研一
PKCS 7
PKCS7是加密信息传输语法标准,根据不同应用场景定义了5种不同的数据类型。以下是RSA实验室定义的部分ASN.1语法,并不完整,所以不要当标准用!实际实现请以 RFC 2315 及其后继标准 CMS(RFC 5652)的原文为准。
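-- 0.ContentInfo --
-- Outer wrapper of every PKCS #7 object: an OID naming the content type,
-- followed by the content itself.
ContentInfo ::= SEQUENCE {
    contentType ContentType,
    -- The type of content is selected by contentType. A decoder should only
    -- parse it after matching contentType against the content types it
    -- supports, and reject anything else instead of guessing.
    content     [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

ContentType ::= OBJECT IDENTIFIER

-- 1.Data --
-- Arbitrary octets; this type carries no integrity or confidentiality
-- protection by itself.
Data ::= OCTET STRING

-- 2.SignedData --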
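-- Content plus the signatures of its signers.
SignedData ::= SEQUENCE {
    version          Version,
    digestAlgorithms DigestAlgorithmIdentifiers,
    contentInfo      ContentInfo,
    -- certificates and crls are material supplied by the sender and are not
    -- covered by any signature in signerInfos; the verifier still has to
    -- build and validate the chain against its own trust anchors.
    certificates     [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
    crls             [1] IMPLICIT CertificateRevocationLists OPTIONAL,
    signerInfos      SignerInfos
}

DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier

SignerInfos ::= SET OF SignerInfo

-- Per-signer information.
SignerInfo ::= SEQUENCE {
    version                   Version DEFAULT 1,
    issuerAndSerialNumber     IssuerAndSerialNumber,
    digestAlgorithm           DigestAlgorithmIdentifier,
    -- When present, the signature is computed over these attributes (which
    -- RFC 2315 then requires to include the content type and the message
    -- digest of the content), not directly over the content.
    authenticatedAttributes   [0] IMPLICIT Attributes OPTIONAL,
    digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
    encryptedDigest           EncryptedDigest,
    -- Not covered by the signature: these can be changed without
    -- invalidating it, so a verifier must not base trust decisions on them.
    unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}

Attributes ::= SET OF Attribute

Attribute ::= SEQUENCE {
    type   EncodedObjectID,
    values AttributeSetValue
}

-- With RSA (PKCS #7 v1.5) this is the DigestInfo below, encrypted with the
-- signer's private key.
EncryptedDigest ::= OCTET STRING

-- NOTE(review): the other definitions on this page use
-- DigestAlgorithmIdentifier for this kind of field; confirm the type name.
DigestInfo ::= SEQUENCE {
    digestAlgorithm DigestAlgorithm,
    digest          Digest
}

Digest ::= OCTET STRING

-- 3.Enveloped data --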
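-- Encrypted content plus one wrapped content-encryption key per recipient.
-- No field of this structure authenticates encryptedContent, so it gives
-- confidentiality only; integrity has to come from somewhere else.
EnvelopedData ::= SEQUENCE {
    version              Version, -- DEFAULT 0
    recipientInfos       RecipientInfos,
    encryptedContentInfo EncryptedContentInfo
}

RecipientInfos ::= SET OF RecipientInfo

EncryptedContentInfo ::= SEQUENCE {
    contentType                ContentType,
    contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
    encryptedContent           [0] IMPLICIT EncryptedContent OPTIONAL
}

EncryptedContent ::= OCTET STRING

-- Identifies one recipient by certificate issuer and serial number and
-- carries the content-encryption key encrypted for that recipient.
RecipientInfo ::= SEQUENCE {
    version                Version, -- DEFAULT 0
    issuerAndSerialNumber  IssuerAndSerialNumber,
    keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
    encryptedKey           EncryptedKey
}

EncryptedKey ::= OCTET STRING

-- 4.Signed and Enveloped Data --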
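-- Combines the fields of SignedData and EnvelopedData in one structure.
SignedAndEnvelopedData ::= SEQUENCE {
    version              Version,
    recipientInfos       RecipientInfos,
    digestAlgorithms     DigestAlgorithmIdentifiers,
    encryptedContentInfo EncryptedContentInfo,
    certificates         [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
    crls                 [1] IMPLICIT CertificateRevocationLists OPTIONAL,
    signerInfos          SignerInfos
}

-- 5.Digested Data --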
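-- Content plus an unkeyed digest of it. The digest detects accidental
-- corruption only: whoever can modify the content can also recompute it.
DigestedData ::= SEQUENCE {
    version         Version,
    digestAlgorithm DigestAlgorithmIdentifier,
    contentInfo     ContentInfo,
    digest          Digest
}

-- Digest ::= OCTET STRING is already defined in the SignedData section; the
-- original listing repeated the assignment here, which would be a duplicate
-- definition inside one module.

-- 6.Encrypted Data --
-- Encrypted content with no recipient or key information in the structure;
-- the key has to be established outside of it.
EncryptedData ::= SEQUENCE {
    version              Version,
    encryptedContentInfo EncryptedContentInfo
}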
PKCS10
PKCS10 是认证请求语法标准,里面包含了需要被认证的公钥信息及其签名。以下是RSA实验室定义的部分ASN.1语法,并不完整,所以不要当标准用!完整定义见 RFC 2986。
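-- A certification request: the request information, the signature algorithm
-- and the requester's signature.
CertificationRequest ::= SEQUENCE {
    certificationRequestInfo CertificationRequestInfo,
    signatureAlgorithm       AlgorithmIdentifier {{SignatureAlgorithm}},
    -- Computed over the DER encoding of certificationRequestInfo with the
    -- private key matching subjectPKInfo. It shows possession of that key,
    -- not entitlement to the requested subject name: the CA has to verify
    -- the signature and validate subject and attributes on its own.
    signature                BIT STRING
}

CertificationRequestInfo ::= SEQUENCE {
    version       INTEGER {v1(0)} (v1, ...),
    subject       Name,
    subjectPKInfo SubjectPublicKeyInfo {{PKInfoAlgorithms}},
    -- Requester-controlled input; treat every attribute as a request, not
    -- as something to be copied into the certificate unchecked.
    attributes    [0] Attributes {{CRIAttributes}}
}

SubjectPublicKeyInfo {ALGORITHM : IOSet} ::= SEQUENCE {
    algorithm        AlgorithmIdentifier {{IOSet}},
    subjectPublicKey BIT STRING
}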
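-- Information object sets left open for the application to fill in.
PKInfoAlgorithms ALGORITHM ::= {
    ... -- add any locally defined algorithms here --
}

Attributes {ATTRIBUTE : IOSet} ::= SET OF Attribute {{IOSet}}

CRIAttributes ATTRIBUTE ::= {
    ... -- add any locally defined attributes here --
}

-- The component reference in the table constraint has to name the "type"
-- field of this SEQUENCE, hence {@type}.
Attribute {ATTRIBUTE : IOSet} ::= SEQUENCE {
    type   ATTRIBUTE.&id({IOSet}),
    values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}

-- The type of parameters is tied to the algorithm OID by the table
-- constraint.
AlgorithmIdentifier {ALGORITHM : IOSet} ::= SEQUENCE {
    algorithm  ALGORITHM.&id({IOSet}),
    parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}

SignatureAlgorithm ALGORITHM ::= {
    ... -- add any locally defined algorithms here --
}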
PKCS12 个人信息交换语法
本标准描述了个人身份标识信息传递语法,包括私钥、证书、各种形式的秘密值及其扩展。
-- Top-level PKCS #12 container.
PFX ::= SEQUENCE {
    version  INTEGER {v3(3)}(v3,...),
    authSafe ContentInfo,
    -- Password-based integrity check over the contents. It is OPTIONAL in
    -- the syntax; an importer that accepts a PFX without macData (and
    -- without a signed authSafe) is accepting unauthenticated contents.
    macData  MacData OPTIONAL
}

MacData ::= SEQUENCE {
    mac        DigestInfo,
    macSalt    OCTET STRING,
    -- A file that omits this field gets a single iteration, which adds no
    -- cost to password guessing. RFC 7292 keeps the default for historical
    -- reasons and deprecates its use; writers should set an explicit count.
    iterations INTEGER DEFAULT 1
}
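-- Each ContentInfo holds one SafeContents, in one of three forms.
AuthenticatedSafe ::= SEQUENCE OF ContentInfo
    -- Data if unencrypted
    -- EncryptedData
    -- EnvelopedData

SafeContents ::= SEQUENCE OF SafeBag

-- One stored item. The type of bagValue is tied to bagId by the table
-- constraint, which is written in parentheses.
SafeBag ::= SEQUENCE {
    bagId         BAG-TYPE.&id({PKCS12BagSet}),
    bagValue      [0] EXPLICIT BAG-TYPE.&Type({PKCS12BagSet}{@bagId}),
    bagAttributes SET OF PKCS12Attribute OPTIONAL
}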
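PKCS12AttrSet ATTRIBUTE ::= {
    friendlyName | -- from PKCS #9
    localKeyId,    -- from PKCS #9
    ...
}

bagtypes OBJECT IDENTIFIER ::= {pkcs-12 10 1}

-- One information object per bag type: the value type and the OID that
-- identifies it.
keyBag              BAG-TYPE ::= {KeyBag              IDENTIFIED BY {bagtypes 1}}
pkcs8ShroudedKeyBag BAG-TYPE ::= {PKCS8ShroudedKeyBag IDENTIFIED BY {bagtypes 2}}
certBag             BAG-TYPE ::= {CertBag             IDENTIFIED BY {bagtypes 3}}
crlBag              BAG-TYPE ::= {CRLBag              IDENTIFIED BY {bagtypes 4}}
secretBag           BAG-TYPE ::= {SecretBag           IDENTIFIED BY {bagtypes 5}}
-- A SafeContents inside a bag makes the structure recursive; a decoder
-- should put a limit on the nesting depth it accepts.
safeContentsBag     BAG-TYPE ::= {SafeContents        IDENTIFIED BY {bagtypes 6}}

PKCS12BagSet BAG-TYPE ::= {
    keyBag |
    pkcs8ShroudedKeyBag |
    certBag |
    crlBag |
    secretBag |
    safeContentsBag,
    ...
}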
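-- A PKCS #8 private key with no encryption of its own: its confidentiality
-- depends entirely on the enclosing ContentInfo being EncryptedData or
-- EnvelopedData.
KeyBag ::= PrivateKeyInfo

-- A PKCS #8 private key that is itself encrypted.
PKCS8ShroudedKeyBag ::= EncryptedPrivateKeyInfo

CertBag ::= SEQUENCE {
    certId    BAG-TYPE.&id({CertTypes}),
    certValue [0] EXPLICIT BAG-TYPE.&Type({CertTypes}{@certId})
}

x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {certTypes 1}}
sdsiCertificate BAG-TYPE ::= {IA5String    IDENTIFIED BY {certTypes 2}}

CertTypes BAG-TYPE ::= {
    x509Certificate |
    sdsiCertificate,
    ...
}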
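CRLBag ::= SEQUENCE {
    crlId    BAG-TYPE.&id({CRLTypes}),
    crlValue [0] EXPLICIT BAG-TYPE.&Type({CRLTypes}{@crlId})
}

-- CRL types are identified under crlTypes (as in RFC 7292), not certTypes;
-- with {certTypes 1} this object would share its OID with x509Certificate.
x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {crlTypes 1}}

CRLTypes BAG-TYPE ::= {
    x509CRL,
    ...
}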
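-- An application-defined secret; the value type is selected by secretTypeId.
SecretBag ::= SEQUENCE {
    secretTypeId BAG-TYPE.&id({SecretTypes}),
    secretValue  [0] EXPLICIT BAG-TYPE.&Type({SecretTypes}{@secretTypeId})
}

SecretTypes BAG-TYPE ::= {
    ...
}

-- SafeContents allows the recursion nesting of all other safebag types --

-- Parameters of the password-based encryption schemes. iterations is the
-- work factor of the key derivation: a reader should reject implausibly
-- large values taken from an untrusted file (CPU exhaustion), and a writer
-- should not use small ones (cheap password guessing).
pkcs-12PbeParams ::= SEQUENCE {
    salt       OCTET STRING,
    iterations INTEGER
}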