--------------------------------------------------------------------------
--  ESS.ASN
--
--  ASN.1 definitions for S/MIME Extended Security Services
--------------------------------------------------------------------------

ExtendedSecurityServices
--     { iso(1) member-body(2) us(840) rsadsi(113549)
--       pkcs(1) pkcs-9(9) smime(16) modules(0) ess(2) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN

--IMPORTS
--  Cryptographic Message Syntax (CMS)
---    ContentType, EntityIdentifier, SubjectKeyIdentifier, Version
---    FROM CryptographicMessageSyntax { iso(1) member-body(2) us(840)
---    rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1) };

--   EntityIdentifier ::= CHOICE {
--     issuerAndSerialNumber IssuerAndSerialNumber,
--     subjectKeyIdentifier SubjectKeyIdentifier }
    ObjectIdentifier ::= OBJECT IDENTIFIER --<PDU>-- --<OBJECTID 16>--

   ContentType ::= ObjectIdentifier
   Version ::= INTEGER { v0(0), v1(1), v2(2), v3(3) }
   IssuerAndSerialNumber ::= SEQUENCE {
     issuer NOCOPYANY,
     serialNumber SerialNumber }


    HUGEINTEGER ::= INTEGER --<HUGE>--                      -- tag 0x02

   SerialNumber ::= HUGEINTEGER
   CertificateSerialNumber ::= SerialNumber
   PolicyInformation ::= NOCOPYANY

-- X.509
--    GeneralNames FROM CertificateExtensions
--    {joint-iso-ccitt ds(5) module(1) certificateExtensions(26) 0};


   OCTETSTRING ::= OCTET STRING --<UNBOUNDED>-- --<NOCOPY>-- -- tag 0x04
   NOCOPYANY ::= ANY --<ENCODABLE>-- --<NOCOPY>--
   
   SubjectKeyIdentifier ::= OCTETSTRING
   GeneralNames ::= NOCOPYANY

-- UNIVERSAL type defined in ASN.1 1997 but required for
-- this specification

-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING

-- Extended Security Services

-- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
-- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
-- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE to 
-- have at least one entry. MAX indicates the upper bound is unspecified.
-- Implementations are free to choose an upper bound that suits their
-- environment.

-- Section 2.7

ReceiptRequest ::= SEQUENCE {
  signedContentIdentifier ContentIdentifier,
  receiptsFrom ReceiptsFrom,
  receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames } --<PDU>--

ub-receiptsTo INTEGER ::= 16

id-aa-receiptRequest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 1}

ContentIdentifier ::= OCTET STRING

id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}

ReceiptsFrom ::= CHOICE {
  allOrFirstTier [0] AllOrFirstTier,
  -- formerly "allOrNone [0]AllOrNone"
  receiptList [1] SEQUENCE OF GeneralNames }

AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
  allReceipts (0),
  firstTierRecipients (1) }


-- Section 2.8

Receipt ::= SEQUENCE {
  version Version,  -- Version is imported from [CMS]
  contentType ContentType,
  signedContentIdentifier ContentIdentifier,
  originatorSignatureValue OCTETSTRING } --<PDU>--

id-ct-receipt OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 
   rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-ct(1) 1}


-- Section 2.9

--  contentDescription UTF8String SIZE (1..MAX) OPTIONAL,

ContentHints ::= SEQUENCE {
  contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
    -- If contentDescription is used, its contents MUST be in UTF8 format
  contentType ObjectIdentifier } --<PDU>--

id-aa-contentHint OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 
    rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 4}


-- Section 2.10

MsgSigDigest ::= OCTET STRING

id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}

-- Section 2.11

ContentReference ::= SEQUENCE {
  contentType ContentType,
  signedContentIdentifier ContentIdentifier,
  originatorSignatureValue OCTET STRING }

id-aa-contentReference   OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 10 }

-- Section 3.2

ESSSecurityLabel ::= SET {
  security-policy-identifier SecurityPolicyIdentifier,
  security-classification SecurityClassification OPTIONAL,
  privacy-mark ESSPrivacyMark OPTIONAL,
  security-categories SecurityCategories OPTIONAL } --<PDU>--

id-aa-securityLabel OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 2}

SecurityPolicyIdentifier ::= ObjectIdentifier

SecurityClassification ::= INTEGER {
  unmarked (0),
  unclassified (1),
  restricted (2),
  confidential (3),
  secret (4),
  top-secret (5) } (0..ub-integer-options)

ub-integer-options INTEGER ::= 256

ESSPrivacyMark ::= CHOICE {
    pString      PrintableString (SIZE (1..ub-privacy-mark-length)),
    utf8String   UTF8String (SIZE (1..MAX))
}

ub-privacy-mark-length INTEGER ::= 128

SecurityCategories ::= SET SIZE (1..ub-security-categories) OF
        SecurityCategory

ub-security-categories INTEGER ::= 64

SecurityCategory ::= SEQUENCE {
  type  [0] ObjectIdentifier,
--  value [1] ANY - - defined by type
  value [1] NOCOPYANY -- defined by type
}

-- Note: The aforementioned SecurityCategory syntax produces identical
-- hex encodings as the following SecurityCategory syntax that is
-- documented in the X.411 specification:
--
-- SecurityCategory ::= SEQUENCE {
--     type  [0]  SECURITY-CATEGORY,
--     value [1]  ANY DEFINED BY type }
--
-- SECURITY-CATEGORY MACRO ::=
-- BEGIN
-- TYPE NOTATION ::= type | empty
-- VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
-- END

-- Section 3.4

EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel

id-aa-equivalentLabels OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 9}


-- Section 4.4

MLExpansionHistory ::= SEQUENCE --<PDU>-- SIZE (1..ub-ml-expansion-history) OF MLData 

id-aa-mlExpandHistory OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 3}

ub-ml-expansion-history INTEGER ::= 64

MLData ::= SEQUENCE {
  mailListIdentifier EntityIdentifier,
        -- EntityIdentifier is imported from [CMS]
  expansionTime GeneralizedTime,
  mlReceiptPolicy MLReceiptPolicy OPTIONAL }

EntityIdentifier ::= CHOICE {
  issuerAndSerialNumber IssuerAndSerialNumber,
  subjectKeyIdentifier SubjectKeyIdentifier }   

MLReceiptPolicy ::= CHOICE {
  none [0] NULL,
  insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
  inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }

-- Section 5.4

SigningCertificate ::=  SEQUENCE {
    certs        SEQUENCE OF ESSCertID,
    policies     SEQUENCE OF PolicyInformation OPTIONAL
}

id-aa-signingCertificate OBJECT IDENTIFIER ::= { iso(1)
    member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
    smime(16) id-aa(2) 12 }

ESSCertID ::=  SEQUENCE {
     certHash                 Hash,
     issuerSerial             IssuerSerial OPTIONAL
}

Hash ::= OCTET STRING -- SHA1 hash of entire certificate

IssuerSerial ::= SEQUENCE {
     issuer                   GeneralNames,
     serialNumber             CertificateSerialNumber
}

END -- of ExtendedSecurityServices