Redigera

Dela via


CMC Attributes

In practice, the structure of a CMC request, shown by the following syntax, is relatively complex because it often contains nested requests. For example, a CMC request can contain zero or one PKCS #10 requests in a TaggedRequest sequence, and it can contain zero or one PKCS #7 messages in a TaggedContentInfo sequence. Each nested PKCS #7 message can contain a CMC request which can, in turn, contain more requests. The number of nesting levels is theoretically unlimited, but the certification authority (CA) is typically configured to limit the size of a request. Attributes can be applied to the top level request or to the nested requests. This is discussed in the following sections.

CMCData Structure

A CMC request contains sequences of TaggedAttribute, TaggedRequest, and TaggedContentInfo ASN.1 structures.

CmcData ::= SEQUENCE 
{
   controlSequence         ControlSequence,
   reqSequence             ReqSequence,
   cmsSequence             CmsSequence,
   otherMsgSequence        OtherMsgSequence
}


ControlSequence  ::=    SEQUENCE OF TaggedAttribute
ReqSequence      ::=    SEQUENCE OF TaggedRequest
CmsSequence      ::=    SEQUENCE OF TaggedContentInfo

TaggedAttribute ::= SEQUENCE 
{
   bodyPartID              BodyPartID,
   type                    EncodedObjectID,
   values                  AttributeSetValue
}

TaggedRequest ::= CHOICE 
{
   tcr                     [0] IMPLICIT TaggedCertificationRequest
}

TaggedContentInfo ::= SEQUENCE 
{
   bodyPartID              BodyPartID,
   contentInfo             ANY
}

BodyPartID ::= INTEGER (0..4294967295)
EncodedObjectID ::= OBJECT IDENTIFIER
AttributeSetValue ::= SET OF ANY

TaggedAttribute Structure

Attributes are included in a CMC certificate request by adding them to the TaggedAttribute collection. Each structure in the collection contains an integer ID, an ASN.1 object identifier (OID), and a set of values. The possible values can be any of the following.

CmcAddAttributes ::= SEQUENCE 
{
   pkiDataReference        BodyPartID,
   certReferences          BodyPartIDSequence,
   attributes              Attributes
}

Attributes ::= SET OF Attribute
Attribute ::= SEQUENCE 
{
   type       EncodedObjectID,
   values     AttributeSetValue
}

CmcAddExtensions ::= SEQUENCE 
{
   pkiDataReference        BodyPartID,
   certReferences          BodyPartIDSequence,
   extensions              Extensions
}

Extensions ::= SEQUENCE OF Extension

Extension ::= SEQUENCE 
{
   extnId              EncodedObjectID,
   critical            BOOLEAN DEFAULT FALSE,
   extnValue           OCTETSTRING
}

SenderNonce ::= OCTET STRING

TransactID ::= OCTET STRING

RegInfo ::= OCTET STRING

CMCAddAttributes

If the attributes in this structure apply to a nested PKCS #10 request, the certReferences field will contain the BodyPartID that identifies the request. If the attributes apply to a nested CMC request, the pkiDataReference field will contain the BodyPartID of the request. Currently, only one of these fields can be nonzero. The attributes that can be included are listed in the Supported Attributes topic.

CmcAddExtensions

This structure can contain X.509 version 3 extensions plus extensions defined by Microsoft. This attribute is defined by using the IX509AttributeExtensions interface. If the extensions apply to a nested PKCS #10 request, the certReferences field will contain the BodyPartID that identifies the request. If the extensions apply to a nested CMC request, the pkiDataReference field will contain the BodyPartID of the request. Currently, only one of these fields can be nonzero.

SenderNonce

A nonce is random or pseudo-random binary data that can be included in a certificate request and response transaction to help ensure that the response or request is not a repeat of a previous message. For more information, see the SenderNonce property.

TransactID

A round trip certificate request and response transaction can be tracked using an identifier. The client generates a transaction ID and retains it until the certificate or registration authority responds with a message that completes the transaction. The response includes the identifier. For more information, see the TransactionId property.

RegInfo

This attribute can be used to contain any registration information that the client chooses to put into the CMC request. The attribute value is string that contains concatenated name-value pairs. For more information, see the NameValuePairs property.

Supported Attributes