-- @(#) sm_x509ce.asn 1.3 3/4/98 15:25:14 CertificateExtensions -- -- oid defined sm_x501ud.asn -- {joint-iso-ccitt ds(5) module(1) certificateExtensions(26) 0} DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS ALL IMPORTS id-at, id-ce, id-mr, informationFramework, authenticationFramework, selectedAttributeTypes, upperBounds FROM UsefulDefinitions { usefulDefinitions } Name, RelativeDistinguishedName, Attribute FROM InformationFramework { informationFramework } GeneralNames, GeneralName FROM CommonX509Definitions CertificateSerialNumber, CertificateList, AlgorithmIdentifier FROM AuthenticationFramework { authenticationFramework } DirectoryString FROM SelectedAttributeTypes { selectedAttributeTypes } ORAddress FROM MTSAbstractService { mTSAbstractService } id-pkix FROM ExtendedSecurityServices { extendedSecurityServices }; -- Unless explicitly noted otherwise, there is no significance to the ordering -- of components of a SEQUENCE OF construct in this specification. -- Key and policy information extensions -- AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] KeyIdentifier OPTIONAL, authorityCertIssuer [1] GeneralNames OPTIONAL, authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } KeyIdentifier ::= OCTET STRING SubjectKeyIdentifier ::= KeyIdentifier KeyUsage ::= BIT STRING { digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) } KeyPurposeId ::= OBJECT IDENTIFIER -- Added 9/14/00 by dmitch ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] GeneralizedTime OPTIONAL, notAfter [1] GeneralizedTime OPTIONAL } ( WITH COMPONENTS {..., notBefore PRESENT} | WITH COMPONENTS {..., notAfter PRESENT} ) CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation PolicyInformation ::= SEQUENCE { policyIdentifier CertPolicyId, policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL } CertPolicyId ::= OBJECT IDENTIFIER PolicyQualifierInfo ::= SEQUENCE { policyQualifierId OBJECT IDENTIFIER, qualifier ANY OPTIONAL } PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { issuerDomainPolicy CertPolicyId, subjectDomainPolicy CertPolicyId } SupportedAlgorithm ::= SEQUENCE { algorithmIdentifier AlgorithmIdentifier, intendedUsage [0] KeyUsage OPTIONAL, intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL } -- Certificate subject and certificate issuer attributes extensions -- SubjectName ::= GeneralNames -- moved to sm_x509cmn.asn since both sm_x509af.asn and sm_x509ce.asn need -- it -- -- GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName -- GeneralName ::= CHOICE { -- otherName [0] OTHER-NAME, -- rfc822Name [1] IA5String, -- dNSName [2] IA5String, -- x400Address [3] ORAddress, -- directoryName [4] Name, -- ediPartyName [5] EDIPartyName, -- uniformResourceIdentifier [6] IA5String, -- iPAddress [7] OCTET STRING, -- registeredID [8] OBJECT IDENTIFIER } -- -- OTHER-NAME ::= OBJECT IDENTIFIER -- EDIPartyName ::= SEQUENCE { -- nameAssigner [0] DirectoryString OPTIONAL, -- partyName [1] DirectoryString } -- IssuerAltName ::= GeneralNames SubjectDirectoryAttributes ::= AttributesSyntax AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute -- Certification path constraints extensions -- BasicConstraintsSyntax ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL } NameConstraintsSyntax ::= SEQUENCE { permittedSubtrees [0] GeneralSubtrees OPTIONAL, excludedSubtrees [1] GeneralSubtrees OPTIONAL } GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree GeneralSubtree ::= SEQUENCE { base GeneralName, minimum [0] BaseDistance DEFAULT 0, maximum [1] BaseDistance OPTIONAL } BaseDistance ::= INTEGER (0..MAX) PolicyConstraintsSyntax ::= SEQUENCE { requireExplicitPolicy [0] SkipCerts OPTIONAL, inhibitPolicyMapping [1] SkipCerts OPTIONAL } SkipCerts ::= INTEGER (0..MAX) CertPolicySet ::= SEQUENCE OF CertPolicyId -- Basic CRL extensions -- CRLNumber ::= INTEGER (0..MAX) CRLReason ::= ENUMERATED { unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), -- note 7 is not used by this spec. removeFromCRL (8) } HoldInstruction ::= OBJECT IDENTIFIER InvalidityDate ::= GeneralizedTime -- CRL distribution points and delta-CRL extensions -- CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, reasons [1] ReasonFlags OPTIONAL, cRLIssuer [2] GeneralNames OPTIONAL } DistributionPointName ::= CHOICE { fullName [0] GeneralNames, nameRelativeToCRLIssuer [1] RelativeDistinguishedName } ReasonFlags ::= BIT STRING { unused (0), keyCompromise (1), caCompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6) } IssuingDistPointSyntax ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, onlySomeReasons [3] ReasonFlags OPTIONAL, indirectCRL [4] BOOLEAN DEFAULT FALSE } CertificateIssuer ::= GeneralNames BaseCRLNumber ::= CRLNumber DeltaRevocationList ::= CertificateList -- Matching rules -- removed. Our ASN.1 compiler does not support matching ruling. We will -- do this manually -Pierce -- -- end of Matching rules -- Object identifier assignments -- id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52} id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53} id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9} id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14} id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15} id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16} id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17} id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18} id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19} id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20} id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21} id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23} id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24} id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27} id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28} id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29} id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30} id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32} id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33} -- deprecated OBJECT IDENTIFIER ::= {id-ce 34} id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35} id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36} id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34} id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35} id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36} id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37} id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38} id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39} id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40} id-kp OBJECT IDENTIFIER ::= {id-pkix 3} id-kp-serverAuth OBJECT IDENTIFIER ::= {id-kp 1} id-kp-clientAuth OBJECT IDENTIFIER ::= {id-kp 2} id-kp-codeSigning OBJECT IDENTIFIER ::= {id-kp 3} id-kp-emailProtection OBJECT IDENTIFIER ::= {id-kp 4} id-kp-timeStamping OBJECT IDENTIFIER ::= {id-kp 8} id-netscape-cert-type OBJECT IDENTIFIER ::= {2 16 840 1 113730 1 1} -- The following OBJECT IDENTIFIERS are not used by this specification: -- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7}, -- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13}, -- {id-ce 22}, {id-ce 25}, {id-ce 26} END