sm_x509ce.asn

-- @(#) sm_x509ce.asn 1.3 3/4/98 15:25:14 
CertificateExtensions 
--
-- oid defined sm_x501ud.asn
-- {joint-iso-ccitt ds(5) module(1) certificateExtensions(26) 0}

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- EXPORTS ALL

IMPORTS
   id-at, id-ce, id-mr, informationFramework, authenticationFramework,
      selectedAttributeTypes, upperBounds
      FROM UsefulDefinitions { usefulDefinitions }

   Name, RelativeDistinguishedName, Attribute
      FROM InformationFramework  { informationFramework }

   GeneralNames, GeneralName
      FROM CommonX509Definitions 

   CertificateSerialNumber, CertificateList, AlgorithmIdentifier
      FROM AuthenticationFramework { authenticationFramework }

   DirectoryString
      FROM SelectedAttributeTypes  { selectedAttributeTypes }

   ORAddress
      FROM MTSAbstractService { mTSAbstractService } 
	   
   id-pkix
	  FROM ExtendedSecurityServices { extendedSecurityServices };

-- Unless explicitly noted otherwise, there is no significance to the ordering
-- of components of a SEQUENCE OF construct in this specification.

-- Key and policy information extensions --

AuthorityKeyIdentifier ::= SEQUENCE {
   keyIdentifier             [0] KeyIdentifier           OPTIONAL,
   authorityCertIssuer       [1] GeneralNames            OPTIONAL,
   authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }

KeyIdentifier ::= OCTET STRING

SubjectKeyIdentifier ::= KeyIdentifier

KeyUsage ::= BIT STRING {
   digitalSignature (0),
   nonRepudiation   (1),
   keyEncipherment  (2),
   dataEncipherment (3),
   keyAgreement     (4),
   keyCertSign      (5),
   cRLSign          (6),
   encipherOnly     (7),
   decipherOnly     (8) }

KeyPurposeId ::= OBJECT IDENTIFIER

-- Added 9/14/00 by dmitch
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

PrivateKeyUsagePeriod ::= SEQUENCE {
   notBefore   [0]   GeneralizedTime OPTIONAL,
   notAfter   [1]   GeneralizedTime OPTIONAL }
   ( WITH COMPONENTS    {..., notBefore PRESENT} |
   WITH COMPONENTS    {..., notAfter PRESENT} )


CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
   policyIdentifier   CertPolicyId,
   policyQualifiers   SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {
   policyQualifierId   OBJECT IDENTIFIER,
   qualifier           ANY OPTIONAL }

PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
   issuerDomainPolicy      CertPolicyId,
   subjectDomainPolicy   CertPolicyId }

SupportedAlgorithm ::= SEQUENCE {
   algorithmIdentifier             AlgorithmIdentifier,
   intendedUsage               [0] KeyUsage OPTIONAL,
   intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL }

-- Certificate subject and certificate issuer attributes extensions --

SubjectName ::= GeneralNames

-- moved to sm_x509cmn.asn since both sm_x509af.asn and sm_x509ce.asn need
-- it
--
-- GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- GeneralName ::= CHOICE {
--    otherName        [0]   OTHER-NAME,
   -- rfc822Name       [1]   IA5String,
   -- dNSName          [2]   IA5String,
   -- x400Address      [3]   ORAddress,
   -- directoryName    [4]   Name,
   -- ediPartyName     [5]   EDIPartyName,
   -- uniformResourceIdentifier  [6]   IA5String,
   -- iPAddress                  [7]   OCTET STRING,
   -- registeredID               [8]   OBJECT IDENTIFIER }
-- 
-- OTHER-NAME ::= OBJECT IDENTIFIER

-- EDIPartyName ::= SEQUENCE {
   -- nameAssigner      [0]   DirectoryString  OPTIONAL,
   -- partyName         [1]   DirectoryString  }
-- 

IssuerAltName ::= GeneralNames

SubjectDirectoryAttributes ::= AttributesSyntax

AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute


-- Certification path constraints extensions --

BasicConstraintsSyntax ::= SEQUENCE {
   cA         BOOLEAN DEFAULT FALSE,
   pathLenConstraint    INTEGER (0..MAX) OPTIONAL }

NameConstraintsSyntax ::= SEQUENCE {
   permittedSubtrees   [0]   GeneralSubtrees OPTIONAL,
   excludedSubtrees   [1]   GeneralSubtrees OPTIONAL }

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
   base         GeneralName,
   minimum      [0]   BaseDistance DEFAULT 0,
   maximum      [1]   BaseDistance OPTIONAL }

BaseDistance ::= INTEGER (0..MAX)

PolicyConstraintsSyntax ::= SEQUENCE {
   requireExplicitPolicy   [0] SkipCerts OPTIONAL,
   inhibitPolicyMapping   [1] SkipCerts OPTIONAL }

SkipCerts ::= INTEGER (0..MAX) 

CertPolicySet ::= SEQUENCE OF CertPolicyId

-- Basic CRL extensions --

CRLNumber ::= INTEGER (0..MAX)

CRLReason ::= ENUMERATED {
   unspecified          (0),
   keyCompromise        (1), 
   cACompromise         (2), 
   affiliationChanged   (3), 
   superseded           (4),
   cessationOfOperation (5),
   certificateHold      (6),  -- note 7 is not used by this spec.
   removeFromCRL        (8) }

HoldInstruction ::= OBJECT IDENTIFIER


InvalidityDate ::= GeneralizedTime

-- CRL distribution points and delta-CRL extensions --

CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint 

DistributionPoint ::= SEQUENCE {
   distributionPoint   [0]   DistributionPointName OPTIONAL,
   reasons             [1]   ReasonFlags OPTIONAL,
   cRLIssuer           [2]   GeneralNames OPTIONAL }

DistributionPointName ::= CHOICE {
   fullName                [0]   GeneralNames,
   nameRelativeToCRLIssuer [1]   RelativeDistinguishedName }

ReasonFlags ::= BIT STRING {
   unused               (0),
   keyCompromise        (1), 
   caCompromise         (2), 
   affiliationChanged   (3), 
   superseded           (4),
   cessationOfOperation (5),
   certificateHold      (6) }

IssuingDistPointSyntax ::= SEQUENCE {
   distributionPoint      [0] DistributionPointName OPTIONAL,
   onlyContainsUserCerts  [1] BOOLEAN DEFAULT FALSE,
   onlyContainsCACerts    [2] BOOLEAN DEFAULT FALSE,
   onlySomeReasons        [3] ReasonFlags OPTIONAL,
   indirectCRL            [4] BOOLEAN DEFAULT FALSE }

CertificateIssuer ::= GeneralNames

BaseCRLNumber ::= CRLNumber

DeltaRevocationList ::= CertificateList

-- Matching rules 

-- removed.  Our ASN.1 compiler does not support matching ruling.  We will
-- do this manually -Pierce
--

-- end of Matching rules

-- Object identifier assignments --

id-at-supportedAlgorithms      OBJECT IDENTIFIER   ::=   {id-at 52}
id-at-deltaRevocationList         OBJECT IDENTIFIER   ::=   {id-at 53}
id-ce-subjectDirectoryAttributes      OBJECT IDENTIFIER   ::=   {id-ce 9}
id-ce-subjectKeyIdentifier      OBJECT IDENTIFIER   ::=   {id-ce 14}
id-ce-keyUsage            OBJECT IDENTIFIER   ::=   {id-ce 15}
id-ce-privateKeyUsagePeriod      OBJECT IDENTIFIER   ::=   {id-ce 16}
id-ce-subjectAltName         OBJECT IDENTIFIER   ::=   {id-ce 17}
id-ce-issuerAltName         OBJECT IDENTIFIER   ::=   {id-ce 18}
id-ce-basicConstraints         OBJECT IDENTIFIER   ::=   {id-ce 19}
id-ce-cRLNumber            OBJECT IDENTIFIER   ::=   {id-ce 20}
id-ce-reasonCode            OBJECT IDENTIFIER   ::=   {id-ce 21}
id-ce-instructionCode         OBJECT IDENTIFIER   ::=   {id-ce 23}
id-ce-invalidityDate         OBJECT IDENTIFIER   ::=   {id-ce 24}
id-ce-deltaCRLIndicator         OBJECT IDENTIFIER   ::=   {id-ce 27}
id-ce-issuingDistributionPoint      OBJECT IDENTIFIER   ::=   {id-ce 28}
id-ce-certificateIssuer         OBJECT IDENTIFIER   ::=   {id-ce 29}
id-ce-nameConstraints         OBJECT IDENTIFIER   ::=   {id-ce 30}
id-ce-cRLDistributionPoints      OBJECT IDENTIFIER   ::=   {id-ce 31}
id-ce-certificatePolicies         OBJECT IDENTIFIER   ::=   {id-ce 32}
id-ce-policyMappings         OBJECT IDENTIFIER   ::=   {id-ce 33}
-- deprecated               OBJECT IDENTIFIER   ::=   {id-ce 34}
id-ce-authorityKeyIdentifier      OBJECT IDENTIFIER   ::=   {id-ce 35}
id-ce-policyConstraints         OBJECT IDENTIFIER   ::=   {id-ce 36}
id-ce-extKeyUsage         OBJECT IDENTIFIER   ::=   {id-ce 37}
id-mr-certificateExactMatch      OBJECT IDENTIFIER   ::=   {id-mr 34}
id-mr-certificateMatch         OBJECT IDENTIFIER   ::=   {id-mr 35}
id-mr-certificatePairExactMatch      OBJECT IDENTIFIER   ::=   {id-mr 36}
id-mr-certificatePairMatch      OBJECT IDENTIFIER   ::=   {id-mr 37}
id-mr-certificateListExactMatch      OBJECT IDENTIFIER   ::=   {id-mr 38}
id-mr-certificateListMatch      OBJECT IDENTIFIER   ::=   {id-mr 39}
id-mr-algorithmIdentifierMatch      OBJECT IDENTIFIER   ::=   {id-mr 40}

id-kp 						OBJECT IDENTIFIER ::= {id-pkix 3}
id-kp-serverAuth 			OBJECT IDENTIFIER ::= {id-kp 1}
id-kp-clientAuth 			OBJECT IDENTIFIER ::= {id-kp 2}
id-kp-codeSigning 			OBJECT IDENTIFIER ::= {id-kp 3}
id-kp-emailProtection 		OBJECT IDENTIFIER ::= {id-kp 4}
id-kp-timeStamping 			OBJECT IDENTIFIER ::= {id-kp 8}
 
id-netscape-cert-type		OBJECT IDENTIFIER ::= {2 16 840 1 113730 1 1}

-- The following OBJECT IDENTIFIERS are not used by this specification:
-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13}, 
-- {id-ce 22}, {id-ce 25}, {id-ce 26}

END