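-- Restored from a whitespace-mangled copy: the original line numbers had been
-- fused onto the first token of each line (e.g. "4DEFINITIONS", "24id-ce"),
-- which makes the module unparseable.  Line structure and indentation follow
-- the usual layout for this module; no definition was changed.
--
-- Companion module to PKIX1Explicit88 (imported below).  Every tag in this
-- module is IMPLICIT unless a component says EXPLICIT (see AnotherName).

PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) internet(1)
  security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- EXPORTS ALL --

IMPORTS
      id-pe, id-kp, id-qt-unotice, id-qt-cps,
      -- delete following line if "new" types are supported --
      -- BMPString,
      -- UTF8String,  end "new" types
      ORAddress, Name, RelativeDistinguishedName,
      CertificateSerialNumber, Attribute, DirectoryString
      FROM PKIX1Explicit88 { iso(1) identified-organization(3)
            dod(6) internet(1) security(5) mechanisms(5) pkix(7)
            id-mod(0) id-pkix1-explicit(18) };


-- ISO arc for standard certificate and CRL extensions

id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}

-- authority key identifier OID and syntax

id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }

AuthorityKeyIdentifier ::= SEQUENCE {
      keyIdentifier             [0] KeyIdentifier           OPTIONAL,
      authorityCertIssuer       [1] GeneralNames            OPTIONAL,
      authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
    -- authorityCertIssuer and authorityCertSerialNumber MUST both
    -- be present or both be absent

KeyIdentifier ::= OCTET STRING

-- subject key identifier OID and syntax

id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }

SubjectKeyIdentifier ::= KeyIdentifier

-- key usage extension OID and syntax

id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     nonRepudiation          (1),
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }

-- private key usage period extension OID and syntax

id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }

PrivateKeyUsagePeriod ::= SEQUENCE {
     notBefore       [0]     GeneralizedTime OPTIONAL,
     notAfter        [1]     GeneralizedTime OPTIONAL }
     -- either notBefore or notAfter MUST be present

-- certificate policies extension OID and syntax

id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }

anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }

CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
     policyIdentifier   CertPolicyId,
     policyQualifiers   SEQUENCE SIZE (1..MAX) OF
             PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

-- qualifier is an open type: its syntax is selected by the preceding
-- policyQualifierId (CPSuri for id-qt-cps, UserNotice for id-qt-unotice),
-- so a decoder cannot interpret it before reading the identifier

PolicyQualifierInfo ::= SEQUENCE {
       policyQualifierId  PolicyQualifierId,
       qualifier          ANY DEFINED BY policyQualifierId }

-- Implementations that recognize additional policy qualifiers MUST
-- augment the following definition for PolicyQualifierId

PolicyQualifierId ::=
    OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )

-- CPS pointer qualifier

CPSuri ::= IA5String

-- user notice qualifier

UserNotice ::= SEQUENCE {
     noticeRef        NoticeReference OPTIONAL,
     explicitText     DisplayText OPTIONAL}

NoticeReference ::= SEQUENCE {
     organization     DisplayText,
     noticeNumbers    SEQUENCE OF INTEGER }

-- every alternative is bounded to 1..200 characters; BMPString and
-- UTF8String are the "new" types referred to in the IMPORTS comment

DisplayText ::= CHOICE {
     ia5String        IA5String      (SIZE (1..200)),
     visibleString    VisibleString  (SIZE (1..200)),
     bmpString        BMPString      (SIZE (1..200)),
     utf8String       UTF8String     (SIZE (1..200)) }

-- policy mapping extension OID and syntax

id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }

PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
     issuerDomainPolicy      CertPolicyId,
     subjectDomainPolicy     CertPolicyId }

-- subject alternative name extension OID and syntax

id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- otherName is an open type (see AnotherName); iPAddress is a plain
-- OCTET STRING with no SIZE constraint in this syntax

GeneralName ::= CHOICE {
     otherName                       [0]     AnotherName,
     rfc822Name                      [1]     IA5String,
     dNSName                         [2]     IA5String,
     x400Address                     [3]     ORAddress,
     directoryName                   [4]     Name,
     ediPartyName                    [5]     EDIPartyName,
     uniformResourceIdentifier       [6]     IA5String,
     iPAddress                       [7]     OCTET STRING,
     registeredID                    [8]     OBJECT IDENTIFIER }

-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

AnotherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }
     -- value keeps its own tag inside [0] because it is EXPLICIT,
     -- unlike the rest of this IMPLICIT TAGS module

EDIPartyName ::= SEQUENCE {
     nameAssigner            [0]     DirectoryString OPTIONAL,
     partyName               [1]     DirectoryString }

-- issuer alternative name extension OID and syntax

id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }

IssuerAltName ::= GeneralNames

-- subject directory attributes extension OID and syntax

id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }

SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute

-- basic constraints extension OID and syntax

id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }

-- cA defaults to FALSE; pathLenConstraint is constrained non-negative

BasicConstraints ::= SEQUENCE {
     cA                      BOOLEAN DEFAULT FALSE,
     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

-- name constraints extension OID and syntax

id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

NameConstraints ::= SEQUENCE {
     permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
     excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
     base                    GeneralName,
     minimum         [0]     BaseDistance DEFAULT 0,
     maximum         [1]     BaseDistance OPTIONAL }

BaseDistance ::= INTEGER (0..MAX)

-- policy constraints extension OID and syntax

id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }

PolicyConstraints ::= SEQUENCE {
     requireExplicitPolicy           [0] SkipCerts OPTIONAL,
     inhibitPolicyMapping            [1] SkipCerts OPTIONAL }

SkipCerts ::= INTEGER (0..MAX)

-- CRL distribution points extension OID and syntax

id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  {id-ce 31}

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
     distributionPoint       [0]     DistributionPointName OPTIONAL,
     reasons                 [1]     ReasonFlags OPTIONAL,
     cRLIssuer               [2]     GeneralNames OPTIONAL }

DistributionPointName ::= CHOICE {
     fullName                [0]     GeneralNames,
     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

-- ReasonFlags and CRLReason (below) are numbered differently: bit 0 here
-- is unused, there is no removeFromCRL bit, and privilegeWithdrawn /
-- aACompromise sit at bits 7 / 8 rather than values 9 / 10

ReasonFlags ::= BIT STRING {
     unused                  (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     privilegeWithdrawn      (7),
     aACompromise            (8) }

-- extended key usage extension OID and syntax

id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId


KeyPurposeId ::= OBJECT IDENTIFIER

-- permit unspecified key uses

anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

-- extended key purpose OIDs

id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
id-kp-codeSigning            OBJECT IDENTIFIER ::= { id-kp 3 }
id-kp-emailProtection        OBJECT IDENTIFIER ::= { id-kp 4 }
id-kp-timeStamping           OBJECT IDENTIFIER ::= { id-kp 8 }
id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }

-- inhibit any policy OID and syntax

id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 }

InhibitAnyPolicy ::= SkipCerts

-- freshest (delta)CRL extension OID and syntax

id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 }

FreshestCRL ::= CRLDistributionPoints

-- authority info access

id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

AuthorityInfoAccessSyntax  ::=
        SEQUENCE SIZE (1..MAX) OF AccessDescription

AccessDescription  ::=  SEQUENCE {
        accessMethod          OBJECT IDENTIFIER,
        accessLocation        GeneralName  }

-- subject info access

id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }

SubjectInfoAccessSyntax  ::=
        SEQUENCE SIZE (1..MAX) OF AccessDescription

-- CRL number extension OID and syntax

id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

CRLNumber ::= INTEGER (0..MAX)

-- issuing distribution point extension OID and syntax

id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }

IssuingDistributionPoint ::= SEQUENCE {
     distributionPoint          [0] DistributionPointName OPTIONAL,
     onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
     onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
     onlySomeReasons            [3] ReasonFlags OPTIONAL,
     indirectCRL                [4] BOOLEAN DEFAULT FALSE,
     onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }

-- delta CRL indicator extension OID and syntax

id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

BaseCRLNumber ::= CRLNumber

-- CRL reasons extension OID and syntax

id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

-- value 7 is not assigned

CRLReason ::= ENUMERATED {
     unspecified             (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     removeFromCRL           (8),
     privilegeWithdrawn      (9),
     aACompromise           (10) }

-- certificate issuer CRL entry extension OID and syntax

id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

CertificateIssuer ::= GeneralNames

-- hold instruction extension OID and syntax

id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

HoldInstructionCode ::= OBJECT IDENTIFIER

-- ANSI x9 holdinstructions

-- ANSI x9 arc holdinstruction arc

holdInstruction OBJECT IDENTIFIER ::=
          {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}

-- ANSI X9 holdinstructions referenced by this standard

id-holdinstruction-none OBJECT IDENTIFIER  ::=
                                      {holdInstruction 1} -- deprecated

id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
                                      {holdInstruction 2}

id-holdinstruction-reject OBJECT IDENTIFIER ::=
                                      {holdInstruction 3}

-- invalidity date CRL entry extension OID and syntax

id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }

InvalidityDate ::=  GeneralizedTime

END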