-- PKCS #9 (RFC 2985): selected object classes and attribute types used
-- across the PKCS family (certification-request attributes, CMS signed
-- attributes, PKCS #12 bag attributes, directory schema).
-- This module fixes syntax only: types, object identifiers and SIZE
-- bounds. Whether a decoded value is acceptable in context (for example,
-- that a messageDigest matches the content it accompanies) is decided by
-- the code that consumes the decoded structures, not by the schema.
PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) modules(0) pkcs-9(1)}

-- $Revision$

-- IMPLICIT TAGS: a context tag written on a component replaces the tag
-- of the underlying type unless that component is marked EXPLICIT.
DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- EXPORTS All --
-- All types and values defined in this module are exported for use in
-- other ASN.1 modules.

IMPORTS

informationFramework, authenticationFramework, selectedAttributeTypes,
        upperBounds , id-at
        FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
        usefulDefinitions(0) 3}

ub-name
        FROM UpperBounds upperBounds

OBJECT-CLASS, ATTRIBUTE, MATCHING-RULE, Attribute, top, objectIdentifierMatch
        FROM InformationFramework informationFramework

ALGORITHM, Extensions, Time
        FROM AuthenticationFramework authenticationFramework

DirectoryString, octetStringMatch, caseIgnoreMatch, caseExactMatch,
        generalizedTimeMatch, integerMatch, serialNumber
        FROM SelectedAttributeTypes selectedAttributeTypes

ContentInfo, SignerInfo
        FROM CryptographicMessageSyntax {iso(1) member-body(2) us(840)
        rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1)}

EncryptedPrivateKeyInfo
        FROM PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549)
        pkcs(1) pkcs-8(8) modules(1) pkcs-8(1)}

PFX
        FROM PKCS-12 {iso(1) member-body(2) us(840) rsadsi(113549)
        pkcs(1) pkcs-12(12) modules(0) pkcs-12(1)}

PKCS15Token
        FROM PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549)
        pkcs(1) pkcs-15(15) modules(1) pkcs-15(1)};

-- Upper bounds
-- Maximum lengths referenced by the SIZE constraints and by the
-- PKCS9String / DirectoryString parameters further down (emailAddress,
-- unstructuredName, unstructuredAddress, challengePassword, friendlyName,
-- signingDescription and the pkcs9CaseIgnoreMatch assertion syntax).
-- pkcs9String is the shared default; pseudonym and placeOfBirth reuse
-- ub-name from the imported UpperBounds module.
-- NOTE(review): these are schema constraints, not runtime checks. Whether
-- the generated decoder rejects values longer than the bound depends on
-- the ASN.1 compiler and encoding rules in use; confirm that before
-- relying on them as input validation.
pkcs-9-ub-pkcs9String          		INTEGER ::= 255
pkcs-9-ub-emailAddress         		INTEGER ::= pkcs-9-ub-pkcs9String
pkcs-9-ub-unstructuredName      	INTEGER ::= pkcs-9-ub-pkcs9String
pkcs-9-ub-unstructuredAddress   	INTEGER ::= pkcs-9-ub-pkcs9String
pkcs-9-ub-challengePassword     	INTEGER ::= pkcs-9-ub-pkcs9String
pkcs-9-ub-friendlyName         		INTEGER ::= pkcs-9-ub-pkcs9String
pkcs-9-ub-signingDescription    	INTEGER ::= pkcs-9-ub-pkcs9String
pkcs-9-ub-match                		INTEGER ::= pkcs-9-ub-pkcs9String
pkcs-9-ub-pseudonym            		INTEGER ::= ub-name
pkcs-9-ub-placeOfBirth         		INTEGER ::= ub-name

-- Object Identifiers

-- Root of the PKCS #9 arc, 1.2.840.113549.1.9. Every identifier below
-- hangs off it except userPKCS12, the ietf-at branch and id-at-pseudonym.
pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
                              rsadsi(113549) pkcs(1) 9}

  -- Main arcs
  -- The historical PKCS #9 attributes (numbers 1 to 21) sit directly
  -- under pkcs-9; only attributes added later live under pkcs-9-at.
pkcs-9-mo	OBJECT IDENTIFIER ::= {pkcs-9 0}  -- Modules branch
pkcs-9-oc    	OBJECT IDENTIFIER ::= {pkcs-9 24} -- Object class branch
pkcs-9-at       OBJECT IDENTIFIER ::= {pkcs-9 25} -- Attribute branch, for new attributes
pkcs-9-sx	OBJECT IDENTIFIER ::= {pkcs-9 26} -- For syntaxes (RFC 2252)
pkcs-9-mr       OBJECT IDENTIFIER ::= {pkcs-9 27} -- Matching rules

  -- Object classes
pkcs-9-oc-pkcsEntity   			OBJECT IDENTIFIER ::= {pkcs-9-oc 1}
pkcs-9-oc-naturalPerson                 OBJECT IDENTIFIER ::= {pkcs-9-oc 2}

  -- Attributes
  -- {pkcs-9 n} entries are the original PKCS #9 attribute identifiers;
  -- {pkcs-9-at n} entries are the newer pkcsEntity attributes.
  -- Numbers 16, 22 and 23 are not attributes but arcs, defined further down.
pkcs-9-at-emailAddress                  OBJECT IDENTIFIER ::= {pkcs-9 1}
pkcs-9-at-unstructuredName              OBJECT IDENTIFIER ::= {pkcs-9 2}
pkcs-9-at-contentType                   OBJECT IDENTIFIER ::= {pkcs-9 3}
pkcs-9-at-messageDigest                 OBJECT IDENTIFIER ::= {pkcs-9 4}
pkcs-9-at-signingTime                   OBJECT IDENTIFIER ::= {pkcs-9 5}
pkcs-9-at-counterSignature              OBJECT IDENTIFIER ::= {pkcs-9 6}
pkcs-9-at-challengePassword             OBJECT IDENTIFIER ::= {pkcs-9 7}
pkcs-9-at-unstructuredAddress           OBJECT IDENTIFIER ::= {pkcs-9 8}
pkcs-9-at-extendedCertificateAttributes OBJECT IDENTIFIER ::= {pkcs-9 9}

-- Obsolete (?) attribute identifiers, purportedly from "tentative
-- PKCS #9 draft"
-- pkcs-9-at-issuerAndSerialNumber      OBJECT IDENTIFIER ::= {pkcs-9 10}
-- pkcs-9-at-passwordCheck              OBJECT IDENTIFIER ::= {pkcs-9 11}
-- pkcs-9-at-publicKey                  OBJECT IDENTIFIER ::= {pkcs-9 12}

pkcs-9-at-signingDescription            OBJECT IDENTIFIER ::= {pkcs-9 13}
pkcs-9-at-extensionRequest              OBJECT IDENTIFIER ::= {pkcs-9 14}
pkcs-9-at-smimeCapabilities             OBJECT IDENTIFIER ::= {pkcs-9 15}

-- Unused (?)
-- pkcs-9-at-?                          OBJECT IDENTIFIER ::= {pkcs-9 17}
-- pkcs-9-at-?                          OBJECT IDENTIFIER ::= {pkcs-9 18}
-- pkcs-9-at-?                          OBJECT IDENTIFIER ::= {pkcs-9 19}

pkcs-9-at-friendlyName                  OBJECT IDENTIFIER ::= {pkcs-9 20}
pkcs-9-at-localKeyId                    OBJECT IDENTIFIER ::= {pkcs-9 21}
  -- userPKCS12 is the one attribute identified outside the PKCS arc
  -- (2.16.840.1.113730 is the Netscape arc).
pkcs-9-at-userPKCS12                    OBJECT IDENTIFIER ::= {2 16 840 1 113730 3 1 216}
pkcs-9-at-pkcs15Token                   OBJECT IDENTIFIER ::= {pkcs-9-at 1}
pkcs-9-at-encryptedPrivateKeyInfo       OBJECT IDENTIFIER ::= {pkcs-9-at 2}
pkcs-9-at-randomNonce                   OBJECT IDENTIFIER ::= {pkcs-9-at 3}
pkcs-9-at-sequenceNumber                OBJECT IDENTIFIER ::= {pkcs-9-at 4}
pkcs-9-at-pkcs7PDU                      OBJECT IDENTIFIER ::= {pkcs-9-at 5}

  -- IETF PKIX Attribute branch
  -- 1.3.6.1.5.5.7.9 is the personal data attribute (id-pda) arc under
  -- id-pkix (RFC 3739); the naturalPerson attributes below are the PKIX
  -- definitions rather than PKCS ones.
ietf-at         			OBJECT IDENTIFIER ::= {1 3 6 1 5 5 7 9}

pkcs-9-at-dateOfBirth                   OBJECT IDENTIFIER ::= {ietf-at 1}
pkcs-9-at-placeOfBirth                  OBJECT IDENTIFIER ::= {ietf-at 2}
pkcs-9-at-gender                        OBJECT IDENTIFIER ::= {ietf-at 3}
pkcs-9-at-countryOfCitizenship          OBJECT IDENTIFIER ::= {ietf-at 4}
pkcs-9-at-countryOfResidence            OBJECT IDENTIFIER ::= {ietf-at 5}

  -- Syntaxes (for use with LDAP accessible directories)
pkcs-9-sx-pkcs9String                   OBJECT IDENTIFIER ::= {pkcs-9-sx 1}
pkcs-9-sx-signingTime                   OBJECT IDENTIFIER ::= {pkcs-9-sx 2}

  -- Matching rules
  -- Identifiers for the two MATCHING-RULE objects defined at the end of
  -- this module.
pkcs-9-mr-caseIgnoreMatch               OBJECT IDENTIFIER ::= {pkcs-9-mr 1}
pkcs-9-mr-signingTimeMatch              OBJECT IDENTIFIER ::= {pkcs-9-mr 2}

  -- Arcs with attributes defined elsewhere
  -- Only the arc roots are assigned here; nothing in this module is
  -- defined under them.
smime             			OBJECT IDENTIFIER ::= {pkcs-9 16}
  -- Main arc for S/MIME (RFC 2633)
certTypes         			OBJECT IDENTIFIER ::= {pkcs-9 22}
  -- Main arc for certificate types defined in PKCS #12
crlTypes          			OBJECT IDENTIFIER ::= {pkcs-9 23}
  -- Main arc for crl types defined in PKCS #12

  -- Other object identifiers
  -- pseudonym is a directory attribute; id-at is imported from
  -- UsefulDefinitions above.
id-at-pseudonym				OBJECT IDENTIFIER ::= {id-at 65}

-- Useful types

-- Parameterised string type: either an IA5String of 1..maxSize
-- characters or a DirectoryString bounded by the same maxSize. Being a
-- CHOICE, both alternatives must be accepted on decode; the length
-- bound is the only constraint the type expresses.
PKCS9String {INTEGER : maxSize} ::= CHOICE {
        ia5String IA5String (SIZE(1..maxSize)),
        directoryString DirectoryString {maxSize}
}

-- Object classes

-- Directory auxiliary object classes (OBJECT-CLASS and top come from
-- InformationFramework). An auxiliary class can be added to an entry
-- derived from top; the entry MAY then carry the attributes of the
-- named attribute set, none of which is mandatory here.
pkcsEntity OBJECT-CLASS ::= {
        SUBCLASS OF	{ top }
        KIND           	auxiliary
        MAY CONTAIN	{ PKCSEntityAttributeSet }
        ID              pkcs-9-oc-pkcsEntity
}

-- Auxiliary class for entries describing a person; the attribute set is
-- the PKIX personal data attributes plus the PKCS contact attributes.
naturalPerson OBJECT-CLASS ::= {
        SUBCLASS OF 	{ top }
        KIND 		auxiliary
        MAY CONTAIN 	{ NaturalPersonAttributeSet }
        ID 		pkcs-9-oc-naturalPerson
}

-- Attribute sets

-- Object sets naming which ATTRIBUTE objects each object class above may
-- contain. Both are extensible (the trailing "..."), so an implementation
-- must tolerate attributes that are not listed here.
PKCSEntityAttributeSet ATTRIBUTE ::= {
        pKCS7PDU       |
        userPKCS12     |
        pKCS15Token    |
        encryptedPrivateKeyInfo,
        ... -- For future extensions
}

-- Attributes a naturalPerson entry may carry; serialNumber is the
-- imported X.520 attribute, the rest are defined in this module.
NaturalPersonAttributeSet ATTRIBUTE ::= {
        emailAddress	     |
        unstructuredName     |
        unstructuredAddress  |
        dateOfBirth	     |
        placeOfBirth	     |
        gender		     |
        countryOfCitizenship |
        countryOfResidence   |
        pseudonym	     |
        serialNumber,
        ... -- For future extensions
}

-- Attributes

-- Attributes of pkcsEntity. Each one's syntax is a complete PDU imported
-- from another PKCS module (CMS, PKCS #12, PKCS #15, PKCS #8). None of
-- them declares an EQUALITY MATCHING RULE or SINGLE VALUE, so they are
-- multi-valued and have no equality match defined.
pKCS7PDU ATTRIBUTE ::= {
        WITH SYNTAX ContentInfo
        ID pkcs-9-at-pkcs7PDU
}

-- A whole PKCS #12 PFX stored as an attribute value.
userPKCS12 ATTRIBUTE ::= {
        WITH SYNTAX PFX
        ID pkcs-9-at-userPKCS12
}

pKCS15Token ATTRIBUTE ::= {
        WITH SYNTAX PKCS15Token
        ID pkcs-9-at-pkcs15Token
}

-- A PKCS #8 EncryptedPrivateKeyInfo. Its only protection is whatever the
-- encryption inside that structure provides; this schema adds none.
encryptedPrivateKeyInfo ATTRIBUTE ::= {
        WITH SYNTAX EncryptedPrivateKeyInfo
        ID pkcs-9-at-encryptedPrivateKeyInfo
}

-- IA5String of 1..pkcs-9-ub-emailAddress characters, compared with this
-- module's own pkcs9CaseIgnoreMatch (defined at the end). Not SINGLE
-- VALUE, so an entry may carry several addresses. The syntax does not
-- check that the value is a well-formed address.
emailAddress ATTRIBUTE ::= {
        WITH SYNTAX IA5String (SIZE(1..pkcs-9-ub-emailAddress))
        EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
        ID pkcs-9-at-emailAddress
}

-- Free-form name; a PKCS9String CHOICE, so either an IA5String or a
-- DirectoryString may appear. Multi-valued.
unstructuredName ATTRIBUTE ::= {
        WITH SYNTAX PKCS9String {pkcs-9-ub-unstructuredName}
        EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
        ID pkcs-9-at-unstructuredName
}

-- Free-form address as a DirectoryString (note: not PKCS9String, unlike
-- unstructuredName), matched with the imported caseIgnoreMatch.
unstructuredAddress ATTRIBUTE ::= {
        WITH SYNTAX DirectoryString {pkcs-9-ub-unstructuredAddress}
        EQUALITY MATCHING RULE caseIgnoreMatch
        ID pkcs-9-at-unstructuredAddress
}

-- PKIX personal data attributes (identified under ietf-at). All three are
-- SINGLE VALUE.
dateOfBirth ATTRIBUTE ::= {
        WITH SYNTAX GeneralizedTime
        EQUALITY MATCHING RULE generalizedTimeMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-dateOfBirth
}

-- DirectoryString bounded by ub-name (via pkcs-9-ub-placeOfBirth);
-- compared case-exactly.
placeOfBirth ATTRIBUTE ::= {
        WITH SYNTAX DirectoryString {pkcs-9-ub-placeOfBirth}
        EQUALITY MATCHING RULE caseExactMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-placeOfBirth
}

-- Exactly one PrintableString character drawn from M, F, m or f: the "^"
-- intersects the SIZE(1) constraint with the FROM alphabet constraint.
gender ATTRIBUTE ::= {
        WITH SYNTAX PrintableString (SIZE(1) ^ FROM ("M" | "F" | "m" | "f"))
        EQUALITY MATCHING RULE caseIgnoreMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-gender
}

-- Two-character PrintableString. The CONSTRAINED BY clause is a
-- user-defined constraint whose only content is the comment, so the
-- ISO/IEC 3166 requirement is documentation, not something an ASN.1
-- compiler can check. NOTE(review): validate the code in application
-- code if it matters. Multi-valued (no SINGLE VALUE).
countryOfCitizenship ATTRIBUTE ::= {
        WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY {
        -- Must be a two-letter country acronym in accordance with
        -- ISO/IEC 3166 --})
        EQUALITY MATCHING RULE caseIgnoreMatch
        ID pkcs-9-at-countryOfCitizenship
}

-- Same syntax and the same unchecked ISO/IEC 3166 constraint as
-- countryOfCitizenship.
countryOfResidence ATTRIBUTE ::= {
        WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY {
        -- Must be a two-letter country acronym in accordance with
        -- ISO/IEC 3166 --})
        EQUALITY MATCHING RULE caseIgnoreMatch
        ID pkcs-9-at-countryOfResidence
}

-- DirectoryString bounded by ub-name, compared case-exactly. Identified
-- by the X.520 id-at arc rather than pkcs-9. Multi-valued.
pseudonym ATTRIBUTE ::= {
        WITH SYNTAX DirectoryString {pkcs-9-ub-pseudonym}
        EQUALITY MATCHING RULE caseExactMatch
        ID id-at-pseudonym
}

-- CMS signed attribute (RFC 5652): the content type of the data that was
-- signed. The schema fixes only that the value is a single OID; the CMS
-- verifier is responsible for checking that it equals the eContentType of
-- the EncapsulatedContentInfo being verified.
contentType ATTRIBUTE ::= {
        WITH SYNTAX ContentType
        EQUALITY MATCHING RULE objectIdentifierMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-contentType
}

ContentType ::= OBJECT IDENTIFIER

-- CMS signed attribute: the digest of the signed content. The value is
-- an unconstrained OCTET STRING, so its length is not tied to the digest
-- algorithm at the schema level; the CMS verifier must recompute the
-- digest over the content and compare, rather than trust this value.
messageDigest ATTRIBUTE ::= {
        WITH SYNTAX MessageDigest
        EQUALITY MATCHING RULE octetStringMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-messageDigest
}

MessageDigest ::= OCTET STRING

-- CMS signed attribute: the time at which the signer claims to have
-- signed. NOTE(review): the value is asserted by the signer itself, not
-- by a third party; treat it as informational rather than as a trusted
-- timestamp. Compared with this module's signingTimeMatch (defined below).
signingTime ATTRIBUTE ::= {
        WITH SYNTAX SigningTime
        EQUALITY MATCHING RULE signingTimeMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-signingTime
}

-- Time is the X.509 type imported from AuthenticationFramework
-- (presumably a CHOICE of UTCTime and GeneralizedTime; see that module).
SigningTime ::= Time -- imported from ISO/IEC 9594-8

-- An opaque nonce of at least four octets.
-- NOTE(review): SIZE(4..MAX) is the syntactic floor from RFC 2985, not a
-- strength recommendation. A nonce that is meant to resist guessing or
-- replay needs considerably more unpredictable content than 32 bits;
-- the schema does not and cannot enforce that.
randomNonce ATTRIBUTE ::= {
        WITH SYNTAX RandomNonce
        EQUALITY MATCHING RULE octetStringMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-randomNonce
}

RandomNonce ::= OCTET STRING (SIZE(4..MAX)) -- At least four bytes long

-- A positive INTEGER with no upper bound. NOTE(review): values larger
-- than a native machine word are legal under this syntax; confirm that
-- the code consuming the decoded value handles them rather than
-- truncating.
sequenceNumber ATTRIBUTE ::= {
        WITH SYNTAX SequenceNumber
        EQUALITY MATCHING RULE integerMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-sequenceNumber
}

SequenceNumber ::= INTEGER (1..MAX)

-- CMS countersignature: a complete SignerInfo carried as an attribute of
-- another SignerInfo (per RFC 5652 the countersigner's digest is computed
-- over the outer signature value). Multi-valued, so several parties may
-- countersign the same signature.
counterSignature ATTRIBUTE ::= {
        WITH SYNTAX SignerInfo
        ID pkcs-9-at-counterSignature
}

-- A shared secret placed in a certification request (RFC 2985 defines it
-- for use in a later revocation request). NOTE(review): the schema treats
-- it as an ordinary DirectoryString; code that decodes requests should
-- handle the value as a secret (no logging, no echoing in error output).
challengePassword ATTRIBUTE ::= {
        WITH SYNTAX DirectoryString {pkcs-9-ub-challengePassword}
        EQUALITY MATCHING RULE caseExactMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-challengePassword
}

-- Certification-request attribute carrying the X.509 Extensions the
-- requester would like in its certificate. The syntax is the full
-- Extensions type, so any extension can be requested; which ones are
-- honoured is an issuer policy decision made outside this module.
extensionRequest ATTRIBUTE ::= {
        WITH SYNTAX ExtensionRequest
        SINGLE VALUE TRUE
        ID pkcs-9-at-extensionRequest
}

-- Extensions is imported from AuthenticationFramework (X.509).
ExtensionRequest ::= Extensions

-- A SET OF X.501 Attribute carried as one single-valued attribute.
-- Retained from earlier PKCS #9 versions; no matching rule is defined.
extendedCertificateAttributes ATTRIBUTE ::= {
        WITH SYNTAX SET OF Attribute
        SINGLE VALUE TRUE
        ID pkcs-9-at-extendedCertificateAttributes
}

-- PKCS #12 bag attribute: human-readable label for a bag. BMPString of
-- 1..pkcs-9-ub-friendlyName characters, case-insensitive match.
friendlyName ATTRIBUTE ::= {
        WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
        EQUALITY MATCHING RULE caseIgnoreMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-friendlyName
}

-- PKCS #12 bag attribute: opaque identifier used to pair a key bag with
-- its certificate bag. Unconstrained OCTET STRING; no length bound.
localKeyId ATTRIBUTE ::= {
        WITH SYNTAX OCTET STRING
        EQUALITY MATCHING RULE octetStringMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-localKeyId
}

-- Free-form description of a signature, bounded by
-- pkcs-9-ub-signingDescription.
signingDescription ATTRIBUTE ::= {
        WITH SYNTAX DirectoryString {pkcs-9-ub-signingDescription}
        EQUALITY MATCHING RULE caseIgnoreMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-signingDescription
}

-- S/MIME capabilities: the list of algorithms a recipient advertises.
-- Single valued; the list itself is the SEQUENCE OF below.
smimeCapabilities ATTRIBUTE ::= {
        WITH SYNTAX SMIMECapabilities
        SINGLE VALUE TRUE
        ID pkcs-9-at-smimeCapabilities
}

SMIMECapabilities ::= SEQUENCE OF SMIMECapability

-- One capability: an algorithm identifier plus parameters whose type is
-- selected from the SMIMEv3Algorithms object set by the algorithm OID.
-- Because that object set is left open below (only "..."), a compiler
-- cannot resolve the parameters type from this module alone and will
-- presumably treat it as an open type, to be interpreted by the caller.
SMIMECapability ::= SEQUENCE {
        algorithm  ALGORITHM.&id ({SMIMEv3Algorithms}),
        parameters ALGORITHM.&Type ({SMIMEv3Algorithms}{@algorithm})
}

SMIMEv3Algorithms ALGORITHM ::= {...-- See RFC 2633 --}

 -- Matching rules

-- Equality rule used by emailAddress and unstructuredName above; the
-- assertion value is a PKCS9String bounded by pkcs-9-ub-match.
pkcs9CaseIgnoreMatch MATCHING-RULE ::= {
        SYNTAX PKCS9String {pkcs-9-ub-match}
        ID pkcs-9-mr-caseIgnoreMatch
}

-- Equality rule used by signingTime above; the assertion value is a
-- SigningTime (the X.509 Time type).
signingTimeMatch MATCHING-RULE ::= {
        SYNTAX SigningTime
        ID pkcs-9-mr-signingTimeMatch
}

END