path: root/lib/asn1/test/asn1_SUITE_data/rfcs/PKIX1Implicit-2009.asn1
   -- Review notes are added below as ASN.1 comments marked NOTE(review);
   -- the definitions themselves are the 2009 PKIX implicit-tags module
   -- (RFC 5912) kept as test data and are unchanged.
   PKIX1Implicit-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
   DEFINITIONS IMPLICIT TAGS ::=
   -- NOTE(review): IMPLICIT TAGS is the module default, so each
   -- context-specific tag ([0], [1], ...) used below replaces the tag of
   -- the underlying type rather than wrapping it.  A decoder that assumes
   -- explicit tagging for these structures will misparse them.
   BEGIN
   IMPORTS

   AttributeSet{}, EXTENSION, ATTRIBUTE
   FROM PKIX-CommonTypes-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

   id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name,
       RelativeDistinguishedName, CertificateSerialNumber,
       DirectoryString{}, SupportedAttributes
   FROM PKIX1Explicit-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) };
   -- NOTE(review): the EXTENSION information object class is imported
   -- from PKIX-CommonTypes-2009.  The ext-* objects in this module only
   -- bind a value syntax to an OID; the criticality of an extension is
   -- presumably carried by that class, not by anything here -- confirm
   -- against the imported module.

   -- Extension object sets.  Each set lists the extensions a decoder can
   -- resolve by OID.  The trailing "..." makes every set extensible, so
   -- an extension whose OID is not listed is still schema-valid and its
   -- value remains an undecoded open type; the application must decide
   -- how to treat unknown extensions, in particular critical ones.
   CertExtensions EXTENSION ::= {
           ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier |
           ext-KeyUsage | ext-PrivateKeyUsagePeriod |
           ext-CertificatePolicies | ext-PolicyMappings |
           ext-SubjectAltName | ext-IssuerAltName |
           ext-SubjectDirectoryAttributes |
           ext-BasicConstraints | ext-NameConstraints |
           ext-PolicyConstraints | ext-ExtKeyUsage |
           ext-CRLDistributionPoints | ext-InhibitAnyPolicy |
           ext-FreshestCRL | ext-AuthorityInfoAccess |
           ext-SubjectInfoAccessSyntax, ... }

   CrlExtensions EXTENSION ::= {
           ext-AuthorityKeyIdentifier | ext-IssuerAltName |
           ext-CRLNumber | ext-DeltaCRLIndicator |
           ext-IssuingDistributionPoint |  ext-FreshestCRL, ... }

   CrlEntryExtensions EXTENSION ::= {
           ext-CRLReason | ext-CertificateIssuer |
           ext-HoldInstructionCode | ext-InvalidityDate, ... }
   -- Shared arc for standard certificate and CRL extensions
   -- (joint-iso-ccitt(2) ds(5) 29 == 2.5.29)

   id-ce OBJECT IDENTIFIER  ::=  { joint-iso-ccitt(2) ds(5) 29 }

   -- authority key identifier OID and syntax

   ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX
       AuthorityKeyIdentifier IDENTIFIED BY
       id-ce-authorityKeyIdentifier }
   id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }

   AuthorityKeyIdentifier ::= SEQUENCE {
       keyIdentifier             [0] KeyIdentifier            OPTIONAL,
       authorityCertIssuer       [1] GeneralNames             OPTIONAL,
       authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
   -- NOTE(review): the constraint below requires authorityCertIssuer and
   -- authorityCertSerialNumber to be either both present or both absent.
   -- A decoder that only checks tags accepts one without the other; the
   -- pairing has to be enforced as a post-decode check if the compiler
   -- does not enforce WITH COMPONENTS.
   (WITH COMPONENTS {
      ...,
      authorityCertIssuer        PRESENT,
      authorityCertSerialNumber  PRESENT
    } |
    WITH COMPONENTS {
      ...,
      authorityCertIssuer        ABSENT,
      authorityCertSerialNumber  ABSENT
    })

   -- Unconstrained octet string: no length limit is imposed here.
   KeyIdentifier ::= OCTET STRING

   -- subject key identifier OID and syntax

   ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX
       KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier }
   id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }

   -- key usage extension OID and syntax

   ext-KeyUsage EXTENSION ::= { SYNTAX
       KeyUsage IDENTIFIED BY id-ce-keyUsage }
   id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

   -- NOTE(review): bits 0-7 fit in one content octet; bit 8
   -- (decipherOnly) needs a second octet.  Code that reads only the
   -- first octet of the bit string silently drops decipherOnly.  Under
   -- DER, trailing zero bits are not encoded, so a shorter bit string
   -- means the missing bits are clear, not that the value is malformed.
   KeyUsage ::= BIT STRING {
        digitalSignature        (0),
        nonRepudiation          (1), --  recent editions of X.509 have
                                     --  renamed this bit to
                                     --  contentCommitment
        keyEncipherment         (2),
        dataEncipherment        (3),
        keyAgreement            (4),
        keyCertSign             (5),
        cRLSign                 (6),
        encipherOnly            (7),
        decipherOnly            (8)
    }

   -- private key usage period extension OID and syntax

   ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX
       PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod }
   id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }

   -- At least one of notBefore / notAfter must be present (constraint
   -- below); both fields are OPTIONAL on their own.
   PrivateKeyUsagePeriod ::= SEQUENCE {
        notBefore       [0]     GeneralizedTime OPTIONAL,
        notAfter        [1]     GeneralizedTime OPTIONAL }
   (WITH COMPONENTS {..., notBefore  PRESENT } |
    WITH COMPONENTS {..., notAfter  PRESENT })

   -- certificate policies extension OID and syntax

   ext-CertificatePolicies EXTENSION ::= { SYNTAX
       CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies}
   id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }

   -- SIZE (1..MAX): an empty policies sequence is schema-invalid.
   CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

   PolicyInformation ::= SEQUENCE {
        policyIdentifier   CertPolicyId,
        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
                PolicyQualifierInfo OPTIONAL }

   CertPolicyId ::= OBJECT IDENTIFIER

   CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER

   -- NOTE(review): qualifier is an open type whose concrete type is
   -- selected by policyQualifierId through the PolicyQualifierId object
   -- set.  Because that set is extensible ("..."), an unknown qualifier
   -- OID is accepted and its value is left undecoded rather than
   -- rejected.
   PolicyQualifierInfo ::= SEQUENCE {
          policyQualifierId  CERT-POLICY-QUALIFIER.
               &id({PolicyQualifierId}),
          qualifier          CERT-POLICY-QUALIFIER.
               &Type({PolicyQualifierId}{@policyQualifierId})}

   -- Implementations that recognize additional policy qualifiers MUST
   -- augment the following definition for PolicyQualifierId

   PolicyQualifierId CERT-POLICY-QUALIFIER ::=
       { pqid-cps | pqid-unotice, ... }

   pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }
   pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice
       IDENTIFIED BY id-qt-unotice }

   -- CPS pointer qualifier
   -- NOTE(review): unconstrained IA5String; the schema neither bounds
   -- the length nor checks that the value is a well-formed URI.

   CPSuri ::= IA5String

   -- user notice qualifier

   UserNotice ::= SEQUENCE {
        noticeRef        NoticeReference OPTIONAL,
        explicitText     DisplayText OPTIONAL}

   --
   --  This is not made explicit in the text
   --
   -- {WITH COMPONENTS {..., noticeRef PRESENT} |
   --  WITH COMPONENTS {..., explicitText PRESENT }}
   -- (the field is explicitText; the original commented-out constraint
   --  named its type, DisplayText, instead)

   NoticeReference ::= SEQUENCE {
        organization     DisplayText,
        noticeNumbers    SEQUENCE OF INTEGER }

   -- NOTE(review): SIZE (1..200) counts characters, not octets; a
   -- utf8String or bmpString alternative may therefore occupy more than
   -- 200 octets on the wire, so buffer sizing must not assume 200 bytes.
   DisplayText ::= CHOICE {
        ia5String        IA5String      (SIZE (1..200)),
        visibleString    VisibleString  (SIZE (1..200)),
        bmpString        BMPString      (SIZE (1..200)),
        utf8String       UTF8String     (SIZE (1..200)) }

   -- policy mapping extension OID and syntax

   ext-PolicyMappings EXTENSION ::= { SYNTAX
       PolicyMappings IDENTIFIED BY id-ce-policyMappings }
   id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }

   PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
       issuerDomainPolicy      CertPolicyId,
       subjectDomainPolicy     CertPolicyId
   }

   -- subject alternative name extension OID and syntax

   ext-SubjectAltName EXTENSION ::= { SYNTAX
       GeneralNames IDENTIFIED BY id-ce-subjectAltName }
   id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   -- NOTE(review): the string alternatives are constrained only to the
   -- IA5String (7-bit) repertoire.  The schema does not bound their
   -- length, does not forbid embedded NUL characters, and does not
   -- validate mailbox, host-name or URI syntax, so a consumer must
   -- validate a name before using it for matching.  iPAddress is an
   -- unconstrained OCTET STRING here; the expected lengths (4 or 16
   -- octets, twice that inside name constraints) come from the RFC 5280
   -- profile, not from this module, and have to be checked by the
   -- consumer.
   GeneralName ::= CHOICE {
        otherName                   [0]  INSTANCE OF OTHER-NAME,
        rfc822Name                  [1]  IA5String,
        dNSName                     [2]  IA5String,
        x400Address                 [3]  ORAddress,
        directoryName               [4]  Name,
        ediPartyName                [5]  EDIPartyName,
        uniformResourceIdentifier   [6]  IA5String,
        iPAddress                   [7]  OCTET STRING,
        registeredID                [8]  OBJECT IDENTIFIER
   }

   -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
   -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
   -- NOTE(review): the sentence above appears to be carried over from
   -- the 1988-syntax module; this module does define OTHER-NAME as
   -- TYPE-IDENTIFIER, so otherName is an open type keyed by its OID and
   -- its value is undecoded unless the OID is known to the application.

   OTHER-NAME ::= TYPE-IDENTIFIER

   -- ubMax (32768) is defined at the end of this module.
   EDIPartyName ::= SEQUENCE {
       nameAssigner    [0] DirectoryString {ubMax} OPTIONAL,
       partyName       [1] DirectoryString {ubMax}
   }

   -- issuer alternative name extension OID and syntax

   ext-IssuerAltName EXTENSION ::= { SYNTAX
       GeneralNames IDENTIFIED BY id-ce-issuerAltName }
   id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }

   ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX
       SubjectDirectoryAttributes IDENTIFIED BY
       id-ce-subjectDirectoryAttributes }
   id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }

   SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
       AttributeSet{{SupportedAttributes}}

   -- basic constraints extension OID and syntax

   ext-BasicConstraints EXTENSION ::= { SYNTAX
       BasicConstraints IDENTIFIED BY id-ce-basicConstraints }
   id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }

   -- NOTE(review): cA is DEFAULT FALSE, so under DER an explicitly
   -- encoded FALSE is a malformed encoding; a strict validator should
   -- reject it rather than silently accept it.  pathLenConstraint is
   -- INTEGER (0..MAX), i.e. unbounded -- do not assume it fits a native
   -- integer.  Its meaning when cA is FALSE is defined by the RFC 5280
   -- profile, not by this schema.
   BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL
   }

   -- name constraints extension OID and syntax
   ext-NameConstraints EXTENSION ::= { SYNTAX
       NameConstraints IDENTIFIED BY id-ce-nameConstraints }
   id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

   NameConstraints ::= SEQUENCE {
        permittedSubtrees       [0] GeneralSubtrees OPTIONAL,
        excludedSubtrees        [1] GeneralSubtrees OPTIONAL
   }
   --
   --  This is a constraint in the issued certificates by CAs, but is
   --  not a requirement on EEs.
   --
   -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
   --  WITH COMPONENTS { ..., excludedSubtrees PRESENT })
   -- NOTE(review): because the constraint is commented out, an extension
   -- with neither subtree list is schema-valid; a path validator should
   -- treat it as a profile violation itself if it wants to reject it.

   GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

   -- NOTE(review): the schema permits any minimum/maximum; the RFC 5280
   -- profile requires minimum to be 0 and maximum to be absent, which a
   -- validator has to check explicitly since nothing here enforces it.
   GeneralSubtree ::= SEQUENCE {
        base                GeneralName,
        minimum         [0] BaseDistance DEFAULT 0,
        maximum         [1] BaseDistance OPTIONAL
   }

   BaseDistance ::= INTEGER (0..MAX)

   -- policy constraints extension OID and syntax

   ext-PolicyConstraints EXTENSION ::= { SYNTAX
       PolicyConstraints IDENTIFIED BY id-ce-policyConstraints }
   id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }

   PolicyConstraints ::= SEQUENCE {
        requireExplicitPolicy           [0] SkipCerts OPTIONAL,
        inhibitPolicyMapping            [1] SkipCerts OPTIONAL }
   --
   --  This is a constraint in the issued certificates by CAs,
   --  but is not a requirement for EEs
   --
   -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
   --  WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})

   -- Unbounded non-negative integer (see the note on BasicConstraints).
   SkipCerts ::= INTEGER (0..MAX)

   -- CRL distribution points extension OID and syntax

   ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
       CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}
   id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}
   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

   DistributionPoint ::= SEQUENCE {
        distributionPoint       [0] DistributionPointName OPTIONAL,
        reasons                 [1] ReasonFlags OPTIONAL,
        cRLIssuer               [2] GeneralNames OPTIONAL
   }
   --
   --  This is not a requirement in the text, but it seems as if it
   --      should be
   --
   --(WITH COMPONENTS {..., distributionPoint PRESENT} |
   -- WITH COMPONENTS {..., cRLIssuer PRESENT})
   -- NOTE(review): as encoded by this schema a DistributionPoint may be
   -- completely empty; a CRL fetcher must handle the no-location case
   -- rather than assume distributionPoint is present.

   DistributionPointName ::= CHOICE {
        fullName                [0] GeneralNames,
        nameRelativeToCRLIssuer [1] RelativeDistinguishedName
   }

   -- Bit 0 is literally named "unused"; as with KeyUsage, bit 8 needs a
   -- second content octet.
   ReasonFlags ::= BIT STRING {
        unused                  (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        privilegeWithdrawn      (7),
        aACompromise            (8)
    }

   -- extended key usage extension OID and syntax

   ext-ExtKeyUsage EXTENSION ::= { SYNTAX
       ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage }
   id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

   KeyPurposeId ::= OBJECT IDENTIFIER

   -- permit unspecified key uses
   -- NOTE(review): anyExtendedKeyUsage is the wildcard purpose (2.5.29.37.0).
   -- Code that filters certificates by key purpose must decide explicitly
   -- whether this value satisfies the required purpose; treating the OID
   -- list as a plain allow-list silently ignores it.

   anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

   -- extended key purpose OIDs

   id-kp-serverAuth       OBJECT IDENTIFIER ::= { id-kp 1 }
   id-kp-clientAuth       OBJECT IDENTIFIER ::= { id-kp 2 }
   id-kp-codeSigning      OBJECT IDENTIFIER ::= { id-kp 3 }
   id-kp-emailProtection  OBJECT IDENTIFIER ::= { id-kp 4 }
   id-kp-timeStamping     OBJECT IDENTIFIER ::= { id-kp 8 }
   id-kp-OCSPSigning      OBJECT IDENTIFIER ::= { id-kp 9 }

   -- inhibit any policy OID and syntax

   ext-InhibitAnyPolicy EXTENSION  ::= {SYNTAX
       SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy }
   id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 }

   -- freshest (delta)CRL extension OID and syntax

   ext-FreshestCRL EXTENSION ::= {SYNTAX
       CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL }
   id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 }

   -- authority info access

   ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX
       AuthorityInfoAccessSyntax IDENTIFIED BY
       id-pe-authorityInfoAccess }
   id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

   AuthorityInfoAccessSyntax  ::=
           SEQUENCE SIZE (1..MAX) OF AccessDescription

   -- accessMethod is an unconstrained OID and accessLocation a
   -- GeneralName: the schema does not restrict which methods or which
   -- name forms may be combined, so clients that follow accessLocation
   -- (e.g. for CA issuers or OCSP lookups) must check the method OID and
   -- the name form before dereferencing it.
   AccessDescription  ::=  SEQUENCE {
           accessMethod          OBJECT IDENTIFIER,
           accessLocation        GeneralName  }

   -- subject info access

   ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX
       SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
   id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }

   SubjectInfoAccessSyntax  ::=
           SEQUENCE SIZE (1..MAX) OF AccessDescription

   -- CRL number extension OID and syntax
   -- NOTE(review): ext-CRLNumber spells the syntax inline as
   -- INTEGER (0..MAX) while ext-DeltaCRLIndicator below uses the named
   -- CRLNumber type; both are the same unbounded integer.  CRL numbers
   -- are compared to detect stale or replayed CRLs, so they must be
   -- handled as arbitrary-precision values, not truncated.

   ext-CRLNumber EXTENSION ::= {SYNTAX
       INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
   id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

   CRLNumber ::= INTEGER (0..MAX)
   -- issuing distribution point extension OID and syntax

   ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX
       IssuingDistributionPoint IDENTIFIED BY
       id-ce-issuingDistributionPoint }
   id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }

   -- The four BOOLEANs are DEFAULT FALSE, so under DER they may only
   -- appear when TRUE (see the DER note on BasicConstraints).
   IssuingDistributionPoint ::= SEQUENCE {
        distributionPoint          [0] DistributionPointName OPTIONAL,
        onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
        onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
        onlySomeReasons            [3] ReasonFlags OPTIONAL,
        indirectCRL                [4] BOOLEAN DEFAULT FALSE,
        onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE
   }
           -- at most one of onlyContainsUserCerts, onlyContainsCACerts,
           -- or onlyContainsAttributeCerts may be set to TRUE.
           -- (Not expressible in the schema; the "at most one" rule has
           -- to be checked by the CRL consumer.)

   ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX
       CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator }
   id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

   -- CRL reasons extension OID and syntax

   ext-CRLReason EXTENSION ::= { SYNTAX
       CRLReason IDENTIFIED BY id-ce-cRLReasons }
   id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

   -- NOTE(review): value 7 is intentionally unassigned and the
   -- ENUMERATED is not extensible (no "..."), so 7 and anything above
   -- 10 are schema-invalid rather than "unknown reason".  Decoders
   -- that map the integer straight onto a table must bounds-check it.
   CRLReason ::= ENUMERATED {
        unspecified             (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        removeFromCRL           (8),
        privilegeWithdrawn      (9),
        aACompromise           (10)
   }

   -- certificate issuer CRL entry extension OID and syntax

   ext-CertificateIssuer EXTENSION ::= { SYNTAX
       GeneralNames IDENTIFIED BY id-ce-certificateIssuer }
   id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

   -- hold instruction extension OID and syntax
   ext-HoldInstructionCode EXTENSION ::= { SYNTAX
       OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode }
   id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

   -- ANSI x9 holdinstructions

   holdInstruction OBJECT IDENTIFIER ::=
             {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
   id-holdinstruction-none OBJECT IDENTIFIER  ::=
                   {holdInstruction 1} -- deprecated
   id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
                   {holdInstruction 2}
   id-holdinstruction-reject OBJECT IDENTIFIER ::=
                   {holdInstruction 3}

   -- invalidity date CRL entry extension OID and syntax
   -- NOTE(review): the value is a bare GeneralizedTime; which time
   -- formats (UTC "Z" form, fractional seconds) are acceptable is a DER
   -- and profile matter, so the decoder's time parser must be strict
   -- here just as for the certificate validity dates.

   ext-InvalidityDate EXTENSION  ::=  { SYNTAX
       GeneralizedTime IDENTIFIED BY id-ce-invalidityDate }
   id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
   -- Upper bounds
   -- Used as the DirectoryString size parameter in EDIPartyName above.
   ubMax INTEGER ::= 32768

   END