aa2b2c82ab
svn path=/trunk/; revision=21149
-- Module CertificateExtensions (X.509:03/2000)
|
|
CertificateExtensions {joint-iso-itu-t ds(5) module(1)
|
|
certificateExtensions(26) 4} DEFINITIONS IMPLICIT TAGS ::=
|
|
BEGIN
|
|
|
|
-- EXPORTS ALL
|
|
IMPORTS
|
|
id-at, id-ce, id-mr, informationFramework, authenticationFramework,
|
|
selectedAttributeTypes, upperBounds
|
|
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
|
|
usefulDefinitions(0) 4}
|
|
Name, RelativeDistinguishedName, ATTRIBUTE, Attribute, MATCHING-RULE
|
|
FROM InformationFramework {joint-iso-itu-t ds(5) module(1)
|
|
informationFramework(1) 4}
|
|
CertificateSerialNumber, CertificateList, AlgorithmIdentifier, EXTENSION,
|
|
Time, PolicyID
|
|
FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
|
|
authenticationFramework(7) 4}
|
|
DirectoryString
|
|
FROM SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1)
|
|
selectedAttributeTypes(5) 4}
|
|
ub-name
|
|
FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 4}
|
|
ORAddress
|
|
FROM MTSAbstractService {joint-iso-itu-t mhs(6) mts(3) modules(0)
|
|
mts-abstract-service(1) version-1999(1)};
|
|
|
|
-- Unless explicitly noted otherwise, there is no significance to the ordering
|
|
-- of components of a SEQUENCE OF construct in this Specification.
|
|
-- public-key certificate and CRL extensions
|
|
-- authorityKeyIdentifier EXTENSION ::= {
|
|
-- SYNTAX AuthorityKeyIdentifier
|
|
-- IDENTIFIED BY id-ce-authorityKeyIdentifier
|
|
-- }
|
|
|
|
-- Syntax of the authorityKeyIdentifier extension.
-- The WITH COMPONENTS constraint after the type is commented out, so a
-- decoder generated from this module accepts authorityCertIssuer without
-- authorityCertSerialNumber and vice versa. A validator that relies on the
-- pair has to check itself that both are present or both are absent.
AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier             [0] IMPLICIT KeyIdentifier           OPTIONAL,
    authorityCertIssuer       [1] IMPLICIT GeneralNames            OPTIONAL,
    authorityCertSerialNumber [2] IMPLICIT CertificateSerialNumber OPTIONAL
}
--  (WITH COMPONENTS {
--      ...,
--      authorityCertIssuer       PRESENT,
--      authorityCertSerialNumber PRESENT
--   } |
--   WITH COMPONENTS {
--      ...,
--      authorityCertIssuer       ABSENT,
--      authorityCertSerialNumber ABSENT
--   })
|
|
|
|
-- Opaque key identifier. No SIZE bound is declared, so any length decodes.
KeyIdentifier ::= OCTET STRING
|
|
|
|
-- subjectKeyIdentifier EXTENSION ::= {
|
|
-- SYNTAX SubjectKeyIdentifier
|
|
-- IDENTIFIED BY id-ce-subjectKeyIdentifier
|
|
-- }
|
|
|
|
-- Syntax of the subjectKeyIdentifier extension; an alias of KeyIdentifier.
SubjectKeyIdentifier ::= KeyIdentifier
|
|
|
|
-- keyUsage EXTENSION ::= {SYNTAX KeyUsage
|
|
-- IDENTIFIED BY id-ce-keyUsage
|
|
-- }
|
|
|
|
-- Syntax of the keyUsage extension: one named bit per key operation.
-- A named-bit BIT STRING may be encoded with trailing zero bits removed, so
-- a consumer must treat a bit that is missing from the encoding as not set.
KeyUsage ::= BIT STRING {
    digitalSignature(0),
    nonRepudiation(1),
    keyEncipherment(2),
    dataEncipherment(3),
    keyAgreement(4),
    keyCertSign(5),
    cRLSign(6),
    encipherOnly(7),
    decipherOnly(8)
}
|
|
|
|
-- extKeyUsage EXTENSION ::= {
|
|
-- SYNTAX KeyPurposeIDs
|
|
-- IDENTIFIED BY id-ce-extKeyUsage
|
|
-- }
|
|
|
|
-- Syntax of the extKeyUsage extension.
-- No SIZE constraint is declared here, so an empty list decodes successfully.
KeyPurposeIDs ::= SEQUENCE OF KeyPurposeId
|
|
|
|
-- One extended key purpose, named by OID.
KeyPurposeId ::= OBJECT IDENTIFIER
|
|
|
|
-- privateKeyUsagePeriod EXTENSION ::= {
|
|
-- SYNTAX PrivateKeyUsagePeriod
|
|
-- IDENTIFIED BY id-ce-privateKeyUsagePeriod
|
|
-- }
|
|
|
|
-- Syntax of the privateKeyUsagePeriod extension.
-- The constraint requiring at least one of notBefore / notAfter is commented
-- out, so an empty SEQUENCE decodes; a consumer must handle that case.
PrivateKeyUsagePeriod ::= SEQUENCE {
    notBefore [0] IMPLICIT GeneralizedTime OPTIONAL,
    notAfter  [1] IMPLICIT GeneralizedTime OPTIONAL
}
--  (WITH COMPONENTS {
--      ...,
--      notBefore PRESENT
--   } | WITH COMPONENTS {
--      ...,
--      notAfter PRESENT
--   })
|
|
--
|
|
-- certificatePolicies EXTENSION ::= {
|
|
-- SYNTAX CertificatePoliciesSyntax
|
|
-- IDENTIFIED BY id-ce-certificatePolicies
|
|
-- }
|
|
|
|
-- Syntax of the certificatePolicies extension; at least one entry is required.
CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
|
|
|
|
-- One certificate policy and, optionally, a non-empty list of qualifiers.
PolicyInformation ::= SEQUENCE {
    policyIdentifier CertPolicyId,
    policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
}
|
|
|
|
-- A certificate policy, named by OID.
CertPolicyId ::= OBJECT IDENTIFIER
|
|
|
|
-- OID that selects the type carried in PolicyQualifierInfo.qualifier.
PolicyQualifierId ::= OBJECT IDENTIFIER
|
|
|
|
-- Open type: the CERT-POLICY-QUALIFIER class is commented out in this module,
-- so the value is declared as ANY. The decoder cannot check its contents; a
-- consumer must dispatch on policyQualifierId and treat unknown OIDs as opaque.
PolicyQualifierValue ::= ANY
|
|
|
|
-- A policy qualifier: an OID and an optional value whose type depends on it.
PolicyQualifierInfo ::= SEQUENCE {
    policyQualifierId PolicyQualifierId,
    qualifier         PolicyQualifierValue OPTIONAL
}
|
|
|
|
-- SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::=
|
|
-- {...}
|
|
--
|
|
-- anyPolicy OBJECT IDENTIFIER ::= {2 5 29 32 0}
|
|
--
|
|
-- CERT-POLICY-QUALIFIER ::= CLASS {
|
|
-- &id OBJECT IDENTIFIER UNIQUE,
|
|
-- &Qualifier OPTIONAL
|
|
-- }WITH SYNTAX {POLICY-QUALIFIER-ID &id
|
|
-- [QUALIFIER-TYPE &Qualifier]
|
|
-- }
|
|
--
|
|
-- policyMappings EXTENSION ::= {
|
|
-- SYNTAX PolicyMappingsSyntax
|
|
-- IDENTIFIED BY id-ce-policyMappings
|
|
-- }
|
|
|
|
-- Syntax of the policyMappings extension: a non-empty list of pairs that map
-- a policy of the issuer domain to a policy of the subject domain.
PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
    issuerDomainPolicy  CertPolicyId,
    subjectDomainPolicy CertPolicyId
}
|
|
|
|
-- subjectAltName EXTENSION ::= {
|
|
-- SYNTAX GeneralNames
|
|
-- IDENTIFIED BY id-ce-subjectAltName
|
|
-- }
|
|
|
|
-- Non-empty list of names; used as the syntax of subjectAltName and
-- issuerAltName and by several other types in this module.
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
|
|
|
|
-- One name, in the form selected by the context tag [0]..[8].
-- rfc822Name, dNSName and uniformResourceIdentifier are plain IA5String, so
-- the decoder does not reject embedded NUL or other control characters;
-- validate the string before comparing it with a host name or address.
-- iPAddress is an unbounded OCTET STRING; check its length before use.
-- NOTE(review): directoryName is tagged IMPLICIT. If the imported Name is a
-- CHOICE, ASN.1 does not allow implicit tagging and the tag is EXPLICIT on
-- the wire; confirm the ASN.1 compiler in use treats it that way.
GeneralName ::= CHOICE {
    otherName                 [0] IMPLICIT --INSTANCE OF OTHER-NAME-- OtherName,
    rfc822Name                [1] IMPLICIT IA5String,
    dNSName                   [2] IMPLICIT IA5String,
    x400Address               [3] IMPLICIT ORAddress,
    directoryName             [4] IMPLICIT Name,
    ediPartyName              [5] IMPLICIT EDIPartyName,
    uniformResourceIdentifier [6] IMPLICIT IA5String,
    iPAddress                 [7] IMPLICIT OCTET STRING,
    registeredID              [8] IMPLICIT OBJECT IDENTIFIER
}
|
|
|
|
-- OTHER-NAME ::= TYPE-IDENTIFIER
|
|
|
|
-- Name form identified by an OID. The value is the only component in this
-- type that is tagged EXPLICIT; the module default is IMPLICIT TAGS.
OtherName ::= SEQUENCE {
    type-id OtherNameType,
    value   [0] EXPLICIT OtherNameValue
}
|
|
|
|
-- OID that selects the type carried in OtherName.value.
OtherNameType ::= OBJECT IDENTIFIER
|
|
-- Open type: OTHER-NAME is commented out in this module, so the value is
-- declared as ANY. A consumer must dispatch on type-id and must not
-- interpret the contents for an OID it does not recognise.
OtherNameValue ::= ANY
|
|
|
|
-- EDI party name: optional assigner plus the mandatory party name.
-- NOTE(review): both components are tagged IMPLICIT. If the imported
-- DirectoryString is a CHOICE, ASN.1 does not allow implicit tagging and the
-- tags are EXPLICIT on the wire; confirm the ASN.1 compiler in use agrees.
EDIPartyName ::= SEQUENCE {
    nameAssigner [0] IMPLICIT DirectoryString OPTIONAL,
    partyName    [1] IMPLICIT DirectoryString
}
|
|
|
|
-- issuerAltName EXTENSION ::= {
|
|
-- SYNTAX GeneralNames
|
|
-- IDENTIFIED BY id-ce-issuerAltName
|
|
-- }
|
|
--
|
|
-- subjectDirectoryAttributes EXTENSION ::= {
|
|
-- SYNTAX AttributesSyntax
|
|
-- IDENTIFIED BY id-ce-subjectDirectoryAttributes
|
|
-- }
|
|
|
|
-- Syntax of the subjectDirectoryAttributes extension; at least one Attribute.
AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute
|
|
|
|
-- basicConstraints EXTENSION ::= {
|
|
-- SYNTAX BasicConstraintsSyntax
|
|
-- IDENTIFIED BY id-ce-basicConstraints
|
|
-- }
|
|
|
|
-- Syntax of the basicConstraints extension.
-- cA defaults to FALSE, so a certificate that omits the field must not be
-- accepted as a CA. pathLenConstraint is declared as an unconstrained
-- INTEGER in this module, so negative values decode; a path validator has to
-- reject them itself.
BasicConstraintsSyntax ::= SEQUENCE {
    cA                BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL
}
|
|
|
|
-- nameConstraints EXTENSION ::= {
|
|
-- SYNTAX NameConstraintsSyntax
|
|
-- IDENTIFIED BY id-ce-nameConstraints
|
|
-- }
|
|
|
|
-- Syntax of the nameConstraints extension. Both components are optional, so
-- an empty SEQUENCE decodes; a consumer must handle that case.
NameConstraintsSyntax ::= SEQUENCE {
    permittedSubtrees [0] IMPLICIT GeneralSubtrees OPTIONAL,
    excludedSubtrees  [1] IMPLICIT GeneralSubtrees OPTIONAL
}
|
|
|
|
-- List of name subtrees used by nameConstraints.
-- No SIZE constraint is declared here, so an empty list decodes successfully.
GeneralSubtrees ::= SEQUENCE OF GeneralSubtree
|
|
|
|
-- One name subtree: a base name and an optional distance range.
-- minimum defaults to 0 when absent; maximum has no default.
GeneralSubtree ::= SEQUENCE {
    base    GeneralName,
    minimum [0] IMPLICIT BaseDistance DEFAULT 0,
    maximum [1] IMPLICIT BaseDistance OPTIONAL
}
|
|
|
|
-- Non-negative distance used by GeneralSubtree; no upper bound is declared.
BaseDistance ::= INTEGER(0..MAX)
|
|
|
|
-- policyConstraints EXTENSION ::= {
|
|
-- SYNTAX PolicyConstraintsSyntax
|
|
-- IDENTIFIED BY id-ce-policyConstraints
|
|
-- }
|
|
|
|
-- Syntax of the policyConstraints extension. Both components are optional,
-- so an empty SEQUENCE decodes; a consumer must handle that case.
PolicyConstraintsSyntax ::= SEQUENCE {
    requireExplicitPolicy [0] IMPLICIT SkipCerts OPTIONAL,
    inhibitPolicyMapping  [1] IMPLICIT SkipCerts OPTIONAL
}
|
|
|
|
-- Non-negative certificate count; also the syntax of inhibitAnyPolicy.
-- No upper bound is declared, so the value may exceed a machine word.
SkipCerts ::= INTEGER(0..MAX)
|
|
|
|
-- cRLNumber EXTENSION ::= {
|
|
-- SYNTAX CRLNumber
|
|
-- IDENTIFIED BY id-ce-cRLNumber
|
|
-- }
|
|
|
|
-- Syntax of the cRLNumber extension: a non-negative integer with no upper
-- bound declared, so the value may exceed a machine word.
CRLNumber ::= INTEGER(0..MAX)
|
|
|
|
-- reasonCode EXTENSION ::= {
|
|
-- SYNTAX CRLReason
|
|
-- IDENTIFIED BY id-ce-reasonCode
|
|
-- }
|
|
|
|
-- Syntax of the reasonCode CRL entry extension.
-- Value 7 is not assigned. These numbers are enumeration values and differ
-- from the bit positions of ReasonFlags for privilegeWithdrawn and
-- aaCompromise, so the two must not be converted by number.
CRLReason ::= ENUMERATED {
    unspecified(0),
    keyCompromise(1),
    cACompromise(2),
    affiliationChanged(3),
    superseded(4),
    cessationOfOperation(5),
    certificateHold(6),
    removeFromCRL(8),
    privilegeWithdrawn(9),
    aaCompromise(10)
}
|
|
|
|
-- holdInstructionCode EXTENSION ::= {
|
|
-- SYNTAX HoldInstruction
|
|
-- IDENTIFIED BY id-ce-instructionCode
|
|
-- }
|
|
|
|
-- Syntax of the holdInstructionCode CRL entry extension.
HoldInstruction ::= OBJECT IDENTIFIER
|
|
|
|
-- invalidityDate EXTENSION ::= {
|
|
-- SYNTAX GeneralizedTime
|
|
-- IDENTIFIED BY id-ce-invalidityDate
|
|
-- }
|
|
--
|
|
-- crlScope EXTENSION ::= {
|
|
-- SYNTAX CRLScopeSyntax
|
|
-- IDENTIFIED BY id-ce-cRLScope
|
|
-- }
|
|
|
|
-- Syntax of the crlScope extension; at least one per-authority scope.
CRLScopeSyntax ::= SEQUENCE SIZE (1..MAX) OF PerAuthorityScope
|
|
|
|
-- Scope of a CRL for one authority. Every component is optional; tags [3]
-- and [8] are not assigned in this type.
-- NOTE(review): authorityName and distributionPoint are tagged IMPLICIT but
-- GeneralName and DistributionPointName are CHOICE types, which ASN.1 does
-- not allow to be tagged implicitly; the tags are EXPLICIT on the wire.
-- Confirm the ASN.1 compiler in use treats them that way.
PerAuthorityScope ::= SEQUENCE {
    authorityName      [0] IMPLICIT GeneralName           OPTIONAL,
    distributionPoint  [1] IMPLICIT DistributionPointName OPTIONAL,
    onlyContains       [2] IMPLICIT OnlyCertificateTypes  OPTIONAL,
    onlySomeReasons    [4] IMPLICIT ReasonFlags           OPTIONAL,
    serialNumberRange  [5] IMPLICIT NumberRange           OPTIONAL,
    subjectKeyIdRange  [6] IMPLICIT NumberRange           OPTIONAL,
    nameSubtrees       [7] IMPLICIT GeneralNames          OPTIONAL,
    baseRevocationInfo [9] IMPLICIT BaseRevocationInfo    OPTIONAL
}
|
|
|
|
-- Certificate types covered by a CRL scope, one named bit per type.
OnlyCertificateTypes ::= BIT STRING {
    userPublicKey(0),
    cA(1),
    userAttribute(2),
    aA(3),
    sOAPublicKey(4)
}
|
|
|
|
-- Range of numbers used by PerAuthorityScope. All three components are
-- optional and unconstrained INTEGERs, so an empty range, a negative bound
-- or a start above the end all decode; a consumer must check them.
NumberRange ::= SEQUENCE {
    startingNumber [0] IMPLICIT INTEGER OPTIONAL,
    endingNumber   [1] IMPLICIT INTEGER OPTIONAL,
    modulus        INTEGER OPTIONAL
}
|
|
|
|
-- Reference to the base revocation information: an optional stream
-- identifier plus the mandatory CRL number and update time.
BaseRevocationInfo ::= SEQUENCE {
    cRLStreamIdentifier [0] IMPLICIT CRLStreamIdentifier OPTIONAL,
    cRLNumber           [1] IMPLICIT CRLNumber,
    baseThisUpdate      [2] IMPLICIT GeneralizedTime
}
|
|
|
|
-- statusReferrals EXTENSION ::= {
|
|
-- SYNTAX StatusReferrals
|
|
-- IDENTIFIED BY id-ce-statusReferrals
|
|
-- }
|
|
|
|
-- Syntax of the statusReferrals extension; at least one referral.
StatusReferrals ::= SEQUENCE SIZE (1..MAX) OF StatusReferral
|
|
|
|
-- One status referral. Only cRLReferral is defined here; the otherReferral
-- alternative is commented out, so a decoder generated from this module does
-- not accept tag [1].
StatusReferral ::= CHOICE {
    cRLReferral [0] IMPLICIT CRLReferral
    -- otherReferral [1] IMPLICIT INSTANCE OF OTHER-REFERRAL
}
|
|
|
|
-- Referral to a CRL. cRLScope is the only mandatory component and carries
-- no tag; every other component is optional and context-tagged.
-- NOTE(review): issuer and location are tagged IMPLICIT but GeneralName is a
-- CHOICE, which ASN.1 does not allow to be tagged implicitly; the tags are
-- EXPLICIT on the wire. Confirm the ASN.1 compiler in use agrees.
CRLReferral ::= SEQUENCE {
    issuer         [0] IMPLICIT GeneralName     OPTIONAL,
    location       [1] IMPLICIT GeneralName     OPTIONAL,
    deltaRefInfo   [2] IMPLICIT DeltaRefInfo    OPTIONAL,
    cRLScope       CRLScopeSyntax,
    lastUpdate     [3] IMPLICIT GeneralizedTime OPTIONAL,
    lastChangedCRL [4] IMPLICIT GeneralizedTime OPTIONAL
}
|
|
|
|
-- Location of a delta CRL and, optionally, the time of the last delta.
DeltaRefInfo ::= SEQUENCE {
    deltaLocation GeneralName,
    lastDelta     GeneralizedTime OPTIONAL
}
|
|
|
|
-- OTHER-REFERRAL ::= TYPE-IDENTIFIER
|
|
--
|
|
-- cRLStreamIdentifier EXTENSION ::= {
|
|
-- SYNTAX CRLStreamIdentifier
|
|
-- IDENTIFIED BY id-ce-cRLStreamIdentifier
|
|
-- }
|
|
|
|
-- Syntax of the cRLStreamIdentifier extension: a non-negative integer with
-- no upper bound declared.
CRLStreamIdentifier ::= INTEGER(0..MAX)
|
|
|
|
-- orderedList EXTENSION ::= {
|
|
-- SYNTAX OrderedListSyntax
|
|
-- IDENTIFIED BY id-ce-orderedList
|
|
-- }
|
|
|
|
-- Syntax of the orderedList extension: the ordering declared for the list.
OrderedListSyntax ::= ENUMERATED {ascSerialNum(0), ascRevDate(1)}
|
|
|
|
-- deltaInfo EXTENSION ::= {
|
|
-- SYNTAX DeltaInformation
|
|
-- IDENTIFIED BY id-ce-deltaInfo
|
|
-- }
|
|
|
|
-- Syntax of the deltaInfo extension: where the delta CRL is located and,
-- optionally, when the next delta is expected.
DeltaInformation ::= SEQUENCE {
    deltaLocation GeneralName,
    nextDelta     GeneralizedTime OPTIONAL
}
|
|
|
|
-- cRLDistributionPoints EXTENSION ::= {
|
|
-- SYNTAX CRLDistPointsSyntax
|
|
-- IDENTIFIED BY id-ce-cRLDistributionPoints
|
|
-- }
|
|
|
|
-- Syntax of the cRLDistributionPoints and freshestCRL extensions; at least
-- one distribution point is required.
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
|
|
|
|
-- One CRL distribution point. Every component is optional, so an empty
-- SEQUENCE decodes; a consumer must handle that case.
-- NOTE(review): distributionPoint is tagged IMPLICIT but
-- DistributionPointName is a CHOICE, which ASN.1 does not allow to be tagged
-- implicitly; the tag is EXPLICIT on the wire. Confirm the ASN.1 compiler in
-- use treats it that way.
DistributionPoint ::= SEQUENCE {
    distributionPoint [0] IMPLICIT DistributionPointName OPTIONAL,
    reasons           [1] IMPLICIT ReasonFlags           OPTIONAL,
    cRLIssuer         [2] IMPLICIT GeneralNames          OPTIONAL
}
|
|
|
|
-- Name of a distribution point: either a full list of names or a name
-- relative to the CRL issuer.
DistributionPointName ::= CHOICE {
    fullName                [0] IMPLICIT GeneralNames,
    nameRelativeToCRLIssuer [1] IMPLICIT RelativeDistinguishedName
}
|
|
|
|
-- Set of revocation reasons, one named bit per reason; bit 0 is unused.
-- The bit positions are not the CRLReason enumeration values:
-- privilegeWithdrawn is bit 7 here and aACompromise is bit 8, so the two
-- types must not be converted by number.
ReasonFlags ::= BIT STRING {
    unused(0),
    keyCompromise(1),
    cACompromise(2),
    affiliationChanged(3),
    superseded(4),
    cessationOfOperation(5),
    certificateHold(6),
    privilegeWithdrawn(7),
    aACompromise(8)
}
|
|
|
|
-- issuingDistributionPoint EXTENSION ::= {
|
|
-- SYNTAX IssuingDistPointSyntax
|
|
-- IDENTIFIED BY id-ce-issuingDistributionPoint
|
|
-- }
|
|
|
|
-- Syntax of the issuingDistributionPoint extension.
-- NOTE(review): distributionPoint is tagged IMPLICIT but
-- DistributionPointName is a CHOICE, which ASN.1 does not allow to be tagged
-- implicitly; the tag is EXPLICIT on the wire. Confirm the ASN.1 compiler in
-- use treats it that way.
IssuingDistPointSyntax ::= SEQUENCE {
    -- If containsUserPublicKeyCerts, containsCACerts,
    -- containsUserAttributeCerts, containsAACerts and
    -- containsSOAPublicKeyCerts are all absent or not set to TRUE,
    -- the CRL covers all these certificate types.
    distributionPoint          [0] IMPLICIT DistributionPointName OPTIONAL,
    containsUserPublicKeyCerts [1] IMPLICIT BOOLEAN DEFAULT FALSE,
    containsCACerts            [2] IMPLICIT BOOLEAN DEFAULT FALSE,
    onlySomeReasons            [3] IMPLICIT ReasonFlags OPTIONAL,
    indirectCRL                [4] IMPLICIT BOOLEAN DEFAULT FALSE,
    containsUserAttributeCerts [5] IMPLICIT BOOLEAN DEFAULT FALSE,
    containsAACerts            [6] IMPLICIT BOOLEAN DEFAULT FALSE,
    containsSOAPublicKeyCerts  [7] IMPLICIT BOOLEAN DEFAULT FALSE
}
|
|
|
|
-- certificateIssuer EXTENSION ::= {
|
|
-- SYNTAX GeneralNames
|
|
-- IDENTIFIED BY id-ce-certificateIssuer
|
|
-- }
|
|
--
|
|
-- deltaCRLIndicator EXTENSION ::= {
|
|
-- SYNTAX BaseCRLNumber
|
|
-- IDENTIFIED BY id-ce-deltaCRLIndicator
|
|
-- }
|
|
|
|
-- Syntax of the deltaCRLIndicator extension; an alias of CRLNumber.
BaseCRLNumber ::= CRLNumber
|
|
|
|
-- baseUpdateTime EXTENSION ::= {
|
|
-- SYNTAX GeneralizedTime
|
|
-- IDENTIFIED BY id-ce-baseUpdateTime
|
|
-- }
|
|
--
|
|
-- freshestCRL EXTENSION ::= {
|
|
-- SYNTAX CRLDistPointsSyntax
|
|
-- IDENTIFIED BY id-ce-freshestCRL
|
|
-- }
|
|
--
|
|
-- inhibitAnyPolicy EXTENSION ::= {
|
|
-- SYNTAX SkipCerts
|
|
-- IDENTIFIED BY id-ce-inhibitAnyPolicy
|
|
-- }
|
|
--
|
|
-- PKI matching rules
|
|
-- certificateExactMatch MATCHING-RULE ::= {
|
|
-- SYNTAX CertificateExactAssertion
|
|
-- ID id-mr-certificateExactMatch
|
|
-- }
|
|
|
|
-- Assertion syntax of the certificateExactMatch matching rule: a certificate
-- is named by its serial number together with its issuer.
CertificateExactAssertion ::= SEQUENCE {
    serialNumber CertificateSerialNumber,
    issuer       Name
}
|
|
|
|
-- certificateMatch MATCHING-RULE ::= {
|
|
-- SYNTAX CertificateAssertion
|
|
-- ID id-mr-certificateMatch
|
|
-- }
|
|
|
|
-- Assertion syntax of the certificateMatch matching rule. Every component is
-- optional. certificateValid is commented out, so a decoder generated from
-- this module does not accept tag [4].
-- NOTE(review): subjectAltName is tagged IMPLICIT but AltNameType is a
-- CHOICE, which ASN.1 does not allow to be tagged implicitly; the tag is
-- EXPLICIT on the wire. The same applies to issuer, pathToName and subject
-- if the imported Name is a CHOICE. Confirm the ASN.1 compiler in use agrees.
CertificateAssertion ::= SEQUENCE {
    serialNumber           [0]  IMPLICIT CertificateSerialNumber OPTIONAL,
    issuer                 [1]  IMPLICIT Name                    OPTIONAL,
    subjectKeyIdentifier   [2]  IMPLICIT SubjectKeyIdentifier    OPTIONAL,
    authorityKeyIdentifier [3]  IMPLICIT AuthorityKeyIdentifier  OPTIONAL,
    -- certificateValid [4] IMPLICIT Time OPTIONAL,
    privateKeyValid        [5]  IMPLICIT GeneralizedTime         OPTIONAL,
    subjectPublicKeyAlgID  [6]  IMPLICIT OBJECT IDENTIFIER       OPTIONAL,
    keyUsage               [7]  IMPLICIT KeyUsage                OPTIONAL,
    subjectAltName         [8]  IMPLICIT AltNameType             OPTIONAL,
    policy                 [9]  IMPLICIT CertPolicySet           OPTIONAL,
    pathToName             [10] IMPLICIT Name                    OPTIONAL,
    subject                [11] IMPLICIT Name                    OPTIONAL,
    nameConstraints        [12] IMPLICIT NameConstraintsSyntax   OPTIONAL
}
|
|
|
|
-- Selects an alternative name form for CertificateAssertion.subjectAltName.
-- The builtinNameForm values 1..8 carry the same numbers as the GeneralName
-- context tags; note the spelling registeredId here versus registeredID in
-- GeneralName. There is no value for otherName; that form is selected by
-- otherNameForm instead.
AltNameType ::= CHOICE {
    builtinNameForm ENUMERATED {
        rfc822Name(1),
        dNSName(2),
        x400Address(3),
        directoryName(4),
        ediPartyName(5),
        uniformResourceIdentifier(6),
        iPAddress(7),
        registeredId(8)
    },
    otherNameForm OBJECT IDENTIFIER
}
|
|
|
|
-- Non-empty list of policy OIDs used by CertificateAssertion.policy.
CertPolicySet ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId
|
|
|
|
-- certificatePairExactMatch MATCHING-RULE ::= {
|
|
-- SYNTAX CertificatePairExactAssertion
|
|
-- ID id-mr-certificatePairExactMatch
|
|
-- }
|
|
|
|
-- Assertion syntax of the certificatePairExactMatch matching rule.
-- The constraint requiring at least one of the two components is commented
-- out, so an empty SEQUENCE decodes; a consumer must handle that case.
CertificatePairExactAssertion ::= SEQUENCE {
    issuedToThisCAAssertion [0] IMPLICIT CertificateExactAssertion OPTIONAL,
    issuedByThisCAAssertion [1] IMPLICIT CertificateExactAssertion OPTIONAL
}
--  (WITH COMPONENTS {
--      ...,
--      issuedToThisCAAssertion PRESENT
--   } | WITH COMPONENTS {
--      ...,
--      issuedByThisCAAssertion PRESENT
--   })
|
|
--
|
|
-- certificatePairMatch MATCHING-RULE ::= {
|
|
-- SYNTAX CertificatePairAssertion
|
|
-- ID id-mr-certificatePairMatch
|
|
-- }
|
|
|
|
-- Assertion syntax of the certificatePairMatch matching rule.
-- The constraint requiring at least one of the two components is commented
-- out, so an empty SEQUENCE decodes; a consumer must handle that case.
CertificatePairAssertion ::= SEQUENCE {
    issuedToThisCAAssertion [0] IMPLICIT CertificateAssertion OPTIONAL,
    issuedByThisCAAssertion [1] IMPLICIT CertificateAssertion OPTIONAL
}
--  (WITH COMPONENTS {
--      ...,
--      issuedToThisCAAssertion PRESENT
--   } | WITH COMPONENTS {
--      ...,
--      issuedByThisCAAssertion PRESENT
--   })
|
|
--
|
|
-- certificateListExactMatch MATCHING-RULE ::= {
|
|
-- SYNTAX CertificateListExactAssertion
|
|
-- ID id-mr-certificateListExactMatch
|
|
-- }
|
|
|
|
-- Assertion syntax of the certificateListExactMatch matching rule.
-- thisUpdate is commented out in this module, so the assertion decoded here
-- carries only the issuer and an optional distribution point.
CertificateListExactAssertion ::= SEQUENCE {
    issuer            Name,
    -- thisUpdate Time,
    distributionPoint DistributionPointName OPTIONAL
}
|
|
|
|
-- certificateListMatch MATCHING-RULE ::= {
|
|
-- SYNTAX CertificateListAssertion
|
|
-- ID id-mr-certificateListMatch
|
|
-- }
|
|
|
|
-- Assertion syntax of the certificateListMatch matching rule. Every
-- component is optional; dateAndTime is commented out in this module.
-- NOTE(review): distributionPoint is tagged IMPLICIT but
-- DistributionPointName is a CHOICE, which ASN.1 does not allow to be tagged
-- implicitly; the tag is EXPLICIT on the wire. Confirm the ASN.1 compiler in
-- use treats it that way.
CertificateListAssertion ::= SEQUENCE {
    issuer                 Name OPTIONAL,
    minCRLNumber           [0] IMPLICIT CRLNumber OPTIONAL,
    maxCRLNumber           [1] IMPLICIT CRLNumber OPTIONAL,
    reasonFlags            ReasonFlags OPTIONAL,
    -- dateAndTime Time OPTIONAL,
    distributionPoint      [2] IMPLICIT DistributionPointName OPTIONAL,
    authorityKeyIdentifier [3] IMPLICIT AuthorityKeyIdentifier OPTIONAL
}
|
|
|
|
-- algorithmIdentifierMatch MATCHING-RULE ::= {
|
|
-- SYNTAX AlgorithmIdentifier
|
|
-- ID id-mr-algorithmIdentifierMatch
|
|
-- }
|
|
--
|
|
-- policyMatch MATCHING-RULE ::= {SYNTAX PolicyID
|
|
-- ID id-mr-policyMatch
|
|
-- }
|
|
--
|
|
-- pkiPathMatch MATCHING-RULE ::= {
|
|
-- SYNTAX PkiPathMatchSyntax
|
|
-- ID id-mr-pkiPathMatch
|
|
-- }
|
|
|
|
-- Assertion syntax of the pkiPathMatch matching rule: the issuer of the
-- first certificate and the subject of the last one.
PkiPathMatchSyntax ::= SEQUENCE {
    firstIssuer Name,
    lastSubject Name
}
|
|
|
|
-- Object identifier assignments
|
|
-- Extension OIDs. Every value is one arc below id-ce, which is imported from
-- UsefulDefinitions. Arc 34 is marked deprecated and has no name here.
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}
id-ce-subjectKeyIdentifier       OBJECT IDENTIFIER ::= {id-ce 14}
id-ce-keyUsage                   OBJECT IDENTIFIER ::= {id-ce 15}
id-ce-privateKeyUsagePeriod      OBJECT IDENTIFIER ::= {id-ce 16}
id-ce-subjectAltName             OBJECT IDENTIFIER ::= {id-ce 17}
id-ce-issuerAltName              OBJECT IDENTIFIER ::= {id-ce 18}
id-ce-basicConstraints           OBJECT IDENTIFIER ::= {id-ce 19}
id-ce-cRLNumber                  OBJECT IDENTIFIER ::= {id-ce 20}
id-ce-reasonCode                 OBJECT IDENTIFIER ::= {id-ce 21}
id-ce-instructionCode            OBJECT IDENTIFIER ::= {id-ce 23}
id-ce-invalidityDate             OBJECT IDENTIFIER ::= {id-ce 24}
id-ce-deltaCRLIndicator          OBJECT IDENTIFIER ::= {id-ce 27}
id-ce-issuingDistributionPoint   OBJECT IDENTIFIER ::= {id-ce 28}
id-ce-certificateIssuer          OBJECT IDENTIFIER ::= {id-ce 29}
id-ce-nameConstraints            OBJECT IDENTIFIER ::= {id-ce 30}
id-ce-cRLDistributionPoints      OBJECT IDENTIFIER ::= {id-ce 31}
id-ce-certificatePolicies        OBJECT IDENTIFIER ::= {id-ce 32}
id-ce-policyMappings             OBJECT IDENTIFIER ::= {id-ce 33}
-- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
id-ce-authorityKeyIdentifier     OBJECT IDENTIFIER ::= {id-ce 35}
id-ce-policyConstraints          OBJECT IDENTIFIER ::= {id-ce 36}
id-ce-extKeyUsage                OBJECT IDENTIFIER ::= {id-ce 37}
id-ce-cRLStreamIdentifier        OBJECT IDENTIFIER ::= {id-ce 40}
id-ce-cRLScope                   OBJECT IDENTIFIER ::= {id-ce 44}
id-ce-statusReferrals            OBJECT IDENTIFIER ::= {id-ce 45}
id-ce-freshestCRL                OBJECT IDENTIFIER ::= {id-ce 46}
id-ce-orderedList                OBJECT IDENTIFIER ::= {id-ce 47}
id-ce-baseUpdateTime             OBJECT IDENTIFIER ::= {id-ce 51}
id-ce-deltaInfo                  OBJECT IDENTIFIER ::= {id-ce 53}
id-ce-inhibitAnyPolicy           OBJECT IDENTIFIER ::= {id-ce 54}
|
|
|
|
-- matching rule OIDs
|
|
-- id-mr-certificateExactMatch OBJECT IDENTIFIER ::=
|
|
-- {id-mr 34}
|
|
--
|
|
-- id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}
|
|
--
|
|
-- id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}
|
|
--
|
|
-- id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}
|
|
--
|
|
-- id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}
|
|
--
|
|
-- id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}
|
|
--
|
|
-- id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}
|
|
--
|
|
-- id-mr-policyMatch OBJECT IDENTIFIER ::= {id-mr 60}
|
|
--
|
|
-- id-mr-pkiPathMatch OBJECT IDENTIFIER ::= {id-mr 62}
|
|
--
|
|
-- The following OBJECT IDENTIFIERS are not used by this Specification:
|
|
-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
|
|
-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
|
|
-- {id-ce 22}, {id-ce 25}, {id-ce 26}
|
|
|
|
-- Microsoft Certificate Extension
|
|
|
|
-- Syntax of the Microsoft certificate template extension; not part of the
-- X.509 definitions above, and no OID is assigned to it in this module.
-- Both version numbers are unconstrained INTEGERs, so negative or very
-- large values decode; a consumer must range-check them.
CertificateTemplate ::= SEQUENCE {
    templateID           OBJECT IDENTIFIER,
    templateMajorVersion INTEGER,
    templateMinorVersion INTEGER OPTIONAL
}
|
|
|
|
END
|
|
|
|
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D
|