-- Module CRMF (X.843:10/2000)
-- See also ITU-T X.843 (10/2000)
-- See also the index of all ASN.1 assignments needed in this document
CRMF DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL;
IMPORTS
-- Directory Information Framework (X.501)
Name
FROM InformationFramework {joint-iso-itu-t(2) ds(5) module(1)
informationFramework(1) 3}
-- Directory Authentication Framework (X.509)
AlgorithmIdentifier, Extensions, SubjectPublicKeyInfo, Time, Version
FROM AuthenticationFramework {joint-iso-itu-t(2) ds(5) module(1)
authenticationFramework(7) 3}
-- Directory Selected Attributes (X.520)
UniqueIdentifier
FROM SelectedAttributeTypes {joint-iso-itu-t(2) ds(5) module(1)
selectedAttributeTypes(5) 3}
-- Certificate Extensions (X.509)
GeneralName
FROM CertificateExtensions {joint-iso-itu-t(2) ds(5) module(1)
certificateExtensions(26) 0}
-- Cryptographic Message Syntax
EnvelopedData
FROM CryptographicMessageSyntax {iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1)};
CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
CertReqMsg ::= SEQUENCE {
certReq CertRequest,
pop ProofOfPossession OPTIONAL,
-- content depends upon key type
regInfo SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue OPTIONAL
}
CertRequest ::= SEQUENCE {
certReqId INTEGER, -- ID for matching request and response
certTemplate CertTemplate, -- Selected fields of certificate to be issued
controls Controls OPTIONAL
} -- Attributes affecting issuance
CertTemplate ::= SEQUENCE {
version [0] Version OPTIONAL,
serialNumber [1] INTEGER OPTIONAL,
signingAlg [2] AlgorithmIdentifier OPTIONAL,
issuer [3] EXPLICIT Name OPTIONAL,
validity [4] OptionalValidity OPTIONAL,
subject [5] EXPLICIT Name OPTIONAL,
publicKey [6] SubjectPublicKeyInfo OPTIONAL,
issuerUID [7] UniqueIdentifier OPTIONAL,
subjectUID [8] UniqueIdentifier OPTIONAL,
extensions [9] Extensions OPTIONAL
}
OptionalValidity ::= SEQUENCE {
notBefore [0] EXPLICIT Time OPTIONAL,
notAfter [1] EXPLICIT Time OPTIONAL
} --at least one SHALL be present
Controls ::= SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type TYPE-IDENTIFIER.&id({CRMF-Table}),
value TYPE-IDENTIFIER.&Type({CRMF-Table}{@type})
}
CRMF-Table TYPE-IDENTIFIER ::=
{...}
ProofOfPossession ::= CHOICE {
raVerified [0] NULL,
-- used if the RA has already verified that the requester is in
-- possession of the private key
signature [1] POPOSigningKey
}
POPOSigningKey ::= SEQUENCE {
poposkInput [0] POPOSigningKeyInput OPTIONAL,
algorithmIdentifier AlgorithmIdentifier,
signature BIT STRING
}
-- The signature (using "algorithmIdentifier") is on the
-- DER-encoded value of poposkInput. NOTE - If the CertReqMsg
-- certReq CertTemplate contains the subject and publicKey values,
-- then poposkInput SHALL be omitted and the signature SHALL be
-- computed on the DER-encoded value of CertReqMsg certReq. If
-- the CertReqMsg certReq CertTemplate does not contain the public
-- key and subject values, then poposkInput SHALL be present and
-- SHALL be signed. This strategy ensures that the public key is
-- not present in both the poposkInput and CertReqMsg certReq
-- CertTemplate fields.
POPOSigningKeyInput ::= SEQUENCE {
authInfo
CHOICE {sender [0] EXPLICIT GeneralName,
-- used only if an authenticated identity has been
-- established for the sender (e.g. a DN from a
-- previously-issued and currently-valid certificate
publicKeyMAC PKMACValue},
-- used if no authenticated GeneralName currently exists for
-- the sender; publicKeyMAC contains a password-based MAC
-- on the DER-encoded value of publicKey
publicKey SubjectPublicKeyInfo
} -- from CertTemplate
PKMACValue ::= SEQUENCE {
algId AlgorithmIdentifier,
-- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
-- parameter value is PBMParameter
value BIT STRING
}
PBMParameter ::= SEQUENCE {
salt OCTET STRING,
owf AlgorithmIdentifier,
-- AlgorithmIdentifier for a One-Way Function (SHA-1 recommended)
iterationCount INTEGER,
-- number of times the OWF is applied
mac AlgorithmIdentifier
-- the MAC AlgorithmIdentifier (e.g. DES-MAC, Triple-DES-MAC as in PKCS #11,
} -- or HMAC as in RFC2104, RFC2202)
-- Object identifier assignments
id-pkix OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) 7}
-- arc for Internet X.509 PKI protocols and their components
id-pkip OBJECT IDENTIFIER ::=
{id-pkix 5}
-- Registration Controls in CRMF
id-regCtrl OBJECT IDENTIFIER ::= {id-pkip 1}
id-regCtrl-regToken OBJECT IDENTIFIER ::= {id-regCtrl 1}
--with syntax:
RegToken ::= UTF8String
id-regCtrl-authenticator OBJECT IDENTIFIER ::= {id-regCtrl 2}
--with syntax:
Authenticator ::= UTF8String
id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= {id-regCtrl 3}
--with syntax:
PKIPublicationInfo ::= SEQUENCE {
action INTEGER {dontPublish(0), pleasePublish(1)},
pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL
}
-- pubInfos SHALL not be present if action is "dontPublish"
-- (if action is "pleasePublish" and pubInfos is omitted,
-- "dontCare" is assumed)
SinglePubInfo ::= SEQUENCE {
pubMethod INTEGER {dontCare(0), x500(1), web(2), ldap(3)},
pubLocation GeneralName OPTIONAL
}
EncryptedKey ::= CHOICE {
encryptedValue EncryptedValue,
envelopedData [0] EnvelopedData
}
-- The encrypted private key SHALL be placed in the envelopedData
-- encryptedContentInfo encryptedContent OCTET STRING.
EncryptedValue ::= SEQUENCE {
intendedAlg [0] AlgorithmIdentifier OPTIONAL,
symmAlg [1] AlgorithmIdentifier OPTIONAL,
encSymmKey [2] BIT STRING OPTIONAL,
keyAlg [3] AlgorithmIdentifier OPTIONAL,
valueHint [4] OCTET STRING OPTIONAL,
encValue BIT STRING
}
KeyGenParameters ::= OCTET STRING
id-regCtrl-oldCertID OBJECT IDENTIFIER ::= {id-regCtrl 5}
--with syntax:
OldCertId ::= CertId
CertId ::= SEQUENCE {issuer GeneralName,
serialNumber INTEGER
}
id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= {id-regCtrl 6}
--with syntax:
ProtocolEncrKey ::= SubjectPublicKeyInfo
-- Registration Info in CRMF
id-regInfo OBJECT IDENTIFIER ::= {id-pkip 2}
id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= {id-regInfo 1}
--with syntax
UTF8Pairs ::= UTF8String
id-regInfo-certReq OBJECT IDENTIFIER ::= {id-regInfo 2}
--with syntax
CertReq ::= CertRequest
END
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D