-- Module CertificateExtensions (X.509:08/1997)
CertificateExtensions {joint-iso-itu-t ds(5) module(1)
certificateExtensions(26) 0} DEFINITIONS IMPLICIT TAGS ::=
id-at, id-ce, id-mr, informationFramework, authenticationFramework,
selectedAttributeTypes, upperBounds
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
usefulDefinitions(0) 3}
Name, RelativeDistinguishedName, ATTRIBUTE, Attribute, MATCHING-RULE
FROM InformationFramework informationFramework
CertificateSerialNumber, CertificateList, AlgorithmIdentifier, EXTENSION,
FROM AuthenticationFramework authenticationFramework
FROM SelectedAttributeTypes selectedAttributeTypes
FROM UpperBounds upperBounds
FROM MTSAbstractService {joint-iso-itu-t mhs(6) mts(3) modules(0)
mts-abstract-service(1) version-1999(1)};
-- Unless explicitly noted otherwise, there is no significance to the ordering
-- of components of a SEQUENCE OF construct in this Specification.
-- Key and policy information extensions
authorityKeyIdentifier EXTENSION ::= {
SYNTAX AuthorityKeyIdentifier
IDENTIFIED BY id-ce-authorityKeyIdentifier
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] KeyIdentifier OPTIONAL,
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL
authorityCertIssuer PRESENT,
authorityCertSerialNumber PRESENT
authorityCertIssuer ABSENT,
authorityCertSerialNumber ABSENT
KeyIdentifier ::= OCTET STRING
subjectKeyIdentifier EXTENSION ::= {
SYNTAX SubjectKeyIdentifier
IDENTIFIED BY id-ce-subjectKeyIdentifier
SubjectKeyIdentifier ::= KeyIdentifier
keyUsage EXTENSION ::= {SYNTAX KeyUsage
IDENTIFIED BY id-ce-keyUsage
KeyUsage ::= BIT STRING {
digitalSignature(0), nonRepudiation(1), keyEncipherment(2),
dataEncipherment(3), keyAgreement(4), keyCertSign(5), cRLSign(6),
encipherOnly(7), decipherOnly(8)}
extKeyUsage EXTENSION ::= {
SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId
IDENTIFIED BY id-ce-extKeyUsage
KeyPurposeId ::= OBJECT IDENTIFIER
privateKeyUsagePeriod EXTENSION ::= {
SYNTAX PrivateKeyUsagePeriod
IDENTIFIED BY id-ce-privateKeyUsagePeriod
PrivateKeyUsagePeriod ::= SEQUENCE {
notBefore [0] GeneralizedTime OPTIONAL,
notAfter [1] GeneralizedTime OPTIONAL
certificatePolicies EXTENSION ::= {
SYNTAX CertificatePoliciesSyntax
IDENTIFIED BY id-ce-certificatePolicies
CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
PolicyInformation ::= SEQUENCE {
policyIdentifier CertPolicyId,
policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
CertPolicyId ::= OBJECT IDENTIFIER
PolicyQualifierInfo ::= SEQUENCE {
policyQualifierId CERT-POLICY-QUALIFIER.&id({SupportedPolicyQualifiers}),
CERT-POLICY-QUALIFIER.&Qualifier
({SupportedPolicyQualifiers}{@policyQualifierId}) OPTIONAL
SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::=
CERT-POLICY-QUALIFIER ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
}WITH SYNTAX {POLICY-QUALIFIER-ID &id
[QUALIFIER-TYPE &Qualifier]
policyMappings EXTENSION ::= {
SYNTAX PolicyMappingsSyntax
IDENTIFIED BY id-ce-policyMappings
PolicyMappingsSyntax ::=
SEQUENCE SIZE (1..MAX) OF
SEQUENCE {issuerDomainPolicy CertPolicyId,
subjectDomainPolicy CertPolicyId}
supportedAlgorithms ATTRIBUTE ::= {
WITH SYNTAX SupportedAlgorithm
EQUALITY MATCHING RULE algorithmIdentifierMatch
ID id-at-supportedAlgorithms
SupportedAlgorithm ::= SEQUENCE {
algorithmIdentifier AlgorithmIdentifier,
intendedUsage [0] KeyUsage OPTIONAL,
intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL
-- Certificate subject and certificate issuer attributes extensions
subjectAltName EXTENSION ::= {
IDENTIFIED BY id-ce-subjectAltName
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
GeneralName ::= CHOICE {
otherName [0] INSTANCE OF OTHER-NAME,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER
OTHER-NAME ::= TYPE-IDENTIFIER
EDIPartyName ::= SEQUENCE {
nameAssigner [0] DirectoryString{ub-name} OPTIONAL,
partyName [1] DirectoryString{ub-name}
issuerAltName EXTENSION ::= {
IDENTIFIED BY id-ce-issuerAltName
subjectDirectoryAttributes EXTENSION ::= {
SYNTAX AttributesSyntax
IDENTIFIED BY id-ce-subjectDirectoryAttributes
AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute
-- Certification path constraints extensions
basicConstraints EXTENSION ::= {
SYNTAX BasicConstraintsSyntax
IDENTIFIED BY id-ce-basicConstraints
BasicConstraintsSyntax ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER(0..MAX) OPTIONAL
nameConstraints EXTENSION ::= {
SYNTAX NameConstraintsSyntax
IDENTIFIED BY id-ce-nameConstraint
NameConstraintsSyntax ::= SEQUENCE {
permittedSubtrees [0] GeneralSubtrees OPTIONAL,
excludedSubtrees [1] GeneralSubtrees OPTIONAL,
requiredNameForms [2] NameForms OPTIONAL
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
GeneralSubtree ::= SEQUENCE {
minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL
BaseDistance ::= INTEGER(0..MAX)
NameForms ::= SEQUENCE {
basicNameForms [0] BasicNameForms OPTIONAL,
otherNameForms [1] SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
}(ALL EXCEPT ({ --none; i.e.:at least one component shall be present--}))
BasicNameForms ::= BIT STRING {
rfc822Name(0), dNSName(1), x400Address(2), directoryName(3), ediPartyName(4),
uniformResourceIdentifier(5), iPAddress(6), registeredID(7)}(SIZE (1..MAX))
policyConstraints EXTENSION ::= {
SYNTAX PolicyConstraintsSyntax
IDENTIFIED BY id-ce-policyConstraints
PolicyConstraintsSyntax ::= SEQUENCE {
requireExplicitPolicy [0] SkipCerts OPTIONAL,
inhibitPolicyMapping [1] SkipCerts OPTIONAL
SkipCerts ::= INTEGER(0..MAX)
CertPolicySet ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId
-- Basic CRL extensions
cRLNumber EXTENSION ::= {
IDENTIFIED BY id-ce-cRLNumber
CRLNumber ::= INTEGER(0..MAX)
reasonCode EXTENSION ::= {
IDENTIFIED BY id-ce-reasonCode
CRLReason ::= ENUMERATED {
unspecified(0), keyCompromise(1), cACompromise(2), affiliationChanged(3),
superseded(4), cessationOfOperation(5), certificateHold(6), removeFromCRL(8)
instructionCode EXTENSION ::= {
SYNTAX HoldInstruction
IDENTIFIED BY id-ce-instructionCode
HoldInstruction ::= OBJECT IDENTIFIER
invalidityDate EXTENSION ::= {
SYNTAX GeneralizedTime
IDENTIFIED BY id-ce-invalidityDate
-- CRL distribution points and delta-CRL extensions
cRLDistributionPoints EXTENSION ::= {
SYNTAX CRLDistPointsSyntax
IDENTIFIED BY id-ce-cRLDistributionPoints
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
DistributionPoint ::= SEQUENCE {
distributionPoint [0] DistributionPointName OPTIONAL,
reasons [1] ReasonFlags OPTIONAL,
cRLIssuer [2] GeneralNames OPTIONAL
DistributionPointName ::= CHOICE {
fullName [0] GeneralNames,
nameRelativeToCRLIssuer [1] RelativeDistinguishedName
ReasonFlags ::= BIT STRING {
unused(0), keyCompromise(1), caCompromise(2), affiliationChanged(3),
superseded(4), cessationOfOperation(5), certificateHold(6)}
issuingDistributionPoint EXTENSION ::= {
SYNTAX IssuingDistPointSyntax
IDENTIFIED BY id-ce-issuingDistributionPoint
IssuingDistPointSyntax ::= SEQUENCE {
distributionPoint [0] DistributionPointName OPTIONAL,
onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
onlySomeReasons [3] ReasonFlags OPTIONAL,
indirectCRL [4] BOOLEAN DEFAULT FALSE
certificateIssuer EXTENSION ::= {
IDENTIFIED BY id-ce-certificateIssuer
deltaCRLIndicator EXTENSION ::= {
IDENTIFIED BY id-ce-deltaCRLIndicator
BaseCRLNumber ::= CRLNumber
deltaRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
EQUALITY MATCHING RULE certificateListExactMatch
ID id-at-deltaRevocationList
certificateExactMatch MATCHING-RULE ::= {
SYNTAX CertificateExactAssertion
ID id-mr-certificateExactMatch
CertificateExactAssertion ::= SEQUENCE {
serialNumber CertificateSerialNumber,
certificateMatch MATCHING-RULE ::= {
SYNTAX CertificateAssertion
ID id-mr-certificateMatch
CertificateAssertion ::= SEQUENCE {
serialNumber [0] CertificateSerialNumber OPTIONAL,
issuer [1] Name OPTIONAL,
subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL,
authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL,
certificateValid [4] Time OPTIONAL,
privateKeyValid [5] GeneralizedTime OPTIONAL,
subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL,
keyUsage [7] KeyUsage OPTIONAL,
subjectAltName [8] AltNameType OPTIONAL,
policy [9] CertPolicySet OPTIONAL,
pathToName [10] Name OPTIONAL
AltNameType ::= CHOICE {
ENUMERATED {rfc822Name(1), dNSName(2), x400Address(3), directoryName(4),
ediPartyName(5), uniformResourceIdentifier(6), iPAddress(7),
otherNameForm OBJECT IDENTIFIER
certificatePairExactMatch MATCHING-RULE ::= {
SYNTAX CertificatePairExactAssertion
ID id-mr-certificatePairExactMatch
CertificatePairExactAssertion ::= SEQUENCE {
forwardAssertion [0] CertificateExactAssertion OPTIONAL,
reverseAssertion [1] CertificateExactAssertion OPTIONAL
forwardAssertion PRESENT
} | WITH COMPONENTS {
reverseAssertion PRESENT
certificatePairMatch MATCHING-RULE ::= {
SYNTAX CertificatePairAssertion
ID id-mr-certificatePairMatch
CertificatePairAssertion ::= SEQUENCE {
forwardAssertion [0] CertificateAssertion OPTIONAL,
reverseAssertion [1] CertificateAssertion OPTIONAL
forwardAssertion PRESENT
} | WITH COMPONENTS {
reverseAssertion PRESENT
certificateListExactMatch MATCHING-RULE ::= {
SYNTAX CertificateListExactAssertion
ID id-mr-certificateListExactMatch
CertificateListExactAssertion ::= SEQUENCE {
distributionPoint DistributionPointName OPTIONAL
certificateListMatch MATCHING-RULE ::= {
SYNTAX CertificateListAssertion
ID id-mr-certificateListMatch
CertificateListAssertion ::= SEQUENCE {
issuer Name OPTIONAL,
minCRLNumber [0] CRLNumber OPTIONAL,
maxCRLNumber [1] CRLNumber OPTIONAL,
reasonFlags ReasonFlags OPTIONAL,
dateAndTime Time OPTIONAL,
distributionPoint [2] DistributionPointName OPTIONAL
algorithmIdentifierMatch MATCHING-RULE ::= {
SYNTAX AlgorithmIdentifier
ID id-mr-algorithmIdentifierMatch
-- Object identifier assignments
id-at-supportedAlgorithms OBJECT IDENTIFIER ::=
id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53}
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14}
id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15}
id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16}
id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17}
id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18}
id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19}
id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20}
id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21}
id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23}
id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24}
id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27}
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28}
id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29}
-- NOTE(review): this 1997 edition places nameConstraints under the arc
-- {id-ce 30 1}, while the comment at the end of this module lists {id-ce 30}
-- itself as "not used". Later X.509 editions and RFC 5280 assign the
-- nameConstraints extension to {id-ce 30} (2.5.29.30), and that is the value
-- found in deployed certificates, where the extension is normally critical.
-- A decoder generated from this module alone would therefore not recognise
-- the deployed extension; confirm which OID the consuming code must accept.
id-ce-nameConstraint OBJECT IDENTIFIER ::= {id-ce 30 1}
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32}
id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33}
-- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=
id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36}
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34}
id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}
id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}
id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}
id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}
id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}
id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}
id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= {id-ce 54}
-- The following OBJECT IDENTIFIERS are not used by this Specification:
-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
-- {id-ce 22}, {id-ce 25}, {id-ce 26}, {id-ce 30}
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D