Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 5912

New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)

Pages: 117
Informational
Errata
Updated by:  69609480
Part 2 of 6 – Pages 18 to 35
First   Prev   Next

Top   ToC   RFC5912 - Page 18   prevText

4. ASN.1 Module for RFC 2560

OCSP-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp-02(48)} DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS Extensions{}, EXTENSION, ATTRIBUTE FROM PKIX-CommonTypes-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM FROM AlgorithmInformation-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58)} AuthorityInfoAccessSyntax, GeneralName, CrlEntryExtensions FROM PKIX1Implicit-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} Name, CertificateSerialNumber, id-kp, id-ad-ocsp, Certificate FROM PKIX1Explicit-2009
Top   ToC   RFC5912 - Page 19
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

  sa-dsaWithSHA1, sa-rsaWithMD2, sa-rsaWithMD5, sa-rsaWithSHA1
  FROM PKIXAlgs-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-algorithms2008-02(56)};

  OCSPRequest     ::=     SEQUENCE {
      tbsRequest                  TBSRequest,
      optionalSignature   [0]     EXPLICIT Signature OPTIONAL }

  TBSRequest      ::=     SEQUENCE {
      version             [0] EXPLICIT Version DEFAULT v1,
      requestorName       [1] EXPLICIT GeneralName OPTIONAL,
      requestList             SEQUENCE OF Request,
      requestExtensions   [2] EXPLICIT Extensions {{re-ocsp-nonce |
                                  re-ocsp-response, ...}} OPTIONAL }

  Signature       ::=     SEQUENCE {
      signatureAlgorithm   AlgorithmIdentifier
                               { SIGNATURE-ALGORITHM, {...}},
      signature            BIT STRING,
      certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

  Version  ::=  INTEGER  {  v1(0) }

  Request ::=     SEQUENCE {
      reqCert                    CertID,
      singleRequestExtensions    [0] EXPLICIT Extensions
                                         { {re-ocsp-service-locator,
                                                ...}} OPTIONAL }

  CertID ::= SEQUENCE {
      hashAlgorithm            AlgorithmIdentifier
                                   {DIGEST-ALGORITHM, {...}},
      issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
      issuerKeyHash      OCTET STRING, -- Hash of Issuer's public key
      serialNumber       CertificateSerialNumber }

  OCSPResponse ::= SEQUENCE {
     responseStatus         OCSPResponseStatus,
     responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }

  OCSPResponseStatus ::= ENUMERATED {
      successful            (0), --Response has valid confirmations
      malformedRequest      (1), --Illegal confirmation request
Top   ToC   RFC5912 - Page 20
      internalError         (2), --Internal error in issuer
      tryLater              (3), --Try again later
                                 -- (4) is not used
      sigRequired           (5), --Must sign the request
      unauthorized          (6)  --Request unauthorized
  }

  RESPONSE ::= TYPE-IDENTIFIER

  ResponseSet RESPONSE ::= {basicResponse, ...}

  ResponseBytes ::=       SEQUENCE {
      responseType        RESPONSE.
                              &id ({ResponseSet}),
      response            OCTET STRING (CONTAINING RESPONSE.
                              &Type({ResponseSet}{@responseType}))}

  basicResponse RESPONSE ::=
      { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic }

  BasicOCSPResponse       ::= SEQUENCE {
     tbsResponseData      ResponseData,
     signatureAlgorithm   AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                              {sa-dsaWithSHA1 | sa-rsaWithSHA1 |
                                   sa-rsaWithMD5 | sa-rsaWithMD2, ...}},
     signature            BIT STRING,
     certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

  ResponseData ::= SEQUENCE {
     version              [0] EXPLICIT Version DEFAULT v1,
     responderID              ResponderID,
     producedAt               GeneralizedTime,
     responses                SEQUENCE OF SingleResponse,
     responseExtensions   [1] EXPLICIT Extensions
                                  {{re-ocsp-nonce, ...}} OPTIONAL }

  ResponderID ::= CHOICE {
     byName   [1] Name,
     byKey    [2] KeyHash }

  KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
                           -- (excluding the tag and length fields)

  SingleResponse ::= SEQUENCE {
     certID                       CertID,
     certStatus                   CertStatus,
     thisUpdate                   GeneralizedTime,
     nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
Top   ToC   RFC5912 - Page 21
     singleExtensions     [1]     EXPLICIT Extensions{{re-ocsp-crl |
                                               re-ocsp-archive-cutoff |
                                                CrlEntryExtensions, ...}
                                               } OPTIONAL }

  CertStatus ::= CHOICE {
      good                [0]     IMPLICIT NULL,
      revoked             [1]     IMPLICIT RevokedInfo,
      unknown             [2]     IMPLICIT UnknownInfo }

  RevokedInfo ::= SEQUENCE {
      revocationTime              GeneralizedTime,
      revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }

  UnknownInfo ::= NULL

  CRLReason ::= INTEGER

  ArchiveCutoff ::= GeneralizedTime

  AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet})

  ServiceLocator ::= SEQUENCE {
      issuer    Name,
      locator   AuthorityInfoAccessSyntax }

  CrlID ::= SEQUENCE {
      crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
      crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
      crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }

  --  Request Extensions

  re-ocsp-nonce EXTENSION ::= { SYNTAX OCTET STRING IDENTIFIED
                                    BY id-pkix-ocsp-nonce }
  re-ocsp-response EXTENSION ::= { SYNTAX AcceptableResponses IDENTIFIED
                                       BY id-pkix-ocsp-response }
  re-ocsp-service-locator EXTENSION ::= { SYNTAX ServiceLocator
                                          IDENTIFIED BY
                                          id-pkix-ocsp-service-locator }

  --  Response Extensions

  re-ocsp-crl EXTENSION ::= { SYNTAX CrlID IDENTIFIED BY
                                  id-pkix-ocsp-crl }
  re-ocsp-archive-cutoff EXTENSION ::= { SYNTAX ArchiveCutoff
                                         IDENTIFIED BY
                                         id-pkix-ocsp-archive-cutoff }
Top   ToC   RFC5912 - Page 22
  -- Object Identifiers

  id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
  id-pkix-ocsp                 OBJECT IDENTIFIER ::= id-ad-ocsp
  id-pkix-ocsp-basic           OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
  id-pkix-ocsp-nonce           OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
  id-pkix-ocsp-crl             OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
  id-pkix-ocsp-response        OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
  id-pkix-ocsp-nocheck         OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
  id-pkix-ocsp-archive-cutoff  OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
  id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }

  END

5. ASN.1 Module for RFC 2986

PKCS-10 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkcs10-2009(69)} DEFINITIONS IMPLICIT TAGS ::= BEGIN IMPORTS AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY FROM AlgorithmInformation-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58)} ATTRIBUTE, Name FROM PKIX1Explicit-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}; -- Certificate requests CertificationRequestInfo ::= SEQUENCE { version INTEGER { v1(0) } (v1, ... ), subject Name, subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, attributes [0] Attributes{{ CRIAttributes }} } SubjectPublicKeyInfo {PUBLIC-KEY: IOSet} ::= SEQUENCE { algorithm AlgorithmIdentifier {PUBLIC-KEY, {IOSet}}, subjectPublicKey BIT STRING }
Top   ToC   RFC5912 - Page 23
  PKInfoAlgorithms PUBLIC-KEY ::= {
      ... -- add any locally defined algorithms here -- }

  Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}

  CRIAttributes  ATTRIBUTE  ::= {
      ... -- add any locally defined attributes here -- }

  Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
      type   ATTRIBUTE.&id({IOSet}),
      values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
  }

  CertificationRequest ::= SEQUENCE {
      certificationRequestInfo  CertificationRequestInfo,
      signatureAlgorithm        AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                                    { SignatureAlgorithms }},
      signature                 BIT STRING
  }

  SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
      ... -- add any locally defined algorithms here -- }

  END

6. ASN.1 Module for RFC 3279

Note that this module also contains information from RFC 5480 [RFC5480]. PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-algorithms2008-02(56) } DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS FROM AlgorithmInformation-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58)} mda-sha224, mda-sha256, mda-sha384, mda-sha512 FROM PKIX1-PSS-OAEP-Algorithms-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
Top   ToC   RFC5912 - Page 24
       id-mod-pkix1-rsa-pkalgs-02(54)} ;

   --
   -- Public Key (pk-) Algorithms
   --

   PublicKeys PUBLIC-KEY ::= {
    pk-rsa  |
    pk-dsa  |
    pk-dh   |
    pk-kea,
    ...,
    pk-ec   |
    pk-ecDH |
    pk-ecMQV
   }

   --
   -- Signature Algorithms (sa-)
   --

   SignatureAlgs SIGNATURE-ALGORITHM ::= {
    sa-rsaWithMD2      |
    sa-rsaWithMD5      |
    sa-rsaWithSHA1     |
    sa-dsaWithSHA1     |
    sa-ecdsaWithSHA1,
    ..., -- Extensible
    sa-dsaWithSHA224   |
    sa-dsaWithSHA256   |
    sa-ecdsaWithSHA224 |
    sa-ecdsaWithSHA256 |
    sa-ecdsaWithSHA384 |
    sa-ecdsaWithSHA512
   }

   --
   -- S/MIME CAPS for algorithms in this document
   --
   -- For all of the algorithms laid out in this document, the
   -- parameters field for the S/MIME capabilities is defined as
   -- ABSENT as there are no specific values that need to be known
   -- by the receiver for negotiation.

   --

   SMimeCaps SMIME-CAPS ::= {
    sa-rsaWithMD2.&smimeCaps      |
Top   ToC   RFC5912 - Page 25
    sa-rsaWithMD5.&smimeCaps      |
    sa-rsaWithSHA1.&smimeCaps     |
    sa-dsaWithSHA1.&smimeCaps     |
    sa-dsaWithSHA224.&smimeCaps   |
    sa-dsaWithSHA256.&smimeCaps   |
    sa-ecdsaWithSHA1.&smimeCaps   |
    sa-ecdsaWithSHA224.&smimeCaps |
    sa-ecdsaWithSHA256.&smimeCaps |
    sa-ecdsaWithSHA384.&smimeCaps |
    sa-ecdsaWithSHA512.&smimeCaps,
    ... }

   -- RSA PK Algorithm, Parameters, and Keys

   pk-rsa PUBLIC-KEY ::= {
    IDENTIFIER rsaEncryption
    KEY RSAPublicKey
    PARAMS TYPE NULL ARE absent
    -- Private key format not in this module --
    CERT-KEY-USAGE {digitalSignature, nonRepudiation,
    keyEncipherment, dataEncipherment, keyCertSign, cRLSign}
   }

   rsaEncryption OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-1(1) 1 }

   RSAPublicKey ::= SEQUENCE {
    modulus         INTEGER, -- n
    publicExponent  INTEGER  -- e
   }

   -- DSA PK Algorithm, Parameters, and Keys

   pk-dsa PUBLIC-KEY ::= {
    IDENTIFIER id-dsa
    KEY DSAPublicKey
    PARAMS TYPE DSA-Params ARE inheritable
    -- Private key format not in this module --
    CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign,
                        cRLSign }
   }

   id-dsa OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

   DSA-Params ::= SEQUENCE {
    p  INTEGER,
Top   ToC   RFC5912 - Page 26
    q  INTEGER,
    g  INTEGER
   }

   DSAPublicKey ::= INTEGER --  public key, y

   -- Diffie-Hellman PK Algorithm, Parameters, and Keys

   pk-dh PUBLIC-KEY ::= {
    IDENTIFIER dhpublicnumber
    KEY DHPublicKey
    PARAMS TYPE DomainParameters ARE inheritable
    -- Private key format not in this module --
    CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly }
   }

   dhpublicnumber OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-x942(10046)
    number-type(2) 1 }

   DomainParameters ::= SEQUENCE {
    p                INTEGER,           -- odd prime, p=jq +1
    g                INTEGER,           -- generator, g
    q                INTEGER,           -- factor of p-1
    j                INTEGER OPTIONAL,  -- subgroup factor, j>= 2
    validationParams  ValidationParams OPTIONAL
   }

   ValidationParams ::= SEQUENCE {
    seed         BIT STRING,
    pgenCounter  INTEGER
   }

   DHPublicKey ::= INTEGER  -- public key, y = g^x mod p

   -- KEA PK Algorithm and Parameters

   pk-kea PUBLIC-KEY ::= {
    IDENTIFIER id-keyExchangeAlgorithm
    -- key is not encoded --
    PARAMS TYPE KEA-Params-Id ARE required
    -- Private key format not in this module --
    CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly }
   }
   id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1)
       gov(101) dod(2) infosec(1) algorithms(1) 22 }
Top   ToC   RFC5912 - Page 27
   KEA-Params-Id ::= OCTET STRING

   -- Elliptic Curve (EC) Signatures: Unrestricted Algorithms
   --  (Section 2.1.1 of RFC 5480)
   --
   -- EC Unrestricted Algorithm ID -- -- this is used for ECDSA

   pk-ec PUBLIC-KEY ::= {
    IDENTIFIER id-ecPublicKey
    KEY ECPoint
    PARAMS TYPE ECParameters ARE required
    -- Private key format not in this module --
    CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement,
                         keyCertSign, cRLSign }
   }

   ECPoint ::= OCTET STRING -- see RFC 5480 for syntax and restrictions

   id-ecPublicKey OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   -- Elliptic Curve (EC) Signatures: Restricted Algorithms
   --  (Section 2.1.2 of RFC 5480)
   --
   -- EC Diffie-Hellman Algorithm ID

   pk-ecDH PUBLIC-KEY ::= {
    IDENTIFIER id-ecDH
    KEY ECPoint
    PARAMS TYPE ECParameters ARE required
    -- Private key format not in this module --
    CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly }
   }

   id-ecDH OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) schemes(1)
    ecdh(12) }

   -- EC Menezes-Qu-Vanstone Algorithm ID

   pk-ecMQV PUBLIC-KEY ::= {
    IDENTIFIER id-ecMQV
    KEY ECPoint
    PARAMS TYPE ECParameters ARE required
    -- Private key format not in this module --
    CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly }
   }
Top   ToC   RFC5912 - Page 28
   id-ecMQV OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) schemes(1)
    ecmqv(13) }

   -- Parameters and Keys for both Restricted and Unrestricted EC

   ECParameters ::= CHOICE {
    namedCurve      CURVE.&id({NamedCurve})
    -- implicitCurve   NULL
      -- implicitCurve MUST NOT be used in PKIX
    -- specifiedCurve  SpecifiedCurve
      -- specifiedCurve MUST NOT be used in PKIX
      -- Details for specifiedCurve can be found in [X9.62]
      -- Any future additions to this CHOICE should be coordinated
      -- with ANSI X.9.
   }
   -- If you need to be able to decode ANSI X.9 parameter structures,
   -- uncomment the implicitCurve and specifiedCurve above, and also
   -- uncomment the following:
   --(WITH COMPONENTS {namedCurve PRESENT})

   -- Sec 2.1.1.1 Named Curve

   CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE }
    WITH SYNTAX { ID &id }

   NamedCurve CURVE ::= {
   { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
   { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
   { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
   { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
   { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
   ... -- Extensible
   }

   -- Note in [X9.62] the curves are referred to as 'ansiX9' as
   -- opposed to 'sec'.  For example, secp192r1 is the same curve as
   -- ansix9p192r1.

   -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
   -- prime192v1 and the secp256r1 curve was referred to as
   -- prime256v1.

   -- Note that [FIPS186-3] refers to secp192r1 as P-192,
   -- secp224r1 as P-224, secp256r1 as P-256, secp384r1 as P-384,
   -- and secp521r1 as P-521.

   secp192r1 OBJECT IDENTIFIER ::= {
Top   ToC   RFC5912 - Page 29
    iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
    prime(1) 1 }

   sect163k1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 1 }

   sect163r2 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 15 }

   secp224r1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 33 }

   sect233k1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 26 }

   sect233r1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 27 }

   secp256r1 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
    prime(1) 7 }

   sect283k1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 16 }

   sect283r1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 17 }

   secp384r1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 34 }

   sect409k1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 36 }

   sect409r1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 37 }

   secp521r1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 35 }

   sect571k1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 38 }

   sect571r1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) certicom(132) curve(0) 39 }

   -- RSA with MD-2
Top   ToC   RFC5912 - Page 30
   sa-rsaWithMD2 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER md2WithRSAEncryption
    PARAMS TYPE NULL ARE required
    HASHES { mda-md2 }
    PUBLIC-KEYS { pk-rsa }
    SMIME-CAPS { IDENTIFIED BY md2WithRSAEncryption }
   }

   md2WithRSAEncryption OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-1(1) 2 }

   -- RSA with MD-5

   sa-rsaWithMD5 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER md5WithRSAEncryption
    PARAMS TYPE NULL ARE required
    HASHES { mda-md5 }
    PUBLIC-KEYS { pk-rsa }
    SMIME-CAPS { IDENTIFIED BY md5WithRSAEncryption }
   }

   md5WithRSAEncryption OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-1(1) 4 }

   -- RSA with SHA-1

   sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER sha1WithRSAEncryption
    PARAMS TYPE NULL ARE required
    HASHES { mda-sha1 }
    PUBLIC-KEYS { pk-rsa }
    SMIME-CAPS {IDENTIFIED BY sha1WithRSAEncryption }
   }

   sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-1(1) 5 }

   -- DSA with SHA-1

   sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER dsa-with-sha1
    VALUE DSA-Sig-Value
    PARAMS TYPE NULL ARE absent
    HASHES { mda-sha1 }
    PUBLIC-KEYS { pk-dsa }
Top   ToC   RFC5912 - Page 31
    SMIME-CAPS { IDENTIFIED BY dsa-with-sha1 }
   }

   dsa-with-sha1 OBJECT IDENTIFIER ::=  {
    iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }

   -- DSA with SHA-224

   sa-dsaWithSHA224 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER dsa-with-sha224
    VALUE DSA-Sig-Value
    PARAMS TYPE NULL ARE absent
    HASHES { mda-sha224 }
    PUBLIC-KEYS { pk-dsa }
    SMIME-CAPS { IDENTIFIED BY dsa-with-sha224 }
   }

   dsa-with-sha224 OBJECT IDENTIFIER  ::=  {
    joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
    csor(3) algorithms(4) id-dsa-with-sha2(3) 1 }

   -- DSA with SHA-256

   sa-dsaWithSHA256 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER dsa-with-sha256
    VALUE DSA-Sig-Value
    PARAMS TYPE NULL ARE absent
    HASHES { mda-sha256 }
    PUBLIC-KEYS { pk-dsa }
    SMIME-CAPS { IDENTIFIED BY dsa-with-sha256 }
   }

   dsa-with-sha256 OBJECT IDENTIFIER  ::=  {
    joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
    csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }

   -- ECDSA with SHA-1

   sa-ecdsaWithSHA1 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER ecdsa-with-SHA1
    VALUE ECDSA-Sig-Value
    PARAMS TYPE NULL ARE absent
    HASHES { mda-sha1 }
    PUBLIC-KEYS { pk-ec }
    SMIME-CAPS {IDENTIFIED BY ecdsa-with-SHA1 }
   }

   ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
Top   ToC   RFC5912 - Page 32
    iso(1) member-body(2) us(840) ansi-X9-62(10045)
    signatures(4) 1 }

   -- ECDSA with SHA-224

   sa-ecdsaWithSHA224 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER ecdsa-with-SHA224
    VALUE ECDSA-Sig-Value
    PARAMS TYPE NULL ARE absent
    HASHES { mda-sha224 }
    PUBLIC-KEYS { pk-ec }
    SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA224 }
   }

   ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
    ecdsa-with-SHA2(3) 1 }

   -- ECDSA with SHA-256

   sa-ecdsaWithSHA256 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER ecdsa-with-SHA256
    VALUE ECDSA-Sig-Value
    PARAMS TYPE NULL ARE absent
    HASHES { mda-sha256 }
    PUBLIC-KEYS { pk-ec }
    SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA256 }
   }

   ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
    ecdsa-with-SHA2(3) 2 }

   -- ECDSA with SHA-384

   sa-ecdsaWithSHA384 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER ecdsa-with-SHA384
    VALUE ECDSA-Sig-Value
    PARAMS TYPE NULL ARE absent
    HASHES { mda-sha384 }
    PUBLIC-KEYS { pk-ec }
    SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA384 }
   }
   ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
    ecdsa-with-SHA2(3) 3 }

   -- ECDSA with SHA-512
Top   ToC   RFC5912 - Page 33
   sa-ecdsaWithSHA512 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER ecdsa-with-SHA512
    VALUE ECDSA-Sig-Value
    PARAMS TYPE NULL ARE absent
    HASHES { mda-sha512 }
    PUBLIC-KEYS { pk-ec }
    SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA512 }
   }

   ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
    ecdsa-with-SHA2(3) 4 }

   --
   -- Signature Values
   --

   -- DSA

   DSA-Sig-Value ::= SEQUENCE {
    r  INTEGER,
    s  INTEGER
   }

   -- ECDSA

   ECDSA-Sig-Value ::= SEQUENCE {
    r  INTEGER,
    s  INTEGER
   }

   --
   -- Message Digest Algorithms (mda-)
   --

   HashAlgs DIGEST-ALGORITHM ::= {
    mda-md2    |
    mda-md5    |
    mda-sha1,
    ... -- Extensible
   }
   -- MD-2

   mda-md2 DIGEST-ALGORITHM ::= {
    IDENTIFIER id-md2
    PARAMS TYPE NULL ARE preferredAbsent
   }
Top   ToC   RFC5912 - Page 34
   id-md2  OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) rsadsi(113549)
    digestAlgorithm(2) 2 }

   -- MD-5

   mda-md5 DIGEST-ALGORITHM ::= {
    IDENTIFIER id-md5
    PARAMS TYPE NULL ARE preferredAbsent
   }

   id-md5  OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) rsadsi(113549)
    digestAlgorithm(2) 5 }

   -- SHA-1

   mda-sha1 DIGEST-ALGORITHM ::= {
    IDENTIFIER id-sha1
    PARAMS TYPE NULL ARE preferredAbsent
   }

   id-sha1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) oiw(14) secsig(3)
    algorithm(2) 26 }

   END

7. ASN.1 Module for RFC 3852 (Attribute Certificate v1)

AttributeCertificateVersion1-2009 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-v1AttrCert-02(49)} DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{} FROM AlgorithmInformation-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58)} AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE FROM PKIX-CommonTypes-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
Top   ToC   RFC5912 - Page 35
  CertificateSerialNumber, UniqueIdentifier, SIGNED{}
  FROM PKIX1Explicit-2009
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

  GeneralNames
  FROM PKIX1Implicit-2009
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

  AttCertValidityPeriod, IssuerSerial
  FROM PKIXAttributeCertificate-2009
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } ;

  -- Definition extracted from X.509-1997 [X.509-97], but
  -- different type names are used to avoid collisions.

  AttributeCertificateV1 ::= SIGNED{AttributeCertificateInfoV1}

  AttributeCertificateInfoV1 ::= SEQUENCE {
     version AttCertVersionV1 DEFAULT v1,
     subject CHOICE {
        baseCertificateID [0] IssuerSerial,
        -- associated with a Public Key Certificate
        subjectName [1] GeneralNames },
     -- associated with a name
     issuer GeneralNames,
     signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}},
     serialNumber CertificateSerialNumber,
     attCertValidityPeriod AttCertValidityPeriod,
     attributes SEQUENCE OF AttributeSet{{AttrList}},
     issuerUniqueID UniqueIdentifier OPTIONAL,
     extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL }

  AttCertVersionV1 ::= INTEGER { v1(0) }

  AttrList ATTRIBUTE ::= {...}
  AttributeCertExtensionsV1 EXTENSION ::= {...}

  END


(next page on part 3)

Next Section