Table of Contents
Background and Goals
The bootstrap process enables the OBE to interact with the SCMS.
Bootstrapping is executed at the start of the OBE's lifecycle. At the start of bootstrapping, the OBE has no SCMS certificates and no knowledge of how to contact the SCMS. At the end of bootstrapping the OBE has the following:
- Certificates and information that allows an OBE to trust the SCMS:
- The required Root CA certificate(s), optional Intermediate CA and Pseudonym CA certificates to allow it to verify received messages. The OBE can learn unknown PCA and ICA certificates in ongoing operation as defined in IEEE 1609.2 P2P CD. At minimum, any EE needs the certificate chain of the PCA that issued certificates to it.
- The latest CRL (includes the CRL Generator certificate, which in turn includes the FQDN of the CRL store)
- The MA certificate to encrypt misbehavior reports, before submitting them to the RA
- Credentials and information allowing an OBE to communicate with the SCMS:
- A correctly issued enrollment certificate, private key reconstruction value, and ECA certificate.
- The RA certificate (which includes the FQDN of the RA).
Bootstrapping must protect the OBE from getting incorrect information, and the ECA from issuing a certificate to an unauthorized OBE. Any bootstrapping process is acceptable, that results in secure placement of this information on an OBE device.
Assumptions and Preconditions
- A documented procedure for performing the enrollment process.
-
A “secure environment” as defined in Secure Environment for Device Enrollment, ensures that the OBE is under control of the operator running the bootstrapping operation.
- One or more authorized devices (computers) for managing the enrollment process.
- An activity log or recording of the enrollment operations performed.
- A user account at the USDOT workflow tool.
Process Steps
Manual Bootstrapping Process - QA Environment
The CV Pilot will initially use a manual bootstrapping process that combines device initialization and enrollment. The following process applies to the SCMS QA stage. The vendor will initiate this process by requesting device initialization information and enrollment certificate from a DOT Workflow Approval tool, as depicted in this process:
| Step | Actor | Description | Status | Assignee |
|---|---|---|---|---|
| 1 | Vendor | Logs into CVCS Samanage, initiates an enrollment certificate request. There is a dedicated form for that. |
New |
USDOT |
| 2 | USDOT |
Logs into CVCS Samanage and reviews the enrollment certificate request form. They ensure that:
USDOT Personnel approve the request, if it meets the above criteria, and USDOT sends the request back to the Vendor for them add the enrollment certificate signing request. |
Awaiting Customer Input |
Leidos |
| 3 | Vendor |
The vendor in his secure
environment generates in each OBE a verification key pair (see
Public Key Algorithms in CB2: Types of Cryptographic Algorithms). The
private key is used to sign the enrollment certificate request (CSR) in step 4. The public key is
added to the request and used by the ECA subsequently as input to calculating the public value
within the implicit certificate, issued at end of this process. |
Awaiting Customer Input |
Leidos |
| 4 | Vendor |
The vendor in a secure environment creates an enrollment certificate signing request for each device, a signed structure called SignedEeEnrollmentCertRequest. The CSR includes the verification public key to use to create the public key reconstruction value in the enrollment certificate. The enrollment certificate request permissions (PSIDs, SSPs, Geographic Region) and lifetime are stated in the CSR as well. The vendor signs the CSR with the device’s private key, and writes the CSR to a file with filename format <enrollment pub hex>.oer in OER encoding. The vendor then collects multiple CSRs, places them in a flat directory and zips the directory. The directory structure within the zip file should look identical to the following example. IMPORTANT: DUE TO AUTOMATED PROCESSING OF REQUESTS, DEVIATIONS FROM THIS ZIPFILE AND DIRECTORY STRUCTURE WILL RESULT IN REQUESTS FAILING TO BE PROCESSED. |
Awaiting Customer Input |
Leidos |
| 5 | Vendor |
Vendor logs into CVCS Samanage and attaches the enrollment request zip file to the previous enrollment request form. |
Awaiting Customer Input |
Leidos |
| 6 | Leidos |
Reviews Enrollment Request Form and ensures files have been attached and manually verifies the following fields:
|
Assigned |
SCMS Operations |
| 7 | SCMS Operations |
Logs into CVCS Samanage and downloads the enrollment certificate request zip file. |
Work in Progress |
SCMS Operations |
| 8 | SCMS Operations |
Executes their enrollment requests script to create enrollment certificates. If successful move to Step 9. The ECA generates and returns an enrollment certificate for each individual request. The response is a signed structure called SignedEeEnrollmentCertResponse. The SCMS operator collects all ECA responses, creates a directory structure that includes bootstrapping information as well as one directory per CSR using the filename of the CSR as directory name. Each of those directories contains the RA certificate to be used by the OBE to communicate with the SCMS, the certificate of the ECA that signed the enrollment certificate, as well as the enrollmentCert itself and the privKeyReconstruction. The SCMS operator zips all files into a single zip file. Following the example in step 4, the directory structure within the zip file would look like this (please be aware that the Root CA certificate is explicitly given in the file root.oer): |
Work in Progress |
SCMS Operations |
| 8a | SCMS Operations |
If SCMS Operations finds an error within the request, SCMS Operations will send the Error Response to the Vendor through the CVCS enrollment request. |
Awaiting Customer Input |
SCMS Operator |
| 8b | Vendor |
Requests help/clarification in understanding the error found in the enrollment certificate signing request as a comment to the Enrollment Request Form. |
Work in Progress |
Leidos |
| 8c | Vendor |
Looks for an existing solution that will fix the vendors error. If they find a solution they provide it to the vendor. |
Awaiting Customer Input |
SCMS Operator |
| 8d | Vendor |
If an existing solution cannot be found, Leidos requests the vendor submit the Technical Support form and sends the Vendor the link. |
Awaiting Customer Input |
SCMS Operator |
| 8e | Vendor |
Corrects the error and reattaches the enrollment certificate signing request to the Enrollment Request Form. |
Awaiting Customer Input |
SCMS Operator |
| 9 | SCMS Operator |
Logs into the CVCS Samanage and creates an enrollment certificate response for the appropriate vendor and attaches the enrollment response zip file. |
Resolved |
Vendor |
| 10 | Vendor |
Vendor logs into CVCS Samanage and downloads their device enrollment certificates in their secure environment. |
Resolved |
Vendor |
| 11 | Vendor |
The vendor loads the appropriate enrollment certificate onto the appropriate device, in their secure environment. |
Resolved |
Vendor |
Manual Bootstrapping Process - PROD Environment
The CV Pilot will initially use a manual Bootstrap Process that combines device initialization and enrollment. The process on the SCMS PROD stage is essentially the same as for QA (see QA process above) with the exception that the vendor must first submit their OBE device to a certification lab for certification before requesting the device enrollment certificate. The complete process is described below:
- Vendor submits their device to one of the device certification companies for certification. Vendor logs into DOT Workflow Approval tool and creates a device certification request, for a specific model of device, selecting the appropriate device certification company.
- Device certification company conducts device certification testing. After successful completion of certification, device certification company notifies DOT Workflow Approval tool of certification for the specific device model, and attaches certification documentation. DOT Workflow Approval tool notifies the vendor and USDOT of the approval, and maintains device certification documentation in database of certified devices.
- to 11. Same as step 1-9 in QA
Enrollment certificate request checks
The following checks have to be done in step 6:
- The CSR only contains PSID from SCMS PoC Supported V2X Applications
- The CSR only contains PSIDs the device is eligible to
- The CSR contains the right SSP values for the requested PSID
- The CSR only contains SSP values the device is eligible to
- The CSR only contains Region USA
- The CSR does not contain a public key that was used with a previous enrollment cert request
- The CSR does have a validity period that fits the ECA's validity period
- The CSR contains the correct cracaId
- The CSR contains the correct crlSeries
- The CSR contains a useful CertificateId
OBE Bootstrap Process Logging Requirement
The following bootstrap operation information must be logged and maintained by the organization performing the PROD bootstrapping process, for each unique device, and for each enrollment certificate, if multiple enrollment certificates are requested for a single device.
- OBE serial number or unique unit identifier
- Initial Bootstrap Start Date
- Bootstrap LCCF file version identifier
- Bootstrap LPF file version identifier
- Enrollment cert
- Bootstrap Complete Date
Enrollment Certificate Request Example
The following clear text is an example for an enrollment certificate request that we provide in an OER encoded version, as it is supposed to be sent during manual enrollment.
Additional Reference Information
- CB2: Types of Cryptographic Algorithms
- Approved Cryptographic Algorithms
- Approved Random Number Generators
ASN.1 Specification
--
-- Copyright 2017 Crash Avoidance Metrics Partner, VSC5 Consortium
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
-- @namespace IEEE1609dot2ScmsProtocol
IEEE1609dot2ScmsProtocol {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) protocol(1)}
DEFINITIONS AUTOMATIC TAGS ::= BEGIN
EXPORTS ALL;
IMPORTS
HashAlgorithm,
HashedId32,
SequenceOfPsid,
SequenceOfPsidSsp,
Uint8,
Uint16
FROM IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base(1) base-types(2)}
Certificate,
Ieee1609Dot2Data,
SequenceOfCertificate,
Signature,
SignerIdentifier
FROM IEEE1609dot2 {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base (1) schema (1)}
MisbehaviorReportingPsid,
SecurityMgmtPsid
FROM Ieee1609dot2ScmsBaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2)
scms (2) interfaces(1) base-types (2)}
ScmsComponentCertificateManagementPDU
FROM Ieee1609Dot2ScmsComponentCertificateManagement
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) component-certificate-management(3)}
EcaEndEntityInterfacePDU
FROM Ieee1609Dot2EcaEndEntityInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) eca-ee(5)}
EndEntityMaInterfacePDU
FROM Ieee1609Dot2EndEntityMaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) ee-ma(7)}
EndEntityRaInterfacePDU
FROM Ieee1609Dot2EndEntityRaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) ee-ra(8)}
LaMaInterfacePDU
FROM Ieee1609Dot2LaMaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) la-ma(9)}
LaPcaInterfacePDU
FROM Ieee1609Dot2LaPcaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) la-pca(10)}
LaRaInterfacePDU
FROM Ieee1609Dot2LaRaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) la-ra(11)}
MaPcaInterfacePDU
FROM Ieee1609Dot2MaPcaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) ma-pca(13)}
MaRaInterfacePDU
FROM Ieee1609Dot2MaRaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) ma-ra(14)}
PcaRaInterfacePDU
FROM Ieee1609Dot2PcaRaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) pca-ra(15)}
RaPgInterfacePDU
FROM Ieee1609Dot2RaPgInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2)
scms(2) interfaces(1) ra-pg(16)}
CertificateChainFiles
FROM IEEE1609dot2-cert-chains {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base (1) cert-chains (4)}
PolicyFiles
FROM Ieee1609dot2ScmsPolicyTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2)
scms (2) interfaces(1) policy-types (500)}
;
---
-- @brief The ScmsPDU is the parent structure that encompasses all parent
-- structures of interfaces defined in the SCMS.
-- @class ScmsPDU
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @param content encloses the information of an SCMS interface.
-- @param ccm contains the component certificate management interface
-- structure.
-- @param eca-ee contains the interface structure defined for interaction
-- between Enrollment Certificate Authority (ECA) and an End
-- Entity (EE).
-- @param ee-ma contains the interface structure defined for interaction
-- between an End Entity (EE) and Misbehavior Authority (MA).
-- @param ee-ra contains the interface structure defined for interaction
-- between an End Entity (EE) and Registration Authority (RA).
-- @param la-ma contains the interface structure defined for interaction
-- between Linkage Authority (LA) and Misbehavior Authority (MA).
-- @param la-pca contains the interface structure defined for interaction
-- between Linkage Authority (LA) and Pseudonym Certificate
-- Authority (PCA).
-- @param la-ra contains the interface structure defined for interaction
-- between Linkage Authority (LA) and Registration Authority (RA).
-- @param ma-pca contains the interface st@ucture defined for interaction
-- between Misbehavior Authority (MA) and Pseudonym Certificate
-- Authority (PCA).
-- @param ma-ra contains the interface structure defined for interactions
-- between Misbehavior Authority (MA) and Registration Authority
-- (RA).
-- @param pca-ra contains the interface structure defined for interactions
-- between Pseudonym Certificate Authority (PCA) and Registration
-- Authority (RA).
-- @param ra-pg contains the interface structure defined for interactions
-- between Registration Authority (RA) and Policy Generator (PG).
ScmsPDU ::= SEQUENCE {
version Uint8(1),
content CHOICE {
ccm ScmsComponentCertificateManagementPDU,
eca-ee EcaEndEntityInterfacePDU,
ee-ma EndEntityMaInterfacePDU,
ee-ra EndEntityRaInterfacePDU,
la-ma LaMaInterfacePDU,
la-pca LaPcaInterfacePDU,
la-ra LaRaInterfacePDU,
ma-pca MaPcaInterfacePDU,
ma-ra MaRaInterfacePDU,
pca-ra PcaRaInterfacePDU,
ra-pg RaPgInterfacePDU,
...
}
}
---
-- @brief This is a collection structure designed for transferring certificate
-- and policy files among SCMS entities.
-- @class ScmsFile
-- @param version contains the current version of the data type. The
-- version specified in this document is version 1,
-- represented by the integer 1.
-- @param content encloses information of an SCMS file.
-- @param cert-chain contains the chain of certificates through which the
-- necessary entities can be recursively verified.
-- @param policy contains files that define policies about certificates
-- (e.g. certificate lifetimes)
ScmsFile ::= SEQUENCE {
version Uint8(1),
content CHOICE {
cert-chain CertificateChainFiles,
policy PolicyFiles,
...
}
}
-- *************************************************************************
--
-- Scoped
--
-- *************************************************************************
-- *** EE-CA ***************************************************************
---
-- @brief This structure defines the EeEcaCertRequest as a scoped version of
-- the ScmsPDU.
-- @class ScopedEeEnrollmentCertRequest
ScopedEeEnrollmentCertRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
eca-ee (WITH COMPONENTS {
eeEcaCertRequest
})
})
})
---
-- @brief This structure defines the EcaEeCertResponse as a scoped version of
-- the ScmsPDU.
-- @class ScopedEeEnrollmentCertResponse
ScopedEeEnrollmentCertResponse ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
eca-ee (WITH COMPONENTS {
ecaEeCertResponse
})
})
})
-- *** EE-MA ***************************************************************
---
-- @brief This structure defines the MisbehaviorReport as a scoped version of
-- the ScmsPDU.
-- @class ScopedMisbehaviorReport
ScopedMisbehaviorReport ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ma (WITH COMPONENTS {
misbehaviorReport
})
})
})
-- *** EE-RA ***************************************************************
---
-- @brief This structure defines the EeRaCertRequest as a scoped version of the
-- ScmsPDU.
-- @class ScopedEeRaCertRequest
ScopedEeRaCertRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ra (WITH COMPONENTS {
eeRaCertRequest
})
})
})
---
-- @brief This structure defines the RaEeCertResponse as a scoped version of
-- the ScmsPDU.
-- @class ScopedRaEeCertResponse
ScopedRaEeCertResponse ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ra (WITH COMPONENTS {
raEeCertResponse
})
})
})
---
-- @brief This structure defines the EeRaPseudonymCertProvisioningRequest as a
-- scoped version of the ScmsPDU.
-- @class ScopedPseudonymCertProvisioningRequest
ScopedPseudonymCertProvisioningRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ra (WITH COMPONENTS {
eeRaPseudonymCertProvisioningRequest
})
})
})
---
-- @brief This structure defines the RaEePseudonymCertProvisioningAck as a
-- scoped version of the ScmsPDU.
-- @class ScopedPseudonymCertProvisioningAck
ScopedPseudonymCertProvisioningAck ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ra (WITH COMPONENTS {
raEePseudonymCertProvisioningAck
})
})
})
---
-- @brief This structure defines the EeRaIdCertProvisioningRequest as a scoped
-- version of the ScmsPDU.
-- @class ScopedIdCertProvisioningRequest
ScopedIdCertProvisioningRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ra (WITH COMPONENTS {
eeRaIdCertProvisioningRequest
})
})
})
---
-- @brief This structure defines the RaEeIdCertProvisioningAck as a scoped
-- version of the ScmsPDU.
-- @class ScopedIdCertProvisioningAck
ScopedIdCertProvisioningAck ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ra (WITH COMPONENTS {
raEeIdCertProvisioningAck
})
})
})
---
-- @brief This structure defines the EeRaAppCertProvisioningRequest as a
-- scoped version of the ScmsPDU.
-- @class ScopedAppCertProvisioningRequest
ScopedAppCertProvisioningRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ra (WITH COMPONENTS {
eeRaAppCertProvisioningRequest
})
})
})
---
-- @brief This structure defines the RaEeAppCertProvisioningAck as a scoped
-- version of the ScmsPDU.
-- @class ScopedAppCertProvisioningAck
ScopedAppCertProvisioningAck ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ra (WITH COMPONENTS {
raEeAppCertProvisioningAck
})
})
})
---
-- @brief This structure defines the GlobalCertificateChainFile as a scoped
-- version of the ScmsPDU.
-- @class ScopedGlobalCertificateChainFile
ScopedGlobalCertificateChainFile ::=
ScmsFile (WITH COMPONENTS {...,
content (WITH COMPONENTS {
cert-chain( WITH COMPONENTS {
globalCertificateChainFile
})
})
})
---
-- @brief This structure defines the LocalCertificateChainFile as a scoped
-- version of the ScmsPDU.
-- @class ScopedLocalCertificateChainFile
ScopedLocalCertificateChainFile ::=
ScmsFile (WITH COMPONENTS {...,
content (WITH COMPONENTS {
cert-chain( WITH COMPONENTS {
localCertificateChainFile
})
})
})
---
-- @brief This structure defines the GlobalPolicyFile as a scoped version of
-- the ScmsPDU.
-- @class ScopedGlobalPolicyFile
ScopedGlobalPolicyFile ::=
ScmsFile (WITH COMPONENTS {...,
content (WITH COMPONENTS {
policy( WITH COMPONENTS {
globalPolicyFile
})
})
})
---
-- @brief This structure defines the LocalPolicyFile as a scoped version of
-- the ScmsPDU.
-- @class ScopedLocalPolicyFile
ScopedLocalPolicyFile ::=
ScmsFile (WITH COMPONENTS {...,
content (WITH COMPONENTS {
policy( WITH COMPONENTS {
localPolicyFile
})
})
})
---
-- @brief This structure defines the EeRaAuthenticatedDownloadRequest as a
-- scoped version of the ScmsPDU.
-- @class ScopedAuthenticatedDownloadRequest
ScopedAuthenticatedDownloadRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ee-ra (WITH COMPONENTS {
eeRaAuthenticatedDownloadRequest
})
})
})
-- *** LA-MA ***************************************************************
---
-- @brief This structure defines the MaLaLinkageInfoRequest as a scoped
-- version of the ScmsPDU.
-- @class ScopedLIRequest
ScopedLIRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-ma (WITH COMPONENTS {
maLaLinkageInfoRequest
})
})
})
---
-- @brief This structure defines the LaMaLinkageInfoResponse as a scoped
-- version of the ScmsPDU.
-- @class ScopedLIReply
ScopedLIReply ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-ma (WITH COMPONENTS {
laMaLinkageInfoResponse
})
})
})
---
-- @brief This structure defines the MaLaLinkageSeedRequest as a scoped
-- version of the ScmsPDU.
-- @class ScopedLSRequest
ScopedLSRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-ma (WITH COMPONENTS {
maLaLinkageSeedRequest
})
})
})
---
-- @brief This structure defines the LaMaLinkageSeedResponse as a scoped
-- version of the ScmsPDU.
-- @class ScopedLSReply
ScopedLSReply ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-ma (WITH COMPONENTS {
laMaLinkageSeedResponse
})
})
})
-- *** LA-PCA **************************************************************
---
-- @brief This structure defines the PcaLaKeyAgreementRequest as a scoped
-- version of the ScmsPDU.
-- @class ScopedPcaLaKeyAgreementRequest
ScopedPcaLaKeyAgreementRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-pca (WITH COMPONENTS {
pcaLaKeyAgreementRequest
})
})
})
---
-- @brief This structure defines the LaPcaKeyAgreementResponse as a scoped
-- version of the ScmsPDU.
-- @class ScopedLaPcaKeyAgreementResponse
ScopedLaPcaKeyAgreementResponse ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-pca (WITH COMPONENTS {
laPcaKeyAgreementResponse
})
})
})
---
-- @brief This structure defines the PcaLaKeyAgreementAck as a scoped version
-- of the ScmsPDU.
-- @class ScopedPcaLaKeyAgreementAck
ScopedPcaLaKeyAgreementAck ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-pca (WITH COMPONENTS {
pcaLaKeyAgreementAck
})
})
})
-- *** LA-RA ***************************************************************
---
-- @brief This structure defines the RaLaIndividualPreLinkageValueRequest as a
-- scoped version of the ScmsPDU.
-- @class ScopedRaLaIndividualPreLinkageValueRequest
ScopedRaLaIndividualPreLinkageValueRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-ra (WITH COMPONENTS {
raLaIndividualPreLinkageValueRequest
})
})
})
---
-- @brief This structure defines the RaLaGroupPreLinkageValueRequest as a
-- scoped version of the ScmsPDU.
-- @class ScopedRaLaGroupPreLinkageValueRequest
ScopedRaLaGroupPreLinkageValueRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-ra (WITH COMPONENTS {
raLaGroupPreLinkageValueRequest
})
})
})
---
-- @brief This structure defines the LaRaPreLinkageValueResponse as a scoped
-- version of the ScmsPDU.
-- @class ScopedLaRaPreLinkageValueResponse
ScopedLaRaPreLinkageValueResponse ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
la-ra (WITH COMPONENTS {
laRaPreLinkageValueResponse
})
})
})
-- *** MA-PCA **************************************************************
---
-- @brief This structure defines the MaPcaPreLinkageValueRequest as a scoped
-- version of the ScmsPDU.
-- @class ScopedMaPcaPreLinkageValueRequest
ScopedMaPcaPreLinkageValueRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-pca (WITH COMPONENTS {
maPcaPreLinkageValueRequest
})
})
})
---
-- @brief This structure defines the PcaMaPreLinkageValueResponse as a scoped
-- version of the ScmsPDU.
-- @class ScopedPcaMaPreLinkageValueResponse
ScopedPcaMaPreLinkageValueResponse ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-pca (WITH COMPONENTS {
pcaMaPreLinkageValueResponse
})
})
})
---
-- @brief This structure defines the MaPcaHPCRRequest as a scoped version of
-- the ScmsPDU.
-- @class ScopedMaPcaHPCRRequest
ScopedMaPcaHPCRRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-pca (WITH COMPONENTS {
maPcaHPCRRequest
})
})
})
---
-- @brief This structure defines the PcaMaHPCRResponse as a scoped version of
-- the ScmsPDU.
-- @class ScopedPcaMaHPCRResponse
ScopedPcaMaHPCRResponse ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-pca (WITH COMPONENTS {
pcaMaHPCRResponse
})
})
})
-- *** MA-RA **************************************************************
---
-- @brief This structure defines the MaRaBlacklistRequest as a scoped version
-- of the ScmsPDU.
-- @class ScopedBlacklistRequest
ScopedBlacklistRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-ra (WITH COMPONENTS {
maRaBlacklistRequest
})
})
})
---
-- @brief This structure defines the RaMaBlacklistResponse as a scoped version
-- of the ScmsPDU.
-- @class ScopedBlacklistResponse
ScopedBlacklistResponse ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-ra (WITH COMPONENTS {
raMaBlacklistResponse
})
})
})
---
-- @brief This structure defines the MaRaLCIRequest as a scoped version of the
-- ScmsPDU.
-- @class ScopedLCIRequest
ScopedLCIRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-ra (WITH COMPONENTS {
maRaLCIRequest
})
})
})
---
-- @brief This structure defines the RaMaLCIResponse as a scoped version of
-- the ScmsPDU.
-- @class ScopedLCIResponse
ScopedLCIResponse ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-ra (WITH COMPONENTS {
raMaLCIResponse
})
})
})
---
-- @brief This structure defines the MaRaRseObeIdBlacklistRequest as a scoped
-- version of the ScmsPDU.
-- @class ScopedRseObeIdBlacklistRequest
ScopedRseObeIdBlacklistRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-ra (WITH COMPONENTS {
maRaRseObeIdBlacklistRequest
})
})
})
---
-- @brief This structure defines the RaMaRseObeIdBlacklistResponse as a scoped
-- version of the ScmsPDU.
-- @class ScopedRseObeIdBlacklistResponse
ScopedRseObeIdBlacklistResponse ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ma-ra (WITH COMPONENTS {
raMaRseObeIdBlacklistResponse
})
})
})
-- *** PCA-RA *************************************************************
---
-- @brief This structure defines the RaPcaCertRequest as a scoped version of
-- the ScmsPDU.
-- @class ScopedRaPcaCertificateRequest
ScopedRaPcaCertificateRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
pca-ra (WITH COMPONENTS {
raPcaCertRequest
})
})
})
---
-- @brief This structure defines the PcaRaCertResponse as a scoped version of
-- the ScmsPDU.
-- @class ScopedPcaRaCertificateRequestReply
ScopedPcaRaCertificateRequestReply ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
pca-ra (WITH COMPONENTS {
pcaRaCertResponse
})
})
})
-- *** RA-PG *************************************************************
---
-- @brief This structure defines the RaPgPolicySignatureRequest as a scoped
-- version of the ScmsPDU.
-- @class ScopedRaPgPolicySignatureRequest
ScopedRaPgPolicySignatureRequest ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ra-pg (WITH COMPONENTS {
raPgPolicySignatureRequest
})
})
})
---
-- @brief This structure defines the RaPgPolicySignatureRequestReply as a
-- scoped version of the ScmsPDU.
-- @class ScopedRaPgPolicySignatureRequestReply
ScopedRaPgPolicySignatureRequestReply ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ra-pg (WITH COMPONENTS {
raPgPolicySignatureRequestReply
})
})
})
-- *** Scoped certificate requests **************************************
---
-- @brief This structure defines the all certificate requests messages as
-- scoped version of the ScmsPDU.
-- @class ScopedCertificateRequest
ScopedCertificateRequest ::= ScmsPDU (
ScopedEeRaCertRequest |
ScopedEeEnrollmentCertRequest |
ScopedPseudonymCertProvisioningRequest |
ScopedIdCertProvisioningRequest |
ScopedAppCertProvisioningRequest |
ScopedRaPcaCertificateRequest |
ScopedAuthenticatedDownloadRequest )
--*************************************************************************
--
-- Certificate Request
--
--**********************************************************************
---
-- @brief This structure defines the a format of a signed certificate
-- request.
-- @class SignedCertificateRequest
-- @param hashId is the hash of the current request.
-- @param tbsRequest contains the certificate request information that
-- is signed by the recipient.
-- @param signer denotes the signing entity's identifier.
-- @param signature contains the request sender's signature.
SignedCertificateRequest ::= SEQUENCE {
hashId HashAlgorithm,
tbsRequest ScopedCertificateRequest,
signer SignerIdentifier,
signature Signature
}
-- *************************************************************************
-- *************************************************************************
--
-- Secured
--
-- *************************************************************************
-- *************************************************************************
---
-- @brief This structure contains either secured (encrypted) or unsecured
-- (plaintext) data as per need. It follows the same structure defined
-- for Ieee1609Dot2Data in
-- 1609dot2-schema.asn.
-- @class SecuredScmsPDU
SecuredScmsPDU ::= Ieee1609Dot2Data
-- *************************************************************************
--
-- EE-ECA
--
-- *************************************************************************
---
-- @brief This structure contains the ScopedEeEnrollmentCertRequest which
-- encloses the EeEcaCertRequest. EE sends this message to the ECA to
-- request enrollment certificates for itself. EE signs this message
-- using its private key generated during bootstrapping.
-- @class SignedEeEnrollmentCertRequest
-- @param content contains an EEs enrollment certificate request and the EEs
-- self signature.
-- @see EeEcaCertRequest
SignedEeEnrollmentCertRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedCertificateRequest (CONTAINING
SignedCertificateRequest (WITH COMPONENTS {...,
tbsRequest (ScopedEeEnrollmentCertRequest),
signer (WITH COMPONENTS {
self
})
})
)
})
})
---
-- @brief This structure contains the ScopedEeEnrollmentCertResponse which
-- encloses the EcaEeCertResponse. ECA responds on an EE's
-- SignedEeEnrollmentCertRequest using this message. ECA signs this
-- message using its private key corresponding to its EcaCertificate.
-- @class SignedEeEnrollmentCertResponse
-- @param content contains the ScopedEeEnrollmentCertResponse.
-- @see EcaEeCertResponse, EcaCertificate
SignedEeEnrollmentCertResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedEeEnrollmentCertResponse)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
-- *************************************************************************
--
-- EE-MA
--
-- *************************************************************************
---
-- @brief This structure contains SignedMisbehaviorReport and is sent by an EE
-- to MA through RA. EE sends this misbehavior reports to MA using
-- using structure. EE encrypts this message using MA's public key from
-- MaCertificate that it obtains during bootstrapping.
-- @class SecuredMisbehaviorReport
-- @param content contains the encrypted misbehavior reports generated by an
-- EE; decrypts to a SignedMisbehaviorReport.
-- @see MisbehaviorReportContents, MaCertificate
SecuredMisbehaviorReport ::= SecuredScmsPDU(WITH COMPONENTS {...,
content(WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains the misbehavior reports generated by an EE
-- and sent to the RA. The RA forwards this message to the MA in the
-- form of SecuredMisbehaviorReport. The reporting EE signs this message
-- using its private key corresponding to its active
-- ObePseudonymCertificate.
-- @class SignedMisbehaviorReport, ObePseudonymCertificate
-- @param content contains the misbehavior report in the form of
-- ScopedMisbehaviorReport generated by the reporting EE.
-- @see MisbehaviorReportContents
SignedMisbehaviorReport ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedMisbehaviorReport)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (MisbehaviorReportingPsid),
generationTime PRESENT,
expiryTime ABSENT,
generationLocation PRESENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
}),
signer (WITH COMPONENTS {...,
certificate (SequenceOfCertificate (SIZE(1)))
})
})
})
})
-- *************************************************************************
--
-- EE-RA
--
-- *************************************************************************
---
-- @brief This structure contains the encrypted ScopedEeRaCertRequest which
-- contains the EeRaCertRequestMsg. EE sends this message to RA to
-- request RA's currently active RaCertificate. EE encrypts this message
-- using the RA's public key obtained from RaCertificate. If EE
-- requests RA's certificate for the first time, it will encrypt using
-- the key obtained at the time of device bootstrapping.
-- @class SecuredRACertRequest
-- @param content contains the ScopedEeRaCertRequest.
-- @see EeRaCertRequestMsg, RaCertificate
SecuredRACertRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
unsecuredData (CONTAINING ScopedEeRaCertRequest)
})
})
---
-- @brief This structure contains the encrypted ScopedRaEeCertResponse which
-- contains the RaEeCertResponseMsg. RA responds to
-- SecuredRACertRequest using this structure with its active
-- RaCertificate.
-- NOTE ERROR: RA cannot encrypt this message since EE does not send its encryptionKey in its ObeEnrollmentCertificate with SecuredRACertRequest.
-- @class SecuredRACertResponse
-- @param content contains the ScopedRaEeCertResponse
-- @see RaEeCertResponseMsg, ObeEnrollmentCertificate
SecuredRACertResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
unsecuredData (CONTAINING ScopedRaEeCertResponse)
})
})
---
-- @brief This structure contains the ScopedPseudonymCertProvisioningRequest
-- which contains the EeRaPseudonymCertProvisioningRequest structure.
-- EE sends this message to PCA through RA to request
-- ObePseudonymCertificate. EE signs this message using its private key
-- corresponding to its ObeEnrollmentCertificate.
-- @class SignedPseudonymCertProvisioningRequest
-- @param content contains the pseudonym certificate provisioning request and
-- requesting EE's ObeEnrollmentCertificate.
-- @see EeRaPseudonymCertProvisioningRequest, ObePseudonymCertificate,
-- ObeEnrollmentCertificate
SignedPseudonymCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedCertificateRequest (CONTAINING
SignedCertificateRequest (WITH COMPONENTS {...,
tbsRequest (ScopedPseudonymCertProvisioningRequest),
signer (WITH COMPONENTS {
certificate (SequenceOfCertificate (SIZE(1)))
})
})
)
})
})
---
-- @brief This structure contains SignedPseudonymCertProvisioningRequest
-- generated by the requesting EE and sent to the RA. The RA forwards
-- this request to the PCA. EE encrypts this message using PCA's public
-- key obtained during device bootstrapping.
-- @class SecuredPseudonymCertProvisioningRequest
-- @param content contains the encrypted pseudonym certificate provisioning
-- request generated by an EE; decrypts to a
-- SignedPseudonymCertProvisioningRequest.
-- @see EeRaPseudonymCertProvisioningRequest
SecuredPseudonymCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedPseudonymCertProvisioningAck which
-- contains RaEePseudonymCertProvisioningAck. RA acknowledges receipt
-- of an EE's SignedPseudonymCertProvisioningRequest using this
-- structure. RA signs this message using its private key corresponding
-- to its RaCertificate.
-- @class SignedPseudonymCertProvisioningAck
-- @param content contains the ScopedPseudonymCertProvisioningAck.
-- @see RaEePseudonymCertProvisioningAck, RaCertificate
SignedPseudonymCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedPseudonymCertProvisioningAck)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains the SignedPseudonymCertProvisioningAck.
-- NOTE ERROR: PCA cannot encrypt this message since EE does not send an encryptionKey in ObeEnrollmentCertificate in SignedPseudonymCertProvisioningRequest.
-- @class SecuredPseudonymCertProvisioningAck
-- @param content contains the encrypted acknowledgement for pseudonym
-- certificate provisioning; decrypts to
-- SignedPseudonymCertProvisioningAck.
-- @see RaEePseudonymCertProvisioningAck, ObeEnrollmentCertificate
SecuredPseudonymCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains the ScopedIdCertProvisioningRequest
-- which contains the EeRaIdCertProvisioningRequest structure.
-- EE signs this message using its private key corresponding to its
-- ObeEnrollmentCertificate.
-- @class SignedIdCertProvisioningRequest
-- @param content contains the pseudonym certificate provisioning request and
-- requesting EE's enrollment certificate.
-- @see EeRaIdCertProvisioningRequest, ObeEnrollmentCertificate
SignedIdCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedCertificateRequest (CONTAINING
SignedCertificateRequest (WITH COMPONENTS {...,
tbsRequest (ScopedIdCertProvisioningRequest),
signer (WITH COMPONENTS {
certificate (SequenceOfCertificate (SIZE(1)))
})
})
)
})
})
---
-- @brief This structure contains SignedIdCertProvisioningRequest
-- generated by the requesting EE and sent to the RA. The RA forwards
-- this request to the PCA. EE encrypts this message using PCA's public
-- key obtained during device bootstrapping.
-- @class SecuredIdCertProvisioningRequest
-- @param content contains the encrypted pseudonym certificate provisioning
-- request generated by an EE; decrypts to a
-- SignedIdCertProvisioningRequest.
-- @see EeRaIdCertProvisioningRequest
SecuredIdCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains the ScopedIdCertProvisioningAck which
-- contains the RaEeIdCertProvisioningAck. RA signs this message using
-- its private key corresponding to its RaCertificate. RA sends this
-- message to an EE in the form of SecuredIdCertProvisioningAck.
-- @class SignedIdCertProvisioningAck
-- @param content contains the ScopedIdCertProvisioningAck which encloses the
-- RaEeIdCertProvisioningAck.
-- @see RaEeIdCertProvisioningAck, RaCertificate
SignedIdCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedIdCertProvisioningAck)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains the SignedIdCertProvisioningAck.
-- NOTE ERROR: PCA cannot encrypt this message since EE does not send an encryptionKey in ObeEnrollmentCertificate in SignedIdCertProvisioningRequest.
-- @class SecuredIdCertProvisioningAck
-- @param content contains the encrypted acknowledgement for identification
-- certificate provisioning; decrypts to
-- SignedIdCertProvisioningAck.
-- @see RaEeIdCertProvisioningAck, ObeEnrollmentCertificate
SecuredIdCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains the ScopedAppCertProvisioningRequest
-- which contains the EeRaAppCertProvisioningRequest structure.
-- EE signs this message using its private key corresponding to its
-- ObeEnrollmentCertificate.
-- @class SignedAppCertProvisioningRequest
-- @param content contains the pseudonym certificate provisioning request and
-- requesting EE's enrollment certificate.
-- @see EeRaAppCertProvisioningRequest
SignedAppCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedCertificateRequest (CONTAINING
SignedCertificateRequest (WITH COMPONENTS {...,
tbsRequest (ScopedAppCertProvisioningRequest),
signer (WITH COMPONENTS {
certificate (SequenceOfCertificate (SIZE(1)))
})
})
)
})
})
---
-- @brief This structure contains SignedAppCertProvisioningRequest
-- generated by the requesting EE and sent to the RA. The RA forwards
-- this request to the PCA. EE encrypts this message using PCA's public
-- key obtained during device bootstrapping.
-- @class SecuredAppCertProvisioningRequest
-- @param content contains the encrypted pseudonym certificate provisioning
-- request generated by an EE; decrypts to a
-- SignedAppCertProvisioningRequest.
-- @see EeRaAppCertProvisioningRequest
SecuredAppCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains the ScopedAppCertProvisioningAck which
-- contains the RaEeAppCertProvisioningAck. RA signs this message using
-- its private key corresponding to its RaCertificate. RA sends this
-- message to an EE in the form of SecuredAppCertProvisioningAck.
-- @class SignedAppCertProvisioningAck
-- @param content contains the ScopedAppCertProvisioningAck which encloses the
-- RaEeAppCertProvisioningAck.
-- @see RaEeAppCertProvisioningAck, RaCertificate
SignedAppCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedAppCertProvisioningAck)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains the SignedAppCertProvisioningAck.
-- NOTE ERROR: PCA cannot encrypt this message since EE does not send an encryptionKey in ObeEnrollmentCertificate in SignedAppCertProvisioningRequest.
-- @class SecuredAppCertProvisioningAck
-- @param content contains the encrypted acknowledgement for application
-- certificate provisioning; decrypts to
-- SignedAppCertProvisioningAck.
-- @see RaEeAppCertProvisioningAck, ObeEnrollmentCertificate
SecuredAppCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains the ScopedAuthenticatedDownloadRequest which
-- contains the AuthenticatedDownloadRequest. EE signs this message
-- using its private key corresponding to its ObeEnrollmentCertificate.
-- EE sends this message to RA in the form of
-- SecuredAuthenticatedDownloadRequest.
-- @class SignedAuthenticatedDownloadRequest
-- @param content contains the authenticated download request and EE's
-- enrollment certificate.
-- @see AuthenticatedDownloadRequest, ObeEnrollmentCertificate
SignedAuthenticatedDownloadRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedCertificateRequest (CONTAINING
SignedCertificateRequest (WITH COMPONENTS {...,
tbsRequest (ScopedAuthenticatedDownloadRequest),
signer (WITH COMPONENTS {
certificate (SequenceOfCertificate (SIZE(1)))
})
})
)
})
})
---
-- @brief This structure contains the SignedAuthenticatedDownloadRequest and
-- is sent by an EE to the RA. EE encrypts this message using RA's
-- public key obtained at device bootstrapping.
-- @class SecuredAuthenticatedDownloadRequest
-- @param content contains the authenticated download request signed by an EE;
-- decrypts to SignedAuthenticatedDownloadRequest.
-- @see AuthenticatedDownloadRequest
SecuredAuthenticatedDownloadRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedGlobalPolicyFile which contains
-- GlobalPolicyFile. PG signs this message using its private key
-- corresponding to its PgCertificate.
-- @class SignedGlobalPolicyFile
-- @param content contains the ScopedGlobalPolicyFile.
-- @see GlobalPolicyFile, PgCertificate
SignedGlobalPolicyFile ::= Ieee1609Dot2Data( WITH COMPONENTS{...,
content( WITH COMPONENTS{...,
signedData( WITH COMPONENTS{...,
tbsData( WITH COMPONENTS{...,
payload( WITH COMPONENTS{...,
data( WITH COMPONENTS{...,
content( WITH COMPONENTS{...,
unsecuredData( CONTAINING ScopedGlobalPolicyFile )
})
})
})
})
})
})
})
---
-- @brief This structure contains ScopedLocalPolicyFile which contains
-- LocalPolicyFile. PG signs this message using its private key
-- corressponding to its PgCertificate.
-- @class SignedLocalPolicyFile
-- @param content contains the ScopedLocalPolicyFile.
-- @see LocalPolicyFile, PgCertificate
SignedLocalPolicyFile ::= Ieee1609Dot2Data( WITH COMPONENTS{...,
content( WITH COMPONENTS{...,
signedData( WITH COMPONENTS{...,
tbsData( WITH COMPONENTS{...,
payload( WITH COMPONENTS{...,
data( WITH COMPONENTS{...,
content( WITH COMPONENTS{...,
unsecuredData( CONTAINING ScopedLocalPolicyFile )
})
})
})
})
})
})
})
-- *************************************************************************
--
-- LA-MA
--
-- *************************************************************************
---
-- @brief This structure contains ScopedLIRequest which contains
-- MaLaLinkageInfoRequest. MA signs this message using its private key
-- corresponding to its MaCertificate.
-- @class SignedLIRequest
-- @param content contains the ScopedLIRequest.
-- @see MaLaLinkageInfoRequest
SignedLIRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedLIRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This stucture contains SignedLIRequest and is sent by MA to LA.
-- MA encrypts this message using LA's public key that it obtains
-- from LaCertificate received from ICA at Add LA stage.
-- @class SecuredLIRequest
-- @param contains encrypted linkage information signed by MA; decrypts to a
-- SignedLIRequest.
-- @see MaLaLinkageInfoRequest, LaCertificate
SecuredLIRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedLIReply which contains
-- LaMaLinkageInfoResponseMsg. LA signs this message using its private
-- key corresponding to its LaCertificate.
-- @class SignedLIReply
-- @param content contains ScopedLIReply.
-- @see LaMaLinkageInfoResponseMsg, LaCertificate
SignedLIReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedLIReply)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedLIReply and is sent by LA to an MA's
-- SecuredLIRequest. LA encrypts this message using encryptionKey
-- obtained from MaCertificate.
-- @class SecuredLIReply
-- @param content contains LA's response with linkage information; decrypts to
-- a SignedLIReply.
-- @see LaMaLinkageInfoResponseMsg, MaCertificate
SecuredLIReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedLSRequest which contains
-- MaLaLinkageSeedRequestMsg. MA signs this message using its private
-- key corresponding to its MaCertificate.
-- @class SignedLSRequest
-- @param content contains ScopedLSRequest.
-- @see MaLaLinkageSeedRequestMsg, MaCertificate
SignedLSRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedLSRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedLSRequest that is sent by MA to LA to
-- request linkage seed information for misbehavior report analysis. MA
-- encrypts this request using LA's public key that it obtains from
-- LaCertificate received from ICA at Add LA stage.
-- @class SecuredLSRequest
-- @param content contains encrypted linkage seed request message signed by MA
-- ; decrypts to a SignedLSRequest.
-- @see MaLaLinkageSeedRequestMsg, LaCertificate
SecuredLSRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedLSReply which contains
-- LaMaLinkageSeedResponseMsg. LA signs this message using its private
-- key corresponding to its LaCertificate.
-- @class SignedLSReply
-- @param content contains ScopedLSReply.
-- @see LaMaLinkageSeedResponseMsg, LaCertificate
SignedLSReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedLSReply)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedLSReply and is sent by LA to an MA's
-- SecuredLSRequest. LA encrypts this message using encryptionKey in
-- MaCertificate.
-- @class SecuredLSReply
-- @param content contains LA's response with linkage information; decrypts to
-- a SignedLSReply.
-- @see LaMaLinkageSeedResponseMsg
SecuredLSReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData -- decrypts to a SignedLSReply
})
})
-- *************************************************************************
--
-- LA-PCA
--
-- *************************************************************************
---
-- @brief This structure contains ScopedPcaLaKeyAgreementRequest which
-- contains PcaLaKeyAgreementRequestMsg and is sent from PCA to LA to
-- initiate key agreement. PCA signs this message using its private key
-- corresponding to its PcaCertificate.
-- @class SignedPcaLaKeyAgreementRequest
-- @param content contains ScopedPcaLaKeyAgreementRequest.
-- @see PcaLaKeyAgreementRequestMsg
SignedPcaLaKeyAgreementRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedPcaLaKeyAgreementRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains ScopedLaPcaKeyAgreementResponse which
-- contains LaPcaKeyAgreementResponse and is sent from LA to PCA. LA
-- signs this message using its private key corresponding to its
-- LaCertificate.
-- @class SignedLaPcaKeyAgreementResponse
-- @param content contains ScopedLaPcaKeyAgreementResponse.
-- @see LaPcaKeyAgreementResponse, LaCertificate
SignedLaPcaKeyAgreementResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedLaPcaKeyAgreementResponse)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains ScopedPcaLaKeyAgreementAck which contains
-- PcaLaKeyAgreementAck and is sent from PCA to LA. PCA signs this
-- message using private key corresponding to its PcaCertificate.
-- @class SignedPcaLaKeyAgreementAck
-- @param content contains ScopedPcaLaKeyAgreementAck.
-- @see PcaLaKeyAgreementAck, PcaCertificate
SignedPcaLaKeyAgreementAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedPcaLaKeyAgreementAck)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
-- *************************************************************************
--
-- LA-RA
--
-- *************************************************************************
---
-- @brief This structure contains ScopedRaLaIndividualPreLinkageValueRequest
-- which contains RaLaIndividualPreLinkageValueRequest and is sent from
-- RA to LA. RA signs this message using its private key corresponding
-- to its RaCertificate. Generation time is present to prevent replay,
-- keep message for replay check until time corresponding to iMin has
-- been reached.
-- @class SignedRaLaIndividualPreLinkageValueRequest
-- @param content contains ScopedRaLaIndividualPreLinkageValueRequest.
-- @see RaLaIndividualPreLinkageValueRequest, RaCertificate
SignedRaLaIndividualPreLinkageValueRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedRaLaIndividualPreLinkageValueRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime PRESENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains ScopedRaLaGroupPreLinkageValueRequest which
-- contains RaLaGroupPreLinkageValueRequest and is sent by RA to LA. RA
-- signs this message using its private key corresponding to its
-- RaCertificate. Generation time is present to prevent replay,
-- keep message for replay check until time corresponding to iMin has
-- been reached.
-- @class SignedRaLaGroupPreLinkageValueRequest
-- @param content contains ScopedRaLaGroupPreLinkageValueRequest.
-- @see RaLaGroupPreLinkageValueRequest, RaCertificate
SignedRaLaGroupPreLinkageValueRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedRaLaGroupPreLinkageValueRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime PRESENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains ScopedLaRaPreLinkageValueResponse which
-- contains LaRaPreLinkageValueResponse and is sent by LA to RA. LA
-- signs this message using its private key corresponding to its
-- LaCertificate. Generation time is present to prevent replay,
-- keep message for replay check until time corresponding to iMin has
-- been reached.
-- @class SignedLaRaPreLinkageValueResponse
-- @param content contains ScopedLaRaPreLinkageValueResponse.
-- @see LaRaPreLinkageValueResponse, LaCertificate
SignedLaRaPreLinkageValueResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedLaRaPreLinkageValueResponse)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime PRESENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
-- *************************************************************************
--
-- MA-PCA
--
-- *************************************************************************
---
-- @brief This structure contains ScopedMaPcaPreLinkageValueRequest which
-- contains MaPcaPreLinkageValueRequest and is sent from MA to PCA. MA
-- signs this message using its private key corresponding to its
-- MaCertificate.
-- @class SignedMaPcaPreLinkageValueRequest
-- @param content contains ScopedMaPcaPreLinkageValueRequest.
-- @see MaPcaPreLinkageValueRequest, MaCertificate
SignedMaPcaPreLinkageValueRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedMaPcaPreLinkageValueRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedMaPcaPreLinkageValueRequest and is
-- sent by MA to PCA. MA encrypts this message using encryptionKey from
-- PCA's PcaCertificate.
-- @class SecuredMaPcaPreLinkageValueRequest
-- @param content contains MA's request to gain pre-linkage values from PCA;
-- decrypts to a SignedMaPcaPreLinkageValueRequest.
-- @see PcaCertificate
SecuredMaPcaPreLinkageValueRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedPcaMaPreLinkageValueResponse which
-- contains PcaMaPreLinkageValueResponse and is sent by PCA to MA. PCA
-- signs this message using its private key corresponding to its
-- PcaCertificate.
-- @class SignedPcaMaPreLinkageValueResponse
-- @param content contains ScopedPcaMaPreLinkageValueResponse.
-- @see PcaMaPreLinkageValueResponse, PcaCertificate
SignedPcaMaPreLinkageValueResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedPcaMaPreLinkageValueResponse)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedPcaMaPreLinkageValueResponse and is
-- sent by PCA to MA. PCA encrypts this message using the encryptionKey
-- in MaCertificate.
-- @class SecuredPcaMaPreLinkageValueResponse
-- @param content contains response from PCA with pre-linkage values requested
-- by MA; decrypts to a SignedPcaMaPreLinkageValueResponse.
-- @see MaCertificate
SecuredPcaMaPreLinkageValueResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedMaPcaHPCRRequest which contains
-- MaPcaHPCRRequest and is sent by MA to PCA. MA signs this message
-- using its private key corresponding to its MaCertificate.
-- @class SignedMaPcaHPCRRequest
-- @param content contains ScopedMaPcaHPCRRequest.
-- @see MaPcaHPCRRequest, MaCertificate
SignedMaPcaHPCRRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedMaPcaHPCRRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedMaPcaHPCRRequest and is sent by MA to
-- PCA. MA encrypts this message using encryptionKey in PCA's
-- PcaCertificate.
-- @class SecuredMaPcaHPCRRequest
-- @param content contains the encrypted HPCR request from MA; decrypts to a
-- SignedMaPcaHPCRRequest.
SecuredMaPcaHPCRRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedPcaMaHPCRResponse which contains
-- PcaMaHPCRResponse and is sent by PCA to MA. PCA signs this message
-- using its private key corresponding to its PcaCertificate.
-- @class SignedPcaMaHPCRResponse
-- @param content contains ScopedPcaMaHPCRResponse.
-- @see PcaMaHPCRResponse, PcaCertificate
SignedPcaMaHPCRResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedPcaMaHPCRResponse)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedPcaMaHPCRResponse and is sent by PCA
-- to MA as a response to MA's SecuredMaPcaHPCRRequest. PCA encrypts
-- data in this message using encryptionKey in MaCertificate.
-- @class SecuredPcaMaHPCRResponse
-- @param content contains the encrypted response from PCA wih HPCR; decrypts
-- to a SignedPcaMaHPCRResponse.
-- @see MaCertificate
SecuredPcaMaHPCRResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData --
})
})
-- *************************************************************************
--
-- MA-RA
--
-- *************************************************************************
---
-- @brief This structure contains ScopedBlacklistRequest which contains
-- MaRaBlacklistRequest and is sent by MA to RA. MA signs this message
-- using the private key corresponding to its MaCertificate.
-- @class SignedBlacklistRequest
-- @param content contains ScopedBlacklistRequest that indicates which
-- pseudonym certificates have been revoked by MA.
-- @see MaRaBlacklistRequest, MaCertificate
SignedBlacklistRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedBlacklistRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedBlacklistRequest and is sent my MA to
-- RA. MA encrypts the data in this message using encryptionKey in RA's
-- RaCertificate.
-- @class SecuredBlacklistRequest
-- @param content contains encrypted request to update RA's internal blacklist;
-- decrypts to a SignedBlacklistRequest.
-- @see RaCertificate
SecuredBlacklistRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedBlacklistResponse which contains
-- RaMaBlacklistResponse and is sent by RA to MA. RA signs this message
-- using the private key corresponding to its RaCertificate.
-- @class SignedBlacklistResponse
-- @param content contains ScopedBlacklistResponse that indicates status of
-- revoked pseudonym certificates.
-- @see RaMaBlacklistResponse, RaCertificate
SignedBlacklistResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedBlacklistResponse)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedBlacklistResponse and is sent as a
-- response by RA to MA's SecuredBlacklistRequest. RA encrypts the data
-- in this message using encryptionKey in MA's MaCertificate.
-- @class SecuredBlacklistResponse
-- @param content contains encrypted status of revoked pseudonym certificates;
-- decrypts to a SignedBlacklistResponse.
-- @see MaCertificate
SecuredBlacklistResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedRseObeIdBlacklistRequest which
-- contains MaRaRseObeIdBlacklistRequest and is sent by MA to RA. MA
-- signs this message using the private key corresponding to its
-- MaCertificate.
-- @class SignedRseObeIdBlacklistRequest
-- @param content contains ScopedRseObeIdBlacklistRequest.
-- @see MaRaRseObeIdBlacklistRequest, MaCertificate
SignedRseObeIdBlacklistRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedRseObeIdBlacklistRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedRseObeIdBlacklistRequest and is sent
-- by MA to RA. MA encrypts this message using the encryptionKey in RA's
-- RaCertificate.
-- @class SecuredRseObeIdBlacklistRequest
-- @param content contains the encrypted status report of revoked
-- identification and application certificates; decrypts to a
-- SignedRseObeIdBlacklistRequest.
-- @see RaCertificate
SecuredRseObeIdBlacklistRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedBlacklistResponse which contains
-- RaMaBlacklistResponse and is sent by RA to MA. RA signs this message
-- using the private key corresponding to its RaCertificate.
-- @class SignedRseObeIdBlacklistResponse
-- @param content contains ScopedBlacklistResponse that notifies the status of
-- revoked identification certificates and application
-- certificates.
-- @see RaMaBlacklistResponse, RaCertificate
SignedRseObeIdBlacklistResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedBlacklistResponse)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedRseObeIdBlacklistResponse and is sent
-- by RA to MA. RA encrypts this message using the encryptionKey in MA's
-- MaCertificate.
-- @class SecuredRseObeIdBlacklistResponse
-- @param content contains encrypted status report of revoked identification
-- and pseudonym certificates; decrypts to a
-- SignedRseObeIdBlacklistResponse.
-- @see MaCertificate
SecuredRseObeIdBlacklistResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
---
-- @brief This structure contains ScopedLCIRequest which contains
-- MaRaLCIRequest and is sent by MA to RA. MA signs this message using
-- the private key corresponding to its MaCertificate.
-- @class SignedLCIRequest
-- @param content contains ScopedLCIRequest.
-- @see MaRaLCIRequest, MaCertificate
SignedLCIRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedLCIRequest)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedLCIRequest and is sent by MA to RA. MA
-- encrypts the data in this message using the encryptionKey in RA's
-- RaCertificate.
-- @class SecuredLCIRequest
-- @param content contains encrypted request for linkage chain identifiers;
-- decrypts to a SignedLCIRequest.
-- @see RaCertificate
SecuredLCIRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData --
})
})
---
-- @brief This structure contains ScopedLCIResponse which contains
-- RaMaLCIResponse and is sent by RA to MA. RA signs this message using
-- the private key corresponding to its RaCertificate.
-- @class SignedLCIResponse
-- @param content contains ScopedLCIResponse
-- @see RaMaLCIResponse, RaCertificate
SignedLCIResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedLCIResponse)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure contains SignedLCIResponse and is sent by RA to MA.
-- RA signs the data in this message using the encryptionKey in MA's
-- MaCertificate.
-- @class SecuredLCIResponse
-- @param content contains encrypted linkage chain identifiers sent by RA;
-- decrypts to a SignedLCIResponse.
-- @see MaCertificate
SecuredLCIResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
encryptedData
})
})
-- *************************************************************************
--
-- PCA-RA
--
-- *************************************************************************
---
-- @brief This structure contains ScopedRaPcaCertificateRequest which contains
-- RaPcaCertRequestMsg. RA encrypts this message before sending it to
-- PCA using encryptionKey in PCA's PcaCertificate sent by the ICA
-- during Add PCA stage.
-- @class SecuredRaPcaCertificateRequest
-- @param content contains ScopedRaPcaCertificateRequest and RA's certificate.
-- @see RaPcaCertRequestMsg
SecuredRaPcaCertificateRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedCertificateRequest (CONTAINING
SignedCertificateRequest (WITH COMPONENTS {...,
tbsRequest (ScopedRaPcaCertificateRequest),
signer (WITH COMPONENTS {
certificate (SequenceOfCertificate (SIZE(1))
)
-- certificate (SequenceOfCertificate (SIZE(1)) (CONSTRAINED BY {
-- Certificate(EndEntityEnrollmentPseudonymCertificate)
-- }))
})
})
)
})
})
---
-- @brief This structure contains ScopedPcaRaCertificateRequestReply which
-- contains PcaRaCertResponseMsg. PCA encrypts this message before
-- sending it to RA using the encryptionKey in RA's RaCertificate.
-- @class SecuredPcaRaCertificateRequestReply
-- @param content contains ScopedPcaRaCertificateRequestReply.
-- @see PcaRaCertResponseMsg
SecuredPcaRaCertificateRequestReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedPcaRaCertificateRequestReply)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime ABSENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
---
-- @brief This structure defines the TbsElectorEndorsement as a scoped version
-- of the ScmsPDU.
-- @class ScopedElectorEndorsement
-- @param content contains TbsElectorEndorsement
-- @see TbsElectorEndorsement
ScopedElectorEndorsement ::=
ScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {
ccm (WITH COMPONENTS {
tbsElectorEndorsement
})
})
})
---
-- @brief This structure contains ScopedElectorEndorsement which contains
-- TbsElectorEndorsement and is used by Electors to endorse addition of
-- a new Elector to the SCMS. The existing Electors sign their
-- endorsements using their private keys corresponding to their
-- respective ElectorCertificate.
-- @class SignedElectorEndorsement
-- @param content contains ScopedElectorEndorsement.
-- @see TbsElectorEndorsement
SignedElectorEndorsement ::= SecuredScmsPDU (WITH COMPONENTS {...,
content (WITH COMPONENTS {...,
signedData (WITH COMPONENTS {...,
tbsData (WITH COMPONENTS {...,
payload (WITH COMPONENTS {...,
data (WITH COMPONENTS {...,
content (WITH COMPONENTS {
unsecuredData (CONTAINING ScopedElectorEndorsement)
})
})
}),
headerInfo (WITH COMPONENTS {...,
psid (SecurityMgmtPsid),
generationTime PRESENT,
expiryTime ABSENT,
generationLocation ABSENT,
p2pcdLearningRequest ABSENT,
missingCrlIdentifier ABSENT,
encryptionKey ABSENT
})
})
})
})
})
-- *************************************************************************
--
-- SSP
--
-- *************************************************************************
---
-- @brief The ScmsSsp is the parent structure that encompasses all Service
-- Specific Permission (SSP) structures defined in the SCMS.
-- @class ScmsSsp
-- @param elector contains SSP defined for an Elector.
-- @param root contains SSP defined for a Root CA.
-- @param pg contains SSP defined for a Policy Generator (PG).
-- @param ica contains SSP defined for an Intermediate Certification Authority (ICA).
-- @param eca contains SSP defined for an Enrollment Certification Authority (ECA).
-- @param pca contains SSP defined for a Pseudonym Certification Authority (PCA).
-- @param crl contains SSP defined for a Certification Revocation List (CRL).
-- @param dcm contains SSP defined for a Device Configuration Manager (DCM).
-- @param la contains SSP defined for a Linkage Authority (LA).
-- @param lop contains SSP defined for a Location Obscurer Proxy (LOP).
-- @param ma contains SSP defined for a Misbehavior Authority (MA).
-- @param ra contains SSP defined for a Registration Authority (RA).
ScmsSsp ::= CHOICE {
elector ElectorSsp,
root RootCaSsp,
pg PGSsp,
ica IcaSsp,
eca EcaSsp,
pca PcaSsp,
crl CrlSignerSsp,
dcm DcmSsp,
la LaSsp,
lop LopSsp,
ma MaSsp,
ra RaSsp,
...
}
---
-- @brief This structure defines the SSP for an Elector.
-- @class ElectorSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
ElectorSsp ::= SEQUENCE {
version Uint8(1),
...
}
---
-- @brief This structure defines the SSP for a Root CA.
-- @class RootCaSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
RootCaSsp ::= SEQUENCE {
version Uint8(1),
...
}
---
-- @brief This structure defines the SSP for a PG.
-- @class PGSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
PGSsp ::= SEQUENCE {
version Uint8(1),
...
}
---
-- @brief This structure defines the SSP for an ICA.
-- @class IcaSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
IcaSsp ::= SEQUENCE {
version Uint8(1),
...
}
---
-- @brief This structure defines the SSP for an ECA.
-- @class EcaSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
EcaSsp ::= SEQUENCE {
version Uint8(1),
...
}
---
-- @brief This structure defines the SSP for a PCA.
-- @class PcaSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
PcaSsp ::= SEQUENCE {
version Uint8(1),
...
}
---
-- @brief This structure defines the SSP for a CRL signer.
-- @class CrlSignerSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
CrlSignerSsp ::= SEQUENCE {
version Uint8(1),
...
}
---
-- @brief This structure defines the SSP for a DCM.
-- @class DcmSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
DcmSsp ::= SEQUENCE {
version Uint8(1),
...
}
---
-- @brief This structure defines the SSP for an LA.
-- @class LaSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
LaSsp ::= SEQUENCE {
version Uint8(1),
laId Uint16,
...
}
---
-- @brief This structure defines the SSP for an LOP.
-- @class LopSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
LopSsp ::= SEQUENCE {
version Uint8(1),
...
}
---
-- @brief This structure defines the SSP for an MA.
-- @class MaSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
MaSsp ::= SEQUENCE {
version Uint8(1),
relevantPsids SequenceOfPsid,
...
}
---
-- @brief This structure defines the SSP for an RA.
-- @class RaSsp
-- @param version contains the current version of the data type. The version
-- specified in this document is version 1, represented by the
-- integer 1.
-- @see Uint8
RaSsp ::= SEQUENCE {
version Uint8(1),
...
}
END
--
-- Copyright 2017 Crash Avoidance Metrics Partner, VSC5 Consortium
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
-- @namespace Ieee1609Dot2EcaEndEntityInterface
Ieee1609Dot2EcaEndEntityInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) eca-ee (5)}
DEFINITIONS AUTOMATIC TAGS ::= BEGIN
EXPORTS ALL;
IMPORTS
HashedId8,
Time32,
Uint8
FROM IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base(1) base-types(2)}
Certificate,
ImplicitCertificate,
ToBeSignedCertificate
FROM IEEE1609dot2 {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base (1) schema (1)}
EccP256PrivateKeyReconstruction
FROM Ieee1609dot2ScmsBaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2)
scms (2) interfaces(1) base-types (2)}
;
---
-- @brief The EcaEndEntityInterfacePDU is the parent message type for messages
-- sent between Enrollment Certificate Authority (ECA) and End Entities
-- (EE).
-- @class EcaEndEntityInterfacePDU
-- @param eeEcaCertRequest contains the enrollment certificate request sent
-- by the EE to the ECA.
-- @param ecaEeCertResponse contains the enrollment certificate response sent
-- by the ECA to an EE.
EcaEndEntityInterfacePDU::= CHOICE {
eeEcaCertRequest EeEcaCertRequest,
ecaEeCertResponse EcaEeCertResponse,
...
}
---
-- @brief This data type is used by the EE to request an enrollment
-- certificate from the ECA. It is signed using the private key
-- generated by the EE and the corresponding public key is placed in
-- verificationKey for use by the ECA to generate the enrollment
-- certificate. All the fields of ToBeSignedCertificate are filled by
-- the EE/DCM, but the ECA may override them.
-- @class EeEcaCertRequest
-- @param version contains the current version of the data type. The
-- version specified in this document is version 1,
-- represented by the integer 1.
-- @param currentTime contains the time of creation of EeEcaCertRequest.
-- @param tbsData contains the ToBeSignedCertificate data used by the ECA
-- to generate the EE’s enrollment certificate. The
-- ToBeSignedCertificate is specified in Section 6.4.8 of
-- IEEE 1609.2-2016.
-- @see Uint8, Time32, ToBeSignedCertificate
EeEcaCertRequest ::= SEQUENCE {
version Uint8(1),
currentTime Time32,
tbsData ToBeSignedCertificate (WITH COMPONENTS { ...,
id(WITH COMPONENTS { ...,
linkageData ABSENT }),
region PRESENT,
appPermissions ABSENT,
certIssuePermissions ABSENT,
certRequestPermissions PRESENT,
verifyKeyIndicator (WITH COMPONENTS {
verificationKey }) }),
...
}
---
-- @brief This data type is used by the ECA to respond to an EE’s enrollment
-- certificate request. Additional bootstrapping information including
-- the RA's certificate are provided by the DCM in a zipped file.
-- @class EcaEeCertResponse
-- @param version contains the current version of the data type.
-- The version specified in this document is
-- version 1, represented by the integer 1.
-- @param requestHash contains the hash of the original
-- EeEcaCertRequest message.
-- @param ecaCert contains the Enrollment Certificate Authority
-- certificate.
-- @param enrollmentCert contains the Implicit Certificate structure of
-- the enrollment certificate, as specified in
-- Section 6.4.5 of IEEE 1609.2-2016.
-- @param privKeyReconstruction contains the private key reconstruction value
-- required by the EE to transform its private
-- key into an operational private key.
-- @see Uint8, HashedId8, Certificate, ImplicitCertificate,
-- EccP256PrivateKeyReconstruction
EcaEeCertResponse ::= SEQUENCE {
version Uint8(1),
requestHash HashedId8,
ecaCert Certificate,
enrollmentCert ImplicitCertificate,
privKeyReconstruction EccP256PrivateKeyReconstruction,
...
}
END
--
-- Copyright 2017 Crash Avoidance Metrics Partner, VSC5 Consortium
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
-- @namespace Ieee1609dot2ScmsPolicyTypes
Ieee1609dot2ScmsPolicyTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2)
scms (2) interfaces(1) policy-types (500)}
DEFINITIONS AUTOMATIC TAGS ::= BEGIN
EXPORTS ALL;
IMPORTS
Countersignature,
ExplicitCertificate,
Ieee1609Dot2Data,
SequenceOfCertificate
FROM IEEE1609dot2 {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base (1) schema (1)}
Duration,
Hostname,
Opaque,
Time64,
Uint8,
Uint16,
Uint32,
Uint64
FROM IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base(1) base-types(2)}
LaHostnameId,
PcaHostnameId,
RaHostnameId
FROM Ieee1609dot2ScmsBaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2)
scms (2) interfaces(1) base-types (2)}
;
---
-- @brief The PolicyFiles structure defines the parent structure for all
-- policy files (GCCF & LCCF). Each policy file resides in its own file
-- and its signed by one or more components. to ensure the policy is
-- valid.
-- @class PolicyFiles
-- @param globalPolicyFile contains the global policy file generated by Policy
-- Generator (PG).
-- @param localPolicyFile contains the local policy file genrated by a
-- Registration Authority (RA). Note that RA has to
-- get this signed by PG before sending to EEs.
PolicyFiles ::= CHOICE {
globalPolicyFile GlobalPolicyFile,
localPolicyFile LocalPolicyFile,
...
}
---
-- @brief This data type defines the inherent policy file structure created
-- either by PG or RA.
-- @class BasePolicyFile
-- @param version defines the version of BasePolicyFile. Currently, it is
-- denoted by integer 1.
-- @param tbsData is the policy data that is signed by PG at the scms
-- protocol level.
-- @param signatures denote the counter signatures that are generated by
-- auditors of the policy file. Note that PG or RA must
-- obtain these signatures before sending to any EE.
-- @see Uint8, Countersignature
BasePolicyFile ::= SEQUENCE {
version Uint8(1),
tbsData ToBeSignedPolicyData,
-- countersignatures generated by auditors of the policy file
signatures SEQUENCE SIZE(1..MAX) OF Countersignature,
...
}
---
-- @brief This data type contains the policy file data that is signed by the
-- PG at scms-protocol level.
-- @class ToBeSignedPolicyData
-- @param policyID denotes the unique identifier for a policy file.
-- @param generationTime is the point of time when a policy file was generated.
-- @param activeTime is the duration of time for which the policy file is
-- valid.
-- @param policy is the policy data for either global, local or custom
-- file.
-- @see Time64
ToBeSignedPolicyData ::= SEQUENCE {
policyID OCTET STRING (SIZE (0..32)),
generationTime Time64,
activeTime Time64,
policy Policy,
...
}
---
-- @brief This data type is generated by PG and contains global policy data.
-- @class GlobalPolicyFile
-- @param tbsData is the policy data that is signed by PG at scms-protocol level.
GlobalPolicyFile ::= BasePolicyFile (WITH COMPONENTS {...,
tbsData( WITH COMPONENTS {...,
policy(WITH COMPONENTS {...,
global PRESENT
})
})
})
---
-- @brief This data type is generated by an RA and contains local policy data
-- derived from global policy data.
-- @class LocalPolicyFile
-- @param globalParameters denotes all the values inherited from
-- GlobalPolicyFile.
-- @param localParameters denotes all values defined by RA for local policy
-- file specifically.
LocalPolicyFile ::= SEQUENCE {
globalParameters BasePolicyFile (WITH COMPONENTS {...,
tbsData( WITH COMPONENTS {...,
policy( WITH COMPONENTS {...,
custom PRESENT
})
})
}),
localParamters BasePolicyFile (WITH COMPONENTS {...,
tbsData( WITH COMPONENTS {...,
policy( WITH COMPONENTS {...,
local PRESENT
})
})
})
}
---
-- @brief This data type contains policy file data depending on the type of
-- policy file i.e. global, local or custom.
-- @class Policy
-- @param global denotes global policy data.
-- @param custom denotes custom policy data.
-- @param local denotes local policy data.
Policy ::= CHOICE {
global GlobalPolicyData,
custom CustomPolicyData,
local LocalPolicyData,
...
}
---
-- @brief This data type contains global policy data generated by PG.
-- @class GlobalPolicyData
-- @param temporalSeriesOfScmsVersion SCMS Version, default value is 1
-- @param temporalSeriesOfCertChainFileID File ID number of the current GCCF
-- @param temporalSeriesOfOverdueCrlTolerance max time to operate without a new
-- CRL, specified in weeks (4 bytes)
-- @param temporalSeriesOfIPeriod i-value / i-period; default: 1 week
-- @param temporalSeriesOfMinCertsPerIPeriod minimum certs per i-period; default: 20
-- @param temporalSeriesOfCertValidityModel pseudonym cert validity model -
-- "concurrent" or "non-concurrent"
-- @param temporalSeriesOfMaxAvailableCertSupply max time covered by a certificate
-- batch in years, default: 3 years
-- @param temporalSeriesOfMaxCertRequestAge maximum time for individual cert
-- request; to remain in aggregator;
-- default: 2 days
-- @param temporalSeriesOfShuffleThreshold minimum # of individual cert requests
-- before shuffle/send to PCA; default: 1000
-- @param temporalSeriesOfHashOfRequestSize bytes in "hash of request" between
-- PCA and RA for individual cert requests; default: 32
-- @param temporalSeriesOfMaxGpfGccfRetrievalInterval maximum interval (in hours) before
-- retreiving new GPF or GCCF; default: 1 hour
-- @param temporalSeriesOfRseApplicationCertValidity validity time for an RSE cert (in hours)
-- Default value is 1 week + 1 hour = 168 hours
-- @param temporalSeriesOfRseApplicationCertOVerlap RSE application cert overlap; Default value is 1 hour
-- @see Time64
GlobalPolicyData ::= SEQUENCE {
temporalSeriesOfScmsVersion SEQUENCE {
initialScmsVersion ScmsVersion DEFAULT 1,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
scmsVersion ScmsVersion
}
} OPTIONAL,
temporalSeriesOfCertChainFileID SEQUENCE {
initialGlobalCertChainFileID GlobalCertChainFileID,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
globalCertChainFileID GlobalCertChainFileID
}
} OPTIONAL,
temporalSeriesOfOverdueCrlTolerance SEQUENCE {
initialOverdueCrlTolerance OverdueCrlTolerance,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
overdueCrlTolerance OverdueCrlTolerance
}
} OPTIONAL,
temporalSeriesOfIPeriod SEQUENCE {
initialIPeriod IPeriod,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
iPeriod IPeriod
}
} OPTIONAL,
temporalSeriesOfMinCertsPerIPeriod SEQUENCE {
initialMinCertsPerIPeriod MinCertsPerIPeriod DEFAULT 20,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
minCertsPerIPeriod MinCertsPerIPeriod
}
} OPTIONAL,
temporalSeriesOfCertValidityModel SEQUENCE {
initialCertValidityModel CertValidityModel,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
certValidityModel CertValidityModel
}
} OPTIONAL,
temporalSeriesOfMaxAvailableCertSupply SEQUENCE {
initialMaxAvailableCertSupply MaxAvailableCertSupply,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
maxAvailableCertSupply MaxAvailableCertSupply
}
} OPTIONAL,
temporalSeriesOfMaxCertRequestAge SEQUENCE {
initialMaxCertRequestAge MaxCertRequestAge,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
maxCertRequestAge MaxCertRequestAge
}
} OPTIONAL,
temporalSeriesOfShuffleThreshold SEQUENCE {
initialShuffleThreshold ShuffleThreshold DEFAULT 1000,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
shuffleThreshold ShuffleThreshold
}
} OPTIONAL,
temporalSeriesOfHashOfRequestSize SEQUENCE {
initialHashOfRequestSize HashOfRequestSize DEFAULT 32,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
hashOfRequestSize HashOfRequestSize
}
} OPTIONAL,
temporalSeriesOfMaxGpfGccfRetrievalInterval SEQUENCE {
initialMaxGpfGccfRetrievalInterval MaxGpfGccfRetrievalInterval,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
maxGpfGccfRetrievalInterval MaxGpfGccfRetrievalInterval
}
} OPTIONAL,
temporalSeriesOfRseApplicationCertValidity SEQUENCE {
initialRseApplicationCertValidity RseApplicationCertValidity,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
rseApplicationCertValidity RseApplicationCertValidity
}
} OPTIONAL,
temporalSeriesOfRseApplicationCertOVerlap SEQUENCE {
initialRseApplicationCertOverlap RseApplicationCertOverlap,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
rseApplicationCertOverlap RseApplicationCertOverlap
}
} OPTIONAL,
...
}
---
-- @brief This data type defines the current scms version.
-- @class ScmsVersion
ScmsVersion ::= Uint8
---
-- @brief This data type denotes the 16-byte global certificate chain ID.
-- @class GlobalCertChainFileID
GlobalCertChainFileID ::= Uint16
---
-- @brief This data type denotes the maximum time to operate without a new CRL,
-- specified in weeks (4 bytes)
-- @class OverdueCrlTolerance
OverdueCrlTolerance ::= Duration
---
-- @brief This data type denotes the i-value / i-period; default
-- @class IPeriod
IPeriod ::= Duration
---
-- @brief This data type denotes the minimum certs per i-period
-- @class MinCertsPerIPeriod
MinCertsPerIPeriod ::= Uint8
---
-- @brief This data type denotes the pseudonym cert validity model -
-- concurrent" or "non-concurrent"
-- @class CertValidityModel
-- @param concurrent denotes the certificate can be used with other active
-- certificates.
-- @param non-concurrent denotes the certificate cannot be used with other
-- active certificates.
CertValidityModel ::= ENUMERATED {
concurrent (1),
non-concurrent (2),
...
}
---
-- @brief This data type denotes the maximum time covered by a certificate
-- batch in years.
-- @class MaxAvailableCertSupply
MaxAvailableCertSupply ::= Duration
---
-- @brief This data type denotes the maximum time for individual certificate
-- request.
-- @class MaxCertRequestAge
MaxCertRequestAge ::= Duration
---
-- @brief This data type denotes the minimum number of individual certificate
-- requests before shuffle/send to PCA.
-- @class ShuffleThreshold
ShuffleThreshold ::= Uint32
---
-- @brief This data type denotes the number of bytes in "has of request"
-- between PCA and RA for indicidaul certificate requests.
-- @class HashOfRequestSize
HashOfRequestSize ::= Uint8
---
-- @brief This data type denotes the maximum interval (in hours) before
-- retrieving new GPF and GCCF.
-- @class MaxGpfGccfRetrievalInterval
MaxGpfGccfRetrievalInterval ::= Duration
---
-- @brief This data type denotes the validity time for an RSE certificate (in
-- hours).
-- @class RseApplicationCertValidity
RseApplicationCertValidity ::= Duration
---
-- @brief This data type denotes the RSE certificate overlap period (in hours).
-- @class RseApplicationCertOverlap
RseApplicationCertOverlap ::= Duration
---
-- @brief This type is used by an RA that wants to create a custom version of
-- the GlobalPolicyData. This structure adds an element with the RA's
-- ID to differentiate it from a conventional GlobalPolicyFile.
-- @class CustomPolicyData
-- @param requestingRaHostname is the 256-bit unique hostname of the RA
-- requesting custom policy data.
-- @param globalPolicy is the global policy file data.
-- @see RaHostnameId
CustomPolicyData ::= SEQUENCE {
requestingRaHostname RaHostnameId OPTIONAL,
-- Hostname of the RA that customized this policy data
globalPolicy GlobalPolicyData,
...
}
---
-- @brief This data type contains local policy data generated by RA from
-- global policy data derived from GPF of PG.
-- @class LocalPolicyData
-- @param temporalSeriesOfShuffleThreshold minimum # of individual cert
-- requests before shuffle/send
-- to PCA.
-- @param temporalSeriesOfCertsPerIPeriod certs per i-period.
-- overrides global value);
-- default: 20
-- @param temporalSeriesOfLaOneHost LA1 256-bit unique hostname.
-- @param temporalSeriesOfLaTwoHost LA2 256-bit unique hostname.
-- @param temporalSeriesOfPcaHost PCA 256-bit unique hostname.
-- @param temporalSeriesOfRaX509TlsCert RA TLS certificate for
-- connection over HTTP.
-- @param temporalSeriesOfLaX509TlsCert LA TLS certificate.
-- @param temporalSeriesOfPcaX509TlsCert PCA TLS certificate.
-- @param temporalSeriesOfSharedKeyUpdateInterval maximum time between changes
-- to pre-linkage value enc/dec
-- key.
-- @see Time64, LaHostnameId, RaHostnameId, PcaHostnameId
LocalPolicyData ::= SEQUENCE {
temporalSeriesOfShuffleThreshold SEQUENCE {
initialShuffleThreshold ShuffleThreshold,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
shuffleThreshold ShuffleThreshold
}
} OPTIONAL,
temporalSeriesOfCertsPerIPeriod SEQUENCE {
initialCertsPerIPeriod CertsPerIPeriod DEFAULT 20,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
certsPerIPeriod CertsPerIPeriod
}
} OPTIONAL,
temporalSeriesOfLaOneHost SEQUENCE {
initialLaOneHost LaHostnameId,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
laOneHost LaHostnameId
}
} OPTIONAL,
temporalSeriesOfLaTwoHost SEQUENCE {
initialLaTwoHost LaHostnameId,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
laTwoHost LaHostnameId
}
} OPTIONAL,
temporalSeriesOfPcaHost SEQUENCE {
initialPcaHost PcaHostnameId,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
pcaHost PcaHostnameId
}
} OPTIONAL,
temporalSeriesOfRaX509TlsCert SEQUENCE {
initialRaX509TlsCert X509TlsCert,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
raX509TlsCert X509TlsCert
}
} OPTIONAL,
temporalSeriesOfLaX509TlsCert SEQUENCE {
initialLaX509TlsCert X509TlsCert,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
laX509TlsCert X509TlsCert
}
} OPTIONAL,
temporalSeriesOfPcaX509TlsCert SEQUENCE {
initialPcaX509TlsCert X509TlsCert,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
pcaX509TlsCert X509TlsCert
}
} OPTIONAL,
temporalSeriesOfSharedKeyUpdateInterval SEQUENCE {
initialSharedKeyUpdateInterval SharedKeyUpdateInterval,
intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
startTime Time64,
sharedKeyUpdateInterval SharedKeyUpdateInterval
}
} OPTIONAL,
...
}
---
-- @brief This data type denotes the certificates per i-period. This overrides
-- the global value.
-- @class CertsPerIPeriod
CertsPerIPeriod ::= Uint8
---
-- @brief This data type denotes the TLS certificate for secure communication
-- over HTTP.
-- @class X509TlsCert
X509TlsCert ::= Opaque
---
-- @brief This data type denotes the maximum time between changes to pre
-- linkage value encryption/decryption key.
-- @class SharedKeyUpdateInterval
SharedKeyUpdateInterval ::= Duration
END
Attachments:
image2017-3-24_14-50-53.png (image/png)
root.oer (application/octet-stream)
ee-eca-cert-request.oer (application/octet-stream)
QA-Enrollment-Process.jpg (image/jpeg)