org.bouncycastle.asn1.cmp (Bouncy Castle Library 1.79 API Specification)

CAKeyUpdAnnContent

CAKeyUpdAnnContent ::= SEQUENCE { oldWithNew CMPCertificate, -- old pub signed with new priv newWithOld CMPCertificate, -- new pub signed with old priv newWithNew CMPCertificate -- new pub signed with new priv }

CertAnnContent

CertAnnContent ::= CMPCertificate

CertConfirmContent

CertConfirmContent ::= SEQUENCE OF CertStatus

CertifiedKeyPair

CertifiedKeyPair ::= SEQUENCE { certOrEncCert CertOrEncCert, privateKey [0] EncryptedKey OPTIONAL, -- see [CRMF] for comment on encoding publicationInfo [1] PKIPublicationInfo OPTIONAL }

CertOrEncCert

CertOrEncCert ::= CHOICE { certificate [0] CMPCertificate, encryptedCert [1] EncryptedKey }

CertRepMessage

CertRepMessage ::= SEQUENCE { caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate OPTIONAL, response SEQUENCE OF CertResponse }

CertReqTemplateContent

GenMsg: {id-it 19}, < absent > GenRep: {id-it 19}, CertReqTemplateContent | < absent > CertReqTemplateValue ::= CertReqTemplateContent CertReqTemplateContent ::= SEQUENCE { certTemplate CertTemplate, keySpec Controls OPTIONAL } Controls ::= SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue

CertResponse

CertResponse ::= SEQUENCE { certReqId INTEGER, status PKIStatusInfo, certifiedKeyPair CertifiedKeyPair OPTIONAL, rspInfo OCTET STRING OPTIONAL -- analogous to the id-regInfo-utf8Pairs string defined -- for regInfo in CertReqMsg [CRMF] }

CertStatus

CertStatus ::= SEQUENCE { certHash OCTET STRING, certReqId INTEGER, statusInfo PKIStatusInfo OPTIONAL, hashAlg [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {[]}} OPTIONAL }

Challenge

Challenge ::= SEQUENCE { owf AlgorithmIdentifier OPTIONAL, -- MUST be present in the first Challenge; MAY be omitted in -- any subsequent Challenge in POPODecKeyChallContent (if -- omitted, then the owf used in the immediately preceding -- Challenge is to be used).

Challenge.Rand

Rand is the inner type

CMPCertificate

CRLAnnContent

CRLAnnContent ::= SEQUENCE OF CertificateList

CRLSource

GenMsg: {id-it TBD1}, SEQUENCE SIZE (1..MAX) OF CRLStatus GenRep: {id-it TBD2}, SEQUENCE SIZE (1..MAX) OF CertificateList | < absent > CRLSource ::= CHOICE { dpn [0] DistributionPointName, issuer [1] GeneralNames }

CRLStatus

CRLStatus ::= SEQUENCE { source CRLSource, thisUpdate Time OPTIONAL }

DHBMParameter

DHBMParameter ::= SEQUENCE { owf AlgorithmIdentifier, -- AlgId for a One-Way Function (SHA-1 recommended) mac AlgorithmIdentifier -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], } -- or HMAC [RFC2104, RFC2202])

ErrorMsgContent

ErrorMsgContent ::= SEQUENCE { pKIStatusInfo PKIStatusInfo, errorCode INTEGER OPTIONAL, -- implementation-specific error codes errorDetails PKIFreeText OPTIONAL -- implementation-specific error details }

GenMsgContent

GenMsgContent ::= SEQUENCE OF InfoTypeAndValue

GenRepContent

InfoTypeAndValue

Example InfoTypeAndValue contents include, but are not limited to, the following (un-comment in this ASN.1 module and use as appropriate for a given environment): id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1} CAProtEncCertValue ::= CMPCertificate id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2} SignKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3} EncKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4} PreferredSymmAlgValue ::= AlgorithmIdentifier id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5} CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6} CurrentCRLValue ::= CertificateList id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7} UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10} KeyPairParamReqValue ::= OBJECT IDENTIFIER id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11} KeyPairParamRepValue ::= AlgorithmIdentifer id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12} RevPassphraseValue ::= EncryptedValue id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13} ImplicitConfirmValue ::= NULL id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14} ConfirmWaitTimeValue ::= GeneralizedTime id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15} OrigPKIMessageValue ::= PKIMessages id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16} SuppLangTagsValue ::= SEQUENCE OF UTF8String where id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7)} and id-it OBJECT IDENTIFIER ::= {id-pkix 4}

KemBMParameter

KemBMParameter ::= SEQUENCE { kdf AlgorithmIdentifier{KEY-DERIVATION, {[]}}, len INTEGER (1..MAX), mac AlgorithmIdentifier{MAC-ALGORITHM, {[]}} }

KemCiphertextInfo

KemCiphertextInfo ::= SEQUENCE { kem AlgorithmIdentifier{KEM-ALGORITHM, {[]}}, ct OCTET STRING }

KemOtherInfo

KeyRecRepContent

KeyRecRepContent ::= SEQUENCE { status PKIStatusInfo, newSigCert [0] CMPCertificate OPTIONAL, caCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate OPTIONAL, keyPairHist [2] SEQUENCE SIZE (1..MAX) OF CertifiedKeyPair OPTIONAL }

NestedMessageContent

NestedMessageContent ::= PKIMessages

OOBCert

OOBCert ::= CMPCertificate

OOBCertHash

OOBCertHash ::= SEQUENCE { hashAlg [0] AlgorithmIdentifier OPTIONAL, certId [1] CertId OPTIONAL, hashVal BIT STRING -- hashVal is calculated over the DER encoding of the -- self-signed certificate with the identifier certID. }

PBMParameter

PBMParameter ::= SEQUENCE { salt OCTET STRING, -- note: implementations MAY wish to limit acceptable sizes -- of this string to values appropriate for their environment -- in order to reduce the risk of denial-of-service attacks owf AlgorithmIdentifier, -- AlgId for a One-Way Function (SHA-1 recommended) iterationCount INTEGER, -- number of times the OWF is applied -- note: implementations MAY wish to limit acceptable sizes -- of this integer to values appropriate for their environment -- in order to reduce the risk of denial-of-service attacks mac AlgorithmIdentifier -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], } -- or HMAC [RFC2104, RFC2202])

PKIBody

PKIBody ::= CHOICE { -- message-specific body elements ir [0] CertReqMessages, --Initialization Request ip [1] CertRepMessage, --Initialization Response cr [2] CertReqMessages, --Certification Request cp [3] CertRepMessage, --Certification Response p10cr [4] CertificationRequest, --imported from [PKCS10] popdecc [5] POPODecKeyChallContent, --pop Challenge popdecr [6] POPODecKeyRespContent, --pop Response kur [7] CertReqMessages, --Key Update Request kup [8] CertRepMessage, --Key Update Response krr [9] CertReqMessages, --Key Recovery Request krp [10] KeyRecRepContent, --Key Recovery Response rr [11] RevReqContent, --Revocation Request rp [12] RevRepContent, --Revocation Response ccr [13] CertReqMessages, --Cross-Cert.

PKIConfirmContent

PKIConfirmContent ::= NULL

PKIFailureInfo

PKIFailureInfo ::= BIT STRING { badAlg (0), -- unrecognized or unsupported Algorithm Identifier badMessageCheck (1), -- integrity check failed (e.g., signature did not verify) badRequest (2), -- transaction not permitted or supported badTime (3), -- messageTime was not sufficiently close to the system time, as defined by local policy badCertId (4), -- no certificate could be found matching the provided criteria badDataFormat (5), -- the data submitted has the wrong format wrongAuthority (6), -- the authority indicated in the request is different from the one creating the response token incorrectData (7), -- the requester's data is incorrect (for notary services) missingTimeStamp (8), -- when the timestamp is missing but should be there (by policy) badPOP (9) -- the proof-of-possession failed certRevoked (10), certConfirmed (11), wrongIntegrity (12), badRecipientNonce (13), timeNotAvailable (14), -- the TSA's time source is not available unacceptedPolicy (15), -- the requested TSA policy is not supported by the TSA unacceptedExtension (16), -- the requested extension is not supported by the TSA addInfoNotAvailable (17) -- the additional information requested could not be understood -- or is not available badSenderNonce (18), badCertTemplate (19), signerNotTrusted (20), transactionIdInUse (21), unsupportedVersion (22), notAuthorized (23), systemUnavail (24), systemFailure (25), -- the request cannot be handled due to system failure duplicateCertReq (26)

PKIFreeText

PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String -- text encoded as UTF-8 String [RFC3629] (note: each -- UTF8String MAY include an [RFC3066] language tag -- to indicate the language of the contained text -- see [RFC2482] for details)

PKIHeader

PKIHeader ::= SEQUENCE { pvno INTEGER { cmp1999(1), cmp2000(2) }, sender GeneralName, -- identifies the sender recipient GeneralName, -- identifies the intended recipient messageTime [0] GeneralizedTime OPTIONAL, -- time of production of this message (used when sender -- believes that the transport will be "suitable"; i.e., -- that the time will still be meaningful upon receipt) protectionAlg [1] AlgorithmIdentifier OPTIONAL, -- algorithm used for calculation of protection bits senderKID [2] KeyIdentifier OPTIONAL, recipKID [3] KeyIdentifier OPTIONAL, -- to identify specific keys used for protection transactionID [4] OCTET STRING OPTIONAL, -- identifies the transaction; i.e., this will be the same in -- corresponding request, response, certConf, and PKIConf -- messages senderNonce [5] OCTET STRING OPTIONAL, recipNonce [6] OCTET STRING OPTIONAL, -- nonces used to provide replay protection, senderNonce -- is inserted by the creator of this message; recipNonce -- is a nonce previously inserted in a related message by -- the intended recipient of this message freeText [7] PKIFreeText OPTIONAL, -- this may be used to indicate context-specific instructions -- (this field is intended for human consumption) generalInfo [8] SEQUENCE SIZE (1..MAX) OF InfoTypeAndValue OPTIONAL -- this may be used to convey context-specific information -- (this field not primarily intended for human consumption) }

PKIHeaderBuilder

PKIMessage

PKIMessage ::= SEQUENCE { header PKIHeader, body PKIBody, protection [0] PKIProtection OPTIONAL, extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate OPTIONAL }

PKIMessages

PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage

PKIStatus

PKIStatus ::= INTEGER { accepted (0), -- you got exactly what you asked for grantedWithMods (1), -- you got something like what you asked for; the -- requester is responsible for ascertaining the differences rejection (2), -- you don't get it, more information elsewhere in the message waiting (3), -- the request body part has not yet been processed; expect to -- hear more later (note: proper handling of this status -- response MAY use the polling req/rep PKIMessages specified -- in Section 5.3.22; alternatively, polling in the underlying -- transport layer MAY have some utility in this regard) revocationWarning (4), -- this message contains a warning that a revocation is -- imminent revocationNotification (5), -- notification that a revocation has occurred keyUpdateWarning (6) -- update already done for the oldCertId specified in -- CertReqMsg }

PKIStatusInfo

PKIStatusInfo ::= SEQUENCE { status PKIStatus, statusString PKIFreeText OPTIONAL, failInfo PKIFailureInfo OPTIONAL }

PollRepContent

PollRepContent ::= SEQUENCE OF SEQUENCE { certReqId INTEGER, checkAfter INTEGER, -- time in seconds reason PKIFreeText OPTIONAL }

PollReqContent

PollReqContent ::= SEQUENCE OF SEQUENCE { certReqId INTEGER }

POPODecKeyChallContent

POPODecKeyChallContent ::= SEQUENCE OF Challenge -- One Challenge per encryption key certification request (in the -- same order as these requests appear in CertReqMessages).

POPODecKeyRespContent

ProtectedPart

ProtectedPart ::= SEQUENCE { header PKIHeader, body PKIBody }

RevAnnContent

RevAnnContent ::= SEQUENCE { status PKIStatus, certId CertId, willBeRevokedAt GeneralizedTime, badSinceDate GeneralizedTime, crlDetails Extensions OPTIONAL -- extra CRL details (e.g., crl number, reason, location, etc.) }

RevDetails

RevDetails ::= SEQUENCE { certDetails CertTemplate, -- allows requester to specify as much as they can about -- the cert. for which revocation is requested -- (e.g., for cases in which serialNumber is not available) crlEntryDetails Extensions OPTIONAL -- requested crlEntryExtensions }

RevRepContent

RevRepContent ::= SEQUENCE { status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, -- in same order as was sent in RevReqContent revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL, -- IDs for which revocation was requested -- (same order as status) crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL -- the resulting CRLs (there may be more than one) }

RevRepContentBuilder

RevReqContent

RevReqContent ::= SEQUENCE OF RevDetails

RootCaKeyUpdateContent

GenMsg: {id-it 20}, RootCaCertValue | < absent > GenRep: {id-it 18}, RootCaKeyUpdateContent | < absent > RootCaCertValue ::= CMPCertificate RootCaKeyUpdateValue ::= RootCaKeyUpdateContent RootCaKeyUpdateContent ::= SEQUENCE { newWithNew CMPCertificate, newWithOld [0] CMPCertificate OPTIONAL, oldWithNew [1] CMPCertificate OPTIONAL }

Package org.bouncycastle.asn1.cmp

Package org.bouncycastle.asn1.cmp Description

Class Summary
CAKeyUpdAnnContent	CAKeyUpdAnnContent ::= SEQUENCE { oldWithNew CMPCertificate, -- old pub signed with new priv newWithOld CMPCertificate, -- new pub signed with old priv newWithNew CMPCertificate -- new pub signed with new priv }
CertAnnContent	CertAnnContent ::= CMPCertificate
CertConfirmContent	CertConfirmContent ::= SEQUENCE OF CertStatus
CertifiedKeyPair	CertifiedKeyPair ::= SEQUENCE { certOrEncCert CertOrEncCert, privateKey [0] EncryptedKey OPTIONAL, -- see [CRMF] for comment on encoding publicationInfo [1] PKIPublicationInfo OPTIONAL }
CertOrEncCert	CertOrEncCert ::= CHOICE { certificate [0] CMPCertificate, encryptedCert [1] EncryptedKey }
CertRepMessage	CertRepMessage ::= SEQUENCE { caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate OPTIONAL, response SEQUENCE OF CertResponse }
CertReqTemplateContent	GenMsg: {id-it 19}, < absent > GenRep: {id-it 19}, CertReqTemplateContent \| < absent > CertReqTemplateValue ::= CertReqTemplateContent CertReqTemplateContent ::= SEQUENCE { certTemplate CertTemplate, keySpec Controls OPTIONAL } Controls ::= SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue
CertResponse	CertResponse ::= SEQUENCE { certReqId INTEGER, status PKIStatusInfo, certifiedKeyPair CertifiedKeyPair OPTIONAL, rspInfo OCTET STRING OPTIONAL -- analogous to the id-regInfo-utf8Pairs string defined -- for regInfo in CertReqMsg [CRMF] }
CertStatus	CertStatus ::= SEQUENCE { certHash OCTET STRING, certReqId INTEGER, statusInfo PKIStatusInfo OPTIONAL, hashAlg [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {[]}} OPTIONAL }
Challenge	Challenge ::= SEQUENCE { owf AlgorithmIdentifier OPTIONAL, -- MUST be present in the first Challenge; MAY be omitted in -- any subsequent Challenge in POPODecKeyChallContent (if -- omitted, then the owf used in the immediately preceding -- Challenge is to be used).
Challenge.Rand	Rand is the inner type
CMPCertificate
CRLAnnContent	CRLAnnContent ::= SEQUENCE OF CertificateList
CRLSource	GenMsg: {id-it TBD1}, SEQUENCE SIZE (1..MAX) OF CRLStatus GenRep: {id-it TBD2}, SEQUENCE SIZE (1..MAX) OF CertificateList \| < absent > CRLSource ::= CHOICE { dpn [0] DistributionPointName, issuer [1] GeneralNames }
CRLStatus	CRLStatus ::= SEQUENCE { source CRLSource, thisUpdate Time OPTIONAL }
DHBMParameter	DHBMParameter ::= SEQUENCE { owf AlgorithmIdentifier, -- AlgId for a One-Way Function (SHA-1 recommended) mac AlgorithmIdentifier -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], } -- or HMAC [RFC2104, RFC2202])
ErrorMsgContent	ErrorMsgContent ::= SEQUENCE { pKIStatusInfo PKIStatusInfo, errorCode INTEGER OPTIONAL, -- implementation-specific error codes errorDetails PKIFreeText OPTIONAL -- implementation-specific error details }
GenMsgContent	GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
GenRepContent
InfoTypeAndValue	Example InfoTypeAndValue contents include, but are not limited to, the following (un-comment in this ASN.1 module and use as appropriate for a given environment): id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1} CAProtEncCertValue ::= CMPCertificate id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2} SignKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3} EncKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4} PreferredSymmAlgValue ::= AlgorithmIdentifier id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5} CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6} CurrentCRLValue ::= CertificateList id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7} UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10} KeyPairParamReqValue ::= OBJECT IDENTIFIER id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11} KeyPairParamRepValue ::= AlgorithmIdentifer id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12} RevPassphraseValue ::= EncryptedValue id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13} ImplicitConfirmValue ::= NULL id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14} ConfirmWaitTimeValue ::= GeneralizedTime id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15} OrigPKIMessageValue ::= PKIMessages id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16} SuppLangTagsValue ::= SEQUENCE OF UTF8String where id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7)} and id-it OBJECT IDENTIFIER ::= {id-pkix 4}
KemBMParameter	KemBMParameter ::= SEQUENCE { kdf AlgorithmIdentifier{KEY-DERIVATION, {[]}}, len INTEGER (1..MAX), mac AlgorithmIdentifier{MAC-ALGORITHM, {[]}} }
KemCiphertextInfo	KemCiphertextInfo ::= SEQUENCE { kem AlgorithmIdentifier{KEM-ALGORITHM, {[]}}, ct OCTET STRING }
KemOtherInfo
KeyRecRepContent	KeyRecRepContent ::= SEQUENCE { status PKIStatusInfo, newSigCert [0] CMPCertificate OPTIONAL, caCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate OPTIONAL, keyPairHist [2] SEQUENCE SIZE (1..MAX) OF CertifiedKeyPair OPTIONAL }
NestedMessageContent	NestedMessageContent ::= PKIMessages
OOBCert	OOBCert ::= CMPCertificate
OOBCertHash	OOBCertHash ::= SEQUENCE { hashAlg [0] AlgorithmIdentifier OPTIONAL, certId [1] CertId OPTIONAL, hashVal BIT STRING -- hashVal is calculated over the DER encoding of the -- self-signed certificate with the identifier certID. }
PBMParameter	PBMParameter ::= SEQUENCE { salt OCTET STRING, -- note: implementations MAY wish to limit acceptable sizes -- of this string to values appropriate for their environment -- in order to reduce the risk of denial-of-service attacks owf AlgorithmIdentifier, -- AlgId for a One-Way Function (SHA-1 recommended) iterationCount INTEGER, -- number of times the OWF is applied -- note: implementations MAY wish to limit acceptable sizes -- of this integer to values appropriate for their environment -- in order to reduce the risk of denial-of-service attacks mac AlgorithmIdentifier -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], } -- or HMAC [RFC2104, RFC2202])
PKIBody	PKIBody ::= CHOICE { -- message-specific body elements ir [0] CertReqMessages, --Initialization Request ip [1] CertRepMessage, --Initialization Response cr [2] CertReqMessages, --Certification Request cp [3] CertRepMessage, --Certification Response p10cr [4] CertificationRequest, --imported from [PKCS10] popdecc [5] POPODecKeyChallContent, --pop Challenge popdecr [6] POPODecKeyRespContent, --pop Response kur [7] CertReqMessages, --Key Update Request kup [8] CertRepMessage, --Key Update Response krr [9] CertReqMessages, --Key Recovery Request krp [10] KeyRecRepContent, --Key Recovery Response rr [11] RevReqContent, --Revocation Request rp [12] RevRepContent, --Revocation Response ccr [13] CertReqMessages, --Cross-Cert.
PKIConfirmContent	PKIConfirmContent ::= NULL
PKIFailureInfo	PKIFailureInfo ::= BIT STRING { badAlg (0), -- unrecognized or unsupported Algorithm Identifier badMessageCheck (1), -- integrity check failed (e.g., signature did not verify) badRequest (2), -- transaction not permitted or supported badTime (3), -- messageTime was not sufficiently close to the system time, as defined by local policy badCertId (4), -- no certificate could be found matching the provided criteria badDataFormat (5), -- the data submitted has the wrong format wrongAuthority (6), -- the authority indicated in the request is different from the one creating the response token incorrectData (7), -- the requester's data is incorrect (for notary services) missingTimeStamp (8), -- when the timestamp is missing but should be there (by policy) badPOP (9) -- the proof-of-possession failed certRevoked (10), certConfirmed (11), wrongIntegrity (12), badRecipientNonce (13), timeNotAvailable (14), -- the TSA's time source is not available unacceptedPolicy (15), -- the requested TSA policy is not supported by the TSA unacceptedExtension (16), -- the requested extension is not supported by the TSA addInfoNotAvailable (17) -- the additional information requested could not be understood -- or is not available badSenderNonce (18), badCertTemplate (19), signerNotTrusted (20), transactionIdInUse (21), unsupportedVersion (22), notAuthorized (23), systemUnavail (24), systemFailure (25), -- the request cannot be handled due to system failure duplicateCertReq (26)
PKIFreeText	PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String -- text encoded as UTF-8 String [RFC3629] (note: each -- UTF8String MAY include an [RFC3066] language tag -- to indicate the language of the contained text -- see [RFC2482] for details)
PKIHeader	PKIHeader ::= SEQUENCE { pvno INTEGER { cmp1999(1), cmp2000(2) }, sender GeneralName, -- identifies the sender recipient GeneralName, -- identifies the intended recipient messageTime [0] GeneralizedTime OPTIONAL, -- time of production of this message (used when sender -- believes that the transport will be "suitable"; i.e., -- that the time will still be meaningful upon receipt) protectionAlg [1] AlgorithmIdentifier OPTIONAL, -- algorithm used for calculation of protection bits senderKID [2] KeyIdentifier OPTIONAL, recipKID [3] KeyIdentifier OPTIONAL, -- to identify specific keys used for protection transactionID [4] OCTET STRING OPTIONAL, -- identifies the transaction; i.e., this will be the same in -- corresponding request, response, certConf, and PKIConf -- messages senderNonce [5] OCTET STRING OPTIONAL, recipNonce [6] OCTET STRING OPTIONAL, -- nonces used to provide replay protection, senderNonce -- is inserted by the creator of this message; recipNonce -- is a nonce previously inserted in a related message by -- the intended recipient of this message freeText [7] PKIFreeText OPTIONAL, -- this may be used to indicate context-specific instructions -- (this field is intended for human consumption) generalInfo [8] SEQUENCE SIZE (1..MAX) OF InfoTypeAndValue OPTIONAL -- this may be used to convey context-specific information -- (this field not primarily intended for human consumption) }
PKIHeaderBuilder
PKIMessage	PKIMessage ::= SEQUENCE { header PKIHeader, body PKIBody, protection [0] PKIProtection OPTIONAL, extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate OPTIONAL }
PKIMessages	PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
PKIStatus	PKIStatus ::= INTEGER { accepted (0), -- you got exactly what you asked for grantedWithMods (1), -- you got something like what you asked for; the -- requester is responsible for ascertaining the differences rejection (2), -- you don't get it, more information elsewhere in the message waiting (3), -- the request body part has not yet been processed; expect to -- hear more later (note: proper handling of this status -- response MAY use the polling req/rep PKIMessages specified -- in Section 5.3.22; alternatively, polling in the underlying -- transport layer MAY have some utility in this regard) revocationWarning (4), -- this message contains a warning that a revocation is -- imminent revocationNotification (5), -- notification that a revocation has occurred keyUpdateWarning (6) -- update already done for the oldCertId specified in -- CertReqMsg }
PKIStatusInfo	PKIStatusInfo ::= SEQUENCE { status PKIStatus, statusString PKIFreeText OPTIONAL, failInfo PKIFailureInfo OPTIONAL }
PollRepContent	PollRepContent ::= SEQUENCE OF SEQUENCE { certReqId INTEGER, checkAfter INTEGER, -- time in seconds reason PKIFreeText OPTIONAL }
PollReqContent	PollReqContent ::= SEQUENCE OF SEQUENCE { certReqId INTEGER }
POPODecKeyChallContent	POPODecKeyChallContent ::= SEQUENCE OF Challenge -- One Challenge per encryption key certification request (in the -- same order as these requests appear in CertReqMessages).
POPODecKeyRespContent
ProtectedPart	ProtectedPart ::= SEQUENCE { header PKIHeader, body PKIBody }
RevAnnContent	RevAnnContent ::= SEQUENCE { status PKIStatus, certId CertId, willBeRevokedAt GeneralizedTime, badSinceDate GeneralizedTime, crlDetails Extensions OPTIONAL -- extra CRL details (e.g., crl number, reason, location, etc.) }
RevDetails	RevDetails ::= SEQUENCE { certDetails CertTemplate, -- allows requester to specify as much as they can about -- the cert. for which revocation is requested -- (e.g., for cases in which serialNumber is not available) crlEntryDetails Extensions OPTIONAL -- requested crlEntryExtensions }
RevRepContent	RevRepContent ::= SEQUENCE { status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, -- in same order as was sent in RevReqContent revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL, -- IDs for which revocation was requested -- (same order as status) crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL -- the resulting CRLs (there may be more than one) }
RevRepContentBuilder
RevReqContent	RevReqContent ::= SEQUENCE OF RevDetails
RootCaKeyUpdateContent	GenMsg: {id-it 20}, RootCaCertValue \| < absent > GenRep: {id-it 18}, RootCaKeyUpdateContent \| < absent > RootCaCertValue ::= CMPCertificate RootCaKeyUpdateValue ::= RootCaKeyUpdateContent RootCaKeyUpdateContent ::= SEQUENCE { newWithNew CMPCertificate, newWithOld [0] CMPCertificate OPTIONAL, oldWithNew [1] CMPCertificate OPTIONAL }

Interface Summary
CMPObjectIdentifiers