-- Module AuthenticationFramework (X.509:03/2000) AuthenticationFramework {joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 4} DEFINITIONS ::= BEGIN -- EXPORTS All -- The types and values defined in this module are exported for use in the other ASN.1 modules contained -- within the Directory Specifications, and for the use of other applications which will use them to access -- Directory services. Other applications may use them for their own purposes, but this will not constrain -- extensions and modifications needed to maintain or improve the Directory service. IMPORTS id-at, id-nf, id-oc, informationFramework, upperBounds, selectedAttributeTypes, basicAccessControl, certificateExtensions FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 4} Name, ATTRIBUTE, OBJECT-CLASS, NAME-FORM, top FROM InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1) 4} ub-user-password, ub-content FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 4} UniqueIdentifier, octetStringMatch, DirectoryString{}, commonName FROM SelectedAttributeTypes {joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 4} certificateExactMatch, certificatePairExactMatch, certificateListExactMatch, KeyUsage, GeneralNames, CertificatePoliciesSyntax, algorithmIdentifierMatch, CertPolicyId FROM CertificateExtensions {joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 4}; -- public-key certificate definition Certificate ::= SIGNED {SEQUENCE {version [0] Version DEFAULT v1, serialNumber CertificateSerialNumber, signature AlgorithmIdentifier, issuer Name, validity Validity, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo, issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL, -- if present, version shall be v2 or v3 subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL, -- if present, version shall be v2 or v3 extensions [3] Extensions OPTIONAL }} -- If present, version shall be v3 Version ::= INTEGER {v1(0), v2(1), v3(2)} CertificateSerialNumber ::= INTEGER AlgorithmIdentifier ::= SEQUENCE { algorithm ALGORITHM.&id({SupportedAlgorithms}), parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL } -- Definition of the following information object set is deferred, perhaps to standardized -- profiles or to protocol implementation conformance statements. The set is required to -- specify a table constraint on the parameters component of AlgorithmIdentifier. SupportedAlgorithms ALGORITHM ::= {...} Validity ::= SEQUENCE {notBefore Time, notAfter Time } SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING } Time ::= CHOICE {utcTime UTCTime, generalizedTime GeneralizedTime } Extensions ::= SEQUENCE OF Extension -- For those extensions where ordering of individual extensions within the SEQUENCE is significant, the -- specification of those individual extensions shall include the rules for the significance of the order therein Extension ::= SEQUENCE { extnId EXTENSION.&id({ExtensionSet}), critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING } -- contains a DER encoding of a value of type &ExtnType -- for the extension object identified by extnId ExtensionSet EXTENSION ::= {...} EXTENSION ::= CLASS {&id OBJECT IDENTIFIER UNIQUE, &ExtnType }WITH SYNTAX {SYNTAX &ExtnType IDENTIFIED BY &id } -- other PKI certificate constructs Certificates ::= SEQUENCE { userCertificate Certificate, certificationPath ForwardCertificationPath OPTIONAL } ForwardCertificationPath ::= SEQUENCE OF CrossCertificates CrossCertificates ::= SET OF Certificate CertificationPath ::= SEQUENCE { userCertificate Certificate, theCACertificates SEQUENCE OF CertificatePair OPTIONAL } CertificatePair ::= SEQUENCE { forward [0] Certificate OPTIONAL, reverse [1] Certificate OPTIONAL } -- at least one of the pair shall be present (WITH COMPONENTS { ..., forward PRESENT } | WITH COMPONENTS { ..., reverse PRESENT }) -- certificate revocation list (CRL) CertificateList ::= SIGNED {SEQUENCE {version Version OPTIONAL, -- if present, version shall be v2 signature AlgorithmIdentifier, issuer Name, thisUpdate Time, nextUpdate Time OPTIONAL, revokedCertificates SEQUENCE OF SEQUENCE {serialNumber CertificateSerialNumber, revocationDate Time, crlEntryExtensions Extensions OPTIONAL} OPTIONAL, crlExtensions [0] Extensions OPTIONAL}} -- information object classes ALGORITHM ::= TYPE-IDENTIFIER -- parameterized types HASH{ToBeHashed} ::= SEQUENCE { algorithmIdentifier AlgorithmIdentifier, hashValue BIT STRING (CONSTRAINED BY { -- shall be the result of applying a hashing procedure to the DER-encoded octets -- of a value of -- ToBeHashed}) } ENCRYPTED-HASH{ToBeSigned} ::= BIT STRING (CONSTRAINED BY { -- shall be the result of applying a hashing procedure to the DER-encoded (see 6.1) octets -- of a value of --ToBeSigned -- and then applying an encipherment procedure to those octets --}) ENCRYPTED{ToBeEnciphered} ::= BIT STRING (CONSTRAINED BY { -- shall be the result of applying an encipherment procedure -- to the BER-encoded octets of a value of --ToBeEnciphered}) SIGNATURE{ToBeSigned} ::= SEQUENCE { algorithmIdentifier AlgorithmIdentifier, encrypted ENCRYPTED-HASH{ToBeSigned} } SIGNED{ToBeSigned} ::= SEQUENCE { toBeSigned ToBeSigned, COMPONENTS OF SIGNATURE{ToBeSigned} } -- PKI object classes pkiUser OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {userCertificate} ID id-oc-pkiUser } pkiCA OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {cACertificate | certificateRevocationList | authorityRevocationList | crossCertificatePair} ID id-oc-pkiCA } cRLDistributionPoint OBJECT-CLASS ::= { SUBCLASS OF {top} KIND structural MUST CONTAIN {commonName} MAY CONTAIN {certificateRevocationList | authorityRevocationList | deltaRevocationList} ID id-oc-cRLDistributionPoint } cRLDistPtNameForm NAME-FORM ::= { NAMES cRLDistributionPoint WITH ATTRIBUTES {commonName} ID id-nf-cRLDistPtNameForm } deltaCRL OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {deltaRevocationList} ID id-oc-deltaCRL } cpCps OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {certificatePolicy | certificationPracticeStmt} ID id-oc-cpCps } pkiCertPath OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {pkiPath} ID id-oc-pkiCertPath } -- PKI directory attributes userCertificate ATTRIBUTE ::= { WITH SYNTAX Certificate EQUALITY MATCHING RULE certificateExactMatch ID id-at-userCertificate } cACertificate ATTRIBUTE ::= { WITH SYNTAX Certificate EQUALITY MATCHING RULE certificateExactMatch ID id-at-cAcertificate } crossCertificatePair ATTRIBUTE ::= { WITH SYNTAX CertificatePair EQUALITY MATCHING RULE certificatePairExactMatch ID id-at-crossCertificatePair } certificateRevocationList ATTRIBUTE ::= { WITH SYNTAX CertificateList EQUALITY MATCHING RULE certificateListExactMatch ID id-at-certificateRevocationList } authorityRevocationList ATTRIBUTE ::= { WITH SYNTAX CertificateList EQUALITY MATCHING RULE certificateListExactMatch ID id-at-authorityRevocationList } deltaRevocationList ATTRIBUTE ::= { WITH SYNTAX CertificateList EQUALITY MATCHING RULE certificateListExactMatch ID id-at-deltaRevocationList } supportedAlgorithms ATTRIBUTE ::= { WITH SYNTAX SupportedAlgorithm EQUALITY MATCHING RULE algorithmIdentifierMatch ID id-at-supportedAlgorithms } SupportedAlgorithm ::= SEQUENCE { algorithmIdentifier AlgorithmIdentifier, intendedUsage [0] KeyUsage OPTIONAL, intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL } certificationPracticeStmt ATTRIBUTE ::= { WITH SYNTAX InfoSyntax ID id-at-certificationPracticeStmt } InfoSyntax ::= CHOICE { content DirectoryString{ub-content}, pointer SEQUENCE {name GeneralNames, hash HASH{HashedPolicyInfo} OPTIONAL} } POLICY ::= TYPE-IDENTIFIER HashedPolicyInfo ::= POLICY.&Type({Policies}) Policies POLICY ::= {...} -- Defined by implementors certificatePolicy ATTRIBUTE ::= { WITH SYNTAX PolicySyntax ID id-at-certificatePolicy } PolicySyntax ::= SEQUENCE { policyIdentifier PolicyID, policySyntax InfoSyntax } PolicyID ::= CertPolicyId pkiPath ATTRIBUTE ::= {WITH SYNTAX PkiPath ID id-at-pkiPath } PkiPath ::= SEQUENCE OF CrossCertificates userPassword ATTRIBUTE ::= { WITH SYNTAX OCTET STRING(SIZE (0..ub-user-password)) EQUALITY MATCHING RULE octetStringMatch ID id-at-userPassword } -- object identifier assignments -- object classes id-oc-cRLDistributionPoint OBJECT IDENTIFIER ::= {id-oc 19} id-oc-pkiUser OBJECT IDENTIFIER ::= {id-oc 21} id-oc-pkiCA OBJECT IDENTIFIER ::= {id-oc 22} id-oc-deltaCRL OBJECT IDENTIFIER ::= {id-oc 23} id-oc-cpCps OBJECT IDENTIFIER ::= {id-oc 30} id-oc-pkiCertPath OBJECT IDENTIFIER ::= {id-oc 31} --name forms id-nf-cRLDistPtNameForm OBJECT IDENTIFIER ::= {id-nf 14} --directory attributes id-at-userPassword OBJECT IDENTIFIER ::= {id-at 35} id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36} id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37} id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38} id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39} id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40} id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52} id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53} id-at-certificationPracticeStmt OBJECT IDENTIFIER ::= {id-at 68} id-at-certificatePolicy OBJECT IDENTIFIER ::= {id-at 69} id-at-pkiPath OBJECT IDENTIFIER ::= {id-at 70} END -- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D