[apple/security.git] / OSX / libsecurity_asn1 / asn1 / sm_x509af.asn

-- @(#) sm_x509af.asn 1.2 2/24/98 13:40:34 
AuthenticationFramework 
-- 
-- oid defined in sm_x501ud.asn
--
-- {joint-iso-ccitt ds(5) module(1) authenticationFramework(7) 3}

DEFINITIONS ::=

BEGIN

-- EXPORTS All --
-- The types and values defined in this module are exported for use in the 
-- other ASN.1 modules contained 
-- within the Directory Specifications, and for the use of other applications
-- which will use them to access Directory services. Other applications may 
-- use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory 
-- service.

IMPORTS

   BigIntegerStr
   FROM VdaEnhancedTypes

   id-at, informationFramework, upperBounds, selectedAttributeTypes, 
   basicAccessControl, certificateExtensions
      FROM UsefulDefinitions { usefulDefinitions }

   Name, Attribute, AttributeType
      FROM InformationFramework  { informationFramework }

   ub-password-length
      FROM UpperBounds  { upperBounds }

-- not used
--   AuthenticationLevel
--     FROM BasicAccessControl { basicAccessControl }

--   GeneralNames
--      FROM CertificateExtensions { certificateExtensions }

   GeneralNames
        FROM CommonX509Definitions

   UniqueIdentifier
      FROM SelectedAttributeTypes  { selectedAttributeTypes } ;

-- basic certificate definition

Certificate ::= SEQUENCE {
    certificateToSign    CertificateToSign,
    algorithmIdentifier  AlgorithmIdentifier,
    signatureValue       BIT STRING }

CertificateToSign ::=  SEQUENCE {
   version           [0]  Version DEFAULT v1,
   serialNumber           CertificateSerialNumber,
   signature              AlgorithmIdentifier,
   issuer                 Name,
   validity               Validity,
   subject                Name,
   subjectPublicKeyInfo   SubjectPublicKeyInfo,
                        -- if present, version must be v2 or v3
   issuerUniqueIdentifier   [1]   IMPLICIT UniqueIdentifier OPTIONAL,
                        -- if present, version must be v2 or v3
   subjectUniqueIdentifier  [2]   IMPLICIT UniqueIdentifier OPTIONAL,
                        -- If present, version must be v3 
   extensions         [3]   Extensions OPTIONAL }

Version            ::=   INTEGER { v1(0), v2(1), v3(2) }

-- CertificateSerialNumber   ::=   INTEGER

CertificateSerialNumber ::= BigIntegerStr


AlgorithmIdentifier      ::=   SEQUENCE {
   algorithm       OBJECT IDENTIFIER,
   parameters      ANY OPTIONAL }

Validity            ::=   SEQUENCE {
   notBefore   Time,
   notAfter    Time }

SubjectPublicKeyInfo   ::=   SEQUENCE {
   algorithm          AlgorithmIdentifier,
   subjectPublicKey   BIT STRING }

Time  ::=  CHOICE { 
   utcTime       UTCTime, 
   generalizedTime   GeneralizedTime }

Extensions ::= SEQUENCE OF Extension

-- For those extensions where ordering of individual extensions within the 
-- SEQUENCE is significant, the specification of those individual extensions
--  shall include the rules for the significance of the order therein

Extension ::= SEQUENCE {
   extnId      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
               -- extnValue contains a DER encoding
   extnValue   OCTET STRING }

-- other certifiate constructs

Certificates            ::=   SEQUENCE {
   userCertificate      Certificate,
   certificationPath    ForwardCertificationPath OPTIONAL }

ForwardCertificationPath ::=   SEQUENCE OF CrossCertificates

CrossCertificates ::=   SET OF Certificate

CertificationPath ::=   SEQUENCE {
   userCertificate      Certificate,
   theCACertificates    SEQUENCE OF CertificatePair OPTIONAL }

CertificatePair ::=   SEQUENCE {
   -- at least one of the pair shall be present
   forward      [0]   Certificate OPTIONAL, 
   reverse      [1]   Certificate OPTIONAL }

-- certificate revocation list (CRL)

CertificateList ::= SEQUENCE {
   crlToSign           CRLToSign,
   algorithmIdentifier AlgorithmIdentifier,
   signatureValue      BIT STRING }
   
CRLToSign ::= SEQUENCE {
   version           Version OPTIONAL, -- if present, version must be v2
   signature         AlgorithmIdentifier,
   issuer            Name,
   thisUpdate        Time,
   nextUpdate        Time OPTIONAL,
   revokedCertificates   SEQUENCE OF SEQUENCE {
         userCertificate      CertificateSerialNumber,
         revocationDate       Time,
         crlEntryExtensions   Extensions OPTIONAL } OPTIONAL,
   crlExtensions   [0]  Extensions OPTIONAL }

-- attribute certificate
AttributeCertificationPath  ::=  SEQUENCE {
   attributeCertificate   AttributeCertificate, 
   acPath      SEQUENCE OF ACPathData OPTIONAL }

ACPathData  ::=  SEQUENCE {
   certificate            [0]  Certificate  OPTIONAL,
   attributeCertificate   [1]  AttributeCertificate  OPTIONAL }

AttributeCertificate ::= SEQUENCE {
   attributeCertificateInfo AttributeCertificateInfo,
   algorithmIdentifier      AlgorithmIdentifier,
   signatureValue           BIT STRING }

AttributeCertificateInfo ::= SEQUENCE {
   version         Version DEFAULT v1,
   subject   CHOICE {
      baseCertificateID [0] IssuerSerial,    -- associated  with a Public Key 
                                             -- Certificate 
      subjectName       [1] GeneralNames },  -- associated  with a name 
   issuer                 GeneralNames, -- CA issuing the attribute certificate
   signature              AlgorithmIdentifier,
   serialNumber           CertificateSerialNumber,
   attCertValidityPeriod  AttCertValidityPeriod,
   attributes      SEQUENCE OF Attribute,
   issuerUniqueID   UniqueIdentifier OPTIONAL,
   extensions      Extensions OPTIONAL }

IssuerSerial  ::= SEQUENCE {
   issuer       GeneralNames,
   serial       CertificateSerialNumber,
   issuerUID    UniqueIdentifier OPTIONAL}

AttCertValidityPeriod ::= SEQUENCE {
   notBeforeTime   GeneralizedTime,
   notAfterTime   GeneralizedTime }

AttributeCertificateAssertion  ::=  SEQUENCE  {
   -- At least one component of the sequence must be present
   subject      [0]   CHOICE {
      baseCertificateID   [0]  IssuerSerial,
      subjectName         [1]  Name } OPTIONAL,
   issuer          [1]   Name OPTIONAL,
   attCertValidity [2]   GeneralizedTime OPTIONAL,
   attType         [3]   SET OF AttributeType OPTIONAL }

-- Apple addenda: abstract "signed CRL or cert". In this case the blob to be
-- signed is actually an encoded CertificateToSign or CRLToSign. Representing
-- that blob as an ASN ANY field allows for signature verify without decoding 
-- the entire CertificateToSign or CRLToSign.

SignedCertOrCrl ::= SEQUENCE {
    tbsBlob				ANY,
    algIdBlob  			ANY,
    signatureValue		BIT STRING }

-- attribute types --

UserPassword ::= OCTET STRING (SIZE (0..ub-password-length))

UserCertificate ::= Certificate

CACertificate ::= Certificate

CrossCertificatePair ::= CertificatePair

AuthorityRevocationList ::= CertificateList

CertificateRevocationList ::= CertificateList

AttributeCertificateRevocationList ::= CertificateList

-- object identifier assignments --
id-at-userPassword      OBJECT IDENTIFIER   ::=   {id-at 35} 
id-at-userCertificate      OBJECT IDENTIFIER   ::=   {id-at 36}
id-at-cAcertificate         OBJECT IDENTIFIER   ::=   {id-at 37}
id-at-authorityRevocationList   OBJECT IDENTIFIER   ::=   {id-at 38}
id-at-certificateRevocationList   OBJECT IDENTIFIER   ::=   {id-at 39}
id-at-crossCertificatePair      OBJECT IDENTIFIER   ::=   {id-at 40}
id-at-attributeCertificate      OBJECT IDENTIFIER   ::=   {id-at 58}

END
Commit	Line	Data
b1ab9ed8 A	1	-- @(#) sm_x509af.asn 1.2 2/24/98 13:40:34
	2	AuthenticationFramework
	3	--
	4	-- oid defined in sm_x501ud.asn
	5	--
	6	-- {joint-iso-ccitt ds(5) module(1) authenticationFramework(7) 3}
	7
	8	DEFINITIONS ::=
	9
	10	BEGIN
	11
	12	-- EXPORTS All --
	13	-- The types and values defined in this module are exported for use in the
	14	-- other ASN.1 modules contained
	15	-- within the Directory Specifications, and for the use of other applications
	16	-- which will use them to access Directory services. Other applications may
	17	-- use them for their own purposes, but this will not constrain
	18	-- extensions and modifications needed to maintain or improve the Directory
	19	-- service.
	20
	21	IMPORTS
	22
	23	BigIntegerStr
	24	FROM VdaEnhancedTypes
	25
	26	id-at, informationFramework, upperBounds, selectedAttributeTypes,
	27	basicAccessControl, certificateExtensions
	28	FROM UsefulDefinitions { usefulDefinitions }
	29
	30	Name, Attribute, AttributeType
	31	FROM InformationFramework { informationFramework }
	32
	33	ub-password-length
	34	FROM UpperBounds { upperBounds }
	35
	36	-- not used
	37	-- AuthenticationLevel
	38	-- FROM BasicAccessControl { basicAccessControl }
	39
	40	-- GeneralNames
	41	-- FROM CertificateExtensions { certificateExtensions }
	42
	43	GeneralNames
	44	FROM CommonX509Definitions
	45
	46	UniqueIdentifier
	47	FROM SelectedAttributeTypes { selectedAttributeTypes } ;
	48
	49	-- basic certificate definition
	50
	51	Certificate ::= SEQUENCE {
	52	certificateToSign CertificateToSign,
	53	algorithmIdentifier AlgorithmIdentifier,
	54	signatureValue BIT STRING }
	55
	56	CertificateToSign ::= SEQUENCE {
	57	version [0] Version DEFAULT v1,
	58	serialNumber CertificateSerialNumber,
	59	signature AlgorithmIdentifier,
	60	issuer Name,
	61	validity Validity,
	62	subject Name,
	63	subjectPublicKeyInfo SubjectPublicKeyInfo,
	64	-- if present, version must be v2 or v3
65	issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL,
66	-- if present, version must be v2 or v3
67	subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
68	-- If present, version must be v3
69	extensions [3] Extensions OPTIONAL }
70
71	Version ::= INTEGER { v1(0), v2(1), v3(2) }
72
73	-- CertificateSerialNumber ::= INTEGER
74
75	CertificateSerialNumber ::= BigIntegerStr
76
77
78	AlgorithmIdentifier ::= SEQUENCE {
79	algorithm OBJECT IDENTIFIER,
80	parameters ANY OPTIONAL }
81
82	Validity ::= SEQUENCE {
83	notBefore Time,
84	notAfter Time }
85
86	SubjectPublicKeyInfo ::= SEQUENCE {
87	algorithm AlgorithmIdentifier,
88	subjectPublicKey BIT STRING }
89
90	Time ::= CHOICE {
91	utcTime UTCTime,
92	generalizedTime GeneralizedTime }
93
94	Extensions ::= SEQUENCE OF Extension
95
96	-- For those extensions where ordering of individual extensions within the
97	-- SEQUENCE is significant, the specification of those individual extensions
98	-- shall include the rules for the significance of the order therein
99
100	Extension ::= SEQUENCE {
101	extnId OBJECT IDENTIFIER,
102	critical BOOLEAN DEFAULT FALSE,
103	-- extnValue contains a DER encoding
104	extnValue OCTET STRING }
105
106	-- other certifiate constructs
107
108	Certificates ::= SEQUENCE {
109	userCertificate Certificate,
110	certificationPath ForwardCertificationPath OPTIONAL }
111
112	ForwardCertificationPath ::= SEQUENCE OF CrossCertificates
113
114	CrossCertificates ::= SET OF Certificate
115
116	CertificationPath ::= SEQUENCE {
117	userCertificate Certificate,
118	theCACertificates SEQUENCE OF CertificatePair OPTIONAL }
119
120	CertificatePair ::= SEQUENCE {
121	-- at least one of the pair shall be present
122	forward [0] Certificate OPTIONAL,
123	reverse [1] Certificate OPTIONAL }
124
125	-- certificate revocation list (CRL)
126
127	CertificateList ::= SEQUENCE {
128	crlToSign CRLToSign,
129	algorithmIdentifier AlgorithmIdentifier,
130	signatureValue BIT STRING }
131
132	CRLToSign ::= SEQUENCE {
133	version Version OPTIONAL, -- if present, version must be v2
134	signature AlgorithmIdentifier,
135	issuer Name,
136	thisUpdate Time,
137	nextUpdate Time OPTIONAL,
138	revokedCertificates SEQUENCE OF SEQUENCE {
139	userCertificate CertificateSerialNumber,
140	revocationDate Time,
141	crlEntryExtensions Extensions OPTIONAL } OPTIONAL,
142	crlExtensions [0] Extensions OPTIONAL }
143
144	-- attribute certificate
145	AttributeCertificationPath ::= SEQUENCE {
146	attributeCertificate AttributeCertificate,
147	acPath SEQUENCE OF ACPathData OPTIONAL }
148
149	ACPathData ::= SEQUENCE {
150	certificate [0] Certificate OPTIONAL,
151	attributeCertificate [1] AttributeCertificate OPTIONAL }
152
153	AttributeCertificate ::= SEQUENCE {
154	attributeCertificateInfo AttributeCertificateInfo,
155	algorithmIdentifier AlgorithmIdentifier,
156	signatureValue BIT STRING }
157
158	AttributeCertificateInfo ::= SEQUENCE {
159	version Version DEFAULT v1,
160	subject CHOICE {
161	baseCertificateID [0] IssuerSerial, -- associated with a Public Key
162	-- Certificate
163	subjectName [1] GeneralNames }, -- associated with a name
164	issuer GeneralNames, -- CA issuing the attribute certificate
165	signature AlgorithmIdentifier,
166	serialNumber CertificateSerialNumber,
167	attCertValidityPeriod AttCertValidityPeriod,
168	attributes SEQUENCE OF Attribute,
169	issuerUniqueID UniqueIdentifier OPTIONAL,
170	extensions Extensions OPTIONAL }
171
172	IssuerSerial ::= SEQUENCE {
173	issuer GeneralNames,
174	serial CertificateSerialNumber,
175	issuerUID UniqueIdentifier OPTIONAL}
176
177	AttCertValidityPeriod ::= SEQUENCE {
178	notBeforeTime GeneralizedTime,
179	notAfterTime GeneralizedTime }
180
181	AttributeCertificateAssertion ::= SEQUENCE {
182	-- At least one component of the sequence must be present
183	subject [0] CHOICE {
184	baseCertificateID [0] IssuerSerial,
185	subjectName [1] Name } OPTIONAL,
186	issuer [1] Name OPTIONAL,
187	attCertValidity [2] GeneralizedTime OPTIONAL,
188	attType [3] SET OF AttributeType OPTIONAL }
189
190	-- Apple addenda: abstract "signed CRL or cert". In this case the blob to be
191	-- signed is actually an encoded CertificateToSign or CRLToSign. Representing
192	-- that blob as an ASN ANY field allows for signature verify without decoding
193	-- the entire CertificateToSign or CRLToSign.
194
195	SignedCertOrCrl ::= SEQUENCE {
196	tbsBlob ANY,
197	algIdBlob ANY,
198	signatureValue BIT STRING }
199
200	-- attribute types --
201
202	UserPassword ::= OCTET STRING (SIZE (0..ub-password-length))
203
204	UserCertificate ::= Certificate
205
206	CACertificate ::= Certificate
207
208	CrossCertificatePair ::= CertificatePair
209
210	AuthorityRevocationList ::= CertificateList
211
212	CertificateRevocationList ::= CertificateList
213
214	AttributeCertificateRevocationList ::= CertificateList
215
216	-- object identifier assignments --
217	id-at-userPassword OBJECT IDENTIFIER ::= {id-at 35}
218	id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
219	id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
220	id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
221	id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
222	id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
223	id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
224
225	END