4 DEFINITIONS IMPLICIT TAGS ::=
8 -- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
10 -- ISO arc for standard certificate and CRL extensions
12 id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
15 -- authority key identifier OID and syntax
17 id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
19 AuthorityKeyIdentifier ::= SEQUENCE {
20 keyIdentifier [0] KeyIdentifier OPTIONAL,
21 authorityCertIssuer [1] GeneralNames OPTIONAL,
22 authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
23 -- authorityCertIssuer and authorityCertSerialNumber shall both
24 -- be present or both be absgent
26 KeyIdentifier ::= OCTET STRING
28 -- subject key identifier OID and syntax
30 id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
32 SubjectKeyIdentifier ::= KeyIdentifier
34 -- key usage extension OID and syntax
36 id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
38 KeyUsage ::= BIT STRING {
49 -- private key usage period extension OID and syntax
51 id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
53 PrivateKeyUsagePeriod ::= SEQUENCE {
54 notBefore [0] GeneralizedTime OPTIONAL,
55 notAfter [1] GeneralizedTime OPTIONAL }
56 -- either notBefore or notAfter shall be present
58 -- certificate policies extension OID and syntax
60 id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
62 CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
64 PolicyInformation ::= SEQUENCE {
65 policyIdentifier CertPolicyId,
66 policyQualifiers SEQUENCE SIZE (1..MAX) OF
67 PolicyQualifierInfo OPTIONAL }
69 CertPolicyId ::= OBJECT IDENTIFIER
71 PolicyQualifierInfo ::= SEQUENCE {
72 policyQualifierId PolicyQualifierId,
73 qualifier ANY DEFINED BY policyQualifierId }
75 -- Implementations that recognize additional policy qualifiers shall
76 -- augment the following definition for PolicyQualifierId
79 OBJECT IDENTIFIER -- ( id-qt-cps | id-qt-unotice )
81 -- CPS pointer qualifier
85 -- user notice qualifier
87 UserNotice ::= SEQUENCE {
88 noticeRef NoticeReference OPTIONAL,
89 explicitText DisplayText OPTIONAL}
91 NoticeReference ::= SEQUENCE {
92 organization DisplayText,
93 noticeNumbers SEQUENCE OF INTEGER }
95 DisplayText ::= CHOICE {
96 visibleString VisibleString (SIZE (1..200)),
97 bmpString BMPString (SIZE (1..200)),
98 utf8String UTF8String (SIZE (1..200)) }
100 -- policy mapping extension OID and syntax
102 id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
104 PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
105 issuerDomainPolicy CertPolicyId,
106 subjectDomainPolicy CertPolicyId }
108 -- subject alternative name extension OID and syntax
110 -- Directory string type --
112 DirectoryString ::= CHOICE {
113 teletexString TeletexString (SIZE (1..MAX)),
114 printableString PrintableString (SIZE (1..MAX)),
115 universalString UniversalString (SIZE (1..MAX)),
116 utf8String UTF8String (SIZE (1..MAX)),
117 bmpString BMPString (SIZE(1..MAX)) }
119 id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
121 SubjectAltName ::= GeneralNames
123 GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
125 GeneralName ::= CHOICE {
126 otherName [0] AnotherName,
127 rfc822Name [1] IA5String,
128 dNSName [2] IA5String,
129 x400Address [3] ORAddress,
130 -- Changed to work with the libtasn1 parser.
131 directoryName [4] EXPLICIT RDNSequence, --Name,
132 ediPartyName [5] EDIPartyName,
133 uniformResourceIdentifier [6] IA5String,
134 iPAddress [7] OCTET STRING,
135 registeredID [8] OBJECT IDENTIFIER }
137 -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
138 -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
140 AnotherName ::= SEQUENCE {
141 type-id OBJECT IDENTIFIER,
142 value [0] EXPLICIT ANY DEFINED BY type-id }
144 EDIPartyName ::= SEQUENCE {
145 nameAssigner [0] DirectoryString OPTIONAL,
146 partyName [1] DirectoryString }
148 -- issuer alternative name extension OID and syntax
150 id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
152 IssuerAltName ::= GeneralNames
154 id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
156 SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
158 -- basic constraints extension OID and syntax
160 id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
162 BasicConstraints ::= SEQUENCE {
163 cA BOOLEAN DEFAULT FALSE,
164 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
166 -- name constraints extension OID and syntax
168 id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
170 NameConstraints ::= SEQUENCE {
171 permittedSubtrees [0] GeneralSubtrees OPTIONAL,
172 excludedSubtrees [1] GeneralSubtrees OPTIONAL }
174 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
176 GeneralSubtree ::= SEQUENCE {
178 minimum [0] BaseDistance DEFAULT 0,
179 maximum [1] BaseDistance OPTIONAL }
181 BaseDistance ::= INTEGER (0..MAX)
183 -- policy constraints extension OID and syntax
185 id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
187 PolicyConstraints ::= SEQUENCE {
188 requireExplicitPolicy [0] SkipCerts OPTIONAL,
189 inhibitPolicyMapping [1] SkipCerts OPTIONAL }
191 SkipCerts ::= INTEGER (0..MAX)
193 -- CRL distribution points extension OID and syntax
195 id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
197 CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
199 DistributionPoint ::= SEQUENCE {
200 distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL,
201 reasons [1] ReasonFlags OPTIONAL,
202 cRLIssuer [2] GeneralNames OPTIONAL
205 DistributionPointName ::= CHOICE {
206 fullName [0] GeneralNames,
207 nameRelativeToCRLIssuer [1] RelativeDistinguishedName
210 ReasonFlags ::= BIT STRING {
214 affiliationChanged (3),
216 cessationOfOperation (5),
218 privilegeWithdrawn (7),
221 -- extended key usage extension OID and syntax
223 id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
225 ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
227 KeyPurposeId ::= OBJECT IDENTIFIER
229 -- extended key purpose OIDs
230 id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
231 id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
232 id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
233 id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
234 id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 }
235 id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 }
236 id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 }
237 id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
239 -- authority info access
241 id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
243 AuthorityInfoAccessSyntax ::=
244 SEQUENCE SIZE (1..MAX) OF AccessDescription
246 AccessDescription ::= SEQUENCE {
247 accessMethod OBJECT IDENTIFIER,
248 accessLocation GeneralName }
250 -- CRL number extension OID and syntax
252 id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
254 CRLNumber ::= INTEGER (0..MAX)
256 -- issuing distribution point extension OID and syntax
258 id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
260 IssuingDistributionPoint ::= SEQUENCE {
261 distributionPoint [0] DistributionPointName OPTIONAL,
262 onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
263 onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
264 onlySomeReasons [3] ReasonFlags OPTIONAL,
265 indirectCRL [4] BOOLEAN DEFAULT FALSE }
268 id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
270 -- deltaCRLIndicator ::= BaseCRLNumber
272 BaseCRLNumber ::= CRLNumber
274 -- CRL reasons extension OID and syntax
276 id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
278 CRLReason ::= ENUMERATED {
282 affiliationChanged (3),
284 cessationOfOperation (5),
288 -- certificate issuer CRL entry extension OID and syntax
290 id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
292 CertificateIssuer ::= GeneralNames
294 -- hold instruction extension OID and syntax
296 id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
298 HoldInstructionCode ::= OBJECT IDENTIFIER
300 -- ANSI x9 holdinstructions
302 -- ANSI x9 arc holdinstruction arc
303 holdInstruction OBJECT IDENTIFIER ::=
304 {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
306 -- ANSI X9 holdinstructions referenced by this standard
307 id-holdinstruction-none OBJECT IDENTIFIER ::=
308 {holdInstruction 1} -- deprecated
309 id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
311 id-holdinstruction-reject OBJECT IDENTIFIER ::=
314 -- invalidity date CRL entry extension OID and syntax
316 id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
318 InvalidityDate ::= GeneralizedTime
321 -- --------------------------------------
323 -- --------------------------------------
325 -- UNIVERSAL Types defined in '93 and '98 ASN.1
326 -- but required by this specification
328 VisibleString ::= [UNIVERSAL 26] IMPLICIT OCTET STRING
330 NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING
332 IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING
334 TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING
336 PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING
338 UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
339 -- UniversalString is defined in ASN.1:1993
341 BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
342 -- BMPString is the subtype of UniversalString and models
343 -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1
345 UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
346 -- The content of this type conforms to RFC 2279.
349 -- PKIX specific OIDs
351 id-pkix OBJECT IDENTIFIER ::=
352 { iso(1) identified-organization(3) dod(6) internet(1)
353 security(5) mechanisms(5) pkix(7) }
357 id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
358 -- arc for private certificate extensions
359 id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
360 -- arc for policy qualifier types
361 id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
362 -- arc for extended key purpose OIDS
363 id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
364 -- arc for access descriptors
366 -- policyQualifierIds for Internet policy qualifiers
368 id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
369 -- OID for CPS qualifier
370 id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
371 -- OID for user notice qualifier
373 -- access descriptor definitions
375 id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
376 id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
378 -- attribute data types --
380 Attribute ::= SEQUENCE {
382 values SET OF AttributeValue
383 -- at least one value is required --
386 AttributeType ::= OBJECT IDENTIFIER
388 AttributeValue ::= ANY DEFINED BY type
390 AttributeTypeAndValue ::= SEQUENCE {
392 value AttributeValue }
394 -- suggested naming attributes: Definition of the following
395 -- information object set may be augmented to meet local
396 -- requirements. Note that deleting members of the set may
397 -- prevent interoperability with conforming implementations.
398 -- presented in pairs: the AttributeType followed by the
399 -- type definition for the corresponding AttributeValue
401 -- Arc for standard naming attributes
402 id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
404 -- Attributes of type NameDirectoryString
405 id-at-initials AttributeType ::= { id-at 43 }
406 X520initials ::= DirectoryString
408 id-at-generationQualifier AttributeType ::= { id-at 44 }
409 X520generationQualifier ::= DirectoryString
411 id-at-surname AttributeType ::= { id-at 4 }
412 X520surName ::= DirectoryString
414 id-at-givenName AttributeType ::= { id-at 42 }
415 X520givenName ::= DirectoryString
417 id-at-name AttributeType ::= { id-at 41 }
418 X520name ::= DirectoryString
420 id-at-commonName AttributeType ::= {id-at 3}
421 X520CommonName ::= DirectoryString
423 id-at-localityName AttributeType ::= {id-at 7}
424 X520LocalityName ::= DirectoryString
426 id-at-stateOrProvinceName AttributeType ::= {id-at 8}
427 X520StateOrProvinceName ::= DirectoryString
429 id-at-organizationName AttributeType ::= {id-at 10}
430 X520OrganizationName ::= DirectoryString
432 id-at-organizationalUnitName AttributeType ::= {id-at 11}
433 X520OrganizationalUnitName ::= DirectoryString
435 id-at-title AttributeType ::= {id-at 12}
436 X520Title ::= DirectoryString
438 id-at-description AttributeType ::= {id-at 13}
439 X520Description ::= DirectoryString
441 id-at-dnQualifier AttributeType ::= {id-at 46}
442 X520dnQualifier ::= PrintableString
444 id-at-countryName AttributeType ::= {id-at 6}
445 X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes
447 id-at-serialNumber AttributeType ::= {id-at 5}
448 X520serialNumber ::= PrintableString
450 id-at-telephoneNumber AttributeType ::= {id-at 20}
451 X520telephoneNumber ::= PrintableString
453 id-at-facsimileTelephoneNumber AttributeType ::= {id-at 23}
454 X520facsimileTelephoneNumber ::= PrintableString
456 id-at-pseudonym AttributeType ::= {id-at 65}
457 X520pseudonym ::= DirectoryString
459 id-at-name AttributeType ::= {id-at 41}
460 X520name ::= DirectoryString
462 id-at-streetAddress AttributeType ::= {id-at 9}
463 X520streetAddress ::= DirectoryString
465 id-at-postalAddress AttributeType ::= {id-at 16}
466 X520postalAddress ::= PostalAddress
468 PostalAddress ::= SEQUENCE OF DirectoryString
473 pkcs OBJECT IDENTIFIER ::=
474 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) }
476 pkcs-9 OBJECT IDENTIFIER ::=
480 emailAddress AttributeType ::= { pkcs-9 1 }
482 Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
484 -- naming data types --
486 Name ::= CHOICE { -- only one possibility for now --
487 rdnSequence RDNSequence }
489 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
491 DistinguishedName ::= RDNSequence
493 RelativeDistinguishedName ::=
494 SET SIZE (1 .. MAX) OF AttributeTypeAndValue
498 -- --------------------------------------------------------
499 -- certificate and CRL specific structures begin here
500 -- --------------------------------------------------------
502 Certificate ::= SEQUENCE {
503 tbsCertificate TBSCertificate,
504 signatureAlgorithm AlgorithmIdentifier,
505 signature BIT STRING }
507 TBSCertificate ::= SEQUENCE {
508 version [0] EXPLICIT Version DEFAULT v1,
509 serialNumber CertificateSerialNumber,
510 signature AlgorithmIdentifier,
514 subjectPublicKeyInfo SubjectPublicKeyInfo,
515 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
516 -- If present, version shall be v2 or v3
517 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
518 -- If present, version shall be v2 or v3
519 extensions [3] EXPLICIT Extensions OPTIONAL
520 -- If present, version shall be v3 --
523 Version ::= INTEGER { v1(0), v2(1), v3(2) }
525 CertificateSerialNumber ::= INTEGER
527 Validity ::= SEQUENCE {
533 generalTime GeneralizedTime }
535 UniqueIdentifier ::= BIT STRING
537 SubjectPublicKeyInfo ::= SEQUENCE {
538 algorithm AlgorithmIdentifier,
539 subjectPublicKey BIT STRING }
541 Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
543 Extension ::= SEQUENCE {
544 extnID OBJECT IDENTIFIER,
545 critical BOOLEAN DEFAULT FALSE,
546 extnValue OCTET STRING }
549 -- ------------------------------------------
551 -- ------------------------------------------
553 CertificateList ::= SEQUENCE {
554 tbsCertList TBSCertList,
555 signatureAlgorithm AlgorithmIdentifier,
556 signature BIT STRING }
558 TBSCertList ::= SEQUENCE {
559 version Version OPTIONAL,
560 -- if present, shall be v2
561 signature AlgorithmIdentifier,
564 nextUpdate Time OPTIONAL,
565 revokedCertificates SEQUENCE OF SEQUENCE {
566 userCertificate CertificateSerialNumber,
568 crlEntryExtensions Extensions OPTIONAL
569 -- if present, shall be v2
571 crlExtensions [0] EXPLICIT Extensions OPTIONAL
572 -- if present, shall be v2 --
575 -- Version, Time, CertificateSerialNumber, and Extensions were
576 -- defined earlier for use in the certificate structure
578 AlgorithmIdentifier ::= SEQUENCE {
579 algorithm OBJECT IDENTIFIER,
580 parameters ANY DEFINED BY algorithm OPTIONAL }
581 -- contains a value of the type
582 -- registered for use with the
583 -- algorithm object identifier value
585 -- Algorithm OIDs and parameter structures
587 pkcs-1 OBJECT IDENTIFIER ::= {
590 rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
592 md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
594 md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
596 sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
598 id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
599 iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
601 Dss-Sig-Value ::= SEQUENCE {
606 dhpublicnumber OBJECT IDENTIFIER ::= {
607 iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
609 DomainParameters ::= SEQUENCE {
610 p INTEGER, -- odd prime, p=jq +1
611 g INTEGER, -- generator, g
612 q INTEGER, -- factor of p-1
613 j INTEGER OPTIONAL, -- subgroup factor, j>= 2
614 validationParms ValidationParms OPTIONAL }
616 ValidationParms ::= SEQUENCE {
618 pgenCounter INTEGER }
620 id-dsa OBJECT IDENTIFIER ::= {
621 iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
623 Dss-Parms ::= SEQUENCE {
628 -- x400 address syntax starts here
631 ORAddress ::= SEQUENCE {
632 built-in-standard-attributes BuiltInStandardAttributes,
633 built-in-domain-defined-attributes
634 BuiltInDomainDefinedAttributes OPTIONAL,
635 -- see also teletex-domain-defined-attributes
636 extension-attributes ExtensionAttributes OPTIONAL }
637 -- The OR-address is semantically absent from the OR-name if the
638 -- built-in-standard-attribute sequence is empty and the
639 -- built-in-domain-defined-attributes and extension-attributes are
642 -- Built-in Standard Attributes
644 BuiltInStandardAttributes ::= SEQUENCE {
645 country-name CountryName OPTIONAL,
646 administration-domain-name AdministrationDomainName OPTIONAL,
647 network-address [0] EXPLICIT NetworkAddress OPTIONAL,
648 -- see also extended-network-address
649 terminal-identifier [1] EXPLICIT TerminalIdentifier OPTIONAL,
650 private-domain-name [2] EXPLICIT PrivateDomainName OPTIONAL,
651 organization-name [3] EXPLICIT OrganizationName OPTIONAL,
652 -- see also teletex-organization-name
653 numeric-user-identifier [4] EXPLICIT NumericUserIdentifier OPTIONAL,
654 personal-name [5] EXPLICIT PersonalName OPTIONAL,
655 -- see also teletex-personal-name
656 organizational-unit-names [6] EXPLICIT OrganizationalUnitNames OPTIONAL
657 -- see also teletex-organizational-unit-names --
660 CountryName ::= [APPLICATION 1] CHOICE {
661 x121-dcc-code NumericString
662 (SIZE (ub-country-name-numeric-length)),
663 iso-3166-alpha2-code PrintableString
664 (SIZE (ub-country-name-alpha-length)) }
666 AdministrationDomainName ::= [APPLICATION 2] EXPLICIT CHOICE {
667 numeric NumericString (SIZE (0..ub-domain-name-length)),
668 printable PrintableString (SIZE (0..ub-domain-name-length)) }
670 NetworkAddress ::= X121Address -- see also extended-network-address
672 X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
674 TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
676 PrivateDomainName ::= CHOICE {
677 numeric NumericString (SIZE (1..ub-domain-name-length)),
678 printable PrintableString (SIZE (1..ub-domain-name-length)) }
680 OrganizationName ::= PrintableString
681 (SIZE (1..ub-organization-name-length))
682 -- see also teletex-organization-name
684 NumericUserIdentifier ::= NumericString
685 (SIZE (1..ub-numeric-user-id-length))
687 PersonalName ::= SET {
688 surname [0] PrintableString (SIZE (1..ub-surname-length)),
689 given-name [1] PrintableString
690 (SIZE (1..ub-given-name-length)) OPTIONAL,
691 initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
692 generation-qualifier [3] PrintableString
693 (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
694 -- see also teletex-personal-name
696 OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
697 OF OrganizationalUnitName
698 -- see also teletex-organizational-unit-names
700 OrganizationalUnitName ::= PrintableString (SIZE
701 (1..ub-organizational-unit-name-length))
703 -- Built-in Domain-defined Attributes
705 BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
706 (1..ub-domain-defined-attributes) OF
707 BuiltInDomainDefinedAttribute
709 BuiltInDomainDefinedAttribute ::= SEQUENCE {
710 type PrintableString (SIZE
711 (1..ub-domain-defined-attribute-type-length)),
712 value PrintableString (SIZE
713 (1..ub-domain-defined-attribute-value-length))}
715 -- Extension Attributes
717 ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
720 ExtensionAttribute ::= SEQUENCE {
721 extension-attribute-type [0] EXPLICIT INTEGER (0..ub-extension-attributes),
722 extension-attribute-value [1] EXPLICIT
723 ANY DEFINED BY extension-attribute-type }
725 -- Extension types and attribute values
728 common-name INTEGER ::= 1
730 CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
732 teletex-common-name INTEGER ::= 2
734 TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
736 teletex-organization-name INTEGER ::= 3
738 TeletexOrganizationName ::=
739 TeletexString (SIZE (1..ub-organization-name-length))
741 teletex-personal-name INTEGER ::= 4
743 TeletexPersonalName ::= SET {
744 surname [0] EXPLICIT TeletexString (SIZE (1..ub-surname-length)),
745 given-name [1] EXPLICIT TeletexString
746 (SIZE (1..ub-given-name-length)) OPTIONAL,
747 initials [2] EXPLICIT TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
748 generation-qualifier [3] EXPLICIT TeletexString (SIZE
749 (1..ub-generation-qualifier-length)) OPTIONAL }
751 teletex-organizational-unit-names INTEGER ::= 5
753 TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
754 (1..ub-organizational-units) OF TeletexOrganizationalUnitName
756 TeletexOrganizationalUnitName ::= TeletexString
757 (SIZE (1..ub-organizational-unit-name-length))
759 pds-name INTEGER ::= 7
761 PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
763 physical-delivery-country-name INTEGER ::= 8
765 PhysicalDeliveryCountryName ::= CHOICE {
766 x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
767 iso-3166-alpha2-code PrintableString
768 (SIZE (ub-country-name-alpha-length)) }
770 postal-code INTEGER ::= 9
772 PostalCode ::= CHOICE {
773 numeric-code NumericString (SIZE (1..ub-postal-code-length)),
774 printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
776 physical-delivery-office-name INTEGER ::= 10
778 PhysicalDeliveryOfficeName ::= PDSParameter
780 physical-delivery-office-number INTEGER ::= 11
782 PhysicalDeliveryOfficeNumber ::= PDSParameter
784 extension-OR-address-components INTEGER ::= 12
786 ExtensionORAddressComponents ::= PDSParameter
788 physical-delivery-personal-name INTEGER ::= 13
790 PhysicalDeliveryPersonalName ::= PDSParameter
792 physical-delivery-organization-name INTEGER ::= 14
794 PhysicalDeliveryOrganizationName ::= PDSParameter
796 extension-physical-delivery-address-components INTEGER ::= 15
798 ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
800 unformatted-postal-address INTEGER ::= 16
802 UnformattedPostalAddress ::= SET {
803 printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
804 PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
805 teletex-string TeletexString
806 (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
808 street-address INTEGER ::= 17
810 StreetAddress ::= PDSParameter
812 post-office-box-address INTEGER ::= 18
814 PostOfficeBoxAddress ::= PDSParameter
816 poste-restante-address INTEGER ::= 19
818 PosteRestanteAddress ::= PDSParameter
820 unique-postal-name INTEGER ::= 20
822 UniquePostalName ::= PDSParameter
824 local-postal-attributes INTEGER ::= 21
826 LocalPostalAttributes ::= PDSParameter
828 PDSParameter ::= SET {
829 printable-string PrintableString
830 (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
831 teletex-string TeletexString
832 (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
834 extended-network-address INTEGER ::= 22
836 ExtendedNetworkAddress ::= CHOICE {
837 e163-4-address SEQUENCE {
838 number [0] EXPLICIT NumericString (SIZE (1..ub-e163-4-number-length)),
839 sub-address [1] EXPLICIT NumericString
840 (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
841 psap-address [0] EXPLICIT PresentationAddress }
843 PresentationAddress ::= SEQUENCE {
844 pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
845 sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
846 tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
847 nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
849 terminal-type INTEGER ::= 23
851 TerminalType ::= INTEGER {
857 videotex (8) } -- (0..ub-integer-options)
859 -- Extension Domain-defined Attributes
861 teletex-domain-defined-attributes INTEGER ::= 6
863 TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
864 (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
866 TeletexDomainDefinedAttribute ::= SEQUENCE {
868 (SIZE (1..ub-domain-defined-attribute-type-length)),
870 (SIZE (1..ub-domain-defined-attribute-value-length)) }
872 -- specifications of Upper Bounds shall be regarded as mandatory
873 -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
877 ub-name INTEGER ::= 32768
878 ub-common-name INTEGER ::= 64
879 ub-locality-name INTEGER ::= 128
880 ub-state-name INTEGER ::= 128
881 ub-organization-name INTEGER ::= 64
882 ub-organizational-unit-name INTEGER ::= 64
883 ub-title INTEGER ::= 64
884 ub-match INTEGER ::= 128
886 ub-emailaddress-length INTEGER ::= 128
888 ub-common-name-length INTEGER ::= 64
889 ub-country-name-alpha-length INTEGER ::= 2
890 ub-country-name-numeric-length INTEGER ::= 3
891 ub-domain-defined-attributes INTEGER ::= 4
892 ub-domain-defined-attribute-type-length INTEGER ::= 8
893 ub-domain-defined-attribute-value-length INTEGER ::= 128
894 ub-domain-name-length INTEGER ::= 16
895 ub-extension-attributes INTEGER ::= 256
896 ub-e163-4-number-length INTEGER ::= 15
897 ub-e163-4-sub-address-length INTEGER ::= 40
898 ub-generation-qualifier-length INTEGER ::= 3
899 ub-given-name-length INTEGER ::= 16
900 ub-initials-length INTEGER ::= 5
901 ub-integer-options INTEGER ::= 256
902 ub-numeric-user-id-length INTEGER ::= 32
903 ub-organization-name-length INTEGER ::= 64
904 ub-organizational-unit-name-length INTEGER ::= 32
905 ub-organizational-units INTEGER ::= 4
906 ub-pds-name-length INTEGER ::= 16
907 ub-pds-parameter-length INTEGER ::= 30
908 ub-pds-physical-address-lines INTEGER ::= 6
909 ub-postal-code-length INTEGER ::= 16
910 ub-surname-length INTEGER ::= 40
911 ub-terminal-id-length INTEGER ::= 24
912 ub-unformatted-address-length INTEGER ::= 180
913 ub-x121-address-length INTEGER ::= 16
915 -- Note - upper bounds on string types, such as TeletexString, are
916 -- measured in characters. Excepting PrintableString or IA5String, a
917 -- significantly greater number of octets will be required to hold
918 -- such a value. As a minimum, 16 octets, or twice the specified upper
919 -- bound, whichever is the larger, should be allowed for TeletexString.
920 -- For UTF8String or UniversalString at least four times the upper
921 -- bound should be allowed.
925 -- END of PKIX1Implicit88
930 -- Cryptographic Message Syntax
932 pkcs-7-ContentInfo ::= SEQUENCE {
933 contentType pkcs-7-ContentType,
934 content [0] EXPLICIT ANY DEFINED BY contentType }
936 pkcs-7-DigestInfo ::= SEQUENCE {
937 digestAlgorithm pkcs-7-DigestAlgorithmIdentifier,
941 pkcs-7-Digest ::= OCTET STRING
943 pkcs-7-ContentType ::= OBJECT IDENTIFIER
945 pkcs-7-SignedData ::= SEQUENCE {
946 version pkcs-7-CMSVersion,
947 digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
948 encapContentInfo pkcs-7-EncapsulatedContentInfo,
949 certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
950 crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
951 signerInfos pkcs-7-SignerInfos
954 pkcs-7-CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
956 pkcs-7-DigestAlgorithmIdentifiers ::= SET OF pkcs-7-DigestAlgorithmIdentifier
958 pkcs-7-DigestAlgorithmIdentifier ::= AlgorithmIdentifier
960 pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
961 eContentType pkcs-7-ContentType,
962 eContent [0] EXPLICIT OCTET STRING OPTIONAL }
964 -- We don't use CertificateList here since we only want
965 -- to read the raw data.
966 pkcs-7-CertificateRevocationLists ::= SET OF ANY
968 pkcs-7-CertificateChoices ::= CHOICE {
969 -- Although the paper uses Certificate type, we
970 -- don't use it since, we don't need to parse it.
971 -- We only need to read and store it.
975 pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices
977 pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it
983 -- Certificate requests
984 pkcs-10-CertificationRequestInfo ::= SEQUENCE {
985 version INTEGER { v1(0) },
987 subjectPKInfo SubjectPublicKeyInfo,
988 attributes [0] Attributes
991 Attributes ::= SET OF Attribute
993 pkcs-10-CertificationRequest ::= SEQUENCE {
994 certificationRequestInfo pkcs-10-CertificationRequestInfo,
995 signatureAlgorithm AlgorithmIdentifier,
1001 pkcs-9-ub-challengePassword INTEGER ::= 255
1003 pkcs-9-certTypes OBJECT IDENTIFIER ::= {pkcs-9 22}
1004 pkcs-9-crlTypes OBJECT IDENTIFIER ::= {pkcs-9 23}
1006 pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {pkcs-9 7}
1008 pkcs-9-challengePassword ::= CHOICE {
1009 printableString PrintableString (SIZE (1..pkcs-9-ub-challengePassword)),
1010 utf8String UTF8String (SIZE (1..pkcs-9-ub-challengePassword)) }
1012 pkcs-9-at-localKeyId OBJECT IDENTIFIER ::= {pkcs-9 21}
1014 pkcs-9-localKeyId ::= OCTET STRING
1016 pkcs-9-at-friendlyName OBJECT IDENTIFIER ::= {pkcs-9 20}
1018 pkcs-9-friendlyName ::= BMPString (SIZE (1..255))
1022 -- Private-key information syntax
1024 pkcs-8-PrivateKeyInfo ::= SEQUENCE {
1025 version pkcs-8-Version,
1026 privateKeyAlgorithm AlgorithmIdentifier,
1027 privateKey pkcs-8-PrivateKey,
1028 attributes [0] Attributes OPTIONAL }
1030 pkcs-8-Version ::= INTEGER {v1(0)}
1032 pkcs-8-PrivateKey ::= OCTET STRING
1034 pkcs-8-Attributes ::= SET OF Attribute
1036 -- Encrypted private-key information syntax
1038 pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
1039 encryptionAlgorithm AlgorithmIdentifier,
1040 encryptedData pkcs-8-EncryptedData
1043 pkcs-8-EncryptedData ::= OCTET STRING
1047 pkcs-5 OBJECT IDENTIFIER ::=
1050 pkcs-5-encryptionAlgorithm OBJECT IDENTIFIER ::=
1051 { iso(1) member-body(2) us(840) rsadsi(113549) 3 }
1053 pkcs-5-des-EDE3-CBC OBJECT IDENTIFIER ::= {pkcs-5-encryptionAlgorithm 7}
1055 pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))
1057 pkcs-5-id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
1059 pkcs-5-PBES2-params ::= SEQUENCE {
1060 keyDerivationFunc AlgorithmIdentifier,
1061 encryptionScheme AlgorithmIdentifier }
1065 pkcs-5-id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
1067 -- pkcs-5-id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) 2 7}
1069 -- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
1070 -- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}
1072 pkcs-5-PBKDF2-params ::= SEQUENCE {
1074 specified OCTET STRING,
1075 otherSource AlgorithmIdentifier
1077 iterationCount INTEGER (1..MAX),
1078 keyLength INTEGER (1..MAX) OPTIONAL,
1079 prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
1084 pkcs-12 OBJECT IDENTIFIER ::= {pkcs 12}
1086 pkcs-12-PFX ::= SEQUENCE {
1087 version INTEGER {v3(3)},
1088 authSafe pkcs-7-ContentInfo,
1089 macData pkcs-12-MacData OPTIONAL
1092 pkcs-12-PbeParams ::= SEQUENCE {
1097 pkcs-12-MacData ::= SEQUENCE {
1098 mac pkcs-7-DigestInfo,
1099 macSalt OCTET STRING,
1100 iterations INTEGER DEFAULT 1
1101 -- Note: The default is for historical reasons and its use is
1102 -- deprecated. A higher value, like 1024 is recommended.
1105 pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
1106 -- Data if unencrypted
1107 -- EncryptedData if password-encrypted
1108 -- EnvelopedData if public key-encrypted
1110 pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag
1112 pkcs-12-SafeBag ::= SEQUENCE {
1113 bagId OBJECT IDENTIFIER,
1114 bagValue [0] EXPLICIT ANY DEFINED BY badId,
1115 bagAttributes SET OF pkcs-12-PKCS12Attribute OPTIONAL
1121 pkcs-12-bagtypes OBJECT IDENTIFIER ::= {pkcs-12 10 1}
1123 pkcs-12-keyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 1}
1124 pkcs-12-pkcs8ShroudedKeyBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 2}
1125 pkcs-12-certBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 3}
1126 pkcs-12-crlBag OBJECT IDENTIFIER ::= {pkcs-12-bagtypes 4}
1128 pkcs-12-KeyBag ::= pkcs-8-PrivateKeyInfo
1132 pkcs-12-PKCS8ShroudedKeyBag ::= pkcs-8-EncryptedPrivateKeyInfo
1136 pkcs-12-CertBag ::= SEQUENCE {
1137 certId OBJECT IDENTIFIER,
1138 certValue [0] EXPLICIT ANY DEFINED BY certId
1141 -- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
1142 -- DER-encoded X.509 certificate stored in OCTET STRING
1144 pkcs-12-CRLBag ::= SEQUENCE {
1145 crlId OBJECT IDENTIFIER,
1146 crlValue [0] EXPLICIT ANY DEFINED BY crlId
1149 -- x509CRL BAG-TYPE ::=
1150 -- {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
1151 -- DER-encoded X.509 CRL stored in OCTET STRING
1153 pkcs-12-PKCS12Attribute ::= Attribute
1155 -- PKCS #7 stuff (needed in PKCS 12)
1157 pkcs-7-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1158 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
1160 pkcs-7-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1161 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
1163 pkcs-7-Data ::= OCTET STRING
1165 pkcs-7-EncryptedData ::= SEQUENCE {
1166 version pkcs-7-CMSVersion,
1167 encryptedContentInfo pkcs-7-EncryptedContentInfo,
1168 unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }
1170 pkcs-7-EncryptedContentInfo ::= SEQUENCE {
1171 contentType pkcs-7-ContentType,
1172 contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
1173 encryptedContent [0] IMPLICIT pkcs-7-EncryptedContent OPTIONAL }
1175 pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1177 pkcs-7-EncryptedContent ::= OCTET STRING
1179 pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
1182 -- may not be correct
1184 id-at-ldap-DC AttributeType ::= { 0 9 2342 19200300 100 1 25 }
1186 ldap-DC ::= IA5String
1188 id-at-ldap-UID AttributeType ::= { 0 9 2342 19200300 100 1 1 }
1190 ldap-UID ::= IA5String
1194 id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
1196 id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
1197 DateOfBirth ::= GeneralizedTime
1199 id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
1200 PlaceOfBirth ::= DirectoryString
1202 id-pda-gender AttributeType ::= { id-pda 3 }
1203 Gender ::= PrintableString (SIZE(1))
1204 -- "M", "F", "m" or "f"
1206 id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
1207 CountryOfCitizenship ::= PrintableString (SIZE (2))
1208 -- ISO 3166 Country Code
1210 id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
1211 CountryOfResidence ::= PrintableString (SIZE (2))
1212 -- ISO 3166 Country Code