PKIX1 { }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
-- ISO arc for standard certificate and CRL extensions
-- authority key identifier OID and syntax
PrivateKeyUsagePeriod ::= SEQUENCE {
notBefore [0] GeneralizedTime OPTIONAL,
notAfter [1] GeneralizedTime OPTIONAL }
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] OCTET STRING OPTIONAL, --KeyIdentifier
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
-- authorityCertIssuer and authorityCertSerialNumber shall both
-- be present or both be absgent
-- subject key identifier OID and syntax
SubjectKeyIdentifier ::= OCTET STRING
-- key usage extension OID and syntax
KeyUsage ::= BIT STRING
-- Directory string type --
DirectoryString ::= CHOICE {
teletexString TeletexString (SIZE (1..MAX)),
printableString PrintableString (SIZE (1..MAX)),
universalString UniversalString (SIZE (1..MAX)),
utf8String UTF8String (SIZE (1..MAX)),
bmpString BMPString (SIZE(1..MAX)),
-- IA5String is added here to handle old UID encoded as ia5String --
-- See tests/userid/ for more information. It shouldn't be here, --
-- so if it causes problems, considering dropping it. --
ia5String IA5String (SIZE(1..MAX)) }
SubjectAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
GeneralName ::= CHOICE {
otherName [0] AnotherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ANY,
-- Changed to work with the libtasn1 parser.
directoryName [4] EXPLICIT SEQUENCE OF RelativeDistinguishedName, --Name,
ediPartyName [5] ANY, --EDIPartyName replaced by ANY to save memory
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
AnotherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
-- issuer alternative name extension OID and syntax
IssuerAltName ::= GeneralNames
-- basic constraints extension OID and syntax
BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL }
-- CRL distribution points extension OID and syntax
CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
DistributionPoint ::= SEQUENCE {
distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL,
reasons [1] ReasonFlags OPTIONAL,
cRLIssuer [2] GeneralNames OPTIONAL
}
DistributionPointName ::= CHOICE {
fullName [0] GeneralNames,
nameRelativeToCRLIssuer [1] RelativeDistinguishedName
}
ReasonFlags ::= BIT STRING
-- extended key usage extension OID and syntax
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER --ExtKeyUsageSyntax
-- authority info access
AuthorityInfoAccessSyntax ::=
SEQUENCE SIZE (1..MAX) OF AccessDescription
AccessDescription ::= SEQUENCE {
accessMethod OBJECT IDENTIFIER,
accessLocation GeneralName }
-- CRL number extension OID and syntax
-- CRLNumber ::= INTEGER (0..MAX)
-- certificate issuer CRL entry extension OID and syntax
-- CertificateIssuer ::= GeneralNames
-- --------------------------------------
-- EXPLICIT
-- --------------------------------------
-- attribute data types --
Attribute ::= SEQUENCE {
type OBJECT IDENTIFIER, -- AttributeType
values SET OF ANY -- AttributeValue
-- at least one value is required --
}
-- AttributeType ::= OBJECT IDENTIFIER
-- AttributeValue ::= ANY DEFINED BY type
AttributeTypeAndValue ::= SEQUENCE {
type OBJECT IDENTIFIER, -- AttributeType
value ANY } -- AttributeValue
Name ::= CHOICE { -- only one possibility for now --
rdnSequence SEQUENCE OF RelativeDistinguishedName }
DistinguishedName ::= SEQUENCE OF RelativeDistinguishedName -- RDNSequence
RelativeDistinguishedName ::=
SET SIZE (1 .. MAX) OF AttributeTypeAndValue
-- --------------------------------------------------------
-- certificate and CRL specific structures begin here
-- --------------------------------------------------------
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING }
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT INTEGER DEFAULT 0,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version shall be v3 --
}
CertificateSerialNumber ::= INTEGER
Validity ::= SEQUENCE {
notBefore Time,
notAfter Time }
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
UniqueIdentifier ::= BIT STRING
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING }
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING }
-- ------------------------------------------
-- CRL structures
-- ------------------------------------------
CertificateList ::= SEQUENCE {
tbsCertList TBSCertList,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING }
TBSCertList ::= SEQUENCE {
version INTEGER OPTIONAL,
-- if present, shall be v2
signature AlgorithmIdentifier,
issuer Name,
thisUpdate Time,
nextUpdate Time OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate Time,
crlEntryExtensions Extensions OPTIONAL
-- if present, shall be v2
} OPTIONAL,
crlExtensions [0] EXPLICIT Extensions OPTIONAL
-- if present, shall be v2 --
}
-- Version, Time, CertificateSerialNumber, and Extensions were
-- defined earlier for use in the certificate structure
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
-- contains a value of the type
-- registered for use with the
-- algorithm object identifier value
-- Algorithm OIDs and parameter structures
Dss-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER
}
Dss-Parms ::= SEQUENCE {
p INTEGER,
q INTEGER,
g INTEGER }
-- Extension types and attribute values
--
-- END of PKIX1Implicit88
-- BEGIN of RFC2630
-- Cryptographic Message Syntax
pkcs-7-ContentInfo ::= SEQUENCE {
contentType OBJECT IDENTIFIER,
content [0] EXPLICIT ANY DEFINED BY contentType }
pkcs-7-DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}
pkcs-7-SignedData ::= SEQUENCE {
version INTEGER,
digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
encapContentInfo pkcs-7-EncapsulatedContentInfo,
certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
signerInfos pkcs-7-SignerInfos
}
pkcs-7-DigestAlgorithmIdentifiers ::= SET OF AlgorithmIdentifier
-- rfc5652: eContent [0] EXPLICIT OCTET STRING OPTIONAL
-- rfc2315: content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
eContentType OBJECT IDENTIFIER,
eContent [0] EXPLICIT ANY OPTIONAL }
-- We don't use CertificateList here since we only want
-- to read the raw data.
pkcs-7-CertificateRevocationLists ::= SET OF ANY
pkcs-7-CertificateChoices ::= CHOICE {
-- Although the paper uses Certificate type, we
-- don't use it since, we don't need to parse it.
-- We only need to read and store it.
certificate ANY
}
pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices
IssuerAndSerialNumber ::= SEQUENCE {
issuer Name,
serialNumber CertificateSerialNumber
}
pkcs-7-SignerInfo ::= SEQUENCE {
version INTEGER,
sid SignerIdentifier,
digestAlgorithm AlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm AlgorithmIdentifier,
signature OCTET STRING,
unsignedAttrs [1] IMPLICIT SignedAttributes OPTIONAL }
SignedAttributes ::= SET SIZE (1..MAX) OF Attribute
SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] OCTET STRING
}
pkcs-7-SignerInfos ::= SET OF pkcs-7-SignerInfo
-- BEGIN of RFC2986
-- Certificate requests
pkcs-10-CertificationRequestInfo ::= SEQUENCE {
version INTEGER,
subject Name,
subjectPKInfo SubjectPublicKeyInfo,
attributes [0] Attributes
}
Attributes ::= SET OF Attribute
pkcs-10-CertificationRequest ::= SEQUENCE {
certificationRequestInfo pkcs-10-CertificationRequestInfo,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING
}
-- stuff from PKCS#9
pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 7}
pkcs-9-challengePassword ::= CHOICE {
printableString PrintableString,
utf8String UTF8String }
pkcs-9-localKeyId ::= OCTET STRING
-- PKCS #8 stuff
-- Private-key information syntax
pkcs-8-PrivateKeyInfo ::= SEQUENCE {
version INTEGER,
privateKeyAlgorithm AlgorithmIdentifier,
privateKey OCTET STRING,
attributes [0] Attributes OPTIONAL }
-- Encrypted private-key information syntax
pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
encryptionAlgorithm AlgorithmIdentifier,
encryptedData pkcs-8-EncryptedData
}
pkcs-8-EncryptedData ::= OCTET STRING
-- PKCS #5 stuff
pkcs-5-des-CBC-params ::= OCTET STRING (SIZE(8))
pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))
pkcs-5-aes128-CBC-params ::= OCTET STRING (SIZE(16))
pkcs-5-aes192-CBC-params ::= OCTET STRING (SIZE(16))
pkcs-5-aes256-CBC-params ::= OCTET STRING (SIZE(16))
-- GOST extension
Gost28147-89-Parameters ::= SEQUENCE {
iv OCTET STRING, -- (SIZE (8))
encryptionParamSet OBJECT IDENTIFIER
}
pkcs-5-PBE-params ::= SEQUENCE {
salt OCTET STRING,
iterationCount INTEGER }
pkcs-5-PBES2-params ::= SEQUENCE {
keyDerivationFunc AlgorithmIdentifier,
encryptionScheme AlgorithmIdentifier }
-- PBKDF2
-- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
-- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}
pkcs-5-PBKDF2-params ::= SEQUENCE {
salt CHOICE {
specified OCTET STRING,
otherSource AlgorithmIdentifier
},
iterationCount INTEGER (1..MAX),
keyLength INTEGER (1..MAX) OPTIONAL,
prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
}
-- PKCS #12 stuff
pkcs-12-PFX ::= SEQUENCE {
version INTEGER {v3(3)},
authSafe pkcs-7-ContentInfo,
macData pkcs-12-MacData OPTIONAL
}
pkcs-12-PbeParams ::= SEQUENCE {
salt OCTET STRING,
iterations INTEGER
}
pkcs-12-MacData ::= SEQUENCE {
mac pkcs-7-DigestInfo,
macSalt OCTET STRING,
iterations INTEGER DEFAULT 1
-- Note: The default is for historical reasons and its use is
-- deprecated. A higher value, like 1024 is recommended.
}
pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
-- Data if unencrypted
-- EncryptedData if password-encrypted
-- EnvelopedData if public key-encrypted
pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag
pkcs-12-SafeBag ::= SEQUENCE {
bagId OBJECT IDENTIFIER,
bagValue [0] EXPLICIT ANY DEFINED BY badId,
bagAttributes SET OF Attribute OPTIONAL
}
-- CertBag
pkcs-12-CertBag ::= SEQUENCE {
certId OBJECT IDENTIFIER,
certValue [0] EXPLICIT ANY DEFINED BY certId
}
-- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
-- DER-encoded X.509 certificate stored in OCTET STRING
pkcs-12-CRLBag ::= SEQUENCE {
crlId OBJECT IDENTIFIER,
crlValue [0] EXPLICIT ANY DEFINED BY crlId
}
pkcs-12-SecretBag ::= SEQUENCE {
secretTypeId OBJECT IDENTIFIER,
secretValue [0] EXPLICIT ANY DEFINED BY secretTypeId
}
-- x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
-- DER-encoded X.509 CRL stored in OCTET STRING
-- PKCS #7 stuff (needed in PKCS 12)
pkcs-7-Data ::= OCTET STRING
pkcs-7-EncryptedData ::= SEQUENCE {
version INTEGER,
encryptedContentInfo pkcs-7-EncryptedContentInfo,
unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }
pkcs-7-EncryptedContentInfo ::= SEQUENCE {
contentType OBJECT IDENTIFIER,
contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }
pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
-- rfc3820
ProxyCertInfo ::= SEQUENCE {
pCPathLenConstraint INTEGER (0..MAX) OPTIONAL,
proxyPolicy ProxyPolicy }
ProxyPolicy ::= SEQUENCE {
policyLanguage OBJECT IDENTIFIER,
policy OCTET STRING OPTIONAL }
-- 2.5.29.32
certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
PolicyInformation ::= SEQUENCE {
policyIdentifier OBJECT IDENTIFIER,
policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
PolicyQualifierInfo ::= SEQUENCE {
policyQualifierId OBJECT IDENTIFIER,
qualifier ANY DEFINED BY policyQualifierId }
CPSuri ::= IA5String
UserNotice ::= SEQUENCE {
noticeRef NoticeReference OPTIONAL,
explicitText DisplayText OPTIONAL }
NoticeReference ::= SEQUENCE {
organization DisplayText,
noticeNumbers SEQUENCE OF INTEGER }
DisplayText ::= CHOICE {
ia5String IA5String (SIZE (1..200)),
visibleString VisibleString (SIZE (1..200)),
bmpString BMPString (SIZE (1..200)),
utf8String UTF8String (SIZE (1..200)) }
-- rfc2560
OCSPRequest ::= SEQUENCE {
tbsRequest TBSRequest,
optionalSignature [0] EXPLICIT Signature OPTIONAL }
TBSRequest ::= SEQUENCE {
version [0] EXPLICIT INTEGER DEFAULT 0,
requestorName [1] EXPLICIT GeneralName OPTIONAL,
requestList SEQUENCE OF Request,
requestExtensions [2] EXPLICIT Extensions OPTIONAL }
Signature ::= SEQUENCE {
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
Request ::= SEQUENCE {
reqCert CertID,
singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
CertID ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
issuerNameHash OCTET STRING, -- Hash of Issuer's DN
issuerKeyHash OCTET STRING, -- Hash of Issuers public key
serialNumber CertificateSerialNumber }
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
OCSPResponseStatus ::= ENUMERATED {
successful (0), --Response has valid confirmations
malformedRequest (1), --Illegal confirmation request
internalError (2), --Internal error in issuer
tryLater (3), --Try again later
--(4) is not used
sigRequired (5), --Must sign the request
unauthorized (6) --Request unauthorized
}
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING }
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
ResponseData ::= SEQUENCE {
version [0] EXPLICIT INTEGER DEFAULT 0,
responderID ResponderID,
producedAt GeneralizedTime,
responses SEQUENCE OF SingleResponse,
responseExtensions [1] EXPLICIT Extensions OPTIONAL }
ResponderID ::= CHOICE {
-- Changed to work with the libtasn1 parser.
byName [1] EXPLICIT SEQUENCE OF RelativeDistinguishedName, --Name
byKey [2] EXPLICIT OCTET STRING --SHA-1 hash of responder's public key
}
SingleResponse ::= SEQUENCE {
certID CertID,
certStatus CertStatus,
thisUpdate GeneralizedTime,
nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
singleExtensions [1] EXPLICIT Extensions OPTIONAL }
CertStatus ::= CHOICE {
good [0] IMPLICIT NULL,
revoked [1] IMPLICIT RevokedInfo,
unknown [2] IMPLICIT UnknownInfo }
RevokedInfo ::= SEQUENCE {
revocationTime GeneralizedTime,
revocationReason [0] EXPLICIT ENUMERATED { unspecified(0) } OPTIONAL }
UnknownInfo ::= NULL -- this can be replaced with an enumeration
-- rfc5280
NameConstraints ::= SEQUENCE {
permittedSubtrees [0] GeneralSubtrees OPTIONAL,
excludedSubtrees [1] GeneralSubtrees OPTIONAL }
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
GeneralSubtree ::= SEQUENCE {
base GeneralName,
minimum [0] INTEGER DEFAULT 0,
maximum [1] INTEGER OPTIONAL }
-- rfc7633
TlsFeatures ::= SEQUENCE OF INTEGER
END