]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_asn1/asn1/sm_x509ce.asn
Security-57336.1.9.tar.gz
[apple/security.git] / OSX / libsecurity_asn1 / asn1 / sm_x509ce.asn
1 -- @(#) sm_x509ce.asn 1.3 3/4/98 15:25:14
2 CertificateExtensions
3 --
4 -- oid defined sm_x501ud.asn
5 -- {joint-iso-ccitt ds(5) module(1) certificateExtensions(26) 0}
6
7 DEFINITIONS IMPLICIT TAGS ::=
8
9 BEGIN
10
11 -- EXPORTS ALL
12
13 IMPORTS
14 id-at, id-ce, id-mr, informationFramework, authenticationFramework,
15 selectedAttributeTypes, upperBounds
16 FROM UsefulDefinitions { usefulDefinitions }
17
18 Name, RelativeDistinguishedName, Attribute
19 FROM InformationFramework { informationFramework }
20
21 GeneralNames, GeneralName
22 FROM CommonX509Definitions
23
24 CertificateSerialNumber, CertificateList, AlgorithmIdentifier
25 FROM AuthenticationFramework { authenticationFramework }
26
27 DirectoryString
28 FROM SelectedAttributeTypes { selectedAttributeTypes }
29
30 ORAddress
31 FROM MTSAbstractService { mTSAbstractService }
32
33 id-pkix
34 FROM ExtendedSecurityServices { extendedSecurityServices };
35
36 -- Unless explicitly noted otherwise, there is no significance to the ordering
37 -- of components of a SEQUENCE OF construct in this specification.
38
39 -- Key and policy information extensions --
40
41 AuthorityKeyIdentifier ::= SEQUENCE {
42 keyIdentifier [0] KeyIdentifier OPTIONAL,
43 authorityCertIssuer [1] GeneralNames OPTIONAL,
44 authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
45
46 KeyIdentifier ::= OCTET STRING
47
48 SubjectKeyIdentifier ::= KeyIdentifier
49
50 KeyUsage ::= BIT STRING {
51 digitalSignature (0),
52 nonRepudiation (1),
53 keyEncipherment (2),
54 dataEncipherment (3),
55 keyAgreement (4),
56 keyCertSign (5),
57 cRLSign (6),
58 encipherOnly (7),
59 decipherOnly (8) }
60
61 KeyPurposeId ::= OBJECT IDENTIFIER
62
63 -- Added 9/14/00 by dmitch
64 ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
65
66 PrivateKeyUsagePeriod ::= SEQUENCE {
67 notBefore [0] GeneralizedTime OPTIONAL,
68 notAfter [1] GeneralizedTime OPTIONAL }
69 ( WITH COMPONENTS {..., notBefore PRESENT} |
70 WITH COMPONENTS {..., notAfter PRESENT} )
71
72
73 CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
74
75 PolicyInformation ::= SEQUENCE {
76 policyIdentifier CertPolicyId,
77 policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
78
79 CertPolicyId ::= OBJECT IDENTIFIER
80
81 PolicyQualifierInfo ::= SEQUENCE {
82 policyQualifierId OBJECT IDENTIFIER,
83 qualifier ANY OPTIONAL }
84
85 PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
86 issuerDomainPolicy CertPolicyId,
87 subjectDomainPolicy CertPolicyId }
88
89 SupportedAlgorithm ::= SEQUENCE {
90 algorithmIdentifier AlgorithmIdentifier,
91 intendedUsage [0] KeyUsage OPTIONAL,
92 intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL }
93
94 -- Certificate subject and certificate issuer attributes extensions --
95
96 SubjectName ::= GeneralNames
97
98 -- moved to sm_x509cmn.asn since both sm_x509af.asn and sm_x509ce.asn need
99 -- it
100 --
101 -- GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
102
103 -- GeneralName ::= CHOICE {
104 -- otherName [0] OTHER-NAME,
105 -- rfc822Name [1] IA5String,
106 -- dNSName [2] IA5String,
107 -- x400Address [3] ORAddress,
108 -- directoryName [4] Name,
109 -- ediPartyName [5] EDIPartyName,
110 -- uniformResourceIdentifier [6] IA5String,
111 -- iPAddress [7] OCTET STRING,
112 -- registeredID [8] OBJECT IDENTIFIER }
113 --
114 -- OTHER-NAME ::= OBJECT IDENTIFIER
115
116 -- EDIPartyName ::= SEQUENCE {
117 -- nameAssigner [0] DirectoryString OPTIONAL,
118 -- partyName [1] DirectoryString }
119 --
120
121 IssuerAltName ::= GeneralNames
122
123 SubjectDirectoryAttributes ::= AttributesSyntax
124
125 AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute
126
127
128 -- Certification path constraints extensions --
129
130 BasicConstraintsSyntax ::= SEQUENCE {
131 cA BOOLEAN DEFAULT FALSE,
132 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
133
134 NameConstraintsSyntax ::= SEQUENCE {
135 permittedSubtrees [0] GeneralSubtrees OPTIONAL,
136 excludedSubtrees [1] GeneralSubtrees OPTIONAL }
137
138 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
139
140 GeneralSubtree ::= SEQUENCE {
141 base GeneralName,
142 minimum [0] BaseDistance DEFAULT 0,
143 maximum [1] BaseDistance OPTIONAL }
144
145 BaseDistance ::= INTEGER (0..MAX)
146
147 PolicyConstraintsSyntax ::= SEQUENCE {
148 requireExplicitPolicy [0] SkipCerts OPTIONAL,
149 inhibitPolicyMapping [1] SkipCerts OPTIONAL }
150
151 SkipCerts ::= INTEGER (0..MAX)
152
153 CertPolicySet ::= SEQUENCE OF CertPolicyId
154
155 -- Basic CRL extensions --
156
157 CRLNumber ::= INTEGER (0..MAX)
158
159 CRLReason ::= ENUMERATED {
160 unspecified (0),
161 keyCompromise (1),
162 cACompromise (2),
163 affiliationChanged (3),
164 superseded (4),
165 cessationOfOperation (5),
166 certificateHold (6), -- note 7 is not used by this spec.
167 removeFromCRL (8) }
168
169 HoldInstruction ::= OBJECT IDENTIFIER
170
171
172 InvalidityDate ::= GeneralizedTime
173
174 -- CRL distribution points and delta-CRL extensions --
175
176 CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
177
178 DistributionPoint ::= SEQUENCE {
179 distributionPoint [0] DistributionPointName OPTIONAL,
180 reasons [1] ReasonFlags OPTIONAL,
181 cRLIssuer [2] GeneralNames OPTIONAL }
182
183 DistributionPointName ::= CHOICE {
184 fullName [0] GeneralNames,
185 nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
186
187 ReasonFlags ::= BIT STRING {
188 unused (0),
189 keyCompromise (1),
190 caCompromise (2),
191 affiliationChanged (3),
192 superseded (4),
193 cessationOfOperation (5),
194 certificateHold (6) }
195
196 IssuingDistPointSyntax ::= SEQUENCE {
197 distributionPoint [0] DistributionPointName OPTIONAL,
198 onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
199 onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
200 onlySomeReasons [3] ReasonFlags OPTIONAL,
201 indirectCRL [4] BOOLEAN DEFAULT FALSE }
202
203 CertificateIssuer ::= GeneralNames
204
205 BaseCRLNumber ::= CRLNumber
206
207 DeltaRevocationList ::= CertificateList
208
209 -- Matching rules
210
211 -- removed. Our ASN.1 compiler does not support matching ruling. We will
212 -- do this manually -Pierce
213 --
214
215 -- end of Matching rules
216
217 -- Object identifier assignments --
218
219 id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52}
220 id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53}
221 id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}
222 id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14}
223 id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15}
224 id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16}
225 id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17}
226 id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18}
227 id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19}
228 id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20}
229 id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21}
230 id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23}
231 id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24}
232 id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27}
233 id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28}
234 id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29}
235 id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30}
236 id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
237 id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32}
238 id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33}
239 -- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
240 id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35}
241 id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36}
242 id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
243 id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34}
244 id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}
245 id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}
246 id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}
247 id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}
248 id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}
249 id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}
250
251 id-kp OBJECT IDENTIFIER ::= {id-pkix 3}
252 id-kp-serverAuth OBJECT IDENTIFIER ::= {id-kp 1}
253 id-kp-clientAuth OBJECT IDENTIFIER ::= {id-kp 2}
254 id-kp-codeSigning OBJECT IDENTIFIER ::= {id-kp 3}
255 id-kp-emailProtection OBJECT IDENTIFIER ::= {id-kp 4}
256 id-kp-timeStamping OBJECT IDENTIFIER ::= {id-kp 8}
257
258 id-netscape-cert-type OBJECT IDENTIFIER ::= {2 16 840 1 113730 1 1}
259
260 -- The following OBJECT IDENTIFIERS are not used by this specification:
261 -- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
262 -- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
263 -- {id-ce 22}, {id-ce 25}, {id-ce 26}
264
265 END