aboutsummaryrefslogblamecommitdiffstats
path: root/lib/public_key/asn1/OTP-PKIX.asn1
blob: 911a156d6c8140527d145e7c1513226597176227 (plain) (tree)




























































































                                                                             
       




                                                                       


                                         


                                    
                                                       
                                                               

                                                                




                                                        
                                                             

                                                                         
                                          


                             
                               








                                                                     
































































































                                                                              










                                                                          














































































                                                                             

                                                                                                   
                                                


                                                




                                       

                                                              
                                                                       


                               






                             



                                       
                                             




                                                

                                    
 




                                                

















                                                           



                                                           



                                                             











                                                             















































                                                      















                                                     

















































                                                                              
 



















































































































































































































































































                                                                            
OTP-PKIX {iso(1) identified-organization(3) dod(6) internet(1)
	private(4) enterprices(1) ericsson(193) otp(19) ssl(10)
	pkix1(1)}

DEFINITIONS EXPLICIT TAGS ::=

BEGIN

-- EXPORTS ALL

IMPORTS
	-- Certificate (parts of)
	Version, 
	CertificateSerialNumber,
	--AlgorithmIdentifier,
	Validity,
	UniqueIdentifier,

	-- AttribyteTypeAndValue
	Name, 
	AttributeType, 	
	id-at-name,
	id-at-surname,
	id-at-givenName,
	id-at-initials,
	id-at-generationQualifier, X520name,
 	id-at-commonName, X520CommonName,
	id-at-localityName, X520LocalityName,
	id-at-stateOrProvinceName, X520StateOrProvinceName,
	id-at-organizationName, X520OrganizationName,
	id-at-organizationalUnitName, X520OrganizationalUnitName,
	id-at-title, X520Title,
	id-at-dnQualifier, X520dnQualifier,
	id-at-countryName, X520countryName,
	id-at-serialNumber, X520SerialNumber,
	id-at-pseudonym, X520Pseudonym,
	id-domainComponent, DomainComponent,
	id-emailAddress, EmailAddress,

	-- Extension Attributes
       common-name, CommonName,
       teletex-common-name, TeletexCommonName,
       teletex-personal-name, TeletexPersonalName,
       pds-name, PDSName,
       physical-delivery-country-name, PhysicalDeliveryCountryName,
       postal-code, PostalCode,
       physical-delivery-office-name, PhysicalDeliveryOfficeName,
       physical-delivery-office-number, PhysicalDeliveryOfficeNumber,
       extension-OR-address-components, ExtensionORAddressComponents,
       physical-delivery-personal-name, PhysicalDeliveryPersonalName,
       physical-delivery-organization-name, PhysicalDeliveryOrganizationName,
       extension-physical-delivery-address-components, 
              ExtensionPhysicalDeliveryAddressComponents,
       unformatted-postal-address, UnformattedPostalAddress,
       street-address, StreetAddress,
       post-office-box-address, PostOfficeBoxAddress,
       poste-restante-address,  PosteRestanteAddress,
       unique-postal-name, UniquePostalName,
       local-postal-attributes, LocalPostalAttributes,
       extended-network-address, ExtendedNetworkAddress,
       terminal-type, TerminalType,
       teletex-domain-defined-attributes, TeletexDomainDefinedAttributes

	FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) 
	     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 
	     id-pkix1-explicit(18) }

       -- Extensions
       id-ce-authorityKeyIdentifier, AuthorityKeyIdentifier,
       id-ce-subjectKeyIdentifier, SubjectKeyIdentifier,
       id-ce-keyUsage, KeyUsage,
       id-ce-privateKeyUsagePeriod, PrivateKeyUsagePeriod,
       id-ce-certificatePolicies, CertificatePolicies,
       id-ce-policyMappings, PolicyMappings,
       id-ce-subjectAltName, SubjectAltName,
       id-ce-issuerAltName, IssuerAltName,
       id-ce-subjectDirectoryAttributes, SubjectDirectoryAttributes,
       id-ce-basicConstraints, BasicConstraints,
       id-ce-nameConstraints, NameConstraints,
       id-ce-policyConstraints, PolicyConstraints,
       id-ce-cRLDistributionPoints, CRLDistributionPoints,
       id-ce-extKeyUsage, ExtKeyUsageSyntax,
       id-ce-inhibitAnyPolicy, InhibitAnyPolicy,
       id-ce-freshestCRL, FreshestCRL,
       id-pe-authorityInfoAccess, AuthorityInfoAccessSyntax,
       id-pe-subjectInfoAccess, SubjectInfoAccessSyntax,
       id-ce-cRLNumber, CRLNumber,
       id-ce-issuingDistributionPoint, IssuingDistributionPoint,
       id-ce-deltaCRLIndicator, BaseCRLNumber,
       id-ce-cRLReasons, CRLReason,
       id-ce-certificateIssuer, CertificateIssuer,
       id-ce-holdInstructionCode, HoldInstructionCode,
       id-ce-invalidityDate, InvalidityDate
       
       FROM PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) 
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 
       id-pkix1-implicit(19) }

	--Keys and Signatures
	id-dsa, Dss-Parms, DSAPublicKey,
	id-dsa-with-sha1, id-dsaWithSHA1,
        md2WithRSAEncryption,
	md5WithRSAEncryption,
	sha1WithRSAEncryption,
	rsaEncryption, RSAPublicKey,
	dhpublicnumber, DomainParameters, DHPublicKey, 
	id-keyExchangeAlgorithm, KEA-Parms-Id, --KEA-PublicKey,
	ecdsa-with-SHA1, ecdsa-with-SHA224,
	ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512,
	prime-field, Prime-p, 
	characteristic-two-field, --Characteristic-two, 
	gnBasis, 
	tpBasis, Trinomial,
	ppBasis, Pentanomial,
	id-ecPublicKey, EcpkParameters, ECParameters, ECPoint
	FROM PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6)
	     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
	     id-mod-pkix1-algorithms(17) }
       md2WithRSAEncryption,
       md5WithRSAEncryption,
       sha1WithRSAEncryption,
       sha224WithRSAEncryption,
       sha256WithRSAEncryption,
       sha384WithRSAEncryption,
       sha512WithRSAEncryption	     
    	     
      FROM PKCS-1 {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
        modules(0) pkcs-1(1)
	};	   
	     
--
-- Certificate
--

OTPCertificate  ::=  SEQUENCE  {
     tbsCertificate       OTPTBSCertificate,
     signatureAlgorithm   SignatureAlgorithm,
     signature            BIT STRING  }

OTPTBSCertificate  ::=  SEQUENCE  {
     version         [0]  Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            SignatureAlgorithm,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo OTPSubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     extensions      [3]  Extensions OPTIONAL
                          -- If present, version MUST be v3 --  }


-- Attribute type and values
--

ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= CLASS {
	&id AttributeType UNIQUE,
	&Type }
   WITH SYNTAX {
	ID &id
	TYPE &Type }
	
OTPAttributeTypeAndValue ::=  SEQUENCE {
        type    ATTRIBUTE-TYPE-AND-VALUE-CLASS.&id
		({SupportedAttributeTypeAndValues}),
        value   ATTRIBUTE-TYPE-AND-VALUE-CLASS.&Type
		({SupportedAttributeTypeAndValues}{@type}) }

SupportedAttributeTypeAndValues ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= 
	{ name | surname | givenName | initials | generationQualifier |
	  commonName | localityName | stateOrProvinceName | organizationName |
	  organizationalUnitName | title | dnQualifier | countryName |
	  serialNumber | pseudonym | domainComponent | emailAddress }

name ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-name
	TYPE X520name }

surname ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-surname
	TYPE X520name }

givenName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-givenName
	TYPE X520name }

initials ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-initials
	TYPE X520name }

generationQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-generationQualifier
	TYPE X520name }

commonName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-commonName
	TYPE X520CommonName }

localityName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-localityName
	TYPE X520LocalityName }

stateOrProvinceName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-stateOrProvinceName
	TYPE X520StateOrProvinceName }

organizationName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-organizationName
	TYPE X520OrganizationName }

organizationalUnitName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-organizationalUnitName
	TYPE X520OrganizationalUnitName }

title ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-title
	TYPE X520Title }

dnQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-dnQualifier
	TYPE X520dnQualifier }

countryName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-countryName
        TYPE X520countryName } -- this is currently not used when decoding
 -- The decoding and mapping between ID and Type is done in the code
 -- in module publickey_cert_records via the function attribute_type
 -- To be more forgiving and compatible with other SSL implementations
 -- regarding how to handle and sometimes accept incorrect certificates
 -- we define and use the type below instead of X520countryName

 OTP-X520countryname ::= CHOICE {
       printableString   PrintableString (SIZE (2)),
       utf8String        UTF8String      (SIZE (2))
}

serialNumber ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-serialNumber
	TYPE X520SerialNumber }

pseudonym ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-at-pseudonym
	TYPE X520Pseudonym }

domainComponent ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-domainComponent
	TYPE DomainComponent }

emailAddress ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
	ID id-emailAddress
	TYPE EmailAddress }

--
-- Signature and Public Key Algorithms
--

OTPOLDSubjectPublicKeyInfo ::=  SEQUENCE  {
     algorithm SEQUENCE {
               algo     PUBLIC-KEY-ALGORITHM-CLASS.&id
			     ({SupportedPublicKeyAlgorithms}), 
	       parameters    PUBLIC-KEY-ALGORITHM-CLASS.&Type
			     ({SupportedPublicKeyAlgorithms}{@.algo}) 
			     OPTIONAL
               }, 
     subjectPublicKey  PUBLIC-KEY-ALGORITHM-CLASS.&PublicKeyType
		       ({SupportedPublicKeyAlgorithms}{@algorithm.algo}) }

OTPSubjectPublicKeyInfo ::=  SEQUENCE  {
      algorithm PublicKeyAlgorithm,
      subjectPublicKey  BIT STRING }


-- The following is needed for conversion of SubjectPublicKeyInfo.

OTPSubjectPublicKeyInfo-Any  ::=  SEQUENCE  {
     algorithm            PublicKeyAlgorithm,
     subjectPublicKey     ANY }


SIGNATURE-ALGORITHM-CLASS ::= CLASS {
	&id OBJECT IDENTIFIER UNIQUE,
	&Type OPTIONAL }
   WITH SYNTAX {
	ID &id
	[TYPE &Type] }

PUBLIC-KEY-ALGORITHM-CLASS ::= CLASS {
	&id OBJECT IDENTIFIER UNIQUE,
	&Type OPTIONAL,
	&PublicKeyType OPTIONAL }
   WITH SYNTAX {
	ID &id
	[TYPE &Type] 
	[PUBLIC-KEY-TYPE &PublicKeyType] }
	
SignatureAlgorithm ::=  SEQUENCE  {
     algorithm     SIGNATURE-ALGORITHM-CLASS.&id
				({SupportedSignatureAlgorithms}), 
     parameters    SIGNATURE-ALGORITHM-CLASS.&Type
				({SupportedSignatureAlgorithms}{@algorithm}) 
		   OPTIONAL } 

SignatureAlgorithm-Any ::=  SEQUENCE  {
     algorithm     OBJECT IDENTIFIER, 
     parameters    ANY OPTIONAL } 

PublicKeyAlgorithm ::=  SEQUENCE  {
     algorithm     PUBLIC-KEY-ALGORITHM-CLASS.&id
			({SupportedPublicKeyAlgorithms}), 
     parameters    PUBLIC-KEY-ALGORITHM-CLASS.&Type
			({SupportedPublicKeyAlgorithms}{@algorithm}) 
		   OPTIONAL } 

SupportedSignatureAlgorithms SIGNATURE-ALGORITHM-CLASS ::= { 
		    dsa-with-sha1 | dsaWithSHA1 |  md2-with-rsa-encryption |
		    md5-with-rsa-encryption | sha1-with-rsa-encryption | sha-1with-rsa-encryption |
		    sha224-with-rsa-encryption |
		    sha256-with-rsa-encryption |
		    sha384-with-rsa-encryption |
		    sha512-with-rsa-encryption |
		    ecdsa-with-sha1 |
		    ecdsa-with-sha224 |
		    ecdsa-with-sha256 |
		    ecdsa-with-sha384 |
		    ecdsa-with-sha512 }

SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= { 
		    dsa | rsa-encryption | dh  | kea  | ec-public-key }

   --   DSA Keys and Signatures


      DSAParams  ::=  CHOICE
       {
        params     Dss-Parms,
        null       NULL
       }

   -- SubjectPublicKeyInfo:

   dsa PUBLIC-KEY-ALGORITHM-CLASS ::= {
       ID id-dsa
       TYPE DSAParams -- XXX Must be OPTIONAL
       PUBLIC-KEY-TYPE DSAPublicKey }

   -- Certificate.signatureAlgorithm

   dsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
		 ID id-dsa-with-sha1
		 TYPE  DSAParams }


   dsaWithSHA1	 SIGNATURE-ALGORITHM-CLASS ::= {
		 ID id-dsaWithSHA1
		 TYPE  DSAParams }

				  --
   --   RSA Keys and Signatures
   --

   -- Certificate.signatureAlgorithm

   md2-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
			   ID md2WithRSAEncryption 
			   TYPE NULL }

   md5-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
			   ID md5WithRSAEncryption 
			   TYPE NULL }

   sha1-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
			    ID sha1WithRSAEncryption 
			    TYPE NULL }

   sha-1with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
			    ID sha-1WithRSAEncryption
			    TYPE NULL }

   sha224-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
			    ID sha224WithRSAEncryption 
			    TYPE NULL }

   sha256-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
			    ID sha256WithRSAEncryption 
			    TYPE NULL }

   sha384-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
			    ID sha384WithRSAEncryption 
			    TYPE NULL }
	    
   sha512-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
			    ID sha512WithRSAEncryption 
			    TYPE NULL }

   -- Certificate.signature
   -- See PKCS #1 (RFC 2313). XXX

   -- SubjectPublicKeyInfo:

   rsa-encryption PUBLIC-KEY-ALGORITHM-CLASS ::= {
		  ID rsaEncryption
		  TYPE NULL
		  PUBLIC-KEY-TYPE RSAPublicKey }

   --
   --   Diffie-Hellman Keys
   --

   -- SubjectPublicKeyInfo:

   dh PUBLIC-KEY-ALGORITHM-CLASS ::= {
      ID dhpublicnumber
      TYPE DomainParameters
      PUBLIC-KEY-TYPE DHPublicKey }

   -- There are no Diffie-Hellman signature algorithms

   --
   --   KEA Keys
   --

   -- SubjectPublicKeyInfo:

   KEA-PublicKey ::= INTEGER

   kea PUBLIC-KEY-ALGORITHM-CLASS ::= {
       ID id-keyExchangeAlgorithm
       TYPE KEA-Parms-Id
       PUBLIC-KEY-TYPE KEA-PublicKey }

   -- There are no KEA signature algorithms

   --
   --   Elliptic Curve Keys, Signatures, and Curves
   --

   -- Certificate.signatureAlgorithm

   ecdsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
       ID ecdsa-with-SHA1
       TYPE NULL }  -- XXX Must be empty and not NULL

   ecdsa-with-sha224 SIGNATURE-ALGORITHM-CLASS ::= {
       ID ecdsa-with-SHA224
       TYPE NULL }  -- XXX Must be empty and not NULL

   ecdsa-with-sha256 SIGNATURE-ALGORITHM-CLASS ::= {
       ID ecdsa-with-SHA256
       TYPE NULL }  -- XXX Must be empty and not NULL

   ecdsa-with-sha384 SIGNATURE-ALGORITHM-CLASS ::= {
       ID ecdsa-with-SHA384
       TYPE NULL }  -- XXX Must be empty and not NULL

   ecdsa-with-sha512 SIGNATURE-ALGORITHM-CLASS ::= {
       ID ecdsa-with-SHA512
       TYPE NULL }  -- XXX Must be empty and not NULL

   FIELD-ID-CLASS ::= CLASS {
	&id OBJECT IDENTIFIER UNIQUE,
	&Type }
   WITH SYNTAX {
	ID &id
	TYPE &Type }

   OTPFieldID ::= SEQUENCE {                    -- Finite field
      fieldType   FIELD-ID-CLASS.&id({SupportedFieldIds}),
      parameters  FIELD-ID-CLASS.&Type({SupportedFieldIds}{@fieldType}) }

   SupportedFieldIds FIELD-ID-CLASS ::= {
		     field-prime-field | field-characteristic-two }

   field-prime-field FIELD-ID-CLASS ::= {
		     ID prime-field
		     TYPE Prime-p }

   CHARACTERISTIC-TWO-CLASS ::= CLASS {
	&id OBJECT IDENTIFIER UNIQUE,
	&Type }
   WITH SYNTAX {
	ID &id
	TYPE &Type }

   OTPCharacteristic-two ::= SEQUENCE {                    -- Finite field
      m           INTEGER,                   -- Field size 2^m
      basis       CHARACTERISTIC-TWO-CLASS.&id({SupportedCharacteristicTwos}),
      parameters  CHARACTERISTIC-TWO-CLASS.&Type
		  ({SupportedCharacteristicTwos}{@basis}) }

   SupportedCharacteristicTwos CHARACTERISTIC-TWO-CLASS ::= {
			       gn-basis | tp-basis | pp-basis }

   field-characteristic-two FIELD-ID-CLASS ::= {
		     ID characteristic-two-field
		     TYPE Characteristic-two }

   gn-basis CHARACTERISTIC-TWO-CLASS ::= {
	    ID gnBasis
	    TYPE NULL }

   tp-basis CHARACTERISTIC-TWO-CLASS ::= {
	    ID tpBasis
	    TYPE Trinomial }

   pp-basis CHARACTERISTIC-TWO-CLASS ::= {
	    ID ppBasis
	    TYPE Pentanomial }


   -- SubjectPublicKeyInfo.algorithm

   ec-public-key PUBLIC-KEY-ALGORITHM-CLASS ::= {
      ID id-ecPublicKey
      TYPE EcpkParameters
      PUBLIC-KEY-TYPE ECPoint }

--
-- Extension Attributes
--

EXTENSION-ATTRIBUTE-CLASS ::= CLASS {
	&id INTEGER UNIQUE, 
	&Type }
   WITH SYNTAX {
	ID &id
	TYPE &Type }
	
OTPExtensionAttributes ::= SET SIZE (1..MAX) OF ExtensionAttribute

-- XXX Below we should have extension-attribute-type and extension-
-- attribute-value but Erlang ASN1 does not like it. 
OTPExtensionAttribute ::=  SEQUENCE {
   extensionAttributeType [0] IMPLICIT EXTENSION-ATTRIBUTE-CLASS.&id
		({SupportedExtensionAttributes}),
   extensionAttributeValue [1] EXTENSION-ATTRIBUTE-CLASS.&Type
		({SupportedExtensionAttributes}{@extensionAttributeType}) } 

SupportedExtensionAttributes EXTENSION-ATTRIBUTE-CLASS ::= {
	     x400-common-name |
	     x400-teletex-common-name |
	     x400-teletex-personal-name |
	     x400-pds-name |
	     x400-physical-delivery-country-name |
	     x400-postal-code |
	     x400-physical-delivery-office-name |
	     x400-physical-delivery-office-number |
	     x400-extension-OR-address-components |
	     x400-physical-delivery-personal-name |
	     x400-physical-delivery-organization-name |
	     x400-extension-physical-delivery-address-components |
	     x400-unformatted-postal-address |
	     x400-street-address |
	     x400-post-office-box-address |
	     x400-poste-restante-address |
	     x400-unique-postal-name |
	     x400-local-postal-attributes |
	     x400-extended-network-address |
	     x400-terminal-type |
	     x400-teletex-domain-defined-attributes }

-- Extension types and attribute values

x400-common-name  EXTENSION-ATTRIBUTE-CLASS ::= {
       ID common-name
       TYPE CommonName }

x400-teletex-common-name  EXTENSION-ATTRIBUTE-CLASS ::= {
			  ID teletex-common-name
			  TYPE TeletexCommonName }

x400-teletex-personal-name  EXTENSION-ATTRIBUTE-CLASS ::= {
			    ID teletex-personal-name
			    TYPE TeletexPersonalName }

x400-pds-name  EXTENSION-ATTRIBUTE-CLASS ::= {
	       ID pds-name
	       TYPE PDSName }

x400-physical-delivery-country-name EXTENSION-ATTRIBUTE-CLASS ::= {
				    ID physical-delivery-country-name
				    TYPE PhysicalDeliveryCountryName }

x400-postal-code  EXTENSION-ATTRIBUTE-CLASS ::= {
		  ID postal-code
		  TYPE PostalCode }

x400-physical-delivery-office-name EXTENSION-ATTRIBUTE-CLASS ::= { 
				   ID physical-delivery-office-name 
				   TYPE PhysicalDeliveryOfficeName }

x400-physical-delivery-office-number EXTENSION-ATTRIBUTE-CLASS ::= {
				     ID physical-delivery-office-number
				     TYPE PhysicalDeliveryOfficeNumber }

x400-extension-OR-address-components EXTENSION-ATTRIBUTE-CLASS ::= {
				     ID extension-OR-address-components
				     TYPE ExtensionORAddressComponents }

x400-physical-delivery-personal-name EXTENSION-ATTRIBUTE-CLASS ::= {
				     ID physical-delivery-personal-name
				     TYPE PhysicalDeliveryPersonalName }

x400-physical-delivery-organization-name  EXTENSION-ATTRIBUTE-CLASS ::= {
       ID physical-delivery-organization-name
       TYPE PhysicalDeliveryOrganizationName }

x400-extension-physical-delivery-address-components 
    EXTENSION-ATTRIBUTE-CLASS ::= {
       ID extension-physical-delivery-address-components
       TYPE ExtensionPhysicalDeliveryAddressComponents }

x400-unformatted-postal-address  EXTENSION-ATTRIBUTE-CLASS ::= {
				 ID unformatted-postal-address
				 TYPE UnformattedPostalAddress }

x400-street-address  EXTENSION-ATTRIBUTE-CLASS ::= {
		     ID street-address
		     TYPE StreetAddress }

x400-post-office-box-address  EXTENSION-ATTRIBUTE-CLASS ::= {
			      ID post-office-box-address
			      TYPE PostOfficeBoxAddress }

x400-poste-restante-address EXTENSION-ATTRIBUTE-CLASS ::= {
			    ID poste-restante-address
			    TYPE PosteRestanteAddress }

x400-unique-postal-name EXTENSION-ATTRIBUTE-CLASS ::= {
			ID unique-postal-name
			TYPE UniquePostalName }

x400-local-postal-attributes EXTENSION-ATTRIBUTE-CLASS ::= {
			      ID local-postal-attributes
			      TYPE LocalPostalAttributes }

x400-extended-network-address EXTENSION-ATTRIBUTE-CLASS ::= {
       ID extended-network-address
       TYPE ExtendedNetworkAddress }

x400-terminal-type  EXTENSION-ATTRIBUTE-CLASS ::= {
		    ID terminal-type
		    TYPE TerminalType }

x400-teletex-domain-defined-attributes  EXTENSION-ATTRIBUTE-CLASS ::= {
       ID teletex-domain-defined-attributes
       TYPE TeletexDomainDefinedAttributes }

-- Extensions

OTPExtensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

EXTENSION-CLASS ::= CLASS {
	&id OBJECT IDENTIFIER UNIQUE,
	&Type OPTIONAL}
   WITH SYNTAX {
	ID &id
	[TYPE &Type] }

OTPExtension ::=  SEQUENCE {
        extnID	  EXTENSION-CLASS.&id({SupportedExtensions}),
	critical  BOOLEAN DEFAULT FALSE,
        extnValue EXTENSION-CLASS.&Type({SupportedExtensions}{@extnID}) }

-- The following is needed for conversion between Extension and Extension-Cd

ObjId ::= OBJECT IDENTIFIER
Boolean ::= BOOLEAN
Any ::= ANY

Extension-Any  ::=  SEQUENCE  {
     extnID      OBJECT IDENTIFIER,
     critical    BOOLEAN DEFAULT FALSE,
     extnValue   ANY }

SupportedExtensions EXTENSION-CLASS ::= { authorityKeyIdentifier |
	subjectKeyIdentifier | keyUsage | privateKeyUsagePeriod |
	certificatePolicies | policyMappings | subjectAltName | 
	issuerAltName | subjectDirectoryAttributes | basicConstraints |
	nameConstraints | policyConstraints | cRLDistributionPoints | 
	extKeyUsage | inhibitAnyPolicy | freshestCRL | authorityInfoAccess |
	subjectInfoAccess | cRLNumber | issuingDistributionPoint |
	deltaCRLIndicator | cRLReasons | certificateIssuer |
	holdInstructionCode | invalidityDate }

authorityKeyIdentifier EXTENSION-CLASS ::= {
		ID id-ce-authorityKeyIdentifier
		TYPE AuthorityKeyIdentifier }

subjectKeyIdentifier EXTENSION-CLASS ::= {
	ID id-ce-subjectKeyIdentifier
	TYPE SubjectKeyIdentifier }

keyUsage EXTENSION-CLASS ::= {
	ID id-ce-keyUsage 
	TYPE KeyUsage }

privateKeyUsagePeriod EXTENSION-CLASS ::= {
	ID id-ce-privateKeyUsagePeriod
	TYPE PrivateKeyUsagePeriod }

certificatePolicies EXTENSION-CLASS ::= {
	ID id-ce-certificatePolicies
	TYPE CertificatePolicies }

policyMappings EXTENSION-CLASS ::= {
	ID id-ce-policyMappings
	TYPE PolicyMappings }

subjectAltName EXTENSION-CLASS ::= {
	ID id-ce-subjectAltName 
	TYPE SubjectAltName }

issuerAltName EXTENSION-CLASS ::= {
	ID id-ce-issuerAltName
	TYPE IssuerAltName }

subjectDirectoryAttributes EXTENSION-CLASS ::= {
	ID id-ce-subjectDirectoryAttributes
	TYPE SubjectDirectoryAttributes }

basicConstraints EXTENSION-CLASS ::= {
	ID id-ce-basicConstraints
	TYPE BasicConstraints }

nameConstraints EXTENSION-CLASS ::= {
	ID id-ce-nameConstraints
	TYPE NameConstraints }

policyConstraints EXTENSION-CLASS ::= {
	ID id-ce-policyConstraints 
	TYPE PolicyConstraints  }

cRLDistributionPoints EXTENSION-CLASS ::= {
	ID id-ce-cRLDistributionPoints
	TYPE CRLDistributionPoints }

extKeyUsage EXTENSION-CLASS ::= {
	ID id-ce-extKeyUsage
	TYPE ExtKeyUsageSyntax }

inhibitAnyPolicy EXTENSION-CLASS ::= {
	ID id-ce-inhibitAnyPolicy 
	TYPE InhibitAnyPolicy }

freshestCRL EXTENSION-CLASS ::= {
	ID id-ce-freshestCRL
	TYPE FreshestCRL }

authorityInfoAccess EXTENSION-CLASS ::= {
	ID id-pe-authorityInfoAccess
	TYPE AuthorityInfoAccessSyntax }

subjectInfoAccess EXTENSION-CLASS ::= {
	ID id-pe-subjectInfoAccess 
	TYPE SubjectInfoAccessSyntax }

cRLNumber EXTENSION-CLASS ::= {
	ID id-ce-cRLNumber 
	TYPE CRLNumber }

issuingDistributionPoint EXTENSION-CLASS ::= {
	ID id-ce-issuingDistributionPoint
	TYPE IssuingDistributionPoint }

deltaCRLIndicator EXTENSION-CLASS ::= {
	ID id-ce-deltaCRLIndicator
	TYPE BaseCRLNumber }

cRLReasons EXTENSION-CLASS ::= {
	ID id-ce-cRLReasons
	TYPE CRLReason }

certificateIssuer EXTENSION-CLASS ::= {
	ID id-ce-certificateIssuer
	TYPE CertificateIssuer }

holdInstructionCode EXTENSION-CLASS ::= {
	ID id-ce-holdInstructionCode
	TYPE HoldInstructionCode }

invalidityDate EXTENSION-CLASS ::= {
	ID id-ce-invalidityDate 
	TYPE InvalidityDate }

END