diff options
Diffstat (limited to 'epan/dissectors/asn1/crmf')
-rw-r--r-- | epan/dissectors/asn1/crmf/CMakeLists.txt | 43 | ||||
-rw-r--r-- | epan/dissectors/asn1/crmf/CRMF.asn | 311 | ||||
-rw-r--r-- | epan/dissectors/asn1/crmf/crmf.cnf | 49 | ||||
-rw-r--r-- | epan/dissectors/asn1/crmf/packet-crmf-template.c | 75 | ||||
-rw-r--r-- | epan/dissectors/asn1/crmf/packet-crmf-template.h | 18 |
5 files changed, 496 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/crmf/CMakeLists.txt b/epan/dissectors/asn1/crmf/CMakeLists.txt new file mode 100644 index 00000000..434fba7c --- /dev/null +++ b/epan/dissectors/asn1/crmf/CMakeLists.txt @@ -0,0 +1,43 @@ +# CMakeLists.txt +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later +# + +set( PROTOCOL_NAME crmf ) + +set( PROTO_OPT ) + +set( EXPORT_FILES + ${PROTOCOL_NAME}-exp.cnf +) + +set( EXT_ASN_FILE_LIST +) + +set( ASN_FILE_LIST + CRMF.asn +) + +set( EXTRA_DIST + ${ASN_FILE_LIST} + packet-${PROTOCOL_NAME}-template.c + packet-${PROTOCOL_NAME}-template.h + ${PROTOCOL_NAME}.cnf +) + +set( SRC_FILES + ${EXTRA_DIST} + ${EXT_ASN_FILE_LIST} +) + +set( A2W_FLAGS -b ) + +set( EXTRA_CNF + "${CMAKE_CURRENT_BINARY_DIR}/../cms/cms-exp.cnf" +) + +ASN2WRS() diff --git a/epan/dissectors/asn1/crmf/CRMF.asn b/epan/dissectors/asn1/crmf/CRMF.asn new file mode 100644 index 00000000..e7e4bbe7 --- /dev/null +++ b/epan/dissectors/asn1/crmf/CRMF.asn @@ -0,0 +1,311 @@ +-- Extracted from RFC4211 +-- by Martin Peylo <martin.peylo@nsn.com> +-- +-- Changes to make it work with asn2wrs: +-- - none +-- +-- The copyright statement from the original description in RFC4211 +-- follows below: +-- +-- Full Copyright Statement +-- +-- Copyright (C) The Internet Society (2005). +-- +-- This document is subject to the rights, licenses and restrictions +-- contained in BCP 78, and except as set forth therein, the authors +-- retain all their rights. +-- +-- This document and the information contained herein are provided on an +-- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS +-- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET +-- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, +-- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE +-- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED +-- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6) internet(1) +security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005(36)} + +DEFINITIONS IMPLICIT TAGS ::= +BEGIN + +IMPORTS + -- Directory Authentication Framework (X.509) + Version, AlgorithmIdentifier, Name, Time, + SubjectPublicKeyInfo, Extensions, UniqueIdentifier, Attribute + FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-pkix1-explicit(18)} -- found in [PROFILE] + + -- Certificate Extensions (X.509) + GeneralName + FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-pkix1-implicit(19)} -- found in [PROFILE] + + -- Cryptographic Message Syntax + EnvelopedData + FROM CryptographicMessageSyntax2004 { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) + modules(0) cms-2004(24) }; -- found in [CMS] + +-- The following definition may be uncommented for use with +-- ASN.1 compilers that do not understand UTF8String. + +-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING + -- The contents of this type correspond to RFC 2279. + +id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) +dod(6) internet(1) security(5) mechanisms(5) 7 } + +-- arc for Internet X.509 PKI protocols and their components + +id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 } + +id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } + +id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types + +-- Core definitions for this module + +CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg + +CertReqMsg ::= SEQUENCE { + certReq CertRequest, + popo ProofOfPossession OPTIONAL, + -- content depends upon key type + regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL } + +CertRequest ::= SEQUENCE { + certReqId INTEGER, -- ID for matching request and reply + certTemplate CertTemplate, -- Selected fields of cert to be issued + controls Controls OPTIONAL } -- Attributes affecting issuance + +CertTemplate ::= SEQUENCE { + version [0] Version OPTIONAL, + serialNumber [1] INTEGER(MIN..MAX) OPTIONAL, -- Wireshark extension to get 64 bit handling + signingAlg [2] AlgorithmIdentifier OPTIONAL, + issuer [3] Name OPTIONAL, + validity [4] OptionalValidity OPTIONAL, + subject [5] Name OPTIONAL, + publicKey [6] SubjectPublicKeyInfo OPTIONAL, + issuerUID [7] UniqueIdentifier OPTIONAL, + subjectUID [8] UniqueIdentifier OPTIONAL, + extensions [9] Extensions OPTIONAL } + +OptionalValidity ::= SEQUENCE { + notBefore [0] Time OPTIONAL, + notAfter [1] Time OPTIONAL } -- at least one MUST be present + +Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue + +AttributeTypeAndValue ::= SEQUENCE { + type OBJECT IDENTIFIER, + value ANY DEFINED BY type } + +ProofOfPossession ::= CHOICE { + raVerified [0] NULL, + -- used if the RA has already verified that the requester is in + -- possession of the private key + signature [1] POPOSigningKey, + keyEncipherment [2] POPOPrivKey, + keyAgreement [3] POPOPrivKey } + +POPOSigningKey ::= SEQUENCE { + poposkInput [0] POPOSigningKeyInput OPTIONAL, + algorithmIdentifier AlgorithmIdentifier, + signature BIT STRING } + + -- The signature (using "algorithmIdentifier") is on the + -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg + -- certReq CertTemplate contains the subject and publicKey values, + -- then poposkInput MUST be omitted and the signature MUST be + -- computed over the DER-encoded value of CertReqMsg certReq. If + -- the CertReqMsg certReq CertTemplate does not contain both the + -- public key and subject values (i.e., if it contains only one + -- of these, or neither), then poposkInput MUST be present and + -- MUST be signed. + +POPOSigningKeyInput ::= SEQUENCE { + authInfo CHOICE { + sender [0] GeneralName, + -- used only if an authenticated identity has been + -- established for the sender (e.g., a DN from a + -- previously-issued and currently-valid certificate) + publicKeyMAC PKMACValue }, + -- used if no authenticated GeneralName currently exists for + -- the sender; publicKeyMAC contains a password-based MAC + -- on the DER-encoded value of publicKey + publicKey SubjectPublicKeyInfo } -- from CertTemplate + +PKMACValue ::= SEQUENCE { +algId AlgorithmIdentifier, +-- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13} +-- parameter value is PBMParameter +value BIT STRING } + +PBMParameter ::= SEQUENCE { + salt OCTET STRING, + owf AlgorithmIdentifier, + -- AlgId for a One-Way Function (SHA-1 recommended) + iterationCount INTEGER, + -- number of times the OWF is applied + mac AlgorithmIdentifier + -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], +} -- or HMAC [HMAC, RFC2202]) + +POPOPrivKey ::= CHOICE { + thisMessage [0] BIT STRING, -- Deprecated + -- possession is proven in this message (which contains the private + -- key itself (encrypted for the CA)) + subsequentMessage [1] SubsequentMessage, + -- possession will be proven in a subsequent message + dhMAC [2] BIT STRING, -- Deprecated + agreeMAC [3] PKMACValue, + encryptedKey [4] EnvelopedData } + + -- for keyAgreement (only), possession is proven in this message + -- (which contains a MAC (over the DER-encoded value of the + -- certReq parameter in CertReqMsg, which MUST include both subject + -- and publicKey) based on a key derived from the end entity's + -- private DH key and the CA's public DH key); + +SubsequentMessage ::= INTEGER { + encrCert (0), + -- requests that resulting certificate be encrypted for the + -- end entity (following which, POP will be proven in a + -- confirmation message) + challengeResp (1) } + -- requests that CA engage in challenge-response exchange with + -- end entity in order to prove private key possession + +-- Object identifier assignments -- + +-- Registration Controls in CRMF +id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 } + + +id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 } +--with syntax: +RegToken ::= UTF8String + +id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 } +--with syntax: +Authenticator ::= UTF8String + +id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 } +--with syntax: + +PKIPublicationInfo ::= SEQUENCE { +action INTEGER { + dontPublish (0), + pleasePublish (1) }, +pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL } + -- pubInfos MUST NOT be present if action is "dontPublish" + -- (if action is "pleasePublish" and pubInfos is omitted, + -- "dontCare" is assumed) + +SinglePubInfo ::= SEQUENCE { + pubMethod INTEGER { + dontCare (0), + x500 (1), + web (2), + ldap (3) }, + pubLocation GeneralName OPTIONAL } + +id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 } +--with syntax: +PKIArchiveOptions ::= CHOICE { + encryptedPrivKey [0] EncryptedKey, + -- the actual value of the private key + keyGenParameters [1] KeyGenParameters, + -- parameters that allow the private key to be re-generated + archiveRemGenPrivKey [2] BOOLEAN } + -- set to TRUE if sender wishes receiver to archive the private + -- key of a key pair that the receiver generates in response to + -- this request; set to FALSE if no archival is desired. + +EncryptedKey ::= CHOICE { + encryptedValue EncryptedValue, -- Deprecated + envelopedData [0] EnvelopedData } + -- The encrypted private key MUST be placed in the envelopedData + -- encryptedContentInfo encryptedContent OCTET STRING. + +EncryptedValue ::= SEQUENCE { + intendedAlg [0] AlgorithmIdentifier OPTIONAL, + -- the intended algorithm for which the value will be used + symmAlg [1] AlgorithmIdentifier OPTIONAL, + -- the symmetric algorithm used to encrypt the value + encSymmKey [2] BIT STRING OPTIONAL, + -- the (encrypted) symmetric key used to encrypt the value + keyAlg [3] AlgorithmIdentifier OPTIONAL, + -- algorithm used to encrypt the symmetric key + valueHint [4] OCTET STRING OPTIONAL, + -- a brief description or identifier of the encValue content + -- (may be meaningful only to the sending entity, and used only + -- if EncryptedValue might be re-examined by the sending entity + -- in the future) + encValue BIT STRING } + -- the encrypted value itself +-- When EncryptedValue is used to carry a private key (as opposed to +-- a certificate), implementations MUST support the encValue field +-- containing an encrypted PrivateKeyInfo as defined in [PKCS11], +-- section 12.11. If encValue contains some other format/encoding +-- for the private key, the first octet of valueHint MAY be used +-- to indicate the format/encoding (but note that the possible values +-- of this octet are not specified at this time). In all cases, the +-- intendedAlg field MUST be used to indicate at least the OID of +-- the intended algorithm of the private key, unless this information +-- is known a priori to both sender and receiver by some other means. + +KeyGenParameters ::= OCTET STRING + +id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 } +--with syntax: +OldCertId ::= CertId + +CertId ::= SEQUENCE { + issuer GeneralName, + serialNumber INTEGER(MIN..MAX) } -- Wireshark extension to get 64 bit handling + +id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 } +--with syntax: +ProtocolEncrKey ::= SubjectPublicKeyInfo + +-- Registration Info in CRMF +id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 } + +id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= { id-regInfo 1 } +--with syntax +UTF8Pairs ::= UTF8String + +id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 } +--with syntax +CertReq ::= CertRequest + +-- id-ct-encKeyWithID is a new content type used for CMS objects. +-- it contains both a private key and an identifier for key escrow +-- agents to check against recovery requestors. + +id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} + +EncKeyWithID ::= SEQUENCE { + privateKey PrivateKeyInfo, + identifier CHOICE { + string UTF8String, + generalName GeneralName + } OPTIONAL +} + +PrivateKeyInfo ::= SEQUENCE { + version INTEGER, + privateKeyAlgorithm AlgorithmIdentifier, + privateKey OCTET STRING, + attributes [0] IMPLICIT Attributes OPTIONAL +} + +Attributes ::= SET OF Attribute + +END diff --git a/epan/dissectors/asn1/crmf/crmf.cnf b/epan/dissectors/asn1/crmf/crmf.cnf new file mode 100644 index 00000000..e10b1438 --- /dev/null +++ b/epan/dissectors/asn1/crmf/crmf.cnf @@ -0,0 +1,49 @@ +# CRMF.cnf +# CRMF conformation file + +#.MODULE_IMPORT +PKIX1Explicit88 pkix1explicit +PKIX1Implicit88 pkix1implicit +CryptographicMessageSyntax2004 cms + +#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf +#.INCLUDE ../pkix1implicit/pkix1implicit_exp.cnf + +#.EXPORTS +AttributeTypeAndValue +CertId +CertReqMessages +CertTemplate +EncryptedValue +PKIPublicationInfo + +#.REGISTER +EncKeyWithID B "1.2.840.113549.1.9.16.1.21" "id-ct-encKeyWithID" +PBMParameter B "1.2.840.113533.7.66.13" "PasswordBasedMac" +RegToken B "1.3.6.1.5.5.7.5.1.1" "id-regCtrl-regToken" +Authenticator B "1.3.6.1.5.5.7.5.1.2" "id-regCtrl-authenticator" +PKIPublicationInfo B "1.3.6.1.5.5.7.5.1.3" "id-regCtrl-pkiPublicationInfo" +PKIArchiveOptions B "1.3.6.1.5.5.7.5.1.4" "id-regCtrl-pkiArchiveOptions" +OldCertId B "1.3.6.1.5.5.7.5.1.5" "id-regCtrl-oldCertID" +ProtocolEncrKey B "1.3.6.1.5.5.7.5.1.6" "id-regCtrl-protocolEncrKey" +UTF8Pairs B "1.3.6.1.5.5.7.5.2.1" "id-regInfo-utf8Pairs" +CertReq B "1.3.6.1.5.5.7.5.2.2" "id-regInfo-certReq" + +#.NO_EMIT + +#.TYPE_RENAME + +#.FIELD_RENAME +CertTemplate/issuer template_issuer +POPOSigningKey/signature sk_signature +PKMACValue/value pkmac_value +PrivateKeyInfo/version privkey_version +EncKeyWithID/privateKey enckeywid_privkey + +#.FN_PARS AttributeTypeAndValue/type + FN_VARIANT = _str HF_INDEX = hf_crmf_type_oid VAL_PTR = &actx->external.direct_reference + +#.FN_BODY AttributeTypeAndValue/value + offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL); + +#.END diff --git a/epan/dissectors/asn1/crmf/packet-crmf-template.c b/epan/dissectors/asn1/crmf/packet-crmf-template.c new file mode 100644 index 00000000..682f8bd1 --- /dev/null +++ b/epan/dissectors/asn1/crmf/packet-crmf-template.c @@ -0,0 +1,75 @@ +/* packet-crmf.c + * Routines for RFC2511 Certificate Request Message Format packet dissection + * Ronnie Sahlberg 2004 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <epan/packet.h> +#include <epan/oids.h> +#include <epan/asn1.h> + +#include "packet-ber.h" +#include "packet-crmf.h" +#include "packet-cms.h" +#include "packet-pkix1explicit.h" +#include "packet-pkix1implicit.h" + +#define PNAME "Certificate Request Message Format" +#define PSNAME "CRMF" +#define PFNAME "crmf" + +void proto_register_crmf(void); +void proto_reg_handoff_crmf(void); + +/* Initialize the protocol and registered fields */ +static int proto_crmf = -1; +static int hf_crmf_type_oid = -1; +#include "packet-crmf-hf.c" + +/* Initialize the subtree pointers */ +#include "packet-crmf-ett.c" +#include "packet-crmf-fn.c" + + +/*--- proto_register_crmf ----------------------------------------------*/ +void proto_register_crmf(void) { + + /* List of fields */ + static hf_register_info hf[] = { + { &hf_crmf_type_oid, + { "Type", "crmf.type.oid", + FT_STRING, BASE_NONE, NULL, 0, + "Type of AttributeTypeAndValue", HFILL }}, +#include "packet-crmf-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { +#include "packet-crmf-ettarr.c" + }; + + /* Register protocol */ + proto_crmf = proto_register_protocol(PNAME, PSNAME, PFNAME); + + /* Register fields and subtrees */ + proto_register_field_array(proto_crmf, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + +} + + +/*--- proto_reg_handoff_crmf -------------------------------------------*/ +void proto_reg_handoff_crmf(void) { + oid_add_from_string("id-pkip","1.3.6.1.5.5.7.5"); + oid_add_from_string("id-regCtrl","1.3.6.1.5.5.7.5.1"); + oid_add_from_string("id-regInfo","1.3.6.1.5.5.7.5.2"); +#include "packet-crmf-dis-tab.c" +} + diff --git a/epan/dissectors/asn1/crmf/packet-crmf-template.h b/epan/dissectors/asn1/crmf/packet-crmf-template.h new file mode 100644 index 00000000..1028f19a --- /dev/null +++ b/epan/dissectors/asn1/crmf/packet-crmf-template.h @@ -0,0 +1,18 @@ +/* packet-crmf.h + * Routines for RFC2511 Certificate Request Message Format packet dissection + * Ronnie Sahlberg 2004 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_CRMF_H +#define PACKET_CRMF_H + +#include "packet-crmf-exp.h" + +#endif /* PACKET_CRMF_H */ + |