| blob | cc788b73a1bb139a297ddd56d96c17add970dfb5 |
2 PKIX1 { }
4 DEFINITIONS IMPLICIT TAGS ::=
6 BEGIN
8 -- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
10 id-pkix OBJECT IDENTIFIER ::=
11 { iso(1) identified-organization(3) dod(6) internet(1)
12 security(5) mechanisms(5) pkix(7) }
14 -- ISO arc for standard certificate and CRL extensions
16 -- authority key identifier OID and syntax
18 PrivateKeyUsagePeriod ::= SEQUENCE {
19 notBefore [0] GeneralizedTime OPTIONAL,
20 notAfter [1] GeneralizedTime OPTIONAL }
22 AuthorityKeyIdentifier ::= SEQUENCE {
23 keyIdentifier [0] KeyIdentifier OPTIONAL,
24 authorityCertIssuer [1] GeneralNames OPTIONAL,
25 authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
26 -- authorityCertIssuer and authorityCertSerialNumber shall both
27 -- be present or both be absgent
29 KeyIdentifier ::= OCTET STRING
31 -- subject key identifier OID and syntax
33 SubjectKeyIdentifier ::= KeyIdentifier
35 -- key usage extension OID and syntax
37 KeyUsage ::= BIT STRING
39 -- Directory string type --
41 DirectoryString ::= CHOICE {
42 teletexString TeletexString (SIZE (1..MAX)),
43 printableString PrintableString (SIZE (1..MAX)),
44 universalString UniversalString (SIZE (1..MAX)),
45 utf8String UTF8String (SIZE (1..MAX)),
46 bmpString BMPString (SIZE(1..MAX)),
47 -- IA5String is added here to handle old UID encoded as ia5String --
48 -- See tests/userid/ for more information. It shouldn't be here, --
49 -- so if it causes problems, considering dropping it. --
50 ia5String IA5String (SIZE(1..MAX)) }
52 SubjectAltName ::= GeneralNames
54 GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
56 GeneralName ::= CHOICE {
57 otherName [0] AnotherName,
58 rfc822Name [1] IA5String,
59 dNSName [2] IA5String,
60 x400Address [3] ANY,
61 -- Changed to work with the libtasn1 parser.
62 directoryName [4] EXPLICIT RDNSequence, --Name,
63 ediPartyName [5] ANY, --EDIPartyName replaced by ANY to save memory
64 uniformResourceIdentifier [6] IA5String,
65 iPAddress [7] OCTET STRING,
66 registeredID [8] OBJECT IDENTIFIER }
68 -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
69 -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
71 AnotherName ::= SEQUENCE {
72 type-id OBJECT IDENTIFIER,
73 value [0] EXPLICIT ANY DEFINED BY type-id }
75 -- issuer alternative name extension OID and syntax
77 IssuerAltName ::= GeneralNames
79 -- basic constraints extension OID and syntax
81 BasicConstraints ::= SEQUENCE {
82 cA BOOLEAN DEFAULT FALSE,
83 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
85 -- CRL distribution points extension OID and syntax
87 CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
89 DistributionPoint ::= SEQUENCE {
90 distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL,
91 reasons [1] ReasonFlags OPTIONAL,
92 cRLIssuer [2] GeneralNames OPTIONAL
93 }
95 DistributionPointName ::= CHOICE {
96 fullName [0] GeneralNames,
97 nameRelativeToCRLIssuer [1] RelativeDistinguishedName
98 }
100 ReasonFlags ::= BIT STRING
102 -- extended key usage extension OID and syntax
104 ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
106 KeyPurposeId ::= OBJECT IDENTIFIER
108 -- authority info access
110 AuthorityInfoAccessSyntax ::=
111 SEQUENCE SIZE (1..MAX) OF AccessDescription
113 AccessDescription ::= SEQUENCE {
114 accessMethod OBJECT IDENTIFIER,
115 accessLocation GeneralName }
117 -- CRL number extension OID and syntax
119 -- CRLNumber ::= INTEGER (0..MAX)
121 -- certificate issuer CRL entry extension OID and syntax
123 -- CertificateIssuer ::= GeneralNames
125 -- --------------------------------------
126 -- EXPLICIT
127 -- --------------------------------------
129 -- UNIVERSAL Types defined in '93 and '98 ASN.1
130 -- but required by this specification
132 NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING
134 IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING
136 TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING
138 PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING
140 UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
141 -- UniversalString is defined in ASN.1:1993
143 BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
144 -- BMPString is the subtype of UniversalString and models
145 -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1
147 UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
148 -- The content of this type conforms to RFC 2279.
150 VisibleString ::= [UNIVERSAL 26] IMPLICIT OCTET STRING
152 -- attribute data types --
154 Attribute ::= SEQUENCE {
155 type AttributeType,
156 values SET OF AttributeValue
157 -- at least one value is required --
158 }
160 AttributeType ::= OBJECT IDENTIFIER
162 AttributeValue ::= ANY DEFINED BY type
164 AttributeTypeAndValue ::= SEQUENCE {
165 type AttributeType,
166 value AttributeValue }
168 -- suggested naming attributes: Definition of the following
169 -- information object set may be augmented to meet local
170 -- requirements. Note that deleting members of the set may
171 -- prevent interoperability with conforming implementations.
172 -- presented in pairs: the AttributeType followed by the
173 -- type definition for the corresponding AttributeValue
175 -- Arc for standard naming attributes
176 id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
178 -- Attributes of type NameDirectoryString
180 -- gnutls: Note that the Object ID (id-at*) is being set just before the
181 -- actual definition. This is done in order for asn1_find_structure_from_oid
182 -- to work (locate structure from OID).
183 -- Maybe this is inefficient and memory consuming. Should we replace with
184 -- a table that maps OIDs to structures?
186 -- PostalAddress ::= SEQUENCE OF DirectoryString
188 -- Legacy attributes
190 emailAddress AttributeType ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 1 }
192 -- Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
194 -- naming data types --
196 Name ::= CHOICE { -- only one possibility for now --
197 rdnSequence RDNSequence }
199 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
201 DistinguishedName ::= RDNSequence
203 RelativeDistinguishedName ::=
204 SET SIZE (1 .. MAX) OF AttributeTypeAndValue
208 -- --------------------------------------------------------
209 -- certificate and CRL specific structures begin here
210 -- --------------------------------------------------------
212 Certificate ::= SEQUENCE {
213 tbsCertificate TBSCertificate,
214 signatureAlgorithm AlgorithmIdentifier,
215 signature BIT STRING }
217 TBSCertificate ::= SEQUENCE {
218 version [0] EXPLICIT INTEGER DEFAULT 0,
219 serialNumber CertificateSerialNumber,
220 signature AlgorithmIdentifier,
221 issuer Name,
222 validity Validity,
223 subject Name,
224 subjectPublicKeyInfo SubjectPublicKeyInfo,
225 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
226 -- If present, version shall be v2 or v3
227 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
228 -- If present, version shall be v2 or v3
229 extensions [3] EXPLICIT Extensions OPTIONAL
230 -- If present, version shall be v3 --
231 }
233 CertificateSerialNumber ::= INTEGER
235 Validity ::= SEQUENCE {
236 notBefore Time,
237 notAfter Time }
239 Time ::= CHOICE {
240 utcTime UTCTime,
241 generalTime GeneralizedTime }
243 UniqueIdentifier ::= BIT STRING
245 SubjectPublicKeyInfo ::= SEQUENCE {
246 algorithm AlgorithmIdentifier,
247 subjectPublicKey BIT STRING }
249 Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
251 Extension ::= SEQUENCE {
252 extnID OBJECT IDENTIFIER,
253 critical BOOLEAN DEFAULT FALSE,
254 extnValue OCTET STRING }
257 -- ------------------------------------------
258 -- CRL structures
259 -- ------------------------------------------
261 CertificateList ::= SEQUENCE {
262 tbsCertList TBSCertList,
263 signatureAlgorithm AlgorithmIdentifier,
264 signature BIT STRING }
266 TBSCertList ::= SEQUENCE {
267 version INTEGER OPTIONAL,
268 -- if present, shall be v2
269 signature AlgorithmIdentifier,
270 issuer Name,
271 thisUpdate Time,
272 nextUpdate Time OPTIONAL,
273 revokedCertificates SEQUENCE OF SEQUENCE {
274 userCertificate CertificateSerialNumber,
275 revocationDate Time,
276 crlEntryExtensions Extensions OPTIONAL
277 -- if present, shall be v2
278 } OPTIONAL,
279 crlExtensions [0] EXPLICIT Extensions OPTIONAL
280 -- if present, shall be v2 --
281 }
283 -- Version, Time, CertificateSerialNumber, and Extensions were
284 -- defined earlier for use in the certificate structure
286 AlgorithmIdentifier ::= SEQUENCE {
287 algorithm OBJECT IDENTIFIER,
288 parameters ANY DEFINED BY algorithm OPTIONAL }
289 -- contains a value of the type
290 -- registered for use with the
291 -- algorithm object identifier value
293 -- Algorithm OIDs and parameter structures
295 Dss-Sig-Value ::= SEQUENCE {
296 r INTEGER,
297 s INTEGER
298 }
300 DomainParameters ::= SEQUENCE {
301 p INTEGER, -- odd prime, p=jq +1
302 g INTEGER, -- generator, g
303 q INTEGER, -- factor of p-1
304 j INTEGER OPTIONAL, -- subgroup factor, j>= 2
305 validationParms ValidationParms OPTIONAL }
307 ValidationParms ::= SEQUENCE {
308 seed BIT STRING,
309 pgenCounter INTEGER }
311 Dss-Parms ::= SEQUENCE {
312 p INTEGER,
313 q INTEGER,
314 g INTEGER }
316 -- x400 address syntax starts here
317 -- OR Names
319 CountryName ::= [APPLICATION 1] CHOICE {
320 x121-dcc-code NumericString
321 (SIZE (ub-country-name-numeric-length)),
322 iso-3166-alpha2-code PrintableString
323 (SIZE (ub-country-name-alpha-length)) }
325 OrganizationName ::= PrintableString
326 (SIZE (1..ub-organization-name-length))
327 -- see also teletex-organization-name
329 NumericUserIdentifier ::= NumericString
330 (SIZE (1..ub-numeric-user-id-length))
332 -- see also teletex-personal-name
334 OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
335 OF OrganizationalUnitName
336 -- see also teletex-organizational-unit-names
338 OrganizationalUnitName ::= PrintableString (SIZE
339 (1..ub-organizational-unit-name-length))
341 -- Extension types and attribute values
342 --
344 CommonName ::= PrintableString
346 -- END of PKIX1Implicit88
349 -- BEGIN of RFC2630
351 -- Cryptographic Message Syntax
353 pkcs-7-ContentInfo ::= SEQUENCE {
354 contentType pkcs-7-ContentType,
355 content [0] EXPLICIT ANY DEFINED BY contentType }
357 pkcs-7-DigestInfo ::= SEQUENCE {
358 digestAlgorithm AlgorithmIdentifier,
359 digest OCTET STRING
360 }
362 pkcs-7-ContentType ::= OBJECT IDENTIFIER
364 pkcs-7-SignedData ::= SEQUENCE {
365 version INTEGER,
366 digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
367 encapContentInfo pkcs-7-EncapsulatedContentInfo,
368 certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
369 crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
370 signerInfos pkcs-7-SignerInfos
371 }
373 pkcs-7-DigestAlgorithmIdentifiers ::= SET OF AlgorithmIdentifier
375 pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
376 eContentType pkcs-7-ContentType,
377 eContent [0] EXPLICIT OCTET STRING OPTIONAL }
379 -- We don't use CertificateList here since we only want
380 -- to read the raw data.
381 pkcs-7-CertificateRevocationLists ::= SET OF ANY
383 pkcs-7-CertificateChoices ::= CHOICE {
384 -- Although the paper uses Certificate type, we
385 -- don't use it since, we don't need to parse it.
386 -- We only need to read and store it.
387 certificate ANY
388 }
390 pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices
392 pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it
393 -- anyway
396 -- BEGIN of RFC2986
398 -- Certificate requests
399 pkcs-10-CertificationRequestInfo ::= SEQUENCE {
400 version INTEGER,
401 subject Name,
402 subjectPKInfo SubjectPublicKeyInfo,
403 attributes [0] Attributes
404 }
406 Attributes ::= SET OF Attribute
408 pkcs-10-CertificationRequest ::= SEQUENCE {
409 certificationRequestInfo pkcs-10-CertificationRequestInfo,
410 signatureAlgorithm AlgorithmIdentifier,
411 signature BIT STRING
412 }
414 -- stuff from PKCS#9
416 pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 7}
418 pkcs-9-challengePassword ::= CHOICE {
419 printableString PrintableString,
420 utf8String UTF8String }
422 pkcs-9-localKeyId ::= OCTET STRING
424 -- PKCS #8 stuff
426 -- Private-key information syntax
428 pkcs-8-PrivateKeyInfo ::= SEQUENCE {
429 version INTEGER,
430 privateKeyAlgorithm AlgorithmIdentifier,
431 privateKey OCTET STRING,
432 attributes [0] Attributes OPTIONAL }
434 pkcs-8-Attributes ::= SET OF Attribute
436 -- Encrypted private-key information syntax
438 pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
439 encryptionAlgorithm AlgorithmIdentifier,
440 encryptedData pkcs-8-EncryptedData
441 }
443 pkcs-8-EncryptedData ::= OCTET STRING
445 -- PKCS #5 stuff
447 pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))
448 pkcs-5-aes128-CBC-params ::= OCTET STRING (SIZE(16))
449 pkcs-5-aes192-CBC-params ::= OCTET STRING (SIZE(16))
450 pkcs-5-aes256-CBC-params ::= OCTET STRING (SIZE(16))
452 pkcs-5-PBES2-params ::= SEQUENCE {
453 keyDerivationFunc AlgorithmIdentifier,
454 encryptionScheme AlgorithmIdentifier }
456 -- PBKDF2
458 -- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
459 -- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}
461 pkcs-5-PBKDF2-params ::= SEQUENCE {
462 salt CHOICE {
463 specified OCTET STRING,
464 otherSource AlgorithmIdentifier
465 },
466 iterationCount INTEGER (1..MAX),
467 keyLength INTEGER (1..MAX) OPTIONAL,
468 prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
469 }
471 -- PKCS #12 stuff
473 pkcs-12-PFX ::= SEQUENCE {
474 version INTEGER {v3(3)},
475 authSafe pkcs-7-ContentInfo,
476 macData pkcs-12-MacData OPTIONAL
477 }
479 pkcs-12-PbeParams ::= SEQUENCE {
480 salt OCTET STRING,
481 iterations INTEGER
482 }
484 pkcs-12-MacData ::= SEQUENCE {
485 mac pkcs-7-DigestInfo,
486 macSalt OCTET STRING,
487 iterations INTEGER DEFAULT 1
488 -- Note: The default is for historical reasons and its use is
489 -- deprecated. A higher value, like 1024 is recommended.
490 }
492 pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
493 -- Data if unencrypted
494 -- EncryptedData if password-encrypted
495 -- EnvelopedData if public key-encrypted
497 pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag
499 pkcs-12-SafeBag ::= SEQUENCE {
500 bagId OBJECT IDENTIFIER,
501 bagValue [0] EXPLICIT ANY DEFINED BY badId,
502 bagAttributes SET OF Attribute OPTIONAL
503 }
505 -- CertBag
507 pkcs-12-CertBag ::= SEQUENCE {
508 certId OBJECT IDENTIFIER,
509 certValue [0] EXPLICIT ANY DEFINED BY certId
510 }
512 -- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
513 -- DER-encoded X.509 certificate stored in OCTET STRING
515 pkcs-12-CRLBag ::= SEQUENCE {
516 crlId OBJECT IDENTIFIER,
517 crlValue [0] EXPLICIT ANY DEFINED BY crlId
518 }
520 pkcs-12-SecretBag ::= SEQUENCE {
521 secretTypeId OBJECT IDENTIFIER,
522 secretValue [0] EXPLICIT ANY DEFINED BY secretTypeId
523 }
525 -- x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
526 -- DER-encoded X.509 CRL stored in OCTET STRING
528 -- PKCS #7 stuff (needed in PKCS 12)
530 pkcs-7-Data ::= OCTET STRING
532 pkcs-7-EncryptedData ::= SEQUENCE {
533 version INTEGER,
534 encryptedContentInfo pkcs-7-EncryptedContentInfo,
535 unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }
537 pkcs-7-EncryptedContentInfo ::= SEQUENCE {
538 contentType pkcs-7-ContentType,
539 contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
540 encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }
542 pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
544 pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
546 -- rfc3820
548 ProxyCertInfo ::= SEQUENCE {
549 pCPathLenConstraint INTEGER (0..MAX) OPTIONAL,
550 proxyPolicy ProxyPolicy }
552 ProxyPolicy ::= SEQUENCE {
553 policyLanguage OBJECT IDENTIFIER,
554 policy OCTET STRING OPTIONAL }
556 -- 2.5.29.32
559 certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
561 PolicyInformation ::= SEQUENCE {
562 policyIdentifier OBJECT IDENTIFIER,
563 policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
565 PolicyQualifierInfo ::= SEQUENCE {
566 policyQualifierId OBJECT IDENTIFIER,
567 qualifier ANY DEFINED BY policyQualifierId }
569 CPSuri ::= IA5String
571 UserNotice ::= SEQUENCE {
572 noticeRef NoticeReference OPTIONAL,
573 explicitText DisplayText OPTIONAL }
575 NoticeReference ::= SEQUENCE {
576 organization DisplayText,
577 noticeNumbers SEQUENCE OF INTEGER }
579 DisplayText ::= CHOICE {
580 ia5String IA5String (SIZE (1..200)),
581 visibleString VisibleString (SIZE (1..200)),
582 bmpString BMPString (SIZE (1..200)),
583 utf8String UTF8String (SIZE (1..200)) }
585 -- rfc2560
587 OCSPRequest ::= SEQUENCE {
588 tbsRequest TBSRequest,
589 optionalSignature [0] EXPLICIT Signature OPTIONAL }
591 TBSRequest ::= SEQUENCE {
592 version [0] EXPLICIT INTEGER DEFAULT 0,
593 requestorName [1] EXPLICIT GeneralName OPTIONAL,
594 requestList SEQUENCE OF Request,
595 requestExtensions [2] EXPLICIT Extensions OPTIONAL }
597 Signature ::= SEQUENCE {
598 signatureAlgorithm AlgorithmIdentifier,
599 signature BIT STRING,
600 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
602 Request ::= SEQUENCE {
603 reqCert CertID,
604 singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
606 CertID ::= SEQUENCE {
607 hashAlgorithm AlgorithmIdentifier,
608 issuerNameHash OCTET STRING, -- Hash of Issuer's DN
609 issuerKeyHash OCTET STRING, -- Hash of Issuers public key
610 serialNumber CertificateSerialNumber }
612 OCSPResponse ::= SEQUENCE {
613 responseStatus OCSPResponseStatus,
614 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
616 OCSPResponseStatus ::= ENUMERATED {
617 successful (0), --Response has valid confirmations
618 malformedRequest (1), --Illegal confirmation request
619 internalError (2), --Internal error in issuer
620 tryLater (3), --Try again later
621 --(4) is not used
622 sigRequired (5), --Must sign the request
623 unauthorized (6) --Request unauthorized
624 }
626 ResponseBytes ::= SEQUENCE {
627 responseType OBJECT IDENTIFIER,
628 response OCTET STRING }
630 BasicOCSPResponse ::= SEQUENCE {
631 tbsResponseData ResponseData,
632 signatureAlgorithm AlgorithmIdentifier,
633 signature BIT STRING,
634 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
636 ResponseData ::= SEQUENCE {
637 version [0] EXPLICIT INTEGER DEFAULT 0,
638 responderID ResponderID,
639 producedAt GeneralizedTime,
640 responses SEQUENCE OF SingleResponse,
641 responseExtensions [1] EXPLICIT Extensions OPTIONAL }
643 ResponderID ::= CHOICE {
644 -- Changed to work with the libtasn1 parser.
645 byName [1] EXPLICIT RDNSequence, --Name
646 byKey [2] OCTET STRING --SHA-1 hash of responder's public key
647 }
649 SingleResponse ::= SEQUENCE {
650 certID CertID,
651 certStatus CertStatus,
652 thisUpdate GeneralizedTime,
653 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
654 singleExtensions [1] EXPLICIT Extensions OPTIONAL }
656 CertStatus ::= CHOICE {
657 good [0] IMPLICIT NULL,
658 revoked [1] IMPLICIT RevokedInfo,
659 unknown [2] IMPLICIT UnknownInfo }
661 RevokedInfo ::= SEQUENCE {
662 revocationTime GeneralizedTime,
663 revocationReason [0] EXPLICIT CRLReason OPTIONAL }
665 UnknownInfo ::= NULL -- this can be replaced with an enumeration
667 -- rfc5280
669 CRLReason ::= ENUMERATED {
670 unspecified (0),
671 keyCompromise (1),
672 cACompromise (2),
673 affiliationChanged (3),
674 superseded (4),
675 cessationOfOperation (5),
676 certificateHold (6),
677 removeFromCRL (8),
678 privilegeWithdrawn (9),
679 aACompromise (10) }
681 END