asn1: Add TCG module

This is in preparation for adding support for TPM-related functionality
in lib/hx509 and, eventually, in bx509d.

lib/asn1/Makefile.am

@@ -25,9 +25,10 @@ BUILT_SOURCES =				\
 	$(gen_files_rfc2459:.x=.c)	\
 	$(gen_files_rfc4043:.x=.c)	\
 	$(gen_files_rfc4108:.x=.c)	\
+	$(gen_files_tcg:.x=.c)	        \
 	$(gen_files_cms:.x=.c)		\
 	$(gen_files_krb5:.x=.c)		\
-	$(gen_files_ocsp:.x=.c)	\
+	$(gen_files_ocsp:.x=.c)	        \
 	$(gen_files_pkinit:.x=.c)	\
 	$(gen_files_pkcs8:.x=.c)	\
 	$(gen_files_pkcs9:.x=.c)	\
@@ -42,6 +43,7 @@ gen_files_crmf = asn1_crmf_asn1.x
 gen_files_rfc2459 = asn1_rfc2459_asn1.x
 gen_files_rfc4043 = asn1_rfc4043_asn1.x
 gen_files_rfc4108 = asn1_rfc4108_asn1.x
+gen_files_tcg = asn1_tcg_asn1.x
 gen_files_ocsp = asn1_ocsp_asn1.x
 gen_files_pkinit = asn1_pkinit_asn1.x
 gen_files_pkcs10 = asn1_pkcs10_asn1.x
@@ -52,8 +54,7 @@ gen_files_test_template = test_template_asn1-template.x
 gen_files_test = asn1_test_asn1.x
 gen_files_digest = asn1_digest_asn1.x
 gen_files_kx509 = asn1_kx509_asn1.x
-gen_files_rfc4043 = asn1_rfc4043_asn1.x
-gen_files_rfc4108 = asn1_rfc4108_asn1.x
+gen_files_tcg = asn1_tcg_asn1.x
 
 oid_resolution.lo: $(BUILT_SOURCES)
 
@@ -147,6 +148,7 @@ CLEANFILES = \
 	$(gen_files_rfc2459) \
 	$(gen_files_rfc4043) \
 	$(gen_files_rfc4108) \
+	$(gen_files_tcg) \
 	$(gen_files_cms) \
 	$(gen_files_krb5) \
 	$(gen_files_ocsp) \
@@ -164,6 +166,7 @@ CLEANFILES = \
 	rfc2459_asn1_files rfc2459_asn1*.h* \
 	rfc4043_asn1_files rfc4043_asn1*.h* \
 	rfc4108_asn1_files rfc4108_asn1*.h* \
+	tcg_asn1_files tcg_asn1*.h* \
 	cms_asn1_files cms_asn1*.h* \
 	crmf_asn1_files crmf_asn1*.h* \
 	krb5_asn1_files krb5_asn1*.h* \
@@ -191,6 +194,7 @@ nodist_include_HEADERS += crmf_asn1.h
 nodist_include_HEADERS += rfc2459_asn1.h
 nodist_include_HEADERS += rfc4043_asn1.h
 nodist_include_HEADERS += rfc4108_asn1.h
+nodist_include_HEADERS += tcg_asn1.h
 nodist_include_HEADERS += ocsp_asn1.h
 nodist_include_HEADERS += pkcs8_asn1.h
 nodist_include_HEADERS += pkcs9_asn1.h
@@ -206,6 +210,7 @@ priv_headers += crmf_asn1-priv.h
 priv_headers += rfc2459_asn1-priv.h
 priv_headers += rfc4043_asn1-priv.h
 priv_headers += rfc4108_asn1-priv.h
+priv_headers += tcg_asn1-priv.h
 priv_headers += ocsp_asn1-priv.h
 priv_headers += pkcs8_asn1-priv.h
 priv_headers += pkcs9_asn1-priv.h
@@ -239,6 +244,7 @@ $(gen_files_kx509) kx509_asn1.hx kx509_asn1-priv.hx: kx509_asn1_files
 $(gen_files_rfc2459) rfc2459_asn1.hx rfc2459_asn1-priv.hx: rfc2459_asn1_files
 $(gen_files_rfc4043) rfc4043_asn1.hx rfc4043_asn1-priv.hx: rfc4043_asn1_files
 $(gen_files_rfc4108) rfc4108_asn1.hx rfc4108_asn1-priv.hx: rfc4108_asn1_files
+$(gen_files_tcg) tcg_asn1.hx tcg_asn1-priv.hx: tcg_asn1_files
 $(gen_files_cms) cms_asn1.hx cms_asn1-priv.hx: cms_asn1_files
 $(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
 $(gen_files_test) test_asn1.hx test_asn1-priv.hx: test_asn1_files
@@ -253,6 +259,9 @@ rfc4043_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc4043.asn1
 rfc4108_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc4108.asn1
 	$(ASN1_COMPILE) --one-code-file $(srcdir)/rfc4108.asn1 rfc4108_asn1 || (rm -f rfc4108_asn1_files ; exit 1)
 
+tcg_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/tcg.asn1
+	$(ASN1_COMPILE) --prefix-enum --one-code-file $(srcdir)/tcg.asn1 tcg_asn1 || (rm -f tcg_asn1_files ; exit 1)
+
 cms_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/cms.asn1 $(srcdir)/cms.opt
 	$(ASN1_COMPILE) --one-code-file --option-file=$(srcdir)/cms.opt $(srcdir)/cms.asn1 cms_asn1 || (rm -f cms_asn1_files ; exit 1)
 
@@ -317,6 +326,7 @@ EXTRA_DIST =		\
 	rfc2459.asn1	\
 	rfc4043.asn1	\
 	rfc4108.asn1	\
+	tcg.asn1	\
 	setchgpw2.asn1	\
 	test.asn1	\
 	test.gen	\

lib/asn1/NTMakefile

@@ -47,6 +47,8 @@ gen_files_rfc4043	= $(OBJ)\asn1_rfc4043_asn1.x
 
 gen_files_rfc4108	= $(OBJ)\asn1_rfc4108_asn1.x
 
+gen_files_tcg		= $(OBJ)\asn1_tcg_asn1.x
+
 gen_files_ocsp		= $(OBJ)\asn1_ocsp_asn1.x
 
 gen_files_pkinit	= $(OBJ)\asn1_pkinit_asn1.x
@@ -123,9 +125,10 @@ LIBASN1_OBJS=	\
 	$(gen_files_rfc2459:.x=.obj)	\
 	$(gen_files_rfc4043:.x=.obj)	\
 	$(gen_files_rfc4108:.x=.obj)	\
+	$(gen_files_tcg:.x=.obj)	\
 	$(gen_files_cms:.x=.obj)	\
 	$(gen_files_crmf:.x=.obj)	\
-	$(gen_files_krb5:.x=.obj)		\
+	$(gen_files_krb5:.x=.obj)	\
 	$(gen_files_ocsp:.x=.obj)	\
 	$(gen_files_pkinit:.x=.obj)	\
 	$(gen_files_pkcs8:.x=.obj)	\
@@ -185,6 +188,8 @@ $(gen_files_rfc4043:.x=.c)  : $$(@R).x
 
 $(gen_files_rfc4108:.x=.c)  : $$(@R).x
 
+$(gen_files_tcg:.x=.c)      : $$(@R).x
+
 $(gen_files_cms:.x=.c)	    : $$(@R).x
 
 $(gen_files_crmf:.x=.c)	    : $$(@R).x
@@ -281,6 +286,14 @@ $(gen_files_rfc4108) $(OBJ)\rfc4108_asn1.hx: $(BINDIR)\asn1_compile.exe rfc4108.
 	|| ($(RM) $(OBJ)\rfc4108_asn1.h ; exit /b 1)
 	cd $(SRCDIR)
 
+$(gen_files_tcg) $(OBJ)\tcg_asn1.hx: $(BINDIR)\asn1_compile.exe tcg.asn1
+	cd $(OBJ)
+	$(BINDIR)\asn1_compile.exe \
+		--one-code-file \
+		$(SRCDIR)\tcg.asn1 tcg_asn1 \
+	|| ($(RM) $(OBJ)\tcg_asn1.h ; exit /b 1)
+	cd $(SRCDIR)
+
 $(gen_files_cms) $(OBJ)\cms_asn1.hx: $(BINDIR)\asn1_compile.exe cms.asn1 cms.opt
 	cd $(OBJ)
 	$(BINDIR)\asn1_compile.exe \
@@ -332,6 +345,7 @@ GENINCFILES=			    \
 	$(INCDIR)\rfc2459_asn1.h    \
 	$(INCDIR)\rfc4043_asn1.h    \
 	$(INCDIR)\rfc4108_asn1.h    \
+	$(INCDIR)\tcg_asn1.h        \
 	$(OBJ)\krb5_asn1-priv.h	    \
 	$(OBJ)\ocsp_asn1-priv.h     \
 	$(OBJ)\pkinit_asn1-priv.h   \
@@ -340,6 +354,7 @@ GENINCFILES=			    \
 	$(OBJ)\rfc2459_asn1-priv.h  \
 	$(OBJ)\rfc4043_asn1-priv.h  \
 	$(OBJ)\rfc4108_asn1-priv.h  \
+	$(OBJ)\tcg_asn1-priv.h      \
 	$(OBJ)\pkcs8_asn1-priv.h    \
 	$(OBJ)\pkcs9_asn1-priv.h    \
 	$(OBJ)\pkcs10_asn1-priv.h   \

lib/asn1/libasn1-exports.def

@@ -241,6 +241,20 @@ EXPORTS
 	asn1_oid_id_x509_ce_subjectKeyIdentifier	DATA
 	asn1_oid_id_x520_at	DATA
 	asn1_oid_id_x9_57	DATA
+	asn1_oid_tcg_at_tpmManufacturer	DATA
+	asn1_oid_tcg_at_tpmModel	DATA
+	asn1_oid_tcg_at_tpmSecurityAssertions	DATA
+	asn1_oid_tcg_at_tpmSpecification	DATA
+	asn1_oid_tcg_at_tpmVersion	DATA
+	asn1_oid_tcg_attribute	DATA
+	asn1_oid_tcg_cap_verifiedTPMFixed	DATA
+	asn1_oid_tcg_cap_verifiedTPMResidency	DATA
+	asn1_oid_tcg_cap_verifiedTPMRestricted	DATA
+	asn1_oid_tcg	DATA
+	asn1_oid_tcg_kp	DATA
+	asn1_oid_tcg_kp_EKCertificate	DATA
+	asn1_oid_tcg_on_ekPermIdSha256	DATA
+	asn1_oid_tcg_tpm20	DATA
 	asn1_SAMFlags_units
 	asn1_TicketFlags_units
 	copy_AccessDescription
@@ -288,6 +302,7 @@ EXPORTS
 	copy_CMSIdentifier
 	copy_CMSRC2CBCParameter
 	copy_CMSVersion
+	copy_CommonCriteriaMeasures
 	copy_CommunityIdentifier
 	copy_CommunityIdentifiers
 	copy_ContentEncryptionAlgorithmIdentifier
@@ -326,6 +341,9 @@ EXPORTS
 	copy_ECDSA_Sig_Value
 	copy_ECParameters
 	copy_ECPoint
+	copy_EKCertificateGenerationLocation
+	copy_EKGenerationLocation
+	copy_EKGenerationType
 	copy_EncAPRepPart
 	copy_EncapsulatedContentInfo
 	copy_EncASRepPart
@@ -346,12 +364,15 @@ EXPORTS
 	copy_ETYPE_INFO2_ENTRY
 	copy_ETYPE_INFO_ENTRY
 	copy_EtypeList
+	copy_EvaluationAssuranceLevel
+	copy_EvaluationStatus
 	copy_Extension
 	copy_Extensions
 	copy_ExternalPrincipalIdentifier
 	copy_ExternalPrincipalIdentifiers
 	copy_ExtKeyUsage
 	copy_FastOptions
+	copy_FIPSLevel
 	copy_FirmwarePackageIdentifier
 	copy_FirmwarePackageInfo
 	copy_FirmwarePackageLoadError
@@ -517,12 +538,14 @@ EXPORTS
 	copy_RSAPrivateKey
 	copy_RSAPublicKey
 	copy_SAMFlags
+	copy_SecurityLevel
 	copy_SignatureAlgorithmIdentifier
 	copy_SignatureValue
 	copy_SignedData
 	copy_SignerIdentifier
 	copy_SignerInfo
 	copy_SignerInfos
+	copy_StrengthOfFunction
 	copy_SubjectInfoAccessSyntax
 	copy_SubjectKeyIdentifier
 	copy_SubjectPublicKeyInfo
@@ -537,6 +560,9 @@ EXPORTS
 	copy_Ticket
 	copy_TicketFlags
 	copy_Time
+	copy_TPMSecurityAssertions
+	copy_TPMSpecification
+	copy_TPMVersion
 	copy_TransitedEncoding
 	copy_TrustedCA
 	copy_TrustedCA_Win2k
@@ -544,6 +570,7 @@ EXPORTS
 	copy_TYPED_DATA
 	copy_UniqueIdentifier
 	copy_UnprotectedAttributes
+	copy_URIReference
 	copy_ValidationParms
 	copy_Validity
 	copy_VendorLoadErrorCode
@@ -594,6 +621,7 @@ EXPORTS
 	decode_CMSIdentifier
 	decode_CMSRC2CBCParameter
 	decode_CMSVersion
+	decode_CommonCriteriaMeasures
 	decode_CommunityIdentifier
 	decode_CommunityIdentifiers
 	decode_ContentEncryptionAlgorithmIdentifier
@@ -632,6 +660,9 @@ EXPORTS
 	decode_ECDSA_Sig_Value
 	decode_ECParameters
 	decode_ECPoint
+	decode_EKCertificateGenerationLocation
+	decode_EKGenerationLocation
+	decode_EKGenerationType
 	decode_EncAPRepPart
 	decode_EncapsulatedContentInfo
 	decode_EncASRepPart
@@ -652,12 +683,15 @@ EXPORTS
 	decode_ETYPE_INFO2_ENTRY
 	decode_ETYPE_INFO_ENTRY
 	decode_EtypeList
+	decode_EvaluationAssuranceLevel
+	decode_EvaluationStatus
 	decode_Extension
 	decode_Extensions
 	decode_ExternalPrincipalIdentifier
 	decode_ExternalPrincipalIdentifiers
 	decode_ExtKeyUsage
 	decode_FastOptions
+	decode_FIPSLevel
 	decode_FirmwarePackageIdentifier
 	decode_FirmwarePackageInfo
 	decode_FirmwarePackageLoadError
@@ -823,12 +857,14 @@ EXPORTS
 	decode_RSAPrivateKey
 	decode_RSAPublicKey
 	decode_SAMFlags
+	decode_SecurityLevel
 	decode_SignatureAlgorithmIdentifier
 	decode_SignatureValue
 	decode_SignedData
 	decode_SignerIdentifier
 	decode_SignerInfo
 	decode_SignerInfos
+	decode_StrengthOfFunction
 	decode_SubjectInfoAccessSyntax
 	decode_SubjectKeyIdentifier
 	decode_SubjectPublicKeyInfo
@@ -843,6 +879,9 @@ EXPORTS
 	decode_Ticket
 	decode_TicketFlags
 	decode_Time
+	decode_TPMSecurityAssertions
+	decode_TPMSpecification
+	decode_TPMVersion
 	decode_TransitedEncoding
 	decode_TrustedCA
 	decode_TrustedCA_Win2k
@@ -850,6 +889,7 @@ EXPORTS
 	decode_TYPED_DATA
 	decode_UniqueIdentifier
 	decode_UnprotectedAttributes
+	decode_URIReference
 	decode_ValidationParms
 	decode_Validity
 	decode_VendorLoadErrorCode
@@ -1027,6 +1067,7 @@ EXPORTS
 	encode_CMSIdentifier
 	encode_CMSRC2CBCParameter
 	encode_CMSVersion
+	encode_CommonCriteriaMeasures
 	encode_CommunityIdentifier
 	encode_CommunityIdentifiers
 	encode_ContentEncryptionAlgorithmIdentifier
@@ -1065,6 +1106,9 @@ EXPORTS
 	encode_ECDSA_Sig_Value
 	encode_ECParameters
 	encode_ECPoint
+	encode_EKCertificateGenerationLocation
+	encode_EKGenerationLocation
+	encode_EKGenerationType
 	encode_EncAPRepPart
 	encode_EncapsulatedContentInfo
 	encode_EncASRepPart
@@ -1085,12 +1129,15 @@ EXPORTS
 	encode_ETYPE_INFO2_ENTRY
 	encode_ETYPE_INFO_ENTRY
 	encode_EtypeList
+	encode_EvaluationAssuranceLevel
+	encode_EvaluationStatus
 	encode_Extension
 	encode_Extensions
 	encode_ExternalPrincipalIdentifier
 	encode_ExternalPrincipalIdentifiers
 	encode_ExtKeyUsage
 	encode_FastOptions
+	encode_FIPSLevel
 	encode_FirmwarePackageIdentifier
 	encode_FirmwarePackageInfo
 	encode_FirmwarePackageLoadError
@@ -1256,12 +1303,14 @@ EXPORTS
 	encode_RSAPrivateKey
 	encode_RSAPublicKey
 	encode_SAMFlags
+	encode_SecurityLevel
 	encode_SignatureAlgorithmIdentifier
 	encode_SignatureValue
 	encode_SignedData
 	encode_SignerIdentifier
 	encode_SignerInfo
 	encode_SignerInfos
+	encode_StrengthOfFunction
 	encode_SubjectInfoAccessSyntax
 	encode_SubjectKeyIdentifier
 	encode_SubjectPublicKeyInfo
@@ -1276,6 +1325,9 @@ EXPORTS
 	encode_Ticket
 	encode_TicketFlags
 	encode_Time
+	encode_TPMSecurityAssertions
+	encode_TPMSpecification
+	encode_TPMVersion
 	encode_TransitedEncoding
 	encode_TrustedCA
 	encode_TrustedCA_Win2k
@@ -1283,6 +1335,7 @@ EXPORTS
 	encode_TYPED_DATA
 	encode_UniqueIdentifier
 	encode_UnprotectedAttributes
+	encode_URIReference
 	encode_ValidationParms
 	encode_Validity
 	encode_VendorLoadErrorCode
@@ -1334,6 +1387,7 @@ EXPORTS
 	free_CMSIdentifier
 	free_CMSRC2CBCParameter
 	free_CMSVersion
+	free_CommonCriteriaMeasures
 	free_CommunityIdentifier
 	free_CommunityIdentifiers
 	free_ContentEncryptionAlgorithmIdentifier
@@ -1372,6 +1426,9 @@ EXPORTS
 	free_ECDSA_Sig_Value
 	free_ECParameters
 	free_ECPoint
+	free_EKCertificateGenerationLocation
+	free_EKGenerationLocation
+	free_EKGenerationType
 	free_EncAPRepPart
 	free_EncapsulatedContentInfo
 	free_EncASRepPart
@@ -1392,12 +1449,15 @@ EXPORTS
 	free_ETYPE_INFO2_ENTRY
 	free_ETYPE_INFO_ENTRY
 	free_EtypeList
+	free_EvaluationAssuranceLevel
+	free_EvaluationStatus
 	free_Extension
 	free_Extensions
 	free_ExternalPrincipalIdentifier
 	free_ExternalPrincipalIdentifiers
 	free_ExtKeyUsage
 	free_FastOptions
+	free_FIPSLevel
 	free_FirmwarePackageIdentifier
 	free_FirmwarePackageInfo
 	free_FirmwarePackageLoadError
@@ -1563,12 +1623,14 @@ EXPORTS
 	free_RSAPrivateKey
 	free_RSAPublicKey
 	free_SAMFlags
+	free_SecurityLevel
 	free_SignatureAlgorithmIdentifier
 	free_SignatureValue
 	free_SignedData
 	free_SignerIdentifier
 	free_SignerInfo
 	free_SignerInfos
+	free_StrengthOfFunction
 	free_SubjectInfoAccessSyntax
 	free_SubjectKeyIdentifier
 	free_SubjectPublicKeyInfo
@@ -1583,6 +1645,9 @@ EXPORTS
 	free_Ticket
 	free_TicketFlags
 	free_Time
+	free_TPMSecurityAssertions
+	free_TPMSpecification
+	free_TPMVersion
 	free_TransitedEncoding
 	free_TrustedCA
 	free_TrustedCA_Win2k
@@ -1590,6 +1655,7 @@ EXPORTS
 	free_TYPED_DATA
 	free_UniqueIdentifier
 	free_UnprotectedAttributes
+	free_URIReference
 	free_ValidationParms
 	free_Validity
 	free_VendorLoadErrorCode
@@ -1662,6 +1728,7 @@ EXPORTS
 	length_CMSIdentifier
 	length_CMSRC2CBCParameter
 	length_CMSVersion
+	length_CommonCriteriaMeasures
 	length_CommunityIdentifier
 	length_CommunityIdentifiers
 	length_ContentEncryptionAlgorithmIdentifier
@@ -1700,6 +1767,9 @@ EXPORTS
 	length_ECDSA_Sig_Value
 	length_ECParameters
 	length_ECPoint
+	length_EKCertificateGenerationLocation
+	length_EKGenerationLocation
+	length_EKGenerationType
 	length_EncAPRepPart
 	length_EncapsulatedContentInfo
 	length_EncASRepPart
@@ -1720,12 +1790,15 @@ EXPORTS
 	length_ETYPE_INFO2_ENTRY
 	length_ETYPE_INFO_ENTRY
 	length_EtypeList
+	length_EvaluationAssuranceLevel
+	length_EvaluationStatus
 	length_Extension
 	length_Extensions
 	length_ExternalPrincipalIdentifier
 	length_ExternalPrincipalIdentifiers
 	length_ExtKeyUsage
 	length_FastOptions
+	length_FIPSLevel
 	length_FirmwarePackageIdentifier
 	length_FirmwarePackageInfo
 	length_FirmwarePackageLoadError
@@ -1891,12 +1964,14 @@ EXPORTS
 	length_RSAPrivateKey
 	length_RSAPublicKey
 	length_SAMFlags
+	length_SecurityLevel
 	length_SignatureAlgorithmIdentifier
 	length_SignatureValue
 	length_SignedData
 	length_SignerIdentifier
 	length_SignerInfo
 	length_SignerInfos
+	length_StrengthOfFunction
 	length_SubjectInfoAccessSyntax
 	length_SubjectKeyIdentifier
 	length_SubjectPublicKeyInfo
@@ -1911,6 +1986,9 @@ EXPORTS
 	length_Ticket
 	length_TicketFlags
 	length_Time
+	length_TPMSecurityAssertions
+	length_TPMSpecification
+	length_TPMVersion
 	length_TransitedEncoding
 	length_TrustedCA
 	length_TrustedCA_Win2k
@@ -1918,6 +1996,7 @@ EXPORTS
 	length_TYPED_DATA
 	length_UniqueIdentifier
 	length_UnprotectedAttributes
+	length_URIReference
 	length_ValidationParms
 	length_Validity
 	length_VendorLoadErrorCode

lib/asn1/oid_resolution.c

@@ -46,6 +46,7 @@
 #include "pkcs9_asn1.h"
 #include "pkinit_asn1.h"
 #include "rfc2459_asn1.h"
+#include "tcg_asn1.h"
 
 
 struct sym_oid {
@@ -70,6 +71,7 @@ static const struct sym_oid sym_oids[] = {
 #include "pkcs9_asn1_oids.x"
 #include "pkinit_asn1_oids.x"
 #include "rfc2459_asn1_oids.x"
+#include "tcg_asn1_oids.x"
 };
 
 static size_t num_sym_oids = sizeof(sym_oids) / sizeof(sym_oids[0]);

lib/asn1/tcg.asn1

@@ -0,0 +1,161 @@
+TCG DEFINITIONS ::= BEGIN
+
+IMPORTS CertificateSerialNumber, AlgorithmIdentifier, Name,
+        Attribute, Certificate, SubjectKeyIdentifier FROM rfc2459
+        heim_any, heim_any_set FROM heim;
+
+
+-- BEGIN Heimdal commentary
+--
+-- Copy-pasted from section 4 of
+--   https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdf
+--   https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
+-- and adjusted to compile as follows:
+--
+--  - Extensibility markers added to all SEQUENCEs as per the TCG's spec they
+--    reserve the right to add fields in the future.
+--  - Information Object System annotations commented out (Heimdal does not
+--    support them)
+--  - Types sorted topologically (at the time I did that the Heimdal ASN.1
+--    compiler wouldn't do that on its own)
+--  - Two otherwise equal ENUMERATED types share a definition now (at the time
+--    the Heimdal ASN.1 compiler did not prefix labels of ENUMERATED types)
+--
+-- A small note for anyone whoever finds this: do not add complex structures as
+-- DN attributes, or, indeed, never add DN attributes again.  If some metadata
+-- is name-like, then add a subjectAlternativeName otherName for it, otherwise
+-- add a certificate extension to carry that metadata.  And, for any name-like
+-- metadata, always always include query and display syntax for it.
+--
+-- Anyone designing anything but the simplest schema in ASN.1 should have to
+-- learn a bit more about ASN.1 and/or get a review from ASN.1 experts.
+--
+-- Anyone designing anything but the simplest x.509 extensions should have to
+-- learn a bit more about ASN.1 and x.509 and/or get a review from x.509
+-- experts.
+--
+-- Note that a module OID was not provided.  Indeed, a valid, complete ASN.1
+-- module was not provided.
+--
+-- END Heimdal commentary (though some minor Heimdal commentary appears below)
+
+--TCG specific OIDs
+tcg OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) international-organizations(23) tcg(133)}
+tcg-attribute OBJECT IDENTIFIER ::= {tcg 2}
+tcg-kp OBJECT IDENTIFIER ::= {tcg 8}
+
+--TCG Attribute OIDs
+tcg-at-tpmManufacturer OBJECT IDENTIFIER ::= {tcg-attribute 1}
+tcg-at-tpmModel OBJECT IDENTIFIER ::= {tcg-attribute 2}
+tcg-at-tpmVersion OBJECT IDENTIFIER ::= {tcg-attribute 3}
+tcg-at-tpmSpecification OBJECT IDENTIFIER ::= {tcg-attribute 16}
+tcg-at-tpmSecurityAssertions OBJECT IDENTIFIER ::= {tcg-attribute 18}
+
+--TCG Key Purposes OIDs
+tcg-kp-EKCertificate OBJECT IDENTIFIER ::= {tcg-kp 1}
+
+-- OIDs not in the module in TCG_IWG_EKCredentialProfile_v2p3_r2_pub but in
+-- TCG_IWG_DevID_v1r2_02dec2020 (missing arc names not mentioned in the TCG
+-- specs):
+tcg-tpm20 OBJECT IDENTIFIER ::= {tcg 1 2} -- this OID is not named in the TCG specs
+tcg-on-ekPermIdSha256 OBJECT IDENTIFIER ::= {tcg 12 1}
+tcg-cap-verifiedTPMResidency OBJECT IDENTIFIER ::= {tcg 11 1 1} -- policy OID
+tcg-cap-verifiedTPMFixed OBJECT IDENTIFIER ::= {tcg 11 1 2} -- policy OID
+tcg-cap-verifiedTPMRestricted OBJECT IDENTIFIER ::= {tcg 11 1 3} -- policy OID
+
+EKGenerationType ::= ENUMERATED {
+    internal (0),
+    injected (1),
+    internalRevocable(2),
+    injectedRevocable(3)
+    }
+EKGenerationLocation ::= ENUMERATED {
+    tpmManufacturer (0),
+    platformManufacturer (1),
+    ekCertSigner (2)
+}
+EKCertificateGenerationLocation ::= EKGenerationLocation -- XXX
+EvaluationAssuranceLevel ::= ENUMERATED {
+    ealevell (1),
+    ealevel2 (2),
+    ealevel3 (3),
+    ealevel4 (4),
+    ealevel5 (5),
+    ealevel6 (6),
+    ealevel7 (7)
+}
+SecurityLevel ::= ENUMERATED {
+    sllevel1 (1),
+    sllevel2 (2),
+    sllevel3 (3),
+    sllevel4 (4)
+}
+StrengthOfFunction ::= ENUMERATED {
+    basic (0),
+    medium (1),
+    high (2)
+}
+URIReference ::= SEQUENCE {
+    uniformResourceIdentifier IA5String, -- (SIZE (1..URIMAX))
+    hashAlgorithm AlgorithmIdentifier OPTIONAL,
+    hashValue BIT STRING OPTIONAL
+}
+EvaluationStatus ::= ENUMERATED {
+    designedToMeet (0),
+    evaluationInProgress (1),
+    evaluationCompleted (2)
+}
+
+--tcg specification attributes for tpm
+-- tPMSpecification ATTRIBUTE ::= {WITH SYNTAX TPMSpecification ID tcg-at-tpmSpecification }
+TPMSpecification ::= SEQUENCE {
+    family UTF8String, -- (SIZE (1..STRMAX))
+    level INTEGER,
+    revision INTEGER,
+    ...
+}
+
+--manufacturer implementation model and version attributes
+-- TPMManufacturer ATTRIBUTE ::= {WITH SYNTAX UTF8String (SIZE (1..STRMAX)) ID tcg-at-tpmManufacturer }
+-- TPMModel ATTRIBUTE ::= {WITH SYNTAX UTF8String (SIZE (1..STRMAX)) ID tcg-at-tpmModel }
+-- TPMVersion ATTRIBUTE ::= {WITH SYNTAX UTF8String (SIZE (1..STRMAX)) ID tcg-at-tpmVersion }
+
+--common criteria evaluation
+CommonCriteriaMeasures ::= SEQUENCE {
+    version IA5String, -- (SIZE (1..STRMAX)) “2.2” or “3.1”;future syntax defined by CC
+    assurancelevel EvaluationAssuranceLevel,
+    evaluationStatus EvaluationStatus,
+    plus BOOLEAN DEFAULT FALSE,
+    strengthOfFunction [0] IMPLICIT StrengthOfFunction OPTIONAL,
+    profileOid [1] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
+    profileUri [2] IMPLICIT URIReference OPTIONAL,
+    targetOid [3] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
+    targetUri [4] IMPLICIT URIReference OPTIONAL,
+    ...
+}
+
+--fips evaluation
+FIPSLevel ::= SEQUENCE {
+    version IA5String, -- (SIZE (1..STRMAX)) “140-1” or “140-2”
+    level SecurityLevel,
+    plus BOOLEAN DEFAULT FALSE,
+    ...
+}
+
+--tpm security assertions
+TPMVersion ::= INTEGER { tpm-v1(0) }
+--tPMSecurityAssertions ATTRIBUTE ::= {WITH SYNTAX TPMSecurityAssertions ID tcg—at-tpmSecurityAssertions}
+TPMSecurityAssertions ::= SEQUENCE {
+    version TPMVersion DEFAULT 0, -- v1
+    fieldUpgradable BOOLEAN DEFAULT FALSE,
+    ekGenerationType [0] IMPLICIT EKGenerationType OPTIONAL,
+    ekGenerationLocation [1] IMPLICIT EKGenerationLocation OPTIONAL,
+    ekCertificateGenerationLocation [2] IMPLICIT EKCertificateGenerationLocation OPTIONAL,
+    ccInfo [3] IMPLICIT CommonCriteriaMeasures OPTIONAL,
+    fipsLevel [4] IMPLICIT FIPSLevel OPTIONAL,
+    iso9000Certified [5] IMPLICIT BOOLEAN DEFAULT FALSE,
+    iso9000Uri IA5String OPTIONAL, -- (SIZE (1..URIMAX))
+    ...
+}
+
+END