1
SSL-PKIX {iso(1) identified-organization(3) dod(6) internet(1)
2
private(4) enterprices(1) ericsson(193) otp(19) ssl(10)
5
DEFINITIONS EXPLICIT TAGS ::=
12
-- Certificate (parts of)
14
CertificateSerialNumber,
15
--AlgorithmIdentifier,
19
-- AttributeTypeAndValue
26
id-at-generationQualifier, X520name,
27
id-at-commonName, X520CommonName,
28
id-at-localityName, X520LocalityName,
29
id-at-stateOrProvinceName, X520StateOrProvinceName,
30
id-at-organizationName, X520OrganizationName,
31
id-at-organizationalUnitName, X520OrganizationalUnitName,
32
id-at-title, X520Title,
33
id-at-dnQualifier, X520dnQualifier,
34
id-at-countryName, X520countryName,
35
id-at-serialNumber, X520SerialNumber,
36
id-at-pseudonym, X520Pseudonym,
37
id-domainComponent, DomainComponent,
38
id-emailAddress, EmailAddress,
40
-- Extension Attributes
41
common-name, CommonName,
42
teletex-common-name, TeletexCommonName,
43
teletex-personal-name, TeletexPersonalName,
45
physical-delivery-country-name, PhysicalDeliveryCountryName,
46
postal-code, PostalCode,
47
physical-delivery-office-name, PhysicalDeliveryOfficeName,
48
physical-delivery-office-number, PhysicalDeliveryOfficeNumber,
49
extension-OR-address-components, ExtensionORAddressComponents,
50
physical-delivery-personal-name, PhysicalDeliveryPersonalName,
51
physical-delivery-organization-name, PhysicalDeliveryOrganizationName,
52
extension-physical-delivery-address-components,
53
ExtensionPhysicalDeliveryAddressComponents,
54
unformatted-postal-address, UnformattedPostalAddress,
55
street-address, StreetAddress,
56
post-office-box-address, PostOfficeBoxAddress,
57
poste-restante-address, PosteRestanteAddress,
58
unique-postal-name, UniquePostalName,
59
local-postal-attributes, LocalPostalAttributes,
60
extended-network-address, ExtendedNetworkAddress,
61
terminal-type, TerminalType,
62
teletex-domain-defined-attributes, TeletexDomainDefinedAttributes
64
FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6)
65
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
66
id-pkix1-explicit(18) }
69
id-ce-authorityKeyIdentifier, AuthorityKeyIdentifier,
70
id-ce-subjectKeyIdentifier, SubjectKeyIdentifier,
71
id-ce-keyUsage, KeyUsage,
72
id-ce-privateKeyUsagePeriod, PrivateKeyUsagePeriod,
73
id-ce-certificatePolicies, CertificatePolicies,
74
id-ce-policyMappings, PolicyMappings,
75
id-ce-subjectAltName, SubjectAltName,
76
id-ce-issuerAltName, IssuerAltName,
77
id-ce-subjectDirectoryAttributes, SubjectDirectoryAttributes,
78
id-ce-basicConstraints, BasicConstraints,
79
id-ce-nameConstraints, NameConstraints,
80
id-ce-policyConstraints, PolicyConstraints,
81
id-ce-cRLDistributionPoints, CRLDistributionPoints,
82
id-ce-extKeyUsage, ExtKeyUsageSyntax,
83
id-ce-inhibitAnyPolicy, InhibitAnyPolicy,
84
id-ce-freshestCRL, FreshestCRL,
85
id-pe-authorityInfoAccess, AuthorityInfoAccessSyntax,
86
id-pe-subjectInfoAccess, SubjectInfoAccessSyntax,
87
id-ce-cRLNumber, CRLNumber,
88
id-ce-issuingDistributionPoint, IssuingDistributionPoint,
89
id-ce-deltaCRLIndicator, BaseCRLNumber,
90
id-ce-cRLReasons, CRLReason,
91
id-ce-certificateIssuer, CertificateIssuer,
92
id-ce-holdInstructionCode, HoldInstructionCode,
93
id-ce-invalidityDate, InvalidityDate
95
FROM PKIX1Implicit88 { iso(1) identified-organization(3) dod(6)
96
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
97
id-pkix1-implicit(19) }
100
id-dsa, Dss-Parms, DSAPublicKey,
102
md2WithRSAEncryption,
103
md5WithRSAEncryption,
104
sha1WithRSAEncryption,
105
rsaEncryption, RSAPublicKey,
106
dhpublicnumber, DomainParameters, DHPublicKey,
107
id-keyExchangeAlgorithm, KEA-Parms-Id, --KEA-PublicKey,
109
prime-field, Prime-p,
110
characteristic-two-field, --Characteristic-two,
113
ppBasis, Pentanomial,
114
id-ecPublicKey, EcpkParameters, ECPoint
115
FROM PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6)
116
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
117
id-mod-pkix1-algorithms(17) };
123
-- X.509 certificate (RFC 5280 section 4.1): the signed body, the algorithm
-- the issuer used, and the signature itself carried as a BIT STRING.
-- NOTE(review): RFC 5280 section 4.1.1.2 requires `signatureAlgorithm` to be
-- identical to `tbsCertificate.signature`. This schema cannot express that
-- equality, and the outer field is not covered by the signature, so the
-- verifier must compare the two before it trusts the signature.
Certificate ::= SEQUENCE {
    tbsCertificate TBSCertificate,
    signatureAlgorithm SignatureAlgorithm,
    signature BIT STRING }
128
TBSCertificate ::= SEQUENCE {
129
version [0] Version DEFAULT v1,
130
serialNumber CertificateSerialNumber,
131
signature SignatureAlgorithm,
135
subjectPublicKeyInfo SubjectPublicKeyInfo,
136
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
137
-- If present, version MUST be v2 or v3
138
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
139
-- If present, version MUST be v2 or v3
140
extensions [3] Extensions OPTIONAL
141
-- If present, version MUST be v3 -- }
144
-- Attribute type and values
147
ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= CLASS {
148
&id AttributeType UNIQUE,
154
-- One attribute of a relative distinguished name (RFC 5280 section
-- 4.1.2.4). The table constraint ties `value` to the ASN.1 type registered
-- for `type` in SupportedAttributeTypeAndValues, so a decoder that honors
-- the constraint will not accept a value encoded as some other type.
-- NOTE(review): attribute types outside that closed set presumably fail to
-- decode rather than being passed through; confirm before relying on this
-- for certificates issued by third-party CAs.
AttributeTypeAndValue ::= SEQUENCE {
    type ATTRIBUTE-TYPE-AND-VALUE-CLASS.&id
        ({SupportedAttributeTypeAndValues}),
    value ATTRIBUTE-TYPE-AND-VALUE-CLASS.&Type
        ({SupportedAttributeTypeAndValues}{@type}) }
160
-- Closed set of the Name attribute types this module can decode; each
-- member pairs an id-at-* / id-* OID with its X.520 value type.
SupportedAttributeTypeAndValues ATTRIBUTE-TYPE-AND-VALUE-CLASS ::=
    { name | surname | givenName | initials | generationQualifier |
      commonName | localityName | stateOrProvinceName | organizationName |
      organizationalUnitName | title | dnQualifier | countryName |
      serialNumber | pseudonym | domainComponent | emailAddress }
166
name ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
170
surname ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
174
givenName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
178
initials ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
182
generationQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
183
ID id-at-generationQualifier
186
commonName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
188
TYPE X520CommonName }
190
-- Binds id-at-localityName to its X.520 value type (both imported from
-- PKIX1Explicit88).
localityName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
    ID id-at-localityName
    TYPE X520LocalityName }
194
-- Binds id-at-stateOrProvinceName to its X.520 value type (both imported
-- from PKIX1Explicit88).
stateOrProvinceName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
    ID id-at-stateOrProvinceName
    TYPE X520StateOrProvinceName }
198
-- Binds id-at-organizationName to its X.520 value type (both imported from
-- PKIX1Explicit88).
organizationName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
    ID id-at-organizationName
    TYPE X520OrganizationName }
202
-- Binds id-at-organizationalUnitName to its X.520 value type (both imported
-- from PKIX1Explicit88).
organizationalUnitName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
    ID id-at-organizationalUnitName
    TYPE X520OrganizationalUnitName }
206
title ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
210
dnQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
212
TYPE X520dnQualifier }
214
countryName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
216
TYPE X520countryName }
218
-- Binds id-at-serialNumber (the X.520 subject serialNumber attribute, not
-- the certificate serial number) to its value type.
serialNumber ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
    ID id-at-serialNumber
    TYPE X520SerialNumber }
222
pseudonym ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
226
-- Binds id-domainComponent (DC=) to DomainComponent, both imported from
-- PKIX1Explicit88.
domainComponent ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
    ID id-domainComponent
    TYPE DomainComponent }
230
emailAddress ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
235
-- Signature and Public Key Algorithms
238
SubjectPublicKeyInfo ::= SEQUENCE {
240
algo PUBLIC-KEY-ALGORITHM-CLASS.&id
241
({SupportedPublicKeyAlgorithms}),
242
parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type
243
({SupportedPublicKeyAlgorithms}{@.algo})
246
subjectPublicKey PUBLIC-KEY-ALGORITHM-CLASS.&PublicKeyType
247
({SupportedPublicKeyAlgorithms}{@algorithm.algo}) }
249
-- The following is needed for conversion of SubjectPublicKeyInfo.
251
-- Loosely typed SubjectPublicKeyInfo used for conversion: the key is left
-- as ANY, so none of the per-algorithm PUBLIC-KEY-TYPE checks that
-- SubjectPublicKeyInfo applies are performed here.
-- NOTE(review): a consumer must decode `subjectPublicKey` against the type
-- selected by `algorithm` before using the key; do not treat this form as
-- validated key material.
SubjectPublicKeyInfo-Any ::= SEQUENCE {
    algorithm PublicKeyAlgorithm,
    subjectPublicKey ANY }
256
SIGNATURE-ALGORITHM-CLASS ::= CLASS {
257
&id OBJECT IDENTIFIER UNIQUE,
263
PUBLIC-KEY-ALGORITHM-CLASS ::= CLASS {
264
&id OBJECT IDENTIFIER UNIQUE,
266
&PublicKeyType OPTIONAL }
270
[PUBLIC-KEY-TYPE &PublicKeyType] }
272
SignatureAlgorithm ::= SEQUENCE {
273
algorithm SIGNATURE-ALGORITHM-CLASS.&id
274
({SupportedSignatureAlgorithms}),
275
parameters SIGNATURE-ALGORITHM-CLASS.&Type
276
({SupportedSignatureAlgorithms}{@algorithm})
279
-- Unconstrained AlgorithmIdentifier: any OID decodes, with whatever
-- parameters follow it, unlike SignatureAlgorithm whose OID is limited to
-- SupportedSignatureAlgorithms.
-- NOTE(review): because nothing here restricts the OID, code that accepts
-- this form must check `algorithm` against an explicit allow-list before
-- attempting verification.
SignatureAlgorithm-Any ::= SEQUENCE {
    algorithm OBJECT IDENTIFIER,
    parameters ANY OPTIONAL }
283
PublicKeyAlgorithm ::= SEQUENCE {
284
algorithm PUBLIC-KEY-ALGORITHM-CLASS.&id
285
({SupportedPublicKeyAlgorithms}),
286
parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type
287
({SupportedPublicKeyAlgorithms}{@algorithm})
290
SupportedSignatureAlgorithms SIGNATURE-ALGORITHM-CLASS ::= {
291
dsa-with-sha1 | md2-with-rsa-encryption |
292
md5-with-rsa-encryption | sha1-with-rsa-encryption |
295
-- Closed set of SubjectPublicKeyInfo algorithms this module can decode.
-- `dh` and `kea` are key-agreement algorithms only; there is no matching
-- entry in SupportedSignatureAlgorithms for either.
SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
    dsa | rsa-encryption | dh | kea | ec-public-key }
298
-- DSA Keys and Signatures
300
-- SubjectPublicKeyInfo:
302
dsa PUBLIC-KEY-ALGORITHM-CLASS ::= {
304
TYPE Dss-Parms -- XXX Must be OPTIONAL
305
PUBLIC-KEY-TYPE DSAPublicKey }
307
-- Certificate.signatureAlgorithm
309
dsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
311
TYPE NULL } -- XXX Must be empty and not NULL
314
-- RSA Keys and Signatures
317
-- Certificate.signatureAlgorithm
-- NOTE(review): md2WithRSAEncryption and md5WithRSAEncryption are listed
-- below only so that legacy certificates can still be decoded. MD2 and
-- MD5 are considered broken (RFC 6149, RFC 6151); a verifier must not
-- accept either when checking a signature it intends to trust.
319
md2-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
320
ID md2WithRSAEncryption
323
md5-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
324
ID md5WithRSAEncryption
327
sha1-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
328
ID sha1WithRSAEncryption
331
-- Certificate.signature
332
-- See PKCS #1 v1.5 (RFC 2313; superseded by RFC 3447 and RFC 8017). XXX
334
-- SubjectPublicKeyInfo:
336
rsa-encryption PUBLIC-KEY-ALGORITHM-CLASS ::= {
339
PUBLIC-KEY-TYPE RSAPublicKey }
342
-- Diffie-Hellman Keys
345
-- SubjectPublicKeyInfo:
347
dh PUBLIC-KEY-ALGORITHM-CLASS ::= {
349
TYPE DomainParameters
350
PUBLIC-KEY-TYPE DHPublicKey }
352
-- There are no Diffie-Hellman signature algorithms
358
-- SubjectPublicKeyInfo:
360
-- Defined locally because the KEA-PublicKey import from PKIX1Algorithms88
-- is commented out in the IMPORTS list above.
KEA-PublicKey ::= INTEGER
362
kea PUBLIC-KEY-ALGORITHM-CLASS ::= {
363
ID id-keyExchangeAlgorithm
365
PUBLIC-KEY-TYPE KEA-PublicKey }
367
-- There are no KEA signature algorithms
370
-- Elliptic Curve Keys, Signatures, and Curves
373
-- Certificate.signatureAlgorithm
375
ecdsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
377
TYPE NULL } -- XXX Must be empty and not NULL
379
FIELD-ID-CLASS ::= CLASS {
380
&id OBJECT IDENTIFIER UNIQUE,
386
-- Identifies the finite field an elliptic curve is defined over; the
-- parameters type is selected by `fieldType` via SupportedFieldIds
-- (prime field or characteristic-two field).
FieldID ::= SEQUENCE { -- Finite field
    fieldType FIELD-ID-CLASS.&id({SupportedFieldIds}),
    parameters FIELD-ID-CLASS.&Type({SupportedFieldIds}{@fieldType}) }
390
-- The two field kinds FieldID can carry.
SupportedFieldIds FIELD-ID-CLASS ::= {
    field-prime-field | field-characteristic-two }
393
field-prime-field FIELD-ID-CLASS ::= {
397
CHARACTERISTIC-TWO-CLASS ::= CLASS {
398
&id OBJECT IDENTIFIER UNIQUE,
404
-- Parameters of a binary field GF(2^m): the extension degree and the basis
-- (Gaussian normal, trinomial or pentanomial) used to represent elements.
-- NOTE(review): `m` is an unconstrained INTEGER here; a consumer should
-- range-check it before allocating or iterating on it. TODO confirm where
-- that check lives.
Characteristic-two ::= SEQUENCE { -- Finite field
    m INTEGER, -- Field size 2^m
    basis CHARACTERISTIC-TWO-CLASS.&id({SupportedCharacteristicTwos}),
    parameters CHARACTERISTIC-TWO-CLASS.&Type
        ({SupportedCharacteristicTwos}{@basis}) }
410
-- Basis representations accepted in Characteristic-two.
SupportedCharacteristicTwos CHARACTERISTIC-TWO-CLASS ::= {
    gn-basis | tp-basis | pp-basis }
413
-- Binds the characteristic-two-field OID (from PKIX1Algorithms88) to the
-- locally defined Characteristic-two parameter type.
field-characteristic-two FIELD-ID-CLASS ::= {
    ID characteristic-two-field
    TYPE Characteristic-two }
417
gn-basis CHARACTERISTIC-TWO-CLASS ::= {
421
tp-basis CHARACTERISTIC-TWO-CLASS ::= {
425
pp-basis CHARACTERISTIC-TWO-CLASS ::= {
429
-- SubjectPublicKeyInfo.algorithm
431
ec-public-key PUBLIC-KEY-ALGORITHM-CLASS ::= {
434
PUBLIC-KEY-TYPE ECPoint }
437
-- Extension Attributes
440
EXTENSION-ATTRIBUTE-CLASS ::= CLASS {
447
-- Non-empty set of X.400 O/R-address extension attributes.
ExtensionAttributes ::= SET SIZE (1..MAX) OF ExtensionAttribute
449
-- XXX Below we should have extension-attribute-type and extension-
450
-- attribute-value but Erlang ASN1 does not like it.
451
-- One X.400 extension attribute; the value type is selected by the
-- attribute type through SupportedExtensionAttributes. The field names
-- differ from the PKIX ones (see the XXX note above) for the Erlang
-- ASN.1 compiler's sake.
ExtensionAttribute ::= SEQUENCE {
    extensionAttributeType [0] IMPLICIT EXTENSION-ATTRIBUTE-CLASS.&id
        ({SupportedExtensionAttributes}),
    extensionAttributeValue [1] EXTENSION-ATTRIBUTE-CLASS.&Type
        ({SupportedExtensionAttributes}{@extensionAttributeType}) }
457
SupportedExtensionAttributes EXTENSION-ATTRIBUTE-CLASS ::= {
459
x400-teletex-common-name |
460
x400-teletex-personal-name |
462
x400-physical-delivery-country-name |
464
x400-physical-delivery-office-name |
465
x400-physical-delivery-office-number |
466
x400-extension-OR-address-components |
467
x400-physical-delivery-personal-name |
468
x400-physical-delivery-organization-name |
469
x400-extension-physical-delivery-address-components |
470
x400-unformatted-postal-address |
471
x400-street-address |
472
x400-post-office-box-address |
473
x400-poste-restante-address |
474
x400-unique-postal-name |
475
x400-local-postal-attributes |
476
x400-extended-network-address |
478
x400-teletex-domain-defined-attributes }
480
-- Extension types and attribute values
482
x400-common-name EXTENSION-ATTRIBUTE-CLASS ::= {
486
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-teletex-common-name EXTENSION-ATTRIBUTE-CLASS ::= {
    ID teletex-common-name
    TYPE TeletexCommonName }
490
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-teletex-personal-name EXTENSION-ATTRIBUTE-CLASS ::= {
    ID teletex-personal-name
    TYPE TeletexPersonalName }
494
x400-pds-name EXTENSION-ATTRIBUTE-CLASS ::= {
498
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-physical-delivery-country-name EXTENSION-ATTRIBUTE-CLASS ::= {
    ID physical-delivery-country-name
    TYPE PhysicalDeliveryCountryName }
502
x400-postal-code EXTENSION-ATTRIBUTE-CLASS ::= {
506
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-physical-delivery-office-name EXTENSION-ATTRIBUTE-CLASS ::= {
    ID physical-delivery-office-name
    TYPE PhysicalDeliveryOfficeName }
510
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-physical-delivery-office-number EXTENSION-ATTRIBUTE-CLASS ::= {
    ID physical-delivery-office-number
    TYPE PhysicalDeliveryOfficeNumber }
514
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-extension-OR-address-components EXTENSION-ATTRIBUTE-CLASS ::= {
    ID extension-OR-address-components
    TYPE ExtensionORAddressComponents }
518
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-physical-delivery-personal-name EXTENSION-ATTRIBUTE-CLASS ::= {
    ID physical-delivery-personal-name
    TYPE PhysicalDeliveryPersonalName }
522
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-physical-delivery-organization-name EXTENSION-ATTRIBUTE-CLASS ::= {
    ID physical-delivery-organization-name
    TYPE PhysicalDeliveryOrganizationName }
526
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-extension-physical-delivery-address-components
    EXTENSION-ATTRIBUTE-CLASS ::= {
    ID extension-physical-delivery-address-components
    TYPE ExtensionPhysicalDeliveryAddressComponents }
531
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-unformatted-postal-address EXTENSION-ATTRIBUTE-CLASS ::= {
    ID unformatted-postal-address
    TYPE UnformattedPostalAddress }
535
x400-street-address EXTENSION-ATTRIBUTE-CLASS ::= {
539
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-post-office-box-address EXTENSION-ATTRIBUTE-CLASS ::= {
    ID post-office-box-address
    TYPE PostOfficeBoxAddress }
543
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-poste-restante-address EXTENSION-ATTRIBUTE-CLASS ::= {
    ID poste-restante-address
    TYPE PosteRestanteAddress }
547
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-unique-postal-name EXTENSION-ATTRIBUTE-CLASS ::= {
    ID unique-postal-name
    TYPE UniquePostalName }
551
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-local-postal-attributes EXTENSION-ATTRIBUTE-CLASS ::= {
    ID local-postal-attributes
    TYPE LocalPostalAttributes }
555
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-extended-network-address EXTENSION-ATTRIBUTE-CLASS ::= {
    ID extended-network-address
    TYPE ExtendedNetworkAddress }
559
x400-terminal-type EXTENSION-ATTRIBUTE-CLASS ::= {
563
-- X.400 extension attribute: OID and value type from PKIX1Explicit88.
x400-teletex-domain-defined-attributes EXTENSION-ATTRIBUTE-CLASS ::= {
    ID teletex-domain-defined-attributes
    TYPE TeletexDomainDefinedAttributes }
569
-- Non-empty list of extensions, as carried in TBSCertificate.extensions
-- (RFC 5280 section 4.1.2.9).
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
571
EXTENSION-CLASS ::= CLASS {
572
&id OBJECT IDENTIFIER UNIQUE,
578
-- One certificate/CRL extension (RFC 5280 section 4.1). The value is typed
-- through SupportedExtensions, selected by `extnID`.
-- NOTE(review): RFC 5280 defines extnValue as an OCTET STRING wrapping the
-- DER of the extension type; here it is the open type itself, so the
-- unwrapping presumably happens on the Extension-Any conversion path.
-- Confirm before using this type to decode externally supplied data.
-- NOTE(review): RFC 5280 section 4.2 requires rejecting a certificate that
-- carries an unrecognized extension marked critical. Because `extnID` is
-- constrained to the closed SupportedExtensions set, an unknown extension
-- cannot be represented here at all; that check has to be made wherever
-- the unconstrained form is decoded.
Extension ::= SEQUENCE {
    extnID EXTENSION-CLASS.&id({SupportedExtensions}),
    critical BOOLEAN DEFAULT FALSE,
    extnValue EXTENSION-CLASS.&Type({SupportedExtensions}{@extnID}) }
583
-- The following is needed for conversion between Extension and Extension-Any.
585
-- Bare OBJECT IDENTIFIER alias used by the Extension conversion code.
ObjId ::= OBJECT IDENTIFIER
589
Extension-Any ::= SEQUENCE {
590
extnID OBJECT IDENTIFIER,
591
critical BOOLEAN DEFAULT FALSE,
594
-- Closed set of extension OIDs this module can decode. Certificate
-- extensions, CRL extensions (cRLNumber, issuingDistributionPoint,
-- deltaCRLIndicator) and CRL-entry extensions (cRLReasons,
-- certificateIssuer, holdInstructionCode, invalidityDate) share one set.
SupportedExtensions EXTENSION-CLASS ::= { authorityKeyIdentifier |
    subjectKeyIdentifier | keyUsage | privateKeyUsagePeriod |
    certificatePolicies | policyMappings | subjectAltName |
    issuerAltName | subjectDirectoryAttributes | basicConstraints |
    nameConstraints | policyConstraints | cRLDistributionPoints |
    extKeyUsage | inhibitAnyPolicy | freshestCRL | authorityInfoAccess |
    subjectInfoAccess | cRLNumber | issuingDistributionPoint |
    deltaCRLIndicator | cRLReasons | certificateIssuer |
    holdInstructionCode | invalidityDate }
604
-- Binds id-ce-authorityKeyIdentifier to its syntax (PKIX1Implicit88).
-- Used to locate the issuer certificate during chain building.
authorityKeyIdentifier EXTENSION-CLASS ::= {
    ID id-ce-authorityKeyIdentifier
    TYPE AuthorityKeyIdentifier }
608
-- Binds id-ce-subjectKeyIdentifier to its syntax (PKIX1Implicit88).
subjectKeyIdentifier EXTENSION-CLASS ::= {
    ID id-ce-subjectKeyIdentifier
    TYPE SubjectKeyIdentifier }
612
keyUsage EXTENSION-CLASS ::= {
616
-- Binds id-ce-privateKeyUsagePeriod to its syntax (PKIX1Implicit88).
privateKeyUsagePeriod EXTENSION-CLASS ::= {
    ID id-ce-privateKeyUsagePeriod
    TYPE PrivateKeyUsagePeriod }
620
-- Binds id-ce-certificatePolicies to its syntax (PKIX1Implicit88).
certificatePolicies EXTENSION-CLASS ::= {
    ID id-ce-certificatePolicies
    TYPE CertificatePolicies }
624
-- Binds id-ce-policyMappings to its syntax (PKIX1Implicit88).
policyMappings EXTENSION-CLASS ::= {
    ID id-ce-policyMappings
    TYPE PolicyMappings }
628
-- Binds id-ce-subjectAltName to its syntax (PKIX1Implicit88).
-- NOTE(review): for host-name checks, dNSName entries here are the
-- identifiers to match (RFC 6125); the subject commonName should only be
-- consulted as a legacy fallback when no SAN is present.
subjectAltName EXTENSION-CLASS ::= {
    ID id-ce-subjectAltName
    TYPE SubjectAltName }
632
issuerAltName EXTENSION-CLASS ::= {
633
ID id-ce-issuerAltName
636
-- Binds id-ce-subjectDirectoryAttributes to its syntax (PKIX1Implicit88).
subjectDirectoryAttributes EXTENSION-CLASS ::= {
    ID id-ce-subjectDirectoryAttributes
    TYPE SubjectDirectoryAttributes }
640
-- Binds id-ce-basicConstraints to its syntax (PKIX1Implicit88).
-- NOTE(review): path validation must require cA=TRUE on every certificate
-- that signs another and honor pathLenConstraint (RFC 5280 section 6.1.4);
-- decoding this extension does not by itself enforce either.
basicConstraints EXTENSION-CLASS ::= {
    ID id-ce-basicConstraints
    TYPE BasicConstraints }
644
-- Binds id-ce-nameConstraints to its syntax (PKIX1Implicit88).
-- NOTE(review): the permitted/excluded subtrees only take effect if the
-- path validator applies them to every subordinate certificate's subject
-- and subjectAltName (RFC 5280 section 6.1.4).
nameConstraints EXTENSION-CLASS ::= {
    ID id-ce-nameConstraints
    TYPE NameConstraints }
648
-- Binds id-ce-policyConstraints to its syntax (PKIX1Implicit88).
policyConstraints EXTENSION-CLASS ::= {
    ID id-ce-policyConstraints
    TYPE PolicyConstraints }
652
-- Binds id-ce-cRLDistributionPoints to its syntax (PKIX1Implicit88).
cRLDistributionPoints EXTENSION-CLASS ::= {
    ID id-ce-cRLDistributionPoints
    TYPE CRLDistributionPoints }
656
extKeyUsage EXTENSION-CLASS ::= {
658
TYPE ExtKeyUsageSyntax }
660
-- Binds id-ce-inhibitAnyPolicy to its syntax (PKIX1Implicit88).
inhibitAnyPolicy EXTENSION-CLASS ::= {
    ID id-ce-inhibitAnyPolicy
    TYPE InhibitAnyPolicy }
664
freshestCRL EXTENSION-CLASS ::= {
668
-- Binds id-pe-authorityInfoAccess to its syntax (PKIX1Implicit88).
authorityInfoAccess EXTENSION-CLASS ::= {
    ID id-pe-authorityInfoAccess
    TYPE AuthorityInfoAccessSyntax }
672
-- Binds id-pe-subjectInfoAccess to its syntax (PKIX1Implicit88).
subjectInfoAccess EXTENSION-CLASS ::= {
    ID id-pe-subjectInfoAccess
    TYPE SubjectInfoAccessSyntax }
676
cRLNumber EXTENSION-CLASS ::= {
680
-- CRL extension: binds id-ce-issuingDistributionPoint to its syntax
-- (PKIX1Implicit88).
issuingDistributionPoint EXTENSION-CLASS ::= {
    ID id-ce-issuingDistributionPoint
    TYPE IssuingDistributionPoint }
684
deltaCRLIndicator EXTENSION-CLASS ::= {
685
ID id-ce-deltaCRLIndicator
688
cRLReasons EXTENSION-CLASS ::= {
692
-- CRL entry extension: binds id-ce-certificateIssuer to its syntax
-- (PKIX1Implicit88).
certificateIssuer EXTENSION-CLASS ::= {
    ID id-ce-certificateIssuer
    TYPE CertificateIssuer }
696
-- CRL entry extension: binds id-ce-holdInstructionCode to its syntax
-- (PKIX1Implicit88).
holdInstructionCode EXTENSION-CLASS ::= {
    ID id-ce-holdInstructionCode
    TYPE HoldInstructionCode }
700
-- CRL entry extension: binds id-ce-invalidityDate to its syntax
-- (PKIX1Implicit88).
invalidityDate EXTENSION-CLASS ::= {
    ID id-ce-invalidityDate
    TYPE InvalidityDate }