OTP-PKIX {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprices(1) ericsson(193) otp(19) ssl(10) pkix1(1)} DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL IMPORTS -- Certificate (parts of) Version, CertificateSerialNumber, --AlgorithmIdentifier, Validity, UniqueIdentifier, -- AttribyteTypeAndValue Name, AttributeType, id-at-name, id-at-surname, id-at-givenName, id-at-initials, id-at-generationQualifier, X520name, id-at-commonName, X520CommonName, id-at-localityName, X520LocalityName, id-at-stateOrProvinceName, X520StateOrProvinceName, id-at-organizationName, X520OrganizationName, id-at-organizationalUnitName, X520OrganizationalUnitName, id-at-title, X520Title, id-at-dnQualifier, X520dnQualifier, id-at-countryName, X520countryName, id-at-serialNumber, X520SerialNumber, id-at-pseudonym, X520Pseudonym, id-domainComponent, DomainComponent, id-emailAddress, EmailAddress, -- Extension Attributes common-name, CommonName, teletex-common-name, TeletexCommonName, teletex-personal-name, TeletexPersonalName, pds-name, PDSName, physical-delivery-country-name, PhysicalDeliveryCountryName, postal-code, PostalCode, physical-delivery-office-name, PhysicalDeliveryOfficeName, physical-delivery-office-number, PhysicalDeliveryOfficeNumber, extension-OR-address-components, ExtensionORAddressComponents, physical-delivery-personal-name, PhysicalDeliveryPersonalName, physical-delivery-organization-name, PhysicalDeliveryOrganizationName, extension-physical-delivery-address-components, ExtensionPhysicalDeliveryAddressComponents, unformatted-postal-address, UnformattedPostalAddress, street-address, StreetAddress, post-office-box-address, PostOfficeBoxAddress, poste-restante-address, PosteRestanteAddress, unique-postal-name, UniquePostalName, local-postal-attributes, LocalPostalAttributes, extended-network-address, ExtendedNetworkAddress, terminal-type, TerminalType, teletex-domain-defined-attributes, TeletexDomainDefinedAttributes FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } -- Extensions id-ce-authorityKeyIdentifier, AuthorityKeyIdentifier, id-ce-subjectKeyIdentifier, SubjectKeyIdentifier, id-ce-keyUsage, KeyUsage, id-ce-privateKeyUsagePeriod, PrivateKeyUsagePeriod, id-ce-certificatePolicies, CertificatePolicies, id-ce-policyMappings, PolicyMappings, id-ce-subjectAltName, SubjectAltName, id-ce-issuerAltName, IssuerAltName, id-ce-subjectDirectoryAttributes, SubjectDirectoryAttributes, id-ce-basicConstraints, BasicConstraints, id-ce-nameConstraints, NameConstraints, id-ce-policyConstraints, PolicyConstraints, id-ce-cRLDistributionPoints, CRLDistributionPoints, id-ce-extKeyUsage, ExtKeyUsageSyntax, id-ce-inhibitAnyPolicy, InhibitAnyPolicy, id-ce-freshestCRL, FreshestCRL, id-pe-authorityInfoAccess, AuthorityInfoAccessSyntax, id-pe-subjectInfoAccess, SubjectInfoAccessSyntax, id-ce-cRLNumber, CRLNumber, id-ce-issuingDistributionPoint, IssuingDistributionPoint, id-ce-deltaCRLIndicator, BaseCRLNumber, id-ce-cRLReasons, CRLReason, id-ce-certificateIssuer, CertificateIssuer, id-ce-holdInstructionCode, HoldInstructionCode, id-ce-invalidityDate, InvalidityDate FROM PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } --Keys and Signatures id-dsa, Dss-Parms, DSAPublicKey, id-dsa-with-sha1, md2WithRSAEncryption, md5WithRSAEncryption, sha1WithRSAEncryption, rsaEncryption, RSAPublicKey, dhpublicnumber, DomainParameters, DHPublicKey, id-keyExchangeAlgorithm, KEA-Parms-Id, --KEA-PublicKey, ecdsa-with-SHA1, prime-field, Prime-p, characteristic-two-field, --Characteristic-two, gnBasis, tpBasis, Trinomial, ppBasis, Pentanomial, id-ecPublicKey, EcpkParameters, ECPoint FROM PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-algorithms(17) } md2WithRSAEncryption, md5WithRSAEncryption, sha1WithRSAEncryption, sha224WithRSAEncryption, sha256WithRSAEncryption, sha384WithRSAEncryption, sha512WithRSAEncryption FROM PKCS-1 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) modules(0) pkcs-1(1) }; -- -- Certificate -- OTPCertificate ::= SEQUENCE { tbsCertificate OTPTBSCertificate, signatureAlgorithm SignatureAlgorithm, signature BIT STRING } OTPTBSCertificate ::= SEQUENCE { version [0] Version DEFAULT v1, serialNumber CertificateSerialNumber, signature SignatureAlgorithm, issuer Name, validity Validity, subject Name, subjectPublicKeyInfo OTPSubjectPublicKeyInfo, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 extensions [3] Extensions OPTIONAL -- If present, version MUST be v3 -- } -- Attribute type and values -- ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= CLASS { &id AttributeType UNIQUE, &Type } WITH SYNTAX { ID &id TYPE &Type } OTPAttributeTypeAndValue ::= SEQUENCE { type ATTRIBUTE-TYPE-AND-VALUE-CLASS.&id ({SupportedAttributeTypeAndValues}), value ATTRIBUTE-TYPE-AND-VALUE-CLASS.&Type ({SupportedAttributeTypeAndValues}{@type}) } SupportedAttributeTypeAndValues ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { name | surname | givenName | initials | generationQualifier | commonName | localityName | stateOrProvinceName | organizationName | organizationalUnitName | title | dnQualifier | countryName | serialNumber | pseudonym | domainComponent | emailAddress } name ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-name TYPE X520name } surname ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-surname TYPE X520name } givenName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-givenName TYPE X520name } initials ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-initials TYPE X520name } generationQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-generationQualifier TYPE X520name } commonName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-commonName TYPE X520CommonName } localityName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-localityName TYPE X520LocalityName } stateOrProvinceName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-stateOrProvinceName TYPE X520StateOrProvinceName } organizationName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-organizationName TYPE X520OrganizationName } organizationalUnitName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-organizationalUnitName TYPE X520OrganizationalUnitName } title ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-title TYPE X520Title } dnQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-dnQualifier TYPE X520dnQualifier } countryName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-countryName TYPE X520countryName } -- this is currently not used when decoding -- The decoding and mapping between ID and Type is done in the code -- in module publickey_cert_records via the function attribute_type -- To be more forgiving and compatible with other SSL implementations -- regarding how to handle and sometimes accept incorrect certificates -- we define and use the type below instead of X520countryName OTP-X520countryname ::= CHOICE { printableString PrintableString (SIZE (2)), utf8String UTF8String (SIZE (2)) } serialNumber ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-serialNumber TYPE X520SerialNumber } pseudonym ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-at-pseudonym TYPE X520Pseudonym } domainComponent ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-domainComponent TYPE DomainComponent } emailAddress ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { ID id-emailAddress TYPE EmailAddress } -- -- Signature and Public Key Algorithms -- OTPOLDSubjectPublicKeyInfo ::= SEQUENCE { algorithm SEQUENCE { algo PUBLIC-KEY-ALGORITHM-CLASS.&id ({SupportedPublicKeyAlgorithms}), parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type ({SupportedPublicKeyAlgorithms}{@.algo}) OPTIONAL }, subjectPublicKey PUBLIC-KEY-ALGORITHM-CLASS.&PublicKeyType ({SupportedPublicKeyAlgorithms}{@algorithm.algo}) } OTPSubjectPublicKeyInfo ::= SEQUENCE { algorithm PublicKeyAlgorithm, subjectPublicKey BIT STRING } -- The following is needed for conversion of SubjectPublicKeyInfo. OTPSubjectPublicKeyInfo-Any ::= SEQUENCE { algorithm PublicKeyAlgorithm, subjectPublicKey ANY } SIGNATURE-ALGORITHM-CLASS ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Type OPTIONAL } WITH SYNTAX { ID &id [TYPE &Type] } PUBLIC-KEY-ALGORITHM-CLASS ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Type OPTIONAL, &PublicKeyType OPTIONAL } WITH SYNTAX { ID &id [TYPE &Type] [PUBLIC-KEY-TYPE &PublicKeyType] } SignatureAlgorithm ::= SEQUENCE { algorithm SIGNATURE-ALGORITHM-CLASS.&id ({SupportedSignatureAlgorithms}), parameters SIGNATURE-ALGORITHM-CLASS.&Type ({SupportedSignatureAlgorithms}{@algorithm}) OPTIONAL } SignatureAlgorithm-Any ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL } PublicKeyAlgorithm ::= SEQUENCE { algorithm PUBLIC-KEY-ALGORITHM-CLASS.&id ({SupportedPublicKeyAlgorithms}), parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type ({SupportedPublicKeyAlgorithms}{@algorithm}) OPTIONAL } SupportedSignatureAlgorithms SIGNATURE-ALGORITHM-CLASS ::= { dsa-with-sha1 | md2-with-rsa-encryption | md5-with-rsa-encryption | sha1-with-rsa-encryption | sha224-with-rsa-encryption | sha256-with-rsa-encryption | sha384-with-rsa-encryption | sha512-with-rsa-encryption | ecdsa-with-sha1 } SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= { dsa | rsa-encryption | dh | kea | ec-public-key } -- DSA Keys and Signatures DSAParams ::= CHOICE { params Dss-Parms, null NULL } -- SubjectPublicKeyInfo: dsa PUBLIC-KEY-ALGORITHM-CLASS ::= { ID id-dsa TYPE DSAParams -- XXX Must be OPTIONAL PUBLIC-KEY-TYPE DSAPublicKey } -- Certificate.signatureAlgorithm dsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= { ID id-dsa-with-sha1 TYPE DSAParams } -- -- RSA Keys and Signatures -- -- Certificate.signatureAlgorithm md2-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { ID md2WithRSAEncryption TYPE NULL } md5-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { ID md5WithRSAEncryption TYPE NULL } sha1-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { ID sha1WithRSAEncryption TYPE NULL } sha224-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { ID sha224WithRSAEncryption TYPE NULL } sha256-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { ID sha256WithRSAEncryption TYPE NULL } sha384-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { ID sha384WithRSAEncryption TYPE NULL } sha512-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { ID sha512WithRSAEncryption TYPE NULL } -- Certificate.signature -- See PKCS #1 (RFC 2313). XXX -- SubjectPublicKeyInfo: rsa-encryption PUBLIC-KEY-ALGORITHM-CLASS ::= { ID rsaEncryption TYPE NULL PUBLIC-KEY-TYPE RSAPublicKey } -- -- Diffie-Hellman Keys -- -- SubjectPublicKeyInfo: dh PUBLIC-KEY-ALGORITHM-CLASS ::= { ID dhpublicnumber TYPE DomainParameters PUBLIC-KEY-TYPE DHPublicKey } -- There are no Diffie-Hellman signature algorithms -- -- KEA Keys -- -- SubjectPublicKeyInfo: KEA-PublicKey ::= INTEGER kea PUBLIC-KEY-ALGORITHM-CLASS ::= { ID id-keyExchangeAlgorithm TYPE KEA-Parms-Id PUBLIC-KEY-TYPE KEA-PublicKey } -- There are no KEA signature algorithms -- -- Elliptic Curve Keys, Signatures, and Curves -- -- Certificate.signatureAlgorithm ecdsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= { ID ecdsa-with-SHA1 TYPE NULL } -- XXX Must be empty and not NULL FIELD-ID-CLASS ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Type } WITH SYNTAX { ID &id TYPE &Type } OTPFieldID ::= SEQUENCE { -- Finite field fieldType FIELD-ID-CLASS.&id({SupportedFieldIds}), parameters FIELD-ID-CLASS.&Type({SupportedFieldIds}{@fieldType}) } SupportedFieldIds FIELD-ID-CLASS ::= { field-prime-field | field-characteristic-two } field-prime-field FIELD-ID-CLASS ::= { ID prime-field TYPE Prime-p } CHARACTERISTIC-TWO-CLASS ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Type } WITH SYNTAX { ID &id TYPE &Type } OTPCharacteristic-two ::= SEQUENCE { -- Finite field m INTEGER, -- Field size 2^m basis CHARACTERISTIC-TWO-CLASS.&id({SupportedCharacteristicTwos}), parameters CHARACTERISTIC-TWO-CLASS.&Type ({SupportedCharacteristicTwos}{@basis}) } SupportedCharacteristicTwos CHARACTERISTIC-TWO-CLASS ::= { gn-basis | tp-basis | pp-basis } field-characteristic-two FIELD-ID-CLASS ::= { ID characteristic-two-field TYPE Characteristic-two } gn-basis CHARACTERISTIC-TWO-CLASS ::= { ID gnBasis TYPE NULL } tp-basis CHARACTERISTIC-TWO-CLASS ::= { ID tpBasis TYPE Trinomial } pp-basis CHARACTERISTIC-TWO-CLASS ::= { ID ppBasis TYPE Pentanomial } -- SubjectPublicKeyInfo.algorithm ec-public-key PUBLIC-KEY-ALGORITHM-CLASS ::= { ID id-ecPublicKey TYPE EcpkParameters PUBLIC-KEY-TYPE ECPoint } -- -- Extension Attributes -- EXTENSION-ATTRIBUTE-CLASS ::= CLASS { &id INTEGER UNIQUE, &Type } WITH SYNTAX { ID &id TYPE &Type } OTPExtensionAttributes ::= SET SIZE (1..MAX) OF ExtensionAttribute -- XXX Below we should have extension-attribute-type and extension- -- attribute-value but Erlang ASN1 does not like it. OTPExtensionAttribute ::= SEQUENCE { extensionAttributeType [0] IMPLICIT EXTENSION-ATTRIBUTE-CLASS.&id ({SupportedExtensionAttributes}), extensionAttributeValue [1] EXTENSION-ATTRIBUTE-CLASS.&Type ({SupportedExtensionAttributes}{@extensionAttributeType}) } SupportedExtensionAttributes EXTENSION-ATTRIBUTE-CLASS ::= { x400-common-name | x400-teletex-common-name | x400-teletex-personal-name | x400-pds-name | x400-physical-delivery-country-name | x400-postal-code | x400-physical-delivery-office-name | x400-physical-delivery-office-number | x400-extension-OR-address-components | x400-physical-delivery-personal-name | x400-physical-delivery-organization-name | x400-extension-physical-delivery-address-components | x400-unformatted-postal-address | x400-street-address | x400-post-office-box-address | x400-poste-restante-address | x400-unique-postal-name | x400-local-postal-attributes | x400-extended-network-address | x400-terminal-type | x400-teletex-domain-defined-attributes } -- Extension types and attribute values x400-common-name EXTENSION-ATTRIBUTE-CLASS ::= { ID common-name TYPE CommonName } x400-teletex-common-name EXTENSION-ATTRIBUTE-CLASS ::= { ID teletex-common-name TYPE TeletexCommonName } x400-teletex-personal-name EXTENSION-ATTRIBUTE-CLASS ::= { ID teletex-personal-name TYPE TeletexPersonalName } x400-pds-name EXTENSION-ATTRIBUTE-CLASS ::= { ID pds-name TYPE PDSName } x400-physical-delivery-country-name EXTENSION-ATTRIBUTE-CLASS ::= { ID physical-delivery-country-name TYPE PhysicalDeliveryCountryName } x400-postal-code EXTENSION-ATTRIBUTE-CLASS ::= { ID postal-code TYPE PostalCode } x400-physical-delivery-office-name EXTENSION-ATTRIBUTE-CLASS ::= { ID physical-delivery-office-name TYPE PhysicalDeliveryOfficeName } x400-physical-delivery-office-number EXTENSION-ATTRIBUTE-CLASS ::= { ID physical-delivery-office-number TYPE PhysicalDeliveryOfficeNumber } x400-extension-OR-address-components EXTENSION-ATTRIBUTE-CLASS ::= { ID extension-OR-address-components TYPE ExtensionORAddressComponents } x400-physical-delivery-personal-name EXTENSION-ATTRIBUTE-CLASS ::= { ID physical-delivery-personal-name TYPE PhysicalDeliveryPersonalName } x400-physical-delivery-organization-name EXTENSION-ATTRIBUTE-CLASS ::= { ID physical-delivery-organization-name TYPE PhysicalDeliveryOrganizationName } x400-extension-physical-delivery-address-components EXTENSION-ATTRIBUTE-CLASS ::= { ID extension-physical-delivery-address-components TYPE ExtensionPhysicalDeliveryAddressComponents } x400-unformatted-postal-address EXTENSION-ATTRIBUTE-CLASS ::= { ID unformatted-postal-address TYPE UnformattedPostalAddress } x400-street-address EXTENSION-ATTRIBUTE-CLASS ::= { ID street-address TYPE StreetAddress } x400-post-office-box-address EXTENSION-ATTRIBUTE-CLASS ::= { ID post-office-box-address TYPE PostOfficeBoxAddress } x400-poste-restante-address EXTENSION-ATTRIBUTE-CLASS ::= { ID poste-restante-address TYPE PosteRestanteAddress } x400-unique-postal-name EXTENSION-ATTRIBUTE-CLASS ::= { ID unique-postal-name TYPE UniquePostalName } x400-local-postal-attributes EXTENSION-ATTRIBUTE-CLASS ::= { ID local-postal-attributes TYPE LocalPostalAttributes } x400-extended-network-address EXTENSION-ATTRIBUTE-CLASS ::= { ID extended-network-address TYPE ExtendedNetworkAddress } x400-terminal-type EXTENSION-ATTRIBUTE-CLASS ::= { ID terminal-type TYPE TerminalType } x400-teletex-domain-defined-attributes EXTENSION-ATTRIBUTE-CLASS ::= { ID teletex-domain-defined-attributes TYPE TeletexDomainDefinedAttributes } -- Extensions OTPExtensions ::= SEQUENCE SIZE (1..MAX) OF Extension EXTENSION-CLASS ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Type OPTIONAL} WITH SYNTAX { ID &id [TYPE &Type] } OTPExtension ::= SEQUENCE { extnID EXTENSION-CLASS.&id({SupportedExtensions}), critical BOOLEAN DEFAULT FALSE, extnValue EXTENSION-CLASS.&Type({SupportedExtensions}{@extnID}) } -- The following is needed for conversion between Extension and Extension-Cd ObjId ::= OBJECT IDENTIFIER Boolean ::= BOOLEAN Any ::= ANY Extension-Any ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue ANY } SupportedExtensions EXTENSION-CLASS ::= { authorityKeyIdentifier | subjectKeyIdentifier | keyUsage | privateKeyUsagePeriod | certificatePolicies | policyMappings | subjectAltName | issuerAltName | subjectDirectoryAttributes | basicConstraints | nameConstraints | policyConstraints | cRLDistributionPoints | extKeyUsage | inhibitAnyPolicy | freshestCRL | authorityInfoAccess | subjectInfoAccess | cRLNumber | issuingDistributionPoint | deltaCRLIndicator | cRLReasons | certificateIssuer | holdInstructionCode | invalidityDate } authorityKeyIdentifier EXTENSION-CLASS ::= { ID id-ce-authorityKeyIdentifier TYPE AuthorityKeyIdentifier } subjectKeyIdentifier EXTENSION-CLASS ::= { ID id-ce-subjectKeyIdentifier TYPE SubjectKeyIdentifier } keyUsage EXTENSION-CLASS ::= { ID id-ce-keyUsage TYPE KeyUsage } privateKeyUsagePeriod EXTENSION-CLASS ::= { ID id-ce-privateKeyUsagePeriod TYPE PrivateKeyUsagePeriod } certificatePolicies EXTENSION-CLASS ::= { ID id-ce-certificatePolicies TYPE CertificatePolicies } policyMappings EXTENSION-CLASS ::= { ID id-ce-policyMappings TYPE PolicyMappings } subjectAltName EXTENSION-CLASS ::= { ID id-ce-subjectAltName TYPE SubjectAltName } issuerAltName EXTENSION-CLASS ::= { ID id-ce-issuerAltName TYPE IssuerAltName } subjectDirectoryAttributes EXTENSION-CLASS ::= { ID id-ce-subjectDirectoryAttributes TYPE SubjectDirectoryAttributes } basicConstraints EXTENSION-CLASS ::= { ID id-ce-basicConstraints TYPE BasicConstraints } nameConstraints EXTENSION-CLASS ::= { ID id-ce-nameConstraints TYPE NameConstraints } policyConstraints EXTENSION-CLASS ::= { ID id-ce-policyConstraints TYPE PolicyConstraints } cRLDistributionPoints EXTENSION-CLASS ::= { ID id-ce-cRLDistributionPoints TYPE CRLDistributionPoints } extKeyUsage EXTENSION-CLASS ::= { ID id-ce-extKeyUsage TYPE ExtKeyUsageSyntax } inhibitAnyPolicy EXTENSION-CLASS ::= { ID id-ce-inhibitAnyPolicy TYPE InhibitAnyPolicy } freshestCRL EXTENSION-CLASS ::= { ID id-ce-freshestCRL TYPE FreshestCRL } authorityInfoAccess EXTENSION-CLASS ::= { ID id-pe-authorityInfoAccess TYPE AuthorityInfoAccessSyntax } subjectInfoAccess EXTENSION-CLASS ::= { ID id-pe-subjectInfoAccess TYPE SubjectInfoAccessSyntax } cRLNumber EXTENSION-CLASS ::= { ID id-ce-cRLNumber TYPE CRLNumber } issuingDistributionPoint EXTENSION-CLASS ::= { ID id-ce-issuingDistributionPoint TYPE IssuingDistributionPoint } deltaCRLIndicator EXTENSION-CLASS ::= { ID id-ce-deltaCRLIndicator TYPE BaseCRLNumber } cRLReasons EXTENSION-CLASS ::= { ID id-ce-cRLReasons TYPE CRLReason } certificateIssuer EXTENSION-CLASS ::= { ID id-ce-certificateIssuer TYPE CertificateIssuer } holdInstructionCode EXTENSION-CLASS ::= { ID id-ce-holdInstructionCode TYPE HoldInstructionCode } invalidityDate EXTENSION-CLASS ::= { ID id-ce-invalidityDate TYPE InvalidityDate } END