4 DEFINITIONS IMPLICIT TAGS ::=
8 -- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
10 id-pkix OBJECT IDENTIFIER ::=
11 { iso(1) identified-organization(3) dod(6) internet(1)
12 security(5) mechanisms(5) pkix(7) }
14 -- ISO arc for standard certificate and CRL extensions
16 -- authority key identifier OID and syntax
18 PrivateKeyUsagePeriod ::= SEQUENCE {
19 notBefore [0] GeneralizedTime OPTIONAL,
20 notAfter [1] GeneralizedTime OPTIONAL }
22 AuthorityKeyIdentifier ::= SEQUENCE {
23 keyIdentifier [0] KeyIdentifier OPTIONAL,
24 authorityCertIssuer [1] GeneralNames OPTIONAL,
25 authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
26 -- authorityCertIssuer and authorityCertSerialNumber shall both
27 -- be present or both be absgent
29 KeyIdentifier ::= OCTET STRING
31 -- subject key identifier OID and syntax
33 SubjectKeyIdentifier ::= KeyIdentifier
35 -- key usage extension OID and syntax
37 KeyUsage ::= BIT STRING
39 -- Directory string type --
41 DirectoryString ::= CHOICE {
42 teletexString TeletexString (SIZE (1..MAX)),
43 printableString PrintableString (SIZE (1..MAX)),
44 universalString UniversalString (SIZE (1..MAX)),
45 utf8String UTF8String (SIZE (1..MAX)),
46 bmpString BMPString (SIZE(1..MAX)),
47 -- IA5String is added here to handle old UID encoded as ia5String --
48 -- See tests/userid/ for more information. It shouldn't be here, --
49 -- so if it causes problems, considering dropping it. --
50 ia5String IA5String (SIZE(1..MAX)) }
52 SubjectAltName ::= GeneralNames
54 GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
56 GeneralName ::= CHOICE {
57 otherName [0] AnotherName,
58 rfc822Name [1] IA5String,
59 dNSName [2] IA5String,
61 -- Changed to work with the libtasn1 parser.
62 directoryName [4] EXPLICIT RDNSequence, --Name,
63 ediPartyName [5] ANY, --EDIPartyName replaced by ANY to save memory
64 uniformResourceIdentifier [6] IA5String,
65 iPAddress [7] OCTET STRING,
66 registeredID [8] OBJECT IDENTIFIER }
68 -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
69 -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
71 AnotherName ::= SEQUENCE {
72 type-id OBJECT IDENTIFIER,
73 value [0] EXPLICIT ANY DEFINED BY type-id }
75 -- issuer alternative name extension OID and syntax
77 IssuerAltName ::= GeneralNames
79 -- basic constraints extension OID and syntax
81 BasicConstraints ::= SEQUENCE {
82 cA BOOLEAN DEFAULT FALSE,
83 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
85 -- CRL distribution points extension OID and syntax
87 CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
89 DistributionPoint ::= SEQUENCE {
90 distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL,
91 reasons [1] ReasonFlags OPTIONAL,
92 cRLIssuer [2] GeneralNames OPTIONAL
95 DistributionPointName ::= CHOICE {
96 fullName [0] GeneralNames,
97 nameRelativeToCRLIssuer [1] RelativeDistinguishedName
100 ReasonFlags ::= BIT STRING
102 -- extended key usage extension OID and syntax
104 ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
106 KeyPurposeId ::= OBJECT IDENTIFIER
108 -- authority info access
110 AuthorityInfoAccessSyntax ::=
111 SEQUENCE SIZE (1..MAX) OF AccessDescription
113 AccessDescription ::= SEQUENCE {
114 accessMethod OBJECT IDENTIFIER,
115 accessLocation GeneralName }
117 -- CRL number extension OID and syntax
119 CRLNumber ::= INTEGER (0..MAX)
121 -- certificate issuer CRL entry extension OID and syntax
123 CertificateIssuer ::= GeneralNames
125 -- --------------------------------------
127 -- --------------------------------------
129 -- UNIVERSAL Types defined in '93 and '98 ASN.1
130 -- but required by this specification
132 NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING
134 IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING
136 TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING
138 PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING
140 UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
141 -- UniversalString is defined in ASN.1:1993
143 BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
144 -- BMPString is the subtype of UniversalString and models
145 -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1
147 UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
148 -- The content of this type conforms to RFC 2279.
151 -- attribute data types --
153 Attribute ::= SEQUENCE {
155 values SET OF AttributeValue
156 -- at least one value is required --
159 AttributeType ::= OBJECT IDENTIFIER
161 AttributeValue ::= ANY DEFINED BY type
163 AttributeTypeAndValue ::= SEQUENCE {
165 value AttributeValue }
167 -- suggested naming attributes: Definition of the following
168 -- information object set may be augmented to meet local
169 -- requirements. Note that deleting members of the set may
170 -- prevent interoperability with conforming implementations.
171 -- presented in pairs: the AttributeType followed by the
172 -- type definition for the corresponding AttributeValue
174 -- Arc for standard naming attributes
175 id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
177 -- Attributes of type NameDirectoryString
179 -- gnutls: Note that the Object ID (id-at*) is being set just before the
180 -- actual definition. This is done in order for asn1_find_structure_from_oid
181 -- to work (locate structure from OID).
182 -- Maybe this is inefficient and memory consuming. Should we replace with
183 -- a table that maps OIDs to structures?
185 PostalAddress ::= SEQUENCE OF DirectoryString
189 emailAddress AttributeType ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 1 }
191 Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
193 -- naming data types --
195 Name ::= CHOICE { -- only one possibility for now --
196 rdnSequence RDNSequence }
198 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
200 DistinguishedName ::= RDNSequence
202 RelativeDistinguishedName ::=
203 SET SIZE (1 .. MAX) OF AttributeTypeAndValue
207 -- --------------------------------------------------------
208 -- certificate and CRL specific structures begin here
209 -- --------------------------------------------------------
211 Certificate ::= SEQUENCE {
212 tbsCertificate TBSCertificate,
213 signatureAlgorithm AlgorithmIdentifier,
214 signature BIT STRING }
216 TBSCertificate ::= SEQUENCE {
217 version [0] EXPLICIT Version DEFAULT v1,
218 serialNumber CertificateSerialNumber,
219 signature AlgorithmIdentifier,
223 subjectPublicKeyInfo SubjectPublicKeyInfo,
224 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
225 -- If present, version shall be v2 or v3
226 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
227 -- If present, version shall be v2 or v3
228 extensions [3] EXPLICIT Extensions OPTIONAL
229 -- If present, version shall be v3 --
232 Version ::= INTEGER { v1(0), v2(1), v3(2) }
234 CertificateSerialNumber ::= INTEGER
236 Validity ::= SEQUENCE {
242 generalTime GeneralizedTime }
244 UniqueIdentifier ::= BIT STRING
246 SubjectPublicKeyInfo ::= SEQUENCE {
247 algorithm AlgorithmIdentifier,
248 subjectPublicKey BIT STRING }
250 Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
252 Extension ::= SEQUENCE {
253 extnID OBJECT IDENTIFIER,
254 critical BOOLEAN DEFAULT FALSE,
255 extnValue OCTET STRING }
258 -- ------------------------------------------
260 -- ------------------------------------------
262 CertificateList ::= SEQUENCE {
263 tbsCertList TBSCertList,
264 signatureAlgorithm AlgorithmIdentifier,
265 signature BIT STRING }
267 TBSCertList ::= SEQUENCE {
268 version Version OPTIONAL,
269 -- if present, shall be v2
270 signature AlgorithmIdentifier,
273 nextUpdate Time OPTIONAL,
274 revokedCertificates SEQUENCE OF SEQUENCE {
275 userCertificate CertificateSerialNumber,
277 crlEntryExtensions Extensions OPTIONAL
278 -- if present, shall be v2
280 crlExtensions [0] EXPLICIT Extensions OPTIONAL
281 -- if present, shall be v2 --
284 -- Version, Time, CertificateSerialNumber, and Extensions were
285 -- defined earlier for use in the certificate structure
287 AlgorithmIdentifier ::= SEQUENCE {
288 algorithm OBJECT IDENTIFIER,
289 parameters ANY DEFINED BY algorithm OPTIONAL }
290 -- contains a value of the type
291 -- registered for use with the
292 -- algorithm object identifier value
294 -- Algorithm OIDs and parameter structures
296 Dss-Sig-Value ::= SEQUENCE {
301 DomainParameters ::= SEQUENCE {
302 p INTEGER, -- odd prime, p=jq +1
303 g INTEGER, -- generator, g
304 q INTEGER, -- factor of p-1
305 j INTEGER OPTIONAL, -- subgroup factor, j>= 2
306 validationParms ValidationParms OPTIONAL }
308 ValidationParms ::= SEQUENCE {
310 pgenCounter INTEGER }
312 Dss-Parms ::= SEQUENCE {
317 -- x400 address syntax starts here
320 CountryName ::= [APPLICATION 1] CHOICE {
321 x121-dcc-code NumericString
322 (SIZE (ub-country-name-numeric-length)),
323 iso-3166-alpha2-code PrintableString
324 (SIZE (ub-country-name-alpha-length)) }
326 OrganizationName ::= PrintableString
327 (SIZE (1..ub-organization-name-length))
328 -- see also teletex-organization-name
330 NumericUserIdentifier ::= NumericString
331 (SIZE (1..ub-numeric-user-id-length))
333 -- see also teletex-personal-name
335 OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
336 OF OrganizationalUnitName
337 -- see also teletex-organizational-unit-names
339 OrganizationalUnitName ::= PrintableString (SIZE
340 (1..ub-organizational-unit-name-length))
342 -- Extension types and attribute values
345 CommonName ::= PrintableString
347 -- END of PKIX1Implicit88
352 -- Cryptographic Message Syntax
354 pkcs-7-ContentInfo ::= SEQUENCE {
355 contentType pkcs-7-ContentType,
356 content [0] EXPLICIT ANY DEFINED BY contentType }
358 pkcs-7-DigestInfo ::= SEQUENCE {
359 digestAlgorithm pkcs-7-DigestAlgorithmIdentifier,
363 pkcs-7-Digest ::= OCTET STRING
365 pkcs-7-ContentType ::= OBJECT IDENTIFIER
367 pkcs-7-SignedData ::= SEQUENCE {
368 version pkcs-7-CMSVersion,
369 digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
370 encapContentInfo pkcs-7-EncapsulatedContentInfo,
371 certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
372 crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
373 signerInfos pkcs-7-SignerInfos
376 pkcs-7-CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
378 pkcs-7-DigestAlgorithmIdentifiers ::= SET OF pkcs-7-DigestAlgorithmIdentifier
380 pkcs-7-DigestAlgorithmIdentifier ::= AlgorithmIdentifier
382 pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
383 eContentType pkcs-7-ContentType,
384 eContent [0] EXPLICIT OCTET STRING OPTIONAL }
386 -- We don't use CertificateList here since we only want
387 -- to read the raw data.
388 pkcs-7-CertificateRevocationLists ::= SET OF ANY
390 pkcs-7-CertificateChoices ::= CHOICE {
391 -- Although the paper uses Certificate type, we
392 -- don't use it since, we don't need to parse it.
393 -- We only need to read and store it.
397 pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices
399 pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it
405 -- Certificate requests
406 pkcs-10-CertificationRequestInfo ::= SEQUENCE {
407 version INTEGER { v1(0) },
409 subjectPKInfo SubjectPublicKeyInfo,
410 attributes [0] Attributes
413 Attributes ::= SET OF Attribute
415 pkcs-10-CertificationRequest ::= SEQUENCE {
416 certificationRequestInfo pkcs-10-CertificationRequestInfo,
417 signatureAlgorithm AlgorithmIdentifier,
423 pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 7}
425 pkcs-9-challengePassword ::= CHOICE {
426 printableString PrintableString,
427 utf8String UTF8String }
429 pkcs-9-localKeyId ::= OCTET STRING
433 -- Private-key information syntax
435 pkcs-8-PrivateKeyInfo ::= SEQUENCE {
436 version pkcs-8-Version,
437 privateKeyAlgorithm AlgorithmIdentifier,
438 privateKey pkcs-8-PrivateKey,
439 attributes [0] Attributes OPTIONAL }
441 pkcs-8-Version ::= INTEGER {v1(0)}
443 pkcs-8-PrivateKey ::= OCTET STRING
445 pkcs-8-Attributes ::= SET OF Attribute
447 -- Encrypted private-key information syntax
449 pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
450 encryptionAlgorithm AlgorithmIdentifier,
451 encryptedData pkcs-8-EncryptedData
454 pkcs-8-EncryptedData ::= OCTET STRING
458 pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))
459 pkcs-5-aes128-CBC-params ::= OCTET STRING (SIZE(16))
460 pkcs-5-aes192-CBC-params ::= OCTET STRING (SIZE(16))
461 pkcs-5-aes256-CBC-params ::= OCTET STRING (SIZE(16))
463 pkcs-5-PBES2-params ::= SEQUENCE {
464 keyDerivationFunc AlgorithmIdentifier,
465 encryptionScheme AlgorithmIdentifier }
469 -- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
470 -- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}
472 pkcs-5-PBKDF2-params ::= SEQUENCE {
474 specified OCTET STRING,
475 otherSource AlgorithmIdentifier
477 iterationCount INTEGER (1..MAX),
478 keyLength INTEGER (1..MAX) OPTIONAL,
479 prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
484 pkcs-12-PFX ::= SEQUENCE {
485 version INTEGER {v3(3)},
486 authSafe pkcs-7-ContentInfo,
487 macData pkcs-12-MacData OPTIONAL
490 pkcs-12-PbeParams ::= SEQUENCE {
495 pkcs-12-MacData ::= SEQUENCE {
496 mac pkcs-7-DigestInfo,
497 macSalt OCTET STRING,
498 iterations INTEGER DEFAULT 1
499 -- Note: The default is for historical reasons and its use is
500 -- deprecated. A higher value, like 1024 is recommended.
503 pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
504 -- Data if unencrypted
505 -- EncryptedData if password-encrypted
506 -- EnvelopedData if public key-encrypted
508 pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag
510 pkcs-12-SafeBag ::= SEQUENCE {
511 bagId OBJECT IDENTIFIER,
512 bagValue [0] EXPLICIT ANY DEFINED BY badId,
513 bagAttributes SET OF pkcs-12-PKCS12Attribute OPTIONAL
518 pkcs-12-KeyBag ::= pkcs-8-PrivateKeyInfo
522 pkcs-12-PKCS8ShroudedKeyBag ::= pkcs-8-EncryptedPrivateKeyInfo
526 pkcs-12-CertBag ::= SEQUENCE {
527 certId OBJECT IDENTIFIER,
528 certValue [0] EXPLICIT ANY DEFINED BY certId
531 -- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
532 -- DER-encoded X.509 certificate stored in OCTET STRING
534 pkcs-12-CRLBag ::= SEQUENCE {
535 crlId OBJECT IDENTIFIER,
536 crlValue [0] EXPLICIT ANY DEFINED BY crlId
539 pkcs-12-SecretBag ::= SEQUENCE {
540 secretTypeId OBJECT IDENTIFIER,
541 secretValue [0] EXPLICIT ANY DEFINED BY secretTypeId
544 -- x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
545 -- DER-encoded X.509 CRL stored in OCTET STRING
547 pkcs-12-PKCS12Attribute ::= Attribute
549 -- PKCS #7 stuff (needed in PKCS 12)
551 pkcs-7-Data ::= OCTET STRING
553 pkcs-7-EncryptedData ::= SEQUENCE {
554 version pkcs-7-CMSVersion,
555 encryptedContentInfo pkcs-7-EncryptedContentInfo,
556 unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }
558 pkcs-7-EncryptedContentInfo ::= SEQUENCE {
559 contentType pkcs-7-ContentType,
560 contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
561 encryptedContent [0] IMPLICIT pkcs-7-EncryptedContent OPTIONAL }
563 pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
565 pkcs-7-EncryptedContent ::= OCTET STRING
567 pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
571 ProxyCertInfo ::= SEQUENCE {
572 pCPathLenConstraint INTEGER (0..MAX) OPTIONAL,
573 proxyPolicy ProxyPolicy }
575 ProxyPolicy ::= SEQUENCE {
576 policyLanguage OBJECT IDENTIFIER,
577 policy OCTET STRING OPTIONAL }
581 OCSPRequest ::= SEQUENCE {
582 tbsRequest TBSRequest,
583 optionalSignature [0] EXPLICIT Signature OPTIONAL }
585 TBSRequest ::= SEQUENCE {
586 version [0] EXPLICIT Version DEFAULT v1,
587 requestorName [1] EXPLICIT GeneralName OPTIONAL,
588 requestList SEQUENCE OF Request,
589 requestExtensions [2] EXPLICIT Extensions OPTIONAL }
591 Signature ::= SEQUENCE {
592 signatureAlgorithm AlgorithmIdentifier,
593 signature BIT STRING,
594 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
596 -- comment out, already used above, fortunately with same values and names
597 -- Version ::= INTEGER { v1(0) }
599 Request ::= SEQUENCE {
601 singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
603 CertID ::= SEQUENCE {
604 hashAlgorithm AlgorithmIdentifier,
605 issuerNameHash OCTET STRING, -- Hash of Issuer's DN
606 issuerKeyHash OCTET STRING, -- Hash of Issuers public key
607 serialNumber CertificateSerialNumber }
609 OCSPResponse ::= SEQUENCE {
610 responseStatus OCSPResponseStatus,
611 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
613 OCSPResponseStatus ::= ENUMERATED {
614 successful (0), --Response has valid confirmations
615 malformedRequest (1), --Illegal confirmation request
616 internalError (2), --Internal error in issuer
617 tryLater (3), --Try again later
619 sigRequired (5), --Must sign the request
620 unauthorized (6) --Request unauthorized
623 ResponseBytes ::= SEQUENCE {
624 responseType OBJECT IDENTIFIER,
625 response OCTET STRING }
627 BasicOCSPResponse ::= SEQUENCE {
628 tbsResponseData ResponseData,
629 signatureAlgorithm AlgorithmIdentifier,
630 signature BIT STRING,
631 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
633 ResponseData ::= SEQUENCE {
634 version [0] EXPLICIT Version DEFAULT v1,
635 responderID ResponderID,
636 producedAt GeneralizedTime,
637 responses SEQUENCE OF SingleResponse,
638 responseExtensions [1] EXPLICIT Extensions OPTIONAL }
640 ResponderID ::= CHOICE {
641 -- Changed to work with the libtasn1 parser.
642 byName [1] EXPLICIT RDNSequence, --Name,
645 KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
646 --(excluding the tag and length fields)
648 SingleResponse ::= SEQUENCE {
650 certStatus CertStatus,
651 thisUpdate GeneralizedTime,
652 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
653 singleExtensions [1] EXPLICIT Extensions OPTIONAL }
655 CertStatus ::= CHOICE {
656 good [0] IMPLICIT NULL,
657 revoked [1] IMPLICIT RevokedInfo,
658 unknown [2] IMPLICIT UnknownInfo }
660 RevokedInfo ::= SEQUENCE {
661 revocationTime GeneralizedTime,
662 revocationReason [0] EXPLICIT CRLReason OPTIONAL }
664 UnknownInfo ::= NULL -- this can be replaced with an enumeration
666 ArchiveCutoff ::= GeneralizedTime
668 AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
670 ServiceLocator ::= SEQUENCE {
672 locator AuthorityInfoAccessSyntax }
676 CRLReason ::= ENUMERATED {
680 affiliationChanged (3),
682 cessationOfOperation (5),
685 privilegeWithdrawn (9),