PKCS #15: Cryptographic Token Information Format Standard RSA Laboratories WORKING DRAFT- November 16, 1998 Editor's note: This is a working public draft of PKCS #15 v1.0, which is available for a 30-day public review. Please send comments and questions, both editorial and technical, to pkcs-editor@rsa.com or pkcs-tng@rsa.com Copyright (c) 1998 RSA Laboratories, a division of RSA Data Security, Inc. License to copy this document is granted provided that it is identified as "RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS)" in all material mentioning or referencing this document. 000-000000-000-000-000 Table of Contents 1 INTRODUCTION 2 REFERENCES AND RELATED DOCUMENTS 3 DEFINITIONS 4 SYMBOLS AND ABBREVIATIONS 5 GENERAL OVERVIEW 6 IC CARD FILE FORMAT 6.1 OVERVIEW 6.2 IC CARD REQUIREMENTS 6.3 GENERAL CHARACTERISTICS 6.3.1 Card Layout 6.3.2 Card File Structure 6.4 MF DIRECTORY CONTENTS 6.4.1 EF(DIR) 6.5 PKCS#15 APPLICATION DIRECTORY CONTENTS 6.5.1 EF(ODF) 6.5.2 Private Key Directory Files (PrKDFs) 6.5.3 Secret Key Directory Files (SKDFs) 6.5.4 Public Key Directory Files (PuKDFs) 6.5.5 Certificate Directory Files (CDFs) 6.5.6 Data Object Directory Files (DODFs) 6.5.7 Authentication Object Directory Files (AODFs) 6.5.8 EF(TokenInfo) 6.5.9 Other elementary files in the PKCS#15 directory 6.6 FILE IDENTIFIERS 6.7 PKCS#15 APPLICATION SELECTION 6.7.1 AID for the PKCS#15 application 7 INFORMATION FORMAT IN ASN.1 7.1 BASIC ASN.1 DEFINED TYPES 7.1.1 PKCS15Identifier 7.1.2 PKCS15Reference 7.1.3 PKCS15Label 7.1.4 PKCS15ReferencedValue and PKCS15Path 7.1.5 PKCS15ObjectValue 7.1.6 PKCS15PathOrObjects 7.1.7 PKCS15-ENCRYPTED and PKCS15-OPTIONALLY-SIGNED 7.1.8 PKCS15CommonObjectAttributes 7.1.9 PKCS15CommonKeyAttributes 7.1.10 PKCS15CommonPrivateKeyAttributes 7.1.11 PKCS15CommonSecretKeyAttributes 7.1.12 PKCS15CommonPublicKeyAttributes 7.1.13 PKCS15KeyInfo 7.1.14 PKCS15CommonCertificateAttributes 7.1.15 PKCS15CommonDataObjectAttributes 7.1.16 PKCS15CommonAuthenticationObjectAttributes 7.1.17 PKCS15Object 7.2 THE PKCS15ODF TYPE 7.3 THE PKCS15PRIVATEKEYS TYPE 7.3.1 Private RSA key objects 7.3.2 Private EC key objects 7.4 THE PKCS15SECRETKEYS TYPE 7.4.1 RC5 key objects 7.5 THE PKCS15PUBLICKEYS TYPE 7.6 THE PKCS15CERTIFICATES TYPE 7.6.1 X.509 Certificate Objects 7.6.2 X.509 Attribute Certificate Objects 7.7 THE PKCS15DATAOBJECTS TYPE 7.7.1 'Login' Data Objects 7.7.2 External data objects (IDOs) 7.8 THE PKCS15AUTHENTICATIONOBJECT TYPE 7.8.1 Pin Objects 7.9 THE PKCS#15 INFORMATION FILE, EF(TOKENINFO) 8 ASN.1 MODULE 9 REVISION HISTORY APPENDIX A: FILE ACCESS CONDITIONS (INFORMATIONAL) A.1 SCOPE A.2 BACKGROUND A.3 READ-ONLY AND READ-WRITE CARDS APPENDIX B: AN ELECTRONIC IDENTIFICATION PROFILE OF PKCS#15 B.1 PKCS#15 OBJECTS B.2 ACCESS CONTROL RULES APPENDIX C: EXAMPLES C.1 EXAMPLE OF EF(TOKENINFO) C.2 EXAMPLE OF A WHOLE PKCS15 APPLICATION C.2.1 EF(TokenInfo) C.2.2 EF(ODF) C.2.3 EF(PrKDF) C.2.4 EF(CDF) C.2.5 EF(AODF) C.2.6 EF(DODF) C.3 SOFTWARE EXAMPLE ABOUT PKCS 1 Introduction The purpose of this recommendation is to promote interoperability between applications, hosts and cryptographic tokens with respect to security-related information stored on tokens. For example, the holder of a token containing a digital certificate should be able to present the token to any application running on any host connected to any smart card reader and successfully use it to present the contained certificate to the application. In order to reach this purpose, a file and directory format for storing security-related information on cryptographic tokens (IC Cards, memory cards, files, etc) is specified. The format builds on the PKCS#11 standard. 2 References and related documents * ISO/IEC 7816-4 Identification Cards - Integrated Circuit(s) cards with contacts - Part 4: Interindustry commands for interchange. * ISO/IEC 7816-5 Identification Cards - Integrated Circuit(s) cards with contacts - Part 5: Numbering system and registration procedure for application identifiers. * ISO/IEC 7816-6 Identification Cards - Integrated Circuit(s) cards with contacts - Part 6: Inter-industry data elements * FCD ISO/IEC 7816-8 Identification Cards - Integrated Circuit(s) cards with contacts - Part 8: Security related interindustry commands * ISO/IEC 8824-1 Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation * ISO/IEC 8824-2 Information technology - Abstract Syntax Notation One (ASN.1): Information object specification * ISO/IEC 8824-3 Information technology - Abstract Syntax Notation One (ASN.1): Constraint specification * ISO/IEC 8824-4 Information technology - Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications * ISO/IEC 8825-1 Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) * ISO/IEC 8825-2 Information technology - ASN.1 encoding rules - Specification of Packed Encoding Rules (PER) * ISO/IEC 9594-2 Information technology - Open Systems Interconnection - The Directory: Models * ISO/IEC 9594-6 Information technology - Open Systems Interconnection - The Directory: Selected attribute types * ISO/IEC 9594-8 Information technology - Open Systems Interconnection - The Directory: Authentication framework * RSA Laboratories PKCS #1: RSA Encryption Standard * RSA Laboratories PKCS #3: Diffie-Hellman Key-Agreement Standard * RSA Laboratories PKCS #5: Password-Based Encryption Standard * RSA Laboratories PKCS #8: Private Key Information Syntax Standard * RSA Laboratories PKCS #11: Cryptographic Token Interface Standard * RSA Laboratories PKCS #12: Personal Information Exchange Syntax Standard * IETF RFC 2279: "UTF-8, a transformation format of ISO 10646", F. Yergeau. * IETF RFC 2396: "Uniform Resource Identifiers (URI): Generic Syntax.", T. Berners-Lee, R. Fielding, L. Masinter * IETF RFC 2XXX: "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", D. Solo, Housley, W. Ford, T. Polk * ANSI X3.4: Information Systems - Coded Character Sets - 7-Bit American National Standard Code for Information Interchange (7-Bit ASCII) * ANSI X9.42: Public Key Cryptography for The Financial Service Industry: Agreement of Symmetric Keys on Using Diffie-Hellman and MQV Algorithms * ANSI X9.62: Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) 3 Definitions AID: Application Identifier. A data element that identifies an application in a card. An application identifier may contain a registered application provider number in which case it is a unique identification for the application. If it contains no application provider number, then this identification may be ambiguous. ALW: Always. Access condition indicating a given function is always accessible. ANSI: American National Standards Institute. An American standards body. APDU: Application protocol data unit. A message between the card and the host computer. Application: The implementation of a well-defined and related set of functions that perform useful work on behalf of the user. It may consist of software and or hardware elements and associated user interfaces. Application provider: An entity that provides an application. ASN.1 object: Abstract Syntax Notation object as defined in ISO/IEC 8824. A formal syntax for describing complex data objects. ATR: Answer-to-Reset. Stream of data sent from the card to the reader in response to a RESET condition. AUT: Authenticated. Access condition indicating that a function is only available to entities that have been authenticated (typically through a cryptographic protocol involving the successful encryption of a challenge or a CHV, see below). BCD: Number representation where a number is expressed as a sequence of decimal digits and then each decimal digit is encoded as a four bit binary number. E.g. decimal 92 would be encoded as the eight bit sequence 1001 0010. BER: Basic Encoding Rules. Rules for encoding an ASN.1 object into a byte sequence. Cardholder: The person or entity presenting a smart card for use. Card Issuer: The organization or entity that owns and provides a smart card product. CHV: CardHolder Verification. Also called the PIN. Typically a 4 to 8 digit number entered by the cardholder to verify that the cardholder is authorized to use the card. Command: A message sent by the terminal to the card that initiates an action and solicits a response from the card. Command/response pair: Set of two messages: a command to the card followed by a response from the card. Cryptogram: Result of a cryptographic operation. Data element: Item of information as seen at the interface between a token and an application for which are defined a name, a description of logical content, a format and a coding. Defined in ISO/IEC 7816-4. Data unit: The smallest set of bits that can be unambiguously referenced. Defined in ISO/IEC 7816-4. DER: Distinguished Encoding Rules for encoding ASN.1 objects in byte-sequences. A special case of BER. DF: Dedicated file. File containing file control information, and, optionally, memory available for allocation. It may be the parent of elementary files and/or other dedicated files. DIR file: Directory file. An optional elementary file containing a list of applications supported by the card and optional related data elements. Defined in ISO/IEC 7816-5. DO: Data Object. Information as seen at the interface between a card and an application. Consists of a tag, a length and a value (i.e., a data element). Defined in ISO/IEC 7816-4. EF: Elementary file. A set of data units or records which share the same identifier. It cannot be a parent of another file. File control information (FCI): Logical, structural, and security attributes of a file as defined in ISO/IEC 7816-4. File identifier: A 2-byte binary value used to address a file on a smart card. Function: A process accomplished by one or more commands and resultant actions that are used to perform all or part of a transaction. ICC: Integrated Circuit Card. Another name for a smart card. IEC: International Electrotechnical Commission. Internal Elementary File: Elementary file for storing data interpreted by the card. ISO: International Organization for Standardization Level: Number of DFs in the path to a file, starting with the path from the master file. Memory Card: A card with a simple memory chip with read and write capacity. Message: String of bytes transmitted by the internal device to the card or vice versa, excluding transmission-control characters. MF: Master file. Mandatory unique dedicated file representing the root of the structure. The MF typically has the file identifier 3F0016. NEV: An access condition indicating a given function is never accessible. Nibble: Half a byte. The most significant nibble of a byte consists of bits b8 b7 b6 b5 and the least significant of bits b4 b3 b2 b1. Parent file: The MF or DF immediately preceding a given file within the hierarchy. Password: Data that may be required by the application to be presented to the card by its user before data can be processed. Path: Concatenation of file identifiers without delimitation. If the path starts with the MF identifier, it an absolute path, otherwise it is a relative path. PER: Packed Encoding Rules for encoding ASN.1 objects in byte sequences. A special case of BER. PIN: Personal Identification Number. See CHV. PIN Pad: An arrangement of alphanumeric and command keys to be used for PIN entry. Provider: Authority who has or who obtained the rights to create the MF or a DF in the card. Reader: As used in this specification, refers to a PC peripheral device that supports bidirectional I/O to an ISO/IEC 7816 standard ICC. Record: String of bytes that can be handled as a whole by the card and referenced by a record number or by a record identifier. Record Identifier: Value associated with a record that can be used to reference that record. Several records may have the same record identifier within an EF. Record number: A sequential number assigned to each record that uniquely identifies the record within its EF. Response: A message returned by the ICC to the terminal after the processing of a command message received by the ICC. RID: Registered application provider identifier. Stored Value Card: A smart card that stores non-bearer information like e-cash. Template: Value field of a constructed data object, defined to give a logical grouping of data objects. Defined in ISO/IEC 7816-6. Token: In this specification, a portable device capable of storing persistent data. Tokenholder: Analogous to cardholder. Uniform Resource Identifiers: a compact string of characters for identifying an abstract or physical resource. Described in RFC 2396. 4 Symbols and Abbreviations BER Basic Encoding Rules DER Distinguished Encoding Rules DF Dedicated File DO Data Object EF Elementary File FCD Final Committee Draft IDO Interindustry Data Object MF Master File ODF Object Directory File PIN Personal Identification Number TLV Tag-Length-Value URL Uniform Resource Locator (a class of uniform resource identifiers) 5 General Overview This document defines the PKCS#15 Cryptographic Token Information Format. The format specifies how keys, certificates and other application-specific data may be stored on an ISO/IEC 7816 compliant IC card or other media. It has the following characteristics: * Dynamic structure enables implementations on a wide variety of media, including stored value cards and pure software implementations * When implemented on an IC Card, it allows multiple applications to reside on the card (even multiple PKCS#15 applications) * Supports storage of any PKCS#11 objects (keys, certificates and data) * Straightforward mapping from PKCS#11 In general, an attempt has been made to be flexible enough to allow for many different token types, while still preserving the requirements for interoperability. A key factor in this is the notion of 'Directory Files' (See section 6.5) which provides a layer of indirection between objects on the token and the actual format of these objects. 6 IC Card File Format This section describes how to implement the PKCS#15 application on IC Cards. 6.1 Overview In general, an IC card file format specifies how certain abstract, higher level elements such as keys and certificates is to be represented in terms of more lower level elements such as IC card files and directory structures. The format may also suggests how and under which circumstances these higher level objects may be accessed by external sources and how these access rules are to be implemented in the underlying representation (i.e. the card's operating system). However, since it is anticipated that this recommendation will be used in many types of applications, this task has been left to each application provider's discretion. Some general suggestions can be found in appendix A, though. Note that the words 'format' and 'contents' shall be interpreted to mean 'The way the information appears to a host side application making use of a predefined set of commands (ISO/IEC 7816-4 and perhaps the FCD of ISO/IEC 7816-8) to access this data'. It may well be that a particular card is able to store the information described here in a more compact or efficient way than another card, however the 'card-edge' representation of the information shall be the same in both cases. Hence the term 'token-edge' specification. 6.2 IC Card requirements This section of this recommendation requires that compliant cards have necessary support for ISO/IEC 7816-4, ISO/IEC 7816-5 and ISO/IEC 7816-6 (hierarchic logical file system, direct or indirect application selection and read operations). 6.3 General characteristics 6.3.1 Card Layout A card supporting this recommendation should have the following layout: MF (File Id: 3F 00) __________________________________ / \ \ \ \ / \ \ \ \ DF(PKCS15) EF(DIR) ...(Other DFs, EFs) Figure 1: PKCS#15 Card Layout. Note: For the purpose of this recommendation, EF(DIR) is only needed on IC Cards which does not support direct application selection as defined in ISO/IEC 7816-5 or when multiple PKCS#15 applications resides on a single card. 6.3.2 Card File Structure The general file structure is shown in Figure 1. The contents of the PKCS#15 Application Directory is a bit dependent on the type of IC card and its intended use, but the following file structure is believed to be the most common: DF(PKCS15) ___________________________________________________ / \ \ \ \ \ / \ \ \ \ \ EF(ODF) EF(TokenInfo) EF(PrKDF) EF(CDF) EF(AODF) Other EF(DFs) and Object files Figure 2: Contents of DF(PKCS15). The contents and purpose of each file and directory is described below. 6.4 MF directory contents This section describes some EFs of the IC Cards master directory, MF. 6.4.1 EF(DIR) This optional file shall, if present, contain one or several application templates as defined in ISO/IEC 7816-5. The application template (tag '61') for the PKCS15 application shall at least contain the following DOs: * Application Identifier (tag '4F'), value defined in this recommendation * Application Label (tag '50'), value supplied by application issuer * Path (tag '51'), value supplied by application issuer Other tags from ISO/IEC 7816-5 may, at the application issuer's discretion, be present as well. 6.5 PKCS#15 Application Directory Contents This section describes the EFs of the PKCS#15 application directory, DF(PKCS15). 6.5.1 EF(ODF) The mandatory Object Directory File (ODF) consists of pointers to other EFs (PrKDFs, PuKDFs, SKDFs, CDFs, DODFs and AODFs), each one containing a directory over PKCS#15 objects of a particular class. The ASN.1 syntax for the contents of EF(ODF) is described in section 7.2. 6.5.2 Private Key Directory Files (PrKDFs) These files contain directories of private keys known to the PKCS#15 application. At least one PrKDF must be present on an IC Card which contains private keys (or references to private keys) known to the PKCS#15 application. The ASN.1 syntax for the contents of PrKDFs is described in section 7.3. 6.5.3 Secret Key Directory Files (SKDFs) These files contain directories of secret (symmetric) keys known to the PKCS#15 application. At least one SKDF must be present on an IC Card which contains secret keys (or references to secret keys) known to the PKCS#15 application. The ASN.1 syntax for the contents of SKDFs is described in section 7.4. 6.5.4 Public Key Directory Files (PuKDFs) These files contain directories of public keys known to the PKCS#15 application. At least one PuKDF must be present on an IC Card which contains public keys (or references to public keys) known to the PKCS#15 application. The ASN.1 syntax for the contents of PuKDFs is described in section 7.5. 6.5.5 Certificate Directory Files (CDFs) These files contain directories of certificates known to the PKCS#15 application. At least one CDF must be present on an IC Card which contains certificates (or references to certificates) known to the PKCS#15 application. The ASN.1 syntax for the contents of CDFs is described in section 7.6. 6.5.6 Data Object Directory Files (DODFs) These files contain directories of data objects (not keys or certificates) known to the PKCS#15 application. At least one DODF must be present on an IC Card which contains such data objects (or references to such data objects) known to the PKCS#15 application. The ASN.1 syntax for the contents of DODFs is described in section 7.7. 6.5.7 Authentication Object Directory Files (AODFs) These files contain directories of authentication objects (e.g. PINs) known to the PKCS#15 application. At least one AODF must be present on an IC Card, which contains authentication objects coupled to the PKCS#15 application. The ASN.1 syntax for the contents of the AODFs is described in section 7.8. 6.5.8 EF(TokenInfo) The mandatory TokenInfo elementary file shall contain generic information about the token as such and it's capabilities, as seen by the PKCS15 application. The ASN.1 syntax for the contents of the TokenInfo file shall be a compatible tag allocation scheme as described in ISO/IEC 7816-6 and is described in detail in section 7.9. 6.5.9 Other elementary files in the PKCS#15 directory These (optional) files will contain the actual values of objects (such as private keys, public keys, secret keys, certificates and application specific data) referenced from within PrKDFs, SKDFs, PuKDFs, CDFs or DODFs. The ASN.1 format for the contents of these files follows from the ASN.1 description in section 7. 6.6 File Identifiers The following file identifiers are defined for the PKCS15 files. Note that the RID (see ISO/IEC 7816-5) is A0 00 00 00 ?? [TBD]. File DF File Identifier (relative to nearest DF) --------------------------------------------------------- MF x 0x3F00 (ISO/IEC 7816-4) DIR 0x2F00 (ISO/IEC 7816-4) PKCS15 x RID || "PK15-10" (File identifier is decided by application issuer) ODF 0x5031 TokenInfo 0x5032 AODFs Decided by application issuer PrKDFs Decided by application issuer PuKDFs Decided by application issuer SKDFs Decided by application issuer CDFs Decided by application issuer DODFs Decided by application issuer Other EFs Decided by application issuer Table 1: File Identifiers 6.7 PKCS#15 Application Selection PKCS#15 compliant IC cards should support direct application selection as defined in ISO/IEC 7816-4 section 9 and ISO/IEC 7816-5, section 6. The full AID is to be used as parameter for a 'Select File' command. If direct application selection isn't supported, or several PKCS#15 applications resides on the card, an EF(DIR) file with contents as specified in section 6.4.1 must be used. The operating system of the card will keep track of the currently selected application and only allow the commands applicable to that particular application while it is selected. 6.7.1 AID for the PKCS#15 application The Application Identifier (AID) data element consists of 12 bytes and its contents is defined below. The AID is used as the filename for DF(PKCS15) in order to facilitate direct selection of the PKCS#15 application on multi-application cards with only one PKCS#15 application present. The AID is composed of RID || PIX, where '||' denotes concatenation. RID is the 5 byte globally 'Registered Identifier' as specified in ISO/IEC 7816-5. RID shall be set to A0 00 00 00 ?? [TBD] for the purposes of this recommendation. PIX (Proprietary application Identifier eXtension) shall be set to "PK15-xx" where 'xx' denotes the version of this recommendation. For this version, the value is '10' (version 1.0). The full AID for the current version of this recommendation is thus A0 00 00 00 ?? 50 4B 31 35 2D 31 30 7 Information Format in ASN.1 This section contains a detailed description on ASN.1 constructs to be used on PKCS#15 tokens. This section applies to ISO/IEC 7816-4 compliant IC Card implementations as well as other implementations. 7.1 Basic ASN.1 defined types 7.1.1 PKCS15Identifier PKCS15Identifier ::= OCTET STRING (SIZE (1..pkcs15-ub-identifier)) The PKCS15Identifier is a constrained version of PKCS#11's CKA_ID. 7.1.2 PKCS15Reference PKCS15Reference ::= INTEGER (0..pkcs15-ub-reference) This type is used for generic reference purposes. 7.1.3 PKCS15Label PKCS15Label ::= UTF8String (SIZE(1..pkcs15-ub-label)) This type is used for all labels. 7.1.4 PKCS15ReferencedValue and PKCS15Path PKCS15ReferencedValue ::= CHOICE { path [0] PKCS15Path, url [1] PrintableString } PKCS15Path ::= SEQUENCE { path [APPLICATION 17] OCTET STRING, --See ISO7816-5 index INTEGER (1..pkcs15-ub-index) OPTIONAL, length [0] INTEGER (1..pkcs15-ub-index) OPTIONAL } (WITH COMPONENTS {..., index PRESENT, length PRESENT} | WITH COMPONENTS {..., index ABSENT, length ABSENT}) A PKCS15ReferencedValue is a reference to a PKCS15 object value of some kind. This can either be some external reference (captured by the 'url' identifier) or a reference to a file on the card (the 'path' identifier). In the PKCS15Path case, identifiers 'index' and 'length' may specify a specific location within the file (If the file in question is a linear record file, index will be the record identifier and length can be set to 0, if it is a binary file, then index can be used to specify an offset within the file.). In the 'url' case, the given url must be in accordance with [RFC2396]. 7.1.5 PKCS15ObjectValue PKCS15ObjectValue { Type } ::= CHOICE { indirect [0] PKCS15ReferencedValue, direct [1] Type } (CONSTRAINED BY {-- if indirection is being used, -- then it is expected that the reference points -- either to an object of type -- Type -- or (key -- case) to a card-specific key file --}) The PKCS15ObjectValue construct is intended to catch the choice which can be made between storing a particular PKCS#15 object (key, certificate, et c) 'in-line' or by indirect reference. On ISO/IEC 7816-4 compliant IC Cards, the indirect alternative shall always be used. In other cases, any of the CHOICE alternatives may be used. 7.1.6 PKCS15PathOrObjects PKCS15PathOrObjects {ObjectType} ::= CHOICE { path [0] PKCS15Path, objects [1] SEQUENCE OF ObjectType, encrypted [2] PKCS15-ENCRYPTED {SEQUENCE OF ObjectType} } This construct is used to reference sequences of objects either residing within the ODF or externally. There is also a provision for storing an encrypted sequence of objects of the particular type. If the 'path' alternative is used, then it is expected that the file pointed to by 'path' contain the value part of an object of type SEQUENCE OF ObjectType (that is, the 'SEQUENCE OF' tag and length shall not be present in the file). On ISO/IEC 7816-4 compliant IC Cards, the 'path' alternative shall always be used. 7.1.7 PKCS15-ENCRYPTED and PKCS15-OPTIONALLY-SIGNED PKCS15-ENCRYPTED {Type} ::= SEQUENCE { algId AlgorithmIdentifier, data OCTET STRING } (CONSTRAINED BY {-- the contents of data must be the result -- of applying the given algorithm identifier to the complete -- DER-encoding (excluding the outermost tag and length bytes) -- of the value denoted by -- Type}) PKCS15-OPTIONALLY-SIGNED { ToBeSigned } ::= CHOICE { unsigned-data [0] ToBeSigned, signed-data [1] SIGNED {ToBeSigned } } These two structures are intended to capture the cases where a) a particular type needs to encrypted or b) a particular type might be signed. They are only relevant in non-ISO/IEC 7816-4 IC Card cases, and it is expected that the key used for the transformation in question is to be deduced by other means, e.g. from a password. The SIGNED construct is imported from ISO/IEC 9594-8. 7.1.8 PKCS15CommonObjectAttributes This type is a container for attributes common to all PKCS#15 objects. PKCS15CommonObjectAttributes ::= SEQUENCE { label PKCS15Label, flags PKCS15CommonObjectFlags, authId PKCS15Identifier OPTIONAL } (CONSTRAINED BY {-- authId must be present in the IC Card -- case if flags.private is set. It must equal an -- authID in one AuthRecord in the -- AuthInfo file. --}) PKCS15CommonObjectFlags ::= BIT STRING { private(0), modifiable (1) } The 'label' is the equivalent of the CKA_LABEL present in PKCS#11, and enables unique user-oriented names for each object. The 'flags' field indicates whether the particular object is private or not, and whether it is of type read-only or not. While it is true that in the IC Card case this can be deduced by other means, e.g. by studying EFs FCI, this is not the case when, for example, PKCS#15 is implemented in software. The 'authId' field gives, in the case of a private object, a cross-reference back to the authentication object used to protect this object (For a description of authentication objects, see section 6.5.7). 7.1.9 PKCS15CommonKeyAttributes This type contains all attributes common to PKCS#15 keys, except for the PKCS15CommonObjectAttributes. PKCS15CommonKeyAttributes ::= SEQUENCE { iD PKCS15Identifier, usage PKCS15KeyUsageFlags, info [0] PKCS15CommonKeyInfo OPTIONAL, -- if not present, the value '0'B is assumed key-reference [1] PKCS15Reference OPTIONAL, startDate [2] GeneralizedTime OPTIONAL, endDate [3] GeneralizedTime OPTIONAL } PKCS15KeyUsageFlags ::= BIT STRING { encrypt (0), decrypt (1), sign (2), signRecover (3), wrap (4), unwrap (5), verify (6), verifyRecover (7), nonRepudiation (8) } PKCS15CommonKeyInfo ::= BIT STRING { derive (0), local (1) } Note: The 'nonRepudiation' value is not present in PKCS#11. The 'iD' field must be unique for each key stored in the token. The 'usage' field ('encrypt', 'decrypt', 'sign', 'signRecover', 'wrap', 'unwrap', 'verify', 'verifyRecover' and 'nonRepudiation') signals the intended usage of the key. To map between ISO/IEC 9594-8 (X.509) keyUsage flags for public keys, and PKCS#15 flags for private keys, use the following table: PKCS#15 identifier Corresponding X.509 keyUsage flag for public key ------------------------------------------------------------------------ Decrypt DataEncipherment Sign DigitalSignature, KeyCertSign, CRLSign SignRecover DigitalSignature, KeyCertSign, CRLSign Unwrap KeyEncipherment, KeyAgreement NonRepudiation NonRepudiation Table 2 : Mapping between PKCS#15 key usage flags and X.509 keyUsage extension flags The 'info' field's 'derive' and 'local' identifiers corresponds to the same fields in PKCS#11 and have the same semantics. The 'key-reference' field is only applicable for IC Cards with cryptographic capabilities. If present, it contains a card-specific reference to the key in question. The 'startDate' and 'endDate' fields have the same semantics as in PKCS#11. 7.1.10 PKCS15CommonPrivateKeyAttributes This type contains all attributes common to PKCS#15 private keys, except for PKCS15CommonKeyAttributes and PKCS15CommonObjectAttributes. PKCS15CommonPrivateKeyAttributes ::= SEQUENCE { access-flags PKCS15KeyAccessFlags OPTIONAL, keyHash OCTET STRING (SIZE(20)) OPTIONAL } PKCS15KeyAccessFlags ::= BIT STRING { sensitive (0), extractable (1), alwaysSensitive (2), neverExtractable(3) } The motivation for the fields of the PKCS15CommonPrivateKeyAttributes type above is as follows: The semantics of the 'access-flags' field's 'sensitive', 'extractable', 'alwaysSensitive' and 'neverExtractable' identifiers is the same as in PKCS#11. The field is not required to be present in cases where the value can be deduced by other means (e.g. a pure software implementation). The 'keyHash' field: When receiving for example an enveloped message together with the public key used for encrypting the message's session key, the application need to deduce which (if any) of the private keys present on the token that should be used for decrypting the session key. For some public key algorithms, this can be accomplished by calculating a hash for the public key in the certificate and then compare this hash with the hash stored on the card. In the RSA case, the modulus of the public key shall be used, and the hash is to be done on the (network-order) byte string representation of it. The hash-algorithm shall be SHA-1. Note: This is different from the hash method used e.g. in IETF RFC [PKIX, TBD], but it serves the purpose of being independent of certificate format - alternative certificate formats not DER-encoding the public key has been proposed. 7.1.11 PKCS15CommonSecretKeyAttributes This type contains all attributes common to PKCS#15 secret keys, except for PKCS15CommonKeyAttributes and PKCSCommonObjectAttributes. PKCS15CommonSecretKeyAttributes ::= SEQUENCE { access-flags PKCS15KeyAccessFlags OPTIONAL, keyLen INTEGER OPTIONAL -- Used keylength (in bits) } The motivation for the fields of the PKCS15SecretKeyAttributes type above is as follows: The 'access-flags' field is described in section 7.1.10 above. The field is not required to be present in cases where the value can be deduced by other means (e.g. a pure software implementation). The optional 'keyLen' field signals the key length used, in those cases where a particular algorithm can have a varying keylength. 7.1.12 PKCS15CommonPublicKeyAttributes This type contains all attributes common to PKCS#15 public keys, except for PKCS15CommonKeyAttributes and PKCS15CommonObjectAttributes. PKCS15CommonPublicKeyAttributes ::= SEQUENCE { access-flags PKCS15KeyAccessFlags OPTIONAL, ... -- More attributes TBD? } The motivation for the fields of the PKCS15CommonPublicKeyAttributes type above is as follows: The 'access-flags' field is described in section 7.1.10 above. The field is not required to be present in cases where the value can be deduced by other means (e.g. a pure software implementation). 7.1.13 PKCS15KeyInfo This type, which is part of each key type, contains either (IC Card case) a reference to a particular entry in the EF(TokenInfo) file, or explicit information about the key in question (parameters and operations supported by the token) The 'supportedOperations' field is optional and can be absent on tokens which does not support any operations with the key. PKCS15KeyInfo {ParameterType, OperationsType} ::= CHOICE { reference PKCS15Reference, paramsAndOps SEQUENCE { parameters ParameterType, supportedOperations OperationsType OPTIONAL} } 7.1.14 PKCS15CommonCertificateAttributes This type contains all attributes common to PKCS#15 certificates, except for the PKCS15CommonObjectAttributes. PKCS15CommonCertificateAttributes ::= SEQUENCE { iD PKCS15Identifier, flags PKCS15CommonCertificateFlags } PKCS15CommonCertificateFlags ::= BIT STRING { caCert (0), trusted (1), verified (2) } The 'iD' field is only present for X509 certificates in PKCS#11, but has for generality reasons been 'promoted' to a common certificate attribute in this recommendation. The 'flags' field conveys information about the particular certificate: If it is a ca certificate, if it is trusted explicitly or if it has been verified. 7.1.15 PKCS15CommonDataObjectAttributes This type contains all attributes common to PKCS#15 data objects, except for the PKCS15CommonObjectAttributes. PKCS15CommonDataObjectAttributes ::= SEQUENCE { applicationName PKCS15Label OPTIONAL, applicationOID OBJECT IDENTIFIER OPTIONAL } (CONSTRAINED BY {-- at least one value must be present --}) This type is intended to contain the name or the registered object identifier for the application to which the data object in question 'belongs'. In order to avoid application name collisions, the 'applicationOID' alternative is recommended. 7.1.16 PKCS15CommonAuthenticationObjectAttributes This type contains all attributes common to PKCS#15 authentication objects, apart from the PKCS15CommonObjectAttributes. PKCS15CommonAuthenticationObjectAttributes ::= SEQUENCE { authId PKCS15Identifier, ... -- More TBD? } The 'authId' must be a unique PKCS15Identifier. It is used for cross-reference purposes from private PKCS#15 objects. 7.1.17 PKCS15Object This type is a template for all kinds of PKCS#15 objects. It is parameterized with object class attributes, object subclass attributes and object type attributes. PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes} ::= SEQUENCE { commonObjectAttributes PKCS15CommonObjectAttributes, classAttributes ClassAttributes, subClassAttributes [0] SubClassAttributes OPTIONAL, typeAttributes TypeAttributes } 7.2 The PKCS15ODF type The purpose and general contents of ODFs were defined in section 6.5. As mentioned, it will contain references to all objects known to the PKCS#15 application. PKCS15ODF ::= OPTIONALLY-SIGNED { PKCS15ObjectSequence } PKS15ObjectSequence ::= SEQUENCE{ version INTEGER {v1(0)}(v1), pkcs15objects SEQUENCE OF PKCS15Objects } PKCS15Objects ::= CHOICE { privateKeys [0] PKCS15PrivateKeys, publicKeys [1] PKCS15PublicKeys, secretKeys [2] PKCS15SecretKeys, certificates [3] PKCS15Certificates, dataObjects [4] PKCS15DataObjects, authObjects [5] PKCS15AuthObjects, ... -- Allow for future expansion } PKCS15PrivateKeys ::= PKCS15PathOrObjects {PKCS15PrivateKey} PKCS15SecretKeys ::= PKCS15PathOrObjects {PKCS15SecretKey} PKCS15PublicKeys ::= PKCS15PathOrObjects {PKCS15PublicKey} PKCS15Certificates ::= PKCS15PathOrObjects {PKCS15Certificate} PKCS15DataObjects ::= PKCS15PathOrObjects {PKCS15Data} PKCS15AuthObjects ::= PKCS15PathOrObjects {PKCS15Authentication} In the IC Card case, the intention is that the ODF will consist of a number of DOs (records) of type PKCS15Objects, representing different object types. Each DO will reference a file containing a directory of objects of the particular type. Since the 'path' alternative of the PKCS15PathOrObject type is to be chosen, this will result in a record oriented ODF, which simplifies updating. In other cases or when all information has to reside in one file, the type PKCS15ODF type shall be used. In those cases, it is not anticipated that any authentication objects will be present, since they are closely coupled to the use of IC Cards. Examples of PKCS15ODF and PKCS15Objects values can be found in appendix C. 7.3 The PKCS15PrivateKeys type This type contains information pertaining to private key objects in the token. Since, in the IC card case, the 'path' alternative of the PKCS15PathOrObjects type is to be chosen, the PKCS15PrivateKeys entries (records) in the ODF points to files that can be regarded as directories of private keys, 'Private Key Directory Files' (PrKDFs). The contents of a PrKDF must be the value of the DER encoding of a SEQUENCE OF PKCS15PrivateKey. This gives the PrKDFs the same, simple structure as the ODF, namely a number of TLV records. In non-IC Card cases, any of the CHOICE alternatives of PKCS15PathOrObjects may be used. Examples of PKCS15PrivateKey values can be found in appendix C. The PKCS15PrivateKey structure is as follows: PKCS15PrivateKey ::= CHOICE { privateRSAKey [0] PKCS15PrivateKeyObject { PKCS15PrivateRSAKeyAttributes}, privateECKey [1] PKCS15PrivateKeyObject { PKCS15PrivateECKeyAttributes}, ... -- More private key types TBD -- } PKCS15PrivateKeyObject {KeyAttributes} ::= PKCS15Object { PKCS15CommonKeyAttributes, PKCS15CommonPrivateKeyAttributes, KeyAttributes} In other words, in the IC Card case, PrKDFs will consist of a number of context-tagged elements representing different private keys. Each private key element will consist of a number of common object attributes (PKCS15CommonObjectAttributes, PKCS15CommonKeyAttributes and PKCSCommonPrivateKeyAttributes) and, in addition the particular key type's attributes. 7.3.1 Private RSA key objects PKCS15PrivateRSAKeyAttributes ::= SEQUENCE { keyInfo PKCS15KeyInfo {PKCS15RSAParameters, PKCS15PublicKeyOperations}, modulusLength INTEGER, -- modulus length in bits, e.g. 1024 value PKCS15ObjectValue {PKCS15RSAPrivateKey} } PKCS15RSAPrivateKey ::= SEQUENCE { modulus [0] INTEGER OPTIONAL, -- n publicExponent [1] INTEGER OPTIONAL, -- e privateExponent [2] INTEGER OPTIONAL, -- d prime1 [2] INTEGER OPTIONAL, -- p prime2 [3] INTEGER OPTIONAL, -- q exponent1 [4] INTEGER OPTIONAL, -- d mod (p-1) exponent2 [5] INTEGER OPTIONAL, -- d mod (q-1) coefficient [6] INTEGER OPTIONAL -- inv(q) mod p } (CONSTRAINED BY {-- must be possible to reconstruct modulus and -- privateExponent from selected fields --}) The semantics of the fields is as follows: * PKCS15PrivateRSAKeyAttributes.keyInfo: Information about parameters that applies to this key (NULL in the case of RSA keys) and operations the token can carry out with this key. In the IC Card case, the 'reference' alternative of a PKCS15KeyInfo must be used, and the reference shall 'point' to a particular entry in EF(TokenInfo), see below. * PKCS15PrivateRSAKeyAttributes.modulusLength: On many cards, one must be able to format data to be signed prior to sending the data to the card. In order to be able to format the data in a correct manner the length of the key must be known. The length should be expressed in bits, e.g. 1024. * PKCS15PrivateRSAKeyAttributes.value: The value shall, in the IC Card case, be a path to a file containing either the PKCS15RSAPrivateKey structure or (in the case of a card capable of performing on-chip RSA encryption) some card specific representation of a private RSA key. As mentioned, this will be indicated in the 'keyInfo' field. In other cases, the application issuer is free to choose any alternative. Note that, besides the case of RSA capable IC cards, although the PKCS15RSAPrivateKey type is very flexible, it is still constrained by the fact that it must be possible to reconstruct the modulus and the privateExponent from whatever fields present. 7.3.2 Private EC key objects PKCS15PrivateECKeyAttributes ::= SEQUENCE { keyInfo PKCS15KeyInfo {PKCS15ECParameters, PKCS15PublicKeyOperations}, value PKCS15ObjectValue {PKCS15ECPrivateKey} } PKCS15ECPrivateKey ::= INTEGER The semantics of these types is as follows: * PKCS15PrivateECKeyAttributes.keyInfo: Information about parameters that applies to this key and operations the token can carry out with this key. In the IC Card case, the 'reference' alternative of a PKCS15KeyInfo must be used, and the reference shall 'point' to a particular entry in EF(TokenInfo), see below. * PKCS15PrivateECKeyAttributes.value: The value shall, in the IC Card case, be a path to a file containing either the PKCS15ECPrivateKey structure or (in the case of a card capable of performing on-chip EC operations) some card specific representation of a private EC key. As mentioned, this will be indicated in the 'keyInfo' field. In other cases, the application issuer is free to choose any alternative. 7.4 The PKCS15SecretKeys type This data structure contains information pertaining to secret keys on the card. Since, in the IC card case, the 'path' alternative of the PKCS15PathOrObjects type is to be chosen, the PKCS15SecretKeys entries (records) in the ODF points to files that can be regarded as directories of secret keys, 'Secret Key Directory Files' (SKDFs). The contents of a SKDF must be the value of the DER encoding of a SEQUENCE OF PKCS15SecretKey. This gives the SKDFs the same, simple structure as the ODF, namely a number of TLV records. In non-IC Card cases, any of the CHOICE alternatives of PKCS15PathOrObjects may be used. Examples of this type can be found in appendix C. PKCS15SecretKey ::= CHOICE { rc5Key [0] PKCS15SecretKeyObject {PKCS15RC5KeyAttributes}, ... -- More secret key types TBD } PKCS15SecretKeyObject {KeyAttributes} ::= PKCS15Object { PKCS15CommonKeyAttributes, PKCS15CommonSecretKeyAttributes, KeyAttributes} In other words, in the IC Card case, SKDFs will consist of a number of context-tagged elements representing different secret keys. Each element will consist of a number of common object attributes (PKCS15CommonObjectAttributes and PKCS15CommonSecretKeyAttributes) and in addition the particular secret key type's attributes. 7.4.1 RC5 key objects PKCS15RC5KeyAttributes ::= PKCS15SecretKeyAttributes {PKCS15RC5Parameters} PKCS15SecretKeyAttributes {ParamType} ::= SEQUENCE { keyInfo PKCS15KeyInfo {ParamType, PKCS15SecretKeyOperations} value PKCS15ObjectValue { OCTET STRING } } Since most secret keys are of the same type, a common type PKCS15SecretkeyAttributes has been created. The semantic of the fields is as follows: * PKCS15SecretKeyAttributes.keyInfo: Information about parameters that applies to this key and operations the token can carry out with this key. In the IC Card case, the 'reference' alternative of a PKCS15KeyInfo must be used, and the reference shall 'point' to a particular entry in EF(TokenInfo), see below. * PKCS15SecretKeyAttributes.value: The value shall, in the IC Card case, be a path to a file containing either an OCTET STRING or (in the case of a card capable of performing cryptographic operations with this type of key) some card specific representation of the secret key. As mentioned, this will be indicated in the 'keyInfo' field. In other cases, the application issuer is free to choose any alternative. 7.5 The PKCS15PublicKeys type This data structure contains information pertaining to public key objects on the card. Since, in the IC card case, the 'path' alternative of the PKCS15PathOrObjects type is to be chosen, the PKCS15PublicKeys entries (records) in the ODF points to files that can be regarded as directories of certificates, 'Public Key Directory Files' (PuKDFs). The contents of a PuKDF must be the value of the DER encoding of a SEQUENCE OF PKCS15PublicKey. This gives the PuKDFs the same, simple structure as the ODF, namely a number of TLV records. In non-IC Card cases, any of the CHOICE alternatives of PKCS15PathOrObjects may be used. Examples of this type can be found in appendix C. PKCS15PublicKey ::= CHOICE { null [0] NULL -- More public key types TBD } PKCS15PublicKeyObject {KeyAttributes} ::= PKCS15Object { PKCS15CommonKeyAttributes, PKCS15CommonPublicKeyAttributes, KeyAttributes} In other words, in the IC Card case, PuKDFs will consist of a number of context-tagged elements representing different public keys. Each element will consist of a number of common object attributes (PKCS15CommonObjectAttributes and PKCS15CommonKeyAttributes) and in addition the particular public key type's attributes. 7.6 The PKCS15Certificates type This data structure contains information pertaining to certificate objects on the card. Since, in the IC card case, the 'path' alternative of the PKCS15PathOrObjects type is to be chosen, the PKCS15Certificates entries (records) in the ODF points to files that can be regarded as directories of certificates, 'Certificate Directory Files' (CDFs). The contents of a CDF must be the value of the DER encoding of a SEQUENCE OF PKCS15Certificate. This gives the CDFs the same, simple structure as the ODF, namely a number of TLV records. In non-IC Card cases, any of the CHOICE alternatives of PKCS15PathOrObjects may be used. Examples of this type can be found in appendix C. PKCS15Certificate ::= CHOICE { x509Certificate [0] PKCS15CertificateObject { PKCS15X509CertificateAttributes}, x509AttributeCertificate [1] PKCS15CertificateObject { PKCS15X509AttributeCertificateAttributes}, ... -- More certificate types TBD } PKCS15CertificateObject {CertAttributes} ::= PKCS15Object { PKCS15CommonCertificateAttributes, NULL, CertAttributes} In other words, in the IC Card case, CDFs will consist of a number of context-tagged elements representing different certificate objects. Each element will consist of a number of common object attributes (PKCS15CommonObjectAttributes and PKCS15CommonCertificateAttributes) and in addition the particular certificate type's attributes. 7.6.1 X.509 Certificate Objects PKCS15X509CertificateAttributes ::= SEQUENCE { subject [1] Name OPTIONAL, issuer [2] Name OPTIONAL, serialNumber [3] CertificateSerialNumber OPTIONAL, value PKCS15ObjectValue { Certificate } } The semantics of the fields is as follows: * PKCS15X509CertificateAttributes.subject, PKCS15X509CertificateAttributes.issuer and PKCS15X509CertificateAttributes.serialNumber: The semantics of these fields is the same as for the corresponding fields in PKCS#11. The reason for making them optional is to provide some space-efficiency, since they already are present in the certificate itself. * PKCS15X509CertificateAttributes.value: The value shall, in the IC Card case, be a PKCS15ReferencedValue either to a file containing a DER encoded certificate at the given location, or a url to some location where the certificate in question can be found. In other cases, the application issuer is free to choose any alternative. 7.6.2 X.509 Attribute Certificate Objects PKCS15X509AttributeCertificateAttributes ::= SEQUENCE { subject [1] GeneralNames OPTIONAL, issuer [2] GeneralNames OPTIONAL, serialNumber [3] CertificateSerialNumber OPTIONAL, value PKCS15ObjectValue { AttributeCertificate } } The semantics of the fields is as follows: * PKCS15X509AttributeCertificateAttributes.subject, PKCS15X509AttributeCertificateAttributes.issuer and PKCS15X509AttributeCertificateAttributes.serialNumber: The semantics of these fields is the same as for the corresponding fields in ISO/IEC 9594-8. The reason for making them optional is to provide some space-efficiency, since they already are present in the certificate itself. * PKCS15X509AttributeCertificateAttributes.value: The value shall, in the IC Card case, be a PKCS15ReferencedValue either to a file containing a DER encoded attribute certificate at the given location, or a url to some location where the attribute certificate in question can be found. In other cases, the application issuer is free to choose any alternative. 7.7 The PKCS15DataObjects type This data structure contains information pertaining to data objects on the card. Since, in the IC card case, the 'path' alternative of the PKCS15PathOrObjects type is to be chosen, the PKCS15DataObjects entries (records) in the ODF points to files that can be regarded as directories of data objects, 'Data Object Directory Files' (DODFs). The contents of a DODF must be the value of the DER encoding of a SEQUENCE OF PKCS15DataObject. This gives the DODFs the same, simple structure as the ODF, namely a number of TLV records. In non-IC Card cases, any of the CHOICE alternatives of PKCS15PathOrObjects may be used. Examples of this type can be found in appendix C. PKCS15Data ::= CHOICE { loginDataObject [0] PKCS15DataObject { PKCS15LoginObjectAttributes}, externalIDO [1] PKCS15DataObject { PKCS15ExternalIDO} -- More TBD ? } PKCS15DataObject {DataObjectAttributes} ::= PKCS15Object { PKCS15CommonDataObjectAttributes, NULL, DataObjectAttributes} In other words, in the IC Card case, DODFs will consist of a number of context-tagged elements representing different data objects. Each element will consist of a number of common object attributes (PKCS15CommonObjectAttributes and PKCS15CommonDataObjectAttributes) and in addition the particular data object type's attributes. 7.7.1 'Login' Data Objects PKCS15LoginObjectAttributes ::= SEQUENCE { value PKCS15ObjectValue { PKCS15LoginObject } } PKCS15LoginObject ::= SEQUENCE { userName DirectoryString {pkcs15-ub-identifier}, password OCTET STRING (SIZE(1..MAX)), userRole DirectoryString {pkcs15-ub-identifier} OPTIONAL } The semantics of these fields is as follows: * PKCS15LoginObject.userName: This is intended to be the user's login name to the application in question. * PKCS15LoginObject.password: This is the user's password to the application * PKCS15LoginObject.userRole: This optional field is intended to capture the notion of 'roles', if that is applicable to the application in question. 7.7.2 External data objects (IDOs) The DODF may also contain one or several externally defined data objects. In order that these objects follow a compatible tag allocation scheme as defined in section 4.4 of ISO/IEC 7816-6 in the IC card case, they have been defined as follows: PKCS15ExternalIDO ::= PKCS15ObjectValue {PKCS15IDOs} PKCS15IDOs ::= CHOICE { applicationTemplate [APPLICATION 1] PKCS15External, cardHolderData [APPLICATION 5] PKCS15External, cardData [APPLICATION 6] PKCS15External, authenticationData [APPLICATION 7] PKCS15External, applicationRelatedData [APPLICATION 14] PKCS15External } PKCS15External ::= SET { -- Possible data elements are defined in ISO/IEC 7816-6 } Note that all these constructed types are defined in ISO/IEC 7816-6. With this construct, the areas (or files) on an IC card pointed to by the PKCS15ObjectValue {PKCS15ExternalIDO} type, will consist of TLV pairs, each with a tag of either '61', '65', '66', '67' or '6E', which is in accordance with ISO/IEC 7816-6. 7.8 The PKCS15AuthenticationObject type This data structure, only relevant to IC Cards capable of authenticating a cardholder, contains information about how this cardholder authentication shall be carried out. Since, in the IC card case, the 'path' alternative of the PKCS15PathOrObjects type is to be chosen, the PKCS15AuthenticationObject entries (records) in the ODF points to files that can be regarded as directories of authentication objects, 'Authentication Object Directory Files' (AODFs). The contents of an AODF must be the value of the DER encoding of a SEQUENCE OF PKCS15AuthenticationObject. This gives the AODFs the same, simple structure as the ODF, namely a number of TLV records. Examples of this type can be found in appendix C. PKCS15Authentication ::= CHOICE { pinObject [0] PKCS15AuthenticationObject { PKCS15PinAttributes}, ... -- Allow for future extensions, e.g. biometric -- authentication objects } PKCS15AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object { PKCS15CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes} In other words, in the IC Card case, AODFs will consist of a number of context-tagged elements representing different authentication objects. Each element will consist of a number of common object attributes (PKCS15CommonObjectAttributes and PKCS15CommonAuthenticationObjectAttributes) and in addition the particular authentication object type's attributes. Each authentication object must have a distinct PKCS15CommonAuthenticationObjectAttributes.authID, enabling unambiguous authentication object lookup for private objects. 7.8.1 Pin Objects PKCS15PinAttributes ::= SEQUENCE { pinFlags PKCS15PinFlags, pinType PKCS15PinType, minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength), storedLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-storedPinLength), padChar OCTET STRING (SIZE(1)) OPTIONAL, path PKCS15Path, pinExpirationDate GeneralizedTime OPTIONAL } PKCS15PinFlags ::= BIT STRING { case-sensitive (0), local (1), change-disabled (2), unblock-disabled (3), initialized (4), needs-padding (5) } PKCS15PinType ::= INTEGER {bcd(0), ascii-numeric(1), utf8(2) -- bcd = one nibble contains one digit -- ascii-numeric = one byte contains one ASCII digit -- utf8 = password is stored in UTF8 encoding } The semantics of these fields is as follows: * PKCS15PinAttributes.pinFlags: This field signals whether the PIN is: - case-sensitive, meaning that the entered PIN shall not be converted to all-uppercase before presented to the card (see below) - local, meaning that the PIN is local to the PKCS#15 application - change-disabled, meaning that it is not possible to change the PIN - unblock-disabled, meaning that it is not possible to unblock the PIN - initialized, meaning that the PIN has been initialized - needs-padding, meaning that, depending on the length of the given PIN and the stored length, the PIN may need to be padded before being presented to the card * PKCS15PinAttributes.pinType: This field determines the type of PIN: - bcd (Binary Coded Decimal, each nibble of a byte shall contain one digit of the PIN), - ascii-numeric (Each byte of the PIN contain an ASCII encoded digit) - utf8 (Each character is encoded in accordance with UTF8) * PKCS15PinAttributes.minLength: Minimum length of new PINs (if allowed to change) * PKCS15PinAttributes.storedLength: Stored length. Used to deduce the number of padding characters needed. * PKCS15PinAttributes.padChar: Padding character to use (usually 0xff or 0x00). Not needed if 'pinFlags' indicates that padding isn't needed for this token. If the PKCS15PinAttributes.pinType is of type 'bcd', then padChar should consist of two nibbles of the same value, any nibble could be used as the 'padding nibble'. E.g., '55' is allowed, meaning padding with '01012', but '34' is illegal. * PKCS15PinAttributes.path: Path to the particular PIN. * PKCS15PinAttributes.pinExpirationDate: This optional field is intended to be used in those applications that requires PIN updating at regular intervals. 7.8.1.1 Transforming a supplied PIN The steps taken to transform a user-supplied PIN to something presented to the card shall be as follows: 1. Convert the PIN in accordance with the PIN type: a) If the PIN is a 'utf8' PIN, transform it to UTF8 [RFC 2279]: x = UTF8(PIN). Then, if the case-sensitive flag is off, convert x to uppercase: x = NLSUPPERCASE(x) (NLSUPPERCASE = locale dependent uppercase) b) If the PIN is a 'bcd' PIN, verify that each character is a digit and pack the characters as BCD [see section 3] digits: x = BCD(PIN) c) If the PIN is an 'ascii-numeric' PIN, verify that each character is a digit in the current codepage and -if needed- convert the characters to ascii [ANSI X3.4] digits: x = ASCII(PIN) 2. If indicated in the 'pinFlags' field, pad x to the right with the padding character, padChar, to stored length storedLength: x = PAD(x, padChar, storedLength). Example: (ascii-)Numeric PIN '1234' (ascii), stored length 8 bytes, and padding character 'FF' (hex) gives that the value presented to the card will be '31323334FFFFFFFF' (hex). 7.9 The PKCS#15 Information File, EF(TokenInfo) This file, only relevant to ISO/IEC 7816-4 compliant IC Cards, contains general information about the PKCS#15 application and the token it resides on. It's data structure is defined as follows: PKCS15TokenInfo ::= [APPLICATION 6] SEQUENCE { tokenflags [0] PKCS15TokenFlags, supportedAlgorithms [1] SET OF PKCS15AlgorithmInfo } (CONSTRAINED BY { -- Each PKCS15AlgorithmInfo.reference -- value must be unique --}) PKCS15TokenFlags ::= BIT STRING { readonly (0), loginRequired (1), prnGeneration (2) } PKCS15AlgorithmInfo ::= SEQUENCE { reference PKCS15Reference, algorithm PKCS15-ALGORITHM.&id({PKCS15AlgorithmSet}), parameters PKCS15-ALGORITHM.&Parameters({PKCS15AlgorithmSet}{@algorithm}), supportedOperations PKCS15-ALGORITHM.&Operations({PKCS15AlgorithmSet}{@algorithm}) } pkcs15-alg-null PKCS15-ALGORITHM ::= { PARAMETERS NULL OPERATIONS {{generate-key}} ID 0} pkcs15-alg-rsa PKCS15-ALGORITHM ::= { PARAMETERS PKCS15RSAParameters OPERATIONS {PKCS15PublicKeyOperations} ID 1} pkcs15-alg-ec PKCS15-ALGORITHM ::= { PARAMETERS PKCS15ECParameters OPERATIONS {PKCS15PublicKeyOperations} ID 2} pkcs15-alg-dh PKCS15-ALGORITHM ::= { PARAMETERS PKCS15DHParameters OPERATIONS {PKCS15PublicKeyOperations} ID 3} pkcs15-alg-rc5cbc PKCS15-ALGORITHM ::= { PARAMETERS PKCS15RC5Parameters OPERATIONS {PKCS15SecretKeyOperations} ID 4} pkcs15-alg-sha1 PKCS15-ALGORITHM ::= { PARAMETERS NULL OPERATIONS {PKCS15HashOperations} ID 5} pkcs15-alg-hmac-sha1 PKCS15-ALGORITHM ::= { PARAMETERS NULL OPERATIONS {PKCS15HashOperations} ID 6} PKCS15AlgorithmSet PKCS15-ALGORITHM ::= { pkcs15-alg-null | pkcs15-alg-rsa | pkcs15-alg-ec | pkcs15-alg-dh | pkcs15-alg-rc5cbc | pkcs15-alg-sha1 | pkcs15-alg-hmac-sha1, ...} PKCS15RSAParameters ::= NULL PKCS15ECParameters ::= Parameters -- See ANSI X9.62 PKCS15DHParameters ::= DomainParameters -- See ANSI X9.42 PKCS15RC5Parameters ::= SEQUENCE { wordsize INTEGER (16|32|64), rounds INTEGER (0..255) } PKCS15-ALGORITHM ::= CLASS { &id INTEGER UNIQUE, &Parameters, &Operations PKCS15Operations } WITH SYNTAX { PARAMETERS &Parameters OPERATIONS &Operations ID &id} PKCS15PublicKeyOperations ::= PKCS15Operations PKCS15SecretKeyOperations ::= PKCS15Operations PKCS15HashOperations ::= PKCS15Operations({hash}) PKCS15Operations ::= BIT STRING { compute-checksum (0), -- H/W computation of checksum compute-signature (1), -- H/W computation of signature verify-checksum (2), -- H/W verification of checksum verify-signature (3), -- H/W verification of signature encipher (4), -- H/W encryption of data decipher (5), -- H/W decryption of data hash (6), -- H/W hashing generate-key (7) -- H/W key generation } The use of [APPLICATION 6] is for conformance with ISO/IEC 7816-6. The interpretation of these fields should be as follows: * PKCS15TokenInfo.tokenflags: This field will contain information about the token per se, e.g. if the whole PKCS#15 application is read-only, if login (i.e. authentication) is required before accessing any data, and if the token supports pseudo random number generation. * PKCS15TokenInfo.supportedAlgorithms: The intent of this field is to indicate cryptographic algorithms, associated parameters and operations supported by the card. The 'reference' field of PKCS15AlgorithmInfo is a unique reference which is used for cross-reference purposes from PrKDFs, PuKDFs and SKDFs. Values of the PKCS15Commands field ('compute-checksum', 'compute-signature', 'verify-checksum', 'verify-signature', 'encipher', 'decipher', 'hash' and 'derive-key') signals the operations the token can perform with a particular algorithm. 8 ASN.1 Module This section includes all of the ASN1 type, value and information object class definitions contained in this recommendation, in the form of the ASN.1 module PKCS15Framework. ---- PKCS15Framework {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 15} DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS All -- -- All types and values defined in this module is exported for use in other -- ASN.1 modules. IMPORTS informationFramework, authenticationFramework, selectedAttributeTypes FROM UsefulDefinitions {joint-iso-ccitt ds(5) modules(1) usefulDefinitions(0) 3} Name, ATTRIBUTE FROM InformationFramework informationFramework CertificateSerialNumber, SIGNED{} FROM AuthenticationFramework authenticationFramework DirectoryString FROM SelectedAttributeTypes selectedAttributeTypes Parameters FROM ANSI-X9-62 {iso(1) member-body(2) us(840) ansi-x962(10045) module(4) 1} DomainParameters FROM ANSI-X9-42 {iso(1) member-body(2) us(840) ansi-x942(10046) module(5) 1}; -- Constants pkcs15-ub-identifier INTEGER ::= 32 pkcs15-ub-reference INTEGER ::= 127 pkcs15-ub-index INTEGER ::= 65535 pkcs15-ub-label INTEGER ::= pkcs15-ub-identifier pkcs15-lb-minPinLength INTEGER ::= 4 pkcs15-ub-minPinLength INTEGER ::= 8 pkcs15-ub-storedPinLength INTEGER ::= 64 -- Basic types PKCS15Identifier ::= OCTET STRING (SIZE (1..pkcs15-ub-identifier)) PKCS15Reference ::= INTEGER (0..pkcs15-ub-reference) PKCS15Label ::= UTF8String (SIZE (1..pkcs15-ub-label)) PKCS15ReferencedValue ::= CHOICE { path [0] PKCS15Path, url [1] PrintableString } PKCS15Path ::= SEQUENCE { path [APPLICATION 17] OCTET STRING, --See ISO7816-5 index INTEGER (1..pkcs15-ub-index) OPTIONAL, length [0] INTEGER (1..pkcs15-ub-index) OPTIONAL } (WITH COMPONENTS {..., index PRESENT, length PRESENT} | WITH COMPONENTS {..., index ABSENT, length ABSENT}) PKCS15ObjectValue { Type } ::= CHOICE { indirect [0] PKCS15ReferencedValue, direct [1] Type } (CONSTRAINED BY {-- if indirection is being used, -- then it is expected that the reference points -- either to an object of type -- Type -- or (key -- case) to a card-specific key file --}) PKCS15PathOrObjects {ObjectType} ::= CHOICE { path [0] PKCS15Path, objects [1] SEQUENCE OF ObjectType, encrypted [2] PKCS15-ENCRYPTED {SEQUENCE OF ObjectType} } PKCS15-ENCRYPTED {Type} ::= SEQUENCE { algId AlgorithmIdentifier, data OCTET STRING } (CONSTRAINED BY {-- the contents of data must be the result -- of applying the given algorithm identifier to the complete -- DER-encoding (excluding the outermost tag and length bytes) -- of the value denoted by -- Type}) PKCS15-OPTIONALLY-SIGNED { ToBeSigned } ::= CHOICE { unsigned-data [0] ToBeSigned, signed-data [1] SIGNED {ToBeSigned } } -- PKCS15 Object attributes and associated types -- PKCS15CommonObjectAttributes ::= SEQUENCE { label PKCS15Label, flags PKCS15CommonObjectFlags, authId PKCS15Identifier OPTIONAL } (CONSTRAINED BY {-- authId must be present in the IC Card -- case if flags.private is set. It must equal an -- authID in one AuthRecord in the -- AuthInfo file. --}) PKCS15CommonObjectFlags ::= BIT STRING { private(0), modifiable (1) } PKCS15CommonKeyAttributes ::= SEQUENCE { iD PKCS15Identifier, usage PKCS15KeyUsageFlags, info [0] PKCS15CommonKeyInfo OPTIONAL, -- if not present, the value '0'B is assumed key-reference [1] PKCS15Reference OPTIONAL, startDate [2] GeneralizedTime OPTIONAL, endDate [3] GeneralizedTime OPTIONAL } PKCS15KeyUsageFlags ::= BIT STRING { encrypt (0), decrypt (1), sign (2), signRecover (3), wrap (4), unwrap (5), verify (6), verifyRecover (7), nonRepudiation (8) } PKCS15CommonKeyInfo ::= BIT STRING { derive (0), local (1) } PKCS15CommonPrivateKeyAttributes ::= SEQUENCE { access-flags PKCS15KeyAccessFlags OPTIONAL, keyHash OCTET STRING (SIZE(20)) OPTIONAL } PKCS15KeyAccessFlags ::= BIT STRING { sensitive (0), extractable (1), alwaysSensitive (2), neverExtractable(3) } PKCS15CommonSecretKeyAttributes ::= SEQUENCE { access-flags PKCS15KeyAccessFlags OPTIONAL, keyLen INTEGER OPTIONAL -- Used keylength (in bits) } PKCS15CommonPublicKeyAttributes ::= SEQUENCE { access-flags PKCS15KeyAccessFlags OPTIONAL, ... -- More attributes TBD? } PKCS15KeyInfo {ParameterType, OperationsType} ::= CHOICE { reference PKCS15Reference, paramsAndOps SEQUENCE { parameters ParameterType, supportedOperations OperationsType OPTIONAL} } PKCS15CommonCertificateAttributes ::= SEQUENCE { iD PKCS15Identifier, flags PKCS15CommonCertificateFlags } PKCS15CommonCertificateFlags ::= BIT STRING { caCert (0), trusted (1), verified (2) } PKCS15CommonDataObjectAttributes ::= SEQUENCE { applicationName PKCS15Label OPTIONAL, applicationOID OBJECT IDENTIFIER OPTIONAL } (CONSTRAINED BY {-- at least one value must be present --}) PKCS15CommonAuthenticationObjectAttributes ::= SEQUENCE { authId PKCS15Identifier, ... -- More TBD? } PKCS15PrivateRSAKeyAttributes ::= SEQUENCE { keyInfo PKCS15KeyInfo {PKCS15RSAParameters, PKCS15PublicKeyOperations}, modulusLength INTEGER, -- modulus length in bits, e.g. 1024 value PKCS15ObjectValue {PKCS15RSAPrivateKey} } PKCS15RSAPrivateKey ::= SEQUENCE { modulus [0] INTEGER OPTIONAL, -- n publicExponent [1] INTEGER OPTIONAL, -- e privateExponent [2] INTEGER OPTIONAL, -- d prime1 [2] INTEGER OPTIONAL, -- p prime2 [3] INTEGER OPTIONAL, -- q exponent1 [4] INTEGER OPTIONAL, -- d mod (p-1) exponent2 [5] INTEGER OPTIONAL, -- d mod (q-1) coefficient [6] INTEGER OPTIONAL -- inv(q) mod p } (CONSTRAINED BY {-- must be possible to reconstruct modulus and -- privateExponent from selected fields --}) PKCS15PrivateECKeyAttributes ::= SEQUENCE { keyInfo PKCS15KeyInfo {PKCS15ECParameters, PKCS15PublicKeyOperations}, value PKCS15ObjectValue {PKCS15ECPrivateKey} } PKCS15ECPrivateKey ::= INTEGER PKCS15RC5KeyAttributes ::= PKCS15SecretKeyAttributes {PKCS15RC5Parameters} PKCS15SecretKeyAttributes {ParamType} ::= SEQUENCE { keyInfo PKCS15KeyInfo {ParamType, PKCS15SecretKeyOperations}, value PKCS15ObjectValue { OCTET STRING } } PKCS15X509CertificateAttributes ::= SEQUENCE { subject [1] Name OPTIONAL, issuer [2] Name OPTIONAL, serialNumber [3] CertificateSerialNumber OPTIONAL, value PKCS15ObjectValue { Certificate } } PKCS15X509AttributeCertificateAttributes ::= SEQUENCE { subject [1] GeneralNames OPTIONAL, issuer [2] GeneralNames OPTIONAL, serialNumber [3] CertificateSerialNumber OPTIONAL, value PKCS15ObjectValue { AttributeCertificate } } PKCS15LoginObjectAttributes ::= SEQUENCE { value PKCS15ObjectValue { PKCS15LoginObject } } PKCS15LoginObject ::= SEQUENCE { userName DirectoryString {pkcs15-ub-identifier}, password OCTET STRING (SIZE(1..MAX)), userRole DirectoryString {pkcs15-ub-identifier} OPTIONAL } PKCS15ExternalIDO ::= PKCS15ObjectValue {PKCS15IDOs} PKCS15IDOs ::= CHOICE { applicationTemplate [APPLICATION 1] PKCS15External, cardHolderData [APPLICATION 5] PKCS15External, cardData [APPLICATION 6] PKCS15External, authenticationData [APPLICATION 7] PKCS15External, applicationRelatedData [APPLICATION 14] PKCS15External } PKCS15External ::= SET { -- Possible data elements are defined in ISO/IEC 7816-6 } PKCS15PinAttributes ::= SEQUENCE { pinFlags PKCS15PinFlags, pinType PKCS15PinType, minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength), storedLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-storedPinLength), padChar OCTET STRING (SIZE(1)) OPTIONAL, path PKCS15Path, pinExpirationDate GeneralizedTime OPTIONAL } PKCS15PinFlags ::= BIT STRING { case-sensitive (0), local (1), change-disabled (2), unblock-disabled (3), initialized (4), needs-padding (5) } PKCS15PinType ::= INTEGER {bcd(0), ascii-numeric(1), utf8(2) -- bcd = one nibble contains one digit -- ascii-numeric = one byte contains one ASCII digit } -- PKCS15 objects and associated types PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes} ::= SEQUENCE { commonObjectAttributes PKCS15CommonObjectAttributes, classAttributes ClassAttributes, subClassAttributes [0] SubClassAttributes OPTIONAL, typeAttributes TypeAttributes } PKCS15PrivateKeyObject {KeyAttributes} ::= PKCS15Object { PKCS15CommonKeyAttributes, PKCS15CommonPrivateKeyAttributes, KeyAttributes} PKCS15SecretKeyObject {KeyAttributes} ::= PKCS15Object { PKCS15CommonKeyAttributes, PKCS15CommonSecretKeyAttributes, KeyAttributes} PKCS15PublicKeyObject {KeyAttributes} ::= PKCS15Object { PKCS15CommonKeyAttributes, PKCS15CommonPublicKeyAttributes, KeyAttributes} PKCS15CertificateObject {CertAttributes} ::= PKCS15Object { PKCS15CommonCertificateAttributes, NULL, CertAttributes} PKCS15DataObject {DataObjectAttributes} ::= PKCS15Object { PKCS15CommonDataObjectAttributes, NULL, DataObjectAttributes} PKCS15AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object { PKCS15CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes} -- 'Container' types PKCS15ODF ::= OPTIONALLY-SIGNED { PKCS15ObjectSequence } PKS15ObjectSequence ::= SEQUENCE{ version INTEGER {v1(0)}(v1), pkcs15objects SEQUENCE OF PKCS15Objects } PKCS15Objects ::= CHOICE { privateKeys [0] PKCS15PrivateKeys, publicKeys [1] PKCS15PublicKeys, secretKeys [2] PKCS15SecretKeys, certificates [3] PKCS15Certificates, dataObjects [4] PKCS15DataObjects, authObjects [5] PKCS15AuthObjects ... -- Allow for future expansion } PKCS15PrivateKeys ::= PKCS15PathOrObjects {PKCS15PrivateKey} PKCS15SecretKeys ::= PKCS15PathOrObjects {PKCS15SecretKey} PKCS15PublicKeys ::= PKCS15PathOrObjects {PKCS15PublicKey} PKCS15Certificates ::= PKCS15PathOrObjects {PKCS15Certificate} PKCS15DataObjects ::= PKCS15PathOrObjects {PKCS15Data} PKCS15AuthObjects ::= PKCS15PathOrObjects {PKCS15Authentication} PKCS15PrivateKey ::= CHOICE { privateRSAKey [0] PKCS15PrivateKeyObject { PKCS15PrivateRSAKeyAttributes}, privateECKey [1] PKCS15PrivateKeyObject { PKCS15PrivateECKeyAttributes}, ... -- More private key types TBD -- } PKCS15SecretKey ::= CHOICE { rc5Key [0] PKCS15SecretKeyObject {PKCS15RC5KeyAttributes}, ... -- More secret key types TBD } PKCS15PublicKey ::= CHOICE { null [0] NULL, ... -- More public key types TBD } PKCS15Certificate ::= CHOICE { x509Certificate [0] PKCS15CertificateObject { PKCS15X509CertificateAttributes}, x509AttributeCertificate [1] PKCS15CertificateObject { PKCS15X509AttributeCertificateAttributes}, ... -- More certificate types TBD } PKCS15Data ::= CHOICE { loginDataObject [0] PKCS15DataObject { PKCS15LoginObjectAttributes}, externalIDO [1] PKCS15DataObject { PKCS15ExternalIDO} -- More TBD ? } PKCS15Authentication ::= CHOICE { pinObject [0] PKCS15AuthenticationObject { PKCS15PinAttributes}, ... -- Allow for future extensions, e.g. biometric -- authentication objects } PKCS15TokenInfo ::= [APPLICATION 6] IMPLICIT SEQUENCE { tokenflags [0] PKCS15TokenFlags, supportedAlgorithms [1] SET OF PKCS15AlgorithmInfo } (CONSTRAINED BY {-- Each PKCS15AlgorithmInfo.reference -- value must be unique --}) PKCS15TokenFlags ::= BIT STRING { readonly (0), loginRequired (1), prnGeneration (2) } PKCS15AlgorithmInfo ::= SEQUENCE { reference PKCS15Reference, algorithm PKCS15-ALGORITHM.&id({PKCS15AlgorithmSet}), parameters PKCS15-ALGORITHM.&Parameters({PKCS15AlgorithmSet}{@algorithm}), supportedOperations PKCS15-ALGORITHM.&Operations({PKCS15AlgorithmSet}{@algorithm}) } -- PKCS15 algorithms amd operations pkcs15-alg-null PKCS15-ALGORITHM ::= { PARAMETERS NULL OPERATIONS {{generate-key}} ID 0} pkcs15-alg-rsa PKCS15-ALGORITHM ::= { PARAMETERS PKCS15RSAParameters OPERATIONS {PKCS15PublicKeyOperations} ID 1} pkcs15-alg-ec PKCS15-ALGORITHM ::= { PARAMETERS PKCS15ECParameters OPERATIONS {PKCS15PublicKeyOperations} ID 2} pkcs15-alg-dh PKCS15-ALGORITHM ::= { PARAMETERS PKCS15DHParameters OPERATIONS {PKCS15PublicKeyOperations} ID 3} pkcs15-alg-rc5cbc PKCS15-ALGORITHM ::= { PARAMETERS PKCS15RC5Parameters OPERATIONS {PKCS15SecretKeyOperations} ID 4} pkcs15-alg-sha1 PKCS15-ALGORITHM ::= { PARAMETERS NULL OPERATIONS {PKCS15HashOperations} ID 5} pkcs15-alg-hmac-sha1 PKCS15-ALGORITHM ::= { PARAMETERS NULL OPERATIONS {PKCS15HashOperations} ID 6} PKCS15AlgorithmSet PKCS15-ALGORITHM ::= { pkcs15-alg-null | pkcs15-alg-rsa | pkcs15-alg-ec | pkcs15-alg-dh | pkcs15-alg-rc5cbc | pkcs15-alg-sha1 | pkcs15-alg-hmac-sha1, ...} PKCS15RSAParameters ::= NULL PKCS15ECParameters ::= Parameters -- See ANSI X9.62 PKCS15DHParameters ::= DomainParameters -- See ANSI X9.42 PKCS15RC5Parameters ::= SEQUENCE { wordsize INTEGER (16|32|64), rounds INTEGER (0..255) } PKCS15-ALGORITHM ::= CLASS { &id INTEGER UNIQUE, &Parameters, &Operations PKCS15Operations } WITH SYNTAX { PARAMETERS &Parameters OPERATIONS &Operations ID &id} -- PKCS15 operations PKCS15PublicKeyOperations ::= PKCS15Operations PKCS15SecretKeyOperations ::= PKCS15Operations PKCS15HashOperations ::= PKCS15Operations({hash}) PKCS15Operations ::= BIT STRING { compute-checksum (0), -- H/W computation of checksum compute-signature (1), -- H/W computation of signature verify-checksum (2), -- H/W verification of checksum verify-signature (3), -- H/W verification of signature encipher (4), -- H/W encryption of data decipher (5), -- H/W decryption of data hash (6), -- H/W hashing generate-key (7) -- H/W key generation } END 9 Revision History Version 0.1 The first draft version of this document was posted in September 1998. Version 0.2 The second draft version of this document was posted for the PKCS Workshop in October 1998. Version 0.3 This is the third draft, posted for public review in November 1998. Changes in this version are based on feedback both from the pkcs-tng mailing list and from the workshop. Appendix A: File Access Conditions (Informational) A.1 Scope This appendix is only applicable to IC Card implementations. A.2 Background Since this recommendation is intended to be independent of particular IC card brands and models, we define 'generic' IC card access methods which should be straightforward to map to actual IC card operating system-native commands (assuming the card is an ISO/IEC 7816-4 compliant IC card). A.3 Read-Only and Read-Write cards Access conditions for files in the PKCS15 application can be set up differently depending on if the application is to be read-only or read-write. A read-only card might be desired for high-security purposes, for example when it has been issued using a secure issuing process, and it is to be certain that it can not be manipulated afterwards. The following is a table of different possible access methods, which is a superset of the 'PKCS15Operations' type. These are generic methods which should be possible to map to all different IC card types (sometimes the mapping might turn out to be a 'No-Op', because the card does not support any similar operation). The exact access methods, and their meaning, varies for each IC card type. In the table, a '*' indicates that the operation is only relevant for files containing keys. File type Access method Meaning --------------------------------------- DF Create Allows new files, both EFs and DFs to be created in the DF. Delete Allows files in the DF to be deleted. Relevant only for cards which support deletion. EF Read The file contents are allowed to be read. Update The file contents are allowed to be updated. Append Information is allowed to be appended to the file Compute checksum * The file can be used when computing a checksum Compute Signature * The file can be used when computing a signature Verify checksum * The file can be used when verifying a checksum Verify signature * The file can be used when verifying a signature Encipher * The file can be used in an enciphering operation Decipher * The file can be used in a deciphering operation Table 3: File access methods Note that it is the directory's access methods, and not the files', which decide if files in the directory are allowed to be created or deleted. Each access method can have the following conditions. These are also generic and should be possible to implement on all IC card types. Type Meaning --------------- NEV The operation is never allowed, not even after cardholder verification. ALW The operation is always allowed, without cardholder verification. CHV The operation is allowed after a successful card holder verification. SYS The operation is allowed after a system key presentation, typically available only to the card issuer (The Security Officer case) Table 4: Possible access conditions The following access conditions are recommended for files related to the PKCS#15 application: File DF R/O card R/W card ------------------------------------------------------------ MF X Create: SYS Same as for R/O card. Delete: SYS PIN files Read: NEV Read: NEV Update: NEV Update: CHV Append: NEV Append: NEV PKCS15 X Create: SYS Create: CHV Delete: SYS Delete: CHV TokenInfo Read: ALW Same as for R/O card. Update: NEV Append: NEV ODF Read: ALW Read: ALW Update: NEV Update: CHV Append: SYS/NEV Append: CHV AODFs Read: ALW Read: ALW Update: NEV Update: NEV/CHV/SYS Append: NEV Append: NEV/CHV/SYS PrKDFs, PuKDFs, SKDFs, CDFs and DODFs Read: ALW/CHV Read: ALW/CHV Update: NEV Update: CHV Append: SYS/NEV Append: CHV Other EFs Read: ALW/CHV Read: ALW/CHV Update: NEV Update: CHV Append: SYS/NEV Append: CHV Crypto-related Crypto-related commands: CHV commands: CHV (if applicable) (if applicable) Table 5: Access conditions for the files The difference between a read-only and a read-write (R-W) card is basically the following: For a R-W card, new files are allowed to be created (to allow addition of new objects) and the ODF file and some EFs (E.g. CDFs only containing references to public objects) are allowed to be updated (to allow adding info about new objects) after correct cardholder verification. It is also possible to replace files on a R-W card. It is recommended that all cards be personalized with the read-write access control settings, unless they are issued for an environment with high security requirements. Appendix B: An Electronic Identification Profile of PKCS#15 This section describes a profile of PKCS#15 suitable for electronic identification (EID) purposes. B.1 PKCS#15 objects Private Keys: A PKCS#15 token issued for EID purposes must contain at least two private keys, of which one should be usable for digital signature purposes and have it's key usage flags set to nonRepudiation only. The union of the key usage flags for the other keys should contain the values 'sign' and 'decrypt'. Authentication objects or encryption must protect all private keys. The nonRepudiation key should be protected with an authentication object used only for this key (alternatively: encrypted with a separate key/password). The key length must be sufficient for intended purposes (e.g. 1024 bits or more in the RSA case and 160 bits or more in the EC case, assuming all other parameters has been chosen in a secure manner). Secret Keys: No requirements. Public Keys: No requirements. Certificates: For each private key at least one corresponding certificate should reside on the card. The certificates shall be of type PKCS15X509Certificate. It is recommended that CA certificates for the issuer of the cardholder's certificates also resides on the card, if space permits. Data objects: No requirements. Authentication objects: As follows from the description above, in the case of an IC Card capable of protecting files with authentication objects, at least two authentication objects must be present on the card. If PIN protection is being used, the PIN must be at least 4 characters long. B.2 Access Control Rules On cryptographically capable IC cards, The private keys must be private objects, and marked as 'sensitive'. Files, which contain private keys, should be protected against deleting and overwriting. The EF(ODF) file should only allow appending records. Appendix C: Examples Note that, similar to section 6.1, when this section talks about or describes 'contents' of IC Card files, this is just a shorthand notation for 'the contents of the files as it appears to someone using standard IC Card commands in accordance with ISO/IEC 7816-4 to access them'. C.1 Example of EF(TokenInfo) Example contents of EF(TokenInfo) for an IC Card with on-chip support for EC algorithm computation and pseudo-random number generation 66 1C 81 02 00 01 -- Flags: prnGeneration A2 16 -- Supported algorithms 30 14 -- 1st supported algorithm 02 01 00 -- Reference #0 02 01 02 -- EC algorithm 06 08 2A 86 48 CE 3D 03 00 01 -- Parameters (from X9.62, the -- 'namedCurve' alternative -- (the curve c2pnb163v1 ) 03 02 02 5C -- Supported operations: Compute and verify -- signatures, encipher and decipher. C.2 Example of a whole PKCS15 application The IC Card in this example has on-chip support for RSA and RC5 algorithm computation in addition to pseudo-random number generation. The PKCS15 application is profiled for use in an electronic identification environment, with two RSA key pairs and two certificates. One key pair is only to be used for non-repudiation purposes and is protected with a separate authentication object (a PIN). There is also a private data object belonging to an application named 'APP'. The total overhead for storing PKCS#15 relevant information is in this case 460 bytes, but without the data object belonging to the 'APP' application it would have been 402 bytes. C.2.1 EF(TokenInfo) 66 28 81 02 00 01 -- Flags: prnGeneration A2 22 -- Supported algorithms 30 0C -- 1st supported algorithm 02 01 00 -- Reference #0 02 01 01 -- RSA Algorithm 05 00 -- NULL parameters 03 02 03 44 -- Supported operations: Compute signature, -- decipher 30 12 -- 2nd supported algorithm 02 01 01 -- Reference #1 02 01 04 -- RC5 CBC algorithm 30 06 -- RC5 Parameters for this token 02 01 20 -- Word size 02 01 10 -- # of rounds 03 02 00 CD -- Supported operations: Compute & verify checksum, -- encipher & decipher and generate key The total size of the data is 42 bytes. C.2.2 EF(ODF) A0 0C -- PKCS15PrivateKeys A0 0A -- PKCS15PathOrObjects, 'path' alternative 30 08 -- PKCS15Path SEQUENCE 51 06 3F 00 50 15 44 01 -- path (to PrKDF) A3 0C -- PKCS15Certificates A0 0A -- PKCS15PathOrObjects, 'path' alternative 30 08 -- PKCS15Path SEQUENCE 51 06 3F 00 50 15 44 02 -- path (to CDF) A4 0C -- PKCS15DataObjects A0 0A -- PKCS15PathOrObjects, 'path' alternative 30 08 -- PKCS15Path SEQUENCE 51 06 3F 00 50 15 44 03 -- path (to DODF) A5 0C -- PKCS15AuthenticationObjects A0 0A -- PKCS15PathOrObjects, 'path' alternative 30 08 -- PKCS15Path SEQUENCE 51 06 3F 00 50 15 44 04 -- path (to AODF) As can be seen, the ODF simply consists of four records, and the total size of the data is 56 bytes. C.2.3 EF(PrKDF) A0 4D -- privateRSAKey #1 30 0D -- Common object attributes SEQUENCE 0C 04 4B 45 59 31 -- UTF8String (Label: "KEY1") 03 02 01 02 -- flags 'private' 04 01 01 -- identifier '01'H for authentication object 30 0B -- Common key attributes SEQUENCE 04 01 45 -- identifier '45'H for the key object 03 03 03 00 C8 -- usage: decrypt, sign, unwrap 02 01 01 -- card specific key reference A0 1A -- Common private key attributes SEQUENCE 03 02 00 0B -- access-flags: (always) sensitive, never -- extractable 04 14 32 45 DF 2D A4 58 4C 34 45 1A AA AD F4 42 54 78 23 18 19 20 -- sha1 hash of modulus of the key 30 13 -- PKCS15PrivateRSAKeyAttributes 02 01 00 -- reference to corresponding entry in -- EF(TokenInfo) 02 02 04 00 -- modulus length (1024 bits) A0 0A -- value - indirect A0 08 -- PKCS15Path 51 06 3F 00 50 15 4B 01 -- path: 3F00/5015/4B01 A0 4D -- privateRSAKey #2 30 0D -- Common object attributes SEQUENCE 0C 04 4B 45 59 32 -- UTF8String (Label: "KEY2") 03 02 01 02 -- flags 'private' 04 01 02 -- identifier '02'H for authentication object 30 0B -- Common key attributes SEQUENCE 04 01 46 -- identifier '46'H for the key object 03 03 00 00 01 -- usage: nonRepudiation 02 01 02 -- card specific key reference A0 1A -- Common private key attributes SEQUENCE 03 02 00 0B -- access-flags: (always) sensitive, never -- extractable 04 14 32 45 DF 2D A4 58 4C 34 45 1A AA AD F4 42 54 78 23 18 19 20 -- sha1 hash of modulus of the key 30 13 -- PKCS15PrivateRSAKeyAttributes 02 01 00 -- reference to corresponding entry in -- EF(TokenInfo) 02 02 04 00 -- modulus length (1024 bits) A0 0A -- value - indirect A0 08 -- PKCS15Path 51 06 3F 00 50 15 4B 01 -- path: 3F00/5015/4B01 The content of files 3F00/5015/4B01 and 3F00/5015/4B02 is completely card-specific. Operations possible to perform with keys in these files can be deduced by looking at the contents of the TokenInfo file. The size of the data is 158 bytes (two records of 79 bytes each). C.2.4 EF(CDF) A0 20 -- X509Certificate #1 30 09 -- Common object attributes SEQUENCE 0C 05 43 45 52 54 31 -- UTF8String (Label: "CERT1") 03 00 -- flags (not 'private', not 'modifiable') 30 05 -- Common certificate attributes SEQUENCE 04 01 45 -- identifier '45'H - binds this cert to 'KEY1' 03 00 -- not a 'caCert', 'trusted' and 'verified' w/o -- meaning, users own cert. 30 0C -- PKCS15X509CertificateAttributes A0 0A -- value - indirect A0 08 -- PKCS15Path 51 06 3F 00 50 15 43 31 -- path: 3F00/5015/4331 A0 20 -- X509Certificate #2 30 09 -- Common object attributes SEQUENCE 0C 05 43 45 52 54 32 -- UTF8String (Label: "CERT2") 03 00 -- flags (not 'private', not 'modifiable') 30 05 -- Common certificate attributes SEQUENCE 04 01 46 -- identifier '46'H - binds this cert to 'KEY2' 03 00 -- not a 'caCert', 'trusted' and 'verified' w/o -- meaning, users own cert. 30 0C -- PKCS15X509CerttificateAttributes A0 0A -- value - indirect A0 08 -- PKCS15Path 51 06 3F 00 41 4E 43 31 -- path: 3F00/414E/4331 Files 3F00/5015/4331 and 3F00/414E/4331 should contain DER-encoded certificate structures in accordance with ISO/IEC 9594-8. Note that the second certificate resides in a different DF under the MF in this example. The size of the data is 68 bytes (two records of 34 bytes each). C.2.5 EF(AODF) A0 2B -- PIN object #1 30 0A -- Common object attributes SEQUENCE 0C 04 50 49 4E 31 -- UTF8String (Label: "PIN1") 03 02 01 02 -- flags ('private', not 'modifiable') 30 03 -- Common authentication object attributes 04 01 01 -- authentication object identifier, binds to -- 'KEY1' 30 18 -- PKCS15PinAttributes 03 02 00 0B -- pinFlags ('change-disabled', 'initialized' -- and 'needs-padding') 02 01 00 -- pinType ('bcd-numeric') 02 01 04 -- minLength 02 01 08 -- storedLength 04 01 FF -- padding character 'FF' 30 06 -- path SEQUENCE 51 04 3F 00 00 00 -- path: 3F00/0000 (Global PIN file) A0 2D -- PIN object #2 30 0A -- Common object attributes SEQUENCE 0C 04 50 49 4E 32 -- UTF8String (Label: "PIN2") 03 02 01 02 -- flags ('private', not 'modifiable') 30 03 -- Common authentication object attributes 04 01 02 -- authentication object identifier - binds to -- 'KEY2' 30 1A -- PKCS15PinAttributes 03 02 00 13 -- pinFlags ('local', 'initialized' and -- 'needs-padding') 02 01 00 -- pinType ('bcd-numeric') 02 01 04 -- minLength 02 01 08 -- storedLength 04 01 FF -- padding character 'FF' 30 08 -- path SEQUENCE 51 06 3F 00 50 15 01 00 -- path: 3F00/5015/0100 The content of files 3F00/5015/0100 and 3F00/0000 is card specific and not specified in PKS#15. The size of the data is 92 bytes (one record of length 45 bytes, the other of length 47 bytes). C.2.6 EF(DODF) A1 2A -- External IDO 30 10 -- Common object attributes SEQUENCE 0C 07 4F 42 4A 45 43 54 31 -- UTF8String (label: "OBJECT1") 03 02 00 03 -- flags ('private' and 'modifiable') 04 01 02 -- protected by authenticaion object '2'H 30 05 -- Common data object attributes 0C 03 41 50 50 -- application name 'APP' A0 0F -- value - indirect A0 0D -- PKCS15Path 51 06 3F 00 50 15 44 31 -- path: 3F00/5015/4431 02 01 03 -- index: 3 02 00 -- length: 0 (Conclusion: this is a record -- oriented file) The size of the data is 44 bytes (one record). The data entry in file 3F00/5015/4431 may look like: 6E 00 -- Application related data template .. -- Any application related DOs (tags to use are -- defined in ISO/IEC 7816-6) C.3 Software example This example is the equivalent of the example in the previous section, only implemented in software (one file). The TokenInfo type is not relevant in this case and omitted. The whole PKCS15ODF type is being used and the 'SIGNED' option as well. Private RSA keys are encrypted with pbeWithMD5AndDESCBC [PKCS#5], each with a separate password, in this example 'pkcs15_1' for the first key and 'pkcs15_2' for the second key. 30 00 -- TBD RSN About PKCS The Public-Key Cryptography Standards are specifications produced by RSA Laboratories in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptography. First published in 1991 as a result of meetings with a small group of early adopters of public-key technology, the PKCS documents have become widely referenced and implemented. Contributions from the PKCS series have become part of many formal and de facto standards, including ANSI X9.45, PKIX, SET, S/MIME, and SSL. Further development of PKCS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, contact: PKCS Editor RSA Laboratories 2955 Campus Drive, Suite 400 San Mateo, CA 94403-2507 USA (650) 295-7600 (650) 295-7700 (fax) pkcs-editor@rsa.com http://www.rsa.com/rsalabs/pubs/PKCS