Add support for RFC 3125 and RFC 5126 (#107)

author: Russ Housley <housley@vigilsec.com> 2019-11-18 00:40:42 -0500
committer: Ilya Etingof <etingof@gmail.com> 2019-11-18 06:40:42 +0100
commit: a7361736347118128c359182fbea22f863f50da2 (patch)
tree: 613df55eb8b84fe921f00a99e20360d69cf9ccdc
parent: 238ef5e74c1cb3181e0c9345378111cf5354d3a0 (diff)
download: pyasn1-modules-a7361736347118128c359182fbea22f863f50da2.tar.gz
6 files changed, 1261 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index e25af18..f278ad0 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -46,6 +46,8 @@ Revision 0.2.8, released 16-11-2019
 - Update RFC3770 to support openType for attributes and reported errata
 - Add RFC4334 providing Certificate Extensions and Attributes for
   Authentication in PPP and Wireless LAN Networks
+- Add RFC3125 providing Electronic Signature Policies
+- Add RFC5126 providing CMS Advanced Electronic Signatures (CAdES)
 
 Revision 0.2.7, released 09-10-2019
 -----------------------------------
diff --git a/pyasn1_modules/rfc3125.py b/pyasn1_modules/rfc3125.py
new file mode 100644
index 0000000..00ff9bf
--- /dev/null
+++ b/pyasn1_modules/rfc3125.py
@@ -0,0 +1,469 @@
+#
+# This file is part of pyasn1-modules software.
+#
+# Created by Russ Housley with assistance from asn1ate v.0.6.0.
+#
+# Copyright (c) 2019, Vigil Security, LLC
+# License: http://snmplabs.com/pyasn1/license.html
+#
+# Electronic Signature Policies
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc3125.txt
+# https://www.rfc-editor.org/errata/eid5901
+# https://www.rfc-editor.org/errata/eid5902
+#
+
+from pyasn1.type import constraint
+from pyasn1.type import namedtype
+from pyasn1.type import namedval
+from pyasn1.type import tag
+from pyasn1.type import useful
+from pyasn1.type import univ
+
+from pyasn1_modules import rfc5280
+
+MAX = float('inf')
+
+
+# Imports from RFC 5280
+
+AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
+
+Attribute = rfc5280.Attribute
+
+AttributeType = rfc5280.AttributeType
+
+AttributeTypeAndValue = rfc5280.AttributeTypeAndValue
+
+AttributeValue = rfc5280.AttributeValue
+
+Certificate = rfc5280.Certificate
+
+CertificateList = rfc5280.CertificateList
+
+DirectoryString = rfc5280.DirectoryString
+
+GeneralName = rfc5280.GeneralName
+
+GeneralNames = rfc5280.GeneralNames
+
+Name = rfc5280.Name
+
+PolicyInformation = rfc5280.PolicyInformation
+
+
+# Electronic Signature Policies
+
+class CertPolicyId(univ.ObjectIdentifier):
+    pass
+
+
+class AcceptablePolicySet(univ.SequenceOf):
+    componentType = CertPolicyId()
+
+
+class SignPolExtn(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('extnID', univ.ObjectIdentifier()),
+        namedtype.NamedType('extnValue', univ.OctetString())
+    )
+
+
+class SignPolExtensions(univ.SequenceOf):
+    componentType = SignPolExtn()
+
+
+class AlgAndLength(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('algID', univ.ObjectIdentifier()),
+        namedtype.OptionalNamedType('minKeyLength', univ.Integer()),
+        namedtype.OptionalNamedType('other', SignPolExtensions())
+    )
+
+
+class AlgorithmConstraints(univ.SequenceOf):
+    componentType = AlgAndLength()
+
+
+class AlgorithmConstraintSet(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('signerAlgorithmConstraints',
+            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('eeCertAlgorithmConstraints',
+            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1))),
+        namedtype.OptionalNamedType('caCertAlgorithmConstraints',
+            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 2))),
+        namedtype.OptionalNamedType('aaCertAlgorithmConstraints',
+            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 3))),
+        namedtype.OptionalNamedType('tsaCertAlgorithmConstraints',
+            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 4)))
+    )
+
+
+class AttributeValueConstraints(univ.SequenceOf):
+    componentType = AttributeTypeAndValue()
+
+
+class AttributeTypeConstraints(univ.SequenceOf):
+    componentType = AttributeType()
+
+
+class AttributeConstraints(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('attributeTypeConstarints',
+            AttributeTypeConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('attributeValueConstarints',
+            AttributeValueConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1)))
+    )
+
+
+class HowCertAttribute(univ.Enumerated):
+    namedValues = namedval.NamedValues(
+        ('claimedAttribute', 0),
+        ('certifiedAttribtes', 1),
+        ('either', 2)
+    )
+
+
+class SkipCerts(univ.Integer):
+    subtypeSpec = constraint.ValueRangeConstraint(0, MAX)
+
+
+class PolicyConstraints(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('requireExplicitPolicy',
+            SkipCerts().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('inhibitPolicyMapping',
+            SkipCerts().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1)))
+    )
+
+
+class BaseDistance(univ.Integer):
+    subtypeSpec = constraint.ValueRangeConstraint(0, MAX)
+
+
+class GeneralSubtree(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('base', GeneralName()),
+        namedtype.DefaultedNamedType('minimum',
+            BaseDistance().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0)).subtype(
+                    value=0)),
+        namedtype.OptionalNamedType('maximum',
+            BaseDistance().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1)))
+    )
+
+
+class GeneralSubtrees(univ.SequenceOf):
+    componentType = GeneralSubtree()
+    subtypeSpec = constraint.ValueSizeConstraint(1, MAX)
+
+
+class NameConstraints(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('permittedSubtrees',
+            GeneralSubtrees().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('excludedSubtrees',
+            GeneralSubtrees().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1)))
+    )
+
+
+class PathLenConstraint(univ.Integer):
+    subtypeSpec = constraint.ValueRangeConstraint(0, MAX)
+
+
+class CertificateTrustPoint(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('trustpoint', Certificate()),
+        namedtype.OptionalNamedType('pathLenConstraint',
+            PathLenConstraint().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('acceptablePolicySet',
+            AcceptablePolicySet().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1))),
+        namedtype.OptionalNamedType('nameConstraints',
+            NameConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 2))),
+        namedtype.OptionalNamedType('policyConstraints',
+            PolicyConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 3)))
+    )
+
+
+class CertificateTrustTrees(univ.SequenceOf):
+    componentType = CertificateTrustPoint()
+
+
+class EnuRevReq(univ.Enumerated):
+    namedValues = namedval.NamedValues(
+        ('clrCheck', 0),
+        ('ocspCheck', 1),
+        ('bothCheck', 2),
+        ('eitherCheck', 3),
+        ('noCheck', 4),
+        ('other', 5)
+    )
+
+
+class RevReq(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('enuRevReq', EnuRevReq()),
+        namedtype.OptionalNamedType('exRevReq', SignPolExtensions())
+    )
+
+
+class CertRevReq(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('endCertRevReq', RevReq()),
+        namedtype.NamedType('caCerts',
+            RevReq().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 0)))
+    )
+
+
+class AttributeTrustCondition(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('attributeMandated', univ.Boolean()),
+        namedtype.NamedType('howCertAttribute', HowCertAttribute()),
+        namedtype.OptionalNamedType('attrCertificateTrustTrees',
+            CertificateTrustTrees().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('attrRevReq',
+            CertRevReq().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 1))),
+        namedtype.OptionalNamedType('attributeConstraints',
+            AttributeConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 2)))
+    )
+
+
+class CMSAttrs(univ.SequenceOf):
+    componentType = univ.ObjectIdentifier()
+
+
+class CertInfoReq(univ.Enumerated):
+    namedValues = namedval.NamedValues(
+        ('none', 0),
+        ('signerOnly', 1),
+        ('fullPath', 2)
+    )
+
+
+class CertRefReq(univ.Enumerated):
+    namedValues = namedval.NamedValues(
+        ('signerOnly', 1),
+        ('fullPath', 2)
+    )
+
+
+class DeltaTime(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('deltaSeconds', univ.Integer()),
+        namedtype.NamedType('deltaMinutes', univ.Integer()),
+        namedtype.NamedType('deltaHours', univ.Integer()),
+        namedtype.NamedType('deltaDays', univ.Integer())
+    )
+
+
+class TimestampTrustCondition(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('ttsCertificateTrustTrees',
+            CertificateTrustTrees().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('ttsRevReq',
+            CertRevReq().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 1))),
+        namedtype.OptionalNamedType('ttsNameConstraints',
+            NameConstraints().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 2))),
+        namedtype.OptionalNamedType('cautionPeriod',
+            DeltaTime().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 3))),
+        namedtype.OptionalNamedType('signatureTimestampDelay',
+            DeltaTime().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 4)))
+    )
+
+
+class SignerRules(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('externalSignedData', univ.Boolean()),
+        namedtype.NamedType('mandatedSignedAttr', CMSAttrs()),
+        namedtype.NamedType('mandatedUnsignedAttr', CMSAttrs()),
+        namedtype.DefaultedNamedType('mandatedCertificateRef',
+            CertRefReq().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0)).subtype(
+                    value='signerOnly')),
+        namedtype.DefaultedNamedType('mandatedCertificateInfo',
+            CertInfoReq().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1)).subtype(
+                    value='none')),
+        namedtype.OptionalNamedType('signPolExtensions',
+            SignPolExtensions().subtype(explicitTag=tag.Tag(
+                 tag.tagClassContext, tag.tagFormatSimple, 2)))
+    )
+
+
+class MandatedUnsignedAttr(CMSAttrs):
+    pass
+
+
+class VerifierRules(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('mandatedUnsignedAttr', MandatedUnsignedAttr()),
+        namedtype.OptionalNamedType('signPolExtensions', SignPolExtensions())
+    )
+
+
+class SignerAndVerifierRules(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('signerRules', SignerRules()),
+        namedtype.NamedType('verifierRules', VerifierRules())
+    )
+
+
+class SigningCertTrustCondition(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('signerTrustTrees', CertificateTrustTrees()),
+        namedtype.NamedType('signerRevReq', CertRevReq())
+    )
+
+
+class CommitmentTypeIdentifier(univ.ObjectIdentifier):
+    pass
+
+
+class FieldOfApplication(DirectoryString):
+    pass
+
+
+class CommitmentType(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('identifier', CommitmentTypeIdentifier()),
+        namedtype.OptionalNamedType('fieldOfApplication',
+            FieldOfApplication().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('semantics',
+            DirectoryString().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1)))
+    )
+
+
+class SelectedCommitmentTypes(univ.SequenceOf):
+    componentType = univ.Choice(componentType=namedtype.NamedTypes(
+        namedtype.NamedType('empty', univ.Null()),
+        namedtype.NamedType('recognizedCommitmentType', CommitmentType())
+    ))
+
+
+class CommitmentRule(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('selCommitmentTypes', SelectedCommitmentTypes()),
+        namedtype.OptionalNamedType('signerAndVeriferRules',
+            SignerAndVerifierRules().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 0))),
+        namedtype.OptionalNamedType('signingCertTrustCondition',
+            SigningCertTrustCondition().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 1))),
+        namedtype.OptionalNamedType('timeStampTrustCondition',
+            TimestampTrustCondition().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 2))),
+        namedtype.OptionalNamedType('attributeTrustCondition',
+            AttributeTrustCondition().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 3))),
+        namedtype.OptionalNamedType('algorithmConstraintSet',
+            AlgorithmConstraintSet().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 4))),
+        namedtype.OptionalNamedType('signPolExtensions',
+            SignPolExtensions().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 5)))
+    )
+
+
+class CommitmentRules(univ.SequenceOf):
+    componentType = CommitmentRule()
+
+
+class CommonRules(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('signerAndVeriferRules',
+            SignerAndVerifierRules().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 0))),
+        namedtype.OptionalNamedType('signingCertTrustCondition',
+            SigningCertTrustCondition().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 1))),
+        namedtype.OptionalNamedType('timeStampTrustCondition',
+            TimestampTrustCondition().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 2))),
+        namedtype.OptionalNamedType('attributeTrustCondition',
+            AttributeTrustCondition().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 3))),
+        namedtype.OptionalNamedType('algorithmConstraintSet',
+            AlgorithmConstraintSet().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 4))),
+        namedtype.OptionalNamedType('signPolExtensions',
+            SignPolExtensions().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 5)))
+    )
+
+
+class PolicyIssuerName(GeneralNames):
+    pass
+
+
+class SignPolicyHash(univ.OctetString):
+    pass
+
+
+class SignPolicyId(univ.ObjectIdentifier):
+    pass
+
+
+class SigningPeriod(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('notBefore', useful.GeneralizedTime()),
+        namedtype.OptionalNamedType('notAfter', useful.GeneralizedTime())
+    )
+
+
+class SignatureValidationPolicy(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('signingPeriod', SigningPeriod()),
+        namedtype.NamedType('commonRules', CommonRules()),
+        namedtype.NamedType('commitmentRules', CommitmentRules()),
+        namedtype.OptionalNamedType('signPolExtensions', SignPolExtensions())
+    )
+
+
+class SignPolicyInfo(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('signPolicyIdentifier', SignPolicyId()),
+        namedtype.NamedType('dateOfIssue', useful.GeneralizedTime()),
+        namedtype.NamedType('policyIssuerName', PolicyIssuerName()),
+        namedtype.NamedType('fieldOfApplication', FieldOfApplication()),
+        namedtype.NamedType('signatureValidationPolicy', SignatureValidationPolicy()),
+        namedtype.OptionalNamedType('signPolExtensions', SignPolExtensions())
+    )
+
+
+class SignaturePolicy(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('signPolicyHashAlg', AlgorithmIdentifier()),
+        namedtype.NamedType('signPolicyInfo', SignPolicyInfo()),
+        namedtype.OptionalNamedType('signPolicyHash', SignPolicyHash())
+    )
+
+
diff --git a/pyasn1_modules/rfc5126.py b/pyasn1_modules/rfc5126.py
new file mode 100644
index 0000000..8e016c2
--- /dev/null
+++ b/pyasn1_modules/rfc5126.py
@@ -0,0 +1,577 @@
+#
+# This file is part of pyasn1-modules software.
+#
+# Created by Russ Housley with assistance from asn1ate v.0.6.0.
+#
+# Copyright (c) 2019, Vigil Security, LLC
+# License: http://snmplabs.com/pyasn1/license.html
+#
+# CMS Advanced Electronic Signatures (CAdES)
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc5126.txt
+#
+
+from pyasn1.type import char
+from pyasn1.type import constraint
+from pyasn1.type import namedtype
+from pyasn1.type import opentype
+from pyasn1.type import tag
+from pyasn1.type import useful
+from pyasn1.type import univ
+
+from pyasn1_modules import rfc5280
+from pyasn1_modules import rfc5652
+from pyasn1_modules import rfc5035
+from pyasn1_modules import rfc5755
+from pyasn1_modules import rfc6960
+from pyasn1_modules import rfc3161
+
+MAX = float('inf')
+
+
+# Maps for OpenTypes
+
+commitmentQualifierMap = { }
+
+sigQualifiersMap = { }
+
+otherRevRefMap = { }
+
+otherRevValMap = { }
+
+
+# Imports from RFC 5652
+
+ContentInfo = rfc5652.ContentInfo
+
+ContentType = rfc5652.ContentType
+
+SignedData = rfc5652.SignedData
+
+EncapsulatedContentInfo = rfc5652.EncapsulatedContentInfo
+
+SignerInfo = rfc5652.SignerInfo
+
+MessageDigest = rfc5652.MessageDigest
+
+SigningTime = rfc5652.SigningTime
+
+Countersignature = rfc5652.Countersignature
+
+id_data = rfc5652.id_data
+
+id_signedData = rfc5652.id_signedData
+
+id_contentType= rfc5652.id_contentType
+
+id_messageDigest = rfc5652.id_messageDigest
+
+id_signingTime = rfc5652.id_signingTime
+
+id_countersignature = rfc5652.id_countersignature
+
+
+# Imports from RFC 5035
+
+SigningCertificate = rfc5035.SigningCertificate
+
+IssuerSerial = rfc5035.IssuerSerial
+
+ContentReference = rfc5035.ContentReference
+
+ContentIdentifier = rfc5035.ContentIdentifier
+
+id_aa_contentReference = rfc5035.id_aa_contentReference
+
+id_aa_contentIdentifier = rfc5035.id_aa_contentIdentifier
+    
+id_aa_signingCertificate = rfc5035.id_aa_signingCertificate
+
+id_aa_signingCertificateV2 = rfc5035.id_aa_signingCertificateV2
+
+
+# Imports from RFC 5280
+
+Certificate = rfc5280.Certificate
+
+AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
+
+CertificateList = rfc5280.CertificateList
+
+Name = rfc5280.Name
+
+Attribute = rfc5280.Attribute
+
+GeneralNames = rfc5280.GeneralNames
+
+GeneralName = rfc5280.GeneralName
+
+PolicyInformation = rfc5280.PolicyInformation
+
+DirectoryString = rfc5280.DirectoryString
+
+
+# Imports from RFC 5755
+
+AttributeCertificate = rfc5755.AttributeCertificate
+
+
+# Imports from RFC 6960
+
+BasicOCSPResponse = rfc6960.BasicOCSPResponse
+
+ResponderID = rfc6960.ResponderID
+
+
+# Imports from RFC 3161
+
+TimeStampToken = rfc3161.TimeStampToken
+
+
+# OID used referencing electronic signature mechanisms
+
+id_etsi_es_IDUP_Mechanism_v1 = univ.ObjectIdentifier('0.4.0.1733.1.4.1')
+
+
+# OtherSigningCertificate - deprecated
+
+id_aa_ets_otherSigCert = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.19')
+
+
+class OtherHashValue(univ.OctetString):
+    pass
+
+
+class OtherHashAlgAndValue(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('hashAlgorithm', AlgorithmIdentifier()),
+        namedtype.NamedType('hashValue', OtherHashValue())
+    )
+
+
+class OtherHash(univ.Choice):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('sha1Hash', OtherHashValue()),
+        namedtype.NamedType('otherHash', OtherHashAlgAndValue())
+    )
+
+
+class OtherCertID(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('otherCertHash', OtherHash()),
+        namedtype.OptionalNamedType('issuerSerial', IssuerSerial())
+    )
+
+
+class OtherSigningCertificate(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('certs',
+            univ.SequenceOf(componentType=OtherCertID())),
+        namedtype.OptionalNamedType('policies',
+            univ.SequenceOf(componentType=PolicyInformation()))
+    )
+
+
+# Signature Policy Identifier
+
+id_aa_ets_sigPolicyId = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.15')
+
+
+class SigPolicyId(univ.ObjectIdentifier):
+    pass
+
+
+class SigPolicyHash(OtherHashAlgAndValue):
+    pass
+
+
+class SigPolicyQualifierId(univ.ObjectIdentifier):
+    pass
+
+
+class SigPolicyQualifierInfo(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('sigPolicyQualifierId', SigPolicyQualifierId()),
+        namedtype.NamedType('sigQualifier', univ.Any(),
+            openType=opentype.OpenType('sigPolicyQualifierId', sigQualifiersMap))
+    )
+
+
+class SignaturePolicyId(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('sigPolicyId', SigPolicyId()),
+        namedtype.NamedType('sigPolicyHash', SigPolicyHash()),
+        namedtype.OptionalNamedType('sigPolicyQualifiers',
+            univ.SequenceOf(componentType=SigPolicyQualifierInfo()).subtype(
+                subtypeSpec=constraint.ValueSizeConstraint(1, MAX)))
+    )
+
+
+class SignaturePolicyImplied(univ.Null):
+    pass
+
+
+class SignaturePolicy(univ.Choice):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('signaturePolicyId', SignaturePolicyId()),
+        namedtype.NamedType('signaturePolicyImplied', SignaturePolicyImplied())
+    )
+
+
+id_spq_ets_unotice = univ.ObjectIdentifier('1.2.840.113549.1.9.16.5.2')
+
+
+class DisplayText(univ.Choice):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('visibleString', char.VisibleString().subtype(
+            subtypeSpec=constraint.ValueSizeConstraint(1, 200))),
+        namedtype.NamedType('bmpString', char.BMPString().subtype(
+            subtypeSpec=constraint.ValueSizeConstraint(1, 200))),
+        namedtype.NamedType('utf8String', char.UTF8String().subtype(
+            subtypeSpec=constraint.ValueSizeConstraint(1, 200)))
+    )
+
+
+class NoticeReference(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('organization', DisplayText()),
+        namedtype.NamedType('noticeNumbers',
+            univ.SequenceOf(componentType=univ.Integer()))
+    )
+
+class SPUserNotice(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('noticeRef', NoticeReference()),
+        namedtype.OptionalNamedType('explicitText', DisplayText())
+    )
+
+
+noticeToUser = SigPolicyQualifierInfo()
+noticeToUser['sigPolicyQualifierId'] = id_spq_ets_unotice
+noticeToUser['sigQualifier'] = SPUserNotice()
+
+
+id_spq_ets_uri = univ.ObjectIdentifier('1.2.840.113549.1.9.16.5.1')
+
+
+class SPuri(char.IA5String):
+    pass
+
+
+pointerToSigPolSpec = SigPolicyQualifierInfo()
+pointerToSigPolSpec['sigPolicyQualifierId'] = id_spq_ets_uri
+pointerToSigPolSpec['sigQualifier'] = SPuri()
+
+
+# Commitment Type
+
+id_aa_ets_commitmentType = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.16')
+
+
+class CommitmentTypeIdentifier(univ.ObjectIdentifier):
+    pass
+
+
+class CommitmentTypeQualifier(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('commitmentTypeIdentifier',
+             CommitmentTypeIdentifier()),
+        namedtype.NamedType('qualifier', univ.Any(),
+            openType=opentype.OpenType('commitmentTypeIdentifier',
+                 commitmentQualifierMap))
+    )
+
+
+class CommitmentTypeIndication(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('commitmentTypeId', CommitmentTypeIdentifier()),
+        namedtype.OptionalNamedType('commitmentTypeQualifier',
+            univ.SequenceOf(componentType=CommitmentTypeQualifier()).subtype(
+                subtypeSpec=constraint.ValueSizeConstraint(1, MAX)))
+    )
+
+
+id_cti_ets_proofOfOrigin = univ.ObjectIdentifier('1.2.840.113549.1.9.16.6.1')
+
+id_cti_ets_proofOfReceipt = univ.ObjectIdentifier('1.2.840.113549.1.9.16.6.2')
+
+id_cti_ets_proofOfDelivery = univ.ObjectIdentifier('1.2.840.113549.1.9.16.6.3')
+
+id_cti_ets_proofOfSender = univ.ObjectIdentifier('1.2.840.113549.1.9.16.6.4')
+
+id_cti_ets_proofOfApproval = univ.ObjectIdentifier('1.2.840.113549.1.9.16.6.5')
+
+id_cti_ets_proofOfCreation = univ.ObjectIdentifier('1.2.840.113549.1.9.16.6.6')
+
+
+# Signer Location
+
+id_aa_ets_signerLocation = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.17')
+
+
+class PostalAddress(univ.SequenceOf):
+    componentType = DirectoryString()
+    subtypeSpec = constraint.ValueSizeConstraint(1, 6)
+
+
+class SignerLocation(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('countryName',
+            DirectoryString().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('localityName',
+            DirectoryString().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1))),
+        namedtype.OptionalNamedType('postalAdddress',
+            PostalAddress().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 2)))
+    )
+
+
+# Signature Timestamp
+
+id_aa_signatureTimeStampToken = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.14')
+
+
+class SignatureTimeStampToken(TimeStampToken):
+    pass
+
+
+# Content Timestamp
+
+id_aa_ets_contentTimestamp = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.20')
+
+
+class ContentTimestamp(TimeStampToken):
+    pass
+
+
+# Signer Attributes
+
+id_aa_ets_signerAttr = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.18')
+
+
+class ClaimedAttributes(univ.SequenceOf):
+    componentType = Attribute()
+
+
+class CertifiedAttributes(AttributeCertificate):
+    pass
+
+
+class SignerAttribute(univ.SequenceOf):
+    componentType = univ.Choice(componentType=namedtype.NamedTypes(
+        namedtype.NamedType('claimedAttributes',
+            ClaimedAttributes().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.NamedType('certifiedAttributes',
+            CertifiedAttributes().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 1)))
+    ))
+
+
+# Complete Certificate Refs
+
+id_aa_ets_certificateRefs = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.21')
+
+
+class CompleteCertificateRefs(univ.SequenceOf):
+    componentType = OtherCertID()
+
+
+# Complete Revocation Refs
+
+id_aa_ets_revocationRefs = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.22')
+
+
+class CrlIdentifier(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('crlissuer', Name()),
+        namedtype.NamedType('crlIssuedTime', useful.UTCTime()),
+        namedtype.OptionalNamedType('crlNumber', univ.Integer())
+    )
+
+
+class CrlValidatedID(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('crlHash', OtherHash()),
+        namedtype.OptionalNamedType('crlIdentifier', CrlIdentifier())
+    )
+
+
+class CRLListID(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('crls',
+            univ.SequenceOf(componentType=CrlValidatedID()))
+    )
+
+
+class OcspIdentifier(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('ocspResponderID', ResponderID()),
+        namedtype.NamedType('producedAt', useful.GeneralizedTime())
+    )
+
+
+class OcspResponsesID(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('ocspIdentifier', OcspIdentifier()),
+        namedtype.OptionalNamedType('ocspRepHash', OtherHash())
+    )
+
+
+class OcspListID(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('ocspResponses',
+            univ.SequenceOf(componentType=OcspResponsesID()))
+    )
+
+
+class OtherRevRefType(univ.ObjectIdentifier):
+    pass
+
+
+class OtherRevRefs(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('otherRevRefType', OtherRevRefType()),
+        namedtype.NamedType('otherRevRefs', univ.Any(),
+            openType=opentype.OpenType('otherRevRefType', otherRevRefMap))
+    )
+
+
+class CrlOcspRef(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('crlids',
+            CRLListID().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 0))),
+        namedtype.OptionalNamedType('ocspids',
+            OcspListID().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 1))),
+        namedtype.OptionalNamedType('otherRev',
+            OtherRevRefs().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 2)))
+    )
+
+
+class CompleteRevocationRefs(univ.SequenceOf):
+    componentType = CrlOcspRef()
+
+
+# Certificate Values
+
+id_aa_ets_certValues = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.23')
+
+
+class CertificateValues(univ.SequenceOf):
+    componentType = Certificate()
+
+
+# Certificate Revocation Values
+
+id_aa_ets_revocationValues = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.24')
+
+
+class OtherRevValType(univ.ObjectIdentifier):
+    pass
+
+
+class OtherRevVals(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('otherRevValType', OtherRevValType()),
+        namedtype.NamedType('otherRevVals', univ.Any(),
+            openType=opentype.OpenType('otherRevValType', otherRevValMap))
+    )
+
+
+class RevocationValues(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('crlVals',
+            univ.SequenceOf(componentType=CertificateList()).subtype(
+                explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('ocspVals',
+            univ.SequenceOf(componentType=BasicOCSPResponse()).subtype(
+                explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+        namedtype.OptionalNamedType('otherRevVals',
+            OtherRevVals().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 2)))
+    )
+
+
+# CAdES-C Timestamp
+
+id_aa_ets_escTimeStamp = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.25')
+
+
+class ESCTimeStampToken(TimeStampToken):
+    pass
+
+
+# Time-Stamped Certificates and CRLs
+
+id_aa_ets_certCRLTimestamp = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.26')
+
+
+class TimestampedCertsCRLs(TimeStampToken):
+    pass
+
+
+# Archive Timestamp
+
+id_aa_ets_archiveTimestampV2 = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.48')
+
+
+class ArchiveTimeStampToken(TimeStampToken):
+    pass
+
+
+# Attribute certificate references
+
+id_aa_ets_attrCertificateRefs = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.44')
+
+
+class AttributeCertificateRefs(univ.SequenceOf):
+    componentType = OtherCertID()
+
+
+# Attribute revocation references
+
+id_aa_ets_attrRevocationRefs = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.45')
+
+
+class AttributeRevocationRefs(univ.SequenceOf):
+    componentType = CrlOcspRef()
+
+
+# Update the sigQualifiersMap
+
+_sigQualifiersMapUpdate = {
+    id_spq_ets_unotice: SPUserNotice(),
+    id_spq_ets_uri: SPuri(),
+}
+
+sigQualifiersMap.update(_sigQualifiersMapUpdate)
+
+
+# Update the CMS Attribute Map in rfc5652.py
+
+_cmsAttributesMapUpdate = {
+    id_aa_ets_otherSigCert: OtherSigningCertificate(),
+    id_aa_ets_sigPolicyId: SignaturePolicy(),
+    id_aa_ets_commitmentType: CommitmentTypeIndication(),
+    id_aa_ets_signerLocation: SignerLocation(),
+    id_aa_signatureTimeStampToken: SignatureTimeStampToken(),
+    id_aa_ets_contentTimestamp: ContentTimestamp(),
+    id_aa_ets_signerAttr: SignerAttribute(),
+    id_aa_ets_certificateRefs: CompleteCertificateRefs(),
+    id_aa_ets_revocationRefs: CompleteRevocationRefs(),
+    id_aa_ets_certValues: CertificateValues(),
+    id_aa_ets_revocationValues: RevocationValues(),
+    id_aa_ets_escTimeStamp: ESCTimeStampToken(),
+    id_aa_ets_certCRLTimestamp: TimestampedCertsCRLs(),
+    id_aa_ets_archiveTimestampV2: ArchiveTimeStampToken(),
+    id_aa_ets_attrCertificateRefs: AttributeCertificateRefs(),
+    id_aa_ets_attrRevocationRefs: AttributeRevocationRefs(),
+}
+
+rfc5652.cmsAttributesMap.update(_cmsAttributesMapUpdate)
diff --git a/tests/__main__.py b/tests/__main__.py
index 6f41808..6a28f01 100644
--- a/tests/__main__.py
+++ b/tests/__main__.py
@@ -19,6 +19,7 @@ suite = unittest.TestLoader().loadTestsFromNames(
      'tests.test_rfc2985.suite',
      'tests.test_rfc2986.suite',
      'tests.test_rfc3114.suite',
+     'tests.test_rfc3125.suite',
      'tests.test_rfc3161.suite',
      'tests.test_rfc3274.suite',
      'tests.test_rfc3279.suite',
@@ -42,6 +43,7 @@ suite = unittest.TestLoader().loadTestsFromNames(
      'tests.test_rfc5035.suite',
      'tests.test_rfc5083.suite',
      'tests.test_rfc5084.suite',
+     'tests.test_rfc5126.suite',
      'tests.test_rfc5208.suite',
      'tests.test_rfc5280.suite',
      'tests.test_rfc5480.suite',
diff --git a/tests/test_rfc3125.py b/tests/test_rfc3125.py
new file mode 100644
index 0000000..9c132e3
--- /dev/null
+++ b/tests/test_rfc3125.py
@@ -0,0 +1,113 @@
+#
+# This file is part of pyasn1-modules software.
+#
+# Created by Russ Housley
+# Copyright (c) 2019, Vigil Security, LLC
+# License: http://snmplabs.com/pyasn1/license.html
+#
+
+import sys
+
+from pyasn1.codec.der.decoder import decode as der_decode
+from pyasn1.codec.der.encoder import encode as der_encode
+
+from pyasn1_modules import pem
+from pyasn1_modules import rfc2985
+from pyasn1_modules import rfc3125
+
+
+try:
+    import unittest2 as unittest
+
+except ImportError:
+    import unittest
+
+
+class SignaturePolicyTestCase(unittest.TestCase):
+    pem_text = """\
+MIIMYzALBglghkgBZQMEAgEwggwwBgorgR6RmYQFAQICGA8yMDE2MTAwMjAwMDAwMFowgaSk
+XjBcMQswCQYDVQQGEwJTSzETMBEGA1UEBwwKQnJhdGlzbGF2YTEiMCAGA1UECgwZTmFyb2Ru
+eSBiZXpwZWNub3N0bnkgdXJhZDEUMBIGA1UECwwLU2VrY2lhIElCRVCGQmh0dHA6Ly9lcC5u
+YnVzci5zay90cnVzdGVkX2RhdGEvMjAxNjEwMDIwMDAwMDB6c2lnbmF0dXJlcG9saWN5LmRl
+cgyBz0VOOiBFbC4gc2lnbmF0dXJlL3NlYWwsIG9wdGlvbmFsIGVsLiB0aW1lLXN0YW1wIG92
+ZXIgT0NTUCwgYWNjb3JkaW5nIHRvIFJlZ3VsYXRpb24gKEVVKSBObyA5MTAvMjAxNC4gU0s6
+IEVsLiBwb2RwaXMvcGXEjWHFpSwgdm9saXRlxL5uw6EgZWwuIMSNYXNvdsOhIHBlxI1pYXRr
+YSBuYWQgT0NTUCwgcG9kxL5hIG5hcmlhZGVuaWEgKEXDmikgxI0uIDkxMC8yMDE0LjCCCpYw
+IhgPMjAxNjEwMDIwMDAwMDBaGA8yMDIxMTAwMjAwMDAwMFowggpsoD8wPTA3MC4GCSqGSIb3
+DQEJAwYJKoZIhvcNAQkEBgkqhkiG9w0BCQUGCyqGSIb3DQEJEAIvMAChAwoBAjACMACiEjAQ
+ow4wDAIBAAIBAAIBAAIBAaSCChMwggoPoIIB/zCCAfswCwYJYIZIAWUDBAIBMAsGCWCGSAFl
+AwQCAjALBglghkgBZQMEAgMwCwYJYIZIAWUDBAIGMAsGCWCGSAFlAwQCCDALBglghkgBZQME
+AgkwCwYJYIZIAWUDBAIKMA8GCWCGSAFlAwQDAgICCAAwDwYJYIZIAWUDBAMDAgIIADAPBglg
+hkgBZQMEAwQCAggAMA8GCWCGSAFlAwQDBgICCAAwDwYJYIZIAWUDBAMHAgIIADAPBglghkgB
+ZQMEAwgCAggAMA4GCCqGSM49BAMCAgIBADAOBggqhkjOPQQDAwICAQAwDgYIKoZIzj0EAwQC
+AgEAMA8GCWCGSAFlAwQDCgICAQAwDwYJYIZIAWUDBAMLAgIBADAPBglghkgBZQMEAwwCAgEA
+MA8GCSqGSIb3DQEBCwICCAAwDwYJKoZIhvcNAQEMAgIIADAPBgkqhkiG9w0BAQ0CAggAMA8G
+CWCGSAFlAwQDDgICCAAwDwYJYIZIAWUDBAMPAgIIADAPBglghkgBZQMEAxACAggAMA8GCSqG
+SIb3DQEBCgICCAAwDwYJKoZIhvcNAQEBAgIIADANBgcqhkjOPQIBAgIBADAOBggrJAMDAgUC
+AQICAQAwDgYIKyQDAwIFBAQCAgEAMA4GCCskAwMCBQQFAgIBADAOBggrJAMDAgUEBgICAQCh
+ggH/MIIB+zALBglghkgBZQMEAgEwCwYJYIZIAWUDBAICMAsGCWCGSAFlAwQCAzALBglghkgB
+ZQMEAgYwCwYJYIZIAWUDBAIIMAsGCWCGSAFlAwQCCTALBglghkgBZQMEAgowDwYJYIZIAWUD
+BAMCAgIIADAPBglghkgBZQMEAwMCAggAMA8GCWCGSAFlAwQDBAICCAAwDwYJYIZIAWUDBAMG
+AgIIADAPBglghkgBZQMEAwcCAggAMA8GCWCGSAFlAwQDCAICCAAwDgYIKoZIzj0EAwICAgEA
+MA4GCCqGSM49BAMDAgIBADAOBggqhkjOPQQDBAICAQAwDwYJYIZIAWUDBAMKAgIBADAPBglg
+hkgBZQMEAwsCAgEAMA8GCWCGSAFlAwQDDAICAQAwDwYJKoZIhvcNAQELAgIIADAPBgkqhkiG
+9w0BAQwCAggAMA8GCSqGSIb3DQEBDQICCAAwDwYJYIZIAWUDBAMOAgIIADAPBglghkgBZQME
+Aw8CAggAMA8GCWCGSAFlAwQDEAICCAAwDwYJKoZIhvcNAQEKAgIIADAPBgkqhkiG9w0BAQEC
+AggAMA0GByqGSM49AgECAgEAMA4GCCskAwMCBQIBAgIBADAOBggrJAMDAgUEBAICAQAwDgYI
+KyQDAwIFBAUCAgEAMA4GCCskAwMCBQQGAgIBAKKCAf8wggH7MAsGCWCGSAFlAwQCATALBglg
+hkgBZQMEAgIwCwYJYIZIAWUDBAIDMAsGCWCGSAFlAwQCBjALBglghkgBZQMEAggwCwYJYIZI
+AWUDBAIJMAsGCWCGSAFlAwQCCjAPBglghkgBZQMEAwICAggAMA8GCWCGSAFlAwQDAwICCAAw
+DwYJYIZIAWUDBAMEAgIIADAPBglghkgBZQMEAwYCAggAMA8GCWCGSAFlAwQDBwICCAAwDwYJ
+YIZIAWUDBAMIAgIIADAOBggqhkjOPQQDAgICAQAwDgYIKoZIzj0EAwMCAgEAMA4GCCqGSM49
+BAMEAgIBADAPBglghkgBZQMEAwoCAgEAMA8GCWCGSAFlAwQDCwICAQAwDwYJYIZIAWUDBAMM
+AgIBADAPBgkqhkiG9w0BAQsCAggAMA8GCSqGSIb3DQEBDAICCAAwDwYJKoZIhvcNAQENAgII
+ADAPBglghkgBZQMEAw4CAggAMA8GCWCGSAFlAwQDDwICCAAwDwYJYIZIAWUDBAMQAgIIADAP
+BgkqhkiG9w0BAQoCAggAMA8GCSqGSIb3DQEBAQICCAAwDQYHKoZIzj0CAQICAQAwDgYIKyQD
+AwIFAgECAgEAMA4GCCskAwMCBQQEAgIBADAOBggrJAMDAgUEBQICAQAwDgYIKyQDAwIFBAYC
+AgEAo4IB/zCCAfswCwYJYIZIAWUDBAIBMAsGCWCGSAFlAwQCAjALBglghkgBZQMEAgMwCwYJ
+YIZIAWUDBAIGMAsGCWCGSAFlAwQCCDALBglghkgBZQMEAgkwCwYJYIZIAWUDBAIKMA8GCWCG
+SAFlAwQDAgICCAAwDwYJYIZIAWUDBAMDAgIIADAPBglghkgBZQMEAwQCAggAMA8GCWCGSAFl
+AwQDBgICCAAwDwYJYIZIAWUDBAMHAgIIADAPBglghkgBZQMEAwgCAggAMA4GCCqGSM49BAMC
+AgIBADAOBggqhkjOPQQDAwICAQAwDgYIKoZIzj0EAwQCAgEAMA8GCWCGSAFlAwQDCgICAQAw
+DwYJYIZIAWUDBAMLAgIBADAPBglghkgBZQMEAwwCAgEAMA8GCSqGSIb3DQEBCwICCAAwDwYJ
+KoZIhvcNAQEMAgIIADAPBgkqhkiG9w0BAQ0CAggAMA8GCWCGSAFlAwQDDgICCAAwDwYJYIZI
+AWUDBAMPAgIIADAPBglghkgBZQMEAxACAggAMA8GCSqGSIb3DQEBCgICCAAwDwYJKoZIhvcN
+AQEBAgIIADANBgcqhkjOPQIBAgIBADAOBggrJAMDAgUCAQICAQAwDgYIKyQDAwIFBAQCAgEA
+MA4GCCskAwMCBQQFAgIBADAOBggrJAMDAgUEBgICAQCkggH/MIIB+zALBglghkgBZQMEAgEw
+CwYJYIZIAWUDBAICMAsGCWCGSAFlAwQCAzALBglghkgBZQMEAgYwCwYJYIZIAWUDBAIIMAsG
+CWCGSAFlAwQCCTALBglghkgBZQMEAgowDwYJYIZIAWUDBAMCAgIIADAPBglghkgBZQMEAwMC
+AggAMA8GCWCGSAFlAwQDBAICCAAwDwYJYIZIAWUDBAMGAgIIADAPBglghkgBZQMEAwcCAggA
+MA8GCWCGSAFlAwQDCAICCAAwDgYIKoZIzj0EAwICAgEAMA4GCCqGSM49BAMDAgIBADAOBggq
+hkjOPQQDBAICAQAwDwYJYIZIAWUDBAMKAgIBADAPBglghkgBZQMEAwsCAgEAMA8GCWCGSAFl
+AwQDDAICAQAwDwYJKoZIhvcNAQELAgIIADAPBgkqhkiG9w0BAQwCAggAMA8GCSqGSIb3DQEB
+DQICCAAwDwYJYIZIAWUDBAMOAgIIADAPBglghkgBZQMEAw8CAggAMA8GCWCGSAFlAwQDEAIC
+CAAwDwYJKoZIhvcNAQEKAgIIADAPBgkqhkiG9w0BAQECAggAMA0GByqGSM49AgECAgEAMA4G
+CCskAwMCBQIBAgIBADAOBggrJAMDAgUEBAICAQAwDgYIKyQDAwIFBAUCAgEAMA4GCCskAwMC
+BQQGAgIBADAABCAaWobQZ1EuANtF/NjfuaBXR0nR0fKnGJ7Z8t/mregtvQ==
+"""
+
+    def setUp(self):
+        self.asn1Spec = rfc3125.SignaturePolicy()
+
+    def testDerCodec(self):
+        substrate = pem.readBase64fromText(self.pem_text)
+        asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
+        assert not rest
+        assert asn1Object.prettyPrint()
+        assert der_encode(asn1Object) == substrate
+
+        svp = asn1Object['signPolicyInfo']['signatureValidationPolicy']
+        sr = svp['commonRules']['signerAndVeriferRules']['signerRules']
+        msa = sr['mandatedSignedAttr']
+        assert rfc2985.pkcs_9_at_contentType in msa
+        assert rfc2985.pkcs_9_at_messageDigest in msa
+        assert rfc2985.pkcs_9_at_signingTime in msa
+
+
+suite = unittest.TestLoader().loadTestsFromModule(sys.modules[__name__])
+
+if __name__ == '__main__':
+    import sys
+
+    result = unittest.TextTestRunner(verbosity=2).run(suite)
+    sys.exit(not result.wasSuccessful())
diff --git a/tests/test_rfc5126.py b/tests/test_rfc5126.py
new file mode 100644
index 0000000..df42e81
--- /dev/null
+++ b/tests/test_rfc5126.py
@@ -0,0 +1,98 @@
+#
+# This file is part of pyasn1-modules software.
+#
+# Copyright (c) 2019, Vigil Security, LLC
+# License: http://snmplabs.com/pyasn1/license.html
+#
+import sys
+
+from pyasn1.codec.der.decoder import decode as der_decode
+from pyasn1.codec.der.encoder import encode as der_encode
+
+from pyasn1.type import univ
+
+from pyasn1_modules import pem
+from pyasn1_modules import rfc4055
+from pyasn1_modules import rfc5652
+from pyasn1_modules import rfc5126
+
+try:
+    import unittest2 as unittest
+except ImportError:
+    import unittest
+
+
+class SignedAttributesTestCase(unittest.TestCase):
+    pem_text = """\
+MYIBUzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMCsGCSqGSIb3DQEJNDEeMBww
+DQYJYIZIAWUDBAIBBQChCwYJKoZIhvcNAQELMC8GCSqGSIb3DQEJBDEiBCCyqtCC
+Gosj/GT4YPPAqKheze4A1QBU5O3tniTsVPGr7jBBBgsqhkiG9w0BCRACETEyMDCg
+BBMCVVOhBBMCVkGiIjAgExExMjMgU29tZXBsYWNlIFdheRMLSGVybmRvbiwgVkEw
+RgYLKoZIhvcNAQkQAi8xNzA1MDMwMTANBglghkgBZQMEAgEFAAQgJPmqUmGQnQ4q
+RkVtUHecJXIkozOzX8+pZQj/UD5JcnQwTgYLKoZIhvcNAQkQAg8xPzA9BgorBgEE
+AYGsYDAUMC8wCwYJYIZIAWUDBAIBBCDWjjVmAeXgZBkE/rG8Pf8pTCs4Ikowc8Vm
+l+AOeKdFgg==
+"""
+
+    def setUp(self):
+        self.asn1Spec = rfc5652.SignedAttributes()
+
+    def testDerCodec(self):
+        substrate = pem.readBase64fromText(self.pem_text)
+        asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
+        assert not rest
+        assert asn1Object.prettyPrint()
+        assert der_encode(asn1Object) == substrate
+
+        count = 0
+        for attr in asn1Object:
+            if attr['attrType'] in rfc5652.cmsAttributesMap.keys():
+                av, rest = der_decode (attr['attrValues'][0],
+                    asn1Spec=rfc5652.cmsAttributesMap[attr['attrType']])
+                assert not rest
+                assert av.prettyPrint()
+                assert der_encode(av) == attr['attrValues'][0]
+                count += 1
+
+        assert count == 6
+
+    def testOpenTypes(self):
+        substrate = pem.readBase64fromText(self.pem_text)
+        asn1Object, rest = der_decode(substrate,
+            asn1Spec=self.asn1Spec,
+            decodeOpenTypes=True)
+        assert not rest
+        assert asn1Object.prettyPrint()
+        assert der_encode(asn1Object) == substrate
+
+        attr_type_list = [ ]
+        spid_oid = rfc5126.SigPolicyId('1.3.6.1.4.1.22112.48.20')
+
+        for attr in asn1Object:
+            if attr['attrType'] == rfc5126.id_aa_ets_sigPolicyId:
+                spid = attr['attrValues'][0]['signaturePolicyId']
+                assert spid['sigPolicyId'] == spid_oid
+                attr_type_list.append(rfc5126.id_aa_ets_sigPolicyId)
+
+            if attr['attrType'] == rfc5126.id_aa_ets_signerLocation:
+                cn = attr['attrValues'][0]['countryName']
+                assert cn['printableString'] == 'US'
+                attr_type_list.append(rfc5126.id_aa_ets_signerLocation)
+
+            if attr['attrType'] == rfc5126.id_aa_signingCertificateV2:
+                ha = attr['attrValues'][0]['certs'][0]['hashAlgorithm']
+                assert ha['algorithm'] == rfc4055.id_sha256
+                attr_type_list.append(rfc5126.id_aa_signingCertificateV2)
+
+        assert rfc5126.id_aa_ets_sigPolicyId in attr_type_list
+        assert rfc5126.id_aa_ets_signerLocation in attr_type_list
+        assert rfc5126.id_aa_signingCertificateV2 in attr_type_list
+
+
+suite = unittest.TestLoader().loadTestsFromModule(sys.modules[__name__])
+
+if __name__ == '__main__':
+    import sys
+
+    result = unittest.TextTestRunner(verbosity=2).run(suite)
+    sys.exit(not result.wasSuccessful())
author	Russ Housley <housley@vigilsec.com>	2019-11-18 00:40:42 -0500
committer	Ilya Etingof <etingof@gmail.com>	2019-11-18 06:40:42 +0100
commit	a7361736347118128c359182fbea22f863f50da2 (patch)
tree	613df55eb8b84fe921f00a99e20360d69cf9ccdc
parent	238ef5e74c1cb3181e0c9345378111cf5354d3a0 (diff)
download	pyasn1-modules-a7361736347118128c359182fbea22f863f50da2.tar.gz