File 2222-Update-public_key-to-use-modern-ASN.1-modules.patch of Package erlang
From b230e26c4f6530563919b19e76f2d2e96e436048 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Gustavsson?= <bjorn@erlang.org>
Date: Mon, 14 Apr 2025 06:07:21 +0200
Subject: [PATCH] Update public_key to use modern ASN.1 modules
This commit replaces the ancient ASN.1 modules in `public_key` with
more modern versions, while attempting to keep the documented Erlang
API for the `public_key` application compatible.
Co-authored-by: Dan Gudmundsson <dgud@erlang.org>
---
LICENSES/LicenseRef-RSA-PKCS3.txt | 23 +
LICENSES/LicenseRef-RSA-PKCS5v2-0.txt | 17 +
lib/public_key/.gitignore | 45 +-
.../asn1/AlgorithmInformation-2009.asn1 | 500 ++++++
.../asn1/AsymmetricKeyPackageModuleV1.asn1 | 167 ++
.../AttributeCertificateVersion1-2009.asn1 | 93 +
.../asn1/AuthenticationFramework.asn1 | 367 ----
lib/public_key/asn1/CMSAesRsaesOaep-2009.asn1 | 122 ++
lib/public_key/asn1/CMSAesRsaesOaep.asn1 | 39 -
.../asn1/CryptographicMessageSyntax-2009.asn1 | 497 ++++++
...tographicMessageSyntaxAlgorithms-2009.asn1 | 282 +++
lib/public_key/asn1/DSS.asn1 | 20 +
lib/public_key/asn1/ECPrivateKey.asn1 | 80 +-
lib/public_key/asn1/InformationFramework.asn1 | 682 -------
lib/public_key/asn1/Makefile | 58 +-
lib/public_key/asn1/OCSP-2013-88.asn1 | 149 --
lib/public_key/asn1/OCSP-2024-08.asn1 | 269 +++
lib/public_key/asn1/OTP-PKIX.asn1 | 961 ++--------
lib/public_key/asn1/OTP-PKIX.asn1config | 25 +
lib/public_key/asn1/OTP-PUB-KEY.asn1config | 3 -
lib/public_key/asn1/OTP-PUB-KEY.set.asn | 15 -
lib/public_key/asn1/PKCS-1.asn1 | 47 +-
lib/public_key/asn1/PKCS-10.asn1 | 184 +-
lib/public_key/asn1/PKCS-3.asn1 | 36 +-
lib/public_key/asn1/PKCS-7.asn1 | 449 -----
lib/public_key/asn1/PKCS-8.asn1 | 159 --
lib/public_key/asn1/PKCS-FRAME.set.asn | 22 +-
lib/public_key/asn1/PKCS5v2-0.asn1 | 26 +
.../asn1/PKIX-CommonTypes-2009.asn1 | 200 +++
.../asn1/PKIX-X400Address-2009.asn1 | 334 ++++
.../asn1/PKIX1-PSS-OAEP-Algorithms-2009.asn1 | 342 ++++
lib/public_key/asn1/PKIX1Algorithms88.asn1 | 294 ---
lib/public_key/asn1/PKIX1Explicit-2009.asn1 | 452 +++++
.../asn1/PKIX1Explicit-2009.asn1config | 25 +
lib/public_key/asn1/PKIX1Explicit88.asn1 | 641 -------
lib/public_key/asn1/PKIX1Implicit-2009.asn1 | 481 +++++
lib/public_key/asn1/PKIX1Implicit88.asn1 | 349 ----
lib/public_key/asn1/PKIXAlgs-2009.asn1 | 562 ++++++
.../asn1/PKIXAttributeCertificate-2009.asn1 | 326 ++++
.../asn1/PKIXAttributeCertificate.asn1 | 189 --
lib/public_key/asn1/RFC5639.asn1 | 34 +
lib/public_key/asn1/Safecurves-pkix-18.asn1 | 129 ++
.../asn1/SecureMimeMessageV3dot1-2009.asn1 | 156 ++
.../asn1/SelectedAttributeTypes.asn1 | 1575 -----------------
lib/public_key/asn1/UsefulDefinitions.asn1 | 234 ---
lib/public_key/include/OTP-PUB-KEY.hrl | 23 +
lib/public_key/include/public_key.hrl | 645 ++++++-
lib/public_key/src/Makefile | 15 +-
lib/public_key/src/pubkey_cert.erl | 25 +-
lib/public_key/src/pubkey_cert_records.erl | 321 ++--
lib/public_key/src/pubkey_crl.erl | 34 +-
lib/public_key/src/pubkey_ocsp.erl | 8 +-
lib/public_key/src/pubkey_pbe.erl | 25 +-
lib/public_key/src/pubkey_pem.erl | 15 +
lib/public_key/src/pubkey_policy_tree.erl | 26 +-
lib/public_key/src/pubkey_translation.erl | 104 ++
lib/public_key/src/public_key.app.src | 36 +-
lib/public_key/src/public_key.erl | 389 ++--
lib/public_key/src/public_key_internal.hrl | 257 +++
lib/public_key/test/erl_make_certs.erl | 4 +-
lib/public_key/test/pkits_SUITE.erl | 6 +-
lib/public_key/test/pubkey_ocsp_SUITE.erl | 4 +-
lib/public_key/test/public_key_SUITE.erl | 68 +-
63 files changed, 7166 insertions(+), 6499 deletions(-)
create mode 100644 LICENSES/LicenseRef-RSA-PKCS3.txt
create mode 100644 LICENSES/LicenseRef-RSA-PKCS5v2-0.txt
create mode 100644 lib/public_key/asn1/AlgorithmInformation-2009.asn1
create mode 100644 lib/public_key/asn1/AsymmetricKeyPackageModuleV1.asn1
create mode 100644 lib/public_key/asn1/AttributeCertificateVersion1-2009.asn1
delete mode 100644 lib/public_key/asn1/AuthenticationFramework.asn1
create mode 100644 lib/public_key/asn1/CMSAesRsaesOaep-2009.asn1
delete mode 100644 lib/public_key/asn1/CMSAesRsaesOaep.asn1
create mode 100644 lib/public_key/asn1/CryptographicMessageSyntax-2009.asn1
create mode 100644 lib/public_key/asn1/CryptographicMessageSyntaxAlgorithms-2009.asn1
delete mode 100644 lib/public_key/asn1/InformationFramework.asn1
delete mode 100644 lib/public_key/asn1/OCSP-2013-88.asn1
create mode 100644 lib/public_key/asn1/OCSP-2024-08.asn1
create mode 100644 lib/public_key/asn1/OTP-PKIX.asn1config
delete mode 100644 lib/public_key/asn1/OTP-PUB-KEY.asn1config
delete mode 100644 lib/public_key/asn1/OTP-PUB-KEY.set.asn
delete mode 100644 lib/public_key/asn1/PKCS-7.asn1
delete mode 100644 lib/public_key/asn1/PKCS-8.asn1
create mode 100644 lib/public_key/asn1/PKIX-CommonTypes-2009.asn1
create mode 100644 lib/public_key/asn1/PKIX-X400Address-2009.asn1
create mode 100644 lib/public_key/asn1/PKIX1-PSS-OAEP-Algorithms-2009.asn1
delete mode 100644 lib/public_key/asn1/PKIX1Algorithms88.asn1
create mode 100644 lib/public_key/asn1/PKIX1Explicit-2009.asn1
create mode 100644 lib/public_key/asn1/PKIX1Explicit-2009.asn1config
delete mode 100644 lib/public_key/asn1/PKIX1Explicit88.asn1
create mode 100644 lib/public_key/asn1/PKIX1Implicit-2009.asn1
delete mode 100644 lib/public_key/asn1/PKIX1Implicit88.asn1
create mode 100644 lib/public_key/asn1/PKIXAlgs-2009.asn1
create mode 100644 lib/public_key/asn1/PKIXAttributeCertificate-2009.asn1
delete mode 100644 lib/public_key/asn1/PKIXAttributeCertificate.asn1
create mode 100644 lib/public_key/asn1/Safecurves-pkix-18.asn1
create mode 100644 lib/public_key/asn1/SecureMimeMessageV3dot1-2009.asn1
delete mode 100644 lib/public_key/asn1/SelectedAttributeTypes.asn1
delete mode 100644 lib/public_key/asn1/UsefulDefinitions.asn1
create mode 100644 lib/public_key/include/OTP-PUB-KEY.hrl
create mode 100644 lib/public_key/src/pubkey_translation.erl
create mode 100644 lib/public_key/src/public_key_internal.hrl
diff --git a/LICENSES/LicenseRef-RSA-PKCS3.txt b/LICENSES/LicenseRef-RSA-PKCS3.txt
new file mode 100644
index 0000000000..c89b9cd56a
--- /dev/null
+++ b/LICENSES/LicenseRef-RSA-PKCS3.txt
@@ -0,0 +1,23 @@
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it
+or assist in its implementation may be prepared, copied, published
+and distributed, in whole or in part, without restriction of any
+kind, provided that the above copyright notice and this paragraph are
+included on all such copies and derivative works. However, this
+document itself may not be modified in any way, such as by removing
+the copyright notice or references to the Internet Society or other
+Internet organizations, except as needed for the purpose of
+developing Internet standards in which case the procedures for
+copyrights defined in the Internet Standards process must be
+followed, or as required to translate it into languages other than
+English.
+
+The limited permissions granted above are perpetual and will not be
+revoked by the Internet Society or its successors or assigns.
+
+This document and the information contained herein is provided on an
+"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
diff --git a/LICENSES/LicenseRef-RSA-PKCS5v2-0.txt b/LICENSES/LicenseRef-RSA-PKCS5v2-0.txt
new file mode 100644
index 0000000000..d08dfa4149
--- /dev/null
+++ b/LICENSES/LicenseRef-RSA-PKCS5v2-0.txt
@@ -0,0 +1,17 @@
+Intellectual Property Considerations
+
+RSA Security makes no patent claims on the general constructions
+described in this document, although specific underlying techniques
+may be covered. Among the underlying techniques, the RC5 encryption
+algorithm (Appendix B.2.4) is protected by U.S. Patents 5,724,428
+[22] and 5,835,600 [23].
+
+RC2 and RC5 are trademarks of RSA Security.
+
+License to copy this document is granted provided that it is
+identified as RSA Security Inc. Public-Key Cryptography Standards
+(PKCS) in all material mentioning or referencing this document.
+
+RSA Security makes no representations regarding intellectual property
+claims by other parties. Such determination is the responsibility of
+the user.
diff --git a/lib/public_key/asn1/AlgorithmInformation-2009.asn1 b/lib/public_key/asn1/AlgorithmInformation-2009.asn1
new file mode 100644
index 0000000000..b77e08b5a3
--- /dev/null
+++ b/lib/public_key/asn1/AlgorithmInformation-2009.asn1
@@ -0,0 +1,500 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+DEFINITIONS EXPLICIT TAGS ::=
+BEGIN
+EXPORTS ALL;
+IMPORTS
+
+KeyUsage
+FROM PKIX1Implicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-implicit-02(59)} ;
+
+-- Suggested prefixes for algorithm objects are:
+--
+-- mda- Message Digest Algorithms
+-- sa- Signature Algorithms
+-- kta- Key Transport Algorithms (Asymmetric)
+-- kaa- Key Agreement Algorithms (Asymmetric)
+-- kwa- Key Wrap Algorithms (Symmetric)
+-- kda- Key Derivation Algorithms
+-- maca- Message Authentication Code Algorithms
+-- pk- Public Key
+-- cea- Content (symmetric) Encryption Algorithms
+-- cap- S/MIME Capabilities
+
+ParamOptions ::= ENUMERATED {
+ required, -- Parameters MUST be encoded in structure
+ preferredPresent, -- Parameters SHOULD be encoded in structure
+ preferredAbsent, -- Parameters SHOULD NOT be encoded in structure
+ absent, -- Parameters MUST NOT be encoded in structure
+ inheritable, -- Parameters are inherited if not present
+ optional, -- Parameters MAY be encoded in the structure
+ ...
+}
+
+-- DIGEST-ALGORITHM
+--
+-- Describes the basic information for ASN.1 and a digest
+-- algorithm.
+--
+-- &id - contains the OID identifying the digest algorithm
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+--
+-- Additional information such as the length of the hash could have
+-- been encoded. Without a clear understanding of what information
+-- is needed by applications, such extraneous information was not
+-- considered to be of sufficient importance.
+--
+-- Example:
+-- mda-sha1 DIGEST-ALGORITHM ::= {
+-- IDENTIFIER id-sha1
+-- PARAMS TYPE NULL ARE preferredAbsent
+-- }
+
+DIGEST-ALGORITHM ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [PARAMS [TYPE &Params] ARE ¶mPresence ]
+}
+
+-- SIGNATURE-ALGORITHM
+--
+-- Describes the basic properties of a signature algorithm
+--
+-- &id - contains the OID identifying the signature algorithm
+-- &Value - contains a type definition for the value structure of
+-- the signature; if absent, implies that no ASN.1
+-- encoding is performed on the value
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+-- &HashSet - The set of hash algorithms used with this
+-- signature algorithm
+-- &PublicKeySet - the set of public key algorithms for this
+-- signature algorithm
+-- &smimeCaps - contains the object describing how the S/MIME
+-- capabilities are presented.
+--
+-- Example:
+-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
+-- IDENTIFIER id-RSASSA-PSS
+-- PARAMS TYPE RSASSA-PSS-params ARE required
+-- HASHES { mda-sha1 | mda-md5, ... }
+-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
+-- }
+
+SIGNATURE-ALGORITHM ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Value OPTIONAL,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent,
+ &HashSet DIGEST-ALGORITHM OPTIONAL,
+ &PublicKeySet PUBLIC-KEY OPTIONAL,
+ &smimeCaps SMIME-CAPS OPTIONAL
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [VALUE &Value]
+ [PARAMS [TYPE &Params] ARE ¶mPresence ]
+ [HASHES &HashSet]
+ [PUBLIC-KEYS &PublicKeySet]
+ [SMIME-CAPS &smimeCaps]
+}
+
+-- PUBLIC-KEY
+--
+-- Describes the basic properties of a public key
+--
+-- &id - contains the OID identifying the public key
+-- &KeyValue - contains the type for the key value
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+-- &keyUsage - contains the set of bits that are legal for this
+-- key type. Note that is does not make any statement
+-- about how bits may be paired.
+-- &PrivateKey - contains a type structure for encoding the private
+-- key information.
+--
+-- Example:
+-- pk-rsa-pss PUBLIC-KEY ::= {
+-- IDENTIFIER id-RSASSA-PSS
+-- KEY RSAPublicKey
+-- PARAMS TYPE RSASSA-PSS-params ARE optional
+-- CERT-KEY-USAGE { .... }
+-- }
+
+PUBLIC-KEY ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &KeyValue OPTIONAL,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent,
+ &keyUsage KeyUsage OPTIONAL,
+ &PrivateKey OPTIONAL
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [KEY &KeyValue]
+ [PARAMS [TYPE &Params] ARE ¶mPresence]
+ [CERT-KEY-USAGE &keyUsage]
+ [PRIVATE-KEY &PrivateKey]
+}
+
+-- KEY-TRANSPORT
+--
+-- Describes the basic properties of a key transport algorithm
+--
+-- &id - contains the OID identifying the key transport algorithm
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+-- &PublicKeySet - specifies which public keys are used with
+-- this algorithm
+-- &smimeCaps - contains the object describing how the S/MIME
+-- capabilities are presented.
+--
+-- Example:
+-- kta-rsaTransport KEY-TRANSPORT ::= {
+-- IDENTIFIER &id
+-- PARAMS TYPE NULL ARE required
+-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
+-- }
+
+KEY-TRANSPORT ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent,
+ &PublicKeySet PUBLIC-KEY OPTIONAL,
+ &smimeCaps SMIME-CAPS OPTIONAL
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [PARAMS [TYPE &Params] ARE ¶mPresence]
+ [PUBLIC-KEYS &PublicKeySet]
+ [SMIME-CAPS &smimeCaps]
+}
+
+-- KEY-AGREE
+--
+-- Describes the basic properties of a key agreement algorithm
+--
+-- &id - contains the OID identifying the key agreement algorithm
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+-- &PublicKeySet - specifies which public keys are used with
+-- this algorithm
+-- &Ukm - type of user keying material used
+-- &ukmPresence - specifies the requirements to define the UKM field
+-- &smimeCaps - contains the object describing how the S/MIME
+-- capabilities are presented.
+--
+-- Example:
+-- kaa-dh-static-ephemeral KEY-AGREE ::= {
+-- IDENTIFIER id-alg-ESDH
+-- PARAMS TYPE KeyWrapAlgorithm ARE required
+-- PUBLIC-KEYS {
+-- {IDENTIFIER dh-public-number KEY DHPublicKey
+-- PARAMS TYPE DHDomainParameters ARE inheritable }
+-- }
+-- - - UKM should be present but is not separately ASN.1-encoded
+-- UKM ARE preferredPresent
+-- }
+
+KEY-AGREE ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent,
+ &PublicKeySet PUBLIC-KEY OPTIONAL,
+ &Ukm OPTIONAL,
+ &ukmPresence ParamOptions DEFAULT absent,
+ &smimeCaps SMIME-CAPS OPTIONAL
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [PARAMS [TYPE &Params] ARE ¶mPresence]
+ [PUBLIC-KEYS &PublicKeySet]
+ [UKM [TYPE &Ukm] ARE &ukmPresence]
+ [SMIME-CAPS &smimeCaps]
+}
+
+-- KEY-WRAP
+--
+-- Describes the basic properties of a key wrap algorithm
+--
+-- &id - contains the OID identifying the key wrap algorithm
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+-- &smimeCaps - contains the object describing how the S/MIME
+-- capabilities are presented.
+--
+-- Example:
+-- kwa-cms3DESwrap KEY-WRAP ::= {
+-- IDENTIFIER id-alg-CMS3DESwrap
+-- PARAMS TYPE NULL ARE required
+-- }
+
+KEY-WRAP ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent,
+ &smimeCaps SMIME-CAPS OPTIONAL
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [PARAMS [TYPE &Params] ARE ¶mPresence]
+ [SMIME-CAPS &smimeCaps]
+}
+-- KEY-DERIVATION
+--
+-- Describes the basic properties of a key derivation algorithm
+--
+-- &id - contains the OID identifying the key derivation algorithm
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+-- &smimeCaps - contains the object describing how the S/MIME
+-- capabilities are presented.
+--
+-- Example:
+-- kda-pbkdf2 KEY-DERIVATION ::= {
+-- IDENTIFIER id-PBKDF2
+-- PARAMS TYPE PBKDF2-params ARE required
+-- }
+
+KEY-DERIVATION ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent,
+ &smimeCaps SMIME-CAPS OPTIONAL
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [PARAMS [TYPE &Params] ARE ¶mPresence]
+ [SMIME-CAPS &smimeCaps]
+}
+
+-- MAC-ALGORITHM
+--
+-- Describes the basic properties of a message
+-- authentication code (MAC) algorithm
+--
+-- &id - contains the OID identifying the MAC algorithm
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+-- &keyed - MAC algorithm is a keyed MAC algorithm
+-- &smimeCaps - contains the object describing how the S/MIME
+-- capabilities are presented.
+--
+-- Some parameters that perhaps should have been added would be
+-- fields with the minimum and maximum MAC lengths for
+-- those MAC algorithms that allow truncations.
+--
+-- Example:
+-- maca-hmac-sha1 MAC-ALGORITHM ::= {
+-- IDENTIFIER hMAC-SHA1
+-- PARAMS TYPE NULL ARE preferredAbsent
+-- IS KEYED MAC TRUE
+-- SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
+-- }
+
+MAC-ALGORITHM ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent,
+ &keyed BOOLEAN,
+ &smimeCaps SMIME-CAPS OPTIONAL
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [PARAMS [TYPE &Params] ARE ¶mPresence]
+ IS-KEYED-MAC &keyed
+ [SMIME-CAPS &smimeCaps]
+}
+
+-- CONTENT-ENCRYPTION
+--
+-- Describes the basic properties of a content encryption
+-- algorithm
+--
+-- &id - contains the OID identifying the content
+-- encryption algorithm
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+-- &smimeCaps - contains the object describing how the S/MIME
+-- capabilities are presented.
+--
+-- Example:
+-- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
+-- IDENTIFIER des-ede3-cbc
+-- PARAMS TYPE IV ARE required
+-- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
+-- }
+
+CONTENT-ENCRYPTION ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent,
+ &smimeCaps SMIME-CAPS OPTIONAL
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [PARAMS [TYPE &Params] ARE ¶mPresence]
+ [SMIME-CAPS &smimeCaps]
+}
+
+-- ALGORITHM
+--
+-- Describes a generic algorithm identifier
+--
+-- &id - contains the OID identifying the algorithm
+-- &Params - if present, contains the type for the algorithm
+-- parameters; if absent, implies no parameters
+-- ¶mPresence - parameter presence requirement
+-- &smimeCaps - contains the object describing how the S/MIME
+-- capabilities are presented.
+--
+-- This would be used for cases where an algorithm of an unknown
+-- type is used. In general however, one should either define
+-- a more complete algorithm structure (such as the one above)
+-- or use the TYPE-IDENTIFIER class.
+
+ALGORITHM ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Params OPTIONAL,
+ ¶mPresence ParamOptions DEFAULT absent,
+ &smimeCaps SMIME-CAPS OPTIONAL
+} WITH SYNTAX {
+ IDENTIFIER &id
+ [PARAMS [TYPE &Params] ARE ¶mPresence]
+ [SMIME-CAPS &smimeCaps]
+}
+
+-- AlgorithmIdentifier
+--
+-- Provides the generic structure that is used to encode algorithm
+-- identification and the parameters associated with the
+-- algorithm.
+--
+-- The first parameter represents the type of the algorithm being
+-- used.
+-- The second parameter represents an object set containing the
+-- algorithms that may occur in this situation.
+-- The initial list of required algorithms should occur to the
+-- left of an extension marker; all other algorithms should
+-- occur to the right of an extension marker.
+--
+-- The object class ALGORITHM can be used for generic unspecified
+-- items.
+-- If new ALGORITHM classes are defined, the fields &id and &Params
+-- need to be present as fields in the object in order to use
+-- this parameterized type.
+--
+-- Example:
+-- SignatureAlgorithmIdentifier ::=
+-- AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgSet}}
+
+AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
+ SEQUENCE {
+ algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
+ parameters ALGORITHM-TYPE.
+ &Params({AlgorithmSet}{@algorithm}) OPTIONAL
+ }
+
+-- S/MIME Capabilities
+--
+-- We have moved the SMIME-CAPS from the module for RFC 3851 to here
+-- because it is used in RFC 4262 (X.509 Certificate Extension for
+-- S/MIME Capabilities)
+--
+--
+-- This class is used to represent an S/MIME capability. S/MIME
+-- capabilities are used to represent what algorithm capabilities
+-- an individual has. The classic example was the content encryption
+-- algorithm RC2 where the algorithm id and the RC2 key lengths
+-- supported needed to be advertised, but the IV used is not fixed.
+-- Thus, for RC2 we used
+--
+-- cap-RC2CBC SMIME-CAPS ::= {
+-- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
+--
+-- where 40 and 128 represent the RC2 key length in number of bits.
+--
+-- Another example where information needs to be shown is for
+-- RSA-OAEP where only specific hash functions or mask generation
+-- functions are supported, but the saltLength is specified by the
+-- sender and not the recipient. In this case, one can either
+-- generate a number of capability items,
+-- or a new S/MIME capability type could be generated where
+-- multiple hash functions could be specified.
+--
+--
+-- SMIME-CAP
+--
+-- This class is used to associate the type that describes the
+-- capabilities with the object identifier.
+--
+
+SMIME-CAPS ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Type OPTIONAL
+}
+WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }
+
+--
+-- Generic type - this is used for defining values.
+--
+
+-- Define a single S/MIME capability encoding
+
+SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
+ capabilityID SMIME-CAPS.&id({CapabilitySet}),
+ parameters SMIME-CAPS.&Type({CapabilitySet}
+ {@capabilityID}) OPTIONAL
+}
+
+-- Define a sequence of S/MIME capability values
+
+SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
+ SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }
+
+END
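Review bot: The parameter-presence field is printed as `¶mPresence` in every class definition in this file (DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY, KEY-TRANSPORT, KEY-AGREE, KEY-WRAP, KEY-DERIVATION, MAC-ALGORITHM, CONTENT-ENCRYPTION, ALGORITHM) and in the comments describing them. That is not a valid ASN.1 field reference. The RFC 5912 module spells it `&paramPresence`, so this looks like `&para` having been decoded as an HTML entity somewhere between the commit and this copy of the patch. Before applying, confirm that the patch file itself reads `&paramPresence ParamOptions DEFAULT absent,` and `[PARAMS [TYPE &Params] ARE &paramPresence]`. If the garbled form is what is applied, the module should fail ASN.1 compilation, and any hand repair should be diffed against the upstream commit.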
diff --git a/lib/public_key/asn1/AsymmetricKeyPackageModuleV1.asn1 b/lib/public_key/asn1/AsymmetricKeyPackageModuleV1.asn1
new file mode 100644
index 0000000000..bc4066c014
--- /dev/null
+++ b/lib/public_key/asn1/AsymmetricKeyPackageModuleV1.asn1
@@ -0,0 +1,167 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+AsymmetricKeyPackageModuleV1
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-asymmetricKeyPkgV1(50) }
+
+ DEFINITIONS IMPLICIT TAGS ::=
+
+ BEGIN
+
+ -- EXPORTS ALL
+
+ IMPORTS
+
+ -- FROM New SMIME ASN.1 [RFC5911]
+
+ Attribute{}, CONTENT-TYPE
+ FROM CryptographicMessageSyntax-2009
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-cms-2004-02(41) }
+
+ -- From New PKIX ASN.1 [RFC5912]
+ ATTRIBUTE
+ FROM PKIX-CommonTypes-2009
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkixCommon-02(57) }
+
+ -- From New PKIX ASN.1 [RFC5912]
+
+ AlgorithmIdentifier{}, ALGORITHM, PUBLIC-KEY, CONTENT-ENCRYPTION
+ FROM AlgorithmInformation-2009
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58) }
+
+ ;
+
+ ContentSet CONTENT-TYPE ::= {
+ ct-asymmetric-key-package,
+ ... -- Expect additional content types --
+ }
+
+ ct-asymmetric-key-package CONTENT-TYPE ::=
+ { AsymmetricKeyPackage IDENTIFIED BY id-ct-KP-aKeyPackage }
+
+ id-ct-KP-aKeyPackage OBJECT IDENTIFIER ::=
+ { joint-iso-itu-t(2) country(16) us(840) organization(1)
+ gov(101) dod(2) infosec(1) formats(2)
+ key-package-content-types(78) 5
+ }
+
+ AsymmetricKeyPackage ::= SEQUENCE SIZE (1..MAX) OF OneAsymmetricKey
+
+ OneAsymmetricKey ::= SEQUENCE {
+ version Version,
+ privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+ privateKey PrivateKey,
+ attributes [0] Attributes OPTIONAL,
+ ...,
+ [[2: publicKey [1] PublicKey OPTIONAL ]],
+ ...
+ }
+
+ PrivateKeyInfo ::= OneAsymmetricKey
+
+ -- PrivateKeyInfo is used by [P12]. If any items tagged as version
+ -- 2 are used, the version must be v2, else the version should be
+ -- v1. When v1, PrivateKeyInfo is the same as it was in [RFC5208].
+
+ Version ::= INTEGER { v1(0), v2(1) } (v1, ..., v2)
+
+ PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+ { PUBLIC-KEY,
+ { PrivateKeyAlgorithms } }
+
+ PrivateKey ::= OCTET STRING
+ -- Content varies based on type of key. The
+ -- algorithm identifier dictates the format of
+ -- the key.
+
+ PublicKey ::= BIT STRING
+ -- Content varies based on type of key. The
+ -- algorithm identifier dictates the format of
+ -- the key.
+
+ Attributes ::= SET OF Attribute { { OneAsymmetricKeyAttributes } }
+
+ OneAsymmetricKeyAttributes ATTRIBUTE ::= {
+ ... -- For local profiles
+ }
+
+ -- An alternate representation that makes full use of ASN.1
+ -- constraints follows. Also note that PUBLIC-KEY needs to be
+ -- imported from the new PKIX ASN.1 Algorithm Information module
+ -- and PrivateKeyAlgorithms needs to be commented out.
+
+ -- OneAsymmetricKey ::= SEQUENCE {
+ -- version Version,
+ -- privateKeyAlgorithm SEQUENCE {
+ -- algorithm PUBLIC-KEY.&id({PublicKeySet}),
+ -- parameters PUBLIC-KEY.&Params({PublicKeySet}
+ -- {@privateKeyAlgorithm.algorithm})
+ -- OPTIONAL}
+ -- privateKey OCTET STRING (CONTAINING
+ -- PUBLIC-KEY.&PrivateKey({PublicKeySet}
+ -- {@privateKeyAlgorithm.algorithm})),
+ -- attributes [0] Attributes OPTIONAL,
+ -- ...,
+ -- [[2: publicKey [1] BIT STRING (CONTAINING
+ -- PUBLIC-KEY.&Params({PublicKeySet}
+ -- {@privateKeyAlgorithm.algorithm})
+ -- OPTIONAL,
+ -- ...
+ -- }
+
+ EncryptedPrivateKeyInfo ::= SEQUENCE {
+ encryptionAlgorithm EncryptionAlgorithmIdentifier,
+ encryptedData EncryptedData }
+
+ EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+ { CONTENT-ENCRYPTION,
+ { KeyEncryptionAlgorithms } }
+
+ EncryptedData ::= OCTET STRING -- Encrypted PrivateKeyInfo
+
+ PrivateKeyAlgorithms ALGORITHM ::= {
+ ... -- Extensible
+ }
+
+ KeyEncryptionAlgorithms ALGORITHM ::= {
+ ... -- Extensible
+ }
+
+ END
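Review bot: `PrivateKeyAlgorithmIdentifier` instantiates `AlgorithmIdentifier` with class `PUBLIC-KEY`, but the object set it passes, `PrivateKeyAlgorithms`, is declared further down as class `ALGORITHM`. The actual parameter therefore does not have the governing class the parameterized type asks for. `EncryptionAlgorithmIdentifier` has the same mismatch between `CONTENT-ENCRYPTION` and `KeyEncryptionAlgorithms`. Both sets are also empty and extensible, so presumably the generated decoder accepts any algorithm OID and leaves `parameters` unchecked, while `privateKey` and `encryptedData` are opaque OCTET STRINGs at this layer. If that is the intent, I would record it next to the two sets, for example `-- Empty on purpose: algorithm OID, parameters and key contents are validated by the calling code, not by the decoder.`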
diff --git a/lib/public_key/asn1/AttributeCertificateVersion1-2009.asn1 b/lib/public_key/asn1/AttributeCertificateVersion1-2009.asn1
new file mode 100644
index 0000000000..c03a39e171
--- /dev/null
+++ b/lib/public_key/asn1/AttributeCertificateVersion1-2009.asn1
@@ -0,0 +1,93 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ AttributeCertificateVersion1-2009
+ {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-v1AttrCert-02(49)}
+ DEFINITIONS EXPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{}
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+ AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE
+ FROM PKIX-CommonTypes-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
+
+ CertificateSerialNumber, UniqueIdentifier, SIGNED{}
+ FROM PKIX1Explicit-2009
+ { iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
+
+ GeneralNames
+ FROM PKIX1Implicit-2009
+ { iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
+
+ AttCertValidityPeriod, IssuerSerial
+ FROM PKIXAttributeCertificate-2009
+ { iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } ;
+
+ -- Definition extracted from X.509-1997 [X.509-97], but
+ -- different type names are used to avoid collisions.
+
+ AttributeCertificateV1 ::= SIGNED{AttributeCertificateInfoV1}
+
+ AttributeCertificateInfoV1 ::= SEQUENCE {
+ version AttCertVersionV1 DEFAULT v1,
+ subject CHOICE {
+ baseCertificateID [0] IssuerSerial,
+ -- associated with a Public Key Certificate
+ subjectName [1] GeneralNames },
+ -- associated with a name
+ issuer GeneralNames,
+ signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}},
+ serialNumber CertificateSerialNumber,
+ attCertValidityPeriod AttCertValidityPeriod,
+ attributes SEQUENCE OF AttributeSet{{AttrList}},
+ issuerUniqueID UniqueIdentifier OPTIONAL,
+ extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL }
+
+ AttCertVersionV1 ::= INTEGER { v1(0) }
+
+ AttrList ATTRIBUTE ::= {...}
+ AttributeCertExtensionsV1 EXTENSION ::= {...}
+
+ END
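Review bot: The new AttributeCertificateVersion1-2009 module has no comment naming the document it was taken from. The sibling CMSAesRsaesOaep-2009.asn1 added in this patch carries `-- RFC5911` after `-- %CopyrightEnd%`, and the same provenance line would help here; the module OID `id-mod-v1AttrCert-02(49)` suggests the same RFC, but that should be confirmed. A short comment on `signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}}` would also be useful, for example `-- open set: any algorithm OID decodes; the verifier must restrict it`. Because `AttrList` and `AttributeCertExtensionsV1` are likewise left as `{...}`, the generated decoder presumably places no limit on what a V1 attribute certificate may carry.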
diff --git a/lib/public_key/asn1/AuthenticationFramework.asn1 b/lib/public_key/asn1/AuthenticationFramework.asn1
deleted file mode 100644
index 3754486473..0000000000
--- a/lib/public_key/asn1/AuthenticationFramework.asn1
+++ /dev/null
@@ -1,367 +0,0 @@
-AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
- authenticationFramework(7) 6} DEFINITIONS ::=
-BEGIN
-
--- EXPORTS All
--- The types and values defined in this module are exported for use in the other ASN.1 modules contained
--- within the Directory Specifications, and for the use of other applications which will use them to access
--- Directory services. Other applications may use them for their own purposes, but this will not constrain
--- extensions and modifications needed to maintain or improve the Directory service.
-IMPORTS
- id-at, id-nf, id-oc, informationFramework, selectedAttributeTypes,
- basicAccessControl, certificateExtensions
- FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
- usefulDefinitions(0) 6}
- Name, ATTRIBUTE, OBJECT-CLASS, NAME-FORM, top
- FROM InformationFramework informationFramework
- UniqueIdentifier, octetStringMatch, commonName, UnboundedDirectoryString
- FROM SelectedAttributeTypes selectedAttributeTypes
- certificateExactMatch, certificatePairExactMatch, certificateListExactMatch,
- KeyUsage, GeneralNames, CertificatePoliciesSyntax,
- algorithmIdentifierMatch, CertPolicyId
- FROM CertificateExtensions certificateExtensions;
-
--- parameterized types
-ENCRYPTED{ToBeEnciphered} ::=
- BIT STRING
- (CONSTRAINED BY {
- -- shall be the result of applying an encipherment procedure
- -- to the BER-encoded octets of a value of --ToBeEnciphered})
-
-HASH{ToBeHashed} ::= SEQUENCE {
- algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
- hashValue
- BIT STRING
- (CONSTRAINED BY {
- -- shall be the result of applying a hashing procedure to the DER-encoded octets
- -- of a value of -- ToBeHashed})
-}
-
-ENCRYPTED-HASH{ToBeSigned} ::=
- BIT STRING
- (CONSTRAINED BY {
- -- shall be the result of applying a hashing procedure to the DER-encoded (see 6.1) octets
- -- of a value of --ToBeSigned -- and then applying an encipherment procedure to those octets --})
-
-SIGNATURE{ToBeSigned} ::= SEQUENCE {
- algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
- encrypted ENCRYPTED-HASH{ToBeSigned}
-}
-
-SIGNED{ToBeSigned} ::= SEQUENCE {
- toBeSigned ToBeSigned,
- COMPONENTS OF SIGNATURE{ToBeSigned}
-}
-
--- public-key certificate definition
-Certificate ::= SIGNED{CertificateContent}
-
-CertificateContent ::= SEQUENCE {
- version [0] Version DEFAULT v1,
- serialNumber CertificateSerialNumber,
- signature AlgorithmIdentifier{{SupportedAlgorithms}},
- issuer Name,
- validity Validity,
- subject Name,
- subjectPublicKeyInfo SubjectPublicKeyInfo,
- issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL,
- -- if present, version shall be v2 or v3
- subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
- -- if present, version shall be v2 or v3
- extensions [3] Extensions OPTIONAL
- -- If present, version shall be v3
-}
-
-Version ::= INTEGER {v1(0), v2(1), v3(2)}
-
-CertificateSerialNumber ::= INTEGER
-
-AlgorithmIdentifier{ALGORITHM:SupportedAlgorithms} ::= SEQUENCE {
- algorithm ALGORITHM.&id({SupportedAlgorithms}),
- parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL
-}
-
--- Definition of the following information object set is deferred, perhaps to standardized
--- profiles or to protocol implementation conformance statements. The set is required to
--- specify a table constraint on the parameters component of AlgorithmIdentifier.
-SupportedAlgorithms ALGORITHM ::=
- {...}
-
-Validity ::= SEQUENCE {notBefore Time,
- notAfter Time
-}
-
-SubjectPublicKeyInfo ::= SEQUENCE {
- algorithm AlgorithmIdentifier{{SupportedAlgorithms}},
- subjectPublicKey BIT STRING
-}
-
-Time ::= CHOICE {utcTime UTCTime,
- generalizedTime GeneralizedTime
-}
-
-Extensions ::= SEQUENCE OF Extension
-
--- For those extensions where ordering of individual extensions within the SEQUENCE is significant, the
--- specification of those individual extensions shall include the rules for the significance of the order therein
-Extension ::= SEQUENCE {
- extnId EXTENSION.&id({ExtensionSet}),
- critical BOOLEAN DEFAULT FALSE,
- extnValue
- OCTET STRING
- (CONTAINING EXTENSION.&ExtnType({ExtensionSet}{@extnId})
- ENCODED BY
- der)
-}
-
-der OBJECT IDENTIFIER ::=
- {joint-iso-itu-t asn1(1) ber-derived(2) distinguished-encoding(1)}
-
-ExtensionSet EXTENSION ::=
- {...}
-
-EXTENSION ::= CLASS {&id OBJECT IDENTIFIER UNIQUE,
- &ExtnType
-}WITH SYNTAX {SYNTAX &ExtnType
- IDENTIFIED BY &id
-}
-
-ALGORITHM ::= CLASS {&Type OPTIONAL,
- &id OBJECT IDENTIFIER UNIQUE
-}WITH SYNTAX {[&Type]
- IDENTIFIED BY &id
-}
-
--- other PKI certificate constructs
-Certificates ::= SEQUENCE {
- userCertificate Certificate,
- certificationPath ForwardCertificationPath OPTIONAL
-}
-
-CertificationPath ::= SEQUENCE {
- userCertificate Certificate,
- theCACertificates SEQUENCE OF CertificatePair OPTIONAL
-}
-
-ForwardCertificationPath ::= SEQUENCE OF CrossCertificates
-
-CrossCertificates ::= SET OF Certificate
-
-PkiPath ::= SEQUENCE OF Certificate
-
--- certificate revocation list (CRL)
-CertificateList ::=
- SIGNED{CertificateListContent}
-
-CertificateListContent ::= SEQUENCE {
- version Version OPTIONAL,
- -- if present, version shall be v2
- signature AlgorithmIdentifier{{SupportedAlgorithms}},
- issuer Name,
- thisUpdate Time,
- nextUpdate Time OPTIONAL,
- revokedCertificates
- SEQUENCE OF
- SEQUENCE {serialNumber CertificateSerialNumber,
- revocationDate Time,
- crlEntryExtensions Extensions OPTIONAL} OPTIONAL,
- crlExtensions [0] Extensions OPTIONAL
-}
-
--- PKI object classes
-pkiUser OBJECT-CLASS ::= {
- SUBCLASS OF {top}
- KIND auxiliary
- MAY CONTAIN {userCertificate}
- ID id-oc-pkiUser
-}
-
-pkiCA OBJECT-CLASS ::= {
- SUBCLASS OF {top}
- KIND auxiliary
- MAY CONTAIN
- {cACertificate | certificateRevocationList | authorityRevocationList |
- crossCertificatePair}
- ID id-oc-pkiCA
-}
-
-cRLDistributionPoint OBJECT-CLASS ::= {
- SUBCLASS OF {top}
- KIND structural
- MUST CONTAIN {commonName}
- MAY CONTAIN
- {certificateRevocationList | authorityRevocationList | deltaRevocationList}
- ID id-oc-cRLDistributionPoint
-}
-
-cRLDistPtNameForm NAME-FORM ::= {
- NAMES cRLDistributionPoint
- WITH ATTRIBUTES {commonName}
- ID id-nf-cRLDistPtNameForm
-}
-
-deltaCRL OBJECT-CLASS ::= {
- SUBCLASS OF {top}
- KIND auxiliary
- MAY CONTAIN {deltaRevocationList}
- ID id-oc-deltaCRL
-}
-
-cpCps OBJECT-CLASS ::= {
- SUBCLASS OF {top}
- KIND auxiliary
- MAY CONTAIN {certificatePolicy | certificationPracticeStmt}
- ID id-oc-cpCps
-}
-
-pkiCertPath OBJECT-CLASS ::= {
- SUBCLASS OF {top}
- KIND auxiliary
- MAY CONTAIN {pkiPath}
- ID id-oc-pkiCertPath
-}
-
--- PKI directory attributes
-userCertificate ATTRIBUTE ::= {
- WITH SYNTAX Certificate
- EQUALITY MATCHING RULE certificateExactMatch
- ID id-at-userCertificate
-}
-
-cACertificate ATTRIBUTE ::= {
- WITH SYNTAX Certificate
- EQUALITY MATCHING RULE certificateExactMatch
- ID id-at-cAcertificate
-}
-
-crossCertificatePair ATTRIBUTE ::= {
- WITH SYNTAX CertificatePair
- EQUALITY MATCHING RULE certificatePairExactMatch
- ID id-at-crossCertificatePair
-}
-
-CertificatePair ::= SEQUENCE {
- forward [0] Certificate OPTIONAL,
- reverse [1] Certificate OPTIONAL
- -- at least one of the pair shall be present
-}
-(WITH COMPONENTS {
- ...,
- forward PRESENT
- } | WITH COMPONENTS {
- ...,
- reverse PRESENT
- })
-
-certificateRevocationList ATTRIBUTE ::= {
- WITH SYNTAX CertificateList
- EQUALITY MATCHING RULE certificateListExactMatch
- ID id-at-certificateRevocationList
-}
-
-authorityRevocationList ATTRIBUTE ::= {
- WITH SYNTAX CertificateList
- EQUALITY MATCHING RULE certificateListExactMatch
- ID id-at-authorityRevocationList
-}
-
-deltaRevocationList ATTRIBUTE ::= {
- WITH SYNTAX CertificateList
- EQUALITY MATCHING RULE certificateListExactMatch
- ID id-at-deltaRevocationList
-}
-
-supportedAlgorithms ATTRIBUTE ::= {
- WITH SYNTAX SupportedAlgorithm
- EQUALITY MATCHING RULE algorithmIdentifierMatch
- ID id-at-supportedAlgorithms
-}
-
-SupportedAlgorithm ::= SEQUENCE {
- algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
- intendedUsage [0] KeyUsage OPTIONAL,
- intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL
-}
-
-certificationPracticeStmt ATTRIBUTE ::= {
- WITH SYNTAX InfoSyntax
- ID id-at-certificationPracticeStmt
-}
-
-InfoSyntax ::= CHOICE {
- content UnboundedDirectoryString,
- pointer SEQUENCE {name GeneralNames,
- hash HASH{HashedPolicyInfo} OPTIONAL}
-}
-
-POLICY ::= TYPE-IDENTIFIER
-
-HashedPolicyInfo ::= POLICY.&Type({Policies})
-
-Policies POLICY ::=
- {...} -- Defined by implementors
-
-certificatePolicy ATTRIBUTE ::= {
- WITH SYNTAX PolicySyntax
- ID id-at-certificatePolicy
-}
-
-PolicySyntax ::= SEQUENCE {
- policyIdentifier PolicyID,
- policySyntax InfoSyntax
-}
-
-PolicyID ::= CertPolicyId
-
-pkiPath ATTRIBUTE ::= {WITH SYNTAX PkiPath
- ID id-at-pkiPath
-}
-
-userPassword ATTRIBUTE ::= {
- WITH SYNTAX OCTET STRING(SIZE (0..MAX))
- EQUALITY MATCHING RULE octetStringMatch
- ID id-at-userPassword
-}
-
--- object identifier assignments
--- object classes
-id-oc-cRLDistributionPoint OBJECT IDENTIFIER ::=
- {id-oc 19}
-
-id-oc-pkiUser OBJECT IDENTIFIER ::= {id-oc 21}
-
-id-oc-pkiCA OBJECT IDENTIFIER ::= {id-oc 22}
-
-id-oc-deltaCRL OBJECT IDENTIFIER ::= {id-oc 23}
-
-id-oc-cpCps OBJECT IDENTIFIER ::= {id-oc 30}
-
-id-oc-pkiCertPath OBJECT IDENTIFIER ::= {id-oc 31}
-
--- name forms
-id-nf-cRLDistPtNameForm OBJECT IDENTIFIER ::= {id-nf 14}
-
--- directory attributes
-id-at-userPassword OBJECT IDENTIFIER ::= {id-at 35}
-
-id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
-
-id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
-
-id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
-
-id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
-
-id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
-
-id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52}
-
-id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53}
-
-id-at-certificationPracticeStmt OBJECT IDENTIFIER ::= {id-at 68}
-
-id-at-certificatePolicy OBJECT IDENTIFIER ::= {id-at 69}
-
-id-at-pkiPath OBJECT IDENTIFIER ::= {id-at 70}
-
-END -- AuthenticationFramework
diff --git a/lib/public_key/asn1/CMSAesRsaesOaep-2009.asn1 b/lib/public_key/asn1/CMSAesRsaesOaep-2009.asn1
new file mode 100644
index 0000000000..d8b6b33621
--- /dev/null
+++ b/lib/public_key/asn1/CMSAesRsaesOaep-2009.asn1
@@ -0,0 +1,122 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+--
+-- RFC5911
+
+CMSAesRsaesOaep-2009 {iso(1) member-body(2) us(840) rsadsi(113549)
+ pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38)}
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)};
+
+ AES-ContentEncryption CONTENT-ENCRYPTION ::= {
+ cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
+ }
+
+ AES-KeyWrap KEY-WRAP ::= {
+ kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
+ }
+
+ SMimeCaps SMIME-CAPS ::= {
+ cea-aes128-cbc.&smimeCaps |
+ cea-aes192-cbc.&smimeCaps |
+ cea-aes256-cbc.&smimeCaps |
+ kwa-aes128-wrap.&smimeCaps |
+ kwa-aes192-wrap.&smimeCaps |
+ kwa-aes256-wrap.&smimeCaps, ...
+ }
+
+ -- AES information object identifiers --
+
+ aes OBJECT IDENTIFIER ::=
+ { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
+ csor(3) nistAlgorithms(4) 1 }
+
+ -- AES using CBC mode for key sizes of 128, 192, 256
+
+ cea-aes128-cbc CONTENT-ENCRYPTION ::= {
+ IDENTIFIER id-aes128-CBC
+ PARAMS TYPE AES-IV ARE required
+ SMIME-CAPS { IDENTIFIED BY id-aes128-CBC }
+ }
+ id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
+
+ cea-aes192-cbc CONTENT-ENCRYPTION ::= {
+ IDENTIFIER id-aes192-CBC
+PARAMS TYPE AES-IV ARE required
+ SMIME-CAPS { IDENTIFIED BY id-aes192-CBC }
+ }
+ id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
+
+ cea-aes256-cbc CONTENT-ENCRYPTION ::= {
+ IDENTIFIER id-aes256-CBC
+ PARAMS TYPE AES-IV ARE required
+ SMIME-CAPS { IDENTIFIED BY id-aes256-CBC }
+ }
+ id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }
+
+ -- AES-IV is the parameter for all the above object identifiers.
+
+ AES-IV ::= OCTET STRING (SIZE(16))
+
+ -- AES Key Wrap Algorithm Identifiers - Parameter is absent
+
+ kwa-aes128-wrap KEY-WRAP ::= {
+ IDENTIFIER id-aes128-wrap
+ PARAMS ARE absent
+ SMIME-CAPS { IDENTIFIED BY id-aes128-wrap }
+ }
+ id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
+
+ kwa-aes192-wrap KEY-WRAP ::= {
+ IDENTIFIER id-aes192-wrap
+ PARAMS ARE absent
+ SMIME-CAPS { IDENTIFIED BY id-aes192-wrap }
+ }
+ id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
+
+ kwa-aes256-wrap KEY-WRAP ::= {
+ IDENTIFIER id-aes256-wrap
+ PARAMS ARE absent
+ SMIME-CAPS { IDENTIFIED BY id-aes256-wrap }
+ }
+ id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
+
+ END
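Review bot: In `cea-aes192-cbc` the line `PARAMS TYPE AES-IV ARE required` has lost its indentation, unlike the identical lines in `cea-aes128-cbc` and `cea-aes256-cbc`. It is harmless to the compiler, but re-indenting it keeps the three objects visually parallel. Separately, `ARE required` and `AES-IV ::= OCTET STRING (SIZE(16))` are, as far as I can tell, descriptive rather than something a BER decoder is guaranteed to enforce. A comment next to `AES-IV` such as `-- consumers must check that the IV is present and exactly 16 octets` would therefore be worth adding. The `...` markers in `AES-ContentEncryption` and `AES-KeyWrap` also make both sets extensible, so an allow-list of accepted algorithms presumably has to be applied in the Erlang code, not here.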
diff --git a/lib/public_key/asn1/CMSAesRsaesOaep.asn1 b/lib/public_key/asn1/CMSAesRsaesOaep.asn1
deleted file mode 100644
index ca8c7b7f92..0000000000
--- a/lib/public_key/asn1/CMSAesRsaesOaep.asn1
+++ /dev/null
@@ -1,39 +0,0 @@
-CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549)
- pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) }
-
-
-DEFINITIONS IMPLICIT TAGS ::=
-BEGIN
-
--- EXPORTS ALL --
-IMPORTS
- -- PKIX
- AlgorithmIdentifier
- FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-pkix1-explicit(18)};
-
--- AES information object identifiers --
-
-aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
- organization(1) gov(101) csor(3) nistAlgorithms(4) 1 }
-
--- AES using CBC-chaining mode for key sizes of 128, 192, 256
-
-id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
-id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
-id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }
-
--- AES-IV is a the parameter for all the above object identifiers.
-
-AES-IV ::= OCTET STRING (SIZE(16))
-
-
--- AES Key Wrap Algorithm Identifiers - Parameter is absent
-
-id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
-id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
-id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
-
-
-END
diff --git a/lib/public_key/asn1/CryptographicMessageSyntax-2009.asn1 b/lib/public_key/asn1/CryptographicMessageSyntax-2009.asn1
new file mode 100644
index 0000000000..6f06258329
--- /dev/null
+++ b/lib/public_key/asn1/CryptographicMessageSyntax-2009.asn1
@@ -0,0 +1,497 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ CryptographicMessageSyntax-2009
+ { iso(1) member-body(2) us(840) rsadsi(113549)
+ pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
+ PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
+ KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
+ AlgorithmIdentifier
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+ SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
+ MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
+ KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
+ FROM CryptographicMessageSyntaxAlgorithms-2009
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
+
+ Certificate, CertificateList, CertificateSerialNumber,
+ Name, ATTRIBUTE
+ FROM PKIX1Explicit-2009
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-explicit-02(51) }
+
+ AttributeCertificate
+ FROM PKIXAttributeCertificate-2009
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-attribute-cert-02(47) }
+
+ AttributeCertificateV1
+ FROM AttributeCertificateVersion1-2009
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;
+
+ -- Cryptographic Message Syntax
+
+ -- The following are used for version numbers using the ASN.1
+ -- idiom "[[n:"
+ -- Version 1 = PKCS #7
+ -- Version 2 = S/MIME V2
+ -- Version 3 = RFC 2630
+ -- Version 4 = RFC 3369
+ -- Version 5 = RFC 3852
+
+ CONTENT-TYPE ::= TYPE-IDENTIFIER
+ ContentType ::= CONTENT-TYPE.&id
+
+ ContentInfo ::= SEQUENCE {
+ contentType CONTENT-TYPE.
+ &id({ContentSet}),
+ content [0] EXPLICIT CONTENT-TYPE.
+ &Type({ContentSet}{@contentType})}
+
+ ContentSet CONTENT-TYPE ::= {
+ -- Define the set of content types to be recognized.
+ ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
+ ct-AuthenticatedData | ct-DigestedData, ... }
+
+ SignedData ::= SEQUENCE {
+ version CMSVersion,
+ digestAlgorithms SET OF DigestAlgorithmIdentifier,
+ encapContentInfo EncapsulatedContentInfo,
+ certificates [0] IMPLICIT CertificateSet OPTIONAL,
+ crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
+ signerInfos SignerInfos }
+
+ SignerInfos ::= SET OF SignerInfo
+
+ EncapsulatedContentInfo ::= SEQUENCE {
+ eContentType CONTENT-TYPE.&id({ContentSet}),
+ eContent [0] EXPLICIT OCTET STRING
+ ( CONTAINING CONTENT-TYPE.
+ &Type({ContentSet}{@eContentType})) OPTIONAL }
+
+ SignerInfo ::= SEQUENCE {
+ version CMSVersion,
+ sid SignerIdentifier,
+ digestAlgorithm DigestAlgorithmIdentifier,
+ signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
+ signatureAlgorithm SignatureAlgorithmIdentifier,
+ signature SignatureValue,
+ unsignedAttrs [1] IMPLICIT Attributes
+ {{UnsignedAttributes}} OPTIONAL }
+
+ SignedAttributes ::= Attributes {{ SignedAttributesSet }}
+
+ SignerIdentifier ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ ...,
+ [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
+
+ SignedAttributesSet ATTRIBUTE ::=
+ { aa-signingTime | aa-messageDigest | aa-contentType, ... }
+
+ UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }
+
+ SignatureValue ::= OCTET STRING
+
+ EnvelopedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ encryptedContentInfo EncryptedContentInfo,
+ ...,
+ [[2: unprotectedAttrs [1] IMPLICIT Attributes
+ {{ UnprotectedAttributes }} OPTIONAL ]] }
+
+ OriginatorInfo ::= SEQUENCE {
+ certs [0] IMPLICIT CertificateSet OPTIONAL,
+ crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }
+
+ RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
+
+ EncryptedContentInfo ::= SEQUENCE {
+ contentType CONTENT-TYPE.&id({ContentSet}),
+ contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
+ encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }
+
+ -- If you want to do constraints, you might use:
+ -- EncryptedContentInfo ::= SEQUENCE {
+ -- contentType CONTENT-TYPE.&id({ContentSet}),
+ -- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
+ -- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
+ -- &Type({ContentSet}{@contentType}) OPTIONAL }
+ -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
+ -- { ToBeEncrypted } )
+
+ UnprotectedAttributes ATTRIBUTE ::= { ... }
+
+ RecipientInfo ::= CHOICE {
+ ktri KeyTransRecipientInfo,
+ ...,
+ [[3: kari [1] KeyAgreeRecipientInfo ]],
+ [[4: kekri [2] KEKRecipientInfo]],
+ [[5: pwri [3] PasswordRecipientInfo,
+ ori [4] OtherRecipientInfo ]] }
+
+ EncryptedKey ::= OCTET STRING
+
+ KeyTransRecipientInfo ::= SEQUENCE {
+ version CMSVersion, -- always set to 0 or 2
+ rid RecipientIdentifier,
+ keyEncryptionAlgorithm AlgorithmIdentifier
+ {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
+ encryptedKey EncryptedKey }
+
+ KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }
+
+ RecipientIdentifier ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ ...,
+ [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
+ KeyAgreeRecipientInfo ::= SEQUENCE {
+ version CMSVersion, -- always set to 3
+ originator [0] EXPLICIT OriginatorIdentifierOrKey,
+ ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
+ keyEncryptionAlgorithm AlgorithmIdentifier
+ {KEY-AGREE, {KeyAgreementAlgorithmSet}},
+ recipientEncryptedKeys RecipientEncryptedKeys }
+
+ KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }
+
+ OriginatorIdentifierOrKey ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ subjectKeyIdentifier [0] SubjectKeyIdentifier,
+ originatorKey [1] OriginatorPublicKey }
+
+ OriginatorPublicKey ::= SEQUENCE {
+ algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
+ publicKey BIT STRING }
+
+ OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }
+
+ RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
+
+ RecipientEncryptedKey ::= SEQUENCE {
+ rid KeyAgreeRecipientIdentifier,
+ encryptedKey EncryptedKey }
+
+ KeyAgreeRecipientIdentifier ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ rKeyId [0] IMPLICIT RecipientKeyIdentifier }
+
+ RecipientKeyIdentifier ::= SEQUENCE {
+ subjectKeyIdentifier SubjectKeyIdentifier,
+ date GeneralizedTime OPTIONAL,
+ other OtherKeyAttribute OPTIONAL }
+
+ SubjectKeyIdentifier ::= OCTET STRING
+
+ KEKRecipientInfo ::= SEQUENCE {
+ version CMSVersion, -- always set to 4
+ kekid KEKIdentifier,
+ keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ encryptedKey EncryptedKey }
+
+ KEKIdentifier ::= SEQUENCE {
+ keyIdentifier OCTET STRING,
+ date GeneralizedTime OPTIONAL,
+ other OtherKeyAttribute OPTIONAL }
+ PasswordRecipientInfo ::= SEQUENCE {
+ version CMSVersion, -- always set to 0
+ keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
+ OPTIONAL,
+ keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ encryptedKey EncryptedKey }
+
+ OTHER-RECIPIENT ::= TYPE-IDENTIFIER
+
+ OtherRecipientInfo ::= SEQUENCE {
+ oriType OTHER-RECIPIENT.
+ &id({SupportedOtherRecipInfo}),
+ oriValue OTHER-RECIPIENT.
+ &Type({SupportedOtherRecipInfo}{@oriType})}
+
+ SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }
+
+ DigestedData ::= SEQUENCE {
+ version CMSVersion,
+ digestAlgorithm DigestAlgorithmIdentifier,
+ encapContentInfo EncapsulatedContentInfo,
+ digest Digest, ... }
+
+ Digest ::= OCTET STRING
+
+ EncryptedData ::= SEQUENCE {
+ version CMSVersion,
+ encryptedContentInfo EncryptedContentInfo,
+ ...,
+ [[2: unprotectedAttrs [1] IMPLICIT Attributes
+ {{UnprotectedAttributes}} OPTIONAL ]] }
+
+ AuthenticatedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ macAlgorithm MessageAuthenticationCodeAlgorithm,
+ digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
+ encapContentInfo EncapsulatedContentInfo,
+ authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
+ mac MessageAuthenticationCode,
+ unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
+
+ AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
+ {{AuthAttributeSet}}
+
+ AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
+ | aa-signingTime, ...}
+ MessageAuthenticationCode ::= OCTET STRING
+
+ UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
+ {{UnauthAttributeSet}}
+
+ UnauthAttributeSet ATTRIBUTE ::= {...}
+
+ --
+ -- General algorithm definitions
+ --
+
+ DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+ {DIGEST-ALGORITHM, {DigestAlgorithmSet}}
+
+ DigestAlgorithmSet DIGEST-ALGORITHM ::= {
+ CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }
+
+ SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
+ {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}
+
+ SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
+ { SignatureAlgs, ... }
+
+ KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+ {KEY-WRAP, {KeyEncryptionAlgorithmSet}}
+
+ KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }
+
+ ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+ {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}
+
+ ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
+ { ContentEncryptionAlgs, ... }
+
+ MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
+ {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}
+
+ MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
+ { MessageAuthAlgs, ... }
+
+ KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
+ {KEY-DERIVATION, {KeyDerivationAlgs, ...}}
+
+ RevocationInfoChoices ::= SET OF RevocationInfoChoice
+
+ RevocationInfoChoice ::= CHOICE {
+ crl CertificateList,
+ ...,
+ [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
+
+ OTHER-REVOK-INFO ::= TYPE-IDENTIFIER
+
+ OtherRevocationInfoFormat ::= SEQUENCE {
+ otherRevInfoFormat OTHER-REVOK-INFO.
+ &id({SupportedOtherRevokInfo}),
+ otherRevInfo OTHER-REVOK-INFO.
+ &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}
+
+ SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }
+
+ CertificateChoices ::= CHOICE {
+ certificate Certificate,
+ extendedCertificate [0] IMPLICIT ExtendedCertificate,
+ -- Obsolete
+ ...,
+ [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
+ -- Obsolete
+ [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
+ [[5: other [3] IMPLICIT OtherCertificateFormat]] }
+
+ AttributeCertificateV2 ::= AttributeCertificate
+
+ OTHER-CERT-FMT ::= TYPE-IDENTIFIER
+
+ OtherCertificateFormat ::= SEQUENCE {
+ otherCertFormat OTHER-CERT-FMT.
+ &id({SupportedCertFormats}),
+ otherCert OTHER-CERT-FMT.
+ &Type({SupportedCertFormats}{@otherCertFormat})}
+
+ SupportedCertFormats OTHER-CERT-FMT ::= { ... }
+
+ CertificateSet ::= SET OF CertificateChoices
+
+ IssuerAndSerialNumber ::= SEQUENCE {
+ issuer Name,
+ serialNumber CertificateSerialNumber }
+
+ CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
+
+ UserKeyingMaterial ::= OCTET STRING
+
+ KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
+
+ OtherKeyAttribute ::= SEQUENCE {
+ keyAttrId KEY-ATTRIBUTE.
+
+ &id({SupportedKeyAttributes}),
+ keyAttr KEY-ATTRIBUTE.
+ &Type({SupportedKeyAttributes}{@keyAttrId})}
+
+ SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }
+
+ -- Content Type Object Identifiers
+
+ id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }
+
+ ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}
+
+ id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
+
+ ct-SignedData CONTENT-TYPE ::=
+ { SignedData IDENTIFIED BY id-signedData}
+
+ id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
+
+ ct-EnvelopedData CONTENT-TYPE ::=
+ { EnvelopedData IDENTIFIED BY id-envelopedData}
+
+ id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }
+
+ ct-DigestedData CONTENT-TYPE ::=
+ { DigestedData IDENTIFIED BY id-digestedData}
+
+ id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }
+
+ ct-EncryptedData CONTENT-TYPE ::=
+ { EncryptedData IDENTIFIED BY id-encryptedData}
+
+ id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
+
+ ct-AuthenticatedData CONTENT-TYPE ::=
+ { AuthenticatedData IDENTIFIED BY id-ct-authData}
+
+ id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }
+
+ --
+ -- The CMS Attributes
+ --
+
+ MessageDigest ::= OCTET STRING
+
+ SigningTime ::= Time
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Countersignature ::= SignerInfo
+
+ -- Attribute Object Identifiers
+
+ aa-contentType ATTRIBUTE ::=
+ { TYPE ContentType IDENTIFIED BY id-contentType }
+ id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }
+
+ aa-messageDigest ATTRIBUTE ::=
+ { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
+ id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }
+
+ aa-signingTime ATTRIBUTE ::=
+ { TYPE SigningTime IDENTIFIED BY id-signingTime }
+ id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
+
+ aa-countersignature ATTRIBUTE ::=
+ { TYPE Countersignature IDENTIFIED BY id-countersignature }
+ id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
+
+ --
+ -- Obsolete Extended Certificate syntax from PKCS#6
+ --
+
+ ExtendedCertificateOrCertificate ::= CHOICE {
+ certificate Certificate,
+ extendedCertificate [0] IMPLICIT ExtendedCertificate }
+
+ ExtendedCertificate ::= SEQUENCE {
+ extendedCertificateInfo ExtendedCertificateInfo,
+ signatureAlgorithm SignatureAlgorithmIdentifier,
+ signature Signature }
+
+ ExtendedCertificateInfo ::= SEQUENCE {
+ version CMSVersion,
+ certificate Certificate,
+ attributes UnauthAttributes }
+
+ Signature ::= BIT STRING
+
+ Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
+ attrType ATTRIBUTE.
+ &id({AttrList}),
+ attrValues SET OF ATTRIBUTE.
+ &Type({AttrList}{@attrType}) }
+
+ Attributes { ATTRIBUTE:AttrList } ::=
+ SET SIZE (1..MAX) OF Attribute {{ AttrList }}
+
+ END
diff --git a/lib/public_key/asn1/CryptographicMessageSyntaxAlgorithms-2009.asn1 b/lib/public_key/asn1/CryptographicMessageSyntaxAlgorithms-2009.asn1
new file mode 100644
index 0000000000..17cf260fa1
--- /dev/null
+++ b/lib/public_key/asn1/CryptographicMessageSyntaxAlgorithms-2009.asn1
@@ -0,0 +1,282 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ CryptographicMessageSyntaxAlgorithms-2009
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
+ PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
+ KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
+ AlgorithmIdentifier{}, SMIME-CAPS
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+ pk-rsa, pk-dh, pk-dsa, rsaEncryption, DHPublicKey, dhpublicnumber
+ FROM PKIXAlgs-2009
+ {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-algorithms2008-02(56)}
+
+ cap-RC2CBC
+ FROM SecureMimeMessageV3dot1-2009
+ {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-msg-v3dot1-02(39)};
+
+ -- 2. Hash algorithms in this document
+
+ MessageDigestAlgs DIGEST-ALGORITHM ::= {
+ -- mda-md5 | mda-sha1,
+ ... }
+
+ -- 3. Signature algorithms in this document
+
+ SignatureAlgs SIGNATURE-ALGORITHM ::= {
+ -- See RFC 3279
+ -- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1,
+ ... }
+
+ -- 4. Key Management Algorithms
+ -- 4.1 Key Agreement Algorithms
+
+ KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
+ KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}
+
+ -- 4.2 Key Transport Algorithms
+
+ KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }
+
+ -- 4.3 Symmetric Key-Encryption Key Algorithms
+
+ KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }
+
+ -- 4.4 Key Derivation Algorithms
+
+ KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }
+
+ -- 5. Content Encryption Algorithms
+
+ ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
+ { cea-3DES-cbc | cea-RC2-cbc, ... }
+
+ -- 6. Message Authentication Code Algorithms
+
+ MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }
+
+ -- S/MIME Capabilities for these items
+
+ SMimeCaps SMIME-CAPS ::= {
+ kaa-esdh.&smimeCaps |
+ kaa-ssdh.&smimeCaps |
+ kt-rsa.&smimeCaps |
+ kwa-3DESWrap.&smimeCaps |
+ kwa-RC2Wrap.&smimeCaps |
+ cea-3DES-cbc.&smimeCaps |
+ cea-RC2-cbc.&smimeCaps |
+ maca-hMAC-SHA1.&smimeCaps,
+ ...}
+
+ --
+ --
+ --
+
+ -- Algorithm Identifiers
+
+ -- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ -- us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }
+
+ id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+ rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }
+
+ id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+ rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }
+
+ id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }
+
+ id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }
+
+ des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }
+
+ rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+ rsadsi(113549) encryptionAlgorithm(3) 2 }
+
+ hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }
+
+ id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+ rsadsi(113549) pkcs(1) pkcs-5(5) 12 }
+
+ -- Algorithm Identifier Parameter Types
+
+ KeyWrapAlgorithm ::=
+ AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }}
+
+ RC2wrapParameter ::= RC2ParameterVersion
+ RC2ParameterVersion ::= INTEGER
+
+ CBCParameter ::= IV
+
+ IV ::= OCTET STRING -- exactly 8 octets
+
+ RC2CBCParameter ::= SEQUENCE {
+ rc2ParameterVersion INTEGER (1..256),
+ iv OCTET STRING } -- exactly 8 octets
+
+ maca-hMAC-SHA1 MAC-ALGORITHM ::= {
+ IDENTIFIER hMAC-SHA1
+ PARAMS TYPE NULL ARE preferredAbsent
+ IS-KEYED-MAC TRUE
+ SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
+ }
+
+ PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
+ {PBKDF2-PRFs} }
+
+ alg-hMAC-SHA1 ALGORITHM ::=
+ { IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required }
+
+ PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }
+
+ PBKDF2-SaltSources ALGORITHM ::= { ... }
+
+ PBKDF2-SaltSourcesAlgorithmIdentifier ::=
+ AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}
+
+ defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
+ { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }
+
+ PBKDF2-params ::= SEQUENCE {
+ salt CHOICE {
+ specified OCTET STRING,
+ otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
+ iterationCount INTEGER (1..MAX),
+ keyLength INTEGER (1..MAX) OPTIONAL,
+ prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
+ defaultPBKDF2
+ }
+
+ --
+ -- This object is included for completeness. It should not be used
+ -- for encoding of signatures, but was sometimes used in older
+ -- versions of CMS for encoding of RSA signatures.
+ --
+ --
+ -- sa-rsa SIGNATURE-ALGORITHM ::= {
+ -- IDENTIFIER rsaEncryption
+ -- - - value is not ASN.1 encoded
+ -- PARAMS TYPE NULL ARE required
+ -- HASHES {mda-sha1 | mda-md5, ...}
+ -- PUBLIC-KEYS { pk-rsa}
+ -- }
+ --
+ -- No ASN.1 encoding is applied to the signature value
+ -- for these items
+
+ kaa-esdh KEY-AGREE ::= {
+ IDENTIFIER id-alg-ESDH
+ PARAMS TYPE KeyWrapAlgorithm ARE required
+ PUBLIC-KEYS { pk-dh }
+ -- UKM is not ASN.1 encoded
+ UKM ARE optional
+ SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
+ }
+
+ kaa-ssdh KEY-AGREE ::= {
+ IDENTIFIER id-alg-SSDH
+ PARAMS TYPE KeyWrapAlgorithm ARE required
+ PUBLIC-KEYS {pk-dh}
+ -- UKM is not ASN.1 encoded
+ UKM ARE optional
+ SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
+ }
+
+ dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber
+
+ pk-originator-dh PUBLIC-KEY ::= {
+ IDENTIFIER dh-public-number
+ KEY DHPublicKey
+ PARAMS ARE absent
+ CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly}
+ }
+
+ kwa-3DESWrap KEY-WRAP ::= {
+ IDENTIFIER id-alg-CMS3DESwrap
+ PARAMS TYPE NULL ARE required
+ SMIME-CAPS {IDENTIFIED BY id-alg-CMS3DESwrap}
+ }
+
+ kwa-RC2Wrap KEY-WRAP ::= {
+ IDENTIFIER id-alg-CMSRC2wrap
+ PARAMS TYPE RC2wrapParameter ARE required
+ SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
+ }
+
+ kda-PBKDF2 KEY-DERIVATION ::= {
+ IDENTIFIER id-PBKDF2
+ PARAMS TYPE PBKDF2-params ARE required
+ -- No S/MIME caps defined
+ }
+
+ cea-3DES-cbc CONTENT-ENCRYPTION ::= {
+ IDENTIFIER des-ede3-cbc
+ PARAMS TYPE IV ARE required
+ SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
+ }
+
+ cea-RC2-cbc CONTENT-ENCRYPTION ::= {
+ IDENTIFIER rc2-cbc
+ PARAMS TYPE RC2CBCParameter ARE required
+ SMIME-CAPS cap-RC2CBC
+ }
+
+ kt-rsa KEY-TRANSPORT ::= {
+ IDENTIFIER rsaEncryption
+ PARAMS TYPE NULL ARE required
+ PUBLIC-KEYS { pk-rsa }
+ SMIME-CAPS {IDENTIFIED BY rsaEncryption}
+ }
+
+ -- S/MIME Capabilities - most have no label.
+
+ cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }
+
+ END
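Review bot: `MessageDigestAlgs` and `SignatureAlgs` are reduced to a bare extension marker because their members are commented out (`-- mda-md5 | mda-sha1,` and `-- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1,`), and nothing in the file explains this departure from the IETF module it is taken from. `DigestAlgorithmSet` and `SignatureAlgorithmSet` in CryptographicMessageSyntax-2009 are built from these sets, so the table constraint presumably no longer ties any digest or signature OID to a parameter type. Code that consumes decoded CMS structures would then have to check the algorithm OID and its parameters itself. I would add a comment above each set giving the actual reason, for example `-- OTP: RFC members removed (<reason>); OIDs are not constrained by this set, callers must validate the algorithm`.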
diff --git a/lib/public_key/asn1/DSS.asn1 b/lib/public_key/asn1/DSS.asn1
index 77aca3808b..d5cf3d9112 100644
--- a/lib/public_key/asn1/DSS.asn1
+++ b/lib/public_key/asn1/DSS.asn1
@@ -1,3 +1,23 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: Apache-2.0
+--
+-- Copyright Ericsson AB 2008-2025. All Rights Reserved.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+-- %CopyrightEnd%
+
DSS DEFINITIONS EXPLICIT TAGS ::=
BEGIN
diff --git a/lib/public_key/asn1/ECPrivateKey.asn1 b/lib/public_key/asn1/ECPrivateKey.asn1
index 926afe5b29..7418ac90cc 100644
--- a/lib/public_key/asn1/ECPrivateKey.asn1
+++ b/lib/public_key/asn1/ECPrivateKey.asn1
@@ -1,31 +1,67 @@
-ECPrivateKey { iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-mod-ecprivateKey(65) }
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
-DEFINITIONS EXPLICIT TAGS ::=
+ ECPrivateKey { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-ecprivateKey(65) }
-BEGIN
+ DEFINITIONS EXPLICIT TAGS ::=
--- EXPORTS ALL;
+ BEGIN
-IMPORTS
+ -- EXPORTS ALL;
--- FROM New PKIX ASN.1 [RFC5912]
+ IMPORTS
-EcpkParameters FROM PKIX1Algorithms88;
+ -- FROM New PKIX ASN.1 [RFC5912]
-ECPrivateKey ::= SEQUENCE {
- version INTEGER,
- privateKey CurvePrivateKey,
- parameters [0] EcpkParameters OPTIONAL,
- publicKey [1] CurvePublicKey OPTIONAL,
- -- Should be PKCS-8 Attributes but problem at the moment with PKCS-8 being part
- -- of PCKS-FRAME and PKIX1Algorithms88 is part of OTP-PUB-KEY. Procrastinate
- -- the solution as it mostly not used anyway
- attributes ANY OPTIONAL
-}
+ ECParameters{}, NamedCurve
+ FROM PKIXAlgs-2009
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-algorithms2008-02(56) }
-CurvePrivateKey ::= OCTET STRING
-CurvePublicKey ::= BIT STRING
+ ;
-END
+ ECPrivateKey ::= SEQUENCE {
+ version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ privateKey OCTET STRING,
+-- FIXME: Remove this ugly workaround
+ parameters [0] CHOICE { namedCurve OBJECT IDENTIFIER } OPTIONAL,
+-- parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ publicKey [1] BIT STRING OPTIONAL,
+ attributes ANY OPTIONAL
+ }
+
+ END
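Review bot: The `-- FIXME: Remove this ugly workaround` comment on `parameters` does not say what is being worked around or what changes for callers. The old field was `[0] EcpkParameters OPTIONAL`, while the new `CHOICE { namedCurve OBJECT IDENTIFIER }` admits only a named curve, so a private key encoded with explicit curve parameters would presumably now fail to decode. If that restriction is intended, state it, e.g. `-- Only named curves are accepted; explicit ecParameters are rejected at decode time (workaround for <reason>)`. The `ECParameters{}` and `NamedCurve` imports are unused while the real definition stays commented out. Dropping the old note on `attributes ANY OPTIONAL` also leaves that untyped trailing field unexplained.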
diff --git a/lib/public_key/asn1/InformationFramework.asn1 b/lib/public_key/asn1/InformationFramework.asn1
deleted file mode 100644
index 4aed43a39e..0000000000
--- a/lib/public_key/asn1/InformationFramework.asn1
+++ /dev/null
@@ -1,682 +0,0 @@
-InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1)
- 6} DEFINITIONS ::=
-BEGIN
-
--- EXPORTS All
--- The types and values defined in this module are exported for use in the other ASN.1 modules contained
--- within the Directory Specifications, and for the use of other applications which will use them to access
--- Directory services. Other applications may use them for their own purposes, but this will not constrain
--- extensions and modifications needed to maintain or improve the Directory service.
-IMPORTS
- -- from ITU-T Rec. X.501 | ISO/IEC 9594-2
- directoryAbstractService, id-ar, id-at, id-mr, id-nf, id-oa, id-oc,
- id-sc, selectedAttributeTypes, serviceAdministration
- FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
- usefulDefinitions(0) 6}
- SearchRule
- FROM ServiceAdministration serviceAdministration
- -- from ITU-T Rec. X.511 | ISO/IEC 9594-3
- TypeAndContextAssertion
- FROM DirectoryAbstractService directoryAbstractService
- -- from ITU-T Rec. X.520 | ISO/IEC 9594-6
- booleanMatch, commonName, generalizedTimeMatch, generalizedTimeOrderingMatch,
- integerFirstComponentMatch, integerMatch, integerOrderingMatch,
- objectIdentifierFirstComponentMatch, UnboundedDirectoryString
- FROM SelectedAttributeTypes selectedAttributeTypes;
-
--- attribute data types
-Attribute{ATTRIBUTE:SupportedAttributes} ::= SEQUENCE {
- type ATTRIBUTE.&id({SupportedAttributes}),
- values
- SET SIZE (0..MAX) OF ATTRIBUTE.&Type({SupportedAttributes}{@type}),
- valuesWithContext
- SET SIZE (1..MAX) OF
- SEQUENCE {value ATTRIBUTE.&Type({SupportedAttributes}{@type}),
- contextList SET SIZE (1..MAX) OF Context} OPTIONAL
-}
-
-AttributeType ::= ATTRIBUTE.&id
-
-AttributeValue ::= ATTRIBUTE.&Type
-
-Context ::= SEQUENCE {
- contextType CONTEXT.&id({SupportedContexts}),
- contextValues
- SET SIZE (1..MAX) OF CONTEXT.&Type({SupportedContexts}{@contextType}),
- fallback BOOLEAN DEFAULT FALSE
-}
-
-AttributeValueAssertion ::= SEQUENCE {
- type ATTRIBUTE.&id({SupportedAttributes}),
- assertion
- ATTRIBUTE.&equality-match.&AssertionType
- ({SupportedAttributes}{@type}),
- assertedContexts
- CHOICE {allContexts [0] NULL,
- selectedContexts [1] SET SIZE (1..MAX) OF ContextAssertion
- } OPTIONAL
-}
-
-ContextAssertion ::= SEQUENCE {
- contextType CONTEXT.&id({SupportedContexts}),
- contextValues
- SET SIZE (1..MAX) OF
- CONTEXT.&Assertion({SupportedContexts}{@contextType})
-}
-
-AttributeTypeAssertion ::= SEQUENCE {
- type ATTRIBUTE.&id({SupportedAttributes}),
- assertedContexts SEQUENCE SIZE (1..MAX) OF ContextAssertion OPTIONAL
-}
-
--- Definition of the following information object set is deferred, perhaps to standardized
--- profiles or to protocol implementation conformance statements. The set is required to
--- specify a table constraint on the values component of Attribute, the value component
--- of AttributeTypeAndValue, and the assertion component of AttributeValueAssertion.
-SupportedAttributes ATTRIBUTE ::=
- {objectClass | aliasedEntryName, ...}
-
--- Definition of the following information object set is deferred, perhaps to standardized
--- profiles or to protocol implementation conformance statements. The set is required to
--- specify a table constraint on the context specifications
-SupportedContexts CONTEXT ::=
- {...}
-
--- naming data types
-Name ::= CHOICE { -- only one possibility for now --rdnSequence RDNSequence
-}
-
-RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
-
-DistinguishedName ::= RDNSequence
-
-RelativeDistinguishedName ::=
- SET SIZE (1..MAX) OF AttributeTypeAndDistinguishedValue
-
-AttributeTypeAndDistinguishedValue ::= SEQUENCE {
- type ATTRIBUTE.&id({SupportedAttributes}),
- value ATTRIBUTE.&Type({SupportedAttributes}{@type}),
- primaryDistinguished BOOLEAN DEFAULT TRUE,
- valuesWithContext
- SET SIZE (1..MAX) OF
- SEQUENCE {distingAttrValue
- [0] ATTRIBUTE.&Type({SupportedAttributes}{@type})
- OPTIONAL,
- contextList SET SIZE (1..MAX) OF Context} OPTIONAL
-}
-
--- subtree data types
-SubtreeSpecification ::= SEQUENCE {
- base [0] LocalName DEFAULT {},
- COMPONENTS OF ChopSpecification,
- specificationFilter [4] Refinement OPTIONAL
-}
-
--- empty sequence specifies whole administrative area
-LocalName ::= RDNSequence
-
-ChopSpecification ::= SEQUENCE {
- specificExclusions
- [1] SET SIZE (1..MAX) OF
- CHOICE {chopBefore [0] LocalName,
- chopAfter [1] LocalName} OPTIONAL,
- minimum [2] BaseDistance DEFAULT 0,
- maximum [3] BaseDistance OPTIONAL
-}
-
-BaseDistance ::= INTEGER(0..MAX)
-
-Refinement ::= CHOICE {
- item [0] OBJECT-CLASS.&id,
- and [1] SET SIZE (1..MAX) OF Refinement,
- or [2] SET SIZE (1..MAX) OF Refinement,
- not [3] Refinement
-}
-
--- OBJECT-CLASS information object class specification
-OBJECT-CLASS ::= CLASS {
- &Superclasses OBJECT-CLASS OPTIONAL,
- &kind ObjectClassKind DEFAULT structural,
- &MandatoryAttributes ATTRIBUTE OPTIONAL,
- &OptionalAttributes ATTRIBUTE OPTIONAL,
- &id OBJECT IDENTIFIER UNIQUE
-}
-WITH SYNTAX {
- [SUBCLASS OF &Superclasses]
- [KIND &kind]
- [MUST CONTAIN &MandatoryAttributes]
- [MAY CONTAIN &OptionalAttributes]
- ID &id
-}
-
-ObjectClassKind ::= ENUMERATED {abstract(0), structural(1), auxiliary(2)}
-
--- object classes
-top OBJECT-CLASS ::= {
- KIND abstract
- MUST CONTAIN {objectClass}
- ID id-oc-top
-}
-
-alias OBJECT-CLASS ::= {
- SUBCLASS OF {top}
- MUST CONTAIN {aliasedEntryName}
- ID id-oc-alias
-}
-
-parent OBJECT-CLASS ::= {KIND abstract
- ID id-oc-parent
-}
-
-child OBJECT-CLASS ::= {KIND auxiliary
- ID id-oc-child
-}
-
--- ATTRIBUTE information object class specification
-ATTRIBUTE ::= CLASS {
- &derivation ATTRIBUTE OPTIONAL,
- &Type OPTIONAL, -- either &Type or &derivation required
- &equality-match MATCHING-RULE OPTIONAL,
- &ordering-match MATCHING-RULE OPTIONAL,
- &substrings-match MATCHING-RULE OPTIONAL,
- &single-valued BOOLEAN DEFAULT FALSE,
- &collective BOOLEAN DEFAULT FALSE,
- &dummy BOOLEAN DEFAULT FALSE,
- -- operational extensions
- &no-user-modification BOOLEAN DEFAULT FALSE,
- &usage AttributeUsage DEFAULT userApplications,
- &id OBJECT IDENTIFIER UNIQUE
-}
-WITH SYNTAX {
- [SUBTYPE OF &derivation]
- [WITH SYNTAX &Type]
- [EQUALITY MATCHING RULE &equality-match]
- [ORDERING MATCHING RULE &ordering-match]
- [SUBSTRINGS MATCHING RULE &substrings-match]
- [SINGLE VALUE &single-valued]
- [COLLECTIVE &collective]
- [DUMMY &dummy]
- [NO USER MODIFICATION &no-user-modification]
- [USAGE &usage]
- ID &id
-}
-
-AttributeUsage ::= ENUMERATED {
- userApplications(0), directoryOperation(1), distributedOperation(2),
- dSAOperation(3)}
-
--- attributes
-objectClass ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- ID id-at-objectClass
-}
-
-aliasedEntryName ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- SINGLE VALUE TRUE
- ID id-at-aliasedEntryName
-}
-
--- MATCHING-RULE information object class specification
-MATCHING-RULE ::= CLASS {
- &ParentMatchingRules MATCHING-RULE OPTIONAL,
- &AssertionType OPTIONAL,
- &uniqueMatchIndicator ATTRIBUTE OPTIONAL,
- &id OBJECT IDENTIFIER UNIQUE
-}
-WITH SYNTAX {
- [PARENT &ParentMatchingRules]
- [SYNTAX &AssertionType]
- [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator]
- ID &id
-}
-
--- matching rules
-objectIdentifierMatch MATCHING-RULE ::= {
- SYNTAX OBJECT IDENTIFIER
- ID id-mr-objectIdentifierMatch
-}
-
-distinguishedNameMatch MATCHING-RULE ::= {
- SYNTAX DistinguishedName
- ID id-mr-distinguishedNameMatch
-}
-
-MAPPING-BASED-MATCHING{SelectedBy, BOOLEAN:combinable, MappingResult,
- OBJECT IDENTIFIER:matchingRule} ::= CLASS {
- &selectBy SelectedBy OPTIONAL,
- &ApplicableTo ATTRIBUTE,
- &subtypesIncluded BOOLEAN DEFAULT TRUE,
- &combinable BOOLEAN(combinable),
- &mappingResults MappingResult OPTIONAL,
- &userControl BOOLEAN DEFAULT FALSE,
- &exclusive BOOLEAN DEFAULT TRUE,
- &matching-rule MATCHING-RULE.&id(matchingRule),
- &id OBJECT IDENTIFIER UNIQUE
-}
-WITH SYNTAX {
- [SELECT BY &selectBy]
- APPLICABLE TO &ApplicableTo
- [SUBTYPES INCLUDED &subtypesIncluded]
- COMBINABLE &combinable
- [MAPPING RESULTS &mappingResults]
- [USER CONTROL &userControl]
- [EXCLUSIVE &exclusive]
- MATCHING RULE &matching-rule
- ID &id
-}
-
--- NAME-FORM information object class specification
-NAME-FORM ::= CLASS {
- &namedObjectClass OBJECT-CLASS,
- &MandatoryAttributes ATTRIBUTE,
- &OptionalAttributes ATTRIBUTE OPTIONAL,
- &id OBJECT IDENTIFIER UNIQUE
-}
-WITH SYNTAX {
- NAMES &namedObjectClass
- WITH ATTRIBUTES &MandatoryAttributes
- [AND OPTIONALLY &OptionalAttributes]
- ID &id
-}
-
--- STRUCTURE-RULE class and DIT structure rule data types
-DITStructureRule ::= SEQUENCE {
- ruleIdentifier RuleIdentifier,
- -- shall be unique within the scope of the subschema
- nameForm NAME-FORM.&id,
- superiorStructureRules SET SIZE (1..MAX) OF RuleIdentifier OPTIONAL
-}
-
-RuleIdentifier ::= INTEGER
-
-STRUCTURE-RULE ::= CLASS {
- &nameForm NAME-FORM,
- &SuperiorStructureRules STRUCTURE-RULE OPTIONAL,
- &id RuleIdentifier
-}
-WITH SYNTAX {
- NAME FORM &nameForm
- [SUPERIOR RULES &SuperiorStructureRules]
- ID &id
-}
-
--- DIT content rule data type and CONTENT-RULE class
-DITContentRule ::= SEQUENCE {
- structuralObjectClass OBJECT-CLASS.&id,
- auxiliaries SET SIZE (1..MAX) OF OBJECT-CLASS.&id OPTIONAL,
- mandatory [1] SET SIZE (1..MAX) OF ATTRIBUTE.&id OPTIONAL,
- optional [2] SET SIZE (1..MAX) OF ATTRIBUTE.&id OPTIONAL,
- precluded [3] SET SIZE (1..MAX) OF ATTRIBUTE.&id OPTIONAL
-}
-
-CONTENT-RULE ::= CLASS {
- &structuralClass OBJECT-CLASS.&id UNIQUE,
- &Auxiliaries OBJECT-CLASS OPTIONAL,
- &Mandatory ATTRIBUTE OPTIONAL,
- &Optional ATTRIBUTE OPTIONAL,
- &Precluded ATTRIBUTE OPTIONAL
-}
-WITH SYNTAX {
- STRUCTURAL OBJECT-CLASS &structuralClass
- [AUXILIARY OBJECT-CLASSES &Auxiliaries]
- [MUST CONTAIN &Mandatory]
- [MAY CONTAIN &Optional]
- [MUST-NOT CONTAIN &Precluded]
-}
-
-CONTEXT ::= CLASS {
- &Type ,
- &DefaultValue OPTIONAL,
- &Assertion OPTIONAL,
- &absentMatch BOOLEAN DEFAULT TRUE,
- &id OBJECT IDENTIFIER UNIQUE
-}
-WITH SYNTAX {
- WITH SYNTAX &Type
- [DEFAULT-VALUE &DefaultValue]
- [ASSERTED AS &Assertion]
- [ABSENT-MATCH &absentMatch]
- ID &id
-}
-
-DITContextUse ::= SEQUENCE {
- attributeType ATTRIBUTE.&id,
- mandatoryContexts [1] SET SIZE (1..MAX) OF CONTEXT.&id OPTIONAL,
- optionalContexts [2] SET SIZE (1..MAX) OF CONTEXT.&id OPTIONAL
-}
-
-DIT-CONTEXT-USE-RULE ::= CLASS {
- &attributeType ATTRIBUTE.&id UNIQUE,
- &Mandatory CONTEXT OPTIONAL,
- &Optional CONTEXT OPTIONAL
-}
-WITH SYNTAX {
- ATTRIBUTE TYPE &attributeType
- [MANDATORY CONTEXTS &Mandatory]
- [OPTIONAL CONTEXTS &Optional]
-}
-
-FRIENDS ::= CLASS {
- &anchor ATTRIBUTE.&id UNIQUE,
- &Friends ATTRIBUTE
-}WITH SYNTAX {ANCHOR &anchor
- FRIENDS &Friends
-}
-
--- system schema information objects
--- object classes
-subentry OBJECT-CLASS ::= {
- SUBCLASS OF {top}
- KIND structural
- MUST CONTAIN {commonName | subtreeSpecification}
- ID id-sc-subentry
-}
-
-subentryNameForm NAME-FORM ::= {
- NAMES subentry
- WITH ATTRIBUTES {commonName}
- ID id-nf-subentryNameForm
-}
-
-subtreeSpecification ATTRIBUTE ::= {
- WITH SYNTAX SubtreeSpecification
- USAGE directoryOperation
- ID id-oa-subtreeSpecification
-}
-
-administrativeRole ATTRIBUTE ::= {
- WITH SYNTAX OBJECT-CLASS.&id
- EQUALITY MATCHING RULE objectIdentifierMatch
- USAGE directoryOperation
- ID id-oa-administrativeRole
-}
-
-createTimestamp ATTRIBUTE ::= {
- WITH SYNTAX GeneralizedTime
- -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
- EQUALITY MATCHING RULE generalizedTimeMatch
- ORDERING MATCHING RULE generalizedTimeOrderingMatch
- SINGLE VALUE TRUE
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-createTimestamp
-}
-
-modifyTimestamp ATTRIBUTE ::= {
- WITH SYNTAX GeneralizedTime
- -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
- EQUALITY MATCHING RULE generalizedTimeMatch
- ORDERING MATCHING RULE generalizedTimeOrderingMatch
- SINGLE VALUE TRUE
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-modifyTimestamp
-}
-
-subschemaTimestamp ATTRIBUTE ::= {
- WITH SYNTAX GeneralizedTime
- -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
- EQUALITY MATCHING RULE generalizedTimeMatch
- ORDERING MATCHING RULE generalizedTimeOrderingMatch
- SINGLE VALUE TRUE
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-subschemaTimestamp
-}
-
-creatorsName ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- SINGLE VALUE TRUE
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-creatorsName
-}
-
-modifiersName ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- SINGLE VALUE TRUE
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-modifiersName
-}
-
-subschemaSubentryList ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- SINGLE VALUE TRUE
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-subschemaSubentryList
-}
-
-accessControlSubentryList ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-accessControlSubentryList
-}
-
-collectiveAttributeSubentryList ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-collectiveAttributeSubentryList
-}
-
-contextDefaultSubentryList ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-contextDefaultSubentryList
-}
-
-serviceAdminSubentryList ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-serviceAdminSubentryList
-}
-
-hasSubordinates ATTRIBUTE ::= {
- WITH SYNTAX BOOLEAN
- EQUALITY MATCHING RULE booleanMatch
- SINGLE VALUE TRUE
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-hasSubordinates
-}
-
-accessControlSubentry OBJECT-CLASS ::= {
- KIND auxiliary
- ID id-sc-accessControlSubentry
-}
-
-collectiveAttributeSubentry OBJECT-CLASS ::= {
- KIND auxiliary
- ID id-sc-collectiveAttributeSubentry
-}
-
-collectiveExclusions ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- USAGE directoryOperation
- ID id-oa-collectiveExclusions
-}
-
-contextAssertionSubentry OBJECT-CLASS ::= {
- KIND auxiliary
- MUST CONTAIN {contextAssertionDefaults}
- ID id-sc-contextAssertionSubentry
-}
-
-contextAssertionDefaults ATTRIBUTE ::= {
- WITH SYNTAX TypeAndContextAssertion
- EQUALITY MATCHING RULE objectIdentifierFirstComponentMatch
- USAGE directoryOperation
- ID id-oa-contextAssertionDefault
-}
-
-serviceAdminSubentry OBJECT-CLASS ::= {
- KIND auxiliary
- MUST CONTAIN {searchRules}
- ID id-sc-serviceAdminSubentry
-}
-
-searchRules ATTRIBUTE ::= {
- WITH SYNTAX SearchRuleDescription
- EQUALITY MATCHING RULE integerFirstComponentMatch
- USAGE directoryOperation
- ID id-oa-searchRules
-}
-
-SearchRuleDescription ::= SEQUENCE {
- COMPONENTS OF SearchRule,
- name [28] SET SIZE (1..MAX) OF UnboundedDirectoryString OPTIONAL,
- description [29] UnboundedDirectoryString OPTIONAL
-}
-
-hierarchyLevel ATTRIBUTE ::= {
- WITH SYNTAX HierarchyLevel
- EQUALITY MATCHING RULE integerMatch
- ORDERING MATCHING RULE integerOrderingMatch
- SINGLE VALUE TRUE
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-hierarchyLevel
-}
-
-HierarchyLevel ::= INTEGER
-
-hierarchyBelow ATTRIBUTE ::= {
- WITH SYNTAX HierarchyBelow
- EQUALITY MATCHING RULE booleanMatch
- SINGLE VALUE TRUE
- NO USER MODIFICATION TRUE
- USAGE directoryOperation
- ID id-oa-hierarchyBelow
-}
-
-HierarchyBelow ::= BOOLEAN
-
-hierarchyParent ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- SINGLE VALUE TRUE
- USAGE directoryOperation
- ID id-oa-hierarchyParent
-}
-
-hierarchyTop ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- SINGLE VALUE TRUE
- USAGE directoryOperation
- ID id-oa-hierarchyTop
-}
-
--- object identifier assignments
--- object classes
-id-oc-top OBJECT IDENTIFIER ::=
- {id-oc 0}
-
-id-oc-alias OBJECT IDENTIFIER ::= {id-oc 1}
-
-id-oc-parent OBJECT IDENTIFIER ::= {id-oc 28}
-
-id-oc-child OBJECT IDENTIFIER ::= {id-oc 29}
-
--- attributes
-id-at-objectClass OBJECT IDENTIFIER ::= {id-at 0}
-
-id-at-aliasedEntryName OBJECT IDENTIFIER ::= {id-at 1}
-
--- matching rules
-id-mr-objectIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 0}
-
-id-mr-distinguishedNameMatch OBJECT IDENTIFIER ::= {id-mr 1}
-
--- operational attributes
-id-oa-excludeAllCollectiveAttributes OBJECT IDENTIFIER ::=
- {id-oa 0}
-
-id-oa-createTimestamp OBJECT IDENTIFIER ::= {id-oa 1}
-
-id-oa-modifyTimestamp OBJECT IDENTIFIER ::= {id-oa 2}
-
-id-oa-creatorsName OBJECT IDENTIFIER ::= {id-oa 3}
-
-id-oa-modifiersName OBJECT IDENTIFIER ::= {id-oa 4}
-
-id-oa-administrativeRole OBJECT IDENTIFIER ::= {id-oa 5}
-
-id-oa-subtreeSpecification OBJECT IDENTIFIER ::= {id-oa 6}
-
-id-oa-collectiveExclusions OBJECT IDENTIFIER ::= {id-oa 7}
-
-id-oa-subschemaTimestamp OBJECT IDENTIFIER ::= {id-oa 8}
-
-id-oa-hasSubordinates OBJECT IDENTIFIER ::= {id-oa 9}
-
-id-oa-subschemaSubentryList OBJECT IDENTIFIER ::= {id-oa 10}
-
-id-oa-accessControlSubentryList OBJECT IDENTIFIER ::= {id-oa 11}
-
-id-oa-collectiveAttributeSubentryList OBJECT IDENTIFIER ::= {id-oa 12}
-
-id-oa-contextDefaultSubentryList OBJECT IDENTIFIER ::= {id-oa 13}
-
-id-oa-contextAssertionDefault OBJECT IDENTIFIER ::= {id-oa 14}
-
-id-oa-serviceAdminSubentryList OBJECT IDENTIFIER ::= {id-oa 15}
-
-id-oa-searchRules OBJECT IDENTIFIER ::= {id-oa 16}
-
-id-oa-hierarchyLevel OBJECT IDENTIFIER ::= {id-oa 17}
-
-id-oa-hierarchyBelow OBJECT IDENTIFIER ::= {id-oa 18}
-
-id-oa-hierarchyParent OBJECT IDENTIFIER ::= {id-oa 19}
-
-id-oa-hierarchyTop OBJECT IDENTIFIER ::= {id-oa 20}
-
--- subentry classes
-id-sc-subentry OBJECT IDENTIFIER ::= {id-sc 0}
-
-id-sc-accessControlSubentry OBJECT IDENTIFIER ::= {id-sc 1}
-
-id-sc-collectiveAttributeSubentry OBJECT IDENTIFIER ::= {id-sc 2}
-
-id-sc-contextAssertionSubentry OBJECT IDENTIFIER ::= {id-sc 3}
-
-id-sc-serviceAdminSubentry OBJECT IDENTIFIER ::= {id-sc 4}
-
--- Name forms
-id-nf-subentryNameForm OBJECT IDENTIFIER ::= {id-nf 16}
-
--- administrative roles
-id-ar-autonomousArea OBJECT IDENTIFIER ::= {id-ar 1}
-
-id-ar-accessControlSpecificArea OBJECT IDENTIFIER ::= {id-ar 2}
-
-id-ar-accessControlInnerArea OBJECT IDENTIFIER ::= {id-ar 3}
-
-id-ar-subschemaAdminSpecificArea OBJECT IDENTIFIER ::= {id-ar 4}
-
-id-ar-collectiveAttributeSpecificArea OBJECT IDENTIFIER ::= {id-ar 5}
-
-id-ar-collectiveAttributeInnerArea OBJECT IDENTIFIER ::= {id-ar 6}
-
-id-ar-contextDefaultSpecificArea OBJECT IDENTIFIER ::= {id-ar 7}
-
-id-ar-serviceSpecificArea OBJECT IDENTIFIER ::= {id-ar 8}
-
-END -- InformationFramework
diff --git a/lib/public_key/asn1/Makefile b/lib/public_key/asn1/Makefile
index 00d1531c64..f7dd49fca6 100644
--- a/lib/public_key/asn1/Makefile
+++ b/lib/public_key/asn1/Makefile
@@ -42,20 +42,40 @@ RELSYSDIR = $(RELEASE_PATH)/lib/public_key-$(VSN)
# ----------------------------------------------------
.SUFFIXES: .asn1
-.PRECIOUS: %.erl
+.PRECIOUS: $(ESRC)/%.erl $(ESRC)/%.hrl
INCLUDE = ../include
EBIN = ../ebin
-ASN_TOP = OTP-PUB-KEY PKCS-FRAME
-ASN_MODULES = PKIX1Explicit88 PKIX1Implicit88 PKIX1Algorithms88 \
- PKIXAttributeCertificate PKCS-1 PKCS-3 PKCS-7 PKCS-8 PKCS-10 PKCS5v2-0 OTP-PKIX \
- InformationFramework RFC5639 CMSAesRsaesOaep
+ASN_TOP = PKCS-FRAME $(ASN_MODULES)
+
+ASN_MODULES = \
+ AlgorithmInformation-2009 \
+ AttributeCertificateVersion1-2009 \
+ CryptographicMessageSyntax-2009 \
+ CryptographicMessageSyntaxAlgorithms-2009 \
+ CMSAesRsaesOaep-2009 \
+ DSS \
+ ECPrivateKey \
+ OCSP-2024-08 \
+ OTP-PKIX \
+ PKCS-1 PKCS-3 PKCS-10 \
+ PKIX-CommonTypes-2009 \
+ PKIX-X400Address-2009 \
+ PKIX1-PSS-OAEP-Algorithms-2009 \
+ PKIX1Explicit-2009 \
+ PKIX1Implicit-2009 \
+ PKIXAlgs-2009 \
+ PKIXAttributeCertificate-2009 \
+ RFC5639 \
+ Safecurves-pkix-18 \
+ SecureMimeMessageV3dot1-2009
+
ASN_ASNS = $(ASN_MODULES:%=%.asn1)
ASN_ERLS = $(ASN_TOP:%=$(ESRC)/%.erl)
-ASN_HRLS = $(ASN_TOP:%=%.hrl)
-ASN_CONFIGS = OTP-PUB-KEY.asn1config
-ASN_DBS = $(ASN_MODULES:%=%.asn1db) OTP-PUB-KEY.asn1db
+ASN_HRLS = PKCS-FRAME.hrl
+ASN_CONFIGS = OTP-PKIX.asn1config PKIX1Explicit-2009.asn1config
+ASN_DBS = $(ASN_MODULES:%=%.asn1db)
ASN_TABLES = $(ASN_MODULES:%=%.table)
ERL_MODULES = $(ASN_TOP) $(GEN_MODULES)
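Review bot: `ASN_MODULES` no longer lists `PKCS5v2-0` and does not add `AsymmetricKeyPackageModuleV1`, although both are prerequisites of `PKCS-FRAME` in the last hunk of this file. `ASN_ASNS`, `ASN_DBS` and `ASN_TABLES` are all derived from `ASN_MODULES`, so any clean or release rule that consumes them would skip those two sources and their generated files; those rules are outside this hunk, so this needs confirming against the rest of the Makefile. If they are still meant to be covered, a small separate list keeps them out of `ASN_TOP` while restoring them to the derived variables: `ASN_SET_MODULES = AsymmetricKeyPackageModuleV1 PKCS5v2-0` and `ASN_ASNS = $(ASN_MODULES:%=%.asn1) $(ASN_SET_MODULES:%=%.asn1)`.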
@@ -91,6 +111,9 @@ docs:
$(ESRC)/%.erl $(ESRC)/%.hrl: %.set.asn
$(asn_verbose)erlc $(ASN_FLAGS) -o $(ESRC) $<
+$(ESRC)/%.erl $(ESRC)/%.hrl: %.asn1
+ $(asn_verbose)erlc $(ASN_FLAGS) -o $(ESRC) $<
+
$(INCLUDE)/%.hrl: $(ESRC)/%.hrl
$(gen_verbose)cp -p $< $@
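Review bot: The new `%.asn1` pattern rule makes each generated `.erl`/`.hrl` depend only on its own `.asn1` file, and the next hunk deletes the explicit prerequisite list that used to cover imported modules without adding an equivalent for the per-module builds. As far as these hunks show, editing an imported module or `OTP-PKIX.asn1config` would therefore not regenerate `OTP-PKIX.erl`, and an incremental build could ship a certificate decoder that no longer matches its schema. I would add explicit prerequisites for the modules with imports or a config file, for example `$(ESRC)/OTP-PKIX.erl: OTP-PKIX.asn1config PKIX-CommonTypes-2009.asn1 PKIX1Implicit-2009.asn1 PKIX1Explicit-2009.asn1 PKIXAlgs-2009.asn1 AlgorithmInformation-2009.asn1`, and likewise for `OCSP-2024-08`. The rest of the Makefile is outside the hunk, so a generic dependency mechanism may already exist there.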
@@ -114,22 +137,9 @@ release_docs_spec:
#
# Dependencies
-
-$(EBIN)/OTP-PUB-KEY.beam: $(ESRC)/OTP-PUB-KEY.erl $(INCLUDE)/OTP-PUB-KEY.hrl
-$(ESRC)/OTP-PUB-KEY.asn1db $(ESRC)/OTP-PUB-KEY.erl $(INCLUDE)/OTP-PUB-KEY.hrl: \
- PKIX1Algorithms88.asn1 \
- PKIX1Explicit88.asn1 \
- PKIX1Implicit88.asn1 \
- PKIXAttributeCertificate.asn1 \
- PKCS-1.asn1 \
- PKCS-3.asn1 \
- PKCS-7.asn1 \
- PKCS-10.asn1 \
- InformationFramework.asn1 \
- OTP-PKIX.asn1 \
- RFC5639.asn1
+#
$(EBIN)/PKCS-FRAME.beam: $(ESRC)/PKCS-FRAME.erl $(INCLUDE)/PKCS-FRAME.hrl
$(ESRC)/PKCS-FRAME.erl $(INCLUDE)/PKCS-FRAME.hrl $(ESRC)/PKCS-FRAME.asn1db: \
- PKCS5v2-0.asn1 \
- PKCS-8.asn1
+ AsymmetricKeyPackageModuleV1.asn1 \
+ PKCS5v2-0.asn1
diff --git a/lib/public_key/asn1/OCSP-2013-88.asn1 b/lib/public_key/asn1/OCSP-2013-88.asn1
deleted file mode 100644
index 32b1eed962..0000000000
--- a/lib/public_key/asn1/OCSP-2013-88.asn1
+++ /dev/null
@@ -1,149 +0,0 @@
--- OCSP definition from RFC6960, 1998 Syntax
-
-OCSP-2013-88 {
- iso(1) identified-organization(3) dod(6) internet(1)
- security(5) mechanisms(5) pkix(7) id-mod(0)
- id-mod-ocsp-2013-88(81)
-}
-
-DEFINITIONS EXPLICIT TAGS ::=
-
-BEGIN
-
-IMPORTS
-
- -- PKIX Certificate Extensions
- AuthorityInfoAccessSyntax, CRLReason, GeneralName
- FROM PKIX1Implicit88 { iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5) pkix(7)
- id-mod(0) id-pkix1-implicit(19) }
-
- Name, CertificateSerialNumber, Extensions,
- id-kp, id-ad-ocsp, Certificate, AlgorithmIdentifier
- FROM PKIX1Explicit88 { iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5) pkix(7)
- id-mod(0) id-pkix1-explicit(18) };
-
-OCSPRequest ::= SEQUENCE {
- tbsRequest TBSRequest,
- optionalSignature [0] EXPLICIT Signature OPTIONAL }
-
-TBSRequest ::= SEQUENCE {
- version [0] EXPLICIT Version DEFAULT v1,
- requestorName [1] EXPLICIT GeneralName OPTIONAL,
- requestList SEQUENCE OF Request,
- requestExtensions [2] EXPLICIT Extensions OPTIONAL }
-
-Signature ::= SEQUENCE {
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING,
- certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-
-Version ::= INTEGER { v1(0) }
-
-Request ::= SEQUENCE {
- reqCert CertID,
- singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
-
-CertID ::= SEQUENCE {
- hashAlgorithm AlgorithmIdentifier,
- issuerNameHash OCTET STRING, -- Hash of issuer's DN
- issuerKeyHash OCTET STRING, -- Hash of issuer's public key
- serialNumber CertificateSerialNumber }
-
-OCSPResponse ::= SEQUENCE {
- responseStatus OCSPResponseStatus,
- responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
-
-OCSPResponseStatus ::= ENUMERATED {
- successful (0), -- Response has valid confirmations
- malformedRequest (1), -- Illegal confirmation request
- internalError (2), -- Internal error in issuer
- tryLater (3), -- Try again later
- -- (4) is not used
- sigRequired (5), -- Must sign the request
- unauthorized (6) -- Request unauthorized
-}
-
-ResponseBytes ::= SEQUENCE {
- responseType OBJECT IDENTIFIER,
- response OCTET STRING }
-
-BasicOCSPResponse ::= SEQUENCE {
- tbsResponseData ResponseData,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING,
- certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-
-ResponseData ::= SEQUENCE {
- version [0] EXPLICIT Version DEFAULT v1,
- responderID ResponderID,
- producedAt GeneralizedTime,
- responses SEQUENCE OF SingleResponse,
- responseExtensions [1] EXPLICIT Extensions OPTIONAL }
-
-ResponderID ::= CHOICE {
- byName [1] Name,
- byKey [2] KeyHash }
-
-KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
- -- (i.e., the SHA-1 hash of the value of the
- -- BIT STRING subjectPublicKey [excluding
- -- the tag, length, and number of unused
- -- bits] in the responder's certificate)
-
-SingleResponse ::= SEQUENCE {
- certID CertID,
- certStatus CertStatus,
- thisUpdate GeneralizedTime,
- nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
- singleExtensions [1] EXPLICIT Extensions OPTIONAL }
-
-CertStatus ::= CHOICE {
- good [0] IMPLICIT NULL,
- revoked [1] IMPLICIT RevokedInfo,
- unknown [2] IMPLICIT UnknownInfo }
-
-RevokedInfo ::= SEQUENCE {
- revocationTime GeneralizedTime,
- revocationReason [0] EXPLICIT CRLReason OPTIONAL }
-
-UnknownInfo ::= NULL
-
-ArchiveCutoff ::= GeneralizedTime
-
-AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
-
-ServiceLocator ::= SEQUENCE {
- issuer Name,
- locator AuthorityInfoAccessSyntax }
-
-CrlID ::= SEQUENCE {
- crlUrl [0] EXPLICIT IA5String OPTIONAL,
- crlNum [1] EXPLICIT INTEGER OPTIONAL,
- crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
-
-PreferredSignatureAlgorithms ::= SEQUENCE OF PreferredSignatureAlgorithm
-
-PreferredSignatureAlgorithm ::= SEQUENCE {
- sigIdentifier AlgorithmIdentifier,
- certIdentifier AlgorithmIdentifier OPTIONAL }
-
-Nonce ::= OCTET STRING
-
--- Object Identifiers
-
--- Already defined in PKIX1Implicit88
---id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
-id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
-id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
-id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
-id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
-id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
-id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
-id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
-id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
-id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 }
-id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 }
-
-END
diff --git a/lib/public_key/asn1/OCSP-2024-08.asn1 b/lib/public_key/asn1/OCSP-2024-08.asn1
new file mode 100644
index 0000000000..0872d3fee0
--- /dev/null
+++ b/lib/public_key/asn1/OCSP-2024-08.asn1
@@ -0,0 +1,269 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+OCSP-2024-08
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-ocsp-2024-08(112) }
+
+DEFINITIONS EXPLICIT TAGS ::=
+BEGIN
+
+IMPORTS
+ Extensions{}, EXTENSION
+ FROM PKIX-CommonTypes-2009 -- From [RFC5912]
+ { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-mod-pkixCommon-02(57) }
+
+ AlgorithmIdentifier{}, DIGEST-ALGORITHM,
+ SIGNATURE-ALGORITHM, PUBLIC-KEY
+ FROM AlgorithmInformation-2009 -- From [RFC5912]
+ { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-mod-algorithmInformation-02(58) }
+
+ AuthorityInfoAccessSyntax, GeneralName,
+ CrlEntryExtensions, CRLReason
+ FROM PKIX1Implicit-2009 -- From [RFC5912]
+ { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-mod-pkix1-implicit-02(59) }
+
+ Name, Certificate, CertificateSerialNumber,
+ id-kp, id-ad-ocsp
+ FROM PKIX1Explicit-2009 -- From [RFC5912]
+ { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-mod-pkix1-explicit-02(51) }
+
+ sa-dsaWithSHA1, sa-rsaWithMD2,
+ sa-rsaWithMD5, sa-rsaWithSHA1
+ FROM PKIXAlgs-2009 -- From [RFC5912]
+ { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-mod-pkix1-algorithms2008-02(56) } ;
+
+OCSPRequest ::= SEQUENCE {
+ tbsRequest TBSRequest,
+ optionalSignature [0] EXPLICIT Signature OPTIONAL }
+
+TBSRequest ::= SEQUENCE {
+ version [0] EXPLICIT Version DEFAULT v1,
+ requestorName [1] EXPLICIT GeneralName OPTIONAL,
+ requestList SEQUENCE OF Request,
+ requestExtensions [2] EXPLICIT Extensions
+ {{ re-ocsp-nonce | re-ocsp-response |
+ re-ocsp-preferred-signature-algorithms,
+ ... }} OPTIONAL }
+
+Signature ::= SEQUENCE {
+ signatureAlgorithm AlgorithmIdentifier
+ { SIGNATURE-ALGORITHM, {...}},
+ signature BIT STRING,
+ certs [0] EXPLICIT SEQUENCE OF
+ Certificate OPTIONAL }
+
+Version ::= INTEGER { v1(0) }
+
+Nonce ::= OCTET STRING (SIZE(1..128))
+
+Request ::= SEQUENCE {
+ reqCert CertID,
+ singleRequestExtensions [0] EXPLICIT Extensions
+ {{ re-ocsp-service-locator,
+ ... }} OPTIONAL }
+
+CertID ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier
+ { DIGEST-ALGORITHM, {...}},
+ issuerNameHash OCTET STRING, -- Hash of issuer's DN
+ issuerKeyHash OCTET STRING, -- Hash of issuer's public key
+ serialNumber CertificateSerialNumber }
+
+OCSPResponse ::= SEQUENCE {
+ responseStatus OCSPResponseStatus,
+ responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
+
+OCSPResponseStatus ::= ENUMERATED {
+ successful (0), -- Response has valid confirmations
+ malformedRequest (1), -- Illegal confirmation request
+ internalError (2), -- Internal error in issuer
+ tryLater (3), -- Try again later
+ -- (4) is not used
+ sigRequired (5), -- Must sign the request
+ unauthorized (6) -- Request unauthorized
+}
+
+RESPONSE ::= TYPE-IDENTIFIER
+
+ResponseSet RESPONSE ::= { basicResponse, ... }
+
+ResponseBytes ::= SEQUENCE {
+ responseType RESPONSE.&id ({ResponseSet}),
+ response OCTET STRING (CONTAINING RESPONSE.
+ &Type({ResponseSet}{@responseType}))}
+
+basicResponse RESPONSE ::=
+ { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic }
+
+BasicOCSPResponse ::= SEQUENCE {
+ tbsResponseData ResponseData,
+ signatureAlgorithm AlgorithmIdentifier
+ { SIGNATURE-ALGORITHM,
+ { sa-dsaWithSHA1 |
+ sa-rsaWithSHA1 |
+ sa-rsaWithMD5 |
+ sa-rsaWithMD2,
+ ... }},
+ signature BIT STRING,
+ certs [0] EXPLICIT SEQUENCE OF
+ Certificate OPTIONAL }
+
+ResponseData ::= SEQUENCE {
+ version [0] EXPLICIT Version DEFAULT v1,
+ responderID ResponderID,
+ producedAt GeneralizedTime,
+ responses SEQUENCE OF SingleResponse,
+ responseExtensions [1] EXPLICIT Extensions
+ {{ re-ocsp-nonce |
+ re-ocsp-extended-revoke,
+ ... }} OPTIONAL }
+
+ResponderID ::= CHOICE {
+ byName [1] Name,
+ byKey [2] KeyHash }
+
+KeyHash ::= OCTET STRING
+ -- SHA-1 hash of responder's public key
+ -- (excluding the tag and length and number
+ -- of unused bits)
+
+SingleResponse ::= SEQUENCE {
+ certID CertID,
+ certStatus CertStatus,
+ thisUpdate GeneralizedTime,
+ nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+ singleExtensions [1] EXPLICIT Extensions
+ {{ re-ocsp-crl |
+ re-ocsp-archive-cutoff |
+ CrlEntryExtensions,
+ ... }} OPTIONAL }
+
+CertStatus ::= CHOICE {
+ good [0] IMPLICIT NULL,
+ revoked [1] IMPLICIT RevokedInfo,
+ unknown [2] IMPLICIT UnknownInfo }
+
+RevokedInfo ::= SEQUENCE {
+ revocationTime GeneralizedTime,
+ revocationReason [0] EXPLICIT CRLReason OPTIONAL }
+
+UnknownInfo ::= NULL
+
+ArchiveCutoff ::= GeneralizedTime
+
+AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet})
+
+ServiceLocator ::= SEQUENCE {
+ issuer Name,
+ locator AuthorityInfoAccessSyntax }
+
+CrlID ::= SEQUENCE {
+ crlUrl [0] EXPLICIT IA5String OPTIONAL,
+ crlNum [1] EXPLICIT INTEGER OPTIONAL,
+ crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
+
+PreferredSignatureAlgorithms ::= SEQUENCE OF
+ PreferredSignatureAlgorithm
+
+PreferredSignatureAlgorithm ::= SEQUENCE {
+ sigIdentifier AlgorithmIdentifier
+ { SIGNATURE-ALGORITHM, {...} },
+ certIdentifier AlgorithmIdentifier {PUBLIC-KEY, {...}}
+ OPTIONAL }
+
+
+-- Certificate Extensions
+
+ext-ocsp-nocheck EXTENSION ::= {
+ SYNTAX NULL IDENTIFIED BY id-pkix-ocsp-nocheck }
+
+
+-- Request Extensions
+
+re-ocsp-nonce EXTENSION ::= {
+ SYNTAX Nonce IDENTIFIED BY id-pkix-ocsp-nonce }
+
+re-ocsp-response EXTENSION ::= {
+ SYNTAX AcceptableResponses IDENTIFIED BY
+ id-pkix-ocsp-response }
+
+re-ocsp-service-locator EXTENSION ::= {
+ SYNTAX ServiceLocator IDENTIFIED BY
+ id-pkix-ocsp-service-locator }
+
+re-ocsp-preferred-signature-algorithms EXTENSION ::= {
+ SYNTAX PreferredSignatureAlgorithms IDENTIFIED BY
+ id-pkix-ocsp-pref-sig-algs }
+
+
+-- Response Extensions
+
+re-ocsp-crl EXTENSION ::= {
+ SYNTAX CrlID IDENTIFIED BY id-pkix-ocsp-crl }
+
+re-ocsp-archive-cutoff EXTENSION ::= {
+ SYNTAX ArchiveCutoff IDENTIFIED BY
+ id-pkix-ocsp-archive-cutoff }
+
+re-ocsp-extended-revoke EXTENSION ::= {
+ SYNTAX NULL IDENTIFIED BY id-pkix-ocsp-extended-revoke }
+
+
+-- Object Identifiers
+
+id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
+id-pkix-ocsp OBJECT IDENTIFIER ::= id-ad-ocsp
+id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
+id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
+id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
+id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
+id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
+id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
+id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
+id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 }
+id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 }
+
+END
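Review bot: `BasicOCSPResponse.signatureAlgorithm` names only `sa-dsaWithSHA1`, `sa-rsaWithSHA1`, `sa-rsaWithMD5` and `sa-rsaWithMD2` and then leaves the set open with `...`, so the schema does not exclude broken digests or restrict which algorithm a responder may use. `CertID.hashAlgorithm` and `Signature.signatureAlgorithm` are fully open (`{...}`) as well, which means a successful decode says nothing about whether an algorithm is acceptable. Since the module appears to be taken from the RFC text, I would not change the definitions, but I would document the expectation for whoever maintains the verifier with a comment above `BasicOCSPResponse` such as `-- NOTE: the algorithm set is extensible and lists MD2/MD5/SHA-1 for decoding only; the OCSP verification code must apply its own algorithm policy.`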
diff --git a/lib/public_key/asn1/OTP-PKIX.asn1 b/lib/public_key/asn1/OTP-PKIX.asn1
index 8c15bdc7ea..4a2ed525ff 100644
--- a/lib/public_key/asn1/OTP-PKIX.asn1
+++ b/lib/public_key/asn1/OTP-PKIX.asn1
@@ -1,3 +1,23 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: Apache-2.0
+--
+-- Copyright Ericsson AB 2008-2025. All Rights Reserved.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+-- %CopyrightEnd%
+
OTP-PKIX {iso(1) identified-organization(3) dod(6) internet(1)
private(4) enterprices(1) ericsson(193) otp(19) ssl(10)
pkix1(1)}
@@ -9,845 +29,210 @@ BEGIN
-- EXPORTS ALL
IMPORTS
- -- Certificate (parts of)
- Version,
- CertificateSerialNumber,
- --AlgorithmIdentifier,
- Validity,
- UniqueIdentifier,
-
- -- AttribyteTypeAndValue
- Name,
- AttributeType,
- id-at-name,
- id-at-surname,
- id-at-givenName,
- id-at-initials,
- id-at-generationQualifier, X520name,
- id-at-commonName, X520CommonName,
- id-at-localityName, X520LocalityName,
- id-at-stateOrProvinceName, X520StateOrProvinceName,
- id-at-organizationName, X520OrganizationName,
- id-at-organizationalUnitName, X520OrganizationalUnitName,
- id-at-title, X520Title,
- id-at-dnQualifier, X520dnQualifier,
- id-at-countryName, X520countryName,
- id-at-serialNumber, X520SerialNumber,
- id-at-pseudonym, X520Pseudonym,
- id-domainComponent, DomainComponent,
- id-emailAddress, EmailAddress,
-
- -- Extension Attributes
- common-name, CommonName,
- teletex-common-name, TeletexCommonName,
- teletex-personal-name, TeletexPersonalName,
- pds-name, PDSName,
- physical-delivery-country-name, PhysicalDeliveryCountryName,
- postal-code, PostalCode,
- physical-delivery-office-name, PhysicalDeliveryOfficeName,
- physical-delivery-office-number, PhysicalDeliveryOfficeNumber,
- extension-OR-address-components, ExtensionORAddressComponents,
- physical-delivery-personal-name, PhysicalDeliveryPersonalName,
- physical-delivery-organization-name, PhysicalDeliveryOrganizationName,
- extension-physical-delivery-address-components,
- ExtensionPhysicalDeliveryAddressComponents,
- unformatted-postal-address, UnformattedPostalAddress,
- street-address, StreetAddress,
- post-office-box-address, PostOfficeBoxAddress,
- poste-restante-address, PosteRestanteAddress,
- unique-postal-name, UniquePostalName,
- local-postal-attributes, LocalPostalAttributes,
- extended-network-address, ExtendedNetworkAddress,
- terminal-type, TerminalType,
- teletex-domain-defined-attributes, TeletexDomainDefinedAttributes
-
- FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-pkix1-explicit(18) }
-
- -- Extensions
- id-ce-authorityKeyIdentifier, AuthorityKeyIdentifier,
- id-ce-subjectKeyIdentifier, SubjectKeyIdentifier,
- id-ce-keyUsage, KeyUsage,
- id-ce-privateKeyUsagePeriod, PrivateKeyUsagePeriod,
- id-ce-certificatePolicies, CertificatePolicies,
- id-ce-policyMappings, PolicyMappings,
- id-ce-subjectAltName, SubjectAltName,
- id-ce-issuerAltName, IssuerAltName,
- id-ce-subjectDirectoryAttributes, SubjectDirectoryAttributes,
- id-ce-basicConstraints, BasicConstraints,
- id-ce-nameConstraints, NameConstraints,
- id-ce-policyConstraints, PolicyConstraints,
- id-ce-cRLDistributionPoints, CRLDistributionPoints,
- id-ce-extKeyUsage, ExtKeyUsageSyntax,
- id-ce-inhibitAnyPolicy, InhibitAnyPolicy,
- id-ce-freshestCRL, FreshestCRL,
- id-pe-authorityInfoAccess, AuthorityInfoAccessSyntax,
- id-pe-subjectInfoAccess, SubjectInfoAccessSyntax,
- id-ce-cRLNumber, CRLNumber,
- id-ce-issuingDistributionPoint, IssuingDistributionPoint,
- id-ce-deltaCRLIndicator, BaseCRLNumber,
- id-ce-cRLReasons, CRLReason,
- id-ce-certificateIssuer, CertificateIssuer,
- id-ce-holdInstructionCode, HoldInstructionCode,
- id-ce-invalidityDate, InvalidityDate
-
- FROM PKIX1Implicit88 { iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-pkix1-implicit(19) }
+ ATTRIBUTE, Extensions{}, SingleAttribute
+ FROM PKIX-CommonTypes-2009
+
+ CertificateSerialNumber, CertExtensions{}, NoticeReference
+ FROM PKIX1Implicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
+
+ at-name, at-surname, at-givenName, at-initials, at-generationQualifier,
+ at-x520CommonName, at-x520LocalityName, at-x520StateOrProvinceName,
+ at-x520OrganizationName, at-x520OrganizationalUnitName, at-x520Title,
+ at-x520dnQualifier, at-x520SerialNumber, at-x520Pseudonym,
+ at-domainComponent, at-emailAddress,
+ id-at-countryName, id-emailAddress,
+ ub-emailaddress-length,
+ Validity, Version, SubjectPublicKeyInfo,
+ UniqueIdentifier,
+ id-qt-unotice, id-qt-cps
+ FROM PKIX1Explicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-explicit-02(51)}
--Keys and Signatures
- id-dsa, Dss-Parms, DSAPublicKey,
- id-dsa-with-sha1, id-dsaWithSHA1,
- md2WithRSAEncryption,
- md5WithRSAEncryption,
- sha1WithRSAEncryption,
- rsaEncryption, RSAPublicKey,
- dhpublicnumber, DomainParameters, DHPublicKey,
- id-keyExchangeAlgorithm, KEA-Parms-Id, --KEA-PublicKey,
- ecdsa-with-SHA1, ecdsa-with-SHA224,
- ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512,
- prime-field, Prime-p,
- characteristic-two-field, --Characteristic-two,
- gnBasis,
- tpBasis, Trinomial,
- ppBasis, Pentanomial,
- id-ecPublicKey, EcpkParameters, ECParameters, ECPoint
- FROM PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-mod-pkix1-algorithms(17) }
- md2WithRSAEncryption,
- md5WithRSAEncryption,
- sha1WithRSAEncryption,
- sha224WithRSAEncryption,
- sha256WithRSAEncryption,
- sha384WithRSAEncryption,
- sha512WithRSAEncryption,
- id-RSASSA-PSS,
- RSASSA-PSS-params
-
- FROM PKCS-1 {
- iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
- modules(0) pkcs-1(1)
- };
-
+ dsa-with-sha1, DSA-Sig-Value, mda-sha1, pk-dsa, DSA-Params
+ FROM PKIXAlgs-2009
+
+ AlgorithmIdentifier{}, SIGNATURE-ALGORITHM
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)};
--
-- Certificate
--
OTPCertificate ::= SEQUENCE {
tbsCertificate OTPTBSCertificate,
- signatureAlgorithm SignatureAlgorithm,
+ signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM,
+ { OTPSignatureAlgorithms }},
signature BIT STRING }
OTPTBSCertificate ::= SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
- signature SignatureAlgorithm,
- issuer Name,
+ signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
+ { OTPSignatureAlgorithms }},
+ issuer OTPName,
validity Validity,
- subject Name,
- subjectPublicKeyInfo OTPSubjectPublicKeyInfo,
- issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
- -- If present, version MUST be v2 or v3
- subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
- -- If present, version MUST be v2 or v3
- extensions [3] Extensions OPTIONAL
- -- If present, version MUST be v3 -- }
-
-
--- Attribute type and values
---
-
-ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= CLASS {
- &id AttributeType UNIQUE,
- &Type }
- WITH SYNTAX {
- ID &id
- TYPE &Type }
-
-OTPAttributeTypeAndValue ::= SEQUENCE {
- type ATTRIBUTE-TYPE-AND-VALUE-CLASS.&id
- ({SupportedAttributeTypeAndValues}),
- value ATTRIBUTE-TYPE-AND-VALUE-CLASS.&Type
- ({SupportedAttributeTypeAndValues}{@type}) }
-
-SupportedAttributeTypeAndValues ATTRIBUTE-TYPE-AND-VALUE-CLASS ::=
- { name | surname | givenName | initials | generationQualifier |
- commonName | localityName | stateOrProvinceName | organizationName |
- organizationalUnitName | title | dnQualifier | countryName |
- serialNumber | pseudonym | domainComponent | emailAddress }
-
-name ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-name
- TYPE X520name }
-
-surname ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-surname
- TYPE X520name }
-
-givenName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-givenName
- TYPE X520name }
-
-initials ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-initials
- TYPE X520name }
-
-generationQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-generationQualifier
- TYPE X520name }
-
-commonName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-commonName
- TYPE X520CommonName }
-
-localityName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-localityName
- TYPE X520LocalityName }
-
-stateOrProvinceName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-stateOrProvinceName
- TYPE X520StateOrProvinceName }
-
-organizationName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-organizationName
- TYPE X520OrganizationName }
-
-organizationalUnitName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-organizationalUnitName
- TYPE X520OrganizationalUnitName }
-
-title ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-title
- TYPE X520Title }
-
-dnQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-dnQualifier
- TYPE X520dnQualifier }
-
-countryName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-countryName
- TYPE X520countryName } -- this is currently not used when decoding
- -- The decoding and mapping between ID and Type is done in the code
- -- in module publickey_cert_records via the function attribute_type
- -- To be more forgiving and compatible with other SSL implementations
- -- regarding how to handle and sometimes accept incorrect certificates
- -- we define and use the type below instead of X520countryName
-
- -- We accept utf8String encoding of the US-ASCII
- -- country name code and the mix up with other country code systems
- -- that uses three characters instead of two.
-
- OTP-X520countryname ::= CHOICE {
- printableString PrintableString (SIZE (2..3)),
- utf8String UTF8String (SIZE (2..3))
+ subject OTPName,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ ... ,
+ [[2: -- If present, version MUST be v2
+ issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL
+ ]],
+ [[3: -- If present, version MUST be v3 --
+ extensions [3] Extensions{{CertExtensions}} OPTIONAL
+ ]], ... }
+
+-- Here follows a workaround to handle very old certificates.
+
+OTPSignatureAlgorithms SIGNATURE-ALGORITHM ::= {
+ OTPSignatureAlgs, ...,
+ PKIX1-PSS-OAEP-Algorithms-2009.SignatureAlgs }
+
+OTPSignatureAlgs SIGNATURE-ALGORITHM ::= {
+ PKIXAlgs-2009.sa-rsaWithMD2 |
+ PKIXAlgs-2009.sa-rsaWithMD5 |
+ PKIXAlgs-2009.sa-rsaWithSHA1 |
+ otp-sa-dsaWithSHA1 |
+ PKIXAlgs-2009.sa-ecdsaWithSHA1,
+ ..., -- Extensible
+ PKIXAlgs-2009.sa-dsaWithSHA224 |
+ PKIXAlgs-2009.sa-dsaWithSHA256 |
+ PKIXAlgs-2009.sa-ecdsaWithSHA224 |
+ PKIXAlgs-2009.sa-ecdsaWithSHA256 |
+ PKIXAlgs-2009.sa-ecdsaWithSHA384 |
+ PKIXAlgs-2009.sa-ecdsaWithSHA512
}
-serialNumber ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-serialNumber
- TYPE X520SerialNumber }
-
-pseudonym ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-at-pseudonym
- TYPE X520Pseudonym }
-
-domainComponent ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-domainComponent
- TYPE DomainComponent }
-
-emailAddress ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
- ID id-emailAddress
- TYPE EmailAddress } -- this is currently not used when decoding
- -- The decoding and mapping between ID and Type is done in the code
- -- in module publickey_cert_records via the function attribute_type
- -- To be more forgiving and compatible with other SSL implementations
- -- regarding how to handle and sometimes accept incorrect certificates
- -- we define and use the type below instead of emailAddress
-
- OTP-emailAddress ::= CHOICE {
- ia5String IA5String (SIZE (1..255)),
- utf8String UTF8String (SIZE (1..255))
+otp-sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER dsa-with-sha1
+ VALUE DSA-Sig-Value
+-- Allow DSA-Params as well as NULL here.
+ PARAMS TYPE OTP-DSA-Params-Or-NULL ARE absent
+ HASHES { mda-sha1 }
+ PUBLIC-KEYS { pk-dsa }
+ SMIME-CAPS { IDENTIFIED BY dsa-with-sha1 }
}
---
--- Signature and Public Key Algorithms
---
-
-OTPOLDSubjectPublicKeyInfo ::= SEQUENCE {
- algorithm SEQUENCE {
- algo PUBLIC-KEY-ALGORITHM-CLASS.&id
- ({SupportedPublicKeyAlgorithms}),
- parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type
- ({SupportedPublicKeyAlgorithms}{@.algo})
- OPTIONAL
- },
- subjectPublicKey PUBLIC-KEY-ALGORITHM-CLASS.&PublicKeyType
- ({SupportedPublicKeyAlgorithms}{@algorithm.algo}) }
-
-OTPSubjectPublicKeyInfo ::= SEQUENCE {
- algorithm PublicKeyAlgorithm,
- subjectPublicKey BIT STRING }
-
-
--- The following is needed for conversion of SubjectPublicKeyInfo.
-
-OTPSubjectPublicKeyInfo-Any ::= SEQUENCE {
- algorithm PublicKeyAlgorithm,
- subjectPublicKey ANY }
-
-
-SIGNATURE-ALGORITHM-CLASS ::= CLASS {
- &id OBJECT IDENTIFIER UNIQUE,
- &Type OPTIONAL }
- WITH SYNTAX {
- ID &id
- [TYPE &Type] }
-
-PUBLIC-KEY-ALGORITHM-CLASS ::= CLASS {
- &id OBJECT IDENTIFIER UNIQUE,
- &Type OPTIONAL,
- &PublicKeyType OPTIONAL }
- WITH SYNTAX {
- ID &id
- [TYPE &Type]
- [PUBLIC-KEY-TYPE &PublicKeyType] }
-
-SignatureAlgorithm ::= SEQUENCE {
- algorithm SIGNATURE-ALGORITHM-CLASS.&id
- ({SupportedSignatureAlgorithms}),
- parameters SIGNATURE-ALGORITHM-CLASS.&Type
- ({SupportedSignatureAlgorithms}{@algorithm})
- OPTIONAL }
-
-SignatureAlgorithm-Any ::= SEQUENCE {
- algorithm OBJECT IDENTIFIER,
- parameters ANY OPTIONAL }
-
-PublicKeyAlgorithm ::= SEQUENCE {
- algorithm PUBLIC-KEY-ALGORITHM-CLASS.&id
- ({SupportedPublicKeyAlgorithms}),
- parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type
- ({SupportedPublicKeyAlgorithms}{@algorithm})
- OPTIONAL }
-
-SupportedSignatureAlgorithms SIGNATURE-ALGORITHM-CLASS ::= {
- dsa-with-sha1 | dsaWithSHA1 |
- dsa-with-sha224 |
- dsa-with-sha256 |
- md2-with-rsa-encryption |
- md5-with-rsa-encryption |
- sha1-with-rsa-encryption |
- sha-1with-rsa-encryption |
- sha224-with-rsa-encryption |
- sha256-with-rsa-encryption |
- sha384-with-rsa-encryption |
- sha512-with-rsa-encryption |
- rsassa-pss |
- ecdsa-with-sha1 |
- ecdsa-with-sha224 |
- ecdsa-with-sha256 |
- ecdsa-with-sha384 |
- ecdsa-with-sha512 }
-
-SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
- dsa | rsa-encryption | rsa-pss | dh | kea | ec-public-key }
-
- -- DSA Keys and Signatures
-
-
- DSAParams ::= CHOICE
- {
- params Dss-Parms,
- null NULL
- }
-
- -- SubjectPublicKeyInfo:
-
- dsa PUBLIC-KEY-ALGORITHM-CLASS ::= {
- ID id-dsa
- TYPE DSAParams -- XXX Must be OPTIONAL
- PUBLIC-KEY-TYPE DSAPublicKey }
-
- -- Certificate.signatureAlgorithm
-
- dsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
- ID id-dsa-with-sha1
- TYPE DSAParams }
-
-
- dsaWithSHA1 SIGNATURE-ALGORITHM-CLASS ::= {
- ID id-dsaWithSHA1
- TYPE DSAParams }
-
- dsa-with-sha224 SIGNATURE-ALGORITHM-CLASS ::= {
- ID id-dsa-with-sha224
- TYPE DSAParams }
-
- dsa-with-sha256 SIGNATURE-ALGORITHM-CLASS ::= {
- ID id-dsa-with-sha256
- TYPE DSAParams }
-
- id-dsa-with-sha224 OBJECT IDENTIFIER ::= {
- joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
- csor(3) algorithms(4) id-dsa-with-sha2(3) 1 }
-
- id-dsa-with-sha256 OBJECT IDENTIFIER ::= {
- joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
- csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }
- --
- -- RSA Keys and Signatures
- --
-
- -- Certificate.signatureAlgorithm
-
- md2-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
- ID md2WithRSAEncryption
- TYPE NULL }
-
- md5-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
- ID md5WithRSAEncryption
- TYPE NULL }
-
- sha1-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
- ID sha1WithRSAEncryption
- TYPE NULL }
-
- sha-1with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
- ID sha-1WithRSAEncryption
- TYPE NULL }
-
- sha224-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
- ID sha224WithRSAEncryption
- TYPE NULL }
-
- sha256-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
- ID sha256WithRSAEncryption
- TYPE NULL }
-
- sha384-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
- ID sha384WithRSAEncryption
- TYPE NULL }
-
- sha512-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
- ID sha512WithRSAEncryption
- TYPE NULL }
-
- rsassa-pss SIGNATURE-ALGORITHM-CLASS ::= {
- ID id-RSASSA-PSS
- TYPE RSASSA-PSS-params }
-
-
- -- Certificate.signature
- -- See PKCS #1 (RFC 2313). XXX
-
- -- SubjectPublicKeyInfo:
-
- rsa-encryption PUBLIC-KEY-ALGORITHM-CLASS ::= {
- ID rsaEncryption
- TYPE NULL
- PUBLIC-KEY-TYPE RSAPublicKey }
-
- rsa-pss PUBLIC-KEY-ALGORITHM-CLASS ::= {
- ID id-RSASSA-PSS
- TYPE RSASSA-PSS-params
- PUBLIC-KEY-TYPE RSAPublicKey }
-
- --
- -- Diffie-Hellman Keys
- --
-
- -- SubjectPublicKeyInfo:
-
- dh PUBLIC-KEY-ALGORITHM-CLASS ::= {
- ID dhpublicnumber
- TYPE DomainParameters
- PUBLIC-KEY-TYPE DHPublicKey }
-
- -- There are no Diffie-Hellman signature algorithms
-
- --
- -- KEA Keys
- --
+OTP-DSA-Params-Or-NULL ::= CHOICE {
+ present DSA-Params, -- Only in very old certificates.
+ absent NULL
+}
- -- SubjectPublicKeyInfo:
+-- OTPName can contain country name and email addresses that don't
+-- follow the standard.
- KEA-PublicKey ::= INTEGER
+OTPName ::= CHOICE {
+ rdnSequence RDNSequence }
- kea PUBLIC-KEY-ALGORITHM-CLASS ::= {
- ID id-keyExchangeAlgorithm
- TYPE KEA-Parms-Id
- PUBLIC-KEY-TYPE KEA-PublicKey }
+RDNSequence ::= SEQUENCE OF OTPRelativeDistinguishedName
- -- There are no KEA signature algorithms
+OTPRelativeDistinguishedName ::=
+ SET SIZE (1 .. MAX) OF SingleAttribute { {OTPSupportedAttributes} }
- --
- -- Elliptic Curve Keys, Signatures, and Curves
- --
+OTPSupportedAttributes ATTRIBUTE ::= {
+ at-name | at-surname | at-givenName | at-initials |
+ at-generationQualifier | at-x520CommonName |
+ at-x520LocalityName | at-x520StateOrProvinceName |
+ at-x520OrganizationName | at-x520OrganizationalUnitName |
+ at-x520Title | at-x520dnQualifier | otp-at-x520countryName |
+ at-x520SerialNumber | at-x520Pseudonym | at-domainComponent |
+ otp-at-emailAddress, ... }
- -- Certificate.signatureAlgorithm
+otp-at-x520countryName ATTRIBUTE ::= {
+ TYPE OTP-X520countryName IDENTIFIED BY id-at-countryName }
- ecdsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
- ID ecdsa-with-SHA1
- TYPE EcpkParameters } -- XXX Must be empty and not NULL
+otp-at-emailAddress ATTRIBUTE ::= {
+ TYPE OTP-emailAddress IDENTIFIED BY id-emailAddress }
- ecdsa-with-sha224 SIGNATURE-ALGORITHM-CLASS ::= {
- ID ecdsa-with-SHA224
- TYPE EcpkParameters } -- XXX Must be empty and not NULL
+ -- We accept utf8String encoding of the US-ASCII
+ -- country name code and the mix up with other country code systems
+ -- that uses three characters instead of two.
- ecdsa-with-sha256 SIGNATURE-ALGORITHM-CLASS ::= {
- ID ecdsa-with-SHA256
- TYPE EcpkParameters } -- XXX Must be empty and not NULL
+OTP-X520countryName ::= CHOICE {
+ correct PrintableString (SIZE (2..3)), -- Correct size is 2.
+ wrong UTF8String (SIZE (2..3))
+}
- ecdsa-with-sha384 SIGNATURE-ALGORITHM-CLASS ::= {
- ID ecdsa-with-SHA384
- TYPE EcpkParameters } -- XXX Must be empty and not NULL
+OTP-emailAddress ::= CHOICE {
+ correct IA5String (SIZE (1..ub-emailaddress-length)),
+ wrong UTF8String
+}
- ecdsa-with-sha512 SIGNATURE-ALGORITHM-CLASS ::= {
- ID ecdsa-with-SHA512
- TYPE EcpkParameters } -- XXX Must be empty and not NULL
+-- We use this variation of SingleAttribute/AttributeTypeAndValue
+-- when calculating the "short" hash of the certificate issuer.
+-- See public_key:short_name_hash/1.
+HashSingleAttribute ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ value UTF8String
+}
- FIELD-ID-CLASS ::= CLASS {
- &id OBJECT IDENTIFIER UNIQUE,
- &Type }
- WITH SYNTAX {
- ID &id
- TYPE &Type }
+HashRDNSequence ::= SEQUENCE OF HashRelativeDistinguishedName
- OTPFieldID ::= SEQUENCE { -- Finite field
- fieldType FIELD-ID-CLASS.&id({SupportedFieldIds}),
- parameters FIELD-ID-CLASS.&Type({SupportedFieldIds}{@fieldType}) }
+HashRelativeDistinguishedName ::=
+ SET SIZE (1 .. MAX) OF HashSingleAttribute
- SupportedFieldIds FIELD-ID-CLASS ::= {
- field-prime-field | field-characteristic-two }
+-- Used to workaround that some CAs create too long User Notices
- field-prime-field FIELD-ID-CLASS ::= {
- ID prime-field
- TYPE Prime-p }
+OTPCertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF OTPPolicyInformation
- CHARACTERISTIC-TWO-CLASS ::= CLASS {
- &id OBJECT IDENTIFIER UNIQUE,
- &Type }
- WITH SYNTAX {
- ID &id
- TYPE &Type }
+OTPPolicyInformation ::= SEQUENCE {
+ policyIdentifier CertPolicyId,
+ policyQualifiers SEQUENCE SIZE (1..MAX) OF
+ OTPPolicyQualifierInfo OPTIONAL }
- OTPCharacteristic-two ::= SEQUENCE { -- Finite field
- m INTEGER, -- Field size 2^m
- basis CHARACTERISTIC-TWO-CLASS.&id({SupportedCharacteristicTwos}),
- parameters CHARACTERISTIC-TWO-CLASS.&Type
- ({SupportedCharacteristicTwos}{@basis}) }
+CertPolicyId ::= OBJECT IDENTIFIER
- SupportedCharacteristicTwos CHARACTERISTIC-TWO-CLASS ::= {
- gn-basis | tp-basis | pp-basis }
+CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER
- field-characteristic-two FIELD-ID-CLASS ::= {
- ID characteristic-two-field
- TYPE Characteristic-two }
+OTPPolicyQualifierInfo ::= SEQUENCE {
+ policyQualifierId CERT-POLICY-QUALIFIER.
+ &id({PolicyQualifierId}),
+ qualifier CERT-POLICY-QUALIFIER.
+ &Type({PolicyQualifierId}{@policyQualifierId})}
- gn-basis CHARACTERISTIC-TWO-CLASS ::= {
- ID gnBasis
- TYPE NULL }
+-- Implementations that recognize additional policy qualifiers MUST
+-- augment the following definition for PolicyQualifierId
- tp-basis CHARACTERISTIC-TWO-CLASS ::= {
- ID tpBasis
- TYPE Trinomial }
+PolicyQualifierId CERT-POLICY-QUALIFIER ::=
+ { pqid-cps | pqid-unotice, ... }
- pp-basis CHARACTERISTIC-TWO-CLASS ::= {
- ID ppBasis
- TYPE Pentanomial }
+pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }
+pqid-unotice CERT-POLICY-QUALIFIER ::= { OTPUserNotice
+ IDENTIFIED BY id-qt-unotice }
+-- CPS pointer qualifier
- -- SubjectPublicKeyInfo.algorithm
+CPSuri ::= IA5String
- ec-public-key PUBLIC-KEY-ALGORITHM-CLASS ::= {
- ID id-ecPublicKey
- TYPE EcpkParameters
- PUBLIC-KEY-TYPE ECPoint }
+OTPUserNotice ::= SEQUENCE {
+ noticeRef NoticeReference OPTIONAL,
+ explicitText OTPDisplayText OPTIONAL}
---
--- Extension Attributes
---
+-- NoticeReference ::= SEQUENCE {
+-- organization OTPDisplayText,
+-- noticeNumbers SEQUENCE OF INTEGER }
-EXTENSION-ATTRIBUTE-CLASS ::= CLASS {
- &id INTEGER UNIQUE,
- &Type }
- WITH SYNTAX {
- ID &id
- TYPE &Type }
-
-OTPExtensionAttributes ::= SET SIZE (1..MAX) OF ExtensionAttribute
-
--- XXX Below we should have extension-attribute-type and extension-
--- attribute-value but Erlang ASN1 does not like it.
-OTPExtensionAttribute ::= SEQUENCE {
- extensionAttributeType [0] IMPLICIT EXTENSION-ATTRIBUTE-CLASS.&id
- ({SupportedExtensionAttributes}),
- extensionAttributeValue [1] EXTENSION-ATTRIBUTE-CLASS.&Type
- ({SupportedExtensionAttributes}{@extensionAttributeType}) }
-
-SupportedExtensionAttributes EXTENSION-ATTRIBUTE-CLASS ::= {
- x400-common-name |
- x400-teletex-common-name |
- x400-teletex-personal-name |
- x400-pds-name |
- x400-physical-delivery-country-name |
- x400-postal-code |
- x400-physical-delivery-office-name |
- x400-physical-delivery-office-number |
- x400-extension-OR-address-components |
- x400-physical-delivery-personal-name |
- x400-physical-delivery-organization-name |
- x400-extension-physical-delivery-address-components |
- x400-unformatted-postal-address |
- x400-street-address |
- x400-post-office-box-address |
- x400-poste-restante-address |
- x400-unique-postal-name |
- x400-local-postal-attributes |
- x400-extended-network-address |
- x400-terminal-type |
- x400-teletex-domain-defined-attributes }
-
--- Extension types and attribute values
-
-x400-common-name EXTENSION-ATTRIBUTE-CLASS ::= {
- ID common-name
- TYPE CommonName }
-
-x400-teletex-common-name EXTENSION-ATTRIBUTE-CLASS ::= {
- ID teletex-common-name
- TYPE TeletexCommonName }
-
-x400-teletex-personal-name EXTENSION-ATTRIBUTE-CLASS ::= {
- ID teletex-personal-name
- TYPE TeletexPersonalName }
-
-x400-pds-name EXTENSION-ATTRIBUTE-CLASS ::= {
- ID pds-name
- TYPE PDSName }
-
-x400-physical-delivery-country-name EXTENSION-ATTRIBUTE-CLASS ::= {
- ID physical-delivery-country-name
- TYPE PhysicalDeliveryCountryName }
-
-x400-postal-code EXTENSION-ATTRIBUTE-CLASS ::= {
- ID postal-code
- TYPE PostalCode }
-
-x400-physical-delivery-office-name EXTENSION-ATTRIBUTE-CLASS ::= {
- ID physical-delivery-office-name
- TYPE PhysicalDeliveryOfficeName }
-
-x400-physical-delivery-office-number EXTENSION-ATTRIBUTE-CLASS ::= {
- ID physical-delivery-office-number
- TYPE PhysicalDeliveryOfficeNumber }
-
-x400-extension-OR-address-components EXTENSION-ATTRIBUTE-CLASS ::= {
- ID extension-OR-address-components
- TYPE ExtensionORAddressComponents }
-
-x400-physical-delivery-personal-name EXTENSION-ATTRIBUTE-CLASS ::= {
- ID physical-delivery-personal-name
- TYPE PhysicalDeliveryPersonalName }
-
-x400-physical-delivery-organization-name EXTENSION-ATTRIBUTE-CLASS ::= {
- ID physical-delivery-organization-name
- TYPE PhysicalDeliveryOrganizationName }
-
-x400-extension-physical-delivery-address-components
- EXTENSION-ATTRIBUTE-CLASS ::= {
- ID extension-physical-delivery-address-components
- TYPE ExtensionPhysicalDeliveryAddressComponents }
-
-x400-unformatted-postal-address EXTENSION-ATTRIBUTE-CLASS ::= {
- ID unformatted-postal-address
- TYPE UnformattedPostalAddress }
-
-x400-street-address EXTENSION-ATTRIBUTE-CLASS ::= {
- ID street-address
- TYPE StreetAddress }
-
-x400-post-office-box-address EXTENSION-ATTRIBUTE-CLASS ::= {
- ID post-office-box-address
- TYPE PostOfficeBoxAddress }
-
-x400-poste-restante-address EXTENSION-ATTRIBUTE-CLASS ::= {
- ID poste-restante-address
- TYPE PosteRestanteAddress }
-
-x400-unique-postal-name EXTENSION-ATTRIBUTE-CLASS ::= {
- ID unique-postal-name
- TYPE UniquePostalName }
-
-x400-local-postal-attributes EXTENSION-ATTRIBUTE-CLASS ::= {
- ID local-postal-attributes
- TYPE LocalPostalAttributes }
-
-x400-extended-network-address EXTENSION-ATTRIBUTE-CLASS ::= {
- ID extended-network-address
- TYPE ExtendedNetworkAddress }
-
-x400-terminal-type EXTENSION-ATTRIBUTE-CLASS ::= {
- ID terminal-type
- TYPE TerminalType }
-
-x400-teletex-domain-defined-attributes EXTENSION-ATTRIBUTE-CLASS ::= {
- ID teletex-domain-defined-attributes
- TYPE TeletexDomainDefinedAttributes }
+OTPDisplayText ::= CHOICE {
+ ia5String IA5String (SIZE (1..650)),
+ visibleString VisibleString (SIZE (1..650)),
+ bmpString BMPString (SIZE (1..650)),
+ utf8String UTF8String (SIZE (1..650)) }
-- Extensions
-OTPExtensions ::= SEQUENCE SIZE (1..MAX) OF Extension
-
-EXTENSION-CLASS ::= CLASS {
- &id OBJECT IDENTIFIER UNIQUE,
- &Type OPTIONAL}
- WITH SYNTAX {
- ID &id
- [TYPE &Type] }
-
-OTPExtension ::= SEQUENCE {
- extnID EXTENSION-CLASS.&id({SupportedExtensions}),
- critical BOOLEAN DEFAULT FALSE,
- extnValue EXTENSION-CLASS.&Type({SupportedExtensions}{@extnID}) }
-
--- The following is needed for conversion between Extension and Extension-Cd
+Extensions ::= SEQUENCE SIZE (1..MAX) OF OTPExtension
-ObjId ::= OBJECT IDENTIFIER
-Boolean ::= BOOLEAN
-Any ::= ANY
-
-Extension-Any ::= SEQUENCE {
+OTPExtension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
- extnValue ANY }
-
-SupportedExtensions EXTENSION-CLASS ::= { authorityKeyIdentifier |
- subjectKeyIdentifier | keyUsage | privateKeyUsagePeriod |
- certificatePolicies | policyMappings | subjectAltName |
- issuerAltName | subjectDirectoryAttributes | basicConstraints |
- nameConstraints | policyConstraints | cRLDistributionPoints |
- extKeyUsage | inhibitAnyPolicy | freshestCRL | authorityInfoAccess |
- subjectInfoAccess | cRLNumber | issuingDistributionPoint |
- deltaCRLIndicator | cRLReasons | certificateIssuer |
- holdInstructionCode | invalidityDate }
-
-authorityKeyIdentifier EXTENSION-CLASS ::= {
- ID id-ce-authorityKeyIdentifier
- TYPE AuthorityKeyIdentifier }
-
-subjectKeyIdentifier EXTENSION-CLASS ::= {
- ID id-ce-subjectKeyIdentifier
- TYPE SubjectKeyIdentifier }
-
-keyUsage EXTENSION-CLASS ::= {
- ID id-ce-keyUsage
- TYPE KeyUsage }
-
-privateKeyUsagePeriod EXTENSION-CLASS ::= {
- ID id-ce-privateKeyUsagePeriod
- TYPE PrivateKeyUsagePeriod }
-
-certificatePolicies EXTENSION-CLASS ::= {
- ID id-ce-certificatePolicies
- TYPE CertificatePolicies }
-
-policyMappings EXTENSION-CLASS ::= {
- ID id-ce-policyMappings
- TYPE PolicyMappings }
-
-subjectAltName EXTENSION-CLASS ::= {
- ID id-ce-subjectAltName
- TYPE SubjectAltName }
-
-issuerAltName EXTENSION-CLASS ::= {
- ID id-ce-issuerAltName
- TYPE IssuerAltName }
-
-subjectDirectoryAttributes EXTENSION-CLASS ::= {
- ID id-ce-subjectDirectoryAttributes
- TYPE SubjectDirectoryAttributes }
-
-basicConstraints EXTENSION-CLASS ::= {
- ID id-ce-basicConstraints
- TYPE BasicConstraints }
-
-nameConstraints EXTENSION-CLASS ::= {
- ID id-ce-nameConstraints
- TYPE NameConstraints }
-
-policyConstraints EXTENSION-CLASS ::= {
- ID id-ce-policyConstraints
- TYPE PolicyConstraints }
-
-cRLDistributionPoints EXTENSION-CLASS ::= {
- ID id-ce-cRLDistributionPoints
- TYPE CRLDistributionPoints }
-
-extKeyUsage EXTENSION-CLASS ::= {
- ID id-ce-extKeyUsage
- TYPE ExtKeyUsageSyntax }
-
-inhibitAnyPolicy EXTENSION-CLASS ::= {
- ID id-ce-inhibitAnyPolicy
- TYPE InhibitAnyPolicy }
-
-freshestCRL EXTENSION-CLASS ::= {
- ID id-ce-freshestCRL
- TYPE FreshestCRL }
-
-authorityInfoAccess EXTENSION-CLASS ::= {
- ID id-pe-authorityInfoAccess
- TYPE AuthorityInfoAccessSyntax }
-
-subjectInfoAccess EXTENSION-CLASS ::= {
- ID id-pe-subjectInfoAccess
- TYPE SubjectInfoAccessSyntax }
-
-cRLNumber EXTENSION-CLASS ::= {
- ID id-ce-cRLNumber
- TYPE CRLNumber }
-
-issuingDistributionPoint EXTENSION-CLASS ::= {
- ID id-ce-issuingDistributionPoint
- TYPE IssuingDistributionPoint }
-
-deltaCRLIndicator EXTENSION-CLASS ::= {
- ID id-ce-deltaCRLIndicator
- TYPE BaseCRLNumber }
-
-cRLReasons EXTENSION-CLASS ::= {
- ID id-ce-cRLReasons
- TYPE CRLReason }
-
-certificateIssuer EXTENSION-CLASS ::= {
- ID id-ce-certificateIssuer
- TYPE CertificateIssuer }
-
-holdInstructionCode EXTENSION-CLASS ::= {
- ID id-ce-holdInstructionCode
- TYPE HoldInstructionCode }
-
-invalidityDate EXTENSION-CLASS ::= {
- ID id-ce-invalidityDate
- TYPE InvalidityDate }
-
--- Used to workaround that some CAs create too long User Notices
-
-OTPUserNotice ::= SEQUENCE {
- noticeRef OTPNoticeReference OPTIONAL,
- explicitText OTPDisplayText OPTIONAL}
-
-OTPNoticeReference ::= SEQUENCE {
- organization OTPDisplayText,
- noticeNumbers SEQUENCE OF INTEGER }
-
-OTPDisplayText ::= CHOICE {
- ia5String IA5String (SIZE (1..350)),
- visibleString VisibleString (SIZE (1..350)),
- bmpString BMPString (SIZE (1..350)),
- utf8String UTF8String (SIZE (1..350)) }
+ extnValue OCTET STRING }
END
diff --git a/lib/public_key/asn1/OTP-PKIX.asn1config b/lib/public_key/asn1/OTP-PKIX.asn1config
new file mode 100644
index 0000000000..514fa2bb52
--- /dev/null
+++ b/lib/public_key/asn1/OTP-PKIX.asn1config
@@ -0,0 +1,25 @@
+%% -*- erlang -*-
+%%
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: Apache-2.0
+%%
+%% Copyright Ericsson AB 2008-2025. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%% http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+
+{exclusive_decode,
+ {'OTP-PKIX',
+ [{decode_TBSCert_exclusive,['OTPCertificate',[{tbsCertificate,undecoded}]]}]}}.
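Review bot: The `exclusive_decode` term has no comment saying why `tbsCertificate` is left undecoded, and the config it replaces (OTP-PUB-KEY.asn1config, deleted further down in this patch) also generated `decode_TBSCertList_exclusive` for `CertificateList`, which has no counterpart here. If the purpose is to give the signature check the TBS bytes exactly as received rather than a re-encoding, say so above the term, e.g. `%% Keep tbsCertificate as the original DER so signatures are verified over the received bytes.` Whether CRL verification still obtains the original `tbsCertList` bytes by another route cannot be seen from this hunk and should be confirmed against the callers.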
diff --git a/lib/public_key/asn1/OTP-PUB-KEY.asn1config b/lib/public_key/asn1/OTP-PUB-KEY.asn1config
deleted file mode 100644
index 9ca30564af..0000000000
--- a/lib/public_key/asn1/OTP-PUB-KEY.asn1config
+++ /dev/null
@@ -1,3 +0,0 @@
-{exclusive_decode,{'OTP-PUB-KEY',
- [{decode_TBSCert_exclusive,['Certificate',[{tbsCertificate,undecoded}]]},
- {decode_TBSCertList_exclusive,['CertificateList',[{tbsCertList,undecoded}]]}]}}.
diff --git a/lib/public_key/asn1/OTP-PUB-KEY.set.asn b/lib/public_key/asn1/OTP-PUB-KEY.set.asn
deleted file mode 100644
index 74964a1c8f..0000000000
--- a/lib/public_key/asn1/OTP-PUB-KEY.set.asn
+++ /dev/null
@@ -1,15 +0,0 @@
-OTP-PKIX.asn1
-PKIX1Explicit88.asn1
-PKIX1Implicit88.asn1
-PKIXAttributeCertificate.asn1
-PKIX1Algorithms88.asn1
-PKCS-1.asn1
-PKCS-3.asn1
-DSS.asn1
-ECPrivateKey.asn1
-PKCS-7.asn1
-PKCS-10.asn1
-RFC5639.asn1
-CMSAesRsaesOaep.asn1
-OCSP-2013-88.asn1
-
diff --git a/lib/public_key/asn1/PKCS-1.asn1 b/lib/public_key/asn1/PKCS-1.asn1
index 6fb7ccb981..f276b2bd81 100644
--- a/lib/public_key/asn1/PKCS-1.asn1
+++ b/lib/public_key/asn1/PKCS-1.asn1
@@ -1,3 +1,37 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
-- PKCS #1 v2.2 ASN.1 Module
-- Revised October 27, 2012
-- (plain merged with previous version to support all that we need)
@@ -263,15 +297,14 @@ PKCS1Algorithms ALGORITHM-IDENTIFIER ::= {
-- ===================
-- Main structures
-- ===================
-RSAPublicKey ::= SEQUENCE {
- modulus INTEGER, -- n
- publicExponent INTEGER -- e
-}
---
+
+-- The RSAPublicKey definition has been deleted because it is defined
+-- in PKIXAlgs-2009.
+
-- Representation of RSA private key with information for the CRT algorithm.
--
RSAPrivateKey ::= SEQUENCE {
- version Version,
+ version PKCS1-Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
@@ -283,7 +316,7 @@ RSAPrivateKey ::= SEQUENCE {
otherPrimeInfos OtherPrimeInfos OPTIONAL
}
-Version ::= INTEGER { two-prime(0), multi(1) }
+PKCS1-Version ::= INTEGER { two-prime(0), multi(1) }
(CONSTRAINED BY {-- version must be multi if otherPrimeInfos present --})
OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo
diff --git a/lib/public_key/asn1/PKCS-10.asn1 b/lib/public_key/asn1/PKCS-10.asn1
index 5ada81c257..19f8cf80be 100644
--- a/lib/public_key/asn1/PKCS-10.asn1
+++ b/lib/public_key/asn1/PKCS-10.asn1
@@ -1,94 +1,90 @@
-PKCS-10 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
-pkcs-10(10) modules(1) pkcs-10(1)}
-
--- $Revision: 1.3 $ --
-
-DEFINITIONS IMPLICIT TAGS ::=
-
-BEGIN
-
--- EXPORTS All --
--- All types and values defined in this module are exported for use
--- in other ASN.1 modules.
-
-IMPORTS
-
---informationFramework, authenticationFramework
--- FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
--- usefulDefinitions(0) 3}
-
- ATTRIBUTE
- FROM InformationFramework informationFramework
-
- Name, Extensions, DirectoryString
- FROM PKIX1Explicit88 --InformationFramework informationFramework
-
- ALGORITHM
- FROM PKCS-7; --AuthenticationFramework authenticationFramework;
-
--- start inlined from PKCS-9
-
---pkcs-9-ub-pkcs9String INTEGER ::= 255
---pkcs-9-ub-challengePassword INTEGER ::= pkcs-9-ub-pkcs9String
-pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {pkcs-9 7}
-
-challengePassword ATTRIBUTE ::= {
- WITH SYNTAX DirectoryString --{pkcs-9-ub-challengePassword}
- SINGLE VALUE TRUE
- ID pkcs-9-at-challengePassword
-}
-
-pkcs-9-at-extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14}
-
-extensionRequest ATTRIBUTE ::= {
- WITH SYNTAX ExtensionRequest
- SINGLE VALUE TRUE
- ID pkcs-9-at-extensionRequest
-}
-
-ExtensionRequest ::= Extensions
-
--- end inlined from PKCS-9
-
--- Certificate requests
-
-CertificationRequestInfo ::= SEQUENCE {
- version INTEGER { v1(0) } (v1,...),
- subject Name,
- subjectPKInfo SubjectPublicKeyInfo-PKCS-10{{ PKInfoAlgorithms }},
- attributes [0] Attributes{{ CRIAttributes }}
-}
-
-SubjectPublicKeyInfo-PKCS-10 {ALGORITHM: IOSet} ::= SEQUENCE {
- algorithm AlgorithmIdentifierPKCS-10{{IOSet}},
- subjectPublicKey BIT STRING
-}
-
-PKInfoAlgorithms ALGORITHM ::= {
- ... -- add any locally defined algorithms here -- }
-
-Attributes { ATTRIBUTE:IOSet } ::= SET OF AttributePKCS-10{{ IOSet }}
-
-CRIAttributes ATTRIBUTE ::= {
-... -- add any locally defined attributes here -- }
-
-AttributePKCS-10 { ATTRIBUTE:IOSet } ::= SEQUENCE {
- type ATTRIBUTE.&id({IOSet}),
- values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
-}
-
-CertificationRequest ::= SEQUENCE {
- certificationRequestInfo CertificationRequestInfo,
- signatureAlgorithm AlgorithmIdentifierPKCS-10{{ SignatureAlgorithms }},
- signature BIT STRING
-}
-
-AlgorithmIdentifierPKCS-10 {ALGORITHM:IOSet } ::= SEQUENCE {
- algorithm ALGORITHM.&id({IOSet}),
- parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
-}
-
-SignatureAlgorithms ALGORITHM ::= {
- ... -- add any locally defined algorithms here -- }
-
-END
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ PKCS-10
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkcs10-2009(69)}
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
+ PUBLIC-KEY
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+ ATTRIBUTE, Name
+ FROM PKIX1Explicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)};
+
+ -- Certificate requests
+ CertificationRequestInfo ::= SEQUENCE {
+ version INTEGER { v1(0) } (v1, ... ),
+ subject Name,
+ subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+ attributes [0] Attributes{{ CRIAttributes }}
+ }
+
+ SubjectPublicKeyInfo {PUBLIC-KEY: IOSet} ::= SEQUENCE {
+ algorithm AlgorithmIdentifier {PUBLIC-KEY, {IOSet}},
+ subjectPublicKey BIT STRING
+ }
+
+ PKInfoAlgorithms PUBLIC-KEY ::= {
+ ... -- add any locally defined algorithms here -- }
+
+ Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
+
+ CRIAttributes ATTRIBUTE ::= {
+ ... -- add any locally defined attributes here -- }
+
+ Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
+ type ATTRIBUTE.&id({IOSet}),
+ values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
+ }
+
+ CertificationRequest ::= SEQUENCE {
+ certificationRequestInfo CertificationRequestInfo,
+ signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM,
+ { SignatureAlgorithms }},
+ signature BIT STRING
+ }
+
+ SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
+ ... -- add any locally defined algorithms here -- }
+
+ END
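Review bot: `PKInfoAlgorithms`, `SignatureAlgorithms` and `CRIAttributes` remain empty extensible sets in the rewritten module, so the generated decoder will not restrict the algorithm OIDs of a `CertificationRequest` or type-check their parameters and attribute values. That makes the Erlang code that verifies the request the only place where the accepted algorithms are enforced, and the module should state it, e.g. `-- Intentionally empty: algorithm and attribute checks are done by the caller, not by the decoder.` above each set. The rewrite also drops the inlined PKCS-9 definitions (`pkcs-9-at-challengePassword`, `pkcs-9-at-extensionRequest`, `ExtensionRequest`). Whether another module in the set still provides them for code that reads the extension request out of a CSR is not visible here and is worth confirming.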
diff --git a/lib/public_key/asn1/PKCS-3.asn1 b/lib/public_key/asn1/PKCS-3.asn1
index 64180b3a85..c1f2983493 100644
--- a/lib/public_key/asn1/PKCS-3.asn1
+++ b/lib/public_key/asn1/PKCS-3.asn1
@@ -1,3 +1,35 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: LicenseRef-RSA-PKCS3
+--
+-- Copyright (C) The Internet Society (2000). All Rights Reserved.
+--
+-- This document and translations of it may be copied and furnished to
+-- others, and derivative works that comment on or otherwise explain it
+-- or assist in its implementation may be prepared, copied, published
+-- and distributed, in whole or in part, without restriction of any
+-- kind, provided that the above copyright notice and this paragraph are
+-- included on all such copies and derivative works. However, this
+-- document itself may not be modified in any way, such as by removing
+-- the copyright notice or references to the Internet Society or other
+-- Internet organizations, except as needed for the purpose of
+-- developing Internet standards in which case the procedures for
+-- copyrights defined in the Internet Standards process must be
+-- followed, or as required to translate it into languages other than
+-- English.
+--
+-- The limited permissions granted above are perpetual and will not be
+-- revoked by the Internet Society or its successors or assigns.
+--
+-- This document and the information contained herein is provided on an
+-- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+-- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+-- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+-- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+-- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+--
+-- %CopyrightEnd%
+
PKCS-3 {
iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) 3
@@ -6,11 +38,11 @@ PKCS-3 {
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
-
+
pkcs-3 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) 3 }
-
+
dhKeyAgreement OBJECT IDENTIFIER ::= { pkcs-3 1 }
DHParameter ::= SEQUENCE {
diff --git a/lib/public_key/asn1/PKCS-7.asn1 b/lib/public_key/asn1/PKCS-7.asn1
deleted file mode 100644
index e9c188be39..0000000000
--- a/lib/public_key/asn1/PKCS-7.asn1
+++ /dev/null
@@ -1,449 +0,0 @@
-PKCS-7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)
- modules(0) pkcs-7(1)}
-
-DEFINITIONS EXPLICIT TAGS ::=
-BEGIN
-
---
--- 3. Definitions
---
-
--- EXPORTS All;
-
-IMPORTS
-
-informationFramework, authenticationFramework
- FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
- usefulDefinitions(0) 3}
-
- ATTRIBUTE
- FROM InformationFramework informationFramework
-
- Name, Certificate, CertificateSerialNumber,
- CertificateList, Time
- FROM PKIX1Explicit88; -- AuthenticationFramework authenticationFramework;
-
--- contentType, messageDigest, signingTime
--- , counterSignature
--- FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
--- pkcs-9(9) modules(0) pkcs-9(1)};
---
--- 6. Useful types
---
-
--- inlined from AuthenticationFramework
-
-ALGORITHM ::= CLASS {&Type OPTIONAL,
- &id OBJECT IDENTIFIER UNIQUE
-}WITH SYNTAX {[&Type]
- IDENTIFIED BY &id
-}
-
--- inlined from PKCS-9
-
-pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
- rsadsi(113549) pkcs(1) 9}
-
-contentType ATTRIBUTE ::= {
- WITH SYNTAX ContentType
--- EQUALITY MATCHING RULE objectIdentifierMatch
- SINGLE VALUE TRUE
- ID pkcs-9-at-contentType
-}
-
-pkcs-9-at-contentType OBJECT IDENTIFIER ::= {pkcs-9 3}
-pkcs-9-at-messageDigest OBJECT IDENTIFIER ::= {pkcs-9 4}
-pkcs-9-at-signingTime OBJECT IDENTIFIER ::= {pkcs-9 5}
-pkcs-9-at-counterSignature OBJECT IDENTIFIER ::= {pkcs-9 6}
-
-counterSignature ATTRIBUTE ::= {
- WITH SYNTAX SignerInfo
- ID pkcs-9-at-counterSignature
-}
-messageDigest ATTRIBUTE ::= {
- WITH SYNTAX MessageDigest
--- EQUALITY MATCHING RULE octetStringMatch
- SINGLE VALUE TRUE
- ID pkcs-9-at-messageDigest
-}
-
-MessageDigest ::= OCTET STRING
-
-signingTime ATTRIBUTE ::= {
- WITH SYNTAX SigningTime
--- EQUALITY MATCHING RULE signingTimeMatch
- SINGLE VALUE TRUE
- ID pkcs-9-at-signingTime
-}
-
-SigningTime ::= Time -- imported from ISO/IEC 9594-8
-
--- begin added for VCE SCEP-support
-transactionID ATTRIBUTE ::= {
- WITH SYNTAX PrintableString
- ID id-transId
-}
-
-messageType ATTRIBUTE ::= {
- WITH SYNTAX PrintableString
- ID id-messageType
-}
-
-pkiStatus ATTRIBUTE ::= {
- WITH SYNTAX PrintableString
- ID id-pkiStatus
-}
-
-failInfo ATTRIBUTE ::= {
- WITH SYNTAX PrintableString
- ID id-failInfo
-}
-
-senderNonce ATTRIBUTE ::= {
- WITH SYNTAX OCTET STRING
- ID id-senderNonce
-}
-
-recipientNonce ATTRIBUTE ::= {
- WITH SYNTAX OCTET STRING
- ID id-recipientNonce
-}
-
--- This is the authenticatedAttributes -member from SignerInfo
--- added here to generate decode/encode functions for it which are
--- needed to build the pkcs-7 used by SCEP, the resulting encoding are
--- used to make a signed digest
-SignerInfoAuthenticatedAttributes ::= CHOICE {
- aaSet [0] IMPLICIT SET OF AttributePKCS-7 {{Authenticated}},
- aaSequence [2] EXPLICIT SEQUENCE OF AttributePKCS-7 {{Authenticated}}
- -- Explicit because easier to compute digest on sequence of attributes and then reuse
- -- encoded sequence in aaSequence.
- }
--- end added for VCE SCEP-support
-
-
--- Also defined in X.509
--- Redeclared here as a parameterized type
-AlgorithmIdentifierPKCS-7 {ALGORITHM:IOSet} ::= SEQUENCE {
- algorithm ALGORITHM.&id({IOSet}),
- parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
-}
-
--- Also defined in X.501
--- Redeclared here as a parameterized type
-AttributePKCS-7 { ATTRIBUTE:IOSet } ::= SEQUENCE {
- type ATTRIBUTE.&id({IOSet}),
- values SET SIZE (1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
-}
-
-CertificateRevocationLists ::=
- SET OF CertificateList
-
-Certificates ::=
- SEQUENCE OF Certificate
-
-CRLSequence ::=
- SEQUENCE OF CertificateList
-
-ContentEncryptionAlgorithmIdentifier ::=
- AlgorithmIdentifierPKCS-7 {{ContentEncryptionAlgorithms}}
-
-ContentEncryptionAlgorithms ALGORITHM ::= {
- ... -- add any application-specific algorithms here
-}
-
-DigestAlgorithmIdentifier ::=
- AlgorithmIdentifierPKCS-7 {{DigestAlgorithms}}
-
-DigestAlgorithms ALGORITHM ::= {
- ... -- add any application-specific algorithms here
-}
-
-DigestEncryptionAlgorithmIdentifier ::=
- AlgorithmIdentifierPKCS-7 {{DigestEncryptionAlgorithms}}
-
-DigestEncryptionAlgorithms ALGORITHM ::= {
- ... -- add any application-specific algorithms here
-}
-
-ExtendedCertificateOrCertificate ::= CHOICE {
- certificate Certificate, -- X.509
- extendedCertificate [0] IMPLICIT ExtendedCertificate -- PKCS#6
-}
-
-ExtendedCertificate ::= Certificate -- cheating
-
-ExtendedCertificatesAndCertificates ::=
- SET OF ExtendedCertificateOrCertificate
-
-IssuerAndSerialNumber ::= SEQUENCE {
- issuer Name,
- serialNumber CertificateSerialNumber
-}
-
-KeyEncryptionAlgorithmIdentifier ::=
- AlgorithmIdentifierPKCS-7 {{KeyEncryptionAlgorithms}}
-
-KeyEncryptionAlgorithms ALGORITHM ::= {
- ... -- add any application-specific algorithms here
-}
-
---
--- 7. General syntax
---
-
-ContentInfo ::= SEQUENCE {
--- contentType ContentType,
- contentType CONTENTS.&id({Contents}),
- content [0] EXPLICIT CONTENTS.&Type({Contents}{@contentType})
-OPTIONAL
-}
-
-CONTENTS ::= TYPE-IDENTIFIER
-
-Contents CONTENTS ::= {
- {Data IDENTIFIED BY data} |
- {SignedData IDENTIFIED BY signedData} |
- {EnvelopedData IDENTIFIED BY envelopedData} |
- {SignedAndEnvelopedData IDENTIFIED BY signedAndEnvelopedData} |
- {DigestedData IDENTIFIED BY digestedData} |
- {EncryptedData IDENTIFIED BY encryptedData},
- ... -- add any application-specific types/contents here
-}
-
-ContentType ::= CONTENTS.&id({Contents})
-
---
--- 8. Data content type
---
-
-Data ::= OCTET STRING
-
---
--- 9. Signed-data content type
---
-
-SignedData ::= SEQUENCE {
--- version INTEGER {sdVer1(1), sdVer2(2)} (sdVer1 | sdVer2),
- version INTEGER {sdVer1(1), sdVer2(2)},
- digestAlgorithms
- DigestAlgorithmIdentifiers,
- contentInfo ContentInfo,
- certificates CHOICE {
- certSet [0] IMPLICIT ExtendedCertificatesAndCertificates,
- certSequence [2] IMPLICIT Certificates
- } OPTIONAL,
- crls CHOICE {
- crlSet [1] IMPLICIT CertificateRevocationLists,
- crlSequence [3] IMPLICIT CRLSequence
- } OPTIONAL,
- signerInfos SignerInfos
-} (WITH COMPONENTS { ..., version (sdVer1),
- digestAlgorithms (WITH COMPONENTS { ..., daSet PRESENT }),
- certificates (WITH COMPONENTS { ..., certSequence ABSENT }),
- crls (WITH COMPONENTS { ..., crlSequence ABSENT }),
- signerInfos (WITH COMPONENTS { ..., siSet PRESENT })
- } |
- WITH COMPONENTS { ..., version (sdVer2),
- digestAlgorithms (WITH COMPONENTS { ..., daSequence PRESENT }),
- certificates (WITH COMPONENTS { ..., certSet ABSENT }),
- crls (WITH COMPONENTS { ..., crlSet ABSENT }),
- signerInfos (WITH COMPONENTS { ..., siSequence PRESENT })
-})
-
-SignerInfos ::= CHOICE {
- siSet SET OF SignerInfo,
- siSequence SEQUENCE OF SignerInfo
-}
-
-DigestAlgorithmIdentifiers ::= CHOICE {
- daSet SET OF DigestAlgorithmIdentifier,
- daSequence SEQUENCE OF DigestAlgorithmIdentifier
-}
-
-SignerInfo ::= SEQUENCE {
--- version INTEGER {siVer1(1), siVer2(2)} (siVer1 | siVer2),
- version INTEGER {siVer1(1), siVer2(2)},
- issuerAndSerialNumber
- IssuerAndSerialNumber,
- digestAlgorithm DigestAlgorithmIdentifier,
- -- Added explicit type for authenticatedAttributes to be able to
- -- encode/decode this type separately
- authenticatedAttributes SignerInfoAuthenticatedAttributes OPTIONAL,
- digestEncryptionAlgorithm
- DigestEncryptionAlgorithmIdentifier,
- encryptedDigest EncryptedDigest,
- unauthenticatedAttributes CHOICE {
- uaSet [1] IMPLICIT SET OF AttributePKCS-7 {{Unauthenticated}},
- uaSequence [3] IMPLICIT SEQUENCE OF AttributePKCS-7 {{Unauthenticated}}
- } OPTIONAL
-} (WITH COMPONENTS { ..., version (siVer1),
- authenticatedAttributes (WITH COMPONENTS { ..., aaSequence ABSENT }),
- unauthenticatedAttributes (WITH COMPONENTS { ..., uaSequence ABSENT })
-} | WITH COMPONENTS { ..., version (siVer2),
- authenticatedAttributes (WITH COMPONENTS { ..., aaSet ABSENT }),
- unauthenticatedAttributes (WITH COMPONENTS { ..., uaSet ABSENT })
-})
-
-Authenticated ATTRIBUTE ::= {
- contentType |
- messageDigest |
--- begin added for VCE SCEP-support
- transactionID |
- messageType |
- pkiStatus |
- failInfo |
- senderNonce |
- recipientNonce,
--- end added for VCE SCEP-support
- ..., -- add application-specific attributes here
- signingTime
-}
-
-Unauthenticated ATTRIBUTE ::= {
- contentType |
- messageDigest,
- ..., -- add application-specific attributes here
- counterSignature
--- ..., add application-specific attributes here
--- counterSignature
-}
-
-EncryptedDigest ::= OCTET STRING
-
-DigestInfo ::= SEQUENCE {
- digestAlgorithm DigestAlgorithmIdentifier,
- digest Digest
-}
-
-Digest ::= OCTET STRING
-
---
--- 10. Enveloped-data content type
---
-
-EnvelopedData ::= SEQUENCE {
--- version INTEGER {edVer0(0), edVer1(1)} (edVer0 | edVer1),
- version INTEGER {edVer0(0), edVer1(1)},
- recipientInfos RecipientInfos,
- encryptedContentInfo
- EncryptedContentInfo
-} (WITH COMPONENTS { ..., version (edVer0),
- recipientInfos (WITH COMPONENTS { ..., riSet PRESENT })
-} | WITH COMPONENTS { ..., version (edVer1),
- recipientInfos (WITH COMPONENTS { ..., riSequence PRESENT })
-})
-
-RecipientInfos ::= CHOICE {
- riSet SET OF RecipientInfo,
- riSequence SEQUENCE OF RecipientInfo
-}
-
-EncryptedContentInfo ::= SEQUENCE {
- contentType ContentType,
- contentEncryptionAlgorithm
- ContentEncryptionAlgorithmIdentifier,
- encryptedContent
- [0] IMPLICIT EncryptedContent OPTIONAL
-}
-
-EncryptedContent ::= OCTET STRING
-
-RecipientInfo ::= SEQUENCE {
--- version INTEGER {riVer0(0)} (riVer0),
- version INTEGER {riVer0(0)},
- issuerAndSerialNumber
- IssuerAndSerialNumber,
- keyEncryptionAlgorithm
- KeyEncryptionAlgorithmIdentifier,
- encryptedKey EncryptedKey
-}
-
-EncryptedKey ::= OCTET STRING
-
---
--- 11. Signed-and-enveloped-data content type
---
-
-SignedAndEnvelopedData ::= SEQUENCE {
--- version INTEGER {seVer1(1), seVer2(2)} (seVer1 | seVer2),
- version INTEGER {seVer1(1), seVer2(2)},
- recipientInfos RecipientInfos,
- digestAlgorithms
- DigestAlgorithmIdentifiers,
- encryptedContentInfo
- EncryptedContentInfo,
- certificates CHOICE {
- certSet [0] IMPLICIT ExtendedCertificatesAndCertificates,
- certSequence [2] IMPLICIT Certificates
- } OPTIONAL,
- crls CHOICE {
- crlSet [1] IMPLICIT CertificateRevocationLists,
- crlSequence [3] IMPLICIT CRLSequence
- } OPTIONAL,
- signerInfos SignerInfos
-} (WITH COMPONENTS { ..., version (seVer1),
- recipientInfos (WITH COMPONENTS { ..., riSet PRESENT }),
- digestAlgorithms (WITH COMPONENTS { ..., daSet PRESENT }),
- certificates (WITH COMPONENTS { ..., certSequence ABSENT }),
- crls (WITH COMPONENTS { ..., crlSequence ABSENT }),
- signerInfos (WITH COMPONENTS { ..., siSet PRESENT })
-} |
- WITH COMPONENTS { ..., version (seVer2),
- recipientInfos (WITH COMPONENTS { ..., riSequence PRESENT }),
- digestAlgorithms (WITH COMPONENTS { ..., daSequence PRESENT }),
- certificates (WITH COMPONENTS { ..., certSet ABSENT }),
- crls (WITH COMPONENTS { ..., crlSet ABSENT }),
- signerInfos (WITH COMPONENTS { ..., siSequence PRESENT })
-})
-
---
--- 12. Digested-data content type
---pbeWithSHAAnd3-KeyTripleDES-CBC
-
-DigestedData ::= SEQUENCE {
--- version INTEGER {ddVer0(0)} (ddVer0),
- version INTEGER {ddVer0(0)},
- digestAlgorithm DigestAlgorithmIdentifier,
- contentInfo ContentInfo,
- digest Digest
-}
-
---
--- 13. Encrypted-data content type
---
-
-EncryptedData ::= SEQUENCE {
--- version INTEGER {edVer0(0)} (edVer0),
- version INTEGER {edVer0(0)},
- encryptedContentInfo EncryptedContentInfo
-}
-
---
--- 14. Object Identifiers
---
-
-pkcs-7 OBJECT IDENTIFIER ::=
- { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 }
-data OBJECT IDENTIFIER ::= { pkcs-7 1 }
-signedData OBJECT IDENTIFIER ::= { pkcs-7 2 }
-envelopedData OBJECT IDENTIFIER ::= { pkcs-7 3 }
-signedAndEnvelopedData OBJECT IDENTIFIER ::= { pkcs-7 4 }
-digestedData OBJECT IDENTIFIER ::= { pkcs-7 5 }
-encryptedData OBJECT IDENTIFIER ::= { pkcs-7 6 }
-
--- begin added for VCE SCEP-support
-id-VeriSign OBJECT IDENTIFIER ::= {2 16 us(840) 1 veriSign(113733)}
-id-pki OBJECT IDENTIFIER ::= {id-VeriSign pki(1)}
-id-attributes OBJECT IDENTIFIER ::= {id-pki attributes(9)}
-id-messageType OBJECT IDENTIFIER ::= {id-attributes messageType(2)}
-id-pkiStatus OBJECT IDENTIFIER ::= {id-attributes pkiStatus(3)}
-id-failInfo OBJECT IDENTIFIER ::= {id-attributes failInfo(4)}
-id-senderNonce OBJECT IDENTIFIER ::= {id-attributes senderNonce(5)}
-id-recipientNonce OBJECT IDENTIFIER ::= {id-attributes recipientNonce(6)}
-id-transId OBJECT IDENTIFIER ::= {id-attributes transId(7)}
-id-extensionReq OBJECT IDENTIFIER ::= {id-attributes extensionReq(8)}
--- end added for VCE SCEP-support
-
-
-END
diff --git a/lib/public_key/asn1/PKCS-8.asn1 b/lib/public_key/asn1/PKCS-8.asn1
deleted file mode 100644
index 87b3ecd99c..0000000000
--- a/lib/public_key/asn1/PKCS-8.asn1
+++ /dev/null
@@ -1,159 +0,0 @@
-PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-8(8)
- modules(1) pkcs-8(1)}
-
--- $Revision: 1.5 $
-
--- This module has been checked for conformance with the ASN.1
--- standard by the OSS ASN.1 Tools
-
-DEFINITIONS IMPLICIT TAGS ::=
-
-BEGIN
-
--- EXPORTS All --
--- All types and values defined in this module is exported for use in other
--- ASN.1 modules.
-
---IMPORTS
-
--- informationFramework
--- FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
--- usefulDefinitions(0) 3}
-
---Attribute
--- FROM InformationFramework informationFramework
--- FROM InformationFramework;
-
--- This import is really unnecessary since ALGORITHM-IDENTIFIER is defined as a
--- TYPE-IDENTIFIER
--- Rename this import and replace all occurrences of ALGORITHM-IDENTIFIER with
--- TYPE-IDENTIFIER as a workaround for weaknesses in the ASN.1 compiler
---AlgorithmIdentifier, ALGORITHM-IDENTIFIER
--- FROM PKCS5v2-0 {iso(1) member-body(2) us(840) rsadsi(113549)
--- pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)};
-
--- Inlined from PKCS5v2-0 since it is the only thing imported from that module
--- AlgorithmIdentifier { ALGORITHM-IDENTIFIER:InfoObjectSet } ::=
-AlgorithmIdentifier { TYPE-IDENTIFIER:InfoObjectSet } ::=
-SEQUENCE {
--- algorithm ALGORITHM-IDENTIFIER.&id({InfoObjectSet}),
- algorithm TYPE-IDENTIFIER.&id({InfoObjectSet}),
--- parameters ALGORITHM-IDENTIFIER.&Type({InfoObjectSet}
- parameters TYPE-IDENTIFIER.&Type({InfoObjectSet}
- {@algorithm}) OPTIONAL }
-
--- Private-key information syntax
-
-PrivateKeyInfo ::= SEQUENCE {
- version Version,
--- privateKeyAlgorithm AlgorithmIdentifier {{PrivateKeyAlgorithms}},
- privateKeyAlgorithm AlgorithmIdentifier {{...}},
- privateKey PrivateKey,
- attributes [0] Attributes OPTIONAL }
-
--- START FROM RFC 5958
-OneAsymmetricKey ::= SEQUENCE {
- version Version,
- privateKeyAlgorithm AlgorithmIdentifier {{...}},
- privateKey PrivateKey,
- attributes [0] Attributes OPTIONAL,
- ...,
- [[2: publicKey [1] PublicKey OPTIONAL ]],
- ...
- }
-
-PublicKey ::= BIT STRING
- -- Content varies based on type of key. The
- -- algorithm identifier dictates the format of
- -- the key.
--- END FROM RFC 5958
-Version ::= INTEGER {v1(0)} (v1,...)
-
-PrivateKey ::= OCTET STRING
-
--- Attributes ::= SET OF PKAttribute
-Attributes ::= SET OF PKAttribute {{...}}
-
--- Encrypted private-key information syntax
-
-EncryptedPrivateKeyInfo ::= SEQUENCE {
--- encryptionAlgorithm AlgorithmIdentifier {{KeyEncryptionAlgorithms}},
- encryptionAlgorithm AlgorithmIdentifier {{...}},
- encryptedData EncryptedData
-}
-
-EncryptedData ::= OCTET STRING
-
--- PrivateKeyAlgorithms ALGORITHM-IDENTIFIER ::= {
-PrivateKeyAlgorithms TYPE-IDENTIFIER ::= {
- ... -- For local profiles
-}
-
--- KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
-KeyEncryptionAlgorithms TYPE-IDENTIFIER ::= {
- ... -- For local profiles
-}
-
--- From InformationFramework
-PKAttribute{ATTRIBUTE:SupportedAttributes} ::= SEQUENCE {
- type ATTRIBUTE.&id({SupportedAttributes}),
- values
- SET SIZE (0..MAX) OF ATTRIBUTE.&Type({SupportedAttributes}{@type}),
- valuesWithContext
- SET SIZE (1..MAX) OF
- SEQUENCE {value ATTRIBUTE.&Type({SupportedAttributes}{@type}),
- contextList SET SIZE (1..MAX) OF Context} OPTIONAL
-}
-
-Context ::= SEQUENCE {
- contextType CONTEXT.&id({SupportedContexts}),
- contextValues
- SET SIZE (1..MAX) OF CONTEXT.&Type({SupportedContexts}{@contextType}),
- fallback BOOLEAN DEFAULT FALSE
-}
--- Definition of the following information object set is deferred, perhaps to standardized
--- profiles or to protocol implementation conformance statements. The set is required to
--- specify a table constraint on the context specifications
-SupportedContexts CONTEXT ::=
- {...}
-
-
-CONTEXT ::= CLASS {
- &Type ,
- &DefaultValue OPTIONAL,
- &Assertion OPTIONAL,
- &absentMatch BOOLEAN DEFAULT TRUE,
- &id OBJECT IDENTIFIER UNIQUE
-}
-
--- ATTRIBUTE information object class specification
-ATTRIBUTE ::= CLASS {
- &derivation ATTRIBUTE OPTIONAL,
- &Type OPTIONAL, -- either &Type or &derivation required
- &equality-match MATCHING-RULE OPTIONAL,
- &ordering-match MATCHING-RULE OPTIONAL,
- &substrings-match MATCHING-RULE OPTIONAL,
- &single-valued BOOLEAN DEFAULT FALSE,
- &collective BOOLEAN DEFAULT FALSE,
- &dummy BOOLEAN DEFAULT FALSE,
- -- operational extensions
- &no-user-modification BOOLEAN DEFAULT FALSE,
- &usage AttributeUsage DEFAULT userApplications,
- &id OBJECT IDENTIFIER UNIQUE
-}
-
--- MATCHING-RULE information object class specification
-MATCHING-RULE ::= CLASS {
- &ParentMatchingRules MATCHING-RULE OPTIONAL,
- &AssertionType OPTIONAL,
- &uniqueMatchIndicator ATTRIBUTE OPTIONAL,
- &id OBJECT IDENTIFIER UNIQUE
-}
-
-AttributeUsage ::= ENUMERATED {
- userApplications(0), directoryOperation(1), distributedOperation(2),
- dSAOperation(3)}
-
-END
-
-
diff --git a/lib/public_key/asn1/PKCS-FRAME.set.asn b/lib/public_key/asn1/PKCS-FRAME.set.asn
index 69b6727bef..b1ab607453 100644
--- a/lib/public_key/asn1/PKCS-FRAME.set.asn
+++ b/lib/public_key/asn1/PKCS-FRAME.set.asn
@@ -1,2 +1,22 @@
-PKCS-8.asn1
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: Apache-2.0
+%%
+%% Copyright Ericsson AB 2008-2025. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%% http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+
+AsymmetricKeyPackageModuleV1.asn1
PKCS5v2-0.asn1
diff --git a/lib/public_key/asn1/PKCS5v2-0.asn1 b/lib/public_key/asn1/PKCS5v2-0.asn1
index fe7e16c7fa..8b4a546fe8 100644
--- a/lib/public_key/asn1/PKCS5v2-0.asn1
+++ b/lib/public_key/asn1/PKCS5v2-0.asn1
@@ -1,3 +1,29 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: LicenseRef-RSA-PKCS5v2-0
+--
+-- Copyright (C) The Internet Society (2000). All Rights Reserved.
+--
+-- Intellectual Property Considerations
+--
+-- RSA Security makes no patent claims on the general constructions
+-- described in this document, although specific underlying techniques
+-- may be covered. Among the underlying techniques, the RC5 encryption
+-- algorithm (Appendix B.2.4) is protected by U.S. Patents 5,724,428
+-- [22] and 5,835,600 [23].
+--
+-- RC2 and RC5 are trademarks of RSA Security.
+--
+-- License to copy this document is granted provided that it is
+-- identified as RSA Security Inc. Public-Key Cryptography Standards
+-- (PKCS) in all material mentioning or referencing this document.
+--
+-- RSA Security makes no representations regarding intellectual property
+-- claims by other parties. Such determination is the responsibility of
+-- the user.
+--
+-- %CopyrightEnd%
+
-- PKCS #5 v2.0 ASN.1 Module
-- Revised March 25, 1999
diff --git a/lib/public_key/asn1/PKIX-CommonTypes-2009.asn1 b/lib/public_key/asn1/PKIX-CommonTypes-2009.asn1
new file mode 100644
index 0000000000..afc2a0b83c
--- /dev/null
+++ b/lib/public_key/asn1/PKIX-CommonTypes-2009.asn1
@@ -0,0 +1,200 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ PKIX-CommonTypes-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
+
+ DEFINITIONS EXPLICIT TAGS ::=
+ BEGIN
+
+ -- ATTRIBUTE
+ --
+ -- Describe the set of data associated with an attribute of some type
+ --
+ -- &id is an OID identifying the attribute
+ -- &Type is the ASN.1 type structure for the attribute; not all
+ -- attributes have a data structure, so this field is optional
+ -- &minCount contains the minimum number of times the attribute can
+ -- occur in an AttributeSet
+ -- &maxCount contains the maximum number of times the attribute can
+ -- appear in an AttributeSet
+ -- Note: this cannot be automatically enforced as the field
+ -- cannot be defaulted to MAX.
+ -- &equality-match contains information about how matching should be
+ -- done
+ --
+ -- Currently we are using two different prefixes for attributes.
+ --
+ -- at- for certificate attributes
+ -- aa- for CMS attributes
+ --
+
+ ATTRIBUTE ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Type OPTIONAL,
+ &equality-match MATCHING-RULE OPTIONAL,
+ &minCount INTEGER DEFAULT 1,
+ &maxCount INTEGER OPTIONAL
+ } WITH SYNTAX {
+ [TYPE &Type]
+ [EQUALITY MATCHING RULE &equality-match]
+ [COUNTS [MIN &minCount] [MAX &maxCount]]
+ IDENTIFIED BY &id
+ }
+
+ -- Specification of MATCHING-RULE information object class
+ --
+
+ MATCHING-RULE ::= CLASS {
+ &ParentMatchingRules MATCHING-RULE OPTIONAL,
+ &AssertionType OPTIONAL,
+ &uniqueMatchIndicator ATTRIBUTE OPTIONAL,
+ &id OBJECT IDENTIFIER UNIQUE
+ }
+ WITH SYNTAX {
+ [PARENT &ParentMatchingRules]
+ [SYNTAX &AssertionType]
+ [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator]
+ ID &id
+ }
+
+ -- AttributeSet
+ --
+ -- Used when a set of attributes is to occur.
+ --
+ -- type contains the identifier of the attribute
+ -- values contains a set of values where the structure of the ASN.1
+ -- is defined by the attribute
+ --
+ -- The parameter contains the set of objects describing
+ -- those attributes that can occur in this location.
+ --
+
+ AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE {
+ type ATTRIBUTE.&id({AttrSet}),
+ values SET SIZE (1..MAX) OF ATTRIBUTE.
+ &Type({AttrSet}{@type})
+ }
+
+ -- SingleAttribute
+ --
+ -- Used for a single valued attribute
+ --
+ -- The parameter contains the set of objects describing the
+ -- attributes that can occur in this location
+ --
+
+ SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE {
+ type ATTRIBUTE.&id({AttrSet}),
+ value ATTRIBUTE.&Type({AttrSet}{@type})
+ }
+
+ -- EXTENSION
+ --
+ -- This class definition is used to describe the association of
+ -- object identifier and ASN.1 type structure for extensions
+ --
+ -- All extensions are prefixed with ext-
+ --
+ -- &id contains the object identifier for the extension
+ -- &ExtnType specifies the ASN.1 type structure for the extension
+ -- &Critical contains the set of legal values for the critical field.
+ -- This is normally {TRUE|FALSE} but in some instances may be
+ -- restricted to just one of these values.
+ --
+
+ EXTENSION ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &ExtnType,
+ &Critical BOOLEAN DEFAULT {TRUE | FALSE }
+ } WITH SYNTAX {
+ SYNTAX &ExtnType IDENTIFIED BY &id
+ [CRITICALITY &Critical]
+ }
+
+ -- Extensions
+ --
+ -- Used for a sequence of extensions.
+ --
+ -- The parameter contains the set of legal extensions that can
+ -- occur in this sequence.
+ --
+
+ Extensions{EXTENSION:ExtensionSet} ::=
+ SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}}
+
+ -- Extension
+ --
+ -- Used for a single extension
+ --
+ -- The parameter contains the set of legal extensions that can
+ -- occur in this extension.
+ --
+ -- The restriction on the critical field has been commented out
+ -- the authors are not completely sure it is correct.
+ -- The restriction could be done using custom code rather than
+ -- compiler-generated code, however.
+ --
+
+ Extension{EXTENSION:ExtensionSet} ::= SEQUENCE {
+ extnID EXTENSION.&id({ExtensionSet}),
+ critical BOOLEAN
+ -- (EXTENSION.&Critical({ExtensionSet}{@extnID}))
+ DEFAULT FALSE,
+ extnValue OCTET STRING (CONTAINING
+ EXTENSION.&ExtnType({ExtensionSet}{@extnID}))
+ -- contains the DER encoding of the ASN.1 value
+ -- corresponding to the extension type identified
+ -- by extnID
+ }
+
+ -- Security Category
+ --
+ -- Security categories are used both for specifying clearances and
+ -- for labeling objects. We move this here from RFC 3281 so that
+ -- they will use a common single object class to express this
+ -- information.
+ --
+
+ SECURITY-CATEGORY ::= TYPE-IDENTIFIER
+
+ SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
+ type [0] IMPLICIT SECURITY-CATEGORY.
+ &id({Supported}),
+ value [1] EXPLICIT SECURITY-CATEGORY.
+ &Type({Supported}{@type})
+ }
+
+ END
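Review bot: In the `Extension` definition near the end of this new module, the table constraint on `critical` is commented out (`-- (EXTENSION.&Critical({ExtensionSet}{@extnID}))`), so the field is a plain `BOOLEAN DEFAULT FALSE` and generated code will accept either value for any extension. The module's own comments likewise say that `&maxCount` in the `ATTRIBUTE` class cannot be enforced automatically. Because these fields are normally decoded from certificates supplied by a peer, the per-extension criticality rules and the rejection of unrecognised critical extensions presumably have to be implemented in the hand-written validation code, which is not visible in this hunk. I would state that next to the definition, for example `-- OTP note: criticality and attribute counts are not constrained by the generated code; callers must check them`. If the file is meant to stay a verbatim copy of the IETF module, the same note belongs on the Erlang side that consumes the decoded `Extension` values.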
diff --git a/lib/public_key/asn1/PKIX-X400Address-2009.asn1 b/lib/public_key/asn1/PKIX-X400Address-2009.asn1
new file mode 100644
index 0000000000..028d2d3d82
--- /dev/null
+++ b/lib/public_key/asn1/PKIX-X400Address-2009.asn1
@@ -0,0 +1,334 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ --
+ -- This module is used to isolate all the X.400 naming information.
+ -- There is no reason to expect this to occur in a PKIX certificate.
+ --
+
+ PKIX-X400Address-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60) }
+ DEFINITIONS EXPLICIT TAGS ::=
+ BEGIN
+
+ -- X.400 address syntax starts here
+
+ ORAddress ::= SEQUENCE {
+ built-in-standard-attributes BuiltInStandardAttributes,
+ built-in-domain-defined-attributes
+ BuiltInDomainDefinedAttributes OPTIONAL,
+
+ -- see also teletex-domain-defined-attributes
+ extension-attributes ExtensionAttributes OPTIONAL }
+
+ -- Built-in Standard Attributes
+
+ BuiltInStandardAttributes ::= SEQUENCE {
+ country-name CountryName OPTIONAL,
+ administration-domain-name AdministrationDomainName OPTIONAL,
+ network-address [0] IMPLICIT NetworkAddress OPTIONAL,
+ -- see also extended-network-address
+ terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL,
+ private-domain-name [2] PrivateDomainName OPTIONAL,
+ organization-name [3] IMPLICIT OrganizationName OPTIONAL,
+ -- see also teletex-organization-name
+ numeric-user-identifier [4] IMPLICIT NumericUserIdentifier
+ OPTIONAL,
+ personal-name [5] IMPLICIT PersonalName OPTIONAL,
+ -- see also teletex-personal-name
+ organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
+ OPTIONAL }
+ -- see also teletex-organizational-unit-names
+
+ CountryName ::= [APPLICATION 1] CHOICE {
+ x121-dcc-code NumericString
+ (SIZE (ub-country-name-numeric-length)),
+ iso-3166-alpha2-code PrintableString
+ (SIZE (ub-country-name-alpha-length)) }
+
+ AdministrationDomainName ::= [APPLICATION 2] CHOICE {
+ numeric NumericString (SIZE (0..ub-domain-name-length)),
+ printable PrintableString (SIZE (0..ub-domain-name-length)) }
+
+ NetworkAddress ::= X121Address -- see also extended-network-address
+
+ X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
+
+ TerminalIdentifier ::= PrintableString (SIZE
+ (1..ub-terminal-id-length))
+
+ PrivateDomainName ::= CHOICE {
+ numeric NumericString (SIZE (1..ub-domain-name-length)),
+ printable PrintableString (SIZE (1..ub-domain-name-length)) }
+
+ OrganizationName ::= PrintableString
+ (SIZE (1..ub-organization-name-length))
+ -- see also teletex-organization-name
+
+ NumericUserIdentifier ::= NumericString
+ (SIZE (1..ub-numeric-user-id-length))
+
+ PersonalName ::= SET {
+ surname [0] IMPLICIT PrintableString
+ (SIZE (1..ub-surname-length)),
+ given-name [1] IMPLICIT PrintableString
+ (SIZE (1..ub-given-name-length)) OPTIONAL,
+ initials [2] IMPLICIT PrintableString
+ (SIZE (1..ub-initials-length)) OPTIONAL,
+ generation-qualifier [3] IMPLICIT PrintableString
+ (SIZE (1..ub-generation-qualifier-length))
+ OPTIONAL }
+ -- see also teletex-personal-name
+
+ OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
+ OF OrganizationalUnitName
+ -- see also teletex-organizational-unit-names
+
+ OrganizationalUnitName ::= PrintableString (SIZE
+ (1..ub-organizational-unit-name-length))
+
+ -- Built-in Domain-defined Attributes
+
+ BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
+ (1..ub-domain-defined-attributes) OF
+ BuiltInDomainDefinedAttribute
+
+ BuiltInDomainDefinedAttribute ::= SEQUENCE {
+ type PrintableString (SIZE
+ (1..ub-domain-defined-attribute-type-length)),
+ value PrintableString (SIZE
+ (1..ub-domain-defined-attribute-value-length)) }
+
+ -- Extension Attributes
+
+ ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
+ ExtensionAttribute
+
+ EXTENSION-ATTRIBUTE ::= CLASS {
+ &id INTEGER (0..ub-extension-attributes) UNIQUE,
+ &Type
+ } WITH SYNTAX { &Type IDENTIFIED BY &id }
+
+ ExtensionAttribute ::= SEQUENCE {
+ extension-attribute-type [0] IMPLICIT EXTENSION-ATTRIBUTE.
+ &id({SupportedExtensionAttributes}),
+ extension-attribute-value [1] EXTENSION-ATTRIBUTE.
+ &Type({SupportedExtensionAttributes}
+ {@extension-attribute-type})}
+
+ SupportedExtensionAttributes EXTENSION-ATTRIBUTE ::= {
+ ea-commonName | ea-teletexCommonName | ea-teletexOrganizationName
+ | ea-teletexPersonalName | ea-teletexOrganizationalUnitNames |
+ ea-pDSName | ea-physicalDeliveryCountryName | ea-postalCode |
+ ea-physicalDeliveryOfficeName | ea-physicalDeliveryOfficeNumber |
+ ea-extensionORAddressComponents | ea-physicalDeliveryPersonalName
+ | ea-physicalDeliveryOrganizationName |
+ ea-extensionPhysicalDeliveryAddressComponents |
+ ea-unformattedPostalAddress | ea-streetAddress |
+ ea-postOfficeBoxAddress | ea-posteRestanteAddress |
+ ea-uniquePostalName | ea-localPostalAttributes |
+ ea-extendedNetworkAddress | ea-terminalType |
+ ea-teletexDomainDefinedAttributes, ... }
+
+ -- Extension types and attribute values
+
+ ea-commonName EXTENSION-ATTRIBUTE ::= { PrintableString
+ (SIZE (1..ub-common-name-length)) IDENTIFIED BY 1 }
+
+ ea-teletexCommonName EXTENSION-ATTRIBUTE ::= {TeletexString
+ (SIZE (1..ub-common-name-length)) IDENTIFIED BY 2 }
+
+ ea-teletexOrganizationName EXTENSION-ATTRIBUTE::= { TeletexString
+ (SIZE (1..ub-organization-name-length)) IDENTIFIED BY 3 }
+
+ ea-teletexPersonalName EXTENSION-ATTRIBUTE ::= {SET {
+ surname [0] IMPLICIT TeletexString
+ (SIZE (1..ub-surname-length)),
+ given-name [1] IMPLICIT TeletexString
+ (SIZE (1..ub-given-name-length)) OPTIONAL,
+ initials [2] IMPLICIT TeletexString
+ (SIZE (1..ub-initials-length)) OPTIONAL,
+ generation-qualifier [3] IMPLICIT TeletexString
+ (SIZE (1..ub-generation-qualifier-length))
+ OPTIONAL } IDENTIFIED BY 4 }
+
+ ea-teletexOrganizationalUnitNames EXTENSION-ATTRIBUTE ::=
+ { SEQUENCE SIZE (1..ub-organizational-units) OF
+ TeletexOrganizationalUnitName IDENTIFIED BY 5 }
+
+ TeletexOrganizationalUnitName ::= TeletexString
+ (SIZE (1..ub-organizational-unit-name-length))
+
+ ea-pDSName EXTENSION-ATTRIBUTE ::= {PrintableString
+ (SIZE (1..ub-pds-name-length)) IDENTIFIED BY 7 }
+
+ ea-physicalDeliveryCountryName EXTENSION-ATTRIBUTE ::= { CHOICE {
+ x121-dcc-code NumericString (SIZE
+ (ub-country-name-numeric-length)),
+ iso-3166-alpha2-code PrintableString
+ (SIZE (ub-country-name-alpha-length)) }
+ IDENTIFIED BY 8 }
+
+ ea-postalCode EXTENSION-ATTRIBUTE ::= { CHOICE {
+ numeric-code NumericString (SIZE (1..ub-postal-code-length)),
+ printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
+ IDENTIFIED BY 9 }
+
+ ea-physicalDeliveryOfficeName EXTENSION-ATTRIBUTE ::=
+ { PDSParameter IDENTIFIED BY 10 }
+
+ ea-physicalDeliveryOfficeNumber EXTENSION-ATTRIBUTE ::=
+ {PDSParameter IDENTIFIED BY 11 }
+
+ ea-extensionORAddressComponents EXTENSION-ATTRIBUTE ::=
+ {PDSParameter IDENTIFIED BY 12 }
+
+ ea-physicalDeliveryPersonalName EXTENSION-ATTRIBUTE ::=
+ {PDSParameter IDENTIFIED BY 13}
+
+ ea-physicalDeliveryOrganizationName EXTENSION-ATTRIBUTE ::=
+ {PDSParameter IDENTIFIED BY 14 }
+
+ ea-extensionPhysicalDeliveryAddressComponents EXTENSION-ATTRIBUTE ::=
+ {PDSParameter IDENTIFIED BY 15 }
+
+ ea-unformattedPostalAddress EXTENSION-ATTRIBUTE ::= { SET {
+ printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
+ OF PrintableString (SIZE (1..ub-pds-parameter-length))
+ OPTIONAL,
+ teletex-string TeletexString
+ (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
+ IDENTIFIED BY 16 }
+
+ ea-streetAddress EXTENSION-ATTRIBUTE ::=
+ {PDSParameter IDENTIFIED BY 17 }
+
+ ea-postOfficeBoxAddress EXTENSION-ATTRIBUTE ::=
+ {PDSParameter IDENTIFIED BY 18 }
+
+ ea-posteRestanteAddress EXTENSION-ATTRIBUTE ::=
+ {PDSParameter IDENTIFIED BY 19 }
+
+ ea-uniquePostalName EXTENSION-ATTRIBUTE ::=
+ { PDSParameter IDENTIFIED BY 20 }
+
+ ea-localPostalAttributes EXTENSION-ATTRIBUTE ::=
+ {PDSParameter IDENTIFIED BY 21 }
+ PDSParameter ::= SET {
+ printable-string PrintableString
+ (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
+ teletex-string TeletexString
+ (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
+
+ ea-extendedNetworkAddress EXTENSION-ATTRIBUTE ::= {
+ CHOICE {
+ e163-4-address SEQUENCE {
+ number [0] IMPLICIT NumericString
+ (SIZE (1..ub-e163-4-number-length)),
+ sub-address [1] IMPLICIT NumericString
+ (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL
+ },
+ psap-address [0] IMPLICIT PresentationAddress
+ } IDENTIFIED BY 22
+ }
+
+ PresentationAddress ::= SEQUENCE {
+ pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
+ sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
+ tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
+ nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
+
+ ea-terminalType EXTENSION-ATTRIBUTE ::= {INTEGER {
+ telex (3),
+ teletex (4),
+ g3-facsimile (5),
+ g4-facsimile (6),
+ ia5-terminal (7),
+ videotex (8) } (0..ub-integer-options)
+ IDENTIFIED BY 23 }
+
+ -- Extension Domain-defined Attributes
+
+ ea-teletexDomainDefinedAttributes EXTENSION-ATTRIBUTE ::=
+ { SEQUENCE SIZE (1..ub-domain-defined-attributes) OF
+ TeletexDomainDefinedAttribute IDENTIFIED BY 6 }
+
+ TeletexDomainDefinedAttribute ::= SEQUENCE {
+ type TeletexString
+ (SIZE (1..ub-domain-defined-attribute-type-length)),
+ value TeletexString
+ (SIZE (1..ub-domain-defined-attribute-value-length)) }
+
+ -- specifications of Upper Bounds MUST be regarded as mandatory
+ -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
+ -- Upper Bounds
+ -- Upper Bounds
+ ub-match INTEGER ::= 128
+ ub-common-name-length INTEGER ::= 64
+ ub-country-name-alpha-length INTEGER ::= 2
+ ub-country-name-numeric-length INTEGER ::= 3
+ ub-domain-defined-attributes INTEGER ::= 4
+ ub-domain-defined-attribute-type-length INTEGER ::= 8
+ ub-domain-defined-attribute-value-length INTEGER ::= 128
+ ub-domain-name-length INTEGER ::= 16
+ ub-extension-attributes INTEGER ::= 256
+ ub-e163-4-number-length INTEGER ::= 15
+ ub-e163-4-sub-address-length INTEGER ::= 40
+ ub-generation-qualifier-length INTEGER ::= 3
+ ub-given-name-length INTEGER ::= 16
+ ub-initials-length INTEGER ::= 5
+ ub-integer-options INTEGER ::= 256
+ ub-numeric-user-id-length INTEGER ::= 32
+ ub-organization-name-length INTEGER ::= 64
+ ub-organizational-unit-name-length INTEGER ::= 32
+ ub-organizational-units INTEGER ::= 4
+ ub-pds-name-length INTEGER ::= 16
+ ub-pds-parameter-length INTEGER ::= 30
+ ub-pds-physical-address-lines INTEGER ::= 6
+ ub-postal-code-length INTEGER ::= 16
+ ub-surname-length INTEGER ::= 40
+ ub-terminal-id-length INTEGER ::= 24
+ ub-unformatted-address-length INTEGER ::= 180
+ ub-x121-address-length INTEGER ::= 16
+
+ -- Note - upper bounds on string types, such as TeletexString, are
+ -- measured in characters. Excepting PrintableString or IA5String, a
+ -- significantly greater number of octets will be required to hold
+ -- such a value. As a minimum, 16 octets or twice the specified
+ -- upper bound, whichever is the larger, should be allowed for
+ -- TeletexString. For UTF8String or UniversalString, at least four
+ -- times the upper bound should be allowed.
+
+ END
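Review bot: `SupportedExtensionAttributes` ends in `, ...`, so an `ExtensionAttribute` whose `extension-attribute-type` is not one of the listed ids is presumably still accepted, with `extension-attribute-value` left as an undecoded open type. `PresentationAddress` also puts no size limit on its three selectors and declares `nAddresses` as `SET SIZE (1..MAX)`. The header comment says this syntax is not expected in a PKIX certificate, but certificate contents are chosen by whoever supplies the input, so code that consumes an `ORAddress` should not assume these fields are typed or small. I would add a comment above `ExtensionAttribute` such as `-- Values with an id outside SupportedExtensionAttributes are not type-checked by the decoder; treat them as opaque.` A decode test with an unlisted id would also help, if the commit does not already have one elsewhere.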
diff --git a/lib/public_key/asn1/PKIX1-PSS-OAEP-Algorithms-2009.asn1 b/lib/public_key/asn1/PKIX1-PSS-OAEP-Algorithms-2009.asn1
new file mode 100644
index 0000000000..7783d0eb3b
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1-PSS-OAEP-Algorithms-2009.asn1
@@ -0,0 +1,342 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ PKIX1-PSS-OAEP-Algorithms-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)}
+ DEFINITIONS EXPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-TRANSPORT,
+ SIGNATURE-ALGORITHM, PUBLIC-KEY, SMIME-CAPS
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+ id-sha1, mda-sha1, pk-rsa, RSAPublicKey
+ FROM PKIXAlgs-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-algorithms2008-02(56)};
+
+ -- ============================
+ -- Object Set exports
+ -- ============================
+ --
+ -- Define top-level symbols with all of the objects defined for
+ -- export to other modules. These objects would be included as part
+ -- of an Object Set to restrict the set of legal values.
+ --
+
+ PublicKeys PUBLIC-KEY ::= { pk-rsaSSA-PSS | pk-rsaES-OAEP, ... }
+ SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-rsaSSA-PSS, ...}
+ KeyTransportAlgs KEY-TRANSPORT ::= { kta-rsaES-OAEP, ... }
+ HashAlgs DIGEST-ALGORITHM ::= { mda-sha224 | mda-sha256 | mda-sha384
+ | mda-sha512, ... }
+ SMimeCaps SMIME-CAPS ::= {
+ sa-rsaSSA-PSS.&smimeCaps |
+ kta-rsaES-OAEP.&smimeCaps,
+ ...
+ }
+
+ -- =============================
+ -- Algorithm Objects
+ -- =============================
+
+ --
+ -- Public key object for PSS signatures
+ --
+
+ pk-rsaSSA-PSS PUBLIC-KEY ::= {
+ IDENTIFIER id-RSASSA-PSS
+ KEY RSAPublicKey
+ PARAMS TYPE RSASSA-PSS-params ARE optional
+ -- Private key format not in this module --
+ CERT-KEY-USAGE { nonRepudiation, digitalSignature,
+ keyCertSign, cRLSign }
+ }
+
+ --
+ -- Signature algorithm definition for PSS signatures
+ --
+
+ sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER id-RSASSA-PSS
+ PARAMS TYPE RSASSA-PSS-params ARE required
+ HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384
+ | mda-sha512 }
+ PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS }
+ SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS }
+ }
+
+ --
+ -- Signature algorithm definitions for PKCS v1.5 signatures
+ --
+
+ sa-sha224WithRSAEncryption SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER sha224WithRSAEncryption
+ PARAMS TYPE NULL ARE required
+ HASHES { mda-sha224 }
+ PUBLIC-KEYS { pk-rsa }
+ SMIME-CAPS { IDENTIFIED BY sha224WithRSAEncryption }
+ }
+ sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 }
+
+ sa-sha256WithRSAEncryption SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER sha256WithRSAEncryption
+ PARAMS TYPE NULL ARE required
+ HASHES { mda-sha256 }
+ PUBLIC-KEYS { pk-rsa }
+ SMIME-CAPS { IDENTIFIED BY sha256WithRSAEncryption }
+ }
+ sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
+
+ sa-sha384WithRSAEncryption SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER sha384WithRSAEncryption
+ PARAMS TYPE NULL ARE required
+ HASHES { mda-sha384 }
+ PUBLIC-KEYS { pk-rsa }
+ SMIME-CAPS { IDENTIFIED BY sha384WithRSAEncryption }
+ }
+ sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
+
+ sa-sha512WithRSAEncryption SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER sha512WithRSAEncryption
+ PARAMS TYPE NULL ARE required
+ HASHES { mda-sha512 }
+ PUBLIC-KEYS { pk-rsa }
+ SMIME-CAPS { IDENTIFIED BY sha512WithRSAEncryption }
+ }
+ sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
+
+ --
+ -- Public key definition for OAEP encryption
+ --
+
+ pk-rsaES-OAEP PUBLIC-KEY ::= {
+ IDENTIFIER id-RSAES-OAEP
+ KEY RSAPublicKey
+ PARAMS TYPE RSAES-OAEP-params ARE optional
+ -- Private key format not in this module --
+ CERT-KEY-USAGE {keyEncipherment, dataEncipherment}
+ }
+
+ --
+ -- Key transport key lock definition for OAEP encryption
+ --
+
+ kta-rsaES-OAEP KEY-TRANSPORT ::= {
+ IDENTIFIER id-RSAES-OAEP
+ PARAMS TYPE RSAES-OAEP-params ARE required
+ PUBLIC-KEYS { pk-rsa | pk-rsaES-OAEP }
+ SMIME-CAPS { TYPE RSAES-OAEP-params IDENTIFIED BY id-RSAES-OAEP}
+ }
+ -- ============================
+ -- Basic object identifiers
+ -- ============================
+
+ pkcs-1 OBJECT IDENTIFIER ::=
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
+
+ -- When rsaEncryption is used in an AlgorithmIdentifier, the
+ -- parameters MUST be present and MUST be NULL.
+ -- rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
+
+ -- When id-RSAES-OAEP is used in an AlgorithmIdentifier,
+ -- and the parameters field is present, it MUST be
+ -- RSAES-OAEP-params.
+
+ id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 }
+
+ -- When id-mgf1 is used in an AlgorithmIdentifier, the parameters
+ -- MUST be present and MUST be a HashAlgorithm.
+
+ id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 }
+
+ -- When id-pSpecified is used in an AlgorithmIdentifier, the
+ -- parameters MUST be an OCTET STRING.
+
+ id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 }
+
+ -- When id-RSASSA-PSS is used in an AlgorithmIdentifier, and the
+ -- parameters field is present, it MUST be RSASSA-PSS-params.
+
+ id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }
+
+ -- When the following OIDs are used in an AlgorithmIdentifier, the
+ -- parameters SHOULD be absent, but if the parameters are present,
+ -- they MUST be NULL.
+
+ --
+ -- id-sha1 is imported from RFC 3279. Additionally, the v1.5
+ -- signature algorithms (i.e., rsaWithSHA256) are now solely placed
+ -- in that module.
+ --
+
+ id-sha224 OBJECT IDENTIFIER ::=
+ { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
+ csor(3) nistAlgorithms(4) hashalgs(2) 4 }
+
+ mda-sha224 DIGEST-ALGORITHM ::= {
+ IDENTIFIER id-sha224
+ PARAMS TYPE NULL ARE preferredAbsent
+ }
+
+ id-sha256 OBJECT IDENTIFIER ::=
+ { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
+ csor(3) nistAlgorithms(4) hashalgs(2) 1 }
+
+ mda-sha256 DIGEST-ALGORITHM ::= {
+ IDENTIFIER id-sha256
+ PARAMS TYPE NULL ARE preferredAbsent
+ }
+ id-sha384 OBJECT IDENTIFIER ::=
+ { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
+ csor(3) nistAlgorithms(4) hashalgs(2) 2 }
+
+ mda-sha384 DIGEST-ALGORITHM ::= {
+ IDENTIFIER id-sha384
+ PARAMS TYPE NULL ARE preferredAbsent
+ }
+ id-sha512 OBJECT IDENTIFIER ::=
+ { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
+ csor(3) nistAlgorithms(4) hashalgs(2) 3 }
+
+ mda-sha512 DIGEST-ALGORITHM ::= {
+ IDENTIFIER id-sha512
+ PARAMS TYPE NULL ARE preferredAbsent
+ }
+
+ -- =============
+ -- Constants
+ -- =============
+
+ EncodingParameters ::= OCTET STRING(SIZE(0..MAX))
+
+ nullOctetString EncodingParameters ::= ''H
+
+ nullParameters NULL ::= NULL
+
+ -- =========================
+ -- Algorithm Identifiers
+ -- =========================
+
+ HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
+ {HashAlgorithms}}
+
+ HashAlgorithms DIGEST-ALGORITHM ::= {
+ { IDENTIFIER id-sha1 PARAMS TYPE NULL ARE preferredPresent } |
+ { IDENTIFIER id-sha224 PARAMS TYPE NULL ARE preferredPresent } |
+ { IDENTIFIER id-sha256 PARAMS TYPE NULL ARE preferredPresent } |
+ { IDENTIFIER id-sha384 PARAMS TYPE NULL ARE preferredPresent } |
+ { IDENTIFIER id-sha512 PARAMS TYPE NULL ARE preferredPresent }
+ }
+
+ sha1Identifier HashAlgorithm ::= {
+ algorithm id-sha1,
+ parameters NULL : NULL
+ }
+
+ --
+ -- We have a default algorithm - create the value here
+ --
+
+ MaskGenAlgorithm ::= AlgorithmIdentifier{ALGORITHM,
+ {PKCS1MGFAlgorithms}}
+
+ mgf1SHA1 MaskGenAlgorithm ::= {
+ algorithm id-mgf1,
+ parameters HashAlgorithm : sha1Identifier
+ }
+
+ --
+ -- Define the set of mask generation functions
+ --
+ -- If the identifier is id-mgf1, any of the listed hash
+ -- algorithms may be used.
+ --
+
+ PKCS1MGFAlgorithms ALGORITHM ::= {
+ { IDENTIFIER id-mgf1 PARAMS TYPE HashAlgorithm ARE required },
+ ...
+ }
+
+ --
+ -- Define the set of known source algorithms for PSS
+ --
+
+ PSourceAlgorithm ::= AlgorithmIdentifier{ALGORITHM,
+ {PSS-SourceAlgorithms}}
+
+ PSS-SourceAlgorithms ALGORITHM ::= {
+ { IDENTIFIER id-pSpecified PARAMS TYPE EncodingParameters
+ ARE required },
+ ...
+ }
+ pSpecifiedEmpty PSourceAlgorithm ::= {
+ algorithm id-pSpecified,
+ parameters EncodingParameters : nullOctetString
+ }
+
+ -- ===================
+ -- Main structures
+ -- ===================
+
+ -- AlgorithmIdentifier parameters for id-RSASSA-PSS.
+ -- Note that the tags in this Sequence are explicit.
+ -- Note: The hash algorithm in hashAlgorithm and in
+ -- maskGenAlgorithm should be the same.
+
+ RSASSA-PSS-params ::= SEQUENCE {
+ hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
+ maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
+ saltLength [2] INTEGER DEFAULT 20,
+ trailerField [3] INTEGER DEFAULT 1
+ }
+
+ -- AlgorithmIdentifier parameters for id-RSAES-OAEP.
+ -- Note that the tags in this Sequence are explicit.
+ -- Note: The hash algorithm in hashFunc and in
+ -- maskGenFunc should be the same.
+
+ RSAES-OAEP-params ::= SEQUENCE {
+ hashFunc [0] HashAlgorithm DEFAULT sha1Identifier,
+ maskGenFunc [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
+ pSourceFunc [2] PSourceAlgorithm DEFAULT
+ pSpecifiedEmpty
+ }
+
+ END
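Review bot: In `RSASSA-PSS-params`, `saltLength` and `trailerField` are plain `INTEGER` with no range, so the generated decoder will accept a negative salt length or a trailer field other than 1. The rule that `hashAlgorithm` and the hash inside `maskGenAlgorithm` match exists only as a comment, and the same holds for `hashFunc`/`maskGenFunc` in `RSAES-OAEP-params`. Both structures also default to SHA-1 when the fields are absent, which callers may not expect. Whether the Erlang code that consumes these records checks any of this is not visible in this hunk. I would add a comment above `RSASSA-PSS-params` such as `-- Not enforced by the decoder: saltLength >= 0, trailerField = 1, and hash/MGF hash agreement must be checked by the caller.`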
diff --git a/lib/public_key/asn1/PKIX1Algorithms88.asn1 b/lib/public_key/asn1/PKIX1Algorithms88.asn1
deleted file mode 100644
index 207ab005a9..0000000000
--- a/lib/public_key/asn1/PKIX1Algorithms88.asn1
+++ /dev/null
@@ -1,294 +0,0 @@
- PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-mod-pkix1-algorithms(17) }
-
- DEFINITIONS EXPLICIT TAGS ::= BEGIN
-
- -- EXPORTS All;
-
- -- IMPORTS NONE;
-
- --
- -- One-way Hash Functions
- -- md2, md5, id-sha1 see PKCS-1
-
- --
- -- DSA Keys and Signatures
- --
-
- -- OID for DSA public key
-
- id-dsa OBJECT IDENTIFIER ::= {
- iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
-
- -- encoding for DSA public key
-
- DSAPublicKey ::= INTEGER -- public key, y
-
- Dss-Parms ::= SEQUENCE {
- p INTEGER,
- q INTEGER,
- g INTEGER }
-
- -- OID for DSA signature generated with SHA-1 hash
-
- id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
- iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
-
- id-dsaWithSHA1 OBJECT IDENTIFIER ::= {
- iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) dsaWithSHA1(27)
- }
- -- encoding for DSA signature generated with SHA-1 hash
-
- Dss-Sig-Value ::= SEQUENCE {
- r INTEGER,
- s INTEGER }
-
- --
- -- RSA Keys and Signatures, see PKCS-1
- --
-
- --
- -- Diffie-Hellman Keys
- --
-
- dhpublicnumber OBJECT IDENTIFIER ::= {
- iso(1) member-body(2) us(840) ansi-x942(10046)
- number-type(2) 1 }
-
- -- encoding for DSA public key
-
- DHPublicKey ::= INTEGER -- public key, y = g^x mod p
-
- DomainParameters ::= SEQUENCE {
- p INTEGER, -- odd prime, p=jq +1
- g INTEGER, -- generator, g
- q INTEGER, -- factor of p-1
- j INTEGER OPTIONAL, -- subgroup factor, j>= 2
- validationParms ValidationParms OPTIONAL }
-
- ValidationParms ::= SEQUENCE {
- seed BIT STRING,
- pgenCounter INTEGER }
-
- --
- -- KEA Keys
- --
-
- id-keyExchangeAlgorithm OBJECT IDENTIFIER ::=
- { 2 16 840 1 101 2 1 1 22 }
-
- KEA-Parms-Id ::= OCTET STRING
-
- --
- -- Elliptic Curve Keys, Signatures, and Curves
- --
-
- ansi-X9-62 OBJECT IDENTIFIER ::= {
- iso(1) member-body(2) us(840) 10045 }
-
- FieldID ::= SEQUENCE { -- Finite field
- fieldType OBJECT IDENTIFIER,
- parameters ANY DEFINED BY fieldType }
-
- -- Arc for ECDSA signature OIDS
-
- id-ecSigType OBJECT IDENTIFIER ::= { ansi-X9-62 signatures(4) }
-
- -- OID for ECDSA signatures with SHA-1
-
- ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { id-ecSigType 1 }
- ecdsa-with-SHA2 OBJECT IDENTIFIER ::= { id-ecSigType 3 }
- ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { ecdsa-with-SHA2 1 }
- ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { ecdsa-with-SHA2 2 }
- ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { ecdsa-with-SHA2 3 }
- ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { ecdsa-with-SHA2 4 }
-
- -- OID for an elliptic curve signature
- -- format for the value of an ECDSA signature value
-
- ECDSA-Sig-Value ::= SEQUENCE {
- r INTEGER,
- s INTEGER }
-
- -- recognized field type OIDs are defined in the following arc
-
- id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1) }
-
- -- where fieldType is prime-field, the parameters are of type Prime-p
-
- prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
-
- Prime-p ::= INTEGER -- Finite field F(p), where p is an odd prime
-
- -- where fieldType is characteristic-two-field, the parameters are
- -- of type Characteristic-two
-
- characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2 }
-
- Characteristic-two ::= SEQUENCE {
- m INTEGER, -- Field size 2^m
- basis OBJECT IDENTIFIER,
- parameters ANY DEFINED BY basis }
-
- -- recognized basis type OIDs are defined in the following arc
-
- id-characteristic-two-basis OBJECT IDENTIFIER ::= {
- characteristic-two-field basisType(3) }
-
- -- gnbasis is identified by OID gnBasis and indicates
- -- parameters are NULL
-
- gnBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 }
-
- -- parameters for this basis are NULL
-
- -- trinomial basis is identified by OID tpBasis and indicates
- -- parameters of type Pentanomial
-
- tpBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 2 }
-
- -- Trinomial basis representation of F2^m
- -- Integer k for reduction polynomial xm + xk + 1
-
- Trinomial ::= INTEGER
-
- -- for pentanomial basis is identified by OID ppBasis and indicates
- -- parameters of type Pentanomial
-
- ppBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 3 }
-
- -- Pentanomial basis representation of F2^m
- -- reduction polynomial integers k1, k2, k3
- -- f(x) = x**m + x**k3 + x**k2 + x**k1 + 1
-
- Pentanomial ::= SEQUENCE {
- k1 INTEGER,
- k2 INTEGER,
- k3 INTEGER }
-
- -- The object identifiers gnBasis, tpBasis and ppBasis name
- -- three kinds of basis for characteristic-two finite fields
-
- FieldElement ::= OCTET STRING -- Finite field element
-
- ECPoint ::= OCTET STRING -- Elliptic curve point
-
- -- Elliptic Curve parameters may be specified explicitly,
- -- specified implicitly through a "named curve", or
- -- inherited from the CA
-
- EcpkParameters ::= CHOICE {
- ecParameters ECParameters,
- namedCurve OBJECT IDENTIFIER,
- implicitlyCA NULL }
-
- ECParameters ::= SEQUENCE { -- Elliptic curve parameters
- version ECPVer,
- fieldID FieldID,
- curve Curve,
- base ECPoint, -- Base point G
- order INTEGER, -- Order n of the base point
- cofactor INTEGER OPTIONAL } -- The integer h = #E(Fq)/n
-
- ECPVer ::= INTEGER {ecpVer1(1)}
-
- Curve ::= SEQUENCE {
- a FieldElement, -- Elliptic curve coefficient a
- b FieldElement, -- Elliptic curve coefficient b
- seed BIT STRING OPTIONAL }
-
- id-publicKeyType OBJECT IDENTIFIER ::= { ansi-X9-62 keyType(2) }
-
- id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 }
-
- -- Named Elliptic Curves in ANSI X9.62.
-
- -- ellipticCurve OBJECT IDENTIFIER ::= { ansi-X9-62 curves(3) }
-
- -- c-TwoCurve OBJECT IDENTIFIER ::= {
- -- ansi-ellipticCurve characteristicTwo(0) }
-
- -- c2pnb163v1 OBJECT IDENTIFIER ::= { c-TwoCurve 1 }
- -- c2pnb163v2 OBJECT IDENTIFIER ::= { c-TwoCurve 2 }
- -- c2pnb163v3 OBJECT IDENTIFIER ::= { c-TwoCurve 3 }
- -- c2pnb176w1 OBJECT IDENTIFIER ::= { c-TwoCurve 4 }
- -- c2tnb191v1 OBJECT IDENTIFIER ::= { c-TwoCurve 5 }
- -- c2tnb191v2 OBJECT IDENTIFIER ::= { c-TwoCurve 6 }
- -- c2tnb191v3 OBJECT IDENTIFIER ::= { c-TwoCurve 7 }
- -- c2onb191v4 OBJECT IDENTIFIER ::= { c-TwoCurve 8 }
- -- c2onb191v5 OBJECT IDENTIFIER ::= { c-TwoCurve 9 }
- -- c2pnb208w1 OBJECT IDENTIFIER ::= { c-TwoCurve 10 }
- -- c2tnb239v1 OBJECT IDENTIFIER ::= { c-TwoCurve 11 }
- -- c2tnb239v2 OBJECT IDENTIFIER ::= { c-TwoCurve 12 }
- -- c2tnb239v3 OBJECT IDENTIFIER ::= { c-TwoCurve 13 }
- -- c2onb239v4 OBJECT IDENTIFIER ::= { c-TwoCurve 14 }
- -- c2onb239v5 OBJECT IDENTIFIER ::= { c-TwoCurve 15 }
- -- c2pnb272w1 OBJECT IDENTIFIER ::= { c-TwoCurve 16 }
- -- c2pnb304w1 OBJECT IDENTIFIER ::= { c-TwoCurve 17 }
- -- c2tnb359v1 OBJECT IDENTIFIER ::= { c-TwoCurve 18 }
- -- c2pnb368w1 OBJECT IDENTIFIER ::= { c-TwoCurve 19 }
- -- c2tnb431r1 OBJECT IDENTIFIER ::= { c-TwoCurve 20 }
-
- -- primeCurve OBJECT IDENTIFIER ::= { ansi-ellipticCurve prime(1) }
-
- -- prime192v1 OBJECT IDENTIFIER ::= { primeCurve 1 }
- -- prime192v2 OBJECT IDENTIFIER ::= { primeCurve 2 }
- -- prime192v3 OBJECT IDENTIFIER ::= { primeCurve 3 }
- -- prime239v1 OBJECT IDENTIFIER ::= { primeCurve 4 }
- -- prime239v2 OBJECT IDENTIFIER ::= { primeCurve 5 }
- -- prime239v3 OBJECT IDENTIFIER ::= { primeCurve 6 }
- -- prime256v1 OBJECT IDENTIFIER ::= { primeCurve 7 }
-
- certicom-arc OBJECT IDENTIFIER ::= {
- iso(1) identified-organization(3) certicom(132)
- }
-
- ellipticCurve OBJECT IDENTIFIER ::= {
- iso(1) identified-organization(3) certicom(132) curve(0)
- }
-
- secp192r1 OBJECT IDENTIFIER ::= { ansi-X9-62 curves(3) prime(1) 1 }
- secp256r1 OBJECT IDENTIFIER ::= { ansi-X9-62 curves(3) prime(1) 7 }
-
- sect163k1 OBJECT IDENTIFIER ::= { ellipticCurve 1 }
- sect163r1 OBJECT IDENTIFIER ::= { ellipticCurve 2 }
- sect239k1 OBJECT IDENTIFIER ::= { ellipticCurve 3 }
- sect113r1 OBJECT IDENTIFIER ::= { ellipticCurve 4 }
- sect113r2 OBJECT IDENTIFIER ::= { ellipticCurve 5 }
- secp112r1 OBJECT IDENTIFIER ::= { ellipticCurve 6 }
- secp112r2 OBJECT IDENTIFIER ::= { ellipticCurve 7 }
- secp160r1 OBJECT IDENTIFIER ::= { ellipticCurve 8 }
- secp160k1 OBJECT IDENTIFIER ::= { ellipticCurve 9 }
- secp256k1 OBJECT IDENTIFIER ::= { ellipticCurve 10 }
- sect163r2 OBJECT IDENTIFIER ::= { ellipticCurve 15 }
- sect283k1 OBJECT IDENTIFIER ::= { ellipticCurve 16 }
- sect283r1 OBJECT IDENTIFIER ::= { ellipticCurve 17 }
- sect131r1 OBJECT IDENTIFIER ::= { ellipticCurve 22 }
- sect131r2 OBJECT IDENTIFIER ::= { ellipticCurve 23 }
- sect193r1 OBJECT IDENTIFIER ::= { ellipticCurve 24 }
- sect193r2 OBJECT IDENTIFIER ::= { ellipticCurve 25 }
- sect233k1 OBJECT IDENTIFIER ::= { ellipticCurve 26 }
- sect233r1 OBJECT IDENTIFIER ::= { ellipticCurve 27 }
- secp128r1 OBJECT IDENTIFIER ::= { ellipticCurve 28 }
- secp128r2 OBJECT IDENTIFIER ::= { ellipticCurve 29 }
- secp160r2 OBJECT IDENTIFIER ::= { ellipticCurve 30 }
- secp192k1 OBJECT IDENTIFIER ::= { ellipticCurve 31 }
- secp224k1 OBJECT IDENTIFIER ::= { ellipticCurve 32 }
- secp224r1 OBJECT IDENTIFIER ::= { ellipticCurve 33 }
- secp384r1 OBJECT IDENTIFIER ::= { ellipticCurve 34 }
- secp521r1 OBJECT IDENTIFIER ::= { ellipticCurve 35 }
- sect409k1 OBJECT IDENTIFIER ::= { ellipticCurve 36 }
- sect409r1 OBJECT IDENTIFIER ::= { ellipticCurve 37 }
- sect571k1 OBJECT IDENTIFIER ::= { ellipticCurve 38 }
- sect571r1 OBJECT IDENTIFIER ::= { ellipticCurve 39 }
-
-
- id-edwards-curve-algs OBJECT IDENTIFIER ::= { 1 3 101 }
-
- id-X25519 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 110 }
- id-X448 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 111 }
- id-Ed25519 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 112 }
- id-Ed448 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 113 }
-
- END
diff --git a/lib/public_key/asn1/PKIX1Explicit-2009.asn1 b/lib/public_key/asn1/PKIX1Explicit-2009.asn1
new file mode 100644
index 0000000000..88400ddfb3
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1Explicit-2009.asn1
@@ -0,0 +1,452 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ PKIX1Explicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-explicit-02(51)}
+ DEFINITIONS EXPLICIT TAGS ::=
+ BEGIN
+
+ IMPORTS
+
+ Extensions{}, EXTENSION, ATTRIBUTE, SingleAttribute{}
+ FROM PKIX-CommonTypes-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
+
+ AlgorithmIdentifier{}, PUBLIC-KEY, SIGNATURE-ALGORITHM
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+ CertExtensions, CrlExtensions, CrlEntryExtensions
+ FROM PKIX1Implicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
+ SignatureAlgs, PublicKeys
+ FROM PKIXAlgs-2009
+ {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 56}
+
+ SignatureAlgs, PublicKeys
+ FROM PKIX1-PSS-OAEP-Algorithms-2009
+ {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-rsa-pkalgs-02(54)}
+
+ ORAddress
+ FROM PKIX-X400Address-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60)};
+
+ id-pkix OBJECT IDENTIFIER ::=
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7)}
+
+ -- PKIX arcs
+
+ id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
+ -- arc for private certificate extensions
+ id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+ -- arc for policy qualifier types
+ id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+ -- arc for extended key purpose OIDs
+ id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+ -- arc for access descriptors
+
+ -- policyQualifierIds for Internet policy qualifiers
+
+ id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
+ -- OID for CPS qualifier
+ id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
+ -- OID for user notice qualifier
+
+ -- access descriptor definitions
+
+ id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
+ id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+ id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 }
+ id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }
+
+ -- attribute data types
+ AttributeType ::= ATTRIBUTE.&id
+
+ -- Replaced by SingleAttribute{}
+ --
+ -- AttributeTypeAndValue ::= SEQUENCE {
+ -- type ATTRIBUTE.&id({SupportedAttributes}),
+ -- value ATTRIBUTE.&Type({SupportedAttributes}{@type}) }
+ --
+
+ -- Suggested naming attributes: Definition of the following
+ -- information object set may be augmented to meet local
+ -- requirements. Note that deleting members of the set may
+ -- prevent interoperability with conforming implementations.
+ -- All attributes are presented in pairs: the AttributeType
+ -- followed by the type definition for the corresponding
+ -- AttributeValue.
+
+ -- Arc for standard naming attributes
+
+ id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+
+ -- Naming attributes of type X520name
+
+ id-at-name AttributeType ::= { id-at 41 }
+ at-name ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-name }
+
+ id-at-surname AttributeType ::= { id-at 4 }
+ at-surname ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-surname }
+
+ id-at-givenName AttributeType ::= { id-at 42 }
+ at-givenName ATTRIBUTE ::=
+ { TYPE X520name IDENTIFIED BY id-at-givenName }
+
+ id-at-initials AttributeType ::= { id-at 43 }
+ at-initials ATTRIBUTE ::=
+ { TYPE X520name IDENTIFIED BY id-at-initials }
+
+ id-at-generationQualifier AttributeType ::= { id-at 44 }
+ at-generationQualifier ATTRIBUTE ::=
+ { TYPE X520name IDENTIFIED BY id-at-generationQualifier }
+
+ -- Directory string type --
+
+ DirectoryString{INTEGER:maxSize} ::= CHOICE {
+ teletexString TeletexString(SIZE (1..maxSize)),
+ printableString PrintableString(SIZE (1..maxSize)),
+ bmpString BMPString(SIZE (1..maxSize)),
+ universalString UniversalString(SIZE (1..maxSize)),
+ -- Note: The tag was spelled as `uTF8String` in the
+ -- RFC for unknown reason. That breaks backward
+ -- for public_key.
+ utf8String UTF8String(SIZE (1..maxSize))
+ }
+
+ X520name ::= DirectoryString {ub-name}
+
+ -- Naming attributes of type X520CommonName
+
+ id-at-commonName AttributeType ::= { id-at 3 }
+
+ at-x520CommonName ATTRIBUTE ::=
+ {TYPE X520CommonName IDENTIFIED BY id-at-commonName }
+
+ X520CommonName ::= DirectoryString {ub-common-name}
+
+ -- Naming attributes of type X520LocalityName
+
+ id-at-localityName AttributeType ::= { id-at 7 }
+
+ at-x520LocalityName ATTRIBUTE ::=
+ { TYPE X520LocalityName IDENTIFIED BY id-at-localityName }
+ X520LocalityName ::= DirectoryString {ub-locality-name}
+
+ -- Naming attributes of type X520StateOrProvinceName
+
+ id-at-stateOrProvinceName AttributeType ::= { id-at 8 }
+
+ at-x520StateOrProvinceName ATTRIBUTE ::=
+ { TYPE DirectoryString {ub-state-name}
+ IDENTIFIED BY id-at-stateOrProvinceName }
+ X520StateOrProvinceName ::= DirectoryString {ub-state-name}
+
+ -- Naming attributes of type X520OrganizationName
+
+ id-at-organizationName AttributeType ::= { id-at 10 }
+
+ at-x520OrganizationName ATTRIBUTE ::=
+ { TYPE DirectoryString {ub-organization-name}
+ IDENTIFIED BY id-at-organizationName }
+ X520OrganizationName ::= DirectoryString {ub-organization-name}
+
+ -- Naming attributes of type X520OrganizationalUnitName
+
+ id-at-organizationalUnitName AttributeType ::= { id-at 11 }
+
+ at-x520OrganizationalUnitName ATTRIBUTE ::=
+ { TYPE DirectoryString {ub-organizational-unit-name}
+ IDENTIFIED BY id-at-organizationalUnitName }
+ X520OrganizationalUnitName ::= DirectoryString
+ {ub-organizational-unit-name}
+
+ -- Naming attributes of type X520Title
+
+ id-at-title AttributeType ::= { id-at 12 }
+
+ at-x520Title ATTRIBUTE ::= { TYPE DirectoryString { ub-title }
+ IDENTIFIED BY id-at-title }
+
+ -- Naming attributes of type X520dnQualifier
+
+ id-at-dnQualifier AttributeType ::= { id-at 46 }
+
+ at-x520dnQualifier ATTRIBUTE ::= { TYPE PrintableString
+ IDENTIFIED BY id-at-dnQualifier }
+
+ -- Naming attributes of type X520countryName (digraph from IS 3166)
+
+ id-at-countryName AttributeType ::= { id-at 6 }
+
+ at-x520countryName ATTRIBUTE ::= { TYPE PrintableString (SIZE (2))
+ IDENTIFIED BY id-at-countryName }
+
+ -- Naming attributes of type X520SerialNumber
+
+ id-at-serialNumber AttributeType ::= { id-at 5 }
+
+ at-x520SerialNumber ATTRIBUTE ::= {TYPE PrintableString
+ (SIZE (1..ub-serial-number)) IDENTIFIED BY id-at-serialNumber }
+
+ -- Naming attributes of type X520Pseudonym
+
+ id-at-pseudonym AttributeType ::= { id-at 65 }
+
+ at-x520Pseudonym ATTRIBUTE ::= { TYPE DirectoryString {ub-pseudonym}
+ IDENTIFIED BY id-at-pseudonym }
+
+ -- Naming attributes of type DomainComponent (from RFC 2247)
+
+ id-domainComponent AttributeType ::=
+ { itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100)
+ pilotAttributeType(1) 25 }
+
+ at-domainComponent ATTRIBUTE ::= {TYPE IA5String
+ IDENTIFIED BY id-domainComponent }
+
+ -- Legacy attributes
+
+ pkcs-9 OBJECT IDENTIFIER ::=
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
+ id-emailAddress AttributeType ::= { pkcs-9 1 }
+
+ at-emailAddress ATTRIBUTE ::= {TYPE IA5String
+ (SIZE (1..ub-emailaddress-length)) IDENTIFIED BY
+ id-emailAddress }
+
+ -- naming data types --
+
+ Name ::= CHOICE { -- only one possibility for now --
+ rdnSequence RDNSequence }
+
+ RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+ DistinguishedName ::= RDNSequence
+
+ RelativeDistinguishedName ::=
+ SET SIZE (1 .. MAX) OF SingleAttribute { {SupportedAttributes} }
+
+ -- These are the known name elements for a DN
+
+ SupportedAttributes ATTRIBUTE ::= {
+ at-name | at-surname | at-givenName | at-initials |
+ at-generationQualifier | at-x520CommonName |
+ at-x520LocalityName | at-x520StateOrProvinceName |
+ at-x520OrganizationName | at-x520OrganizationalUnitName |
+ at-x520Title | at-x520dnQualifier | at-x520countryName |
+ at-x520SerialNumber | at-x520Pseudonym | at-domainComponent |
+ at-emailAddress, ... }
+
+ --
+ -- Certificate- and CRL-specific structures begin here
+ --
+
+ Certificate ::= SIGNED{TBSCertificate}
+
+ TBSCertificate ::= SEQUENCE {
+ version [0] Version DEFAULT v1,
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
+ {SignatureAlgorithms}},
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ ... ,
+ [[2: -- If present, version MUST be v2
+ issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL
+ ]],
+ [[3: -- If present, version MUST be v3 --
+ extensions [3] Extensions{{CertExtensions}} OPTIONAL
+ ]], ... }
+
+ Version ::= INTEGER { v1(0), v2(1), v3(2) }
+
+ CertificateSerialNumber ::= INTEGER
+
+ Validity ::= SEQUENCE {
+ notBefore Time,
+ notAfter Time }
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ UniqueIdentifier ::= BIT STRING
+
+ SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier{PUBLIC-KEY,
+ {PublicKeyAlgorithms}},
+ subjectPublicKey BIT STRING }
+
+ -- CRL structures
+
+ CertificateList ::= SIGNED{TBSCertList}
+
+ TBSCertList ::= SEQUENCE {
+ version Version OPTIONAL,
+ -- if present, MUST be v2
+ signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
+ {SignatureAlgorithms}},
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ ... ,
+ [[2: -- if present, version MUST be v2
+ crlEntryExtensions Extensions{{CrlEntryExtensions}}
+ OPTIONAL
+ ]], ...
+ } OPTIONAL,
+ ... ,
+ [[2: -- if present, version MUST be v2
+ crlExtensions [0] Extensions{{CrlExtensions}}
+ OPTIONAL
+ ]], ... }
+
+ -- Version, Time, CertificateSerialNumber, and Extensions were
+ -- defined earlier for use in the certificate structure
+
+ --
+ -- The two object sets below should be expanded to include
+ -- those algorithms which are supported by the system.
+ --
+ -- For example:
+ -- SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
+ -- PKIXAlgs-2008.SignatureAlgs, ...,
+ -- - - RFC 3279 provides the base set
+ -- PKIX1-PSS-OAEP-ALGORITHMS.SignatureAlgs |
+ -- - - RFC 4055 provides extension algs
+ -- OtherModule.SignatureAlgs
+ -- - - RFC XXXX provides additional extension algs
+ -- }
+
+ SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
+ PKIXAlgs-2009.SignatureAlgs, ...,
+ PKIX1-PSS-OAEP-Algorithms-2009.SignatureAlgs }
+
+ PublicKeyAlgorithms PUBLIC-KEY ::= {
+ PKIXAlgs-2009.PublicKeys, ...,
+ PKIX1-PSS-OAEP-Algorithms-2009.PublicKeys}
+
+ -- Upper Bounds
+
+ ub-state-name INTEGER ::= 128
+ ub-organization-name INTEGER ::= 64
+ ub-organizational-unit-name INTEGER ::= 64
+ ub-title INTEGER ::= 64
+ ub-serial-number INTEGER ::= 64
+ ub-pseudonym INTEGER ::= 128
+ ub-emailaddress-length INTEGER ::= 255
+ ub-locality-name INTEGER ::= 128
+ ub-common-name INTEGER ::= 64
+ ub-name INTEGER ::= 32768
+
+ -- Note - upper bounds on string types, such as TeletexString, are
+ -- measured in characters. Excepting PrintableString or IA5String, a
+ -- significantly greater number of octets will be required to hold
+ -- such a value. As a minimum, 16 octets or twice the specified
+ -- upper bound, whichever is the larger, should be allowed for
+ -- TeletexString. For UTF8String or UniversalString, at least four
+ -- times the upper bound should be allowed.
+
+ -- Information object classes used in the definition
+ -- of certificates and CRLs
+
+ -- Parameterized Type SIGNED
+ --
+ -- Three different versions of doing SIGNED:
+ -- 1. Simple and close to the previous version
+ --
+ -- SIGNED{ToBeSigned} ::= SEQUENCE {
+ -- toBeSigned ToBeSigned,
+ -- algorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM,
+ -- {SignatureAlgorithms}},
+ -- signature BIT STRING
+ -- }
+
+ -- 2. From Authenticated Framework
+ --
+ -- SIGNED{ToBeSigned} ::= SEQUENCE {
+ -- toBeSigned ToBeSigned,
+ -- COMPONENTS OF SIGNATURE{ToBeSigned}
+ -- }
+ -- SIGNATURE{ToBeSigned} ::= SEQUENCE {
+ -- algorithmIdentifier AlgorithmIdentifier,
+ -- encrypted ENCRYPTED-HASH{ToBeSigned}
+ -- }
+ -- ENCRYPTED-HASH{ToBeSigned} ::=
+ -- BIT STRING
+ -- (CONSTRAINED BY {
+ -- shall be the result of applying a hashing procedure to
+ -- the DER-encoded (see 4.1) octets of a value of
+ -- ToBeSigned and then applying an encipherment procedure
+ -- to those octets
+ -- })
+ --
+ --
+ -- 3. A more complex version, but one that automatically ties
+ -- together both the signature algorithm and the
+ -- signature value for automatic decoding.
+ --
+ SIGNED{ToBeSigned} ::= SEQUENCE {
+ toBeSigned ToBeSigned,
+ algorithmIdentifier SEQUENCE {
+ algorithm SIGNATURE-ALGORITHM.
+ &id({SignatureAlgorithms}),
+ parameters SIGNATURE-ALGORITHM.
+ &Params({SignatureAlgorithms}
+ {@algorithmIdentifier.algorithm}) OPTIONAL
+ },
+ signature BIT STRING (CONTAINING SIGNATURE-ALGORITHM.&Value(
+ {SignatureAlgorithms}
+ {@algorithmIdentifier.algorithm}))
+ }
+
+ END
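Review bot: In `TBSCertList`, `revokedCertificates` is now `SEQUENCE SIZE (1..MAX) OF SEQUENCE`, whereas the removed PKIX1Explicit88.asn1 in this patch declared it as an unconstrained `SEQUENCE OF SEQUENCE`. If the generated decoder enforces the size constraint (not visible from this hunk), a CRL that encodes the field as an empty sequence instead of omitting it would stop decoding, which changes revocation checking for that issuer. A decode test with such a CRL would pin the behaviour either way, and a comment on the field such as `-- SIZE (1..MAX): an empty list must be omitted, not encoded as an empty SEQUENCE` would record the intent. Separately, the note above `utf8String` reads "That breaks backward for public_key"; it presumably means `That breaks backward compatibility for public_key.`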
diff --git a/lib/public_key/asn1/PKIX1Explicit-2009.asn1config b/lib/public_key/asn1/PKIX1Explicit-2009.asn1config
new file mode 100644
index 0000000000..b3d917c22f
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1Explicit-2009.asn1config
@@ -0,0 +1,25 @@
+%% -*- erlang -*-
+%%
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: Apache-2.0
+%%
+%% Copyright Ericsson AB 2008-2025. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%% http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+{exclusive_decode,
+ {'PKIX1Explicit-2009',
+ [{decode_TBSCertList_exclusive,['CertificateList',[{toBeSigned,undecoded}]]}]}}.
+
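Review bot: The `exclusive_decode` entry has no comment explaining why `toBeSigned` is left `undecoded` for `CertificateList`. Presumably this keeps the TBSCertList octets as received so the CRL signature is verified over the original encoding rather than a re-encoded value; if that is the intent, a line such as `%% Leave toBeSigned undecoded so the CRL signature is checked over the octets as received.` above the tuple would record it. The field name also changes from `tbsCertList` in the removed PKIX1Explicit88 module to `toBeSigned` here, so callers of `decode_TBSCertList_exclusive` that match on the old name should be checked; those callers are outside this hunk.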
diff --git a/lib/public_key/asn1/PKIX1Explicit88.asn1 b/lib/public_key/asn1/PKIX1Explicit88.asn1
deleted file mode 100644
index 81fec8283e..0000000000
--- a/lib/public_key/asn1/PKIX1Explicit88.asn1
+++ /dev/null
@@ -1,641 +0,0 @@
-PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1)
- security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
-
-DEFINITIONS EXPLICIT TAGS ::=
-
-BEGIN
-
--- EXPORTS ALL --
-
--- IMPORTS NONE --
-
--- UNIVERSAL Types defined in 1993 and 1998 ASN.1
--- and required by this specification
-
--- UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
- -- UniversalString is defined in ASN.1:1993
-
--- BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
- -- BMPString is the subtype of UniversalString and models
- -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1
-
--- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
- -- The content of this type conforms to RFC 2279.
-
--- PKIX specific OIDs
-
-id-pkix OBJECT IDENTIFIER ::=
- { iso(1) identified-organization(3) dod(6) internet(1)
- security(5) mechanisms(5) pkix(7) }
-
--- PKIX arcs
-
-id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
- -- arc for private certificate extensions
-id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
- -- arc for policy qualifier types
-id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
- -- arc for extended key purpose OIDS
-id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
- -- arc for access descriptors
-
--- policyQualifierIds for Internet policy qualifiers
-
-id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
- -- OID for CPS qualifier
-id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
- -- OID for user notice qualifier
-
--- access descriptor definitions
-
-id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
-id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
-id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 }
-id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }
-
--- attribute data types
-
-Attribute ::= SEQUENCE {
- type AttributeType,
- values SET OF AttributeValue }
- -- at least one value is required
-
-AttributeType ::= OBJECT IDENTIFIER
-
-AttributeValue ::= ANY
-
-AttributeTypeAndValue ::= SEQUENCE {
- type AttributeType,
- value AttributeValue }
-
--- suggested naming attributes: Definition of the following
--- information object set may be augmented to meet local
--- requirements. Note that deleting members of the set may
--- prevent interoperability with conforming implementations.
--- presented in pairs: the AttributeType followed by the
--- type definition for the corresponding AttributeValue
---Arc for standard naming attributes
-id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
-
--- Naming attributes of type X520name
-
-id-at-name AttributeType ::= { id-at 41 }
-id-at-surname AttributeType ::= { id-at 4 }
-id-at-givenName AttributeType ::= { id-at 42 }
-id-at-initials AttributeType ::= { id-at 43 }
-id-at-generationQualifier AttributeType ::= { id-at 44 }
-
-X520name ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-name-teletex)),
- printableString PrintableString (SIZE (1..ub-name-printable)),
- universalString UniversalString (SIZE (1..ub-name-universal)),
- utf8String UTF8String (SIZE (1..ub-name-utf8)),
- bmpString BMPString (SIZE (1..ub-name-universal)) }
-
--- Naming attributes of type X520CommonName
-
-id-at-commonName AttributeType ::= { id-at 3 }
-
-X520CommonName ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-common-name-teletex)),
- printableString PrintableString (SIZE (1..ub-common-name-printable)),
- universalString UniversalString (SIZE (1..ub-common-name-universal)),
- utf8String UTF8String (SIZE (1..ub-common-name-utf8)),
- bmpString BMPString (SIZE (1..ub-common-name-universal)) }
-
--- Naming attributes of type X520LocalityName
-
-id-at-localityName AttributeType ::= { id-at 7 }
-
-X520LocalityName ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-locality-name)),
- printableString PrintableString (SIZE (1..ub-locality-name)),
- universalString UniversalString (SIZE (1..ub-locality-name-universal)),
- utf8String UTF8String (SIZE (1..ub-locality-name-utf8)),
- bmpString BMPString (SIZE (1..ub-locality-name-universal)) }
-
--- Naming attributes of type X520StateOrProvinceName
-
-id-at-stateOrProvinceName AttributeType ::= { id-at 8 }
-
-X520StateOrProvinceName ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-state-name)),
- printableString PrintableString (SIZE (1..ub-state-name)),
- universalString UniversalString (SIZE (1..ub-state-name-universal)),
- utf8String UTF8String (SIZE (1..ub-state-name-utf8)),
- bmpString BMPString (SIZE(1..ub-state-name-universal)) }
-
--- Naming attributes of type X520OrganizationName
-
-id-at-organizationName AttributeType ::= { id-at 10 }
-
-X520OrganizationName ::= CHOICE {
- teletexString TeletexString
- (SIZE (1..ub-organization-name-teletex)),
- printableString PrintableString
- (SIZE (1..ub-organization-name-printable)),
- universalString UniversalString
- (SIZE (1..ub-organization-name-universal)),
- utf8String UTF8String
- (SIZE (1..ub-organization-name-utf8)),
- bmpString BMPString
- (SIZE (1..ub-organization-name-universal)) }
-
--- Naming attributes of type X520OrganizationalUnitName
-
-id-at-organizationalUnitName AttributeType ::= { id-at 11 }
-
-X520OrganizationalUnitName ::= CHOICE {
- teletexString TeletexString
- (SIZE (1..ub-organizational-unit-name-teletex)),
- printableString PrintableString
- (SIZE (1..ub-organizational-unit-name-printable)),
- universalString UniversalString
- (SIZE (1..ub-organizational-unit-name-universal)),
- utf8String UTF8String
- (SIZE (1..ub-organizational-unit-name-utf8)),
- bmpString BMPString
- (SIZE (1..ub-organizational-unit-name-universal)) }
-
--- Naming attributes of type X520Title
-
-id-at-title AttributeType ::= { id-at 12 }
-
-X520Title ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-title-teletex)),
- printableString PrintableString (SIZE (1..ub-title-printable)),
- universalString UniversalString (SIZE (1..ub-title-universal)),
- utf8String UTF8String (SIZE (1..ub-title-utf8)),
- bmpString BMPString (SIZE (1..ub-title-universal)) }
-
--- Naming attributes of type X520dnQualifier
-
-id-at-dnQualifier AttributeType ::= { id-at 46 }
-
-X520dnQualifier ::= PrintableString
-
--- Naming attributes of type X520countryName (digraph from IS 3166)
-
-id-at-countryName AttributeType ::= { id-at 6 }
-
-X520countryName ::= PrintableString (SIZE (2))
-
--- Naming attributes of type X520SerialNumber
-
-id-at-serialNumber AttributeType ::= { id-at 5 }
-
-X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number))
-
--- Naming attributes of type X520Pseudonym
-
-id-at-pseudonym AttributeType ::= { id-at 65 }
-
-X520Pseudonym ::= CHOICE {
- teletexString TeletexString (SIZE (1..ub-pseudonym)),
- printableString PrintableString (SIZE (1..ub-pseudonym)),
- universalString UniversalString (SIZE (1..ub-pseudonym-universal)),
- utf8String UTF8String (SIZE (1..ub-pseudonym-utf8)),
- bmpString BMPString (SIZE (1..ub-pseudonym-universal)) }
-
--- Naming attributes of type DomainComponent (from RFC 2247)
-
-id-domainComponent AttributeType ::=
- { 0 9 2342 19200300 100 1 25 }
-
-DomainComponent ::= IA5String
-
--- Legacy attributes
-
-id-emailAddress AttributeType ::= { pkcs-9 1 }
-
-EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length))
-
--- Legacy attributes
-
--- naming data types --
-
-Name ::= CHOICE { -- only one possibility for now --
- rdnSequence RDNSequence }
-
-RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
-
-DistinguishedName ::= RDNSequence
-
-RelativeDistinguishedName ::=
- SET SIZE (1 .. MAX) OF AttributeTypeAndValue
-
--- Directory string type --
-
-DirectoryString ::= CHOICE {
- teletexString TeletexString (SIZE (1..MAX)),
- printableString PrintableString (SIZE (1..MAX)),
- universalString UniversalString (SIZE (1..MAX)),
- utf8String UTF8String (SIZE (1..MAX)),
- bmpString BMPString (SIZE (1..MAX)) }
-
--- certificate and CRL specific structures begin here
-
-Certificate ::= SEQUENCE {
- tbsCertificate TBSCertificate,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING }
-
-TBSCertificate ::= SEQUENCE {
- version [0] Version DEFAULT v1,
- serialNumber CertificateSerialNumber,
- signature AlgorithmIdentifier,
- issuer Name,
- validity Validity,
- subject Name,
- subjectPublicKeyInfo SubjectPublicKeyInfo,
- issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
- -- If present, version MUST be v2 or v3
- subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
- -- If present, version MUST be v2 or v3
- extensions [3] Extensions OPTIONAL
- -- If present, version MUST be v3 -- }
-
-Version ::= INTEGER { v1(0), v2(1), v3(2) }
-
-CertificateSerialNumber ::= INTEGER
-
-Validity ::= SEQUENCE {
- notBefore Time,
- notAfter Time }
-
-Time ::= CHOICE {
- utcTime UTCTime,
- generalTime GeneralizedTime }
-
-UniqueIdentifier ::= BIT STRING
-
-SubjectPublicKeyInfo ::= SEQUENCE {
- algorithm AlgorithmIdentifier,
- subjectPublicKey BIT STRING }
-
-Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
-
-Extension ::= SEQUENCE {
- extnID OBJECT IDENTIFIER,
- critical BOOLEAN DEFAULT FALSE,
- extnValue OCTET STRING }
-
--- CRL structures
-
-CertificateList ::= SEQUENCE {
- tbsCertList TBSCertList,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING }
-
-TBSCertList ::= SEQUENCE {
- version Version OPTIONAL,
- -- if present, MUST be v2
- signature AlgorithmIdentifier,
- issuer Name,
- thisUpdate Time,
- nextUpdate Time OPTIONAL,
- revokedCertificates SEQUENCE OF SEQUENCE {
- userCertificate CertificateSerialNumber,
- revocationDate Time,
- crlEntryExtensions Extensions OPTIONAL
- -- if present, MUST be v2
- } OPTIONAL,
- crlExtensions [0] Extensions OPTIONAL }
- -- if present, MUST be v2
-
--- Version, Time, CertificateSerialNumber, and Extensions were
--- defined earlier for use in the certificate structure
-
-AlgorithmIdentifier ::= SEQUENCE {
- algorithm OBJECT IDENTIFIER,
- parameters ANY DEFINED BY algorithm OPTIONAL }
- -- contains a value of the type
- -- registered for use with the
- -- algorithm object identifier value
-
--- X.400 address syntax starts here
-
-ORAddress ::= SEQUENCE {
- built-in-standard-attributes BuiltInStandardAttributes,
- built-in-domain-defined-attributes
- BuiltInDomainDefinedAttributes OPTIONAL,
- -- see also teletex-domain-defined-attributes
- extension-attributes ExtensionAttributes OPTIONAL }
-
--- Built-in Standard Attributes
-
-BuiltInStandardAttributes ::= SEQUENCE {
- country-name CountryName OPTIONAL,
- administration-domain-name AdministrationDomainName OPTIONAL,
- network-address [0] IMPLICIT NetworkAddress OPTIONAL,
- -- see also extended-network-address
- terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL,
- private-domain-name [2] PrivateDomainName OPTIONAL,
- organization-name [3] IMPLICIT OrganizationName OPTIONAL,
- -- see also teletex-organization-name
- numeric-user-identifier [4] IMPLICIT NumericUserIdentifier
- OPTIONAL,
- personal-name [5] IMPLICIT PersonalName OPTIONAL,
- -- see also teletex-personal-name
- organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
- OPTIONAL }
- -- see also teletex-organizational-unit-names
-
-CountryName ::= [APPLICATION 1] CHOICE {
- x121-dcc-code NumericString
- (SIZE (ub-country-name-numeric-length)),
- iso-3166-alpha2-code PrintableString
- (SIZE (ub-country-name-alpha-length)) }
-
-AdministrationDomainName ::= [APPLICATION 2] CHOICE {
- numeric NumericString (SIZE (0..ub-domain-name-length)),
- printable PrintableString (SIZE (0..ub-domain-name-length)) }
-
-NetworkAddress ::= X121Address -- see also extended-network-address
-
-X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
-
-TerminalIdentifier ::= PrintableString (SIZE
-(1..ub-terminal-id-length))
-
-PrivateDomainName ::= CHOICE {
- numeric NumericString (SIZE (1..ub-domain-name-length)),
- printable PrintableString (SIZE (1..ub-domain-name-length)) }
-
-OrganizationName ::= PrintableString
- (SIZE (1..ub-organization-name-printable))
- -- see also teletex-organization-name
-
-NumericUserIdentifier ::= NumericString
- (SIZE (1..ub-numeric-user-id-length))
-
-PersonalName ::= SET {
- surname [0] IMPLICIT PrintableString
- (SIZE (1..ub-surname-length)),
- given-name [1] IMPLICIT PrintableString
- (SIZE (1..ub-given-name-length)) OPTIONAL,
- initials [2] IMPLICIT PrintableString
- (SIZE (1..ub-initials-length)) OPTIONAL,
- generation-qualifier [3] IMPLICIT PrintableString
- (SIZE (1..ub-generation-qualifier-length))
- OPTIONAL }
- -- see also teletex-personal-name
-
-OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
- OF OrganizationalUnitName
- -- see also teletex-organizational-unit-names
-
-OrganizationalUnitName ::= PrintableString (SIZE
- (1..ub-organizational-unit-name-printable))
-
--- Built-in Domain-defined Attributes
-
-BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
- (1..ub-domain-defined-attributes) OF
- BuiltInDomainDefinedAttribute
-
-BuiltInDomainDefinedAttribute ::= SEQUENCE {
- type PrintableString (SIZE
- (1..ub-domain-defined-attribute-type-length)),
- value PrintableString (SIZE
- (1..ub-domain-defined-attribute-value-length)) }
-
--- Extension Attributes
-
-ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
- ExtensionAttribute
-
-ExtensionAttribute ::= SEQUENCE {
- extension-attribute-type [0] IMPLICIT INTEGER
- (0..ub-extension-attributes),
- extension-attribute-value [1]
- ANY DEFINED BY extension-attribute-type }
-
--- Extension types and attribute values
-
-common-name INTEGER ::= 1
-
-CommonName ::= PrintableString (SIZE (1..ub-common-name-printable))
-
-teletex-common-name INTEGER ::= 2
-
-TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-teletex))
-
-teletex-organization-name INTEGER ::= 3
-
-TeletexOrganizationName ::=
- TeletexString (SIZE (1..ub-organization-name-teletex))
-
-teletex-personal-name INTEGER ::= 4
-
-TeletexPersonalName ::= SET {
- surname [0] IMPLICIT TeletexString
- (SIZE (1..ub-surname-length)),
- given-name [1] IMPLICIT TeletexString
- (SIZE (1..ub-given-name-length)) OPTIONAL,
- initials [2] IMPLICIT TeletexString
- (SIZE (1..ub-initials-length)) OPTIONAL,
- generation-qualifier [3] IMPLICIT TeletexString
- (SIZE (1..ub-generation-qualifier-length))
- OPTIONAL }
-
-teletex-organizational-unit-names INTEGER ::= 5
-
-TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
- (1..ub-organizational-units) OF TeletexOrganizationalUnitName
-
-TeletexOrganizationalUnitName ::= TeletexString
- (SIZE (1..ub-organizational-unit-name-teletex))
-
-pds-name INTEGER ::= 7
-
-PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
-
-physical-delivery-country-name INTEGER ::= 8
-
-PhysicalDeliveryCountryName ::= CHOICE {
- x121-dcc-code NumericString (SIZE
-(ub-country-name-numeric-length)),
- iso-3166-alpha2-code PrintableString
- (SIZE (ub-country-name-alpha-length)) }
-
-postal-code INTEGER ::= 9
-
-PostalCode ::= CHOICE {
- numeric-code NumericString (SIZE (1..ub-postal-code-length)),
- printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
-
-physical-delivery-office-name INTEGER ::= 10
-
-PhysicalDeliveryOfficeName ::= PDSParameter
-
-physical-delivery-office-number INTEGER ::= 11
-
-PhysicalDeliveryOfficeNumber ::= PDSParameter
-
-extension-OR-address-components INTEGER ::= 12
-
-ExtensionORAddressComponents ::= PDSParameter
-
-physical-delivery-personal-name INTEGER ::= 13
-
-PhysicalDeliveryPersonalName ::= PDSParameter
-
-physical-delivery-organization-name INTEGER ::= 14
-
-PhysicalDeliveryOrganizationName ::= PDSParameter
-
-extension-physical-delivery-address-components INTEGER ::= 15
-
-ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
-
-unformatted-postal-address INTEGER ::= 16
-
-UnformattedPostalAddress ::= SET {
- printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
- OF PrintableString (SIZE (1..ub-pds-parameter-length))
- OPTIONAL,
- teletex-string TeletexString
- (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
-
-street-address INTEGER ::= 17
-
-StreetAddress ::= PDSParameter
-
-post-office-box-address INTEGER ::= 18
-
-PostOfficeBoxAddress ::= PDSParameter
-
-poste-restante-address INTEGER ::= 19
-
-PosteRestanteAddress ::= PDSParameter
-
-unique-postal-name INTEGER ::= 20
-
-UniquePostalName ::= PDSParameter
-
-local-postal-attributes INTEGER ::= 21
-
-LocalPostalAttributes ::= PDSParameter
-
-PDSParameter ::= SET {
- printable-string PrintableString
- (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
- teletex-string TeletexString
- (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
-
-extended-network-address INTEGER ::= 22
-
-ExtendedNetworkAddress ::= CHOICE {
- e163-4-address SEQUENCE {
- number [0] IMPLICIT NumericString
- (SIZE (1..ub-e163-4-number-length)),
- sub-address [1] IMPLICIT NumericString
- (SIZE (1..ub-e163-4-sub-address-length))
- OPTIONAL },
- psap-address [0] IMPLICIT PresentationAddress }
-
-PresentationAddress ::= SEQUENCE {
- pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
- sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
- tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
- nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
-
-terminal-type INTEGER ::= 23
-
-TerminalType ::= INTEGER {
- telex (3),
- teletex (4),
- g3-facsimile (5),
- g4-facsimile (6),
- ia5-terminal (7),
- videotex (8) } (0..ub-integer-options)
-
--- Extension Domain-defined Attributes
-
-teletex-domain-defined-attributes INTEGER ::= 6
-
-TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
- (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
-
-TeletexDomainDefinedAttribute ::= SEQUENCE {
- type TeletexString
- (SIZE (1..ub-domain-defined-attribute-type-length)),
- value TeletexString
- (SIZE (1..ub-domain-defined-attribute-value-length)) }
-
--- specifications of Upper Bounds MUST be regarded as mandatory
--- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
--- Upper Bounds
-
--- Upper Bounds
-ub-name INTEGER ::= 32768
-ub-name-teletex INTEGER ::= 65536
-ub-name-printable INTEGER ::= 65536
-ub-name-universal INTEGER ::= 131072
-ub-name-utf8 INTEGER ::= 131072
-ub-common-name INTEGER ::= 64
-ub-common-name-teletex INTEGER::= 128
-ub-common-name-printable INTEGER ::= 128
-ub-common-name-universal INTEGER ::= 256
-ub-common-name-utf8 INTEGER ::= 256
-ub-locality-name INTEGER ::= 128
-ub-locality-name-utf8 INTEGER ::= 256
-ub-locality-name-universal INTEGER ::= 256
-ub-state-name INTEGER ::= 128
-ub-state-name-universal INTEGER ::= 256
-ub-state-name-utf8 INTEGER ::= 256
-ub-organization-name INTEGER ::= 64
-ub-organization-name-printable INTEGER ::= 128
-ub-organization-name-teletex INTEGER ::= 128
-ub-organization-name-universal INTEGER ::= 256
-ub-organization-name-utf8 INTEGER ::= 256
-ub-organizational-unit-name INTEGER ::= 64
-ub-organizational-unit-name-printable INTEGER ::= 128
-ub-organizational-unit-name-teletex INTEGER ::= 128
-ub-organizational-unit-name-universal INTEGER ::= 256
-ub-organizational-unit-name-utf8 INTEGER ::= 256
-ub-title INTEGER ::= 64
-ub-title-teletex INTEGER ::= 128
-ub-title-printable INTEGER ::= 128
-ub-title-universal INTEGER ::= 256
-ub-title-utf8 INTEGER ::= 256
-ub-serial-number INTEGER ::= 64
-ub-match INTEGER ::= 128
-ub-emailaddress-length INTEGER ::= 255
-ub-country-name-alpha-length INTEGER ::= 2
-ub-country-name-numeric-length INTEGER ::= 3
-ub-domain-defined-attributes INTEGER ::= 4
-ub-domain-defined-attribute-type-length INTEGER ::= 8
-ub-domain-defined-attribute-value-length INTEGER ::= 128
-ub-domain-name-length INTEGER ::= 16
-ub-extension-attributes INTEGER ::= 256
-ub-e163-4-number-length INTEGER ::= 15
-ub-e163-4-sub-address-length INTEGER ::= 40
-ub-generation-qualifier-length INTEGER ::= 3
-ub-given-name-length INTEGER ::= 16
-ub-initials-length INTEGER ::= 5
-ub-integer-options INTEGER ::= 256
-ub-numeric-user-id-length INTEGER ::= 32
-ub-organizational-units INTEGER ::= 4
-ub-pds-name-length INTEGER ::= 16
-ub-pds-parameter-length INTEGER ::= 30
-ub-pds-physical-address-lines INTEGER ::= 6
-ub-postal-code-length INTEGER ::= 16
-ub-pseudonym INTEGER ::= 128
-ub-pseudonym-utf8 INTEGER ::= 256
-ub-pseudonym-universal INTEGER ::= 256
-ub-surname-length INTEGER ::= 40
-ub-terminal-id-length INTEGER ::= 24
-ub-unformatted-address-length INTEGER ::= 180
-ub-x121-address-length INTEGER ::= 16
-
--- Note - upper bounds on string types, such as TeletexString, are
--- measured in characters. Excepting PrintableString or IA5String, a
--- significantly greater number of octets will be required to hold
--- such a value. As a minimum, 16 octets, or twice the specified
--- upper bound, whichever is the larger, should be allowed for
--- TeletexString. For UTF8String or UniversalString at least four
--- times the upper bound should be allowed.
-
-END
diff --git a/lib/public_key/asn1/PKIX1Implicit-2009.asn1 b/lib/public_key/asn1/PKIX1Implicit-2009.asn1
new file mode 100644
index 0000000000..e653c2c313
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1Implicit-2009.asn1
@@ -0,0 +1,481 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ PKIX1Implicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ AttributeSet{}, EXTENSION, ATTRIBUTE
+ FROM PKIX-CommonTypes-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
+
+ id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name,
+ RelativeDistinguishedName, CertificateSerialNumber,
+ DirectoryString{}, SupportedAttributes
+ FROM PKIX1Explicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) };
+
+ CertExtensions EXTENSION ::= {
+ ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier |
+ ext-KeyUsage | ext-PrivateKeyUsagePeriod |
+ ext-CertificatePolicies | ext-PolicyMappings |
+ ext-SubjectAltName | ext-IssuerAltName |
+ ext-SubjectDirectoryAttributes |
+ ext-BasicConstraints | ext-NameConstraints |
+ ext-PolicyConstraints | ext-ExtKeyUsage |
+ ext-CRLDistributionPoints | ext-InhibitAnyPolicy |
+ ext-FreshestCRL | ext-AuthorityInfoAccess |
+ ext-SubjectInfoAccessSyntax, ... }
+
+ CrlExtensions EXTENSION ::= {
+ ext-AuthorityKeyIdentifier | ext-IssuerAltName |
+ ext-CRLNumber | ext-DeltaCRLIndicator |
+ ext-IssuingDistributionPoint | ext-FreshestCRL, ... }
+
+ CrlEntryExtensions EXTENSION ::= {
+ ext-CRLReason | ext-CertificateIssuer |
+ ext-HoldInstructionCode | ext-InvalidityDate, ... }
+ -- Shared arc for standard certificate and CRL extensions
+
+ id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
+
+ -- authority key identifier OID and syntax
+
+ ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX
+ AuthorityKeyIdentifier IDENTIFIED BY
+ id-ce-authorityKeyIdentifier }
+ id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
+
+ AuthorityKeyIdentifier ::= SEQUENCE {
+ keyIdentifier [0] KeyIdentifier OPTIONAL,
+ authorityCertIssuer [1] GeneralNames OPTIONAL,
+ authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
+ (WITH COMPONENTS {
+ ...,
+ authorityCertIssuer PRESENT,
+ authorityCertSerialNumber PRESENT
+ } |
+ WITH COMPONENTS {
+ ...,
+ authorityCertIssuer ABSENT,
+ authorityCertSerialNumber ABSENT
+ })
+
+ KeyIdentifier ::= OCTET STRING
+
+ -- subject key identifier OID and syntax
+
+ ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX
+ KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier }
+ id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
+
+ -- key usage extension OID and syntax
+
+ ext-KeyUsage EXTENSION ::= { SYNTAX
+ KeyUsage IDENTIFIED BY id-ce-keyUsage }
+ id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+ KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1), -- recent editions of X.509 have
+ -- renamed this bit to
+ -- contentCommitment
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8)
+ }
+
+ -- private key usage period extension OID and syntax
+
+ ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX
+ PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod }
+ id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
+
+ PrivateKeyUsagePeriod ::= SEQUENCE {
+ notBefore [0] GeneralizedTime OPTIONAL,
+ notAfter [1] GeneralizedTime OPTIONAL }
+ (WITH COMPONENTS {..., notBefore PRESENT } |
+ WITH COMPONENTS {..., notAfter PRESENT })
+
+ -- certificate policies extension OID and syntax
+
+ ext-CertificatePolicies EXTENSION ::= { SYNTAX
+ CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies}
+ id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
+
+ CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+
+ PolicyInformation ::= SEQUENCE {
+ policyIdentifier CertPolicyId,
+ policyQualifiers SEQUENCE SIZE (1..MAX) OF
+ PolicyQualifierInfo OPTIONAL }
+
+ CertPolicyId ::= OBJECT IDENTIFIER
+
+ CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER
+
+ PolicyQualifierInfo ::= SEQUENCE {
+ policyQualifierId CERT-POLICY-QUALIFIER.
+ &id({PolicyQualifierId}),
+ qualifier CERT-POLICY-QUALIFIER.
+ &Type({PolicyQualifierId}{@policyQualifierId})}
+
+ -- Implementations that recognize additional policy qualifiers MUST
+ -- augment the following definition for PolicyQualifierId
+
+ PolicyQualifierId CERT-POLICY-QUALIFIER ::=
+ { pqid-cps | pqid-unotice, ... }
+
+ pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }
+ pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice
+ IDENTIFIED BY id-qt-unotice }
+
+ -- CPS pointer qualifier
+
+ CPSuri ::= IA5String
+
+ -- user notice qualifier
+
+ UserNotice ::= SEQUENCE {
+ noticeRef NoticeReference OPTIONAL,
+ explicitText DisplayText OPTIONAL}
+
+ --
+ -- This is not made explicit in the text
+ --
+ -- {WITH COMPONENTS {..., noticeRef PRESENT} |
+ -- WITH COMPONENTS {..., DisplayText PRESENT }}
+
+ NoticeReference ::= SEQUENCE {
+ organization DisplayText,
+ noticeNumbers SEQUENCE OF INTEGER }
+
+ DisplayText ::= CHOICE {
+ ia5String IA5String (SIZE (1..200)),
+ visibleString VisibleString (SIZE (1..200)),
+ bmpString BMPString (SIZE (1..200)),
+ utf8String UTF8String (SIZE (1..200)) }
+
+ -- policy mapping extension OID and syntax
+
+ ext-PolicyMappings EXTENSION ::= { SYNTAX
+ PolicyMappings IDENTIFIED BY id-ce-policyMappings }
+ id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
+
+ PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ issuerDomainPolicy CertPolicyId,
+ subjectDomainPolicy CertPolicyId
+ }
+
+ -- subject alternative name extension OID and syntax
+
+ ext-SubjectAltName EXTENSION ::= { SYNTAX
+ GeneralNames IDENTIFIED BY id-ce-subjectAltName }
+ id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
+
+ GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+
+ GeneralName ::= CHOICE {
+ otherName [0] INSTANCE OF OTHER-NAME,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+ directoryName [4] Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER
+ }
+
+ -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
+ -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
+
+ OTHER-NAME ::= TYPE-IDENTIFIER
+
+ EDIPartyName ::= SEQUENCE {
+ nameAssigner [0] DirectoryString {ubMax} OPTIONAL,
+ partyName [1] DirectoryString {ubMax}
+ }
+
+ -- issuer alternative name extension OID and syntax
+
+ ext-IssuerAltName EXTENSION ::= { SYNTAX
+ GeneralNames IDENTIFIED BY id-ce-issuerAltName }
+ id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
+
+ ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX
+ SubjectDirectoryAttributes IDENTIFIED BY
+ id-ce-subjectDirectoryAttributes }
+ id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
+
+ SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
+ AttributeSet{{SupportedAttributes}}
+
+ -- basic constraints extension OID and syntax
+
+ ext-BasicConstraints EXTENSION ::= { SYNTAX
+ BasicConstraints IDENTIFIED BY id-ce-basicConstraints }
+ id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
+
+ BasicConstraints ::= SEQUENCE {
+ cA BOOLEAN DEFAULT FALSE,
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL
+ }
+
+ -- name constraints extension OID and syntax
+ ext-NameConstraints EXTENSION ::= { SYNTAX
+ NameConstraints IDENTIFIED BY id-ce-nameConstraints }
+ id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
+
+ NameConstraints ::= SEQUENCE {
+ permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ excludedSubtrees [1] GeneralSubtrees OPTIONAL
+ }
+ --
+ -- This is a constraint in the issued certificates by CAs, but is
+ -- not a requirement on EEs.
+ --
+ -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
+ -- WITH COMPONENTS { ..., excludedSubtrees PRESENT }}
+
+ GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+
+ GeneralSubtree ::= SEQUENCE {
+ base GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL
+ }
+
+ BaseDistance ::= INTEGER (0..MAX)
+
+ -- policy constraints extension OID and syntax
+
+ ext-PolicyConstraints EXTENSION ::= { SYNTAX
+ PolicyConstraints IDENTIFIED BY id-ce-policyConstraints }
+ id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
+
+ PolicyConstraints ::= SEQUENCE {
+ requireExplicitPolicy [0] SkipCerts OPTIONAL,
+ inhibitPolicyMapping [1] SkipCerts OPTIONAL }
+ --
+ -- This is a constraint in the issued certificates by CAs,
+ -- but is not a requirement for EEs
+ --
+ -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
+ -- WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})
+
+ SkipCerts ::= INTEGER (0..MAX)
+
+ -- CRL distribution points extension OID and syntax
+
+ ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
+ CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}
+ id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
+ CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+
+ DistributionPoint ::= SEQUENCE {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ reasons [1] ReasonFlags OPTIONAL,
+ cRLIssuer [2] GeneralNames OPTIONAL
+ }
+ --
+ -- This is not a requirement in the text, but it seems as if it
+ -- should be
+ --
+ --(WITH COMPONENTS {..., distributionPoint PRESENT} |
+ -- WITH COMPONENTS {..., cRLIssuer PRESENT})
+
+ DistributionPointName ::= CHOICE {
+ fullName [0] GeneralNames,
+ nameRelativeToCRLIssuer [1] RelativeDistinguishedName
+ }
+
+ ReasonFlags ::= BIT STRING {
+ unused (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ privilegeWithdrawn (7),
+ aACompromise (8)
+ }
+
+ -- extended key usage extension OID and syntax
+
+ ext-ExtKeyUsage EXTENSION ::= { SYNTAX
+ ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage }
+ id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
+
+ ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+
+ KeyPurposeId ::= OBJECT IDENTIFIER
+
+ -- permit unspecified key uses
+
+ anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
+
+ -- extended key purpose OIDs
+
+ id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
+ id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
+ id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
+ id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+ id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
+ id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
+
+ -- inhibit any policy OID and syntax
+
+ ext-InhibitAnyPolicy EXTENSION ::= {SYNTAX
+ SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy }
+ id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
+
+ -- freshest (delta)CRL extension OID and syntax
+
+ ext-FreshestCRL EXTENSION ::= {SYNTAX
+ CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL }
+ id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 }
+
+ -- authority info access
+
+ ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX
+ AuthorityInfoAccessSyntax IDENTIFIED BY
+ id-pe-authorityInfoAccess }
+ id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+
+ AuthorityInfoAccessSyntax ::=
+ SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+ AccessDescription ::= SEQUENCE {
+ accessMethod OBJECT IDENTIFIER,
+ accessLocation GeneralName }
+
+ -- subject info access
+
+ ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX
+ SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
+ id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }
+
+ SubjectInfoAccessSyntax ::=
+ SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+ -- CRL number extension OID and syntax
+
+ ext-CRLNumber EXTENSION ::= {SYNTAX
+ INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
+ id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
+
+ CRLNumber ::= INTEGER (0..MAX)
+ -- issuing distribution point extension OID and syntax
+
+ ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX
+ IssuingDistributionPoint IDENTIFIED BY
+ id-ce-issuingDistributionPoint }
+ id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+
+ IssuingDistributionPoint ::= SEQUENCE {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
+ onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
+ onlySomeReasons [3] ReasonFlags OPTIONAL,
+ indirectCRL [4] BOOLEAN DEFAULT FALSE,
+ onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE
+ }
+ -- at most one of onlyContainsUserCerts, onlyContainsCACerts,
+ -- or onlyContainsAttributeCerts may be set to TRUE.
+
+ ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX
+ CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator }
+ id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
+
+ -- CRL reasons extension OID and syntax
+
+ ext-CRLReason EXTENSION ::= { SYNTAX
+ CRLReason IDENTIFIED BY id-ce-cRLReasons }
+ id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
+
+ CRLReason ::= ENUMERATED {
+ unspecified (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ removeFromCRL (8),
+ privilegeWithdrawn (9),
+ aACompromise (10)
+ }
+
+ -- certificate issuer CRL entry extension OID and syntax
+
+ ext-CertificateIssuer EXTENSION ::= { SYNTAX
+ GeneralNames IDENTIFIED BY id-ce-certificateIssuer }
+ id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
+
+ -- hold instruction extension OID and syntax
+ ext-HoldInstructionCode EXTENSION ::= { SYNTAX
+ OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode }
+ id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
+
+ -- ANSI x9 holdinstructions
+
+ holdInstruction OBJECT IDENTIFIER ::=
+ {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
+ id-holdinstruction-none OBJECT IDENTIFIER ::=
+ {holdInstruction 1} -- deprecated
+ id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
+ {holdInstruction 2}
+ id-holdinstruction-reject OBJECT IDENTIFIER ::=
+ {holdInstruction 3}
+
+ -- invalidity date CRL entry extension OID and syntax
+
+ ext-InvalidityDate EXTENSION ::= { SYNTAX
+ GeneralizedTime IDENTIFIED BY id-ce-invalidityDate }
+ id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
+ -- Upper bounds
+ ubMax INTEGER ::= 32768
+
+ END
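Review bot: `AuthorityKeyIdentifier` and `PrivateKeyUsagePeriod` now state their presence rules as `WITH COMPONENTS` constraints, where the removed PKIX1Implicit88 module had them only as comments, and nothing visible in this hunk shows whether the generated decoder enforces them. If it does, an extension value carrying `authorityCertIssuer` without `authorityCertSerialNumber` would start failing at decode time instead of in later validation. If it does not, any checks in the Erlang code remain the only enforcement, as they presumably already are for the comment-only rules on `IssuingDistributionPoint`, `NameConstraints` and `PolicyConstraints`. A decode test with such a value would pin the behaviour either way. Separately, the comment above `OTHER-NAME ::= TYPE-IDENTIFIER` still describes the '88 `AnotherName` workaround that this module no longer uses; something like `-- OTHER-NAME is the TYPE-IDENTIFIER class used by GeneralName.otherName` would match the definition.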
diff --git a/lib/public_key/asn1/PKIX1Implicit88.asn1 b/lib/public_key/asn1/PKIX1Implicit88.asn1
deleted file mode 100644
index ced270baf6..0000000000
--- a/lib/public_key/asn1/PKIX1Implicit88.asn1
+++ /dev/null
@@ -1,349 +0,0 @@
-PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) internet(1)
- security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }
-
-DEFINITIONS IMPLICIT TAGS ::=
-
-BEGIN
-
--- EXPORTS ALL --
-
-IMPORTS
- id-pe, id-kp, id-qt-unotice, id-qt-cps,
- -- delete following line if "new" types are supported --
- -- BMPString,
- -- UTF8String, end "new" types --
- ORAddress, Name, RelativeDistinguishedName,
- CertificateSerialNumber, Attribute, DirectoryString
- FROM PKIX1Explicit88 { iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5) pkix(7)
- id-mod(0) id-pkix1-explicit(18) };
-
-
--- ISO arc for standard certificate and CRL extensions
-
-id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
-
--- authority key identifier OID and syntax
-
-id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
-
-AuthorityKeyIdentifier ::= SEQUENCE {
- keyIdentifier [0] KeyIdentifier OPTIONAL,
- authorityCertIssuer [1] GeneralNames OPTIONAL,
- authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
- -- authorityCertIssuer and authorityCertSerialNumber MUST both
- -- be present or both be absent
-
-KeyIdentifier ::= OCTET STRING
-
--- subject key identifier OID and syntax
-
-id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
-
-SubjectKeyIdentifier ::= KeyIdentifier
-
--- key usage extension OID and syntax
-
-id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
-
-KeyUsage ::= BIT STRING {
- digitalSignature (0),
- nonRepudiation (1),
- keyEncipherment (2),
- dataEncipherment (3),
- keyAgreement (4),
- keyCertSign (5),
- cRLSign (6),
- encipherOnly (7),
- decipherOnly (8) }
-
--- private key usage period extension OID and syntax
-
-id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
-
-PrivateKeyUsagePeriod ::= SEQUENCE {
- notBefore [0] GeneralizedTime OPTIONAL,
- notAfter [1] GeneralizedTime OPTIONAL }
- -- either notBefore or notAfter MUST be present
-
--- certificate policies extension OID and syntax
-
-id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
-
-anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
-
-CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
-
-PolicyInformation ::= SEQUENCE {
- policyIdentifier CertPolicyId,
- policyQualifiers SEQUENCE SIZE (1..MAX) OF
- PolicyQualifierInfo OPTIONAL }
-
-CertPolicyId ::= OBJECT IDENTIFIER
-
-PolicyQualifierInfo ::= SEQUENCE {
- policyQualifierId PolicyQualifierId,
- qualifier ANY DEFINED BY policyQualifierId }
-
--- Implementations that recognize additional policy qualifiers MUST
--- augment the following definition for PolicyQualifierId
-
-PolicyQualifierId ::=
- OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
-
--- CPS pointer qualifier
-
-CPSuri ::= IA5String
-
--- user notice qualifier
-
-UserNotice ::= SEQUENCE {
- noticeRef NoticeReference OPTIONAL,
- explicitText DisplayText OPTIONAL}
-
-NoticeReference ::= SEQUENCE {
- organization DisplayText,
- noticeNumbers SEQUENCE OF INTEGER }
-
-DisplayText ::= CHOICE {
- ia5String IA5String (SIZE (1..200)),
- visibleString VisibleString (SIZE (1..200)),
- bmpString BMPString (SIZE (1..200)),
- utf8String UTF8String (SIZE (1..200)) }
-
--- policy mapping extension OID and syntax
-
-id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
-
-PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
- issuerDomainPolicy CertPolicyId,
- subjectDomainPolicy CertPolicyId }
-
--- subject alternative name extension OID and syntax
-
-id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
-
-SubjectAltName ::= GeneralNames
-
-GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
-
-GeneralName ::= CHOICE {
- otherName [0] AnotherName,
- rfc822Name [1] IA5String,
- dNSName [2] IA5String,
- x400Address [3] ORAddress,
- directoryName [4] Name,
- ediPartyName [5] EDIPartyName,
- uniformResourceIdentifier [6] IA5String,
- iPAddress [7] OCTET STRING,
- registeredID [8] OBJECT IDENTIFIER }
-
--- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
--- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
-
-AnotherName ::= SEQUENCE {
- type-id OBJECT IDENTIFIER,
- value [0] EXPLICIT ANY DEFINED BY type-id }
-
-EDIPartyName ::= SEQUENCE {
- nameAssigner [0] DirectoryString OPTIONAL,
- partyName [1] DirectoryString }
-
--- issuer alternative name extension OID and syntax
-
-id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
-
-IssuerAltName ::= GeneralNames
-
-id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
-
-SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
-
--- basic constraints extension OID and syntax
-
-id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
-
-BasicConstraints ::= SEQUENCE {
- cA BOOLEAN DEFAULT FALSE,
- pathLenConstraint INTEGER (0..MAX) OPTIONAL }
-
--- name constraints extension OID and syntax
-
-id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
-
-NameConstraints ::= SEQUENCE {
- permittedSubtrees [0] GeneralSubtrees OPTIONAL,
- excludedSubtrees [1] GeneralSubtrees OPTIONAL }
-
-GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
-
-GeneralSubtree ::= SEQUENCE {
- base GeneralName,
- minimum [0] BaseDistance DEFAULT 0,
- maximum [1] BaseDistance OPTIONAL }
-
-BaseDistance ::= INTEGER (0..MAX)
-
--- policy constraints extension OID and syntax
-
-id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
-
-PolicyConstraints ::= SEQUENCE {
- requireExplicitPolicy [0] SkipCerts OPTIONAL,
- inhibitPolicyMapping [1] SkipCerts OPTIONAL }
-
-SkipCerts ::= INTEGER (0..MAX)
-
--- CRL distribution points extension OID and syntax
-
-id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
-
-CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
-
-DistributionPoint ::= SEQUENCE {
- distributionPoint [0] DistributionPointName OPTIONAL,
- reasons [1] ReasonFlags OPTIONAL,
- cRLIssuer [2] GeneralNames OPTIONAL }
-
-DistributionPointName ::= CHOICE {
- fullName [0] GeneralNames,
- nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
-
-ReasonFlags ::= BIT STRING {
- unused (0),
- keyCompromise (1),
- cACompromise (2),
- affiliationChanged (3),
- superseded (4),
- cessationOfOperation (5),
- certificateHold (6),
- privilegeWithdrawn (7),
- aACompromise (8) }
-
--- extended key usage extension OID and syntax
-
-id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
-
-ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
-
-
-KeyPurposeId ::= OBJECT IDENTIFIER
-
--- permit unspecified key uses
-
-anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
-
--- extended key purpose OIDs
-
-id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
-id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
-id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
-id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
-id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
-id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
-
--- inhibit any policy OID and syntax
-
-id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
-
-InhibitAnyPolicy ::= SkipCerts
-
--- freshest (delta)CRL extension OID and syntax
-
-id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 }
-
-FreshestCRL ::= CRLDistributionPoints
-
--- authority info access
-
-id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
-
-AuthorityInfoAccessSyntax ::=
- SEQUENCE SIZE (1..MAX) OF AccessDescription
-
-AccessDescription ::= SEQUENCE {
- accessMethod OBJECT IDENTIFIER,
- accessLocation GeneralName }
-
--- subject info access
-
-id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }
-
-SubjectInfoAccessSyntax ::=
- SEQUENCE SIZE (1..MAX) OF AccessDescription
-
--- CRL number extension OID and syntax
-
-id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
-
-CRLNumber ::= INTEGER (0..MAX)
-
--- issuing distribution point extension OID and syntax
-
-id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
-
-IssuingDistributionPoint ::= SEQUENCE {
- distributionPoint [0] DistributionPointName OPTIONAL,
- onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
- onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
- onlySomeReasons [3] ReasonFlags OPTIONAL,
- indirectCRL [4] BOOLEAN DEFAULT FALSE,
- onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
-
-id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
-
-BaseCRLNumber ::= CRLNumber
-
--- CRL reasons extension OID and syntax
-
-id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
-
-CRLReason ::= ENUMERATED {
- unspecified (0),
- keyCompromise (1),
- cACompromise (2),
- affiliationChanged (3),
- superseded (4),
- cessationOfOperation (5),
- certificateHold (6),
- removeFromCRL (8),
- privilegeWithdrawn (9),
- aACompromise (10) }
-
--- certificate issuer CRL entry extension OID and syntax
-
-id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
-
-CertificateIssuer ::= GeneralNames
-
--- hold instruction extension OID and syntax
-
-id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
-
-HoldInstructionCode ::= OBJECT IDENTIFIER
-
--- ANSI x9 holdinstructions
-
--- ANSI x9 arc holdinstruction arc
-
-holdInstruction OBJECT IDENTIFIER ::=
- {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
-
--- ANSI X9 holdinstructions referenced by this standard
-
-id-holdinstruction-none OBJECT IDENTIFIER ::=
- {holdInstruction 1} -- deprecated
-
-id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
- {holdInstruction 2}
-
-id-holdinstruction-reject OBJECT IDENTIFIER ::=
- {holdInstruction 3}
-
--- invalidity date CRL entry extension OID and syntax
-
-id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
-
-InvalidityDate ::= GeneralizedTime
-
-END
diff --git a/lib/public_key/asn1/PKIXAlgs-2009.asn1 b/lib/public_key/asn1/PKIXAlgs-2009.asn1
new file mode 100644
index 0000000000..b3565041db
--- /dev/null
+++ b/lib/public_key/asn1/PKIXAlgs-2009.asn1
@@ -0,0 +1,562 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-algorithms2008-02(56) }
+
+ DEFINITIONS EXPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+ mda-sha224, mda-sha256, mda-sha384, mda-sha512
+ FROM PKIX1-PSS-OAEP-Algorithms-2009
+ {iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-rsa-pkalgs-02(54)} ;
+
+ --
+ -- Public Key (pk-) Algorithms
+ --
+
+ PublicKeys PUBLIC-KEY ::= {
+ pk-rsa |
+ pk-dsa |
+ pk-dh |
+ pk-kea,
+ ...,
+ pk-ec |
+ pk-ecDH |
+ pk-ecMQV
+ }
+
+ --
+ -- Signature Algorithms (sa-)
+ --
+
+ SignatureAlgs SIGNATURE-ALGORITHM ::= {
+ sa-rsaWithMD2 |
+ sa-rsaWithMD5 |
+ sa-rsaWithSHA1 |
+ sa-dsaWithSHA1 |
+ sa-ecdsaWithSHA1,
+ ..., -- Extensible
+ sa-dsaWithSHA224 |
+ sa-dsaWithSHA256 |
+ sa-ecdsaWithSHA224 |
+ sa-ecdsaWithSHA256 |
+ sa-ecdsaWithSHA384 |
+ sa-ecdsaWithSHA512
+ }
+
+ --
+ -- S/MIME CAPS for algorithms in this document
+ --
+ -- For all of the algorithms laid out in this document, the
+ -- parameters field for the S/MIME capabilities is defined as
+ -- ABSENT as there are no specific values that need to be known
+ -- by the receiver for negotiation.
+
+ --
+
+ SMimeCaps SMIME-CAPS ::= {
+ sa-rsaWithMD2.&smimeCaps |
+ sa-rsaWithMD5.&smimeCaps |
+ sa-rsaWithSHA1.&smimeCaps |
+ sa-dsaWithSHA1.&smimeCaps |
+ sa-dsaWithSHA224.&smimeCaps |
+ sa-dsaWithSHA256.&smimeCaps |
+ sa-ecdsaWithSHA1.&smimeCaps |
+ sa-ecdsaWithSHA224.&smimeCaps |
+ sa-ecdsaWithSHA256.&smimeCaps |
+ sa-ecdsaWithSHA384.&smimeCaps |
+ sa-ecdsaWithSHA512.&smimeCaps,
+ ... }
+
+ -- RSA PK Algorithm, Parameters, and Keys
+
+ pk-rsa PUBLIC-KEY ::= {
+ IDENTIFIER rsaEncryption
+ KEY RSAPublicKey
+ PARAMS TYPE NULL ARE absent
+ -- Private key format not in this module --
+ CERT-KEY-USAGE {digitalSignature, nonRepudiation,
+ keyEncipherment, dataEncipherment, keyCertSign, cRLSign}
+ }
+
+ rsaEncryption OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+ pkcs-1(1) 1 }
+
+ RSAPublicKey ::= SEQUENCE {
+ modulus INTEGER, -- n
+ publicExponent INTEGER -- e
+ }
+
+ -- DSA PK Algorithm, Parameters, and Keys
+
+ pk-dsa PUBLIC-KEY ::= {
+ IDENTIFIER id-dsa
+ KEY DSAPublicKey
+ PARAMS TYPE DSA-Params ARE inheritable
+ -- Private key format not in this module --
+ CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign,
+ cRLSign }
+ }
+
+ id-dsa OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
+
+ DSA-Params ::= SEQUENCE {
+ p INTEGER,
+ q INTEGER,
+ g INTEGER
+ }
+
+ DSAPublicKey ::= INTEGER -- public key, y
+
+ -- Diffie-Hellman PK Algorithm, Parameters, and Keys
+
+ pk-dh PUBLIC-KEY ::= {
+ IDENTIFIER dhpublicnumber
+ KEY DHPublicKey
+ PARAMS TYPE DomainParameters ARE inheritable
+ -- Private key format not in this module --
+ CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly }
+ }
+
+ dhpublicnumber OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-x942(10046)
+ number-type(2) 1 }
+
+ DomainParameters ::= SEQUENCE {
+ p INTEGER, -- odd prime, p=jq +1
+ g INTEGER, -- generator, g
+ q INTEGER, -- factor of p-1
+ j INTEGER OPTIONAL, -- subgroup factor, j>= 2
+ validationParams ValidationParams OPTIONAL
+ }
+
+ ValidationParams ::= SEQUENCE {
+ seed BIT STRING,
+ pgenCounter INTEGER
+ }
+
+ DiffieHellmanPublicNumber ::= INTEGER -- according to http://wikisec.free.fr/crypto/crypto.html
+
+ DHPublicKey ::= INTEGER -- public key, y = g^x mod p
+
+ -- KEA PK Algorithm and Parameters
+
+ pk-kea PUBLIC-KEY ::= {
+ IDENTIFIER id-keyExchangeAlgorithm
+ -- key is not encoded --
+ PARAMS TYPE KEA-Params-Id ARE required
+ -- Private key format not in this module --
+ CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly }
+ }
+ id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ gov(101) dod(2) infosec(1) algorithms(1) 22 }
+
+ KEA-Params-Id ::= OCTET STRING
+
+ -- Elliptic Curve (EC) Signatures: Unrestricted Algorithms
+ -- (Section 2.1.1 of RFC 5480)
+ --
+ -- EC Unrestricted Algorithm ID -- -- this is used for ECDSA
+
+ pk-ec PUBLIC-KEY ::= {
+ IDENTIFIER id-ecPublicKey
+ KEY ECPoint
+ PARAMS TYPE ECParameters ARE required
+ -- Private key format not in this module --
+ CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement,
+ keyCertSign, cRLSign }
+ }
+
+ ECPoint ::= OCTET STRING -- see RFC 5480 for syntax and restrictions
+
+ id-ecPublicKey OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
+
+ -- Elliptic Curve (EC) Signatures: Restricted Algorithms
+ -- (Section 2.1.2 of RFC 5480)
+ --
+ -- EC Diffie-Hellman Algorithm ID
+
+ pk-ecDH PUBLIC-KEY ::= {
+ IDENTIFIER id-ecDH
+ KEY ECPoint
+ PARAMS TYPE ECParameters ARE required
+ -- Private key format not in this module --
+ CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly }
+ }
+
+ id-ecDH OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) schemes(1)
+ ecdh(12) }
+
+ -- EC Menezes-Qu-Vanstone Algorithm ID
+
+ pk-ecMQV PUBLIC-KEY ::= {
+ IDENTIFIER id-ecMQV
+ KEY ECPoint
+ PARAMS TYPE ECParameters ARE required
+ -- Private key format not in this module --
+ CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly }
+ }
+
+ id-ecMQV OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) schemes(1)
+ ecmqv(13) }
+
+ -- Parameters and Keys for both Restricted and Unrestricted EC
+
+ ECParameters ::= CHOICE {
+ namedCurve CURVE.&id({NamedCurve})
+ -- implicitCurve NULL
+ -- implicitCurve MUST NOT be used in PKIX
+ -- specifiedCurve SpecifiedCurve
+ -- specifiedCurve MUST NOT be used in PKIX
+ -- Details for specifiedCurve can be found in [X9.62]
+ -- Any future additions to this CHOICE should be coordinated
+ -- with ANSI X.9.
+ }
+ -- If you need to be able to decode ANSI X.9 parameter structures,
+ -- uncomment the implicitCurve and specifiedCurve above, and also
+ -- uncomment the following:
+ --(WITH COMPONENTS {namedCurve PRESENT})
+
+ -- Sec 2.1.1.1 Named Curve
+
+ CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE }
+ WITH SYNTAX { ID &id }
+
+ NamedCurve CURVE ::= {
+ { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
+ { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
+ { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
+ { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
+ { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
+ ... -- Extensible
+ }
+
+ -- Note in [X9.62] the curves are referred to as 'ansiX9' as
+ -- opposed to 'sec'. For example, secp192r1 is the same curve as
+ -- ansix9p192r1.
+
+ -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
+ -- prime192v1 and the secp256r1 curve was referred to as
+ -- prime256v1.
+
+ -- Note that [FIPS186-3] refers to secp192r1 as P-192,
+ -- secp224r1 as P-224, secp256r1 as P-256, secp384r1 as P-384,
+ -- and secp521r1 as P-521.
+
+ secp192r1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
+ prime(1) 1 }
+
+ sect163k1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 1 }
+
+ sect163r2 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 15 }
+
+ secp224r1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 33 }
+
+ sect233k1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 26 }
+
+ sect233r1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 27 }
+
+ secp256r1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
+ prime(1) 7 }
+
+ sect283k1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 16 }
+
+ sect283r1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 17 }
+
+ secp384r1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 34 }
+
+ sect409k1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 36 }
+
+ sect409r1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 37 }
+
+ secp521r1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 35 }
+
+ sect571k1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 38 }
+
+ sect571r1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) curve(0) 39 }
+
+ -- RSA with MD-2
+
+ sa-rsaWithMD2 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER md2WithRSAEncryption
+ PARAMS TYPE NULL ARE required
+ HASHES { mda-md2 }
+ PUBLIC-KEYS { pk-rsa }
+ SMIME-CAPS { IDENTIFIED BY md2WithRSAEncryption }
+ }
+
+ md2WithRSAEncryption OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+ pkcs-1(1) 2 }
+
+ -- RSA with MD-5
+
+ sa-rsaWithMD5 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER md5WithRSAEncryption
+ PARAMS TYPE NULL ARE required
+ HASHES { mda-md5 }
+ PUBLIC-KEYS { pk-rsa }
+ SMIME-CAPS { IDENTIFIED BY md5WithRSAEncryption }
+ }
+
+ md5WithRSAEncryption OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+ pkcs-1(1) 4 }
+
+ -- RSA with SHA-1
+
+ sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER sha1WithRSAEncryption
+ PARAMS TYPE NULL ARE required
+ HASHES { mda-sha1 }
+ PUBLIC-KEYS { pk-rsa }
+ SMIME-CAPS {IDENTIFIED BY sha1WithRSAEncryption }
+ }
+
+ sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+ pkcs-1(1) 5 }
+
+ -- DSA with SHA-1
+
+ sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER dsa-with-sha1
+ VALUE DSA-Sig-Value
+ PARAMS TYPE NULL ARE absent
+ HASHES { mda-sha1 }
+ PUBLIC-KEYS { pk-dsa }
+ SMIME-CAPS { IDENTIFIED BY dsa-with-sha1 }
+ }
+
+ dsa-with-sha1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }
+
+ -- DSA with SHA-224
+
+ sa-dsaWithSHA224 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER dsa-with-sha224
+ VALUE DSA-Sig-Value
+ PARAMS TYPE NULL ARE absent
+ HASHES { mda-sha224 }
+ PUBLIC-KEYS { pk-dsa }
+ SMIME-CAPS { IDENTIFIED BY dsa-with-sha224 }
+ }
+
+ dsa-with-sha224 OBJECT IDENTIFIER ::= {
+ joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
+ csor(3) algorithms(4) id-dsa-with-sha2(3) 1 }
+
+ -- DSA with SHA-256
+
+ sa-dsaWithSHA256 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER dsa-with-sha256
+ VALUE DSA-Sig-Value
+ PARAMS TYPE NULL ARE absent
+ HASHES { mda-sha256 }
+ PUBLIC-KEYS { pk-dsa }
+ SMIME-CAPS { IDENTIFIED BY dsa-with-sha256 }
+ }
+
+ dsa-with-sha256 OBJECT IDENTIFIER ::= {
+ joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
+ csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }
+
+ -- ECDSA with SHA-1
+
+ sa-ecdsaWithSHA1 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER ecdsa-with-SHA1
+ VALUE ECDSA-Sig-Value
+ PARAMS TYPE NULL ARE absent
+ HASHES { mda-sha1 }
+ PUBLIC-KEYS { pk-ec }
+ SMIME-CAPS {IDENTIFIED BY ecdsa-with-SHA1 }
+ }
+
+ ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045)
+ signatures(4) 1 }
+
+ -- ECDSA with SHA-224
+
+ sa-ecdsaWithSHA224 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER ecdsa-with-SHA224
+ VALUE ECDSA-Sig-Value
+ PARAMS TYPE NULL ARE absent
+ HASHES { mda-sha224 }
+ PUBLIC-KEYS { pk-ec }
+ SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA224 }
+ }
+
+ ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ ecdsa-with-SHA2(3) 1 }
+
+ -- ECDSA with SHA-256
+
+ sa-ecdsaWithSHA256 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER ecdsa-with-SHA256
+ VALUE ECDSA-Sig-Value
+ PARAMS TYPE NULL ARE absent
+ HASHES { mda-sha256 }
+ PUBLIC-KEYS { pk-ec }
+ SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA256 }
+ }
+
+ ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ ecdsa-with-SHA2(3) 2 }
+
+ -- ECDSA with SHA-384
+
+ sa-ecdsaWithSHA384 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER ecdsa-with-SHA384
+ VALUE ECDSA-Sig-Value
+ PARAMS TYPE NULL ARE absent
+ HASHES { mda-sha384 }
+ PUBLIC-KEYS { pk-ec }
+ SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA384 }
+ }
+ ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ ecdsa-with-SHA2(3) 3 }
+
+ -- ECDSA with SHA-512
+
+ sa-ecdsaWithSHA512 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER ecdsa-with-SHA512
+ VALUE ECDSA-Sig-Value
+ PARAMS TYPE NULL ARE absent
+ HASHES { mda-sha512 }
+ PUBLIC-KEYS { pk-ec }
+ SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA512 }
+ }
+
+ ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ ecdsa-with-SHA2(3) 4 }
+
+ --
+ -- Signature Values
+ --
+
+ -- DSA
+
+ DSA-Sig-Value ::= SEQUENCE {
+ r INTEGER,
+ s INTEGER
+ }
+
+ -- ECDSA
+
+ ECDSA-Sig-Value ::= SEQUENCE {
+ r INTEGER,
+ s INTEGER
+ }
+
+ --
+ -- Message Digest Algorithms (mda-)
+ --
+
+ HashAlgs DIGEST-ALGORITHM ::= {
+ mda-md2 |
+ mda-md5 |
+ mda-sha1,
+ ... -- Extensible
+ }
+ -- MD-2
+
+ mda-md2 DIGEST-ALGORITHM ::= {
+ IDENTIFIER id-md2
+ PARAMS TYPE NULL ARE preferredAbsent
+ }
+
+ id-md2 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549)
+ digestAlgorithm(2) 2 }
+
+ -- MD-5
+
+ mda-md5 DIGEST-ALGORITHM ::= {
+ IDENTIFIER id-md5
+ PARAMS TYPE NULL ARE preferredAbsent
+ }
+
+ id-md5 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549)
+ digestAlgorithm(2) 5 }
+
+ -- SHA-1
+
+ mda-sha1 DIGEST-ALGORITHM ::= {
+ IDENTIFIER id-sha1
+ PARAMS TYPE NULL ARE preferredAbsent
+ }
+
+ id-sha1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) oiw(14) secsig(3)
+ algorithm(2) 26 }
+
+ END
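Review bot: The `DiffieHellmanPublicNumber ::= INTEGER` definition in the Diffie-Hellman section cites `http://wikisec.free.fr/crypto/crypto.html` as its source, an unversioned plain-HTTP page rather than a specification. It also does not look like part of the IETF module (`id-mod-pkix1-algorithms2008-02`) that the file header attributes the text to; this is inferred, since the upstream text is not shown here. In a vendored crypto schema, an unmarked local addition means anyone auditing or re-syncing the file against the published module cannot tell a deliberate change from accidental drift. I would put a comment above the definition such as `-- OTP-local addition, not in the upstream module; kept for <reason>`. I would also replace the URL with a reference to the specification that defines the type.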
diff --git a/lib/public_key/asn1/PKIXAttributeCertificate-2009.asn1 b/lib/public_key/asn1/PKIXAttributeCertificate-2009.asn1
new file mode 100644
index 0000000000..2e8c418cb6
--- /dev/null
+++ b/lib/public_key/asn1/PKIXAttributeCertificate-2009.asn1
@@ -0,0 +1,326 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ PKIXAttributeCertificate-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ AttributeSet{}, Extensions{}, SecurityCategory{},
+ EXTENSION, ATTRIBUTE, SECURITY-CATEGORY
+ FROM PKIX-CommonTypes-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
+
+ AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+ -- IMPORTed module OIDs MAY change if [PKIXPROF] changes
+ -- PKIX Certificate Extensions
+
+ CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp,
+ id-ad, id-at, SIGNED{}, SignatureAlgorithms
+ FROM PKIX1Explicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}
+
+ GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier,
+ ext-AuthorityInfoAccess, ext-CRLDistributionPoints
+ FROM PKIX1Implicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
+
+ ContentInfo
+ FROM CryptographicMessageSyntax-2009
+ { iso(1) member-body(2) us(840) rsadsi(113549)
+ pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) };
+ -- Define the set of extensions that can appear.
+ -- Some of these are imported from PKIX Cert
+
+ AttributeCertExtensions EXTENSION ::= {
+ ext-auditIdentity | ext-targetInformation |
+ ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess |
+ ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying |
+ ext-aaControls, ... }
+
+ ext-auditIdentity EXTENSION ::= { SYNTAX
+ OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity}
+
+ ext-targetInformation EXTENSION ::= { SYNTAX
+ Targets IDENTIFIED BY id-ce-targetInformation }
+
+ ext-noRevAvail EXTENSION ::= { SYNTAX
+ NULL IDENTIFIED BY id-ce-noRevAvail}
+
+ ext-ac-proxying EXTENSION ::= { SYNTAX
+ ProxyInfo IDENTIFIED BY id-pe-ac-proxying}
+
+ ext-aaControls EXTENSION ::= { SYNTAX
+ AAControls IDENTIFIED BY id-pe-aaControls}
+
+ -- Define the set of attributes used here
+
+ AttributesDefined ATTRIBUTE ::= { at-authenticationInfo |
+ at-accesIdentity | at-chargingIdentity | at-group |
+ at-role | at-clearance | at-encAttrs, ...}
+
+ at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo
+ IDENTIFIED BY id-aca-authenticationInfo}
+
+ at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo
+ IDENTIFIED BY id-aca-accessIdentity}
+
+ at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax
+ IDENTIFIED BY id-aca-chargingIdentity}
+
+ at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax
+ IDENTIFIED BY id-aca-group}
+
+ at-role ATTRIBUTE ::= { TYPE RoleSyntax
+ IDENTIFIED BY id-at-role}
+
+ at-clearance ATTRIBUTE ::= { TYPE Clearance
+ IDENTIFIED BY id-at-clearance}
+ at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281
+ IDENTIFIED BY id-at-clearance-rfc3281 }
+
+ at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo
+ IDENTIFIED BY id-aca-encAttrs}
+
+ --
+ -- OIDs used by Attribute Certificate Extensions
+ --
+
+ id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
+ id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
+ id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
+ id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
+ id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 }
+
+ --
+ -- OIDs used by Attribute Certificate Attributes
+ --
+
+ id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
+
+ id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
+ id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
+ id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
+ id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
+ -- { id-aca 5 } is reserved
+ id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
+
+ id-at-role OBJECT IDENTIFIER ::= { id-at 72}
+ id-at-clearance OBJECT IDENTIFIER ::= {
+ joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) }
+
+ -- Uncomment the following declaration and comment the above line if
+ -- using the id-at-clearance attribute as defined in [RFC3281]
+ -- id-at-clearance ::= id-at-clearance-3281
+
+ id-at-clearance-rfc3281 OBJECT IDENTIFIER ::= {
+ joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5)
+ clearance (55) }
+
+ --
+ -- The syntax of an Attribute Certificate
+ --
+
+ AttributeCertificate ::= SIGNED{AttributeCertificateInfo}
+
+ AttributeCertificateInfo ::= SEQUENCE {
+ version AttCertVersion, -- version is v2
+ holder Holder,
+ issuer AttCertIssuer,
+ signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
+ {SignatureAlgorithms}},
+ serialNumber CertificateSerialNumber,
+ attrCertValidityPeriod AttCertValidityPeriod,
+ attributes SEQUENCE OF
+ AttributeSet{{AttributesDefined}},
+ issuerUniqueID UniqueIdentifier OPTIONAL,
+ extensions Extensions{{AttributeCertExtensions}} OPTIONAL
+ }
+
+ AttCertVersion ::= INTEGER { v2(1) }
+
+ Holder ::= SEQUENCE {
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ -- the issuer and serial number of
+ -- the holder's Public Key Certificate
+ entityName [1] GeneralNames OPTIONAL,
+ -- the name of the claimant or role
+ objectDigestInfo [2] ObjectDigestInfo OPTIONAL
+ -- used to directly authenticate the
+ -- holder, for example, an executable
+ }
+
+ ObjectDigestInfo ::= SEQUENCE {
+ digestedObjectType ENUMERATED {
+ publicKey (0),
+ publicKeyCert (1),
+ otherObjectTypes (2) },
+ -- otherObjectTypes MUST NOT
+ -- be used in this profile
+ otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
+ digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
+ objectDigest BIT STRING
+ }
+
+ AttCertIssuer ::= CHOICE {
+ v1Form GeneralNames, -- MUST NOT be used in this
+ -- profile
+ v2Form [0] V2Form -- v2 only
+ }
+
+ V2Form ::= SEQUENCE {
+ issuerName GeneralNames OPTIONAL,
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ objectDigestInfo [1] ObjectDigestInfo OPTIONAL
+ -- issuerName MUST be present in this profile
+ -- baseCertificateID and objectDigestInfo MUST
+ -- NOT be present in this profile
+ }
+
+ IssuerSerial ::= SEQUENCE {
+ issuer GeneralNames,
+ serial CertificateSerialNumber,
+ issuerUID UniqueIdentifier OPTIONAL
+ }
+
+ AttCertValidityPeriod ::= SEQUENCE {
+ notBeforeTime GeneralizedTime,
+ notAfterTime GeneralizedTime
+ }
+
+ --
+ -- Syntax used by Attribute Certificate Extensions
+ --
+
+ Targets ::= SEQUENCE OF Target
+
+ Target ::= CHOICE {
+ targetName [0] GeneralName,
+ targetGroup [1] GeneralName,
+ targetCert [2] TargetCert
+ }
+
+ TargetCert ::= SEQUENCE {
+ targetCertificate IssuerSerial,
+ targetName GeneralName OPTIONAL,
+ certDigestInfo ObjectDigestInfo OPTIONAL
+ }
+
+ AAControls ::= SEQUENCE {
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL,
+ permittedAttrs [0] AttrSpec OPTIONAL,
+ excludedAttrs [1] AttrSpec OPTIONAL,
+ permitUnSpecified BOOLEAN DEFAULT TRUE
+ }
+
+ AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
+
+ ProxyInfo ::= SEQUENCE OF Targets
+
+ --
+ -- Syntax used by Attribute Certificate Attributes
+ --
+ IetfAttrSyntax ::= SEQUENCE {
+ policyAuthority[0] GeneralNames OPTIONAL,
+ values SEQUENCE OF CHOICE {
+ octets OCTET STRING,
+ oid OBJECT IDENTIFIER,
+ string UTF8String
+ }
+ }
+
+ SvceAuthInfo ::= SEQUENCE {
+ service GeneralName,
+ ident GeneralName,
+ authInfo OCTET STRING OPTIONAL
+ }
+
+ RoleSyntax ::= SEQUENCE {
+ roleAuthority [0] GeneralNames OPTIONAL,
+ roleName [1] GeneralName
+ }
+
+ Clearance ::= SEQUENCE {
+ policyId OBJECT IDENTIFIER,
+ classList ClassList DEFAULT {unclassified},
+ securityCategories SET OF SecurityCategory
+ {{SupportedSecurityCategories}} OPTIONAL
+ }
+
+ -- Uncomment the following lines to support deprecated clearance
+ -- syntax and comment out previous Clearance.
+
+ -- Clearance ::= Clearance-rfc3281
+
+ Clearance-rfc3281 ::= SEQUENCE {
+ policyId [0] OBJECT IDENTIFIER,
+ classList [1] ClassList DEFAULT {unclassified},
+ securityCategories [2] SET OF SecurityCategory-rfc3281
+ {{SupportedSecurityCategories}} OPTIONAL
+ }
+
+ ClassList ::= BIT STRING {
+ unmarked (0),
+ unclassified (1),
+ restricted (2),
+ confidential (3),
+ secret (4),
+ topSecret (5)
+ }
+ SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
+
+ SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
+ type [0] IMPLICIT SECURITY-CATEGORY.
+ &id({Supported}),
+ value [1] EXPLICIT SECURITY-CATEGORY.
+ &Type({Supported}{@type})
+ }
+
+ ACClearAttrs ::= SEQUENCE {
+ acIssuer GeneralName,
+ acSerial INTEGER,
+ attrs SEQUENCE OF AttributeSet{{AttributesDefined}}
+ }
+
+ END
diff --git a/lib/public_key/asn1/PKIXAttributeCertificate.asn1 b/lib/public_key/asn1/PKIXAttributeCertificate.asn1
deleted file mode 100644
index 7d93e6b37e..0000000000
--- a/lib/public_key/asn1/PKIXAttributeCertificate.asn1
+++ /dev/null
@@ -1,189 +0,0 @@
- PKIXAttributeCertificate {iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-mod-attribute-cert(12)}
-
- DEFINITIONS IMPLICIT TAGS ::=
-
- BEGIN
-
- -- EXPORTS ALL --
-
- IMPORTS
-
- -- IMPORTed module OIDs MAY change if [PKIXPROF] changes
- -- PKIX Certificate Extensions
- Attribute, AlgorithmIdentifier, CertificateSerialNumber,
- Extensions, UniqueIdentifier,
- id-pkix, id-pe, id-kp, id-ad, id-at
- FROM PKIX1Explicit88 {iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5)
- pkix(7) id-mod(0) id-pkix1-explicit-88(1)}
-
- GeneralName, GeneralNames, id-ce
- FROM PKIX1Implicit88 {iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5)
- pkix(7) id-mod(0) id-pkix1-implicit-88(2)} ;
-
- id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
- id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
- id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
- id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
-
- id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
- id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
- id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
- id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
- id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
- -- { id-aca 5 } is reserved
- id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
-
- id-at-role OBJECT IDENTIFIER ::= { id-at 72}
- id-at-clearance OBJECT IDENTIFIER ::=
- { joint-iso-ccitt(2) ds(5) module(1)
- selected-attribute-types(5) clearance (55) }
-
- -- Uncomment this if using a 1988 level ASN.1 compiler
- -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
-
- AttributeCertificate ::= SEQUENCE {
- acinfo AttributeCertificateInfo,
- signatureAlgorithm AlgorithmIdentifier,
- signatureValue BIT STRING
- }
-
- AttributeCertificateInfo ::= SEQUENCE {
- version AttCertVersion, -- version is v2
- holder Holder,
- issuer AttCertIssuer,
- signature AlgorithmIdentifier,
- serialNumber CertificateSerialNumber,
- attrCertValidityPeriod AttCertValidityPeriod,
- attributes SEQUENCE OF Attribute,
- issuerUniqueID UniqueIdentifier OPTIONAL,
- extensions Extensions OPTIONAL
- }
-
- AttCertVersion ::= INTEGER { v2(1) }
-
- Holder ::= SEQUENCE {
- baseCertificateID [0] IssuerSerial OPTIONAL,
- -- the issuer and serial number of
- -- the holder's Public Key Certificate
- entityName [1] GeneralNames OPTIONAL,
- -- the name of the claimant or role
- objectDigestInfo [2] ObjectDigestInfo OPTIONAL
- -- used to directly authenticate the
- -- holder, for example, an executable
- }
-
- ObjectDigestInfo ::= SEQUENCE {
- digestedObjectType ENUMERATED {
- publicKey (0),
- publicKeyCert (1),
- otherObjectTypes (2) },
- -- otherObjectTypes MUST NOT
- -- MUST NOT be used in this profile
- otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
- digestAlgorithm AlgorithmIdentifier,
- objectDigest BIT STRING
- }
-
- AttCertIssuer ::= CHOICE {
- v1Form GeneralNames, -- MUST NOT be used in this
- -- profile
- v2Form [0] V2Form -- v2 only
- }
-
- V2Form ::= SEQUENCE {
- issuerName GeneralNames OPTIONAL,
- baseCertificateID [0] IssuerSerial OPTIONAL,
- objectDigestInfo [1] ObjectDigestInfo OPTIONAL
- -- issuerName MUST be present in this profile
- -- baseCertificateID and objectDigestInfo MUST
- -- NOT be present in this profile
- }
-
- IssuerSerial ::= SEQUENCE {
- issuer GeneralNames,
- serial CertificateSerialNumber,
- issuerUID UniqueIdentifier OPTIONAL
- }
-
- AttCertValidityPeriod ::= SEQUENCE {
- notBeforeTime GeneralizedTime,
- notAfterTime GeneralizedTime
- }
-
- Targets ::= SEQUENCE OF Target
-
- Target ::= CHOICE {
- targetName [0] GeneralName,
- targetGroup [1] GeneralName,
- targetCert [2] TargetCert
- }
-
- TargetCert ::= SEQUENCE {
- targetCertificate IssuerSerial,
- targetName GeneralName OPTIONAL,
- certDigestInfo ObjectDigestInfo OPTIONAL
- }
-
- IetfAttrSyntax ::= SEQUENCE {
- policyAuthority[0] GeneralNames OPTIONAL,
- values SEQUENCE OF CHOICE {
- octets OCTET STRING,
- oid OBJECT IDENTIFIER,
- string UTF8String
- }
- }
-
- SvceAuthInfo ::= SEQUENCE {
- service GeneralName,
- ident GeneralName,
- authInfo OCTET STRING OPTIONAL
- }
-
- RoleSyntax ::= SEQUENCE {
- roleAuthority [0] GeneralNames OPTIONAL,
- roleName [1] GeneralName
- }
-
- Clearance ::= SEQUENCE {
- policyId [0] OBJECT IDENTIFIER,
- classList [1] ClassList DEFAULT {unclassified},
- securityCategories
- [2] SET OF SecurityCategory OPTIONAL
- }
-
- ClassList ::= BIT STRING {
- unmarked (0),
- unclassified (1),
- restricted (2),
- confidential (3),
- secret (4),
- topSecret (5)
- }
-
- SecurityCategory ::= SEQUENCE {
- type [0] IMPLICIT OBJECT IDENTIFIER,
- value [1] ANY DEFINED BY type
- }
-
- AAControls ::= SEQUENCE {
- pathLenConstraint INTEGER (0..MAX) OPTIONAL,
- permittedAttrs [0] AttrSpec OPTIONAL,
- excludedAttrs [1] AttrSpec OPTIONAL,
- permitUnSpecified BOOLEAN DEFAULT TRUE
- }
-
- AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
-
- ACClearAttrs ::= SEQUENCE {
- acIssuer GeneralName,
- acSerial INTEGER,
- attrs SEQUENCE OF Attribute
- }
-
- ProxyInfo ::= SEQUENCE OF Targets
-
- END
diff --git a/lib/public_key/asn1/RFC5639.asn1 b/lib/public_key/asn1/RFC5639.asn1
index 85b8533132..5e3d221b70 100644
--- a/lib/public_key/asn1/RFC5639.asn1
+++ b/lib/public_key/asn1/RFC5639.asn1
@@ -1,3 +1,37 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
RFC5639 {iso(1) identified-organization(3) teletrust(36) algorithm(3) signature-algorithm(3) ecSign(2) 8} DEFINITIONS EXPLICIT TAGS ::=
BEGIN
diff --git a/lib/public_key/asn1/Safecurves-pkix-18.asn1 b/lib/public_key/asn1/Safecurves-pkix-18.asn1
new file mode 100644
index 0000000000..4474a6ebba
--- /dev/null
+++ b/lib/public_key/asn1/Safecurves-pkix-18.asn1
@@ -0,0 +1,129 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ Safecurves-pkix-18
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-safecurves-pkix(93) }
+
+ DEFINITIONS EXPLICIT TAGS ::=
+ BEGIN
+
+ IMPORTS
+ SIGNATURE-ALGORITHM, KEY-AGREE, PUBLIC-KEY, KEY-WRAP,
+ KeyUsage, AlgorithmIdentifier
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+ mda-sha512
+ FROM PKIX1-PSS-OAEP-Algorithms-2009
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-rsa-pkalgs-02(54) }
+
+ kwa-aes128-wrap, kwa-aes256-wrap
+ FROM CMSAesRsaesOaep-2009
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-cms-aes-02(38) }
+ ;
+
+ id-edwards-curve-algs OBJECT IDENTIFIER ::= { 1 3 101 }
+
+ id-X25519 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 110 }
+ id-X448 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 111 }
+ id-Ed25519 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 112 }
+ id-Ed448 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 113 }
+
+ sa-Ed25519 SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER id-Ed25519
+ PARAMS ARE absent
+ PUBLIC-KEYS {pk-Ed25519}
+ SMIME-CAPS { IDENTIFIED BY id-Ed25519 }
+ }
+
+ pk-Ed25519 PUBLIC-KEY ::= {
+ IDENTIFIER id-Ed25519
+ -- KEY no ASN.1 wrapping --
+ PARAMS ARE absent
+ CERT-KEY-USAGE {digitalSignature, nonRepudiation,
+ keyCertSign, cRLSign}
+ PRIVATE-KEY CurvePrivateKey
+ }
+
+ kaa-X25519 KEY-AGREE ::= {
+ IDENTIFIER id-X25519
+ PARAMS ARE absent
+ PUBLIC-KEYS {pk-X25519}
+ UKM -- TYPE no ASN.1 wrapping -- ARE preferredPresent
+ SMIME-CAPS {
+ TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
+ IDENTIFIED BY id-X25519 }
+ }
+
+ pk-X25519 PUBLIC-KEY ::= {
+ IDENTIFIER id-X25519
+ -- KEY no ASN.1 wrapping --
+ PARAMS ARE absent
+ CERT-KEY-USAGE { keyAgreement }
+ PRIVATE-KEY CurvePrivateKey
+ }
+
+ KeyWrapAlgorithms KEY-WRAP ::= {
+ kwa-aes128-wrap | kwa-aes256-wrap,
+ ...
+ }
+
+ kaa-X448 KEY-AGREE ::= {
+ IDENTIFIER id-X448
+ PARAMS ARE absent
+ PUBLIC-KEYS {pk-X448}
+ UKM -- TYPE no ASN.1 wrapping -- ARE preferredPresent
+ SMIME-CAPS {
+ TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
+ IDENTIFIED BY id-X448 }
+ }
+
+ pk-X448 PUBLIC-KEY ::= {
+ IDENTIFIER id-X448
+ -- KEY no ASN.1 wrapping --
+ PARAMS ARE absent
+ CERT-KEY-USAGE { keyAgreement }
+ PRIVATE-KEY CurvePrivateKey
+ }
+
+ CurvePrivateKey ::= OCTET STRING
+
+END
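Review bot: `id-Ed448` gets an OID here, but unlike Ed25519 it has no `sa-Ed448` SIGNATURE-ALGORITHM or `pk-Ed448` PUBLIC-KEY object, so an object set assembled only from this module's objects will not cover Ed448 signatures or keys. If the importing module (not visible in this hunk) constrains AlgorithmIdentifier or SubjectPublicKeyInfo with such sets, Ed448 would presumably need objects defined there. I would record that next to the OID definitions, e.g. `-- No sa-Ed448/pk-Ed448 objects are defined in this module; the importing module must supply them.` The import of `mda-sha512` also appears to be unused within this file.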
diff --git a/lib/public_key/asn1/SecureMimeMessageV3dot1-2009.asn1 b/lib/public_key/asn1/SecureMimeMessageV3dot1-2009.asn1
new file mode 100644
index 0000000000..c9ef72d229
--- /dev/null
+++ b/lib/public_key/asn1/SecureMimeMessageV3dot1-2009.asn1
@@ -0,0 +1,156 @@
+-- %CopyrightBegin%
+--
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are met:
+--
+-- 1. Redistributions of source code must retain the above copyright notice,
+-- this list of conditions and the following disclaimer.
+--
+-- 2. Redistributions in binary form must reproduce the above copyright notice,
+-- this list of conditions and the following disclaimer in the documentation
+-- and/or other materials provided with the distribution.
+--
+-- 3. Neither the name of the copyright holder nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+-- %CopyrightEnd%
+
+ SecureMimeMessageV3dot1-2009
+ {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-msg-v3dot1-02(39)}
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+ IMPORTS
+
+ SMIME-CAPS, SMIMECapabilities{}
+ FROM AlgorithmInformation-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58)}
+
+ ATTRIBUTE
+ FROM PKIX-CommonTypes-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
+
+ SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
+ FROM CryptographicMessageSyntax-2009
+ {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-cms-2004-02(41)}
+
+ rc2-cbc, SMimeCaps
+ FROM CryptographicMessageSyntaxAlgorithms-2009
+ {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) modules(0) id-mod-cmsalg-2001-02(37)}
+
+ SMimeCaps
+ FROM PKIXAlgs-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-algorithms2008-02(56)}
+
+ SMimeCaps
+ FROM PKIX1-PSS-OAEP-Algorithms-2009
+ {iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-rsa-pkalgs-02(54)};
+
+ SMimeAttributeSet ATTRIBUTE ::=
+ { aa-smimeCapabilities | aa-encrypKeyPref, ... }
+
+ -- id-aa is the arc with all new authenticated and unauthenticated
+ -- attributes produced by the S/MIME Working Group
+
+ id-aa OBJECT IDENTIFIER ::=
+ { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ smime(16) attributes(2)}
+
+ -- The S/MIME Capabilities attribute provides a method of broadcasting
+ -- the symmetric capabilities understood. Algorithms SHOULD be ordered
+ -- by preference and grouped by type
+
+ aa-smimeCapabilities ATTRIBUTE ::=
+ { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
+ smimeCapabilities }
+ smimeCapabilities OBJECT IDENTIFIER ::=
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ 15 }
+
+ SMimeCapsSet SMIME-CAPS ::=
+ { cap-preferBinaryInside | cap-RC2CBC |
+ PKIXAlgs-2009.SMimeCaps |
+ CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
+ PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }
+
+ -- Encryption Key Preference provides a method of broadcasting the
+ -- preferred encryption certificate.
+
+ aa-encrypKeyPref ATTRIBUTE ::=
+ { TYPE SMIMEEncryptionKeyPreference
+ IDENTIFIED BY id-aa-encrypKeyPref }
+
+ id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}
+
+ SMIMEEncryptionKeyPreference ::= CHOICE {
+ issuerAndSerialNumber [0] IssuerAndSerialNumber,
+ receipentKeyId [1] RecipientKeyIdentifier,
+ subjectAltKeyIdentifier [2] SubjectKeyIdentifier
+ }
+
+ -- receipentKeyId is spelt incorrectly, but kept for historical
+ -- reasons.
+
+ id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
+
+ id-cap OBJECT IDENTIFIER ::= { id-smime 11 }
+
+ -- The preferBinaryInside indicates an ability to receive messages
+ -- with binary encoding inside the CMS wrapper
+
+ cap-preferBinaryInside SMIME-CAPS ::=
+ { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }
+
+ id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }
+
+ -- The following list OIDs to be used with S/MIME V3
+
+ -- Signature Algorithms Not Found in [RFC3370]
+ --
+ -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
+ -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
+ -- 2}
+ --
+ -- Other Signed Attributes
+ --
+ -- signingTime OBJECT IDENTIFIER ::=
+ -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
+ -- 5}
+ -- See [RFC5652] for a description of how to encode the attribute
+ -- value.
+
+ cap-RC2CBC SMIME-CAPS ::=
+ { TYPE SMIMECapabilitiesParametersForRC2CBC
+ IDENTIFIED BY rc2-cbc}
+
+ SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
+ -- (RC2 Key Length (number of bits))
+
+ END
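Review bot: `cap-RC2CBC` in `SMimeCapsSet` and `SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)` describe RC2, including a 40-bit key length, and nothing in the file says they exist only to decode capabilities a peer advertises. A short comment above `cap-RC2CBC` would stop a later reader from taking the set as a list of acceptable algorithms, e.g. `-- RC2 (incl. 40-bit) is listed for decoding legacy S/MIME capabilities only; callers must apply their own algorithm policy.` Whether any code in public_key selects algorithms from this set is not visible in this hunk.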
diff --git a/lib/public_key/asn1/SelectedAttributeTypes.asn1 b/lib/public_key/asn1/SelectedAttributeTypes.asn1
deleted file mode 100644
index 3ef7077370..0000000000
--- a/lib/public_key/asn1/SelectedAttributeTypes.asn1
+++ /dev/null
@@ -1,1575 +0,0 @@
-SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1)
- selectedAttributeTypes(5) 6} DEFINITIONS ::=
-BEGIN
-
--- EXPORTS All
--- The types and values defined in this module are exported for use in the other ASN.1 modules contained
--- within the Directory Specifications, and for the use of other applications which will use them to access
--- Directory services. Other applications may use them for their own purposes, but this will not constrain
--- extensions and modifications needed to maintain or improve the Directory service.
-IMPORTS
- -- from ITU-T Rec. X.501 | ISO/IEC 9594-2
- directoryAbstractService, id-at, id-avc, id-cat, id-mr, id-not, id-pr,
- informationFramework, serviceAdministration
- FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
- usefulDefinitions(0) 6}
- Attribute{}, ATTRIBUTE, AttributeType, AttributeValueAssertion, CONTEXT,
- ContextAssertion, DistinguishedName, distinguishedNameMatch,
- MAPPING-BASED-MATCHING{}, MATCHING-RULE, OBJECT-CLASS,
- objectIdentifierMatch, SupportedAttributes
- FROM InformationFramework informationFramework
- AttributeCombination, ContextCombination, MRMapping
- FROM ServiceAdministration serviceAdministration
- -- from ITU-T Rec. X.511 | ISO/IEC 9594-3
- FilterItem, HierarchySelections, SearchControlOptions, ServiceControlOptions
- FROM DirectoryAbstractService directoryAbstractService
- -- from ITU-T Rec. X.411 | ISO/IEC 10021-4
- G3FacsimileNonBasicParameters
- FROM MTSAbstractService {joint-iso-itu-t mhs(6) mts(3) modules(0)
- mts-abstract-service(1) version-1999(1)};
-
-/*from IETF RFC 3727
-
-The following import is provided for information only (see 7.2.16), it is not referenced by any ASN.1 construct within these Directory Specifications. Note that the ASN.1 module in RFC 3727 imports from the InformationFramework module of edition 4 of ITU-T Rec. X.501 | ISO/IEC 9594-2. A specification importing from both these Directory Specifications and from RFC 3727 should take corrective actions, e.g., by making a copy of the ASN.1 module of
-RFC 3727 and then update the IMPORT statement.
-
- allComponentsMatch, componentFilterMatch, directoryComponentsMatch, presentMatch, rdnMatch
- FROM ComponentMatching {iso(1) 2 36 79672281 xed(3) module (0)
- component-matching(4)} */
--- Directory string type
-UnboundedDirectoryString ::= CHOICE {
- teletexString TeletexString(SIZE (1..MAX)),
- printableString PrintableString(SIZE (1..MAX)),
- bmpString BMPString(SIZE (1..MAX)),
- universalString UniversalString(SIZE (1..MAX)),
- uTF8String UTF8String(SIZE (1..MAX))
-}
-
-DirectoryString{INTEGER:maxSize} ::= CHOICE {
- teletexString TeletexString(SIZE (1..maxSize)),
- printableString PrintableString(SIZE (1..maxSize)),
- bmpString BMPString(SIZE (1..maxSize)),
- universalString UniversalString(SIZE (1..maxSize)),
- uTF8String UTF8String(SIZE (1..maxSize))
-}
-
--- Attribute types
-knowledgeInformation ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- EQUALITY MATCHING RULE caseIgnoreMatch
- ID id-at-knowledgeInformation
-}
-
-name ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-name
-}
-
-commonName ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-commonName
-}
-
-surname ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-surname
-}
-
-givenName ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-givenName
-}
-
-initials ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-initials
-}
-
-generationQualifier ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-generationQualifier
-}
-
-uniqueIdentifier ATTRIBUTE ::= {
- WITH SYNTAX UniqueIdentifier
- EQUALITY MATCHING RULE bitStringMatch
- ID id-at-uniqueIdentifier
-}
-
-UniqueIdentifier ::= BIT STRING
-
-dnQualifier ATTRIBUTE ::= {
- WITH SYNTAX PrintableString
- EQUALITY MATCHING RULE caseIgnoreMatch
- ORDERING MATCHING RULE caseIgnoreOrderingMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-dnQualifier
-}
-
-serialNumber ATTRIBUTE ::= {
- WITH SYNTAX PrintableString(SIZE (1..MAX))
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-serialNumber
-}
-
-pseudonym ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-pseudonym
-}
-
-uUIDPair ATTRIBUTE ::= {
- WITH SYNTAX UUIDPair
- EQUALITY MATCHING RULE uUIDPairMatch
- ID id-at-uuidpair
-}
-
-UUIDPair ::= SEQUENCE {issuerUUID UUID,
- subjectUUID UUID
-}
-
-UUID ::= OCTET STRING(SIZE (16)) -- UUID format only
-
-
-countryName ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX CountryName
- SINGLE VALUE TRUE
- ID id-at-countryName
-}
-
-CountryName ::= PrintableString(SIZE (2)) -- ISO 3166 codes only
-
-
-localityName ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-localityName
-}
-
-collectiveLocalityName ATTRIBUTE ::= {
- SUBTYPE OF localityName
- COLLECTIVE TRUE
- ID id-at-collectiveLocalityName
-}
-
-stateOrProvinceName ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-stateOrProvinceName
-}
-
-collectiveStateOrProvinceName ATTRIBUTE ::= {
- SUBTYPE OF stateOrProvinceName
- COLLECTIVE TRUE
- ID id-at-collectiveStateOrProvinceName
-}
-
-streetAddress ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-streetAddress
-}
-
-collectiveStreetAddress ATTRIBUTE ::= {
- SUBTYPE OF streetAddress
- COLLECTIVE TRUE
- ID id-at-collectiveStreetAddress
-}
-
-houseIdentifier ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-houseIdentifier
-}
-
-organizationName ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-organizationName
-}
-
-collectiveOrganizationName ATTRIBUTE ::= {
- SUBTYPE OF organizationName
- COLLECTIVE TRUE
- ID id-at-collectiveOrganizationName
-}
-
-organizationalUnitName ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-organizationalUnitName
-}
-
-collectiveOrganizationalUnitName ATTRIBUTE ::= {
- SUBTYPE OF organizationalUnitName
- COLLECTIVE TRUE
- ID id-at-collectiveOrganizationalUnitName
-}
-
-title ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-title
-}
-
-description ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-description
-}
-
-searchGuide ATTRIBUTE ::= {WITH SYNTAX Guide
- ID id-at-searchGuide
-}
-
-Guide ::= SET {
- objectClass [0] OBJECT-CLASS.&id OPTIONAL,
- criteria [1] Criteria
-}
-
-Criteria ::= CHOICE {
- type [0] CriteriaItem,
- and [1] SET OF Criteria,
- or [2] SET OF Criteria,
- not [3] Criteria
-}
-
-CriteriaItem ::= CHOICE {
- equality [0] AttributeType,
- substrings [1] AttributeType,
- greaterOrEqual [2] AttributeType,
- lessOrEqual [3] AttributeType,
- approximateMatch [4] AttributeType
-}
-
-enhancedSearchGuide ATTRIBUTE ::= {
- WITH SYNTAX EnhancedGuide
- ID id-at-enhancedSearchGuide
-}
-
-EnhancedGuide ::= SEQUENCE {
- objectClass [0] OBJECT-CLASS.&id,
- criteria [1] Criteria,
- subset
- [2] INTEGER {baseObject(0), oneLevel(1), wholeSubtree(2)} DEFAULT oneLevel
-}
-
-businessCategory ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-businessCategory
-}
-
-postalAddress ATTRIBUTE ::= {
- WITH SYNTAX PostalAddress
- EQUALITY MATCHING RULE caseIgnoreListMatch
- SUBSTRINGS MATCHING RULE caseIgnoreListSubstringsMatch
- ID id-at-postalAddress
-}
-
-PostalAddress ::= SEQUENCE SIZE (1..MAX) OF UnboundedDirectoryString
-
-collectivePostalAddress ATTRIBUTE ::= {
- SUBTYPE OF postalAddress
- COLLECTIVE TRUE
- ID id-at-collectivePostalAddress
-}
-
-postalCode ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-postalCode
-}
-
-collectivePostalCode ATTRIBUTE ::= {
- SUBTYPE OF postalCode
- COLLECTIVE TRUE
- ID id-at-collectivePostalCode
-}
-
-postOfficeBox ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-postOfficeBox
-}
-
-collectivePostOfficeBox ATTRIBUTE ::= {
- SUBTYPE OF postOfficeBox
- COLLECTIVE TRUE
- ID id-at-collectivePostOfficeBox
-}
-
-physicalDeliveryOfficeName ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-physicalDeliveryOfficeName
-}
-
-collectivePhysicalDeliveryOfficeName ATTRIBUTE ::= {
- SUBTYPE OF physicalDeliveryOfficeName
- COLLECTIVE TRUE
- ID id-at-collectivePhysicalDeliveryOfficeName
-}
-
-telephoneNumber ATTRIBUTE ::= {
- WITH SYNTAX TelephoneNumber
- EQUALITY MATCHING RULE telephoneNumberMatch
- SUBSTRINGS MATCHING RULE telephoneNumberSubstringsMatch
- ID id-at-telephoneNumber
-}
-
-TelephoneNumber ::= PrintableString(SIZE (1..ub-telephone-number))
-
--- String complying with ITU-T Rec. E.123 only
-ub-telephone-number INTEGER ::=
- 32
-
-collectiveTelephoneNumber ATTRIBUTE ::= {
- SUBTYPE OF telephoneNumber
- COLLECTIVE TRUE
- ID id-at-collectiveTelephoneNumber
-}
-
-telexNumber ATTRIBUTE ::= {
- WITH SYNTAX TelexNumber
- ID id-at-telexNumber
-}
-
-TelexNumber ::= SEQUENCE {
- telexNumber PrintableString(SIZE (1..ub-telex-number)),
- countryCode PrintableString(SIZE (1..ub-country-code)),
- answerback PrintableString(SIZE (1..ub-answerback))
-}
-
-ub-telex-number INTEGER ::= 14
-
-ub-country-code INTEGER ::= 4
-
-ub-answerback INTEGER ::= 8
-
-collectiveTelexNumber ATTRIBUTE ::= {
- SUBTYPE OF telexNumber
- COLLECTIVE TRUE
- ID id-at-collectiveTelexNumber
-}
-
-facsimileTelephoneNumber ATTRIBUTE ::= {
- WITH SYNTAX FacsimileTelephoneNumber
- EQUALITY MATCHING RULE facsimileNumberMatch
- SUBSTRINGS MATCHING RULE facsimileNumberSubstringsMatch
- ID id-at-facsimileTelephoneNumber
-}
-
-FacsimileTelephoneNumber ::= SEQUENCE {
- telephoneNumber TelephoneNumber,
- parameters G3FacsimileNonBasicParameters OPTIONAL
-}
-
-collectiveFacsimileTelephoneNumber ATTRIBUTE ::= {
- SUBTYPE OF facsimileTelephoneNumber
- COLLECTIVE TRUE
- ID id-at-collectiveFacsimileTelephoneNumber
-}
-
-x121Address ATTRIBUTE ::= {
- WITH SYNTAX X121Address
- EQUALITY MATCHING RULE numericStringMatch
- SUBSTRINGS MATCHING RULE numericStringSubstringsMatch
- ID id-at-x121Address
-}
-
-X121Address ::= NumericString(SIZE (1..ub-x121-address))
-
--- String as defined by ITU-T Rec. X.121
-ub-x121-address INTEGER ::= 15
-
-internationalISDNNumber ATTRIBUTE ::= {
- WITH SYNTAX InternationalISDNNumber
- EQUALITY MATCHING RULE numericStringMatch
- SUBSTRINGS MATCHING RULE numericStringSubstringsMatch
- ID id-at-internationalISDNNumber
-}
-
-InternationalISDNNumber ::=
- NumericString(SIZE (1..ub-international-isdn-number))
-
--- String complying with ITU-T Rec. E.164 only
-ub-international-isdn-number INTEGER ::=
- 16
-
-collectiveInternationalISDNNumber ATTRIBUTE ::= {
- SUBTYPE OF internationalISDNNumber
- COLLECTIVE TRUE
- ID id-at-collectiveInternationalISDNNumber
-}
-
-registeredAddress ATTRIBUTE ::= {
- SUBTYPE OF postalAddress
- WITH SYNTAX PostalAddress
- ID id-at-registeredAddress
-}
-
-destinationIndicator ATTRIBUTE ::= {
- WITH SYNTAX DestinationIndicator
- EQUALITY MATCHING RULE caseIgnoreMatch
- SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
- ID id-at-destinationIndicator
-}
-
-DestinationIndicator ::= PrintableString(SIZE (1..MAX))
-
--- alphabetical characters only
-communicationsService ATTRIBUTE ::= {
- WITH SYNTAX CommunicationsService
- EQUALITY MATCHING RULE objectIdentifierMatch
- ID id-at-communicationsService
-}
-
-CommunicationsService ::= OBJECT IDENTIFIER
-
-communicationsNetwork ATTRIBUTE ::= {
- WITH SYNTAX CommunicationsNetwork
- EQUALITY MATCHING RULE objectIdentifierMatch
- SINGLE VALUE TRUE
- ID id-at-communicationsNetwork
-}
-
-CommunicationsNetwork ::= OBJECT IDENTIFIER
-
-preferredDeliveryMethod ATTRIBUTE ::= {
- WITH SYNTAX PreferredDeliveryMethod
- SINGLE VALUE TRUE
- ID id-at-preferredDeliveryMethod
-}
-
-PreferredDeliveryMethod ::=
- SEQUENCE OF
- INTEGER {any-delivery-method(0), mhs-delivery(1), physical-delivery(2),
- telex-delivery(3), teletex-delivery(4), g3-facsimile-delivery(5),
- g4-facsimile-delivery(6), ia5-terminal-delivery(7),
- videotex-delivery(8), telephone-delivery(9)}
-
-presentationAddress ATTRIBUTE ::= {
- WITH SYNTAX PresentationAddress
- EQUALITY MATCHING RULE presentationAddressMatch
- SINGLE VALUE TRUE
- ID id-at-presentationAddress
-}
-
-PresentationAddress ::= SEQUENCE {
- pSelector [0] OCTET STRING OPTIONAL,
- sSelector [1] OCTET STRING OPTIONAL,
- tSelector [2] OCTET STRING OPTIONAL,
- nAddresses [3] SET SIZE (1..MAX) OF OCTET STRING
-}
-
-supportedApplicationContext ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- ID id-at-supportedApplicationContext
-}
-
-protocolInformation ATTRIBUTE ::= {
- WITH SYNTAX ProtocolInformation
- EQUALITY MATCHING RULE protocolInformationMatch
- ID id-at-protocolInformation
-}
-
-ProtocolInformation ::= SEQUENCE {
- nAddress OCTET STRING,
- profiles SET OF OBJECT IDENTIFIER
-}
-
-distinguishedName ATTRIBUTE ::= {
- WITH SYNTAX DistinguishedName
- EQUALITY MATCHING RULE distinguishedNameMatch
- ID id-at-distinguishedName
-}
-
-member ATTRIBUTE ::= {SUBTYPE OF distinguishedName
- ID id-at-member
-}
-
-uniqueMember ATTRIBUTE ::= {
- WITH SYNTAX NameAndOptionalUID
- EQUALITY MATCHING RULE uniqueMemberMatch
- ID id-at-uniqueMember
-}
-
-NameAndOptionalUID ::= SEQUENCE {
- dn DistinguishedName,
- uid UniqueIdentifier OPTIONAL
-}
-
-owner ATTRIBUTE ::= {SUBTYPE OF distinguishedName
- ID id-at-owner
-}
-
-roleOccupant ATTRIBUTE ::= {
- SUBTYPE OF distinguishedName
- ID id-at-roleOccupant
-}
-
-seeAlso ATTRIBUTE ::= {SUBTYPE OF distinguishedName
- ID id-at-seeAlso
-}
-
-dmdName ATTRIBUTE ::= {
- SUBTYPE OF name
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-dmdName
-}
-
--- Attributes for tag-based identification
-tagOid ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- SINGLE VALUE TRUE
- ID id-at-tagOid
-}
-
-uiiFormat ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- SINGLE VALUE TRUE
- ID id-at-uiiFormat
-}
-
-uiiInUrn ATTRIBUTE ::= {
- WITH SYNTAX UTF8String
- EQUALITY MATCHING RULE caseExactMatch
- SINGLE VALUE TRUE
- ID id-at-uiiInUrn
-}
-
-contentUri ATTRIBUTE ::= {
- WITH SYNTAX UnboundedDirectoryString
- ID id-at-contentUri
-}
-
--- Notification attributes
-dSAProblem ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- ID id-not-dSAProblem
-}
-
-searchServiceProblem ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- SINGLE VALUE TRUE
- ID id-not-searchServiceProblem
-}
-
-serviceType ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- SINGLE VALUE TRUE
- ID id-not-serviceType
-}
-
-attributeTypeList ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- ID id-not-attributeTypeList
-}
-
-matchingRuleList ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- ID id-not-matchingRuleList
-}
-
-filterItem ATTRIBUTE ::= {
- WITH SYNTAX FilterItem
- ID id-not-filterItem
-}
-
-attributeCombinations ATTRIBUTE ::= {
- WITH SYNTAX AttributeCombination
- ID id-not-attributeCombinations
-}
-
-contextTypeList ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- ID id-not-contextTypeList
-}
-
-contextList ATTRIBUTE ::= {
- WITH SYNTAX ContextAssertion
- ID id-not-contextList
-}
-
-contextCombinations ATTRIBUTE ::= {
- WITH SYNTAX ContextCombination
- ID id-not-contextCombinations
-}
-
-hierarchySelectList ATTRIBUTE ::= {
- WITH SYNTAX HierarchySelections
- SINGLE VALUE TRUE
- ID id-not-hierarchySelectList
-}
-
-searchControlOptionsList ATTRIBUTE ::= {
- WITH SYNTAX SearchControlOptions
- SINGLE VALUE TRUE
- ID id-not-searchControlOptionsList
-}
-
-serviceControlOptionsList ATTRIBUTE ::= {
- WITH SYNTAX ServiceControlOptions
- SINGLE VALUE TRUE
- ID id-not-serviceControlOptionsList
-}
-
-multipleMatchingLocalities ATTRIBUTE ::= {
- WITH SYNTAX MultipleMatchingLocalities
- ID id-not-multipleMatchingLocalities
-}
-
-MultipleMatchingLocalities ::= SEQUENCE {
- matchingRuleUsed MATCHING-RULE.&id OPTIONAL,
- attributeList SEQUENCE OF AttributeValueAssertion
-}
-
-proposedRelaxation ATTRIBUTE ::= {
- WITH SYNTAX MRMappings
- ID id-not-proposedRelaxation
-}
-
-MRMappings ::= SEQUENCE OF MRMapping
-
-appliedRelaxation ATTRIBUTE ::= {
- WITH SYNTAX OBJECT IDENTIFIER
- EQUALITY MATCHING RULE objectIdentifierMatch
- ID id-not-appliedRelaxation
-}
-
--- Matching rules
-caseExactMatch MATCHING-RULE ::= {
- SYNTAX UnboundedDirectoryString
- ID id-mr-caseExactMatch
-}
-
-caseIgnoreMatch MATCHING-RULE ::= {
- SYNTAX UnboundedDirectoryString
- ID id-mr-caseIgnoreMatch
-}
-
-caseExactOrderingMatch MATCHING-RULE ::= {
- SYNTAX UnboundedDirectoryString
- ID id-mr-caseExactOrderingMatch
-}
-
-caseIgnoreOrderingMatch MATCHING-RULE ::= {
- SYNTAX UnboundedDirectoryString
- ID id-mr-caseIgnoreOrderingMatch
-}
-
-caseExactSubstringsMatch MATCHING-RULE ::= {
- SYNTAX SubstringAssertion -- only the PrintableString choice
- ID id-mr-caseExactSubstringsMatch
-}
-
-caseIgnoreSubstringsMatch MATCHING-RULE ::= {
- SYNTAX SubstringAssertion
- ID id-mr-caseIgnoreSubstringsMatch
-}
-
-SubstringAssertion ::=
- SEQUENCE OF
- CHOICE {initial [0] UnboundedDirectoryString,
- any [1] UnboundedDirectoryString,
- final [2] UnboundedDirectoryString,
- control Attribute{{SupportedAttributes}}
- } -- Used to specify interpretation of the following items
-
--- at most one initial and one final component
-numericStringMatch MATCHING-RULE ::= {
- SYNTAX NumericString
- ID id-mr-numericStringMatch
-}
-
-numericStringOrderingMatch MATCHING-RULE ::= {
- SYNTAX NumericString
- ID id-mr-numericStringOrderingMatch
-}
-
-numericStringSubstringsMatch MATCHING-RULE ::= {
- SYNTAX SubstringAssertion
- ID id-mr-numericStringSubstringsMatch
-}
-
-caseIgnoreListMatch MATCHING-RULE ::= {
- SYNTAX CaseIgnoreList
- ID id-mr-caseIgnoreListMatch
-}
-
-CaseIgnoreList ::= SEQUENCE OF UnboundedDirectoryString
-
-caseIgnoreListSubstringsMatch MATCHING-RULE ::= {
- SYNTAX SubstringAssertion
- ID id-mr-caseIgnoreListSubstringsMatch
-}
-
-storedPrefixMatch MATCHING-RULE ::= {
- SYNTAX UnboundedDirectoryString
- ID id-mr-storedPrefixMatch
-}
-
-booleanMatch MATCHING-RULE ::= {SYNTAX BOOLEAN
- ID id-mr-booleanMatch
-}
-
-integerMatch MATCHING-RULE ::= {SYNTAX INTEGER
- ID id-mr-integerMatch
-}
-
-integerOrderingMatch MATCHING-RULE ::= {
- SYNTAX INTEGER
- ID id-mr-integerOrderingMatch
-}
-
-bitStringMatch MATCHING-RULE ::= {
- SYNTAX BIT STRING
- ID id-mr-bitStringMatch
-}
-
-octetStringMatch MATCHING-RULE ::= {
- SYNTAX OCTET STRING
- ID id-mr-octetStringMatch
-}
-
-octetStringOrderingMatch MATCHING-RULE ::= {
- SYNTAX OCTET STRING
- ID id-mr-octetStringOrderingMatch
-}
-
-octetStringSubstringsMatch MATCHING-RULE ::= {
- SYNTAX OctetSubstringAssertion
- ID id-mr-octetStringSubstringsMatch
-}
-
-OctetSubstringAssertion ::=
- SEQUENCE OF
- CHOICE {initial [0] OCTET STRING,
- any [1] OCTET STRING,
- final [2] OCTET STRING}
-
--- at most one initial and one final component
-telephoneNumberMatch MATCHING-RULE ::= {
- SYNTAX TelephoneNumber
- ID id-mr-telephoneNumberMatch
-}
-
-telephoneNumberSubstringsMatch MATCHING-RULE ::= {
- SYNTAX SubstringAssertion
- ID id-mr-telephoneNumberSubstringsMatch
-}
-
-presentationAddressMatch MATCHING-RULE ::= {
- SYNTAX PresentationAddress
- ID id-mr-presentationAddressMatch
-}
-
-uniqueMemberMatch MATCHING-RULE ::= {
- SYNTAX NameAndOptionalUID
- ID id-mr-uniqueMemberMatch
-}
-
-protocolInformationMatch MATCHING-RULE ::= {
- SYNTAX OCTET STRING
- ID id-mr-protocolInformationMatch
-}
-
-facsimileNumberMatch MATCHING-RULE ::= {
- SYNTAX TelephoneNumber
- ID id-mr-facsimileNumberMatch
-}
-
-facsimileNumberSubstringsMatch MATCHING-RULE ::= {
- SYNTAX SubstringAssertion
- ID id-mr-facsimileNumberSubstringsMatch
-}
-
-uUIDPairMatch MATCHING-RULE ::= {SYNTAX UUIDPair
- ID id-mr-uuidpairmatch
-}
-
-uTCTimeMatch MATCHING-RULE ::= {SYNTAX UTCTime
- ID id-mr-uTCTimeMatch
-}
-
-uTCTimeOrderingMatch MATCHING-RULE ::= {
- SYNTAX UTCTime
- ID id-mr-uTCTimeOrderingMatch
-}
-
-generalizedTimeMatch MATCHING-RULE ::= {
- SYNTAX GeneralizedTime
- -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
- ID id-mr-generalizedTimeMatch
-}
-
-generalizedTimeOrderingMatch MATCHING-RULE ::= {
- SYNTAX GeneralizedTime
- -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
- ID id-mr-generalizedTimeOrderingMatch
-}
-
-systemProposedMatch MATCHING-RULE ::= {ID id-mr-systemProposedMatch
-}
-
-integerFirstComponentMatch MATCHING-RULE ::= {
- SYNTAX INTEGER
- ID id-mr-integerFirstComponentMatch
-}
-
-objectIdentifierFirstComponentMatch MATCHING-RULE ::= {
- SYNTAX OBJECT IDENTIFIER
- ID id-mr-objectIdentifierFirstComponentMatch
-}
-
-directoryStringFirstComponentMatch MATCHING-RULE ::= {
- SYNTAX UnboundedDirectoryString
- ID id-mr-directoryStringFirstComponentMatch
-}
-
-wordMatch MATCHING-RULE ::= {
- SYNTAX UnboundedDirectoryString
- ID id-mr-wordMatch
-}
-
-keywordMatch MATCHING-RULE ::= {
- SYNTAX UnboundedDirectoryString
- ID id-mr-keywordMatch
-}
-
-generalWordMatch MATCHING-RULE ::= {
- SYNTAX SubstringAssertion
- ID id-mr-generalWordMatch
-}
-
-sequenceMatchType ATTRIBUTE ::= {
- WITH SYNTAX SequenceMatchType
- SINGLE VALUE TRUE
- ID id-cat-sequenceMatchType
-} -- defaulting to sequenceExact
-
-SequenceMatchType ::= ENUMERATED {
- sequenceExact(0), sequenceDeletion(1), sequenceRestrictedDeletion(2),
- sequencePermutation(3), sequencePermutationAndDeletion(4),
- sequenceProviderDefined(5)}
-
-wordMatchTypes ATTRIBUTE ::= {
- WITH SYNTAX WordMatchTypes
- SINGLE VALUE TRUE
- ID id-cat-wordMatchType
-} -- defaulting to wordExact
-
-WordMatchTypes ::= ENUMERATED {
- wordExact(0), wordTruncated(1), wordPhonetic(2), wordProviderDefined(3)
-}
-
-characterMatchTypes ATTRIBUTE ::= {
- WITH SYNTAX CharacterMatchTypes
- SINGLE VALUE TRUE
- ID id-cat-characterMatchTypes
-}
-
-CharacterMatchTypes ::= ENUMERATED {
- characterExact(0), characterCaseIgnore(1), characterMapped(2)}
-
-selectedContexts ATTRIBUTE ::= {
- WITH SYNTAX ContextAssertion
- ID id-cat-selectedContexts
-}
-
-approximateStringMatch MATCHING-RULE ::= {ID id-mr-approximateStringMatch
-}
-
-ignoreIfAbsentMatch MATCHING-RULE ::= {ID id-mr-ignoreIfAbsentMatch
-}
-
-nullMatch MATCHING-RULE ::= {ID id-mr-nullMatch
-}
-
-ZONAL-MATCHING ::=
- MAPPING-BASED-MATCHING{ZonalSelect, TRUE, ZonalResult, zonalMatch.&id}
-
-ZonalSelect ::= SEQUENCE OF AttributeType
-
-ZonalResult ::= ENUMERATED {
- cannot-select-mapping(0), zero-mappings(2), multiple-mappings(3)}
-
-zonalMatch MATCHING-RULE ::= {
- UNIQUE-MATCH-INDICATOR multipleMatchingLocalities
- ID id-mr-zonalMatch
-}
-
--- Contexts
-languageContext CONTEXT ::= {
- WITH SYNTAX LanguageContextSyntax
- ID id-avc-language
-}
-
-LanguageContextSyntax ::= PrintableString(SIZE (2..3)) -- ISO 639-2 codes only
-
-
-temporalContext CONTEXT ::= {
- WITH SYNTAX TimeSpecification
- ASSERTED AS TimeAssertion
- ID id-avc-temporal
-}
-
-TimeSpecification ::= SEQUENCE {
- time
- CHOICE {absolute
- SEQUENCE {startTime [0] GeneralizedTime OPTIONAL,
- endTime [1] GeneralizedTime OPTIONAL},
- periodic SET SIZE (1..MAX) OF Period},
- notThisTime BOOLEAN DEFAULT FALSE,
- timeZone TimeZone OPTIONAL
-}
-
-Period ::= SEQUENCE {
- timesOfDay [0] SET SIZE (1..MAX) OF DayTimeBand OPTIONAL,
- days
- [1] CHOICE {intDay SET OF INTEGER,
- bitDay
- BIT STRING {sunday(0), monday(1), tuesday(2), wednesday(3),
- thursday(4), friday(5), saturday(6)},
- dayOf XDayOf} OPTIONAL,
- weeks
- [2] CHOICE {allWeeks NULL,
- intWeek SET OF INTEGER,
- bitWeek
- BIT STRING {week1(0), week2(1), week3(2), week4(3), week5(4)}
- } OPTIONAL,
- months
- [3] CHOICE {allMonths NULL,
- intMonth SET OF INTEGER,
- bitMonth
- BIT STRING {january(0), february(1), march(2), april(3),
- may(4), june(5), july(6), august(7),
- september(8), october(9), november(10),
- december(11)}} OPTIONAL,
- years [4] SET OF INTEGER(1000..MAX) OPTIONAL
-}
-
-XDayOf ::= CHOICE {
- first [1] NamedDay,
- second [2] NamedDay,
- third [3] NamedDay,
- fourth [4] NamedDay,
- fifth [5] NamedDay
-}
-
-NamedDay ::= CHOICE {
- intNamedDays
- ENUMERATED {sunday(1), monday(2), tuesday(3), wednesday(4), thursday(5),
- friday(6), saturday(7)},
- bitNamedDays
- BIT STRING {sunday(0), monday(1), tuesday(2), wednesday(3), thursday(4),
- friday(5), saturday(6)}
-}
-
-DayTimeBand ::= SEQUENCE {
- startDayTime [0] DayTime DEFAULT {hour 0},
- endDayTime [1] DayTime DEFAULT {hour 23, minute 59, second 59}
-}
-
-DayTime ::= SEQUENCE {
- hour [0] INTEGER(0..23),
- minute [1] INTEGER(0..59) DEFAULT 0,
- second [2] INTEGER(0..59) DEFAULT 0
-}
-
-TimeZone ::= INTEGER(-12..12)
-
-TimeAssertion ::= CHOICE {
- now NULL,
- at GeneralizedTime,
- between
- SEQUENCE {startTime [0] GeneralizedTime,
- endTime [1] GeneralizedTime OPTIONAL,
- entirely BOOLEAN DEFAULT FALSE}
-}
-
-localeContext CONTEXT ::= {
- WITH SYNTAX LocaleContextSyntax
- ID id-avc-locale
-}
-
-LocaleContextSyntax ::= CHOICE {
- localeID1 OBJECT IDENTIFIER,
- localeID2 UnboundedDirectoryString
-}
-
-ldapAttributeOptionContext CONTEXT ::= {
- WITH SYNTAX AttributeOptionList
- ASSERTED AS AttributeOptionList
- ABSENT-MATCH FALSE
- ID id-avc-ldapAttributeOption
-}
-
-AttributeOptionList ::= SEQUENCE OF UTF8String
-
--- Object identifier assignments
--- object identifiers assigned in other modules are shown in comments
--- Attributes
--- id-at-objectClass OBJECT IDENTIFIER ::= {id-at 0}
--- id-at-aliasedEntryName OBJECT IDENTIFIER ::= {id-at 1}
--- id-at-encryptedAliasedEntryName OBJECT IDENTIFIER ::= {id-at 1 2}
-id-at-knowledgeInformation OBJECT IDENTIFIER ::=
- {id-at 2}
-
-id-at-commonName OBJECT IDENTIFIER ::= {id-at 3}
-
--- id-at-encryptedCommonName OBJECT IDENTIFIER ::= {id-at 3 2}
-id-at-surname OBJECT IDENTIFIER ::=
- {id-at 4}
-
--- id-at-encryptedSurname OBJECT IDENTIFIER ::= {id-at 4 2}
-id-at-serialNumber OBJECT IDENTIFIER ::=
- {id-at 5}
-
--- id-at-encryptedSerialNumbe r OBJECT IDENTIFIER ::= {id-at 5 2}
-id-at-countryName OBJECT IDENTIFIER ::=
- {id-at 6}
-
--- id-at-encryptedCountryName OBJECT IDENTIFIER ::= {id-at 6 2}
-id-at-localityName OBJECT IDENTIFIER ::=
- {id-at 7}
-
--- id-at-encryptedLocalityName OBJECT IDENTIFIER ::= {id-at 7 2}
-id-at-collectiveLocalityName OBJECT IDENTIFIER ::=
- {id-at 7 1}
-
--- id-at-encryptedCollectiveLocalityName OBJECT IDENTIFIER ::= {id-at 7 1 2}
-id-at-stateOrProvinceName OBJECT IDENTIFIER ::=
- {id-at 8}
-
--- id-at-encryptedStateOrProvinceName OBJECT IDENTIFIER ::= {id-at 8 2}
-id-at-collectiveStateOrProvinceName OBJECT IDENTIFIER ::=
- {id-at 8 1}
-
--- id-at-encryptedCollectiveStateOrProvinceName OBJECT IDENTIFIER ::= {id-at 8 1 2}
-id-at-streetAddress OBJECT IDENTIFIER ::=
- {id-at 9}
-
--- id-at-encryptedStreetAddress OBJECT IDENTIFIER ::= {id-at 9 2}
-id-at-collectiveStreetAddress OBJECT IDENTIFIER ::=
- {id-at 9 1}
-
--- id-at-encryptedCollectiveStreetAddress OBJECT IDENTIFIER ::= {id-at 9 1 2}
-id-at-organizationName OBJECT IDENTIFIER ::=
- {id-at 10}
-
--- id-at-encryptedOrganizationName OBJECT IDENTIFIER ::= {id-at 10 2}
-id-at-collectiveOrganizationName OBJECT IDENTIFIER ::=
- {id-at 10 1}
-
--- id-at-encryptedCollectiveOrganizationName OBJECT IDENTIFIER ::= {id-at 10 1 2}
-id-at-organizationalUnitName OBJECT IDENTIFIER ::=
- {id-at 11}
-
--- id-at-encryptedOrganizationalUnitName OBJECT IDENTIFIER ::= {id-at 11 2}
-id-at-collectiveOrganizationalUnitName OBJECT IDENTIFIER ::=
- {id-at 11 1}
-
--- id-at-encryptedCollectiveOrganizationalUnitNam OBJECT IDENTIFIER ::= {id-at 11 1 2}
-id-at-title OBJECT IDENTIFIER ::=
- {id-at 12}
-
--- id-at-encryptedTitle OBJECT IDENTIFIER ::= {id-at 12 2}
-id-at-description OBJECT IDENTIFIER ::=
- {id-at 13}
-
--- id-at-encryptedDescription OBJECT IDENTIFIER ::= {id-at 13 2}
-id-at-searchGuide OBJECT IDENTIFIER ::=
- {id-at 14}
-
--- id-at-encryptedSearchGuide OBJECT IDENTIFIER ::= {id-at 14 2}
-id-at-businessCategory OBJECT IDENTIFIER ::=
- {id-at 15}
-
--- id-at-encryptedBusinessCategory OBJECT IDENTIFIER ::= {id-at 15 2}
-id-at-postalAddress OBJECT IDENTIFIER ::=
- {id-at 16}
-
--- id-at-encryptedPostalAddress OBJECT IDENTIFIER ::= {id-at 16 2}
-id-at-collectivePostalAddress OBJECT IDENTIFIER ::=
- {id-at 16 1}
-
--- id-at-encryptedCollectivePostalAddress OBJECT IDENTIFIER ::= {id-at 16 1 2}
-id-at-postalCode OBJECT IDENTIFIER ::=
- {id-at 17}
-
--- id-at-encryptedPostalCode OBJECT IDENTIFIER ::= {id-at 17 2}
-id-at-collectivePostalCode OBJECT IDENTIFIER ::=
- {id-at 17 1}
-
--- id-at-encryptedCollectivePostalCode OBJECT IDENTIFIER ::= {id-at 17 1 2}
-id-at-postOfficeBox OBJECT IDENTIFIER ::=
- {id-at 18}
-
-id-at-collectivePostOfficeBox OBJECT IDENTIFIER ::= {id-at 18 1}
-
--- id-at-encryptedPostOfficeBox OBJECT IDENTIFIER ::= {id-at 18 2}
--- id-at-encryptedCollectivePostOfficeBox OBJECT IDENTIFIER ::= {id-at 18 1 2}
-id-at-physicalDeliveryOfficeName OBJECT IDENTIFIER ::=
- {id-at 19}
-
-id-at-collectivePhysicalDeliveryOfficeName OBJECT IDENTIFIER ::= {id-at 19 1}
-
--- id-at-encryptedPhysicalDeliveryOfficeName OBJECT IDENTIFIER ::= {id-at 19 2}
--- id-at-encryptedCollectivePhysicalDeliveryOfficeName OBJECT IDENTIFIER ::= {id-at 19 1 2}
-id-at-telephoneNumber OBJECT IDENTIFIER ::=
- {id-at 20}
-
--- id-at-encryptedTelephoneNumber OBJECT IDENTIFIER ::= {id-at 20 2}
-id-at-collectiveTelephoneNumber OBJECT IDENTIFIER ::=
- {id-at 20 1}
-
--- id-at-encryptedCollectiveTelephoneNumber OBJECT IDENTIFIER ::= {id-at 20 1 2}
-id-at-telexNumber OBJECT IDENTIFIER ::=
- {id-at 21}
-
--- id-at-encryptedTelexNumber OBJECT IDENTIFIER ::= {id-at 21 2}
-id-at-collectiveTelexNumber OBJECT IDENTIFIER ::=
- {id-at 21 1}
-
--- id-at-encryptedCollectiveTelexNumber OBJECT IDENTIFIER ::= {id-at 21 1 2}
--- id-at-teletexTerminalIdentifier OBJECT IDENTIFIER ::= {id-at 22}
--- id-at-encryptedTeletexTerminalIdentifier OBJECT IDENTIFIER ::= {id-at 22 2}
--- id-at-collectiveTeletexTerminalIdentifier OBJECT IDENTIFIER ::= {id-at 22 1}
--- id-at-encryptedCollectiveTeletexTerminalIdentifier OBJECT IDENTIFIER ::= {id-at 22 1 2}
-id-at-facsimileTelephoneNumber OBJECT IDENTIFIER ::=
- {id-at 23}
-
--- id-at-encryptedFacsimileTelephoneNumber OBJECT IDENTIFIER ::= {id-at 23 2}
-id-at-collectiveFacsimileTelephoneNumber OBJECT IDENTIFIER ::=
- {id-at 23 1}
-
--- id-at-encryptedCollectiveFacsimileTelephoneNumber OBJECT IDENTIFIER ::= {id-at 23 1 2}
-id-at-x121Address OBJECT IDENTIFIER ::=
- {id-at 24}
-
--- id-at-encryptedX121Address OBJECT IDENTIFIER ::= {id-at 24 2}
-id-at-internationalISDNNumber OBJECT IDENTIFIER ::=
- {id-at 25}
-
--- id-at-encryptedInternationalISDNNumber OBJECT IDENTIFIER ::= {id-at 25 2}
-id-at-collectiveInternationalISDNNumber OBJECT IDENTIFIER ::=
- {id-at 25 1}
-
--- id-at-encryptedCollectiveInternationalISDNNumber OBJECT IDENTIFIER ::= {id-at 25 1 2}
-id-at-registeredAddress OBJECT IDENTIFIER ::=
- {id-at 26}
-
--- id-at-encryptedRegisteredAddress OBJECT IDENTIFIER ::= {id-at 26 2}
-id-at-destinationIndicator OBJECT IDENTIFIER ::=
- {id-at 27}
-
--- id-at-encryptedDestinationIndicator OBJECT IDENTIFIER ::= {id-at 27 2}
-id-at-preferredDeliveryMethod OBJECT IDENTIFIER ::=
- {id-at 28}
-
--- id-at-encryptedPreferredDeliveryMethod OBJECT IDENTIFIER ::= {id-at 28 2}
-id-at-presentationAddress OBJECT IDENTIFIER ::=
- {id-at 29}
-
--- id-at-encryptedPresentationAddress OBJECT IDENTIFIER ::= {id-at 29 2}
-id-at-supportedApplicationContext OBJECT IDENTIFIER ::=
- {id-at 30}
-
--- id-at-encryptedSupportedApplicationContext OBJECT IDENTIFIER ::= {id-at 30 2}
-id-at-member OBJECT IDENTIFIER ::=
- {id-at 31}
-
--- id-at-encryptedMember OBJECT IDENTIFIER ::= {id-at 31 2}
-id-at-owner OBJECT IDENTIFIER ::=
- {id-at 32}
-
--- id-at-encryptedOwner OBJECT IDENTIFIER ::= {id-at 32 2}
-id-at-roleOccupant OBJECT IDENTIFIER ::=
- {id-at 33}
-
--- id-at-encryptedRoleOccupant OBJECT IDENTIFIER ::= {id-at 33 2}
-id-at-seeAlso OBJECT IDENTIFIER ::=
- {id-at 34}
-
--- id-at-encryptedSeeAlso OBJECT IDENTIFIER ::= {id-at 34 2}
--- id-at-userPassword OBJECT IDENTIFIER ::= {id-at 35} X.509|Part8
--- id-at-encryptedUserPassword OBJECT IDENTIFIER ::= {id-at 35 2}
--- id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36} X.509|Part8
--- id-at-encryptedUserCertificate OBJECT IDENTIFIER ::= {id-at 36 2}
--- id-at-cACertificate OBJECT IDENTIFIER ::= {id-at 37} X.509|Part8
--- id-at-encryptedCACertificate OBJECT IDENTIFIER ::= {id-at 37 2}
--- id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38} X.509|Part8
--- id-at-encryptedAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 38 2}
--- id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39} X.509|Part8
--- id-at-encryptedCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 39 2}
--- id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40} X.509|Part8
--- id-at-encryptedCrossCertificatePair OBJECT IDENTIFIER ::= {id-at 40 2}
-id-at-name OBJECT IDENTIFIER ::=
- {id-at 41}
-
-id-at-givenName OBJECT IDENTIFIER ::= {id-at 42}
-
--- id-at-encryptedGivenName OBJECT IDENTIFIER ::= {id-at 42 2}
-id-at-initials OBJECT IDENTIFIER ::=
- {id-at 43}
-
--- id-at-encryptedInitials OBJECT IDENTIFIER ::= {id-at 43 2}
-id-at-generationQualifier OBJECT IDENTIFIER ::=
- {id-at 44}
-
--- id-at-encryptedGenerationQualifier OBJECT IDENTIFIER ::= {id-at 44 2}
-id-at-uniqueIdentifier OBJECT IDENTIFIER ::=
- {id-at 45}
-
--- id-at-encryptedUniqueIdentifier OBJECT IDENTIFIER ::= {id-at 45 2}
-id-at-dnQualifier OBJECT IDENTIFIER ::=
- {id-at 46}
-
--- id-at-encryptedDnQualifier OBJECT IDENTIFIER ::= {id-at 46 2}
-id-at-enhancedSearchGuide OBJECT IDENTIFIER ::=
- {id-at 47}
-
--- id-at-encryptedEnhancedSearchGuide OBJECT IDENTIFIER ::= {id-at 47 2}
-id-at-protocolInformation OBJECT IDENTIFIER ::=
- {id-at 48}
-
--- id-at-encryptedProtocolInformation OBJECT IDENTIFIER ::= {id-at 48 2}
-id-at-distinguishedName OBJECT IDENTIFIER ::=
- {id-at 49}
-
--- id-at-encryptedDistinguishedName OBJECT IDENTIFIER ::= {id-at 49 2}
-id-at-uniqueMember OBJECT IDENTIFIER ::=
- {id-at 50}
-
--- id-at-encryptedUniqueMember OBJECT IDENTIFIER ::= {id-at 50 2}
-id-at-houseIdentifier OBJECT IDENTIFIER ::=
- {id-at 51}
-
--- id-at-encryptedHouseIdentifier OBJECT IDENTIFIER ::= {id-at 51 2}
--- id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52} X.509|Part8
--- id-at-encryptedSupportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52 2}
--- id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53} X.509|Part8
--- id-at-encryptedDeltaRevocationList OBJECT IDENTIFIER ::= {id-at 53 2}
-id-at-dmdName OBJECT IDENTIFIER ::=
- {id-at 54}
-
--- id-at-encryptedDmdName OBJECT IDENTIFIER ::= {id-at 54 2}
--- id-at-clearance OBJECT IDENTIFIER ::= {id-at 55}
--- id-at-encryptedClearance OBJECT IDENTIFIER ::= {id-at 55 2}
--- id-at-defaultDirQop OBJECT IDENTIFIER ::= {id-at 56}
--- id-at-encryptedDefaultDirQop OBJECT IDENTIFIER ::= {id-at 56 2}
--- id-at-attributeIntegrityInfo OBJECT IDENTIFIER ::= {id-at 57}
--- id-at-encryptedAttributeIntegrityInfo OBJECT IDENTIFIER ::= {id-at 57 2}
--- id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58} X.509|Part8
--- id-at-encryptedAttributeCertificate OBJECT IDENTIFIER ::= {id-at 58 2}
--- id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59} X.509|Part8
--- id-at-encryptedAttributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59 2}
--- id-at-confKeyInfo OBJECT IDENTIFIER ::= {id-at 60}
--- id-at-encryptedConfKeyInfo OBJECT IDENTIFIER ::= {id-at 60 2}
--- id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61} X.509|Part8
--- id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62} X.509|Part8
--- id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63} X.509|Part8
--- id-at-family-information OBJECT IDENTIFIER ::= {id-at 64}
-id-at-pseudonym OBJECT IDENTIFIER ::=
- {id-at 65}
-
-id-at-communicationsService OBJECT IDENTIFIER ::= {id-at 66}
-
-id-at-communicationsNetwork OBJECT IDENTIFIER ::= {id-at 67}
-
--- id-at-certificationPracticeStmt OBJECT IDENTIFIER ::= {id-at 68} X.509|Part8
--- id-at-certificatePolicy OBJECT IDENTIFIER ::= {id-at 69} X.509|Part8
--- id-at-pkiPath OBJECT IDENTIFIER ::= {id-at 70} X.509|Part8
--- id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71} X.509|Part8
--- id-at-role OBJECT IDENTIFIER ::= {id-at 72} X.509|Part8
--- id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73} X.509|Part8
--- id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74} X.509|Part8
--- id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75} X.509|Part8
--- id-at-xmlPrivPolicy OBJECT IDENTIFIER ::= {id-at 76} X.509|Part8
-id-at-uuidpair OBJECT IDENTIFIER ::=
- {id-at 77}
-
-id-at-tagOid OBJECT IDENTIFIER ::= {id-at 78}
-
-id-at-uiiFormat OBJECT IDENTIFIER ::= {id-at 79}
-
-id-at-uiiInUrn OBJECT IDENTIFIER ::= {id-at 80}
-
-id-at-contentUri OBJECT IDENTIFIER ::= {id-at 81}
-
--- id-at-permission OBJECT IDENTIFIER ::= {id-at 82} X.509|Part8
--- Control attributes
-id-cat-sequenceMatchType OBJECT IDENTIFIER ::=
- {id-cat 1}
-
-id-cat-wordMatchType OBJECT IDENTIFIER ::= {id-cat 2}
-
-id-cat-characterMatchTypes OBJECT IDENTIFIER ::= {id-cat 3}
-
-id-cat-selectedContexts OBJECT IDENTIFIER ::= {id-cat 4}
-
--- Notification attributes
-id-not-dSAProblem OBJECT IDENTIFIER ::= {id-not 0}
-
-id-not-searchServiceProblem OBJECT IDENTIFIER ::= {id-not 1}
-
-id-not-serviceType OBJECT IDENTIFIER ::= {id-not 2}
-
-id-not-attributeTypeList OBJECT IDENTIFIER ::= {id-not 3}
-
-id-not-matchingRuleList OBJECT IDENTIFIER ::= {id-not 4}
-
-id-not-filterItem OBJECT IDENTIFIER ::= {id-not 5}
-
-id-not-attributeCombinations OBJECT IDENTIFIER ::= {id-not 6}
-
-id-not-contextTypeList OBJECT IDENTIFIER ::= {id-not 7}
-
-id-not-contextList OBJECT IDENTIFIER ::= {id-not 8}
-
-id-not-contextCombinations OBJECT IDENTIFIER ::= {id-not 9}
-
-id-not-hierarchySelectList OBJECT IDENTIFIER ::= {id-not 10}
-
-id-not-searchControlOptionsList OBJECT IDENTIFIER ::= {id-not 11}
-
-id-not-serviceControlOptionsList OBJECT IDENTIFIER ::= {id-not 12}
-
-id-not-multipleMatchingLocalities OBJECT IDENTIFIER ::= {id-not 13}
-
-id-not-proposedRelaxation OBJECT IDENTIFIER ::= {id-not 14}
-
-id-not-appliedRelaxation OBJECT IDENTIFIER ::= {id-not 15}
-
--- Problem definitions
-id-pr-targetDsaUnavailable OBJECT IDENTIFIER ::=
- {id-pr 1}
-
-id-pr-dataSourceUnavailable OBJECT IDENTIFIER ::= {id-pr 2}
-
-id-pr-unidentifiedOperation OBJECT IDENTIFIER ::= {id-pr 3}
-
-id-pr-unavailableOperation OBJECT IDENTIFIER ::= {id-pr 4}
-
-id-pr-searchAttributeViolation OBJECT IDENTIFIER ::= {id-pr 5}
-
-id-pr-searchAttributeCombinationViolation OBJECT IDENTIFIER ::= {id-pr 6}
-
-id-pr-searchValueNotAllowed OBJECT IDENTIFIER ::= {id-pr 7}
-
-id-pr-missingSearchAttribute OBJECT IDENTIFIER ::= {id-pr 8}
-
-id-pr-searchValueViolation OBJECT IDENTIFIER ::= {id-pr 9}
-
-id-pr-attributeNegationViolation OBJECT IDENTIFIER ::= {id-pr 10}
-
-id-pr-searchValueRequired OBJECT IDENTIFIER ::= {id-pr 11}
-
-id-pr-invalidSearchValue OBJECT IDENTIFIER ::= {id-pr 12}
-
-id-pr-searchContextViolation OBJECT IDENTIFIER ::= {id-pr 13}
-
-id-pr-searchContextCombinationViolation OBJECT IDENTIFIER ::= {id-pr 14}
-
-id-pr-missingSearchContext OBJECT IDENTIFIER ::= {id-pr 15}
-
-id-pr-searchContextValueViolation OBJECT IDENTIFIER ::= {id-pr 16}
-
-id-pr-searchContextValueRequired OBJECT IDENTIFIER ::= {id-pr 17}
-
-id-pr-invalidContextSearchValue OBJECT IDENTIFIER ::= {id-pr 18}
-
-id-pr-unsupportedMatchingRule OBJECT IDENTIFIER ::= {id-pr 19}
-
-id-pr-attributeMatchingViolation OBJECT IDENTIFIER ::= {id-pr 20}
-
-id-pr-unsupportedMatchingUse OBJECT IDENTIFIER ::= {id-pr 21}
-
-id-pr-matchingUseViolation OBJECT IDENTIFIER ::= {id-pr 22}
-
-id-pr-hierarchySelectForbidden OBJECT IDENTIFIER ::= {id-pr 23}
-
-id-pr-invalidHierarchySelect OBJECT IDENTIFIER ::= {id-pr 24}
-
-id-pr-unavailableHierarchySelect OBJECT IDENTIFIER ::= {id-pr 25}
-
-id-pr-invalidSearchControlOptions OBJECT IDENTIFIER ::= {id-pr 26}
-
-id-pr-invalidServiceControlOptions OBJECT IDENTIFIER ::= {id-pr 27}
-
-id-pr-searchSubsetViolation OBJECT IDENTIFIER ::= {id-pr 28}
-
-id-pr-unmatchedKeyAttributes OBJECT IDENTIFIER ::= {id-pr 29}
-
-id-pr-ambiguousKeyAttributes OBJECT IDENTIFIER ::= {id-pr 30}
-
-id-pr-unavailableRelaxationLevel OBJECT IDENTIFIER ::= {id-pr 31}
-
-id-pr-emptyHierarchySelection OBJECT IDENTIFIER ::= {id-pr 32}
-
-id-pr-administratorImposedLimit OBJECT IDENTIFIER ::= {id-pr 33}
-
-id-pr-permanentRestriction OBJECT IDENTIFIER ::= {id-pr 34}
-
-id-pr-temporaryRestriction OBJECT IDENTIFIER ::= {id-pr 35}
-
-id-pr-relaxationNotSupported OBJECT IDENTIFIER ::= {id-pr 36}
-
--- Matching rules
--- id-mr-objectIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 0} X.501|Part2
--- id-mr-distinguishedNameMatch OBJECT IDENTIFIER ::= {id-mr 1} X.501|Part2
-id-mr-caseIgnoreMatch OBJECT IDENTIFIER ::=
- {id-mr 2}
-
-id-mr-caseIgnoreOrderingMatch OBJECT IDENTIFIER ::= {id-mr 3}
-
-id-mr-caseIgnoreSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 4}
-
-id-mr-caseExactMatch OBJECT IDENTIFIER ::= {id-mr 5}
-
-id-mr-caseExactOrderingMatch OBJECT IDENTIFIER ::= {id-mr 6}
-
-id-mr-caseExactSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 7}
-
-id-mr-numericStringMatch OBJECT IDENTIFIER ::= {id-mr 8}
-
-id-mr-numericStringOrderingMatch OBJECT IDENTIFIER ::= {id-mr 9}
-
-id-mr-numericStringSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 10}
-
-id-mr-caseIgnoreListMatch OBJECT IDENTIFIER ::= {id-mr 11}
-
-id-mr-caseIgnoreListSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 12}
-
-id-mr-booleanMatch OBJECT IDENTIFIER ::= {id-mr 13}
-
-id-mr-integerMatch OBJECT IDENTIFIER ::= {id-mr 14}
-
-id-mr-integerOrderingMatch OBJECT IDENTIFIER ::= {id-mr 15}
-
-id-mr-bitStringMatch OBJECT IDENTIFIER ::= {id-mr 16}
-
-id-mr-octetStringMatch OBJECT IDENTIFIER ::= {id-mr 17}
-
-id-mr-octetStringOrderingMatch OBJECT IDENTIFIER ::= {id-mr 18}
-
-id-mr-octetStringSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 19}
-
-id-mr-telephoneNumberMatch OBJECT IDENTIFIER ::= {id-mr 20}
-
-id-mr-telephoneNumberSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 21}
-
-id-mr-presentationAddressMatch OBJECT IDENTIFIER ::= {id-mr 22}
-
-id-mr-uniqueMemberMatch OBJECT IDENTIFIER ::= {id-mr 23}
-
-id-mr-protocolInformationMatch OBJECT IDENTIFIER ::= {id-mr 24}
-
-id-mr-uTCTimeMatch OBJECT IDENTIFIER ::= {id-mr 25}
-
-id-mr-uTCTimeOrderingMatch OBJECT IDENTIFIER ::= {id-mr 26}
-
-id-mr-generalizedTimeMatch OBJECT IDENTIFIER ::= {id-mr 27}
-
-id-mr-generalizedTimeOrderingMatch OBJECT IDENTIFIER ::= {id-mr 28}
-
-id-mr-integerFirstComponentMatch OBJECT IDENTIFIER ::= {id-mr 29}
-
-id-mr-objectIdentifierFirstComponentMatch OBJECT IDENTIFIER ::= {id-mr 30}
-
-id-mr-directoryStringFirstComponentMatch OBJECT IDENTIFIER ::= {id-mr 31}
-
-id-mr-wordMatch OBJECT IDENTIFIER ::= {id-mr 32}
-
-id-mr-keywordMatch OBJECT IDENTIFIER ::= {id-mr 33}
-
--- id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34} X.509|Part8
--- id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35} X.509|Part8
--- id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36} X.509|Part8
--- id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37} X.509|Part8
--- id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38} X.509|Part8
--- id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39} X.509|Part8
--- id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40} X.509|Part8
-id-mr-storedPrefixMatch OBJECT IDENTIFIER ::=
- {id-mr 41}
-
--- id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42} X.509|Part8
--- id-mr-readerAndKeyIDMatch OBJECT IDENTIFIER ::= {id-mr 43}
--- id-mr-attributeIntegrityMatch OBJECT IDENTIFIER ::= {id-mr 44}
--- id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45} X.509|Part8
--- id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46} X.509|Part8
-id-mr-systemProposedMatch OBJECT IDENTIFIER ::=
- {id-mr 47}
-
-id-mr-generalWordMatch OBJECT IDENTIFIER ::= {id-mr 48}
-
-id-mr-approximateStringMatch OBJECT IDENTIFIER ::= {id-mr 49}
-
-id-mr-ignoreIfAbsentMatch OBJECT IDENTIFIER ::= {id-mr 50}
-
-id-mr-nullMatch OBJECT IDENTIFIER ::= {id-mr 51}
-
-id-mr-zonalMatch OBJECT IDENTIFIER ::= {id-mr 52}
-
--- id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53} X.509|Part8
--- id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54} X.509|Part8
--- id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55} X.509|Part8
--- id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56} X.509|Part8
--- id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57} X.509|Part8
--- id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58} X.509|Part8
--- id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59} X.509|Part8
--- id-mr-policyMatch OBJECT IDENTIFIER ::= {id-mr 60} X.509|Part8
--- id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61} X.509|Part8
--- id-mr-pkiPathMatch OBJECT IDENTIFIER ::= {id-mr 62} X.509|Part8
-id-mr-facsimileNumberMatch OBJECT IDENTIFIER ::=
- {id-mr 63}
-
-id-mr-facsimileNumberSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 64}
-
--- id-mr-enhancedCertificateMatch OBJECT IDENTIFIER ::= {id-mr 65} X.509|Part8
--- id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66} X.509|Part8
--- id-mr-extensionPresenceMatch OBJECT IDENTIFIER ::= {id-mr 67} X.509|Part8
-id-mr-uuidpairmatch OBJECT IDENTIFIER ::=
- {id-mr 68}
-
--- id-mr-dualStringMatch OBJECT IDENTIFIER ::= {id-mr 69} X.509|Part8
--- contexts
-id-avc-language OBJECT IDENTIFIER ::=
- {id-avc 0}
-
-id-avc-temporal OBJECT IDENTIFIER ::= {id-avc 1}
-
-id-avc-locale OBJECT IDENTIFIER ::= {id-avc 2}
-
--- id-avc-attributeValueSecurityLabelContext OBJECT IDENTIFIER ::= {id-avc 3}
--- id-avc-attributeValueIntegrityInfoContext OBJECT IDENTIFIER ::= {id-avc 4}
-id-avc-ldapAttributeOption OBJECT IDENTIFIER ::=
- {id-avc 5}
-
-END -- SelectedAttributeTypes
diff --git a/lib/public_key/asn1/UsefulDefinitions.asn1 b/lib/public_key/asn1/UsefulDefinitions.asn1
deleted file mode 100644
index a200aac6e2..0000000000
--- a/lib/public_key/asn1/UsefulDefinitions.asn1
+++ /dev/null
@@ -1,234 +0,0 @@
-UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 3}
-DEFINITIONS ::=
-BEGIN
-
--- EXPORTS All -
--- The types and values defined in this module are exported for use in the other ASN.1 modules contained
--- within the Directory Specifications, and for the use of other applications which will use them to access
--- Directory services. Other applications may use them for their own purposes, but this will not constrain
--- extensions and modifications needed to maintain or improve the Directory service.
-ID ::= OBJECT IDENTIFIER
-
-ds ID ::= {joint-iso-itu-t ds(5)}
-
--- categories of information object
-module ID ::= {ds 1}
-
-serviceElement ID ::= {ds 2}
-
-applicationContext ID ::= {ds 3}
-
-attributeType ID ::= {ds 4}
-
-attributeSyntax ID ::= {ds 5}
-
-objectClass ID ::= {ds 6}
-
--- attributeSet ID ::= {ds 7}
-algorithm ID ::= {ds 8}
-
-abstractSyntax ID ::= {ds 9}
-
--- object ID ::= {ds 10}
--- port ID ::= {ds 11}
-dsaOperationalAttribute ID ::=
- {ds 12}
-
-matchingRule ID ::= {ds 13}
-
-knowledgeMatchingRule ID ::= {ds 14}
-
-nameForm ID ::= {ds 15}
-
-group ID ::= {ds 16}
-
-subentry ID ::= {ds 17}
-
-operationalAttributeType ID ::= {ds 18}
-
-operationalBinding ID ::= {ds 19}
-
-schemaObjectClass ID ::= {ds 20}
-
-schemaOperationalAttribute ID ::= {ds 21}
-
-administrativeRoles ID ::= {ds 23}
-
-accessControlAttribute ID ::= {ds 24}
-
-rosObject ID ::= {ds 25}
-
-contract ID ::= {ds 26}
-
-package ID ::= {ds 27}
-
-accessControlSchemes ID ::= {ds 28}
-
-certificateExtension ID ::= {ds 29}
-
-managementObject ID ::= {ds 30}
-
-attributeValueContext ID ::= {ds 31}
-
--- securityExchange ID ::= {ds 32}
-idmProtocol ID ::= {ds 33}
-
-problem ID ::= {ds 34}
-
-notification ID ::= {ds 35}
-
-matchingRestriction ID ::=
- {ds 36} -- None are currently defined by this specification
-
-controlAttributeType ID ::= {ds 37}
-
--- modules
-usefulDefinitions ID ::= {module usefulDefinitions(0) 3}
-
-informationFramework ID ::= {module informationFramework(1) 3}
-
-directoryAbstractService ID ::= {module directoryAbstractService(2) 3}
-
-distributedOperations ID ::= {module distributedOperations(3) 3}
-
-protocolObjectIdentifiers ID ::= {module protocolObjectIdentifiers(4) 3}
-
-selectedAttributeTypes ID ::= {module selectedAttributeTypes(5) 3}
-
-selectedObjectClasses ID ::= {module selectedObjectClasses(6) 3}
-
-authenticationFramework ID ::= {module authenticationFramework(7) 3}
-
-algorithmObjectIdentifiers ID ::= {module algorithmObjectIdentifiers(8) 3}
-
-directoryObjectIdentifiers ID ::= {module directoryObjectIdentifiers(9) 3}
-
-upperBounds ID ::= {module upperBounds(10) 3}
-
-dap ID ::= {module dap(11) 3}
-
-dsp ID ::= {module dsp(12) 3}
-
-distributedDirectoryOIDs ID ::= {module distributedDirectoryOIDs(13) 3}
-
-directoryShadowOIDs ID ::= {module directoryShadowOIDs(14) 3}
-
-directoryShadowAbstractService ID ::=
- {module directoryShadowAbstractService(15) 3}
-
-disp ID ::= {module disp(16) 3}
-
-dop ID ::= {module dop(17) 3}
-
-opBindingManagement ID ::= {module opBindingManagement(18) 3}
-
-opBindingOIDs ID ::= {module opBindingOIDs(19) 3}
-
-hierarchicalOperationalBindings ID ::=
- {module hierarchicalOperationalBindings(20) 3}
-
-dsaOperationalAttributeTypes ID ::= {module dsaOperationalAttributeTypes(22) 3}
-
-schemaAdministration ID ::= {module schemaAdministration(23) 3}
-
-basicAccessControl ID ::= {module basicAccessControl(24) 3}
-
-directoryOperationalBindingTypes ID ::=
- {module directoryOperationalBindingTypes(25) 3}
-
-certificateExtensions ID ::= {module certificateExtensions(26) 0}
-
-directoryManagement ID ::= {module directoryManagement(27) 1}
-
-enhancedSecurity ID ::= {module enhancedSecurity(28) 1}
-
-iDMProtocolSpecification ID ::= {module iDMProtocolSpecification(30) 4}
-
-directoryIDMProtocols ID ::= {module directoryIDMProtocols(31) 4}
-
--- directorySecurityExchanges ID ::= {module directorySecurityExchanges (29) 1}
--- synonyms
-id-oc ID ::=
- objectClass
-
-id-at ID ::= attributeType
-
-id-as ID ::= abstractSyntax
-
-id-mr ID ::= matchingRule
-
-id-nf ID ::= nameForm
-
-id-sc ID ::= subentry
-
-id-oa ID ::= operationalAttributeType
-
-id-ob ID ::= operationalBinding
-
-id-doa ID ::= dsaOperationalAttribute
-
-id-kmr ID ::= knowledgeMatchingRule
-
-id-soc ID ::= schemaObjectClass
-
-id-soa ID ::= schemaOperationalAttribute
-
-id-ar ID ::= administrativeRoles
-
-id-aca ID ::= accessControlAttribute
-
-id-ac ID ::= applicationContext
-
-id-rosObject ID ::= rosObject
-
-id-contract ID ::= contract
-
-id-package ID ::= package
-
-id-acScheme ID ::= accessControlSchemes
-
-id-ce ID ::= certificateExtension
-
-id-mgt ID ::= managementObject
-
-id-idm ID ::= idmProtocol
-
-id-avc ID ::= attributeValueContext
-
--- id-se ID ::= securityExchange
-id-pr ID ::= problem
-
-id-not ID ::= notification
-
-id-mre ID ::= matchingRestriction
-
-id-cat ID ::= controlAttributeType
-
--- obsolete module identifiers
--- usefulDefinition ID ::= {module 0}
--- informationFramework ID ::= {module 1}
--- directoryAbstractService ID ::= {module 2}
--- distributedOperations ID ::= {module 3}
--- protocolObjectIdentifiers ID ::= {module 4}
--- selectedAttributeTypes ID ::= {module 5}
--- selectedObjectClasses ID ::= {module 6}
--- authenticationFramework ID ::= {module 7}
--- algorithmObjectIdentifiers ID ::= {module 8}
--- directoryObjectIdentifiers ID ::= {module 9}
--- upperBounds ID ::= {module 10}
--- dap ID ::= {module 11}
--- dsp ID ::= {module 12}
--- distributedDirectoryObjectIdentifiers ID ::= {module 13}
--- unused module identifiers
--- directoryShadowOIDs ID ::= {module 14}
--- directoryShadowAbstractService ID ::= {module 15}
--- disp ID ::= {module 16}
--- dop ID ::= {module 17}
--- opBindingManagement ID ::= {module 18}
--- opBindingOIDs ID ::= {module 19}
--- hierarchicalOperationalBindings ID ::= {module 20}
--- dsaOperationalAttributeTypes ID ::= {module 22}
--- schemaAdministration ID ::= {module 23}
--- basicAccessControl ID ::= {module 24}
--- operationalBindingOIDs ID ::= {module 25}
-END -- UsefulDefinitions
diff --git a/lib/public_key/include/OTP-PUB-KEY.hrl b/lib/public_key/include/OTP-PUB-KEY.hrl
new file mode 100644
index 0000000000..67aca628e5
--- /dev/null
+++ b/lib/public_key/include/OTP-PUB-KEY.hrl
@@ -0,0 +1,23 @@
+%%
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: Apache-2.0
+%%
+%% Copyright Ericsson AB 2008-2025. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%% http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+-include("public_key.hrl").
diff --git a/lib/public_key/include/public_key.hrl b/lib/public_key/include/public_key.hrl
index d04db8678c..55ffa989e9 100644
--- a/lib/public_key/include/public_key.hrl
+++ b/lib/public_key/include/public_key.hrl
@@ -20,17 +20,519 @@
%% %CopyrightEnd%
%%
-%%
-
-ifndef(public_key).
-define(public_key, true).
--include("OTP-PUB-KEY.hrl").
--include("PKCS-FRAME.hrl").
+%%%
+%%% RSA
+%%%
+
+-record('RSAPublicKey',
+ {
+ modulus,
+ publicExponent
+ }).
+
+-record('RSAPrivateKey',
+ {
+ version,
+ modulus,
+ publicExponent,
+ privateExponent,
+ prime1,
+ prime2,
+ exponent1,
+ exponent2,
+ coefficient,
+ otherPrimeInfos = asn1_NOVALUE
+ }).
+
+-record('OtherPrimeInfo',
+ {
+ prime,
+ exponent,
+ coefficient
+ }).
+
+-record('RSASSA-PSS-params',
+ {
+ hashAlgorithm = asn1_DEFAULT,
+ maskGenAlgorithm = asn1_DEFAULT,
+ saltLength = asn1_DEFAULT,
+ trailerField = asn1_DEFAULT
+ }).
+
+-record('HashAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('MaskGenAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+%%%
+%%% DSA
+%%%
+
+-record('DSAPrivateKey',
+ {
+ version, % pos_integer()
+ p, % pos_integer()
+ q, % pos_integer()
+ g, % pos_integer()
+ y, % pos_integer()
+ x % pos_integer()
+ }).
+
+-record('Dss-Parms',
+ {
+ p, % pos_integer()
+ q, % pos_integer()
+ g % pos_integer()
+ }).
+
+%%%
+%%% ECDSA and EDDSA
+%%%
--record('SubjectPublicKeyInfoAlgorithm', {
- algorithm,
- parameters = asn1_NOVALUE}).
+-define('id-Ed25519', {1,3,101,112}).
+-define('id-Ed448', {1,3,101,113}).
+
+%% Undocumented but used by test suite.
+-define('sect571r1', {1,3,132,0,39}).
+-define('sect571k1', {1,3,132,0,38}).
+-define('sect409r1', {1,3,132,0,37}).
+-define('sect409k1', {1,3,132,0,36}).
+-define('secp521r1', {1,3,132,0,35}).
+-define('secp384r1', {1,3,132,0,34}).
+-define('secp224r1', {1,3,132,0,33}).
+-define('secp224k1', {1,3,132,0,32}).
+-define('secp192k1', {1,3,132,0,31}).
+-define('secp160r2', {1,3,132,0,30}).
+-define('secp128r2', {1,3,132,0,29}).
+-define('secp128r1', {1,3,132,0,28}).
+-define('sect233r1', {1,3,132,0,27}).
+-define('sect233k1', {1,3,132,0,26}).
+-define('sect193r2', {1,3,132,0,25}).
+-define('sect193r1', {1,3,132,0,24}).
+-define('sect131r2', {1,3,132,0,23}).
+-define('sect131r1', {1,3,132,0,22}).
+-define('sect283r1', {1,3,132,0,17}).
+-define('sect283k1', {1,3,132,0,16}).
+-define('sect163r2', {1,3,132,0,15}).
+-define('secp256k1', {1,3,132,0,10}).
+-define('secp160k1', {1,3,132,0,9}).
+-define('secp160r1', {1,3,132,0,8}).
+-define('secp112r2', {1,3,132,0,7}).
+-define('secp112r1', {1,3,132,0,6}).
+-define('sect113r2', {1,3,132,0,5}).
+-define('sect113r1', {1,3,132,0,4}).
+-define('sect239k1', {1,3,132,0,3}).
+-define('sect163r1', {1,3,132,0,2}).
+-define('sect163k1', {1,3,132,0,1}).
+-define('secp256r1', {1,2,840,10045,3,1,7}).
+-define('secp192r1', {1,2,840,10045,3,1,1}).
+
+-record('ECPrivateKey',
+ {
+ version,
+ privateKey,
+ parameters = asn1_NOVALUE,
+ publicKey = asn1_NOVALUE,
+ attributes = asn1_NOVALUE
+ }).
+
+-record('ECParameters',
+ {
+ version,
+ fieldID,
+ curve,
+ base,
+ order,
+ cofactor = asn1_NOVALUE
+ }).
+
+
+-record('Curve',
+ {
+ a,
+ b,
+ seed = asn1_NOVALUE
+ }).
+
+-record('FieldID',
+ {
+ fieldType,
+ parameters
+ }).
+
+-record('ECPoint',
+ {
+ point
+ }).
+
+%%%
+%%% PKIX Certificates
+%%%
+
+-record('Certificate',
+ {
+ tbsCertificate,
+ signatureAlgorithm,
+ signature
+ }).
+
+-record('TBSCertificate',
+ {
+ version = asn1_DEFAULT,
+ serialNumber,
+ signature,
+ issuer,
+ validity,
+ subject,
+ subjectPublicKeyInfo,
+ issuerUniqueID = asn1_NOVALUE,
+ subjectUniqueID = asn1_NOVALUE,
+ extensions = asn1_NOVALUE
+ }).
+
+-record('AlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+%%%
+%%% Erlang alternate representation of PKIX certificate
+%%%
+
+-record('OTPCertificate',
+ {
+ tbsCertificate,
+ signatureAlgorithm,
+ signature
+ }).
+
+-record('OTPTBSCertificate',
+ {
+ version = asn1_DEFAULT,
+ serialNumber,
+ signature,
+ issuer,
+ validity,
+ subject,
+ subjectPublicKeyInfo,
+ issuerUniqueID = asn1_NOVALUE,
+ subjectUniqueID = asn1_NOVALUE,
+ extensions = asn1_NOVALUE
+ }).
+
+-record('SignatureAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-define('id-dsa-with-sha1', {1,2,840,10040,4,3}).
+-define('id-dsaWithSHA1', {1,3,14,3,2,27}). %Probably obsolete.
+-define('md2WithRSAEncryption', {1,2,840,113549,1,1,2}).
+-define('md5WithRSAEncryption', {1,2,840,113549,1,1,4}).
+-define('sha1WithRSAEncryption', {1,2,840,113549,1,1,5}).
+-define('sha-1WithRSAEncryption', {1,3,14,3,2,29}). %Probably obsolete.
+-define('sha224WithRSAEncryption', {1,2,840,113549,1,1,14}).
+-define('sha256WithRSAEncryption', {1,2,840,113549,1,1,11}).
+-define('sha512WithRSAEncryption', {1,2,840,113549,1,1,13}).
+-define('ecdsa-with-SHA1', {1,2,840,10045,4,1}).
+
+%% Undocumented but used by test suite.
+-define('id-dsa-with-sha224', {2,16,840,1,101,3,4,3,1}).
+-define('id-dsa-with-sha256', {2,16,840,1,101,3,4,3,2}).
+-define('id-sha1', {1,3,14,3,2,26}).
+-define('id-sha224', {2,16,840,1,101,3,4,2,4}).
+-define('id-sha256', {2,16,840,1,101,3,4,2,1}).
+-define('id-sha384', {2,16,840,1,101,3,4,2,2}).
+-define('id-sha512', {2,16,840,1,101,3,4,2,3}).
+-define('sha384WithRSAEncryption', {1,2,840,113549,1,1,12}).
+-define('id-RSASSA-PSS', {1,2,840,113549,1,1,10}).
+-define('ecdsa-with-SHA256', {1,2,840,10045,4,3,2}).
+-define('ecdsa-with-SHA384', {1,2,840,10045,4,3,3}).
+-define('ecdsa-with-SHA512', {1,2,840,10045,4,3,4}).
+-define('rSASSA-PSS-Default-Identifier', {'RSASSA-AlgorithmIdentifier',{1,2,840,113549,1,1,10},{'RSASSA-PSS-params',{'HashAlgorithm',{1,3,14,3,2,26},'NULL'},{'MaskGenAlgorithm',{1,2,840,113549,1,1,8},{'HashAlgorithm',{1,3,14,3,2,26},'NULL'}},20,1}}).
+-define('id-mgf1', {1,2,840,113549,1,1,8}).
+
+-record('AttributeTypeAndValue',
+ {
+ type,
+ value
+ }).
+
+-define('id-at-name', {2,5,4,41}).
+-define('id-at-surname', {2,5,4,4}).
+-define('id-at-givenName', {2,5,4,42}).
+-define('id-at-initials', {2,5,4,43}).
+-define('id-at-generationQualifier', {2,5,4,44}).
+-define('id-at-commonName', {2,5,4,3}).
+-define('id-at-localityName', {2,5,4,7}).
+-define('id-at-stateOrProvinceName', {2,5,4,8}).
+-define('id-at-organizationName', {2,5,4,10}).
+-define('id-at-title', {2,5,4,12}).
+-define('id-at-dnQualifier', {2,5,4,46}).
+-define('id-at-countryName', {2,5,4,6}).
+-define('id-at-serialNumber', {2,5,4,5}).
+-define('id-at-pseudonym', {2,5,4,65}).
+
+%% Not documented but used by the test suite.
+-define('id-emailAddress', {1,2,840,113549,1,9,1}).
+-define('id-at-organizationalUnitName', {2,5,4,11}).
+
+%%%
+%%% Validity, SubjectPublicKeyInfo, and SubjectPublicKeyInfoAlgorithm
+%%%
+
+-record('Validity',
+ {
+ notBefore,
+ notAfter
+ }).
+
+-record('SubjectPublicKeyInfo',
+ {
+ algorithm,
+ subjectPublicKey
+ }).
+
+-record('PublicKeyAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+%%%
+%%% Public-key algorithms
+%%%
+-define('rsaEncryption', {1,2,840,113549,1,1,1}).
+-define('id-dsa', {1,2,840,10040,4,1}).
+-define('dhpublicnumber', {1,2,840,10046,2,1}).
+-define('id-keyExchangeAlgorithm', {2,16,840,1,101,2,1,1,22}).
+-define('id-ecPublicKey', {1,2,840,10045,2,1}).
+
+-record('Extension',
+ {
+ extnID,
+ critical = asn1_DEFAULT,
+ extnValue
+ }).
+
+%%%
+%%% Standard Certificate Extensions
+%%%
+
+-define('id-ce-targetInformation', {2,5,29,55}).
+-define('id-ce-invalidityDate', {2,5,29,24}).
+-define('id-ce-holdInstructionCode', {2,5,29,23}).
+-define('id-ce-certificateIssuer', {2,5,29,29}).
+-define('id-ce-cRLReasons', {2,5,29,21}).
+-define('id-ce-deltaCRLIndicator', {2,5,29,27}).
+-define('id-ce-issuingDistributionPoint', {2,5,29,28}).
+-define('id-ce-cRLNumber', {2,5,29,20}).
+-define('id-ce-freshestCRL', {2,5,29,46}).
+-define('id-ce-inhibitAnyPolicy', {2,5,29,54}).
+-define('id-ce-extKeyUsage', {2,5,29,37}).
+-define('id-ce-cRLDistributionPoints', {2,5,29,31}).
+-define('id-ce-policyConstraints', {2,5,29,36}).
+-define('id-ce-nameConstraints', {2,5,29,30}).
+-define('id-ce-basicConstraints', {2,5,29,19}).
+-define('id-ce-subjectDirectoryAttributes', {2,5,29,9}).
+-define('id-ce-issuerAltName', {2,5,29,18}).
+-define('id-ce-subjectAltName', {2,5,29,17}).
+-define('id-ce-policyMappings', {2,5,29,33}).
+-define('id-ce-certificatePolicies', {2,5,29,32}).
+-define('id-ce-privateKeyUsagePeriod', {2,5,29,16}).
+-define('id-ce-keyUsage', {2,5,29,15}).
+-define('id-ce-subjectKeyIdentifier', {2,5,29,14}).
+-define('id-ce-authorityKeyIdentifier', {2,5,29,35}).
+
+%% Not documented but used by test suite.
+-define('anyExtendedKeyUsage', {2,5,29,37,0}).
+-define('anyPolicy', {2,5,29,32,0}).
+
+
+-record('AuthorityKeyIdentifier',
+ {
+ keyIdentifier = asn1_NOVALUE,
+ authorityCertIssuer = asn1_NOVALUE,
+ authorityCertSerialNumber = asn1_NOVALUE
+ }).
+
+-record('PrivateKeyUsagePeriod',
+ {
+ notBefore = asn1_NOVALUE,
+ notAfter = asn1_NOVALUE
+ }).
+
+-record('PolicyInformation',
+ {
+ policyIdentifier,
+ policyQualifiers = asn1_NOVALUE
+ }).
+
+-record('PolicyQualifierInfo',
+ {
+ policyQualifierId,
+ qualifier
+ }).
+
+-record('UserNotice',
+ {
+ noticeRef = asn1_NOVALUE,
+ explicitText = asn1_NOVALUE
+ }).
+
+-record('NoticeReference',
+ {
+ organization,
+ noticeNumbers
+ }).
+
+-record('PolicyMappings_SEQOF',
+ {
+ issuerDomainPolicy,
+ subjectDomainPolicy
+ }).
+
+-record('Attribute',
+ {
+ type,
+ values
+ }).
+
+-record('BasicConstraints',
+ {
+ cA = asn1_DEFAULT,
+ pathLenConstraint = asn1_NOVALUE
+ }).
+
+-record('NameConstraints',
+ {
+ permittedSubtrees = asn1_NOVALUE,
+ excludedSubtrees = asn1_NOVALUE
+ }).
+
+-record('GeneralSubtree',
+ {
+ base,
+ minimum = asn1_DEFAULT,
+ maximum = asn1_NOVALUE
+ }).
+
+-record('PolicyConstraints',
+ {
+ requireExplicitPolicy = asn1_NOVALUE,
+ inhibitPolicyMapping = asn1_NOVALUE
+ }).
+
+-record('DistributionPoint',
+ {
+ distributionPoint = asn1_NOVALUE,
+ reasons = asn1_NOVALUE,
+ cRLIssuer = asn1_NOVALUE
+ }).
+
+-record('AccessDescription',
+ {
+ accessMethod,
+ accessLocation
+ }).
+
+%%%
+%%% CRL and CRL Extensions Profile
+%%%
+
+-record('CertificateList',
+ {
+ tbsCertList,
+ signatureAlgorithm,
+ signature
+ }).
+
+-record('TBSCertList',
+ {
+ version = asn1_NOVALUE,
+ signature,
+ issuer,
+ thisUpdate,
+ nextUpdate = asn1_NOVALUE,
+ revokedCertificates = asn1_NOVALUE,
+ crlExtensions = asn1_NOVALUE
+ }).
+
+-record('TBSCertList_revokedCertificates_SEQOF',
+ {
+ userCertificate,
+ revocationDate,
+ crlEntryExtensions = asn1_NOVALUE
+ }).
+
+%%%
+%%% CRL Extensions
+%%%
+
+-record('IssuingDistributionPoint',
+ {
+ distributionPoint = asn1_NOVALUE,
+ onlyContainsUserCerts = asn1_DEFAULT,
+ onlyContainsCACerts = asn1_DEFAULT,
+ onlySomeReasons = asn1_NOVALUE,
+ indirectCRL = asn1_DEFAULT,
+ onlyContainsAttributeCerts = asn1_DEFAULT
+ }).
+
+%%%
+%%% PKCS#10 Certification Request
+%%%
+
+-record('CertificationRequest',
+ {
+ certificationRequestInfo,
+ signatureAlgorithm,
+ signature
+ }).
+
+-record('CertificationRequestInfo',
+ {
+ version,
+ subject,
+ subjectPKInfo,
+ attributes
+ }).
+
+-record('CertificationRequestInfo_subjectPKInfo',
+ {
+ algorithm,
+ subjectPublicKey
+ }).
+
+-record('CertificationRequestInfo_subjectPKInfo_algorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('CertificationRequest_signatureAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('AttributePKCS-10',
+ {
+ type,
+ values
+ }).
-define(DEFAULT_VERIFYFUN,
{fun(_,{bad_cert, _} = Reason, _) ->
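Review bot: The `'rSASSA-PSS-Default-Identifier'` macro is written as one opaque nested tuple of raw OIDs, although this header already defines `?'id-RSASSA-PSS'`, `?'id-sha1'` and `?'id-mgf1'` for exactly those values. Nothing on the line tells a reader that it pins SHA-1 for both the hash and the MGF1 mask, with salt length 20 and trailer field 1. These look like the ASN.1 DEFAULT values of `RSASSA-PSS-params` rather than a recommended signing configuration. I would build the value from the named macros and add above it `%% PSS parameter defaults (SHA-1, MGF1 with SHA-1, salt length 20, trailer field 1); kept for compatibility, not a recommendation.`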
@@ -78,11 +580,6 @@
details
}).
--record('ECPoint',
- {
- point
- }).
-
-record(cert,
{
der :: public_key:der_encoded(),
@@ -100,4 +597,128 @@
-define(privilegeWithdrawn, 9).
-define(aACompromise, 10).
+%%%
+%%% OCSP, undocumented, but used by test suite.
+%%%
+
+-record('BasicOCSPResponse',
+ {
+ tbsResponseData,
+ signatureAlgorithm,
+ signature,
+ certs = asn1_NOVALUE
+ }).
+
+-record('SingleResponse',
+ {
+ certID,
+ certStatus,
+ thisUpdate,
+ nextUpdate = asn1_NOVALUE,
+ singleExtensions = asn1_NOVALUE
+ }).
+
+-record('CertID',
+ {
+ hashAlgorithm,
+ issuerNameHash,
+ issuerKeyHash,
+ serialNumber
+ }).
+
+-record('ResponseData',
+ {
+ version = asn1_DEFAULT,
+ responderID,
+ producedAt,
+ responses,
+ responseExtensions = asn1_NOVALUE
+ }).
+
+-define('id-kp-OCSPSigning', {1,3,6,1,5,5,7,3,9}).
+-define('id-kp-timeStamping', {1,3,6,1,5,5,7,3,8}).
+-define('id-kp-emailProtection', {1,3,6,1,5,5,7,3,4}).
+-define('id-kp-codeSigning', {1,3,6,1,5,5,7,3,3}).
+-define('id-kp-clientAuth', {1,3,6,1,5,5,7,3,2}).
+-define('id-kp-serverAuth', {1,3,6,1,5,5,7,3,1}).
+
+%%%
+%%% OTP-PKIX.
+%%%
+%%% Undocumented but used but used in many places.
+%%%
+
+-record('OTPSubjectPublicKeyInfo',
+ {
+ algorithm,
+ subjectPublicKey
+ }).
+
+%%%
+%%% Undocumented but used by test suite.
+%%%
+
+-record('DHParameter',
+ {
+ prime,
+ base,
+ privateValueLength = asn1_NOVALUE
+ }).
+
+-record('RSASSA-AlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-define('id-pkix-ocsp-nonce', {1,3,6,1,5,5,7,48,1,2}).
+
+%%%
+%%% Undocumented but used by SSL.
+%%%
+
+-define('id-X25519', {1,3,101,110}).
+-define('id-X448', {1,3,101,111}).
+-define('brainpoolP512r1', {1,3,36,3,3,2,8,1,1,13}).
+-define('brainpoolP384r1', {1,3,36,3,3,2,8,1,1,11}).
+-define('brainpoolP256r1', {1,3,36,3,3,2,8,1,1,7}).
+
+-record('PrivateKeyInfo',
+ { %% OneAsymmetricKey
+ version,
+ privateKeyAlgorithm,
+ privateKey,
+ attributes = asn1_NOVALUE,
+ %% Version 2 with extension
+ publicKey = asn1_NOVALUE
+ }).
+
+-record('PrivateKeyInfo_privateKeyAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+%% used by SSL test suite
+
+-define('id-PBKDF2', {1,2,840,113549,1,5,12}).
+-define('id-hmacWithSHA1', {1,2,840,113549,2,7}).
+-define('id-aes256-CBC', {2,16,840,1,101,3,4,1,42}).
+
+%%%
+%%% Undocumented but used by SSH.
+%%%
+
+-record('ECDSA-Sig-Value',
+ {
+ r,
+ s
+ }).
+
+-record('Dss-Sig-Value',
+ {
+ r,
+ s
+ }).
+
-endif. % -ifdef(public_key).
diff --git a/lib/public_key/src/Makefile b/lib/public_key/src/Makefile
index 86cff43428..9649c8b83b 100644
--- a/lib/public_key/src/Makefile
+++ b/lib/public_key/src/Makefile
@@ -45,17 +45,18 @@ MODULES = \
public_key \
pubkey_pem \
pubkey_ssh \
- pubkey_pbe \
- pubkey_cert \
- pubkey_policy_tree \
pubkey_cert_records \
- pubkey_crl\
+ pubkey_crl \
+ pubkey_os_cacerts \
+ pubkey_translation \
+ pubkey_pbe \
pubkey_ocsp \
- pubkey_os_cacerts
+ pubkey_cert \
+ pubkey_policy_tree
-HRL_FILES = $(INCLUDE)/public_key.hrl
+HRL_FILES = $(INCLUDE)/public_key.hrl $(INCLUDE)/OTP-PUB-KEY.hrl
-INTERNAL_HRL_FILES = pubkey_moduli.hrl
+INTERNAL_HRL_FILES = pubkey_moduli.hrl public_key_internal.hrl
ERL_FILES = $(MODULES:%=%.erl)
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index b2d35b853e..bc32cbe3b3 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -23,8 +23,6 @@
-module(pubkey_cert).
-moduledoc false.
--include("public_key.hrl").
-
%% path validation
-export([init_validation_state/3,
validate_extensions/4,
@@ -57,7 +55,7 @@
x509_pkix_sign_types/1,
root_cert/2]).
--define(NULL, 0).
+-include("public_key_internal.hrl").
%%====================================================================
%% Internal application APIs
@@ -1441,7 +1439,7 @@ is_dir_name([[{'AttributeTypeAndValue', Type, What1}]|Rest1],
end;
is_dir_name(_,[],false) ->
true;
-is_dir_name(_,_,_) ->
+is_dir_name(_A,_B,_) ->
false.
%% attribute values in types other than PrintableString are case
@@ -1732,6 +1730,8 @@ verify_signature(OtpCert, DerCert, Key, KeyParams) ->
public_key:verify(PlainText, DigestType, Signature, Key,
verify_options(KeyParams));
'NULL' ->
+ public_key:verify(PlainText, DigestType, Signature, Key);
+ asn1_NOVALUE ->
public_key:verify(PlainText, DigestType, Signature, Key)
end;
_ ->
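Review bot: The added `asn1_NOVALUE` branch repeats the `'NULL'` branch verbatim and does not say why an absent parameters field is now treated like an explicit NULL when a certificate signature is verified. This appears to widen the set of algorithm-identifier encodings the verifier accepts, so the intent should be recorded, for example `%% Absent parameters are accepted as equivalent to an explicit NULL.` on the new branch. The enclosing `case` begins outside this hunk, so whether the two branches could share one guarded clause cannot be judged from here.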
@@ -1739,10 +1739,9 @@ verify_signature(OtpCert, DerCert, Key, KeyParams) ->
end.
encoded_tbs_cert(Cert) ->
- {ok, PKIXCert} =
- 'OTP-PUB-KEY':decode_TBSCert_exclusive(Cert),
- {'Certificate',
- {'Certificate_tbsCertificate', EncodedTBSCert}, _, _} = PKIXCert,
+ {ok, PKIXCert} = 'OTP-PKIX':decode_TBSCert_exclusive(Cert),
+ {'OTPCertificate',
+ {'OTPCertificate_tbsCertificate', EncodedTBSCert}, _, _} = PKIXCert,
EncodedTBSCert.
public_key_info(PublicKeyInfo,
@@ -1750,8 +1749,8 @@ public_key_info(PublicKeyInfo,
WorkingAlgorithm,
working_public_key_parameters =
WorkingParams}) ->
- PublicKey = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.subjectPublicKey,
- AlgInfo = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.algorithm,
+ #'OTPSubjectPublicKeyInfo'{subjectPublicKey=PublicKey,
+ algorithm=AlgInfo} = PublicKeyInfo,
PublicKeyParams = AlgInfo#'PublicKeyAlgorithm'.parameters,
Algorithm = AlgInfo#'PublicKeyAlgorithm'.algorithm,
@@ -1979,10 +1978,10 @@ sign_algorithm(#'RSAPrivateKey'{} = Key , Opts) ->
case proplists:get_value(rsa_padding, Opts, rsa_pkcs1_pss_padding) of
rsa_pkcs1_pss_padding ->
DigestId = rsa_digest_oid(proplists:get_value(digest, Opts, sha1)),
- rsa_sign_algo(Key, DigestId, 'NULL');
+ rsa_sign_algo(Key, DigestId, asn1_NOVALUE);
rsa_pss_rsae ->
DigestId = rsa_digest_oid(proplists:get_value(digest, Opts, sha256)),
- rsa_sign_algo(Key, DigestId, 'NULL')
+ rsa_sign_algo(Key, DigestId, asn1_NOVALUE)
end;
sign_algorithm({#'RSAPrivateKey'{} = Key,#'RSASSA-PSS-params'{} = Params}, _Opts) ->
rsa_sign_algo(Key, ?'id-RSASSA-PSS', Params);
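Review bot: Both `rsa_sign_algo(Key, DigestId, asn1_NOVALUE)` calls here, and `parameters=asn1_NOVALUE` for `?rsaEncryption` in the following `public_key/2` hunk, now build RSA algorithm identifiers without parameters where the old code passed `'NULL'`. The PKIX algorithm profiles ask generators to emit an explicit NULL for `rsaEncryption` and the `shaNNNWithRSAEncryption` identifiers, even though verifiers must tolerate its absence. Whether the new encoder restores the NULL is not visible in these hunks. If it does, say so at each site, for example `%% asn1_NOVALUE: the explicit NULL is filled in at encode time`. If it does not, the generated certificates change on the wire and a round-trip test on the DER would be worth adding. `sign_algorithm/2` continues outside this hunk.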
@@ -2094,7 +2093,7 @@ public_key({#'RSAPrivateKey'{modulus=N, publicExponent=E}, #'RSASSA-PSS-params'{
subjectPublicKey = Public};
public_key(#'RSAPrivateKey'{modulus=N, publicExponent=E}, _) ->
Public = #'RSAPublicKey'{modulus=N, publicExponent=E},
- Algo = #'PublicKeyAlgorithm'{algorithm= ?rsaEncryption, parameters='NULL'},
+ Algo = #'PublicKeyAlgorithm'{algorithm= ?rsaEncryption, parameters=asn1_NOVALUE},
#'OTPSubjectPublicKeyInfo'{algorithm = Algo,
subjectPublicKey = Public};
public_key(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}, _) ->
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index 8d3005a67e..5a47623bf1 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -25,7 +25,7 @@
-module(pubkey_cert_records).
-moduledoc false.
--include("public_key.hrl").
+-include("public_key_internal.hrl").
-export([decode_cert/1, transform/2, supportedPublicKeyAlgorithms/1,
supportedCurvesTypes/1, namedCurves/1]).
@@ -40,68 +40,135 @@
%% Description: Recursively decodes a Certificate.
%%--------------------------------------------------------------------
decode_cert(DerCert) ->
- {ok, Cert} = 'OTP-PUB-KEY':decode('OTPCertificate', DerCert),
- #'OTPCertificate'{tbsCertificate = TBS} = Cert,
- {ok, Cert#'OTPCertificate'{tbsCertificate = decode_tbs(TBS)}}.
+ {ok, Cert0} = 'OTP-PKIX':decode('OTPCertificate', DerCert),
+ Cert = dec_transform(Cert0),
+ {ok, Cert}.
%%--------------------------------------------------------------------
-spec transform(term(), encode | decode) ->term().
%%
%% Description: Transforms between encoded and decode otp formatted
%% certificate parts.
-%%--------------------------------------------------------------------
+%%
+%% Note that this function operates on raw data that has not gone
+%% through the pubkey_translation module. Thus does the same
+%% backwards compatibility translation done in pubkey_translation.
+%%--------------------------------------------------------------------
-transform(#'OTPCertificate'{tbsCertificate = TBS} = Cert, encode) ->
- Cert#'OTPCertificate'{tbsCertificate=encode_tbs(TBS)};
-transform(#'OTPCertificate'{tbsCertificate = TBS} = Cert, decode) ->
- Cert#'OTPCertificate'{tbsCertificate=decode_tbs(TBS)};
-transform(#'OTPTBSCertificate'{}= TBS, encode) ->
- encode_tbs(TBS);
-transform(#'OTPTBSCertificate'{}= TBS, decode) ->
- decode_tbs(TBS);
-transform(#'AttributeTypeAndValue'{type=Id,value=Value0} = ATAV, Func) ->
- {ok, Value} =
- case attribute_type(Id) of
- 'X520countryName'when Func == decode ->
- %% Workaround that some certificates break the ASN-1 spec
- %% and encode countryname as utf8
- case 'OTP-PUB-KEY':Func('OTP-X520countryname', Value0) of
- {ok, {utf8String, Utf8Value}} ->
- {ok, unicode:characters_to_list(Utf8Value)};
- {ok, {printableString, ASCCI}} ->
- {ok, ASCCI}
- end;
- 'EmailAddress' when Func == decode ->
- %% Workaround that some certificates break the ASN-1 spec
- %% and encode emailAddress as utf8
- case 'OTP-PUB-KEY':Func('OTP-emailAddress', Value0) of
- {ok, {utf8String, Utf8Value}} ->
- {ok, unicode:characters_to_list(Utf8Value)};
- {ok, {ia5String, Ia5Value}} ->
- {ok, Ia5Value}
- end;
- Type when is_atom(Type) -> 'OTP-PUB-KEY':Func(Type, Value0);
- _UnknownType -> {ok, Value0}
- end,
- ATAV#'AttributeTypeAndValue'{value=Value};
-transform(AKI = #'AuthorityKeyIdentifier'{authorityCertIssuer=ACI},Func) ->
- AKI#'AuthorityKeyIdentifier'{authorityCertIssuer=transform(ACI,Func)};
-transform(List = [{directoryName, _}],Func) ->
- [{directoryName, transform(Value,Func)} || {directoryName, Value} <- List];
-transform({directoryName, Value},Func) ->
- {directoryName, transform(Value,Func)};
-transform({rdnSequence, SeqList},Func) when is_list(SeqList) ->
- {rdnSequence,
- lists:map(fun(Seq) ->
- lists:map(fun(Element) -> transform(Element,Func) end, Seq)
+transform(Term, encode) -> enc_transform(Term);
+transform(Term, decode) -> dec_transform(Term).
+
+enc_transform(#'OTPCertificate'{tbsCertificate = TBS, signatureAlgorithm=SA} = Cert) ->
+ Cert#'OTPCertificate'{tbsCertificate=enc_transform(TBS),
+ signatureAlgorithm=enc_transform(SA)};
+enc_transform(#'OTPTBSCertificate'{signature=Signature0,
+ issuer=Issuer0,
+ subject=Subject0,
+ subjectPublicKeyInfo=Spki0,
+ extensions=Exts0}=TBS) ->
+ Signature = enc_transform(Signature0),
+ Issuer = enc_transform(Issuer0),
+ Subject = enc_transform(Subject0),
+ Spki = encode_supportedPublicKey(Spki0),
+ Exts = encode_extensions(Exts0),
+ TBS#'OTPTBSCertificate'{signature = Signature,
+ issuer=Issuer,
+ subject=Subject,
+ subjectPublicKeyInfo=Spki,
+ extensions=Exts};
+enc_transform(#'SignatureAlgorithm'{algorithm=Algo,parameters=Params}) ->
+ #'OTPTBSCertificate_signature'{algorithm=Algo,parameters=enc_transform(Params)};
+enc_transform({params, #'Dss-Parms'{p=P,q=Q,g=G}}) ->
+ {present,#'DSA-Params'{p=P,q=Q,g=G}};
+enc_transform(#'AttributeTypeAndValue'{type=Id, value=Value0}) ->
+ case Id of
+ ?'id-at-countryName' ->
+ #'SingleAttribute'{type=Id, value={correct, Value0}};
+ ?'id-emailAddress' ->
+ #'SingleAttribute'{type=Id, value={correct, Value0}};
+ _ ->
+ #'SingleAttribute'{type=Id,value=Value0}
+ end;
+enc_transform(#'AuthorityKeyIdentifier'{authorityCertIssuer=ACI}=AKI) ->
+ AKI#'AuthorityKeyIdentifier'{authorityCertIssuer=enc_transform(ACI)};
+enc_transform([{directoryName, _}]=List) ->
+ [{directoryName, enc_transform(Value)} || {directoryName, Value} <- List];
+enc_transform({directoryName, Value}) ->
+ {directoryName, enc_transform(Value)};
+enc_transform({rdnSequence, SeqList}) when is_list(SeqList) ->
+ {rdnSequence,
+ lists:map(fun(Seq) ->
+ lists:map(fun(Element) -> enc_transform(Element) end, Seq)
end, SeqList)};
-transform(#'NameConstraints'{permittedSubtrees=Permitted, excludedSubtrees=Excluded}, Func) ->
- #'NameConstraints'{permittedSubtrees=transform_sub_tree(Permitted,Func),
- excludedSubtrees=transform_sub_tree(Excluded,Func)};
-
-transform(Other,_) ->
+enc_transform(#'NameConstraints'{permittedSubtrees=Permitted, excludedSubtrees=Excluded}) ->
+ #'NameConstraints'{permittedSubtrees=enc_transform_sub_tree(Permitted),
+ excludedSubtrees=enc_transform_sub_tree(Excluded)};
+enc_transform(Other) ->
Other.
+dec_transform(#'OTPCertificate'{tbsCertificate = TBS, signatureAlgorithm=SA}=Cert) ->
+ Cert#'OTPCertificate'{tbsCertificate=dec_transform(TBS),
+ signatureAlgorithm=dec_transform(SA)};
+dec_transform(#'OTPCertificate_signatureAlgorithm'{algorithm=Algo,parameters=Params}) ->
+ #'SignatureAlgorithm'{algorithm=Algo,parameters=dec_transform(Params)};
+dec_transform(#'OTPTBSCertificate'{signature=Signature0,
+ issuer=Issuer0,
+ subject=Subject0,
+ subjectPublicKeyInfo=Spki0,
+ extensions=Exts0}=TBS) ->
+ Signature = dec_transform(Signature0),
+ Issuer = dec_transform(Issuer0),
+ Subject = dec_transform(Subject0),
+ Spki = decode_supportedPublicKey(Spki0),
+ Exts = decode_extensions(Exts0),
+ TBS#'OTPTBSCertificate'{issuer=Issuer, subject=Subject,
+ signature=setelement(1, Signature, 'SignatureAlgorithm'),
+ subjectPublicKeyInfo=Spki,extensions=Exts};
+dec_transform(#'OTPTBSCertificate_signature'{algorithm=Algo,parameters=Params}) ->
+ #'SignatureAlgorithm'{algorithm=Algo,parameters=dec_transform(Params)};
+dec_transform({present,#'DSA-Params'{p=P,q=Q,g=G}}) ->
+ {params, #'Dss-Parms'{p=P,q=Q,g=G}};
+dec_transform({absent,'NULL'}) ->
+ 'NULL';
+dec_transform(#'SingleAttribute'{type=Id,value=Value0}) ->
+ case {Id, Value0} of
+ {?'id-at-countryName', {_,String}} ->
+ #'AttributeTypeAndValue'{type=Id, value=String};
+ {?'id-emailAddress', {_,String}} ->
+ #'AttributeTypeAndValue'{type=Id, value=String};
+ {_, _} ->
+ #'AttributeTypeAndValue'{type=Id, value=Value0}
+ end;
+dec_transform(#'AuthorityKeyIdentifier'{authorityCertIssuer=ACI}=AKI) ->
+ AKI#'AuthorityKeyIdentifier'{authorityCertIssuer=dec_transform(ACI)};
+dec_transform([{directoryName, _}]=List) ->
+ [{directoryName, dec_transform(Value)} || {directoryName, Value} <- List];
+dec_transform({directoryName, Value}) ->
+ {directoryName, dec_transform(Value)};
+dec_transform({rdnSequence, SeqList}) when is_list(SeqList) ->
+ {rdnSequence,
+ lists:map(fun(Seq) ->
+ lists:map(fun(Element) -> dec_transform(Element) end, Seq)
+ end, SeqList)};
+dec_transform(#'NameConstraints'{permittedSubtrees=Permitted, excludedSubtrees=Excluded}) ->
+ #'NameConstraints'{permittedSubtrees=dec_transform_sub_tree(Permitted),
+ excludedSubtrees=dec_transform_sub_tree(Excluded)};
+dec_transform(Other) ->
+ Other.
+
+
+enc_transform_sub_tree(asn1_NOVALUE) ->
+ asn1_NOVALUE;
+enc_transform_sub_tree(TreeList) ->
+ [Tree#'GeneralSubtree'{base=enc_transform(Name)} ||
+ #'GeneralSubtree'{base=Name}=Tree <- TreeList].
+
+dec_transform_sub_tree(asn1_NOVALUE) ->
+ asn1_NOVALUE;
+dec_transform_sub_tree(TreeList) ->
+ [Tree#'GeneralSubtree'{base=dec_transform(Name)} ||
+ #'GeneralSubtree'{base=Name}=Tree <- TreeList].
+
%%--------------------------------------------------------------------
-spec supportedPublicKeyAlgorithms(Oid::tuple()) -> public_key:asn1_type().
%%
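Review bot: In the `dec_transform(#'OTPTBSCertificate'{...})` clause, `signature=setelement(1, Signature, 'SignatureAlgorithm')` rewrites the record tag of whatever `dec_transform(Signature0)` returned. When `Signature0` is an `#'OTPTBSCertificate_signature'{}`, the dedicated clause has already produced a `#'SignatureAlgorithm'{}` and the call is a no-op. For any other tuple the catch-all `dec_transform(Other) -> Other` is taken, and the tuple is relabelled without its parameters being translated or its arity checked. Because `transform/2` is exported and takes `term()`, I would use plain `signature=Signature` and let an unexpected shape fail on a record match. If another record really has to be accepted there, give it its own clause.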
@@ -233,29 +300,40 @@ namedCurves(brainpoolP512t1) -> ?'brainpoolP512t1'.
%%% SubjectPublicKey
-decode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{algorithm= PA =
- #'PublicKeyAlgorithm'{algorithm=Algo},
- subjectPublicKey = SPK0}) ->
+decode_supportedPublicKey(#'SubjectPublicKeyInfo'{algorithm=PA,
+ subjectPublicKey=SPK0}) ->
+ #'SubjectPublicKeyInfo_algorithm'{algorithm=Algo,parameters=Params0} = PA,
Type = supportedPublicKeyAlgorithms(Algo),
SPK = case Type of
- 'ECPoint' -> #'ECPoint'{point = SPK0};
- _ -> {ok, SPK1} = 'OTP-PUB-KEY':decode(Type, SPK0),
- SPK1
+ 'ECPoint' ->
+ #'ECPoint'{point = SPK0};
+ _ ->
+ public_key:der_decode(Type, SPK0)
end,
- #'OTPSubjectPublicKeyInfo'{subjectPublicKey = SPK, algorithm=PA}.
-
-encode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{algorithm= PA =
- #'PublicKeyAlgorithm'{algorithm=Algo},
- subjectPublicKey = SPK0}) ->
+ Params = case Params0 of
+ #'DSA-Params'{p=P,q=Q,g=G} -> {params, #'Dss-Parms'{p=P,q=Q,g=G}};
+ _ -> Params0
+ end,
+ #'OTPSubjectPublicKeyInfo'{subjectPublicKey = SPK,
+ algorithm=#'PublicKeyAlgorithm'{algorithm=Algo,
+ parameters=Params}}.
+encode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{
+ algorithm =
+ #'PublicKeyAlgorithm'{algorithm=Algo,parameters = Params0},
+ subjectPublicKey = SPK0}) ->
Type = supportedPublicKeyAlgorithms(Algo),
SPK = case Type of
'ECPoint' ->
SPK0#'ECPoint'.point;
_ ->
- {ok, SPK1} = 'OTP-PUB-KEY':encode(Type, SPK0),
- SPK1
+ public_key:der_encode(Type, SPK0)
end,
- #'OTPSubjectPublicKeyInfo'{subjectPublicKey = SPK, algorithm=PA}.
+ Params = case Params0 of
+ {params, #'Dss-Parms'{p=P,q=Q,g=G}} -> #'DSA-Params'{p=P,q=Q,g=G};
+ _ -> Params0
+ end,
+ PA = #'SubjectPublicKeyInfo_algorithm'{algorithm=Algo,parameters=Params},
+ #'SubjectPublicKeyInfo'{subjectPublicKey = SPK, algorithm=PA}.
%%% Extensions
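Review bot: `decode_supportedPublicKey/1` and `encode_supportedPublicKey/1` are no longer symmetric in type, and nothing in the code says so. Decode takes the wire-level `#'SubjectPublicKeyInfo'{}` and returns `#'OTPSubjectPublicKeyInfo'{}`, encode does the reverse, and both silently swap `#'DSA-Params'{}` with `{params, #'Dss-Parms'{}}` while passing every other parameter value through `_ -> Params0` unchanged. A short header comment would make the contract explicit, for example `%% Converts the generated SubjectPublicKeyInfo record to the documented OTPSubjectPublicKeyInfo form; only DSA parameters are rewrapped, all other parameters pass through untouched.`, with the mirror sentence on the encoder.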
@@ -286,77 +364,70 @@ extension_id(?'id-ce-holdInstructionCode') -> 'HoldInstructionCode';
extension_id(?'id-ce-invalidityDate') -> 'InvalidityDate';
extension_id(_) ->
undefined.
-
decode_extensions(asn1_NOVALUE) ->
asn1_NOVALUE;
decode_extensions(Exts) ->
lists:map(fun(Ext = #'Extension'{extnID=Id, extnValue=Value0}) ->
- case extension_id(Id) of
- undefined -> Ext;
- Type ->
- {ok, Value} = 'OTP-PUB-KEY':decode(Type, iolist_to_binary(Value0)),
- Ext#'Extension'{extnValue=transform(Value,decode)}
+ ExtId = extension_id(Id),
+ case ExtId =/= undefined andalso
+ 'PKIX1Implicit-2009':getdec_CertExtensions(Id)
+ of
+ false ->
+ Ext;
+ DecodeExt when ExtId =:= 'CertificatePolicies',
+ is_function(DecodeExt, 3) ->
+ %% Might need workaround to gracefully handle long user notices
+ try
+ Value = DecodeExt('ExtnType', iolist_to_binary(Value0), dummy),
+ Ext#'Extension'{extnValue=transform(Value,decode)}
+ catch exit:{_, {error,{asn1,bad_range}}} ->
+ decode_otp_cert_polices(Ext, iolist_to_binary(Value0))
+ end;
+ DecodeExt when is_function(DecodeExt, 3) ->
+ %% Undocumented asn1 usage, but
+ %% currently the only way to decode
+ %% extensions.
+ Value = DecodeExt('ExtnType', iolist_to_binary(Value0), dummy),
+ Ext#'Extension'{extnValue=transform(Value,decode)}
end
end, Exts).
+decode_otp_cert_polices(Ext, Value) ->
+ %% RFC 3280 states that certificate users SHOULD gracefully handle
+ %% explicitText with more than 200 characters.
+ {ok, CPs} = 'OTP-PKIX':decode('OTPCertificatePolicies', Value),
+ Ext#'Extension'{extnValue=[translate_cert_polices(CP) || CP <- CPs]}.
+
+translate_cert_polices(#'OTPPolicyInformation'{policyIdentifier = Id, policyQualifiers = Qs0}) ->
+ Qs = [translate_cert_polices(Q) || Q <- Qs0],
+ #'PolicyInformation'{policyIdentifier = Id, policyQualifiers = Qs};
+translate_cert_polices(#'OTPPolicyQualifierInfo'{policyQualifierId = Id, qualifier = Q0}) ->
+ Q = case Q0 of
+ #'OTPUserNotice'{noticeRef = Ref, explicitText = {Type, Text0}} ->
+ Text = string:slice(Text0, 0, 350),
+ #'UserNotice'{noticeRef = Ref, explicitText = {Type, Text}};
+ Other ->
+ Other
+ end,
+ #'PolicyQualifierInfo'{policyQualifierId = Id, qualifier = Q}.
+
encode_extensions(asn1_NOVALUE) ->
asn1_NOVALUE;
encode_extensions(Exts) ->
lists:map(fun(Ext = #'Extension'{extnID=Id, extnValue=Value0}) ->
- case extension_id(Id) of
- undefined -> Ext;
- Type ->
- Value1 = transform(Value0,encode),
- {ok, Value} = 'OTP-PUB-KEY':encode(Type, Value1),
- Ext#'Extension'{extnValue=Value}
+ case extension_id(Id) =/= undefined andalso
+ 'PKIX1Implicit-2009':getenc_CertExtensions(Id)
+ of
+ false ->
+ Ext;
+ EncodeExt when is_function(EncodeExt, 3) ->
+ %% Undocumented asn1 usage, but currently the only way
+ %% to decode extensions.
+ Value1 = pubkey_translation:encode(Value0),
+ Value = element(1,EncodeExt('ExtnType', Value1, dummy)),
+ Ext#'Extension'{extnValue= iolist_to_binary(Value)}
end
end, Exts).
-
-encode_tbs(TBS=#'OTPTBSCertificate'{issuer=Issuer0,
- subject=Subject0,
- subjectPublicKeyInfo=Spki0,
- extensions=Exts0}) ->
- Issuer = transform(Issuer0,encode),
- Subject = transform(Subject0,encode),
- Spki = encode_supportedPublicKey(Spki0),
- Exts = encode_extensions(Exts0),
- TBS#'OTPTBSCertificate'{issuer=Issuer, subject=Subject,
- subjectPublicKeyInfo=Spki,extensions=Exts}.
-
-decode_tbs(TBS = #'OTPTBSCertificate'{issuer=Issuer0,
- subject=Subject0,
- subjectPublicKeyInfo=Spki0,
- extensions=Exts0}) ->
- Issuer = transform(Issuer0,decode),
- Subject = transform(Subject0,decode),
- Spki = decode_supportedPublicKey(Spki0),
- Exts = decode_extensions(Exts0),
- TBS#'OTPTBSCertificate'{issuer=Issuer, subject=Subject,
- subjectPublicKeyInfo=Spki,extensions=Exts}.
-
-transform_sub_tree(asn1_NOVALUE,_) -> asn1_NOVALUE;
-transform_sub_tree(TreeList,Func) ->
- [Tree#'GeneralSubtree'{base=transform(Name,Func)} ||
- Tree = #'GeneralSubtree'{base=Name} <- TreeList].
-
-attribute_type(?'id-at-name') -> 'X520name';
-attribute_type(?'id-at-surname') -> 'X520name';
-attribute_type(?'id-at-givenName') -> 'X520name';
-attribute_type(?'id-at-initials') -> 'X520name';
-attribute_type(?'id-at-generationQualifier') -> 'X520name';
-attribute_type(?'id-at-commonName') -> 'X520CommonName';
-attribute_type(?'id-at-localityName') -> 'X520LocalityName';
-attribute_type(?'id-at-stateOrProvinceName') -> 'X520StateOrProvinceName';
-attribute_type(?'id-at-organizationName') -> 'X520OrganizationName';
-attribute_type(?'id-at-organizationalUnitName') -> 'X520OrganizationalUnitName';
-attribute_type(?'id-at-title') -> 'X520Title';
-attribute_type(?'id-at-dnQualifier') -> 'X520dnQualifier';
-attribute_type(?'id-at-countryName') -> 'X520countryName';
-attribute_type(?'id-at-serialNumber') -> 'X520SerialNumber';
-attribute_type(?'id-at-pseudonym') -> 'X520Pseudonym';
-attribute_type(?'id-domainComponent') -> 'DomainComponent';
-attribute_type(?'id-emailAddress') -> 'EmailAddress';
-attribute_type(Type) -> Type.
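Review bot: The fallback `translate_cert_polices/1` assumes every optional field is present. `Qs = [translate_cert_polices(Q) || Q <- Qs0]` raises `bad_generator` when `policyQualifiers` is `asn1_NOVALUE`. A user notice without `explicitText` does not match `explicitText = {Type, Text0}` and falls through `Other -> Other`, which leaves an `#'OTPUserNotice'{}` inside the returned `#'PolicyQualifierInfo'{}`. This assumes the OTP variants keep these fields OPTIONAL, as the `PolicyInformation` and `UserNotice` records in `public_key.hrl` do; their definitions are not in this hunk. The fallback runs on certificate data that already failed the strict decoder, so one over-long notice next to a qualifier-less policy would make the whole certificate decode crash. Separately, the comment cites 200 characters while `string:slice(Text0, 0, 350)` truncates at 350, and the comment in `encode_extensions/1` says "decode".

```erlang
translate_cert_polices(#'OTPPolicyInformation'{policyIdentifier = Id,
                                               policyQualifiers = asn1_NOVALUE}) ->
    #'PolicyInformation'{policyIdentifier = Id};
%% … unchanged: 'OTPPolicyInformation' clause with a qualifier list …
translate_cert_polices(#'OTPPolicyQualifierInfo'{policyQualifierId = Id, qualifier = Q0}) ->
    Q = case Q0 of
            #'OTPUserNotice'{noticeRef = Ref, explicitText = asn1_NOVALUE} ->
                #'UserNotice'{noticeRef = Ref};
            %% … unchanged: explicitText truncation clause and Other clause …
```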
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index 9c12bd1989..0f603c0f30 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -23,7 +23,7 @@
-module(pubkey_crl).
-moduledoc false.
--include("public_key.hrl").
+-include("public_key_internal.hrl").
-export([validate/7, init_revokation_state/0, fresh_crl/3, verify_crl_signature/4,
is_delta_crl/1, combines/2, match_one/2]).
@@ -41,7 +41,7 @@ validate(OtpCert, OtherDPCRLs, DP, {DerCRL, CRL}, {DerDeltaCRL, DeltaCRL},
TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
SerialNumber = TBSCert#'OTPTBSCertificate'.serialNumber,
CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
- TBSCRL = CRL#'CertificateList'.tbsCertList,
+ TBSCRL = CRL#'CertificateList'.toBeSigned,
CRLIssuer = TBSCRL#'TBSCertList'.issuer,
AltNames = case pubkey_cert:select_extension(?'id-ce-subjectAltName',
TBSCert#'OTPTBSCertificate'.extensions) of
@@ -68,7 +68,7 @@ fresh_crl(_, {undefined, undefined}, _) ->
%% Typically happens when there is no delta CRL that covers a CRL
no_fresh_crl;
-fresh_crl(DP, {_, #'CertificateList'{tbsCertList = TBSCRL}} = CRL, CallBack) ->
+fresh_crl(DP, {_, #'CertificateList'{toBeSigned = TBSCRL}} = CRL, CallBack) ->
Now = calendar:datetime_to_gregorian_seconds(calendar:universal_time()),
UpdateTime =
pubkey_cert:time_str_2_gregorian_sec(TBSCRL#'TBSCertList'.nextUpdate),
@@ -84,7 +84,7 @@ fresh_crl(DP, {_, #'CertificateList'{tbsCertList = TBSCRL}} = CRL, CallBack) ->
{fresh, CRL}
end.
-is_delta_crl(#'CertificateList'{tbsCertList = TBSCRL}) ->
+is_delta_crl(#'CertificateList'{toBeSigned = TBSCRL}) ->
Extensions = TBSCRL#'TBSCertList'.crlExtensions,
case pubkey_cert:select_extension(?'id-ce-deltaCRLIndicator',
Extensions) of
@@ -128,7 +128,7 @@ crl_status(#revoke_state{reasons_mask = Mask,
verify_crl(OtpCert, DP, CRL, DerCRL, DeltaCRL, DerDeltaCRL, OtherDPCRLs,
Options, State0) ->
- #'CertificateList'{tbsCertList =
+ #'CertificateList'{toBeSigned =
#'TBSCertList'{crlExtensions = Extensions,
revokedCertificates = TmpRevoked}
} = CRL,
@@ -254,7 +254,7 @@ validate_crl_signing_cert(OtpCert, IssuerFun, #userstate{dpcrls = CRLInfo} = Use
delta_revoked(undefined)->
[];
-delta_revoked(#'CertificateList'{tbsCertList =
+delta_revoked(#'CertificateList'{toBeSigned =
#'TBSCertList'{revokedCertificates
= DeltaRevoked}}) ->
revoked(DeltaRevoked).
@@ -314,7 +314,7 @@ all_reasons() ->
verify_issuer_and_scope(#'OTPCertificate'{tbsCertificate = TBSCert} = Cert,
#'DistributionPoint'{cRLIssuer = DPIssuer} = DP, IDP,
- #'CertificateList'{tbsCertList = TBSCRL} = CRL)
+ #'CertificateList'{toBeSigned = TBSCRL} = CRL)
when DPIssuer =/= asn1_NOVALUE ->
CRLIssuer = pubkey_cert_records:transform(TBSCRL#'TBSCertList'.issuer, decode),
Issuer = dp_crlissuer_to_issuer(DPIssuer),
@@ -331,7 +331,7 @@ verify_issuer_and_scope(#'OTPCertificate'{tbsCertificate = TBSCert} = Cert,
end;
verify_issuer_and_scope(#'OTPCertificate'{tbsCertificate = TBSCert}= Cert,
DP, IDP,
- #'CertificateList'{tbsCertList = TBSCRL}) ->
+ #'CertificateList'{toBeSigned = TBSCRL}) ->
CRLIssuer = pubkey_cert_records:transform(TBSCRL#'TBSCertList'.issuer, decode),
CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
case pubkey_cert:is_issuer(CertIssuer, CRLIssuer) of
@@ -463,8 +463,8 @@ verify_onlyContainsAttributeCerts(
#'IssuingDistributionPoint'{onlyContainsAttributeCerts = Bool}) ->
not Bool.
-check_crl_num(#'CertificateList'{tbsCertList = TBSCRL},
- #'CertificateList'{tbsCertList = TBSDeltaCRL})->
+check_crl_num(#'CertificateList'{toBeSigned = TBSCRL},
+ #'CertificateList'{toBeSigned = TBSDeltaCRL})->
Extensions = TBSCRL#'TBSCertList'.crlExtensions,
DeltaExtensions = TBSDeltaCRL#'TBSCertList'.crlExtensions,
@@ -501,8 +501,8 @@ assert_extension_value(Extension, ExtType, Extensions) ->
check_delta_issuer_and_scope(_, undefined) ->
true;
-check_delta_issuer_and_scope(#'CertificateList'{tbsCertList = TBSCRL},
- #'CertificateList'{tbsCertList = TBSDeltaCRL}) ->
+check_delta_issuer_and_scope(#'CertificateList'{toBeSigned = TBSCRL},
+ #'CertificateList'{toBeSigned = TBSDeltaCRL}) ->
case pubkey_cert:is_issuer(TBSCRL#'TBSCertList'.issuer,
TBSDeltaCRL#'TBSCertList'.issuer) of
true ->
@@ -578,17 +578,17 @@ verify_crl_signature(CRL, DerCRL, Key, KeyParams) ->
end.
extract_crl_verify_data(CRL, DerCRL) ->
Signature = CRL#'CertificateList'.signature,
- #'AlgorithmIdentifier'{algorithm = SigAlg} =
- CRL#'CertificateList'.signatureAlgorithm,
+ #'CertificateList_algorithmIdentifier'{algorithm = SigAlg} =
+ CRL#'CertificateList'.algorithmIdentifier,
PlainText = encoded_tbs_crl(DerCRL),
{DigestType, _} = public_key:pkix_sign_types(SigAlg),
{DigestType, PlainText, Signature}.
encoded_tbs_crl(CRL) ->
{ok, PKIXCRL} =
- 'OTP-PUB-KEY':decode_TBSCertList_exclusive(CRL),
+ 'PKIX1Explicit-2009':decode_TBSCertList_exclusive(CRL),
{'CertificateList',
- {'CertificateList_tbsCertList', EncodedTBSCertList}, _, _} = PKIXCRL,
+ {'CertificateList_toBeSigned', EncodedTBSCertList}, _, _} = PKIXCRL,
EncodedTBSCertList.
check_revoked(_,_,_,_,_,[], State) ->
@@ -653,7 +653,7 @@ verify_crl_keybit(#'OTPCertificate'{tbsCertificate = TBS}, Bit) ->
true
end.
-issuer_id(Cert, #'CertificateList'{tbsCertList = TBSCRL}) ->
+issuer_id(Cert, #'CertificateList'{toBeSigned = TBSCRL}) ->
Extensions =
pubkey_cert:extensions_list(TBSCRL#'TBSCertList'.crlExtensions),
case authority_key_identifier(Extensions) of
diff --git a/lib/public_key/src/pubkey_ocsp.erl b/lib/public_key/src/pubkey_ocsp.erl
index f859f551c0..26df0a9595 100644
--- a/lib/public_key/src/pubkey_ocsp.erl
+++ b/lib/public_key/src/pubkey_ocsp.erl
@@ -22,8 +22,8 @@
-module(pubkey_ocsp).
-moduledoc false.
--feature(maybe_expr,enable).
--include("public_key.hrl").
+
+-include("public_key_internal.hrl").
-export([find_single_response/3,
get_acceptable_response_types_extn/0,
@@ -58,7 +58,7 @@ verify_response(#'BasicOCSPResponse'{
ok ?= verify_past_timestamp(ProducedAt),
ok ?= verify_signature(
public_key:der_encode('ResponseData', ResponseData),
- SignatureAlgo#'AlgorithmIdentifier'.algorithm,
+ SignatureAlgo#'BasicOCSPResponse_signatureAlgorithm'.algorithm,
Signature, ResponderCerts,
ResponderID, IssuerCert, IsTrustedResponderFun),
verify_nonce(ResponseData, Nonce)
@@ -112,7 +112,7 @@ match_single_response(IssuerName, IssuerKey, SerialNum,
SingleResponse | Tail]) ->
#'SingleResponse'{thisUpdate = ThisUpdate,
nextUpdate = NextUpdate} = SingleResponse,
- HashType = public_key:pkix_hash_type(Algo#'AlgorithmIdentifier'.algorithm),
+ HashType = public_key:pkix_hash_type(Algo#'CertID_hashAlgorithm'.algorithm),
case (SerialNum == CertID#'CertID'.serialNumber) andalso
(crypto:hash(HashType, IssuerName) == CertID#'CertID'.issuerNameHash) andalso
(crypto:hash(HashType, IssuerKey) == CertID#'CertID'.issuerKeyHash) andalso
diff --git a/lib/public_key/src/pubkey_pbe.erl b/lib/public_key/src/pubkey_pbe.erl
index 92515a4192..242f42397d 100644
--- a/lib/public_key/src/pubkey_pbe.erl
+++ b/lib/public_key/src/pubkey_pbe.erl
@@ -24,7 +24,13 @@
-module(pubkey_pbe).
-moduledoc false.
--include("public_key.hrl").
+-include("PKCS-FRAME.hrl").
+
+-include("PKCS-1.hrl").
+
+-define('id-aes128-CBC', {2,16,840,1,101,3,4,1,2}).
+-define('id-aes192-CBC', {2,16,840,1,101,3,4,1,22}).
+-define('id-aes256-CBC', {2,16,840,1,101,3,4,1,42}).
-export([encode/4, decode/4, decrypt_parameters/1, encrypt_parameters/1]).
-export([pbdkdf1/4, pbdkdf2/7]).
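Review bot: The three AES-CBC object identifiers added here are typed in by hand, with nothing to say where they come from or why the headers included just above do not supply them. A one-line comment above the defines would let a reader check the values against the ASN.1 source, for example `%% AES-CBC OIDs from the NIST aes arc (2.16.840.1.101.3.4.1); defined locally because the included headers do not provide them.` The second half of that comment is an assumption to confirm before committing it.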
@@ -108,18 +114,17 @@ pbdkdf2(Password, Salt, Count, DerivedKeyLen, Prf, PrfHash, PrfOutputLen)->
blocks(NumBlocks, NumLastBlockOctets, 1, Password, Salt,
Count, Prf, PrfHash, PrfOutputLen, <<>>).
%%--------------------------------------------------------------------
--spec decrypt_parameters(#'EncryptedPrivateKeyInfo_encryptionAlgorithm'{}) ->
- {Cipher::string(), #'PBES2-params'{}}.
-%%
+-spec decrypt_parameters(#'EncryptionAlgorithmIdentifier'{}) ->
+ {Cipher::string(), #'PBES2-params'{}}.
+
%% Description: Performs ANS1-decoding of encryption parameters.
%%--------------------------------------------------------------------
-decrypt_parameters(#'EncryptedPrivateKeyInfo_encryptionAlgorithm'{
+decrypt_parameters(#'EncryptionAlgorithmIdentifier'{
algorithm = Oid, parameters = Param}) ->
- decrypt_parameters(Oid, decode_handle_open_type_wrapper(Param)).
-
+ decrypt_parameters(Oid, decode_handle_open_type_wrapper(Param)).
%%--------------------------------------------------------------------
-spec encrypt_parameters({Cipher::string(), Params::term()}) ->
- #'EncryptedPrivateKeyInfo_encryptionAlgorithm'{}.
+ #'EncryptionAlgorithmIdentifier'{}.
%%
%% Description: Performs ANS1-decoding of encryption parameters.
%%--------------------------------------------------------------------
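Review bot: The description kept on `encrypt_parameters/1` at the end of this hunk still reads `Performs ANS1-decoding of encryption parameters`, which is the text belonging to `decrypt_parameters/1`. Since the spec directly above it is being touched anyway, it should describe encoding: `%% Description: Performs ASN.1-encoding of encryption parameters.` The hunk also drops the blank line after the body of `decrypt_parameters/1`, so the function now runs straight into the next banner; keeping that blank line would match the rest of the file. The body of `encrypt_parameters/1` lies outside the hunk.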
@@ -206,13 +211,13 @@ decrypt_parameters(?'pbeWithMD5AndDES-CBC', DekParams) ->
encrypt_parameters(_Cipher, #'PBES2-params'{} = Params) ->
{ok, Der} ='PKCS-FRAME':encode('PBES2-params', Params),
- #'EncryptedPrivateKeyInfo_encryptionAlgorithm'{
+ #'EncryptionAlgorithmIdentifier'{
algorithm = ?'id-PBES2',
parameters = encode_handle_open_type_wrapper(Der)};
encrypt_parameters(Cipher, {#'PBEParameter'{} = Params, Hash}) ->
{ok, Der} ='PKCS-FRAME':encode('PBEParameter', Params),
- #'EncryptedPrivateKeyInfo_encryptionAlgorithm'{
+ #'EncryptionAlgorithmIdentifier'{
algorithm = pbe1_oid(Cipher, Hash),
parameters = encode_handle_open_type_wrapper(Der)}.
diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl
index 08e46e67dc..527c9b888a 100644
--- a/lib/public_key/src/pubkey_pem.erl
+++ b/lib/public_key/src/pubkey_pem.erl
@@ -44,6 +44,21 @@
-module(pubkey_pem).
-moduledoc false.
+-record('PBEParameter', {
+ salt,
+ iterationCount
+}).
+
+-record('PBES2-params', {
+ keyDerivationFunc,
+ encryptionScheme
+}).
+
+-record('EncryptedPrivateKeyInfo', {
+ encryptionAlgorithm,
+ encryptedData
+}).
+
-include("public_key.hrl").
-export([encode/1, decode/1, decipher/2, cipher/3]).
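Review bot: These three records are declared by hand in front of `-include("public_key.hrl")`, while `pubkey_pbe.erl` in this same patch presumably gets `'PBEParameter'` and `'PBES2-params'` from the generated `PKCS-FRAME.hrl` it now includes. Records are positional tuples, so if a generated definition gains or reorders a field, the two modules will silently disagree on terms that describe how an encrypted private key is decrypted. If the generated header cannot be included here (a name clash with `public_key.hrl` would be one reason, which this hunk does not show), a comment should say so, e.g. `%% Copied from the generated PKCS-FRAME.hrl; keep field order in sync.`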
diff --git a/lib/public_key/src/pubkey_policy_tree.erl b/lib/public_key/src/pubkey_policy_tree.erl
index 9fafbcea37..d5abc69bf5 100644
--- a/lib/public_key/src/pubkey_policy_tree.erl
+++ b/lib/public_key/src/pubkey_policy_tree.erl
@@ -22,7 +22,7 @@
-module(pubkey_policy_tree).
-moduledoc false.
--include("../include/public_key.hrl").
+-include("public_key_internal.hrl").
%% API
-export([add_leaves/2,
@@ -138,16 +138,11 @@ all_leaves({_, Leaves}) ->
collect_qualifiers({_, ChildNodes}, Policy) ->
FormatQualifier =
fun(#'PolicyQualifierInfo'{policyQualifierId = ?'id-qt-unotice',
- qualifier = Qualifier}) ->
- try public_key:der_decode('UserNotice', Qualifier) of
- Notice ->
- Notice
- catch error:_ ->
- handle_too_long_notice(Qualifier)
- end;
+ qualifier = Qualifier}) when is_tuple(Qualifier) ->
+ Qualifier;
(#'PolicyQualifierInfo'{policyQualifierId = ?'id-qt-cps',
qualifier = Qualifier}) ->
- {uri, public_key:der_decode('CPSuri', Qualifier)}
+ {uri, Qualifier}
end,
Collect = fun(#{qualifier_set := QSet}) ->
lists:map(FormatQualifier, QSet)
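Review bot: The rewritten `id-qt-unotice` clause of `FormatQualifier` only matches `when is_tuple(Qualifier)` and has no fallback, so a qualifier that arrives in any other shape makes `lists:map/2` fail with `function_clause` while policy qualifiers from a certificate are being collected. The removed code, together with `handle_too_long_notice/1` deleted in the last hunk of this file, returned a placeholder `#'UserNotice'{}` for notices it could not decode. Whether the new decoder can still deliver an undecoded qualifier is not visible here, but the guard suggests it can. A second clause would keep that behaviour for certificate-supplied data: `(#'PolicyQualifierInfo'{policyQualifierId = ?'id-qt-unotice'}) -> #'UserNotice'{noticeRef = asn1_NOVALUE, explicitText = "User Notice much too long, so value is ignored"};`. The rest of `collect_qualifiers/2` lies outside the hunk.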
@@ -408,16 +403,3 @@ prune_invalid_nodes_children(ChildNodes, InvalidNodes) when is_list(ChildNodes)-
(#{} = Child) -> % Possibly prune leaf
keep_policy_node(Child, InvalidNodes)
end, ChildNodes).
-
-handle_too_long_notice(Qualifier) ->
- %% RFC 3280 states that certificate users SHOULD gracefully handle
- %% explicitText with more than 200 characters.
- try public_key:der_decode('OTPUserNotice', Qualifier) of % Allow real value up to 350
- #'OTPUserNotice'{noticeRef = Ref,
- explicitText = DispText} ->
- #'UserNotice'{noticeRef = Ref,
- explicitText = DispText}
- catch error:_ -> %% Otherwhise return gracefully default
- #'UserNotice'{noticeRef = asn1_NOVALUE,
- explicitText = "User Notice much too long, so value is ignored"}
- end.
diff --git a/lib/public_key/src/pubkey_translation.erl b/lib/public_key/src/pubkey_translation.erl
new file mode 100644
index 0000000000..c4fdd0d54b
--- /dev/null
+++ b/lib/public_key/src/pubkey_translation.erl
@@ -0,0 +1,104 @@
+%%
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: Apache-2.0
+%%
+%% Copyright Ericsson AB 2008-2025. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%% http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+-module(pubkey_translation).
+-moduledoc false.
+
+-export([decode/1,encode/1]).
+
+-include("public_key_internal.hrl").
+
+decode(#'SubjectPublicKeyInfo'{algorithm=AlgId0,subjectPublicKey=Key}) ->
+ #'SubjectPublicKeyInfo_algorithm'{algorithm=AlgId1,parameters=Params1} = AlgId0,
+ AlgId = decode(AlgId1),
+ Params = decode(Params1),
+ #'SubjectPublicKeyInfo'{algorithm={'PublicKeyAlgorithm', AlgId, Params},
+ subjectPublicKey=Key};
+decode(#'DSA-Params'{p=P,q=Q,g=G}) ->
+ {params, #'Dss-Parms'{p=P,q=Q,g=G}};
+decode(#'DSA-Sig-Value'{r = R, s = S}) ->
+ {'Dss-Sig-Value', R,S};
+decode(#'OTPExtension'{}=E) ->
+ setelement(1, E, 'Extension');
+decode(#'SingleAttribute'{type=T,value=V}) ->
+ #'AttributeTypeAndValue'{type=T,value=V};
+decode({'OneAsymmetricKey', Vsn, KeyAlg, PrivKey, Attrs, PubKey} = Orig) -> %% Defined In PKCS_FRAME
+ case Vsn of
+ v1 -> {'PrivateKeyInfo', Vsn, KeyAlg, PrivKey, Attrs, PubKey};
+ _ -> Orig
+ end;
+decode(Tuple) when is_tuple(Tuple) ->
+ case is_simple_tuple(Tuple) of
+ true ->
+ Tuple;
+ false ->
+ list_to_tuple(decode_list(tuple_to_list(Tuple)))
+ end;
+decode(List) when is_list(List) ->
+ decode_list(List);
+decode(Other) ->
+ Other.
+
+decode_list(List) ->
+ [decode(E) || E <- List].
+
+encode(#'SubjectPublicKeyInfo'{algorithm={'PublicKeyAlgorithm', AlgId0, Params},
+ subjectPublicKey=Key}) ->
+ AlgId1 = encode(AlgId0),
+ Params1 = encode(Params),
+ Alg = #'SubjectPublicKeyInfo_algorithm'{algorithm=AlgId1,parameters=Params1},
+ #'SubjectPublicKeyInfo'{algorithm=Alg,subjectPublicKey=Key};
+encode(#'AttributeTypeAndValue'{type=T,value=V}) ->
+ #'SingleAttribute'{type=T,value=V};
+encode(#'SingleAttribute'{type=T,value={correct,V}}) ->
+ #'SingleAttribute'{type=T,value=V};
+encode({'PrivateKeyInfo', Vsn, KeyAlg, PrivKey, Attrs, PubKey}) ->
+ {'OneAsymmetricKey', Vsn, KeyAlg, PrivKey, Attrs, PubKey};
+encode({params, #'Dss-Parms'{p=P,q=Q,g=G}}) ->
+ #'DSA-Params'{p=P,q=Q,g=G};
+encode({'Dss-Sig-Value', R,S}) ->
+ #'DSA-Sig-Value'{r = R, s = S};
+encode(Tuple) when is_tuple(Tuple) ->
+ case is_simple_tuple(Tuple) of
+ true ->
+ Tuple;
+ false ->
+ list_to_tuple(encode_list(tuple_to_list(Tuple)))
+ end;
+encode(List) when is_list(List) ->
+ encode_list(List);
+encode(Other) ->
+ Other.
+
+encode_list(List) ->
+ [encode(E) || E <- List].
+
+is_simple_tuple({'Extension',_,_,Bin}) when is_binary(Bin) ->
+ true;
+is_simple_tuple(Tuple) ->
+ case element(1, Tuple) of
+ Int when is_integer(Int) -> true;
+ asn1_OPENTYPE -> true;
+ 'RSAPublicKey' -> true;
+ utcTime -> true;
+ _ -> false
+ end.
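Review bot: Nothing in this new module says which direction is which or why the rules are not symmetric. `decode/1` rewrites `#'OTPExtension'{}` to `'Extension'` with no inverse in `encode/1`, `encode/1` unwraps `{correct, V}` with no counterpart in `decode/1`, and `is_simple_tuple/1` exempts a fixed set of tags from traversal without explanation. The generic `der_decode/2` and `der_encode/2` clauses route their terms through here, so the contract should be reviewable: add a header comment such as `%% decode/1: records from the generated ASN.1 modules -> documented public_key API terms; encode/1: the reverse.` plus `-spec decode(term()) -> term().` and `-spec encode(term()) -> term().` Separately, `is_simple_tuple/1` calls `element(1, Tuple)`, which raises `badarg` for `{}`; because `encode/1` receives caller-supplied terms, a leading clause `is_simple_tuple({}) -> true;` would leave that case to the ASN.1 encoder's own error handling.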
diff --git a/lib/public_key/src/public_key.app.src b/lib/public_key/src/public_key.app.src
index 400995825c..570dd1d6e6 100644
--- a/lib/public_key/src/public_key.app.src
+++ b/lib/public_key/src/public_key.app.src
@@ -8,18 +8,40 @@
{application, public_key,
[{description, "Public key infrastructure"},
{vsn, "%VSN%"},
- {modules, [public_key,
- pubkey_pem,
- pubkey_pbe,
- pubkey_ssh,
+ {modules, ['AlgorithmInformation-2009',
+ 'AttributeCertificateVersion1-2009',
+ 'CMSAesRsaesOaep-2009',
+ 'CryptographicMessageSyntax-2009',
+ 'CryptographicMessageSyntaxAlgorithms-2009',
+ 'DSS',
+ 'ECPrivateKey',
+ 'OCSP-2024-08',
+ 'OTP-PKIX',
+ 'PKCS-1',
+ 'PKCS-10',
+ 'PKCS-3',
+ 'PKCS-FRAME',
+ 'PKIX-CommonTypes-2009',
+ 'PKIX-X400Address-2009',
+ 'PKIX1-PSS-OAEP-Algorithms-2009',
+ 'PKIX1Explicit-2009',
+ 'PKIX1Implicit-2009',
+ 'PKIXAlgs-2009',
+ 'PKIXAttributeCertificate-2009',
+ 'RFC5639',
+ 'Safecurves-pkix-18',
+ 'SecureMimeMessageV3dot1-2009',
+ public_key,
pubkey_cert,
- pubkey_policy_tree,
pubkey_cert_records,
pubkey_crl,
pubkey_ocsp,
pubkey_os_cacerts,
- 'OTP-PUB-KEY',
- 'PKCS-FRAME'
+ pubkey_pbe,
+ pubkey_pem,
+ pubkey_policy_tree,
+ pubkey_ssh,
+ pubkey_translation
]},
{applications, [asn1, crypto, kernel, stdlib]},
{registered, []},
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 6535cc0011..6fb868465f 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -43,8 +43,7 @@
{function,<<"Legacy RSA Encryption API">>}
]}).
--feature(maybe_expr,enable).
--include("public_key.hrl").
+-include("public_key_internal.hrl").
-export([pem_decode/1, pem_encode/1,
der_decode/2, der_encode/2,
@@ -398,17 +396,18 @@ pem_encode(PemEntries) when is_list(PemEntries) ->
-spec pem_entry_decode(PemEntry) -> term() when PemEntry :: pem_entry() .
pem_entry_decode({'SubjectPublicKeyInfo', Der, _}) ->
- {_, {'AlgorithmIdentifier', AlgId, Params}, Key0}
- = der_decode('SubjectPublicKeyInfo', Der),
+ {_, {'PublicKeyAlgorithm', AlgId, Params0}, Key0} =
+ der_decode('SubjectPublicKeyInfo', Der),
+
KeyType = pubkey_cert_records:supportedPublicKeyAlgorithms(AlgId),
case KeyType of
'RSAPublicKey' ->
der_decode(KeyType, Key0);
'DSAPublicKey' ->
- {params, DssParams} = der_decode('DSAParams', Params),
- {der_decode(KeyType, Key0), DssParams};
+ {params, Params} = Params0,
+ {der_decode(KeyType, Key0), Params};
'ECPoint' ->
- ECCParams = ec_decode_params(AlgId, Params),
+ ECCParams = ec_decode_params(AlgId, Params0),
{#'ECPoint'{point = Key0}, ECCParams}
end;
pem_entry_decode({Asn1Type, Der, not_encrypted}) when is_atom(Asn1Type),
@@ -465,26 +464,23 @@ pem_entry_encode('SubjectPublicKeyInfo', Entity=#'RSAPublicKey'{}) ->
parameters =?DER_NULL}, KeyDer),
pem_entry_encode('SubjectPublicKeyInfo', Spki);
pem_entry_encode('SubjectPublicKeyInfo',
- {DsaInt, Params=#'Dss-Parms'{}}) when is_integer(DsaInt) ->
+ {DsaInt, Params0=#'Dss-Parms'{}}) when is_integer(DsaInt) ->
+ #'Dss-Parms'{p=P, q=Q, g=G} = Params0,
+ Params = #'DSA-Params'{p=P, q=Q, g=G},
KeyDer = der_encode('DSAPublicKey', DsaInt),
- ParamDer = der_encode('DSAParams', {params, Params}),
- Spki = subject_public_key_info(#'AlgorithmIdentifier'{algorithm =?'id-dsa',
- parameters = ParamDer},
- KeyDer),
- pem_entry_encode('SubjectPublicKeyInfo', Spki);
-pem_entry_encode('SubjectPublicKeyInfo',
- {#'ECPoint'{point = Key}, {namedCurve, ?'id-Ed25519' = ID}}) when is_binary(Key)->
- Spki = subject_public_key_info(#'AlgorithmIdentifier'{algorithm = ID}, Key),
+ AlgId = #'SubjectPublicKeyInfo_algorithm'{algorithm=?'id-dsa',
+ parameters=Params},
+ Spki = subject_public_key_info(AlgId, KeyDer),
pem_entry_encode('SubjectPublicKeyInfo', Spki);
pem_entry_encode('SubjectPublicKeyInfo',
- {#'ECPoint'{point = Key}, {namedCurve, ?'id-Ed448' = ID}}) when is_binary(Key)->
- Spki = subject_public_key_info(#'AlgorithmIdentifier'{algorithm = ID}, Key),
+ {#'ECPoint'{point = Key}, {namedCurve, ID}})
+ when is_binary(Key), ID =:= ?'id-Ed448' orelse ID =:= ?'id-Ed25519' ->
+ Spki = subject_public_key_info(#'PublicKeyAlgorithm'{algorithm = ID}, Key),
pem_entry_encode('SubjectPublicKeyInfo', Spki);
pem_entry_encode('SubjectPublicKeyInfo',
{#'ECPoint'{point = Key}, ECParam}) when is_binary(Key)->
- Params = der_encode('EcpkParameters',ECParam),
- Spki = subject_public_key_info(#'AlgorithmIdentifier'{algorithm =?'id-ecPublicKey',
- parameters = Params},
+ Spki = subject_public_key_info(#'PublicKeyAlgorithm'{algorithm =?'id-ecPublicKey',
+ parameters = ECParam},
Key),
pem_entry_encode('SubjectPublicKeyInfo', Spki);
pem_entry_encode(Asn1Type, Entity) when is_atom(Asn1Type) ->
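Review bot: The rewritten clauses build the algorithm field in two different shapes. The DSA clause passes `#'SubjectPublicKeyInfo_algorithm'{}` holding an already converted `#'DSA-Params'{}`, while the Ed25519/Ed448 and EC clauses pass `#'PublicKeyAlgorithm'{}` holding the caller's term. `pubkey_translation:encode/1`, added in this patch, already converts `{'PublicKeyAlgorithm', _, _}` and `{params, #'Dss-Parms'{}}`, so the DSA clause could use the same form, `#'PublicKeyAlgorithm'{algorithm = ?'id-dsa', parameters = {params, Params0}}`, and drop the manual field copy. `subject_public_key_info/2` and the encode path it feeds are outside the hunk, so this assumes the term does reach that translation step.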
@@ -550,16 +546,71 @@ der_decode(Asn1Type, Der) when (((Asn1Type == 'PrivateKeyInfo')
error:{badmatch, {error, _}} = Error ->
handle_pkcs_frame_error(Asn1Type, Der, Error)
end;
-
+der_decode('EcpkParameters', Der) ->
+ try
+ {ok, Decoded} = 'PKIXAlgs-2009':decode('ECParameters', Der),
+ pubkey_translation:decode(Decoded)
+ catch
+ error:{badmatch, {error, _}} = Error ->
+ erlang:error(Error)
+ end;
+der_decode('Dss-Sig-Value', Der) ->
+ try
+ {ok, Decoded} = 'PKIXAlgs-2009':decode('DSA-Sig-Value', Der),
+ pubkey_translation:decode(Decoded)
+ catch
+ error:{badmatch, {error, _}} = Error ->
+ erlang:error(Error)
+ end;
der_decode(Asn1Type, Der) when is_atom(Asn1Type), is_binary(Der) ->
- try
- {ok, Decoded} = 'OTP-PUB-KEY':decode(Asn1Type, Der),
- Decoded
- catch
+ Asn1Module = get_asn1_module(Asn1Type),
+ try
+ {ok, Decoded} = Asn1Module:decode(Asn1Type, Der),
+ pubkey_translation:decode(Decoded)
+ catch
error:{badmatch, {error, _}} = Error ->
erlang:error(Error)
end.
+get_asn1_module('BasicOCSPResponse') -> 'OCSP-2024-08';
+get_asn1_module('Nonce') -> 'OCSP-2024-08';
+get_asn1_module('OCSPResponse') -> 'OCSP-2024-08';
+get_asn1_module('ResponseData') -> 'OCSP-2024-08';
+get_asn1_module('Name') -> 'PKIX1Explicit-2009';
+get_asn1_module('Extensions') -> 'OTP-PKIX';
+
+get_asn1_module('AuthorityInfoAccessSyntax') -> 'PKIX1Implicit-2009';
+get_asn1_module('AuthorityKeyIdentifier') -> 'PKIX1Implicit-2009';
+get_asn1_module('BasicConstraints') -> 'PKIX1Implicit-2009';
+get_asn1_module('ExtKeyUsageSyntax') -> 'PKIX1Implicit-2009';
+get_asn1_module('KeyUsage') -> 'PKIX1Implicit-2009';
+get_asn1_module('RSAPublicKey') -> 'PKIXAlgs-2009';
+get_asn1_module('SubjectKeyIdentifier') -> 'CryptographicMessageSyntax-2009';
+
+get_asn1_module('Certificate') -> 'PKIX1Explicit-2009';
+get_asn1_module('CertificateList') -> 'PKIX1Explicit-2009';
+get_asn1_module('CertificationRequest') -> 'PKCS-10';
+get_asn1_module('ContentInfo') -> 'CryptographicMessageSyntax-2009';
+get_asn1_module('CurvePrivateKey') -> 'Safecurves-pkix-18';
+get_asn1_module('DHParameter') -> 'PKCS-3';
+get_asn1_module('ECPrivateKey') -> 'ECPrivateKey';
+get_asn1_module('DSA-Params') -> 'PKIXAlgs-2009';
+get_asn1_module('DSAPrivateKey') -> 'DSS';
+get_asn1_module('DSAPublicKey') -> 'PKIXAlgs-2009';
+get_asn1_module('ECDSA-Sig-Value') -> 'PKIXAlgs-2009';
+get_asn1_module('RSAPrivateKey') -> 'PKCS-1';
+get_asn1_module('RSASSA-PSS-params') -> 'PKIX1-PSS-OAEP-Algorithms-2009';
+get_asn1_module('SubjectPublicKeyInfo') -> 'PKIX1Explicit-2009';
+get_asn1_module('OTPTBSCertificate') -> 'OTP-PKIX';
+get_asn1_module('OTPCertificate') -> 'OTP-PKIX';
+get_asn1_module('CRLDistributionPoints') -> 'PKIX1Implicit-2009';
+get_asn1_module('CRLReason') -> 'PKIX1Implicit-2009';
+get_asn1_module('CRLNumber') -> 'PKIX1Implicit-2009';
+get_asn1_module('FreshestCRL') -> 'PKIX1Implicit-2009';
+get_asn1_module('IssuingDistributionPoint') -> 'PKIX1Implicit-2009';
+get_asn1_module('GeneralNames') -> 'PKIX1Implicit-2009'.
+
+
handle_pkcs_frame_error('PrivateKeyInfo', Der, _) ->
try
{ok, Decoded} = 'PKCS-FRAME':decode('OneAsymmetricKey', Der),
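Review bot: `get_asn1_module/1` has no clause for a type missing from this table, and the generic `der_decode/2` clause calls it before entering the `try`, so an unlisted type atom fails with `function_clause` rather than through the decode-error path that the `catch` re-raises. The generic `der_encode/2` clause later in this patch has the same shape. Types that code removed elsewhere in this patch still passed to these functions (`'DSAParams'`, `'Dss-Parms'`, `'Prime-p'`) are not in the table, and nothing here states whether narrowing the public `der_decode/2`/`der_encode/2` API is intended. I would add either a final clause such as `get_asn1_module(Type) -> erlang:error({unsupported_asn1_type, Type}).` or a comment above the table, `%% Only these types are supported by the generic der_decode/2 and der_encode/2 clauses.` The first clause of `der_decode/2` starts outside the hunk.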
@@ -571,22 +622,28 @@ handle_pkcs_frame_error('PrivateKeyInfo', Der, _) ->
handle_pkcs_frame_error(_, _, Error) ->
erlang:error(Error).
-der_priv_key_decode(#'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm =
- #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-ecPublicKey',
- parameters = {asn1_OPENTYPE, Parameters}},
- privateKey = PrivKey}) ->
+%% The type for a DSA private key is not defined in any of our ASN.1 modules.
+%% However, we KNOW that it has the same type as the public key (an INTEGER).
+-define(dsa_private_key_type, 'DSAPublicKey').
+
+%% NOTE: No longer defined in modern ASN.1 specs.
+der_priv_key_decode(#'OneAsymmetricKey'{version = v1,
+ privateKeyAlgorithm =
+ #'PrivateKeyAlgorithmIdentifier'{algorithm = ?'id-ecPublicKey',
+ parameters = {asn1_OPENTYPE, Parameters}},
+ privateKey = PrivKey}) ->
EcPrivKey = der_decode('ECPrivateKey', PrivKey),
EcPrivKey#'ECPrivateKey'{parameters = der_decode('EcpkParameters', Parameters)};
-der_priv_key_decode(#'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm =#'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = CurveOId},
- privateKey = CurvePrivKey}) when
+der_priv_key_decode(#'OneAsymmetricKey'{version = v1,
+ privateKeyAlgorithm =
+ #'PrivateKeyAlgorithmIdentifier'{algorithm = CurveOId},
+ privateKey = CurvePrivKey}) when
CurveOId == ?'id-Ed25519'orelse
CurveOId == ?'id-Ed448' ->
PrivKey = der_decode('CurvePrivateKey', CurvePrivKey),
#'ECPrivateKey'{version = 1, parameters = {namedCurve, CurveOId}, privateKey = PrivKey};
der_priv_key_decode(#'OneAsymmetricKey'{
- privateKeyAlgorithm = #'OneAsymmetricKey_privateKeyAlgorithm'{algorithm = CurveOId},
+ privateKeyAlgorithm = #'PrivateKeyAlgorithmIdentifier'{algorithm = CurveOId},
privateKey = CurvePrivKey,
attributes = Attr,
publicKey = PubKey}) when
@@ -596,36 +653,36 @@ der_priv_key_decode(#'OneAsymmetricKey'{
#'ECPrivateKey'{version = 2, parameters = {namedCurve, CurveOId}, privateKey = PrivKey,
attributes = Attr,
publicKey = PubKey};
-der_priv_key_decode(#'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm =
- #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'rsaEncryption'},
- privateKey = PrivKey}) ->
+der_priv_key_decode(#'OneAsymmetricKey'{version = v1,
+ privateKeyAlgorithm =
+ #'PrivateKeyAlgorithmIdentifier'{algorithm = ?'rsaEncryption'},
+ privateKey = PrivKey}) ->
der_decode('RSAPrivateKey', PrivKey);
-der_priv_key_decode(#'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm =
- #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-RSASSA-PSS',
- parameters = {asn1_OPENTYPE, Parameters}},
- privateKey = PrivKey}) ->
+der_priv_key_decode(#'OneAsymmetricKey'{version = v1,
+ privateKeyAlgorithm =
+ #'PrivateKeyAlgorithmIdentifier'{algorithm = ?'id-RSASSA-PSS',
+ parameters = {asn1_OPENTYPE, Parameters}},
+ privateKey = PrivKey}) ->
Key = der_decode('RSAPrivateKey', PrivKey),
Params = der_decode('RSASSA-PSS-params', Parameters),
{Key, Params};
-der_priv_key_decode(#'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm =
- #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-RSASSA-PSS',
- parameters = asn1_NOVALUE},
- privateKey = PrivKey}) ->
+der_priv_key_decode(#'OneAsymmetricKey'{version = v1,
+ privateKeyAlgorithm =
+ #'PrivateKeyAlgorithmIdentifier'{algorithm = ?'id-RSASSA-PSS',
+ parameters = asn1_NOVALUE},
+ privateKey = PrivKey}) ->
Key = der_decode('RSAPrivateKey', PrivKey),
#'RSASSA-AlgorithmIdentifier'{parameters = Params} = ?'rSASSA-PSS-Default-Identifier',
{Key, Params};
-der_priv_key_decode(#'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm =
- #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-dsa',
- parameters =
- {asn1_OPENTYPE, Parameters}},
- privateKey = PrivKey}) ->
- {params, #'Dss-Parms'{p=P, q=Q, g=G}} = der_decode('DSAParams', Parameters),
- X = der_decode('Prime-p', PrivKey),
- #'DSAPrivateKey'{p=P, q=Q, g=G, x=X};
+der_priv_key_decode(#'OneAsymmetricKey'{version = v1,
+ privateKeyAlgorithm =
+ #'PrivateKeyAlgorithmIdentifier'{algorithm = ?'id-dsa',
+ parameters =
+ {asn1_OPENTYPE, Parameters}},
+ privateKey = PrivKey}) ->
+ {ok, #'DSA-Params'{p=P, q=Q, g=G}} = 'PKIXAlgs-2009':decode('DSA-Params', Parameters),
+ X = der_decode(?dsa_private_key_type, PrivKey),
+ #'DSAPrivateKey'{version=1, p=P, q=Q, g=G, x=X};
der_priv_key_decode(PKCS8Key) ->
PKCS8Key.
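Review bot: The comment `%% NOTE: No longer defined in modern ASN.1 specs.` above the first clause does not say what is no longer defined. From the change it appears to mean the `'PrivateKeyInfo'` record, which these clauses now match as `#'OneAsymmetricKey'{version = v1}`. Spelling that out, e.g. `%% PKCS#8 PrivateKeyInfo is no longer a separate type; it is OneAsymmetricKey with version v1.`, would also explain why the Ed25519/Ed448 clauses are now told apart only by the version field. The DSA clause also starts setting `version=1` on `#'DSAPrivateKey'{}` with no stated reason; that deserves a short why-comment, especially as `y` is not set in the record it returns.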
@@ -638,24 +695,24 @@ der_priv_key_decode(PKCS8Key) ->
Der :: binary() .
%%--------------------------------------------------------------------
der_encode('PrivateKeyInfo', #'DSAPrivateKey'{p=P, q=Q, g=G, x=X}) ->
- Params = der_encode('Dss-Parms', #'Dss-Parms'{p=P, q=Q, g=G}),
- Alg = #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-dsa',
- parameters =
- {asn1_OPENTYPE, Params}},
- Key = der_encode('Prime-p', X),
- der_encode('PrivateKeyInfo',
- #'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm = Alg,
- privateKey = Key});
+ Params = der_encode('DSA-Params', #'DSA-Params'{p=P, q=Q, g=G}),
+ Alg = #'PrivateKeyAlgorithmIdentifier'{algorithm = ?'id-dsa',
+ parameters =
+ {asn1_OPENTYPE, Params}},
+ Key = der_encode(?dsa_private_key_type, X),
+ der_encode('OneAsymmetricKey',
+ #'OneAsymmetricKey'{version = 0,
+ privateKeyAlgorithm = Alg,
+ privateKey = Key});
der_encode('PrivateKeyInfo', #'RSAPrivateKey'{} = PrivKey) ->
Parms = ?DER_NULL,
- Alg = #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'rsaEncryption',
- parameters = {asn1_OPENTYPE, Parms}},
+ Alg = #'PrivateKeyAlgorithmIdentifier'{algorithm = ?'rsaEncryption',
+ parameters = {asn1_OPENTYPE, Parms}},
Key = der_encode('RSAPrivateKey', PrivKey),
- der_encode('PrivateKeyInfo',
- #'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm = Alg,
- privateKey = Key});
+ der_encode('OneAsymmetricKey',
+ #'OneAsymmetricKey'{version = 0,
+ privateKeyAlgorithm = Alg,
+ privateKey = Key});
der_encode('PrivateKeyInfo', {#'RSAPrivateKey'{} = PrivKey, Parameters}) ->
#'RSASSA-AlgorithmIdentifier'{parameters = DefaultParams} = ?'rSASSA-PSS-Default-Identifier',
Params = case Parameters of
@@ -664,30 +721,30 @@ der_encode('PrivateKeyInfo', {#'RSAPrivateKey'{} = PrivKey, Parameters}) ->
_ ->
{asn1_OPENTYPE, der_encode('RSASSA-PSS-params', Parameters)}
end,
- Alg = #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-RSASSA-PSS',
+ Alg = #'PrivateKeyAlgorithmIdentifier'{algorithm = ?'id-RSASSA-PSS',
parameters = Params},
Key = der_encode('RSAPrivateKey', PrivKey),
- der_encode('PrivateKeyInfo', #'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm = Alg,
- privateKey = Key});
+ der_encode('OneAsymmetricKey', #'OneAsymmetricKey'{version = 0,
+ privateKeyAlgorithm = Alg,
+ privateKey = Key});
der_encode('PrivateKeyInfo', #'ECPrivateKey'{parameters = {namedCurve, CurveOId},
privateKey = Key}) when
CurveOId == ?'id-Ed25519' orelse
CurveOId == ?'id-Ed448' ->
CurvePrivKey = der_encode('CurvePrivateKey', Key),
- Alg = #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = CurveOId},
- der_encode('PrivateKeyInfo', #'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm = Alg,
- privateKey = CurvePrivKey});
+ Alg = #'PrivateKeyAlgorithmIdentifier'{algorithm = CurveOId},
+ der_encode('OneAsymmetricKey', #'OneAsymmetricKey'{version = 0,
+ privateKeyAlgorithm = Alg,
+ privateKey = CurvePrivKey});
der_encode('PrivateKeyInfo', #'ECPrivateKey'{parameters = Parameters} = PrivKey) ->
Params = der_encode('EcpkParameters', Parameters),
- Alg = #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-ecPublicKey',
+ Alg = #'PrivateKeyAlgorithmIdentifier'{algorithm = ?'id-ecPublicKey',
parameters = {asn1_OPENTYPE, Params}},
Key = der_encode('ECPrivateKey', PrivKey#'ECPrivateKey'{parameters = asn1_NOVALUE}),
- der_encode('PrivateKeyInfo',
- #'PrivateKeyInfo'{version = v1,
- privateKeyAlgorithm = Alg,
- privateKey = Key});
+ der_encode('OneAsymmetricKey',
+ #'OneAsymmetricKey'{version = 0,
+ privateKeyAlgorithm = Alg,
+ privateKey = Key});
der_encode('OneAsymmetricKey', #'ECPrivateKey'{parameters = {namedCurve, CurveOId},
privateKey = Key,
attributes = Attr,
@@ -695,7 +752,7 @@ der_encode('OneAsymmetricKey', #'ECPrivateKey'{parameters = {namedCurve, CurveOI
CurveOId == ?'id-Ed25519' orelse
CurveOId == ?'id-Ed448' ->
CurvePrivKey = der_encode('CurvePrivateKey', Key),
- Alg = #'OneAsymmetricKey_privateKeyAlgorithm'{algorithm = CurveOId},
+ Alg = #'PrivateKeyAlgorithmIdentifier'{algorithm = CurveOId},
der_encode('OneAsymmetricKey',
#'OneAsymmetricKey'{version = 1,
privateKeyAlgorithm = Alg,
@@ -706,7 +763,7 @@ der_encode('OneAsymmetricKey', #'ECPrivateKey'{parameters = {namedCurve, CurveOI
privateKey = Key,
attributes = Attr,
publicKey = PubKey}) ->
- Alg = #'OneAsymmetricKey_privateKeyAlgorithm'{algorithm = CurveOId},
+ Alg = #'PrivateKeyAlgorithmIdentifier'{algorithm = CurveOId},
der_encode('OneAsymmetricKey',
#'OneAsymmetricKey'{version = 1,
privateKeyAlgorithm = Alg,
@@ -723,11 +780,29 @@ der_encode(Asn1Type, Entity) when (Asn1Type == 'PrivateKeyInfo') orelse
error:{badmatch, {error, _}} = Error ->
erlang:error(Error)
end;
-der_encode(Asn1Type, Entity) when is_atom(Asn1Type) ->
- try
- {ok, Encoded} = 'OTP-PUB-KEY':encode(Asn1Type, Entity),
+der_encode('EcpkParameters', {namedCurve,_}=Entity) ->
+ try
+ {ok, Encoded} = 'PKIXAlgs-2009':encode('ECParameters', Entity),
+ Encoded
+ catch
+ error:{badmatch, {error, _}} = Error ->
+ erlang:error(Error)
+ end;
+der_encode('Dss-Sig-Value', Entity) ->
+ try
+ {ok, Encoded} = 'PKIXAlgs-2009':encode('DSA-Sig-Value', Entity),
Encoded
- catch
+ catch
+ error:{badmatch, {error, _}} = Error ->
+ erlang:error(Error)
+ end;
+der_encode(Asn1Type, Entity0) when is_atom(Asn1Type) ->
+ Asn1Module = get_asn1_module(Asn1Type),
+ try
+ Entity = pubkey_translation:encode(Entity0),
+ {ok, Encoded} = Asn1Module:encode(Asn1Type, Entity),
+ Encoded
+ catch
error:{badmatch, {error, _}} = Error ->
erlang:error(Error)
end.
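Review bot: The two new special-case clauses and the rewritten generic clause each repeat the same `try {ok, Encoded} = Mod:encode(...), Encoded catch ... end` block, and `pkix_encode/3` adds a fourth copy later in this patch. A private helper would keep the error mapping in one place, as sketched below. Note also that `get_asn1_module(Asn1Type)` runs outside the `try`, so whatever it raises for an unknown type (its definition is not in this hunk) reaches the caller in a different shape than an encode failure. The earlier `der_encode/2` clauses start outside the hunk.

```erlang
der_encode('EcpkParameters', {namedCurve,_}=Entity) ->
    do_der_encode('PKIXAlgs-2009', 'ECParameters', Entity);
der_encode('Dss-Sig-Value', Entity) ->
    do_der_encode('PKIXAlgs-2009', 'DSA-Sig-Value', Entity);
der_encode(Asn1Type, Entity0) when is_atom(Asn1Type) ->
    Asn1Module = get_asn1_module(Asn1Type),
    do_der_encode(Asn1Module, Asn1Type, pubkey_translation:encode(Entity0)).

%% Encode with the given generated module; re-raise an encode failure as an error.
do_der_encode(Module, Type, Entity) ->
    try
        {ok, Encoded} = Module:encode(Type, Entity),
        Encoded
    catch
        error:{badmatch, {error, _}} = Error ->
            erlang:error(Error)
    end.
```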
@@ -794,10 +869,19 @@ the plain format this function directly calls
%%--------------------------------------------------------------------
pkix_encode(Asn1Type, Term, plain) when is_atom(Asn1Type) ->
der_encode(Asn1Type, Term);
-
-pkix_encode(Asn1Type, Term0, otp) when is_atom(Asn1Type) ->
+pkix_encode(Type, Term0, otp)
+ when Type =:= 'OTPCertificate'; Type =:= 'OTPTBSCertificate';
+ Type =:= 'OTPSubjectPublicKeyInfo' ->
Term = pubkey_cert_records:transform(Term0, encode),
- der_encode(Asn1Type, Term).
+ try
+ {ok, Encoded} = 'OTP-PKIX':encode(Type, Term),
+ Encoded
+ catch
+ error:{badmatch, {error, _}} = Error ->
+ erlang:error(Error)
+ end;
+pkix_encode(Type, Term, otp) ->
+ pkix_encode(Type, Term, plain).
%%--------------------------------------------------------------------
-doc(#{equiv => decrypt_private(CipherText, Key, []),
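Review bot: The new catch-all `pkix_encode(Type, Term, otp)` clause silently encodes as `plain`, so for any type other than the three listed the `pubkey_cert_records:transform(Term0, encode)` step that the old `otp` clause always ran is now skipped. If that is intended, say so next to the clause, e.g. `%% Only the OTP* wrapper types need transforming; every other type is encoded as plain.`, and mention it in the `-doc` text above, which is only partly visible in this hunk. The `try`/`catch` here is also one more copy of the block already repeated in `der_encode/2`.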
@@ -1121,13 +1205,11 @@ pkix_sign_types(?md2WithRSAEncryption) ->
{md2, rsa};
pkix_sign_types(?md5WithRSAEncryption) ->
{md5, rsa};
-pkix_sign_types(?'id-dsa-with-sha1') ->
+pkix_sign_types(?'dsa-with-sha1') ->
{sha, dsa};
-pkix_sign_types(?'id-dsaWithSHA1') ->
- {sha, dsa};
-pkix_sign_types(?'id-dsa-with-sha224') ->
+pkix_sign_types(?'dsa-with-sha224') ->
{sha224, dsa};
-pkix_sign_types(?'id-dsa-with-sha256') ->
+pkix_sign_types(?'dsa-with-sha256') ->
{sha256, dsa};
pkix_sign_types(?'ecdsa-with-SHA1') ->
{sha, ecdsa};
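Review bot: The `?'id-dsaWithSHA1'` clause is removed without a replacement, while the other DSA clauses are only renamed. If that macro named a different OID than `?'dsa-with-sha1'` (the macro definitions are not in this hunk), a certificate whose signature algorithm uses it no longer maps to `{sha, dsa}` and instead reaches whatever follows in `pkix_sign_types/1`, which continues outside the hunk. If dropping it is deliberate, a comment such as `%% The legacy id-dsaWithSHA1 OID is intentionally no longer accepted.` makes the decision visible; otherwise keep a clause for it.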
@@ -1259,12 +1341,9 @@ be used as input to `pkix_crls_validate/3`
%%--------------------------------------------------------------------
pkix_dist_point(OtpCert) when is_binary(OtpCert) ->
pkix_dist_point(pkix_decode_cert(OtpCert, otp));
-pkix_dist_point(OtpCert) ->
- Issuer = public_key:pkix_normalize_name(
- pubkey_cert_records:transform(
- OtpCert#'OTPCertificate'.tbsCertificate#'OTPTBSCertificate'.issuer, encode)),
-
- TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+pkix_dist_point(#'OTPCertificate'{tbsCertificate = TBSCert}) ->
+ Issuer = pkix_normalize_name(TBSCert#'OTPTBSCertificate'.issuer),
+
Extensions = pubkey_cert:extensions_list(TBSCert#'OTPTBSCertificate'.extensions),
AltNames = case pubkey_cert:select_extension(?'id-ce-issuerAltName', Extensions) of
undefined ->
@@ -1315,9 +1394,8 @@ pkix_match_dist_point(#'CertificateList'{},
%% No distribution point name specified - that's considered a match.
true;
pkix_match_dist_point(#'CertificateList'{
- tbsCertList =
- #'TBSCertList'{
- crlExtensions = Extensions}},
+ toBeSigned = #'TBSCertList'{
+ crlExtensions = Extensions}},
#'DistributionPoint'{
distributionPoint = {fullName, DPs}}) ->
case pubkey_cert:select_extension(?'id-ce-issuingDistributionPoint', Extensions) of
@@ -1338,13 +1416,13 @@ pkix_match_dist_point(#'CertificateList'{
-doc "Signs an 'OTPTBSCertificate'. Returns the corresponding DER-encoded certificate.".
-doc(#{title => <<"Sign/Verify API">>,
since => <<"OTP R14B">>}).
--spec pkix_sign(Cert, Key) -> Der when Cert :: #'OTPTBSCertificate'{},
+-spec pkix_sign(Cert, Key) -> Der when Cert :: #'OTPTBSCertificate'{},
Key :: private_key(),
Der :: der_encoded().
%%--------------------------------------------------------------------
-pkix_sign(#'OTPTBSCertificate'{signature =
- #'SignatureAlgorithm'{}
- = SigAlg} = TBSCert, Key) ->
+pkix_sign(#'OTPTBSCertificate'{signature =
+ #'SignatureAlgorithm'{} = SigAlg} = TBSCert, Key) ->
+
Msg = pkix_encode('OTPTBSCertificate', TBSCert, otp),
{DigestType, _, Opts} = pubkey_cert:x509_pkix_sign_types(SigAlg),
Signature = sign(Msg, DigestType, format_pkix_sign_key(Key), Opts),
@@ -1362,7 +1440,7 @@ pkix_sign(#'OTPTBSCertificate'{signature =
Key :: public_key() .
%%--------------------------------------------------------------------
-pkix_verify(DerCert, {Key, #'Dss-Parms'{}} = DSAKey)
+pkix_verify(DerCert, {Key, #'Dss-Parms'{}} = DSAKey)
when is_binary(DerCert), is_integer(Key) ->
{DigestType, PlainText, Signature} = pubkey_cert:verify_data(DerCert),
verify(PlainText, DigestType, Signature, DSAKey);
@@ -1406,14 +1484,14 @@ pkix_crl_verify(CRL, Cert) when is_binary(CRL) ->
pkix_crl_verify(CRL, Cert) when is_binary(Cert) ->
pkix_crl_verify(CRL, pkix_decode_cert(Cert, otp));
pkix_crl_verify(#'CertificateList'{} = CRL, #'OTPCertificate'{} = Cert) ->
- TBSCert = Cert#'OTPCertificate'.tbsCertificate,
+ TBSCert = Cert#'OTPCertificate'.tbsCertificate,
PublicKeyInfo = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
PublicKey = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.subjectPublicKey,
AlgInfo = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.algorithm,
PublicKeyParams = AlgInfo#'PublicKeyAlgorithm'.parameters,
- pubkey_crl:verify_crl_signature(CRL,
- der_encode('CertificateList', CRL),
- PublicKey, PublicKeyParams).
+ pubkey_crl:verify_crl_signature(CRL,
+ der_encode('CertificateList', CRL),
+ PublicKey, PublicKeyParams).
%%--------------------------------------------------------------------
-doc "Checks if `IssuerCert` issued `Cert`.".
@@ -1423,17 +1501,17 @@ pkix_crl_verify(#'CertificateList'{} = CRL, #'OTPCertificate'{} = Cert) ->
boolean() when CertorCRL :: cert() | #'CertificateList'{},
IssuerCert :: cert().
%%--------------------------------------------------------------------
-pkix_is_issuer(Cert, IssuerCert) when is_binary(Cert) ->
+pkix_is_issuer(Cert, IssuerCert) when is_binary(Cert) ->
OtpCert = pkix_decode_cert(Cert, otp),
pkix_is_issuer(OtpCert, IssuerCert);
pkix_is_issuer(Cert, IssuerCert) when is_binary(IssuerCert) ->
OtpIssuerCert = pkix_decode_cert(IssuerCert, otp),
pkix_is_issuer(Cert, OtpIssuerCert);
-pkix_is_issuer(#'OTPCertificate'{tbsCertificate = TBSCert},
+pkix_is_issuer(#'OTPCertificate'{tbsCertificate = TBSCert},
#'OTPCertificate'{tbsCertificate = Candidate}) ->
pubkey_cert:is_issuer(TBSCert#'OTPTBSCertificate'.issuer,
Candidate#'OTPTBSCertificate'.subject);
-pkix_is_issuer(#'CertificateList'{tbsCertList = TBSCRL},
+pkix_is_issuer(#'CertificateList'{toBeSigned = TBSCRL},
#'OTPCertificate'{tbsCertificate = Candidate}) ->
pubkey_cert:is_issuer(Candidate#'OTPTBSCertificate'.subject,
pubkey_cert_records:transform(TBSCRL#'TBSCertList'.issuer, decode)).
@@ -1507,7 +1585,7 @@ pkix_crl_issuer(CRL) when is_binary(CRL) ->
pkix_crl_issuer(der_decode('CertificateList', CRL));
pkix_crl_issuer(#'CertificateList'{} = CRL) ->
pubkey_cert_records:transform(
- CRL#'CertificateList'.tbsCertList#'TBSCertList'.issuer, decode).
+ CRL#'CertificateList'.toBeSigned#'TBSCertList'.issuer, decode).
%%--------------------------------------------------------------------
-doc(#{title => <<"Certificate API">>,
@@ -2260,8 +2338,8 @@ cacerts_clear() ->
ec_decode_params(AlgId, _) when AlgId == ?'id-Ed25519';
AlgId == ?'id-Ed448' ->
{namedCurve, AlgId};
-ec_decode_params(_, Params) ->
- der_decode('EcpkParameters', Params).
+ec_decode_params(_AlgId, {namedCurve,_}=Entity) ->
+ Entity.
default_options([]) ->
[{rsa_padding, rsa_pkcs1_padding}];
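Review bot: `ec_decode_params/2` now has no clause for parameters other than `{namedCurve,_}`, so explicit or implicit curve parameters end in a bare `function_clause` instead of a decoded result. Refusing explicit parameters is a reasonable default for certificate and key handling, but it should be a stated decision with a matchable reason, for example a final clause `ec_decode_params(_AlgId, Params) -> erlang:error({unsupported_ec_parameters, Params}).` together with a one-line comment that explicit parameters are not supported. Whether peer-supplied keys reach this function is not visible in the hunk, so the call sites are worth checking.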
@@ -2340,7 +2418,7 @@ format_verify_key(#'ECPrivateKey'{parameters = Param, publicKey = {_, Point}}) -
format_verify_key(#'ECPrivateKey'{parameters = Param, publicKey = Point}) ->
format_verify_key({#'ECPoint'{point = Point}, Param});
format_verify_key(#'DSAPrivateKey'{y=Y, p=P, q=Q, g=G}) ->
- format_verify_key({Y, #'Dss-Parms'{p=P, q=Q, g=G}});
+ format_verify_key({Y, #'DSA-Params'{p=P, q=Q, g=G}});
format_verify_key(_) ->
badarg.
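Review bot: `format_verify_key/1` now builds `#'DSA-Params'{}` for a DSA private key, while `pkix_verify/2` earlier in this patch still matches `{Key, #'Dss-Parms'{}}` and the new `public_key_internal.hrl` still declares a `'Dss-Parms'` record. The `{Y, Params}` clause this call recurses into is outside the hunk; if it still matches `#'Dss-Parms'{}`, the tuple falls through to `format_verify_key(_) -> badarg` and the mismatch stays silent. It is worth confirming that the two record names are used consistently and adding a short comment on which one is the internal form.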
@@ -2588,8 +2666,8 @@ combine(CRL, DeltaCRLs) ->
Delta;
[_,_|_] ->
Fun =
- fun({_, #'CertificateList'{tbsCertList = FirstTBSCRL}} = CRL1,
- {_, #'CertificateList'{tbsCertList = SecondTBSCRL}} = CRL2) ->
+ fun({_, #'CertificateList'{toBeSigned = FirstTBSCRL}} = CRL1,
+ {_, #'CertificateList'{toBeSigned = SecondTBSCRL}} = CRL2) ->
Time1 = pubkey_cert:time_str_2_gregorian_sec(
FirstTBSCRL#'TBSCertList'.thisUpdate),
Time2 = pubkey_cert:time_str_2_gregorian_sec(
@@ -2664,26 +2742,10 @@ ec_curve_type(x448) ->
ec_curve_type(_) ->
ecdh.
-format_field(characteristic_two_field = Type, Params0) ->
- #'Characteristic-two'{
- m = M,
- basis = BasisOid,
- parameters = Params} = der_decode('Characteristic-two', Params0),
- {Type, M, field_param_decode(BasisOid, Params)};
format_field(prime_field, Params0) ->
Prime = der_decode('Prime-p', Params0),
{prime_field, Prime}.
-field_param_decode(?'ppBasis', Params) ->
- #'Pentanomial'{k1 = K1, k2 = K2, k3 = K3} =
- der_decode('Pentanomial', Params),
- {ppbasis, K1, K2, K3};
-field_param_decode(?'tpBasis', Params) ->
- K = der_decode('Trinomial', Params),
- {tpbasis, K};
-field_param_decode(?'gnBasis', _) ->
- onbasis.
-
ec_key({PubKey, PrivateKey}, Params) ->
#'ECPrivateKey'{version = 1,
privateKey = PrivateKey,
@@ -2692,25 +2754,16 @@ ec_key({PubKey, PrivateKey}, Params) ->
encode_name_for_short_hash({rdnSequence, Attributes0}) ->
Attributes = lists:map(fun normalise_attribute/1, Attributes0),
- {Encoded, _} = 'OTP-PUB-KEY':'enc_RDNSequence'(Attributes, []),
+ {Encoded, _} = 'OTP-PKIX':enc_HashRDNSequence(Attributes, []),
Encoded.
-%% Normalise attribute for "short hash". If the attribute value
-%% hasn't been decoded yet, decode it so we can normalise it.
-normalise_attribute([#'AttributeTypeAndValue'{
- type = _Type,
- value = Binary} = ATV]) when is_binary(Binary) ->
- case pubkey_cert_records:transform(ATV, decode) of
- #'AttributeTypeAndValue'{value = Binary} ->
- %% Cannot decode attribute; return original.
- [ATV];
- DecodedATV = #'AttributeTypeAndValue'{} ->
- %% The new value will either be String or {Encoding,String}.
- normalise_attribute([DecodedATV])
- end;
+%% Normalise attribute for "short hash". We can't use the encoding
+%% function for the actual type of the attribute, since some of them
+%% don't allow utf8Strings, which is the required encoding when
+%% creating the hash.
normalise_attribute([#'AttributeTypeAndValue'{
- type = _Type,
- value = {Encoding, String}} = ATV])
+ type = Type,
+ value = {Encoding, String}}])
when
Encoding =:= utf8String;
Encoding =:= printableString;
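Review bot: Removing the `is_binary(Binary)` clause of `normalise_attribute/1` also removes the "Cannot decode attribute; return original" path, so an attribute whose value is neither `{Encoding, String}` with one of the listed encodings nor a list now fails the `lists:map/2` in `encode_name_for_short_hash/1` with `function_clause`. If the new decoders can still hand back an undecoded or differently tagged value (not visible here), hashing such a name crashes where it previously returned a result. Either state in the comment that every value reaching this function is already a string, or keep a fallback clause. `normalise_attribute/1` continues in the next hunk.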
@@ -2719,23 +2772,19 @@ normalise_attribute([#'AttributeTypeAndValue'{
%% These string types all give us something that the unicode
%% module understands.
NewValue = normalise_attribute_value(String),
- [ATV#'AttributeTypeAndValue'{value = NewValue}];
+ [#'HashSingleAttribute'{type = Type, value = NewValue}];
normalise_attribute([#'AttributeTypeAndValue'{
- type = _Type,
- value = String} = ATV]) when is_list(String) ->
+ type = Type,
+ value = String}]) when is_list(String) ->
%% A string returned by pubkey_cert_records:transform/2, for
%% certain attributes that commonly have incorrect value types.
NewValue = normalise_attribute_value(String),
- [ATV#'AttributeTypeAndValue'{value = NewValue}].
+ [#'HashSingleAttribute'{type = Type, value = NewValue}].
normalise_attribute_value(String) ->
Converted = unicode:characters_to_binary(String),
NormalisedString = normalise_string(Converted),
- %% We can't use the encoding function for the actual type of the
- %% attribute, since some of them don't allow utf8Strings, which is
- %% the required encoding when creating the hash.
- {NewBinary, _} = 'OTP-PUB-KEY':'enc_X520CommonName'({utf8String, NormalisedString}, []),
- NewBinary.
+ unicode:characters_to_list(NormalisedString).
normalise_string(String) ->
%% Normalise attribute values as required for "short hashes", as
@@ -2898,7 +2947,7 @@ format_details(Details) ->
Details.
subject_public_key_info(Alg, PubKey) ->
- #'OTPSubjectPublicKeyInfo'{algorithm = Alg, subjectPublicKey = PubKey}.
+ #'SubjectPublicKeyInfo'{algorithm = Alg, subjectPublicKey = PubKey}.
%%%################################################################
%%%#
diff --git a/lib/public_key/src/public_key_internal.hrl b/lib/public_key/src/public_key_internal.hrl
new file mode 100644
index 0000000000..2214adee9d
--- /dev/null
+++ b/lib/public_key/src/public_key_internal.hrl
@@ -0,0 +1,257 @@
+%%
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: Apache-2.0
+%%
+%% Copyright Ericsson AB 2008-2023. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%% http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-ifndef(public_key_internal).
+-define(public_key_internal, true).
+
+-include("AlgorithmInformation-2009.hrl").
+-include("DSS.hrl").
+-include("ECPrivateKey.hrl").
+
+-include("OCSP-2024-08.hrl").
+-undef('id-kp-OCSPSigning').
+
+-include("OTP-PKIX.hrl").
+-include("PKCS-1.hrl").
+
+%% Bug in ASN.1 compiler (hardcode the correct value)
+-undef('rSASSA-PSS-Default-Identifier').
+-define('rSASSA-PSS-Default-Identifier',
+ {'RSASSA-AlgorithmIdentifier',{1,2,840,113549,1,1,10},
+ {'RSASSA-PSS-params',{'HashAlgorithm',{1,3,14,3,2,26},'NULL'},
+ {'MaskGenAlgorithm',{1,2,840,113549,1,1,8},
+ {'HashAlgorithm',{1,3,14,3,2,26},'NULL'}},20,1}}).
+
+
+-include("PKCS-3.hrl").
+-include("PKIX-CommonTypes-2009.hrl").
+-include("PKIX1Explicit-2009.hrl").
+
+-include("PKIX1Implicit-2009.hrl").
+
+-undef('id-md2').
+-undef('id-md5').
+-undef('id-sha1').
+-undef('rsaEncryption').
+-undef('md2WithRSAEncryption').
+-undef('md5WithRSAEncryption').
+-undef('sha1WithRSAEncryption').
+-include("PKIXAlgs-2009.hrl").
+
+-include("Safecurves-pkix-18.hrl").
+
+-include("RFC5639.hrl").
+
+
+-define(DEFAULT_VERIFYFUN,
+ {fun(_,{bad_cert, _} = Reason, _) ->
+ {fail, Reason};
+ (_,{extension, _}, UserState) ->
+ {unknown, UserState};
+ (_, valid, UserState) ->
+ {valid, UserState};
+ (_, valid_peer, UserState) ->
+ {valid, UserState}
+ end, []}).
+
+-record(path_validation_state,
+ {
+ valid_policy_tree,
+ user_initial_policy_set,
+ explicit_policy,
+ inhibit_any_policy,
+ inhibit_policy_mapping,
+ policy_mapping_ext,
+ policy_constraint_ext,
+ policy_inhibitany_ext,
+ policy_ext_present,
+ policy_ext_any,
+ current_any_policy_qualifiers,
+ cert_num,
+ last_cert = false,
+ permitted_subtrees = no_constraints, %% Name constraints
+ excluded_subtrees = [], %% Name constraints
+ working_public_key_algorithm,
+ working_public_key,
+ working_public_key_parameters,
+ working_issuer_name,
+ max_path_length,
+ verify_fun,
+ user_state
+ }).
+
+-record(revoke_state,
+ {
+ reasons_mask,
+ cert_status,
+ interim_reasons_mask,
+ valid_ext,
+ details
+ }).
+
+-record('ECPoint',
+ {
+ point
+ }).
+
+-record(cert,
+ {
+ der :: public_key:der_encoded(),
+ otp :: #'OTPCertificate'{}
+ }).
+
+-define(unspecified, 0).
+-define(keyCompromise, 1).
+-define(cACompromise, 2).
+-define(affiliationChanged, 3).
+-define(superseded, 4).
+-define(cessationOfOperation, 5).
+-define(certificateHold, 6).
+-define(removeFromCRL, 8).
+-define(privilegeWithdrawn, 9).
+-define(aACompromise, 10).
+
+-define('anyPolicy', {2,5,29,32,0}).
+
+-record('ECParameters',
+ {
+ version,
+ fieldID,
+ curve,
+ base,
+ order,
+ cofactor = asn1_NOVALUE
+ }).
+
+-record('Curve',
+ {
+ a,
+ b,
+ seed = asn1_NOVALUE
+ }).
+
+-record('FieldID',
+ {
+ fieldType,
+ parameters
+ }).
+
+-record('Dss-Parms',
+ {
+ p, % pos_integer()
+ q, % pos_integer()
+ g % pos_integer()
+ }).
+
+-record('SignatureAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('PublicKeyAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+%% Superseded by SingleAttribute.
+-record('AttributeTypeAndValue',
+ {
+ type,
+ value
+ }).
+
+-record('PBEParameter',
+ {
+ salt,
+ iterationCount
+ }).
+
+-record('PBES2-params',
+ {
+ keyDerivationFunc,
+ encryptionScheme
+ }).
+
+-record('OneAsymmetricKey',
+ {
+ version,
+ privateKeyAlgorithm,
+ privateKey,
+ attributes = asn1_NOVALUE,
+ %% with extensions
+ publicKey = asn1_NOVALUE
+ %% end of extensions
+ }).
+
+-record('PrivateKeyAlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('OTPSubjectPublicKeyInfo',
+ {
+ algorithm, % #'PublicKeyAlgorithm'{}
+ subjectPublicKey % binary()
+ }).
+
+-record('AnotherName',
+ {
+ 'type-id',
+ value
+ }).
+
+%% Object identifiers not present in modern specs.
+
+-define('characteristic-two-field', {1,2,840,10045,1,2}).
+-define('prime-field', {1,2,840,10045,1,1}).
+
+-define('secp224k1', {1,3,132,0,32}).
+-define('secp192k1', {1,3,132,0,31}).
+-define('secp160r2', {1,3,132,0,30}).
+-define('secp128r2', {1,3,132,0,29}).
+-define('secp128r1', {1,3,132,0,28}).
+-define('sect193r2', {1,3,132,0,25}).
+-define('sect193r1', {1,3,132,0,24}).
+-define('sect131r2', {1,3,132,0,23}).
+-define('sect131r1', {1,3,132,0,22}).
+-define('secp256k1', {1,3,132,0,10}).
+-define('secp160k1', {1,3,132,0,9}).
+-define('secp160r1', {1,3,132,0,8}).
+-define('secp112r2', {1,3,132,0,7}).
+-define('secp112r1', {1,3,132,0,6}).
+-define('sect113r2', {1,3,132,0,5}).
+-define('sect113r1', {1,3,132,0,4}).
+-define('sect239k1', {1,3,132,0,3}).
+-define('sect163r1', {1,3,132,0,2}).
+
+-define('id-dsa-with-sha1', {1,2,840,10040,4,3}).
+
+-define('ppBasis', {1,2,840,10045,1,2,3,3}).
+-define('tpBasis', {1,2,840,10045,1,2,3,2}).
+-define('gnBasis', {1,2,840,10045,1,2,3,1}).
+
+-endif. % -ifdef(public_key_internal).
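Review bot: The hard-coded `'rSASSA-PSS-Default-Identifier'` is explained only as "Bug in ASN.1 compiler", with nothing that says which defect it works around or when it can be removed. Because this value fixes the PSS defaults applied when parameters are absent, the comment should be extended, e.g. `%% Workaround for <ASN.1 compiler issue id>: the generated macro is wrong; remove once fixed.`, and the value pinned by a test. The `-undef` runs before `PKIXAlgs-2009.hrl` and after `OCSP-2024-08.hrl` carry no comment at all; presumably they avoid macro redefinition between generated headers, and a line saying so would help the next reader. The closing `% -ifdef(public_key_internal)` comment should read `-ifndef`.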
diff --git a/lib/public_key/test/erl_make_certs.erl b/lib/public_key/test/erl_make_certs.erl
index e8e04122ff..acdd5684ac 100644
--- a/lib/public_key/test/erl_make_certs.erl
+++ b/lib/public_key/test/erl_make_certs.erl
@@ -164,13 +164,13 @@ decode_key(PemBin, Pw) ->
decode_key(KeyInfo, Pw).
encode_key(Key = #'RSAPrivateKey'{}) ->
- {ok, Der} = 'OTP-PUB-KEY':encode('RSAPrivateKey', Key),
+ {ok, Der} = 'PKCS-1':encode('RSAPrivateKey', Key),
{'RSAPrivateKey', Der, not_encrypted};
encode_key(Key = {#'RSAPrivateKey'{},#'RSASSA-PSS-params'{}}) ->
Der = public_key:der_encode('PrivateKeyInfo', Key),
{'PrivateKeyInfo', Der, not_encrypted};
encode_key(Key = #'DSAPrivateKey'{}) ->
- {ok, Der} = 'OTP-PUB-KEY':encode('DSAPrivateKey', Key),
+ {ok, Der} = 'DSS':encode('DSAPrivateKey', Key),
{'DSAPrivateKey', Der, not_encrypted};
encode_key(Key = #'ECPrivateKey'{}) ->
{ok, Der} = 'OTP-PUB-KEY':encode('ECPrivateKey', Key),
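Review bot: The `#'ECPrivateKey'{}` clause on the last line of this hunk still calls `'OTP-PUB-KEY':encode('ECPrivateKey', Key)` although the two clauses above it were moved off that module. The patch summary lists `OTP-PUB-KEY.set.asn` and `OTP-PUB-KEY.asn1config` as removed, so that module is presumably no longer generated and this clause would fail with `undef`. Going through the public API avoids naming a generated module: `Der = public_key:der_encode('ECPrivateKey', Key),`. The clause continues outside the hunk.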
diff --git a/lib/public_key/test/pkits_SUITE.erl b/lib/public_key/test/pkits_SUITE.erl
index e34654fbad..a4c67551ac 100644
--- a/lib/public_key/test/pkits_SUITE.erl
+++ b/lib/public_key/test/pkits_SUITE.erl
@@ -1503,10 +1503,8 @@ run({Chap, Test, Result, CertsBody}, TA) ->
?error(" ~p ~p~n Expected ~p got ~p ~n", [Chap, Test, Result, _OK]),
fail
catch Type:Reason:Stack ->
- Str1 = lists:flatten(io_lib:format("Crash ~p:~p in ~p~n",[Type,Reason,Stack])),
- Str2 = lists:flatten(io_lib:format(" ~p ~p Expected ~p ~n", [Chap, Test, Result])),
- erlang:display(Str1),
- erlang:display(Str2),
+ io:format("Crash ~p:~p in ~p~n",[Type,Reason,Stack]),
+ io:format(" ~p ~p Expected ~p ~n", [Chap, Test, Result]),
exit(crash)
end;
diff --git a/lib/public_key/test/pubkey_ocsp_SUITE.erl b/lib/public_key/test/pubkey_ocsp_SUITE.erl
index 31d6c3ea9b..d20326d177 100644
--- a/lib/public_key/test/pubkey_ocsp_SUITE.erl
+++ b/lib/public_key/test/pubkey_ocsp_SUITE.erl
@@ -156,8 +156,8 @@ ocsp_test(Config) when is_list(Config) ->
IsTrustedReponderFun),
{'SingleResponse',
{'CertID',
- {'AlgorithmIdentifier',
- {1,3,14,3,2,26},<<5,0>>},
+ {'CertID_hashAlgorithm',
+ {1,3,14,3,2,26},{asn1_OPENTYPE, <<5,0>>}},
<<227,147,252,182,155,101,129,45,194,162,22,93,127,46,112,193,196,28,241,232>>,
<<34,25,129,87,115,255,155,246,200,97,92,7,51,110,152,61,97,155,164,171>>,9},
{good,'NULL'},"20230720122949Z",asn1_NOVALUE,asn1_NOVALUE} =
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index fc2cfee3b3..84ed1a8fa3 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -55,8 +55,6 @@
rsa_priv_pkcs8/1,
ec_pem/0,
ec_pem/1,
- ec_pem2/0,
- ec_pem2/1,
ec_priv_pkcs8/0,
ec_priv_pkcs8/1,
eddsa_priv_pkcs8/0,
@@ -140,14 +138,22 @@
short_cert_issuer_hash/1,
short_crl_issuer_hash/0,
short_crl_issuer_hash/1,
- gen_ec_param_prime_field/0,
- gen_ec_param_prime_field/1,
- gen_ec_param_char_2_field/0,
- gen_ec_param_char_2_field/1,
cacerts_load/0, cacerts_load/1,
ocsp_extensions/0, ocsp_extensions/1
]).
+%% Explicit parameters for EC are currently not implemented.
+%%-define('EXPLICIT_EC_PARAMS', true).
+
+-ifdef('EXPLICIT_EC_PARAMS').
+-export([ec_pem2/0,
+ ec_pem2/1,
+ gen_ec_param_prime_field/0,
+ gen_ec_param_prime_field/1,
+ gen_ec_param_char_2_field/0,
+ gen_ec_param_char_2_field/1]).
+-endif.
+
-export([list_cacerts/0]). % debug exports
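Review bot: With `EXPLICIT_EC_PARAMS` left undefined, `ec_pem2` and the two `gen_ec_param_*` cases are compiled out, and nothing in the suite pins what happens when a key with explicit curve parameters is decoded. A small negative case that reads one of the existing fixtures (`ec_key_param1.pem`, used by `gen_ec_param_char_2_field/1` later in this file, appears to be one) and asserts the defined failure would keep the "not implemented" state from changing unnoticed. The `explicit_ec_params` group added to `groups/0` in the next hunk is also declared unconditionally although its cases exist only under the `-ifdef`; wrapping it the same way avoids an `undef` if the group is run by name.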
@@ -196,21 +202,33 @@ all() ->
short_crl_issuer_hash,
cacerts_load,
ocsp_extensions,
- pkix_ocsp_validate
+ pkix_ocsp_validate | maybe_more()
].
groups() ->
[{pem_decode_encode, [], [dsa_pem, rsa_pem, rsa_pss_pss_pem,
rsa_pss_default_pem, ec_pem,
encrypted_pem_pwdstring, encrypted_pem_pwdfun,
- dh_pem, cert_pem, pkcs7_pem, pkcs10_pem, ec_pem2,
+ dh_pem, cert_pem, pkcs7_pem, pkcs10_pem,
rsa_priv_pkcs8, dsa_priv_pkcs8, ec_priv_pkcs8,
eddsa_priv_pkcs8, eddsa_priv_rfc5958,
- ec_pem_encode_generated, gen_ec_param_prime_field,
- gen_ec_param_char_2_field]},
+ ec_pem_encode_generated]},
{sign_verify, [], [rsa_sign_verify, rsa_pss_sign_verify, dsa_sign_verify,
- eddsa_sign_verify_24_compat, custom_sign_fun_verify]}
+ eddsa_sign_verify_24_compat, custom_sign_fun_verify]},
+ {explicit_ec_params,
+ [ec_pem2,
+ gen_ec_param_char_2_field,
+ gen_ec_param_prime_field
+ ]}
].
+
+
+-ifdef('EXPLICIT_EC_PARAMS').
+maybe_more() -> [{group, explicit_ec_params}].
+-else.
+maybe_more() -> [].
+-endif.
+
%%-------------------------------------------------------------------
init_per_suite(Config) ->
application:stop(crypto),
@@ -438,7 +456,8 @@ ec_pem(Config) when is_list(Config) ->
true = check_entry_type(ECPrivKey#'ECPrivateKey'.parameters, 'EcpkParameters'),
ECPemNoEndNewLines = strip_superfluous_newlines(ECPrivPem),
ECPemNoEndNewLines = strip_superfluous_newlines(public_key:pem_encode([Entry1, Entry2])).
-
+
+-ifdef('EXPLICIT_EC_PARAMS').
ec_pem2() ->
[{doc, "EC key w/explicit params PEM-file decode/encode"}].
ec_pem2(Config) when is_list(Config) ->
@@ -457,6 +476,7 @@ ec_pem2(Config) when is_list(Config) ->
true = check_entry_type(ECPrivKey#'ECPrivateKey'.parameters, 'EcpkParameters'),
ECPemNoEndNewLines = strip_superfluous_newlines(ECPrivPem),
ECPemNoEndNewLines = strip_superfluous_newlines(public_key:pem_encode([Entry1, Entry2])).
+-endif.
ec_priv_pkcs8() ->
[{doc, "EC PKCS8 private key decode/encode"}].
@@ -1385,7 +1405,7 @@ pkix_crl(Config) when is_list(Config) ->
Datadir = proplists:get_value(data_dir, Config),
{ok, PemCRL} = file:read_file(filename:join(Datadir, "idp_crl.pem")),
[{_, CRL, _}] = public_key:pem_decode(PemCRL),
-
+
{ok, IDPPemCert} = file:read_file(filename:join(Datadir, "idp_cert.pem")),
[{_, IDPCert, _}] = public_key:pem_decode(IDPPemCert),
@@ -1398,7 +1418,6 @@ pkix_crl(Config) when is_list(Config) ->
{rdnSequence,_} = public_key:pkix_crl_issuer(CRL),
{rdnSequence,_} = public_key:pkix_crl_issuer(ERLCRL),
-
true = public_key:pkix_crl_verify(CRL, SignCert),
true = public_key:pkix_crl_verify(ERLCRL, OTPSignCert),
@@ -1570,6 +1589,7 @@ short_crl_issuer_hash(Config) when is_list(Config) ->
CrlIssuerHash = public_key:short_name_hash(Issuer).
+-ifdef('EXPLICIT_EC_PARAMS').
%%--------------------------------------------------------------------
gen_ec_param_prime_field() ->
[{doc, "Generate key with EC prime_field parameters"}].
@@ -1583,18 +1603,24 @@ gen_ec_param_char_2_field() ->
gen_ec_param_char_2_field(Config) when is_list(Config) ->
Datadir = proplists:get_value(data_dir, Config),
do_gen_ec_param(filename:join(Datadir, "ec_key_param1.pem")).
+-endif.
%%--------------------------------------------------------------------
ocsp_extensions() ->
[{doc, "Check OCSP extensions"}].
ocsp_extensions(_Config) ->
Nonce = <<4,8,66,243,220,236,16,118,51,215>>,
- ExpectedExtentions =
+ ExpectedExtensions =
[{'Extension',
?'id-pkix-ocsp-nonce',
asn1_DEFAULT,
- <<4,8,66,243,220,236,16,118,51,215>>}],
- ExpectedExtentions = public_key:ocsp_extensions(Nonce).
+ Nonce}],
+ ExpectedExtensions = public_key:ocsp_extensions(Nonce),
+ Encoded = public_key:der_encode('Extensions', ExpectedExtensions),
+ [#'Extension'{extnID=?'id-pkix-ocsp-nonce',
+ critical=false,
+ extnValue=Nonce}] = public_key:der_decode('Extensions', Encoded),
+ ok.
pkix_ocsp_validate() ->
[{doc, "Check OCSP extensions"}].
@@ -1782,20 +1808,22 @@ cert_info([]) ->
subject(S) ->
- string:lowercase(subject(public_key:pkix_normalize_name(S), "unknown")).
+ unicode:characters_to_list(
+ string:lowercase(
+ subject(public_key:pkix_normalize_name(S), "unknown"))).
subject({rdnSequence, Seq}, Def) ->
subject(Seq, Def);
subject([[{'AttributeTypeAndValue', ?'id-at-commonName', Name0}]|_], _Def) ->
case Name0 of
{printableString, Name} -> Name;
- {utf8String, Name} -> unicode:characters_to_list(Name);
+ {utf8String, Name} -> Name;
Name -> Name
end;
subject([[{'AttributeTypeAndValue', ?'id-at-organizationName', Name0}]|Rest], _Def) ->
Name = case Name0 of
{printableString, Name1} -> Name1;
- {utf8String, Name1} -> unicode:characters_to_list(Name1);
+ {utf8String, Name1} -> Name1;
Name1 -> Name1
end,
subject(Rest, Name);
--
2.43.0