cbe156d927
- No more OpenSSL 1.x support - Remove 1DES and 3DES - Remove NETLOGON, NTLM (client and 'digest' service)
129 lines
4.2 KiB
Groff
129 lines
4.2 KiB
Groff
-- $Id$ --
|
|
|
|
PKCS12 DEFINITIONS ::=
|
|
|
|
BEGIN
|
|
|
|
IMPORTS ContentInfo FROM cms
|
|
DigestInfo, AlgorithmIdentifier FROM rfc2459
|
|
HEIM_ANY, HEIM_ANY_SET FROM heim;
|
|
|
|
-- The PFX PDU
|
|
|
|
id-pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
|
|
rsadsi(113549) pkcs(1) pkcs-12(12) }
|
|
|
|
id-pkcs-12PbeIds OBJECT IDENTIFIER ::= { id-pkcs-12 1}
|
|
id-pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 1}
|
|
id-pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 2}
|
|
id-pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 3}
|
|
id-pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 4}
|
|
id-pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 5}
|
|
id-pbewithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 6}
|
|
|
|
id-pkcs12-bagtypes OBJECT IDENTIFIER ::= { id-pkcs-12 10 1}
|
|
|
|
id-pkcs12-keyBag OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 1 }
|
|
id-pkcs12-pkcs8ShroudedKeyBag OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 2 }
|
|
id-pkcs12-certBag OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 3 }
|
|
id-pkcs12-crlBag OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 4 }
|
|
id-pkcs12-secretBag OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 5 }
|
|
id-pkcs12-safeContentsBag OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 6 }
|
|
|
|
|
|
PKCS12-MacData ::= SEQUENCE {
|
|
mac DigestInfo,
|
|
macSalt OCTET STRING,
|
|
iterations INTEGER OPTIONAL
|
|
}
|
|
|
|
PKCS12-PFX ::= SEQUENCE {
|
|
version INTEGER,
|
|
authSafe ContentInfo,
|
|
macData PKCS12-MacData OPTIONAL
|
|
}
|
|
|
|
PKCS12-AuthenticatedSafe ::= SEQUENCE OF ContentInfo
|
|
-- Data if unencrypted
|
|
-- EncryptedData if password-encrypted
|
|
-- EnvelopedData if public key-encrypted
|
|
|
|
PKCS12-Attribute ::= SEQUENCE {
|
|
attrId OBJECT IDENTIFIER,
|
|
attrValues -- SET OF -- HEIM_ANY_SET
|
|
}
|
|
|
|
PKCS12-Attributes ::= SET OF PKCS12-Attribute
|
|
|
|
PKCS12-SafeBag ::= SEQUENCE {
|
|
bagId OBJECT IDENTIFIER,
|
|
bagValue [0] HEIM_ANY,
|
|
bagAttributes PKCS12-Attributes OPTIONAL
|
|
}
|
|
|
|
PKCS12-SafeContents ::= SEQUENCE OF PKCS12-SafeBag
|
|
|
|
PKCS12-CertBag ::= SEQUENCE {
|
|
certType OBJECT IDENTIFIER,
|
|
certValue [0] HEIM_ANY
|
|
}
|
|
|
|
PKCS12-PBEParams ::= SEQUENCE {
|
|
salt OCTET STRING,
|
|
iterations INTEGER (0..4294967295) OPTIONAL
|
|
}
|
|
|
|
PKCS12-OctetString ::= OCTET STRING
|
|
|
|
-- KeyBag ::= PrivateKeyInfo
|
|
-- PKCS8ShroudedKeyBag ::= EncryptedPrivateKeyInfo
|
|
|
|
-- PKCS#5 v2.0/v2.1 (RFC 8018) definitions for modern PKCS#12 PBE
|
|
|
|
id-pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
|
|
rsadsi(113549) pkcs(1) pkcs-5(5) }
|
|
|
|
id-PBES2 OBJECT IDENTIFIER ::= { id-pkcs-5 13 }
|
|
id-PBKDF2 OBJECT IDENTIFIER ::= { id-pkcs-5 12 }
|
|
|
|
-- PBKDF2 PRF algorithm OIDs (from RFC 8018, using RSA DigestAlgorithm arc)
|
|
-- id-rsadsi OBJECT IDENTIFIER ::= { 1 2 840 113549 }
|
|
-- id-digestAlgorithm OBJECT IDENTIFIER ::= { id-rsadsi 2 }
|
|
id-hmacWithSHA1 OBJECT IDENTIFIER ::=
|
|
{ iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 }
|
|
id-hmacWithSHA256 OBJECT IDENTIFIER ::=
|
|
{ iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 }
|
|
id-hmacWithSHA384 OBJECT IDENTIFIER ::=
|
|
{ iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 }
|
|
id-hmacWithSHA512 OBJECT IDENTIFIER ::=
|
|
{ iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 }
|
|
|
|
-- PBES2 encryption scheme OIDs (from RFC 8018 / NIST)
|
|
id-aes128-CBC OBJECT IDENTIFIER ::=
|
|
{ joint-iso-itu-t(2) country(16) us(840) organization(1)
|
|
gov(101) csor(3) nistAlgorithms(4) aes(1) 2 }
|
|
id-aes192-CBC OBJECT IDENTIFIER ::=
|
|
{ joint-iso-itu-t(2) country(16) us(840) organization(1)
|
|
gov(101) csor(3) nistAlgorithms(4) aes(1) 22 }
|
|
id-aes256-CBC OBJECT IDENTIFIER ::=
|
|
{ joint-iso-itu-t(2) country(16) us(840) organization(1)
|
|
gov(101) csor(3) nistAlgorithms(4) aes(1) 42 }
|
|
|
|
-- PBKDF2-params (RFC 8018, Section A.2)
|
|
-- Note: salt can be CHOICE { specified OCTET STRING, otherSource AlgorithmIdentifier }
|
|
-- but in practice it's always an OCTET STRING, so we simplify
|
|
PBKDF2-params ::= SEQUENCE {
|
|
salt OCTET STRING,
|
|
iterationCount INTEGER (1..4294967295),
|
|
keyLength INTEGER (1..4294967295) OPTIONAL,
|
|
prf AlgorithmIdentifier OPTIONAL -- default id-hmacWithSHA1
|
|
}
|
|
|
|
-- PBES2-params (RFC 8018, Section A.4)
|
|
PBES2-params ::= SEQUENCE {
|
|
keyDerivationFunc AlgorithmIdentifier, -- id-PBKDF2
|
|
encryptionScheme AlgorithmIdentifier -- e.g., id-aes256-CBC
|
|
}
|
|
|
|
END
|