-- ASN module extracted from ITU-T X.509 (10/2019)
-- A.2 - Certificate extensions module
CertificateExtensions {joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 9}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL
IMPORTS
id-at, id-ce, id-ldx, id-mr
FROM UsefulDefinitions
{joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 9} WITH SUCCESSORS
Name, RelativeDistinguishedName, Attribute{}, MATCHING-RULE,
SupportedAttributes, SYNTAX-NAME
FROM InformationFramework
{joint-iso-itu-t ds(5) module(1) informationFramework(1) 9} WITH SUCCESSORS
AvlSerialNumber, CertificateSerialNumber, CertificateList, AlgorithmIdentifier{},
EXTENSION, Time, PolicyID, SupportedAlgorithms
FROM AuthenticationFramework
{joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 9} WITH SUCCESSORS
UnboundedDirectoryString
FROM SelectedAttributeTypes
{joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 9} WITH SUCCESSORS
ORAddress
FROM PkiPmiExternalDataTypes
{joint-iso-itu-t ds(5) module(1) pkiPmiExternalDataTypes(40) 9} WITH SUCCESSORS ;
-- Unless explicitly noted otherwise, there is no significance to the ordering
-- of components of a SEQUENCE OF construct in this Specification.
-- public-key certificate and CRL extensions
authorityKeyIdentifier EXTENSION ::= {
SYNTAX AuthorityKeyIdentifier
IDENTIFIED BY id-ce-authorityKeyIdentifier }
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] KeyIdentifier OPTIONAL,
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL,
... }
(WITH COMPONENTS {..., authorityCertIssuer PRESENT,
authorityCertSerialNumber PRESENT } |
WITH COMPONENTS {..., authorityCertIssuer ABSENT,
authorityCertSerialNumber ABSENT } )
KeyIdentifier ::= OCTET STRING
subjectKeyIdentifier EXTENSION ::= {
SYNTAX SubjectKeyIdentifier
IDENTIFIED BY id-ce-subjectKeyIdentifier }
SubjectKeyIdentifier ::= KeyIdentifier
keyUsage EXTENSION ::= {
SYNTAX KeyUsage
IDENTIFIED BY id-ce-keyUsage }
KeyUsage ::= BIT STRING {
digitalSignature (0),
contentCommitment (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
extKeyUsage EXTENSION ::= {
SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId
IDENTIFIED BY id-ce-extKeyUsage }
KeyPurposeId ::= OBJECT IDENTIFIER
privateKeyUsagePeriod EXTENSION ::= {
SYNTAX PrivateKeyUsagePeriod
IDENTIFIED BY id-ce-privateKeyUsagePeriod }
PrivateKeyUsagePeriod ::= SEQUENCE {
notBefore [0] GeneralizedTime OPTIONAL,
notAfter [1] GeneralizedTime OPTIONAL,
... }
(WITH COMPONENTS {..., notBefore PRESENT } |
WITH COMPONENTS {..., notAfter PRESENT } )
certificatePolicies EXTENSION ::= {
SYNTAX CertificatePoliciesSyntax
IDENTIFIED BY id-ce-certificatePolicies }
CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
PolicyInformation ::= SEQUENCE {
policyIdentifier CertPolicyId,
policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL,
... }
CertPolicyId ::= OBJECT IDENTIFIER
PolicyQualifierInfo ::= SEQUENCE {
policyQualifierId CERT-POLICY-QUALIFIER.&id({SupportedPolicyQualifiers}),
qualifier CERT-POLICY-QUALIFIER.&Qualifier
({SupportedPolicyQualifiers}{@policyQualifierId}) OPTIONAL,
... }
SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::= {...}
anyPolicy OBJECT IDENTIFIER ::= {id-ce-certificatePolicies 0}
CERT-POLICY-QUALIFIER ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Qualifier OPTIONAL }
WITH SYNTAX {
POLICY-QUALIFIER-ID &id
[QUALIFIER-TYPE &Qualifier] }
policyMappings EXTENSION ::= {
SYNTAX PolicyMappingsSyntax
IDENTIFIED BY id-ce-policyMappings }
PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
issuerDomainPolicy CertPolicyId,
subjectDomainPolicy CertPolicyId,
... }
authorizationValidation EXTENSION ::= {
SYNTAX AvlId
IDENTIFIED BY id-ce-authorizationValidation }
AvlId ::= SEQUENCE {
issuer Name,
serialNumber AvlSerialNumber OPTIONAL,
... }
subjectAltName EXTENSION ::= {
SYNTAX GeneralNames
IDENTIFIED BY id-ce-subjectAltName }
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
GeneralName ::= CHOICE {
otherName [0] INSTANCE OF OTHER-NAME,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER,
... }
OTHER-NAME ::= TYPE-IDENTIFIER
EDIPartyName ::= SEQUENCE {
nameAssigner [0] UnboundedDirectoryString OPTIONAL,
partyName [1] UnboundedDirectoryString,
... }
issuerAltName EXTENSION ::= {
SYNTAX GeneralNames
IDENTIFIED BY id-ce-issuerAltName }
subjectDirectoryAttributes EXTENSION ::= {
SYNTAX AttributesSyntax
IDENTIFIED BY id-ce-subjectDirectoryAttributes }
AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute{{SupportedAttributes}}
associatedInformation EXTENSION ::= {
SYNTAX AttributesSyntax
IDENTIFIED BY id-ce-associatedInformation }
basicConstraints EXTENSION ::= {
SYNTAX BasicConstraintsSyntax
IDENTIFIED BY id-ce-basicConstraints }
BasicConstraintsSyntax ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER(0..MAX) OPTIONAL,
... }
nameConstraints EXTENSION ::= {
SYNTAX NameConstraintsSyntax
IDENTIFIED BY id-ce-nameConstraints }
NameConstraintsSyntax ::= SEQUENCE {
permittedSubtrees [0] GeneralSubtrees OPTIONAL,
excludedSubtrees [1] GeneralSubtrees OPTIONAL,
... }
(WITH COMPONENTS {..., permittedSubtrees PRESENT } |
WITH COMPONENTS {..., excludedSubtrees PRESENT } )
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
GeneralSubtree ::= SEQUENCE {
base GeneralName,
minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL,
... }
BaseDistance ::= INTEGER(0..MAX)
policyConstraints EXTENSION ::= {
SYNTAX PolicyConstraintsSyntax
IDENTIFIED BY id-ce-policyConstraints }
PolicyConstraintsSyntax ::= SEQUENCE {
requireExplicitPolicy [0] SkipCerts OPTIONAL,
inhibitPolicyMapping [1] SkipCerts OPTIONAL,
... }
(WITH COMPONENTS {..., requireExplicitPolicy PRESENT } |
WITH COMPONENTS {..., inhibitPolicyMapping PRESENT } )
SkipCerts ::= INTEGER(0..MAX)
inhibitAnyPolicy EXTENSION ::= {
SYNTAX SkipCerts
IDENTIFIED BY id-ce-inhibitAnyPolicy }
cRLNumber EXTENSION ::= {
SYNTAX CRLNumber
IDENTIFIED BY id-ce-cRLNumber }
CRLNumber ::= INTEGER(0..MAX)
crlScope EXTENSION ::= {
SYNTAX CRLScopeSyntax
IDENTIFIED BY id-ce-cRLScope }
CRLScopeSyntax ::= SEQUENCE SIZE (1..MAX) OF PerAuthorityScope
PerAuthorityScope ::= SEQUENCE {
authorityName [0] GeneralName OPTIONAL,
distributionPoint [1] DistributionPointName OPTIONAL,
onlyContains [2] OnlyCertificateTypes OPTIONAL,
onlySomeReasons [4] ReasonFlags OPTIONAL,
serialNumberRange [5] NumberRange OPTIONAL,
subjectKeyIdRange [6] NumberRange OPTIONAL,
nameSubtrees [7] GeneralNames OPTIONAL,
baseRevocationInfo [9] BaseRevocationInfo OPTIONAL,
... }
OnlyCertificateTypes ::= BIT STRING {
user (0),
authority (1),
attribute (2)}
NumberRange ::= SEQUENCE {
startingNumber [0] INTEGER OPTIONAL,
endingNumber [1] INTEGER OPTIONAL,
modulus INTEGER OPTIONAL,
... }
BaseRevocationInfo ::= SEQUENCE {
cRLStreamIdentifier [0] CRLStreamIdentifier OPTIONAL,
cRLNumber [1] CRLNumber,
baseThisUpdate [2] GeneralizedTime,
... }
statusReferrals EXTENSION ::= {
SYNTAX StatusReferrals
IDENTIFIED BY id-ce-statusReferrals }
StatusReferrals ::= SEQUENCE SIZE (1..MAX) OF StatusReferral
StatusReferral ::= CHOICE {
cRLReferral [0] CRLReferral,
otherReferral [1] INSTANCE OF OTHER-REFERRAL,
... }
CRLReferral ::= SEQUENCE {
issuer [0] GeneralName OPTIONAL,
location [1] GeneralName OPTIONAL,
deltaRefInfo [2] DeltaRefInfo OPTIONAL,
cRLScope CRLScopeSyntax,
lastUpdate [3] GeneralizedTime OPTIONAL,
lastChangedCRL [4] GeneralizedTime OPTIONAL,
...
}
DeltaRefInfo ::= SEQUENCE {
deltaLocation GeneralName,
lastDelta GeneralizedTime OPTIONAL,
... }
OTHER-REFERRAL ::= TYPE-IDENTIFIER
cRLStreamIdentifier EXTENSION ::= {
SYNTAX CRLStreamIdentifier
IDENTIFIED BY id-ce-cRLStreamIdentifier }
CRLStreamIdentifier ::= INTEGER (0..MAX)
orderedList EXTENSION ::= {
SYNTAX OrderedListSyntax
IDENTIFIED BY id-ce-orderedList }
OrderedListSyntax ::= ENUMERATED {
ascSerialNum (0),
ascRevDate (1),
...}
deltaInfo EXTENSION ::= {
SYNTAX DeltaInformation
IDENTIFIED BY id-ce-deltaInfo }
DeltaInformation ::= SEQUENCE {
deltaLocation GeneralName,
nextDelta GeneralizedTime OPTIONAL,
... }
toBeRevoked EXTENSION ::= {
SYNTAX ToBeRevokedSyntax
IDENTIFIED BY id-ce-toBeRevoked }
ToBeRevokedSyntax ::= SEQUENCE SIZE (1..MAX) OF ToBeRevokedGroup
ToBeRevokedGroup ::= SEQUENCE {
certificateIssuer [0] GeneralName OPTIONAL,
reasonInfo [1] ReasonInfo OPTIONAL,
revocationTime GeneralizedTime,
certificateGroup CertificateGroup,
... }
ReasonInfo ::= SEQUENCE {
reasonCode CRLReason,
holdInstructionCode HoldInstruction OPTIONAL,
... }
CertificateGroup ::= CHOICE {
serialNumbers [0] CertificateSerialNumbers,
serialNumberRange [1] CertificateGroupNumberRange,
nameSubtree [2] GeneralName,
... }
CertificateGroupNumberRange ::= SEQUENCE {
startingNumber [0] INTEGER,
endingNumber [1] INTEGER,
... }
CertificateSerialNumbers ::= SEQUENCE SIZE (1..MAX) OF CertificateSerialNumber
revokedGroups EXTENSION ::= {
SYNTAX RevokedGroupsSyntax
IDENTIFIED BY id-ce-revokedGroups }
RevokedGroupsSyntax ::= SEQUENCE SIZE (1..MAX) OF RevokedGroup
RevokedGroup ::= SEQUENCE {
certificateIssuer [0] GeneralName OPTIONAL,
reasonInfo [1] ReasonInfo OPTIONAL,
invalidityDate [2] GeneralizedTime OPTIONAL,
revokedcertificateGroup [3] RevokedCertificateGroup,
... }
RevokedCertificateGroup ::= CHOICE {
serialNumberRange NumberRange,
nameSubtree GeneralName }
expiredCertsOnCRL EXTENSION ::= {
SYNTAX ExpiredCertsOnCRL
IDENTIFIED BY id-ce-expiredCertsOnCRL }
ExpiredCertsOnCRL ::= GeneralizedTime
reasonCode EXTENSION ::= {
SYNTAX CRLReason
IDENTIFIED BY id-ce-reasonCode }
CRLReason ::= ENUMERATED {
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
removeFromCRL (8),
privilegeWithdrawn (9),
aACompromise (10),
...,
weakAlgorithmOrKey (11) }
holdInstructionCode EXTENSION ::= {
SYNTAX HoldInstruction
IDENTIFIED BY id-ce-holdInstructionCode }
HoldInstruction ::= OBJECT IDENTIFIER
invalidityDate EXTENSION ::= {
SYNTAX GeneralizedTime
IDENTIFIED BY id-ce-invalidityDate }
cRLDistributionPoints EXTENSION ::= {
SYNTAX CRLDistPointsSyntax
IDENTIFIED BY id-ce-cRLDistributionPoints }
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
DistributionPoint ::= SEQUENCE {
distributionPoint [0] DistributionPointName OPTIONAL,
reasons [1] ReasonFlags OPTIONAL,
cRLIssuer [2] GeneralNames OPTIONAL,
... }
DistributionPointName ::= CHOICE {
fullName [0] GeneralNames,
nameRelativeToCRLIssuer [1] RelativeDistinguishedName,
... }
ReasonFlags ::= BIT STRING {
unused (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
privilegeWithdrawn (7),
aACompromise (8),
weakAlgorithmOrKey (9) }
issuingDistributionPoint EXTENSION ::= {
SYNTAX IssuingDistPointSyntax
IDENTIFIED BY id-ce-issuingDistributionPoint }
IssuingDistPointSyntax ::= SEQUENCE {
-- If onlyContainsUserPublicKeyCerts and onlyContainsCACerts are both FALSE,
-- the CRL covers both public-key certificate types
distributionPoint [0] DistributionPointName OPTIONAL,
onlyContainsUserPublicKeyCerts [1] BOOLEAN DEFAULT FALSE,
onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
onlySomeReasons [3] ReasonFlags OPTIONAL,
indirectCRL [4] BOOLEAN DEFAULT FALSE,
onlyContainsAttributeCerts [5] BOOLEAN OPTIONAL, -- Use is strongly deprecated
... }
certificateIssuer EXTENSION ::= {
SYNTAX GeneralNames
IDENTIFIED BY id-ce-certificateIssuer }
deltaCRLIndicator EXTENSION ::= {
SYNTAX BaseCRLNumber
IDENTIFIED BY id-ce-deltaCRLIndicator }
BaseCRLNumber ::= CRLNumber
baseUpdateTime EXTENSION ::= {
SYNTAX GeneralizedTime
IDENTIFIED BY id-ce-baseUpdateTime }
freshestCRL EXTENSION ::= {
SYNTAX CRLDistPointsSyntax
IDENTIFIED BY id-ce-freshestCRL }
protRestrict EXTENSION ::= {
SYNTAX ProtRestriction
IDENTIFIED BY id-ce-protRestrict }
ProtRestriction ::= SEQUENCE (SIZE (1..MAX)) OF OBJECT IDENTIFIER
subjectAltPublicKeyInfo EXTENSION ::= {
SYNTAX SubjectAltPublicKeyInfo
IDENTIFIED BY id-ce-subjectAltPublicKeyInfo }
SubjectAltPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier{{SupportedAlgorithms}},
subjectAltPublicKey BIT STRING }
altSignatureAlgorithm EXTENSION ::= {
SYNTAX AltSignatureAlgorithm
IDENTIFIED BY id-ce-altSignatureAlgorithm }
AltSignatureAlgorithm ::= AlgorithmIdentifier{{SupportedAlgorithms}}
altSignatureValue EXTENSION ::= {
SYNTAX AltSignatureValue
IDENTIFIED BY id-ce-altSignatureValue }
AltSignatureValue ::= BIT STRING
aAissuingDistributionPoint EXTENSION ::= {
SYNTAX AAIssuingDistPointSyntax
IDENTIFIED BY id-ce-aAissuingDistributionPoint }
AAIssuingDistPointSyntax ::= SEQUENCE {
distributionPoint [0] DistributionPointName OPTIONAL,
onlySomeReasons [1] ReasonFlags OPTIONAL,
indirectCRL [2] BOOLEAN DEFAULT FALSE,
containsUserAttributeCerts [3] BOOLEAN DEFAULT TRUE,
containsAACerts [4] BOOLEAN DEFAULT TRUE,
containsSOAPublicKeyCerts [5] BOOLEAN DEFAULT TRUE,
... }
-- PKI matching rules
certificateExactMatch MATCHING-RULE ::= {
SYNTAX CertificateExactAssertion
LDAP-SYNTAX certExactAssertion.&id
LDAP-NAME {"certificateExactMatch"}
LDAP-DESC "X.509 Certificate Exact Match"
ID id-mr-certificateExactMatch }
CertificateExactAssertion ::= SEQUENCE {
serialNumber CertificateSerialNumber,
issuer Name,
... }
certificateMatch MATCHING-RULE ::= {
SYNTAX CertificateAssertion
LDAP-SYNTAX certAssertion.&id
LDAP-NAME {"certificateMatch"}
LDAP-DESC "X.509 Certificate Match"
ID id-mr-certificateMatch }
CertificateAssertion ::= SEQUENCE {
serialNumber [0] CertificateSerialNumber OPTIONAL,
issuer [1] Name OPTIONAL,
subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL,
authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL,
certificateValid [4] Time OPTIONAL,
privateKeyValid [5] GeneralizedTime OPTIONAL,
subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL,
keyUsage [7] KeyUsage OPTIONAL,
subjectAltName [8] AltNameType OPTIONAL,
policy [9] CertPolicySet OPTIONAL,
pathToName [10] Name OPTIONAL,
subject [11] Name OPTIONAL,
nameConstraints [12] NameConstraintsSyntax OPTIONAL,
... }
AltNameType ::= CHOICE {
builtinNameForm ENUMERATED {
rfc822Name (1),
dNSName (2),
x400Address (3),
directoryName (4),
ediPartyName (5),
uniformResourceIdentifier (6),
iPAddress (7),
registeredId (8),
...},
otherNameForm OBJECT IDENTIFIER,
... }
CertPolicySet ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId
certificatePairExactMatch MATCHING-RULE ::= {
SYNTAX CertificatePairExactAssertion
LDAP-SYNTAX certPairExactAssertion.&id
LDAP-NAME {"certificatePairExactMatch"}
LDAP-DESC "X.509 Certificate Pair Exact Match"
ID id-mr-certificatePairExactMatch }
CertificatePairExactAssertion ::= SEQUENCE {
issuedToThisCAAssertion [0] CertificateExactAssertion OPTIONAL,
issuedByThisCAAssertion [1] CertificateExactAssertion OPTIONAL,
... }
(WITH COMPONENTS { ..., issuedToThisCAAssertion PRESENT } |
WITH COMPONENTS { ..., issuedByThisCAAssertion PRESENT } )
certificatePairMatch MATCHING-RULE ::= {
SYNTAX CertificatePairAssertion
LDAP-SYNTAX certPairAssertion.&id
LDAP-NAME {"certificatePairMatch"}
LDAP-DESC "X.509 Certificate Pair Match"
ID id-mr-certificatePairMatch }
CertificatePairAssertion ::= SEQUENCE {
issuedToThisCAAssertion [0] CertificateAssertion OPTIONAL,
issuedByThisCAAssertion [1] CertificateAssertion OPTIONAL,
... }
(WITH COMPONENTS {..., issuedToThisCAAssertion PRESENT } |
WITH COMPONENTS {..., issuedByThisCAAssertion PRESENT } )
certificateListExactMatch MATCHING-RULE ::= {
SYNTAX CertificateListExactAssertion
LDAP-SYNTAX certListExactAssertion.&id
LDAP-NAME {"certificateListExactMatch"}
LDAP-DESC "X.509 Certificate List Exact Match"
ID id-mr-certificateListExactMatch }
CertificateListExactAssertion ::= SEQUENCE {
issuer Name,
thisUpdate Time,
distributionPoint DistributionPointName OPTIONAL }
certificateListMatch MATCHING-RULE ::= {
SYNTAX CertificateListAssertion
LDAP-SYNTAX certListAssertion.&id
LDAP-NAME {"certificateListMatch"}
LDAP-DESC "X.509 Certificate List Match"
ID id-mr-certificateListMatch }
CertificateListAssertion ::= SEQUENCE {
issuer Name OPTIONAL,
minCRLNumber [0] CRLNumber OPTIONAL,
maxCRLNumber [1] CRLNumber OPTIONAL,
reasonFlags ReasonFlags OPTIONAL,
dateAndTime Time OPTIONAL,
distributionPoint [2] DistributionPointName OPTIONAL,
authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL,
... }
algorithmIdentifierMatch MATCHING-RULE ::= {
SYNTAX AlgorithmIdentifier {{SupportedAlgorithms}}
LDAP-SYNTAX algorithmIdentifier.&id
LDAP-NAME {"algorithmIdentifierMatch"}
LDAP-DESC "X.509 Algorithm Identifier Match"
ID id-mr-algorithmIdentifierMatch }
policyMatch MATCHING-RULE ::= {
SYNTAX PolicyID
ID id-mr-policyMatch }
pkiPathMatch MATCHING-RULE ::= {
SYNTAX PkiPathMatchSyntax
ID id-mr-pkiPathMatch }
PkiPathMatchSyntax ::= SEQUENCE {
firstIssuer Name,
lastSubject Name,
... }
enhancedCertificateMatch MATCHING-RULE ::= {
SYNTAX EnhancedCertificateAssertion
ID id-mr-enhancedCertificateMatch }
EnhancedCertificateAssertion ::= SEQUENCE {
serialNumber [0] CertificateSerialNumber OPTIONAL,
issuer [1] Name OPTIONAL,
subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL,
authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL,
certificateValid [4] Time OPTIONAL,
privateKeyValid [5] GeneralizedTime OPTIONAL,
subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL,
keyUsage [7] KeyUsage OPTIONAL,
subjectAltName [8] AltName OPTIONAL,
policy [9] CertPolicySet OPTIONAL,
pathToName [10] GeneralNames OPTIONAL,
subject [11] Name OPTIONAL,
nameConstraints [12] NameConstraintsSyntax OPTIONAL,
... }
(ALL EXCEPT ({ -- none; at least one component shall be present --}))
AltName ::= SEQUENCE {
altnameType AltNameType,
altNameValue GeneralName OPTIONAL }
certExactAssertion SYNTAX-NAME ::= {
LDAP-DESC "X.509 Certificate Exact Assertion"
DIRECTORY SYNTAX CertificateExactAssertion
ID id-ldx-certExactAssertion }
certAssertion SYNTAX-NAME ::= {
LDAP-DESC "X.509 Certificate Assertion"
DIRECTORY SYNTAX CertificateAssertion
ID id-ldx-certAssertion }
certPairExactAssertion SYNTAX-NAME ::= {
LDAP-DESC "X.509 Certificate Pair Exact Assertion"
DIRECTORY SYNTAX CertificatePairExactAssertion
ID id-ldx-certPairExactAssertion }
certPairAssertion SYNTAX-NAME ::= {
LDAP-DESC "X.509 Certificate Pair Assertion"
DIRECTORY SYNTAX CertificatePairAssertion
ID id-ldx-certPairAssertion }
certListExactAssertion SYNTAX-NAME ::= {
LDAP-DESC "X.509 Certificate List Exact Assertion"
DIRECTORY SYNTAX CertificateListExactAssertion
ID id-ldx-certListExactAssertion }
certListAssertion SYNTAX-NAME ::= {
LDAP-DESC "X.509 Certificate List Assertion"
DIRECTORY SYNTAX CertificateListAssertion
ID id-ldx-certListAssertion }
algorithmIdentifier SYNTAX-NAME ::= {
LDAP-DESC "X.509 Algorithm Identifier"
DIRECTORY SYNTAX AlgorithmIdentifier{{SupportedAlgorithms}}
ID id-ldx-algorithmIdentifier }
-- Object identifier assignments
-- {id-ce 2} not used
-- {id-ce 3} not used
-- {id-ce 4} not used
-- {id-ce 5} not used
-- {id-ce 6} not used
-- {id-ce 7} not used
-- {id-ce 8} not used
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}
-- {id-ce 10} not used
-- {id-ce 11} not used
-- {id-ce 12} not used
-- {id-ce 13} not used
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14}
id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15}
id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16}
id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17}
id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18}
id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19}
id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20}
id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21}
-- {id-ce 22} not used
id-ce-holdInstructionCode OBJECT IDENTIFIER ::= {id-ce 23}
id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24}
-- {id-ce 25} not used
-- {id-ce 26} not used
id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27}
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28}
id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29}
id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30}
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32}
id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33}
-- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35}
id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36}
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
-- id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
-- id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
id-ce-cRLStreamIdentifier OBJECT IDENTIFIER ::= {id-ce 40}
-- id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
-- id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
-- id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
id-ce-cRLScope OBJECT IDENTIFIER ::= {id-ce 44}
id-ce-statusReferrals OBJECT IDENTIFIER ::= {id-ce 45}
id-ce-freshestCRL OBJECT IDENTIFIER ::= {id-ce 46}
id-ce-orderedList OBJECT IDENTIFIER ::= {id-ce 47}
-- id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
-- id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
-- id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
id-ce-baseUpdateTime OBJECT IDENTIFIER ::= {id-ce 51}
-- id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
id-ce-deltaInfo OBJECT IDENTIFIER ::= {id-ce 53}
id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= {id-ce 54}
-- id-ce-targetingInformation OBJECT IDENTIFIER ::= {id-ce 55}
-- id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
-- id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
id-ce-toBeRevoked OBJECT IDENTIFIER ::= {id-ce 58}
id-ce-revokedGroups OBJECT IDENTIFIER ::= {id-ce 59}
id-ce-expiredCertsOnCRL OBJECT IDENTIFIER ::= {id-ce 60}
-- id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
-- id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
id-ce-aAissuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 63}
-- id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
-- id-ce-singleUse OBJECT IDENTIFIER ::= {id-ce 65}
-- id-ce-groupAC OBJECT IDENTIFIER ::= {id-ce 66}
-- id-ce-allowedAttAss OBJECT IDENTIFIER ::= {id-ce 67}
-- id-ce-attributeMappings OBJECT IDENTIFIER ::= {id-ce 68}
-- id-ce-holderNameConstraints OBJECT IDENTIFIER ::= {id-ce 69}
id-ce-authorizationValidation OBJECT IDENTIFIER ::= {id-ce 70}
id-ce-protRestrict OBJECT IDENTIFIER ::= {id-ce 71}
id-ce-subjectAltPublicKeyInfo OBJECT IDENTIFIER ::= {id-ce 72}
id-ce-altSignatureAlgorithm OBJECT IDENTIFIER ::= {id-ce 73}
id-ce-altSignatureValue OBJECT IDENTIFIER ::= {id-ce 74}
id-ce-associatedInformation OBJECT IDENTIFIER ::= {id-ce 75}
-- matching rule OIDs
id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34}
id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}
id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}
id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}
id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}
id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}
id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}
id-mr-policyMatch OBJECT IDENTIFIER ::= {id-mr 60}
id-mr-pkiPathMatch OBJECT IDENTIFIER ::= {id-mr 62}
id-mr-enhancedCertificateMatch OBJECT IDENTIFIER ::= {id-mr 65}
-- Object identifiers for LDAP X.509 assertion syntaxes
id-ldx-certExactAssertion OBJECT IDENTIFIER ::= {id-ldx 1}
id-ldx-certAssertion OBJECT IDENTIFIER ::= {id-ldx 2}
id-ldx-certPairExactAssertion OBJECT IDENTIFIER ::= {id-ldx 3}
id-ldx-certPairAssertion OBJECT IDENTIFIER ::= {id-ldx 4}
id-ldx-certListExactAssertion OBJECT IDENTIFIER ::= {id-ldx 5}
id-ldx-certListAssertion OBJECT IDENTIFIER ::= {id-ldx 6}
id-ldx-algorithmIdentifier OBJECT IDENTIFIER ::= {id-ldx 7}
END -- CertificateExtensions