public_key: Add PKCS-7

First attempt to add PKCS-7 does not compile

13 files changed, 5104 insertions, 5 deletions

diff --git a/lib/public_key/asn1/AuthenticationFramework.asn1 b/lib/public_key/asn1/AuthenticationFramework.asn1
new file mode 100644
index 0000000000..3754486473
--- /dev/null
+++ b/lib/public_key/asn1/AuthenticationFramework.asn1
@@ -0,0 +1,367 @@
+AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
+  authenticationFramework(7) 6} DEFINITIONS ::=
+BEGIN
+
+-- EXPORTS All
+-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
+-- within the Directory Specifications, and for the use of other applications which will use them to access
+-- Directory services. Other applications may use them for their own purposes, but this will not constrain
+-- extensions and modifications needed to maintain or improve the Directory service.
+IMPORTS
+  id-at, id-nf, id-oc, informationFramework, selectedAttributeTypes,
+    basicAccessControl, certificateExtensions
+    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
+      usefulDefinitions(0) 6}
+  Name, ATTRIBUTE, OBJECT-CLASS, NAME-FORM, top
+    FROM InformationFramework informationFramework
+  UniqueIdentifier, octetStringMatch, commonName, UnboundedDirectoryString
+    FROM SelectedAttributeTypes selectedAttributeTypes
+  certificateExactMatch, certificatePairExactMatch, certificateListExactMatch,
+    KeyUsage, GeneralNames, CertificatePoliciesSyntax,
+    algorithmIdentifierMatch, CertPolicyId
+    FROM CertificateExtensions certificateExtensions;
+
+-- parameterized types
+ENCRYPTED{ToBeEnciphered} ::=
+  BIT STRING
+    (CONSTRAINED BY {
+       -- shall be the result of applying an encipherment procedure
+       -- to the BER-encoded octets of a value of --ToBeEnciphered})
+
+HASH{ToBeHashed} ::= SEQUENCE {
+  algorithmIdentifier  AlgorithmIdentifier{{SupportedAlgorithms}},
+  hashValue
+    BIT STRING
+      (CONSTRAINED BY {
+         -- shall be the result of applying a hashing procedure to the DER-encoded octets
+         -- of a value of -- ToBeHashed})
+}
+
+ENCRYPTED-HASH{ToBeSigned} ::=
+  BIT STRING
+    (CONSTRAINED BY {
+       -- shall be the result of applying a hashing procedure to the DER-encoded (see 6.1) octets
+       -- of a value of --ToBeSigned -- and then applying an encipherment procedure to those octets --})
+
+SIGNATURE{ToBeSigned} ::= SEQUENCE {
+  algorithmIdentifier  AlgorithmIdentifier{{SupportedAlgorithms}},
+  encrypted            ENCRYPTED-HASH{ToBeSigned}
+}
+
+SIGNED{ToBeSigned} ::= SEQUENCE {
+  toBeSigned  ToBeSigned,
+  COMPONENTS OF SIGNATURE{ToBeSigned}
+}
+
+-- public-key certificate definition
+Certificate ::= SIGNED{CertificateContent}
+
+CertificateContent ::= SEQUENCE {
+  version                  [0]  Version DEFAULT v1,
+  serialNumber             CertificateSerialNumber,
+  signature                AlgorithmIdentifier{{SupportedAlgorithms}},
+  issuer                   Name,
+  validity                 Validity,
+  subject                  Name,
+  subjectPublicKeyInfo     SubjectPublicKeyInfo,
+  issuerUniqueIdentifier   [1] IMPLICIT UniqueIdentifier OPTIONAL,
+  -- if present, version shall be v2 or v3
+  subjectUniqueIdentifier  [2] IMPLICIT UniqueIdentifier OPTIONAL,
+  -- if present, version shall be v2 or v3
+  extensions               [3]  Extensions OPTIONAL
+  -- If present, version shall be v3
+}
+
+Version ::= INTEGER {v1(0), v2(1), v3(2)}
+
+CertificateSerialNumber ::= INTEGER
+
+AlgorithmIdentifier{ALGORITHM:SupportedAlgorithms} ::= SEQUENCE {
+  algorithm   ALGORITHM.&id({SupportedAlgorithms}),
+  parameters  ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL
+}
+
+-- Definition of the following information object set is deferred, perhaps to standardized
+-- profiles or to protocol implementation conformance statements. The set is required to
+-- specify a table constraint on the parameters component of AlgorithmIdentifier.
+SupportedAlgorithms ALGORITHM ::=
+  {...}
+
+Validity ::= SEQUENCE {notBefore  Time,
+                       notAfter   Time
+}
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+  algorithm         AlgorithmIdentifier{{SupportedAlgorithms}},
+  subjectPublicKey  BIT STRING
+}
+
+Time ::= CHOICE {utcTime          UTCTime,
+                 generalizedTime  GeneralizedTime
+}
+
+Extensions ::= SEQUENCE OF Extension
+
+-- For those extensions where ordering of individual extensions within the SEQUENCE is significant, the
+-- specification of those individual extensions shall include the rules for the significance of the order therein
+Extension ::= SEQUENCE {
+  extnId     EXTENSION.&id({ExtensionSet}),
+  critical   BOOLEAN DEFAULT FALSE,
+  extnValue
+    OCTET STRING
+      (CONTAINING EXTENSION.&ExtnType({ExtensionSet}{@extnId})
+       ENCODED BY
+       der)
+}
+
+der OBJECT IDENTIFIER ::=
+  {joint-iso-itu-t asn1(1) ber-derived(2) distinguished-encoding(1)}
+
+ExtensionSet EXTENSION ::=
+  {...}
+
+EXTENSION ::= CLASS {&id        OBJECT IDENTIFIER UNIQUE,
+                     &ExtnType
+}WITH SYNTAX {SYNTAX &ExtnType
+              IDENTIFIED BY &id
+}
+
+ALGORITHM ::= CLASS {&Type  OPTIONAL,
+                     &id    OBJECT IDENTIFIER UNIQUE
+}WITH SYNTAX {[&Type]
+              IDENTIFIED BY &id
+}
+
+-- other PKI certificate constructs
+Certificates ::= SEQUENCE {
+  userCertificate    Certificate,
+  certificationPath  ForwardCertificationPath OPTIONAL
+}
+
+CertificationPath ::= SEQUENCE {
+  userCertificate    Certificate,
+  theCACertificates  SEQUENCE OF CertificatePair OPTIONAL
+}
+
+ForwardCertificationPath ::= SEQUENCE OF CrossCertificates
+
+CrossCertificates ::= SET OF Certificate
+
+PkiPath ::= SEQUENCE OF Certificate
+
+-- certificate revocation list (CRL)
+CertificateList ::=
+  SIGNED{CertificateListContent}
+
+CertificateListContent ::= SEQUENCE {
+  version              Version OPTIONAL,
+  -- if present, version shall be v2
+  signature            AlgorithmIdentifier{{SupportedAlgorithms}},
+  issuer               Name,
+  thisUpdate           Time,
+  nextUpdate           Time OPTIONAL,
+  revokedCertificates
+    SEQUENCE OF
+      SEQUENCE {serialNumber        CertificateSerialNumber,
+                revocationDate      Time,
+                crlEntryExtensions  Extensions OPTIONAL} OPTIONAL,
+  crlExtensions        [0]  Extensions OPTIONAL
+}
+
+-- PKI object classes
+pkiUser OBJECT-CLASS ::= {
+  SUBCLASS OF  {top}
+  KIND         auxiliary
+  MAY CONTAIN  {userCertificate}
+  ID           id-oc-pkiUser
+}
+
+pkiCA OBJECT-CLASS ::= {
+  SUBCLASS OF  {top}
+  KIND         auxiliary
+  MAY CONTAIN
+    {cACertificate | certificateRevocationList | authorityRevocationList |
+      crossCertificatePair}
+  ID           id-oc-pkiCA
+}
+
+cRLDistributionPoint OBJECT-CLASS ::= {
+  SUBCLASS OF   {top}
+  KIND          structural
+  MUST CONTAIN  {commonName}
+  MAY CONTAIN
+    {certificateRevocationList | authorityRevocationList | deltaRevocationList}
+  ID            id-oc-cRLDistributionPoint
+}
+
+cRLDistPtNameForm NAME-FORM ::= {
+  NAMES            cRLDistributionPoint
+  WITH ATTRIBUTES  {commonName}
+  ID               id-nf-cRLDistPtNameForm
+}
+
+deltaCRL OBJECT-CLASS ::= {
+  SUBCLASS OF  {top}
+  KIND         auxiliary
+  MAY CONTAIN  {deltaRevocationList}
+  ID           id-oc-deltaCRL
+}
+
+cpCps OBJECT-CLASS ::= {
+  SUBCLASS OF  {top}
+  KIND         auxiliary
+  MAY CONTAIN  {certificatePolicy | certificationPracticeStmt}
+  ID           id-oc-cpCps
+}
+
+pkiCertPath OBJECT-CLASS ::= {
+  SUBCLASS OF  {top}
+  KIND         auxiliary
+  MAY CONTAIN  {pkiPath}
+  ID           id-oc-pkiCertPath
+}
+
+-- PKI directory attributes
+userCertificate ATTRIBUTE ::= {
+  WITH SYNTAX             Certificate
+  EQUALITY MATCHING RULE  certificateExactMatch
+  ID                      id-at-userCertificate
+}
+
+cACertificate ATTRIBUTE ::= {
+  WITH SYNTAX             Certificate
+  EQUALITY MATCHING RULE  certificateExactMatch
+  ID                      id-at-cAcertificate
+}
+
+crossCertificatePair ATTRIBUTE ::= {
+  WITH SYNTAX             CertificatePair
+  EQUALITY MATCHING RULE  certificatePairExactMatch
+  ID                      id-at-crossCertificatePair
+}
+
+CertificatePair ::= SEQUENCE {
+  forward  [0]  Certificate OPTIONAL,
+  reverse  [1]  Certificate OPTIONAL
+  -- at least one of the pair shall be present
+}
+(WITH COMPONENTS {
+   ...,
+   forward  PRESENT
+ } | WITH COMPONENTS {
+       ...,
+       reverse  PRESENT
+     })
+
+certificateRevocationList ATTRIBUTE ::= {
+  WITH SYNTAX             CertificateList
+  EQUALITY MATCHING RULE  certificateListExactMatch
+  ID                      id-at-certificateRevocationList
+}
+
+authorityRevocationList ATTRIBUTE ::= {
+  WITH SYNTAX             CertificateList
+  EQUALITY MATCHING RULE  certificateListExactMatch
+  ID                      id-at-authorityRevocationList
+}
+
+deltaRevocationList ATTRIBUTE ::= {
+  WITH SYNTAX             CertificateList
+  EQUALITY MATCHING RULE  certificateListExactMatch
+  ID                      id-at-deltaRevocationList
+}
+
+supportedAlgorithms ATTRIBUTE ::= {
+  WITH SYNTAX             SupportedAlgorithm
+  EQUALITY MATCHING RULE  algorithmIdentifierMatch
+  ID                      id-at-supportedAlgorithms
+}
+
+SupportedAlgorithm ::= SEQUENCE {
+  algorithmIdentifier          AlgorithmIdentifier{{SupportedAlgorithms}},
+  intendedUsage                [0]  KeyUsage OPTIONAL,
+  intendedCertificatePolicies  [1]  CertificatePoliciesSyntax OPTIONAL
+}
+
+certificationPracticeStmt ATTRIBUTE ::= {
+  WITH SYNTAX  InfoSyntax
+  ID           id-at-certificationPracticeStmt
+}
+
+InfoSyntax ::= CHOICE {
+  content  UnboundedDirectoryString,
+  pointer  SEQUENCE {name  GeneralNames,
+                     hash  HASH{HashedPolicyInfo} OPTIONAL}
+}
+
+POLICY ::= TYPE-IDENTIFIER
+
+HashedPolicyInfo ::= POLICY.&Type({Policies})
+
+Policies POLICY ::=
+  {...} -- Defined by implementors
+
+certificatePolicy ATTRIBUTE ::= {
+  WITH SYNTAX  PolicySyntax
+  ID           id-at-certificatePolicy
+}
+
+PolicySyntax ::= SEQUENCE {
+  policyIdentifier  PolicyID,
+  policySyntax      InfoSyntax
+}
+
+PolicyID ::= CertPolicyId
+
+pkiPath ATTRIBUTE ::= {WITH SYNTAX  PkiPath
+                       ID           id-at-pkiPath
+}
+
+userPassword ATTRIBUTE ::= {
+  WITH SYNTAX             OCTET STRING(SIZE (0..MAX))
+  EQUALITY MATCHING RULE  octetStringMatch
+  ID                      id-at-userPassword
+}
+
+-- object identifier assignments
+-- object classes
+id-oc-cRLDistributionPoint OBJECT IDENTIFIER ::=
+  {id-oc 19}
+
+id-oc-pkiUser OBJECT IDENTIFIER ::= {id-oc 21}
+
+id-oc-pkiCA OBJECT IDENTIFIER ::= {id-oc 22}
+
+id-oc-deltaCRL OBJECT IDENTIFIER ::= {id-oc 23}
+
+id-oc-cpCps OBJECT IDENTIFIER ::= {id-oc 30}
+
+id-oc-pkiCertPath OBJECT IDENTIFIER ::= {id-oc 31}
+
+-- name forms
+id-nf-cRLDistPtNameForm OBJECT IDENTIFIER ::= {id-nf 14}
+
+-- directory attributes
+id-at-userPassword OBJECT IDENTIFIER ::= {id-at 35}
+
+id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
+
+id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
+
+id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
+
+id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
+
+id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
+
+id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52}
+
+id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53}
+
+id-at-certificationPracticeStmt OBJECT IDENTIFIER ::= {id-at 68}
+
+id-at-certificatePolicy OBJECT IDENTIFIER ::= {id-at 69}
+
+id-at-pkiPath OBJECT IDENTIFIER ::= {id-at 70}
+
+END -- AuthenticationFramework
diff --git a/lib/public_key/asn1/CryptographicMessageSyntax.asn1 b/lib/public_key/asn1/CryptographicMessageSyntax.asn1
new file mode 100644
index 0000000000..05ecdf2448
--- /dev/null
+++ b/lib/public_key/asn1/CryptographicMessageSyntax.asn1
@@ -0,0 +1,376 @@
+CryptographicMessageSyntax {iso(1) member-body(2) us(840) rsadsi(113549)
+  pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1)}
+--
+-- Copyright (C) The Internet Society (1999). This version of
+-- this ASN.1 module is part of RFC 2630;
+-- see the RFC itself for full legal notices.
+--
+DEFINITIONS IMPLICIT TAGS ::=
+BEGIN
+
+-- EXPORTS All
+-- The types and values defined in this module are exported for use in
+-- the other ASN.1 modules.  Other applications may use them for their
+-- own purposes.
+IMPORTS
+  -- Directory Information Framework (X.501)
+  Name
+    FROM InformationFramework {joint-iso-itu-t ds(5) module(1)
+      informationFramework(1) 3}
+  -- Directory Authentication Framework (X.509)
+  AlgorithmIdentifier, AttributeCertificate, Certificate, CertificateList,
+    CertificateSerialNumber
+    FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
+      authenticationFramework(7) 3};
+
+ContentInfo ::= SEQUENCE {
+  content-type   CMS-CONTENT-TYPE.&id({CMSContentTable}),
+  pkcs7-content  [0]  CMS-CONTENT-TYPE.&Type({CMSContentTable})
+}
+
+CMS-CONTENT-TYPE ::= TYPE-IDENTIFIER
+
+CMSContentTable CMS-CONTENT-TYPE ::=
+  {...}
+
+ContentType ::= OBJECT IDENTIFIER
+
+SignedData ::= SEQUENCE {
+  version           CMSVersion,
+  digestAlgorithms  DigestAlgorithmIdentifiers,
+  encapContentInfo  EncapsulatedContentInfo,
+  certificates      [0] IMPLICIT CertificateSet OPTIONAL,
+  crls              [1] IMPLICIT CertificateRevocationLists OPTIONAL,
+  signerInfos       SignerInfos
+}
+
+DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
+
+SignerInfos ::= SET OF SignerInfo
+
+EncapsulatedContentInfo ::= SEQUENCE {
+  eContentType  ContentType,
+  eContent      [0] EXPLICIT OCTET STRING OPTIONAL
+}
+
+SignerInfo ::= SEQUENCE {
+  version             CMSVersion,
+  sid                 SignerIdentifier,
+  digestAlgorithm     DigestAlgorithmIdentifier,
+  signedAttrs         [0] IMPLICIT SignedAttributes OPTIONAL,
+  signatureAlgorithm  SignatureAlgorithmIdentifier,
+  signature           SignatureValue,
+  unsignedAttrs       [1] IMPLICIT UnsignedAttributes OPTIONAL
+}
+
+SignerIdentifier ::= CHOICE {
+  issuerAndSerialNumber  IssuerAndSerialNumber,
+  subjectKeyIdentifier   [0]  SubjectKeyIdentifier
+}
+
+SignedAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+Attribute ::= SEQUENCE {
+  attrType    OBJECT IDENTIFIER,
+  attrValues  SET OF AttributeValue
+}
+
+OPEN ::= CLASS {&Type
+}WITH SYNTAX {TYPE &Type
+}
+
+AttributeValue ::= OPEN.&Type
+
+SignatureValue ::= OCTET STRING
+
+EnvelopedData ::= SEQUENCE {
+  version               CMSVersion,
+  originatorInfo        [0] IMPLICIT OriginatorInfo OPTIONAL,
+  recipientInfos        RecipientInfos,
+  encryptedContentInfo  EncryptedContentInfo,
+  unprotectedAttrs      [1] IMPLICIT UnprotectedAttributes OPTIONAL
+}
+
+OriginatorInfo ::= SEQUENCE {
+  certs  [0] IMPLICIT CertificateSet OPTIONAL,
+  crls   [1] IMPLICIT CertificateRevocationLists OPTIONAL
+}
+
+RecipientInfos ::= SET OF RecipientInfo
+
+EncryptedContentInfo ::= SEQUENCE {
+  contentType                 ContentType,
+  contentEncryptionAlgorithm  ContentEncryptionAlgorithmIdentifier,
+  encryptedContent            [0] IMPLICIT EncryptedContent OPTIONAL
+}
+
+EncryptedContent ::= OCTET STRING
+
+UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+RecipientInfo ::= CHOICE {
+  ktri   KeyTransRecipientInfo,
+  kari   [1]  KeyAgreeRecipientInfo,
+  kekri  [2]  KEKRecipientInfo
+}
+
+EncryptedKey ::= OCTET STRING
+
+KeyTransRecipientInfo ::= SEQUENCE {
+  version                 CMSVersion, -- always set to 0 or 2
+  rid                     RecipientIdentifier,
+  keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
+  encryptedKey            EncryptedKey
+}
+
+RecipientIdentifier ::= CHOICE {
+  issuerAndSerialNumber  IssuerAndSerialNumber,
+  subjectKeyIdentifier   [0]  SubjectKeyIdentifier
+}
+
+KeyAgreeRecipientInfo ::= SEQUENCE {
+  version                 CMSVersion, -- always set to 3
+  originator              [0] EXPLICIT OriginatorIdentifierOrKey,
+  ukm                     [1] EXPLICIT UserKeyingMaterial OPTIONAL,
+  keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
+  recipientEncryptedKeys  RecipientEncryptedKeys
+}
+
+OriginatorIdentifierOrKey ::= CHOICE {
+  issuerAndSerialNumber  IssuerAndSerialNumber,
+  subjectKeyIdentifier   [0]  SubjectKeyIdentifier,
+  originatorKey          [1]  OriginatorPublicKey
+}
+
+OriginatorPublicKey ::= SEQUENCE {
+  algorithm  AlgorithmIdentifier,
+  publicKey  BIT STRING
+}
+
+RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
+
+RecipientEncryptedKey ::= SEQUENCE {
+  rid           KeyAgreeRecipientIdentifier,
+  encryptedKey  EncryptedKey
+}
+
+KeyAgreeRecipientIdentifier ::= CHOICE {
+  issuerAndSerialNumber  IssuerAndSerialNumber,
+  rKeyId                 [0] IMPLICIT RecipientKeyIdentifier
+}
+
+RecipientKeyIdentifier ::= SEQUENCE {
+  subjectKeyIdentifier  SubjectKeyIdentifier,
+  date                  GeneralizedTime OPTIONAL,
+  other                 OtherKeyAttribute OPTIONAL
+}
+
+SubjectKeyIdentifier ::= OCTET STRING
+
+KEKRecipientInfo ::= SEQUENCE {
+  version                 CMSVersion, -- always set to 4
+  kekid                   KEKIdentifier,
+  keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
+  encryptedKey            EncryptedKey
+}
+
+KEKIdentifier ::= SEQUENCE {
+  keyIdentifier  OCTET STRING,
+  date           GeneralizedTime OPTIONAL,
+  other          OtherKeyAttribute OPTIONAL
+}
+
+DigestedData ::= SEQUENCE {
+  version           CMSVersion,
+  digestAlgorithm   DigestAlgorithmIdentifier,
+  encapContentInfo  EncapsulatedContentInfo,
+  digest            Digest
+}
+
+Digest ::= OCTET STRING
+
+EncryptedData ::= SEQUENCE {
+  version               CMSVersion,
+  encryptedContentInfo  EncryptedContentInfo,
+  unprotectedAttrs      [1] IMPLICIT UnprotectedAttributes OPTIONAL
+}
+
+AuthenticatedData ::= SEQUENCE {
+  version                    CMSVersion,
+  originatorInfo             [0] IMPLICIT OriginatorInfo OPTIONAL,
+  recipientInfos             RecipientInfos,
+  macAlgorithm               MessageAuthenticationCodeAlgorithm,
+  digestAlgorithm            [1]  DigestAlgorithmIdentifier OPTIONAL,
+  encapContentInfo           EncapsulatedContentInfo,
+  authenticatedAttributes    [2] IMPLICIT AuthAttributes OPTIONAL,
+  mac                        MessageAuthenticationCode,
+  unauthenticatedAttributes  [3] IMPLICIT UnauthAttributes OPTIONAL
+}
+
+AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+MessageAuthenticationCode ::= OCTET STRING
+
+DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+
+SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
+
+KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+
+ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+
+MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
+
+CertificateRevocationLists ::= SET OF CertificateList
+
+CertificateChoices ::= CHOICE {
+  certificate          Certificate, -- See X.509
+  extendedCertificate  [0] IMPLICIT ExtendedCertificate, -- Obsolete
+  attrCert             [1] IMPLICIT AttributeCertificate
+} -- See X.509 & X9.57
+
+CertificateSet ::= SET OF CertificateChoices
+
+IssuerAndSerialNumber ::= SEQUENCE {
+  issuer        Name,
+  serialNumber  CertificateSerialNumber
+}
+
+CMSVersion ::= INTEGER {v0(0), v1(1), v2(2), v3(3), v4(4)}
+
+UserKeyingMaterial ::= OCTET STRING
+
+OtherKeyAttribute ::= SEQUENCE {
+  keyAttributeIdentifier  OTHER-KEY-ATTRIBUTE.&id({OtherKeyAttributeTable}),
+  keyAttribute
+    OTHER-KEY-ATTRIBUTE.&Type
+      ({OtherKeyAttributeTable}{@keyAttributeIdentifier}) OPTIONAL
+}
+
+OTHER-KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
+
+OtherKeyAttributeTable OTHER-KEY-ATTRIBUTE ::=
+  {...}
+
+-- CMS Attributes
+MessageDigest ::= OCTET STRING
+
+SigningTime ::= Time
+
+Time ::= CHOICE {utcTime      UTCTime,
+                 generalTime  GeneralizedTime
+}
+
+Countersignature ::= SignerInfo
+
+-- Algorithm Identifiers
+sha-1 OBJECT IDENTIFIER ::=
+  {iso(1) identified-organization(3) oiw(14) secsig(3) algorithm(2) 26}
+
+md5 OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5}
+
+id-dsa-with-sha1 OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3}
+
+rsaEncryption OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1}
+
+dh-public-number OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1}
+
+id-alg-ESDH OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+   alg(3) 5}
+
+id-alg-CMS3DESwrap OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+   alg(3) 6}
+
+id-alg-CMSRC2wrap OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+   alg(3) 7}
+
+des-ede3-cbc OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) encryptionAlgorithm(3) 7}
+
+rc2-cbc OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) encryptionAlgorithm(3) 2}
+
+hMAC-SHA1 OBJECT IDENTIFIER ::=
+  {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+   mechanisms(5) 8 1 2}
+
+-- Algorithm Parameters
+KeyWrapAlgorithm ::= AlgorithmIdentifier
+
+RC2wrapParameter ::= RC2ParameterVersion
+
+RC2ParameterVersion ::= INTEGER
+
+CBCParameter ::= IV
+
+IV ::= OCTET STRING -- exactly 8 octets
+
+RC2CBCParameter ::= SEQUENCE {
+  rc2ParameterVersion  INTEGER,
+  iv                   OCTET STRING
+} -- exactly 8 octets
+
+-- Content Type Object Identifiers
+id-ct-contentInfo OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+   ct(1) 6}
+
+id-data OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1}
+
+id-signedData OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2}
+
+id-envelopedData OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3}
+
+id-digestedData OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5}
+
+id-encryptedData OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6}
+
+id-ct-authData OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+   ct(1) 2}
+
+-- Attribute Object Identifiers
+id-contentType OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3}
+
+id-messageDigest OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4}
+
+id-signingTime OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5}
+
+id-countersignature OBJECT IDENTIFIER ::=
+  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6}
+
+-- Obsolete Extended Certificate syntax from PKCS#6
+ExtendedCertificate ::= SEQUENCE {
+  extendedCertificateInfo  ExtendedCertificateInfo,
+  signatureAlgorithm       SignatureAlgorithmIdentifier,
+  signature                Signature
+}
+
+ExtendedCertificateInfo ::= SEQUENCE {
+  version      CMSVersion,
+  certificate  Certificate,
+  attributes   UnauthAttributes
+}
+
+Signature ::= BIT STRING
+
+END -- of CryptographicMessageSyntax
diff --git a/lib/public_key/asn1/InformationFramework.asn1 b/lib/public_key/asn1/InformationFramework.asn1
new file mode 100644
index 0000000000..4aed43a39e
--- /dev/null
+++ b/lib/public_key/asn1/InformationFramework.asn1
@@ -0,0 +1,682 @@
+InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1)
+  6} DEFINITIONS ::=
+BEGIN
+
+-- EXPORTS All
+-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
+-- within the Directory Specifications, and for the use of other applications which will use them to access
+-- Directory services. Other applications may use them for their own purposes, but this will not constrain
+-- extensions and modifications needed to maintain or improve the Directory service.
+IMPORTS
+  -- from ITU-T Rec. X.501 | ISO/IEC 9594-2
+  directoryAbstractService, id-ar, id-at, id-mr, id-nf, id-oa, id-oc,
+    id-sc, selectedAttributeTypes, serviceAdministration
+    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
+      usefulDefinitions(0) 6}
+  SearchRule
+    FROM ServiceAdministration serviceAdministration
+  -- from ITU-T Rec. X.511 | ISO/IEC 9594-3
+  TypeAndContextAssertion
+    FROM DirectoryAbstractService directoryAbstractService
+  -- from ITU-T Rec. X.520 | ISO/IEC 9594-6
+  booleanMatch, commonName, generalizedTimeMatch, generalizedTimeOrderingMatch,
+    integerFirstComponentMatch, integerMatch, integerOrderingMatch,
+    objectIdentifierFirstComponentMatch, UnboundedDirectoryString
+    FROM SelectedAttributeTypes selectedAttributeTypes;
+
+-- attribute data types
+Attribute{ATTRIBUTE:SupportedAttributes} ::= SEQUENCE {
+  type               ATTRIBUTE.&id({SupportedAttributes}),
+  values
+    SET SIZE (0..MAX) OF ATTRIBUTE.&Type({SupportedAttributes}{@type}),
+  valuesWithContext
+    SET SIZE (1..MAX) OF
+      SEQUENCE {value        ATTRIBUTE.&Type({SupportedAttributes}{@type}),
+                contextList  SET SIZE (1..MAX) OF Context} OPTIONAL
+}
+
+AttributeType ::= ATTRIBUTE.&id
+
+AttributeValue ::= ATTRIBUTE.&Type
+
+Context ::= SEQUENCE {
+  contextType    CONTEXT.&id({SupportedContexts}),
+  contextValues
+    SET SIZE (1..MAX) OF CONTEXT.&Type({SupportedContexts}{@contextType}),
+  fallback       BOOLEAN DEFAULT FALSE
+}
+
+AttributeValueAssertion ::= SEQUENCE {
+  type              ATTRIBUTE.&id({SupportedAttributes}),
+  assertion
+    ATTRIBUTE.&equality-match.&AssertionType
+      ({SupportedAttributes}{@type}),
+  assertedContexts
+    CHOICE {allContexts       [0]  NULL,
+            selectedContexts  [1]  SET SIZE (1..MAX) OF ContextAssertion
+  } OPTIONAL
+}
+
+ContextAssertion ::= SEQUENCE {
+  contextType    CONTEXT.&id({SupportedContexts}),
+  contextValues
+    SET SIZE (1..MAX) OF
+      CONTEXT.&Assertion({SupportedContexts}{@contextType})
+}
+
+AttributeTypeAssertion ::= SEQUENCE {
+  type              ATTRIBUTE.&id({SupportedAttributes}),
+  assertedContexts  SEQUENCE SIZE (1..MAX) OF ContextAssertion OPTIONAL
+}
+
+-- Definition of the following information object set is deferred, perhaps to standardized
+-- profiles or to protocol implementation conformance statements. The set is required to
+-- specify a table constraint on the values component of Attribute, the value component
+-- of AttributeTypeAndValue, and the assertion component of AttributeValueAssertion.
+SupportedAttributes ATTRIBUTE ::=
+  {objectClass | aliasedEntryName, ...}
+
+-- Definition of the following information object set is deferred, perhaps to standardized
+-- profiles or to protocol implementation conformance statements. The set is required to
+-- specify a table constraint on the context specifications
+SupportedContexts CONTEXT ::=
+  {...}
+
+-- naming data types
+Name ::= CHOICE { -- only one possibility for now --rdnSequence  RDNSequence
+}
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+DistinguishedName ::= RDNSequence
+
+RelativeDistinguishedName ::=
+  SET SIZE (1..MAX) OF AttributeTypeAndDistinguishedValue
+
+AttributeTypeAndDistinguishedValue ::= SEQUENCE {
+  type                  ATTRIBUTE.&id({SupportedAttributes}),
+  value                 ATTRIBUTE.&Type({SupportedAttributes}{@type}),
+  primaryDistinguished  BOOLEAN DEFAULT TRUE,
+  valuesWithContext
+    SET SIZE (1..MAX) OF
+      SEQUENCE {distingAttrValue
+                  [0]  ATTRIBUTE.&Type({SupportedAttributes}{@type})
+                    OPTIONAL,
+                contextList       SET SIZE (1..MAX) OF Context} OPTIONAL
+}
+
+-- subtree data types
+SubtreeSpecification ::= SEQUENCE {
+  base                 [0]  LocalName DEFAULT {},
+  COMPONENTS OF ChopSpecification,
+  specificationFilter  [4]  Refinement OPTIONAL
+}
+
+-- empty sequence specifies whole administrative area
+LocalName ::= RDNSequence
+
+ChopSpecification ::= SEQUENCE {
+  specificExclusions
+    [1]  SET SIZE (1..MAX) OF
+           CHOICE {chopBefore  [0]  LocalName,
+                   chopAfter   [1]  LocalName} OPTIONAL,
+  minimum             [2]  BaseDistance DEFAULT 0,
+  maximum             [3]  BaseDistance OPTIONAL
+}
+
+BaseDistance ::= INTEGER(0..MAX)
+
+Refinement ::= CHOICE {
+  item  [0]  OBJECT-CLASS.&id,
+  and   [1]  SET SIZE (1..MAX) OF Refinement,
+  or    [2]  SET SIZE (1..MAX) OF Refinement,
+  not   [3]  Refinement
+}
+
+-- OBJECT-CLASS information object class specification
+OBJECT-CLASS ::= CLASS {
+  &Superclasses         OBJECT-CLASS OPTIONAL,
+  &kind                 ObjectClassKind DEFAULT structural,
+  &MandatoryAttributes  ATTRIBUTE OPTIONAL,
+  &OptionalAttributes   ATTRIBUTE OPTIONAL,
+  &id                   OBJECT IDENTIFIER UNIQUE
+}
+WITH SYNTAX {
+  [SUBCLASS OF &Superclasses]
+  [KIND &kind]
+  [MUST CONTAIN &MandatoryAttributes]
+  [MAY CONTAIN &OptionalAttributes]
+  ID &id
+}
+
+ObjectClassKind ::= ENUMERATED {abstract(0), structural(1), auxiliary(2)}
+
+-- object classes
+top OBJECT-CLASS ::= {
+  KIND          abstract
+  MUST CONTAIN  {objectClass}
+  ID            id-oc-top
+}
+
+alias OBJECT-CLASS ::= {
+  SUBCLASS OF   {top}
+  MUST CONTAIN  {aliasedEntryName}
+  ID            id-oc-alias
+}
+
+parent OBJECT-CLASS ::= {KIND  abstract
+                         ID    id-oc-parent
+}
+
+child OBJECT-CLASS ::= {KIND  auxiliary
+                        ID    id-oc-child
+}
+
+-- ATTRIBUTE information object class specification
+ATTRIBUTE ::= CLASS {
+  &derivation            ATTRIBUTE OPTIONAL,
+  &Type                  OPTIONAL, -- either &Type or &derivation required
+  &equality-match        MATCHING-RULE OPTIONAL,
+  &ordering-match        MATCHING-RULE OPTIONAL,
+  &substrings-match      MATCHING-RULE OPTIONAL,
+  &single-valued         BOOLEAN DEFAULT FALSE,
+  &collective            BOOLEAN DEFAULT FALSE,
+  &dummy                 BOOLEAN DEFAULT FALSE,
+  -- operational extensions
+  &no-user-modification  BOOLEAN DEFAULT FALSE,
+  &usage                 AttributeUsage DEFAULT userApplications,
+  &id                    OBJECT IDENTIFIER UNIQUE
+}
+WITH SYNTAX {
+  [SUBTYPE OF &derivation]
+  [WITH SYNTAX &Type]
+  [EQUALITY MATCHING RULE &equality-match]
+  [ORDERING MATCHING RULE &ordering-match]
+  [SUBSTRINGS MATCHING RULE &substrings-match]
+  [SINGLE VALUE &single-valued]
+  [COLLECTIVE &collective]
+  [DUMMY &dummy]
+  [NO USER MODIFICATION &no-user-modification]
+  [USAGE &usage]
+  ID &id
+}
+
+AttributeUsage ::= ENUMERATED {
+  userApplications(0), directoryOperation(1), distributedOperation(2),
+  dSAOperation(3)}
+
+-- attributes
+objectClass ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  ID                      id-at-objectClass
+}
+
+aliasedEntryName ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  SINGLE VALUE            TRUE
+  ID                      id-at-aliasedEntryName
+}
+
+-- MATCHING-RULE information object class specification
+MATCHING-RULE ::= CLASS {
+  &ParentMatchingRules   MATCHING-RULE OPTIONAL,
+  &AssertionType         OPTIONAL,
+  &uniqueMatchIndicator  ATTRIBUTE OPTIONAL,
+  &id                    OBJECT IDENTIFIER UNIQUE
+}
+WITH SYNTAX {
+  [PARENT &ParentMatchingRules]
+  [SYNTAX &AssertionType]
+  [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator]
+  ID &id
+}
+
+-- matching rules
+objectIdentifierMatch MATCHING-RULE ::= {
+  SYNTAX  OBJECT IDENTIFIER
+  ID      id-mr-objectIdentifierMatch
+}
+
+distinguishedNameMatch MATCHING-RULE ::= {
+  SYNTAX  DistinguishedName
+  ID      id-mr-distinguishedNameMatch
+}
+
+MAPPING-BASED-MATCHING{SelectedBy, BOOLEAN:combinable, MappingResult,
+                       OBJECT IDENTIFIER:matchingRule} ::= CLASS {
+  &selectBy          SelectedBy OPTIONAL,
+  &ApplicableTo      ATTRIBUTE,
+  &subtypesIncluded  BOOLEAN DEFAULT TRUE,
+  &combinable        BOOLEAN(combinable),
+  &mappingResults    MappingResult OPTIONAL,
+  &userControl       BOOLEAN DEFAULT FALSE,
+  &exclusive         BOOLEAN DEFAULT TRUE,
+  &matching-rule     MATCHING-RULE.&id(matchingRule),
+  &id                OBJECT IDENTIFIER UNIQUE
+}
+WITH SYNTAX {
+  [SELECT BY &selectBy]
+  APPLICABLE TO &ApplicableTo
+  [SUBTYPES INCLUDED &subtypesIncluded]
+  COMBINABLE &combinable
+  [MAPPING RESULTS &mappingResults]
+  [USER CONTROL &userControl]
+  [EXCLUSIVE &exclusive]
+  MATCHING RULE &matching-rule
+  ID &id
+}
+
+-- NAME-FORM information object class specification
+NAME-FORM ::= CLASS {
+  &namedObjectClass     OBJECT-CLASS,
+  &MandatoryAttributes  ATTRIBUTE,
+  &OptionalAttributes   ATTRIBUTE OPTIONAL,
+  &id                   OBJECT IDENTIFIER UNIQUE
+}
+WITH SYNTAX {
+  NAMES &namedObjectClass
+  WITH ATTRIBUTES &MandatoryAttributes
+  [AND OPTIONALLY &OptionalAttributes]
+  ID &id
+}
+
+-- STRUCTURE-RULE class and DIT structure rule data types
+DITStructureRule ::= SEQUENCE {
+  ruleIdentifier          RuleIdentifier,
+  -- shall be unique within the scope of the subschema
+  nameForm                NAME-FORM.&id,
+  superiorStructureRules  SET SIZE (1..MAX) OF RuleIdentifier OPTIONAL
+}
+
+RuleIdentifier ::= INTEGER
+
+STRUCTURE-RULE ::= CLASS {
+  &nameForm                NAME-FORM,
+  &SuperiorStructureRules  STRUCTURE-RULE OPTIONAL,
+  &id                      RuleIdentifier
+}
+WITH SYNTAX {
+  NAME FORM &nameForm
+  [SUPERIOR RULES &SuperiorStructureRules]
+  ID &id
+}
+
+-- DIT content rule data type and CONTENT-RULE class
+DITContentRule ::= SEQUENCE {
+  structuralObjectClass  OBJECT-CLASS.&id,
+  auxiliaries            SET SIZE (1..MAX) OF OBJECT-CLASS.&id OPTIONAL,
+  mandatory              [1]  SET SIZE (1..MAX) OF ATTRIBUTE.&id OPTIONAL,
+  optional               [2]  SET SIZE (1..MAX) OF ATTRIBUTE.&id OPTIONAL,
+  precluded              [3]  SET SIZE (1..MAX) OF ATTRIBUTE.&id OPTIONAL
+}
+
+CONTENT-RULE ::= CLASS {
+  &structuralClass  OBJECT-CLASS.&id UNIQUE,
+  &Auxiliaries      OBJECT-CLASS OPTIONAL,
+  &Mandatory        ATTRIBUTE OPTIONAL,
+  &Optional         ATTRIBUTE OPTIONAL,
+  &Precluded        ATTRIBUTE OPTIONAL
+}
+WITH SYNTAX {
+  STRUCTURAL OBJECT-CLASS &structuralClass
+  [AUXILIARY OBJECT-CLASSES &Auxiliaries]
+  [MUST CONTAIN &Mandatory]
+  [MAY CONTAIN &Optional]
+  [MUST-NOT CONTAIN &Precluded]
+}
+
+CONTEXT ::= CLASS {
+  &Type          ,
+  &DefaultValue  OPTIONAL,
+  &Assertion     OPTIONAL,
+  &absentMatch   BOOLEAN DEFAULT TRUE,
+  &id            OBJECT IDENTIFIER UNIQUE
+}
+WITH SYNTAX {
+  WITH SYNTAX &Type
+  [DEFAULT-VALUE &DefaultValue]
+  [ASSERTED AS &Assertion]
+  [ABSENT-MATCH &absentMatch]
+  ID &id
+}
+
+DITContextUse ::= SEQUENCE {
+  attributeType      ATTRIBUTE.&id,
+  mandatoryContexts  [1]  SET SIZE (1..MAX) OF CONTEXT.&id OPTIONAL,
+  optionalContexts   [2]  SET SIZE (1..MAX) OF CONTEXT.&id OPTIONAL
+}
+
+DIT-CONTEXT-USE-RULE ::= CLASS {
+  &attributeType  ATTRIBUTE.&id UNIQUE,
+  &Mandatory      CONTEXT OPTIONAL,
+  &Optional       CONTEXT OPTIONAL
+}
+WITH SYNTAX {
+  ATTRIBUTE TYPE &attributeType
+  [MANDATORY CONTEXTS &Mandatory]
+  [OPTIONAL CONTEXTS &Optional]
+}
+
+FRIENDS ::= CLASS {
+  &anchor   ATTRIBUTE.&id UNIQUE,
+  &Friends  ATTRIBUTE
+}WITH SYNTAX {ANCHOR &anchor
+              FRIENDS &Friends
+}
+
+-- system schema information objects
+-- object classes
+subentry OBJECT-CLASS ::= {
+  SUBCLASS OF   {top}
+  KIND          structural
+  MUST CONTAIN  {commonName | subtreeSpecification}
+  ID            id-sc-subentry
+}
+
+subentryNameForm NAME-FORM ::= {
+  NAMES            subentry
+  WITH ATTRIBUTES  {commonName}
+  ID               id-nf-subentryNameForm
+}
+
+subtreeSpecification ATTRIBUTE ::= {
+  WITH SYNTAX  SubtreeSpecification
+  USAGE        directoryOperation
+  ID           id-oa-subtreeSpecification
+}
+
+administrativeRole ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT-CLASS.&id
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  USAGE                   directoryOperation
+  ID                      id-oa-administrativeRole
+}
+
+createTimestamp ATTRIBUTE ::= {
+  WITH SYNTAX             GeneralizedTime
+  -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
+  EQUALITY MATCHING RULE  generalizedTimeMatch
+  ORDERING MATCHING RULE  generalizedTimeOrderingMatch
+  SINGLE VALUE            TRUE
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-createTimestamp
+}
+
+modifyTimestamp ATTRIBUTE ::= {
+  WITH SYNTAX             GeneralizedTime
+  -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
+  EQUALITY MATCHING RULE  generalizedTimeMatch
+  ORDERING MATCHING RULE  generalizedTimeOrderingMatch
+  SINGLE VALUE            TRUE
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-modifyTimestamp
+}
+
+subschemaTimestamp ATTRIBUTE ::= {
+  WITH SYNTAX             GeneralizedTime
+  -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
+  EQUALITY MATCHING RULE  generalizedTimeMatch
+  ORDERING MATCHING RULE  generalizedTimeOrderingMatch
+  SINGLE VALUE            TRUE
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-subschemaTimestamp
+}
+
+creatorsName ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  SINGLE VALUE            TRUE
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-creatorsName
+}
+
+modifiersName ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  SINGLE VALUE            TRUE
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-modifiersName
+}
+
+subschemaSubentryList ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  SINGLE VALUE            TRUE
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-subschemaSubentryList
+}
+
+accessControlSubentryList ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-accessControlSubentryList
+}
+
+collectiveAttributeSubentryList ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-collectiveAttributeSubentryList
+}
+
+contextDefaultSubentryList ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-contextDefaultSubentryList
+}
+
+serviceAdminSubentryList ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-serviceAdminSubentryList
+}
+
+hasSubordinates ATTRIBUTE ::= {
+  WITH SYNTAX             BOOLEAN
+  EQUALITY MATCHING RULE  booleanMatch
+  SINGLE VALUE            TRUE
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-hasSubordinates
+}
+
+accessControlSubentry OBJECT-CLASS ::= {
+  KIND  auxiliary
+  ID    id-sc-accessControlSubentry
+}
+
+collectiveAttributeSubentry OBJECT-CLASS ::= {
+  KIND  auxiliary
+  ID    id-sc-collectiveAttributeSubentry
+}
+
+collectiveExclusions ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  USAGE                   directoryOperation
+  ID                      id-oa-collectiveExclusions
+}
+
+contextAssertionSubentry OBJECT-CLASS ::= {
+  KIND          auxiliary
+  MUST CONTAIN  {contextAssertionDefaults}
+  ID            id-sc-contextAssertionSubentry
+}
+
+contextAssertionDefaults ATTRIBUTE ::= {
+  WITH SYNTAX             TypeAndContextAssertion
+  EQUALITY MATCHING RULE  objectIdentifierFirstComponentMatch
+  USAGE                   directoryOperation
+  ID                      id-oa-contextAssertionDefault
+}
+
+serviceAdminSubentry OBJECT-CLASS ::= {
+  KIND          auxiliary
+  MUST CONTAIN  {searchRules}
+  ID            id-sc-serviceAdminSubentry
+}
+
+searchRules ATTRIBUTE ::= {
+  WITH SYNTAX             SearchRuleDescription
+  EQUALITY MATCHING RULE  integerFirstComponentMatch
+  USAGE                   directoryOperation
+  ID                      id-oa-searchRules
+}
+
+SearchRuleDescription ::= SEQUENCE {
+  COMPONENTS OF SearchRule,
+  name         [28]  SET SIZE (1..MAX) OF UnboundedDirectoryString OPTIONAL,
+  description  [29]  UnboundedDirectoryString OPTIONAL
+}
+
+hierarchyLevel ATTRIBUTE ::= {
+  WITH SYNTAX             HierarchyLevel
+  EQUALITY MATCHING RULE  integerMatch
+  ORDERING MATCHING RULE  integerOrderingMatch
+  SINGLE VALUE            TRUE
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-hierarchyLevel
+}
+
+HierarchyLevel ::= INTEGER
+
+hierarchyBelow ATTRIBUTE ::= {
+  WITH SYNTAX             HierarchyBelow
+  EQUALITY MATCHING RULE  booleanMatch
+  SINGLE VALUE            TRUE
+  NO USER MODIFICATION    TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-hierarchyBelow
+}
+
+HierarchyBelow ::= BOOLEAN
+
+hierarchyParent ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  SINGLE VALUE            TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-hierarchyParent
+}
+
+hierarchyTop ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  SINGLE VALUE            TRUE
+  USAGE                   directoryOperation
+  ID                      id-oa-hierarchyTop
+}
+
+-- object identifier assignments
+-- object classes
+id-oc-top OBJECT IDENTIFIER ::=
+  {id-oc 0}
+
+id-oc-alias OBJECT IDENTIFIER ::= {id-oc 1}
+
+id-oc-parent OBJECT IDENTIFIER ::= {id-oc 28}
+
+id-oc-child OBJECT IDENTIFIER ::= {id-oc 29}
+
+-- attributes
+id-at-objectClass OBJECT IDENTIFIER ::= {id-at 0}
+
+id-at-aliasedEntryName OBJECT IDENTIFIER ::= {id-at 1}
+
+-- matching rules
+id-mr-objectIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 0}
+
+id-mr-distinguishedNameMatch OBJECT IDENTIFIER ::= {id-mr 1}
+
+-- operational attributes
+id-oa-excludeAllCollectiveAttributes OBJECT IDENTIFIER ::=
+  {id-oa 0}
+
+id-oa-createTimestamp OBJECT IDENTIFIER ::= {id-oa 1}
+
+id-oa-modifyTimestamp OBJECT IDENTIFIER ::= {id-oa 2}
+
+id-oa-creatorsName OBJECT IDENTIFIER ::= {id-oa 3}
+
+id-oa-modifiersName OBJECT IDENTIFIER ::= {id-oa 4}
+
+id-oa-administrativeRole OBJECT IDENTIFIER ::= {id-oa 5}
+
+id-oa-subtreeSpecification OBJECT IDENTIFIER ::= {id-oa 6}
+
+id-oa-collectiveExclusions OBJECT IDENTIFIER ::= {id-oa 7}
+
+id-oa-subschemaTimestamp OBJECT IDENTIFIER ::= {id-oa 8}
+
+id-oa-hasSubordinates OBJECT IDENTIFIER ::= {id-oa 9}
+
+id-oa-subschemaSubentryList OBJECT IDENTIFIER ::= {id-oa 10}
+
+id-oa-accessControlSubentryList OBJECT IDENTIFIER ::= {id-oa 11}
+
+id-oa-collectiveAttributeSubentryList OBJECT IDENTIFIER ::= {id-oa 12}
+
+id-oa-contextDefaultSubentryList OBJECT IDENTIFIER ::= {id-oa 13}
+
+id-oa-contextAssertionDefault OBJECT IDENTIFIER ::= {id-oa 14}
+
+id-oa-serviceAdminSubentryList OBJECT IDENTIFIER ::= {id-oa 15}
+
+id-oa-searchRules OBJECT IDENTIFIER ::= {id-oa 16}
+
+id-oa-hierarchyLevel OBJECT IDENTIFIER ::= {id-oa 17}
+
+id-oa-hierarchyBelow OBJECT IDENTIFIER ::= {id-oa 18}
+
+id-oa-hierarchyParent OBJECT IDENTIFIER ::= {id-oa 19}
+
+id-oa-hierarchyTop OBJECT IDENTIFIER ::= {id-oa 20}
+
+-- subentry classes
+id-sc-subentry OBJECT IDENTIFIER ::= {id-sc 0}
+
+id-sc-accessControlSubentry OBJECT IDENTIFIER ::= {id-sc 1}
+
+id-sc-collectiveAttributeSubentry OBJECT IDENTIFIER ::= {id-sc 2}
+
+id-sc-contextAssertionSubentry OBJECT IDENTIFIER ::= {id-sc 3}
+
+id-sc-serviceAdminSubentry OBJECT IDENTIFIER ::= {id-sc 4}
+
+--  Name forms
+id-nf-subentryNameForm OBJECT IDENTIFIER ::= {id-nf 16}
+
+-- administrative roles
+id-ar-autonomousArea OBJECT IDENTIFIER ::= {id-ar 1}
+
+id-ar-accessControlSpecificArea OBJECT IDENTIFIER ::= {id-ar 2}
+
+id-ar-accessControlInnerArea OBJECT IDENTIFIER ::= {id-ar 3}
+
+id-ar-subschemaAdminSpecificArea OBJECT IDENTIFIER ::= {id-ar 4}
+
+id-ar-collectiveAttributeSpecificArea OBJECT IDENTIFIER ::= {id-ar 5}
+
+id-ar-collectiveAttributeInnerArea OBJECT IDENTIFIER ::= {id-ar 6}
+
+id-ar-contextDefaultSpecificArea OBJECT IDENTIFIER ::= {id-ar 7}
+
+id-ar-serviceSpecificArea OBJECT IDENTIFIER ::= {id-ar 8}
+
+END -- InformationFramework
diff --git a/lib/public_key/asn1/Makefile b/lib/public_key/asn1/Makefile
index 4bd043ee5d..8b76d957f0 100644
--- a/lib/public_key/asn1/Makefile
+++ b/lib/public_key/asn1/Makefile
@@ -40,7 +40,8 @@ RELSYSDIR = $(RELEASE_PATH)/lib/public_key-$(VSN)
 
 ASN_TOP = OTP-PUB-KEY PKCS-FRAME
 ASN_MODULES = PKIX1Explicit88 PKIX1Implicit88 PKIX1Algorithms88 \
-	PKIXAttributeCertificate PKCS-1 PKCS-3 PKCS-8 PKCS5v2-0  OTP-PKIX 
+	PKIXAttributeCertificate PKCS-1 PKCS-3 PKCS-7 PKCS-8 PKCS-9  PKCS-15 PKCS-12 PKCS5v2-0 OTP-PKIX \
+	AuthenticationFramework InformationFramework UsefulDefinitions SelectedAttributeTypes
 ASN_ASNS = $(ASN_MODULES:%=%.asn1)
 ASN_ERLS = $(ASN_TOP:%=%.erl)
 ASN_HRLS = $(ASN_TOP:%=%.hrl)
@@ -117,4 +118,14 @@ OTP-PUB-KEY.asn1db:		PKIX1Algorithms88.asn1 \
 $(EBIN)/PKCS-FRAME.beam: 	        PKCS-FRAME.erl PKCS-FRAME.hrl
 PKCS-FRAME.erl PKCS-FRAME.hrl:			PKCS-FRAME.asn1db
 PKCS-FRAME.asn1db:			PKCS-8.asn1\
+					PKCS-7.asn1\
+					PKCS-9.asn1\
+					PKCS-15.asn1\
+					PKCS-12.asn1\
+					AuthenticationFramework.asn1\
+					InformationFramework.asn1\
+					UsefulDefinitions.asn1\
+					SelectedAttributeTypes.asn1\
+	                                CryptographicMessageSyntax.asn1\
+					UpperBounds.asn1\
 					PKCS5v2-0.asn1
\ No newline at end of file
diff --git a/lib/public_key/asn1/PKCS-12.asn1 b/lib/public_key/asn1/PKCS-12.asn1
new file mode 100644
index 0000000000..078089f7b5
--- /dev/null
+++ b/lib/public_key/asn1/PKCS-12.asn1
@@ -0,0 +1,174 @@
+PKCS-12 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+                 pkcs-12(12) modules(0)  pkcs-12(1)}
+
+-- $Revision$
+
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL
+-- All types and values defined in this module is exported for use in
+-- other ASN.1 modules.
+
+IMPORTS
+
+informationFramework
+        FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
+        usefulDefinitions(0) 3}
+
+ATTRIBUTE
+	FROM InformationFramework informationFramework
+
+ContentInfo, DigestInfo
+	FROM PKCS-7 {iso(1) member-body(2) us(840) rsadsi(113549)
+	pkcs(1) pkcs-7(7) modules(0) pkcs-7(1)}
+
+PrivateKeyInfo, EncryptedPrivateKeyInfo
+	FROM PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549)
+	pkcs(1) pkcs-8(8) modules(1) pkcs-8(1)}
+
+pkcs-9, friendlyName, localKeyId, certTypes, crlTypes
+	FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549)
+	pkcs(1) pkcs-9(9) modules(0) pkcs-9(1)};
+
+-- Object identifiers
+
+rsadsi	OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549)}
+pkcs    OBJECT IDENTIFIER ::= {rsadsi pkcs(1)}
+pkcs-12	OBJECT IDENTIFIER ::= {pkcs 12}
+pkcs-12PbeIds                  	OBJECT IDENTIFIER ::= {pkcs-12 1}
+pbeWithSHAAnd128BitRC4          OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1}
+pbeWithSHAAnd40BitRC4           OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2}
+pbeWithSHAAnd3-KeyTripleDES-CBC	OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3}
+pbeWithSHAAnd2-KeyTripleDES-CBC	OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4}
+pbeWithSHAAnd128BitRC2-CBC      OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5}
+pbewithSHAAnd40BitRC2-CBC       OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6}
+
+bagtypes			OBJECT IDENTIFIER ::= {pkcs-12 10 1}
+
+-- The PFX PDU
+
+PFX ::= SEQUENCE {
+	version		INTEGER {v3(3)}(v3,...),
+	authSafe	ContentInfo,
+	macData    	MacData OPTIONAL
+}
+
+MacData ::= SEQUENCE {
+	mac 		DigestInfo,
+	macSalt	        OCTET STRING,
+	iterations	INTEGER DEFAULT 1
+-- Note: The default is for historical reasons and its use is
+-- deprecated. A higher value, like 1024 is recommended.
+}
+
+AuthenticatedSafe ::= SEQUENCE OF ContentInfo
+	-- Data if unencrypted
+	-- EncryptedData if password-encrypted
+	-- EnvelopedData if public key-encrypted
+
+SafeContents ::= SEQUENCE OF SafeBag
+
+SafeBag ::= SEQUENCE {
+	bagId	      	BAG-TYPE.&id ({PKCS12BagSet}),
+	bagValue      	[0] EXPLICIT BAG-TYPE.&Type({PKCS12BagSet}{@bagId}),
+	bagAttributes 	SET OF PKCS12Attribute OPTIONAL
+}
+
+-- Bag types
+
+keyBag 	  BAG-TYPE ::=
+	{KeyBag IDENTIFIED BY {bagtypes 1}}
+pkcs8ShroudedKeyBag BAG-TYPE ::=
+	{PKCS8ShroudedKeyBag IDENTIFIED BY {bagtypes 2}}
+certBag BAG-TYPE ::=
+	{CertBag IDENTIFIED BY {bagtypes 3}}
+crlBag BAG-TYPE ::=
+	{CRLBag IDENTIFIED BY {bagtypes 4}}
+secretBag BAG-TYPE ::=
+	{SecretBag IDENTIFIED BY {bagtypes 5}}
+safeContentsBag BAG-TYPE ::=
+	{SafeContents IDENTIFIED BY {bagtypes 6}}
+
+PKCS12BagSet BAG-TYPE ::= {
+	keyBag |
+	pkcs8ShroudedKeyBag |
+	certBag |
+	crlBag |
+	secretBag |
+	safeContentsBag,
+	... -- For future extensions
+}
+
+BAG-TYPE ::= TYPE-IDENTIFIER
+
+-- KeyBag
+
+KeyBag ::= PrivateKeyInfo
+
+-- Shrouded KeyBag
+
+PKCS8ShroudedKeyBag ::= EncryptedPrivateKeyInfo
+
+-- CertBag
+
+CertBag ::= SEQUENCE {
+	certId    BAG-TYPE.&id   ({CertTypes}),
+	certValue [0] EXPLICIT BAG-TYPE.&Type ({CertTypes}{@certId})
+}
+
+x509Certificate BAG-TYPE ::=
+	{OCTET STRING IDENTIFIED BY {certTypes 1}}
+	-- DER-encoded X.509 certificate stored in OCTET STRING
+sdsiCertificate BAG-TYPE ::=
+	{IA5String IDENTIFIED BY {certTypes 2}}
+	-- Base64-encoded SDSI certificate stored in IA5String
+
+CertTypes BAG-TYPE ::= {
+	x509Certificate |
+	sdsiCertificate,
+	... -- For future extensions
+}
+
+-- CRLBag
+
+CRLBag ::= SEQUENCE {
+	crlId     	BAG-TYPE.&id ({CRLTypes}),
+	crlValue 	[0] EXPLICIT BAG-TYPE.&Type ({CRLTypes}{@crlId})
+}
+
+x509CRL BAG-TYPE ::=
+	{OCTET STRING IDENTIFIED BY {crlTypes 1}}
+	-- DER-encoded X.509 CRL stored in OCTET STRING
+
+CRLTypes BAG-TYPE ::= {
+	x509CRL,
+	... -- For future extensions
+}
+
+-- Secret Bag
+
+SecretBag ::= SEQUENCE {
+	secretTypeId BAG-TYPE.&id ({SecretTypes}),
+	secretValue  [0] EXPLICIT BAG-TYPE.&Type ({SecretTypes}{@secretTypeId})
+}
+
+SecretTypes BAG-TYPE ::= {
+	... -- For future extensions
+}
+
+-- Attributes
+
+PKCS12Attribute ::= SEQUENCE {
+	attrId	   	ATTRIBUTE.&id ({PKCS12AttrSet}),
+	attrValues 	SET OF ATTRIBUTE.&Type ({PKCS12AttrSet}{@attrId})
+} -- This type is compatible with the X.500 type 'Attribute'
+
+PKCS12AttrSet ATTRIBUTE ::= {
+	friendlyName |
+	localKeyId,
+	... -- Other attributes are allowed
+}
+
+END
diff --git a/lib/public_key/asn1/PKCS-15.asn1 b/lib/public_key/asn1/PKCS-15.asn1
new file mode 100644
index 0000000000..6d352e1014
--- /dev/null
+++ b/lib/public_key/asn1/PKCS-15.asn1
@@ -0,0 +1,869 @@
+PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+         pkcs-15(15) modules(1) pkcs-15(1)}
+
+-- $Revision: 1.7 $ --
+
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+IMPORTS
+
+informationFramework, authenticationFramework, certificateExtensions
+        FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
+                                usefulDefinitions(0) 3}
+
+Name, Attribute
+        FROM InformationFramework informationFramework
+
+Certificate, AttributeCertificate, CertificateSerialNumber,
+        SubjectPublicKeyInfo
+        FROM AuthenticationFramework authenticationFramework
+
+GeneralNames, KeyUsage
+        FROM CertificateExtensions certificateExtensions
+
+RecipientInfos, RecipientInfo, OriginatorInfo, sha-1,
+	id-alg-CMS3DESwrap, id-alg-CMSRC2wrap, hMAC-SHA1, des-ede3-cbc
+	FROM CryptographicMessageSyntax {iso(1) member-body(2)
+	us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
+	cms(1)}
+
+RSAPublicKey
+	FROM PKCS-1 {iso(1) member-body(2) us(840) rsadsi(113549)
+	pkcs(1) pkcs-1(1) modules(0) pkcs-1(1)}
+
+AlgorithmIdentifier, SupportingAlgorithms, PBKDF2Algorithms,
+	ALGORITHM-IDENTIFIER, id-hmacWithSHA1
+	FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
+	pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)}
+
+ECPoint, Parameters
+        FROM ANSI-X9-62 {iso(1) member-body(2) us(840)
+        ansi-x962(10045) module(4) 1}
+
+DiffieHellmanPublicNumber, DomainParameters
+        FROM ANSI-X9-42 {iso(1) member-body(2) us(840)
+        ansi-x942(10046) module(5) 1}
+
+OOBCertHash
+        FROM PKIXCMP {iso(1) identified-organization(3) dod(6)
+        internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+        id-mod-cmp(9)};
+
+-- Constants
+
+pkcs15-ub-identifier          INTEGER ::= 255
+pkcs15-ub-reference           INTEGER ::= 255
+pkcs15-ub-index               INTEGER ::= 65535
+pkcs15-ub-label               INTEGER ::= pkcs15-ub-identifier
+pkcs15-lb-minPinLength        INTEGER ::= 4
+pkcs15-ub-minPinLength        INTEGER ::= 8
+pkcs15-ub-storedPinLength     INTEGER ::= 64
+pkcs15-ub-recordLength        INTEGER ::= 16383
+pkcs15-ub-userConsent         INTEGER ::= 15
+pkcs15-ub-securityConditions  INTEGER ::= 255
+pkcs15-ub-seInfo              INTEGER ::= 255
+
+-- Object Identifiers
+
+pkcs15 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+                               rsadsi(113549) pkcs(1) pkcs-15(15)}
+pkcs15-mo OBJECT IDENTIFIER ::= {pkcs15 1} -- Modules branch
+pkcs15-at OBJECT IDENTIFIER ::= {pkcs15 2} -- Attribute branch
+pkcs15-ct OBJECT IDENTIFIER ::= {pkcs15 3} -- Content type branch
+
+-- Content Types
+
+pkcs15-ct-PKCS15Token OBJECT IDENTIFIER ::= {pkcs15-ct 1}
+
+-- Basic types
+
+Identifier ::= OCTET STRING (SIZE (0..pkcs15-ub-identifier))
+
+Reference ::= INTEGER (0..pkcs15-ub-reference)
+
+Label ::= UTF8String (SIZE(0..pkcs15-ub-label))
+
+KEY-IDENTIFIER ::= CLASS {
+    &id  INTEGER UNIQUE,
+    &Value
+} WITH SYNTAX {
+    SYNTAX &Value IDENTIFIED BY &id
+}
+
+CredentialIdentifier {KEY-IDENTIFIER : IdentifierSet} ::= SEQUENCE {
+    idType  KEY-IDENTIFIER.&id ({IdentifierSet}),
+    idValue KEY-IDENTIFIER.&Value ({IdentifierSet}{@idType})
+}
+
+KeyIdentifiers KEY-IDENTIFIER ::= {
+    issuerAndSerialNumber|
+    issuerAndSerialNumberHash|
+    subjectKeyId|
+    subjectKeyHash |
+    issuerKeyHash |
+    issuerNameHash |
+    subjectNameHash,
+    ...
+}
+
+issuerAndSerialNumber KEY-IDENTIFIER::=
+        {SYNTAX PKCS15-OPAQUE.&Type IDENTIFIED BY 1}
+        -- As defined in RFC 2630
+subjectKeyId KEY-IDENTIFIER ::=
+        {SYNTAX OCTET STRING IDENTIFIED BY 2}
+        -- From x509v3 certificate extension
+issuerAndSerialNumberHash KEY-IDENTIFIER ::=
+        {SYNTAX OCTET STRING IDENTIFIED BY 3}
+        -- Assumes SHA-1 hash of DER encoding of IssuerAndSerialNumber
+subjectKeyHash KEY-IDENTIFIER ::=
+        {SYNTAX OCTET STRING IDENTIFIED BY 4}
+issuerKeyHash KEY-IDENTIFIER ::=
+        {SYNTAX OCTET STRING IDENTIFIED BY 5}
+issuerNameHash KEY-IDENTIFIER ::=
+	{SYNTAX OCTET STRING IDENTIFIED BY 6}
+	-- SHA-1 hash of DER-encoded issuer name
+subjectNameHash KEY-IDENTIFIER ::=
+        {SYNTAX OCTET STRING IDENTIFIED BY 7}
+	-- SHA-1 hash of DER-encoded subject name
+
+ReferencedValue {Type} ::= CHOICE {
+    path	Path,
+    url		URL
+} (CONSTRAINED BY {-- 'path' or 'url' shall point to an object of
+   -- type -- Type})
+
+URL ::= CHOICE {
+    url		PrintableString,
+    urlWithDigest [3] SEQUENCE {
+	url	IA5String,
+	digest	DigestInfoWithDefault
+	}
+}
+
+alg-id-sha1 AlgorithmIdentifier {{DigestAlgorithms}} ::= {
+    algorithm  sha-1,
+    parameters SHA1Parameters : NULL}
+
+SHA1Parameters ::= NULL
+
+DigestInfoWithDefault ::= SEQUENCE {
+    digestAlg	AlgorithmIdentifier {{DigestAlgorithms}} DEFAULT alg-id-sha1,
+    digest	OCTET STRING (SIZE(8..128))
+}
+
+Path ::= SEQUENCE {
+    path 	OCTET STRING,
+    index  	INTEGER (0..pkcs15-ub-index) OPTIONAL,
+    length 	[0] INTEGER (0..pkcs15-ub-index) OPTIONAL
+    }( WITH COMPONENTS {..., index PRESENT, length PRESENT}|
+       WITH COMPONENTS {..., index ABSENT, length ABSENT})
+
+ObjectValue { Type } ::= CHOICE {
+    indirect 	        ReferencedValue {Type},
+    direct 	        [0] Type,
+    indirect-protected	[1] ReferencedValue {EnvelopedData {Type}},
+    direct-protected	[2] EnvelopedData {Type}
+    }(CONSTRAINED BY {-- if indirection is being used, then it is
+    -- expected that the reference points either to a (possibly
+    -- enveloped) object of type -- Type -- or (key case) to a card-
+    -- specific key file --})
+
+PathOrObjects {ObjectType} ::= CHOICE {
+    path  	Path,
+    objects  	[0] SEQUENCE OF ObjectType,
+    ...,
+    indirect-protected [1] ReferencedValue {EnvelopedData {SEQUENCE OF ObjectType}},
+    direct-protected [2] EnvelopedData {SEQUENCE OF ObjectType}
+    }
+
+CommonObjectAttributes ::= SEQUENCE {
+    label		Label OPTIONAL,
+    flags  		CommonObjectFlags OPTIONAL,
+    authId 		Identifier OPTIONAL,
+    ...,
+    userConsent 	INTEGER (1..pkcs15-ub-userConsent) OPTIONAL,
+    accessControlRules	SEQUENCE SIZE (1..MAX) OF AccessControlRule OPTIONAL
+} (CONSTRAINED BY {-- authId should be present in the IC card case if
+    -- flags.private is set. It must equal an authID in one AuthRecord
+    -- in the AODF -- })
+
+CommonObjectFlags ::= BIT STRING {
+    private	(0),
+    modifiable 	(1)
+}
+
+AccessControlRule ::= SEQUENCE {
+    accessMode		AccessMode,
+    securityCondition 	SecurityCondition,
+    ... -- For future extensions
+}
+
+AccessMode ::= BIT STRING {
+    read	(0),
+    update	(1),
+    execute	(2)
+}
+
+SecurityCondition ::= CHOICE {
+    authId	Identifier,
+    not    	[0] SecurityCondition,
+    and    	[1] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
+                OF SecurityCondition,
+    or     	[2] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
+                OF SecurityCondition,
+    ... -- For future extensions
+}
+
+CommonKeyAttributes ::= SEQUENCE {
+    iD 		 Identifier,
+    usage 	 KeyUsageFlags,
+    native	 BOOLEAN DEFAULT TRUE,
+    accessFlags	 KeyAccessFlags OPTIONAL,
+    keyReference Reference OPTIONAL,
+    startDate 	 GeneralizedTime OPTIONAL,
+    endDate  	 [0] GeneralizedTime OPTIONAL,
+    ... -- For future extensions
+}
+
+KeyUsageFlags ::= BIT STRING {
+    encrypt 			(0),
+    decrypt 			(1),
+    sign 			(2),
+    signRecover 		(3),
+    wrap 			(4),
+    unwrap 			(5),
+    verify 			(6),
+    verifyRecover  		(7),
+    derive 			(8),
+    nonRepudiation		(9)
+}
+
+KeyAccessFlags ::= BIT STRING {
+    sensitive  		(0),
+    extractable 	(1),
+    alwaysSensitive 	(2),
+    neverExtractable	(3),
+    local		(4)
+}
+
+CommonPrivateKeyAttributes ::= SEQUENCE {
+    subjectName	Name OPTIONAL,
+    keyIdentifiers 	[0] SEQUENCE OF CredentialIdentifier
+                        {{KeyIdentifiers}} OPTIONAL,
+    ... -- For future extensions
+}
+
+CommonPublicKeyAttributes ::= SEQUENCE {
+    subjectName	 Name OPTIONAL,
+    ...,
+    trustedUsage [0] Usage OPTIONAL
+}
+
+CommonSecretKeyAttributes ::= SEQUENCE {
+    keyLen	INTEGER OPTIONAL, -- keylength (in bits)
+    ... -- For future extensions
+}
+
+KeyInfo {ParameterType, OperationsType} ::= CHOICE {
+    reference		Reference,
+    paramsAndOps 	SEQUENCE {
+	parameters 		ParameterType,
+	supportedOperations 	OperationsType OPTIONAL
+	}
+}
+
+CommonCertificateAttributes ::= SEQUENCE {
+    iD 		Identifier,
+    authority	BOOLEAN DEFAULT FALSE,
+    identifier 	CredentialIdentifier {{KeyIdentifiers}} OPTIONAL,
+    certHash	[0] OOBCertHash OPTIONAL,
+    ...,
+    trustedUsage [1] Usage OPTIONAL,
+    identifiers	[2] SEQUENCE OF CredentialIdentifier{{KeyIdentifiers}} OPTIONAL,
+    implicitTrust [3] BOOLEAN DEFAULT FALSE
+}
+
+Usage ::= SEQUENCE {
+    keyUsage	KeyUsage OPTIONAL,
+    extKeyUsage	SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
+    }(WITH COMPONENTS {..., keyUsage PRESENT} |
+      WITH COMPONENTS {..., extKeyUsage PRESENT})
+
+CommonDataObjectAttributes ::= SEQUENCE {
+    applicationName	Label OPTIONAL,
+    applicationOID 	OBJECT IDENTIFIER OPTIONAL,
+    ... -- For future extensions
+    } (WITH COMPONENTS {..., applicationName PRESENT}|
+       WITH COMPONENTS {..., applicationOID PRESENT})
+
+CommonAuthenticationObjectAttributes ::= SEQUENCE {
+    authId Identifier,
+    ... -- For future extensions
+}
+
+PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes}
+    ::= SEQUENCE {
+    commonObjectAttributes	CommonObjectAttributes,
+    classAttributes		ClassAttributes,
+    subClassAttributes 		[0] SubClassAttributes OPTIONAL,
+    typeAttributes		[1] TypeAttributes
+}
+
+PKCS15Objects ::= CHOICE {
+    privateKeys 	[0] PrivateKeys,
+    publicKeys 		[1] PublicKeys,
+    trustedPublicKeys  	[2] PublicKeys,
+    secretKeys 		[3] SecretKeys,
+    certificates	[4] Certificates,
+    trustedCertificates [5] Certificates,
+    usefulCertificates 	[6] Certificates,
+    dataObjects 	[7] DataObjects,
+    authObjects 	[8] AuthObjects,
+    ... -- For future extensions
+}
+
+PrivateKeys  ::= PathOrObjects {PrivateKeyType}
+
+SecretKeys   ::= PathOrObjects {SecretKeyType}
+
+PublicKeys   ::= PathOrObjects {PublicKeyType}
+
+Certificates ::= PathOrObjects {CertificateType}
+
+DataObjects  ::= PathOrObjects {DataType}
+
+AuthObjects  ::= PathOrObjects {AuthenticationType}
+
+PrivateKeyType ::= CHOICE {
+    privateRSAKey	PrivateKeyObject {PrivateRSAKeyAttributes},
+    privateECKey 	[0] PrivateKeyObject {PrivateECKeyAttributes},
+    privateDHKey 	[1] PrivateKeyObject {PrivateDHKeyAttributes},
+    privateDSAKey	[2] PrivateKeyObject {PrivateDSAKeyAttributes},
+    privateKEAKey	[3] PrivateKeyObject {PrivateKEAKeyAttributes},
+    ... -- For future extensions
+}
+
+PrivateKeyObject {KeyAttributes} ::= PKCS15Object {
+    CommonKeyAttributes, CommonPrivateKeyAttributes, KeyAttributes}
+
+PrivateRSAKeyAttributes ::= SEQUENCE {
+    value 		ObjectValue {RSAPrivateKeyObject},
+    modulusLength 	INTEGER, -- modulus length in bits, e.g. 1024
+    keyInfo  		KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+RSAPrivateKeyObject ::= SEQUENCE {
+    modulus 		[0] INTEGER OPTIONAL, -- n
+    publicExponent 	[1] INTEGER OPTIONAL, -- e
+    privateExponent 	[2] INTEGER OPTIONAL, -- d
+    prime1 		[3] INTEGER OPTIONAL, -- p
+    prime2 		[4] INTEGER OPTIONAL, -- q
+    exponent1  		[5] INTEGER OPTIONAL, -- d mod (p-1)
+    exponent2  		[6] INTEGER OPTIONAL, -- d mod (q-1)
+    coefficient 	[7] INTEGER OPTIONAL -- inv(q) mod p
+} (CONSTRAINED BY {-- must be possible to reconstruct modulus and
+   -- privateExponent from selected fields --})
+
+PrivateECKeyAttributes ::= SEQUENCE {
+    value  	ObjectValue {ECPrivateKey},
+    keyInfo 	KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+ECPrivateKey ::= INTEGER
+
+PrivateDHKeyAttributes ::= SEQUENCE {
+    value  	ObjectValue {DHPrivateKey},
+    keyInfo 	KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+DHPrivateKey ::= INTEGER -- Diffie-Hellman exponent
+
+PrivateDSAKeyAttributes ::= SEQUENCE {
+    value  	ObjectValue {DSAPrivateKey},
+    keyInfo 	KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+DSAPrivateKey ::= INTEGER
+
+PrivateKEAKeyAttributes ::= SEQUENCE {
+    value  	ObjectValue {KEAPrivateKey},
+    keyInfo 	KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+KEAPrivateKey ::= INTEGER
+
+PublicKeyType ::= CHOICE {
+    publicRSAKey 	PublicKeyObject {PublicRSAKeyAttributes},
+    publicECKey 	[0] PublicKeyObject {PublicECKeyAttributes},
+    publicDHKey 	[1] PublicKeyObject {PublicDHKeyAttributes},
+    publicDSAKey 	[2] PublicKeyObject {PublicDSAKeyAttributes},
+    publicKEAKey 	[3] PublicKeyObject {PublicKEAKeyAttributes},
+    ... -- For future extensions
+}
+
+PublicKeyObject {KeyAttributes} ::= PKCS15Object {
+    CommonKeyAttributes, CommonPublicKeyAttributes, KeyAttributes}
+
+PublicRSAKeyAttributes ::= SEQUENCE {
+    value		ObjectValue {RSAPublicKeyChoice},
+    modulusLength 	INTEGER, -- modulus length in bits, e.g. 1024
+    keyInfo		KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+RSAPublicKeyChoice ::= CHOICE {
+    raw	 RSAPublicKey,
+    spki [1] SubjectPublicKeyInfo, -- See X.509. Must contain a
+    -- public RSA key
+    ...
+}
+
+PublicECKeyAttributes ::= SEQUENCE {
+    value  	ObjectValue {ECPublicKeyChoice},
+    keyInfo 	KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+ECPublicKeyChoice ::= CHOICE {
+    raw	 ECPoint,
+    spki SubjectPublicKeyInfo, -- See X.509. Must contain a public EC key
+    ...
+}
+
+PublicDHKeyAttributes ::= SEQUENCE {
+    value  	ObjectValue {DHPublicKeyChoice},
+    keyInfo 	KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+DHPublicKeyChoice ::= CHOICE {
+    raw	 DiffieHellmanPublicNumber,
+    spki SubjectPublicKeyInfo, -- See X.509. Must contain a public D-H key
+    ...
+}
+
+PublicDSAKeyAttributes ::= SEQUENCE {
+    value  	ObjectValue {DSAPublicKeyChoice},
+    keyInfo 	KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+DSAPublicKeyChoice ::= CHOICE {
+    raw	 INTEGER,
+    spki SubjectPublicKeyInfo, -- See X.509. Must contain a public DSA key.
+    ...
+}
+
+PublicKEAKeyAttributes ::= SEQUENCE {
+    value  	ObjectValue {KEAPublicKeyChoice},
+    keyInfo 	KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
+    ... -- For future extensions
+}
+
+KEAPublicKeyChoice ::= CHOICE {
+    raw	 INTEGER,
+    spki SubjectPublicKeyInfo, -- See X.509. Must contain a public KEA key
+    ...
+}
+
+SecretKeyType ::= CHOICE {
+    genericSecretKey	SecretKeyObject {GenericSecretKeyAttributes},
+    rc2key 		[0] SecretKeyObject {GenericSecretKeyAttributes},
+    rc4key 		[1] SecretKeyObject {GenericSecretKeyAttributes},
+    desKey 		[2] SecretKeyObject {GenericSecretKeyAttributes},
+    des2Key		[3] SecretKeyObject {GenericSecretKeyAttributes},
+    des3Key    	        [4] SecretKeyObject {GenericSecretKeyAttributes},
+    castKey 		[5] SecretKeyObject {GenericSecretKeyAttributes},
+    cast3Key 		[6] SecretKeyObject {GenericSecretKeyAttributes},
+    cast128Key  	[7] SecretKeyObject {GenericSecretKeyAttributes},
+    rc5Key  		[8] SecretKeyObject {GenericSecretKeyAttributes},
+    ideaKey 		[9] SecretKeyObject {GenericSecretKeyAttributes},
+    skipjackKey 	[10] SecretKeyObject {GenericSecretKeyAttributes},
+    batonKey		[11] SecretKeyObject {GenericSecretKeyAttributes},
+    juniperKey  	[12] SecretKeyObject {GenericSecretKeyAttributes},
+    rc6Key 		[13] SecretKeyObject {GenericSecretKeyAttributes},
+    otherKey		[14] OtherKey,
+... -- For future extensions
+}
+
+SecretKeyObject {KeyAttributes} ::= PKCS15Object {
+     CommonKeyAttributes, CommonSecretKeyAttributes, KeyAttributes}
+
+OtherKey ::= SEQUENCE {
+    keyType	OBJECT IDENTIFIER,
+    keyAttr	SecretKeyObject {GenericSecretKeyAttributes}
+}
+
+GenericSecretKeyAttributes ::= SEQUENCE {
+    value	ObjectValue { OCTET STRING },
+    ... -- For future extensions
+}
+
+CertificateType ::= CHOICE {
+    x509Certificate  	CertificateObject { X509CertificateAttributes},
+    x509AttributeCertificate [0] CertificateObject
+                        {X509AttributeCertificateAttributes},
+    spkiCertificate 	[1] CertificateObject {SPKICertificateAttributes},
+    pgpCertificate  	[2] CertificateObject {PGPCertificateAttributes},
+    wtlsCertificate 	[3] CertificateObject {WTLSCertificateAttributes},
+    x9-68Certificate 	[4] CertificateObject {X9-68CertificateAttributes},
+    ...,
+    cvCertificate	[5] CertificateObject {CVCertificateAttributes}
+}
+
+CertificateObject {CertAttributes} ::= PKCS15Object {
+    CommonCertificateAttributes, NULL, CertAttributes}
+
+X509CertificateAttributes ::= SEQUENCE {
+    value		ObjectValue { Certificate },
+    subject  		Name OPTIONAL,
+    issuer 		[0] Name OPTIONAL,
+    serialNumber 	CertificateSerialNumber OPTIONAL,
+    ... -- For future extensions
+}
+
+X509AttributeCertificateAttributes ::= SEQUENCE {
+    value	ObjectValue { AttributeCertificate },
+    issuer	GeneralNames OPTIONAL,
+    serialNumber CertificateSerialNumber OPTIONAL,
+    attrTypes 	[0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+    ... -- For future extensions
+}
+
+SPKICertificateAttributes ::= SEQUENCE {
+    value	ObjectValue { PKCS15-OPAQUE.&Type },
+    ... -- For future extensions
+}
+
+PGPCertificateAttributes ::= SEQUENCE {
+    value	ObjectValue { PKCS15-OPAQUE.&Type },
+    ... -- For future extensions
+}
+
+WTLSCertificateAttributes ::= SEQUENCE {
+    value	ObjectValue { PKCS15-OPAQUE.&Type },
+    ... -- For future extensions
+}
+
+X9-68CertificateAttributes ::= SEQUENCE {
+    value	ObjectValue { PKCS15-OPAQUE.&Type },
+    ... -- For future extensions
+}
+CVCertificateAttributes ::= SEQUENCE {
+    value	ObjectValue { PKCS15-OPAQUE.&Type},
+    ... -- For future extensions
+}
+
+DataType ::= CHOICE {
+    opaqueDO	DataObject {Opaque},
+    externalIDO	[0] DataObject {ExternalIDO},
+    oidDO  	[1] DataObject {OidDO},
+    ... -- For future extensions
+}
+
+DataObject {DataObjectAttributes} ::= PKCS15Object {
+    CommonDataObjectAttributes, NULL, DataObjectAttributes}
+
+Opaque ::= ObjectValue {PKCS15-OPAQUE.&Type}
+
+ExternalIDO ::= ObjectValue {PKCS15-OPAQUE.&Type}
+    (CONSTRAINED BY {-- All data objects must be defined in
+    -- accordance with ISO/IEC 7816-6 --})
+
+OidDO ::= SEQUENCE {
+    id		OBJECT IDENTIFIER,
+    value 	ObjectValue {PKCS15-OPAQUE.&Type}
+}
+
+AuthenticationType ::= CHOICE {
+    pin	AuthenticationObject { PinAttributes },
+    ...,
+    biometricTemplate [0] AuthenticationObject {BiometricAttributes},
+    authKey  [1] AuthenticationObject {AuthKeyAttributes},
+    external [2] AuthenticationObject {ExternalAuthObjectAttributes}
+}
+
+AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object {
+    CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes}
+
+PinAttributes ::= SEQUENCE {
+    pinFlags  	  PinFlags,
+    pinType  	  PinType,
+    minLength 	  INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength),
+    storedLength  INTEGER (0..pkcs15-ub-storedPinLength),
+    maxLength 	  INTEGER OPTIONAL,
+    pinReference  [0] Reference DEFAULT 0,
+    padChar  	  OCTET STRING (SIZE(1)) OPTIONAL,
+    lastPinChange GeneralizedTime OPTIONAL,
+    path 	  Path OPTIONAL,
+    ... -- For future extensions
+}
+
+PinFlags ::= BIT STRING {
+    case-sensitive		(0),
+    local 			(1),
+    change-disabled 		(2),
+    unblock-disabled 		(3),
+    initialized  		(4),
+    needs-padding 		(5),
+    unblockingPin 		(6),
+    soPin 			(7),
+    disable-allowed 		(8),
+    integrity-protected		(9),
+    confidentiality-protected	(10),
+    exchangeRefData		(11)
+} (CONSTRAINED BY { -- 'unblockingPin' and 'soPIN' cannot both be set -- })
+
+PinType ::= ENUMERATED {bcd, ascii-numeric, utf8, ...,
+    half-nibble-bcd, iso9564-1}
+
+BiometricAttributes ::= SEQUENCE {
+    bioFlags		BiometricFlags,
+    templateId		OBJECT IDENTIFIER,
+    bioType		BiometricType,
+    bioReference	Reference DEFAULT 0,
+    lastChange		GeneralizedTime OPTIONAL,
+    path		Path OPTIONAL,
+... -- For future extensions
+}
+
+BiometricFlags ::= BIT STRING {
+    local		(1),
+    change-disabled	(2),
+    unblock-disabled	(3),
+    initialized		(4),
+    disable-allowed	(8),
+    integrity-protected	(9),
+    confidentiality-protected	(10)
+    } -- Note: bits 0, 5, 6, and 7 are reserved for future use
+
+BiometricType ::= CHOICE {
+    fingerPrint		FingerPrint,
+    irisScan		[0] IrisScan,
+    -- Possible extensions:
+    -- voiceScan	VoiceScan,
+    -- faceScan		FaceScan,
+    -- retinaScan	Retinascan,
+    -- handGeometry	HandGeometry,
+    -- writeDynamics	WriteDynamics,
+    -- keyStrokeDynamicsKeyStrokeDynamics,
+    -- lipDynamics	LipDynamics,
+    ... -- For future extensions
+}
+
+FingerPrint ::= SEQUENCE {
+    hand	ENUMERATED {left, right},
+    finger	ENUMERATED {thumb, pointerFinger, middleFinger,
+                    ringFinger, littleFinger},
+    ...
+}
+
+IrisScan ::= SEQUENCE {
+    eye	ENUMERATED {left, right},
+    ...
+}
+
+ExternalAuthObjectAttributes ::= CHOICE {
+    authKeyAttributes	AuthKeyAttributes,
+    certBasedAttributes	[0] CertBasedAuthenticationAttributes,
+    ... -- For future extensions
+}
+
+AuthKeyAttributes ::= SEQUENCE {
+    derivedKey	BOOLEAN DEFAULT TRUE,
+    authKeyId	Identifier,
+    ... -- For future extensions
+}
+
+CertBasedAuthenticationAttributes ::= SEQUENCE {
+    cha	OCTET STRING,
+    ...
+}
+
+TokenInfo ::= SEQUENCE {
+    version		INTEGER {v1(0)} (v1,...),
+    serialNumber	OCTET STRING,
+    manufacturerID 	Label OPTIONAL,
+    label 		[0] Label OPTIONAL,
+    tokenflags 		TokenFlags,
+    seInfo 		SEQUENCE OF SecurityEnvironmentInfo OPTIONAL,
+    recordInfo 		[1] RecordInfo OPTIONAL,
+    supportedAlgorithms	[2] SEQUENCE OF AlgorithmInfo OPTIONAL,
+    ...,
+    issuerId		[3] Label OPTIONAL,
+    holderId		[4] Label OPTIONAL,
+    lastUpdate		[5] LastUpdate OPTIONAL,
+    preferredLanguage	PrintableString OPTIONAL -- In accordance with
+    -- IETF RFC 1766
+} (CONSTRAINED BY { -- Each AlgorithmInfo.reference value must be unique --})
+
+TokenFlags ::= BIT STRING {
+    readonly		(0),
+    loginRequired 	(1),
+    prnGeneration 	(2),
+    eidCompliant  	(3)
+}
+
+SecurityEnvironmentInfo ::= SEQUENCE {
+    se		INTEGER (0..pkcs15-ub-seInfo),
+    owner 	OBJECT IDENTIFIER,
+    ... -- For future extensions
+}
+
+RecordInfo ::= SEQUENCE {
+    oDFRecordLength  	[0] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
+    prKDFRecordLength 	[1] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
+    puKDFRecordLength	[2] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
+    sKDFRecordLength 	[3] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
+    cDFRecordLength  	[4] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
+    dODFRecordLength 	[5] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
+    aODFRecordLength 	[6] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL
+}
+
+AlgorithmInfo ::= SEQUENCE {
+    reference  	Reference,
+    algorithm  	PKCS15-ALGORITHM.&id({AlgorithmSet}),
+    parameters 	PKCS15-ALGORITHM.&Parameters({AlgorithmSet}{@algorithm}),
+    supportedOperations
+		PKCS15-ALGORITHM.&Operations({AlgorithmSet}{@algorithm}),
+    algId       PKCS15-ALGORITHM.&objectIdentifier({AlgorithmSet}{@algorithm})
+                    OPTIONAL,
+    algRef	Reference OPTIONAL
+}
+
+PKCS15-ALGORITHM ::= CLASS {
+        &id INTEGER UNIQUE,
+        &Parameters,
+        &Operations Operations,
+	&objectIdentifier OBJECT IDENTIFIER OPTIONAL
+} WITH SYNTAX {
+  PARAMETERS &Parameters OPERATIONS &Operations ID &id [OID &objectIdentifier]}
+
+PKCS15-OPAQUE ::= TYPE-IDENTIFIER
+
+PublicKeyOperations ::= Operations
+
+Operations ::= BIT STRING {
+        compute-checksum  (0), -- H/W computation of checksum
+        compute-signature (1), -- H/W computation of signature
+        verify-checksum   (2), -- H/W verification of checksum
+        verify-signature  (3), -- H/W verification of signature
+        encipher          (4), -- H/W encryption of data
+        decipher          (5), -- H/W decryption of data
+        hash              (6), -- H/W hashing
+        generate-key      (7)  -- H/W key generation
+        }
+
+pkcs15-alg-null      PKCS15-ALGORITHM ::= {
+        PARAMETERS NULL OPERATIONS {{generate-key}} ID -1}
+
+AlgorithmSet PKCS15-ALGORITHM ::= {
+        pkcs15-alg-null,
+        ... -- See PKCS #11 for values for the &id field (and parameters)
+        }
+
+LastUpdate ::= CHOICE {
+        generalizedTime GeneralizedTime,
+        referencedTime ReferencedValue {GeneralizedTime},
+	... -- For future extensions
+	}
+
+-- Soft token related types and objects
+
+EnvelopedData {Type} ::= SEQUENCE {
+    version		 INTEGER{v0(0),v1(1),v2(2),v3(3),v4(4)}(v0|v1|v2,...),
+    originatorInfo	 [0] OriginatorInfo OPTIONAL,
+    recipientInfos 	 RecipientInfos,
+    encryptedContentInfo EncryptedContentInfo{Type},
+    unprotectedAttrs	 [1] SET SIZE (1..MAX) OF Attribute OPTIONAL
+}
+
+EncryptedContentInfo {Type} ::= SEQUENCE {
+    contentType		       OBJECT IDENTIFIER,
+    contentEncryptionAlgorithm AlgorithmIdentifier {{KeyDerivationAlgorithms}},
+    encryptedContent 	       [0] OCTET STRING OPTIONAL
+}(CONSTRAINED BY {-- 'encryptedContent' shall be the result of
+  -- encrypting DER-encoded value of type -- Type})
+
+PKCS15Token ::= SEQUENCE {
+    version		INTEGER {v1(0)} (v1,...),
+    keyManagementInfo	[0] KeyManagementInfo OPTIONAL,
+    pkcs15Objects	SEQUENCE OF PKCS15Objects
+}
+
+KeyManagementInfo ::= SEQUENCE OF SEQUENCE {
+    keyId		Identifier,
+    keyInfo		CHOICE {
+	recipientInfo	RecipientInfo,
+	passwordInfo	[0] PasswordInfo
+	}
+} (CONSTRAINED BY {-- Each keyID must be unique --})
+
+PasswordInfo ::= SEQUENCE {
+    hint	Label OPTIONAL,
+    algId	AlgorithmIdentifier {{KeyDerivationAlgorithms}},
+    ...
+} (CONSTRAINED BY {--keyID shall point to a KEKRecipientInfo--})
+
+KeyDerivationAlgorithms ALGORITHM-IDENTIFIER ::= {
+    PBKDF2Algorithms,
+    ... -- For future extensions
+}
+
+CMS3DESwrap ::= NULL
+
+KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
+    {CMS3DESwrap IDENTIFIED BY id-alg-CMS3DESwrap} |
+    {INTEGER IDENTIFIED BY id-alg-CMSRC2wrap},
+    ... -- For future extensions
+}
+
+DES-IV ::= OCTET STRING (SIZE(8))
+
+ContentEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
+    SupportingAlgorithms EXCEPT {NULL IDENTIFIED BY id-hmacWithSHA1},
+    ... -- For future extensions
+}
+
+MACAlgorithms ALGORITHM-IDENTIFIER ::= {
+    {NULL IDENTIFIED BY hMAC-SHA1},
+    ... -- For future extensions
+}
+
+DigestAlgorithms ALGORITHM-IDENTIFIER ::= {
+    {NULL IDENTIFIED BY sha-1},
+    ... -- For future extensions
+}
+
+-- Misc
+
+DDO ::= SEQUENCE {
+    oid  	  OBJECT IDENTIFIER,
+    odfPath  	  Path OPTIONAL,
+    tokenInfoPath [0] Path OPTIONAL,
+    unusedPath 	  [1] Path OPTIONAL,
+    ... -- For future extensions
+}
+
+DIRRecord ::=   [APPLICATION 1] SEQUENCE {
+    aid  	[APPLICATION 15] OCTET STRING,
+    label 	[APPLICATION 16] UTF8String OPTIONAL,
+    path 	[APPLICATION 17] OCTET STRING,
+    ddo  	[APPLICATION 19] DDO OPTIONAL
+}
+
+UnusedSpace ::= SEQUENCE {
+    path  	Path (WITH COMPONENTS {..., index PRESENT, length PRESENT}),
+    authId 	Identifier OPTIONAL,
+    ...,
+    accessControlRules SEQUENCE OF AccessControlRule OPTIONAL
+}
+
+END
diff --git a/lib/public_key/asn1/PKCS-7.asn1 b/lib/public_key/asn1/PKCS-7.asn1
new file mode 100644
index 0000000000..3af6449f58
--- /dev/null
+++ b/lib/public_key/asn1/PKCS-7.asn1
@@ -0,0 +1,326 @@
+PKCS-7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)
+        modules(0) pkcs-7(1)}
+
+DEFINITIONS EXPLICIT TAGS ::=
+BEGIN
+
+--
+-- 3. Definitions
+--
+
+-- EXPORTS All;
+
+IMPORTS
+
+informationFramework, authenticationFramework
+    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
+                            usefulDefinitions(0) 3}
+
+  Name, ATTRIBUTE
+    FROM InformationFramework informationFramework
+
+  ALGORITHM, Certificate, CertificateSerialNumber,
+    CertificateList
+    FROM AuthenticationFramework authenticationFramework
+
+  contentType, messageDigest, signingTime, counterSignature
+    FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+                 pkcs-9(9) modules(0) pkcs-9(1)};
+--
+-- 6. Useful types
+--
+
+-- Also defined in X.509
+-- Redeclared here as a parameterized type
+AlgorithmIdentifier {ALGORITHM:IOSet} ::= SEQUENCE {
+   algorithm   ALGORITHM.&id({IOSet}),
+   parameters  ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
+}
+
+-- Also defined in X.501
+-- Redeclared here as a parameterized type
+Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
+  type    ATTRIBUTE.&id({IOSet}),
+  values  SET SIZE (1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
+}
+
+CertificateRevocationLists ::=
+  SET OF CertificateList
+
+Certificates ::=
+  SEQUENCE OF Certificate
+
+CRLSequence ::=
+  SEQUENCE OF CertificateList
+
+ContentEncryptionAlgorithmIdentifier ::=
+  AlgorithmIdentifier {{ContentEncryptionAlgorithms}}
+
+ContentEncryptionAlgorithms ALGORITHM ::= {
+  ...  -- add any application-specific algorithms here
+}
+
+DigestAlgorithmIdentifier ::=
+  AlgorithmIdentifier {{DigestAlgorithms}}
+
+DigestAlgorithms ALGORITHM ::= {
+   ...  -- add any application-specific algorithms here
+}
+
+DigestEncryptionAlgorithmIdentifier ::=
+  AlgorithmIdentifier {{DigestEncryptionAlgorithms}}
+
+DigestEncryptionAlgorithms ALGORITHM ::= {
+  ...  -- add any application-specific algorithms here
+}
+
+ExtendedCertificateOrCertificate ::= CHOICE {
+  certificate          Certificate,                      -- X.509
+  extendedCertificate  [0] IMPLICIT ExtendedCertificate  -- PKCS#6
+}
+
+ExtendedCertificate ::= Certificate -- cheating
+
+ExtendedCertificatesAndCertificates ::=
+  SET OF ExtendedCertificateOrCertificate
+
+IssuerAndSerialNumber ::= SEQUENCE {
+  issuer        Name,
+  serialNumber  CertificateSerialNumber
+}
+
+KeyEncryptionAlgorithmIdentifier ::=
+  AlgorithmIdentifier {{KeyEncryptionAlgorithms}}
+
+KeyEncryptionAlgorithms ALGORITHM ::= {
+  ...  -- add any application-specific algorithms here
+}
+
+--
+-- 7. General syntax
+--
+
+ContentInfo ::= SEQUENCE {
+  contentType  ContentType,
+  content      [0] EXPLICIT CONTENTS.&Type({Contents}{@contentType})
+OPTIONAL
+}
+
+CONTENTS ::= TYPE-IDENTIFIER
+
+Contents CONTENTS ::= {
+  {Data                    IDENTIFIED BY data}                   |
+  {SignedData              IDENTIFIED BY signedData}             |
+  {EnvelopedData           IDENTIFIED BY envelopedData}          |
+  {SignedAndEnvelopedData  IDENTIFIED BY signedAndEnvelopedData} |
+  {DigestedData            IDENTIFIED BY digestedData}           |
+  {EncryptedData           IDENTIFIED BY encryptedData},
+  ...  -- add any application-specific types/contents here
+}
+
+ContentType ::= CONTENTS.&id({Contents})
+
+--
+-- 8. Data content type
+--
+
+Data ::= OCTET STRING
+
+--
+-- 9. Signed-data content type
+--
+
+SignedData ::= SEQUENCE {
+  version         INTEGER {sdVer1(1), sdVer2(2)} (sdVer1 | sdVer2),
+  digestAlgorithms
+                  DigestAlgorithmIdentifiers,
+  contentInfo     ContentInfo,
+  certificates CHOICE {
+    certSet       [0] IMPLICIT ExtendedCertificatesAndCertificates,
+    certSequence  [2] IMPLICIT Certificates
+  } OPTIONAL,
+  crls CHOICE {
+    crlSet        [1] IMPLICIT CertificateRevocationLists,
+    crlSequence   [3] IMPLICIT CRLSequence
+  } OPTIONAL,
+  signerInfos     SignerInfos
+} (WITH COMPONENTS { ..., version (sdVer1),
+     digestAlgorithms   (WITH COMPONENTS { ..., daSet PRESENT }),
+     certificates       (WITH COMPONENTS { ..., certSequence ABSENT }),
+     crls               (WITH COMPONENTS { ..., crlSequence ABSENT }),
+     signerInfos        (WITH COMPONENTS { ..., siSet PRESENT })
+   } |
+   WITH COMPONENTS { ..., version (sdVer2),
+      digestAlgorithms  (WITH COMPONENTS { ..., daSequence PRESENT }),
+      certificates      (WITH COMPONENTS { ..., certSet ABSENT }),
+      crls              (WITH COMPONENTS { ..., crlSet ABSENT }),
+      signerInfos       (WITH COMPONENTS { ..., siSequence PRESENT })
+})
+
+SignerInfos ::= CHOICE {
+    siSet         SET OF SignerInfo,
+    siSequence    SEQUENCE OF SignerInfo
+}
+
+DigestAlgorithmIdentifiers ::= CHOICE {
+  daSet           SET OF DigestAlgorithmIdentifier,
+  daSequence      SEQUENCE OF DigestAlgorithmIdentifier
+}
+
+SignerInfo ::= SEQUENCE {
+  version         INTEGER {siVer1(1), siVer2(2)} (siVer1 | siVer2),
+  issuerAndSerialNumber
+                  IssuerAndSerialNumber,
+  digestAlgorithm DigestAlgorithmIdentifier,
+  authenticatedAttributes CHOICE {
+    aaSet         [0] IMPLICIT SET OF Attribute {{Authenticated}},
+    aaSequence    [2] EXPLICIT SEQUENCE OF Attribute {{Authenticated}}
+    -- Explicit because easier to compute digest on sequence of attributes and then reuse
+    -- encoded sequence in aaSequence.
+  } OPTIONAL,
+  digestEncryptionAlgorithm
+                  DigestEncryptionAlgorithmIdentifier,
+  encryptedDigest EncryptedDigest,
+  unauthenticatedAttributes CHOICE {
+    uaSet         [1] IMPLICIT SET OF Attribute {{Unauthenticated}},
+    uaSequence    [3] IMPLICIT SEQUENCE OF Attribute {{Unauthenticated}}
+  } OPTIONAL
+} (WITH COMPONENTS { ..., version (siVer1),
+  authenticatedAttributes       (WITH COMPONENTS { ..., aaSequence ABSENT }),
+  unauthenticatedAttributes     (WITH COMPONENTS { ..., uaSequence ABSENT })
+} | WITH COMPONENTS { ..., version (siVer2),
+  authenticatedAttributes       (WITH COMPONENTS { ..., aaSet ABSENT }),
+  unauthenticatedAttributes     (WITH COMPONENTS { ..., uaSet ABSENT })
+})
+
+Authenticated ATTRIBUTE ::= {
+  contentType |
+  messageDigest,
+  ...,  -- add application-specific attributes here
+  signingTime
+}
+
+Unauthenticated ATTRIBUTE ::= {
+  ...,  -- add application-specific attributes here
+  counterSignature
+}
+
+EncryptedDigest ::= OCTET STRING
+
+DigestInfo ::= SEQUENCE {
+  digestAlgorithm DigestAlgorithmIdentifier,
+  digest          Digest
+}
+
+Digest ::= OCTET STRING
+
+--
+-- 10. Enveloped-data content type
+--
+
+EnvelopedData ::= SEQUENCE {
+  version         INTEGER {edVer0(0), edVer1(1)} (edVer0 | edVer1),
+  recipientInfos  RecipientInfos,
+  encryptedContentInfo
+                  EncryptedContentInfo
+} (WITH COMPONENTS { ..., version (edVer0),
+    recipientInfos      (WITH COMPONENTS { ..., riSet PRESENT })
+} | WITH COMPONENTS { ..., version (edVer1),
+    recipientInfos      (WITH COMPONENTS { ..., riSequence PRESENT })
+})
+
+RecipientInfos ::= CHOICE {
+  riSet           SET OF RecipientInfo,
+  riSequence      SEQUENCE OF RecipientInfo
+}
+
+EncryptedContentInfo ::= SEQUENCE {
+  contentType     ContentType,
+  contentEncryptionAlgorithm
+                  ContentEncryptionAlgorithmIdentifier,
+  encryptedContent
+                  [0] IMPLICIT EncryptedContent OPTIONAL
+}
+
+EncryptedContent ::= OCTET STRING
+
+RecipientInfo ::= SEQUENCE {
+  version         INTEGER {riVer0(0)} (riVer0),
+  issuerAndSerialNumber
+                  IssuerAndSerialNumber,
+  keyEncryptionAlgorithm
+                  KeyEncryptionAlgorithmIdentifier,
+  encryptedKey    EncryptedKey
+}
+
+EncryptedKey ::= OCTET STRING
+
+--
+-- 11. Signed-and-enveloped-data content type
+--
+
+SignedAndEnvelopedData ::= SEQUENCE {
+  version         INTEGER {seVer1(1), seVer2(2)} (seVer1 | seVer2),
+  recipientInfos  RecipientInfos,
+  digestAlgorithms
+                  DigestAlgorithmIdentifiers,
+  encryptedContentInfo
+                  EncryptedContentInfo,
+  certificates CHOICE {
+    certSet       [0] IMPLICIT ExtendedCertificatesAndCertificates,
+    certSequence  [2] IMPLICIT Certificates
+  } OPTIONAL,
+  crls CHOICE {
+    crlSet        [1] IMPLICIT CertificateRevocationLists,
+    crlSequence   [3] IMPLICIT CRLSequence
+  } OPTIONAL,
+  signerInfos     SignerInfos
+} (WITH COMPONENTS { ..., version (seVer1),
+    recipientInfos   (WITH COMPONENTS { ..., riSet PRESENT }),
+    digestAlgorithms (WITH COMPONENTS { ..., daSet PRESENT }),
+    certificates     (WITH COMPONENTS { ..., certSequence ABSENT }),
+    crls             (WITH COMPONENTS { ..., crlSequence ABSENT }),
+    signerInfos      (WITH COMPONENTS { ..., siSet PRESENT })
+} |
+  WITH COMPONENTS { ..., version (seVer2),
+    recipientInfos   (WITH COMPONENTS { ..., riSequence PRESENT }),
+    digestAlgorithms (WITH COMPONENTS { ..., daSequence PRESENT }),
+    certificates     (WITH COMPONENTS { ..., certSet ABSENT }),
+    crls             (WITH COMPONENTS { ..., crlSet ABSENT }),
+    signerInfos      (WITH COMPONENTS { ..., siSequence PRESENT })
+})
+
+--
+-- 12. Digested-data content type
+--
+
+DigestedData ::= SEQUENCE {
+  version         INTEGER {ddVer0(0)} (ddVer0),
+  digestAlgorithm DigestAlgorithmIdentifier,
+  contentInfo     ContentInfo,
+  digest          Digest
+}
+
+--
+-- 13. Encrypted-data content type
+--
+
+EncryptedData ::= SEQUENCE {
+  version		INTEGER {edVer0(0)} (edVer0),
+  encryptedContentInfo  EncryptedContentInfo
+}
+
+--
+-- 14. Object Identifiers
+--
+
+pkcs-7                  OBJECT IDENTIFIER ::=
+  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 }
+data                    OBJECT IDENTIFIER ::= { pkcs-7 1 }
+signedData              OBJECT IDENTIFIER ::= { pkcs-7 2 }
+envelopedData           OBJECT IDENTIFIER ::= { pkcs-7 3 }
+signedAndEnvelopedData  OBJECT IDENTIFIER ::= { pkcs-7 4 }
+digestedData            OBJECT IDENTIFIER ::= { pkcs-7 5 }
+encryptedData           OBJECT IDENTIFIER ::= { pkcs-7 6 }
+
+END
diff --git a/lib/public_key/asn1/PKCS-9.asn1 b/lib/public_key/asn1/PKCS-9.asn1
new file mode 100644
index 0000000000..9196251ccb
--- /dev/null
+++ b/lib/public_key/asn1/PKCS-9.asn1
@@ -0,0 +1,390 @@
+PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+pkcs-9(9) modules(0) pkcs-9(1)}
+
+-- $Revision$
+
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS All --
+-- All types and values defined in this module is exported for use in
+-- other ASN.1 modules.
+
+IMPORTS
+
+informationFramework, authenticationFramework, selectedAttributeTypes,
+        upperBounds , id-at
+        FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
+        usefulDefinitions(0) 3}
+
+ub-name
+        FROM UpperBounds upperBounds
+
+OBJECT-CLASS, ATTRIBUTE, MATCHING-RULE, Attribute, top, objectIdentifierMatch
+        FROM InformationFramework informationFramework
+
+ALGORITHM, Extensions, Time
+        FROM AuthenticationFramework authenticationFramework
+
+DirectoryString, octetStringMatch, caseIgnoreMatch, caseExactMatch,
+        generalizedTimeMatch, integerMatch, serialNumber
+        FROM SelectedAttributeTypes selectedAttributeTypes
+
+ContentInfo, SignerInfo
+        FROM CryptographicMessageSyntax {iso(1) member-body(2) us(840)
+        rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1)}
+
+EncryptedPrivateKeyInfo
+        FROM PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549)
+        pkcs(1) pkcs-8(8) modules(1) pkcs-8(1)}
+
+PFX
+        FROM PKCS-12 {iso(1) member-body(2) us(840) rsadsi(113549)
+        pkcs(1) pkcs-12(12) modules(0) pkcs-12(1)}
+
+PKCS15Token
+        FROM PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549)
+        pkcs(1) pkcs-15(15) modules(1) pkcs-15(1)};
+
+-- Upper bounds
+pkcs-9-ub-pkcs9String          		INTEGER ::= 255
+pkcs-9-ub-emailAddress         		INTEGER ::= pkcs-9-ub-pkcs9String
+pkcs-9-ub-unstructuredName      	INTEGER ::= pkcs-9-ub-pkcs9String
+pkcs-9-ub-unstructuredAddress   	INTEGER ::= pkcs-9-ub-pkcs9String
+pkcs-9-ub-challengePassword     	INTEGER ::= pkcs-9-ub-pkcs9String
+pkcs-9-ub-friendlyName         		INTEGER ::= pkcs-9-ub-pkcs9String
+pkcs-9-ub-signingDescription    	INTEGER ::= pkcs-9-ub-pkcs9String
+pkcs-9-ub-match                		INTEGER ::= pkcs-9-ub-pkcs9String
+pkcs-9-ub-pseudonym            		INTEGER ::= ub-name
+pkcs-9-ub-placeOfBirth         		INTEGER ::= ub-name
+
+-- Object Identifiers
+
+pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
+                              rsadsi(113549) pkcs(1) 9}
+
+  -- Main arcs
+pkcs-9-mo	OBJECT IDENTIFIER ::= {pkcs-9 0}  -- Modules branch
+pkcs-9-oc    	OBJECT IDENTIFIER ::= {pkcs-9 24} -- Object class branch
+pkcs-9-at       OBJECT IDENTIFIER ::= {pkcs-9 25} -- Attribute branch, for new  attributes
+pkcs-9-sx	OBJECT IDENTIFIER ::= {pkcs-9 26} -- For syntaxes (RFC 2252)
+pkcs-9-mr       OBJECT IDENTIFIER ::= {pkcs-9 27} -- Matching rules
+
+  -- Object classes
+pkcs-9-oc-pkcsEntity   			OBJECT IDENTIFIER ::= {pkcs-9-oc 1}
+pkcs-9-oc-naturalPerson                 OBJECT IDENTIFIER ::= {pkcs-9-oc 2}
+
+  -- Attributes
+pkcs-9-at-emailAddress                  OBJECT IDENTIFIER ::= {pkcs-9 1}
+pkcs-9-at-unstructuredName              OBJECT IDENTIFIER ::= {pkcs-9 2}
+pkcs-9-at-contentType                   OBJECT IDENTIFIER ::= {pkcs-9 3}
+pkcs-9-at-messageDigest                 OBJECT IDENTIFIER ::= {pkcs-9 4}
+pkcs-9-at-signingTime                   OBJECT IDENTIFIER ::= {pkcs-9 5}
+pkcs-9-at-counterSignature              OBJECT IDENTIFIER ::= {pkcs-9 6}
+pkcs-9-at-challengePassword             OBJECT IDENTIFIER ::= {pkcs-9 7}
+pkcs-9-at-unstructuredAddress           OBJECT IDENTIFIER ::= {pkcs-9 8}
+pkcs-9-at-extendedCertificateAttributes OBJECT IDENTIFIER ::= {pkcs-9 9}
+
+-- Obsolete (?) attribute identifiers, purportedly from "tentative
+-- PKCS #9 draft"
+-- pkcs-9-at-issuerAndSerialNumber      OBJECT IDENTIFIER ::= {pkcs-9 10}
+-- pkcs-9-at-passwordCheck              OBJECT IDENTIFIER ::= {pkcs-9 11}
+-- pkcs-9-at-publicKey                  OBJECT IDENTIFIER ::= {pkcs-9 12}
+
+pkcs-9-at-signingDescription            OBJECT IDENTIFIER ::= {pkcs-9 13}
+pkcs-9-at-extensionRequest              OBJECT IDENTIFIER ::= {pkcs-9 14}
+pkcs-9-at-smimeCapabilities             OBJECT IDENTIFIER ::= {pkcs-9 15}
+
+-- Unused (?)
+-- pkcs-9-at-?                          OBJECT IDENTIFIER ::= {pkcs-9 17}
+-- pkcs-9-at-?                          OBJECT IDENTIFIER ::= {pkcs-9 18}
+-- pkcs-9-at-?                          OBJECT IDENTIFIER ::= {pkcs-9 19}
+
+pkcs-9-at-friendlyName                  OBJECT IDENTIFIER ::= {pkcs-9 20}
+pkcs-9-at-localKeyId                    OBJECT IDENTIFIER ::= {pkcs-9 21}
+pkcs-9-at-userPKCS12                    OBJECT IDENTIFIER ::= {2 16 840 1 113730 3 1 216}
+pkcs-9-at-pkcs15Token                   OBJECT IDENTIFIER ::= {pkcs-9-at 1}
+pkcs-9-at-encryptedPrivateKeyInfo       OBJECT IDENTIFIER ::= {pkcs-9-at 2}
+pkcs-9-at-randomNonce                   OBJECT IDENTIFIER ::= {pkcs-9-at 3}
+pkcs-9-at-sequenceNumber                OBJECT IDENTIFIER ::= {pkcs-9-at 4}
+pkcs-9-at-pkcs7PDU                      OBJECT IDENTIFIER ::= {pkcs-9-at 5}
+
+  -- IETF PKIX Attribute branch
+ietf-at         			OBJECT IDENTIFIER ::= {1 3 6 1 5 5 7 9}
+
+pkcs-9-at-dateOfBirth                   OBJECT IDENTIFIER ::= {ietf-at 1}
+pkcs-9-at-placeOfBirth                  OBJECT IDENTIFIER ::= {ietf-at 2}
+pkcs-9-at-gender                        OBJECT IDENTIFIER ::= {ietf-at 3}
+pkcs-9-at-countryOfCitizenship          OBJECT IDENTIFIER ::= {ietf-at 4}
+pkcs-9-at-countryOfResidence            OBJECT IDENTIFIER ::= {ietf-at 5}
+
+  -- Syntaxes (for use with LDAP accessible directories)
+pkcs-9-sx-pkcs9String                   OBJECT IDENTIFIER ::= {pkcs-9-sx 1}
+pkcs-9-sx-signingTime                   OBJECT IDENTIFIER ::= {pkcs-9-sx 2}
+
+  -- Matching rules
+pkcs-9-mr-caseIgnoreMatch               OBJECT IDENTIFIER ::= {pkcs-9-mr 1}
+pkcs-9-mr-signingTimeMatch              OBJECT IDENTIFIER ::= {pkcs-9-mr 2}
+
+  -- Arcs with attributes defined elsewhere
+smime             			OBJECT IDENTIFIER ::= {pkcs-9 16}
+  -- Main arc for S/MIME (RFC 2633)
+certTypes         			OBJECT IDENTIFIER ::= {pkcs-9 22}
+  -- Main arc for certificate types defined in PKCS #12
+crlTypes          			OBJECT IDENTIFIER ::= {pkcs-9 23}
+  -- Main arc for crl types defined in PKCS #12
+
+  -- Other object identifiers
+id-at-pseudonym				OBJECT IDENTIFIER ::= {id-at 65}
+
+-- Useful types
+
+PKCS9String {INTEGER : maxSize} ::= CHOICE {
+        ia5String IA5String (SIZE(1..maxSize)),
+        directoryString DirectoryString {maxSize}
+}
+
+-- Object classes
+
+pkcsEntity OBJECT-CLASS ::= {
+        SUBCLASS OF	{ top }
+        KIND           	auxiliary
+        MAY CONTAIN	{ PKCSEntityAttributeSet }
+        ID              pkcs-9-oc-pkcsEntity
+}
+
+naturalPerson OBJECT-CLASS ::= {
+        SUBCLASS OF 	{ top }
+        KIND 		auxiliary
+        MAY CONTAIN 	{ NaturalPersonAttributeSet }
+        ID 		pkcs-9-oc-naturalPerson
+}
+
+-- Attribute sets
+
+PKCSEntityAttributeSet ATTRIBUTE ::= {
+        pKCS7PDU       |
+        userPKCS12     |
+        pKCS15Token    |
+        encryptedPrivateKeyInfo,
+        ... -- For future extensions
+}
+
+NaturalPersonAttributeSet ATTRIBUTE ::= {
+        emailAddress	     |
+        unstructuredName     |
+        unstructuredAddress  |
+        dateOfBirth	     |
+        placeOfBirth	     |
+        gender		     |
+        countryOfCitizenship |
+        countryOfResidence   |
+        pseudonym	     |
+        serialNumber,
+        ... -- For future extensions
+}
+
+-- Attributes
+
+pKCS7PDU ATTRIBUTE ::= {
+        WITH SYNTAX ContentInfo
+        ID pkcs-9-at-pkcs7PDU
+}
+
+userPKCS12 ATTRIBUTE ::= {
+        WITH SYNTAX PFX
+        ID pkcs-9-at-userPKCS12
+}
+
+pKCS15Token ATTRIBUTE ::= {
+        WITH SYNTAX PKCS15Token
+        ID pkcs-9-at-pkcs15Token
+}
+
+encryptedPrivateKeyInfo ATTRIBUTE ::= {
+        WITH SYNTAX EncryptedPrivateKeyInfo
+        ID pkcs-9-at-encryptedPrivateKeyInfo
+}
+
+emailAddress ATTRIBUTE ::= {
+        WITH SYNTAX IA5String (SIZE(1..pkcs-9-ub-emailAddress))
+        EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
+        ID pkcs-9-at-emailAddress
+}
+
+unstructuredName ATTRIBUTE ::= {
+        WITH SYNTAX PKCS9String {pkcs-9-ub-unstructuredName}
+        EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
+        ID pkcs-9-at-unstructuredName
+}
+
+unstructuredAddress ATTRIBUTE ::= {
+        WITH SYNTAX DirectoryString {pkcs-9-ub-unstructuredAddress}
+        EQUALITY MATCHING RULE caseIgnoreMatch
+        ID pkcs-9-at-unstructuredAddress
+}
+
+dateOfBirth ATTRIBUTE ::= {
+        WITH SYNTAX GeneralizedTime
+        EQUALITY MATCHING RULE generalizedTimeMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-dateOfBirth
+}
+
+placeOfBirth ATTRIBUTE ::= {
+        WITH SYNTAX DirectoryString {pkcs-9-ub-placeOfBirth}
+        EQUALITY MATCHING RULE caseExactMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-placeOfBirth
+}
+
+gender ATTRIBUTE ::= {
+        WITH SYNTAX PrintableString (SIZE(1) ^ FROM ("M" | "F" | "m" | "f"))
+        EQUALITY MATCHING RULE caseIgnoreMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-gender
+}
+
+countryOfCitizenship ATTRIBUTE ::= {
+        WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY {
+        -- Must be a two-letter country acronym in accordance with
+        -- ISO/IEC 3166 --})
+        EQUALITY MATCHING RULE caseIgnoreMatch
+        ID pkcs-9-at-countryOfCitizenship
+}
+
+countryOfResidence ATTRIBUTE ::= {
+        WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY {
+        -- Must be a two-letter country acronym in accordance with
+        -- ISO/IEC 3166 --})
+        EQUALITY MATCHING RULE caseIgnoreMatch
+        ID pkcs-9-at-countryOfResidence
+}
+
+pseudonym ATTRIBUTE ::= {
+        WITH SYNTAX DirectoryString {pkcs-9-ub-pseudonym}
+        EQUALITY MATCHING RULE caseExactMatch
+        ID id-at-pseudonym
+}
+
+contentType ATTRIBUTE ::= {
+        WITH SYNTAX ContentType
+        EQUALITY MATCHING RULE objectIdentifierMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-contentType
+}
+
+ContentType ::= OBJECT IDENTIFIER
+
+messageDigest ATTRIBUTE ::= {
+        WITH SYNTAX MessageDigest
+        EQUALITY MATCHING RULE octetStringMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-messageDigest
+}
+
+MessageDigest ::= OCTET STRING
+
+signingTime ATTRIBUTE ::= {
+        WITH SYNTAX SigningTime
+        EQUALITY MATCHING RULE signingTimeMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-signingTime
+}
+
+SigningTime ::= Time -- imported from ISO/IEC 9594-8
+
+randomNonce ATTRIBUTE ::= {
+        WITH SYNTAX RandomNonce
+        EQUALITY MATCHING RULE octetStringMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-randomNonce
+}
+
+RandomNonce ::= OCTET STRING (SIZE(4..MAX)) -- At least four bytes long
+
+sequenceNumber ATTRIBUTE ::= {
+        WITH SYNTAX SequenceNumber
+        EQUALITY MATCHING RULE integerMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-sequenceNumber
+}
+
+SequenceNumber ::= INTEGER (1..MAX)
+
+counterSignature ATTRIBUTE ::= {
+        WITH SYNTAX SignerInfo
+        ID pkcs-9-at-counterSignature
+}
+
+challengePassword ATTRIBUTE ::= {
+        WITH SYNTAX DirectoryString {pkcs-9-ub-challengePassword}
+        EQUALITY MATCHING RULE caseExactMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-challengePassword
+}
+
+extensionRequest ATTRIBUTE ::= {
+        WITH SYNTAX ExtensionRequest
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-extensionRequest
+}
+
+ExtensionRequest ::= Extensions
+
+extendedCertificateAttributes ATTRIBUTE ::= {
+        WITH SYNTAX SET OF Attribute
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-extendedCertificateAttributes
+}
+
+friendlyName ATTRIBUTE ::= {
+        WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
+        EQUALITY MATCHING RULE caseIgnoreMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-friendlyName
+}
+
+localKeyId ATTRIBUTE ::= {
+        WITH SYNTAX OCTET STRING
+        EQUALITY MATCHING RULE octetStringMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-localKeyId
+}
+
+signingDescription ATTRIBUTE ::= {
+        WITH SYNTAX DirectoryString {pkcs-9-ub-signingDescription}
+        EQUALITY MATCHING RULE caseIgnoreMatch
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-signingDescription
+}
+
+smimeCapabilities ATTRIBUTE ::= {
+        WITH SYNTAX SMIMECapabilities
+        SINGLE VALUE TRUE
+        ID pkcs-9-at-smimeCapabilities
+}
+
+SMIMECapabilities ::= SEQUENCE OF SMIMECapability
+
+SMIMECapability ::= SEQUENCE {
+        algorithm  ALGORITHM.&id ({SMIMEv3Algorithms}),
+        parameters ALGORITHM.&Type ({SMIMEv3Algorithms}{@algorithm})
+}
+
+SMIMEv3Algorithms ALGORITHM ::= {...-- See RFC 2633 --}
+
+ -- Matching rules
+
+pkcs9CaseIgnoreMatch MATCHING-RULE ::= {
+        SYNTAX PKCS9String {pkcs-9-ub-match}
+        ID pkcs-9-mr-caseIgnoreMatch
+}
+
+signingTimeMatch MATCHING-RULE ::= {
+        SYNTAX SigningTime
+        ID pkcs-9-mr-signingTimeMatch
+}
+
+END
diff --git a/lib/public_key/asn1/PKCS-FRAME.set.asn b/lib/public_key/asn1/PKCS-FRAME.set.asn
index 69b6727bef..00219bccba 100644
--- a/lib/public_key/asn1/PKCS-FRAME.set.asn
+++ b/lib/public_key/asn1/PKCS-FRAME.set.asn
@@ -1,2 +1,4 @@
 PKCS-8.asn1
+PKCS-7.asn1
+PKCS-9.asn1
 PKCS5v2-0.asn1
diff --git a/lib/public_key/asn1/SelectedAttributeTypes.asn1 b/lib/public_key/asn1/SelectedAttributeTypes.asn1
new file mode 100644
index 0000000000..3ef7077370
--- /dev/null
+++ b/lib/public_key/asn1/SelectedAttributeTypes.asn1
@@ -0,0 +1,1575 @@
+SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1)
+  selectedAttributeTypes(5) 6} DEFINITIONS ::=
+BEGIN
+
+-- EXPORTS All
+-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
+-- within the Directory Specifications, and for the use of other applications which will use them to access
+-- Directory services. Other applications may use them for their own purposes, but this will not constrain
+-- extensions and modifications needed to maintain or improve the Directory service.
+IMPORTS
+  -- from ITU-T Rec. X.501 | ISO/IEC 9594-2
+  directoryAbstractService, id-at, id-avc, id-cat, id-mr, id-not, id-pr,
+    informationFramework, serviceAdministration
+    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
+      usefulDefinitions(0) 6}
+  Attribute{}, ATTRIBUTE, AttributeType, AttributeValueAssertion, CONTEXT,
+    ContextAssertion, DistinguishedName, distinguishedNameMatch,
+    MAPPING-BASED-MATCHING{}, MATCHING-RULE, OBJECT-CLASS,
+    objectIdentifierMatch, SupportedAttributes
+    FROM InformationFramework informationFramework
+  AttributeCombination, ContextCombination, MRMapping
+    FROM ServiceAdministration serviceAdministration
+  -- from ITU-T Rec. X.511 | ISO/IEC 9594-3
+  FilterItem, HierarchySelections, SearchControlOptions, ServiceControlOptions
+    FROM DirectoryAbstractService directoryAbstractService
+  -- from ITU-T Rec. X.411 | ISO/IEC 10021-4
+  G3FacsimileNonBasicParameters
+    FROM MTSAbstractService {joint-iso-itu-t mhs(6) mts(3) modules(0)
+      mts-abstract-service(1) version-1999(1)};
+
+/*from IETF RFC 3727
+
+The following import is provided for information only (see 7.2.16), it is not referenced by any ASN.1 construct within these Directory Specifications. Note that the ASN.1 module in RFC 3727 imports from the InformationFramework module of edition 4 of ITU-T Rec. X.501 | ISO/IEC 9594-2. A specification importing from both these Directory Specifications and from RFC 3727 should take corrective actions, e.g., by making a copy of the ASN.1 module of
+RFC 3727 and then update the IMPORT statement.
+
+	allComponentsMatch, componentFilterMatch, directoryComponentsMatch, presentMatch, rdnMatch
+		FROM ComponentMatching {iso(1) 2 36 79672281 xed(3) module (0)
+		component-matching(4)} */
+-- Directory string type
+UnboundedDirectoryString ::= CHOICE {
+  teletexString    TeletexString(SIZE (1..MAX)),
+  printableString  PrintableString(SIZE (1..MAX)),
+  bmpString        BMPString(SIZE (1..MAX)),
+  universalString  UniversalString(SIZE (1..MAX)),
+  uTF8String       UTF8String(SIZE (1..MAX))
+}
+
+DirectoryString{INTEGER:maxSize} ::= CHOICE {
+  teletexString    TeletexString(SIZE (1..maxSize)),
+  printableString  PrintableString(SIZE (1..maxSize)),
+  bmpString        BMPString(SIZE (1..maxSize)),
+  universalString  UniversalString(SIZE (1..maxSize)),
+  uTF8String       UTF8String(SIZE (1..maxSize))
+}
+
+-- Attribute types
+knowledgeInformation ATTRIBUTE ::= {
+  WITH SYNTAX             UnboundedDirectoryString
+  EQUALITY MATCHING RULE  caseIgnoreMatch
+  ID                      id-at-knowledgeInformation
+}
+
+name ATTRIBUTE ::= {
+  WITH SYNTAX               UnboundedDirectoryString
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-name
+}
+
+commonName ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-commonName
+}
+
+surname ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-surname
+}
+
+givenName ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-givenName
+}
+
+initials ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-initials
+}
+
+generationQualifier ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-generationQualifier
+}
+
+uniqueIdentifier ATTRIBUTE ::= {
+  WITH SYNTAX             UniqueIdentifier
+  EQUALITY MATCHING RULE  bitStringMatch
+  ID                      id-at-uniqueIdentifier
+}
+
+UniqueIdentifier ::= BIT STRING
+
+dnQualifier ATTRIBUTE ::= {
+  WITH SYNTAX               PrintableString
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  ORDERING MATCHING RULE    caseIgnoreOrderingMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-dnQualifier
+}
+
+serialNumber ATTRIBUTE ::= {
+  WITH SYNTAX               PrintableString(SIZE (1..MAX))
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-serialNumber
+}
+
+pseudonym ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-pseudonym
+}
+
+uUIDPair ATTRIBUTE ::= {
+  WITH SYNTAX             UUIDPair
+  EQUALITY MATCHING RULE  uUIDPairMatch
+  ID                      id-at-uuidpair
+}
+
+UUIDPair ::= SEQUENCE {issuerUUID   UUID,
+                       subjectUUID  UUID
+}
+
+UUID ::= OCTET STRING(SIZE (16)) -- UUID format only
+
+
+countryName ATTRIBUTE ::= {
+  SUBTYPE OF    name
+  WITH SYNTAX   CountryName
+  SINGLE VALUE  TRUE
+  ID            id-at-countryName
+}
+
+CountryName ::= PrintableString(SIZE (2)) -- ISO 3166 codes only
+
+
+localityName ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-localityName
+}
+
+collectiveLocalityName ATTRIBUTE ::= {
+  SUBTYPE OF  localityName
+  COLLECTIVE  TRUE
+  ID          id-at-collectiveLocalityName
+}
+
+stateOrProvinceName ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-stateOrProvinceName
+}
+
+collectiveStateOrProvinceName ATTRIBUTE ::= {
+  SUBTYPE OF  stateOrProvinceName
+  COLLECTIVE  TRUE
+  ID          id-at-collectiveStateOrProvinceName
+}
+
+streetAddress ATTRIBUTE ::= {
+  WITH SYNTAX               UnboundedDirectoryString
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-streetAddress
+}
+
+collectiveStreetAddress ATTRIBUTE ::= {
+  SUBTYPE OF  streetAddress
+  COLLECTIVE  TRUE
+  ID          id-at-collectiveStreetAddress
+}
+
+houseIdentifier ATTRIBUTE ::= {
+  WITH SYNTAX               UnboundedDirectoryString
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-houseIdentifier
+}
+
+organizationName ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-organizationName
+}
+
+collectiveOrganizationName ATTRIBUTE ::= {
+  SUBTYPE OF  organizationName
+  COLLECTIVE  TRUE
+  ID          id-at-collectiveOrganizationName
+}
+
+organizationalUnitName ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-organizationalUnitName
+}
+
+collectiveOrganizationalUnitName ATTRIBUTE ::= {
+  SUBTYPE OF  organizationalUnitName
+  COLLECTIVE  TRUE
+  ID          id-at-collectiveOrganizationalUnitName
+}
+
+title ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-title
+}
+
+description ATTRIBUTE ::= {
+  WITH SYNTAX               UnboundedDirectoryString
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-description
+}
+
+searchGuide ATTRIBUTE ::= {WITH SYNTAX  Guide
+                           ID           id-at-searchGuide
+}
+
+Guide ::= SET {
+  objectClass  [0]  OBJECT-CLASS.&id OPTIONAL,
+  criteria     [1]  Criteria
+}
+
+Criteria ::= CHOICE {
+  type  [0]  CriteriaItem,
+  and   [1]  SET OF Criteria,
+  or    [2]  SET OF Criteria,
+  not   [3]  Criteria
+}
+
+CriteriaItem ::= CHOICE {
+  equality          [0]  AttributeType,
+  substrings        [1]  AttributeType,
+  greaterOrEqual    [2]  AttributeType,
+  lessOrEqual       [3]  AttributeType,
+  approximateMatch  [4]  AttributeType
+}
+
+enhancedSearchGuide ATTRIBUTE ::= {
+  WITH SYNTAX  EnhancedGuide
+  ID           id-at-enhancedSearchGuide
+}
+
+EnhancedGuide ::= SEQUENCE {
+  objectClass  [0]  OBJECT-CLASS.&id,
+  criteria     [1]  Criteria,
+  subset
+    [2]  INTEGER {baseObject(0), oneLevel(1), wholeSubtree(2)} DEFAULT oneLevel
+}
+
+businessCategory ATTRIBUTE ::= {
+  WITH SYNTAX               UnboundedDirectoryString
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-businessCategory
+}
+
+postalAddress ATTRIBUTE ::= {
+  WITH SYNTAX               PostalAddress
+  EQUALITY MATCHING RULE    caseIgnoreListMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreListSubstringsMatch
+  ID                        id-at-postalAddress
+}
+
+PostalAddress ::= SEQUENCE SIZE (1..MAX) OF UnboundedDirectoryString
+
+collectivePostalAddress ATTRIBUTE ::= {
+  SUBTYPE OF  postalAddress
+  COLLECTIVE  TRUE
+  ID          id-at-collectivePostalAddress
+}
+
+postalCode ATTRIBUTE ::= {
+  WITH SYNTAX               UnboundedDirectoryString
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-postalCode
+}
+
+collectivePostalCode ATTRIBUTE ::= {
+  SUBTYPE OF  postalCode
+  COLLECTIVE  TRUE
+  ID          id-at-collectivePostalCode
+}
+
+postOfficeBox ATTRIBUTE ::= {
+  WITH SYNTAX               UnboundedDirectoryString
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-postOfficeBox
+}
+
+collectivePostOfficeBox ATTRIBUTE ::= {
+  SUBTYPE OF  postOfficeBox
+  COLLECTIVE  TRUE
+  ID          id-at-collectivePostOfficeBox
+}
+
+physicalDeliveryOfficeName ATTRIBUTE ::= {
+  WITH SYNTAX               UnboundedDirectoryString
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-physicalDeliveryOfficeName
+}
+
+collectivePhysicalDeliveryOfficeName ATTRIBUTE ::= {
+  SUBTYPE OF  physicalDeliveryOfficeName
+  COLLECTIVE  TRUE
+  ID          id-at-collectivePhysicalDeliveryOfficeName
+}
+
+telephoneNumber ATTRIBUTE ::= {
+  WITH SYNTAX               TelephoneNumber
+  EQUALITY MATCHING RULE    telephoneNumberMatch
+  SUBSTRINGS MATCHING RULE  telephoneNumberSubstringsMatch
+  ID                        id-at-telephoneNumber
+}
+
+TelephoneNumber ::= PrintableString(SIZE (1..ub-telephone-number))
+
+-- String complying with ITU-T Rec. E.123 only
+ub-telephone-number INTEGER ::=
+  32
+
+collectiveTelephoneNumber ATTRIBUTE ::= {
+  SUBTYPE OF  telephoneNumber
+  COLLECTIVE  TRUE
+  ID          id-at-collectiveTelephoneNumber
+}
+
+telexNumber ATTRIBUTE ::= {
+  WITH SYNTAX  TelexNumber
+  ID           id-at-telexNumber
+}
+
+TelexNumber ::= SEQUENCE {
+  telexNumber  PrintableString(SIZE (1..ub-telex-number)),
+  countryCode  PrintableString(SIZE (1..ub-country-code)),
+  answerback   PrintableString(SIZE (1..ub-answerback))
+}
+
+ub-telex-number INTEGER ::= 14
+
+ub-country-code INTEGER ::= 4
+
+ub-answerback INTEGER ::= 8
+
+collectiveTelexNumber ATTRIBUTE ::= {
+  SUBTYPE OF  telexNumber
+  COLLECTIVE  TRUE
+  ID          id-at-collectiveTelexNumber
+}
+
+facsimileTelephoneNumber ATTRIBUTE ::= {
+  WITH SYNTAX               FacsimileTelephoneNumber
+  EQUALITY MATCHING RULE    facsimileNumberMatch
+  SUBSTRINGS MATCHING RULE  facsimileNumberSubstringsMatch
+  ID                        id-at-facsimileTelephoneNumber
+}
+
+FacsimileTelephoneNumber ::= SEQUENCE {
+  telephoneNumber  TelephoneNumber,
+  parameters       G3FacsimileNonBasicParameters OPTIONAL
+}
+
+collectiveFacsimileTelephoneNumber ATTRIBUTE ::= {
+  SUBTYPE OF  facsimileTelephoneNumber
+  COLLECTIVE  TRUE
+  ID          id-at-collectiveFacsimileTelephoneNumber
+}
+
+x121Address ATTRIBUTE ::= {
+  WITH SYNTAX               X121Address
+  EQUALITY MATCHING RULE    numericStringMatch
+  SUBSTRINGS MATCHING RULE  numericStringSubstringsMatch
+  ID                        id-at-x121Address
+}
+
+X121Address ::= NumericString(SIZE (1..ub-x121-address))
+
+-- String as defined by ITU-T Rec. X.121
+ub-x121-address INTEGER ::= 15
+
+internationalISDNNumber ATTRIBUTE ::= {
+  WITH SYNTAX               InternationalISDNNumber
+  EQUALITY MATCHING RULE    numericStringMatch
+  SUBSTRINGS MATCHING RULE  numericStringSubstringsMatch
+  ID                        id-at-internationalISDNNumber
+}
+
+InternationalISDNNumber ::=
+  NumericString(SIZE (1..ub-international-isdn-number))
+
+-- String complying with ITU-T Rec. E.164 only
+ub-international-isdn-number INTEGER ::=
+  16
+
+collectiveInternationalISDNNumber ATTRIBUTE ::= {
+  SUBTYPE OF  internationalISDNNumber
+  COLLECTIVE  TRUE
+  ID          id-at-collectiveInternationalISDNNumber
+}
+
+registeredAddress ATTRIBUTE ::= {
+  SUBTYPE OF   postalAddress
+  WITH SYNTAX  PostalAddress
+  ID           id-at-registeredAddress
+}
+
+destinationIndicator ATTRIBUTE ::= {
+  WITH SYNTAX               DestinationIndicator
+  EQUALITY MATCHING RULE    caseIgnoreMatch
+  SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
+  ID                        id-at-destinationIndicator
+}
+
+DestinationIndicator ::= PrintableString(SIZE (1..MAX))
+
+-- alphabetical characters only
+communicationsService ATTRIBUTE ::= {
+  WITH SYNTAX             CommunicationsService
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  ID                      id-at-communicationsService
+}
+
+CommunicationsService ::= OBJECT IDENTIFIER
+
+communicationsNetwork ATTRIBUTE ::= {
+  WITH SYNTAX             CommunicationsNetwork
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  SINGLE VALUE            TRUE
+  ID                      id-at-communicationsNetwork
+}
+
+CommunicationsNetwork ::= OBJECT IDENTIFIER
+
+preferredDeliveryMethod ATTRIBUTE ::= {
+  WITH SYNTAX   PreferredDeliveryMethod
+  SINGLE VALUE  TRUE
+  ID            id-at-preferredDeliveryMethod
+}
+
+PreferredDeliveryMethod ::=
+  SEQUENCE OF
+    INTEGER {any-delivery-method(0), mhs-delivery(1), physical-delivery(2),
+             telex-delivery(3), teletex-delivery(4), g3-facsimile-delivery(5),
+             g4-facsimile-delivery(6), ia5-terminal-delivery(7),
+             videotex-delivery(8), telephone-delivery(9)}
+
+presentationAddress ATTRIBUTE ::= {
+  WITH SYNTAX             PresentationAddress
+  EQUALITY MATCHING RULE  presentationAddressMatch
+  SINGLE VALUE            TRUE
+  ID                      id-at-presentationAddress
+}
+
+PresentationAddress ::= SEQUENCE {
+  pSelector   [0]  OCTET STRING OPTIONAL,
+  sSelector   [1]  OCTET STRING OPTIONAL,
+  tSelector   [2]  OCTET STRING OPTIONAL,
+  nAddresses  [3]  SET SIZE (1..MAX) OF OCTET STRING
+}
+
+supportedApplicationContext ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  ID                      id-at-supportedApplicationContext
+}
+
+protocolInformation ATTRIBUTE ::= {
+  WITH SYNTAX             ProtocolInformation
+  EQUALITY MATCHING RULE  protocolInformationMatch
+  ID                      id-at-protocolInformation
+}
+
+ProtocolInformation ::= SEQUENCE {
+  nAddress  OCTET STRING,
+  profiles  SET OF OBJECT IDENTIFIER
+}
+
+distinguishedName ATTRIBUTE ::= {
+  WITH SYNTAX             DistinguishedName
+  EQUALITY MATCHING RULE  distinguishedNameMatch
+  ID                      id-at-distinguishedName
+}
+
+member ATTRIBUTE ::= {SUBTYPE OF  distinguishedName
+                      ID          id-at-member
+}
+
+uniqueMember ATTRIBUTE ::= {
+  WITH SYNTAX             NameAndOptionalUID
+  EQUALITY MATCHING RULE  uniqueMemberMatch
+  ID                      id-at-uniqueMember
+}
+
+NameAndOptionalUID ::= SEQUENCE {
+  dn   DistinguishedName,
+  uid  UniqueIdentifier OPTIONAL
+}
+
+owner ATTRIBUTE ::= {SUBTYPE OF  distinguishedName
+                     ID          id-at-owner
+}
+
+roleOccupant ATTRIBUTE ::= {
+  SUBTYPE OF  distinguishedName
+  ID          id-at-roleOccupant
+}
+
+seeAlso ATTRIBUTE ::= {SUBTYPE OF  distinguishedName
+                       ID          id-at-seeAlso
+}
+
+dmdName ATTRIBUTE ::= {
+  SUBTYPE OF   name
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-dmdName
+}
+
+--  Attributes for tag-based identification
+tagOid ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  SINGLE VALUE            TRUE
+  ID                      id-at-tagOid
+}
+
+uiiFormat ATTRIBUTE ::= {
+  WITH SYNTAX   UnboundedDirectoryString
+  SINGLE VALUE  TRUE
+  ID            id-at-uiiFormat
+}
+
+uiiInUrn ATTRIBUTE ::= {
+  WITH SYNTAX             UTF8String
+  EQUALITY MATCHING RULE  caseExactMatch
+  SINGLE VALUE            TRUE
+  ID                      id-at-uiiInUrn
+}
+
+contentUri ATTRIBUTE ::= {
+  WITH SYNTAX  UnboundedDirectoryString
+  ID           id-at-contentUri
+}
+
+-- Notification attributes
+dSAProblem ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  ID                      id-not-dSAProblem
+}
+
+searchServiceProblem ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  SINGLE VALUE            TRUE
+  ID                      id-not-searchServiceProblem
+}
+
+serviceType ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  SINGLE VALUE            TRUE
+  ID                      id-not-serviceType
+}
+
+attributeTypeList ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  ID                      id-not-attributeTypeList
+}
+
+matchingRuleList ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  ID                      id-not-matchingRuleList
+}
+
+filterItem ATTRIBUTE ::= {
+  WITH SYNTAX  FilterItem
+  ID           id-not-filterItem
+}
+
+attributeCombinations ATTRIBUTE ::= {
+  WITH SYNTAX  AttributeCombination
+  ID           id-not-attributeCombinations
+}
+
+contextTypeList ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  ID                      id-not-contextTypeList
+}
+
+contextList ATTRIBUTE ::= {
+  WITH SYNTAX  ContextAssertion
+  ID           id-not-contextList
+}
+
+contextCombinations ATTRIBUTE ::= {
+  WITH SYNTAX  ContextCombination
+  ID           id-not-contextCombinations
+}
+
+hierarchySelectList ATTRIBUTE ::= {
+  WITH SYNTAX   HierarchySelections
+  SINGLE VALUE  TRUE
+  ID            id-not-hierarchySelectList
+}
+
+searchControlOptionsList ATTRIBUTE ::= {
+  WITH SYNTAX   SearchControlOptions
+  SINGLE VALUE  TRUE
+  ID            id-not-searchControlOptionsList
+}
+
+serviceControlOptionsList ATTRIBUTE ::= {
+  WITH SYNTAX   ServiceControlOptions
+  SINGLE VALUE  TRUE
+  ID            id-not-serviceControlOptionsList
+}
+
+multipleMatchingLocalities ATTRIBUTE ::= {
+  WITH SYNTAX  MultipleMatchingLocalities
+  ID           id-not-multipleMatchingLocalities
+}
+
+MultipleMatchingLocalities ::= SEQUENCE {
+  matchingRuleUsed  MATCHING-RULE.&id OPTIONAL,
+  attributeList     SEQUENCE OF AttributeValueAssertion
+}
+
+proposedRelaxation ATTRIBUTE ::= {
+  WITH SYNTAX  MRMappings
+  ID           id-not-proposedRelaxation
+}
+
+MRMappings ::= SEQUENCE OF MRMapping
+
+appliedRelaxation ATTRIBUTE ::= {
+  WITH SYNTAX             OBJECT IDENTIFIER
+  EQUALITY MATCHING RULE  objectIdentifierMatch
+  ID                      id-not-appliedRelaxation
+}
+
+-- Matching rules
+caseExactMatch MATCHING-RULE ::= {
+  SYNTAX  UnboundedDirectoryString
+  ID      id-mr-caseExactMatch
+}
+
+caseIgnoreMatch MATCHING-RULE ::= {
+  SYNTAX  UnboundedDirectoryString
+  ID      id-mr-caseIgnoreMatch
+}
+
+caseExactOrderingMatch MATCHING-RULE ::= {
+  SYNTAX  UnboundedDirectoryString
+  ID      id-mr-caseExactOrderingMatch
+}
+
+caseIgnoreOrderingMatch MATCHING-RULE ::= {
+  SYNTAX  UnboundedDirectoryString
+  ID      id-mr-caseIgnoreOrderingMatch
+}
+
+caseExactSubstringsMatch MATCHING-RULE ::= {
+  SYNTAX  SubstringAssertion -- only the PrintableString choice
+  ID      id-mr-caseExactSubstringsMatch
+}
+
+caseIgnoreSubstringsMatch MATCHING-RULE ::= {
+  SYNTAX  SubstringAssertion
+  ID      id-mr-caseIgnoreSubstringsMatch
+}
+
+SubstringAssertion ::=
+  SEQUENCE OF
+    CHOICE {initial  [0]  UnboundedDirectoryString,
+            any      [1]  UnboundedDirectoryString,
+            final    [2]  UnboundedDirectoryString,
+            control  Attribute{{SupportedAttributes}}
+    } --  Used to specify interpretation of the following items
+
+-- at most one initial and one final component
+numericStringMatch MATCHING-RULE ::= {
+  SYNTAX  NumericString
+  ID      id-mr-numericStringMatch
+}
+
+numericStringOrderingMatch MATCHING-RULE ::= {
+  SYNTAX  NumericString
+  ID      id-mr-numericStringOrderingMatch
+}
+
+numericStringSubstringsMatch MATCHING-RULE ::= {
+  SYNTAX  SubstringAssertion
+  ID      id-mr-numericStringSubstringsMatch
+}
+
+caseIgnoreListMatch MATCHING-RULE ::= {
+  SYNTAX  CaseIgnoreList
+  ID      id-mr-caseIgnoreListMatch
+}
+
+CaseIgnoreList ::= SEQUENCE OF UnboundedDirectoryString
+
+caseIgnoreListSubstringsMatch MATCHING-RULE ::= {
+  SYNTAX  SubstringAssertion
+  ID      id-mr-caseIgnoreListSubstringsMatch
+}
+
+storedPrefixMatch MATCHING-RULE ::= {
+  SYNTAX  UnboundedDirectoryString
+  ID      id-mr-storedPrefixMatch
+}
+
+booleanMatch MATCHING-RULE ::= {SYNTAX  BOOLEAN
+                                ID      id-mr-booleanMatch
+}
+
+integerMatch MATCHING-RULE ::= {SYNTAX  INTEGER
+                                ID      id-mr-integerMatch
+}
+
+integerOrderingMatch MATCHING-RULE ::= {
+  SYNTAX  INTEGER
+  ID      id-mr-integerOrderingMatch
+}
+
+bitStringMatch MATCHING-RULE ::= {
+  SYNTAX  BIT STRING
+  ID      id-mr-bitStringMatch
+}
+
+octetStringMatch MATCHING-RULE ::= {
+  SYNTAX  OCTET STRING
+  ID      id-mr-octetStringMatch
+}
+
+octetStringOrderingMatch MATCHING-RULE ::= {
+  SYNTAX  OCTET STRING
+  ID      id-mr-octetStringOrderingMatch
+}
+
+octetStringSubstringsMatch MATCHING-RULE ::= {
+  SYNTAX  OctetSubstringAssertion
+  ID      id-mr-octetStringSubstringsMatch
+}
+
+OctetSubstringAssertion ::=
+  SEQUENCE OF
+    CHOICE {initial  [0]  OCTET STRING,
+            any      [1]  OCTET STRING,
+            final    [2]  OCTET STRING}
+
+-- at most one initial and one final component
+telephoneNumberMatch MATCHING-RULE ::= {
+  SYNTAX  TelephoneNumber
+  ID      id-mr-telephoneNumberMatch
+}
+
+telephoneNumberSubstringsMatch MATCHING-RULE ::= {
+  SYNTAX  SubstringAssertion
+  ID      id-mr-telephoneNumberSubstringsMatch
+}
+
+presentationAddressMatch MATCHING-RULE ::= {
+  SYNTAX  PresentationAddress
+  ID      id-mr-presentationAddressMatch
+}
+
+uniqueMemberMatch MATCHING-RULE ::= {
+  SYNTAX  NameAndOptionalUID
+  ID      id-mr-uniqueMemberMatch
+}
+
+protocolInformationMatch MATCHING-RULE ::= {
+  SYNTAX  OCTET STRING
+  ID      id-mr-protocolInformationMatch
+}
+
+facsimileNumberMatch MATCHING-RULE ::= {
+  SYNTAX  TelephoneNumber
+  ID      id-mr-facsimileNumberMatch
+}
+
+facsimileNumberSubstringsMatch MATCHING-RULE ::= {
+  SYNTAX  SubstringAssertion
+  ID      id-mr-facsimileNumberSubstringsMatch
+}
+
+uUIDPairMatch MATCHING-RULE ::= {SYNTAX  UUIDPair
+                                 ID      id-mr-uuidpairmatch
+}
+
+uTCTimeMatch MATCHING-RULE ::= {SYNTAX  UTCTime
+                                ID      id-mr-uTCTimeMatch
+}
+
+uTCTimeOrderingMatch MATCHING-RULE ::= {
+  SYNTAX  UTCTime
+  ID      id-mr-uTCTimeOrderingMatch
+}
+
+generalizedTimeMatch MATCHING-RULE ::= {
+  SYNTAX  GeneralizedTime
+  -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
+  ID      id-mr-generalizedTimeMatch
+}
+
+generalizedTimeOrderingMatch MATCHING-RULE ::= {
+  SYNTAX  GeneralizedTime
+  -- as per 46.3 b) or c) of ITU-T Rec. X.680 | ISO/IEC 8824-1
+  ID      id-mr-generalizedTimeOrderingMatch
+}
+
+systemProposedMatch MATCHING-RULE ::= {ID  id-mr-systemProposedMatch
+}
+
+integerFirstComponentMatch MATCHING-RULE ::= {
+  SYNTAX  INTEGER
+  ID      id-mr-integerFirstComponentMatch
+}
+
+objectIdentifierFirstComponentMatch MATCHING-RULE ::= {
+  SYNTAX  OBJECT IDENTIFIER
+  ID      id-mr-objectIdentifierFirstComponentMatch
+}
+
+directoryStringFirstComponentMatch MATCHING-RULE ::= {
+  SYNTAX  UnboundedDirectoryString
+  ID      id-mr-directoryStringFirstComponentMatch
+}
+
+wordMatch MATCHING-RULE ::= {
+  SYNTAX  UnboundedDirectoryString
+  ID      id-mr-wordMatch
+}
+
+keywordMatch MATCHING-RULE ::= {
+  SYNTAX  UnboundedDirectoryString
+  ID      id-mr-keywordMatch
+}
+
+generalWordMatch MATCHING-RULE ::= {
+  SYNTAX  SubstringAssertion
+  ID      id-mr-generalWordMatch
+}
+
+sequenceMatchType ATTRIBUTE ::= {
+  WITH SYNTAX   SequenceMatchType
+  SINGLE VALUE  TRUE
+  ID            id-cat-sequenceMatchType
+} -- defaulting to sequenceExact
+
+SequenceMatchType ::= ENUMERATED {
+  sequenceExact(0), sequenceDeletion(1), sequenceRestrictedDeletion(2),
+  sequencePermutation(3), sequencePermutationAndDeletion(4),
+  sequenceProviderDefined(5)}
+
+wordMatchTypes ATTRIBUTE ::= {
+  WITH SYNTAX   WordMatchTypes
+  SINGLE VALUE  TRUE
+  ID            id-cat-wordMatchType
+} -- defaulting to wordExact
+
+WordMatchTypes ::= ENUMERATED {
+  wordExact(0), wordTruncated(1), wordPhonetic(2), wordProviderDefined(3)
+}
+
+characterMatchTypes ATTRIBUTE ::= {
+  WITH SYNTAX   CharacterMatchTypes
+  SINGLE VALUE  TRUE
+  ID            id-cat-characterMatchTypes
+}
+
+CharacterMatchTypes ::= ENUMERATED {
+  characterExact(0), characterCaseIgnore(1), characterMapped(2)}
+
+selectedContexts ATTRIBUTE ::= {
+  WITH SYNTAX  ContextAssertion
+  ID           id-cat-selectedContexts
+}
+
+approximateStringMatch MATCHING-RULE ::= {ID  id-mr-approximateStringMatch
+}
+
+ignoreIfAbsentMatch MATCHING-RULE ::= {ID  id-mr-ignoreIfAbsentMatch
+}
+
+nullMatch MATCHING-RULE ::= {ID  id-mr-nullMatch
+}
+
+ZONAL-MATCHING ::=
+  MAPPING-BASED-MATCHING{ZonalSelect, TRUE, ZonalResult, zonalMatch.&id}
+
+ZonalSelect ::= SEQUENCE OF AttributeType
+
+ZonalResult ::= ENUMERATED {
+  cannot-select-mapping(0), zero-mappings(2), multiple-mappings(3)}
+
+zonalMatch MATCHING-RULE ::= {
+  UNIQUE-MATCH-INDICATOR  multipleMatchingLocalities
+  ID                      id-mr-zonalMatch
+}
+
+-- Contexts
+languageContext CONTEXT ::= {
+  WITH SYNTAX  LanguageContextSyntax
+  ID           id-avc-language
+}
+
+LanguageContextSyntax ::= PrintableString(SIZE (2..3)) -- ISO 639-2 codes only
+
+
+temporalContext CONTEXT ::= {
+  WITH SYNTAX  TimeSpecification
+  ASSERTED AS  TimeAssertion
+  ID           id-avc-temporal
+}
+
+TimeSpecification ::= SEQUENCE {
+  time
+    CHOICE {absolute
+              SEQUENCE {startTime  [0]  GeneralizedTime OPTIONAL,
+                        endTime    [1]  GeneralizedTime OPTIONAL},
+            periodic  SET SIZE (1..MAX) OF Period},
+  notThisTime  BOOLEAN DEFAULT FALSE,
+  timeZone     TimeZone OPTIONAL
+}
+
+Period ::= SEQUENCE {
+  timesOfDay  [0]  SET SIZE (1..MAX) OF DayTimeBand OPTIONAL,
+  days
+    [1]  CHOICE {intDay  SET OF INTEGER,
+                 bitDay
+                   BIT STRING {sunday(0), monday(1), tuesday(2), wednesday(3),
+                               thursday(4), friday(5), saturday(6)},
+                 dayOf   XDayOf} OPTIONAL,
+  weeks
+    [2]  CHOICE {allWeeks  NULL,
+                 intWeek   SET OF INTEGER,
+                 bitWeek
+                   BIT STRING {week1(0), week2(1), week3(2), week4(3), week5(4)}
+  } OPTIONAL,
+  months
+    [3]  CHOICE {allMonths  NULL,
+                 intMonth   SET OF INTEGER,
+                 bitMonth
+                   BIT STRING {january(0), february(1), march(2), april(3),
+                               may(4), june(5), july(6), august(7),
+                               september(8), october(9), november(10),
+                               december(11)}} OPTIONAL,
+  years       [4]  SET OF INTEGER(1000..MAX) OPTIONAL
+}
+
+XDayOf ::= CHOICE {
+  first   [1]  NamedDay,
+  second  [2]  NamedDay,
+  third   [3]  NamedDay,
+  fourth  [4]  NamedDay,
+  fifth   [5]  NamedDay
+}
+
+NamedDay ::= CHOICE {
+  intNamedDays
+    ENUMERATED {sunday(1), monday(2), tuesday(3), wednesday(4), thursday(5),
+                friday(6), saturday(7)},
+  bitNamedDays
+    BIT STRING {sunday(0), monday(1), tuesday(2), wednesday(3), thursday(4),
+                friday(5), saturday(6)}
+}
+
+DayTimeBand ::= SEQUENCE {
+  startDayTime  [0]  DayTime DEFAULT {hour 0},
+  endDayTime    [1]  DayTime DEFAULT {hour 23, minute 59, second 59}
+}
+
+DayTime ::= SEQUENCE {
+  hour    [0]  INTEGER(0..23),
+  minute  [1]  INTEGER(0..59) DEFAULT 0,
+  second  [2]  INTEGER(0..59) DEFAULT 0
+}
+
+TimeZone ::= INTEGER(-12..12)
+
+TimeAssertion ::= CHOICE {
+  now      NULL,
+  at       GeneralizedTime,
+  between
+    SEQUENCE {startTime  [0]  GeneralizedTime,
+              endTime    [1]  GeneralizedTime OPTIONAL,
+              entirely   BOOLEAN DEFAULT FALSE}
+}
+
+localeContext CONTEXT ::= {
+  WITH SYNTAX  LocaleContextSyntax
+  ID           id-avc-locale
+}
+
+LocaleContextSyntax ::= CHOICE {
+  localeID1  OBJECT IDENTIFIER,
+  localeID2  UnboundedDirectoryString
+}
+
+ldapAttributeOptionContext CONTEXT ::= {
+  WITH SYNTAX   AttributeOptionList
+  ASSERTED AS   AttributeOptionList
+  ABSENT-MATCH  FALSE
+  ID            id-avc-ldapAttributeOption
+}
+
+AttributeOptionList ::= SEQUENCE OF UTF8String
+
+-- Object identifier assignments
+-- object identifiers assigned in other modules are shown in comments
+-- Attributes
+-- id-at-objectClass							OBJECT IDENTIFIER	::=	{id-at 0}
+-- id-at-aliasedEntryName					OBJECT IDENTIFIER	::=	{id-at 1}
+-- id-at-encryptedAliasedEntryName				OBJECT IDENTIFIER	::=	{id-at 1 2}
+id-at-knowledgeInformation OBJECT IDENTIFIER ::=
+  {id-at 2}
+
+id-at-commonName OBJECT IDENTIFIER ::= {id-at 3}
+
+-- id-at-encryptedCommonName 				OBJECT IDENTIFIER	::=	{id-at 3 2}
+id-at-surname OBJECT IDENTIFIER ::=
+  {id-at 4}
+
+-- id-at-encryptedSurname 					OBJECT IDENTIFIER	::=	{id-at 4 2}
+id-at-serialNumber OBJECT IDENTIFIER ::=
+  {id-at 5}
+
+-- id-at-encryptedSerialNumbe   r				OBJECT IDENTIFIER	::=	{id-at 5 2}
+id-at-countryName OBJECT IDENTIFIER ::=
+  {id-at 6}
+
+-- id-at-encryptedCountryName   				OBJECT IDENTIFIER	::=	{id-at 6 2}
+id-at-localityName OBJECT IDENTIFIER ::=
+  {id-at 7}
+
+-- id-at-encryptedLocalityName    	 			OBJECT IDENTIFIER	::=	{id-at 7 2}
+id-at-collectiveLocalityName OBJECT IDENTIFIER ::=
+  {id-at 7 1}
+
+-- id-at-encryptedCollectiveLocalityName			OBJECT IDENTIFIER	::=	{id-at 7 1 2}
+id-at-stateOrProvinceName OBJECT IDENTIFIER ::=
+  {id-at 8}
+
+-- id-at-encryptedStateOrProvinceName			OBJECT IDENTIFIER	::=	{id-at 8 2}
+id-at-collectiveStateOrProvinceName OBJECT IDENTIFIER ::=
+  {id-at 8 1}
+
+-- id-at-encryptedCollectiveStateOrProvinceName   	OBJECT IDENTIFIER	::=	{id-at 8 1 2}
+id-at-streetAddress OBJECT IDENTIFIER ::=
+  {id-at 9}
+
+-- id-at-encryptedStreetAddress    				OBJECT IDENTIFIER	::=	{id-at 9 2}
+id-at-collectiveStreetAddress OBJECT IDENTIFIER ::=
+  {id-at 9 1}
+
+-- id-at-encryptedCollectiveStreetAddress			OBJECT IDENTIFIER	::=	{id-at 9 1 2}
+id-at-organizationName OBJECT IDENTIFIER ::=
+  {id-at 10}
+
+-- id-at-encryptedOrganizationName				OBJECT IDENTIFIER	::=	{id-at 10 2}
+id-at-collectiveOrganizationName OBJECT IDENTIFIER ::=
+  {id-at 10 1}
+
+-- id-at-encryptedCollectiveOrganizationName		OBJECT IDENTIFIER	::=	{id-at 10 1 2}
+id-at-organizationalUnitName OBJECT IDENTIFIER ::=
+  {id-at 11}
+
+-- id-at-encryptedOrganizationalUnitName			OBJECT IDENTIFIER	::=	{id-at 11 2}
+id-at-collectiveOrganizationalUnitName OBJECT IDENTIFIER ::=
+  {id-at 11 1}
+
+-- id-at-encryptedCollectiveOrganizationalUnitNam    	OBJECT IDENTIFIER	::=	{id-at 11 1 2}
+id-at-title OBJECT IDENTIFIER ::=
+  {id-at 12}
+
+-- id-at-encryptedTitle						OBJECT IDENTIFIER	::=	{id-at 12 2}
+id-at-description OBJECT IDENTIFIER ::=
+  {id-at 13}
+
+-- id-at-encryptedDescription					OBJECT IDENTIFIER	::=	{id-at 13 2}
+id-at-searchGuide OBJECT IDENTIFIER ::=
+  {id-at 14}
+
+-- id-at-encryptedSearchGuide					OBJECT IDENTIFIER	::=	{id-at 14 2}
+id-at-businessCategory OBJECT IDENTIFIER ::=
+  {id-at 15}
+
+-- id-at-encryptedBusinessCategory				OBJECT IDENTIFIER	::=	{id-at 15 2}
+id-at-postalAddress OBJECT IDENTIFIER ::=
+  {id-at 16}
+
+-- id-at-encryptedPostalAddress					OBJECT IDENTIFIER	::=	{id-at 16 2}
+id-at-collectivePostalAddress OBJECT IDENTIFIER ::=
+  {id-at 16 1}
+
+-- id-at-encryptedCollectivePostalAddress			OBJECT IDENTIFIER	::=	{id-at 16 1 2}
+id-at-postalCode OBJECT IDENTIFIER ::=
+  {id-at 17}
+
+-- id-at-encryptedPostalCode					OBJECT IDENTIFIER	::=	{id-at 17 2}
+id-at-collectivePostalCode OBJECT IDENTIFIER ::=
+  {id-at 17 1}
+
+-- id-at-encryptedCollectivePostalCode			OBJECT IDENTIFIER	::=	{id-at 17 1 2}
+id-at-postOfficeBox OBJECT IDENTIFIER ::=
+  {id-at 18}
+
+id-at-collectivePostOfficeBox OBJECT IDENTIFIER ::= {id-at 18 1}
+
+-- id-at-encryptedPostOfficeBox   				OBJECT IDENTIFIER	::=	{id-at 18 2}
+-- id-at-encryptedCollectivePostOfficeBox			OBJECT IDENTIFIER	::=	{id-at 18 1 2}
+id-at-physicalDeliveryOfficeName OBJECT IDENTIFIER ::=
+  {id-at 19}
+
+id-at-collectivePhysicalDeliveryOfficeName OBJECT IDENTIFIER ::= {id-at 19 1}
+
+-- id-at-encryptedPhysicalDeliveryOfficeName		OBJECT IDENTIFIER	::=	{id-at 19 2}
+-- id-at-encryptedCollectivePhysicalDeliveryOfficeName	OBJECT IDENTIFIER	::=	{id-at 19 1 2}
+id-at-telephoneNumber OBJECT IDENTIFIER ::=
+  {id-at 20}
+
+-- id-at-encryptedTelephoneNumber				OBJECT IDENTIFIER	::=	{id-at 20 2}
+id-at-collectiveTelephoneNumber OBJECT IDENTIFIER ::=
+  {id-at 20 1}
+
+-- id-at-encryptedCollectiveTelephoneNumber		OBJECT IDENTIFIER	::=	{id-at 20 1 2}
+id-at-telexNumber OBJECT IDENTIFIER ::=
+  {id-at 21}
+
+-- id-at-encryptedTelexNumber					OBJECT IDENTIFIER	::=	{id-at 21 2}
+id-at-collectiveTelexNumber OBJECT IDENTIFIER ::=
+  {id-at 21 1}
+
+-- id-at-encryptedCollectiveTelexNumber			OBJECT IDENTIFIER	::=	{id-at 21 1 2}
+-- id-at-teletexTerminalIdentifier   				OBJECT IDENTIFIER	::=	{id-at 22}
+-- id-at-encryptedTeletexTerminalIdentifier			OBJECT IDENTIFIER	::=	{id-at 22 2}
+-- id-at-collectiveTeletexTerminalIdentifier			OBJECT IDENTIFIER	::=	{id-at 22 1}
+-- id-at-encryptedCollectiveTeletexTerminalIdentifier	OBJECT IDENTIFIER	::=	{id-at 22 1 2}
+id-at-facsimileTelephoneNumber OBJECT IDENTIFIER ::=
+  {id-at 23}
+
+-- id-at-encryptedFacsimileTelephoneNumber		OBJECT IDENTIFIER	::=	{id-at 23 2}
+id-at-collectiveFacsimileTelephoneNumber OBJECT IDENTIFIER ::=
+  {id-at 23 1}
+
+-- id-at-encryptedCollectiveFacsimileTelephoneNumber	OBJECT IDENTIFIER	::=	{id-at 23 1 2}
+id-at-x121Address OBJECT IDENTIFIER ::=
+  {id-at 24}
+
+-- id-at-encryptedX121Address    	 			OBJECT IDENTIFIER	::=	{id-at 24 2}
+id-at-internationalISDNNumber OBJECT IDENTIFIER ::=
+  {id-at 25}
+
+-- id-at-encryptedInternationalISDNNumber			OBJECT IDENTIFIER	::=	{id-at 25 2}
+id-at-collectiveInternationalISDNNumber OBJECT IDENTIFIER ::=
+  {id-at 25 1}
+
+-- id-at-encryptedCollectiveInternationalISDNNumber	OBJECT IDENTIFIER	::=	{id-at 25 1 2}
+id-at-registeredAddress OBJECT IDENTIFIER ::=
+  {id-at 26}
+
+-- id-at-encryptedRegisteredAddress				OBJECT IDENTIFIER	::=	{id-at 26 2}
+id-at-destinationIndicator OBJECT IDENTIFIER ::=
+  {id-at 27}
+
+-- id-at-encryptedDestinationIndicator   			OBJECT IDENTIFIER	::=	{id-at 27 2}
+id-at-preferredDeliveryMethod OBJECT IDENTIFIER ::=
+  {id-at 28}
+
+-- id-at-encryptedPreferredDeliveryMethod			OBJECT IDENTIFIER	::=	{id-at 28 2}
+id-at-presentationAddress OBJECT IDENTIFIER ::=
+  {id-at 29}
+
+-- id-at-encryptedPresentationAddress				OBJECT IDENTIFIER	::=	{id-at 29 2}
+id-at-supportedApplicationContext OBJECT IDENTIFIER ::=
+  {id-at 30}
+
+-- id-at-encryptedSupportedApplicationContext		OBJECT IDENTIFIER	::=	{id-at 30 2}
+id-at-member OBJECT IDENTIFIER ::=
+  {id-at 31}
+
+-- id-at-encryptedMember						OBJECT IDENTIFIER	::=	{id-at 31 2}
+id-at-owner OBJECT IDENTIFIER ::=
+  {id-at 32}
+
+-- id-at-encryptedOwner						OBJECT IDENTIFIER	::=	{id-at 32 2}
+id-at-roleOccupant OBJECT IDENTIFIER ::=
+  {id-at 33}
+
+-- id-at-encryptedRoleOccupant   				OBJECT IDENTIFIER	::=	{id-at 33 2}
+id-at-seeAlso OBJECT IDENTIFIER ::=
+  {id-at 34}
+
+-- id-at-encryptedSeeAlso	 					OBJECT IDENTIFIER	::=	{id-at 34 2}
+-- id-at-userPassword						OBJECT IDENTIFIER	::=	{id-at 35}	X.509|Part8
+-- id-at-encryptedUserPassword					OBJECT IDENTIFIER	::=	{id-at 35 2}
+-- id-at-userCertificate						OBJECT IDENTIFIER	::=	{id-at 36} 	X.509|Part8
+-- id-at-encryptedUserCertificate				OBJECT IDENTIFIER	::=	{id-at 36 2}
+-- id-at-cACertificate						OBJECT IDENTIFIER	::=	{id-at 37} 	X.509|Part8
+-- id-at-encryptedCACertificate    	 			OBJECT IDENTIFIER	::=	{id-at 37 2}
+-- id-at-authorityRevocationList    				OBJECT IDENTIFIER	::=	{id-at 38} 	X.509|Part8
+-- id-at-encryptedAuthorityRevocationList			OBJECT IDENTIFIER	::=	{id-at 38 2}
+-- id-at-certificateRevocationList   				OBJECT IDENTIFIER	::=	{id-at 39} 	X.509|Part8
+-- id-at-encryptedCertificateRevocationList	 		OBJECT IDENTIFIER	::=	{id-at 39 2}
+-- id-at-crossCertificatePair					OBJECT IDENTIFIER	::=	{id-at 40} 	X.509|Part8
+-- id-at-encryptedCrossCertificatePair   			OBJECT IDENTIFIER	::=	{id-at 40 2}
+id-at-name OBJECT IDENTIFIER ::=
+  {id-at 41}
+
+id-at-givenName OBJECT IDENTIFIER ::= {id-at 42}
+
+-- id-at-encryptedGivenName					OBJECT IDENTIFIER	::=	{id-at 42 2}
+id-at-initials OBJECT IDENTIFIER ::=
+  {id-at 43}
+
+-- id-at-encryptedInitials						OBJECT IDENTIFIER	::=	{id-at 43 2}
+id-at-generationQualifier OBJECT IDENTIFIER ::=
+  {id-at 44}
+
+-- id-at-encryptedGenerationQualifier    	 		OBJECT IDENTIFIER	::=	{id-at 44 2}
+id-at-uniqueIdentifier OBJECT IDENTIFIER ::=
+  {id-at 45}
+
+-- id-at-encryptedUniqueIdentifier				OBJECT IDENTIFIER	::=	{id-at 45 2}
+id-at-dnQualifier OBJECT IDENTIFIER ::=
+  {id-at 46}
+
+-- id-at-encryptedDnQualifier					OBJECT IDENTIFIER	::=	{id-at 46 2}
+id-at-enhancedSearchGuide OBJECT IDENTIFIER ::=
+  {id-at 47}
+
+-- id-at-encryptedEnhancedSearchGuide			OBJECT IDENTIFIER	::=	{id-at 47 2}
+id-at-protocolInformation OBJECT IDENTIFIER ::=
+  {id-at 48}
+
+-- id-at-encryptedProtocolInformation				OBJECT IDENTIFIER	::=	{id-at 48 2}
+id-at-distinguishedName OBJECT IDENTIFIER ::=
+  {id-at 49}
+
+-- id-at-encryptedDistinguishedName   			OBJECT IDENTIFIER	::=	{id-at 49 2}
+id-at-uniqueMember OBJECT IDENTIFIER ::=
+  {id-at 50}
+
+-- id-at-encryptedUniqueMember				OBJECT IDENTIFIER	::=	{id-at 50 2}
+id-at-houseIdentifier OBJECT IDENTIFIER ::=
+  {id-at 51}
+
+-- id-at-encryptedHouseIdentifier				OBJECT IDENTIFIER	::=	{id-at 51 2}
+-- id-at-supportedAlgorithms					OBJECT IDENTIFIER	::=	{id-at 52} 	X.509|Part8
+-- id-at-encryptedSupportedAlgorithms				OBJECT IDENTIFIER	::=	{id-at 52 2}
+-- id-at-deltaRevocationList					OBJECT IDENTIFIER	::=	{id-at 53} 	X.509|Part8
+-- id-at-encryptedDeltaRevocationList    			OBJECT IDENTIFIER	::=	{id-at 53 2}
+id-at-dmdName OBJECT IDENTIFIER ::=
+  {id-at 54}
+
+-- id-at-encryptedDmdName					OBJECT IDENTIFIER	::=	{id-at 54 2}
+-- id-at-clearance	 						OBJECT IDENTIFIER	::=	{id-at 55}
+-- id-at-encryptedClearance					OBJECT IDENTIFIER	::=	{id-at 55 2}
+-- id-at-defaultDirQop						OBJECT IDENTIFIER	::=	{id-at 56}
+-- id-at-encryptedDefaultDirQop   				OBJECT IDENTIFIER	::=	{id-at 56 2}
+-- id-at-attributeIntegrityInfo					OBJECT IDENTIFIER	::=	{id-at 57}
+-- id-at-encryptedAttributeIntegrityInfo   			OBJECT IDENTIFIER	::=	{id-at 57 2}
+-- id-at-attributeCertificate						OBJECT IDENTIFIER	::=	{id-at 58} 	X.509|Part8
+-- id-at-encryptedAttributeCertificate				OBJECT IDENTIFIER	::=	{id-at 58 2}
+-- id-at-attributeCertificateRevocationList			OBJECT IDENTIFIER	::=	{id-at 59} 	X.509|Part8
+-- id-at-encryptedAttributeCertificateRevocationList   	OBJECT IDENTIFIER	::=	{id-at 59 2}
+-- id-at-confKeyInfo							OBJECT IDENTIFIER	::=	{id-at 60}
+-- id-at-encryptedConfKeyInfo					OBJECT IDENTIFIER	::=	{id-at 60 2}
+-- id-at-aACertificate						OBJECT IDENTIFIER	::=	{id-at 61} 	X.509|Part8
+-- id-at-attributeDescriptorCertificate				OBJECT IDENTIFIER	::=	{id-at 62} 	X.509|Part8
+-- id-at-attributeAuthorityRevocationList			OBJECT IDENTIFIER	::=	{id-at 63} 	X.509|Part8
+-- id-at-family-information	 					OBJECT IDENTIFIER	::=	{id-at 64}
+id-at-pseudonym OBJECT IDENTIFIER ::=
+  {id-at 65}
+
+id-at-communicationsService OBJECT IDENTIFIER ::= {id-at 66}
+
+id-at-communicationsNetwork OBJECT IDENTIFIER ::= {id-at 67}
+
+-- id-at-certificationPracticeStmt   				OBJECT IDENTIFIER	::=	{id-at 68} 	X.509|Part8
+-- id-at-certificatePolicy						OBJECT IDENTIFIER	::=	{id-at 69} 	X.509|Part8
+-- id-at-pkiPath							OBJECT IDENTIFIER	::=	{id-at 70} 	X.509|Part8
+-- id-at-privPolicy							OBJECT IDENTIFIER	::=	{id-at 71} 	X.509|Part8
+-- id-at-role    							OBJECT IDENTIFIER	::=	{id-at 72} 	X.509|Part8
+-- id-at-delegationPath						OBJECT IDENTIFIER	::=	{id-at 73} 	X.509|Part8
+-- id-at-protPrivPolicy						OBJECT IDENTIFIER	::=	{id-at 74} 	X.509|Part8
+-- id-at-xMLPrivilegeInfo 						OBJECT IDENTIFIER	::=	{id-at 75} 	X.509|Part8
+-- id-at-xmlPrivPolicy						OBJECT IDENTIFIER	::=	{id-at 76} 	X.509|Part8
+id-at-uuidpair OBJECT IDENTIFIER ::=
+  {id-at 77}
+
+id-at-tagOid OBJECT IDENTIFIER ::= {id-at 78}
+
+id-at-uiiFormat OBJECT IDENTIFIER ::= {id-at 79}
+
+id-at-uiiInUrn OBJECT IDENTIFIER ::= {id-at 80}
+
+id-at-contentUri OBJECT IDENTIFIER ::= {id-at 81}
+
+-- id-at-permission   						OBJECT IDENTIFIER	::=	{id-at 82} 	X.509|Part8
+-- Control  attributes
+id-cat-sequenceMatchType OBJECT IDENTIFIER ::=
+  {id-cat 1}
+
+id-cat-wordMatchType OBJECT IDENTIFIER ::= {id-cat 2}
+
+id-cat-characterMatchTypes OBJECT IDENTIFIER ::= {id-cat 3}
+
+id-cat-selectedContexts OBJECT IDENTIFIER ::= {id-cat 4}
+
+-- Notification attributes
+id-not-dSAProblem OBJECT IDENTIFIER ::= {id-not 0}
+
+id-not-searchServiceProblem OBJECT IDENTIFIER ::= {id-not 1}
+
+id-not-serviceType OBJECT IDENTIFIER ::= {id-not 2}
+
+id-not-attributeTypeList OBJECT IDENTIFIER ::= {id-not 3}
+
+id-not-matchingRuleList OBJECT IDENTIFIER ::= {id-not 4}
+
+id-not-filterItem OBJECT IDENTIFIER ::= {id-not 5}
+
+id-not-attributeCombinations OBJECT IDENTIFIER ::= {id-not 6}
+
+id-not-contextTypeList OBJECT IDENTIFIER ::= {id-not 7}
+
+id-not-contextList OBJECT IDENTIFIER ::= {id-not 8}
+
+id-not-contextCombinations OBJECT IDENTIFIER ::= {id-not 9}
+
+id-not-hierarchySelectList OBJECT IDENTIFIER ::= {id-not 10}
+
+id-not-searchControlOptionsList OBJECT IDENTIFIER ::= {id-not 11}
+
+id-not-serviceControlOptionsList OBJECT IDENTIFIER ::= {id-not 12}
+
+id-not-multipleMatchingLocalities OBJECT IDENTIFIER ::= {id-not 13}
+
+id-not-proposedRelaxation OBJECT IDENTIFIER ::= {id-not 14}
+
+id-not-appliedRelaxation OBJECT IDENTIFIER ::= {id-not 15}
+
+-- Problem definitions
+id-pr-targetDsaUnavailable OBJECT IDENTIFIER ::=
+  {id-pr 1}
+
+id-pr-dataSourceUnavailable OBJECT IDENTIFIER ::= {id-pr 2}
+
+id-pr-unidentifiedOperation OBJECT IDENTIFIER ::= {id-pr 3}
+
+id-pr-unavailableOperation OBJECT IDENTIFIER ::= {id-pr 4}
+
+id-pr-searchAttributeViolation OBJECT IDENTIFIER ::= {id-pr 5}
+
+id-pr-searchAttributeCombinationViolation OBJECT IDENTIFIER ::= {id-pr 6}
+
+id-pr-searchValueNotAllowed OBJECT IDENTIFIER ::= {id-pr 7}
+
+id-pr-missingSearchAttribute OBJECT IDENTIFIER ::= {id-pr 8}
+
+id-pr-searchValueViolation OBJECT IDENTIFIER ::= {id-pr 9}
+
+id-pr-attributeNegationViolation OBJECT IDENTIFIER ::= {id-pr 10}
+
+id-pr-searchValueRequired OBJECT IDENTIFIER ::= {id-pr 11}
+
+id-pr-invalidSearchValue OBJECT IDENTIFIER ::= {id-pr 12}
+
+id-pr-searchContextViolation OBJECT IDENTIFIER ::= {id-pr 13}
+
+id-pr-searchContextCombinationViolation OBJECT IDENTIFIER ::= {id-pr 14}
+
+id-pr-missingSearchContext OBJECT IDENTIFIER ::= {id-pr 15}
+
+id-pr-searchContextValueViolation OBJECT IDENTIFIER ::= {id-pr 16}
+
+id-pr-searchContextValueRequired OBJECT IDENTIFIER ::= {id-pr 17}
+
+id-pr-invalidContextSearchValue OBJECT IDENTIFIER ::= {id-pr 18}
+
+id-pr-unsupportedMatchingRule OBJECT IDENTIFIER ::= {id-pr 19}
+
+id-pr-attributeMatchingViolation OBJECT IDENTIFIER ::= {id-pr 20}
+
+id-pr-unsupportedMatchingUse OBJECT IDENTIFIER ::= {id-pr 21}
+
+id-pr-matchingUseViolation OBJECT IDENTIFIER ::= {id-pr 22}
+
+id-pr-hierarchySelectForbidden OBJECT IDENTIFIER ::= {id-pr 23}
+
+id-pr-invalidHierarchySelect OBJECT IDENTIFIER ::= {id-pr 24}
+
+id-pr-unavailableHierarchySelect OBJECT IDENTIFIER ::= {id-pr 25}
+
+id-pr-invalidSearchControlOptions OBJECT IDENTIFIER ::= {id-pr 26}
+
+id-pr-invalidServiceControlOptions OBJECT IDENTIFIER ::= {id-pr 27}
+
+id-pr-searchSubsetViolation OBJECT IDENTIFIER ::= {id-pr 28}
+
+id-pr-unmatchedKeyAttributes OBJECT IDENTIFIER ::= {id-pr 29}
+
+id-pr-ambiguousKeyAttributes OBJECT IDENTIFIER ::= {id-pr 30}
+
+id-pr-unavailableRelaxationLevel OBJECT IDENTIFIER ::= {id-pr 31}
+
+id-pr-emptyHierarchySelection OBJECT IDENTIFIER ::= {id-pr 32}
+
+id-pr-administratorImposedLimit OBJECT IDENTIFIER ::= {id-pr 33}
+
+id-pr-permanentRestriction OBJECT IDENTIFIER ::= {id-pr 34}
+
+id-pr-temporaryRestriction OBJECT IDENTIFIER ::= {id-pr 35}
+
+id-pr-relaxationNotSupported OBJECT IDENTIFIER ::= {id-pr 36}
+
+-- Matching rules
+-- id-mr-objectIdentifierMatch 					OBJECT IDENTIFIER	::=	{id-mr 0} 	X.501|Part2
+-- id-mr-distinguishedNameMatch				OBJECT IDENTIFIER	::=	{id-mr 1} 	X.501|Part2
+id-mr-caseIgnoreMatch OBJECT IDENTIFIER ::=
+  {id-mr 2}
+
+id-mr-caseIgnoreOrderingMatch OBJECT IDENTIFIER ::= {id-mr 3}
+
+id-mr-caseIgnoreSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 4}
+
+id-mr-caseExactMatch OBJECT IDENTIFIER ::= {id-mr 5}
+
+id-mr-caseExactOrderingMatch OBJECT IDENTIFIER ::= {id-mr 6}
+
+id-mr-caseExactSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 7}
+
+id-mr-numericStringMatch OBJECT IDENTIFIER ::= {id-mr 8}
+
+id-mr-numericStringOrderingMatch OBJECT IDENTIFIER ::= {id-mr 9}
+
+id-mr-numericStringSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 10}
+
+id-mr-caseIgnoreListMatch OBJECT IDENTIFIER ::= {id-mr 11}
+
+id-mr-caseIgnoreListSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 12}
+
+id-mr-booleanMatch OBJECT IDENTIFIER ::= {id-mr 13}
+
+id-mr-integerMatch OBJECT IDENTIFIER ::= {id-mr 14}
+
+id-mr-integerOrderingMatch OBJECT IDENTIFIER ::= {id-mr 15}
+
+id-mr-bitStringMatch OBJECT IDENTIFIER ::= {id-mr 16}
+
+id-mr-octetStringMatch OBJECT IDENTIFIER ::= {id-mr 17}
+
+id-mr-octetStringOrderingMatch OBJECT IDENTIFIER ::= {id-mr 18}
+
+id-mr-octetStringSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 19}
+
+id-mr-telephoneNumberMatch OBJECT IDENTIFIER ::= {id-mr 20}
+
+id-mr-telephoneNumberSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 21}
+
+id-mr-presentationAddressMatch OBJECT IDENTIFIER ::= {id-mr 22}
+
+id-mr-uniqueMemberMatch OBJECT IDENTIFIER ::= {id-mr 23}
+
+id-mr-protocolInformationMatch OBJECT IDENTIFIER ::= {id-mr 24}
+
+id-mr-uTCTimeMatch OBJECT IDENTIFIER ::= {id-mr 25}
+
+id-mr-uTCTimeOrderingMatch OBJECT IDENTIFIER ::= {id-mr 26}
+
+id-mr-generalizedTimeMatch OBJECT IDENTIFIER ::= {id-mr 27}
+
+id-mr-generalizedTimeOrderingMatch OBJECT IDENTIFIER ::= {id-mr 28}
+
+id-mr-integerFirstComponentMatch OBJECT IDENTIFIER ::= {id-mr 29}
+
+id-mr-objectIdentifierFirstComponentMatch OBJECT IDENTIFIER ::= {id-mr 30}
+
+id-mr-directoryStringFirstComponentMatch OBJECT IDENTIFIER ::= {id-mr 31}
+
+id-mr-wordMatch OBJECT IDENTIFIER ::= {id-mr 32}
+
+id-mr-keywordMatch OBJECT IDENTIFIER ::= {id-mr 33}
+
+-- id-mr-certificateExactMatch					OBJECT IDENTIFIER	::=	{id-mr 34} 	X.509|Part8
+-- id-mr-certificateMatch						OBJECT IDENTIFIER	::=	{id-mr 35} 	X.509|Part8
+-- id-mr-certificatePairExactMatch				OBJECT IDENTIFIER	::=	{id-mr 36} 	X.509|Part8
+-- id-mr-certificatePairMatch					OBJECT IDENTIFIER	::=	{id-mr 37} 	X.509|Part8
+-- id-mr-certificateListExactMatch				OBJECT IDENTIFIER	::=	{id-mr 38} 	X.509|Part8
+-- id-mr-certificateListMatch					OBJECT IDENTIFIER	::=	{id-mr 39} 	X.509|Part8
+-- id-mr-algorithmIdentifierMatch				OBJECT IDENTIFIER	::=	{id-mr 40} 	X.509|Part8
+id-mr-storedPrefixMatch OBJECT IDENTIFIER ::=
+  {id-mr 41}
+
+-- id-mr-attributeCertificateMatch				OBJECT IDENTIFIER	::=	{id-mr 42} 	X.509|Part8
+-- id-mr-readerAndKeyIDMatch   				OBJECT IDENTIFIER	::=	{id-mr 43}
+-- id-mr-attributeIntegrityMatch					OBJECT IDENTIFIER	::=	{id-mr 44}
+-- id-mr-attributeCertificateExactMatch   			OBJECT IDENTIFIER	::=	{id-mr 45} 	X.509|Part8
+-- id-mr-holderIssuerMatch					OBJECT IDENTIFIER	::=	{id-mr 46} 	X.509|Part8
+id-mr-systemProposedMatch OBJECT IDENTIFIER ::=
+  {id-mr 47}
+
+id-mr-generalWordMatch OBJECT IDENTIFIER ::= {id-mr 48}
+
+id-mr-approximateStringMatch OBJECT IDENTIFIER ::= {id-mr 49}
+
+id-mr-ignoreIfAbsentMatch OBJECT IDENTIFIER ::= {id-mr 50}
+
+id-mr-nullMatch OBJECT IDENTIFIER ::= {id-mr 51}
+
+id-mr-zonalMatch OBJECT IDENTIFIER ::= {id-mr 52}
+
+-- id-mr-authAttIdMatch						OBJECT IDENTIFIER	::=	{id-mr 53} 	X.509|Part8
+-- id-mr-roleSpecCertIdMatch					OBJECT IDENTIFIER	::=	{id-mr 54} 	X.509|Part8
+-- id-mr-basicAttConstraintsMatch				OBJECT IDENTIFIER	::=	{id-mr 55} 	X.509|Part8
+-- id-mr-delegatedNameConstraintsMatch			OBJECT IDENTIFIER	::=	{id-mr 56} 	X.509|Part8
+-- id-mr-timeSpecMatch						OBJECT IDENTIFIER	::=	{id-mr 57} 	X.509|Part8
+-- id-mr-attDescriptorMatch					OBJECT IDENTIFIER	::=	{id-mr 58} 	X.509|Part8
+-- id-mr-acceptableCertPoliciesMatch    			OBJECT IDENTIFIER	::=	{id-mr 59} 	X.509|Part8
+-- id-mr-policyMatch						OBJECT IDENTIFIER	::=	{id-mr 60} 	X.509|Part8
+-- id-mr-delegationPathMatch					OBJECT IDENTIFIER	::=	{id-mr 61} 	X.509|Part8
+-- id-mr-pkiPathMatch						OBJECT IDENTIFIER	::=	{id-mr 62} 	X.509|Part8
+id-mr-facsimileNumberMatch OBJECT IDENTIFIER ::=
+  {id-mr 63}
+
+id-mr-facsimileNumberSubstringsMatch OBJECT IDENTIFIER ::= {id-mr 64}
+
+-- id-mr-enhancedCertificateMatch				OBJECT IDENTIFIER	::=	{id-mr 65} 	X.509|Part8
+-- id-mr-sOAIdentifierMatch					OBJECT IDENTIFIER	::=	{id-mr 66} 	X.509|Part8
+-- id-mr-extensionPresenceMatch				OBJECT IDENTIFIER	::=	{id-mr 67} 	X.509|Part8
+id-mr-uuidpairmatch OBJECT IDENTIFIER ::=
+  {id-mr 68}
+
+-- id-mr-dualStringMatch   					OBJECT IDENTIFIER	::=	{id-mr 69} 	X.509|Part8
+-- contexts
+id-avc-language OBJECT IDENTIFIER ::=
+  {id-avc 0}
+
+id-avc-temporal OBJECT IDENTIFIER ::= {id-avc 1}
+
+id-avc-locale OBJECT IDENTIFIER ::= {id-avc 2}
+
+-- id-avc-attributeValueSecurityLabelContext 		OBJECT IDENTIFIER	::=	{id-avc 3}
+-- id-avc-attributeValueIntegrityInfoContext			OBJECT IDENTIFIER	::=	{id-avc 4}
+id-avc-ldapAttributeOption OBJECT IDENTIFIER ::=
+  {id-avc 5}
+
+END -- SelectedAttributeTypes
diff --git a/lib/public_key/asn1/UpperBounds.asn1 b/lib/public_key/asn1/UpperBounds.asn1
new file mode 100644
index 0000000000..71c2a7ba7a
--- /dev/null
+++ b/lib/public_key/asn1/UpperBounds.asn1
@@ -0,0 +1,88 @@
+UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 5} DEFINITIONS ::=
+BEGIN
+
+-- EXPORTS All
+-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
+-- within the Directory Specifications, and for the use of other applications which will use them to access
+-- Directory services. Other applications may use them for their own purposes, but this will not constrain
+-- extensions and modifications needed to maintain or improve the Directory service.
+ub-answerback INTEGER ::=
+  8
+
+ub-business-category INTEGER ::= 128
+
+ub-common-name INTEGER ::= 64
+
+ub-content INTEGER ::= 32768
+
+ub-country-code INTEGER ::= 4
+
+ub-description INTEGER ::= 1024
+
+ub-destination-indicator INTEGER ::= 128
+
+ub-directory-string-first-component-match INTEGER ::= 32768
+
+ub-domainLocalID INTEGER ::= 64
+
+ub-international-isdn-number INTEGER ::= 16
+
+ub-knowledge-information INTEGER ::= 32768
+
+ub-labeledURI INTEGER ::= 32768
+
+ub-localeContextSyntax INTEGER ::= 128
+
+ub-locality-name INTEGER ::= 128
+
+ub-match INTEGER ::= 128
+
+ub-name INTEGER ::= 64
+
+ub-organization-name INTEGER ::= 64
+
+ub-organizational-unit-name INTEGER ::= 64
+
+ub-physical-office-name INTEGER ::= 128
+
+ub-post-office-box INTEGER ::= 40
+
+ub-postal-code INTEGER ::= 40
+
+ub-postal-line INTEGER ::= 6
+
+ub-postal-string INTEGER ::= 30
+
+ub-privacy-mark-length INTEGER ::= 128
+
+ub-pseudonym INTEGER ::= 128
+
+ub-saslMechanism INTEGER ::= 64
+
+ub-schema INTEGER ::= 1024
+
+ub-search INTEGER ::= 32768
+
+ub-serial-number INTEGER ::= 64
+
+ub-state-name INTEGER ::= 128
+
+ub-street-address INTEGER ::= 128
+
+ub-surname INTEGER ::= 64
+
+ub-tag INTEGER ::= 64
+
+ub-telephone-number INTEGER ::= 32
+
+ub-teletex-terminal-id INTEGER ::= 1024
+
+ub-telex-number INTEGER ::= 14
+
+ub-title INTEGER ::= 64
+
+ub-user-password INTEGER ::= 128
+
+ub-x121-address INTEGER ::= 15
+
+END -- UpperBounds
diff --git a/lib/public_key/asn1/UsefulDefinitions.asn1 b/lib/public_key/asn1/UsefulDefinitions.asn1
new file mode 100644
index 0000000000..a200aac6e2
--- /dev/null
+++ b/lib/public_key/asn1/UsefulDefinitions.asn1
@@ -0,0 +1,234 @@
+UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 3}
+DEFINITIONS ::=
+BEGIN
+
+-- EXPORTS All -
+-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
+-- within the Directory Specifications, and for the use of other applications which will use them to access
+-- Directory services. Other applications may use them for their own purposes, but this will not constrain
+-- extensions and modifications needed to maintain or improve the Directory service.
+ID ::= OBJECT IDENTIFIER
+
+ds ID ::= {joint-iso-itu-t ds(5)}
+
+-- categories of information object
+module ID ::= {ds  1}
+
+serviceElement ID ::= {ds  2}
+
+applicationContext ID ::= {ds  3}
+
+attributeType ID ::= {ds  4}
+
+attributeSyntax ID ::= {ds  5}
+
+objectClass ID ::= {ds  6}
+
+-- attributeSet			ID	::=	{ds 7}
+algorithm ID ::= {ds  8}
+
+abstractSyntax ID ::= {ds  9}
+
+-- object			ID	::= 	{ds 10}
+-- port				ID	::= 	{ds 11}
+dsaOperationalAttribute ID ::=
+  {ds  12}
+
+matchingRule ID ::= {ds  13}
+
+knowledgeMatchingRule ID ::= {ds  14}
+
+nameForm ID ::= {ds  15}
+
+group ID ::= {ds  16}
+
+subentry ID ::= {ds  17}
+
+operationalAttributeType ID ::= {ds  18}
+
+operationalBinding ID ::= {ds  19}
+
+schemaObjectClass ID ::= {ds  20}
+
+schemaOperationalAttribute ID ::= {ds  21}
+
+administrativeRoles ID ::= {ds  23}
+
+accessControlAttribute ID ::= {ds  24}
+
+rosObject ID ::= {ds  25}
+
+contract ID ::= {ds  26}
+
+package ID ::= {ds  27}
+
+accessControlSchemes ID ::= {ds  28}
+
+certificateExtension ID ::= {ds  29}
+
+managementObject ID ::= {ds  30}
+
+attributeValueContext ID ::= {ds  31}
+
+-- securityExchange		ID	::=	{ds 32}
+idmProtocol ID ::= {ds  33}
+
+problem ID ::= {ds  34}
+
+notification ID ::= {ds  35}
+
+matchingRestriction ID ::=
+  {ds  36} -- None are currently defined by this specification
+
+controlAttributeType ID ::= {ds  37}
+
+-- modules
+usefulDefinitions ID ::= {module usefulDefinitions(0) 3}
+
+informationFramework ID ::= {module informationFramework(1) 3}
+
+directoryAbstractService ID ::= {module directoryAbstractService(2) 3}
+
+distributedOperations ID ::= {module distributedOperations(3) 3}
+
+protocolObjectIdentifiers ID ::= {module protocolObjectIdentifiers(4) 3}
+
+selectedAttributeTypes ID ::= {module selectedAttributeTypes(5) 3}
+
+selectedObjectClasses ID ::= {module selectedObjectClasses(6) 3}
+
+authenticationFramework ID ::= {module authenticationFramework(7) 3}
+
+algorithmObjectIdentifiers ID ::= {module algorithmObjectIdentifiers(8) 3}
+
+directoryObjectIdentifiers ID ::= {module directoryObjectIdentifiers(9) 3}
+
+upperBounds ID ::= {module upperBounds(10) 3}
+
+dap ID ::= {module dap(11) 3}
+
+dsp ID ::= {module dsp(12) 3}
+
+distributedDirectoryOIDs ID ::= {module distributedDirectoryOIDs(13) 3}
+
+directoryShadowOIDs ID ::= {module directoryShadowOIDs(14) 3}
+
+directoryShadowAbstractService ID ::=
+  {module directoryShadowAbstractService(15) 3}
+
+disp ID ::= {module disp(16) 3}
+
+dop ID ::= {module dop(17) 3}
+
+opBindingManagement ID ::= {module opBindingManagement(18) 3}
+
+opBindingOIDs ID ::= {module opBindingOIDs(19) 3}
+
+hierarchicalOperationalBindings ID ::=
+  {module hierarchicalOperationalBindings(20) 3}
+
+dsaOperationalAttributeTypes ID ::= {module dsaOperationalAttributeTypes(22) 3}
+
+schemaAdministration ID ::= {module schemaAdministration(23) 3}
+
+basicAccessControl ID ::= {module basicAccessControl(24) 3}
+
+directoryOperationalBindingTypes ID ::=
+  {module directoryOperationalBindingTypes(25) 3}
+
+certificateExtensions ID ::= {module certificateExtensions(26) 0}
+
+directoryManagement ID ::= {module directoryManagement(27) 1}
+
+enhancedSecurity ID ::= {module enhancedSecurity(28) 1}
+
+iDMProtocolSpecification ID ::= {module iDMProtocolSpecification(30) 4}
+
+directoryIDMProtocols ID ::= {module directoryIDMProtocols(31) 4}
+
+-- directorySecurityExchanges			ID	::=	{module directorySecurityExchanges (29) 1}
+-- synonyms
+id-oc ID ::=
+  objectClass
+
+id-at ID ::= attributeType
+
+id-as ID ::= abstractSyntax
+
+id-mr ID ::= matchingRule
+
+id-nf ID ::= nameForm
+
+id-sc ID ::= subentry
+
+id-oa ID ::= operationalAttributeType
+
+id-ob ID ::= operationalBinding
+
+id-doa ID ::= dsaOperationalAttribute
+
+id-kmr ID ::= knowledgeMatchingRule
+
+id-soc ID ::= schemaObjectClass
+
+id-soa ID ::= schemaOperationalAttribute
+
+id-ar ID ::= administrativeRoles
+
+id-aca ID ::= accessControlAttribute
+
+id-ac ID ::= applicationContext
+
+id-rosObject ID ::= rosObject
+
+id-contract ID ::= contract
+
+id-package ID ::= package
+
+id-acScheme ID ::= accessControlSchemes
+
+id-ce ID ::= certificateExtension
+
+id-mgt ID ::= managementObject
+
+id-idm ID ::= idmProtocol
+
+id-avc ID ::= attributeValueContext
+
+-- id-se   					ID	::=	securityExchange
+id-pr ID ::= problem
+
+id-not ID ::= notification
+
+id-mre ID ::= matchingRestriction
+
+id-cat ID ::= controlAttributeType
+
+-- obsolete module identifiers
+--	usefulDefinition	 			ID	::=	{module 0}
+--	informationFramework				ID	::=	{module 1}
+-- 	directoryAbstractService  			ID	::=	{module 2}
+-- 	distributedOperations				ID	::=	{module 3}
+--	protocolObjectIdentifiers  			ID	::=	{module 4}
+-- 	selectedAttributeTypes				ID	::=	{module 5}
+-- 	selectedObjectClasses				ID	::=	{module 6}
+--	authenticationFramework			ID	::=	{module 7}
+--	algorithmObjectIdentifiers			ID	::=	{module 8}
+--	directoryObjectIdentifiers			ID	::=	{module 9}
+--	upperBounds					ID	::=	{module 10}
+--	dap							ID	::=	{module 11}
+--	dsp							ID	::=	{module 12}
+--	distributedDirectoryObjectIdentifiers	ID	::=	{module 13}
+-- unused module identifiers
+--	directoryShadowOIDs				ID	::=	{module 14}
+--	directoryShadowAbstractService		ID	::=	{module 15}
+--	disp							ID	::=	{module 16}
+--	dop							ID	::=	{module 17}
+--	opBindingManagement			ID	::=	{module 18}
+--	opBindingOIDs					ID	::=	{module 19}
+--	hierarchicalOperationalBindings		ID	::=	{module 20}
+--	dsaOperationalAttributeTypes		ID	::=	{module 22}
+--	schemaAdministration				ID	::=	{module 23}
+--	basicAccessControl				ID	::=	{module 24}
+--	operationalBindingOIDs			ID	::=	{module 25}
+END -- UsefulDefinitions
diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl
index 910473d629..f51d59a789 100644
--- a/lib/public_key/src/pubkey_pem.erl
+++ b/lib/public_key/src/pubkey_pem.erl
@@ -194,7 +194,10 @@ pem_start('SubjectPublicKeyInfo') ->
 pem_start('DSAPrivateKey') ->
     <<"-----BEGIN DSA PRIVATE KEY-----">>;
 pem_start('DHParameter') ->
-    <<"-----BEGIN DH PARAMETERS-----">>.
+    <<"-----BEGIN DH PARAMETERS-----">>;
+pem_start('ContentInfo') ->
+    <<"-----BEGIN PKCS7-----">>.
+
 pem_end(<<"-----BEGIN CERTIFICATE-----">>) ->
     <<"-----END CERTIFICATE-----">>;
 pem_end(<<"-----BEGIN RSA PRIVATE KEY-----">>) ->
@@ -211,8 +214,8 @@ pem_end(<<"-----BEGIN PRIVATE KEY-----">>) ->
     <<"-----END PRIVATE KEY-----">>;
 pem_end(<<"-----BEGIN ENCRYPTED PRIVATE KEY-----">>) ->
     <<"-----END ENCRYPTED PRIVATE KEY-----">>;
-pem_end(_) ->
-    undefined.
+pem_end(<<"-----BEGIN PKCS7-----">>) ->
+    <<"-----END PKCS7-----">>.
 
 asn1_type(<<"-----BEGIN CERTIFICATE-----">>) ->
     'Certificate';
@@ -229,7 +232,9 @@ asn1_type(<<"-----BEGIN DH PARAMETERS-----">>) ->
 asn1_type(<<"-----BEGIN PRIVATE KEY-----">>) ->
     'PrivateKeyInfo';
 asn1_type(<<"-----BEGIN ENCRYPTED PRIVATE KEY-----">>) ->
-    'EncryptedPrivateKeyInfo'.
+    'EncryptedPrivateKeyInfo';
+asn1_type(<<"-----BEGIN PKCS7-----">>) ->
+    'ContentInfo'.
 
 pem_decrypt() ->
     <<"Proc-Type: 4,ENCRYPTED">>.