-- @(#) sm_x509af.asn 1.2 2/24/98 13:40:34
--
-- X.509 Authentication Framework module: certificate, CRL and attribute
-- certificate syntax, plus an Apple-specific SignedCertOrCrl wrapper.
-- Comments marked NOTE(review) record constraints that the ASN.1 syntax
-- cannot express and that a consumer of these types has to check itself;
-- nothing in this module enforces them.
--
AuthenticationFramework
--
-- oid defined in sm_x501ud.asn
--
-- {joint-iso-ccitt ds(5) module(1) authenticationFramework(7) 3}

DEFINITIONS ::=

BEGIN

-- EXPORTS All --
-- The types and values defined in this module are exported for use in the
-- other ASN.1 modules contained
-- within the Directory Specifications, and for the use of other applications
-- which will use them to access Directory services. Other applications may
-- use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory
-- service.

IMPORTS

    -- Apple/VDA extension type used in place of INTEGER for serial numbers
    -- (see CertificateSerialNumber below).
    BigIntegerStr
        FROM VdaEnhancedTypes

    id-at, informationFramework, upperBounds, selectedAttributeTypes,
    basicAccessControl, certificateExtensions
        FROM UsefulDefinitions { usefulDefinitions }

    Name, Attribute, AttributeType
        FROM InformationFramework { informationFramework }

    ub-password-length
        FROM UpperBounds { upperBounds }

    -- not used
    -- AuthenticationLevel
    -- FROM BasicAccessControl { basicAccessControl }

    -- GeneralNames
    -- FROM CertificateExtensions { certificateExtensions }

    -- GeneralNames is taken from the common module rather than from
    -- CertificateExtensions (that import is kept above, commented out).
    GeneralNames
        FROM CommonX509Definitions

    UniqueIdentifier
        FROM SelectedAttributeTypes { selectedAttributeTypes } ;

-- basic certificate definition

-- Outer signed structure. signatureValue is computed over the DER encoding
-- of certificateToSign.
-- NOTE(review): X.509 requires algorithmIdentifier here to be identical to
-- the signature field inside CertificateToSign; the syntax cannot express
-- that, so a verifier has to compare the two after decoding.
Certificate ::= SEQUENCE {
    certificateToSign       CertificateToSign,
    algorithmIdentifier     AlgorithmIdentifier,
    signatureValue          BIT STRING }

-- The to-be-signed (TBS) certificate body.
-- NOTE(review): version is DEFAULT v1, so under DER a v1 certificate omits
-- the [0] field entirely; an explicitly encoded v1(0) is a DER violation.
-- The three "if present, version must be ..." rules below are likewise not
-- expressible in the syntax: a consumer must reject a certificate that
-- carries a field its version does not allow.
CertificateToSign ::= SEQUENCE {
    version                 [0] Version DEFAULT v1,
    serialNumber            CertificateSerialNumber,
    signature               AlgorithmIdentifier,
    issuer                  Name,
    validity                Validity,
    subject                 Name,
    subjectPublicKeyInfo    SubjectPublicKeyInfo,
    -- if present, version must be v2 or v3
    issuerUniqueIdentifier  [1] IMPLICIT UniqueIdentifier OPTIONAL,
    -- if present, version must be v2 or v3
    subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
    -- If present, version must be v3
    extensions              [3] Extensions OPTIONAL }

-- Named values only; the INTEGER itself is unconstrained.
-- NOTE(review): any integer decodes as a Version, so values outside v1..v3
-- have to be rejected by the consumer, not by the decoder.
Version ::= INTEGER { v1(0), v2(1), v3(2) }

-- CertificateSerialNumber ::= INTEGER

-- Apple deviation from X.509: the serial number is carried as BigIntegerStr
-- (imported from VdaEnhancedTypes) instead of INTEGER.
-- NOTE(review): the length and positivity limits that X.509 profiles place
-- on serial numbers are not expressed here. How BigIntegerStr represents the
-- value is not visible in this module; confirm against VdaEnhancedTypes
-- before relying on it for comparisons or logging.
CertificateSerialNumber ::= BigIntegerStr


-- parameters is an opaque ANY; its encoding depends on the algorithm OID.
-- NOTE(review): absent parameters and an explicit NULL are distinct
-- encodings; the consumer decides per algorithm which is acceptable.
AlgorithmIdentifier ::= SEQUENCE {
    algorithm               OBJECT IDENTIFIER,
    parameters              ANY OPTIONAL }

-- Validity window of a certificate; both bounds use the Time CHOICE.
Validity ::= SEQUENCE {
    notBefore               Time,
    notAfter                Time }

-- Algorithm plus the public key bits; the interpretation of subjectPublicKey
-- is determined by algorithm.
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm               AlgorithmIdentifier,
    subjectPublicKey        BIT STRING }

-- NOTE(review): UTCTime carries a two-digit year. X.509 fixes the century
-- (YY >= 50 is 19YY, YY < 50 is 20YY) and uses GeneralizedTime from 2050 on;
-- the CHOICE itself does not encode that rule, so the consumer applies it.
Time ::= CHOICE {
    utcTime                 UTCTime,
    generalizedTime         GeneralizedTime }

-- NOTE(review): no SIZE constraint, so an empty extensions list decodes
-- although X.509 profiles require at least one Extension when the field
-- is present.
Extensions ::= SEQUENCE OF Extension

-- For those extensions where ordering of individual extensions within the
-- SEQUENCE is significant, the specification of those individual extensions
-- shall include the rules for the significance of the order therein

-- NOTE(review): critical is DEFAULT FALSE and is therefore omitted under
-- DER when false. A consumer that does not recognise extnId must reject the
-- object when critical is TRUE, and must reject duplicate extnId values;
-- neither rule is expressible here.
Extension ::= SEQUENCE {
    extnId                  OBJECT IDENTIFIER,
    critical                BOOLEAN DEFAULT FALSE,
    -- extnValue contains a DER encoding: the extension-specific value,
    -- wrapped in this OCTET STRING and decoded in a second step according
    -- to extnId
    extnValue               OCTET STRING }

-- other certificate constructs

Certificates ::= SEQUENCE {
    userCertificate         Certificate,
    certificationPath       ForwardCertificationPath OPTIONAL }

ForwardCertificationPath ::= SEQUENCE OF CrossCertificates

CrossCertificates ::= SET OF Certificate

CertificationPath ::= SEQUENCE {
    userCertificate         Certificate,
    theCACertificates       SEQUENCE OF CertificatePair OPTIONAL }

-- NOTE(review): both members are OPTIONAL, so an empty pair is syntactically
-- valid; the "at least one" rule below is a consumer check.
CertificatePair ::= SEQUENCE {
    -- at least one of the pair shall be present
    forward                 [0] Certificate OPTIONAL,
    reverse                 [1] Certificate OPTIONAL }

-- certificate revocation list (CRL)

-- Outer signed CRL; same shape as Certificate, and the same requirement
-- that algorithmIdentifier match the signature field inside CRLToSign.
CertificateList ::= SEQUENCE {
    crlToSign               CRLToSign,
    algorithmIdentifier     AlgorithmIdentifier,
    signatureValue          BIT STRING }

-- NOTE(review): X.509 profiles require revokedCertificates to be absent,
-- not empty, when nothing is revoked; the syntax allows both. nextUpdate is
-- OPTIONAL in the syntax; a relying party should not treat its absence as
-- "never expires".
CRLToSign ::= SEQUENCE {
    version                 Version OPTIONAL, -- if present, version must be v2
    signature               AlgorithmIdentifier,
    issuer                  Name,
    thisUpdate              Time,
    nextUpdate              Time OPTIONAL,
    revokedCertificates     SEQUENCE OF SEQUENCE {
        userCertificate         CertificateSerialNumber,
        revocationDate          Time,
        crlEntryExtensions      Extensions OPTIONAL } OPTIONAL,
    crlExtensions           [0] Extensions OPTIONAL }

-- attribute certificate
AttributeCertificationPath ::= SEQUENCE {
    attributeCertificate    AttributeCertificate,
    acPath                  SEQUENCE OF ACPathData OPTIONAL }

ACPathData ::= SEQUENCE {
    certificate             [0] Certificate OPTIONAL,
    attributeCertificate    [1] AttributeCertificate OPTIONAL }

-- Outer signed attribute certificate (same shape as Certificate).
AttributeCertificate ::= SEQUENCE {
    attributeCertificateInfo AttributeCertificateInfo,
    algorithmIdentifier     AlgorithmIdentifier,
    signatureValue          BIT STRING }

AttributeCertificateInfo ::= SEQUENCE {
    version                 Version DEFAULT v1,
    subject CHOICE {
        baseCertificateID       [0] IssuerSerial, -- associated with a Public Key
                                                  -- Certificate
        subjectName             [1] GeneralNames }, -- associated with a name
    issuer                  GeneralNames, -- CA issuing the attribute certificate
    signature               AlgorithmIdentifier,
    serialNumber            CertificateSerialNumber,
    attCertValidityPeriod   AttCertValidityPeriod,
    attributes              SEQUENCE OF Attribute,
    issuerUniqueID          UniqueIdentifier OPTIONAL,
    extensions              Extensions OPTIONAL }

-- Identifies the holder's public key certificate by issuer and serial.
IssuerSerial ::= SEQUENCE {
    issuer                  GeneralNames,
    serial                  CertificateSerialNumber,
    issuerUID               UniqueIdentifier OPTIONAL}

-- Attribute certificates use GeneralizedTime only, not the Time CHOICE.
AttCertValidityPeriod ::= SEQUENCE {
    notBeforeTime           GeneralizedTime,
    notAfterTime            GeneralizedTime }

AttributeCertificateAssertion ::= SEQUENCE {
    -- At least one component of the sequence must be present
    subject [0] CHOICE {
        baseCertificateID       [0] IssuerSerial,
        subjectName             [1] Name } OPTIONAL,
    issuer                  [1] Name OPTIONAL,
    attCertValidity         [2] GeneralizedTime OPTIONAL,
    attType                 [3] SET OF AttributeType OPTIONAL }

-- Apple addenda: abstract "signed CRL or cert". In this case the blob to be
-- signed is actually an encoded CertificateToSign or CRLToSign. Representing
-- that blob as an ASN ANY field allows for signature verify without decoding
-- the entire CertificateToSign or CRLToSign.
--
-- NOTE(review): tbsBlob is the raw received encoding, which is what the
-- signature must be verified over (never a re-encoding). Two checks stay
-- with the caller: the algorithm used for verification must come from a
-- policy of accepted algorithms rather than from algIdBlob alone, and
-- algIdBlob must equal the signature field inside tbsBlob, which does
-- require decoding at least that inner field.
SignedCertOrCrl ::= SEQUENCE {
    tbsBlob                 ANY,
    algIdBlob               ANY,
    signatureValue          BIT STRING }

-- attribute types --

-- NOTE(review): the SIZE bound comes from UpperBounds; whether a generated
-- decoder enforces it is not visible in this module.
UserPassword ::= OCTET STRING (SIZE (0..ub-password-length))

UserCertificate ::= Certificate

CACertificate ::= Certificate

CrossCertificatePair ::= CertificatePair

AuthorityRevocationList ::= CertificateList

CertificateRevocationList ::= CertificateList

AttributeCertificateRevocationList ::= CertificateList

-- object identifier assignments --
id-at-userPassword OBJECT IDENTIFIER ::= {id-at 35}
id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}

END