[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Unparseable PKCS#12 cert
From: |
Nikos Mavrogiannopoulos |
Subject: |
Re: Unparseable PKCS#12 cert |
Date: |
Sun, 02 Nov 2008 14:17:18 +0200 |
User-agent: |
Thunderbird 2.0.0.17 (X11/20080925) |
Joe Orton wrote:
> Hi folks, I've attached a PKCS#12 file which was apparently produced by
> the Bouncy Castle Java crypto toolkit; GnuTLS 2.5.6 + libtasn1 1.3 can't
> parse it. I haven't attempted to debug this any further.
>
> OpenSSL can parse it, though PKCS12_parse() failed to pair up the key
> and cert correctly (instead giving the key and embedded CA cert), which
> is why I heard about this. Just happened to try this cert with GnuTLS
> too.
>
> $ bin/certtool --p12-info --infile ~/TestUser.p12 --inder
> bin/certtool: p12_import: ASN1 parser: Error in TAG.
>
> The encryption password is "password".
The attached patch to libtasn1 should solve this issue[0]. It seems the
mozilla pkcs12 structure is BER encoded and our decoder worked with DER
data. Still our decoder lacks full BER support but at least with this
patch it can decode this structure.
regards,
Nikos
[0]. It also contains some optimizations in the libtasn1 tree generation.
diff --git a/NEWS b/NEWS
index 641646b..93d9494 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
Version 1.5 (unreleased)
- Update gnulib files.
- Fix memory leaks, from Christian Grothoff <address@hidden>.
+- Optimized tree generation
+- Decoder can now decode BER encoded octet strings
Version 1.4 (released 2008-04-21)
- Update gnulib files.
diff --git a/lib/decoding.c b/lib/decoding.c
index c1de9e6..51ecc01 100644
--- a/lib/decoding.c
+++ b/lib/decoding.c
@@ -33,8 +33,10 @@
#include "structure.h"
#include "element.h"
+static asn1_retCode
+_asn1_get_indefinite_length_string (const unsigned char *der, int *len);
-void
+static void
_asn1_error_description_tag_error (node_asn * node, char *ErrorDescription)
{
@@ -101,8 +103,6 @@ asn1_get_length_der (const unsigned char *der, int der_len,
int *len)
}
-
-
/**
* asn1_get_tag_der:
* @der: DER data to decode.
@@ -121,7 +121,7 @@ asn1_get_tag_der (const unsigned char *der, int der_len,
{
int punt, ris;
- if (der == NULL || der_len <= 0 || len == NULL)
+ if (der == NULL || der_len < 2 || len == NULL)
return ASN1_DER_ERROR;
*cls = der[0] & 0xE0;
@@ -160,8 +160,36 @@ asn1_get_tag_der (const unsigned char *der, int der_len,
return ASN1_SUCCESS;
}
-
-
+/**
+ * asn1_get_length_ber:
+ * @ber: BER data to decode.
+ * @ber_len: Length of BER data to decode.
+ * @len: Output variable containing the length of the BER length field.
+ *
+ * Extract a length field from BER data.
+ *
+ * Return value: Return the decoded length value, or negative value
+ * when the value was too big. The difference with asn1_get_length_der()
+ * is that it will return length even if the value has indefinite encoding.
+ *
+ **/
+long
+asn1_get_length_ber (const unsigned char *ber, int ber_len, int *len)
+{
+ int ret;
+ long err;
+
+ ret = asn1_get_length_der( ber, ber_len, len);
+ if (ret == -1)
+ { /* indefinite length method */
+ ret = ber_len;
+ err = _asn1_get_indefinite_length_string (ber+1, &ret);
+ if (err != ASN1_SUCCESS)
+ return -3;
+ }
+
+ return ret;
+}
/**
* asn1_get_octet_der:
@@ -268,9 +296,6 @@ _asn1_get_objectid_der (const unsigned char *der, int
der_len, int *ret_len,
*ret_len = len + len_len;
}
-
-
-
/**
* asn1_get_bit_der:
* @der: DER data to decode containing the BIT SEQUENCE.
@@ -349,15 +374,21 @@ _asn1_extract_tag_der (node_asn * node, const unsigned
char *der, int der_len,
(der + counter, der_len - counter, &class, &len2,
&tag) != ASN1_SUCCESS)
return ASN1_DER_ERROR;
+
if (counter + len2 > der_len)
return ASN1_DER_ERROR;
counter += len2;
+
len3 =
- asn1_get_length_der (der + counter, der_len - counter,
+ asn1_get_length_ber (der + counter, der_len - counter,
&len2);
if (len3 < 0)
return ASN1_DER_ERROR;
+
counter += len2;
+ if (counter > der_len)
+ return ASN1_DER_ERROR;
+
if (!is_tag_implicit)
{
if ((class != (class2 | ASN1_CLASS_STRUCTURED)) ||
@@ -369,7 +400,6 @@ _asn1_extract_tag_der (node_asn * node, const unsigned char
*der, int der_len,
if ((class != class_implicit) || (tag != tag_implicit))
return ASN1_TAG_ERROR;
}
-
is_tag_implicit = 0;
}
else
@@ -425,6 +455,7 @@ _asn1_extract_tag_der (node_asn * node, const unsigned char
*der, int der_len,
(der + counter, der_len - counter, &class, &len2,
&tag) != ASN1_SUCCESS)
return ASN1_DER_ERROR;
+
if (counter + len2 > der_len)
return ASN1_DER_ERROR;
@@ -565,12 +596,52 @@ _asn1_delete_not_used (node_asn * node)
return ASN1_SUCCESS;
}
+asn1_retCode _asn1_extract_der_octet(node_asn * node, const unsigned char
*der, int der_len)
+{
+int len2, len3;
+int counter2, counter_end;
+
+ len2 = asn1_get_length_der (der, der_len, &len3);
+ if (len2 < -1)
+ return ASN1_DER_ERROR;
+
+ counter2 = len3 + 1;
+
+ if (len2 == -1)
+ counter_end = der_len - 2;
+ else
+ counter_end = der_len;
+
+ while (counter2 < counter_end)
+ {
+ len2 = asn1_get_length_der (der + counter2, der_len - counter2, &len3);
+
+ if (len2 < -1)
+ return ASN1_DER_ERROR;
+
+ if (len2 > 0)
+ {
+ _asn1_append_value( node, der + counter2 + len3, len2);
+ }
+ else
+ { /* indefinite */
+
+ len2 = _asn1_extract_der_octet( node, der+counter2+len3,
der_len-counter2-len3);
+ if (len2 < 0)
+ return len2;
+ }
+
+ counter2 += len2 + len3 + 1;
+ }
+
+ return ASN1_SUCCESS;
+}
+
asn1_retCode
_asn1_get_octet_string (const unsigned char *der, node_asn * node, int *len)
{
- int len2, len3, counter, counter2, counter_end, tot_len, indefinite;
- unsigned char *temp, *temp2;
+ int len2, len3, counter, tot_len, indefinite;
counter = 0;
@@ -617,43 +688,20 @@ _asn1_get_octet_string (const unsigned char *der,
node_asn * node, int *len)
/* copy */
if (node)
{
- asn1_length_der (tot_len, NULL, &len2);
- temp = _asn1_malloc (len2 + tot_len);
- if (temp == NULL)
- {
- return ASN1_MEM_ALLOC_ERROR;
- }
+ unsigned char temp[DER_LEN];
+ int ret;
+
+ len2 = sizeof(temp);
asn1_length_der (tot_len, temp, &len2);
- tot_len += len2;
- temp2 = temp + len2;
- len2 = asn1_get_length_der (der, *len, &len3);
- if (len2 < -1)
- return ASN1_DER_ERROR;
- counter2 = len3 + 1;
-
- if (indefinite == -1)
- counter_end = counter - 2;
- else
- counter_end = counter;
+ _asn1_set_value (node, temp, len2);
- while (counter2 < counter_end)
- {
- len2 =
- asn1_get_length_der (der + counter2, *len - counter, &len3);
- if (len2 < -1)
- return ASN1_DER_ERROR;
+ tot_len += len2;
- /* FIXME: to be checked. Is this ok? Has the
- * size been checked before?
- */
- memcpy (temp2, der + counter2 + len3, len2);
- temp2 += len2;
- counter2 += len2 + len3 + 1;
- }
+ ret = _asn1_extract_der_octet(node, der, *len);
+ if (ret!=ASN1_SUCCESS)
+ return ret;
- _asn1_set_value (node, temp, tot_len);
- _asn1_free (temp);
}
}
else
@@ -673,8 +721,7 @@ _asn1_get_octet_string (const unsigned char *der, node_asn
* node, int *len)
}
-
-asn1_retCode
+static asn1_retCode
_asn1_get_indefinite_length_string (const unsigned char *der, int *len)
{
int len2, len3, counter, indefinite;
@@ -756,7 +803,7 @@ asn1_der_decoding (ASN1_TYPE * element, const void *ider,
int len,
node_asn *node, *p, *p2, *p3;
char temp[128];
int counter, len2, len3, len4, move, ris, tlen;
- unsigned char class, *temp2;
+ unsigned char class;
unsigned long tag;
int indefinite, result;
const unsigned char *der = ider;
@@ -1192,17 +1239,7 @@ asn1_der_decoding (ASN1_TYPE * element, const void
*ider, int len,
if (len4 != -1)
{
len2 += len4;
- asn1_length_der (len2 + len3, NULL, &len4);
- temp2 = (unsigned char *) _asn1_malloc (len2 + len3 + len4);
- if (temp2 == NULL)
- {
- asn1_delete_structure (element);
- return ASN1_MEM_ALLOC_ERROR;
- }
-
- asn1_octet_der (der + counter, len2 + len3, temp2, &len4);
- _asn1_set_value (p, temp2, len4);
- _asn1_free (temp2);
+ _asn1_set_value_octet (p, der+counter, len2+len3);
counter += len2 + len3;
}
else
@@ -1221,17 +1258,8 @@ asn1_der_decoding (ASN1_TYPE * element, const void
*ider, int len,
asn1_delete_structure (element);
return ris;
}
- asn1_length_der (len2, NULL, &len4);
- temp2 = (unsigned char *) _asn1_malloc (len2 + len4);
- if (temp2 == NULL)
- {
- asn1_delete_structure (element);
- return ASN1_MEM_ALLOC_ERROR;
- }
- asn1_octet_der (der + counter, len2, temp2, &len4);
- _asn1_set_value (p, temp2, len4);
- _asn1_free (temp2);
+ _asn1_set_value_octet (p, der+counter, len2);
counter += len2;
/* Check if a couple of 0x00 are present due to an EXPLICIT
TAG with
@@ -1877,19 +1905,8 @@ asn1_der_decoding_element (ASN1_TYPE * structure, const
char *elementName,
len2 += len4;
if (state == FOUND)
{
- asn1_length_der (len2 + len3, NULL, &len4);
- temp2 =
- (unsigned char *) _asn1_malloc (len2 + len3 + len4);
- if (temp2 == NULL)
- {
- asn1_delete_structure (structure);
- return ASN1_MEM_ALLOC_ERROR;
- }
-
- asn1_octet_der (der + counter, len2 + len3, temp2,
- &len4);
- _asn1_set_value (p, temp2, len4);
- _asn1_free (temp2);
+ _asn1_set_value_octet (p, der+counter, len2+len3);
+ temp2 = NULL;
if (p == nodeFound)
state = EXIT;
@@ -1915,17 +1932,7 @@ asn1_der_decoding_element (ASN1_TYPE * structure, const
char *elementName,
if (state == FOUND)
{
- asn1_length_der (len2, NULL, &len4);
- temp2 = (unsigned char *) _asn1_malloc (len2 + len4);
- if (temp2 == NULL)
- {
- asn1_delete_structure (structure);
- return ASN1_MEM_ALLOC_ERROR;
- }
-
- asn1_octet_der (der + counter, len2, temp2, &len4);
- _asn1_set_value (p, temp2, len4);
- _asn1_free (temp2);
+ _asn1_set_value_octet (p, der+counter, len2);
if (p == nodeFound)
state = EXIT;
diff --git a/lib/element.c b/lib/element.c
index 703276c..25ecd5a 100644
--- a/lib/element.c
+++ b/lib/element.c
@@ -417,19 +417,7 @@ asn1_write_value (ASN1_TYPE node_root, const char *name,
(!negative && (value_temp[k] & 0x80)))
k--;
- asn1_length_der (len - k, NULL, &len2);
- temp = (unsigned char *) _asn1_malloc (len - k + len2);
- if (temp == NULL)
- {
- _asn1_free (value_temp);
- return ASN1_MEM_ALLOC_ERROR;
- }
-
- asn1_octet_der (value_temp + k, len - k, temp, &len2);
- _asn1_set_value (node, temp, len2);
-
- _asn1_free (temp);
-
+ _asn1_set_value_octet (node, value_temp+k, len-k);
if (node->type & CONST_DEFAULT)
{
@@ -569,26 +557,12 @@ asn1_write_value (ASN1_TYPE node_root, const char *name,
case TYPE_OCTET_STRING:
if (len == 0)
len = strlen (value);
- asn1_length_der (len, NULL, &len2);
- temp = (unsigned char *) _asn1_malloc (len + len2);
- if (temp == NULL)
- return ASN1_MEM_ALLOC_ERROR;
-
- asn1_octet_der (value, len, temp, &len2);
- _asn1_set_value (node, temp, len2);
- _asn1_free (temp);
+ _asn1_set_value_octet (node, value, len);
break;
case TYPE_GENERALSTRING:
if (len == 0)
len = strlen (value);
- asn1_length_der (len, NULL, &len2);
- temp = (unsigned char *) _asn1_malloc (len + len2);
- if (temp == NULL)
- return ASN1_MEM_ALLOC_ERROR;
-
- asn1_octet_der (value, len, temp, &len2);
- _asn1_set_value (node, temp, len2);
- _asn1_free (temp);
+ _asn1_set_value_octet (node, value, len);
break;
case TYPE_BIT_STRING:
if (len == 0)
@@ -599,8 +573,8 @@ asn1_write_value (ASN1_TYPE node_root, const char *name,
return ASN1_MEM_ALLOC_ERROR;
asn1_bit_der (value, len, temp, &len2);
- _asn1_set_value (node, temp, len2);
- _asn1_free (temp);
+ _asn1_set_value_m (node, temp, len2);
+ temp = NULL;
break;
case TYPE_CHOICE:
p = node->down;
@@ -627,14 +601,7 @@ asn1_write_value (ASN1_TYPE node_root, const char *name,
return ASN1_ELEMENT_NOT_FOUND;
break;
case TYPE_ANY:
- asn1_length_der (len, NULL, &len2);
- temp = (unsigned char *) _asn1_malloc (len + len2);
- if (temp == NULL)
- return ASN1_MEM_ALLOC_ERROR;
-
- asn1_octet_der (value, len, temp, &len2);
- _asn1_set_value (node, temp, len2);
- _asn1_free (temp);
+ _asn1_set_value_octet (node, value, len);
break;
case TYPE_SEQUENCE_OF:
case TYPE_SET_OF:
diff --git a/lib/libtasn1.h b/lib/libtasn1.h
index fd35867..efcee0e 100644
--- a/lib/libtasn1.h
+++ b/lib/libtasn1.h
@@ -31,7 +31,7 @@ extern "C"
{
#endif
-#define LIBTASN1_VERSION "1.4"
+#define LIBTASN1_VERSION "1.5"
#include <sys/types.h>
#include <time.h>
@@ -105,11 +105,14 @@ extern "C"
/* that represent an ASN.1 DEFINITION. */
/******************************************************/
+#define SMALL_VALUE_SIZE 16
+
struct node_asn_struct
{
char *name; /* Node name */
unsigned int type; /* Node type */
unsigned char *value; /* Node value */
+ unsigned char small_value[SMALL_VALUE_SIZE]; /* if value is less than that
store it here */
int value_len;
struct node_asn_struct *down; /* Pointer to the son node */
struct node_asn_struct *right; /* Pointer to the brother node */
@@ -228,6 +231,8 @@ extern "C"
signed long asn1_get_length_der (const unsigned char *der, int der_len,
int *len);
+ long asn1_get_length_ber (const unsigned char *ber, int ber_len,
+ int *len);
void asn1_length_der (unsigned long int len, unsigned char *ans,
int *ans_len);
diff --git a/lib/parser_aux.c b/lib/parser_aux.c
index 51169b1..43522da 100644
--- a/lib/parser_aux.c
+++ b/lib/parser_aux.c
@@ -199,23 +199,27 @@ asn1_find_node (ASN1_TYPE pointer, const char *name)
/* Return: pointer to the NODE_ASN element. */
/******************************************************************/
node_asn *
-_asn1_set_value (node_asn * node, const void *_value, unsigned int len)
+_asn1_set_value (node_asn * node, const void *value, unsigned int len)
{
- const unsigned char *value = _value;
-
if (node == NULL)
return node;
if (node->value)
{
- _asn1_free (node->value);
+ if (node->value != node->small_value) _asn1_free (node->value);
node->value = NULL;
node->value_len = 0;
}
+
if (!len)
return node;
- node->value = (unsigned char *) _asn1_malloc (len);
- if (node->value == NULL)
- return NULL;
+
+ if (len < sizeof(node->small_value)) {
+ node->value = node->small_value;
+ } else {
+ node->value = _asn1_malloc (len);
+ if (node->value == NULL)
+ return NULL;
+ }
node->value_len = len;
memcpy (node->value, value, len);
@@ -223,6 +227,106 @@ _asn1_set_value (node_asn * node, const void *_value,
unsigned int len)
}
/******************************************************************/
+/* Function : _asn1_set_value_octet */
+/* Description: sets the field VALUE in a NODE_ASN element. The */
+/* previous value (if exist) will be lost. The value */
+/* given is stored as an octet string. */
+/* Parameters: */
+/* node: element pointer. */
+/* value: pointer to the value that you want to set. */
+/* len: character number of value. */
+/* Return: pointer to the NODE_ASN element. */
+/******************************************************************/
+node_asn *
+_asn1_set_value_octet (node_asn * node, const void *value, unsigned int len)
+{
+int len2;
+void* temp;
+
+ if (node == NULL)
+ return node;
+
+ asn1_length_der (len, NULL, &len2);
+ temp = (unsigned char *) _asn1_malloc (len + len2);
+ if (temp == NULL)
+ return NULL;
+
+ asn1_octet_der (value, len, temp, &len2);
+ return _asn1_set_value_m (node, temp, len2);
+}
+
+/* the same as _asn1_set_value except that it sets an already malloc'ed
+ * value.
+ */
+node_asn *
+_asn1_set_value_m (node_asn * node, void *value, unsigned int len)
+{
+ if (node == NULL)
+ return node;
+
+ if (node->value)
+ {
+ if (node->value != node->small_value) _asn1_free (node->value);
+ node->value = NULL;
+ node->value_len = 0;
+ }
+
+ if (!len)
+ return node;
+
+ node->value = value;
+ node->value_len = len;
+
+ return node;
+}
+
+/******************************************************************/
+/* Function : _asn1_append_value */
+/* Description: appends to the field VALUE in a NODE_ASN element. */
+/* */
+/* Parameters: */
+/* node: element pointer. */
+/* value: pointer to the value that you want to be appended. */
+/* len: character number of value. */
+/* Return: pointer to the NODE_ASN element. */
+/******************************************************************/
+node_asn *
+_asn1_append_value (node_asn * node, const void *value, unsigned int len)
+{
+ if (node == NULL)
+ return node;
+ if (node->value != NULL && node->value != node->small_value) /* value is
allocated */
+ {
+ int prev_len = node->value_len;
+ node->value_len+=len;
+ node->value = _asn1_realloc( node->value, node->value_len);
+ if (node->value == NULL) {
+ node->value_len = 0;
+ return NULL;
+ }
+ memcpy( &node->value[prev_len], value, len);
+
+ return node;
+ }
+ else if (node->value == node->small_value) /* value is in node */
+ {
+ int prev_len = node->value_len;
+ node->value_len+=len;
+ node->value = _asn1_malloc( node->value_len);
+ if (node->value == NULL) {
+ node->value_len = 0;
+ return NULL;
+ }
+ memcpy( node->value, node->small_value, prev_len);
+ memcpy( &node->value[prev_len], value, len);
+
+ return node;
+ }
+ else /* node->value == NULL */
+ return _asn1_set_value(node, value, len);
+}
+
+/******************************************************************/
/* Function : _asn1_set_name */
/* Description: sets the field NAME in a NODE_ASN element. The */
/* previous value (if exist) will be lost */
@@ -401,7 +505,7 @@ _asn1_remove_node (node_asn * node)
if (node->name != NULL)
_asn1_free (node->name);
- if (node->value != NULL)
+ if (node->value != NULL && node->value != node->small_value)
_asn1_free (node->value);
_asn1_free (node);
}
diff --git a/lib/parser_aux.h b/lib/parser_aux.h
index 3055510..6e18bb6 100644
--- a/lib/parser_aux.h
+++ b/lib/parser_aux.h
@@ -2,6 +2,7 @@
#ifndef _PARSER_AUX_H
#define _PARSER_AUX_H
+#define DER_LEN 16
/***************************************/
/* Functions used by ASN.1 parser */
@@ -13,6 +14,15 @@ node_asn *
_asn1_set_value(node_asn *node,const void *value,unsigned int len);
node_asn *
+_asn1_set_value_m(node_asn *node,void *value,unsigned int len);
+
+node_asn *
+_asn1_set_value_octet(node_asn *node,const void *value,unsigned int len);
+
+node_asn *
+_asn1_append_value(node_asn *node,const void *value,unsigned int len);
+
+node_asn *
_asn1_set_name(node_asn *node,const char *name);
node_asn *
diff --git a/tests/Makefile.am b/tests/Makefile.am
index dc30d80..2095311 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -22,7 +22,7 @@ AM_LDFLAGS = -no-install
LDADD = ../lib/libtasn1.la
EXTRA_DIST = Test_parser.asn Test_tree.asn Test_tree_asn1_tab.c \
- Test_encoding.asn
+ Test_encoding.asn pkix.asn TestIndef.p12
# For crlf.
EXTRA_DIST += crlf.cer
@@ -30,12 +30,15 @@ dist_check_SCRIPTS = crlf
MOSTLYCLEANFILES = Test_parser_ERROR.asn
-check_PROGRAMS = Test_parser Test_tree Test_encoding
+check_PROGRAMS = Test_parser Test_tree Test_encoding Test_indefinite
-TESTS = Test_parser Test_tree Test_encoding crlf
+TESTS = Test_parser Test_tree Test_encoding Test_indefinite crlf
TESTS_ENVIRONMENT = \
ASN1PARSER=$(srcdir)/Test_parser.asn \
ASN1TREE=$(srcdir)/Test_tree.asn \
+ ASN1PKIX=$(srcdir)/pkix.asn \
+ ASN1PKIX=$(srcdir)/pkix.asn \
+ ASN1INDEF=$(srcdir)/TestIndef.p12 \
ASN1ENCODING=$(srcdir)/Test_encoding.asn \
$(VALGRIND)
diff --git a/tests/TestIndef.p12 b/tests/TestIndef.p12
new file mode 100644
index 0000000..285d8dd
Binary files /dev/null and b/tests/TestIndef.p12 differ
diff --git a/tests/Test_indefinite.c b/tests/Test_indefinite.c
new file mode 100644
index 0000000..9f6df7b
--- /dev/null
+++ b/tests/Test_indefinite.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2006, 2007 Free Software Foundation
+ * Copyright (C) 2002 Fabio Fiorina
+ *
+ * This file is part of LIBTASN1.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+/*****************************************************/
+/* File: Test_tree.c */
+/* Description: Test sequences for these functions: */
+/* asn1_visit_tree, */
+/* asn1_create_structure, */
+/* asn1_delete_structure, */
+/* asn1_write_value, */
+/* asn1_read_value, */
+/*****************************************************/
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "libtasn1.h"
+
+
+
+int
+main(int argc,char *argv[])
+{
+ asn1_retCode result;
+ char buffer[10*1024];
+ ASN1_TYPE definitions=ASN1_TYPE_EMPTY;
+ ASN1_TYPE asn1_element=ASN1_TYPE_EMPTY;
+ char errorDescription[MAX_ERROR_DESCRIPTION_SIZE];
+ FILE *out, *fd;
+ ssize_t size;
+ const char *treefile = getenv ("ASN1PKIX");
+ const char *indeffile = getenv ("ASN1INDEF");
+
+ if (!treefile)
+ treefile = "pkix.asn";
+
+ if (!indeffile)
+ indeffile = "TestIndef.p12";
+
+ printf("\n\n/****************************************/\n");
+ printf( "/* Test sequence : Test_indefinite */\n");
+ printf( "/****************************************/\n\n");
+ printf("ASN1TREE: %s\n", treefile);
+
+ /* Check version */
+ if(asn1_check_version("0.2.11")==NULL)
+ printf("\nLibrary version check ERROR:\n actual version:
%s\n\n",asn1_check_version(NULL));
+
+ result=asn1_parser2tree(treefile,&definitions,errorDescription);
+ if(result!=ASN1_SUCCESS){
+ libtasn1_perror(result);
+ printf("ErrorDescription = %s\n\n",errorDescription);
+ exit(1);
+ }
+
+ out=stdout;
+
+ fd = fopen(indeffile, "r");
+ if (fd == NULL) {
+ printf("Cannot read file %s\n", indeffile);
+ exit(1);
+ }
+ size = fread(buffer, 1, sizeof(buffer), fd);
+ if (size <= 0) {
+ printf("Cannot read from file %s\n", indeffile);
+ exit(1);
+ }
+
+ fclose(fd);
+
+ result=asn1_create_element(definitions,"PKIX1.pkcs-12-PFX",&asn1_element);
+ if (result != ASN1_SUCCESS) {
+ libtasn1_perror(result);
+ printf("Cannot create PKCS12 element\n");
+ exit(1);
+ }
+
+ result=asn1_der_decoding(&asn1_element,buffer,size,
+ errorDescription);
+ if (result != ASN1_SUCCESS) {
+ libtasn1_perror(result);
+ printf("Cannot decode BER data (size %d)\n", size);
+ exit(1);
+ }
+
+ /* Clear the definition structures */
+ asn1_delete_structure(&definitions);
+ asn1_delete_structure(&asn1_element);
+
+ if(out != stdout) fclose(out);
+
+ exit(0);
+}
+
+
+
+
+
+
+
+
+
diff --git a/tests/pkix.asn b/tests/pkix.asn
new file mode 100644
index 0000000..d46dfa0
--- /dev/null
+++ b/tests/pkix.asn
@@ -0,0 +1,1241 @@
+
+PKIX1 { }
+
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+-- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
+
+-- ISO arc for standard certificate and CRL extensions
+
+id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
+
+
+-- authority key identifier OID and syntax
+
+id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
+
+AuthorityKeyIdentifier ::= SEQUENCE {
+ keyIdentifier [0] KeyIdentifier OPTIONAL,
+ authorityCertIssuer [1] GeneralNames OPTIONAL,
+ authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
+ -- authorityCertIssuer and authorityCertSerialNumber shall both
+ -- be present or both be absgent
+
+KeyIdentifier ::= OCTET STRING
+
+-- subject key identifier OID and syntax
+
+id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
+
+SubjectKeyIdentifier ::= KeyIdentifier
+
+-- key usage extension OID and syntax
+
+id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1),
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8) }
+
+-- private key usage period extension OID and syntax
+
+id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
+
+PrivateKeyUsagePeriod ::= SEQUENCE {
+ notBefore [0] GeneralizedTime OPTIONAL,
+ notAfter [1] GeneralizedTime OPTIONAL }
+ -- either notBefore or notAfter shall be present
+
+-- certificate policies extension OID and syntax
+
+id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
+
+CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+
+PolicyInformation ::= SEQUENCE {
+ policyIdentifier CertPolicyId,
+ policyQualifiers SEQUENCE SIZE (1..MAX) OF
+ PolicyQualifierInfo OPTIONAL }
+
+CertPolicyId ::= OBJECT IDENTIFIER
+
+PolicyQualifierInfo ::= SEQUENCE {
+ policyQualifierId PolicyQualifierId,
+ qualifier ANY DEFINED BY policyQualifierId }
+
+-- Implementations that recognize additional policy qualifiers shall
+-- augment the following definition for PolicyQualifierId
+
+PolicyQualifierId ::=
+ OBJECT IDENTIFIER -- ( id-qt-cps | id-qt-unotice )
+
+-- CPS pointer qualifier
+
+CPSuri ::= IA5String
+
+-- user notice qualifier
+
+UserNotice ::= SEQUENCE {
+ noticeRef NoticeReference OPTIONAL,
+ explicitText DisplayText OPTIONAL}
+
+NoticeReference ::= SEQUENCE {
+ organization DisplayText,
+ noticeNumbers SEQUENCE OF INTEGER }
+
+DisplayText ::= CHOICE {
+ visibleString VisibleString (SIZE (1..200)),
+ bmpString BMPString (SIZE (1..200)),
+ utf8String UTF8String (SIZE (1..200)) }
+
+-- policy mapping extension OID and syntax
+
+id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
+
+PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ issuerDomainPolicy CertPolicyId,
+ subjectDomainPolicy CertPolicyId }
+
+-- subject alternative name extension OID and syntax
+
+-- Directory string type --
+
+DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1..MAX)),
+ bmpString BMPString (SIZE(1..MAX)),
+ -- IA5String is added here to handle old UID encoded as ia5String --
+ -- See tests/userid/ for more information. It shouldn't be here, --
+ -- so if it causes problems, considering dropping it. --
+ ia5String IA5String (SIZE(1..MAX)) }
+
+id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
+
+SubjectAltName ::= GeneralNames
+
+GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+
+GeneralName ::= CHOICE {
+ otherName [0] AnotherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+-- Changed to work with the libtasn1 parser.
+ directoryName [4] EXPLICIT RDNSequence, --Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER }
+
+-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
+-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
+
+AnotherName ::= SEQUENCE {
+ type-id OBJECT IDENTIFIER,
+ value [0] EXPLICIT ANY DEFINED BY type-id }
+
+EDIPartyName ::= SEQUENCE {
+ nameAssigner [0] DirectoryString OPTIONAL,
+ partyName [1] DirectoryString }
+
+-- issuer alternative name extension OID and syntax
+
+id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
+
+IssuerAltName ::= GeneralNames
+
+id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
+
+SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+
+-- basic constraints extension OID and syntax
+
+id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
+
+BasicConstraints ::= SEQUENCE {
+ cA BOOLEAN DEFAULT FALSE,
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+
+-- name constraints extension OID and syntax
+
+id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
+
+NameConstraints ::= SEQUENCE {
+ permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+
+GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+
+GeneralSubtree ::= SEQUENCE {
+ base GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL }
+
+BaseDistance ::= INTEGER (0..MAX)
+
+-- policy constraints extension OID and syntax
+
+id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
+
+PolicyConstraints ::= SEQUENCE {
+ requireExplicitPolicy [0] SkipCerts OPTIONAL,
+ inhibitPolicyMapping [1] SkipCerts OPTIONAL }
+
+SkipCerts ::= INTEGER (0..MAX)
+
+-- CRL distribution points extension OID and syntax
+
+id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
+
+CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+
+DistributionPoint ::= SEQUENCE {
+ distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL,
+ reasons [1] ReasonFlags OPTIONAL,
+ cRLIssuer [2] GeneralNames OPTIONAL
+}
+
+DistributionPointName ::= CHOICE {
+ fullName [0] GeneralNames,
+ nameRelativeToCRLIssuer [1] RelativeDistinguishedName
+}
+
+ReasonFlags ::= BIT STRING {
+ unused (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ privilegeWithdrawn (7),
+ aACompromise (8) }
+
+-- extended key usage extension OID and syntax
+
+id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
+
+ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+
+KeyPurposeId ::= OBJECT IDENTIFIER
+
+-- extended key purpose OIDs
+id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
+id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
+id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
+id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 }
+id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 }
+id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 }
+id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
+
+-- authority info access
+
+id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+
+AuthorityInfoAccessSyntax ::=
+ SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+AccessDescription ::= SEQUENCE {
+ accessMethod OBJECT IDENTIFIER,
+ accessLocation GeneralName }
+
+-- CRL number extension OID and syntax
+
+id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
+
+CRLNumber ::= INTEGER (0..MAX)
+
+-- issuing distribution point extension OID and syntax
+
+id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+
+IssuingDistributionPoint ::= SEQUENCE {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
+ onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
+ onlySomeReasons [3] ReasonFlags OPTIONAL,
+ indirectCRL [4] BOOLEAN DEFAULT FALSE }
+
+
+id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
+
+-- deltaCRLIndicator ::= BaseCRLNumber
+
+BaseCRLNumber ::= CRLNumber
+
+-- CRL reasons extension OID and syntax
+
+id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
+
+CRLReason ::= ENUMERATED {
+ unspecified (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ removeFromCRL (8) }
+
+-- certificate issuer CRL entry extension OID and syntax
+
+id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
+
+CertificateIssuer ::= GeneralNames
+
+-- hold instruction extension OID and syntax
+
+id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
+
+HoldInstructionCode ::= OBJECT IDENTIFIER
+
+-- ANSI x9 holdinstructions
+
+-- ANSI x9 arc holdinstruction arc
+holdInstruction OBJECT IDENTIFIER ::=
+ {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
+
+-- ANSI X9 holdinstructions referenced by this standard
+id-holdinstruction-none OBJECT IDENTIFIER ::=
+ {holdInstruction 1} -- deprecated
+id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
+ {holdInstruction 2}
+id-holdinstruction-reject OBJECT IDENTIFIER ::=
+ {holdInstruction 3}
+
+-- invalidity date CRL entry extension OID and syntax
+
+id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
+
+InvalidityDate ::= GeneralizedTime
+
+
+-- --------------------------------------
+-- EXPLICIT
+-- --------------------------------------
+
+-- UNIVERSAL Types defined in '93 and '98 ASN.1
+-- but required by this specification
+
+VisibleString ::= [UNIVERSAL 26] IMPLICIT OCTET STRING
+
+NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING
+
+IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING
+
+TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING
+
+PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING
+
+UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
+ -- UniversalString is defined in ASN.1:1993
+
+BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
+ -- BMPString is the subtype of UniversalString and models
+ -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1
+
+UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+ -- The content of this type conforms to RFC 2279.
+
+
+-- PKIX specific OIDs
+
+id-pkix OBJECT IDENTIFIER ::=
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) }
+
+-- PKIX arcs
+
+id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
+ -- arc for private certificate extensions
+id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+ -- arc for policy qualifier types
+id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+ -- arc for extended key purpose OIDS
+id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+ -- arc for access descriptors
+
+-- policyQualifierIds for Internet policy qualifiers
+
+id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
+ -- OID for CPS qualifier
+id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
+ -- OID for user notice qualifier
+
+-- access descriptor definitions
+
+id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
+id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+
+-- attribute data types --
+
+Attribute ::= SEQUENCE {
+ type AttributeType,
+ values SET OF AttributeValue
+ -- at least one value is required --
+}
+
+AttributeType ::= OBJECT IDENTIFIER
+
+AttributeValue ::= ANY DEFINED BY type
+
+AttributeTypeAndValue ::= SEQUENCE {
+ type AttributeType,
+ value AttributeValue }
+
+-- suggested naming attributes: Definition of the following
+-- information object set may be augmented to meet local
+-- requirements. Note that deleting members of the set may
+-- prevent interoperability with conforming implementations.
+-- presented in pairs: the AttributeType followed by the
+-- type definition for the corresponding AttributeValue
+
+-- Arc for standard naming attributes
+id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
+
+-- Attributes of type NameDirectoryString
+id-at-initials AttributeType ::= { id-at 43 }
+X520initials ::= DirectoryString
+
+id-at-generationQualifier AttributeType ::= { id-at 44 }
+X520generationQualifier ::= DirectoryString
+
+id-at-surname AttributeType ::= { id-at 4 }
+X520surName ::= DirectoryString
+
+id-at-givenName AttributeType ::= { id-at 42 }
+X520givenName ::= DirectoryString
+
+id-at-name AttributeType ::= { id-at 41 }
+X520name ::= DirectoryString
+
+id-at-commonName AttributeType ::= {id-at 3}
+X520CommonName ::= DirectoryString
+
+id-at-localityName AttributeType ::= {id-at 7}
+X520LocalityName ::= DirectoryString
+
+id-at-stateOrProvinceName AttributeType ::= {id-at 8}
+X520StateOrProvinceName ::= DirectoryString
+
+id-at-organizationName AttributeType ::= {id-at 10}
+X520OrganizationName ::= DirectoryString
+
+id-at-organizationalUnitName AttributeType ::= {id-at 11}
+X520OrganizationalUnitName ::= DirectoryString
+
+id-at-title AttributeType ::= {id-at 12}
+X520Title ::= DirectoryString
+
+id-at-description AttributeType ::= {id-at 13}
+X520Description ::= DirectoryString
+
+id-at-dnQualifier AttributeType ::= {id-at 46}
+X520dnQualifier ::= PrintableString
+
+id-at-countryName AttributeType ::= {id-at 6}
+X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes
+
+id-at-serialNumber AttributeType ::= {id-at 5}
+X520serialNumber ::= PrintableString
+
+id-at-telephoneNumber AttributeType ::= {id-at 20}
+X520telephoneNumber ::= PrintableString
+
+id-at-facsimileTelephoneNumber AttributeType ::= {id-at 23}
+X520facsimileTelephoneNumber ::= PrintableString
+
+id-at-pseudonym AttributeType ::= {id-at 65}
+X520pseudonym ::= DirectoryString
+
+id-at-name AttributeType ::= {id-at 41}
+X520name ::= DirectoryString
+
+id-at-streetAddress AttributeType ::= {id-at 9}
+X520streetAddress ::= DirectoryString
+
+id-at-postalAddress AttributeType ::= {id-at 16}
+X520postalAddress ::= PostalAddress
+
+PostalAddress ::= SEQUENCE OF DirectoryString
+
+
+ -- Legacy attributes
+
+pkcs OBJECT IDENTIFIER ::=
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) }
+
+pkcs-9 OBJECT IDENTIFIER ::=
+ { pkcs 9 }
+
+
+emailAddress AttributeType ::= { pkcs-9 1 }
+
+Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
+
+-- naming data types --
+
+Name ::= CHOICE { -- only one possibility for now --
+ rdnSequence RDNSequence }
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+DistinguishedName ::= RDNSequence
+
+RelativeDistinguishedName ::=
+ SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+
+
+
+-- --------------------------------------------------------
+-- certificate and CRL specific structures begin here
+-- --------------------------------------------------------
+
+Certificate ::= SEQUENCE {
+ tbsCertificate TBSCertificate,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING }
+
+TBSCertificate ::= SEQUENCE {
+ version [0] EXPLICIT Version DEFAULT v1,
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version shall be v2 or v3
+ subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version shall be v2 or v3
+ extensions [3] EXPLICIT Extensions OPTIONAL
+ -- If present, version shall be v3 --
+}
+
+Version ::= INTEGER { v1(0), v2(1), v3(2) }
+
+CertificateSerialNumber ::= INTEGER
+
+Validity ::= SEQUENCE {
+ notBefore Time,
+ notAfter Time }
+
+Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+UniqueIdentifier ::= BIT STRING
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING }
+
+Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+Extension ::= SEQUENCE {
+ extnID OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING }
+
+
+-- ------------------------------------------
+-- CRL structures
+-- ------------------------------------------
+
+CertificateList ::= SEQUENCE {
+ tbsCertList TBSCertList,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING }
+
+TBSCertList ::= SEQUENCE {
+ version Version OPTIONAL,
+ -- if present, shall be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates SEQUENCE OF SEQUENCE {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+ crlExtensions [0] EXPLICIT Extensions OPTIONAL
+ -- if present, shall be v2 --
+}
+
+-- Version, Time, CertificateSerialNumber, and Extensions were
+-- defined earlier for use in the certificate structure
+
+AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+ -- contains a value of the type
+ -- registered for use with the
+ -- algorithm object identifier value
+
+-- Algorithm OIDs and parameter structures
+
+pkcs-1 OBJECT IDENTIFIER ::= {
+ pkcs 1 }
+
+rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
+
+md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
+
+md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
+
+sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
+
+id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
+
+Dss-Sig-Value ::= SEQUENCE {
+ r INTEGER,
+ s INTEGER
+}
+
+dhpublicnumber OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
+
+DomainParameters ::= SEQUENCE {
+ p INTEGER, -- odd prime, p=jq +1
+ g INTEGER, -- generator, g
+ q INTEGER, -- factor of p-1
+ j INTEGER OPTIONAL, -- subgroup factor, j>= 2
+ validationParms ValidationParms OPTIONAL }
+
+ValidationParms ::= SEQUENCE {
+ seed BIT STRING,
+ pgenCounter INTEGER }
+
+id-dsa OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
+
+Dss-Parms ::= SEQUENCE {
+ p INTEGER,
+ q INTEGER,
+ g INTEGER }
+
+-- x400 address syntax starts here
+-- OR Names
+
+ORAddress ::= SEQUENCE {
+ built-in-standard-attributes BuiltInStandardAttributes,
+ built-in-domain-defined-attributes
+ BuiltInDomainDefinedAttributes OPTIONAL,
+ -- see also teletex-domain-defined-attributes
+ extension-attributes ExtensionAttributes OPTIONAL }
+-- The OR-address is semantically absent from the OR-name if the
+-- built-in-standard-attribute sequence is empty and the
+-- built-in-domain-defined-attributes and extension-attributes are
+-- both omitted.
+
+-- Built-in Standard Attributes
+
+BuiltInStandardAttributes ::= SEQUENCE {
+ country-name CountryName OPTIONAL,
+ administration-domain-name AdministrationDomainName OPTIONAL,
+ network-address [0] EXPLICIT NetworkAddress OPTIONAL,
+ -- see also extended-network-address
+ terminal-identifier [1] EXPLICIT TerminalIdentifier OPTIONAL,
+ private-domain-name [2] EXPLICIT PrivateDomainName OPTIONAL,
+ organization-name [3] EXPLICIT OrganizationName OPTIONAL,
+ -- see also teletex-organization-name
+ numeric-user-identifier [4] EXPLICIT NumericUserIdentifier OPTIONAL,
+ personal-name [5] EXPLICIT PersonalName OPTIONAL,
+ -- see also teletex-personal-name
+ organizational-unit-names [6] EXPLICIT OrganizationalUnitNames OPTIONAL
+ -- see also teletex-organizational-unit-names --
+}
+
+CountryName ::= [APPLICATION 1] CHOICE {
+ x121-dcc-code NumericString
+ (SIZE (ub-country-name-numeric-length)),
+ iso-3166-alpha2-code PrintableString
+ (SIZE (ub-country-name-alpha-length)) }
+
+AdministrationDomainName ::= [APPLICATION 2] EXPLICIT CHOICE {
+ numeric NumericString (SIZE (0..ub-domain-name-length)),
+ printable PrintableString (SIZE (0..ub-domain-name-length)) }
+
+NetworkAddress ::= X121Address -- see also extended-network-address
+
+X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
+
+TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
+
+PrivateDomainName ::= CHOICE {
+ numeric NumericString (SIZE (1..ub-domain-name-length)),
+ printable PrintableString (SIZE (1..ub-domain-name-length)) }
+
+OrganizationName ::= PrintableString
+ (SIZE (1..ub-organization-name-length))
+-- see also teletex-organization-name
+
+NumericUserIdentifier ::= NumericString
+ (SIZE (1..ub-numeric-user-id-length))
+
+PersonalName ::= SET {
+ surname [0] PrintableString (SIZE (1..ub-surname-length)),
+ given-name [1] PrintableString
+ (SIZE (1..ub-given-name-length)) OPTIONAL,
+ initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
+ generation-qualifier [3] PrintableString
+ (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
+-- see also teletex-personal-name
+
+OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
+ OF OrganizationalUnitName
+-- see also teletex-organizational-unit-names
+
+OrganizationalUnitName ::= PrintableString (SIZE
+ (1..ub-organizational-unit-name-length))
+
+-- Built-in Domain-defined Attributes
+
+BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
+ (1..ub-domain-defined-attributes) OF
+ BuiltInDomainDefinedAttribute
+
+BuiltInDomainDefinedAttribute ::= SEQUENCE {
+ type PrintableString (SIZE
+ (1..ub-domain-defined-attribute-type-length)),
+ value PrintableString (SIZE
+ (1..ub-domain-defined-attribute-value-length))}
+
+-- Extension Attributes
+
+ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
+ ExtensionAttribute
+
+ExtensionAttribute ::= SEQUENCE {
+ extension-attribute-type [0] EXPLICIT INTEGER (0..ub-extension-attributes),
+ extension-attribute-value [1] EXPLICIT
+ ANY DEFINED BY extension-attribute-type }
+
+-- Extension types and attribute values
+--
+
+common-name INTEGER ::= 1
+
+CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
+
+teletex-common-name INTEGER ::= 2
+
+TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
+
+teletex-organization-name INTEGER ::= 3
+
+TeletexOrganizationName ::=
+ TeletexString (SIZE (1..ub-organization-name-length))
+
+teletex-personal-name INTEGER ::= 4
+
+TeletexPersonalName ::= SET {
+ surname [0] EXPLICIT TeletexString (SIZE (1..ub-surname-length)),
+ given-name [1] EXPLICIT TeletexString
+ (SIZE (1..ub-given-name-length)) OPTIONAL,
+ initials [2] EXPLICIT TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
+ generation-qualifier [3] EXPLICIT TeletexString (SIZE
+ (1..ub-generation-qualifier-length)) OPTIONAL }
+
+teletex-organizational-unit-names INTEGER ::= 5
+
+TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
+ (1..ub-organizational-units) OF TeletexOrganizationalUnitName
+
+TeletexOrganizationalUnitName ::= TeletexString
+ (SIZE (1..ub-organizational-unit-name-length))
+
+pds-name INTEGER ::= 7
+
+PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
+
+physical-delivery-country-name INTEGER ::= 8
+
+PhysicalDeliveryCountryName ::= CHOICE {
+ x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
+ iso-3166-alpha2-code PrintableString
+ (SIZE (ub-country-name-alpha-length)) }
+
+postal-code INTEGER ::= 9
+
+PostalCode ::= CHOICE {
+ numeric-code NumericString (SIZE (1..ub-postal-code-length)),
+ printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
+
+physical-delivery-office-name INTEGER ::= 10
+
+PhysicalDeliveryOfficeName ::= PDSParameter
+
+physical-delivery-office-number INTEGER ::= 11
+
+PhysicalDeliveryOfficeNumber ::= PDSParameter
+
+extension-OR-address-components INTEGER ::= 12
+
+ExtensionORAddressComponents ::= PDSParameter
+
+physical-delivery-personal-name INTEGER ::= 13
+
+PhysicalDeliveryPersonalName ::= PDSParameter
+
+physical-delivery-organization-name INTEGER ::= 14
+
+PhysicalDeliveryOrganizationName ::= PDSParameter
+
+extension-physical-delivery-address-components INTEGER ::= 15
+
+ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
+
+unformatted-postal-address INTEGER ::= 16
+
+UnformattedPostalAddress ::= SET {
+ printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
+ PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
+ teletex-string TeletexString
+ (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
+
+street-address INTEGER ::= 17
+
+StreetAddress ::= PDSParameter
+
+post-office-box-address INTEGER ::= 18
+
+PostOfficeBoxAddress ::= PDSParameter
+
+poste-restante-address INTEGER ::= 19
+
+PosteRestanteAddress ::= PDSParameter
+
+unique-postal-name INTEGER ::= 20
+
+UniquePostalName ::= PDSParameter
+
+local-postal-attributes INTEGER ::= 21
+
+LocalPostalAttributes ::= PDSParameter
+
+PDSParameter ::= SET {
+ printable-string PrintableString
+ (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
+ teletex-string TeletexString
+ (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
+
+extended-network-address INTEGER ::= 22
+
+ExtendedNetworkAddress ::= CHOICE {
+ e163-4-address SEQUENCE {
+ number [0] EXPLICIT NumericString (SIZE (1..ub-e163-4-number-length)),
+ sub-address [1] EXPLICIT NumericString
+ (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
+ psap-address [0] EXPLICIT PresentationAddress }
+
+PresentationAddress ::= SEQUENCE {
+ pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
+ sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
+ tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
+ nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
+
+terminal-type INTEGER ::= 23
+
+TerminalType ::= INTEGER {
+ telex (3),
+ teletex (4),
+ g3-facsimile (5),
+ g4-facsimile (6),
+ ia5-terminal (7),
+ videotex (8) } -- (0..ub-integer-options)
+
+-- Extension Domain-defined Attributes
+
+teletex-domain-defined-attributes INTEGER ::= 6
+
+TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
+ (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
+
+TeletexDomainDefinedAttribute ::= SEQUENCE {
+ type TeletexString
+ (SIZE (1..ub-domain-defined-attribute-type-length)),
+ value TeletexString
+ (SIZE (1..ub-domain-defined-attribute-value-length)) }
+
+-- specifications of Upper Bounds shall be regarded as mandatory
+-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
+-- Upper Bounds
+
+-- Upper Bounds
+ub-name INTEGER ::= 32768
+ub-common-name INTEGER ::= 64
+ub-locality-name INTEGER ::= 128
+ub-state-name INTEGER ::= 128
+ub-organization-name INTEGER ::= 64
+ub-organizational-unit-name INTEGER ::= 64
+ub-title INTEGER ::= 64
+ub-match INTEGER ::= 128
+
+ub-emailaddress-length INTEGER ::= 128
+
+ub-common-name-length INTEGER ::= 64
+ub-country-name-alpha-length INTEGER ::= 2
+ub-country-name-numeric-length INTEGER ::= 3
+ub-domain-defined-attributes INTEGER ::= 4
+ub-domain-defined-attribute-type-length INTEGER ::= 8
+ub-domain-defined-attribute-value-length INTEGER ::= 128
+ub-domain-name-length INTEGER ::= 16
+ub-extension-attributes INTEGER ::= 256
+ub-e163-4-number-length INTEGER ::= 15
+ub-e163-4-sub-address-length INTEGER ::= 40
+ub-generation-qualifier-length INTEGER ::= 3
+ub-given-name-length INTEGER ::= 16
+ub-initials-length INTEGER ::= 5
+ub-integer-options INTEGER ::= 256
+ub-numeric-user-id-length INTEGER ::= 32
+ub-organization-name-length INTEGER ::= 64
+ub-organizational-unit-name-length INTEGER ::= 32
+ub-organizational-units INTEGER ::= 4
+ub-pds-name-length INTEGER ::= 16
+ub-pds-parameter-length INTEGER ::= 30
+ub-pds-physical-address-lines INTEGER ::= 6
+ub-postal-code-length INTEGER ::= 16
+ub-surname-length INTEGER ::= 40
+ub-terminal-id-length INTEGER ::= 24
+ub-unformatted-address-length INTEGER ::= 180
+ub-x121-address-length INTEGER ::= 16
+
+-- Note - upper bounds on string types, such as TeletexString, are
+-- measured in characters. Excepting PrintableString or IA5String, a
+-- significantly greater number of octets will be required to hold
+-- such a value. As a minimum, 16 octets, or twice the specified upper
+-- bound, whichever is the larger, should be allowed for TeletexString.
+-- For UTF8String or UniversalString at least four times the upper
+-- bound should be allowed.
+
+
+
+-- END of PKIX1Implicit88
+
+
+-- BEGIN of RFC2630
+
+-- Cryptographic Message Syntax
+
+pkcs-7-ContentInfo ::= SEQUENCE {
+ contentType pkcs-7-ContentType,
+ content [0] EXPLICIT ANY DEFINED BY contentType }
+
+pkcs-7-DigestInfo ::= SEQUENCE {
+ digestAlgorithm pkcs-7-DigestAlgorithmIdentifier,
+ digest pkcs-7-Digest
+}
+
+pkcs-7-Digest ::= OCTET STRING
+
+pkcs-7-ContentType ::= OBJECT IDENTIFIER
+
+pkcs-7-SignedData ::= SEQUENCE {
+ version pkcs-7-CMSVersion,
+ digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
+ encapContentInfo pkcs-7-EncapsulatedContentInfo,
+ certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
+ crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
+ signerInfos pkcs-7-SignerInfos
+}
+
+pkcs-7-CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
+
+pkcs-7-DigestAlgorithmIdentifiers ::= SET OF pkcs-7-DigestAlgorithmIdentifier
+
+pkcs-7-DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+
+pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
+ eContentType pkcs-7-ContentType,
+ eContent [0] EXPLICIT OCTET STRING OPTIONAL }
+
+-- We don't use CertificateList here since we only want
+-- to read the raw data.
+pkcs-7-CertificateRevocationLists ::= SET OF ANY
+
+pkcs-7-CertificateChoices ::= CHOICE {
+-- Although the paper uses Certificate type, we
+-- don't use it since, we don't need to parse it.
+-- We only need to read and store it.
+ certificate ANY
+}
+
+pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices
+
+pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it
+ -- anyway
+
+
+-- BEGIN of RFC2986
+
+-- Certificate requests
+pkcs-10-CertificationRequestInfo ::= SEQUENCE {
+ version INTEGER { v1(0) },
+ subject Name,
+ subjectPKInfo SubjectPublicKeyInfo,
+ attributes [0] Attributes
+}
+
+Attributes ::= SET OF Attribute
+
+pkcs-10-CertificationRequest ::= SEQUENCE {
+ certificationRequestInfo pkcs-10-CertificationRequestInfo,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING
+}
+
+-- stuff from PKCS#9
+
+pkcs-9-ub-challengePassword INTEGER ::= 255
+
+pkcs-9-certTypes OBJECT IDENTIFIER ::= {pkcs-9 22}
+pkcs-9-crlTypes OBJECT IDENTIFIER ::= {pkcs-9 23}
+
+pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {pkcs-9 7}
+
+pkcs-9-challengePassword ::= CHOICE {
+ printableString PrintableString (SIZE
(1..pkcs-9-ub-challengePassword)),
+ utf8String UTF8String (SIZE (1..pkcs-9-ub-challengePassword))
}
+
+pkcs-9-at-localKeyId OBJECT IDENTIFIER ::= {pkcs-9 21}
+
+pkcs-9-localKeyId ::= OCTET STRING
+
+pkcs-9-at-friendlyName OBJECT IDENTIFIER ::= {pkcs-9 20}
+
+pkcs-9-friendlyName ::= BMPString (SIZE (1..255))
+
+-- PKCS #8 stuff
+
+-- Private-key information syntax
+
+pkcs-8-PrivateKeyInfo ::= SEQUENCE {
+ version pkcs-8-Version,
+ privateKeyAlgorithm AlgorithmIdentifier,
+ privateKey pkcs-8-PrivateKey,
+ attributes [0] Attributes OPTIONAL }
+
+pkcs-8-Version ::= INTEGER {v1(0)}
+
+pkcs-8-PrivateKey ::= OCTET STRING
+
+pkcs-8-Attributes ::= SET OF Attribute
+
+-- Encrypted private-key information syntax
+
+pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
+ encryptionAlgorithm AlgorithmIdentifier,
+ encryptedData pkcs-8-EncryptedData
+}
+
+pkcs-8-EncryptedData ::= OCTET STRING
+
+-- PKCS #5 stuff
+
+pkcs-5 OBJECT IDENTIFIER ::=
+ { pkcs 5 }
+
+pkcs-5-encryptionAlgorithm OBJECT IDENTIFIER ::=
+ { iso(1) member-body(2) us(840) rsadsi(113549) 3 }
+
+pkcs-5-des-EDE3-CBC OBJECT IDENTIFIER ::= {pkcs-5-encryptionAlgorithm 7}
+
+pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))
+
+pkcs-5-id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
+
+pkcs-5-PBES2-params ::= SEQUENCE {
+ keyDerivationFunc AlgorithmIdentifier,
+ encryptionScheme AlgorithmIdentifier }
+
+-- PBKDF2
+
+pkcs-5-id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
+
+-- pkcs-5-id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
rsadsi(113549) 2 7}
+
+-- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
+-- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}
+
+pkcs-5-PBKDF2-params ::= SEQUENCE {
+ salt CHOICE {
+ specified OCTET STRING,
+ otherSource AlgorithmIdentifier
+ },
+ iterationCount INTEGER (1..MAX),
+ keyLength INTEGER (1..MAX) OPTIONAL,
+ prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
+}
+
+-- PKCS #12 stuff
+
+pkcs-12 OBJECT IDENTIFIER ::= {pkcs 12}
+
+pkcs-12-PFX ::= SEQUENCE {
+ version INTEGER {v3(3)},
+ authSafe pkcs-7-ContentInfo,
+ macData pkcs-12-MacData OPTIONAL
+}
+
+pkcs-12-PbeParams ::= SEQUENCE {
+ salt OCTET STRING,
+ iterations INTEGER
+}
+
+pkcs-12-MacData ::= SEQUENCE {
+ mac pkcs-7-DigestInfo,
+ macSalt OCTET STRING,
+ iterations INTEGER DEFAULT 1
+-- Note: The default is for historical reasons and its use is
+-- deprecated. A higher value, like 1024 is recommended.
+}
+
+pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
+ -- Data if unencrypted
+ -- EncryptedData if password-encrypted
+ -- EnvelopedData if public key-encrypted
+
+pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag
+
+pkcs-12-SafeBag ::= SEQUENCE {
+ bagId OBJECT IDENTIFIER,
+ bagValue [0] EXPLICIT ANY DEFINED BY badId,
+ bagAttributes SET OF pkcs-12-PKCS12Attribute OPTIONAL
+}
+
+-- Bag types
+
+
+pkcs-12-bagtypes OBJECT IDENTIFIER ::= {pkcs-12 10 1}
+
+pkcs-12-keyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 1}
+pkcs-12-pkcs8ShroudedKeyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 2}
+pkcs-12-certBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 3}
+pkcs-12-crlBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 4}
+
+pkcs-12-KeyBag ::= pkcs-8-PrivateKeyInfo
+
+-- Shrouded KeyBag
+
+pkcs-12-PKCS8ShroudedKeyBag ::= pkcs-8-EncryptedPrivateKeyInfo
+
+-- CertBag
+
+pkcs-12-CertBag ::= SEQUENCE {
+ certId OBJECT IDENTIFIER,
+ certValue [0] EXPLICIT ANY DEFINED BY certId
+}
+
+-- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes
1}}
+-- DER-encoded X.509 certificate stored in OCTET STRING
+
+pkcs-12-CRLBag ::= SEQUENCE {
+ crlId OBJECT IDENTIFIER,
+ crlValue [0] EXPLICIT ANY DEFINED BY crlId
+}
+
+-- x509CRL BAG-TYPE ::=
+-- {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
+-- DER-encoded X.509 CRL stored in OCTET STRING
+
+pkcs-12-PKCS12Attribute ::= Attribute
+
+-- PKCS #7 stuff (needed in PKCS 12)
+
+pkcs-7-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
+
+pkcs-7-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
+
+pkcs-7-Data ::= OCTET STRING
+
+pkcs-7-EncryptedData ::= SEQUENCE {
+ version pkcs-7-CMSVersion,
+ encryptedContentInfo pkcs-7-EncryptedContentInfo,
+ unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }
+
+pkcs-7-EncryptedContentInfo ::= SEQUENCE {
+ contentType pkcs-7-ContentType,
+ contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
+ encryptedContent [0] IMPLICIT pkcs-7-EncryptedContent OPTIONAL }
+
+pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+
+pkcs-7-EncryptedContent ::= OCTET STRING
+
+pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+-- LDAP stuff
+-- may not be correct
+
+id-at-ldap-DC AttributeType ::= { 0 9 2342 19200300 100 1 25 }
+
+ldap-DC ::= IA5String
+
+id-at-ldap-UID AttributeType ::= { 0 9 2342 19200300 100 1 1 }
+
+ldap-UID ::= DirectoryString
+
+-- rfc3039
+
+id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
+
+id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
+DateOfBirth ::= GeneralizedTime
+
+id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
+PlaceOfBirth ::= DirectoryString
+
+id-pda-gender AttributeType ::= { id-pda 3 }
+Gender ::= PrintableString (SIZE(1))
+ -- "M", "F", "m" or "f"
+
+id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
+CountryOfCitizenship ::= PrintableString (SIZE (2))
+ -- ISO 3166 Country Code
+
+id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
+CountryOfResidence ::= PrintableString (SIZE (2))
+ -- ISO 3166 Country Code
+
+-- rfc3820
+
+id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pe 14 }
+
+id-ppl-inheritAll OBJECT IDENTIFIER ::= { id-pkix 21 1 }
+id-ppl-independent OBJECT IDENTIFIER ::= { id-pkix 21 2 }
+
+ProxyCertInfo ::= SEQUENCE {
+ pCPathLenConstraint INTEGER (0..MAX) OPTIONAL,
+ proxyPolicy ProxyPolicy }
+
+ProxyPolicy ::= SEQUENCE {
+ policyLanguage OBJECT IDENTIFIER,
+ policy OCTET STRING OPTIONAL }
+
+-- rfc3920 section 5.1.1
+
+id-on OBJECT IDENTIFIER ::= { id-pkix 8 } -- other name forms
+
+id-on-xmppAddr OBJECT IDENTIFIER ::= { id-on 5 }
+
+XmppAddr ::= UTF8String
+
+END
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Unparseable PKCS#12 cert,
Nikos Mavrogiannopoulos <=