#
# X.509 v3 by ITU-T Recommendation (11/93) & PKCS7 & PKCS10
#
# Interface (declarations only) for the X509 module: certificate, CRL and
# extension data types, plus entry points for decoding, encoding, signing
# and verification.  The implementation is loaded from PATH.
#
# NOTE(review): several security-relevant functions below return a bare int
# (Signed.verify, Certificate.is_expired, CRL.is_revoked, verify_certchain,
# verify_certpath).  This file does not state which value means success;
# confirm the convention in the implementation before branching on it.
#

X509: module {

	PATH: con "/dis/lib/crypt/x509.dis";

	# returns a string; presumably an error message, empty on success -- confirm
	init: fn(): string;

	## x509 (id_at) and x509 extension v3 (id_ce) Object Identifiers

	objIdTab			: array of ASN1->Oid;

	# Consecutive integers starting at 0 (con iota), in declaration order.
	# Presumably indexes into objIdTab -- confirm against the implementation.
	# The order must not be changed without changing the table to match.
	id_at,
	id_at_commonName,
	id_at_countryName,
	id_at_localityName,
	id_at_stateOrProvinceName,
	id_at_organizationName,
	id_at_organizationalUnitName,
	id_at_userPassword,
	id_at_userCertificate,
	id_at_cAcertificate,
	id_at_authorityRevocationList,
	id_at_certificateRevocationList,
	id_at_crossCertificatePair,
	id_at_supportedAlgorithms,
	id_at_deltaRevocationList,
	id_ce,
	id_ce_subjectDirectoryAttributes,
	id_ce_subjectKeyIdentifier,
	id_ce_keyUsage,
	id_ce_privateKeyUsage,
	id_ce_subjectAltName,
	id_ce_issuerAltName,
	id_ce_basicConstraints,
	id_ce_cRLNumber,
	id_ce_reasonCode,
	id_ce_instructionCode,
	id_ce_invalidityDate,
	id_ce_deltaCRLIndicator,
	id_ce_issuingDistributionPoint,
	id_ce_certificateIssuer,
	id_ce_nameConstraints,
	id_ce_cRLDistributionPoint,
	id_ce_certificatePolicies,
	id_ce_policyMapping,
	id_ce_authorityKeyIdentifier,
	id_ce_policyConstraints,
	id_mr,
	id_mr_certificateExactMatch,
	id_mr_certificateMatch,
	id_mr_certificatePairExactMatch,
	id_mr_certificatePairMatch,
	id_mr_certificateListExactMatch,
	id_mr_certificateListMatch,
	id_mr_algorithmidentifierMatch	: con iota;

	## Signed (as Public Key, CRL, Attribute Certificates and CertificationRequest)

	# Generic signed envelope: the to-be-signed bytes, the signature algorithm
	# and the signature value.
	Signed: adt {
		tobe_signed		: array of byte;
		alg			: ref AlgIdentifier;
		signature		: array of byte; # BIT STRING, DER encoding

		# the string in each result pair is presumably an error message -- confirm
		decode: fn(a: array of byte): (string, ref Signed);
		encode: fn(s: self ref Signed): (string, array of byte);
		# hash selects the digest; its legal values are not defined in this module
		sign: fn(s: self ref Signed, sk: ref PrivateKey, hash: int): (string, array of byte);
		# NOTE(review): hash is supplied by the caller, separately from s.alg;
		# whether the two are checked for agreement is not visible here
		verify: fn(s: self ref Signed, pk: ref PublicKey, hash: int): int;
		tostring: fn(s: self ref Signed): string;
	};

	## Certificate Path

	# NOTE(review): neither function takes a trust anchor, a reference time or
	# a CRL as a parameter.  Which checks they perform (signature chaining,
	# validity period, basic constraints, critical extensions, revocation)
	# cannot be told from this interface; callers should confirm in the
	# implementation and add any missing checks themselves.
	verify_certchain: fn(cs: list of array of byte): (int, string);
	verify_certpath: fn(cp: list of (ref Signed, ref Certificate)): (int, string);

	## TBS (Public Key) Certificate

	Certificate: adt {
		version			: int; # v1(0; default) or v2(1) or v3(2)
		serial_number		: ref Keyring->IPint;
		sig			: ref AlgIdentifier;
		issuer			: ref Name;
		validity		: ref Validity;
		subject			: ref Name;
		subject_pkinfo		: ref SubjectPKInfo;
		# OPTIONAL for v2 and v3; must be in order
		issuer_uid		: array of byte; # v2
		subject_uid		: array of byte; # v2 or v3
		exts			: list of ref Extension; # v3

		decode: fn(a: array of byte): (string, ref Certificate);
		encode: fn(c: self ref Certificate): (string, array of byte);
		tostring: fn(c: self ref Certificate): string;
		# date is the caller-supplied reference time; presumably in the same
		# units as Validity.not_before/not_after -- confirm
		is_expired: fn(c: self ref Certificate, date: int): int;
	};

	AlgIdentifier: adt {
		oid			: ref ASN1->Oid;
		parameter		: array of byte;

		tostring: fn(a: self ref AlgIdentifier): string;
	};

	# Distinguished name: a list of relative distinguished names.
	# NOTE(review): the matching rules used by equal (case, whitespace,
	# ordering) are not visible here; confirm before relying on it for
	# issuer/subject chaining decisions.
	Name: adt {
		rd_names		: list of ref RDName;

		equal: fn(a: self ref Name, b: ref Name): int;
		tostring: fn(n: self ref Name): string;
	};

	RDName: adt {
		avas			: list of ref AVA;

		equal: fn(a: self ref RDName, b: ref RDName): int;
		tostring: fn(r: self ref RDName): string;
	};

	# Attribute type (oid) and value pair
	AVA: adt {
		oid			: ref ASN1->Oid;
		value			: string;

		equal: fn(a: self ref AVA, b: ref AVA): int;
		tostring: fn(a: self ref AVA): string;
	};

	# NOTE(review): Limbo int is a 32-bit signed value.  If these fields hold
	# seconds since the epoch (not stated in this file), dates after January
	# 2038 cannot be represented -- confirm how the decoder handles them.
	Validity: adt {
		not_before		: int;
		not_after		: int;

		tostring: fn(v: self ref Validity, format: string): string;
	};

	SubjectPKInfo: adt {
		alg_id			: ref AlgIdentifier;
		subject_pk		: array of byte; # BIT STRING

		# returns (string, int, ref PublicKey); the meaning of the int is not
		# documented here -- confirm against the implementation
		getPublicKey: fn(c: self ref SubjectPKInfo): (string, int, ref PublicKey);
		tostring: fn(c: self ref SubjectPKInfo): string;
	};

	# Undecoded extension: type, criticality flag and the raw value bytes
	Extension: adt{
		oid			: ref ASN1->Oid;
		critical		: int; # default false
		value			: array of byte;

		tostring: fn(e: self ref Extension): string;
	};

	PublicKey: adt {
		pick {
		RSA =>
			pk		: ref PKCS->RSAKey;
		DSS =>
			pk		: ref PKCS->DSSPublicKey;
		DH =>
			pk		: ref PKCS->DHPublicKey;
		}
	};

	# Note that the RSA arm uses the same PKCS->RSAKey type as PublicKey.RSA
	PrivateKey: adt {
		pick {
		RSA =>
			sk		: ref PKCS->RSAKey;
		DSS =>
			sk		: ref PKCS->DSSPrivateKey;
		DH =>
			sk		: ref PKCS->DHPrivateKey;
		}
	};

	## Certificate Revocation List

	CRL: adt {
		version			: int; # OPTIONAL; v2
		sig			: ref AlgIdentifier;
		issuer			: ref Name;
		this_update		: int;
		next_update		: int; # OPTIONAL
		revoked_certs		: list of ref RevokedCert; # OPTIONAL
		exts			: list of ref Extension; # OPTIONAL

		decode: fn(a: array of byte): (string, ref CRL);
		encode: fn(c: self ref CRL): (string, array of byte);
		tostring: fn(c: self ref CRL): string;
		# NOTE(review): takes only a serial number; checking that the CRL is
		# from the certificate's issuer, is correctly signed and is still
		# current (next_update) appears to be left to the caller -- confirm
		is_revoked: fn(c: self ref CRL, sn: ref Keyring->IPint): int;
	};

	RevokedCert: adt {
		user_cert		: ref Keyring->IPint; # serial_number
		revoc_date		: int; # OPTIONAL
		exts			: list of ref Extension; # OPTIONAL; CRL entry extensions

		tostring: fn(rc: self ref RevokedCert): string;
	};

	## Certificate Extensions

	# get critical extensions
	cr_exts: fn(es: list of ref Extension): list of ref Extension;

	# get non-critical extensions
	noncr_exts: fn(es: list of ref Extension): list of ref Extension;

	# decode a list of extensions
	parse_exts: fn(es: list of ref Extension): (string, list of ref ExtClass);

	# extension classes
	ExtClass: adt {
		pick {
		AuthorityKeyIdentifier =>
			id		: array of byte; # OCTET STRING
			issuer		: ref GeneralName;
			serial_number	: ref Keyring->IPint;
		SubjectKeyIdentifier =>
			id		: array of byte; # OCTET STRING
		BasicConstraints =>
			# NOTE(review): this arm carries only a path length; there is no
			# separate cA flag, so how a non-CA certificate is represented
			# is not visible here -- confirm before using depth to decide
			# whether a certificate may issue others
			depth		: int; # certificate path constraints
		KeyUsage =>
			usage		: int;
		PrivateKeyUsage =>
			period		: ref Validity;
		PolicyMapping => # (issuer, subject) domain policy pairs
			pairs		: list of (ref ASN1->Oid, ref ASN1->Oid);
		CertificatePolicies =>
			policies	: list of ref PolicyInfo;
		IssuerAltName =>
			alias		: list of ref GeneralName;
		SubjectAltName =>
			alias		: list of ref GeneralName;
		NameConstraints =>
			permitted	: list of ref GSubtree;
			excluded	: list of ref GSubtree;
		PolicyConstraints =>
			require		: int;
			inhibit		: int;
		CRLNumber =>
			curr		: int;
		ReasonCode =>
			code		: int;
		InstructionCode =>
			oid		: ref ASN1->Oid; # hold instruction code field
		InvalidityDate =>
			date		: int;
		CRLDistributionPoint =>
			ps		: list of ref DistrPoint;
		IssuingDistributionPoint =>
			name		: ref DistrPointName;
			only_usercerts	: int; # DEFAULT FALSE
			only_cacerts	: int; # DEFAULT FALSE
			only_reasons	: int;
			indirect_crl	: int; # DEFAULT FALSE
		CertificateIssuer =>
			names		: list of ref GeneralName;
		DeltaCRLIndicator =>
			number		: ref Keyring->IPint;
		SubjectDirectoryAttributes =>
			attrs		: list of ref Attribute;
		UnknownType =>
			# Holds the raw extension.  X.509 requires a certificate
			# carrying an unrecognised *critical* extension to be rejected;
			# whether this module enforces that is not visible here, so
			# callers should check ext.critical on this arm themselves.
			ext		: ref Extension;
		}

		decode: fn(ext: ref Extension): (string, ref ExtClass);
		encode: fn(et: self ref ExtClass, critical: int): ref Extension;
		tostring: fn(et: self ref ExtClass): string;
	};

	# key usage
	# NOTE(review): `iota << 1` evaluates to 0, 2, 4, 6, ... 16, so these are
	# not distinct single bits: KeyUsage_DigitalSignature is 0 and
	# KeyUsage_DataEncipherment (6) equals NonRepudiation|KeyEncipherment.
	# If ExtClass.KeyUsage.usage is meant to be a bitmask of these constants,
	# `1 << iota` would be the expected form.  Confirm how the implementation
	# uses them before testing usage bits with these names.
	KeyUsage_DigitalSignature, KeyUsage_NonRepudiation, KeyUsage_KeyEncipherment,
	KeyUsage_DataEncipherment, KeyUsage_KeyAgreement, KeyUsage_KeyCertSign,
	KeyUsage_CRLSign, KeyUsage_EncipherOnly, KeyUsage_DecipherOnly : con iota << 1;

	# CRL reason
	# NOTE(review): same `iota << 1` form as above, giving 0, 2, 4, ... 14;
	# the same caution applies if these are combined or tested as flags.
	Reason_Unspecified, Reason_KeyCompromise, Reason_CACompromise,
	Reason_AffiliationChanged, Reason_Superseded, Reason_CessationOfOperation,
	Reason_CertificateHold, Reason_RemoveFromCRL : con iota << 1;

	# General Name
	# The bracketed numbers are the context tags noted by the original author.
	GeneralName: adt {
		pick {
		otherName or				# [0]
		rfc822Name or				# [1]
		dNSName or				# [2]
		x400Address or				# [3]
		uniformResourceIdentifier =>		# [6]
			str		: string;
		iPAddress =>				# [7]
			ip		: array of byte;
		registeredID =>				# [8]
			oid		: ref ASN1->Oid;
		ediPartyName =>				# [5]
			nameAssigner	: ref Name;	# [0]
			partyName	: ref Name;	# [1]
		directoryName =>			# [4]
			dir		: ref Name;
		}

		tostring: fn(g: self ref GeneralName): string;
	};

	# security policies
	PolicyInfo: adt {
		oid			: ref ASN1->Oid;
		qualifiers		: list of ref PolicyQualifier;

		tostring: fn(pi: self ref PolicyInfo): string;
	};

	PolicyQualifier: adt {
		oid			: ref ASN1->Oid;
		value			: array of byte; # OCTET STRING; OPTIONAL

		tostring: fn(pq: self ref PolicyQualifier): string;
	};

	# General subtree, used by the NameConstraints extension class
	GSubtree: adt {
		base			: ref GeneralName;
		min			: int;
		max			: int;

		tostring: fn(gs: self ref GSubtree): string;
	};

	# crl distribution point
	# with known reason code
	# Unused [0], KeyCompromise [1], CACompromise [2], AffiliationChanged [3],
	# Superseded [4], CessationOfOperation [5], CertificateHold [6]
	DistrPoint: adt{
		name			: ref DistrPointName;
		reasons			: int;
		issuer			: list of ref GeneralName;

		tostring: fn(dp: self ref DistrPoint): string;
	};

	DistrPointName: adt {
		full_name		: list of ref GeneralName;
		rdname			: list of ref RDName;
	};

	# Note: id is held by value (ASN1->Oid), unlike the ref ASN1->Oid fields above
	Attribute: adt {
		id			: ASN1->Oid;
		value			: array of byte;
	};
};

# Commented-out draft of an attribute-certificate module; not part of the interface.
#X509Attribute: module {
#
#	## Attribute Certificate
#
#	AttrCert: adt {
#		version			: int; # default v1
#		base_certid		: ref IssuerSerial; # [0]
#		subject_name		: list of ref GeneralName; # [1]
#		issuer			: list of ref GeneralName;
#		serial_number		: ref IPint;
#		validity		: ref Validity;
#		attrs			: list of ref Attribute;
#		issuer_uid		: array of byte; # OPTIONAL
#		exts			: list of ref Extension; # OPTIONAL
#	};
#
#	IssuerSerial: adt {
#		issuer			: list of ref GeneralName;
#		serial			: ref IPint;
#		issuer_uid		: array of byte; # OPTIONAL
#	};
#};