PKIX1 { }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
--
-- Notes for readers of the definitions below:
--  * IMPLICIT TAGS is the module default, so a tagged component is
--    explicitly tagged only where it says EXPLICIT.
--  * The character-string types (IA5String, PrintableString,
--    UTF8String and the others) are declared further down in this
--    module as IMPLICIT OCTET STRING aliases.  The SIZE bounds written
--    here are therefore the only structural constraint on them;
--    character-set and encoding checks are not expressed in this
--    schema and have to be done by the code that consumes the value.
--  * "shall" rules stated in comments (for instance that two OPTIONAL
--    components appear together) cannot be expressed in this syntax
--    and are likewise left to the consumer.
--  * ANY DEFINED BY leaves the referenced component untyped at this
--    level; its content is interpreted by whatever code dispatches on
--    the identifier it names.

-- ISO arc for standard certificate and CRL extensions

id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}


-- authority key identifier OID and syntax

id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }

AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier [0] KeyIdentifier OPTIONAL,
    authorityCertIssuer [1] GeneralNames OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
    -- authorityCertIssuer and authorityCertSerialNumber shall both
    -- be present or both be absent (not enforced by the schema;
    -- all three components are independently OPTIONAL here)

KeyIdentifier ::= OCTET STRING

-- subject key identifier OID and syntax

id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }

SubjectKeyIdentifier ::= KeyIdentifier

-- key usage extension OID and syntax

id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }

KeyUsage ::= BIT STRING {
    digitalSignature (0),
    nonRepudiation (1),
    keyEncipherment (2),
    dataEncipherment (3),
    keyAgreement (4),
    keyCertSign (5),
    cRLSign (6),
    encipherOnly (7),
    decipherOnly (8) }

-- private key usage period extension OID and syntax

id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }

PrivateKeyUsagePeriod ::= SEQUENCE {
    notBefore [0] GeneralizedTime OPTIONAL,
    notAfter [1] GeneralizedTime OPTIONAL }
    -- either notBefore or notAfter shall be present
    -- (both are OPTIONAL here, so an empty SEQUENCE is accepted
    -- by the schema and must be rejected by the consumer)

-- certificate policies extension OID and syntax

id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }

CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
    policyIdentifier CertPolicyId,
    policyQualifiers SEQUENCE SIZE (1..MAX) OF
        PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

-- The qualifier component is untyped at this level: its content is
-- decoded according to policyQualifierId by the consumer.
PolicyQualifierInfo ::= SEQUENCE {
    policyQualifierId PolicyQualifierId,
    qualifier ANY DEFINED BY policyQualifierId }

-- Implementations that recognize additional policy qualifiers shall
-- augment the following definition for PolicyQualifierId

PolicyQualifierId ::=
    OBJECT IDENTIFIER -- ( id-qt-cps | id-qt-unotice )

-- CPS pointer qualifier

CPSuri ::= IA5String

-- user notice qualifier

UserNotice ::= SEQUENCE {
    noticeRef NoticeReference OPTIONAL,
    explicitText DisplayText OPTIONAL}

NoticeReference ::= SEQUENCE {
    organization DisplayText,
    noticeNumbers SEQUENCE OF INTEGER }

-- Bounded to 200 characters in each alternative; the bound is on the
-- octet count as the types are declared in this module.
DisplayText ::= CHOICE {
    visibleString VisibleString (SIZE (1..200)),
    bmpString BMPString (SIZE (1..200)),
    utf8String UTF8String (SIZE (1..200)) }

-- policy mapping extension OID and syntax

id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }

PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
    issuerDomainPolicy CertPolicyId,
    subjectDomainPolicy CertPolicyId }

-- subject alternative name extension OID and syntax

-- Directory string type --

-- No upper bound on any alternative (SIZE (1..MAX)); the upper-bound
-- constants declared at the end of the X.400 section are not applied
-- here.
DirectoryString ::= CHOICE {
    teletexString TeletexString (SIZE (1..MAX)),
    printableString PrintableString (SIZE (1..MAX)),
    universalString UniversalString (SIZE (1..MAX)),
    utf8String UTF8String (SIZE (1..MAX)),
    bmpString BMPString (SIZE(1..MAX)),
    -- IA5String is added here to handle old UID encoded as ia5String --
    -- See tests/userid/ for more information. It shouldn't be here, --
    -- so if it causes problems, consider dropping it. --
    ia5String IA5String (SIZE(1..MAX)) }

id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- The IA5String alternatives (rfc822Name, dNSName,
-- uniformResourceIdentifier) and iPAddress are unconstrained octet
-- strings at this level; syntax and length checks for each name form
-- belong to the consumer.
GeneralName ::= CHOICE {
    otherName [0] AnotherName,
    rfc822Name [1] IA5String,
    dNSName [2] IA5String,
    x400Address [3] ORAddress,
-- Changed to work with the libtasn1 parser.
    directoryName [4] EXPLICIT RDNSequence, --Name,
    ediPartyName [5] EDIPartyName,
    uniformResourceIdentifier [6] IA5String,
    iPAddress [7] OCTET STRING,
    registeredID [8] OBJECT IDENTIFIER }

-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

AnotherName ::= SEQUENCE {
    type-id OBJECT IDENTIFIER,
    value [0] EXPLICIT ANY DEFINED BY type-id }

EDIPartyName ::= SEQUENCE {
    nameAssigner [0] DirectoryString OPTIONAL,
    partyName [1] DirectoryString }

-- issuer alternative name extension OID and syntax

id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }

IssuerAltName ::= GeneralNames

id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }

SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute

-- basic constraints extension OID and syntax

id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }

BasicConstraints ::= SEQUENCE {
    cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL }

-- name constraints extension OID and syntax

id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }

NameConstraints ::= SEQUENCE {
    permittedSubtrees [0] GeneralSubtrees OPTIONAL,
    excludedSubtrees [1] GeneralSubtrees OPTIONAL }

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
    base GeneralName,
    minimum [0] BaseDistance DEFAULT 0,
    maximum [1] BaseDistance OPTIONAL }

BaseDistance ::= INTEGER (0..MAX)

-- policy constraints extension OID and syntax

id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }

PolicyConstraints ::= SEQUENCE {
    requireExplicitPolicy [0] SkipCerts OPTIONAL,
    inhibitPolicyMapping [1] SkipCerts OPTIONAL }

SkipCerts ::= INTEGER (0..MAX)

-- CRL distribution points extension OID and syntax
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

-- All three components are OPTIONAL, so an empty DistributionPoint
-- is accepted by the schema; the consumer decides what to do with it.
DistributionPoint ::= SEQUENCE {
    distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL,
    reasons [1] ReasonFlags OPTIONAL,
    cRLIssuer [2] GeneralNames OPTIONAL
}

DistributionPointName ::= CHOICE {
    fullName [0] GeneralNames,
    nameRelativeToCRLIssuer [1] RelativeDistinguishedName
}

ReasonFlags ::= BIT STRING {
    unused (0),
    keyCompromise (1),
    cACompromise (2),
    affiliationChanged (3),
    superseded (4),
    cessationOfOperation (5),
    certificateHold (6),
    privilegeWithdrawn (7),
    aACompromise (8) }

-- extended key usage extension OID and syntax

id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

KeyPurposeId ::= OBJECT IDENTIFIER

-- extended key purpose OIDs
-- (id-kp, and id-pe below, are assigned later in this module under
-- "PKIX arcs"; these are forward references)
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 }
id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 }
id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 }
id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }

-- authority info access

id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

AuthorityInfoAccessSyntax ::=
    SEQUENCE SIZE (1..MAX) OF AccessDescription

-- accessLocation is a GeneralName and so inherits the unconstrained
-- IA5String alternatives noted on GeneralName.
AccessDescription ::= SEQUENCE {
    accessMethod OBJECT IDENTIFIER,
    accessLocation GeneralName }

-- CRL number extension OID and syntax

id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

CRLNumber ::= INTEGER (0..MAX)

-- issuing distribution point extension OID and syntax

id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
IssuingDistributionPoint ::= SEQUENCE {
    distributionPoint [0] DistributionPointName OPTIONAL,
    onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
    onlySomeReasons [3] ReasonFlags OPTIONAL,
    indirectCRL [4] BOOLEAN DEFAULT FALSE }


id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

-- deltaCRLIndicator ::= BaseCRLNumber

BaseCRLNumber ::= CRLNumber

-- CRL reasons extension OID and syntax

id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

-- Value 7 is deliberately not assigned in this enumeration.
CRLReason ::= ENUMERATED {
    unspecified (0),
    keyCompromise (1),
    cACompromise (2),
    affiliationChanged (3),
    superseded (4),
    cessationOfOperation (5),
    certificateHold (6),
    removeFromCRL (8) }

-- certificate issuer CRL entry extension OID and syntax

id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

CertificateIssuer ::= GeneralNames

-- hold instruction extension OID and syntax

id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

HoldInstructionCode ::= OBJECT IDENTIFIER

-- ANSI x9 holdinstructions

-- ANSI x9 arc holdinstruction arc
holdInstruction OBJECT IDENTIFIER ::=
    {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}

-- ANSI X9 holdinstructions referenced by this standard
id-holdinstruction-none OBJECT IDENTIFIER ::=
    {holdInstruction 1} -- deprecated
id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
    {holdInstruction 2}
id-holdinstruction-reject OBJECT IDENTIFIER ::=
    {holdInstruction 3}

-- invalidity date CRL entry extension OID and syntax

id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }

InvalidityDate ::= GeneralizedTime


-- --------------------------------------
-- EXPLICIT
-- --------------------------------------

-- UNIVERSAL Types defined in '93 and '98 ASN.1
-- but required by this specification
--
-- Each of these is an OCTET STRING that merely carries the universal
-- tag of the corresponding character-string type.  Nothing in this
-- module constrains the content beyond that tag and whatever SIZE
-- bound a referencing definition adds: well-formed UTF-8, the
-- PrintableString alphabet, absence of NUL bytes and similar
-- properties are not checked here.  Code that converts, compares or
-- displays these values as text has to validate them first.

VisibleString ::= [UNIVERSAL 26] IMPLICIT OCTET STRING

NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING

IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING

TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING

PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING

UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
    -- UniversalString is defined in ASN.1:1993

BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
    -- BMPString is the subtype of UniversalString and models
    -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1

UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
    -- The content of this type conforms to RFC 2279.
    -- (Conformance is a statement about the intended content; the
    -- OCTET STRING declaration above does not verify it.)


-- PKIX specific OIDs

id-pkix OBJECT IDENTIFIER ::=
    { iso(1) identified-organization(3) dod(6) internet(1)
    security(5) mechanisms(5) pkix(7) }

-- PKIX arcs

id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
    -- arc for private certificate extensions
id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
    -- arc for policy qualifier types
id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
    -- arc for extended key purpose OIDS
id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
    -- arc for access descriptors

-- policyQualifierIds for Internet policy qualifiers

id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
    -- OID for CPS qualifier
id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
    -- OID for user notice qualifier

-- access descriptor definitions

id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }

-- attribute data types --

Attribute ::= SEQUENCE {
    type AttributeType,
    values SET OF AttributeValue
    -- at least one value is required --
    -- (SET OF carries no SIZE bound here, so an empty set passes
    -- the schema; the consumer has to reject it)
}

AttributeType ::= OBJECT IDENTIFIER

-- Untyped at this level; decoded according to the attribute type
-- OID by the consumer.
AttributeValue ::= ANY DEFINED BY type

AttributeTypeAndValue ::= SEQUENCE {
    type AttributeType,
    value AttributeValue }

-- suggested naming attributes: Definition of the following
-- information object set may be augmented to meet local
-- requirements. Note that deleting members of the set may
-- prevent interoperability with conforming implementations.
-- presented in pairs: the AttributeType followed by the
-- type definition for the corresponding AttributeValue

-- Arc for standard naming attributes
id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}

-- Attributes of type NameDirectoryString
-- Every DirectoryString-typed attribute below is unbounded; the
-- ub-* constants declared later in this module are not applied to
-- them.
id-at-initials AttributeType ::= { id-at 43 }
X520initials ::= DirectoryString

id-at-generationQualifier AttributeType ::= { id-at 44 }
X520generationQualifier ::= DirectoryString

id-at-surname AttributeType ::= { id-at 4 }
X520surName ::= DirectoryString

id-at-givenName AttributeType ::= { id-at 42 }
X520givenName ::= DirectoryString

-- NOTE(review): id-at-name and X520name are assigned a second time
-- further down (with the same values).  A strict ASN.1 compiler
-- rejects duplicate assignments; which definition the parser in use
-- picks is not visible from this module.
id-at-name AttributeType ::= { id-at 41 }
X520name ::= DirectoryString

id-at-commonName AttributeType ::= {id-at 3}
X520CommonName ::= DirectoryString

id-at-localityName AttributeType ::= {id-at 7}
X520LocalityName ::= DirectoryString

id-at-stateOrProvinceName AttributeType ::= {id-at 8}
X520StateOrProvinceName ::= DirectoryString

id-at-organizationName AttributeType ::= {id-at 10}
X520OrganizationName ::= DirectoryString

id-at-organizationalUnitName AttributeType ::= {id-at 11}
X520OrganizationalUnitName ::= DirectoryString

id-at-title AttributeType ::= {id-at 12}
X520Title ::= DirectoryString

id-at-description AttributeType ::= {id-at 13}
X520Description ::= DirectoryString

id-at-dnQualifier AttributeType ::= {id-at 46}
X520dnQualifier ::= PrintableString

id-at-countryName AttributeType ::= {id-at 6}
X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes

id-at-serialNumber AttributeType ::= {id-at 5}
X520serialNumber ::= PrintableString

id-at-telephoneNumber AttributeType ::= {id-at 20}
X520telephoneNumber ::= PrintableString

id-at-facsimileTelephoneNumber AttributeType ::= {id-at 23}
X520facsimileTelephoneNumber ::= PrintableString

id-at-pseudonym AttributeType ::= {id-at 65}
X520pseudonym ::= DirectoryString

-- Duplicate of the id-at-name / X520name pair above (see the note
-- there).
id-at-name AttributeType ::= {id-at 41}
X520name ::= DirectoryString

id-at-streetAddress AttributeType ::= {id-at 9}
X520streetAddress ::= DirectoryString

id-at-postalAddress AttributeType ::= {id-at 16}
X520postalAddress ::= PostalAddress

PostalAddress ::= SEQUENCE OF DirectoryString



    -- Legacy attributes

pkcs OBJECT IDENTIFIER ::=
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) }

pkcs-9 OBJECT IDENTIFIER ::=
    { pkcs 9 }


emailAddress AttributeType ::= { pkcs-9 1 }

Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))

-- naming data types --

Name ::= CHOICE { -- only one possibility for now --
    rdnSequence RDNSequence }

-- No SIZE bound, so an empty (zero-RDN) name is accepted here.
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

DistinguishedName ::= RDNSequence

RelativeDistinguishedName ::=
    SET SIZE (1 .. MAX) OF AttributeTypeAndValue



-- --------------------------------------------------------
-- certificate and CRL specific structures begin here
-- --------------------------------------------------------

-- Outer certificate structure: the signature covers the DER of
-- tbsCertificate; signatureAlgorithm is expected to match
-- TBSCertificate.signature, but that equality is not expressible
-- here and must be checked by the verifier.
Certificate ::= SEQUENCE {
    tbsCertificate TBSCertificate,
    signatureAlgorithm AlgorithmIdentifier,
    signature BIT STRING }

-- The "version shall be" rules in the comments below are not
-- enforced by the schema; the consumer checks them.
TBSCertificate ::= SEQUENCE {
    version [0] EXPLICIT Version DEFAULT v1,
    serialNumber CertificateSerialNumber,
    signature AlgorithmIdentifier,
    issuer Name,
    validity Validity,
    subject Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
    -- If present, version shall be v2 or v3
    subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
    -- If present, version shall be v2 or v3
    extensions [3] EXPLICIT Extensions OPTIONAL
    -- If present, version shall be v3 --
}

Version ::= INTEGER { v1(0), v2(1), v3(2) }

-- Unbounded INTEGER: sign and length limits on serial numbers are a
-- consumer-side policy, not a schema constraint.
CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {
    notBefore Time,
    notAfter Time }

Time ::= CHOICE {
    utcTime UTCTime,
    generalTime GeneralizedTime }

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm AlgorithmIdentifier,
    subjectPublicKey BIT STRING }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

-- extnValue holds the encoded extension as opaque octets; it is
-- decoded against the type selected by extnID by the consumer.
-- critical is only a flag here; how an unrecognised critical
-- extension is treated is decided by the consuming code.
Extension ::= SEQUENCE {
    extnID OBJECT IDENTIFIER,
    critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }


-- ------------------------------------------
-- CRL structures
-- ------------------------------------------

CertificateList ::= SEQUENCE {
    tbsCertList TBSCertList,
    signatureAlgorithm AlgorithmIdentifier,
    signature BIT STRING }

TBSCertList ::= SEQUENCE {
    version Version OPTIONAL,
    -- if present, shall be v2
    signature AlgorithmIdentifier,
    issuer Name,
    thisUpdate Time,
    nextUpdate Time OPTIONAL,
    revokedCertificates SEQUENCE OF SEQUENCE {
        userCertificate CertificateSerialNumber,
        revocationDate Time,
        crlEntryExtensions Extensions OPTIONAL
        -- if present, shall be v2
    } OPTIONAL,
    crlExtensions [0] EXPLICIT Extensions OPTIONAL
    -- if present, shall be v2 --
}

-- Version, Time, CertificateSerialNumber, and Extensions were
-- defined earlier for use in the certificate structure

-- parameters is untyped here (ANY DEFINED BY) and OPTIONAL; whether
-- absent, NULL or structured parameters are acceptable for a given
-- algorithm OID is decided by the consumer.
AlgorithmIdentifier ::= SEQUENCE {
    algorithm OBJECT IDENTIFIER,
    parameters ANY DEFINED BY algorithm OPTIONAL }
    -- contains a value of the type
    -- registered for use with the
    -- algorithm object identifier value

-- Algorithm OIDs and parameter structures
-- Declaring an OID here only gives it a name; whether a signature
-- or digest algorithm is accepted (the MD2 and MD5 variants in
-- particular) is a policy decision made outside this schema.

pkcs-1 OBJECT IDENTIFIER ::= {
    pkcs 1 }

rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }

md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }

md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }

sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }

id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }

Dss-Sig-Value ::= SEQUENCE {
    r INTEGER,
    s INTEGER
}

dhpublicnumber OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

-- The arithmetic relations in the comments (p prime, q dividing p-1,
-- j >= 2) are documentation only; they are not checked at decode
-- time.
DomainParameters ::= SEQUENCE {
    p INTEGER, -- odd prime, p=jq +1
    g INTEGER, -- generator, g
    q INTEGER, -- factor of p-1
    j INTEGER OPTIONAL, -- subgroup factor, j>= 2
    validationParms ValidationParms OPTIONAL }

ValidationParms ::= SEQUENCE {
    seed BIT STRING,
    pgenCounter INTEGER }

id-dsa OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

Dss-Parms ::= SEQUENCE {
    p INTEGER,
    q INTEGER,
    g INTEGER }

-- x400 address syntax starts here
-- OR Names

ORAddress ::= SEQUENCE {
    built-in-standard-attributes BuiltInStandardAttributes,
    built-in-domain-defined-attributes
        BuiltInDomainDefinedAttributes OPTIONAL,
    -- see also teletex-domain-defined-attributes
    extension-attributes ExtensionAttributes OPTIONAL }
-- The OR-address is semantically absent from the OR-name if the
-- built-in-standard-attribute sequence is empty and the
-- built-in-domain-defined-attributes and extension-attributes are
-- both omitted.

-- Built-in Standard Attributes

BuiltInStandardAttributes ::= SEQUENCE {
    country-name CountryName OPTIONAL,
    administration-domain-name AdministrationDomainName OPTIONAL,
    network-address [0] EXPLICIT NetworkAddress OPTIONAL,
    -- see also extended-network-address
    terminal-identifier [1] EXPLICIT TerminalIdentifier OPTIONAL,
    private-domain-name [2] EXPLICIT PrivateDomainName OPTIONAL,
    organization-name [3] EXPLICIT OrganizationName OPTIONAL,
    -- see also teletex-organization-name
    numeric-user-identifier [4] EXPLICIT NumericUserIdentifier OPTIONAL,
    personal-name [5] EXPLICIT PersonalName OPTIONAL,
    -- see also teletex-personal-name
    organizational-unit-names [6] EXPLICIT OrganizationalUnitNames OPTIONAL
    -- see also teletex-organizational-unit-names --
}

-- The ub-* bounds used from here on are assigned in the
-- "Upper Bounds" list after the X.400 definitions.
CountryName ::= [APPLICATION 1] CHOICE {
    x121-dcc-code NumericString
        (SIZE (ub-country-name-numeric-length)),
    iso-3166-alpha2-code PrintableString
        (SIZE (ub-country-name-alpha-length)) }

AdministrationDomainName ::= [APPLICATION 2] EXPLICIT CHOICE {
    numeric NumericString (SIZE (0..ub-domain-name-length)),
    printable PrintableString (SIZE (0..ub-domain-name-length)) }

NetworkAddress ::= X121Address -- see also extended-network-address

X121Address ::= NumericString (SIZE (1..ub-x121-address-length))

TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))

PrivateDomainName ::= CHOICE {
    numeric NumericString (SIZE (1..ub-domain-name-length)),
    printable PrintableString (SIZE (1..ub-domain-name-length)) }
OrganizationName ::= PrintableString
    (SIZE (1..ub-organization-name-length))
-- see also teletex-organization-name

NumericUserIdentifier ::= NumericString
    (SIZE (1..ub-numeric-user-id-length))

PersonalName ::= SET {
    surname [0] PrintableString (SIZE (1..ub-surname-length)),
    given-name [1] PrintableString
        (SIZE (1..ub-given-name-length)) OPTIONAL,
    initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
    generation-qualifier [3] PrintableString
        (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
-- see also teletex-personal-name

OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
    OF OrganizationalUnitName
-- see also teletex-organizational-unit-names

OrganizationalUnitName ::= PrintableString (SIZE
    (1..ub-organizational-unit-name-length))

-- Built-in Domain-defined Attributes

BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
    (1..ub-domain-defined-attributes) OF
    BuiltInDomainDefinedAttribute

BuiltInDomainDefinedAttribute ::= SEQUENCE {
    type PrintableString (SIZE
        (1..ub-domain-defined-attribute-type-length)),
    value PrintableString (SIZE
        (1..ub-domain-defined-attribute-value-length))}

-- Extension Attributes

ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
    ExtensionAttribute

-- extension-attribute-type selects one of the INTEGER-valued
-- constants listed below; the value is untyped at this level and is
-- decoded against the matching type by the consumer.
ExtensionAttribute ::= SEQUENCE {
    extension-attribute-type [0] EXPLICIT INTEGER (0..ub-extension-attributes),
    extension-attribute-value [1] EXPLICIT
        ANY DEFINED BY extension-attribute-type }

-- Extension types and attribute values
-- (each integer constant names the extension-attribute-type that
-- selects the type defined right after it)
--

common-name INTEGER ::= 1

CommonName ::= PrintableString (SIZE (1..ub-common-name-length))

teletex-common-name INTEGER ::= 2

TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))

teletex-organization-name INTEGER ::= 3

TeletexOrganizationName ::=
    TeletexString (SIZE (1..ub-organization-name-length))

teletex-personal-name INTEGER ::= 4

TeletexPersonalName ::= SET {
    surname [0] EXPLICIT TeletexString (SIZE (1..ub-surname-length)),
    given-name [1] EXPLICIT TeletexString
        (SIZE (1..ub-given-name-length)) OPTIONAL,
    initials [2] EXPLICIT TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
    generation-qualifier [3] EXPLICIT TeletexString (SIZE
        (1..ub-generation-qualifier-length)) OPTIONAL }

teletex-organizational-unit-names INTEGER ::= 5

TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
    (1..ub-organizational-units) OF TeletexOrganizationalUnitName

TeletexOrganizationalUnitName ::= TeletexString
    (SIZE (1..ub-organizational-unit-name-length))

-- (6, teletex-domain-defined-attributes, is declared after the
-- postal attributes below)
pds-name INTEGER ::= 7

PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))

physical-delivery-country-name INTEGER ::= 8

PhysicalDeliveryCountryName ::= CHOICE {
    x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
    iso-3166-alpha2-code PrintableString
        (SIZE (ub-country-name-alpha-length)) }

postal-code INTEGER ::= 9

PostalCode ::= CHOICE {
    numeric-code NumericString (SIZE (1..ub-postal-code-length)),
    printable-code PrintableString (SIZE (1..ub-postal-code-length)) }

physical-delivery-office-name INTEGER ::= 10

PhysicalDeliveryOfficeName ::= PDSParameter

physical-delivery-office-number INTEGER ::= 11

PhysicalDeliveryOfficeNumber ::= PDSParameter

extension-OR-address-components INTEGER ::= 12

ExtensionORAddressComponents ::= PDSParameter

physical-delivery-personal-name INTEGER ::= 13

PhysicalDeliveryPersonalName ::= PDSParameter

physical-delivery-organization-name INTEGER ::= 14

PhysicalDeliveryOrganizationName ::= PDSParameter

extension-physical-delivery-address-components INTEGER ::= 15

ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
unformatted-postal-address INTEGER ::= 16

UnformattedPostalAddress ::= SET {
    printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
        PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
    teletex-string TeletexString
        (SIZE (1..ub-unformatted-address-length)) OPTIONAL }

street-address INTEGER ::= 17

StreetAddress ::= PDSParameter

post-office-box-address INTEGER ::= 18

PostOfficeBoxAddress ::= PDSParameter

poste-restante-address INTEGER ::= 19

PosteRestanteAddress ::= PDSParameter

unique-postal-name INTEGER ::= 20

UniquePostalName ::= PDSParameter

local-postal-attributes INTEGER ::= 21

LocalPostalAttributes ::= PDSParameter

-- Shared value type for the postal attributes above.  Both members
-- are OPTIONAL, so an empty SET is accepted by the schema.
PDSParameter ::= SET {
    printable-string PrintableString
        (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
    teletex-string TeletexString
        (SIZE(1..ub-pds-parameter-length)) OPTIONAL }

extended-network-address INTEGER ::= 22

ExtendedNetworkAddress ::= CHOICE {
    e163-4-address SEQUENCE {
        number [0] EXPLICIT NumericString (SIZE (1..ub-e163-4-number-length)),
        sub-address [1] EXPLICIT NumericString
            (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
    psap-address [0] EXPLICIT PresentationAddress }

-- The selector components are unbounded OCTET STRINGs; only the
-- nAddresses set has a (lower) SIZE bound.
PresentationAddress ::= SEQUENCE {
    pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
    sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
    tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
    nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }

terminal-type INTEGER ::= 23

-- The range in the trailing comment is documentation only; the type
-- as written is an unconstrained INTEGER with named values.
TerminalType ::= INTEGER {
    telex (3),
    teletex (4),
    g3-facsimile (5),
    g4-facsimile (6),
    ia5-terminal (7),
    videotex (8) } -- (0..ub-integer-options)

-- Extension Domain-defined Attributes

teletex-domain-defined-attributes INTEGER ::= 6

TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
    (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
TeletexDomainDefinedAttribute ::= SEQUENCE {
    type TeletexString
        (SIZE (1..ub-domain-defined-attribute-type-length)),
    value TeletexString
        (SIZE (1..ub-domain-defined-attribute-value-length)) }

-- specifications of Upper Bounds shall be regarded as mandatory
-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
-- Upper Bounds

-- Upper Bounds
-- A bound only takes effect where a definition references it in a
-- SIZE constraint.  In the visible part of this module the first
-- group (ub-name through ub-match) is not referenced by any SIZE
-- constraint; the X520 naming attributes are unbounded
-- DirectoryString.
ub-name INTEGER ::= 32768
ub-common-name INTEGER ::= 64
ub-locality-name INTEGER ::= 128
ub-state-name INTEGER ::= 128
ub-organization-name INTEGER ::= 64
ub-organizational-unit-name INTEGER ::= 64
ub-title INTEGER ::= 64
ub-match INTEGER ::= 128

ub-emailaddress-length INTEGER ::= 128

ub-common-name-length INTEGER ::= 64
ub-country-name-alpha-length INTEGER ::= 2
ub-country-name-numeric-length INTEGER ::= 3
ub-domain-defined-attributes INTEGER ::= 4
ub-domain-defined-attribute-type-length INTEGER ::= 8
ub-domain-defined-attribute-value-length INTEGER ::= 128
ub-domain-name-length INTEGER ::= 16
ub-extension-attributes INTEGER ::= 256
ub-e163-4-number-length INTEGER ::= 15
ub-e163-4-sub-address-length INTEGER ::= 40
ub-generation-qualifier-length INTEGER ::= 3
ub-given-name-length INTEGER ::= 16
ub-initials-length INTEGER ::= 5
ub-integer-options INTEGER ::= 256
ub-numeric-user-id-length INTEGER ::= 32
ub-organization-name-length INTEGER ::= 64
ub-organizational-unit-name-length INTEGER ::= 32
ub-organizational-units INTEGER ::= 4
ub-pds-name-length INTEGER ::= 16
ub-pds-parameter-length INTEGER ::= 30
ub-pds-physical-address-lines INTEGER ::= 6
ub-postal-code-length INTEGER ::= 16
ub-surname-length INTEGER ::= 40
ub-terminal-id-length INTEGER ::= 24
ub-unformatted-address-length INTEGER ::= 180
ub-x121-address-length INTEGER ::= 16

-- Note - upper bounds on string types, such as TeletexString, are
-- measured in characters. Excepting PrintableString or IA5String, a
-- significantly greater number of octets will be required to hold
-- such a value. As a minimum, 16 octets, or twice the specified upper
-- bound, whichever is the larger, should be allowed for TeletexString.
-- For UTF8String or UniversalString at least four times the upper
-- bound should be allowed.
-- (Since the string types in this module are OCTET STRING aliases,
-- the SIZE constraints above are applied to octets, not characters.)



-- END of PKIX1Implicit88


-- BEGIN of RFC2630

-- Cryptographic Message Syntax

pkcs-7-ContentInfo ::= SEQUENCE {
    contentType pkcs-7-ContentType,
    content [0] EXPLICIT ANY DEFINED BY contentType }

pkcs-7-DigestInfo ::= SEQUENCE {
    digestAlgorithm pkcs-7-DigestAlgorithmIdentifier,
    digest pkcs-7-Digest
}

pkcs-7-Digest ::= OCTET STRING

pkcs-7-ContentType ::= OBJECT IDENTIFIER

-- Reduced SignedData: certificates, crls and signerInfos are kept as
-- opaque values (see the notes on each type).  This is enough to
-- extract the embedded objects; it does not describe signer
-- information well enough to verify signatures over the content.
pkcs-7-SignedData ::= SEQUENCE {
    version pkcs-7-CMSVersion,
    digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
    encapContentInfo pkcs-7-EncapsulatedContentInfo,
    certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
    crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
    signerInfos pkcs-7-SignerInfos
}

pkcs-7-CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }

pkcs-7-DigestAlgorithmIdentifiers ::= SET OF pkcs-7-DigestAlgorithmIdentifier

pkcs-7-DigestAlgorithmIdentifier ::= AlgorithmIdentifier

pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
    eContentType pkcs-7-ContentType,
    eContent [0] EXPLICIT OCTET STRING OPTIONAL }

-- We don't use CertificateList here since we only want
-- to read the raw data.
-- (SET OF ANY: each element is stored unparsed; it is validated only
-- when the consumer decodes it as a CRL.)
pkcs-7-CertificateRevocationLists ::= SET OF ANY

pkcs-7-CertificateChoices ::= CHOICE {
-- Although the paper uses Certificate type, we
-- don't use it since, we don't need to parse it.
-- We only need to read and store it.
    certificate ANY
}

pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices

pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it
    -- anyway


-- BEGIN of RFC2986

-- Certificate requests
pkcs-10-CertificationRequestInfo ::= SEQUENCE {
    version INTEGER { v1(0) },
    subject Name,
    subjectPKInfo SubjectPublicKeyInfo,
    attributes [0] Attributes
}

Attributes ::= SET OF Attribute

pkcs-10-CertificationRequest ::= SEQUENCE {
    certificationRequestInfo pkcs-10-CertificationRequestInfo,
    signatureAlgorithm AlgorithmIdentifier,
    signature BIT STRING
}

-- stuff from PKCS#9

pkcs-9-ub-challengePassword INTEGER ::= 255

pkcs-9-certTypes OBJECT IDENTIFIER ::= {pkcs-9 22}
pkcs-9-crlTypes OBJECT IDENTIFIER ::= {pkcs-9 23}

pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {pkcs-9 7}

pkcs-9-challengePassword ::= CHOICE {
    printableString PrintableString (SIZE (1..pkcs-9-ub-challengePassword)),
    utf8String UTF8String (SIZE (1..pkcs-9-ub-challengePassword)) }

pkcs-9-at-localKeyId OBJECT IDENTIFIER ::= {pkcs-9 21}

pkcs-9-localKeyId ::= OCTET STRING

pkcs-9-at-friendlyName OBJECT IDENTIFIER ::= {pkcs-9 20}

pkcs-9-friendlyName ::= BMPString (SIZE (1..255))

-- PKCS #8 stuff

-- Private-key information syntax

-- attributes uses the Attributes type from the RFC2986 section above;
-- pkcs-8-Attributes below is declared but not referenced here.
pkcs-8-PrivateKeyInfo ::= SEQUENCE {
    version pkcs-8-Version,
    privateKeyAlgorithm AlgorithmIdentifier,
    privateKey pkcs-8-PrivateKey,
    attributes [0] Attributes OPTIONAL }

pkcs-8-Version ::= INTEGER {v1(0)}

pkcs-8-PrivateKey ::= OCTET STRING

pkcs-8-Attributes ::= SET OF Attribute

-- Encrypted private-key information syntax

-- encryptionAlgorithm carries the PBE or PBES2 parameters (see the
-- PKCS #5 section); which algorithms are acceptable for unwrapping
-- is decided by the consumer.
pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
    encryptionAlgorithm AlgorithmIdentifier,
    encryptedData pkcs-8-EncryptedData
}

pkcs-8-EncryptedData ::= OCTET STRING
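-- PKCS #5 stuff

pkcs-5 OBJECT IDENTIFIER ::=
    { pkcs 5 }

pkcs-5-encryptionAlgorithm OBJECT IDENTIFIER ::=
    { iso(1) member-body(2) us(840) rsadsi(113549) 3 }

pkcs-5-des-EDE3-CBC OBJECT IDENTIFIER ::= {pkcs-5-encryptionAlgorithm 7}

-- Cipher parameters are the 8-octet IV for the 64-bit block ciphers.
pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))

pkcs-5-des-CBC-params ::= OCTET STRING (SIZE(8))

pkcs-5-rc2-CBC-params ::= SEQUENCE {
    rc2ParameterVersion INTEGER OPTIONAL,
    iv OCTET STRING (SIZE(8))
}

-- Legacy PBES1 / PBKDF1 parameters (fixed 8-octet salt).
pkcs-5-PBE-params ::= SEQUENCE {
    salt OCTET STRING (SIZE(8)),
    iterationCount INTEGER
}

pkcs-5-id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}

-- PBES2 = a key derivation function (normally PBKDF2) plus a cipher.
pkcs-5-PBES2-params ::= SEQUENCE {
    keyDerivationFunc AlgorithmIdentifier,
    encryptionScheme AlgorithmIdentifier }

-- PBKDF2

pkcs-5-id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}

-- pkcs-5-id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) 2 7}

-- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
-- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}

-- When prf is absent the PRF is hmacWithSHA1 (the commented default above).
-- keyLength is only needed when the encryption scheme does not fix it.
pkcs-5-PBKDF2-params ::= SEQUENCE {
    salt CHOICE {
        specified OCTET STRING,
        otherSource AlgorithmIdentifier
    },
    iterationCount INTEGER (1..MAX),
    keyLength INTEGER (1..MAX) OPTIONAL,
    prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
}

-- PKCS #12 stuff

pkcs-12 OBJECT IDENTIFIER ::= {pkcs 12}

-- Outer container. authSafe wraps the AuthenticatedSafe; macData carries the
-- password-based integrity MAC over it and is absent in public-key
-- integrity mode.
pkcs-12-PFX ::= SEQUENCE {
    version INTEGER {v3(3)},
    authSafe pkcs-7-ContentInfo,
    macData pkcs-12-MacData OPTIONAL
}

-- Parameters of the PKCS #12 password-based encryption schemes
-- (variable-length salt, unlike pkcs-5-PBE-params).
pkcs-12-PbeParams ::= SEQUENCE {
    salt OCTET STRING,
    iterations INTEGER
}

pkcs-12-MacData ::= SEQUENCE {
    mac pkcs-7-DigestInfo,
    macSalt OCTET STRING,
    iterations INTEGER DEFAULT 1
-- Note: The default is for historical reasons and its use is
-- deprecated. A higher value, like 1024 is recommended.
}

pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
    -- Data if unencrypted
    -- EncryptedData if password-encrypted
    -- EnvelopedData if public key-encrypted

pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag

-- bagValue is interpreted according to bagId (one of the bag type OIDs
-- below). The DEFINED BY reference previously read "badId", which names no
-- component of this SEQUENCE.
pkcs-12-SafeBag ::= SEQUENCE {
    bagId OBJECT IDENTIFIER,
    bagValue [0] EXPLICIT ANY DEFINED BY bagId,
    bagAttributes SET OF pkcs-12-PKCS12Attribute OPTIONAL
}

-- Bag types


pkcs-12-bagtypes OBJECT IDENTIFIER ::= {pkcs-12 10 1}

pkcs-12-keyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 1}
pkcs-12-pkcs8ShroudedKeyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 2}
pkcs-12-certBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 3}
pkcs-12-crlBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 4}

-- keyBag holds an unencrypted PKCS #8 private key.
pkcs-12-KeyBag ::= pkcs-8-PrivateKeyInfo

-- Shrouded KeyBag

-- pkcs8ShroudedKeyBag holds a PKCS #8 EncryptedPrivateKeyInfo.
pkcs-12-PKCS8ShroudedKeyBag ::= pkcs-8-EncryptedPrivateKeyInfo

-- CertBag

pkcs-12-CertBag ::= SEQUENCE {
    certId OBJECT IDENTIFIER,
    certValue [0] EXPLICIT ANY DEFINED BY certId
}

-- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
-- DER-encoded X.509 certificate stored in OCTET STRING

pkcs-12-CRLBag ::= SEQUENCE {
    crlId OBJECT IDENTIFIER,
    crlValue [0] EXPLICIT ANY DEFINED BY crlId
}

-- x509CRL BAG-TYPE ::=
-- {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
-- DER-encoded X.509 CRL stored in OCTET STRING

pkcs-12-PKCS12Attribute ::= Attribute

-- PKCS #7 stuff (needed in PKCS 12)

pkcs-7-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

pkcs-7-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

pkcs-7-Data ::= OCTET STRING

-- EncryptedData content type: no recipient info, the key is supplied out
-- of band (in PKCS #12, derived from the password).
pkcs-7-EncryptedData ::= SEQUENCE {
    version pkcs-7-CMSVersion,
    encryptedContentInfo pkcs-7-EncryptedContentInfo,
    unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }

pkcs-7-EncryptedContentInfo ::= SEQUENCE {
    contentType pkcs-7-ContentType,
    contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
    encryptedContent [0] IMPLICIT pkcs-7-EncryptedContent OPTIONAL }

pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

pkcs-7-EncryptedContent ::= OCTET STRING

pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute

-- LDAP stuff

-- Attribute types from the pilot attribute arc (RFC 4519), used in DNs.
id-at-domainComponent AttributeType ::= { 0 9 2342 19200300 100 1 25 }

domainComponent ::= IA5String

id-at-userId AttributeType ::= { 0 9 2342 19200300 100 1 1 }

userId ::= DirectoryString

-- rfc3039

-- Personal data attributes for qualified certificates (RFC 3039, later
-- revised by RFC 3739 under the same arc).
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }

id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
DateOfBirth ::= GeneralizedTime

id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
PlaceOfBirth ::= DirectoryString

id-pda-gender AttributeType ::= { id-pda 3 }
Gender ::= PrintableString (SIZE(1))
    -- "M", "F", "m" or "f"

id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
CountryOfCitizenship ::= PrintableString (SIZE (2))
    -- ISO 3166 Country Code

id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
CountryOfResidence ::= PrintableString (SIZE (2))
    -- ISO 3166 Country Code

END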