ASN1ModuleIncludes.asn

PKIX-CommonTypes-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

  DEFINITIONS EXPLICIT TAGS ::=
  BEGIN

  --  ATTRIBUTE
  --
  --  Describe the set of data associated with an attribute of some type
  --
  --  &id is an OID identifying the attribute
  --  &Type is the ASN.1 type structure for the attribute; not all
  --      attributes have a data structure, so this field is optional
  --  &minCount contains the minimum number of times the attribute can
  --      occur in an AttributeSet
  --  &maxCount contains the maximum number of times the attribute can
  --      appear in an AttributeSet
  --      Note: this cannot be automatically enforced as the field
  --      cannot be defaulted to MAX.
  --  &equality-match contains information about how matching should be
  --      done
  --
  --  Currently we are using two different prefixes for attributes.
  --
  --  at- for certificate attributes
  --  aa- for CMS attributes
  --

  ATTRIBUTE ::= CLASS {
      &id             OBJECT IDENTIFIER UNIQUE,
      &Type           OPTIONAL,
      &equality-match MATCHING-RULE OPTIONAL,
      &minCount       INTEGER DEFAULT 1,
      &maxCount       INTEGER OPTIONAL
  } WITH SYNTAX {
      [TYPE &Type]
      [EQUALITY MATCHING RULE &equality-match]
      [COUNTS [MIN &minCount] [MAX &maxCount]]
      IDENTIFIED BY &id
  }

-- Specification of MATCHING-RULE information object class
  --

  MATCHING-RULE ::= CLASS {
    &ParentMatchingRules   MATCHING-RULE OPTIONAL,
    &AssertionType         OPTIONAL,
    &uniqueMatchIndicator  ATTRIBUTE OPTIONAL,
    &id                    OBJECT IDENTIFIER UNIQUE
  }
  WITH SYNTAX {
    [PARENT &ParentMatchingRules]
    [SYNTAX &AssertionType]
    [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator]
    ID &id
  }

  --  AttributeSet
  --
  --  Used when a set of attributes is to occur.
  --
  --  type contains the identifier of the attribute
  --  values contains a set of values where the structure of the ASN.1
  --      is defined by the attribute
  --
  --  The parameter contains the set of objects describing
  --      those attributes that can occur in this location.
  --

  AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE {
      type      ATTRIBUTE.&id({AttrSet}),
      values    SET SIZE (1..MAX) OF ATTRIBUTE.
                    &Type({AttrSet}{@type})
  }

  --  SingleAttribute
  --
  --  Used for a single valued attribute
  --
  --  The parameter contains the set of objects describing the
  --      attributes that can occur in this location
  --

  SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE {
      type      ATTRIBUTE.&id({AttrSet}),
      value     ATTRIBUTE.&Type({AttrSet}{@type})
  }

  --  EXTENSION
--
  --  This class definition is used to describe the association of
  --      object identifier and ASN.1 type structure for extensions
  --
  --  All extensions are prefixed with ext-
  --
  --  &id contains the object identifier for the extension
  --  &ExtnType specifies the ASN.1 type structure for the extension
  --  &Critical contains the set of legal values for the critical field.
  --      This is normally {TRUE|FALSE} but in some instances may be
  --      restricted to just one of these values.
  --

  EXTENSION ::= CLASS {
      &id  OBJECT IDENTIFIER UNIQUE,
      &ExtnType,
      &Critical    BOOLEAN DEFAULT {TRUE | FALSE }
  } WITH SYNTAX {
      SYNTAX &ExtnType IDENTIFIED BY &id
      [CRITICALITY &Critical]
  }

  --  Extensions
  --
  --  Used for a sequence of extensions.
  --
  --  The parameter contains the set of legal extensions that can
  --  occur in this sequence.
  --

  Extensions{EXTENSION:ExtensionSet} ::=
      SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}}

  --  Extension
  --
  --  Used for a single extension
  --
  --  The parameter contains the set of legal extensions that can
  --      occur in this extension.
  --
  --  The restriction on the critical field has been commented out
  --  the authors are not completely sure it is correct.
  --  The restriction could be done using custom code rather than
  --  compiler-generated code, however.
  --

  Extension{EXTENSION:ExtensionSet} ::= SEQUENCE {
      extnID      EXTENSION.&id({ExtensionSet}),

     critical    BOOLEAN
  --                     (EXTENSION.&Critical({ExtensionSet}{@extnID}))
                       DEFAULT FALSE,
      extnValue   OCTET STRING (CONTAINING
                  EXTENSION.&ExtnType({ExtensionSet}{@extnID}))
                  --  contains the DER encoding of the ASN.1 value
                  --  corresponding to the extension type identified
                  --  by extnID
  }

  --  Security Category
  --
  --  Security categories are used both for specifying clearances and
  --  for labeling objects.  We move this here from RFC 3281 so that
  --  they will use a common single object class to express this
  --  information.
  --

  SECURITY-CATEGORY ::= TYPE-IDENTIFIER

  SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
      type      [0]  IMPLICIT SECURITY-CATEGORY.
              &id({Supported}),
      value     [1]  EXPLICIT SECURITY-CATEGORY.
              &Type({Supported}{@type})
  }

  END


AlgorithmInformation-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0)
    id-mod-algorithmInformation-02(58)}

DEFINITIONS EXPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS

KeyUsage
FROM PKIX1Implicit-2009
    {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-pkix1-implicit-02(59)} ;

--  Suggested prefixes for algorithm objects are:
--
--  mda-   Message Digest Algorithms
--  sa-    Signature Algorithms
--  kta-   Key Transport Algorithms (Asymmetric)
--  kaa-   Key Agreement Algorithms  (Asymmetric)
--  kwa-   Key Wrap Algorithms (Symmetric)
--  kda-   Key Derivation Algorithms
--  maca-  Message Authentication Code Algorithms
--  pk-    Public Key
--  cea-   Content (symmetric) Encryption Algorithms
--  cap-   S/MIME Capabilities

ParamOptions ::= ENUMERATED {
   required,         -- Parameters MUST be encoded in structure
   preferredPresent, -- Parameters SHOULD be encoded in structure
   preferredAbsent,  -- Parameters SHOULD NOT be encoded in structure
   absent,           -- Parameters MUST NOT be encoded in structure
   inheritable,      -- Parameters are inherited if not present
   optional,         -- Parameters MAY be encoded in the structure
   ...
}

--  DIGEST-ALGORITHM
--
--  Describes the basic information for ASN.1 and a digest
--      algorithm.
--
--  &id - contains the OID identifying the digest algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--
--  Additional information such as the length of the hash could have
--      been encoded.  Without a clear understanding of what information
--      is needed by applications, such extraneous information was not
--      considered to be of sufficent importance.
--
--  Example:
--  mda-sha1 DIGEST-ALGORITHM ::= {
--      IDENTIFIER id-sha1
--      PARAMS TYPE NULL ARE preferredAbsent
--  }

DIGEST-ALGORITHM ::= CLASS {
 &id                 OBJECT IDENTIFIER UNIQUE,
    &Params             OPTIONAL,
    &paramPresence      ParamOptions DEFAULT absent
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence ]
}

--  SIGNATURE-ALGORITHM
--
--  Describes the basic properties of a signature algorithm
--
--  &id - contains the OID identifying the signature algorithm
--  &Value - contains a type definition for the value structure of
--              the signature; if absent, implies that no ASN.1
--              encoding is performed on the value
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &HashSet - The set of hash algorithms used with this
--                  signature algorithm
--  &PublicKeySet - the set of public key algorithms for this
--                  signature algorithm
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
--     IDENTIFIER id-RSASSA-PSS
--     PARAMS TYPE RSASSA-PSS-params ARE required
--     HASHES { mda-sha1 | mda-md5, ... }
--     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- }

SIGNATURE-ALGORITHM ::= CLASS {
    &id             OBJECT IDENTIFIER UNIQUE,
    &Value          OPTIONAL,
    &Params         OPTIONAL,
    &paramPresence  ParamOptions DEFAULT absent,
    &HashSet        DIGEST-ALGORITHM OPTIONAL,
    &PublicKeySet   PUBLIC-KEY OPTIONAL,
    &smimeCaps      SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [VALUE &Value]
    [PARAMS [TYPE &Params] ARE &paramPresence ]
    [HASHES &HashSet]
    [PUBLIC-KEYS &PublicKeySet]
[SMIME-CAPS &smimeCaps]
}

--  PUBLIC-KEY
--
--  Describes the basic properties of a public key
--
--  &id - contains the OID identifying the public key
--  &KeyValue - contains the type for the key value
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &keyUsage - contains the set of bits that are legal for this
--              key type.  Note that is does not make any statement
--              about how bits may be paired.
--  &PrivateKey - contains a type structure for encoding the private
--              key information.
--
--  Example:
--  pk-rsa-pss PUBLIC-KEY ::= {
--      IDENTIFIER id-RSASSA-PSS
--      KEY RSAPublicKey
--      PARAMS TYPE RSASSA-PSS-params ARE optional
--      CERT-KEY-USAGE { .... }
--  }

PUBLIC-KEY ::= CLASS {
    &id             OBJECT IDENTIFIER UNIQUE,
    &KeyValue       OPTIONAL,
    &Params         OPTIONAL,
    &paramPresence  ParamOptions DEFAULT absent,
    &keyUsage       KeyUsage OPTIONAL,
    &PrivateKey     OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [KEY &KeyValue]
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [CERT-KEY-USAGE &keyUsage]
    [PRIVATE-KEY &PrivateKey]
}

--  KEY-TRANSPORT
--
--  Describes the basic properties of a key transport algorithm
--
--  &id - contains the OID identifying the key transport algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &PublicKeySet - specifies which public keys are used with
--                       this algorithm
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  kta-rsaTransport KEY-TRANSPORT ::= {
--      IDENTIFIER &id
--      PARAMS TYPE NULL ARE required
--      PUBLIC-KEYS  { pk-rsa | pk-rsa-pss }
--  }

KEY-TRANSPORT ::= CLASS {
    &id                 OBJECT IDENTIFIER UNIQUE,
    &Params             OPTIONAL,
    &paramPresence      ParamOptions DEFAULT absent,
    &PublicKeySet       PUBLIC-KEY OPTIONAL,
    &smimeCaps          SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [PUBLIC-KEYS &PublicKeySet]
    [SMIME-CAPS &smimeCaps]
}

--  KEY-AGREE
--
--  Describes the basic properties of a key agreement algorithm
--
--  &id - contains the OID identifying the key agreement algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &PublicKeySet - specifies which public keys are used with
--                        this algorithm
--  &Ukm - type of user keying material used
--  &ukmPresence - specifies the requirements to define the UKM field
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  kaa-dh-static-ephemeral KEY-AGREE ::= {
--      IDENTIFIER id-alg-ESDH
--      PARAMS TYPE KeyWrapAlgorithm ARE required
--      PUBLIC-KEYS {
--         {IDENTIFIER dh-public-number KEY DHPublicKey
--            PARAMS TYPE DHDomainParameters ARE inheritable }
--      }
--      - - UKM should be present but is not separately ASN.1-encoded
--      UKM ARE preferredPresent
--  }

KEY-AGREE ::= CLASS {
    &id             OBJECT IDENTIFIER UNIQUE,
    &Params         OPTIONAL,
    &paramPresence  ParamOptions DEFAULT absent,
    &PublicKeySet   PUBLIC-KEY OPTIONAL,
    &Ukm            OPTIONAL,
    &ukmPresence    ParamOptions DEFAULT absent,
    &smimeCaps      SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [PUBLIC-KEYS &PublicKeySet]
    [UKM [TYPE &Ukm] ARE &ukmPresence]
    [SMIME-CAPS &smimeCaps]
}

--  KEY-WRAP
--
--  Describes the basic properties of a key wrap algorithm
--
--  &id - contains the OID identifying the key wrap algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  kwa-cms3DESwrap KEY-WRAP ::= {
--      IDENTIFIER id-alg-CMS3DESwrap
--      PARAMS TYPE NULL ARE required
--  }

KEY-WRAP ::= CLASS {
    &id                OBJECT IDENTIFIER UNIQUE,
    &Params            OPTIONAL,
    &paramPresence     ParamOptions DEFAULT absent,
    &smimeCaps         SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [SMIME-CAPS &smimeCaps]
}
--  KEY-DERIVATION
--
--  Describes the basic properties of a key derivation algorithm
--
--  &id - contains the OID identifying the key derivation algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  kda-pbkdf2 KEY-DERIVATION ::= {
--      IDENTIFIER id-PBKDF2
--      PARAMS TYPE PBKDF2-params ARE required
--  }

KEY-DERIVATION ::= CLASS {
    &id                OBJECT IDENTIFIER UNIQUE,
    &Params            OPTIONAL,
    &paramPresence     ParamOptions DEFAULT absent,
    &smimeCaps         SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [SMIME-CAPS &smimeCaps]
}

-- MAC-ALGORITHM
--
--  Describes the basic properties of a message
--      authentication code (MAC) algorithm
--
--  &id - contains the OID identifying the MAC algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &keyed - MAC algorithm is a keyed MAC algorithm
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Some parameters that perhaps should have been added would be
--  fields with the minimum and maximum MAC lengths for
--  those MAC algorithms that allow truncations.
--
--  Example:
--  maca-hmac-sha1 MAC-ALGORITHM ::= {
--      IDENTIFIER hMAC-SHA1
--      PARAMS TYPE NULL ARE preferredAbsent
--      IS KEYED MAC TRUE
--      SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
--  }

MAC-ALGORITHM ::= CLASS {
    &id                 OBJECT IDENTIFIER UNIQUE,
    &Params             OPTIONAL,
    &paramPresence      ParamOptions DEFAULT absent,
    &keyed              BOOLEAN,
    &smimeCaps          SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    IS-KEYED-MAC &keyed
    [SMIME-CAPS &smimeCaps]
}

--  CONTENT-ENCRYPTION
--
--  Describes the basic properties of a content encryption
--      algorithm
--
--  &id - contains the OID identifying the content
--        encryption algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  cea-3DES-cbc CONTENT-ENCRYPTION ::= {
--      IDENTIFIER des-ede3-cbc
--      PARAMS TYPE IV ARE required
--      SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
--  }

CONTENT-ENCRYPTION ::= CLASS {
    &id                OBJECT IDENTIFIER UNIQUE,
    &Params            OPTIONAL,
    &paramPresence     ParamOptions DEFAULT absent,
    &smimeCaps         SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [SMIME-CAPS &smimeCaps]
}
-- ALGORITHM
--
-- Describes a generic algorithm identifier
--
--  &id - contains the OID identifying the algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  This would be used for cases where an algorithm of an unknown
--  type is used.  In general however, one should either define
--  a more complete algorithm structure (such as the one above)
--  or use the TYPE-IDENTIFIER class.

ALGORITHM ::= CLASS {
    &id OBJECT   IDENTIFIER UNIQUE,
    &Params      OPTIONAL,
    &paramPresence ParamOptions DEFAULT absent,
    &smimeCaps   SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [SMIME-CAPS &smimeCaps]
}

-- AlgorithmIdentifier
--
-- Provides the generic structure that is used to encode algorithm
--    identification and the parameters associated with the
--    algorithm.
--
-- The first parameter represents the type of the algorithm being
--    used.
-- The second parameter represents an object set containing the
--    algorithms that may occur in this situation.
--    The initial list of required algorithms should occur to the
--      left of an extension marker; all other algorithms should
--      occur to the right of an extension marker.
--
-- The object class ALGORITHM can be used for generic unspecified
--     items.
-- If new ALGORITHM classes are defined, the fields &id and &Params
--     need to be present as fields in the object in order to use
--     this parameterized type.
--
-- Example:
--    SignatureAlgorithmIdentifier ::=
--       AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgSet}}

AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
        SEQUENCE {
            algorithm   ALGORITHM-TYPE.&id({AlgorithmSet}),
            parameters  ALGORITHM-TYPE.
                   &Params({AlgorithmSet}{@algorithm}) OPTIONAL
        }

--  S/MIME Capabilities
--
--  We have moved the SMIME-CAPS from the module for RFC 3851 to here
--  because it is used in RFC 4262 (X.509 Certificate Extension for
--  S/MIME Capabilities)
--
--
--  This class is used to represent an S/MIME capability.  S/MIME
--  capabilities are used to represent what algorithm capabilities
--  an individual has.  The classic example was the content encryption
--  algorithm RC2 where the algorithm id and the RC2 key lengths
--  supported needed to be advertised, but the IV used is not fixed.
--  Thus, for RC2 we used
--
--  cap-RC2CBC SMIME-CAPS ::= {
--      TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
--
--  where 40 and 128 represent the RC2 key length in number of bits.
--
--  Another example where information needs to be shown is for
--  RSA-OAEP where only specific hash functions or mask generation
--  functions are supported, but the saltLength is specified by the
--  sender and not the recipient.  In this case, one can either
--  generate a number of capability items,
--  or a new S/MIME capability type could be generated where
--  multiple hash functions could be specified.
--
--
--  SMIME-CAP
--
--  This class is used to associate the type that describes the
--  capabilities with the object identifier.
--

SMIME-CAPS ::= CLASS {
    &id         OBJECT IDENTIFIER UNIQUE,
    &Type       OPTIONAL
}

WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }

--
--  Generic type - this is used for defining values.
--

--  Define a single S/MIME capability encoding

SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
    capabilityID        SMIME-CAPS.&id({CapabilitySet}),
    parameters          SMIME-CAPS.&Type({CapabilitySet}
                            {@capabilityID}) OPTIONAL
}

--  Define a sequence of S/MIME capability values

SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
        SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }

END


PKIX1Implicit-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN
   IMPORTS

   AttributeSet{}, EXTENSION, ATTRIBUTE
   FROM PKIX-CommonTypes-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

   id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name,
       RelativeDistinguishedName, CertificateSerialNumber,
       DirectoryString{}, SupportedAttributes
   FROM PKIX1Explicit-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) };

   CertExtensions EXTENSION ::= {
           ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier |
           ext-KeyUsage | ext-PrivateKeyUsagePeriod |
           ext-CertificatePolicies | ext-PolicyMappings |
           ext-SubjectAltName | ext-IssuerAltName |
           ext-SubjectDirectoryAttributes |
           ext-BasicConstraints | ext-NameConstraints |
           ext-PolicyConstraints | ext-ExtKeyUsage |
           ext-CRLDistributionPoints | ext-InhibitAnyPolicy |
           ext-FreshestCRL | ext-AuthorityInfoAccess |
           ext-SubjectInfoAccessSyntax, ... }

   CrlExtensions EXTENSION ::= {
ext-AuthorityKeyIdentifier | ext-IssuerAltName |
           ext-CRLNumber | ext-DeltaCRLIndicator |
           ext-IssuingDistributionPoint |  ext-FreshestCRL, ... }

   CrlEntryExtensions EXTENSION ::= {
           ext-CRLReason | ext-CertificateIssuer |
           ext-HoldInstructionCode | ext-InvalidityDate, ... }
   -- Shared arc for standard certificate and CRL extensions

   id-ce OBJECT IDENTIFIER  ::=  { joint-iso-ccitt(2) ds(5) 29 }

   -- authority key identifier OID and syntax

   ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX
       AuthorityKeyIdentifier IDENTIFIED BY
       id-ce-authorityKeyIdentifier }
   id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }

   AuthorityKeyIdentifier ::= SEQUENCE {
       keyIdentifier             [0] KeyIdentifier            OPTIONAL,
       authorityCertIssuer       [1] GeneralNames             OPTIONAL,
       authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
   (WITH COMPONENTS {
      ...,
      authorityCertIssuer        PRESENT,
      authorityCertSerialNumber  PRESENT
    } |
    WITH COMPONENTS {
      ...,
      authorityCertIssuer        ABSENT,
      authorityCertSerialNumber  ABSENT
    })

   KeyIdentifier ::= OCTET STRING

   -- subject key identifier OID and syntax

   ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX
       KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier }
   id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }

   -- key usage extension OID and syntax

   ext-KeyUsage EXTENSION ::= { SYNTAX
       KeyUsage IDENTIFIED BY id-ce-keyUsage }
   id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

   KeyUsage ::= BIT STRING {
digitalSignature        (0),
        nonRepudiation          (1), --  recent editions of X.509 have
                                     --  renamed this bit to
                                     --  contentCommitment
        keyEncipherment         (2),
        dataEncipherment        (3),
        keyAgreement            (4),
        keyCertSign             (5),
        cRLSign                 (6),
        encipherOnly            (7),
        decipherOnly            (8)
    }

   -- private key usage period extension OID and syntax

   ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX
       PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod }
   id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }

   PrivateKeyUsagePeriod ::= SEQUENCE {
        notBefore       [0]     GeneralizedTime OPTIONAL,
        notAfter        [1]     GeneralizedTime OPTIONAL }
   (WITH COMPONENTS {..., notBefore  PRESENT } |
    WITH COMPONENTS {..., notAfter  PRESENT })

   -- certificate policies extension OID and syntax

   ext-CertificatePolicies EXTENSION ::= { SYNTAX
       CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies}
   id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }

   CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

   PolicyInformation ::= SEQUENCE {
        policyIdentifier   CertPolicyId,
        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
                PolicyQualifierInfo OPTIONAL }

   CertPolicyId ::= OBJECT IDENTIFIER

   CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER

   PolicyQualifierInfo ::= SEQUENCE {
          policyQualifierId  CERT-POLICY-QUALIFIER.
               &id({PolicyQualifierId}),
          qualifier          CERT-POLICY-QUALIFIER.
               &Type({PolicyQualifierId}{@policyQualifierId})}
-- Implementations that recognize additional policy qualifiers MUST
   -- augment the following definition for PolicyQualifierId

   PolicyQualifierId CERT-POLICY-QUALIFIER ::=
       { pqid-cps | pqid-unotice, ... }

   pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }
   pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice
       IDENTIFIED BY id-qt-unotice }

   -- CPS pointer qualifier

   CPSuri ::= IA5String

   -- user notice qualifier

   UserNotice ::= SEQUENCE {
        noticeRef        NoticeReference OPTIONAL,
        explicitText     DisplayText OPTIONAL}

   --
   --  This is not made explicit in the text
   --
   -- {WITH COMPONENTS {..., noticeRef PRESENT} |
   --  WITH COMPONENTS {..., DisplayText PRESENT }}

   NoticeReference ::= SEQUENCE {
        organization     DisplayText,
        noticeNumbers    SEQUENCE OF INTEGER }

   DisplayText ::= CHOICE {
        ia5String        IA5String      (SIZE (1..200)),
        visibleString    VisibleString  (SIZE (1..200)),
        bmpString        BMPString      (SIZE (1..200)),
        utf8String       UTF8String     (SIZE (1..200)) }

   -- policy mapping extension OID and syntax

   ext-PolicyMappings EXTENSION ::= { SYNTAX
       PolicyMappings IDENTIFIED BY id-ce-policyMappings }
   id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }

   PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
       issuerDomainPolicy      CertPolicyId,
       subjectDomainPolicy     CertPolicyId
   }

   -- subject alternative name extension OID and syntax
ext-SubjectAltName EXTENSION ::= { SYNTAX
       GeneralNames IDENTIFIED BY id-ce-subjectAltName }
   id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   GeneralName ::= CHOICE {
        otherName                   [0]  INSTANCE OF OTHER-NAME,
        rfc822Name                  [1]  IA5String,
        dNSName                     [2]  IA5String,
        x400Address                 [3]  ORAddress,
        directoryName               [4]  Name,
        ediPartyName                [5]  EDIPartyName,
        uniformResourceIdentifier   [6]  IA5String,
        iPAddress                   [7]  OCTET STRING,
        registeredID                [8]  OBJECT IDENTIFIER
   }

   -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
   -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

   OTHER-NAME ::= TYPE-IDENTIFIER

   EDIPartyName ::= SEQUENCE {
       nameAssigner    [0] DirectoryString {ubMax} OPTIONAL,
       partyName       [1] DirectoryString {ubMax}
   }

   -- issuer alternative name extension OID and syntax

   ext-IssuerAltName EXTENSION ::= { SYNTAX
       GeneralNames IDENTIFIED BY id-ce-issuerAltName }
   id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }

   ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX
       SubjectDirectoryAttributes IDENTIFIED BY
       id-ce-subjectDirectoryAttributes }
   id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }

   SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
       AttributeSet{{SupportedAttributes}}

   -- basic constraints extension OID and syntax

   ext-BasicConstraints EXTENSION ::= { SYNTAX
       BasicConstraints IDENTIFIED BY id-ce-basicConstraints }
   id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL
   }

   -- name constraints extension OID and syntax
   ext-NameConstraints EXTENSION ::= { SYNTAX
       NameConstraints IDENTIFIED BY id-ce-nameConstraints }
   id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

   NameConstraints ::= SEQUENCE {
        permittedSubtrees       [0] GeneralSubtrees OPTIONAL,
        excludedSubtrees        [1] GeneralSubtrees OPTIONAL
   }
   --
   --  This is a constraint in the issued certificates by CAs, but is
   --  not a requirement on EEs.
   --
   -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
   --  WITH COMPONENTS { ..., excludedSubtrees PRESENT }}

   GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

   GeneralSubtree ::= SEQUENCE {
        base                GeneralName,
        minimum         [0] BaseDistance DEFAULT 0,
        maximum         [1] BaseDistance OPTIONAL
   }

   BaseDistance ::= INTEGER (0..MAX)

   -- policy constraints extension OID and syntax

   ext-PolicyConstraints EXTENSION ::= { SYNTAX
       PolicyConstraints IDENTIFIED BY id-ce-policyConstraints }
   id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }

   PolicyConstraints ::= SEQUENCE {
        requireExplicitPolicy           [0] SkipCerts OPTIONAL,
        inhibitPolicyMapping            [1] SkipCerts OPTIONAL }
   --
   --  This is a constraint in the issued certificates by CAs,
   --  but is not a requirement for EEs
   --
   -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
   --  WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})

   SkipCerts ::= INTEGER (0..MAX)
-- CRL distribution points extension OID and syntax

   ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
       CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}
   id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}
   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

   DistributionPoint ::= SEQUENCE {
        distributionPoint       [0] DistributionPointName OPTIONAL,
        reasons                 [1] ReasonFlags OPTIONAL,
        cRLIssuer               [2] GeneralNames OPTIONAL
   }
   --
   --  This is not a requirement in the text, but it seems as if it
   --      should be
   --
   --(WITH COMPONENTS {..., distributionPoint PRESENT} |
   -- WITH COMPONENTS {..., cRLIssuer PRESENT})

   DistributionPointName ::= CHOICE {
        fullName                [0] GeneralNames,
        nameRelativeToCRLIssuer [1] RelativeDistinguishedName
   }

   ReasonFlags ::= BIT STRING {
        unused                  (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        privilegeWithdrawn      (7),
        aACompromise            (8)
    }

   -- extended key usage extension OID and syntax

   ext-ExtKeyUsage EXTENSION ::= { SYNTAX
       ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage }
   id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

   KeyPurposeId ::= OBJECT IDENTIFIER

   -- permit unspecified key uses
 anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

   -- extended key purpose OIDs

   id-kp-serverAuth       OBJECT IDENTIFIER ::= { id-kp 1 }
   id-kp-clientAuth       OBJECT IDENTIFIER ::= { id-kp 2 }
   id-kp-codeSigning      OBJECT IDENTIFIER ::= { id-kp 3 }
   id-kp-emailProtection  OBJECT IDENTIFIER ::= { id-kp 4 }
   id-kp-timeStamping     OBJECT IDENTIFIER ::= { id-kp 8 }
   id-kp-OCSPSigning      OBJECT IDENTIFIER ::= { id-kp 9 }

   -- inhibit any policy OID and syntax

   ext-InhibitAnyPolicy EXTENSION  ::= {SYNTAX
       SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy }
   id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 }

   -- freshest (delta)CRL extension OID and syntax

   ext-FreshestCRL EXTENSION ::= {SYNTAX
       CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL }
   id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 }

   -- authority info access

   ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX
       AuthorityInfoAccessSyntax IDENTIFIED BY
       id-pe-authorityInfoAccess }
   id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

   AuthorityInfoAccessSyntax  ::=
           SEQUENCE SIZE (1..MAX) OF AccessDescription

   AccessDescription  ::=  SEQUENCE {
           accessMethod          OBJECT IDENTIFIER,
           accessLocation        GeneralName  }

   -- subject info access

   ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX
       SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
   id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }

   SubjectInfoAccessSyntax  ::=
           SEQUENCE SIZE (1..MAX) OF AccessDescription

   -- CRL number extension OID and syntax
ext-CRLNumber EXTENSION ::= {SYNTAX
       INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
   id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

   CRLNumber ::= INTEGER (0..MAX)
   -- issuing distribution point extension OID and syntax

   ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX
       IssuingDistributionPoint IDENTIFIED BY
       id-ce-issuingDistributionPoint }
   id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }

   IssuingDistributionPoint ::= SEQUENCE {
        distributionPoint          [0] DistributionPointName OPTIONAL,
        onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
        onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
        onlySomeReasons            [3] ReasonFlags OPTIONAL,
        indirectCRL                [4] BOOLEAN DEFAULT FALSE,
        onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE
   }
           -- at most one of onlyContainsUserCerts, onlyContainsCACerts,
           -- or onlyContainsAttributeCerts may be set to TRUE.

   ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX
       CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator }
   id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

   -- CRL reasons extension OID and syntax

   ext-CRLReason EXTENSION ::= { SYNTAX
       CRLReason IDENTIFIED BY id-ce-cRLReasons }
   id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

   CRLReason ::= ENUMERATED {
        unspecified             (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        removeFromCRL           (8),
        privilegeWithdrawn      (9),
        aACompromise           (10)
   }

   -- certificate issuer CRL entry extension OID and syntax
 ext-CertificateIssuer EXTENSION ::= { SYNTAX
       GeneralNames IDENTIFIED BY id-ce-certificateIssuer }
   id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

   -- hold instruction extension OID and syntax
   ext-HoldInstructionCode EXTENSION ::= { SYNTAX
       OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode }
   id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

   -- ANSI x9 holdinstructions

   holdInstruction OBJECT IDENTIFIER ::=
             {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
   id-holdinstruction-none OBJECT IDENTIFIER  ::=
                   {holdInstruction 1} -- deprecated
   id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
                   {holdInstruction 2}
   id-holdinstruction-reject OBJECT IDENTIFIER ::=
                   {holdInstruction 3}

   -- invalidity date CRL entry extension OID and syntax

   ext-InvalidityDate EXTENSION  ::=  { SYNTAX
       GeneralizedTime IDENTIFIED BY id-ce-invalidityDate }
   id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
   -- Upper bounds
   ubMax INTEGER ::= 32768

   END


  --
  --  This module is used to isolate all the X.400 naming information.
  --  There is no reason to expect this to occur in a PKIX certificate.
  --

  PKIX-X400Address-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60) }
  DEFINITIONS EXPLICIT TAGS ::=
  BEGIN

  -- X.400 address syntax starts here

  ORAddress ::= SEQUENCE {
     built-in-standard-attributes BuiltInStandardAttributes,
     built-in-domain-defined-attributes
                     BuiltInDomainDefinedAttributes OPTIONAL,
-- see also teletex-domain-defined-attributes
     extension-attributes ExtensionAttributes OPTIONAL }

  -- Built-in Standard Attributes

  BuiltInStandardAttributes ::= SEQUENCE {
     country-name                  CountryName OPTIONAL,
     administration-domain-name    AdministrationDomainName OPTIONAL,
     network-address           [0] IMPLICIT NetworkAddress OPTIONAL,
       -- see also extended-network-address
     terminal-identifier       [1] IMPLICIT TerminalIdentifier OPTIONAL,
     private-domain-name       [2] PrivateDomainName OPTIONAL,
     organization-name         [3] IMPLICIT OrganizationName OPTIONAL,
       -- see also teletex-organization-name
     numeric-user-identifier   [4] IMPLICIT NumericUserIdentifier
                                   OPTIONAL,
     personal-name             [5] IMPLICIT PersonalName OPTIONAL,
       -- see also teletex-personal-name
     organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
                                   OPTIONAL }
       -- see also teletex-organizational-unit-names

  CountryName ::= [APPLICATION 1] CHOICE {
     x121-dcc-code         NumericString
                             (SIZE (ub-country-name-numeric-length)),
     iso-3166-alpha2-code  PrintableString
                             (SIZE (ub-country-name-alpha-length)) }

  AdministrationDomainName ::= [APPLICATION 2] CHOICE {
     numeric   NumericString   (SIZE (0..ub-domain-name-length)),
     printable PrintableString (SIZE (0..ub-domain-name-length)) }

  NetworkAddress ::= X121Address  -- see also extended-network-address

  X121Address ::= NumericString (SIZE (1..ub-x121-address-length))

  TerminalIdentifier ::= PrintableString (SIZE
  (1..ub-terminal-id-length))

  PrivateDomainName ::= CHOICE {
     numeric   NumericString   (SIZE (1..ub-domain-name-length)),
     printable PrintableString (SIZE (1..ub-domain-name-length)) }

  OrganizationName ::= PrintableString
                              (SIZE (1..ub-organization-name-length))
    -- see also teletex-organization-name

  NumericUserIdentifier ::= NumericString
                     (SIZE (1..ub-numeric-user-id-length))

  PersonalName ::= SET {
     surname     [0] IMPLICIT PrintableString
                      (SIZE (1..ub-surname-length)),
     given-name  [1] IMPLICIT PrintableString
                      (SIZE (1..ub-given-name-length)) OPTIONAL,
     initials    [2] IMPLICIT PrintableString
                      (SIZE (1..ub-initials-length)) OPTIONAL,
     generation-qualifier [3] IMPLICIT PrintableString
                      (SIZE (1..ub-generation-qualifier-length))
                      OPTIONAL }
    -- see also teletex-personal-name

  OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
                               OF OrganizationalUnitName
    -- see also teletex-organizational-unit-names

  OrganizationalUnitName ::= PrintableString (SIZE
                      (1..ub-organizational-unit-name-length))

  -- Built-in Domain-defined Attributes

  BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
                      (1..ub-domain-defined-attributes) OF
                      BuiltInDomainDefinedAttribute

  BuiltInDomainDefinedAttribute ::= SEQUENCE {
     type PrintableString (SIZE
                     (1..ub-domain-defined-attribute-type-length)),
     value PrintableString (SIZE
                     (1..ub-domain-defined-attribute-value-length)) }

  -- Extension Attributes

  ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
                 ExtensionAttribute

  EXTENSION-ATTRIBUTE ::= CLASS {
      &id             INTEGER (0..ub-extension-attributes) UNIQUE,
      &Type
  } WITH SYNTAX { &Type IDENTIFIED BY &id }

  ExtensionAttribute ::=  SEQUENCE {
     extension-attribute-type [0] IMPLICIT EXTENSION-ATTRIBUTE.
          &id({SupportedExtensionAttributes}),
     extension-attribute-value [1] EXTENSION-ATTRIBUTE.
          &Type({SupportedExtensionAttributes}
            {@extension-attribute-type})}

  SupportedExtensionAttributes EXTENSION-ATTRIBUTE ::= {
      ea-commonName | ea-teletexCommonName | ea-teletexOrganizationName
      | ea-teletexPersonalName | ea-teletexOrganizationalUnitNames |
      ea-pDSName | ea-physicalDeliveryCountryName | ea-postalCode |
      ea-physicalDeliveryOfficeName | ea-physicalDeliveryOfficeNumber |
      ea-extensionORAddressComponents | ea-physicalDeliveryPersonalName
      | ea-physicalDeliveryOrganizationName |
      ea-extensionPhysicalDeliveryAddressComponents |
      ea-unformattedPostalAddress | ea-streetAddress |
      ea-postOfficeBoxAddress | ea-posteRestanteAddress |
      ea-uniquePostalName | ea-localPostalAttributes |
      ea-extendedNetworkAddress | ea-terminalType |
      ea-teletexDomainDefinedAttributes, ... }

  -- Extension types and attribute values

  ea-commonName EXTENSION-ATTRIBUTE ::= { PrintableString
      (SIZE (1..ub-common-name-length)) IDENTIFIED BY 1 }

  ea-teletexCommonName EXTENSION-ATTRIBUTE ::= {TeletexString
      (SIZE (1..ub-common-name-length)) IDENTIFIED BY 2 }

  ea-teletexOrganizationName EXTENSION-ATTRIBUTE::= { TeletexString
      (SIZE (1..ub-organization-name-length)) IDENTIFIED BY 3 }

  ea-teletexPersonalName EXTENSION-ATTRIBUTE ::= {SET {
     surname     [0] IMPLICIT TeletexString
                      (SIZE (1..ub-surname-length)),
     given-name  [1] IMPLICIT TeletexString
                      (SIZE (1..ub-given-name-length)) OPTIONAL,
     initials    [2] IMPLICIT TeletexString
                      (SIZE (1..ub-initials-length)) OPTIONAL,
     generation-qualifier [3] IMPLICIT TeletexString
                      (SIZE (1..ub-generation-qualifier-length))
                      OPTIONAL } IDENTIFIED BY 4 }

  ea-teletexOrganizationalUnitNames EXTENSION-ATTRIBUTE ::=
      { SEQUENCE SIZE (1..ub-organizational-units) OF
            TeletexOrganizationalUnitName IDENTIFIED BY 5 }

  TeletexOrganizationalUnitName ::= TeletexString
      (SIZE (1..ub-organizational-unit-name-length))

  ea-pDSName EXTENSION-ATTRIBUTE ::= {PrintableString
      (SIZE (1..ub-pds-name-length)) IDENTIFIED BY 7 }
 ea-physicalDeliveryCountryName EXTENSION-ATTRIBUTE ::= { CHOICE {
       x121-dcc-code NumericString (SIZE
          (ub-country-name-numeric-length)),
       iso-3166-alpha2-code PrintableString
          (SIZE (ub-country-name-alpha-length)) }
       IDENTIFIED BY 8 }

  ea-postalCode EXTENSION-ATTRIBUTE ::= { CHOICE {
     numeric-code NumericString (SIZE (1..ub-postal-code-length)),
     printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
     IDENTIFIED BY 9 }

  ea-physicalDeliveryOfficeName EXTENSION-ATTRIBUTE ::=
      { PDSParameter IDENTIFIED BY 10 }

  ea-physicalDeliveryOfficeNumber EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 11 }

  ea-extensionORAddressComponents EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 12 }

  ea-physicalDeliveryPersonalName EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 13}

  ea-physicalDeliveryOrganizationName EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 14 }

  ea-extensionPhysicalDeliveryAddressComponents EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 15 }

  ea-unformattedPostalAddress EXTENSION-ATTRIBUTE ::= { SET {
     printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
           OF PrintableString (SIZE (1..ub-pds-parameter-length))
           OPTIONAL,
     teletex-string TeletexString
           (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
     IDENTIFIED BY 16 }

  ea-streetAddress EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 17 }

  ea-postOfficeBoxAddress EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 18 }

  ea-posteRestanteAddress EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 19 }

  ea-uniquePostalName EXTENSION-ATTRIBUTE ::=
{ PDSParameter IDENTIFIED BY 20 }

  ea-localPostalAttributes EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 21 }
  PDSParameter ::= SET {
     printable-string PrintableString
                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
     teletex-string TeletexString
                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL }

  ea-extendedNetworkAddress EXTENSION-ATTRIBUTE ::= {
     CHOICE {
         e163-4-address SEQUENCE {
             number      [0] IMPLICIT NumericString
                   (SIZE (1..ub-e163-4-number-length)),
             sub-address [1] IMPLICIT NumericString
                   (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL
         },
         psap-address [0] IMPLICIT PresentationAddress
     } IDENTIFIED BY 22
  }

  PresentationAddress ::= SEQUENCE {
      pSelector     [0] EXPLICIT OCTET STRING OPTIONAL,
      sSelector     [1] EXPLICIT OCTET STRING OPTIONAL,
      tSelector     [2] EXPLICIT OCTET STRING OPTIONAL,
      nAddresses    [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }

  ea-terminalType EXTENSION-ATTRIBUTE ::= {INTEGER {
     telex (3),
     teletex (4),
     g3-facsimile (5),
     g4-facsimile (6),
     ia5-terminal (7),
     videotex (8) } (0..ub-integer-options)
     IDENTIFIED BY 23 }

  -- Extension Domain-defined Attributes

  ea-teletexDomainDefinedAttributes EXTENSION-ATTRIBUTE ::=
      { SEQUENCE SIZE (1..ub-domain-defined-attributes) OF
           TeletexDomainDefinedAttribute IDENTIFIED BY 6 }

  TeletexDomainDefinedAttribute ::= SEQUENCE {
      type TeletexString
          (SIZE (1..ub-domain-defined-attribute-type-length)),
      value TeletexString
          (SIZE (1..ub-domain-defined-attribute-value-length)) }


 --  specifications of Upper Bounds MUST be regarded as mandatory
  --  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
  --  Upper Bounds
  -- Upper Bounds
  ub-match INTEGER ::= 128
  ub-common-name-length INTEGER ::= 64
  ub-country-name-alpha-length INTEGER ::= 2
  ub-country-name-numeric-length INTEGER ::= 3
  ub-domain-defined-attributes INTEGER ::= 4
  ub-domain-defined-attribute-type-length INTEGER ::= 8
  ub-domain-defined-attribute-value-length INTEGER ::= 128
  ub-domain-name-length INTEGER ::= 16
  ub-extension-attributes INTEGER ::= 256
  ub-e163-4-number-length INTEGER ::= 15
  ub-e163-4-sub-address-length INTEGER ::= 40
  ub-generation-qualifier-length INTEGER ::= 3
  ub-given-name-length INTEGER ::= 16
  ub-initials-length INTEGER ::= 5
  ub-integer-options INTEGER ::= 256
  ub-numeric-user-id-length INTEGER ::= 32
  ub-organization-name-length INTEGER ::= 64
  ub-organizational-unit-name-length INTEGER ::= 32
  ub-organizational-units INTEGER ::= 4
  ub-pds-name-length INTEGER ::= 16
  ub-pds-parameter-length INTEGER ::= 30
  ub-pds-physical-address-lines INTEGER ::= 6
  ub-postal-code-length INTEGER ::= 16
  ub-surname-length INTEGER ::= 40
  ub-terminal-id-length INTEGER ::= 24
  ub-unformatted-address-length INTEGER ::= 180
  ub-x121-address-length INTEGER ::= 16

  -- Note - upper bounds on string types, such as TeletexString, are
  -- measured in characters.  Excepting PrintableString or IA5String, a
  -- significantly greater number of octets will be required to hold
  -- such a value.  As a minimum, 16 octets or twice the specified
  -- upper bound, whichever is the larger, should be allowed for
  -- TeletexString.  For UTF8String or UniversalString, at least four
  -- times the upper bound should be allowed.

END

KEMAlgorithmInformation-2023
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
          id-mod-kemAlgorithmInformation-2023(99) }

  DEFINITIONS EXPLICIT TAGS ::=
  BEGIN
  -- EXPORTS ALL;
  IMPORTS
    ParamOptions, PUBLIC-KEY, SMIME-CAPS
    FROM AlgorithmInformation-2009
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-algorithmInformation-02(58) } ;

  --  KEM-ALGORITHM
  --
  --  Describes the basic properties of a KEM algorithm
  --
  -- Suggested prefixes for KEM algorithm objects is: kema-
  --
  --  &id - contains the OID identifying the KEM algorithm
  --  &Value - if present, contains a type definition for the kemct;
  --               if absent, implies that no ASN.1 encoding is
  --               performed on the kemct value
  --  &Params - if present, contains the type for the algorithm
  --               parameters; if absent, implies no parameters
  --  &paramPresence - parameter presence requirement
  --  &PublicKeySet - specifies which public keys are used with
  --               this algorithm
  --  &Ukm - if absent, type for user keying material
  --  &ukmPresence - specifies the requirements to define the UKM
  --               field
  --  &smimeCaps - contains the object describing how the S/MIME
  --               capabilities are presented.
  --
  -- Example:
  -- kema-kem-rsa KEM-ALGORITHM ::= {
  --    IDENTIFIER id-kem-rsa
  --    PARAMS TYPE RsaKemParameters ARE optional
  --    PUBLIC-KEYS { pk-rsa | pk-rsa-kem }
  --    UKM ARE optional
  --    SMIME-CAPS { TYPE GenericHybridParameters
  --        IDENTIFIED BY id-rsa-kem }
  -- }

  KEM-ALGORITHM ::= CLASS {
    &id             OBJECT IDENTIFIER UNIQUE,
    &Value          OPTIONAL,
    &Params         OPTIONAL,
    &paramPresence  ParamOptions DEFAULT absent,
    &PublicKeySet   PUBLIC-KEY OPTIONAL,
    &Ukm            OPTIONAL,
    &ukmPresence    ParamOptions DEFAULT absent,
    &smimeCaps      SMIME-CAPS OPTIONAL
  } WITH SYNTAX {
    IDENTIFIER &id
    [VALUE &Value]
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [PUBLIC-KEYS &PublicKeySet]
    [UKM [TYPE &Ukm] ARE &ukmPresence]
    [SMIME-CAPS &smimeCaps]
  }


  END


   CMS-RSA-KEM
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
        pkcs-9(9) smime(16) modules(0) cms-rsa-kem(21) }

   DEFINITIONS ::=

   BEGIN

   -- EXPORTS ALL

   -- IMPORTS None

   -- Useful types and definitions

   OID ::= OBJECT IDENTIFIER  -- alias

   -- Unless otherwise stated, if an object identifier has associated
   -- parameters (i.e., the PARMS element is specified), the
   -- parameters field shall be included in algorithm identifier
   -- values.  The parameters field shall be omitted if and only if
   -- the object identifier does not have associated parameters
   -- (i.e., the PARMS element is omitted), unless otherwise stated.

   ALGORITHM ::= CLASS {
      &id    OBJECT IDENTIFIER  UNIQUE,
      &Type  OPTIONAL
   }
   WITH SYNTAX { OID &id [PARMS &Type] }

   AlgorithmIdentifier { ALGORITHM:IOSet } ::= SEQUENCE {
      algorithm   ALGORITHM.&id( {IOSet} ),
      parameters  ALGORITHM.&Type( {IOSet}{@algorithm} ) OPTIONAL
   }

   NullParms ::= NULL

   -- ISO/IEC 18033-2 arc

   is18033-2 OID ::= { iso(1) standard(0) is18033(18033) part2(2) }

   -- NIST algorithm arc

   nistAlgorithm OID ::= {
      joint-iso-itu-t(2) country(16) us(840) organization(1)
      gov(101) csor(3) nistAlgorithm(4)
   }

   -- PKCS #1 arc

   pkcs-1 OID ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
   }

   -- RSA-KEM Key Transport Algorithm

   id-rsa-kem OID ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
      pkcs-9(9) smime(16) alg(3) 14
   }

   GenericHybridParameters ::= SEQUENCE {
      kem  KeyEncapsulationMechanism,
      dem  DataEncapsulationMechanism
   }

   KeyEncapsulationMechanism ::= AlgorithmIdentifier {{KEMAlgorithms}}

   KEMAlgorithms ALGORITHM ::= { kem-rsa, ... }

   kem-rsa ALGORITHM ::= { OID id-kem-rsa PARMS RsaKemParameters }

   id-kem-rsa OID ::= {
      is18033-2 key-encapsulation-mechanism(2) rsa(4)
   }

   RsaKemParameters ::= SEQUENCE {
      keyDerivationFunction  KeyDerivationFunction,
      keyLength              KeyLength
   }

   KeyDerivationFunction ::= AlgorithmIdentifier {{KDFAlgorithms}}

   KDFAlgorithms ALGORITHM ::= {
      kdf2 | kdf3,
      ...  -- implementations may define other methods
   }

   KeyLength ::= INTEGER (1..MAX)

   DataEncapsulationMechanism ::= AlgorithmIdentifier {{DEMAlgorithms}}

   DEMAlgorithms ALGORITHM ::= {
      X9-SymmetricKeyWrappingSchemes |
      Camellia-KeyWrappingSchemes,
      ...  -- implementations may define other methods
   }

   X9-SymmetricKeyWrappingSchemes ALGORITHM ::= {
      aes128-Wrap | aes192-Wrap | aes256-Wrap | tdes-Wrap,
      ...  -- allows for future expansion
   }

   X9-SymmetricKeyWrappingScheme ::=
               AlgorithmIdentifier {{ X9-SymmetricKeyWrappingSchemes }}

END