2 -- Definitions from RFCs 2459, 3280, 5280
4 -- Note that those RFCs come with *two* ASN.1 modules, one being a default-
5 -- EXPLICIT tagged module, and the other being default-IMPLICIT. Some types
6 -- are in one module, while others are in the other. Here the two modules
7 -- are merged into a single default-EXPLICIT tagged module, with IMPLICIT added
8 -- to every tag of the types taken from the default-IMPLICIT module.
10 RFC2459 DEFINITIONS ::= BEGIN
12 IMPORTS HEIM_ANY FROM heim
13 PrincipalName, Realm FROM krb5;
14 -- For OtherName we really want to also import:
15 -- KRB5PrincipalName FROM pkinit
16 -- PermanentIdentifier FROM rfc4043
17 -- HardwareModuleName FROM rfc4108;
18 -- But we can't because that creates circular dependencies.
26 id-pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
27 rsadsi(113549) pkcs(1) 1 }
28 id-pkcs1-rsaEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 1 }
29 id-pkcs1-md2WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 2 }
30 id-pkcs1-md5WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 4 }
31 id-pkcs1-sha1WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 5 }
32 id-pkcs1-sha256WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 11 }
33 id-pkcs1-sha384WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 12 }
34 id-pkcs1-sha512WithRSAEncryption OBJECT IDENTIFIER ::= { id-pkcs-1 13 }
36 id-heim-rsa-pkcs1-x509 OBJECT IDENTIFIER ::= { 1 2 752 43 16 1 }
38 id-pkcs-2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
39 rsadsi(113549) pkcs(1) 2 }
40 id-pkcs2-md2 OBJECT IDENTIFIER ::= { id-pkcs-2 2 }
41 id-pkcs2-md4 OBJECT IDENTIFIER ::= { id-pkcs-2 4 }
42 id-pkcs2-md5 OBJECT IDENTIFIER ::= { id-pkcs-2 5 }
44 id-rsa-digestAlgorithm OBJECT IDENTIFIER ::=
45 { iso(1) member-body(2) us(840) rsadsi(113549) 2 }
47 id-rsa-digest-md2 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 2 }
48 id-rsa-digest-md4 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 4 }
49 id-rsa-digest-md5 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 5 }
51 id-pkcs-3 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
52 rsadsi(113549) pkcs(1) 3 }
54 id-pkcs3-rc2-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 2 }
55 id-pkcs3-rc4 OBJECT IDENTIFIER ::= { id-pkcs-3 4 }
56 id-pkcs3-des-ede3-cbc OBJECT IDENTIFIER ::= { id-pkcs-3 7 }
58 id-rsadsi-encalg OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
61 id-rsadsi-rc2-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 2 }
62 id-rsadsi-des-ede3-cbc OBJECT IDENTIFIER ::= { id-rsadsi-encalg 7 }
64 id-secsig-sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
65 oiw(14) secsig(3) algorithm(2) 26 }
67 id-secsig-sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
68 oiw(14) secsig(3) algorithm(2) 29 }
70 id-nistAlgorithm OBJECT IDENTIFIER ::= {
71 joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 }
73 id-nist-aes-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 1 }
75 id-aes-128-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 2 }
76 id-aes-192-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 22 }
77 id-aes-256-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 42 }
79 id-nist-sha-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 2 }
81 id-sha256 OBJECT IDENTIFIER ::= { id-nist-sha-algs 1 }
82 id-sha224 OBJECT IDENTIFIER ::= { id-nist-sha-algs 4 }
83 id-sha384 OBJECT IDENTIFIER ::= { id-nist-sha-algs 2 }
84 id-sha512 OBJECT IDENTIFIER ::= { id-nist-sha-algs 3 }
86 id-dhpublicnumber OBJECT IDENTIFIER ::= {
87 iso(1) member-body(2) us(840) ansi-x942(10046)
92 id-ecPublicKey OBJECT IDENTIFIER ::= {
93 iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
95 id-ecDH OBJECT IDENTIFIER ::= {
96 iso(1) identified-organization(3) certicom(132) schemes(1)
99 id-ecMQV OBJECT IDENTIFIER ::= {
100 iso(1) identified-organization(3) certicom(132) schemes(1)
103 id-ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
104 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
105 ecdsa-with-SHA2(3) 4 }
107 id-ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
108 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
109 ecdsa-with-SHA2(3) 3 }
111 id-ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
112 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
113 ecdsa-with-SHA2(3) 2 }
115 id-ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
116 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
117 ecdsa-with-SHA2(3) 1 }
119 id-ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
120 iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }
124 id-ec-group-secp256r1 OBJECT IDENTIFIER ::= {
125 iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
128 id-ec-group-secp160r1 OBJECT IDENTIFIER ::= {
129 iso(1) identified-organization(3) certicom(132) 0 8 }
131 id-ec-group-secp160r2 OBJECT IDENTIFIER ::= {
132 iso(1) identified-organization(3) certicom(132) 0 30 }
134 id-ec-group-secp224r1 OBJECT IDENTIFIER ::= {
135 iso(1) identified-organization(3) certicom(132) 0 33 }
137 id-ec-group-secp384r1 OBJECT IDENTIFIER ::= {
138 iso(1) identified-organization(3) certicom(132) 0 34 }
140 id-ec-group-secp521r1 OBJECT IDENTIFIER ::= {
141 iso(1) identified-organization(3) certicom(132) 0 35 }
145 id-x9-57 OBJECT IDENTIFIER ::= {
146 iso(1) member-body(2) us(840) ansi-x942(10046) 4 }
148 id-dsa OBJECT IDENTIFIER ::= { id-x9-57 1 }
149 id-dsa-with-sha1 OBJECT IDENTIFIER ::= { id-x9-57 3 }
153 id-x520-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
155 id-at-commonName OBJECT IDENTIFIER ::= { id-x520-at 3 }
156 id-at-surname OBJECT IDENTIFIER ::= { id-x520-at 4 }
157 id-at-serialNumber OBJECT IDENTIFIER ::= { id-x520-at 5 }
158 id-at-countryName OBJECT IDENTIFIER ::= { id-x520-at 6 }
159 id-at-localityName OBJECT IDENTIFIER ::= { id-x520-at 7 }
160 id-at-stateOrProvinceName OBJECT IDENTIFIER ::= { id-x520-at 8 }
161 id-at-streetAddress OBJECT IDENTIFIER ::= { id-x520-at 9 }
162 id-at-organizationName OBJECT IDENTIFIER ::= { id-x520-at 10 }
163 id-at-organizationalUnitName OBJECT IDENTIFIER ::= { id-x520-at 11 }
164 id-at-title OBJECT IDENTIFIER ::= { id-x520-at 12 }
165 id-at-description OBJECT IDENTIFIER ::= { id-x520-at 13 }
166 id-at-name OBJECT IDENTIFIER ::= { id-x520-at 41 }
167 id-at-givenName OBJECT IDENTIFIER ::= { id-x520-at 42 }
168 id-at-initials OBJECT IDENTIFIER ::= { id-x520-at 43 }
169 id-at-generationQualifier OBJECT IDENTIFIER ::= { id-x520-at 44 }
170 id-at-dnQualifier OBJECT IDENTIFIER ::= { id-x520-at 46 }
171 id-at-pseudonym OBJECT IDENTIFIER ::= { id-x520-at 65 }
173 id-Userid OBJECT IDENTIFIER ::=
174 { 0 9 2342 19200300 100 1 1 }
175 id-domainComponent OBJECT IDENTIFIER ::=
176 { 0 9 2342 19200300 100 1 25 }
178 id-at-emailAddress AttributeType ::=
179 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 1 }
185 id-x509-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
187 AlgorithmIdentifier ::= SEQUENCE {
188 algorithm OBJECT IDENTIFIER,
189 parameters HEIM_ANY OPTIONAL
192 AttributeType ::= OBJECT IDENTIFIER
194 AttributeValue ::= HEIM_ANY
196 DirectoryString ::= CHOICE {
198 teletexString TeletexString,
199 printableString PrintableString,
200 universalString UniversalString,
201 utf8String UTF8String,
205 AttributeValues ::= SET OF AttributeValue
207 Attribute ::= SEQUENCE {
209 value AttributeValues
212 AttributeTypeAndValue ::= SEQUENCE {
214 value DirectoryString
217 -- RDNs really should be SET OF SingleAttribute per the RFCs, but making that
218 -- change will affect lib/hx509 code, so we'll wait. The issue is that there
219 -- is code in lib/hx509 and in lib/asn1/check-gen.c that assumes that the
220 -- `value` of an rdn is a `DirectoryString` and not an open type.
222 -- Also, it's really not worth making this change, because a) it would increase
223 -- the amount of code needed in lib/hx509, b) it is useful to be able to assume
224 -- that RDN values are ultimately only strings, c) we don't have any RDN
225 -- attributes that aren't strings, and d) the non-string attributes from TCG that
226 -- are used in SubjectDirectoryAttributes will never be used here (so we hope).
228 -- Until this is fixed, lib/hx509 cannot support name attributes whose type isn't
229 -- DirectoryString. For example, the UID attribute is currently broken, because
230 -- it requires NumericString.
232 RelativeDistinguishedName ::= SET OF AttributeTypeAndValue -- XXX SingleAttribute
234 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
237 rdnSequence RDNSequence
-- RFC 5280 (4.1.2.2) requires conforming CAs to issue a positive serialNumber of
-- at most 20 octets, while relying parties SHOULD still handle non-conforming
-- (negative, zero or longer) values gracefully. The INTEGER here is
-- unconstrained, so neither the sign nor the length bound is enforced at the
-- type level by this module.
240 CertificateSerialNumber ::= INTEGER
244 generalTime GeneralizedTime
247 Validity ::= SEQUENCE {
252 UniqueIdentifier ::= BIT STRING
254 SubjectPublicKeyInfo ::= SEQUENCE {
255 algorithm AlgorithmIdentifier,
256 subjectPublicKey BIT STRING
259 -- XXX Should be _OTHER-NAME ::= _TYPE-IDENTIFIER
260 _OTHER-NAME ::= CLASS {
261 &id OBJECT IDENTIFIER UNIQUE,
265 OtherName{_OTHER-NAME:OtherNameSet} ::= SEQUENCE {
266 type-id _OTHER-NAME.&id({OtherNameSet}),
267 value [0] _OTHER-NAME.&Type({OtherNameSet}{@type-id})
270 _ATTRIBUTE ::= CLASS {
271 &id OBJECT IDENTIFIER UNIQUE,
273 -- &equality-match MATCHING-RULE OPTIONAL,
274 &minCount INTEGER DEFAULT 1,
275 &maxCount INTEGER OPTIONAL
278 SingleAttribute{_ATTRIBUTE:AttrSet} ::= SEQUENCE {
279 type _ATTRIBUTE.&id({AttrSet}),
280 value _ATTRIBUTE.&Type({AttrSet}{@type})
283 AttributeSet{_ATTRIBUTE:AttrSet} ::= SEQUENCE {
284 type _ATTRIBUTE.&id({AttrSet}),
285 values SET --SIZE (1..MAX)-- OF _ATTRIBUTE.&Type({AttrSet}{@type})
288 _EXTENSION ::= CLASS {
289 &id OBJECT IDENTIFIER UNIQUE,
291 &Critical BOOLEAN DEFAULT FALSE
294 Extension{_EXTENSION:ExtensionSet} ::= SEQUENCE {
295 extnID _EXTENSION.&id({ExtensionSet}),
297 -- (EXTENSION.&Critical({ExtensionSet}{@extnID}))
299 extnValue OCTET STRING (CONTAINING
300 _EXTENSION.&ExtnType({ExtensionSet}{@extnID}))
303 Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
305 TBSCertificate ::= SEQUENCE {
306 version [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1,
307 serialNumber CertificateSerialNumber,
308 signature AlgorithmIdentifier,
312 subjectPublicKeyInfo SubjectPublicKeyInfo,
313 issuerUniqueID [1] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
314 -- If present, version shall be v2 or v3
315 subjectUniqueID [2] IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
316 -- If present, version shall be v2 or v3
317 extensions [3] EXPLICIT Extensions OPTIONAL
318 -- If present, version shall be v3
321 Certificate ::= SEQUENCE {
322 tbsCertificate TBSCertificate,
323 signatureAlgorithm AlgorithmIdentifier,
324 signatureValue BIT STRING
327 Certificates ::= SEQUENCE OF Certificate
329 ValidationParms ::= SEQUENCE {
334 DomainParameters ::= SEQUENCE {
335 p INTEGER, -- odd prime, p=jq +1
336 g INTEGER, -- generator, g
337 q INTEGER OPTIONAL, -- factor of p-1
338 j INTEGER OPTIONAL, -- subgroup factor
339 validationParms ValidationParms OPTIONAL -- ValidationParms
342 -- As defined by PKCS3
343 DHParameter ::= SEQUENCE {
344 prime INTEGER, -- odd prime, p=jq +1
345 base INTEGER, -- generator, g
346 privateValueLength INTEGER OPTIONAL
349 DHPublicKey ::= INTEGER
351 GeneralName ::= CHOICE {
352 otherName [0] IMPLICIT OtherName,
353 rfc822Name [1] IMPLICIT IA5String,
354 dNSName [2] IMPLICIT IA5String,
355 -- x400Address [3] IMPLICIT ORAddress,--
356 directoryName [4] IMPLICIT Name,
357 -- ediPartyName [5] IMPLICIT EDIPartyName, --
358 uniformResourceIdentifier [6] IMPLICIT IA5String,
359 iPAddress [7] IMPLICIT OCTET STRING,
360 registeredID [8] IMPLICIT OBJECT IDENTIFIER
363 GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
365 id-x509-ce-keyUsage OBJECT IDENTIFIER ::= { id-x509-ce 15 }
367 KeyUsage ::= BIT STRING {
368 digitalSignature (0),
371 dataEncipherment (3),
379 -- private key usage period extension OID and syntax
381 PrivateKeyUsagePeriod ::= SEQUENCE {
382 notBefore [0] IMPLICIT GeneralizedTime OPTIONAL,
383 notAfter [1] IMPLICIT GeneralizedTime OPTIONAL
384 -- either notBefore or notAfter MUST be present
387 -- certificate policies extension OID and syntax
389 _POLICYQUALIFIERINFO ::= CLASS { -- Heimdal extension
390 &id OBJECT IDENTIFIER UNIQUE,
394 CertPolicyId ::= OBJECT IDENTIFIER
395 PolicyQualifierId ::= OBJECT IDENTIFIER -- ( id-qt-cps | id-qt-unotice )
397 PolicyQualifierInfo{_POLICYQUALIFIERINFO:PolicyQualifierSet} ::= SEQUENCE {
398 policyQualifierId _POLICYQUALIFIERINFO.&id({PolicyQualifierSet}),
399 qualifier _POLICYQUALIFIERINFO.&Type({PolicyQualifierSet}{@policyQualifierId})
402 PolicyQualifierInfos ::= SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo
404 PolicyInformation ::= SEQUENCE {
405 policyIdentifier CertPolicyId,
406 policyQualifiers PolicyQualifierInfos OPTIONAL
409 CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
411 -- CPS pointer qualifier
415 -- user notice qualifier
417 DisplayText ::= CHOICE {
418 ia5String IA5String, --(SIZE (1..200))
419 visibleString VisibleString, --(SIZE (1..200))
420 bmpString BMPString, --(SIZE (1..200))
421 utf8String UTF8String --(SIZE (1..200))
424 NoticeReference ::= SEQUENCE {
425 organization DisplayText,
426 noticeNumbers SEQUENCE OF INTEGER
429 UserNotice ::= SEQUENCE {
430 noticeRef NoticeReference OPTIONAL,
431 explicitText DisplayText OPTIONAL
434 -- policy mapping extension OID and syntax
436 PolicyMapping ::= SEQUENCE {
437 issuerDomainPolicy CertPolicyId,
438 subjectDomainPolicy CertPolicyId
441 PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF PolicyMapping
443 -- subject key identifier OID and syntax
445 id-x509-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 35 }
447 KeyIdentifier ::= OCTET STRING
449 AuthorityKeyIdentifier ::= SEQUENCE {
450 keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL,
451 authorityCertIssuer [1] IMPLICIT -- GeneralName --
452 SEQUENCE -- SIZE (1..MAX) -- OF GeneralName OPTIONAL,
453 authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL
456 id-x509-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-x509-ce 14 }
458 SubjectKeyIdentifier ::= KeyIdentifier
460 id-x509-ce-basicConstraints OBJECT IDENTIFIER ::= { id-x509-ce 19 }
462 BasicConstraints ::= SEQUENCE {
463 cA BOOLEAN DEFAULT FALSE,
464 pathLenConstraint INTEGER (0..4294967295) OPTIONAL
467 id-x509-ce-nameConstraints OBJECT IDENTIFIER ::= { id-x509-ce 30 }
469 BaseDistance ::= INTEGER (0..4294967295)
471 GeneralSubtree ::= SEQUENCE {
473 minimum [0] IMPLICIT BaseDistance DEFAULT 0,
474 maximum [1] IMPLICIT BaseDistance OPTIONAL
477 GeneralSubtrees ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralSubtree
479 NameConstraints ::= SEQUENCE {
480 permittedSubtrees [0] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL,
481 excludedSubtrees [1] IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL
484 id-x509-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-x509-ce 16 }
485 id-x509-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-x509-ce 32 }
486 id-x509-ce-certificatePolicies-anyPolicy OBJECT IDENTIFIER ::= { id-x509-ce-certificatePolicies 0 }
487 id-x509-ce-policyMappings OBJECT IDENTIFIER ::= { id-x509-ce 33 }
488 id-x509-ce-subjectAltName OBJECT IDENTIFIER ::= { id-x509-ce 17 }
489 id-x509-ce-issuerAltName OBJECT IDENTIFIER ::= { id-x509-ce 18 }
490 id-x509-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-x509-ce 9 }
491 id-x509-ce-policyConstraints OBJECT IDENTIFIER ::= { id-x509-ce 36 }
493 id-x509-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-x509-ce 37}
494 id-x509-ce-anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-x509-ce-extKeyUsage 0 }
-- RFC 5280 (4.2.1.12) declares this as
--   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
-- No SIZE constraint is written here, unlike the other SIZE (1..MAX) sequences
-- in this module, so an empty extKeyUsage value is not rejected by this type
-- definition alone.
496 ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER
498 id-x509-ce-cRLReasons OBJECT IDENTIFIER ::= { id-x509-ce 21 }
499 id-x509-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-x509-ce 31 }
500 id-x509-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-x509-ce 27 }
501 id-x509-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-x509-ce 28 }
502 id-x509-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-x509-ce 23 }
503 id-x509-ce-invalidityDate OBJECT IDENTIFIER ::= { id-x509-ce 24 }
504 id-x509-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-x509-ce 29 }
505 id-x509-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-x509-ce 54 }
508 id-heim-ce-pkinit-princ-max-life OBJECT IDENTIFIER ::=
509 { iso(1) member-body(2) se(752) su(43) heim-pkix(16) 4 }
512 DistributionPointReasonFlags ::= BIT STRING {
516 affiliationChanged (3),
518 cessationOfOperation (5),
520 privilegeWithdrawn (7),
524 DistributionPointName ::= CHOICE {
525 fullName [0] IMPLICIT -- GeneralNames -- SEQUENCE SIZE (1..MAX) OF GeneralName,
526 nameRelativeToCRLIssuer [1] RelativeDistinguishedName
529 DistributionPoint ::= SEQUENCE {
530 distributionPoint [0] IMPLICIT DistributionPointName OPTIONAL,
531 reasons [1] IMPLICIT DistributionPointReasonFlags OPTIONAL,
532 cRLIssuer [2] IMPLICIT GeneralNames OPTIONAL
535 CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
540 DSASigValue ::= SEQUENCE {
545 DSAPublicKey ::= INTEGER
547 DSAParams ::= SEQUENCE {
553 -- draft-ietf-pkix-ecc-subpubkeyinfo-11
555 ECPoint ::= OCTET STRING
557 ECParameters ::= CHOICE {
558 namedCurve OBJECT IDENTIFIER
559 -- implicitCurve NULL
560 -- specifiedCurve SpecifiedECDomain
563 ECDSA-Sig-Value ::= SEQUENCE {
570 RSAPublicKey ::= SEQUENCE {
571 modulus INTEGER, -- n
572 publicExponent INTEGER -- e
575 RSAPrivateKey ::= SEQUENCE {
576 version INTEGER (0..4294967295),
577 modulus INTEGER, -- n
578 publicExponent INTEGER, -- e
579 privateExponent INTEGER, -- d
582 exponent1 INTEGER, -- d mod (p-1)
583 exponent2 INTEGER, -- d mod (q-1)
584 coefficient INTEGER -- (inverse of q) mod p
587 DigestInfo ::= SEQUENCE {
588 digestAlgorithm AlgorithmIdentifier,
594 -- szOID_ENROLL_CERTTYPE_EXTENSION "1.3.6.1.4.1.311.20.2" is encoded as a
596 -- UNICODESTRING (tag 0x1E)
598 -- szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" is encoded as:
600 -- TemplateVersion ::= INTEGER (0..4294967295)
602 -- CertificateTemplate ::= SEQUENCE {
603 -- templateID OBJECT IDENTIFIER,
604 -- templateMajorVersion TemplateVersion,
605 -- templateMinorVersion TemplateVersion OPTIONAL
613 TBSCRLCertList ::= SEQUENCE {
614 version Version OPTIONAL, -- if present, MUST be v2
615 signature AlgorithmIdentifier,
618 nextUpdate Time OPTIONAL,
619 revokedCertificates SEQUENCE OF SEQUENCE {
620 userCertificate CertificateSerialNumber,
622 crlEntryExtensions Extensions OPTIONAL
623 -- if present, MUST be v2
625 crlExtensions [0] EXPLICIT Extensions OPTIONAL
626 -- if present, MUST be v2
630 CRLCertificateList ::= SEQUENCE {
631 tbsCertList TBSCRLCertList,
632 signatureAlgorithm AlgorithmIdentifier,
633 signatureValue BIT STRING
636 id-x509-ce-cRLNumber OBJECT IDENTIFIER ::= { id-x509-ce 20 }
637 id-x509-ce-freshestCRL OBJECT IDENTIFIER ::= { id-x509-ce 46 }
638 id-x509-ce-cRLReason OBJECT IDENTIFIER ::= { id-x509-ce 21 }
640 CRLReason ::= ENUMERATED {
644 affiliationChanged (3),
646 cessationOfOperation (5),
649 privilegeWithdrawn (9),
653 PKIXXmppAddr ::= UTF8String
655 SRVName ::= IA5String -- (SIZE (1..MAX)), but our compiler doesn't do that
657 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
658 dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
660 id-pkix-on OBJECT IDENTIFIER ::= { id-pkix 8 }
661 id-pkix-on-xmppAddr OBJECT IDENTIFIER ::= { id-pkix-on 5 }
662 id-pkix-on-dnsSRV OBJECT IDENTIFIER ::= { id-pkix-on 7 }
665 id-pkix-on-hardwareModuleName OBJECT IDENTIFIER ::= { id-pkix-on 4 }
666 HardwareModuleName ::= SEQUENCE {
667 hwType OBJECT IDENTIFIER,
668 hwSerialNum OCTET STRING
671 -- XXX Not really the right name
672 id-pkix-on-pkinit-san OBJECT IDENTIFIER ::=
673 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
675 KRB5PrincipalName ::= SEQUENCE {
677 principalName [1] PrincipalName
681 -- Permanent identifier Object Identifier and Syntax
682 id-pkix-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-pkix-on 3 }
684 PermanentIdentifier ::= SEQUENCE {
685 identifierValue UTF8String OPTIONAL,
686 -- if absent, use the serialNumber attribute
687 -- if there is a single such attribute present
689 assigner OBJECT IDENTIFIER OPTIONAL
690 -- if absent, the assigner is
691 -- the certificate issuer
695 id-pkix-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
696 id-pkix-kp-serverAuth OBJECT IDENTIFIER ::= { id-pkix-kp 1 }
697 id-pkix-kp-clientAuth OBJECT IDENTIFIER ::= { id-pkix-kp 2 }
698 id-pkix-kp-codeSigning OBJECT IDENTIFIER ::= { id-pkix-kp 3 }
699 id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 }
700 id-pkix-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-pkix-kp 5 }
701 id-pkix-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-pkix-kp 6 }
702 id-pkix-kp-ipsecUser OBJECT IDENTIFIER ::= { id-pkix-kp 7 }
703 id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 }
704 id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 }
705 -- The following are taken from RFC7299 and others
706 id-pkix-kp-DVCS OBJECT IDENTIFIER ::= { id-pkix-kp 10 }
707 id-pkix-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-pkix-kp 17 }
708 id-pkix-kp-capwapAC OBJECT IDENTIFIER ::= { id-pkix-kp 18 }
709 id-pkix-kp-capwapWTP OBJECT IDENTIFIER ::= { id-pkix-kp 19 }
710 id-pkix-kp-sipDomain OBJECT IDENTIFIER ::= { id-pkix-kp 20 } -- RFC5924
711 id-pkix-kp-secureShellClient OBJECT IDENTIFIER ::= { id-pkix-kp 21 }
712 id-pkix-kp-secureShellServer OBJECT IDENTIFIER ::= { id-pkix-kp 22 }
713 id-pkix-kp-sendRouter OBJECT IDENTIFIER ::= { id-pkix-kp 23 }
714 id-pkix-kp-sendProxiedRouter OBJECT IDENTIFIER ::= { id-pkix-kp 24 }
715 id-pkix-kp-sendOwner OBJECT IDENTIFIER ::= { id-pkix-kp 25 }
716 id-pkix-kp-sendProxiedOwner OBJECT IDENTIFIER ::= { id-pkix-kp 26 }
717 id-pkix-kp-cmcCA OBJECT IDENTIFIER ::= { id-pkix-kp 27 } -- RFC6402
718 id-pkix-kp-cmcRA OBJECT IDENTIFIER ::= { id-pkix-kp 28 } -- RFC6402
719 id-pkix-kp-cmcArchive OBJECT IDENTIFIER ::= { id-pkix-kp 29 } -- RFC6402
720 id-pkix-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-pkix-kp 30 } -- RFC8209
721 -- The following are MSFT EKUs taken from OpenSSL
722 id-msft OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 311 }
723 id-msft-kp-msCodeInd OBJECT IDENTIFIER ::= { id-msft 2 1 21 }
724 id-msft-kp-msCodeCom OBJECT IDENTIFIER ::= { id-msft 2 1 22 }
725 id-msft-kp-msCTLSign OBJECT IDENTIFIER ::= { id-msft 10 3 1 }
726 id-msft-kp-msSGC OBJECT IDENTIFIER ::= { id-msft 10 3 3 }
727 id-msft-kp-msEFS OBJECT IDENTIFIER ::= { id-msft 10 3 4 }
728 id-msft-kp-msSmartcardLogin OBJECT IDENTIFIER ::= { id-msft 20 2 2 }
729 id-msft-kp-msUPN OBJECT IDENTIFIER ::= { id-msft 20 2 3 }
731 id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
732 id-pkix-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 1 }
734 AccessDescription ::= SEQUENCE {
735 accessMethod OBJECT IDENTIFIER,
736 accessLocation GeneralName
739 AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
741 -- RFC 3820 Proxy Certificate Profile
743 id-pkix-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
745 id-pkix-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 11 }
747 SubjectInfoAccessSyntax ::=
748 SEQUENCE SIZE (1..MAX) OF AccessDescription
750 id-pkix-ppl OBJECT IDENTIFIER ::= { id-pkix 21 }
752 id-pkix-ppl-anyLanguage OBJECT IDENTIFIER ::= { id-pkix-ppl 0 }
753 id-pkix-ppl-inheritAll OBJECT IDENTIFIER ::= { id-pkix-ppl 1 }
754 id-pkix-ppl-independent OBJECT IDENTIFIER ::= { id-pkix-ppl 2 }
756 ProxyPolicy ::= SEQUENCE {
757 policyLanguage OBJECT IDENTIFIER,
758 policy OCTET STRING OPTIONAL
761 ProxyCertInfo ::= SEQUENCE {
762 pCPathLenConstraint INTEGER (0..4294967295) OPTIONAL, -- really MAX
763 proxyPolicy ProxyPolicy
768 -- See tcg.asn1 for commentary.
771 tcg OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) international-organizations(23) tcg(133)}
772 tcg-attribute OBJECT IDENTIFIER ::= {tcg 2}
773 tcg-kp OBJECT IDENTIFIER ::= {tcg 8}
776 tcg-at-tpmManufacturer OBJECT IDENTIFIER ::= {tcg-attribute 1}
777 tcg-at-tpmModel OBJECT IDENTIFIER ::= {tcg-attribute 2}
778 tcg-at-tpmVersion OBJECT IDENTIFIER ::= {tcg-attribute 3}
779 tcg-at-tpmSpecification OBJECT IDENTIFIER ::= {tcg-attribute 16}
780 tcg-at-tpmSecurityAssertions OBJECT IDENTIFIER ::= {tcg-attribute 18}
782 --TCG Attribute objects
783 at-TPMSecurityAssertions _ATTRIBUTE ::= { &Type TPMSecurityAssertions, &id tcg-at-tpmSecurityAssertions }
784 at-TPMManufacturer _ATTRIBUTE ::= { &Type AliasUTF8String, --(SIZE (1..STRMAX))-- &id tcg-at-tpmManufacturer }
785 at-TPMModel _ATTRIBUTE ::= { &Type AliasUTF8String, --(SIZE (1..STRMAX))-- &id tcg-at-tpmModel }
786 at-TPMVersion _ATTRIBUTE ::= { &Type AliasUTF8String, --(SIZE (1..STRMAX))-- &id tcg-at-tpmVersion }
787 at-TPMSpecification _ATTRIBUTE ::= { &Type TPMSpecification, &id tcg-at-tpmSpecification }
789 --TCG Extended Key Usage OIDs
790 tcg-kp-EKCertificate OBJECT IDENTIFIER ::= {tcg-kp 1}
792 -- OIDs not in the module in TCG_IWG_EKCredentialProfile_v2p3_r2_pub but in
793 -- TCG_IWG_DevID_v1r2_02dec2020 (missing arc names not mentioned in the TCG
795 tcg-tpm20 OBJECT IDENTIFIER ::= {tcg 1 2} -- this OID is not named in the TCG specs
796 tcg-on-ekPermIdSha256 OBJECT IDENTIFIER ::= {tcg 12 1} -- assigner value for PermanentIdentifier SAN
797 tcg-cap-verifiedTPMResidency OBJECT IDENTIFIER ::= {tcg 11 1 1} -- policy OID
798 tcg-cap-verifiedTPMFixed OBJECT IDENTIFIER ::= {tcg 11 1 2} -- policy OID
799 tcg-cap-verifiedTPMRestricted OBJECT IDENTIFIER ::= {tcg 11 1 3} -- policy OID
801 EKGenerationType ::= ENUMERATED {
804 ekgt-internalRevocable(2),
805 ekgt-injectedRevocable(3)
807 EKGenerationLocation ::= ENUMERATED {
809 platformManufacturer (1),
812 EKCertificateGenerationLocation ::= EKGenerationLocation -- XXX
813 EvaluationAssuranceLevel ::= ENUMERATED {
822 SecurityLevel ::= ENUMERATED {
828 StrengthOfFunction ::= ENUMERATED {
833 URIReference ::= SEQUENCE {
834 uniformResourceIdentifier IA5String, -- (SIZE (1..URIMAX))
835 hashAlgorithm AlgorithmIdentifier OPTIONAL,
836 hashValue BIT STRING OPTIONAL
838 EvaluationStatus ::= ENUMERATED {
840 evaluationInProgress (1),
841 evaluationCompleted (2)
844 --tcg specification attributes for tpm
845 TPMSpecification ::= SEQUENCE {
846 family UTF8String, -- (SIZE (1..STRMAX))
847 level INTEGER (0..4294967295),
848 revision INTEGER (0..4294967295),
853 --common criteria evaluation
854 CommonCriteriaMeasures ::= SEQUENCE {
855 version IA5String, -- (SIZE (1..STRMAX)) “2.2” or “3.1”;future syntax defined by CC
856 assurancelevel EvaluationAssuranceLevel,
857 evaluationStatus EvaluationStatus,
858 plus BOOLEAN DEFAULT FALSE,
859 strengthOfFunction [0] IMPLICIT StrengthOfFunction OPTIONAL,
860 profileOid [1] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
861 profileUri [2] IMPLICIT URIReference OPTIONAL,
862 targetOid [3] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
863 targetUri [4] IMPLICIT URIReference OPTIONAL,
868 FIPSLevel ::= SEQUENCE {
869 version IA5String, -- (SIZE (1..STRMAX)) “140-1” or “140-2”
871 plus BOOLEAN DEFAULT FALSE,
875 --tpm security assertions
876 TPMVersion ::= INTEGER { tpm-v1(0) }
877 TPMSecurityAssertions ::= SEQUENCE {
878 version TPMVersion DEFAULT 0, -- v1
879 fieldUpgradable BOOLEAN DEFAULT FALSE,
880 -- The TCG EK cert profile spec says all these context tags are IMPLICIT,
881 -- but samples in the field have them as EXPLICIT.
882 ekGenerationType [0] EXPLICIT EKGenerationType OPTIONAL,
883 ekGenerationLocation [1] EXPLICIT EKGenerationLocation OPTIONAL,
884 ekCertificateGenerationLocation [2] EXPLICIT EKCertificateGenerationLocation OPTIONAL,
885 ccInfo [3] EXPLICIT CommonCriteriaMeasures OPTIONAL,
886 fipsLevel [4] EXPLICIT FIPSLevel OPTIONAL,
887 iso9000Certified [5] EXPLICIT BOOLEAN DEFAULT FALSE,
888 iso9000Uri IA5String OPTIONAL, -- (SIZE (1..URIMAX))
892 -- Back to OtherName, SingleAttribute, AttributeSet, and Extension
894 -- XXX Not really the right name for this OID:
895 id-pkix-on-pkinit-ms-san OBJECT IDENTIFIER ::=
896 { iso(1) org(3) dod(6) internet(1) private(4)
897 enterprise(1) microsoft(311) 20 2 3 }
899 -- XXX Work around a bug (the template backend does not know the names of
900 -- universal types) by creating aliases for the universal types we use in IOS
902 AliasUTF8String ::= UTF8String
-- NOTE(review): despite its name, this alias is a UTF8String, not an IA5String.
-- The two are distinct universal types with different tags (UTF8String is
-- UNIVERSAL 12, IA5String is UNIVERSAL 22), so where on-dnsSRV,
-- at-domainComponent and at-emailAddress below use this alias, a value encoded
-- as IA5String per the RFCs would not carry the tag this alias would be expected
-- to match. on-dnsSRV in particular uses this alias rather than SRVName, which
-- is declared above as IA5String. Confirm whether UTF8String here is deliberate.
903 AliasIA5String ::= UTF8String
904 AliasPrintableString ::= PrintableString
905 on-xmppAddr _OTHER-NAME ::= { &id id-pkix-on-xmppAddr, &Type AliasUTF8String }
906 on-dnsSRV _OTHER-NAME ::= { &id id-pkix-on-dnsSRV, &Type AliasIA5String }
907 on-hardwareModuleName _OTHER-NAME ::= {
908 &id id-pkix-on-hardwareModuleName,
909 &Type HardwareModuleName
911 on-permanentIdentifier _OTHER-NAME ::= {
912 &id id-pkix-on-permanentIdentifier,
913 &Type PermanentIdentifier
915 on-krb5PrincipalName _OTHER-NAME ::= {
916 &id id-pkix-on-pkinit-san,
917 &Type KRB5PrincipalName
919 on-pkinit-ms-san _OTHER-NAME ::= {
920 &id id-pkix-on-pkinit-ms-san,
921 &Type AliasUTF8String
924 KnownOtherNameTypes _OTHER-NAME ::= {
927 | on-hardwareModuleName
928 | on-permanentIdentifier
929 | on-krb5PrincipalName
933 OtherName ::= OtherName{KnownOtherNameTypes}
935 X520name ::= DirectoryString --{ub-name}
936 X520CommonName ::= DirectoryString --{ub-common-name}
937 X520LocalityName ::= DirectoryString --{ub-locality-name}
938 X520OrganizationName ::= DirectoryString --{ub-organization-name}
939 X520StateOrProvinceName ::= DirectoryString --{ub-state-name}
940 X520OrganizationalUnitName ::= DirectoryString --{ub-organizational-unit-name}
942 at-name _ATTRIBUTE ::= { &Type X520name, &id id-at-name }
943 at-surname _ATTRIBUTE ::= { &Type X520name, &id id-at-surname }
944 at-givenName _ATTRIBUTE ::= { &Type X520name, &id id-at-givenName }
945 at-initials _ATTRIBUTE ::= { &Type X520name, &id id-at-initials }
946 at-generationQualifier _ATTRIBUTE ::= { &Type X520name, &id id-at-generationQualifier }
947 at-x520CommonName _ATTRIBUTE ::= {&Type X520CommonName, &id id-at-commonName }
948 at-x520LocalityName _ATTRIBUTE ::= { &Type X520LocalityName, &id id-at-localityName }
949 at-x520StateOrProvinceName _ATTRIBUTE ::= { &Type DirectoryString --{ub-state-name}--, &id id-at-stateOrProvinceName }
950 at-x520OrganizationName _ATTRIBUTE ::= { &Type DirectoryString --{ub-organization-name}--, &id id-at-organizationName }
951 at-x520OrganizationalUnitName _ATTRIBUTE ::= { &Type DirectoryString --{ub-organizational-unit-name}--, &id id-at-organizationalUnitName }
952 at-x520Title _ATTRIBUTE ::= { &Type DirectoryString --{ub-title}--, &id id-at-title }
953 at-x520dnQualifier _ATTRIBUTE ::= { &Type AliasPrintableString, &id id-at-dnQualifier }
954 at-x520countryName _ATTRIBUTE ::= { &Type AliasPrintableString --(SIZE (2))--, &id id-at-countryName }
955 at-x520SerialNumber _ATTRIBUTE ::= {&Type AliasPrintableString --(SIZE (1..ub-serial-number))--, &id id-at-serialNumber }
956 at-x520Pseudonym _ATTRIBUTE ::= { &Type DirectoryString --{ub-pseudonym}--, &id id-at-pseudonym }
957 at-domainComponent _ATTRIBUTE ::= { &Type AliasIA5String, &id id-domainComponent }
958 at-emailAddress _ATTRIBUTE ::= { &Type AliasIA5String --(SIZE (1..ub-emailaddress-length))--, &id id-at-emailAddress }
960 SupportedAttributes _ATTRIBUTE ::= {
965 | at-generationQualifier
967 | at-x520LocalityName
968 | at-x520StateOrProvinceName
969 | at-x520OrganizationName
970 | at-x520OrganizationalUnitName
974 | at-x520SerialNumber
978 | at-TPMSecurityAssertions
982 | at-TPMSpecification
985 SingleAttribute ::= SingleAttribute{SupportedAttributes}
986 AttributeSet ::= AttributeSet{SupportedAttributes}
987 SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF AttributeSet
989 ext-AuthorityKeyIdentifier _EXTENSION ::= {
990 &id id-x509-ce-authorityKeyIdentifier,
992 &ExtnType AuthorityKeyIdentifier
994 ext-KeyUsage _EXTENSION ::= {
995 &id id-x509-ce-keyUsage,
999 ext-SubjectKeyIdentifier _EXTENSION ::= {
1000 &id id-x509-ce-subjectKeyIdentifier,
1002 &ExtnType SubjectKeyIdentifier
1004 ext-PrivateKeyUsagePeriod _EXTENSION ::= {
1005 &id id-x509-ce-privateKeyUsagePeriod,
1007 &ExtnType PrivateKeyUsagePeriod
1009 ext-CertificatePolicies _EXTENSION ::= {
1010 &id id-x509-ce-certificatePolicies,
1012 &ExtnType CertificatePolicies
1014 ext-PolicyMappings _EXTENSION ::= {
1015 &id id-x509-ce-policyMappings,
1017 &ExtnType PolicyMappings
1019 ext-SubjectAltName _EXTENSION ::= {
1020 &id id-x509-ce-subjectAltName,
1022 &ExtnType GeneralNames
1024 ext-IssuerAltName _EXTENSION ::= {
1025 &id id-x509-ce-issuerAltName,
1027 &ExtnType GeneralNames
1029 ext-SubjectDirectoryAttributes _EXTENSION ::= {
1030 &id id-x509-ce-subjectDirectoryAttributes,
1032 &ExtnType SubjectDirectoryAttributes
1034 ext-BasicConstraints _EXTENSION ::= {
1035 &id id-x509-ce-basicConstraints,
1037 &ExtnType BasicConstraints
1039 ext-NameConstraints _EXTENSION ::= {
1040 &id id-x509-ce-nameConstraints,
1042 &ExtnType NameConstraints
-- Certificate-count type used by PolicyConstraints (requireExplicitPolicy /
-- inhibitPolicyMapping).  Bounded here to the unsigned 32-bit range rather
-- than RFC 5280's INTEGER (0..MAX); presumably the compiler maps it to a
-- 32-bit unsigned type and rejects larger encoded values -- TODO confirm.
1044 SkipCerts ::= INTEGER (0..4294967295)
1045 PolicyConstraints ::= SEQUENCE {
1046 requireExplicitPolicy [0] IMPLICIT SkipCerts OPTIONAL,
1047 inhibitPolicyMapping [1] IMPLICIT SkipCerts OPTIONAL
1049 ext-PolicyConstraints _EXTENSION ::= {
1050 &id id-x509-ce-policyConstraints,
1052 &ExtnType PolicyConstraints
1054 ext-ExtKeyUsage _EXTENSION ::= {
1055 &id id-x509-ce-extKeyUsage,
1057 &ExtnType ExtKeyUsage
1059 ext-CRLDistributionPoints _EXTENSION ::= {
1060 &id id-x509-ce-cRLDistributionPoints,
1062 &ExtnType CRLDistributionPoints
1064 ext-InhibitAnyPolicy _EXTENSION ::= {
1065 &id id-x509-ce-inhibitAnyPolicy,
1069 ext-FreshestCRL _EXTENSION ::= {
1070 &id id-x509-ce-freshestCRL,
1072 &ExtnType CRLDistributionPoints
1074 ext-AuthorityInfoAccess _EXTENSION ::= {
1075 &id id-pkix-pe-authorityInfoAccess,
1077 &ExtnType AuthorityInfoAccessSyntax
1079 ext-SubjectInfoAccessSyntax _EXTENSION ::= {
1080 &id id-pkix-pe-subjectInfoAccess,
1082 &ExtnType SubjectInfoAccessSyntax
1084 ext-ProxyCertInfo _EXTENSION ::= {
1085 &id id-pkix-pe-proxyCertInfo,
1087 &ExtnType ProxyCertInfo
-- Heimdal-private PKINIT extension payload (ext-HeimPkinitPrincMaxLife):
-- a maximum principal lifetime, nominally in seconds per the name, bounded
-- to the unsigned 32-bit range.
1089 HeimPkinitPrincMaxLifeSecs ::= INTEGER (0..4294967295)
1090 ext-HeimPkinitPrincMaxLife _EXTENSION ::= {
1091 &id id-heim-ce-pkinit-princ-max-life,
1093 &ExtnType HeimPkinitPrincMaxLifeSecs
1095 CertExtensions _EXTENSION ::= {
1096 ext-AuthorityKeyIdentifier
1097 | ext-SubjectKeyIdentifier
1099 | ext-PrivateKeyUsagePeriod
1100 | ext-CertificatePolicies
1101 | ext-PolicyMappings
1102 | ext-SubjectAltName
1104 | ext-SubjectDirectoryAttributes
1105 | ext-BasicConstraints
1106 | ext-NameConstraints
1107 | ext-PolicyConstraints
1109 | ext-CRLDistributionPoints
1110 | ext-InhibitAnyPolicy
1112 | ext-AuthorityInfoAccess
1113 | ext-SubjectInfoAccessSyntax
1115 | ext-HeimPkinitPrincMaxLife
-- Instantiate the parameterized Extension type over the CertExtensions
-- object set.  NOTE(review): an extension whose OID is not in that set is
-- presumably still decoded with an opaque extnValue rather than rejected, so
-- the "reject unrecognised critical extensions" rule of RFC 5280 has to be
-- applied by the certificate-validation code, not by this decoder -- confirm.
1118 Extension ::= Extension { CertExtensions }
1120 --- U.S. Federal PKI Common Policy Framework
1121 -- Card Authentication key
-- U.S. Federal PKI Common Policy: card-authentication and PIV interim OIDs
-- (arc 2.16.840.1.101.3.6).  Only the identifiers are defined here.
1122 id-uspkicommon-card-id OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 6 }
1123 id-uspkicommon-piv-interim OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 9 1 }
--- Netscape extensions
-- Netscape enterprise arc (2.16.840.1.113730); only the free-text
-- certificate-comment extension OID is defined here, with no type attached.
1127 id-netscape OBJECT IDENTIFIER ::=
1128 { joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) }
1129 id-netscape-cert-comment OBJECT IDENTIFIER ::= { id-netscape 1 13 }
-- Microsoft enterprise arc (1.3.6.1.4.1.311): certificate-enrollment
-- (template name) OID; the associated DER value is given in the comment below.
1133 id-ms-cert-enroll-domaincontroller OBJECT IDENTIFIER ::=
1134 { 1 3 6 1 4 1 311 20 2 }
1136 -- This is a duplicate of id-pkix-kp-clientAuth
1137 -- id-ms-client-authentication OBJECT IDENTIFIER ::=
1138 -- { 1 3 6 1 5 5 7 3 2 }
1140 -- DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72
-- i.e. a BMPString (tag 0x1e, length 0x20 = 32 bytes) holding "DomainController"
-- in UTF-16BE -- presumably the value carried with id-ms-cert-enroll-domaincontroller.
-- Upper bounds (ub-*) per RFC 5280 Appendix A.  The first group are the
-- X.520 naming-attribute bounds; the *-length group are the ORAddress (X.400)
-- bounds.  The two families do not always agree for the same attribute, e.g.
-- ub-organizational-unit-name (64) vs ub-organizational-unit-name-length (32).
--
-- NOTE(review): these values are informational only in this module.  The
-- SIZE constraints that would reference them are written as --...-- comments
-- in the at-* attribute definitions, so the generated decoder enforces none
-- of them.  Code that copies a decoded attribute into fixed-size storage, or
-- assumes e.g. a 2-character countryName, must check the length itself.
1144 ub-name INTEGER ::= 32768
1145 ub-common-name INTEGER ::= 64
1146 ub-locality-name INTEGER ::= 128
1147 ub-state-name INTEGER ::= 128
1148 ub-organization-name INTEGER ::= 64
1149 ub-organizational-unit-name INTEGER ::= 64
1150 ub-title INTEGER ::= 64
1151 ub-serial-number INTEGER ::= 64
1152 ub-match INTEGER ::= 128
1153 ub-emailaddress-length INTEGER ::= 255
1154 ub-common-name-length INTEGER ::= 64
1155 ub-country-name-alpha-length INTEGER ::= 2
1156 ub-country-name-numeric-length INTEGER ::= 3
-- ORAddress (X.400) bounds follow.
1157 ub-domain-defined-attributes INTEGER ::= 4
1158 ub-domain-defined-attribute-type-length INTEGER ::= 8
1159 ub-domain-defined-attribute-value-length INTEGER ::= 128
1160 ub-domain-name-length INTEGER ::= 16
1161 ub-extension-attributes INTEGER ::= 256
1162 ub-e163-4-number-length INTEGER ::= 15
1163 ub-e163-4-sub-address-length INTEGER ::= 40
1164 ub-generation-qualifier-length INTEGER ::= 3
1165 ub-given-name-length INTEGER ::= 16
1166 ub-initials-length INTEGER ::= 5
1167 ub-integer-options INTEGER ::= 256
1168 ub-numeric-user-id-length INTEGER ::= 32
1169 ub-organization-name-length INTEGER ::= 64
1170 ub-organizational-unit-name-length INTEGER ::= 32
1171 ub-organizational-units INTEGER ::= 4
1172 ub-pds-name-length INTEGER ::= 16
1173 ub-pds-parameter-length INTEGER ::= 30
1174 ub-pds-physical-address-lines INTEGER ::= 6
1175 ub-postal-code-length INTEGER ::= 16
1176 ub-pseudonym INTEGER ::= 128
1177 ub-surname-length INTEGER ::= 40
1178 ub-terminal-id-length INTEGER ::= 24
1179 ub-unformatted-address-length INTEGER ::= 180
1180 ub-x121-address-length INTEGER ::= 16
1182 -- Miscellaneous OIDs from RFC 5280; the ASN.1 types that use them still need to be added.
1184 -- Policy qualifiers
-- Certificate-policy qualifier OIDs (id-pkix 2): a CPS pointer (URI) and a
-- user notice.  Both carry text taken from the certificate; see the
-- pq-* / PolicyQualifierInfo definitions below for the attached types.
1185 id-pkix-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
1186 id-pkix-qt-cps OBJECT IDENTIFIER ::= { id-pkix-qt 1 }
1187 id-pkix-qt-unotice OBJECT IDENTIFIER ::= { id-pkix-qt 2 }
-- Access-description method OIDs (id-pkix 48), used as accessMethod values in
-- the AuthorityInfoAccess / SubjectInfoAccess extensions (ext-* above).
-- NOTE(review): the accessLocation paired with these in a certificate is
-- attacker-controlled; a validator that fetches OCSP/caIssuers URLs from an
-- untrusted certificate must treat them as untrusted network targets.
1190 id-pkix-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
1191 id-pkix-ad-ocsp OBJECT IDENTIFIER ::= { id-pkix-ad 1 }
1192 id-pkix-ad-caIssuers OBJECT IDENTIFIER ::= { id-pkix-ad 2 }
1193 id-pkix-ad-timeStamping OBJECT IDENTIFIER ::= { id-pkix-ad 3 }
1194 id-pkix-ad-caRepository OBJECT IDENTIFIER ::= { id-pkix-ad 5 }
1196 pq-CPS _POLICYQUALIFIERINFO ::= {
1198 &Type AliasIA5String
1200 pq-UserNotice _POLICYQUALIFIERINFO ::= {
1201 &id id-pkix-qt-unotice,
1204 KnownPolicyQualifiers _POLICYQUALIFIERINFO ::= {
-- Instantiate PolicyQualifierInfo over the KnownPolicyQualifiers object set
-- (CPS pointer and user notice, defined above).  The qualifier text comes
-- straight from the certificate and should be treated as untrusted input by
-- anything that displays or logs it.
1208 PolicyQualifierInfo ::= PolicyQualifierInfo{KnownPolicyQualifiers}