pyasn1-alt-modules 0.4.5__py3-none-any.whl → 0.4.6__py3-none-any.whl

pyasn1_alt_modules/rfc9608.py

@@ -3,7 +3,7 @@
 #
 # Created by Russ Housley.
 #
-# Copyright (c) 2024, Vigil Security, LLC
+# Copyright (c) 2024-2025, Vigil Security, LLC
 # License: http://vigilsec.com/pyasn1-alt-modules-license.txt
 #
 # The noRevAvail Certificate Extension

pyasn1_alt_modules/rfc9629.py

@@ -3,7 +3,7 @@
 #
 # Created by Russ Housley with some help from by asn1ate v.0.6.0.
 #
-# Copyright (c) 2023-2024, Vigil Security, LLC
+# Copyright (c) 2023-2025, Vigil Security, LLC
 # License: http://vigilsec.com/pyasn1-alt-modules-license.txt
 #
 # CMS KEMRecipientInfo

pyasn1_alt_modules/rfc9654.py

@@ -5,7 +5,7 @@
 # Modified by Russ Housley to include size constraints for the nonce (RFC 8954).
 # Modified by Russ Housley to adjust size constraints for the nonce (RFC 9654).
 #
-# Copyright (c) 2019-2024, Vigil Security, LLC
+# Copyright (c) 2019-2025, Vigil Security, LLC
 # License: http://vigilsec.com/pyasn1-alt-modules-license.txt
 #
 # Online Certificate Status Protocol (OCSP)

pyasn1_alt_modules/rfc9688.py

@@ -0,0 +1,297 @@
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley
+# Modified by Russ Housley to import items related to KDF2 and KDF3 from
+#   rfc5990, which makes the algorithmIdentifierMap update more simple.
+#
+# Copyright (c) 2024-2025, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# Use of the SHA3 One-way Hash Functions in the CMS
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc9688.txt
+
+from pyasn1.type import univ
+
+from pyasn1_alt_modules import rfc3279
+from pyasn1_alt_modules import rfc5280
+from pyasn1_alt_modules import rfc5990
+
+from pyasn1_alt_modules import opentypemap
+
+algorithmIdentifierMap = opentypemap.get('algorithmIdentifierMap')
+
+smimeCapabilityMap = opentypemap.get('smimeCapabilityMap')
+
+
+# Imports from RFC 3279
+
+rsaEncryption = rfc3279.rsaEncryption
+
+RSAPublicKey = rfc3279.RSAPublicKey
+
+ECPoint = rfc3279.ECPoint
+
+ECDSA_Sig_Value = rfc3279.ECDSA_Sig_Value
+
+
+# Imports from RFC 5280
+
+AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
+
+
+# Imports from RFC 5990
+
+x9_44 = rfc5990.x9_44
+
+x9_44_components = rfc5990.x9_44_components
+
+id_kdf_kdf2 = rfc5990.id_kdf_kdf2
+
+id_kdf_kdf3 = rfc5990.id_kdf_kdf3
+
+KDF2_HashFunction = rfc5990.KDF2_HashFunction
+
+KDF3_HashFunction = rfc5990.KDF3_HashFunction
+
+KeyDerivationFunction = rfc5990.KeyDerivationFunction
+
+
+# OID  arcs
+
+nistAlgorithm = univ.ObjectIdentifier('2.16.840.1.101.3.4')
+
+hashAlgs = nistAlgorithm + (2, )
+
+sigAlgs = nistAlgorithm + (3, )
+
+id_alg = univ.ObjectIdentifier('1.2.840.113549.1.9.16.3')
+
+
+# SHA3 Hash Algorithms
+
+id_sha3_224 = hashAlgs + (7, )
+
+id_sha3_256 = hashAlgs + (8, )
+
+id_sha3_384 = hashAlgs + (9, )
+
+id_sha3_512 = hashAlgs + (10, )
+
+mda_sha3_224 = rfc5280.AlgorithmIdentifier()
+mda_sha3_224['algorithm'] = id_sha3_224
+# mda_id_sha3_224['parameters'] is absent
+
+mda_sha3_256 = rfc5280.AlgorithmIdentifier()
+mda_sha3_256['algorithm'] = id_sha3_256
+# mda_id_sha3_256['parameters'] is absent
+
+mda_sha3_384 = rfc5280.AlgorithmIdentifier()
+mda_sha3_384['algorithm'] = id_sha3_384
+# mda_id_sha3_384['parameters'] is absent
+
+mda_sha3_512 = rfc5280.AlgorithmIdentifier()
+mda_sha3_512['algorithm'] = id_sha3_512
+# mda_id_sha3_512['parameters'] is absent
+
+class HashAlgorithm(AlgorithmIdentifier):
+    pass
+
+
+# RSASSA PKCS#1 v1.5 with SHA3
+
+id_rsassa_pkcs1_v1_5_with_sha3_224 = sigAlgs + (13, )
+
+id_rsassa_pkcs1_v1_5_with_sha3_256 = sigAlgs + (14, )
+
+id_rsassa_pkcs1_v1_5_with_sha3_384 = sigAlgs + (15, )
+
+id_rsassa_pkcs1_v1_5_with_sha3_512 = sigAlgs + (16, )
+      
+sa_rsassa_pkcs1_v1_5_with_sha3_224 = rfc5280.AlgorithmIdentifier()
+sa_rsassa_pkcs1_v1_5_with_sha3_224['algorithm'] = id_rsassa_pkcs1_v1_5_with_sha3_224
+sa_rsassa_pkcs1_v1_5_with_sha3_224['parameters'] = univ.Null('')
+
+sa_rsassa_pkcs1_v1_5_with_sha3_256 = rfc5280.AlgorithmIdentifier()
+sa_rsassa_pkcs1_v1_5_with_sha3_256['algorithm'] = id_rsassa_pkcs1_v1_5_with_sha3_256
+sa_rsassa_pkcs1_v1_5_with_sha3_256['parameters'] = univ.Null('')
+
+sa_rsassa_pkcs1_v1_5_with_sha3_384 = rfc5280.AlgorithmIdentifier()
+sa_rsassa_pkcs1_v1_5_with_sha3_384['algorithm'] = id_rsassa_pkcs1_v1_5_with_sha3_384
+sa_rsassa_pkcs1_v1_5_with_sha3_384['parameters'] = univ.Null('')
+
+sa_rsassa_pkcs1_v1_5_with_sha3_512 = rfc5280.AlgorithmIdentifier()
+sa_rsassa_pkcs1_v1_5_with_sha3_512['algorithm'] = id_rsassa_pkcs1_v1_5_with_sha3_512
+sa_rsassa_pkcs1_v1_5_with_sha3_512['parameters'] = univ.Null('')
+
+pk_rsassa_pkcs1_v1_5_with_sha3_224 = rfc5280.SubjectPublicKeyInfo()
+pk_rsassa_pkcs1_v1_5_with_sha3_224['algorithm'] = sa_rsassa_pkcs1_v1_5_with_sha3_224
+# pk_rsassa_pkcs1_v1_5_with_sha3_224['subjectPublicKey'] is DER-encoded RSAPublicKey
+
+pk_rsassa_pkcs1_v1_5_with_sha3_256 = rfc5280.SubjectPublicKeyInfo()
+pk_rsassa_pkcs1_v1_5_with_sha3_256['algorithm'] = sa_rsassa_pkcs1_v1_5_with_sha3_256
+# pk_rsassa_pkcs1_v1_5_with_sha3_256['subjectPublicKey'] is DER-encoded RSAPublicKey
+
+pk_rsassa_pkcs1_v1_5_with_sha3_384 = rfc5280.SubjectPublicKeyInfo()
+pk_rsassa_pkcs1_v1_5_with_sha3_384['algorithm'] = sa_rsassa_pkcs1_v1_5_with_sha3_384
+# pk_rsassa_pkcs1_v1_5_with_sha3_384['subjectPublicKey'] is DER-encoded RSAPublicKey
+
+pk_rsassa_pkcs1_v1_5_with_sha3_512 = rfc5280.SubjectPublicKeyInfo()
+pk_rsassa_pkcs1_v1_5_with_sha3_512['algorithm'] = sa_rsassa_pkcs1_v1_5_with_sha3_512
+# pk_rsassa_pkcs1_v1_5_with_sha3_512['subjectPublicKey'] is DER-encoded RSAPublicKey
+
+
+# ECDSA with SHA3
+
+id_ecdsa_with_sha3_224 = sigAlgs + (9, )
+
+id_ecdsa_with_sha3_256 = sigAlgs + (10, )
+
+id_ecdsa_with_sha3_384 = sigAlgs + (11, )
+
+id_ecdsa_with_sha3_512 = sigAlgs + (12, )
+
+sa_ecdsa_with_sha3_224 = rfc5280.AlgorithmIdentifier()
+sa_ecdsa_with_sha3_224['algorithm'] = id_ecdsa_with_sha3_224
+# sa_ecdsa_with_sha3_224['parameters'] is absent
+
+sa_ecdsa_with_sha3_256 = rfc5280.AlgorithmIdentifier()
+sa_ecdsa_with_sha3_256['algorithm'] = id_ecdsa_with_sha3_256
+# sa_ecdsa_with_sha3_256['parameters'] is absent
+
+sa_ecdsa_with_sha3_384 = rfc5280.AlgorithmIdentifier()
+sa_ecdsa_with_sha3_384['algorithm'] = id_ecdsa_with_sha3_384
+# sa_ecdsa_with_sha3_384['parameters'] is absent
+
+sa_ecdsa_with_sha3_512 = rfc5280.AlgorithmIdentifier()
+sa_ecdsa_with_sha3_512['algorithm'] = id_ecdsa_with_sha3_512
+# sa_ecdsa_with_sha3_512['parameters'] is absent
+
+pk_ecdsa_with_sha3_224 = rfc5280.SubjectPublicKeyInfo()
+pk_ecdsa_with_sha3_224['algorithm'] = sa_ecdsa_with_sha3_224
+# pk_ecdsa_with_sha3_224['subjectPublicKey'] is DER-encoded ECPoint
+
+pk_ecdsa_with_sha3_256 = rfc5280.SubjectPublicKeyInfo()
+pk_ecdsa_with_sha3_256['algorithm'] = sa_ecdsa_with_sha3_256
+# pk_ecdsa_with_sha3_256['subjectPublicKey'] is DER-encoded ECPoint
+
+pk_ecdsa_with_sha3_384 = rfc5280.SubjectPublicKeyInfo()
+pk_ecdsa_with_sha3_384['algorithm'] = sa_ecdsa_with_sha3_384
+# pk_ecdsa_with_sha3_384['subjectPublicKey'] is DER-encoded ECPoint
+
+pk_ecdsa_with_sha3_512 = rfc5280.SubjectPublicKeyInfo()
+pk_ecdsa_with_sha3_512['algorithm'] = sa_ecdsa_with_sha3_512
+# pk_ecdsa_with_sha3_512['subjectPublicKey'] is DER-encoded ECPoint
+
+class SignatureAlgorithm(AlgorithmIdentifier):
+    pass
+
+
+# HMAC with SHA3
+
+id_hmacWithSHA3_224 = hashAlgs + (13, )
+
+id_hmacWithSHA3_256 = hashAlgs + (14, )
+
+id_hmacWithSHA3_384 = hashAlgs + (15, )
+
+id_hmacWithSHA3_512 = hashAlgs + (16, )
+
+maca_hmacWithSHA3_224 = rfc5280.AlgorithmIdentifier()
+maca_hmacWithSHA3_224['algorithm'] = id_hmacWithSHA3_224
+# maca_hmacWithSHA3_224['parameters'] are absent
+
+maca_hmacWithSHA3_256 = rfc5280.AlgorithmIdentifier()
+maca_hmacWithSHA3_256['algorithm'] = id_hmacWithSHA3_256
+# maca_hmacWithSHA3_256['parameters'] are absent
+
+maca_hmacWithSHA3_384 = rfc5280.AlgorithmIdentifier()
+maca_hmacWithSHA3_384['algorithm'] = id_hmacWithSHA3_384
+# maca_hmacWithSHA3_384['parameters'] are absent
+
+maca_hmacWithSHA3_512 = rfc5280.AlgorithmIdentifier()
+maca_hmacWithSHA3_512['algorithm'] = id_hmacWithSHA3_512
+# maca_hmacWithSHA3_512['parameters'] are absent
+
+class MACAlgorithm(AlgorithmIdentifier):
+    pass
+
+
+# HKDF with SHA3
+
+id_alg_hkdf_with_sha3_224 = id_alg + (32, )
+
+id_alg_hkdf_with_sha3_256 = id_alg + (33, )
+
+id_alg_hkdf_with_sha3_384 = id_alg + (34, )
+
+id_alg_hkdf_with_sha3_512 = id_alg + (35, )
+
+kda_hkdf_with_sha3_224 = rfc5280.AlgorithmIdentifier()
+kda_hkdf_with_sha3_224['algorithm'] = id_alg_hkdf_with_sha3_224
+# kda_hkdf_with_sha3_224['parameters'] are absent
+
+kda_hkdf_with_sha3_256 = rfc5280.AlgorithmIdentifier()
+kda_hkdf_with_sha3_256['algorithm'] = id_alg_hkdf_with_sha3_256
+# kda_hkdf_with_sha3_256['parameters'] are absent
+
+kda_hkdf_with_sha3_384 = rfc5280.AlgorithmIdentifier()
+kda_hkdf_with_sha3_384['algorithm'] = id_alg_hkdf_with_sha3_384
+# kda_hkdf_with_sha3_384['parameters'] are absent
+
+kda_hkdf_with_sha3_512 = rfc5280.AlgorithmIdentifier()
+kda_hkdf_with_sha3_512['algorithm'] = id_alg_hkdf_with_sha3_512
+# kda_hkdf_with_sha3_512['parameters'] are absent
+
+
+# KDF using KMAC128 and KMAC512
+
+id_kmac128 = hashAlgs + (21, )
+
+id_kmac256 = hashAlgs + (22, )
+
+class Customization(univ.OctetString):
+    pass
+
+kda_kmac128 = rfc5280.AlgorithmIdentifier()
+kda_kmac128['algorithm'] = id_kmac128
+# kda_kmac128['parameters'] are absent when Customization is ''H
+
+kda_kmac256 = rfc5280.AlgorithmIdentifier()
+kda_kmac256['algorithm'] = id_kmac256
+# kda_kmac256['parameters'] are absent when Customization is ''H
+
+
+# KDF2 and KDF3 with SHA3
+
+kda_kdf2 = rfc5280.AlgorithmIdentifier()
+kda_kdf2['algorithm'] = id_kdf_kdf2
+kda_kdf2['parameters'] = id_sha3_256
+# kda_kdf2['parameters'] can be the OID for any hash function
+
+kda_kdf3 = rfc5280.AlgorithmIdentifier()
+kda_kdf3['algorithm'] = id_kdf_kdf3
+kda_kdf3['parameters'] = id_sha3_256
+# kda_kdf3['parameters'] can be the OID for any hash function
+
+
+# Update the algorithm identifiers map and the S/MIME capability map
+#
+# No need to add all of the OIDs to the algorithmIdentifierMap and the
+# smimeCapabilityMap; do not add the ones where the parameters are
+# always absent.  Also, the KDF OIDs do not get added to the S/MIME
+# capability map.
+
+_mapUpdate = {
+    id_rsassa_pkcs1_v1_5_with_sha3_224: univ.Null(),
+    id_rsassa_pkcs1_v1_5_with_sha3_256: univ.Null(),
+    id_rsassa_pkcs1_v1_5_with_sha3_384: univ.Null(),
+    id_rsassa_pkcs1_v1_5_with_sha3_512: univ.Null(),
+    id_kmac128: Customization(),
+    id_kmac256: Customization(),
+}
+
+algorithmIdentifierMap.update(_mapUpdate)
+
+smimeCapabilityMap.update(_mapUpdate)

pyasn1_alt_modules/rfc9690.py

@@ -0,0 +1,200 @@
+#
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley.
+#
+# Copyright (c) 2025, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# KEM-RSA Algorithm with CMS KEMRecipientInfo
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc9690.txt
+#
+
+from pyasn1.type import univ
+
+from pyasn1_alt_modules import rfc5280
+from pyasn1_alt_modules import rfc4055
+from pyasn1_alt_modules import rfc5990
+
+
+# Alias for Object Identifier
+
+class OID(univ.ObjectIdentifier):
+    pass
+
+
+# Imports from RFC 5280
+
+AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
+
+SubjectPublicKeyInfo = rfc5280.SubjectPublicKeyInfo
+
+
+# Imports from RFC 4055
+
+RSAPublicKey = rfc4055.RSAPublicKey
+
+
+# Imports from RFC 5990
+
+NullParms = rfc5990.NullParms
+
+is18033_2 = rfc5990.is18033_2
+
+nistAlgorithm = rfc5990.nistAlgorithm
+
+pkcs_1 = rfc5990.pkcs_1
+
+x9_44 = rfc5990.x9_44
+
+x9_44_components = rfc5990.x9_44_components
+
+Camellia_KeyWrappingScheme = rfc5990.Camellia_KeyWrappingScheme
+
+DataEncapsulationMechanism = rfc5990.DataEncapsulationMechanism
+
+KDF2_HashFunction = rfc5990.KDF2_HashFunction
+
+KDF3_HashFunction = rfc5990.KDF3_HashFunction
+
+KeyDerivationFunction = rfc5990.KeyDerivationFunction
+
+KeyEncapsulationMechanism = rfc5990.KeyEncapsulationMechanism
+
+X9_SymmetricKeyWrappingScheme = rfc5990.X9_SymmetricKeyWrappingScheme
+
+id_rsa_kem = rfc5990.id_rsa_kem
+
+id_rsa_kem_spki = rfc5990.id_rsa_kem
+
+GenericHybridParameters = rfc5990.GenericHybridParameters
+
+id_kem_rsa = rfc5990.id_kem_rsa
+
+KeyLength = rfc5990.KeyLength
+
+RsaKemParameters = rfc5990.RsaKemParameters
+
+id_kdf_kdf2 = rfc5990.id_kdf_kdf2
+
+id_kdf_kdf3 = rfc5990.id_kdf_kdf3
+
+id_sha1 = rfc5990.id_sha1
+
+id_sha224 = rfc5990.id_sha224
+
+id_sha256 = rfc5990.id_sha256
+
+id_sha384 = rfc5990.id_sha384
+
+id_sha512 = rfc5990.id_sha512
+
+id_aes128_wrap = rfc5990.id_aes128_Wrap
+
+id_aes192_wrap = rfc5990.id_aes192_Wrap
+
+id_aes256_wrap = rfc5990.id_aes256_Wrap
+
+id_alg_CMS3DESwrap = rfc5990.id_alg_CMS3DESwrap
+
+id_camellia128_wrap = rfc5990.id_camellia128_Wrap
+   
+id_camellia192_wrap = rfc5990.id_camellia192_Wrap
+
+id_camellia256_wrap = rfc5990.id_camellia256_Wrap
+
+
+# KEM-RSA Key Encapsulation Mechanism Algorithms
+
+kema_rsa_kem = AlgorithmIdentifier()
+kema_rsa_kem['algorithm'] = id_rsa_kem_spki
+kema_rsa_kem['parameters'] = GenericHybridParameters()
+
+kema_kem_rsa = AlgorithmIdentifier()
+kema_kem_rsa['algorithm'] = id_kem_rsa
+kema_kem_rsa['parameters'] = RsaKemParameters()
+
+
+# RSA Public Key for use only with the KEM-RSA Algorithm 
+
+pk_rsa_kem = SubjectPublicKeyInfo()
+pk_rsa_kem['algorithm']['algorithm'] = id_rsa_kem_spki
+# To limit the KDF or KWA choices, provide parameters:
+# pk_rsa_kem['algorithm']['parameters'] = GenericHybridParameters()
+# To provide the public key value:
+# pubkey = RSAPublicKey()
+# pubkey['modulus'] = n
+# pubkey['publicExponent'] = e
+# encodedpk = der.encoder.encode(pubkey)
+# pk_rsa_kem['subjectPublicKey'] = univ.BitString.fromOctetString(encodedpk)
+
+
+# Key Derivation Functions
+
+kda_kdf2 = AlgorithmIdentifier()
+kda_kdf2['algorithm'] = id_kdf_kdf2
+kda_kdf2['parameters'] = KDF2_HashFunction()
+
+kda_kdf3 = AlgorithmIdentifier()
+kda_kdf3['algorithm'] = id_kdf_kdf3
+kda_kdf3['parameters'] = KDF3_HashFunction()
+
+
+# Hash Functions
+
+mda_sha1 = AlgorithmIdentifier()
+mda_sha1['algorithm'] = id_sha1
+mda_sha1['parameters'] = NullParms("")
+
+mda_sha224 = AlgorithmIdentifier()
+mda_sha224['algorithm'] = id_sha224
+mda_sha224['parameters'] = NullParms("")
+
+mda_sha256 = AlgorithmIdentifier()
+mda_sha256['algorithm'] = id_sha256
+mda_sha256['parameters'] = NullParms("")
+
+mda_sha384 = AlgorithmIdentifier()
+mda_sha384['algorithm'] = id_sha384
+mda_sha384['parameters'] = NullParms("")
+
+mda_sha512 = AlgorithmIdentifier()
+mda_sha512['algorithm'] = id_sha512
+mda_sha512['parameters'] = NullParms("")
+
+
+# Key Wrap Algorithms
+
+kwa_aes128_wrap = AlgorithmIdentifier()
+kwa_aes128_wrap['algorithm'] = id_aes128_wrap
+# kwa_aes128_wrap['parameters'] are absent
+
+kwa_aes192_wrap = AlgorithmIdentifier()
+kwa_aes192_wrap['algorithm'] = id_aes192_wrap
+# kwa_aes192_wrap['parameters'] are absent
+
+kwa_aes256_wrap = AlgorithmIdentifier()
+kwa_aes256_wrap['algorithm'] = id_aes256_wrap
+# kwa_aes256_wrap['parameters'] are absent
+
+kwa_3DESWrap = AlgorithmIdentifier()
+kwa_3DESWrap['algorithm'] = id_alg_CMS3DESwrap
+kwa_3DESWrap['parameters'] = NullParms("")
+
+kwa_camellia128_wrap = AlgorithmIdentifier()
+kwa_camellia128_wrap['algorithm'] = id_camellia128_wrap
+# kwa_camellia128_wrap['parameters'] are absent
+   
+kwa_camellia192_wrap = AlgorithmIdentifier()
+kwa_camellia192_wrap['algorithm'] = id_camellia192_wrap
+# kwa_camellia192_wrap['parameters'] are absent
+
+kwa_camellia256_wrap = AlgorithmIdentifier()
+kwa_camellia256_wrap['algorithm'] = id_camellia256_wrap
+# kwa_camellia256_wrap['parameters'] are absent
+
+
+# No need to update the Algorithm Identifier map or the
+# S/MIME Capabilities map.  Import of rfc5900 already did so.

pyasn1_alt_modules/rfc9691.py

@@ -0,0 +1,75 @@
+#
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley with some assistance from asn1ate v.0.6.0.
+#
+# Copyright (c) 2024-2025, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# RPKI Signed Trust Anchor List
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc9691.txt
+#
+
+from pyasn1.type import char
+from pyasn1.type import constraint
+from pyasn1.type import namedtype
+from pyasn1.type import tag
+from pyasn1.type import univ
+
+from pyasn1_alt_modules import rfc5280
+from pyasn1_alt_modules import opentypemap
+
+cmsContentTypesMap = opentypemap.get('cmsContentTypesMap')
+
+MAX = float('inf')
+
+
+# Import from RFC 5280
+
+SubjectPublicKeyInfo = rfc5280.SubjectPublicKeyInfo
+
+
+# Signed Trust Anchor List
+ 
+class CertificateURI(char.IA5String):
+    pass
+
+
+class TAKey(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('comments', univ.SequenceOf(
+            componentType=char.UTF8String()).subtype(
+                subtypeSpec=constraint.ValueSizeConstraint(0, MAX))),
+        namedtype.NamedType('certificateURIs', univ.SequenceOf(
+            componentType=CertificateURI()).subtype(
+                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
+        namedtype.NamedType('subjectPublicKeyInfo', SubjectPublicKeyInfo())
+    )
+
+
+class TAK(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.DefaultedNamedType('version',
+            univ.Integer().subtype(value=0)),
+        namedtype.NamedType('current', TAKey()),
+        namedtype.OptionalNamedType('predecessor',
+            TAKey().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 0))),
+        namedtype.OptionalNamedType('successor',
+            TAKey().subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatConstructed, 1)))
+)
+
+
+id_ct_signedTAL = univ.ObjectIdentifier((1, 2, 840, 113549, 1, 9, 16, 1, 50))
+
+
+# Update the CMS Content Type Map
+
+_cmsContentTypesMapUpdate = {
+    id_ct_signedTAL: TAK(),
+}
+
+cmsContentTypesMap.update(_cmsContentTypesMapUpdate)

pyasn1_alt_modules/rfc9708.py

@@ -0,0 +1,35 @@
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley
+#
+# Copyright (c) 2024-2025, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# HSS/LMS Hash-based Signature Algorithm for CMS
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfcXXXX.txt
+
+from pyasn1_alt_modules import rfc8708
+
+
+# Object Identifiers
+
+id_alg_hss_lms_hashsig = rfc8708.id_alg_hss_lms_hashsig
+
+id_alg_mts_hashsig = id_alg_hss_lms_hashsig
+
+
+# Signature Algorithm Identifier
+
+sa_HSS_LMS_HashSig = rfc8708.sa_HSS_LMS_HashSig
+# sa_HSS_LMS_HashSig['parameters'] is alway absent
+
+
+# Public Key
+
+HSS_LMS_HashSig_PublicKey = rfc8708.HSS_LMS_HashSig_PublicKey
+
+pk_HSS_LMS_HashSig = rfc8708.pk_HSS_LMS_HashSig
+# pk_HSS_LMS_HashSig['subjectPublicKey'] CONTAINS the
+#     HSS/LMS public key without any ASN.1 encoding

pyasn1_alt_modules/rfc9709.py

@@ -0,0 +1,66 @@
+#
+# This file is part of pyasn1_alt_modules software.
+#
+# Created by Russ Housley.
+#
+# Copyright (c) 2025, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1_alt_modules_license.txt
+#
+# Encryption Key Derivation in the CMS using HKDF with SHA-256
+#
+# ASN.1 source from:
+# https://www.rfc_editor.org/rfc/rfc9709.txt
+# Current version is based on draft-ietf-lamps-cms-cek-hkdf-sha256-01
+#
+
+from pyasn1.type import univ
+
+from pyasn1_alt_modules import rfc5280
+from pyasn1_alt_modules import rfc5751
+from pyasn1_alt_modules import opentypemap
+
+algorithmIdentifierMap = opentypemap.get('algorithmIdentifierMap')
+
+
+# Import from RFC 5280
+
+AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
+
+
+# Import from RFC 5751
+
+SMIMECapability = rfc5751.SMIMECapability
+
+
+# Algorithm Identifier for CEK_HKDF_SHA256
+
+id_alg_cek_hkdf_sha256 = univ.ObjectIdentifier((1, 2, 840, 113549, 1, 9, 16, 3, 31))
+
+
+class ContentEncryptionAlgorithmIdentifier(AlgorithmIdentifier):
+    pass
+
+
+cea_CEKHKDFSHA256 = ContentEncryptionAlgorithmIdentifier()
+cea_CEKHKDFSHA256['algorithm'] = id_alg_cek_hkdf_sha256
+cea_CEKHKDFSHA256['parameters'] = AlgorithmIdentifier()
+
+
+# S/MIIME Capability for CEK_HKDF_SHA256
+
+cap_CMSCEKHKDFSHA256 = SMIMECapability()
+cap_CMSCEKHKDFSHA256['capabilityID'] = id_alg_cek_hkdf_sha256
+# cap_CMSCEKHKDFSHA256['parameters'] is always absent
+
+
+# Update the Algorithm Identifier map
+
+_algorithmIdentifierMapUpdate = {
+    id_alg_cek_hkdf_sha256: AlgorithmIdentifier(),
+}
+
+algorithmIdentifierMap.update(_algorithmIdentifierMapUpdate)
+
+
+# Do not need to update the SMIMECapability Map because the parameters
+# are always absent.