Diffstat (limited to 'lib/public_key/asn1/AuthenticationFramework.asn1')
-rw-r--r-- | lib/public_key/asn1/AuthenticationFramework.asn1 | 367 |
1 files changed, 367 insertions, 0 deletions
diff --git a/lib/public_key/asn1/AuthenticationFramework.asn1 b/lib/public_key/asn1/AuthenticationFramework.asn1
new file mode 100644
index 0000000000..3754486473
--- /dev/null
+++ b/lib/public_key/asn1/AuthenticationFramework.asn1
@@ -0,0 +1,367 @@
+AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
+ authenticationFramework(7) 6} DEFINITIONS ::=
+BEGIN
+
+-- EXPORTS All
+-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
+-- within the Directory Specifications, and for the use of other applications which will use them to access
+-- Directory services. Other applications may use them for their own purposes, but this will not constrain
+-- extensions and modifications needed to maintain or improve the Directory service.
+IMPORTS
+ id-at, id-nf, id-oc, informationFramework, selectedAttributeTypes,
+ basicAccessControl, certificateExtensions
+ FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
+ usefulDefinitions(0) 6}
+ Name, ATTRIBUTE, OBJECT-CLASS, NAME-FORM, top
+ FROM InformationFramework informationFramework
+ UniqueIdentifier, octetStringMatch, commonName, UnboundedDirectoryString
+ FROM SelectedAttributeTypes selectedAttributeTypes
+ certificateExactMatch, certificatePairExactMatch, certificateListExactMatch,
+ KeyUsage, GeneralNames, CertificatePoliciesSyntax,
+ algorithmIdentifierMatch, CertPolicyId
+ FROM CertificateExtensions certificateExtensions;
+
+-- parameterized types
+ENCRYPTED{ToBeEnciphered} ::=
+ BIT STRING
+ (CONSTRAINED BY {
+ -- shall be the result of applying an encipherment procedure
+ -- to the BER-encoded octets of a value of --ToBeEnciphered})
+
+HASH{ToBeHashed} ::= SEQUENCE {
+ algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
+ hashValue
+ BIT STRING
+ (CONSTRAINED BY {
+ -- shall be the result of applying a hashing procedure to the DER-encoded octets
+ -- of a value of -- ToBeHashed})
+}
+
+ENCRYPTED-HASH{ToBeSigned} ::=
+ BIT STRING
+ (CONSTRAINED BY {
+ -- shall be the result of applying a hashing procedure to the DER-encoded (see 6.1) octets
+ -- of a value of --ToBeSigned -- and then applying an encipherment procedure to those octets --})
+
+SIGNATURE{ToBeSigned} ::= SEQUENCE {
+ algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
+ encrypted ENCRYPTED-HASH{ToBeSigned}
+}
+
+SIGNED{ToBeSigned} ::= SEQUENCE {
+ toBeSigned ToBeSigned,
+ COMPONENTS OF SIGNATURE{ToBeSigned}
+}
+
+-- public-key certificate definition
+Certificate ::= SIGNED{CertificateContent}
+
+CertificateContent ::= SEQUENCE {
+ version [0] Version DEFAULT v1,
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier{{SupportedAlgorithms}},
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- if present, version shall be v2 or v3
+ subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- if present, version shall be v2 or v3
+ extensions [3] Extensions OPTIONAL
+ -- If present, version shall be v3
+}
+
+Version ::= INTEGER {v1(0), v2(1), v3(2)}
+
+CertificateSerialNumber ::= INTEGER
+
+AlgorithmIdentifier{ALGORITHM:SupportedAlgorithms} ::= SEQUENCE {
+ algorithm ALGORITHM.&id({SupportedAlgorithms}),
+ parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL
+}
+
+-- Definition of the following information object set is deferred, perhaps to standardized
+-- profiles or to protocol implementation conformance statements. The set is required to
+-- specify a table constraint on the parameters component of AlgorithmIdentifier.
+SupportedAlgorithms ALGORITHM ::=
+ {...}
+
+Validity ::= SEQUENCE {notBefore Time,
+ notAfter Time
+}
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier{{SupportedAlgorithms}},
+ subjectPublicKey BIT STRING
+}
+
+Time ::= CHOICE {utcTime UTCTime,
+ generalizedTime GeneralizedTime
+}
+
+Extensions ::= SEQUENCE OF Extension
+
+-- For those extensions where ordering of individual extensions within the SEQUENCE is significant, the
+-- specification of those individual extensions shall include the rules for the significance of the order therein
+Extension ::= SEQUENCE {
+ extnId EXTENSION.&id({ExtensionSet}),
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue
+ OCTET STRING
+ (CONTAINING EXTENSION.&ExtnType({ExtensionSet}{@extnId})
+ ENCODED BY
+ der)
+}
+
+der OBJECT IDENTIFIER ::=
+ {joint-iso-itu-t asn1(1) ber-derived(2) distinguished-encoding(1)}
+
+ExtensionSet EXTENSION ::=
+ {...}
+
+EXTENSION ::= CLASS {&id OBJECT IDENTIFIER UNIQUE,
+ &ExtnType
+}WITH SYNTAX {SYNTAX &ExtnType
+ IDENTIFIED BY &id
+}
+
+ALGORITHM ::= CLASS {&Type OPTIONAL,
+ &id OBJECT IDENTIFIER UNIQUE
+}WITH SYNTAX {[&Type]
+ IDENTIFIED BY &id
+}
+
+-- other PKI certificate constructs
+Certificates ::= SEQUENCE {
+ userCertificate Certificate,
+ certificationPath ForwardCertificationPath OPTIONAL
+}
+
+CertificationPath ::= SEQUENCE {
+ userCertificate Certificate,
+ theCACertificates SEQUENCE OF CertificatePair OPTIONAL
+}
+
+ForwardCertificationPath ::= SEQUENCE OF CrossCertificates
+
+CrossCertificates ::= SET OF Certificate
+
+PkiPath ::= SEQUENCE OF Certificate
+
+-- certificate revocation list (CRL)
+CertificateList ::=
+ SIGNED{CertificateListContent}
+
+CertificateListContent ::= SEQUENCE {
+ version Version OPTIONAL,
+ -- if present, version shall be v2
+ signature AlgorithmIdentifier{{SupportedAlgorithms}},
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates
+ SEQUENCE OF
+ SEQUENCE {serialNumber CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL} OPTIONAL,
+ crlExtensions [0] Extensions OPTIONAL
+}
+
+-- PKI object classes
+pkiUser OBJECT-CLASS ::= {
+ SUBCLASS OF {top}
+ KIND auxiliary
+ MAY CONTAIN {userCertificate}
+ ID id-oc-pkiUser
+}
+
+pkiCA OBJECT-CLASS ::= {
+ SUBCLASS OF {top}
+ KIND auxiliary
+ MAY CONTAIN
+ {cACertificate | certificateRevocationList | authorityRevocationList |
+ crossCertificatePair}
+ ID id-oc-pkiCA
+}
+
+cRLDistributionPoint OBJECT-CLASS ::= {
+ SUBCLASS OF {top}
+ KIND structural
+ MUST CONTAIN {commonName}
+ MAY CONTAIN
+ {certificateRevocationList | authorityRevocationList | deltaRevocationList}
+ ID id-oc-cRLDistributionPoint
+}
+
+cRLDistPtNameForm NAME-FORM ::= {
+ NAMES cRLDistributionPoint
+ WITH ATTRIBUTES {commonName}
+ ID id-nf-cRLDistPtNameForm
+}
+
+deltaCRL OBJECT-CLASS ::= {
+ SUBCLASS OF {top}
+ KIND auxiliary
+ MAY CONTAIN {deltaRevocationList}
+ ID id-oc-deltaCRL
+}
+
+cpCps OBJECT-CLASS ::= {
+ SUBCLASS OF {top}
+ KIND auxiliary
+ MAY CONTAIN {certificatePolicy | certificationPracticeStmt}
+ ID id-oc-cpCps
+}
+
+pkiCertPath OBJECT-CLASS ::= {
+ SUBCLASS OF {top}
+ KIND auxiliary
+ MAY CONTAIN {pkiPath}
+ ID id-oc-pkiCertPath
+}
+
+-- PKI directory attributes
+userCertificate ATTRIBUTE ::= {
+ WITH SYNTAX Certificate
+ EQUALITY MATCHING RULE certificateExactMatch
+ ID id-at-userCertificate
+}
+
+cACertificate ATTRIBUTE ::= {
+ WITH SYNTAX Certificate
+ EQUALITY MATCHING RULE certificateExactMatch
+ ID id-at-cAcertificate
+}
+
+crossCertificatePair ATTRIBUTE ::= {
+ WITH SYNTAX CertificatePair
+ EQUALITY MATCHING RULE certificatePairExactMatch
+ ID id-at-crossCertificatePair
+}
+
+CertificatePair ::= SEQUENCE {
+ forward [0] Certificate OPTIONAL,
+ reverse [1] Certificate OPTIONAL
+ -- at least one of the pair shall be present
+}
+(WITH COMPONENTS {
+ ...,
+ forward PRESENT
+ } | WITH COMPONENTS {
+ ...,
+ reverse PRESENT
+ })
+
+certificateRevocationList ATTRIBUTE ::= {
+ WITH SYNTAX CertificateList
+ EQUALITY MATCHING RULE certificateListExactMatch
+ ID id-at-certificateRevocationList
+}
+
+authorityRevocationList ATTRIBUTE ::= {
+ WITH SYNTAX CertificateList
+ EQUALITY MATCHING RULE certificateListExactMatch
+ ID id-at-authorityRevocationList
+}
+
+deltaRevocationList ATTRIBUTE ::= {
+ WITH SYNTAX CertificateList
+ EQUALITY MATCHING RULE certificateListExactMatch
+ ID id-at-deltaRevocationList
+}
+
+supportedAlgorithms ATTRIBUTE ::= {
+ WITH SYNTAX SupportedAlgorithm
+ EQUALITY MATCHING RULE algorithmIdentifierMatch
+ ID id-at-supportedAlgorithms
+}
+
+SupportedAlgorithm ::= SEQUENCE {
+ algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
+ intendedUsage [0] KeyUsage OPTIONAL,
+ intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL
+}
+
+certificationPracticeStmt ATTRIBUTE ::= {
+ WITH SYNTAX InfoSyntax
+ ID id-at-certificationPracticeStmt
+}
+
+InfoSyntax ::= CHOICE {
+ content UnboundedDirectoryString,
+ pointer SEQUENCE {name GeneralNames,
+ hash HASH{HashedPolicyInfo} OPTIONAL}
+}
+
+POLICY ::= TYPE-IDENTIFIER
+
+HashedPolicyInfo ::= POLICY.&Type({Policies})
+
+Policies POLICY ::=
+ {...} -- Defined by implementors
+
+certificatePolicy ATTRIBUTE ::= {
+ WITH SYNTAX PolicySyntax
+ ID id-at-certificatePolicy
+}
+
+PolicySyntax ::= SEQUENCE {
+ policyIdentifier PolicyID,
+ policySyntax InfoSyntax
+}
+
+PolicyID ::= CertPolicyId
+
+pkiPath ATTRIBUTE ::= {WITH SYNTAX PkiPath
+ ID id-at-pkiPath
+}
+
+userPassword ATTRIBUTE ::= {
+ WITH SYNTAX OCTET STRING(SIZE (0..MAX))
+ EQUALITY MATCHING RULE octetStringMatch
+ ID id-at-userPassword
+}
+
+-- object identifier assignments
+-- object classes
+id-oc-cRLDistributionPoint OBJECT IDENTIFIER ::=
+ {id-oc 19}
+
+id-oc-pkiUser OBJECT IDENTIFIER ::= {id-oc 21}
+
+id-oc-pkiCA OBJECT IDENTIFIER ::= {id-oc 22}
+
+id-oc-deltaCRL OBJECT IDENTIFIER ::= {id-oc 23}
+
+id-oc-cpCps OBJECT IDENTIFIER ::= {id-oc 30}
+
+id-oc-pkiCertPath OBJECT IDENTIFIER ::= {id-oc 31}
+
+-- name forms
+id-nf-cRLDistPtNameForm OBJECT IDENTIFIER ::= {id-nf 14}
+
+-- directory attributes
+id-at-userPassword OBJECT IDENTIFIER ::= {id-at 35}
+
+id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
+
+id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
+
+id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
+
+id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
+
+id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
+
+id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52}
+
+id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53}
+
+id-at-certificationPracticeStmt OBJECT IDENTIFIER ::= {id-at 68}
+
+id-at-certificatePolicy OBJECT IDENTIFIER ::= {id-at 69}
+
+id-at-pkiPath OBJECT IDENTIFIER ::= {id-at 70}
+
+END -- AuthenticationFramework |
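Review bot: Both information object sets the table constraints depend on, `SupportedAlgorithms ALGORITHM ::= {...}` and `ExtensionSet EXTENSION ::= {...}`, are left empty and extensible, so the `parameters` component of `AlgorithmIdentifier` and the `extnValue` of `Extension` are not validated at decode time: any algorithm OID with any parameters, and any extension OID with any content, decodes successfully, and `critical BOOLEAN DEFAULT FALSE` is only a flag. Since the module itself cannot enforce this, the rule that unknown critical extensions must be rejected and that algorithm OIDs/parameters must be checked against an allow-list has to live in the Erlang code that consumes `Certificate` and `CertificateList`; a comment next to `SupportedAlgorithms` such as `-- Left open on purpose: no decode-time check of algorithm parameters or extension contents; callers must validate OIDs and reject unrecognised critical extensions` would make that explicit for maintainers. The file also carries no provenance header saying which edition of the X.509 AuthenticationFramework module it was taken from (the module OID identifies version 6) or whether anything was changed locally, which matters when the module is later updated against the specification; a one-line `-- Source: ITU-T X.509 AuthenticationFramework, module version 6 (unmodified)` style comment at the top would cover that, with "unmodified" replaced by a list of local edits if there are any.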