$Revision: 1.3 $ Test vectors for PKCS #15 v1.1 NOTE 1 - All examples are shown both in the formal value notation defined in ISO/IEC 8824-1, as an ASN.1 dump, and DER encoded. NOTE 2 - These examples have been developed with the help of the OSS ASN.1 compiler. 1. Example of an EID profile of PKCS #15 application The IC card in this example has on-chip support for RSA and DES-EDE-CBC algorithm computation in addition to pseudo-random number generation. It is assumed that this information can be deduced from the card's ATR string. As a consequence of this, the TokenInfo file contains no supportedAlgorithms field. The PKCS #15 application is profiled for use in an electronic identification environment, in compliance with Appendix B, and has two RSA key pairs and two certificates. One private key is for digital signature purposes only and is protected with a separate authentication object (a PIN). There is also a private data object belonging to an application named "APP". The total overhead for storing the PKCS #15 relevant information is in this case 374 bytes, but without the data object belonging to the "APP" application it would have been 333 bytes. 1.1 Example of EF(DIR) Example contents for a PKCS #15 application template on an IC card using indirect application selection. A non-standard file path for EF(UnusedSpace) is defined, /3F00/5015/4320. 1.1.1 Value notation { aid 'A000000063504B43532D3135'H, label "RSA DSI", path '3F005015'H, ddo { oid { 1 2 840 113549 1 15 4 1 }, unusedPath { path '3F0050154320'H } } } 1.1.2 ASN.1 dump DIRRecord SEQUENCE: tag = [APPLICATION 1] constructed; length = 53 aid OCTET STRING: tag = [APPLICATION 15] primitive; length = 12 0xa000000063504b43532d3135 label UTF8String: tag = [APPLICATION 16] primitive; length = 7 0x52534120445349 path OCTET STRING: tag = [APPLICATION 17] primitive; length = 4 0x3f005015 ddo DDO SEQUENCE: tag = [APPLICATION 19] constructed; length = 22 oid OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 10 { 1 2 840 113549 1 15 4 1 } unusedPath Path SEQUENCE: tag = [1] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f0050154320 1.1.3 DER encoding 61354F0C A0000000 63504B43 532D3135 50075253 41204453 4951043F 00501573 16060A2A 864886F7 0D010F04 01A10804 063F0050 154320 1.2 Example of EF(TokenInfo) 1.2.1 Value notation { version v1, serialNumber '159752222515401240'H, manufacturerID "Acme, Inc.", tokenflags { prnGeneration, eidCompliant } } 1.2.2 ASN.1 dump TokenInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 30 version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 0 serialNumber OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 9 0x159752222515401240 manufacturerID Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 10 0x41636d652c20496e632e tokenflags TokenFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0430 1.2.3 DER encoding 301E0201 00040915 97522225 15401240 0C0A4163 6D652C20 496E632E 03020430 1.3 EF(ODF) As can be seen, the ODF simply consists of four records, and the total size of the data is 32 bytes. 1.3.1 Value notation privateKeys : path : { path '4401'H }, certificates : path : { path '4402'H }, dataObjects : path : { path '4403'H }, authObjects : path : { path '4404'H } 1.3.2 ASN.1 dump PKCS15Objects CHOICE privateKeys : tag = [0] constructed; length = 6 PrivateKeys CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4401 PKCS15Objects CHOICE certificates : tag = [4] constructed; length = 6 Certificates CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4402 PKCS15Objects CHOICE dataObjects : tag = [7] constructed; length = 6 DataObjects CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4403 PKCS15Objects CHOICE authObjects : tag = [8] constructed; length = 6 AuthObjects CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4404 1.3.3 DER encoding A0063004 04024401 A4063004 04024402 A7063004 04024403 A8063004 04024404 1.4 EF(PrKDF) The content of files 3F00/5015/4B01 and 3F00/5015/4B02 is completely card-specific. Operations possible to perform with keys in these files may either be deduced by looking at the contents of the TokenInfo file or by external knowledge of the card in question (ATR). The size of the data is 123 bytes (one record of 61 bytes and one record of 62 bytes). 1.4.1 Value notation privateRSAKey : { commonObjectAttributes { label "KEY1", flags { private }, authId '01'H }, classAttributes { iD '45'H, usage { decrypt, sign, unwrap } }, subClassAttributes { keyIdentifiers { { idType 4, idValue ParameterString : '4321567890ABCDEF'H } } }, typeAttributes { value indirect : path : { path '4B01'H }, modulusLength 1024 } }, privateRSAKey : { commonObjectAttributes { label "KEY2", flags { private }, authId '02'H }, classAttributes { iD '46'H, usage { sign, nonRepudiation } }, subClassAttributes { keyIdentifiers { { idType 4, idValue ParameterString : '1234567890ABCDEF'H } } }, typeAttributes { value indirect : path : { path '4B02'H }, modulusLength 1024 } } 1.4.2 ASN.1 dump PrivateKeyType CHOICE privateRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 59 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 13 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 4 0x4b455931 flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x01 classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 7 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x45 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0264 subClassAttributes : tag = [0] constructed; length = 19 CommonPrivateKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 17 keyIdentifiers SEQUENCE OF: tag = [0] constructed; length = 15 SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 13 idType INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 idValue OpenType 0x04084321567890abcdef typeAttributes : tag = [1] constructed; length = 12 PrivateRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4b01 modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 PrivateKeyType CHOICE privateRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 60 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 13 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 4 0x4b455932 flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x02 classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x46 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 3 0x062040 subClassAttributes : tag = [0] constructed; length = 19 CommonPrivateKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 17 keyIdentifiers SEQUENCE OF: tag = [0] constructed; length = 15 SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 13 idType INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 idValue OpenType 0x04081234567890abcdef typeAttributes : tag = [1] constructed; length = 12 PrivateRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4b02 modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 1.4.3 DER encoding 303B300D 0C044B45 59310302 07800401 01300704 01450302 0264A013 3011A00F 300D0201 04040843 21567890 ABCDEFA1 0C300A30 0404024B 01020204 00303C30 0D0C044B 45593203 02078004 01023008 04014603 03062040 A0133011 A00F300D 02010404 08123456 7890ABCD EFA10C30 0A300404 024B0202 020400 1.5 EF(CDF) Files 3F00/5015/4331 and 3F00/5015/4332 should contain DER-encoded certificate structures in accordance with ISO/IEC 9594-8. The size of the data is 58 bytes (two records of 29 bytes each). 1.5.1 Value notation x509Certificate : { commonObjectAttributes { label "CERT1", flags { } }, classAttributes { iD '45'H }, typeAttributes { value indirect : path : { path '4331'H } } }, x509Certificate : { commonObjectAttributes { label "CERT2", flags { } }, classAttributes { iD '46'H }, typeAttributes { value indirect : path : { path '4332'H } } } 1.5.2 ASN.1 dump CertificateType CHOICE x509Certificate SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 27 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 5 0x4345525431 flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 1 0x00 classAttributes CommonCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x45 typeAttributes : tag = [1] constructed; length = 8 X509CertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 6 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4331 CertificateType CHOICE x509Certificate SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 27 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 5 0x4345525432 flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 1 0x00 classAttributes CommonCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x46 typeAttributes : tag = [1] constructed; length = 8 X509CertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 6 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4332 1.5.3 DER encoding 301B300A 0C054345 52543103 01003003 040145A1 08300630 04040243 31301B30 0A0C0543 45525432 03010030 03040146 A1083006 30040402 4332 1.6 EF(AODF) The content of files 3F00/5015/0100 and 3F00/0000 is card specific and not specified in PKCS #15. The total size of the data is 88 bytes (one record of length 39 bytes, the other of length 49 bytes). 1.6.1 Value notation pin : { commonObjectAttributes { label "PIN1", flags { private } }, classAttributes { authId '01'H }, typeAttributes { pinFlags { change-disabled, initialized, needs-padding }, pinType bcd, minLength 4, storedLength 8, padChar 'FF'H } }, pin : { commonObjectAttributes { label "PIN2", flags { private } }, classAttributes { authId '02'H }, typeAttributes { pinFlags { change-disabled, initialized, needs-padding }, pinType bcd, minLength 4, storedLength 8, padChar 'FF'H, path { path '3F0050150100'H } } } 1.6.2 ASN.1 dump AuthenticationType CHOICE pin SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 37 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 4 0x50494e31 flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 classAttributes CommonAuthenticationObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x01 typeAttributes : tag = [1] constructed; length = 18 PinAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 16 pinFlags PinFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x022c pinType PinType ENUMERATED: tag = [UNIVERSAL 10] primitive; length = 1 0 minLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 storedLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 8 padChar OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0xff AuthenticationType CHOICE pin SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 47 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 4 0x50494e32 flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 classAttributes CommonAuthenticationObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x02 typeAttributes : tag = [1] constructed; length = 28 PinAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 26 pinFlags PinFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x022c pinType PinType ENUMERATED: tag = [UNIVERSAL 10] primitive; length = 1 0 minLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 storedLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 8 padChar OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0xff path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f0050150100 1.6.3 DER encoding 3025300A 0C045049 4E310302 07803003 040101A1 12301003 02022C0A 01000201 04020108 0401FF30 2F300A0C 0450494E 32030207 80300304 0102A11C 301A0302 022C0A01 00020104 02010804 01FF3008 04063F00 50150100 1.7 EF(DODF) The size of the data is 41 bytes (one record). The data entry in file 3F00/5015/4431 is to be found 64 bytes from the beginning of the file and is 48 bytes long. 1.7.1 Value notation opaqueDO : { commonObjectAttributes { label "OBJECT1", flags { private, modifiable }, authId '02'H }, classAttributes { applicationName "APP" }, typeAttributes indirect : path : { path '4431'H, index 64, length 48 } } 1.7.2 ASN.1 dump DataType CHOICE opaqueDO SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 39 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 16 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 7 0x4f424a45435431 flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x06c0 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x02 classAttributes CommonDataObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 5 applicationName Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 3 0x415050 typeAttributes : tag = [1] constructed; length = 12 Opaque CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4431 index INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 64 length INTEGER: tag = [0] primitive; length = 1 48 1.7.3 DER encoding 30273010 0C074F42 4A454354 31030206 C0040102 30050C03 415050A1 0C300A04 02443102 01408001 30 2. Example of a PKCS #15 application for a DIN NI-17.4 [7] digital signature card. The IC card in this example has on-chip support for RSA and DES-EDE-CBC algorithm computation in addition to hashing and MACing. This information can be read from the TokenInfo files supportedAlgorithms field. The PKCS #15 application does not contain any files except TokenInfo, ODF, CDF, PrKDF, PuKDF, AODF, and DODF - all objects reside in the (parallell) DIN NI-17.4 application. There are two private keys, and four trusted public keys; each one of these public keys belongs to some CA. One of the private keys is for non-repudiation digital signature purposes only, and is protected with a combination of authentication objects, the other one is for the purpose of authenticating the ICC itself. In the 'trustedCertificates' file there are 4 certificates; one for the cardholder's non-repudiation key, one card-verifiable certificate for the ICC, and two CA certificates. The AODF contains not only PINs two biometric objects and one object containing information about a used 'cha' authentication method. DODF contains pointers to files specified in DIN NI-17.4. 2.1 EF(DIR) The file contains two records. The AID in the second record is the AID for the German digital signature application. 2.1.1 Value notation { aid 'A000000063504B532D3135'H, label "PKCS#15 application", path '3F005015'H }, { aid 'D27600006601'H, label "German digital signature card", path '3F004016'H } 2.1.2 ASN.1 dump DIRRecord SEQUENCE: tag = [APPLICATION 1] constructed; length = 40 aid OCTET STRING: tag = [APPLICATION 15] primitive; length = 11 0xa000000063504b532d3135 label UTF8String: tag = [APPLICATION 16] primitive; length = 19 0x504b4353233135206170706c69636174696f6e path OCTET STRING: tag = [APPLICATION 17] primitive; length = 4 0x3f005015 DIRRecord SEQUENCE: tag = [APPLICATION 1] constructed; length = 45 aid OCTET STRING: tag = [APPLICATION 15] primitive; length = 6 0xd27600006601 label UTF8String: tag = [APPLICATION 16] primitive; length = 29 0x4765726d616e206469676974616c207369676e61747572652063617264 path OCTET STRING: tag = [APPLICATION 17] primitive; length = 4 0x3f004016 2.1.3 DER encoding 61284F0B A0000000 63504B53 2D313550 13504B43 53233135 20617070 6C696361 74696F6E 51043F00 5015612D 4F06D276 00006601 501D4765 726D616E 20646967 6974616C 20736967 6E617475 72652063 61726451 043F0040 16 2.2 EF(TokenInfo) 2.2.1 Value notation { version v1, serialNumber '159752222515401240'H, -- ICSN manufacturerID "XY, Inc.", -- Card manufacturer label "Digital signature card", tokenflags { prnGeneration }, seInfo { { se 1, owner { 1 0 0 } } -- Fictive OID, , the external world must know which features -- the security environment includes. -- recordInfo is not present, i.e. EF(ODF), EF(PrKDF), EF(PuKDF), -- EF(CDF), EF(DODF) and EF(AODF) are transparent files. }, supportedAlgorithms { { reference 1, algorithm 1, parameters NULL : NULL, supportedOperations { hash }, algId { 1 3 14 3 2 26 } }, { reference 2, algorithm 2, -- OID of RSA with DSI according ISO/IEC 9796-2 parameters NULL : NULL, supportedOperations { compute-signature }, algId { 1 3 36 3 4 3 2 1 } }, { reference 3, algorithm 3, parameters NULL : NULL, supportedOperations { compute-checksum, verify-checksum }, algId { 1 0 0 } -- MAC-algorithm: xxx = OID of Retail-MAC with DES }, { reference 4, algorithm 4, -- Triple-DES in CBC-Mode with IV='00' parameters ParameterString : '0000000000000000'H, supportedOperations { encipher, decipher }, algId { 1 2 840 113549 3 7 } } }, issuerId "wxy", -- contains information about the token issuer holderId "vwx", -- contains information about the token holder lastUpdate referencedTime : path : path '4444'H -- local file identifier, contains time of last -- change } } 2.2.2 ASN.1 dump TokenInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 177 version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 0 serialNumber OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 9 0x159752222515401240 manufacturerID Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 8 0x58592c20496e632e label Label UTF8String: tag = [0] primitive; length = 22 0x4469676974616c207369676e61747572652063617264 tokenflags TokenFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0520 seInfo SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 9 SecurityEnvironmentInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 7 se INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 1 owner OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 2 { 1 0 0 } supportedAlgorithms SEQUENCE OF: tag = [2] constructed; length = 94 AlgorithmInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 19 reference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 1 algorithm INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 1 parameters OpenType 0x0500 supportedOperations Operations BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0102 algId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 5 { 1 3 14 3 2 26 } AlgorithmInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 21 reference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 2 algorithm INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 2 parameters OpenType 0x0500 supportedOperations Operations BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0640 algId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 7 { 1 3 36 3 4 3 2 1 } AlgorithmInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 16 reference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 3 algorithm INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 3 parameters OpenType 0x0500 supportedOperations Operations BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x05a0 algId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 2 { 1 0 0 } AlgorithmInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 30 reference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 algorithm INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 parameters OpenType 0x04080000000000000000 supportedOperations Operations BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x020c algId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 8 { 1 2 840 113549 3 7 } issuerId Label UTF8String: tag = [3] primitive; length = 3 0x777879 holderId Label UTF8String: tag = [4] primitive; length = 3 0x767778 lastUpdate : tag = [5] constructed; length = 6 LastUpdate CHOICE referencedTime CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x4444 2.2.3 DER encoding 3081B102 01000409 15975222 25154012 400C0858 592C2049 6E632E80 16446967 6974616C 20736967 6E617475 72652063 61726403 02052030 09300702 01010602 2800A25E 30130201 01020101 05000302 01020605 2B0E0302 1A301502 01020201 02050003 02064006 072B2403 04030201 30100201 03020103 05000302 05A00602 2800301E 02010402 01040408 00000000 00000000 0302020C 06082A86 4886F70D 03078303 77787984 03767778 A5063004 04024444 2.3 EF(ODF) 2.3.1 Value notation privateKeys : path : { path '6034'H, -- path to EF(PrKDF), located under DF.PKCS#15 }, trustedPublicKeys : path : { path '6035'H, -- path to EF(PuKDF), located under DF.PKCS#15 }, trustedCertificates : path : { path '6036'H, -- path to EF(CDF), located under DF.PKCS#15 }, dataObjects: path : { path '6037'H, -- path to EF(DODF), located under DF.PKCS#15 }, authObjects : path : { path '6038'H, -- path to EF(AODF), located under DF.PKCS#15 } 2.3.2 ASN.1 dump PKCS15Objects CHOICE privateKeys : tag = [0] constructed; length = 6 PrivateKeys CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x6034 PKCS15Objects CHOICE trustedPublicKeys : tag = [2] constructed; length = 6 PublicKeys CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x6035 PKCS15Objects CHOICE trustedCertificates : tag = [5] constructed; length = 6 Certificates CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x6036 PKCS15Objects CHOICE dataObjects : tag = [7] constructed; length = 6 DataObjects CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x6037 PKCS15Objects CHOICE authObjects : tag = [8] constructed; length = 6 AuthObjects CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 4 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 2 0x6038 2.3.3 DER encoding A0063004 04026034 A2063004 04026035 A5063004 04026036 A7063004 04026037 A8063004 04026038 2.4 EF(PrKDF) 2.4.1 Value notation privateRSAKey : { commonObjectAttributes { label "PrK.CH.DS", -- PrK of cardholder for digital -- signature userConsent 3, -- new authentication will be required -- before the first, 4th, 7th, etc. access. -- Use the following authentication possiblities accessControlRules { { accessMode {execute}, securityCondition or : {authId : '07'H, authId : '0A'H} } } }, classAttributes { iD '01'H, -- PKCS#15 identifier for the related key usage {nonRepudiation}, keyReference 130 -- 0x82, key id in the card of PrK.ICC.DS }, subClassAttributes { subjectName rdnSequence : {} -- DN of PrK owner as -- specified in the X.509 certificate containing the PuK }, typeAttributes { value indirect : path : { path ''H, -- no FID given }, modulusLength 1024 } }, privateRSAKey : { commonObjectAttributes { label "PrK.ICC.AUT", -- PrK of ICC for authentication flags {private}, authId '07'H }, classAttributes { iD '02'H, usage {sign}, -- corresponds to X.509 digitalSignature keyReference 129 -- 0x81, key id in the card of PrK.ICC.AUT }, typeAttributes { value indirect : path : { path ''H, -- no FID given }, modulusLength 1024 } } 2.4.2 ASN.1 dump PrivateKeyType CHOICE privateRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 64 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 30 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 9 0x50724b2e43482e4453 userConsent INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 3 accessControlRules SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 14 AccessControlRule SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 12 accessMode AccessMode BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0520 securityCondition SecurityCondition CHOICE or SEQUENCE OF: tag = [2] constructed; length = 6 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x07 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x0a classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 12 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x01 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 3 0x060040 keyReference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 130 subClassAttributes : tag = [0] constructed; length = 4 CommonPrivateKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 2 subjectName Name CHOICE rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 0 typeAttributes : tag = [1] constructed; length = 10 PrivateRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 2 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 0 0x modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 PrivateKeyType CHOICE privateRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 47 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 20 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 11 0x50724b2e4943432e415554 flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x07 classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 11 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x02 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0520 keyReference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 129 typeAttributes : tag = [1] constructed; length = 10 PrivateRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 2 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 0 0x modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 2.4.3 DER encoding 3040301E 0C095072 4B2E4348 2E445302 0103300E 300C0302 0520A206 04010704 010A300C 04010103 03060040 02020082 A0043002 3000A10A 30083002 04000202 0400302F 30140C0B 50724B2E 4943432E 41555403 02078004 0107300B 04010203 02052002 020081A1 0A300830 02040002 020400 2.5 EF(PuKDF) 2.5.1 Value notation publicRSAKey : { commonObjectAttributes { label "PuK.RCA.DS", -- Public key of root CA }, classAttributes { iD '03'H, usage {nonRepudiation}, -- corresponds to X.509 keyCertSign keyReference 4 -- key ref as used in the cards, i.e. the -- certificate authority reference, which is taken as -- authority key id }, subClassAttributes { subjectName rdnSequence : {} -- DN of root CA }, typeAttributes { value indirect : path : { path '3F004016B000'H, -- path to EF.PK.RCA.DS }, modulusLength 1024 } }, publicRSAKey : { commonObjectAttributes { label "PuK.CA.DS", -- PuK of CA }, classAttributes { iD '04'H, usage {nonRepudiation}, keyReference 5 }, subClassAttributes { subjectName rdnSequence : {} -- DN of CA }, typeAttributes { value indirect : path : { path '3F004016B001'H, -- path to EF.PK.CA.DS }, modulusLength 1024 } }, publicRSAKey : { commonObjectAttributes { label "PuK.RCA.CS_AUT", }, classAttributes { iD '05'H, usage {nonRepudiation}, keyReference 2 }, subClassAttributes { subjectName rdnSequence : {} -- DN of root CA }, typeAttributes { value indirect : path : { path ''H -- PuK for internal use, no FID given }, modulusLength 1024 } }, publicRSAKey : { commonObjectAttributes { label "PuK.CA.CS_AUT", }, classAttributes { iD '06'H, usage {nonRepudiation}, keyReference 9 -- Key Ref in MSE:SET command }, subClassAttributes { subjectName rdnSequence : {} -- DN of CA }, typeAttributes { value indirect : path : { path ''H -- PuK for internal use, no FID given }, modulusLength 1024 } } 2.5.2 ASN.1 dump PublicKeyType CHOICE publicRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 51 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 12 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 10 0x50754b2e5243412e4453 classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 11 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x03 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 3 0x060040 keyReference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 subClassAttributes : tag = [0] constructed; length = 4 CommonPublicKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 2 subjectName Name CHOICE rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 0 typeAttributes : tag = [1] constructed; length = 16 PublicRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 14 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f004016b000 modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 PublicKeyType CHOICE publicRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 50 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 11 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 9 0x50754b2e43412e4453 classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 11 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x04 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 3 0x060040 keyReference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 5 subClassAttributes : tag = [0] constructed; length = 4 CommonPublicKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 2 subjectName Name CHOICE rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 0 typeAttributes : tag = [1] constructed; length = 16 PublicRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 14 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f004016b001 modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 PublicKeyType CHOICE publicRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 49 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 16 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 14 0x50754b2e5243412e43535f415554 classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 11 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x05 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 3 0x060040 keyReference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 2 subClassAttributes : tag = [0] constructed; length = 4 CommonPublicKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 2 subjectName Name CHOICE rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 0 typeAttributes : tag = [1] constructed; length = 10 PublicRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 2 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 0 0x modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 PublicKeyType CHOICE publicRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 48 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 15 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 13 0x50754b2e43412e43535f415554 classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 11 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x06 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 3 0x060040 keyReference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 9 subClassAttributes : tag = [0] constructed; length = 4 CommonPublicKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 2 subjectName Name CHOICE rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 0 typeAttributes : tag = [1] constructed; length = 10 PublicRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 2 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 0 0x modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 2.5.3 DER encoding 3033300C 0C0A5075 4B2E5243 412E4453 300B0401 03030306 00400201 04A00430 023000A1 10300E30 0804063F 004016B0 00020204 00303230 0B0C0950 754B2E43 412E4453 300B0401 04030306 00400201 05A00430 023000A1 10300E30 0804063F 004016B0 01020204 00303130 100C0E50 754B2E52 43412E43 535F4155 54300B04 01050303 06004002 0102A004 30023000 A10A3008 30020400 02020400 3030300F 0C0D5075 4B2E4341 2E43535F 41555430 0B040106 03030600 40020109 A0043002 3000A10A 30083002 04000202 0400 2.6 EF(CDF) 2.6.1 Value notation x509Certificate : { commonObjectAttributes { label "C.CH.DS", accessControlRules { { accessMode {read}, securityCondition or : {authId : '07'H, authId : '0A'H} } } }, classAttributes { iD'01'H -- related to private RSA key with id '01'H }, typeAttributes { -- see clause 6.6.2 value indirect : path : { path '3F004016C000'H, -- path to EF.C.CH.DS } } }, x509Certificate : { commonObjectAttributes { label "C.CA.DS", }, classAttributes { iD'04'H, authority TRUE }, typeAttributes { value indirect : path : { path '3F004016C008'H, -- path to EF.C.CA.DS } } }, cvCertificate : { commonObjectAttributes { label "C.ICC.AUT", }, classAttributes { iD '02'H -- related to private RSA key with id '02'H }, typeAttributes { value indirect : path : { path '3F004016C100'H, -- path to EF.C.ICC.AUT } } }, cvCertificate : { commonObjectAttributes { label "C.CA.AUT", }, classAttributes { iD '06'H, authority TRUE }, typeAttributes { value indirect : path : { path '3F004016C108'H, -- path to EF.C.CA.AUT } } } 2.6.2 ASN.1 dump CertificateType CHOICE x509Certificate SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 46 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 25 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 7 0x432e43482e4453 accessControlRules SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 14 AccessControlRule SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 12 accessMode AccessMode BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 securityCondition SecurityCondition CHOICE or SEQUENCE OF: tag = [2] constructed; length = 6 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x07 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x0a classAttributes CommonCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x01 typeAttributes : tag = [1] constructed; length = 12 X509CertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f004016c000 CertificateType CHOICE x509Certificate SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 33 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 9 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 7 0x432e43412e4453 classAttributes CommonCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 6 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x04 authority BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1 TRUE typeAttributes : tag = [1] constructed; length = 12 X509CertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f004016c008 CertificateType CHOICE cvCertificate SEQUENCE: tag = [5] constructed; length = 32 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 11 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 9 0x432e4943432e415554 classAttributes CommonCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x02 typeAttributes : tag = [1] constructed; length = 12 CVCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f004016c100 CertificateType CHOICE cvCertificate SEQUENCE: tag = [5] constructed; length = 34 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 8 0x432e43412e415554 classAttributes CommonCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 6 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x06 authority BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1 TRUE typeAttributes : tag = [1] constructed; length = 12 CVCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 value CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f004016c108 2.6.3 DER encoding 302E3019 0C07432E 43482E44 53300E30 0C030207 80A20604 01070401 0A300304 0101A10C 300A3008 04063F00 4016C000 30213009 0C07432E 43412E44 53300604 01040101 FFA10C30 0A300804 063F0040 16C008A5 20300B0C 09432E49 43432E41 55543003 040102A1 0C300A30 0804063F 004016C1 00A52230 0A0C0843 2E43412E 41555430 06040106 0101FFA1 0C300A30 0804063F 004016C1 08 2.7 EF(AODF) 2.7.1 Value notation pin : { commonObjectAttributes { label "PIN authentication", flags {private, modifiable}, authId '08'H -- link to unblocking PIN }, classAttributes { authId '07'H }, typeAttributes { pinFlags {case-sensitive, -- no conversion to uppercase local, -- i.e. DF-specific initialized, exchangeRefData}, pinType utf8, -- character coding for PIN/password minLength 6, storedLength 0, -- not information given maxLength 8, pinReference 81 -- P2 of VERIFY/CHANGE RD command } }, pin : { commonObjectAttributes { label "PIN authentication for resetting code", flags {private} }, classAttributes { authId '08'H }, typeAttributes { pinFlags {local, initialized, unblockingPin}, pinType iso9564-1, minLength 8, storedLength 0, -- no information given maxLength 8, pinReference 81 -- P2 of VERIFY/CHANGE RD command } }, biometricTemplate : { commonObjectAttributes { label "Biometric finger print as user authentication", flags {private, modifiable}, }, classAttributes { authId '0A'H }, typeAttributes { bioFlags {local, -- i.e. DF-specific -- initialized}, templateId {1 0 0}, -- Fake OID, identifies the data structure -- of finger print bioType fingerPrint : { hand right, finger thumb }, bioReference 145, -- 0x91, P2 of VERIFY/CHANGE RD command } }, biometricTemplate : { commonObjectAttributes { label "Biometric iris scan as resetting code", flags {private}, }, classAttributes { authId '0B'H }, typeAttributes { bioFlags {local, -- i.e. DF-specific -- initialized}, templateId {1 0 0}, -- Fake OID, identifies the data structure -- of iris scan bioType irisScan : { eye left }, bioReference 145 -- 0x91, P2 of VERIFY/CHANGE RD command } }, external : { commonObjectAttributes { label "Certificate holder authorisation", }, classAttributes { authId '09'H }, typeAttributes certBasedAttributes : { cha 'D2760000660102'H -- AID with role Id 02 as defined for -- the CV certifcate to be presented as -- part of the authentication procedure -- for getting access to the EF -- containing the display message } } 2.7.2 ASN.1 dump AuthenticationType CHOICE pin SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 58 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 27 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 18 0x50494e2061757468656e7469636174696f6e flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x06c0 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x08 classAttributes CommonAuthenticationObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x07 typeAttributes : tag = [1] constructed; length = 22 PinAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 20 pinFlags PinFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 3 0x04c810 pinType PinType ENUMERATED: tag = [UNIVERSAL 10] primitive; length = 1 2 minLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 6 storedLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 0 maxLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 8 pinReference Reference INTEGER: tag = [0] primitive; length = 1 81 AuthenticationType CHOICE pin SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 73 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 43 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 37 0x50494e2061757468656e7469636174696f6e20666f7220726573657474696e6720636f... flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 classAttributes CommonAuthenticationObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x08 typeAttributes : tag = [1] constructed; length = 21 PinAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 19 pinFlags PinFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x014a pinType PinType ENUMERATED: tag = [UNIVERSAL 10] primitive; length = 1 4 minLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 8 storedLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 0 maxLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 8 pinReference Reference INTEGER: tag = [0] primitive; length = 1 81 AuthenticationType CHOICE biometricTemplate SEQUENCE: tag = [0] constructed; length = 82 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 51 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 45 0x42696f6d65747269632066696e676572207072696e7420617320757365722061757468... flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x06c0 classAttributes CommonAuthenticationObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x0a typeAttributes : tag = [1] constructed; length = 22 BiometricAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 20 bioFlags BiometricFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0348 templateId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 2 { 1 0 0 } bioType BiometricType CHOICE fingerPrint FingerPrint SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 6 hand ENUMERATED: tag = [UNIVERSAL 10] primitive; length = 1 1 finger ENUMERATED: tag = [UNIVERSAL 10] primitive; length = 1 0 bioReference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 145 AuthenticationType CHOICE biometricTemplate SEQUENCE: tag = [0] constructed; length = 71 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 43 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 37 0x42696f6d65747269632069726973207363616e20617320726573657474696e6720636f... flags CommonObjectFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 classAttributes CommonAuthenticationObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x0b typeAttributes : tag = [1] constructed; length = 19 BiometricAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 17 bioFlags BiometricFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0348 templateId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 2 { 1 0 0 } bioType BiometricType CHOICE irisScan IrisScan SEQUENCE: tag = [0] constructed; length = 3 eye ENUMERATED: tag = [UNIVERSAL 10] primitive; length = 1 0 bioReference Reference INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 145 AuthenticationType CHOICE external SEQUENCE: tag = [2] constructed; length = 54 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 34 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 32 0x436572746966696361746520686f6c64657220617574686f7269736174696f6e classAttributes CommonAuthenticationObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x09 typeAttributes : tag = [1] constructed; length = 11 ExternalAuthObjectAttributes CHOICE certBasedAttributes CertBasedAuthenticationAttributes SEQUENCE: tag = [0] constructed; length = 9 cha OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 7 0xd2760000660102 2.7.3 DER encoding 303A301B 0C125049 4E206175 7468656E 74696361 74696F6E 030206C0 04010830 03040107 A1163014 030304C8 100A0102 02010602 01000201 08800151 3049302B 0C255049 4E206175 7468656E 74696361 74696F6E 20666F72 20726573 65747469 6E672063 6F646503 02078030 03040108 A1153013 0302014A 0A010402 01080201 00020108 800151A0 5230330C 2D42696F 6D657472 69632066 696E6765 72207072 696E7420 61732075 73657220 61757468 656E7469 63617469 6F6E0302 06C03003 04010AA1 16301403 02034806 02280030 060A0101 0A010002 020091A0 47302B0C 2542696F 6D657472 69632069 72697320 7363616E 20617320 72657365 7474696E 6720636F 64650302 07803003 04010BA1 13301103 02034806 022800A0 030A0100 02020091 A2363022 0C204365 72746966 69636174 6520686F 6C646572 20617574 686F7269 73617469 6F6E3003 040109A1 0BA00904 07D27600 00660102 2.8 EF(DODF) 2.8.1 Value notation opaqueDO : { commonObjectAttributes { label "EF.PROT", accessControlRules { { accessMode {read}, securityCondition or: {authId : '07'H , authId : '0A'H} }, { accessMode {update}, securityCondition or: {authId : '07'H , authId : '0A'H} } } }, classAttributes { applicationName "DIN NI-17.4" }, typeAttributes indirect : path : { path '3F004016A000'H, -- path to EF.PROT } }, opaqueDO : { commonObjectAttributes { label "EF.GDO", }, classAttributes { applicationName "DIN NI-17.4" }, typeAttributes indirect : path : { path '3F002F02'H, -- path to EF.GDO } }, opaqueDO : { commonObjectAttributes { label "EF.SSD", }, classAttributes { applicationName "DIN NI-17.4" }, typeAttributes indirect : path : { path '3F0040161F00'H, -- path to EF.SSD } }, opaqueDO : { commonObjectAttributes { label "EF.DM", accessControlRules { { accessMode {read}, -- readable after... securityCondition or : {authId : '09'H, -- entity auth -- binds to EXTERNAL AUTH with CV certificate -- containing the certificate holder authorization authId : '07'H, authId : '0A'H } -- user auth }, { accessMode {update}, -- writable after user auth securityCondition or : {authId : '07'H, authId : '0A'H } } } }, classAttributes { applicationName "DIN NI-17.4" }, typeAttributes indirect : path : { path '3F004016D000'H, -- path to EF.DM } } 2.8.2 ASN.1 dump DataType CHOICE opaqueDO SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 68 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 39 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 7 0x45462e50524f54 accessControlRules SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 28 AccessControlRule SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 12 accessMode AccessMode BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 securityCondition SecurityCondition CHOICE or SEQUENCE OF: tag = [2] constructed; length = 6 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x07 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x0a AccessControlRule SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 12 accessMode AccessMode BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0640 securityCondition SecurityCondition CHOICE or SEQUENCE OF: tag = [2] constructed; length = 6 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x07 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x0a classAttributes CommonDataObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 13 applicationName Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 11 0x44494e204e492d31372e34 typeAttributes : tag = [1] constructed; length = 10 Opaque CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f004016a000 DataType CHOICE opaqueDO SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 35 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 6 0x45462e47444f classAttributes CommonDataObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 13 applicationName Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 11 0x44494e204e492d31372e34 typeAttributes : tag = [1] constructed; length = 8 Opaque CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 6 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 4 0x3f002f02 DataType CHOICE opaqueDO SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 37 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 6 0x45462e535344 classAttributes CommonDataObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 13 applicationName Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 11 0x44494e204e492d31372e34 typeAttributes : tag = [1] constructed; length = 10 Opaque CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f0040161f00 DataType CHOICE opaqueDO SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 69 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 40 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 5 0x45462e444d accessControlRules SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 31 AccessControlRule SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 15 accessMode AccessMode BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0780 securityCondition SecurityCondition CHOICE or SEQUENCE OF: tag = [2] constructed; length = 9 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x09 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x07 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x0a AccessControlRule SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 12 accessMode AccessMode BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0640 securityCondition SecurityCondition CHOICE or SEQUENCE OF: tag = [2] constructed; length = 6 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x07 SecurityCondition CHOICE authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x0a classAttributes CommonDataObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 13 applicationName Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 11 0x44494e204e492d31372e34 typeAttributes : tag = [1] constructed; length = 10 Opaque CHOICE indirect CHOICE path Path SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 8 path OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 6 0x3f004016d000 2.8.3 DER encoding 30443027 0C074546 2E50524F 54301C30 0C030207 80A20604 01070401 0A300C03 020640A2 06040107 04010A30 0D0C0B44 494E204E 492D3137 2E34A10A 30080406 3F004016 A0003023 30080C06 45462E47 444F300D 0C0B4449 4E204E49 2D31372E 34A10830 0604043F 002F0230 2530080C 0645462E 53534430 0D0C0B44 494E204E 492D3137 2E34A10A 30080406 3F004016 1F003045 30280C05 45462E44 4D301F30 0F030207 80A20904 01090401 0704010A 300C0302 0640A206 04010704 010A300D 0C0B4449 4E204E49 2D31372E 34A10A30 0804063F 004016D0 00 3 A PKCS15Token example An example of a soft-token consisting of two private keys (both individually encrypted with a session key, in turn encrypted with a key derived from a user password) and three certificates (of which one is a CA certificate). Note - Encrypted values are fictious, the emphasize here has been on correct token structure. 3.1 Value notation value PKCS15Token ::= { version v1, keyManagementInfo { { keyId '01'H, keyInfo passwordInfo : { hint "Authentication password", algId { algorithm { 1 2 840 113549 1 5 12 }, parameters PBKDF2-params : { salt specified : 'A5A5A5A5A5A5A5A5'H, iterationCount 1024 } } } }, { keyId '02'H, keyInfo passwordInfo : { hint "Digital signature password", algId { algorithm { 1 2 840 113549 1 5 12 }, parameters PBKDF2-params : { salt specified : '9696969696969696'H, iterationCount 1024 } } } } }, pkcs15Objects { certificates : objects : { x509Certificate : { commonObjectAttributes { label "CERT1" }, classAttributes { iD '45'H }, typeAttributes { value indirect : url : url : "http://www.certs-r-us.com/cert1.crt" } }, x509Certificate : { commonObjectAttributes { label "CERT2" }, classAttributes { iD '46'H }, typeAttributes { value indirect : url : url : "http://www.certs-r-us.com/cert2.crt" } }, x509Certificate : { commonObjectAttributes { label "My trusted CA" }, classAttributes { iD '04'H, authority TRUE, implicitTrust TRUE }, typeAttributes { value indirect : url : urlWithDigest : { url "http://www.certs-r-us.com/ca-cert.c ...", digest { digest '01234567890123456789012345678901'H } } } } }, privateKeys : objects : { privateRSAKey : { commonObjectAttributes { label "Auth key" }, classAttributes { iD '45'H, usage { decrypt, sign, unwrap }, native FALSE }, subClassAttributes { keyIdentifiers { { idType 4, idValue ParameterString : '4321567890ABCDEF012345678901020304010203'H } } }, typeAttributes { value direct-protected : { version v2, recipientInfos { kekri : { version v4, kekid { keyIdentifier '01'H }, keyEncryptionAlgorithm { algorithm { 1 2 840 113549 1 9 16 3 3 }, parameters CMS3DESwrap : NULL }, encryptedKey ''H } }, encryptedContentInfo { contentType { 1 2 840 113549 1 7 1 }, contentEncryptionAlgorithm { algorithm { 1 2 840 113549 3 7 }, parameters DES-IV : '0807060504030201'H }, encryptedContent ''H } }, modulusLength 1024 } }, privateRSAKey : { commonObjectAttributes { label "Digital signature key", authId '02'H }, classAttributes { iD '46'H, usage { sign, nonRepudiation }, native FALSE }, subClassAttributes { keyIdentifiers { { idType 4, idValue ParameterString : 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'H } } }, typeAttributes { value direct-protected : { version v2, recipientInfos { kekri : { version v4, kekid { keyIdentifier '02'H }, keyEncryptionAlgorithm { algorithm { 1 2 840 113549 1 9 16 3 3 }, parameters CMS3DESwrap : NULL }, encryptedKey ''H } }, encryptedContentInfo { contentType { 1 2 840 113549 1 7 1 }, contentEncryptionAlgorithm { algorithm { 1 2 840 113549 3 7 }, parameters DES-IV : '0102030405060708'H }, encryptedContent ''H } }, modulusLength 1024 } } } } } 3.2 ASN.1 dump 3.2.1 ASN.1 dump of "open types" included in the soft token PBKDF2-params SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 14 salt CHOICE specified OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 8 0xa5a5a5a5a5a5a5a5 iterationCount INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 PBKDF2-params SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 14 salt CHOICE specified OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 8 0x9696969696969696 iterationCount INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 ParameterString OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 20 0x4321567890abcdef012345678901020304010203 CMS3DESwrap NULL: tag = [UNIVERSAL 5] primitive; length = 0 NULL DES-IV OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 8 0x0807060504030201 ParameterString OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 20 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa CMS3DESwrap NULL: tag = [UNIVERSAL 5] primitive; length = 0 NULL DES-IV OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 8 0x0102030405060708 3.2.2 ASN.1 dump of the token PKCS15Token SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 656 version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 0 keyManagementInfo KeyManagementInfo SEQUENCE OF: tag = [0] constructed; length = 125 SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 59 keyId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x01 keyInfo CHOICE passwordInfo PasswordInfo SEQUENCE: tag = [0] constructed; length = 54 hint Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 23 0x41757468656e7469636174696f6e2070617373776f7264 algId SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 27 algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 9 { 1 2 840 113549 1 5 12 } parameters OpenType 0x300e0408a5a5a5a5a5a5a5a502020400 SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 62 keyId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x02 keyInfo CHOICE passwordInfo PasswordInfo SEQUENCE: tag = [0] constructed; length = 57 hint Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 26 0x4469676974616c207369676e61747572652070617373776f7264 algId SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 27 algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 9 { 1 2 840 113549 1 5 12 } parameters OpenType 0x300e0408969696969696969602020400 pkcs15Objects SEQUENCE OF: tag = [UNIVERSAL 16] constructed; length = 522 PKCS15Objects CHOICE certificates : tag = [4] constructed; length = 212 Certificates CHOICE objects SEQUENCE OF: tag = [0] constructed; length = 209 CertificateType CHOICE x509Certificate SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 55 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 7 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 5 0x4345525431 classAttributes CommonCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x45 typeAttributes : tag = [1] constructed; length = 39 X509CertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 37 value CHOICE indirect CHOICE url URL CHOICE url PrintableString: tag = [UNIVERSAL 19] primitive; length = 35 "http://www.certs-r-us.com/cert1.crt" CertificateType CHOICE x509Certificate SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 55 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 7 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 5 0x4345525432 classAttributes CommonCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x46 typeAttributes : tag = [1] constructed; length = 39 X509CertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 37 value CHOICE indirect CHOICE url URL CHOICE url PrintableString: tag = [UNIVERSAL 19] primitive; length = 35 "http://www.certs-r-us.com/cert2.crt" CertificateType CHOICE x509Certificate SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 93 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 15 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 13 0x4d792074727573746564204341 classAttributes CommonCertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 9 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x04 authority BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1 TRUE implicitTrust BOOLEAN: tag = [3] primitive; length = 1 TRUE typeAttributes : tag = [1] constructed; length = 63 X509CertificateAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 61 value CHOICE indirect CHOICE url URL CHOICE urlWithDigest SEQUENCE: tag = [3] constructed; length = 59 url IA5String: tag = [UNIVERSAL 22] primitive; length = 37 "http://www.certs-r-us.com/ca-cert.c..." digest DigestInfoWithDefault SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 18 digest OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 16 0x01234567890123456789012345678901 PKCS15Objects CHOICE privateKeys : tag = [0] constructed; length = 303 PrivateKeys CHOICE objects SEQUENCE OF: tag = [0] constructed; length = 299 PrivateKeyType CHOICE privateRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 138 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 8 0x41757468206b6579 classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 10 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x45 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 2 0x0264 native BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1 FALSE subClassAttributes : tag = [0] constructed; length = 31 CommonPrivateKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 29 keyIdentifiers SEQUENCE OF: tag = [0] constructed; length = 27 SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 25 idType INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 idValue OpenType 0x04144321567890abcdef012345678901020304010203 typeAttributes : tag = [1] constructed; length = 79 PrivateRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 77 value CHOICE direct-protected SEQUENCE: tag = [2] constructed; length = 71 version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 2 recipientInfos RecipientInfos SET OF: tag = [UNIVERSAL 17] constructed; length = 29 RecipientInfo CHOICE kekri KEKRecipientInfo SEQUENCE: tag = [2] constructed; length = 27 version CMSVersion INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 kekid KEKIdentifier SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 keyIdentifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x01 keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 15 algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 11 { 1 2 840 113549 1 9 16 3 3 } parameters OpenType 0x0500 encryptedKey EncryptedKey OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 0 0x encryptedContentInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 35 contentType OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 9 { 1 2 840 113549 1 7 1 } contentEncryptionAlgorithm SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 20 algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 8 { 1 2 840 113549 3 7 } parameters OpenType 0x04080807060504030201 encryptedContent OCTET STRING: tag = [0] primitive; length = 0 0x modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 PrivateKeyType CHOICE privateRSAKey SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 155 commonObjectAttributes CommonObjectAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 26 label Label UTF8String: tag = [UNIVERSAL 12] primitive; length = 21 0x4469676974616c207369676e6174757265206b6579 authId Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x02 classAttributes CommonKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 11 iD Identifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x46 usage KeyUsageFlags BIT STRING: tag = [UNIVERSAL 3] primitive; length = 3 0x062040 native BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1 FALSE subClassAttributes : tag = [0] constructed; length = 31 CommonPrivateKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 29 keyIdentifiers SEQUENCE OF: tag = [0] constructed; length = 27 SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 25 idType INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 idValue OpenType 0x0414aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa typeAttributes : tag = [1] constructed; length = 79 PrivateRSAKeyAttributes SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 77 value CHOICE direct-protected SEQUENCE: tag = [2] constructed; length = 71 version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 2 recipientInfos RecipientInfos SET OF: tag = [UNIVERSAL 17] constructed; length = 29 RecipientInfo CHOICE kekri KEKRecipientInfo SEQUENCE: tag = [2] constructed; length = 27 version CMSVersion INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 4 kekid KEKIdentifier SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 3 keyIdentifier OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 1 0x02 keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 15 algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 11 { 1 2 840 113549 1 9 16 3 3 } parameters OpenType 0x0500 encryptedKey EncryptedKey OCTET STRING: tag = [UNIVERSAL 4] primitive; length = 0 0x encryptedContentInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 35 contentType OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 9 { 1 2 840 113549 1 7 1 } contentEncryptionAlgorithm SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 20 algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; length = 8 { 1 2 840 113549 3 7 } parameters OpenType 0x04080102030405060708 encryptedContent OCTET STRING: tag = [0] primitive; length = 0 0x modulusLength INTEGER: tag = [UNIVERSAL 2] primitive; length = 2 1024 3.3 DER encoding 30820290 020100A0 7D303B04 0101A036 0C174175 7468656E 74696361 74696F6E 20706173 73776F72 64301B06 092A8648 86F70D01 050C300E 0408A5A5 A5A5A5A5 A5A50202 0400303E 040102A0 390C1A44 69676974 616C2073 69676E61 74757265 20706173 73776F72 64301B06 092A8648 86F70D01 050C300E 04089696 96969696 96960202 04003082 020AA481 D4A081D1 30373007 0C054345 52543130 03040145 A1273025 13236874 74703A2F 2F777777 2E636572 74732D72 2D75732E 636F6D2F 63657274 312E6372 74303730 070C0543 45525432 30030401 46A12730 25132368 7474703A 2F2F7777 772E6365 7274732D 722D7573 2E636F6D 2F636572 74322E63 7274305D 300F0C0D 4D792074 72757374 65642043 41300904 01040101 FF8301FF A13F303D A33B1625 68747470 3A2F2F77 77772E63 65727473 2D722D75 732E636F 6D2F6361 2D636572 742E6372 74301204 10012345 67890123 45678901 23456789 01A08201 2FA08201 2B30818A 300A0C08 41757468 206B6579 300A0401 45030202 64010100 A01F301D A01B3019 02010404 14432156 7890ABCD EF012345 67890102 03040102 03A14F30 4DA24702 0102311D A21B0201 04300304 0101300F 060B2A86 4886F70D 01091003 03050004 00302306 092A8648 86F70D01 07013014 06082A86 4886F70D 03070408 08070605 04030201 80000202 04003081 9B301A0C 15446967 6974616C 20736967 6E617475 7265206B 65790401 02300B04 01460303 06204001 0100A01F 301DA01B 30190201 040414AA AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAA1 4F304DA2 47020102 311DA21B 02010430 03040102 300F060B 2A864886 F70D0109 10030305 00040030 2306092A 864886F7 0D010701 30140608 2A864886 F70D0307 04080102 03040506 07088000 02020400