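-- PKIX1Implicit-2009: syntax of the standard certificate, CRL and
-- CRL-entry extensions of the PKIX profile, written with ASN.1
-- information object classes (EXTENSION, CERT-POLICY-QUALIFIER).
--
-- Layout note: an ASN.1 "--" comment runs to the end of the line or to
-- the next "--".  Keep one definition (or comment) per line group.  When
-- this module is collapsed onto a few long lines, every "-- ..." remark
-- swallows the definition that follows it (e.g. id-ce, and the
-- keyEncipherment..decipherOnly bits of KeyUsage), so the module no
-- longer compiles to the intended syntax.

PKIX1Implicit-2009
    { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

DEFINITIONS IMPLICIT TAGS ::=
BEGIN

IMPORTS

    AttributeSet{}, EXTENSION, ATTRIBUTE
    FROM PKIX-CommonTypes-2009
        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
          mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

    id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name,
    RelativeDistinguishedName, CertificateSerialNumber, DirectoryString{},
    SupportedAttributes
    FROM PKIX1Explicit-2009
        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
          mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ;

-- Extension sets consumed by the Certificate, CRL and CRL-entry types.
-- The trailing "..." makes each set extensible, so an unknown extension
-- still decodes; a relying party must nevertheless reject a certificate
-- or CRL carrying an unrecognized extension that is marked critical
-- (RFC 5280, section 4.2).

CertExtensions EXTENSION ::= {
    ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier |
    ext-KeyUsage | ext-PrivateKeyUsagePeriod |
    ext-CertificatePolicies | ext-PolicyMappings |
    ext-SubjectAltName | ext-IssuerAltName |
    ext-SubjectDirectoryAttributes |
    ext-BasicConstraints | ext-NameConstraints |
    ext-PolicyConstraints | ext-ExtKeyUsage |
    ext-CRLDistributionPoints | ext-InhibitAnyPolicy |
    ext-FreshestCRL | ext-AuthorityInfoAccess |
    ext-SubjectInfoAccessSyntax, ... }

CrlExtensions EXTENSION ::= {
    ext-AuthorityKeyIdentifier | ext-IssuerAltName |
    ext-CRLNumber | ext-DeltaCRLIndicator |
    ext-IssuingDistributionPoint | ext-FreshestCRL, ... }

CrlEntryExtensions EXTENSION ::= {
    ext-CRLReason | ext-CertificateIssuer |
    ext-HoldInstructionCode | ext-InvalidityDate, ... }

-- Shared arc for standard certificate and CRL extensions

id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }

-- authority key identifier OID and syntax

ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX
    AuthorityKeyIdentifier IDENTIFIED BY
    id-ce-authorityKeyIdentifier }

id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }

-- The constraint below requires authorityCertIssuer and
-- authorityCertSerialNumber to be either both present or both absent;
-- keyIdentifier may accompany either form.
AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier             [0] KeyIdentifier            OPTIONAL,
    authorityCertIssuer       [1] GeneralNames             OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
    (WITH COMPONENTS {
       ...,
       authorityCertIssuer        PRESENT,
       authorityCertSerialNumber  PRESENT
    } |
    WITH COMPONENTS {
       ...,
       authorityCertIssuer        ABSENT,
       authorityCertSerialNumber  ABSENT
    })

KeyIdentifier ::= OCTET STRING

-- subject key identifier OID and syntax

ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX
    KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier }

id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }

-- key usage extension OID and syntax

ext-KeyUsage EXTENSION ::= { SYNTAX
    KeyUsage IDENTIFIED BY id-ce-keyUsage }

id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }

-- Named bits; relying parties test the named bit, not the raw DER byte.
-- encipherOnly and decipherOnly are only meaningful when keyAgreement is
-- also asserted (RFC 5280, section 4.2.1.3).
KeyUsage ::= BIT STRING {
    digitalSignature        (0),
    nonRepudiation          (1), --  recent editions of X.509 have
                                 --  renamed this bit to
                                 --  contentCommitment
    keyEncipherment         (2),
    dataEncipherment        (3),
    keyAgreement            (4),
    keyCertSign             (5),
    cRLSign                 (6),
    encipherOnly            (7),
    decipherOnly            (8) }

-- private key usage period extension OID and syntax

ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX
    PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod }

id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }

PrivateKeyUsagePeriod ::= SEQUENCE {
    notBefore       [0]     GeneralizedTime OPTIONAL,
    notAfter        [1]     GeneralizedTime OPTIONAL }
    (WITH COMPONENTS {..., notBefore PRESENT } |
     WITH COMPONENTS {..., notAfter PRESENT })

-- certificate policies extension OID and syntax

ext-CertificatePolicies EXTENSION ::= { SYNTAX
    CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies}

id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }

CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
    policyIdentifier   CertPolicyId,
    policyQualifiers   SEQUENCE SIZE (1..MAX) OF
            PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {
    policyQualifierId  CERT-POLICY-QUALIFIER.
            &id({PolicyQualifierId}),
    qualifier          CERT-POLICY-QUALIFIER.
            &Type({PolicyQualifierId}{@policyQualifierId})}

-- Implementations that recognize additional policy qualifiers MUST
-- augment the following definition for PolicyQualifierId

PolicyQualifierId CERT-POLICY-QUALIFIER ::=
    { pqid-cps | pqid-unotice, ... }

pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }
pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice
    IDENTIFIED BY id-qt-unotice }

-- CPS pointer qualifier

CPSuri ::= IA5String

-- user notice qualifier

UserNotice ::= SEQUENCE {
    noticeRef        NoticeReference OPTIONAL,
    explicitText     DisplayText OPTIONAL}

--
--  This is not made explicit in the text
--
--  {WITH COMPONENTS {..., noticeRef PRESENT} |
--   WITH COMPONENTS {..., DisplayText PRESENT }}

NoticeReference ::= SEQUENCE {
    organization     DisplayText,
    noticeNumbers    SEQUENCE OF INTEGER }

-- Every alternative is bounded to 200 characters; a decoder should
-- enforce the SIZE constraint rather than trust the length octets.
DisplayText ::= CHOICE {
    ia5String        IA5String      (SIZE (1..200)),
    visibleString    VisibleString  (SIZE (1..200)),
    bmpString        BMPString      (SIZE (1..200)),
    utf8String       UTF8String     (SIZE (1..200)) }

-- policy mapping extension OID and syntax

ext-PolicyMappings EXTENSION ::= { SYNTAX
    PolicyMappings IDENTIFIED BY id-ce-policyMappings }

id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }

PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
    issuerDomainPolicy      CertPolicyId,
    subjectDomainPolicy     CertPolicyId
}

-- subject alternative name extension OID and syntax

ext-SubjectAltName EXTENSION ::= { SYNTAX
    GeneralNames IDENTIFIED BY id-ce-subjectAltName }

id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- Note that this syntax places no SIZE constraint on iPAddress.
-- RFC 5280 expects 4 or 16 octets in an alternative name and 8 or 32
-- (address plus mask) inside a GeneralSubtree; validators must check
-- the length themselves.  rfc822Name, dNSName and
-- uniformResourceIdentifier are IA5String and must be matched with
-- the name-form-specific rules of RFC 5280 (section 4.2.1.6 and 4.2.1.10),
-- not by byte comparison.
GeneralName ::= CHOICE {
    otherName                   [0]  INSTANCE OF OTHER-NAME,
    rfc822Name                  [1]  IA5String,
    dNSName                     [2]  IA5String,
    x400Address                 [3]  ORAddress,
    directoryName               [4]  Name,
    ediPartyName                [5]  EDIPartyName,
    uniformResourceIdentifier   [6]  IA5String,
    iPAddress                   [7]  OCTET STRING,
    registeredID                [8]  OBJECT IDENTIFIER
}

-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

OTHER-NAME ::= TYPE-IDENTIFIER

EDIPartyName ::= SEQUENCE {
    nameAssigner    [0]  DirectoryString {ubMax} OPTIONAL,
    partyName       [1]  DirectoryString {ubMax}
}

-- issuer alternative name extension OID and syntax

ext-IssuerAltName EXTENSION ::= { SYNTAX
    GeneralNames IDENTIFIED BY id-ce-issuerAltName }

id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }

ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX
    SubjectDirectoryAttributes IDENTIFIED BY
    id-ce-subjectDirectoryAttributes }

id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }

SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
    AttributeSet{{SupportedAttributes}}

-- basic constraints extension OID and syntax

ext-BasicConstraints EXTENSION ::= { SYNTAX
    BasicConstraints IDENTIFIED BY id-ce-basicConstraints }

id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }

-- cA defaults to FALSE, so an absent extension (or an absent cA field)
-- never makes a certificate an issuer.  pathLenConstraint is only
-- meaningful when cA is TRUE (RFC 5280, section 4.2.1.9).
BasicConstraints ::= SEQUENCE {
    cA                      BOOLEAN DEFAULT FALSE,
    pathLenConstraint       INTEGER (0..MAX) OPTIONAL
}

-- name constraints extension OID and syntax

ext-NameConstraints EXTENSION ::= { SYNTAX
    NameConstraints IDENTIFIED BY id-ce-nameConstraints }

id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }

NameConstraints ::= SEQUENCE {
    permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
    excludedSubtrees        [1]     GeneralSubtrees OPTIONAL
}
--
--  This is a constraint in the issued certificates by CAs, but is
--  not a requirement on EEs.
--
--  (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
--   WITH COMPONENTS { ..., excludedSubtrees PRESENT }}

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
    base                    GeneralName,
    minimum         [0]     BaseDistance DEFAULT 0,
    maximum         [1]     BaseDistance OPTIONAL
}

BaseDistance ::= INTEGER (0..MAX)

-- policy constraints extension OID and syntax

ext-PolicyConstraints EXTENSION ::= { SYNTAX
    PolicyConstraints IDENTIFIED BY id-ce-policyConstraints }

id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }

PolicyConstraints ::= SEQUENCE {
    requireExplicitPolicy   [0]     SkipCerts OPTIONAL,
    inhibitPolicyMapping    [1]     SkipCerts OPTIONAL }
--
--  This is a constraint in the issued certificates by CAs,
--  but is not a requirement for EEs
--
--  (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
--   WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})

SkipCerts ::= INTEGER (0..MAX)

-- CRL distribution points extension OID and syntax

ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
    CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}

id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
    distributionPoint       [0]     DistributionPointName OPTIONAL,
    reasons                 [1]     ReasonFlags OPTIONAL,
    cRLIssuer               [2]     GeneralNames OPTIONAL
}
--
--  This is not a requirement in the text, but it seems as if it
--  should be
--
--(WITH COMPONENTS {..., distributionPoint PRESENT} |
-- WITH COMPONENTS {..., cRLIssuer PRESENT})

DistributionPointName ::= CHOICE {
    fullName                [0]     GeneralNames,
    nameRelativeToCRLIssuer [1]     RelativeDistinguishedName
}

ReasonFlags ::= BIT STRING {
    unused                  (0),
    keyCompromise           (1),
    cACompromise            (2),
    affiliationChanged      (3),
    superseded              (4),
    cessationOfOperation    (5),
    certificateHold         (6),
    privilegeWithdrawn      (7),
    aACompromise            (8) }

-- extended key usage extension OID and syntax

ext-ExtKeyUsage EXTENSION ::= { SYNTAX
    ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage }

id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

KeyPurposeId ::= OBJECT IDENTIFIER

-- permit unspecified key uses

anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

-- extended key purpose OIDs

id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
id-kp-codeSigning            OBJECT IDENTIFIER ::= { id-kp 3 }
id-kp-emailProtection        OBJECT IDENTIFIER ::= { id-kp 4 }
id-kp-timeStamping           OBJECT IDENTIFIER ::= { id-kp 8 }
id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }

-- inhibit any policy OID and syntax

ext-InhibitAnyPolicy EXTENSION ::= {SYNTAX
    SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy }

id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }

-- freshest (delta)CRL extension OID and syntax

ext-FreshestCRL EXTENSION ::= {SYNTAX
    CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL }

id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 }

-- authority info access

ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX
    AuthorityInfoAccessSyntax IDENTIFIED BY id-pe-authorityInfoAccess }

id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

AuthorityInfoAccessSyntax  ::=
    SEQUENCE SIZE (1..MAX) OF AccessDescription

-- accessLocation is an untrusted, attacker-controlled locator taken
-- from the certificate; clients that follow it (OCSP, CA issuers) should
-- restrict schemes and apply timeouts rather than fetch it blindly.
AccessDescription  ::=  SEQUENCE {
    accessMethod          OBJECT IDENTIFIER,
    accessLocation        GeneralName  }

-- subject info access

ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX
    SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }

id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }

SubjectInfoAccessSyntax  ::=
    SEQUENCE SIZE (1..MAX) OF AccessDescription

-- CRL number extension OID and syntax

ext-CRLNumber EXTENSION ::= {SYNTAX
    INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }

id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

CRLNumber ::= INTEGER (0..MAX)

-- issuing distribution point extension OID and syntax

ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX
    IssuingDistributionPoint IDENTIFIED BY
    id-ce-issuingDistributionPoint }

id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }

IssuingDistributionPoint ::= SEQUENCE {
    distributionPoint          [0] DistributionPointName OPTIONAL,
    onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
    onlySomeReasons            [3] ReasonFlags OPTIONAL,
    indirectCRL                [4] BOOLEAN DEFAULT FALSE,
    onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
    -- at most one of onlyContainsUserCerts, onlyContainsCACerts,
    -- or onlyContainsAttributeCerts may be set to TRUE.

ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX
    CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator }

id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

-- CRL reasons extension OID and syntax

ext-CRLReason EXTENSION ::= { SYNTAX
    CRLReason IDENTIFIED BY id-ce-cRLReasons }

id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

-- Value 7 is intentionally not assigned.  The numbering differs from
-- the ReasonFlags bit positions above (removeFromCRL, privilegeWithdrawn
-- and aACompromise are shifted), so the two must not be mapped 1:1.
CRLReason ::= ENUMERATED {
    unspecified             (0),
    keyCompromise           (1),
    cACompromise            (2),
    affiliationChanged      (3),
    superseded              (4),
    cessationOfOperation    (5),
    certificateHold         (6),
    removeFromCRL           (8),
    privilegeWithdrawn      (9),
    aACompromise           (10) }

-- certificate issuer CRL entry extension OID and syntax

ext-CertificateIssuer EXTENSION ::= { SYNTAX
    GeneralNames IDENTIFIED BY id-ce-certificateIssuer }

id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

-- hold instruction extension OID and syntax

ext-HoldInstructionCode EXTENSION ::= { SYNTAX
    OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode }

id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

-- ANSI x9 holdinstructions

holdInstruction OBJECT IDENTIFIER ::=
    {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}

id-holdinstruction-none OBJECT IDENTIFIER  ::=
    {holdInstruction 1} -- deprecated

id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
    {holdInstruction 2}

id-holdinstruction-reject OBJECT IDENTIFIER ::=
    {holdInstruction 3}

-- invalidity date CRL entry extension OID and syntax

ext-InvalidityDate EXTENSION ::= { SYNTAX
    GeneralizedTime IDENTIFIED BY id-ce-invalidityDate }

id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }

-- Upper bounds

ubMax INTEGER ::= 32768

END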