1 PKIX1Explicit-2009 2 {iso(1) identified-organization(3) dod(6) internet(1) 3 security(5) mechanisms(5) pkix(7) id-mod(0) 4 id-mod-pkix1-explicit-02(51)} 5 DEFINITIONS EXPLICIT TAGS ::= 6 BEGIN 7 8 IMPORTS 9 10 Extensions{}, EXTENSION, ATTRIBUTE, SingleAttribute{} 11 FROM PKIX-CommonTypes-2009 12 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 13 mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} 14 15 AlgorithmIdentifier{}, PUBLIC-KEY, SIGNATURE-ALGORITHM 16 FROM AlgorithmInformation-2009 17 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 18 mechanisms(5) pkix(7) id-mod(0) 19 id-mod-algorithmInformation-02(58)} 20 21 CertExtensions, CrlExtensions, CrlEntryExtensions 22 FROM PKIX1Implicit-2009 23 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 24 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} 25 SignatureAlgs, PublicKeys 26 FROM PKIXAlgs-2009 27 {iso(1) identified-organization(3) dod(6) 28 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 56} 29 30 SignatureAlgs, PublicKeys 31 FROM PKIX1-PSS-OAEP-Algorithms-2009 32 {iso(1) identified-organization(3) dod(6) 33 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 34 id-mod-pkix1-rsa-pkalgs-02(54)} 35 36 ORAddress 37 FROM PKIX-X400Address-2009 38 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 39 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60)}; 40 41 id-pkix OBJECT IDENTIFIER ::= 42 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 43 mechanisms(5) pkix(7)} 44 45 -- PKIX arcs 46 47 id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } 48 -- arc for private certificate extensions 49 id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } 50 -- arc for policy qualifier types 51 id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } 52 -- arc for extended key purpose OIDs 53 id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } 54 -- arc for access descriptors 55 56 -- policyQualifierIds for Internet policy qualifiers 57 58 id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } 59 -- OID for CPS qualifier 60 id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } 61 -- OID for user notice qualifier 62 63 -- access descriptor definitions 64 65 id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } 66 id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } 67 id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } 68 id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } 69 70 -- attribute data types 71 AttributeType ::= ATTRIBUTE.&id 72 73 -- Replaced by SingleAttribute{} 74 -- 75 -- AttributeTypeAndValue ::= SEQUENCE { 76 -- type ATTRIBUTE.&id({SupportedAttributes}), 77 -- value ATTRIBUTE.&Type({SupportedAttributes}{@type}) } 78 -- 79 80 -- Suggested naming attributes: Definition of the following 81 -- information object set may be augmented to meet local 82 -- requirements. Note that deleting members of the set may 83 -- prevent interoperability with conforming implementations. 84 -- All attributes are presented in pairs: the AttributeType 85 -- followed by the type definition for the corresponding 86 -- AttributeValue. 87 88 -- Arc for standard naming attributes 89 90 id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } 91 92 -- Naming attributes of type X520name 93 94 id-at-name AttributeType ::= { id-at 41 } 95 at-name ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-name } 96 97 id-at-surname AttributeType ::= { id-at 4 } 98 at-surname ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-surname } 99 100 id-at-givenName AttributeType ::= { id-at 42 } 101 at-givenName ATTRIBUTE ::= 102 { TYPE X520name IDENTIFIED BY id-at-givenName } 103 104 id-at-initials AttributeType ::= { id-at 43 } 105 at-initials ATTRIBUTE ::= 106 { TYPE X520name IDENTIFIED BY id-at-initials } 107 108 id-at-generationQualifier AttributeType ::= { id-at 44 } 109 at-generationQualifier ATTRIBUTE ::= 110 { TYPE X520name IDENTIFIED BY id-at-generationQualifier } 111 112 -- Directory string type -- 113 114 DirectoryString{INTEGER:maxSize} ::= CHOICE { 115 teletexString TeletexString(SIZE (1..maxSize)), 116 printableString PrintableString(SIZE (1..maxSize)), 117 bmpString BMPString(SIZE (1..maxSize)), 118 universalString UniversalString(SIZE (1..maxSize)), 119 uTF8String UTF8String(SIZE (1..maxSize)) 120 } 121 122 X520name ::= DirectoryString {ub-name} 123 124 -- Naming attributes of type X520CommonName 125 126 id-at-commonName AttributeType ::= { id-at 3 } 127 128 at-x520CommonName ATTRIBUTE ::= 129 {TYPE X520CommonName IDENTIFIED BY id-at-commonName } 130 131 X520CommonName ::= DirectoryString {ub-common-name} 132 133 -- Naming attributes of type X520LocalityName 134 135 id-at-localityName AttributeType ::= { id-at 7 } 136 137 at-x520LocalityName ATTRIBUTE ::= 138 { TYPE X520LocalityName IDENTIFIED BY id-at-localityName } 139 X520LocalityName ::= DirectoryString {ub-locality-name} 140 141 -- Naming attributes of type X520StateOrProvinceName 142 143 id-at-stateOrProvinceName AttributeType ::= { id-at 8 } 144 145 at-x520StateOrProvinceName ATTRIBUTE ::= 146 { TYPE DirectoryString {ub-state-name} 147 IDENTIFIED BY id-at-stateOrProvinceName } 148 X520StateOrProvinceName ::= DirectoryString {ub-state-name} 149 150 -- Naming attributes of type X520OrganizationName 151 152 id-at-organizationName AttributeType ::= { id-at 10 } 153 154 at-x520OrganizationName ATTRIBUTE ::= 155 { TYPE DirectoryString {ub-organization-name} 156 IDENTIFIED BY id-at-organizationName } 157 X520OrganizationName ::= DirectoryString {ub-organization-name} 158 159 -- Naming attributes of type X520OrganizationalUnitName 160 161 id-at-organizationalUnitName AttributeType ::= { id-at 11 } 162 163 at-x520OrganizationalUnitName ATTRIBUTE ::= 164 { TYPE DirectoryString {ub-organizational-unit-name} 165 IDENTIFIED BY id-at-organizationalUnitName } 166 X520OrganizationalUnitName ::= DirectoryString 167 {ub-organizational-unit-name} 168 169 -- Naming attributes of type X520Title 170 171 id-at-title AttributeType ::= { id-at 12 } 172 173 at-x520Title ATTRIBUTE ::= { TYPE DirectoryString { ub-title } 174 IDENTIFIED BY id-at-title } 175 176 -- Naming attributes of type X520dnQualifier 177 178 id-at-dnQualifier AttributeType ::= { id-at 46 } 179 180 at-x520dnQualifier ATTRIBUTE ::= { TYPE PrintableString 181 IDENTIFIED BY id-at-dnQualifier } 182 183 -- Naming attributes of type X520countryName (digraph from IS 3166) 184 185 id-at-countryName AttributeType ::= { id-at 6 } 186 187 at-x520countryName ATTRIBUTE ::= { TYPE PrintableString (SIZE (2)) 188 IDENTIFIED BY id-at-countryName } 189 190 -- Naming attributes of type X520SerialNumber 191 192 id-at-serialNumber AttributeType ::= { id-at 5 } 193 194 at-x520SerialNumber ATTRIBUTE ::= {TYPE PrintableString 195 (SIZE (1..ub-serial-number)) IDENTIFIED BY id-at-serialNumber } 196 197 -- Naming attributes of type X520Pseudonym 198 199 id-at-pseudonym AttributeType ::= { id-at 65 } 200 201 at-x520Pseudonym ATTRIBUTE ::= { TYPE DirectoryString {ub-pseudonym} 202 IDENTIFIED BY id-at-pseudonym } 203 204 -- Naming attributes of type DomainComponent (from RFC 2247) 205 206 id-domainComponent AttributeType ::= 207 { itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) 208 pilotAttributeType(1) 25 } 209 210 at-domainComponent ATTRIBUTE ::= {TYPE IA5String 211 IDENTIFIED BY id-domainComponent } 212 213 -- Legacy attributes 214 215 pkcs-9 OBJECT IDENTIFIER ::= 216 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } 217 id-emailAddress AttributeType ::= { pkcs-9 1 } 218 219 at-emailAddress ATTRIBUTE ::= {TYPE IA5String 220 (SIZE (1..ub-emailaddress-length)) IDENTIFIED BY 221 id-emailAddress } 222 223 -- naming data types -- 224 225 Name ::= CHOICE { -- only one possibility for now -- 226 rdnSequence RDNSequence } 227 228 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 229 230 DistinguishedName ::= RDNSequence 231 232 RelativeDistinguishedName ::= 233 SET SIZE (1 .. MAX) OF SingleAttribute { {SupportedAttributes} } 234 235 -- These are the known name elements for a DN 236 237 SupportedAttributes ATTRIBUTE ::= { 238 at-name | at-surname | at-givenName | at-initials | 239 at-generationQualifier | at-x520CommonName | 240 at-x520LocalityName | at-x520StateOrProvinceName | 241 at-x520OrganizationName | at-x520OrganizationalUnitName | 242 at-x520Title | at-x520dnQualifier | at-x520countryName | 243 at-x520SerialNumber | at-x520Pseudonym | at-domainComponent | 244 at-emailAddress, ... } 245 246 -- 247 -- Certificate- and CRL-specific structures begin here 248 -- 249 250 Certificate ::= SIGNED{TBSCertificate} 251 252 TBSCertificate ::= SEQUENCE { 253 version [0] Version DEFAULT v1, 254 serialNumber CertificateSerialNumber, 255 signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, 256 {SignatureAlgorithms}}, 257 issuer Name, 258 validity Validity, 259 subject Name, 260 subjectPublicKeyInfo SubjectPublicKeyInfo, 261 ... , 262 [[2: -- If present, version MUST be v2 263 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 264 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL 265 ]], 266 [[3: -- If present, version MUST be v3 -- 267 extensions [3] Extensions{{CertExtensions}} OPTIONAL 268 ]], ... } 269 270 Version ::= INTEGER { v1(0), v2(1), v3(2) } 271 272 CertificateSerialNumber ::= INTEGER 273 274 Validity ::= SEQUENCE { 275 notBefore Time, 276 notAfter Time } 277 278 Time ::= CHOICE { 279 utcTime UTCTime, 280 generalTime GeneralizedTime } 281 282 UniqueIdentifier ::= BIT STRING 283 284 SubjectPublicKeyInfo ::= SEQUENCE { 285 algorithm AlgorithmIdentifier{PUBLIC-KEY, 286 {PublicKeyAlgorithms}}, 287 subjectPublicKey BIT STRING } 288 289 -- CRL structures 290 291 CertificateList ::= SIGNED{TBSCertList} 292 293 TBSCertList ::= SEQUENCE { 294 version Version OPTIONAL, 295 -- if present, MUST be v2 296 signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, 297 {SignatureAlgorithms}}, 298 issuer Name, 299 thisUpdate Time, 300 nextUpdate Time OPTIONAL, 301 revokedCertificates SEQUENCE SIZE (1..MAX) OF SEQUENCE { 302 userCertificate CertificateSerialNumber, 303 revocationDate Time, 304 ... , 305 [[2: -- if present, version MUST be v2 306 crlEntryExtensions Extensions{{CrlEntryExtensions}} 307 OPTIONAL 308 ]], ... 309 } OPTIONAL, 310 ... , 311 [[2: -- if present, version MUST be v2 312 crlExtensions [0] Extensions{{CrlExtensions}} 313 OPTIONAL 314 ]], ... } 315 316 -- Version, Time, CertificateSerialNumber, and Extensions were 317 -- defined earlier for use in the certificate structure 318 319 -- 320 -- The two object sets below should be expanded to include 321 -- those algorithms which are supported by the system. 322 -- 323 -- For example: 324 -- SignatureAlgorithms SIGNATURE-ALGORITHM ::= { 325 -- PKIXAlgs-2008.SignatureAlgs, ..., 326 -- - - RFC 3279 provides the base set 327 -- PKIX1-PSS-OAEP-ALGORITHMS.SignatureAlgs | 328 -- - - RFC 4055 provides extension algs 329 -- OtherModule.SignatureAlgs 330 -- - - RFC XXXX provides additional extension algs 331 -- } 332 333 SignatureAlgorithms SIGNATURE-ALGORITHM ::= { 334 PKIXAlgs-2009.SignatureAlgs, ..., 335 PKIX1-PSS-OAEP-Algorithms-2009.SignatureAlgs } 336 337 PublicKeyAlgorithms PUBLIC-KEY ::= { 338 PKIXAlgs-2009.PublicKeys, ..., 339 PKIX1-PSS-OAEP-Algorithms-2009.PublicKeys} 340 341 -- Upper Bounds 342 343 ub-state-name INTEGER ::= 128 344 ub-organization-name INTEGER ::= 64 345 ub-organizational-unit-name INTEGER ::= 64 346 ub-title INTEGER ::= 64 347 ub-serial-number INTEGER ::= 64 348 ub-pseudonym INTEGER ::= 128 349 ub-emailaddress-length INTEGER ::= 255 350 ub-locality-name INTEGER ::= 128 351 ub-common-name INTEGER ::= 64 352 ub-name INTEGER ::= 32768 353 354 -- Note - upper bounds on string types, such as TeletexString, are 355 -- measured in characters. Excepting PrintableString or IA5String, a 356 -- significantly greater number of octets will be required to hold 357 -- such a value. As a minimum, 16 octets or twice the specified 358 -- upper bound, whichever is the larger, should be allowed for 359 -- TeletexString. For UTF8String or UniversalString, at least four 360 -- times the upper bound should be allowed. 361 362 -- Information object classes used in the definition 363 -- of certificates and CRLs 364 365 -- Parameterized Type SIGNED 366 -- 367 -- Three different versions of doing SIGNED: 368 -- 1. Simple and close to the previous version 369 -- 370 -- SIGNED{ToBeSigned} ::= SEQUENCE { 371 -- toBeSigned ToBeSigned, 372 -- algorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, 373 -- {SignatureAlgorithms}}, 374 -- signature BIT STRING 375 -- } 376 377 -- 2. From Authenticated Framework 378 -- 379 -- SIGNED{ToBeSigned} ::= SEQUENCE { 380 -- toBeSigned ToBeSigned, 381 -- COMPONENTS OF SIGNATURE{ToBeSigned} 382 -- } 383 -- SIGNATURE{ToBeSigned} ::= SEQUENCE { 384 -- algorithmIdentifier AlgorithmIdentifier, 385 -- encrypted ENCRYPTED-HASH{ToBeSigned} 386 -- } 387 -- ENCRYPTED-HASH{ToBeSigned} ::= 388 -- BIT STRING 389 -- (CONSTRAINED BY { 390 -- shall be the result of applying a hashing procedure to 391 -- the DER-encoded (see 4.1) octets of a value of 392 -- ToBeSigned and then applying an encipherment procedure 393 -- to those octets 394 -- }) 395 -- 396 -- 397 -- 3. A more complex version, but one that automatically ties 398 -- together both the signature algorithm and the 399 -- signature value for automatic decoding. 400 -- 401 SIGNED{ToBeSigned} ::= SEQUENCE { 402 toBeSigned ToBeSigned, 403 algorithmIdentifier SEQUENCE { 404 algorithm SIGNATURE-ALGORITHM. 405 &id({SignatureAlgorithms}), 406 parameters SIGNATURE-ALGORITHM. 407 &Params({SignatureAlgorithms} 408 {@algorithmIdentifier.algorithm}) OPTIONAL 409 }, 410 signature BIT STRING (CONTAINING SIGNATURE-ALGORITHM.&Value( 411 {SignatureAlgorithms} 412 {@algorithmIdentifier.algorithm})) 413 } 414 415 END 416