We reverted the ABI bump.

[gnutls.git] / lib / pkix.asn

PKIX1 { }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.

-- ISO arc for standard certificate and CRL extensions

id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29}


-- authority key identifier OID and syntax

id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }

AuthorityKeyIdentifier ::= SEQUENCE {
      keyIdentifier             [0] KeyIdentifier            OPTIONAL,
      authorityCertIssuer       [1] GeneralNames             OPTIONAL,
      authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
    -- authorityCertIssuer and authorityCertSerialNumber shall both
    -- be present or both be absgent

KeyIdentifier ::= OCTET STRING

-- subject key identifier OID and syntax

id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }

SubjectKeyIdentifier ::= KeyIdentifier

-- key usage extension OID and syntax

id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     nonRepudiation          (1),
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }

-- private key usage period extension OID and syntax

id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }

PrivateKeyUsagePeriod ::= SEQUENCE {
     notBefore       [0]     GeneralizedTime OPTIONAL,
     notAfter        [1]     GeneralizedTime OPTIONAL }
     -- either notBefore or notAfter shall be present

-- certificate policies extension OID and syntax

id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }

CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
     policyIdentifier   CertPolicyId,
     policyQualifiers   SEQUENCE SIZE (1..MAX) OF
             PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {
       policyQualifierId  PolicyQualifierId,
       qualifier        ANY DEFINED BY policyQualifierId }

-- Implementations that recognize additional policy qualifiers shall
-- augment the following definition for PolicyQualifierId

PolicyQualifierId ::=
    OBJECT IDENTIFIER  -- ( id-qt-cps | id-qt-unotice )

-- CPS pointer qualifier

CPSuri ::= IA5String

-- user notice qualifier

UserNotice ::= SEQUENCE {
     noticeRef        NoticeReference OPTIONAL,
     explicitText     DisplayText OPTIONAL}

NoticeReference ::= SEQUENCE {
     organization     DisplayText,
     noticeNumbers    SEQUENCE OF INTEGER }

DisplayText ::= CHOICE {
     visibleString    VisibleString  (SIZE (1..200)),
     bmpString        BMPString      (SIZE (1..200)),
     utf8String       UTF8String     (SIZE (1..200)) }

-- policy mapping extension OID and syntax

id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }

PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
     issuerDomainPolicy      CertPolicyId,
     subjectDomainPolicy     CertPolicyId }

-- subject alternative name extension OID and syntax

-- Directory string type --

DirectoryString ::= CHOICE {
      teletexString             TeletexString (SIZE (1..MAX)),
      printableString           PrintableString (SIZE (1..MAX)),
      universalString           UniversalString (SIZE (1..MAX)),
      utf8String              UTF8String (SIZE (1..MAX)),
      bmpString               BMPString (SIZE(1..MAX)),
      -- IA5String is added here to handle old UID encoded as ia5String --
      -- See tests/userid/ for more information.  It shouldn't be here, --
      -- so if it causes problems, considering dropping it. --
      ia5String               IA5String (SIZE(1..MAX)) }

id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
     otherName                       [0]     AnotherName,
     rfc822Name                      [1]     IA5String,
     dNSName                         [2]     IA5String,
     x400Address                     [3]     ORAddress,
-- Changed to work with the libtasn1 parser.
     directoryName                   [4]     EXPLICIT RDNSequence, --Name,
     ediPartyName                    [5]     EDIPartyName,
     uniformResourceIdentifier       [6]     IA5String,
     iPAddress                       [7]     OCTET STRING,
     registeredID                    [8]     OBJECT IDENTIFIER }

-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

AnotherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }

EDIPartyName ::= SEQUENCE {
     nameAssigner            [0]     DirectoryString OPTIONAL,
     partyName               [1]     DirectoryString }

-- issuer alternative name extension OID and syntax

id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }

IssuerAltName ::= GeneralNames

id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }

SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute

-- basic constraints extension OID and syntax

id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }

BasicConstraints ::= SEQUENCE {
     cA                      BOOLEAN DEFAULT FALSE,
     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

-- name constraints extension OID and syntax

id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

NameConstraints ::= SEQUENCE {
     permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
     excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
     base                    GeneralName,
     minimum         [0]     BaseDistance DEFAULT 0,
     maximum         [1]     BaseDistance OPTIONAL }

BaseDistance ::= INTEGER (0..MAX)

-- policy constraints extension OID and syntax

id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }

PolicyConstraints ::= SEQUENCE {
     requireExplicitPolicy           [0] SkipCerts OPTIONAL,
     inhibitPolicyMapping            [1] SkipCerts OPTIONAL }

SkipCerts ::= INTEGER (0..MAX)

-- CRL distribution points extension OID and syntax

id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
     distributionPoint       [0]     EXPLICIT DistributionPointName OPTIONAL,
     reasons                 [1]     ReasonFlags OPTIONAL,
     cRLIssuer               [2]     GeneralNames OPTIONAL
}

DistributionPointName ::= CHOICE {
    fullName                [0]     GeneralNames,
    nameRelativeToCRLIssuer [1]     RelativeDistinguishedName 
}

ReasonFlags ::= BIT STRING {
     unused                  (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     privilegeWithdrawn      (7),
     aACompromise            (8) }

-- extended key usage extension OID and syntax

id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

KeyPurposeId ::= OBJECT IDENTIFIER

-- extended key purpose OIDs
id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
id-kp-ipsecEndSystem  OBJECT IDENTIFIER ::= { id-kp 5 }
id-kp-ipsecTunnel     OBJECT IDENTIFIER ::= { id-kp 6 }
id-kp-ipsecUser       OBJECT IDENTIFIER ::= { id-kp 7 }
id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }

-- authority info access

id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

AuthorityInfoAccessSyntax  ::=
        SEQUENCE SIZE (1..MAX) OF AccessDescription

AccessDescription  ::=  SEQUENCE {
        accessMethod          OBJECT IDENTIFIER,
        accessLocation        GeneralName  }

-- CRL number extension OID and syntax

id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

CRLNumber ::= INTEGER (0..MAX)

-- issuing distribution point extension OID and syntax

id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }

IssuingDistributionPoint ::= SEQUENCE {
     distributionPoint       [0] DistributionPointName OPTIONAL,
     onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
     onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
     onlySomeReasons         [3] ReasonFlags OPTIONAL,
     indirectCRL             [4] BOOLEAN DEFAULT FALSE }


id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

-- deltaCRLIndicator ::= BaseCRLNumber

BaseCRLNumber ::= CRLNumber

-- CRL reasons extension OID and syntax

id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

CRLReason ::= ENUMERATED {
     unspecified             (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     removeFromCRL           (8) }

-- certificate issuer CRL entry extension OID and syntax

id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

CertificateIssuer ::= GeneralNames

-- hold instruction extension OID and syntax

id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

HoldInstructionCode ::= OBJECT IDENTIFIER

-- ANSI x9 holdinstructions

-- ANSI x9 arc holdinstruction arc
holdInstruction OBJECT IDENTIFIER ::=
          {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}

-- ANSI X9 holdinstructions referenced by this standard
id-holdinstruction-none OBJECT IDENTIFIER  ::=
                {holdInstruction 1} -- deprecated
id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
                {holdInstruction 2}
id-holdinstruction-reject OBJECT IDENTIFIER ::=
                {holdInstruction 3}

-- invalidity date CRL entry extension OID and syntax

id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }

InvalidityDate ::=  GeneralizedTime


-- --------------------------------------
--  EXPLICIT
-- --------------------------------------

-- UNIVERSAL Types defined in '93 and '98 ASN.1
-- but required by this specification

VisibleString ::= [UNIVERSAL 26] IMPLICIT OCTET STRING

NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING

IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING

TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING

PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING

UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
        -- UniversalString is defined in ASN.1:1993

BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
      -- BMPString is the subtype of UniversalString and models
       -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1

UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
        -- The content of this type conforms to RFC 2279.


-- PKIX specific OIDs

id-pkix  OBJECT IDENTIFIER  ::=
         { iso(1) identified-organization(3) dod(6) internet(1)
                    security(5) mechanisms(5) pkix(7) }

-- PKIX arcs

id-pe OBJECT IDENTIFIER  ::=  { id-pkix 1 }
        -- arc for private certificate extensions
id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
        -- arc for policy qualifier types
id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
        -- arc for extended key purpose OIDS
id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
        -- arc for access descriptors

-- policyQualifierIds for Internet policy qualifiers

id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
        -- OID for CPS qualifier
id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
        -- OID for user notice qualifier

-- access descriptor definitions

id-ad-ocsp      OBJECT IDENTIFIER ::= { id-ad 1 }
id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }

-- attribute data types --

Attribute       ::=     SEQUENCE {
        type            AttributeType,
        values  SET OF AttributeValue
                -- at least one value is required -- 
}

AttributeType           ::=   OBJECT IDENTIFIER

AttributeValue          ::=   ANY DEFINED BY type

AttributeTypeAndValue           ::=     SEQUENCE {
        type    AttributeType,
        value   AttributeValue }

-- suggested naming attributes: Definition of the following
--  information object set may be augmented to meet local
--  requirements.  Note that deleting members of the set may
--  prevent interoperability with conforming implementations.
--  presented in pairs: the AttributeType followed by the
--  type definition for the corresponding AttributeValue

-- Arc for standard naming attributes
id-at           OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}

-- Attributes of type NameDirectoryString
id-at-initials          AttributeType ::= { id-at 43 }
X520initials ::= DirectoryString

id-at-generationQualifier AttributeType ::= { id-at 44 }
X520generationQualifier ::= DirectoryString

id-at-surname           AttributeType ::= { id-at 4 }
X520surName ::= DirectoryString

id-at-givenName         AttributeType ::= { id-at 42 }
X520givenName ::= DirectoryString

id-at-name              AttributeType ::= { id-at 41 }
X520name        ::= DirectoryString

id-at-commonName        AttributeType   ::=     {id-at 3}
X520CommonName  ::=      DirectoryString

id-at-localityName      AttributeType   ::=     {id-at 7}
X520LocalityName ::= DirectoryString

id-at-stateOrProvinceName       AttributeType   ::=     {id-at 8}
X520StateOrProvinceName         ::= DirectoryString

id-at-organizationName          AttributeType   ::=     {id-at 10}
X520OrganizationName ::= DirectoryString

id-at-organizationalUnitName    AttributeType   ::=     {id-at 11}
X520OrganizationalUnitName ::= DirectoryString

id-at-title     AttributeType   ::=     {id-at 12}
X520Title ::=   DirectoryString

id-at-description     AttributeType   ::=     {id-at 13}
X520Description ::=   DirectoryString

id-at-dnQualifier       AttributeType   ::=     {id-at 46}
X520dnQualifier ::=     PrintableString

id-at-countryName       AttributeType   ::=     {id-at 6}
X520countryName ::=     PrintableString (SIZE (2)) -- IS 3166 codes

id-at-serialNumber       AttributeType   ::=     {id-at 5}
X520serialNumber ::=     PrintableString

id-at-telephoneNumber       AttributeType   ::=     {id-at 20}
X520telephoneNumber ::=     PrintableString

id-at-facsimileTelephoneNumber       AttributeType   ::=     {id-at 23}
X520facsimileTelephoneNumber ::=     PrintableString

id-at-pseudonym         AttributeType   ::=     {id-at 65}
X520pseudonym ::=       DirectoryString

id-at-name      AttributeType   ::=     {id-at 41}
X520name ::=    DirectoryString

id-at-streetAddress     AttributeType   ::=     {id-at 9}
X520streetAddress ::=   DirectoryString

id-at-postalAddress     AttributeType   ::=     {id-at 16}
X520postalAddress ::= PostalAddress

PostalAddress ::= SEQUENCE OF DirectoryString


 -- Legacy attributes

pkcs OBJECT IDENTIFIER ::=
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) }

pkcs-9 OBJECT IDENTIFIER ::=
       { pkcs 9 }


emailAddress AttributeType      ::= { pkcs-9 1 }

Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))

-- naming data types --

Name            ::=   CHOICE { -- only one possibility for now --
                                 rdnSequence  RDNSequence }

RDNSequence     ::=   SEQUENCE OF RelativeDistinguishedName

DistinguishedName       ::=   RDNSequence

RelativeDistinguishedName  ::=
                    SET SIZE (1 .. MAX) OF AttributeTypeAndValue



-- --------------------------------------------------------
-- certificate and CRL specific structures begin here
-- --------------------------------------------------------

Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  EXPLICIT Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version shall be v2 or v3
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version shall be v2 or v3
     extensions      [3]  EXPLICIT Extensions OPTIONAL
                          -- If present, version shall be v3 --  
}

Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

CertificateSerialNumber  ::=  INTEGER

Validity ::= SEQUENCE {
     notBefore      Time,
     notAfter       Time }

Time ::= CHOICE {
     utcTime        UTCTime,
     generalTime    GeneralizedTime }

UniqueIdentifier  ::=  BIT STRING

SubjectPublicKeyInfo  ::=  SEQUENCE  {
     algorithm            AlgorithmIdentifier,
     subjectPublicKey     BIT STRING  }

Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

Extension  ::=  SEQUENCE  {
     extnID      OBJECT IDENTIFIER,
     critical    BOOLEAN DEFAULT FALSE,
     extnValue   OCTET STRING  }


-- ------------------------------------------
-- CRL structures
-- ------------------------------------------

CertificateList  ::=  SEQUENCE  {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }

TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                                  -- if present, shall be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              Time,
     nextUpdate              Time OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
          userCertificate         CertificateSerialNumber,
          revocationDate          Time,
          crlEntryExtensions      Extensions OPTIONAL
                                         -- if present, shall be v2
                               }  OPTIONAL,
     crlExtensions           [0] EXPLICIT Extensions OPTIONAL
                                         -- if present, shall be v2 -- 
}

-- Version, Time, CertificateSerialNumber, and Extensions were
-- defined earlier for use in the certificate structure

AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }
                                -- contains a value of the type
                                -- registered for use with the
                                -- algorithm object identifier value

-- Algorithm OIDs and parameter structures

pkcs-1 OBJECT IDENTIFIER ::= {
     pkcs 1 }

rsaEncryption OBJECT IDENTIFIER ::=  { pkcs-1 1 }

md2WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 2 }

md5WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 4 }

sha1WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 5 }

id-dsa-with-sha1 OBJECT IDENTIFIER ::=  {
     iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }

Dss-Sig-Value ::= SEQUENCE {
     r       INTEGER,
     s       INTEGER  
}

dhpublicnumber OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

DomainParameters ::= SEQUENCE {
     p       INTEGER, -- odd prime, p=jq +1
     g       INTEGER, -- generator, g
     q       INTEGER, -- factor of p-1
     j       INTEGER OPTIONAL, -- subgroup factor, j>= 2
     validationParms  ValidationParms OPTIONAL }

ValidationParms ::= SEQUENCE {
     seed             BIT STRING,
     pgenCounter      INTEGER }

id-dsa OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

Dss-Parms  ::=  SEQUENCE  {
     p             INTEGER,
     q             INTEGER,
     g             INTEGER  }

-- x400 address syntax starts here
--      OR Names

ORAddress ::= SEQUENCE {
   built-in-standard-attributes BuiltInStandardAttributes,
   built-in-domain-defined-attributes
                        BuiltInDomainDefinedAttributes OPTIONAL,
   -- see also teletex-domain-defined-attributes
   extension-attributes ExtensionAttributes OPTIONAL }
--      The OR-address is semantically absent from the OR-name if the
--      built-in-standard-attribute sequence is empty and the
--      built-in-domain-defined-attributes and extension-attributes are
--      both omitted.

--      Built-in Standard Attributes

BuiltInStandardAttributes ::= SEQUENCE {
   country-name CountryName OPTIONAL,
   administration-domain-name AdministrationDomainName OPTIONAL,
   network-address      [0] EXPLICIT NetworkAddress OPTIONAL,
   -- see also extended-network-address
   terminal-identifier  [1] EXPLICIT TerminalIdentifier OPTIONAL,
   private-domain-name  [2] EXPLICIT PrivateDomainName OPTIONAL,
   organization-name    [3] EXPLICIT OrganizationName OPTIONAL,
   -- see also teletex-organization-name
   numeric-user-identifier      [4] EXPLICIT NumericUserIdentifier OPTIONAL,
   personal-name        [5] EXPLICIT PersonalName OPTIONAL,
   -- see also teletex-personal-name
   organizational-unit-names    [6] EXPLICIT OrganizationalUnitNames OPTIONAL
   -- see also teletex-organizational-unit-names -- 
}

CountryName ::= [APPLICATION 1] CHOICE {
   x121-dcc-code NumericString
                (SIZE (ub-country-name-numeric-length)),
   iso-3166-alpha2-code PrintableString
                (SIZE (ub-country-name-alpha-length)) }

AdministrationDomainName ::= [APPLICATION 2] EXPLICIT CHOICE {
   numeric NumericString (SIZE (0..ub-domain-name-length)),
   printable PrintableString (SIZE (0..ub-domain-name-length)) }

NetworkAddress ::= X121Address  -- see also extended-network-address

X121Address ::= NumericString (SIZE (1..ub-x121-address-length))

TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))

PrivateDomainName ::= CHOICE {
   numeric NumericString (SIZE (1..ub-domain-name-length)),
   printable PrintableString (SIZE (1..ub-domain-name-length)) }

OrganizationName ::= PrintableString
                            (SIZE (1..ub-organization-name-length))
-- see also teletex-organization-name

NumericUserIdentifier ::= NumericString
                            (SIZE (1..ub-numeric-user-id-length))

PersonalName ::= SET {
   surname [0] PrintableString (SIZE (1..ub-surname-length)),
   given-name [1] PrintableString
                        (SIZE (1..ub-given-name-length)) OPTIONAL,
   initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
   generation-qualifier [3] PrintableString
                (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
-- see also teletex-personal-name

OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
                                        OF OrganizationalUnitName
-- see also teletex-organizational-unit-names

OrganizationalUnitName ::= PrintableString (SIZE
                        (1..ub-organizational-unit-name-length))

--      Built-in Domain-defined Attributes

BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
                                (1..ub-domain-defined-attributes) OF
                                BuiltInDomainDefinedAttribute

BuiltInDomainDefinedAttribute ::= SEQUENCE {
   type PrintableString (SIZE
                        (1..ub-domain-defined-attribute-type-length)),
   value PrintableString (SIZE
                        (1..ub-domain-defined-attribute-value-length))}

--      Extension Attributes

ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
                        ExtensionAttribute

ExtensionAttribute ::=  SEQUENCE {
   extension-attribute-type [0] EXPLICIT INTEGER (0..ub-extension-attributes),
   extension-attribute-value [1] EXPLICIT
                        ANY DEFINED BY extension-attribute-type }

-- Extension types and attribute values
--

common-name INTEGER ::= 1

CommonName ::= PrintableString (SIZE (1..ub-common-name-length))

teletex-common-name INTEGER ::= 2

TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))

teletex-organization-name INTEGER ::= 3

TeletexOrganizationName ::=
                TeletexString (SIZE (1..ub-organization-name-length))

teletex-personal-name INTEGER ::= 4

TeletexPersonalName ::= SET {
   surname [0] EXPLICIT TeletexString (SIZE (1..ub-surname-length)),
   given-name [1] EXPLICIT TeletexString
                (SIZE (1..ub-given-name-length)) OPTIONAL,
   initials [2] EXPLICIT TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
   generation-qualifier [3] EXPLICIT TeletexString (SIZE
                (1..ub-generation-qualifier-length)) OPTIONAL }

teletex-organizational-unit-names INTEGER ::= 5

TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
        (1..ub-organizational-units) OF TeletexOrganizationalUnitName

TeletexOrganizationalUnitName ::= TeletexString
                        (SIZE (1..ub-organizational-unit-name-length))

pds-name INTEGER ::= 7

PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))

physical-delivery-country-name INTEGER ::= 8

PhysicalDeliveryCountryName ::= CHOICE {
   x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
   iso-3166-alpha2-code PrintableString
                        (SIZE (ub-country-name-alpha-length)) }

postal-code INTEGER ::= 9

PostalCode ::= CHOICE {
   numeric-code NumericString (SIZE (1..ub-postal-code-length)),
   printable-code PrintableString (SIZE (1..ub-postal-code-length)) }

physical-delivery-office-name INTEGER ::= 10

PhysicalDeliveryOfficeName ::= PDSParameter

physical-delivery-office-number INTEGER ::= 11

PhysicalDeliveryOfficeNumber ::= PDSParameter

extension-OR-address-components INTEGER ::= 12

ExtensionORAddressComponents ::= PDSParameter

physical-delivery-personal-name INTEGER ::= 13

PhysicalDeliveryPersonalName ::= PDSParameter

physical-delivery-organization-name INTEGER ::= 14

PhysicalDeliveryOrganizationName ::= PDSParameter

extension-physical-delivery-address-components INTEGER ::= 15

ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter

unformatted-postal-address INTEGER ::= 16

UnformattedPostalAddress ::= SET {
   printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
           PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
   teletex-string TeletexString
         (SIZE (1..ub-unformatted-address-length)) OPTIONAL }

street-address INTEGER ::= 17

StreetAddress ::= PDSParameter

post-office-box-address INTEGER ::= 18

PostOfficeBoxAddress ::= PDSParameter

poste-restante-address INTEGER ::= 19

PosteRestanteAddress ::= PDSParameter

unique-postal-name INTEGER ::= 20

UniquePostalName ::= PDSParameter

local-postal-attributes INTEGER ::= 21

LocalPostalAttributes ::= PDSParameter

PDSParameter ::= SET {
   printable-string PrintableString
                (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
   teletex-string TeletexString
                (SIZE(1..ub-pds-parameter-length)) OPTIONAL }

extended-network-address INTEGER ::= 22

ExtendedNetworkAddress ::= CHOICE {
   e163-4-address SEQUENCE {
        number [0] EXPLICIT NumericString (SIZE (1..ub-e163-4-number-length)),
        sub-address [1] EXPLICIT NumericString
                (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
   psap-address [0] EXPLICIT PresentationAddress }

PresentationAddress ::= SEQUENCE {
        pSelector       [0] EXPLICIT OCTET STRING OPTIONAL,
        sSelector       [1] EXPLICIT OCTET STRING OPTIONAL,
        tSelector       [2] EXPLICIT OCTET STRING OPTIONAL,
        nAddresses      [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }

terminal-type  INTEGER ::= 23

TerminalType ::= INTEGER {
   telex (3),
   teletex (4),
   g3-facsimile (5),
   g4-facsimile (6),
   ia5-terminal (7),
   videotex (8) } -- (0..ub-integer-options)

--      Extension Domain-defined Attributes

teletex-domain-defined-attributes INTEGER ::= 6

TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
   (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute

TeletexDomainDefinedAttribute ::= SEQUENCE {
        type TeletexString
               (SIZE (1..ub-domain-defined-attribute-type-length)),
        value TeletexString
               (SIZE (1..ub-domain-defined-attribute-value-length)) }

--  specifications of Upper Bounds shall be regarded as mandatory
--  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
--  Upper Bounds

--      Upper Bounds
ub-name INTEGER ::=     32768
ub-common-name  INTEGER ::=     64
ub-locality-name        INTEGER ::=     128
ub-state-name   INTEGER ::=     128
ub-organization-name    INTEGER ::=     64
ub-organizational-unit-name     INTEGER ::=     64
ub-title        INTEGER ::=     64
ub-match        INTEGER ::=     128

ub-emailaddress-length INTEGER ::= 128

ub-common-name-length INTEGER ::= 64
ub-country-name-alpha-length INTEGER ::= 2
ub-country-name-numeric-length INTEGER ::= 3
ub-domain-defined-attributes INTEGER ::= 4
ub-domain-defined-attribute-type-length INTEGER ::= 8
ub-domain-defined-attribute-value-length INTEGER ::= 128
ub-domain-name-length INTEGER ::= 16
ub-extension-attributes INTEGER ::= 256
ub-e163-4-number-length INTEGER ::= 15
ub-e163-4-sub-address-length INTEGER ::= 40
ub-generation-qualifier-length INTEGER ::= 3
ub-given-name-length INTEGER ::= 16
ub-initials-length INTEGER ::= 5
ub-integer-options INTEGER ::= 256
ub-numeric-user-id-length INTEGER ::= 32
ub-organization-name-length INTEGER ::= 64
ub-organizational-unit-name-length INTEGER ::= 32
ub-organizational-units INTEGER ::= 4
ub-pds-name-length INTEGER ::= 16
ub-pds-parameter-length INTEGER ::= 30
ub-pds-physical-address-lines INTEGER ::= 6
ub-postal-code-length INTEGER ::= 16
ub-surname-length INTEGER ::= 40
ub-terminal-id-length INTEGER ::= 24
ub-unformatted-address-length INTEGER ::= 180
ub-x121-address-length INTEGER ::= 16

-- Note - upper bounds on string types, such as TeletexString, are
-- measured in characters.  Excepting PrintableString or IA5String, a
-- significantly greater number of octets will be required to hold
-- such a value.  As a minimum, 16 octets, or twice the specified upper
-- bound, whichever is the larger, should be allowed for TeletexString.
-- For UTF8String or UniversalString at least four times the upper
-- bound should be allowed.



-- END of PKIX1Implicit88


-- BEGIN of RFC2630

-- Cryptographic Message Syntax

pkcs-7-ContentInfo ::= SEQUENCE {
  contentType pkcs-7-ContentType,
  content [0] EXPLICIT ANY DEFINED BY contentType }

pkcs-7-DigestInfo ::= SEQUENCE {
  digestAlgorithm pkcs-7-DigestAlgorithmIdentifier,
  digest pkcs-7-Digest 
}

pkcs-7-Digest ::= OCTET STRING

pkcs-7-ContentType ::= OBJECT IDENTIFIER

pkcs-7-SignedData ::= SEQUENCE {
  version pkcs-7-CMSVersion,
  digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
  encapContentInfo pkcs-7-EncapsulatedContentInfo,
  certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
  crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
  signerInfos pkcs-7-SignerInfos 
}

pkcs-7-CMSVersion ::= INTEGER  { v0(0), v1(1), v2(2), v3(3), v4(4) }

pkcs-7-DigestAlgorithmIdentifiers ::= SET OF pkcs-7-DigestAlgorithmIdentifier

pkcs-7-DigestAlgorithmIdentifier ::= AlgorithmIdentifier

pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
  eContentType pkcs-7-ContentType,
  eContent [0] EXPLICIT OCTET STRING OPTIONAL }

-- We don't use CertificateList here since we only want
-- to read the raw data.
pkcs-7-CertificateRevocationLists ::= SET OF ANY

pkcs-7-CertificateChoices ::= CHOICE {
-- Although the paper uses Certificate type, we
-- don't use it since, we don't need to parse it.
-- We only need to read and store it.
  certificate ANY
}

pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices

pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it
 -- anyway


-- BEGIN of RFC2986

-- Certificate requests
pkcs-10-CertificationRequestInfo ::= SEQUENCE {
     version       INTEGER { v1(0) },
     subject       Name,
     subjectPKInfo SubjectPublicKeyInfo,
     attributes    [0] Attributes
}

Attributes ::= SET OF Attribute

pkcs-10-CertificationRequest ::= SEQUENCE {
     certificationRequestInfo pkcs-10-CertificationRequestInfo,
     signatureAlgorithm AlgorithmIdentifier,
     signature          BIT STRING
}

-- stuff from PKCS#9

pkcs-9-ub-challengePassword   INTEGER ::= 255

pkcs-9-certTypes OBJECT IDENTIFIER ::= {pkcs-9 22}
pkcs-9-crlTypes OBJECT IDENTIFIER ::= {pkcs-9 23}

pkcs-9-at-challengePassword OBJECT IDENTIFIER   ::= {pkcs-9 7}

pkcs-9-challengePassword        ::= CHOICE {
      printableString       PrintableString (SIZE (1..pkcs-9-ub-challengePassword)),
      utf8String            UTF8String (SIZE (1..pkcs-9-ub-challengePassword)) }

pkcs-9-at-localKeyId               OBJECT IDENTIFIER ::= {pkcs-9 21}

pkcs-9-localKeyId ::= OCTET STRING

pkcs-9-at-friendlyName             OBJECT IDENTIFIER ::= {pkcs-9 20}

pkcs-9-friendlyName ::= BMPString      (SIZE (1..255))

-- PKCS #8 stuff

-- Private-key information syntax

pkcs-8-PrivateKeyInfo ::= SEQUENCE {
  version pkcs-8-Version,
  privateKeyAlgorithm AlgorithmIdentifier,
  privateKey pkcs-8-PrivateKey,
  attributes [0] Attributes OPTIONAL }

pkcs-8-Version ::= INTEGER {v1(0)}

pkcs-8-PrivateKey ::= OCTET STRING

pkcs-8-Attributes ::= SET OF Attribute

-- Encrypted private-key information syntax

pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
    encryptionAlgorithm AlgorithmIdentifier,
    encryptedData pkcs-8-EncryptedData 
}

pkcs-8-EncryptedData ::= OCTET STRING

-- PKCS #5 stuff

pkcs-5 OBJECT IDENTIFIER ::=
       { pkcs 5 }

pkcs-5-encryptionAlgorithm OBJECT IDENTIFIER ::=
       { iso(1) member-body(2) us(840) rsadsi(113549) 3 }

pkcs-5-des-EDE3-CBC OBJECT IDENTIFIER ::= {pkcs-5-encryptionAlgorithm 7}

pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))

pkcs-5-id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}

pkcs-5-PBES2-params ::= SEQUENCE {
  keyDerivationFunc AlgorithmIdentifier,
  encryptionScheme AlgorithmIdentifier }

-- PBKDF2

pkcs-5-id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}

-- pkcs-5-id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) 2 7}

-- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
--   {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}

pkcs-5-PBKDF2-params ::= SEQUENCE {
  salt CHOICE {
    specified OCTET STRING,
    otherSource AlgorithmIdentifier
  },
  iterationCount INTEGER (1..MAX),
  keyLength INTEGER (1..MAX) OPTIONAL,
  prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1 
}

-- PKCS #12 stuff

pkcs-12 OBJECT IDENTIFIER ::= {pkcs 12}

pkcs-12-PFX ::= SEQUENCE {
        version         INTEGER {v3(3)},
        authSafe        pkcs-7-ContentInfo,
        macData         pkcs-12-MacData OPTIONAL
}

pkcs-12-PbeParams ::= SEQUENCE {
        salt    OCTET STRING,
        iterations INTEGER
}

pkcs-12-MacData ::= SEQUENCE {
        mac             pkcs-7-DigestInfo,
        macSalt         OCTET STRING,
        iterations      INTEGER DEFAULT 1
-- Note: The default is for historical reasons and its use is
-- deprecated. A higher value, like 1024 is recommended.
}

pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
        -- Data if unencrypted
        -- EncryptedData if password-encrypted
        -- EnvelopedData if public key-encrypted

pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag

pkcs-12-SafeBag ::= SEQUENCE {
        bagId           OBJECT IDENTIFIER,
        bagValue        [0] EXPLICIT ANY DEFINED BY badId,
        bagAttributes   SET OF pkcs-12-PKCS12Attribute OPTIONAL
}

-- Bag types


pkcs-12-bagtypes OBJECT IDENTIFIER ::= {pkcs-12 10 1}

pkcs-12-keyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 1}
pkcs-12-pkcs8ShroudedKeyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 2}
pkcs-12-certBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 3}
pkcs-12-crlBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 4}

pkcs-12-KeyBag ::= pkcs-8-PrivateKeyInfo

-- Shrouded KeyBag

pkcs-12-PKCS8ShroudedKeyBag ::= pkcs-8-EncryptedPrivateKeyInfo

-- CertBag

pkcs-12-CertBag ::= SEQUENCE {
        certId    OBJECT IDENTIFIER,
        certValue [0] EXPLICIT ANY DEFINED BY certId
}

-- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
-- DER-encoded X.509 certificate stored in OCTET STRING

pkcs-12-CRLBag ::= SEQUENCE {
        crlId           OBJECT IDENTIFIER,
        crlValue        [0] EXPLICIT ANY DEFINED BY crlId
}

-- x509CRL BAG-TYPE ::=
--      {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
-- DER-encoded X.509 CRL stored in OCTET STRING

pkcs-12-PKCS12Attribute ::= Attribute

-- PKCS #7 stuff (needed in PKCS 12)

pkcs-7-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

pkcs-7-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

pkcs-7-Data ::= OCTET STRING

pkcs-7-EncryptedData ::= SEQUENCE {
    version pkcs-7-CMSVersion,
    encryptedContentInfo pkcs-7-EncryptedContentInfo,
    unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }

pkcs-7-EncryptedContentInfo ::= SEQUENCE {
    contentType pkcs-7-ContentType,
    contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
    encryptedContent [0] IMPLICIT pkcs-7-EncryptedContent OPTIONAL }

pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

pkcs-7-EncryptedContent ::= OCTET STRING

pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute

-- LDAP stuff
-- may not be correct

id-at-ldap-DC AttributeType ::= { 0 9 2342 19200300 100 1 25 }

ldap-DC ::= IA5String

id-at-ldap-UID AttributeType ::= { 0 9 2342 19200300 100 1 1 }

ldap-UID ::= DirectoryString

-- rfc3039

id-pda  OBJECT IDENTIFIER ::= { id-pkix 9 }

id-pda-dateOfBirth          AttributeType ::= { id-pda 1 }
DateOfBirth ::=             GeneralizedTime

id-pda-placeOfBirth         AttributeType ::= { id-pda 2 }
PlaceOfBirth ::=            DirectoryString

id-pda-gender               AttributeType ::= { id-pda 3 }
Gender ::=                  PrintableString (SIZE(1))
                            -- "M", "F", "m" or "f"

id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
CountryOfCitizenship ::=    PrintableString (SIZE (2))
                            -- ISO 3166 Country Code

id-pda-countryOfResidence   AttributeType ::= { id-pda 5 }
CountryOfResidence ::=      PrintableString (SIZE (2))
                            -- ISO 3166 Country Code

-- rfc3820

id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pe 14 }

id-ppl-inheritAll OBJECT IDENTIFIER ::= { id-pkix 21 1 }
id-ppl-independent OBJECT IDENTIFIER ::= { id-pkix 21 2 }

ProxyCertInfo ::= SEQUENCE {
        pCPathLenConstraint     INTEGER (0..MAX) OPTIONAL,
        proxyPolicy             ProxyPolicy }

ProxyPolicy ::= SEQUENCE {
        policyLanguage  OBJECT IDENTIFIER,
        policy          OCTET STRING OPTIONAL }

-- rfc3920 section 5.1.1

id-on  OBJECT IDENTIFIER ::= { id-pkix 8 }  -- other name forms

id-on-xmppAddr  OBJECT IDENTIFIER ::= { id-on 5 }

XmppAddr ::= UTF8String

END