CRMF (X.843:10/2000)

-- Module CRMF (X.843:10/2000)
-- See also ITU-T X.843 (10/2000)
-- See also the index of all ASN.1 assignments needed in this document
CRMF DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORTS ALL; 
IMPORTS
  -- Directory Information Framework (X.501)
  Name
    FROM InformationFramework {joint-iso-itu-t(2) ds(5) module(1)
      informationFramework(1) 3}
  -- Directory Authentication Framework (X.509)
  AlgorithmIdentifier, Extensions, SubjectPublicKeyInfo, Time, Version
    FROM AuthenticationFramework {joint-iso-itu-t(2) ds(5) module(1)
      authenticationFramework(7) 3}
  -- Directory Selected Attributes (X.520) 
  UniqueIdentifier
    FROM SelectedAttributeTypes {joint-iso-itu-t(2) ds(5) module(1)
      selectedAttributeTypes(5) 3}
  -- Certificate Extensions (X.509) 
  GeneralName
    FROM CertificateExtensions {joint-iso-itu-t(2) ds(5) module(1)
      certificateExtensions(26) 0}
  -- Cryptographic Message Syntax
  EnvelopedData
    FROM CryptographicMessageSyntax {iso(1) member-body(2) us(840)
      rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1)};

CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg

CertReqMsg ::= SEQUENCE {
  certReq  CertRequest,
  pop      ProofOfPossession OPTIONAL,
  -- content depends upon key type
  regInfo  SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue OPTIONAL
}

CertRequest ::= SEQUENCE {
  certReqId     INTEGER, -- ID for matching request and response
  certTemplate  CertTemplate, -- Selected fields of certificate to be issued
  controls      Controls OPTIONAL
} -- Attributes affecting issuance

CertTemplate ::= SEQUENCE {
  version       [0]  Version OPTIONAL,
  serialNumber  [1]  INTEGER OPTIONAL,
  signingAlg    [2]  AlgorithmIdentifier OPTIONAL,
  issuer        [3] EXPLICIT Name OPTIONAL,
  validity      [4]  OptionalValidity OPTIONAL,
  subject       [5] EXPLICIT Name OPTIONAL,
  publicKey     [6]  SubjectPublicKeyInfo OPTIONAL,
  issuerUID     [7]  UniqueIdentifier OPTIONAL,
  subjectUID    [8]  UniqueIdentifier OPTIONAL,
  extensions    [9]  Extensions OPTIONAL
}

OptionalValidity ::= SEQUENCE {
  notBefore  [0] EXPLICIT Time OPTIONAL,
  notAfter   [1] EXPLICIT Time OPTIONAL
} --at least one SHALL be present

Controls ::= SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue

AttributeTypeAndValue ::= SEQUENCE {
  type   TYPE-IDENTIFIER.&id({CRMF-Table}),
  value  TYPE-IDENTIFIER.&Type({CRMF-Table}{@type})
}

CRMF-Table TYPE-IDENTIFIER ::=
  {...}

ProofOfPossession ::= CHOICE {
  raVerified  [0]  NULL,
  -- used if the RA has already verified that the requester is in 
  -- possession of the private key
  signature   [1]  POPOSigningKey
}

POPOSigningKey ::= SEQUENCE {
  poposkInput          [0]  POPOSigningKeyInput OPTIONAL,
  algorithmIdentifier  AlgorithmIdentifier,
  signature            BIT STRING
}

-- The signature (using "algorithmIdentifier") is on the 
-- DER-encoded value of poposkInput.  NOTE - If the CertReqMsg 
-- certReq CertTemplate contains the subject and publicKey values, 
-- then poposkInput SHALL be omitted and the signature SHALL be 
-- computed on the DER-encoded value of CertReqMsg certReq.  If 
-- the CertReqMsg certReq CertTemplate does not contain the public 
-- key and subject values, then poposkInput SHALL be present and 
-- SHALL be signed.  This strategy ensures that the public key is 
-- not present in both the poposkInput and CertReqMsg certReq 
-- CertTemplate fields.
POPOSigningKeyInput ::= SEQUENCE {
  authInfo
    CHOICE {sender        [0] EXPLICIT GeneralName,
            -- used only if an authenticated identity has been 
            -- established for the sender (e.g. a DN from a
            -- previously-issued and currently-valid certificate
            publicKeyMAC  PKMACValue},
  -- used if no authenticated GeneralName currently exists for
  -- the sender; publicKeyMAC contains a password-based MAC
  -- on the DER-encoded value of publicKey
  publicKey  SubjectPublicKeyInfo
} -- from CertTemplate

PKMACValue ::= SEQUENCE {
  algId  AlgorithmIdentifier,
  -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
  -- parameter value is PBMParameter
  value  BIT STRING
}

PBMParameter ::= SEQUENCE {
  salt            OCTET STRING,
  owf             AlgorithmIdentifier,
  -- AlgorithmIdentifier for a One-Way Function (SHA-1 recommended)
  iterationCount  INTEGER,
  -- number of times the OWF is applied
  mac             AlgorithmIdentifier
  -- the MAC AlgorithmIdentifier (e.g. DES-MAC, Triple-DES-MAC as in PKCS #11,
} -- or HMAC as in RFC2104, RFC2202)

-- Object identifier assignments 
id-pkix OBJECT IDENTIFIER ::=
  {iso(1) identified-organization(3) dod(6) internet(1) security(5)
   mechanisms(5) 7}

-- arc for Internet X.509 PKI protocols and their components
id-pkip OBJECT IDENTIFIER ::=
  {id-pkix 5}

-- Registration Controls in CRMF
id-regCtrl OBJECT IDENTIFIER ::= {id-pkip 1}

id-regCtrl-regToken OBJECT IDENTIFIER ::= {id-regCtrl 1}

--with syntax:
RegToken ::= UTF8String

id-regCtrl-authenticator OBJECT IDENTIFIER ::= {id-regCtrl 2}

--with syntax: 
Authenticator ::= UTF8String

id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= {id-regCtrl 3}

--with syntax:
PKIPublicationInfo ::= SEQUENCE {
  action    INTEGER {dontPublish(0), pleasePublish(1)},
  pubInfos  SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL
}

-- pubInfos SHALL not be present if action is "dontPublish"
-- (if action is "pleasePublish" and pubInfos is omitted, 
-- "dontCare" is assumed)
SinglePubInfo ::= SEQUENCE {
  pubMethod    INTEGER {dontCare(0), x500(1), web(2), ldap(3)},
  pubLocation  GeneralName OPTIONAL
}

EncryptedKey ::= CHOICE {
  encryptedValue  EncryptedValue,
  envelopedData   [0]  EnvelopedData
}

-- The encrypted private key SHALL be placed in the envelopedData 
-- encryptedContentInfo encryptedContent OCTET STRING.
EncryptedValue ::= SEQUENCE {
  intendedAlg  [0]  AlgorithmIdentifier OPTIONAL,
  symmAlg      [1]  AlgorithmIdentifier OPTIONAL,
  encSymmKey   [2]  BIT STRING OPTIONAL,
  keyAlg       [3]  AlgorithmIdentifier OPTIONAL,
  valueHint    [4]  OCTET STRING OPTIONAL,
  encValue     BIT STRING
}

KeyGenParameters ::= OCTET STRING

id-regCtrl-oldCertID OBJECT IDENTIFIER ::= {id-regCtrl 5}

--with syntax:
OldCertId ::= CertId

CertId ::= SEQUENCE {issuer        GeneralName,
                     serialNumber  INTEGER
}

id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= {id-regCtrl 6}

--with syntax: 
ProtocolEncrKey ::= SubjectPublicKeyInfo

-- Registration Info in CRMF
id-regInfo OBJECT IDENTIFIER ::= {id-pkip 2}

id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= {id-regInfo 1}

--with syntax
UTF8Pairs ::= UTF8String

id-regInfo-certReq OBJECT IDENTIFIER ::= {id-regInfo 2}

--with syntax
CertReq ::= CertRequest

END
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D