HTML Annotations, Copyright 1996, T.M.A. Lomas,
Computer Security Group,
University of Cambridge
Computer Laboratory.
All Rights Reserved.
These are based upon a protocol description issued 8th August 1996 by MasterCard and VISA, who we presume to retain copyright in the text of these documents.
Permission is granted to use or distribute these files provided this copyright information is preserved, and subject to any conditions imposed by MasterCard and VISA.
1372 SetCertificateExtensions DEFINITIONS IMPLICIT TAGS ::= BEGIN -- IMPLICIT TAGS: a [n] tag replaces the underlying tag unless EXPLICIT is written
1373
1374 --
1375 -- Defines X.509 Version 3 certificate extensions.
-- Each extension is an EXTENSION information object (class below) and ExtensionSet is
-- the table of extensions this module recognises; Extension.extnID is constrained to
-- that table. Extensions declared CRITICAL TRUE carry the X.509 critical semantics:
-- a relying party that does not implement one must reject the certificate rather
-- than ignore the extension.
1376 --
1377
1378 -- EXPORTS All; -- commented out; with no EXPORTS clause ASN.1 exports every assignment anyway
1379
1380 IMPORTS
1381
1382 DirectoryString {}, Name, ub-name -- parameterised string type, X.500 name, and the bound used by EDIPartyName
1383 FROM SetAttribute
1384
1385 CertificateSerialNumber -- used by AuthorityKeyIdentifier
1386 FROM SetCertificate
1387
1388 BIN, MerchantID -- used by MerchantDataSyntax
1389 FROM SetMessage
1390
1391 DAlgorithmIdentifier, DetachedDigest, Digest -- used by RootKeyThumb and SETQualifierSyntax
1392 FROM SetPKCS7Plus;
1393
1394
1395 -- X.509v3 Certificate Extensions
1396
1397 EXTENSION ::= CLASS { -- information object class describing one extension
1398 &id OBJECT IDENTIFIER UNIQUE, -- the extnID; UNIQUE makes it the lookup key of ExtensionSet
1399 &critical BOOLEAN DEFAULT FALSE, -- non-critical unless the object says CRITICAL TRUE
1400 &ExtenType -- open type: the value carried DER-encoded in Extension.extnValue
1401 }
1402 WITH SYNTAX {
1403 SYNTAX &ExtenType
1404 [ CRITICAL &critical ]
1405 IDENTIFIED BY &id
1406 }
1407
1408 Extensions ::= SEQUENCE OF Extension -- no SIZE constraint: an empty list is a legal value
1409
1410 ExtensionSet EXTENSION ::= { -- Information Object Set
-- The set has no "..." extension marker, so it is closed: an extnID outside this
-- list does not satisfy the constraint on Extension, and the module offers no way
-- to carry an unrecognised extension.
1411 --
1412 -- Standard X.509v3 extensions
1413 --
1414 authorityKeyIdentifier |
1415 subjectKeyIdentifier |
1416 keyUsage |
1417 privateKeyUsagePeriod |
1418 certificatePolicies |
1419 subjectAltName |
1420 issuerAltName |
1421 basicConstraints |
1422 cRLNumber |
1423 --
1424 -- SET Private extensions
1425 --
1426 hashedRootKey |
1427 certificateType |
1428 merchantData |
1429 cardCertRequired |
1430 tunneling |
1431 setQualifier
1432 }
1433
1434 Extension ::= SEQUENCE {
1435 extnID EXTENSION.&id({ExtensionSet}), -- must be an &id listed in ExtensionSet
1436 critical EXTENSION.&critical({ExtensionSet}{@extnID}), -- fixed by the row ExtensionSet selects for extnID
1437 extnValue OCTET STRING -- DER representation of &ExtenType extension
1438 -- object for the object identified by extnID
1439 }
1440
1441 -- Key and policy information extensions --
1442
1443 authorityKeyIdentifier EXTENSION ::= { -- non-critical: identifies the issuer key that signed this certificate
1444 SYNTAX AuthorityKeyIdentifier
1445 IDENTIFIED BY { id-ce-authorityKeyIdentifier }
1446 }
1447
1448 AuthorityKeyIdentifier ::= SEQUENCE {
1449 keyIdentifier [0] KeyIdentifier OPTIONAL,
1450 authorityCertIssuer [1] GeneralNames OPTIONAL,
1451 authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL
1452 } ( WITH COMPONENTS { ..., -- issuer name and serial number appear together or not at all; keyIdentifier alone, or nothing, is also legal
1453 authorityCertIssuer PRESENT, authorityCertSerialNumber PRESENT } |
1454 WITH COMPONENTS { ...,
1455 authorityCertIssuer ABSENT, authorityCertSerialNumber ABSENT } )
1456
1457 KeyIdentifier ::= OCTET STRING -- opaque; how it is derived from the public key is not specified in this module
1458
1459 subjectKeyIdentifier EXTENSION ::= { -- non-critical
1460 SYNTAX SubjectKeyIdentifier
1461 IDENTIFIED BY { id-ce-subjectKeyIdentifier }
1462 }
1463
1464 SubjectKeyIdentifier ::= KeyIdentifier
1465
1466 keyUsage EXTENSION ::= { -- critical: a verifier must not use the key for an operation whose bit is clear
1467 SYNTAX KeyUsage
1468 CRITICAL TRUE
1469 IDENTIFIED BY { id-ce-keyUsage }
1470 }
1471
1472 KeyUsage ::= BIT STRING { -- named bits; DER drops trailing zero bits, so the encoded length varies with the highest bit set
1473 digitalSignature (0),
1474 nonRepudiation (1),
1475 keyEncipherment (2),
1476 dataEncipherment (3),
1477 keyAgreement (4),
1478 keyCertSign (5), -- For use in CA-certificates only
1479 cRLSign (6) -- For use in CA-certificates only
1480 }
1481
1482 privateKeyUsagePeriod EXTENSION ::= { -- critical: bounds the private key's signing period independently of the certificate validity period
1483 SYNTAX PrivateKeyUsagePeriod
1484 CRITICAL TRUE
1485 IDENTIFIED BY { id-ce-privateKeyUsagePeriod }
1486 }
1487
1488 PrivateKeyUsagePeriod ::= SEQUENCE {
1489 notBefore [0] GeneralizedTime OPTIONAL, -- DER requires the UTC ("Z") form of GeneralizedTime
1490 notAfter [1] GeneralizedTime OPTIONAL
1491 } ( WITH COMPONENTS { ..., notBefore PRESENT } | -- at least one of the two bounds must be present
1492 WITH COMPONENTS { ..., notAfter PRESENT } )
1493
1494 certificatePolicies EXTENSION ::= { -- critical; when present it names at least one policy (SIZE below)
1495 SYNTAX CertificatePoliciesSyntax
1496 CRITICAL TRUE
1497 IDENTIFIED BY { id-ce-certificatePolicies }
1498 }
1499
1500 CertificatePoliciesSyntax ::= SEQUENCE SIZE(1..MAX) OF PolicyInformation -- at least one policy
1501
1502 PolicyInformation ::= SEQUENCE {
1503 policyIdentifier CertPolicyId,
1504 policyQualifiers SEQUENCE SIZE(1..MAX) OF -- if present, holds at least one qualifier
1505 PolicyQualifierInfo OPTIONAL
1506 }
1507
1508 CertPolicyId ::= OBJECT IDENTIFIER
1509
1510 PolicyQualifierInfo ::= SEQUENCE {
1511 policyQualifierId CERT-POLICY-QUALIFIER.&id
1512 ({SupportedPolicyQualifiers}),
1513 qualifier CERT-POLICY-QUALIFIER.&Qualifier -- open type; its shape is whatever the qualifier OID implies
1514 ({SupportedPolicyQualifiers}{@policyQualifierId})
1515 OPTIONAL
1516 }
1517
1518 SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::= { ... } -- empty but extensible: any qualifier OID satisfies the constraint
1519
1520 CERT-POLICY-QUALIFIER ::= CLASS { -- information object class for one policy qualifier
1521 &id OBJECT IDENTIFIER UNIQUE,
1522 &Qualifier OPTIONAL -- a qualifier may be an OID alone, with no value
1523 }
1524 WITH SYNTAX {
1525 POLICY-QUALIFIER-ID &id
1526 [ QUALIFIER-TYPE &Qualifier ]
1527 }
1528
1529 -- Certificate subject and certificate issuer attributes extensions --
1530
1531 subjectAltName EXTENSION ::= { -- non-critical
1532 SYNTAX GeneralNames
1533 IDENTIFIED BY { id-ce-subjectAltName }
1534 }
1535
1536 GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName -- at least one name
1537
1538 GeneralName ::= CHOICE { -- all X.509 alternatives are kept (tag numbers unchanged) but the constraint below admits only directoryName
1539 otherName [0] INSTANCE OF OTHER-NAME,
1540 rfc822Name [1] IA5String,
1541 dNSName [2] IA5String,
1542 x400Address [3] EXPLICIT OR-ADDRESS.&Type, -- open types cannot take an implicit tag, hence EXPLICIT
1543 directoryName [4] EXPLICIT Name, -- Only choice in Set
1544 ediPartyName [5] EDIPartyName,
1545 uniformResourceIdentifier [6] IA5String,
1546 iPAddress [7] OCTET STRING,
1547 registeredID [8] OBJECT IDENTIFIER
1548
1549 } (WITH COMPONENTS { directoryName PRESENT }) -- a decoder following this module must reject every other alternative
1550
1551 OTHER-NAME ::= TYPE-IDENTIFIER -- built-in useful class: &id OBJECT IDENTIFIER plus an open &Type
1552
1553 EDIPartyName ::= SEQUENCE {
1554 nameAssigner [0] EXPLICIT DirectoryString { ub-name } OPTIONAL, -- EXPLICIT presumably because DirectoryString (from SetAttribute) is a CHOICE; confirm
1555 partyName [1] EXPLICIT DirectoryString { ub-name }
1556 }
1557
1558 OR-ADDRESS ::= TYPE-IDENTIFIER
1559
1560 issuerAltName EXTENSION ::= { -- non-critical; same syntax and directoryName-only constraint as subjectAltName
1561 SYNTAX GeneralNames
1562 IDENTIFIED BY { id-ce-issuerAltName }
1563 }
1564
1565 -- Certification path constraints extensions --
1566
1567 basicConstraints EXTENSION ::= { -- critical: a verifier must check cA before accepting this certificate as an issuer
1568 SYNTAX BasicConstraintsSyntax
1569 CRITICAL TRUE
1570 IDENTIFIED BY { id-ce-basicConstraints }
1571 }
1572
1573 BasicConstraintsSyntax ::= SEQUENCE {
1574 cA BOOLEAN DEFAULT FALSE, -- DER: omitted when FALSE; an explicitly encoded FALSE is not valid DER
1575 pathLenConstraint INTEGER (0..MAX) OPTIONAL -- meaningful only when cA is TRUE (X.509)
1576 }
1577
1578 -- Basic CRL extensions --
1579
1580 cRLNumber EXTENSION ::= { -- For use in CRLs only
1581 SYNTAX CRLNumber
1582 IDENTIFIED BY { id-ce-cRLNumber }
1583 }
1584
1585 CRLNumber ::= INTEGER (0..MAX) -- increases with each CRL the issuer publishes (X.509), letting a verifier detect a stale or replayed CRL
1586
1587 -- Set protocol private extensions --
1588
1589 hashedRootKey EXTENSION ::= { -- Only in root certificates
1590 SYNTAX HashedRootKeySyntax
1591 CRITICAL TRUE
1592 IDENTIFIED BY { id-set-hashedRootKey }
1593 }
1594
1595 HashedRootKeySyntax ::= RootKeyThumb
1596
1597 RootKeyThumb ::= SEQUENCE {
1598 digestAlgorithm DAlgorithmIdentifier -- (sha1) --, -- the parenthesised comment is the only hint of the intended algorithm; no constraint enforces it
1599 rootKeyThumbprint Digest -- NOTE(review): which key is digested (this root key or its successor) is not stated here; confirm against the SET specification
1600 }
1601
1602 certificateType EXTENSION ::= { -- critical: states the role(s) the subject holds in the SET certificate hierarchy
1603 SYNTAX CertificateTypeSyntax
1604 CRITICAL TRUE
1605 IDENTIFIED BY { id-set-certificateType }
1606 }
1607
1608 CertificateTypeSyntax ::= BIT STRING { -- more than one bit may be set; a verifier should test the bit for the role actually claimed, not merely that some bit is set
1609 card (0), -- presumably: card = cardholder, mer = merchant, pgwy = payment gateway, acq = acquirer,
1610 mer (1), -- and cca/mca/pca/gca/bca/rca the cardholder, merchant, payment-gateway, geopolitical,
1611 pgwy (2), -- brand and root CAs; confirm against the SET specification
1612 cca (3),
1613 mca (4),
1614 pca (5),
1615 gca (6),
1616 bca (7),
1617 rca (8),
1618 acq (9)
1619 }
1620
1621 merchantData EXTENSION ::= { -- non-critical
1622 SYNTAX MerchantDataSyntax
1623 IDENTIFIED BY { id-set-merchantData }
1624 }
1625
1626 MerchantDataSyntax ::= SEQUENCE {
1627 merID MerchantID,
1628 merAcquirerBIN BIN,
1629 merName DirectoryString { ub-merName }, -- string lengths are bounded by the ub-* values declared near the end of the module
1630 merCity DirectoryString { ub-merCity },
1631 merStateProvince DirectoryString { ub-merStateProvince },
1632 merPostalCode DirectoryString { ub-merPostalCode },
1633 merCountry DirectoryString { ub-merCountry },
1634 merAuthFlag BOOLEAN -- meaning not defined in this module
1635 }
1636
1637 cardCertRequired EXTENSION ::= { -- non-critical; the extension value is a bare BOOLEAN
1638 SYNTAX BOOLEAN
1639 IDENTIFIED BY { id-set-cardCertRequired }
1640 }
1641
1642 tunneling EXTENSION ::= { -- non-critical
1643 SYNTAX TunnelingSyntax
1644 IDENTIFIED BY { id-set-tunneling }
1645 }
1646
1647 TunnelingSyntax ::= SEQUENCE {
1648 tunneling BOOLEAN,
1649 tunnelAlgIDs TunnelAlg -- algorithm OIDs; which algorithms they denote is not defined in this module
1650 }
1651
1652 TunnelAlg ::= SEQUENCE OF OBJECT IDENTIFIER -- no SIZE constraint: may be empty
1653
1654 setQualifier EXTENSION ::= { -- non-critical
1655 SYNTAX SETQualifierSyntax
1656 IDENTIFIED BY { id-set-setQualifier }
1657 }
1658
1659 SETQualifierSyntax ::= SEQUENCE { -- every component is OPTIONAL, so an empty SEQUENCE is a legal value
1660 policyDigest DetachedDigest OPTIONAL, -- presumably a digest of the policy document reachable via policyURL; confirm with the SET specification before relying on it
1661 terseStatement DirectoryString { ub-terseStatement } OPTIONAL, -- up to ub-terseStatement (2048) characters
1662 policyURL [0] IA5String OPTIONAL, -- no constraint beyond IA5String; treat as untrusted input before dereferencing
1663 policyEmail [1] IA5String OPTIONAL
1664 }
1665
1666 -- Upper bounds of DirectoryString{} types
-- (referenced by MerchantDataSyntax and SETQualifierSyntax above; forward references are legal in ASN.1)
1667
1668 ub-merCity INTEGER ::= 13
1669 ub-merCountry INTEGER ::= 3
1670 ub-merName INTEGER ::= 25
1671 ub-merPostalCode INTEGER ::= 14
1672 ub-merStateProvince INTEGER ::= 3
1673 ub-terseStatement INTEGER ::= 2048
1674
1675 -- Object identifiers
1676
1677 id-ce OBJECT IDENTIFIER ::= { 2 5 29 } -- joint-iso-ccitt(2) ds(5) certificateExtension(29); the arcs below match the X.509 assignments
1678 id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
1679 id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
1680 id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
1681 id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
1682 id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
1683 id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
1684 id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
1685 id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
1686 id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
1687
1688 id-set OBJECT IDENTIFIER ::= { 2 99999 } -- Will change when SET gets a
1689 -- registered number.
-- NOTE(review): placeholder arc; encoders and decoders built from this text will not
-- interoperate with implementations using the registered value until it is updated.
1690
1691 id-set-hashedRootKey OBJECT IDENTIFIER ::= { id-set 2 }
1692 id-set-certificateType OBJECT IDENTIFIER ::= { id-set 3 }
1693 id-set-merchantData OBJECT IDENTIFIER ::= { id-set 4 }
1694 id-set-cardCertRequired OBJECT IDENTIFIER ::= { id-set 5 }
1695 id-set-tunneling OBJECT IDENTIFIER ::= { id-set 6 }
1696 id-set-setQualifier OBJECT IDENTIFIER ::= { id-set 7 }
1697
1698
1699 END