Diffstat (limited to 'epan/dissectors/asn1/x509ce')
-rw-r--r-- | epan/dissectors/asn1/x509ce/CMakeLists.txt | 52 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509ce/CertificateExtensions.asn | 757 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509ce/CertificateExtensionsCiplus.asn | 56 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509ce/CertificateExtensionsRFC9310.asn | 28 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509ce/packet-x509ce-template.c | 164 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509ce/packet-x509ce-template.h | 33 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509ce/x509ce.cnf | 215 |
7 files changed, 1305 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/x509ce/CMakeLists.txt b/epan/dissectors/asn1/x509ce/CMakeLists.txt
new file mode 100644
index 00000000..00749863
--- /dev/null
+++ b/epan/dissectors/asn1/x509ce/CMakeLists.txt
@@ -0,0 +1,52 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME x509ce )
+
+set( PROTO_OPT )
+
+set( EXPORT_FILES
+ ${PROTOCOL_NAME}-exp.cnf
+)
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+ CertificateExtensions.asn
+ CertificateExtensionsRFC9310.asn
+ CertificateExtensionsCiplus.asn
+)
+
+set( EXTRA_DIST
+ ${ASN_FILE_LIST}
+ packet-${PROTOCOL_NAME}-template.c
+ packet-${PROTOCOL_NAME}-template.h
+ ${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+ ${EXTRA_DIST}
+ ${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b )
+
+set( EXTRA_CNF
+ "${CMAKE_CURRENT_BINARY_DIR}/../p1/p1-exp.cnf"
+ "${CMAKE_CURRENT_BINARY_DIR}/../x509af/x509af-exp.cnf"
+ "${CMAKE_CURRENT_BINARY_DIR}/../x509if/x509if-exp.cnf"
+ "${CMAKE_CURRENT_BINARY_DIR}/../x509sat/x509sat-exp.cnf"
+)
+
+set( EXPORT_DEPENDS
+ "${CMAKE_CURRENT_BINARY_DIR}/../x509af/x509af-exp.cnf"
+)
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/x509ce/CertificateExtensions.asn b/epan/dissectors/asn1/x509ce/CertificateExtensions.asn
new file mode 100644
index 00000000..3fad9fb8
--- /dev/null
+++ b/epan/dissectors/asn1/x509ce/CertificateExtensions.asn
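Review bot: `EXPORT_DEPENDS` names only `x509af-exp.cnf`, while `EXTRA_CNF` lists four sibling `-exp.cnf` files and x509ce.cnf in this same commit `#.IMPORT`s all four. If the export pass also reads those imports, a parallel build could start it before p1, x509if or x509sat have generated theirs; how ASN2WRS() consumes each variable is not visible in this hunk, so this needs confirming against the macro. Either add the other three paths to `EXPORT_DEPENDS`, or, if only x509af is genuinely needed, put a one-line comment above the `set( EXPORT_DEPENDS` call saying so, so the asymmetry reads as deliberate.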
@@ -0,0 +1,757 @@ +-- Module CertificateExtensions (X.509:08/2005) +CertificateExtensions {joint-iso-itu-t ds(5) module(1) + certificateExtensions(26) 5} DEFINITIONS IMPLICIT TAGS ::= +BEGIN + +-- EXPORTS ALL +IMPORTS + id-at, id-ce, id-mr, informationFramework, authenticationFramework, + selectedAttributeTypes, upperBounds + FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) + usefulDefinitions(0) 5} + Name, RelativeDistinguishedName, ATTRIBUTE, Attribute, MATCHING-RULE + FROM InformationFramework informationFramework + CertificateSerialNumber, CertificateList, AlgorithmIdentifier, EXTENSION, + Time, PolicyID + FROM AuthenticationFramework authenticationFramework + DirectoryString{} + FROM SelectedAttributeTypes selectedAttributeTypes + ub-name + FROM UpperBounds upperBounds + ORAddress + FROM MTSAbstractService {joint-iso-itu-t mhs(6) mts(3) modules(0) + mts-abstract-service(1) version-1999(1)}; + +-- Unless explicitly noted otherwise, there is no significance to the ordering +-- of components of a SEQUENCE OF construct in this Specification. 
+-- public-key certificate and CRL extensions +authorityKeyIdentifier EXTENSION ::= { + SYNTAX AuthorityKeyIdentifier + IDENTIFIED BY id-ce-authorityKeyIdentifier +} + +AuthorityKeyIdentifier ::= SEQUENCE { + keyIdentifier [0] KeyIdentifier OPTIONAL, + authorityCertIssuer [1] GeneralNames OPTIONAL, + authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL +} +(WITH COMPONENTS { + ..., + authorityCertIssuer PRESENT, + authorityCertSerialNumber PRESENT + } | + WITH COMPONENTS { + ..., + authorityCertIssuer ABSENT, + authorityCertSerialNumber ABSENT + }) + +KeyIdentifier ::= OCTET STRING + +subjectKeyIdentifier EXTENSION ::= { + SYNTAX SubjectKeyIdentifier + IDENTIFIED BY id-ce-subjectKeyIdentifier +} + +SubjectKeyIdentifier ::= KeyIdentifier + +keyUsage EXTENSION ::= {SYNTAX KeyUsage + IDENTIFIED BY id-ce-keyUsage +} + +KeyUsage ::= BIT STRING { + digitalSignature(0), contentCommitment(1), keyEncipherment(2), + dataEncipherment(3), keyAgreement(4), keyCertSign(5), cRLSign(6), + encipherOnly(7), decipherOnly(8)} + +extKeyUsage EXTENSION ::= { + SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId + IDENTIFIED BY id-ce-extKeyUsage +} + +KeyPurposeId ::= OBJECT IDENTIFIER + +KeyPurposeIDs ::= SEQUENCE OF KeyPurposeId + +privateKeyUsagePeriod EXTENSION ::= { + SYNTAX PrivateKeyUsagePeriod + IDENTIFIED BY id-ce-privateKeyUsagePeriod +} + +PrivateKeyUsagePeriod ::= SEQUENCE { + notBefore [0] GeneralizedTime OPTIONAL, + notAfter [1] GeneralizedTime OPTIONAL +} +(WITH COMPONENTS { + ..., + notBefore PRESENT + } | WITH COMPONENTS { + ..., + notAfter PRESENT + }) + +certificatePolicies EXTENSION ::= { + SYNTAX CertificatePoliciesSyntax + IDENTIFIED BY id-ce-certificatePolicies +} + +CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + +PolicyInformation ::= SEQUENCE { + policyIdentifier CertPolicyId, + policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL +} + +CertPolicyId ::= OBJECT IDENTIFIER + +PolicyQualifierInfo ::= SEQUENCE { + 
policyQualifierId CERT-POLICY-QUALIFIER.&id({SupportedPolicyQualifiers}), + qualifier + CERT-POLICY-QUALIFIER.&Qualifier + ({SupportedPolicyQualifiers}{@policyQualifierId}) OPTIONAL +} + +SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::= + {...} + +anyPolicy OBJECT IDENTIFIER ::= {2 5 29 32 0} + +CERT-POLICY-QUALIFIER ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Qualifier OPTIONAL +}WITH SYNTAX {POLICY-QUALIFIER-ID &id + [QUALIFIER-TYPE &Qualifier] +} + +policyMappings EXTENSION ::= { + SYNTAX PolicyMappingsSyntax + IDENTIFIED BY id-ce-policyMappings +} + +PolicyMappingsSyntax ::= + SEQUENCE SIZE (1..MAX) OF + SEQUENCE {issuerDomainPolicy CertPolicyId, + subjectDomainPolicy CertPolicyId} + +subjectAltName EXTENSION ::= { + SYNTAX GeneralNames + IDENTIFIED BY id-ce-subjectAltName +} + +GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + +GeneralName ::= CHOICE { + otherName [0] -- INSTANCE OF OTHER-NAME-- OtherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER +} + +-- OTHER-NAME ::= TYPE-IDENTIFIER + +OtherName ::= SEQUENCE { + type-id OtherNameType, + value [0] EXPLICIT OtherNameValue +} + +OtherNameType ::= OBJECT IDENTIFIER +OtherNameValue ::= ANY + +EDIPartyName ::= SEQUENCE { + nameAssigner [0] DirectoryString{ub-name} OPTIONAL, + partyName [1] DirectoryString{ub-name} +} + +issuerAltName EXTENSION ::= { + SYNTAX GeneralNames + IDENTIFIED BY id-ce-issuerAltName +} + +subjectDirectoryAttributes EXTENSION ::= { + SYNTAX AttributesSyntax + IDENTIFIED BY id-ce-subjectDirectoryAttributes +} + +AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute + +basicConstraints EXTENSION ::= { + SYNTAX BasicConstraintsSyntax + IDENTIFIED BY id-ce-basicConstraints +} + +BasicConstraintsSyntax ::= SEQUENCE { + cA BOOLEAN DEFAULT FALSE, + pathLenConstraint 
INTEGER(0..MAX) OPTIONAL +} + +nameConstraints EXTENSION ::= { + SYNTAX NameConstraintsSyntax + IDENTIFIED BY id-ce-nameConstraints +} + +NameConstraintsSyntax ::= SEQUENCE { + permittedSubtrees [0] GeneralSubtrees OPTIONAL, + excludedSubtrees [1] GeneralSubtrees OPTIONAL +}(-- ALL EXCEPT -- ({ --none; at least one component shall be present--})) + +GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree + +GeneralSubtree ::= SEQUENCE { + base GeneralName, + minimum [0] BaseDistance DEFAULT 0, + maximum [1] BaseDistance OPTIONAL +} + +BaseDistance ::= INTEGER(0..MAX) + +policyConstraints EXTENSION ::= { + SYNTAX PolicyConstraintsSyntax + IDENTIFIED BY id-ce-policyConstraints +} + +PolicyConstraintsSyntax ::= SEQUENCE { + requireExplicitPolicy [0] SkipCerts OPTIONAL, + inhibitPolicyMapping [1] SkipCerts OPTIONAL +} + +SkipCerts ::= INTEGER(0..MAX) + +cRLNumber EXTENSION ::= { + SYNTAX CRLNumber + IDENTIFIED BY id-ce-cRLNumber +} + +CRLNumber ::= INTEGER(0..MAX) + +reasonCode EXTENSION ::= { + SYNTAX CRLReason + IDENTIFIED BY id-ce-reasonCode +} + +CRLReason ::= ENUMERATED { + unspecified(0), keyCompromise(1), cACompromise(2), affiliationChanged(3), + superseded(4), cessationOfOperation(5), certificateHold(6), removeFromCRL(8), + privilegeWithdrawn(9), aaCompromise(10)} + +holdInstructionCode EXTENSION ::= { + SYNTAX HoldInstruction + IDENTIFIED BY id-ce-instructionCode +} + +HoldInstruction ::= OBJECT IDENTIFIER + +invalidityDate EXTENSION ::= { + SYNTAX GeneralizedTime + IDENTIFIED BY id-ce-invalidityDate +} + +crlScope EXTENSION ::= { + SYNTAX CRLScopeSyntax + IDENTIFIED BY id-ce-cRLScope +} + +CRLScopeSyntax ::= SEQUENCE SIZE (1..MAX) OF PerAuthorityScope + +PerAuthorityScope ::= SEQUENCE { + authorityName [0] GeneralName OPTIONAL, + distributionPoint [1] DistributionPointName OPTIONAL, + onlyContains [2] OnlyCertificateTypes OPTIONAL, + onlySomeReasons [4] ReasonFlags OPTIONAL, + serialNumberRange [5] NumberRange OPTIONAL, + subjectKeyIdRange [6] 
NumberRange OPTIONAL, + nameSubtrees [7] GeneralNames OPTIONAL, + baseRevocationInfo [9] BaseRevocationInfo OPTIONAL +} + +OnlyCertificateTypes ::= BIT STRING {user(0), authority(1), attribute(2)} + +NumberRange ::= SEQUENCE { + startingNumber [0] INTEGER OPTIONAL, + endingNumber [1] INTEGER OPTIONAL, + modulus INTEGER OPTIONAL +} + +BaseRevocationInfo ::= SEQUENCE { + cRLStreamIdentifier [0] CRLStreamIdentifier OPTIONAL, + cRLNumber [1] CRLNumber, + baseThisUpdate [2] GeneralizedTime +} + +statusReferrals EXTENSION ::= { + SYNTAX StatusReferrals + IDENTIFIED BY id-ce-statusReferrals +} + +StatusReferrals ::= SEQUENCE SIZE (1..MAX) OF StatusReferral + +StatusReferral ::= CHOICE { + cRLReferral [0] CRLReferral +-- otherReferral [1] INSTANCE OF OTHER-REFERRAL +} + +CRLReferral ::= SEQUENCE { + issuer [0] GeneralName OPTIONAL, + location [1] GeneralName OPTIONAL, + deltaRefInfo [2] DeltaRefInfo OPTIONAL, + cRLScope CRLScopeSyntax, + lastUpdate [3] GeneralizedTime OPTIONAL, + lastChangedCRL [4] GeneralizedTime OPTIONAL +} + +DeltaRefInfo ::= SEQUENCE { + deltaLocation GeneralName, + lastDelta GeneralizedTime OPTIONAL +} + +--OTHER-REFERRAL ::= TYPE-IDENTIFIER +-- +cRLStreamIdentifier EXTENSION ::= { + SYNTAX CRLStreamIdentifier + IDENTIFIED BY id-ce-cRLStreamIdentifier +} + +CRLStreamIdentifier ::= INTEGER(0..MAX) + +orderedList EXTENSION ::= { + SYNTAX OrderedListSyntax + IDENTIFIED BY id-ce-orderedList +} + +OrderedListSyntax ::= ENUMERATED {ascSerialNum(0), ascRevDate(1)} + +deltaInfo EXTENSION ::= { + SYNTAX DeltaInformation + IDENTIFIED BY id-ce-deltaInfo +} + +DeltaInformation ::= SEQUENCE { + deltaLocation GeneralName, + nextDelta GeneralizedTime OPTIONAL +} + +cRLDistributionPoints EXTENSION ::= { + SYNTAX CRLDistPointsSyntax + IDENTIFIED BY id-ce-cRLDistributionPoints +} + +CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + +DistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + reasons [1] ReasonFlags 
OPTIONAL, + cRLIssuer [2] GeneralNames OPTIONAL +} + +DistributionPointName ::= CHOICE { + fullName [0] GeneralNames, + nameRelativeToCRLIssuer [1] RelativeDistinguishedName +} + +ReasonFlags ::= BIT STRING { + unused(0), keyCompromise(1), cACompromise(2), affiliationChanged(3), + superseded(4), cessationOfOperation(5), certificateHold(6), + privilegeWithdrawn(7), aACompromise(8)} + +issuingDistributionPoint EXTENSION ::= { + SYNTAX IssuingDistPointSyntax + IDENTIFIED BY id-ce-issuingDistributionPoint +} + +IssuingDistPointSyntax ::= SEQUENCE { + -- If onlyContainsUserPublicKeyCerts and onlyContainsCACerts are both FALSE, + -- the CRL covers both certificate types + distributionPoint [0] DistributionPointName OPTIONAL, + onlyContainsUserPublicKeyCerts [1] BOOLEAN DEFAULT FALSE, + onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, + onlySomeReasons [3] ReasonFlags OPTIONAL, + indirectCRL [4] BOOLEAN DEFAULT FALSE +} + +certificateIssuer EXTENSION ::= { + SYNTAX GeneralNames + IDENTIFIED BY id-ce-certificateIssuer +} + +deltaCRLIndicator EXTENSION ::= { + SYNTAX BaseCRLNumber + IDENTIFIED BY id-ce-deltaCRLIndicator +} + +BaseCRLNumber ::= CRLNumber + +toBeRevoked EXTENSION ::= { + SYNTAX ToBeRevokedSyntax + IDENTIFIED BY id-ce-toBeRevoked +} + +ToBeRevokedSyntax ::= SEQUENCE SIZE (1..MAX) OF ToBeRevokedGroup + +ToBeRevokedGroup ::= SEQUENCE { + certificateIssuer [0] GeneralName OPTIONAL, + reasonInfo [1] ReasonInfo OPTIONAL, + revocationTime GeneralizedTime, + certificateGroup CertificateGroup +} + +ReasonInfo ::= SEQUENCE { + reasonCode CRLReason, + holdInstructionCode HoldInstruction OPTIONAL +} + +CertificateGroup ::= CHOICE { + serialNumbers [0] CertificateSerialNumbers, + serialNumberRange [1] CertificateGroupNumberRange, + nameSubtree [2] GeneralName +} + +CertificateGroupNumberRange ::= SEQUENCE { + startingNumber [0] INTEGER, + endingNumber [1] INTEGER +} + +CertificateSerialNumbers ::= SEQUENCE SIZE (1..MAX) OF CertificateSerialNumber + +revokedGroups EXTENSION 
::= { + SYNTAX RevokedGroupsSyntax + IDENTIFIED BY id-ce-RevokedGroups +} + +RevokedGroupsSyntax ::= SEQUENCE SIZE (1..MAX) OF RevokedGroup + +RevokedGroup ::= SEQUENCE { + certificateIssuer [0] GeneralName OPTIONAL, + reasonInfo [1] ReasonInfo OPTIONAL, + invalidityDate [2] GeneralizedTime OPTIONAL, + revokedcertificateGroup [3] RevokedCertificateGroup +} + +RevokedCertificateGroup ::= CHOICE { + serialNumberRange NumberRange, + nameSubtree GeneralName +} + +expiredCertsOnCRL EXTENSION ::= { + SYNTAX ExpiredCertsOnCRL + IDENTIFIED BY id-ce-expiredCertsOnCRL +} + +ExpiredCertsOnCRL ::= GeneralizedTime + +baseUpdateTime EXTENSION ::= { + SYNTAX GeneralizedTime + IDENTIFIED BY id-ce-baseUpdateTime +} + +freshestCRL EXTENSION ::= { + SYNTAX CRLDistPointsSyntax + IDENTIFIED BY id-ce-freshestCRL +} + +aAissuingDistributionPoint EXTENSION ::= { + SYNTAX AAIssuingDistPointSyntax + IDENTIFIED BY id-ce-aAissuingDistributionPoint +} + +AAIssuingDistPointSyntax ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + onlySomeReasons [1] ReasonFlags OPTIONAL, + indirectCRL [2] BOOLEAN DEFAULT FALSE, + containsUserAttributeCerts [3] BOOLEAN DEFAULT TRUE, + containsAACerts [4] BOOLEAN DEFAULT TRUE, + containsSOAPublicKeyCerts [5] BOOLEAN DEFAULT TRUE +} + +inhibitAnyPolicy EXTENSION ::= { + SYNTAX SkipCerts + IDENTIFIED BY id-ce-inhibitAnyPolicy +} + +-- PKI matching rules +certificateExactMatch MATCHING-RULE ::= { + SYNTAX CertificateExactAssertion + ID id-mr-certificateExactMatch +} + +CertificateExactAssertion ::= SEQUENCE { + serialNumber CertificateSerialNumber, + issuer Name +} + +certificateMatch MATCHING-RULE ::= { + SYNTAX CertificateAssertion + ID id-mr-certificateMatch +} + +CertificateAssertion ::= SEQUENCE { + serialNumber [0] CertificateSerialNumber OPTIONAL, + issuer [1] Name OPTIONAL, + subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL, + authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL, + certificateValid [4] Time OPTIONAL, + 
privateKeyValid [5] GeneralizedTime OPTIONAL, + subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL, + keyUsage [7] KeyUsage OPTIONAL, + subjectAltName [8] AltNameType OPTIONAL, + policy [9] CertPolicySet OPTIONAL, + pathToName [10] Name OPTIONAL, + subject [11] Name OPTIONAL, + nameConstraints [12] NameConstraintsSyntax OPTIONAL +} + +AltNameType ::= CHOICE { + builtinNameForm + ENUMERATED {rfc822Name(1), dNSName(2), x400Address(3), directoryName(4), + ediPartyName(5), uniformResourceIdentifier(6), iPAddress(7), + registeredId(8)}, + otherNameForm OBJECT IDENTIFIER +} + +CertPolicySet ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId + +certificatePairExactMatch MATCHING-RULE ::= { + SYNTAX CertificatePairExactAssertion + ID id-mr-certificatePairExactMatch +} + +CertificatePairExactAssertion ::= SEQUENCE { + issuedToThisCAAssertion [0] CertificateExactAssertion OPTIONAL, + issuedByThisCAAssertion [1] CertificateExactAssertion OPTIONAL +} +(WITH COMPONENTS { + ..., + issuedToThisCAAssertion PRESENT + } | WITH COMPONENTS { + ..., + issuedByThisCAAssertion PRESENT + }) + +certificatePairMatch MATCHING-RULE ::= { + SYNTAX CertificatePairAssertion + ID id-mr-certificatePairMatch +} + +CertificatePairAssertion ::= SEQUENCE { + issuedToThisCAAssertion [0] CertificateAssertion OPTIONAL, + issuedByThisCAAssertion [1] CertificateAssertion OPTIONAL +} +(WITH COMPONENTS { + ..., + issuedToThisCAAssertion PRESENT + } | WITH COMPONENTS { + ..., + issuedByThisCAAssertion PRESENT + }) + +certificateListExactMatch MATCHING-RULE ::= { + SYNTAX CertificateListExactAssertion + ID id-mr-certificateListExactMatch +} + +CertificateListExactAssertion ::= SEQUENCE { + issuer Name, + thisUpdate Time, + distributionPoint DistributionPointName OPTIONAL +} + +certificateListMatch MATCHING-RULE ::= { + SYNTAX CertificateListAssertion + ID id-mr-certificateListMatch +} + +CertificateListAssertion ::= SEQUENCE { + issuer Name OPTIONAL, + minCRLNumber [0] CRLNumber OPTIONAL, + maxCRLNumber [1] 
CRLNumber OPTIONAL, + reasonFlags ReasonFlags OPTIONAL, + dateAndTime Time OPTIONAL, + distributionPoint [2] DistributionPointName OPTIONAL, + authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL +} + +algorithmIdentifierMatch MATCHING-RULE ::= { + SYNTAX AlgorithmIdentifier + ID id-mr-algorithmIdentifierMatch +} + +policyMatch MATCHING-RULE ::= {SYNTAX PolicyID + ID id-mr-policyMatch +} + +pkiPathMatch MATCHING-RULE ::= { + SYNTAX PkiPathMatchSyntax + ID id-mr-pkiPathMatch +} + +PkiPathMatchSyntax ::= SEQUENCE {firstIssuer Name, + lastSubject Name +} + +enhancedCertificateMatch MATCHING-RULE ::= { + SYNTAX EnhancedCertificateAssertion + ID id-mr-enhancedCertificateMatch +} + +EnhancedCertificateAssertion ::= SEQUENCE { + serialNumber [0] CertificateSerialNumber OPTIONAL, + issuer [1] Name OPTIONAL, + subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL, + authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL, + certificateValid [4] Time OPTIONAL, + privateKeyValid [5] GeneralizedTime OPTIONAL, + subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL, + keyUsage [7] KeyUsage OPTIONAL, + subjectAltName [8] AltName OPTIONAL, + policy [9] CertPolicySet OPTIONAL, + pathToName [10] GeneralNames OPTIONAL, + subject [11] Name OPTIONAL, + nameConstraints [12] NameConstraintsSyntax OPTIONAL +}(--ALL EXCEPT-- ({ -- none; at least one component shall be present --})) + +AltName ::= SEQUENCE { + altnameType AltNameType, + altNameValue GeneralName OPTIONAL +} + +-- Object identifier assignments +id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= + {id-ce 9} + +id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14} + +id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15} + +id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16} + +id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17} + +id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18} + +id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19} + +id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20} + 
+id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21} + +id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23} + +id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24} + +id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27} + +id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28} + +id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29} + +id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30} + +id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} + +id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32} + +id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33} + +-- deprecated OBJECT IDENTIFIER ::= {id-ce 34} +id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= + {id-ce 35} + +id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36} + +id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} + +id-ce-cRLStreamIdentifier OBJECT IDENTIFIER ::= {id-ce 40} + +id-ce-cRLScope OBJECT IDENTIFIER ::= {id-ce 44} + +id-ce-statusReferrals OBJECT IDENTIFIER ::= {id-ce 45} + +id-ce-freshestCRL OBJECT IDENTIFIER ::= {id-ce 46} + +id-ce-orderedList OBJECT IDENTIFIER ::= {id-ce 47} + +id-ce-baseUpdateTime OBJECT IDENTIFIER ::= {id-ce 51} + +id-ce-deltaInfo OBJECT IDENTIFIER ::= {id-ce 53} + +id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= {id-ce 54} + +id-ce-toBeRevoked OBJECT IDENTIFIER ::= {id-ce 58} + +id-ce-RevokedGroups OBJECT IDENTIFIER ::= {id-ce 59} + +id-ce-expiredCertsOnCRL OBJECT IDENTIFIER ::= {id-ce 60} + +id-ce-aAissuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 63} + +-- matching rule OIDs +id-mr-certificateExactMatch OBJECT IDENTIFIER ::= + {id-mr 34} + +id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35} + +id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36} + +id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37} + +id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38} + +id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39} + +id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40} + 
+id-mr-policyMatch OBJECT IDENTIFIER ::= {id-mr 60} + +id-mr-pkiPathMatch OBJECT IDENTIFIER ::= {id-mr 62} + +id-mr-enhancedCertificateMatch OBJECT IDENTIFIER ::= {id-mr 65} + + +-- The following OBJECT IDENTIFIERS are not used by this Specification: +-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7}, +-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13}, +-- {id-ce 22}, {id-ce 25}, {id-ce 26} + +-- Microsoft Certificate Extension + +CertificateTemplate ::= SEQUENCE { + templateID OBJECT IDENTIFIER, + templateMajorVersion INTEGER, + templateMinorVersion INTEGER OPTIONAL +} + +-- Microsoft NTDS CA Security Extension +NtdsCaSecurity ::= SEQUENCE { + ntdsObjectSid NtdsObjectSid +} + +NtdsObjectSid ::= [0] SEQUENCE { + type-id OBJECT IDENTIFIER, + sid [0] PrintableString +} + + + +-- Entrust Certificate Extension + +EntrustVersionInfo ::= SEQUENCE { + entrustVers GeneralString, + entrustVersInfoFlags EntrustInfoFlags OPTIONAL +} + +EntrustInfoFlags ::= BIT STRING { + keyUpdateAllowed(0), + newExtensions(1), + pKIXCertificate(2), + enterpriseCategory(3), + webCategory(4), + sETCategory(5) +} + +END + +-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D + diff --git a/epan/dissectors/asn1/x509ce/CertificateExtensionsCiplus.asn b/epan/dissectors/asn1/x509ce/CertificateExtensionsCiplus.asn new file mode 100644 index 00000000..9f824c8e --- /dev/null +++ b/epan/dissectors/asn1/x509ce/CertificateExtensionsCiplus.asn 
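Review bot: `id-ce-aAissuingDistributionPoint` is assigned `{id-ce 63}` in the object identifier list near the end of this module, but the `#.REGISTER` table added in x509ce.cnf binds `AAIssuingDistPointSyntax` to `"2.5.29.61"` under that same name. The two cannot both be right, and with the table as written the dissector is attached to a different extension's OID, so that extension's bytes would be decoded with this syntax while the real AA issuing distribution point stays undecoded. Confirm the arc against the X.509 text and make them agree; if the module is correct, the table line becomes `AAIssuingDistPointSyntax B "2.5.29.63" "id-ce-aAissuingDistributionPoint"`.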
@@ -0,0 +1,56 @@
+-- Module CertificateExtensionsCiplus
+-- X.509 certificate extensions defined by CI+ (www.ci-plus.com)
+CertificateExtensionsCiplus DEFINITIONS IMPLICIT TAGS ::=
+BEGIN
+
+-- EXPORTS ALL
+IMPORTS
+ id-pkix
+ FROM PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-93(3)}
+ EXTENSION
+ FROM AuthenticationFramework { joint-iso-itu-t ds(5)
+ module(1) authenticationFramework(7) 3 };
+
+scramblerCapabilities EXTENSION ::= {
+ SYNTAX ScramblerCapabilities
+ IDENTIFIED BY id-pe-scramblerCapabilities
+}
+
+ScramblerCapabilities ::= SEQUENCE {
+ capability INTEGER (0..MAX),
+ version INTEGER (0..MAX)
+}
+
+
+ciplusInfo EXTENSION ::= {
+ SYNTAX CiplusInfo
+ IDENTIFIED BY id-pe-ciplusInfo
+}
+
+CiplusInfo ::= BIT STRING
+
+
+cicamBrandId EXTENSION ::= {
+ SYNTAX CicamBrandId
+ IDENTIFIED BY id-pe-cicamBrandId
+}
+
+CicamBrandId ::= INTEGER(1..65535)
+
+
+securityLevel EXTENSION ::= {
+ SYNTAX SecurityLevel
+ IDENTIFIED BY id-pe-securityLevel
+}
+
+SecurityLevel ::= INTEGER (0..MAX)
+
+
+-- Object identifier assignments
+id-pe-scramblerCapabilities OBJECT IDENTIFIER ::= { id-pkix id-pe(1) 25 }
+id-pe-ciplusInfo OBJECT IDENTIFIER ::= { id-pkix id-pe(1) 26 }
+id-pe-cicamBrandId OBJECT IDENTIFIER ::= { id-pkix id-pe(1) 27 }
+id-pe-securityLevel OBJECT IDENTIFIER ::= { id-pkix id-pe(1) 50 }
+
+END
diff --git a/epan/dissectors/asn1/x509ce/CertificateExtensionsRFC9310.asn b/epan/dissectors/asn1/x509ce/CertificateExtensionsRFC9310.asn
new file mode 100644
index 00000000..9d432be8
--- /dev/null
+++ b/epan/dissectors/asn1/x509ce/CertificateExtensionsRFC9310.asn
@@ -0,0 +1,28 @@
+ -- ASN.1 file from the RFC9310 definition
+ NFTypeCertExtn
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-nftype(106) }
+
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+
+ -- NFTypes Certificate Extension
+
+ ext-NFType EXTENSION ::= {
+ SYNTAX NFTypes
+ IDENTIFIED BY id-pe-nftype }
+
+ -- NFTypes Certificate Extension OID
+
+ id-pe-nftype OBJECT IDENTIFIER ::=
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-pe(1) 34 }
+
+ -- NFTypes Certificate Extension Syntax
+
+ NFTypes ::= SEQUENCE SIZE (1..MAX) OF NFType
+
+ NFType ::= IA5String (SIZE (1..32))
+
+ END
diff --git a/epan/dissectors/asn1/x509ce/packet-x509ce-template.c b/epan/dissectors/asn1/x509ce/packet-x509ce-template.c
new file mode 100644
index 00000000..1817c428
--- /dev/null
+++ b/epan/dissectors/asn1/x509ce/packet-x509ce-template.c
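Review bot: `ext-NFType EXTENSION ::= { ... }` uses the `EXTENSION` class, but this module has no `IMPORTS` clause, whereas CertificateExtensionsCiplus.asn in the same commit imports `EXTENSION` from AuthenticationFramework explicitly. asn2wrs may resolve the class anyway because the modules are compiled together, so this is a consistency point rather than a known build failure. Either add the matching import, `IMPORTS EXTENSION FROM AuthenticationFramework { joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 3 };`, or extend the header comment to say the RFC's import list was dropped on purpose.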
@@ -0,0 +1,164 @@ +/* packet-x509ce.c + * Routines for X.509 Certificate Extensions packet dissection + * Ronnie Sahlberg 2004 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <epan/packet.h> +#include <epan/asn1.h> +#include <epan/oids.h> + +#include "packet-ber.h" +#include "packet-x509ce.h" +#include "packet-x509af.h" +#include "packet-x509if.h" +#include "packet-x509sat.h" +#include "packet-p1.h" + +#define PNAME "X.509 Certificate Extensions" +#define PSNAME "X509CE" +#define PFNAME "x509ce" + +void proto_register_x509ce(void); +void proto_reg_handoff_x509ce(void); + +/* Initialize the protocol and registered fields */ +static int proto_x509ce = -1; +static int hf_x509ce_id_ce_invalidityDate = -1; +static int hf_x509ce_id_ce_baseUpdateTime = -1; +static int hf_x509ce_object_identifier_id = -1; +static int hf_x509ce_IPAddress_ipv4 = -1; +static int hf_x509ce_IPAddress_ipv6 = -1; +#include "packet-x509ce-hf.c" + +/* Initialize the subtree pointers */ +#include "packet-x509ce-ett.c" +#include "packet-x509ce-fn.c" + +static const val64_string ciplus_scr_cap[] = { + { 0, "DES" }, + { 1, "DES and AES" }, + { 0, NULL } +}; + +static const val64_string ciplus_security_level[] = { + { 0, "Standard Security Level" }, + { 1, "ECP Security Level" }, + { 0, NULL } +}; + +/* CI+ (www.ci-plus.com) defines some X.509 certificate extensions + that use OIDs which are not officially assigned + dissection of these extensions can be enabled temporarily using the + functions below */ +void +x509ce_enable_ciplus(void) +{ + dissector_handle_t dh25, dh26, dh27, dh50; + + dh25 = create_dissector_handle(dissect_ScramblerCapabilities_PDU, proto_x509ce); + dissector_change_string("ber.oid", "1.3.6.1.5.5.7.1.25", dh25); + dh26 = create_dissector_handle(dissect_CiplusInfo_PDU, proto_x509ce); + dissector_change_string("ber.oid", 
"1.3.6.1.5.5.7.1.26", dh26); + dh27 = create_dissector_handle(dissect_CicamBrandId_PDU, proto_x509ce); + dissector_change_string("ber.oid", "1.3.6.1.5.5.7.1.27", dh27); + dh50 = create_dissector_handle(dissect_SecurityLevel_PDU, proto_x509ce); + dissector_change_string("ber.oid", "1.3.6.1.5.5.7.1.50", dh50); +} + +void +x509ce_disable_ciplus(void) +{ + dissector_reset_string("ber.oid", "1.3.6.1.5.5.7.1.25"); + dissector_reset_string("ber.oid", "1.3.6.1.5.5.7.1.26"); + dissector_reset_string("ber.oid", "1.3.6.1.5.5.7.1.27"); + dissector_reset_string("ber.oid", "1.3.6.1.5.5.7.1.50"); +} + + +static int +dissect_x509ce_invalidityDate_callback(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + asn1_ctx_t asn1_ctx; + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + + return dissect_x509ce_GeneralizedTime(FALSE, tvb, 0, &asn1_ctx, tree, hf_x509ce_id_ce_invalidityDate); +} + +static int +dissect_x509ce_baseUpdateTime_callback(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + asn1_ctx_t asn1_ctx; + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + return dissect_x509ce_GeneralizedTime(FALSE, tvb, 0, &asn1_ctx, tree, hf_x509ce_id_ce_baseUpdateTime); +} + +/*--- proto_register_x509ce ----------------------------------------------*/ +void proto_register_x509ce(void) { + + /* List of fields */ + static hf_register_info hf[] = { + { &hf_x509ce_id_ce_baseUpdateTime, + { "baseUpdateTime", "x509ce.id_ce_baseUpdateTime", + FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0, + NULL, HFILL }}, + { &hf_x509ce_id_ce_invalidityDate, + { "invalidityDate", "x509ce.id_ce_invalidityDate", + FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0, + NULL, HFILL }}, + { &hf_x509ce_object_identifier_id, + { "Id", "x509ce.id", FT_OID, BASE_NONE, NULL, 0, + "Object identifier Id", HFILL }}, + { &hf_x509ce_IPAddress_ipv4, + { "iPAddress", "x509ce.IPAddress.ipv4", FT_IPv4, BASE_NONE, NULL, 0, + "IPv4 address", HFILL }}, + { &hf_x509ce_IPAddress_ipv6, + 
{ "iPAddress", "x509ce.IPAddress.ipv6", FT_IPv6, BASE_NONE, NULL, 0, + "IPv6 address", HFILL }}, + +#include "packet-x509ce-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { +#include "packet-x509ce-ettarr.c" + }; + + /* Register protocol */ + proto_x509ce = proto_register_protocol(PNAME, PSNAME, PFNAME); + + /* Register fields and subtrees */ + proto_register_field_array(proto_x509ce, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + +} + + +/*--- proto_reg_handoff_x509ce -------------------------------------------*/ +void proto_reg_handoff_x509ce(void) { +#include "packet-x509ce-dis-tab.c" + register_ber_oid_dissector("2.5.29.24", dissect_x509ce_invalidityDate_callback, proto_x509ce, "id-ce-invalidityDate"); + register_ber_oid_dissector("2.5.29.51", dissect_x509ce_baseUpdateTime_callback, proto_x509ce, "id-ce-baseUpdateTime"); + oid_add_from_string("anyPolicy","2.5.29.32.0"); +} + + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local Variables: + * c-basic-offset: 2 + * tab-width: 8 + * indent-tabs-mode: nil + * End: + * + * vi: set shiftwidth=2 tabstop=8 expandtab: + * :indentSize=2:tabSize=8:noTabs=true: + */ diff --git a/epan/dissectors/asn1/x509ce/packet-x509ce-template.h b/epan/dissectors/asn1/x509ce/packet-x509ce-template.h new file mode 100644 index 00000000..ad30d59d --- /dev/null +++ b/epan/dissectors/asn1/x509ce/packet-x509ce-template.h 
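Review bot: `x509ce_enable_ciplus()` rewrites four entries of the process-wide "ber.oid" table, so until `x509ce_disable_ciplus()` runs every certificate dissected, not only CI+ ones, has extensions 1.3.6.1.5.5.7.1.25/26/27/50 decoded with the CI+ syntaxes. Nothing in this file ensures the disable call happens when dissection between the two calls aborts on malformed input; the callers are outside this hunk, so whether they guard against that is not visible here. The existing block comment should state the contract, for example `/* The override is global to "ber.oid": callers must call x509ce_disable_ciplus() on every exit path, including when dissection throws. */`. Each enable call also creates four new handles with `create_dissector_handle()`; creating them once in `proto_reg_handoff_x509ce()` and reusing them would avoid that, if the function can be called repeatedly.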
@@ -0,0 +1,33 @@
+/* packet-x509ce.h
+ * Routines for X.509 Certificate Extensions packet dissection
+ * Ronnie Sahlberg 2004
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef PACKET_X509CE_H
+#define PACKET_X509CE_H
+
+#include "packet-x509ce-exp.h"
+
+void x509ce_enable_ciplus(void);
+void x509ce_disable_ciplus(void);
+
+#endif /* PACKET_X509CE_H */
+
+/*
+ * Editor modelines - https://www.wireshark.org/tools/modelines.html
+ *
+ * Local Variables:
+ * c-basic-offset: 2
+ * tab-width: 8
+ * indent-tabs-mode: nil
+ * End:
+ *
+ * vi: set shiftwidth=2 tabstop=8 expandtab:
+ * :indentSize=2:tabSize=8:noTabs=true:
+ */
diff --git a/epan/dissectors/asn1/x509ce/x509ce.cnf b/epan/dissectors/asn1/x509ce/x509ce.cnf
new file mode 100644
index 00000000..ae0090a7
--- /dev/null
+++ b/epan/dissectors/asn1/x509ce/x509ce.cnf
@@ -0,0 +1,215 @@
+# x509ce.cnf
+# X509CE conformation file
+
+#.IMPORT ../x509if/x509if-exp.cnf
+#.IMPORT ../x509af/x509af-exp.cnf
+#.IMPORT ../x509sat/x509sat-exp.cnf
+#.IMPORT ../p1/p1-exp.cnf
+
+# Forward declaration
+#.CLASS CERT-POLICY-QUALIFIER
+&id ObjectIdentifierType
+&Qualifier
+#.END
+
+# InformationFramework classes
+# #.CLASS ATTRIBUTE
+#&derivation ClassReference ATTRIBUTE
+#&Type
+#&equality-match ClassReference MATCHING-RULE
+#&ordering-match ClassReference MATCHING-RULE
+#&substrings-match ClassReference MATCHING-RULE
+#&single-valued BooleanType
+#&collective BooleanType
+#&no-user-modification BooleanType
+#&usage
+#&id ObjectIdentifierType
+# #.END
+
+#.CLASS MATCHING-RULE
+&ParentMatchingRules ClassReference MATCHING-RULE
+&AssertionType
+&uniqueMatchIndicator ClassReference ATTRIBUTE
+&id ObjectIdentifierType
+#.END
+#.EXPORTS
+AltNameType
+AttributesSyntax
+AuthorityKeyIdentifier
+BaseCRLNumber
+BaseDistance
+BaseRevocationInfo
+BasicConstraintsSyntax
+CertificateAssertion
+CertificateExactAssertion
+CertificateListAssertion
+CertificateListExactAssertion
+CertificatePairAssertion
+CertificatePairExactAssertion
+CertificatePoliciesSyntax
+CertPolicySet
+CRLDistPointsSyntax
+CRLNumber
+CRLReason
+CRLReferral
+CRLScopeSyntax
+CRLStreamIdentifier
+DeltaInformation
+DeltaRefInfo
+DistributionPoint
+DistributionPointName
+EDIPartyName
+GeneralName
+GeneralNames
+GeneralSubtree
+GeneralSubtrees
+HoldInstruction
+IssuingDistPointSyntax
+KeyIdentifier
+KeyPurposeId
+KeyPurposeIDs
+KeyUsage
+NameConstraintsSyntax
+NumberRange
+OnlyCertificateTypes
+OrderedListSyntax
+PerAuthorityScope
+PkiPathMatchSyntax
+PolicyConstraintsSyntax
+PolicyInformation
+PolicyMappingsSyntax
+PolicyQualifierInfo
+PrivateKeyUsagePeriod
+ReasonFlags
+SkipCerts
+StatusReferral
+StatusReferrals
+SubjectKeyIdentifier
+ScramblerCapabilities
+CiplusInfo
+CicamBrandId
+SecurityLevel
+
+#.PDU
+ScramblerCapabilities
+CiplusInfo
+CicamBrandId
+SecurityLevel
+
+
+#.REGISTER
+CertificatePoliciesSyntax B "2.5.29.3" "id-ce-certificatePolicies"
+AttributesSyntax B "2.5.29.9" "id-ce-subjectDirectoryAttributes"
+SubjectKeyIdentifier B "2.5.29.14" "id-ce-subjectKeyIdentifier"
+KeyUsage B "2.5.29.15" "id-ce-keyUsage"
+PrivateKeyUsagePeriod B "2.5.29.16" "id-ce-privateKeyUsagePeriod"
+GeneralNames B "2.5.29.17" "id-ce-subjectAltName"
+GeneralNames B "2.5.29.18" "id-ce-issuerAltName"
+BasicConstraintsSyntax B "2.5.29.19" "id-ce-basicConstraints"
+CRLNumber B "2.5.29.20" "id-ce-cRLNumber"
+CRLReason B "2.5.29.21" "id-ce-reasonCode"
+HoldInstruction B "2.5.29.23" "id-ce-instructionCode"
+BaseCRLNumber B "2.5.29.27" "id-ce-deltaCRLIndicator"
+IssuingDistPointSyntax B "2.5.29.28" "id-ce-issuingDistributionPoint"
+GeneralNames B "2.5.29.29" "id-ce-certificateIssuer"
+NameConstraintsSyntax B "2.5.29.30" "id-ce-nameConstraints"
+CRLDistPointsSyntax B "2.5.29.31" "id-ce-cRLDistributionPoints"
+CertificatePoliciesSyntax B "2.5.29.32" "id-ce-certificatePolicies"
+PolicyMappingsSyntax B "2.5.29.33" "id-ce-policyMappings"
+AuthorityKeyIdentifier B "2.5.29.35" "id-ce-authorityKeyIdentifier"
+PolicyConstraintsSyntax B "2.5.29.36" "id-ce-policyConstraints"
+KeyPurposeIDs B "2.5.29.37" "id-ce-extKeyUsage"
+CRLStreamIdentifier B "2.5.29.40" "id-ce-cRLStreamIdentifier"
+CRLScopeSyntax B "2.5.29.44" "id-ce-cRLScope"
+StatusReferrals B "2.5.29.45" "id-ce-statusReferrals"
+CRLDistPointsSyntax B "2.5.29.46" "id-ce-freshestCRL"
+OrderedListSyntax B "2.5.29.47" "id-ce-orderedList"
+DeltaInformation B "2.5.29.53" "id-ce-deltaInfo"
+SkipCerts B "2.5.29.54" "id-ce-inhibitAnyPolicy"
+ToBeRevokedSyntax B "2.5.29.58" "id-ce-toBeRevoked"
+RevokedGroupsSyntax B "2.5.29.59" "id-ce-RevokedGroups"
+ExpiredCertsOnCRL B "2.5.29.60" "id-ce-expiredCertsOnCRL"
+AAIssuingDistPointSyntax B "2.5.29.61" "id-ce-aAissuingDistributionPoint"
+NFTypes B "1.3.6.1.5.5.7.1.34" "id-pe-nftype"
+
+CertificateAssertion B "2.5.13.35" "id-mr-certificateMatch"
+CertificatePairExactAssertion B "2.5.13.36" "id-mr-certificatePairExactMatch"
+CertificatePairAssertion B "2.5.13.37" "id-mr-certificatePairMatch"
+CertificateListExactAssertion B "2.5.13.38" "id-mr-certificateListExactMatch"
+CertificateListAssertion B "2.5.13.39" "id-mr-certificateListMatch"
+PkiPathMatchSyntax B "2.5.13.62" "id-mr-pkiPathMatch"
+EnhancedCertificateAssertion B "2.5.13.65" "id-mr-enhancedCertificateMatch"
+
+# These are obsolete???
+# The following OBJECT IDENTIFIERS are not used by this Specification:
+# {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
+# {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
+# {id-ce 22}, {id-ce 25}, {id-ce 26}
+
+# Microsoft extensions
+CertificateTemplate B "1.3.6.1.4.1.311.21.7" "id-ms-certificate-template"
+CertificatePoliciesSyntax B "1.3.6.1.4.1.311.21.10" "id-ms-application-certificate-policies"
+NtdsCaSecurity B "1.3.6.1.4.1.311.25.2" "id-ms-ntds-ca-security"
+NtdsObjectSid B "1.3.6.1.4.1.311.25.2.1" "id-ms-ntds-object-sid"
+
+# Entrust extensions
+EntrustVersionInfo B "1.2.840.113533.7.65.0" "id-ce-entrustVersionInfo"
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.TYPE_ATTR
+ScramblerCapabilities/capability DISPLAY = BASE_DEC STRINGS = VALS64(ciplus_scr_cap)
+SecurityLevel DISPLAY = BASE_DEC STRINGS = VALS64(ciplus_security_level)
+
+#.FIELD_RENAME
+CRLReferral/issuer crlr_issuer
+CertificatePairExactAssertion/issuedToThisCAAssertion cpea_issuedToThisCAAssertion
+CertificatePairExactAssertion/issuedByThisCAAssertion cpea_issuedByThisCAAssertion
+CertificateGroup/serialNumberRange certificateGroupNumberRange
+CertificateAssertion/subjectAltName subjectAltNameType
+EnhancedCertificateAssertion/pathToName enhancedPathToName
+
+#.FN_PARS PolicyQualifierInfo/policyQualifierId
+ FN_VARIANT = _str HF_INDEX = hf_x509ce_object_identifier_id VAL_PTR = &actx->external.direct_reference
+
+#.FN_BODY PolicyQualifierInfo/qualifier
+ offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
+#.FN_BODY GeneralName/iPAddress
+ switch (tvb_reported_length(tvb)) {
+ case 4: /* IPv4 */
+ proto_tree_add_item(tree, hf_x509ce_IPAddress_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
+ offset += 4;
+ break;
+ case 16: /* IPv6 */
+ proto_tree_add_item(tree, hf_x509ce_IPAddress_ipv6, tvb, offset, 16, ENC_NA);
+ offset += 16;
+ break;
+ }
+
+#.FN_PARS OtherNameType
+ FN_VARIANT = _str VAL_PTR = &actx->external.direct_reference
+
+#.FN_BODY OtherNameValue
+ offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
+
+#.FN_FTR GeneralName/uniformResourceIdentifier
+
+ proto_item_set_url(actx->created_item);
+
+#.END
+
+#
+# Editor modelines - https://www.wireshark.org/tools/modelines.html
+#
+# Local variables:
+# c-basic-offset: 2
+# tab-width: 8
+# indent-tabs-mode: nil
+# End:
+#
+# vi: set shiftwidth=2 tabstop=8 expandtab:
+# :indentSize=2:tabSize=8:noTabs=true:
+# |
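Review bot: The `switch (tvb_reported_length(tvb))` in `#.FN_BODY GeneralName/iPAddress` has no `default:` branch, so an iPAddress whose length is neither 4 nor 16 adds nothing to the tree and leaves `offset` unchanged. That hides malformed values from an analyst inspecting a certificate, and it also hides the 8- and 32-octet address-plus-mask form that RFC 5280 uses for iPAddress in name constraints. A fallback that still shows the raw octets would close the gap, for example `default: %(DEFAULT_BODY)s break;`, assuming the generated default for this field is the plain octet-string dissection. Attaching an expert-info item for unexpected lengths would make the anomaly visible without opening the field.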