code is used when the object identifier for the attribute is recognized, but the value is malformed or internally inconsistent.
* invalidMAC is used to indicate that the message authentication code value within AuthenticatedData or AuthEnvelopedData did not validate properly.
* mismatchedDigestAlg is used to indicate that the digest algorithm in digestAlgorithms field within SignedData does not match the digest algorithm used in the signature algorithm.
* missingCertificate indicates that a signature could not be verified using a trust anchor or a certificate from the certificates field within SignedData. Similarly, this error code can indicate that a needed certificate is missing when processing EnvelopedData, AuthEnvelopedData, or AuthenticatedData.
* tooManySigners indicates that a SignedData content contained more than one SignerInfo for a content type that requires only one signer.
* missingSignedAttributes indicates that a SignedInfo within a SignedData content did not contain any signed attributes; at a minimum, the content-type and message-digest must be present, as per [RFC5652]. Similarly, this error code can indicate that required authenticated attributes are missing when processing AuthEnvelopedData or AuthenticatedData.
* derEncodingNotUsed indicates that the content contained BER encoding, or some other encoding, where DER encoding was required.
* missingContentHints indicates that a SignedData content encapsulates a content other than a key package or an encrypted key package; however, the content-hints attribute [RFC2634] is not included. Similarly, this error code can indicate that the content-hints attribute was missing when processing AuthEnvelopedData or AuthenticatedData.
* invalidAttributeLocation indicates that an attribute appeared in an unacceptable location.
* badMessageDigest indicates that the value of the message-digest attribute [RFC5652] did not match the calculated value.
* badKeyPackage indicates that the SymmetricKeyPackage [RFC6031] or AsymmetricKeyPackage [RFC5958] syntax is invalid or that the version is unknown.
* badAttributes indicates that an attribute collection either contained multiple instances of the same attribute type that allows only one instance or contained an attribute instance with multiple values in an attribute that allows only one value.
* attributeComparisonFailure indicates that multiple instances of an attribute failed the comparison rules for the type of attribute.
* unsupportedSymmetricKeyPackage indicates that the implementation does not support symmetric key packages [RFC6031].
* unsupportedAsymmetricKeyPackage indicates that the implementation does not support asymmetric key packages [RFC5958].
* constraintViolation indicates that one or more of the attributes has a value that is not in the authorized set of values for the signer [RFC6010]. That is, the value is in conflict with the constraints imposed on the signer.
* ambiguousDefaultValue indicates that one or more of the attributes that is part of the signer's constraints is omitted from the key package, and the constraint permits more than one value; therefore, the appropriate default value for that attribute or attributes cannot be determined.
* noMatchingRecipientInfo indicates that a recipientInfo could not be found for the recipient. This can result from a ktri or kari found in EncryptedData, EnvelopedData, or AuthEnvelopedData.
* unsupportedKeyWrapAlgorithm indicates that the key wrap algorithm is not supported.
* badKeyTransRecipientInfo indicates that the KeyTransRecipientInfo syntax is invalid or the version is unknown or unsupported.
* other indicates that the key package could not be processed, but the reason is not covered by any of the assigned status codes. Use of this status code SHOULD be avoided.
The key package error content type MUST be signed if the entity generating it is capable of signing it. For example, a device will be incapable of signing when it is in early stages of deployment and it has not been configured with a private signing key or a device has an internal error that prevents use of its private signing key. When it is signed, the key package error MUST be encapsulated in a CMS SignedData content type to carry the signature of the party that is indicating an error. When it is encrypted, the key package error MUST be encapsulated in a CMS EnvelopedData content type, a CMS EncryptedData content type, or a CMS AuthEnvelopedData content type. When a key package error is signed and encrypted, it MUST be signed prior to being encrypted.
All devices that generate signed key package error reports MUST store their own certificate or have a means of obtaining the key identifier of their public key. If memory is a concern, the public key identifier can be computed from the public key.
If the error report signer has access to a real-time clock, then the binary-signing-time attribute [RFC6019] SHOULD be included in the key package error to provide the date and time when it was generated.
CMS protecting content types, [RFC5652] and [RFC5083], can be used to provide security to the KeyPackageReceipt and KeyPackageError content types:
o SignedData can be used to apply a digital signature.
o EncryptedData can be used to encrypt the content type with simple symmetric encryption, where the sender and the receiver already share the necessary encryption key.
o EnvelopedData can be used to encrypt the content type with symmetric encryption, where the sender and the receiver do not already share the necessary encryption key.
o AuthenticatedData can be used to integrity protect the content type with message authentication algorithms that support authenticated encryption, where key management information is handled in a manner similar to EnvelopedData.
o AuthEnvelopedData can be used to protect the content types with algorithms that support authenticated encryption, where key management information is handled in a manner similar to EnvelopedData.
The media type and parameters for carrying a key package receipt or a key package error content type are specified in [RFC7193].
IANA has updated the reference for the following registration in the "SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry:
63 id-mod-keyPkgReceiptAndErrV2 [RFC7191]
The key package receipt and key package error contents are not necessarily protected. These content types can be combined with a security protocol to protect the contents of the package.
The KeyPkgReceiptReq structure includes a receiptsFrom list and a receiptsTo list. Both lists contain SIREntityNames. The syntax does not specify a limit on the number of SIREntityNames that may be included in either of these lists. In addition, there is purposefully no requirement that the receiptsTo entries have any relation to the sender of the key package. To avoid these features being used as part of a denial-of-service amplification, receipts should only be returned for key packages with a valid signature from a trusted signer.
If an implementation is willing to accept key packages from more than one source, then there is a possibility that the same key package identifier could be used by more than one source. As a result, there is the potential for a receipt for one key package to be confused with the receipt for another, potentially leading to confusion about the keying material that is available to the recipient. In environments with multiple key sources, a convention for assignment of key package identifiers can avoid this potential confusion altogether.
In some situations, returning very detailed error information can provide an attacker with insight into the security processing. Where this is a concern, the implementation should return the most generic error code that is appropriate. However, detailed error codes are very helpful during development, debugging, and interoperability testing. For this reason, implementations may want to have a way to configure the use of a generic error code or a detailed one.
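The following Python sketch is an added example, not part of the RFC: it shows a receiver-side policy covering the three considerations above (receipts only for validly signed packages from trusted signers, records keyed per source so reused key package identifiers do not collide, and a switch between detailed and generic error codes). The class names, the generic-code mapping, and the sample names in the usage are assumptions; the numeric codes are those of EnumeratedErrorCode in this document.

```python
from dataclasses import dataclass
from enum import IntEnum


class Err(IntEnum):
    """Subset of EnumeratedErrorCode, values as assigned in this document."""
    decodeFailure = 1
    badSignedData = 3
    badCertificate = 5
    noTrustAnchor = 10
    signatureFailure = 16
    missingSignature = 29
    revokedCertificate = 33
    noDecryptKey = 61
    badEnvelopedData = 63
    decryptFailure = 71
    invalidMAC = 75
    badMessageDigest = 83
    badKeyPackage = 84


# Assumed local policy (not from the RFC): the generic code reported in
# place of each detailed one when detailed reporting is switched off.
GENERIC = {
    Err.badSignedData: Err.decodeFailure,
    Err.badEnvelopedData: Err.decodeFailure,
    Err.badKeyPackage: Err.decodeFailure,
    Err.badCertificate: Err.signatureFailure,
    Err.noTrustAnchor: Err.signatureFailure,
    Err.revokedCertificate: Err.signatureFailure,
    Err.badMessageDigest: Err.signatureFailure,
    Err.noDecryptKey: Err.decryptFailure,
    Err.invalidMAC: Err.decryptFailure,
}


@dataclass(frozen=True)
class VerifiedPackage:
    """Outcome of CMS processing that the caller hands to the policy."""
    signer: str         # name of the signer whose signature validated
    pkg_id: bytes       # KeyPkgID from the receipt-request attribute
    receipts_to: tuple  # receiptsTo entries; empty if no receipt requested


class ReceiverPolicy:
    def __init__(self, trusted_signers, detailed_errors=False):
        self.trusted = frozenset(trusted_signers)
        self.detailed_errors = detailed_errors
        self.accepted = {}  # (signer, pkg_id) -> receiptsTo entries

    def error_code(self, detailed: Err) -> Err:
        """Code to place in KeyPackageError.errorCode under this setting."""
        if self.detailed_errors:
            return detailed
        return GENERIC.get(detailed, detailed)

    def receipts_for(self, pkg):
        """Return the receiptsTo entries that are sent a receipt.

        pkg is None when the key package was unsigned or its signature did
        not validate. Such packages never trigger receipts, so an arbitrary
        receiptsTo list cannot be used to fan traffic out to third parties.
        """
        if pkg is None or pkg.signer not in self.trusted:
            return []
        # Key the record on (signer, pkg_id): two sources that reuse the
        # same identifier stay distinct on the receiver side.
        self.accepted[(pkg.signer, pkg.pkg_id)] = pkg.receipts_to
        return list(pkg.receipts_to)
```

Codes without an entry in the mapping, such as missingSignature, are reported unchanged in both modes.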
Many thanks to Radia Perlman, Sean Turner, Jim Schaad, and Carl Wallace for their insightful review. Thanks to Robert Sparks for improved wording.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2634] Hoffman, P., Ed., "Enhanced Security Services for S/MIME", RFC 2634, June 1999.
[RFC4073] Housley, R., "Protecting Multiple Contents with the Cryptographic Message Syntax (CMS)", RFC 4073, May 2005.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, September 2009.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, June 2010.
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, August 2010.
[RFC6010] Housley, R., Ashmore, S., and C. Wallace, "Cryptographic Message Syntax (CMS) Content Constraints Extension", RFC 6010, September 2010.
[RFC6019] Housley, R., "BinaryTime: An Alternate Format for Representing Date and Time in ASN.1", RFC 6019, September 2010.
[RFC6031] Turner, S. and R. Housley, "Cryptographic Message Syntax (CMS) Symmetric Key Package Content Type", RFC 6031, December 2010.
[RFC6032] Turner, S. and R. Housley, "Cryptographic Message Syntax (CMS) Encrypted Key Package Content Type", RFC 6032, December 2010.
[RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)", RFC 6268, July 2011.
[RFC7193] Turner, S., Housley, R., and J. Schaad, "The application/cms Media Type", RFC 7193, April 2014.
[X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002. Information Technology - Abstract Syntax Notation One.
[X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002. Information Technology - Abstract Syntax Notation One: Information Object Specification.
[X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002. Information Technology - Abstract Syntax Notation One: Constraint Specification.
[X.683] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002. Information Technology - Abstract Syntax Notation One: Parameterization of ASN.1 Specifications.
[X.690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002. Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER).
[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type", RFC 5083, November 2007.
[RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor Management Protocol (TAMP)", RFC 5934, August 2010.
This annex provides the normative ASN.1 definitions for the structures described in this specification using ASN.1 as defined in [X.680], [X.681], [X.682], and [X.683].
KeyPackageReceiptAndErrorModuleV2
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
    smime(16) modules(0) id-mod-keyPkgReceiptAndErrV2(63) }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- EXPORTS ALL

IMPORTS

-- FROM New SMIME ASN.1 [RFC6268]

CONTENT-TYPE
  FROM CryptographicMessageSyntax-2010
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
      pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

-- From New PKIX ASN.1 [RFC5912]

ATTRIBUTE, SingleAttribute {}
  FROM PKIX-CommonTypes-2009
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkixCommon-02(57) }

DistinguishedName
  FROM PKIX1Explicit-2009
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-explicit-02(51)} ;

---
--- Key Package Version Number (revised from [RFC6031])
---

KeyPkgVersion ::= INTEGER { v1(1), v2(2) } (1 .. 65535)

--
-- SIR Entity Name
--

SIREntityNames ::= SEQUENCE SIZE (1..MAX) OF SIREntityName

SIREntityNameTypes SIR-ENTITY-NAME ::= {
  siren-dn,
  ... -- Expect additional SIR Entity Name types -- }

SIR-ENTITY-NAME ::= CLASS {
  &sIRENType OBJECT IDENTIFIER UNIQUE,
  &SIRENValue
  } WITH SYNTAX {
  SYNTAX &SIRENValue IDENTIFIED BY &sIRENType }

SIREntityName ::= SEQUENCE {
  sirenType   SIR-ENTITY-NAME.&sIRENType({SIREntityNameTypes}),
  sirenValue  OCTET STRING (CONTAINING
                SIR-ENTITY-NAME.&SIRENValue(
                  {SIREntityNameTypes}{@sirenType}) ) }

siren-dn SIR-ENTITY-NAME ::= {
  SYNTAX DistinguishedName
  IDENTIFIED BY id-dn }

id-dn OBJECT IDENTIFIER ::= {
  joint-iso-ccitt(2) country(16) us(840) organization(1)
  gov(101) dod(2) infosec(1) sir-name-types(16) 0 }

--
-- Attribute Definitions
--

aa-keyPackageIdentifierAndReceiptRequest ATTRIBUTE ::= {
  TYPE KeyPkgIdentifierAndReceiptReq
  IDENTIFIED BY id-aa-KP-keyPkgIdAndReceiptReq }

id-aa-KP-keyPkgIdAndReceiptReq OBJECT IDENTIFIER ::= {
  joint-iso-itu-t(2) country(16) us(840) organization(1)
  gov(101) dod(2) infosec(1) attributes(5) 65 }

KeyPkgIdentifierAndReceiptReq ::= SEQUENCE {
  pkgID       KeyPkgID,
  receiptReq  KeyPkgReceiptReq OPTIONAL }

KeyPkgID ::= OCTET STRING

KeyPkgReceiptReq ::= SEQUENCE {
  encryptReceipt  BOOLEAN DEFAULT FALSE,
  receiptsFrom    [0] SIREntityNames OPTIONAL,
  receiptsTo      SIREntityNames }

--
-- Content Type Definitions
--

KeyPackageContentTypes CONTENT-TYPE ::= {
  ct-key-package-receipt |
  ct-key-package-error,
  ... -- Expect additional content types -- }

-- Key Package Receipt CMS Content Type

ct-key-package-receipt CONTENT-TYPE ::= {
  TYPE KeyPackageReceipt
  IDENTIFIED BY id-ct-KP-keyPackageReceipt }

id-ct-KP-keyPackageReceipt OBJECT IDENTIFIER ::= {
  joint-iso-itu-t(2) country(16) us(840) organization(1)
  gov(101) dod(2) infosec(1) formats(2)
  key-package-content-types(78) 3 }

KeyPackageReceipt ::= SEQUENCE {
  version     KeyPkgVersion DEFAULT v2,
  receiptOf   KeyPkgIdentifier,
  receivedBy  SIREntityName }

KeyPkgIdentifier ::= CHOICE {
  pkgID      KeyPkgID,
  attribute  SingleAttribute {{ KeyPkgIdentifiers }} }

KeyPkgIdentifiers ATTRIBUTE ::= { ... }

-- Key Package Receipt CMS Content Type

ct-key-package-error CONTENT-TYPE ::= {
  TYPE KeyPackageError
  IDENTIFIED BY id-ct-KP-keyPackageError }

id-ct-KP-keyPackageError OBJECT IDENTIFIER ::= {
  joint-iso-itu-t(2) country(16) us(840) organization(1)
  gov(101) dod(2) infosec(1) formats(2)
  key-package-content-types(78) 6 }

KeyPackageError ::= SEQUENCE {
  version    KeyPkgVersion DEFAULT v2,
  errorOf    [0] KeyPkgIdentifier OPTIONAL,
  errorBy    SIREntityName,
  errorCode  ErrorCodeChoice }

ErrorCodeChoice ::= CHOICE {
  enum  EnumeratedErrorCode,
  oid   OBJECT IDENTIFIER }

EnumeratedErrorCode ::= ENUMERATED {
  decodeFailure                    (1),
  badContentInfo                   (2),
  badSignedData                    (3),
  badEncapContent                  (4),
  badCertificate                   (5),
  badSignerInfo                    (6),
  badSignedAttrs                   (7),
  badUnsignedAttrs                 (8),
  missingContent                   (9),
  noTrustAnchor                   (10),
  notAuthorized                   (11),
  badDigestAlgorithm              (12),
  badSignatureAlgorithm           (13),
  unsupportedKeySize              (14),
  unsupportedParameters           (15),
  signatureFailure                (16),
  insufficientMemory              (17),
  incorrectTarget                 (23),
  missingSignature                (29),
  resourcesBusy                   (30),
  versionNumberMismatch           (31),
  revokedCertificate              (33),

  -- Error codes with values <= 33 are aligned with [RFC5934]

  ambiguousDecrypt                (60),
  noDecryptKey                    (61),
  badEncryptedData                (62),
  badEnvelopedData                (63),
  badAuthenticatedData            (64),
  badAuthEnvelopedData            (65),
  badKeyAgreeRecipientInfo        (66),
  badKEKRecipientInfo             (67),
  badEncryptContent               (68),
  badEncryptAlgorithm             (69),
  missingCiphertext               (70),
  decryptFailure                  (71),
  badMACAlgorithm                 (72),
  badAuthAttrs                    (73),
  badUnauthAttrs                  (74),
  invalidMAC                      (75),
  mismatchedDigestAlg             (76),
  missingCertificate              (77),
  tooManySigners                  (78),
  missingSignedAttributes         (79),
  derEncodingNotUsed              (80),
  missingContentHints             (81),
  invalidAttributeLocation        (82),
  badMessageDigest                (83),
  badKeyPackage                   (84),
  badAttributes                   (85),
  attributeComparisonFailure      (86),
  unsupportedSymmetricKeyPackage  (87),
  unsupportedAsymmetricKeyPackage (88),
  constraintViolation             (89),
  ambiguousDefaultValue           (90),
  noMatchingRecipientInfo         (91),
  unsupportedKeyWrapAlgorithm     (92),
  badKeyTransRecipientInfo        (93),
  other                          (127),
  ... -- Expect additional error codes -- }

END
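As an added illustration that is not part of the RFC, the Python below hand-encodes and decodes a KeyPackageError in DER to show three consequences of the module above: a version equal to the DEFAULT v2 is omitted, the [0] on errorOf is explicit because KeyPkgIdentifier is a CHOICE (even under IMPLICIT TAGS), and BER-style lengths are rejected, which is the condition derEncodingNotUsed reports. The function names and the sample DistinguishedName are constructed; only the pkgID alternative of errorOf and the siren-dn name type are handled.

```python
from typing import Optional

ID_DN = bytes.fromhex("608648016502011000")  # id-dn: 2.16.840.1.101.2.1.16.0


def tlv(tag: int, value: bytes) -> bytes:
    """DER tag-length-value with definite, minimal length octets."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def uint(v: int) -> bytes:
    """Minimal content octets for a non-negative INTEGER or ENUMERATED."""
    return v.to_bytes(v.bit_length() // 8 + 1, "big")


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos); reject truncated or non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        k = first & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + k], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length: DER not used")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def encode_error(error_by_dn: bytes, code: int,
                 pkg_id: Optional[bytes] = None, version: int = 2) -> bytes:
    body = b""
    if version != 2:                          # DEFAULT v2 is omitted in DER
        body += tlv(0x02, uint(version))
    if pkg_id is not None:                    # [0] around a CHOICE is explicit
        body += tlv(0xA0, tlv(0x04, pkg_id))
    body += tlv(0x30, tlv(0x06, ID_DN) + tlv(0x04, error_by_dn))  # errorBy
    body += tlv(0x0A, uint(code))             # errorCode, enum alternative
    return tlv(0x30, body)


def decode_error(der: bytes) -> dict:
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    out = {"version": 2, "pkg_id": None}
    tag, val, pos = read_tlv(body)
    if tag == 0x02:
        out["version"] = int.from_bytes(val, "big")
        if out["version"] == 2:
            raise ValueError("DEFAULT value encoded: DER not used")
        tag, val, pos = read_tlv(body, pos)
    if tag == 0xA0:
        inner_tag, inner, inner_end = read_tlv(val)
        if inner_tag != 0x04 or inner_end != len(val):
            raise ValueError("only the pkgID alternative is handled")
        out["pkg_id"] = inner
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("errorBy missing")
    t1, oid, p = read_tlv(val)
    t2, name, p = read_tlv(val, p)
    if (t1, oid, t2) != (0x06, ID_DN, 0x04) or p != len(val):
        raise ValueError("errorBy is not a siren-dn SIREntityName")
    out["error_by_dn"] = name
    tag, val, pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing data after errorCode")
    if tag == 0x0A:
        out["code"] = int.from_bytes(val, "big")
    elif tag == 0x06:
        out["code_oid"] = val
    else:
        raise ValueError("errorCode is neither enum nor oid")
    return out


# Constructed sample DistinguishedName: a single RDN, CN=device-1.
SAMPLE_DN = tlv(0x30, tlv(0x31, tlv(0x30,
                tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"device-1"))))
```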
Author's Address
Russ Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA
EMail: housley@vigilsec.com