-- Module AuthenticationFramework (X.509:08/1997)
--
-- ASN.1 schema for the X.509 Authentication Framework: public-key certificates,
-- certificate revocation lists (CRLs), attribute certificates and the paths and
-- pairs that link them. The comments at the end mark a few types that were added
-- for the dissector consuming this module (DSS-Params, ub-user-identifier, Userid).
-- Comment syntax reminder: a second "--" on the same line closes an ASN.1 comment.
AuthenticationFramework {joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 3}
DEFINITIONS ::=
BEGIN

-- EXPORTS All
-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
-- within the Directory Specifications, and for the use of other applications which will use them to access
-- Directory services. Other applications may use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory service.
IMPORTS
  id-at, id-mr, informationFramework, upperBounds, selectedAttributeTypes,
    basicAccessControl, certificateExtensions
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 3}
  Name, ATTRIBUTE, AttributeType, MATCHING-RULE, Attribute, RDNSequence
    FROM InformationFramework informationFramework
  ub-user-password
    FROM UpperBounds upperBounds
  AuthenticationLevel
    FROM BasicAccessControl basicAccessControl
  UniqueIdentifier, octetStringMatch
    FROM SelectedAttributeTypes selectedAttributeTypes
  certificateExactMatch, certificatePairExactMatch, certificateListExactMatch, GeneralNames
    FROM CertificateExtensions certificateExtensions;

-- basic certificate definition
--
-- Expansion of X.509's SIGNED{} construct: signedCertificate is the body covered by
-- the signature, algorithmIdentifier names the signature algorithm, and encrypted
-- (the 1997 name for the signature value) carries the signature bits.
-- NOTE(review): a verifier should check that the outer algorithmIdentifier equals
-- signedCertificate.signature; the outer one is unsigned and must not be trusted alone.
Certificate ::= SEQUENCE {
  signedCertificate SEQUENCE {
    version                 [0]  Version DEFAULT v1,
    serialNumber                 CertificateSerialNumber,
    signature                    AlgorithmIdentifier,
    issuer                       Name,
    validity                     Validity,
    subject                      SubjectName,
    subjectPublicKeyInfo         SubjectPublicKeyInfo,
    issuerUniqueIdentifier  [1] IMPLICIT UniqueIdentifier OPTIONAL,
    -- if present, version must be v2 or v3
    subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
    -- if present, version must be v2 or v3
    extensions              [3]  Extensions OPTIONAL
    -- If present, version must be v3 --
  },
  algorithmIdentifier AlgorithmIdentifier,
  encrypted           BIT STRING
}

-- imported to allow labelling
SubjectName ::= CHOICE {
  rdnSequence RDNSequence
}

-- Encoded value is one less than the version name (v1 = 0); the version comments
-- on Certificate and CertificateList state which fields require which version.
Version ::= INTEGER {v1(0), v2(1), v3(2)}

CertificateSerialNumber ::= INTEGER

-- parameters is left untyped (ANY) because the table constraint that would tie it to
-- algorithmId is deferred (see SupportedAlgorithms below). A consumer therefore has to
-- choose the parameter decoding from algorithmId itself and treat an unexpected or
-- malformed parameter blob as an error rather than ignoring it.
AlgorithmIdentifier ::= SEQUENCE {
  algorithmId OBJECT IDENTIFIER,
  parameters  ANY OPTIONAL
}

-- Definition of the following information object set is deferred, perhaps to standardized
-- profiles or to protocol implementation conformance statements. The set is required to
-- specify a table constraint on the parameters component of AlgorithmIdentifier.
--SupportedAlgorithms ALGORITHM ::=
--{...}

-- Validity window of the certificate, inclusive at both ends.
Validity ::= SEQUENCE {notBefore Time, notAfter Time }

SubjectPublicKeyInfo ::= SEQUENCE {
  algorithm        AlgorithmIdentifier,
  subjectPublicKey BIT STRING
}

-- NOTE(review): utcTime carries only a two digit year, so a validity check has to apply
-- a fixed century pivot (RFC 5280 uses YY >= 50 for 19YY) and should normalise both
-- alternatives to one time representation before comparing them.
Time ::= CHOICE {utcTime UTCTime, generalizedTime GeneralizedTime }

Extensions ::= SEQUENCE OF Extension

-- For those extensions where ordering of individual extensions within the SEQUENCE is significant, the
-- specification of those individual extensions shall include the rules for the significance of the order therein
--
-- NOTE(review): RFC 5280 declares critical as BOOLEAN DEFAULT FALSE, so an absent
-- critical field means non-critical. A relying party that does not recognise the
-- extnId of an extension marked critical must treat the certificate as invalid.
Extension ::= SEQUENCE {
  extnId    OBJECT IDENTIFIER,
  critical  BOOLEAN OPTIONAL,
  extnValue OCTET STRING
  -- contains a DER encoding of a value of type &ExtnType
  -- for the extension object identified by extnId
}

--ExtensionSet EXTENSION ::=
-- {...}

-- Information object class for extensions: &id is the extnId, &ExtnType the type
-- whose DER encoding is carried in extnValue.
EXTENSION ::= CLASS {&id OBJECT IDENTIFIER UNIQUE, &ExtnType } WITH SYNTAX {SYNTAX &ExtnType IDENTIFIED BY &id }

-- other certificate constructs

-- A user certificate together with an optional path of cross-certificates leading to it.
Certificates ::= SEQUENCE {
  userCertificate   Certificate,
  certificationPath ForwardCertificationPath OPTIONAL
}

ForwardCertificationPath ::= SEQUENCE OF CrossCertificates

CrossCertificates ::= SET OF Certificate

CertificationPath ::= SEQUENCE {
  userCertificate   Certificate,
  theCACertificates SEQUENCE OF CertificatePair OPTIONAL
}

CertificatePair ::= SEQUENCE {
  issuedByThisCA [0] Certificate OPTIONAL,
  issuedToThisCA [1] Certificate OPTIONAL
  -- at least one of the pair shall be present
}

-- Certificate Revocation List (CRL)
--
-- Same SIGNED{} shape as Certificate: signedCertificateList is the signed body and
-- encrypted holds the signature value. An empty CRL omits revokedCertificates entirely.
-- NOTE(review): nextUpdate is OPTIONAL; when it is absent the CRL declares no expiry,
-- so a relying party should apply its own freshness limit rather than caching it forever.
CertificateList ::= SEQUENCE {
  signedCertificateList SEQUENCE {
    version             Version OPTIONAL,
    -- if present, version must be v2
    signature           AlgorithmIdentifier,
    issuer              Name,
    thisUpdate          Time,
    nextUpdate          Time OPTIONAL,
    revokedCertificates SEQUENCE OF SEQUENCE {
      userCertificate    CertificateSerialNumber,
      revocationDate     Time,
      crlEntryExtensions Extensions OPTIONAL
    } OPTIONAL,
    crlExtensions       [0] Extensions OPTIONAL
  },
  algorithmIdentifier AlgorithmIdentifier,
  encrypted           BIT STRING
}

-- attribute certificate
AttributeCertificationPath ::= SEQUENCE {
  attributeCertificate AttributeCertificate,
  acPath               SEQUENCE OF ACPathData OPTIONAL
}

ACPathData ::= SEQUENCE {
  certificate          [0] Certificate OPTIONAL,
  attributeCertificate [1] AttributeCertificate OPTIONAL
}

--attributeCertificate ATTRIBUTE ::= {
--  WITH SYNTAX AttributeCertificate
--  EQUALITY MATCHING RULE attributeCertificateMatch
--  ID id-at-attributeCertificate
--}

-- SIGNED{} expansion again: signedAttributeCertificateInfo is the signed body,
-- encrypted the signature value.
AttributeCertificate ::= SEQUENCE {
  signedAttributeCertificateInfo AttributeCertificateInfo,
  algorithmIdentifier            AlgorithmIdentifier,
  encrypted                      BIT STRING
}

-- The holder is identified either by the issuer/serial of its public-key certificate
-- (baseCertificateID) or by name (subjectName); issuer is a GeneralNames, not a Name.
AttributeCertificateInfo ::= SEQUENCE {
  version               Version DEFAULT v1,
  subject               CHOICE {baseCertificateID [0] IssuerSerial, subjectName [1] GeneralNames },
  issuer                GeneralNames,
  signature             AlgorithmIdentifier,
  serialNumber          CertificateSerialNumber,
  attCertValidityPeriod AttCertValidityPeriod,
  attributes            SEQUENCE OF Attribute,
  issuerUniqueID        UniqueIdentifier OPTIONAL,
  extensions            Extensions OPTIONAL
}

IssuerSerial ::= SEQUENCE {
  issuer    GeneralNames,
  serial    CertificateSerialNumber,
  issuerUID UniqueIdentifier OPTIONAL
}

-- Attribute certificate validity uses GeneralizedTime only, unlike Validity above.
AttCertValidityPeriod ::= SEQUENCE {
  notBeforeTime GeneralizedTime,
  notAfterTime  GeneralizedTime
}

--attributeCertificateMatch MATCHING-RULE ::= {
--  SYNTAX AttributeCertificateAssertion
--  ID id-mr-attributeCertificateMatch
--}

AttributeCertificateAssertion ::= SEQUENCE {
  subject         [0] CHOICE {baseCertificateID [0] IssuerSerial, subjectName [1] SubjectName} OPTIONAL,
  issuer          [1] Name OPTIONAL,
  attCertValidity [2] GeneralizedTime OPTIONAL,
  attType         [3] SET OF AttributeType OPTIONAL
}
-- At least one component of the sequence must be present

-- attribute types
--userPassword ATTRIBUTE ::= {
--  WITH SYNTAX OCTET STRING(SIZE (0..ub-user-password))
--  EQUALITY MATCHING RULE octetStringMatch
--  ID id-at-userPassword
--}

--userCertificate ATTRIBUTE ::= {
--  WITH SYNTAX Certificate
--  EQUALITY MATCHING RULE certificateExactMatch
--  ID id-at-userCertificate
--}

--cACertificate ATTRIBUTE ::= {
--  WITH SYNTAX Certificate
--  EQUALITY MATCHING RULE certificateExactMatch
--  ID id-at-cAcertificate
--}

--crossCertificatePair ATTRIBUTE ::= {
--  WITH SYNTAX CertificatePair
--  EQUALITY MATCHING RULE certificatePairExactMatch
--  ID id-at-crossCertificatePair
--}

--authorityRevocationList ATTRIBUTE ::= {
--  WITH SYNTAX CertificateList
--  EQUALITY MATCHING RULE certificateListExactMatch
--  ID id-at-authorityRevocationList
--}

--certificateRevocationList ATTRIBUTE ::= {
--  WITH SYNTAX CertificateList
--  EQUALITY MATCHING RULE certificateListExactMatch
--  ID id-at-certificateRevocationList
--}

--attributeCertificateRevocationList ATTRIBUTE ::= {
--  WITH SYNTAX CertificateList
--  ID id-at-attributeCertificateRevocationList
--}

-- information object classes
--ALGORITHM ::= TYPE-IDENTIFIER

-- object identifier assignments
-- (the directory attribute types above, under the id-at arc)
--id-at-userPassword OBJECT IDENTIFIER ::=
-- {id-at 35}
id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36}
id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37}
id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38}
id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40}
id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
--id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}

-- these are sneaked in from DSS - a separate dissector seems OTT
-- DSA domain parameters (prime p, subgroup order q, generator g), as carried in the
-- parameters field of an AlgorithmIdentifier for DSA keys.
DSS-Params ::= SEQUENCE {
  p INTEGER,
  q INTEGER,
  g INTEGER
}

-- WS Add some stuff from RFC 1274
-- Upper bound on the length of a Userid.
ub-user-identifier INTEGER ::= 256

-- RFC 1274 userid: non-empty, at most ub-user-identifier characters.
Userid ::= UTF8String (SIZE (1 .. ub-user-identifier))

END

-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D