-- Module PKCS7 (X.420:06/1999)
-- The ASN.1 in version 1.5 of the PKCS#7 document is not defined in an ASN.1 module. This prevents an IMPORT of it into other ASN.1 modules.
-- This Annex contains a module of PKCS#7 ASN.1 definitions conforming to current ASN.1 standards rather than the obsolescent (and now deprecated) 1988/90 version of ASN.1 used in version 1.5 of PKCS#7.
-- Extensions to PKCS#7 defined in RFC 2630 (Cryptographic Message Syntax, CMS) are included.
-- If differences are found between the ASN.1 in the following module and that in PKCS#7, the PKCS#7 (version 1.5) text is definitive; this module is a convenience transcription, not a normative source.
PKCS7 {iso member-body usa(840) rsadsi(113549) pkcs(1) 7
module(0) -- module not currently defined in PKCS#7 --} DEFINITIONS IMPLICIT
-- Directory Information Framework
FROM InformationFramework {joint-iso-itu-t ds(5) module(1)
informationFramework(1) 3}
-- Directory Authentication Framework
AlgorithmIdentifier, AttributeCertificate, Certificate, CertificateList,
CertificateSerialNumber, HASH{}, SIGNED{}
FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
authenticationFramework(7) 3};
-- In PKCS#7 the HASHED parameterised type applies the hash function to the contents octets
-- component (the value octets only, excluding the tag and length octets) of a DER encoding of a value of the parameter.
-- The ENCRYPTED parameterised type is redefined here because PKCS#7 encrypted values are
-- defined as OCTET STRING, instead of BIT STRING as in the Directory Authentication Framework.
ENCRYPTED{ToBeEnciphered} ::=
-- must be the result of applying an encipherment procedure to the contents octets component
-- (value octets only, excluding tag and length) of a definite-length BER encoding (BER, not the DER
-- used by HASHED above, so the enciphered bytes need not be a canonical encoding) of a value of --ToBeEnciphered})
ContentInfo ::= SEQUENCE {
content-type PKCS7-CONTENT-TYPE.&id({PKCS7ContentTable}),
-- pkcs7-content [0] PKCS7-CONTENT-TYPE.&Type({PKCS7ContentTable}) OPTIONAL
pkcs7-content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
-- Information object class for content types: an OBJECT IDENTIFIER (&id) paired with
-- the ASN.1 type (&Type) it selects. It keys the PKCS7ContentTable used by
-- ContentInfo and EncryptedContentInfo, so the OID, not the outer tag, decides how a
-- decoder interprets the wrapped content.
PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER
PKCS7ContentTable PKCS7-CONTENT-TYPE ::=
{data | signed-data | enveloped-data | signed-and-enveloped-data |
digested-data | encrypted-data | authenticated-data, ...}
data PKCS7-CONTENT-TYPE ::= {Data
signed-data PKCS7-CONTENT-TYPE ::= {SignedData
IDENTIFIED BY id-signed-data
SignedData ::= SEQUENCE {
digestAlgorithms DigestAlgorithmIdentifiers,
contentInfo ContentInfo,
certificates [0] CertificateSet OPTIONAL,
crls [1] CertificateRevocationLists OPTIONAL,
signerInfos SignerInfos
-- Digest algorithms used by the signers of a SignedData. A plain SET OF with no SIZE
-- constraint, so the type alone permits an empty set and does not exclude duplicates;
-- a decoder that wants a bound on the count must impose it itself.
DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
-- Plain alias of the Directory AlgorithmIdentifier imported above. The syntax does not
-- restrict which OIDs may appear, so an implementation must keep its own allow-list of
-- acceptable digest algorithms rather than trust whatever the message names.
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
-- Certificates carried alongside the content: unordered (SET OF) and with no minimum
-- or maximum count. Nothing in the syntax ties these to the signers or vouches for
-- them; building and validating a path to a trust anchor is left to the verifier.
CertificateSet ::= SET OF CertificateChoice
CertificateChoice ::= CHOICE {
certificate Certificate,
extendedCertificate [0] ExtendedCertificate, -- Obsolete
attributeCertificate [1] AttributeCertificate
-- CRLs carried alongside the content; same caveats as CertificateSet: unordered,
-- unbounded, and not authenticated or validated by the syntax itself.
CertificateRevocationLists ::= SET OF CertificateList
-- Unordered set of signers. No SIZE constraint, so the type alone allows an empty set,
-- i.e. a signed-data content with no signature at all; contrast RecipientInfos, which
-- is SET SIZE (1..MAX). A verifier should reject an empty set explicitly.
SignerInfos ::= SET OF SignerInfo
SignerInfo ::= SEQUENCE {
signerIdentifier SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
authenticatedAttributes [0] Attributes OPTIONAL,
digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest,
unauthenticatedAttributes [1] Attributes OPTIONAL
SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [2] SubjectKeyIdentifier
IssuerAndSerialNumber ::= SEQUENCE {
serialNumber CertificateSerialNumber
-- Opaque identifier used to locate a recipient's or signer's key; an unconstrained
-- OCTET STRING, so a decoder should bound its length itself.
SubjectKeyIdentifier ::= OCTET STRING
-- Alias of AlgorithmIdentifier naming the signature algorithm applied to the digest
-- (PKCS#7 calls the signing operation "digest encryption"). Unconstrained by the
-- syntax: deciding which algorithms are acceptable is the verifier's job.
DigestEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
-- The signature value of a SignerInfo: per the ENCRYPTED definition above, the
-- encipherment of the contents octets of a definite-length BER encoding of a
-- DigestInfo (digest algorithm plus digest).
EncryptedDigest ::= ENCRYPTED{DigestInfo}
DigestInfo ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
[1] PKCS7-CONTENT-TYPE.&Type({PKCS7ContentTable}),
authenticated-attributes [0] EXPLICIT Attributes}}
enveloped-data PKCS7-CONTENT-TYPE ::= {
IDENTIFIED BY id-enveloped-data
EnvelopedData ::= SEQUENCE {
originatorInfo [0] OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo,
unprotectedAttributes [1] Attributes OPTIONAL
OriginatorInfo ::= SEQUENCE {
certificates [0] CertificateSet OPTIONAL,
crls [1] CertificateRevocationLists OPTIONAL
-- At least one recipient is required (SIZE (1..MAX)). The upper bound is open, so a
-- decoder should still cap the number of entries it is willing to process.
RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
RecipientInfo ::= CHOICE {
keyTransportRecipientInfo KeyTransportRecipientInfo,
keyAgreementRecipientInfo [1] KeyAgreementRecipientInfo,
keyEncryptionKeyRecipientInfo [2] KeyEncryptionKeyRecipientInfo
KeyTransportRecipientInfo ::= SEQUENCE {
recipientIdentifier RecipientIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey
RecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier
-- Alias of AlgorithmIdentifier naming the algorithm that protects a recipient's
-- encryptedKey (key transport, key agreement or a pre-shared key-encryption key,
-- per the three RecipientInfo alternatives). Unconstrained by the syntax.
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
-- The wrapped key as enciphered for one recipient; an unconstrained OCTET STRING.
-- A decoder should check its length against what the named key-encryption
-- algorithm can produce before attempting to unwrap it.
EncryptedKey ::= OCTET STRING
KeyAgreementRecipientInfo ::= SEQUENCE {
originator [0] OriginatorIdentifierOrKey,
userKeyingMaterial [1] EXPLICIT OCTET STRING OPTIONAL,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
recipientEncryptedKeys RecipientEncryptedKeys
OriginatorIdentifierOrKey ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier,
originatorPublicKey [1] OriginatorPublicKey
OriginatorPublicKey ::= SEQUENCE {
algorithm AlgorithmIdentifier,
-- One entry per recipient of a KeyAgreementRecipientInfo. Ordered (SEQUENCE OF) and,
-- unlike RecipientInfos, with no SIZE constraint, so an empty list is syntactically valid.
RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
RecipientEncryptedKey ::= SEQUENCE {
recipientIdentifier KeyAgreementRecipientIdentifier,
encryptedKey EncryptedKey
KeyAgreementRecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
recipientKeyIdentifier [0] RecipientKeyIdentifier
RecipientKeyIdentifier ::= SEQUENCE {
subjectKeyIdentifier SubjectKeyIdentifier,
date GeneralizedTime OPTIONAL,
otherKeyAttribute OtherKeyAttribute OPTIONAL
OtherKeyAttribute ::= SEQUENCE {
keyAttributeIdentifier OTHER-KEY-ATTRIBUTE.&id({OtherKeyAttributeTable}),
OTHER-KEY-ATTRIBUTE.&Type
({OtherKeyAttributeTable}{@keyAttributeIdentifier}) OPTIONAL
-- Information object class (OID plus the type it selects) for the open-ended
-- otherKeyAttribute field of RecipientKeyIdentifier and KeyEncryptionKeyIdentifier.
-- The attribute value is optional and its type is chosen by the OID, so a decoder
-- must look the OID up before interpreting the value.
OTHER-KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
OtherKeyAttributeTable OTHER-KEY-ATTRIBUTE ::=
KeyEncryptionKeyRecipientInfo ::= SEQUENCE {
keyEncryptionKeyIdentifier KeyEncryptionKeyIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey
KeyEncryptionKeyIdentifier ::= SEQUENCE {
keyIdentifier OCTET STRING,
date GeneralizedTime OPTIONAL,
otherKeyAttribute OtherKeyAttribute OPTIONAL
EncryptedContentInfo ::= SEQUENCE {
contentType PKCS7-CONTENT-TYPE.&id({PKCS7ContentTable}),
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
[0] ENCRYPTED{PKCS7-CONTENT-TYPE.&Type({PKCS7ContentTable}{@.contentType})}
-- Alias of AlgorithmIdentifier for the content-encryption algorithm of
-- EncryptedContentInfo. Unconstrained by the syntax, so algorithm (and parameter,
-- e.g. IV) acceptance has to be enforced by the implementation.
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
-- Signed and Enveloped Data
signed-and-enveloped-data PKCS7-CONTENT-TYPE ::= {
SignedAndEnvelopedData
IDENTIFIED BY id-signed-and-enveloped-data
SignedAndEnvelopedData ::= SEQUENCE {
recipientInfos SET SIZE (1..MAX) OF KeyTransportRecipientInfo,
digestAlgorithms DigestAlgorithmIdentifiers,
encryptedContentInfo EncryptedContentInfo,
certificates [0] CertificateSet OPTIONAL,
crls [1] CertificateRevocationLists OPTIONAL,
signerIdentifier (WITH COMPONENTS {
issuerAndSerialNumber PRESENT
authenticatedAttributes ABSENT,
unauthenticatedAttributes ABSENT
digested-data PKCS7-CONTENT-TYPE ::= {
IDENTIFIED BY id-digested-data
DigestedData ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
contentInfo ContentInfo,
digest HASH{PKCS7-CONTENT-TYPE.&Type({PKCS7ContentTable})}
encrypted-data PKCS7-CONTENT-TYPE ::= {
IDENTIFIED BY id-encrypted-data
EncryptedData ::= SEQUENCE {
encryptedContentInfo EncryptedContentInfo,
unprotectedAttributes [1] Attributes OPTIONAL
-- Authenticated Data
authenticated-data PKCS7-CONTENT-TYPE ::= {
IDENTIFIED BY id-authenticated-data
AuthenticatedData ::= SEQUENCE {
originatorInfo [0] OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos,
macAlgorithm MessageAuthenticationCodeAlgorithmIdentifier,
digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
contentInfo ContentInfo,
authenticatedAttributes [2] Attributes OPTIONAL,
messageAuthenticationCode MessageAuthenticationCode,
unauthenticatedAttributes [3] Attributes OPTIONAL
-- Alias of AlgorithmIdentifier naming the MAC algorithm of AuthenticatedData.
-- Unconstrained by the syntax; the implementation decides which MACs it accepts.
MessageAuthenticationCodeAlgorithmIdentifier ::= AlgorithmIdentifier
-- The MAC value carried in AuthenticatedData; an unconstrained OCTET STRING.
-- NOTE(review): a verifier should check its length against the named MAC algorithm
-- and compare it with the recomputed value using a constant-time comparison.
MessageAuthenticationCode ::= OCTET STRING
-- Object Identifiers
id-pkcs OBJECT IDENTIFIER ::=
{iso member-body usa(840) rsadsi(113549) pkcs(1)}
-- 1.2.840.113549.1.7.1 (pkcs-7 arc, from id-pkcs above)
id-data OBJECT IDENTIFIER ::= {id-pkcs 7 1}
-- 1.2.840.113549.1.7.2
id-signed-data OBJECT IDENTIFIER ::= {id-pkcs 7 2}
-- 1.2.840.113549.1.7.3
id-enveloped-data OBJECT IDENTIFIER ::= {id-pkcs 7 3}
-- 1.2.840.113549.1.7.4
id-signed-and-enveloped-data OBJECT IDENTIFIER ::= {id-pkcs 7 4}
-- 1.2.840.113549.1.7.5
id-digested-data OBJECT IDENTIFIER ::= {id-pkcs 7 5}
-- 1.2.840.113549.1.7.6
id-encrypted-data OBJECT IDENTIFIER ::= {id-pkcs 7 6}
-- 1.2.840.113549.1.9.16.1.2. Unlike the other content types this one lives under the
-- pkcs-9 arc, not {id-pkcs 7 n}; a dispatcher that only recognises OIDs under the
-- pkcs-7 arc will fail to match it.
id-authenticated-data OBJECT IDENTIFIER ::= {id-pkcs 9 16 1 2}
-- Definitions from PKCS#6
ExtendedCertificate ::=
SIGNED{ExtendedCertificateInfo}
ExtendedCertificateInfo ::= SEQUENCE {
certificate Certificate,
attributes Attributes
-- Unordered set of Directory Attributes with no SIZE constraint. Whether a given
-- attribute is covered by the signature or MAC depends solely on which field it
-- appears in (authenticatedAttributes) versus not (unauthenticatedAttributes,
-- unprotectedAttributes); the type itself carries no such distinction.
Attributes ::= SET OF Attribute
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D