《ISO-7816-15-AMD-1-2007.pdf》由会员分享,可在线阅读,更多相关《ISO-7816-15-AMD-1-2007.pdf(44页珍藏版)》请在三一文库上搜索。
1、 Reference number ISO/IEC 7816-15:2004/Amd.1:2007(E) ISO/IEC 2007 INTERNATIONAL STANDARD ISO/IEC 7816-15 First edition 2004-01-15 AMENDMENT 1 2007-11-15 Identification cards Integrated circuit cards Part 15: Cryptographic information application AMENDMENT 1: Examples of the use of the cryptographic
2、information application Cartes didentification Cartes circuit intgr Partie 15: Application des informations cryptographiques AMENDEMENT 1: Exemples demploi de lapplication des informations cryptographiques ISO/IEC 7816-15:2004/Amd.1:2007(E) PDF disclaimer This PDF file may contain embedded typefaces
3、. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing
4、 Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized
5、 for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2007 All rights reserved. Un
6、less otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO
7、 copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2007 All rights reserved -,-,- ISO/IEC 7816-15:2004/Amd.1:2007(E) ISO/IEC 2007 All rights reserved iii Foreword ISO (the Intern
8、ational Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees establish
9、ed by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the fie
10、ld of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft
11、 International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this d
12、ocument may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Amendment 1 to ISO/IEC 7816-15:2004 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identifica
13、tion. -,-,- -,-,- ISO/IEC 7816-15:2004/Amd.1:2007(E) ISO/IEC 2007 All rights reserved 1 Identification cards Integrated circuit cards Part 15: Cryptographic information application AMENDMENT 1: Examples of the use of the cryptographic information application Insert the following new annex after Anne
14、x D. Annex E (informative) Examples of the use of the cryptographic information application E.1 Introduction The purpose of this informative annex is to provide practical examples of the use of the cryptographic information application. By providing sample program code for each example, programmers
15、can see the programmatic connection between high-level ASN.1 representations and low-level BER representations and thus create more efficient and more compact software that uses the cryptographic information application. Each clause in the annex is a free-standing example and consists of four paragr
16、aphs: 1. Description of the example 2. A specification of the example described in paragraph (1) in commented ISO/IEC 7816-15 ASN.1 constructs, using the formal value notation defined in ISO/IEC 8824-1. 3. Annotated code in the ISO/IEC 9899 TC2 C programming language for BER encoding and decoding ac
17、cording to the ASN.1 specification of paragraph (2). 4. BER encoding of the example as produced by the encoder of paragraph (3). Two examples also include graphic representations of the BER at the end of the Annex. 5. The source code provided in paragraph (3) was compiled and run to generate the out
18、put shown in paragraph (4). A transcription of the ASN.1 encoding of the Cryptographic Information Application listed in Annex A above was used for all examples. A free, publically-available ASN.1 compiler was used to generate the BER encoders and decoders from this ASN.1. E.2 Encoding of a Private
19、Key E.2.1 Cryptographic Information Application Example Description This is an example of an ISO/IEC 7816-15 RSA private key. -,-,- ISO/IEC 7816-15:2004/Amd.1:2007(E) 2 ISO/IEC 2007 All rights reserved E.2.2 ASN.1 Encoding of an RSA Private Key privateKeys objects - SEQUENCE OF - privateRSAKey - SEQ
20、UENCE - commonObjectAttributes - SEQUENCE - label 4b455931H - “KEY1“ -, flags 80H, authId 41444dH - “ADM“ -, userConsent 1 , classAttributes - SEQUENCE - iD 9bH, usage 2040H, native TRUE, accessFlags 98H, keyReference 10 , subClassAttributes - SEQUENCE - keyIdentifiers - SEQUENCE OF - - SEQUENCE - i
21、dType 5, idValue 3132333435363738H - “12345678“ - , typeAttributes - SEQUENCE - value indirect path - SEQUENCE - efidOrPath 3f004041H , modulusLength 1024 E.2.3 Code Encoding and Decoding BER from the ASN.1 /* * Encoding of a Private Key as a Data Object in EF.OD */ void Part15PrivateKey(const char
22、*label, unsigned char objectFlags, unsigned char *authId, unsigned int authIdLength, unsigned int userConsent, unsigned char native, unsigned char *iD, unsigned int iDLength, unsigned short usageFlags, unsigned char accessFlags, unsigned int keyReference, unsigned int identifierType, unsigned char *
23、externalIdentifier, unsigned char *path, unsigned int pathLength, unsigned int modulusLength ) unsigned int l; CIOChoice *cio; PrivateKeyChoice *prk, *prkp; CredentialIdentifier *crid, *cridp; PrivateKeyObject_PrivateRSAKeyAttributes pattr = 0 ; CommonObjectAttributes commonObjAttr = 0 ; CommonKeyAt
24、tributes commonKeyAttr = 0 ; CommonPrivateKeyAttributes commonPrivateKeyAttr = 0 ; PrivateRSAKeyAttributes privateRSAKeyAttr = 0 ; ISO/IEC 7816-15:2004/Amd.1:2007(E) ISO/IEC 2007 All rights reserved 3 Path pathOctets = 0 ; AsnOcts issuerHash = 0 ; char commonObjectFlags1 = 0 ; AsnBits commonFlagsAsn
25、Bits = 3, commonObjectFlags ; char keyUsage2 = 0 ; AsnBits keyUsageAsnBits = 10, keyUsage ; char keyAccessFlags1 = 0 ; AsnBits keyAccessFlagsAsnBits = 5, keyAccessFlags ; /* * Section 8.3 The CIOChoice type * * “EF.OD shall contain the concatenation of 0, 1, or more DER-encoded CIOChoice values.“ */
26、 cio = (CIOChoice *)calloc(1, sizeof(PrivateKeyChoice); cio-choiceId = CIOCHOICE_PRIVATEKEYS; /* * “It is expected that an EF.OD entry will usually reference a separate file (the path * choice of PathOrObjects) containing CIOs of the indicated type. An entry may, however, * hold CIOs directly (the o
27、bjects choice of PathOrObjects), if the objects and the EF.OD * file have the same access control requirements.“ * * PathOrObjectsPrivateKeyChoice */ cio-a.privateKeys = (PrivateKeys *)calloc(1, sizeof(PrivateKeys); cio-a.privateKeys-choiceId = PATHOROBJECTS_PRIVATEKEYCHOICE_OBJECTS; cio-a.privateKe
28、ys-a.objects = AsnListNew(sizeof (void*); /* * Section 8.4.1 PrivateKeyChoice * * “This type contains information pertaining to a private key. Each value * consists of attributes common to any object, any key, any private key, * and attributes particular to the key.“ */ prkp = (PrivateKeyChoice *)As
29、nListAppend(cio-a.privateKeys-a.objects); *prkp = prk = calloc(1, sizeof(PrivateKeyChoice); prk-choiceId = PRIVATEKEYCHOICE_PRIVATERSAKEY; prk-a.privateRSAKey = monObjectAttributes = pattr.classAttributes = pattr.subClassAttributes = pattr.typeAttributes = /* * Section 8.2.8 CommonObjectAttributes *
30、 * “This type is a container for attributes common to all CIOs.“ */ commonObjAttr.label.octs = _strdup(label); commonObjAttr.label.octetLen = strlen(label); commonObjectFlags0 = objectFlags; commonObjAttr.flags = commonFlagsAsnBits; commonObjAttr.authId.octetLen=authIdLength; commonObjAttr.authId.oc
31、ts = authId; commonObjAttr.userConsent = /* * Section 8.2.9 CommonKeyAttributes * * “The iD field shall be unique for each key information object, except when a public * key information object and its corresponding private key object are stored on * the same card. In this case, the information objec
32、ts shall share the same * identifier (which may also be shared with one or several certificate information -,-,- ISO/IEC 7816-15:2004/Amd.1:2007(E) 4 ISO/IEC 2007 All rights reserved * objects .“ */ commonKeyAttr.iD.octs = iD; commonKeyAttr.iD.octetLen = iDLength; keyUsage0 = (unsigned char)(usageFl
33、ags8); keyUsage1 = (unsigned char)(usageFlags); commonKeyAttr.usage = keyUsageAsnBits; keyAccessFlags0 = accessFlags; commonKeyAttr.accessFlags= keyAccessFlagsAsnBits; commonKeyAttr.native = commonKeyAttr.keyReference = /* * Section 8.2.10 CommonPrivateKeyAttributes * * “The name field, when present
34、, names the owner of the key, as specified in a * corresponding certificates subject field. * * Values of the keyIdentifiers field can be matched to identifiers from external * messages or protocols to select the appropriate key to a given operation.“ */ commonPrivateKeyAttr.keyIdentifiers = (Common
35、PrivateKeyAttributesSeqOf *)AsnListNew(sizeof (void*); cridp = (CredentialIdentifier *)AsnListAppend(commonPrivateKeyAttr.keyIdentifiers); *cridp = crid = (CredentialIdentifier *)calloc(1, sizeof(CredentialIdentifier); issuerHash.octs = _strdup(externalIdentifier); issuerHash.octetLen = strlen(exter
36、nalIdentifier); crid-idType = identifierType; crid-idValue.value = SetAnyTypeByInt( /* * Section 8.4.2 Private RSA Key Attributes * * “PrivateRSAKeyAttributes.value: The value shall be a path to a file containing * a private RSA key. If there is no need to specify a path to a file, the path * value
37、may be set to the empty path.“ */ privateRSAKeyAttr.value = (ObjectValue *)calloc(1, sizeof(ObjectValue); privateRSAKeyAttr.value-choiceId = OBJECTVALUE_INDIRECT; privateRSAKeyAttr.value-a.indirect = (ReferencedValue *)calloc(1, sizeof(ReferencedValue); privateRSAKeyAttr.value-a.indirect-choiceId =
38、REFERENCEDVALUE_PATH; pathOctets.efidOrPath.octs = (char *)calloc(1, pathLength); memcpy(pathOctets.efidOrPath.octs, path, pathLength); pathOctets.efidOrPath.octetLen = pathLength; privateRSAKeyAttr.value-a.indirect-a.path = privateRSAKeyAttr.modulusLength = modulusLength; /* * Print the Private Key
39、 Data Object */ PrintCIOChoice(stdout, cio, 3); /* * BER Encode the Private Key Data Object */ BERLength = BEncCIOChoiceContent(gb, cio); /* * Decoding of a Private Key as a Data Object in EF.OD */ PrivateKeyObject_PrivateRSAKeyAttributes *PrivateRSAKey(unsigned char *BER, unsigned int BERLength) IS
40、O/IEC 7816-15:2004/Amd.1:2007(E) ISO/IEC 2007 All rights reserved 5 SBuf b; GenBuf *gb; unsigned int bytesDecoded = 0; ENV_TYPE env; CIOChoice *cio; AsnTag tagId0; AsnLen elmtLen0; if(setjmp(env)!= 0) exit(0); cio = calloc(1, sizeof(CIOChoice); SBufInstallData( SBuftoGenBuf( tagId0 = BDecTag(gb, elm
41、tLen0 = BDecLen(gb, /* * Decode the RSA Private Key Data Object */ BDecCIOChoiceContent(gb, tagId0, elmtLen0, cio, return (PrivateKeyChoice *)(cio-a.privateKeys-a.objects-first-data)-a.privateRSAKey; E.2.4 BER Encoding 0xa0,0x51,0xa0,0x4f,0x30,0x4d,0x30,0x12,0x0c,0x04,0x4b,0x45,0x59,0x31,0x03,0x02,
42、0x05,0x80,0x04,0x03,0x41,0x44,0x4d,0x02,0x01,0x01,0x30,0x12,0x04,0x01,0x9b,0x03, 0x03,0x06,0x20,0x40,0x01,0x01,0xff,0x03,0x02,0x03,0x98,0x02,0x01,0x0a,0xa0,0x13, 0x30,0x11,0xa0,0x0f,0x30,0x0d,0x02,0x01,0x05,0x04,0x08,0x31,0x32,0x33,0x34,0x35, 0x36,0x37,0x38,0xa1,0x0e,0x30,0x0c,0x30,0x06,0x04,0x04,0x
43、3f,0x00,0x40,0x41,0x02, 0x02,0x04,0x00 Table E.1 is a diagrammatic representation of this BER encoding. -,-,- ISO/IEC 7816-15:2004/Amd.1:2007(E) 6 ISO/IEC 2007 All rights reserved Table E.1 EF.PrKD of RSA private Key Data Type A0 51 CIOChoice: Private key data object A0 4F PrivateKeyChoice: Private
44、RSA Key 30 4D Private RSA Key object 30 12 Common object Attribute 0C04 label 4B, 45, 59, 31 UTF8String 03 02 flags 05, 80 BIT STRING 04 03 auth Id 41, 44, 44 OCTET STRING 02 01 userConsent 01 INTEGER 30 12 Common Key Attrribute 04 01 iD 9B OCTET STRING 03 03 usage 06, 20, 40 BIT STRING 01 01 native
45、 FF BOOLEAN 03 02 accessFlags 03, 98 BIT STRING 02 01 keyReference 0A INTEGER -,-,- ISO/IEC 7816-15:2004/Amd.1:2007(E) ISO/IEC 2007 All rights reserved 7 Table E.1 (continued) A0 13 Common Private Key Attribute 30 11 Sequence A00FkeyIdentifier 30 0DSequence 02 01 idType 05 INTEGER 60 08 idValue 31,
46、32, 33, 34, 35, 36, 37, 38 OpenType A1 0e Private RSA key attribute 30 0CSequence 30 06 Path 04 04 efidOrPath 3F, 00, 40, 41 OCTET STRING 02 02 modulusLength 04, 00 INTEGER -,-,- ISO/IEC 7816-15:2004/Amd.1:2007(E) 8 ISO/IEC 2007 All rights reserved E.3 Encoding of a Protected Data Container E.3.1 Cr
47、yptographic Information Application Example Description A data container object with two security conditions, one for READ and one for UPDATE. The data in the data container is a BER-TLV. The secret key SK-1 must be verified in order to change password AO-1. E.3.2 ASN.1 Encoding of the Protected Data Container Object dataContainerObjects objects - SEQUENCE OF - iso7816DO - SEQUENCE - commonObjectAttributes - SEQUENCE - label 444f2d31H - “DO-1“ -, f