[apple/security.git] / OSX / libsecurity_asn1 / asn1 / sm_x509ce.asn

-- @(#) sm_x509ce.asn 1.3 3/4/98 15:25:14 
CertificateExtensions 
--
-- oid defined sm_x501ud.asn
-- {joint-iso-ccitt ds(5) module(1) certificateExtensions(26) 0}

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- EXPORTS ALL

IMPORTS
   id-at, id-ce, id-mr, informationFramework, authenticationFramework,
      selectedAttributeTypes, upperBounds
      FROM UsefulDefinitions { usefulDefinitions }

   Name, RelativeDistinguishedName, Attribute
      FROM InformationFramework  { informationFramework }

   GeneralNames, GeneralName
      FROM CommonX509Definitions 

   CertificateSerialNumber, CertificateList, AlgorithmIdentifier
      FROM AuthenticationFramework { authenticationFramework }

   DirectoryString
      FROM SelectedAttributeTypes  { selectedAttributeTypes }

   ORAddress
      FROM MTSAbstractService { mTSAbstractService } 
	   
   id-pkix
	  FROM ExtendedSecurityServices { extendedSecurityServices };

-- Unless explicitly noted otherwise, there is no significance to the ordering
-- of components of a SEQUENCE OF construct in this specification.

-- Key and policy information extensions --

AuthorityKeyIdentifier ::= SEQUENCE {
   keyIdentifier             [0] KeyIdentifier           OPTIONAL,
   authorityCertIssuer       [1] GeneralNames            OPTIONAL,
   authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }

KeyIdentifier ::= OCTET STRING

SubjectKeyIdentifier ::= KeyIdentifier

KeyUsage ::= BIT STRING {
   digitalSignature (0),
   nonRepudiation   (1),
   keyEncipherment  (2),
   dataEncipherment (3),
   keyAgreement     (4),
   keyCertSign      (5),
   cRLSign          (6),
   encipherOnly     (7),
   decipherOnly     (8) }

KeyPurposeId ::= OBJECT IDENTIFIER

-- Added 9/14/00 by dmitch
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

PrivateKeyUsagePeriod ::= SEQUENCE {
   notBefore   [0]   GeneralizedTime OPTIONAL,
   notAfter   [1]   GeneralizedTime OPTIONAL }
   ( WITH COMPONENTS    {..., notBefore PRESENT} |
   WITH COMPONENTS    {..., notAfter PRESENT} )


CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
   policyIdentifier   CertPolicyId,
   policyQualifiers   SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {
   policyQualifierId   OBJECT IDENTIFIER,
   qualifier           ANY OPTIONAL }

PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
   issuerDomainPolicy      CertPolicyId,
   subjectDomainPolicy   CertPolicyId }

SupportedAlgorithm ::= SEQUENCE {
   algorithmIdentifier             AlgorithmIdentifier,
   intendedUsage               [0] KeyUsage OPTIONAL,
   intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL }

-- Certificate subject and certificate issuer attributes extensions --

SubjectName ::= GeneralNames

-- moved to sm_x509cmn.asn since both sm_x509af.asn and sm_x509ce.asn need
-- it
--
-- GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- GeneralName ::= CHOICE {
--    otherName        [0]   OTHER-NAME,
   -- rfc822Name       [1]   IA5String,
   -- dNSName          [2]   IA5String,
   -- x400Address      [3]   ORAddress,
   -- directoryName    [4]   Name,
   -- ediPartyName     [5]   EDIPartyName,
   -- uniformResourceIdentifier  [6]   IA5String,
   -- iPAddress                  [7]   OCTET STRING,
   -- registeredID               [8]   OBJECT IDENTIFIER }
-- 
-- OTHER-NAME ::= OBJECT IDENTIFIER

-- EDIPartyName ::= SEQUENCE {
   -- nameAssigner      [0]   DirectoryString  OPTIONAL,
   -- partyName         [1]   DirectoryString  }
-- 

IssuerAltName ::= GeneralNames

SubjectDirectoryAttributes ::= AttributesSyntax

AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute


-- Certification path constraints extensions --

BasicConstraintsSyntax ::= SEQUENCE {
   cA         BOOLEAN DEFAULT FALSE,
   pathLenConstraint    INTEGER (0..MAX) OPTIONAL }

NameConstraintsSyntax ::= SEQUENCE {
   permittedSubtrees   [0]   GeneralSubtrees OPTIONAL,
   excludedSubtrees   [1]   GeneralSubtrees OPTIONAL }

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
   base         GeneralName,
   minimum      [0]   BaseDistance DEFAULT 0,
   maximum      [1]   BaseDistance OPTIONAL }

BaseDistance ::= INTEGER (0..MAX)

PolicyConstraintsSyntax ::= SEQUENCE {
   requireExplicitPolicy   [0] SkipCerts OPTIONAL,
   inhibitPolicyMapping   [1] SkipCerts OPTIONAL }

SkipCerts ::= INTEGER (0..MAX) 

CertPolicySet ::= SEQUENCE OF CertPolicyId

-- Basic CRL extensions --

CRLNumber ::= INTEGER (0..MAX)

CRLReason ::= ENUMERATED {
   unspecified          (0),
   keyCompromise        (1), 
   cACompromise         (2), 
   affiliationChanged   (3), 
   superseded           (4),
   cessationOfOperation (5),
   certificateHold      (6),  -- note 7 is not used by this spec.
   removeFromCRL        (8) }

HoldInstruction ::= OBJECT IDENTIFIER


InvalidityDate ::= GeneralizedTime

-- CRL distribution points and delta-CRL extensions --

CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint 

DistributionPoint ::= SEQUENCE {
   distributionPoint   [0]   DistributionPointName OPTIONAL,
   reasons             [1]   ReasonFlags OPTIONAL,
   cRLIssuer           [2]   GeneralNames OPTIONAL }

DistributionPointName ::= CHOICE {
   fullName                [0]   GeneralNames,
   nameRelativeToCRLIssuer [1]   RelativeDistinguishedName }

ReasonFlags ::= BIT STRING {
   unused               (0),
   keyCompromise        (1), 
   caCompromise         (2), 
   affiliationChanged   (3), 
   superseded           (4),
   cessationOfOperation (5),
   certificateHold      (6) }

IssuingDistPointSyntax ::= SEQUENCE {
   distributionPoint      [0] DistributionPointName OPTIONAL,
   onlyContainsUserCerts  [1] BOOLEAN DEFAULT FALSE,
   onlyContainsCACerts    [2] BOOLEAN DEFAULT FALSE,
   onlySomeReasons        [3] ReasonFlags OPTIONAL,
   indirectCRL            [4] BOOLEAN DEFAULT FALSE }

CertificateIssuer ::= GeneralNames

BaseCRLNumber ::= CRLNumber

DeltaRevocationList ::= CertificateList

-- Matching rules 

-- removed.  Our ASN.1 compiler does not support matching ruling.  We will
-- do this manually -Pierce
--

-- end of Matching rules

-- Object identifier assignments --

id-at-supportedAlgorithms      OBJECT IDENTIFIER   ::=   {id-at 52}
id-at-deltaRevocationList         OBJECT IDENTIFIER   ::=   {id-at 53}
id-ce-subjectDirectoryAttributes      OBJECT IDENTIFIER   ::=   {id-ce 9}
id-ce-subjectKeyIdentifier      OBJECT IDENTIFIER   ::=   {id-ce 14}
id-ce-keyUsage            OBJECT IDENTIFIER   ::=   {id-ce 15}
id-ce-privateKeyUsagePeriod      OBJECT IDENTIFIER   ::=   {id-ce 16}
id-ce-subjectAltName         OBJECT IDENTIFIER   ::=   {id-ce 17}
id-ce-issuerAltName         OBJECT IDENTIFIER   ::=   {id-ce 18}
id-ce-basicConstraints         OBJECT IDENTIFIER   ::=   {id-ce 19}
id-ce-cRLNumber            OBJECT IDENTIFIER   ::=   {id-ce 20}
id-ce-reasonCode            OBJECT IDENTIFIER   ::=   {id-ce 21}
id-ce-instructionCode         OBJECT IDENTIFIER   ::=   {id-ce 23}
id-ce-invalidityDate         OBJECT IDENTIFIER   ::=   {id-ce 24}
id-ce-deltaCRLIndicator         OBJECT IDENTIFIER   ::=   {id-ce 27}
id-ce-issuingDistributionPoint      OBJECT IDENTIFIER   ::=   {id-ce 28}
id-ce-certificateIssuer         OBJECT IDENTIFIER   ::=   {id-ce 29}
id-ce-nameConstraints         OBJECT IDENTIFIER   ::=   {id-ce 30}
id-ce-cRLDistributionPoints      OBJECT IDENTIFIER   ::=   {id-ce 31}
id-ce-certificatePolicies         OBJECT IDENTIFIER   ::=   {id-ce 32}
id-ce-policyMappings         OBJECT IDENTIFIER   ::=   {id-ce 33}
-- deprecated               OBJECT IDENTIFIER   ::=   {id-ce 34}
id-ce-authorityKeyIdentifier      OBJECT IDENTIFIER   ::=   {id-ce 35}
id-ce-policyConstraints         OBJECT IDENTIFIER   ::=   {id-ce 36}
id-ce-extKeyUsage         OBJECT IDENTIFIER   ::=   {id-ce 37}
id-mr-certificateExactMatch      OBJECT IDENTIFIER   ::=   {id-mr 34}
id-mr-certificateMatch         OBJECT IDENTIFIER   ::=   {id-mr 35}
id-mr-certificatePairExactMatch      OBJECT IDENTIFIER   ::=   {id-mr 36}
id-mr-certificatePairMatch      OBJECT IDENTIFIER   ::=   {id-mr 37}
id-mr-certificateListExactMatch      OBJECT IDENTIFIER   ::=   {id-mr 38}
id-mr-certificateListMatch      OBJECT IDENTIFIER   ::=   {id-mr 39}
id-mr-algorithmIdentifierMatch      OBJECT IDENTIFIER   ::=   {id-mr 40}

id-kp 						OBJECT IDENTIFIER ::= {id-pkix 3}
id-kp-serverAuth 			OBJECT IDENTIFIER ::= {id-kp 1}
id-kp-clientAuth 			OBJECT IDENTIFIER ::= {id-kp 2}
id-kp-codeSigning 			OBJECT IDENTIFIER ::= {id-kp 3}
id-kp-emailProtection 		OBJECT IDENTIFIER ::= {id-kp 4}
id-kp-timeStamping 			OBJECT IDENTIFIER ::= {id-kp 8}
 
id-netscape-cert-type		OBJECT IDENTIFIER ::= {2 16 840 1 113730 1 1}

-- The following OBJECT IDENTIFIERS are not used by this specification:
-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13}, 
-- {id-ce 22}, {id-ce 25}, {id-ce 26}

END
Commit	Line	Data
b1ab9ed8 A	1	-- @(#) sm_x509ce.asn 1.3 3/4/98 15:25:14
	2	CertificateExtensions
	3	--
	4	-- oid defined sm_x501ud.asn
	5	-- {joint-iso-ccitt ds(5) module(1) certificateExtensions(26) 0}
	6
	7	DEFINITIONS IMPLICIT TAGS ::=
	8
	9	BEGIN
	10
	11	-- EXPORTS ALL
	12
	13	IMPORTS
	14	id-at, id-ce, id-mr, informationFramework, authenticationFramework,
	15	selectedAttributeTypes, upperBounds
	16	FROM UsefulDefinitions { usefulDefinitions }
	17
	18	Name, RelativeDistinguishedName, Attribute
	19	FROM InformationFramework { informationFramework }
	20
	21	GeneralNames, GeneralName
	22	FROM CommonX509Definitions
	23
	24	CertificateSerialNumber, CertificateList, AlgorithmIdentifier
	25	FROM AuthenticationFramework { authenticationFramework }
	26
	27	DirectoryString
	28	FROM SelectedAttributeTypes { selectedAttributeTypes }
	29
	30	ORAddress
	31	FROM MTSAbstractService { mTSAbstractService }
	32
	33	id-pkix
	34	FROM ExtendedSecurityServices { extendedSecurityServices };
	35
	36	-- Unless explicitly noted otherwise, there is no significance to the ordering
	37	-- of components of a SEQUENCE OF construct in this specification.
	38
	39	-- Key and policy information extensions --
	40
	41	AuthorityKeyIdentifier ::= SEQUENCE {
	42	keyIdentifier [0] KeyIdentifier OPTIONAL,
	43	authorityCertIssuer [1] GeneralNames OPTIONAL,
	44	authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
	45
	46	KeyIdentifier ::= OCTET STRING
	47
	48	SubjectKeyIdentifier ::= KeyIdentifier
	49
	50	KeyUsage ::= BIT STRING {
	51	digitalSignature (0),
	52	nonRepudiation (1),
	53	keyEncipherment (2),
	54	dataEncipherment (3),
	55	keyAgreement (4),
	56	keyCertSign (5),
	57	cRLSign (6),
	58	encipherOnly (7),
	59	decipherOnly (8) }
	60
	61	KeyPurposeId ::= OBJECT IDENTIFIER
	62
	63	-- Added 9/14/00 by dmitch
	64	ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
65
66	PrivateKeyUsagePeriod ::= SEQUENCE {
67	notBefore [0] GeneralizedTime OPTIONAL,
68	notAfter [1] GeneralizedTime OPTIONAL }
69	( WITH COMPONENTS {..., notBefore PRESENT} \|
70	WITH COMPONENTS {..., notAfter PRESENT} )
71
72
73	CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
74
75	PolicyInformation ::= SEQUENCE {
76	policyIdentifier CertPolicyId,
77	policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
78
79	CertPolicyId ::= OBJECT IDENTIFIER
80
81	PolicyQualifierInfo ::= SEQUENCE {
82	policyQualifierId OBJECT IDENTIFIER,
83	qualifier ANY OPTIONAL }
84
85	PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
86	issuerDomainPolicy CertPolicyId,
87	subjectDomainPolicy CertPolicyId }
88
89	SupportedAlgorithm ::= SEQUENCE {
90	algorithmIdentifier AlgorithmIdentifier,
91	intendedUsage [0] KeyUsage OPTIONAL,
92	intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL }
93
94	-- Certificate subject and certificate issuer attributes extensions --
95
96	SubjectName ::= GeneralNames
97
98	-- moved to sm_x509cmn.asn since both sm_x509af.asn and sm_x509ce.asn need
99	-- it
100	--
101	-- GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
102
103	-- GeneralName ::= CHOICE {
104	-- otherName [0] OTHER-NAME,
105	-- rfc822Name [1] IA5String,
106	-- dNSName [2] IA5String,
107	-- x400Address [3] ORAddress,
108	-- directoryName [4] Name,
109	-- ediPartyName [5] EDIPartyName,
110	-- uniformResourceIdentifier [6] IA5String,
111	-- iPAddress [7] OCTET STRING,
112	-- registeredID [8] OBJECT IDENTIFIER }
113	--
114	-- OTHER-NAME ::= OBJECT IDENTIFIER
115
116	-- EDIPartyName ::= SEQUENCE {
117	-- nameAssigner [0] DirectoryString OPTIONAL,
118	-- partyName [1] DirectoryString }
119	--
120
121	IssuerAltName ::= GeneralNames
122
123	SubjectDirectoryAttributes ::= AttributesSyntax
124
125	AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute
126
127
128	-- Certification path constraints extensions --
129
130	BasicConstraintsSyntax ::= SEQUENCE {
131	cA BOOLEAN DEFAULT FALSE,
132	pathLenConstraint INTEGER (0..MAX) OPTIONAL }
133
134	NameConstraintsSyntax ::= SEQUENCE {
135	permittedSubtrees [0] GeneralSubtrees OPTIONAL,
136	excludedSubtrees [1] GeneralSubtrees OPTIONAL }
137
138	GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
139
140	GeneralSubtree ::= SEQUENCE {
141	base GeneralName,
142	minimum [0] BaseDistance DEFAULT 0,
143	maximum [1] BaseDistance OPTIONAL }
144
145	BaseDistance ::= INTEGER (0..MAX)
146
147	PolicyConstraintsSyntax ::= SEQUENCE {
148	requireExplicitPolicy [0] SkipCerts OPTIONAL,
149	inhibitPolicyMapping [1] SkipCerts OPTIONAL }
150
151	SkipCerts ::= INTEGER (0..MAX)
152
153	CertPolicySet ::= SEQUENCE OF CertPolicyId
154
155	-- Basic CRL extensions --
156
157	CRLNumber ::= INTEGER (0..MAX)
158
159	CRLReason ::= ENUMERATED {
160	unspecified (0),
161	keyCompromise (1),
162	cACompromise (2),
163	affiliationChanged (3),
164	superseded (4),
165	cessationOfOperation (5),
166	certificateHold (6), -- note 7 is not used by this spec.
167	removeFromCRL (8) }
168
169	HoldInstruction ::= OBJECT IDENTIFIER
170
171
172	InvalidityDate ::= GeneralizedTime
173
174	-- CRL distribution points and delta-CRL extensions --
175
176	CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
177
178	DistributionPoint ::= SEQUENCE {
179	distributionPoint [0] DistributionPointName OPTIONAL,
180	reasons [1] ReasonFlags OPTIONAL,
181	cRLIssuer [2] GeneralNames OPTIONAL }
182
183	DistributionPointName ::= CHOICE {
184	fullName [0] GeneralNames,
185	nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
186
187	ReasonFlags ::= BIT STRING {
188	unused (0),
189	keyCompromise (1),
190	caCompromise (2),
191	affiliationChanged (3),
192	superseded (4),
193	cessationOfOperation (5),
194	certificateHold (6) }
195
196	IssuingDistPointSyntax ::= SEQUENCE {
197	distributionPoint [0] DistributionPointName OPTIONAL,
198	onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
199	onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
200	onlySomeReasons [3] ReasonFlags OPTIONAL,
201	indirectCRL [4] BOOLEAN DEFAULT FALSE }
202
203	CertificateIssuer ::= GeneralNames
204
205	BaseCRLNumber ::= CRLNumber
206
207	DeltaRevocationList ::= CertificateList
208
209	-- Matching rules
210
211	-- removed. Our ASN.1 compiler does not support matching ruling. We will
212	-- do this manually -Pierce
213	--
214
215	-- end of Matching rules
216
217	-- Object identifier assignments --
218
219	id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52}
220	id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53}
221	id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}
222	id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14}
223	id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15}
224	id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16}
225	id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17}
226	id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18}
227	id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19}
228	id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20}
229	id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21}
230	id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23}
231	id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24}
232	id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27}
233	id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28}
234	id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29}
235	id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30}
236	id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
237	id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32}
238	id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33}
239	-- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
240	id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35}
241	id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36}
242	id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
243	id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34}
244	id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}
245	id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}
246	id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}
247	id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}
248	id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}
249	id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}
250
251	id-kp OBJECT IDENTIFIER ::= {id-pkix 3}
252	id-kp-serverAuth OBJECT IDENTIFIER ::= {id-kp 1}
253	id-kp-clientAuth OBJECT IDENTIFIER ::= {id-kp 2}
254	id-kp-codeSigning OBJECT IDENTIFIER ::= {id-kp 3}
255	id-kp-emailProtection OBJECT IDENTIFIER ::= {id-kp 4}
256	id-kp-timeStamping OBJECT IDENTIFIER ::= {id-kp 8}
257
258	id-netscape-cert-type OBJECT IDENTIFIER ::= {2 16 840 1 113730 1 1}
259
260	-- The following OBJECT IDENTIFIERS are not used by this specification:
261	-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
262	-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
263	-- {id-ce 22}, {id-ce 25}, {id-ce 26}
264
265	END