-- ASN.1 module defining the PKIX attribute certificate (AC) syntax, its
-- extensions and its attributes. Tagging is IMPLICIT unless a component
-- says otherwise. Shared PKIX types, algorithm parameterisation, the
-- SIGNED{} wrapper and CMS ContentInfo are imported rather than redefined.
PKIXAttributeCertificate-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
AttributeSet{}, Extensions{}, SecurityCategory{},
EXTENSION, ATTRIBUTE, SECURITY-CATEGORY
FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
-- IMPORTed module OIDs MAY change if [PKIXPROF] changes
-- PKIX Certificate Extensions
CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp,
id-ad, id-at, SIGNED{}, SignatureAlgorithms
FROM PKIX1Explicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}
GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier,
ext-AuthorityInfoAccess, ext-CRLDistributionPoints
FROM PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
ContentInfo
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) };
-- Define the set of extensions that can appear.
-- Some of these are imported from PKIX Cert
-- The set is extensible ("..."), so a decoder must tolerate extensions
-- it does not know; which of them may be critical is a profile matter,
-- not something this syntax expresses.
AttributeCertExtensions EXTENSION ::= {
ext-auditIdentity | ext-targetInformation |
ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess |
ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying |
ext-aaControls, ... }
ext-auditIdentity EXTENSION ::= { SYNTAX
OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity}
ext-targetInformation EXTENSION ::= { SYNTAX
Targets IDENTIFIED BY id-ce-targetInformation }
-- NULL syntax: this extension carries no value; its presence is the signal.
ext-noRevAvail EXTENSION ::= { SYNTAX
NULL IDENTIFIED BY id-ce-noRevAvail}
ext-ac-proxying EXTENSION ::= { SYNTAX
ProxyInfo IDENTIFIED BY id-pe-ac-proxying}
ext-aaControls EXTENSION ::= { SYNTAX
AAControls IDENTIFIED BY id-pe-aaControls}
-- Define the set of attributes used here
-- Extensible ("..."). Note that at-clearance-RFC3281 (below) is defined
-- but deliberately NOT a member of this set; see the Clearance comments.
AttributesDefined ATTRIBUTE ::= { at-authenticationInfo |
at-accesIdentity | at-chargingIdentity | at-group |
at-role | at-clearance | at-encAttrs, ...}
at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo
IDENTIFIED BY id-aca-authenticationInfo}
-- NB: the identifier is spelled "at-accesIdentity" (single 's') while the
-- OID is "id-aca-accessIdentity"; references must use the spelling as
-- defined here.
at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo
IDENTIFIED BY id-aca-accessIdentity}
at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax
IDENTIFIED BY id-aca-chargingIdentity}
at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax
IDENTIFIED BY id-aca-group}
at-role ATTRIBUTE ::= { TYPE RoleSyntax
IDENTIFIED BY id-at-role}
at-clearance ATTRIBUTE ::= { TYPE Clearance
IDENTIFIED BY id-at-clearance}
-- Legacy form of the clearance attribute (tagged components, different
-- OID arc). Kept for interoperability with the [RFC3281] encoding.
at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281
IDENTIFIED BY id-at-clearance-rfc3281 }
-- Encrypted attributes are carried as a CMS ContentInfo; this module
-- only fixes the container, not the content type expected inside it.
at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo
IDENTIFIED BY id-aca-encAttrs}
--
-- OIDs used by Attribute Certificate Extensions
--
id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 }
--
-- OIDs used by Attribute Certificate Attributes
--
id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
-- { id-aca 5 } is reserved
id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
id-at-role OBJECT IDENTIFIER ::= { id-at 72}
id-at-clearance OBJECT IDENTIFIER ::= {
joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) }
-- Uncomment the following declaration and comment the above line if
-- using the id-at-clearance attribute as defined in [RFC3281]
-- id-at-clearance ::= id-at-clearance-3281
-- NOTE(review): the name defined just below is id-at-clearance-rfc3281;
-- the commented-out declaration above refers to "id-at-clearance-3281",
-- which is not defined in this module. Use the defined name if enabling it.
id-at-clearance-rfc3281 OBJECT IDENTIFIER ::= {
joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5)
clearance (55) }
--
-- The syntax of an Attribute Certificate
--
-- SIGNED{} is imported from PKIX1Explicit-2009; presumably it pairs the
-- AttributeCertificateInfo with an algorithm identifier and signature
-- value, as for public key certificates -- confirm against that module.
AttributeCertificate ::= SIGNED{AttributeCertificateInfo}
AttributeCertificateInfo ::= SEQUENCE {
version AttCertVersion, -- version is v2
holder Holder,
issuer AttCertIssuer,
-- the algorithm is constrained to the imported SignatureAlgorithms set
signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
{SignatureAlgorithms}},
serialNumber CertificateSerialNumber,
attrCertValidityPeriod AttCertValidityPeriod,
-- each attribute is one of AttributesDefined (an extensible set)
attributes SEQUENCE OF
AttributeSet{{AttributesDefined}},
issuerUniqueID UniqueIdentifier OPTIONAL,
extensions Extensions{{AttributeCertExtensions}} OPTIONAL
}
-- Only v2 is defined; the encoded value is 1.
AttCertVersion ::= INTEGER { v2(1) }
-- All three components are OPTIONAL at the syntax level; which
-- combinations are acceptable is decided by the profile, not here.
Holder ::= SEQUENCE {
baseCertificateID [0] IssuerSerial OPTIONAL,
-- the issuer and serial number of
-- the holder's Public Key Certificate
entityName [1] GeneralNames OPTIONAL,
-- the name of the claimant or role
objectDigestInfo [2] ObjectDigestInfo OPTIONAL
-- used to directly authenticate the
-- holder, for example, an executable
}
ObjectDigestInfo ::= SEQUENCE {
digestedObjectType ENUMERATED {
publicKey (0),
publicKeyCert (1),
otherObjectTypes (2) },
-- otherObjectTypes MUST NOT
-- be used in this profile
otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
-- The object set is left open ({...}), so this syntax does not restrict
-- which digest algorithm may appear; acceptable digests have to be
-- enforced by the relying party's policy.
digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
objectDigest BIT STRING
}
AttCertIssuer ::= CHOICE {
v1Form GeneralNames, -- MUST NOT be used in this
-- profile
v2Form [0] V2Form -- v2 only
}
V2Form ::= SEQUENCE {
issuerName GeneralNames OPTIONAL,
baseCertificateID [0] IssuerSerial OPTIONAL,
objectDigestInfo [1] ObjectDigestInfo OPTIONAL
-- issuerName MUST be present in this profile
-- baseCertificateID and objectDigestInfo MUST
-- NOT be present in this profile
}
-- Identifies a public key certificate by issuer name and serial number.
IssuerSerial ::= SEQUENCE {
issuer GeneralNames,
serial CertificateSerialNumber,
issuerUID UniqueIdentifier OPTIONAL
}
-- Both bounds are GeneralizedTime (there is no UTCTime alternative here).
AttCertValidityPeriod ::= SEQUENCE {
notBeforeTime GeneralizedTime,
notAfterTime GeneralizedTime
}
--
-- Syntax used by Attribute Certificate Extensions
--
Targets ::= SEQUENCE OF Target
Target ::= CHOICE {
targetName [0] GeneralName,
targetGroup [1] GeneralName,
targetCert [2] TargetCert
}
TargetCert ::= SEQUENCE {
targetCertificate IssuerSerial,
targetName GeneralName OPTIONAL,
certDigestInfo ObjectDigestInfo OPTIONAL
}
AAControls ::= SEQUENCE {
pathLenConstraint INTEGER (0..MAX) OPTIONAL,
permittedAttrs [0] AttrSpec OPTIONAL,
excludedAttrs [1] AttrSpec OPTIONAL,
-- NOTE(review): DEFAULT TRUE means an AAControls value that omits this
-- component decodes as permitUnSpecified = TRUE, i.e. presumably
-- attributes not named in permittedAttrs are allowed; profiles that
-- want a closed attribute list must set it to FALSE explicitly.
permitUnSpecified BOOLEAN DEFAULT TRUE
}
AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
-- A list of Targets lists (one Targets per proxy hop, presumably).
ProxyInfo ::= SEQUENCE OF Targets
--
-- Syntax used by Attribute Certificate Attributes
--
-- Generic attribute value syntax shared by at-chargingIdentity and
-- at-group: an optional policy authority plus a list of values, each
-- of which may be an OCTET STRING, an OID or a UTF8String.
IetfAttrSyntax ::= SEQUENCE {
policyAuthority[0] GeneralNames OPTIONAL,
values SEQUENCE OF CHOICE {
octets OCTET STRING,
oid OBJECT IDENTIFIER,
string UTF8String
}
}
-- Value syntax for at-authenticationInfo and at-accesIdentity; the
-- meaning of authInfo is not fixed by this module.
SvceAuthInfo ::= SEQUENCE {
service GeneralName,
ident GeneralName,
authInfo OCTET STRING OPTIONAL
}
RoleSyntax ::= SEQUENCE {
roleAuthority [0] GeneralNames OPTIONAL,
roleName [1] GeneralName
}
-- Current clearance syntax (untagged components). When classList is
-- absent the value is {unclassified}, i.e. bit 1 of ClassList set.
Clearance ::= SEQUENCE {
policyId OBJECT IDENTIFIER,
classList ClassList DEFAULT {unclassified},
securityCategories SET OF SecurityCategory
{{SupportedSecurityCategories}} OPTIONAL
}
-- Uncomment the following lines to support deprecated clearance
-- syntax and comment out previous Clearance.
-- Clearance ::= Clearance-rfc3281
-- Same components as Clearance but with explicit context tags [0]..[2],
-- so the two forms are NOT encoding-compatible; a decoder must know
-- which one it is parsing.
Clearance-rfc3281 ::= SEQUENCE {
policyId [0] OBJECT IDENTIFIER,
classList [1] ClassList DEFAULT {unclassified},
securityCategories [2] SET OF SecurityCategory-rfc3281
{{SupportedSecurityCategories}} OPTIONAL
}
ClassList ::= BIT STRING {
unmarked (0),
unclassified (1),
restricted (2),
confidential (3),
secret (4),
topSecret (5)
}
-- Open set: this module does not enumerate any supported categories.
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
-- Legacy (tagged) security category: the open type in "value" is
-- selected by the OID carried in "type" via the Supported set.
SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
type [0] IMPLICIT SECURITY-CATEGORY.
&id({Supported}),
value [1] EXPLICIT SECURITY-CATEGORY.
&Type({Supported}{@type})
}
-- Defined here but not referenced by any other type in this module.
ACClearAttrs ::= SEQUENCE {
acIssuer GeneralName,
acSerial INTEGER,
attrs SEQUENCE OF AttributeSet{{AttributesDefined}}
}
END