xref: /freebsd-11.0-release/crypto/heimdal/lib/asn1/rfc2459.asn1

-- $Id$ --
-- Definitions from rfc2459/rfc3280

RFC2459 DEFINITIONS ::= BEGIN

IMPORTS heim_any FROM heim;

Version ::=  INTEGER {
	rfc3280_version_1(0), 
	rfc3280_version_2(1),
	rfc3280_version_3(2)
}

id-pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
	rsadsi(113549) pkcs(1) 1 }
id-pkcs1-rsaEncryption OBJECT IDENTIFIER ::=		{ id-pkcs-1 1 }
id-pkcs1-md2WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 2 }
id-pkcs1-md5WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 4 }
id-pkcs1-sha1WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 5 }
id-pkcs1-sha256WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 11 }
id-pkcs1-sha384WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 12 }
id-pkcs1-sha512WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 13 }

id-heim-rsa-pkcs1-x509 OBJECT IDENTIFIER ::= { 1  2 752 43 16 1 }

id-pkcs-2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
	rsadsi(113549) pkcs(1) 2 }
id-pkcs2-md2 OBJECT IDENTIFIER ::=		{ id-pkcs-2 2 }
id-pkcs2-md4 OBJECT IDENTIFIER ::=		{ id-pkcs-2 4 }
id-pkcs2-md5 OBJECT IDENTIFIER ::=		{ id-pkcs-2 5 }

id-rsa-digestAlgorithm OBJECT IDENTIFIER ::= 
{ iso(1) member-body(2) us(840) rsadsi(113549) 2 }

id-rsa-digest-md2 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 2 }
id-rsa-digest-md4 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 4 }
id-rsa-digest-md5 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 5 }

id-pkcs-3 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
	rsadsi(113549) pkcs(1) 3 }

id-pkcs3-rc2-cbc OBJECT IDENTIFIER ::=		{ id-pkcs-3 2 }
id-pkcs3-rc4     OBJECT IDENTIFIER ::=		{ id-pkcs-3 4 }
id-pkcs3-des-ede3-cbc OBJECT IDENTIFIER ::=	{ id-pkcs-3 7 }

id-rsadsi-encalg OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
	rsadsi(113549) 3 }

id-rsadsi-rc2-cbc OBJECT IDENTIFIER ::=		{ id-rsadsi-encalg 2 }
id-rsadsi-des-ede3-cbc OBJECT IDENTIFIER ::=	{ id-rsadsi-encalg 7 }

id-secsig-sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
	oiw(14) secsig(3) algorithm(2) 26 }

id-nistAlgorithm OBJECT IDENTIFIER ::= {
   joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 }
   
id-nist-aes-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 1 }

id-aes-128-cbc OBJECT IDENTIFIER ::=		{ id-nist-aes-algs 2 }
id-aes-192-cbc OBJECT IDENTIFIER ::=		{ id-nist-aes-algs 22 }
id-aes-256-cbc OBJECT IDENTIFIER ::=		{ id-nist-aes-algs 42 }

id-nist-sha-algs OBJECT IDENTIFIER ::=		{ id-nistAlgorithm 2 }

id-sha256 OBJECT IDENTIFIER ::=			{ id-nist-sha-algs 1 }
id-sha224 OBJECT IDENTIFIER ::=			{ id-nist-sha-algs 4 }
id-sha384 OBJECT IDENTIFIER ::=			{ id-nist-sha-algs 2 }
id-sha512 OBJECT IDENTIFIER ::=			{ id-nist-sha-algs 3 }

id-dhpublicnumber OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-x942(10046)
        number-type(2) 1 }

id-x9-57 OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-x942(10046)
	4 }

id-dsa OBJECT IDENTIFIER ::=		{ id-x9-57 1 }
id-dsa-with-sha1 OBJECT IDENTIFIER ::=		{ id-x9-57 3 }

-- x.520 names types

id-x520-at 	OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }

id-at-commonName		OBJECT IDENTIFIER ::= { id-x520-at 3 }
id-at-surname			OBJECT IDENTIFIER ::= { id-x520-at 4 }
id-at-serialNumber		OBJECT IDENTIFIER ::= { id-x520-at 5 }
id-at-countryName		OBJECT IDENTIFIER ::= { id-x520-at 6 }
id-at-localityName		OBJECT IDENTIFIER ::= { id-x520-at 7 }
id-at-stateOrProvinceName	OBJECT IDENTIFIER ::= { id-x520-at 8 }
id-at-streetAddress		OBJECT IDENTIFIER ::= { id-x520-at 9 }
id-at-organizationName		OBJECT IDENTIFIER ::= { id-x520-at 10 }
id-at-organizationalUnitName	OBJECT IDENTIFIER ::= { id-x520-at 11 }
id-at-name			OBJECT IDENTIFIER ::= { id-x520-at 41 }
id-at-givenName			OBJECT IDENTIFIER ::= { id-x520-at 42 }
id-at-initials			OBJECT IDENTIFIER ::= { id-x520-at 43 }
id-at-generationQualifier	OBJECT IDENTIFIER ::= { id-x520-at 44 }
id-at-pseudonym			OBJECT IDENTIFIER ::= { id-x520-at 65 }
-- RFC 2247
id-Userid		      	OBJECT IDENTIFIER ::=
                          { 0 9 2342 19200300 100 1 1 }
id-domainComponent      	OBJECT IDENTIFIER ::=
                          { 0 9 2342 19200300 100 1 25 }


-- rfc3280

id-x509-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}

AlgorithmIdentifier ::= SEQUENCE {
	algorithm	OBJECT IDENTIFIER,
	parameters	heim_any OPTIONAL
}

AttributeType ::=   OBJECT IDENTIFIER

AttributeValue ::=   heim_any

TeletexStringx ::= [UNIVERSAL 20] IMPLICIT OCTET STRING

DirectoryString ::= CHOICE {
	ia5String	IA5String,
	teletexString	TeletexStringx,
	printableString	PrintableString,
	universalString UniversalString,
	utf8String	UTF8String,
	bmpString	BMPString
}

Attribute ::= SEQUENCE {
        type    AttributeType,
        value   SET OF -- AttributeValue -- heim_any
}

AttributeTypeAndValue ::= SEQUENCE {
        type    AttributeType,
        value   DirectoryString
}

RelativeDistinguishedName ::= SET OF AttributeTypeAndValue

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

Name ::= CHOICE {
	rdnSequence  RDNSequence
}

CertificateSerialNumber ::= INTEGER

Time ::= CHOICE {
     utcTime        UTCTime,
     generalTime    GeneralizedTime
}

Validity ::= SEQUENCE {
     notBefore      Time,
     notAfter       Time
}

UniqueIdentifier  ::=  BIT STRING

SubjectPublicKeyInfo  ::=  SEQUENCE  {
     algorithm            AlgorithmIdentifier,
     subjectPublicKey     BIT STRING
}

Extension  ::=  SEQUENCE  {
     extnID      OBJECT IDENTIFIER,
     critical    BOOLEAN OPTIONAL, -- DEFAULT FALSE XXX
     extnValue   OCTET STRING
}

Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
                          -- If present, version shall be v2 or v3
     subjectUniqueID [2]  IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
                          -- If present, version shall be v2 or v3
     extensions      [3]  EXPLICIT Extensions OPTIONAL
                          -- If present, version shall be v3
}

Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signatureValue       BIT STRING
}

Certificates ::= SEQUENCE OF Certificate

ValidationParms ::= SEQUENCE {
	seed		BIT STRING,
	pgenCounter	INTEGER
}

DomainParameters ::= SEQUENCE {
	p		INTEGER, -- odd prime, p=jq +1
	g		INTEGER, -- generator, g
	q		INTEGER, -- factor of p-1
	j		INTEGER OPTIONAL, -- subgroup factor
	validationParms	ValidationParms OPTIONAL -- ValidationParms
}

DHPublicKey ::= INTEGER

OtherName ::= SEQUENCE {
	type-id    OBJECT IDENTIFIER,
	value      [0] EXPLICIT heim_any
}

GeneralName ::= CHOICE {
	otherName			[0]     IMPLICIT -- OtherName -- SEQUENCE {
		type-id    OBJECT IDENTIFIER,
		value      [0] EXPLICIT heim_any
	},
	rfc822Name			[1]     IMPLICIT IA5String,
	dNSName				[2]     IMPLICIT IA5String,
--	x400Address			[3]     IMPLICIT ORAddress,--
	directoryName			[4]     IMPLICIT -- Name -- CHOICE {
		rdnSequence  RDNSequence
	},
--	ediPartyName			[5]     IMPLICIT EDIPartyName, --
	uniformResourceIdentifier	[6]     IMPLICIT IA5String,
	iPAddress			[7]     IMPLICIT OCTET STRING,
	registeredID			[8]     IMPLICIT OBJECT IDENTIFIER
}

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

id-x509-ce-keyUsage OBJECT IDENTIFIER ::=  { id-x509-ce 15 }

KeyUsage ::= BIT STRING {
	digitalSignature	(0),
	nonRepudiation		(1),
	keyEncipherment		(2),
	dataEncipherment	(3),
	keyAgreement		(4),
	keyCertSign		(5),
	cRLSign			(6),
	encipherOnly		(7),
	decipherOnly		(8)
}

id-x509-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-x509-ce 35 }

KeyIdentifier ::= OCTET STRING

AuthorityKeyIdentifier ::= SEQUENCE {
	keyIdentifier             [0] IMPLICIT OCTET STRING OPTIONAL,
	authorityCertIssuer       [1] IMPLICIT -- GeneralName -- 
		SEQUENCE -- SIZE (1..MAX) -- OF GeneralName OPTIONAL, 
	authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL
}

id-x509-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-x509-ce 14 }

SubjectKeyIdentifier ::= KeyIdentifier

id-x509-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-x509-ce 19 }

BasicConstraints ::= SEQUENCE {
	cA                      BOOLEAN OPTIONAL -- DEFAULT FALSE --,
	pathLenConstraint	INTEGER (0..4294967295) OPTIONAL 
}

id-x509-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-x509-ce 30 }

BaseDistance ::= INTEGER -- (0..MAX) --

GeneralSubtree ::= SEQUENCE {
	base			GeneralName,
	minimum		[0]	IMPLICIT -- BaseDistance -- INTEGER OPTIONAL -- DEFAULT 0 --,
	maximum		[1]	IMPLICIT -- BaseDistance -- INTEGER OPTIONAL
}

GeneralSubtrees ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralSubtree

NameConstraints ::= SEQUENCE {
	permittedSubtrees       [0]     IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL,
	excludedSubtrees        [1]     IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL
}

id-x509-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-x509-ce 16 }
id-x509-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-x509-ce 32 }
id-x509-ce-policyMappings OBJECT IDENTIFIER ::=  { id-x509-ce 33 }
id-x509-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-x509-ce 17 }
id-x509-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-x509-ce 18 }
id-x509-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-x509-ce 9 }
id-x509-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-x509-ce 36 }

id-x509-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-x509-ce 37}

ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER

id-x509-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-x509-ce 31 }
id-x509-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-x509-ce 27 }
id-x509-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-x509-ce 28 }
id-x509-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-x509-ce 23 }
id-x509-ce-invalidityDate OBJECT IDENTIFIER ::= { id-x509-ce 24 }
id-x509-ce-certificateIssuer   OBJECT IDENTIFIER ::= { id-x509-ce 29 }
id-x509-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-x509-ce 54 }

DistributionPointReasonFlags ::= BIT STRING {
	unused                  (0),
	keyCompromise           (1),
	cACompromise            (2),
	affiliationChanged      (3),
	superseded              (4),
	cessationOfOperation    (5),
	certificateHold         (6),
	privilegeWithdrawn      (7),
	aACompromise            (8)
}

DistributionPointName ::= CHOICE {
	fullName                [0]     IMPLICIT -- GeneralNames --  SEQUENCE SIZE (1..MAX) OF GeneralName,
	nameRelativeToCRLIssuer [1]     RelativeDistinguishedName
}

DistributionPoint ::= SEQUENCE {
	distributionPoint       [0]     IMPLICIT heim_any -- DistributionPointName -- OPTIONAL,
	reasons                 [1]     IMPLICIT heim_any -- DistributionPointReasonFlags -- OPTIONAL,
	cRLIssuer               [2]     IMPLICIT heim_any -- GeneralNames -- OPTIONAL
}

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint


-- rfc3279

DSASigValue  ::=  SEQUENCE {
	r	INTEGER,
	s	INTEGER
}

DSAPublicKey ::= INTEGER

DSAParams  ::=  SEQUENCE {
	p	INTEGER,
	q	INTEGER,
	g	INTEGER
}

-- really pkcs1

RSAPublicKey ::= SEQUENCE {
	modulus INTEGER, -- n
	publicExponent INTEGER -- e
}

RSAPrivateKey ::= SEQUENCE {
	version INTEGER (0..4294967295),
	modulus INTEGER, -- n
	publicExponent INTEGER, -- e
	privateExponent INTEGER, -- d
	prime1 INTEGER, -- p
	prime2 INTEGER, -- q
	exponent1 INTEGER, -- d mod (p-1)
	exponent2 INTEGER, -- d mod (q-1)
	coefficient INTEGER -- (inverse of q) mod p
}

DigestInfo ::= SEQUENCE {
	digestAlgorithm AlgorithmIdentifier,
	digest OCTET STRING
}

-- some ms ext

-- szOID_ENROLL_CERTTYPE_EXTENSION "1.3.6.1.4.1.311.20.2" is Encoded as a

-- UNICODESTRING (0x1E tag)

-- szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" is Encoded as:

-- TemplateVersion ::= INTEGER (0..4294967295) 

-- CertificateTemplate ::= SEQUENCE {
--	templateID OBJECT IDENTIFIER,
--	templateMajorVersion TemplateVersion,
--	templateMinorVersion TemplateVersion OPTIONAL
-- }


--
-- CRL
-- 

TBSCRLCertList ::=  SEQUENCE  {
	version			Version OPTIONAL, -- if present, MUST be v2
	signature		AlgorithmIdentifier,
	issuer			Name,
	thisUpdate		Time,
	nextUpdate		Time OPTIONAL,
	revokedCertificates     SEQUENCE OF SEQUENCE  {
		userCertificate         CertificateSerialNumber,
		revocationDate          Time,
		crlEntryExtensions      Extensions OPTIONAL
						-- if present, MUST be v2
	} OPTIONAL,
	crlExtensions		[0] EXPLICIT Extensions OPTIONAL
						-- if present, MUST be v2
}


CRLCertificateList ::=  SEQUENCE  {
	tbsCertList          TBSCRLCertList,
	signatureAlgorithm   AlgorithmIdentifier,
	signatureValue       BIT STRING
}

id-x509-ce-cRLNumber OBJECT IDENTIFIER ::= { id-x509-ce 20 }
id-x509-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-x509-ce 46 }
id-x509-ce-cRLReason OBJECT IDENTIFIER ::= { id-x509-ce 21 }

CRLReason ::= ENUMERATED {
	unspecified             (0),
	keyCompromise           (1),
	cACompromise            (2),
	affiliationChanged      (3),
	superseded              (4),
	cessationOfOperation    (5),
	certificateHold         (6),
	removeFromCRL           (8),
	privilegeWithdrawn      (9),
	aACompromise           (10)
}

PKIXXmppAddr ::= UTF8String

id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
            dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

id-pkix-on OBJECT IDENTIFIER ::= { id-pkix 8 }
id-pkix-on-xmppAddr OBJECT IDENTIFIER ::= { id-pkix-on 5 }
id-pkix-on-dnsSRV OBJECT IDENTIFIER ::= { id-pkix-on 7 }

id-pkix-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
id-pkix-kp-serverAuth OBJECT IDENTIFIER ::= { id-pkix-kp 1 }
id-pkix-kp-clientAuth OBJECT IDENTIFIER ::= { id-pkix-kp 2 }
id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 }
id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 }
id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 }

id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 }

id-pkix-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 1 }

AccessDescription  ::=  SEQUENCE {
	accessMethod          OBJECT IDENTIFIER,
	accessLocation        GeneralName
}

AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription

-- RFC 3820 Proxy Certificate Profile

id-pkix-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }

id-pkix-ppl  OBJECT IDENTIFIER ::= { id-pkix 21 }

id-pkix-ppl-anyLanguage     OBJECT IDENTIFIER ::= { id-pkix-ppl 0 }
id-pkix-ppl-inheritAll      OBJECT IDENTIFIER ::= { id-pkix-ppl 1 }
id-pkix-ppl-independent     OBJECT IDENTIFIER ::= { id-pkix-ppl 2 }

ProxyPolicy ::= SEQUENCE {
	policyLanguage		OBJECT IDENTIFIER,
	policy			OCTET STRING OPTIONAL
}

ProxyCertInfo ::= SEQUENCE {
	pCPathLenConstraint	INTEGER (0..4294967295) OPTIONAL, -- really MAX
	proxyPolicy		ProxyPolicy
}

--- U.S. Federal PKI Common Policy Framework
-- Card Authentication key
id-uspkicommon-card-id OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 6 }
id-uspkicommon-piv-interim OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 9 1 }

--- Netscape extentions

id-netscape OBJECT IDENTIFIER ::= 
    { joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) }
id-netscape-cert-comment OBJECT IDENTIFIER ::= { id-netscape 1 13 }

--- MS extentions

id-ms-cert-enroll-domaincontroller OBJECT IDENTIFIER ::= 
    { 1 3 6 1 4 1 311 20 2 }

id-ms-client-authentication OBJECT IDENTIFIER ::= 
 { 1 3 6 1 5 5 7 3 2 }

-- DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72

END