fixeria
/
pycrate
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
pycrate/pycrate_asn1dir/ITUT_X509_2012-10/AttributeCertificateDefinit...

550 lines
18 KiB
Groff
Raw Blame History

AttributeCertificateDefinitions {joint-iso-itu-t ds(5) module(1)
attributeCertificateDefinitions(32) 7}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL
IMPORTS
basicAccessControl, id-at, id-ce, id-mr, informationFramework,
authenticationFramework, selectedAttributeTypes, id-oc, certificateExtensions
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 7}
ATTRIBUTE, Attribute{}, AttributeType, MATCHING-RULE, Name, OBJECT-CLASS,
RelativeDistinguishedName, SupportedAttributes, top
FROM InformationFramework informationFramework
AttributeTypeAndValue
FROM BasicAccessControl basicAccessControl
AlgorithmIdentifier, Certificate, CertificateList, CertificateSerialNumber,
EXTENSION, Extensions, InfoSyntax, PolicySyntax, SIGNED{}, SupportedAlgorithms
FROM AuthenticationFramework authenticationFramework
TimeSpecification, UnboundedDirectoryString, UniqueIdentifier
FROM SelectedAttributeTypes selectedAttributeTypes
certificateListExactMatch, GeneralName, GeneralNames, NameConstraintsSyntax
FROM CertificateExtensions certificateExtensions
UserNotice
FROM PKIX1Implicit93 {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-93(4)};
-- Unless explicitly noted otherwise, there is no significance to the ordering
-- of components of a SEQUENCE OF construct in this Specification.
-- attribute certificate constructs
AttributeCertificate ::= SIGNED{AttributeCertificateInfo}
AttributeCertificateInfo ::= SEQUENCE {
version AttCertVersion, -- version is v2
holder Holder,
issuer AttCertIssuer,
signature AlgorithmIdentifier{{SupportedAlgorithms}},
serialNumber CertificateSerialNumber,
attrCertValidityPeriod AttCertValidityPeriod,
attributes SEQUENCE OF Attribute{{SupportedAttributes}},
issuerUniqueID UniqueIdentifier OPTIONAL,
...,
extensions Extensions OPTIONAL }
AttCertVersion ::= INTEGER {v2(1)}
Holder ::= SEQUENCE {
baseCertificateID [0] IssuerSerial OPTIONAL,
entityName [1] GeneralNames OPTIONAL,
objectDigestInfo [2] ObjectDigestInfo OPTIONAL }
(WITH COMPONENTS {..., baseCertificateID PRESENT } |
WITH COMPONENTS {..., entityName PRESENT } |
WITH COMPONENTS {..., objectDigestInfo PRESENT } )
IssuerSerial ::= SEQUENCE {
issuer GeneralNames,
serial CertificateSerialNumber,
issuerUID UniqueIdentifier OPTIONAL,
... }
ObjectDigestInfo ::= SEQUENCE {
digestedObjectType ENUMERATED {
publicKey (0),
publicKeyCert (1),
otherObjectTypes (2)},
otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
digestAlgorithm AlgorithmIdentifier{{SupportedAlgorithms}},
objectDigest BIT STRING,
... }
AttCertIssuer ::= [0] SEQUENCE {
issuerName GeneralNames OPTIONAL,
baseCertificateID [0] IssuerSerial OPTIONAL,
objectDigestInfo [1] ObjectDigestInfo OPTIONAL,
... }
(WITH COMPONENTS {..., issuerName PRESENT } |
WITH COMPONENTS {..., baseCertificateID PRESENT } |
WITH COMPONENTS {..., objectDigestInfo PRESENT } )
AttCertValidityPeriod ::= SEQUENCE {
notBeforeTime GeneralizedTime,
notAfterTime GeneralizedTime,
... }
AttributeCertificationPath ::= SEQUENCE {
attributeCertificate AttributeCertificate,
acPath SEQUENCE OF ACPathData OPTIONAL,
... }
ACPathData ::= SEQUENCE {
certificate [0] Certificate OPTIONAL,
attributeCertificate [1] AttributeCertificate OPTIONAL,
... }
PrivilegePolicy ::= OBJECT IDENTIFIER
-- privilege attributes
role ATTRIBUTE ::= {
WITH SYNTAX RoleSyntax
ID id-at-role }
RoleSyntax ::= SEQUENCE {
roleAuthority [0] GeneralNames OPTIONAL,
roleName [1] GeneralName,
... }
xmlPrivilegeInfo ATTRIBUTE ::= {
WITH SYNTAX UTF8String --contains XML-encoded privilege information
ID id-at-xMLPrivilegeInfo }
permission ATTRIBUTE ::= {
WITH SYNTAX DualStringSyntax
EQUALITY MATCHING RULE dualStringMatch
ID id-at-permission }
DualStringSyntax ::= SEQUENCE {
operation [0] UnboundedDirectoryString,
object [1] UnboundedDirectoryString,
... }
dualStringMatch MATCHING-RULE ::= {
SYNTAX DualStringSyntax
ID id-mr-dualStringMatch }
timeSpecification EXTENSION ::= {
SYNTAX TimeSpecification
IDENTIFIED BY id-ce-timeSpecification }
timeSpecificationMatch MATCHING-RULE ::= {
SYNTAX TimeSpecification
ID id-mr-timeSpecMatch }
targetingInformation EXTENSION ::= {
SYNTAX SEQUENCE SIZE (1..MAX) OF Targets
IDENTIFIED BY id-ce-targetInformation }
Targets ::= SEQUENCE SIZE (1..MAX) OF Target
Target ::= CHOICE {
targetName [0] GeneralName,
targetGroup [1] GeneralName,
targetCert [2] TargetCert,
... }
TargetCert ::= SEQUENCE {
targetCertificate IssuerSerial,
targetName GeneralName OPTIONAL,
certDigestInfo ObjectDigestInfo OPTIONAL }
userNotice EXTENSION ::= {
SYNTAX SEQUENCE SIZE (1..MAX) OF UserNotice
IDENTIFIED BY id-ce-userNotice }
acceptablePrivilegePolicies EXTENSION ::= {
SYNTAX AcceptablePrivilegePoliciesSyntax
IDENTIFIED BY id-ce-acceptablePrivilegePolicies }
AcceptablePrivilegePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PrivilegePolicy
singleUse EXTENSION ::= {
SYNTAX NULL
IDENTIFIED BY id-ce-singleUse }
groupAC EXTENSION ::= {
SYNTAX NULL
IDENTIFIED BY id-ce-groupAC }
noRevAvail EXTENSION ::= {
SYNTAX NULL
IDENTIFIED BY id-ce-noRevAvail }
sOAIdentifier EXTENSION ::= {
SYNTAX NULL
IDENTIFIED BY id-ce-sOAIdentifier }
sOAIdentifierMatch MATCHING-RULE ::= {
SYNTAX NULL
ID id-mr-sOAIdentifierMatch }
attributeDescriptor EXTENSION ::= {
SYNTAX AttributeDescriptorSyntax
IDENTIFIED BY {id-ce-attributeDescriptor} }
AttributeDescriptorSyntax ::= SEQUENCE {
identifier AttributeIdentifier,
attributeSyntax OCTET STRING(SIZE (1..MAX)),
name [0] AttributeName OPTIONAL,
description [1] AttributeDescription OPTIONAL,
dominationRule PrivilegePolicyIdentifier,
... }
AttributeIdentifier ::= ATTRIBUTE.&id({AttributeIDs})
AttributeIDs ATTRIBUTE ::= {...}
AttributeName ::= UTF8String(SIZE (1..MAX))
AttributeDescription ::= UTF8String(SIZE (1..MAX))
PrivilegePolicyIdentifier ::= SEQUENCE {
privilegePolicy PrivilegePolicy,
privPolSyntax InfoSyntax,
... }
attDescriptor MATCHING-RULE ::= {
SYNTAX AttributeDescriptorSyntax
ID id-mr-attDescriptorMatch }
roleSpecCertIdentifier EXTENSION ::= {
SYNTAX RoleSpecCertIdentifierSyntax
IDENTIFIED BY {id-ce-roleSpecCertIdentifier} }
RoleSpecCertIdentifierSyntax ::=
SEQUENCE SIZE (1..MAX) OF RoleSpecCertIdentifier
RoleSpecCertIdentifier ::= SEQUENCE {
roleName [0] GeneralName,
roleCertIssuer [1] GeneralName,
roleCertSerialNumber [2] CertificateSerialNumber OPTIONAL,
roleCertLocator [3] GeneralNames OPTIONAL,
... }
roleSpecCertIdMatch MATCHING-RULE ::= {
SYNTAX RoleSpecCertIdentifierSyntax
ID id-mr-roleSpecCertIdMatch }
basicAttConstraints EXTENSION ::= {
SYNTAX BasicAttConstraintsSyntax
IDENTIFIED BY {id-ce-basicAttConstraints} }
BasicAttConstraintsSyntax ::= SEQUENCE {
authority BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER(0..MAX) OPTIONAL,
... }
basicAttConstraintsMatch MATCHING-RULE ::= {
SYNTAX BasicAttConstraintsSyntax
ID id-mr-basicAttConstraintsMatch }
delegatedNameConstraints EXTENSION ::= {
SYNTAX NameConstraintsSyntax
IDENTIFIED BY id-ce-delegatedNameConstraints }
delegatedNameConstraintsMatch MATCHING-RULE ::= {
SYNTAX NameConstraintsSyntax
ID id-mr-delegatedNameConstraintsMatch }
acceptableCertPolicies EXTENSION ::= {
SYNTAX AcceptableCertPoliciesSyntax
IDENTIFIED BY id-ce-acceptableCertPolicies }
AcceptableCertPoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId
CertPolicyId ::= OBJECT IDENTIFIER
acceptableCertPoliciesMatch MATCHING-RULE ::= {
SYNTAX AcceptableCertPoliciesSyntax
ID id-mr-acceptableCertPoliciesMatch }
authorityAttributeIdentifier EXTENSION ::= {
SYNTAX AuthorityAttributeIdentifierSyntax
IDENTIFIED BY {id-ce-authorityAttributeIdentifier} }
AuthorityAttributeIdentifierSyntax ::= SEQUENCE SIZE (1..MAX) OF AuthAttId
AuthAttId ::= IssuerSerial
authAttIdMatch MATCHING-RULE ::= {
SYNTAX AuthorityAttributeIdentifierSyntax
ID id-mr-authAttIdMatch }
indirectIssuer EXTENSION ::= {
SYNTAX NULL
IDENTIFIED BY id-ce-indirectIssuer }
issuedOnBehalfOf EXTENSION ::= {
SYNTAX GeneralName
IDENTIFIED BY id-ce-issuedOnBehalfOf }
noAssertion EXTENSION ::= {
SYNTAX NULL
IDENTIFIED BY id-ce-noAssertion }
allowedAttributeAssignments EXTENSION ::= {
SYNTAX AllowedAttributeAssignments
IDENTIFIED BY id-ce-allowedAttAss }
AllowedAttributeAssignments ::= SET OF SEQUENCE {
attributes [0] SET OF CHOICE {
attributeType [0] AttributeType,
attributeTypeandValues [1] Attribute{{SupportedAttributes}},
... },
holderDomain [1] GeneralName,
... }
attributeMappings EXTENSION ::= {
SYNTAX AttributeMappings
IDENTIFIED BY id-ce-attributeMappings }
AttributeMappings ::= SET OF CHOICE {
typeMappings [0] SEQUENCE {
local [0] AttributeType,
remote [1] AttributeType,
... },
typeValueMappings [1] SEQUENCE {
local [0] AttributeTypeAndValue,
remote [1] AttributeTypeAndValue,
... } }
holderNameConstraints EXTENSION ::= {
SYNTAX HolderNameConstraintsSyntax
IDENTIFIED BY id-ce-holderNameConstraints }
HolderNameConstraintsSyntax ::= SEQUENCE {
permittedSubtrees [0] GeneralSubtrees,
excludedSubtrees [1] GeneralSubtrees OPTIONAL,
... }
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
GeneralSubtree ::= SEQUENCE {
base GeneralName,
minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL,
... }
BaseDistance ::= INTEGER(0..MAX)
-- PMI object classes
pmiUser OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {attributeCertificateAttribute}
ID id-oc-pmiUser }
pmiAA OBJECT-CLASS ::= { -- a PMI AA
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {aACertificate |
attributeCertificateRevocationList |
attributeAuthorityRevocationList}
ID id-oc-pmiAA }
pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {attributeCertificateRevocationList |
attributeAuthorityRevocationList |
attributeDescriptorCertificate}
ID id-oc-pmiSOA }
attCertCRLDistributionPt OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {attributeCertificateRevocationList |
attributeAuthorityRevocationList}
ID id-oc-attCertCRLDistributionPts }
pmiDelegationPath OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {delegationPath}
ID id-oc-pmiDelegationPath }
privilegePolicy OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {privPolicy}
ID id-oc-privilegePolicy }
protectedPrivilegePolicy OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {protPrivPolicy}
ID id-oc-protectedPrivilegePolicy }
-- PMI directory attributes
attributeCertificateAttribute ATTRIBUTE ::= {
WITH SYNTAX AttributeCertificate
EQUALITY MATCHING RULE attributeCertificateExactMatch
ID id-at-attributeCertificate }
aACertificate ATTRIBUTE ::= {
WITH SYNTAX AttributeCertificate
EQUALITY MATCHING RULE attributeCertificateExactMatch
ID id-at-aACertificate }
attributeDescriptorCertificate ATTRIBUTE ::= {
WITH SYNTAX AttributeCertificate
EQUALITY MATCHING RULE attributeCertificateExactMatch
ID id-at-attributeDescriptorCertificate }
attributeCertificateRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
EQUALITY MATCHING RULE certificateListExactMatch
ID id-at-attributeCertificateRevocationList }
attributeAuthorityRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
EQUALITY MATCHING RULE certificateListExactMatch
ID id-at-attributeAuthorityRevocationList }
delegationPath ATTRIBUTE ::= {
WITH SYNTAX AttCertPath
ID id-at-delegationPath }
AttCertPath ::= SEQUENCE OF AttributeCertificate
privPolicy ATTRIBUTE ::= {
WITH SYNTAX PolicySyntax
ID id-at-privPolicy }
protPrivPolicy ATTRIBUTE ::= {
WITH SYNTAX AttributeCertificate
EQUALITY MATCHING RULE attributeCertificateExactMatch
ID id-at-protPrivPolicy }
xmlPrivPolicy ATTRIBUTE ::= {
WITH SYNTAX UTF8String -- XML-encoded privilege policy information
ID id-at-xmlPrivPolicy }
-- Attribute certificate extensions and matching rules
attributeCertificateExactMatch MATCHING-RULE ::= {
SYNTAX AttributeCertificateExactAssertion
ID id-mr-attributeCertificateExactMatch }
AttributeCertificateExactAssertion ::= SEQUENCE {
serialNumber CertificateSerialNumber,
issuer AttCertIssuer,
... }
attributeCertificateMatch MATCHING-RULE ::= {
SYNTAX AttributeCertificateAssertion
ID id-mr-attributeCertificateMatch }
AttributeCertificateAssertion ::= SEQUENCE {
holder [0] CHOICE {
baseCertificateID [0] IssuerSerial,
holderName [1] GeneralNames,
...} OPTIONAL,
issuer [1] GeneralNames OPTIONAL,
attCertValidity [2] GeneralizedTime OPTIONAL,
attType [3] SET OF AttributeType OPTIONAL,
... }
-- At least one component of the sequence shall be present
holderIssuerMatch MATCHING-RULE ::= {
SYNTAX HolderIssuerAssertion
ID id-mr-holderIssuerMatch }
HolderIssuerAssertion ::= SEQUENCE {
holder [0] Holder OPTIONAL,
issuer [1] AttCertIssuer OPTIONAL,
... }
delegationPathMatch MATCHING-RULE ::= {
SYNTAX DelMatchSyntax
ID id-mr-delegationPathMatch }
DelMatchSyntax ::= SEQUENCE {
firstIssuer AttCertIssuer,
lastHolder Holder,
... }
extensionPresenceMatch MATCHING-RULE ::= {
SYNTAX EXTENSION.&id
ID id-mr-extensionPresenceMatch }
-- object identifier assignments
-- object classes
id-oc-pmiUser OBJECT IDENTIFIER ::= {id-oc 24}
id-oc-pmiAA OBJECT IDENTIFIER ::= {id-oc 25}
id-oc-pmiSOA OBJECT IDENTIFIER ::= {id-oc 26}
id-oc-attCertCRLDistributionPts OBJECT IDENTIFIER ::= {id-oc 27}
id-oc-privilegePolicy OBJECT IDENTIFIER ::= {id-oc 32}
id-oc-pmiDelegationPath OBJECT IDENTIFIER ::= {id-oc 33}
id-oc-protectedPrivilegePolicy OBJECT IDENTIFIER ::= {id-oc 34}
-- directory attributes
id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61}
id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62}
id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63}
id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71}
id-at-role OBJECT IDENTIFIER ::= {id-at 72}
id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73}
id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74}
id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75}
id-at-xmlPrivPolicy OBJECT IDENTIFIER ::= {id-at 76}
id-at-permission OBJECT IDENTIFIER ::= {id-at 82}
-- attribute certificate extensions
id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
id-ce-singleUse OBJECT IDENTIFIER ::= {id-ce 65}
id-ce-groupAC OBJECT IDENTIFIER ::= {id-ce 66}
id-ce-allowedAttAss OBJECT IDENTIFIER ::= {id-ce 67}
id-ce-attributeMappings OBJECT IDENTIFIER ::= {id-ce 68}
id-ce-holderNameConstraints OBJECT IDENTIFIER ::= {id-ce 69}
-- PMI matching rules
id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}
id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45}
id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46}
id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53}
id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54}
id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55}
id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56}
id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57}
id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58}
id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59}
id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61}
id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66}
id-mr-extensionPresenceMatch OBJECT IDENTIFIER ::= {id-mr 67}
id-mr-dualStringMatch OBJECT IDENTIFIER ::= {id-mr 69}
END -- AttributeCertificateDefinitions
Reference in New Issue View Git Blame Copy Permalink