diff --git a/33128/r19/TS33128Payloads.asn b/33128/r19/TS33128Payloads.asn index 647a36dadbdfb601f85cf673d697c65f2e15d6c4..182730dd56a2edfa117ed2ec9770afb9e88eba21 100644 --- a/33128/r19/TS33128Payloads.asn +++ b/33128/r19/TS33128Payloads.asn @@ -1245,7 +1245,8 @@ AKMAAFID ::= SEQUENCE UAStarParams ::= CHOICE { tls12 [1] TLS12UAStarParams, - generic [2] GenericUAStarParams + generic [2] GenericUAStarParams, + tls13 [3] TLS13UAStarParams } GenericUAStarParams ::= SEQUENCE @@ -1301,6 +1302,264 @@ TLS12UAStarParams ::= SEQUENCE tLSClientExtensions [19] OCTET STRING (SIZE(0..65535)) OPTIONAL } +-- ================================================== +-- Specific UaStarParams for TLS 1.3 (RFC8446) +-- Inline references below are to clauses of RFC8446. +-- ================================================== + +-- RFC8846, clause 4.2: Available handshake extension types. + +TLS13ExtensionType ::= ENUMERATED +{ + serverName(1), + maxFragmentLength(2), + statusRequest(3), + supportedGroups(4), + signatureAlgorithms(5), + useSRTP(6), + heartbeat(7), + applicationLayerProtocolNegotiation(8), + signedCertificateTimestamp(9), + clientCertificateType(10), + serverCertificateType(11), + padding(12), + presharedKey(13), + earlyData(14), + supportedVersions(15), + cookie(16), + pSKKeyExchangeModes(17), + certificateAuthorities(18), + oIDFilters(19), + postHandshakeAuth(20), + signatureAlgorithmsCert(21), + keyShare(22) +} + +-- RFC8846, clause 4.2: Extensions. +-- Carried as extension to the client's and server's +-- Hello, or, in the server's EncryptedExtensions message. +TLS13Extension ::= SEQUENCE +{ + extensionType [1] TLS13ExtensionType, + extensionData [2] OCTET STRING (SIZE(0..65535)) +} + + +-- RFC8446, clauses 4.1, 4.2, 7.1, and B.4: Cryptographic transforms + +-- RFC8446, clauses 4.1.1 and 4.1.2: Ciphersuite +TLS13CipherSuite ::= CHOICE +{ + rfc8446 [1] TLSCipherSuite + -- Extensible for possible future purposes +} + +-- RFC8446, clause 7.1 and B.4: Key derivation function. +TLS13KDFAlgorithm ::= ENUMERATED +{ + rfc5869(1) -- HKDF +} + +-- RFC8846, clause 4.2.11 and B.4: Hash algorithm. +TLS13PSKHashAlgorithm ::= ENUMERATED +{ + sha256(1), + sha384(2), + sha512(3) +} + + +-- RFC8446, clause 4.4.2: Certificates. + +TLS13CertificateType ::= ENUMERATED +{ + x509(1), + rawPublicKey(2) +} + +TLS13CerificateEntry ::= SEQUENCE +{ + tLSCertificateType [1] TLS13CertificateType, + tLSCertificateData [2] OCTET STRING (SIZE(1..16777215)), + extensions [3] SEQUENCE OF TLS13Extension OPTIONAL +} + +-- This will typically correspond to a certificate chain. +TLS13Certificate ::= SEQUENCE +{ + tLSCertificateRequestContext [1] OCTET STRING (SIZE(0..255)), + tLSCertificateList [2] SEQUENCE OF TLS13CerificateEntry +} + + +-- RFC 8446, clause 4.2.9: Preshared key exchange mode. +TLS13PSKKeyExchangeMode ::= ENUMERATED +{ + pSKKE(1), + pSKDHEKE(2) +} + +-- RFC8446, clause 4.2.11: Preshared keys (PSKs). +-- PSKs obtained from AKMA use a specific prefix as part +-- of the identity: 3GPP-AKMA, see TS 33.535 and 33.222. +TLS13PSKIdentity ::= SEQUENCE +{ + identity [1] OCTET STRING (SIZE(1..65535)), + obfuscatedTicketAge [2] INTEGER (0..4294967295) +} + +TLS13OfferedPSK ::= SEQUENCE +{ + identity [1] TLS13PSKIdentity, + binder [2] OCTET STRING (SIZE(32..255)) +} + +-- Actual TLS PSK, either explicitly provisioned or derived from +-- an earlier issued TLS ticket and a resumptionMasterSecret. +-- For AKMA, the PSK is the AKMA key K_AF. +TLS13PSKInfo ::= SEQUENCE +{ + pSKIdentity [1] TLS13PSKIdentity, + pSKValue [2] OCTET STRING, + pSKKeyExchangeMode [3] TLS13PSKKeyExchangeMode, + hashAlgorithm [4] TLS13PSKHashAlgorithm +} + + + +-- RFC 8446, clause 4.6.1: Tickets/resumption info. + +TLS13NewSessionTicket ::= SEQUENCE +{ + ticketLifeTime [1] INTEGER (0..4294967295), + ticketAgeAdd [2] INTEGER (0..4294967295), + ticketNonce [3] OCTET STRING (SIZE(0..255)), + ticket [4] OCTET STRING (SIZE(1..65535)), + extensions [5] SEQUENCE OF TLS13Extension OPTIONAL +} + + + +-- RFC8446, clause 7.1 and 4.2.8: TLS-internal keys +-- These keys/secrets are never directly used to encrypt +-- data, and are therefore optional to provide as part of +-- TLS13UAStarParams. + +-- RFC8446, clause 4.2.8 +-- Shared Diffie-Hellman secret: derived from client's +-- and server's key shares (as included in extensions). +-- Can later be extended by adding PQC-based secrets, +-- see e.g. draft-ietf-tls-hybrid-design-10. +TLS13EstablishedSecrets ::= SEQUENCE +{ + dHE [1] OCTET STRING (SIZE(1..65535)) OPTIONAL +} + + +-- RFC8446, clause 7.1 +-- The actual encryption keys are derived from the respective secret +-- values below and the provided hashed handshake-message-transcript. +TLS13EarlySecretInfo ::= SEQUENCE +{ + earlySecretValue [1] OCTET STRING (SIZE(1..65535)), + transcriptHash [2] OCTET STRING (SIZE(1..65535)) + -- Hash(ClientHello) +} + +TLS13HandshakeSecretInfo ::= SEQUENCE +{ + handshakeSecretValue [1] OCTET STRING (SIZE(1..65535)), + transcriptHash [2] OCTET STRING (SIZE(1..65535)) + -- Hash(ClientHello..ServerHello) +} + +TLS13MasterSecretInfo ::= SEQUENCE +{ + masterSecretValue [1] OCTET STRING (SIZE(1..65535)), + transcriptHashS [2] OCTET STRING (SIZE(1..65535)), + -- Hash(ClientHello..server Finished) + transcriptHashC [3] OCTET STRING (SIZE(1..65535)) + -- Hash(ClientHello..client Finished) +} + + +-- Complete TLS 1.3 cryptographic context. + +TLS13UAStarParams ::= SEQUENCE +{ + -- Basic cryptographic information. + -- + -- The offeredPSKs, offeredPSKModes and selectedPSK + -- parameters are also provided as part of client and + -- server extensions below. + -- + -- PSKs and key exchange modes offered by the client, see + -- clause 4.2.9, 4.2.11. When AKMA (or other CSP-provided) + -- keys are used, at least one offered PSK and key exchange mode + -- will always be present in the client extensions + offeredPSKs [1] SEQUENCE OF TLS13OfferedPSK, + offeredPSKKeyExchangeModes [2] SEQUENCE OF TLS13PSKKeyExchangeMode, + -- The server-selected PSK, clause 4.2.11 + -- selectedPSKIdentity = j means the server selects j:th offered PSK. + selectedPSKIdentity [3] INTEGER (0..65535), + -- The actual TLS PSK. When AKMA is used, this key will typically also + -- be provided as an associated AFKeyInfo IRI, see below. + selectedPSK [4] TLS13PSKInfo, + -- Cryptographic state: transforms and sequence numbers. + kDFAlgorithm [5] TLS13KDFAlgorithm, -- clause 7.1. + clientSupportedCipherSuites [6] SEQUENCE OF TLS13CipherSuite OPTIONAL, + selectedCipherSuite [7] TLS13CipherSuite, -- clause 4.2 and B.4. + clientSequenceNumber [8] INTEGER, -- clause 5.3 + serverSequenceNumber [9] INTEGER, -- clause 5.3 + -- Handshake parameters, clause 4.1.2 and 4.1.3. + clientRandom [10] OCTET STRING (SIZE(32)), + serverRandom [11] OCTET STRING (SIZE(32)), + legacySessionID [12] OCTET STRING (SIZE(0..32)), + -- Complete contents of handshake extensions, clause 4.2. + tLSClientHelloExtensions [13] SEQUENCE OF TLS13Extension, + tLSServerHelloExtensions [14] SEQUENCE OF TLS13Extension, + -- Encrypted server extensions, clause 4.3.1 (here provided in plaintext). + tLSPlaintextEncryptedExtensions [15] SEQUENCE OF TLS13Extension OPTIONAL, + -- Authentication related parameters, clause 4.4 + -- Certificates are encrypted between client and server, + -- these are the unencrypted certificate(s). + tLSPlaintextClientCertificate [16] TLS13Certificate OPTIONAL, + tLSPlaintextServerCertificate [17] TLS13Certificate OPTIONAL, + -- Session key information fields, clause 7.1 + earlySecret [18] TLS13EarlySecretInfo OPTIONAL, + binderKey [19] OCTET STRING (SIZE(1..65535)) OPTIONAL, + -- The key used by the cipher suite to encrypt early data is + -- derived from clientEarlyTrafficSecret as described in clause 7.3. + clientEarlyTrafficSecret [20] OCTET STRING (SIZE(1..65535)), + earlyExporterMasterSecret [21] OCTET STRING (SIZE(1..65535)), + -- Established shared key (from Diffie-Hellman or similar). + sharedKey [22] TLS13EstablishedSecrets OPTIONAL, + handshakeSecret [23] TLS13HandshakeSecretInfo OPTIONAL, + -- The keys used by the cipher suite to encrypt the handshake are + -- derived from client- and serverHandshakeTrafficSecret as + -- described in clause 7.3. + clientHandshakeTrafficSecret [24] OCTET STRING (SIZE(1..65535)), + serverHandshakeTrafficSecret [25] OCTET STRING (SIZE(1..65535)), + masterSecret [26] TLS13MasterSecretInfo OPTIONAL, + -- The client and server application traffic secrets + -- can change value during an ongoing session due to + -- KeyUdpateRequest messages. The values to be provided below + -- refer to the currently valid ones when the IRI message is + -- generated. + -- The keys used by the cipher suite to encrypt the application + -- traffic are derived from client- and serverApplicationTrafficSecret + -- as described in clause 7.3. + clientApplicationTrafficSecret [27] OCTET STRING (SIZE(1..65535)), + serverApplicationTrafficSecret [28] OCTET STRING (SIZE(1..65535)), + -- Other session-specific keys. + exporterMasterSecret [29] OCTET STRING (SIZE(1..65535)), + resumptionMasterSecret [30] OCTET STRING (SIZE(1..65535)), + -- Tickets for resumption (issued during current session), clause 4.6.2. + tLSResumptionTickets [31] SEQUENCE OF TLS13NewSessionTicket OPTIONAL +} + + + KAF ::= OCTET STRING KAKMA ::= OCTET STRING