|
Class Summary |
| CAKeyUpdAnnContent |
CAKeyUpdAnnContent ::= SEQUENCE {
oldWithNew CMPCertificate, -- old pub signed with new priv
newWithOld CMPCertificate, -- new pub signed with old priv
newWithNew CMPCertificate -- new pub signed with new priv
} |
| CertAnnContent |
CertAnnContent ::= CMPCertificate |
| CertConfirmContent |
CertConfirmContent ::= SEQUENCE OF CertStatus |
| CertifiedKeyPair |
CertifiedKeyPair ::= SEQUENCE {
certOrEncCert CertOrEncCert,
privateKey [0] EncryptedKey OPTIONAL,
-- see [CRMF] for comment on encoding
publicationInfo [1] PKIPublicationInfo OPTIONAL
}
|
| CertOrEncCert |
CertOrEncCert ::= CHOICE {
certificate [0] CMPCertificate,
encryptedCert [1] EncryptedKey
} |
| CertRepMessage |
CertRepMessage ::= SEQUENCE {
caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
OPTIONAL,
response SEQUENCE OF CertResponse
} |
| CertReqTemplateContent |
GenMsg: {id-it 19}, < absent >
GenRep: {id-it 19}, CertReqTemplateContent | < absent >
|
| CertResponse |
CertResponse ::= SEQUENCE {
certReqId INTEGER,
status PKIStatusInfo,
certifiedKeyPair CertifiedKeyPair OPTIONAL,
rspInfo OCTET STRING OPTIONAL
-- analogous to the id-regInfo-utf8Pairs string defined
-- for regInfo in CertReqMsg [CRMF]
} |
| CertStatus |
CertStatus ::= SEQUENCE {
certHash OCTET STRING,
certReqId INTEGER,
statusInfo PKIStatusInfo OPTIONAL,
hashAlg [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {[]}}
OPTIONAL
} |
| Challenge |
Challenge ::= SEQUENCE {
owf AlgorithmIdentifier OPTIONAL,
-- MUST be present in the first Challenge; MAY be omitted in
-- any subsequent Challenge in POPODecKeyChallContent (if
-- omitted, then the owf used in the immediately preceding
-- Challenge is to be used). |
| Challenge.Rand |
Rand is the inner type |
| CMPCertificate |
|
| CRLAnnContent |
CRLAnnContent ::= SEQUENCE OF CertificateList |
| CRLSource |
GenMsg: {id-it TBD1}, SEQUENCE SIZE (1..MAX) OF CRLStatus
GenRep: {id-it TBD2}, SEQUENCE SIZE (1..MAX) OF
CertificateList | < absent >
|
| CRLStatus |
CRLStatus ::= SEQUENCE {
source CRLSource,
thisUpdate Time OPTIONAL } |
| DHBMParameter |
DHBMParameter ::= SEQUENCE {
owf AlgorithmIdentifier,
-- AlgId for a One-Way Function (SHA-1 recommended)
mac AlgorithmIdentifier
-- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
} -- or HMAC [RFC2104, RFC2202]) |
| ErrorMsgContent |
ErrorMsgContent ::= SEQUENCE {
pKIStatusInfo PKIStatusInfo,
errorCode INTEGER OPTIONAL,
-- implementation-specific error codes
errorDetails PKIFreeText OPTIONAL
-- implementation-specific error details
}
|
| GenMsgContent |
GenMsgContent ::= SEQUENCE OF InfoTypeAndValue |
| GenRepContent |
|
| InfoTypeAndValue |
Example InfoTypeAndValue contents include, but are not limited
to, the following (un-comment in this ASN.1 module and use as
appropriate for a given environment):
id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1}
CAProtEncCertValue ::= CMPCertificate
id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2}
SignKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3}
EncKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4}
PreferredSymmAlgValue ::= AlgorithmIdentifier
id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5}
CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent
id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6}
CurrentCRLValue ::= CertificateList
id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER
id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10}
KeyPairParamReqValue ::= OBJECT IDENTIFIER
id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11}
KeyPairParamRepValue ::= AlgorithmIdentifer
id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12}
RevPassphraseValue ::= EncryptedValue
id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13}
ImplicitConfirmValue ::= NULL
id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14}
ConfirmWaitTimeValue ::= GeneralizedTime
id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
OrigPKIMessageValue ::= PKIMessages
id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16}
SuppLangTagsValue ::= SEQUENCE OF UTF8String
where
id-pkix OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
and
id-it OBJECT IDENTIFIER ::= {id-pkix 4}
|
| KemBMParameter |
KemBMParameter ::= SEQUENCE {
kdf AlgorithmIdentifier{KEY-DERIVATION, {[]}},
len INTEGER (1..MAX),
mac AlgorithmIdentifier{MAC-ALGORITHM, {[]}}
}
|
| KemCiphertextInfo |
KemCiphertextInfo ::= SEQUENCE {
kem AlgorithmIdentifier{KEM-ALGORITHM, {[]}},
ct OCTET STRING
}
|
| KemOtherInfo |
|
| KeyRecRepContent |
KeyRecRepContent ::= SEQUENCE {
status PKIStatusInfo,
newSigCert [0] CMPCertificate OPTIONAL,
caCerts [1] SEQUENCE SIZE (1..MAX) OF
CMPCertificate OPTIONAL,
keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
CertifiedKeyPair OPTIONAL
} |
| NestedMessageContent |
NestedMessageContent ::= PKIMessages |
| OOBCert |
OOBCert ::= CMPCertificate |
| OOBCertHash |
OOBCertHash ::= SEQUENCE {
hashAlg [0] AlgorithmIdentifier OPTIONAL,
certId [1] CertId OPTIONAL,
hashVal BIT STRING
-- hashVal is calculated over the DER encoding of the
-- self-signed certificate with the identifier certID. |
| PBMParameter |
PBMParameter ::= SEQUENCE {
salt OCTET STRING,
-- note: implementations MAY wish to limit acceptable sizes
-- of this string to values appropriate for their environment
-- in order to reduce the risk of denial-of-service attacks
owf AlgorithmIdentifier,
-- AlgId for a One-Way Function (SHA-1 recommended)
iterationCount INTEGER,
-- number of times the OWF is applied
-- note: implementations MAY wish to limit acceptable sizes
-- of this integer to values appropriate for their environment
-- in order to reduce the risk of denial-of-service attacks
mac AlgorithmIdentifier
-- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
} -- or HMAC [RFC2104, RFC2202]) |
| PKIBody |
PKIBody ::= CHOICE { -- message-specific body elements
ir [0] CertReqMessages, --Initialization Request
ip [1] CertRepMessage, --Initialization Response
cr [2] CertReqMessages, --Certification Request
cp [3] CertRepMessage, --Certification Response
p10cr [4] CertificationRequest, --imported from [PKCS10]
popdecc [5] POPODecKeyChallContent, --pop Challenge
popdecr [6] POPODecKeyRespContent, --pop Response
kur [7] CertReqMessages, --Key Update Request
kup [8] CertRepMessage, --Key Update Response
krr [9] CertReqMessages, --Key Recovery Request
krp [10] KeyRecRepContent, --Key Recovery Response
rr [11] RevReqContent, --Revocation Request
rp [12] RevRepContent, --Revocation Response
ccr [13] CertReqMessages, --Cross-Cert. |
| PKIConfirmContent |
PKIConfirmContent ::= NULL |
| PKIFailureInfo |
PKIFailureInfo ::= BIT STRING {
badAlg (0),
-- unrecognized or unsupported Algorithm Identifier
badMessageCheck (1), -- integrity check failed (e.g., signature did not verify)
badRequest (2),
-- transaction not permitted or supported
badTime (3), -- messageTime was not sufficiently close to the system time, as defined by local policy
badCertId (4), -- no certificate could be found matching the provided criteria
badDataFormat (5),
-- the data submitted has the wrong format
wrongAuthority (6), -- the authority indicated in the request is different from the one creating the response token
incorrectData (7), -- the requester's data is incorrect (for notary services)
missingTimeStamp (8), -- when the timestamp is missing but should be there (by policy)
badPOP (9) -- the proof-of-possession failed
certRevoked (10),
certConfirmed (11),
wrongIntegrity (12),
badRecipientNonce (13),
timeNotAvailable (14),
-- the TSA's time source is not available
unacceptedPolicy (15),
-- the requested TSA policy is not supported by the TSA
unacceptedExtension (16),
-- the requested extension is not supported by the TSA
addInfoNotAvailable (17)
-- the additional information requested could not be understood
-- or is not available
badSenderNonce (18),
badCertTemplate (19),
signerNotTrusted (20),
transactionIdInUse (21),
unsupportedVersion (22),
notAuthorized (23),
systemUnavail (24),
systemFailure (25),
-- the request cannot be handled due to system failure
duplicateCertReq (26)
|
| PKIFreeText |
PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
-- text encoded as UTF-8 String [RFC3629] (note: each
-- UTF8String MAY include an [RFC3066] language tag
-- to indicate the language of the contained text
-- see [RFC2482] for details) |
| PKIHeader |
PKIHeader ::= SEQUENCE {
pvno INTEGER { cmp1999(1), cmp2000(2) },
sender GeneralName,
-- identifies the sender
recipient GeneralName,
-- identifies the intended recipient
messageTime [0] GeneralizedTime OPTIONAL,
-- time of production of this message (used when sender
-- believes that the transport will be "suitable"; i.e.,
-- that the time will still be meaningful upon receipt)
protectionAlg [1] AlgorithmIdentifier OPTIONAL,
-- algorithm used for calculation of protection bits
senderKID [2] KeyIdentifier OPTIONAL,
recipKID [3] KeyIdentifier OPTIONAL,
-- to identify specific keys used for protection
transactionID [4] OCTET STRING OPTIONAL,
-- identifies the transaction; i.e., this will be the same in
-- corresponding request, response, certConf, and PKIConf
-- messages
senderNonce [5] OCTET STRING OPTIONAL,
recipNonce [6] OCTET STRING OPTIONAL,
-- nonces used to provide replay protection, senderNonce
-- is inserted by the creator of this message; recipNonce
-- is a nonce previously inserted in a related message by
-- the intended recipient of this message
freeText [7] PKIFreeText OPTIONAL,
-- this may be used to indicate context-specific instructions
-- (this field is intended for human consumption)
generalInfo [8] SEQUENCE SIZE (1..MAX) OF
InfoTypeAndValue OPTIONAL
-- this may be used to convey context-specific information
-- (this field not primarily intended for human consumption)
} |
| PKIHeaderBuilder |
|
| PKIMessage |
PKIMessage ::= SEQUENCE {
header PKIHeader,
body PKIBody,
protection [0] PKIProtection OPTIONAL,
extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
OPTIONAL
} |
| PKIMessages |
PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage |
| PKIStatus |
PKIStatus ::= INTEGER {
accepted (0),
-- you got exactly what you asked for
grantedWithMods (1),
-- you got something like what you asked for; the
-- requester is responsible for ascertaining the differences
rejection (2),
-- you don't get it, more information elsewhere in the message
waiting (3),
-- the request body part has not yet been processed; expect to
-- hear more later (note: proper handling of this status
-- response MAY use the polling req/rep PKIMessages specified
-- in Section 5.3.22; alternatively, polling in the underlying
-- transport layer MAY have some utility in this regard)
revocationWarning (4),
-- this message contains a warning that a revocation is
-- imminent
revocationNotification (5),
-- notification that a revocation has occurred
keyUpdateWarning (6)
-- update already done for the oldCertId specified in
-- CertReqMsg
} |
| PKIStatusInfo |
PKIStatusInfo ::= SEQUENCE {
status PKIStatus,
statusString PKIFreeText OPTIONAL,
failInfo PKIFailureInfo OPTIONAL
} |
| PollRepContent |
PollRepContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER,
checkAfter INTEGER, -- time in seconds
reason PKIFreeText OPTIONAL } |
| PollReqContent |
PollReqContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER } |
| POPODecKeyChallContent |
POPODecKeyChallContent ::= SEQUENCE OF Challenge
-- One Challenge per encryption key certification request (in the
-- same order as these requests appear in CertReqMessages). |
| POPODecKeyRespContent |
|
| ProtectedPart |
ProtectedPart ::= SEQUENCE {
header PKIHeader,
body PKIBody
}
|
| RevAnnContent |
RevAnnContent ::= SEQUENCE {
status PKIStatus,
certId CertId,
willBeRevokedAt GeneralizedTime,
badSinceDate GeneralizedTime,
crlDetails Extensions OPTIONAL
-- extra CRL details (e.g., crl number, reason, location, etc.)
}
|
| RevDetails |
RevDetails ::= SEQUENCE {
certDetails CertTemplate,
-- allows requester to specify as much as they can about
-- the cert. |
| RevRepContent |
RevRepContent ::= SEQUENCE {
status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
-- in same order as was sent in RevReqContent
revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
OPTIONAL,
-- IDs for which revocation was requested
-- (same order as status)
crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
-- the resulting CRLs (there may be more than one)
}
|
| RevRepContentBuilder |
|
| RevReqContent |
RevReqContent ::= SEQUENCE OF RevDetails
|
| RootCaKeyUpdateContent |
GenMsg: {id-it 20}, RootCaCertValue | < absent >
GenRep: {id-it 18}, RootCaKeyUpdateContent | < absent >
|
Support classes useful for encoding and supporting PKIX-CMP as described RFC 4210.