1 -- @(#) sm_x509af.asn 1.2 2/24/98 13:40:34
2 AuthenticationFramework
4 -- oid defined in sm_x501ud.asn
6 -- {joint-iso-ccitt ds(5) module(1) authenticationFramework(7) 3}
13 -- The types and values defined in this module are exported for use in the
14 -- other ASN.1 modules contained
15 -- within the Directory Specifications, and for the use of other applications
16 -- which will use them to access Directory services. Other applications may
17 -- use them for their own purposes, but this will not constrain
18 -- extensions and modifications needed to maintain or improve the Directory
26 id-at, informationFramework, upperBounds, selectedAttributeTypes,
27 basicAccessControl, certificateExtensions
28 FROM UsefulDefinitions { usefulDefinitions }
30 Name, Attribute, AttributeType
31 FROM InformationFramework { informationFramework }
34 FROM UpperBounds { upperBounds }
37 -- AuthenticationLevel
38 -- FROM BasicAccessControl { basicAccessControl }
41 -- FROM CertificateExtensions { certificateExtensions }
44 FROM CommonX509Definitions
47 FROM SelectedAttributeTypes { selectedAttributeTypes } ;
49 -- basic certificate definition
-- Outer signed wrapper for a public-key certificate. signatureValue is the
-- signature over the DER encoding of certificateToSign; algorithmIdentifier
-- and signatureValue themselves are outside the signed bytes.
-- NOTE(review): a verifier should check the signature over the bytes exactly
-- as received (never over a re-encoding), and should reject the certificate
-- when this algorithmIdentifier differs from CertificateToSign.signature,
-- since the unsigned outer field could otherwise steer verification toward
-- a different algorithm than the issuer committed to.
Certificate ::= SEQUENCE {
    certificateToSign CertificateToSign,
    -- unsigned; expected to equal CertificateToSign.signature
    algorithmIdentifier AlgorithmIdentifier,
    signatureValue BIT STRING }
-- The to-be-signed body of a Certificate. The version constraints stated in
-- the comments below are not expressible in the grammar, so a decoder must
-- enforce them itself (e.g. reject extensions on a v1 or v2 certificate).
CertificateToSign ::= SEQUENCE {
    -- DEFAULT v1: under DER the field is omitted for v1 and present only for
    -- v2 and v3 (see Version for the integer encoding)
    version [0] Version DEFAULT v1,
    -- together with the issuer this is the key used to match CRL entries
    -- (CRLToSign.revokedCertificates.userCertificate)
    serialNumber CertificateSerialNumber,
    -- the signed copy of the algorithm; Certificate.algorithmIdentifier
    -- should be checked against it
    signature AlgorithmIdentifier,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    -- if present, version must be v2 or v3
    issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL,
    -- if present, version must be v2 or v3
    subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
    -- If present, version must be v3
    -- NOTE(review): no IMPLICIT keyword here, so the tag follows the module's
    -- default tagging; confirm against the module header before hand-writing
    -- a decoder template
    extensions [3] Extensions OPTIONAL }
71 Version ::= INTEGER { v1(0), v2(1), v3(2) }
-- X.509 defines the serial number as a plain INTEGER (original kept below
-- for reference). This module substitutes BigIntegerStr, presumably so that
-- serial numbers wider than a native integer survive decoding without
-- truncation; BigIntegerStr is not defined in the visible part of this
-- module (likely imported from CommonX509Definitions, TODO confirm).
-- NOTE(review): serial numbers are compared as whole values when matching
-- CRL entries, so any decoder must preserve every octet, including a
-- leading zero or a negative value emitted by a non-conforming CA.
-- CertificateSerialNumber ::= INTEGER
CertificateSerialNumber ::= BigIntegerStr
-- Algorithm OID plus algorithm-specific parameters. parameters is an untyped
-- ANY here, so its meaning (and even whether it is present) is defined by the
-- algorithm OID, not by this module; a decoder must dispatch on the OID
-- before interpreting it.
-- NOTE(review): when two AlgorithmIdentifiers are compared (e.g. the signed
-- inner signature field against the unsigned outer one), compare both the
-- OID and the encoded parameters, not the OID alone.
AlgorithmIdentifier ::= SEQUENCE {
    algorithm OBJECT IDENTIFIER,
    parameters ANY OPTIONAL }
82 Validity ::= SEQUENCE {
-- Public key of the subject. The content of the subjectPublicKey BIT STRING is
-- defined by the algorithm OID (this module does not constrain it), so it must
-- be parsed with the algorithm-specific type after dispatching on algorithm.
-- NOTE(review): the key algorithm here is independent of the signature
-- algorithm on the certificate; do not assume they agree.
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm AlgorithmIdentifier,
    subjectPublicKey BIT STRING }
92 generalizedTime GeneralizedTime }
-- Unconstrained list of extensions (the X.509 1997 form). NOTE(review): the
-- grammar allows an empty list and duplicate extnId values; RFC 5280 profiles
-- this as SIZE (1..MAX) and requires each extnId to appear at most once, so
-- a decoder built from this module has to enforce both rules itself.
-- Duplicate extension IDs are a known source of parser differentials.
Extensions ::= SEQUENCE OF Extension
-- For those extensions where ordering of individual extensions within the
-- SEQUENCE is significant, the specification of those individual extensions
-- shall include the rules for the significance of the order therein
-- A single extension: an OID naming it, a criticality flag, and the extension
-- body wrapped as an OCTET STRING.
-- NOTE(review): a relying party that does not recognise extnId must reject the
-- certificate when critical is TRUE and may ignore the extension when it is
-- FALSE; never interpret extnValue before dispatching on extnId.
Extension ::= SEQUENCE {
    extnId OBJECT IDENTIFIER,
    -- DEFAULT FALSE: a DER encoder omits the field when the value is FALSE.
    -- An explicitly encoded FALSE is not valid DER but is still part of the
    -- signed bytes, another reason to verify over the received encoding.
    critical BOOLEAN DEFAULT FALSE,
    -- extnValue contains the DER encoding of the extension-specific type
    -- identified by extnId, nested inside the OCTET STRING
    extnValue OCTET STRING }
-- other certificate constructs
-- A user certificate together with an optional forward path toward a CA.
-- NOTE(review): the supplied path is advisory; a relying party still has to
-- build and validate a chain to a trust anchor it holds itself, and must not
-- treat the presence of a path as evidence of trust.
Certificates ::= SEQUENCE {
    userCertificate Certificate,
    certificationPath ForwardCertificationPath OPTIONAL }
112 ForwardCertificationPath ::= SEQUENCE OF CrossCertificates
114 CrossCertificates ::= SET OF Certificate
-- A user certificate plus the optional list of CA certificate pairs that
-- connect it to a trust anchor. As with Certificates, the path is input to
-- validation, not a substitute for it.
CertificationPath ::= SEQUENCE {
    userCertificate Certificate,
    theCACertificates SEQUENCE OF CertificatePair OPTIONAL }
-- A pair of cross certificates between two CAs.
-- at least one of the pair shall be present
-- NOTE(review): that constraint is not expressible in the grammar (both
-- fields are OPTIONAL), so a decoder must reject a pair with neither field.
CertificatePair ::= SEQUENCE {
    forward [0] Certificate OPTIONAL,
    reverse [1] Certificate OPTIONAL }
125 -- certificate revocation list (CRL)
-- Outer signed wrapper for a CRL; the signature covers the DER encoding of the
-- CRLToSign body. NOTE(review): as for Certificate, the unsigned outer
-- algorithmIdentifier should be checked against CRLToSign.signature and the
-- signature verified over the received bytes, not a re-encoding.
CertificateList ::= SEQUENCE {
    -- unsigned; expected to equal CRLToSign.signature
    algorithmIdentifier AlgorithmIdentifier,
    signatureValue BIT STRING }
-- The to-be-signed body of a CRL.
-- NOTE(review): matching a certificate against revokedCertificates requires
-- the CRL to be issued by (or authorised for) that certificate's issuer;
-- a serial number alone is not a unique key across issuers.
CRLToSign ::= SEQUENCE {
    -- OPTIONAL, not DEFAULT: absent means v1. Presence of CRL or entry
    -- extensions implies v2, which the decoder must enforce itself.
    version Version OPTIONAL, -- if present, version must be v2
    -- the signed copy of the algorithm; see CertificateList.algorithmIdentifier
    signature AlgorithmIdentifier,
    -- NOTE(review): when absent the CRL carries no freshness bound; relying
    -- parties need a policy for how long such a CRL may be cached
    nextUpdate Time OPTIONAL,
    -- absent when nothing is revoked
    revokedCertificates SEQUENCE OF SEQUENCE {
        -- serial number of the revoked certificate, compared as a whole value
        userCertificate CertificateSerialNumber,
        -- per-entry extensions; the critical handling of Extension applies
        crlEntryExtensions Extensions OPTIONAL } OPTIONAL,
    crlExtensions [0] Extensions OPTIONAL }
144 -- attribute certificate
-- An attribute certificate plus an optional path of supporting certificates.
-- The path is advisory; the attribute certificate's issuer still has to be
-- validated against the relying party's own trust anchors.
AttributeCertificationPath ::= SEQUENCE {
    attributeCertificate AttributeCertificate,
    acPath SEQUENCE OF ACPathData OPTIONAL }
-- One element of an attribute certification path: a public-key certificate,
-- an attribute certificate, or both. Both fields are OPTIONAL, so an element
-- with neither is syntactically valid and must be rejected by the decoder.
ACPathData ::= SEQUENCE {
    certificate [0] Certificate OPTIONAL,
    attributeCertificate [1] AttributeCertificate OPTIONAL }
-- Outer signed wrapper for an attribute certificate; the signature covers the
-- DER encoding of attributeCertificateInfo. NOTE(review): the unsigned outer
-- algorithmIdentifier should be checked against
-- AttributeCertificateInfo.signature, as for Certificate.
AttributeCertificate ::= SEQUENCE {
    attributeCertificateInfo AttributeCertificateInfo,
    -- unsigned; expected to equal AttributeCertificateInfo.signature
    algorithmIdentifier AlgorithmIdentifier,
    signatureValue BIT STRING }
158 AttributeCertificateInfo ::= SEQUENCE {
159 version Version DEFAULT v1,
161 baseCertificateID [0] IssuerSerial, -- associated with a Public Key
163 subjectName [1] GeneralNames }, -- associated with a name
164 issuer GeneralNames, -- CA issuing the attribute certificate
165 signature AlgorithmIdentifier,
166 serialNumber CertificateSerialNumber,
167 attCertValidityPeriod AttCertValidityPeriod,
168 attributes SEQUENCE OF Attribute,
169 issuerUniqueID UniqueIdentifier OPTIONAL,
170 extensions Extensions OPTIONAL }
172 IssuerSerial ::= SEQUENCE {
174 serial CertificateSerialNumber,
175 issuerUID UniqueIdentifier OPTIONAL}
-- Validity window of an attribute certificate. Both bounds are GeneralizedTime
-- (no UTCTime alternative, unlike the certificate Validity type), and a
-- relying party must check that the current time lies within both.
-- NOTE(review): DER restricts GeneralizedTime to the UTC "Z" form without
-- fractional seconds; confirm the decoder rejects other forms.
AttCertValidityPeriod ::= SEQUENCE {
    notBeforeTime GeneralizedTime,
    notAfterTime GeneralizedTime }
181 AttributeCertificateAssertion ::= SEQUENCE {
182 -- At least one component of the sequence must be present
184 baseCertificateID [0] IssuerSerial,
185 subjectName [1] Name } OPTIONAL,
186 issuer [1] Name OPTIONAL,
187 attCertValidity [2] GeneralizedTime OPTIONAL,
188 attType [3] SET OF AttributeType OPTIONAL }
-- Apple addenda: abstract "signed CRL or cert". In this case the blob to be
-- signed is actually an encoded CertificateToSign or CRLToSign. Representing
-- that blob as an ASN ANY field allows for signature verify without decoding
-- the entire CertificateToSign or CRLToSign. The ANY preserves the blob's
-- original encoding, which is what the signature must be verified over; the
-- outer algorithmIdentifier is not covered by the signature, so once the blob
-- is decoded its inner signature field should be checked against it.
195 SignedCertOrCrl ::= SEQUENCE {
198 signatureValue BIT STRING }
200 -- attribute types --
202 UserPassword ::= OCTET STRING (SIZE (0..ub-password-length))
204 UserCertificate ::= Certificate
206 CACertificate ::= Certificate
208 CrossCertificatePair ::= CertificatePair
210 AuthorityRevocationList ::= CertificateList
212 CertificateRevocationList ::= CertificateList
214 AttributeCertificateRevocationList ::= CertificateList
216 -- object identifier assignments --
-- Directory attribute-type OIDs under the id-at arc (imported from
-- UsefulDefinitions). These identify attribute *types* in the Directory; they
-- are not the OIDs used inside certificates (algorithm or extension OIDs).
id-at-userPassword OBJECT IDENTIFIER ::= {id-at 35}
id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}