Add support for RFC 7906 (#61)

author: Russ Housley <housley@vigilsec.com> 2019-09-03 03:06:48 -0400
committer: Ilya Etingof <etingof@gmail.com> 2019-09-03 09:06:48 +0200
commit: 674015081b7a2d157a832f1ba6a0f7400b859dc4 (patch)
tree: d589e75ba8e299b99c951cd0b2fe4f5ee6be061f
parent: 3f4a9e498ccd2c2998adbf2c9e7ddda87e87d7aa (diff)
download: pyasn1-modules-674015081b7a2d157a832f1ba6a0f7400b859dc4.tar.gz
4 files changed, 905 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index d5b7902..0a4778b 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -20,6 +20,7 @@ Revision 0.2.7, released XX-08-2019
 - Added RFC6211 providing CMS Algorithm Identifier Protection Attribute
 - Added RFC8449 providing Certificate Extension for Hash Of Root Key
 - Updated RFC2459 and RFC5280 for TODO in the certificate extension map
+- Added RFC7906 providing NSA's CMS Key Management Attributes
 
 Revision 0.2.6, released 31-07-2019
 -----------------------------------
diff --git a/pyasn1_modules/rfc7906.py b/pyasn1_modules/rfc7906.py
new file mode 100644
index 0000000..fa5f6b0
--- /dev/null
+++ b/pyasn1_modules/rfc7906.py
@@ -0,0 +1,736 @@
+#
+# This file is part of pyasn1-modules software.
+#
+# Created by Russ Housley.
+#
+# Copyright (c) 2019, Vigil Security, LLC
+# License: http://snmplabs.com/pyasn1/license.html
+#
+# NSA's CMS Key Management Attributes
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc7906.txt
+# https://www.rfc-editor.org/errata/eid5850
+#
+
+from pyasn1.type import char
+from pyasn1.type import constraint
+from pyasn1.type import namedtype
+from pyasn1.type import namedval
+from pyasn1.type import tag
+from pyasn1.type import univ
+
+from pyasn1_modules import rfc2634
+from pyasn1_modules import rfc4108
+from pyasn1_modules import rfc5280
+from pyasn1_modules import rfc5652
+from pyasn1_modules import rfc6010
+from pyasn1_modules import rfc6019
+from pyasn1_modules import rfc7191
+
+MAX = float('inf')
+
+
+# Imports From RFC 2634
+
+id_aa_contentHint = rfc2634.id_aa_contentHint
+
+ContentHints = rfc2634.ContentHints
+
+id_aa_securityLabel = rfc2634.id_aa_securityLabel
+
+SecurityPolicyIdentifier = rfc2634.SecurityPolicyIdentifier
+
+SecurityClassification = rfc2634.SecurityClassification
+
+ESSPrivacyMark = rfc2634.ESSPrivacyMark
+
+SecurityCategories= rfc2634.SecurityCategories
+
+ESSSecurityLabel = rfc2634.ESSSecurityLabel
+
+
+# Imports From RFC 4108
+
+id_aa_communityIdentifiers = rfc4108.id_aa_communityIdentifiers
+
+CommunityIdentifier = rfc4108.CommunityIdentifier
+
+CommunityIdentifiers = rfc4108.CommunityIdentifiers
+
+
+# Imports From RFC 5280
+
+AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
+
+Name = rfc5280.Name
+
+Certificate = rfc5280.Certificate
+
+GeneralNames = rfc5280.GeneralNames
+
+GeneralName = rfc5280.GeneralName
+
+
+SubjectInfoAccessSyntax = rfc5280.SubjectInfoAccessSyntax
+
+id_pkix = rfc5280.id_pkix
+
+id_pe = rfc5280.id_pe
+
+id_pe_subjectInfoAccess = rfc5280.id_pe_subjectInfoAccess
+
+
+# Imports From RFC 6010
+
+CMSContentConstraints = rfc6010.CMSContentConstraints
+
+
+# Imports From RFC 6019
+
+BinaryTime = rfc6019.BinaryTime
+
+id_aa_binarySigningTime = rfc6019.id_aa_binarySigningTime
+
+BinarySigningTime = rfc6019.BinarySigningTime
+
+
+# Imports From RFC 5652
+
+Attribute = rfc5652.Attribute
+
+CertificateSet = rfc5652.CertificateSet
+
+CertificateChoices = rfc5652.CertificateChoices
+
+id_contentType = rfc5652.id_contentType
+
+ContentType = rfc5652.ContentType
+
+id_messageDigest = rfc5652.id_messageDigest
+
+MessageDigest = rfc5652.MessageDigest
+
+
+# Imports From RFC 7191
+
+SIREntityName = rfc7191.SIREntityName
+
+id_aa_KP_keyPkgIdAndReceiptReq = rfc7191.id_aa_KP_keyPkgIdAndReceiptReq
+
+KeyPkgIdentifierAndReceiptReq = rfc7191.KeyPkgIdentifierAndReceiptReq
+
+
+# Key Province Attribute
+
+id_aa_KP_keyProvinceV2 = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.71')
+
+
+class KeyProvinceV2(univ.ObjectIdentifier):
+    pass
+
+
+aa_keyProvince_v2 = Attribute()
+aa_keyProvince_v2['attrType'] = id_aa_KP_keyProvinceV2
+aa_keyProvince_v2['attrValues'][0] = KeyProvinceV2()
+ 
+
+# Manifest Attribute
+
+id_aa_KP_manifest = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.72')
+
+
+class ShortTitle(char.PrintableString):
+    pass
+
+
+class Manifest(univ.SequenceOf):
+    pass
+
+Manifest.componentType = ShortTitle()
+Manifest.subtypeSpec=constraint.ValueSizeConstraint(1, MAX)
+
+
+aa_manifest = Attribute()
+aa_manifest['attrType'] = id_aa_KP_manifest
+aa_manifest['attrValues'][0] = Manifest()
+
+
+# Key Algorithm Attribute
+
+id_kma_keyAlgorithm = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.1')
+
+
+class KeyAlgorithm(univ.Sequence):
+    pass
+
+KeyAlgorithm.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('keyAlg', univ.ObjectIdentifier()),
+    namedtype.OptionalNamedType('checkWordAlg', univ.ObjectIdentifier().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+    namedtype.OptionalNamedType('crcAlg', univ.ObjectIdentifier().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
+)
+
+
+aa_keyAlgorithm = Attribute()
+aa_keyAlgorithm['attrType'] = id_kma_keyAlgorithm
+aa_keyAlgorithm['attrValues'][0] = KeyAlgorithm()
+
+
+# User Certificate Attribute
+
+id_at_userCertificate = univ.ObjectIdentifier('2.5.4.36')
+
+
+aa_userCertificate = Attribute()
+aa_userCertificate['attrType'] = id_at_userCertificate
+aa_userCertificate['attrValues'][0] =  Certificate()
+
+
+# Key Package Receivers Attribute
+
+id_kma_keyPkgReceiversV2 = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.16')
+
+
+class KeyPkgReceiver(univ.Choice):
+    pass
+
+KeyPkgReceiver.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('sirEntity', SIREntityName().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+    namedtype.NamedType('community', CommunityIdentifier().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
+)
+
+
+class KeyPkgReceiversV2(univ.SequenceOf):
+    pass
+
+KeyPkgReceiversV2.componentType = KeyPkgReceiver()
+KeyPkgReceiversV2.subtypeSpec=constraint.ValueSizeConstraint(1, MAX)
+
+
+aa_keyPackageReceivers_v2 = Attribute()
+aa_keyPackageReceivers_v2['attrType'] = id_kma_keyPkgReceiversV2
+aa_keyPackageReceivers_v2['attrValues'][0] = KeyPkgReceiversV2()
+
+
+# TSEC Nomenclature Attribute
+
+id_kma_TSECNomenclature = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.3')
+
+
+class CharEdition(char.PrintableString):
+    pass
+
+
+class CharEditionRange(univ.Sequence):
+    pass
+
+CharEditionRange.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('firstCharEdition', CharEdition()),
+    namedtype.NamedType('lastCharEdition', CharEdition())
+)
+
+
+class NumEdition(univ.Integer):
+    pass
+
+NumEdition.subtypeSpec = constraint.ValueRangeConstraint(0, 308915776)
+
+
+class NumEditionRange(univ.Sequence):
+    pass
+
+NumEditionRange.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('firstNumEdition', NumEdition()),
+    namedtype.NamedType('lastNumEdition', NumEdition())
+)
+
+
+class EditionID(univ.Choice):
+    pass
+
+EditionID.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('char', univ.Choice(componentType=namedtype.NamedTypes(
+        namedtype.NamedType('charEdition', CharEdition().subtype(
+            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+        namedtype.NamedType('charEditionRange', CharEditionRange().subtype(
+            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2)))
+    ))
+    ),
+    namedtype.NamedType('num', univ.Choice(componentType=namedtype.NamedTypes(
+        namedtype.NamedType('numEdition', NumEdition().subtype(
+            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))),
+        namedtype.NamedType('numEditionRange', NumEditionRange().subtype(
+            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4)))
+    ))
+    )
+)
+
+
+class Register(univ.Integer):
+    pass
+
+Register.subtypeSpec = constraint.ValueRangeConstraint(0, 2147483647)
+
+
+class RegisterRange(univ.Sequence):
+    pass
+
+RegisterRange.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('firstRegister', Register()),
+    namedtype.NamedType('lastRegister', Register())
+)
+
+
+class RegisterID(univ.Choice):
+    pass
+
+RegisterID.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('register', Register().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))),
+    namedtype.NamedType('registerRange', RegisterRange().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 6)))
+)
+
+
+class SegmentNumber(univ.Integer):
+    pass
+
+SegmentNumber.subtypeSpec = constraint.ValueRangeConstraint(1, 127)
+
+
+class SegmentRange(univ.Sequence):
+    pass
+
+SegmentRange.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('firstSegment', SegmentNumber()),
+    namedtype.NamedType('lastSegment', SegmentNumber())
+)
+
+
+class SegmentID(univ.Choice):
+    pass
+
+SegmentID.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('segmentNumber', SegmentNumber().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))),
+    namedtype.NamedType('segmentRange', SegmentRange().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 8)))
+)
+
+
+class TSECNomenclature(univ.Sequence):
+    pass
+
+TSECNomenclature.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('shortTitle', ShortTitle()),
+    namedtype.OptionalNamedType('editionID', EditionID()),
+    namedtype.OptionalNamedType('registerID', RegisterID()),
+    namedtype.OptionalNamedType('segmentID', SegmentID())
+)
+
+
+aa_tsecNomenclature = Attribute()
+aa_tsecNomenclature['attrType'] = id_kma_TSECNomenclature
+aa_tsecNomenclature['attrValues'][0] = TSECNomenclature()
+
+
+# Key Purpose Attribute
+
+id_kma_keyPurpose = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.13')
+
+
+class KeyPurpose(univ.Enumerated):
+    pass
+
+KeyPurpose.namedValues = namedval.NamedValues(
+    ('n-a', 0),
+    ('a', 65),
+    ('b', 66),
+    ('l', 76),
+    ('m', 77),
+    ('r', 82),
+    ('s', 83),
+    ('t', 84),
+    ('v', 86),
+    ('x', 88),
+    ('z', 90)
+)
+
+
+aa_keyPurpose = Attribute()
+aa_keyPurpose['attrType'] = id_kma_keyPurpose
+aa_keyPurpose['attrValues'][0] = KeyPurpose()
+
+
+# Key Use Attribute
+
+id_kma_keyUse = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.14')
+
+
+class KeyUse(univ.Enumerated):
+    pass
+
+KeyUse.namedValues = namedval.NamedValues(
+    ('n-a', 0),
+    ('ffk', 1),
+    ('kek', 2),
+    ('kpk', 3),
+    ('msk', 4),
+    ('qkek', 5),
+    ('tek', 6),
+    ('tsk', 7),
+    ('trkek', 8),
+    ('nfk', 9),
+    ('effk', 10),
+    ('ebfk', 11),
+    ('aek', 12),
+    ('wod', 13),
+    ('kesk', 246),
+    ('eik', 247),
+    ('ask', 248),
+    ('kmk', 249),
+    ('rsk', 250),
+    ('csk', 251),
+    ('sak', 252),
+    ('rgk', 253),
+    ('cek', 254),
+    ('exk', 255)
+)
+
+
+aa_keyUse = Attribute()
+aa_keyPurpose['attrType'] = id_kma_keyUse
+aa_keyPurpose['attrValues'][0] = KeyUse()
+
+
+# Transport Key Attribute
+
+id_kma_transportKey = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.15')
+
+
+class TransOp(univ.Enumerated):
+    pass
+
+TransOp.namedValues = namedval.NamedValues(
+    ('transport', 1),
+    ('operational', 2)
+)
+
+
+aa_transportKey = Attribute()
+aa_transportKey['attrType'] = id_kma_transportKey
+aa_transportKey['attrValues'][0] = TransOp()
+
+
+# Key Distribution Period Attribute
+
+id_kma_keyDistPeriod = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.5')
+
+
+class KeyDistPeriod(univ.Sequence):
+    pass
+
+KeyDistPeriod.componentType = namedtype.NamedTypes(
+    namedtype.OptionalNamedType('doNotDistBefore', BinaryTime().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+    namedtype.NamedType('doNotDistAfter', BinaryTime())
+)
+
+
+aa_keyDistributionPeriod = Attribute()
+aa_keyDistributionPeriod['attrType'] = id_kma_keyDistPeriod
+aa_keyDistributionPeriod['attrValues'][0] = KeyDistPeriod()
+
+
+# Key Validity Period Attribute
+
+id_kma_keyValidityPeriod = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.6')
+
+
+class KeyValidityPeriod(univ.Sequence):
+    pass
+
+KeyValidityPeriod.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('doNotUseBefore', BinaryTime()),
+    namedtype.OptionalNamedType('doNotUseAfter', BinaryTime())
+)
+
+
+aa_keyValidityPeriod = Attribute()
+aa_keyValidityPeriod['attrType'] = id_kma_keyValidityPeriod
+aa_keyValidityPeriod['attrValues'][0] = KeyValidityPeriod()
+
+
+# Key Duration Attribute
+
+id_kma_keyDuration = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.7')
+
+
+ub_KeyDuration_months = univ.Integer(72)
+
+ub_KeyDuration_hours = univ.Integer(96)
+
+ub_KeyDuration_days = univ.Integer(732)
+
+ub_KeyDuration_weeks = univ.Integer(104)
+
+ub_KeyDuration_years = univ.Integer(100)
+
+
+class KeyDuration(univ.Choice):
+    pass
+
+KeyDuration.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('hours', univ.Integer().subtype(
+        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_hours)).subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+    namedtype.NamedType('days', univ.Integer().subtype(
+        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_days))),
+    namedtype.NamedType('weeks', univ.Integer().subtype(
+        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_weeks)).subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+    namedtype.NamedType('months', univ.Integer().subtype(
+        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_months)).subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
+    namedtype.NamedType('years', univ.Integer().subtype(
+        subtypeSpec=constraint.ValueRangeConstraint(1, ub_KeyDuration_years)).subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)))
+)
+
+
+aa_keyDurationPeriod = Attribute()
+aa_keyDurationPeriod['attrType'] = id_kma_keyDuration
+aa_keyDurationPeriod['attrValues'][0] = KeyDuration()
+
+
+# Classification Attribute
+
+id_aa_KP_classification = univ.ObjectIdentifier(id_aa_securityLabel)
+
+
+id_enumeratedPermissiveAttributes = univ.ObjectIdentifier('2.16.840.1.101.2.1.8.3.1')
+
+id_enumeratedRestrictiveAttributes = univ.ObjectIdentifier('2.16.840.1.101.2.1.8.3.4')
+
+id_informativeAttributes = univ.ObjectIdentifier('2.16.840.1.101.2.1.8.3.3')
+
+
+class SecurityAttribute(univ.Integer):
+    pass
+
+SecurityAttribute.subtypeSpec = constraint.ValueRangeConstraint(0, MAX)
+
+
+class EnumeratedTag(univ.Sequence):
+    pass
+
+EnumeratedTag.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('tagName', univ.ObjectIdentifier()),
+    namedtype.NamedType('attributeList', univ.SetOf(componentType=SecurityAttribute()))
+)
+
+
+class FreeFormField(univ.Choice):
+    pass
+
+FreeFormField.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('bitSetAttributes', univ.BitString()), # Not permitted in RFC 7906
+    namedtype.NamedType('securityAttributes', univ.SetOf(componentType=SecurityAttribute()))
+)
+
+
+class InformativeTag(univ.Sequence):
+    pass
+
+InformativeTag.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('tagName', univ.ObjectIdentifier()),
+    namedtype.NamedType('attributes', FreeFormField())
+)
+
+
+class Classification(ESSSecurityLabel):
+    pass
+
+
+aa_classification = Attribute()
+aa_classification['attrType'] = id_aa_KP_classification
+aa_classification['attrValues'][0] = Classification()
+
+
+# Split Identifier Attribute
+
+id_kma_splitID = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.11')
+
+
+class SplitID(univ.Sequence):
+    pass
+
+SplitID.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('half', univ.Enumerated(
+        namedValues=namedval.NamedValues(('a', 0), ('b', 1)))),
+    namedtype.OptionalNamedType('combineAlg', AlgorithmIdentifier())
+)
+
+
+aa_splitIdentifier = Attribute()
+aa_splitIdentifier['attrType'] = id_kma_splitID
+aa_splitIdentifier['attrValues'][0] = SplitID()
+
+
+# Key Package Type Attribute
+
+id_kma_keyPkgType = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.12')
+
+
+class KeyPkgType(univ.ObjectIdentifier):
+    pass
+
+
+aa_keyPackageType = Attribute()
+aa_keyPackageType['attrType'] = id_kma_keyPkgType
+aa_keyPackageType['attrValues'][0] = KeyPkgType()
+
+
+# Signature Usage Attribute
+
+id_kma_sigUsageV3 = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.22')
+
+
+class SignatureUsage(CMSContentConstraints):
+    pass
+
+
+aa_signatureUsage_v3 = Attribute()
+aa_signatureUsage_v3['attrType'] = id_kma_sigUsageV3
+aa_signatureUsage_v3['attrValues'][0] = SignatureUsage()
+
+
+# Other Certificate Format Attribute
+
+id_kma_otherCertFormats = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.19')
+
+
+aa_otherCertificateFormats = Attribute()
+aa_signatureUsage_v3['attrType'] = id_kma_otherCertFormats
+aa_signatureUsage_v3['attrValues'][0] = CertificateChoices()
+
+
+# PKI Path Attribute
+
+id_at_pkiPath = univ.ObjectIdentifier('2.5.4.70')
+
+
+class PkiPath(univ.SequenceOf):
+    pass
+
+PkiPath.componentType = Certificate()
+PkiPath.subtypeSpec=constraint.ValueSizeConstraint(1, MAX)
+
+
+aa_pkiPath = Attribute()
+aa_pkiPath['attrType'] = id_at_pkiPath
+aa_pkiPath['attrValues'][0] = PkiPath()
+
+
+# Useful Certificates Attribute
+
+id_kma_usefulCerts = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.20')
+
+
+aa_usefulCertificates = Attribute()
+aa_usefulCertificates['attrType'] = id_kma_usefulCerts
+aa_usefulCertificates['attrValues'][0] = CertificateSet()
+
+
+# Key Wrap Attribute
+
+id_kma_keyWrapAlgorithm = univ.ObjectIdentifier('2.16.840.1.101.2.1.13.21')
+
+
+aa_keyWrapAlgorithm  = Attribute()
+aa_keyWrapAlgorithm['attrType'] = id_kma_keyWrapAlgorithm
+aa_keyWrapAlgorithm['attrValues'][0] = AlgorithmIdentifier()
+
+
+# Content Decryption Key Identifier Attribute
+
+id_aa_KP_contentDecryptKeyID = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.66')
+
+
+class ContentDecryptKeyID(univ.OctetString):
+    pass
+
+
+aa_contentDecryptKeyIdentifier = Attribute()
+aa_contentDecryptKeyIdentifier['attrType'] = id_aa_KP_contentDecryptKeyID
+aa_contentDecryptKeyIdentifier['attrValues'][0] = ContentDecryptKeyID()
+
+
+# Certificate Pointers Attribute
+
+aa_certificatePointers = Attribute()
+aa_certificatePointers['attrType'] = id_pe_subjectInfoAccess
+aa_certificatePointers['attrValues'][0] = SubjectInfoAccessSyntax()
+
+
+# CRL Pointers Attribute
+
+id_aa_KP_crlPointers = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.70')
+
+
+aa_cRLDistributionPoints = Attribute()
+aa_cRLDistributionPoints['attrType'] = id_aa_KP_crlPointers
+aa_cRLDistributionPoints['attrValues'][0] = GeneralNames()
+
+
+# Extended Error Codes
+
+id_errorCodes = univ.ObjectIdentifier('2.16.840.1.101.2.1.22')
+
+id_missingKeyType = univ.ObjectIdentifier('2.16.840.1.101.2.1.22.1')
+
+id_privacyMarkTooLong = univ.ObjectIdentifier('2.16.840.1.101.2.1.22.2')
+
+id_unrecognizedSecurityPolicy = univ.ObjectIdentifier('2.16.840.1.101.2.1.22.3')
+
+
+# Map of Attribute Type OIDs to Attributes added to the
+# ones that are in rfc5652.py
+
+_cmsAttributesMapUpdate = {
+    id_aa_contentHint: ContentHints(),
+    id_aa_communityIdentifiers: CommunityIdentifiers(),
+    id_aa_binarySigningTime: BinarySigningTime(),
+    id_contentType: ContentType(),
+    id_messageDigest: MessageDigest(),
+    id_aa_KP_keyPkgIdAndReceiptReq: KeyPkgIdentifierAndReceiptReq(),
+    id_aa_KP_keyProvinceV2: KeyProvinceV2(),
+    id_aa_KP_manifest: Manifest(),
+    id_kma_keyAlgorithm: KeyAlgorithm(),
+    id_at_userCertificate: Certificate(),
+    id_kma_keyPkgReceiversV2: KeyPkgReceiversV2(),
+    id_kma_TSECNomenclature: TSECNomenclature(),
+    id_kma_keyPurpose: KeyPurpose(),
+    id_kma_keyUse: KeyUse(),
+    id_kma_transportKey: TransOp(),
+    id_kma_keyDistPeriod: KeyDistPeriod(),
+    id_kma_keyValidityPeriod: KeyValidityPeriod(),
+    id_kma_keyDuration: KeyDuration(),
+    id_aa_KP_classification: Classification(),
+    id_kma_splitID: SplitID(),
+    id_kma_keyPkgType: KeyPkgType(),
+    id_kma_sigUsageV3: SignatureUsage(),
+    id_kma_otherCertFormats: CertificateChoices(),
+    id_at_pkiPath: PkiPath(),
+    id_kma_usefulCerts: CertificateSet(),
+    id_kma_keyWrapAlgorithm: AlgorithmIdentifier(),
+    id_aa_KP_contentDecryptKeyID: ContentDecryptKeyID(),
+    id_pe_subjectInfoAccess: SubjectInfoAccessSyntax(),
+    id_aa_KP_crlPointers: GeneralNames(),
+}
+
+rfc5652.cmsAttributesMap.update(_cmsAttributesMapUpdate)
diff --git a/tests/__main__.py b/tests/__main__.py
index a1f7000..539f7ba 100644
--- a/tests/__main__.py
+++ b/tests/__main__.py
@@ -53,6 +53,7 @@ suite = unittest.TestLoader().loadTestsFromNames(
      'tests.test_rfc7191.suite',
      'tests.test_rfc7292.suite',
      'tests.test_rfc7296.suite',
+     'tests.test_rfc7906.suite',
      'tests.test_rfc8018.suite',
      'tests.test_rfc8103.suite',
      'tests.test_rfc8226.suite',
diff --git a/tests/test_rfc7906.py b/tests/test_rfc7906.py
new file mode 100644
index 0000000..e843bdd
--- /dev/null
+++ b/tests/test_rfc7906.py
@@ -0,0 +1,167 @@
+#
+# This file is part of pyasn1-modules software.
+#
+# Created by Russ Housley
+# Copyright (c) 2019, Vigil Security, LLC
+# License: http://snmplabs.com/pyasn1/license.html
+#
+
+import sys
+
+from pyasn1.codec.der.decoder import decode as der_decode
+from pyasn1.codec.der.encoder import encode as der_encode
+
+from pyasn1.type import univ
+
+from pyasn1_modules import pem
+from pyasn1_modules import rfc2985
+from pyasn1_modules import rfc5652
+from pyasn1_modules import rfc5280
+from pyasn1_modules import rfc7906
+
+try:
+    import unittest2 as unittest
+except ImportError:
+    import unittest
+
+
+class AttributeSetTestCase(unittest.TestCase):
+    attr_set_pem_text = """\
+MYIRmDAQBglghkgBZQIBDQcxA4IBATAQBglghkgBZQIBDQ0xAwoBUzAQBglghkgB
+ZQIBDQ4xAwoBAjAQBglghkgBZQIBDQ8xAwoBATARBglghkgBZQIBBUIxBAQCeQYw
+EgYJYIZIAWUCAQ0LMQUwAwoBATAVBglghkgBZQIBDQUxCDAGAgReAA//MBUGCyqG
+SIb3DQEJEAIuMQYCBF1qowYwGQYJYIZIAWUCAQVHMQwGCisGAQQBgaxgME0wGgYJ
+YIZIAWUCAQ0BMQ0wCwYJYIZIAWUDBAEtMBoGCWCGSAFlAgENDDENBgsqhkiG9w0B
+CRABGTAaBglghkgBZQIBDRUxDTALBglghkgBZQMEAS0wGwYJYIZIAWUCAQ0GMQ4w
+DAIEXQAAAAIEXwAP/zAdBgsqhkiG9w0BCRACKDEOMAwGCisGAQQBgaxgMDAwLQYJ
+YIZIAWUCAQVGMSAwHoYcaHR0cDovL3JlcG8uZXhhbXBsZS5jb20vcGtpLzAvBglg
+hkgBZQIBDQMxIjAgExFCb2d1cyBTaG9ydCBUaXRsZYEFQm9ndXOFATCHAU0wNAYJ
+YIZIAWUCAQVIMScwJRMRQm9ndXMgU2hvcnQgVGl0bGUTEEZha2UgU2hvcnQgVGl0
+bGUwOAYIKwYBBQUHAQsxLDAqMCgGCCsGAQUFBzAFhhxodHRwOi8vcmVwby5leGFt
+cGxlLmNvbS9wa2kvMEEGCyqGSIb3DQEJEAIEMTIwMAwjVGhlc2UgUkZDIDc5MDYg
+YXR0cmlidXRlcyBhcmUgYm9ndXMGCSqGSIb3DQEHATCBggYLKoZIhvcNAQkQAgIx
+czFxAgEBBgorBgEEAYGsYAEBMUwwJIAKYIZIAWUCAQgDA4EWMBQGCisGAQQBgaxg
+MEkxBgIBMAIBSTAkgApghkgBZQIBCAMEgRYwFAYKKwYBBAGBrGAwRTEGAgEwAgFF
+ExJCb2d1cyBQcml2YWN5IE1hcmswgYQGCWCGSAFlAgENFjF3MHUwMAYKYIZIAWUC
+AQJOAjAiMCAGCyqGSIb3DQEJEAwLMREMD2t0YS5leGFtcGxlLmNvbTAxBgsqhkiG
+9w0BCRABGTAiMCAGCyqGSIb3DQEJEAwLMREMD2t0YS5leGFtcGxlLmNvbTAOBgkq
+hkiG9w0BBwEKAQEwgaAGCWCGSAFlAgENEDGBkjCBj6EMBgorBgEEAYGsYDAwoH8G
+CWCGSAFlAgEQAARyMHAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJWQTEQMA4GA1UE
+BxMHSGVybmRvbjEQMA4GA1UEChMHRXhhbXBsZTEOMAwGA1UEAxMFQWxpY2UxIDAe
+BgkqhkiG9w0BCQEWEWFsaWNlQGV4YW1wbGUuY29tMIIBvwYJYIZIAWUCAQVBMYIB
+sDCCAawEFO1lDTbJmd4voc2GDuaMzYO+XJSmMIIBkqCB/jB/BglghkgBZQIBEAAE
+cjBwMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24x
+EDAOBgNVBAoTB0V4YW1wbGUxDjAMBgNVBAMTBUFsaWNlMSAwHgYJKoZIhvcNAQkB
+FhFhbGljZUBleGFtcGxlLmNvbTB7BglghkgBZQIBEAAEbjBsMQswCQYDVQQGEwJV
+UzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24xEDAOBgNVBAoTB0V4YW1w
+bGUxDDAKBgNVBAMTA0JvYjEeMBwGCSqGSIb3DQEJARYPYm9iQGV4YW1wbGUuY29t
+MIGOMIGLBglghkgBZQIBEAAEfjB8MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkEx
+EDAOBgNVBAcTB0hlcm5kb24xGzAZBgNVBAoTElZpZ2lsIFNlY3VyaXR5IExMQzEX
+MBUGA1UECxMOS2V5IE1hbmFnZW1lbnQxGDAWBgNVBAMTD2t0YS5leGFtcGxlLmNv
+bTCCAoUGA1UEJDGCAnwwggJ4MIIB/qADAgECAgkApbNUKBuwbjswCgYIKoZIzj0E
+AwMwPzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlZBMRAwDgYDVQQHDAdIZXJuZG9u
+MREwDwYDVQQKDAhCb2d1cyBDQTAeFw0xOTA1MjkxNDQ1NDFaFw0yMDA1MjgxNDQ1
+NDFaMHAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJWQTEQMA4GA1UEBxMHSGVybmRv
+bjEQMA4GA1UEChMHRXhhbXBsZTEOMAwGA1UEAxMFQWxpY2UxIDAeBgkqhkiG9w0B
+CQEWEWFsaWNlQGV4YW1wbGUuY29tMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE+M2f
+By/sRA6V1pKFqecRTE8+LuAHtZxes1wmJZrBBg+bz7uYZfYQxI3dVB0YCSD6Mt3y
+XFlnmfBRwoqyArbjIBYrDbHBv2k8Csg2DhQ7qs/wto8hMKoFgkcscqIbiV7Zo4GU
+MIGRMAsGA1UdDwQEAwIHgDBCBglghkgBhvhCAQ0ENRYzVGhpcyBjZXJ0aWZpY2F0
+ZSBjYW5ub3QgYmUgdHJ1c3RlZCBmb3IgYW55IHB1cnBvc2UuMB0GA1UdDgQWBBTE
+uloOPnrjPIGw9AKqaLsW4JYONTAfBgNVHSMEGDAWgBTyNds0BNqlVfK9aQOZsGLs
+4hUIwTAKBggqhkjOPQQDAwNoADBlAjBjuR/RNbgL3kRhmn+PJTeKaL9sh/oQgHOY
+TgLmSnv3+NDCkhfKuMNoo/tHrkmihYgCMQC94MaerDIrQpi0IDh+v0QSAv9rMife
+8tClafXWtDwwL8MS7oAh0ymT446Uizxx3PUwggSaBgNVBEYxggSRMIIEjTCCAgIw
+ggGIoAMCAQICCQDokdYGkU/O8jAKBggqhkjOPQQDAzA/MQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCVkExEDAOBgNVBAcMB0hlcm5kb24xETAPBgNVBAoMCEJvZ3VzIENB
+MB4XDTE5MDUxNDA4NTgxMVoXDTIxMDUxMzA4NTgxMVowPzELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAlZBMRAwDgYDVQQHDAdIZXJuZG9uMREwDwYDVQQKDAhCb2d1cyBD
+QTB2MBAGByqGSM49AgEGBSuBBAAiA2IABPBRdlSx6I5qpZ2sKUMIxun1gUAzzstO
+YWKvKCnMoNT1x+pIKDvMEMimFcLAxxL3NVYOhK0Jty83SPDkKWMdx9/Okdhf3U/z
+xJlEnXDiFrAeM6xbG8zcCRiBnmd92UvsRqNQME4wHQYDVR0OBBYEFPI12zQE2qVV
+8r1pA5mwYuziFQjBMB8GA1UdIwQYMBaAFPI12zQE2qVV8r1pA5mwYuziFQjBMAwG
+A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwMDaAAwZQIwWlGNjb9NyqJSzUSdsEqDSvMZ
+b8yFkxYCIbAVqQ9UqScUUb9tpJKGsPWwbZsnLVvmAjEAt/ypozbUhQw4dSPpWzrn
+5BQ0kKbDM3DQJcBABEUBoIOol1/jYQPmxajQuxcheFlkMIICgzCCAgqgAwIBAgIJ
+AKWzVCgbsG49MAoGCCqGSM49BAMDMD8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJW
+QTEQMA4GA1UEBwwHSGVybmRvbjERMA8GA1UECgwIQm9ndXMgQ0EwHhcNMTkwNjEy
+MTQzMTA0WhcNMjAwNjExMTQzMTA0WjB8MQswCQYDVQQGEwJVUzELMAkGA1UECBMC
+VkExEDAOBgNVBAcTB0hlcm5kb24xGzAZBgNVBAoTElZpZ2lsIFNlY3VyaXR5IExM
+QzEXMBUGA1UECxMOS2V5IE1hbmFnZW1lbnQxGDAWBgNVBAMTD2t0YS5leGFtcGxl
+LmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABJf2XsTdVLcYASKJGtWjOAIFB8sX
+rsiE7G1tC+IP+iOEdJCZ+UvJ9Enx7v6dtaU4uy1FzuWCar45BVpKVK2TNWT8E7XA
+TkGBTIXGN76yJ5S09FdWp+hVkIkmyCJJujXzV6OBlDCBkTALBgNVHQ8EBAMCB4Aw
+QgYJYIZIAYb4QgENBDUWM1RoaXMgY2VydGlmaWNhdGUgY2Fubm90IGJlIHRydXN0
+ZWQgZm9yIGFueSBwdXJwb3NlLjAdBgNVHQ4EFgQUbZtc/QOvtbnVi/FknxpW4LWt
+TQ8wHwYDVR0jBBgwFoAU8jXbNATapVXyvWkDmbBi7OIVCMEwCgYIKoZIzj0EAwMD
+ZwAwZAIwBniWpO11toMsV8fLBpBjA5YGQvd3TAcSw1lNbWpArL+hje1dzQ7pxsln
+kklv3CTxAjBuVebz4mN0Qkew2NK/itwlmi7i+QxPs/MSZ7YFsyTA5Z4h2GbLW+zN
+3xNCC91vfpcwggSgBglghkgBZQIBDRQxggSRMYIEjTCCAgIwggGIoAMCAQICCQDo
+kdYGkU/O8jAKBggqhkjOPQQDAzA/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCVkEx
+EDAOBgNVBAcMB0hlcm5kb24xETAPBgNVBAoMCEJvZ3VzIENBMB4XDTE5MDUxNDA4
+NTgxMVoXDTIxMDUxMzA4NTgxMVowPzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlZB
+MRAwDgYDVQQHDAdIZXJuZG9uMREwDwYDVQQKDAhCb2d1cyBDQTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABPBRdlSx6I5qpZ2sKUMIxun1gUAzzstOYWKvKCnMoNT1x+pI
+KDvMEMimFcLAxxL3NVYOhK0Jty83SPDkKWMdx9/Okdhf3U/zxJlEnXDiFrAeM6xb
+G8zcCRiBnmd92UvsRqNQME4wHQYDVR0OBBYEFPI12zQE2qVV8r1pA5mwYuziFQjB
+MB8GA1UdIwQYMBaAFPI12zQE2qVV8r1pA5mwYuziFQjBMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwMDaAAwZQIwWlGNjb9NyqJSzUSdsEqDSvMZb8yFkxYCIbAVqQ9U
+qScUUb9tpJKGsPWwbZsnLVvmAjEAt/ypozbUhQw4dSPpWzrn5BQ0kKbDM3DQJcBA
+BEUBoIOol1/jYQPmxajQuxcheFlkMIICgzCCAgqgAwIBAgIJAKWzVCgbsG49MAoG
+CCqGSM49BAMDMD8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UEBwwH
+SGVybmRvbjERMA8GA1UECgwIQm9ndXMgQ0EwHhcNMTkwNjEyMTQzMTA0WhcNMjAw
+NjExMTQzMTA0WjB8MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkExEDAOBgNVBAcT
+B0hlcm5kb24xGzAZBgNVBAoTElZpZ2lsIFNlY3VyaXR5IExMQzEXMBUGA1UECxMO
+S2V5IE1hbmFnZW1lbnQxGDAWBgNVBAMTD2t0YS5leGFtcGxlLmNvbTB2MBAGByqG
+SM49AgEGBSuBBAAiA2IABJf2XsTdVLcYASKJGtWjOAIFB8sXrsiE7G1tC+IP+iOE
+dJCZ+UvJ9Enx7v6dtaU4uy1FzuWCar45BVpKVK2TNWT8E7XATkGBTIXGN76yJ5S0
+9FdWp+hVkIkmyCJJujXzV6OBlDCBkTALBgNVHQ8EBAMCB4AwQgYJYIZIAYb4QgEN
+BDUWM1RoaXMgY2VydGlmaWNhdGUgY2Fubm90IGJlIHRydXN0ZWQgZm9yIGFueSBw
+dXJwb3NlLjAdBgNVHQ4EFgQUbZtc/QOvtbnVi/FknxpW4LWtTQ8wHwYDVR0jBBgw
+FoAU8jXbNATapVXyvWkDmbBi7OIVCMEwCgYIKoZIzj0EAwMDZwAwZAIwBniWpO11
+toMsV8fLBpBjA5YGQvd3TAcSw1lNbWpArL+hje1dzQ7pxslnkklv3CTxAjBuVebz
+4mN0Qkew2NK/itwlmi7i+QxPs/MSZ7YFsyTA5Z4h2GbLW+zN3xNCC91vfpc=
+"""
+
+    def setUp(self):
+        self.asn1Spec = rfc2985.AttributeSet()
+
+    def testDerCodec(self):
+        substrate = pem.readBase64fromText(self.attr_set_pem_text)
+        asn1Object, rest = der_decode (substrate, asn1Spec=self.asn1Spec)
+        assert not rest
+        assert asn1Object.prettyPrint()
+        assert der_encode(asn1Object) == substrate
+
+        for attr in asn1Object:
+            assert attr['type'] in rfc5652.cmsAttributesMap.keys()
+            av, rest = der_decode(attr['values'][0],
+                asn1Spec=rfc5652.cmsAttributesMap[attr['type']])
+            assert not rest
+            assert av.prettyPrint()
+            assert der_encode(av) == attr['values'][0]
+
+            if attr['type'] == rfc7906.id_aa_KP_contentDecryptKeyID:
+                assert av == univ.OctetString(hexValue='7906')
+
+    def testOpenTypes(self):
+        substrate = pem.readBase64fromText(self.attr_set_pem_text)
+        rfc5280.certificateAttributesMap.update(rfc5652.cmsAttributesMap)
+        asn1Object, rest = der_decode (substrate,
+            asn1Spec=self.asn1Spec, decodeOpenTypes=True)
+        assert not rest
+        assert asn1Object.prettyPrint()
+        assert der_encode(asn1Object) == substrate
+
+        for attr in asn1Object:
+            if attr['type'] == rfc7906.id_aa_KP_contentDecryptKeyID:
+                assert attr['values'][0] == univ.OctetString(hexValue='7906')
+
+
+suite = unittest.TestLoader().loadTestsFromModule(sys.modules[__name__])
+
+if __name__ == '__main__':
+    import sys
+
+    result = unittest.TextTestRunner(verbosity=2).run(suite)
+    sys.exit(not result.wasSuccessful())
author	Russ Housley <housley@vigilsec.com>	2019-09-03 03:06:48 -0400
committer	Ilya Etingof <etingof@gmail.com>	2019-09-03 09:06:48 +0200
commit	674015081b7a2d157a832f1ba6a0f7400b859dc4 (patch)
tree	d589e75ba8e299b99c951cd0b2fe4f5ee6be061f
parent	3f4a9e498ccd2c2998adbf2c9e7ddda87e87d7aa (diff)
download	pyasn1-modules-674015081b7a2d157a832f1ba6a0f7400b859dc4.tar.gz