From c17e29d769cf8a87402ff4d819d334389a7faca4 Mon Sep 17 00:00:00 2001 
From: Peter Dettman Date: Tue, 20 Sep 2022 14:07:11 +0700 Subject: Update Asn1.Cmp from bc-java --- crypto/src/asn1/cmp/CAKeyUpdAnnContent.cs | 51 ++-- crypto/src/asn1/cmp/CertAnnContent.cs | 72 ++++++ crypto/src/asn1/cmp/CertConfirmContent.cs | 35 ++- crypto/src/asn1/cmp/CertOrEncCert.cs | 86 +++---- crypto/src/asn1/cmp/CertRepMessage.cs | 59 ++--- crypto/src/asn1/cmp/CertReqTemplateContent.cs | 66 +++++ crypto/src/asn1/cmp/CertResponse.cs | 90 +++---- crypto/src/asn1/cmp/CertStatus.cs | 122 +++++---- crypto/src/asn1/cmp/CertifiedKeyPair.cs | 90 +++---- crypto/src/asn1/cmp/Challenge.cs | 131 ++++++++-- crypto/src/asn1/cmp/CmpCertificate.cs | 93 ++++--- crypto/src/asn1/cmp/CmpObjectIdentifiers.cs | 349 ++++++++++++++++++-------- crypto/src/asn1/cmp/CrlAnnContent.cs | 43 ++-- crypto/src/asn1/cmp/CrlSource.cs | 72 ++++++ crypto/src/asn1/cmp/CrlStatus.cs | 61 +++++ crypto/src/asn1/cmp/DhbmParameter.cs | 56 +++++ crypto/src/asn1/cmp/ErrorMsgContent.cs | 78 +++--- crypto/src/asn1/cmp/GenMsgContent.cs | 51 ++-- crypto/src/asn1/cmp/GenRepContent.cs | 46 ++-- crypto/src/asn1/cmp/InfoTypeAndValue.cs | 52 ++-- crypto/src/asn1/cmp/KeyRecRepContent.cs | 92 +++---- crypto/src/asn1/cmp/NestedMessageContent.cs | 35 +++ crypto/src/asn1/cmp/OobCert.cs | 68 +++++ crypto/src/asn1/cmp/OobCertHash.cs | 65 ++--- crypto/src/asn1/cmp/PKIBody.cs | 192 +++++++------- crypto/src/asn1/cmp/PKIConfirmContent.cs | 34 ++- crypto/src/asn1/cmp/PKIFailureInfo.cs | 8 +- crypto/src/asn1/cmp/PKIFreeText.cs | 73 +++--- crypto/src/asn1/cmp/PKIHeader.cs | 58 ++--- crypto/src/asn1/cmp/PKIMessages.cs | 2 +- crypto/src/asn1/cmp/PbmParameter.cs | 95 ++++--- crypto/src/asn1/cmp/PollRepContent.cs | 111 ++++---- crypto/src/asn1/cmp/PollReqContent.cs | 117 +++++++-- crypto/src/asn1/cmp/PopoDecKeyChallContent.cs | 35 ++- crypto/src/asn1/cmp/PopoDecKeyRespContent.cs | 39 ++- crypto/src/asn1/cmp/ProtectedPart.cs | 50 ++-- crypto/src/asn1/cmp/RevAnnContent.cs | 92 ++++--- crypto/src/asn1/cmp/RevDetails.cs | 71 +++--- 
crypto/src/asn1/cmp/RevRepContent.cs | 84 +++---- crypto/src/asn1/cmp/RevRepContentBuilder.cs | 26 +- crypto/src/asn1/cmp/RevReqContent.cs | 44 ++-- crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs | 90 +++++++ crypto/src/asn1/crmf/EncryptedKey.cs | 58 ++--- crypto/src/asn1/crmf/EncryptedValue.cs | 62 +++-- 44 files changed, 2051 insertions(+), 1253 deletions(-) create mode 100644 crypto/src/asn1/cmp/CertAnnContent.cs create mode 100644 crypto/src/asn1/cmp/CertReqTemplateContent.cs create mode 100644 crypto/src/asn1/cmp/CrlSource.cs create mode 100644 crypto/src/asn1/cmp/CrlStatus.cs create mode 100644 crypto/src/asn1/cmp/DhbmParameter.cs create mode 100644 crypto/src/asn1/cmp/NestedMessageContent.cs create mode 100644 crypto/src/asn1/cmp/OobCert.cs create mode 100644 crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs
diff --git a/crypto/src/asn1/cmp/CAKeyUpdAnnContent.cs b/crypto/src/asn1/cmp/CAKeyUpdAnnContent.cs
index b74bac87a..a3ec5e4df 100644
--- a/crypto/src/asn1/cmp/CAKeyUpdAnnContent.cs
+++ b/crypto/src/asn1/cmp/CAKeyUpdAnnContent.cs
@@ -7,42 +7,33 @@ namespace Org.BouncyCastle.Asn1.Cmp public class CAKeyUpdAnnContent : Asn1Encodable { - private readonly CmpCertificate oldWithNew; - private readonly CmpCertificate newWithOld; - private readonly CmpCertificate newWithNew; + public static CAKeyUpdAnnContent GetInstance(object obj) + { + if (obj is CAKeyUpdAnnContent content) + return content; - private CAKeyUpdAnnContent(Asn1Sequence seq) - { - oldWithNew = CmpCertificate.GetInstance(seq[0]); - newWithOld = CmpCertificate.GetInstance(seq[1]); - newWithNew = CmpCertificate.GetInstance(seq[2]); - } + if (obj is Asn1Sequence seq) + return new CAKeyUpdAnnContent(seq); - public static CAKeyUpdAnnContent GetInstance(object obj) - { - if (obj is CAKeyUpdAnnContent) - return (CAKeyUpdAnnContent)obj; + throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), nameof(obj)); + } - if (obj is Asn1Sequence) - return new CAKeyUpdAnnContent((Asn1Sequence)obj); + private readonly CmpCertificate m_oldWithNew; + private readonly CmpCertificate m_newWithOld; + private readonly CmpCertificate m_newWithNew; - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); - } - - public virtual CmpCertificate OldWithNew - { - get { return oldWithNew; } - } - - public virtual CmpCertificate NewWithOld + private CAKeyUpdAnnContent(Asn1Sequence seq) { - get { return newWithOld; } + m_oldWithNew = CmpCertificate.GetInstance(seq[0]); + m_newWithOld = CmpCertificate.GetInstance(seq[1]); + m_newWithNew = CmpCertificate.GetInstance(seq[2]); } - public virtual CmpCertificate NewWithNew - { - get { return newWithNew; } - } + public virtual CmpCertificate OldWithNew => m_oldWithNew; + + public virtual CmpCertificate NewWithOld => m_newWithOld; + + public virtual CmpCertificate NewWithNew => m_newWithNew; /** *
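Review bot: The private `CAKeyUpdAnnContent(Asn1Sequence seq)` constructor indexes `seq[0]`, `seq[1]` and `seq[2]` without checking the element count first, so a short sequence received from a peer presumably surfaces as an out-of-range error rather than the `ArgumentException` that `GetInstance` uses for bad input, and extra elements are silently ignored. Other parsers added in this same patch (`CertReqTemplateContent`, `Challenge.Rand`) validate the count up front; doing the same here keeps malformed input on one rejection path: `if (seq.Count != 3) throw new ArgumentException("expected sequence size of 3", nameof(seq));`. The `CertResponse` and `CertStatus` constructors further down read `seq[0]` and `seq[1]` unguarded in the same way.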
@@ -56,7 +47,7 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			return new DerSequence(oldWithNew, newWithOld, newWithNew);
+			return new DerSequence(m_oldWithNew, m_newWithOld, m_newWithNew);
 		}
 	}
 }
diff --git a/crypto/src/asn1/cmp/CertAnnContent.cs b/crypto/src/asn1/cmp/CertAnnContent.cs
new file mode 100644
index 000000000..df0188746
--- /dev/null
+++ b/crypto/src/asn1/cmp/CertAnnContent.cs
@@ -0,0 +1,72 @@
+using System;
+using System.IO;
+
+using Org.BouncyCastle.Asn1.X509;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Asn1.Cmp
+{
+    /**
+     *  CertAnnContent ::= CMPCertificate
+     */
+    public class CertAnnContent
+        : CmpCertificate
+    {
+        public static CertAnnContent GetInstance(object obj)
+        {
+            // TODO[cmp]
+            if (obj == null)
+                return null;
+
+            if (obj is CertAnnContent content)
+                return content;
+
+            if (obj is CmpCertificate cmpCertificate)
+                return GetInstance(cmpCertificate.GetEncoded());
+
+            if (obj is byte[] bs)
+            {
+                try
+                {
+                    obj = Asn1Object.FromByteArray(bs);
+                }
+                catch (IOException)
+                {
+                    throw new ArgumentException("Invalid encoding in CertAnnContent");
+                }
+            }
+
+            if (obj is Asn1Sequence)
+                return new CertAnnContent(X509CertificateStructure.GetInstance(obj));
+
+            // TODO[cmp]
+            if (obj is Asn1TaggedObject taggedObject)
+                return new CertAnnContent(taggedObject.TagNo, taggedObject.GetObject());
+
+            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), nameof(obj));
+        }
+
+        public static CertAnnContent GetInstance(Asn1TaggedObject taggedObject, bool declaredExplicit)
+        {
+            // TODO[cmp]
+            if (taggedObject == null)
+                return null;
+
+            if (!declaredExplicit)
+                throw new ArgumentException("tag must be explicit");
+
+            // TODO[cmp]
+            return GetInstance(taggedObject.GetObject());
+        }
+
+        public CertAnnContent(int type, Asn1Object otherCert)
+            : base(type, otherCert)
+        {
+        }
+
+        public CertAnnContent(X509CertificateStructure x509v3PKCert)
+            : base(x509v3PKCert)
+        {
+        }
+    }
+}
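Review bot: The `Asn1TaggedObject` branch of `GetInstance(object)` forwards `taggedObject.TagNo` and `taggedObject.GetObject()` straight into the `(int type, Asn1Object otherCert)` constructor, so any tag number and, as far as this hunk shows, any tag class is accepted as a certificate announcement. The bare `// TODO[cmp]` markers do not say what is still open; either restrict the accepted tags here or replace each marker with a comment naming the missing check, e.g. `// TODO[cmp] validate tag class/number before treating content as otherCert`. Separately, `catch (IOException)` discards the decoder's error; `catch (IOException e) { throw new ArgumentException("Invalid encoding in CertAnnContent", nameof(obj), e); }` keeps it available for diagnostics. The base-class constructors are outside this hunk, so some of this validation may already happen there.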
diff --git a/crypto/src/asn1/cmp/CertConfirmContent.cs b/crypto/src/asn1/cmp/CertConfirmContent.cs
index 370a9e7d6..8e75dfbd0 100644
--- a/crypto/src/asn1/cmp/CertConfirmContent.cs
+++ b/crypto/src/asn1/cmp/CertConfirmContent.cs
@@ -7,32 +7,27 @@ namespace Org.BouncyCastle.Asn1.Cmp
 	public class CertConfirmContent
 		: Asn1Encodable
 	{
-		private readonly Asn1Sequence content;
-
-		private CertConfirmContent(Asn1Sequence seq)
-		{
-			content = seq;
-		}
-
 		public static CertConfirmContent GetInstance(object obj)
 		{
-			if (obj is CertConfirmContent)
-				return (CertConfirmContent)obj;
+			if (obj is CertConfirmContent content)
+				return content;
 
-			if (obj is Asn1Sequence)
-				return new CertConfirmContent((Asn1Sequence)obj);
+			if (obj is Asn1Sequence seq)
+				return new CertConfirmContent(seq);
 
-            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj");
+            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), nameof(obj));
 		}
 
-		public virtual CertStatus[] ToCertStatusArray()
+        private readonly Asn1Sequence m_content;
+
+        private CertConfirmContent(Asn1Sequence seq)
+        {
+            m_content = seq;
+        }
+
+        public virtual CertStatus[] ToCertStatusArray()
 		{
-			CertStatus[] result = new CertStatus[content.Count];
-			for (int i = 0; i != result.Length; i++)
-			{
-				result[i] = CertStatus.GetInstance(content[i]);
-			}
-			return result;
+			return m_content.MapElements(CertStatus.GetInstance);
 		}
 
 		/**
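Review bot: `CertConfirmContent.GetInstance` still lets `null` and every non-`Asn1Sequence` input fall through to the final `throw`, while most `GetInstance` methods rewritten in this patch (`CertRepMessage`, `CertResponse`, `CertStatus`, `CertifiedKeyPair`, `Challenge`) now return `null` for `null` and delegate to `Asn1Sequence.GetInstance(obj)`. Callers that decode optional fields will therefore see different failure behaviour depending on the type. Aligning it would be `if (obj != null) return new CertConfirmContent(Asn1Sequence.GetInstance(obj));` followed by `return null;`. `CAKeyUpdAnnContent.GetInstance` and `CertOrEncCert.GetInstance` keep the throwing shape as well; if that is intentional, a one-line comment saying so would help.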
@@ -43,7 +38,7 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			return content;
+			return m_content;
 		}
 	}
 }
diff --git a/crypto/src/asn1/cmp/CertOrEncCert.cs b/crypto/src/asn1/cmp/CertOrEncCert.cs
index eb200e1e8..e517b66ce 100644
--- a/crypto/src/asn1/cmp/CertOrEncCert.cs
+++ b/crypto/src/asn1/cmp/CertOrEncCert.cs
@@ -8,79 +8,79 @@ namespace Org.BouncyCastle.Asn1.Cmp
 	public class CertOrEncCert
 		: Asn1Encodable, IAsn1Choice
 	{
-		private readonly CmpCertificate certificate;
-		private readonly EncryptedValue encryptedCert;
+        public static CertOrEncCert GetInstance(object obj)
+        {
+            if (obj is CertOrEncCert certOrEncCert)
+                return certOrEncCert;
 
-		private CertOrEncCert(Asn1TaggedObject tagged)
+            if (obj is Asn1TaggedObject taggedObject)
+                return new CertOrEncCert(taggedObject);
+
+            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), nameof(obj));
+        }
+
+        private readonly CmpCertificate m_certificate;
+		private readonly EncryptedKey m_encryptedCert;
+
+		private CertOrEncCert(Asn1TaggedObject taggedObject)
 		{
-			if (tagged.TagNo == 0)
+			if (taggedObject.TagNo == 0)
 			{
-				certificate = CmpCertificate.GetInstance(tagged.GetObject());
+				m_certificate = CmpCertificate.GetInstance(taggedObject.GetObject());
 			}
-			else if (tagged.TagNo == 1)
+			else if (taggedObject.TagNo == 1)
 			{
-				encryptedCert = EncryptedValue.GetInstance(tagged.GetObject());
+                m_encryptedCert = EncryptedKey.GetInstance(taggedObject.GetObject());
 			}
 			else
 			{
-				throw new ArgumentException("unknown tag: " + tagged.TagNo, "tagged");
-			}
-		}
-		
-		public static CertOrEncCert GetInstance(object obj)
-		{
-			if (obj is CertOrEncCert)
-				return (CertOrEncCert)obj;
-
-			if (obj is Asn1TaggedObject)
-				return new CertOrEncCert((Asn1TaggedObject)obj);
-
-			throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj");
-		}
+				throw new ArgumentException("unknown tag: " + taggedObject.TagNo, nameof(taggedObject));
+            }
+        }
 
 		public CertOrEncCert(CmpCertificate certificate)
 		{
 			if (certificate == null)
-				throw new ArgumentNullException("certificate");
+				throw new ArgumentNullException(nameof(certificate));
 
-			this.certificate = certificate;
+			m_certificate = certificate;
 		}
 
-		public CertOrEncCert(EncryptedValue encryptedCert)
+		public CertOrEncCert(EncryptedValue encryptedValue)
 		{
-			if (encryptedCert == null)
-				throw new ArgumentNullException("encryptedCert");
+			if (encryptedValue == null)
+				throw new ArgumentNullException(nameof(encryptedValue));
 
-			this.encryptedCert = encryptedCert;
+			m_encryptedCert = new EncryptedKey(encryptedValue);
 		}
 
-		public virtual CmpCertificate Certificate
-		{
-			get { return certificate; }
-		}
+        public CertOrEncCert(EncryptedKey encryptedKey)
+        {
+            if (encryptedKey == null)
+                throw new ArgumentNullException(nameof(encryptedKey));
 
-		public virtual EncryptedValue EncryptedCert
-		{
-			get { return encryptedCert; }
-		}
+            m_encryptedCert = encryptedKey;
+        }
 
-		/**
+		public virtual CmpCertificate Certificate => m_certificate;
+
+		public virtual EncryptedKey EncryptedCert => m_encryptedCert;
+
+        /**
 		 * 
 		 * CertOrEncCert ::= CHOICE {
 		 *                      certificate     [0] CMPCertificate,
-		 *                      encryptedCert   [1] EncryptedValue
+		 *                      encryptedCert   [1] EncryptedKey
 		 *           }
 		 * 
* @return a basic ASN.1 object representation. */ - public override Asn1Object ToAsn1Object() + public override Asn1Object ToAsn1Object() { - if (certificate != null) - { - return new DerTaggedObject(true, 0, certificate); - } + if (m_certificate != null) + return new DerTaggedObject(true, 0, m_certificate); - return new DerTaggedObject(true, 1, encryptedCert); + return new DerTaggedObject(true, 1, m_encryptedCert); } } } diff --git a/crypto/src/asn1/cmp/CertRepMessage.cs b/crypto/src/asn1/cmp/CertRepMessage.cs index d24dd963b..696cfde47 100644 --- a/crypto/src/asn1/cmp/CertRepMessage.cs +++ b/crypto/src/asn1/cmp/CertRepMessage.cs @@ -7,8 +7,19 @@ namespace Org.BouncyCastle.Asn1.Cmp public class CertRepMessage : Asn1Encodable { - private readonly Asn1Sequence caPubs; - private readonly Asn1Sequence response; + public static CertRepMessage GetInstance(object obj) + { + if (obj is CertRepMessage certRepMessage) + return certRepMessage; + + if (obj != null) + return new CertRepMessage(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly Asn1Sequence m_caPubs; + private readonly Asn1Sequence m_response; private CertRepMessage(Asn1Sequence seq) { 
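Review bot: `CertOrEncCert.EncryptedCert` now returns `EncryptedKey` instead of `EncryptedValue`, and the tag-1 branch of the private constructor parses with `EncryptedKey.GetInstance`, so existing callers that hand the result to code expecting an `EncryptedValue` will stop compiling or, if they cast, may fail at run time. Because `EncryptedKey` is a CHOICE, consumers need to establish which alternative is present before attempting decryption, and the property has no doc comment telling them so; something like `/** May hold either alternative of EncryptedKey; check which one is present before decrypting. */` would cover it. `EncryptedKey` is changed elsewhere in this patch and is not visible here, so confirm the wording against it.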
@@ -16,57 +27,33 @@ namespace Org.BouncyCastle.Asn1.Cmp if (seq.Count > 1) { - caPubs = Asn1Sequence.GetInstance((Asn1TaggedObject)seq[index++], true); + m_caPubs = Asn1Sequence.GetInstance((Asn1TaggedObject)seq[index++], true); } - response = Asn1Sequence.GetInstance(seq[index]); - } - - public static CertRepMessage GetInstance(object obj) - { - if (obj is CertRepMessage) - return (CertRepMessage)obj; - - if (obj is Asn1Sequence) - return new CertRepMessage((Asn1Sequence)obj); - - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + m_response = Asn1Sequence.GetInstance(seq[index]); } public CertRepMessage(CmpCertificate[] caPubs, CertResponse[] response) { if (response == null) - throw new ArgumentNullException("response"); + throw new ArgumentNullException(nameof(response)); if (caPubs != null) { - this.caPubs = new DerSequence(caPubs); + m_caPubs = new DerSequence(caPubs); } - this.response = new DerSequence(response); + m_response = new DerSequence(response); } public virtual CmpCertificate[] GetCAPubs() { - if (caPubs == null) - return null; - - CmpCertificate[] results = new CmpCertificate[caPubs.Count]; - for (int i = 0; i != results.Length; ++i) - { - results[i] = CmpCertificate.GetInstance(caPubs[i]); - } - return results; + return m_caPubs == null ? null : m_caPubs.MapElements(CmpCertificate.GetInstance); } public virtual CertResponse[] GetResponse() { - CertResponse[] results = new CertResponse[response.Count]; - for (int i = 0; i != results.Length; ++i) - { - results[i] = CertResponse.GetInstance(response[i]); - } - return results; + return m_response.MapElements(CertResponse.GetInstance); } /** 
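Review bot: The parsing constructor still uses a hard cast, `(Asn1TaggedObject)seq[index++]`, and never checks that the tag number is 1, although `ToAsn1Object` writes caPubs with `AddOptionalTagged(true, 1, ...)`. A malformed message therefore fails with a cast error instead of an `ArgumentException`, and a differently tagged first element would be taken as caPubs. Using `Asn1TaggedObject.GetInstance(seq[index++])` and then `if (tagged.TagNo != 1) throw new ArgumentException("unknown tag: " + tagged.TagNo);` would close both gaps. The constructor begins before this hunk, so any earlier validation is not visible here.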
@@ -81,9 +68,9 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public override Asn1Object ToAsn1Object() { - Asn1EncodableVector v = new Asn1EncodableVector(); - v.AddOptionalTagged(true, 1, caPubs); - v.Add(response); + Asn1EncodableVector v = new Asn1EncodableVector(2); + v.AddOptionalTagged(true, 1, m_caPubs); + v.Add(m_response); return new DerSequence(v); } } diff --git a/crypto/src/asn1/cmp/CertReqTemplateContent.cs b/crypto/src/asn1/cmp/CertReqTemplateContent.cs new file mode 100644 index 000000000..b229cd28b --- /dev/null +++ b/crypto/src/asn1/cmp/CertReqTemplateContent.cs @@ -0,0 +1,66 @@ +using System; + +using Org.BouncyCastle.Asn1.Crmf; + +namespace Org.BouncyCastle.Asn1.Cmp +{ + /** + * GenMsg: {id-it 19}, < absent > + * GenRep: {id-it 19}, CertReqTemplateContent | < absent > + *

+ * CertReqTemplateValue ::= CertReqTemplateContent + *

+ * CertReqTemplateContent ::= SEQUENCE { + * certTemplate CertTemplate, + * keySpec Controls OPTIONAL } + *

+ * Controls ::= SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue + */ + public class CertReqTemplateContent + : Asn1Encodable + { + public static CertReqTemplateContent GetInstance(object obj) + { + if (obj is CertReqTemplateContent certReqTemplateContent) + return certReqTemplateContent; + + if (obj != null) + return new CertReqTemplateContent(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly CertTemplate m_certTemplate; + private readonly Asn1Sequence m_keySpec; + + private CertReqTemplateContent(Asn1Sequence seq) + { + if (seq.Count != 1 && seq.Count != 2) + throw new ArgumentException("expected sequence size of 1 or 2"); + + m_certTemplate = CertTemplate.GetInstance(seq[0]); + + if (seq.Count > 1) + { + m_keySpec = Asn1Sequence.GetInstance(seq[1]); + } + } + + public CertReqTemplateContent(CertTemplate certTemplate, Asn1Sequence keySpec) + { + m_certTemplate = certTemplate; + m_keySpec = keySpec; + } + + public virtual CertTemplate CertTemplate => m_certTemplate; + + public virtual Asn1Sequence KeySpec => m_keySpec; + + public override Asn1Object ToAsn1Object() + { + Asn1EncodableVector v = new Asn1EncodableVector(m_certTemplate); + v.AddOptional(m_keySpec); + return new DerSequence(v); + } + } +} diff --git a/crypto/src/asn1/cmp/CertResponse.cs b/crypto/src/asn1/cmp/CertResponse.cs index 843fd9299..72a44c93e 100644 --- a/crypto/src/asn1/cmp/CertResponse.cs +++ b/crypto/src/asn1/cmp/CertResponse.cs 
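Review bot: The public `CertReqTemplateContent(CertTemplate certTemplate, Asn1Sequence keySpec)` constructor stores `certTemplate` without a null check even though the field is mandatory in the ASN.1 definition, so a null only shows up later when `ToAsn1Object` builds the vector. Other constructors in this patch guard their mandatory arguments (`CertResponse`, `CertifiedKeyPair`); add `if (certTemplate == null) throw new ArgumentNullException(nameof(certTemplate));`. The class comment also gives `Controls ::= SEQUENCE SIZE (1..MAX)`, but neither constructor rejects an empty `keySpec`. `Challenge.Rand(DerInteger, GeneralName)` later in the patch leaves its mandatory fields unguarded in the same way.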
@@ -1,21 +1,30 @@ using System; -using Org.BouncyCastle.Utilities; - namespace Org.BouncyCastle.Asn1.Cmp { public class CertResponse : Asn1Encodable { - private readonly DerInteger certReqId; - private readonly PkiStatusInfo status; - private readonly CertifiedKeyPair certifiedKeyPair; - private readonly Asn1OctetString rspInfo; + public static CertResponse GetInstance(object obj) + { + if (obj is CertResponse certResponse) + return certResponse; + + if (obj != null) + return new CertResponse(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly DerInteger m_certReqId; + private readonly PkiStatusInfo m_status; + private readonly CertifiedKeyPair m_certifiedKeyPair; + private readonly Asn1OctetString m_rspInfo; private CertResponse(Asn1Sequence seq) { - certReqId = DerInteger.GetInstance(seq[0]); - status = PkiStatusInfo.GetInstance(seq[1]); + m_certReqId = DerInteger.GetInstance(seq[0]); + m_status = PkiStatusInfo.GetInstance(seq[1]); if (seq.Count >= 3) { 
@@ -24,71 +33,46 @@ namespace Org.BouncyCastle.Asn1.Cmp Asn1Encodable o = seq[2]; if (o is Asn1OctetString) { - rspInfo = Asn1OctetString.GetInstance(o); + m_rspInfo = Asn1OctetString.GetInstance(o); } else { - certifiedKeyPair = CertifiedKeyPair.GetInstance(o); + m_certifiedKeyPair = CertifiedKeyPair.GetInstance(o); } } else { - certifiedKeyPair = CertifiedKeyPair.GetInstance(seq[2]); - rspInfo = Asn1OctetString.GetInstance(seq[3]); + m_certifiedKeyPair = CertifiedKeyPair.GetInstance(seq[2]); + m_rspInfo = Asn1OctetString.GetInstance(seq[3]); } } } - public static CertResponse GetInstance(object obj) - { - if (obj is CertResponse) - return (CertResponse)obj; - - if (obj is Asn1Sequence) - return new CertResponse((Asn1Sequence)obj); - - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); - } - - public CertResponse( - DerInteger certReqId, - PkiStatusInfo status) + public CertResponse(DerInteger certReqId, PkiStatusInfo status) : this(certReqId, status, null, null) { } - public CertResponse( - DerInteger certReqId, - PkiStatusInfo status, - CertifiedKeyPair certifiedKeyPair, - Asn1OctetString rspInfo) - { - if (certReqId == null) - throw new ArgumentNullException("certReqId"); + public CertResponse(DerInteger certReqId, PkiStatusInfo status, CertifiedKeyPair certifiedKeyPair, + Asn1OctetString rspInfo) + { + if (certReqId == null) + throw new ArgumentNullException(nameof(certReqId)); if (status == null) - throw new ArgumentNullException("status"); + throw new ArgumentNullException(nameof(status)); - this.certReqId = certReqId; - this.status = status; - this.certifiedKeyPair = certifiedKeyPair; - this.rspInfo = rspInfo; + m_certReqId = certReqId; + m_status = status; + m_certifiedKeyPair = certifiedKeyPair; + m_rspInfo = rspInfo; } - public virtual DerInteger CertReqID - { - get { return certReqId; } - } + public virtual DerInteger CertReqID => m_certReqId; - public virtual PkiStatusInfo Status - { - get { return status; } - } + 
public virtual PkiStatusInfo Status => m_status; - public virtual CertifiedKeyPair CertifiedKeyPair - { - get { return certifiedKeyPair; } - } + public virtual CertifiedKeyPair CertifiedKeyPair => m_certifiedKeyPair; /** *

@@ -108,8 +92,8 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			Asn1EncodableVector v = new Asn1EncodableVector(certReqId, status);
-			v.AddOptional(certifiedKeyPair, rspInfo);
+			Asn1EncodableVector v = new Asn1EncodableVector(m_certReqId, m_status);
+			v.AddOptional(m_certifiedKeyPair, m_rspInfo);
 			return new DerSequence(v);
 		}
 	}
diff --git a/crypto/src/asn1/cmp/CertStatus.cs b/crypto/src/asn1/cmp/CertStatus.cs
index d437b57b2..6eb36c6fb 100644
--- a/crypto/src/asn1/cmp/CertStatus.cs
+++ b/crypto/src/asn1/cmp/CertStatus.cs
@@ -1,84 +1,102 @@
 using System;
 
+using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Math;
-using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
 	public class CertStatus
 		: Asn1Encodable
 	{
-		private readonly Asn1OctetString certHash;
-		private readonly DerInteger certReqId;
-		private readonly PkiStatusInfo statusInfo;
+        public static CertStatus GetInstance(object obj)
+        {
+			if (obj is CertStatus certStatus)
+				return certStatus;
 
-		private CertStatus(Asn1Sequence seq)
+			if (obj != null)
+				return new CertStatus(Asn1Sequence.GetInstance(obj));
+
+			return null;
+        }
+
+        private readonly Asn1OctetString m_certHash;
+		private readonly DerInteger m_certReqID;
+		private readonly PkiStatusInfo m_statusInfo;
+        private readonly AlgorithmIdentifier m_hashAlg;
+
+        private CertStatus(Asn1Sequence seq)
 		{
-			certHash = Asn1OctetString.GetInstance(seq[0]);
-			certReqId = DerInteger.GetInstance(seq[1]);
+			m_certHash = Asn1OctetString.GetInstance(seq[0]);
+			m_certReqID = DerInteger.GetInstance(seq[1]);
 
 			if (seq.Count > 2)
 			{
-				statusInfo = PkiStatusInfo.GetInstance(seq[2]);
+				for (int t = 2; t < seq.Count; t++)
+				{
+					Asn1Object p = seq[t].ToAsn1Object();
+					if (p is Asn1Sequence s)
+					{
+						m_statusInfo = PkiStatusInfo.GetInstance(s);
+					}
+					if (p is Asn1TaggedObject dto)
+					{
+						if (dto.TagNo != 0)
+							throw new ArgumentException("unknown tag " + dto.TagNo);
+
+						m_hashAlg = AlgorithmIdentifier.GetInstance(dto, true);
+					}
+				}
 			}
 		}
 
-		public CertStatus(byte[] certHash, BigInteger certReqId)
+		public CertStatus(byte[] certHash, BigInteger certReqID)
 		{
-			this.certHash = new DerOctetString(certHash);
-			this.certReqId = new DerInteger(certReqId);
+			m_certHash = new DerOctetString(certHash);
+			m_certReqID = new DerInteger(certReqID);
 		}
 
-		public CertStatus(byte[] certHash, BigInteger certReqId, PkiStatusInfo statusInfo)
+		public CertStatus(byte[] certHash, BigInteger certReqID, PkiStatusInfo statusInfo)
 		{
-			this.certHash = new DerOctetString(certHash);
-			this.certReqId = new DerInteger(certReqId);
-			this.statusInfo = statusInfo;
+            m_certHash = new DerOctetString(certHash);
+            m_certReqID = new DerInteger(certReqID);
+            m_statusInfo = statusInfo;
 		}
 
-		public static CertStatus GetInstance(object obj)
-		{
-			if (obj is CertStatus)
-				return (CertStatus)obj;
+        public CertStatus(byte[] certHash, BigInteger certReqID, PkiStatusInfo statusInfo, AlgorithmIdentifier hashAlg)
+        {
+            m_certHash = new DerOctetString(certHash);
+            m_certReqID = new DerInteger(certReqID);
+            m_statusInfo = statusInfo;
+            m_hashAlg = hashAlg;
+        }
 
-			if (obj is Asn1Sequence)
-				return new CertStatus((Asn1Sequence)obj);
+        public virtual Asn1OctetString CertHash => m_certHash;
 
-            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj");
-		}
+		public virtual DerInteger CertReqID => m_certReqID;
 
-		public virtual Asn1OctetString CertHash
-		{
-			get { return certHash; }
-		}
-
-		public virtual DerInteger CertReqID
-		{
-			get { return certReqId; }
-		}
+		public virtual PkiStatusInfo StatusInfo => m_statusInfo;
 
-		public virtual PkiStatusInfo StatusInfo
-		{
-			get { return statusInfo; }
-		}
+		public virtual AlgorithmIdentifier HashAlg => m_hashAlg;
 
-		/**
-		 * 
-		 * CertStatus ::= SEQUENCE {
-		 *                   certHash    OCTET STRING,
-		 *                   -- the hash of the certificate, using the same hash algorithm
-		 *                   -- as is used to create and verify the certificate signature
-		 *                   certReqId   INTEGER,
-		 *                   -- to match this confirmation with the corresponding req/rep
-		 *                   statusInfo  PKIStatusInfo OPTIONAL
-		 * }
-		 * 
- * @return a basic ASN.1 object representation. - */ - public override Asn1Object ToAsn1Object() + /** + *
+         *
+         *  CertStatus ::= SEQUENCE {
+         *     certHash    OCTET STRING,
+         *     certReqId   INTEGER,
+         *     statusInfo  PKIStatusInfo OPTIONAL,
+         *     hashAlg [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}} OPTIONAL
+         *   }
+         *
+         * 
+ * + * @return a basic ASN.1 object representation. + */ + public override Asn1Object ToAsn1Object() { - Asn1EncodableVector v = new Asn1EncodableVector(certHash, certReqId); - v.AddOptional(statusInfo); + Asn1EncodableVector v = new Asn1EncodableVector(m_certHash, m_certReqID); + v.AddOptional(m_statusInfo); + v.AddOptionalTagged(true, 0, m_hashAlg); return new DerSequence(v); } } diff --git a/crypto/src/asn1/cmp/CertifiedKeyPair.cs b/crypto/src/asn1/cmp/CertifiedKeyPair.cs index 0b1c5d44d..a40a2730a 100644 --- a/crypto/src/asn1/cmp/CertifiedKeyPair.cs +++ b/crypto/src/asn1/cmp/CertifiedKeyPair.cs @@ -1,20 +1,30 @@ using System; using Org.BouncyCastle.Asn1.Crmf; -using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Asn1.Cmp { public class CertifiedKeyPair : Asn1Encodable { - private readonly CertOrEncCert certOrEncCert; - private readonly EncryptedValue privateKey; - private readonly PkiPublicationInfo publicationInfo; + public static CertifiedKeyPair GetInstance(object obj) + { + if (obj is CertifiedKeyPair certifiedKeyPair) + return certifiedKeyPair; - private CertifiedKeyPair(Asn1Sequence seq) + if (obj != null) + return new CertifiedKeyPair(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly CertOrEncCert m_certOrEncCert; + private readonly EncryptedKey m_privateKey; + private readonly PkiPublicationInfo m_publicationInfo; + + private CertifiedKeyPair(Asn1Sequence seq) { - certOrEncCert = CertOrEncCert.GetInstance(seq[0]); + m_certOrEncCert = CertOrEncCert.GetInstance(seq[0]); if (seq.Count >= 2) { 
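Review bot: The optional-field loop in the `CertStatus(Asn1Sequence)` constructor accepts any number of trailing elements in any order: a second SEQUENCE overwrites `m_statusInfo`, a second `[0]` overwrites `m_hashAlg`, and elements of any other type are skipped without error. Since `hashAlg` presumably tells the receiver which digest `certHash` was computed with, two implementations that resolve such duplicates differently could disagree about the same confirmation. Bounding the count and rejecting repeated, misordered or unknown elements keeps the decoding unambiguous; a sketch of the constructor body follows.

```csharp
private CertStatus(Asn1Sequence seq)
{
    if (seq.Count < 2 || seq.Count > 4)
        throw new ArgumentException("expected sequence size of 2 to 4", nameof(seq));

    // … unchanged: m_certHash / m_certReqID assignment …

    for (int t = 2; t < seq.Count; t++)
    {
        Asn1Object p = seq[t].ToAsn1Object();
        if (p is Asn1Sequence s && m_statusInfo == null && m_hashAlg == null)
        {
            // statusInfo may appear once, and only before hashAlg
            m_statusInfo = PkiStatusInfo.GetInstance(s);
        }
        else if (p is Asn1TaggedObject dto && dto.TagNo == 0 && m_hashAlg == null)
        {
            m_hashAlg = AlgorithmIdentifier.GetInstance(dto, true);
        }
        else
        {
            throw new ArgumentException("unexpected element in CertStatus", nameof(seq));
        }
    }
```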
@@ -23,66 +33,48 @@ namespace Org.BouncyCastle.Asn1.Cmp Asn1TaggedObject tagged = Asn1TaggedObject.GetInstance(seq[1]); if (tagged.TagNo == 0) { - privateKey = EncryptedValue.GetInstance(tagged.GetObject()); + m_privateKey = EncryptedKey.GetInstance(tagged.GetObject()); } else { - publicationInfo = PkiPublicationInfo.GetInstance(tagged.GetObject()); + m_publicationInfo = PkiPublicationInfo.GetInstance(tagged.GetObject()); } } else { - privateKey = EncryptedValue.GetInstance(Asn1TaggedObject.GetInstance(seq[1])); - publicationInfo = PkiPublicationInfo.GetInstance(Asn1TaggedObject.GetInstance(seq[2])); + m_privateKey = EncryptedKey.GetInstance(Asn1TaggedObject.GetInstance(seq[1])); + m_publicationInfo = PkiPublicationInfo.GetInstance(Asn1TaggedObject.GetInstance(seq[2])); } } } - public static CertifiedKeyPair GetInstance(object obj) + public CertifiedKeyPair(CertOrEncCert certOrEncCert) + : this(certOrEncCert, (EncryptedKey)null, null) { - if (obj is CertifiedKeyPair) - return (CertifiedKeyPair)obj; - - if (obj is Asn1Sequence) - return new CertifiedKeyPair((Asn1Sequence)obj); - - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); } - public CertifiedKeyPair( - CertOrEncCert certOrEncCert) - : this(certOrEncCert, null, null) - { - } + public CertifiedKeyPair(CertOrEncCert certOrEncCert, EncryptedValue privateKey, + PkiPublicationInfo publicationInfo) + : this(certOrEncCert, privateKey == null ? 
null : new EncryptedKey(privateKey), publicationInfo) + { + } - public CertifiedKeyPair( - CertOrEncCert certOrEncCert, - EncryptedValue privateKey, - PkiPublicationInfo publicationInfo - ) - { + public CertifiedKeyPair(CertOrEncCert certOrEncCert, EncryptedKey privateKey, + PkiPublicationInfo publicationInfo) + { if (certOrEncCert == null) - throw new ArgumentNullException("certOrEncCert"); + throw new ArgumentNullException(nameof(certOrEncCert)); - this.certOrEncCert = certOrEncCert; - this.privateKey = privateKey; - this.publicationInfo = publicationInfo; - } + m_certOrEncCert = certOrEncCert; + m_privateKey = privateKey; + m_publicationInfo = publicationInfo; + } - public virtual CertOrEncCert CertOrEncCert - { - get { return certOrEncCert; } - } + public virtual CertOrEncCert CertOrEncCert => m_certOrEncCert; - public virtual EncryptedValue PrivateKey - { - get { return privateKey; } - } + public virtual EncryptedKey PrivateKey => m_privateKey; - public virtual PkiPublicationInfo PublicationInfo - { - get { return publicationInfo; } - } + public virtual PkiPublicationInfo PublicationInfo => m_publicationInfo; /** *
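Review bot: In the final `else` branch (the one reading `seq[1]` and `seq[2]`) the tagged wrappers are passed on unopened, `EncryptedKey.GetInstance(Asn1TaggedObject.GetInstance(seq[1]))`, whereas the preceding branch unwraps with `tagged.GetObject()`. Now that the target type is `EncryptedKey`, which is itself a CHOICE with a tagged alternative, the outer `[0]` wrapper may be interpreted as that alternative instead of being rejected; `EncryptedKey.GetInstance` is not visible here, so this needs confirming. Suggested: `m_privateKey = EncryptedKey.GetInstance(Asn1TaggedObject.GetInstance(seq[1]).GetObject());` and `m_publicationInfo = PkiPublicationInfo.GetInstance(Asn1TaggedObject.GetInstance(seq[2]).GetObject());`, ideally after checking that the tag numbers are 0 and 1 respectively. The constructor starts before this hunk.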
@@ -97,9 +89,9 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			Asn1EncodableVector v = new Asn1EncodableVector(certOrEncCert);
-            v.AddOptionalTagged(true, 0, privateKey);
-            v.AddOptionalTagged(true, 1, publicationInfo);
+			Asn1EncodableVector v = new Asn1EncodableVector(m_certOrEncCert);
+            v.AddOptionalTagged(true, 0, m_privateKey);
+            v.AddOptionalTagged(true, 1, m_publicationInfo);
 			return new DerSequence(v);
 		}
 	}
diff --git a/crypto/src/asn1/cmp/Challenge.cs b/crypto/src/asn1/cmp/Challenge.cs
index 016c082e2..ca3d06339 100644
--- a/crypto/src/asn1/cmp/Challenge.cs
+++ b/crypto/src/asn1/cmp/Challenge.cs
@@ -1,16 +1,52 @@
 using System;
 
 using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
-	public class Challenge
+    /**
+     * 
+     * Challenge ::= SEQUENCE {
+     *          owf                 AlgorithmIdentifier  OPTIONAL,
+     *
+     *          -- MUST be present in the first Challenge; MAY be omitted in
+     *          -- any subsequent Challenge in POPODecKeyChallContent (if
+     *          -- omitted, then the owf used in the immediately preceding
+     *          -- Challenge is to be used).
+     *
+     *          witness             OCTET STRING,
+     *          -- the result of applying the one-way function (owf) to a
+     *          -- randomly-generated INTEGER, A.  [Note that a different
+     *          -- INTEGER MUST be used for each Challenge.]
+     *          challenge           OCTET STRING
+     *          -- the encryption (under the public key for which the cert.
+     *          -- request is being made) of Rand, where Rand is specified as
+     *          --   Rand ::= SEQUENCE {
+     *          --      int      INTEGER,
+     *          --       - the randomly-generated INTEGER A (above)
+     *          --      sender   GeneralName
+     *          --       - the sender's name (as included in PKIHeader)
+     *          --   }
+     *      }
+     *      
+ */ + public class Challenge : Asn1Encodable { - private readonly AlgorithmIdentifier owf; - private readonly Asn1OctetString witness; - private readonly Asn1OctetString challenge; + public static Challenge GetInstance(object obj) + { + if (obj is Challenge challenge) + return challenge; + + if (obj != null) + return new Challenge(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly AlgorithmIdentifier m_owf; + private readonly Asn1OctetString m_witness; + private readonly Asn1OctetString m_challenge; private Challenge(Asn1Sequence seq) { @@ -18,30 +54,32 @@ namespace Org.BouncyCastle.Asn1.Cmp if (seq.Count == 3) { - owf = AlgorithmIdentifier.GetInstance(seq[index++]); + m_owf = AlgorithmIdentifier.GetInstance(seq[index++]); } - witness = Asn1OctetString.GetInstance(seq[index++]); - challenge = Asn1OctetString.GetInstance(seq[index]); + m_witness = Asn1OctetString.GetInstance(seq[index++]); + m_challenge = Asn1OctetString.GetInstance(seq[index]); } - public static Challenge GetInstance(object obj) - { - if (obj is Challenge) - return (Challenge)obj; + public Challenge(byte[] witness, byte[] challenge) + : this(null, witness, challenge) + { + } - if (obj is Asn1Sequence) - return new Challenge((Asn1Sequence)obj); + public Challenge(AlgorithmIdentifier owf, byte[] witness, byte[] challenge) + { + m_owf = owf; + m_witness = new DerOctetString(witness); + m_challenge = new DerOctetString(challenge); + } - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); - } + public virtual AlgorithmIdentifier Owf => m_owf; - public virtual AlgorithmIdentifier Owf - { - get { return owf; } - } + public virtual Asn1OctetString Witness => m_witness; + + public virtual Asn1OctetString ChallengeValue => m_challenge; - /** + /** *
 		 * Challenge ::= SEQUENCE {
 		 *                 owf                 AlgorithmIdentifier  OPTIONAL,
@@ -68,12 +106,57 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 * 
* @return a basic ASN.1 object representation. */ - public override Asn1Object ToAsn1Object() + public override Asn1Object ToAsn1Object() { Asn1EncodableVector v = new Asn1EncodableVector(); - v.AddOptional(owf); - v.Add(witness, challenge); + v.AddOptional(m_owf); + v.Add(m_witness, m_challenge); return new DerSequence(v); } + + /** + * Rand is the inner type + */ + public class Rand + : Asn1Encodable + { + public static Rand GetInstance(object obj) + { + if (obj is Rand rand) + return rand; + + if (obj != null) + return new Rand(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly DerInteger m_intVal; + private readonly GeneralName m_sender; + + public Rand(DerInteger intVal, GeneralName sender) + { + m_intVal = intVal; + m_sender = sender; + } + + public Rand(Asn1Sequence seq) + { + if (seq.Count != 2) + throw new ArgumentException("expected sequence size of 2"); + + m_intVal = DerInteger.GetInstance(seq[0]); + m_sender = GeneralName.GetInstance(seq[1]); + } + + public virtual DerInteger IntVal => m_intVal; + + public virtual GeneralName Sender => m_sender; + + public override Asn1Object ToAsn1Object() + { + return new DerSequence(m_intVal, m_sender); + } + } } } diff --git a/crypto/src/asn1/cmp/CmpCertificate.cs b/crypto/src/asn1/cmp/CmpCertificate.cs index 33356b486..af433ec4d 100644 --- a/crypto/src/asn1/cmp/CmpCertificate.cs +++ b/crypto/src/asn1/cmp/CmpCertificate.cs @@ -1,4 +1,5 @@ using System; +using System.IO; using Org.BouncyCastle.Asn1.X509; using Org.BouncyCastle.Utilities; 
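Review bot: `Rand(DerInteger intVal, GeneralName sender)` stores both arguments unchecked, although the parsing constructor requires exactly two elements, so a null is only noticed later, presumably when `ToAsn1Object` builds the `DerSequence`. `ErrorMsgContent` in this commit rejects a null mandatory field with `ArgumentNullException`. The same style here would be `m_intVal = intVal ?? throw new ArgumentNullException(nameof(intVal));`, and likewise for `sender`. The public constructors `CrlStatus(CrlSource source, Time thisUpdate)` (for `source`) and `DhbmParameter(owf, mac)` added later in the patch have the same omission.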
@@ -8,54 +9,84 @@ namespace Org.BouncyCastle.Asn1.Cmp public class CmpCertificate : Asn1Encodable, IAsn1Choice { - private readonly X509CertificateStructure x509v3PKCert; - private readonly AttributeCertificate x509v2AttrCert; - - /** - * Note: the addition of attribute certificates is a BC extension. - */ - public CmpCertificate(AttributeCertificate x509v2AttrCert) + public static CmpCertificate GetInstance(object obj) { - this.x509v2AttrCert = x509v2AttrCert; - } + // TODO[cmp] Review this whole metho - public CmpCertificate(X509CertificateStructure x509v3PKCert) - { - if (x509v3PKCert.Version != 3) - throw new ArgumentException("only version 3 certificates allowed", "x509v3PKCert"); + if (obj == null) + return null; - this.x509v3PKCert = x509v3PKCert; - } + if (obj is CmpCertificate cmpCertificate) + return cmpCertificate; - public static CmpCertificate GetInstance(object obj) - { - if (obj is CmpCertificate) - return (CmpCertificate)obj; + if (obj is byte[] bs) + { + try + { + obj = Asn1Object.FromByteArray(bs); + } + catch (IOException) + { + throw new ArgumentException("Invalid encoding in CmpCertificate"); + } + } if (obj is Asn1Sequence) return new CmpCertificate(X509CertificateStructure.GetInstance(obj)); - if (obj is Asn1TaggedObject) - return new CmpCertificate(AttributeCertificate.GetInstance(((Asn1TaggedObject)obj).GetObject())); + if (obj is Asn1TaggedObject taggedObject) + return new CmpCertificate(taggedObject.TagNo, taggedObject.GetObject()); - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), nameof(obj)); } - public virtual bool IsX509v3PKCert + public static CmpCertificate GetInstance(Asn1TaggedObject taggedObject, bool declaredExplicit) { - get { return x509v3PKCert != null; } + // TODO[cmp] + if (taggedObject == null) + return null; + + if (!declaredExplicit) + throw new ArgumentException("tag must be explicit"); + + // TODO[cmp] + 
return GetInstance(taggedObject.GetObject()); } - public virtual X509CertificateStructure X509v3PKCert + private readonly X509CertificateStructure m_x509v3PKCert; + + private readonly int m_otherTagValue; + private readonly Asn1Encodable m_otherCert; + + /** + * Note: the addition of other certificates is a BC extension. If you use this constructor they + * will be added with an explicit tag value of type. + * + * @param type the type of the certificate (used as a tag value). + * @param otherCert the object representing the certificate + */ + public CmpCertificate(int type, Asn1Encodable otherCert) { - get { return x509v3PKCert; } + m_otherTagValue = type; + m_otherCert = otherCert; } - public virtual AttributeCertificate X509v2AttrCert + public CmpCertificate(X509CertificateStructure x509v3PKCert) { - get { return x509v2AttrCert; } + if (x509v3PKCert.Version != 3) + throw new ArgumentException("only version 3 certificates allowed", nameof(x509v3PKCert)); + + m_x509v3PKCert = x509v3PKCert; } + public virtual bool IsX509v3PKCert => m_x509v3PKCert != null; + + public virtual X509CertificateStructure X509v3PKCert => m_x509v3PKCert; + + public virtual int OtherCertTag => m_otherTagValue; + + public virtual Asn1Encodable OtherCert => m_otherCert; + /** *
          * CMPCertificate ::= CHOICE {
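Review bot: `CmpCertificate(int type, Asn1Encodable otherCert)` accepts a null `otherCert`, which leaves both certificate fields null; `ToAsn1Object` in the next hunk then falls through to `m_x509v3PKCert.ToAsn1Object()` on a null reference. A guard such as `m_otherCert = otherCert ?? throw new ArgumentNullException(nameof(otherCert));` would fail at construction instead. `GetInstance` now passes `taggedObject.TagNo` and `taggedObject.GetObject()` through for any tag, where the removed code forced the content through `AttributeCertificate.GetInstance`. The doc comment on `OtherCert` should therefore say that tag and content are not validated here and must be checked by the caller before the value is trusted. `OtherCertTag` also returns 0 for an X.509 certificate, so it is only meaningful when `IsX509v3PKCert` is false, which is worth stating on the property.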
@@ -69,13 +100,13 @@ namespace Org.BouncyCastle.Asn1.Cmp
          */
         public override Asn1Object ToAsn1Object()
         {
-            if (x509v2AttrCert != null)
+            if (m_otherCert != null)
             {
                 // explicit following CMP conventions
-                return new DerTaggedObject(true, 1, x509v2AttrCert);
+                return new DerTaggedObject(true, m_otherTagValue, m_otherCert);
             }
 
-            return x509v3PKCert.ToAsn1Object();
+            return m_x509v3PKCert.ToAsn1Object();
         }
     }
 }
diff --git a/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs b/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs
index 7e8274175..fa83841a4 100644
--- a/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs
+++ b/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs
@@ -2,105 +2,256 @@ using System;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
-	public abstract class CmpObjectIdentifiers
+	public static class CmpObjectIdentifiers
 	{
-		// RFC 4210
-
-		// id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
-		public static readonly DerObjectIdentifier passwordBasedMac = new DerObjectIdentifier("1.2.840.113533.7.66.13");
-
-		// id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
-		public static readonly DerObjectIdentifier dhBasedMac = new DerObjectIdentifier("1.2.840.113533.7.66.30");
-
-		// Example InfoTypeAndValue contents include, but are not limited
-		// to, the following (un-comment in this ASN.1 module and use as
-		// appropriate for a given environment):
-		//
-		// id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1}
-		// CAProtEncCertValue ::= CMPCertificate
-		// id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2}
-		// SignKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
-		// id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3}
-		// EncKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
-		// id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4}
-		// PreferredSymmAlgValue ::= AlgorithmIdentifier
-		// id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5}
-		// CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent
-		// id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6}
-		// CurrentCRLValue ::= CertificateList
-		// id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
-		// UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER
-		// id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10}
-		// KeyPairParamReqValue ::= OBJECT IDENTIFIER
-		// id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11}
-		// KeyPairParamRepValue ::= AlgorithmIdentifer
-		// id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12}
-		// RevPassphraseValue ::= EncryptedValue
-		// id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13}
-		// ImplicitConfirmValue ::= NULL
-		// id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14}
-		// ConfirmWaitTimeValue ::= GeneralizedTime
-		// id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
-		// OrigPKIMessageValue ::= PKIMessages
-		// id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16}
-		// SuppLangTagsValue ::= SEQUENCE OF UTF8String
-		//
-		// where
-		//
-		// id-pkix OBJECT IDENTIFIER ::= {
-		// iso(1) identified-organization(3)
-		// dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
-		// and
-		// id-it OBJECT IDENTIFIER ::= {id-pkix 4}
-		public static readonly DerObjectIdentifier it_caProtEncCert = new DerObjectIdentifier("1.3.6.1.5.5.7.4.1");
-		public static readonly DerObjectIdentifier it_signKeyPairTypes = new DerObjectIdentifier("1.3.6.1.5.5.7.4.2");
-		public static readonly DerObjectIdentifier it_encKeyPairTypes = new DerObjectIdentifier("1.3.6.1.5.5.7.4.3");
-		public static readonly DerObjectIdentifier it_preferredSymAlg = new DerObjectIdentifier("1.3.6.1.5.5.7.4.4");
-		public static readonly DerObjectIdentifier it_caKeyUpdateInfo = new DerObjectIdentifier("1.3.6.1.5.5.7.4.5");
-		public static readonly DerObjectIdentifier it_currentCRL = new DerObjectIdentifier("1.3.6.1.5.5.7.4.6");
-		public static readonly DerObjectIdentifier it_unsupportedOIDs = new DerObjectIdentifier("1.3.6.1.5.5.7.4.7");
-		public static readonly DerObjectIdentifier it_keyPairParamReq = new DerObjectIdentifier("1.3.6.1.5.5.7.4.10");
-		public static readonly DerObjectIdentifier it_keyPairParamRep = new DerObjectIdentifier("1.3.6.1.5.5.7.4.11");
-		public static readonly DerObjectIdentifier it_revPassphrase = new DerObjectIdentifier("1.3.6.1.5.5.7.4.12");
-		public static readonly DerObjectIdentifier it_implicitConfirm = new DerObjectIdentifier("1.3.6.1.5.5.7.4.13");
-		public static readonly DerObjectIdentifier it_confirmWaitTime = new DerObjectIdentifier("1.3.6.1.5.5.7.4.14");
-		public static readonly DerObjectIdentifier it_origPKIMessage = new DerObjectIdentifier("1.3.6.1.5.5.7.4.15");
-		public static readonly DerObjectIdentifier it_suppLangTags = new DerObjectIdentifier("1.3.6.1.5.5.7.4.16");
-
-		// RFC 4211
-
-		// id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
-		// dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
-		//
-		// arc for Internet X.509 PKI protocols and their components
-		// id-pkip OBJECT IDENTIFIER :: { id-pkix pkip(5) }
-		//
-		// arc for Registration Controls in CRMF
-		// id-regCtrl OBJECT IDENTIFIER ::= { id-pkip regCtrl(1) }
-		//
-		// arc for Registration Info in CRMF
-		// id-regInfo OBJECT IDENTIFIER ::= { id-pkip id-regInfo(2) }
-
-		public static readonly DerObjectIdentifier regCtrl_regToken = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.1");
-		public static readonly DerObjectIdentifier regCtrl_authenticator = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.2");
-		public static readonly DerObjectIdentifier regCtrl_pkiPublicationInfo = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.3");
-		public static readonly DerObjectIdentifier regCtrl_pkiArchiveOptions = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.4");
-		public static readonly DerObjectIdentifier regCtrl_oldCertID = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.5");
-		public static readonly DerObjectIdentifier regCtrl_protocolEncrKey = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.6");
-
-		// From RFC4210:
-		// id-regCtrl-altCertTemplate OBJECT IDENTIFIER ::= {id-regCtrl 7}
-		public static readonly DerObjectIdentifier regCtrl_altCertTemplate = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.7");
-
-		public static readonly DerObjectIdentifier regInfo_utf8Pairs = new DerObjectIdentifier("1.3.6.1.5.5.7.5.2.1");
-		public static readonly DerObjectIdentifier regInfo_certReq = new DerObjectIdentifier("1.3.6.1.5.5.7.5.2.2");
-
-		// id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
-		// us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
-		//
-		// id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types
-		//
-		// id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
-		public static readonly DerObjectIdentifier ct_encKeyWithID = new DerObjectIdentifier("1.2.840.113549.1.9.16.1.21");
+        // RFC 4210
+
+        /**
+         * id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
+         */
+        public static readonly DerObjectIdentifier passwordBasedMac = new DerObjectIdentifier("1.2.840.113533.7.66.13");
+
+        /**
+         * id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
+         */
+        public static readonly DerObjectIdentifier dhBasedMac = new DerObjectIdentifier("1.2.840.113533.7.66.30");
+
+        // Example InfoTypeAndValue contents include, but are not limited
+        // to, the following (un-comment in this ASN.1 module and use as
+        // appropriate for a given environment):
+        //
+        //   id-it-caProtEncCert    OBJECT IDENTIFIER ::= {id-it 1}
+        //      CAProtEncCertValue      ::= CMPCertificate
+        //   id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2}
+        //      SignKeyPairTypesValue   ::= SEQUENCE OF AlgorithmIdentifier
+        //   id-it-encKeyPairTypes  OBJECT IDENTIFIER ::= {id-it 3}
+        //      EncKeyPairTypesValue    ::= SEQUENCE OF AlgorithmIdentifier
+        //   id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4}
+        //      PreferredSymmAlgValue   ::= AlgorithmIdentifier
+        //   id-it-caKeyUpdateInfo  OBJECT IDENTIFIER ::= {id-it 5}
+        //      CAKeyUpdateInfoValue    ::= CAKeyUpdAnnContent
+        //   id-it-currentCRL       OBJECT IDENTIFIER ::= {id-it 6}
+        //      CurrentCRLValue         ::= CertificateList
+        //   id-it-unsupportedOIDs  OBJECT IDENTIFIER ::= {id-it 7}
+        //      UnsupportedOIDsValue    ::= SEQUENCE OF OBJECT IDENTIFIER
+        //   id-it-keyPairParamReq  OBJECT IDENTIFIER ::= {id-it 10}
+        //      KeyPairParamReqValue    ::= OBJECT IDENTIFIER
+        //   id-it-keyPairParamRep  OBJECT IDENTIFIER ::= {id-it 11}
+        //      KeyPairParamRepValue    ::= AlgorithmIdentifer
+        //   id-it-revPassphrase    OBJECT IDENTIFIER ::= {id-it 12}
+        //      RevPassphraseValue      ::= EncryptedValue
+        //   id-it-implicitConfirm  OBJECT IDENTIFIER ::= {id-it 13}
+        //      ImplicitConfirmValue    ::= NULL
+        //   id-it-confirmWaitTime  OBJECT IDENTIFIER ::= {id-it 14}
+        //      ConfirmWaitTimeValue    ::= GeneralizedTime
+        //   id-it-origPKIMessage   OBJECT IDENTIFIER ::= {id-it 15}
+        //      OrigPKIMessageValue     ::= PKIMessages
+        //   id-it-suppLangTags     OBJECT IDENTIFIER ::= {id-it 16}
+        //      SuppLangTagsValue       ::= SEQUENCE OF UTF8String
+        //   id-it-certProfile  OBJECT IDENTIFIER ::= {id-it 21}
+        //      CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String
+        // where
+        //
+        //   id-pkix OBJECT IDENTIFIER ::= {
+        //      iso(1) identified-organization(3)
+        //      dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
+        // and
+        //   id-it   OBJECT IDENTIFIER ::= {id-pkix 4}
+
+        /** RFC 4120: it-id: PKIX.4 = 1.3.6.1.5.5.7.4 */
+
+
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.1
+         */
+        public static readonly DerObjectIdentifier it_caProtEncCert = new DerObjectIdentifier("1.3.6.1.5.5.7.4.1");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.2
+         */
+        public static readonly DerObjectIdentifier it_signKeyPairTypes = new DerObjectIdentifier("1.3.6.1.5.5.7.4.2");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.3
+         */
+        public static readonly DerObjectIdentifier it_encKeyPairTypes = new DerObjectIdentifier("1.3.6.1.5.5.7.4.3");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.4
+         */
+        public static readonly DerObjectIdentifier it_preferredSymAlg = new DerObjectIdentifier("1.3.6.1.5.5.7.4.4");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.5
+         */
+        public static readonly DerObjectIdentifier it_caKeyUpdateInfo = new DerObjectIdentifier("1.3.6.1.5.5.7.4.5");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.6
+         */
+        public static readonly DerObjectIdentifier it_currentCRL = new DerObjectIdentifier("1.3.6.1.5.5.7.4.6");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.7
+         */
+        public static readonly DerObjectIdentifier it_unsupportedOIDs = new DerObjectIdentifier("1.3.6.1.5.5.7.4.7");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.10
+         */
+        public static readonly DerObjectIdentifier it_keyPairParamReq = new DerObjectIdentifier("1.3.6.1.5.5.7.4.10");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.11
+         */
+        public static readonly DerObjectIdentifier it_keyPairParamRep = new DerObjectIdentifier("1.3.6.1.5.5.7.4.11");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.12
+         */
+        public static readonly DerObjectIdentifier it_revPassphrase = new DerObjectIdentifier("1.3.6.1.5.5.7.4.12");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.13
+         */
+        public static readonly DerObjectIdentifier it_implicitConfirm = new DerObjectIdentifier("1.3.6.1.5.5.7.4.13");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.14
+         */
+        public static readonly DerObjectIdentifier it_confirmWaitTime = new DerObjectIdentifier("1.3.6.1.5.5.7.4.14");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.15
+         */
+        public static readonly DerObjectIdentifier it_origPKIMessage = new DerObjectIdentifier("1.3.6.1.5.5.7.4.15");
+        /**
+         * RFC 4120: 1.3.6.1.5.5.7.4.16
+         */
+        public static readonly DerObjectIdentifier it_suppLangTags = new DerObjectIdentifier("1.3.6.1.5.5.7.4.16");
+
+        /**
+         * Update 16, RFC 4210
+         * {id-it 17}
+         */
+        public static readonly DerObjectIdentifier id_it_caCerts = new DerObjectIdentifier("1.3.6.1.5.5.7.4.17");
+
+
+        /**
+         * Update 16, RFC 4210
+         * GenRep:    {id-it 18}, RootCaKeyUpdateContent
+         */
+        public static readonly DerObjectIdentifier id_it_rootCaKeyUpdate = new DerObjectIdentifier("1.3.6.1.5.5.7.4.18");
+
+
+        /**
+         * Update 16, RFC 4210
+         * {id-it 19}
+         */
+        public static readonly DerObjectIdentifier id_it_certReqTemplate = new DerObjectIdentifier("1.3.6.1.5.5.7.4.19");
+
+
+        /**
+         * Update 16, RFC 4210
+         * GenMsg:    {id-it 20}, RootCaCertValue
+         */
+        public static readonly DerObjectIdentifier id_it_rootCaCert = new DerObjectIdentifier("1.3.6.1.5.5.7.4.20");
+
+        /**
+         * Update-16 to RFC 4210
+         * id-it-certProfile  OBJECT IDENTIFIER ::= {id-it 21}
+         */
+        public static readonly DerObjectIdentifier id_it_certProfile = new DerObjectIdentifier("1.3.6.1.5.5.7.4.21");
+
+        public static readonly DerObjectIdentifier id_it_crlStatusList = new DerObjectIdentifier("1.3.6.1.5.5.7.4.22");
+
+        public static readonly DerObjectIdentifier id_it_crls = new DerObjectIdentifier("1.3.6.1.5.5.7.4.23");
+
+        // Not yet formally defined.
+
+        //public static readonly DerObjectIdentifier id_it_crlStatusList = null;
+        //public static readonly DerObjectIdentifier id_it_crls = null;
+
+
+        // RFC 4211
+
+        // id-pkix  OBJECT IDENTIFIER  ::= { iso(1) identified-organization(3)
+        //     dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
+        //
+        // arc for Internet X.509 PKI protocols and their components
+        // id-pkip  OBJECT IDENTIFIER :: { id-pkix pkip(5) }
+        //
+        // arc for Registration Controls in CRMF
+        // id-regCtrl  OBJECT IDENTIFIER ::= { id-pkip regCtrl(1) }
+        //
+        // arc for Registration Info in CRMF
+        // id-regInfo       OBJECT IDENTIFIER ::= { id-pkip id-regInfo(2) }
+
+        /**
+         * RFC 4211: it-pkip: PKIX.5 = 1.3.6.1.5.5.7.5
+         */
+        public static readonly DerObjectIdentifier id_pkip = new DerObjectIdentifier("1.3.6.1.5.5.7.5");
+
+        /**
+         * RFC 4211: it-regCtrl: 1.3.6.1.5.5.7.5.1
+         */
+        public static readonly DerObjectIdentifier id_regCtrl = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1");
+        /**
+         * RFC 4211: it-regInfo: 1.3.6.1.5.5.7.5.2
+         */
+        public static readonly DerObjectIdentifier id_regInfo = new DerObjectIdentifier("1.3.6.1.5.5.7.5.2");
+
+
+        /**
+         * 1.3.6.1.5.5.7.5.1.1
+         */
+        public static readonly DerObjectIdentifier regCtrl_regToken = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.1");
+        /**
+         * 1.3.6.1.5.5.7.5.1.2
+         */
+        public static readonly DerObjectIdentifier regCtrl_authenticator = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.2");
+        /**
+         * 1.3.6.1.5.5.7.5.1.3
+         */
+        public static readonly DerObjectIdentifier regCtrl_pkiPublicationInfo = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.3");
+        /**
+         * 1.3.6.1.5.5.7.5.1.4
+         */
+        public static readonly DerObjectIdentifier regCtrl_pkiArchiveOptions = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.4");
+        /**
+         * 1.3.6.1.5.5.7.5.1.5
+         */
+        public static readonly DerObjectIdentifier regCtrl_oldCertID = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.5");
+        /**
+         * 1.3.6.1.5.5.7.5.1.6
+         */
+        public static readonly DerObjectIdentifier regCtrl_protocolEncrKey = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.6");
+
+        /**
+         * From RFC4210:
+         * id-regCtrl-altCertTemplate OBJECT IDENTIFIER ::= {id-regCtrl 7}; 1.3.6.1.5.5.7.1.7
+         */
+        public static readonly DerObjectIdentifier regCtrl_altCertTemplate = new DerObjectIdentifier("1.3.6.1.5.5.7.5.1.7");
+
+        /**
+         * RFC 4211: it-regInfo-utf8Pairs: 1.3.6.1.5.5.7.5.2.1
+         */
+        public static readonly DerObjectIdentifier regInfo_utf8Pairs = new DerObjectIdentifier("1.3.6.1.5.5.7.5.2.1");
+        /**
+         * RFC 4211: it-regInfo-certReq: 1.3.6.1.5.5.7.5.2.1
+         */
+        public static readonly DerObjectIdentifier regInfo_certReq = new DerObjectIdentifier("1.3.6.1.5.5.7.5.2.2");
+
+        /**
+         * 1.2.840.113549.1.9.16.1.21
+         * 

+ * id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types + *

+ * id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} + */ + public static readonly DerObjectIdentifier ct_encKeyWithID = new DerObjectIdentifier("1.2.840.113549.1.9.16.1.21"); + + + /** + * id-regCtrl-algId OBJECT IDENTIFIER ::= { iso(1) + * identified-organization(3) dod(6) internet(1) security(5) + * mechanisms(5) pkix(7) pkip(5) regCtrl(1) 11 } + */ + public static readonly DerObjectIdentifier id_regCtrl_algId = id_pkip.Branch("1.11"); + + /** + * id-regCtrl-rsaKeyLen OBJECT IDENTIFIER ::= { iso(1) + * identified-organization(3) dod(6) internet(1) security(5) + * mechanisms(5) pkix(7) pkip(5) regCtrl(1) 12 } + */ + public static readonly DerObjectIdentifier id_regCtrl_rsaKeyLen = id_pkip.Branch("1.12"); } } diff --git a/crypto/src/asn1/cmp/CrlAnnContent.cs b/crypto/src/asn1/cmp/CrlAnnContent.cs index db8ecfa40..0da25cd0e 100644 --- a/crypto/src/asn1/cmp/CrlAnnContent.cs +++ b/crypto/src/asn1/cmp/CrlAnnContent.cs 
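Review bot: Several of the new doc comments disagree with the values they annotate. The `id-it` constants are labelled `RFC 4120` although the section header and the ASN.1 excerpt above them are from RFC 4210. The comment on `regInfo_certReq` gives `1.3.6.1.5.5.7.5.2.1` while the constant is `1.3.6.1.5.5.7.5.2.2`, and the comment on `regCtrl_altCertTemplate` gives `1.3.6.1.5.5.7.1.7` while the constant is `1.3.6.1.5.5.7.5.1.7`. Since readers match OIDs against these comments, I would correct them to `RFC 4210: 1.3.6.1.5.5.7.4.N`, `RFC 4211: it-regInfo-certReq: 1.3.6.1.5.5.7.5.2.2` and `{id-regCtrl 7}; 1.3.6.1.5.5.7.5.1.7`. The commented-out `id_it_crlStatusList`/`id_it_crls` lines under "Not yet formally defined" contradict the live definitions just above them and should be dropped or reworded.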
@@ -1,39 +1,36 @@ -using System; - using Org.BouncyCastle.Asn1.X509; -using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Asn1.Cmp { public class CrlAnnContent : Asn1Encodable { - private readonly Asn1Sequence content; + public static CrlAnnContent GetInstance(object obj) + { + if (obj is CrlAnnContent crlAnnContent) + return crlAnnContent; - private CrlAnnContent(Asn1Sequence seq) - { - content = seq; - } + if (obj != null) + return new CrlAnnContent(Asn1Sequence.GetInstance(obj)); - public static CrlAnnContent GetInstance(object obj) - { - if (obj is CrlAnnContent) - return (CrlAnnContent)obj; + return null; + } - if (obj is Asn1Sequence) - return new CrlAnnContent((Asn1Sequence)obj); + private readonly Asn1Sequence m_content; - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + private CrlAnnContent(Asn1Sequence seq) + { + m_content = seq; } - public virtual CertificateList[] ToCertificateListArray() + public CrlAnnContent(CertificateList crl) + { + m_content = new DerSequence(crl); + } + + public virtual CertificateList[] ToCertificateListArray() { - CertificateList[] result = new CertificateList[content.Count]; - for (int i = 0; i != result.Length; ++ i) - { - result[i] = CertificateList.GetInstance(content[i]); - } - return result; + return m_content.MapElements(CertificateList.GetInstance); } /** @@ -44,7 +41,7 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public override Asn1Object ToAsn1Object() { - return content; + return m_content; } } } diff --git a/crypto/src/asn1/cmp/CrlSource.cs b/crypto/src/asn1/cmp/CrlSource.cs new file mode 100644 index 000000000..13aaa526a --- /dev/null +++ b/crypto/src/asn1/cmp/CrlSource.cs @@ -0,0 +1,72 @@ +using System; + +using Org.BouncyCastle.Asn1.X509; + +namespace Org.BouncyCastle.Asn1.Cmp +{ + /** + * GenMsg: {id-it TBD1}, SEQUENCE SIZE (1..MAX) OF CRLStatus + * GenRep: {id-it TBD2}, SEQUENCE SIZE (1..MAX) OF + * CertificateList | < absent > + *
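Review bot: `CrlAnnContent.GetInstance` has no doc comment recording that a null argument now yields null, where the removed code threw `ArgumentException("Invalid object: ...")`. A caller that chains straight into `ToCertificateListArray()` would previously have got a descriptive exception and will now dereference null. I would add `/// <returns>The parsed instance, or null when <paramref name="obj"/> is null.</returns>` so the contract is explicit. The same applies to the rewritten `GetInstance` methods of `ErrorMsgContent` and `GenMsgContent` later in the patch.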

+ * CRLSource ::= CHOICE { + * dpn [0] DistributionPointName, + * issuer [1] GeneralNames } + *

+ */ + public class CrlSource + : Asn1Encodable, IAsn1Choice + { + public static CrlSource GetInstance(object obj) + { + if (obj is CrlSource crlSource) + return crlSource; + + if (obj != null) + return new CrlSource(Asn1TaggedObject.GetInstance(obj)); + + return null; + } + + private readonly DistributionPointName m_dpn; + private readonly GeneralNames m_issuer; + + private CrlSource(Asn1TaggedObject taggedObject) + { + switch (taggedObject.TagNo) + { + case 0: + m_dpn = DistributionPointName.GetInstance(taggedObject, true); + m_issuer = null; + break; + case 1: + m_dpn = null; + m_issuer = GeneralNames.GetInstance(taggedObject, true); + break; + default: + throw new ArgumentException("unknown tag: " + Asn1Utilities.GetTagText(taggedObject)); + } + } + + public CrlSource(DistributionPointName dpn, GeneralNames issuer) + { + if ((dpn == null) == (issuer == null)) + throw new ArgumentException("either dpn or issuer must be set"); + + m_dpn = dpn; + m_issuer = issuer; + } + + public virtual DistributionPointName Dpn => m_dpn; + + public virtual GeneralNames Issuer => m_issuer; + + public override Asn1Object ToAsn1Object() + { + if (m_dpn != null) + return new DerTaggedObject(true, 0, m_dpn); + + return new DerTaggedObject(true, 1, m_issuer); + } + } +} diff --git a/crypto/src/asn1/cmp/CrlStatus.cs b/crypto/src/asn1/cmp/CrlStatus.cs new file mode 100644 index 000000000..5bacbbbcc --- /dev/null +++ b/crypto/src/asn1/cmp/CrlStatus.cs 
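Review bot: The message in `CrlSource(DistributionPointName dpn, GeneralNames issuer)` does not match its condition: `(dpn == null) == (issuer == null)` also throws when both arguments are supplied, yet the text reads "either dpn or issuer must be set". A caller passing both would be told to set something that is already set. Something like `throw new ArgumentException("exactly one of dpn or issuer must be set");` states the CHOICE constraint that is actually enforced.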
@@ -0,0 +1,61 @@ +using System; + +using Org.BouncyCastle.Asn1.X509; + +namespace Org.BouncyCastle.Asn1.Cmp +{ + /** + * CRLStatus ::= SEQUENCE { + * source CRLSource, + * thisUpdate Time OPTIONAL } + */ + public class CrlStatus + : Asn1Encodable + { + public static CrlStatus GetInstance(object obj) + { + if (obj is CrlStatus crlStatus) + return crlStatus; + + if (obj != null) + return new CrlStatus(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly CrlSource m_source; + private readonly Time m_thisUpdate; + + private CrlStatus(Asn1Sequence sequence) + { + int count = sequence.Count; + if (count < 1 || count > 2) + throw new ArgumentException("expected sequence size of 1 or 2, got " + count); + + m_source = CrlSource.GetInstance(sequence[0]); + + if (sequence.Count == 2) + { + m_thisUpdate = Time.GetInstance(sequence[1]); + } + } + + public CrlStatus(CrlSource source, Time thisUpdate) + { + m_source = source; + m_thisUpdate = thisUpdate; + } + + public virtual CrlSource Source => m_source; + + public virtual Time ThisUpdate => m_thisUpdate; + + public override Asn1Object ToAsn1Object() + { + if (m_thisUpdate == null) + return new DerSequence(m_source); + + return new DerSequence(m_source, m_thisUpdate); + } + } +} diff --git a/crypto/src/asn1/cmp/DhbmParameter.cs b/crypto/src/asn1/cmp/DhbmParameter.cs new file mode 100644 index 000000000..aaf71f70e --- /dev/null +++ b/crypto/src/asn1/cmp/DhbmParameter.cs 
@@ -0,0 +1,56 @@ +using System; + +using Org.BouncyCastle.Asn1.X509; + +namespace Org.BouncyCastle.Asn1.Cmp +{ + /** + * DHBMParameter ::= SEQUENCE { + * owf AlgorithmIdentifier, + * -- AlgId for a One-Way Function (SHA-1 recommended) + * mac AlgorithmIdentifier + * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], + * } -- or HMAC [RFC2104, RFC2202]) + */ + public class DhbmParameter + : Asn1Encodable + { + public static DhbmParameter GetInstance(object obj) + { + if (obj is DhbmParameter dhbmParameter) + return dhbmParameter; + + if (obj != null) + return new DhbmParameter(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly AlgorithmIdentifier m_owf; + private readonly AlgorithmIdentifier m_mac; + + private DhbmParameter(Asn1Sequence sequence) + { + if (sequence.Count != 2) + throw new ArgumentException("expecting sequence size of 2"); + + m_owf = AlgorithmIdentifier.GetInstance(sequence[0]); + m_mac = AlgorithmIdentifier.GetInstance(sequence[1]); + } + + public DhbmParameter(AlgorithmIdentifier owf, AlgorithmIdentifier mac) + { + m_owf = owf; + m_mac = mac; + } + + public virtual AlgorithmIdentifier Owf => m_owf; + + public virtual AlgorithmIdentifier Mac => m_mac; + + public override Asn1Object ToAsn1Object() + { + return new DerSequence(m_owf, m_mac); + } + } +} diff --git a/crypto/src/asn1/cmp/ErrorMsgContent.cs b/crypto/src/asn1/cmp/ErrorMsgContent.cs index 5d2132bb8..fe8318aab 100644 --- a/crypto/src/asn1/cmp/ErrorMsgContent.cs +++ b/crypto/src/asn1/cmp/ErrorMsgContent.cs @@ -1,45 +1,54 @@ using System; -using Org.BouncyCastle.Utilities; - namespace Org.BouncyCastle.Asn1.Cmp { - public class ErrorMsgContent + /** + *
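Review bot: The class comment on `DhbmParameter` reproduces the RFC's ASN.1 remarks ("SHA-1 recommended", "DES-MAC, Triple-DES-MAC") without saying that the type enforces none of it. Both the constructor and the parser accept any `AlgorithmIdentifier` for `owf` and `mac`. I would add one line after the ASN.1 block, for example `* Note: the algorithm remarks above are quoted from the RFC; this class performs no algorithm policy check, so callers must validate owf and mac.` That way a reader does not take the quoted recommendation as current guidance or assume that weak identifiers are rejected here.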

+     *      ErrorMsgContent ::= SEQUENCE {
+     *          pKIStatusInfo          PKIStatusInfo,
+     *          errorCode              INTEGER           OPTIONAL,
+     *          -- implementation-specific error codes
+     *          errorDetails           PKIFreeText       OPTIONAL
+     *          -- implementation-specific error details
+     *      }
+     * 
+ */ + public class ErrorMsgContent : Asn1Encodable { - private readonly PkiStatusInfo pkiStatusInfo; - private readonly DerInteger errorCode; - private readonly PkiFreeText errorDetails; + public static ErrorMsgContent GetInstance(object obj) + { + if (obj is ErrorMsgContent errorMsgContent) + return errorMsgContent; + + if (obj != null) + return new ErrorMsgContent(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly PkiStatusInfo m_pkiStatusInfo; + private readonly DerInteger m_errorCode; + private readonly PkiFreeText m_errorDetails; private ErrorMsgContent(Asn1Sequence seq) { - pkiStatusInfo = PkiStatusInfo.GetInstance(seq[0]); + m_pkiStatusInfo = PkiStatusInfo.GetInstance(seq[0]); for (int pos = 1; pos < seq.Count; ++pos) { Asn1Encodable ae = seq[pos]; if (ae is DerInteger) { - errorCode = DerInteger.GetInstance(ae); + m_errorCode = DerInteger.GetInstance(ae); } else { - errorDetails = PkiFreeText.GetInstance(ae); + m_errorDetails = PkiFreeText.GetInstance(ae); } } } - public static ErrorMsgContent GetInstance(object obj) - { - if (obj is ErrorMsgContent) - return (ErrorMsgContent)obj; - - if (obj is Asn1Sequence) - return new ErrorMsgContent((Asn1Sequence)obj); - - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); - } - public ErrorMsgContent(PkiStatusInfo pkiStatusInfo) : this(pkiStatusInfo, null, null) { 
@@ -51,27 +60,18 @@ namespace Org.BouncyCastle.Asn1.Cmp PkiFreeText errorDetails) { if (pkiStatusInfo == null) - throw new ArgumentNullException("pkiStatusInfo"); + throw new ArgumentNullException(nameof(pkiStatusInfo)); - this.pkiStatusInfo = pkiStatusInfo; - this.errorCode = errorCode; - this.errorDetails = errorDetails; - } - - public virtual PkiStatusInfo PkiStatusInfo - { - get { return pkiStatusInfo; } + m_pkiStatusInfo = pkiStatusInfo; + m_errorCode = errorCode; + m_errorDetails = errorDetails; } - public virtual DerInteger ErrorCode - { - get { return errorCode; } - } + public virtual PkiStatusInfo PkiStatusInfo => m_pkiStatusInfo; - public virtual PkiFreeText ErrorDetails - { - get { return errorDetails; } - } + public virtual DerInteger ErrorCode => m_errorCode; + + public virtual PkiFreeText ErrorDetails => m_errorDetails; /** *
@@ -87,8 +87,8 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			Asn1EncodableVector v = new Asn1EncodableVector(pkiStatusInfo);
-			v.AddOptional(errorCode, errorDetails);
+			Asn1EncodableVector v = new Asn1EncodableVector(m_pkiStatusInfo);
+			v.AddOptional(m_errorCode, m_errorDetails);
 			return new DerSequence(v);
 		}
 	}
diff --git a/crypto/src/asn1/cmp/GenMsgContent.cs b/crypto/src/asn1/cmp/GenMsgContent.cs
index f3142b5c6..b4673b76a 100644
--- a/crypto/src/asn1/cmp/GenMsgContent.cs
+++ b/crypto/src/asn1/cmp/GenMsgContent.cs
@@ -1,43 +1,42 @@
-using System;
-
-using Org.BouncyCastle.Utilities;
-
 namespace Org.BouncyCastle.Asn1.Cmp
 {
-	public class GenMsgContent
+    /**
+     * 
GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
+ */ + public class GenMsgContent : Asn1Encodable { - private readonly Asn1Sequence content; + public static GenMsgContent GetInstance(object obj) + { + if (obj is GenMsgContent genMsgContent) + return genMsgContent; - private GenMsgContent(Asn1Sequence seq) - { - content = seq; - } + if (obj != null) + return new GenMsgContent(Asn1Sequence.GetInstance(obj)); - public static GenMsgContent GetInstance(object obj) - { - if (obj is GenMsgContent) - return (GenMsgContent)obj; + return null; + } - if (obj is Asn1Sequence) - return new GenMsgContent((Asn1Sequence)obj); + private readonly Asn1Sequence m_content; - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + private GenMsgContent(Asn1Sequence seq) + { + m_content = seq; } - public GenMsgContent(params InfoTypeAndValue[] itv) + public GenMsgContent(InfoTypeAndValue itv) + { + m_content = new DerSequence(itv); + } + + public GenMsgContent(params InfoTypeAndValue[] itvs) { - content = new DerSequence(itv); + m_content = new DerSequence(itvs); } public virtual InfoTypeAndValue[] ToInfoTypeAndValueArray() { - InfoTypeAndValue[] result = new InfoTypeAndValue[content.Count]; - for (int i = 0; i != result.Length; ++i) - { - result[i] = InfoTypeAndValue.GetInstance(content[i]); - } - return result; + return m_content.MapElements(InfoTypeAndValue.GetInstance); } /** @@ -48,7 +47,7 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public override Asn1Object ToAsn1Object() { - return content; + return m_content; } } } diff --git a/crypto/src/asn1/cmp/GenRepContent.cs b/crypto/src/asn1/cmp/GenRepContent.cs index 3c3573e37..38f91061c 100644 --- a/crypto/src/asn1/cmp/GenRepContent.cs +++ b/crypto/src/asn1/cmp/GenRepContent.cs 
@@ -1,43 +1,39 @@ -using System; - -using Org.BouncyCastle.Utilities; - namespace Org.BouncyCastle.Asn1.Cmp { public class GenRepContent : Asn1Encodable { - private readonly Asn1Sequence content; + public static GenRepContent GetInstance(object obj) + { + if (obj is GenRepContent genRepContent) + return genRepContent; - private GenRepContent(Asn1Sequence seq) - { - content = seq; - } + if (obj != null) + return new GenRepContent(Asn1Sequence.GetInstance(obj)); - public static GenRepContent GetInstance(object obj) - { - if (obj is GenRepContent) - return (GenRepContent)obj; + return null; + } - if (obj is Asn1Sequence) - return new GenRepContent((Asn1Sequence)obj); + private readonly Asn1Sequence m_content; - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + private GenRepContent(Asn1Sequence seq) + { + m_content = seq; } - public GenRepContent(params InfoTypeAndValue[] itv) + public GenRepContent(InfoTypeAndValue itv) + { + m_content = new DerSequence(itv); + } + + public GenRepContent(params InfoTypeAndValue[] itvs) { - content = new DerSequence(itv); + m_content = new DerSequence(itvs); } public virtual InfoTypeAndValue[] ToInfoTypeAndValueArray() { - InfoTypeAndValue[] result = new InfoTypeAndValue[content.Count]; - for (int i = 0; i != result.Length; ++i) - { - result[i] = InfoTypeAndValue.GetInstance(content[i]); - } - return result; + return m_content.MapElements(InfoTypeAndValue.GetInstance); } /** @@ -48,7 +44,7 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public override Asn1Object ToAsn1Object() { - return content; + return m_content; } } } diff --git a/crypto/src/asn1/cmp/InfoTypeAndValue.cs b/crypto/src/asn1/cmp/InfoTypeAndValue.cs index 305d6e5e7..08ad68a42 100644 --- a/crypto/src/asn1/cmp/InfoTypeAndValue.cs +++ b/crypto/src/asn1/cmp/InfoTypeAndValue.cs 
@@ -50,54 +50,47 @@ namespace Org.BouncyCastle.Asn1.Cmp public class InfoTypeAndValue : Asn1Encodable { - private readonly DerObjectIdentifier infoType; - private readonly Asn1Encodable infoValue; + private readonly DerObjectIdentifier m_infoType; + private readonly Asn1Encodable m_infoValue; private InfoTypeAndValue(Asn1Sequence seq) { - infoType = DerObjectIdentifier.GetInstance(seq[0]); + m_infoType = DerObjectIdentifier.GetInstance(seq[0]); if (seq.Count > 1) { - infoValue = (Asn1Encodable)seq[1]; + m_infoValue = seq[1]; } } public static InfoTypeAndValue GetInstance(object obj) { - if (obj is InfoTypeAndValue) - return (InfoTypeAndValue)obj; + if (obj is InfoTypeAndValue infoTypeAndValue) + return infoTypeAndValue; - if (obj is Asn1Sequence) - return new InfoTypeAndValue((Asn1Sequence)obj); + if (obj != null) + return new InfoTypeAndValue(Asn1Sequence.GetInstance(obj)); - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + return null; } - public InfoTypeAndValue( - DerObjectIdentifier infoType) + public InfoTypeAndValue(DerObjectIdentifier infoType) + : this(infoType, null) { - this.infoType = infoType; - this.infoValue = null; } - public InfoTypeAndValue( - DerObjectIdentifier infoType, - Asn1Encodable optionalValue) + public InfoTypeAndValue(DerObjectIdentifier infoType, Asn1Encodable infoValue) { - this.infoType = infoType; - this.infoValue = optionalValue; - } + if (infoType == null) + throw new ArgumentNullException(nameof(infoType)); - public virtual DerObjectIdentifier InfoType - { - get { return infoType; } + m_infoType = infoType; + m_infoValue = infoValue; } - public virtual Asn1Encodable InfoValue - { - get { return infoValue; } - } + public virtual DerObjectIdentifier InfoType => m_infoType; + + public virtual Asn1Encodable InfoValue => m_infoValue; /** *
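Review bot: The private `InfoTypeAndValue(Asn1Sequence seq)` constructor still reads `seq[0]` and, when `seq.Count > 1`, `seq[1]` without checking the element count. An empty sequence therefore presumably fails inside the indexer rather than with an `ArgumentException`, and anything after the second element is silently dropped. Since this type is decoded from received CMP messages, a guard at the top of the constructor would make malformed input fail early and uniformly: `if (seq.Count < 1 || seq.Count > 2) throw new ArgumentException("Bad sequence size: " + seq.Count, nameof(seq));`. The public two-argument constructor gains a null check for `infoType` in this hunk, and the decoding path deserves the same strictness.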
@@ -110,9 +103,10 @@ namespace Org.BouncyCastle.Asn1.Cmp
          */
         public override Asn1Object ToAsn1Object()
         {
-            Asn1EncodableVector v = new Asn1EncodableVector(infoType);
-            v.AddOptional(infoValue);
-            return new DerSequence(v);
+            if (m_infoValue == null)
+                return new DerSequence(m_infoType);
+
+            return new DerSequence(m_infoType, m_infoValue);
         }
     }
 }
diff --git a/crypto/src/asn1/cmp/KeyRecRepContent.cs b/crypto/src/asn1/cmp/KeyRecRepContent.cs
index e35c0e351..6c5ef62f2 100644
--- a/crypto/src/asn1/cmp/KeyRecRepContent.cs
+++ b/crypto/src/asn1/cmp/KeyRecRepContent.cs
@@ -1,20 +1,29 @@
 using System;
 
-using Org.BouncyCastle.Utilities;
-
 namespace Org.BouncyCastle.Asn1.Cmp
 {
 	public class KeyRecRepContent
 		: Asn1Encodable
 	{
-		private readonly PkiStatusInfo status;
-		private readonly CmpCertificate newSigCert;
-		private readonly Asn1Sequence caCerts;
-		private readonly Asn1Sequence keyPairHist;
+        public static KeyRecRepContent GetInstance(object obj)
+        {
+			if (obj is KeyRecRepContent keyRecRepContent)
+				return keyRecRepContent;
+
+			if (obj != null)
+				return new KeyRecRepContent(Asn1Sequence.GetInstance(obj));
+
+			return null;
+        }
+
+        private readonly PkiStatusInfo m_status;
+		private readonly CmpCertificate m_newSigCert;
+		private readonly Asn1Sequence m_caCerts;
+		private readonly Asn1Sequence m_keyPairHist;
 
 		private KeyRecRepContent(Asn1Sequence seq)
 		{
-			status = PkiStatusInfo.GetInstance(seq[0]);
+			m_status = PkiStatusInfo.GetInstance(seq[0]);
 
 			for (int pos = 1; pos < seq.Count; ++pos)
 			{
@@ -22,66 +31,39 @@ namespace Org.BouncyCastle.Asn1.Cmp
 
 				switch (tObj.TagNo)
 				{
-					case 0:
-						newSigCert = CmpCertificate.GetInstance(tObj.GetObject());
-						break;
-					case 1:
-						caCerts = Asn1Sequence.GetInstance(tObj.GetObject());
-						break;
-					case 2:
-						keyPairHist = Asn1Sequence.GetInstance(tObj.GetObject());
-						break;
-					default:
-						throw new ArgumentException("unknown tag number: " + tObj.TagNo, "seq");
+				case 0:
+					m_newSigCert = CmpCertificate.GetInstance(tObj.GetObject());
+					break;
+				case 1:
+					m_caCerts = Asn1Sequence.GetInstance(tObj.GetObject());
+					break;
+				case 2:
+					m_keyPairHist = Asn1Sequence.GetInstance(tObj.GetObject());
+					break;
+				default:
+					throw new ArgumentException("unknown tag number: " + tObj.TagNo, "seq");
 				}
 			}
 		}
 
-		public static KeyRecRepContent GetInstance(object obj)
-		{
-			if (obj is KeyRecRepContent)
-				return (KeyRecRepContent)obj;
+		public virtual PkiStatusInfo Status => m_status;
 
-			if (obj is Asn1Sequence)
-				return new KeyRecRepContent((Asn1Sequence)obj);
-
-            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj");
-		}
-
-		public virtual PkiStatusInfo Status
-		{
-			get { return status; }
-		}
-
-		public virtual CmpCertificate NewSigCert
-		{
-			get { return newSigCert; }
-		}
+		public virtual CmpCertificate NewSigCert => m_newSigCert;
 
 		public virtual CmpCertificate[] GetCACerts()
 		{
-			if (caCerts == null)
+			if (m_caCerts == null)
 				return null;
 
-			CmpCertificate[] results = new CmpCertificate[caCerts.Count];
-			for (int i = 0; i != results.Length; ++i)
-			{
-				results[i] = CmpCertificate.GetInstance(caCerts[i]);
-			}
-			return results;
+			return m_caCerts.MapElements(CmpCertificate.GetInstance);
 		}
 
 		public virtual CertifiedKeyPair[] GetKeyPairHist()
 		{
-			if (keyPairHist == null)
+			if (m_keyPairHist == null)
 				return null;
 
-			CertifiedKeyPair[] results = new CertifiedKeyPair[keyPairHist.Count];
-			for (int i = 0; i != results.Length; ++i)
-			{
-				results[i] = CertifiedKeyPair.GetInstance(keyPairHist[i]);
-			}
-			return results;
+			return m_keyPairHist.MapElements(CertifiedKeyPair.GetInstance);
 		}
 
 		/**
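Review bot: The `switch (tObj.TagNo)` in the private constructor assigns `m_newSigCert`, `m_caCerts` and `m_keyPairHist` without checking that each tag appears at most once and in ascending order, so a sequence carrying two `[0]` elements is accepted and the later one wins. For a structure decoded from a peer, rejecting that keeps this parser from disagreeing with a stricter one about which certificate the message carries. Tracking the last tag seen and adding `if (tObj.TagNo <= lastTagNo) throw new ArgumentException("tags repeated or out of order", nameof(seq));` before the switch would do it. The loop header and the `tObj` declaration sit outside this hunk. Separately, `GetCACerts()` and `GetKeyPairHist()` return null rather than an empty array when the field is absent, which is worth a one-line comment on each.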
@@ -99,10 +81,10 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			Asn1EncodableVector v = new Asn1EncodableVector(status);
-            v.AddOptionalTagged(true, 0, newSigCert);
-            v.AddOptionalTagged(true, 1, caCerts);
-            v.AddOptionalTagged(true, 2, keyPairHist);
+			Asn1EncodableVector v = new Asn1EncodableVector(m_status);
+            v.AddOptionalTagged(true, 0, m_newSigCert);
+            v.AddOptionalTagged(true, 1, m_caCerts);
+            v.AddOptionalTagged(true, 2, m_keyPairHist);
 			return new DerSequence(v);
 		}
 	}
diff --git a/crypto/src/asn1/cmp/NestedMessageContent.cs b/crypto/src/asn1/cmp/NestedMessageContent.cs
new file mode 100644
index 000000000..907fc7135
--- /dev/null
+++ b/crypto/src/asn1/cmp/NestedMessageContent.cs
@@ -0,0 +1,35 @@
+namespace Org.BouncyCastle.Asn1.Cmp
+{
+    /**
+     * NestedMessageContent ::= PKIMessages
+     */
+    public class NestedMessageContent
+        : PkiMessages
+    {
+        public static NestedMessageContent GetInstance(object obj)
+        {
+            if (obj is NestedMessageContent nestedMessageContent)
+                return nestedMessageContent;
+
+            if (obj != null)
+                return new NestedMessageContent(Asn1Sequence.GetInstance(obj));
+
+            return null;
+        }
+
+        public NestedMessageContent(PkiMessage msg)
+            : base(msg)
+        {
+        }
+
+        public NestedMessageContent(PkiMessage[] msgs)
+            : base(msgs)
+        {
+        }
+
+        public NestedMessageContent(Asn1Sequence seq)
+            : base(seq)
+        {
+        }
+    }
+}
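Review bot: Nothing on this page routes decoding through the new type. `PkiBody.GetBodyForType` still returns `PkiMessages.GetInstance(o)` for `TYPE_NESTED`, so `PkiBody.Content` for a nested message will presumably be a plain `PkiMessages`, and a caller's cast to `NestedMessageContent` would fail. If that deliberately mirrors the upstream Java code, a comment on the class telling callers to use `NestedMessageContent.GetInstance(body.Content)` would spare them the surprise. `GetInstance` also relies on `Asn1Sequence.GetInstance` accepting a `PkiMessages` instance, which is not visible here and is worth covering with a unit test.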
diff --git a/crypto/src/asn1/cmp/OobCert.cs b/crypto/src/asn1/cmp/OobCert.cs
new file mode 100644
index 000000000..d47b87215
--- /dev/null
+++ b/crypto/src/asn1/cmp/OobCert.cs
@@ -0,0 +1,68 @@
+using System;
+using System.IO;
+
+using Org.BouncyCastle.Asn1.X509;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Asn1.Cmp
+{
+    /**
+     * OOBCert ::= CMPCertificate
+     */
+    public class OobCert
+        : CmpCertificate
+    {
+        public static OobCert GetInstance(object obj)
+        {
+            if (obj == null)
+                return null;
+
+            if (obj is OobCert oobCert)
+                return oobCert;
+
+            if (obj is CmpCertificate cmpCertificate)
+                return GetInstance(cmpCertificate.GetEncoded());
+
+            if (obj is byte[] bs)
+            {
+                try
+                {
+                    obj = Asn1Object.FromByteArray(bs);
+                }
+                catch (IOException)
+                {
+                    throw new ArgumentException("Invalid encoding in OobCert");
+                }
+            }
+
+            if (obj is Asn1Sequence seq)
+                return new OobCert(X509CertificateStructure.GetInstance(obj));
+
+            if (obj is Asn1TaggedObject taggedObject)
+                return new OobCert(taggedObject.TagNo, taggedObject.GetObject());
+
+            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), nameof(obj));
+        }
+
+        public static OobCert GetInstance(Asn1TaggedObject taggedObject, bool declaredExplicit)
+        {
+            if (taggedObject == null)
+                return null;
+
+            if (!declaredExplicit)
+                throw new ArgumentException("tag must be explicit");
+
+            return GetInstance(taggedObject.GetObject());
+        }
+
+        public OobCert(int type, Asn1Encodable otherCert)
+            : base(type, otherCert)
+        {
+        }
+
+        public OobCert(X509CertificateStructure x509v3PKCert)
+            : base(x509v3PKCert)
+        {
+        }
+    }
+}
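Review bot: The `catch (IOException)` in `GetInstance(object)` discards the decoder's exception and omits the parameter name, so a caller handling a rejected out-of-band certificate cannot tell why the bytes failed to parse. `catch (IOException e) { throw new ArgumentException("Invalid encoding in OobCert", nameof(obj), e); }` keeps the cause. In the `Asn1Sequence` branch the pattern variable `seq` is declared but `obj` is passed on, so `X509CertificateStructure.GetInstance(seq)` would read more directly. The `CmpCertificate` branch re-encodes and re-parses the object through `GetEncoded()`; a short comment saying whether that round trip is intentional would help.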
diff --git a/crypto/src/asn1/cmp/OobCertHash.cs b/crypto/src/asn1/cmp/OobCertHash.cs
index 434939c0e..a18ff300d 100644
--- a/crypto/src/asn1/cmp/OobCertHash.cs
+++ b/crypto/src/asn1/cmp/OobCertHash.cs
@@ -6,18 +6,40 @@ using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
-	public class OobCertHash
+    /**
+     * 
+     * OOBCertHash ::= SEQUENCE {
+     * hashAlg     [0] AlgorithmIdentifier     OPTIONAL,
+     * certId      [1] CertId                  OPTIONAL,
+     * hashVal         BIT STRING
+     * -- hashVal is calculated over the DER encoding of the
+     * -- self-signed certificate with the identifier certID.
+     * }
+     * 
+ */ + public class OobCertHash : Asn1Encodable { - private readonly AlgorithmIdentifier hashAlg; - private readonly CertId certId; - private readonly DerBitString hashVal; + public static OobCertHash GetInstance(object obj) + { + if (obj is OobCertHash oobCertHash) + return oobCertHash; + + if (obj != null) + return new OobCertHash(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly AlgorithmIdentifier m_hashAlg; + private readonly CertId m_certId; + private readonly DerBitString m_hashVal; private OobCertHash(Asn1Sequence seq) { int index = seq.Count - 1; - hashVal = DerBitString.GetInstance(seq[index--]); + m_hashVal = DerBitString.GetInstance(seq[index--]); for (int i = index; i >= 0; i--) { @@ -25,36 +47,21 @@ namespace Org.BouncyCastle.Asn1.Cmp if (tObj.TagNo == 0) { - hashAlg = AlgorithmIdentifier.GetInstance(tObj, true); + m_hashAlg = AlgorithmIdentifier.GetInstance(tObj, true); } else { - certId = CertId.GetInstance(tObj, true); + m_certId = CertId.GetInstance(tObj, true); } } } - public static OobCertHash GetInstance(object obj) - { - if (obj is OobCertHash) - return (OobCertHash)obj; + public virtual CertId CertID => m_certId; - if (obj is Asn1Sequence) - return new OobCertHash((Asn1Sequence)obj); + public virtual AlgorithmIdentifier HashAlg => m_hashAlg; + + public virtual DerBitString HashVal => m_hashVal; - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); - } - - public virtual AlgorithmIdentifier HashAlg - { - get { return hashAlg; } - } - - public virtual CertId CertID - { - get { return certId; } - } - /** *
 		 * OobCertHash ::= SEQUENCE {
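Review bot: In the private constructor the `else` branch treats every tag other than 0 as `certId`, so a tagged element numbered 2 or higher is handed to `CertId.GetInstance(tObj, true)` instead of being rejected. `KeyRecRepContent` on this page throws `ArgumentException("unknown tag number: ...")` for the same situation. Doing likewise here makes the decoders consistent: `else if (tObj.TagNo == 1) { m_certId = CertId.GetInstance(tObj, true); } else { throw new ArgumentException("unknown tag number: " + tObj.TagNo, nameof(seq)); }`. The constructor starts in the previous hunk, where `seq[index--]` is read with `index = seq.Count - 1` and no check for an empty sequence. The `tObj` declaration falls between the two hunks.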
@@ -70,9 +77,9 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		public override Asn1Object ToAsn1Object()
 		{
 			Asn1EncodableVector v = new Asn1EncodableVector();
-            v.AddOptionalTagged(true, 0, hashAlg);
-            v.AddOptionalTagged(true, 1, certId);
-			v.Add(hashVal);
+            v.AddOptionalTagged(true, 0, m_hashAlg);
+            v.AddOptionalTagged(true, 1, m_certId);
+			v.Add(m_hashVal);
 			return new DerSequence(v);
 		}
 	}
diff --git a/crypto/src/asn1/cmp/PKIBody.cs b/crypto/src/asn1/cmp/PKIBody.cs
index f17eed64d..68f63ab0b 100644
--- a/crypto/src/asn1/cmp/PKIBody.cs
+++ b/crypto/src/asn1/cmp/PKIBody.cs
@@ -6,6 +6,37 @@ using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
+    /**
+     * PKIBody ::= CHOICE {       -- message-specific body elements
+     *          ir       [0]  CertReqMessages,        --Initialization Request
+     *          ip       [1]  CertRepMessage,         --Initialization Response
+     *          cr       [2]  CertReqMessages,        --Certification Request
+     *          cp       [3]  CertRepMessage,         --Certification Response
+     *          p10cr    [4]  CertificationRequest,   --imported from [PKCS10]
+     *          popdecc  [5]  POPODecKeyChallContent, --pop Challenge
+     *          popdecr  [6]  POPODecKeyRespContent,  --pop Response
+     *          kur      [7]  CertReqMessages,        --Key Update Request
+     *          kup      [8]  CertRepMessage,         --Key Update Response
+     *          krr      [9]  CertReqMessages,        --Key Recovery Request
+     *          krp      [10] KeyRecRepContent,       --Key Recovery Response
+     *          rr       [11] RevReqContent,          --Revocation Request
+     *          rp       [12] RevRepContent,          --Revocation Response
+     *          ccr      [13] CertReqMessages,        --Cross-Cert. Request
+     *          ccp      [14] CertRepMessage,         --Cross-Cert. Response
+     *          ckuann   [15] CAKeyUpdAnnContent,     --CA Key Update Ann.
+     *          cann     [16] CertAnnContent,         --Certificate Ann.
+     *          rann     [17] RevAnnContent,          --Revocation Ann.
+     *          crlann   [18] CRLAnnContent,          --CRL Announcement
+     *          pkiconf  [19] PKIConfirmContent,      --Confirmation
+     *          nested   [20] NestedMessageContent,   --Nested Message
+     *          genm     [21] GenMsgContent,          --General Message
+     *          genp     [22] GenRepContent,          --General Response
+     *          error    [23] ErrorMsgContent,        --Error Message
+     *          certConf [24] CertConfirmContent,     --Certificate confirm
+     *          pollReq  [25] PollReqContent,         --Polling request
+     *          pollRep  [26] PollRepContent          --Polling response
+     *      }
+     */
     public class PkiBody
         : Asn1Encodable, IAsn1Choice
     {
@@ -37,24 +68,27 @@ namespace Org.BouncyCastle.Asn1.Cmp
         public const int TYPE_POLL_REQ = 25;
         public const int TYPE_POLL_REP = 26;
 
-        private int tagNo;
-        private Asn1Encodable body;
-
         public static PkiBody GetInstance(object obj)
         {
-            if (obj is PkiBody)
-                return (PkiBody)obj;
+            if (obj == null)
+                return null;
+
+            if (obj is PkiBody pkiBody)
+                return pkiBody;
 
-            if (obj is Asn1TaggedObject)
-                return new PkiBody((Asn1TaggedObject)obj);
+            if (obj is Asn1TaggedObject taggedObject)
+                return new PkiBody(taggedObject);
 
-            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj");
+            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), nameof(obj));
         }
 
-        private PkiBody(Asn1TaggedObject tagged)
+        private readonly int m_tagNo;
+        private readonly Asn1Encodable m_body;
+
+        private PkiBody(Asn1TaggedObject taggedObject)
         {
-            tagNo = tagged.TagNo;
-            body = GetBodyForType(tagNo, tagged.GetObject());
+            m_tagNo = taggedObject.TagNo;
+            m_body = GetBodyForType(m_tagNo, taggedObject.GetObject());
         }
 
         /**
@@ -62,88 +96,78 @@ namespace Org.BouncyCastle.Asn1.Cmp
          * @param type one of the TYPE_* constants
          * @param content message content
          */
-        public PkiBody(
-            int type,
-            Asn1Encodable content)
+        public PkiBody(int type, Asn1Encodable content)
         {
-            tagNo = type;
-            body = GetBodyForType(type, content);
+            m_tagNo = type;
+            m_body = GetBodyForType(type, content);
         }
 
-        private static Asn1Encodable GetBodyForType(
-            int type,
-            Asn1Encodable o)
+        private static Asn1Encodable GetBodyForType(int type, Asn1Encodable o)
         {
             switch (type)
             {
-                case TYPE_INIT_REQ:
-                    return CertReqMessages.GetInstance(o);
-	            case TYPE_INIT_REP:
-	                return CertRepMessage.GetInstance(o);
-                case TYPE_CERT_REQ:
-                    return CertReqMessages.GetInstance(o);
-	            case TYPE_CERT_REP:
-	                return CertRepMessage.GetInstance(o);
-	            case TYPE_P10_CERT_REQ:
-	                return CertificationRequest.GetInstance(o);
-	            case TYPE_POPO_CHALL:
-	                return PopoDecKeyChallContent.GetInstance(o);
-	            case TYPE_POPO_REP:
-	                return PopoDecKeyRespContent.GetInstance(o);
-                case TYPE_KEY_UPDATE_REQ:
-                    return CertReqMessages.GetInstance(o);
-	            case TYPE_KEY_UPDATE_REP:
-	                return CertRepMessage.GetInstance(o);
-                case TYPE_KEY_RECOVERY_REQ:
-                    return CertReqMessages.GetInstance(o);
-	            case TYPE_KEY_RECOVERY_REP:
-	                return KeyRecRepContent.GetInstance(o);
-	            case TYPE_REVOCATION_REQ:
-	                return RevReqContent.GetInstance(o);
-	            case TYPE_REVOCATION_REP:
-	                return RevRepContent.GetInstance(o);
-                case TYPE_CROSS_CERT_REQ:
-                    return CertReqMessages.GetInstance(o);
-	            case TYPE_CROSS_CERT_REP:
-	                return CertRepMessage.GetInstance(o);
-	            case TYPE_CA_KEY_UPDATE_ANN:
-	                return CAKeyUpdAnnContent.GetInstance(o);
-	            case TYPE_CERT_ANN:
-	                return CmpCertificate.GetInstance(o);
-	            case TYPE_REVOCATION_ANN:
-	                return RevAnnContent.GetInstance(o);
-	            case TYPE_CRL_ANN:
-	                return CrlAnnContent.GetInstance(o);
-	            case TYPE_CONFIRM:
-	                return PkiConfirmContent.GetInstance(o);
-                case TYPE_NESTED:
-                    return PkiMessages.GetInstance(o);
-	            case TYPE_GEN_MSG:
-	                return GenMsgContent.GetInstance(o);
-	            case TYPE_GEN_REP:
-	                return GenRepContent.GetInstance(o);
-	            case TYPE_ERROR:
-	                return ErrorMsgContent.GetInstance(o);
-	            case TYPE_CERT_CONFIRM:
-	                return CertConfirmContent.GetInstance(o);
-	            case TYPE_POLL_REQ:
-	                return PollReqContent.GetInstance(o);
-	            case TYPE_POLL_REP:
-	                return PollRepContent.GetInstance(o);
-	            default:
-	                throw new ArgumentException("unknown tag number: " + type, "type");
+            case TYPE_INIT_REQ:
+                return CertReqMessages.GetInstance(o);
+            case TYPE_INIT_REP:
+                return CertRepMessage.GetInstance(o);
+            case TYPE_CERT_REQ:
+                return CertReqMessages.GetInstance(o);
+            case TYPE_CERT_REP:
+                return CertRepMessage.GetInstance(o);
+            case TYPE_P10_CERT_REQ:
+                return CertificationRequest.GetInstance(o);
+            case TYPE_POPO_CHALL:
+                return PopoDecKeyChallContent.GetInstance(o);
+            case TYPE_POPO_REP:
+                return PopoDecKeyRespContent.GetInstance(o);
+            case TYPE_KEY_UPDATE_REQ:
+                return CertReqMessages.GetInstance(o);
+            case TYPE_KEY_UPDATE_REP:
+                return CertRepMessage.GetInstance(o);
+            case TYPE_KEY_RECOVERY_REQ:
+                return CertReqMessages.GetInstance(o);
+            case TYPE_KEY_RECOVERY_REP:
+                return KeyRecRepContent.GetInstance(o);
+            case TYPE_REVOCATION_REQ:
+                return RevReqContent.GetInstance(o);
+            case TYPE_REVOCATION_REP:
+                return RevRepContent.GetInstance(o);
+            case TYPE_CROSS_CERT_REQ:
+                return CertReqMessages.GetInstance(o);
+            case TYPE_CROSS_CERT_REP:
+                return CertRepMessage.GetInstance(o);
+            case TYPE_CA_KEY_UPDATE_ANN:
+                return CAKeyUpdAnnContent.GetInstance(o);
+            case TYPE_CERT_ANN:
+                return CmpCertificate.GetInstance(o);
+            case TYPE_REVOCATION_ANN:
+                return RevAnnContent.GetInstance(o);
+            case TYPE_CRL_ANN:
+                return CrlAnnContent.GetInstance(o);
+            case TYPE_CONFIRM:
+                return PkiConfirmContent.GetInstance(o);
+            case TYPE_NESTED:
+                return PkiMessages.GetInstance(o);
+            case TYPE_GEN_MSG:
+                return GenMsgContent.GetInstance(o);
+            case TYPE_GEN_REP:
+                return GenRepContent.GetInstance(o);
+            case TYPE_ERROR:
+                return ErrorMsgContent.GetInstance(o);
+            case TYPE_CERT_CONFIRM:
+                return CertConfirmContent.GetInstance(o);
+            case TYPE_POLL_REQ:
+                return PollReqContent.GetInstance(o);
+            case TYPE_POLL_REP:
+                return PollRepContent.GetInstance(o);
+            default:
+	            throw new ArgumentException("unknown tag number: " + type, nameof(type));
             }
         }
 
-        public virtual int Type
-        {
-            get { return tagNo; }
-        }
+        public virtual Asn1Encodable Content => m_body;
 
-        public virtual Asn1Encodable Content
-        {
-            get { return body; }
-        }
+        public virtual int Type => m_tagNo;
 
         /**
          * 
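Review bot: The public `PkiBody(int type, Asn1Encodable content)` constructor does not check `content` for null. With this commit several of the factories it dispatches to (`GenMsgContent`, `GenRepContent`, `ErrorMsgContent`, `KeyRecRepContent`, `PkiConfirmContent`) return null for a null argument where they used to throw. A body built that way stores a null `m_body`, and the problem surfaces only in `ToAsn1Object()`, whose handling of a null body is not visible here. Adding `if (content == null) throw new ArgumentNullException(nameof(content));` at the top of the constructor restores the early failure. The `throw` line in the `default:` branch is also still tab-indented, unlike the re-indented cases above it.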
@@ -181,7 +205,7 @@ namespace Org.BouncyCastle.Asn1.Cmp
          */
         public override Asn1Object ToAsn1Object()
         {
-            return new DerTaggedObject(true, tagNo, body);
+            return new DerTaggedObject(true, m_tagNo, m_body);
         }
     }
 }
diff --git a/crypto/src/asn1/cmp/PKIConfirmContent.cs b/crypto/src/asn1/cmp/PKIConfirmContent.cs
index d154427a4..ecebb22a8 100644
--- a/crypto/src/asn1/cmp/PKIConfirmContent.cs
+++ b/crypto/src/asn1/cmp/PKIConfirmContent.cs
@@ -4,24 +4,38 @@ using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
-	public class PkiConfirmContent
+    /**
+     *  PKIConfirmContent ::= NULL
+     */
+    public class PkiConfirmContent
 		: Asn1Encodable
 	{
 		public static PkiConfirmContent GetInstance(object obj)
 		{
-			if (obj is PkiConfirmContent)
-				return (PkiConfirmContent)obj;
+			if (obj == null)
+				return null;
 
-			if (obj is Asn1Null)
-				return new PkiConfirmContent();
+			if (obj is PkiConfirmContent pkiConfirmContent)
+				return pkiConfirmContent;
 
-            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj");
-		}
+			if (obj is Asn1Null asn1Null)
+				return new PkiConfirmContent(asn1Null);
 
-		public PkiConfirmContent()
-		{
+            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), nameof(obj));
 		}
 
+        private readonly Asn1Null m_val;
+
+        public PkiConfirmContent()
+            : this(DerNull.Instance)
+        {
+        }
+
+        private PkiConfirmContent(Asn1Null val)
+        {
+            m_val = val;
+        }
+
 		/**
 		 * 
 		 * PkiConfirmContent ::= NULL
@@ -30,7 +44,7 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			return DerNull.Instance;
+			return m_val;
 		}
 	}
 }
diff --git a/crypto/src/asn1/cmp/PKIFailureInfo.cs b/crypto/src/asn1/cmp/PKIFailureInfo.cs
index 75a3ff0d7..fd37665b9 100644
--- a/crypto/src/asn1/cmp/PKIFailureInfo.cs
+++ b/crypto/src/asn1/cmp/PKIFailureInfo.cs
@@ -21,7 +21,7 @@ namespace Org.BouncyCastle.Asn1.Cmp
      * certRevoked         (10),
      * certConfirmed       (11),
      * wrongIntegrity      (12),
-     * badRecipientNonce   (13), 
+     * badRecipientNonce   (13),
      * timeNotAvailable    (14),
      *   -- the TSA's time source is not available
      * unacceptedPolicy    (15),
@@ -37,13 +37,13 @@ namespace Org.BouncyCastle.Asn1.Cmp
      * transactionIdInUse  (21),
      * unsupportedVersion  (22),
      * notAuthorized       (23),
-     * systemUnavail       (24),    
+     * systemUnavail       (24),
      * systemFailure       (25),
      *   -- the request cannot be handled due to system failure
-     * duplicateCertReq    (26) 
+     * duplicateCertReq    (26)
      * 
*/ - public class PkiFailureInfo + public class PkiFailureInfo : DerBitString { public const int BadAlg = (1 << 7); // unrecognized or unsupported Algorithm Identifier diff --git a/crypto/src/asn1/cmp/PKIFreeText.cs b/crypto/src/asn1/cmp/PKIFreeText.cs index 006930320..f3a4b8a81 100644 --- a/crypto/src/asn1/cmp/PKIFreeText.cs +++ b/crypto/src/asn1/cmp/PKIFreeText.cs 
@@ -1,61 +1,66 @@ using System; -using Org.BouncyCastle.Utilities; - namespace Org.BouncyCastle.Asn1.Cmp { public class PkiFreeText : Asn1Encodable { - internal Asn1Sequence strings; - - public static PkiFreeText GetInstance( - Asn1TaggedObject obj, - bool isExplicit) + public static PkiFreeText GetInstance(object obj) { - return GetInstance(Asn1Sequence.GetInstance(obj, isExplicit)); + if (obj is PkiFreeText pkiFreeText) + return pkiFreeText; + + if (obj != null) + return new PkiFreeText(Asn1Sequence.GetInstance(obj)); + + return null; } - public static PkiFreeText GetInstance( - object obj) + public static PkiFreeText GetInstance(Asn1TaggedObject taggedObject, bool declaredExplicit) + { + return GetInstance(Asn1Sequence.GetInstance(taggedObject, declaredExplicit)); + } + + internal Asn1Sequence m_strings; + + internal PkiFreeText(Asn1Sequence seq) { - if (obj is PkiFreeText) - { - return (PkiFreeText)obj; - } - else if (obj is Asn1Sequence) + foreach (var element in seq) { - return new PkiFreeText((Asn1Sequence)obj); + if (!(element is DerUtf8String)) + throw new ArgumentException("attempt to insert non UTF8 STRING into PkiFreeText"); } - throw new ArgumentException("Unknown object in factory: " + Platform.GetTypeName(obj), "obj"); + m_strings = seq; } - public PkiFreeText( - Asn1Sequence seq) + public PkiFreeText(DerUtf8String p) { - foreach (object o in seq) - { - if (!(o is DerUtf8String)) - { - throw new ArgumentException("attempt to insert non UTF8 STRING into PkiFreeText"); - } - } + m_strings = new DerSequence(p); + } - this.strings = seq; + public PkiFreeText(string p) + : this(new DerUtf8String(p)) + { } - public PkiFreeText( - DerUtf8String p) + public PkiFreeText(DerUtf8String[] strs) { - strings = new DerSequence(p); + m_strings = new DerSequence(strs); } - public int Count + public PkiFreeText(string[] strs) { - get { return strings.Count; } + Asn1EncodableVector v = new Asn1EncodableVector(strs.Length); + for (int i = 0; i < strs.Length; i++) + { + 
v.Add(new DerUtf8String(strs[i])); + } + m_strings = new DerSequence(v); } + public virtual int Count => m_strings.Count; + /** * Return the UTF8STRING at index. * @@ -64,7 +69,7 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public DerUtf8String this[int index] { - get { return (DerUtf8String) strings[index]; } + get { return (DerUtf8String)m_strings[index]; } } /** @@ -74,7 +79,7 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public override Asn1Object ToAsn1Object() { - return strings; + return m_strings; } } } diff --git a/crypto/src/asn1/cmp/PKIHeader.cs b/crypto/src/asn1/cmp/PKIHeader.cs index 7b6296279..553a81bc0 100644 --- a/crypto/src/asn1/cmp/PKIHeader.cs +++ b/crypto/src/asn1/cmp/PKIHeader.cs 
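Review bot: The new array constructors `PkiFreeText(DerUtf8String[] strs)` and `PkiFreeText(string[] strs)` accept an empty array and so build an empty sequence, and the `Asn1Sequence` parsing constructor likewise lets an empty sequence through. CMP defines PKIFreeText as a non-empty SEQUENCE OF UTF8String, so a guard at the top of both array constructors would keep locally built values well-formed, for example `if (strs == null || strs.Length < 1) throw new ArgumentException("must contain at least one string", nameof(strs));`. Separately, `internal Asn1Sequence m_strings;` is only assigned in constructors within this hunk. If nothing else in the assembly writes to it, it could be `private readonly`, like the `m_` fields this patch introduces in PbmParameter.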
@@ -41,35 +41,35 @@ namespace Org.BouncyCastle.Asn1.Cmp switch (tObj.TagNo) { - case 0: - messageTime = DerGeneralizedTime.GetInstance(tObj, true); - break; - case 1: - protectionAlg = AlgorithmIdentifier.GetInstance(tObj, true); - break; - case 2: - senderKID = Asn1OctetString.GetInstance(tObj, true); - break; - case 3: - recipKID = Asn1OctetString.GetInstance(tObj, true); - break; - case 4: - transactionID = Asn1OctetString.GetInstance(tObj, true); - break; - case 5: - senderNonce = Asn1OctetString.GetInstance(tObj, true); - break; - case 6: - recipNonce = Asn1OctetString.GetInstance(tObj, true); - break; - case 7: - freeText = PkiFreeText.GetInstance(tObj, true); - break; - case 8: - generalInfo = Asn1Sequence.GetInstance(tObj, true); - break; - default: - throw new ArgumentException("unknown tag number: " + tObj.TagNo, "seq"); + case 0: + messageTime = DerGeneralizedTime.GetInstance(tObj, true); + break; + case 1: + protectionAlg = AlgorithmIdentifier.GetInstance(tObj, true); + break; + case 2: + senderKID = Asn1OctetString.GetInstance(tObj, true); + break; + case 3: + recipKID = Asn1OctetString.GetInstance(tObj, true); + break; + case 4: + transactionID = Asn1OctetString.GetInstance(tObj, true); + break; + case 5: + senderNonce = Asn1OctetString.GetInstance(tObj, true); + break; + case 6: + recipNonce = Asn1OctetString.GetInstance(tObj, true); + break; + case 7: + freeText = PkiFreeText.GetInstance(tObj, true); + break; + case 8: + generalInfo = Asn1Sequence.GetInstance(tObj, true); + break; + default: + throw new ArgumentException("unknown tag number: " + tObj.TagNo, nameof(seq)); } } } diff --git a/crypto/src/asn1/cmp/PKIMessages.cs b/crypto/src/asn1/cmp/PKIMessages.cs index eb01e544a..0008f476a 100644 --- a/crypto/src/asn1/cmp/PKIMessages.cs +++ b/crypto/src/asn1/cmp/PKIMessages.cs 
@@ -9,7 +9,7 @@ namespace Org.BouncyCastle.Asn1.Cmp { private Asn1Sequence content; - private PkiMessages(Asn1Sequence seq) + internal PkiMessages(Asn1Sequence seq) { content = seq; } diff --git a/crypto/src/asn1/cmp/PbmParameter.cs b/crypto/src/asn1/cmp/PbmParameter.cs index 206b89ba1..f4b702ed5 100644 --- a/crypto/src/asn1/cmp/PbmParameter.cs +++ b/crypto/src/asn1/cmp/PbmParameter.cs 
@@ -1,77 +1,74 @@ using System; using Org.BouncyCastle.Asn1.X509; -using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Asn1.Cmp { + /** + * PBMParameter ::= SEQUENCE { + * salt OCTET STRING, + * -- note: implementations MAY wish to limit acceptable sizes + * -- of this string to values appropriate for their environment + * -- in order to reduce the risk of denial-of-service attacks + * owf AlgorithmIdentifier, + * -- AlgId for a One-Way Function (SHA-1 recommended) + * iterationCount INTEGER, + * -- number of times the OWF is applied + * -- note: implementations MAY wish to limit acceptable sizes + * -- of this integer to values appropriate for their environment + * -- in order to reduce the risk of denial-of-service attacks + * mac AlgorithmIdentifier + * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], + * } -- or HMAC [RFC2104, RFC2202]) + */ public class PbmParameter : Asn1Encodable { - private Asn1OctetString salt; - private AlgorithmIdentifier owf; - private DerInteger iterationCount; - private AlgorithmIdentifier mac; - - private PbmParameter(Asn1Sequence seq) - { - salt = Asn1OctetString.GetInstance(seq[0]); - owf = AlgorithmIdentifier.GetInstance(seq[1]); - iterationCount = DerInteger.GetInstance(seq[2]); - mac = AlgorithmIdentifier.GetInstance(seq[3]); - } - public static PbmParameter GetInstance(object obj) { - if (obj is PbmParameter) - return (PbmParameter)obj; + if (obj is PbmParameter pbmParameter) + return pbmParameter; - if (obj is Asn1Sequence) - return new PbmParameter((Asn1Sequence)obj); + if (obj != null) + return new PbmParameter(Asn1Sequence.GetInstance(obj)); - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + return null; } - public PbmParameter( - byte[] salt, - AlgorithmIdentifier owf, - int iterationCount, - AlgorithmIdentifier mac) - : this(new DerOctetString(salt), owf, new DerInteger(iterationCount), mac) - { - } + private readonly Asn1OctetString m_salt; + private readonly 
AlgorithmIdentifier m_owf; + private readonly DerInteger m_iterationCount; + private readonly AlgorithmIdentifier m_mac; - public PbmParameter( - Asn1OctetString salt, - AlgorithmIdentifier owf, - DerInteger iterationCount, - AlgorithmIdentifier mac) + private PbmParameter(Asn1Sequence seq) { - this.salt = salt; - this.owf = owf; - this.iterationCount = iterationCount; - this.mac = mac; + m_salt = Asn1OctetString.GetInstance(seq[0]); + m_owf = AlgorithmIdentifier.GetInstance(seq[1]); + m_iterationCount = DerInteger.GetInstance(seq[2]); + m_mac = AlgorithmIdentifier.GetInstance(seq[3]); } - public virtual Asn1OctetString Salt + public PbmParameter(byte[] salt, AlgorithmIdentifier owf, int iterationCount, AlgorithmIdentifier mac) + : this(new DerOctetString(salt), owf, new DerInteger(iterationCount), mac) { - get { return salt; } } - public virtual AlgorithmIdentifier Owf + public PbmParameter(Asn1OctetString salt, AlgorithmIdentifier owf, DerInteger iterationCount, + AlgorithmIdentifier mac) { - get { return owf; } + m_salt = salt; + m_owf = owf; + m_iterationCount = iterationCount; + m_mac = mac; } - public virtual DerInteger IterationCount - { - get { return iterationCount; } - } + public virtual DerInteger IterationCount => m_iterationCount; - public virtual AlgorithmIdentifier Mac - { - get { return mac; } - } + public virtual AlgorithmIdentifier Mac => m_mac; + + public virtual AlgorithmIdentifier Owf => m_owf; + + public virtual Asn1OctetString Salt => m_salt; /** *
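Review bot: `PbmParameter(Asn1Sequence seq)` reads `seq[0]` through `seq[3]` without checking `seq.Count`, so a decoded sequence with fewer than four elements fails inside the indexer, and one with more is accepted with the extras ignored. A first line of `if (seq.Count != 4) throw new ArgumentException("Bad sequence size: " + seq.Count, nameof(seq));` would give callers one predictable exception for malformed input. The same unguarded indexing appears in the parsing constructors of ProtectedPart, RevAnnContent and RevDetails, and in the per-entry loop of PollRepContent later in this patch. The ASN.1 comment added above the class already says salt length and iterationCount may need limits against denial of service. Since this class stores both exactly as decoded, a short remark on `Salt` and `IterationCount` that the consumer must bound them before running the key derivation would put that warning where the values are used.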
@@ -95,7 +92,7 @@ namespace Org.BouncyCastle.Asn1.Cmp
          */
         public override Asn1Object ToAsn1Object()
         {
-            return new DerSequence(salt, owf, iterationCount, mac);
+            return new DerSequence(m_salt, m_owf, m_iterationCount, m_mac);
         }
     }
 }
diff --git a/crypto/src/asn1/cmp/PollRepContent.cs b/crypto/src/asn1/cmp/PollRepContent.cs
index ff75d7d6d..15f153a5d 100644
--- a/crypto/src/asn1/cmp/PollRepContent.cs
+++ b/crypto/src/asn1/cmp/PollRepContent.cs
@@ -1,71 +1,69 @@
-using System;
-
-using Org.BouncyCastle.Utilities;
-
 namespace Org.BouncyCastle.Asn1.Cmp
 {
-	public class PollRepContent
+    /**
+     * PollRepContent ::= SEQUENCE OF SEQUENCE {
+     * certReqId    INTEGER,
+     * checkAfter   INTEGER,  -- time in seconds
+     * reason       PKIFreeText OPTIONAL }
+     */
+    public class PollRepContent
 		: Asn1Encodable
 	{
-		private readonly DerInteger certReqId;
-		private readonly DerInteger checkAfter;
-		private readonly PkiFreeText reason;
+        public static PollRepContent GetInstance(object obj)
+        {
+			if (obj is PollRepContent pollRepContent)
+				return pollRepContent;
+
+			if (obj != null)
+				return new PollRepContent(Asn1Sequence.GetInstance(obj));
+
+			return null;
+        }
+
+        private readonly DerInteger[] m_certReqID;
+		private readonly DerInteger[] m_checkAfter;
+		private readonly PkiFreeText[] m_reason;
 
 		private PollRepContent(Asn1Sequence seq)
 		{
-			certReqId = DerInteger.GetInstance(seq[0]);
-			checkAfter = DerInteger.GetInstance(seq[1]);
+			int count = seq.Count;
+			m_certReqID = new DerInteger[count];
+			m_checkAfter = new DerInteger[count];
+			m_reason = new PkiFreeText[count];
 
-			if (seq.Count > 2)
+			for (int i = 0; i != count; i++)
 			{
-				reason = PkiFreeText.GetInstance(seq[2]);
-			}
-		}
-
-		public static PollRepContent GetInstance(object obj)
-		{
-			if (obj is PollRepContent)
-				return (PollRepContent)obj;
+				Asn1Sequence s = Asn1Sequence.GetInstance(seq[i]);
 
-			if (obj is Asn1Sequence)
-				return new PollRepContent((Asn1Sequence)obj);
+				m_certReqID[i] = DerInteger.GetInstance(s[0]);
+				m_checkAfter[i] = DerInteger.GetInstance(s[1]);
 
-            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj");
+				if (s.Count > 2)
+				{
+					m_reason[i] = PkiFreeText.GetInstance(s[2]);
+				}
+			}
 		}
 
-	    public PollRepContent(
-	        DerInteger certReqId,
-	        DerInteger checkAfter)
+	    public PollRepContent(DerInteger certReqID, DerInteger checkAfter)
+			: this(certReqID, checkAfter, null)
 	    {
-	        this.certReqId = certReqId;
-	        this.checkAfter = checkAfter;
-	        this.reason = null;
 	    }
 
-        public PollRepContent(
-	        DerInteger certReqId,
-	        DerInteger checkAfter,
-	        PkiFreeText reason)
+        public PollRepContent(DerInteger certReqID, DerInteger checkAfter, PkiFreeText reason)
 	    {
-	        this.certReqId = certReqId;
-	        this.checkAfter = checkAfter;
-	        this.reason = reason;
-	    }
+            m_certReqID = new DerInteger[1]{ certReqID };
+            m_checkAfter = new DerInteger[1]{ checkAfter };
+            m_reason = new PkiFreeText[1]{ reason };
+        }
 
-		public virtual DerInteger CertReqID
-		{
-			get { return certReqId; }
-		}
+        public virtual int Count => m_certReqID.Length;
 
-		public virtual DerInteger CheckAfter
-		{
-			get { return checkAfter; }
-		}
+        public virtual DerInteger GetCertReqID(int index) => m_certReqID[index];
 
-		public virtual PkiFreeText Reason
-		{
-			get { return reason; }
-		}
+		public virtual DerInteger GetCheckAfter(int index) => m_checkAfter[index];
+
+		public virtual PkiFreeText GetReason(int index) => m_reason[index];
 
 		/**
 		 * 
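Review bot: The indexed getters `GetCertReqID`, `GetCheckAfter` and `GetReason` that replace the old properties are undocumented, and two parts of their contract are not obvious from the signatures. `index` must be below `Count` (a decoded empty outer sequence gives `Count == 0`), and `GetReason` returns null for an entry that had no third element. The new class comment describes `checkAfter` as a time in seconds and the value is stored exactly as decoded, so a caller that waits on it should clamp it first. A comment on `GetCheckAfter` such as `// value comes from the decoded message; bound it before using it as a delay` would say so. Removing the `CertReqID`, `CheckAfter` and `Reason` properties is also source-breaking for existing callers, which may merit a changelog line.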
@@ -79,9 +77,20 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			Asn1EncodableVector v = new Asn1EncodableVector(certReqId, checkAfter);
-			v.AddOptional(reason);
-			return new DerSequence(v);
+			Asn1EncodableVector outer = new Asn1EncodableVector(m_certReqID.Length);
+
+			for (int i = 0; i != m_certReqID.Length; i++)
+			{
+				Asn1EncodableVector v = new Asn1EncodableVector(3);
+
+				v.Add(m_certReqID[i]);
+				v.Add(m_checkAfter[i]);
+				v.AddOptional(m_reason[i]);
+
+				outer.Add(new DerSequence(v));
+			}
+
+			return new DerSequence(outer);
 		}
 	}
 }
diff --git a/crypto/src/asn1/cmp/PollReqContent.cs b/crypto/src/asn1/cmp/PollReqContent.cs
index dd9b0c352..80a39348a 100644
--- a/crypto/src/asn1/cmp/PollReqContent.cs
+++ b/crypto/src/asn1/cmp/PollReqContent.cs
@@ -1,51 +1,91 @@
-using System;
-
-using Org.BouncyCastle.Utilities;
+using Org.BouncyCastle.Math;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
 	public class PollReqContent
 		: Asn1Encodable
 	{
-		private readonly Asn1Sequence content;
+        public static PollReqContent GetInstance(object obj)
+        {
+			if (obj is PollReqContent pollReqContent)
+				return pollReqContent;
+
+			if (obj != null)
+				return new PollReqContent(Asn1Sequence.GetInstance(obj));
+
+			return null;
+        }
+
+        private readonly Asn1Sequence m_content;
 
 		private PollReqContent(Asn1Sequence seq)
 		{
-			content = seq;
+			m_content = seq;
 		}
 
-		public static PollReqContent GetInstance(object obj)
+		/**
+		 * Create a pollReqContent for a single certReqId.
+		 *
+		 * @param certReqId the certificate request ID.
+		 */
+		public PollReqContent(DerInteger certReqId)
+			: this(new DerSequence(new DerSequence(certReqId)))
 		{
-			if (obj is PollReqContent)
-				return (PollReqContent)obj;
+		}
 
-			if (obj is Asn1Sequence)
-				return new PollReqContent((Asn1Sequence)obj);
+		/**
+		 * Create a pollReqContent for a multiple certReqIds.
+		 *
+		 * @param certReqIds the certificate request IDs.
+		 */
+		public PollReqContent(DerInteger[] certReqIds)
+			: this(new DerSequence(IntsToSequence(certReqIds)))
+		{
+		}
 
-            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj");
+		/**
+		 * Create a pollReqContent for a single certReqId.
+		 *
+		 * @param certReqId the certificate request ID.
+		 */
+		public PollReqContent(BigInteger certReqId)
+			: this(new DerInteger(certReqId))
+		{
 		}
 
-		public virtual DerInteger[][] GetCertReqIDs()
+		/**
+		 * Create a pollReqContent for a multiple certReqIds.
+		 *
+		 * @param certReqIds the certificate request IDs.
+		 */
+		public PollReqContent(BigInteger[] certReqIds)
+			: this(IntsToAsn1(certReqIds))
 		{
-			DerInteger[][] result = new DerInteger[content.Count][];
-			for (int i = 0; i != result.Length; ++i)
-			{
-				result[i] = SequenceToDerIntegerArray((Asn1Sequence)content[i]);
-			}
-			return result;
 		}
 
-		private static DerInteger[] SequenceToDerIntegerArray(Asn1Sequence seq)
+		public virtual DerInteger[][] GetCertReqIDs()
 		{
-			DerInteger[] result = new DerInteger[seq.Count];
+			DerInteger[][] result = new DerInteger[m_content.Count][];
 			for (int i = 0; i != result.Length; ++i)
 			{
-				result[i] = DerInteger.GetInstance(seq[i]);
+				result[i] = SequenceToDerIntegerArray((Asn1Sequence)m_content[i]);
 			}
 			return result;
 		}
 
-		/**
+        public virtual BigInteger[] GetCertReqIDValues()
+        {
+            BigInteger[] result = new BigInteger[m_content.Count];
+
+            for (int i = 0; i != result.Length; i++)
+            {
+                result[i] = DerInteger.GetInstance(Asn1Sequence.GetInstance(m_content[i])[0]).Value;
+            }
+
+            return result;
+        }
+
+        /**
 		 * 
 		 * PollReqContent ::= SEQUENCE OF SEQUENCE {
 		 *                        certReqId              INTEGER
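Review bot: `GetCertReqIDs()` still uses a hard cast, `(Asn1Sequence)m_content[i]`, while the new `GetCertReqIDValues()` goes through `Asn1Sequence.GetInstance(m_content[i])`. Because the private constructor stores the decoded sequence unchecked, a non-sequence element surfaces as an InvalidCastException from one getter and as whatever `GetInstance` throws from the other. Using `result[i] = SequenceToDerIntegerArray(Asn1Sequence.GetInstance(m_content[i]));` would make the two agree. `GetCertReqIDValues()` also takes element `[0]` of each inner sequence without checking that the entry is non-empty, and it ignores any further IDs in that entry, which is worth stating in a doc comment. The doc comments on the two array constructors read "for a multiple certReqIds"; the "a" should go.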
@@ -53,9 +93,38 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 * 
* @return a basic ASN.1 object representation. */ - public override Asn1Object ToAsn1Object() + public override Asn1Object ToAsn1Object() + { + return m_content; + } + + private static DerInteger[] SequenceToDerIntegerArray(Asn1Sequence seq) + { + return seq.MapElements(DerInteger.GetInstance); + } + + private static DerSequence[] IntsToSequence(DerInteger[] ids) { - return content; + DerSequence[] result = new DerSequence[ids.Length]; + + for (int i = 0; i != result.Length; i++) + { + result[i] = new DerSequence(ids[i]); + } + + return result; + } + + private static DerInteger[] IntsToAsn1(BigInteger[] ids) + { + DerInteger[] result = new DerInteger[ids.Length]; + + for (int i = 0; i != result.Length; i++) + { + result[i] = new DerInteger(ids[i]); + } + + return result; } } } diff --git a/crypto/src/asn1/cmp/PopoDecKeyChallContent.cs b/crypto/src/asn1/cmp/PopoDecKeyChallContent.cs index 03a13a5d5..0bd1597c8 100644 --- a/crypto/src/asn1/cmp/PopoDecKeyChallContent.cs +++ b/crypto/src/asn1/cmp/PopoDecKeyChallContent.cs 
@@ -1,38 +1,31 @@ using System; -using Org.BouncyCastle.Utilities; - namespace Org.BouncyCastle.Asn1.Cmp { public class PopoDecKeyChallContent : Asn1Encodable { - private readonly Asn1Sequence content; + public static PopoDecKeyChallContent GetInstance(object obj) + { + if (obj is PopoDecKeyChallContent popoDecKeyChallContent) + return popoDecKeyChallContent; - private PopoDecKeyChallContent(Asn1Sequence seq) - { - content = seq; - } + if (obj != null) + return new PopoDecKeyChallContent(Asn1Sequence.GetInstance(obj)); - public static PopoDecKeyChallContent GetInstance(object obj) - { - if (obj is PopoDecKeyChallContent) - return (PopoDecKeyChallContent)obj; + return null; + } - if (obj is Asn1Sequence) - return new PopoDecKeyChallContent((Asn1Sequence)obj); + private readonly Asn1Sequence m_content; - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + private PopoDecKeyChallContent(Asn1Sequence seq) + { + m_content = seq; } public virtual Challenge[] ToChallengeArray() { - Challenge[] result = new Challenge[content.Count]; - for (int i = 0; i != result.Length; ++i) - { - result[i] = Challenge.GetInstance(content[i]); - } - return result; + return m_content.MapElements(Challenge.GetInstance); } /** @@ -43,7 +36,7 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public override Asn1Object ToAsn1Object() { - return content; + return m_content; } } } diff --git a/crypto/src/asn1/cmp/PopoDecKeyRespContent.cs b/crypto/src/asn1/cmp/PopoDecKeyRespContent.cs index 73f59b7c1..77d720271 100644 --- a/crypto/src/asn1/cmp/PopoDecKeyRespContent.cs +++ b/crypto/src/asn1/cmp/PopoDecKeyRespContent.cs 
@@ -1,38 +1,29 @@ -using System; - -using Org.BouncyCastle.Utilities; - namespace Org.BouncyCastle.Asn1.Cmp { public class PopoDecKeyRespContent : Asn1Encodable { - private readonly Asn1Sequence content; + public static PopoDecKeyRespContent GetInstance(object obj) + { + if (obj is PopoDecKeyRespContent popoDecKeyRespContent) + return popoDecKeyRespContent; - private PopoDecKeyRespContent(Asn1Sequence seq) - { - content = seq; - } + if (obj != null) + return new PopoDecKeyRespContent(Asn1Sequence.GetInstance(obj)); - public static PopoDecKeyRespContent GetInstance(object obj) - { - if (obj is PopoDecKeyRespContent) - return (PopoDecKeyRespContent)obj; + return null; + } - if (obj is Asn1Sequence) - return new PopoDecKeyRespContent((Asn1Sequence)obj); + private readonly Asn1Sequence m_content; - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + private PopoDecKeyRespContent(Asn1Sequence seq) + { + m_content = seq; } - public virtual DerInteger[] ToDerIntegerArray() + public virtual DerInteger[] ToIntegerArray() { - DerInteger[] result = new DerInteger[content.Count]; - for (int i = 0; i != result.Length; ++i) - { - result[i] = DerInteger.GetInstance(content[i]); - } - return result; + return m_content.MapElements(DerInteger.GetInstance); } /** @@ -43,7 +34,7 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public override Asn1Object ToAsn1Object() { - return content; + return m_content; } } } diff --git a/crypto/src/asn1/cmp/ProtectedPart.cs b/crypto/src/asn1/cmp/ProtectedPart.cs index ed90708f9..fc83ac6c6 100644 --- a/crypto/src/asn1/cmp/ProtectedPart.cs +++ b/crypto/src/asn1/cmp/ProtectedPart.cs 
@@ -1,47 +1,37 @@ -using System; - -using Org.BouncyCastle.Utilities; - namespace Org.BouncyCastle.Asn1.Cmp { public class ProtectedPart : Asn1Encodable { - private readonly PkiHeader header; - private readonly PkiBody body; - - private ProtectedPart(Asn1Sequence seq) - { - header = PkiHeader.GetInstance(seq[0]); - body = PkiBody.GetInstance(seq[1]); - } + public static ProtectedPart GetInstance(object obj) + { + if (obj is ProtectedPart protectedPart) + return protectedPart; - public static ProtectedPart GetInstance(object obj) - { - if (obj is ProtectedPart) - return (ProtectedPart)obj; + if (obj != null) + return new ProtectedPart(Asn1Sequence.GetInstance(obj)); - if (obj is Asn1Sequence) - return new ProtectedPart((Asn1Sequence)obj); + return null; + } - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); - } + private readonly PkiHeader m_header; + private readonly PkiBody m_body; - public ProtectedPart(PkiHeader header, PkiBody body) + private ProtectedPart(Asn1Sequence seq) { - this.header = header; - this.body = body; + m_header = PkiHeader.GetInstance(seq[0]); + m_body = PkiBody.GetInstance(seq[1]); } - public virtual PkiHeader Header + public ProtectedPart(PkiHeader header, PkiBody body) { - get { return header; } + m_header = header; + m_body = body; } - public virtual PkiBody Body - { - get { return body; } - } + public virtual PkiHeader Header => m_header; + + public virtual PkiBody Body => m_body; /** *
@@ -54,7 +44,7 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			return new DerSequence(header, body);
+			return new DerSequence(m_header, m_body);
 		}
 	}
 }
diff --git a/crypto/src/asn1/cmp/RevAnnContent.cs b/crypto/src/asn1/cmp/RevAnnContent.cs
index d5d42625c..4ef6fdbf7 100644
--- a/crypto/src/asn1/cmp/RevAnnContent.cs
+++ b/crypto/src/asn1/cmp/RevAnnContent.cs
@@ -1,68 +1,66 @@
-using System;
-
 using Org.BouncyCastle.Asn1.Crmf;
 using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
 	public class RevAnnContent
 		: Asn1Encodable
 	{
-		private readonly PkiStatusEncodable status;
-		private readonly CertId certId;
-		private readonly DerGeneralizedTime willBeRevokedAt;
-		private readonly DerGeneralizedTime badSinceDate;
-		private readonly X509Extensions crlDetails;
+        public static RevAnnContent GetInstance(object obj)
+        {
+			if (obj is RevAnnContent revAnnContent)
+				return revAnnContent;
 
-		private RevAnnContent(Asn1Sequence seq)
-		{
-			status = PkiStatusEncodable.GetInstance(seq[0]);
-			certId = CertId.GetInstance(seq[1]);
-			willBeRevokedAt = DerGeneralizedTime.GetInstance(seq[2]);
-			badSinceDate = DerGeneralizedTime.GetInstance(seq[3]);
+			if (obj != null)
+				return new RevAnnContent(Asn1Sequence.GetInstance(obj));
 
-			if (seq.Count > 4)
-			{
-				crlDetails = X509Extensions.GetInstance(seq[4]);
-			}
-		}
+			return null;
+        }
 
-		public static RevAnnContent GetInstance(object obj)
-		{
-			if (obj is RevAnnContent)
-				return (RevAnnContent)obj;
-
-			if (obj is Asn1Sequence)
-				return new RevAnnContent((Asn1Sequence)obj);
+        private readonly PkiStatusEncodable m_status;
+		private readonly CertId m_certID;
+		private readonly DerGeneralizedTime m_willBeRevokedAt;
+		private readonly DerGeneralizedTime m_badSinceDate;
+		private readonly X509Extensions m_crlDetails;
 
-            throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj");
+        public RevAnnContent(PkiStatusEncodable status, CertId certID, DerGeneralizedTime willBeRevokedAt,
+			DerGeneralizedTime badSinceDate)
+            : this(status, certID, willBeRevokedAt, badSinceDate, null)
+        {
 		}
 
-		public virtual PkiStatusEncodable Status
-		{
-			get { return status; }
-		}
+        public RevAnnContent(PkiStatusEncodable status, CertId certID, DerGeneralizedTime willBeRevokedAt,
+			DerGeneralizedTime badSinceDate, X509Extensions crlDetails)
+        {
+            m_status = status;
+            m_certID = certID;
+            m_willBeRevokedAt = willBeRevokedAt;
+            m_badSinceDate = badSinceDate;
+            m_crlDetails = crlDetails;
+        }
 
-		public virtual CertId CertID
+        private RevAnnContent(Asn1Sequence seq)
 		{
-			get { return certId; }
-		}
+			m_status = PkiStatusEncodable.GetInstance(seq[0]);
+			m_certID = CertId.GetInstance(seq[1]);
+			m_willBeRevokedAt = DerGeneralizedTime.GetInstance(seq[2]);
+			m_badSinceDate = DerGeneralizedTime.GetInstance(seq[3]);
 
-		public virtual DerGeneralizedTime WillBeRevokedAt
-		{
-			get { return willBeRevokedAt; }
+			if (seq.Count > 4)
+			{
+				m_crlDetails = X509Extensions.GetInstance(seq[4]);
+			}
 		}
 
-		public virtual DerGeneralizedTime BadSinceDate
-		{
-			get { return badSinceDate; }
-		}
+		public virtual PkiStatusEncodable Status => m_status;
 
-		public virtual X509Extensions CrlDetails
-		{
-			get { return crlDetails; }
-		}
+		public virtual CertId CertID => m_certID;
+
+		public virtual DerGeneralizedTime WillBeRevokedAt => m_willBeRevokedAt;
+
+		public virtual DerGeneralizedTime BadSinceDate => m_badSinceDate;
+
+		public virtual X509Extensions CrlDetails => m_crlDetails;
 
 		/**
 		 * 
@@ -79,8 +77,8 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		 */
 		public override Asn1Object ToAsn1Object()
 		{
-			Asn1EncodableVector v = new Asn1EncodableVector(status, certId, willBeRevokedAt, badSinceDate);
-			v.AddOptional(crlDetails);
+			Asn1EncodableVector v = new Asn1EncodableVector(m_status, m_certID, m_willBeRevokedAt, m_badSinceDate);
+			v.AddOptional(m_crlDetails);
 			return new DerSequence(v);
 		}
 	}
diff --git a/crypto/src/asn1/cmp/RevDetails.cs b/crypto/src/asn1/cmp/RevDetails.cs
index 7d2a65ab9..9472d7775 100644
--- a/crypto/src/asn1/cmp/RevDetails.cs
+++ b/crypto/src/asn1/cmp/RevDetails.cs
@@ -1,56 +1,61 @@
-using System;
-
 using Org.BouncyCastle.Asn1.Crmf;
 using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
-	public class RevDetails
+    /**
+     * 
+     * RevDetails ::= SEQUENCE {
+     *          certDetails         CertTemplate,
+     *          -- allows requester to specify as much as they can about
+     *          -- the cert. for which revocation is requested
+     *          -- (e.g., for cases in which serialNumber is not available)
+     *          crlEntryDetails     Extensions       OPTIONAL
+     *          -- requested crlEntryExtensions
+     *      }
+     * 
+ */ + public class RevDetails : Asn1Encodable { - private readonly CertTemplate certDetails; - private readonly X509Extensions crlEntryDetails; + public static RevDetails GetInstance(object obj) + { + if (obj is RevDetails revDetails) + return revDetails; - private RevDetails(Asn1Sequence seq) - { - certDetails = CertTemplate.GetInstance(seq[0]); - crlEntryDetails = seq.Count <= 1 - ? null - : X509Extensions.GetInstance(seq[1]); - } + if (obj != null) + return new RevDetails(Asn1Sequence.GetInstance(obj)); - public static RevDetails GetInstance(object obj) - { - if (obj is RevDetails) - return (RevDetails)obj; + return null; + } - if (obj is Asn1Sequence) - return new RevDetails((Asn1Sequence)obj); + private readonly CertTemplate m_certDetails; + private readonly X509Extensions m_crlEntryDetails; - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + private RevDetails(Asn1Sequence seq) + { + m_certDetails = CertTemplate.GetInstance(seq[0]); + + if (seq.Count > 1) + { + m_crlEntryDetails = X509Extensions.GetInstance(seq[1]); + } } public RevDetails(CertTemplate certDetails) - : this(certDetails, null) + : this(certDetails, null) { } public RevDetails(CertTemplate certDetails, X509Extensions crlEntryDetails) { - this.certDetails = certDetails; - this.crlEntryDetails = crlEntryDetails; + m_certDetails = certDetails; + m_crlEntryDetails = crlEntryDetails; } - public virtual CertTemplate CertDetails - { - get { return certDetails; } - } + public virtual CertTemplate CertDetails => m_certDetails; - public virtual X509Extensions CrlEntryDetails - { - get { return crlEntryDetails; } - } + public virtual X509Extensions CrlEntryDetails => m_crlEntryDetails; /** *
@@ -67,8 +72,8 @@ namespace Org.BouncyCastle.Asn1.Cmp
 		*/
 		public override Asn1Object ToAsn1Object()
 		{
-			Asn1EncodableVector v = new Asn1EncodableVector(certDetails);
-			v.AddOptional(crlEntryDetails);
+			Asn1EncodableVector v = new Asn1EncodableVector(m_certDetails);
+			v.AddOptional(m_crlEntryDetails);
 			return new DerSequence(v);
 		}
 	}
diff --git a/crypto/src/asn1/cmp/RevRepContent.cs b/crypto/src/asn1/cmp/RevRepContent.cs
index 4b3f82b96..841b3cf94 100644
--- a/crypto/src/asn1/cmp/RevRepContent.cs
+++ b/crypto/src/asn1/cmp/RevRepContent.cs
@@ -1,21 +1,43 @@
-using System;
-
 using Org.BouncyCastle.Asn1.Crmf;
 using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Asn1.Cmp
 {
-	public class RevRepContent
+    /**
+     * 
+     * RevRepContent ::= SEQUENCE {
+     *          status       SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
+     *          -- in same order as was sent in RevReqContent
+     *          revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
+     *                                              OPTIONAL,
+     *          -- IDs for which revocation was requested
+     *          -- (same order as status)
+     *          crls     [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
+     *          -- the resulting CRLs (there may be more than one)
+     *      }
+     *
+ */ + public class RevRepContent : Asn1Encodable { - private readonly Asn1Sequence status; - private readonly Asn1Sequence revCerts; - private readonly Asn1Sequence crls; + public static RevRepContent GetInstance(object obj) + { + if (obj is RevRepContent revRepContent) + return revRepContent; + + if (obj != null) + return new RevRepContent(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly Asn1Sequence m_status; + private readonly Asn1Sequence m_revCerts; + private readonly Asn1Sequence m_crls; private RevRepContent(Asn1Sequence seq) { - status = Asn1Sequence.GetInstance(seq[0]); + m_status = Asn1Sequence.GetInstance(seq[0]); for (int pos = 1; pos < seq.Count; ++pos) { 
@@ -23,60 +45,34 @@ namespace Org.BouncyCastle.Asn1.Cmp if (tObj.TagNo == 0) { - revCerts = Asn1Sequence.GetInstance(tObj, true); + m_revCerts = Asn1Sequence.GetInstance(tObj, true); } else { - crls = Asn1Sequence.GetInstance(tObj, true); + m_crls = Asn1Sequence.GetInstance(tObj, true); } } } - public static RevRepContent GetInstance(object obj) - { - if (obj is RevRepContent) - return (RevRepContent)obj; - - if (obj is Asn1Sequence) - return new RevRepContent((Asn1Sequence)obj); - - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); - } - public virtual PkiStatusInfo[] GetStatus() { - PkiStatusInfo[] results = new PkiStatusInfo[status.Count]; - for (int i = 0; i != results.Length; ++i) - { - results[i] = PkiStatusInfo.GetInstance(status[i]); - } - return results; + return m_status.MapElements(PkiStatusInfo.GetInstance); } public virtual CertId[] GetRevCerts() { - if (revCerts == null) + if (m_revCerts == null) return null; - CertId[] results = new CertId[revCerts.Count]; - for (int i = 0; i != results.Length; ++i) - { - results[i] = CertId.GetInstance(revCerts[i]); - } - return results; + return m_revCerts.MapElements(CertId.GetInstance); } public virtual CertificateList[] GetCrls() { - if (crls == null) + if (m_crls == null) return null; - CertificateList[] results = new CertificateList[crls.Count]; - for (int i = 0; i != results.Length; ++i) - { - results[i] = CertificateList.GetInstance(crls[i]); - } - return results; + return m_crls.MapElements(CertificateList.GetInstance); } /** @@ -95,9 +91,9 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public override Asn1Object ToAsn1Object() { - Asn1EncodableVector v = new Asn1EncodableVector(status); - v.AddOptionalTagged(true, 0, revCerts); - v.AddOptionalTagged(true, 1, crls); + Asn1EncodableVector v = new Asn1EncodableVector(m_status); + v.AddOptionalTagged(true, 0, m_revCerts); + v.AddOptionalTagged(true, 1, m_crls); return new DerSequence(v); } } 
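Review bot: In the `RevRepContent(Asn1Sequence seq)` constructor the `else` branch assigns `m_crls` for every tag number other than 0, so an element carrying any other tag is decoded as the crls field instead of being rejected. Testing the tag explicitly with `else if (tObj.TagNo == 1)`, followed by `else throw new ArgumentException("unknown tag number: " + tObj.TagNo);`, would keep the decoder in line with the RevRepContent definition in the class comment, which has only [0] and [1]. The constructor starts before this hunk, so the loop header is not visible here.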
diff --git a/crypto/src/asn1/cmp/RevRepContentBuilder.cs b/crypto/src/asn1/cmp/RevRepContentBuilder.cs index cc17d1d4c..f23bed8b5 100644 --- a/crypto/src/asn1/cmp/RevRepContentBuilder.cs +++ b/crypto/src/asn1/cmp/RevRepContentBuilder.cs @@ -7,29 +7,29 @@ namespace Org.BouncyCastle.Asn1.Cmp { public class RevRepContentBuilder { - private readonly Asn1EncodableVector status = new Asn1EncodableVector(); - private readonly Asn1EncodableVector revCerts = new Asn1EncodableVector(); - private readonly Asn1EncodableVector crls = new Asn1EncodableVector(); + private readonly Asn1EncodableVector m_status = new Asn1EncodableVector(); + private readonly Asn1EncodableVector m_revCerts = new Asn1EncodableVector(); + private readonly Asn1EncodableVector m_crls = new Asn1EncodableVector(); public virtual RevRepContentBuilder Add(PkiStatusInfo status) { - this.status.Add(status); + m_status.Add(status); return this; } public virtual RevRepContentBuilder Add(PkiStatusInfo status, CertId certId) { - if (this.status.Count != this.revCerts.Count) + if (m_status.Count != m_revCerts.Count) throw new InvalidOperationException("status and revCerts sequence must be in common order"); - this.status.Add(status); - this.revCerts.Add(certId); + m_status.Add(status); + m_revCerts.Add(certId); return this; } public virtual RevRepContentBuilder AddCrl(CertificateList crl) { - this.crls.Add(crl); + m_crls.Add(crl); return this; } 
@@ -37,16 +37,16 @@ namespace Org.BouncyCastle.Asn1.Cmp { Asn1EncodableVector v = new Asn1EncodableVector(); - v.Add(new DerSequence(status)); + v.Add(new DerSequence(m_status)); - if (revCerts.Count != 0) + if (m_revCerts.Count != 0) { - v.Add(new DerTaggedObject(true, 0, new DerSequence(revCerts))); + v.Add(new DerTaggedObject(true, 0, new DerSequence(m_revCerts))); } - if (crls.Count != 0) + if (m_crls.Count != 0) { - v.Add(new DerTaggedObject(true, 1, new DerSequence(crls))); + v.Add(new DerTaggedObject(true, 1, new DerSequence(m_crls))); } return RevRepContent.GetInstance(new DerSequence(v)); diff --git a/crypto/src/asn1/cmp/RevReqContent.cs b/crypto/src/asn1/cmp/RevReqContent.cs index 1522d3789..c390530a8 100644 --- a/crypto/src/asn1/cmp/RevReqContent.cs +++ b/crypto/src/asn1/cmp/RevReqContent.cs 
@@ -7,37 +7,37 @@ namespace Org.BouncyCastle.Asn1.Cmp public class RevReqContent : Asn1Encodable { - private readonly Asn1Sequence content; - - private RevReqContent(Asn1Sequence seq) - { - content = seq; - } + public static RevReqContent GetInstance(object obj) + { + if (obj is RevReqContent revReqContent) + return revReqContent; - public static RevReqContent GetInstance(object obj) - { - if (obj is RevReqContent) - return (RevReqContent)obj; + if (obj != null) + return new RevReqContent(Asn1Sequence.GetInstance(obj)); - if (obj is Asn1Sequence) - return new RevReqContent((Asn1Sequence)obj); + return null; + } - throw new ArgumentException("Invalid object: " + Platform.GetTypeName(obj), "obj"); + private readonly Asn1Sequence m_content; + + private RevReqContent(Asn1Sequence seq) + { + m_content = seq; } - public RevReqContent(params RevDetails[] revDetails) + public RevReqContent(RevDetails revDetails) + { + m_content = new DerSequence(revDetails); + } + + public RevReqContent(params RevDetails[] revDetailsArray) { - this.content = new DerSequence(revDetails); + m_content = new DerSequence(revDetailsArray); } public virtual RevDetails[] ToRevDetailsArray() { - RevDetails[] result = new RevDetails[content.Count]; - for (int i = 0; i != result.Length; ++i) - { - result[i] = RevDetails.GetInstance(content[i]); - } - return result; + return m_content.MapElements(RevDetails.GetInstance); } /** @@ -48,7 +48,7 @@ namespace Org.BouncyCastle.Asn1.Cmp */ public override Asn1Object ToAsn1Object() { - return content; + return m_content; } } } diff --git a/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs b/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs new file mode 100644 index 000000000..b1eaf616d --- /dev/null +++ b/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs @@ -0,0 +1,90 @@ +using System; + +namespace Org.BouncyCastle.Asn1.Cmp +{ + /** + * GenMsg: {id-it 20}, RootCaCertValue | < absent > + * GenRep: {id-it 18}, RootCaKeyUpdateContent | < absent > + *

+ * RootCaCertValue ::= CMPCertificate + *

+ * RootCaKeyUpdateValue ::= RootCaKeyUpdateContent + *

+ * RootCaKeyUpdateContent ::= SEQUENCE { + * newWithNew CMPCertificate, + * newWithOld [0] CMPCertificate OPTIONAL, + * oldWithNew [1] CMPCertificate OPTIONAL + * } + */ + public class RootCaKeyUpdateContent + : Asn1Encodable + { + public static RootCaKeyUpdateContent GetInstance(object obj) + { + if (obj is RootCaKeyUpdateContent rootCaKeyUpdateContent) + return rootCaKeyUpdateContent; + + if (obj != null) + return new RootCaKeyUpdateContent(Asn1Sequence.GetInstance(obj)); + + return null; + } + + private readonly CmpCertificate m_newWithNew; + private readonly CmpCertificate m_newWithOld; + private readonly CmpCertificate m_oldWithNew; + + public RootCaKeyUpdateContent(CmpCertificate newWithNew, CmpCertificate newWithOld, CmpCertificate oldWithNew) + { + if (newWithNew == null) + throw new ArgumentNullException(nameof(newWithNew)); + + m_newWithNew = newWithNew; + m_newWithOld = newWithOld; + m_oldWithNew = oldWithNew; + } + + private RootCaKeyUpdateContent(Asn1Sequence seq) + { + if (seq.Count < 1 || seq.Count > 3) + throw new ArgumentException("expected sequence of 1 to 3 elements only"); + + CmpCertificate newWithNew; + CmpCertificate newWithOld = null; + CmpCertificate oldWithNew = null; + + newWithNew = CmpCertificate.GetInstance(seq[0]); + + for (int pos = 1; pos < seq.Count; ++pos) + { + Asn1TaggedObject ato = Asn1TaggedObject.GetInstance(seq[pos]); + if (ato.TagNo == 0) + { + newWithOld = CmpCertificate.GetInstance(ato, true); + } + else if (ato.TagNo == 1) + { + oldWithNew = CmpCertificate.GetInstance(ato, true); + } + } + + m_newWithNew = newWithNew; + m_newWithOld = newWithOld; + m_oldWithNew = oldWithNew; + } + + public virtual CmpCertificate NewWithNew => m_newWithNew; + + public virtual CmpCertificate NewWithOld => m_newWithOld; + + public virtual CmpCertificate OldWithNew => m_oldWithNew; + + public override Asn1Object ToAsn1Object() + { + Asn1EncodableVector v = new Asn1EncodableVector(m_newWithNew); + v.AddOptionalTagged(true, 0, m_newWithOld); 
+ v.AddOptionalTagged(true, 1, m_oldWithNew); + return new DerSequence(v); + } + } +} diff --git a/crypto/src/asn1/crmf/EncryptedKey.cs b/crypto/src/asn1/crmf/EncryptedKey.cs index 850fbd219..d4ff250c5 100644 --- a/crypto/src/asn1/crmf/EncryptedKey.cs +++ b/crypto/src/asn1/crmf/EncryptedKey.cs 
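Review bot: The tag loop in the private `RootCaKeyUpdateContent(Asn1Sequence seq)` constructor silently skips any tagged element whose tag number is neither 0 nor 1, and a repeated tag overwrites the earlier value. Encodings that do not match the SEQUENCE definition in the class comment are therefore accepted. Because this structure carries the certificates for a root CA key update, strict decoding seems preferable: close the chain with `else throw new ArgumentException("unknown tag number: " + ato.TagNo);` and reject a tag that has already been seen. If the current leniency is intended, a short comment on the loop saying that unknown tags are ignored and that order is not enforced would make that explicit.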
@@ -1,58 +1,44 @@ -using System; - -using Org.BouncyCastle.Asn1.Cms; +using Org.BouncyCastle.Asn1.Cms; namespace Org.BouncyCastle.Asn1.Crmf { public class EncryptedKey : Asn1Encodable, IAsn1Choice { - private readonly EnvelopedData envelopedData; - private readonly EncryptedValue encryptedValue; - - public static EncryptedKey GetInstance(object o) + public static EncryptedKey GetInstance(object obj) { - if (o is EncryptedKey) - { - return (EncryptedKey)o; - } - else if (o is Asn1TaggedObject) - { - return new EncryptedKey(EnvelopedData.GetInstance((Asn1TaggedObject)o, false)); - } - else if (o is EncryptedValue) - { - return new EncryptedKey((EncryptedValue)o); - } - else - { - return new EncryptedKey(EncryptedValue.GetInstance(o)); - } + if (obj is EncryptedKey encryptedKey) + return encryptedKey; + + if (obj is Asn1TaggedObject taggedObject) + return new EncryptedKey(EnvelopedData.GetInstance(taggedObject, false)); + + return new EncryptedKey(EncryptedValue.GetInstance(obj)); } + private readonly EnvelopedData m_envelopedData; + private readonly EncryptedValue m_encryptedValue; + public EncryptedKey(EnvelopedData envelopedData) { - this.envelopedData = envelopedData; + m_envelopedData = envelopedData; } public EncryptedKey(EncryptedValue encryptedValue) { - this.encryptedValue = encryptedValue; + m_encryptedValue = encryptedValue; } - public virtual bool IsEncryptedValue - { - get { return encryptedValue != null; } - } + public virtual bool IsEncryptedValue => m_encryptedValue != null; public virtual Asn1Encodable Value { get { - if (encryptedValue != null) - return encryptedValue; + if (m_encryptedValue != null) + return m_encryptedValue; - return envelopedData; + return m_envelopedData; } } 
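Review bot: `EncryptedKey.GetInstance` hands any `Asn1TaggedObject` to `EnvelopedData.GetInstance(taggedObject, false)` without checking its tag number, although `ToAsn1Object` in this class only ever emits tag 0 for the envelopedData alternative. A guard before that call, such as `if (taggedObject.TagNo != 0) throw new ArgumentException("unknown tag: " + taggedObject.TagNo);`, would reject other tags up front. Separately, a null argument falls through to `new EncryptedKey(EncryptedValue.GetInstance(obj))`. Since `EncryptedValue.GetInstance` returns null for null, the result is an EncryptedKey with both fields null, not the null that the other GetInstance methods in this commit return. If null-in, null-out is the intended contract, an early `if (obj == null) return null;` would match them.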
@@ -67,12 +53,10 @@ namespace Org.BouncyCastle.Asn1.Crmf */ public override Asn1Object ToAsn1Object() { - if (encryptedValue != null) - { - return encryptedValue.ToAsn1Object(); - } + if (m_encryptedValue != null) + return m_encryptedValue.ToAsn1Object(); - return new DerTaggedObject(false, 0, envelopedData); + return new DerTaggedObject(false, 0, m_envelopedData); } } } diff --git a/crypto/src/asn1/crmf/EncryptedValue.cs b/crypto/src/asn1/crmf/EncryptedValue.cs index 7c5cf18b4..ad3a4c3f7 100644 --- a/crypto/src/asn1/crmf/EncryptedValue.cs +++ b/crypto/src/asn1/crmf/EncryptedValue.cs @@ -7,6 +7,17 @@ namespace Org.BouncyCastle.Asn1.Crmf public class EncryptedValue : Asn1Encodable { + public static EncryptedValue GetInstance(object obj) + { + if (obj is EncryptedValue) + return (EncryptedValue)obj; + + if (obj != null) + return new EncryptedValue(Asn1Sequence.GetInstance(obj)); + + return null; + } + private readonly AlgorithmIdentifier intendedAlg; private readonly AlgorithmIdentifier symmAlg; private readonly DerBitString encSymmKey; 
@@ -17,45 +28,31 @@ namespace Org.BouncyCastle.Asn1.Crmf private EncryptedValue(Asn1Sequence seq) { int index = 0; - while (seq[index] is Asn1TaggedObject) + while (seq[index++] is Asn1TaggedObject tObj) { - Asn1TaggedObject tObj = (Asn1TaggedObject)seq[index]; - switch (tObj.TagNo) { - case 0: - intendedAlg = AlgorithmIdentifier.GetInstance(tObj, false); - break; - case 1: - symmAlg = AlgorithmIdentifier.GetInstance(tObj, false); - break; - case 2: - encSymmKey = DerBitString.GetInstance(tObj, false); - break; - case 3: - keyAlg = AlgorithmIdentifier.GetInstance(tObj, false); - break; - case 4: - valueHint = Asn1OctetString.GetInstance(tObj, false); - break; + case 0: + intendedAlg = AlgorithmIdentifier.GetInstance(tObj, false); + break; + case 1: + symmAlg = AlgorithmIdentifier.GetInstance(tObj, false); + break; + case 2: + encSymmKey = DerBitString.GetInstance(tObj, false); + break; + case 3: + keyAlg = AlgorithmIdentifier.GetInstance(tObj, false); + break; + case 4: + valueHint = Asn1OctetString.GetInstance(tObj, false); + break; } - ++index; } encValue = DerBitString.GetInstance(seq[index]); } - public static EncryptedValue GetInstance(object obj) - { - if (obj is EncryptedValue) - return (EncryptedValue)obj; - - if (obj != null) - return new EncryptedValue(Asn1Sequence.GetInstance(obj)); - - return null; - } - public EncryptedValue( AlgorithmIdentifier intendedAlg, AlgorithmIdentifier symmAlg, @@ -65,9 +62,7 @@ namespace Org.BouncyCastle.Asn1.Crmf DerBitString encValue) { if (encValue == null) - { - throw new ArgumentNullException("encValue"); - } + throw new ArgumentNullException(nameof(encValue)); this.intendedAlg = intendedAlg; this.symmAlg = symmAlg; @@ -109,6 +104,7 @@ namespace Org.BouncyCastle.Asn1.Crmf /** *
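Review bot: The rewritten loop header `while (seq[index++] is Asn1TaggedObject tObj)` in the private EncryptedValue constructor leaves `index` one past the first untagged element when the loop exits. `encValue = DerBitString.GetInstance(seq[index])` therefore no longer reads the mandatory encValue field, and for a sequence that ends with encValue the read falls off the end. The removed code tested `seq[index]` and incremented only inside the body; keep the pattern match but restore that ordering with `while (seq[index] is Asn1TaggedObject tObj)` and `++index;` as the last statement of the loop body. Neither version bounds `index` against `seq.Count`, so a sequence made only of tagged elements fails on the indexer with no descriptive exception. Adding `index < seq.Count &&` to the loop condition and an explicit check before the final read would make malformed input fail cleanly.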

+         * (IMPLICIT TAGS)
          * EncryptedValue ::= SEQUENCE {
          *                     intendedAlg   [0] AlgorithmIdentifier  OPTIONAL,
          *                     -- the intended algorithm for which the value will be used
-- 
cgit 1.4.1