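# coding: utf-8
#
# This file is part of pyasn1-modules software.
#
# Created by Stanisław Pitucha with asn1ate tool.
# Modified by Russ Housley to add maps for CMC Control Attributes
# and CMC Content Types for use with opentypes.
#
# Copyright (c) 2005-2019, Ilya Etingof <etingof@gmail.com>
# License: http://snmplabs.com/pyasn1/license.html
#
# Certificate Management over CMS (CMC) Updates
#
# ASN.1 source from:
# https://www.rfc-editor.org/rfc/rfc6402.txt
#
"""ASN.1 types and object identifiers for CMC (RFC 6402).

Importing this module has two side effects on shared pyasn1-modules state:
the CMC control OIDs defined here are added to ``rfc5652.cmsAttributesMap``
(aliased below as ``cmcControlAttributesMap``) and the two CMC content types
are added to ``rfc5652.cmsContentTypesMap``.  Decoders that resolve open
types through those maps therefore change behaviour once this module is
imported.
"""
from pyasn1.type import char
from pyasn1.type import constraint
from pyasn1.type import namedtype
from pyasn1.type import namedval
from pyasn1.type import opentype
from pyasn1.type import tag
from pyasn1.type import univ
from pyasn1.type import useful

from pyasn1_modules import rfc4211
from pyasn1_modules import rfc5280
from pyasn1_modules import rfc5652

# Upper bound used for the "unbounded" SIZE constraints below.
MAX = float('inf')


def _buildOid(*components):
    """Build an ObjectIdentifier from arcs and/or OID prefixes.

    Args:
        *components: each item is either a ``univ.ObjectIdentifier``, whose
            arcs are spliced in at that position, or a value accepted by
            ``int()`` that becomes a single arc.

    Returns:
        A ``univ.ObjectIdentifier`` made of the concatenated arcs.
    """
    arcs = []
    for component in components:
        if isinstance(component, univ.ObjectIdentifier):
            # An ObjectIdentifier iterates over its arcs, so it can be
            # spliced in directly.
            arcs.extend(component)
        else:
            arcs.append(int(component))

    return univ.ObjectIdentifier(arcs)


# Since CMS Attributes and CMC Controls both use 'attrType', one map is used.
# NOTE: this is an alias, not a copy -- the update() at the end of this
# module mutates rfc5652.cmsAttributesMap in place.
cmcControlAttributesMap = rfc5652.cmsAttributesMap


class ChangeSubjectName(univ.Sequence):
    """ChangeSubjectName ::= SEQUENCE of optional subject / subjectAlt."""


ChangeSubjectName.componentType = namedtype.NamedTypes(
    namedtype.OptionalNamedType('subject', rfc5280.Name()),
    namedtype.OptionalNamedType('subjectAlt', rfc5280.GeneralNames())
)


class AttributeValue(univ.Any):
    """Control value carried as an opaque ANY.

    When a control OID is not present in ``cmcControlAttributesMap``, the
    value stays in this raw form and is not decoded further.
    """


class CMCStatus(univ.Integer):
    """CMCStatus ::= INTEGER with the named values below."""


CMCStatus.namedValues = namedval.NamedValues(
    ('success', 0),
    ('failed', 2),
    ('pending', 3),
    ('noSupport', 4),
    ('confirmRequired', 5),
    ('popRequired', 6),
    ('partial', 7)
)


class PendInfo(univ.Sequence):
    """PendInfo ::= SEQUENCE { pendToken OCTET STRING, pendTime GeneralizedTime }."""


PendInfo.componentType = namedtype.NamedTypes(
    namedtype.NamedType('pendToken', univ.OctetString()),
    namedtype.NamedType('pendTime', useful.GeneralizedTime())
)

# Largest permitted BodyPartID (2**32 - 1).
bodyIdMax = univ.Integer(4294967295)


class BodyPartID(univ.Integer):
    """BodyPartID ::= INTEGER (0..bodyIdMax)."""


BodyPartID.subtypeSpec = constraint.ValueRangeConstraint(0, bodyIdMax)


class BodyPartPath(univ.SequenceOf):
    """BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID."""


BodyPartPath.componentType = BodyPartID()
BodyPartPath.sizeSpec = constraint.ValueSizeConstraint(1, MAX)


class BodyPartReference(univ.Choice):
    """BodyPartReference ::= CHOICE { bodyPartID, bodyPartPath }."""


BodyPartReference.componentType = namedtype.NamedTypes(
    namedtype.NamedType('bodyPartID', BodyPartID()),
    namedtype.NamedType('bodyPartPath', BodyPartPath())
)


class CMCFailInfo(univ.Integer):
    """CMCFailInfo ::= INTEGER with the named values below."""


CMCFailInfo.namedValues = namedval.NamedValues(
    ('badAlg', 0),
    ('badMessageCheck', 1),
    ('badRequest', 2),
    ('badTime', 3),
    ('badCertId', 4),
    ('unsupportedExt', 5),
    ('mustArchiveKeys', 6),
    ('badIdentity', 7),
    ('popRequired', 8),
    ('popFailed', 9),
    ('noKeyReuse', 10),
    ('internalCAError', 11),
    ('tryLater', 12),
    ('authDataFail', 13)
)


class CMCStatusInfoV2(univ.Sequence):
    """CMCStatusInfoV2 ::= SEQUENCE.

    Differs from ``CMCStatusInfo`` in that ``bodyList`` holds
    ``BodyPartReference`` values and ``otherInfo`` gains an
    ``extendedFailInfo`` alternative whose ``failInfoValue`` is an opaque
    ``AttributeValue``.
    """


CMCStatusInfoV2.componentType = namedtype.NamedTypes(
    namedtype.NamedType('cMCStatus', CMCStatus()),
    namedtype.NamedType('bodyList', univ.SequenceOf(componentType=BodyPartReference())),
    namedtype.OptionalNamedType('statusString', char.UTF8String()),
    namedtype.OptionalNamedType(
        'otherInfo', univ.Choice(
            componentType=namedtype.NamedTypes(
                namedtype.NamedType('failInfo', CMCFailInfo()),
                namedtype.NamedType('pendInfo', PendInfo()),
                namedtype.NamedType(
                    'extendedFailInfo', univ.Sequence(
                        componentType=namedtype.NamedTypes(
                            namedtype.NamedType('failInfoOID', univ.ObjectIdentifier()),
                            namedtype.NamedType('failInfoValue', AttributeValue()))
                    )
                )
            )
        )
    )
)


class GetCRL(univ.Sequence):
    """GetCRL ::= SEQUENCE { issuerName, cRLName OPT, time OPT, reasons OPT }."""


GetCRL.componentType = namedtype.NamedTypes(
    namedtype.NamedType('issuerName', rfc5280.Name()),
    namedtype.OptionalNamedType('cRLName', rfc5280.GeneralName()),
    namedtype.OptionalNamedType('time', useful.GeneralizedTime()),
    namedtype.OptionalNamedType('reasons', rfc5280.ReasonFlags())
)

id_pkix = _buildOid(1, 3, 6, 1, 5, 5, 7)

# id-cmc arc; every id_cmc_* control OID below hangs off this.
id_cmc = _buildOid(id_pkix, 7)

id_cmc_batchResponses = _buildOid(id_cmc, 29)

id_cmc_popLinkWitness = _buildOid(id_cmc, 23)


class PopLinkWitnessV2(univ.Sequence):
    """PopLinkWitnessV2 ::= SEQUENCE { keyGenAlgorithm, macAlgorithm, witness }."""


PopLinkWitnessV2.componentType = namedtype.NamedTypes(
    namedtype.NamedType('keyGenAlgorithm', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('macAlgorithm', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('witness', univ.OctetString())
)

id_cmc_popLinkWitnessV2 = _buildOid(id_cmc, 33)

id_cmc_identityProofV2 = _buildOid(id_cmc, 34)

id_cmc_revokeRequest = _buildOid(id_cmc, 17)

id_cmc_recipientNonce = _buildOid(id_cmc, 7)


class ControlsProcessed(univ.Sequence):
    """ControlsProcessed ::= SEQUENCE { bodyList SEQUENCE OF BodyPartReference }."""


ControlsProcessed.componentType = namedtype.NamedTypes(
    namedtype.NamedType('bodyList', univ.SequenceOf(componentType=BodyPartReference()))
)


class CertificationRequest(univ.Sequence):
    """CertificationRequest (PKCS#10 shape) as spelled out in this module.

    This is a local definition rather than a reference to another
    pyasn1-modules PKCS#10 type; ``attributes`` is an implicitly tagged
    [0] SET OF ``rfc5652.Attribute``.
    """


CertificationRequest.componentType = namedtype.NamedTypes(
    namedtype.NamedType(
        'certificationRequestInfo', univ.Sequence(
            componentType=namedtype.NamedTypes(
                namedtype.NamedType('version', univ.Integer()),
                namedtype.NamedType('subject', rfc5280.Name()),
                namedtype.NamedType(
                    'subjectPublicKeyInfo', univ.Sequence(
                        componentType=namedtype.NamedTypes(
                            namedtype.NamedType('algorithm', rfc5280.AlgorithmIdentifier()),
                            namedtype.NamedType('subjectPublicKey', univ.BitString())
                        )
                    )
                ),
                namedtype.NamedType(
                    'attributes', univ.SetOf(
                        componentType=rfc5652.Attribute()).subtype(
                        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
                )
            )
        )
    ),
    namedtype.NamedType('signatureAlgorithm', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('signature', univ.BitString())
)


class TaggedCertificationRequest(univ.Sequence):
    """TaggedCertificationRequest ::= SEQUENCE { bodyPartID, certificationRequest }."""


TaggedCertificationRequest.componentType = namedtype.NamedTypes(
    namedtype.NamedType('bodyPartID', BodyPartID()),
    namedtype.NamedType('certificationRequest', CertificationRequest())
)


class TaggedRequest(univ.Choice):
    """TaggedRequest ::= CHOICE { tcr [0], crm [1], orm [2] }.

    ``orm`` carries an ``Any`` payload identified by ``requestMessageType``;
    no open-type map is attached to it here, so that payload is left raw.
    """


TaggedRequest.componentType = namedtype.NamedTypes(
    namedtype.NamedType('tcr', TaggedCertificationRequest().subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))),
    namedtype.NamedType('crm',
                        rfc4211.CertReqMsg().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
    namedtype.NamedType('orm', univ.Sequence(componentType=namedtype.NamedTypes(
        namedtype.NamedType('bodyPartID', BodyPartID()),
        namedtype.NamedType('requestMessageType', univ.ObjectIdentifier()),
        namedtype.NamedType('requestMessageValue', univ.Any())
    ))
                        .subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2)))
)

id_cmc_popLinkRandom = _buildOid(id_cmc, 22)

id_cmc_statusInfo = _buildOid(id_cmc, 1)

id_cmc_trustedAnchors = _buildOid(id_cmc, 26)

id_cmc_transactionId = _buildOid(id_cmc, 5)

id_cmc_encryptedPOP = _buildOid(id_cmc, 9)


class PublishTrustAnchors(univ.Sequence):
    """PublishTrustAnchors ::= SEQUENCE { seqNumber, hashAlgorithm, anchorHashes }."""


PublishTrustAnchors.componentType = namedtype.NamedTypes(
    namedtype.NamedType('seqNumber', univ.Integer()),
    namedtype.NamedType('hashAlgorithm', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('anchorHashes', univ.SequenceOf(componentType=univ.OctetString()))
)


class RevokeRequest(univ.Sequence):
    """RevokeRequest ::= SEQUENCE { issuerName, serialNumber, reason, ... }."""


RevokeRequest.componentType = namedtype.NamedTypes(
    namedtype.NamedType('issuerName', rfc5280.Name()),
    namedtype.NamedType('serialNumber', univ.Integer()),
    namedtype.NamedType('reason', rfc5280.CRLReason()),
    namedtype.OptionalNamedType('invalidityDate', useful.GeneralizedTime()),
    namedtype.OptionalNamedType('passphrase', univ.OctetString()),
    namedtype.OptionalNamedType('comment', char.UTF8String())
)

id_cmc_senderNonce = _buildOid(id_cmc, 6)

id_cmc_authData = _buildOid(id_cmc, 27)


class TaggedContentInfo(univ.Sequence):
    """TaggedContentInfo ::= SEQUENCE { bodyPartID, contentInfo ContentInfo }."""


TaggedContentInfo.componentType = namedtype.NamedTypes(
    namedtype.NamedType('bodyPartID', BodyPartID()),
    namedtype.NamedType('contentInfo', rfc5652.ContentInfo())
)


class IdentifyProofV2(univ.Sequence):
    """Value type registered for ``id_cmc_identityProofV2``.

    The class name is spelled ``IdentifyProofV2`` (not ``Identity...``);
    it is kept as-is because callers may reference it by this name.
    """


IdentifyProofV2.componentType = namedtype.NamedTypes(
    namedtype.NamedType('proofAlgID', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('macAlgId', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('witness', univ.OctetString())
)


class CMCPublicationInfo(univ.Sequence):
    """CMCPublicationInfo ::= SEQUENCE { hashAlg, certHashes, pubInfo }."""


CMCPublicationInfo.componentType = namedtype.NamedTypes(
    namedtype.NamedType('hashAlg', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('certHashes', univ.SequenceOf(componentType=univ.OctetString())),
    namedtype.NamedType('pubInfo', rfc4211.PKIPublicationInfo())
)

id_kp_cmcCA = _buildOid(rfc5280.id_kp, 27)

id_cmc_confirmCertAcceptance = _buildOid(id_cmc, 24)

id_cmc_raIdentityWitness = _buildOid(id_cmc, 35)

id_ExtensionReq = _buildOid(1, 2, 840, 113549, 1, 9, 14)

id_cct = _buildOid(id_pkix, 12)

id_cct_PKIData = _buildOid(id_cct, 2)

id_kp_cmcRA = _buildOid(rfc5280.id_kp, 28)


class CMCStatusInfo(univ.Sequence):
    """CMCStatusInfo ::= SEQUENCE (v1 form; bodyList is SEQUENCE OF BodyPartID)."""


CMCStatusInfo.componentType = namedtype.NamedTypes(
    namedtype.NamedType('cMCStatus', CMCStatus()),
    namedtype.NamedType('bodyList', univ.SequenceOf(componentType=BodyPartID())),
    namedtype.OptionalNamedType('statusString', char.UTF8String()),
    namedtype.OptionalNamedType(
        'otherInfo', univ.Choice(
            componentType=namedtype.NamedTypes(
                namedtype.NamedType('failInfo', CMCFailInfo()),
                namedtype.NamedType('pendInfo', PendInfo())
            )
        )
    )
)


class DecryptedPOP(univ.Sequence):
    """DecryptedPOP ::= SEQUENCE { bodyPartID, thePOPAlgID, thePOP OCTET STRING }."""


DecryptedPOP.componentType = namedtype.NamedTypes(
    namedtype.NamedType('bodyPartID', BodyPartID()),
    namedtype.NamedType('thePOPAlgID', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('thePOP', univ.OctetString())
)

id_cmc_addExtensions = _buildOid(id_cmc, 8)

id_cmc_modCertTemplate = _buildOid(id_cmc, 31)


class TaggedAttribute(univ.Sequence):
    """TaggedAttribute ::= SEQUENCE { bodyPartID, attrType, attrValues }.

    ``attrValues`` is an open type keyed on ``attrType`` through
    ``cmcControlAttributesMap``: a control OID present in that map is
    decoded to its registered type, anything else stays an
    ``AttributeValue`` (ANY).
    """


TaggedAttribute.componentType = namedtype.NamedTypes(
    namedtype.NamedType('bodyPartID', BodyPartID()),
    namedtype.NamedType('attrType', univ.ObjectIdentifier()),
    namedtype.NamedType('attrValues', univ.SetOf(componentType=AttributeValue()),
        openType=opentype.OpenType('attrType', cmcControlAttributesMap)
    )
)


class OtherMsg(univ.Sequence):
    """OtherMsg ::= SEQUENCE { bodyPartID, otherMsgType OID, otherMsgValue ANY }."""


OtherMsg.componentType = namedtype.NamedTypes(
    namedtype.NamedType('bodyPartID', BodyPartID()),
    namedtype.NamedType('otherMsgType', univ.ObjectIdentifier()),
    namedtype.NamedType('otherMsgValue', univ.Any())
)


class PKIData(univ.Sequence):
    """PKIData ::= SEQUENCE of control / request / cms / otherMsg sequences."""


PKIData.componentType = namedtype.NamedTypes(
    namedtype.NamedType('controlSequence', univ.SequenceOf(componentType=TaggedAttribute())),
    namedtype.NamedType('reqSequence', univ.SequenceOf(componentType=TaggedRequest())),
    namedtype.NamedType('cmsSequence', univ.SequenceOf(componentType=TaggedContentInfo())),
    namedtype.NamedType('otherMsgSequence', univ.SequenceOf(componentType=OtherMsg()))
)


class BodyPartList(univ.SequenceOf):
    """BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID."""


BodyPartList.componentType = BodyPartID()
BodyPartList.sizeSpec = constraint.ValueSizeConstraint(1, MAX)

id_cmc_responseBody = _buildOid(id_cmc, 37)


class AuthPublish(BodyPartID):
    """AuthPublish ::= BodyPartID."""


class CMCUnsignedData(univ.Sequence):
    """CMCUnsignedData ::= SEQUENCE { bodyPartPath, identifier OID, content ANY }.

    ``content`` is a plain ``Any`` with no open-type map attached, so it is
    not decoded further by this module.
    """


CMCUnsignedData.componentType = namedtype.NamedTypes(
    namedtype.NamedType('bodyPartPath', BodyPartPath()),
    namedtype.NamedType('identifier', univ.ObjectIdentifier()),
    namedtype.NamedType('content', univ.Any())
)


class CMCCertId(rfc5652.IssuerAndSerialNumber):
    """CMCCertId ::= IssuerAndSerialNumber."""


class PKIResponse(univ.Sequence):
    """PKIResponse ::= SEQUENCE of control / cms / otherMsg sequences."""


PKIResponse.componentType = namedtype.NamedTypes(
    namedtype.NamedType('controlSequence', univ.SequenceOf(componentType=TaggedAttribute())),
    namedtype.NamedType('cmsSequence', univ.SequenceOf(componentType=TaggedContentInfo())),
    namedtype.NamedType('otherMsgSequence', univ.SequenceOf(componentType=OtherMsg()))
)


class ResponseBody(PKIResponse):
    """ResponseBody ::= PKIResponse."""


id_cmc_statusInfoV2 = _buildOid(id_cmc, 25)

id_cmc_lraPOPWitness = _buildOid(id_cmc, 11)


class ModCertTemplate(univ.Sequence):
    """ModCertTemplate ::= SEQUENCE { pkiDataReference, certReferences, replace DEFAULT TRUE, certTemplate }."""


ModCertTemplate.componentType = namedtype.NamedTypes(
    namedtype.NamedType('pkiDataReference', BodyPartPath()),
    namedtype.NamedType('certReferences', BodyPartList()),
    namedtype.DefaultedNamedType('replace', univ.Boolean().subtype(value=1)),
    namedtype.NamedType('certTemplate', rfc4211.CertTemplate())
)

id_cmc_regInfo = _buildOid(id_cmc, 18)

id_cmc_identityProof = _buildOid(id_cmc, 3)


class ExtensionReq(univ.SequenceOf):
    """ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF Extension."""


ExtensionReq.componentType = rfc5280.Extension()
ExtensionReq.sizeSpec = constraint.ValueSizeConstraint(1, MAX)

# NOTE(review): this is the same arc as id_kp_cmcRA above (both id-kp 28),
# so an EKU comparison cannot distinguish the RA purpose from the archive
# purpose using these constants. The value is kept as found; confirm it
# against the RFC 6402 errata / the IANA PKIX EKU registry before relying
# on id_kp_cmcArchive.
id_kp_cmcArchive = _buildOid(rfc5280.id_kp, 28)

id_cmc_publishCert = _buildOid(id_cmc, 30)

id_cmc_dataReturn = _buildOid(id_cmc, 4)


class LraPopWitness(univ.Sequence):
    """LraPopWitness ::= SEQUENCE { pkiDataBodyid, bodyIds SEQUENCE OF BodyPartID }."""


LraPopWitness.componentType = namedtype.NamedTypes(
    namedtype.NamedType('pkiDataBodyid', BodyPartID()),
    namedtype.NamedType('bodyIds', univ.SequenceOf(componentType=BodyPartID()))
)

id_aa = _buildOid(1, 2, 840, 113549, 1, 9, 16, 2)

id_aa_cmc_unsignedData = _buildOid(id_aa, 34)

id_cmc_getCert = _buildOid(id_cmc, 15)

id_cmc_batchRequests = _buildOid(id_cmc, 28)

id_cmc_decryptedPOP = _buildOid(id_cmc, 10)

id_cmc_responseInfo = _buildOid(id_cmc, 19)

id_cmc_changeSubjectName = _buildOid(id_cmc, 36)


class GetCert(univ.Sequence):
    """GetCert ::= SEQUENCE { issuerName GeneralName, serialNumber INTEGER }."""


GetCert.componentType = namedtype.NamedTypes(
    namedtype.NamedType('issuerName', rfc5280.GeneralName()),
    namedtype.NamedType('serialNumber', univ.Integer())
)

id_cmc_identification = _buildOid(id_cmc, 2)

id_cmc_queryPending = _buildOid(id_cmc, 21)


class AddExtensions(univ.Sequence):
    """AddExtensions ::= SEQUENCE { pkiDataReference, certReferences, extensions }."""


AddExtensions.componentType = namedtype.NamedTypes(
    namedtype.NamedType('pkiDataReference', BodyPartID()),
    namedtype.NamedType('certReferences', univ.SequenceOf(componentType=BodyPartID())),
    namedtype.NamedType('extensions', univ.SequenceOf(componentType=rfc5280.Extension()))
)


class EncryptedPOP(univ.Sequence):
    """EncryptedPOP ::= SEQUENCE { request, cms, thePOPAlgID, witnessAlgID, witness }."""


EncryptedPOP.componentType = namedtype.NamedTypes(
    namedtype.NamedType('request', TaggedRequest()),
    namedtype.NamedType('cms', rfc5652.ContentInfo()),
    namedtype.NamedType('thePOPAlgID', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('witnessAlgID', rfc5280.AlgorithmIdentifier()),
    namedtype.NamedType('witness', univ.OctetString())
)

id_cmc_getCRL = _buildOid(id_cmc, 16)

id_cct_PKIResponse = _buildOid(id_cct, 3)

id_cmc_controlProcessed = _buildOid(id_cmc, 32)


class NoSignatureValue(univ.OctetString):
    """NoSignatureValue ::= OCTET STRING (value type paired with id_alg_noSignature)."""


id_ad_cmc = _buildOid(rfc5280.id_ad, 12)

id_alg_noSignature = _buildOid(id_pkix, 6, 2)


# Map of CMC Control OIDs to CMC Control Attributes.
#
# Controls whose OID is defined above but not listed here
# (id_cmc_raIdentityWitness, id_cmc_responseBody, id_cmc_changeSubjectName,
# and the id_aa_cmc_unsignedData attribute) are not resolved by the open
# type on TaggedAttribute and stay as raw AttributeValue / Any; callers that
# need them decoded must register a type themselves.

_cmcControlAttributesMapUpdate = {
    id_cmc_statusInfo: CMCStatusInfo(),
    id_cmc_statusInfoV2: CMCStatusInfoV2(),
    id_cmc_identification: char.UTF8String(),
    id_cmc_identityProof: univ.OctetString(),
    id_cmc_identityProofV2: IdentifyProofV2(),
    id_cmc_dataReturn: univ.OctetString(),
    id_cmc_transactionId: univ.Integer(),
    id_cmc_senderNonce: univ.OctetString(),
    id_cmc_recipientNonce: univ.OctetString(),
    id_cmc_addExtensions: AddExtensions(),
    id_cmc_encryptedPOP: EncryptedPOP(),
    id_cmc_decryptedPOP: DecryptedPOP(),
    id_cmc_lraPOPWitness: LraPopWitness(),
    id_cmc_getCert: GetCert(),
    id_cmc_getCRL: GetCRL(),
    id_cmc_revokeRequest: RevokeRequest(),
    id_cmc_regInfo: univ.OctetString(),
    id_cmc_responseInfo: univ.OctetString(),
    id_cmc_queryPending: univ.OctetString(),
    id_cmc_popLinkRandom: univ.OctetString(),
    id_cmc_popLinkWitness: univ.OctetString(),
    id_cmc_popLinkWitnessV2: PopLinkWitnessV2(),
    id_cmc_confirmCertAcceptance: CMCCertId(),
    id_cmc_trustedAnchors: PublishTrustAnchors(),
    id_cmc_authData: AuthPublish(),
    id_cmc_batchRequests: BodyPartList(),
    id_cmc_batchResponses: BodyPartList(),
    id_cmc_publishCert: CMCPublicationInfo(),
    id_cmc_modCertTemplate: ModCertTemplate(),
    id_cmc_controlProcessed: ControlsProcessed(),
    id_ExtensionReq: ExtensionReq(),
}

# Import-time side effect: this also mutates rfc5652.cmsAttributesMap, since
# cmcControlAttributesMap is an alias of it (see above).
cmcControlAttributesMap.update(_cmcControlAttributesMapUpdate)


# Map of CMC Content Type OIDs to CMC Content Types are added to
# the ones that are in rfc5652.py

_cmsContentTypesMapUpdate = {
    id_cct_PKIData: PKIData(),
    id_cct_PKIResponse: PKIResponse(),
}

rfc5652.cmsContentTypesMap.update(_cmsContentTypesMapUpdate)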