EtsiTs103097Module { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) v1(0) } DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS Ieee1609Dot2Data, ExplicitCertificate FROM IEEE1609dot2 {iso(1) identified-organization(3) ieee(111) standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2) base (1) schema (1) major-version-2(2)}; EtsiTs103097Certificate::= ExplicitCertificate (WITH COMPONENTS{..., toBeSigned (WITH COMPONENTS{..., id (WITH COMPONENTS{..., linkageData ABSENT, binaryId ABSENT }), certRequestPermissions ABSENT, canRequestRollover ABSENT }) }) SingleEtsiTs103097Certificate ::= SEQUENCE { only EtsiTs103097Certificate } EtsiTs103097Data::=Ieee1609Dot2Data (WITH COMPONENTS {..., content (WITH COMPONENTS {..., signedData (WITH COMPONENTS {..., -- constraints on signed data headers tbsData (WITH COMPONENTS { headerInfo (WITH COMPONENTS {..., generationTime PRESENT, p2pcdLearningRequest ABSENT, missingCrlIdentifier ABSENT }) }), signer (WITH COMPONENTS {..., --constraints on the certificate certificate (SIZE(1)) }) }), encryptedData (WITH COMPONENTS {..., -- constraints on encrypted data headers recipients (WITH COMPONENT ( (WITH COMPONENTS {..., pskRecipInfo ABSENT, symmRecipInfo ABSENT, rekRecipInfo ABSENT }) )) }), signedCertificateRequest ABSENT }) }) EtsiTs103097Data-Signed {ToBeSignedDataContent} ::= EtsiTs103097Data (WITH COMPONENTS {..., content (WITH COMPONENTS { signedData (WITH COMPONENTS {..., tbsData (WITH COMPONENTS { payload (WITH COMPONENTS { data (WITH COMPONENTS {..., content (WITH COMPONENTS { unsecuredData (CONTAINING ToBeSignedDataContent) }) }) PRESENT }) }) }) }) }) EtsiTs103097Data-SignedExternalPayload ::= EtsiTs103097Data (WITH COMPONENTS {..., content (WITH COMPONENTS { signedData (WITH COMPONENTS {..., tbsData (WITH COMPONENTS { payload (WITH COMPONENTS { extDataHash (WITH COMPONENTS { sha256HashedData PRESENT }) PRESENT }) }) }) }) }) EtsiTs103097Data-Encrypted {ToBeEncryptedDataContent} ::= EtsiTs103097Data (WITH COMPONENTS {..., content (WITH COMPONENTS { encryptedData (WITH COMPONENTS {..., ciphertext (WITH COMPONENTS {..., aes128ccm (WITH COMPONENTS {..., ccmCiphertext (CONSTRAINED BY {-- ccm encryption of -- ToBeEncryptedDataContent}) }) }) }) }) }) EtsiTs103097Data-SignedAndEncrypted {ToBesignedAndEncryptedDataContent} ::= EtsiTs103097Data-Encrypted {EtsiTs103097Data-Signed {ToBesignedAndEncryptedDataContent}} END IEEE1609dot2 {iso(1) identified-organization(3) ieee(111) standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2) base (1) schema (1) major-version-2(2)} --****************************************************************************** -- -- IEEE P1609.2 Data Types -- --****************************************************************************** DEFINITIONS AUTOMATIC TAGS ::= BEGIN EXPORTS ALL; IMPORTS CrlSeries, EccP256CurvePoint, EciesP256EncryptedKey, EncryptionKey, GeographicRegion, GroupLinkageValue, HashAlgorithm, HashedId3, HashedId8, Hostname, IValue, LinkageValue, Opaque, Psid, PsidSsp, PsidSspRange, PublicEncryptionKey, PublicVerificationKey, SequenceOfHashedId3, SequenceOfPsidSsp, SequenceOfPsidSspRange, ServiceSpecificPermissions, Signature, SubjectAssurance, SymmetricEncryptionKey, ThreeDLocation, Time64, Uint3, Uint8, Uint16, Uint32, ValidityPeriod FROM IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111) standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2) base(1) base-types(2) major-version-2 (2)} ; -- --********************************************************************* -- -- Structures for describing secured data -- --********************************************************************* -- Necessary to get certain tools to generate sample PDUs -- TestIeee1609Dot2Data ::= Ieee1609Dot2Data -- TestCertificate ::= Certificate -- this structure belongs later in the file but putting it here avoids -- compiler errors with certain tools SignedDataPayload ::= SEQUENCE { data Ieee1609Dot2Data OPTIONAL, extDataHash HashedData OPTIONAL, ... } (WITH COMPONENTS {..., data PRESENT} | WITH COMPONENTS {..., extDataHash PRESENT}) Ieee1609Dot2Data ::= SEQUENCE { protocolVersion Uint8(3), content Ieee1609Dot2Content } Ieee1609Dot2Content ::= CHOICE { unsecuredData Opaque, signedData SignedData, encryptedData EncryptedData, signedCertificateRequest Opaque, ... } SignedData ::= SEQUENCE { hashId HashAlgorithm, tbsData ToBeSignedData, signer SignerIdentifier, signature Signature } SignerIdentifier ::= CHOICE { digest HashedId8, certificate SequenceOfCertificate, self NULL, ... } ToBeSignedData ::= SEQUENCE { payload SignedDataPayload, headerInfo HeaderInfo } HashedData::= CHOICE { sha256HashedData OCTET STRING (SIZE(32)), ... } HeaderInfo ::= SEQUENCE { psid Psid, generationTime Time64 OPTIONAL, expiryTime Time64 OPTIONAL, generationLocation ThreeDLocation OPTIONAL, p2pcdLearningRequest HashedId3 OPTIONAL, missingCrlIdentifier MissingCrlIdentifier OPTIONAL, encryptionKey EncryptionKey OPTIONAL, ..., inlineP2pcdRequest SequenceOfHashedId3 OPTIONAL, requestedCertificate Certificate OPTIONAL } MissingCrlIdentifier ::= SEQUENCE { cracaId HashedId3, crlSeries CrlSeries, ... } Countersignature ::= Ieee1609Dot2Data (WITH COMPONENTS {..., content (WITH COMPONENTS {..., signedData (WITH COMPONENTS {..., tbsData (WITH COMPONENTS {..., payload (WITH COMPONENTS {..., data ABSENT, extDataHash PRESENT }), headerInfo(WITH COMPONENTS {..., generationTime PRESENT, expiryTime ABSENT, generationLocation ABSENT, p2pcdLearningRequest ABSENT, missingCrlIdentifier ABSENT, encryptionKey ABSENT }) }) }) }) }) --********************************************************************** -- -- Structures for describing encrypted data -- --********************************************************************** EncryptedData ::= SEQUENCE { recipients SequenceOfRecipientInfo, ciphertext SymmetricCiphertext } RecipientInfo ::= CHOICE { pskRecipInfo PreSharedKeyRecipientInfo, symmRecipInfo SymmRecipientInfo, certRecipInfo PKRecipientInfo, signedDataRecipInfo PKRecipientInfo, rekRecipInfo PKRecipientInfo } SequenceOfRecipientInfo ::= SEQUENCE OF RecipientInfo PreSharedKeyRecipientInfo ::= HashedId8 SymmRecipientInfo ::= SEQUENCE { recipientId HashedId8, encKey SymmetricCiphertext } PKRecipientInfo ::= SEQUENCE { recipientId HashedId8, encKey EncryptedDataEncryptionKey } EncryptedDataEncryptionKey ::= CHOICE { eciesNistP256 EciesP256EncryptedKey, eciesBrainpoolP256r1 EciesP256EncryptedKey, ... } SymmetricCiphertext ::= CHOICE { aes128ccm AesCcmCiphertext, ... } AesCcmCiphertext ::= SEQUENCE { nonce OCTET STRING (SIZE (12)), ccmCiphertext Opaque -- 16 bytes longer than plaintext } --********************************************************************** -- -- Certificates and other security management data structures -- --********************************************************************** -- Certificates are implicit (type = implicit, toBeSigned includes -- reconstruction value, signature absent) or explicit (type = explicit, -- toBeSigned includes verification key, signature present). Certificate ::= CertificateBase (ImplicitCertificate | ExplicitCertificate) SequenceOfCertificate ::= SEQUENCE OF Certificate CertificateBase ::= SEQUENCE { version Uint8(3), type CertificateType, issuer IssuerIdentifier, toBeSigned ToBeSignedCertificate, signature Signature OPTIONAL } CertificateType ::= ENUMERATED { explicit, implicit, ... } ImplicitCertificate ::= CertificateBase (WITH COMPONENTS {..., type(implicit), toBeSigned(WITH COMPONENTS {..., verifyKeyIndicator(WITH COMPONENTS {reconstructionValue}) }), signature ABSENT }) ExplicitCertificate ::= CertificateBase (WITH COMPONENTS {..., type(explicit), toBeSigned(WITH COMPONENTS {..., verifyKeyIndicator(WITH COMPONENTS {verificationKey}) }), signature PRESENT }) IssuerIdentifier ::= CHOICE { sha256AndDigest HashedId8, self HashAlgorithm, ..., sha384AndDigest HashedId8 } ToBeSignedCertificate ::= SEQUENCE { id CertificateId, cracaId HashedId3, crlSeries CrlSeries, validityPeriod ValidityPeriod, region GeographicRegion OPTIONAL, assuranceLevel SubjectAssurance OPTIONAL, appPermissions SequenceOfPsidSsp OPTIONAL, certIssuePermissions SequenceOfPsidGroupPermissions OPTIONAL, certRequestPermissions SequenceOfPsidGroupPermissions OPTIONAL, canRequestRollover NULL OPTIONAL, encryptionKey PublicEncryptionKey OPTIONAL, verifyKeyIndicator VerificationKeyIndicator, ... } (WITH COMPONENTS { ..., appPermissions PRESENT} | WITH COMPONENTS { ..., certIssuePermissions PRESENT} | WITH COMPONENTS { ..., certRequestPermissions PRESENT}) CertificateId ::= CHOICE { linkageData LinkageData, name Hostname, binaryId OCTET STRING(SIZE(1..64)), none NULL, ... } LinkageData ::= SEQUENCE { iCert IValue, linkage-value LinkageValue, group-linkage-value GroupLinkageValue OPTIONAL } --EndEntityType ::= BIT STRING {app (0), enrol (1) } (SIZE (8)) (ALL EXCEPT {}) EndEntityType ::= BIT STRING {app (0), enrol (1) } (SIZE (8)) PsidGroupPermissions ::= SEQUENCE { subjectPermissions SubjectPermissions, minChainLength INTEGER DEFAULT 1, chainLengthRange INTEGER DEFAULT 0, eeType EndEntityType DEFAULT '00'H } SequenceOfPsidGroupPermissions ::= SEQUENCE OF PsidGroupPermissions SubjectPermissions ::= CHOICE { explicit SequenceOfPsidSspRange, all NULL, ... } VerificationKeyIndicator ::= CHOICE { verificationKey PublicVerificationKey, reconstructionValue EccP256CurvePoint, ... } END IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111) standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2) base(1) base-types(2) major-version-2(2)} -- --******************************************************************** -- IEEE P1609.2 Base Data Types -- --******************************************************************** DEFINITIONS AUTOMATIC TAGS ::= BEGIN EXPORTS ALL; IMPORTS; -- ------------------------------------------------------------------ -- -- Integers -- -- ------------------------------------------------------------------ Uint3 ::= INTEGER (0..7) -- (hex) 07 Uint8 ::= INTEGER (0..255) -- (hex) ff Uint16 ::= INTEGER (0..65535) -- (hex) ff ff Uint32 ::= INTEGER (0..4294967295)---- -- (hex) ff ff ff ff Uint64 ::= INTEGER (0..18446744073709551615) -- (hex) ff ff ff ff ff ff ff ff -- Uint64 ::= INTEGER -- -- (hex) ff ff ff ff ff ff ff ff SequenceOfUint8 ::= SEQUENCE OF Uint8 SequenceOfUint16 ::= SEQUENCE OF Uint16 -- ------------------------------------------------------------------ -- -- OCTET STRING types -- -- ------------------------------------------------------------------ Opaque ::= OCTET STRING HashedId10 ::= OCTET STRING (SIZE(10)) HashedId8 ::= OCTET STRING (SIZE(8)) HashedId3 ::= OCTET STRING (SIZE(3)) SequenceOfHashedId3 ::= SEQUENCE OF HashedId3 -- ------------------------------------------------------------------ -- -- Time -- -- ------------------------------------------------------------------ Time32 ::= Uint32 Time64 ::= Uint64 ValidityPeriod ::= SEQUENCE { start Time32, duration Duration } Duration ::= CHOICE { microseconds Uint16, milliseconds Uint16, seconds Uint16, minutes Uint16, hours Uint16, sixtyHours Uint16, years Uint16 } -- ------------------------------------------------------------------ -- -- Location -- -- ------------------------------------------------------------------ GeographicRegion ::= CHOICE { circularRegion CircularRegion, rectangularRegion SequenceOfRectangularRegion, polygonalRegion PolygonalRegion, identifiedRegion SequenceOfIdentifiedRegion, ... } CircularRegion ::= SEQUENCE { center TwoDLocation, radius Uint16 } RectangularRegion ::= SEQUENCE { northWest TwoDLocation, southEast TwoDLocation } SequenceOfRectangularRegion ::= SEQUENCE OF RectangularRegion PolygonalRegion ::= SEQUENCE SIZE(3..MAX) OF TwoDLocation TwoDLocation ::= SEQUENCE { latitude SecLatitude, longitude SecLongitude } IdentifiedRegion ::= CHOICE { countryOnly CountryOnly, countryAndRegions CountryAndRegions, countryAndSubregions CountryAndSubregions, ... } SequenceOfIdentifiedRegion ::= SEQUENCE OF IdentifiedRegion CountryOnly ::= Uint16 CountryAndRegions ::= SEQUENCE { countryOnly CountryOnly, regions SequenceOfUint8 } CountryAndSubregions ::= SEQUENCE { country CountryOnly, regionAndSubregions SequenceOfRegionAndSubregions } RegionAndSubregions ::= SEQUENCE { region Uint8, subregions SequenceOfUint16 } SequenceOfRegionAndSubregions ::= SEQUENCE OF RegionAndSubregions ThreeDLocation ::= SEQUENCE { latitude SecLatitude, longitude SecLongitude, elevation SecElevation } SecLatitude ::= NinetyDegreeInt SecLongitude ::= OneEightyDegreeInt SecElevation ::= ElevInt NinetyDegreeInt ::= INTEGER { min (-900000000), max (900000000), unknown (900000001) } (-900000000..900000001) KnownLatitude ::= NinetyDegreeInt (min..max) -- Minus 90deg to +90deg in microdegree intervals UnknownLatitude ::= NinetyDegreeInt (unknown) OneEightyDegreeInt ::= INTEGER { min (-1799999999), max (1800000000), unknown (1800000001) } (-1799999999..1800000001) KnownLongitude ::= OneEightyDegreeInt (min..max) UnknownLongitude ::= OneEightyDegreeInt (unknown) ElevInt ::= Uint16 -- Range is from -4096 to 61439 in units of one-tenth of a meter -- ------------------------------------------------------------------ -- -- Crypto -- -- ------------------------------------------------------------------ Signature ::= CHOICE { ecdsaNistP256Signature EcdsaP256Signature, ecdsaBrainpoolP256r1Signature EcdsaP256Signature, ..., ecdsaBrainpoolP384r1Signature EcdsaP384Signature } EcdsaP256Signature ::= SEQUENCE { rSig EccP256CurvePoint, sSig OCTET STRING (SIZE (32)) } EcdsaP384Signature ::= SEQUENCE { rSig EccP384CurvePoint, sSig OCTET STRING (SIZE (48)) } EccP256CurvePoint ::= CHOICE { x-only OCTET STRING (SIZE (32)), fill NULL, -- consistency with 1363 / X9.62 compressed-y-0 OCTET STRING (SIZE (32)), compressed-y-1 OCTET STRING (SIZE (32)), uncompressedP256 SEQUENCE { x OCTET STRING (SIZE (32)), y OCTET STRING (SIZE (32)) } } EccP384CurvePoint::= CHOICE { x-only OCTET STRING (SIZE (48)), fill NULL, -- consistency w 1363 / X9.62 compressed-y-0 OCTET STRING (SIZE (48)), compressed-y-1 OCTET STRING (SIZE (48)), uncompressedP384 SEQUENCE { x OCTET STRING (SIZE (48)), y OCTET STRING (SIZE (48)) } } SymmAlgorithm ::= ENUMERATED { aes128Ccm, ... } HashAlgorithm ::= ENUMERATED { sha256, ..., sha384 } EciesP256EncryptedKey ::= SEQUENCE { v EccP256CurvePoint, c OCTET STRING (SIZE (16)), t OCTET STRING (SIZE (16)) } EncryptionKey ::= CHOICE { public PublicEncryptionKey, symmetric SymmetricEncryptionKey } PublicEncryptionKey ::= SEQUENCE { supportedSymmAlg SymmAlgorithm, publicKey BasePublicEncryptionKey } BasePublicEncryptionKey ::= CHOICE { eciesNistP256 EccP256CurvePoint, eciesBrainpoolP256r1 EccP256CurvePoint, ... } PublicVerificationKey ::= CHOICE { ecdsaNistP256 EccP256CurvePoint, ecdsaBrainpoolP256r1 EccP256CurvePoint, ..., ecdsaBrainpoolP384r1 EccP384CurvePoint } SymmetricEncryptionKey ::= CHOICE { aes128Ccm OCTET STRING(SIZE(16)), ... } -- ------------------------------------------------------------------ -- -- PSID / ITS-AID -- -- ------------------------------------------------------------------ PsidSsp ::= SEQUENCE { psid Psid, ssp ServiceSpecificPermissions OPTIONAL } SequenceOfPsidSsp ::= SEQUENCE OF PsidSsp Psid ::= INTEGER (0..MAX) SequenceOfPsid ::= SEQUENCE OF Psid ServiceSpecificPermissions ::= CHOICE { opaque OCTET STRING (SIZE(0..MAX)), ..., bitmapSsp BitmapSsp } BitmapSsp ::= OCTET STRING (SIZE(0..31)) PsidSspRange ::= SEQUENCE { psid Psid, sspRange SspRange OPTIONAL } SequenceOfPsidSspRange ::= SEQUENCE OF PsidSspRange SspRange ::= CHOICE { opaque SequenceOfOctetString, all NULL, ... , bitmapSspRange BitmapSspRange } BitmapSspRange ::= SEQUENCE { sspValue OCTET STRING (SIZE(1..32)), sspBitmask OCTET STRING (SIZE(1..32)) } SequenceOfOctetString ::= SEQUENCE (SIZE (0..MAX)) OF OCTET STRING (SIZE(0..MAX)) -- ------------------------------------------------------------------ -- -- Goes in certs -- -- ------------------------------------------------------------------ SubjectAssurance ::= OCTET STRING (SIZE(1)) CrlSeries ::= Uint16 -- ------------------------------------------------------------------ -- -- Pseudonym Linkage -- -- ------------------------------------------------------------------ IValue ::= Uint16 Hostname ::= UTF8String (SIZE(0..255)) LinkageValue ::= OCTET STRING (SIZE(9)) GroupLinkageValue ::= SEQUENCE { jValue OCTET STRING (SIZE(4)), value OCTET STRING (SIZE(9)) } LaId ::= OCTET STRING (SIZE(2)) LinkageSeed ::= OCTET STRING (SIZE(16)) END EtsiTs102941BaseTypes { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1) } DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS HashedId8, Time32, PublicEncryptionKey, PublicVerificationKey, Signature FROM IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111) standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2) base(1) base-types(2) major-version-2(2)} CertificateId, SubjectAssurance, SequenceOfPsidSsp, SequenceOfPsidGroupPermissions, ValidityPeriod, GeographicRegion FROM IEEE1609dot2 {iso(1) identified-organization(3) ieee(111) standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2) base (1) schema (1) major-version-2(2)} EtsiTs103097Data-Encrypted, EtsiTs103097Data-Signed, EtsiTs103097Data-SignedExternalPayload FROM EtsiTs103097Module { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)} ; CertificateFormat::= INTEGER { ts103097v131 (1) }(1..255) CertificateSubjectAttributes ::= SEQUENCE { id CertificateId OPTIONAL, validityPeriod ValidityPeriod OPTIONAL, region GeographicRegion OPTIONAL, assuranceLevel SubjectAssurance OPTIONAL, appPermissions SequenceOfPsidSsp OPTIONAL, certIssuePermissions SequenceOfPsidGroupPermissions OPTIONAL, ... }(WITH COMPONENTS { ..., appPermissions PRESENT} | WITH COMPONENTS { ..., certIssuePermissions PRESENT}) EcSignature::= CHOICE { encryptedEcSignature EtsiTs103097Data-Encrypted{EtsiTs103097Data-SignedExternalPayload}, ecSignature EtsiTs103097Data-SignedExternalPayload } PublicKeys ::= SEQUENCE { verificationKey PublicVerificationKey, encryptionKey PublicEncryptionKey OPTIONAL } Version ::= INTEGER {v1(1)} EtsiTs103097Data-Encrypted-Unicast {ToBeEncryptedDataContent} ::= EtsiTs103097Data-Encrypted {ToBeEncryptedDataContent} (WITH COMPONENTS {..., content (WITH COMPONENTS { encryptedData (WITH COMPONENTS {..., recipients (SIZE(1)) }) }) }) EtsiTs103097Data-SignedAndEncrypted-Unicast {ToBesignedAndEncryptedDataContent} ::= EtsiTs103097Data-Encrypted-Unicast {EtsiTs103097Data-Signed {ToBesignedAndEncryptedDataContent}} END /************************************************************************************* This file contains the EtsiTs102941Messages module containing all possible PKI messages. It should be used when all PKI messages needs to be implemented (for example, for CA development) **************************************************************************************/ EtsiTs102941MessagesCa { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) messagesCa(0) version1(1)} DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS EtsiTs103097Data-Signed, EtsiTs103097Data-Encrypted, EtsiTs103097Data-SignedExternalPayload --EtsiTs103097Data-SignedAndEncrypted FROM EtsiTs103097Module { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)} Version, EtsiTs103097Data-Encrypted-Unicast, EtsiTs103097Data-SignedAndEncrypted-Unicast FROM EtsiTs102941BaseTypes { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1) } InnerEcRequestSignedForPop, InnerEcResponse FROM EtsiTs102941TypesEnrolment { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) enrolment(4) version1(1) } InnerAtRequest, InnerAtResponse FROM EtsiTs102941TypesAuthorization { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authorization(5) version1(1) } ToBeSignedCrl, ToBeSignedTlmCtl, ToBeSignedRcaCtl FROM EtsiTs102941TrustLists { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) trustLists(6) version1(1) } AuthorizationValidationRequest, AuthorizationValidationResponse FROM EtsiTs102941TypesAuthorizationValidation { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authValidation(7) version1(1) } CaCertificateRequest FROM EtsiTs102941TypesCaManagement { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) caManagement(8) version1(1) } ; /************ -- Messages ************/ EnrolmentRequestMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{enrolmentRequest PRESENT})})} EnrolmentResponseMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{enrolmentResponse PRESENT})})} AuthorizationRequestMessage ::= EtsiTs103097Data-Encrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationRequest PRESENT})})} AuthorizationRequestMessageWithPop ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationRequest PRESENT})})} AuthorizationResponseMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationResponse PRESENT})})} CertificateRevocationListMessage ::= EtsiTs103097Data-Signed{EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{certificateRevocationList PRESENT})})} TlmCertificateTrustListMessage ::= EtsiTs103097Data-Signed{EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{certificateTrustListTlm PRESENT})})} RcaCertificateTrustListMessage ::= EtsiTs103097Data-Signed{EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{certificateTrustListRca PRESENT})})} AuthorizationValidationRequestMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationValidationRequest PRESENT})})} AuthorizationValidationResponseMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationValidationResponse PRESENT})})} CaCertificateRequestMessage ::= EtsiTs103097Data-Signed {EtsiTs102941Data(WITH COMPONENTS{..., content (WITH COMPONENTS{caCertificateRequest PRESENT})})} CaCertificateRekeyingMessage ::= EtsiTs103097Data-Signed {EtsiTs103097Data-Signed {EtsiTs102941Data(WITH COMPONENTS{..., content (WITH COMPONENTS{caCertificateRequest PRESENT})})}} /************ -- EtsiTs102941Data ************/ EtsiTs102941Data::= SEQUENCE { version Version (v1), content EtsiTs102941DataContent } EtsiTs102941DataContent ::= CHOICE { enrolmentRequest InnerEcRequestSignedForPop, enrolmentResponse InnerEcResponse, authorizationRequest InnerAtRequest, authorizationResponse InnerAtResponse, certificateRevocationList ToBeSignedCrl, certificateTrustListTlm ToBeSignedTlmCtl, certificateTrustListRca ToBeSignedRcaCtl, authorizationValidationRequest AuthorizationValidationRequest, authorizationValidationResponse AuthorizationValidationResponse, caCertificateRequest CaCertificateRequest, ... } END /************************************************************************************* This file contains the EtsiTs102941MessagesItss module providing the ITS-S subset of messages defined in the module EtsiTs102941MessagesCA It should never be imported together with the module EtsiTs102941MessagesCA. Use the EtsiTs102941MessagesCA if all possible PKI message types are needed. This module blocks the usage of unencrypted EC signature for AA requests. **************************************************************************************/ EtsiTs102941MessagesItss { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) messagesItss(1) version1(1)} DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS EtsiTs103097Data-Signed --EtsiTs103097Data-Encrypted, --EtsiTs103097Data-SignedAndEncrypted FROM EtsiTs103097Module { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0) } EtsiTs103097Data-Encrypted-Unicast, EtsiTs103097Data-SignedAndEncrypted-Unicast, Version FROM EtsiTs102941BaseTypes { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1) } InnerEcRequestSignedForPop, InnerEcResponse FROM EtsiTs102941TypesEnrolment { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) enrolment(4) version1(1) } InnerAtRequest, InnerAtResponse FROM EtsiTs102941TypesAuthorization { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authorization(5) version1(1) } ToBeSignedCrl, ToBeSignedTlmCtl, ToBeSignedRcaCtl FROM EtsiTs102941TrustLists { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) trustLists(6) version1(1) } ; /************ -- Messages ************/ EnrolmentRequestMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{enrolmentRequest PRESENT})})} EnrolmentResponseMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{enrolmentResponse PRESENT})})} AuthorizationRequestMessage ::= EtsiTs103097Data-Encrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationRequest PRESENT})})} AuthorizationRequestMessageWithPop ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationRequest PRESENT})})} AuthorizationResponseMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationResponse PRESENT})})} CertificateRevocationListMessage ::= EtsiTs103097Data-Signed{EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{certificateRevocationList PRESENT})})} TlmCertificateTrustListMessage ::= EtsiTs103097Data-Signed{EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{certificateTrustListTlm PRESENT})})} RcaCertificateTrustListMessage ::= EtsiTs103097Data-Signed{EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{certificateTrustListRca PRESENT})})} /************ -- EtsiTs102941Data ************/ EtsiTs102941Data::= SEQUENCE { version Version (v1), content EtsiTs102941DataContent } EtsiTs102941DataContent ::= CHOICE { enrolmentRequest InnerEcRequestSignedForPop, enrolmentResponse InnerEcResponse, authorizationRequest InnerAtRequest, authorizationResponse InnerAtResponse, certificateRevocationList ToBeSignedCrl, certificateTrustListTlm ToBeSignedTlmCtl, certificateTrustListRca ToBeSignedRcaCtl, ... } (WITH COMPONENTS{..., authorizationRequest (WITH COMPONENTS{..., ecSignature (WITH COMPONENTS{..., encryptedEcSignature PRESENT }) }) }) END /************************************************************************************* This file contains the EtsiTs102941MessagesItss-OptionalPrivacy module providing the same subset of messages as the EtsiTs102941MessagesItss module. It should never be used together with the EtsiTs102941MessagesCA and EtsiTs102941MessagesItss This module allows the usage of unencrypted EC signature for AA requests. **************************************************************************************/ EtsiTs102941MessagesItss-OptionalPrivacy { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) messagesItssOp(2) version1(1)} DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS EtsiTs103097Data-Signed --EtsiTs103097Data-Encrypted, --EtsiTs103097Data-SignedAndEncrypted FROM EtsiTs103097Module { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0) } EtsiTs103097Data-Encrypted-Unicast, EtsiTs103097Data-SignedAndEncrypted-Unicast, Version FROM EtsiTs102941BaseTypes { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1) } InnerEcRequestSignedForPop, InnerEcResponse FROM EtsiTs102941TypesEnrolment { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) enrolment(4) version1(1) } InnerAtRequest, InnerAtResponse FROM EtsiTs102941TypesAuthorization { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authorization(5) version1(1) } ToBeSignedCrl, ToBeSignedTlmCtl, ToBeSignedRcaCtl FROM EtsiTs102941TrustLists { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) trustLists(6) version1(1) } ; /************ -- Messages ************/ EnrolmentRequestMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{enrolmentRequest PRESENT})})} EnrolmentResponseMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{enrolmentResponse PRESENT})})} AuthorizationRequestMessage ::= EtsiTs103097Data-Encrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationRequest PRESENT})})} AuthorizationRequestMessageWithPop ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationRequest PRESENT})})} AuthorizationResponseMessage ::= EtsiTs103097Data-SignedAndEncrypted-Unicast {EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{authorizationResponse PRESENT})})} CertificateRevocationListMessage ::= EtsiTs103097Data-Signed{EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{certificateRevocationList PRESENT})})} TlmCertificateTrustListMessage ::= EtsiTs103097Data-Signed{EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{certificateTrustListTlm PRESENT})})} RcaCertificateTrustListMessage ::= EtsiTs103097Data-Signed{EtsiTs102941Data (WITH COMPONENTS{..., content (WITH COMPONENTS{certificateTrustListRca PRESENT})})} /************ -- EtsiTs102941Data ************/ EtsiTs102941Data::= SEQUENCE { version Version (v1), content EtsiTs102941DataContent } EtsiTs102941DataContent ::= CHOICE { enrolmentRequest InnerEcRequestSignedForPop, enrolmentResponse InnerEcResponse, authorizationRequest InnerAtRequest, authorizationResponse InnerAtResponse, certificateRevocationList ToBeSignedCrl, certificateTrustListTlm ToBeSignedTlmCtl, certificateTrustListRca ToBeSignedRcaCtl, ... } END EtsiTs102941TrustLists { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) trustLists(6) version1(1)} DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS EtsiTs103097Certificate, EtsiTs103097Data-SignedAndEncrypted, EtsiTs103097Data-Signed FROM EtsiTs103097Module {itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)} HashedId8, Time32, Version --, CertificateAuthorityConstraints FROM EtsiTs102941BaseTypes {itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1)} ; /************ -- CRL ************/ ToBeSignedCrl ::= SEQUENCE { version Version, thisUpdate Time32, nextUpdate Time32, entries SEQUENCE OF CrlEntry, ... } CrlEntry ::= HashedId8 /************ -- TLM CTL ************/ ToBeSignedTlmCtl ::= CtlFormat (FullCtl | DeltaCtl) (WITH COMPONENTS {..., ctlCommands ( WITH COMPONENT( ( WITH COMPONENTS {..., add ( WITH COMPONENTS {..., ea ABSENT, aa ABSENT }) }) )) }) /************ -- RCA CTL ************/ ToBeSignedRcaCtl ::= CtlFormat (FullCtl | DeltaCtl) ( WITH COMPONENTS {..., ctlCommands ( WITH COMPONENT( ( WITH COMPONENTS {..., add ( WITH COMPONENTS {..., rca ABSENT, tlm ABSENT }) }) )) }) /************ -- CTL ************/ FullCtl::= CtlFormat ( WITH COMPONENTS {..., isFullCtl ( TRUE ), ctlCommands ( WITH COMPONENT( ( WITH COMPONENTS {..., delete ABSENT }) )) }) DeltaCtl::= CtlFormat (WITH COMPONENTS {..., isFullCtl(FALSE) }) CtlFormat ::= SEQUENCE { version Version, nextUpdate Time32, isFullCtl BOOLEAN, ctlSequence INTEGER (0..255), ctlCommands SEQUENCE OF CtlCommand, ... } CtlCommand ::= CHOICE { add CtlEntry, delete CtlDelete, ... } CtlEntry ::= CHOICE { rca RootCaEntry, ea EaEntry, aa AaEntry, dc DcEntry, tlm TlmEntry, ... } CtlDelete ::= CHOICE { cert HashedId8, dc DcDelete, ... } TlmEntry::= SEQUENCE { selfSignedTLMCertificate EtsiTs103097Certificate, linkTLMCertificate EtsiTs103097Certificate OPTIONAL, accessPoint Url } RootCaEntry ::= SEQUENCE { selfsignedRootCa EtsiTs103097Certificate, linkRootCaCertificate EtsiTs103097Certificate OPTIONAL } EaEntry ::= SEQUENCE { eaCertificate EtsiTs103097Certificate, aaAccessPoint Url, itsAccessPoint Url OPTIONAL } AaEntry ::= SEQUENCE { aaCertificate EtsiTs103097Certificate, accessPoint Url } DcEntry ::= SEQUENCE { url Url, cert SEQUENCE OF HashedId8 } DcDelete ::= Url Url::= IA5String END EtsiTs102941TypesAuthorization { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authorization(5) version1(1)} DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS EtsiTs103097Certificate, EtsiTs103097Data-Signed FROM EtsiTs103097Module { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)} CertificateFormat, CertificateSubjectAttributes, EcSignature, HashedId8, PublicKeys, Version FROM EtsiTs102941BaseTypes { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1) } ; /************ -- AuthorizationRequest/Response ************/ AuthorizationResponseCode ::= ENUMERATED { ok(0), -- ITS->AA its-aa-cantparse, -- valid for any structure its-aa-badcontenttype, -- not encrypted, not signed, not authorizationrequest its-aa-imnottherecipient, -- the �recipients� of the outermost encrypted data doesn�t include me its-aa-unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm its-aa-decryptionfailed, -- works for ECIES-HMAC and AES-CCM its-aa-keysdontmatch, -- HMAC keyTag verification fails its-aa-incompleterequest, -- some elements are missing its-aa-invalidencryptionkey, -- the responseEncryptionKey is bad its-aa-outofsyncrequest, -- signingTime is outside acceptable limits its-aa-unknownea, -- the EA identified by eaId is unknown to me its-aa-invalidea, -- the EA certificate is revoked its-aa-deniedpermissions, -- I, the AA, deny the requested permissions -- AA->EA aa-ea-cantreachea, -- the EA is unreachable (network error?) -- EA->AA ea-aa-cantparse, -- valid for any structure ea-aa-badcontenttype, -- not encrypted, not signed, not authorizationrequest ea-aa-imnottherecipient, -- the �recipients� of the outermost encrypted data doesn�t include me ea-aa-unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm ea-aa-decryptionfailed, -- works for ECIES-HMAC and AES-CCM -- TODO: to be continued... invalidaa, -- the AA certificate presented is invalid/revoked/whatever invalidaasignature, -- the AA certificate presented can�t validate the request signature wrongea, -- the encrypted signature doesn�t designate me as the EA unknownits, -- can�t retrieve the EC/ITS in my DB invalidsignature, -- signature verification of the request by the EC fails invalidencryptionkey, -- signature is good, but the key is bad deniedpermissions, -- permissions not granted deniedtoomanycerts, -- parallel limit ... } InnerAtRequest ::= SEQUENCE { publicKeys PublicKeys, hmacKey OCTET STRING (SIZE(32)), sharedAtRequest SharedAtRequest, ecSignature EcSignature, ... } SharedAtRequest ::= SEQUENCE { eaId HashedId8, keyTag OCTET STRING (SIZE(16)), certificateFormat CertificateFormat, requestedSubjectAttributes CertificateSubjectAttributes (WITH COMPONENTS{certIssuePermissions ABSENT}), ... } InnerAtResponse ::= SEQUENCE { requestHash OCTET STRING (SIZE(16)), responseCode AuthorizationResponseCode, certificate EtsiTs103097Certificate OPTIONAL, ... } (WITH COMPONENTS { responseCode (ok), certificate PRESENT } | WITH COMPONENTS { responseCode (ALL EXCEPT ok), certificate ABSENT } ) END EtsiTs102941TypesAuthorizationValidation { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authValidation(7) version1(1)} DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS EtsiTs103097Certificate FROM EtsiTs103097Module { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)} CertificateFormat, CertificateSubjectAttributes,EcSignature, HashedId8, PublicKeys, Version FROM EtsiTs102941BaseTypes { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1) } SharedAtRequest FROM EtsiTs102941TypesAuthorization { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) authorization(5) version1(1)} ; /************ -- AuthorizationValidationRequest/Response ************/ AuthorizationValidationResponseCode ::= ENUMERATED { ok(0), cantparse, -- valid for any structure badcontenttype, -- not encrypted, not signed, not permissionsverificationrequest imnottherecipient, -- the �recipients� of the outermost encrypted data doesn�t include me unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm decryptionfailed, -- works for ECIES-HMAC and AES-CCM invalidaa, -- the AA certificate presented is invalid/revoked/whatever invalidaasignature, -- the AA certificate presented can�t validate the request signature wrongea, -- the encrypted signature doesn�t designate me as the EA unknownits, -- can�t retrieve the EC/ITS in my DB invalidsignature, -- signature verification of the request by the EC fails invalidencryptionkey, -- signature is good, but the responseEncryptionKey is bad deniedpermissions, -- requested permissions not granted deniedtoomanycerts, -- parallel limit deniedrequest, -- any other reason? ... } AuthorizationValidationRequest ::= SEQUENCE { sharedAtRequest SharedAtRequest, ecSignature EcSignature, ... } AuthorizationValidationResponse ::= SEQUENCE { requestHash OCTET STRING (SIZE(16)), responseCode AuthorizationValidationResponseCode, confirmedSubjectAttributes CertificateSubjectAttributes (WITH COMPONENTS{certIssuePermissions ABSENT}) OPTIONAL, ... } END EtsiTs102941TypesCaManagement { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) caManagement(8) version1(1)} DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS EtsiTs103097Certificate, EtsiTs103097Data-Signed FROM EtsiTs103097Module {itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)} PublicKeys, CertificateSubjectAttributes FROM EtsiTs102941BaseTypes { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1)} ; /************ -- CA certificate request ************/ CaCertificateRequest ::= SEQUENCE { publicKeys PublicKeys, requestedSubjectAttributes CertificateSubjectAttributes, ... } END EtsiTs102941TypesEnrolment { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) enrolment(4) version1(1)} DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS EtsiTs103097Certificate, EtsiTs103097Data-Signed FROM EtsiTs103097Module { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(103097) securedMessageV1(0)} CertificateFormat, CertificateSubjectAttributes, EcSignature, HashedId8, PublicKeys, Version FROM EtsiTs102941BaseTypes { itu-t(0) identified-organization(4) etsi(0) itsDomain(5) wg5(5) ts(102941) baseTypes(3) version1(1) } ; /************ -- EnrolmentRequest/Response ************/ EnrolmentResponseCode ::= ENUMERATED { ok(0), cantparse, -- valid for any structure badcontenttype, -- not encrypted, not signed, not enrolmentrequest imnottherecipient, -- the “recipients” doesn’t include me unknownencryptionalgorithm, -- either kexalg or contentencryptionalgorithm decryptionfailed, -- works for ECIES-HMAC and AES-CCM unknownits, -- can’t retrieve the ITS from the itsId invalidsignature, -- signature verification of the request fails invalidencryptionkey, -- signature is good, but the responseEncryptionKey is bad baditsstatus, -- revoked, not yet active incompleterequest, -- some elements are missing deniedpermissions, -- requested permissions are not granted invalidkeys, -- either the verification_key of the encryption_key is bad deniedrequest, -- any other reason? ... } InnerEcRequestSignedForPop::= EtsiTs103097Data-Signed{InnerEcRequest} InnerEcRequest ::= SEQUENCE { itsId IA5String, certificateFormat CertificateFormat, publicKeys PublicKeys, requestedSubjectAttributes CertificateSubjectAttributes (WITH COMPONENTS{certIssuePermissions ABSENT}), ... } InnerEcResponse ::= SEQUENCE { requestHash OCTET STRING (SIZE(16)), responseCode EnrolmentResponseCode, certificate EtsiTs103097Certificate OPTIONAL, ... } (WITH COMPONENTS { responseCode (ok), certificate PRESENT } | WITH COMPONENTS { responseCode (ALL EXCEPT ok), certificate ABSENT } ) END