PKCS 7 PKCS10 PKCS12 个人信息交换语法 - 学习记录 2020/8/30

研一


PKCS 7

PKCS7 是加密信息传输语法标准,根据不同应用场景定义了 5 种不同的数据类型。以下是 RSA 实验室定义的部分 ASN.1 语法,并不完整,所以不要当标准用!完整定义请以 RFC 2315(PKCS #7 v1.5)为准。

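-- 0. ContentInfo --
-- Outer wrapper of every PKCS #7 object. contentType is an OID that selects
-- how the bytes in content are to be decoded (ANY DEFINED BY contentType).
-- NOTE(review): the OID is sender-supplied, so a decoder should dispatch only
-- on the content types it expects and reject the rest.
ContentInfo ::= SEQUENCE {
	contentType ContentType,
	content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

ContentType ::= OBJECT IDENTIFIER

-- 1. Data --
-- Plain octets with no cryptographic protection of their own.
Data ::= OCTET STRING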

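-- 2. SignedData --
-- Content plus zero or more signatures over it.
SignedData ::= SEQUENCE {
	version Version,
	-- digest algorithms used by the signers listed in signerInfos
	digestAlgorithms DigestAlgorithmIdentifiers,
	-- the content that is signed
	contentInfo ContentInfo,
	-- Certificates and CRLs shipped with the message. They are sender-supplied
	-- and unsigned at this level: a verifier still has to build and validate
	-- the chain against its own trust anchors.
	certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
	crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
	signerInfos SignerInfos
}

DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
SignerInfos ::= SET OF SignerInfo

-- One signer's signature over the content.
SignerInfo ::= SEQUENCE {
	-- shall be 1 in PKCS #7 v1.5; the field is mandatory, it has no DEFAULT
	version Version,
	-- identifies the signer's certificate by issuer name and serial number
	issuerAndSerialNumber IssuerAndSerialNumber,
	digestAlgorithm DigestAlgorithmIdentifier,
	-- When present, the signature is computed over the DER encoding of these
	-- attributes (RFC 2315, section 9.3), which then must carry the content
	-- type and the message digest of the content.
	authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
	digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
	encryptedDigest EncryptedDigest,
	-- NOT covered by the signature: anyone can add, change or strip these
	-- without invalidating it, so they must not drive security decisions.
	unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}
Attributes ::= SET OF Attribute
-- EncodedObjectID and AttributeSetValue are not defined in this excerpt.
Attribute ::= SEQUENCE {
	type EncodedObjectID,
	values AttributeSetValue
}

-- Signer's private-key operation applied to the DER encoding of DigestInfo.
EncryptedDigest ::= OCTET STRING
DigestInfo ::= SEQUENCE {
	digestAlgorithm DigestAlgorithmIdentifier,
	digest Digest
}
Digest ::= OCTET STRING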

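-- 3. Enveloped data --
-- Content encrypted under a content-encryption key, with that key encrypted
-- separately for each recipient. The structure has no signer or MAC field,
-- so it gives confidentiality only: it does not authenticate the sender and
-- does not by itself detect modification of the ciphertext.
EnvelopedData ::= SEQUENCE {
	version Version, -- shall be 0; this is not an ASN.1 DEFAULT, the field is always encoded
	recipientInfos RecipientInfos,
	encryptedContentInfo EncryptedContentInfo
}

RecipientInfos ::= SET OF RecipientInfo
EncryptedContentInfo ::= SEQUENCE {
	contentType ContentType,
	contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
	-- OPTIONAL: the ciphertext may be omitted here and conveyed by other means
	encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL
}
EncryptedContent ::= OCTET STRING

-- Per-recipient copy of the content-encryption key.
RecipientInfo ::= SEQUENCE {
	version Version, -- shall be 0; this is not an ASN.1 DEFAULT, the field is always encoded
	-- identifies the recipient's certificate by issuer name and serial number
	issuerAndSerialNumber IssuerAndSerialNumber,
	keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
	-- content-encryption key encrypted under the recipient's public key
	encryptedKey EncryptedKey
}
EncryptedKey ::= OCTET STRING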

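-- 4. Signed and Enveloped Data --
-- Combines the fields of SignedData and EnvelopedData in a single structure.
-- NOTE(review): CMS (RFC 5652), the successor of PKCS #7, does not define
-- this content type; the same effect is obtained there by nesting SignedData
-- inside EnvelopedData, so new designs should not depend on it.
SignedAndEnvelopedData ::= SEQUENCE {
	version Version,
	recipientInfos RecipientInfos,
	digestAlgorithms DigestAlgorithmIdentifiers,
	encryptedContentInfo EncryptedContentInfo,
	-- sender-supplied certificates and CRLs; the verifier still validates the chain itself
	certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
	crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
	signerInfos SignerInfos
}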

-- 5. Digested Data --
-- Content together with a message digest of it. The structure carries no key
-- and no signer, so the digest can be recomputed by anyone who changes the
-- content: it helps against accidental corruption, not deliberate tampering.
DigestedData ::= SEQUENCE {
	version Version,
	digestAlgorithm DigestAlgorithmIdentifier,
	contentInfo ContentInfo,
	digest Digest
}

-- Same definition as the Digest given with DigestInfo in the SignedData part.
Digest ::= OCTET STRING

-- 6. Encrypted Data --
-- Encrypted content only. Unlike EnvelopedData there is no recipientInfos
-- field, so the key is not carried in the structure and has to be agreed or
-- derived by other means (PKCS #12 uses this type for password encryption).
EncryptedData ::= SEQUENCE {
	version Version,
	encryptedContentInfo EncryptedContentInfo
}

PKCS10

PKCS10 是认证请求语法标准,请求中包含需要被认证的公钥信息及其签名。以下是 RSA 实验室定义的部分 ASN.1 语法,并不完整,所以不要当标准用!完整定义请以 RFC 2986(PKCS #10 v1.7)为准。

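-- A certification request (CSR): the request body, the signature algorithm,
-- and the signature over the request body.
CertificationRequest ::= SEQUENCE {
	certificationRequestInfo CertificationRequestInfo,
	signatureAlgorithm AlgorithmIdentifier {{SignatureAlgorithm}},
	-- Signature over the DER encoding of certificationRequestInfo, made with
	-- the private key matching subjectPKInfo. Verifying it shows the requester
	-- holds that key; it says nothing about whether the subject name is true.
	signature BIT STRING
}

-- The part of the request that is signed.
CertificationRequestInfo ::= SEQUENCE {
	version INTEGER {v1(0)} (v1, ...),
	-- name the requester asks to be certified under
	subject Name,
	subjectPKInfo SubjectPublicKeyInfo {{PKInfoAlgorithms}},
	-- Requester-chosen attributes. NOTE(review): like subject, these are
	-- claims by the requester; a CA is expected to check them against its own
	-- policy before copying anything into the issued certificate.
	attributes [0] Attributes {{CRIAttributes}}
}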

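-- Public key plus the algorithm it is used with; IOSet is the set of
-- algorithms the application accepts.
SubjectPublicKeyInfo {ALGORITHM : IOSet} ::= SEQUENCE {
	algorithm AlgorithmIdentifier {{IOSet}},
	subjectPublicKey BIT STRING
}
PKInfoAlgorithms ALGORITHM ::= {
	... -- add any locally defined algorithms here --
}
Attributes {ATTRIBUTE : IOSet} ::= SET OF Attribute {{IOSet}}
CRIAttributes ATTRIBUTE ::= {
	... -- add any locally defined attributes here --
}
-- type selects, through the table constraint on IOSet, the ASN.1 type that
-- every element of values must have.
Attribute {ATTRIBUTE : IOSet} ::= SEQUENCE {
	type ATTRIBUTE.&id({IOSet}),
	values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}
-- algorithm selects, through the table constraint on IOSet, the type of the
-- optional parameters field.
AlgorithmIdentifier {ALGORITHM : IOSet} ::= SEQUENCE {
	algorithm ALGORITHM.&id({IOSet}),
	parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}
SignatureAlgorithm ALGORITHM ::= {... -- add any locally defined algorithms here -- }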

PKCS12 个人信息交换语法

本标准描述了个人身份标识信息的传递语法,包括私钥、证书、各种形式的秘密值及其扩展。

-- Top-level PKCS #12 container.
PFX ::= SEQUENCE {
	version INTEGER {v3(3)}(v3,...),
	-- ContentInfo that wraps the AuthenticatedSafe
	authSafe ContentInfo,
	-- OPTIONAL integrity value. NOTE(review): when it is absent and authSafe
	-- is not signed either, nothing in the structure detects modification of
	-- the file; confirm which integrity mode the producer used.
	macData MacData OPTIONAL
}

-- MAC over the contents, with the salt and iteration count used for the
-- derivation of the MAC key.
MacData ::= SEQUENCE {
	mac DigestInfo,
	macSalt OCTET STRING,
	-- RFC 7292 keeps DEFAULT 1 for historical reasons only and deprecates its
	-- use. A small count makes guessing the password cheap, so writers should
	-- encode a large explicit value and readers may want to flag small ones.
	iterations INTEGER DEFAULT 1
}
-- Each element holds a SafeContents wrapped in one of these content types:
AuthenticatedSafe ::= SEQUENCE OF ContentInfo
	-- Data if unencrypted
	-- EncryptedData if encrypted (see the EncryptedData type above)
	-- EnvelopedData if encrypted for recipients (see the EnvelopedData type above)
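SafeContents ::= SEQUENCE OF SafeBag
-- One item (key, certificate, CRL, secret or nested SafeContents).
-- bagId selects, through the table constraint on PKCS12BagSet, the type that
-- bagValue must have.
SafeBag ::= SEQUENCE {
	bagId BAG-TYPE.&id({PKCS12BagSet}),
	bagValue [0] EXPLICIT BAG-TYPE.&Type({PKCS12BagSet}{@bagId}),
	-- PKCS12Attribute is not defined in this excerpt
	bagAttributes SET OF PKCS12Attribute OPTIONAL
}
PKCS12AttrSet ATTRIBUTE ::= {
	friendlyName | -- from PKCS #9
	localKeyId, -- from PKCS #9
	... -- add any attributes here
}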

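-- OID arc under which the six bag types are registered.
bagtypes OBJECT IDENTIFIER ::= {pkcs-12 10 1}

-- Each information object binds a bag content type to its OID.
keyBag BAG-TYPE ::= {KeyBag IDENTIFIED BY {bagtypes 1}}
pkcs8ShroudedKeyBag BAG-TYPE ::= {PKCS8ShroudedKeyBag IDENTIFIED BY {bagtypes 2}}
certBag BAG-TYPE ::= {CertBag IDENTIFIED BY {bagtypes 3}}
crlBag BAG-TYPE ::= {CRLBag IDENTIFIED BY {bagtypes 4}}
secretBag BAG-TYPE ::= {SecretBag IDENTIFIED BY {bagtypes 5}}
safeContentsBag BAG-TYPE ::= {SafeContents IDENTIFIED BY {bagtypes 6}}

-- The set of bag types a SafeBag may carry; "..." leaves it extensible.
PKCS12BagSet BAG-TYPE ::= {
	keyBag |
	pkcs8ShroudedKeyBag |
	certBag |
	crlBag |
	secretBag |
	safeContentsBag,
	...
}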
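-- KeyBag is a plain PrivateKeyInfo: the key is NOT encrypted at bag level and
-- is protected only if the enclosing ContentInfo is EncryptedData or
-- EnvelopedData. PKCS8ShroudedKeyBag carries the key already encrypted.
KeyBag ::= PrivateKeyInfo
PKCS8ShroudedKeyBag ::= EncryptedPrivateKeyInfo
-- certId selects, through the table constraint on CertTypes, the type of certValue.
CertBag ::= SEQUENCE {
	certId BAG-TYPE.&id ({CertTypes}),
	certValue [0] EXPLICIT BAG-TYPE.&Type ({CertTypes}{@certId})
}
x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {certTypes 1}}
sdsiCertificate BAG-TYPE ::= {IA5String IDENTIFIED BY {certTypes 2}}
CertTypes BAG-TYPE ::= {
	x509Certificate |
	sdsiCertificate,
	...
}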
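-- crlId selects, through the table constraint on CRLTypes, the type of crlValue.
CRLBag ::= SEQUENCE {
	crlId BAG-TYPE.&id ({CRLTypes}),
	crlValue [0] EXPLICIT BAG-TYPE.&Type ({CRLTypes}{@crlId})
}
-- CRL types are registered under crlTypes, a separate arc from certTypes
-- (RFC 7292).
x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {crlTypes 1}}
CRLTypes BAG-TYPE ::= {
	x509CRL,
	...
}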
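-- Arbitrary user secret; secretTypeId selects, through the table constraint
-- on SecretTypes, the type of secretValue.
SecretBag ::= SEQUENCE {
	secretTypeId BAG-TYPE.&id ({SecretTypes}),
	secretValue [0] EXPLICIT BAG-TYPE.&Type ({SecretTypes}{@secretTypeId})
}
-- No secret types are predefined in this excerpt; the set is extensible.
SecretTypes BAG-TYPE ::= {
	...
}
-- SafeContents allows the recursive nesting of all other SafeBag types --
-- NOTE(review): a parser may want to cap the nesting depth it accepts.

-- Parameters of password-based encryption: salt and iteration count.
-- iterations has no DEFAULT here, so the value is always encoded; a small
-- count makes guessing the password cheap.
pkcs-12PbeParams ::= SEQUENCE {
	salt OCTET STRING,
	iterations INTEGER
}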