I am writing a specification in ASN.1. What is the formally correct syntax to restrict the range of values of an attribute with type OBJECT IDENTIFIER to a particular OID arc? E.g., I would like to achieve something like

    foo OBJECT IDENTIFIER ( BELOW SUBTREE { 2 1 1 } )

The keyword BELOW SUBTREE has been made up by me for the sake of an example to make clear what I am looking for.
Elaborated example
Seemingly, my question above is not sufficiently clear, as some answers suggest solutions that do not address the problem. I'll elaborate a little bit more on what I am doing and what I want to achieve. I am writing an X.509 certificate policy and must specify an X.509 profile in chapter 7. This means I have to substantiate some choices or degrees of freedom which exist in the general syntax for the scope of my application. Especially, I cannot and must not change any attribute types because this would make the result incompatible with an X.509 certificate, i.e. I can only specialize some types as long as the specialization remains compatible with the generalization.
Object identifiers are used all over the place in X.509.
As a tangible example, let's take the attribute policyIdentifier, whose type is an alias of OBJECT IDENTIFIER, within the object of type PolicyInformation within the certificate extension CertificatePolicies.

    CertificatePolicies ::= SEQUENCE SIZE (1) OF PolicyInformation
    PolicyInformation ::= SEQUENCE {
        policyIdentifier CertPolicyId
    }
    CertPolicyId ::= OBJECT IDENTIFIER

(I have already shortened down the ASN.1 syntax to the needs of my application.)
Let's assume I have defined the following constants:

    id-cp-my-policies OBJECT IDENTIFIER -- some OID arc in the private enterprise arc under my control
    id-cp-my-policy-v10 OBJECT IDENTIFIER ::= { id-cp-my-policies 1 0 }
    id-cp-my-policy-v11 OBJECT IDENTIFIER ::= { id-cp-my-policies 1 1 }
    id-cp-my-policy-v12 OBJECT IDENTIFIER ::= { id-cp-my-policies 1 2 }
    id-cp-my-policy-v20 OBJECT IDENTIFIER ::= { id-cp-my-policies 2 0 }
    id-cp-my-policy-v30 OBJECT IDENTIFIER ::= { id-cp-my-policies 3 0 }
    id-cp-my-policy-v31 OBJECT IDENTIFIER ::= { id-cp-my-policies 3 1 }

I want to express that CertPolicyId is a specialization of OBJECT IDENTIFIER which can only take values from the list above. Of course, I could explicitly enumerate all policy IDs by the "OR" syntax, i.e. I could write

    CertPolicyId ::= OBJECT IDENTIFIER ( id-cp-my-policy-v10 | id-cp-my-policy-v11 | id-cp-my-policy-v12 | id-cp-my-policy-v20 | id-cp-my-policy-v30 | id-cp-my-policy-v31 )

However, this does not seem very future-proof. Instead, I would like to write something like

    CertPolicyId ::= OBJECT IDENTIFIER ( BELOW SUBTREE id-cp-my-policies )

I hope this example helps to understand what I want to do.
There is no formal way to restrict the OBJECT IDENTIFIER type to a certain range.
You can use the RELATIVE-OID type.
You can either make the root OID implicit (let's say foo is a component of a SEQUENCE)

    {
        foo RELATIVE-OID -- relative to root { 2 1 1 }
    }

or explicit

    {
        foo SEQUENCE {
            root OBJECT IDENTIFIER DEFAULT { 2 1 1 },
            object-id RELATIVE-OID -- relative to root
        }
    }

You can use this approach:

    foo OBJECT IDENTIFIER ::= { 1 2 3 }
    foo-bar OBJECT IDENTIFIER ::= { foo 4 }

Thus, foo-bar will result in the 1.2.3.4 OID value in dotted notation. Is this what you are looking for?
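
An added example, not part of the original question or answers: since one answer above says the restriction cannot be written as a formal ASN.1 constraint, a relying application can enforce the profile itself by decoding the DER-encoded policyIdentifier and comparing it arc by arc against the policy root. ROOT is a constructed placeholder for id-cp-my-policies, the sample encodings are constructed, and excluding the root arc itself is an assumption about what "below" means.

```python
# Added example: enforce "policy OID must lie below a given arc" in application code.

def decode_oid(der: bytes) -> tuple:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, short-form length only)."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated subidentifier")
    subids, value, start = [], 0, True
    for byte in body:
        if start and byte == 0x80:
            raise ValueError("non-minimal subidentifier encoding")
        value = (value << 7) | (byte & 0x7F)   # base-128, big-endian
        start = not (byte & 0x80)              # high bit clear ends a subidentifier
        if start:
            subids.append(value)
            value = 0
    # The first subidentifier packs the first two arcs as 40 * arc1 + arc2.
    arc1 = min(subids[0] // 40, 2)
    return (arc1, subids[0] - 40 * arc1, *subids[1:])

def is_below(oid: tuple, root: tuple) -> bool:
    """True only for strict descendants of root. Comparing integer arcs avoids
    the dotted-string prefix trap ("...99999.1" vs "...99999.10")."""
    return len(oid) > len(root) and oid[:len(root)] == root

ROOT = (1, 3, 6, 1, 4, 1, 99999, 1)  # constructed placeholder for id-cp-my-policies

SAMPLES = {  # constructed DER encodings
    "v10": bytes.fromhex("060b2b06010401868d1f010100"),    # ROOT.1.0
    "root": bytes.fromhex("06092b06010401868d1f01"),       # ROOT itself
    "sibling": bytes.fromhex("060a2b06010401868d1f0a01"),  # ...99999.10.1
}

def policy_allowed(der: bytes) -> bool:
    """Reject malformed encodings and anything outside the policy subtree."""
    try:
        return is_below(decode_oid(der), ROOT)
    except ValueError:
        return False

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(name, policy_allowed(der))
```
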