Diffstat (limited to 'epan/dissectors/asn1/x509af')
-rw-r--r--epan/dissectors/asn1/x509af/AuthenticationFramework.asn287
-rw-r--r--epan/dissectors/asn1/x509af/CMakeLists.txt45
-rw-r--r--epan/dissectors/asn1/x509af/packet-x509af-template.c194
-rw-r--r--epan/dissectors/asn1/x509af/packet-x509af-template.h20
-rw-r--r--epan/dissectors/asn1/x509af/x509af.cnf176
5 files changed, 722 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/x509af/AuthenticationFramework.asn b/epan/dissectors/asn1/x509af/AuthenticationFramework.asn
new file mode 100644
index 00000000..a978e122
--- /dev/null
+++ b/epan/dissectors/asn1/x509af/AuthenticationFramework.asn
@@ -0,0 +1,287 @@
+-- Module AuthenticationFramework (X.509:08/1997)
+
+AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
+ authenticationFramework(7) 3} DEFINITIONS ::=
+BEGIN
+
+-- EXPORTS All
+-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
+-- within the Directory Specifications, and for the use of other applications which will use them to access
+-- Directory services. Other applications may use them for their own purposes, but this will not constrain
+-- extensions and modifications needed to maintain or improve the Directory service.
+IMPORTS
+ id-at, id-mr, informationFramework, upperBounds, selectedAttributeTypes,
+ basicAccessControl, certificateExtensions
+ FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
+ usefulDefinitions(0) 3}
+ Name, ATTRIBUTE, AttributeType, MATCHING-RULE, Attribute, RDNSequence
+ FROM InformationFramework informationFramework
+ ub-user-password
+ FROM UpperBounds upperBounds
+ AuthenticationLevel
+ FROM BasicAccessControl basicAccessControl
+ UniqueIdentifier, octetStringMatch
+ FROM SelectedAttributeTypes selectedAttributeTypes
+ certificateExactMatch, certificatePairExactMatch, certificateListExactMatch,
+ GeneralNames
+ FROM CertificateExtensions certificateExtensions;
+
+-- basic certificate definition
+Certificate ::= SEQUENCE {
+ signedCertificate SEQUENCE {
+ version [0] Version DEFAULT v1,
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject SubjectName,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- if present, version must be v2 or v3
+ subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- if present, version must be v2 or v3
+ extensions [3] Extensions OPTIONAL
+ -- If present, version must be v3 -- },
+ algorithmIdentifier AlgorithmIdentifier,
+ encrypted BIT STRING
+}
+
+-- imported to allow labelling
+SubjectName ::= CHOICE {
+ rdnSequence RDNSequence
+}
+
+Version ::= INTEGER {v1(0), v2(1), v3(2)}
+
+CertificateSerialNumber ::= INTEGER
+
+AlgorithmIdentifier ::= SEQUENCE {
+ algorithmId OBJECT IDENTIFIER,
+ parameters ANY OPTIONAL
+}
+
+-- Definition of the following information object set is deferred, perhaps to standardized
+-- profiles or to protocol implementation conformance statements. The set is required to
+-- specify a table constraint on the parameters component of AlgorithmIdentifier.
+--SupportedAlgorithms ALGORITHM ::=
+--{...}
+
+Validity ::= SEQUENCE {notBefore Time,
+ notAfter Time
+}
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING
+}
+
+Time ::= CHOICE {utcTime UTCTime,
+ generalizedTime GeneralizedTime
+}
+
+Extensions ::= SEQUENCE OF Extension
+
+-- For those extensions where ordering of individual extensions within the SEQUENCE is significant, the
+-- specification of those individual extensions shall include the rules for the significance of the order therein
+Extension ::= SEQUENCE {
+ extnId OBJECT IDENTIFIER,
+ critical BOOLEAN OPTIONAL,
+ extnValue OCTET STRING
+-- contains a DER encoding of a value of type &ExtnType
+-- for the extension object identified by extnId
+}
+
+--ExtensionSet EXTENSION ::=
+-- {...}
+
+EXTENSION ::= CLASS {&id OBJECT IDENTIFIER UNIQUE,
+ &ExtnType
+}WITH SYNTAX {SYNTAX &ExtnType
+ IDENTIFIED BY &id
+}
+
+-- other certificate constructs
+Certificates ::= SEQUENCE {
+ userCertificate Certificate,
+ certificationPath ForwardCertificationPath OPTIONAL
+}
+
+ForwardCertificationPath ::= SEQUENCE OF CrossCertificates
+
+CrossCertificates ::= SET OF Certificate
+
+CertificationPath ::= SEQUENCE {
+ userCertificate Certificate,
+ theCACertificates SEQUENCE OF CertificatePair OPTIONAL
+}
+
+CertificatePair ::= SEQUENCE {
+ issuedByThisCA [0] Certificate OPTIONAL,
+ issuedToThisCA [1] Certificate OPTIONAL
+ -- at least one of the pair shall be present
+}
+
+-- Certificate Revocation List (CRL)
+CertificateList ::= SEQUENCE {
+ signedCertificateList SEQUENCE {
+ version Version OPTIONAL,
+ -- if present, version must be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates
+ SEQUENCE OF
+ SEQUENCE {userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL} OPTIONAL,
+ crlExtensions [0] Extensions OPTIONAL},
+ algorithmIdentifier AlgorithmIdentifier,
+ encrypted BIT STRING
+}
+
+-- attribute certificate
+AttributeCertificationPath ::= SEQUENCE {
+ attributeCertificate AttributeCertificate,
+ acPath SEQUENCE OF ACPathData OPTIONAL
+}
+
+ACPathData ::= SEQUENCE {
+ certificate [0] Certificate OPTIONAL,
+ attributeCertificate [1] AttributeCertificate OPTIONAL
+}
+
+--attributeCertificate ATTRIBUTE ::= {
+-- WITH SYNTAX AttributeCertificate
+-- EQUALITY MATCHING RULE attributeCertificateMatch
+-- ID id-at-attributeCertificate
+--}
+
+AttributeCertificate ::= SEQUENCE {
+ signedAttributeCertificateInfo AttributeCertificateInfo,
+ algorithmIdentifier AlgorithmIdentifier,
+ encrypted BIT STRING
+}
+
+AttributeCertificateInfo ::= SEQUENCE {
+ version Version DEFAULT v1,
+ subject
+ CHOICE {baseCertificateID [0] IssuerSerial,
+ subjectName [1] GeneralNames
+ },
+ issuer GeneralNames,
+ signature AlgorithmIdentifier,
+ serialNumber CertificateSerialNumber,
+ attCertValidityPeriod AttCertValidityPeriod,
+ attributes SEQUENCE OF Attribute,
+ issuerUniqueID UniqueIdentifier OPTIONAL,
+ extensions Extensions OPTIONAL
+}
+
+IssuerSerial ::= SEQUENCE {
+ issuer GeneralNames,
+ serial CertificateSerialNumber,
+ issuerUID UniqueIdentifier OPTIONAL
+}
+
+AttCertValidityPeriod ::= SEQUENCE {
+ notBeforeTime GeneralizedTime,
+ notAfterTime GeneralizedTime
+}
+
+--attributeCertificateMatch MATCHING-RULE ::= {
+-- SYNTAX AttributeCertificateAssertion
+-- ID id-mr-attributeCertificateMatch
+--}
+
+AttributeCertificateAssertion ::= SEQUENCE {
+ subject
+ [0] CHOICE {baseCertificateID [0] IssuerSerial,
+ subjectName [1] SubjectName} OPTIONAL,
+ issuer [1] Name OPTIONAL,
+ attCertValidity [2] GeneralizedTime OPTIONAL,
+ attType [3] SET OF AttributeType OPTIONAL
+}
+
+-- At least one component of the sequence must be present
+-- attribute types
+--userPassword ATTRIBUTE ::= {
+-- WITH SYNTAX OCTET STRING(SIZE (0..ub-user-password))
+-- EQUALITY MATCHING RULE octetStringMatch
+-- ID id-at-userPassword
+--}
+
+--userCertificate ATTRIBUTE ::= {
+-- WITH SYNTAX Certificate
+-- EQUALITY MATCHING RULE certificateExactMatch
+-- ID id-at-userCertificate
+--}
+
+--cACertificate ATTRIBUTE ::= {
+-- WITH SYNTAX Certificate
+-- EQUALITY MATCHING RULE certificateExactMatch
+-- ID id-at-cAcertificate
+--}
+
+--crossCertificatePair ATTRIBUTE ::= {
+-- WITH SYNTAX CertificatePair
+-- EQUALITY MATCHING RULE certificatePairExactMatch
+-- ID id-at-crossCertificatePair
+--}
+
+--authorityRevocationList ATTRIBUTE ::= {
+-- WITH SYNTAX CertificateList
+-- EQUALITY MATCHING RULE certificateListExactMatch
+-- ID id-at-authorityRevocationList
+--}
+
+--certificateRevocationList ATTRIBUTE ::= {
+-- WITH SYNTAX CertificateList
+-- EQUALITY MATCHING RULE certificateListExactMatch
+-- ID id-at-certificateRevocationList
+--}
+
+--attributeCertificateRevocationList ATTRIBUTE ::= {
+-- WITH SYNTAX CertificateList
+-- ID id-at-attributeCertificateRevocationList
+--}
+
+-- information object classes
+--ALGORITHM ::= TYPE-IDENTIFIER
+
+-- object identifier assignments
+--id-at-userPassword OBJECT IDENTIFIER ::=
+-- {id-at 35}
+
+id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
+
+id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
+
+id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
+
+id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
+
+id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
+
+id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
+
+id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
+
+--id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}
+
+-- these are sneaked in from DSS - a separate dissector seems OTT
+
+DSS-Params ::= SEQUENCE {
+ p INTEGER,
+ q INTEGER,
+ g INTEGER
+}
+-- WS Add some stuff fytom RFC 1274
+
+ub-user-identifier INTEGER ::= 256
+Userid ::= UTF8String (SIZE (1 .. ub-user-identifier))
+
+END
+
+-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D
+
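Review bot: `Extension` at L105-L111 declares `critical BOOLEAN OPTIONAL`, whereas the X.509 module this was pretty-printed from (and RFC 5280) define it as `BOOLEAN DEFAULT FALSE`; the relaxation is harmless for a decoder, since an explicitly encoded FALSE still parses, but nothing says it is deliberate. A comment on that line, `-- X.509 says DEFAULT FALSE; declared OPTIONAL so BER encoders that emit the default explicitly still dissect`, would stop a later cleanup from "correcting" it. The hand-added tail (L291-L301) also carries a typo in its comment (`fytom` for `from`) that is worth fixing for anyone grepping for the RFC 1274 additions.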
diff --git a/epan/dissectors/asn1/x509af/CMakeLists.txt b/epan/dissectors/asn1/x509af/CMakeLists.txt
new file mode 100644
index 00000000..213294c9
--- /dev/null
+++ b/epan/dissectors/asn1/x509af/CMakeLists.txt
@@ -0,0 +1,45 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME x509af )
+
+set( PROTO_OPT )
+
+set( EXPORT_FILES
+ ${PROTOCOL_NAME}-exp.cnf
+)
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+ AuthenticationFramework.asn
+)
+
+set( EXTRA_DIST
+ ${ASN_FILE_LIST}
+ packet-${PROTOCOL_NAME}-template.c
+ packet-${PROTOCOL_NAME}-template.h
+ ${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+ ${EXTRA_DIST}
+ ${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b )
+
+set( EXTRA_CNF
+ "${CMAKE_CURRENT_BINARY_DIR}/../x509ce/x509ce-exp.cnf"
+ "${CMAKE_CURRENT_BINARY_DIR}/../x509if/x509if-exp.cnf"
+ "${CMAKE_CURRENT_BINARY_DIR}/../x509sat/x509sat-exp.cnf"
+)
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/x509af/packet-x509af-template.c b/epan/dissectors/asn1/x509af/packet-x509af-template.c
new file mode 100644
index 00000000..314007f2
--- /dev/null
+++ b/epan/dissectors/asn1/x509af/packet-x509af-template.c
@@ -0,0 +1,194 @@
+/* packet-x509af.c
+ * Routines for X.509 Authentication Framework packet dissection
+ * Ronnie Sahlberg 2004
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include <epan/oids.h>
+#include <epan/asn1.h>
+#include <epan/strutil.h>
+
+#include "packet-ber.h"
+#include "packet-x509af.h"
+#include "packet-x509ce.h"
+#include "packet-x509if.h"
+#include "packet-x509sat.h"
+#include "packet-ldap.h"
+#include "packet-pkcs1.h"
+#if defined(HAVE_LIBGNUTLS)
+#include <gnutls/gnutls.h>
+#endif
+
+#define PNAME "X.509 Authentication Framework"
+#define PSNAME "X509AF"
+#define PFNAME "x509af"
+
+void proto_register_x509af(void);
+void proto_reg_handoff_x509af(void);
+
+static dissector_handle_t pkix_crl_handle;
+
+/* Initialize the protocol and registered fields */
+static int proto_x509af = -1;
+static int hf_x509af_algorithm_id = -1;
+static int hf_x509af_extension_id = -1;
+#include "packet-x509af-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_pkix_crl = -1;
+#include "packet-x509af-ett.c"
+static const char *algorithm_id = NULL;
+static void
+x509af_export_publickey(tvbuff_t *tvb, asn1_ctx_t *actx, int offset, int len);
+#include "packet-x509af-fn.c"
+
+/* Exports the SubjectPublicKeyInfo structure as gnutls_datum_t.
+ * actx->private_data is assumed to be a gnutls_datum_t pointer which will be
+ * filled in if non-NULL. */
+static void
+x509af_export_publickey(tvbuff_t *tvb _U_, asn1_ctx_t *actx _U_, int offset _U_, int len _U_)
+{
+#if defined(HAVE_LIBGNUTLS)
+ gnutls_datum_t *subjectPublicKeyInfo = (gnutls_datum_t *)actx->private_data;
+ if (subjectPublicKeyInfo) {
+ subjectPublicKeyInfo->data = (guchar *) tvb_get_ptr(tvb, offset, len);
+ subjectPublicKeyInfo->size = len;
+ actx->private_data = NULL;
+ }
+#endif
+}
+
+const char *x509af_get_last_algorithm_id(void) {
+ return algorithm_id;
+}
+
+
+static int
+dissect_pkix_crl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
+{
+ proto_tree *tree;
+ asn1_ctx_t asn1_ctx;
+ asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "PKIX-CRL");
+
+ col_set_str(pinfo->cinfo, COL_INFO, "Certificate Revocation List");
+
+
+ tree=proto_tree_add_subtree(parent_tree, tvb, 0, -1, ett_pkix_crl, NULL, "Certificate Revocation List");
+
+ return dissect_x509af_CertificateList(FALSE, tvb, 0, &asn1_ctx, tree, -1);
+}
+
+static void
+x509af_cleanup_protocol(void)
+{
+ algorithm_id = NULL;
+}
+
+/*--- proto_register_x509af ----------------------------------------------*/
+void proto_register_x509af(void) {
+
+ /* List of fields */
+ static hf_register_info hf[] = {
+ { &hf_x509af_algorithm_id,
+ { "Algorithm Id", "x509af.algorithm.id",
+ FT_OID, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_x509af_extension_id,
+ { "Extension Id", "x509af.extension.id",
+ FT_OID, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+#include "packet-x509af-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+ &ett_pkix_crl,
+#include "packet-x509af-ettarr.c"
+ };
+
+ /* Register protocol */
+ proto_x509af = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+ /* Register fields and subtrees */
+ proto_register_field_array(proto_x509af, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+ register_cleanup_routine(&x509af_cleanup_protocol);
+
+ pkix_crl_handle = register_dissector(PFNAME, dissect_pkix_crl, proto_x509af);
+
+ register_ber_syntax_dissector("Certificate", proto_x509af, dissect_x509af_Certificate_PDU);
+ register_ber_syntax_dissector("CertificateList", proto_x509af, dissect_CertificateList_PDU);
+ register_ber_syntax_dissector("CrossCertificatePair", proto_x509af, dissect_CertificatePair_PDU);
+
+ register_ber_oid_syntax(".cer", NULL, "Certificate");
+ register_ber_oid_syntax(".crt", NULL, "Certificate");
+ register_ber_oid_syntax(".crl", NULL, "CertificateList");
+}
+
+
+/*--- proto_reg_handoff_x509af -------------------------------------------*/
+void proto_reg_handoff_x509af(void) {
+
+ dissector_add_string("media_type", "application/pkix-crl", pkix_crl_handle);
+
+#include "packet-x509af-dis-tab.c"
+
+ /*XXX these should really go to a better place but since
+ I have not that ITU standard, I'll put it here for the time
+ being.
+ Only implemented those algorithms that take no parameters
+ for the time being, ronnie
+ */
+ /* from http://www.alvestrand.no/objectid/1.3.14.3.2.html */
+ register_ber_oid_dissector("1.3.14.3.2.2", dissect_ber_oid_NULL_callback, proto_x509af, "md4WithRSA");
+ register_ber_oid_dissector("1.3.14.3.2.3", dissect_ber_oid_NULL_callback, proto_x509af, "md5WithRSA");
+ register_ber_oid_dissector("1.3.14.3.2.4", dissect_ber_oid_NULL_callback, proto_x509af, "md4WithRSAEncryption");
+ register_ber_oid_dissector("1.3.14.3.2.6", dissect_ber_oid_NULL_callback, proto_x509af, "desECB");
+ register_ber_oid_dissector("1.3.14.3.2.11", dissect_ber_oid_NULL_callback, proto_x509af, "rsaSignature");
+ register_ber_oid_dissector("1.3.14.3.2.14", dissect_ber_oid_NULL_callback, proto_x509af, "mdc2WithRSASignature");
+ register_ber_oid_dissector("1.3.14.3.2.15", dissect_ber_oid_NULL_callback, proto_x509af, "shaWithRSASignature");
+ register_ber_oid_dissector("1.3.14.3.2.16", dissect_ber_oid_NULL_callback, proto_x509af, "dhWithCommonModulus");
+ register_ber_oid_dissector("1.3.14.3.2.17", dissect_ber_oid_NULL_callback, proto_x509af, "desEDE");
+ register_ber_oid_dissector("1.3.14.3.2.18", dissect_ber_oid_NULL_callback, proto_x509af, "sha");
+ register_ber_oid_dissector("1.3.14.3.2.19", dissect_ber_oid_NULL_callback, proto_x509af, "mdc-2");
+ register_ber_oid_dissector("1.3.14.3.2.20", dissect_ber_oid_NULL_callback, proto_x509af, "dsaCommon");
+ register_ber_oid_dissector("1.3.14.3.2.21", dissect_ber_oid_NULL_callback, proto_x509af, "dsaCommonWithSHA");
+ register_ber_oid_dissector("1.3.14.3.2.22", dissect_ber_oid_NULL_callback, proto_x509af, "rsaKeyTransport");
+ register_ber_oid_dissector("1.3.14.3.2.23", dissect_ber_oid_NULL_callback, proto_x509af, "keyed-hash-seal");
+ register_ber_oid_dissector("1.3.14.3.2.24", dissect_ber_oid_NULL_callback, proto_x509af, "md2WithRSASignature");
+ register_ber_oid_dissector("1.3.14.3.2.25", dissect_ber_oid_NULL_callback, proto_x509af, "md5WithRSASignature");
+ register_ber_oid_dissector("1.3.14.3.2.26", dissect_ber_oid_NULL_callback, proto_x509af, "SHA-1");
+ register_ber_oid_dissector("1.3.14.3.2.27", dissect_ber_oid_NULL_callback, proto_x509af, "dsaWithSHA1");
+ register_ber_oid_dissector("1.3.14.3.2.28", dissect_ber_oid_NULL_callback, proto_x509af, "dsaWithCommonSHA1");
+ register_ber_oid_dissector("1.3.14.3.2.29", dissect_ber_oid_NULL_callback, proto_x509af, "sha-1WithRSAEncryption");
+
+ /* these will generally be encoded as ";binary" in LDAP */
+
+ dissector_add_string("ldap.name", "cACertificate", create_dissector_handle(dissect_x509af_Certificate_PDU, proto_x509af));
+ dissector_add_string("ldap.name", "userCertificate", create_dissector_handle(dissect_x509af_Certificate_PDU, proto_x509af));
+
+ dissector_add_string("ldap.name", "certificateRevocationList", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af));
+ dissector_add_string("ldap.name", "crl", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af));
+
+ dissector_add_string("ldap.name", "authorityRevocationList", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af));
+ dissector_add_string("ldap.name", "arl", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af));
+
+ dissector_add_string("ldap.name", "crossCertificatePair", create_dissector_handle(dissect_CertificatePair_PDU, proto_x509af));
+
+ /* RFC 7468 files */
+ dissector_add_string("rfc7468.preeb_label", "CERTIFICATE", create_dissector_handle(dissect_x509af_Certificate_PDU, proto_x509af));
+ dissector_add_string("rfc7468.preeb_label", "X509 CRL", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af));
+ dissector_add_string("rfc7468.preeb_label", "ATTRIBUTE CERTIFICATE", create_dissector_handle(dissect_AttributeCertificate_PDU, proto_x509af));
+ dissector_add_string("rfc7468.preeb_label", "PUBLIC KEY", create_dissector_handle(dissect_SubjectPublicKeyInfo_PDU, proto_x509af));
+}
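Review bot: `x509af_export_publickey` (L419-L430) writes through `actx->private_data` after an unchecked cast to `gnutls_datum_t *`, so any caller that reaches SubjectPublicKeyInfo with a non-NULL `private_data` of some other type gets that object overwritten; the contract exists only in the comment above the function and no caller-visible flag distinguishes "export requested" from "private_data in use for something else". The stored `data` pointer also comes from `tvb_get_ptr()`, so the datum does not own the bytes and is valid only while that tvb is alive, which the comment should state: `/* Borrowed pointer into tvb, valid only for the tvb's lifetime; the datum does not own it. */`. If the gnutls consumers are the only callers this is probably fine today, but the comment should name them so the assumption is checkable.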
diff --git a/epan/dissectors/asn1/x509af/packet-x509af-template.h b/epan/dissectors/asn1/x509af/packet-x509af-template.h
new file mode 100644
index 00000000..7e4d971d
--- /dev/null
+++ b/epan/dissectors/asn1/x509af/packet-x509af-template.h
@@ -0,0 +1,20 @@
+/* packet-x509af.h
+ * Routines for X.509 Authentication Framework packet dissection
+ * Ronnie Sahlberg 2004
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef PACKET_X509AF_H
+#define PACKET_X509AF_H
+
+#include "packet-x509af-exp.h"
+
+extern const char* x509af_get_last_algorithm_id(void);
+
+#endif /* PACKET_X509AF_H */
+
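Review bot: `x509af_get_last_algorithm_id()` is exported here without a contract, and its semantics are not obvious from the name: per the template and .cnf it returns a dotted-string copy of the most recently dissected AlgorithmIdentifier.algorithmId, NULL if none has been seen or after the cleanup routine ran, and the string is freed and replaced the next time any AlgorithmIdentifier is dissected. Add on the declaration: `/* Dotted-string OID of the most recently dissected AlgorithmIdentifier, or NULL. Lives in wmem_file_scope() and is released on the next AlgorithmIdentifier, so copy it if it must outlive the current PDU. */`. Callers should also be warned it is global state, so an unrelated or nested AlgorithmIdentifier dissected in between changes the answer.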
diff --git a/epan/dissectors/asn1/x509af/x509af.cnf b/epan/dissectors/asn1/x509af/x509af.cnf
new file mode 100644
index 00000000..3061ed2c
--- /dev/null
+++ b/epan/dissectors/asn1/x509af/x509af.cnf
@@ -0,0 +1,176 @@
+# x509.cnf
+# X509 conformation file
+
+#.IMPORT ../x509ce/x509ce-exp.cnf
+#.IMPORT ../x509if/x509if-exp.cnf
+#.IMPORT ../x509sat/x509sat-exp.cnf
+
+#.MODULE_EXPORTS
+EXTENSION
+ACPathData
+AlgorithmIdentifier
+AttCertValidityPeriod
+AttributeCertificate
+AttributeCertificateAssertion
+AttributeCertificateInfo
+AttributeCertificationPath
+Certificate
+Certificate_PDU
+Certificates
+CertificateList
+CertificatePair
+CertificateSerialNumber
+CertificationPath
+CrossCertificates
+Extension
+Extensions
+ForwardCertificationPath
+IssuerSerial
+SubjectPublicKeyInfo
+Time
+Validity
+Version
+
+#.PDU
+SubjectPublicKeyInfo
+
+#.REGISTER
+Certificate B "2.5.4.36" "id-at-userCertificate"
+Certificate B "2.5.4.37" "id-at-cAcertificate"
+CertificateList B "2.5.4.38" "id-at-authorityRevocationList"
+CertificateList B "2.5.4.39" "id-at-certificateRevocationList"
+CertificatePair B "2.5.4.40" "id-at-crossCertificatePair"
+CertificateList B "2.5.4.53" "id-at-deltaRevocationList"
+AttributeCertificate B "2.5.4.58" "id-at-attributeCertificate"
+CertificateList B "2.5.4.59" "id-at-attributeCertificateRevocationList"
+
+DSS-Params B "1.2.840.10040.4.1" "id-dsa"
+# WS Implemet from RFC 1274
+Userid B "0.9.2342.19200300.100.1.1" "id-userid"
+
+#.TYPE_RENAME
+AttributeCertificateInfo/subject InfoSubject
+AttributeCertificateAssertion/subject AssertionSubject
+
+#.FIELD_RENAME
+AttributeCertificateInfo/issuer issuerName
+AttributeCertificateInfo/subject info_subject
+AttributeCertificateAssertion/subject assertion_subject
+
+AttributeCertificateAssertion/issuer assertionIssuer
+
+AttributeCertificateInfo/subject/subjectName infoSubjectName
+AttributeCertificateAssertion/subject/subjectName assertionSubjectName
+IssuerSerial/issuer issuerName
+CertificateList/signedCertificateList/revokedCertificates/_item/userCertificate revokedUserCertificate
+#.END
+
+#.FN_PARS AlgorithmIdentifier/algorithmId
+ FN_VARIANT = _str HF_INDEX = hf_x509af_algorithm_id VAL_PTR = &actx->external.direct_reference
+
+#.FN_BODY AlgorithmIdentifier/algorithmId
+ const char *name;
+
+ %(DEFAULT_BODY)s
+
+ if (algorithm_id) {
+ wmem_free(wmem_file_scope(), (void*)algorithm_id);
+ }
+
+ if(actx->external.direct_reference) {
+ algorithm_id = (const char *)wmem_strdup(wmem_file_scope(), actx->external.direct_reference);
+
+ name = oid_resolved_from_string(actx->pinfo->pool, actx->external.direct_reference);
+
+ proto_item_append_text(tree, " (%%s)", name ? name : actx->external.direct_reference);
+ } else {
+ algorithm_id = NULL;
+ }
+
+#.FN_BODY AlgorithmIdentifier/parameters
+ offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
+
+#.FN_HDR SubjectPublicKeyInfo
+ int orig_offset = offset;
+#.FN_FTR SubjectPublicKeyInfo
+ x509af_export_publickey(tvb, actx, orig_offset, offset - orig_offset);
+#.END
+
+#.FN_BODY SubjectPublicKeyInfo/subjectPublicKey
+ tvbuff_t *bs_tvb = NULL;
+# proto_tree *subtree;
+
+ dissect_ber_bitstring(FALSE, actx, NULL, tvb, offset,
+ NULL, 0, hf_index, -1, &bs_tvb);
+
+ /* See RFC 3279 for possible subjectPublicKey values given an Algorithm ID.
+ * The contents of subjectPublicKey are always explicitly tagged. */
+ if (bs_tvb && !g_strcmp0(algorithm_id, "1.2.840.113549.1.1.1")) { /* id-rsa */
+ offset += dissect_pkcs1_RSAPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
+
+# TODO: PKCS#1 only defines RSA; DH and DSA are from PKIX1Algorithms2008
+# } else if (bs_tvb && !g_strcmp0(algorithm_id, "1.2.840.10040.4.1")) { /* id-dsa */
+# subtree = proto_item_add_subtree(actx->created_item, ett_subjectpublickey);
+# offset += dissect_DSAPublicKey(FALSE, bs_tvb, 0, actx, subtree, hf_dsa_y);
+#
+# } else if (bs_tvb && !g_strcmp0(algorithm_id, "1.2.840.10046.2.1")) { /* dhpublicnumber */
+# subtree = proto_item_add_subtree(actx->created_item, ett_subjectpublickey);
+# offset += dissect_DHPublicKey(FALSE, bs_tvb, 0, actx, subtree, hf_dh_y);
+#
+ } else {
+ offset = dissect_ber_bitstring(FALSE, actx, tree, tvb, offset,
+ NULL, 0, hf_index, -1, NULL);
+ }
+
+#.FN_PARS Extension/extnId
+ FN_VARIANT = _str HF_INDEX = hf_x509af_extension_id VAL_PTR = &actx->external.direct_reference
+
+#.FN_BODY Extension/extnId
+ const char *name;
+
+ %(DEFAULT_BODY)s
+
+ if(actx->external.direct_reference) {
+ name = oid_resolved_from_string(actx->pinfo->pool, actx->external.direct_reference);
+
+ proto_item_append_text(tree, " (%%s)", name ? name : actx->external.direct_reference);
+ }
+
+#.FN_BODY Extension/extnValue
+ gint8 ber_class;
+ bool pc, ind;
+ gint32 tag;
+ guint32 len;
+ /* skip past the T and L */
+ offset = dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &ber_class, &pc, &tag);
+ offset = dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, &ind);
+ offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
+
+#.FN_BODY Time/utcTime
+ char *outstr, *newstr;
+ guint32 tvblen;
+
+ /* the 2-digit year can only be in the range 1950..2049 https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1 */
+ offset = dissect_ber_UTCTime(implicit_tag, actx, tree, tvb, offset, hf_index, &outstr, &tvblen);
+ if (hf_index >= 0 && outstr) {
+ newstr = wmem_strconcat(actx->pinfo->pool, outstr[0] < '5' ? "20": "19", outstr, NULL);
+ proto_tree_add_string(tree, hf_index, tvb, offset - tvblen, tvblen, newstr);
+ }
+
+#.FN_BODY SubjectName
+
+ const char* str;
+ %(DEFAULT_BODY)s
+
+ str = x509if_get_last_dn();
+ proto_item_append_text(proto_item_get_parent(tree), " (%%s)", str?str:"");
+
+#.TYPE_ATTR
+CertificateSerialNumber TYPE = FT_BYTES DISPLAY = BASE_NONE
+DSS-Params/p TYPE = FT_BYTES DISPLAY = BASE_NONE
+DSS-Params/q TYPE = FT_BYTES DISPLAY = BASE_NONE
+DSS-Params/g TYPE = FT_BYTES DISPLAY = BASE_NONE
+
+#.FN_PARS CertificateSerialNumber FN_VARIANT = 64
+
+#.END
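Review bot: `Extension/extnValue` (L728-L736) steps over the OCTET STRING tag and length and then hands the extension's registered dissector the whole `tvb` at `offset`, so the callback is not bounded by `len` and the offset returned is whatever the callback consumed; a truncated or padded extnValue in a hostile certificate lets that dissector read into the following Extension and mis-attribute fields, and a callback that consumes less than `len` may leave the parent SEQUENCE out of step. The identifier read into `ber_class`/`pc`/`tag` is never checked against OCTET STRING either. Unless `ind` is set, bound the call and advance by the declared length: `call_ber_oid_callback(actx->external.direct_reference, tvb_new_subset_length(tvb, offset, len), 0, actx->pinfo, tree, NULL);` followed by `offset += len;`. Separately, in `SubjectPublicKeyInfo/subjectPublicKey` (L692-L698) the return value of the first `dissect_ber_bitstring()` is discarded and the RSA branch adds the inner RSAPublicKey length to the offset of the BIT STRING's tag, so the offset it returns is not the end of the BIT STRING; capture the first call's return in an `end_offset` and set `offset = end_offset` after dissecting the key.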