-- Module CertificateExtensions (X.509:03/2000)
--
-- Review notes:
--  * An ASN.1 comment runs from a pair of hyphens to the next pair or to the end
--    of the line.  This listing is only parseable with one statement or comment
--    per line; the collapsed one-line form commented out the module header and
--    the closing brace of at least one CHOICE.
--  * The module is IMPLICIT TAGS.  Every context tag is implicit unless the
--    keyword EXPLICIT is written, with one exception that matters for X.509
--    decoders: X.680 does not permit IMPLICIT on an untagged CHOICE (Name,
--    GeneralName, DistributionPointName, DirectoryString are all CHOICE types),
--    so such components must be written untagged or EXPLICIT to obtain the
--    constructed context tag that X.509 and RFC 5280 specify on the wire.
CertificateExtensions {joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 4}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORTS ALL
IMPORTS
  -- id-ce is the arc under which every extension OID at the end of this module hangs
  id-at, id-ce, id-mr, informationFramework, authenticationFramework,
    selectedAttributeTypes, upperBounds
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 4}
  -- Name is a CHOICE in X.501 (see tagging note above)
  Name, RelativeDistinguishedName, ATTRIBUTE, Attribute, MATCHING-RULE
    FROM InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1) 4}
  CertificateSerialNumber, CertificateList, AlgorithmIdentifier, EXTENSION, Time, PolicyID
    FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 4}
  -- DirectoryString is a CHOICE of string types (see tagging note above)
  DirectoryString
    FROM SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 4}
  ub-name
    FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 4}
  ORAddress
    FROM MTSAbstractService {joint-iso-itu-t mhs(6) mts(3) modules(0) mts-abstract-service(1) version-1999(1)};

-- Unless explicitly noted otherwise, there is no significance to the ordering
-- of components of a SEQUENCE OF construct in this Specification.
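-- public-key certificate and CRL extensions
--
-- Review notes (changes relative to the pretty-printed listing):
--  * Components whose type is a CHOICE (Name, GeneralName, DistributionPointName,
--    DirectoryString, AltNameType) are now tagged EXPLICIT.  X.680 does not allow
--    IMPLICIT on an untagged CHOICE, and X.509 / RFC 5280 encode these fields as a
--    constructed context tag wrapping the chosen alternative.  A compiler that
--    honoured the literal IMPLICIT would reject the module or, worse, generate a
--    decoder that mis-parses directoryName subject alternative names, name
--    constraint subtrees and CRL distribution points.  Each such change is marked
--    inline.
--  * No other type, tag or OID was changed.  Remaining deviations from X.509 that
--    a validator has to compensate for are flagged in NOTE(review) comments.

-- authorityKeyIdentifier EXTENSION ::= {
--   SYNTAX AuthorityKeyIdentifier
--   IDENTIFIED BY id-ce-authorityKeyIdentifier
-- }
-- Either keyIdentifier alone, or authorityCertIssuer together with
-- authorityCertSerialNumber (see the WITH COMPONENTS constraint kept as a
-- comment below).  This is a hint for locating the issuer certificate, not proof
-- of issuance; the signature check on the path remains authoritative.
AuthorityKeyIdentifier ::= SEQUENCE {
  keyIdentifier              [0] IMPLICIT KeyIdentifier OPTIONAL,
  authorityCertIssuer        [1] IMPLICIT GeneralNames OPTIONAL,
  authorityCertSerialNumber  [2] IMPLICIT CertificateSerialNumber OPTIONAL
}
-- (WITH COMPONENTS {
--   ...,
--   authorityCertIssuer PRESENT,
--   authorityCertSerialNumber PRESENT
-- } |
-- WITH COMPONENTS {
--   ...,
--   authorityCertIssuer ABSENT,
--   authorityCertSerialNumber ABSENT
-- })

KeyIdentifier ::= OCTET STRING

-- subjectKeyIdentifier EXTENSION ::= {
--   SYNTAX SubjectKeyIdentifier
--   IDENTIFIED BY id-ce-subjectKeyIdentifier
-- }
SubjectKeyIdentifier ::= KeyIdentifier

-- keyUsage EXTENSION ::= {SYNTAX KeyUsage
--   IDENTIFIED BY id-ce-keyUsage
-- }
-- Bit positions are those fixed by X.509; later editions rename bit 1 to
-- contentCommitment without changing its position.  RFC 5280 allows keyCertSign
-- only in certificates whose basicConstraints cA is TRUE; that cross-check is a
-- path-validation rule and is not expressed by this syntax.
KeyUsage ::= BIT STRING {
  digitalSignature(0),
  nonRepudiation(1),
  keyEncipherment(2),
  dataEncipherment(3),
  keyAgreement(4),
  keyCertSign(5),
  cRLSign(6),
  encipherOnly(7),
  decipherOnly(8)
}

-- extKeyUsage EXTENSION ::= {
--   SYNTAX KeyPurposeIDs
--   IDENTIFIED BY id-ce-extKeyUsage
-- }
KeyPurposeIDs ::= SEQUENCE OF KeyPurposeId

KeyPurposeId ::= OBJECT IDENTIFIER

-- privateKeyUsagePeriod EXTENSION ::= {
--   SYNTAX PrivateKeyUsagePeriod
--   IDENTIFIED BY id-ce-privateKeyUsagePeriod
-- }
PrivateKeyUsagePeriod ::= SEQUENCE {
  notBefore  [0] IMPLICIT GeneralizedTime OPTIONAL,
  notAfter   [1] IMPLICIT GeneralizedTime OPTIONAL
}
-- (WITH COMPONENTS {
--   ...,
--   notBefore PRESENT
-- } | WITH COMPONENTS {
--   ...,
--   notAfter PRESENT
-- })
--
-- certificatePolicies EXTENSION ::= {
--   SYNTAX CertificatePoliciesSyntax
--   IDENTIFIED BY id-ce-certificatePolicies
-- }
CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
  policyIdentifier  CertPolicyId,
  policyQualifiers  SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
}

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierId ::= OBJECT IDENTIFIER

-- Open type standing in for CERT-POLICY-QUALIFIER.&Qualifier (the information
-- object class is kept as a comment below).  A decoder receives the raw encoding
-- here and must validate it against the syntax expected for policyQualifierId.
PolicyQualifierValue ::= ANY

PolicyQualifierInfo ::= SEQUENCE {
  policyQualifierId  PolicyQualifierId,
  qualifier          PolicyQualifierValue OPTIONAL
}

-- SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::=
--   {...}
--
-- anyPolicy OBJECT IDENTIFIER ::= {2 5 29 32 0}
-- NOTE(review): anyPolicy is commented out, so this module defines no value for
-- it; certificate-policy processing and inhibitAnyPolicy need it from elsewhere.
--
-- CERT-POLICY-QUALIFIER ::= CLASS {
--   &id OBJECT IDENTIFIER UNIQUE,
--   &Qualifier OPTIONAL
-- }WITH SYNTAX {POLICY-QUALIFIER-ID &id
--   [QUALIFIER-TYPE &Qualifier]
-- }
--
-- policyMappings EXTENSION ::= {
--   SYNTAX PolicyMappingsSyntax
--   IDENTIFIED BY id-ce-policyMappings
-- }
PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
  issuerDomainPolicy   CertPolicyId,
  subjectDomainPolicy  CertPolicyId
}

-- subjectAltName EXTENSION ::= {
--   SYNTAX GeneralNames
--   IDENTIFIED BY id-ce-subjectAltName
-- }
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- Name forms are only loosely typed here: rfc822Name, dNSName and
-- uniformResourceIdentifier are bare IA5String (RFC 5280 restricts their content
-- and embedded NUL octets are a classic hostname-matching pitfall), and iPAddress
-- is an opaque OCTET STRING (RFC 5280 expects 4 or 16 octets in subjectAltName
-- and 8 or 32 octets, address plus mask, inside a name constraint).  Those checks
-- are the consumer's responsibility.
GeneralName ::= CHOICE {
  otherName                  [0] IMPLICIT --INSTANCE OF OTHER-NAME-- OtherName,
  rfc822Name                 [1] IMPLICIT IA5String,
  dNSName                    [2] IMPLICIT IA5String,
  x400Address                [3] IMPLICIT ORAddress,
  -- Name is a CHOICE: tag must be EXPLICIT (listing had IMPLICIT)
  directoryName              [4] EXPLICIT Name,
  ediPartyName               [5] IMPLICIT EDIPartyName,
  uniformResourceIdentifier  [6] IMPLICIT IA5String,
  iPAddress                  [7] IMPLICIT OCTET STRING,
  registeredID               [8] IMPLICIT OBJECT IDENTIFIER
}

-- OTHER-NAME ::= TYPE-IDENTIFIER
-- value is an open type keyed by type-id; validate its contents per OID.
OtherName ::= SEQUENCE {
  type-id  OtherNameType,
  value    [0] EXPLICIT OtherNameValue
}

OtherNameType ::= OBJECT IDENTIFIER

OtherNameValue ::= ANY

-- DirectoryString is a CHOICE of string types, so both tags are EXPLICIT
-- (listing had IMPLICIT).
EDIPartyName ::= SEQUENCE {
  nameAssigner  [0] EXPLICIT DirectoryString OPTIONAL,
  partyName     [1] EXPLICIT DirectoryString
}

-- issuerAltName EXTENSION ::= {
--   SYNTAX GeneralNames
--   IDENTIFIED BY id-ce-issuerAltName
-- }
--
-- subjectDirectoryAttributes EXTENSION ::= {
--   SYNTAX AttributesSyntax
--   IDENTIFIED BY id-ce-subjectDirectoryAttributes
-- }
AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute

-- basicConstraints EXTENSION ::= {
--   SYNTAX BasicConstraintsSyntax
--   IDENTIFIED BY id-ce-basicConstraints
-- }
-- NOTE(review): X.509 and RFC 5280 declare pathLenConstraint as INTEGER (0..MAX);
-- this listing leaves it unconstrained, so a validator built on it must reject
-- negative values itself.  pathLenConstraint is only meaningful when cA is TRUE.
-- Under DER a cA of FALSE is omitted rather than encoded; a decoder that accepts
-- an explicitly encoded FALSE is being lenient.
BasicConstraintsSyntax ::= SEQUENCE {
  cA                 BOOLEAN DEFAULT FALSE,
  pathLenConstraint  INTEGER OPTIONAL
}

-- nameConstraints EXTENSION ::= {
--   SYNTAX NameConstraintsSyntax
--   IDENTIFIED BY id-ce-nameConstraints
-- }
-- X.509 and RFC 5280 require at least one of the two lists to be present, and
-- excludedSubtrees takes precedence over permittedSubtrees.
-- NOTE(review): the standard declares GeneralSubtrees as SEQUENCE SIZE (1..MAX) OF;
-- with the unconstrained SEQUENCE OF below an empty permittedSubtrees is
-- representable and ambiguous (permit nothing vs. no constraint).
NameConstraintsSyntax ::= SEQUENCE {
  permittedSubtrees  [0] IMPLICIT GeneralSubtrees OPTIONAL,
  excludedSubtrees   [1] IMPLICIT GeneralSubtrees OPTIONAL
}

GeneralSubtrees ::= SEQUENCE OF GeneralSubtree

-- RFC 5280 requires minimum to be 0 and maximum to be absent.
GeneralSubtree ::= SEQUENCE {
  base     GeneralName,
  minimum  [0] IMPLICIT BaseDistance DEFAULT 0,
  maximum  [1] IMPLICIT BaseDistance OPTIONAL
}

BaseDistance ::= INTEGER(0..MAX)

-- policyConstraints EXTENSION ::= {
--   SYNTAX PolicyConstraintsSyntax
--   IDENTIFIED BY id-ce-policyConstraints
-- }
PolicyConstraintsSyntax ::= SEQUENCE {
  requireExplicitPolicy  [0] IMPLICIT SkipCerts OPTIONAL,
  inhibitPolicyMapping   [1] IMPLICIT SkipCerts OPTIONAL
}

SkipCerts ::= INTEGER(0..MAX)

-- cRLNumber EXTENSION ::= {
--   SYNTAX CRLNumber
--   IDENTIFIED BY id-ce-cRLNumber
-- }
CRLNumber ::= INTEGER(0..MAX)

-- reasonCode EXTENSION ::= {
--   SYNTAX CRLReason
--   IDENTIFIED BY id-ce-reasonCode
-- }
-- Value 7 is deliberately unassigned.  removeFromCRL(8) is only meaningful in a
-- delta CRL (it lifts an earlier certificateHold).
CRLReason ::= ENUMERATED {
  unspecified(0),
  keyCompromise(1),
  cACompromise(2),
  affiliationChanged(3),
  superseded(4),
  cessationOfOperation(5),
  certificateHold(6),
  removeFromCRL(8),
  privilegeWithdrawn(9),
  aaCompromise(10)
}

-- holdInstructionCode EXTENSION ::= {
--   SYNTAX HoldInstruction
--   IDENTIFIED BY id-ce-instructionCode
-- }
HoldInstruction ::= OBJECT IDENTIFIER

-- invalidityDate EXTENSION ::= {
--   SYNTAX GeneralizedTime
--   IDENTIFIED BY id-ce-invalidityDate
-- }
--
-- crlScope EXTENSION ::= {
--   SYNTAX CRLScopeSyntax
--   IDENTIFIED BY id-ce-cRLScope
-- }
CRLScopeSyntax ::= SEQUENCE SIZE (1..MAX) OF PerAuthorityScope

-- Tags 3 and 8 are unassigned, as in X.509.
PerAuthorityScope ::= SEQUENCE {
  -- GeneralName and DistributionPointName are CHOICE types: EXPLICIT (listing had IMPLICIT)
  authorityName       [0] EXPLICIT GeneralName OPTIONAL,
  distributionPoint   [1] EXPLICIT DistributionPointName OPTIONAL,
  onlyContains        [2] IMPLICIT OnlyCertificateTypes OPTIONAL,
  onlySomeReasons     [4] IMPLICIT ReasonFlags OPTIONAL,
  serialNumberRange   [5] IMPLICIT NumberRange OPTIONAL,
  subjectKeyIdRange   [6] IMPLICIT NumberRange OPTIONAL,
  nameSubtrees        [7] IMPLICIT GeneralNames OPTIONAL,
  baseRevocationInfo  [9] IMPLICIT BaseRevocationInfo OPTIONAL
}

OnlyCertificateTypes ::= BIT STRING {
  userPublicKey(0),
  cA(1),
  userAttribute(2),
  aA(3),
  sOAPublicKey(4)
}

NumberRange ::= SEQUENCE {
  startingNumber  [0] IMPLICIT INTEGER OPTIONAL,
  endingNumber    [1] IMPLICIT INTEGER OPTIONAL,
  modulus         INTEGER OPTIONAL
}

BaseRevocationInfo ::= SEQUENCE {
  cRLStreamIdentifier  [0] IMPLICIT CRLStreamIdentifier OPTIONAL,
  cRLNumber            [1] IMPLICIT CRLNumber,
  baseThisUpdate       [2] IMPLICIT GeneralizedTime
}

-- statusReferrals EXTENSION ::= {
--   SYNTAX StatusReferrals
--   IDENTIFIED BY id-ce-statusReferrals
-- }
StatusReferrals ::= SEQUENCE SIZE (1..MAX) OF StatusReferral

-- The closing brace must be on its own line: a brace following the commented-out
-- otherReferral alternative would itself be swallowed by the comment.
StatusReferral ::= CHOICE {
  cRLReferral  [0] IMPLICIT CRLReferral
  -- otherReferral [1] IMPLICIT INSTANCE OF OTHER-REFERRAL
}

-- location is where the referenced CRL is fetched from; treat it as untrusted
-- input like any other URI carried in a certificate or CRL.
CRLReferral ::= SEQUENCE {
  -- GeneralName is a CHOICE: EXPLICIT (listing had IMPLICIT)
  issuer          [0] EXPLICIT GeneralName OPTIONAL,
  location        [1] EXPLICIT GeneralName OPTIONAL,
  deltaRefInfo    [2] IMPLICIT DeltaRefInfo OPTIONAL,
  cRLScope        CRLScopeSyntax,
  lastUpdate      [3] IMPLICIT GeneralizedTime OPTIONAL,
  lastChangedCRL  [4] IMPLICIT GeneralizedTime OPTIONAL
}

DeltaRefInfo ::= SEQUENCE {
  deltaLocation  GeneralName,
  lastDelta      GeneralizedTime OPTIONAL
}

-- OTHER-REFERRAL ::= TYPE-IDENTIFIER
--
-- cRLStreamIdentifier EXTENSION ::= {
--   SYNTAX CRLStreamIdentifier
--   IDENTIFIED BY id-ce-cRLStreamIdentifier
-- }
CRLStreamIdentifier ::= INTEGER(0..MAX)

-- orderedList EXTENSION ::= {
--   SYNTAX OrderedListSyntax
--   IDENTIFIED BY id-ce-orderedList
-- }
OrderedListSyntax ::= ENUMERATED {ascSerialNum(0), ascRevDate(1)}

-- deltaInfo EXTENSION ::= {
--   SYNTAX DeltaInformation
--   IDENTIFIED BY id-ce-deltaInfo
-- }
DeltaInformation ::= SEQUENCE {
  deltaLocation  GeneralName,
  nextDelta      GeneralizedTime OPTIONAL
}

-- cRLDistributionPoints EXTENSION ::= {
--   SYNTAX CRLDistPointsSyntax
--   IDENTIFIED BY id-ce-cRLDistributionPoints
-- }
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

-- When cRLIssuer is present the CRL is signed by a different entity than the
-- certificate issuer; the validator must verify that indirect CRL against a
-- trusted key for cRLIssuer, not against the certificate issuer's key.
DistributionPoint ::= SEQUENCE {
  -- DistributionPointName is a CHOICE: EXPLICIT (listing had IMPLICIT).  This is
  -- the familiar [0] wrapping [0] fullName seen in real certificates.
  distributionPoint  [0] EXPLICIT DistributionPointName OPTIONAL,
  reasons            [1] IMPLICIT ReasonFlags OPTIONAL,
  cRLIssuer          [2] IMPLICIT GeneralNames OPTIONAL
}

DistributionPointName ::= CHOICE {
  fullName                 [0] IMPLICIT GeneralNames,
  nameRelativeToCRLIssuer  [1] IMPLICIT RelativeDistinguishedName
}

-- Bit numbering differs from CRLReason: here privilegeWithdrawn is 7 and
-- aACompromise is 8, with bit 0 unused.
ReasonFlags ::= BIT STRING {
  unused(0),
  keyCompromise(1),
  cACompromise(2),
  affiliationChanged(3),
  superseded(4),
  cessationOfOperation(5),
  certificateHold(6),
  privilegeWithdrawn(7),
  aACompromise(8)
}

-- issuingDistributionPoint EXTENSION ::= {
--   SYNTAX IssuingDistPointSyntax
--   IDENTIFIED BY id-ce-issuingDistributionPoint
-- }
-- If containsUserPublicKeyCerts, containsCACerts, containsUserAttributeCerts,
-- containsAACerts and containsSOAPublicKeyCerts are all absent or FALSE, the CRL
-- covers all of these certificate types.
-- indirectCRL TRUE means entries may belong to issuers other than the CRL signer;
-- the per-entry certificateIssuer extension then identifies the issuer, and a
-- validator that ignores it can match a revocation entry to the wrong certificate.
-- A CRL carrying this extension must only be used for certificates whose
-- distribution point and reason flags fall within the scope declared here.
IssuingDistPointSyntax ::= SEQUENCE {
  -- DistributionPointName is a CHOICE: EXPLICIT (listing had IMPLICIT)
  distributionPoint           [0] EXPLICIT DistributionPointName OPTIONAL,
  containsUserPublicKeyCerts  [1] IMPLICIT BOOLEAN DEFAULT FALSE,
  containsCACerts             [2] IMPLICIT BOOLEAN DEFAULT FALSE,
  onlySomeReasons             [3] IMPLICIT ReasonFlags OPTIONAL,
  indirectCRL                 [4] IMPLICIT BOOLEAN DEFAULT FALSE,
  containsUserAttributeCerts  [5] IMPLICIT BOOLEAN DEFAULT FALSE,
  containsAACerts             [6] IMPLICIT BOOLEAN DEFAULT FALSE,
  containsSOAPublicKeyCerts   [7] IMPLICIT BOOLEAN DEFAULT FALSE
}

-- certificateIssuer EXTENSION ::= {
--   SYNTAX GeneralNames
--   IDENTIFIED BY id-ce-certificateIssuer
-- }
--
-- deltaCRLIndicator EXTENSION ::= {
--   SYNTAX BaseCRLNumber
--   IDENTIFIED BY id-ce-deltaCRLIndicator
-- }
BaseCRLNumber ::= CRLNumber

-- baseUpdateTime EXTENSION ::= {
--   SYNTAX GeneralizedTime
--   IDENTIFIED BY id-ce-baseUpdateTime
-- }
--
-- freshestCRL EXTENSION ::= {
--   SYNTAX CRLDistPointsSyntax
--   IDENTIFIED BY id-ce-freshestCRL
-- }
--
-- inhibitAnyPolicy EXTENSION ::= {
--   SYNTAX SkipCerts
--   IDENTIFIED BY id-ce-inhibitAnyPolicy
-- }
--
-- PKI matching rules
--
-- These assertion syntaxes are directory (LDAP/DAP) search filters, not
-- certificate contents.  NOTE(review): the Time-typed fields of the X.509
-- assertions (certificateValid, thisUpdate, dateAndTime) are commented out in
-- this listing, so the assertions below are narrower than the standard's;
-- presumably dropped because Time is a CHOICE the original toolchain could not
-- handle, but that is an inference.
--
-- certificateExactMatch MATCHING-RULE ::= {
--   SYNTAX CertificateExactAssertion
--   ID id-mr-certificateExactMatch
-- }
CertificateExactAssertion ::= SEQUENCE {
  serialNumber  CertificateSerialNumber,
  issuer        Name
}

-- certificateMatch MATCHING-RULE ::= {
--   SYNTAX CertificateAssertion
--   ID id-mr-certificateMatch
-- }
CertificateAssertion ::= SEQUENCE {
  serialNumber            [0] IMPLICIT CertificateSerialNumber OPTIONAL,
  -- Name and AltNameType are CHOICE types: EXPLICIT (listing had IMPLICIT)
  issuer                  [1] EXPLICIT Name OPTIONAL,
  subjectKeyIdentifier    [2] IMPLICIT SubjectKeyIdentifier OPTIONAL,
  authorityKeyIdentifier  [3] IMPLICIT AuthorityKeyIdentifier OPTIONAL,
  -- certificateValid [4] IMPLICIT Time OPTIONAL,
  privateKeyValid         [5] IMPLICIT GeneralizedTime OPTIONAL,
  subjectPublicKeyAlgID   [6] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
  keyUsage                [7] IMPLICIT KeyUsage OPTIONAL,
  subjectAltName          [8] EXPLICIT AltNameType OPTIONAL,
  policy                  [9] IMPLICIT CertPolicySet OPTIONAL,
  pathToName              [10] EXPLICIT Name OPTIONAL,
  subject                 [11] EXPLICIT Name OPTIONAL,
  nameConstraints         [12] IMPLICIT NameConstraintsSyntax OPTIONAL
}

AltNameType ::= CHOICE {
  builtinNameForm  ENUMERATED {
    rfc822Name(1),
    dNSName(2),
    x400Address(3),
    directoryName(4),
    ediPartyName(5),
    uniformResourceIdentifier(6),
    iPAddress(7),
    registeredId(8)
  },
  otherNameForm    OBJECT IDENTIFIER
}

CertPolicySet ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId

-- certificatePairExactMatch MATCHING-RULE ::= {
--   SYNTAX CertificatePairExactAssertion
--   ID id-mr-certificatePairExactMatch
-- }
CertificatePairExactAssertion ::= SEQUENCE {
  issuedToThisCAAssertion  [0] IMPLICIT CertificateExactAssertion OPTIONAL,
  issuedByThisCAAssertion  [1] IMPLICIT CertificateExactAssertion OPTIONAL
}
-- (WITH COMPONENTS {
--   ...,
--   issuedToThisCAAssertion PRESENT
-- } | WITH COMPONENTS {
--   ...,
--   issuedByThisCAAssertion PRESENT
-- })
--
-- certificatePairMatch MATCHING-RULE ::= {
--   SYNTAX CertificatePairAssertion
--   ID id-mr-certificatePairMatch
-- }
CertificatePairAssertion ::= SEQUENCE {
  issuedToThisCAAssertion  [0] IMPLICIT CertificateAssertion OPTIONAL,
  issuedByThisCAAssertion  [1] IMPLICIT CertificateAssertion OPTIONAL
}
-- (WITH COMPONENTS {
--   ...,
--   issuedToThisCAAssertion PRESENT
-- } | WITH COMPONENTS {
--   ...,
--   issuedByThisCAAssertion PRESENT
-- })
--
-- certificateListExactMatch MATCHING-RULE ::= {
--   SYNTAX CertificateListExactAssertion
--   ID id-mr-certificateListExactMatch
-- }
CertificateListExactAssertion ::= SEQUENCE {
  issuer             Name,
  -- thisUpdate Time,
  distributionPoint  DistributionPointName OPTIONAL
}

-- certificateListMatch MATCHING-RULE ::= {
--   SYNTAX CertificateListAssertion
--   ID id-mr-certificateListMatch
-- }
CertificateListAssertion ::= SEQUENCE {
  issuer                  Name OPTIONAL,
  minCRLNumber            [0] IMPLICIT CRLNumber OPTIONAL,
  maxCRLNumber            [1] IMPLICIT CRLNumber OPTIONAL,
  reasonFlags             ReasonFlags OPTIONAL,
  -- dateAndTime Time OPTIONAL,
  -- DistributionPointName is a CHOICE: EXPLICIT (listing had IMPLICIT)
  distributionPoint       [2] EXPLICIT DistributionPointName OPTIONAL,
  authorityKeyIdentifier  [3] IMPLICIT AuthorityKeyIdentifier OPTIONAL
}

-- algorithmIdentifierMatch MATCHING-RULE ::= {
--   SYNTAX AlgorithmIdentifier
--   ID id-mr-algorithmIdentifierMatch
-- }
--
-- policyMatch MATCHING-RULE ::= {SYNTAX PolicyID
--   ID id-mr-policyMatch
-- }
--
-- pkiPathMatch MATCHING-RULE ::= {
--   SYNTAX PkiPathMatchSyntax
--   ID id-mr-pkiPathMatch
-- }
PkiPathMatchSyntax ::= SEQUENCE {
  firstIssuer  Name,
  lastSubject  Name
}

-- Object identifier assignments
-- All hang off id-ce (2 5 29).  Extensions a relying party must treat as
-- critical when so marked (keyUsage, basicConstraints, nameConstraints,
-- policyConstraints, inhibitAnyPolicy) are in this list; an unrecognised
-- critical extension must cause path validation to fail.
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14}
id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15}
id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16}
id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17}
id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18}
id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19}
id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20}
id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21}
id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23}
id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24}
id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27}
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28}
id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29}
id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30}
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32}
id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33}
-- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35}
id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36}
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
id-ce-cRLStreamIdentifier OBJECT IDENTIFIER ::= {id-ce 40}
id-ce-cRLScope OBJECT IDENTIFIER ::= {id-ce 44}
id-ce-statusReferrals OBJECT IDENTIFIER ::= {id-ce 45}
id-ce-freshestCRL OBJECT IDENTIFIER ::= {id-ce 46}
id-ce-orderedList OBJECT IDENTIFIER ::= {id-ce 47}
id-ce-baseUpdateTime OBJECT IDENTIFIER ::= {id-ce 51}
id-ce-deltaInfo OBJECT IDENTIFIER ::= {id-ce 53}
id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= {id-ce 54}

-- matching rule OIDs
-- id-mr-certificateExactMatch OBJECT IDENTIFIER ::=
--   {id-mr 34}
--
-- id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}
--
-- id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}
--
-- id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}
--
-- id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}
--
-- id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}
--
-- id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}
--
-- id-mr-policyMatch OBJECT IDENTIFIER ::= {id-mr 60}
--
-- id-mr-pkiPathMatch OBJECT IDENTIFIER ::= {id-mr 62}
--
-- The following OBJECT IDENTIFIERS are not used by this Specification:
-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
-- {id-ce 22}, {id-ce 25}, {id-ce 26}

END

-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D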