4726aec5b0
svn path=/trunk/; revision=26740
284 lines
9.2 KiB
Groff
284 lines
9.2 KiB
Groff
-- Module AuthenticationFramework (X.509:08/1997)
|
|
|
|
AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
|
|
authenticationFramework(7) 3} DEFINITIONS ::=
|
|
BEGIN
|
|
|
|
-- EXPORTS All
|
|
-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
|
|
-- within the Directory Specifications, and for the use of other applications which will use them to access
|
|
-- Directory services. Other applications may use them for their own purposes, but this will not constrain
|
|
-- extensions and modifications needed to maintain or improve the Directory service.
|
|
IMPORTS
|
|
id-at, id-mr, informationFramework, upperBounds, selectedAttributeTypes,
|
|
basicAccessControl, certificateExtensions
|
|
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
|
|
usefulDefinitions(0) 3}
|
|
Name, ATTRIBUTE, AttributeType, MATCHING-RULE, Attribute, RDNSequence
|
|
FROM InformationFramework informationFramework
|
|
ub-user-password
|
|
FROM UpperBounds upperBounds
|
|
AuthenticationLevel
|
|
FROM BasicAccessControl basicAccessControl
|
|
UniqueIdentifier, octetStringMatch
|
|
FROM SelectedAttributeTypes selectedAttributeTypes
|
|
certificateExactMatch, certificatePairExactMatch, certificateListExactMatch,
|
|
GeneralNames
|
|
FROM CertificateExtensions certificateExtensions;
|
|
|
|
-- basic certificate definition
|
|
Certificate ::= SEQUENCE {
|
|
signedCertificate SEQUENCE {
|
|
version [0] Version DEFAULT v1,
|
|
serialNumber CertificateSerialNumber,
|
|
signature AlgorithmIdentifier,
|
|
issuer Name,
|
|
validity Validity,
|
|
subject SubjectName,
|
|
subjectPublicKeyInfo SubjectPublicKeyInfo,
|
|
issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL,
|
|
-- if present, version must be v2 or v3
|
|
subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
|
|
-- if present, version must be v2 or v3
|
|
extensions [3] Extensions OPTIONAL
|
|
-- If present, version must be v3 -- },
|
|
algorithmIdentifier AlgorithmIdentifier,
|
|
encrypted BIT STRING
|
|
}
|
|
|
|
-- imported to allow labelling
|
|
SubjectName ::= CHOICE {
|
|
rdnSequence RDNSequence
|
|
}
|
|
|
|
Version ::= INTEGER {v1(0), v2(1), v3(2)}
|
|
|
|
CertificateSerialNumber ::= INTEGER
|
|
|
|
AlgorithmIdentifier ::= SEQUENCE {
|
|
algorithmId OBJECT IDENTIFIER,
|
|
parameters ANY OPTIONAL
|
|
}
|
|
|
|
-- Definition of the following information object set is deferred, perhaps to standardized
|
|
-- profiles or to protocol implementation conformance statements. The set is required to
|
|
-- specify a table constraint on the parameters component of AlgorithmIdentifier.
|
|
--SupportedAlgorithms ALGORITHM ::=
|
|
--{...}
|
|
|
|
Validity ::= SEQUENCE {notBefore Time,
|
|
notAfter Time
|
|
}
|
|
|
|
SubjectPublicKeyInfo ::= SEQUENCE {
|
|
algorithm AlgorithmIdentifier,
|
|
subjectPublicKey BIT STRING
|
|
}
|
|
|
|
Time ::= CHOICE {utcTime UTCTime,
|
|
generalizedTime GeneralizedTime
|
|
}
|
|
|
|
Extensions ::= SEQUENCE OF Extension
|
|
|
|
-- For those extensions where ordering of individual extensions within the SEQUENCE is significant, the
|
|
-- specification of those individual extensions shall include the rules for the significance of the order therein
|
|
Extension ::= SEQUENCE {
|
|
extnId OBJECT IDENTIFIER,
|
|
critical BOOLEAN OPTIONAL,
|
|
extnValue OCTET STRING
|
|
-- contains a DER encoding of a value of type &ExtnType
|
|
-- for the extension object identified by extnId
|
|
}
|
|
|
|
--ExtensionSet EXTENSION ::=
|
|
-- {...}
|
|
|
|
EXTENSION ::= CLASS {&id OBJECT IDENTIFIER UNIQUE,
|
|
&ExtnType
|
|
}WITH SYNTAX {SYNTAX &ExtnType
|
|
IDENTIFIED BY &id
|
|
}
|
|
|
|
-- other certificate constructs
|
|
Certificates ::= SEQUENCE {
|
|
userCertificate Certificate,
|
|
certificationPath ForwardCertificationPath OPTIONAL
|
|
}
|
|
|
|
ForwardCertificationPath ::= SEQUENCE OF CrossCertificates
|
|
|
|
CrossCertificates ::= SET OF Certificate
|
|
|
|
CertificationPath ::= SEQUENCE {
|
|
userCertificate Certificate,
|
|
theCACertificates SEQUENCE OF CertificatePair OPTIONAL
|
|
}
|
|
|
|
CertificatePair ::= SEQUENCE {
|
|
issuedByThisCA [0] Certificate OPTIONAL,
|
|
issuedToThisCA [1] Certificate OPTIONAL
|
|
-- at least one of the pair shall be present
|
|
}
|
|
|
|
-- Certificate Revocation List (CRL)
|
|
CertificateList ::= SEQUENCE {
|
|
signedCertificateList SEQUENCE {
|
|
version Version OPTIONAL,
|
|
-- if present, version must be v2
|
|
signature AlgorithmIdentifier,
|
|
issuer Name,
|
|
thisUpdate Time,
|
|
nextUpdate Time OPTIONAL,
|
|
revokedCertificates
|
|
SEQUENCE OF
|
|
SEQUENCE {userCertificate CertificateSerialNumber,
|
|
revocationDate Time,
|
|
crlEntryExtensions Extensions OPTIONAL} OPTIONAL,
|
|
crlExtensions [0] Extensions OPTIONAL},
|
|
algorithmIdentifier AlgorithmIdentifier,
|
|
encrypted BIT STRING
|
|
}
|
|
|
|
-- attribute certificate
|
|
AttributeCertificationPath ::= SEQUENCE {
|
|
attributeCertificate AttributeCertificate,
|
|
acPath SEQUENCE OF ACPathData OPTIONAL
|
|
}
|
|
|
|
ACPathData ::= SEQUENCE {
|
|
certificate [0] Certificate OPTIONAL,
|
|
attributeCertificate [1] AttributeCertificate OPTIONAL
|
|
}
|
|
|
|
--attributeCertificate ATTRIBUTE ::= {
|
|
-- WITH SYNTAX AttributeCertificate
|
|
-- EQUALITY MATCHING RULE attributeCertificateMatch
|
|
-- ID id-at-attributeCertificate
|
|
--}
|
|
|
|
AttributeCertificate ::= SEQUENCE {
|
|
signedAttributeCertificateInfo AttributeCertificateInfo,
|
|
algorithmIdentifier AlgorithmIdentifier,
|
|
encrypted BIT STRING
|
|
}
|
|
|
|
AttributeCertificateInfo ::= SEQUENCE {
|
|
version Version DEFAULT v1,
|
|
subject
|
|
CHOICE {baseCertificateID [0] IssuerSerial,
|
|
subjectName [1] GeneralNames
|
|
},
|
|
issuer GeneralNames,
|
|
signature AlgorithmIdentifier,
|
|
serialNumber CertificateSerialNumber,
|
|
attCertValidityPeriod AttCertValidityPeriod,
|
|
attributes SEQUENCE OF Attribute,
|
|
issuerUniqueID UniqueIdentifier OPTIONAL,
|
|
extensions Extensions OPTIONAL
|
|
}
|
|
|
|
IssuerSerial ::= SEQUENCE {
|
|
issuer GeneralNames,
|
|
serial CertificateSerialNumber,
|
|
issuerUID UniqueIdentifier OPTIONAL
|
|
}
|
|
|
|
AttCertValidityPeriod ::= SEQUENCE {
|
|
notBeforeTime GeneralizedTime,
|
|
notAfterTime GeneralizedTime
|
|
}
|
|
|
|
--attributeCertificateMatch MATCHING-RULE ::= {
|
|
-- SYNTAX AttributeCertificateAssertion
|
|
-- ID id-mr-attributeCertificateMatch
|
|
--}
|
|
|
|
AttributeCertificateAssertion ::= SEQUENCE {
|
|
subject
|
|
[0] CHOICE {baseCertificateID [0] IssuerSerial,
|
|
subjectName [1] SubjectName} OPTIONAL,
|
|
issuer [1] Name OPTIONAL,
|
|
attCertValidity [2] GeneralizedTime OPTIONAL,
|
|
attType [3] SET OF AttributeType OPTIONAL
|
|
}
|
|
|
|
-- At least one component of the sequence must be present
|
|
-- attribute types
|
|
--userPassword ATTRIBUTE ::= {
|
|
-- WITH SYNTAX OCTET STRING(SIZE (0..ub-user-password))
|
|
-- EQUALITY MATCHING RULE octetStringMatch
|
|
-- ID id-at-userPassword
|
|
--}
|
|
|
|
--userCertificate ATTRIBUTE ::= {
|
|
-- WITH SYNTAX Certificate
|
|
-- EQUALITY MATCHING RULE certificateExactMatch
|
|
-- ID id-at-userCertificate
|
|
--}
|
|
|
|
--cACertificate ATTRIBUTE ::= {
|
|
-- WITH SYNTAX Certificate
|
|
-- EQUALITY MATCHING RULE certificateExactMatch
|
|
-- ID id-at-cAcertificate
|
|
--}
|
|
|
|
--crossCertificatePair ATTRIBUTE ::= {
|
|
-- WITH SYNTAX CertificatePair
|
|
-- EQUALITY MATCHING RULE certificatePairExactMatch
|
|
-- ID id-at-crossCertificatePair
|
|
--}
|
|
|
|
--authorityRevocationList ATTRIBUTE ::= {
|
|
-- WITH SYNTAX CertificateList
|
|
-- EQUALITY MATCHING RULE certificateListExactMatch
|
|
-- ID id-at-authorityRevocationList
|
|
--}
|
|
|
|
--certificateRevocationList ATTRIBUTE ::= {
|
|
-- WITH SYNTAX CertificateList
|
|
-- EQUALITY MATCHING RULE certificateListExactMatch
|
|
-- ID id-at-certificateRevocationList
|
|
--}
|
|
|
|
--attributeCertificateRevocationList ATTRIBUTE ::= {
|
|
-- WITH SYNTAX CertificateList
|
|
-- ID id-at-attributeCertificateRevocationList
|
|
--}
|
|
|
|
-- information object classes
|
|
--ALGORITHM ::= TYPE-IDENTIFIER
|
|
|
|
-- object identifier assignments
|
|
--id-at-userPassword OBJECT IDENTIFIER ::=
|
|
-- {id-at 35}
|
|
|
|
id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
|
|
|
|
id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
|
|
|
|
id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
|
|
|
|
id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
|
|
|
|
id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
|
|
|
|
id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
|
|
|
|
id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
|
|
|
|
--id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}
|
|
|
|
-- these are sneaked in from DSS - a separate dissector seems OTT
|
|
|
|
DSS-Params ::= SEQUENCE {
|
|
p INTEGER,
|
|
q INTEGER,
|
|
g INTEGER
|
|
}
|
|
|
|
END
|
|
|
|
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D
|
|
|