448 lines
16 KiB
Groff
448 lines
16 KiB
Groff
PKIX1Implicit-2009
|
|
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
|
|
|
|
DEFINITIONS IMPLICIT TAGS ::=
|
|
BEGIN
|
|
|
|
IMPORTS
|
|
|
|
AttributeSet{}, EXTENSION, ATTRIBUTE
|
|
FROM PKIX-CommonTypes-2009 {
|
|
iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
|
|
|
|
id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name,
|
|
RelativeDistinguishedName, CertificateSerialNumber,
|
|
DirectoryString{}, SupportedAttributes
|
|
FROM PKIX1Explicit-2009 {
|
|
iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
|
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) };
|
|
|
|
CertExtensions EXTENSION ::= {
|
|
ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier |
|
|
ext-KeyUsage | ext-PrivateKeyUsagePeriod |
|
|
ext-CertificatePolicies | ext-PolicyMappings |
|
|
ext-SubjectAltName | ext-IssuerAltName |
|
|
ext-SubjectDirectoryAttributes |
|
|
ext-BasicConstraints | ext-NameConstraints |
|
|
ext-PolicyConstraints | ext-ExtKeyUsage |
|
|
ext-CRLDistributionPoints | ext-InhibitAnyPolicy |
|
|
ext-FreshestCRL | ext-AuthorityInfoAccess |
|
|
ext-SubjectInfoAccessSyntax, ... }
|
|
|
|
CrlExtensions EXTENSION ::= {
|
|
ext-AuthorityKeyIdentifier | ext-IssuerAltName |
|
|
ext-CRLNumber | ext-DeltaCRLIndicator |
|
|
ext-IssuingDistributionPoint | ext-FreshestCRL, ... }
|
|
|
|
CrlEntryExtensions EXTENSION ::= {
|
|
ext-CRLReason | ext-CertificateIssuer |
|
|
ext-HoldInstructionCode | ext-InvalidityDate, ... }
|
|
-- Shared arc for standard certificate and CRL extensions
|
|
|
|
id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
|
|
|
|
-- authority key identifier OID and syntax
|
|
|
|
ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX
|
|
AuthorityKeyIdentifier IDENTIFIED BY
|
|
id-ce-authorityKeyIdentifier }
|
|
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
|
|
|
|
AuthorityKeyIdentifier ::= SEQUENCE {
|
|
keyIdentifier [0] KeyIdentifier OPTIONAL,
|
|
authorityCertIssuer [1] GeneralNames OPTIONAL,
|
|
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
|
|
(WITH COMPONENTS {
|
|
...,
|
|
authorityCertIssuer PRESENT,
|
|
authorityCertSerialNumber PRESENT
|
|
} |
|
|
WITH COMPONENTS {
|
|
...,
|
|
authorityCertIssuer ABSENT,
|
|
authorityCertSerialNumber ABSENT
|
|
})
|
|
|
|
KeyIdentifier ::= OCTET STRING
|
|
|
|
-- subject key identifier OID and syntax
|
|
|
|
ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX
|
|
KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier }
|
|
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
|
|
|
|
-- key usage extension OID and syntax
|
|
|
|
ext-KeyUsage EXTENSION ::= { SYNTAX
|
|
KeyUsage IDENTIFIED BY id-ce-keyUsage }
|
|
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
|
|
|
|
KeyUsage ::= BIT STRING {
|
|
digitalSignature (0),
|
|
nonRepudiation (1), -- recent editions of X.509 have
|
|
-- renamed this bit to
|
|
-- contentCommitment
|
|
keyEncipherment (2),
|
|
dataEncipherment (3),
|
|
keyAgreement (4),
|
|
keyCertSign (5),
|
|
cRLSign (6),
|
|
encipherOnly (7),
|
|
decipherOnly (8)
|
|
}
|
|
|
|
-- private key usage period extension OID and syntax
|
|
|
|
ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX
|
|
PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod }
|
|
id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
|
|
|
|
PrivateKeyUsagePeriod ::= SEQUENCE {
|
|
notBefore [0] GeneralizedTime OPTIONAL,
|
|
notAfter [1] GeneralizedTime OPTIONAL }
|
|
(WITH COMPONENTS {..., notBefore PRESENT } |
|
|
WITH COMPONENTS {..., notAfter PRESENT })
|
|
|
|
-- certificate policies extension OID and syntax
|
|
|
|
ext-CertificatePolicies EXTENSION ::= { SYNTAX
|
|
CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies}
|
|
id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
|
|
|
|
CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
|
|
|
|
PolicyInformation ::= SEQUENCE {
|
|
policyIdentifier CertPolicyId,
|
|
policyQualifiers SEQUENCE SIZE (1..MAX) OF
|
|
PolicyQualifierInfo OPTIONAL }
|
|
|
|
CertPolicyId ::= OBJECT IDENTIFIER
|
|
|
|
CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER
|
|
|
|
PolicyQualifierInfo ::= SEQUENCE {
|
|
policyQualifierId CERT-POLICY-QUALIFIER.&id({PolicyQualifierId}),
|
|
qualifier CERT-POLICY-QUALIFIER.&Type({PolicyQualifierId}{@policyQualifierId})}
|
|
|
|
-- Implementations that recognize additional policy qualifiers MUST
|
|
-- augment the following definition for PolicyQualifierId
|
|
|
|
PolicyQualifierId CERT-POLICY-QUALIFIER ::=
|
|
{ pqid-cps | pqid-unotice, ... }
|
|
|
|
pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }
|
|
pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice
|
|
IDENTIFIED BY id-qt-unotice }
|
|
|
|
-- CPS pointer qualifier
|
|
|
|
CPSuri ::= IA5String
|
|
|
|
-- user notice qualifier
|
|
|
|
UserNotice ::= SEQUENCE {
|
|
noticeRef NoticeReference OPTIONAL,
|
|
explicitText DisplayText OPTIONAL}
|
|
|
|
--
|
|
-- This is not made explicit in the text
|
|
--
|
|
-- {WITH COMPONENTS {..., noticeRef PRESENT} |
|
|
-- WITH COMPONENTS {..., DisplayText PRESENT }}
|
|
|
|
NoticeReference ::= SEQUENCE {
|
|
organization DisplayText,
|
|
noticeNumbers SEQUENCE OF INTEGER }
|
|
|
|
DisplayText ::= CHOICE {
|
|
ia5String IA5String (SIZE (1..200)),
|
|
visibleString VisibleString (SIZE (1..200)),
|
|
bmpString BMPString (SIZE (1..200)),
|
|
utf8String UTF8String (SIZE (1..200)) }
|
|
|
|
-- policy mapping extension OID and syntax
|
|
|
|
ext-PolicyMappings EXTENSION ::= { SYNTAX
|
|
PolicyMappings IDENTIFIED BY id-ce-policyMappings }
|
|
id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
|
|
|
|
PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
|
|
issuerDomainPolicy CertPolicyId,
|
|
subjectDomainPolicy CertPolicyId
|
|
}
|
|
|
|
-- subject alternative name extension OID and syntax
|
|
|
|
ext-SubjectAltName EXTENSION ::= { SYNTAX
|
|
GeneralNames IDENTIFIED BY id-ce-subjectAltName }
|
|
id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
|
|
|
|
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
|
|
|
|
GeneralName ::= CHOICE {
|
|
otherName [0] INSTANCE OF OTHER-NAME,
|
|
rfc822Name [1] IA5String,
|
|
dNSName [2] IA5String,
|
|
x400Address [3] ORAddress,
|
|
directoryName [4] Name,
|
|
ediPartyName [5] EDIPartyName,
|
|
uniformResourceIdentifier [6] IA5String,
|
|
iPAddress [7] OCTET STRING,
|
|
registeredID [8] OBJECT IDENTIFIER
|
|
}
|
|
|
|
-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
|
|
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
|
|
|
|
OTHER-NAME ::= TYPE-IDENTIFIER
|
|
|
|
EDIPartyName ::= SEQUENCE {
|
|
nameAssigner [0] DirectoryString {ubMax} OPTIONAL,
|
|
partyName [1] DirectoryString {ubMax}
|
|
}
|
|
|
|
-- issuer alternative name extension OID and syntax
|
|
|
|
ext-IssuerAltName EXTENSION ::= { SYNTAX
|
|
GeneralNames IDENTIFIED BY id-ce-issuerAltName }
|
|
id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
|
|
|
|
ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX
|
|
SubjectDirectoryAttributes IDENTIFIED BY
|
|
id-ce-subjectDirectoryAttributes }
|
|
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
|
|
|
|
SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
|
|
AttributeSet{{SupportedAttributes}}
|
|
|
|
-- basic constraints extension OID and syntax
|
|
|
|
ext-BasicConstraints EXTENSION ::= { SYNTAX
|
|
BasicConstraints IDENTIFIED BY id-ce-basicConstraints }
|
|
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
|
|
|
|
BasicConstraints ::= SEQUENCE {
|
|
cA BOOLEAN DEFAULT FALSE,
|
|
pathLenConstraint INTEGER (0..MAX) OPTIONAL
|
|
}
|
|
|
|
-- name constraints extension OID and syntax
|
|
ext-NameConstraints EXTENSION ::= { SYNTAX
|
|
NameConstraints IDENTIFIED BY id-ce-nameConstraints }
|
|
id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
|
|
|
|
NameConstraints ::= SEQUENCE {
|
|
permittedSubtrees [0] GeneralSubtrees OPTIONAL,
|
|
excludedSubtrees [1] GeneralSubtrees OPTIONAL
|
|
}
|
|
--
|
|
-- This is a constraint in the issued certificates by CAs, but is
|
|
-- not a requirement on EEs.
|
|
--
|
|
-- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
|
|
-- WITH COMPONENTS { ..., excludedSubtrees PRESENT }}
|
|
|
|
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
|
|
|
|
GeneralSubtree ::= SEQUENCE {
|
|
base GeneralName,
|
|
minimum [0] BaseDistance DEFAULT 0,
|
|
maximum [1] BaseDistance OPTIONAL
|
|
}
|
|
|
|
BaseDistance ::= INTEGER (0..MAX)
|
|
|
|
-- policy constraints extension OID and syntax
|
|
|
|
ext-PolicyConstraints EXTENSION ::= { SYNTAX
|
|
PolicyConstraints IDENTIFIED BY id-ce-policyConstraints }
|
|
id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
|
|
|
|
PolicyConstraints ::= SEQUENCE {
|
|
requireExplicitPolicy [0] SkipCerts OPTIONAL,
|
|
inhibitPolicyMapping [1] SkipCerts OPTIONAL }
|
|
--
|
|
-- This is a constraint in the issued certificates by CAs,
|
|
-- but is not a requirement for EEs
|
|
--
|
|
-- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
|
|
-- WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})
|
|
|
|
SkipCerts ::= INTEGER (0..MAX)
|
|
|
|
-- CRL distribution points extension OID and syntax
|
|
|
|
ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
|
|
CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}
|
|
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
|
|
CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
|
|
|
|
DistributionPoint ::= SEQUENCE {
|
|
distributionPoint [0] DistributionPointName OPTIONAL,
|
|
reasons [1] ReasonFlags OPTIONAL,
|
|
cRLIssuer [2] GeneralNames OPTIONAL
|
|
}
|
|
--
|
|
-- This is not a requirement in the text, but it seems as if it
|
|
-- should be
|
|
--
|
|
--(WITH COMPONENTS {..., distributionPoint PRESENT} |
|
|
-- WITH COMPONENTS {..., cRLIssuer PRESENT})
|
|
|
|
DistributionPointName ::= CHOICE {
|
|
fullName [0] GeneralNames,
|
|
nameRelativeToCRLIssuer [1] RelativeDistinguishedName
|
|
}
|
|
|
|
ReasonFlags ::= BIT STRING {
|
|
unused (0),
|
|
keyCompromise (1),
|
|
cACompromise (2),
|
|
affiliationChanged (3),
|
|
superseded (4),
|
|
cessationOfOperation (5),
|
|
certificateHold (6),
|
|
privilegeWithdrawn (7),
|
|
aACompromise (8)
|
|
}
|
|
|
|
-- extended key usage extension OID and syntax
|
|
|
|
ext-ExtKeyUsage EXTENSION ::= { SYNTAX
|
|
ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage }
|
|
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
|
|
|
|
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
|
|
|
|
KeyPurposeId ::= OBJECT IDENTIFIER
|
|
|
|
-- permit unspecified key uses
|
|
|
|
anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
|
|
|
|
-- extended key purpose OIDs
|
|
|
|
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
|
|
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
|
|
id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
|
|
id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
|
|
id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
|
|
id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
|
|
|
|
-- inhibit any policy OID and syntax
|
|
|
|
ext-InhibitAnyPolicy EXTENSION ::= {SYNTAX
|
|
SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy }
|
|
id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
|
|
|
|
-- freshest (delta)CRL extension OID and syntax
|
|
|
|
ext-FreshestCRL EXTENSION ::= {SYNTAX
|
|
CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL }
|
|
id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 }
|
|
|
|
-- authority info access
|
|
|
|
ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX
|
|
AuthorityInfoAccessSyntax IDENTIFIED BY
|
|
id-pe-authorityInfoAccess }
|
|
id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
|
|
|
|
AuthorityInfoAccessSyntax ::=
|
|
SEQUENCE SIZE (1..MAX) OF AccessDescription
|
|
|
|
AccessDescription ::= SEQUENCE {
|
|
accessMethod OBJECT IDENTIFIER,
|
|
accessLocation GeneralName }
|
|
|
|
-- subject info access
|
|
|
|
ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX
|
|
SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
|
|
id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }
|
|
|
|
SubjectInfoAccessSyntax ::=
|
|
SEQUENCE SIZE (1..MAX) OF AccessDescription
|
|
|
|
-- CRL number extension OID and syntax
|
|
|
|
ext-CRLNumber EXTENSION ::= {SYNTAX
|
|
INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
|
|
id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
|
|
|
|
CRLNumber ::= INTEGER (0..MAX)
|
|
-- issuing distribution point extension OID and syntax
|
|
|
|
ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX
|
|
IssuingDistributionPoint IDENTIFIED BY
|
|
id-ce-issuingDistributionPoint }
|
|
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
|
|
|
|
IssuingDistributionPoint ::= SEQUENCE {
|
|
distributionPoint [0] DistributionPointName OPTIONAL,
|
|
onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
|
|
onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
|
|
onlySomeReasons [3] ReasonFlags OPTIONAL,
|
|
indirectCRL [4] BOOLEAN DEFAULT FALSE,
|
|
onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE
|
|
}
|
|
-- at most one of onlyContainsUserCerts, onlyContainsCACerts,
|
|
-- or onlyContainsAttributeCerts may be set to TRUE.
|
|
|
|
ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX
|
|
CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator }
|
|
id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
|
|
|
|
-- CRL reasons extension OID and syntax
|
|
|
|
ext-CRLReason EXTENSION ::= { SYNTAX
|
|
CRLReason IDENTIFIED BY id-ce-cRLReasons }
|
|
id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
|
|
|
|
CRLReason ::= ENUMERATED {
|
|
unspecified (0),
|
|
keyCompromise (1),
|
|
cACompromise (2),
|
|
affiliationChanged (3),
|
|
superseded (4),
|
|
cessationOfOperation (5),
|
|
certificateHold (6),
|
|
removeFromCRL (8),
|
|
privilegeWithdrawn (9),
|
|
aACompromise (10)
|
|
}
|
|
|
|
-- certificate issuer CRL entry extension OID and syntax
|
|
|
|
ext-CertificateIssuer EXTENSION ::= { SYNTAX
|
|
GeneralNames IDENTIFIED BY id-ce-certificateIssuer }
|
|
id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
|
|
|
|
-- hold instruction extension OID and syntax
|
|
ext-HoldInstructionCode EXTENSION ::= { SYNTAX
|
|
OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode }
|
|
id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
|
|
|
|
-- ANSI x9 holdinstructions
|
|
|
|
holdInstruction OBJECT IDENTIFIER ::=
|
|
{joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
|
|
id-holdinstruction-none OBJECT IDENTIFIER ::=
|
|
{holdInstruction 1} -- deprecated
|
|
id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
|
|
{holdInstruction 2}
|
|
id-holdinstruction-reject OBJECT IDENTIFIER ::=
|
|
{holdInstruction 3}
|
|
|
|
-- invalidity date CRL entry extension OID and syntax
|
|
|
|
ext-InvalidityDate EXTENSION ::= { SYNTAX
|
|
GeneralizedTime IDENTIFIED BY id-ce-invalidityDate }
|
|
id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
|
|
-- Upper bounds
|
|
ubMax INTEGER ::= 32768
|
|
|
|
END
|