diff options
Diffstat (limited to 'epan/dissectors/asn1/cms')
-rw-r--r-- | epan/dissectors/asn1/cms/AttributeCertificateVersion1.asn | 51 | ||||
-rw-r--r-- | epan/dissectors/asn1/cms/CMSFirmwareWrapper.asn | 220 | ||||
-rw-r--r-- | epan/dissectors/asn1/cms/CMakeLists.txt | 52 | ||||
-rw-r--r-- | epan/dissectors/asn1/cms/CryptographicMessageSyntax.asn | 485 | ||||
-rw-r--r-- | epan/dissectors/asn1/cms/cms.cnf | 293 | ||||
-rw-r--r-- | epan/dissectors/asn1/cms/packet-cms-template.c | 211 | ||||
-rw-r--r-- | epan/dissectors/asn1/cms/packet-cms-template.h | 20 |
7 files changed, 1332 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/cms/AttributeCertificateVersion1.asn b/epan/dissectors/asn1/cms/AttributeCertificateVersion1.asn new file mode 100644 index 00000000..1187616e --- /dev/null +++ b/epan/dissectors/asn1/cms/AttributeCertificateVersion1.asn @@ -0,0 +1,51 @@ +-- Extracted from RFC5652 +AttributeCertificateVersion1 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) v1AttrCert(15) } + +DEFINITIONS IMPLICIT TAGS ::= +BEGIN + +-- EXPORTS All + +IMPORTS + -- Directory Authentication Framework (X.509) + AttCertValidityPeriod, Extensions, IssuerSerial + FROM AuthenticationFramework { joint-iso-itu-t ds(5) + module(1) authenticationFramework(7) 3 } + + GeneralNames + FROM CertificateExtensions { joint-iso-ccitt ds(5) + module(1) certificateExtensions(26) 0 } + + UniqueIdentifier + FROM SelectedAttributeTypes { joint-iso-itu-t ds(5) module(1) + selectedAttributeTypes(5) 3 }; + + +-- Definition extracted from X.509-1997 [X.509-97], but +-- different type names are used to avoid collisions. + +AttributeCertificateV1 ::= SEQUENCE { + acInfo AttributeCertificateInfoV1, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING } + +AttributeCertificateInfoV1 ::= SEQUENCE { + version AttCertVersionV1 DEFAULT v1, + subject CHOICE { + baseCertificateID [0] IssuerSerial, + -- associated with a Public Key Certificate + subjectName [1] GeneralNames }, + -- associated with a name + issuer GeneralNames, + signature AlgorithmIdentifier, + serialNumber CertificateSerialNumber, + attCertValidityPeriod AttCertValidityPeriod, + attributes SEQUENCE OF Attribute, + issuerUniqueID UniqueIdentifier OPTIONAL, + extensions Extensions OPTIONAL } + +AttCertVersionV1 ::= INTEGER { v1(0) } + +END -- of AttributeCertificateVersion1 diff --git a/epan/dissectors/asn1/cms/CMSFirmwareWrapper.asn b/epan/dissectors/asn1/cms/CMSFirmwareWrapper.asn new file mode 100644 index 00000000..7842d648 --- /dev/null +++ b/epan/dissectors/asn1/cms/CMSFirmwareWrapper.asn @@ -0,0 +1,220 @@ +-- Verbatim copy of Appendix A of RFC 4108 followed by Errata ID 4093 + +CMSFirmwareWrapper + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) modules(0) cms-firmware-wrap(22) } + +DEFINITIONS IMPLICIT TAGS ::= BEGIN + +IMPORTS + EnvelopedData + FROM CryptographicMessageSyntax -- [CMS] + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) }; + + +-- Firmware Package Content Type and Object Identifier + +id-ct-firmwarePackage OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) ct(1) 16 } + +FirmwarePkgData ::= OCTET STRING + + +-- Firmware Package Signed Attributes and Object Identifiers + +id-aa-firmwarePackageID OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 35 } + +FirmwarePackageIdentifier ::= SEQUENCE { + name PreferredOrLegacyPackageIdentifier, + stale PreferredOrLegacyStalePackageIdentifier OPTIONAL } + +PreferredOrLegacyPackageIdentifier ::= CHOICE { + preferred PreferredPackageIdentifier, + legacy OCTET STRING } + +PreferredPackageIdentifier ::= SEQUENCE { + fwPkgID OBJECT IDENTIFIER, + verNum INTEGER (0..MAX) } + +PreferredOrLegacyStalePackageIdentifier ::= CHOICE { + preferredStaleVerNum INTEGER (0..MAX), + legacyStaleVersion OCTET STRING } + + +id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 36 } + +TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER + + +id-aa-decryptKeyID OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 37 } + +DecryptKeyIdentifier ::= OCTET STRING + + +id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 38 } + +ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER + +id-aa-implCompressAlgs OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 43 } + +ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER + + +id-aa-communityIdentifiers OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 40 } + +CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier + +CommunityIdentifier ::= CHOICE { + communityOID OBJECT IDENTIFIER, + hwModuleList HardwareModules } + +HardwareModules ::= SEQUENCE { + hwType OBJECT IDENTIFIER, + hwSerialEntries SEQUENCE OF HardwareSerialEntry } + + +HardwareSerialEntry ::= CHOICE { + all NULL, + single OCTET STRING, + block SEQUENCE { + low OCTET STRING, + high OCTET STRING } } + + +id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 42 } + +FirmwarePackageInfo ::= SEQUENCE { + fwPkgType INTEGER OPTIONAL, + dependencies SEQUENCE OF + PreferredOrLegacyPackageIdentifier OPTIONAL } + + +-- Firmware Package Unsigned Attributes and Object Identifiers + +id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 39 } + +WrappedFirmwareKey ::= EnvelopedData + + +-- Firmware Package Load Receipt Content Type and Object Identifier + +id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) ct(1) 17 } + +FirmwarePackageLoadReceipt ::= SEQUENCE { + version FWReceiptVersion DEFAULT v1, + hwType OBJECT IDENTIFIER, + hwSerialNum OCTET STRING, + fwPkgName PreferredOrLegacyPackageIdentifier, + trustAnchorKeyID OCTET STRING OPTIONAL, + decryptKeyID [1] OCTET STRING OPTIONAL } + +FWReceiptVersion ::= INTEGER { v1(1) } + + +-- Firmware Package Load Error Report Content Type +-- and Object Identifier + +id-ct-firmwareLoadError OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) ct(1) 18 } + +FirmwarePackageLoadError ::= SEQUENCE { + version FWErrorVersion DEFAULT v1, + hwType OBJECT IDENTIFIER, + hwSerialNum OCTET STRING, + errorCode FirmwarePackageLoadErrorCode, + vendorErrorCode VendorLoadErrorCode OPTIONAL, + fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL, + config [1] SEQUENCE OF CurrentFWConfig OPTIONAL } + +FWErrorVersion ::= INTEGER { v1(1) } + +CurrentFWConfig ::= SEQUENCE { + fwPkgType INTEGER OPTIONAL, + fwPkgName PreferredOrLegacyPackageIdentifier } + +FirmwarePackageLoadErrorCode ::= ENUMERATED { + decodeFailure (1), + badContentInfo (2), + badSignedData (3), + badEncapContent (4), + badCertificate (5), + badSignerInfo (6), + badSignedAttrs (7), + badUnsignedAttrs (8), + missingContent (9), + noTrustAnchor (10), + notAuthorized (11), + badDigestAlgorithm (12), + badSignatureAlgorithm (13), + unsupportedKeySize (14), + signatureFailure (15), + contentTypeMismatch (16), + badEncryptedData (17), + unprotectedAttrsPresent (18), + badEncryptContent (19), + badEncryptAlgorithm (20), + missingCiphertext (21), + noDecryptKey (22), + decryptFailure (23), + badCompressAlgorithm (24), + missingCompressedContent (25), + decompressFailure (26), + wrongHardware (27), + stalePackage (28), + notInCommunity (29), + unsupportedPackageType (30), + missingDependency (31), + wrongDependencyVersion (32), + insufficientMemory (33), + badFirmware (34), + unsupportedParameters (35), + breaksDependency (36), + otherError (99) } + +VendorLoadErrorCode ::= INTEGER + + +-- Other Name syntax for Hardware Module Name + +id-on-hardwareModuleName OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) on(8) 4 } + +HardwareModuleName ::= SEQUENCE { + hwType OBJECT IDENTIFIER, + hwSerialNum OCTET STRING } + + + +-- From Errata ID 4093: Elements defined Section 2.2.10 and missing in the appendix + +id-aa-fwPkgMessageDigest OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) aa(2) 41 } + +FirmwarePackageMessageDigest ::= SEQUENCE { + algorithm AlgorithmIdentifier, + msgDigest OCTET STRING } + +END diff --git a/epan/dissectors/asn1/cms/CMakeLists.txt b/epan/dissectors/asn1/cms/CMakeLists.txt new file mode 100644 index 00000000..6fc91bd2 --- /dev/null +++ b/epan/dissectors/asn1/cms/CMakeLists.txt @@ -0,0 +1,52 @@ +# CMakeLists.txt +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later +# + +set( PROTOCOL_NAME cms ) + +set( PROTO_OPT ) + +set( EXPORT_FILES + ${PROTOCOL_NAME}-exp.cnf +) + +set( EXT_ASN_FILE_LIST +) + +set( ASN_FILE_LIST + CryptographicMessageSyntax.asn + AttributeCertificateVersion1.asn + CMSFirmwareWrapper.asn +) + +set( EXTRA_DIST + ${ASN_FILE_LIST} + packet-${PROTOCOL_NAME}-template.c + packet-${PROTOCOL_NAME}-template.h + ${PROTOCOL_NAME}.cnf +) + +set( SRC_FILES + ${EXTRA_DIST} + ${EXT_ASN_FILE_LIST} +) + +set( A2W_FLAGS -b -C ) + +set( EXTRA_CNF + "${CMAKE_CURRENT_BINARY_DIR}/../x509af/x509af-exp.cnf" + "${CMAKE_CURRENT_BINARY_DIR}/../x509ce/x509ce-exp.cnf" + "${CMAKE_CURRENT_BINARY_DIR}/../x509if/x509if-exp.cnf" + "${CMAKE_CURRENT_BINARY_DIR}/../x509sat/x509sat-exp.cnf" +) + +set ( EXPORT_DEPENDS + "${CMAKE_CURRENT_BINARY_DIR}/../x509af/x509af-exp.cnf" +) + +ASN2WRS() diff --git a/epan/dissectors/asn1/cms/CryptographicMessageSyntax.asn b/epan/dissectors/asn1/cms/CryptographicMessageSyntax.asn new file mode 100644 index 00000000..a2b9d921 --- /dev/null +++ b/epan/dissectors/asn1/cms/CryptographicMessageSyntax.asn @@ -0,0 +1,485 @@ +-- Extracted from RFC5652 +-- and massaged/modified so it passes through our asn2wrs compiler + +CryptographicMessageSyntax + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } + +DEFINITIONS IMPLICIT TAGS ::= +BEGIN + +-- EXPORTS All +-- The types and values defined in this module are exported for use +-- in the other ASN.1 modules. Other applications may use them for +-- their own purposes. + +IMPORTS + -- Directory Information Framework (X.501) + Name + FROM InformationFramework { joint-iso-itu-t ds(5) modules(1) + informationFramework(1) 3 } + + -- Directory Authentication Framework (X.509) + AlgorithmIdentifier, AttributeCertificate, Certificate, + CertificateList, CertificateSerialNumber + FROM AuthenticationFramework { joint-iso-itu-t ds(5) + module(1) authenticationFramework(7) 3 } ; + + +-- Cryptographic Message Syntax + +ContentInfo ::= SEQUENCE { + contentType ContentType, + content [0] EXPLICIT ANY DEFINED BY contentType } + +ContentType ::= OBJECT IDENTIFIER + +SignedData ::= SEQUENCE { + version CMSVersion, + digestAlgorithms DigestAlgorithmIdentifiers, + encapContentInfo EncapsulatedContentInfo, + certificates [0] IMPLICIT CertificateSet OPTIONAL, + crls [1] IMPLICIT RevocationInfoChoices OPTIONAL, + signerInfos SignerInfos } + +DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier + +SignerInfos ::= SET OF SignerInfo + +-- Implemented by hand in the template +EncapsulatedContentInfo ::= SEQUENCE { + eContentType ContentType, + eContent [0] EXPLICIT OCTET STRING OPTIONAL } + +SignerInfo ::= SEQUENCE { + version CMSVersion, + sid SignerIdentifier, + digestAlgorithm DigestAlgorithmIdentifier, + signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL, + signatureAlgorithm SignatureAlgorithmIdentifier, + signature SignatureValue, + unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL } + +SignerIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + subjectKeyIdentifier [0] SubjectKeyIdentifier } + +SignedAttributes ::= SET SIZE (1..MAX) OF Attribute + +UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute + +Attribute ::= SEQUENCE { + attrType OBJECT IDENTIFIER, + attrValues SET OF AttributeValue } + +AttributeValue ::= ANY + +SignatureValue ::= OCTET STRING + +EnvelopedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + encryptedContentInfo EncryptedContentInfo, + unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL } + +OriginatorInfo ::= SEQUENCE { + certs [0] IMPLICIT CertificateSet OPTIONAL, + crls [1] IMPLICIT RevocationInfoChoices OPTIONAL } + +RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo + +EncryptedContentInfo ::= SEQUENCE { + contentType ContentType, + contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, + encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL } + +EncryptedContent ::= OCTET STRING + +UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute + +RecipientInfo ::= CHOICE { + ktri KeyTransRecipientInfo, + kari [1] KeyAgreeRecipientInfo, + kekri [2] KEKRecipientInfo, + pwri [3] PasswordRecipientInfo, + ori [4] OtherRecipientInfo } + +EncryptedKey ::= OCTET STRING + +KeyTransRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 or 2 + rid RecipientIdentifier, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + encryptedKey EncryptedKey } + +RecipientIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + subjectKeyIdentifier [0] SubjectKeyIdentifier } + +KeyAgreeRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 3 + originator [0] EXPLICIT OriginatorIdentifierOrKey, + ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + recipientEncryptedKeys RecipientEncryptedKeys } + +OriginatorIdentifierOrKey ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + subjectKeyIdentifier [0] SubjectKeyIdentifier, + originatorKey [1] OriginatorPublicKey } + +OriginatorPublicKey ::= SEQUENCE { + algorithm AlgorithmIdentifier, + publicKey BIT STRING } + +RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey + +RecipientEncryptedKey ::= SEQUENCE { + rid KeyAgreeRecipientIdentifier, + encryptedKey EncryptedKey } + +KeyAgreeRecipientIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + rKeyId [0] IMPLICIT RecipientKeyIdentifier } + +RecipientKeyIdentifier ::= SEQUENCE { + subjectKeyIdentifier SubjectKeyIdentifier, + date GeneralizedTime OPTIONAL, + other OtherKeyAttribute OPTIONAL } + +SubjectKeyIdentifier ::= OCTET STRING + +KEKRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 4 + kekid KEKIdentifier, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + encryptedKey EncryptedKey } + +KEKIdentifier ::= SEQUENCE { + keyIdentifier OCTET STRING, + date GeneralizedTime OPTIONAL, + other OtherKeyAttribute OPTIONAL } + +PasswordRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 + keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier + OPTIONAL, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + encryptedKey EncryptedKey } + +OtherRecipientInfo ::= SEQUENCE { + oriType OBJECT IDENTIFIER, + oriValue ANY DEFINED BY oriType } + +DigestedData ::= SEQUENCE { + version CMSVersion, + digestAlgorithm DigestAlgorithmIdentifier, + encapContentInfo EncapsulatedContentInfo, + digest Digest } + +Digest ::= OCTET STRING + +EncryptedData ::= SEQUENCE { + version CMSVersion, + encryptedContentInfo EncryptedContentInfo, + unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL } + +AuthenticatedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + macAlgorithm MessageAuthenticationCodeAlgorithm, + digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL, + encapContentInfo EncapsulatedContentInfo, + authAttrs [2] IMPLICIT AuthAttributes OPTIONAL, + mac MessageAuthenticationCode, + unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL } + +AuthAttributes ::= SET SIZE (1..MAX) OF Attribute + +UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute + +MessageAuthenticationCode ::= OCTET STRING + +DigestAlgorithmIdentifier ::= AlgorithmIdentifier + +SignatureAlgorithmIdentifier ::= AlgorithmIdentifier + +KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier + +ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier + +MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier + +KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier + +RevocationInfoChoices ::= SET OF RevocationInfoChoice + +RevocationInfoChoice ::= CHOICE { + crl CertificateList, + other [1] IMPLICIT OtherRevocationInfoFormat } + +OtherRevocationInfoFormat ::= SEQUENCE { + otherRevInfoFormat OBJECT IDENTIFIER, + otherRevInfo ANY DEFINED BY otherRevInfoFormat } + +CertificateChoices ::= CHOICE { + certificate Certificate, + extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete + v1AttrCert [1] IMPLICIT AttributeCertificateV1, -- Obsolete + v2AttrCert [2] IMPLICIT AttributeCertificateV2 } + +AttributeCertificateV2 ::= AttributeCertificate + +CertificateSet ::= SET OF CertificateChoices + +IssuerAndSerialNumber ::= SEQUENCE { + issuer Name, + serialNumber CertificateSerialNumber } + +CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) } + +UserKeyingMaterial ::= OCTET STRING + +OtherKeyAttribute ::= SEQUENCE { + keyAttrId OBJECT IDENTIFIER, + keyAttr ANY DEFINED BY keyAttrId OPTIONAL } + +-- Content Type Object Identifiers + +id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 } + +id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 } + +id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 } + +id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 } + +id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 } + +id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 } + +id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 } + +-- The CMS Attributes + +MessageDigest ::= OCTET STRING + +SigningTime ::= Time + +Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } + +Countersignature ::= SignerInfo + +-- Algorithm Identifiers +-- +-- sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) +-- oiw(14) secsig(3) algorithm(2) 26 } +-- +-- md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) +-- rsadsi(113549) digestAlgorithm(2) 5 } +-- +-- id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) +-- us(840) x9-57 (10040) x9cm(4) 3 } +-- +-- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) +-- us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } +-- +-- dh-public-number OBJECT IDENTIFIER ::= { iso(1) member-body(2) +-- us(840) ansi-x942(10046) number-type(2) 1 } +-- +-- id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) +-- rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 } +-- +-- id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2) +-- us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 } +-- +-- id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2) +-- us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 } +-- +-- des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) +-- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } +-- +-- rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) +-- rsadsi(113549) encryptionAlgorithm(3) 2 } +-- +-- hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) +-- dod(6) internet(1) security(5) mechanisms(5) 8 1 2 } +-- +-- +-- Algorithm Parameters +-- +KeyWrapAlgorithm ::= AlgorithmIdentifier + +RC2WrapParameter ::= RC2ParameterVersion + +RC2ParameterVersion ::= INTEGER + +CBCParameter ::= IV + +IV ::= OCTET STRING + +RC2CBCParameter ::= SEQUENCE { + rc2ParameterVersion INTEGER, + iv OCTET STRING } + +-- Attribute Object Identifiers + +id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } + +id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 } + +id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } + +id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } + +-- Obsolete Extended Certificate syntax from PKCS #6 + +ExtendedCertificateOrCertificate ::= CHOICE { + certificate Certificate, + extendedCertificate [0] IMPLICIT ExtendedCertificate } + +ExtendedCertificate ::= SEQUENCE { + extendedCertificateInfo ExtendedCertificateInfo, + signatureAlgorithm SignatureAlgorithmIdentifier, + signature Signature } + +ExtendedCertificateInfo ::= SEQUENCE { + version CMSVersion, + certificate Certificate, + attributes UnauthAttributes } + +Signature ::= BIT STRING + +-- PKCS #7 type that was removed from CMS + +DigestInfo ::= SEQUENCE { + digestAlgorithm DigestAlgorithmIdentifier, + digest Digest } + +-- From S/MIME + +SMIMECapabilities ::= SEQUENCE OF SMIMECapability + +SMIMECapability ::= SEQUENCE { + capability OBJECT IDENTIFIER, + parameters ANY OPTIONAL +} + +SMIMEEncryptionKeyPreference ::= CHOICE { + issuerAndSerialNumber [0] IssuerAndSerialNumber, + recipientKeyId [1] RecipientKeyIdentifier, + subjectAltKeyIdentifier [2] SubjectKeyIdentifier + +} + +-- some implememtations do not seem to use the RC2CBCParameter with 1.2.840.113549.3.2 as per RFC 2630 12.4.2 +-- so we create this CHOICE to workaround this problem until we understand what is really the correct solution + +RC2CBCParameters ::= CHOICE { + rc2WrapParameter RC2WrapParameter, + rc2CBCParameter RC2CBCParameter + +} + + +END -- of CryptographicMessageSyntax2004 + +CMS-AuthEnvelopedData-2007 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) } + +DEFINITIONS IMPLICIT TAGS ::= +BEGIN + +-- EXPORTS All +-- The types and values defined in this module are exported for use +-- in the other ASN.1 modules. Other applications may use them for +-- their own purposes. + +-- IMPORTS + +-- Imports from RFC 3852 [CMS], Section 12.1 +-- AuthAttributes, +-- CMSVersion, +-- EncryptedContentInfo, +-- MessageAuthenticationCode, +-- OriginatorInfo, +-- RecipientInfos, +-- UnauthAttributes +-- FROM CryptographicMessageSyntax2004 +-- { iso(1) member-body(2) us(840) rsadsi(113549) +-- pkcs(1) pkcs-9(9) smime(16) modules(0) +-- cms-2004(24) } ; + + +AuthEnvelopedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, + recipientInfos RecipientInfos, + authEncryptedContentInfo EncryptedContentInfo, + authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, + mac MessageAuthenticationCode, + unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL } + +id-ct-authEnvelopedData OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) ct(1) 23 } + +END -- of CMS-AuthEnvelopedData-2007 + +CMS-AES-CCM-and-AES-GCM + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) } + +DEFINITIONS IMPLICIT TAGS ::= BEGIN + +-- EXPORTS All + +-- Object Identifiers + +aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) + organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } + +id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 } + +id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 } + +id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 } + +id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 } + +id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 } + +id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 } + + +-- Parameters for AigorithmIdentifier + +CCMParameters ::= SEQUENCE { + aes-nonce OCTET STRING (SIZE(7..13)), + aes-ICVlen AES-CCM-ICVlen DEFAULT 12 } + +AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16) + +GCMParameters ::= SEQUENCE { + aes-nonce OCTET STRING, -- recommended size is 12 octets + aes-ICVlen AES-GCM-ICVlen DEFAULT 12 } + +AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16) + +END + diff --git a/epan/dissectors/asn1/cms/cms.cnf b/epan/dissectors/asn1/cms/cms.cnf new file mode 100644 index 00000000..77da3143 --- /dev/null +++ b/epan/dissectors/asn1/cms/cms.cnf @@ -0,0 +1,293 @@ +# CMS.cnf +# CMS conformation file + +#.IMPORT ../x509af/x509af-exp.cnf +#.IMPORT ../x509ce/x509ce-exp.cnf +#.IMPORT ../x509if/x509if-exp.cnf +#.IMPORT ../x509sat/x509sat-exp.cnf + +#.OMIT_ASSIGNMENT +CBCParameter +ExtendedCertificateOrCertificate +#.END + +#.EXPORTS +ContentInfo +ContentType +Countersignature +Digest +DigestAlgorithmIdentifier +DigestAlgorithmIdentifiers +DigestInfo +EncapsulatedContentInfo +EnvelopedData +AuthEnvelopedData +IssuerAndSerialNumber +SignedAttributes +SignedData +SignerIdentifier +SignerInfo +SignerInfos +SignatureValue +UnsignedAttributes + +#.REGISTER +ContentInfo B "1.2.840.113549.1.9.16.1.6" "id-ct-contentInfo" +#OctetString B "1.2.840.113549.1.7.1" "id-data" see x509sat.cnf +SignedData B "1.2.840.113549.1.7.2" "id-signedData" +EnvelopedData B "1.2.840.113549.1.7.3" "id-envelopedData" +DigestedData B "1.2.840.113549.1.7.5" "id-digestedData" +EncryptedData B "1.2.840.113549.1.7.6" "id-encryptedData" +AuthenticatedData B "1.2.840.113549.1.9.16.1.2" "id-ct-authenticatedData" +EncryptedContentInfo B "1.2.840.113549.1.9.16.1.9" "id-ct-compressedData" +AuthEnvelopedData B "1.2.840.113549.1.9.16.1.23" "id-ct-authEnvelopedData" + +ContentType B "1.2.840.113549.1.9.3" "id-contentType" +MessageDigest B "1.2.840.113549.1.9.4" "id-messageDigest" +SigningTime B "1.2.840.113549.1.9.5" "id-signingTime" +Countersignature B "1.2.840.113549.1.9.6" "id-counterSignature" + +ContentInfo B "2.6.1.4.18" "id-et-pkcs7" + +IssuerAndSerialNumber B "1.3.6.1.4.1.311.16.4" "ms-oe-encryption-key-preference" +SMIMECapabilities B "1.2.840.113549.1.9.15" "id-smime-capabilities" +SMIMEEncryptionKeyPreference B "1.2.840.113549.1.9.16.2.11" "id-encryption-key-preference" + +# I think the following should be RC2CBCParameter - but that appears to be incorrect +RC2CBCParameters B "1.2.840.113549.3.4" "id-alg-rc4" + +KeyEncryptionAlgorithmIdentifier B "0.4.0.127.0.7.1.1.5.1.1.3" "ecka-eg-X963KDF-SHA256" +KeyEncryptionAlgorithmIdentifier B "0.4.0.127.0.7.1.1.5.1.1.4" "ecka-eg-X963KDF-SHA384" +KeyEncryptionAlgorithmIdentifier B "0.4.0.127.0.7.1.1.5.1.1.5" "ecka-eg-X963KDF-SHA512" + +KeyEncryptionAlgorithmIdentifier B "2.16.840.1.101.3.4.1.5" "id-aes128-wrap" +KeyEncryptionAlgorithmIdentifier B "2.16.840.1.101.3.4.1.25" "id-aes192-wrap" +KeyEncryptionAlgorithmIdentifier B "2.16.840.1.101.3.4.1.45" "id-aes256-wrap" + +GCMParameters B "2.16.840.1.101.3.4.1.6" "id-aes128-GCM" +GCMParameters B "2.16.840.1.101.3.4.1.26" "id-aes192-GCM" +GCMParameters B "2.16.840.1.101.3.4.1.46" "id-aes256-GCM" + +CCMParameters B "2.16.840.1.101.3.4.1.7" "id-aes128-CCM" +CCMParameters B "2.16.840.1.101.3.4.1.27" "id-aes192-CCM" +CCMParameters B "2.16.840.1.101.3.4.1.44" "id-aes256-CCM" + +# EC algorithms from RFC 3278 / RFC 5753 +KeyWrapAlgorithm B "1.3.133.16.840.63.0.2" "dhSinglePass-stdDH-sha1kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.11.0" "dhSinglePass-stdDH-sha224kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.11.1" "dhSinglePass-stdDH-sha256kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.11.2" "dhSinglePass-stdDH-sha384kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.11.3" "dhSinglePass-stdDH-sha512kdf-scheme" +KeyWrapAlgorithm B "1.3.133.16.840.63.0.3" "dhSinglePass-cofactorDH-sha1kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.14.0" "dhSinglePass-cofactorDH-sha224kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.14.1" "dhSinglePass-cofactorDH-sha256kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.14.2" "dhSinglePass-cofactorDH-sha384kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.14.3" "dhSinglePass-cofactorDH-sha512kdf-scheme" +KeyWrapAlgorithm B "1.3.133.16.840.63.0.16" "mqvSinglePass-sha1kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.15.0" "mqvSinglePass-sha224kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.15.1" "mqvSinglePass-sha256kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.15.2" "mqvSinglePass-sha384kdf-scheme" +KeyWrapAlgorithm B "1.3.132.1.15.3" "mqvSinglePass-sha512kdf-scheme" + +# RFC 3370 [CMS-ASN] (and RFC 5911 section 3) +# - section 4.3.1 - registered in packet-cms-template.c +# NULL B "1.2.840.113549.1.9.16.3.6" "id-alg-CMS3DESwrap" +# - section 4.3.2 +RC2WrapParameter B "1.2.840.113549.1.9.16.3.7" "id-alg-CMSRC2-wrap" +# - section 4.4.1 - PBKDF2-params defined in PKCS#5 / RFC 8018 - not yet implemented +# PBKDF2-params B "1.2.840.113549.1.5.12" "id-PBKDF2" +# - section 5.1 +IV B "1.2.840.113549.3.7" "des-ede3-cbc" +# - section 5.2 +RC2CBCParameters B "1.2.840.113549.3.2" "rc2-cbc" + +# RFC 2798 Attributes - see master list in x509sat.cnf +SignedData B "2.16.840.1.113730.3.1.40" "userSMIMECertificate" + +# RFC 4108 Attributes (in CMSFirmwareWrapper.asn) +FirmwarePkgData B "1.2.840.113549.1.9.16.1.16" "id-ct-firmwarePackage" +FirmwarePackageIdentifier B "1.2.840.113549.1.9.16.2.35" "id-aa-firmwarePackageID" +TargetHardwareIdentifiers B "1.2.840.113549.1.9.16.2.36" "id-aa-targetHardwareIDs" +DecryptKeyIdentifier B "1.2.840.113549.1.9.16.2.37" "id-aa-decryptKeyID" +ImplementedCryptoAlgorithms B "1.2.840.113549.1.9.16.2.38" "id-aa-implCryptoAlgs" +ImplementedCompressAlgorithms B "1.2.840.113549.1.9.16.2.43" "id-aa-implCompressAlgs" +CommunityIdentifiers B "1.2.840.113549.1.9.16.2.40" "id-aa-communityIdentifiers" +FirmwarePackageInfo B "1.2.840.113549.1.9.16.2.42" "id-aa-firmwarePackageInfo" +WrappedFirmwareKey B "1.2.840.113549.1.9.16.2.39" "id-aa-wrappedFirmwareKey" +FirmwarePackageLoadReceipt B "1.2.840.113549.1.9.16.1.17" "id-ct-firmwareLoadReceipt" +FirmwarePackageLoadError B "1.2.840.113549.1.9.16.1.18" "id-ct-firmwareLoadError" +HardwareModuleName B "1.3.6.1.5.5.7.8.4" "id-on-hardwareModuleName" +FirmwarePackageMessageDigest B "1.2.840.113549.1.9.16.2.41" "id-aa-fwPkgMessageDigest" + +#.NO_EMIT + +#.TYPE_RENAME + +#.FIELD_RENAME +SignerInfo/signature signatureValue +RecipientEncryptedKey/rid rekRid +EncryptedContentInfo/contentType encryptedContentType +AttributeCertificateV1/signature signatureValue_v1 +AttributeCertificateV1/signatureAlgorithm signatureAlgorithm_v1 +AttributeCertificateInfoV1/attributes attributes_v1 +AttributeCertificateInfoV1/issuer issuer_v1 +AttributeCertificateInfoV1/signature signature_v1 +AttributeCertificateInfoV1/version version_v1 +RevocationInfoChoice/other otherRIC +FirmwarePackageLoadReceipt/version fwReceiptVersion +FirmwarePackageLoadError/version fwErrorVersion + +#.FN_BODY ContentInfo + top_tree = tree; + %(DEFAULT_BODY)s + top_tree = NULL; + +#.FN_PARS ContentType + FN_VARIANT = _str VAL_PTR = &cms_data->object_identifier_id + +#.FN_BODY ContentType + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + cms_data->object_identifier_id = NULL; + const char *name = NULL; + + %(DEFAULT_BODY)s + + if(cms_data->object_identifier_id) { + name = oid_resolved_from_string(actx->pinfo->pool, cms_data->object_identifier_id); + proto_item_append_text(tree, " (%%s)", name ? name : cms_data->object_identifier_id); + } + +#.FN_BODY ContentInfo/content + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + + +#.FN_BODY EncapsulatedContentInfo/eContent + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + cms_data->content_tvb = NULL; + offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &cms_data->content_tvb); + + if(cms_data->content_tvb) { + proto_item_set_text(actx->created_item, "eContent (%%u bytes)", tvb_reported_length(cms_data->content_tvb)); + + call_ber_oid_callback(cms_data->object_identifier_id, cms_data->content_tvb, 0, actx->pinfo, top_tree ? top_tree : tree, NULL); + } + +#.FN_PARS OtherRecipientInfo/oriType + FN_VARIANT = _str VAL_PTR = &cms_data->object_identifier_id + +#.FN_HDR OtherRecipientInfo/oriType + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + cms_data->object_identifier_id = NULL; + +#.FN_BODY OtherRecipientInfo/oriValue + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + +#.FN_PARS OtherKeyAttribute/keyAttrId + FN_VARIANT = _str HF_INDEX = hf_cms_ci_contentType VAL_PTR = &cms_data->object_identifier_id + +#.FN_HDR OtherKeyAttribute/keyAttrId + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + cms_data->object_identifier_id = NULL; + +#.FN_BODY OtherKeyAttribute/keyAttr + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + +#.FN_PARS OtherRevocationInfoFormat/otherRevInfoFormat + FN_VARIANT = _str VAL_PTR = &cms_data->object_identifier_id + +#.FN_HDR OtherRevocationInfoFormat/otherRevInfoFormat + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + cms_data->object_identifier_id = NULL; + +#.FN_BODY OtherRevocationInfoFormat/otherRevInfo + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + +#.FN_PARS Attribute/attrType + FN_VARIANT = _str HF_INDEX = hf_cms_attrType VAL_PTR = &cms_data->object_identifier_id + +#.FN_BODY Attribute/attrType + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + cms_data->object_identifier_id = NULL; + const char *name = NULL; + + %(DEFAULT_BODY)s + + if(cms_data->object_identifier_id) { + name = oid_resolved_from_string(actx->pinfo->pool, cms_data->object_identifier_id); + proto_item_append_text(tree, " (%%s)", name ? name : cms_data->object_identifier_id); + } + +#.FN_BODY AttributeValue + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + + offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + +#.FN_BODY MessageDigest + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + proto_item *pi; + int old_offset = offset; + + %(DEFAULT_BODY)s + + pi = actx->created_item; + + /* move past TLV */ + old_offset = get_ber_identifier(tvb, old_offset, NULL, NULL, NULL); + old_offset = get_ber_length(tvb, old_offset, NULL, NULL); + + if(cms_data->content_tvb) + cms_verify_msg_digest(pi, cms_data->content_tvb, x509af_get_last_algorithm_id(), tvb, old_offset); + +#.FN_PARS SMIMECapability/capability + FN_VARIANT = _str HF_INDEX = hf_cms_attrType VAL_PTR = &cms_data->object_identifier_id + +#.FN_BODY SMIMECapability/capability + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + cms_data->object_identifier_id = NULL; + const char *name = NULL; + + %(DEFAULT_BODY)s + + if(cms_data->object_identifier_id) { + name = oid_resolved_from_string(actx->pinfo->pool, cms_data->object_identifier_id); + proto_item_append_text(tree, " %%s", name ? name : cms_data->object_identifier_id); + cap_tree = tree; + } + +#.FN_BODY SMIMECapability/parameters + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + + offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); + +#.FN_PARS RC2ParameterVersion + VAL_PTR = &length + +#.FN_BODY RC2ParameterVersion + guint32 length = 0; + + %(DEFAULT_BODY)s + + if(cap_tree != NULL) + proto_item_append_text(cap_tree, " (%%d bits)", length); + +#.FN_PARS EncryptedContent VAL_PTR = &encrypted_tvb + +#.FN_HDR EncryptedContent + tvbuff_t *encrypted_tvb; + proto_item *item; +#.END + +#.FN_FTR EncryptedContent + struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo); + + item = actx->created_item; + + PBE_decrypt_data(cms_data->object_identifier_id, encrypted_tvb, actx->pinfo, actx, item); + +#.END + + diff --git a/epan/dissectors/asn1/cms/packet-cms-template.c b/epan/dissectors/asn1/cms/packet-cms-template.c new file mode 100644 index 00000000..aca1ecb0 --- /dev/null +++ b/epan/dissectors/asn1/cms/packet-cms-template.c @@ -0,0 +1,211 @@ +/* packet-cms.c + * Routines for RFC5652 Cryptographic Message Syntax packet dissection + * Ronnie Sahlberg 2004 + * Stig Bjorlykke 2010 + * Uwe Heuert 2022 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <epan/packet.h> +#include <epan/oids.h> +#include <epan/asn1.h> +#include <epan/proto_data.h> +#include <wsutil/wsgcrypt.h> + +#include "packet-ber.h" +#include "packet-cms.h" +#include "packet-x509af.h" +#include "packet-x509ce.h" +#include "packet-x509if.h" +#include "packet-x509sat.h" +#include "packet-pkcs12.h" + +#define PNAME "Cryptographic Message Syntax" +#define PSNAME "CMS" +#define PFNAME "cms" + +void proto_register_cms(void); +void proto_reg_handoff_cms(void); + +/* Initialize the protocol and registered fields */ +static int proto_cms = -1; +static int hf_cms_ci_contentType = -1; +#include "packet-cms-hf.c" + +/* Initialize the subtree pointers */ +static gint ett_cms = -1; +#include "packet-cms-ett.c" + +static dissector_handle_t cms_handle = NULL; + +static int dissect_cms_OCTET_STRING(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) ; /* XXX kill a compiler warning until asn2wrs stops generating these silly wrappers */ + +struct cms_private_data { + const char *object_identifier_id; + tvbuff_t *content_tvb; +}; + +static proto_tree *top_tree=NULL; +static proto_tree *cap_tree=NULL; + +#define HASH_SHA1 "1.3.14.3.2.26" + +#define HASH_MD5 "1.2.840.113549.2.5" + + +/* SHA-2 variants */ +#define HASH_SHA224 "2.16.840.1.101.3.4.2.4" +#define SHA224_BUFFER_SIZE 32 /* actually 28 */ +#define HASH_SHA256 "2.16.840.1.101.3.4.2.1" +#define SHA256_BUFFER_SIZE 32 + +unsigned char digest_buf[MAX(HASH_SHA1_LENGTH, HASH_MD5_LENGTH)]; + +/* +* Dissect CMS PDUs inside a PPDU. +*/ +static int +dissect_cms(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data _U_) +{ + int offset = 0; + proto_item *item=NULL; + proto_tree *tree=NULL; + asn1_ctx_t asn1_ctx; + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + + if(parent_tree){ + item = proto_tree_add_item(parent_tree, proto_cms, tvb, 0, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_cms); + } + col_set_str(pinfo->cinfo, COL_PROTOCOL, "CMS"); + col_clear(pinfo->cinfo, COL_INFO); + + while (tvb_reported_length_remaining(tvb, offset) > 0){ + offset=dissect_cms_ContentInfo(FALSE, tvb, offset, &asn1_ctx , tree, -1); + } + return tvb_captured_length(tvb); +} + +static struct cms_private_data* +cms_get_private_data(packet_info *pinfo) +{ + struct cms_private_data *cms_data = (struct cms_private_data*)p_get_proto_data(pinfo->pool, pinfo, proto_cms, 0); + if (!cms_data) { + cms_data = wmem_new0(pinfo->pool, struct cms_private_data); + p_add_proto_data(pinfo->pool, pinfo, proto_cms, 0, cms_data); + } + return cms_data; +} + +static void +cms_verify_msg_digest(proto_item *pi, tvbuff_t *content, const char *alg, tvbuff_t *tvb, int offset) +{ + int i= 0, buffer_size = 0; + + /* we only support two algorithms at the moment - if we do add SHA2 + we should add a registration process to use a registration process */ + + if(strcmp(alg, HASH_SHA1) == 0) { + gcry_md_hash_buffer(GCRY_MD_SHA1, digest_buf, tvb_get_ptr(content, 0, tvb_captured_length(content)), tvb_captured_length(content)); + buffer_size = HASH_SHA1_LENGTH; + + } else if(strcmp(alg, HASH_MD5) == 0) { + gcry_md_hash_buffer(GCRY_MD_MD5, digest_buf, tvb_get_ptr(content, 0, tvb_captured_length(content)), tvb_captured_length(content)); + buffer_size = HASH_MD5_LENGTH; + } + + if(buffer_size) { + /* compare our computed hash with what we have received */ + + if(tvb_bytes_exist(tvb, offset, buffer_size) && + (tvb_memeql(tvb, offset, digest_buf, buffer_size) != 0)) { + proto_item_append_text(pi, " [incorrect, should be "); + for(i = 0; i < buffer_size; i++) + proto_item_append_text(pi, "%02X", digest_buf[i]); + + proto_item_append_text(pi, "]"); + } + else + proto_item_append_text(pi, " [correct]"); + } else { + proto_item_append_text(pi, " [unable to verify]"); + } + +} + +#include "packet-cms-fn.c" + +/*--- proto_register_cms ----------------------------------------------*/ +void proto_register_cms(void) { + + /* List of fields */ + static hf_register_info hf[] = { + { &hf_cms_ci_contentType, + { "contentType", "cms.contentInfo.contentType", + FT_OID, BASE_NONE, NULL, 0, + NULL, HFILL }}, +#include "packet-cms-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { + &ett_cms, +#include "packet-cms-ettarr.c" + }; + + /* Register protocol */ + proto_cms = proto_register_protocol(PNAME, PSNAME, PFNAME); + + cms_handle = register_dissector(PFNAME, dissect_cms, proto_cms); + + /* Register fields and subtrees */ + proto_register_field_array(proto_cms, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + + register_ber_syntax_dissector("ContentInfo", proto_cms, dissect_ContentInfo_PDU); + register_ber_syntax_dissector("SignedData", proto_cms, dissect_SignedData_PDU); + register_ber_oid_syntax(".p7s", NULL, "ContentInfo"); + register_ber_oid_syntax(".p7m", NULL, "ContentInfo"); + register_ber_oid_syntax(".p7c", NULL, "ContentInfo"); + + +} + + +/*--- proto_reg_handoff_cms -------------------------------------------*/ +void proto_reg_handoff_cms(void) { + dissector_handle_t content_info_handle; +#include "packet-cms-dis-tab.c" + + /* RFC 3370 [CMS-ASN} section 4.3.1 */ + register_ber_oid_dissector("1.2.840.113549.1.9.16.3.6", dissect_ber_oid_NULL_callback, proto_cms, "id-alg-CMS3DESwrap"); + + oid_add_from_string("id-data","1.2.840.113549.1.7.1"); + oid_add_from_string("id-alg-des-ede3-cbc","1.2.840.113549.3.7"); + oid_add_from_string("id-alg-des-cbc","1.3.14.3.2.7"); + + oid_add_from_string("id-ct-authEnvelopedData","1.2.840.113549.1.9.16.1.23"); + oid_add_from_string("id-aes-CBC-CMAC-128","0.4.0.127.0.7.1.3.1.1.2"); + oid_add_from_string("id-aes-CBC-CMAC-192","0.4.0.127.0.7.1.3.1.1.3"); + oid_add_from_string("id-aes-CBC-CMAC-256","0.4.0.127.0.7.1.3.1.1.4"); + oid_add_from_string("ecdsaWithSHA256","1.2.840.10045.4.3.2"); + oid_add_from_string("ecdsaWithSHA384","1.2.840.10045.4.3.3"); + oid_add_from_string("ecdsaWithSHA512","1.2.840.10045.4.3.4"); + + content_info_handle = create_dissector_handle (dissect_ContentInfo_PDU, proto_cms); + + dissector_add_string("media_type", "application/pkcs7-mime", content_info_handle); + dissector_add_string("media_type", "application/pkcs7-signature", content_info_handle); + + dissector_add_string("media_type", "application/vnd.de-dke-k461-ic1+xml", content_info_handle); + dissector_add_string("media_type", "application/vnd.de-dke-k461-ic1+xml; encap=cms-tr03109", content_info_handle); + dissector_add_string("media_type", "application/vnd.de-dke-k461-ic1+xml; encap=cms-tr03109-zlib", content_info_handle); + dissector_add_string("media_type", "application/hgp;encap=cms", content_info_handle); +} diff --git a/epan/dissectors/asn1/cms/packet-cms-template.h b/epan/dissectors/asn1/cms/packet-cms-template.h new file mode 100644 index 00000000..eb1f45fb --- /dev/null +++ b/epan/dissectors/asn1/cms/packet-cms-template.h @@ -0,0 +1,20 @@ +/* packet-cms.h + * Routines for RFC5652 Cryptographic Message Syntax packet dissection + * Ronnie Sahlberg 2004 + * Stig Bjorlykke 2010 + * Uwe Heuert 2022 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_CMS_H +#define PACKET_CMS_H + +#include "packet-cms-exp.h" + +#endif /* PACKET_CMS_H */ + |