-- ASN module extracted from ITU-T X.509 (10/2019)
-- A.1 - Authentication framework module
AuthenticationFramework
{joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 10}
DEFINITIONS ::=
BEGIN
-- EXPORTS All
/*
The types and values defined in this module are exported for use in the other ASN.1
modules contained within the Directory Specifications, and for the use of other
applications which will use them to access Directory services. Other applications may
use them for their own purposes, but this will not constrain extensions and
modifications needed to maintain or improve the Directory service.
*/
IMPORTS
id-asx, id-at, id-ldx, id-lsx, id-mr, id-nf, id-oa, id-oc, id-sc,
ATTRIBUTE, Attribute{}, commonName, DistinguishedName, Name, NAME-FORM, OBJECT-CLASS,
octetString, octetStringMatch, SYNTAX-NAME, top, UnboundedDirectoryString
FROM UsefulDefinitions
{joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 10} WITH SUCCESSORS
/*
ATTRIBUTE, Attribute{}, DistinguishedName, --distinguishedNameMatch, MATCHING-RULE, -- Name, NAME-FORM, OBJECT-CLASS,
-- objectIdentifierMatch, RelativeDistinguishedName, -- SYNTAX-NAME, top
FROM InformationFramework
{joint-iso-itu-t ds(5) module(1) informationFramework(1) 10} WITH SUCCESSORS
--bitStringMatch, boolean, booleanMatch, caseExactMatch, -- commonName,
-- directoryString, generalizedTime,
-- generalizedTimeMatch, generalizedTimeOrderingMatch, integer, integerMatch,
-- integerOrderingMatch, -- octetString, octetStringMatch,
UnboundedDirectoryString, UniqueIdentifier --, uri
FROM SelectedAttributeTypes
{joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 10} WITH SUCCESSORS
*/
algorithmIdentifierMatch, certificateExactMatch, certificateListExactMatch,
certificatePairExactMatch, CertificatePoliciesSyntax, CertPolicyId, GeneralNames,
KeyUsage, pkiPathMatch, policyMatch,
CertificateAssertion, CertificateExactAssertion, CertificateListAssertion,
CertificateListExactAssertion, CertificatePairAssertion,
CertificatePairExactAssertion
FROM CertificateExtensions
{joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 10} WITH SUCCESSORS ;
-- parameterized types
SIGNATURE ::= SEQUENCE {
agorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
signature BIT STRING,
... }
SIGNED{ToBeSigned} ::= SEQUENCE {
toBeSigned ToBeSigned,
algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
signature BIT STRING,
...,
[[4:
altAlgorithmIdentifier AlgorithmIdentifier{{SupportedAltAlgorithms}} OPTIONAL,
altSignature BIT STRING OPTIONAL]]
} (WITH COMPONENTS {..., altAlgorithmIdentifier PRESENT, altSignature PRESENT } |
WITH COMPONENTS {..., altAlgorithmIdentifier ABSENT, altSignature ABSENT } )
HASH{ToBeHashed} ::= SEQUENCE {
algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
hashValue BIT STRING (CONSTRAINED BY {
-- shall be the result of applying a hashing procedure to the DER-encoded
-- octets of a value of -- ToBeHashed } ),
... }
ENCRYPTED{ToBeEnciphered} ::= BIT STRING (CONSTRAINED BY {
-- shall be the result of applying an encipherment procedure
-- to the BER-encoded octets of a value of -- ToBeEnciphered } )
ENCRYPTED-HASH{ToBeSigned} ::= BIT STRING (CONSTRAINED BY {
-- shall be the result of applying a hashing procedure to the DER-encoded (see 6.2)
-- octets of a value of -- ToBeSigned -- and then applying an encipherment procedure
-- to those octets -- } )
-- Start of X.509 Cor. 1
ALGORITHM ::= CLASS {
&Type OPTIONAL,
&DynParms OPTIONAL,
&id OBJECT IDENTIFIER UNIQUE }
WITH SYNTAX {
[PARMS &Type]
[DYN-PARMS &DynParms ]
IDENTIFIED BY &id }
AlgorithmWithInvoke{ALGORITHM:SupportedAlgorithms} ::= SEQUENCE {
algorithm ALGORITHM.&id({SupportedAlgorithms}),
parameters [0] ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL,
dynamParms [1] ALGORITHM.&DynParms({SupportedAlgorithms}{@algorithm}) OPTIONAL,
... }
AlgorithmIdentifier{ALGORITHM:SupportedAlgorithms} ::= SEQUENCE {
algorithm ALGORITHM.&id({SupportedAlgorithms}),
parameters ALGORITHM.&Type({SupportedAlgorithms}{@algorithm}) OPTIONAL,
... }
AlgoInvoke{ALGORITHM:SupportedAlgorithms} ::=
ALGORITHM.&DynParms({SupportedAlgorithms})
-- End of X.509 Cor. 1
/* The definitions of the following information object sets are deferred to referencing
specifications having a requirement for specific information object sets.*/
SupportedAlgorithms ALGORITHM ::= {...}
SupportedAltAlgorithms ALGORITHM ::= {...}
FingerPrint {ToBeFingerprinted} ::= SEQUENCE {
algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
fingerprint BIT STRING,
... }
ecPublicKey ALGORITHM ::= { -- copied IETF RFC 5480
PARMS SupportedCurves
IDENTIFIED BY id-ecPublicKey }
id-ecPublicKey OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) ansi-X9-62(10045)
keyType(2) 1 }
/* The definitions of the following information value set is deferred to referencing
specifications having a requirement for specific value sets.*/
SupportedCurves OBJECT IDENTIFIER ::= {dummyCurv, ...}
dummyCurv OBJECT IDENTIFIER ::= {2 5 5}
-- public-key certificate definition
Certificate ::= SIGNED{TBSCertificate}
TBSCertificate ::= SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier{{SupportedAlgorithms}},
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL,
...,
[[2: -- if present, version shall be v2 or v3
subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL]],
[[3: -- if present, version shall be v2 or v3
extensions [3] Extensions OPTIONAL ]]
-- If present, version shall be v3]]
} (CONSTRAINED BY { -- shall be DER encoded -- } )
Version ::= INTEGER {v1(0), v2(1), v3(2)}
CertificateSerialNumber ::= INTEGER
Validity ::= SEQUENCE {
notBefore Time,
notAfter Time,
... }
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier{{SupportedAlgorithms}},
subjectPublicKey PublicKey,
... }
PublicKey ::= BIT STRING
Time ::= CHOICE {
utcTime UTCTime,
generalizedTime GeneralizedTime }
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
-- For those extensions where ordering of individual extensions within the SEQUENCE is
-- significant, the specification of those individual extensions shall include the
-- rules for the significance of the order therein
Extension ::= SEQUENCE {
extnId EXTENSION.&id({ExtensionSet}),
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING
(CONTAINING EXTENSION.&ExtnType({ExtensionSet}{@extnId})
ENCODED BY der),
... }
der OBJECT IDENTIFIER ::=
{joint-iso-itu-t asn1(1) ber-derived(2) distinguished-encoding(1)}
ExtensionSet EXTENSION ::= {...}
EXTENSION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&ExtnType }
WITH SYNTAX {
SYNTAX &ExtnType
IDENTIFIED BY &id }
-- other PKI certificate constructs
Certificates ::= SEQUENCE {
userCertificate Certificate,
certificationPath ForwardCertificationPath OPTIONAL,
... }
ForwardCertificationPath ::= SEQUENCE SIZE (1..MAX) OF CrossCertificates
CrossCertificates ::= SET SIZE (1..MAX) OF Certificate
CertificationPath ::= SEQUENCE {
userCertificate Certificate,
theCACertificates SEQUENCE SIZE (1..MAX) OF CertificatePair OPTIONAL,
... }
PkiPath ::= SEQUENCE SIZE (1..MAX) OF Certificate
-- certificate revocation list (CRL)
CertificateList ::= SIGNED{CertificateListContent}
CertificateListContent ::= SEQUENCE {
version Version OPTIONAL,
-- if present, version shall be v2
signature AlgorithmIdentifier{{SupportedAlgorithms}},
issuer Name,
thisUpdate Time,
nextUpdate Time OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
serialNumber CertificateSerialNumber,
revocationDate Time,
crlEntryExtensions Extensions OPTIONAL,
...} OPTIONAL,
...,
...,
crlExtensions [0] Extensions OPTIONAL }
CertAVL ::= SIGNED {TBSCertAVL}
TBSCertAVL ::= SEQUENCE {
version [0] IMPLICIT Version DEFAULT v1,
serialNumber AvlSerialNumber OPTIONAL,
signature AlgorithmIdentifier {{SupportedAlgorithms}},
issuer Name,
constrained BOOLEAN,
entries SEQUENCE (SIZE (1..MAX)) OF SEQUENCE {
idType CHOICE {
certIdentifier [0] PKCertIdentifier,
entityGroup DistinguishedName, -- only for constrained = FALSE
... },
entryExtensions [1] IMPLICIT Extensions OPTIONAL,
... },
...,
...,
avlExtensions Extensions OPTIONAL }
AvlSerialNumber ::= INTEGER (0..MAX)
PKCertIdentifier ::= CHOICE {
issuerSerialNumber IssuerSerialNumber,
fingerprintPKC [0] IMPLICIT FingerPrint {Certificate},
fingerprintPK [1] IMPLICIT FingerPrint {PublicKey},
... }
IssuerSerialNumber ::= SEQUENCE {
issuer Name,
serialNumber CertificateSerialNumber,
... }
-- PKI object classes
pkiUser OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {userCertificate}
LDAP-NAME {"pkiUser"}
LDAP-DESC "X.509 PKI User"
ID id-oc-pkiUser }
pkiCA OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {cACertificate |
certificateRevocationList |
eepkCertificateRevocationList |
authorityRevocationList |
crossCertificatePair}
LDAP-NAME {"pkiCA"}
LDAP-DESC "X.509 PKI Certificate Authority"
ID id-oc-pkiCA }
cRLDistributionPoint OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND structural
MUST CONTAIN {commonName}
MAY CONTAIN {certificateRevocationList |
eepkCertificateRevocationList |
authorityRevocationList |
deltaRevocationList}
LDAP-NAME {"cRLDistributionPoint"}
LDAP-DESC "X.509 CRL distribution point"
ID id-oc-cRLDistributionPoint }
cRLDistPtNameForm NAME-FORM ::= {
NAMES cRLDistributionPoint
WITH ATTRIBUTES {commonName}
ID id-nf-cRLDistPtNameForm }
deltaCRL OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {deltaRevocationList}
LDAP-NAME {"deltaCRL"}
LDAP-DESC "X.509 delta CRL"
ID id-oc-deltaCRL }
cpCps OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {certificatePolicy |
certificationPracticeStmt}
LDAP-NAME {"cpCps"}
LDAP-DESC "Certificate Policy and Certification Practice Statement"
ID id-oc-cpCps }
pkiCertPath OBJECT-CLASS ::= {
SUBCLASS OF {top}
KIND auxiliary
MAY CONTAIN {pkiPath}
LDAP-NAME {"pkiCertPath"}
LDAP-DESC "PKI Certification Path"
ID id-oc-pkiCertPath }
-- PKI directory attributes
userCertificate ATTRIBUTE ::= {
WITH SYNTAX Certificate
EQUALITY MATCHING RULE certificateExactMatch
LDAP-SYNTAX x509Certificate.&id
LDAP-NAME {"userCertificate"}
LDAP-DESC "X.509 user certificate"
ID id-at-userCertificate }
cACertificate ATTRIBUTE ::= {
WITH SYNTAX Certificate
EQUALITY MATCHING RULE certificateExactMatch
LDAP-SYNTAX x509Certificate.&id
LDAP-NAME {"cACertificate"}
LDAP-DESC "X.509 CA certificate"
ID id-at-cAcertificate }
crossCertificatePair ATTRIBUTE ::= {
WITH SYNTAX CertificatePair
EQUALITY MATCHING RULE certificatePairExactMatch
LDAP-SYNTAX x509CertificatePair.&id
LDAP-NAME {"crossCertificatePair"}
LDAP-DESC "X.509 cross certificate pair"
ID id-at-crossCertificatePair }
CertificatePair ::= SEQUENCE {
issuedToThisCA [0] Certificate OPTIONAL,
issuedByThisCA [1] Certificate OPTIONAL,
... }
(WITH COMPONENTS { ..., issuedToThisCA PRESENT} |
WITH COMPONENTS { ..., issuedByThisCA PRESENT})
certificateRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
EQUALITY MATCHING RULE certificateListExactMatch
LDAP-SYNTAX x509CertificateList.&id
LDAP-NAME {"certificateRevocationList"}
LDAP-DESC "X.509 certificate revocation list"
ID id-at-certificateRevocationList }
eepkCertificateRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
EQUALITY MATCHING RULE certificateListExactMatch
LDAP-SYNTAX x509CertificateList.&id
LDAP-NAME {"eepkCertificateRevocationList"}
LDAP-DESC "X.509 EEPK certificate revocation list"
ID id-at-eepkCertificateRevocationList }
authorityRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
EQUALITY MATCHING RULE certificateListExactMatch
LDAP-SYNTAX x509CertificateList.&id
LDAP-NAME {"authorityRevocationList"}
LDAP-DESC "X.509 authority revocation list"
ID id-at-authorityRevocationList }
deltaRevocationList ATTRIBUTE ::= {
WITH SYNTAX CertificateList
EQUALITY MATCHING RULE certificateListExactMatch
LDAP-SYNTAX x509CertificateList.&id
LDAP-NAME {"deltaRevocationList"}
LDAP-DESC "X.509 delta revocation list"
ID id-at-deltaRevocationList }
supportedAlgorithms ATTRIBUTE ::= {
WITH SYNTAX SupportedAlgorithm
EQUALITY MATCHING RULE algorithmIdentifierMatch
LDAP-SYNTAX x509SupportedAlgorithm.&id
LDAP-NAME {"supportedAlgorithms"}
LDAP-DESC "X.509 support algorithms"
ID id-at-supportedAlgorithms }
SupportedAlgorithm ::= SEQUENCE {
algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
intendedUsage [0] KeyUsage OPTIONAL,
intendedCertificatePolicies [1] CertificatePoliciesSyntax OPTIONAL,
... }
certificationPracticeStmt ATTRIBUTE ::= {
WITH SYNTAX InfoSyntax
ID id-at-certificationPracticeStmt }
InfoSyntax ::= CHOICE {
content UnboundedDirectoryString,
pointer SEQUENCE {
name GeneralNames,
hash HASH{HashedPolicyInfo} OPTIONAL,
... },
... }
POLICY ::= TYPE-IDENTIFIER
HashedPolicyInfo ::= POLICY.&Type({Policies})
Policies POLICY ::= {...} -- Defined by implementors
certificatePolicy ATTRIBUTE ::= {
WITH SYNTAX PolicySyntax
EQUALITY MATCHING RULE policyMatch
ID id-at-certificatePolicy }
PolicySyntax ::= SEQUENCE {
policyIdentifier PolicyID,
policySyntax InfoSyntax,
... }
PolicyID ::= CertPolicyId
pkiPath ATTRIBUTE ::= {
WITH SYNTAX PkiPath
EQUALITY MATCHING RULE pkiPathMatch
ID id-at-pkiPath }
supportedPublicKeyAlgorithms ATTRIBUTE ::= {
WITH SYNTAX SupportedPublicKeyAlgorithms
EQUALITY MATCHING RULE algorithmIdentifierMatch
LDAP-SYNTAX x509SupportedPublicKeyAlgos.&id
LDAP-NAME {"supportedPublicKeyAlgorithms"}
LDAP-DESC "X.509 supported publiv key algorithms"
ID id-at-supportedPublicKeyAlgorithms }
SupportedPublicKeyAlgorithms ::= SEQUENCE {
algorithmIdentifier AlgorithmIdentifier{{SupportedPublicKeyAlgos}},
minKeySize INTEGER,
extensions [0] SEQUENCE SIZE (1..MAX) OF OidOrAttr OPTIONAL,
... }
SupportedPublicKeyAlgos ALGORITHM ::= {...}
OidOrAttr ::= CHOICE {
oid ATTRIBUTE.&id ({ ExtAttributes }),
attribute Attribute {{ ExtAttributes }},
... }
ExtAttributes ATTRIBUTE ::= {...}
userPassword ATTRIBUTE ::= {
WITH SYNTAX OCTET STRING(SIZE (0..MAX))
EQUALITY MATCHING RULE octetStringMatch
LDAP-SYNTAX octetString.&id
LDAP-NAME {"userPassword"}
ID id-at-userPassword }
-- LDAP attribute syntaxes defined by this Specification
x509SupportedPublicKeyAlgos SYNTAX-NAME ::= {
LDAP-DESC "X.509 supported publiv key algorithms"
DIRECTORY SYNTAX SupportedPublicKeyAlgorithms
ID id-asx-x509SupportedPublicKeyAlgos }
-- LDAP syntaxes defined by IETF RFC 4523
x509Certificate SYNTAX-NAME ::= {
LDAP-DESC "X.509 Certificate"
DIRECTORY SYNTAX Certificate
ID id-lsx-x509Certificate }
x509CertificateList SYNTAX-NAME ::= {
LDAP-DESC "X.509 Certificate List"
DIRECTORY SYNTAX CertificateList
ID id-lsx-x509CertificateList }
x509CertificatePair SYNTAX-NAME ::= {
LDAP-DESC "X.509 Certificate Pair"
DIRECTORY SYNTAX CertificatePair
ID id-lsx-x509CertificatePair }
x509SupportedAlgorithm SYNTAX-NAME ::= {
LDAP-DESC "X.509 Supported Algorithm"
DIRECTORY SYNTAX SupportedAlgorithm
ID id-lsx-x509SupportedAlgorithm }
-- object identifier assignments
-- object classes
id-oc-cRLDistributionPoint OBJECT IDENTIFIER ::= {id-oc 19}
id-oc-pkiUser OBJECT IDENTIFIER ::= {id-oc 21}
id-oc-pkiCA OBJECT IDENTIFIER ::= {id-oc 22}
id-oc-deltaCRL OBJECT IDENTIFIER ::= {id-oc 23}
id-oc-cpCps OBJECT IDENTIFIER ::= {id-oc 30}
id-oc-pkiCertPath OBJECT IDENTIFIER ::= {id-oc 31}
-- name forms
id-nf-cRLDistPtNameForm OBJECT IDENTIFIER ::= {id-nf 14}
-- directory attributes
id-at-userPassword OBJECT IDENTIFIER ::= {id-at 35}
id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
id-at-supportedAlgorithms OBJECT IDENTIFIER ::= {id-at 52}
id-at-deltaRevocationList OBJECT IDENTIFIER ::= {id-at 53}
id-at-certificationPracticeStmt OBJECT IDENTIFIER ::= {id-at 68}
id-at-certificatePolicy OBJECT IDENTIFIER ::= {id-at 69}
id-at-pkiPath OBJECT IDENTIFIER ::= {id-at 70}
id-at-eepkCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 101}
id-at-supportedPublicKeyAlgorithms OBJECT IDENTIFIER ::= {id-at 103}
-- Syntaxes defined by this Specification
id-asx-x509SupportedPublicKeyAlgos OBJECT IDENTIFIER ::= {id-asx 10}
-- LDAP defined syntaxes
id-lsx-x509Certificate OBJECT IDENTIFIER ::= {id-lsx 8}
id-lsx-x509CertificateList OBJECT IDENTIFIER ::= {id-lsx 9}
id-lsx-x509CertificatePair OBJECT IDENTIFIER ::= {id-lsx 10}
id-lsx-x509SupportedAlgorithm OBJECT IDENTIFIER ::= {id-lsx 49}
END -- AuthenticationFramework