12. ASN.1 Module for RFC 5272
EnrollmentMessageSyntax-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53)} DEFINITIONS IMPLICIT TAGS ::= BEGIN EXPORTS ALL; IMPORTS AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE FROM PKIX-CommonTypes-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} AlgorithmIdentifier{}, DIGEST-ALGORITHM, KEY-WRAP, KEY-DERIVATION, MAC-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY FROM AlgorithmInformation-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58)} CertificateSerialNumber, GeneralName, CRLReason, ReasonFlags, CertExtensions FROM PKIX1Implicit-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} Name, id-pkix, PublicKeyAlgorithms, SignatureAlgorithms FROM PKIX1Explicit-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} ContentInfo, IssuerAndSerialNumber, CONTENT-TYPE FROM CryptographicMessageSyntax-2009 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41)} CertReqMsg, PKIPublicationInfo, CertTemplate FROM PKIXCRMF-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)} mda-sha1 FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-algorithms2008-02(56)} kda-PBKDF2, maca-hMAC-SHA1 FROM CryptographicMessageSyntaxAlgorithms-2009 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cmsalg-2001-02(37) } mda-sha256 FROM PKIX1-PSS-OAEP-Algorithms-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54) } ; -- CMS Content types defined in this document CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... } -- Signature Algorithms defined in this document SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature } -- CMS Unsigned Attributes CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData } -- -- id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types -- This is the content type for a request message in the protocol ct-PKIData CONTENT-TYPE ::= { PKIData IDENTIFIED BY id-cct-PKIData } id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 } PKIData ::= SEQUENCE { controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute, reqSequence SEQUENCE SIZE(0..MAX) OF TaggedRequest, cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo, otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
} BodyPartID ::= INTEGER(0..4294967295) TaggedAttribute ::= SEQUENCE { bodyPartID BodyPartID, attrType CMC-CONTROL.&id({Cmc-Control-Set}), attrValues SET OF CMC-CONTROL. &Type({Cmc-Control-Set}{@attrType}) } Cmc-Control-Set CMC-CONTROL ::= { cmc-identityProof | cmc-dataReturn | cmc-regInfo | cmc-responseInfo | cmc-queryPending | cmc-popLinkRandom | cmc-popLinkWitness | cmc-identification | cmc-transactionId | cmc-senderNonce | cmc-recipientNonce | cmc-statusInfo | cmc-addExtensions | cmc-encryptedPOP | cmc-decryptedPOP | cmc-lraPOPWitness | cmc-getCert | cmc-getCRL | cmc-revokeRequest | cmc-confirmCertAcceptance | cmc-statusInfoV2 | cmc-trustedAnchors | cmc-authData | cmc-batchRequests | cmc-batchResponses | cmc-publishCert | cmc-modCertTemplate | cmc-controlProcessed | cmc-identityProofV2 | cmc-popLinkWitnessV2, ... } OTHER-REQUEST ::= TYPE-IDENTIFIER -- We do not define any other requests in this document; -- examples might be attribute certification requests OtherRequests OTHER-REQUEST ::= {...} TaggedRequest ::= CHOICE { tcr [0] TaggedCertificationRequest, crm [1] CertReqMsg, orm [2] SEQUENCE { bodyPartID BodyPartID, requestMessageType OTHER-REQUEST.&id({OtherRequests}), requestMessageValue OTHER-REQUEST.&Type({OtherRequests} {@.requestMessageType}) } } TaggedCertificationRequest ::= SEQUENCE { bodyPartID BodyPartID, certificationRequest CertificationRequest } AttributeList ATTRIBUTE ::= {at-extension-req, ...}
CertificationRequest ::= SEQUENCE { certificationRequestInfo SEQUENCE { version INTEGER, subject Name, subjectPublicKeyInfo SEQUENCE { algorithm AlgorithmIdentifier{PUBLIC-KEY, {PublicKeyAlgorithms}}, subjectPublicKey BIT STRING }, attributes [0] IMPLICIT SET OF AttributeSet{{AttributeList}} }, signatureAlgorithm AlgorithmIdentifier {SIGNATURE-ALGORITHM, {SignatureAlgorithms}}, signature BIT STRING } TaggedContentInfo ::= SEQUENCE { bodyPartID BodyPartID, contentInfo ContentInfo } OTHER-MSG ::= TYPE-IDENTIFIER -- No other messages currently defined OtherMsgSet OTHER-MSG ::= {...} OtherMsg ::= SEQUENCE { bodyPartID BodyPartID, otherMsgType OTHER-MSG.&id({OtherMsgSet}), otherMsgValue OTHER-MSG.&Type({OtherMsgSet}{@otherMsgType}) } -- This defines the response message in the protocol ct-PKIResponse CONTENT-TYPE ::= { PKIResponse IDENTIFIED BY id-cct-PKIResponse } id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 } ResponseBody ::= PKIResponse PKIResponse ::= SEQUENCE { controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute, cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo, otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg }
CMC-CONTROL ::= TYPE-IDENTIFIER -- The following controls have the type OCTET STRING cmc-identityProof CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-identityProof } id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3} cmc-dataReturn CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-dataReturn } id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4} cmc-regInfo CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-regInfo } id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18} cmc-responseInfo CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-responseInfo } id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19} cmc-queryPending CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-queryPending } id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21} cmc-popLinkRandom CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-popLinkRandom } id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22} cmc-popLinkWitness CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-popLinkWitness } id-cmc-popLinkWitness OBJECT IDENTIFIER ::= {id-cmc 23} -- The following controls have the type UTF8String cmc-identification CMC-CONTROL ::= { UTF8String IDENTIFIED BY id-cmc-identification } id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2} -- The following controls have the type INTEGER cmc-transactionId CMC-CONTROL ::= { INTEGER IDENTIFIED BY id-cmc-transactionId } id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5} -- The following controls have the type OCTET STRING cmc-senderNonce CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-senderNonce }
id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6} cmc-recipientNonce CMC-CONTROL ::= { OCTET STRING IDENTIFIED BY id-cmc-recipientNonce } id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7} -- Used to return status in a response cmc-statusInfo CMC-CONTROL ::= { CMCStatusInfo IDENTIFIED BY id-cmc-statusInfo } id-cmc-statusInfo OBJECT IDENTIFIER ::= {id-cmc 1} CMCStatusInfo ::= SEQUENCE { cMCStatus CMCStatus, bodyList SEQUENCE SIZE (1..MAX) OF BodyPartID, statusString UTF8String OPTIONAL, otherInfo CHOICE { failInfo CMCFailInfo, pendInfo PendInfo } OPTIONAL } PendInfo ::= SEQUENCE { pendToken OCTET STRING, pendTime GeneralizedTime } CMCStatus ::= INTEGER { success (0), failed (2), pending (3), noSupport (4), confirmRequired (5), popRequired (6), partial (7) } -- Note: -- The spelling of unsupportedExt is corrected in this version. -- In RFC 2797, it was unsuportedExt. CMCFailInfo ::= INTEGER { badAlg (0), badMessageCheck (1), badRequest (2), badTime (3), badCertId (4), unsuportedExt (5),
mustArchiveKeys (6), badIdentity (7), popRequired (8), popFailed (9), noKeyReuse (10), internalCAError (11), tryLater (12), authDataFail (13) } -- Used for RAs to add extensions to certification requests cmc-addExtensions CMC-CONTROL ::= { AddExtensions IDENTIFIED BY id-cmc-addExtensions } id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8} AddExtensions ::= SEQUENCE { pkiDataReference BodyPartID, certReferences SEQUENCE OF BodyPartID, extensions SEQUENCE OF Extension{{CertExtensions}} } cmc-encryptedPOP CMC-CONTROL ::= { EncryptedPOP IDENTIFIED BY id-cmc-encryptedPOP } cmc-decryptedPOP CMC-CONTROL ::= { DecryptedPOP IDENTIFIED BY id-cmc-decryptedPOP } id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9} id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10} EncryptedPOP ::= SEQUENCE { request TaggedRequest, cms ContentInfo, thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, witnessAlgID AlgorithmIdentifier{DIGEST-ALGORITHM, {WitnessAlgs}}, witness OCTET STRING } POPAlgs MAC-ALGORITHM ::= {maca-hMAC-SHA1, ...} WitnessAlgs DIGEST-ALGORITHM ::= {mda-sha1, ...} DecryptedPOP ::= SEQUENCE { bodyPartID BodyPartID, thePOPAlgID AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, thePOP OCTET STRING } cmc-lraPOPWitness CMC-CONTROL ::=
{ LraPopWitness IDENTIFIED BY id-cmc-lraPOPWitness } id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11} LraPopWitness ::= SEQUENCE { pkiDataBodyid BodyPartID, bodyIds SEQUENCE OF BodyPartID } -- cmc-getCert CMC-CONTROL ::= { GetCert IDENTIFIED BY id-cmc-getCert } id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15} GetCert ::= SEQUENCE { issuerName GeneralName, serialNumber INTEGER } cmc-getCRL CMC-CONTROL ::= { GetCRL IDENTIFIED BY id-cmc-getCRL } id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16} GetCRL ::= SEQUENCE { issuerName Name, cRLName GeneralName OPTIONAL, time GeneralizedTime OPTIONAL, reasons ReasonFlags OPTIONAL } cmc-revokeRequest CMC-CONTROL ::= { RevokeRequest IDENTIFIED BY id-cmc-revokeRequest} id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17} RevokeRequest ::= SEQUENCE { issuerName Name, serialNumber INTEGER, reason CRLReason, invalidityDate GeneralizedTime OPTIONAL, passphrase OCTET STRING OPTIONAL, comment UTF8String OPTIONAL } cmc-confirmCertAcceptance CMC-CONTROL ::= { CMCCertId IDENTIFIED BY id-cmc-confirmCertAcceptance } id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {id-cmc 24} CMCCertId ::= IssuerAndSerialNumber -- The following is used to request v3 extensions be added -- to a certificate
at-extension-req ATTRIBUTE ::= { TYPE ExtensionReq IDENTIFIED BY id-ExtensionReq } id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 14} ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF Extension{{CertExtensions}} -- The following allows Diffie-Hellman Certification Request -- Messages to be well-formed sa-noSignature SIGNATURE-ALGORITHM ::= { IDENTIFIER id-alg-noSignature VALUE NoSignatureValue PARAMS TYPE NULL ARE required HASHES { mda-sha1 } } id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2} NoSignatureValue ::= OCTET STRING -- Unauthenticated attribute to carry removable data. id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2)} aa-cmc-unsignedData ATTRIBUTE ::= { TYPE CMCUnsignedData IDENTIFIED BY id-aa-cmc-unsignedData } id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= {id-aa 34} CMCUnsignedData ::= SEQUENCE { bodyPartPath BodyPartPath, identifier TYPE-IDENTIFIER.&id, content TYPE-IDENTIFIER.&Type } -- Replaces CMC Status Info -- cmc-statusInfoV2 CMC-CONTROL ::= { CMCStatusInfoV2 IDENTIFIED BY id-cmc-statusInfoV2 } id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= {id-cmc 25} EXTENDED-FAILURE-INFO ::= TYPE-IDENTIFIER ExtendedFailures EXTENDED-FAILURE-INFO ::= {...} CMCStatusInfoV2 ::= SEQUENCE { cMCStatus CMCStatus,
bodyList SEQUENCE SIZE (1..MAX) OF BodyPartReference, statusString UTF8String OPTIONAL, otherInfo CHOICE { failInfo CMCFailInfo, pendInfo PendInfo, extendedFailInfo [1] SEQUENCE { failInfoOID TYPE-IDENTIFIER.&id ({ExtendedFailures}), failInfoValue TYPE-IDENTIFIER.&Type ({ExtendedFailures} {@.failInfoOID}) } } OPTIONAL } BodyPartReference ::= CHOICE { bodyPartID BodyPartID, bodyPartPath BodyPartPath } BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID -- Allow for distribution of trust anchors -- cmc-trustedAnchors CMC-CONTROL ::= { PublishTrustAnchors IDENTIFIED BY id-cmc-trustedAnchors } id-cmc-trustedAnchors OBJECT IDENTIFIER ::= {id-cmc 26} PublishTrustAnchors ::= SEQUENCE { seqNumber INTEGER, hashAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {HashAlgorithms}}, anchorHashes SEQUENCE OF OCTET STRING } HashAlgorithms DIGEST-ALGORITHM ::= { mda-sha1 | mda-sha256, ... } cmc-authData CMC-CONTROL ::= { AuthPublish IDENTIFIED BY id-cmc-authData } id-cmc-authData OBJECT IDENTIFIER ::= {id-cmc 27} AuthPublish ::= BodyPartID -- These two items use BodyPartList
cmc-batchRequests CMC-CONTROL ::= { BodyPartList IDENTIFIED BY id-cmc-batchRequests } id-cmc-batchRequests OBJECT IDENTIFIER ::= {id-cmc 28} cmc-batchResponses CMC-CONTROL ::= { BodyPartList IDENTIFIED BY id-cmc-batchResponses } id-cmc-batchResponses OBJECT IDENTIFIER ::= {id-cmc 29} BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID cmc-publishCert CMC-CONTROL ::= { CMCPublicationInfo IDENTIFIED BY id-cmc-publishCert } id-cmc-publishCert OBJECT IDENTIFIER ::= {id-cmc 30} CMCPublicationInfo ::= SEQUENCE { hashAlg AlgorithmIdentifier{DIGEST-ALGORITHM, {HashAlgorithms}}, certHashes SEQUENCE OF OCTET STRING, pubInfo PKIPublicationInfo } cmc-modCertTemplate CMC-CONTROL ::= { ModCertTemplate IDENTIFIED BY id-cmc-modCertTemplate } id-cmc-modCertTemplate OBJECT IDENTIFIER ::= {id-cmc 31} ModCertTemplate ::= SEQUENCE { pkiDataReference BodyPartPath, certReferences BodyPartList, replace BOOLEAN DEFAULT TRUE, certTemplate CertTemplate } -- Inform follow-on servers that one or more controls have -- already been processed cmc-controlProcessed CMC-CONTROL ::= { ControlsProcessed IDENTIFIED BY id-cmc-controlProcessed } id-cmc-controlProcessed OBJECT IDENTIFIER ::= {id-cmc 32} ControlsProcessed ::= SEQUENCE { bodyList SEQUENCE SIZE(1..MAX) OF BodyPartReference } -- Identity Proof control w/ algorithm agility cmc-identityProofV2 CMC-CONTROL ::= { IdentityProofV2 IDENTIFIED BY id-cmc-identityProofV2 } id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 33 }
IdentityProofV2 ::= SEQUENCE { proofAlgID AlgorithmIdentifier{DIGEST-ALGORITHM, {WitnessAlgs}}, macAlgId AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, witness OCTET STRING } cmc-popLinkWitnessV2 CMC-CONTROL ::= { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 } id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 } PopLinkWitnessV2 ::= SEQUENCE { keyGenAlgorithm AlgorithmIdentifier{KEY-DERIVATION, {KeyDevAlgs}}, macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, witness OCTET STRING } KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...} END13. ASN.1 Module for RFC 5755
PKIXAttributeCertificate-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)} DEFINITIONS IMPLICIT TAGS ::= BEGIN IMPORTS AttributeSet{}, Extensions{}, SecurityCategory{}, EXTENSION, ATTRIBUTE, SECURITY-CATEGORY FROM PKIX-CommonTypes-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM FROM AlgorithmInformation-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58)} -- IMPORTed module OIDs MAY change if [PKIXPROF] changes -- PKIX Certificate Extensions CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp, id-ad, id-at, SIGNED{}, SignatureAlgorithms
FROM PKIX1Explicit-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier, ext-AuthorityInfoAccess, ext-CRLDistributionPoints FROM PKIX1Implicit-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} ContentInfo FROM CryptographicMessageSyntax-2009 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }; -- Define the set of extensions that can appear. -- Some of these are imported from PKIX Cert AttributeCertExtensions EXTENSION ::= { ext-auditIdentity | ext-targetInformation | ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess | ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying | ext-aaControls, ... } ext-auditIdentity EXTENSION ::= { SYNTAX OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity} ext-targetInformation EXTENSION ::= { SYNTAX Targets IDENTIFIED BY id-ce-targetInformation } ext-noRevAvail EXTENSION ::= { SYNTAX NULL IDENTIFIED BY id-ce-noRevAvail} ext-ac-proxying EXTENSION ::= { SYNTAX ProxyInfo IDENTIFIED BY id-pe-ac-proxying} ext-aaControls EXTENSION ::= { SYNTAX AAControls IDENTIFIED BY id-pe-aaControls} -- Define the set of attributes used here AttributesDefined ATTRIBUTE ::= { at-authenticationInfo | at-accesIdentity | at-chargingIdentity | at-group | at-role | at-clearance | at-encAttrs, ...} at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo IDENTIFIED BY id-aca-authenticationInfo} at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo
IDENTIFIED BY id-aca-accessIdentity} at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax IDENTIFIED BY id-aca-chargingIdentity} at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax IDENTIFIED BY id-aca-group} at-role ATTRIBUTE ::= { TYPE RoleSyntax IDENTIFIED BY id-at-role} at-clearance ATTRIBUTE ::= { TYPE Clearance IDENTIFIED BY id-at-clearance} at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281 IDENTIFIED BY id-at-clearance-rfc3281 } at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo IDENTIFIED BY id-aca-encAttrs} -- -- OIDs used by Attribute Certificate Extensions -- id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 } id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 } id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 } id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 } id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 } -- -- OIDs used by Attribute Certificate Attributes -- id-aca OBJECT IDENTIFIER ::= { id-pkix 10 } id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 } id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 } id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 } id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 } -- { id-aca 5 } is reserved id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 } id-at-role OBJECT IDENTIFIER ::= { id-at 72} id-at-clearance OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) } -- Uncomment the following declaration and comment the above line if -- using the id-at-clearance attribute as defined in [RFC3281]
-- id-at-clearance ::= id-at-clearance-3281 id-at-clearance-rfc3281 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5) clearance (55) } -- -- The syntax of an Attribute Certificate -- AttributeCertificate ::= SIGNED{AttributeCertificateInfo} AttributeCertificateInfo ::= SEQUENCE { version AttCertVersion, -- version is v2 holder Holder, issuer AttCertIssuer, signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgorithms}}, serialNumber CertificateSerialNumber, attrCertValidityPeriod AttCertValidityPeriod, attributes SEQUENCE OF AttributeSet{{AttributesDefined}}, issuerUniqueID UniqueIdentifier OPTIONAL, extensions Extensions{{AttributeCertExtensions}} OPTIONAL } AttCertVersion ::= INTEGER { v2(1) } Holder ::= SEQUENCE { baseCertificateID [0] IssuerSerial OPTIONAL, -- the issuer and serial number of -- the holder's Public Key Certificate entityName [1] GeneralNames OPTIONAL, -- the name of the claimant or role objectDigestInfo [2] ObjectDigestInfo OPTIONAL -- used to directly authenticate the -- holder, for example, an executable } ObjectDigestInfo ::= SEQUENCE { digestedObjectType ENUMERATED { publicKey (0), publicKeyCert (1), otherObjectTypes (2) }, -- otherObjectTypes MUST NOT -- be used in this profile otherObjectTypeID OBJECT IDENTIFIER OPTIONAL, digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
objectDigest BIT STRING } AttCertIssuer ::= CHOICE { v1Form GeneralNames, -- MUST NOT be used in this -- profile v2Form [0] V2Form -- v2 only } V2Form ::= SEQUENCE { issuerName GeneralNames OPTIONAL, baseCertificateID [0] IssuerSerial OPTIONAL, objectDigestInfo [1] ObjectDigestInfo OPTIONAL -- issuerName MUST be present in this profile -- baseCertificateID and objectDigestInfo MUST -- NOT be present in this profile } IssuerSerial ::= SEQUENCE { issuer GeneralNames, serial CertificateSerialNumber, issuerUID UniqueIdentifier OPTIONAL } AttCertValidityPeriod ::= SEQUENCE { notBeforeTime GeneralizedTime, notAfterTime GeneralizedTime } -- -- Syntax used by Attribute Certificate Extensions -- Targets ::= SEQUENCE OF Target Target ::= CHOICE { targetName [0] GeneralName, targetGroup [1] GeneralName, targetCert [2] TargetCert } TargetCert ::= SEQUENCE { targetCertificate IssuerSerial, targetName GeneralName OPTIONAL, certDigestInfo ObjectDigestInfo OPTIONAL } AAControls ::= SEQUENCE {
pathLenConstraint INTEGER (0..MAX) OPTIONAL, permittedAttrs [0] AttrSpec OPTIONAL, excludedAttrs [1] AttrSpec OPTIONAL, permitUnSpecified BOOLEAN DEFAULT TRUE } AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER ProxyInfo ::= SEQUENCE OF Targets -- -- Syntax used by Attribute Certificate Attributes -- IetfAttrSyntax ::= SEQUENCE { policyAuthority[0] GeneralNames OPTIONAL, values SEQUENCE OF CHOICE { octets OCTET STRING, oid OBJECT IDENTIFIER, string UTF8String } } SvceAuthInfo ::= SEQUENCE { service GeneralName, ident GeneralName, authInfo OCTET STRING OPTIONAL } RoleSyntax ::= SEQUENCE { roleAuthority [0] GeneralNames OPTIONAL, roleName [1] GeneralName } Clearance ::= SEQUENCE { policyId OBJECT IDENTIFIER, classList ClassList DEFAULT {unclassified}, securityCategories SET OF SecurityCategory {{SupportedSecurityCategories}} OPTIONAL } -- Uncomment the following lines to support deprecated clearance -- syntax and comment out previous Clearance. -- Clearance ::= Clearance-rfc3281 Clearance-rfc3281 ::= SEQUENCE { policyId [0] OBJECT IDENTIFIER, classList [1] ClassList DEFAULT {unclassified},
securityCategories [2] SET OF SecurityCategory-rfc3281 {{SupportedSecurityCategories}} OPTIONAL } ClassList ::= BIT STRING { unmarked (0), unclassified (1), restricted (2), confidential (3), secret (4), topSecret (5) } SupportedSecurityCategories SECURITY-CATEGORY ::= { ... } SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE { type [0] IMPLICIT SECURITY-CATEGORY. &id({Supported}), value [1] EXPLICIT SECURITY-CATEGORY. &Type({Supported}{@type}) } ACClearAttrs ::= SEQUENCE { acIssuer GeneralName, acSerial INTEGER, attrs SEQUENCE OF AttributeSet{{AttributesDefined}} } END