Package org.bouncycastle.asn1.cmp
package org.bouncycastle.asn1.cmp
Support classes useful for encoding and supporting PKIX-CMP as described RFC 4210.
-
ClassDescriptionCertAnnContent ::= CMPCertificateCertifiedKeyPair ::= SEQUENCE { certOrEncCert CertOrEncCert, privateKey [0] EncryptedValue OPTIONAL, -- see [CRMF] for comment on encoding publicationInfo [1] PKIPublicationInfo OPTIONAL }CertOrEncCert ::= CHOICE { certificate [0] CMPCertificate, encryptedCert [1] EncryptedKey }GenMsg: {id-it 19}, < absent > GenRep: {id-it 19}, CertReqTemplateContent | < absent >CertStatus ::= SEQUENCE { certHash OCTET STRING, certReqId INTEGER, statusInfo PKIStatusInfo OPTIONAL, hashAlg [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}} OPTIONAL }GenMsg: {id-it TBD1}, SEQUENCE SIZE (1..MAX) OF CRLStatus GenRep: {id-it TBD2}, SEQUENCE SIZE (1..MAX) OF CertificateList | < absent >CRLStatus ::= SEQUENCE { source CRLSource, thisUpdate Time OPTIONAL }DHBMParameter ::= SEQUENCE { owf AlgorithmIdentifier, -- AlgId for a One-Way Function (SHA-1 recommended) mac AlgorithmIdentifier -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], } -- or HMAC [RFC2104, RFC2202])Example InfoTypeAndValue contents include, but are not limited to, the following (un-comment in this ASN.1 module and use as appropriate for a given environment):KemBMParameter ::= SEQUENCE { kdf AlgorithmIdentifier{KEY-DERIVATION, {...}}, len INTEGER (1..MAX), mac AlgorithmIdentifier{MAC-ALGORITHM, {...}} }KemCiphertextInfo ::= SEQUENCE { kem AlgorithmIdentifier{KEM-ALGORITHM, {...}}, ct OCTET STRING }NestedMessageContent ::= PKIMessagesOOBCert ::= CMPCertificatePKIFailureInfo ::= BIT STRING { badAlg (0), -- unrecognized or unsupported Algorithm Identifier badMessageCheck (1), -- integrity check failed (e.g., signature did not verify) badRequest (2), -- transaction not permitted or supported badTime (3), -- messageTime was not sufficiently close to the system time, as defined by local policy badCertId (4), -- no certificate could be found matching the provided criteria badDataFormat (5), -- the data submitted has the wrong format wrongAuthority (6), -- the authority indicated in the request is different from the one creating the response token incorrectData (7), -- the requester's data is incorrect (for notary services) missingTimeStamp (8), -- when the timestamp is missing but should be there (by policy) badPOP (9) -- the proof-of-possession failed certRevoked (10), certConfirmed (11), wrongIntegrity (12), badRecipientNonce (13), timeNotAvailable (14), -- the TSA's time source is not available unacceptedPolicy (15), -- the requested TSA policy is not supported by the TSA unacceptedExtension (16), -- the requested extension is not supported by the TSA addInfoNotAvailable (17) -- the additional information requested could not be understood -- or is not available badSenderNonce (18), badCertTemplate (19), signerNotTrusted (20), transactionIdInUse (21), unsupportedVersion (22), notAuthorized (23), systemUnavail (24), systemFailure (25), -- the request cannot be handled due to system failure duplicateCertReq (26)PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessagePKIStatusInfo ::= SEQUENCE { status PKIStatus, statusString PKIFreeText OPTIONAL, failInfo PKIFailureInfo OPTIONAL }ProtectedPart ::= SEQUENCE { header PKIHeader, body PKIBody }GenMsg: {id-it 20}, RootCaCertValue | < absent > GenRep: {id-it 18}, RootCaKeyUpdateContent | < absent >