-- @(#) sm_x509af.asn 1.2 2/24/98 13:40:34 
AuthenticationFramework 
-- 
-- oid defined in sm_x501ud.asn
--
-- {joint-iso-ccitt ds(5) module(1) authenticationFramework(7) 3}

DEFINITIONS ::=

BEGIN

-- EXPORTS All --
-- The types and values defined in this module are exported for use in the 
-- other ASN.1 modules contained 
-- within the Directory Specifications, and for the use of other applications
-- which will use them to access Directory services. Other applications may 
-- use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory 
-- service.

IMPORTS

   BigIntegerStr
   FROM VdaEnhancedTypes

   id-at, informationFramework, upperBounds, selectedAttributeTypes, 
   basicAccessControl, certificateExtensions
      FROM UsefulDefinitions { usefulDefinitions }

   Name, Attribute, AttributeType
      FROM InformationFramework  { informationFramework }

   ub-password-length
      FROM UpperBounds  { upperBounds }

-- not used
--   AuthenticationLevel
--     FROM BasicAccessControl { basicAccessControl }

--   GeneralNames
--      FROM CertificateExtensions { certificateExtensions }

   GeneralNames
        FROM CommonX509Definitions

   UniqueIdentifier
      FROM SelectedAttributeTypes  { selectedAttributeTypes } ;

-- basic certificate definition

Certificate ::= SEQUENCE {
    certificateToSign    CertificateToSign,
    algorithmIdentifier  AlgorithmIdentifier,
    signatureValue       BIT STRING }

CertificateToSign ::=  SEQUENCE {
   version           [0]  Version DEFAULT v1,
   serialNumber           CertificateSerialNumber,
   signature              AlgorithmIdentifier,
   issuer                 Name,
   validity               Validity,
   subject                Name,
   subjectPublicKeyInfo   SubjectPublicKeyInfo,
                        -- if present, version must be v2 or v3
   issuerUniqueIdentifier   [1]   IMPLICIT UniqueIdentifier OPTIONAL,
                        -- if present, version must be v2 or v3
   subjectUniqueIdentifier  [2]   IMPLICIT UniqueIdentifier OPTIONAL,
                        -- If present, version must be v3 
   extensions         [3]   Extensions OPTIONAL }

Version            ::=   INTEGER { v1(0), v2(1), v3(2) }

-- CertificateSerialNumber   ::=   INTEGER

CertificateSerialNumber ::= BigIntegerStr


AlgorithmIdentifier      ::=   SEQUENCE {
   algorithm       OBJECT IDENTIFIER,
   parameters      ANY OPTIONAL }

Validity            ::=   SEQUENCE {
   notBefore   Time,
   notAfter    Time }

SubjectPublicKeyInfo   ::=   SEQUENCE {
   algorithm          AlgorithmIdentifier,
   subjectPublicKey   BIT STRING }

Time  ::=  CHOICE { 
   utcTime       UTCTime, 
   generalizedTime   GeneralizedTime }

Extensions ::= SEQUENCE OF Extension

-- For those extensions where ordering of individual extensions within the 
-- SEQUENCE is significant, the specification of those individual extensions
--  shall include the rules for the significance of the order therein

Extension ::= SEQUENCE {
   extnId      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
               -- extnValue contains a DER encoding
   extnValue   OCTET STRING }

-- other certifiate constructs

Certificates            ::=   SEQUENCE {
   userCertificate      Certificate,
   certificationPath    ForwardCertificationPath OPTIONAL }

ForwardCertificationPath ::=   SEQUENCE OF CrossCertificates

CrossCertificates ::=   SET OF Certificate

CertificationPath ::=   SEQUENCE {
   userCertificate      Certificate,
   theCACertificates    SEQUENCE OF CertificatePair OPTIONAL }

CertificatePair ::=   SEQUENCE {
   -- at least one of the pair shall be present
   forward      [0]   Certificate OPTIONAL, 
   reverse      [1]   Certificate OPTIONAL }

-- certificate revocation list (CRL)

CertificateList ::= SEQUENCE {
   crlToSign           CRLToSign,
   algorithmIdentifier AlgorithmIdentifier,
   signatureValue      BIT STRING }
   
CRLToSign ::= SEQUENCE {
   version           Version OPTIONAL, -- if present, version must be v2
   signature         AlgorithmIdentifier,
   issuer            Name,
   thisUpdate        Time,
   nextUpdate        Time OPTIONAL,
   revokedCertificates   SEQUENCE OF SEQUENCE {
         userCertificate      CertificateSerialNumber,
         revocationDate       Time,
         crlEntryExtensions   Extensions OPTIONAL } OPTIONAL,
   crlExtensions   [0]  Extensions OPTIONAL }

-- attribute certificate
AttributeCertificationPath  ::=  SEQUENCE {
   attributeCertificate   AttributeCertificate, 
   acPath      SEQUENCE OF ACPathData OPTIONAL }

ACPathData  ::=  SEQUENCE {
   certificate            [0]  Certificate  OPTIONAL,
   attributeCertificate   [1]  AttributeCertificate  OPTIONAL }

AttributeCertificate ::= SEQUENCE {
   attributeCertificateInfo AttributeCertificateInfo,
   algorithmIdentifier      AlgorithmIdentifier,
   signatureValue           BIT STRING }

AttributeCertificateInfo ::= SEQUENCE {
   version         Version DEFAULT v1,
   subject   CHOICE {
      baseCertificateID [0] IssuerSerial,    -- associated  with a Public Key 
                                             -- Certificate 
      subjectName       [1] GeneralNames },  -- associated  with a name 
   issuer                 GeneralNames, -- CA issuing the attribute certificate
   signature              AlgorithmIdentifier,
   serialNumber           CertificateSerialNumber,
   attCertValidityPeriod  AttCertValidityPeriod,
   attributes      SEQUENCE OF Attribute,
   issuerUniqueID   UniqueIdentifier OPTIONAL,
   extensions      Extensions OPTIONAL }

IssuerSerial  ::= SEQUENCE {
   issuer       GeneralNames,
   serial       CertificateSerialNumber,
   issuerUID    UniqueIdentifier OPTIONAL}

AttCertValidityPeriod ::= SEQUENCE {
   notBeforeTime   GeneralizedTime,
   notAfterTime   GeneralizedTime }

AttributeCertificateAssertion  ::=  SEQUENCE  {
   -- At least one component of the sequence must be present
   subject      [0]   CHOICE {
      baseCertificateID   [0]  IssuerSerial,
      subjectName         [1]  Name } OPTIONAL,
   issuer          [1]   Name OPTIONAL,
   attCertValidity [2]   GeneralizedTime OPTIONAL,
   attType         [3]   SET OF AttributeType OPTIONAL }

-- Apple addenda: abstract "signed CRL or cert". In this case the blob to be
-- signed is actually an encoded CertificateToSign or CRLToSign. Representing
-- that blob as an ASN ANY field allows for signature verify without decoding 
-- the entire CertificateToSign or CRLToSign.

SignedCertOrCrl ::= SEQUENCE {
    tbsBlob				ANY,
    algIdBlob  			ANY,
    signatureValue		BIT STRING }

-- attribute types --

UserPassword ::= OCTET STRING (SIZE (0..ub-password-length))

UserCertificate ::= Certificate

CACertificate ::= Certificate

CrossCertificatePair ::= CertificatePair

AuthorityRevocationList ::= CertificateList

CertificateRevocationList ::= CertificateList

AttributeCertificateRevocationList ::= CertificateList

-- object identifier assignments --
id-at-userPassword      OBJECT IDENTIFIER   ::=   {id-at 35} 
id-at-userCertificate      OBJECT IDENTIFIER   ::=   {id-at 36}
id-at-cAcertificate         OBJECT IDENTIFIER   ::=   {id-at 37}
id-at-authorityRevocationList   OBJECT IDENTIFIER   ::=   {id-at 38}
id-at-certificateRevocationList   OBJECT IDENTIFIER   ::=   {id-at 39}
id-at-crossCertificatePair      OBJECT IDENTIFIER   ::=   {id-at 40}
id-at-attributeCertificate      OBJECT IDENTIFIER   ::=   {id-at 58}

END