749 lines
26 KiB
Groff
749 lines
26 KiB
Groff
CertificateExtensions {joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 8}
|
|
DEFINITIONS IMPLICIT TAGS ::=
|
|
BEGIN
|
|
|
|
-- EXPORTS ALL
|
|
|
|
IMPORTS
|
|
id-at, id-ce, id-ldx, id-mr, informationFramework, authenticationFramework,
|
|
pkiPmiExternalDataTypes, selectedAttributeTypes
|
|
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 8}
|
|
|
|
Name, RelativeDistinguishedName, Attribute{}, MATCHING-RULE,
|
|
SupportedAttributes, SYNTAX-NAME
|
|
FROM InformationFramework informationFramework
|
|
|
|
AvlSerialNumber, CertificateSerialNumber, CertificateList, AlgorithmIdentifier{},
|
|
EXTENSION, Time, PolicyID, SupportedAlgorithms
|
|
FROM AuthenticationFramework authenticationFramework
|
|
|
|
UnboundedDirectoryString
|
|
FROM SelectedAttributeTypes selectedAttributeTypes
|
|
|
|
ORAddress
|
|
FROM PkiPmiExternalDataTypes pkiPmiExternalDataTypes;
|
|
|
|
-- Unless explicitly noted otherwise, there is no significance to the ordering
|
|
-- of components of a SEQUENCE OF construct in this Specification.
|
|
|
|
-- public-key certificate and CRL extensions
|
|
|
|
authorityKeyIdentifier EXTENSION ::= {
|
|
SYNTAX AuthorityKeyIdentifier
|
|
IDENTIFIED BY id-ce-authorityKeyIdentifier }
|
|
|
|
AuthorityKeyIdentifier ::= SEQUENCE {
|
|
keyIdentifier [0] KeyIdentifier OPTIONAL,
|
|
authorityCertIssuer [1] GeneralNames OPTIONAL,
|
|
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL,
|
|
... }
|
|
(WITH COMPONENTS {..., authorityCertIssuer PRESENT,
|
|
authorityCertSerialNumber PRESENT } |
|
|
WITH COMPONENTS {..., authorityCertIssuer ABSENT,
|
|
authorityCertSerialNumber ABSENT } )
|
|
|
|
KeyIdentifier ::= OCTET STRING
|
|
|
|
subjectKeyIdentifier EXTENSION ::= {
|
|
SYNTAX SubjectKeyIdentifier
|
|
IDENTIFIED BY id-ce-subjectKeyIdentifier }
|
|
|
|
SubjectKeyIdentifier ::= KeyIdentifier
|
|
|
|
keyUsage EXTENSION ::= {
|
|
SYNTAX KeyUsage
|
|
IDENTIFIED BY id-ce-keyUsage }
|
|
|
|
KeyUsage ::= BIT STRING {
|
|
digitalSignature (0),
|
|
contentCommitment (1),
|
|
keyEncipherment (2),
|
|
dataEncipherment (3),
|
|
keyAgreement (4),
|
|
keyCertSign (5),
|
|
cRLSign (6),
|
|
encipherOnly (7),
|
|
decipherOnly (8) }
|
|
|
|
extKeyUsage EXTENSION ::= {
|
|
SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId
|
|
IDENTIFIED BY id-ce-extKeyUsage }
|
|
|
|
KeyPurposeId ::= OBJECT IDENTIFIER
|
|
|
|
privateKeyUsagePeriod EXTENSION ::= {
|
|
SYNTAX PrivateKeyUsagePeriod
|
|
IDENTIFIED BY id-ce-privateKeyUsagePeriod }
|
|
|
|
PrivateKeyUsagePeriod ::= SEQUENCE {
|
|
notBefore [0] GeneralizedTime OPTIONAL,
|
|
notAfter [1] GeneralizedTime OPTIONAL,
|
|
... }
|
|
(WITH COMPONENTS {..., notBefore PRESENT } |
|
|
WITH COMPONENTS {..., notAfter PRESENT } )
|
|
|
|
certificatePolicies EXTENSION ::= {
|
|
SYNTAX CertificatePoliciesSyntax
|
|
IDENTIFIED BY id-ce-certificatePolicies }
|
|
|
|
CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
|
|
|
|
PolicyInformation ::= SEQUENCE {
|
|
policyIdentifier CertPolicyId,
|
|
policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL,
|
|
... }
|
|
|
|
CertPolicyId ::= OBJECT IDENTIFIER
|
|
|
|
PolicyQualifierInfo ::= SEQUENCE {
|
|
policyQualifierId CERT-POLICY-QUALIFIER.&id({SupportedPolicyQualifiers}),
|
|
qualifier CERT-POLICY-QUALIFIER.&Qualifier
|
|
({SupportedPolicyQualifiers}{@policyQualifierId}) OPTIONAL,
|
|
... }
|
|
|
|
SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::= {...}
|
|
|
|
anyPolicy OBJECT IDENTIFIER ::= {id-ce-certificatePolicies 0}
|
|
|
|
CERT-POLICY-QUALIFIER ::= CLASS {
|
|
&id OBJECT IDENTIFIER UNIQUE,
|
|
&Qualifier OPTIONAL }
|
|
WITH SYNTAX {
|
|
POLICY-QUALIFIER-ID &id
|
|
[QUALIFIER-TYPE &Qualifier] }
|
|
|
|
policyMappings EXTENSION ::= {
|
|
SYNTAX PolicyMappingsSyntax
|
|
IDENTIFIED BY id-ce-policyMappings }
|
|
|
|
PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
|
|
issuerDomainPolicy CertPolicyId,
|
|
subjectDomainPolicy CertPolicyId,
|
|
... }
|
|
|
|
authorizationValidation EXTENSION ::= {
|
|
SYNTAX AvlId
|
|
IDENTIFIED BY id-ce-authorizationValidation }
|
|
|
|
AvlId ::= SEQUENCE {
|
|
issuer Name,
|
|
serialNumber AvlSerialNumber OPTIONAL,
|
|
... }
|
|
|
|
subjectAltName EXTENSION ::= {
|
|
SYNTAX GeneralNames
|
|
IDENTIFIED BY id-ce-subjectAltName }
|
|
|
|
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
|
|
|
|
GeneralName ::= CHOICE {
|
|
otherName [0] INSTANCE OF OTHER-NAME,
|
|
rfc822Name [1] IA5String,
|
|
dNSName [2] IA5String,
|
|
x400Address [3] ORAddress,
|
|
directoryName [4] Name,
|
|
ediPartyName [5] EDIPartyName,
|
|
uniformResourceIdentifier [6] IA5String,
|
|
iPAddress [7] OCTET STRING,
|
|
registeredID [8] OBJECT IDENTIFIER,
|
|
... }
|
|
|
|
OTHER-NAME ::= TYPE-IDENTIFIER
|
|
|
|
EDIPartyName ::= SEQUENCE {
|
|
nameAssigner [0] UnboundedDirectoryString OPTIONAL,
|
|
partyName [1] UnboundedDirectoryString,
|
|
... }
|
|
|
|
issuerAltName EXTENSION ::= {
|
|
SYNTAX GeneralNames
|
|
IDENTIFIED BY id-ce-issuerAltName }
|
|
|
|
subjectDirectoryAttributes EXTENSION ::= {
|
|
SYNTAX AttributesSyntax
|
|
IDENTIFIED BY id-ce-subjectDirectoryAttributes }
|
|
|
|
AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute{{SupportedAttributes}}
|
|
|
|
basicConstraints EXTENSION ::= {
|
|
SYNTAX BasicConstraintsSyntax
|
|
IDENTIFIED BY id-ce-basicConstraints }
|
|
|
|
BasicConstraintsSyntax ::= SEQUENCE {
|
|
cA BOOLEAN DEFAULT FALSE,
|
|
pathLenConstraint INTEGER(0..MAX) OPTIONAL,
|
|
... }
|
|
|
|
nameConstraints EXTENSION ::= {
|
|
SYNTAX NameConstraintsSyntax
|
|
IDENTIFIED BY id-ce-nameConstraints }
|
|
|
|
NameConstraintsSyntax ::= SEQUENCE {
|
|
permittedSubtrees [0] GeneralSubtrees OPTIONAL,
|
|
excludedSubtrees [1] GeneralSubtrees OPTIONAL,
|
|
... }
|
|
(WITH COMPONENTS {..., permittedSubtrees PRESENT } |
|
|
WITH COMPONENTS {..., excludedSubtrees PRESENT } )
|
|
|
|
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
|
|
|
|
GeneralSubtree ::= SEQUENCE {
|
|
base GeneralName,
|
|
minimum [0] BaseDistance DEFAULT 0,
|
|
maximum [1] BaseDistance OPTIONAL,
|
|
... }
|
|
|
|
BaseDistance ::= INTEGER(0..MAX)
|
|
|
|
policyConstraints EXTENSION ::= {
|
|
SYNTAX PolicyConstraintsSyntax
|
|
IDENTIFIED BY id-ce-policyConstraints }
|
|
|
|
PolicyConstraintsSyntax ::= SEQUENCE {
|
|
requireExplicitPolicy [0] SkipCerts OPTIONAL,
|
|
inhibitPolicyMapping [1] SkipCerts OPTIONAL,
|
|
... }
|
|
(WITH COMPONENTS {..., requireExplicitPolicy PRESENT } |
|
|
WITH COMPONENTS {..., inhibitPolicyMapping PRESENT } )
|
|
|
|
SkipCerts ::= INTEGER(0..MAX)
|
|
|
|
inhibitAnyPolicy EXTENSION ::= {
|
|
SYNTAX SkipCerts
|
|
IDENTIFIED BY id-ce-inhibitAnyPolicy }
|
|
|
|
cRLNumber EXTENSION ::= {
|
|
SYNTAX CRLNumber
|
|
IDENTIFIED BY id-ce-cRLNumber }
|
|
|
|
CRLNumber ::= INTEGER(0..MAX)
|
|
|
|
crlScope EXTENSION ::= {
|
|
SYNTAX CRLScopeSyntax
|
|
IDENTIFIED BY id-ce-cRLScope }
|
|
|
|
CRLScopeSyntax ::= SEQUENCE SIZE (1..MAX) OF PerAuthorityScope
|
|
|
|
PerAuthorityScope ::= SEQUENCE {
|
|
authorityName [0] GeneralName OPTIONAL,
|
|
distributionPoint [1] DistributionPointName OPTIONAL,
|
|
onlyContains [2] OnlyCertificateTypes OPTIONAL,
|
|
onlySomeReasons [4] ReasonFlags OPTIONAL,
|
|
serialNumberRange [5] NumberRange OPTIONAL,
|
|
subjectKeyIdRange [6] NumberRange OPTIONAL,
|
|
nameSubtrees [7] GeneralNames OPTIONAL,
|
|
baseRevocationInfo [9] BaseRevocationInfo OPTIONAL,
|
|
... }
|
|
|
|
OnlyCertificateTypes ::= BIT STRING {
|
|
user (0),
|
|
authority (1),
|
|
attribute (2)}
|
|
|
|
NumberRange ::= SEQUENCE {
|
|
startingNumber [0] INTEGER OPTIONAL,
|
|
endingNumber [1] INTEGER OPTIONAL,
|
|
modulus INTEGER OPTIONAL,
|
|
... }
|
|
|
|
BaseRevocationInfo ::= SEQUENCE {
|
|
cRLStreamIdentifier [0] CRLStreamIdentifier OPTIONAL,
|
|
cRLNumber [1] CRLNumber,
|
|
baseThisUpdate [2] GeneralizedTime,
|
|
... }
|
|
|
|
statusReferrals EXTENSION ::= {
|
|
SYNTAX StatusReferrals
|
|
IDENTIFIED BY id-ce-statusReferrals }
|
|
|
|
StatusReferrals ::= SEQUENCE SIZE (1..MAX) OF StatusReferral
|
|
|
|
StatusReferral ::= CHOICE {
|
|
cRLReferral [0] CRLReferral,
|
|
otherReferral [1] INSTANCE OF OTHER-REFERRAL,
|
|
... }
|
|
|
|
CRLReferral ::= SEQUENCE {
|
|
issuer [0] GeneralName OPTIONAL,
|
|
location [1] GeneralName OPTIONAL,
|
|
deltaRefInfo [2] DeltaRefInfo OPTIONAL,
|
|
cRLScope CRLScopeSyntax,
|
|
lastUpdate [3] GeneralizedTime OPTIONAL,
|
|
lastChangedCRL [4] GeneralizedTime OPTIONAL,
|
|
...
|
|
}
|
|
|
|
DeltaRefInfo ::= SEQUENCE {
|
|
deltaLocation GeneralName,
|
|
lastDelta GeneralizedTime OPTIONAL,
|
|
... }
|
|
|
|
OTHER-REFERRAL ::= TYPE-IDENTIFIER
|
|
|
|
cRLStreamIdentifier EXTENSION ::= {
|
|
SYNTAX CRLStreamIdentifier
|
|
IDENTIFIED BY id-ce-cRLStreamIdentifier }
|
|
|
|
CRLStreamIdentifier ::= INTEGER (0..MAX)
|
|
|
|
orderedList EXTENSION ::= {
|
|
SYNTAX OrderedListSyntax
|
|
IDENTIFIED BY id-ce-orderedList }
|
|
|
|
OrderedListSyntax ::= ENUMERATED {
|
|
ascSerialNum (0),
|
|
ascRevDate (1),
|
|
...}
|
|
|
|
deltaInfo EXTENSION ::= {
|
|
SYNTAX DeltaInformation
|
|
IDENTIFIED BY id-ce-deltaInfo }
|
|
|
|
DeltaInformation ::= SEQUENCE {
|
|
deltaLocation GeneralName,
|
|
nextDelta GeneralizedTime OPTIONAL,
|
|
... }
|
|
|
|
toBeRevoked EXTENSION ::= {
|
|
SYNTAX ToBeRevokedSyntax
|
|
IDENTIFIED BY id-ce-toBeRevoked }
|
|
|
|
ToBeRevokedSyntax ::= SEQUENCE SIZE (1..MAX) OF ToBeRevokedGroup
|
|
|
|
ToBeRevokedGroup ::= SEQUENCE {
|
|
certificateIssuer [0] GeneralName OPTIONAL,
|
|
reasonInfo [1] ReasonInfo OPTIONAL,
|
|
revocationTime GeneralizedTime,
|
|
certificateGroup CertificateGroup,
|
|
... }
|
|
|
|
ReasonInfo ::= SEQUENCE {
|
|
reasonCode CRLReason,
|
|
holdInstructionCode HoldInstruction OPTIONAL,
|
|
... }
|
|
|
|
CertificateGroup ::= CHOICE {
|
|
serialNumbers [0] CertificateSerialNumbers,
|
|
serialNumberRange [1] CertificateGroupNumberRange,
|
|
nameSubtree [2] GeneralName,
|
|
... }
|
|
|
|
CertificateGroupNumberRange ::= SEQUENCE {
|
|
startingNumber [0] INTEGER,
|
|
endingNumber [1] INTEGER,
|
|
... }
|
|
|
|
CertificateSerialNumbers ::= SEQUENCE SIZE (1..MAX) OF CertificateSerialNumber
|
|
|
|
revokedGroups EXTENSION ::= {
|
|
SYNTAX RevokedGroupsSyntax
|
|
IDENTIFIED BY id-ce-revokedGroups }
|
|
|
|
RevokedGroupsSyntax ::= SEQUENCE SIZE (1..MAX) OF RevokedGroup
|
|
|
|
RevokedGroup ::= SEQUENCE {
|
|
certificateIssuer [0] GeneralName OPTIONAL,
|
|
reasonInfo [1] ReasonInfo OPTIONAL,
|
|
invalidityDate [2] GeneralizedTime OPTIONAL,
|
|
revokedcertificateGroup [3] RevokedCertificateGroup,
|
|
... }
|
|
|
|
RevokedCertificateGroup ::= CHOICE {
|
|
serialNumberRange NumberRange,
|
|
nameSubtree GeneralName }
|
|
|
|
expiredCertsOnCRL EXTENSION ::= {
|
|
SYNTAX ExpiredCertsOnCRL
|
|
IDENTIFIED BY id-ce-expiredCertsOnCRL }
|
|
|
|
ExpiredCertsOnCRL ::= GeneralizedTime
|
|
|
|
reasonCode EXTENSION ::= {
|
|
SYNTAX CRLReason
|
|
IDENTIFIED BY id-ce-reasonCode }
|
|
|
|
CRLReason ::= ENUMERATED {
|
|
unspecified (0),
|
|
keyCompromise (1),
|
|
cACompromise (2),
|
|
affiliationChanged (3),
|
|
superseded (4),
|
|
cessationOfOperation (5),
|
|
certificateHold (6),
|
|
removeFromCRL (8),
|
|
privilegeWithdrawn (9),
|
|
aACompromise (10),
|
|
...,
|
|
weakAlgorithmOrKey (11) }
|
|
|
|
holdInstructionCode EXTENSION ::= {
|
|
SYNTAX HoldInstruction
|
|
IDENTIFIED BY id-ce-holdInstructionCode }
|
|
|
|
HoldInstruction ::= OBJECT IDENTIFIER
|
|
|
|
invalidityDate EXTENSION ::= {
|
|
SYNTAX GeneralizedTime
|
|
IDENTIFIED BY id-ce-invalidityDate }
|
|
|
|
cRLDistributionPoints EXTENSION ::= {
|
|
SYNTAX CRLDistPointsSyntax
|
|
IDENTIFIED BY id-ce-cRLDistributionPoints }
|
|
|
|
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
|
|
|
|
DistributionPoint ::= SEQUENCE {
|
|
distributionPoint [0] DistributionPointName OPTIONAL,
|
|
reasons [1] ReasonFlags OPTIONAL,
|
|
cRLIssuer [2] GeneralNames OPTIONAL,
|
|
... }
|
|
|
|
DistributionPointName ::= CHOICE {
|
|
fullName [0] GeneralNames,
|
|
nameRelativeToCRLIssuer [1] RelativeDistinguishedName,
|
|
... }
|
|
|
|
ReasonFlags ::= BIT STRING {
|
|
unused (0),
|
|
keyCompromise (1),
|
|
cACompromise (2),
|
|
affiliationChanged (3),
|
|
superseded (4),
|
|
cessationOfOperation (5),
|
|
certificateHold (6),
|
|
privilegeWithdrawn (7),
|
|
aACompromise (8),
|
|
weakAlgorithmOrKey (9) }
|
|
|
|
issuingDistributionPoint EXTENSION ::= {
|
|
SYNTAX IssuingDistPointSyntax
|
|
IDENTIFIED BY id-ce-issuingDistributionPoint }
|
|
|
|
IssuingDistPointSyntax ::= SEQUENCE {
|
|
-- If onlyContainsUserPublicKeyCerts and onlyContainsCACerts are both FALSE,
|
|
-- the CRL covers both public-key certificate types
|
|
distributionPoint [0] DistributionPointName OPTIONAL,
|
|
onlyContainsUserPublicKeyCerts [1] BOOLEAN DEFAULT FALSE,
|
|
onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
|
|
onlySomeReasons [3] ReasonFlags OPTIONAL,
|
|
indirectCRL [4] BOOLEAN DEFAULT FALSE,
|
|
onlyContainsAttributeCerts [5] BOOLEAN OPTIONAL, -- Use is strongly deprecated
|
|
... }
|
|
|
|
certificateIssuer EXTENSION ::= {
|
|
SYNTAX GeneralNames
|
|
IDENTIFIED BY id-ce-certificateIssuer }
|
|
|
|
deltaCRLIndicator EXTENSION ::= {
|
|
SYNTAX BaseCRLNumber
|
|
IDENTIFIED BY id-ce-deltaCRLIndicator }
|
|
|
|
BaseCRLNumber ::= CRLNumber
|
|
|
|
baseUpdateTime EXTENSION ::= {
|
|
SYNTAX GeneralizedTime
|
|
IDENTIFIED BY id-ce-baseUpdateTime }
|
|
|
|
freshestCRL EXTENSION ::= {
|
|
SYNTAX CRLDistPointsSyntax
|
|
IDENTIFIED BY id-ce-freshestCRL }
|
|
|
|
aAissuingDistributionPoint EXTENSION ::= {
|
|
SYNTAX AAIssuingDistPointSyntax
|
|
IDENTIFIED BY id-ce-aAissuingDistributionPoint }
|
|
|
|
AAIssuingDistPointSyntax ::= SEQUENCE {
|
|
distributionPoint [0] DistributionPointName OPTIONAL,
|
|
onlySomeReasons [1] ReasonFlags OPTIONAL,
|
|
indirectCRL [2] BOOLEAN DEFAULT FALSE,
|
|
containsUserAttributeCerts [3] BOOLEAN DEFAULT TRUE,
|
|
containsAACerts [4] BOOLEAN DEFAULT TRUE,
|
|
containsSOAPublicKeyCerts [5] BOOLEAN DEFAULT TRUE,
|
|
... }
|
|
|
|
-- PKI matching rules
|
|
|
|
certificateExactMatch MATCHING-RULE ::= {
|
|
SYNTAX CertificateExactAssertion
|
|
LDAP-SYNTAX certExactAssertion.&id
|
|
LDAP-NAME {"certificateExactMatch"}
|
|
LDAP-DESC "X.509 Certificate Exact Match"
|
|
ID id-mr-certificateExactMatch }
|
|
|
|
CertificateExactAssertion ::= SEQUENCE {
|
|
serialNumber CertificateSerialNumber,
|
|
issuer Name,
|
|
... }
|
|
|
|
certificateMatch MATCHING-RULE ::= {
|
|
SYNTAX CertificateAssertion
|
|
LDAP-SYNTAX certAssertion.&id
|
|
LDAP-NAME {"certificateMatch"}
|
|
LDAP-DESC "X.509 Certificate Match"
|
|
ID id-mr-certificateMatch }
|
|
|
|
CertificateAssertion ::= SEQUENCE {
|
|
serialNumber [0] CertificateSerialNumber OPTIONAL,
|
|
issuer [1] Name OPTIONAL,
|
|
subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL,
|
|
authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL,
|
|
certificateValid [4] Time OPTIONAL,
|
|
privateKeyValid [5] GeneralizedTime OPTIONAL,
|
|
subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL,
|
|
keyUsage [7] KeyUsage OPTIONAL,
|
|
subjectAltName [8] AltNameType OPTIONAL,
|
|
policy [9] CertPolicySet OPTIONAL,
|
|
pathToName [10] Name OPTIONAL,
|
|
subject [11] Name OPTIONAL,
|
|
nameConstraints [12] NameConstraintsSyntax OPTIONAL,
|
|
... }
|
|
|
|
AltNameType ::= CHOICE {
|
|
builtinNameForm ENUMERATED {
|
|
rfc822Name (1),
|
|
dNSName (2),
|
|
x400Address (3),
|
|
directoryName (4),
|
|
ediPartyName (5),
|
|
uniformResourceIdentifier (6),
|
|
iPAddress (7),
|
|
registeredId (8),
|
|
...},
|
|
otherNameForm OBJECT IDENTIFIER,
|
|
... }
|
|
|
|
CertPolicySet ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId
|
|
|
|
certificatePairExactMatch MATCHING-RULE ::= {
|
|
SYNTAX CertificatePairExactAssertion
|
|
LDAP-SYNTAX certPairExactAssertion.&id
|
|
LDAP-NAME {"certificatePairExactMatch"}
|
|
LDAP-DESC "X.509 Certificate Pair Exact Match"
|
|
ID id-mr-certificatePairExactMatch }
|
|
|
|
CertificatePairExactAssertion ::= SEQUENCE {
|
|
issuedToThisCAAssertion [0] CertificateExactAssertion OPTIONAL,
|
|
issuedByThisCAAssertion [1] CertificateExactAssertion OPTIONAL,
|
|
... }
|
|
(WITH COMPONENTS { ..., issuedToThisCAAssertion PRESENT } |
|
|
WITH COMPONENTS { ..., issuedByThisCAAssertion PRESENT } )
|
|
|
|
certificatePairMatch MATCHING-RULE ::= {
|
|
SYNTAX CertificatePairAssertion
|
|
LDAP-SYNTAX certPairAssertion.&id
|
|
LDAP-NAME {"certificatePairMatch"}
|
|
LDAP-DESC "X.509 Certificate Pair Match"
|
|
ID id-mr-certificatePairMatch }
|
|
|
|
CertificatePairAssertion ::= SEQUENCE {
|
|
issuedToThisCAAssertion [0] CertificateAssertion OPTIONAL,
|
|
issuedByThisCAAssertion [1] CertificateAssertion OPTIONAL,
|
|
... }
|
|
(WITH COMPONENTS {..., issuedToThisCAAssertion PRESENT } |
|
|
WITH COMPONENTS {..., issuedByThisCAAssertion PRESENT } )
|
|
|
|
certificateListExactMatch MATCHING-RULE ::= {
|
|
SYNTAX CertificateListExactAssertion
|
|
LDAP-SYNTAX certListExactAssertion.&id
|
|
LDAP-NAME {"certificateListExactMatch"}
|
|
LDAP-DESC "X.509 Certificate List Exact Match"
|
|
ID id-mr-certificateListExactMatch }
|
|
|
|
CertificateListExactAssertion ::= SEQUENCE {
|
|
issuer Name,
|
|
thisUpdate Time,
|
|
distributionPoint DistributionPointName OPTIONAL }
|
|
|
|
certificateListMatch MATCHING-RULE ::= {
|
|
SYNTAX CertificateListAssertion
|
|
LDAP-SYNTAX certListAssertion.&id
|
|
LDAP-NAME {"certificateListMatch"}
|
|
LDAP-DESC "X.509 Certificate List Match"
|
|
ID id-mr-certificateListMatch }
|
|
|
|
CertificateListAssertion ::= SEQUENCE {
|
|
issuer Name OPTIONAL,
|
|
minCRLNumber [0] CRLNumber OPTIONAL,
|
|
maxCRLNumber [1] CRLNumber OPTIONAL,
|
|
reasonFlags ReasonFlags OPTIONAL,
|
|
dateAndTime Time OPTIONAL,
|
|
distributionPoint [2] DistributionPointName OPTIONAL,
|
|
authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL,
|
|
... }
|
|
|
|
algorithmIdentifierMatch MATCHING-RULE ::= {
|
|
SYNTAX AlgorithmIdentifier {{SupportedAlgorithms}}
|
|
LDAP-SYNTAX algorithmIdentifier.&id
|
|
LDAP-NAME {"algorithmIdentifierMatch"}
|
|
LDAP-DESC "X.509 Algorithm Identifier Match"
|
|
ID id-mr-algorithmIdentifierMatch }
|
|
|
|
policyMatch MATCHING-RULE ::= {
|
|
SYNTAX PolicyID
|
|
ID id-mr-policyMatch }
|
|
|
|
pkiPathMatch MATCHING-RULE ::= {
|
|
SYNTAX PkiPathMatchSyntax
|
|
ID id-mr-pkiPathMatch }
|
|
|
|
PkiPathMatchSyntax ::= SEQUENCE {
|
|
firstIssuer Name,
|
|
lastSubject Name,
|
|
... }
|
|
|
|
enhancedCertificateMatch MATCHING-RULE ::= {
|
|
SYNTAX EnhancedCertificateAssertion
|
|
ID id-mr-enhancedCertificateMatch }
|
|
|
|
EnhancedCertificateAssertion ::= SEQUENCE {
|
|
serialNumber [0] CertificateSerialNumber OPTIONAL,
|
|
issuer [1] Name OPTIONAL,
|
|
subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL,
|
|
authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL,
|
|
certificateValid [4] Time OPTIONAL,
|
|
privateKeyValid [5] GeneralizedTime OPTIONAL,
|
|
subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL,
|
|
keyUsage [7] KeyUsage OPTIONAL,
|
|
subjectAltName [8] AltName OPTIONAL,
|
|
policy [9] CertPolicySet OPTIONAL,
|
|
pathToName [10] GeneralNames OPTIONAL,
|
|
subject [11] Name OPTIONAL,
|
|
nameConstraints [12] NameConstraintsSyntax OPTIONAL,
|
|
... }
|
|
(ALL EXCEPT ({ -- none; at least one component shall be present --}))
|
|
|
|
AltName ::= SEQUENCE {
|
|
altnameType AltNameType,
|
|
altNameValue GeneralName OPTIONAL }
|
|
|
|
certExactAssertion SYNTAX-NAME ::= {
|
|
LDAP-DESC "X.509 Certificate Exact Assertion"
|
|
DIRECTORY SYNTAX CertificateExactAssertion
|
|
ID id-ldx-certExactAssertion }
|
|
|
|
certAssertion SYNTAX-NAME ::= {
|
|
LDAP-DESC "X.509 Certificate Assertion"
|
|
DIRECTORY SYNTAX CertificateAssertion
|
|
ID id-ldx-certAssertion }
|
|
|
|
certPairExactAssertion SYNTAX-NAME ::= {
|
|
LDAP-DESC "X.509 Certificate Pair Exact Assertion"
|
|
DIRECTORY SYNTAX CertificatePairExactAssertion
|
|
ID id-ldx-certPairExactAssertion }
|
|
|
|
certPairAssertion SYNTAX-NAME ::= {
|
|
LDAP-DESC "X.509 Certificate Pair Assertion"
|
|
DIRECTORY SYNTAX CertificatePairAssertion
|
|
ID id-ldx-certPairAssertion }
|
|
|
|
certListExactAssertion SYNTAX-NAME ::= {
|
|
LDAP-DESC "X.509 Certificate List Exact Assertion"
|
|
DIRECTORY SYNTAX CertificateListExactAssertion
|
|
ID id-ldx-certListExactAssertion }
|
|
|
|
certListAssertion SYNTAX-NAME ::= {
|
|
LDAP-DESC "X.509 Certificate List Assertion"
|
|
DIRECTORY SYNTAX CertificateListAssertion
|
|
ID id-ldx-certListAssertion }
|
|
|
|
algorithmIdentifier SYNTAX-NAME ::= {
|
|
LDAP-DESC "X.509 Algorithm Identifier"
|
|
DIRECTORY SYNTAX AlgorithmIdentifier{{SupportedAlgorithms}}
|
|
ID id-ldx-algorithmIdentifier }
|
|
|
|
-- Object identifier assignments
|
|
|
|
-- {id-ce 2} not used
|
|
-- {id-ce 3} not used
|
|
-- {id-ce 4} not used
|
|
-- {id-ce 5} not used
|
|
-- {id-ce 6} not used
|
|
-- {id-ce 7} not used
|
|
-- {id-ce 8} not used
|
|
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}
|
|
-- {id-ce 10} not used
|
|
-- {id-ce 11} not used
|
|
-- {id-ce 12} not used
|
|
-- {id-ce 13} not used
|
|
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14}
|
|
id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15}
|
|
id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16}
|
|
id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17}
|
|
id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18}
|
|
id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19}
|
|
id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20}
|
|
id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21}
|
|
-- {id-ce 22} not used
|
|
id-ce-holdInstructionCode OBJECT IDENTIFIER ::= {id-ce 23}
|
|
id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24}
|
|
-- {id-ce 25} not used
|
|
-- {id-ce 26} not used
|
|
id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27}
|
|
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28}
|
|
id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29}
|
|
id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30}
|
|
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
|
|
id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32}
|
|
id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33}
|
|
-- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
|
|
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35}
|
|
id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36}
|
|
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
|
|
-- id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
|
|
-- id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
|
|
id-ce-cRLStreamIdentifier OBJECT IDENTIFIER ::= {id-ce 40}
|
|
-- id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
|
|
-- id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
|
|
-- id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
|
|
id-ce-cRLScope OBJECT IDENTIFIER ::= {id-ce 44}
|
|
id-ce-statusReferrals OBJECT IDENTIFIER ::= {id-ce 45}
|
|
id-ce-freshestCRL OBJECT IDENTIFIER ::= {id-ce 46}
|
|
id-ce-orderedList OBJECT IDENTIFIER ::= {id-ce 47}
|
|
-- id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
|
|
-- id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
|
|
-- id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
|
|
id-ce-baseUpdateTime OBJECT IDENTIFIER ::= {id-ce 51}
|
|
-- id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
|
|
id-ce-deltaInfo OBJECT IDENTIFIER ::= {id-ce 53}
|
|
id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= {id-ce 54}
|
|
-- id-ce-targetingInformation OBJECT IDENTIFIER ::= {id-ce 55}
|
|
-- id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
|
|
-- id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
|
|
id-ce-toBeRevoked OBJECT IDENTIFIER ::= {id-ce 58}
|
|
id-ce-revokedGroups OBJECT IDENTIFIER ::= {id-ce 59}
|
|
id-ce-expiredCertsOnCRL OBJECT IDENTIFIER ::= {id-ce 60}
|
|
-- id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
|
|
-- id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
|
|
id-ce-aAissuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 63}
|
|
-- id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
|
|
-- id-ce-singleUse OBJECT IDENTIFIER ::= {id-ce 65}
|
|
-- id-ce-groupAC OBJECT IDENTIFIER ::= {id-ce 66}
|
|
-- id-ce-allowedAttAss OBJECT IDENTIFIER ::= {id-ce 67}
|
|
-- id-ce-attributeMappings OBJECT IDENTIFIER ::= {id-ce 68}
|
|
-- id-ce-holderNameConstraints OBJECT IDENTIFIER ::= {id-ce 69}
|
|
id-ce-authorizationValidation OBJECT IDENTIFIER ::= {id-ce 70}
|
|
|
|
-- matching rule OIDs
|
|
|
|
id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34}
|
|
id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}
|
|
id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}
|
|
id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}
|
|
id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}
|
|
id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}
|
|
id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}
|
|
id-mr-policyMatch OBJECT IDENTIFIER ::= {id-mr 60}
|
|
id-mr-pkiPathMatch OBJECT IDENTIFIER ::= {id-mr 62}
|
|
id-mr-enhancedCertificateMatch OBJECT IDENTIFIER ::= {id-mr 65}
|
|
|
|
-- Object identifiers for LDAP X.509 assertion syntaxes
|
|
|
|
id-ldx-certExactAssertion OBJECT IDENTIFIER ::= {id-ldx 1}
|
|
id-ldx-certAssertion OBJECT IDENTIFIER ::= {id-ldx 2}
|
|
id-ldx-certPairExactAssertion OBJECT IDENTIFIER ::= {id-ldx 3}
|
|
id-ldx-certPairAssertion OBJECT IDENTIFIER ::= {id-ldx 4}
|
|
id-ldx-certListExactAssertion OBJECT IDENTIFIER ::= {id-ldx 5}
|
|
id-ldx-certListAssertion OBJECT IDENTIFIER ::= {id-ldx 6}
|
|
id-ldx-algorithmIdentifier OBJECT IDENTIFIER ::= {id-ldx 7}
|
|
|
|
END -- CertificateExtensions |