-- @(#) sm_x509ce.asn 1.3 3/4/98 15:25:14
CertificateExtensions
--
-- oid defined in sm_x501ud.asn
-- {joint-iso-ccitt ds(5) module(1) certificateExtensions(26) 0}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL
IMPORTS
id-at, id-ce, id-mr, informationFramework, authenticationFramework,
selectedAttributeTypes, upperBounds
FROM UsefulDefinitions { usefulDefinitions }
Name, RelativeDistinguishedName, Attribute
FROM InformationFramework { informationFramework }
GeneralNames, GeneralName
FROM CommonX509Definitions
CertificateSerialNumber, CertificateList, AlgorithmIdentifier
FROM AuthenticationFramework { authenticationFramework }
DirectoryString
FROM SelectedAttributeTypes { selectedAttributeTypes }
ORAddress
FROM MTSAbstractService { mTSAbstractService }
id-pkix
FROM ExtendedSecurityServices { extendedSecurityServices };
-- Unless explicitly noted otherwise, there is no significance to the ordering
-- of components of a SEQUENCE OF construct in this specification.
-- Key and policy information extensions --
-- AuthorityKeyIdentifier: names the issuer's key by key identifier and/or
-- by issuer name plus serial number. All three components are OPTIONAL in
-- this syntax, so an empty SEQUENCE decodes successfully.
-- NOTE(review): X.509 expects authorityCertIssuer and
-- authorityCertSerialNumber to be both present or both absent; nothing in
-- this definition enforces that pairing, so confirm the consumer checks it.
-- NOTE(review): a matching key identifier is only a path-building hint; it
-- is not evidence of issuance without signature verification.
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] KeyIdentifier OPTIONAL,
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
-- KeyIdentifier is an unconstrained OCTET STRING: no SIZE bound is given
-- here, so any length limit has to be applied by the consumer.
KeyIdentifier ::= OCTET STRING
-- Alias of KeyIdentifier; same encoding, no additional constraint.
SubjectKeyIdentifier ::= KeyIdentifier
-- KeyUsage: named bit list, bits 0 through 8. The numbers are BIT STRING
-- positions (bit 0 is the most significant bit of the first content octet),
-- not integer mask values.
-- decipherOnly is bit 8, so it lands in a second content octet; code that
-- reads only the first octet will never see it.
-- NOTE(review): the syntax does not relate bits to one another or to other
-- extensions (for example encipherOnly/decipherOnly with keyAgreement, or
-- keyCertSign with BasicConstraintsSyntax cA); those checks belong in the
-- path validator, not the decoder.
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
-- KeyPurposeId is any OBJECT IDENTIFIER, so purposes unknown to this module
-- still decode; the id-kp-* values assigned later in this module are the
-- ones it names explicitly.
KeyPurposeId ::= OBJECT IDENTIFIER
-- Added 9/14/00 by dmitch
-- ExtKeyUsageSyntax: one or more purposes (SIZE 1..MAX rejects an empty
-- list). Duplicates are not excluded by the syntax.
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
-- PrivateKeyUsagePeriod: validity window for the private key. Both fields
-- are OPTIONAL, but the WITH COMPONENTS constraint requires at least one of
-- notBefore / notAfter to be present.
-- NOTE(review): whether the ASN.1 compiler used with this module enforces
-- the WITH COMPONENTS constraint is not visible here (a later comment in
-- this file says it lacks support for matching rules); confirm an empty
-- SEQUENCE is rejected somewhere. The syntax also does not order the two
-- times, so notBefore later than notAfter must be caught by the consumer.
PrivateKeyUsagePeriod ::= SEQUENCE {
notBefore [0] GeneralizedTime OPTIONAL,
notAfter [1] GeneralizedTime OPTIONAL }
( WITH COMPONENTS {..., notBefore PRESENT} |
WITH COMPONENTS {..., notAfter PRESENT} )
-- CertificatePoliciesSyntax: one or more PolicyInformation entries. The
-- syntax does not forbid the same policyIdentifier appearing twice.
CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
-- PolicyInformation: a policy OID plus an optional, non-empty list of
-- qualifiers (SIZE 1..MAX applies when the list is present).
PolicyInformation ::= SEQUENCE {
policyIdentifier CertPolicyId,
policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
CertPolicyId ::= OBJECT IDENTIFIER
-- PolicyQualifierInfo: qualifier is typed ANY, so the decoder accepts
-- arbitrary encoded content in that position. Consumers have to interpret
-- it according to policyQualifierId and should treat it as untrusted,
-- unbounded input (length, nesting, string contents) until parsed.
PolicyQualifierInfo ::= SEQUENCE {
policyQualifierId OBJECT IDENTIFIER,
qualifier ANY OPTIONAL }
-- PolicyMappingsSyntax: one or more (issuerDomainPolicy,
-- subjectDomainPolicy) pairs. Both members are plain CertPolicyId values
-- with no value constraint.
-- NOTE(review): RFC 5280 disallows mapping to or from anyPolicy; that rule
-- cannot be seen in this syntax, so confirm the validator applies it if the
-- consumer follows that profile.
PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
issuerDomainPolicy CertPolicyId,
subjectDomainPolicy CertPolicyId }
-- SupportedAlgorithm: an algorithm identifier with optional intended key
-- usage bits and optional intended certificate policies. Reuses KeyUsage
-- and CertificatePoliciesSyntax from this module under context tags 0 and 1.
SupportedAlgorithm ::= SEQUENCE {
algorithmIdentifier AlgorithmIdentifier,
intendedUsage [0] KeyUsage OPTIONAL,
intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL }
-- Certificate subject and certificate issuer attributes extensions --
-- SubjectName: alias of GeneralNames, which this module imports from
-- CommonX509Definitions rather than defining locally.
-- NOTE(review): presumably this is the syntax carried under
-- id-ce-subjectAltName; the type name differs from the usual SubjectAltName,
-- so verify against the code that binds OIDs to decoders.
SubjectName ::= GeneralNames
-- moved to sm_x509cmn.asn since both sm_x509af.asn and sm_x509ce.asn need
-- it
--
-- GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
-- GeneralName ::= CHOICE {
-- otherName [0] OTHER-NAME,
-- rfc822Name [1] IA5String,
-- dNSName [2] IA5String,
-- x400Address [3] ORAddress,
-- directoryName [4] Name,
-- ediPartyName [5] EDIPartyName,
-- uniformResourceIdentifier [6] IA5String,
-- iPAddress [7] OCTET STRING,
-- registeredID [8] OBJECT IDENTIFIER }
--
-- OTHER-NAME ::= OBJECT IDENTIFIER
-- EDIPartyName ::= SEQUENCE {
-- nameAssigner [0] DirectoryString OPTIONAL,
-- partyName [1] DirectoryString }
--
-- IssuerAltName: alias of the imported GeneralNames type.
IssuerAltName ::= GeneralNames
-- SubjectDirectoryAttributes: one or more Attribute values (Attribute is
-- imported from InformationFramework). Attribute contents are defined
-- outside this module, so their validation is not visible here.
SubjectDirectoryAttributes ::= AttributesSyntax
AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute
-- Certification path constraints extensions --
-- BasicConstraintsSyntax: cA defaults to FALSE, so a value that omits cA
-- (including an empty SEQUENCE) decodes as a non-CA certificate.
-- pathLenConstraint is a non-negative INTEGER with no upper bound; a
-- consumer storing it in a fixed-width integer must range-check it.
-- The syntax does not tie pathLenConstraint to cA being TRUE, and does not
-- relate cA to the keyCertSign bit of KeyUsage; both checks have to be made
-- during path validation.
BasicConstraintsSyntax ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL }
-- NameConstraintsSyntax: permitted and excluded name subtrees. Both members
-- are OPTIONAL, so an empty SEQUENCE decodes successfully.
-- NOTE(review): RFC 5280 requires at least one of the two to be present;
-- that is not expressed here, so confirm the validator rejects or safely
-- handles the empty case.
NameConstraintsSyntax ::= SEQUENCE {
permittedSubtrees [0] GeneralSubtrees OPTIONAL,
excludedSubtrees [1] GeneralSubtrees OPTIONAL }
-- When a subtree list is present it must hold at least one entry.
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
-- GeneralSubtree: base is any GeneralName form (imported type). minimum
-- defaults to 0 when omitted; maximum has no default.
-- NOTE(review): RFC 5280's profile expects minimum to be 0 and maximum to
-- be absent. This syntax permits other values, so a consumer that ignores
-- the two fields should reject values it does not implement rather than
-- silently treating the subtree as unbounded.
GeneralSubtree ::= SEQUENCE {
base GeneralName,
minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL }
-- Non-negative, no upper bound.
BaseDistance ::= INTEGER (0..MAX)
-- PolicyConstraintsSyntax: both members are OPTIONAL, so an empty SEQUENCE
-- decodes successfully.
-- NOTE(review): RFC 5280 requires at least one of requireExplicitPolicy /
-- inhibitPolicyMapping to be present; confirm the consumer checks this.
PolicyConstraintsSyntax ::= SEQUENCE {
requireExplicitPolicy [0] SkipCerts OPTIONAL,
inhibitPolicyMapping [1] SkipCerts OPTIONAL }
-- Non-negative, no upper bound; range-check before narrowing to a
-- fixed-width counter.
SkipCerts ::= INTEGER (0..MAX)
-- Unlike the other SEQUENCE OF types in this module, CertPolicySet carries
-- no SIZE constraint, so an empty list is valid for this type.
CertPolicySet ::= SEQUENCE OF CertPolicyId
-- Basic CRL extensions --
-- CRLNumber: non-negative INTEGER with no upper bound in this syntax.
-- Consumers comparing CRL numbers should not assume the value fits a
-- machine word.
CRLNumber ::= INTEGER (0..MAX)
-- CRLReason: ENUMERATED reason code for a revoked entry. Value 7 is
-- deliberately skipped (see the inline note), so the numbering is not
-- contiguous and must not be used as a dense array index.
-- These are enumeration values, not bit positions: ReasonFlags in this
-- module uses similar names as BIT STRING bits, and the two encodings are
-- not interchangeable (note also cACompromise here versus caCompromise
-- there).
CRLReason ::= ENUMERATED {
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6), -- note 7 is not used by this spec.
removeFromCRL (8) }
-- HoldInstruction is an unconstrained OBJECT IDENTIFIER; no specific
-- instruction OIDs are assigned in this module.
HoldInstruction ::= OBJECT IDENTIFIER
InvalidityDate ::= GeneralizedTime
-- CRL distribution points and delta-CRL extensions --
-- CRLDistPointsSyntax: one or more distribution points.
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
-- DistributionPoint: all three members are OPTIONAL, so an empty SEQUENCE,
-- or one holding only reasons, decodes successfully.
-- NOTE(review): RFC 5280 requires distributionPoint or cRLIssuer to be
-- present; confirm the consumer rejects entries that give no way to locate
-- a CRL. Names found here come from the certificate being validated and
-- should be treated as untrusted input before any retrieval is attempted.
DistributionPoint ::= SEQUENCE {
distributionPoint [0] DistributionPointName OPTIONAL,
reasons [1] ReasonFlags OPTIONAL,
cRLIssuer [2] GeneralNames OPTIONAL }
-- DistributionPointName: either a full GeneralNames value or an RDN to be
-- appended to the CRL issuer's name.
DistributionPointName ::= CHOICE {
fullName [0] GeneralNames,
nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
-- ReasonFlags: named bit list, bits 0 through 6; bit 0 is named unused.
-- Bit positions line up numerically with CRLReason values 1 through 6, but
-- this is a BIT STRING and CRLReason is ENUMERATED, so the encoded values
-- differ and must not be compared directly.
ReasonFlags ::= BIT STRING {
unused (0),
keyCompromise (1),
caCompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6) }
-- IssuingDistPointSyntax: scope statement for a CRL. The three BOOLEAN
-- members each default to FALSE when omitted, so an empty SEQUENCE decodes
-- as an unrestricted, direct CRL.
-- The syntax does not prevent onlyContainsUserCerts and onlyContainsCACerts
-- from both being TRUE; that combination has to be rejected by the
-- consumer. A consumer that ignores onlySomeReasons or indirectCRL may
-- treat a partial or indirect CRL as complete, so unsupported settings
-- should fail closed.
IssuingDistPointSyntax ::= SEQUENCE {
distributionPoint [0] DistributionPointName OPTIONAL,
onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
onlySomeReasons [3] ReasonFlags OPTIONAL,
indirectCRL [4] BOOLEAN DEFAULT FALSE }
-- Alias of the imported GeneralNames type.
CertificateIssuer ::= GeneralNames
-- Same syntax and range as CRLNumber.
BaseCRLNumber ::= CRLNumber
-- Alias of CertificateList, imported from AuthenticationFramework.
DeltaRevocationList ::= CertificateList
-- Matching rules
-- removed. Our ASN.1 compiler does not support matching rules. We will
-- do this manually -Pierce
--
-- end of Matching rules
-- Object identifier assignments --
-- Attribute type OIDs, relative to the imported id-at arc.
id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52}
id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53}
-- Certificate and CRL extension OIDs, relative to the imported id-ce arc.
-- The arc numbers are not contiguous; the gaps are listed in the comment at
-- the end of this module. A consumer that meets an extension OID missing
-- from this list has no decoder for it here and must decide how to treat
-- it based on the extension's critical flag.
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14}
id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15}
id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16}
id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17}
id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18}
id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19}
id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20}
id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21}
id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23}
id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24}
id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27}
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28}
id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29}
id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30}
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32}
id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33}
-- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35}
id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36}
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
-- Matching rule OIDs, relative to the imported id-mr arc. Only the
-- identifiers are assigned here; the matching rule definitions themselves
-- were removed from this module (see the Matching rules comment above).
id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34}
id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}
id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}
id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}
id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}
id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}
id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}
-- Extended key usage purpose OIDs. id-kp hangs off id-pkix, which is
-- imported from ExtendedSecurityServices; these are the KeyPurposeId values
-- this module names for use in ExtKeyUsageSyntax.
-- The numbering skips 5 through 7; no purposes are assigned to those arcs
-- in this module.
id-kp OBJECT IDENTIFIER ::= {id-pkix 3}
id-kp-serverAuth OBJECT IDENTIFIER ::= {id-kp 1}
id-kp-clientAuth OBJECT IDENTIFIER ::= {id-kp 2}
id-kp-codeSigning OBJECT IDENTIFIER ::= {id-kp 3}
id-kp-emailProtection OBJECT IDENTIFIER ::= {id-kp 4}
id-kp-timeStamping OBJECT IDENTIFIER ::= {id-kp 8}
-- Written as a full numeric OID rather than relative to an imported arc.
-- No syntax for this extension is defined in this module, so its value is
-- decoded elsewhere, if at all.
id-netscape-cert-type OBJECT IDENTIFIER ::= {2 16 840 1 113730 1 1}
-- The following OBJECT IDENTIFIERS are not used by this specification:
-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
-- {id-ce 22}, {id-ce 25}, {id-ce 26}
END