X.509 v3 Certificate ASN.1
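AuthenticationFramework {joint-iso-ccitt ds(5) modules(1) authenticationFramework(7) 2}
DEFINITIONS ::=
BEGIN
-- EXPORTS All --
-- The types and values defined in this module are exported for use in the other ASN.1
-- modules contained within the Directory Specifications, and for the use of other applications
-- which will use them to access Directory services. Other applications may use them for
-- their own purposes, but this will not constrain extensions and modifications needed to
-- maintain or improve the Directory service.
--
-- Transcription repairs in this copy: every comment uses the ASN.1 "--" marker, the
-- IMPORTS list is comma-separated, the SIGNED/SEQUENCE braces of Certificate and SIGNED
-- are balanced, the Extension SEQUENCE is closed, AlgorithmIdentifier is spelled the way
-- every reference spells it (type references are case-sensitive), and the parameterized
-- types use "::=" and "CONSTRAINED BY".
IMPORTS
  id-at, informationFramework, upperBounds, selectedAttributeTypes, basicAccessControl
    FROM UsefulDefinitions {joint-iso-ccitt ds(5) modules(1) usefulDefinitions(0) 2}
  Name, ATTRIBUTE
    FROM InformationFramework informationFramework
  ub-user-password
    FROM UpperBounds upperBounds
  AuthenticationLevel
    FROM BasicAccessControl basicAccessControl
  UniqueIdentifier
    FROM SelectedAttributeTypes selectedAttributeTypes ;

-- types --

-- A certificate is the to-be-signed SEQUENCE below wrapped by SIGNED, i.e. followed in the
-- encoding by a second AlgorithmIdentifier and the signature value (see SIGNED and
-- SIGNATURE at the end of this module). The inner "signature" field therefore appears
-- twice in a certificate.
-- NOTE(review): a verifier should refuse a certificate whose inner "signature" and outer
-- SIGNATURE AlgorithmIdentifier disagree; the exact rule comes from the profile in use,
-- not from this module, so confirm it there.
-- Under DER a "version" equal to its DEFAULT (v1) is omitted from the encoding.
Certificate ::= SIGNED { SEQUENCE {
  version                 [0] Version DEFAULT v1,
  serialNumber            CertificateSerialNumber,
  signature               AlgorithmIdentifier,
  issuer                  Name,
  validity                Validity,
  subject                 Name,
  subjectPublicKeyInfo    SubjectPublicKeyInfo,
  issuerUniqueIdentifier  [1] IMPLICIT UniqueIdentifier OPTIONAL,
  -- if present, version must be v2 or v3 (the field does not exist in v1) --
  subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
  -- if present, version must be v2 or v3 (the field does not exist in v1) --
  extensions              [3] Extensions OPTIONAL
  -- if present, version must be v3 -- } }

Version ::= INTEGER { v1(0), v2(1), v3(2) }

-- No size constraint is given here: decoders must not assume a fixed-width or
-- non-negative serial number from the type alone.
CertificateSerialNumber ::= INTEGER

-- The "parameters" component is typed by the object selected through "algorithm";
-- until SupportedAlgorithms is defined, any ALGORITHM.&Type is syntactically allowed.
AlgorithmIdentifier ::= SEQUENCE {
  algorithm   ALGORITHM.&id ({SupportedAlgorithms}),
  parameters  ALGORITHM.&Type ({SupportedAlgorithms}{@algorithm}) OPTIONAL }
-- Definition of the following information object set is deferred, perhaps to standardized
-- profiles or to protocol implementation conformance statements. This set is required to
-- specify a table constraint on the parameters component of AlgorithmIdentifier.
-- SupportedAlgorithms ALGORITHM ::= { ... | ... }

Validity ::= SEQUENCE {
  notBefore  ChoiceOfTime,
  notAfter   ChoiceOfTime }

-- NOTE(review): UTCTime carries only a two-digit year; the century convention is not
-- stated in this module, so confirm the profile's rule before ordering a utcTime
-- against a generalTime value.
ChoiceOfTime ::= CHOICE {
  utcTime      UTCTime,
  generalTime  GeneralizedTime }

SubjectPublicKeyInfo ::= SEQUENCE {
  algorithm         AlgorithmIdentifier,
  subjectPublicKey  BIT STRING }

Extensions ::= SEQUENCE OF Extension

-- Under DER a "critical" equal to its DEFAULT (FALSE) is omitted from the encoding; an
-- explicit FALSE on the wire is a sign of a non-DER encoder.
-- NOTE(review): extnValue is an opaque OCTET STRING holding a nested DER value that must
-- be decoded according to extnId; what a relying party does with an unrecognised extnId
-- marked critical is defined by the profile, not here, so confirm it there.
Extension ::= SEQUENCE {
  extnId     EXTENSION.&id ({ExtensionSet}),
  critical   BOOLEAN DEFAULT FALSE,
  extnValue  OCTET STRING
  -- contains a DER encoding of a value of type &ExtnType for the
  -- extension object identified by extnId -- }
-- Definition of the following information object set is deferred, perhaps to
-- standardized profiles or to protocol implementation conformance statements.
-- The set is required to specify a table constraint on the critical component
-- of Extension.
-- ExtensionSet EXTENSION ::= { ... | ... }

EXTENSION ::= CLASS {
  &id        OBJECT IDENTIFIER UNIQUE,
  &ExtnType }
WITH SYNTAX {
  SYNTAX        &ExtnType
  IDENTIFIED BY &id }

Certificates ::= SEQUENCE {
  certificate        Certificate,
  certificationPath  ForwardCertificationPath OPTIONAL }

ForwardCertificationPath ::= SEQUENCE OF CrossCertificates

CertificationPath ::= SEQUENCE {
  userCertificate    Certificate,
  theCACertificates  SEQUENCE OF CertificatePair OPTIONAL }

CrossCertificates ::= SET OF Certificate

-- A revocation list, signed the same way as a certificate. Each entry identifies the
-- revoked certificate by serial number only; the issuer is the one named in the list.
-- NOTE(review): nextUpdate is OPTIONAL, so a list without it gives the relying party no
-- freshness bound from the structure itself; the profile in use decides how such a list
-- is treated.
CertificateList ::= SIGNED { SEQUENCE {
  version              Version OPTIONAL,  -- if present, must be v2 --
  signature            AlgorithmIdentifier,
  issuer               Name,
  thisUpdate           ChoiceOfTime,
  nextUpdate           ChoiceOfTime OPTIONAL,
  revokedCertificates  SEQUENCE OF SEQUENCE {
    userCertificate     CertificateSerialNumber,
    revocationDate      ChoiceOfTime,
    crlEntryExtensions  Extensions OPTIONAL } OPTIONAL,
  crlExtensions        [0] Extensions OPTIONAL } }

CertificatePair ::= SEQUENCE {
  forward  [0] Certificate OPTIONAL,
  reverse  [1] Certificate OPTIONAL
  -- at least one of the pair shall be present -- }

-- attribute types --

-- NOTE(review): the syntax is a plain bounded OCTET STRING; nothing in this module says
-- the stored value is hashed, so treat the attribute value as a secret in storage and
-- transit and confirm the deployment's handling of it.
userPassword ATTRIBUTE ::= {
  WITH SYNTAX             OCTET STRING (SIZE (0..ub-user-password))
  EQUALITY MATCHING RULE  octetStringMatch
  ID                      id-at-userPassword }

userCertificate ATTRIBUTE ::= {
  WITH SYNTAX  Certificate
  ID           id-at-userCertificate }

-- ID spelled exactly as assigned in the object identifier section below.
cACertificate ATTRIBUTE ::= {
  WITH SYNTAX  Certificate
  ID           id-at-cAcertificate }

authorityRevocationList ATTRIBUTE ::= {
  WITH SYNTAX  CertificateList
  ID           id-at-authorityRevocationList }

certificateRevocationList ATTRIBUTE ::= {
  WITH SYNTAX  CertificateList
  ID           id-at-certificateRevocationList }

crossCertificatePair ATTRIBUTE ::= {
  WITH SYNTAX  CertificatePair
  ID           id-at-crossCertificatePair }

-- information object classes --
ALGORITHM ::= TYPE-IDENTIFIER

-- Parameterized Types --

-- HASHED is defined over the DER octets of its argument; ENCRYPTED over the BER octets,
-- as the original text states. Both are constraints on content, not new encodings.
HASHED {ToBeHashed} ::= OCTET STRING ( CONSTRAINED BY {
  -- must be the result of applying a hashing procedure to the --
  -- DER-encoded octets of a value of -- ToBeHashed })

ENCRYPTED {ToBeEnciphered} ::= BIT STRING ( CONSTRAINED BY {
  -- must be the result of applying an encipherment procedure to the --
  -- BER-encoded octets of a value of -- ToBeEnciphered })

-- SIGNED { X } encodes as SEQUENCE { X, AlgorithmIdentifier, BIT STRING } because the
-- components of SIGNATURE are spliced in with COMPONENTS OF.
SIGNED {ToBeSigned} ::= SEQUENCE {
  ToBeSigned,
  COMPONENTS OF SIGNATURE {ToBeSigned} }

SIGNATURE {OfSignature} ::= SEQUENCE {
  AlgorithmIdentifier,
  ENCRYPTED { HASHED { OfSignature } } }

-- object identifier assignments --
id-at-userPassword              OBJECT IDENTIFIER ::= {id-at 35}
id-at-userCertificate           OBJECT IDENTIFIER ::= {id-at 36}
id-at-cAcertificate             OBJECT IDENTIFIER ::= {id-at 37}
id-at-authorityRevocationList   OBJECT IDENTIFIER ::= {id-at 38}
id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39}
id-at-crossCertificatePair      OBJECT IDENTIFIER ::= {id-at 40}
id-at-supportedAlgorithms       OBJECT IDENTIFIER ::= {id-at 52}
id-at-deltaRevocationList       OBJECT IDENTIFIER ::= {id-at 53}
END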