Public-Key Cryptography Standards #9

Format utilisé par Up ! Security Manager

Le format Public-Key Cryptography Standards #9 (PKCS#9) du laboratoire Rsa spécifie les conventions sur les attributs d'un certificat X.509 étendu par des attributs.

La norme utilisée utilisée est Abstract Syntax Notation One (ASN.1) de l'International Telecommunication Union (ITU) compilée en Basic Encoding Rules (BER).

PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) modules(0) pkcs-9(1)} DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS All -- -- All types and values defined in this module is exported for use in other ASN.1 modules. IMPORTS


	informationFramework, authenticationFramework, selectedAttributeTypes, upperBounds , id-at FROM UsefulDefinitions

	
		{joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 3}

	
	ub-name FROM UpperBounds upperBounds

	OBJECT-CLASS, ATTRIBUTE, MATCHING-RULE, Attribute, top, objectIdentifierMatch FROM InformationFramework informationFramework

	ALGORITHM, Extensions, Time FROM AuthenticationFramework authenticationFramework

	DirectoryString, octetStringMatch, caseIgnoreMatch, caseExactMatch, generalizedTimeMatch, integerMatch, serialNumber FROM 	SelectedAttributeTypes selectedAttributeTypes

	ContentInfo, SignerInfo FROM CryptographicMessageSyntax

	
		{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1)}
	
	EncryptedPrivateKeyInfo FROM PKCS-8

	
		{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-8(8) modules(1) pkcs-8(1)}
	
	PFX FROM PKCS-12 
	
		{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-12(12) modules(0) pkcs-12(1)}
	
	PKCS15Token FROM PKCS-15

	
		{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-15(15) modules(1) pkcs-15(1)};




-- Upper bounds

pkcs-9-ub-pkcs9String INTEGER ::= 255

pkcs-9-ub-emailAddress INTEGER ::= pkcs-9-ub-pkcs9String

pkcs-9-ub-unstructuredName INTEGER ::= pkcs-9-ub-pkcs9String

pkcs-9-ub-unstructuredAddress INTEGER ::= pkcs-9-ub-pkcs9String

pkcs-9-ub-challengePassword INTEGER ::= pkcs-9-ub-pkcs9String

pkcs-9-ub-friendlyName INTEGER ::= pkcs-9-ub-pkcs9String

pkcs-9-ub-signingDescription INTEGER ::= pkcs-9-ub-pkcs9String

pkcs-9-ub-match INTEGER ::= pkcs-9-ub-pkcs9String

pkcs-9-ub-pseudonym INTEGER ::= ub-name

pkcs-9-ub-placeOfBirth INTEGER ::= ub-name



-- Object Identifiers

pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9}



-- Main arcs

pkcs-9-mo OBJECT IDENTIFIER ::= {pkcs-9 0} -- Modules branch

pkcs-9-oc OBJECT IDENTIFIER ::= {pkcs-9 24} -- Object class branch

pkcs-9-at OBJECT IDENTIFIER ::= {pkcs-9 25} -- Attribute branch, for new attributes

pkcs-9-sx OBJECT IDENTIFIER ::= {pkcs-9 26} -- For syntaxes (RFC 2252)

pkcs-9-mr OBJECT IDENTIFIER ::= {pkcs-9 27} -- Matching rules



-- Object classes

pkcs-9-oc-pkcsEntity OBJECT IDENTIFIER ::= {pkcs-9-oc 1}

pkcs-9-oc-naturalPerson OBJECT IDENTIFIER ::= {pkcs-9-oc 2}



-- Attributes

pkcs-9-at-emailAddress OBJECT IDENTIFIER ::= {pkcs-9 1}

pkcs-9-at-unstructuredName OBJECT IDENTIFIER ::= {pkcs-9 2}

pkcs-9-at-contentType OBJECT IDENTIFIER ::= {pkcs-9 3}

pkcs-9-at-messageDigest OBJECT IDENTIFIER ::= {pkcs-9 4}

pkcs-9-at-signingTime OBJECT IDENTIFIER ::= {pkcs-9 5}

pkcs-9-at-counterSignature OBJECT IDENTIFIER ::= {pkcs-9 6}

pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {pkcs-9 7}

pkcs-9-at-unstructuredAddress OBJECT IDENTIFIER ::= {pkcs-9 8}

pkcs-9-at-extendedCertificateAttributes OBJECT IDENTIFIER ::= {pkcs-9 9}



"-- Obsolete (?) attribute identifiers, purportedly from "tentative PKCS #9 draft"

-- pkcs-9-at-issuerAndSerialNumber OBJECT IDENTIFIER ::= {pkcs-9 10}

-- pkcs-9-at-passwordCheck OBJECT IDENTIFIER ::= {pkcs-9 11}

-- pkcs-9-at-publicKey OBJECT IDENTIFIER ::= {pkcs-9 12}



pkcs-9-at-signingDescription OBJECT IDENTIFIER ::= {pkcs-9 13}

pkcs-9-at-extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14}

pkcs-9-at-smimeCapabilities OBJECT IDENTIFIER ::= {pkcs-9 15}



-- Unused (?)

-- pkcs-9-at-? OBJECT IDENTIFIER ::= {pkcs-9 17}

-- pkcs-9-at-? OBJECT IDENTIFIER ::= {pkcs-9 18}

-- pkcs-9-at-? OBJECT IDENTIFIER ::= {pkcs-9 19}



pkcs-9-at-friendlyName OBJECT IDENTIFIER ::= {pkcs-9 20}

pkcs-9-at-localKeyId OBJECT IDENTIFIER ::= {pkcs-9 21}

pkcs-9-at-userPKCS12 OBJECT IDENTIFIER ::= {2 16 840 1 113730 3 1 216}

pkcs-9-at-pkcs15Token OBJECT IDENTIFIER ::= {pkcs-9-at 1}

pkcs-9-at-encryptedPrivateKeyInfo OBJECT IDENTIFIER ::= {pkcs-9-at 2}

pkcs-9-at-randomNonce OBJECT IDENTIFIER ::= {pkcs-9-at 3}

pkcs-9-at-sequenceNumber OBJECT IDENTIFIER ::= {pkcs-9-at 4}

pkcs-9-at-pkcs7PDU OBJECT IDENTIFIER ::= {pkcs-9-at 5}



-- IETF PKIX Attribute branch

ietf-at OBJECT IDENTIFIER ::= {1 3 6 1 5 5 7 9}

pkcs-9-at-dateOfBirth OBJECT IDENTIFIER ::= {ietf-at 1}

pkcs-9-at-placeOfBirth OBJECT IDENTIFIER ::= {ietf-at 2}

pkcs-9-at-gender OBJECT IDENTIFIER ::= {ietf-at 3}

pkcs-9-at-countryOfCitizenship OBJECT IDENTIFIER ::= {ietf-at 4}

pkcs-9-at-countryOfResidence OBJECT IDENTIFIER ::= {ietf-at 5}



-- Syntaxes (for use with LDAP accessible directories)

pkcs-9-sx-pkcs9String OBJECT IDENTIFIER ::= {pkcs-9-sx 1}

pkcs-9-sx-signingTime OBJECT IDENTIFIER ::= {pkcs-9-sx 2}



-- Matching rules

pkcs-9-mr-caseIgnoreMatch OBJECT IDENTIFIER ::= {pkcs-9-mr 1}

pkcs-9-mr-signingTimeMatch OBJECT IDENTIFIER ::= {pkcs-9-mr 2}



-- Arcs with attributes defined elsewhere

smime OBJECT IDENTIFIER ::= {pkcs-9 16}

-- Main arc for S/MIME (RFC 2633)

certTypes OBJECT IDENTIFIER ::= {pkcs-9 22}

-- Main arc for certificate types defined in PKCS #12

crlTypes OBJECT IDENTIFIER ::= {pkcs-9 23}

-- Main arc for crl types defined in PKCS #12



-- Other object identifiers

id-at-pseudonym OBJECT IDENTIFIER ::= {id-at 65}

-- Useful types

PKCS9String {INTEGER : maxSize} ::= CHOICE

	{

	ia5String IA5String (SIZE(1..maxSize)),

	directoryString DirectoryString {maxSize}

	}



-- Object classes

pkcsEntity OBJECT-CLASS ::=

-- Objet generique decrivant les entites Pkcs. Pour les services LDAP.
 

	{

	SUBCLASS OF { top }

	KIND auxiliary

	MAY CONTAIN { PKCSEntityAttributeSet }

	ID pkcs-9-oc-pkcsEntity

	}



naturalPerson OBJECT-CLASS ::=

-- Objet generique decrivant les etres humains. Pour les services X.500 ou LDAP.
 

	{

	SUBCLASS OF { top }

	KIND auxiliary

	MAY CONTAIN { NaturalPersonAttributeSet }

	ID pkcs-9-oc-naturalPerson

	}



-- Attribute sets

PKCSEntityAttributeSet ATTRIBUTE ::=

	{

	pKCS7PDU | userPKCS12 | pKCS15Token | encryptedPrivateKeyInfo,

	... -- For future extensions

	}



NaturalPersonAttributeSet ATTRIBUTE ::= 

	{

	emailAddress | unstructuredName | unstructuredAddress | dateOfBirth | placeOfBirth | gender | countryOfCitizenship | countryOfResidence | pseudonym | serialNumber,

	... -- For future extensions

	}



-- Attributes

pKCS7PDU ATTRIBUTE ::= 

-- Attributs pour PKCS#7 - Transmission d'une cle publique en reponse a une requete d'un tiers.
 

	{

	WITH SYNTAX ContentInfo ID pkcs-9-at-pkcs7PDU

	}



userPKCS12 ATTRIBUTE ::= 

-- Attributs pour PKCS#12 - Information sur l'identite d'une personne.
 

	{

	WITH SYNTAX PFX ID pkcs-9-at-userPKCS12

	}



pKCS15Token ATTRIBUTE ::= 

-- Attributs pour PKCS#15 - Etiquettes pour un materiel conservant une cle privee.
 

	{

	WITH SYNTAX PKCS15Token ID pkcs-9-at-pkcs15Token

	}



encryptedPrivateKeyInfo ATTRIBUTE ::=
 
-- Attributs pour PKCS#8 - Transmission d'une cle privee encryptee en reponse a une requete du demandeur.
 

	{

	WITH SYNTAX EncryptedPrivateKeyInfo ID pkcs-9-at-encryptedPrivateKeyInfo

	}



emailAddress ATTRIBUTE ::=
 
-- Adresse e-mail issue de l'identite d'une personne.
 

	{

	WITH SYNTAX IA5String (SIZE(1..pkcs-9-ub-emailAddress)) EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch ID pkcs-9-at-emailAddress

	}



unstructuredName ATTRIBUTE ::=

-- Nom non formate issu de l'identite d'une personne.
 

	{

	WITH SYNTAX PKCS9String {pkcs-9-ub-unstructuredName} EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch ID pkcs-9-at-unstructuredName

	}



unstructuredAddress ATTRIBUTE ::= 

-- Adresse non formatee issue de l'identite d'une personne.
 

	{

	WITH SYNTAX DirectoryString {pkcs-9-ub-unstructuredAddress} EQUALITY MATCHING RULE caseIgnoreMatch ID pkcs-9-at-unstructuredAddress

	}



dateOfBirth ATTRIBUTE ::= 

-- Date de naissance issue de l'identite d'une personne.
 

	{

	WITH SYNTAX GeneralizedTime EQUALITY MATCHING RULE generalizedTimeMatch SINGLE VALUE TRUE ID pkcs-9-at-dateOfBirth

	}



placeOfBirth ATTRIBUTE ::= 

-- Lieu de naissance issu de l'identite d'une personne.
 

	{

	WITH SYNTAX DirectoryString {pkcs-9-ub-placeOfBirth} EQUALITY MATCHING RULE caseExactMatch SINGLE VALUE TRUE ID pkcs-9-at-placeOfBirth

	}



gender ATTRIBUTE ::= 

-- Genre issu de l'identite d'une personne - M / m ou F / f.
 

	{

	WITH SYNTAX PrintableString (SIZE(1) ^ FROM ("M" | "F" | "m" | "f")) EQUALITY MATCHING RULE caseIgnoreMatch SINGLE VALUE TRUE ID pkcs-9-at-gender

	}



countryOfCitizenship ATTRIBUTE ::= 

-- Code ISO du pays de citoyennete issu de l'identite d'une personne.
 

	{

	WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY 
	
		{

		-- Must be a two-letter country acronym in accordance with

		-- ISO/IEC 3166 --

		})

	
	EQUALITY MATCHING RULE caseIgnoreMatch ID pkcs-9-at-countryOfCitizenship

	}



countryOfResidence ATTRIBUTE ::= 

-- Code ISO du pays de residence issu de l'identite d'une personne.
 

	{

	WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY
	
		{

		-- Must be a two-letter country acronym in accordance with

		-- ISO/IEC 3166 --

		})
	
	EQUALITY MATCHING RULE caseIgnoreMatch ID pkcs-9-at-countryOfResidence

	}



pseudonym ATTRIBUTE ::= 

-- Pseudonyme issu de l'identite d'une personne.
 

	{

	WITH SYNTAX DirectoryString {pkcs-9-ub-pseudonym} EQUALITY MATCHING RULE caseExactMatch ID id-at-pseudonym

	}



contentType ATTRIBUTE ::= 
-- Type de contenu pour PKCS#7.ContentInfo.contentType.
 

	{

	WITH SYNTAX ContentType EQUALITY MATCHING RULE objectIdentifierMatch SINGLE VALUE TRUE ID pkcs-9-at-contentType

	}



ContentType ::= OBJECT IDENTIFIER



messageDigest ATTRIBUTE ::= 

-- Identifiant de l'algorithme de signature de PKCS#7.ContentInfo.content.
 

	{

	WITH SYNTAX MessageDigest EQUALITY MATCHING RULE octetStringMatch SINGLE VALUE TRUE ID pkcs-9-at-messageDigest

	}



MessageDigest ::= OCTET STRING



signingTime ATTRIBUTE ::= 

-- Date et heure de signature de PKCS#7.ContentInfo.content.
 

	{

	WITH SYNTAX SigningTime EQUALITY MATCHING RULE signingTimeMatch SINGLE VALUE TRUE ID pkcs-9-at-signingTime

	}



SigningTime ::= Time -- imported from ISO/IEC 9594-8



randomNonce ATTRIBUTE ::= 

-- Pour rester anonyme pour la date et heure de signature de PKCS#7.ContentInfo.content.
 

	{

	WITH SYNTAX RandomNonce EQUALITY MATCHING RULE octetStringMatch SINGLE VALUE TRUE ID pkcs-9-at-randomNonce

	}



RandomNonce ::= OCTET STRING (SIZE(4..MAX)) -- At least four bytes long



sequenceNumber ATTRIBUTE ::= 

-- Numero de sequence de la signature de PKCS#7.ContentInfo.content par le signataire.
 

	{

	WITH SYNTAX SequenceNumber EQUALITY MATCHING RULE integerMatch SINGLE VALUE TRUE ID pkcs-9-at-sequenceNumber

	}



SequenceNumber ::= INTEGER (1..MAX)



counterSignature ATTRIBUTE ::= 

-- Contre-signature de PKCS#7.SignerInfo.encryptedDigest.
 

	{

	WITH SYNTAX SignerInfo ID pkcs-9-at-counterSignature

	}



challengePassword ATTRIBUTE ::=

-- Mot de passe utitilise pour revoquer un certificat.
 

	{

	WITH SYNTAX DirectoryString {pkcs-9-ub-challengePassword} EQUALITY MATCHING RULE caseExactMatch SINGLE VALUE TRUE ID pkcs-9-at-challengePassword

	}



extensionRequest ATTRIBUTE ::= 

-- Requete sur l'extension PKCS#10 d'un certificat. Elle est envoyee par un tiers au Certificate Authoritate (CA).
 

	{

	WITH SYNTAX ExtensionRequest SINGLE VALUE TRUE ID pkcs-9-at-extensionRequest

	}



ExtensionRequest ::= Extensions



extendedCertificateAttributes ATTRIBUTE ::= 

-- Type d'un attribut defini dans PKCS#6 pour une requete sur l'extension PKCS#10 d'un certificat. Obsolete.
 

	{

	WITH SYNTAX SET OF Attribute SINGLE VALUE TRUE ID pkcs-9-at-extendedCertificateAttributes

	}




friendlyName ATTRIBUTE ::= 

-- Nom commun issu des informations personnelles.
 


	{

	WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName)) EQUALITY MATCHING RULE caseIgnoreMatch SINGLE VALUE TRUE
ID pkcs-9-at-friendlyName

	}



localKeyId ATTRIBUTE ::= 

-- Identifiant d'une clé issu des informations personnelles.
 

	{

	WITH SYNTAX OCTET STRING EQUALITY MATCHING RULE octetStringMatch SINGLE VALUE TRUE ID pkcs-9-at-localKeyId

	}



signingDescription ATTRIBUTE ::= 

-- Message presente a l'utilisateur avant une operation de cryptage ou de signature.
 

	{

	WITH SYNTAX DirectoryString {pkcs-9-ub-signingDescription} EQUALITY MATCHING RULE caseIgnoreMatch SINGLE VALUE TRUE ID pkcs-9-at-signingDescription

	}



smimeCapabilities ATTRIBUTE ::= 

	{

	WITH SYNTAX SMIMECapabilities SINGLE VALUE TRUE ID pkcs-9-at-smimeCapabilities

	}



SMIMECapabilities ::= SEQUENCE OF SMIMECapability



SMIMECapability ::= SEQUENCE

	{

	algorithm ALGORITHM.&id ({SMIMEv3Algorithms}),

	parameters ALGORITHM.&Type ({SMIMEv3Algorithms}{@algorithm})

	}



SMIMEv3Algorithms ALGORITHM ::= {...-- See RFC 2633 --}



-- Matching rules

pkcs9CaseIgnoreMatch MATCHING-RULE ::= 

-- Comparaison en ignorant la casse.
 

	{

	SYNTAX PKCS9String {pkcs-9-ub-match} ID pkcs-9-mr-caseIgnoreMatch

	}



signingTimeMatch MATCHING-RULE ::= 

-- Comparaison de dates et heures.
 

	{

	SYNTAX SigningTime ID pkcs-9-mr-signingTimeMatch

	}


END