-- Module AuthenticationFramework (X.509:08/1997)
AuthenticationFramework {joint-iso-itu-t ds(5) module(1)
authenticationFramework(7) 3} DEFINITIONS ::=
-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
-- within the Directory Specifications, and for the use of other applications which will use them to access
-- Directory services. Other applications may use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory service.
id-at, id-mr, informationFramework, upperBounds, selectedAttributeTypes,
basicAccessControl, certificateExtensions
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
usefulDefinitions(0) 3}
Name, ATTRIBUTE, AttributeType, MATCHING-RULE, Attribute
FROM InformationFramework informationFramework
FROM UpperBounds upperBounds
FROM BasicAccessControl basicAccessControl
UniqueIdentifier, octetStringMatch
FROM SelectedAttributeTypes selectedAttributeTypes
certificateExactMatch, certificatePairExactMatch, certificateListExactMatch,
FROM CertificateExtensions certificateExtensions;
-- basic certificate definition
{SEQUENCE {version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- if present, version must be v2 or v3
subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- if present, version must be v2 or v3
extensions [3] Extensions OPTIONAL
-- If present, version must be v3 -- }}
-- Certificate version number. In the Certificate definition above the
-- component is DEFAULT v1, i.e. an absent version means v1; the comments
-- there require v2 or v3 when either unique identifier is present and v3
-- when extensions are present. CertificateList carries the same type as an
-- OPTIONAL component and requires v2 when it is present.
Version ::= INTEGER {v1(0), v2(1), v3(2)}
-- Issuer-assigned serial number of a certificate. It is carried in
-- IssuerSerial (serial) and identifies revoked certificates in the
-- CertificateList entries (userCertificate).
-- NOTE(review): the INTEGER is unconstrained here, so a decoder should
-- bound the encoded length it accepts rather than assume a machine-word
-- value; confirm the limit against the profile in use.
CertificateSerialNumber ::= INTEGER
AlgorithmIdentifier ::= SEQUENCE {
algorithm ALGORITHM.&id({SupportedAlgorithms}),
parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL
-- Definition of the following information object set is deferred, perhaps to standardized
-- profiles or to protocol implementation conformance statements. The set is required to
-- specify a table constraint on the parameters component of AlgorithmIdentifier.
SupportedAlgorithms ALGORITHM ::=
Validity ::= SEQUENCE {notBefore Time,
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING
Time ::= CHOICE {utcTime UTCTime,
generalizedTime GeneralizedTime
-- Ordered list of certificate (or CRL / CRL-entry) extensions; the comment
-- that follows states when the order is significant. No SIZE constraint is
-- declared, so an empty SEQUENCE is syntactically valid as written.
-- NOTE(review): confirm whether the profile in use requires at least one
-- Extension whenever the optional extensions component is present.
Extensions ::= SEQUENCE OF Extension
-- For those extensions where ordering of individual extensions within the SEQUENCE is significant, the
-- specification of those individual extensions shall include the rules for the significance of the order therein
Extension ::= SEQUENCE {
extnId EXTENSION.&id({ExtensionSet}),
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING-- contains a DER encoding of a value of type &ExtnType
-- for the extension object identified by extnId
ExtensionSet EXTENSION ::=
EXTENSION ::= CLASS {&id OBJECT IDENTIFIER UNIQUE,
}WITH SYNTAX {SYNTAX &ExtnType
-- other certificate constructs
Certificates ::= SEQUENCE {
userCertificate Certificate,
certificationPath ForwardCertificationPath OPTIONAL
ForwardCertificationPath ::= SEQUENCE OF CrossCertificates
CrossCertificates ::= SET OF Certificate
CertificationPath ::= SEQUENCE {
userCertificate Certificate,
theCACertificates SEQUENCE OF CertificatePair OPTIONAL
CertificatePair ::= SEQUENCE {
issuedByThisCA [0] Certificate OPTIONAL,
issuedToThisCA [1] Certificate OPTIONAL
-- at least one of the pair shall be present
-- Certificate Revocation List (CRL)
{SEQUENCE {version Version OPTIONAL,
-- if present, version must be v2
signature AlgorithmIdentifier,
nextUpdate Time OPTIONAL,
SEQUENCE {userCertificate CertificateSerialNumber,
crlEntryExtensions Extensions OPTIONAL} OPTIONAL,
crlExtensions [0] Extensions OPTIONAL}}
-- attribute certificate
AttributeCertificationPath ::= SEQUENCE {
attributeCertificate AttributeCertificate,
acPath SEQUENCE OF ACPathData OPTIONAL
ACPathData ::= SEQUENCE {
certificate [0] Certificate OPTIONAL,
attributeCertificate [1] AttributeCertificate OPTIONAL
attributeCertificate ATTRIBUTE ::= {
WITH SYNTAX AttributeCertificate
EQUALITY MATCHING RULE attributeCertificateMatch
ID id-at-attributeCertificate
-- An attribute certificate is an AttributeCertificateInfo value together
-- with a signature over it. Per SIGNED and ENCRYPTED-HASH below, the
-- signature is computed over the DER-encoded octets of the
-- AttributeCertificateInfo value, so a verifier must re-encode (or retain)
-- exactly those octets when checking it.
AttributeCertificate ::= SIGNED{AttributeCertificateInfo}
AttributeCertificateInfo ::= SEQUENCE {
version Version DEFAULT v1,
CHOICE {baseCertificateID [0] IssuerSerial, -- associated with a Public Key Certificate--
subjectName [1] GeneralNames}, -- associated with a name
issuer GeneralNames, -- CA issuing the attribute certificate
signature AlgorithmIdentifier,
serialNumber CertificateSerialNumber,
attCertValidityPeriod AttCertValidityPeriod,
attributes SEQUENCE OF Attribute,
issuerUniqueID UniqueIdentifier OPTIONAL,
extensions Extensions OPTIONAL
IssuerSerial ::= SEQUENCE {
serial CertificateSerialNumber,
issuerUID UniqueIdentifier OPTIONAL
AttCertValidityPeriod ::= SEQUENCE {
notBeforeTime GeneralizedTime,
notAfterTime GeneralizedTime
attributeCertificateMatch MATCHING-RULE ::= {
SYNTAX AttributeCertificateAssertion
ID id-mr-attributeCertificateMatch
AttributeCertificateAssertion ::= SEQUENCE {
[0] CHOICE {baseCertificateID [0] IssuerSerial,
subjectName [1] Name} OPTIONAL,
issuer [1] Name OPTIONAL,
attCertValidity [2] GeneralizedTime OPTIONAL,
attType [3] SET OF AttributeType OPTIONAL
-- At least one component of the sequence must be present
userPassword ATTRIBUTE ::= {
WITH SYNTAX OCTET STRING(SIZE (0..ub-user-password))
EQUALITY MATCHING RULE octetStringMatch
ID id-at-userPassword
userCertificate ATTRIBUTE ::= {
WITH SYNTAX Certificate
EQUALITY MATCHING RULE certificateExactMatch
ID id-at-userCertificate
cACertificate ATTRIBUTE ::= {
WITH SYNTAX Certificate
EQUALITY MATCHING RULE certificateExactMatch
ID id-at-cAcertificate
crossCertificatePair ATTRIBUTE ::= {
WITH SYNTAX CertificatePair
EQUALITY MATCHING RULE certificatePairExactMatch
ID id-at-crossCertificatePair
authorityRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
EQUALITY MATCHING RULE certificateListExactMatch
ID id-at-authorityRevocationList
certificateRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
EQUALITY MATCHING RULE certificateListExactMatch
ID id-at-certificateRevocationList
attributeCertificateRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
ID id-at-attributeCertificateRevocationList
-- information object classes
-- Information object class for algorithms: &id is the algorithm OBJECT
-- IDENTIFIER and &Type the type of its parameters, as referenced by
-- AlgorithmIdentifier above. The set of permitted algorithms
-- (SupportedAlgorithms) is deliberately left open by this module.
-- NOTE(review): an implementation should accept only an explicit, closed
-- set of algorithms rather than treat the open set as "anything decodable".
ALGORITHM ::= TYPE-IDENTIFIER
-- parameterized types
HASH{ToBeHashed} ::= SEQUENCE {
algorithmIdentifier AlgorithmIdentifier,
-- must be the result of applying a hashing procedure to the DER-encoded octets
-- of a value of -- ToBeHashed})
ENCRYPTED-HASH{ToBeSigned} ::=
-- must be the result of applying a hashing procedure to the DER-encoded octets
-- of a value of --ToBeSigned -- and then applying an encipherment procedure to those octets --})
ENCRYPTED{ToBeEnciphered} ::=
-- must be the result of applying an encipherment procedure
-- to the BER-encoded octets of a value of --ToBeEnciphered})
SIGNATURE{ToBeSigned} ::= SEQUENCE {
algorithmIdentifier AlgorithmIdentifier,
encrypted ENCRYPTED-HASH{ToBeSigned}
SIGNED{ToBeSigned} ::= SEQUENCE {
toBeSigned ToBeSigned,
COMPONENTS OF SIGNATURE{ToBeSigned}
-- object identifier assignments
id-at-userPassword OBJECT IDENTIFIER ::=
id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D