1 -- @(#) sm_x509ce.asn 1.3 3/4/98 15:25:14
4 -- oid defined sm_x501ud.asn
5 -- {joint-iso-ccitt ds(5) module(1) certificateExtensions(26) 0}
7 DEFINITIONS IMPLICIT TAGS ::=
14 id-at, id-ce, id-mr, informationFramework, authenticationFramework,
15 selectedAttributeTypes, upperBounds
16 FROM UsefulDefinitions { usefulDefinitions }
18 Name, RelativeDistinguishedName, Attribute
19 FROM InformationFramework { informationFramework }
21 GeneralNames, GeneralName
22 FROM CommonX509Definitions
24 CertificateSerialNumber, CertificateList, AlgorithmIdentifier
25 FROM AuthenticationFramework { authenticationFramework }
28 FROM SelectedAttributeTypes { selectedAttributeTypes }
31 FROM MTSAbstractService { mTSAbstractService }
34 FROM ExtendedSecurityServices { extendedSecurityServices };
36 -- Unless explicitly noted otherwise, there is no significance to the ordering
37 -- of components of a SEQUENCE OF construct in this specification.
39 -- Key and policy information extensions --
-- AuthorityKeyIdentifier (id-ce-authorityKeyIdentifier, {id-ce 35}):
-- identifies the issuer key that signed this certificate or CRL. Every
-- component is OPTIONAL, so an empty SEQUENCE is syntactically valid and a
-- consumer must tolerate any subset. The value is only a hint for locating
-- a candidate issuer certificate during path building -- it authenticates
-- nothing by itself; the signature must still be verified against the key
-- that was located.
AuthorityKeyIdentifier ::= SEQUENCE {
	keyIdentifier	[0]	KeyIdentifier OPTIONAL,
	-- authorityCertIssuer and authorityCertSerialNumber are meant to be
	-- present together or absent together; this syntax does not enforce
	-- that, so a decoder should check it if it uses them.
	authorityCertIssuer	[1]	GeneralNames OPTIONAL,
	authorityCertSerialNumber	[2]	CertificateSerialNumber OPTIONAL }

-- KeyIdentifier: opaque octets. No length bound is declared, so an
-- implementation copying it into a fixed-size buffer must check the
-- decoded length itself.
KeyIdentifier ::= OCTET STRING

-- SubjectKeyIdentifier (id-ce-subjectKeyIdentifier, {id-ce 14}): the
-- value a subordinate certificate's AuthorityKeyIdentifier.keyIdentifier
-- is expected to repeat. Matching is a byte-wise comparison of the octets.
SubjectKeyIdentifier ::= KeyIdentifier
50 KeyUsage ::= BIT STRING {
-- KeyPurposeId: an OID naming an extended key usage -- one of the id-kp-*
-- values assigned at the end of this module, or any private purpose.
-- A parser must tolerate OIDs it does not recognize; whether an unknown
-- purpose is acceptable is a decision for the verifier's policy.
KeyPurposeId ::= OBJECT IDENTIFIER

-- Added 9/14/00 by dmitch
-- ExtKeyUsageSyntax (id-ce-extKeyUsage, {id-ce 37}): the SIZE constraint
-- requires at least one purpose, so an empty list is a decode error, not
-- "no restriction". Absence of the whole extension is what means
-- unrestricted.
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
-- PrivateKeyUsagePeriod (id-ce-privateKeyUsagePeriod, {id-ce 16}): the
-- interval in which the subject's private key may be used for signing,
-- which can differ from the certificate's validity period. The subtype
-- constraint below requires at least one of notBefore/notAfter, so an
-- empty SEQUENCE must be rejected.
-- NOTE(review): later PKIX profiles (RFC 3280 onward) recommend against
-- this extension; validators should not depend on it being present.
PrivateKeyUsagePeriod ::= SEQUENCE {
	notBefore	[0]	GeneralizedTime OPTIONAL,
	notAfter	[1]	GeneralizedTime OPTIONAL }
	( WITH COMPONENTS {..., notBefore PRESENT} |
	  WITH COMPONENTS {..., notAfter PRESENT} )
-- CertificatePoliciesSyntax (id-ce-certificatePolicies, {id-ce 32}): the
-- policies under which the certificate was issued; at least one entry.
-- NOTE(review): the syntax does not exclude repeated policyIdentifier
-- values. Path validation should either reject duplicates or de-duplicate
-- them deterministically rather than let first-or-last silently win.
CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

-- PolicyInformation: one policy OID plus optional qualifiers.
PolicyInformation ::= SEQUENCE {
	policyIdentifier	CertPolicyId,
	-- when present the qualifier list must itself be non-empty
	policyQualifiers	SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER
-- PolicyQualifierInfo: an open type. `qualifier` is ANY, so the decoder
-- returns raw, untyped content that has to be decoded a second time
-- according to policyQualifierId. That second decode is of untrusted
-- input: bound how much you are willing to parse, and never dereference a
-- URI found in a qualifier automatically.
-- NOTE(review): the qualifier is OPTIONAL here, whereas the PKIX profile
-- (RFC 5280) declares it `ANY DEFINED BY policyQualifierId` and required.
-- Confirm what peers emit before tightening this definition.
PolicyQualifierInfo ::= SEQUENCE {
	policyQualifierId	OBJECT IDENTIFIER,
	qualifier	ANY OPTIONAL }
-- PolicyMappingsSyntax (id-ce-policyMappings, {id-ce 33}): each entry
-- declares that a policy of the issuer's domain is equivalent to a policy
-- of the subject's domain. Meaningful only in CA certificates, and subject
-- to inhibitPolicyMapping in PolicyConstraintsSyntax below.
-- NOTE(review): nothing in the syntax forbids mapping to or from
-- anyPolicy; PKIX path validation rejects such mappings, so the validator
-- must enforce that itself.
PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
	issuerDomainPolicy	CertPolicyId,
	subjectDomainPolicy	CertPolicyId }
-- SupportedAlgorithm (id-at-supportedAlgorithms, {id-at 52}): a directory
-- attribute advertising an algorithm together with the key usages and
-- certificate policies it is intended for. This is advisory directory
-- data, not a certificate extension, and must not influence which
-- algorithm is accepted when verifying a signature.
SupportedAlgorithm ::= SEQUENCE {
	algorithmIdentifier	AlgorithmIdentifier,
	intendedUsage	[0]	KeyUsage OPTIONAL,
	intendedCertificatePolicies	[1]	CertificatePoliciesSyntax OPTIONAL }
94 -- Certificate subject and certificate issuer attributes extensions --
-- SubjectName is the syntax of subjectAltName (id-ce-subjectAltName,
-- {id-ce 17}). GeneralNames itself lives in sm_x509cmn.asn; the commented
-- copy below shows its shape. Application name matching (e.g. host names
-- for TLS, addresses for S/MIME) should be done against these entries,
-- and each GeneralName alternative needs its own validation: dNSName and
-- rfc822Name are IA5String, so reject embedded NULs and non-ASCII octets
-- before comparing.
SubjectName ::= GeneralNames
98 -- moved to sm_x509cmn.asn since both sm_x509af.asn and sm_x509ce.asn need
101 -- GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
103 -- GeneralName ::= CHOICE {
104 -- otherName [0] OTHER-NAME,
105 -- rfc822Name [1] IA5String,
106 -- dNSName [2] IA5String,
107 -- x400Address [3] ORAddress,
108 -- directoryName [4] Name,
109 -- ediPartyName [5] EDIPartyName,
110 -- uniformResourceIdentifier [6] IA5String,
111 -- iPAddress [7] OCTET STRING,
112 -- registeredID [8] OBJECT IDENTIFIER }
114 -- OTHER-NAME ::= OBJECT IDENTIFIER
116 -- EDIPartyName ::= SEQUENCE {
117 -- nameAssigner [0] DirectoryString OPTIONAL,
118 -- partyName [1] DirectoryString }
-- IssuerAltName (id-ce-issuerAltName, {id-ce 18}): alternative names of
-- the issuer. Informational; path building still keys on the issuer DN,
-- not on this extension.
IssuerAltName ::= GeneralNames

-- SubjectDirectoryAttributes (id-ce-subjectDirectoryAttributes, {id-ce 9}):
-- arbitrary directory attributes about the subject. Attribute is imported
-- from InformationFramework, where its values are open types, so each
-- value is another type-directed decode of untrusted input.
SubjectDirectoryAttributes ::= AttributesSyntax

-- At least one attribute is required by the SIZE constraint.
AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute
128 -- Certification path constraints extensions --
-- BasicConstraintsSyntax (id-ce-basicConstraints, {id-ce 19}).
--   cA: whether the subject key may sign certificates. DEFAULT FALSE means
--       a DER encoder omits the field when FALSE; a decoder that is lenient
--       enough to accept an explicitly encoded FALSE must still treat it as
--       FALSE. Absence of the whole extension also means "not a CA".
--   pathLenConstraint: maximum number of intermediate CA certificates that
--       may follow this one in a path (0 = may only issue end-entity
--       certificates). Absent = unlimited. It is meaningful only when cA
--       is TRUE; a present pathLenConstraint must never be read as
--       implying CA status.
-- Validators must take CA-ness from the cA flag alone and count path
-- length exactly; note that in PKIX self-issued certificates are excluded
-- from that count.
BasicConstraintsSyntax ::= SEQUENCE {
	cA	BOOLEAN DEFAULT FALSE,
	pathLenConstraint	INTEGER (0..MAX) OPTIONAL }
-- NameConstraintsSyntax (id-ce-nameConstraints, {id-ce 30}): placed in a
-- CA certificate to restrict the names that subordinate certificates may
-- carry. Both lists are OPTIONAL in this syntax, so an empty SEQUENCE
-- decodes; PKIX requires at least one of them to be present.
-- Enforcement notes for validators: excludedSubtrees takes precedence over
-- permittedSubtrees; the constraints apply to the subject DN and to every
-- subjectAltName entry of every certificate below the CA; a name form
-- with no permitted entries is unconstrained for that form; and if the
-- extension is critical, a name form the validator cannot evaluate must
-- cause rejection rather than a silent pass.
NameConstraintsSyntax ::= SEQUENCE {
	permittedSubtrees	[0]	GeneralSubtrees OPTIONAL,
	excludedSubtrees	[1]	GeneralSubtrees OPTIONAL }

-- A present subtree list must be non-empty.
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
140 GeneralSubtree ::= SEQUENCE {
142 minimum [0] BaseDistance DEFAULT 0,
143 maximum [1] BaseDistance OPTIONAL }
-- BaseDistance: the type of GeneralSubtree.minimum/maximum. Unbounded
-- here. NOTE(review): PKIX requires minimum = 0 and maximum absent, so a
-- validator should reject (or at least not try to honour) any other
-- value rather than guess at its meaning.
BaseDistance ::= INTEGER (0..MAX)
-- PolicyConstraintsSyntax (id-ce-policyConstraints, {id-ce 36}): both
-- fields are skip counts -- the number of further certificates in the
-- path before the constraint takes effect (0 = starting with the next
-- certificate).
--   requireExplicitPolicy: once in effect, every certificate must carry an
--       acceptable policy; a path with none is invalid.
--   inhibitPolicyMapping: once in effect, policyMappings are ignored.
-- Both are OPTIONAL, so an empty SEQUENCE decodes; PKIX requires at least
-- one of them.
PolicyConstraintsSyntax ::= SEQUENCE {
	requireExplicitPolicy	[0]	SkipCerts OPTIONAL,
	inhibitPolicyMapping	[1]	SkipCerts OPTIONAL }

-- SkipCerts: unbounded INTEGER. When mapping to a native counter, clamp
-- a value that exceeds the counter rather than truncating it -- a huge
-- skip count means "never", and truncation could turn it into "soon".
SkipCerts ::= INTEGER (0..MAX)

-- CertPolicySet: an unconstrained (possibly empty) list of policy OIDs.
-- Presumably consumed by the certificate matching rules that this build
-- implements by hand (see the note below) -- verify against the callers.
CertPolicySet ::= SEQUENCE OF CertPolicyId
155 -- Basic CRL extensions --
-- CRLNumber (id-ce-cRLNumber, {id-ce 20}): monotonically increasing
-- sequence number per issuer and scope. It is unbounded here (PKIX allows
-- values up to 20 octets), so store and compare it as an arbitrary-length
-- integer. Truncating it to a native int breaks the "is this CRL newer"
-- comparison and delta-CRL base matching.
CRLNumber ::= INTEGER (0..MAX)
159 CRLReason ::= ENUMERATED {
163 affiliationChanged (3),
165 cessationOfOperation (5),
166 certificateHold (6), -- note 7 is not used by this spec.
-- HoldInstruction (id-ce-instructionCode, {id-ce 23}): CRL entry extension
-- giving an OID that tells the application what to do with a certificate
-- whose CRLReason is certificateHold. NOTE(review): treat an instruction
-- OID you do not recognize conservatively (as revoked) unless local policy
-- explicitly says otherwise.
HoldInstruction ::= OBJECT IDENTIFIER

-- InvalidityDate (id-ce-invalidityDate, {id-ce 24}): CRL entry extension
-- giving the time at which the key is believed compromised or the
-- certificate otherwise became invalid. It may precede the entry's
-- revocationDate and is the value to use when judging signatures made
-- before revocation was recorded.
InvalidityDate ::= GeneralizedTime
174 -- CRL distribution points and delta-CRL extensions --
-- CRLDistPointsSyntax (id-ce-cRLDistributionPoints, {id-ce 31}): where
-- CRLs covering this certificate can be obtained; at least one entry.
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

-- DistributionPoint: all three fields are OPTIONAL in the syntax, so an
-- empty SEQUENCE decodes; a usable entry needs distributionPoint and/or
-- cRLIssuer.
--   distributionPoint: name or URI of the CRL. Anything fetched from it is
--       untrusted input: restrict the schemes you will follow, cap the
--       response size and redirect count, and verify the CRL signature
--       before using any of it.
--   reasons: when present, the CRL at this point covers only these reason
--       codes; a validator must not treat it as complete for the others.
--   cRLIssuer: when present and different from the certificate issuer,
--       the CRL is indirect and must be signed by the cRLIssuer's key,
--       not the certificate issuer's.
DistributionPoint ::= SEQUENCE {
	distributionPoint	[0]	DistributionPointName OPTIONAL,
	reasons	[1]	ReasonFlags OPTIONAL,
	cRLIssuer	[2]	GeneralNames OPTIONAL }
-- DistributionPointName: either a full GeneralNames, or a single RDN to be
-- appended to the CRL issuer's name. For nameRelativeToCRLIssuer the base
-- name is the cRLIssuer of the enclosing DistributionPoint when that is
-- present, otherwise the certificate issuer.
DistributionPointName ::= CHOICE {
	fullName	[0]	GeneralNames,
	nameRelativeToCRLIssuer	[1]	RelativeDistinguishedName }
187 ReasonFlags ::= BIT STRING {
191 affiliationChanged (3),
193 cessationOfOperation (5),
194 certificateHold (6) }
-- IssuingDistPointSyntax (id-ce-issuingDistributionPoint, {id-ce 28}):
-- CRL extension declaring the CRL's scope. Before treating a CRL as
-- authoritative for a certificate, a validator must check that this scope
-- covers it: distributionPoint against the certificate's CRL distribution
-- point, onlyContainsUserCerts/onlyContainsCACerts against the
-- certificate's cA flag, and onlySomeReasons against the reasons still to
-- be covered.
--   onlyContainsUserCerts / onlyContainsCACerts: contradictory if both
--       TRUE; the syntax does not prevent that combination, so reject it.
--   indirectCRL: entries may belong to issuers other than the CRL signer;
--       each entry's issuer is then carried by the CertificateIssuer entry
--       extension defined below.
-- NOTE(review): this is the edition of the type without
-- onlyContainsAttributeCerts [5], which later editions of X.509 add. A
-- CRL carrying that field will not decode against this definition --
-- confirm that the CRLs this code consumes do not use it.
IssuingDistPointSyntax ::= SEQUENCE {
	distributionPoint	[0]	DistributionPointName OPTIONAL,
	onlyContainsUserCerts	[1]	BOOLEAN DEFAULT FALSE,
	onlyContainsCACerts	[2]	BOOLEAN DEFAULT FALSE,
	onlySomeReasons	[3]	ReasonFlags OPTIONAL,
	indirectCRL	[4]	BOOLEAN DEFAULT FALSE }
-- CertificateIssuer (id-ce-certificateIssuer, {id-ce 29}): CRL entry
-- extension naming the issuer of the revoked certificate in an indirect
-- CRL. It applies to the entry it appears in and to every following entry
-- until the next CertificateIssuer, so a CRL parser must carry the
-- "current issuer" as state while walking the entries; losing that state
-- attributes revocations to the wrong issuer.
CertificateIssuer ::= GeneralNames

-- BaseCRLNumber (id-ce-deltaCRLIndicator, {id-ce 27}): CRL extension that
-- marks a delta CRL and names the CRLNumber of the base it applies to.
-- Apply a delta only to a base with exactly this number from the same
-- issuer and scope.
BaseCRLNumber ::= CRLNumber

-- DeltaRevocationList (id-at-deltaRevocationList, {id-at 53}): directory
-- attribute holding a delta CRL; it needs the same signature and scope
-- checks as any other CertificateList.
DeltaRevocationList ::= CertificateList
-- removed. Our ASN.1 compiler does not support matching rules. We will
-- do this manually -Pierce
215 -- end of Matching rules
217 -- Object identifier assignments --
-- Extension, attribute and matching-rule OIDs. Each id-ce-* value is the
-- extnID under which the corresponding syntax above is carried. Parsers
-- must match OIDs by comparing the complete encoded arc, never by prefix
-- or by the last arc alone, and must not assume the extension's
-- criticality from its OID.
id-at-supportedAlgorithms	OBJECT IDENTIFIER ::=	{id-at 52}
id-at-deltaRevocationList	OBJECT IDENTIFIER ::=	{id-at 53}
id-ce-subjectDirectoryAttributes	OBJECT IDENTIFIER ::=	{id-ce 9}
id-ce-subjectKeyIdentifier	OBJECT IDENTIFIER ::=	{id-ce 14}
id-ce-keyUsage	OBJECT IDENTIFIER ::=	{id-ce 15}
id-ce-privateKeyUsagePeriod	OBJECT IDENTIFIER ::=	{id-ce 16}
id-ce-subjectAltName	OBJECT IDENTIFIER ::=	{id-ce 17}
id-ce-issuerAltName	OBJECT IDENTIFIER ::=	{id-ce 18}
id-ce-basicConstraints	OBJECT IDENTIFIER ::=	{id-ce 19}
id-ce-cRLNumber	OBJECT IDENTIFIER ::=	{id-ce 20}
id-ce-reasonCode	OBJECT IDENTIFIER ::=	{id-ce 21}
id-ce-instructionCode	OBJECT IDENTIFIER ::=	{id-ce 23}
id-ce-invalidityDate	OBJECT IDENTIFIER ::=	{id-ce 24}
id-ce-deltaCRLIndicator	OBJECT IDENTIFIER ::=	{id-ce 27}
id-ce-issuingDistributionPoint	OBJECT IDENTIFIER ::=	{id-ce 28}
id-ce-certificateIssuer	OBJECT IDENTIFIER ::=	{id-ce 29}
id-ce-nameConstraints	OBJECT IDENTIFIER ::=	{id-ce 30}
id-ce-cRLDistributionPoints	OBJECT IDENTIFIER ::=	{id-ce 31}
id-ce-certificatePolicies	OBJECT IDENTIFIER ::=	{id-ce 32}
id-ce-policyMappings	OBJECT IDENTIFIER ::=	{id-ce 33}
-- {id-ce 34} is retired; do not reuse it or treat it as policyConstraints.
-- deprecated	OBJECT IDENTIFIER ::=	{id-ce 34}
id-ce-authorityKeyIdentifier	OBJECT IDENTIFIER ::=	{id-ce 35}
id-ce-policyConstraints	OBJECT IDENTIFIER ::=	{id-ce 36}
id-ce-extKeyUsage	OBJECT IDENTIFIER ::=	{id-ce 37}
-- Matching-rule OIDs are assigned here even though the rules themselves
-- are implemented by hand in this build (see the note above).
id-mr-certificateExactMatch	OBJECT IDENTIFIER ::=	{id-mr 34}
id-mr-certificateMatch	OBJECT IDENTIFIER ::=	{id-mr 35}
id-mr-certificatePairExactMatch	OBJECT IDENTIFIER ::=	{id-mr 36}
id-mr-certificatePairMatch	OBJECT IDENTIFIER ::=	{id-mr 37}
id-mr-certificateListExactMatch	OBJECT IDENTIFIER ::=	{id-mr 38}
id-mr-certificateListMatch	OBJECT IDENTIFIER ::=	{id-mr 39}
id-mr-algorithmIdentifierMatch	OBJECT IDENTIFIER ::=	{id-mr 40}

-- Extended key purposes (values of KeyPurposeId). NOTE(review): id-pkix is
-- not defined in this module; it must be supplied by the IMPORTS section,
-- which is not fully visible in this excerpt -- confirm it resolves.
id-kp	OBJECT IDENTIFIER ::=	{id-pkix 3}
id-kp-serverAuth	OBJECT IDENTIFIER ::=	{id-kp 1}
id-kp-clientAuth	OBJECT IDENTIFIER ::=	{id-kp 2}
id-kp-codeSigning	OBJECT IDENTIFIER ::=	{id-kp 3}
id-kp-emailProtection	OBJECT IDENTIFIER ::=	{id-kp 4}
id-kp-timeStamping	OBJECT IDENTIFIER ::=	{id-kp 8}

-- Legacy Netscape cert-type extension (not an id-ce arc). Treat it as
-- advisory only: it must never grant CA status or a key usage that
-- basicConstraints / keyUsage do not.
id-netscape-cert-type	OBJECT IDENTIFIER ::=	{2 16 840 1 113730 1 1}
260 -- The following OBJECT IDENTIFIERS are not used by this specification:
261 -- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
262 -- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
263 -- {id-ce 22}, {id-ce 25}, {id-ce 26}