-- $Id$
--
-- Definitions from RFCs 2459, 3280, 5280
--
-- Note that those RFCs come with *two* ASN.1 modules, one being a default-
-- EXPLICIT tagged module, and the other being default-IMPLICIT.  Some types
-- are in one module, while others are in the other.  Here the two modules
-- are merged into a single default-EXPLICIT tagged module, with IMPLICIT added
-- for all tags for types in the default-IMPLICIT module.
--
-- This module describes only the encoding of the objects.  Which algorithms,
-- key sizes and extensions are acceptable is policy, and policy has to be
-- enforced by the code that consumes the decoded values, not by the decoder.

RFC2459 DEFINITIONS ::= BEGIN

IMPORTS HEIM_ANY FROM heim
        PrincipalName, Realm FROM krb5;

-- For OtherName we really want to also import:
--      KRB5PrincipalName FROM pkinit
--      PermanentIdentifier FROM rfc4043
--      HardwareModuleName FROM rfc4108;
-- But we can't because that creates circular dependencies.

-- X.509 version number as encoded on the wire: the INTEGER is one less than
-- the version name (v1 is 0, v2 is 1, v3 is 2).
Version ::= INTEGER {
    rfc3280_version_1(0),
    rfc3280_version_2(1),
    rfc3280_version_3(2)
}

-- PKCS #1 (RSA) signature algorithm identifiers.  The MD2 and MD5 variants
-- are kept so that old objects can still be parsed; whether they are accepted
-- for signature verification is a separate policy decision.
id-pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
id-pkcs1-rsaEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 1 }
id-pkcs1-md2WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 2 }
id-pkcs1-md5WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 4 }
id-pkcs1-sha1WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 5 }
id-pkcs1-sha256WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 11 }
id-pkcs1-sha384WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 12 }
id-pkcs1-sha512WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 13 }

-- Heimdal private arc (1.2.752.43.16, see id-heim-ce-pkinit-princ-max-life).
id-heim-rsa-pkcs1-x509 OBJECT IDENTIFIER ::= { 1 2 752 43 16 1 }

-- Digest identifiers under the pkcs(1) 2 arc.  The RFC 3279 digest OIDs are
-- the id-rsa-digest-* names below (rsadsi 2 arc); presumably both spellings
-- are kept for matching legacy objects, verify against the callers before
-- removing either set.
id-pkcs-2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 2 }
id-pkcs2-md2 OBJECT IDENTIFIER ::= { id-pkcs-2 2 }
id-pkcs2-md4 OBJECT IDENTIFIER ::= { id-pkcs-2 4 }
id-pkcs2-md5 OBJECT IDENTIFIER ::= { id-pkcs-2 5 }

-- MD2, MD4 and MD5 are broken hash functions; these OIDs exist for parsing,
-- not as an endorsement.
id-rsa-digestAlgorithm OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 2 }
id-rsa-digest-md2 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 2 }
id-rsa-digest-md4 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 4 }
id-rsa-digest-md5 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 5 }
-- PKCS #3 / RSADSI symmetric cipher identifiers.  RC2 and RC4 are legacy
-- ciphers; the OIDs are here so that existing PKCS objects can be parsed.
id-pkcs-3 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 3 }
id-pkcs3-rc2-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 2 }
id-pkcs3-rc4 OBJECT IDENTIFIER ::= { id-pkcs-3 4 }
id-pkcs3-des-ede3-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 7 }

id-rsadsi-encalg OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 3 }
id-rsadsi-rc2-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 2 }
id-rsadsi-des-ede3-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 7 }

-- OIW SECSIG SHA-1 identifiers (1.3.14.3.2 arc).
id-secsig-sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithm(2) 26 }
id-secsig-sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithm(2) 29 }

-- NIST CSOR algorithm arc (2.16.840.1.101.3.4).
id-nistAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 }
id-nist-aes-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 1 }
id-aes-128-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 2 }
id-aes-192-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 22 }
id-aes-256-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 42 }

-- The SHA-2 arc numbers are not in digest-size order: SHA-224 is 4.
id-nist-sha-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 2 }
id-sha256 OBJECT IDENTIFIER ::= { id-nist-sha-algs 1 }
id-sha224 OBJECT IDENTIFIER ::= { id-nist-sha-algs 4 }
id-sha384 OBJECT IDENTIFIER ::= { id-nist-sha-algs 2 }
id-sha512 OBJECT IDENTIFIER ::= { id-nist-sha-algs 3 }

-- ANSI X9.42 Diffie-Hellman public number.
id-dhpublicnumber OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

-- ECC
id-ecPublicKey OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
id-ecDH OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) schemes(1) ecdh(12) }
id-ecMQV OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) schemes(1) ecmqv(13) }
id-ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
id-ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
id-ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
id-ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 1 }
id-ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }

-- some EC group ids
-- Only the named-curve form of ECParameters is supported below, so a key
-- whose curve OID is not known to the consumer cannot be used.
id-ec-group-secp256r1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 7 }
id-ec-group-secp160r1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) 0 8 }
id-ec-group-secp160r2 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) 0 30 }
id-ec-group-secp224r1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) 0 33 }
id-ec-group-secp384r1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) 0 34 }
id-ec-group-secp521r1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) 0 35 }

-- DSA
-- NOTE(review): RFC 3279 places id-dsa under the X9.57 arc, 1.2.840.10040.4,
-- whereas this arc is rooted at ansi-x942(10046) and so yields
-- 1.2.840.10046.4.1 for id-dsa.  Confirm against the DSA test vectors and
-- the lib/hx509 callers before changing the value.
id-x9-57 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-x942(10046) 4 }
id-dsa OBJECT IDENTIFIER ::= { id-x9-57 1 }
id-dsa-with-sha1 OBJECT IDENTIFIER ::= { id-x9-57 3 }

-- x.520 names types
id-x520-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
id-at-commonName OBJECT IDENTIFIER ::= { id-x520-at 3 }
id-at-surname OBJECT IDENTIFIER ::= { id-x520-at 4 }
id-at-serialNumber OBJECT IDENTIFIER ::= { id-x520-at 5 }
id-at-countryName OBJECT IDENTIFIER ::= { id-x520-at 6 }
id-at-localityName OBJECT IDENTIFIER ::= { id-x520-at 7 }
id-at-stateOrProvinceName OBJECT IDENTIFIER ::= { id-x520-at 8 }
id-at-streetAddress OBJECT IDENTIFIER ::= { id-x520-at 9 }
id-at-organizationName OBJECT IDENTIFIER ::= { id-x520-at 10 }
id-at-organizationalUnitName OBJECT IDENTIFIER ::= { id-x520-at 11 }
id-at-title OBJECT IDENTIFIER ::= { id-x520-at 12 }
id-at-description OBJECT IDENTIFIER ::= { id-x520-at 13 }
id-at-name OBJECT IDENTIFIER ::= { id-x520-at 41 }
id-at-givenName OBJECT IDENTIFIER ::= { id-x520-at 42 }
id-at-initials OBJECT IDENTIFIER ::= { id-x520-at 43 }
id-at-generationQualifier OBJECT IDENTIFIER ::= { id-x520-at 44 }
id-at-dnQualifier OBJECT IDENTIFIER ::= { id-x520-at 46 }
id-at-pseudonym OBJECT IDENTIFIER ::= { id-x520-at 65 }

-- RFC 2247
id-Userid OBJECT IDENTIFIER ::= { 0 9 2342 19200300 100 1 1 }
id-domainComponent OBJECT IDENTIFIER ::= { 0 9 2342 19200300 100 1 25 }

id-at-emailAddress AttributeType ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 1 }

-- rfc3280
id-x509-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}

-- Algorithm identifier.  The parameters are an undecoded open type; the
-- consumer decodes (or rejects) them according to the algorithm OID.
AlgorithmIdentifier ::= SEQUENCE {
    algorithm  OBJECT IDENTIFIER,
    parameters HEIM_ANY OPTIONAL
}

AttributeType ::= OBJECT IDENTIFIER

AttributeValue ::= HEIM_ANY

-- Any of these string encodings may appear in a name; matching two names
-- that use different encodings for the same attribute is the consumer's
-- responsibility.
DirectoryString ::= CHOICE {
    ia5String       IA5String,
    teletexString   TeletexString,
    printableString PrintableString,
    universalString UniversalString,
    utf8String      UTF8String,
    bmpString       BMPString
}

AttributeValues ::= SET OF AttributeValue

Attribute ::= SEQUENCE {
    type  AttributeType,
    value AttributeValues
}

AttributeTypeAndValue ::= SEQUENCE {
    type  AttributeType,
    value DirectoryString
}

-- RDNs really should be SET OF SingleAttribute per the RFCs, but making that
-- change will affect lib/hx509 code, so we'll wait.  The issue is that there
-- is code in lib/hx509 and in lib/asn1/check-gen.c that assumes that the
-- `value` of an rdn is a `DirectoryString` and not an open type.
--
-- Also, it's really not worth making this change, as a) it will increase the
-- amount of code needed in lib/hx509, and b) it really is useful to be able to
-- assume RDN values are ultimately only strings, c) we don't have any attrs
-- for RDNs that aren't strings, and d) the non-string attributes from TCG that
-- are used in SubjectDirectoryAttributes will never be used here (so we hope).
--
-- Until we fix this lib/hx509 cannot support name attributes whose type isn't
-- DirectoryString.  For example, the UID attribute is broken at this time, as
-- that wants NumericString.
--
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue -- XXX SingleAttribute

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

Name ::= CHOICE {
    rdnSequence RDNSequence
}

-- No range is expressed here.  RFC 5280 requires a positive serial number of
-- at most 20 octets; a consumer that needs that guarantee has to check it.
CertificateSerialNumber ::= INTEGER

-- RFC 5280 uses UTCTime for dates through 2049 and GeneralizedTime from 2050
-- on; both choices are accepted on decode.
Time ::= CHOICE {
    utcTime     UTCTime,
    generalTime GeneralizedTime
}

Validity ::= SEQUENCE {
    notBefore Time,
    notAfter  Time
}

UniqueIdentifier ::= BIT STRING

-- The public key bits are opaque here; their format depends on
-- algorithm.algorithm (e.g. RSAPublicKey, DSAPublicKey, ECPoint below).
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm        AlgorithmIdentifier,
    subjectPublicKey BIT STRING
}

-- XXX Should be _OTHER-NAME ::= _TYPE-IDENTIFIER
_OTHER-NAME ::= CLASS {
    &id   OBJECT IDENTIFIER UNIQUE,
    &Type
}

-- Open-type OtherName: value is decoded according to type-id when type-id is
-- in the object set; an unknown type-id leaves value undecoded.
OtherName{_OTHER-NAME:OtherNameSet} ::= SEQUENCE {
    type-id _OTHER-NAME.&id({OtherNameSet}),
    value   [0] _OTHER-NAME.&Type({OtherNameSet}{@type-id})
}

_ATTRIBUTE ::= CLASS {
    &id       OBJECT IDENTIFIER UNIQUE,
    &Type     OPTIONAL,
    -- &equality-match MATCHING-RULE OPTIONAL,
    &minCount INTEGER DEFAULT 1,
    &maxCount INTEGER OPTIONAL
}

SingleAttribute{_ATTRIBUTE:AttrSet} ::= SEQUENCE {
    type  _ATTRIBUTE.&id({AttrSet}),
    value _ATTRIBUTE.&Type({AttrSet}{@type})
}

-- The SIZE (1..MAX) constraint is commented out, so an empty values SET
-- decodes successfully here and must be rejected by the consumer if needed.
AttributeSet{_ATTRIBUTE:AttrSet} ::= SEQUENCE {
    type   _ATTRIBUTE.&id({AttrSet}),
    values SET --SIZE (1..MAX)-- OF _ATTRIBUTE.&Type({AttrSet}{@type})
}

_EXTENSION ::= CLASS {
    &id       OBJECT IDENTIFIER UNIQUE,
    &ExtnType,
    &Critical BOOLEAN DEFAULT FALSE
}

-- Extension with an open-type extnValue.  The &Critical class field is not
-- tied to the critical component (that constraint is commented out below),
-- so the decoder does not check criticality; a consumer that meets an
-- extension it does not understand must still honour critical itself.
Extension{_EXTENSION:ExtensionSet} ::= SEQUENCE {
    extnID    _EXTENSION.&id({ExtensionSet}),
    critical  BOOLEAN
              -- (EXTENSION.&Critical({ExtensionSet}{@extnID}))
              DEFAULT FALSE,
    extnValue OCTET STRING (CONTAINING _EXTENSION.&ExtnType({ExtensionSet}{@extnID}))
}

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

-- The to-be-signed part of a certificate.  RFC 5280 requires signature here
-- to be the same algorithm as Certificate.signatureAlgorithm; that
-- cross-check cannot be expressed in this module.
TBSCertificate ::= SEQUENCE {
    version              [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID       [1] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
                         -- If present, version shall be v2 or v3
    subjectUniqueID      [2] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
                         -- If present, version shall be v2 or v3
    extensions           [3] EXPLICIT Extensions OPTIONAL
                         -- If present, version shall be v3
}

Certificate ::= SEQUENCE {
    tbsCertificate     TBSCertificate,
    signatureAlgorithm AlgorithmIdentifier,
    signatureValue     BIT STRING
}

Certificates ::= SEQUENCE OF Certificate

ValidationParms ::= SEQUENCE {
    seed        BIT STRING,
    pgenCounter INTEGER
}

-- X9.42 DH domain parameters.  Nothing here validates that p is prime or
-- that g generates the q-order subgroup; that is up to the key consumer.
DomainParameters ::= SEQUENCE {
    p               INTEGER, -- odd prime, p=jq +1
    g               INTEGER, -- generator, g
    q               INTEGER OPTIONAL, -- factor of p-1
    j               INTEGER OPTIONAL, -- subgroup factor
    validationParms ValidationParms OPTIONAL -- ValidationParms
}

-- As defined by PKCS3
DHParameter ::= SEQUENCE {
    prime              INTEGER, -- odd prime, p=jq +1
    base               INTEGER, -- generator, g
    privateValueLength INTEGER OPTIONAL
}

DHPublicKey ::= INTEGER

-- iPAddress is an unconstrained OCTET STRING here.  RFC 5280 fixes its
-- length (4 or 16 octets in a subjectAltName, twice that in a name
-- constraint), so the length check has to be done by the consumer.
GeneralName ::= CHOICE {
    otherName                 [0] IMPLICIT OtherName,
    rfc822Name                [1] IMPLICIT IA5String,
    dNSName                   [2] IMPLICIT IA5String,
--  x400Address               [3] IMPLICIT ORAddress,--
    directoryName             [4] IMPLICIT Name,
--  ediPartyName              [5] IMPLICIT EDIPartyName, --
    uniformResourceIdentifier [6] IMPLICIT IA5String,
    iPAddress                 [7] IMPLICIT OCTET STRING,
    registeredID              [8] IMPLICIT OBJECT IDENTIFIER
}

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

id-x509-ce-keyUsage OBJECT IDENTIFIER ::= { id-x509-ce 15 }

KeyUsage ::= BIT STRING {
    digitalSignature (0),
    nonRepudiation   (1),
    keyEncipherment  (2),
    dataEncipherment (3),
    keyAgreement     (4),
    keyCertSign      (5),
    cRLSign          (6),
    encipherOnly     (7),
    decipherOnly     (8)
}

-- private key usage period extension OID and syntax
PrivateKeyUsagePeriod ::= SEQUENCE {
    notBefore [0] IMPLICIT GeneralizedTime OPTIONAL,
    notAfter  [1] IMPLICIT GeneralizedTime OPTIONAL
    -- either notBefore or notAfter MUST be present
}

-- certificate policies extension OID and syntax
_POLICYQUALIFIERINFO ::= CLASS { -- Heimdal extension
    &id  OBJECT IDENTIFIER UNIQUE,
    &Type
}

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierId ::= OBJECT IDENTIFIER -- ( id-qt-cps | id-qt-unotice )

PolicyQualifierInfo{_POLICYQUALIFIERINFO:PolicyQualifierSet} ::= SEQUENCE {
    policyQualifierId _POLICYQUALIFIERINFO.&id({PolicyQualifierSet}),
    qualifier         _POLICYQUALIFIERINFO.&Type({PolicyQualifierSet}{@policyQualifierId})
}

PolicyQualifierInfos ::= SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo

PolicyInformation ::= SEQUENCE {
    policyIdentifier CertPolicyId,
    policyQualifiers PolicyQualifierInfos OPTIONAL
}

CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

-- CPS pointer qualifier
CPSuri ::= IA5String

-- user notice qualifier
-- The 200-character bounds are not enforced by this module.
DisplayText ::= CHOICE {
    ia5String     IA5String,     --(SIZE (1..200))
    visibleString VisibleString, --(SIZE (1..200))
    bmpString     BMPString,     --(SIZE (1..200))
    utf8String    UTF8String     --(SIZE (1..200))
}

NoticeReference ::= SEQUENCE {
    organization  DisplayText,
    noticeNumbers SEQUENCE OF INTEGER
}

UserNotice ::= SEQUENCE {
    noticeRef    NoticeReference OPTIONAL,
    explicitText DisplayText OPTIONAL
}

-- policy mapping extension OID and syntax
PolicyMapping ::= SEQUENCE {
    issuerDomainPolicy  CertPolicyId,
    subjectDomainPolicy CertPolicyId
}

PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF PolicyMapping

-- authority key identifier OID and syntax
id-x509-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 35 }

KeyIdentifier ::= OCTET STRING

AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier             [0] IMPLICIT OCTET STRING OPTIONAL,
    authorityCertIssuer       [1] IMPLICIT -- GeneralName -- SEQUENCE -- SIZE (1..MAX) -- OF GeneralName OPTIONAL,
    authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL
}

-- subject key identifier OID and syntax
id-x509-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 14 }

SubjectKeyIdentifier ::= KeyIdentifier

id-x509-ce-basicConstraints OBJECT IDENTIFIER ::= { id-x509-ce 19 }

-- An absent cA means FALSE (the DEFAULT); pathLenConstraint is only
-- meaningful when cA is TRUE.  Path validation must treat only an explicit
-- cA TRUE as permission to issue certificates.
BasicConstraints ::= SEQUENCE {
    cA                BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..4294967295) OPTIONAL
}

id-x509-ce-nameConstraints OBJECT IDENTIFIER ::= { id-x509-ce 30 }

BaseDistance ::= INTEGER (0..4294967295)

-- RFC 5280 requires minimum to be 0 and maximum to be absent; a consumer
-- should reject other values rather than try to interpret them.
GeneralSubtree ::= SEQUENCE {
    base    GeneralName,
    minimum [0] IMPLICIT BaseDistance DEFAULT 0,
    maximum [1] IMPLICIT BaseDistance OPTIONAL
}

-- SIZE (1..MAX) is not enforced here; an empty subtree list decodes.
GeneralSubtrees ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralSubtree

NameConstraints ::= SEQUENCE {
    permittedSubtrees [0] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL,
    excludedSubtrees  [1] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL
}

id-x509-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-x509-ce 16 }
id-x509-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-x509-ce 32 }
id-x509-ce-certificatePolicies-anyPolicy OBJECT IDENTIFIER ::= { id-x509-ce-certificatePolicies 0 }
id-x509-ce-policyMappings OBJECT IDENTIFIER ::= { id-x509-ce 33 }
id-x509-ce-subjectAltName OBJECT IDENTIFIER ::= { id-x509-ce 17 }
id-x509-ce-issuerAltName OBJECT IDENTIFIER ::= { id-x509-ce 18 }
id-x509-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-x509-ce 9 }
id-x509-ce-policyConstraints OBJECT IDENTIFIER ::= { id-x509-ce 36 }
id-x509-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-x509-ce 37}
id-x509-ce-anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-x509-ce-extKeyUsage 0 }

ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER

-- Same value as id-x509-ce-cRLReason defined further down; both names are
-- kept for the sake of existing callers.
id-x509-ce-cRLReasons OBJECT IDENTIFIER ::= { id-x509-ce 21 }
id-x509-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-x509-ce 31 }
id-x509-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-x509-ce 27 }
id-x509-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-x509-ce 28 }
id-x509-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-x509-ce 23 }
id-x509-ce-invalidityDate OBJECT IDENTIFIER ::= { id-x509-ce 24 }
id-x509-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-x509-ce 29 }
id-x509-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-x509-ce 54 }

-- Heimdal extension
id-heim-ce-pkinit-princ-max-life OBJECT IDENTIFIER ::= { iso(1) member-body(2) se(752) su(43) heim-pkix(16) 4 }

-- Reason flags as bit positions.  Note that these do not line up with the
-- CRLReason ENUMERATED values below (privilegeWithdrawn is bit 7 here but
-- value 9 there), so the two must not be used interchangeably.
DistributionPointReasonFlags ::= BIT STRING {
    unused               (0),
    keyCompromise        (1),
    cACompromise         (2),
    affiliationChanged   (3),
    superseded           (4),
    cessationOfOperation (5),
    certificateHold      (6),
    privilegeWithdrawn   (7),
    aACompromise         (8)
}

DistributionPointName ::= CHOICE {
    fullName                [0] IMPLICIT -- GeneralNames -- SEQUENCE SIZE (1..MAX) OF GeneralName,
    nameRelativeToCRLIssuer [1] RelativeDistinguishedName
}

DistributionPoint ::= SEQUENCE {
    distributionPoint [0] IMPLICIT DistributionPointName OPTIONAL,
    reasons           [1] IMPLICIT DistributionPointReasonFlags OPTIONAL,
    cRLIssuer         [2] IMPLICIT GeneralNames OPTIONAL
}

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

-- rfc3279
DSASigValue ::= SEQUENCE {
    r INTEGER,
    s INTEGER
}

DSAPublicKey ::= INTEGER

DSAParams ::= SEQUENCE {
    p INTEGER,
    q INTEGER,
    g INTEGER
}

-- draft-ietf-pkix-ecc-subpubkeyinfo-11
ECPoint ::= OCTET STRING

-- Only named curves are supported; the implicit and explicitly specified
-- forms are deliberately not decoded.
ECParameters ::= CHOICE {
    namedCurve OBJECT IDENTIFIER
    -- implicitCurve NULL
    -- specifiedCurve SpecifiedECDomain
}

ECDSA-Sig-Value ::= SEQUENCE {
    r INTEGER,
    s INTEGER
}

-- really pkcs1
RSAPublicKey ::= SEQUENCE {
    modulus        INTEGER, -- n
    publicExponent INTEGER  -- e
}

-- Private key material.  Two-prime keys only; the multi-prime form from
-- later PKCS #1 revisions (version 1 with otherPrimeInfos) is not
-- represented here.
RSAPrivateKey ::= SEQUENCE {
    version         INTEGER (0..4294967295),
    modulus         INTEGER, -- n
    publicExponent  INTEGER, -- e
    privateExponent INTEGER, -- d
    prime1          INTEGER, -- p
    prime2          INTEGER, -- q
    exponent1       INTEGER, -- d mod (p-1)
    exponent2       INTEGER, -- d mod (q-1)
    coefficient     INTEGER  -- (inverse of q) mod p
}

-- PKCS #1 v1.5 signature payload.  When verifying, the digestAlgorithm
-- found here must be compared with the algorithm the verifier expects,
-- not trusted on its own.
DigestInfo ::= SEQUENCE {
    digestAlgorithm AlgorithmIdentifier,
    digest          OCTET STRING
}

-- some ms ext
-- szOID_ENROLL_CERTTYPE_EXTENSION "1.3.6.1.4.1.311.20.2" is Encoded as a
-- UNICODESTRING (0x1E tag)
-- szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" is Encoded as:
-- TemplateVersion ::= INTEGER (0..4294967295)
-- CertificateTemplate ::= SEQUENCE {
--     templateID              OBJECT IDENTIFIER,
--     templateMajorVersion    TemplateVersion,
--     templateMinorVersion    TemplateVersion OPTIONAL
-- }

--
-- CRL
--

TBSCRLCertList ::= SEQUENCE {
    version             Version OPTIONAL, -- if present, MUST be v2
    signature           AlgorithmIdentifier,
    issuer              Name,
    thisUpdate          Time,
    nextUpdate          Time OPTIONAL,
    revokedCertificates SEQUENCE OF SEQUENCE {
        userCertificate    CertificateSerialNumber,
        revocationDate     Time,
        crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
    } OPTIONAL,
    crlExtensions       [0] EXPLICIT Extensions OPTIONAL -- if present, MUST be v2
}

CRLCertificateList ::= SEQUENCE {
    tbsCertList        TBSCRLCertList,
    signatureAlgorithm AlgorithmIdentifier,
    signatureValue     BIT STRING
}

id-x509-ce-cRLNumber OBJECT IDENTIFIER ::= { id-x509-ce 20 }
id-x509-ce-freshestCRL OBJECT IDENTIFIER ::= { id-x509-ce 46 }
-- Same value as id-x509-ce-cRLReasons above.
id-x509-ce-cRLReason OBJECT IDENTIFIER ::= { id-x509-ce 21 }

-- Value 7 is intentionally unassigned.
CRLReason ::= ENUMERATED {
    unspecified          (0),
    keyCompromise        (1),
    cACompromise         (2),
    affiliationChanged   (3),
    superseded           (4),
    cessationOfOperation (5),
    certificateHold      (6),
    removeFromCRL        (8),
    privilegeWithdrawn   (9),
    aACompromise         (10)
}

-- Note that the OtherName object set further down binds id-pkix-on-xmppAddr
-- and id-pkix-on-dnsSRV to the Alias* string types, not to these two names.
PKIXXmppAddr ::= UTF8String

SRVName ::= IA5String -- (SIZE (1..MAX)), but our compiler doesn't do that

id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
id-pkix-on OBJECT IDENTIFIER ::= { id-pkix 8 }
id-pkix-on-xmppAddr OBJECT IDENTIFIER ::= { id-pkix-on 5 }
id-pkix-on-dnsSRV OBJECT IDENTIFIER ::= { id-pkix-on 7 }

-- From RFC4108
id-pkix-on-hardwareModuleName OBJECT IDENTIFIER ::= { id-pkix-on 4 }

HardwareModuleName ::= SEQUENCE {
    hwType      OBJECT IDENTIFIER,
    hwSerialNum OCTET STRING
}

-- XXX Not really the right name
id-pkix-on-pkinit-san OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) x509-sanan(2) }

-- PKINIT subjectAltName OtherName (RFC 4556).  Binding a certificate to a
-- Kerberos principal through this name is a trust decision for the KDC or
-- client policy; the decoder only parses it.
KRB5PrincipalName ::= SEQUENCE {
    realm         [0] Realm,
    principalName [1] PrincipalName
}

-- From RFC4043:
-- Permanent identifier Object Identifier and Syntax
id-pkix-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-pkix-on 3 }

PermanentIdentifier ::= SEQUENCE {
    identifierValue UTF8String OPTIONAL,
                    -- if absent, use the serialNumber attribute
                    -- if there is a single such attribute present
                    -- in the subject DN
    assigner        OBJECT IDENTIFIER OPTIONAL
                    -- if absent, the assigner is
                    -- the certificate issuer
}
-- EKUs
-- Extended key usage purposes (RFC 5280 4.2.1.12).  Defining an OID here only
-- lets it be named; which purposes a certificate may be used for is decided by
-- the consumer.
id-pkix-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
id-pkix-kp-serverAuth OBJECT IDENTIFIER ::= { id-pkix-kp 1 }
id-pkix-kp-clientAuth OBJECT IDENTIFIER ::= { id-pkix-kp 2 }
id-pkix-kp-codeSigning OBJECT IDENTIFIER ::= { id-pkix-kp 3 }
id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 }
id-pkix-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-pkix-kp 5 }
id-pkix-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-pkix-kp 6 }
id-pkix-kp-ipsecUser OBJECT IDENTIFIER ::= { id-pkix-kp 7 }
id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 }
id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 }

-- The following are taken from RFC7299 and others
id-pkix-kp-DVCS OBJECT IDENTIFIER ::= { id-pkix-kp 10 }
id-pkix-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-pkix-kp 17 }
id-pkix-kp-capwapAC OBJECT IDENTIFIER ::= { id-pkix-kp 18 }
id-pkix-kp-capwapWTP OBJECT IDENTIFIER ::= { id-pkix-kp 19 }
id-pkix-kp-sipDomain OBJECT IDENTIFIER ::= { id-pkix-kp 20 } -- RFC5924
id-pkix-kp-secureShellClient OBJECT IDENTIFIER ::= { id-pkix-kp 21 } -- RFC6187
id-pkix-kp-secureShellServer OBJECT IDENTIFIER ::= { id-pkix-kp 22 } -- RFC6187
id-pkix-kp-sendRouter OBJECT IDENTIFIER ::= { id-pkix-kp 23 } -- RFC6494
id-pkix-kp-sendProxiedRouter OBJECT IDENTIFIER ::= { id-pkix-kp 24 } -- RFC6494
id-pkix-kp-sendOwner OBJECT IDENTIFIER ::= { id-pkix-kp 25 } -- RFC6494
id-pkix-kp-sendProxiedOwner OBJECT IDENTIFIER ::= { id-pkix-kp 26 } -- RFC6494
id-pkix-kp-cmcCA OBJECT IDENTIFIER ::= { id-pkix-kp 27 } -- RFC6402
id-pkix-kp-cmcRA OBJECT IDENTIFIER ::= { id-pkix-kp 28 } -- RFC6402
id-pkix-kp-cmcArchive OBJECT IDENTIFIER ::= { id-pkix-kp 29 } -- RFC6402
id-pkix-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-pkix-kp 30 } -- RFC8209

-- The following are MSFT EKUs taken from OpenSSL
id-msft OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 311 }
id-msft-kp-msCodeInd OBJECT IDENTIFIER ::= { id-msft 2 1 21 }
id-msft-kp-msCodeCom OBJECT IDENTIFIER ::= { id-msft 2 1 22 }
id-msft-kp-msCTLSign OBJECT IDENTIFIER ::= { id-msft 10 3 1 }
id-msft-kp-msSGC OBJECT IDENTIFIER ::= { id-msft 10 3 3 }
id-msft-kp-msEFS OBJECT IDENTIFIER ::= { id-msft 10 3 4 }
id-msft-kp-msSmartcardLogin OBJECT IDENTIFIER ::= { id-msft 20 2 2 }
-- Same value (1.3.6.1.4.1.311.20.2.3) as id-pkix-on-pkinit-ms-san, the
-- OtherName type-id for the Microsoft UPN subjectAltName; it is listed with
-- the EKUs because that is where OpenSSL keeps it.
id-msft-kp-msUPN OBJECT IDENTIFIER ::= { id-msft 20 2 3 }

id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
id-pkix-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 1 }

-- accessLocation is an arbitrary GeneralName (typically a URI); anything
-- fetched from it is untrusted input until it has been verified.
AccessDescription ::= SEQUENCE {
    accessMethod   OBJECT IDENTIFIER,
    accessLocation GeneralName
}

AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription

-- RFC 3820 Proxy Certificate Profile
id-pkix-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }

id-pkix-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 11 }

SubjectInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription

id-pkix-ppl OBJECT IDENTIFIER ::= { id-pkix 21 }
id-pkix-ppl-anyLanguage OBJECT IDENTIFIER ::= { id-pkix-ppl 0 }
id-pkix-ppl-inheritAll OBJECT IDENTIFIER ::= { id-pkix-ppl 1 }
id-pkix-ppl-independent OBJECT IDENTIFIER ::= { id-pkix-ppl 2 }

-- policy is opaque here; its format is defined by policyLanguage.
ProxyPolicy ::= SEQUENCE {
    policyLanguage OBJECT IDENTIFIER,
    policy         OCTET STRING OPTIONAL
}

ProxyCertInfo ::= SEQUENCE {
    pCPathLenConstraint INTEGER (0..4294967295) OPTIONAL, -- really MAX
    proxyPolicy         ProxyPolicy
}

-- TCG contents:
-- See tcg.asn1 for commentary.
--TCG specific OIDs
tcg OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) international-organizations(23) tcg(133)}
tcg-attribute OBJECT IDENTIFIER ::= {tcg 2}
tcg-kp OBJECT IDENTIFIER ::= {tcg 8}

--TCG Attribute OIDs
tcg-at-tpmManufacturer OBJECT IDENTIFIER ::= {tcg-attribute 1}
tcg-at-tpmModel OBJECT IDENTIFIER ::= {tcg-attribute 2}
tcg-at-tpmVersion OBJECT IDENTIFIER ::= {tcg-attribute 3}
tcg-at-tpmSpecification OBJECT IDENTIFIER ::= {tcg-attribute 16}
tcg-at-tpmSecurityAssertions OBJECT IDENTIFIER ::= {tcg-attribute 18}

--TCG Attribute objects
-- These are the TPM endorsement key (EK) certificate attributes.  The STRMAX
-- size bounds are commented out and therefore not enforced by the decoder.
at-TPMSecurityAssertions _ATTRIBUTE ::= {
    &Type TPMSecurityAssertions,
    &id   tcg-at-tpmSecurityAssertions
}
at-TPMManufacturer _ATTRIBUTE ::= {
    &Type AliasUTF8String, --(SIZE (1..STRMAX))--
    &id   tcg-at-tpmManufacturer
}
at-TPMModel _ATTRIBUTE ::= {
    &Type AliasUTF8String, --(SIZE (1..STRMAX))--
    &id   tcg-at-tpmModel
}
at-TPMVersion _ATTRIBUTE ::= {
    &Type AliasUTF8String, --(SIZE (1..STRMAX))--
    &id   tcg-at-tpmVersion
}
at-TPMSpecification _ATTRIBUTE ::= {
    &Type TPMSpecification,
    &id   tcg-at-tpmSpecification
}

--TCG Extended Key Usage OIDs
tcg-kp-EKCertificate OBJECT IDENTIFIER ::= {tcg-kp 1}

-- OIDs not in the module in TCG_IWG_EKCredentialProfile_v2p3_r2_pub but in
-- TCG_IWG_DevID_v1r2_02dec2020 (missing arc names not mentioned in the TCG
-- specs):
tcg-tpm20 OBJECT IDENTIFIER ::= {tcg 1 2} -- this OID is not named in the TCG specs
tcg-on-ekPermIdSha256 OBJECT IDENTIFIER ::= {tcg 12 1} -- assigner value for PermanentIdentifier SAN
tcg-cap-verifiedTPMResidency OBJECT IDENTIFIER ::= {tcg 11 1 1} -- policy OID
tcg-cap-verifiedTPMFixed OBJECT IDENTIFIER ::= {tcg 11 1 2} -- policy OID
tcg-cap-verifiedTPMRestricted OBJECT IDENTIFIER ::= {tcg 11 1 3} -- policy OID

EKGenerationType ::= ENUMERATED {
    ekgt-internal          (0),
    ekgt-injected          (1),
    ekgt-internalRevocable (2),
    ekgt-injectedRevocable (3)
}

EKGenerationLocation ::= ENUMERATED {
    tpmManufacturer      (0),
    platformManufacturer (1),
    ekCertSigner         (2)
}

EKCertificateGenerationLocation ::= EKGenerationLocation -- XXX

-- The identifier for EAL1 is spelled "ealevell" (double l) in the TCG
-- module; it is kept as is so generated symbol names do not change.
EvaluationAssuranceLevel ::= ENUMERATED {
    ealevell (1),
    ealevel2 (2),
    ealevel3 (3),
    ealevel4 (4),
    ealevel5 (5),
    ealevel6 (6),
    ealevel7 (7)
}

SecurityLevel ::= ENUMERATED {
    sllevel1 (1),
    sllevel2 (2),
    sllevel3 (3),
    sllevel4 (4)
}

StrengthOfFunction ::= ENUMERATED {
    sof-basic  (0),
    sof-medium (1),
    sof-high   (2)
}

-- A URI plus an optional digest of the referenced document; without the
-- digest the reference gives no integrity guarantee about what is fetched.
URIReference ::= SEQUENCE {
    uniformResourceIdentifier IA5String, -- (SIZE (1..URIMAX))
    hashAlgorithm             AlgorithmIdentifier OPTIONAL,
    hashValue                 BIT STRING OPTIONAL
}

EvaluationStatus ::= ENUMERATED {
    designedToMeet       (0),
    evaluationInProgress (1),
    evaluationCompleted  (2)
}

--tcg specification attributes for tpm
TPMSpecification ::= SEQUENCE {
    family   UTF8String, -- (SIZE (1..STRMAX))
    level    INTEGER (0..4294967295),
    revision INTEGER (0..4294967295),
    ...
}

--common criteria evaluation
CommonCriteriaMeasures ::= SEQUENCE {
    version            IA5String, -- (SIZE (1..STRMAX)) "2.2" or "3.1"; future syntax defined by CC
    assurancelevel     EvaluationAssuranceLevel,
    evaluationStatus   EvaluationStatus,
    plus               BOOLEAN DEFAULT FALSE,
    strengthOfFunction [0] IMPLICIT StrengthOfFunction OPTIONAL,
    profileOid         [1] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
    profileUri         [2] IMPLICIT URIReference OPTIONAL,
    targetOid          [3] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
    targetUri          [4] IMPLICIT URIReference OPTIONAL,
    ...
}

--fips evaluation
FIPSLevel ::= SEQUENCE {
    version IA5String, -- (SIZE (1..STRMAX)) "140-1" or "140-2"
    level   SecurityLevel,
    plus    BOOLEAN DEFAULT FALSE,
    ...
}

--tpm security assertions
TPMVersion ::= INTEGER {
    tpm-v1(0)
}

-- Security assertions carried in an EK certificate.  These are claims made by
-- the certificate issuer; they are only as trustworthy as that issuer.
TPMSecurityAssertions ::= SEQUENCE {
    version                        TPMVersion DEFAULT 0, -- v1
    fieldUpgradable                BOOLEAN DEFAULT FALSE,
    -- The TCG EK cert profile spec says all these context tags are IMPLICIT,
    -- but samples in the field have them as EXPLICIT.
    ekGenerationType               [0] EXPLICIT EKGenerationType OPTIONAL,
    ekGenerationLocation           [1] EXPLICIT EKGenerationLocation OPTIONAL,
    ekCertificateGenerationLocation [2] EXPLICIT EKCertificateGenerationLocation OPTIONAL,
    ccInfo                         [3] EXPLICIT CommonCriteriaMeasures OPTIONAL,
    fipsLevel                      [4] EXPLICIT FIPSLevel OPTIONAL,
    iso9000Certified               [5] EXPLICIT BOOLEAN DEFAULT FALSE,
    iso9000Uri                     IA5String OPTIONAL, -- (SIZE (1..URIMAX))
    ...
}

-- Back to OtherName, SingleAttribute, AttributeSet, and Extension

-- XXX Not really the right name for this OID:
-- This is the Microsoft UPN OtherName type-id, 1.3.6.1.4.1.311.20.2.3, the
-- same value as id-msft-kp-msUPN above.
id-pkix-on-pkinit-ms-san OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 20 2 3 }

-- XXX Work around bug (where we don't know the names of universal types in the
-- template backend) by creating aliases for universal types we use in IOS
-- objects.
--
-- NOTE(review): AliasIA5String is an alias for UTF8String, not IA5String, yet
-- it is the &Type for on-dnsSRV, at-domainComponent and at-emailAddress,
-- all of which are IA5String in their RFCs (and SRVName above is declared
-- IA5String).  With this alias the decoder expects a UTF8String tag for
-- those values; confirm whether that is intended before changing it, as the
-- generated C type names would change with it.
AliasUTF8String ::= UTF8String
AliasIA5String ::= UTF8String
AliasPrintableString ::= PrintableString

on-xmppAddr _OTHER-NAME ::= {
    &id   id-pkix-on-xmppAddr,
    &Type AliasUTF8String
}
on-dnsSRV _OTHER-NAME ::= {
    &id   id-pkix-on-dnsSRV,
    &Type AliasIA5String
}
on-hardwareModuleName _OTHER-NAME ::= {
    &id   id-pkix-on-hardwareModuleName,
    &Type HardwareModuleName
}
on-permanentIdentifier _OTHER-NAME ::= {
    &id   id-pkix-on-permanentIdentifier,
    &Type PermanentIdentifier
}
on-krb5PrincipalName _OTHER-NAME ::= {
    &id   id-pkix-on-pkinit-san,
    &Type KRB5PrincipalName
}
on-pkinit-ms-san _OTHER-NAME ::= {
    &id   id-pkix-on-pkinit-ms-san,
    &Type AliasUTF8String
}

-- OtherName types whose value is decoded.  An OtherName with any other
-- type-id still parses, with its value left as an undecoded open type.
KnownOtherNameTypes _OTHER-NAME ::= {
    on-xmppAddr |
    on-dnsSRV |
    on-hardwareModuleName |
    on-permanentIdentifier |
    on-krb5PrincipalName |
    on-pkinit-ms-san
}

OtherName ::= OtherName{KnownOtherNameTypes}

-- The upper bounds named in these comments are declared at the end of the
-- module but are not applied anywhere; string lengths are unconstrained.
X520name ::= DirectoryString --{ub-name}
X520CommonName ::= DirectoryString --{ub-common-name}
X520LocalityName ::= DirectoryString --{ub-locality-name}
X520OrganizationName ::= DirectoryString --{ub-organization-name}
X520StateOrProvinceName ::= DirectoryString --{ub-state-name}
X520OrganizationalUnitName ::= DirectoryString --{ub-organizational-unit-name}

at-name _ATTRIBUTE ::= {
    &Type X520name,
    &id   id-at-name
}
at-surname _ATTRIBUTE ::= {
    &Type X520name,
    &id   id-at-surname
}
at-givenName _ATTRIBUTE ::= {
    &Type X520name,
    &id   id-at-givenName
}
at-initials _ATTRIBUTE ::= {
    &Type X520name,
    &id   id-at-initials
}
at-generationQualifier _ATTRIBUTE ::= {
    &Type X520name,
    &id   id-at-generationQualifier
}
at-x520CommonName _ATTRIBUTE ::= {
    &Type X520CommonName,
    &id   id-at-commonName
}
at-x520LocalityName _ATTRIBUTE ::= {
    &Type X520LocalityName,
    &id   id-at-localityName
}
at-x520StateOrProvinceName _ATTRIBUTE ::= {
    &Type DirectoryString --{ub-state-name}--,
    &id   id-at-stateOrProvinceName
}
at-x520OrganizationName _ATTRIBUTE ::= {
    &Type DirectoryString --{ub-organization-name}--,
    &id   id-at-organizationName
}
at-x520OrganizationalUnitName _ATTRIBUTE ::= {
    &Type DirectoryString --{ub-organizational-unit-name}--,
    &id   id-at-organizationalUnitName
}
at-x520Title _ATTRIBUTE ::= {
    &Type DirectoryString --{ub-title}--,
    &id   id-at-title
}
at-x520dnQualifier _ATTRIBUTE ::= {
    &Type AliasPrintableString,
    &id   id-at-dnQualifier
}
at-x520countryName _ATTRIBUTE ::= {
    &Type AliasPrintableString --(SIZE (2))--,
    &id   id-at-countryName
}
at-x520SerialNumber _ATTRIBUTE ::= {
    &Type AliasPrintableString --(SIZE (1..ub-serial-number))--,
    &id   id-at-serialNumber
}
at-x520Pseudonym _ATTRIBUTE ::= {
    &Type DirectoryString --{ub-pseudonym}--,
    &id   id-at-pseudonym
}
at-domainComponent _ATTRIBUTE ::= {
    &Type AliasIA5String,
    &id   id-domainComponent
}
at-emailAddress _ATTRIBUTE ::= {
    &Type AliasIA5String --(SIZE (1..ub-emailaddress-length))--,
    &id   id-at-emailAddress
}

-- Attribute types whose values are decoded in SingleAttribute / AttributeSet.
SupportedAttributes _ATTRIBUTE ::= {
    at-name |
    at-surname |
    at-givenName |
    at-initials |
    at-generationQualifier |
    at-x520CommonName |
    at-x520LocalityName |
    at-x520StateOrProvinceName |
    at-x520OrganizationName |
    at-x520OrganizationalUnitName |
    at-x520Title |
    at-x520dnQualifier |
    at-x520countryName |
    at-x520SerialNumber |
    at-x520Pseudonym |
    at-domainComponent |
    at-emailAddress |
    at-TPMSecurityAssertions |
    at-TPMManufacturer |
    at-TPMModel |
    at-TPMVersion |
    at-TPMSpecification
}

SingleAttribute ::= SingleAttribute{SupportedAttributes}

AttributeSet ::= AttributeSet{SupportedAttributes}

SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF AttributeSet

-- Extension objects.  &Critical is recorded as FALSE for all of them, even
-- for BasicConstraints and NameConstraints which RFC 5280 requires to be
-- critical in the cases that matter; as noted at Extension above, this
-- field is informational and is not checked on decode.
ext-AuthorityKeyIdentifier _EXTENSION ::= {
    &id       id-x509-ce-authorityKeyIdentifier,
    &Critical FALSE,
    &ExtnType AuthorityKeyIdentifier
}
ext-KeyUsage _EXTENSION ::= {
    &id       id-x509-ce-keyUsage,
    &Critical FALSE,
    &ExtnType KeyUsage
}
ext-SubjectKeyIdentifier _EXTENSION ::= {
    &id       id-x509-ce-subjectKeyIdentifier,
    &Critical FALSE,
    &ExtnType SubjectKeyIdentifier
}
ext-PrivateKeyUsagePeriod _EXTENSION ::= {
    &id       id-x509-ce-privateKeyUsagePeriod,
    &Critical FALSE,
    &ExtnType PrivateKeyUsagePeriod
}
ext-CertificatePolicies _EXTENSION ::= {
    &id       id-x509-ce-certificatePolicies,
    &Critical FALSE,
    &ExtnType CertificatePolicies
}
ext-PolicyMappings _EXTENSION ::= {
    &id       id-x509-ce-policyMappings,
    &Critical FALSE,
    &ExtnType PolicyMappings
}
ext-SubjectAltName _EXTENSION ::= {
    &id       id-x509-ce-subjectAltName,
    &Critical FALSE,
    &ExtnType GeneralNames
}
ext-IssuerAltName _EXTENSION ::= {
    &id       id-x509-ce-issuerAltName,
    &Critical FALSE,
    &ExtnType GeneralNames
}
ext-SubjectDirectoryAttributes _EXTENSION ::= {
    &id       id-x509-ce-subjectDirectoryAttributes,
    &Critical FALSE,
    &ExtnType SubjectDirectoryAttributes
}
ext-BasicConstraints _EXTENSION ::= {
    &id       id-x509-ce-basicConstraints,
    &Critical FALSE,
    &ExtnType BasicConstraints
}
ext-NameConstraints _EXTENSION ::= {
    &id       id-x509-ce-nameConstraints,
    &Critical FALSE,
    &ExtnType NameConstraints
}

SkipCerts ::= INTEGER (0..4294967295)

PolicyConstraints ::= SEQUENCE {
    requireExplicitPolicy [0] IMPLICIT SkipCerts OPTIONAL,
    inhibitPolicyMapping  [1] IMPLICIT SkipCerts OPTIONAL
}

ext-PolicyConstraints _EXTENSION ::= {
    &id       id-x509-ce-policyConstraints,
    &Critical FALSE,
    &ExtnType PolicyConstraints
}
ext-ExtKeyUsage _EXTENSION ::= {
    &id       id-x509-ce-extKeyUsage,
    &Critical FALSE,
    &ExtnType ExtKeyUsage
}
ext-CRLDistributionPoints _EXTENSION ::= {
    &id       id-x509-ce-cRLDistributionPoints,
    &Critical FALSE,
    &ExtnType CRLDistributionPoints
}
ext-InhibitAnyPolicy _EXTENSION ::= {
    &id       id-x509-ce-inhibitAnyPolicy,
    &Critical FALSE,
    &ExtnType SkipCerts
}
ext-FreshestCRL _EXTENSION ::= {
    &id       id-x509-ce-freshestCRL,
    &Critical FALSE,
    &ExtnType CRLDistributionPoints
}
ext-AuthorityInfoAccess _EXTENSION ::= {
    &id       id-pkix-pe-authorityInfoAccess,
    &Critical FALSE,
    &ExtnType AuthorityInfoAccessSyntax
}
ext-SubjectInfoAccessSyntax _EXTENSION ::= {
    &id       id-pkix-pe-subjectInfoAccess,
    &Critical FALSE,
    &ExtnType SubjectInfoAccessSyntax
}
ext-ProxyCertInfo _EXTENSION ::= {
    &id       id-pkix-pe-proxyCertInfo,
    &Critical FALSE,
    &ExtnType ProxyCertInfo
}

-- Heimdal extension: upper bound, in seconds, on the lifetime of a Kerberos
-- principal obtained via PKINIT with this certificate.
HeimPkinitPrincMaxLifeSecs ::= INTEGER (0..4294967295)

ext-HeimPkinitPrincMaxLife _EXTENSION ::= {
    &id       id-heim-ce-pkinit-princ-max-life,
    &Critical FALSE,
    &ExtnType HeimPkinitPrincMaxLifeSecs
}

-- Extensions whose extnValue is decoded.  OIDs declared above but absent
-- from this set (deltaCRLIndicator, issuingDistributionPoint, ...) are
-- presumably left as opaque extnValue; a critical one still has to be
-- handled by the consumer.
CertExtensions _EXTENSION ::= {
    ext-AuthorityKeyIdentifier |
    ext-SubjectKeyIdentifier |
    ext-KeyUsage |
    ext-PrivateKeyUsagePeriod |
    ext-CertificatePolicies |
    ext-PolicyMappings |
    ext-SubjectAltName |
    ext-IssuerAltName |
    ext-SubjectDirectoryAttributes |
    ext-BasicConstraints |
    ext-NameConstraints |
    ext-PolicyConstraints |
    ext-ExtKeyUsage |
    ext-CRLDistributionPoints |
    ext-InhibitAnyPolicy |
    ext-FreshestCRL |
    ext-AuthorityInfoAccess |
    ext-SubjectInfoAccessSyntax |
    ext-ProxyCertInfo |
    ext-HeimPkinitPrincMaxLife
}

Extension ::= Extension { CertExtensions }

--- U.S. Federal PKI Common Policy Framework
-- Card Authentication key
id-uspkicommon-card-id OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 6 }
id-uspkicommon-piv-interim OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 9 1 }

--- Netscape extensions
id-netscape OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) }
id-netscape-cert-comment OBJECT IDENTIFIER ::= { id-netscape 1 13 }

--- MS extensions
-- szOID_ENROLL_CERTTYPE_EXTENSION, see the "some ms ext" comment above for
-- its (non-ASN.1-module) encoding.
id-ms-cert-enroll-domaincontroller OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 311 20 2 }

-- This is a duplicate of id-pkix-kp-clientAuth
-- id-ms-client-authentication OBJECT IDENTIFIER ::=
--      { 1 3 6 1 5 5 7 3 2 }

-- DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72

-- Upper bounds:
-- Declared for reference only; every SIZE constraint that would use them is
-- commented out above, so none of these limits is enforced on decode.
ub-name INTEGER ::= 32768
ub-common-name INTEGER ::= 64
ub-locality-name INTEGER ::= 128
ub-state-name INTEGER ::= 128
ub-organization-name INTEGER ::= 64
ub-organizational-unit-name INTEGER ::= 64
ub-title INTEGER ::= 64
ub-serial-number INTEGER ::= 64
ub-match INTEGER ::= 128
ub-emailaddress-length INTEGER ::= 255
ub-common-name-length INTEGER ::= 64
ub-country-name-alpha-length INTEGER ::= 2
ub-country-name-numeric-length INTEGER ::= 3
ub-domain-defined-attributes INTEGER ::= 4
ub-domain-defined-attribute-type-length INTEGER ::= 8
ub-domain-defined-attribute-value-length INTEGER ::= 128
ub-domain-name-length INTEGER ::= 16
ub-extension-attributes INTEGER ::= 256
ub-e163-4-number-length INTEGER ::= 15
ub-e163-4-sub-address-length INTEGER ::= 40
ub-generation-qualifier-length INTEGER ::= 3
ub-given-name-length INTEGER ::= 16
ub-initials-length INTEGER ::= 5
ub-integer-options INTEGER ::= 256
ub-numeric-user-id-length INTEGER ::= 32
ub-organization-name-length INTEGER ::= 64
ub-organizational-unit-name-length INTEGER ::= 32
ub-organizational-units INTEGER ::= 4
ub-pds-name-length INTEGER ::= 16
ub-pds-parameter-length INTEGER ::= 30
ub-pds-physical-address-lines INTEGER ::= 6
ub-postal-code-length INTEGER ::= 16
-- Remaining upper bounds (RFC 5280 Appendix A).
ub-pseudonym INTEGER ::= 128
ub-surname-length INTEGER ::= 40
ub-terminal-id-length INTEGER ::= 24
ub-unformatted-address-length INTEGER ::= 180
ub-x121-address-length INTEGER ::= 16

-- Misc OIDs from RFC5280. We should add related types as well.

-- Policy qualifiers (RFC 5280 4.2.1.4): the CPS pointer and user notice
-- qualifier OIDs under the id-qt arc.
id-pkix-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
id-pkix-qt-cps OBJECT IDENTIFIER ::= { id-pkix-qt 1 }
id-pkix-qt-unotice OBJECT IDENTIFIER ::= { id-pkix-qt 2 }

-- Access description OIDs under the id-ad arc, used by the authority and
-- subject information access extensions (RFC 5280 4.2.2.1 and 4.2.2.2);
-- id-pkix-ad-timeStamping comes from RFC 3161.
id-pkix-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
id-pkix-ad-ocsp OBJECT IDENTIFIER ::= { id-pkix-ad 1 }
id-pkix-ad-caIssuers OBJECT IDENTIFIER ::= { id-pkix-ad 2 }
id-pkix-ad-timeStamping OBJECT IDENTIFIER ::= { id-pkix-ad 3 }
id-pkix-ad-caRepository OBJECT IDENTIFIER ::= { id-pkix-ad 5 }

-- Policy qualifier objects.  The CPS qualifier carries an IA5String (the
-- RFC's CPSuri, a pointer to the CA's practice statement) via the
-- AliasIA5String type; UserNotice is text intended for display to a relying
-- party.  Neither type is defined in this excerpt.
pq-CPS _POLICYQUALIFIERINFO ::= {
    &id id-pkix-qt-cps,
    &Type AliasIA5String
}
pq-UserNotice _POLICYQUALIFIERINFO ::= {
    &id id-pkix-qt-unotice,
    &Type UserNotice
}

-- Object set that parameterises PolicyQualifierInfo; a qualifier with any
-- other OID is handled by the parameterised type, defined outside this
-- excerpt.
KnownPolicyQualifiers _POLICYQUALIFIERINFO ::= {
    pq-CPS |
    pq-UserNotice
}

PolicyQualifierInfo ::= PolicyQualifierInfo{KnownPolicyQualifiers}

END