293 lines
9.9 KiB
Groff
293 lines
9.9 KiB
Groff
PKIXAttributeCertificate-2009
|
|
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}
|
|
|
|
DEFINITIONS IMPLICIT TAGS ::=
|
|
BEGIN
|
|
|
|
IMPORTS
|
|
|
|
AttributeSet{}, Extensions{}, SecurityCategory{},
|
|
EXTENSION, ATTRIBUTE, SECURITY-CATEGORY
|
|
FROM PKIX-CommonTypes-2009 {
|
|
iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
|
|
|
|
AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM
|
|
FROM AlgorithmInformation-2009 {
|
|
iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) pkix(7) id-mod(0)
|
|
id-mod-algorithmInformation-02(58)}
|
|
|
|
-- IMPORTed module OIDs MAY change if [PKIXPROF] changes
|
|
-- PKIX Certificate Extensions
|
|
|
|
CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp,
|
|
id-ad, id-at, SIGNED{}, SignatureAlgorithms
|
|
FROM PKIX1Explicit-2009 {
|
|
iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}
|
|
|
|
GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier,
|
|
ext-AuthorityInfoAccess, ext-CRLDistributionPoints
|
|
FROM PKIX1Implicit-2009 {
|
|
iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
|
|
|
|
ContentInfo
|
|
FROM CryptographicMessageSyntax-2009 {
|
|
iso(1) member-body(2) us(840) rsadsi(113549)
|
|
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) };
|
|
-- Define the set of extensions that can appear.
|
|
-- Some of these are imported from PKIX Cert
|
|
|
|
AttributeCertExtensions EXTENSION ::= {
|
|
ext-auditIdentity | ext-targetInformation |
|
|
ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess |
|
|
ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying |
|
|
ext-aaControls, ... }
|
|
|
|
ext-auditIdentity EXTENSION ::= { SYNTAX
|
|
OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity}
|
|
|
|
ext-targetInformation EXTENSION ::= { SYNTAX
|
|
Targets IDENTIFIED BY id-ce-targetInformation }
|
|
|
|
ext-noRevAvail EXTENSION ::= { SYNTAX
|
|
NULL IDENTIFIED BY id-ce-noRevAvail}
|
|
|
|
ext-ac-proxying EXTENSION ::= { SYNTAX
|
|
ProxyInfo IDENTIFIED BY id-pe-ac-proxying}
|
|
|
|
ext-aaControls EXTENSION ::= { SYNTAX
|
|
AAControls IDENTIFIED BY id-pe-aaControls}
|
|
|
|
-- Define the set of attributes used here
|
|
|
|
AttributesDefined ATTRIBUTE ::= { at-authenticationInfo |
|
|
at-accesIdentity | at-chargingIdentity | at-group |
|
|
at-role | at-clearance | at-encAttrs, ...}
|
|
|
|
at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo
|
|
IDENTIFIED BY id-aca-authenticationInfo}
|
|
|
|
at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo
|
|
IDENTIFIED BY id-aca-accessIdentity}
|
|
|
|
at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax
|
|
IDENTIFIED BY id-aca-chargingIdentity}
|
|
|
|
at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax
|
|
IDENTIFIED BY id-aca-group}
|
|
|
|
at-role ATTRIBUTE ::= { TYPE RoleSyntax
|
|
IDENTIFIED BY id-at-role}
|
|
|
|
at-clearance ATTRIBUTE ::= { TYPE Clearance
|
|
IDENTIFIED BY id-at-clearance}
|
|
at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281
|
|
IDENTIFIED BY id-at-clearance-rfc3281 }
|
|
|
|
at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo
|
|
IDENTIFIED BY id-aca-encAttrs}
|
|
|
|
--
|
|
-- OIDs used by Attribute Certificate Extensions
|
|
--
|
|
|
|
id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
|
|
id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
|
|
id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
|
|
id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
|
|
id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 }
|
|
|
|
--
|
|
-- OIDs used by Attribute Certificate Attributes
|
|
--
|
|
|
|
id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
|
|
|
|
id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
|
|
id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
|
|
id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
|
|
id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
|
|
-- { id-aca 5 } is reserved
|
|
id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
|
|
|
|
id-at-role OBJECT IDENTIFIER ::= { id-at 72}
|
|
id-at-clearance OBJECT IDENTIFIER ::= {
|
|
joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) }
|
|
|
|
-- Uncomment the following declaration and comment the above line if
|
|
-- using the id-at-clearance attribute as defined in [RFC3281]
|
|
-- id-at-clearance ::= id-at-clearance-3281
|
|
|
|
id-at-clearance-rfc3281 OBJECT IDENTIFIER ::= {
|
|
joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5)
|
|
clearance (55) }
|
|
|
|
--
|
|
-- The syntax of an Attribute Certificate
|
|
--
|
|
|
|
AttributeCertificate ::= SIGNED{AttributeCertificateInfo}
|
|
|
|
AttributeCertificateInfo ::= SEQUENCE {
|
|
version AttCertVersion, -- version is v2
|
|
holder Holder,
|
|
issuer AttCertIssuer,
|
|
signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
|
|
{SignatureAlgorithms}},
|
|
serialNumber CertificateSerialNumber,
|
|
attrCertValidityPeriod AttCertValidityPeriod,
|
|
attributes SEQUENCE OF
|
|
AttributeSet{{AttributesDefined}},
|
|
issuerUniqueID UniqueIdentifier OPTIONAL,
|
|
extensions Extensions{{AttributeCertExtensions}} OPTIONAL
|
|
}
|
|
|
|
AttCertVersion ::= INTEGER { v2(1) }
|
|
|
|
Holder ::= SEQUENCE {
|
|
baseCertificateID [0] IssuerSerial OPTIONAL,
|
|
-- the issuer and serial number of
|
|
-- the holder's Public Key Certificate
|
|
entityName [1] GeneralNames OPTIONAL,
|
|
-- the name of the claimant or role
|
|
objectDigestInfo [2] ObjectDigestInfo OPTIONAL
|
|
-- used to directly authenticate the
|
|
-- holder, for example, an executable
|
|
}
|
|
|
|
ObjectDigestInfo ::= SEQUENCE {
|
|
digestedObjectType ENUMERATED {
|
|
publicKey (0),
|
|
publicKeyCert (1),
|
|
otherObjectTypes (2) },
|
|
-- otherObjectTypes MUST NOT
|
|
-- be used in this profile
|
|
otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
|
|
digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
|
|
objectDigest BIT STRING
|
|
}
|
|
|
|
AttCertIssuer ::= CHOICE {
|
|
v1Form GeneralNames, -- MUST NOT be used in this
|
|
-- profile
|
|
v2Form [0] V2Form -- v2 only
|
|
}
|
|
|
|
V2Form ::= SEQUENCE {
|
|
issuerName GeneralNames OPTIONAL,
|
|
baseCertificateID [0] IssuerSerial OPTIONAL,
|
|
objectDigestInfo [1] ObjectDigestInfo OPTIONAL
|
|
-- issuerName MUST be present in this profile
|
|
-- baseCertificateID and objectDigestInfo MUST
|
|
-- NOT be present in this profile
|
|
}
|
|
|
|
IssuerSerial ::= SEQUENCE {
|
|
issuer GeneralNames,
|
|
serial CertificateSerialNumber,
|
|
issuerUID UniqueIdentifier OPTIONAL
|
|
}
|
|
|
|
AttCertValidityPeriod ::= SEQUENCE {
|
|
notBeforeTime GeneralizedTime,
|
|
notAfterTime GeneralizedTime
|
|
}
|
|
|
|
--
|
|
-- Syntax used by Attribute Certificate Extensions
|
|
--
|
|
|
|
Targets ::= SEQUENCE OF Target
|
|
|
|
Target ::= CHOICE {
|
|
targetName [0] GeneralName,
|
|
targetGroup [1] GeneralName,
|
|
targetCert [2] TargetCert
|
|
}
|
|
|
|
TargetCert ::= SEQUENCE {
|
|
targetCertificate IssuerSerial,
|
|
targetName GeneralName OPTIONAL,
|
|
certDigestInfo ObjectDigestInfo OPTIONAL
|
|
}
|
|
|
|
AAControls ::= SEQUENCE {
|
|
pathLenConstraint INTEGER (0..MAX) OPTIONAL,
|
|
permittedAttrs [0] AttrSpec OPTIONAL,
|
|
excludedAttrs [1] AttrSpec OPTIONAL,
|
|
permitUnSpecified BOOLEAN DEFAULT TRUE
|
|
}
|
|
|
|
AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
|
|
|
|
ProxyInfo ::= SEQUENCE OF Targets
|
|
|
|
--
|
|
-- Syntax used by Attribute Certificate Attributes
|
|
--
|
|
IetfAttrSyntax ::= SEQUENCE {
|
|
policyAuthority[0] GeneralNames OPTIONAL,
|
|
values SEQUENCE OF CHOICE {
|
|
octets OCTET STRING,
|
|
oid OBJECT IDENTIFIER,
|
|
string UTF8String
|
|
}
|
|
}
|
|
|
|
SvceAuthInfo ::= SEQUENCE {
|
|
service GeneralName,
|
|
ident GeneralName,
|
|
authInfo OCTET STRING OPTIONAL
|
|
}
|
|
|
|
RoleSyntax ::= SEQUENCE {
|
|
roleAuthority [0] GeneralNames OPTIONAL,
|
|
roleName [1] GeneralName
|
|
}
|
|
|
|
Clearance ::= SEQUENCE {
|
|
policyId OBJECT IDENTIFIER,
|
|
classList ClassList DEFAULT {unclassified},
|
|
securityCategories SET OF SecurityCategory
|
|
{{SupportedSecurityCategories}} OPTIONAL
|
|
}
|
|
|
|
-- Uncomment the following lines to support deprecated clearance
|
|
-- syntax and comment out previous Clearance.
|
|
|
|
-- Clearance ::= Clearance-rfc3281
|
|
|
|
Clearance-rfc3281 ::= SEQUENCE {
|
|
policyId [0] OBJECT IDENTIFIER,
|
|
classList [1] ClassList DEFAULT {unclassified},
|
|
securityCategories [2] SET OF SecurityCategory-rfc3281
|
|
{{SupportedSecurityCategories}} OPTIONAL
|
|
}
|
|
|
|
ClassList ::= BIT STRING {
|
|
unmarked (0),
|
|
unclassified (1),
|
|
restricted (2),
|
|
confidential (3),
|
|
secret (4),
|
|
topSecret (5)
|
|
}
|
|
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
|
|
|
|
SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
|
|
type [0] IMPLICIT SECURITY-CATEGORY.&id({Supported}),
|
|
value [1] EXPLICIT SECURITY-CATEGORY.&Type({Supported}{@type})
|
|
}
|
|
|
|
ACClearAttrs ::= SEQUENCE {
|
|
acIssuer GeneralName,
|
|
acSerial INTEGER,
|
|
attrs SEQUENCE OF AttributeSet{{AttributesDefined}}
|
|
}
|
|
|
|
END
|