# # This file is part of pyasn1-modules software. # # Created by Russ Housley. # # Copyright (c) 2019, Vigil Security, LLC # License: http://snmplabs.com/pyasn1/license.html # # NSA's CMS Key Management Attributes # # ASN.1 source from: # https://www.rfc-editor.org/rfc/rfc7906.txt # https://www.rfc-editor.org/errata/eid5850 # from pyasn1.type import char from pyasn1.type import constraint from pyasn1.type import namedtype from pyasn1.type import namedval from pyasn1.type import tag from pyasn1.type import univ from pyasn1_modules import rfc2634 from pyasn1_modules import rfc4108 from pyasn1_modules import rfc5280 from pyasn1_modules import rfc5652 from pyasn1_modules import rfc6010 from pyasn1_modules import rfc6019 from pyasn1_modules import rfc7191 MAX = float('inf') # Imports From RFC 2634 id_aa_contentHint = rfc2634.id_aa_contentHint ContentHints = rfc2634.ContentHints id_aa_securityLabel = rfc2634.id_aa_securityLabel SecurityPolicyIdentifier = rfc2634.SecurityPolicyIdentifier SecurityClassification = rfc2634.SecurityClassification ESSPrivacyMark = rfc2634.ESSPrivacyMark SecurityCategories= rfc2634.SecurityCategories ESSSecurityLabel = rfc2634.ESSSecurityLabel # Imports From RFC 4108 id_aa_communityIdentifiers = rfc4108.id_aa_communityIdentifiers CommunityIdentifier = rfc4108.CommunityIdentifier CommunityIdentifiers = rfc4108.CommunityIdentifiers # Imports From RFC 5280 AlgorithmIdentifier = rfc5280.AlgorithmIdentifier Name = rfc5280.Name Certificate = rfc5280.Certificate GeneralNames = rfc5280.GeneralNames GeneralName = rfc5280.GeneralName SubjectInfoAccessSyntax = rfc5280.SubjectInfoAccessSyntax id_pkix = rfc5280.id_pkix id_pe = rfc5280.id_pe id_pe_subjectInfoAccess = rfc5280.id_pe_subjectInfoAccess # Imports From RFC 6010 CMSContentConstraints = rfc6010.CMSContentConstraints # Imports From RFC 6019 BinaryTime = rfc6019.BinaryTime id_aa_binarySigningTime = rfc6019.id_aa_binarySigningTime BinarySigningTime = rfc6019.BinarySigningTime # Imports From RFC 5652 
Attribute = rfc5652.Attribute
CertificateSet = rfc5652.CertificateSet
CertificateChoices = rfc5652.CertificateChoices
id_contentType = rfc5652.id_contentType
ContentType = rfc5652.ContentType
id_messageDigest = rfc5652.id_messageDigest
MessageDigest = rfc5652.MessageDigest


# Imports From RFC 7191

SIREntityName = rfc7191.SIREntityName
id_aa_KP_keyPkgIdAndReceiptReq = rfc7191.id_aa_KP_keyPkgIdAndReceiptReq
KeyPkgIdentifierAndReceiptReq = rfc7191.KeyPkgIdentifierAndReceiptReq


# Key Province Attribute
#
# Each "aa_*" object below is an rfc5652.Attribute template: its attrType is
# set to the attribute's OID and attrValues[0] to an empty instance of the
# attribute's value type.

id_aa_KP_keyProvinceV2 = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.71')


class KeyProvinceV2(univ.ObjectIdentifier):
    # KeyProvinceV2 ::= OBJECT IDENTIFIER
    pass


aa_keyProvince_v2 = Attribute()
aa_keyProvince_v2.setComponentByName('attrType', id_aa_KP_keyProvinceV2)
aa_keyProvince_v2.getComponentByName('attrValues').setComponentByPosition(
    0, KeyProvinceV2())


# Manifest Attribute

id_aa_KP_manifest = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.72')


class ShortTitle(char.PrintableString):
    # ShortTitle ::= PrintableString
    pass


class Manifest(univ.SequenceOf):
    # Manifest ::= SEQUENCE SIZE (1..MAX) OF ShortTitle
    # The size constraint is what makes pyasn1 reject an empty manifest.
    componentType = ShortTitle()
    subtypeSpec = constraint.ValueSizeConstraint(1, MAX)


aa_manifest = Attribute()
aa_manifest.setComponentByName('attrType', id_aa_KP_manifest)
aa_manifest.getComponentByName('attrValues').setComponentByPosition(
    0, Manifest())


# Key Algorithm Attribute

id_kma_keyAlgorithm = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.1')


class KeyAlgorithm(univ.Sequence):
    # keyAlg is mandatory; checkWordAlg ([1]) and crcAlg ([2]) are optional
    # and carry context-specific IMPLICIT tags.
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('keyAlg', univ.ObjectIdentifier()),
        namedtype.OptionalNamedType('checkWordAlg', univ.ObjectIdentifier().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.OptionalNamedType('crcAlg', univ.ObjectIdentifier().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


aa_keyAlgorithm = Attribute()
aa_keyAlgorithm.setComponentByName('attrType', id_kma_keyAlgorithm)
aa_keyAlgorithm.getComponentByName('attrValues').setComponentByPosition(
    0, KeyAlgorithm())


# User Certificate Attribute
# (the attrValues entry for this template is filled in right after this
# section)

id_at_userCertificate = univ.ObjectIdentifier('2.5.4.36')

aa_userCertificate = Attribute()
aa_userCertificate.setComponentByName('attrType', id_at_userCertificate)
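aa_userCertificate['attrValues'][0] = Certificate()


# Key Package Receivers Attribute

id_kma_keyPkgReceiversV2 = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.16')


class KeyPkgReceiver(univ.Choice):
    # CHOICE between a SIR entity name ([0]) and a community identifier ([1]).
    pass


KeyPkgReceiver.componentType = namedtype.NamedTypes(
    namedtype.NamedType('sirEntity', SIREntityName().subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
    namedtype.NamedType('community', CommunityIdentifier().subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
)


class KeyPkgReceiversV2(univ.SequenceOf):
    # KeyPkgReceiversV2 ::= SEQUENCE SIZE (1..MAX) OF KeyPkgReceiver
    pass


KeyPkgReceiversV2.componentType = KeyPkgReceiver()
# At least one receiver is required; pyasn1 enforces the size constraint.
KeyPkgReceiversV2.subtypeSpec = constraint.ValueSizeConstraint(1, MAX)

aa_keyPackageReceivers_v2 = Attribute()
aa_keyPackageReceivers_v2['attrType'] = id_kma_keyPkgReceiversV2
aa_keyPackageReceivers_v2['attrValues'][0] = KeyPkgReceiversV2()


# TSEC Nomenclature Attribute

id_kma_TSECNomenclature = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.3')


class CharEdition(char.PrintableString):
    pass


class CharEditionRange(univ.Sequence):
    # Inclusive range of CharEdition values (first, last).
    pass


CharEditionRange.componentType = namedtype.NamedTypes(
    namedtype.NamedType('firstCharEdition', CharEdition()),
    namedtype.NamedType('lastCharEdition', CharEdition())
)


class NumEdition(univ.Integer):
    # INTEGER (0..308915776); out-of-range values fail constraint checking.
    pass


NumEdition.subtypeSpec = constraint.ValueRangeConstraint(0, 308915776)


class NumEditionRange(univ.Sequence):
    # Inclusive range of NumEdition values (first, last).
    pass


NumEditionRange.componentType = namedtype.NamedTypes(
    namedtype.NamedType('firstNumEdition', NumEdition()),
    namedtype.NamedType('lastNumEdition', NumEdition())
)


class EditionID(univ.Choice):
    # Two-level CHOICE: 'char' ([1] single / [2] range) or
    # 'num' ([3] single / [4] range).  The inner CHOICEs are untagged, so
    # the context tags 1..4 are what distinguish the four alternatives on
    # the wire.
    pass


EditionID.componentType = namedtype.NamedTypes(
    namedtype.NamedType('char', univ.Choice(componentType=namedtype.NamedTypes(
        namedtype.NamedType('charEdition', CharEdition().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.NamedType('charEditionRange', CharEditionRange().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2)))
    ))),
    namedtype.NamedType('num', univ.Choice(componentType=namedtype.NamedTypes(
        namedtype.NamedType('numEdition', NumEdition().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))),
        namedtype.NamedType('numEditionRange', NumEditionRange().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4)))
    )))
)


class Register(univ.Integer):
    # INTEGER (0..2147483647)
    pass


Register.subtypeSpec = constraint.ValueRangeConstraint(0, 2147483647)


class RegisterRange(univ.Sequence):
    pass


RegisterRange.componentType = namedtype.NamedTypes(
    namedtype.NamedType('firstRegister', Register()),
    namedtype.NamedType('lastRegister', Register())
)


class RegisterID(univ.Choice):
    # [5] single register or [6] register range.
    pass


RegisterID.componentType = namedtype.NamedTypes(
    namedtype.NamedType('register', Register().subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))),
    namedtype.NamedType('registerRange', RegisterRange().subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 6)))
)


class SegmentNumber(univ.Integer):
    # INTEGER (1..127)
    pass


SegmentNumber.subtypeSpec = constraint.ValueRangeConstraint(1, 127)


class SegmentRange(univ.Sequence):
    pass


SegmentRange.componentType = namedtype.NamedTypes(
    namedtype.NamedType('firstSegment', SegmentNumber()),
    namedtype.NamedType('lastSegment', SegmentNumber())
)


class SegmentID(univ.Choice):
    # [7] single segment or [8] segment range.
    pass


SegmentID.componentType = namedtype.NamedTypes(
    namedtype.NamedType('segmentNumber', SegmentNumber().subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))),
    namedtype.NamedType('segmentRange', SegmentRange().subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 8)))
)


class TSECNomenclature(univ.Sequence):
    # shortTitle is mandatory; editionID, registerID and segmentID are
    # optional.  Their alternatives use disjoint context tags (1..8), so the
    # optional members can be told apart even when some are absent.
    pass


TSECNomenclature.componentType = namedtype.NamedTypes(
    namedtype.NamedType('shortTitle', ShortTitle()),
    namedtype.OptionalNamedType('editionID', EditionID()),
    namedtype.OptionalNamedType('registerID', RegisterID()),
    namedtype.OptionalNamedType('segmentID', SegmentID())
)

aa_tsecNomenclature = Attribute()
aa_tsecNomenclature['attrType'] = id_kma_TSECNomenclature
aa_tsecNomenclature['attrValues'][0] = TSECNomenclature()


# Key Purpose Attribute

id_kma_keyPurpose = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.13')


class KeyPurpose(univ.Enumerated):
    # The named values are the ASCII codes of the single-letter purpose
    # codes ('a' = 65, ...); 'n-a' = 0 means not applicable.
    pass


KeyPurpose.namedValues = namedval.NamedValues(
    ('n-a', 0),
    ('a', 65),
    ('b', 66),
    ('l', 76),
    ('m', 77),
    ('r', 82),
    ('s', 83),
    ('t', 84),
    ('v', 86),
    ('x', 88),
    ('z', 90)
)

aa_keyPurpose = Attribute()
aa_keyPurpose['attrType'] = id_kma_keyPurpose
aa_keyPurpose['attrValues'][0] = KeyPurpose()


# Key Use Attribute

id_kma_keyUse = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.14')


class KeyUse(univ.Enumerated):
    pass


KeyUse.namedValues = namedval.NamedValues(
    ('n-a', 0),
    ('ffk', 1),
    ('kek', 2),
    ('kpk', 3),
    ('msk', 4),
    ('qkek', 5),
    ('tek', 6),
    ('tsk', 7),
    ('trkek', 8),
    ('nfk', 9),
    ('effk', 10),
    ('ebfk', 11),
    ('aek', 12),
    ('wod', 13),
    ('kesk', 246),
    ('eik', 247),
    ('ask', 248),
    ('kmk', 249),
    ('rsk', 250),
    ('csk', 251),
    ('sak', 252),
    ('rgk', 253),
    ('cek', 254),
    ('exk', 255)
)

# Populate aa_keyUse itself.  An earlier revision wrote these two components
# into aa_keyPurpose, which left aa_keyUse as an empty Attribute() and
# silently turned aa_keyPurpose into a key-use template.
aa_keyUse = Attribute()
aa_keyUse['attrType'] = id_kma_keyUse
aa_keyUse['attrValues'][0] = KeyUse()


# Transport Key Attribute

id_kma_transportKey = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.15')


class TransOp(univ.Enumerated):
    pass


TransOp.namedValues = namedval.NamedValues(
    ('transport', 1),
    ('operational', 2)
)

aa_transportKey = Attribute()
aa_transportKey['attrType'] = id_kma_transportKey
aa_transportKey['attrValues'][0] = TransOp()


# Key Distribution Period Attribute

id_kma_keyDistPeriod = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.5')


class KeyDistPeriod(univ.Sequence):
    # doNotDistBefore ([0], optional) and doNotDistAfter (mandatory), both
    # BinaryTime values.
    pass


KeyDistPeriod.componentType = namedtype.NamedTypes(
    namedtype.OptionalNamedType('doNotDistBefore', BinaryTime().subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
    namedtype.NamedType('doNotDistAfter', BinaryTime())
)

aa_keyDistributionPeriod = Attribute()
aa_keyDistributionPeriod['attrType'] = id_kma_keyDistPeriod
aa_keyDistributionPeriod['attrValues'][0] = KeyDistPeriod()


# Key Validity Period Attribute

id_kma_keyValidityPeriod = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.6')


class KeyValidityPeriod(univ.Sequence):
    # doNotUseBefore is mandatory, doNotUseAfter optional (no tags).
    pass


KeyValidityPeriod.componentType = namedtype.NamedTypes(
    namedtype.NamedType('doNotUseBefore', BinaryTime()),
    namedtype.OptionalNamedType('doNotUseAfter', BinaryTime())
)

aa_keyValidityPeriod = Attribute()
aa_keyValidityPeriod['attrType'] = id_kma_keyValidityPeriod
aa_keyValidityPeriod['attrValues'][0] = KeyValidityPeriod()


# Key Duration Attribute

id_kma_keyDuration = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.7')

# Upper bounds for each KeyDuration alternative.
ub_KeyDuration_months = univ.Integer(72)
ub_KeyDuration_hours = univ.Integer(96)
ub_KeyDuration_days = univ.Integer(732)
ub_KeyDuration_weeks = univ.Integer(104)
ub_KeyDuration_years = univ.Integer(100)


class KeyDuration(univ.Choice):
    # Every alternative is an INTEGER (1..ub_*).  'days' keeps the universal
    # INTEGER tag; the others carry context tags [0] hours, [1] weeks,
    # [2] months, [3] years, as in the ASN.1 module.
    pass


KeyDuration.componentType = namedtype.NamedTypes(
    namedtype.NamedType('hours', univ.Integer().subtype(
        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_hours)).subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
    namedtype.NamedType('days', univ.Integer().subtype(
        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_days))),
    namedtype.NamedType('weeks', univ.Integer().subtype(
        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_weeks)).subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
    namedtype.NamedType('months', univ.Integer().subtype(
        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_months)).subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
    namedtype.NamedType('years', univ.Integer().subtype(
        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_years)).subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)))
)

aa_keyDurationPeriod = Attribute()
aa_keyDurationPeriod['attrType'] = id_kma_keyDuration
aa_keyDurationPeriod['attrValues'][0] = KeyDuration()


# Classification Attribute

# The classification attribute reuses the ESS securityLabel OID, so the
# map entry added at the bottom of this file shares its key with
# id_aa_securityLabel.
id_aa_KP_classification = univ.ObjectIdentifier(id_aa_securityLabel)

id_enumeratedPermissiveAttributes = univ.ObjectIdentifier('2.16.840.1.101.2.1.8.3.1')
id_enumeratedRestrictiveAttributes = univ.ObjectIdentifier('2.16.840.1.101.2.1.8.3.4')
id_informativeAttributes = univ.ObjectIdentifier('2.16.840.1.101.2.1.8.3.3')


class SecurityAttribute(univ.Integer):
    # INTEGER (0..MAX): only the lower bound is enforced.
    pass


SecurityAttribute.subtypeSpec = constraint.ValueRangeConstraint(0, MAX)


class EnumeratedTag(univ.Sequence):
    pass


EnumeratedTag.componentType = namedtype.NamedTypes(
    namedtype.NamedType('tagName', univ.ObjectIdentifier()),
    namedtype.NamedType('attributeList', univ.SetOf(componentType=SecurityAttribute()))
)


class FreeFormField(univ.Choice):
    # The bitSetAttributes alternative is declared for decoding only; the
    # comment inline below records that RFC 7906 does not permit it.
    pass


FreeFormField.componentType = namedtype.NamedTypes(
    namedtype.NamedType('bitSetAttributes', univ.BitString()), # Not permitted in RFC 7906
    namedtype.NamedType('securityAttributes', univ.SetOf(componentType=SecurityAttribute()))
)


class InformativeTag(univ.Sequence):
    pass


InformativeTag.componentType = namedtype.NamedTypes(
    namedtype.NamedType('tagName', univ.ObjectIdentifier()),
    namedtype.NamedType('attributes', FreeFormField())
)


class Classification(ESSSecurityLabel):
    # Same structure as the ESS security label.
    pass


aa_classification = Attribute()
aa_classification['attrType'] = id_aa_KP_classification
aa_classification['attrValues'][0] = Classification()


# Split Identifier Attribute

id_kma_splitID = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.11')


class SplitID(univ.Sequence):
    # half: ENUMERATED { a(0), b(1) }; combineAlg: optional AlgorithmIdentifier.
    pass


SplitID.componentType = namedtype.NamedTypes(
    namedtype.NamedType('half', univ.Enumerated(
        namedValues=namedval.NamedValues(('a', 0), ('b', 1)))),
    namedtype.OptionalNamedType('combineAlg', AlgorithmIdentifier())
)

aa_splitIdentifier = Attribute()
aa_splitIdentifier['attrType'] = id_kma_splitID
aa_splitIdentifier['attrValues'][0] = SplitID()


# Key Package Type Attribute

id_kma_keyPkgType = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.12')


class KeyPkgType(univ.ObjectIdentifier):
    pass


aa_keyPackageType = Attribute()
aa_keyPackageType['attrType'] = id_kma_keyPkgType
aa_keyPackageType['attrValues'][0] = KeyPkgType()


# Signature Usage Attribute

id_kma_sigUsageV3 = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.22')


class SignatureUsage(CMSContentConstraints):
    # Same structure as RFC 6010 CMSContentConstraints.
    pass


aa_signatureUsage_v3 = Attribute()
aa_signatureUsage_v3['attrType'] = id_kma_sigUsageV3
aa_signatureUsage_v3['attrValues'][0] = SignatureUsage()


# Other Certificate Format Attribute

id_kma_otherCertFormats = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.19')

# Populate aa_otherCertificateFormats itself.  An earlier revision wrote
# these two components into aa_signatureUsage_v3, which left this template
# empty and overwrote the signature-usage template just built above.
aa_otherCertificateFormats = Attribute()
aa_otherCertificateFormats['attrType'] = id_kma_otherCertFormats
aa_otherCertificateFormats['attrValues'][0] = CertificateChoices()


# PKI Path Attribute

id_at_pkiPath = univ.ObjectIdentifier('2.5.4.70')


class PkiPath(univ.SequenceOf):
    # PkiPath ::= SEQUENCE SIZE (1..MAX) OF Certificate
    pass


PkiPath.componentType = Certificate()
PkiPath.subtypeSpec = constraint.ValueSizeConstraint(1, MAX)

aa_pkiPath = Attribute()
aa_pkiPath['attrType'] = id_at_pkiPath
aa_pkiPath['attrValues'][0] = PkiPath()


# Useful Certificates Attribute

id_kma_usefulCerts = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.20')

aa_usefulCertificates = Attribute()
aa_usefulCertificates['attrType'] = id_kma_usefulCerts
aa_usefulCertificates['attrValues'][0] = CertificateSet()


# Key Wrap Attribute

id_kma_keyWrapAlgorithm = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.21')

aa_keyWrapAlgorithm = Attribute()
aa_keyWrapAlgorithm['attrType'] = id_kma_keyWrapAlgorithm
aa_keyWrapAlgorithm['attrValues'][0] = AlgorithmIdentifier()


# Content Decryption Key Identifier Attribute

id_aa_KP_contentDecryptKeyID = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.66')


class ContentDecryptKeyID(univ.OctetString):
    pass


aa_contentDecryptKeyIdentifier = Attribute()
aa_contentDecryptKeyIdentifier['attrType'] = id_aa_KP_contentDecryptKeyID
aa_contentDecryptKeyIdentifier['attrValues'][0] = ContentDecryptKeyID()


# Certificate Pointers Attribute

# Uses the RFC 5280 subjectInfoAccess OID and syntax; no new OID is defined.
aa_certificatePointers = Attribute()
aa_certificatePointers['attrType'] = id_pe_subjectInfoAccess
aa_certificatePointers['attrValues'][0] = SubjectInfoAccessSyntax()


# CRL Pointers Attribute

id_aa_KP_crlPointers = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.70')

aa_cRLDistributionPoints = Attribute()
aa_cRLDistributionPoints['attrType'] = id_aa_KP_crlPointers
aa_cRLDistributionPoints['attrValues'][0] = GeneralNames()


# Extended Error Codes

id_errorCodes = univ.ObjectIdentifier('2.16.840.1.101.2.1.22')
id_missingKeyType = univ.ObjectIdentifier('2.16.840.1.101.2.1.22.1')
id_privacyMarkTooLong = univ.ObjectIdentifier('2.16.840.1.101.2.1.22.2')
id_unrecognizedSecurityPolicy = univ.ObjectIdentifier('2.16.840.1.101.2.1.22.3')


# Map of Attribute Type OIDs to Attributes added to the
# ones that are in rfc5652.py
#
# Importing this module mutates rfc5652.cmsAttributesMap (below), which is
# presumably what lets rfc5652-based decoders resolve these attribute values
# by OID; a process that needs the RFC 7906 types decoded must import this
# module before decoding.

_cmsAttributesMapUpdate = {
    id_aa_contentHint: ContentHints(),
    id_aa_communityIdentifiers: CommunityIdentifiers(),
    id_aa_binarySigningTime: BinarySigningTime(),
    id_contentType: ContentType(),
    id_messageDigest: MessageDigest(),
    id_aa_KP_keyPkgIdAndReceiptReq: KeyPkgIdentifierAndReceiptReq(),
    id_aa_KP_keyProvinceV2: KeyProvinceV2(),
    id_aa_KP_manifest: Manifest(),
    id_kma_keyAlgorithm: KeyAlgorithm(),
    id_at_userCertificate: Certificate(),
    id_kma_keyPkgReceiversV2: KeyPkgReceiversV2(),
    id_kma_TSECNomenclature: TSECNomenclature(),
    id_kma_keyPurpose: KeyPurpose(),
    id_kma_keyUse: KeyUse(),
    id_kma_transportKey: TransOp(),
    id_kma_keyDistPeriod: KeyDistPeriod(),
    id_kma_keyValidityPeriod: KeyValidityPeriod(),
    id_kma_keyDuration: KeyDuration(),
    id_aa_KP_classification: Classification(),
    id_kma_splitID: SplitID(),
    id_kma_keyPkgType: KeyPkgType(),
    id_kma_sigUsageV3: SignatureUsage(),
    id_kma_otherCertFormats: CertificateChoices(),
    id_at_pkiPath: PkiPath(),
    id_kma_usefulCerts: CertificateSet(),
    id_kma_keyWrapAlgorithm: AlgorithmIdentifier(),
    id_aa_KP_contentDecryptKeyID: ContentDecryptKeyID(),
    id_pe_subjectInfoAccess: SubjectInfoAccessSyntax(),
    id_aa_KP_crlPointers: GeneralNames(),
}

rfc5652.cmsAttributesMap.update(_cmsAttributesMapUpdate)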