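PKIX1 { }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
-- It also carries the RFC2986, PKCS #5, PKCS #8, PKCS #9, PKCS #12,
-- rfc3820, certificate policy, rfc2560 (OCSP), rfc5280 name constraint
-- and rfc7633 definitions that follow further down.
--
-- NOTE(review): several fields below are deliberately relaxed to ANY
-- or OCTET STRING (to fit the libtasn1 parser, to save memory, or to
-- keep raw bytes). The decoder therefore applies no structural checks
-- to them. Any code that consumes those fields must treat the bytes
-- as untrusted input and validate them itself.

-- ISO arc for standard certificate and CRL extensions

-- authority key identifier OID and syntax

PrivateKeyUsagePeriod ::= SEQUENCE {
    notBefore       [0]     GeneralizedTime OPTIONAL,
    notAfter        [1]     GeneralizedTime OPTIONAL }

AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier             [0] OCTET STRING            OPTIONAL, --KeyIdentifier
    authorityCertIssuer       [1] GeneralNames            OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
    -- authorityCertIssuer and authorityCertSerialNumber shall both
    -- be present or both be absent
    -- NOTE(review): this pairing rule is not expressible in the syntax
    -- above, so it has to be checked by the caller after decoding.

-- subject key identifier OID and syntax

SubjectKeyIdentifier ::= OCTET STRING

-- key usage extension OID and syntax

KeyUsage ::= BIT STRING

-- Directory string type --

DirectoryString ::= CHOICE {
    teletexString           TeletexString (SIZE (1..MAX)),
    printableString         PrintableString (SIZE (1..MAX)),
    universalString         UniversalString (SIZE (1..MAX)),
    utf8String              UTF8String (SIZE (1..MAX)),
    bmpString               BMPString (SIZE(1..MAX)),
    -- IA5String is added here to handle old UID encoded as ia5String --
    -- See tests/userid/ for more information.  It shouldn't be here, --
    -- so if it causes problems, consider dropping it. --
    ia5String               IA5String (SIZE(1..MAX)) }

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- NOTE(review): rfc822Name, dNSName and uniformResourceIdentifier are
-- plain IA5String with no content constraint in this module. Before a
-- name from here is compared against a host name or e-mail address,
-- the caller must reject embedded NUL octets and other characters
-- that are not valid for that name form. x400Address and ediPartyName
-- are ANY and are not parsed at all.
GeneralName ::= CHOICE {
    otherName                       [0]     AnotherName,
    rfc822Name                      [1]     IA5String,
    dNSName                         [2]     IA5String,
    x400Address                     [3]     ANY,
-- Changed to work with the libtasn1 parser.
    directoryName                   [4]     EXPLICIT SEQUENCE OF RelativeDistinguishedName, --Name,
    ediPartyName                    [5]     ANY, --EDIPartyName replaced by ANY to save memory
    uniformResourceIdentifier       [6]     IA5String,
    iPAddress                       [7]     OCTET STRING,
    registeredID                    [8]     OBJECT IDENTIFIER }

-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

AnotherName ::= SEQUENCE {
    type-id    OBJECT IDENTIFIER,
    value      [0] EXPLICIT ANY DEFINED BY type-id }

-- issuer alternative name extension OID and syntax

IssuerAltName ::= GeneralNames

-- basic constraints extension OID and syntax

BasicConstraints ::= SEQUENCE {
    cA                      BOOLEAN DEFAULT FALSE,
    pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

-- CRL distribution points extension OID and syntax

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
    distributionPoint       [0]     EXPLICIT DistributionPointName OPTIONAL,
    reasons                 [1]     ReasonFlags OPTIONAL,
    cRLIssuer               [2]     GeneralNames OPTIONAL
}

DistributionPointName ::= CHOICE {
    fullName                [0]     GeneralNames,
    nameRelativeToCRLIssuer [1]     RelativeDistinguishedName
}

ReasonFlags ::= BIT STRING

-- extended key usage extension OID and syntax

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER --ExtKeyUsageSyntax

-- authority info access

AuthorityInfoAccessSyntax  ::=
    SEQUENCE SIZE (1..MAX) OF AccessDescription

AccessDescription  ::=  SEQUENCE {
    accessMethod          OBJECT IDENTIFIER,
    accessLocation        GeneralName  }

-- CRL number extension OID and syntax

-- CRLNumber ::= INTEGER (0..MAX)

-- certificate issuer CRL entry extension OID and syntax

-- CertificateIssuer ::= GeneralNames

-- --------------------------------------
--  EXPLICIT
-- --------------------------------------

-- attribute data types --

Attribute ::= SEQUENCE {
    type            OBJECT IDENTIFIER, -- AttributeType
    values  SET OF ANY -- AttributeValue
            -- at least one value is required --
}

-- AttributeType ::= OBJECT IDENTIFIER

-- AttributeValue ::= ANY DEFINED BY type

AttributeTypeAndValue ::= SEQUENCE {
    type    OBJECT IDENTIFIER, -- AttributeType
    value   ANY }              -- AttributeValue

Name ::= CHOICE { -- only one possibility for now --
    rdnSequence  SEQUENCE OF RelativeDistinguishedName }

DistinguishedName ::= SEQUENCE OF RelativeDistinguishedName -- RDNSequence

RelativeDistinguishedName ::=
    SET SIZE (1 .. MAX) OF AttributeTypeAndValue


-- --------------------------------------------------------
-- certificate and CRL specific structures begin here
-- --------------------------------------------------------

Certificate ::= SEQUENCE {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING }

-- NOTE(review): the inner signature field and the outer
-- Certificate.signatureAlgorithm are two independent values in this
-- syntax. RFC 5280 requires them to be equal, so a verifier has to
-- compare them explicitly. Only tbsCertificate is covered by the
-- signature.
TBSCertificate ::= SEQUENCE {
    version         [0]  EXPLICIT INTEGER DEFAULT 0,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version shall be v2 or v3
    subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version shall be v2 or v3
    extensions      [3]  EXPLICIT Extensions OPTIONAL
                         -- If present, version shall be v3 --
}

CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {
    notBefore      Time,
    notAfter       Time }

Time ::= CHOICE {
    utcTime        UTCTime,
    generalTime    GeneralizedTime }

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm            AlgorithmIdentifier,
    subjectPublicKey     BIT STRING }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

-- NOTE(review): extnValue is an opaque OCTET STRING at this level and
-- is decoded separately according to extnID. Per RFC 5280 a verifier
-- must reject a certificate that carries an extension marked critical
-- which it does not recognise. That rule lives in the caller, not in
-- this syntax.
Extension ::= SEQUENCE {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING }


-- ------------------------------------------
-- CRL structures
-- ------------------------------------------

CertificateList ::= SEQUENCE {
    tbsCertList          TBSCertList,
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING }

TBSCertList ::= SEQUENCE {
    version                 INTEGER OPTIONAL,
                                 -- if present, shall be v2
    signature               AlgorithmIdentifier,
    issuer                  Name,
    thisUpdate              Time,
    nextUpdate              Time OPTIONAL,
    revokedCertificates     SEQUENCE OF SEQUENCE {
        userCertificate         CertificateSerialNumber,
        revocationDate          Time,
        crlEntryExtensions      Extensions OPTIONAL
                                       -- if present, shall be v2
                            } OPTIONAL,
    crlExtensions           [0] EXPLICIT Extensions OPTIONAL
                                       -- if present, shall be v2 --
}

-- Version, Time, CertificateSerialNumber, and Extensions were
-- defined earlier for use in the certificate structure

AlgorithmIdentifier ::= SEQUENCE {
    algorithm               OBJECT IDENTIFIER,
    parameters              ANY DEFINED BY algorithm OPTIONAL }
                            -- contains a value of the type
                            -- registered for use with the
                            -- algorithm object identifier value

-- Algorithm OIDs and parameter structures

Dss-Sig-Value ::= SEQUENCE {
    r       INTEGER,
    s       INTEGER
}

Dss-Parms ::= SEQUENCE {
    p       INTEGER,
    q       INTEGER,
    g       INTEGER }

-- Extension types and attribute values
--

-- END of PKIX1Implicit88


-- BEGIN of RFC2630

-- Cryptographic Message Syntax

pkcs-7-ContentInfo ::= SEQUENCE {
    contentType OBJECT IDENTIFIER,
    content [0] EXPLICIT ANY DEFINED BY contentType }

pkcs-7-DigestInfo ::= SEQUENCE {
    digestAlgorithm AlgorithmIdentifier,
    digest OCTET STRING
}

pkcs-7-SignedData ::= SEQUENCE {
    version INTEGER,
    digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
    encapContentInfo pkcs-7-EncapsulatedContentInfo,
    certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
    crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
    signerInfos pkcs-7-SignerInfos
}

pkcs-7-DigestAlgorithmIdentifiers ::= SET OF AlgorithmIdentifier

-- rfc5652: eContent [0] EXPLICIT OCTET STRING OPTIONAL
-- rfc2315: content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL

pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
    eContentType OBJECT IDENTIFIER,
    eContent [0] EXPLICIT ANY OPTIONAL }

-- We don't use CertificateList here since we only want
-- to read the raw data.
pkcs-7-CertificateRevocationLists ::= SET OF ANY

pkcs-7-CertificateChoices ::= CHOICE {
-- Although the paper uses Certificate type, we
-- don't use it since we don't need to parse it.
-- We only need to read and store it.
    certificate ANY
}
-- NOTE(review): because certificate and CRL entries are ANY, nothing
-- in a decoded SignedData has been checked to be a well formed
-- certificate or CRL. Each stored blob must go through the normal
-- Certificate or CertificateList decoding and chain validation before
-- it is trusted.

pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices

IssuerAndSerialNumber ::= SEQUENCE {
    issuer Name,
    serialNumber CertificateSerialNumber
}

-- NOTE(review): unsignedAttrs reuses the SignedAttributes type only
-- for its shape (a non empty SET OF Attribute). Its contents are not
-- covered by the signer's signature and must not be treated as
-- authenticated.
pkcs-7-SignerInfo ::= SEQUENCE {
    version INTEGER,
    sid SignerIdentifier,
    digestAlgorithm AlgorithmIdentifier,
    signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
    signatureAlgorithm AlgorithmIdentifier,
    signature OCTET STRING,
    unsignedAttrs [1] IMPLICIT SignedAttributes OPTIONAL }

SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

SignerIdentifier ::= CHOICE {
    issuerAndSerialNumber IssuerAndSerialNumber,
    subjectKeyIdentifier [0] OCTET STRING
}

pkcs-7-SignerInfos ::= SET OF pkcs-7-SignerInfo


-- BEGIN of RFC2986

-- Certificate requests
pkcs-10-CertificationRequestInfo ::= SEQUENCE {
    version       INTEGER,
    subject       Name,
    subjectPKInfo SubjectPublicKeyInfo,
    attributes    [0] Attributes
}

Attributes ::= SET OF Attribute

pkcs-10-CertificationRequest ::= SEQUENCE {
    certificationRequestInfo pkcs-10-CertificationRequestInfo,
    signatureAlgorithm AlgorithmIdentifier,
    signature          BIT STRING
}

-- stuff from PKCS#9

pkcs-9-at-challengePassword OBJECT IDENTIFIER   ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 7}

pkcs-9-challengePassword        ::= CHOICE {
    printableString       PrintableString,
    utf8String            UTF8String }

pkcs-9-localKeyId ::= OCTET STRING

-- PKCS #8 stuff

-- Private-key information syntax

pkcs-8-PrivateKeyInfo ::= SEQUENCE {
    version INTEGER,
    privateKeyAlgorithm AlgorithmIdentifier,
    privateKey OCTET STRING,
    attributes [0] Attributes OPTIONAL }

-- Encrypted private-key information syntax

pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
    encryptionAlgorithm AlgorithmIdentifier,
    encryptedData pkcs-8-EncryptedData
}

pkcs-8-EncryptedData ::= OCTET STRING

-- PKCS #5 stuff

pkcs-5-des-CBC-params ::= OCTET STRING (SIZE(8))
pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))
pkcs-5-aes128-CBC-params ::= OCTET STRING (SIZE(16))
pkcs-5-aes192-CBC-params ::= OCTET STRING (SIZE(16))
pkcs-5-aes256-CBC-params ::= OCTET STRING (SIZE(16))

-- GOST extension
Gost28147-89-Parameters ::= SEQUENCE {
    iv                   OCTET STRING, -- (SIZE (8))
    encryptionParamSet   OBJECT IDENTIFIER
}

-- NOTE(review): salt length and iterationCount carry no bounds in the
-- PBE and PKCS #12 parameter types of this module, and PBKDF2 only has
-- a lower bound of 1. These values come from the file being opened,
-- so the caller should apply its own policy: a minimum it is willing
-- to accept, and a maximum so that an untrusted file cannot force an
-- arbitrarily long key derivation.
pkcs-5-PBE-params ::= SEQUENCE {
    salt OCTET STRING,
    iterationCount INTEGER }

pkcs-5-PBES2-params ::= SEQUENCE {
    keyDerivationFunc AlgorithmIdentifier,
    encryptionScheme AlgorithmIdentifier }

-- PBKDF2

-- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
--   {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}

pkcs-5-PBKDF2-params ::= SEQUENCE {
    salt CHOICE {
        specified OCTET STRING,
        otherSource AlgorithmIdentifier
    },
    iterationCount INTEGER (1..MAX),
    keyLength INTEGER (1..MAX) OPTIONAL,
    prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
}

-- PKCS #12 stuff

pkcs-12-PFX ::= SEQUENCE {
    version   INTEGER {v3(3)},
    authSafe  pkcs-7-ContentInfo,
    macData   pkcs-12-MacData OPTIONAL
}

pkcs-12-PbeParams ::= SEQUENCE {
    salt        OCTET STRING,
    iterations  INTEGER
}

pkcs-12-MacData ::= SEQUENCE {
    mac         pkcs-7-DigestInfo,
    macSalt     OCTET STRING,
    iterations  INTEGER DEFAULT 1
-- Note: The default is for historical reasons and its use is
-- deprecated. A higher value, like 1024 is recommended.
-- NOTE(review): macData is OPTIONAL in pkcs-12-PFX, so a file may carry
-- no integrity MAC at all, and an absent iterations field decodes as 1.
-- Whether to accept either case is a caller policy decision. The 1024
-- figure above is the historical wording and should be read as a
-- floor, not as a target for newly written files.
}

pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
    -- Data if unencrypted
    -- EncryptedData if password-encrypted
    -- EnvelopedData if public key-encrypted

pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag

-- The DEFINED BY reference names the sibling field bagId, matching
-- the certId, crlId and secretTypeId references in the bags below.
pkcs-12-SafeBag ::= SEQUENCE {
    bagId          OBJECT IDENTIFIER,
    bagValue       [0] EXPLICIT ANY DEFINED BY bagId,
    bagAttributes  SET OF Attribute OPTIONAL
}

-- CertBag

pkcs-12-CertBag ::= SEQUENCE {
    certId    OBJECT IDENTIFIER,
    certValue [0] EXPLICIT ANY DEFINED BY certId
}

-- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
-- DER-encoded X.509 certificate stored in OCTET STRING

pkcs-12-CRLBag ::= SEQUENCE {
    crlId     OBJECT IDENTIFIER,
    crlValue  [0] EXPLICIT ANY DEFINED BY crlId
}

pkcs-12-SecretBag ::= SEQUENCE {
    secretTypeId  OBJECT IDENTIFIER,
    secretValue   [0] EXPLICIT ANY DEFINED BY secretTypeId
}

-- x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
-- DER-encoded X.509 CRL stored in OCTET STRING

-- PKCS #7 stuff (needed in PKCS 12)

pkcs-7-Data ::= OCTET STRING

pkcs-7-EncryptedData ::= SEQUENCE {
    version INTEGER,
    encryptedContentInfo pkcs-7-EncryptedContentInfo,
    unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }

pkcs-7-EncryptedContentInfo ::= SEQUENCE {
    contentType OBJECT IDENTIFIER,
    contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
    encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }

pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute

-- rfc3820

ProxyCertInfo ::= SEQUENCE {
    pCPathLenConstraint  INTEGER (0..MAX) OPTIONAL,
    proxyPolicy          ProxyPolicy }

ProxyPolicy ::= SEQUENCE {
    policyLanguage   OBJECT IDENTIFIER,
    policy           OCTET STRING OPTIONAL }

-- 2.5.29.32


certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
    policyIdentifier   OBJECT IDENTIFIER,
    policyQualifiers   SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }

PolicyQualifierInfo ::= SEQUENCE {
    policyQualifierId  OBJECT IDENTIFIER,
    qualifier          ANY DEFINED BY policyQualifierId }

CPSuri ::= IA5String

UserNotice ::= SEQUENCE {
    noticeRef        NoticeReference OPTIONAL,
    explicitText     DisplayText OPTIONAL }

NoticeReference ::= SEQUENCE {
    organization     DisplayText,
    noticeNumbers    SEQUENCE OF INTEGER }

DisplayText ::= CHOICE {
    ia5String        IA5String      (SIZE (1..200)),
    visibleString    VisibleString  (SIZE (1..200)),
    bmpString        BMPString      (SIZE (1..200)),
    utf8String       UTF8String     (SIZE (1..200)) }

-- rfc2560

OCSPRequest     ::=     SEQUENCE {
    tbsRequest                  TBSRequest,
    optionalSignature   [0]     EXPLICIT Signature OPTIONAL }

TBSRequest      ::=     SEQUENCE {
    version             [0] EXPLICIT INTEGER DEFAULT 0,
    requestorName       [1] EXPLICIT GeneralName OPTIONAL,
    requestList             SEQUENCE OF Request,
    requestExtensions   [2] EXPLICIT Extensions OPTIONAL }

Signature       ::=     SEQUENCE {
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING,
    certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

Request ::=     SEQUENCE {
    reqCert                    CertID,
    singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }

CertID ::= SEQUENCE {
    hashAlgorithm            AlgorithmIdentifier,
    issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
    issuerKeyHash      OCTET STRING, -- Hash of Issuer's public key
    serialNumber       CertificateSerialNumber }

-- NOTE(review): responseBytes is OPTIONAL and only responseStatus is
-- mandatory, so the outer OCSPResponse carries no signature of its
-- own. Error statuses are therefore unauthenticated. How a client
-- reacts to them (hard fail or soft fail) is a policy choice made
-- outside this syntax.
OCSPResponse ::= SEQUENCE {
    responseStatus         OCSPResponseStatus,
    responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }

OCSPResponseStatus ::= ENUMERATED {
    successful            (0),      --Response has valid confirmations
    malformedRequest      (1),      --Illegal confirmation request
    internalError         (2),      --Internal error in issuer
    tryLater              (3),      --Try again later
                                    --(4) is not used
    sigRequired           (5),      --Must sign the request
    unauthorized          (6)       --Request unauthorized
}

ResponseBytes ::=       SEQUENCE {
    responseType   OBJECT IDENTIFIER,
    response       OCTET STRING }

-- NOTE(review): the signature covers tbsResponseData only. The certs
-- field sits outside the signed data and is attacker controllable, so
-- a responder certificate taken from it has to be validated against
-- the issuing CA before the signature check means anything.
BasicOCSPResponse       ::= SEQUENCE {
    tbsResponseData      ResponseData,
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING,
    certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

ResponseData ::= SEQUENCE {
    version              [0] EXPLICIT INTEGER DEFAULT 0,
    responderID              ResponderID,
    producedAt               GeneralizedTime,
    responses                SEQUENCE OF SingleResponse,
    responseExtensions   [1] EXPLICIT Extensions OPTIONAL }

ResponderID ::= CHOICE {
-- Changed to work with the libtasn1 parser.
    byName   [1] EXPLICIT SEQUENCE OF RelativeDistinguishedName, --Name
    byKey    [2] EXPLICIT OCTET STRING --SHA-1 hash of responder's public key
}

SingleResponse ::= SEQUENCE {
    certID                       CertID,
    certStatus                   CertStatus,
    thisUpdate                   GeneralizedTime,
    nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
    singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }

CertStatus ::= CHOICE {
    good                [0]     IMPLICIT NULL,
    revoked             [1]     IMPLICIT RevokedInfo,
    unknown             [2]     IMPLICIT UnknownInfo }

-- NOTE(review): only unspecified(0) is named for revocationReason.
-- Other reason codes presumably still decode as bare numbers; confirm
-- against the parser before relying on the name list.
RevokedInfo ::= SEQUENCE {
    revocationTime              GeneralizedTime,
    revocationReason    [0]     EXPLICIT ENUMERATED { unspecified(0) } OPTIONAL }

UnknownInfo ::= NULL -- this can be replaced with an enumeration

-- rfc5280

NameConstraints ::= SEQUENCE {
    permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
    excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
    base                    GeneralName,
    minimum         [0]     INTEGER DEFAULT 0,
    maximum         [1]     INTEGER OPTIONAL }

-- rfc7633
TlsFeatures ::= SEQUENCE OF INTEGER

END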