-- tmttv2.asn - X.509v3 profile for the BSI Sphinx project -- Copyright (C) 2001 g10 Code GmbH -- -- This file is part of KSBA. -- -- KSBA is free software; you can redistribute it and/or modify -- it under the terms of either -- -- - the GNU Lesser General Public License as published by the Free -- Software Foundation; either version 3 of the License, or (at -- your option) any later version. -- -- or -- -- - the GNU General Public License as published by the Free -- Software Foundation; either version 2 of the License, or (at -- your option) any later version. -- -- or both in parallel, as here. -- -- KSBA is distributed in the hope that it will be useful, but WITHOUT -- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public -- License for more details. -- -- You should have received a copies of the GNU General Public License -- and the GNU Lesser General Public License along with this program; -- if not, see . 
--
TMTTv2 {iso(1) identified-organization(3) dod(6) internet(1) security(5)
        mechanisms(5) teletrust(1) foo(17)}

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- This module is the X.509v3 certificate / CRL profile used by the BSI
-- Sphinx project.  The "(TMTTv2 n.n)" markers below refer to sections
-- of the TMTTv2 document.  Several SIZE bounds are referenced but not
-- defined in this module (maxSize in DirectoryString and the ub-* names
-- in the X.400 part); the consuming parser has to supply or enforce
-- those limits itself.

-- standard object identifiers
-- NOTE(review): id-ce is assigned here but not referenced by any other
-- definition in this module.
id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}

-- (TMTTv2 3.1)
-- Outer certificate structure.  The signing algorithm is stated twice,
-- here (outside the signed data) and inside TBSCertificate.signature
-- (covered by the signature); a verifier should check that both agree
-- rather than trust this outer copy alone.
Certificate ::= SEQUENCE {
    tbsCertificate      TBSCertificate,
    signatureAlgorithm  AlgorithmIdentifier,
    signature           BIT STRING
}

-- parameters is an open type selected by the algorithm OID.  It is
-- OPTIONAL in this schema although TMTT expects it to be present and
-- set to NULL (see below); whether an absent field is treated the same
-- as NULL is decided by the consuming code, not by this module.
AlgorithmIdentifier ::= SEQUENCE {
    algorithm   OBJECT IDENTIFIER,
    parameters  ANY DEFINED BY algorithm OPTIONAL -- should be used but set to NULL
}

TBSCertificate ::= SEQUENCE {
    version               [0] EXPLICIT Version DEFAULT v1,
    serialNumber          CertificateSerialNumber,
    signature             AlgorithmIdentifier,
    issuer                Name,
    validity              Validity,
    subject               Name,
    subjectPublicKeyInfo  SubjectPublicKeyInfo,
    issuerUniqueID        [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID       [2] IMPLICIT UniqueIdentifier OPTIONAL,
    extensions            [3] EXPLICIT Extensions OPTIONAL
}

-- (TMTTv2 3.1.1)
-- Only v3 is used.  Note that the ASN.1 DEFAULT above is v1, so a v3
-- certificate always carries the explicit [0] version element.
Version ::= INTEGER { v1(0), v2(1), v3(2) }

-- (TMTTv2 3.1.2)
-- Must support length of up to 15 byte.  The bound is not expressed in
-- the type (it is a plain INTEGER), so the decoder has to enforce it.
CertificateSerialNumber ::= INTEGER

-- (TMTTv2 3.1.4)
Name ::= CHOICE {
    rdnSequence RDNSequence
}

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

-- pkix defines a SIZE (1 .. MAX), we use a maximum of 1 to avoid
-- problems with some LDAP implementations.
-- (That maximum is not written into the type either, so it is left to
-- the consuming code.)
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue

Attribute ::= SEQUENCE { -- not specified by TMTT
    type    AttributeType,
    values  SET OF AttributeValue
}

Attributes ::= SET OF Attribute

AttributeTypeAndValue ::= SEQUENCE {
    type   AttributeType,
    value  AttributeValue
}

AttributeType ::= OBJECT IDENTIFIER

-- Open type: how a value is encoded depends on the attribute's type OID,
-- which this module does not constrain.
AttributeValue ::= ANY

-- maxSize is not defined in this module; the table below lists the
-- per-attribute values the Sphinx profile requires.
DirectoryString ::= CHOICE {
    printableString  PrintableString (SIZE (1..maxSize)),
    teletexString    TeletexString (SIZE (1..maxSize)),
    utf8String       UTF8String (SIZE (1..maxSize)),
    bmpString        BMPString (SIZE(1..maxSize)),
    universalString  UniversalString (SIZE (1..maxSize))
}

-- For Sphinx conformity maxSize must be:
--   BusinessCategory  128   LocalityName        128   StateOrProvince  128
--   CommonName        128   PostalCode           40   SurName           64
--   CountryName         2   OrganizationalUnit   64   Title             64
--   GivenName          64   OrganizationalName   64

-- (TMTTv2 3.1.5)
Validity ::= SEQUENCE {
    notBefore  Time,
    notAfter   Time
}

-- fixme: explain constraints
-- NOTE(review): UTCTime carries only a two-digit year; the century rule
-- the consuming code applies (X.509 maps YY to 1950..2049) should be
-- documented here once the constraints are written up.
Time ::= CHOICE {
    utcTime      UTCTime,
    generalTime  GeneralizedTime
}

--(TMTTv2 3.1.7)
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm         AlgorithmIdentifier,
    subjectPublicKey  BIT STRING
}

--(TMTTv2 3.1.9)
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

-- extnValue is an opaque OCTET STRING here; its contents are decoded
-- separately according to extnID.
-- NOTE(review): X.509 requires a consumer to reject a certificate that
-- carries an extnID it does not understand with critical TRUE; confirm
-- that the code using this module does so.
Extension ::= SEQUENCE {
    extnID     OBJECT IDENTIFIER,
    critical   BOOLEAN DEFAULT FALSE,
    extnValue  OCTET STRING
}

UniqueIdentifier ::= BIT STRING

-- (TMTTv2 3.2.1)
AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier              [0] KeyIdentifier OPTIONAL,
    authorityCertIssuer        [1] GeneralNames OPTIONAL,
    authorityCertSerialNumber  [2] CertificateSerialNumber OPTIONAL
}
-- Fixme: our parser can't handle this (the two authorityCert* fields
-- are required to be either both present or both absent):
--    ( WITH COMPONENTS { ..., authorityCertIssuer PRESENT,
--                        authorityCertSerialNumber PRESENT}
--    | WITH COMPONENTS { ..., authorityCertIssuer ABSENT,
--                        authorityCertSerialNumber ABSENT }
--    )

KeyIdentifier ::= OCTET STRING

-- (TMTTv2 3.2.3)
KeyUsage ::= BIT STRING {
    digitalSignature  (0),
    nonRepudiation    (1),
    keyEncipherment   (2),
    dataEncipherment  (3),
    keyAgreement      (4),
    keyCertSign       (5),
    cRLSign           (6),
    encipherOnly      (7),
    decipherOnly      (8)
}

-- (TMTTv2 3.2.5)
CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
    policyIdentifier  CertPolicyId,
    policyQualifiers  SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
}

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {
    policyQualifierId  PolicyQualifierId,
    qualifier          ANY DEFINED BY policyQualifierId
}

PolicyQualifierId ::= OBJECT IDENTIFIER -- missing in TMTTv2 document

-- (TMTTv2 3.2.6)
PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
    issuerDomainPolicy   CertPolicyId,
    subjectDomainPolicy  CertPolicyId
}

-- (TMTTv2 3.2.7)
SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- Name is itself a CHOICE, so the [4] tag on directoryName is applied
-- explicitly despite the module's IMPLICIT TAGS default.
-- NOTE(review): iPAddress is an unconstrained OCTET STRING here; the
-- length check (4 or 16 octets for an address, twice that inside a
-- NameConstraints subtree per X.509) is left to the consumer.
GeneralName ::= CHOICE {
    otherName                  [0] OtherName, -- INSTANCE OF OTHER-NAME
    rfc822Name                 [1] IA5String,
    dNSName                    [2] IA5String,
    x400Address                [3] ORAddress,
    directoryName              [4] Name,
    ediPartyName               [5] EDIPartyName,
    uniformResourceIdentifier  [6] IA5String,
    iPAddress                  [7] OCTET STRING,
    registeredID               [8] OBJECT IDENTIFIER
}

OtherName ::= SEQUENCE {
    type-id  OBJECT IDENTIFIER,
    value    [0] EXPLICIT ANY DEFINED BY type-id
}

EDIPartyName ::= SEQUENCE {
    nameAssigner  [0] DirectoryString OPTIONAL,
    partyName     [1] DirectoryString
}

-- (TMTTv2 3.2.9)
SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute

-- (TMTTv2 3.2.10)
-- No OID is assigned for this extension in this module; the commented
-- assignment uses a placeholder arc.
-- id-biometricData OBJECT IDENTIFIER ::= { fixme 1 }
BiometricData ::= SET OF SEQUENCE {
    typeId  OBJECT IDENTIFIER,
    value   ANY DEFINED BY typeId
}

-- (TMTTv2 3.2.11)
-- pathLenConstraint is only meaningful when cA is TRUE (X.509).
BasicConstraints ::= SEQUENCE {
    cA                 BOOLEAN DEFAULT FALSE,
    pathLenConstraint  INTEGER (0..MAX) OPTIONAL
}

-- (TMTTv2 3.2.12)
NameConstraints ::= SEQUENCE {
    permittedSubtrees  [0] GeneralSubtrees OPTIONAL,
    excludedSubtrees   [1] GeneralSubtrees OPTIONAL
}

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
    base     GeneralName,
    minimum  [0] BaseDistance DEFAULT 0,
    maximum  [1] BaseDistance OPTIONAL
}

BaseDistance ::= INTEGER (0..MAX)

-- (TMTTv2 3.2.13)
-- NOTE(review): this is a SEQUENCE OF; RFC 5280 defines PolicyConstraints
-- as a single SEQUENCE holding the two fields.  Confirm against the
-- TMTTv2 document before relying on this shape.
PolicyConstraintsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
    requireExplicitPolicy  [0] SkipCerts OPTIONAL,
    inhibitPolicyMapping   [1] SkipCerts OPTIONAL
}

SkipCerts ::= INTEGER (0..MAX)

-- (TMTTv2 3.2.14)
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
    distributionPoint  [0] DistributionPointName OPTIONAL,
    reasons            [1] ReasonFlags OPTIONAL,
    cRLIssuer          [2] GeneralNames OPTIONAL
}

DistributionPointName ::= CHOICE {
    fullName                 [0] GeneralNames,
    nameRelativeToCRLIssuer  [1] RelativeDistinguishedName
}

ReasonFlags ::= BIT STRING {
    unused                (0),
    keyCompromise         (1),
    cACompromise          (2),
    affiliationChanged    (3),
    superseded            (4),
    cessationOfOperation  (5),
    certificateHold       (6)
}

-- The four TMTT-specific extensions below have no OID assigned in this
-- module; the commented assignments use a placeholder arc.
-- (TMTTv2 3.2.15)
-- id-issuerCertDistributionPoint OBJECT IDENTIFIER ::= { fixme 28 }
IssuerCertDistributionPoint ::= IA5String

-- (TMTTv2 3.2.16)
-- id-subjectCertDistributionPoint OBJECT IDENTIFIER ::= { fixme 3 }
SubjectCertDistributionPoint ::= IA5String

-- (TMTTv2 3.2.17)
-- id-policyDistributionPoint OBJECT IDENTIFIER ::= { fixme 4 }
PolicyDistributionPoint ::= IA5String

-- (TMTTv2 3.2.18)
-- id-testIdentifier OBJECT IDENTIFIER ::= { fixme 5 }
TestIdentifier ::= UTF8String

--
-- (TMTTv2 4.1)
-- As with Certificate, the algorithm is stated both here and in
-- TBSCertList.signature; a verifier should check that they agree.
CertificateList ::= SEQUENCE {
    tbsCertList         TBSCertList,
    signatureAlgorithm  AlgorithmIdentifier,
    signatureValue      BIT STRING
}

-- nextUpdate is OPTIONAL in the type; the TMTT requirement that it be
-- present is therefore enforced by the consumer, not by this schema.
TBSCertList ::= SEQUENCE {
    version              Version OPTIONAL, -- should be v2 if present
    signature            AlgorithmIdentifier,
    issuer               Name,
    thisUpdate           Time,
    nextUpdate           Time OPTIONAL, -- must be used in TMTT
    revokedCertificates  SEQUENCE OF SEQUENCE {
        userCertificate     CertificateSerialNumber,
        revocationDate      Time,
        crlEntryExtensions  Extensions OPTIONAL -- should be v2 if present
    } OPTIONAL,
    crlExtensions        [0] EXPLICIT Extensions OPTIONAL -- v2 if present
}

-- (TMTTv2 4.2.1)
-- No value 7 is assigned, matching the X.509 CRLReason enumeration.
CRLReason ::= ENUMERATED {
    unspecified           (0), -- not allowed in TMTT
    keyCompromise         (1),
    cACompromise          (2),
    affiliationChanged    (3),
    superseded            (4),
    cessationOfOperation  (5),
    certificateHold       (6),
    removeFromCRL         (8)  -- should not be used because
                               -- Delta-CRLs are not supported
}

-- (TMTTv2 4.2.3)
InvalidityDate ::= GeneralizedTime

-- (TMTTv2 4.2.4)
CertificateIssuer ::= GeneralNames

-- (TMTTv2 4.3.3)
-- NOTE(review): this type and issuingDistributionPoint start with a
-- lowercase letter, which standard ASN.1 reserves for value references;
-- the KSBA parser presumably accepts them as type names.
cRLNumber ::= INTEGER (1..MAX)

-- (TMTTv2 4.3.4)
issuingDistributionPoint ::= SEQUENCE {
    distributionPoint      [0] DistributionPointName OPTIONAL,
    onlyContainsUserCerts  [1] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts    [2] BOOLEAN DEFAULT FALSE,
    onlySomeReasons        [3] ReasonFlags OPTIONAL,
    indirectCRL            [4] BOOLEAN DEFAULT FALSE
}

--
-- PKCS-10
-- The outer request is commented out (SignatureAlgorithmIdentifier and
-- Signature are not defined in this module); only the inner
-- CertificationRequestInfo is usable from here.
-- CertificationRequest ::= SEQUENCE {
--    certificationRequestInfo CertificationRequestInfo,
--    signatureAlgorithm SignatureAlgorithmIdentifier,
--    signature Signature
-- }

-- NOTE(review): the first field is named certificationRequestInfo but
-- holds a Version; this looks like a misnamed copy of the PKCS#10
-- "version" field.  Renaming it would likely change the element path
-- the consuming code uses, so it is only flagged here.
CertificationRequestInfo ::= SEQUENCE {
    certificationRequestInfo  Version,
    subject                   Name,
    subjectPublicKeyInfo      SubjectPublicKeyInfo,
    attributes                [0] IMPLICIT Attributes
}

-- -------------------------
-- x400 address syntax
-- -------------------------
-- All ub-* upper bounds used below are referenced but not defined in
-- this module.
ORAddress ::= SEQUENCE {
    built-in-standard-attributes        BuiltInStandardAttributes,
    built-in-domain-defined-attributes  BuiltInDomainDefinedAttributes OPTIONAL,
    extension-attributes                ExtensionAttributes OPTIONAL
}

BuiltInStandardAttributes ::= SEQUENCE {
    country-name                CountryName OPTIONAL,
    administration-domain-name  AdministrationDomainName OPTIONAL,
    network-address             [0] EXPLICIT NetworkAddress OPTIONAL,
    terminal-identifier         [1] EXPLICIT TerminalIdentifier OPTIONAL,
    private-domain-name         [2] EXPLICIT PrivateDomainName OPTIONAL,
    organization-name           [3] EXPLICIT OrganizationName OPTIONAL,
    numeric-user-identifier     [4] EXPLICIT NumericUserIdentifier OPTIONAL,
    personal-name               [5] EXPLICIT PersonalName OPTIONAL,
    organizational-unit-names   [6] EXPLICIT OrganizationalUnitNames OPTIONAL
}

CountryName ::= [APPLICATION 1] CHOICE {
    x121-dcc-code         NumericString (SIZE (ub-country-name-numeric-length)),
    iso-3166-alpha2-code  PrintableString (SIZE (ub-country-name-alpha-length))
}

AdministrationDomainName ::= [APPLICATION 2] EXPLICIT CHOICE {
    numeric    NumericString (SIZE (0..ub-domain-name-length)),
    printable  PrintableString (SIZE (0..ub-domain-name-length))
}

NetworkAddress ::= X121Address -- see also extended-network-address

X121Address ::= NumericString (SIZE (1..ub-x121-address-length))

TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))

PrivateDomainName ::= CHOICE {
    numeric    NumericString (SIZE (1..ub-domain-name-length)),
    printable  PrintableString (SIZE (1..ub-domain-name-length))
}

OrganizationName ::= PrintableString (SIZE (1..ub-organization-name-length))
-- see also teletex-organization-name

NumericUserIdentifier ::= NumericString (SIZE (1..ub-numeric-user-id-length))

PersonalName ::= SET { -- see also teletex-personal-name
    surname               [0] PrintableString (SIZE (1..ub-surname-length)),
    given-name            [1] PrintableString (SIZE (1..ub-given-name-length)) OPTIONAL,
    initials              [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
    generation-qualifier  [3] PrintableString (SIZE (1..ub-generation-qualifier-length)) OPTIONAL
}

OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) OF OrganizationalUnitName
-- see also teletex-organizational-unit-names

OrganizationalUnitName ::= PrintableString (SIZE (1..ub-organizational-unit-name-length))

BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE (1..ub-domain-defined-attributes) OF BuiltInDomainDefinedAttribute

BuiltInDomainDefinedAttribute ::= SEQUENCE {
    type   PrintableString (SIZE (1..ub-domain-defined-attribute-type-length)),
    value  PrintableString (SIZE (1..ub-domain-defined-attribute-value-length))
}

ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF ExtensionAttribute

ExtensionAttribute ::= SEQUENCE {
    extension-attribute-type   [0] EXPLICIT INTEGER (0..ub-extension-attributes),
    extension-attribute-value  [1] EXPLICIT ANY DEFINED BY extension-attribute-type
}

END