-- Module CertificateExtensions (X.509:08/1997)
-- ASN.1 definitions for the X.509 certificate and CRL extensions, the
-- directory attributes that carry them, and the matching rules used to
-- search for certificates and CRLs in the directory.
-- IMPLICIT TAGS: every [n] context tag in this module replaces the universal
-- tag of the component type, so a decoder must take the component type from
-- this schema; it cannot recover it from the encoded tag. Exception: a tag
-- applied to a CHOICE type (for example Name in GeneralName) is EXPLICIT by
-- the tagging rules regardless of the module default.

CertificateExtensions {joint-iso-itu-t ds(5) module(1)
  certificateExtensions(26) 0} DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORTS ALL
-- Names imported from the other X.500 series modules. The object identifier
-- in each FROM clause pins the edition of the referenced module.
IMPORTS
  id-at, id-ce, id-mr, informationFramework, authenticationFramework,
    selectedAttributeTypes, upperBounds
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
      usefulDefinitions(0) 3}
  Name, RelativeDistinguishedName, ATTRIBUTE, Attribute, MATCHING-RULE
    FROM InformationFramework informationFramework
  CertificateSerialNumber, CertificateList, AlgorithmIdentifier, EXTENSION,
    Time
    FROM AuthenticationFramework authenticationFramework
  DirectoryString{}
    FROM SelectedAttributeTypes selectedAttributeTypes
  ub-name
    FROM UpperBounds upperBounds
  ORAddress
    FROM MTSAbstractService {joint-iso-itu-t mhs(6) mts(3) modules(0)
      mts-abstract-service(1) version-1999(1)};

-- Unless explicitly noted otherwise, there is no significance to the ordering
-- of components of a SEQUENCE OF construct in this Specification.
-- Key and policy information extensions

-- Identifies the public key that verifies the signature on this certificate
-- or CRL, either by key identifier or by issuer name plus serial number.
authorityKeyIdentifier EXTENSION ::= {
  SYNTAX AuthorityKeyIdentifier
  IDENTIFIED BY id-ce-authorityKeyIdentifier
}

-- The subtype constraint below ties authorityCertIssuer and
-- authorityCertSerialNumber together: both present or both absent.
-- keyIdentifier is OPTIONAL in either alternative, so a decoder must not
-- assume that any particular component is present.
AuthorityKeyIdentifier ::= SEQUENCE {
  keyIdentifier              [0]  KeyIdentifier OPTIONAL,
  authorityCertIssuer        [1]  GeneralNames OPTIONAL,
  authorityCertSerialNumber  [2]  CertificateSerialNumber OPTIONAL
}
(WITH COMPONENTS {
   ...,
   authorityCertIssuer  PRESENT,
   authorityCertSerialNumber  PRESENT
 } |
 WITH COMPONENTS {
   ...,
   authorityCertIssuer  ABSENT,
   authorityCertSerialNumber  ABSENT
 })

-- Opaque octets; this module places no bound on length and does not say how
-- the value is derived from the key.
KeyIdentifier ::= OCTET STRING

subjectKeyIdentifier EXTENSION ::= {
  SYNTAX SubjectKeyIdentifier
  IDENTIFIED BY id-ce-subjectKeyIdentifier
}

SubjectKeyIdentifier ::= KeyIdentifier

keyUsage EXTENSION ::= {SYNTAX KeyUsage
  IDENTIFIED BY id-ce-keyUsage
}

-- Named-bit BIT STRING. Under DER trailing zero bits are not encoded, so an
-- encoded value may carry fewer than nine bits; an absent bit reads as zero.
-- keyCertSign is a separate statement from basicConstraints cA: a relying
-- party checks both before treating a certificate as a CA certificate.
KeyUsage ::= BIT STRING {
  digitalSignature(0), nonRepudiation(1), keyEncipherment(2),
  dataEncipherment(3), keyAgreement(4), keyCertSign(5), cRLSign(6),
  encipherOnly(7), decipherOnly(8)}

-- SIZE (1..MAX): an empty list is not a valid value. Decoders should enforce
-- the lower bound rather than treat an empty extension as "no purpose".
extKeyUsage EXTENSION ::= {
  SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId
  IDENTIFIED BY id-ce-extKeyUsage
}

KeyPurposeId ::= OBJECT IDENTIFIER

privateKeyUsagePeriod EXTENSION ::= {
  SYNTAX PrivateKeyUsagePeriod
  IDENTIFIED BY id-ce-privateKeyUsagePeriod
}

-- At least one of notBefore / notAfter must be present (constraint below);
-- a SEQUENCE with neither is invalid even though both are OPTIONAL.
PrivateKeyUsagePeriod ::= SEQUENCE {
  notBefore  [0]  GeneralizedTime OPTIONAL,
  notAfter   [1]  GeneralizedTime OPTIONAL
}
(WITH COMPONENTS {
   ...,
   notBefore  PRESENT
 } | WITH COMPONENTS {
   ...,
   notAfter  PRESENT
 })

certificatePolicies EXTENSION ::= {
  SYNTAX CertificatePoliciesSyntax
  IDENTIFIED BY id-ce-certificatePolicies
}

-- At least one PolicyInformation; policyQualifiers, when present, is itself
-- non-empty.
CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
  policyIdentifier  CertPolicyId,
  policyQualifiers  SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
}

CertPolicyId ::= OBJECT IDENTIFIER
-- qualifier is an open type selected by policyQualifierId through the
-- CERT-POLICY-QUALIFIER object set. SupportedPolicyQualifiers is left empty
-- and extensible here ({...}), so this module fixes no concrete qualifier
-- types: a decoder must treat qualifier as opaque unless the profile in use
-- defines the OID it sees.
PolicyQualifierInfo ::= SEQUENCE {
  policyQualifierId  CERT-POLICY-QUALIFIER.&id({SupportedPolicyQualifiers}),
  qualifier
    CERT-POLICY-QUALIFIER.&Qualifier
      ({SupportedPolicyQualifiers}{@policyQualifierId}) OPTIONAL
}

SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::=
  {...}

-- Information object class: an OID (UNIQUE within an object set) and an
-- optional type that the OID governs.
CERT-POLICY-QUALIFIER ::= CLASS {
  &id         OBJECT IDENTIFIER UNIQUE,
  &Qualifier  OPTIONAL
}WITH SYNTAX {POLICY-QUALIFIER-ID &id
             [QUALIFIER-TYPE &Qualifier]
}

policyMappings EXTENSION ::= {
  SYNTAX PolicyMappingsSyntax
  IDENTIFIED BY id-ce-policyMappings
}

-- Each pair maps a policy of the issuer's domain to the policy of the
-- subject's domain that is to be treated as equivalent.
PolicyMappingsSyntax ::=
  SEQUENCE SIZE (1..MAX) OF
    SEQUENCE {issuerDomainPolicy   CertPolicyId,
              subjectDomainPolicy  CertPolicyId}

-- Directory attribute advertising the algorithms an entity supports,
-- optionally scoped to particular key usages and certificate policies.
supportedAlgorithms ATTRIBUTE ::= {
  WITH SYNTAX SupportedAlgorithm
  EQUALITY MATCHING RULE algorithmIdentifierMatch
  ID id-at-supportedAlgorithms
}

SupportedAlgorithm ::= SEQUENCE {
  algorithmIdentifier          AlgorithmIdentifier,
  intendedUsage                [0]  KeyUsage OPTIONAL,
  intendedCertificatePolicies  [1]  CertificatePoliciesSyntax OPTIONAL
}

-- Certificate subject and certificate issuer attributes extensions
subjectAltName EXTENSION ::= {
  SYNTAX GeneralNames
  IDENTIFIED BY id-ce-subjectAltName
}

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- Context tags [0]..[8] are IMPLICIT (module default) except directoryName:
-- Name is a CHOICE, so its [4] tag is EXPLICIT by the tagging rules.
-- This module places no length or syntax constraint on the IA5String
-- alternatives or on iPAddress. The profile in use, not this module, says
-- which octet counts and name syntaxes are acceptable; a consumer should
-- validate them explicitly and compare names by explicit length rather than
-- by any terminator convention of its host language.
GeneralName ::= CHOICE {
  otherName                  [0]  INSTANCE OF OTHER-NAME,
  rfc822Name                 [1]  IA5String,
  dNSName                    [2]  IA5String,
  x400Address                [3]  ORAddress,
  directoryName              [4]  Name,
  ediPartyName               [5]  EDIPartyName,
  uniformResourceIdentifier  [6]  IA5String,
  iPAddress                  [7]  OCTET STRING,
  registeredID               [8]  OBJECT IDENTIFIER
}

-- TYPE-IDENTIFIER: an OID followed by an open type chosen by that OID; the
-- value is opaque to a decoder that does not know the OID.
OTHER-NAME ::= TYPE-IDENTIFIER

-- Both strings are bounded by ub-name (imported from UpperBounds).
EDIPartyName ::= SEQUENCE {
  nameAssigner  [0]  DirectoryString{ub-name} OPTIONAL,
  partyName     [1]  DirectoryString{ub-name}
}

issuerAltName EXTENSION ::= {
  SYNTAX GeneralNames
  IDENTIFIED BY id-ce-issuerAltName
}
subjectDirectoryAttributes EXTENSION ::= {
  SYNTAX AttributesSyntax
  IDENTIFIED BY id-ce-subjectDirectoryAttributes
}

AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute

-- Certification path constraints extensions
basicConstraints EXTENSION ::= {
  SYNTAX BasicConstraintsSyntax
  IDENTIFIED BY id-ce-basicConstraints
}

-- cA DEFAULT FALSE: under DER a component equal to its default is never
-- encoded, so an explicitly encoded FALSE is a DER violation and an absent
-- cA means FALSE. pathLenConstraint limits the number of CA certificates
-- permitted below this one in a path; it is only expected together with
-- cA TRUE (confirm against the profile in use).
BasicConstraintsSyntax ::= SEQUENCE {
  cA                 BOOLEAN DEFAULT FALSE,
  pathLenConstraint  INTEGER(0..MAX) OPTIONAL
}

nameConstraints EXTENSION ::= {
  SYNTAX NameConstraintsSyntax
  IDENTIFIED BY id-ce-nameConstraint
}

-- This edition carries a third component, requiredNameForms. The PKIX
-- profile (RFC 5280) defines only permittedSubtrees and excludedSubtrees,
-- so data exchanged with PKIX implementations must not rely on [2].
NameConstraintsSyntax ::= SEQUENCE {
  permittedSubtrees  [0]  GeneralSubtrees OPTIONAL,
  excludedSubtrees   [1]  GeneralSubtrees OPTIONAL,
  requiredNameForms  [2]  NameForms OPTIONAL
}

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

-- minimum / maximum bound the subtree depth relative to base. The PKIX
-- profile requires minimum to be 0 and maximum to be absent.
GeneralSubtree ::= SEQUENCE {
  base     GeneralName,
  minimum  [0]  BaseDistance DEFAULT 0,
  maximum  [1]  BaseDistance OPTIONAL
}

BaseDistance ::= INTEGER(0..MAX)

-- Both components are OPTIONAL but the constraint excludes the empty value.
NameForms ::= SEQUENCE {
  basicNameForms  [0]  BasicNameForms OPTIONAL,
  otherNameForms  [1]  SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
}(ALL EXCEPT ({ --none; i.e.:at least one component shall be present--}))

-- Bit positions are the GeneralName tag numbers minus one (rfc822Name is
-- [1] in GeneralName but bit 0 here); do not index one table with the other.
BasicNameForms ::= BIT STRING {
  rfc822Name(0), dNSName(1), x400Address(2), directoryName(3), ediPartyName(4),
  uniformResourceIdentifier(5), iPAddress(6), registeredID(7)}(SIZE (1..MAX))

policyConstraints EXTENSION ::= {
  SYNTAX PolicyConstraintsSyntax
  IDENTIFIED BY id-ce-policyConstraints
}

PolicyConstraintsSyntax ::= SEQUENCE {
  requireExplicitPolicy  [0]  SkipCerts OPTIONAL,
  inhibitPolicyMapping   [1]  SkipCerts OPTIONAL
}

-- Number of certificates in the path to skip before the constraint applies.
SkipCerts ::= INTEGER(0..MAX)

CertPolicySet ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId

-- Basic CRL extensions
cRLNumber EXTENSION ::= {
  SYNTAX CRLNumber
  IDENTIFIED BY id-ce-cRLNumber
}

-- Unbounded non-negative INTEGER; decoders must not assume it fits a
-- machine word.
CRLNumber ::= INTEGER(0..MAX)

reasonCode EXTENSION ::= {
  SYNTAX CRLReason
  IDENTIFIED BY id-ce-reasonCode
}

-- Value 7 is unassigned and the type is not marked extensible, so a decoder
-- should treat a value outside this list as unknown rather than silently
-- mapping it to unspecified(0).
CRLReason ::= ENUMERATED {
  unspecified(0), keyCompromise(1), cACompromise(2), affiliationChanged(3),
  superseded(4), cessationOfOperation(5), certificateHold(6), removeFromCRL(8)
}

instructionCode EXTENSION ::= {
  SYNTAX HoldInstruction
  IDENTIFIED BY id-ce-instructionCode
}

HoldInstruction ::= OBJECT IDENTIFIER

invalidityDate EXTENSION ::= {
  SYNTAX GeneralizedTime
  IDENTIFIED BY id-ce-invalidityDate
}

-- CRL distribution points and delta-CRL extensions
cRLDistributionPoints EXTENSION ::= {
  SYNTAX CRLDistPointsSyntax
  IDENTIFIED BY id-ce-cRLDistributionPoints
}

CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

-- All three components are OPTIONAL. A relying party that fetches from a
-- distributionPoint is retrieving from a location named by the certificate
-- itself, and must still verify the CRL signature against the expected
-- issuer (or cRLIssuer when present).
DistributionPoint ::= SEQUENCE {
  distributionPoint  [0]  DistributionPointName OPTIONAL,
  reasons            [1]  ReasonFlags OPTIONAL,
  cRLIssuer          [2]  GeneralNames OPTIONAL
}

-- nameRelativeToCRLIssuer is a single RDN relative to the CRL issuer's
-- name; fullName is a complete set of names.
DistributionPointName ::= CHOICE {
  fullName                 [0]  GeneralNames,
  nameRelativeToCRLIssuer  [1]  RelativeDistinguishedName
}

-- Bit 0 is named "unused"; bits 1..6 line up with the CRLReason values.
ReasonFlags ::= BIT STRING {
  unused(0), keyCompromise(1), caCompromise(2), affiliationChanged(3),
  superseded(4), cessationOfOperation(5), certificateHold(6)}

issuingDistributionPoint EXTENSION ::= {
  SYNTAX IssuingDistPointSyntax
  IDENTIFIED BY id-ce-issuingDistributionPoint
}

-- Declares the scope of a CRL. The DEFAULT FALSE booleans are omitted in
-- DER when false; an absent component reads as FALSE.
IssuingDistPointSyntax ::= SEQUENCE {
  distributionPoint      [0]  DistributionPointName OPTIONAL,
  onlyContainsUserCerts  [1]  BOOLEAN DEFAULT FALSE,
  onlyContainsCACerts    [2]  BOOLEAN DEFAULT FALSE,
  onlySomeReasons        [3]  ReasonFlags OPTIONAL,
  indirectCRL            [4]  BOOLEAN DEFAULT FALSE
}

-- Carries issuer names for an entry of an indirect CRL; the semantics are
-- given in the CRL clauses of the specification, not in this module.
certificateIssuer EXTENSION ::= {
  SYNTAX GeneralNames
  IDENTIFIED BY id-ce-certificateIssuer
}

deltaCRLIndicator EXTENSION ::= {
  SYNTAX BaseCRLNumber
  IDENTIFIED BY id-ce-deltaCRLIndicator
}
-- CRL number of the base CRL that a delta CRL updates.
BaseCRLNumber ::= CRLNumber

-- Directory attribute holding a delta CRL (CertificateList from
-- AuthenticationFramework); equality uses certificateListExactMatch below.
deltaRevocationList ATTRIBUTE ::= {
  WITH SYNTAX CertificateList
  EQUALITY MATCHING RULE certificateListExactMatch
  ID id-at-deltaRevocationList
}

-- Matching rules
-- Assertion syntaxes for directory searches over stored certificates,
-- certificate pairs and CRLs. They select entries; they validate nothing,
-- so a match is not evidence that a certificate is trusted.
certificateExactMatch MATCHING-RULE ::= {
  SYNTAX CertificateExactAssertion
  ID id-mr-certificateExactMatch
}

-- (issuer, serialNumber) is the pair that identifies a certificate.
CertificateExactAssertion ::= SEQUENCE {
  serialNumber  CertificateSerialNumber,
  issuer        Name
}

certificateMatch MATCHING-RULE ::= {
  SYNTAX CertificateAssertion
  ID id-mr-certificateMatch
}

-- Every component is OPTIONAL, so an assertion may be arbitrarily loose; a
-- search that depends on a particular selector should check that it is set.
CertificateAssertion ::= SEQUENCE {
  serialNumber            [0]  CertificateSerialNumber OPTIONAL,
  issuer                  [1]  Name OPTIONAL,
  subjectKeyIdentifier    [2]  SubjectKeyIdentifier OPTIONAL,
  authorityKeyIdentifier  [3]  AuthorityKeyIdentifier OPTIONAL,
  certificateValid        [4]  Time OPTIONAL,
  privateKeyValid         [5]  GeneralizedTime OPTIONAL,
  subjectPublicKeyAlgID   [6]  OBJECT IDENTIFIER OPTIONAL,
  keyUsage                [7]  KeyUsage OPTIONAL,
  subjectAltName          [8]  AltNameType OPTIONAL,
  policy                  [9]  CertPolicySet OPTIONAL,
  pathToName              [10]  Name OPTIONAL
}

-- Enumeration values equal the GeneralName context tag numbers; otherName
-- [0] has no entry here and is expressed through otherNameForm instead.
-- Note these differ from BasicNameForms, whose bit positions are offset
-- by one.
AltNameType ::= CHOICE {
  builtinNameForm
    ENUMERATED {rfc822Name(1), dNSName(2), x400Address(3), directoryName(4),
                ediPartyName(5), uniformResourceIdentifier(6), iPAddress(7),
                registeredId(8)},
  otherNameForm  OBJECT IDENTIFIER
}

certificatePairExactMatch MATCHING-RULE ::= {
  SYNTAX CertificatePairExactAssertion
  ID id-mr-certificatePairExactMatch
}

-- At least one of forwardAssertion / reverseAssertion must be present.
CertificatePairExactAssertion ::= SEQUENCE {
  forwardAssertion  [0]  CertificateExactAssertion OPTIONAL,
  reverseAssertion  [1]  CertificateExactAssertion OPTIONAL
}
(WITH COMPONENTS {
   ...,
   forwardAssertion  PRESENT
 } | WITH COMPONENTS {
   ...,
   reverseAssertion  PRESENT
 })

certificatePairMatch MATCHING-RULE ::= {
  SYNTAX CertificatePairAssertion
  ID id-mr-certificatePairMatch
}

-- Same shape as CertificatePairExactAssertion but over the looser
-- CertificateAssertion; at least one of the two components is required.
CertificatePairAssertion ::= SEQUENCE {
  forwardAssertion  [0]  CertificateAssertion OPTIONAL,
  reverseAssertion  [1]  CertificateAssertion OPTIONAL
}
(WITH COMPONENTS {
   ...,
   forwardAssertion  PRESENT
 } | WITH COMPONENTS {
   ...,
   reverseAssertion  PRESENT
 })

certificateListExactMatch MATCHING-RULE ::= {
  SYNTAX CertificateListExactAssertion
  ID id-mr-certificateListExactMatch
}

-- A CRL is identified by issuer and thisUpdate, optionally narrowed by the
-- distribution point it was issued for.
CertificateListExactAssertion ::= SEQUENCE {
  issuer             Name,
  thisUpdate         Time,
  distributionPoint  DistributionPointName OPTIONAL
}

certificateListMatch MATCHING-RULE ::= {
  SYNTAX CertificateListAssertion
  ID id-mr-certificateListMatch
}

-- Mixed tagging: issuer, reasonFlags and dateAndTime rely on their
-- universal tags while the other components are context-tagged.
CertificateListAssertion ::= SEQUENCE {
  issuer             Name OPTIONAL,
  minCRLNumber       [0]  CRLNumber OPTIONAL,
  maxCRLNumber       [1]  CRLNumber OPTIONAL,
  reasonFlags        ReasonFlags OPTIONAL,
  dateAndTime        Time OPTIONAL,
  distributionPoint  [2]  DistributionPointName OPTIONAL
}

algorithmIdentifierMatch MATCHING-RULE ::= {
  SYNTAX AlgorithmIdentifier
  ID id-mr-algorithmIdentifierMatch
}

-- Object identifier assignments
-- Arc values under id-at, id-ce and id-mr (all imported from
-- UsefulDefinitions). These numbers are what a decoder matches extension
-- and matching-rule OIDs against.
id-at-supportedAlgorithms OBJECT IDENTIFIER ::=
  {id-at 52}

id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53}

id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}

id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14}

id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15}

id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16}

id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17}

id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18}

id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19}

id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20}

id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21}

id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23}

id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24}

id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27}
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28}

id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29}

-- NOTE: this edition assigns the name constraints extension {id-ce 30 1}
-- and lists {id-ce 30} as unused below. The PKIX profile (RFC 5280) uses
-- {id-ce 30} for its nameConstraints extension. An implementation keyed on
-- this module alone will therefore not recognise PKIX name constraints, and
-- vice versa; decide explicitly which arcs to recognise, since an
-- unrecognised name constraints extension is not the same as an absent one.
id-ce-nameConstraint OBJECT IDENTIFIER ::= {id-ce 30 1}

id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}

id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32}

id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33}

-- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=
  {id-ce 35}

id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36}

id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34}

id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}

id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}

id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}

id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}

id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}

id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}

-- Assigned here, but no EXTENSION object in this module references it; the
-- syntax of the inhibitAnyPolicy extension is not defined in this module.
id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= {id-ce 54}

-- The following OBJECT IDENTIFIERS are not used by this Specification:
-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
-- {id-ce 22}, {id-ce 25}, {id-ce 26}, {id-ce 30}
END

-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D