5 files changed, 496 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/crmf/CMakeLists.txt b/epan/dissectors/asn1/crmf/CMakeLists.txt
new file mode 100644
index 00000000..434fba7c
--- /dev/null
+++ b/epan/dissectors/asn1/crmf/CMakeLists.txt
@@ -0,0 +1,43 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME crmf )
+
+set( PROTO_OPT )
+
+set( EXPORT_FILES
+	${PROTOCOL_NAME}-exp.cnf
+)
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+	CRMF.asn
+)
+
+set( EXTRA_DIST
+	${ASN_FILE_LIST}
+	packet-${PROTOCOL_NAME}-template.c
+	packet-${PROTOCOL_NAME}-template.h
+	${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+	${EXTRA_DIST}
+	${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b )
+
+set( EXTRA_CNF
+	"${CMAKE_CURRENT_BINARY_DIR}/../cms/cms-exp.cnf"
+)
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/crmf/CRMF.asn b/epan/dissectors/asn1/crmf/CRMF.asn
new file mode 100644
index 00000000..e7e4bbe7
--- /dev/null
+++ b/epan/dissectors/asn1/crmf/CRMF.asn
@@ -0,0 +1,311 @@
+-- Extracted from RFC4211
+-- by Martin Peylo <martin.peylo@nsn.com>
+-- 
+-- Changes to make it work with asn2wrs:
+--   - none
+--   
+-- The copyright statement from the original description in RFC4211
+-- follows below:
+--
+-- Full Copyright Statement
+--
+--   Copyright (C) The Internet Society (2005).
+--
+--   This document is subject to the rights, licenses and restrictions
+--   contained in BCP 78, and except as set forth therein, the authors
+--   retain all their rights.
+--
+--   This document and the information contained herein are provided on an
+--   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+--   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+--   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+--   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+--   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+--   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6) internet(1)
+security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005(36)}
+
+DEFINITIONS IMPLICIT TAGS ::=
+BEGIN
+
+IMPORTS
+  -- Directory Authentication Framework (X.509)
+     Version, AlgorithmIdentifier, Name, Time,
+     SubjectPublicKeyInfo, Extensions, UniqueIdentifier, Attribute
+        FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
+            internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+            id-pkix1-explicit(18)} -- found in [PROFILE]
+
+  -- Certificate Extensions (X.509)
+     GeneralName
+        FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
+               internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+               id-pkix1-implicit(19)}  -- found in [PROFILE]
+
+  -- Cryptographic Message Syntax
+     EnvelopedData
+        FROM CryptographicMessageSyntax2004 { iso(1) member-body(2)
+             us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+             modules(0) cms-2004(24) };  -- found in [CMS]
+
+-- The following definition may be uncommented for use with
+-- ASN.1 compilers that do not understand UTF8String.
+
+-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+       -- The contents of this type correspond to RFC 2279.
+
+id-pkix  OBJECT IDENTIFIER  ::= { iso(1) identified-organization(3)
+dod(6) internet(1) security(5) mechanisms(5) 7 }
+
+-- arc for Internet X.509 PKI protocols and their components
+
+id-pkip  OBJECT IDENTIFIER ::= { id-pkix 5 }
+
+id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+             us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
+
+id-ct   OBJECT IDENTIFIER ::= { id-smime  1 }  -- content types
+
+-- Core definitions for this module
+
+CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
+
+CertReqMsg ::= SEQUENCE {
+ certReq   CertRequest,
+ popo       ProofOfPossession  OPTIONAL,
+ -- content depends upon key type
+ regInfo   SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL }
+
+CertRequest ::= SEQUENCE {
+ certReqId     INTEGER,          -- ID for matching request and reply
+ certTemplate  CertTemplate,  -- Selected fields of cert to be issued
+ controls      Controls OPTIONAL }   -- Attributes affecting issuance
+
+CertTemplate ::= SEQUENCE {
+ version      [0] Version               OPTIONAL,
+ serialNumber [1] INTEGER(MIN..MAX)     OPTIONAL,   -- Wireshark extension to get 64 bit handling
+ signingAlg   [2] AlgorithmIdentifier   OPTIONAL,
+ issuer       [3] Name                  OPTIONAL,
+ validity     [4] OptionalValidity      OPTIONAL,
+ subject      [5] Name                  OPTIONAL,
+ publicKey    [6] SubjectPublicKeyInfo  OPTIONAL,
+ issuerUID    [7] UniqueIdentifier      OPTIONAL,
+ subjectUID   [8] UniqueIdentifier      OPTIONAL,
+ extensions   [9] Extensions            OPTIONAL }
+
+OptionalValidity ::= SEQUENCE {
+ notBefore  [0] Time OPTIONAL,
+ notAfter   [1] Time OPTIONAL } -- at least one MUST be present
+
+Controls  ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue
+
+AttributeTypeAndValue ::= SEQUENCE {
+ type         OBJECT IDENTIFIER,
+ value        ANY DEFINED BY type }
+
+ProofOfPossession ::= CHOICE {
+ raVerified        [0] NULL,
+ -- used if the RA has already verified that the requester is in
+ -- possession of the private key
+ signature         [1] POPOSigningKey,
+ keyEncipherment   [2] POPOPrivKey,
+ keyAgreement      [3] POPOPrivKey }
+
+POPOSigningKey ::= SEQUENCE {
+ poposkInput           [0] POPOSigningKeyInput OPTIONAL,
+ algorithmIdentifier   AlgorithmIdentifier,
+ signature             BIT STRING }
+
+ -- The signature (using "algorithmIdentifier") is on the
+ -- DER-encoded value of poposkInput.  NOTE: If the CertReqMsg
+ -- certReq CertTemplate contains the subject and publicKey values,
+ -- then poposkInput MUST be omitted and the signature MUST be
+ -- computed over the DER-encoded value of CertReqMsg certReq.  If
+ -- the CertReqMsg certReq CertTemplate does not contain both the
+ -- public key and subject values (i.e., if it contains only one
+ -- of these, or neither), then poposkInput MUST be present and
+ -- MUST be signed.
+
+POPOSigningKeyInput ::= SEQUENCE {
+ authInfo            CHOICE {
+     sender              [0] GeneralName,
+     -- used only if an authenticated identity has been
+     -- established for the sender (e.g., a DN from a
+     -- previously-issued and currently-valid certificate)
+     publicKeyMAC        PKMACValue },
+     -- used if no authenticated GeneralName currently exists for
+     -- the sender; publicKeyMAC contains a password-based MAC
+     -- on the DER-encoded value of publicKey
+ publicKey           SubjectPublicKeyInfo }  -- from CertTemplate
+
+PKMACValue ::= SEQUENCE {
+algId  AlgorithmIdentifier,
+-- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
+-- parameter value is PBMParameter
+value  BIT STRING }
+
+PBMParameter ::= SEQUENCE {
+   salt                OCTET STRING,
+   owf                 AlgorithmIdentifier,
+   -- AlgId for a One-Way Function (SHA-1 recommended)
+   iterationCount      INTEGER,
+   -- number of times the OWF is applied
+   mac                 AlgorithmIdentifier
+   -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+}   -- or HMAC [HMAC, RFC2202])
+
+POPOPrivKey ::= CHOICE {
+ thisMessage       [0] BIT STRING,         -- Deprecated
+ -- possession is proven in this message (which contains the private
+ -- key itself (encrypted for the CA))
+ subsequentMessage [1] SubsequentMessage,
+ -- possession will be proven in a subsequent message
+ dhMAC             [2] BIT STRING,         -- Deprecated
+ agreeMAC          [3] PKMACValue,
+ encryptedKey      [4] EnvelopedData }
+
+ -- for keyAgreement (only), possession is proven in this message
+ -- (which contains a MAC (over the DER-encoded value of the
+ -- certReq parameter in CertReqMsg, which MUST include both subject
+ -- and publicKey) based on a key derived from the end entity's
+ -- private DH key and the CA's public DH key);
+
+SubsequentMessage ::= INTEGER {
+ encrCert (0),
+ -- requests that resulting certificate be encrypted for the
+ -- end entity (following which, POP will be proven in a
+ -- confirmation message)
+ challengeResp (1) }
+ -- requests that CA engage in challenge-response exchange with
+ -- end entity in order to prove private key possession
+
+-- Object identifier assignments --
+
+-- Registration Controls in CRMF
+id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 }
+
+
+id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 }
+--with syntax:
+RegToken ::= UTF8String
+
+id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 }
+--with syntax:
+Authenticator ::= UTF8String
+
+id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 }
+--with syntax:
+
+PKIPublicationInfo ::= SEQUENCE {
+action     INTEGER {
+             dontPublish (0),
+             pleasePublish (1) },
+pubInfos  SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
+  -- pubInfos MUST NOT be present if action is "dontPublish"
+  -- (if action is "pleasePublish" and pubInfos is omitted,
+  -- "dontCare" is assumed)
+
+SinglePubInfo ::= SEQUENCE {
+ pubMethod    INTEGER {
+     dontCare    (0),
+     x500        (1),
+     web         (2),
+     ldap        (3) },
+ pubLocation  GeneralName OPTIONAL }
+
+id-regCtrl-pkiArchiveOptions     OBJECT IDENTIFIER ::= { id-regCtrl 4 }
+--with syntax:
+PKIArchiveOptions ::= CHOICE {
+ encryptedPrivKey     [0] EncryptedKey,
+ -- the actual value of the private key
+ keyGenParameters     [1] KeyGenParameters,
+ -- parameters that allow the private key to be re-generated
+ archiveRemGenPrivKey [2] BOOLEAN }
+ -- set to TRUE if sender wishes receiver to archive the private
+ -- key of a key pair that the receiver generates in response to
+ -- this request; set to FALSE if no archival is desired.
+
+EncryptedKey ::= CHOICE {
+ encryptedValue        EncryptedValue,   -- Deprecated
+ envelopedData     [0] EnvelopedData }
+ -- The encrypted private key MUST be placed in the envelopedData
+ -- encryptedContentInfo encryptedContent OCTET STRING.
+
+EncryptedValue ::= SEQUENCE {
+ intendedAlg   [0] AlgorithmIdentifier  OPTIONAL,
+ -- the intended algorithm for which the value will be used
+ symmAlg       [1] AlgorithmIdentifier  OPTIONAL,
+ -- the symmetric algorithm used to encrypt the value
+ encSymmKey    [2] BIT STRING           OPTIONAL,
+ -- the (encrypted) symmetric key used to encrypt the value
+ keyAlg        [3] AlgorithmIdentifier  OPTIONAL,
+ -- algorithm used to encrypt the symmetric key
+ valueHint     [4] OCTET STRING         OPTIONAL,
+ -- a brief description or identifier of the encValue content
+ -- (may be meaningful only to the sending entity, and used only
+ -- if EncryptedValue might be re-examined by the sending entity
+ -- in the future)
+ encValue       BIT STRING }
+ -- the encrypted value itself
+-- When EncryptedValue is used to carry a private key (as opposed to
+-- a certificate), implementations MUST support the encValue field
+-- containing an encrypted PrivateKeyInfo as defined in [PKCS11],
+-- section 12.11.  If encValue contains some other format/encoding
+-- for the private key, the first octet of valueHint MAY be used
+-- to indicate the format/encoding (but note that the possible values
+-- of this octet are not specified at this time).  In all cases, the
+-- intendedAlg field MUST be used to indicate at least the OID of
+-- the intended algorithm of the private key, unless this information
+-- is known a priori to both sender and receiver by some other means.
+
+KeyGenParameters ::= OCTET STRING
+
+id-regCtrl-oldCertID          OBJECT IDENTIFIER ::= { id-regCtrl 5 }
+--with syntax:
+OldCertId ::= CertId
+
+CertId ::= SEQUENCE {
+ issuer           GeneralName,
+ serialNumber     INTEGER(MIN..MAX) }  -- Wireshark extension to get 64 bit handling
+
+id-regCtrl-protocolEncrKey    OBJECT IDENTIFIER ::= { id-regCtrl 6 }
+--with syntax:
+ProtocolEncrKey ::= SubjectPublicKeyInfo
+
+-- Registration Info in CRMF
+id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 }
+
+id-regInfo-utf8Pairs    OBJECT IDENTIFIER ::= { id-regInfo 1 }
+--with syntax
+UTF8Pairs ::= UTF8String
+
+id-regInfo-certReq       OBJECT IDENTIFIER ::= { id-regInfo 2 }
+--with syntax
+CertReq ::= CertRequest
+
+-- id-ct-encKeyWithID is a new content type used for CMS objects.
+-- it contains both a private key and an identifier for key escrow
+-- agents to check against recovery requestors.
+
+id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
+
+EncKeyWithID ::= SEQUENCE {
+  privateKey           PrivateKeyInfo,
+  identifier CHOICE {
+    string             UTF8String,
+    generalName        GeneralName
+  } OPTIONAL
+}
+
+PrivateKeyInfo ::= SEQUENCE {
+   version                   INTEGER,
+   privateKeyAlgorithm       AlgorithmIdentifier,
+   privateKey                OCTET STRING,
+   attributes                [0] IMPLICIT Attributes OPTIONAL
+}
+
+Attributes ::= SET OF Attribute
+
+END
diff --git a/epan/dissectors/asn1/crmf/crmf.cnf b/epan/dissectors/asn1/crmf/crmf.cnf
new file mode 100644
index 00000000..e10b1438
--- /dev/null
+++ b/epan/dissectors/asn1/crmf/crmf.cnf
@@ -0,0 +1,49 @@
+# CRMF.cnf
+# CRMF conformation file
+
+#.MODULE_IMPORT
+PKIX1Explicit88	pkix1explicit
+PKIX1Implicit88	pkix1implicit
+CryptographicMessageSyntax2004 cms
+
+#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
+#.INCLUDE ../pkix1implicit/pkix1implicit_exp.cnf
+
+#.EXPORTS
+AttributeTypeAndValue
+CertId
+CertReqMessages
+CertTemplate
+EncryptedValue
+PKIPublicationInfo
+
+#.REGISTER
+EncKeyWithID         B "1.2.840.113549.1.9.16.1.21" "id-ct-encKeyWithID"
+PBMParameter         B "1.2.840.113533.7.66.13"     "PasswordBasedMac"
+RegToken             B "1.3.6.1.5.5.7.5.1.1"        "id-regCtrl-regToken"
+Authenticator        B "1.3.6.1.5.5.7.5.1.2"        "id-regCtrl-authenticator"
+PKIPublicationInfo   B "1.3.6.1.5.5.7.5.1.3"        "id-regCtrl-pkiPublicationInfo"
+PKIArchiveOptions    B "1.3.6.1.5.5.7.5.1.4"        "id-regCtrl-pkiArchiveOptions"
+OldCertId            B "1.3.6.1.5.5.7.5.1.5"        "id-regCtrl-oldCertID"
+ProtocolEncrKey      B "1.3.6.1.5.5.7.5.1.6"        "id-regCtrl-protocolEncrKey"
+UTF8Pairs            B "1.3.6.1.5.5.7.5.2.1"        "id-regInfo-utf8Pairs"
+CertReq              B "1.3.6.1.5.5.7.5.2.2"        "id-regInfo-certReq"
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+CertTemplate/issuer		template_issuer
+POPOSigningKey/signature	sk_signature
+PKMACValue/value		pkmac_value
+PrivateKeyInfo/version          privkey_version
+EncKeyWithID/privateKey         enckeywid_privkey
+
+#.FN_PARS AttributeTypeAndValue/type
+  FN_VARIANT = _str  HF_INDEX = hf_crmf_type_oid  VAL_PTR = &actx->external.direct_reference
+
+#.FN_BODY AttributeTypeAndValue/value
+  offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
+
+#.END
diff --git a/epan/dissectors/asn1/crmf/packet-crmf-template.c b/epan/dissectors/asn1/crmf/packet-crmf-template.c
new file mode 100644
index 00000000..682f8bd1
--- /dev/null
+++ b/epan/dissectors/asn1/crmf/packet-crmf-template.c
@@ -0,0 +1,75 @@
+/* packet-crmf.c
+ * Routines for RFC2511 Certificate Request Message Format packet dissection
+ *   Ronnie Sahlberg 2004
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include <epan/oids.h>
+#include <epan/asn1.h>
+
+#include "packet-ber.h"
+#include "packet-crmf.h"
+#include "packet-cms.h"
+#include "packet-pkix1explicit.h"
+#include "packet-pkix1implicit.h"
+
+#define PNAME  "Certificate Request Message Format"
+#define PSNAME "CRMF"
+#define PFNAME "crmf"
+
+void proto_register_crmf(void);
+void proto_reg_handoff_crmf(void);
+
+/* Initialize the protocol and registered fields */
+static int proto_crmf = -1;
+static int hf_crmf_type_oid = -1;
+#include "packet-crmf-hf.c"
+
+/* Initialize the subtree pointers */
+#include "packet-crmf-ett.c"
+#include "packet-crmf-fn.c"
+
+
+/*--- proto_register_crmf ----------------------------------------------*/
+void proto_register_crmf(void) {
+
+  /* List of fields */
+  static hf_register_info hf[] = {
+    { &hf_crmf_type_oid,
+      { "Type", "crmf.type.oid",
+        FT_STRING, BASE_NONE, NULL, 0,
+        "Type of AttributeTypeAndValue", HFILL }},
+#include "packet-crmf-hfarr.c"
+  };
+
+  /* List of subtrees */
+  static gint *ett[] = {
+#include "packet-crmf-ettarr.c"
+  };
+
+  /* Register protocol */
+  proto_crmf = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+  /* Register fields and subtrees */
+  proto_register_field_array(proto_crmf, hf, array_length(hf));
+  proto_register_subtree_array(ett, array_length(ett));
+
+}
+
+
+/*--- proto_reg_handoff_crmf -------------------------------------------*/
+void proto_reg_handoff_crmf(void) {
+	oid_add_from_string("id-pkip","1.3.6.1.5.5.7.5");
+	oid_add_from_string("id-regCtrl","1.3.6.1.5.5.7.5.1");
+	oid_add_from_string("id-regInfo","1.3.6.1.5.5.7.5.2");
+#include "packet-crmf-dis-tab.c"
+}
+
diff --git a/epan/dissectors/asn1/crmf/packet-crmf-template.h b/epan/dissectors/asn1/crmf/packet-crmf-template.h
new file mode 100644
index 00000000..1028f19a
--- /dev/null
+++ b/epan/dissectors/asn1/crmf/packet-crmf-template.h
@@ -0,0 +1,18 @@
+/* packet-crmf.h
+ * Routines for RFC2511 Certificate Request Message Format packet dissection
+ *   Ronnie Sahlberg 2004
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef PACKET_CRMF_H
+#define PACKET_CRMF_H
+
+#include "packet-crmf-exp.h"
+
+#endif  /* PACKET_CRMF_H */
+