̳ ; ; , 20.08.2012 1236/5/453
z1401-12, , — 05.12.2017, - z1422-17


̳

20 2012 .
1401/21713


{ , ̳
914/5/268 17.05.2013
1017/5/206 29.03.2017
3599/5/618 17.11.2017}

I.

1.1. ֳ - ( - ) DER- ( - ), , , .

1.2. :

, , - , DER- ;

, , - , DER- , , , , ;

- , ;

- DER- , , ;

( ) - , () , , , .

, , , ̳ 13 2004 903, , 13 2005 3 ( 10 2006 50), ̳ 27 2005 104/10384, - .

1.3. ASN.1, ISO/IEC 8824 Information technology - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1) / ISO/ 8824-3:2008 㳿. 1 (ASN.1) - 3. (ISO/IEC 8824-3:2002, IDT), 26 2008 508 ( ).

1.4. DER ISO/IEC 8825-1:2002 Information technology - ASN.1 encoding Rules - Part 1: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) AMD1:2004 Support for EX-TENDED-XER.

1.5. ֳ RFC 5652 Cryptographic Message Syntax (CMS) - September 2009, RFC 3126 Electronic Signature Formats for long term electronic signatures ETSI TS 101 733:2009 (ESI). CMS- (CAdES) (ETSI TS 101 733:2008, IDT) ( - ETSI TS 101 733:2009), 15 2009 452.

1.6. ֳ ETSI TS 101 733:2009, RFC 5652 RFC 3126, . .

1.7. . .

. .

1.8. , 4145-2002 㳿. . , . , 28 2002 31 ( - 4145-2002). - :

{ 1.8 I , ̳ 3599/5/618 17.11.2017}

34.311-95 . . , 21 1997 640 ( - 34.311-95);

7564:2014 㳿. . , ̳ 02 2014 1431 ( - 7564-2014).

{ 1.8 I ̳ 1017/5/206 29.03.2017}

1.9. , ' .

1.10. 34.311-95 algorithm AlgorithmIdentifier :

Gost34311 OBJECT IDENTIFIER ::= {iso(1) member-body(2) Ukraine(804) root(2) security(1) cryptography(1) ua-pki(1) alg(1) hash(2) 1}.

{ 1.10 I ̳ 914/5/268 17.05.2013}

parameters .

- H 34.311-95 256 .

- 34.311-95 ( - ), .

- 34.311-95 1, 1 , 12 2007 114, ̳ 25 2007 729/13996 ( ) ( - 1).

1 .

- 34.311-95 , .

1.11. 7564-2014 algorithm AlgorithmIdentifier :

Dstu7564(256) OBJECT IDENTIFIER ::= {iso(1) member-body(2) Ukraine(804) root(2) security(1) cryptography(1) pki(1) alg(1) hash(2) Dstu7564(2) 1}

Dstu7564(384) OBJECT IDENTIFIER ::= {iso(1) member-body(2) Ukraine(804) root(2) security(1) cryptography(1) pki(1) alg(1) hash(2) Dstu7564(2) 2}

Dstu7564(512) OBJECT IDENTIFIER ::= {iso(1) member-body(2) Ukraine(804) root(2) security(1) cryptography(1) pki(1) alg(1) hash(2) Dstu7564(2) 3}

parameters .

7564-2014 - , ̳ , 20 2012 1236/5/453, ̳ 20 2012 1398/21710.

{ 1.11 I , ̳ 3599/5/618 17.11.2017}

- 7564-2014 - 256 .

{ I 1.11 ̳ 1017/5/206 29.03.2017}

II.

2.1. :

ϔ (CAdES Basic Electronic Signature - CAdES-BES ETSI TS 101 733:2009);

(Explicit Policy-based Electronic Signature - CAdES-EPES ETSI TS 101 733:2009);

(ES with Complete validation data references (CAdES-C) ETSI TS 101 733:2009);

(CAdES-X Long ETSI TS 101 733:2009).

2.2. .

2.3. ϔ:

2.3.1. ϔ () ( - ). ϔ on-line ( - ). ϔ , .

2.3.2. ϔ :

, ;

, , ;

, ().

ϔ :

, ;

, , CMS (RFC 5652).

2.3.3. , :

ontent-Type - , EncapsulatedContentInfo, ;

Message-digest - , - eContent OCTET STRING encapContentInfo, ;

ESS signing-certificate v2 - , .

2.3.4. , :

Signing-time - , , ;

content-time-stamp - , , . , , , ;

signature-policy-identifier - , , .

2.4. (CAdES-EPES) ϔ signature-policy-identifier, , .

2.5. (CAdES-C) (CAdES-X Long) ( ).

ֳ , :

;

;

.

, . ϔ . , , . , ̳ , 20 2012 1236/5/453, ̳ 20 2012 1403/21715 ( - ).

2.5.1. ϔ , :

signature-time-stamp - , ;

complete-certificate-references - , , , ;

complete-revocation-references - , OCSP , , .

, , () .

, , , , ϔ , , , .

, , .

2.5.2. ϔ , :

certificate-values - , , ;

revocation-values - OCSP , ( ).

III.

3.1. , , , :

;

, ;

(), () ;

, , content-type;

- ( ) , message-digest.

, , , , .

3.2. , , , :

;

, ;

(), ( , );

, , content-type;

- ( ) , message-digest.

3.3. , , , , .

3.4. , , . ϳ ( ) , .

IV. ,

4.1. ContentInfo.

ContentInfo .


ContentInfo ::= SEQUENCE {


contentType

ContentType,


content

[0]EXPLICIT ANY DEFINED BY contentType}


ContentType ::= OBJECT IDENTIFIER

4.1.1. contentType ᒺ , , content. : ϔ.

ᒺ :

id-data OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

ϔ ᒺ :

id-signedData OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

4.1.2. content , contentType.

contentType ContentInfo ᒺ id-signedData, content SignedData, ϔ. ϔ.

4.2. SignedData:


SignedData ::= SEQUENCE {


version

CMSVersion,


digestAlgorithms

DigestAlgorithmIdentifiers,


encapContentInfo

EncapsulatedContentInfo,


certificates

[0]IMPLICIT CertificateSet OPTIONAL,


crls

[1]IMPLICIT RevocationInfoChoices OPTIONAL


signerInfos

SignerInfos}

4.2.1. version . eContentType encapContentInfo id-data, version 1. eContentType encapContentInfo id-data, version 3.

4.2.2. digestAlgorithms , .

DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier

DigestAlgorithmIdentifier ::= AlgorithmIdentifier

digestAlgorithms ᒺ , 34.311-95 7564-2014.

{ϳ 4.2.2 4.2 IV ̳ 1017/5/206 29.03.2017}

4.2.3. encapContentInfo , .

EncapsulatedContentInfo , .


EncapsulatedContentInfo ::= SEQUENCE {


eContentType

ContentType,


eContent

[0]EXPLICIT OCTET STRING OPTIONAL}

eContentType ᒺ .

eContent , . , , ( ).

4.2.4. certificates , .

CertificateSet ::= SET OF Certificate

CAdES-C CAdES-X Long .

4.2.5. crls , .

RevocationInfoChoices ::= SET OF CertificateList

CAdES-X Long ; revocation-values.

4.2.6. signerInfos , .

SignerInfos ::= SET OF SignerInfo

4.3. SignerInfo :


SignerInfo ::= SEQUENCE {



version

CMSVersion,


sid

SignerIdentifier,


digestAlgorithm

DigestAlgorithmIdentifier,


signedAttrs

[0]IMPLICIT SignedAttributes OPTIONAL,


signatureAlgorithm

SignatureAlgorithmIdentifier,


signature

OCTET STRING,


unsignedAttrs

[1]IMPLICIT UnsignedAttributes OPTIONAL}

4.3.1. version SignerInfo. 1.

4.3.2. sid .


SignerIdentifier ::= CHOICE {


issuerAndSerialNumber

IssuerAndSerialNumber,


subjectKeyIdentifier

[0]SubjectKeyIdentifier }

SignerIdentifier .

IssuerAndSerialNumber (distinguished name), , (CertificateSerialNumber).

SubjectKeyIdentifier .


IssuerAndSerialNumber ::= SEQUENCE {


issuer

Name,


serialNumber

CertificateSerialNumber }

Name , ̳ , 20 2012 1236/5/453, ̳ 20 2012 1398/21710 ( - ).

CertificateSerialNumber ::= INTEGER

4.3.3. digestAlgorithm . digestAlgorithms SignedData.

4.3.4. signedAttrs .

SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

4.3.5. signatureAlgorithm .

algorithm signatureAlgorithm -4145:2002 - 7564-2014 :

Dstu4145WithDstu7564(256) OBJECT IDENTIFIER ::= {iso(1) member-body(2) Ukraine(804) root (2) security(1) cryptography(1) pki(1) alg(1)sym(3) Dstu4145WithDstu7564(3) 1}

Dstu4145WithDstu7564(384) OBJECT IDENTIFIER ::= {iso(1) member-body(2) Ukraine(804) root (2) security(1) cryptography(1) pki(1) alg(1)sym(3) Dstu4145WithDstu7564(3) 2}

Dstu4145WithDstu7564(512) OBJECT IDENTIFIER ::= {iso(1) member-body(2) Ukraine(804) root (2) security(1) cryptography(1) pki(1) alg(1)sym(3) Dstu4145WithDstu7564(3) 3}

parameters signatureAlgorithm .

{ϳ 4.3.5 4.3 IV ̳ 1017/5/206 29.03.2017}

4.3.6. signature .

4.3.7. unsignedAttrs .

UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute

Attribute ::= SEQUENCE {attrType OBJECT IDENTIFIER, attrValues SET OF AttributeValue }

AttributeValue ::= ANY

4.4. message-digest - , (encapContentInfo eContent OCTET STRING signed-data - ), , ( ). - V .

ᒺ , message-digest:

id-messageDigest OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4}

message-digest MessageDigest:

MessageDigest ::= OCTET STRING

message-digest . AttributeValue .

4.5. content-type (Content Type), . content-type eContentType encapContentInfo signed-data.

ᒺ , content-type:

id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3}

content-type ContentType

ContentType ::= OBJECT IDENTIFIER

content-type . AttributeValue .

4.6. ESS signing-certificate v2 , .

ᒺ , ESS signing-certificate v2:

ESS signing-certificate v2 :

SigningCertificateV2 ::= SEQUENCE {

certs SEQUENCE OF ESSCertIDv2,

policies SEQUENCE OF PolicyInformation OPTIONAL}

certs .


ESSCertIDv2 ::= SEQUENCE {


hashAlgorithm

AlgorithmIdentifier


certHash

Hash,


issuerSerial

IssuerSerial}


Hash ::= OCTET STRING


IssuerSerial ::= SEQUENCE {


issuer

GeneralNames,


serialNumber

CertificateSerialNumber}

issuerSerial issuerAndSerialNumber SignerIdentifier (SignerInfo). issuer directoryName, Subject , .

hashAlgorithm ' , - DER- .

certHash - .

policies .

4.7. signature-policy-identifier , . ᒺ :

id-aa-ets-sigPolicyId OBJECT IDENTIFIER ::= {iso(1)member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)smime(16) id-aa(2) 15}

signature-policy-identifier SignaturePolicyIdentifier


SignaturePolicyIdentifier ::=CHOICE {


signaturePolicyId SignaturePolicyId }


SignaturePolicyId ::= SEQUENCE {


sigPolicyId

SigPolicyId,


sigPolicyHash

SigPolicyHash OPTIONAL,


sigPolicyQualifiers

SEQUENCE SIZE (1..MAX) OF SigPolicyQualifierInfo OPTIONAL}

SigPolicyId ᒺ , . :

SigPolicyId ::= OBJECT IDENTIFIER

sigPolicyHash - - .

ASN.1, - ( ) , sigPolicyHash.

, , .


SigPolicyHash ::= OtherHashAlgAndValue


OtherHashAlgAndValue ::= SEQUENCE {


hashAlgorithm

AlgorithmIdentifier,


hashValue

OtherHashValue }


OtherHashValue ::= OCTET STRING

. ᒺ sigPolicyQualifierId.

:


SigPolicyQualifierInfo ::= SEQUENCE {


sigPolicyQualifierId

SigPolicyQualifierId,


sigQualifier

ANY DEFINED BY sigPolicyQualifierId}

:

spuri: web URI URL ;

sp-user-notice: , , .

SigPolicyQualifierId ::= OBJECT IDENTIFIER

id-spq-ets-uri OBJECT IDENTIFIER ::= { iso(1)member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)smime(16) id-spq(5) 1}

SPuri ::= IA5String

id-spq-ets-unotice OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-spq(5) 2}


SPUserNotice ::= SEQUENCE {


noticeRef

NoticeReference OPTIONAL,


explicitText

DisplayText OPTIONAL}


NoticeReference ::= SEQUENCE {


Organization

DisplayText,


noticeNumbers

SEQUENCE OF INTEGER }


DisplayText ::= CHOICE {


visibleString

VisibleString (SIZE (1..200)),


bmpString

BMPString (SIZE (1..200)),


utf8String

UTF8String (SIZE (1..200))}

4.8. signing-time , .

ᒺ , signing-time:

id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5}

signing-time SigningTime


SigningTime ::= Time


Time ::= CHOICE {


utcTime

UTCTime,


generalizedTime

GeneralizedTime}

, 31 2049 , SigningTime UTCTime. , 01 2050 , SigningTime GeneralizedTime.

UTCTime YYMMDDHHMMSSZ. , YYMMDD000000Z.

:

YY 50, 19YY;

YY 50, 20YY.

signing-time . AttributeValue .

4.9. content-time-stamp , . .

ᒺ , content-time-stamp:

id-aa-ets-ContentTimeStamp OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-aa(2) 20}

content-time-stamp ContentTimeStamp.

ContentTimeStamp ::= TimeStampToken

TimeStampToken 4.2.2 4.2 IV , ̳ , 20 2012 1236/5/453, ̳ 20 2012 1402/21714 ( - ).

messageImprint TimeStampToken - , message-digest.

, attrValues SET OF AttributeValue, content-time-stamp . AttributeValue .

4.10. signature-time-stamp TimeStampToken, .

ᒺ , signature-time-stamp:

id-aa-signatureTimeStampToken OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 14}

signature-time-stamp SignatureTimeStampToken.

SignatureTimeStampToken ::= TimeStampToken

unsignedAttributes signature-time-stamp (, , ).

.

TimeStampToken 4.2.2 4.2 IV .

messageImprint TimeStampToken - signature SignerInfo ( ) , unsignedAttributes .

4.11. complete-certificate-references , . . ESS signing-certificate v2. . ESS signing-certificate v2.

complete-certificate-references CompleteCertificateRefs.

CompleteCertificateRefs ::= SEQUENCE OF OtherCertID

OtherCertID ::= SEQUENCE {

otherCertHashOtherHash,

issuerSerial IssuerSerial OPTIONAL }

OtherHash ::= CHOICE {

otherHashOtherHashAlgAndValue}

OtherHashValue ::= OCTET STRING

OtherHashAlgAndValue ::= SEQUENCE {

hashAlgorithmAlgorithmIdentifier,

hashValueOtherHashValue }

OtherHashAlgAndValue , 7564-2014 34.311-95.

{ 4.11 IV ̳ 1017/5/206 29.03.2017}

4.12. complete-revocation-references OCSP, .

ᒺ , complete-revocation-references:

id-aa-ets-revocationRefs OBJECT IDENTIFIER ::= {iso(1) member-body(2)us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 22}

complete-certificate-references CompleteRevocationRefs:


CompleteRevocationRefs ::= SEQUENCE OF CrlOcspRef


CrlOcspRef ::= SEQUENCE {


crlids

[0]CRLListID OPTIONAL,


ocspids

[1]OcspListID OPTIONAL,


otherRev

[2]OtherRevRefs OPTIONAL


}

CompleteRevocationRefs CrlOcspRef (signing-certificate).

CrlOcspRef , OtherCertID, . , , CrlOcspRef crlids ocspids.

CRLListID ::= SEQUENCE {

crls SEQUENCE OF CrlValidatedID}

CrlValidatedID ::= SEQUENCE {

crlHash OtherHash,

crlIdentifier CrlIdentifier OPTIONAL}

CrlIdentifier ::= SEQUENCE {

crlissuer Name,

crlIssuedTime UTCTime,

crlNumber INTEGER OPTIONAL

}

OcspListID ::= SEQUENCE {

ocspResponses SEQUENCE OF OcspResponsesID}

OcspResponsesID ::= SEQUENCE {

ocspIdentifier OcspIdentifier,

ocspRepHash OtherHash OPTIONAL

}

OcspIdentifier ::= SEQUENCE {

ocspResponderID ResponderID,

producedAt GeneralizedTime

}

OtherRevRefs ::= SEQUENCE {

otherRevRefType OtherRevRefType,

otherRevRefs ANY DEFINED BY otherRevRefType

}

OtherRevRefType ::= OBJECT IDENTIFIER

(CRL) CRL, -.

ϳ crlValidatedID crlHash DER- (CRL), .

crlIdentifier (CRL) , CRL, CRL, , thisUpdate , crlNumber .

OcspIdentifier OCSP- , OCSP-, OCSP-, , producedAt OCSP-.

CRL, OCSP-, . , , signedData unsignedAttrs signerInfos.

4.13. certificate-values , complete-certificate-references.

ᒺ , certificate-values:

id-aa-ets-certValues OBJECT IDENTIFIER ::= { iso(1) member-body(2)us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 23}

certificate-values CertificateValues:

CertificateValues ::= SEQUENCE OF Certificate

Certificate .

4.14. revocation-values CRL OCSP-, complete-revocation-references.

ᒺ , revocation-values:

id-aa-ets-revocationValues OBJECT IDENTIFIER ::= { iso(1) member-body(2)us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 24}

revocation-values RevocationValues:


RevocationValues ::= SEQUENCE {


crlVals

[0] SEQUENCE OF CertificateList OPTIONAL,


ocspVals

[1] SEQUENCE OF BasicOCSPResponse OPTIONAL,


otherRevVals

[2] OtherRevVals OPTIONAL}


OtherRevVals ::= SEQUENCE {


otherRevValType

OtherRevValType,


otherRevVals

ANY DEFINED BY OtherRevValType}


OtherRevValType ::= OBJECT IDENTIFIER

CertificateList , ̳ , 20 2012 1236/5/453, ̳ 20 2012 1400/21712.

BasicOCSPResponse .

( OtherRevVals).

V. -

5.1. - , ( eContent encapContentInfo signed-data ), , (signedAttrs) .

5.2. , - , , eContent encapContentInfo signed-data, , . - , eContent OCTET STRING. DER- . - .

5.3. , - :

5.3.1. - , , eContent encapContentInfo signed-data, . - , eContent OCTET STRING. DER- .

5.3.2. DER- signedAttrs, message-digest -, .

5.3.3. - DER- signedAttrs, . - .

5.3.4. - 34.311-95 - 1.10 I .

5.3.5. - 7564-2014 - , ̳ , 20 2012 1236/5/453, ̳ 20 2012 1398/21710, 1.11 I .

{ 5.3 V 5.3.5 ̳ 1017/5/206 29.03.2017}


,


̳






..











..







id-data OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1}

id-signedData OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }


ContentInfo ::= SEQUENCE {


contentType

ContentType,


content

[0] EXPLICIT ANY DEFINED BY contentType }


ContentType ::= OBJECT IDENTIFIER


SignedData ::= SEQUENCE {


version

CMSVersion,


digestAlgorithms

DigestAlgorithmIdentifiers,


encapContentInfo

EncapsulatedContentInfo,


certificates

[0] IMPLICIT CertificateSet OPTIONAL,


signerInfos

SignerInfos }


CMSVersion ::= INTEGER {v0(0), v1(1), v2(2), v3(3), v4(4), v5(5)}


DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier


DigestAlgorithmIdentifier ::= AlgorithmIdentifier


EncapsulatedContentInfo ::= SEQUENCE {


eContentType

ContentType,


eContent

[0] EXPLICIT OCTET STRING OPTIONAL}


CertificateSet ::= SET OF Certificate


SignerInfos ::= SET OF SignerInfo


SignerInfo ::= SEQUENCE {


version

CMSVersion,


sid

SignerIdentifier,


digestAlgorithm

DigestAlgorithmIdentifier,


signedAttrs

[0] IMPLICIT SignedAttributes OPTIONAL,


signatureAlgorithm

SignatureAlgorithmIdentifier,


signature

OCTET STRING,


unsignedAttrs

[1] IMPLICIT UnsignedAttributes OPTIONAL }


SignerIdentifier ::= CHOICE

{


issuerAndSerialNumber

IssuerAndSerialNumber}


IssuerAndSerialNumber ::= SEQUENCE {


issuer

Name,


serialNumber

INTEGER}


SignedAttributes ::= SET SIZE (1..MAX) OF Attribute


UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute


SignatureAlgorithmIdentifier ::= AlgorithmIdentifier