CSP Protocol

Compatible with GlobalPlatform Amendment N v0.0.0.39, generated on 29.04.2025.

ASN 7-1ba: CSP Protocol: ASN.1 Definition for the CSPAdminCommand
Tag Length Type Description Presence Default
SEQUENCE 7..n CSPAdminCommand 'CSPAdminCommand': Administrative operations to manage a CSP Application through its SD.
'A0' 5..n CSPAdminCommandChoice 'adminCommandChoice': Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A0 L'
  'TA LA VA'

ASN 7-1bb: CSP Protocol: ASN.1 Definition for CSPAdminCommandChoice
Tag Size Type Description Presence
CHOICE CSPAdminCommandChoice
'A0' 5..n CSPEnforce "enforce": Detect features and/or algorithms supported by this platform. CONDITIONAL
'A1' 9..n CSPRegisterClient "registerApplication": Register the AID of a Client Application for use with this CSP Instance. CONDITIONAL
'A2' 8..23 CSPUnregisterClient "unregisterApplication": Unregister a Client Application from this CSP Instance. CONDITIONAL
'A3' 19..342 CSPCreateResource "createResource": Create a key, certificate, password, counter or timer as resource. CONDITIONAL
'A4' 8..9 CSPDestroyResource "destroyResource": Destroy a resource and free memory. CONDITIONAL
'A5' 8..315 CSPConfigureResource "configureResource": Change the configuration of a resource. CONDITIONAL
'A6' 5..n CSPSetup "setup": Change the general settings of the CSP Instance. CONDITIONAL
'A7' 5..9 CSPActivate "activate": Activate this CSP Instance for operational use. CONDITIONAL
'A8' 5 CSPDeactivate "deactivate": Deactivate this CSP Instance, thus Client Applications cannot use it. CONDITIONAL
'A9' 5 CSPGetConfiguration "getConfig": Retrieve the entire configuration settings of this CSP Instance. CONDITIONAL
'AA' 13..65578 CSPSetValue "setValue": Set the value of a resource (e.g., key value, password, certificate). CONDITIONAL
'AB' 8..9 CSPClearResource "clearResource": Securely wipe the value of a resource. CONDITIONAL
'AC' 8..526 CSPSystemAttestation "systemAttestation": Compute an SE Platform attestation or CSP Config attestation. CONDITIONAL
'AD' 8..9 CSPGenerateKey "generateKey": Generate a symmetric or private key value with random data. CONDITIONAL
'AE' 11..13 CSPComputePublicKey "computePublicKey": Compute the public part of a private key value. CONDITIONAL
'AF' 29..531 CSPDeriveKey "deriveKey": Derive a key from a source key and optional input data. CONDITIONAL
'B0' 15..65559 CSPSetTime "settime": Set the reference time that is used to estimate the system time. CONDITIONAL

Used in: CSPAdminCommand

ASN 7-2: Admin: ASN.1 Definition for CSPEnforce
Tag Length Type Description Presence Default
SEQUENCE 3..n CSPEnforce 'CSPEnforce': Command that checks features and algorithms on the platform.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'A1' 0..n CSPCoreSupport 'coreSupport': Optional core functionality (e.g., policies). OPTIONAL
'A2' 0..n CSPCipherSupport 'cipherSupport': Cipher and padding algorithms. OPTIONAL
'A3' 0..n CSPSignatureSupport 'signatureSupport': Signature algorithms. OPTIONAL
'84' 0 NULL 'transformSupport': Cipher encryption transformation. OPTIONAL
'A5' 0..8 CSPSecureChannelSupport 'secChannelSupport': Secure channel protocols. OPTIONAL
'86' 0 NULL 'confidentialSupport': Confidential data transfer extension of the secure channel service. OPTIONAL
'A7' 0..n CSPAttestationSupport 'attestationSupport': Attestation types. OPTIONAL
'A8' 0..n CSPKeySupport 'keySupport': Key type, size, curve, along with derivation and agreement algorithms. OPTIONAL
'A9' 0..n CSPCertificateSupport 'certificateSupport': Certificate types. OPTIONAL
'AA' 0..n CSPPasswordSupport 'passwordSupport': Password management operations. OPTIONAL
'AB' 0..n CSPCounterSupport 'counterSupport': Counter types. OPTIONAL
'AC' 0..n CSPTimeSupport 'timeSupport': Time management and timer types. OPTIONAL
'AD' 0..n CSPAuditSupport 'auditSupport': Secure auditing and event types. OPTIONAL
'8E' 0 NULL 'offloadingSupport': Resource import and export functionality. OPTIONAL
'AF' 0..n CSPFieldSupport 'fieldSupport': Fields to be included in attestation results and log messages. OPTIONAL
'B0' 0..n CSPPolicySupport 'policySupport': Constraint-based access control using policies. OPTIONAL

Used in: CSPAdminCommandChoice

ASN 7-3: Admin: ASN.1 Definition for CSPRegisterClient
Tag Length Type Description Presence Default
SEQUENCE 7..n CSPRegisterClient 'CSPRegisterClient': Command to register a Client Application or an off-card Client to the CSP.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'A1' 2..n CSPClient 'client': The Client Application or off-card Client to register.

Used in: CSPAdminCommandChoice

ASN 7-4: Admin: ASN.1 Definition for CSPUnregisterClient
Tag Length Type Description Presence Default
SEQUENCE 6..21 CSPUnregisterClient 'CSPUnregisterClient': Command to unregister a CSP Client, revoking its access to the CSP.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'A1' 1..16 CSPClientReference 'client': The client identifier or the AID of a Client Application. Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A1 L'
  'TA LA VA'

Used in: CSPAdminCommandChoice

ASN 7-5: Admin: ASN.1 Definition for CSPCreateResource
Tag Length Type Description Presence Default
SEQUENCE 17..338 CSPCreateResource 'CSPCreateResource': Command to create a key, certificate or password resource.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'A1' 12..331 CSPResource 'resouceData': The resource data (e.g., resource ID, resource type, etc.).

Used in: CSPAdminCommandChoice

ASN 7-6: Admin: ASN.1 Definition for CSPDestroyResource
Tag Length Type Description Presence Default
SEQUENCE 6..7 CSPDestroyResource 'CSPDestroyResource': Command to remove a key or password resource.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'resourceId': The resource ID that shall be unregistered.

Used in: CSPAdminCommandChoice

ASN 7-7: Admin: ASN.1 Definition for CSPConfigureResource
Tag Length Type Description Presence Default
SEQUENCE 6..311 CSPConfigureResource 'CSPConfigureResource': Command to configure a resource.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'resourceId': The resource to be modified.
'A2' 0..45 CSPAccessControl 'accessControl': The access control configuration for the resource. OPTIONAL
'A3' 0..37 CSPAlgorithms 'algorithms': The algorithm configuration of the resource. Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A3 L'
  'TA LA VA'
OPTIONAL
'A4' 0..80 CSPCounters 'counters': Usage counter or authentication counter configurations of the resource. OPTIONAL
'A5' 0..32 CSPTimers 'timers': Validity date, validity period or timeout configurations. OPTIONAL
'A6' 0..100 SET OF CSPResourceEvent 'resourceEvents': The events that shall be logged for this resource. OPTIONAL

Used in: CSPAdminCommandChoice

ASN 7-8: Admin: ASN.1 Definition for CSPSetup
Tag Length Type Description Presence Default
SEQUENCE 3..n CSPSetup 'CSPSetup': Command to set up general settings of the CSP Instance.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'A1' 0..47 CSPSettings 'cspSettings': Version, name, attestation key and error handling of this CSP Instance. OPTIONAL
'A2' 0..13 CSPSecureChannelSettings 'secureChannelSettings': Set the general secure channel authentication timeout. OPTIONAL
'A3' 0..5 CSPPolicySettings 'policySettings': Select policy mode for handling unavailable policy types. OPTIONAL
'A4' 0..5 CSPCounterSettings 'counterSettings': Select counter mode for handling unavailable counter types and sizes. OPTIONAL
'A5' 0..12 CSPTimeSettings 'timeSettings': Configure time management and handling of unavailable time. OPTIONAL
'A6' 0..n CSPAuditSettings 'auditSettings': Configure audit event logging and handling of unavailable event types. OPTIONAL
'A7' 0..5 CSPFieldSettings 'fieldSettings': Select field mode for handling unavailable signature fields. OPTIONAL

Used in: CSPAdminCommandChoice

ASN 7-9: Admin: ASN.1 Definition for CSPActivate
Tag Length Type Description Presence Default
SEQUENCE 3..7 CSPActivate 'CSPActivate': Command to finalize a CSP Configuration.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 0..2 CSPConfigVersion 'configVersion': Custom version of the CSP Configuration chosen by the CSP Admin. OPTIONAL

Used in: CSPAdminCommandChoice

ASN 7-10: Admin: ASN.1 Definition for CSPDeactivate
Tag Length Type Description Presence Default
SEQUENCE 3 CSPDeactivate 'CSPDeactivate': Command to deactivate a CSP Configuration.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.

Used in: CSPAdminCommandChoice
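
An added example (not from the GlobalPlatform specification) of a strict encoder and parser for the CSPAdminCommand envelope, rejecting unknown CHOICE tags, sizes outside the table bounds, non-minimal lengths and trailing bytes before a command is dispatched. It assumes DER-style definite lengths, an outer '30' SEQUENCE tag, that each CHOICE tag implicitly replaces the command's SEQUENCE tag, and that 'Size' in the CHOICE table counts the whole TLV while 'Length' counts content only. These readings are inferred from the byte counts in the tables, and all function names are hypothetical.

```python
SEQUENCE = 0x30  # universal SEQUENCE tag, as in the page's '30 L0 V0' notation
WRAPPER = 0xA0   # 'adminCommandChoice' explicit wrapper: 'A0 L' 'TA LA VA'

# Choice tag -> (name, min, max) total TLV size, from the CSPAdminCommandChoice
# table; None stands for 'n' (no stated maximum).
ADMIN_CHOICES = {
    0xA0: ("enforce", 5, None), 0xA1: ("registerApplication", 9, None),
    0xA2: ("unregisterApplication", 8, 23), 0xA3: ("createResource", 19, 342),
    0xA4: ("destroyResource", 8, 9), 0xA5: ("configureResource", 8, 315),
    0xA6: ("setup", 5, None), 0xA7: ("activate", 5, 9),
    0xA8: ("deactivate", 5, 5), 0xA9: ("getConfig", 5, 5),
    0xAA: ("setValue", 13, 65578), 0xAB: ("clearResource", 8, 9),
    0xAC: ("systemAttestation", 8, 526), 0xAD: ("generateKey", 8, 9),
    0xAE: ("computePublicKey", 11, 13), 0xAF: ("deriveKey", 29, 531),
    0xB0: ("settime", 15, 65559),
}

class CSPFormatError(ValueError):
    """Raised for any encoding the tables do not allow."""

def tlv(tag, value):
    """Encode one TLV with a minimal definite length (assumed DER-style)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); reject truncated or non-minimal lengths."""
    if pos + 2 > len(buf):
        raise CSPFormatError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        if n == 0 or n > 3 or pos + n > len(buf):
            raise CSPFormatError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise CSPFormatError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise CSPFormatError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def encode_int(value):
    """Minimal INTEGER for 0..32767: the 1..2 bytes the tables give CSPResourceId."""
    if not 0 <= value <= 32767:
        raise CSPFormatError("integer out of range")
    return value.to_bytes(value.bit_length() // 8 + 1, "big")

def decode_int(raw, max_len=2):
    """Decode a non-negative, minimally encoded INTEGER of at most max_len bytes."""
    if not 1 <= len(raw) <= max_len or raw[0] & 0x80:
        raise CSPFormatError("INTEGER has wrong size or is negative")
    if len(raw) == 2 and raw[0] == 0 and raw[1] < 0x80:
        raise CSPFormatError("non-minimal INTEGER")
    return int.from_bytes(raw, "big")

def build_admin_command(choice_tag, fields=()):
    """fields: (context tag, value bytes) pairs that follow cspProtocolVersion."""
    body = tlv(0x80, encode_int(1))  # protocolVersion1 = 1
    for tag, value in fields:
        body += tlv(tag, value)
    # Assumption: the choice tag implicitly replaces the command's SEQUENCE tag.
    return tlv(SEQUENCE, tlv(WRAPPER, tlv(choice_tag, body)))

def parse_admin_command(data):
    """Return (command name, [(tag, value), ...]) or raise CSPFormatError."""
    tag, outer, end = read_tlv(data)
    if tag != SEQUENCE or end != len(data):
        raise CSPFormatError("expected a single SEQUENCE, no trailing bytes")
    tag, wrapped, end = read_tlv(outer)
    if tag != WRAPPER or end != len(outer):
        raise CSPFormatError("expected exactly one 'A0' wrapper")
    choice_tag, body, end = read_tlv(wrapped)
    if end != len(wrapped) or choice_tag not in ADMIN_CHOICES:
        raise CSPFormatError("unknown or malformed CHOICE alternative")
    name, lo, hi = ADMIN_CHOICES[choice_tag]
    if len(wrapped) < lo or (hi is not None and len(wrapped) > hi):
        raise CSPFormatError(f"{name}: size {len(wrapped)} outside table bounds")
    ftag, fval, pos = read_tlv(body)
    if ftag != 0x80 or decode_int(fval, 1) != 1:
        raise CSPFormatError("cspProtocolVersion must be protocolVersion1")
    fields = []
    while pos < len(body):
        ftag, fval, pos = read_tlv(body, pos)
        fields.append((ftag, fval))
    return name, fields

if __name__ == "__main__":
    destroy = build_admin_command(0xA4, [(0x81, encode_int(300))])  # constructed input
    print(destroy.hex(), parse_admin_command(destroy))
```

The parser checks only the envelope and the size bounds; per-field validation of each command body would follow the individual command tables.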

ASN 7-11: Admin: ASN.1 Definition for CSPGetConfiguration
Tag Length Type Description Presence Default
SEQUENCE 3 CSPGetConfiguration 'CSPGetConfiguration': Command to retrieve the entire CSP Configuration.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.

Used in: CSPAdminCommandChoice, CSPRequiresAuthentication

ASN 7-12: Admin: ASN.1 Definition for CSPGetConfigurationResponse
Tag Length Type Description Presence Default
SEQUENCE 84..n CSPGetConfigurationResponse 'CSPGetConfigurationResponse': Response of the CSPGetConfiguration command.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Version of the CSP Admin Protocol used.
'A1' 79..n CSPConfiguration 'cspConfiguration': CSP Configuration of the entire CSP Instance.

ASN 7-13: Resource: ASN.1 Definition for CSPSetValue
Tag Length Type Description Presence Default
SEQUENCE 11..65573 CSPSetValue 'CSPSetValue': Command to set the value of a key, certificate or password resource.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'resourceId': The identifier of the resource to set the value for.
'82' 0..2 CSPResourceId 'decryptionResourceId': If set, the data is decrypted before being assigned to the resource. OPTIONAL
'83' 0..65536 OCTET STRING 'data': The value of the resource.
'84' 0..16 OCTET STRING 'initializationData': Algorithm-specific initialization data for decryption, e.g., iv data. OPTIONAL
'85' 1 BOOLEAN 'inTransport': Is this an initial value requiring change (only for passwords)?

Used in: CSPAdminCommandChoice

ASN 7-14a: CSP Protocol: ASN.1 Definition for the CSPClientCommand
Tag Length Type Description Presence Default
SEQUENCE 7..98329 CSPClientCommand 'CSPClientCommand': Client operations to use the cryptographic services of the CSP.
'A0' 5..98324 CSPClientCommandChoice 'clientCommandChoice': Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A0 L'
  'TA LA VA'

ASN 7-14ba: CSP Protocol: ASN.1 Definition for CSPClientCommandChoice
Tag Size Type Description Presence
CHOICE CSPClientCommandChoice
'AC' 8..526 CSPSystemAttestation "systemAttestation": Compute an SE platform attestation or a CSP Config attestation. CONDITIONAL
'B1' 8..32778 CSPProcessSecurity "processAuthentication": Process secure channel authentication defined via authProtocol. CONDITIONAL
'B2' 5..98324 CSPRequiresAuthentication "requiresAuthentication": Command structures that require Client Authentication. CONDITIONAL

Used in: CSPClientCommand

ASN 7-14bb: CSP Protocol: ASN.1 Definition for CSPRequiresAuthentication
Tag Size Type Description Presence
CHOICE CSPRequiresAuthentication
'A0' 5 CSPGetConfiguration "getConfig": Retrieve the entire configuration settings of this CSP Instance. CONDITIONAL
'A1' 8..9 CSPClearResource "clearResource": Securely wipe the value of a resource. CONDITIONAL
'A2' 8..9 CSPGenerateKey "generateKey": Generate a symmetric or private key value with random data. CONDITIONAL
'A3' 11..13 CSPComputePublicKey "computePublicKey": Compute the public part of a private key value. CONDITIONAL
'A4' 29..531 CSPDeriveKey "deriveKey": Derive a key from a source key and optional input data. CONDITIONAL
'A5' 15..65559 CSPSetTime "settime": Set the reference time that is used to estimate the system time. CONDITIONAL
'A6' 10..32782 CSPSign "sign": Create a signature. CONDITIONAL
'A7' 76..98324 CSPVerifySignature "verifySignature": Verify a signature. CONDITIONAL
'A8' 10..32800 CSPEncrypt "encrypt": Encrypt data. CONDITIONAL
'A9' 10..32800 CSPDecrypt "decrypt": Decrypt data. CONDITIONAL
'AA' 29..530 CSPResourceAttestation "resourceAttestation": Compute a resource attestation. CONDITIONAL

Used in: CSPClientCommandChoice

ASN 7-15: Secure Channel: ASN.1 Definition for CSPProcessSecurity
Tag Length Type Description Presence Default
SEQUENCE 6..32774 CSPProcessSecurity 'CSPProcessSecurity': Command to process security for secure channel authentication.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..32767 OCTET STRING 'apduData': APDU data for processing security.

Used in: CSPClientCommandChoice

ASN 7-16: Attestations: ASN.1 Definition for CSPProcessSecurityResponse
Tag Length Type Description Presence Default
SEQUENCE 3..32771 CSPProcessSecurityResponse 'CSPProcessSecurityResponse': Response of the CSPProcessSecurity command.
'80' 1..32767 OCTET STRING 'outputData': Output APDU resulting from secure channel processing.

ASN 7-17: Signature: ASN.1 Definition for CSPSign
Tag Length Type Description Presence Default
SEQUENCE 8..32778 CSPSign 'CSPSign': Command for data signing.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'signingResourceId': The resource ID used to compute the signature.
'82' 0..32767 OCTET STRING 'inputData': The data to sign.

Used in: CSPRequiresAuthentication

ASN 7-18: Attestations: ASN.1 Definition for CSPSignResponse
Tag Length Type Description Presence Default
SEQUENCE 66..65541 CSPSignResponse 'CSPSignResponse': Response of the CSPSign command: The signature computed by the CSP.
'80' 64..65536 CSPSignature 'signature':

ASN 7-19: Signature: ASN.1 Definition for CSPVerifySignature
Tag Length Type Description Presence Default
SEQUENCE 74..98319 CSPVerifySignature 'CSPVerifySignature': Command to verify a signature.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'signingResourceId': The resource ID used to compute the signature.
'82' 0..32767 OCTET STRING 'data': The signed data.
'83' 64..65536 CSPSignature 'signature': The signature to verify.

Used in: CSPRequiresAuthentication

ASN 7-20: Attestations: ASN.1 Definition for CSPVerifySignatureResponse
Tag Length Type Description Presence Default
SEQUENCE 4 CSPVerifySignatureResponse 'CSPVerifySignatureResponse': Response of the CSPVerifySignature command.
'80' 2 CSPBoolean 'response':

ASN 7-21: Cipher: ASN.1 Definition for CSPEncrypt
Tag Length Type Description Presence Default
SEQUENCE 8..32796 CSPEncrypt 'CSPEncrypt': Command to encrypt data.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'keyResourceId': The resource ID used to encrypt the data.
'82' 0..16 OCTET STRING 'initializationData': Algorithm-specific initialization data for encryption, e.g., IV data. OPTIONAL
'83' 0..32767 OCTET STRING 'inputData': The data to encrypt.

Used in: CSPRequiresAuthentication

ASN 7-22: Attestations: ASN.1 Definition for CSPEncryptResponse
Name Size Type Description
CSPEncryptResponse 0..32767 OCTET STRING Response of the CSPEncrypt command: the encrypted data.

ASN 7-23: Cipher: ASN.1 Definition for CSPDecrypt
Tag Length Type Description Presence Default
SEQUENCE 8..32796 CSPDecrypt 'CSPDecrypt': Command to decrypt data.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'keyResourceId': The resource ID used to decrypt the data.
'82' 0..16 OCTET STRING 'initializationData': Algorithm-specific initialization data for decryption, e.g., IV data. OPTIONAL
'83' 0..32767 OCTET STRING 'inputData': The data to decrypt.

Used in: CSPRequiresAuthentication

ASN 7-24: Attestations: ASN.1 Definition for CSPDecryptResponse
Name Size Type Description
CSPDecryptResponse 0..32767 OCTET STRING Response of the CSPDecrypt command: the decrypted data.

ASN 7-25: Attestations: ASN.1 Definition for CSPResourceAttestation
Tag Length Type Description Presence Default
SEQUENCE 27..526 CSPResourceAttestation 'CSPResourceAttestation': Command to compute resource attestations.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1 CSPResourceAttestationType 'attestationType': The attestation type used.
'82' 1..2 CSPResourceId 'attestationResourceId': The resource ID used to create the attestation signature.
'83' 16..512 OCTET STRING 'inputData': Additional input data to be included in the attestation.

Used in: CSPRequiresAuthentication

ASN 7-26: Attestations: ASN.1 Definition for CSPResourceAttestationResponse
Tag Size Type Description Presence
CHOICE CSPResourceAttestationResponse
'A0' 103..131144 CSPDataAttestation "dataAttestation": Conditional: Response of a data attestation. CONDITIONAL
'A1' 252..229483 CSPKeyPoPAttestation "keyAttestation": Conditional: Response of the key attestation. CONDITIONAL

ASN 7-27: Resource: ASN.1 Definition for CSPClearResource
Tag Length Type Description Presence Default
SEQUENCE 6..7 CSPClearResource 'CSPClearResource': Command to remove the value of a key or password resource.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'resourceId': The identifier of the resource that shall be cleared.

Used in: CSPAdminCommandChoice, CSPRequiresAuthentication

ASN 7-28: Attestations: ASN.1 Definition for CSPSystemAttestation
Tag Length Type Description Presence Default
SEQUENCE 6..522 CSPSystemAttestation 'CSPSystemAttestation': Command to retrieve signed attestation data of the platform and the CSP.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1 CSPSystemAttestationType 'attestationType': CASD-based CSP platform or CSP-specific config attestation.
'82' 0..512 CSPChallenge 'challenge': Challenge for verification of attestation integrity. OPTIONAL

Used in: CSPAdminCommandChoice, CSPClientCommandChoice

ASN 7-29: Attestations: ASN.1 Definition for CSPSystemAttestationResponse
Tag Size Type Description Presence
CHOICE CSPSystemAttestationResponse
'A0' 2227..n CSPPlatformAttestation "platformAttestation": Conditional: Response of the CASD-based SE platform attestation. CONDITIONAL
'A1' 198..98476 CSPConfigAttestation "configAttestation": Conditional: Response of the CSP-specific config attestation. CONDITIONAL

ASN 7-30: Key: ASN.1 Definition for CSPGenerateKey
Tag Length Type Description Presence Default
SEQUENCE 6..7 CSPGenerateKey 'CSPGenerateKey': Command for key generation.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'keyResourceId': The key for which the value should be generated.

Used in: CSPAdminCommandChoice, CSPRequiresAuthentication

ASN 7-31: Key: ASN.1 Definition for CSPComputePublicKey
Tag Length Type Description Presence Default
SEQUENCE 9..11 CSPComputePublicKey 'CSPComputePublicKey': Command to compute a public key from its private key.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'privateResourceId': The corresponding private key that is already initialized.
'82' 1..2 CSPResourceId 'publicResourceId': The public key that shall be computed.

Used in: CSPAdminCommandChoice, CSPRequiresAuthentication

ASN 7-32: Key: ASN.1 Definition for CSPDeriveKey
Tag Length Type Description Presence Default
SEQUENCE 27..527 CSPDeriveKey 'CSPDeriveKey': Command for key derivation.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 1..2 CSPResourceId 'sourceResourceId': The resource that is base source for key derivation.
'82' 1..2 CSPResourceId 'destResourceId': The destination resource to store the derived key value.
'83' 16..512 OCTET STRING 'inputData': Additional input data given into the derivation algorithm.

Used in: CSPAdminCommandChoice, CSPRequiresAuthentication

ASN 7-33: Time: ASN.1 Definition for CSPSetTime
Tag Length Type Description Presence Default
SEQUENCE 13..65554 CSPSetTime 'CSPSetTime': Command to set a new reference time to the CSP Instance.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Minimum API level required for the CSP Protocol.
'81' 8 CSPTimestamp 'newTime': The new reference time.
'82' 0..65536 CSPSignature 'signature': Signature to verify the authenticity of the new reference time. OPTIONAL

Used in: CSPAdminCommandChoice, CSPRequiresAuthentication

ASN 7-34: Attestations: ASN.1 Definition for CSPSetTimeResponse
Tag Length Type Description Presence Default
SEQUENCE 4 CSPSetTimeResponse 'CSPSetTimeResponse': Response of the CSPSetTime command: TRUE if time was successfully updated.
'80' 2 CSPBoolean 'response':

ASN 5-1: Access: ASN.1 Definition for CSPCoreSupport
Tag Length Type Description Presence Default
SEQUENCE 0..8 CSPCoreSupport 'CSPCoreSupport': Supported core features.
'A0' 0..6 SET OF CSPErrorMode 'errorModes': CSP error handling modes. Implicitly encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 5-2: Core: ASN.1 Definition for CSPSettings
Tag Length Type Description Presence Default
SEQUENCE 34..45 CSPSettings 'CSPSettings': Structure representing general configuration settings of the CSP Instance.
'80' 32 CSPConfigName 'configName': Custom name of the CSP Configuration chosen by the CSP Admin.
'81' 0..2 CSPConfigVersion 'configVersion': Custom version of the CSP Configuration chosen by the CSP Admin. OPTIONAL
'82' 0..2 CSPResourceId 'configAttestationKey': The key that shall be used to compute the config attestation. OPTIONAL
'83' 0..1 CSPErrorMode 'errorMode': Specify how the CSP shall handle exceptions. OPTIONAL ERROR_MODE_BASIC

Used in: CSPSetup, CSPConfiguration

ASN 5-3: Core: ASN.1 Definition for CSPProtocolVersion
Name Value Size Type Description
protocolVersion1 1 1 INTEGER API level for the CSP Protocol used.

Used in: CSPEnforce, CSPRegisterClient, CSPUnregisterClient, CSPCreateResource, CSPDestroyResource, CSPConfigureResource, CSPSetup, CSPActivate, CSPDeactivate, CSPGetConfiguration, CSPGetConfigurationResponse, CSPSetValue, CSPProcessSecurity, CSPSign, CSPVerifySignature, CSPEncrypt, CSPDecrypt, CSPResourceAttestation, CSPClearResource, CSPSystemAttestation, CSPGenerateKey, CSPComputePublicKey, CSPDeriveKey, CSPSetTime, CSPPlatform, CSPSignedPlatformData, CSPSignedConfigData, CSPSignedData, CSPSignedPoPData, CSPEventDataUpdateCSP

ASN 5-4: Core: ASN.1 Definition for CSPConfiguration
Tag Length Type Description Presence Default
SEQUENCE 79..n CSPConfiguration 'CSPConfiguration': Structure containing the entire CSP Configuration.
'80' 0..1 CSPMode 'cspMode': Indicates whether this CSP configuration is currently activated. OPTIONAL CSP_MODE_CONFIGURATION
'A1' 0..47 CSPSettings 'cspSettings': Name, version, attestation key and error handling of the CSP Instance. OPTIONAL
'A2' 55..66 CSPPlatform 'cspPlatform': Static (read-only) information about the CSP platform.
'A3' 4..n SET OF CSPClient 'clients': List of CSP Clients registered to this CSP Instance. Implicitly encoded as SET OF SEQUENCE:
'A3 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
'A4' 14..n SET OF CSPResource 'resources': List of resources along with their cryptographic configurations. Implicitly encoded as SET OF SEQUENCE:
'A4 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
'A5' 0..13 CSPSecureChannelSettings 'secureChannelSettings': Set the general secure channel authentication timeout. OPTIONAL
'A6' 0..5 CSPPolicySettings 'policySettings': Select policy mode for handling unavailable policy types. OPTIONAL
'A7' 0..5 CSPCounterSettings 'counterSettings': Select counter mode for handling unavailable counter types and sizes. OPTIONAL
'A8' 0..12 CSPTimeSettings 'timeSettings': Configure time management and handling of unavailable time. OPTIONAL
'A9' 0..n CSPAuditSettings 'auditSettings': Configure audit event logging and handling of unavailable event types. OPTIONAL
'AA' 0..5 CSPFieldSettings 'fieldSettings': Select field mode for handling unavailable signature fields. OPTIONAL

Used in: CSPGetConfigurationResponse

ASN 5-5: Core: ASN.1 Definition for CSPMode
Name Value Size Type Description
CSP_MODE_CONFIGURATION 0 1 INTEGER The CSP can be configured by the CSP Admin.
CSP_MODE_OPERATIONAL 1 1 INTEGER The CSP can be used by Client Applications.

Used in: CSPConfiguration

ASN 5-6: Core: ASN.1 Definition for CSPConfigVersion
Name Value Size Type Description
CSPConfigVersion 0..32767 1..2 INTEGER Version of the configuration of this CSP Instance.

Used in: CSPActivate, CSPSettings, CSPSignedConfigData, CSPEventDataUpdateConfig

ASN 5-7: Core: ASN.1 Definition for CSPConfigName
Name Size Type Description
CSPConfigName 32 OCTET STRING Name of the configuration of this CSP Instance; set by the CSP Admin.

Used in: CSPSettings, CSPSignedConfigData, CSPEventDataUpdateConfig

ASN 5-8: Core: ASN.1 Definition for CSPErrorMode
Name Value Size Type Description
ERROR_MODE_BASIC 0 1 INTEGER The CSP uses only codes 1000, 2000, 3000, 4000, 5000, 6000, 7000, 8000.
ERROR_MODE_DETAILED 1 1 INTEGER The CSP uses detailed error codes 1xxx-8xxx.

Used in: CSPCoreSupport, CSPSettings

ASN 5-9: Core: ASN.1 Definition for CSPPlatform
Tag Length Type Description Presence Default
SEQUENCE 53..64 CSPPlatform 'CSPPlatform': General information about the CSP platform.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Version of the CSP Protocol (Version).
'81' 3 CSPAPIVersion 'cspApiVersion': Version of the Java Card CSP API (Major, Minor, Patch).
'82' 2 CSPELFVersion 'cspELFVersion': Version of the CSP ELF file (Major, Minor).
'83' 32 OCTET STRING 'platformName': Name and version of the SE platform encoded in ASCII.
'84' 5..16 CSPAID 'cspInstanceAID': AID of the CSP Instance.

Used in: CSPConfiguration, CSPSignedPlatformData, CSPSignedConfigData

ASN 5-10: Core: ASN.1 Definition for CSPAPIVersion
Name Size Type Description
CSPAPIVersion 3 OCTET STRING Version of the Java Card CSP API (Major, Minor, Patch).

Used in: CSPPlatform

ASN 5-11: Core: ASN.1 Definition for CSPELFVersion
Name Size Type Description
CSPELFVersion 2 OCTET STRING Version of a CSP Application Executable Load File (Major, Minor).

Used in: CSPPlatform, CSPEventDataUpdateCSP

ASN 5-12: Core: ASN.1 Definition for CSPAID
Name Size Type Description
CSPAID 5..16 OCTET STRING Application Identifier (AID) of an Application or a Security Domain.

Used in: CSPPlatform, CSPClientReference, CSPClientApplication, CSPApplicationSD

ASN 5-13: Core: ASN.1 Definition for CSPBoolean
Name Size Type Description
CSPBoolean 2 OCTET STRING Secure boolean: TRUE is 0x7878, FALSE is 0x8787, other values are not defined.

Used in: CSPVerifySignatureResponse, CSPSetTimeResponse

ASN 5-14: Core: ASN.1 Definition for CSPChallenge
Name Size Type Description
CSPChallenge 16..512 OCTET STRING Challenge or nonce.

Used in: CSPSystemAttestation

ASN 5-15: Core: ASN.1 Definition for CSPSignature
Name Size Type Description
CSPSignature 64..65536 OCTET STRING Digital signature. Covers traditional RSA/ECDSA (512 bytes) and PQC (65KB).

Used in: CSPSignResponse, CSPVerifySignature, CSPSetTime, CSPPlatformAttestation, CSPConfigAttestation, CSPDataAttestation, CSPKeyPoPAttestation, CSPSignedPoPData

ASN 5-16: Resource: ASN.1 Definition for CSPResourceSupport
Tag Length Type Description Presence Default
SEQUENCE 0..17 CSPResourceSupport 'CSPResourceSupport': Supported resource features.
'A0' 0..15 SET OF CSPResourceType 'resourceTypes': Supported resource types. Implicitly encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

ASN 5-17a: Resource: ASN.1 Definition for CSPResource
Tag Length Type Description Presence Default
SEQUENCE 10..327 CSPResource 'CSPResource': Data structure representing a resource.
'80' 1..2 CSPResourceId 'resourceId': Unique identifier of the resource chosen by the CSP Admin.
'A1' 2..14 CSPResourceParams 'resourceParams': The resource-specific parameters (e.g., key type, curve, min-size). Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A1 L'
  'TA LA VA'
'82' 1 CSPUsageType 'usageType': The usage type specifying the CSP operations allowed for the resource.
'A3' 0..45 CSPAccessControl 'accessControl': Access control configuration for the resource. OPTIONAL
'A4' 0..37 CSPAlgorithms 'algorithms': The algorithm configuration of the resource. OPTIONAL
'A5' 0..80 CSPCounters 'counters': OPTIONAL
'A6' 0..32 CSPTimers 'timers': OPTIONAL
'A7' 0..100 SET OF CSPResourceEvent 'resourceEvents': The events that shall be audited for this resource. OPTIONAL

Used in: CSPCreateResource, CSPConfiguration

ASN 5-17b: Resource: ASN.1 Definition for CSPResourceParams
Tag Size Type Description Presence
CHOICE CSPResourceParams
'A0' 8..14 CSPKey "keyParams": Parameters specific to key resources. CONDITIONAL
'A1' 5 CSPCertificate "certificateParams": Parameters specific to certificate resources. CONDITIONAL
'A2' 5..14 CSPPassword "passwordParams": Parameters specific to password resources. CONDITIONAL
'A3' 2..11 CSPCounter "counterParams": Parameters specific to manual counter resources. CONDITIONAL
'A4' 4..9 CSPManualTimer "timerParams": Parameters specific to manual timer resources. CONDITIONAL

Used in: CSPResource

ASN 5-18: Resource: ASN.1 Definition for CSPResourceId
Name Value Size Type Description
CSPResourceId 0..32767 1..2 INTEGER Unique identifier of a Resource.

Used in: CSPDestroyResource, CSPConfigureResource, CSPSetValue, CSPSign, CSPVerifySignature, CSPEncrypt, CSPDecrypt, CSPResourceAttestation, CSPClearResource, CSPGenerateKey, CSPComputePublicKey, CSPDeriveKey, CSPSettings, CSPResource, CSPClient, CSPTimeSettings, CSPAuditSettings, CSPEventDataGeneralError, CSPEventDataResource, CSPEventDataKeyDerivation, CSPEventDataKeyAgreement, CSPEventDataPasswordFailure, CSPSource, CSPFieldValue, CSPPolicy

ASN 5-19: Resource: ASN.1 Definition for CSPResourceState
Name Value Size Type Description
STATE_UNINITIALIZED 1 1 INTEGER Uninitialized state for resources.
STATE_OPERATIONAL 2 1 INTEGER Operational state for resources.
STATE_BLOCKED 9 1 INTEGER Blocked state when the password try limit is reached.
STATE_EXHAUSTED 11 1 INTEGER Exhausted state when a counter exceeds the configured limit.
STATE_EXPIRED 12 1 INTEGER Expired state when a timer expires.

ASN 5-20: Resource: ASN.1 Definition for CSPResourceValue
Name Size Type Description
CSPResourceValue 64..32768 OCTET STRING The value of a public key, counter or timer resource.

Used in: CSPSignedData, CSPPopData

ASN 5-21: Resource: ASN.1 Definition for CSPResourceType
Name Value Size Type Description
RESOURCE_KEY 1 1 INTEGER Key resource type.
RESOURCE_CERTIFICATE 2 1 INTEGER Certificate resource type.
RESOURCE_PASSWORD 3 1 INTEGER Password resource type.
RESOURCE_COUNTER 4 1 INTEGER Counter resource type.
RESOURCE_TIMER 5 1 INTEGER Timer resource type.

Used in: CSPResourceSupport

ASN 5-22: Resource: ASN.1 Definition for CSPUsageType
Name Value Size Type Description
USAGE_CIPHER 1 1 INTEGER Restrict the use to cipher operations (keys).
USAGE_SIGNATURE 2 1 INTEGER Restrict the use to signature operations (keys).
USAGE_TRANSFORM 3 1 INTEGER Restrict the use to encryption transformation operations (keys).
USAGE_SECCHANNEL 4 1 INTEGER Restrict the use to secure message establishment (any).
USAGE_CONFIDENTIAL 5 1 INTEGER Restrict the use to confidential data transfer (keys).
USAGE_ATTESTATION 6 1 INTEGER Restrict the use as attestation signing key (keys).
USAGE_KEY 7 1 INTEGER Restrict the use to key derivation and key agreement (any).
USAGE_PASSWORD 9 1 INTEGER Restrict the use to password verification (passwords only).
USAGE_AUDIT 12 1 INTEGER Restrict the use as audit log message signing key (keys).
USAGE_OFFLOADING 13 1 INTEGER Restrict the use as offloading key for resource import/export (keys).

Used in: CSPResource

ASN 5-23: Resource: ASN.1 Definition for CSPAlgorithms
Tag Size Type Description Presence
CHOICE CSPAlgorithms
'80' 0 NULL "noneAlgorithm": No algorithm configured. CONDITIONAL
'A1' 5..8 CSPCipherAlgorithms "cipherAlgorithms": USAGE_CIPHER, USAGE_TRANSFORM, USAGE_CONFIDENTIAL. CONDITIONAL
'A2' 5..11 CSPSignatureAlgorithms "signatureAlgorithms": USAGE_SIGNATURE, USAGE_AUDIT. CONDITIONAL
'A3' 5 CSPSecureChannelAlgorithms "secChannelAlgorithms": USAGE_SECCHANNEL: secure channel authentication. CONDITIONAL
'A4' 9..37 CSPAttestationAlgorithms "attestationAlgorithm": USAGE_ATTESTATION, USAGE_AUDIT. CONDITIONAL
'A5' 5..8 CSPKeyDerivationAlgorithms "keyDerivationAlgorithm": USAGE_KEY: Key derivation algorithm. CONDITIONAL
'86' 1 CSPKeyAgreementScheme "keyAgreementScheme": USAGE_KEY: Key agreement scheme. CONDITIONAL

Used in: CSPConfigureResource, CSPResource

ASN 5-24: Core: ASN.1 Definition for CSPClient
Tag Length Type Description Presence Default
SEQUENCE 0..n CSPClient 'CSPClient': Data structure representing a Client Application or an off-card Client.
'80' 0..2 INTEGER 'clientId': An identifier of the CSP Client, chosen by the CSP Admin. OPTIONAL
'A1' 0..n CSPClientApplication 'clientApplication': The Client Application registered to the CSP. OPTIONAL
'82' 0..1 CSPProtocolType 'authProtocol': Restrict access to CSP services when a secure channel is fully established. OPTIONAL
'A3' 0..n SET OF CSPResourceId 'authResources': Resources required for the configured authProtocol. Implicitly encoded as SET OF INTEGER:
'A3 L'
  '02 L0 V0'
  '02 L1 V1'
  '...'
OPTIONAL

Used in: CSPRegisterClient, CSPConfiguration
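
The implicit SET OF INTEGER layout shown for 'authResources' can be decoded strictly, rejecting anything outside the CSPResourceId range of ASN 5-18. The following is an added example, not code from the specification; the function names and the sample bytes are constructed for illustration, and DER definite-length encoding is assumed.

```python
# Added example: strict decoder for the 'authResources' field of CSPClient
# (ASN 5-24). Tags 'A3' and '02' and the 0..32767 / 1..2 byte limits come
# from the tables; DER definite-length encoding is an assumption.

def read_tlv(buf, pos):
    """Read one TLV with a single-byte tag; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form
        length = first
    else:                                 # long form, at most 2 length bytes
        n = first & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or (n == 2 and length < 0x100):
            raise ValueError("non-minimal length encoding")
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_resource_id(value):
    """Decode a CSPResourceId: INTEGER, 1..2 bytes, range 0..32767."""
    if not 1 <= len(value) <= 2:
        raise ValueError("CSPResourceId must be 1..2 bytes")
    if value[0] & 0x80:
        raise ValueError("negative CSPResourceId")
    if len(value) == 2 and value[0] == 0 and not value[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(value, "big")


def decode_auth_resources(field):
    """Decode 'A3 L' followed by '02 Li Vi' items into a list of ids."""
    tag, body, end = read_tlv(field, 0)
    if tag != 0xA3:
        raise ValueError("expected tag 'A3' for authResources")
    if end != len(field):
        raise ValueError("trailing bytes after authResources")
    ids, pos = [], 0
    while pos < len(body):
        item_tag, value, pos = read_tlv(body, pos)
        if item_tag != 0x02:
            raise ValueError("expected INTEGER tag '02' inside authResources")
        ids.append(decode_resource_id(value))
    return ids


# Constructed sample: resource ids 5 and 300.
SAMPLE_AUTH_RESOURCES = bytes.fromhex("A30702010502" "02012C")

if __name__ == "__main__":
    print(decode_auth_resources(SAMPLE_AUTH_RESOURCES))
```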

ASN 5-25: Core: ASN.1 Definition for CSPClientReference
Tag Size Type Description Presence
CHOICE CSPClientReference
'80' 1..2 INTEGER "clientId": The identifier of the CSP Client to be de-registered. CONDITIONAL
'81' 5..16 CSPAID "aid": The AID of the Client Application that shall be de-registered. CONDITIONAL

Used in: CSPUnregisterClient, CSPAccessControl

ASN 5-26a: Core: ASN.1 Definition for CSPClientApplication
Tag Length Type Description Presence Default
SEQUENCE 10..n CSPClientApplication 'CSPClientApplication': Data structure representing a Client Application.
'80' 5..16 CSPAID 'applicationAID': AID of the Client Application.
'81' 0..n OCTET STRING 'loadFileDataBlockHash': Hash of the load data file block of the Client Application. OPTIONAL
'82' 0..1 BOOLEAN 'requiredDAPVerification': Client Application must be DAP-verified during load. OPTIONAL FALSE
'A3' 1..16 CSPApplicationSD 'applicationSD': AID of the SD of the Client Application. Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A3 L'
  'TA LA VA'

Used in: CSPClient

ASN 5-26b: Core: ASN.1 Definition for CSPApplicationSD
Tag Size Type Description Presence
CHOICE CSPApplicationSD
'80' 1 BOOLEAN "useCspSD": The Client Application uses the same SD AID as the CSP Application. CONDITIONAL
'81' 5..16 CSPAID "applicationSDAID": The Client Application uses a different SD AID than the CSP Application. CONDITIONAL

Used in: CSPClientApplication

ASN 5-27: Access: ASN.1 Definition for CSPAccessControl
Tag Length Type Description Presence Default
SEQUENCE 0..n CSPAccessControl 'CSPAccessControl': Data structure for access control configuration of a resource.
'80' 0..2 CSPAccessControlRules 'accessControlRules': ACR bitmask. OPTIONAL ANY_USE
'A1' 0..16 CSPClientReference 'owner': CSP Client that owns this resource. Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A1 L'
  'TA LA VA'
OPTIONAL null
'A2' 0..n SET OF CSPPolicy 'policies': Dynamic policy rules. OPTIONAL

Used in: CSPConfigureResource, CSPResource

ASN 5-28: Access: ASN.1 Definition for CSPAccessControlRules
b15 b14 b13 b12 b11 b10 b9 b8 b7 b6 b5 b4 b3 b2 b1 b0 CSPAccessControlRules
- - - - - - - - - - - 0 - - - 1 "ANY_USE": 1. Bit: all Client Applications are granted with ACCESS_USE.
- - - - - - - - - - 0 - - - 1 - "ANY_SETUP": 2. Bit: all Client Applications are granted with ACCESS_SETUP.
- - - - - - - - - 0 - - - 1 - - "ANY_CLEAR": 3. Bit: all Client Applications are granted with ACCESS_CLEAR.
- - - - - - - - 0 - - - 1 - - - "ANY_MOVE": 4. Bit: all Client Applications are granted with ACCESS_MOVE.
- - - - - - - - - - - 1 - - - 0 "OWNER_USE": 5. Bit: only Owner Application is granted with ACCESS_USE.
- - - - - - - - - - 1 - - - 0 - "OWNER_SETUP": 6. Bit: only Owner Application is granted with ACCESS_SETUP.
- - - - - - - - - 1 - - - 0 - - "OWNER_CLEAR": 7. Bit: only Owner Application is granted with ACCESS_CLEAR.
- - - - - - - - 1 - - - 0 - - - "OWNER_MOVE": 8. Bit: only Owner Application is granted with ACCESS_MOVE.
- - - - - - - 1 - - - - - - - - "ADMIN_USE": 9. Bit: the CSP Admin is granted with ACCESS_USE.
- - - - - - 1 - - - - - - - - - "ADMIN_SETUP": 10. Bit: the CSP Admin is granted with ACCESS_SETUP.
- - - - - 1 - - - - - - - - - - "ADMIN_CLEAR": 11. Bit: the CSP Admin is granted with ACCESS_CLEAR.
- - - - 1 - - - - - - - - - - - "ADMIN_MOVE": 12. Bit: the CSP Admin is granted with ACCESS_MOVE.
- - - 1 - - - - - - - - - - - - "CLIENT_USE": 13. Bit: all off-card Clients are granted with ACCESS_USE.
- - 1 - - - - - - - - - - - - - "CLIENT_SETUP": 14. Bit: all off-card Clients are granted with ACCESS_SETUP.
- 1 - - - - - - - - - - - - - - "CLIENT_CLEAR": 15. Bit: all off-card Clients are granted with ACCESS_CLEAR.
1 - - - - - - - - - - - - - - - "CLIENT_MOVE": 16. Bit: all off-card Clients are granted with ACCESS_MOVE.

Used in: CSPAccessControl
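
The bitmask table above pairs each ANY_* bit with a cleared OWNER_* bit and vice versa, so a mask with both set for the same right does not match any row. The following added example (not code from the specification) decodes a mask and reports such conflicts together with the grants that reach all Client Applications or off-card Clients; handling the mask as a 16-bit unsigned integer with b0 as the least significant bit is an assumption, and the function names are hypothetical.

```python
# Added example, not part of the specification. Bit positions are taken from
# ASN 5-28; treating the mask as a 16-bit unsigned integer with b0 as the
# least significant bit is an assumption of this example.
SCOPES = ("ANY", "OWNER", "ADMIN", "CLIENT")   # b0..b3, b4..b7, b8..b11, b12..b15
RIGHTS = ("USE", "SETUP", "CLEAR", "MOVE")

# Rule name -> bit value, e.g. ANY_USE = 0x0001, CLIENT_MOVE = 0x8000.
ACR_BITS = {
    f"{scope}_{right}": 1 << (4 * s + r)
    for s, scope in enumerate(SCOPES)
    for r, right in enumerate(RIGHTS)
}


def decode_acr(mask):
    """Return the names of all rule bits set in a 16-bit ACR mask."""
    if not isinstance(mask, int) or not 0 <= mask <= 0xFFFF:
        raise ValueError("ACR mask must be an integer in 0..0xFFFF")
    return [name for name, bit in ACR_BITS.items() if mask & bit]


def find_conflicts(mask):
    """Return (ANY_x, OWNER_x) pairs that are both set for the same right.

    Each ANY_x row of the table requires the OWNER_x bit to be 0 and each
    OWNER_x row requires the ANY_x bit to be 0.
    """
    names = set(decode_acr(mask))
    return [
        (f"ANY_{right}", f"OWNER_{right}")
        for right in RIGHTS
        if f"ANY_{right}" in names and f"OWNER_{right}" in names
    ]


def audit_acr(mask):
    """Summarise a mask for configuration review."""
    names = decode_acr(mask)
    return {
        "rules": names,
        "conflicts": find_conflicts(mask),
        "granted_to_all_client_applications":
            [n for n in names if n.startswith("ANY_")],
        "granted_to_off_card_clients":
            [n for n in names if n.startswith("CLIENT_")],
    }


if __name__ == "__main__":
    # Constructed sample masks.
    for sample in (0x0001, 0x0110, 0x8111):
        print(f"{sample:#06x}", audit_acr(sample))
```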

ASN 6-1: Cipher: ASN.1 Definition for CSPCipherSupport
Tag Length Type Description Presence Default
SEQUENCE 0..61 CSPCipherSupport 'CSPCipherSupport': Checks for cipher functionality support and supported algorithms.
'A0' 0..36 SET OF CSPPaddingAlgorithm 'paddingsAlgorithms': Padding algorithms. Implicitly encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A1' 0..21 SET OF CSPCipherAlgorithm 'cipherAlgorithms': Cipher algorithms. Implicitly encoded as SET OF ENUMERATED:
'A1 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-2: Cipher: ASN.1 Definition for CSPCipherAlgorithms
Tag Length Type Description Presence Default
SEQUENCE 3..6 CSPCipherAlgorithms 'CSPCipherAlgorithms': Cipher configuration for a specific resource.
'80' 1 CSPCipherAlgorithm 'cipherAlgorithm': The cipher algorithm.
'81' 0..1 CSPPaddingAlgorithm 'paddingAlgorithm': The padding algorithm. OPTIONAL PAD_NULL

Used in: CSPAlgorithms

ASN 6-3: Cipher: ASN.1 Definition for CSPPaddingAlgorithm
Name Value Size Type Description
PAD_NULL 0 1 INTEGER No padding; for use when padding is not supported by the algorithm.
PAD_NOPAD 1 1 INTEGER No padding is applied to the data, even when the algorithm usually pads.
PAD_ISO9797_1_M2_ALG3 5 1 INTEGER Padding based on the ISO 9797-1 MAC algo 3 with method 2 [ISO 9797-1].
PAD_PKCS1 7 1 INTEGER Padding based on the PKCS#1 v1.5 scheme [RFC 8017].
PAD_PKCS1_PSS 8 1 INTEGER Padding based on the PKCS#1-PSS scheme [IEEE 1363-2000].
PAD_PKCS1_OAEP_SHA256 14 1 INTEGER Padding based on the PKCS#1-OAEP scheme [IEEE 1363-2000] with SHA256.
PAD_PKCS1_OAEP_SHA384 15 1 INTEGER Padding based on the PKCS#1-OAEP scheme [IEEE 1363-2000] with SHA384.
PAD_PKCS1_OAEP_SHA512 16 1 INTEGER Padding based on the PKCS#1-OAEP scheme [IEEE 1363-2000] with SHA512.
PAD_PKCS1_OAEP_SHA3_256 18 1 INTEGER Padding based on the PKCS#1-OAEP scheme [IEEE 1363-2000] with SHA3-256.
PAD_PKCS1_OAEP_SHA3_384 19 1 INTEGER Padding based on the PKCS#1-OAEP scheme [IEEE 1363-2000] with SHA3-384.
PAD_PKCS1_OAEP_SHA3_512 20 1 INTEGER Padding based on the PKCS#1-OAEP scheme [IEEE 1363-2000] with SHA3-512.
PAD_PKCS7 2 1 INTEGER Padding based on the PKCS#7 scheme [RFC 5652].

Used in: CSPCipherSupport, CSPCipherAlgorithms, CSPSignatureAlgorithms

ASN 6-4: Cipher: ASN.1 Definition for CSPCipherAlgorithm
Name Value Size Type Description
CIPHER_AES_CBC 1 1 INTEGER Cipher using AES [FIPS 197] with block size 128 in CBC mode [FIPS 81].
CIPHER_AES_CFB 28 1 INTEGER Cipher using AES [FIPS 197] in Cipher Feedback (CFB) mode [FIPS 81].
CIPHER_AES_CTR 240 1 INTEGER Cipher using AES [FIPS 197] in counter (CTR) mode [ISO 10116].
CIPHER_AES_GCM 241 1 INTEGER Cipher using AES [FIPS 197] Galois/Counter Mode [SP800-38D].
CIPHER_AES_CCM 242 1 INTEGER Cipher using AES [FIPS 197] in Counter with CBC-MAC mode [SP800-38C].
CIPHER_AES_XTS 10 1 INTEGER Cipher using AES [FIPS 197] in XTS mode [IEEE 1619-2018].
CIPHER_RSA 7 1 INTEGER Cipher using RSA [PKCS #1].

Used in: CSPCipherSupport, CSPCipherAlgorithms

ASN 6-5: Signature: ASN.1 Definition for CSPSignatureSupport
Tag Length Type Description Presence Default
SEQUENCE 0..37 CSPSignatureSupport 'CSPSignatureSupport': Checks for signature functionality support and supported algorithms.
'A0' 0..21 SET OF CSPMessageDigestAlgorithm 'messageDigestAlgorithms': Message digest algorithms. Implicitly encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A1' 0..12 SET OF CSPSignatureAlgorithm 'signatureAlgorithms': Signature algorithms. Implicitly encoded as SET OF ENUMERATED:
'A1 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-6: Signature: ASN.1 Definition for CSPMessageDigestAlgorithm
Name Value Size Type Description
ALG_NULL 0 1 INTEGER No message digest is applied to the data.
ALG_SHA_256 4 1 INTEGER SHA-256 [FIPS 81] with block size of 64 and hash size of 32 bytes.
ALG_SHA_384 5 1 INTEGER SHA-384 [FIPS 81] with block size of 128 and hash value of 64 bytes.
ALG_SHA_512 6 1 INTEGER SHA-512 [FIPS 81] with block size of 128 and hash size of 64 bytes.
ALG_SHA3_256 9 1 INTEGER SHA3-256 [FIPS 180-4] with block size of 64 and hash size of 32 bytes.
ALG_SHA3_384 10 1 INTEGER SHA3-384 [FIPS 180-4] with block size of 128 and hash size of 64 bytes.
ALG_SHA3_512 11 1 INTEGER SHA3-512 [FIPS 180-4] with block size of 128 and hash size of 64 bytes.

Used in: CSPSignatureSupport, CSPSignatureAlgorithms, CSPKeyDerivationAlgorithms

ASN 6-7: Signature: ASN.1 Definition for CSPSignatureAlgorithm
Name Value Size Type Description
SIG_AES_CMAC128 10 1 INTEGER Signature according to [ISO 9797-1]: AES 128-bit block and 16-byte CMAC.
SIG_AES_MAC128 6 1 INTEGER Signature according to [SP800-38B]: AES 128-bit block and 16-byte MAC.
SIG_HMAC 7 1 INTEGER Signature using HMAC according to [FIPS 198-1].
SIG_RSA 3 1 INTEGER RSA signature according to [IEEE 1363-2000] with PKCS#1-PSS.

Used in: CSPSignatureSupport, CSPSignatureAlgorithms

ASN 6-8: Signature: ASN.1 Definition for CSPSignatureAlgorithms
Tag Length Type Description Presence Default
SEQUENCE 3..9 CSPSignatureAlgorithms 'CSPSignatureAlgorithms': Signature configuration for a specific resource.
'80' 1 CSPSignatureAlgorithm 'signatureAlgorithm': The signature algorithm.
'81' 0..1 CSPPaddingAlgorithm 'paddingAlgorithm': The padding algorithm. OPTIONAL PAD_NULL
'82' 0..1 CSPMessageDigestAlgorithm 'messageDigestAlgorithm': The message digest algorithm. OPTIONAL ALG_NULL

Used in: CSPAlgorithms, CSPAttestationAlgorithms, CSPConfigAttestation, CSPDataAttestation, CSPKeyPoPAttestation

ASN 6-9: SecChannel: ASN.1 Definition for CSPSecureChannelSupport
Tag Length Type Description Presence Default
SEQUENCE 0..6 CSPSecureChannelSupport 'CSPSecureChannelSupport': Checks for secure channel functionality support and supported protocols.
'80' 0..1 CSPProtocolType 'protocolTypes': Secure channel protocol types. OPTIONAL
'81' 0..1 CSPSecurityFunction 'securityFunctions': Secure channel security functions. OPTIONAL

Used in: CSPEnforce

ASN 6-10: SecChannel: ASN.1 Definition for CSPSecureChannelSettings
Tag Length Type Description Presence Default
SEQUENCE 0..11 CSPSecureChannelSettings 'CSPSecureChannelSettings': General secure channel settings for the CSP Instance.
'A0' 0..9 CSPTimeout 'securityTimeout': Secure channel timeout in seconds (TIMER_SECURITY_TIMEOUT). OPTIONAL

Used in: CSPSetup, CSPConfiguration

ASN 6-11: SecChannel: ASN.1 Definition for CSPProtocolType
Name Value Size Type Description
PROTOCOL_PACE 17 1 INTEGER Password Authenticated Connection Establishment [TR-03110-3].
PROTOCOL_EAC_ID 18 1 INTEGER Extended Access Control v2 (PACE, TA2, CA2, CA3) [TR-03110-3].
PROTOCOL_EAC_MRTD 19 1 INTEGER Extended Access Control v1 (PACE, CA1, TA1) [ICAO 9303-11].
PROTOCOL_PACE_CAM 20 1 INTEGER PACE with Chip Authentication Mapping (PACE, CA1, TA1) [ICAO 9303-11].
PROTOCOL_SCP03 5 1 INTEGER GP Secure Channel Protocol '03' [GP Amd D].
PROTOCOL_SCP04 21 1 INTEGER GP Secure Channel Protocol '04' [GP Amd K].

Used in: CSPClient, CSPSecureChannelSupport

ASN 6-12: SecChannel: ASN.1 Definition for CSPSecureChannelAlgorithms
Tag Length Type Description Presence Default
SEQUENCE 3 CSPSecureChannelAlgorithms 'CSPSecureChannelAlgorithms': Secure channel configuration for a specific resource.
'80' 1 CSPSecurityFunction 'securityFunction': The security function of the protocol.

Used in: CSPAlgorithms

ASN 6-13: SecChannel: ASN.1 Definition for CSPSecurityFunction
Name Value Size Type Description
SEC_PACE_PIN 1 1 INTEGER Password Authenticated Connection Establishment (PACE) PIN [TR-03110-2].
SEC_PACE_PUK 2 1 INTEGER Personal Unblocking Key (PUK) for PACE [TR-03110-2].
SEC_PACE_CAN 3 1 INTEGER Personal Unblocking Key (PUK) for PACE [TR-03110-1].
SEC_PACE_MRZ 4 1 INTEGER Personal Unblocking Key (PUK) for PACE [TR-03110-2].
SEC_TA_AT_ROOT 5 1 INTEGER Authentication Terminal Root Certificate (AT-Root) for eID [TR-03110-2].
SEC_TA_IS_ROOT 6 1 INTEGER Inspection System Root Certificate (IS-Root) for MRTD [TR-03110-2].
SEC_CA1 7 1 INTEGER Chip Authentication v1 (CA1) for MRTD [TR-03110-1].
SEC_CA2 8 1 INTEGER Chip Authentication v2 (CA2) group key for eID [TR-03110-2].
SEC_CA2_PRIVILEGED 9 1 INTEGER Chip-specific CA2 key for Privileged Terminals eID [TR-03110-3].
SEC_CA3 10 1 INTEGER Chip Authentication v3 (CA3) group key for eID [TR-03110-2].
SEC_CA3_PSA 11 1 INTEGER Chip-specific CA3 key for Pseudonymous Secure Authentication (PSA) eID.
SEC_TA_DV 12 1 INTEGER Output: Document Verify certificate received during EAC [TR-03110-3].
SEC_TA_TERMINAL 13 1 INTEGER Output: Certificate received from individual terminals [TR-03110-3].
SEC_TA_AT_LINKED 14 1 INTEGER Output: Linked TA certificate for rollover in eID [TR-03110-3].
SEC_TA_IS_LINKED 15 1 INTEGER Output: Linked TA certificate for rollover in MRTD [TR-03110-3].
SEC_KENC 32 1 INTEGER Encryption Key for SCP03 [GP Amd D] and SCP04 [GP Amd K].
SEC_KMAC 33 1 INTEGER MAC Key for SCP03 [GP Amd D] and SCP04 [GP Amd K].

Used in: CSPSecureChannelSupport, CSPSecureChannelAlgorithms

ASN 6-14: Attestation: ASN.1 Definition for CSPAttestationSupport
Tag Length Type Description Presence Default
SEQUENCE 0..11 CSPAttestationSupport 'CSPAttestationSupport': Checks for attestation functionality support and supported algorithms.
'A0' 0..9 SET OF CSPResourceAttestationType 'resourceAttestationTypes': Resource attestation types, such as Data or PoP attestations. Implicitly encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-15: Attestations: ASN.1 Definition for CSPSystemAttestationType
Name Value Size Type Description
ATTESTATION_PLATFORM 1 1 INTEGER Attestation of the SE Platform the CSP is operated on.
ATTESTATION_CONFIG 2 1 INTEGER Attestation of the configuration of this CSP Instance.

Used in: CSPSystemAttestation, CSPSignedPlatformData, CSPSignedConfigData

ASN 6-16: Attestations: ASN.1 Definition for CSPResourceAttestationType
Name Value Size Type Description
ATTESTATION_DATA 3 1 INTEGER Attestation of external data with public key, counter or timer.
ATTESTATION_KEY_POP 4 1 INTEGER Attestation of public key with proof of possession for the private key.
ATTESTATION_KEY_GENERATION 5 1 INTEGER Generates a new key pair and returns a PoP attestation.

Used in: CSPResourceAttestation, CSPAttestationSupport, CSPSignedData, CSPPopData

ASN 6-17: Signature: ASN.1 Definition for CSPAttestationAlgorithms
Tag Length Type Description Presence Default
SEQUENCE 7..n CSPAttestationAlgorithms 'CSPAttestationAlgorithms': Attestation configuration for a specific resource.
'A0' 5..11 CSPSignatureAlgorithms 'signatureAlgorithms': The signature, padding and message digest algorithms.
'A1' 0..n SEQUENCE OF CSPField 'fieldsAddedAsPrefix': Add signature fields (e.g., counter) to the beginning of data to sign. Implicitly encoded as SEQUENCE OF SEQUENCE:
'A1 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
OPTIONAL
'A2' 0..n SEQUENCE OF CSPField 'fieldsAddedAsSuffix': Add signature fields (e.g., counter) to the end of data to sign. Implicitly encoded as SEQUENCE OF SEQUENCE:
'A2 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
OPTIONAL

Used in: CSPAlgorithms

ASN 6-18aa: Attestations: ASN.1 Definition for CSPPlatformAttestation
Tag Length Type Description Presence Default
SEQUENCE 2223..n CSPPlatformAttestation 'CSPPlatformAttestation': Response of a platform attestation.
'A0' 2153..n CSPSignedPlatformData 'signedPlatformData': The attestation data to be signed, including tags and lengths.
'81' 64..65536 CSPSignature 'signature': Signature over the entire signedPlatformData according to [GP Amd A].

Used in: CSPSystemAttestationResponse

ASN 6-18ab: Attestations: ASN.1 Definition for CSPSignedPlatformData
Tag Length Type Description Presence Default
SEQUENCE 2149..n CSPSignedPlatformData 'CSPSignedPlatformData': The attestation data to be signed, including tags and lengths.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Version of the CSP Admin Protocol used.
'81' 0..1 CSPSystemAttestationType 'attestationType': The type of the attestation being computed (i.e., platform). OPTIONAL ATTESTATION_PLATFORM
'A2' 55..66 CSPPlatform 'platform': Information about the CSP platform.
'83' 2048..32768 OCTET STRING 'platform-DLOA-XML': Platform DLOA XML according to A.1 / A.2.1 of [GP DLOA].
'84' 0..32768 OCTET STRING 'csp-application-DLOA-XML': Application DLOA according to A.1 / A.2.2 of [GP DLOA]. OPTIONAL
'85' 0..32768 OCTET STRING 'inputData': Input data, e.g. a challenge, provided within the command. OPTIONAL
'A6' 35..n SecurityEnvironmentTemplate 'SecurityEnvironmentTemplate': Data structure according to [GP Amd A] section 5.3.1.

Used in: CSPPlatformAttestation

ASN 6-18b: Attestations: ASN.1 Definition for ClientApplicationInformation
Tag Length Type Description Presence Default
SEQUENCE 19..n ClientApplicationInformation 'ClientApplicationInformation': Copied from [GP Amd A] section 5.3.1 to avoid ASN.1 compiler issues.
'00' 1 OCTET STRING 'requestedSignatureMode': The signature mode selected by the CSP Application with init().
'01' 5..16 OCTET STRING 'instanceAID': The AID of the CSP Application.
'02' 5..16 OCTET STRING 'executableLoadFileAID': The AID of the CSP ELF.
'03' 0..n OCTET STRING 'executableLoadFileVersionNumber': The version of the CSP ELF; e.g., 2-byte major, minor for CAP file.

Used in: SecurityEnvironmentTemplate

ASN 6-18c: Attestations: ASN.1 Definition for SecurityEnvironmentTemplate
Tag Length Type Description Presence Default
SEQUENCE 33..n SecurityEnvironmentTemplate 'SecurityEnvironmentTemplate': Data structure according to [GP Amd A] section 5.3.1.
'00' 21..n ClientApplicationInformation 'clientApplicationInformation': Information about the CSP Application.
'01' 6..n AlgorithmIdentifier 'signatureAlgorithm': Information about the algorithm used by the CASD.
'02' 0..n OCTET STRING 'keyIdentifier': Identifier of the PK.CASD-SIGN.AUT to verify the signature ([GP Amd A]).

Used in: CSPSignedPlatformData

ASN 6-18d: Attestations: ASN.1 Definition for AlgorithmIdentifier
Tag Length Type Description Presence Default
SEQUENCE 4..n AlgorithmIdentifier 'AlgorithmIdentifier': Data structure according to [GP Amd A] section 5.3.1.
'80' 2..n OBJECT IDENTIFIER 'algorithm': The OID of an ECDSA algorithm as specified in [RFC 5758] section 3.2.

Used in: SecurityEnvironmentTemplate

ASN 6-19a: Attestations: ASN.1 Definition for CSPConfigAttestation
Tag Length Type Description Presence Default
SEQUENCE 195..98471 CSPConfigAttestation 'CSPConfigAttestation': Response of a config attestation.
'A0' 117..32910 CSPSignedConfigData 'signedConfigData': The attestation data to be signed, including tags and lengths.
'81' 64..65536 CSPSignature 'signature': Signature over the signedConfigData using the config attestation key.
'A2' 5..11 CSPSignatureAlgorithms 'signatureAlgorithm': The algorithm used to sign the data.
'A3' 1 CSPKeySizeOrCurve 'signaturKeySizeOrCurve': Key parameters of the attestation key. Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A3 L'
  'TA LA VA'

Used in: CSPSystemAttestationResponse

ASN 6-19b: Attestations: ASN.1 Definition for CSPSignedConfigData
Tag Length Type Description Presence Default
SEQUENCE 115..n CSPSignedConfigData 'CSPSignedConfigData': The attestation data to be signed, including tags and lengths.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Version of the CSP Admin Protocol used.
'81' 0..1 CSPSystemAttestationType 'attestationType': The type of the attestation being computed (i.e., config). OPTIONAL ATTESTATION_CONFIG
'A2' 0..n SET OF CSPField 'fieldsAddedAsPrefix': Additional Fields to be included; configured by the CSP Admin. Implicitly encoded as SET OF SEQUENCE:
'A2 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
OPTIONAL
'83' 32 CSPConfigName 'configName': Custom name set by the CSP Admin via CSPSetup.
'84' 1..2 CSPConfigVersion 'configVersion': Custom version set by the CSP Admin via CSPSetup.
'A5' 55..66 CSPPlatform 'cspPlatform': Information about the CSP platform.
'86' 16..32768 OCTET STRING 'inputData': Input data, e.g. a challenge, provided within the command.
'A7' 0..n SET OF CSPField 'fieldsAddedAsSuffix': Additional Fields to be included; configured by the CSP Admin. Implicitly encoded as SET OF SEQUENCE:
'A7 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
OPTIONAL

Used in: CSPConfigAttestation

ASN 6-20a: Attestations: ASN.1 Definition for CSPDataAttestation
Tag Length Type Description Presence Default
SEQUENCE 101..131139 CSPDataAttestation 'CSPDataAttestation': Response of a data attestation (signature over external and internal data).
'A0' 23..65577 CSPSignedData 'signedData': The attestation data to be signed, including tags and lengths.
'81' 64..65536 CSPSignature 'signature': Signature over the signedData using the attestation key.
'A2' 5..11 CSPSignatureAlgorithms 'signatureAlgorithm': The algorithm used to sign the data.
'A3' 1 CSPKeySizeOrCurve 'signaturKeySizeOrCurve': Key parameters of the attestation key. Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A3 L'
  'TA LA VA'

Used in: CSPResourceAttestationResponse

ASN 6-20b: Attestations: ASN.1 Definition for CSPSignedData
Tag Length Type Description Presence Default
SEQUENCE 21..n CSPSignedData 'CSPSignedData': The attestation data to be signed, including tags and lengths.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Version of the CSP Admin Protocol used.
'81' 0..1 CSPResourceAttestationType 'attestationType': The type of the attestation being computed (i.e., data attestation). OPTIONAL ATTESTATION_DATA
'A2' 0..n SET OF CSPField 'fieldsAddedAsPrefix': Additional Fields to be included; configured by the CSP Admin. Implicitly encoded as SET OF SEQUENCE:
'A2 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
OPTIONAL
'83' 16..32768 OCTET STRING 'inputData': The input data, e.g. a challenge, provided within the command.
'84' 0..32768 CSPResourceValue 'resourceValue': CSP-internal resource value: public key, counter or timer. OPTIONAL
'A5' 0..n SET OF CSPField 'fieldsAddedAsSuffix': Additional Fields to be included; configured by the CSP Admin. Implicitly encoded as SET OF SEQUENCE:
'A5 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
OPTIONAL

Used in: CSPDataAttestation

ASN 6-21a: Attestations: ASN.1 Definition for CSPKeyPoPAttestation
Tag Length Type Description Presence Default
SEQUENCE 249..229478 CSPKeyPoPAttestation 'CSPKeyPoPAttestation': Response of a key attestation including a Proof of Possession (PoP).
'A0' 160..163900 CSPSignedPoPData 'signedPoPData': The attestation data to be signed, including tags and lengths.
'81' 64..65536 CSPSignature 'signature': Signature over the entire signedPoPData using the attestation key.
'A2' 5..11 CSPSignatureAlgorithms 'signatureAlgorithm': The algorithm used to sign the signedPoPData.
'A3' 1 CSPKeySizeOrCurve 'signaturKeySizeOrCurve': Key parameters of attestation key. Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A3 L'
  'TA LA VA'
'A4' 5..11 CSPSignatureAlgorithms 'popSignatureAlgorithm': The algorithm used to sign the popData.
'A5' 1 CSPKeySizeOrCurve 'popSignaturKeySizeOrCurve': Key parameters of the private key.

Used in: CSPResourceAttestationResponse

ASN 6-21ba: Attestations: ASN.1 Definition for CSPSignedPoPData
Tag Length Type Description Presence Default
SEQUENCE 157..163895 CSPSignedPoPData 'CSPSignedPoPData': The attestation data to be signed, including tags and lengths.
'80' 1 CSPProtocolVersion 'cspProtocolVersion': Version of the CSP Admin Protocol used.
'A1' 86..98346 CSPPopData 'popData': Proof Of Possession data to be signed, including tags and lengths.
'82' 64..65536 CSPSignature 'popDataSignature': Signature over the popData using the private key.

Used in: CSPKeyPoPAttestation

ASN 6-21bb: Attestations: ASN.1 Definition for CSPPopData
Tag Length Type Description Presence Default
SEQUENCE 84..n CSPPopData 'CSPPopData': Proof Of Possession data to be signed, including tags and lengths.
'80' 0..1 CSPResourceAttestationType 'attestationType': The type of the attestation being computed (i.e., PoP). OPTIONAL ATTESTATION_KEY_POP
'A1' 0..n SET OF CSPField 'fieldsAddedAsPrefix': Additional Fields to be included; configured by the CSP Admin. Implicitly encoded as SET OF SEQUENCE:
'A1 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
OPTIONAL
'82' 64..32768 CSPResourceValue 'publicKey': Public key value to attest.
'83' 0..32768 CSPResourceValue 'publicAttestationKey': Public attestation key to verify the signature over signedPoPData. OPTIONAL
'84' 16..32768 OCTET STRING 'inputData': Input data, e.g., a challenge, provided within the command.
'A5' 0..n SET OF CSPField 'fieldsAddedAsSuffix': Additional Fields to be included; configured by the CSP Admin. Implicitly encoded as SET OF SEQUENCE:
'A5 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
OPTIONAL

Used in: CSPSignedPoPData

ASN 6-22: Key: ASN.1 Definition for CSPKeySupport
Tag Length Type Description Presence Default
SEQUENCE 0..104 CSPKeySupport 'CSPKeySupport': Checks for key management support and supported algorithms.
'A0' 0..57 SET OF CSPKeySize 'keySizes': Key types, such as AES, RSA or ECC with key sizes. Implicitly encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A1' 0..21 SET OF CSPCurve 'curves': Curves / ECC domain parameter sets. Implicitly encoded as SET OF ENUMERATED:
'A1 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A2' 0..12 SET OF CSPKeyDerivationAlgorithm 'keyDerivationAlgorithms': Key derivation algorithms. Implicitly encoded as SET OF ENUMERATED:
'A2 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A3' 0..6 SET OF CSPKeyAgreementScheme 'keyAgreementSchemes': Key agreement schemes. Implicitly encoded as SET OF ENUMERATED:
'A3 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-23: Key: ASN.1 Definition for CSPKey
Tag Length Type Description Presence Default
SEQUENCE 6..12 CSPKey 'CSPKey': Additional attributes required by key resources.
'80' 1 CSPKeyType 'type': The cryptographic keyType.
'81' 1 CSPKeySize 'size': The cryptographic keySize; also mandatory for ECC keys.
'82' 0..1 CSPCurve 'curve': ECC curve parameters; only relevant for ECC keys. OPTIONAL
'83' 0..1 BOOLEAN 'transient': Flag indicating the key is transient. OPTIONAL FALSE

Used in: CSPResourceParams

ASN 6-24: Key: ASN.1 Definition for CSPKeyType
Name Value Size Type Description
KEY_AES 1 1 INTEGER Symmetric key used with Advanced Encryption Standard (AES).
KEY_HMAC 2 1 INTEGER Symmetric key used to create HMAC-based signatures.
KEY_ECC_PUBLIC 3 1 INTEGER Public key used for Elliptic Curve Cryptography (ECC).
KEY_ECC_PRIVATE 4 1 INTEGER Private key used for Elliptic Curve Cryptography (ECC).
KEY_RSA_PUBLIC 5 1 INTEGER Public key for Rivest-Shamir-Adleman (RSA) algorithms.
KEY_RSA_PRIVATE 6 1 INTEGER Private key for Rivest-Shamir-Adleman (RSA) algorithms.
MASTER_SECRET 7 1 INTEGER Secret generated within the CSP, used for key derivation.
DERIVED_SECRET 8 1 INTEGER Secret result from key derivation, used for further key derivation.
KEY_SHARED_SECRET 9 1 INTEGER Secret from key agreement, used for key derivation.

Used in: CSPKey

ASN 6-25: Key: ASN.1 Definition for CSPKeySize
Name Value Size Type Description
KEY_AES_128 1 1 INTEGER KEY_AES 128 bit.
KEY_AES_256 3 1 INTEGER KEY_AES 256 bit.
KEY_AES_2_128 5 1 INTEGER KEY_AES 2x128 bit for CIPHER_AES_XTS.
KEY_AES_2_256 7 1 INTEGER KEY_AES 2x256 bit for CIPHER_AES_XTS.
KEY_HMAC_256 10 1 INTEGER KEY_HMAC 256 bit.
KEY_HMAC_384 11 1 INTEGER KEY_HMAC 384 bit.
KEY_HMAC_512 12 1 INTEGER KEY_HMAC 512 bit.
KEY_ECC_256 16 1 INTEGER KEY_ECC_PUBLIC and KEY_ECC_PRIVATE 256 bit.
KEY_ECC_384 17 1 INTEGER KEY_ECC_PUBLIC and KEY_ECC_PRIVATE 384 bit.
KEY_ECC_512 18 1 INTEGER KEY_ECC_PUBLIC and KEY_ECC_PRIVATE 512 bit.
KEY_ECC_521 19 1 INTEGER KEY_ECC_PUBLIC and KEY_ECC_PRIVATE 521 bit.
KEY_RSA_2048 26 1 INTEGER KEY_RSA_PUBLIC and KEY_RSA_PRIVATE 2048 bit.
KEY_RSA_3072 27 1 INTEGER KEY_RSA_PUBLIC and KEY_RSA_PRIVATE 3072 bit.
KEY_RSA_4096 28 1 INTEGER KEY_RSA_* 4096 bit; do not generate, recommended for import only.
KEY_SECRET_128 32 1 INTEGER KEY_MASTER_SECRET, KEY_DERIVED_SECRET and KEY_SHARED_SECRET 128 bit.
KEY_SECRET_256 33 1 INTEGER KEY_MASTER_SECRET, KEY_DERIVED_SECRET and KEY_SHARED_SECRET 256 bit.
KEY_SECRET_384 34 1 INTEGER KEY_MASTER_SECRET, KEY_DERIVED_SECRET and KEY_SHARED_SECRET 384 bit.
KEY_SECRET_512 35 1 INTEGER KEY_MASTER_SECRET, KEY_DERIVED_SECRET and KEY_SHARED_SECRET 512 bit.
KEY_SECRET_576 36 1 INTEGER KEY_MASTER_SECRET and KEY_DERIVED_SECRET.

Used in: CSPKeySupport, CSPKey, CSPKeySizeOrCurve

ASN 6-26: Key: ASN.1 Definition for CSPCurve
Name Value Size Type Description
CURVE_BRAINPOOL_P256_R1 1 1 INTEGER Brainpool P256 r1 [RFC 5639].
CURVE_BRAINPOOL_P384_R1 2 1 INTEGER Brainpool P384 r1 [RFC 5639].
CURVE_BRAINPOOL_P512_R1 3 1 INTEGER Brainpool P512 r1 [RFC 5639].
CURVE_SEC_P256_R1 4 1 INTEGER NIST's P-256 curve [SP800-186].
CURVE_SEC_P384_R1 5 1 INTEGER NIST's P-384 curve [SP800-186].
CURVE_SEC_P521_R1 6 1 INTEGER NIST's P-521 curve [SP800-186].
CURVE_X25519 7 1 INTEGER 256-bit, only key agreement [RFC 7748].

Used in: CSPKeySupport, CSPKey, CSPKeySizeOrCurve

ASN 6-27: Key: ASN.1 Definition for CSPKeySizeOrCurve
Tag Size Type Description Presence
CHOICE CSPKeySizeOrCurve
'80' 1 CSPKeySize "size": The keySize in number of bits (not for ECC_*). CONDITIONAL
'81' 1 CSPCurve "curve": ECC curve relevant for keys of type ECC_*. CONDITIONAL

Used in: CSPConfigAttestation, CSPDataAttestation, CSPKeyPoPAttestation

ASN 6-28: Cipher: ASN.1 Definition for CSPKeyDerivationAlgorithms
Tag Length Type Description Presence Default
SEQUENCE 3..6 CSPKeyDerivationAlgorithms 'CSPKeyDerivationAlgorithms': Key derivation configuration for a specific resource.
'80' 1 CSPKeyDerivationAlgorithm 'keyDerivationAlgorithm': The key derivation algorithm.
'81' 0..1 CSPMessageDigestAlgorithm 'keyDerivationHashAlgorithm': The hash algorithm used for the key derivation. OPTIONAL ALG_NULL

Used in: CSPAlgorithms

ASN 6-29: Key: ASN.1 Definition for CSPKeyDerivationAlgorithm
Name Value Size Type Description
KDF_AES_CMAC 1 1 INTEGER Two-step key derivation [SP800-56C].
KDF_ECC 2 1 INTEGER ECC private key derivation from a secret [TR-03111].
KDF_HKDF 3 1 INTEGER HMAC-based key derivation [RFC 5869].
KDF_PBKDF2 4 1 INTEGER Password-based key derivation [PKCS #5].

Used in: CSPKeySupport, CSPKeyDerivationAlgorithms

ASN 6-30: Key: ASN.1 Definition for CSPKeyAgreementScheme
Name Value Size Type Description
KAS_ECKA_DH 1 1 INTEGER ECC Diffie-Hellman key agreement.
KAS_ECKA_EG 2 1 INTEGER ECC ElGamal key agreement.

Used in: CSPAlgorithms, CSPKeySupport

ASN 6-31: Certificate: ASN.1 Definition for CSPCertificateSupport
Tag Length Type Description Presence Default
SEQUENCE 0..8 CSPCertificateSupport 'CSPCertificateSupport': Checks for certificate management support and supported certificate types.
'A0' 0..6 SET OF CSPCertificateType 'certificateTypes': Certificate types, such as CVC or X.509. Implicit encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-32: Certificate: ASN.1 Definition for CSPCertificate
Tag Length Type Description Presence Default
SEQUENCE 3 CSPCertificate 'CSPCertificate': Additional attributes required by certificate resources.
'80' 1 CSPCertificateType 'type': The certificateType of the certificate.

Used in: CSPResourceParams

ASN 6-33: Certificate: ASN.1 Definition for CSPCertificateType
Name Value Size Type Description
CERT_CVC 1 1 INTEGER Card Verifiable Certificate (CVC) according to [TR-03110-3].
CERT_X509 2 1 INTEGER X.509 Certificate according to [ITU-T X.509].

Used in: CSPCertificateSupport, CSPCertificate

ASN 6-34: Password: ASN.1 Definition for CSPPasswordSupport
Tag Length Type Description Presence Default
SEQUENCE 0..17 CSPPasswordSupport 'CSPPasswordSupport': Checks for password support and supported password types.
'A0' 0..15 SET OF CSPPasswordType 'passwordTypes': Password types, such as numbers only or strong with special characters. Implicit encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-35: Password: ASN.1 Definition for CSPPassword
Tag Length Type Description Presence Default
SEQUENCE 3..12 CSPPassword 'CSPPassword': Additional attributes required by password resources.
'80' 1 CSPPasswordType 'type': The passwordType parameter of the password.
'81' 0..1 INTEGER 'minSize': Minimum number of password characters allowed. OPTIONAL 4
'82' 0..1 INTEGER 'maxSize': Maximum number of password characters allowed. OPTIONAL 20
'83' 0..1 INTEGER 'tryLimit': Incorrect password attempts allowed before blocked (disabled if 0xFF). OPTIONAL 255

Used in: CSPResourceParams

ASN 6-36: Password: ASN.1 Definition for CSPPasswordType
Name Value Size Type Description
PWD_ANY 0 1 INTEGER No rules apply on passwords.
PWD_NUMERIC 1 1 INTEGER Only ASCII numbers (e.g., PIN or PUK).
PWD_ALPHANUMERIC 2 1 INTEGER ASCII alphanumeric (0-9, a-z, A-Z).
PWD_UTF8 3 1 INTEGER UTF-8 charset.
PWD_STRONG 4 1 INTEGER UTF-8 charset, min. 1 uppercase, 1 lowercase, 1 number, 1 special.

Used in: CSPPasswordSupport, CSPPassword

ASN 6-37: Counter: ASN.1 Definition for CSPCounterSupport
Tag Length Type Description Presence Default
SEQUENCE 0..51 CSPCounterSupport 'CSPCounterSupport': Checks for counter functionality support and supported counter types.
'A0' 0..9 SET OF CSPCounterMode 'counterModes': Counter operation modes to specify the handling of unsupported counters. Implicit encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A1' 0..21 SET OF CSPCounterType 'counterTypes': Counter types. Implicit encoded as SET OF ENUMERATED:
'A1 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A2' 0..12 SET OF CSPCounterCapacity 'counterCapacitites': Counter capacities. Implicit encoded as SET OF ENUMERATED:
'A2 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'83' 0..1 INTEGER 'largeCounterLimit': Maximum number of counters with large capacity. OPTIONAL

Used in: CSPEnforce

ASN 6-38: Counter: ASN.1 Definition for CSPCounterSettings
Tag Length Type Description Presence Default
SEQUENCE 3 CSPCounterSettings 'CSPCounterSettings': General counter settings for the CSP Instance.
'80' 1 CSPCounterMode 'counterMode': Select counter mode to specify the handling of unavailable counter types.

Used in: CSPSetup, CSPConfiguration

ASN 6-39: Counter: ASN.1 Definition for CSPCounterMode
Name Value Size Type Description
COUNTER_MODE_OFF 0 1 INTEGER Counter functionality is disabled or not available.
COUNTER_MODE_IGNORE 1 1 INTEGER Ignore counters configured if not supported by the platform.
COUNTER_MODE_STRICT 2 1 INTEGER Stop operation if a configured counter is not supported.

Used in: CSPCounterSupport, CSPCounterSettings

ASN 6-40: Counter: ASN.1 Definition for CSPCounterType
Name Value Size Type Description
COUNT_MANUAL 1 1 INTEGER Manual counter invoked by the Client Application.
COUNT_USAGE_PER_BLOCK 2 1 INTEGER Usage counter counting each computation, including each cipher block.
COUNT_USAGE_COMPLETIONS 3 1 INTEGER Usage counter counting complete processes (e.g., only doFinal calls).
COUNT_USAGE_SUCCESS_ONLY 4 1 INTEGER Usage counter counting only successful processes (excluding updates).
COUNT_USAGE_FAILURE_ONLY 5 1 INTEGER Usage counter counting only failed processes (excluding updates).
COUNT_AUTH_USAGE 6 1 INTEGER Password authentication timeout realized as usage counter.
COUNT_TRANSPORT_USAGE 7 1 INTEGER Transport counter (e.g., OTP) for passwords in transport.

Used in: CSPCounterSupport

ASN 6-41: Counter: ASN.1 Definition for CSPCounters
Tag Length Type Description Presence Default
SEQUENCE 0..78 CSPCounters 'CSPCounters': Container for built-in counters that can be configured to a resource.
'A0' 0..11 CSPCounter 'usageCounter': Counter of type COUNT_USAGE. OPTIONAL
'A1' 0..11 CSPCounter 'blockUsageCounter': Counter of type COUNT_USAGE_PER_BLOCK. OPTIONAL
'A2' 0..11 CSPCounter 'successCounter': Counter of type COUNT_USAGE_SUCCESS_ONLY. OPTIONAL
'A3' 0..11 CSPCounter 'failureCounter': Counter of type COUNT_USAGE_FAILURE_ONLY. OPTIONAL
'A4' 0..11 CSPCounter 'authUsageCounter': Counter of type COUNT_AUTH_USAGE. OPTIONAL
'A5' 0..11 CSPCounter 'transportUsageCounter': Counter of type COUNT_TRANSPORT_USAGE. OPTIONAL

Used in: CSPConfigureResource, CSPResource

ASN 6-42: Counter: ASN.1 Definition for CSPCounter
Tag Length Type Description Presence Default
SEQUENCE 0..9 CSPCounter 'CSPCounter': Data structure for a counter configuration.
'80' 0..1 CSPCounterCapacity 'counterCapacity': The structure of the counter defines the max increments supported. OPTIONAL COUNTER_MEDIUM
'81' 0..4 OCTET STRING 'counterLimit': Maximum counter limit before the counter exceeds; is 0 when disabled. OPTIONAL { }

Used in: CSPResourceParams, CSPCounters

ASN 6-43: Counter: ASN.1 Definition for CSPCounterCapacity
Name Value Size Type Description
COUNTER_TINY 1 1 INTEGER Tiny: 1-byte counter supporting 10,000 increments.
COUNTER_SMALL 2 1 INTEGER Small: 2-byte counter supporting 10,000 increments.
COUNTER_MEDIUM 3 1 INTEGER Medium: 4-byte counter supporting 100,000 increments.
COUNTER_LARGE 4 1 INTEGER Large: 4-byte counter supporting 5,000,000 increments.

Used in: CSPCounterSupport, CSPCounter

ASN 6-44: Time: ASN.1 Definition for CSPTimeSupport
Tag Length Type Description Presence Default
SEQUENCE 0..48 CSPTimeSupport 'CSPTimeSupport': Checks for time management support and supported timer types.
'A0' 0..9 SET OF CSPTimeMode 'timeModes': Time operation modes to specify the handling for unsupported time. Implicit encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'81' 0..1 CSPTimeSynchronization 'timeSynchonization': Time synchronization strategies. OPTIONAL
'A2' 0..21 SET OF CSPTimerType 'timerTypes': Timer types, such as validity date or authentication timeout. Implicit encoded as SET OF ENUMERATED:
'A2 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A3' 0..9 SET OF CSPTimeoutType 'timeoutTypes': Timeout types to specify if a timeout timer is refreshed. Implicit encoded as SET OF ENUMERATED:
'A3 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-45: Time: ASN.1 Definition for CSPTimeSettings
Tag Length Type Description Presence Default
SEQUENCE 0..10 CSPTimeSettings 'CSPTimeSettings': General time configuration settings for the CSP Instance.
'80' 0..1 CSPTimeMode 'timeMode': Select time mode to specify the handling of unavailable system time. OPTIONAL TIME_MODE_OFF
'81' 0..1 CSPTimeSynchronization 'timeSynchonization': Configure a strategy to synchronize the reference time. OPTIONAL { }
'82' 0..2 CSPResourceId 'timeVerificationKey': A public key to verify signatures of new timestamps. OPTIONAL

Used in: CSPSetup, CSPConfiguration

ASN 6-46: Time: ASN.1 Definition for CSPTimeMode
Name Value Size Type Description
TIME_MODE_OFF 0 1 INTEGER Time functionality is disabled or not available.
TIME_MODE_IGNORE 1 1 INTEGER Ignore time-related configurations if time is not supported.
TIME_MODE_STRICT 2 1 INTEGER Stop operation if time is not synchronized.

Used in: CSPTimeSupport, CSPTimeSettings

ASN 6-47: Time: ASN.1 Definition for CSPTimeSynchronization
b7 b6 b5 b4 b3 b2 b1 b0 CSPTimeSynchronization
- - - - x x - 1 "TIME_SYNC_FROM_TA": Update the reference time from TA2 certificates during EAC v2.
- - - - x x 1 - "TIME_SYNC_FROM_CLIENT": Permit Client Applications to set the reference time.
- - - 1 x x - - "TIME_SYNC_ENFORCE_NEWER": Accept only newer timestamps.
- - 1 - x x - - "TIME_SYNC_PERSIST": Persist the reference time.
- 1 - - x x - - "TIME_SYNC_VERIFY_SIG": Verify the timestamp signature.
1 - - - x x - - "TIME_SYNC_VERIFY_SIG_WITH_CHALLENGE": Verify the timestamp signature using a challenge generated by CSP.

Used in: CSPTimeSupport, CSPTimeSettings

ASN 6-48: Time: ASN.1 Definition for CSPTimerType
Name Value Size Type Description
TIMER_MANUAL_DATE 1 1 INTEGER Manual timer invoked by the Client Application.
TIMER_MANUAL_PERIOD 2 1 INTEGER Manual timer invoked by the Client Application.
TIMER_VALIDITY_PERIOD 3 1 INTEGER Validity period used to compute (and refresh) the validity date.
TIMER_VALIDITY_DATE 4 1 INTEGER Validity date as specific Unix timestamp.
TIMER_VALIDITY_CERTIFICATE 5 1 INTEGER Validity date extracted from certificates.
TIMER_AUTH_TIMEOUT 6 1 INTEGER Timeout for authenticated passwords.
TIMER_SECURITY_TIMEOUT 7 1 INTEGER Timeout for secure channel service.

Used in: CSPTimeSupport

ASN 6-49: Time: ASN.1 Definition for CSPTimers
Tag Length Type Description Presence Default
SEQUENCE 0..30 CSPTimers 'CSPTimers': Container for built-in timers that can be configured to a resource.
'80' 0..4 CSPDuration 'validityPeriod': Validity period for key or password (TIMER_VALIDITY_PERIOD). OPTIONAL
'81' 0..8 CSPTimestamp 'validityDate': Validity date for key or password (TIMER_VALIDITY_DATE). OPTIONAL
'82' 0..1 BOOLEAN 'validityCertificate': Validity date from certificate (TIMER_VALIDITY_CERTIFICATE). OPTIONAL
'A3' 0..9 CSPTimeout 'authTimeout': Authentication timeout for passwords (TIMER_AUTH_TIMEOUT). OPTIONAL

Used in: CSPConfigureResource, CSPResource

ASN 6-50: Time: ASN.1 Definition for CSPTimestamp
Name Size Type Description
CSPTimestamp 8 OCTET STRING Unix timestamp in seconds as 8-byte signed int (292 billion years >1970).

Used in: CSPSetTime, CSPTimers, CSPManualTimer, CSPEventDataSetTime

ASN 6-51: Time: ASN.1 Definition for CSPDuration
Name Size Type Description
CSPDuration 4 OCTET STRING Duration in seconds, represented as 4-byte signed integer (up to 68 years).

Used in: CSPTimers, CSPManualTimer

ASN 6-52: Time: ASN.1 Definition for CSPTimeout
Tag Length Type Description Presence Default
SEQUENCE 4..7 CSPTimeout 'CSPTimeout': Timeout in seconds, represented as 2-byte signed integer (up to 9 hours).
'80' 2 OCTET STRING 'timeoutValue': Maximum time limit before the timer expires.
'81' 0..1 CSPTimeoutType 'timeoutType': Specifies if the timeout value is re-computed on each resource usage. OPTIONAL TIMEOUT_HARD

Used in: CSPSecureChannelSettings, CSPTimers, CSPManualTimer

ASN 6-53: Time: ASN.1 Definition for CSPTimeoutType
Name Value Size Type Description
TIMEOUT_OFF 0 1 INTEGER Timeout functionality is disabled and/or not available.
TIMEOUT_HARD 1 1 INTEGER Fixed timeout after which the authenticated state is invalidated.
TIMEOUT_SOFT 2 1 INTEGER Dynamic timeout that is refreshed when using the resource.

Used in: CSPTimeSupport, CSPTimeout

ASN 6-54: Time: ASN.1 Definition for CSPManualTimer
Tag Size Type Description Presence
CHOICE CSPManualTimer
'80' 8 CSPTimestamp "expirationDate": The timer has a fixed expiration date. CONDITIONAL
'81' 4 CSPDuration "expirationPerid": Maximum time limit before the timer expires. CONDITIONAL
'A2' 6..9 CSPTimeout "timeoutValue": Specifies if the timer is re-computing the time value on each usage. CONDITIONAL

Used in: CSPResourceParams

ASN 6-55: Audit: ASN.1 Definition for CSPAuditSupport
Tag Length Type Description Presence Default
SEQUENCE 0..133 CSPAuditSupport 'CSPAuditSupport': Checks for secure auditing support and supported events.
'A0' 0..9 SET OF CSPAuditMode 'auditModes': Audit operation modes to specify the handling for unsupported events. Implicit encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A1' 0..18 SET OF CSPSystemEvent 'systemEvents': Event types of category "system event". Implicit encoded as SET OF ENUMERATED:
'A1 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A2' 0..100 SET OF CSPResourceEvent 'resourceEvents': Event types of category "resource event". Implicit encoded as SET OF ENUMERATED:
'A2 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-56: Audit: ASN.1 Definition for CSPAuditSettings
Tag Length Type Description Presence Default
SEQUENCE 0..27 CSPAuditSettings 'CSPAuditSettings': Audit configuration for this CSP Instance.
'80' 0..1 CSPAuditMode 'auditMode': Select audit mode to specify the handling of a full audit event queue. OPTIONAL AUDIT_MODE_OFF
'A1' 0..18 SET OF CSPSystemEvent 'systemEvents': The system events that shall be audited. Implicit encoded as SET OF ENUMERATED:
'A1 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'82' 0..2 CSPResourceId 'auditSigningKey': The key that shall be used to sign the audit log messages. OPTIONAL

Used in: CSPSetup, CSPConfiguration

ASN 6-57: Audit: ASN.1 Definition for CSPAuditMode
Name Value Size Type Description
AUDIT_MODE_OFF 0 1 INTEGER Audit event logging is disabled or not available.
AUDIT_MODE_OVERWRITE 1 1 INTEGER Events that are not fetched will be overwritten if the audit queue is full.
AUDIT_MODE_STRICT 2 1 INTEGER CSP will throw an exception if audit event queue is full.

Used in: CSPAuditSupport, CSPAuditSettings

ASN 6-58: Audit: ASN.1 Definition for CSPSystemEvent
Name Value Size Type Description
EVENT_CSP_START 1 1 INTEGER Startup of the CSP (0x0001).
EVENT_CSP_UPDATE_STARTED 2 1 INTEGER Start of a CSP software update (0x0002).
EVENT_CSP_UPDATE_FINISHED 3 1 INTEGER CSP software update is finished (0x0003).
EVENT_CSP_CONFIG_UPDATED 4 1 INTEGER The CSP configuration is modified (0x0004).
EVENT_CSP_ERROR 5 1 INTEGER An error occurred that was not yet covered by another event (0x0005).
EVENT_CSP_TIME_SET 176 1 INTEGER A new reference time is set (0x00B0).

Used in: CSPAuditSupport, CSPAuditSettings

ASN 6-59: Audit: ASN.1 Definition for CSPResourceEvent
Name Value Size Type Description
EVENT_RESOURCE_CLEARED 4096 2 INTEGER Resource cleared successfully (0x1000).
EVENT_RESOURCE_VALUE_SET 4097 2 INTEGER Resource modified (0x1001).
EVENT_CIPHER_ENCRYPTED 4112 2 INTEGER Data encrypted successfully (0x1010).
EVENT_CIPHER_DECRYPTED 4113 2 INTEGER Data decrypted successfully (0x1011).
EVENT_SIGNATURE_CREATED 4128 2 INTEGER Signature created successfully (0x1020).
EVENT_SIGNATURE_VERIFIED 4129 2 INTEGER Signature verified successfully (0x1021).
EVENT_SIGNATURE_VERIFICATION_FAILED 4130 2 INTEGER Signature verification failed (0x1022).
EVENT_SECURE_CHANNEL_ESTABLISHED 4160 2 INTEGER Secure messaging successfully established (0x1040).
EVENT_SECURE_CHANNEL_AUTHENTICATION_FAILED 4161 2 INTEGER Authentication for secure messaging failed (0x1041).
EVENT_KEY_GENERATED 4208 2 INTEGER Key successfully generated (0x1070).
EVENT_KEY_DERIVED 4209 2 INTEGER Key derived successfully (0x1071).
EVENT_KEY_SHARED_SECRET_COMPUTED 4210 2 INTEGER Successful key agreement (0x1072).
EVENT_PUBLIC_KEY_IMPORTED 4211 2 INTEGER Successfully imported a new public key value (0x1073).
EVENT_CERTIFICATE_IMPORTED 4224 2 INTEGER Successfully imported a new certificate (0x1080).
EVENT_CERTIFICATE_EXPORTED 4225 2 INTEGER Successfully exported a certificate (0x1081).
EVENT_PASSWORD_UPDATED 4240 2 INTEGER Password changed successfully (0x1090).
EVENT_PASSWORD_UPDATE_FAILED 4241 2 INTEGER Changing a password failed (0x1091).
EVENT_PASSWORD_AUTHENTICATED 4242 2 INTEGER Password verified successfully (0x1092).
EVENT_PASSWORD_CHECK_FAILED 4243 2 INTEGER Password mismatch (0x1093).
EVENT_PASSWORD_BLOCKED 4244 2 INTEGER Password is blocked due to too many incorrect password attempts (0x1094).
EVENT_PASSWORD_UNBLOCKED 4245 2 INTEGER A blocked password was unblocked (0x1095).
EVENT_COUNTER_EXHAUSTED 4256 2 INTEGER Resource counter exhausted (0x10B0).
EVENT_TIMER_EXPIRED 4272 2 INTEGER Resource validity date expired (0x10C0).
EVENT_OFFLOAD_IMPORTED 4304 2 INTEGER Resource imported for offloading (0x10D0).
EVENT_OFFLOAD_EXPORTED 4305 2 INTEGER Resource exported for offloading (0x10D1).

Used in: CSPConfigureResource, CSPResource, CSPAuditSupport

ASN 6-60: Audit: ASN.1 Definition for CSPLogMessage
Tag Length Type Description Presence Default
SEQUENCE 3..n CSPLogMessage 'CSPLogMessage': Log message format, computed by the audit.dequeueEvent operation.
'80' 1..2 INTEGER 'eventType': Event type; value can be taken from CSPSystemEvent or CSPResourceEvent.
'A1' 0..n SET OF CSPField 'fieldsAddedAsPrefix': Additional Fields to be included; configured by the CSP Admin. Implicit encoded as SET OF SEQUENCE:
'A1 L'
  '30 L0 V0'
  '30 L1 V1'
  '...'
OPTIONAL
'A2' 0..44 CSPEventData 'eventData': Event-specific log data. Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A2 L'
  'TA LA VA'
OPTIONAL
'83' 0..65536 OCTET STRING 'inputData': Additional input data provided by the Client through audit.dequeueEvent. OPTIONAL
'A4' 0..n SET OF CSPField 'fieldsAddedAsSuffix': Additional Fields to be included; configured by the CSP Admin. OPTIONAL

ASN 6-61: Audit: ASN.1 Definition for CSPEventData
Tag Size Type Description Presence
CHOICE CSPEventData
'A0' 16 CSPEventDataUpdateCSP "updateCSPEvent": Event-specific data for: CSP software update started or has finished. CONDITIONAL
'A1' 42..44 CSPEventDataUpdateConfig "updateConfigEvent": Event-specific data for: Config updated successful. CONDITIONAL
'A2' 22 CSPEventDataSetTime "setTimeEvent": Event-specific data for: Reference time updated. CONDITIONAL
'A3' 6..10 CSPEventDataGeneralError "generalErrorEvent": Event-specific data for: Reference time updated. CONDITIONAL
'A4' 5..6 CSPEventDataResource "generalResourceEvent": Event-specific data for: General resource-specific events. CONDITIONAL
'A5' 8..10 CSPEventDataKeyDerivation "keyDerivationEvent": Event-specific data for: Successful key derivation. CONDITIONAL
'A6' 11..14 CSPEventDataKeyAgreement "keyAgreementEvent": Event-specific data for: Shared secret computed successfully. CONDITIONAL
'A7' 8..9 CSPEventDataPasswordFailure "passwordCheckFailedEvent": Event-specific data for: Password verification failed. CONDITIONAL

Used in: CSPLogMessage

ASN 6-62: Audit: ASN.1 Definition for CSPEventDataUpdateCSP
Tag Length Type Description Presence Default
SEQUENCE 14 CSPEventDataUpdateCSP 'CSPEventDataUpdateCSP': Event-specific data for 'CSP software update started or has finished'.
'80' 2 CSPELFVersion 'oldCSPELFVersion': The cspELFVersion of the CSP ELF before the SW update.
'81' 2 CSPELFVersion 'newCSPELFVersion': The cspELFVersion of the CSP ELF after the SW update.
'82' 1 CSPProtocolVersion 'cspProtocolVersion': The version of the CSP Protocol before the SW update.
'83' 1 CSPProtocolVersion 'newProtocolVersion': The cspProtocolVersion of the CSP Protocol after the SW update.

Used in: CSPEventData

ASN 6-63: Audit: ASN.1 Definition for CSPEventDataUpdateConfig
Tag Length Type Description Presence Default
SEQUENCE 40..42 CSPEventDataUpdateConfig 'CSPEventDataUpdateConfig': Event-specific data for EVENT_CSP_CONFIG_UPDATED: Config updated.
'80' 32 CSPConfigName 'configName': Custom name or identifier set by the CSP Admin via CSPSetup.
'81' 1..2 CSPConfigVersion 'oldConfigVersion': The old configVersion of the CSP Configuration before the update.
'82' 1..2 CSPConfigVersion 'newConfigVersion': The new configVersion of the CSP Configuration after the update.

Used in: CSPEventData

ASN 6-64: Audit: ASN.1 Definition for CSPEventDataSetTime
Tag Length Type Description Presence Default
SEQUENCE 20 CSPEventDataSetTime 'CSPEventDataSetTime': Event-specific data for EVENT_CSP_TIME_SET: Reference time updated.
'80' 8 CSPTimestamp 'oldReferenceTime': The old referenceTime as it was before the update.
'81' 8 CSPTimestamp 'newReferenceTime': The new referenceTime after the update.

Used in: CSPEventData

ASN 6-65: Audit: ASN.1 Definition for CSPEventDataGeneralError
Tag Length Type Description Presence Default
SEQUENCE 4..8 CSPEventDataGeneralError 'CSPEventDataGeneralError': Event-specific data for EVENT_CSP_ERROR: An exception occurred.
'80' 2 OCTET STRING 'reason': Contains the reason of the exception that occurred.
'81' 0..2 CSPResourceId 'resourceId': A resource ID involved in the error (if available). OPTIONAL

Used in: CSPEventData

ASN 6-66: Audit: ASN.1 Definition for CSPEventDataResource
Tag Length Type Description Presence Default
SEQUENCE 3..4 CSPEventDataResource 'CSPEventDataResource': Event-specific data for general resource-specific events.
'80' 1..2 CSPResourceId 'resourceId': The identifier of the resource that triggered this event.

Used in: CSPEventData

ASN 6-67: Audit: ASN.1 Definition for CSPEventDataKeyDerivation
Tag Length Type Description Presence Default
SEQUENCE 6..8 CSPEventDataKeyDerivation 'CSPEventDataKeyDerivation': Event-specific data for EVENT_KEY_DERIVED: Successful key derivation.
'80' 1..2 CSPResourceId 'sourceResourceId': The source resource for key derivation.
'81' 1..2 CSPResourceId 'destResourceId': The target resource where the result is stored.

Used in: CSPEventData

ASN 6-68: Audit: ASN.1 Definition for CSPEventDataKeyAgreement
Tag Length Type Description Presence Default
SEQUENCE 9..12 CSPEventDataKeyAgreement 'CSPEventDataKeyAgreement': Event-specific data for EVENT_KEY_SHARED_SECRET_COMPUTED: Key agreement.
'80' 1..2 CSPResourceId 'privateKeyId': The local or remote private key.
'81' 1..2 CSPResourceId 'publicKeyId': The local or remote public key.
'82' 1..2 CSPResourceId 'sharedSecretId': The resource ID of the destination shared secret.

Used in: CSPEventData

ASN 6-69: Audit: ASN.1 Definition for CSPEventDataPasswordFailure
Tag Length Type Description Presence Default
SEQUENCE 6..7 CSPEventDataPasswordFailure 'CSPEventDataPasswordFailure': Event-specific data for EVENT_PASSWORD_CHECK_FAILED: Verification failed.
'80' 1..2 CSPResourceId 'resourceId': The identifier of the resource that triggered this event.
'81' 1 INTEGER 'tryCounter': The remaining try counter value.

Used in: CSPEventData
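
Added example (not part of the specification): a Python decoder for CSPLogMessage records that follows the explicit 'A2' wrapper into the CSPEventData alternatives defined above and checks that the alternative matches the event type. It assumes BER-TLV with single-byte tags, '30' as the outer SEQUENCE tag, unsigned eventType values (EVENT_CSP_TIME_SET is 176 in one byte) and integer resource IDs; the sample records are constructed.

```python
# Added example: CSPLogMessage decoder. Assumes BER-TLV, single-byte tags,
# SEQUENCE tag 0x30, unsigned eventType, integer resource IDs.

EVENTS = {  # subset of the CSPSystemEvent / CSPResourceEvent tables
    0x00B0: "EVENT_CSP_TIME_SET",
    0x1093: "EVENT_PASSWORD_CHECK_FAILED",
}

# CSPEventData CHOICE tag -> (alternative name, {field tag: (field name, signed?)})
EVENT_DATA = {
    0xA2: ("setTimeEvent", {0x80: ("oldReferenceTime", True),
                            0x81: ("newReferenceTime", True)}),
    0xA4: ("generalResourceEvent", {0x80: ("resourceId", False)}),
    0xA7: ("passwordCheckFailedEvent", {0x80: ("resourceId", False),
                                        0x81: ("tryCounter", False)}),
}

# Event codes whose definition names one specific CSPEventData alternative.
EXPECTED_CHOICE = {0x00B0: 0xA2, 0x1093: 0xA7}
# Elements kept as raw hex: CSPField lists and client-supplied inputData.
RAW = {0xA1: "fieldsAddedAsPrefix", 0x83: "inputData", 0xA4: "fieldsAddedAsSuffix"}


def read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not expected in these structures")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F  # long form: inputData may need up to 3 length bytes
        if not 1 <= n <= 3 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def read_all(buf):
    """Split a constructed value into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        items.append((tag, value))
    return items


def decode_event_data(wrapper):
    """Decode the explicit 'A2' wrapper: exactly one 'TA LA VA' alternative."""
    children = read_all(wrapper)
    if len(children) != 1:
        raise ValueError("eventData must contain exactly one CHOICE alternative")
    tag, body = children[0]
    if tag not in EVENT_DATA:
        return {"tag": tag, "choice": "unknown", "raw": body.hex()}
    name, fields = EVENT_DATA[tag]
    out = {"tag": tag, "choice": name}
    for ftag, fval in read_all(body):
        if ftag not in fields:
            raise ValueError(f"unexpected field 0x{ftag:02X} in {name}")
        fname, signed = fields[ftag]
        out[fname] = int.from_bytes(fval, "big", signed=signed)
    return out


def decode_log_message(record):
    """Decode one CSPLogMessage and check eventData against eventType."""
    tag, body, end = read_tlv(record, 0)
    if tag != 0x30 or end != len(record):
        raise ValueError("expected a single SEQUENCE with no trailing bytes")
    msg, code = {}, None
    for t, v in read_all(body):
        if t == 0x80 and 1 <= len(v) <= 2:
            code = int.from_bytes(v, "big")  # 0xB0 is 176, not a negative value
            msg["eventType"] = EVENTS.get(code, f"0x{code:04X}")
        elif t == 0xA2:
            msg["eventData"] = decode_event_data(v)
        elif t in RAW:
            msg[RAW[t]] = v.hex()
        else:
            raise ValueError(f"unexpected element 0x{t:02X} in CSPLogMessage")
    if code is None:
        raise ValueError("mandatory eventType is missing")
    expected = EXPECTED_CHOICE.get(code)
    actual = msg.get("eventData", {}).get("tag")
    msg["choiceMatchesEvent"] = expected is None or actual in (None, expected)
    return msg


# Constructed sample records (not captured from a device).
SAMPLE_PASSWORD_FAILURE = bytes.fromhex("300e80021093a208a706800105810102")
SAMPLE_TIME_SET = bytes.fromhex(
    "301b8001b0a216a2148008000000006553f1008108000000006553ff10")
SAMPLE_MISMATCH = bytes.fromhex("300b80021093a205a403800105")
```

A record whose choiceMatchesEvent is False pairs an event type with a different event-data alternative than its definition names; such records are worth setting aside for review rather than silently parsing.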

ASN 6-70: Access: ASN.1 Definition for CSPFieldSupport
Tag Length Type Description Presence Default
SEQUENCE 0..60 CSPFieldSupport 'CSPFieldSupport': Checks for signing field functionality support.
'A0' 0..9 SET OF CSPFieldMode 'fieldModes': CSP handling modes of how to handle signature fields. Implicit encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A1' 0..39 SET OF CSPFieldType 'fieldTypes': Signature fields to be added to log messages and attestation data. Implicit encoded as SET OF ENUMERATED:
'A1 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A2' 0..6 SET OF CSPFieldSource 'fieldSources': Available data sources for fields. Implicit encoded as SET OF ENUMERATED:
'A2 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-71: Audit: ASN.1 Definition for CSPFieldSettings
Tag Length Type Description Presence Default
SEQUENCE 0..3 CSPFieldSettings 'CSPFieldSettings': Field configuration for this CSP Instance.
'80' 0..1 CSPFieldMode 'fieldMode': Select the mode for handling unsupported fields. OPTIONAL FIELD_MODE_OFF

Used in: CSPSetup, CSPConfiguration

ASN 6-72: Signature: ASN.1 Definition for CSPFieldMode
Name Value Size Type Description
FIELD_MODE_OFF 0 1 INTEGER Fields are disabled or not available.
FIELD_MODE_IGNORE 1 1 INTEGER Ignore field configurations that are not supported by the platform.
FIELD_MODE_STRICT 2 1 INTEGER Stop operation if a configured field is not supported.

Used in: CSPFieldSupport, CSPFieldSettings

ASN 6-73a: Signature: ASN.1 Definition for CSPField
Tag Length Type Description Presence Default
SEQUENCE 6..7 CSPField 'CSPField': Structure to configure a field for attestation data or log messages.
'80' 1 CSPFieldType 'field': Type of the data field.
'A1' 1..2 CSPSource 'source': Source from which the data is taken for the field. Encoded using explicit tagging where 'TA' is the type of the chosen CHOICE alternative:
'A1 L'
  'TA LA VA'

Used in: CSPAttestationAlgorithms, CSPSignedConfigData, CSPSignedData, CSPPopData, CSPLogMessage

ASN 6-73b: Signature: ASN.1 Definition for CSPSource
Tag Size Type Description Presence
CHOICE CSPSource
'80' 1 CSPFieldSource "fieldSource": Type of the source, e.g., signing key or event trigger resource. CONDITIONAL
'81' 1..2 CSPResourceId "resourceId": A specific resource used as the data source. CONDITIONAL

Used in: CSPField

ASN 6-74: Signature: ASN.1 Definition for CSPFieldType
Name Value Size Type Description
FIELD_SYSTEM_TIME 1 1 INTEGER Estimated system time as Unix timestamp in seconds, 8 bytes.
FIELD_TIME_SINCE_BOOT 2 1 INTEGER The time since boot in seconds, 4 bytes.
FIELD_REFERENCE_TIME 3 1 INTEGER The reference time set by CSP Admin or CSP Client.
FIELD_USAGE_COUNTER 4 1 INTEGER The value of a resource usage counter.
FIELD_CSP_CONFIG_VERSION 5 1 INTEGER The version of the CSP Configuration set by the CSP Admin.
FIELD_CSP_PROTOCOL_VERSION 6 1 INTEGER The version of the CSP Protocol of the platform.
FIELD_CSP_ELF_VERSION 7 1 INTEGER The version of the CSP ELF.
FIELD_RESOURCE_STATE 8 1 INTEGER The resource state.
FIELD_PUBKEY 9 1 INTEGER The value of a public key.
FIELD_MANUAL_COUNTER 10 1 INTEGER The value of a manual counter.
FIELD_MANUAL_COUNTER_LIMIT 11 1 INTEGER The limit set to a manual counter.
FIELD_MANUAL_TIMER 12 1 INTEGER The value of a manual timer.
FIELD_MANUAL_TIMER_LIMIT 13 1 INTEGER The limit of a manual timer.

Used in: CSPFieldSupport, CSPField, CSPFieldValue

ASN 6-75: Signature: ASN.1 Definition for CSPFieldSource
Name Value Size Type Description
DEFAULT_SOURCE 0 1 INTEGER System data or, if a resource is required, the signing key resource.
EVENT_SOURCE 1 1 INTEGER The resource that triggered the audit event.

Used in: CSPFieldSupport, CSPSource

ASN 6-76: Signature: ASN.1 Definition for CSPFieldValue
Tag Length Type Description Presence Default
SEQUENCE 5..65548 CSPFieldValue 'CSPFieldValue': The concrete value of a data field added to data before it is signed.
'80' 1 CSPFieldType 'field': Type of the data field.
'81' 0..2 CSPResourceId 'resourceId': The resource used as the data source. OPTIONAL
'82' 0..65536 OCTET STRING 'fieldValue': The value of the field.

ASN 6-77: Access: ASN.1 Definition for CSPPolicySupport
Tag Length Type Description Presence Default
SEQUENCE 0..34 CSPPolicySupport 'CSPPolicySupport': Supported policy features.
'A0' 0..9 SET OF CSPPolicyMode 'policyModes': Policy operation modes to specify the handling of unsupported policies. Implicit encoded as SET OF ENUMERATED:
'A0 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL
'A1' 0..21 SET OF CSPPolicyType 'policyTypes': Policy types, e.g., require an authenticated password to allow cipher. Implicit encoded as SET OF ENUMERATED:
'A1 L'
  '0A L0 V0'
  '0A L1 V1'
  '...'
OPTIONAL

Used in: CSPEnforce

ASN 6-78: Access: ASN.1 Definition for CSPPolicySettings
Tag Length Type Description Presence Default
SEQUENCE 3 CSPPolicySettings 'CSPPolicySettings': General policy settings for the CSP Instance.
'80' 1 CSPPolicyMode 'policyMode': Select policy mode to specify the handling of unavailable counter types.

Used in: CSPSetup, CSPConfiguration

ASN 6-79: Access: ASN.1 Definition for CSPPolicyMode
Name Value Size Type Description
POLICY_MODE_OFF 0 1 INTEGER Policy evaluation is disabled or not available.
POLICY_MODE_IGNORE_UNSUPPORTED 1 1 INTEGER Ignore policy configurations that are not supported by the platform.
POLICY_MODE_STRICT 2 1 INTEGER Stop operation if a configured policy is not supported.

Used in: CSPPolicySupport, CSPPolicySettings

ASN 6-80: Access: ASN.1 Definition for CSPPolicy
Tag Length Type Description Presence Default
SEQUENCE 6..17 CSPPolicy 'CSPPolicy': Structure to configure advanced access rules for a resource.
'80' 1 CSPPolicyType 'policyType': The additional condition that needs to be checked.
'81' 1..2 CSPResourceId 'constrainingResourceId': The associated resource that is evaluated for the policy.
'82' 0..8 OCTET STRING 'additionalData': Policy specific data, e.g., required TA access rights. OPTIONAL

Used in: CSPAccessControl

ASN 6-81: Access: ASN.1 Definition for CSPPolicyType
Name Value Size Type Description
POLICY_KEYPAIR 1 1 INTEGER The public key provided must be associated to the private key.
POLICY_SECCHANNEL_ESTABLISHED 2 1 INTEGER An associated secure channel must be fully established.
POLICY_PASSWORD 3 1 INTEGER An associated password must be authenticated.
POLICY_UNBLOCK_PASSWORD 4 1 INTEGER The PUK used to unblock a password must be associated to the password.
POLICY_PRE_BLOCKED 5 1 INTEGER A password with tryCounter=1 requires an associated CAN authenticated.
POLICY_TA2_ACCESS_FLAG 6 1 INTEGER A specific access flag must be present in sec channel TA2 certificates.
POLICY_ASSOCIATION 7 1 INTEGER The second resource involved must be associated to the main resource.

Used in: CSPPolicySupport, CSPPolicy