-- $Id$ --
-- Definitions from rfc2459/rfc3280
--
-- ASN.1 module for the X.509 certificate, CRL and extension types used by
-- the Heimdal PKI code. Several fields that the RFCs declare with DEFAULT
-- values or with size/value constraints are declared here as plain OPTIONAL
-- or as opaque heim_any values; the RFC type is kept in an inline comment
-- and the corresponding checks (defaults, version rules, size limits,
-- critical-extension handling) have to be done by the consuming code.

RFC2459 DEFINITIONS ::= BEGIN

IMPORTS heim_any FROM heim;

-- TBSCertificate / TBSCRLCertList version. The value names carry an
-- rfc3280_ prefix rather than the RFC's v1/v2/v3, presumably to keep the
-- generated C identifiers unique; the numbers are the RFC ones
-- (v1 = 0, v2 = 1, v3 = 2).
Version ::= INTEGER {
	rfc3280_version_1(0),
	rfc3280_version_2(1),
	rfc3280_version_3(2)
}

-- PKCS#1 (1.2.840.113549.1.1) signature algorithm identifiers. The MD2, MD5
-- and SHA-1 variants are defined so that such signatures can be named when
-- parsed; whether a verifier still accepts them is a policy decision in the
-- consuming code, not something this module expresses.
id-pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
	rsadsi(113549) pkcs(1) 1 }
id-pkcs1-rsaEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 1 }
id-pkcs1-md2WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 2 }
id-pkcs1-md5WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 4 }
id-pkcs1-sha1WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 5 }
id-pkcs1-sha256WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 11 }
id-pkcs1-sha384WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 12 }
id-pkcs1-sha512WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 13 }

-- Heimdal private arc (1.2.752.43), not an IETF/RSADSI identifier.
id-heim-rsa-pkcs1-x509 OBJECT IDENTIFIER ::= { 1 2 752 43 16 1 }

-- NOTE(review): the id-pkcs2-* and id-pkcs3-* arcs below sit under pkcs(1),
-- i.e. 1.2.840.113549.1.2.x and 1.2.840.113549.1.3.x. The RSADSI digest and
-- cipher identifiers seen in practice are the id-rsa-digest-* and id-rsadsi-*
-- values further down (arcs 2 and 3 directly under rsadsi, e.g. md5 =
-- 1.2.840.113549.2.5, des-ede3-cbc = 1.2.840.113549.3.7). Confirm which set
-- the consumers actually compare against.
id-pkcs-2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
	rsadsi(113549) pkcs(1) 2 }
id-pkcs2-md2 OBJECT IDENTIFIER ::= { id-pkcs-2 2 }
id-pkcs2-md4 OBJECT IDENTIFIER ::= { id-pkcs-2 4 }
id-pkcs2-md5 OBJECT IDENTIFIER ::= { id-pkcs-2 5 }

-- RSADSI digestAlgorithm arc, 1.2.840.113549.2.
id-rsa-digestAlgorithm OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) 2 }

id-rsa-digest-md2 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 2 }
id-rsa-digest-md4 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 4 }
id-rsa-digest-md5 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 5 }

id-pkcs-3 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
	rsadsi(113549) pkcs(1) 3 }

id-pkcs3-rc2-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 2 }
id-pkcs3-rc4 OBJECT IDENTIFIER ::= { id-pkcs-3 4 }
id-pkcs3-des-ede3-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 7 }

-- RSADSI encryptionAlgorithm arc, 1.2.840.113549.3.
id-rsadsi-encalg OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
	rsadsi(113549) 3 }

id-rsadsi-rc2-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 2 }
id-rsadsi-des-ede3-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 7 }

-- SHA-1 as a bare digest algorithm, 1.3.14.3.2.26.
id-secsig-sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
	oiw(14) secsig(3) algorithm(2) 26 }

-- NIST CSOR algorithm arc, 2.16.840.1.101.3.4.
id-nistAlgorithm OBJECT IDENTIFIER ::= {
	joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 }

id-nist-aes-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 1 }

-- The AES-CBC arcs are 2, 22 and 42 (one block of 20 per key size).
id-aes-128-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 2 }
id-aes-192-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 22 }
id-aes-256-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 42 }

id-nist-sha-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 2 }

-- SHA-2 family; note sha224 is arc 4 even though it is listed between
-- sha256 (1) and sha384 (2), so the list is not in arc order.
id-sha256 OBJECT IDENTIFIER ::= { id-nist-sha-algs 1 }
id-sha224 OBJECT IDENTIFIER ::= { id-nist-sha-algs 4 }
id-sha384 OBJECT IDENTIFIER ::= { id-nist-sha-algs 2 }
id-sha512 OBJECT IDENTIFIER ::= { id-nist-sha-algs 3 }

-- X9.42 Diffie-Hellman public number, 1.2.840.10046.2.1 (RFC 3279).
id-dhpublicnumber OBJECT IDENTIFIER ::= {
	iso(1) member-body(2) us(840) ansi-x942(10046)
	number-type(2) 1 }

-- NOTE(review): with ansi-x942(10046) this arc evaluates to 1.2.840.10046.4,
-- so id-dsa below becomes 1.2.840.10046.4.1 and id-dsa-with-sha1 becomes
-- 1.2.840.10046.4.3. RFC 3279 assigns DSA to the X9.57 arc instead:
-- 1.2.840.10040.4.1 and 1.2.840.10040.4.3. The label x9-57 suggests 10040
-- was intended and 10046 (the X9.42 number used by id-dhpublicnumber above)
-- was copied by mistake; as written, standard DSA certificates would
-- presumably not match these identifiers. Confirm against what the
-- consumers compare with before relying on either value.
id-x9-57 OBJECT IDENTIFIER ::= {
	iso(1) member-body(2) us(840) ansi-x942(10046)
	4 }

id-dsa OBJECT IDENTIFIER ::= { id-x9-57 1 }
id-dsa-with-sha1 OBJECT IDENTIFIER ::= { id-x9-57 3 }

-- x.520 names types

-- X.520 attribute types used in distinguished names, 2.5.4.x.
id-x520-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }

id-at-commonName OBJECT IDENTIFIER ::= { id-x520-at 3 }
id-at-surname OBJECT IDENTIFIER ::= { id-x520-at 4 }
id-at-serialNumber OBJECT IDENTIFIER ::= { id-x520-at 5 }
id-at-countryName OBJECT IDENTIFIER ::= { id-x520-at 6 }
id-at-localityName OBJECT IDENTIFIER ::= { id-x520-at 7 }
id-at-stateOrProvinceName OBJECT IDENTIFIER ::= { id-x520-at 8 }
id-at-streetAddress OBJECT IDENTIFIER ::= { id-x520-at 9 }
id-at-organizationName OBJECT IDENTIFIER ::= { id-x520-at 10 }
id-at-organizationalUnitName OBJECT IDENTIFIER ::= { id-x520-at 11 }
id-at-name OBJECT IDENTIFIER ::= { id-x520-at 41 }
id-at-givenName OBJECT IDENTIFIER ::= { id-x520-at 42 }
id-at-initials OBJECT IDENTIFIER ::= { id-x520-at 43 }
id-at-generationQualifier OBJECT IDENTIFIER ::= { id-x520-at 44 }
id-at-pseudonym OBJECT IDENTIFIER ::= { id-x520-at 65 }
-- RFC 2247
-- userid and domainComponent from the IETF pilot arc (0.9.2342.19200300.100.1.x).
id-Userid OBJECT IDENTIFIER ::=
	{ 0 9 2342 19200300 100 1 1 }
id-domainComponent OBJECT IDENTIFIER ::=
	{ 0 9 2342 19200300 100 1 25 }


-- rfc3280

-- Certificate extension arc, 2.5.29.x.
id-x509-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}

-- parameters are kept undecoded (heim_any); their meaning depends on the
-- algorithm and is left to the caller that knows which algorithm it is.
AlgorithmIdentifier ::= SEQUENCE {
	algorithm OBJECT IDENTIFIER,
	parameters heim_any OPTIONAL
}

AttributeType ::= OBJECT IDENTIFIER

AttributeValue ::= heim_any

-- T61String taken as raw octets, tagged UNIVERSAL 20 so it matches the wire
-- tag. No character set translation happens here, so any comparison of a
-- teletexString name component is presumably bytewise.
TeletexStringx ::= [UNIVERSAL 20] IMPLICIT OCTET STRING

-- NOTE(review): ia5String is not an alternative of DirectoryString in
-- RFC 2459/3280 (they list only the other five); presumably kept so that
-- non-conforming certificates still parse. Comparing name components that
-- use different string types is the consumer's job.
DirectoryString ::= CHOICE {
	ia5String IA5String,
	teletexString TeletexStringx,
	printableString PrintableString,
	universalString UniversalString,
	utf8String UTF8String,
	bmpString BMPString
}

-- The attribute values are left opaque; callers decode them by type.
Attribute ::= SEQUENCE {
	type AttributeType,
	value SET OF -- AttributeValue -- heim_any
}

AttributeTypeAndValue ::= SEQUENCE {
	type AttributeType,
	value DirectoryString
}

RelativeDistinguishedName ::= SET OF AttributeTypeAndValue

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

Name ::= CHOICE {
	rdnSequence RDNSequence
}

-- Unconstrained INTEGER: the RFC 5280 (section 4.1.2.2) rules that a serial
-- number is positive and at most 20 octets are not expressed here.
CertificateSerialNumber ::= INTEGER

-- Which alternative an issuer must use by date (UTCTime through 2049,
-- GeneralizedTime after) and the two-digit-year pivot for UTCTime are not
-- expressed by the type; that is handled in the decoder/consumer.
Time ::= CHOICE {
	utcTime UTCTime,
	generalTime GeneralizedTime
}

Validity ::= SEQUENCE {
	notBefore Time,
	notAfter Time
}

UniqueIdentifier ::= BIT STRING

-- subjectPublicKey is the DER of the algorithm-specific key type (e.g.
-- RSAPublicKey or DSAPublicKey below) wrapped in a BIT STRING.
SubjectPublicKeyInfo ::= SEQUENCE {
	algorithm AlgorithmIdentifier,
	subjectPublicKey BIT STRING
}

-- critical is DEFAULT FALSE in the RFC; here it is only OPTIONAL, so the
-- consumer must treat an absent field as FALSE, and an explicitly encoded
-- FALSE (not valid DER) is presumably accepted rather than rejected.
-- Per RFC 5280 section 4.2 an unrecognised extension marked critical must
-- make the certificate unacceptable; that check lives outside this module.
-- extnValue holds the DER of the extension-specific type, decoded by the
-- consumer according to extnID.
Extension ::= SEQUENCE {
	extnID OBJECT IDENTIFIER,
	critical BOOLEAN OPTIONAL, -- DEFAULT FALSE XXX
	extnValue OCTET STRING
}

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

-- The "If present, version shall be ..." rules are documentation only: the
-- type accepts any combination of version and optional fields, and the
-- consumer has to enforce them. An absent version means v1
-- (rfc3280_version_1, i.e. 0).
TBSCertificate ::= SEQUENCE {
	version [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1,
	serialNumber CertificateSerialNumber,
	signature AlgorithmIdentifier,
	issuer Name,
	validity Validity,
	subject Name,
	subjectPublicKeyInfo SubjectPublicKeyInfo,
	issuerUniqueID [1] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
	-- If present, version shall be v2 or v3
	subjectUniqueID [2] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
	-- If present, version shall be v2 or v3
	extensions [3] EXPLICIT Extensions OPTIONAL
	-- If present, version shall be v3
}

-- signatureAlgorithm has to equal tbsCertificate.signature (RFC 5280
-- section 4.1.1.2); that equality is checked by the consumer, not here.
Certificate ::= SEQUENCE {
	tbsCertificate TBSCertificate,
	signatureAlgorithm AlgorithmIdentifier,
	signatureValue BIT STRING
}

Certificates ::= SEQUENCE OF Certificate

-- X9.42 Diffie-Hellman domain parameters (RFC 3279), the parameters of
-- id-dhpublicnumber.
ValidationParms ::= SEQUENCE {
	seed BIT STRING,
	pgenCounter INTEGER
}

DomainParameters ::= SEQUENCE {
	p INTEGER, -- odd prime, p=jq +1
	g INTEGER, -- generator, g
	q INTEGER, -- factor of p-1
	j INTEGER OPTIONAL, -- subgroup factor
	validationParms ValidationParms OPTIONAL -- ValidationParms
}

DHPublicKey ::= INTEGER

-- value is opaque; its type is selected by type-id (e.g. PKIXXmppAddr for
-- id-pkix-on-xmppAddr below) and decoded by the consumer.
OtherName ::= SEQUENCE {
	type-id OBJECT IDENTIFIER,
	value [0] EXPLICIT heim_any
}

-- The x400Address [3] and ediPartyName [5] alternatives of the RFC are left
-- out, so a GeneralName carrying those tags presumably fails to decode and
-- cannot be matched by name constraints. The IA5String alternatives and
-- iPAddress are not constrained by content: the RFC rules (no embedded
-- NUL, iPAddress of 4 or 16 octets in a SAN and 8 or 32 in a name
-- constraint) are the consumer's responsibility.
-- NOTE(review): X.680 does not allow IMPLICIT tagging of a CHOICE (the tag
-- is necessarily explicit); confirm that the compiler emits [4] as an
-- explicit tag for directoryName, as RFC 3280 requires.
GeneralName ::= CHOICE {
	otherName [0] IMPLICIT -- OtherName -- SEQUENCE {
		type-id OBJECT IDENTIFIER,
		value [0] EXPLICIT heim_any
	},
	rfc822Name [1] IMPLICIT IA5String,
	dNSName [2] IMPLICIT IA5String,
-- x400Address [3] IMPLICIT ORAddress,--
	directoryName [4] IMPLICIT -- Name -- CHOICE {
		rdnSequence RDNSequence
	},
-- ediPartyName [5] IMPLICIT EDIPartyName, --
	uniformResourceIdentifier [6] IMPLICIT IA5String,
	iPAddress [7] IMPLICIT OCTET STRING,
	registeredID [8] IMPLICIT OBJECT IDENTIFIER
}

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

id-x509-ce-keyUsage OBJECT IDENTIFIER ::= { id-x509-ce 15 }

-- Bit numbers as in RFC 5280 section 4.2.1.3.
KeyUsage ::= BIT STRING {
	digitalSignature (0),
	nonRepudiation (1),
	keyEncipherment (2),
	dataEncipherment (3),
	keyAgreement (4),
	keyCertSign (5),
	cRLSign (6),
	encipherOnly (7),
	decipherOnly (8)
}

id-x509-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 35 }

KeyIdentifier ::= OCTET STRING

-- authorityCertIssuer is GeneralNames inlined (SEQUENCE OF GeneralName);
-- the RFC's SIZE (1..MAX) constraint is not applied here.
AuthorityKeyIdentifier ::= SEQUENCE {
	keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL,
	authorityCertIssuer [1] IMPLICIT -- GeneralNames --
		SEQUENCE -- SIZE (1..MAX) -- OF GeneralName OPTIONAL,
	authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL
}

id-x509-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 14 }

SubjectKeyIdentifier ::= KeyIdentifier

id-x509-ce-basicConstraints OBJECT IDENTIFIER ::= { id-x509-ce 19 }

-- cA is DEFAULT FALSE in the RFC: an absent field means "not a CA" and the
-- consumer must default it that way. pathLenConstraint is (0..MAX) in the
-- RFC; the 32-bit bound here is a local choice, so a larger value
-- presumably fails to decode rather than being accepted.
BasicConstraints ::= SEQUENCE {
	cA BOOLEAN OPTIONAL -- DEFAULT FALSE --,
	pathLenConstraint INTEGER (0..4294967295) OPTIONAL
}

id-x509-ce-nameConstraints OBJECT IDENTIFIER ::= { id-x509-ce 30 }

BaseDistance ::= INTEGER -- (0..MAX) --

-- minimum defaults to 0 when absent. RFC 5280 section 4.2.1.10 requires
-- minimum to be 0 and maximum to be absent; neither is enforced by the type.
GeneralSubtree ::= SEQUENCE {
	base GeneralName,
	minimum [0] IMPLICIT -- BaseDistance -- INTEGER OPTIONAL -- DEFAULT 0 --,
	maximum [1] IMPLICIT -- BaseDistance -- INTEGER OPTIONAL
}

GeneralSubtrees ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralSubtree

-- The SIZE (1..MAX) constraint on both subtree lists is commented out, so
-- an empty permittedSubtrees or excludedSubtrees decodes even though the
-- RFC requires at least one entry; an empty permitted set would otherwise
-- permit nothing, so consumers should decide how to treat it.
NameConstraints ::= SEQUENCE {
	permittedSubtrees [0] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL,
	excludedSubtrees [1] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL
}

id-x509-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-x509-ce 16 }
id-x509-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-x509-ce 32 }
id-x509-ce-policyMappings OBJECT IDENTIFIER ::= { id-x509-ce 33 }
id-x509-ce-subjectAltName OBJECT IDENTIFIER ::= { id-x509-ce 17 }
id-x509-ce-issuerAltName OBJECT IDENTIFIER ::= { id-x509-ce 18 }
id-x509-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-x509-ce 9 }
id-x509-ce-policyConstraints OBJECT IDENTIFIER ::= { id-x509-ce 36 }

id-x509-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-x509-ce 37}

-- The RFC's SIZE (1..MAX) is not applied, so an empty extKeyUsage decodes;
-- the key purpose OIDs are the id-pkix-kp-* values below.
ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER

id-x509-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-x509-ce 31 }
id-x509-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-x509-ce 27 }
id-x509-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-x509-ce 28 }
id-x509-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-x509-ce 23 }
id-x509-ce-invalidityDate OBJECT IDENTIFIER ::= { id-x509-ce 24 }
id-x509-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-x509-ce 29 }
id-x509-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-x509-ce 54 }

-- Bit numbers as in RFC 5280 section 4.2.1.13; bit 0 is reserved.
DistributionPointReasonFlags ::= BIT STRING {
	unused (0),
	keyCompromise (1),
	cACompromise (2),
	affiliationChanged (3),
	superseded (4),
	cessationOfOperation (5),
	certificateHold (6),
	privilegeWithdrawn (7),
	aACompromise (8)
}

DistributionPointName ::= CHOICE {
	fullName [0] IMPLICIT -- GeneralNames -- SEQUENCE SIZE (1..MAX) OF GeneralName,
	nameRelativeToCRLIssuer [1] RelativeDistinguishedName
}

-- All three members are left as opaque heim_any; the commented names give
-- the RFC types (DistributionPointName, DistributionPointReasonFlags,
-- GeneralNames) that a consumer has to decode itself. Nothing in this
-- module validates their content.
DistributionPoint ::= SEQUENCE {
	distributionPoint [0] IMPLICIT heim_any -- DistributionPointName -- OPTIONAL,
	reasons [1] IMPLICIT heim_any -- DistributionPointReasonFlags -- OPTIONAL,
	cRLIssuer [2] IMPLICIT heim_any -- GeneralNames -- OPTIONAL
}

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint


-- rfc3279

-- DSA signature value as carried in signatureValue (RFC 3279 section 2.2.2).
DSASigValue ::= SEQUENCE {
	r INTEGER,
	s INTEGER
}

-- DSA public key y; the parameters p, q, g travel in AlgorithmIdentifier.
DSAPublicKey ::= INTEGER

DSAParams ::= SEQUENCE {
	p INTEGER,
	q INTEGER,
	g INTEGER
}

-- really pkcs1

RSAPublicKey ::= SEQUENCE {
	modulus INTEGER, -- n
	publicExponent INTEGER -- e
}

-- Two-prime PKCS#1 private key only: there is no otherPrimeInfos member, so
-- a multi-prime key (PKCS#1 v2.1 version 1) cannot be represented with
-- this type. The version bound is a local 32-bit choice.
RSAPrivateKey ::= SEQUENCE {
	version INTEGER (0..4294967295),
	modulus INTEGER, -- n
	publicExponent INTEGER, -- e
	privateExponent INTEGER, -- d
	prime1 INTEGER, -- p
	prime2 INTEGER, -- q
	exponent1 INTEGER, -- d mod (p-1)
	exponent2 INTEGER, -- d mod (q-1)
	coefficient INTEGER -- (inverse of q) mod p
}

-- PKCS#1 DigestInfo: the structure embedded in an RSA signature block.
DigestInfo ::= SEQUENCE {
	digestAlgorithm AlgorithmIdentifier,
	digest OCTET STRING
}

-- some ms ext

-- szOID_ENROLL_CERTTYPE_EXTENSION "1.3.6.1.4.1.311.20.2" is Encoded as a

-- UNICODESTRING (0x1E tag)

-- szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" is Encoded as:

-- TemplateVersion ::= INTEGER (0..4294967295)

-- CertificateTemplate ::= SEQUENCE {
-- templateID OBJECT IDENTIFIER,
-- templateMajorVersion TemplateVersion,
-- templateMinorVersion TemplateVersion OPTIONAL
-- }


--
-- CRL
--

-- TBSCertList in RFC 5280 terms. An absent version means v1. The "MUST be
-- v2" notes are not enforced by the type. nextUpdate is OPTIONAL here as in
-- the RFC syntax, although conforming issuers must include it (RFC 5280
-- section 5.1.2.5); and the RFC requires revokedCertificates to be omitted
-- when empty, which this type does not check. Both are consumer checks.
TBSCRLCertList ::= SEQUENCE {
	version Version OPTIONAL, -- if present, MUST be v2
	signature AlgorithmIdentifier,
	issuer Name,
	thisUpdate Time,
	nextUpdate Time OPTIONAL,
	revokedCertificates SEQUENCE OF SEQUENCE {
		userCertificate CertificateSerialNumber,
		revocationDate Time,
		crlEntryExtensions Extensions OPTIONAL
		-- if present, MUST be v2
	} OPTIONAL,
	crlExtensions [0] EXPLICIT Extensions OPTIONAL
	-- if present, MUST be v2
}


-- As for Certificate, signatureAlgorithm must match tbsCertList.signature;
-- that is checked by the consumer.
CRLCertificateList ::= SEQUENCE {
	tbsCertList TBSCRLCertList,
	signatureAlgorithm AlgorithmIdentifier,
	signatureValue BIT STRING
}

id-x509-ce-cRLNumber OBJECT IDENTIFIER ::= { id-x509-ce 20 }
id-x509-ce-freshestCRL OBJECT IDENTIFIER ::= { id-x509-ce 46 }
id-x509-ce-cRLReason OBJECT IDENTIFIER ::= { id-x509-ce 21 }

-- Value 7 is deliberately absent: RFC 5280 section 5.3.1 leaves it unused.
CRLReason ::= ENUMERATED {
	unspecified (0),
	keyCompromise (1),
	cACompromise (2),
	affiliationChanged (3),
	superseded (4),
	cessationOfOperation (5),
	certificateHold (6),
	removeFromCRL (8),
	privilegeWithdrawn (9),
	aACompromise (10)
}

-- Content of OtherName.value for id-pkix-on-xmppAddr.
PKIXXmppAddr ::= UTF8String

-- PKIX arc, 1.3.6.1.5.5.7.
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
	dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

-- otherName type-ids, 1.3.6.1.5.5.7.8.x.
id-pkix-on OBJECT IDENTIFIER ::= { id-pkix 8 }
id-pkix-on-xmppAddr OBJECT IDENTIFIER ::= { id-pkix-on 5 }
id-pkix-on-dnsSRV OBJECT IDENTIFIER ::= { id-pkix-on 7 }

-- Extended key usage purposes, 1.3.6.1.5.5.7.3.x (RFC 5280 section 4.2.1.12);
-- these are the values carried in ExtKeyUsage.
id-pkix-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
id-pkix-kp-serverAuth OBJECT IDENTIFIER ::= { id-pkix-kp 1 }
id-pkix-kp-clientAuth OBJECT IDENTIFIER ::= { id-pkix-kp 2 }
id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 }
id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 }
id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 }

-- Private certificate extension arc, 1.3.6.1.5.5.7.1.x.
id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 }

id-pkix-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 1 }

-- accessLocation is usually a uniformResourceIdentifier GeneralName. No
-- accessMethod identifiers (the id-ad arc, id-pkix 48) are defined in this
-- module, so a consumer that dispatches on accessMethod has to supply them.
AccessDescription ::= SEQUENCE {
	accessMethod OBJECT IDENTIFIER,
	accessLocation GeneralName
}

AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription

-- RFC 3820 Proxy Certificate Profile

id-pkix-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }

-- Proxy policy language identifiers, 1.3.6.1.5.5.7.21.x.
id-pkix-ppl OBJECT IDENTIFIER ::= { id-pkix 21 }

id-pkix-ppl-anyLanguage OBJECT IDENTIFIER ::= { id-pkix-ppl 0 }
id-pkix-ppl-inheritAll OBJECT IDENTIFIER ::= { id-pkix-ppl 1 }
id-pkix-ppl-independent OBJECT IDENTIFIER ::= { id-pkix-ppl 2 }

-- policy is opaque to this module; its format is defined by policyLanguage.
ProxyPolicy ::= SEQUENCE {
	policyLanguage OBJECT IDENTIFIER,
	policy OCTET STRING OPTIONAL
}

-- pCPathLenConstraint is (0..MAX) in RFC 3820; the 32-bit bound is a local
-- choice, so larger values presumably fail to decode.
ProxyCertInfo ::= SEQUENCE {
	pCPathLenConstraint INTEGER (0..4294967295) OPTIONAL, -- really MAX
	proxyPolicy ProxyPolicy
}

--- U.S. Federal PKI Common Policy Framework
-- Card Authentication key
-- NIST PIV arc, 2.16.840.1.101.3.6.x.
id-uspkicommon-card-id OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 6 }
id-uspkicommon-piv-interim OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 9 1 }

--- Netscape extensions

-- Netscape enterprise arc, 2.16.840.1.113730; cert-comment is 2.16.840.1.113730.1.13.
id-netscape OBJECT IDENTIFIER ::=
	{ joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) }
id-netscape-cert-comment OBJECT IDENTIFIER ::= { id-netscape 1 13 }

--- MS extensions

-- Same value as szOID_ENROLL_CERTTYPE_EXTENSION described above
-- (1.3.6.1.4.1.311.20.2); the extension value is a BMPString (tag 0x1E)
-- naming the certificate template.
id-ms-cert-enroll-domaincontroller OBJECT IDENTIFIER ::=
	{ 1 3 6 1 4 1 311 20 2 }

-- NOTE: despite the name this is not a Microsoft arc; it is the same value
-- as id-pkix-kp-clientAuth above (1.3.6.1.5.5.7.3.2). Consumers matching
-- on either identifier will match the other as well.
id-ms-client-authentication OBJECT IDENTIFIER ::=
	{ 1 3 6 1 5 5 7 3 2 }

-- Sample value of the template extension: tag 0x1e (BMPString), length 0x20
-- (32 octets), followed by "DomainController" in UTF-16BE (16 characters,
-- two octets each).
-- DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72

END