Newer
Older
--***************************************************************************--
--***************************************************************************--
/**
* @note Section references in this file are to clauses in IEEE Std
* 1609.2 unless indicated otherwise. Full forms of acronyms and
* abbreviations used in this file are specified in 3.2.
Ieee1609Dot2 {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base(1) schema(1) major-version-2(2) minor-version-6(6)}
DEFINITIONS AUTOMATIC TAGS ::= BEGIN
CrlSeries,
EccP256CurvePoint,
EciesP256EncryptedKey,
EncryptionKey,
GeographicRegion,
GroupLinkageValue,
HashAlgorithm,
HashedId3,
HashedId8,
Hostname,
IValue,
LinkageValue,
Opaque,
Psid,
PsidSsp,
PsidSspRange,
PublicEncryptionKey,
PublicVerificationKey,
SequenceOfHashedId3,
SequenceOfPsidSsp,
SequenceOfPsidSspRange,
ServiceSpecificPermissions,
Signature,
SubjectAssurance,
SymmetricEncryptionKey,
ThreeDLocation,
Time64,
Uint3,
Uint8,
Uint32,
ValidityPeriod
FROM Ieee1609Dot2BaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2)
base(1) base-types(2) major-version-2(2) minor-version-4(4)}
EtsiOriginatingHeaderInfoExtension
FROM EtsiTs103097ExtensionModule {itu-t(0) identified-organization(4) etsi(0)
itsDomain(5) wg5(5) secHeaders(103097) extension(2) major-version-1(1)
;
--***************************************************************************--
-- Secured Data --
--***************************************************************************--
* @brief This data type is used to contain the other data types in this
* clause. The fields in the Ieee1609Dot2Data have the following meanings:
* @param protocolVersion: contains the current version of the protocol. The
* version specified in this standard is version 3, represented by the
* integer 3. There are no major or minor version numbers.
*
* @param content: contains the content in the form of an Ieee1609Dot2Content.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to the Ieee1609Dot2Content.
Ieee1609Dot2Data ::= SEQUENCE {
protocolVersion Uint8(3),
content Ieee1609Dot2Content
}
/**
* @brief In this structure:
*
* @param unsecuredData: indicates that the content is an OCTET STRING to be
* consumed outside the SDS.
*
* @param signedData: indicates that the content has been signed according to
* this standard.
*
* @param encryptedData: indicates that the content has been encrypted
* according to this standard.
*
* @param signedCertificateRequest: indicates that the content is a
* certificate request signed by an IEEE 1609.2 certificate or self-signed.
*
* @param signedX509CertificateRequest: indicates that the content is a
* certificate request signed by an ITU-T X.509 certificate.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2 if it is of type signedData.
* The canonicalization applies to the SignedData.
Ieee1609Dot2Content ::= CHOICE {
unsecuredData Opaque,
signedData SignedData,
encryptedData EncryptedData,
signedCertificateRequest Opaque,
...,
signedX509CertificateRequest Opaque
}
/**
* @brief In this structure:
*
* @param hashId: indicates the hash algorithm to be used to generate the hash
* of the message for signing and verification.
*
* @param tbsData: contains the data that is hashed as input to the signature.
* @param signer: determines the keying material and hash algorithm used to
* sign the data.
*
* @param signature: contains the digital signature itself, calculated as
* specified in 5.3.1.
* - If signer indicates the choice self, then the signature calculation
* is parameterized as follows:
* - Data input is equal to the COER encoding of the tbsData field
* canonicalized according to the encoding considerations given in 6.3.6.
* - Verification type is equal to self.
* - Signer identifier input is equal to the empty string.
* - If signer indicates certificate or digest, then the signature
* calculation is parameterized as follows:
* - Data input is equal to the COER encoding of the tbsData field
* canonicalized according to the encoding considerations given in 6.3.6.
* - Verification type is equal to certificate.
* - Signer identifier input equal to the COER-encoding of the
* Certificate that is to be used to verify the SPDU, canonicalized according
* to the encoding considerations given in 6.4.3.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to the ToBeSignedData and the Signature.
SignedData ::= SEQUENCE {
hashId HashAlgorithm,
tbsData ToBeSignedData,
signer SignerIdentifier,
signature Signature
}
/**
* @brief This structure contains the data to be hashed when generating or
* verifying a signature. See 6.3.4 for the specification of the input to the
* hash.
*
* @param payload: contains data that is provided by the entity that invokes
* @param headerInfo: contains additional data that is inserted by the SDS.
* This structure is used as follows to determine the "data input" to the
* hash operation for signing or verification as specified in 5.3.1.2.2 or
* 5.3.1.3.
* - If payload does not contain the field omitted, the data input to the
* hash operation is the COER encoding of the ToBeSignedData.
* - If payload field in this ToBeSignedData instance contains the field
* omitted, the data input to the hash operation is the COER encoding of the
* ToBeSignedData, concatenated with the hash of the omitted payload. The hash
* of the omitted payload is calculated with the same hash algorithm that is
* used to calculate the hash of the data input for signing or verification.
* The data input to the hash operation is simply the COER enocding of the
* ToBeSignedData, concatenated with the hash of the omitted payload: there is
* no additional wrapping or length indication. As noted in 5.2.4.3.4, the
* means by which the signer and verifier establish the contents of the
* omitted payload are out of scope for this standard.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to the SignedDataPayload if it is of type data, and to the
* HeaderInfo.
ToBeSignedData ::= SEQUENCE {
payload SignedDataPayload,
headerInfo HeaderInfo
}
* @brief This structure contains the data payload of a ToBeSignedData. This
* structure contains at least one of the optional elements, and may contain
* more than one. See 5.2.4.3.4 for more details.
* The security profile in Annex C allows an implementation of this standard
* to state which forms of SignedDataPayload are supported by that
* implementation, and also how the signer and verifier are intended to obtain
* the external data for hashing. The specification of an SDEE that uses
* external data is expected to be explicit and unambiguous about how this
* data is obtained and how it is formatted prior to processing by the hash
* function.
*
* @param data: contains data that is explicitly transported within the
* @param extDataHash: contains the hash of data that is not explicitly
* transported within the structure, and which the creator of the structure
* wishes to cryptographically bind to the signature.
*
* @param omitted: indicates that there is external data to be included in the
* hash calculation for the signature.The mechanism for including the external
* data in the hash calculation is specified in 6.3.6.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to the Ieee1609Dot2Data.
*/
SignedDataPayload ::= SEQUENCE {
data Ieee1609Dot2Data OPTIONAL,
extDataHash HashedData OPTIONAL,
...,
omitted NULL OPTIONAL
} (WITH COMPONENTS {..., data PRESENT} |
WITH COMPONENTS {..., extDataHash PRESENT} |
WITH COMPONENTS {..., omitted PRESENT})
/**
* @brief This structure contains the hash of some data with a specified hash
* algorithm. See 5.3.3 for specification of the permitted hash algorithms.
* @param sha256HashedData: indicates data hashed with SHA-256.
*
* @param sha384HashedData: indicates data hashed with SHA-384.
*
* @param sm3HashedData: indicates data hashed with SM3.
*
* @note Critical information fields: If present, this is a critical
* information field as defined in 5.2.6. An implementation that does not
* recognize the indicated CHOICE for this type when verifying a signed SPDU
* shall indicate that the signed SPDU is invalid in the sense of 4.2.2.3.2,
* that is, it is invalid in the sense that its validity cannot be established.
HashedData::= CHOICE {
sha256HashedData HashedId32,
...,
sha384HashedData HashedId48,
sm3HashedData HashedId32
}
/**
* @brief This structure contains information that is used to establish
* validity by the criteria of 5.2.
*
* @param psid: indicates the application area with which the sender is
* claiming the payload is to be associated.
* @param generationTime: indicates the time at which the structure was
* generated. See 5.2.5.2.2 and 5.2.5.2.3 for discussion of the use of this
* @param expiryTime: if present, contains the time after which the data
* is no longer considered relevant. If both generationTime and
* expiryTime are present, the signed SPDU is invalid if generationTime is
* not strictly earlier than expiryTime.
*
* @param generationLocation: if present, contains the location at which the
* signature was generated.
*
* @param p2pcdLearningRequest: if present, is used by the SDS to request
* certificates for which it has seen identifiers and does not know the
* entire certificate. A specification of this peer-to-peer certificate
* distribution (P2PCD) mechanism is given in Clause 8. This field is used
* for the separate-certificate-pdu flavor of P2PCD and shall only be present
* if inlineP2pcdRequest is not present. The HashedId3 is calculated with the
* whole-certificate hash algorithm, determined as described in 6.4.3,
* applied to the COER-encoded certificate, canonicalized as defined in the
* definition of Certificate.
*
* @param missingCrlIdentifier: if present, is used by the SDS to request
* CRLs which it knows to have been issued and have not received. This is
* provided for future use and the associated mechanism is not defined in
* this version of this standard.
*
* @param encryptionKey: if present, is used to provide a key that is to
* be used to encrypt at least one response to this SPDU. The SDEE
* specification is expected to specify which response SPDUs are to be
* encrypted with this key. One possible use of this key to encrypt a
* response is specified in 6.3.35, 6.3.37, and 6.3.34. An encryptionKey
* field of type symmetric should only be used if the SignedData containing
* this field is securely encrypted by some means.
* @param inlineP2pcdRequest: if present, is used by the SDS to request
* unknown certificates per the inline peer-to-peer certificate distribution
* mechanism is given in Clause 8. This field shall only be present if
* p2pcdLearningRequest is not present. The HashedId3 is calculated with the
* whole-certificate hash algorithm, determined as described in 6.4.3, applied
* to the COER-encoded certificate, canonicalized as defined in the definition
* of Certificate.
* @param requestedCertificate: if present, is used by the SDS to provide
* certificates per the "inline" version of the peer-to-peer certificate
* distribution mechanism given in Clause 8.
*
* @param pduFunctionalType: if present, is used to indicate that the SPDU is
* to be consumed by a process other than an application process as defined
* in ISO 21177 [B14a]. See 6.3.23b for more details.
*
* @param contributedExtensions: if present, is used to contain additional
* extensions defined using the ContributedExtensionBlocks structure.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to the EncryptionKey. If encryptionKey is present, and indicates
* the choice public, and contains a BasePublicEncryptionKey that is an
* elliptic curve point (i.e., of type EccP256CurvePoint or
* EccP384CurvePoint), then the elliptic curve point is encoded in compressed
* form, i.e., such that the choice indicated within the Ecc*CurvePoint is
* compressed-y-0 or compressed-y-1.
* The canonicalization does not apply to any fields after the extension
* marker, including any fields in contributedExtensions.
HeaderInfo ::= SEQUENCE {
psid Psid,
generationTime Time64 OPTIONAL,
expiryTime Time64 OPTIONAL,
generationLocation ThreeDLocation OPTIONAL,
p2pcdLearningRequest HashedId3 OPTIONAL,
missingCrlIdentifier MissingCrlIdentifier OPTIONAL,
encryptionKey EncryptionKey OPTIONAL,
...,
inlineP2pcdRequest SequenceOfHashedId3 OPTIONAL,
requestedCertificate Certificate OPTIONAL,
pduFunctionalType PduFunctionalType OPTIONAL,
contributedExtensions ContributedExtensionBlocks OPTIONAL
}
/**
* @brief This structure may be used to request a CRL that the SSME knows to
* have been issued and has not yet received. It is provided for future use
* and its use is not defined in this version of this standard.
*
* @param cracaId: is the HashedId3 of the CRACA, as defined in 5.1.3. The
* HashedId3 is calculated with the whole-certificate hash algorithm,
* determined as described in 6.4.3, applied to the COER-encoded certificate,
* canonicalized as defined in the definition of Certificate.
* @param crlSeries: is the requested CRL Series value. See 5.1.3 for more
* information.
*/
MissingCrlIdentifier ::= SEQUENCE {
cracaId HashedId3,
crlSeries CrlSeries,
...
}
* @brief This data structure identifies the functional entity that is
* intended to consume an SPDU, for the case where that functional entity is
* not an application process, and are instead security support services for an
* application process. Further details and the intended use of this field are
* defined in ISO 21177 [B20].
*
* @param tlsHandshake: indicates that the Signed SPDU is not to be directly
* consumed as an application PDU and is to be used to provide information
* about the holders permissions to a Transport Layer Security (TLS)
* (IETF 5246 [B15], IETF 8446 [B16]) handshake process operating to secure
* communications to an application process. See IETF [B15] and ISO 21177
* [B20] for further information.
*
* @param iso21177ExtendedAuth: indicates that the Signed SPDU is not to be
* directly consumed as an application PDU and is to be used to provide
* additional information about the holders permissions to the ISO 21177
* Security Subsystem for an application process. See ISO 21177 [B20] for
* further information.
*
* @param iso21177SessionExtension: indicates that the Signed SPDU is not to
* be directly consumed as an application PDU and is to be used to extend an
* existing ISO 21177 secure session. This enables a secure session to
* persist beyond the lifetime of the certificates used to establish that
* session.
PduFunctionalType ::= INTEGER (0..255)
tlsHandshake PduFunctionalType ::= 1
iso21177ExtendedAuth PduFunctionalType ::= 2
iso21177SessionExtension PduFunctionalType ::= 3
* @brief This type is used for clarity of definitions.
ContributedExtensionBlocks ::= SEQUENCE (SIZE(1..MAX)) OF
ContributedExtensionBlock
* @brief This data structure defines the format of an extension block
* provided by an identified contributor by using the temnplate provided
* in the class IEEE1609DOT2-HEADERINFO-CONTRIBUTED-EXTENSION constraint
* to the objects in the set Ieee1609Dot2HeaderInfoContributedExtensions.
*
* @param contributorId: uniquely identifies the contributor.
* @param extns: contains a list of extensions from that contributor.
* Extensions are expected and not required to follow the format specified
* in 6.5.
ContributedExtensionBlock ::= SEQUENCE {
contributorId IEEE1609DOT2-HEADERINFO-CONTRIBUTED-EXTENSION.&id({
Ieee1609Dot2HeaderInfoContributedExtensions
}),
extns SEQUENCE (SIZE(1..MAX)) OF
IEEE1609DOT2-HEADERINFO-CONTRIBUTED-EXTENSION.&Extn({
Ieee1609Dot2HeaderInfoContributedExtensions
}{@.contributorId})
* @brief This Information Object Class defines the class that provides a
* template for defining extension blocks.
IEEE1609DOT2-HEADERINFO-CONTRIBUTED-EXTENSION ::= CLASS {
&id HeaderInfoContributorId UNIQUE,
&Extn
} WITH SYNTAX {&Extn IDENTIFIED BY &id}
* @brief This structure is an ASN.1 Information Object Set listing the
* defined contributed extension types and the associated
* HeaderInfoContributorId values. In this version of this standard two
* extension types are defined: Ieee1609ContributedHeaderInfoExtension and
* EtsiOriginatingHeaderInfoExtension.
Ieee1609Dot2HeaderInfoContributedExtensions
IEEE1609DOT2-HEADERINFO-CONTRIBUTED-EXTENSION ::= {
{Ieee1609ContributedHeaderInfoExtension IDENTIFIED BY
ieee1609HeaderInfoContributorId} |
{EtsiOriginatingHeaderInfoExtension IDENTIFIED BY
etsiHeaderInfoContributorId},
...
}
* @brief This is an integer used to identify a HeaderInfo extension
* contributing organization. In this version of this standard two values are
* defined:
* - ieee1609OriginatingExtensionId indicating extensions originating with
* IEEE 1609.
* - etsiOriginatingExtensionId indicating extensions originating with
* ETSI TC ITS.
HeaderInfoContributorId ::= INTEGER (0..255)
ieee1609HeaderInfoContributorId HeaderInfoContributorId ::= 1
etsiHeaderInfoContributorId HeaderInfoContributorId ::= 2
/**
* @brief This structure allows the recipient of data to determine which
* keying material to use to authenticate the data. It also indicates the
* verification type to be used to generate the hash for verification, as
* @param digest: If the choice indicated is digest:
* - The structure contains the HashedId8 of the relevant certificate. The
* HashedId8 is calculated with the whole-certificate hash algorithm,
* determined as described in 6.4.3.
* - The verification type is certificate and the certificate data
* passed to the hash function as specified in 5.3.1 is the authorization
* @param certificate: If the choice indicated is certificate:
* - The structure contains one or more Certificate structures, in order
* such that the first certificate is the authorization certificate and each
* subsequent certificate is the issuer of the one before it.
* - The verification type is certificate and the certificate data
* passed to the hash function as specified in 5.3.1 is the authorization
* @param self: If the choice indicated is self:
* - The structure does not contain any data beyond the indication that
* the choice value is self.
* - The verification type is self-signed.
* @note Critical information fields:
* - If present, this is a critical information field as defined in 5.2.6.
* An implementation that does not recognize the CHOICE value for this type
* when verifying a signed SPDU shall indicate that the signed SPDU is invalid.
* - If present, certificate is a critical information field as defined in
* 5.2.6. An implementation that does not support the number of certificates
* in certificate when verifying a signed SPDU shall indicate that the signed
* SPDU is invalid. A compliant implementation shall support certificate
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
* fields containing at least one certificate.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to every Certificate in the certificate field.
*/
SignerIdentifier ::= CHOICE {
digest HashedId8,
certificate SequenceOfCertificate,
self NULL,
...
}
/**
* @brief This data structure is used to perform a countersignature over an
* already-signed SPDU. This is the profile of an Ieee1609Dot2Data containing
* a signedData. The tbsData within content is composed of a payload
* containing the hash (extDataHash) of the externally generated, pre-signed
* SPDU over which the countersignature is performed.
*/
Countersignature ::= Ieee1609Dot2Data (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data ABSENT,
extDataHash PRESENT
}),
headerInfo(WITH COMPONENTS {...,
generationTime PRESENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
--***************************************************************************--
-- Encrypted Data --
--***************************************************************************--
/**
* @brief This data structure encodes data that has been encrypted to one or
* more recipients using the recipients public or symmetric keys as
* @param recipients: contains one or more RecipientInfos. These entries may
* be more than one RecipientInfo, and more than one type of RecipientInfo,
* as long as all entries are indicating or containing the same data encryption
* @param ciphertext: contains the encrypted data. This is the encryption of
* an encoded Ieee1609Dot2Data structure as specified in 5.3.4.2.
*
* @note Critical information fields:
* - If present, recipients is a critical information field as defined in
* 5.2.6. An implementation that does not support the number of RecipientInfo
* in recipients when decrypted shall indicate that the encrypted SPDU could
* not be decrypted due to unsupported critical information fields. A
* compliant implementation shall support recipients fields containing at
* least eight entries.
*
* @note If the plaintext is raw data, i.e., it has not been output from a
* previous operation of the SDS, then it is trivial to encapsulate it in an
* Ieee1609Dot2Data of type unsecuredData as noted in 4.2.2.2.2. For example,
* '03 80 08 01 23 45 67 89 AB CD EF' is the C-OER encoding of '01 23 45 67
* 89 AB CD EF' encapsulated in an Ieee1609Dot2Data of type unsecuredData.
* The first byte of the encoding 03 is the protocolVersion, the second byte
* 80 indicates the choice unsecuredData, and the third byte 08 is the length
* of the raw data '01 23 45 67 89 AB CD EF'.
EncryptedData ::= SEQUENCE {
recipients SequenceOfRecipientInfo,
ciphertext SymmetricCiphertext
}
/**
* @brief This data structure is used to transfer the data encryption key to
* an individual recipient of an EncryptedData. The option pskRecipInfo is
* selected if the EncryptedData was encrypted using the static encryption
* key approach specified in 5.3.4. The other options are selected if the
* EncryptedData was encrypted using the ephemeral encryption key approach
* specified in 5.3.4. The meanings of the choices are:
* See Annex C.7 for guidance on when it may be appropriate to use
* each of these approaches.
*
* @param pskRecipInfo: The data was encrypted directly using a pre-shared
* symmetric key.
*
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
* @param symmRecipInfo: The data was encrypted with a data encryption key,
* and the data encryption key was encrypted using a symmetric key.
*
* @param certRecipInfo: The data was encrypted with a data encryption key,
* the data encryption key was encrypted using a public key encryption scheme,
* where the public encryption key was obtained from a certificate. In this
* case, the parameter P1 to ECIES as defined in 5.3.5 is the hash of the
* certificate, calculated with the whole-certificate hash algorithm,
* determined as described in 6.4.3, applied to the COER-encoded certificate,
* canonicalized as defined in the definition of Certificate.
*
* @note If the encryption algorithm is SM2, there is no equivalent of the
* parameter P1 and so no input to the encryption process that uses the hash
* of the certificate.
*
* @param signedDataRecipInfo: The data was encrypted with a data encryption
* key, the data encryption key was encrypted using a public key encryption
* scheme, where the public encryption key was obtained as the public response
* encryption key from a SignedData. In this case, if ECIES is the encryption
* algorithm, then the parameter P1 to ECIES as defined in 5.3.5 is the
* SHA-256 hash of the Ieee1609Dot2Data of type signedData containing the
* response encryption key, canonicalized as defined in the definition of
* Ieee1609Dot2Data.
*
* @note If the encryption algorithm is SM2, there is no equivalent of the
* parameter P1 and so no input to the encryption process that uses the hash
* of the Ieee1609Dot2Data.
*
* @param rekRecipInfo: The data was encrypted with a data encryption key,
* the data encryption key was encrypted using a public key encryption scheme,
* where the public encryption key was not obtained from a Signed-Data or a
* certificate. In this case, the SDEE specification is expected to specify
* how the public key is obtained, and if ECIES is the encryption algorithm,
* then the parameter P1 to ECIES as defined in 5.3.5 is the hash of the
* empty string.
*
* @note If the encryption algorithm is SM2, there is no equivalent of the
* parameter P1 and so no input to the encryption process that uses the hash
* of the empty string.
*
* @note The material input to encryption is the bytes of the encryption key
* with no headers, encapsulation, or length indication. Contrast this to
* encryption of data, where the data is encapsulated in an Ieee1609Dot2Data.
RecipientInfo ::= CHOICE {
pskRecipInfo PreSharedKeyRecipientInfo,
symmRecipInfo SymmRecipientInfo,
certRecipInfo PKRecipientInfo,
signedDataRecipInfo PKRecipientInfo,
rekRecipInfo PKRecipientInfo
}
* @brief This type is used for clarity of definitions.
*/
SequenceOfRecipientInfo ::= SEQUENCE OF RecipientInfo
/**
* @brief This data structure is used to indicate a symmetric key that may
* be used directly to decrypt a SymmetricCiphertext. It consists of the
* low-order 8 bytes of the hash of the COER encoding of a
* SymmetricEncryptionKey structure containing the symmetric key in question.
* The HashedId8 is calculated with the hash algorithm determined as
* specified in 5.3.9.3. The symmetric key may be established by any
* appropriate means agreed by the two parties to the exchange.
* @brief This data structure contains the following fields:
*
* @param recipientId: contains the hash of the symmetric key encryption key
* that may be used to decrypt the data encryption key. It consists of the
* low-order 8 bytes of the hash of the COER encoding of a
* SymmetricEncryptionKey structure containing the symmetric key in question.
* The HashedId8 is calculated with the hash algorithm determined as
* specified in 5.3.9.4. The symmetric key may be established by any
* appropriate means agreed by the two parties to the exchange.
*
* @param encKey: contains the encrypted data encryption key within a
* SymmetricCiphertext, where the data encryption key is input to the data
* encryption key encryption process with no headers, encapsulation, or
* length indication.
SymmRecipientInfo ::= SEQUENCE {
recipientId HashedId8,
encKey SymmetricCiphertext
}
* @brief This data structure contains the following fields:
*
* @param recipientId: contains the hash of the container for the encryption
* public key as specified in the definition of RecipientInfo. Specifically,
* depending on the choice indicated by the containing RecipientInfo structure:
* - If the containing RecipientInfo structure indicates certRecipInfo,
* this field contains the HashedId8 of the certificate. The HashedId8 is
* calculated with the whole-certificate hash algorithm, determined as
* described in 6.4.3, applied to the COER-encoded certificate, canonicalized
* as defined in the definition of Certificate.
* - If the containing RecipientInfo structure indicates
* signedDataRecipInfo, this field contains the HashedId8 of the
* Ieee1609Dot2Data of type signedData that contained the encryption key,
* with that Ieee1609Dot2Data canonicalized per 6.3.4. The HashedId8 is
* calculated with the hash algorithm determined as specified in 5.3.9.5.
* - If the containing RecipientInfo structure indicates rekRecipInfo, this
* field contains the HashedId8 of the COER encoding of a PublicEncryptionKey
* structure containing the response encryption key. The HashedId8 is
* calculated with the hash algorithm determined as specified in 5.3.9.5.
*
* @param encKey: contains the encrypted data encryption key, where the data
* encryption key is input to the data encryption key encryption process with
* no headers, encapsulation, or length indication.
PKRecipientInfo ::= SEQUENCE {
recipientId HashedId8,
encKey EncryptedDataEncryptionKey
}
/**
* @brief This data structure contains an encrypted data encryption key,
* where the data encryption key is input to the data encryption key
* encryption process with no headers, encapsulation, or length indication.
* Critical information fields: If present and applicable to
* the receiving SDEE, this is a critical information field as defined in
* 5.2.6. If an implementation receives an encrypted SPDU and determines that
* one or more RecipientInfo fields are relevant to it, and if all of those
* RecipientInfos contain an EncryptedDataEncryptionKey such that the
* implementation does not recognize the indicated CHOICE, the implementation
* shall indicate that the encrypted SPDU is not decryptable.
*/
EncryptedDataEncryptionKey ::= CHOICE {
eciesNistP256 EciesP256EncryptedKey,
eciesBrainpoolP256r1 EciesP256EncryptedKey,
...,
ecencSm2256 EcencP256EncryptedKey
}
* @brief This data structure encapsulates a ciphertext generated with an
* @note Critical information fields: If present, this is a critical
* information field as defined in 5.2.6. An implementation that does not
* recognize the indicated CHOICE value for this type in an encrypted SPDU
* shall indicate that the signed SPDU is invalid in the sense of 4.2.2.3.2,
* that is, it is invalid in the sense that its validity cannot be established.
SymmetricCiphertext ::= CHOICE {
aes128ccm One28BitCcmCiphertext,
...,
sm4Ccm One28BitCcmCiphertext
}
/**
* @brief This data structure encapsulates an encrypted ciphertext for any
* symmetric algorithm with 128-bit blocks in CCM mode. The ciphertext is
* 16 bytes longer than the corresponding plaintext due to the inclusion of
* the message authentication code (MAC). The plaintext resulting from a
* correct decryption of the ciphertext is either a COER-encoded
* Ieee1609Dot2Data structure (see 6.3.41), or a 16-byte symmetric key
* (see 6.3.44).
* The ciphertext is 16 bytes longer than the corresponding plaintext.
* The plaintext resulting from a correct decryption of the
* ciphertext is a COER-encoded Ieee1609Dot2Data structure.
*
* @param nonce: contains the nonce N as specified in 5.3.8.
*
* @param ccmCiphertext: contains the ciphertext C as specified in 5.3.8.
* @note In the name of this structure, "One28" indicates that the
* symmetric cipher block size is 128 bits. It happens to also be the case
* that the keys used for both AES-128-CCM and SM4-CCM are also 128 bits long.
* This is, however, not what One28 refers to. Since the cipher is used in
* counter mode, i.e., as a stream cipher, the fact that that block size is 128
* bits affects only the size of the MAC and does not affect the size of the
* raw ciphertext.
One28BitCcmCiphertext ::= SEQUENCE {
nonce OCTET STRING (SIZE (12)),
ccmCiphertext Opaque
}
/**
* @brief This type is defined only for backwards compatibility.
--***************************************************************************--
-- Certificates and other Security Management --
--***************************************************************************--
* @brief This structure is a profile of the structure CertificateBase which
* specifies the valid combinations of fields to transmit implicit and
* explicit certificates.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to the CertificateBase.
Certificate ::=
CertificateBase (ImplicitCertificate | ExplicitCertificate)
* @brief This type is used for clarity of definitions.
*/
* @brief The fields in this structure have the following meaning:
*
* @param version: contains the version of the certificate format. In this
* version of the data structures, this field is set to 3.
*
* @param type: states whether the certificate is implicit or explicit. This
* field is set to explicit for explicit certificates and to implicit for
* implicit certificates. See ExplicitCertificate and ImplicitCertificate for
* more details.
*
* @param issuer: identifies the issuer of the certificate.
* @param toBeSigned: is the certificate contents. This field is an input to
* the hash when generating or verifying signatures for an explicit
* certificate, or generating or verifying the public key from the
* reconstruction value for an implicit certificate. The details of how this
* field are encoded are given in the description of the
* ToBeSignedCertificate type.
*
* @param signature: is included in an ExplicitCertificate. It is the
* signature, calculated by the signer identified in the issuer field, over
* the hash of toBeSigned. The hash is calculated as specified in 5.3.1, where:
* - Data input is the encoding of toBeSigned following the COER.
* - Signer identifier input depends on the verification type, which in
* turn depends on the choice indicated by issuer. If the choice indicated by
* issuer is self, the verification type is self-signed and the signer
* identifier input is the empty string. If the choice indicated by issuer is
* not self, the verification type is certificate and the signer identifier
* input is the canonicalized COER encoding of the certificate indicated by
* issuer. The canonicalization is carried out as specified in the
* Canonicalization section of this subclause.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to the ToBeSignedCertificate and to the Signature.
*
* @note Whole-certificate hash: If the entirety of a certificate is hashed
* to calculate a HashedId3, HashedId8, or HashedId10, the algorithm used for
* this purpose is known as the whole-certificate hash. The method used to
* determine the whole-certificate hash algorithm is specified in 5.3.9.2.
CertificateBase ::= SEQUENCE {
version Uint8(3),
type CertificateType,
issuer IssuerIdentifier,
toBeSigned ToBeSignedCertificate,
signature Signature OPTIONAL
}
* @brief This enumerated type indicates whether a certificate is explicit or
* implicit.
*
* @note Critical information fields: If present, this is a critical
* information field as defined in 5.2.5. An implementation that does not
* recognize the indicated CHOICE for this type when verifying a signed SPDU
* shall indicate that the signed SPDU is invalid in the sense of 4.2.2.3.2,
* that is, it is invalid in the sense that its validity cannot be
* established.
*/
CertificateType ::= ENUMERATED {
explicit,
implicit,
...
}
* @brief This is a profile of the CertificateBase structure providing all
* the fields necessary for an implicit certificate, and no others.
*/
ImplicitCertificate ::= CertificateBase (WITH COMPONENTS {...,
type(implicit),
toBeSigned(WITH COMPONENTS {...,
verifyKeyIndicator(WITH COMPONENTS {reconstructionValue})
}),
signature ABSENT
})
* @brief This is a profile of the CertificateBase structure providing all
* the fields necessary for an explicit certificate, and no others.
*/
ExplicitCertificate ::= CertificateBase (WITH COMPONENTS {...,
type(explicit),
toBeSigned (WITH COMPONENTS {...,
verifyKeyIndicator(WITH COMPONENTS {verificationKey})
}),
signature PRESENT
})
* @brief This structure allows the recipient of a certificate to determine
* which keying material to use to authenticate the certificate.
*
* If the choice indicated is sha256AndDigest, sha384AndDigest, or
* sm3AndDigest:
* - The structure contains the HashedId8 of the issuing certificate. The
* HashedId8 is calculated with the whole-certificate hash algorithm,
* determined as described in 6.4.3, applied to the COER-encoded certificate,
* canonicalized as defined in the definition of Certificate.
* - The hash algorithm to be used to generate the hash of the certificate
* for verification is SHA-256 (in the case of sha256AndDigest), SM3 (in the
* case of sm3AndDigest) or SHA-384 (in the case of sha384AndDigest).
* - The certificate is to be verified with the public key of the
* indicated issuing certificate.
*
* If the choice indicated is self:
* - The structure indicates what hash algorithm is to be used to generate
* the hash of the certificate for verification.
* - The certificate is to be verified with the public key indicated by
* the verifyKeyIndicator field in theToBeSignedCertificate.
* @note Critical information fields: If present, this is a critical
* information field as defined in 5.2.5. An implementation that does not
* recognize the indicated CHOICE for this type when verifying a signed SPDU
* shall indicate that the signed SPDU is invalid in the sense of 4.2.2.3.2,
* that is, it is invalid in the sense that its validity cannot be
* established.
IssuerIdentifier ::= CHOICE {
sha256AndDigest HashedId8,
self HashAlgorithm,
...,
sha384AndDigest HashedId8,
sm3AndDigest HashedId8
}
* @brief The fields in the ToBeSignedCertificate structure have the
* following meaning:
*
* For both implicit and explicit certificates, when the certificate
* is hashed to create or recover the public key (in the case of an implicit
* certificate) or to generate or verify the signature (in the case of an
* explicit certificate), the hash is Hash (Data input) || Hash (
* Signer identifier input), where:
* - Data input is the COER encoding of toBeSigned, canonicalized
* as described above.
* - Signer identifier input depends on the verification type,
* which in turn depends on the choice indicated by issuer. If the choice
* indicated by issuer is self, the verification type is self-signed and the
* signer identifier input is the empty string. If the choice indicated by
* issuer is not self, the verification type is certificate and the signer
* identifier input is the COER encoding of the canonicalization per 6.4.3 of
*
* In other words, for implicit certificates, the value H (CertU) in SEC 4,
* section 3, is for purposes of this standard taken to be H [H
* (canonicalized ToBeSignedCertificate from the subordinate certificate) ||
* H (entirety of issuer Certificate)]. See 5.3.2 for further discussion,
* including material differences between this standard and SEC 4 regarding
* how the hash function output is converted from a bit string to an integer.
*
* @param id: contains information that is used to identify the certificate
* holder if necessary.
*
* @param cracaId: identifies the Certificate Revocation Authorization CA
* (CRACA) responsible for certificate revocation lists (CRLs) on which this
* certificate might appear. Use of the cracaId is specified in 5.1.3. The
* HashedId3 is calculated with the whole-certificate hash algorithm,
* determined as described in 6.4.3, applied to the COER-encoded certificate,
* canonicalized as defined in the definition of Certificate.
* @param crlSeries: represents the CRL series relevant to a particular
* Certificate Revocation Authorization CA (CRACA) on which the certificate
* might appear. Use of this field is specified in 5.1.3.
* @param validityPeriod: contains the validity period of the certificate.
* @param region: if present, indicates the validity region of the
* certificate. If it is omitted the validity region is indicated as follows:
* - If enclosing certificate is self-signed, i.e., the choice indicated
* by the issuer field in the enclosing certificate structure is self, the
* certificate is valid worldwide.
* - Otherwise, the certificate has the same validity region as the
* certificate that issued it.
* @param assuranceLevel: indicates the assurance level of the certificate
* @param appPermissions: indicates the permissions that the certificate
* holder has to sign application data with this certificate. A valid
* instance of appPermissions contains any particular Psid value in at most
* @param certIssuePermissions: indicates the permissions that the certificate
* holder has to sign certificates with this certificate. A valid instance of
* this array contains no more than one entry whose psidSspRange field
* indicates all. If the array has multiple entries and one entry has its
* psidSspRange field indicate all, then the entry indicating all specifies
* the permissions for all PSIDs other than the ones explicitly specified in
* the other entries. See the description of PsidGroupPermissions for further