Subject: [xcbf] XCBF Cryptographic Message Syntax (CMS)
Here's a first pass at a CMS schema for use by
XCBF. I've more to do still, and it has not even
been syntax checked yet, but it will give you a
better idea of how the biometrics are enhanced
using CMS security types in XCBF.

I also hope to initiate discussion on which
cryptographic algorithms we will support. So,
I've started filling in the algorithm IOSets
with what I believe is best. Of course, where
there is more than one algorithm for a given
use, we should probably choose one or more
that must be supported.

I'll post an updated version to the XCBF web
site once I have something that is a little
more clean.

Phil

--
-- Revised: Saturday, May 11, 2002
--
-- Last Modified: Saturday, May 11, 2002
--
-- The following ASN.1 is based on the module found in the
-- ANS X9.84 Biometric Information Management and Security
-- standard. It has been modified for use in the OASIS XML
-- Common Biometric Standard (XCBF) and provides a simplified
-- cryptographic message syntax based in part on definitions
-- from X9.73 for the CMS types AuthenticatedData, EncryptedData,
-- EnvelopedData, and SignedData initially defined in RSA PKCS #7.

XCBF-CMS -- { Need OID here } --
   DEFINITIONS IMPLICIT TAGS ::= BEGIN

-- EXPORTS All;

IMPORTS

   -- X.501 Directory Information Framework --

   ATTRIBUTE, Name
      FROM InformationFramework {
         joint-iso-itu-t ds(5) modules(1) informationFramework(1) 3 }

   -- X.509 Directory Authentication Framework --

   AttributeCertificate, Certificate, CertificateList
      FROM AuthenticationFramework {
         joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 3 }

   -- X9.68 Domain Certificate Syntax --

   DomainCertificate
      FROM DomainCertificate {
         iso(1) identified-organization(3) tc68(133) country(16)
         x9(840) x9Standards(9) x9-68(68) modules(0)
         domainCertificate(1) }

   dhpublicnumber, dsa-with-sha1, ecdsa-with-SHA1, ellipticCurve,
   sha1, rsaEncryption, sha1WithRSAEncryption
      FROM XCBF-OIDs -- { Need OID here } -- ;

SignedData ::= SEQUENCE {
   version           Version (v1),
   digestAlgorithms  DigestAlgorithmIdentifiers,
   contentInfo       ContentInfo,
   certificates      [0] CertificateSet OPTIONAL,
   crls              [1] CertificateRevocationLists OPTIONAL,
   signerInfos       SignerInfos
}

Version ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }

DigestAlgorithmIdentifiers ::=
   SET SIZE(1) OF DigestAlgorithmIdentifier

DigestAlgorithmIdentifier ::= AlgorithmIdentifier {{DigestAlgorithms}}

DigestAlgorithms ALGORITHM ::= {
   { OID sha1 PARMS NoIV },

   ... -- Expect others --
}

NoIV ::= NULL -- No initialization vector

ContentInfo ::= SEQUENCE {
   contentType  ContentType
}

ContentType ::= CONTENTS.&id({Contents})

CONTENTS ::= TYPE-IDENTIFIER -- ISO/IEC 8824-2:1998, Annex A

Contents CONTENTS ::= {
   { SignedData        IDENTIFIED BY id-signedData    } |
   { EnvelopedData     IDENTIFIED BY id-envelopedData } |
   { AuthenticatedData IDENTIFIED BY id-ct-authData   } |
   { EncryptedData     IDENTIFIED BY id-encryptedData },

   ... -- Expect additional objects --
}

CertificateSet ::= SET SIZE(1..MAX) OF CertificateChoices

CertificateChoices ::= CHOICE {
   certificate  Certificate,
   attrCert     [1] AttributeCertificate,
   domainCert   [2] DomainCertificate, -- X9.68:2
   otherCert    [3] OtherCertificate
}

-- PHG Maybe XCBF should not support OtherCertificate
--     For that matter, maybe we should not support
--     AttributeCertificate and just focus on X.509
--     certificates and DomainCertificate for constrained
--     environment use???

OtherCertificate ::= INSTANCE OF OTHER-CERT({CertSet})

OTHER-CERT ::= TYPE-IDENTIFIER -- ISO/IEC 8824-2:1998, Annex A

CertSet OTHER-CERT ::= { ... -- defined as needed -- }

CertificateRevocationLists ::= SET SIZE(1..MAX) OF CertificateList

SignerInfos ::= SET SIZE(1) OF SignerInfo

SignerInfo ::= SEQUENCE {
   version             Version (v1),
   sid                 IssuerAndSerialNumber,
   digestAlgorithm     DigestAlgorithmIdentifier,
   signatureAlgorithm  SignatureAlgorithmIdentifier,
   signature           SignatureValue
}

IssuerAndSerialNumber ::= SEQUENCE {
   issuer        Name,
   serialNumber  CertificateSerialNumber
}

CertificateSerialNumber ::= INTEGER -- Expect large values

SignatureAlgorithmIdentifier ::=
   AlgorithmIdentifier {{SignatureAlgorithms}}

SignatureAlgorithms ALGORITHM ::= {
-- { OID dsa-with-sha1 PHG need to define parms --
-- { OID ecdsa-with-SHA1 PHG need to define parms --
   { OID sha1WithRSAEncryption PARMS NoIV },

   ... -- Expect others --
}

SignatureValue ::= OCTET STRING

EncryptedData ::= SEQUENCE {
   version               Version (v0),
   encryptedContentInfo  EncryptedContentInfo
}

EncryptedContentInfo ::= SEQUENCE {
   contentType                 ContentType,
   contentEncryptionAlgorithm  ContentEncryptionAlgorithmIdentifier,
   encryptedContent            [0] EncryptedContent OPTIONAL
}

ContentEncryptionAlgorithmIdentifier ::=
   AlgorithmIdentifier {{ContentEncryptionAlgorithms}}

ContentEncryptionAlgorithms ALGORITHM ::= {
   ... -- any X9-approved algorithm --
}

EncryptedContent ::= OCTET STRING

EnvelopedData ::= SEQUENCE {
   version               Version,
   recipientInfos        RecipientInfos,
   encryptedContentInfo  EncryptedContentInfo
}

RecipientInfos ::= SET SIZE(1) OF RecipientInfo

RecipientInfo ::= CHOICE {
   ktri   KeyTransRecipientInfo,
   kari   [1] KeyAgreeRecipientInfo,
   mlri   [2] KEKRecipientInfo,
   ekmri  [3] ExtendedKeyMgmtRecipientInfo
}

KeyTransRecipientInfo ::= SEQUENCE {
   version                 Version (v0|v2),
   rid                     EntityIdentifier,
   keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
   encryptedKey            EncryptedKey
}

EntityIdentifier ::= CHOICE {
   issuerAndSerialNumber  IssuerAndSerialNumber,
   subjectKeyIdentifier   [0] SubjectKeyIdentifier
}

SubjectKeyIdentifier ::= OCTET STRING

KeyEncryptionAlgorithmIdentifier ::=
   AlgorithmIdentifier {{KeyEncryptionAlgorithms}}

KeyEncryptionAlgorithms ALGORITHM ::= {
   ... -- any X9-approved algorithm --
}

EncryptedKey ::= OCTET STRING

KeyAgreeRecipientInfo ::= SEQUENCE {
   version                 Version (v3),
   originatorCert          [0] EXPLICIT EntityIdentifier,
   ukm                     [1] EXPLICIT UserKeyingMaterial OPTIONAL,
   keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
   recipientEncryptedKeys  RecipientEncryptedKeys
}

UserKeyingMaterial ::= OCTET STRING

RecipientEncryptedKeys ::=
   SEQUENCE SIZE(1..MAX) OF RecipientEncryptedKey

RecipientEncryptedKey ::= SEQUENCE {
   rid           RecipientIdentifier,
   encryptedKey  EncryptedKey
}

RecipientIdentifier ::= CHOICE {
   issuerAndSerialNumber  IssuerAndSerialNumber,
   rKeyId                 [0] RecipientKeyIdentifier
}

RecipientKeyIdentifier ::= SEQUENCE {
   subjectKeyIdentifier  SubjectKeyIdentifier,
   date                  GeneralizedTime OPTIONAL,
   other                 OtherKeyAttribute OPTIONAL
}

OtherKeyAttribute ::= AttributeTypeAndValue

AttributeTypeAndValue ::= SEQUENCE {
   type   ATTRIBUTE.&id({OtherAttributes}),
   value  ATTRIBUTE.&Type({OtherAttributes}{@type})
}

OtherAttributes ATTRIBUTE ::= { ... }

KEKRecipientInfo ::= SEQUENCE {
   version                 Version (v4),
   kekid                   KEKIdentifier,
   keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
   encryptedKey            EncryptedKey
}

KEKIdentifier ::= SEQUENCE {
   kekIdentifier  OCTET STRING,
   date           GeneralizedTime OPTIONAL,
   other          OtherKeyAttribute OPTIONAL
}

ExtendedKeyMgmtRecipientInfo ::=
   INSTANCE OF EXTENDED-KEY-MGMT-INFO({EKMIOSet})

EXTENDED-KEY-MGMT-INFO ::= TYPE-IDENTIFIER -- ISO/IEC 8824-2:1998, Annex A

EKMIOSet EXTENDED-KEY-MGMT-INFO ::= {
   -- PHG Need to decide if we want to explicitly support
   --     Constructive Key Management in this OASIS XCBF
   --     work. I think this complexity is best avoided,
   --     but cutting it out - what a nasty hack

   ... -- as defined in X9.73 --
}

AuthenticatedData ::= SEQUENCE {
   version         Version (v0),
   recipientInfos  RecipientInfos,
   macAlgorithm    MACAlgorithmIdentifier,
   contentInfo     ContentInfo,
   mac             MessageAuthenticationCode
}

MACAlgorithmIdentifier ::= AlgorithmIdentifier {{MACAlgorithms}}

MACAlgorithms ALGORITHM ::= {
   -- PHG Need X9.71 HMAC OID here

   ... -- any X9-approved MAC or HMAC algorithm --
}

MessageAuthenticationCode ::= OCTET STRING

-- Cryptographic algorithm identification --

ALGORITHM ::= CLASS {
   &id    OBJECT IDENTIFIER UNIQUE,
   &Type  OPTIONAL
}
   WITH SYNTAX { OID &id [PARMS &Type] }

AlgorithmIdentifier { ALGORITHM:IOSet } ::= SEQUENCE {
   algorithm   ALGORITHM.&id( {IOSet} ),
   parameters  ALGORITHM.&Type( {IOSet}{@algorithm} ) OPTIONAL
}

END -- XCBF-CMS --
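
The algorithm IOSets in the module above limit which AlgorithmIdentifier values a conforming decoder may accept. The Python below is an added example, not part of the original post or of any XCBF code: it checks a DER-encoded AlgorithmIdentifier against the two IOSets the draft fills in. The dotted OID values for sha1 and sha1WithRSAEncryption are the standard registrations (the draft imports only the names), and the helper names are hypothetical.

```python
# Added example, not part of the posted module. OID values are the standard
# registrations for the names the draft imports from XCBF-OIDs.
SHA1, SHA1_WITH_RSA = "1.3.14.3.2.26", "1.2.840.113549.1.1.5"
NULL = b"\x05\x00"  # DER encoding of NoIV ::= NULL
# IOSet name -> {OID: DER parameters}, mirroring the module's two filled-in sets.
IOSETS = {"DigestAlgorithms": {SHA1: NULL},
          "SignatureAlgorithms": {SHA1_WITH_RSA: NULL}}
SAMPLE_SHA1 = bytes.fromhex("300906052b0e03021a0500")  # constructed: sha1 + NULL

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID")
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_algorithm(der, ioset):
    """True only if der is an AlgorithmIdentifier admitted by the named IOSet."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, oid_body, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("algorithm field is not an OBJECT IDENTIFIER")
    allowed, oid = IOSETS[ioset], decode_oid(oid_body)
    # parameters is OPTIONAL in the module: accept absent or exactly NULL.
    return oid in allowed and seq[pos:] in (b"", allowed[oid])
```

Because the IOSets end in an extension marker, a deployment that later agrees on more algorithms would extend IOSETS rather than loosen the check.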