You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

737 lines
18 KiB

2 years ago
#
# This file is part of pyasn1-modules software.
#
# Created by Russ Housley.
#
# Copyright (c) 2019, Vigil Security, LLC
# License: http://snmplabs.com/pyasn1/license.html
#
# NSA's CMS Key Management Attributes
#
# ASN.1 source from:
# https://www.rfc-editor.org/rfc/rfc7906.txt
# https://www.rfc-editor.org/errata/eid5850
#
from pyasn1.type import char
from pyasn1.type import constraint
from pyasn1.type import namedtype
from pyasn1.type import namedval
from pyasn1.type import tag
from pyasn1.type import univ
from pyasn1_modules import rfc2634
from pyasn1_modules import rfc4108
from pyasn1_modules import rfc5280
from pyasn1_modules import rfc5652
from pyasn1_modules import rfc6010
from pyasn1_modules import rfc6019
from pyasn1_modules import rfc7191
MAX = float('inf')
# Imports From RFC 2634
id_aa_contentHint = rfc2634.id_aa_contentHint
ContentHints = rfc2634.ContentHints
id_aa_securityLabel = rfc2634.id_aa_securityLabel
SecurityPolicyIdentifier = rfc2634.SecurityPolicyIdentifier
SecurityClassification = rfc2634.SecurityClassification
ESSPrivacyMark = rfc2634.ESSPrivacyMark
SecurityCategories= rfc2634.SecurityCategories
ESSSecurityLabel = rfc2634.ESSSecurityLabel
# Imports From RFC 4108
id_aa_communityIdentifiers = rfc4108.id_aa_communityIdentifiers
CommunityIdentifier = rfc4108.CommunityIdentifier
CommunityIdentifiers = rfc4108.CommunityIdentifiers
# Imports From RFC 5280
AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
Name = rfc5280.Name
Certificate = rfc5280.Certificate
GeneralNames = rfc5280.GeneralNames
GeneralName = rfc5280.GeneralName
SubjectInfoAccessSyntax = rfc5280.SubjectInfoAccessSyntax
id_pkix = rfc5280.id_pkix
id_pe = rfc5280.id_pe
id_pe_subjectInfoAccess = rfc5280.id_pe_subjectInfoAccess
# Imports From RFC 6010
CMSContentConstraints = rfc6010.CMSContentConstraints
# Imports From RFC 6019
BinaryTime = rfc6019.BinaryTime
id_aa_binarySigningTime = rfc6019.id_aa_binarySigningTime
BinarySigningTime = rfc6019.BinarySigningTime
# Imports From RFC 5652
Attribute = rfc5652.Attribute
CertificateSet = rfc5652.CertificateSet
CertificateChoices = rfc5652.CertificateChoices
id_contentType = rfc5652.id_contentType
ContentType = rfc5652.ContentType
id_messageDigest = rfc5652.id_messageDigest
MessageDigest = rfc5652.MessageDigest
# Imports From RFC 7191
SIREntityName = rfc7191.SIREntityName
id_aa_KP_keyPkgIdAndReceiptReq = rfc7191.id_aa_KP_keyPkgIdAndReceiptReq
KeyPkgIdentifierAndReceiptReq = rfc7191.KeyPkgIdentifierAndReceiptReq
# Key Province Attribute
id_aa_KP_keyProvinceV2 = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.71')
class KeyProvinceV2(univ.ObjectIdentifier):
pass
aa_keyProvince_v2 = Attribute()
aa_keyProvince_v2['attrType'] = id_aa_KP_keyProvinceV2
aa_keyProvince_v2['attrValues'][0] = KeyProvinceV2()
# Manifest Attribute
id_aa_KP_manifest = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.72')
class ShortTitle(char.PrintableString):
pass
class Manifest(univ.SequenceOf):
pass
Manifest.componentType = ShortTitle()
Manifest.subtypeSpec=constraint.ValueSizeConstraint(1, MAX)
aa_manifest = Attribute()
aa_manifest['attrType'] = id_aa_KP_manifest
aa_manifest['attrValues'][0] = Manifest()
# Key Algorithm Attribute
id_kma_keyAlgorithm = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.1')
class KeyAlgorithm(univ.Sequence):
pass
KeyAlgorithm.componentType = namedtype.NamedTypes(
namedtype.NamedType('keyAlg', univ.ObjectIdentifier()),
namedtype.OptionalNamedType('checkWordAlg', univ.ObjectIdentifier().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
namedtype.OptionalNamedType('crcAlg', univ.ObjectIdentifier().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
)
aa_keyAlgorithm = Attribute()
aa_keyAlgorithm['attrType'] = id_kma_keyAlgorithm
aa_keyAlgorithm['attrValues'][0] = KeyAlgorithm()
# User Certificate Attribute
id_at_userCertificate = univ.ObjectIdentifier('2.5.4.36')
aa_userCertificate = Attribute()
aa_userCertificate['attrType'] = id_at_userCertificate
aa_userCertificate['attrValues'][0] = Certificate()
# Key Package Receivers Attribute
id_kma_keyPkgReceiversV2 = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.16')
class KeyPkgReceiver(univ.Choice):
pass
KeyPkgReceiver.componentType = namedtype.NamedTypes(
namedtype.NamedType('sirEntity', SIREntityName().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
namedtype.NamedType('community', CommunityIdentifier().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
)
class KeyPkgReceiversV2(univ.SequenceOf):
pass
KeyPkgReceiversV2.componentType = KeyPkgReceiver()
KeyPkgReceiversV2.subtypeSpec=constraint.ValueSizeConstraint(1, MAX)
aa_keyPackageReceivers_v2 = Attribute()
aa_keyPackageReceivers_v2['attrType'] = id_kma_keyPkgReceiversV2
aa_keyPackageReceivers_v2['attrValues'][0] = KeyPkgReceiversV2()
# TSEC Nomenclature Attribute
id_kma_TSECNomenclature = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.3')
class CharEdition(char.PrintableString):
pass
class CharEditionRange(univ.Sequence):
pass
CharEditionRange.componentType = namedtype.NamedTypes(
namedtype.NamedType('firstCharEdition', CharEdition()),
namedtype.NamedType('lastCharEdition', CharEdition())
)
class NumEdition(univ.Integer):
pass
NumEdition.subtypeSpec = constraint.ValueRangeConstraint(0, 308915776)
class NumEditionRange(univ.Sequence):
pass
NumEditionRange.componentType = namedtype.NamedTypes(
namedtype.NamedType('firstNumEdition', NumEdition()),
namedtype.NamedType('lastNumEdition', NumEdition())
)
class EditionID(univ.Choice):
pass
EditionID.componentType = namedtype.NamedTypes(
namedtype.NamedType('char', univ.Choice(componentType=namedtype.NamedTypes(
namedtype.NamedType('charEdition', CharEdition().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
namedtype.NamedType('charEditionRange', CharEditionRange().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2)))
))
),
namedtype.NamedType('num', univ.Choice(componentType=namedtype.NamedTypes(
namedtype.NamedType('numEdition', NumEdition().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))),
namedtype.NamedType('numEditionRange', NumEditionRange().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4)))
))
)
)
class Register(univ.Integer):
pass
Register.subtypeSpec = constraint.ValueRangeConstraint(0, 2147483647)
class RegisterRange(univ.Sequence):
pass
RegisterRange.componentType = namedtype.NamedTypes(
namedtype.NamedType('firstRegister', Register()),
namedtype.NamedType('lastRegister', Register())
)
class RegisterID(univ.Choice):
pass
RegisterID.componentType = namedtype.NamedTypes(
namedtype.NamedType('register', Register().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))),
namedtype.NamedType('registerRange', RegisterRange().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 6)))
)
class SegmentNumber(univ.Integer):
pass
SegmentNumber.subtypeSpec = constraint.ValueRangeConstraint(1, 127)
class SegmentRange(univ.Sequence):
pass
SegmentRange.componentType = namedtype.NamedTypes(
namedtype.NamedType('firstSegment', SegmentNumber()),
namedtype.NamedType('lastSegment', SegmentNumber())
)
class SegmentID(univ.Choice):
pass
SegmentID.componentType = namedtype.NamedTypes(
namedtype.NamedType('segmentNumber', SegmentNumber().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))),
namedtype.NamedType('segmentRange', SegmentRange().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 8)))
)
class TSECNomenclature(univ.Sequence):
pass
TSECNomenclature.componentType = namedtype.NamedTypes(
namedtype.NamedType('shortTitle', ShortTitle()),
namedtype.OptionalNamedType('editionID', EditionID()),
namedtype.OptionalNamedType('registerID', RegisterID()),
namedtype.OptionalNamedType('segmentID', SegmentID())
)
aa_tsecNomenclature = Attribute()
aa_tsecNomenclature['attrType'] = id_kma_TSECNomenclature
aa_tsecNomenclature['attrValues'][0] = TSECNomenclature()
# Key Purpose Attribute
id_kma_keyPurpose = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.13')
class KeyPurpose(univ.Enumerated):
pass
KeyPurpose.namedValues = namedval.NamedValues(
('n-a', 0),
('a', 65),
('b', 66),
('l', 76),
('m', 77),
('r', 82),
('s', 83),
('t', 84),
('v', 86),
('x', 88),
('z', 90)
)
aa_keyPurpose = Attribute()
aa_keyPurpose['attrType'] = id_kma_keyPurpose
aa_keyPurpose['attrValues'][0] = KeyPurpose()
# Key Use Attribute
id_kma_keyUse = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.14')
class KeyUse(univ.Enumerated):
pass
KeyUse.namedValues = namedval.NamedValues(
('n-a', 0),
('ffk', 1),
('kek', 2),
('kpk', 3),
('msk', 4),
('qkek', 5),
('tek', 6),
('tsk', 7),
('trkek', 8),
('nfk', 9),
('effk', 10),
('ebfk', 11),
('aek', 12),
('wod', 13),
('kesk', 246),
('eik', 247),
('ask', 248),
('kmk', 249),
('rsk', 250),
('csk', 251),
('sak', 252),
('rgk', 253),
('cek', 254),
('exk', 255)
)
aa_keyUse = Attribute()
aa_keyPurpose['attrType'] = id_kma_keyUse
aa_keyPurpose['attrValues'][0] = KeyUse()
# Transport Key Attribute
id_kma_transportKey = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.15')
class TransOp(univ.Enumerated):
pass
TransOp.namedValues = namedval.NamedValues(
('transport', 1),
('operational', 2)
)
aa_transportKey = Attribute()
aa_transportKey['attrType'] = id_kma_transportKey
aa_transportKey['attrValues'][0] = TransOp()
# Key Distribution Period Attribute
id_kma_keyDistPeriod = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.5')
class KeyDistPeriod(univ.Sequence):
pass
KeyDistPeriod.componentType = namedtype.NamedTypes(
namedtype.OptionalNamedType('doNotDistBefore', BinaryTime().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
namedtype.NamedType('doNotDistAfter', BinaryTime())
)
aa_keyDistributionPeriod = Attribute()
aa_keyDistributionPeriod['attrType'] = id_kma_keyDistPeriod
aa_keyDistributionPeriod['attrValues'][0] = KeyDistPeriod()
# Key Validity Period Attribute
id_kma_keyValidityPeriod = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.6')
class KeyValidityPeriod(univ.Sequence):
pass
KeyValidityPeriod.componentType = namedtype.NamedTypes(
namedtype.NamedType('doNotUseBefore', BinaryTime()),
namedtype.OptionalNamedType('doNotUseAfter', BinaryTime())
)
aa_keyValidityPeriod = Attribute()
aa_keyValidityPeriod['attrType'] = id_kma_keyValidityPeriod
aa_keyValidityPeriod['attrValues'][0] = KeyValidityPeriod()
# Key Duration Attribute
id_kma_keyDuration = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.7')
ub_KeyDuration_months = univ.Integer(72)
ub_KeyDuration_hours = univ.Integer(96)
ub_KeyDuration_days = univ.Integer(732)
ub_KeyDuration_weeks = univ.Integer(104)
ub_KeyDuration_years = univ.Integer(100)
class KeyDuration(univ.Choice):
pass
KeyDuration.componentType = namedtype.NamedTypes(
namedtype.NamedType('hours', univ.Integer().subtype(
subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_hours)).subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
namedtype.NamedType('days', univ.Integer().subtype(
subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_days))),
namedtype.NamedType('weeks', univ.Integer().subtype(
subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_weeks)).subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
namedtype.NamedType('months', univ.Integer().subtype(
subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_months)).subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
namedtype.NamedType('years', univ.Integer().subtype(
subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_years)).subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)))
)
aa_keyDurationPeriod = Attribute()
aa_keyDurationPeriod['attrType'] = id_kma_keyDuration
aa_keyDurationPeriod['attrValues'][0] = KeyDuration()
# Classification Attribute
id_aa_KP_classification = univ.ObjectIdentifier(id_aa_securityLabel)
id_enumeratedPermissiveAttributes = univ.ObjectIdentifier('2.16.840.1.101.2.1.8.3.1')
id_enumeratedRestrictiveAttributes = univ.ObjectIdentifier('2.16.840.1.101.2.1.8.3.4')
id_informativeAttributes = univ.ObjectIdentifier('2.16.840.1.101.2.1.8.3.3')
class SecurityAttribute(univ.Integer):
pass
SecurityAttribute.subtypeSpec = constraint.ValueRangeConstraint(0, MAX)
class EnumeratedTag(univ.Sequence):
pass
EnumeratedTag.componentType = namedtype.NamedTypes(
namedtype.NamedType('tagName', univ.ObjectIdentifier()),
namedtype.NamedType('attributeList', univ.SetOf(componentType=SecurityAttribute()))
)
class FreeFormField(univ.Choice):
pass
FreeFormField.componentType = namedtype.NamedTypes(
namedtype.NamedType('bitSetAttributes', univ.BitString()), # Not permitted in RFC 7906
namedtype.NamedType('securityAttributes', univ.SetOf(componentType=SecurityAttribute()))
)
class InformativeTag(univ.Sequence):
pass
InformativeTag.componentType = namedtype.NamedTypes(
namedtype.NamedType('tagName', univ.ObjectIdentifier()),
namedtype.NamedType('attributes', FreeFormField())
)
class Classification(ESSSecurityLabel):
pass
aa_classification = Attribute()
aa_classification['attrType'] = id_aa_KP_classification
aa_classification['attrValues'][0] = Classification()
# Split Identifier Attribute
id_kma_splitID = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.11')
class SplitID(univ.Sequence):
pass
SplitID.componentType = namedtype.NamedTypes(
namedtype.NamedType('half', univ.Enumerated(
namedValues=namedval.NamedValues(('a', 0), ('b', 1)))),
namedtype.OptionalNamedType('combineAlg', AlgorithmIdentifier())
)
aa_splitIdentifier = Attribute()
aa_splitIdentifier['attrType'] = id_kma_splitID
aa_splitIdentifier['attrValues'][0] = SplitID()
# Key Package Type Attribute
id_kma_keyPkgType = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.12')
class KeyPkgType(univ.ObjectIdentifier):
pass
aa_keyPackageType = Attribute()
aa_keyPackageType['attrType'] = id_kma_keyPkgType
aa_keyPackageType['attrValues'][0] = KeyPkgType()
# Signature Usage Attribute
id_kma_sigUsageV3 = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.22')
class SignatureUsage(CMSContentConstraints):
pass
aa_signatureUsage_v3 = Attribute()
aa_signatureUsage_v3['attrType'] = id_kma_sigUsageV3
aa_signatureUsage_v3['attrValues'][0] = SignatureUsage()
# Other Certificate Format Attribute
id_kma_otherCertFormats = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.19')
aa_otherCertificateFormats = Attribute()
aa_signatureUsage_v3['attrType'] = id_kma_otherCertFormats
aa_signatureUsage_v3['attrValues'][0] = CertificateChoices()
# PKI Path Attribute
id_at_pkiPath = univ.ObjectIdentifier('2.5.4.70')
class PkiPath(univ.SequenceOf):
pass
PkiPath.componentType = Certificate()
PkiPath.subtypeSpec=constraint.ValueSizeConstraint(1, MAX)
aa_pkiPath = Attribute()
aa_pkiPath['attrType'] = id_at_pkiPath
aa_pkiPath['attrValues'][0] = PkiPath()
# Useful Certificates Attribute
id_kma_usefulCerts = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.20')
aa_usefulCertificates = Attribute()
aa_usefulCertificates['attrType'] = id_kma_usefulCerts
aa_usefulCertificates['attrValues'][0] = CertificateSet()
# Key Wrap Attribute
id_kma_keyWrapAlgorithm = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.21')
aa_keyWrapAlgorithm = Attribute()
aa_keyWrapAlgorithm['attrType'] = id_kma_keyWrapAlgorithm
aa_keyWrapAlgorithm['attrValues'][0] = AlgorithmIdentifier()
# Content Decryption Key Identifier Attribute
id_aa_KP_contentDecryptKeyID = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.66')
class ContentDecryptKeyID(univ.OctetString):
pass
aa_contentDecryptKeyIdentifier = Attribute()
aa_contentDecryptKeyIdentifier['attrType'] = id_aa_KP_contentDecryptKeyID
aa_contentDecryptKeyIdentifier['attrValues'][0] = ContentDecryptKeyID()
# Certificate Pointers Attribute
aa_certificatePointers = Attribute()
aa_certificatePointers['attrType'] = id_pe_subjectInfoAccess
aa_certificatePointers['attrValues'][0] = SubjectInfoAccessSyntax()
# CRL Pointers Attribute
id_aa_KP_crlPointers = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.70')
aa_cRLDistributionPoints = Attribute()
aa_cRLDistributionPoints['attrType'] = id_aa_KP_crlPointers
aa_cRLDistributionPoints['attrValues'][0] = GeneralNames()
# Extended Error Codes
id_errorCodes = univ.ObjectIdentifier('2.16.840.1.101.2.1.22')
id_missingKeyType = univ.ObjectIdentifier('2.16.840.1.101.2.1.22.1')
id_privacyMarkTooLong = univ.ObjectIdentifier('2.16.840.1.101.2.1.22.2')
id_unrecognizedSecurityPolicy = univ.ObjectIdentifier('2.16.840.1.101.2.1.22.3')
# Map of Attribute Type OIDs to Attributes added to the
# ones that are in rfc5652.py
_cmsAttributesMapUpdate = {
id_aa_contentHint: ContentHints(),
id_aa_communityIdentifiers: CommunityIdentifiers(),
id_aa_binarySigningTime: BinarySigningTime(),
id_contentType: ContentType(),
id_messageDigest: MessageDigest(),
id_aa_KP_keyPkgIdAndReceiptReq: KeyPkgIdentifierAndReceiptReq(),
id_aa_KP_keyProvinceV2: KeyProvinceV2(),
id_aa_KP_manifest: Manifest(),
id_kma_keyAlgorithm: KeyAlgorithm(),
id_at_userCertificate: Certificate(),
id_kma_keyPkgReceiversV2: KeyPkgReceiversV2(),
id_kma_TSECNomenclature: TSECNomenclature(),
id_kma_keyPurpose: KeyPurpose(),
id_kma_keyUse: KeyUse(),
id_kma_transportKey: TransOp(),
id_kma_keyDistPeriod: KeyDistPeriod(),
id_kma_keyValidityPeriod: KeyValidityPeriod(),
id_kma_keyDuration: KeyDuration(),
id_aa_KP_classification: Classification(),
id_kma_splitID: SplitID(),
id_kma_keyPkgType: KeyPkgType(),
id_kma_sigUsageV3: SignatureUsage(),
id_kma_otherCertFormats: CertificateChoices(),
id_at_pkiPath: PkiPath(),
id_kma_usefulCerts: CertificateSet(),
id_kma_keyWrapAlgorithm: AlgorithmIdentifier(),
id_aa_KP_contentDecryptKeyID: ContentDecryptKeyID(),
id_pe_subjectInfoAccess: SubjectInfoAccessSyntax(),
id_aa_KP_crlPointers: GeneralNames(),
}
rfc5652.cmsAttributesMap.update(_cmsAttributesMapUpdate)