[cabfpub] CA/Browser Forum ASN.1 module
Peter Bowen
pzb at amzn.com
Mon Feb 27 17:25:40 UTC 2017
There have been some questions about expected ASN.1 grammar for BR & EV certificates. I’ve created a module that attempts to collect it all.
I found a couple of errors in the Tor appendix. I think I got the intent right, but can someone please confirm?
Li-Chun: does this resolve your concerns about lack of documentation?
Thanks,
Peter
CABFSelectedAttributeTypes {joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) module(4) cabfSelectedAttributeTypes(1) 1}
DEFINITIONS ::=
BEGIN
-- EXPORTS All
-- The types and values defined in this module are exported for use in X.509
-- certificates that comply with CA/Browser Forum guidelines. Some definitions
-- are taken from Rec. ITU-T X.520 | ISO/IEC 9594-6, but the Forum does not
-- assume the existence of a Directory, Directory Information Base (DIB), or
-- Directory Information Tree. CABFName does not have tree semantics except
-- when being processed for name constraints.
IMPORTS
-- from Rec. ITU-T X.501 | ISO/IEC 9594-2
informationFramework, authenticationFramework, selectedAttributeTypes, ID, ldap-enterprise
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 7}
-- ATTRIBUTE is the information object class used by every attribute definition below
ATTRIBUTE, Attribute{}, AttributeTypeAndValue
FROM InformationFramework informationFramework
-- from Rec. ITU-T X.509 | ISO/IEC 9594-8
-- EXTENSION is the information object class used by torServiceDescriptor
EXTENSION
FROM AuthenticationFramework authenticationFramework
-- from the X.500 series
ub-common-name, ub-surname, ub-organization-name, ub-street-address, ub-locality-name,
ub-state-name, ub-postal-code, ub-organizational-unit-name, ub-business-category,
ub-serial-number
FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 7}
-- from Rec. ITU-T X.520 | ISO/IEC 9594-6
-- directoryString, countryString and printableString are the LDAP syntax objects
-- referenced by the LDAP-SYNTAX fields below
DirectoryString{}, UnboundedDirectoryString, caseIgnoreMatch, caseIgnoreSubstringsMatch,
CountryName, id-at-commonName, id-at-surname, id-at-givenName,
id-at-organizationName, id-at-streetAddress, id-at-localityName, id-at-stateOrProvinceName,
id-at-postalCode, id-at-countryName, id-at-organizationalUnitName, name, id-at-serialNumber,
id-at-businessCategory, octetStringMatch, directoryString, countryString, printableString
FROM SelectedAttributeTypes selectedAttributeTypes
-- from IETF RFC 5280: the unparameterised AlgorithmIdentifier used by the EV Tor appendix
AlgorithmIdentifier
FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18)};
-- to be used as TBSCertificate.subject and TBSCertificate.issuer;
-- when encoded using BER/CER/DER it can be decoded as an RDNSequence
CABFName ::= SEQUENCE OF SET SIZE (1..MAX) OF AttributeTypeAndValue
cabfCommonName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX DirectoryString{ub-common-name}
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"cn", "commonName"}
ID id-at-commonName }
cabfSurname ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX DirectoryString{ub-surname}
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"sn"}
ID id-at-surname }
cabfGivenName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX UnboundedDirectoryString
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"givenName"}
ID id-at-givenName }
cabfOrganizationName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX DirectoryString{ub-organization-name}
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"o"}
ID id-at-organizationName }
cabfStreetAddress ATTRIBUTE ::= {
WITH SYNTAX DirectoryString{ub-street-address}
EQUALITY MATCHING RULE caseIgnoreMatch
SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"street"}
ID id-at-streetAddress }
cabfLocalityName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX DirectoryString{ub-locality-name}
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"l"}
ID id-at-localityName }
cabfStateOrProvinceName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX DirectoryString{ub-state-name}
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"st"}
ID id-at-stateOrProvinceName }
cabfPostalCode ATTRIBUTE ::= {
WITH SYNTAX DirectoryString{ub-postal-code}
EQUALITY MATCHING RULE caseIgnoreMatch
SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"postalCode"}
ID id-at-postalCode }
cabfCountryName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX CountryName
SINGLE VALUE TRUE
LDAP-SYNTAX countryString.&id
LDAP-NAME {"c"}
ID id-at-countryName }
cabfOrganizationalUnitName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX DirectoryString{ub-organizational-unit-name}
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"ou"}
ID id-at-organizationalUnitName }
cabfBusinessCategory ATTRIBUTE ::= {
WITH SYNTAX DirectoryString{ub-business-category}
EQUALITY MATCHING RULE caseIgnoreMatch
SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"businessCategory"}
ID id-at-businessCategory }
cabfSerialNumber ATTRIBUTE ::= {
WITH SYNTAX PrintableString(SIZE (1..ub-serial-number))
EQUALITY MATCHING RULE caseIgnoreMatch
SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
LDAP-SYNTAX printableString.&id
LDAP-NAME {"serialNumber"}
ID id-at-serialNumber }
id-evat-joi ID ::= {ldap-enterprise 311 ev(60) 2 1}
id-evat-joi-localityName ID ::= {id-evat-joi 1}
id-evat-joi-stateOrProvinceName ID ::= {id-evat-joi 2}
id-evat-joi-countryName ID ::= {id-evat-joi 3}
jurisdictionLocalityName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX DirectoryString{ub-locality-name}
LDAP-SYNTAX directoryString.&id
ID id-evat-joi-localityName }
jurisdictionStateOrProvinceName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX DirectoryString{ub-state-name}
LDAP-SYNTAX directoryString.&id
ID id-evat-joi-stateOrProvinceName }
jurisdictionCountryName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX CountryName
SINGLE VALUE TRUE
LDAP-SYNTAX countryString.&id
ID id-evat-joi-countryName }
cabf ID ::= { joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) }
cabf-policies ID ::= { cabf certificate-policies(1) }
torServiceDescriptor EXTENSION ::= {
SYNTAX TorServiceDescriptorSyntax
IDENTIFIED BY cabf-TorServiceDescriptor }
cabf-TorServiceDescriptor OBJECT IDENTIFIER ::= { cabf-policies 31 }
TorServiceDescriptorSyntax ::= SEQUENCE SIZE (1..MAX) OF TorServiceDescriptorHash
TorServiceDescriptorHash ::= SEQUENCE {
onionURI UTF8String,
algorithm AlgorithmIdentifier,
subjectPublicKeyHash BIT STRING
}
caSigningNonce ATTRIBUTE ::= {
WITH SYNTAX OCTET STRING
EQUALITY MATCHING RULE octetStringMatch
SINGLE VALUE TRUE
ID cabf-caSigningNonce }
cabf-caSigningNonce OBJECT IDENTIFIER ::= { cabf 41 }
applicantSigningNonce ATTRIBUTE ::= {
WITH SYNTAX OCTET STRING
EQUALITY MATCHING RULE octetStringMatch
SINGLE VALUE TRUE
ID cabf-applicantSigningNonce }
cabf-applicantSigningNonce OBJECT IDENTIFIER ::= { cabf 42 }
END
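As an added illustration (not code from Peter's post, nor from the Forum), here is a stdlib-only Python script that walks a DER-encoded subject and reports violations of the CABFName and attribute constraints defined in the module (non-empty SETs, the string types each WITH SYNTAX allows, SIZE bounds, SINGLE VALUE), and that encodes and re-parses the corrected TorServiceDescriptorSyntax. The upper-bound values are assumed from RFC 5280 Appendix A where they overlap with the X.520 imports, the DirectoryString alternatives from X.520, and the hash algorithm shown is SHA-256 by OID only; the subjects and the 32-byte hash are constructed sample data.

```python
# Added example, not part of Peter Bowen's post or the CA/Browser Forum module.
# Minimal DER walker (stdlib only): checks a subject against the CABFName /
# ATTRIBUTE constraints and round-trips the corrected TorServiceDescriptorSyntax.
# Upper bounds assumed from RFC 5280 Appendix A; all sample data is constructed.
from typing import Dict, List, Optional, Tuple

PRINTABLE, UTF8, SEQ, SET_, OID, BITSTR = 0x13, 0x0C, 0x30, 0x31, 0x06, 0x03


def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value using the shortest definite length form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(OID, bytes(out))


def decode_oid(val: bytes) -> str:
    arcs, cur = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(body: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse(body, pos)
        out.append((tag, val))
    return out


# DirectoryString alternatives (X.520) and the codec used to count characters.
DIRSTRING = {PRINTABLE: "ascii", UTF8: "utf-8", 0x14: "latin-1", 0x1E: "utf-16-be", 0x1C: "utf-32-be"}
# OID -> (name, allowed string tags, min chars, max chars or None, SINGLE VALUE)
RULES: Dict[str, Tuple[str, Dict[int, str], int, Optional[int], bool]] = {
    "2.5.4.3": ("commonName", DIRSTRING, 1, 64, False),
    "2.5.4.6": ("countryName", {PRINTABLE: "ascii"}, 2, 2, True),  # CountryName, SINGLE VALUE
    "2.5.4.10": ("organizationName", DIRSTRING, 1, 64, False),
    "2.5.4.7": ("localityName", DIRSTRING, 1, 128, False),
    "2.5.4.8": ("stateOrProvinceName", DIRSTRING, 1, 128, False),
    "2.5.4.5": ("serialNumber", {PRINTABLE: "ascii"}, 1, 64, False),
    "2.5.4.42": ("givenName", DIRSTRING, 1, None, False),  # UnboundedDirectoryString
}


def check_subject(der: bytes) -> List[str]:
    """Return the violations of the CABFName/attribute grammar (empty list = clean)."""
    problems, seen = [], {}
    tag, body, _ = parse(der)
    if tag != SEQ:
        return ["subject is not a SEQUENCE"]
    for i, (stag, rdn) in enumerate(children(body)):
        avas = children(rdn)
        if stag != SET_ or not avas:
            problems.append(f"RDN {i}: must be a non-empty SET (CABFName SIZE (1..MAX))")
            continue
        for _, ava in avas:
            (_, t), (vtag, val) = children(ava)  # AttributeTypeAndValue
            rule = RULES.get(decode_oid(t))
            if rule is None:
                problems.append(f"RDN {i}: attribute {decode_oid(t)} is not in the module")
                continue
            name, tags, lo, hi, single = rule
            seen[name] = seen.get(name, 0) + 1
            if single and seen[name] > 1:
                problems.append(f"{name}: SINGLE VALUE TRUE but appears {seen[name]} times")
            if vtag not in tags:
                problems.append(f"{name}: tag 0x{vtag:02x} not allowed by its WITH SYNTAX")
                continue
            try:
                n = len(val.decode(tags[vtag]))
            except UnicodeDecodeError:
                problems.append(f"{name}: value is not valid {tags[vtag]}")
                continue
            if n < lo or (hi is not None and n > hi):
                problems.append(f"{name}: {n} chars, outside SIZE ({lo}..{hi or 'MAX'})")
    return problems


def ava(o: str, tag: int, text: str) -> bytes:
    """One single-valued RDN: SET { SEQUENCE { type, value } }."""
    return tlv(SET_, tlv(SEQ, oid(o) + tlv(tag, text.encode(DIRSTRING[tag]))))


# Constructed sample subjects (not taken from any real certificate).
GOOD_SUBJECT = tlv(SEQ, ava("2.5.4.6", PRINTABLE, "US") + ava("2.5.4.10", UTF8, "Example Corp")
                   + ava("2.5.4.3", UTF8, "example.com"))
BAD_SUBJECT = tlv(SEQ, ava("2.5.4.6", UTF8, "USA") + ava("2.5.4.6", PRINTABLE, "US")
                  + ava("2.5.4.3", UTF8, "x" * 65))


def tor_service_descriptor(onion_uri: str, hash_alg: str, key_hash: bytes) -> bytes:
    """SEQUENCE SIZE (1..MAX) OF SEQUENCE { onionURI, algorithm, subjectPublicKeyHash }."""
    alg = tlv(SEQ, oid(hash_alg))           # AlgorithmIdentifier with parameters absent
    bits = tlv(BITSTR, b"\x00" + key_hash)  # leading octet = number of unused bits (0)
    return tlv(SEQ, tlv(SEQ, tlv(UTF8, onion_uri.encode("utf-8")) + alg + bits))


def parse_tor_service_descriptor(der: bytes) -> List[Tuple[str, str, bytes]]:
    """Decode back to (onionURI, hash algorithm OID, hash bytes) per entry."""
    out = []
    for _, item in children(parse(der)[1]):
        (_, uri), (_, alg), (_, bits) = children(item)
        out.append((uri.decode("utf-8"), decode_oid(children(alg)[0][1]), bits[1:]))
    return out
```

Running `check_subject(BAD_SUBJECT)` reports three violations: a UTF8String countryName (CountryName is PrintableString only), a second countryName (SINGLE VALUE TRUE), and a 65-character commonName (ub-common-name is 64). `tor_service_descriptor("https://example.onion", "2.16.840.1.101.3.4.2.1", bytes(32))` produces the DER for one descriptor entry with a SHA-256 AlgorithmIdentifier and a constructed all-zero hash, and `parse_tor_service_descriptor` returns it as a `(uri, oid, hash)` tuple.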