1 /* asn1x509-2.1.10.js (c) 2013-2021 Kenji Urushima | kjur.github.io/jsrsasign/license
  2  */
  3 /*
  4  * asn1x509.js - ASN.1 DER encoder classes for X.509 certificate
  5  *
  6  * Copyright (c) 2013-2021 Kenji Urushima (kenji.urushima@gmail.com)
  7  *
  8  * This software is licensed under the terms of the MIT License.
  9  * https://kjur.github.io/jsrsasign/license
 10  *
 11  * The above copyright and license notice shall be
 12  * included in all copies or substantial portions of the Software.
 13  */
 14 
 15 /**
 16  * @fileOverview
 17  * @name asn1x509-1.0.js
 18  * @author Kenji Urushima kenji.urushima@gmail.com
 19  * @version jsrsasign 10.5.0 asn1x509 2.1.10 (2021-Nov-21)
 20  * @since jsrsasign 2.1
 21  * @license <a href="https://kjur.github.io/jsrsasign/license/">MIT License</a>
 22  */
 23 
 24 /**
 25  * kjur's class library name space
 26  * // already documented in asn1-1.0.js
 27  * @name KJUR
 28  * @namespace kjur's class library name space
 29  */
 // Reuse an existing KJUR namespace object; create an empty one only when
 // the name is undeclared or holds a falsy value. The assignment carries no
 // declaration keyword, so it depends on sloppy-mode global creation and
 // raises a ReferenceError when evaluated as strict or ES-module code.
 if (typeof KJUR === "undefined" || !KJUR) {
     KJUR = {};
 }
 31 
 32 /**
 33  * kjur's ASN.1 class library name space
 34  * // already documented in asn1-1.0.js
 35  * @name KJUR.asn1
 36  * @namespace
 37  */
 // Attach the asn1 sub-namespace unless KJUR.asn1 already holds a truthy
 // value, so definitions added to it before this point are kept.
 if (typeof KJUR.asn1 === "undefined" || !KJUR.asn1) {
     KJUR.asn1 = {};
 }
 39 
 40 /**
 41  * kjur's ASN.1 class for X.509 certificate library name space
 42  * <p>
 43  * <h4>FEATURES</h4>
 44  * <ul>
 45  * <li>easily issue any kind of certificate</li>
 46  * <li>APIs are very similar to BouncyCastle library ASN.1 classes. So easy to learn.</li>
 47  * </ul>
 48  * </p>
 49  * <h4>PROVIDED CLASSES</h4>
 50  * <ul>
 51  * <li>{@link KJUR.asn1.x509.Certificate}</li>
 52  * <li>{@link KJUR.asn1.x509.TBSCertificate}</li>
 53  * <li>{@link KJUR.asn1.x509.Extension} abstract class</li>
 54  * <li>{@link KJUR.asn1.x509.Extensions}</li>
 55  * <li>{@link KJUR.asn1.x509.SubjectPublicKeyInfo}</li>
 56  * <li>{@link KJUR.asn1.x509.AlgorithmIdentifier}</li>
 57  * <li>{@link KJUR.asn1.x509.GeneralNames}</li>
 58  * <li>{@link KJUR.asn1.x509.GeneralName}</li>
 59  * <li>{@link KJUR.asn1.x509.X500Name}</li>
 60  * <li>{@link KJUR.asn1.x509.RDN}</li>
 61  * <li>{@link KJUR.asn1.x509.AttributeTypeAndValue}</li>
 62  * <li>{@link KJUR.asn1.x509.DistributionPointName}</li>
 63  * <li>{@link KJUR.asn1.x509.DistributionPoint}</li>
 64  * <li>{@link KJUR.asn1.x509.PolicyInformation}</li>
 65  * <li>{@link KJUR.asn1.x509.PolicyQualifierInfo}</li>
 66  * <li>{@link KJUR.asn1.x509.UserNotice}</li>
 67  * <li>{@link KJUR.asn1.x509.NoticeReference}</li>
 68  * <li>{@link KJUR.asn1.x509.DisplayText}</li>
 69  * <li>{@link KJUR.asn1.x509.CRL}</li>
 70  * <li>{@link KJUR.asn1.x509.TBSCertList}</li>
 71  * <li>{@link KJUR.asn1.x509.CRLEntry} (DEPRECATED)</li>
 72  * <li>{@link KJUR.asn1.x509.OID}</li>
 73  * </ul>
 74  * <h4>SUPPORTED EXTENSIONS</h4>
 75  * <ul>
 76  * <li>{@link KJUR.asn1.x509.BasicConstraints}</li>
 77  * <li>{@link KJUR.asn1.x509.KeyUsage}</li>
 78  * <li>{@link KJUR.asn1.x509.CRLDistributionPoints}</li>
 79  * <li>{@link KJUR.asn1.x509.CertificatePolicies}</li>
 80  * <li>{@link KJUR.asn1.x509.ExtKeyUsage}</li>
 81  * <li>{@link KJUR.asn1.x509.AuthorityKeyIdentifier}</li>
 82  * <li>{@link KJUR.asn1.x509.SubjectKeyIdentifier}</li>
 83  * <li>{@link KJUR.asn1.x509.AuthorityInfoAccess}</li>
 84  * <li>{@link KJUR.asn1.x509.SubjectAltName}</li>
 85  * <li>{@link KJUR.asn1.x509.IssuerAltName}</li>
 86  * <li>{@link KJUR.asn1.x509.CertificatePolicies}</li>
 87  * <li>{@link KJUR.asn1.x509.CRLNumber}</li>
 88  * <li>{@link KJUR.asn1.x509.CRLReason}</li>
 89  * <li>{@link KJUR.asn1.x509.OCSPNonce}</li>
 90  * <li>{@link KJUR.asn1.x509.OCSPNoCheck}</li>
 91  * <li>{@link KJUR.asn1.x509.AdobeTimeStamp}</li>
 92  * <li>{@link KJUR.asn1.x509.SubjectDirectoryAttributes}</li>
 93  * <li>{@link KJUR.asn1.x509.PrivateExtension}</li>
 94  * </ul>
 95  * NOTE1: Please ignore the method summary and documentation of this namespace. This is caused by a bug in jsdoc2.<br/>
 96  * NOTE2: SubjectAltName and IssuerAltName have been supported since
 97  * jsrsasign 6.2.3 asn1x509 1.0.19.<br/>
 98  * NOTE3: CertificatePolicies has been supported since
 99  * jsrsasign 8.0.23 asn1x509 1.1.12.<br/>
100  * @name KJUR.asn1.x509
101  * @namespace
102  */
// Attach the x509 sub-namespace unless KJUR.asn1.x509 already holds a
// truthy value; every class below is registered on this object.
if (typeof KJUR.asn1.x509 === "undefined" || !KJUR.asn1.x509) {
    KJUR.asn1.x509 = {};
}
104 
105 // === BEGIN Certificate ===================================================
106 
107 /**
108  * X.509 Certificate class to sign and generate hex encoded certificate
109  * @name KJUR.asn1.x509.Certificate
110  * @class X.509 Certificate class to sign and generate hex encoded certificate
111  * @property {Array} params JSON object of parameters
112  * @param {Array} params JSON object for Certificate parameters
113  * @extends KJUR.asn1.ASN1Object
114  * @description
115  * <br/>
116  * This class provides Certificate ASN.1 class structure
117  * defined in 
118  * <a href="https://tools.ietf.org/html/rfc5280#section-4.1">
119  * RFC 5280 4.1</a>.
120  * <pre>
121  * Certificate  ::=  SEQUENCE  {
122  *      tbsCertificate       TBSCertificate,
123  *      signatureAlgorithm   AlgorithmIdentifier,
124  *      signatureValue       BIT STRING  }
125  * </pre>
126  * Parameter "params" JSON object can be
127  * the same as {@link KJUR.asn1.x509.TBSCertificate}. 
128  * Then they are used to generate TBSCertificate.
129  * Additionally just for Certificate, following parameters can be used:
130  * <ul>
131  * <li>{TBSCertificate}tbsobj - 
132  * specifies {@link KJUR.asn1.x509.TBSCertificate} 
133  * object to be signed if needed. 
134  * When this isn't specified, 
135  * this will be set from other parameters of TBSCertificate.</li>
136  * <li>{Object}cakey (OPTION) - specifies certificate signing private key.
137  * Parameter "cakey" or "sighex" shall be specified. Following
138  * values can be specified:
139  *   <ul>
140  *   <li>PKCS#1/5 or PKCS#8 PEM string of private key</li>
141  *   <li>RSAKey/DSA/ECDSA key object. {@link KEYUTIL.getKey} is useful
142  *   to generate a key object.</li>
143  *   </ul>
144  * </li>
145  * <li>{String}sighex (OPTION) - hexadecimal string of signature value
146  * (i.e. ASN.1 value(V) of signatureValue BIT STRING without
147  * unused bits)</li>
148  * </ul>
149  * CAUTION: APIs of this class have been totally updated without
150  * backward compatibility since jsrsasign 9.0.0.<br/>
151  * NOTE1: 'params' can be omitted.<br/>
152  * NOTE2: DSA/ECDSA is also supported for CA signing key from asn1x509 1.0.6.
153  * @example
154  * var cert = new KJUR.asn1.x509.Certificate({
155  *  version: 3,
156  *  serial: {hex: "1234..."},
157  *  sigalg: "SHA256withRSAandMGF1",
158  *  ...
159  *  sighex: "1d3f..." // sign() method won't be called
160  * });
161  *
162  * // sighex will be calculated by signing with cakey
163  * var cert = new KJUR.asn1.x509.Certificate({
164  *  version: 3,
165  *  serial: {hex: "2345..."},
166  *  sigalg: "SHA256withRSA",
167  *  ...
168  *  cakey: "-----BEGIN PRIVATE KEY..."
169  * });
170  *
171  * // use TBSCertificate object to sign
172  * var cert = new KJUR.asn1.x509.Certificate({
173  *  tbsobj: <<OBJ>>,
174  *  sigalg: "SHA256withRSA",
175  *  cakey: "-----BEGIN PRIVATE KEY..."
176  * });
177  */
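KJUR.asn1.x509.Certificate = function(params) {
    KJUR.asn1.x509.Certificate.superclass.constructor.call(this);
    var _KJUR_asn1 = KJUR.asn1,
        _DERBitString = _KJUR_asn1.DERBitString,
        _DERSequence = _KJUR_asn1.DERSequence,
        _KJUR_asn1_x509 = _KJUR_asn1.x509,
        _TBSCertificate = _KJUR_asn1_x509.TBSCertificate,
        _AlgorithmIdentifier = _KJUR_asn1_x509.AlgorithmIdentifier;

    // The parameter object is held by reference, not copied. sign() and
    // getEncodedHex() write params.tbsobj and params.sighex back into it,
    // and params.cakey (the signing private key) stays in it after signing,
    // so treat the object as secret material: do not log or serialize it.
    this.params = undefined;

    // Build params.tbsobj from the remaining parameters when the caller
    // did not supply one. Shared by sign() and getEncodedHex() so that
    // either can be called first.
    var _ensureTBS = function(p) {
        if (p.tbsobj == null) {
            p.tbsobj = new _TBSCertificate(p);
        }
    };

    /**
     * set parameter<br/>
     * @name setByParam
     * @memberOf KJUR.asn1.x509.Certificate#
     * @function
     * @param params {Array} JSON object of certificate parameters
     * @since jsrsasign 9.0.0 asn1hex 2.0.0
     * @description
     * This method stores a reference to the given object in
     * {@link KJUR.asn1.x509.Certificate#params}. Any tbsobj or sighex
     * already present in that object is used as-is by later calls.
     * @example
     * cert = new KJUR.asn1.x509.Certificate();
     * cert.setByParam({
     *   version: 3,
     *   serial: {hex: "1234..."},
     *   ...
     * });
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * sign certificate<br/>
     * @name sign
     * @memberOf KJUR.asn1.x509.Certificate#
     * @function
     * @description
     * This method signs the encoded TBSCertificate with the private key
     * in this.params.cakey and the algorithm in this.params.sigalg, and
     * stores the result in this.params.sighex. The TBSCertificate is
     * built from the other parameters first when this.params.tbsobj is
     * not set, so sign() can be called before getEncodedHex().
     * @example
     * cert = new KJUR.asn1.x509.Certificate({...});
     * cert.sign()
     */
    this.sign = function() {
        var params = this.params;

        // sigalg is either the algorithm name itself or an object that
        // carries the name in its "name" member.
        var sigalg = params.sigalg;
        if (params.sigalg.name != undefined) {
            sigalg = params.sigalg.name;
        }

        // Previously sign() dereferenced params.tbsobj without creating
        // it, which threw a TypeError unless getEncodedHex() ran first.
        _ensureTBS(params);

        var hTBS = params.tbsobj.getEncodedHex();
        var sig = new KJUR.crypto.Signature({alg: sigalg});
        sig.init(params.cakey);
        sig.updateHex(hTBS);
        params.sighex = sig.sign();
    };

    /**
     * get PEM formatted certificate string after signed
     * @name getPEM
     * @memberOf KJUR.asn1.x509.Certificate#
     * @function
     * @return PEM formatted string of certificate
     * @since jsrsasign 9.0.0 asn1hex 2.0.0
     * @description
     * This method returns the output of getEncodedHex() wrapped as a
     * PEM "CERTIFICATE" block, so it signs on demand and throws under
     * the same conditions as getEncodedHex().
     * @example
     * cert = new KJUR.asn1.x509.Certificate({...});
     * cert.getPEM() →
     * "-----BEGIN CERTIFICATE-----\r\n..."
     */
    this.getPEM = function() {
        return hextopem(this.getEncodedHex(), "CERTIFICATE");
    };

    /**
     * Encode Certificate ::= SEQUENCE { tbsCertificate,
     * signatureAlgorithm, signatureValue } and return it as hex.
     * Signs with params.cakey only when params.sighex is not yet set.
     * @throws {Error} when neither sighex nor cakey is available
     */
    this.getEncodedHex = function() {
        var params = this.params;

        _ensureTBS(params);

        // An existing sighex is trusted and emitted unchanged: it is not
        // verified against the TBS bytes, and it is not recomputed when
        // fields of params are edited after the first encoding. Delete
        // params.sighex (or use a fresh params object) before re-issuing,
        // otherwise the signature will not cover the new contents.
        if (params.sighex == undefined && params.cakey != undefined) {
            this.sign();
        }

        if (params.sighex == undefined) {
            throw new Error("sighex or cakey parameter not defined");
        }

        // The outer signatureAlgorithm comes from params.sigalg. When the
        // caller supplies its own tbsobj, nothing here checks that it
        // matches the signature field inside that TBSCertificate, which
        // RFC 5280 4.1.1.2 requires to be identical.
        // NOTE(review): sign() accepts sigalg as an object with a "name"
        // member, while params.sigalg is passed through here as the name
        // unchanged - confirm AlgorithmIdentifier accepts that form.
        var a = [];
        a.push(params.tbsobj);
        a.push(new _AlgorithmIdentifier({name: params.sigalg}));
        // Leading "00" is the BIT STRING unused-bits octet.
        a.push(new _DERBitString({hex: "00" + params.sighex}));
        var seq = new _DERSequence({array: a});
        return seq.getEncodedHex();
    };

    if (params != undefined) this.params = params;
};
extendClass(KJUR.asn1.x509.Certificate, KJUR.asn1.ASN1Object);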
285 
286 /**
287  * ASN.1 TBSCertificate structure class<br/>
288  * @name KJUR.asn1.x509.TBSCertificate
289  * @class ASN.1 TBSCertificate structure class
290  * @property {Array} params JSON object of parameters
291  * @param {Array} params JSON object of TBSCertificate parameters
292  * @extends KJUR.asn1.ASN1Object
293  * @see KJUR.asn1.x509.Certificate
294  *
295  * @description
296  * <br/>
297  * NOTE: TBSCertificate class is updated without backward 
298  * compatibility from jsrsasign 9.0.0 asn1x509 2.0.0.
299  * Most of methods are removed and parameters can be set
300  * by JSON object.
301  *
302  * @example
303  * new TBSCertificate({
304  *  version: 3, // this can be omitted, the default is 3.
305  *  serial: {hex: "1234..."}, // DERInteger parameter
306  *  sigalg: "SHA256withRSA",
307  *  issuer: {array:[[{type:'O',value:'Test',ds:'prn'}]]}, // X500Name parameter
308  *  notbefore: "151231235959Z", // string, passed to Time
309  *  notafter: "251231235959Z", // string, passed to Time
310  *  subject: {array:[[{type:'O',value:'Test',ds:'prn'}]]}, // X500Name parameter
311  *  sbjpubkey: "-----BEGIN...", // KEYUTIL.getKey pubkey parameter
312  *  // As for extension parameters, please see extension class
313  *  // All extension parameters need to have "extname" parameter additionally.
314  *  ext:[{ 
315  *   extname:"keyUsage",critical:true,
316  *   names:["digitalSignature","keyEncipherment"]
317  *  },{
318  *   extname:"cRLDistributionPoints",
319  *   array:[{dpname:{full:[{uri:"http://example.com/a1.crl"}]}}]
320  *  }, ...]
321  * })
322  *
323  * var tbsc = new TBSCertificate();
324  * tbsc.setByParam({version:3,serial:{hex:'1234...'},...});
325  */
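KJUR.asn1.x509.TBSCertificate = function(params) {
    KJUR.asn1.x509.TBSCertificate.superclass.constructor.call(this);
    var _KJUR_asn1 = KJUR.asn1,
        _KJUR_asn1_x509 = _KJUR_asn1.x509,
        _DERTaggedObject = _KJUR_asn1.DERTaggedObject,
        _DERInteger = _KJUR_asn1.DERInteger,
        _DERSequence = _KJUR_asn1.DERSequence,
        _AlgorithmIdentifier = _KJUR_asn1_x509.AlgorithmIdentifier,
        _Time = _KJUR_asn1_x509.Time,
        _X500Name = _KJUR_asn1_x509.X500Name,
        _Extensions = _KJUR_asn1_x509.Extensions,
        _SubjectPublicKeyInfo = _KJUR_asn1_x509.SubjectPublicKeyInfo;

    this.params = null;

    /**
     * set parameter<br/>
     * @name setByParam
     * @memberOf KJUR.asn1.x509.TBSCertificate#
     * @function
     * @param {Array} params JSON object of TBSCertificate parameters
     * @description
     * Stores a reference to the given object (no copy is made), so
     * later changes to it are picked up by the next getEncodedHex().
     * @example
     * tbsc = new KJUR.asn1.x509.TBSCertificate();
     * tbsc.setByParam({version:3, serial:{hex:'1234...'},...});
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * Encode the TBSCertificate SEQUENCE from this.params and return it
     * as a hex string. The structure is rebuilt on every call.
     *
     * Values are encoded as given: this method does not check that the
     * serial number is positive or unique for the issuer, nor that
     * notbefore precedes notafter. Those checks belong to the caller.
     */
    this.getEncodedHex = function() {
        var a = [];
        var params = this.params;

        // version is "[0] EXPLICIT Version DEFAULT v1". DER requires a
        // DEFAULT value to be omitted, so the field is written only when
        // the version is not 1; an undefined version means X.509v3.
        // The former test "!= undefined || != 1" was always true and
        // emitted an explicit v1 (INTEGER 0) field.
        if (params.version != 1) {
            var version = 2;
            if (params.version != undefined) version = params.version - 1;
            // No tag is passed here; this relies on DERTaggedObject's
            // defaults (defined outside this file) - presumably [0] EXPLICIT.
            var obj =
                new _DERTaggedObject({obj: new _DERInteger({'int': version})});
            a.push(obj);
        }

        a.push(new _DERInteger(params.serial));
        a.push(new _AlgorithmIdentifier({name: params.sigalg}));
        a.push(new _X500Name(params.issuer));
        a.push(new _DERSequence({array: [new _Time(params.notbefore),
                                         new _Time(params.notafter)]}));
        a.push(new _X500Name(params.subject));
        a.push(new _SubjectPublicKeyInfo(KEYUTIL.getKey(params.sbjpubkey)));

        // Extensions are written whenever a non-empty list is given, with
        // no check against the version; RFC 5280 4.1.2.9 allows them only
        // in version 3 certificates.
        if (params.ext !== undefined && params.ext.length > 0) {
            a.push(new _DERTaggedObject({tag: "a3",
                                         obj: new _Extensions(params.ext)}));
        }

        var seq = new _DERSequence({array: a});
        return seq.getEncodedHex();
    };

    if (params !== undefined) this.setByParam(params);
};
extendClass(KJUR.asn1.x509.TBSCertificate, KJUR.asn1.ASN1Object);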
388 
389 /**
390  * Extensions ASN.1 structure class<br/>
391  * @name KJUR.asn1.x509.Extensions
392  * @class Extensions ASN.1 structure class
393  * @param {Array} aParam array of JSON extension parameter
394  * @extends KJUR.asn1.ASN1Object
395  * @since jsrsasign 9.1.0 asn1x509 2.1.0
396  * @see KJUR.asn1.x509.TBSCertificate
397  * @see KJUR.asn1.x509.TBSCertList
398  * @see KJUR.asn1.csr.CertificationRequestInfo
399  * @see KJUR.asn1.x509.PrivateExtension
400  * @see KJUR.asn1.ocsp.ResponseData
401  * @see KJUR.asn1.ocsp.BasicOCSPResponse 
402  *
403  * @description
404  * This class represents
405  * <a href="https://tools.ietf.org/html/rfc5280#section-4.1">
406  * Extensions defined in RFC 5280 4.1</a> and
407  * <a href="https://tools.ietf.org/html/rfc5280#section-4.1.2.9">
408  * 4.1.2.9</a>.
409  * <pre>
410  * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
411  * </pre>
412  * <p>NOTE: From jsrsasign 9.1.1, private extension or
413  * undefined extension have been supported by
414  * {@link KJUR.asn1.x509.PrivateExtension}.</p>
415  * 
416  * Here is a list of available extensions:
417  * <ul>
418  * <li>{@link KJUR.asn1.x509.BasicConstraints}</li>
419  * <li>{@link KJUR.asn1.x509.KeyUsage}</li>
420  * <li>{@link KJUR.asn1.x509.SubjectKeyIdentifier}</li>
421  * <li>{@link KJUR.asn1.x509.AuthorityKeyIdentifier}</li>
422  * <li>{@link KJUR.asn1.x509.SubjectAltName}</li>
423  * <li>{@link KJUR.asn1.x509.IssuerAltName}</li>
424  * <li>{@link KJUR.asn1.x509.CRLDistributionPoints}</li>
425  * <li>{@link KJUR.asn1.x509.CertificatePolicies}</li>
426  * <li>{@link KJUR.asn1.x509.CRLNumber}</li>
427  * <li>{@link KJUR.asn1.x509.CRLReason}</li>
428  * <li>{@link KJUR.asn1.x509.OCSPNonce}</li>
429  * <li>{@link KJUR.asn1.x509.OCSPNoCheck}</li>
430  * <li>{@link KJUR.asn1.x509.AdobeTimeStamp}</li>
431  * <li>{@link KJUR.asn1.x509.SubjectDirectoryAttributes}</li>
432  * <li>{@link KJUR.asn1.x509.PrivateExtension}</li>
433  * </ul>
434  * You can also use {@link KJUR.asn1.x509.PrivateExtension} object
435  * to specify an unsupported extension.
436  *
437  * @example
438  * o = new KJUR.asn1.x509.Extensions([
439  *   {extname:"keyUsage",critical:true,names:["digitalSignature"]},
440  *   {extname:"subjectAltName",array:[{dns:"example.com"}]},
441  *   {extname:"1.2.3.4",extn:{prnstr:"aa"}} // private extension
442  * ]);
443  * o.getEncodedHex() → "30..."
444  */
KJUR.asn1.x509.Extensions = function(aParam) {
    KJUR.asn1.x509.Extensions.superclass.constructor.call(this);
    var _KJUR_asn1 = KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _KJUR_asn1_x509 = _KJUR_asn1.x509;

    // "extname" value -> name of the class on KJUR.asn1.x509 that encodes
    // it. Kept as ordered pairs and compared with == so matching follows
    // the same order and coercion rules for every entry.
    var _EXTNAME_TO_CLASS = [
        ["subjectKeyIdentifier", "SubjectKeyIdentifier"],
        ["keyUsage", "KeyUsage"],
        ["subjectAltName", "SubjectAltName"],
        ["issuerAltName", "IssuerAltName"],
        ["basicConstraints", "BasicConstraints"],
        ["cRLDistributionPoints", "CRLDistributionPoints"],
        ["certificatePolicies", "CertificatePolicies"],
        ["authorityKeyIdentifier", "AuthorityKeyIdentifier"],
        ["extKeyUsage", "ExtKeyUsage"],
        ["authorityInfoAccess", "AuthorityInfoAccess"],
        ["cRLNumber", "CRLNumber"],
        ["cRLReason", "CRLReason"],
        ["ocspNonce", "OCSPNonce"],
        ["ocspNoCheck", "OCSPNoCheck"],
        ["adobeTimeStamp", "AdobeTimeStamp"],
        ["subjectDirectoryAttributes", "SubjectDirectoryAttributes"]
    ];

    this.aParam = [];

    // Stores the caller's array by reference; it is read on each encode.
    this.setByParam = function(aParam) {
        this.aParam = aParam;
    };

    /**
     * Encode every entry of this.aParam, in order, into one SEQUENCE and
     * return its hex. Throws Error for an entry whose extname is not in
     * the table and which has no "extn" member.
     *
     * Not checked here: an empty list produces an empty SEQUENCE although
     * the ASN.1 type is SIZE (1..MAX), and the same extension listed
     * twice is encoded twice (RFC 5280 4.2 allows one instance only).
     */
    this.getEncodedHex = function() {
        var encoders = [];
        for (var i = 0; i < this.aParam.length; i++) {
            var param = this.aParam[i];
            var extname = param.extname;
            var className = null;

            if (param.extn != undefined) {
                // An "extn" member wins over extname: the entry is encoded
                // as a PrivateExtension even when extname is a known one.
                className = "PrivateExtension";
            } else {
                for (var k = 0; k < _EXTNAME_TO_CLASS.length; k++) {
                    if (extname == _EXTNAME_TO_CLASS[k][0]) {
                        className = _EXTNAME_TO_CLASS[k][1];
                        break;
                    }
                }
            }

            if (className === null) {
                throw new Error("extension not supported:"
                                + JSON.stringify(param));
            }

            var ExtClass = _KJUR_asn1_x509[className];
            encoders.push(new ExtClass(param));
        }

        var seq = new _DERSequence({array: encoders});
        return seq.getEncodedHex();
    };

    if (aParam != undefined) this.setByParam(aParam);
};
extendClass(KJUR.asn1.x509.Extensions, KJUR.asn1.ASN1Object);
510 
511 
512 // === END   TBSCertificate ===================================================
513 
514 // === BEGIN X.509v3 Extensions Related =======================================
515 
516 /**
517  * base Extension ASN.1 structure class
518  * @name KJUR.asn1.x509.Extension
519  * @class base Extension ASN.1 structure class
520  * @param {Array} params associative array of parameters (ex. {'critical': true})
521  * @extends KJUR.asn1.ASN1Object
522  * @description
523  * <pre>
524  * Extension  ::=  SEQUENCE  {
525  *     extnID      OBJECT IDENTIFIER,
526  *     critical    BOOLEAN DEFAULT FALSE,
527  *     extnValue   OCTET STRING  }
528  * </pre>
529  * @example
530  */
KJUR.asn1.x509.Extension = function(params) {
    KJUR.asn1.x509.Extension.superclass.constructor.call(this);
    var _KJUR_asn1 = KJUR.asn1,
        _DERObjectIdentifier = _KJUR_asn1.DERObjectIdentifier,
        _DEROctetString = _KJUR_asn1.DEROctetString,
        _DERBoolean = _KJUR_asn1.DERBoolean,
        _DERSequence = _KJUR_asn1.DERSequence;

    /**
     * Encode Extension ::= SEQUENCE { extnID, critical, extnValue } and
     * return its hex. Subclasses provide this.oid and getExtnValueHex().
     */
    this.getEncodedHex = function() {
        var extnId = new _DERObjectIdentifier({'oid': this.oid});
        var extnValue = new _DEROctetString({'hex': this.getExtnValueHex()});

        var members = [extnId];
        // critical is DEFAULT FALSE, so it is written only when set.
        // The test is by truthiness: any truthy value, including a
        // non-empty string such as "false", marks the extension critical.
        // DERBoolean() is called without arguments - presumably it
        // encodes TRUE; the class is defined outside this file.
        if (this.critical) {
            members.push(new _DERBoolean());
        }
        members.push(extnValue);

        return new _DERSequence({'array': members}).getEncodedHex();
    };

    // The caller's value is stored as given, without conversion to Boolean.
    this.critical = false;
    if (params !== undefined && params.critical !== undefined) {
        this.critical = params.critical;
    }
};
extendClass(KJUR.asn1.x509.Extension, KJUR.asn1.ASN1Object);
564 
565 /**
566  * KeyUsage ASN.1 structure class
567  * @name KJUR.asn1.x509.KeyUsage
568  * @class KeyUsage ASN.1 structure class
569  * @param {Array} params associative array of parameters (ex. {'bin': '11', 'critical': true})
570  * @extends KJUR.asn1.x509.Extension
571  * @description
572  * This class is for <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.3" target="_blank">KeyUsage</a> X.509v3 extension.
573  * <pre>
574  * id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
575  * KeyUsage ::= BIT STRING {
576  *   digitalSignature   (0),
577  *   nonRepudiation     (1),
578  *   keyEncipherment    (2),
579  *   dataEncipherment   (3),
580  *   keyAgreement       (4),
581  *   keyCertSign        (5),
582  *   cRLSign            (6),
583  *   encipherOnly       (7),
584  *   decipherOnly       (8) }
585  * </pre><br/>
586  * NOTE: 'names' parameter is supported since jsrsasign 8.0.14.
587  * @example
588  * o = new KJUR.asn1.x509.KeyUsage({bin: "11"});
589  * o = new KJUR.asn1.x509.KeyUsage({critical: true, bin: "11"});
590  * o = new KJUR.asn1.x509.KeyUsage({names: ['digitalSignature', 'keyAgreement']});
591  */
KJUR.asn1.x509.KeyUsage = function(params) {
    KJUR.asn1.x509.KeyUsage.superclass.constructor.call(this, params);
    var _KEYUSAGE_NAME = X509.KEYUSAGE_NAME;

    // Returns the hex of the BIT STRING set up by the constructor. When
    // neither "bin" nor "names" was given, asn1ExtnValue is unset and
    // this call throws a TypeError.
    this.getExtnValueHex = function() {
        return this.asn1ExtnValue.getEncodedHex();
    };

    this.oid = "2.5.29.15";
    if (params === undefined) return;

    // "bin" form: the whole params object is handed to DERBitString.
    if (params.bin !== undefined) {
        this.asn1ExtnValue = new KJUR.asn1.DERBitString(params);
    }

    // "names" form: start from nine zero bits and set the bit whose index
    // in X509.KEYUSAGE_NAME matches each requested name. When both forms
    // are given, this result replaces the one built from "bin".
    //
    // A name that matches no entry is skipped without an error, so a
    // misspelled usage is silently left out, and a list with no valid
    // name yields an all-zero bit string (RFC 5280 4.2.1.3 requires at
    // least one bit set). Callers should validate names beforehand.
    if (params.names !== undefined &&
        params.names.length !== undefined) {
        var wanted = params.names;
        var bits = "000000000";
        for (var n = 0; n < wanted.length; n++) {
            for (var pos = 0; pos < _KEYUSAGE_NAME.length; pos++) {
                if (wanted[n] !== _KEYUSAGE_NAME[pos]) continue;
                bits = bits.substring(0, pos) + '1' +
                    bits.substring(pos + 1, bits.length);
            }
        }
        this.asn1ExtnValue = new KJUR.asn1.DERBitString({bin: bits});
    }
};
extendClass(KJUR.asn1.x509.KeyUsage, KJUR.asn1.x509.Extension);
622 
623 /**
624  * BasicConstraints ASN.1 structure class
625  * @name KJUR.asn1.x509.BasicConstraints
626  * @class BasicConstraints ASN.1 structure class
627  * @param {Array} params JSON object for parameters (ex. {cA:true,critical:true})
628  * @extends KJUR.asn1.x509.Extension
629  * @see {@link X509#getExtBasicConstraints}
630  * @description
631  * This class represents 
632  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.9">
633  * BasicConstraints extension defined in RFC 5280 4.2.1.9</a>.
634  * <pre>
635  *  id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
636  *  BasicConstraints ::= SEQUENCE {
637  *       cA                      BOOLEAN DEFAULT FALSE,
638  *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
639  * </pre>
640  * Its constructor can have following parameters:
641  * <ul>
642  * <li>{Boolean}cA - cA flag</li>
643  * <li>{Integer}pathLen - pathLen field value</li>
644  * <li>{Boolean}critical - critical flag</li>
645  * </ul>
646  * @example
647  * new KJUR.asn1.x509.BasicConstraints({
648  *   cA: true,
649  *   pathLen: 3,
650  *   critical: true
651  * })
652  */
KJUR.asn1.x509.BasicConstraints = function(params) {
    KJUR.asn1.x509.BasicConstraints.superclass.constructor.call(this, params);
    var _KJUR_asn1 = KJUR.asn1,
        _DERBoolean = _KJUR_asn1.DERBoolean,
        _DERInteger = _KJUR_asn1.DERInteger,
        _DERSequence = _KJUR_asn1.DERSequence;

    /**
     * Build BasicConstraints ::= SEQUENCE { cA, pathLenConstraint } from
     * this.cA and this.pathLen, keep it in this.asn1ExtnValue and return
     * its hex.
     */
    this.getExtnValueHex = function() {
        var members = [];
        // cA is DEFAULT FALSE and is written only when truthy.
        // DERBoolean() without arguments presumably encodes TRUE; the
        // class is defined outside this file.
        if (this.cA) {
            members.push(new _DERBoolean());
        }
        // pathLen is written whenever it is above -1, independent of cA.
        // RFC 5280 4.2.1.9 permits pathLenConstraint only when cA is
        // asserted (and keyUsage asserts keyCertSign); that combination
        // is not enforced here and is left to the caller.
        if (this.pathLen > -1) {
            members.push(new _DERInteger({'int': this.pathLen}));
        }
        this.asn1ExtnValue = new _DERSequence({'array': members});
        return this.asn1ExtnValue.getEncodedHex();
    };

    this.oid = "2.5.29.19";
    // Defaults: not a CA, no path length (-1 means "omit the field").
    this.cA = false;
    this.pathLen = -1;
    if (params === undefined) return;

    // Caller values are stored as given, without type conversion.
    if (params.cA !== undefined) {
        this.cA = params.cA;
    }
    if (params.pathLen !== undefined) {
        this.pathLen = params.pathLen;
    }
};
extendClass(KJUR.asn1.x509.BasicConstraints, KJUR.asn1.x509.Extension);
686 
687 /**
688  * CRLDistributionPoints ASN.1 structure class
689  * @name KJUR.asn1.x509.CRLDistributionPoints
690  * @class CRLDistributionPoints ASN.1 structure class
691  * @param {Array} params associative array of parameters (ex. {'uri': 'http://a.com/', 'critical': true})
692  * @extends KJUR.asn1.x509.Extension
693  * @see {@link X509#getExtCRLDistributionPoints}
694  * @see {@link KJUR.asn1.x509.DistributionPoint}
695  * @see {@link KJUR.asn1.x509.GeneralNames}
696  * @description
697  * This class represents 
698  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.13">
699  * CRLDistributionPoints extension defined in RFC 5280 4.2.1.13</a>.
700  * <pre>
701  * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }
702  * CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
703  * DistributionPoint ::= SEQUENCE {
704  *      distributionPoint       [0]     DistributionPointName OPTIONAL,
705  *      reasons                 [1]     ReasonFlags OPTIONAL,
706  *      cRLIssuer               [2]     GeneralNames OPTIONAL }
707  * DistributionPointName ::= CHOICE {
708  *      fullName                [0]     GeneralNames,
709  *      nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
710  * </pre>
711  * Constructor can have following parameter:
712  * <ul>
713  * <li>{Array}array - array of {@link KJUR.asn1.x509.DistributionPoint} parameter</li>
714  * <li>{Boolean}critical - critical flag</li>
715  * </ul>
716  * @example
717  * new KJUR.asn1.x509.CRLDistributionPoints({
718  *   array: [{fulluri: "http://aaa.com/"}, {fulluri: "ldap://aaa.com/"}],
719  *   critical: true
720  * })
721  */
KJUR.asn1.x509.CRLDistributionPoints = function(params) {
    KJUR.asn1.x509.CRLDistributionPoints.superclass.constructor.call(this, params);
    var _KJUR_asn1 = KJUR.asn1,
        _KJUR_asn1_x509 = _KJUR_asn1.x509;

    // Returns the hex of the SEQUENCE prepared by setByDPArray() or
    // setByOneURI(). When neither "array" nor "uri" was supplied,
    // asn1ExtnValue is unset and this call throws a TypeError.
    this.getExtnValueHex = function() {
        return this.asn1ExtnValue.getEncodedHex();
    };

    /**
     * Set the extension value from a list of distribution points.
     * Entries that already are ASN1Object instances are used directly;
     * anything else is treated as DistributionPoint constructor
     * parameters. URI strings are encoded as given, without validation.
     */
    this.setByDPArray = function(dpArray) {
        var points = [];
        for (var i = 0; i < dpArray.length; i++) {
            var entry = dpArray[i];
            if (!(entry instanceof KJUR.asn1.ASN1Object)) {
                entry = new _KJUR_asn1_x509.DistributionPoint(entry);
            }
            points.push(entry);
        }
        this.asn1ExtnValue = new _KJUR_asn1.DERSequence({'array': points});
    };

    // Convenience form: a single distribution point with one fullName URI.
    this.setByOneURI = function(uri) {
        var onlyPoint = new _KJUR_asn1_x509.DistributionPoint({fulluri: uri});
        this.setByDPArray([onlyPoint]);
    };

    this.oid = "2.5.29.31";
    if (params === undefined) return;

    // "array" takes precedence; "uri" is consulted only without it.
    if (params.array !== undefined) {
        this.setByDPArray(params.array);
    } else if (params.uri !== undefined) {
        this.setByOneURI(params.uri);
    }
};
extendClass(KJUR.asn1.x509.CRLDistributionPoints, KJUR.asn1.x509.Extension);
760 
761 /**
762  * DistributionPoint ASN.1 structure class<br/>
763  * @name KJUR.asn1.x509.DistributionPoint
764  * @class DistributionPoint ASN.1 structure class
765  * @param {Array} params JSON object of parameters (OPTIONAL)
766  * @extends KJUR.asn1.ASN1Object
767  * @see {@link KJUR.asn1.x509.CRLDistributionPoints}
768  * @see {@link KJUR.asn1.x509.DistributionPointName}
769  * @see {@link KJUR.asn1.x509.GeneralNames}
770  * @see {@link X509#getDistributionPoint}
771  * @description
772  * This class represents 
773  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.13">
774  * DistributionPoint defined in RFC 5280 4.2.1.13</a>.
775  * <pre>
776  * DistributionPoint ::= SEQUENCE {
777  *      distributionPoint       [0]     DistributionPointName OPTIONAL,
778  *      reasons                 [1]     ReasonFlags OPTIONAL,
779  *      cRLIssuer               [2]     GeneralNames OPTIONAL }
780  * </pre>
781  * Constructor can have following parameter:
782  * <ul>
783  * <li>{String}fulluri - uri string for fullName uri. This has the same meaning as '{dpname: {full: [{uri: "..."}]}}'.</li>
784  * <li>{Array}dpname - JSON object for {@link KJUR.asn1.x509.DistributionPointName} parameters</li>
785  * <li>{DistributionPoint}dpobj - {@link KJUR.asn1.x509.DistributionPointName} object (DEPRECATED)</li>
786  * </ul>
787  * <br/>
788  * NOTE1: Parameter "fulluri" and "dpname" supported 
789  * since jsrsasign 9.0.0 asn1x509 2.0.0.
790  * <br/>
791  * NOTE2: The "reasons" and "cRLIssuer" fields are currently
792  * not supported.
793  * @example
794  * new KJUR.asn1.x509.DistributionPoint(
795  *   {fulluri: "http://example.com/crl1.crl"})
796  * new KJUR.asn1.x509.DistributionPoint(
797  *   {dpname: {full: [{uri: "http://example.com/crl1.crl"}]}})
798  * new KJUR.asn1.x509.DistributionPoint(
799  *   {dpobj: new DistributionPoint(...)})
800  */
KJUR.asn1.x509.DistributionPoint = function(params) {
    KJUR.asn1.x509.DistributionPoint.superclass.constructor.call(this);
    var _KJUR_asn1 = KJUR.asn1,
        _DistributionPointName = _KJUR_asn1.x509.DistributionPointName;

    /**
     * Encode the DistributionPoint SEQUENCE, cache the hex in this.hTLV
     * and return it. Only the distributionPoint [0] field is written,
     * and only when a name was configured; otherwise the SEQUENCE is
     * empty.
     */
    this.getEncodedHex = function() {
        var seq = new _KJUR_asn1.DERSequence();
        if (this.asn1DP != null) {
            var taggedName = new _KJUR_asn1.DERTaggedObject({
                'explicit': true,
                'tag': 'a0',
                'obj': this.asn1DP
            });
            seq.appendASN1Object(taggedName);
        }
        this.hTLV = seq.getEncodedHex();
        return this.hTLV;
    };

    if (params === undefined) return;

    // Precedence: a ready-made dpobj, then dpname parameters, then the
    // fulluri shorthand. The URI is passed on as given, unvalidated.
    if (params.dpobj !== undefined) {
        this.asn1DP = params.dpobj;
    } else if (params.dpname !== undefined) {
        this.asn1DP = new _DistributionPointName(params.dpname);
    } else if (params.fulluri !== undefined) {
        this.asn1DP = new _DistributionPointName({full: [{uri: params.fulluri}]});
    }
};
extendClass(KJUR.asn1.x509.DistributionPoint, KJUR.asn1.ASN1Object);
831 
832 /**
833  * DistributionPointName ASN.1 structure class<br/>
834  * @name KJUR.asn1.x509.DistributionPointName
835  * @class DistributionPointName ASN.1 structure class
836  * @param {Array} params JSON object of parameters or GeneralNames object
837  * @extends KJUR.asn1.ASN1Object
838  * @see {@link KJUR.asn1.x509.CRLDistributionPoints}
839  * @see {@link KJUR.asn1.x509.DistributionPoint}
840  * @see {@link KJUR.asn1.x509.GeneralNames}
841  * @see {@link X509#getDistributionPointName}
842  * @description
843  * This class represents 
844  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.13">
845  * DistributionPointName defined in RFC 5280 4.2.1.13</a>.
846  * <pre>
847  * DistributionPointName ::= CHOICE {
848  *      fullName                [0]     GeneralNames,
849  *      nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
850  * </pre>
851  * Constructor can have following parameter:
852  * <ul>
853  * <li>{String}full - JSON object parameter of {@link KJUR.asn1.x509.GeneralNames} for 'fullName' field</li>
854  * <li>{GeneralNames} - {@link KJUR.asn1.x509.GeneralNames} object for 'fullName'</li>
855  * </ul>
856  * NOTE1: 'full' parameter has been supported since jsrsasign 9.0.0 asn1x509 2.0.0.
857  * <br>
858  * NOTE2: The 'nameRelativeToCRLIssuer' field is currently not supported.
859  * @example
860  * new KJUR.asn1.x509.DistributionPointName({full: <<GeneralNamesParameter>>})
861  * new KJUR.asn1.x509.DistributionPointName({full: [{uri: <<CDPURI>>}]})
862  * new KJUR.asn1.x509.DistributionPointName({full: [{dn: <<DN Parameter>>}]})
863  * new KJUR.asn1.x509.DistributionPointName({full: [{uri: "http://example.com/root.crl"}]})
864  * new KJUR.asn1.x509.DistributionPointName({full: [{dn: {str: "/C=US/O=Test"}}]})
865  * new KJUR.asn1.x509.DistributionPointName(new GeneralNames(...))
866  */
KJUR.asn1.x509.DistributionPointName = function(params) {
    KJUR.asn1.x509.DistributionPointName.superclass.constructor.call(this);
    var asn1 = KJUR.asn1;
    var TaggedObject = asn1.DERTaggedObject;

    /**
     * Encode the fullName choice: this.asn1V wrapped in an implicit
     * tagged object using this.tag.
     * @return result of the tagged object's getEncodedHex(), also stored in this.hTLV
     * @throws {Error} when this.type is not "full" (including when the
     * constructor was called without parameters and no type was set)
     */
    this.getEncodedHex = function() {
        if (this.type != "full") {
            throw new Error("currently type shall be 'full': " + this.type);
        }
        var wrapper = new TaggedObject({
            'explicit': false,
            'tag': this.tag,
            'obj': this.asn1V
        });
        this.asn1Obj = wrapper;
        this.hTLV = wrapper.getEncodedHex();
        return this.hTLV;
    };

    // Without parameters type, tag and asn1V stay unset.
    if (params === undefined) return;

    var GeneralNames = asn1.x509.GeneralNames;
    // A GeneralNames instance is used as is; otherwise a 'full' member is
    // required and is converted to GeneralNames.
    var isGeneralNames = GeneralNames.prototype.isPrototypeOf(params);
    if (!isGeneralNames && params.full === undefined) {
        throw new Error("This class supports GeneralNames only as argument");
    }

    this.type = "full";
    this.tag = "a0";
    this.asn1V = isGeneralNames ? params : new GeneralNames(params.full);
};
extendClass(KJUR.asn1.x509.DistributionPointName, KJUR.asn1.ASN1Object);
902 
903 /**
904  * CertificatePolicies ASN.1 structure class
905  * @name KJUR.asn1.x509.CertificatePolicies
906  * @class CertificatePolicies ASN.1 structure class
907  * @param {Array} params associative array of parameters
908  * @extends KJUR.asn1.x509.Extension
909  * @since jsrsasign 8.0.23 asn1x509 1.1.12
910  * @see KJUR.asn1.x509.CertificatePolicies
911  * @see KJUR.asn1.x509.PolicyInformation
912  * @see KJUR.asn1.x509.PolicyQualifierInfo
913  * @see KJUR.asn1.x509.UserNotice
914  * @see KJUR.asn1.x509.NoticeReference
915  * @see KJUR.asn1.x509.DisplayText
916  * @description
917  * This class represents 
918  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
919  * CertificatePolicies extension defined in RFC 5280 4.2.1.4</a>.
920  * <pre>
921  * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
922  * CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
923  * </pre>
924  * Its constructor can have following parameters:
925  * <ul>
926  * <li>array - array of {@link KJUR.asn1.x509.PolicyInformation} parameter</li>
927  * <li>critical - boolean: critical flag</li>
928  * </ul>
929  * NOTE: Returned JSON value format has been changed without 
930  * backward compatibility since jsrsasign 9.0.0 asn1x509 2.0.0.
931  * @example
932  * e1 = new KJUR.asn1.x509.CertificatePolicies({
933  *   array: [
934  *     { policyoid: "1.2.3.4.5",
935  *       array: [
936  *         { cps: "https://example.com/repository" },
937  *         { unotice: {
938  *           noticeref: { // CA SHOULD NOT use this by RFC
939  *             org: {type: "ia5", str: "Sample Org"},
940  *             noticenum: [{int: 5}, {hex: "01af"}]
941  *           },
942  *           exptext: {type: "ia5", str: "Sample Policy"}
943  *         }}
944  *       ]
945  *     }
946  *   ],
947  *   critical: true
948  * });
949  */
KJUR.asn1.x509.CertificatePolicies = function(params) {
    KJUR.asn1.x509.CertificatePolicies.superclass.constructor.call(this, params);
    var asn1 = KJUR.asn1;
    var Sequence = asn1.DERSequence;
    var PolicyInformation = asn1.x509.PolicyInformation;

    this.params = null;

    /**
     * Build the extension value: a SEQUENCE holding one PolicyInformation
     * per entry of this.params.array. The SEQUENCE object is kept in
     * this.asn1ExtnValue.
     * NOTE(review): this.params stays null when the constructor received no
     * parameters, in which case the property access below throws; an empty
     * array is encoded as an empty SEQUENCE although the ASN.1 definition
     * says SIZE (1..MAX).
     * @return result of the SEQUENCE's getEncodedHex()
     */
    this.getExtnValueHex = function() {
        var policies = [];
        var idx = 0;
        while (idx < this.params.array.length) {
            policies.push(new PolicyInformation(this.params.array[idx]));
            idx += 1;
        }
        this.asn1ExtnValue = new Sequence({array: policies});
        return this.asn1ExtnValue.getEncodedHex();
    };

    // extension OID used for certificatePolicies
    this.oid = "2.5.29.32";

    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.CertificatePolicies, KJUR.asn1.x509.Extension);
976 
977 // ===== BEGIN CertificatePolicies related classes =====
978 /**
979  * PolicyInformation ASN.1 structure class
980  * @name KJUR.asn1.x509.PolicyInformation
981  * @class PolicyInformation ASN.1 structure class
982  * @param {Array} params JSON object of parameters
983  * @extends KJUR.asn1.ASN1Object
984  * @since jsrsasign 8.0.23 asn1x509 1.1.12
985  * @see KJUR.asn1.x509.CertificatePolicies
986  * @see KJUR.asn1.x509.PolicyInformation
987  * @see KJUR.asn1.x509.PolicyQualifierInfo
988  * @see KJUR.asn1.x509.UserNotice
989  * @see KJUR.asn1.x509.NoticeReference
990  * @see KJUR.asn1.x509.DisplayText
991  * @description
992  * This class represents 
993  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
994  * PolicyInformation defined in RFC 5280 4.2.1.4</a>.
995  * <pre>
996  * PolicyInformation ::= SEQUENCE {
997  *      policyIdentifier   CertPolicyId,
998  *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
999  *                         PolicyQualifierInfo OPTIONAL }
1000  * CertPolicyId ::= OBJECT IDENTIFIER</pre>
1001  * Its constructor can have following parameters:
1002  * <ul>
1003  * <li>{String}policyoid - policy OID (ex. "1.2.3.4.5")</li>
1004  * <li>{Object}array - array of {@link KJUR.asn1.x509.PolicyQualifierInfo}
1005  * parameters (OPTIONAL)</li>
1006  * </ul>
1007  * @example
1008  * new KJUR.asn1.x509.PolicyInformation({
1009  *   policyoid: "1.2.3.4.5",
1010  *   array: [
1011  *     { cps: "https://example.com/repository" },
1012  *     { unotice: {
1013  *       noticeref: { // CA SHOULD NOT use this by RFC
1014  *         org: {type: "ia5", str: "Sample Org"},
1015  *         noticenum: [{int: 5}, {hex: "01af"}]
1016  *       },
1017  *       exptext: {type: "ia5", str: "Sample Policy"}
1018  *     }}
1019  *   ]
1020  * })
1021  */
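KJUR.asn1.x509.PolicyInformation = function(params) {
    KJUR.asn1.x509.PolicyInformation.superclass.constructor.call(this,
                                                                 params);
    var _KJUR_asn1 = KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _DERObjectIdentifier = _KJUR_asn1.DERObjectIdentifier,
        _PolicyQualifierInfo = _KJUR_asn1.x509.PolicyQualifierInfo;

    this.params = null;

    /**
     * Encode this PolicyInformation as a SEQUENCE of the policy OID and,
     * when this.params.array has at least one entry, a nested SEQUENCE of
     * PolicyQualifierInfo objects.
     * @return result of the outer SEQUENCE's getEncodedHex()
     * @throws {Error} when this.params.policyoid is missing. policyIdentifier
     * is not OPTIONAL in PolicyInformation, so a missing OID is rejected
     * here instead of being passed to DERObjectIdentifier as undefined.
     */
    this.getEncodedHex = function() {
        var p = this.params;
        if (p.policyoid === undefined) {
            // Keep the historical message for the "nothing given" case.
            if (p.array === undefined)
                throw new Error("parameter oid and array missing");
            throw new Error("parameter policyoid missing");
        }

        // policy oid
        var a = [new _DERObjectIdentifier(p.policyoid)];

        // array of ASN1Object of PolicyQualifierInfo; an empty array adds
        // nothing because policyQualifiers is SIZE (1..MAX) when present
        if (p.array !== undefined) {
            var aPQI = [];
            for (var i = 0; i < p.array.length; i++) {
                aPQI.push(new _PolicyQualifierInfo(p.array[i]));
            }
            if (aPQI.length > 0) {
                a.push(new _DERSequence({array: aPQI}));
            }
        }

        var seq = new _DERSequence({array: a});
        return seq.getEncodedHex();
    };

    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.PolicyInformation, KJUR.asn1.ASN1Object);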
1060 
1061 /**
1062  * PolicyQualifierInfo ASN.1 structure class
1063  * @name KJUR.asn1.x509.PolicyQualifierInfo
1064  * @class PolicyQualifierInfo ASN.1 structure class
1065  * @param {Array} params associative array of parameters
1066  * @extends KJUR.asn1.ASN1Object
1067  * @since jsrsasign 8.0.23 asn1x509 1.1.12
1068  * @description
1069  * This class represents 
1070  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
1071  * PolicyQualifierInfo defined in RFC 5280 4.2.1.4</a>.
1072  * <pre>
1073  * PolicyQualifierInfo ::= SEQUENCE {
1074  *      policyQualifierId  PolicyQualifierId,
1075  *      qualifier          ANY DEFINED BY policyQualifierId }
1076  * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
1077  * CPSuri ::= IA5String
1078  * </pre>
1079  * Its constructor can have one of following two parameters:
1080  * <ul>
1081  * <li>{String}cps - URI string for CPS</li>
1082  * <li>{Object}unotice - {@link KJUR.asn1.x509.UserNotice} parameter</li>
1083  * </ul>
1084  * @example
1085  * new PolicyQualifierInfo({
1086  *   cps: "https://example.com/repository/cps"
1087  * })
1088  *
1089  * new PolicyQualifierInfo({
1090  *   unotice: {
1091  *     noticeref: { // CA SHOULD NOT use this by RFC
1092  *       org: {type: "bmp", str: "Sample Org"},
1093  *       noticenum: [{int: 3}, {hex: "01af"}]
1094  *     },
1095  *     exptext: {type: "ia5", str: "Sample Policy"}
1096  *   }
1097  * })
1098  */
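KJUR.asn1.x509.PolicyQualifierInfo = function(params) {
    KJUR.asn1.x509.PolicyQualifierInfo.superclass.constructor.call(this,
                                                                   params);
    var _KJUR_asn1 = KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _DERIA5String = _KJUR_asn1.DERIA5String,
        _DERObjectIdentifier = _KJUR_asn1.DERObjectIdentifier,
        _UserNotice = _KJUR_asn1.x509.UserNotice;

    this.params = null;

    /**
     * Encode this PolicyQualifierInfo as SEQUENCE { qualifier OID, value }.
     * 'cps' takes precedence over 'unotice' when both are present.
     * <ul>
     * <li>cps - OID 1.3.6.1.5.5.7.2.1 followed by the URI as IA5String</li>
     * <li>unotice - OID 1.3.6.1.5.5.7.2.2 followed by a UserNotice</li>
     * </ul>
     * NOTE(review): no check of the CPS URI is visible here; it is passed
     * to DERIA5String as given.
     * @return result of the SEQUENCE's getEncodedHex()
     * @throws {Error} when neither 'cps' nor 'unotice' is given, so that a
     * qualifier without content is rejected instead of handing undefined
     * back to the enclosing encoder
     */
    this.getEncodedHex = function() {
        var seq;
        if (this.params.cps !== undefined) {
            seq = new _DERSequence({array: [
                new _DERObjectIdentifier({oid: '1.3.6.1.5.5.7.2.1'}),
                new _DERIA5String({str: this.params.cps})
            ]});
            return seq.getEncodedHex();
        }
        // loose compare kept on purpose: a null unotice counts as absent
        if (this.params.unotice != undefined) {
            seq = new _DERSequence({array: [
                new _DERObjectIdentifier({oid: '1.3.6.1.5.5.7.2.2'}),
                new _UserNotice(this.params.unotice)
            ]});
            return seq.getEncodedHex();
        }
        throw new Error("parameter cps or unotice missing");
    };

    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.PolicyQualifierInfo, KJUR.asn1.ASN1Object);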
1132 
1133 
1134 /**
1135  * UserNotice ASN.1 structure class
1136  * @name KJUR.asn1.x509.UserNotice
1137  * @class UserNotice ASN.1 structure class
1138  * @param {Array} params associative array of parameters
1139  * @extends KJUR.asn1.ASN1Object
1140  * @since jsrsasign 8.0.23 asn1x509 1.1.12
1141  * @description
1142  * This class represents 
1143  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
1144  * UserNotice defined in RFC 5280 4.2.1.4</a>.
1145  * <pre>
1146  * UserNotice ::= SEQUENCE {
1147  *      noticeRef        NoticeReference OPTIONAL,
1148  *      explicitText     DisplayText OPTIONAL }
1149  * </pre>
1150  * Its constructor can have following two parameters:
1151  * <ul>
1152  * <li>{Object}noticeref - {@link KJUR.asn1.x509.NoticeReference} parameter.
1153  * This SHALL NOT be set for conforming CA by RFC 5280. (OPTIONAL)</li>
1154  * <li>{Object}exptext - explicitText value
1155  * by {@link KJUR.asn1.x509.DisplayText} parameter (OPTIONAL)</li>
1156  * </ul>
1157  * @example
1158  * new UserNotice({
1159  *   noticeref: {
1160  *     org: {type: "bmp", str: "Sample Org"},
1161  *     noticenum: [{int: 3}, {hex: "01af"}]
1162  *   },
1163  *   exptext: {type: "ia5", str: "Sample Policy"}
1164  * })
1165  */
KJUR.asn1.x509.UserNotice = function(params) {
    KJUR.asn1.x509.UserNotice.superclass.constructor.call(this, params);
    var Sequence = KJUR.asn1.DERSequence;
    var x509 = KJUR.asn1.x509;
    var DisplayText = x509.DisplayText;
    var NoticeReference = x509.NoticeReference;

    this.params = null;

    /**
     * Encode this UserNotice as a SEQUENCE of the optional noticeRef
     * followed by the optional explicitText, in that order. With neither
     * member set the SEQUENCE is empty.
     * @return result of the SEQUENCE's getEncodedHex()
     */
    this.getEncodedHex = function() {
        var p = this.params;
        var members = [];
        if (p.noticeref !== undefined) {
            members.push(new NoticeReference(p.noticeref));
        }
        if (p.exptext !== undefined) {
            members.push(new DisplayText(p.exptext));
        }
        return new Sequence({array: members}).getEncodedHex();
    };

    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.UserNotice, KJUR.asn1.ASN1Object);
1192 
1193 /**
1194  * NoticeReference ASN.1 structure class
1195  * @name KJUR.asn1.x509.NoticeReference
1196  * @class NoticeReference ASN.1 structure class
1197  * @param {Array} params associative array of parameters
1198  * @extends KJUR.asn1.ASN1Object
1199  * @since jsrsasign 8.0.23 asn1x509 1.1.12
1200  * @description
1201  * This class represents 
1202  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
1203  * NoticeReference defined in RFC 5280 4.2.1.4</a>.
1204  * <pre>
1205  * NoticeReference ::= SEQUENCE {
1206  *      organization     DisplayText,
1207  *      noticeNumbers    SEQUENCE OF INTEGER }
1208  * </pre>
1209  * Its constructor can have following two parameters:
1210  * <ul>
1211  * <li>{Object}org - organization by {@link KJUR.asn1.x509.DisplayText}
1212  * parameter.</li>
1213  * <li>{Object}noticenum - noticeNumbers value by an array of
1214  * {@link KJUR.asn1.DERInteger} parameter</li>
1215  * </ul>
1216  * @example
1217  * new NoticeReference({
1218  *   org: {type: "bmp", str: "Sample Org"},
1219  *   noticenum: [{int: 3}, {hex: "01af"}]
1220  * })
1221  */
KJUR.asn1.x509.NoticeReference = function(params) {
    KJUR.asn1.x509.NoticeReference.superclass.constructor.call(this, params);
    var asn1 = KJUR.asn1;
    var Sequence = asn1.DERSequence;
    var Integer = asn1.DERInteger;
    var DisplayText = asn1.x509.DisplayText;

    this.params = null;

    /**
     * Encode this NoticeReference as a SEQUENCE of the organization
     * DisplayText (when 'org' is given) and a SEQUENCE of INTEGER built
     * from 'noticenum' (when given).
     * @return result of the outer SEQUENCE's getEncodedHex()
     * @throws {Error} when neither 'org' nor 'noticenum' is given
     */
    this.getEncodedHex = function() {
        var p = this.params;
        var members = [];

        if (p.org !== undefined) {
            members.push(new DisplayText(p.org));
        }

        if (p.noticenum !== undefined) {
            var numbers = [];
            var numParams = p.noticenum;
            for (var k = 0; k < numParams.length; k += 1) {
                numbers.push(new Integer(numParams[k]));
            }
            members.push(new Sequence({array: numbers}));
        }

        if (members.length === 0) {
            throw new Error("parameter is empty");
        }
        return new Sequence({array: members}).getEncodedHex();
    };

    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.NoticeReference, KJUR.asn1.ASN1Object);
1253 
1254 /**
1255  * DisplayText ASN.1 structure class
1256  * @name KJUR.asn1.x509.DisplayText
1257  * @class DisplayText ASN.1 structure class
1258  * @param {Array} params associative array of parameters
1259  * @extends KJUR.asn1.DERAbstractString
1260  * @since jsrsasign 8.0.23 asn1x509 1.1.12
1261  * @description
1262  * This class represents 
1263  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
1264  * DisplayText defined in RFC 5280 4.2.1.4</a>.
1265  * <pre>
1266  * -- from RFC 5280 Appendix A
1267  * DisplayText ::= CHOICE {
1268  *      ia5String        IA5String      (SIZE (1..200)),
1269  *      visibleString    VisibleString  (SIZE (1..200)),
1270  *      bmpString        BMPString      (SIZE (1..200)),
1271  *      utf8String       UTF8String     (SIZE (1..200)) }
1272  * </pre>
1273  * {@link KJUR.asn1.DERAbstractString} parameters and methods
1274  * can be used.
1275  * Its constructor can also have following parameter:
1276  * <ul>
1277  * <li>{String} type - DirectoryString type of DisplayText.
1278  * "ia5" for IA5String, "vis" for VisibleString,
1279  * "bmp" for BMPString and "utf8" for UTF8String.
1280  * Default is "utf8". (OPTIONAL)</li>
1281  * </ul>
1282  * @example
1283  * new DisplayText({type: "bmp", str: "Sample Org"})
1284  * new DisplayText({type: "ia5", str: "Sample Org"})
1285  * new DisplayText({str: "Sample Org"})
1286  */
KJUR.asn1.x509.DisplayText = function(params) {
    KJUR.asn1.x509.DisplayText.superclass.constructor.call(this, params);

    // Tag byte of the chosen string type; "0c" (the "utf8" default) is kept
    // for a missing or unrecognized params.type.
    // NOTE(review): the SIZE (1..200) bound of DisplayText is not checked
    // in this constructor.
    var tag = "0c";
    if (params !== undefined) {
        switch (params.type) {
        case "ia5":
            tag = "16";
            break;
        case "vis":
            tag = "1a";
            break;
        case "bmp":
            tag = "1e";
            break;
        }
    }
    this.hT = tag;
};
extendClass(KJUR.asn1.x509.DisplayText, KJUR.asn1.DERAbstractString);
1303 // ===== END CertificatePolicies related classes =====
1304 
1305 // =====================================================================
1306 /**
1307  * ExtKeyUsage ASN.1 structure class
1308  * @name KJUR.asn1.x509.ExtKeyUsage
1309  * @class ExtKeyUsage ASN.1 structure class
1310  * @param {Array} params associative array of parameters
1311  * @extends KJUR.asn1.x509.Extension
1312  * @description
1313  * @example
1314  * e1 = new KJUR.asn1.x509.ExtKeyUsage({
1315  *   critical: true,
1316  *   array: [
1317  *     {oid: '2.5.29.37.0'},  // anyExtendedKeyUsage
1318  *     {name: 'clientAuth'},
1319  *     "1.2.3.4",
1320  *     "serverAuth"
1321  *   ]
1322  * });
1323  * // id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
1324  * // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
1325  * // KeyPurposeId ::= OBJECT IDENTIFIER
1326  */
KJUR.asn1.x509.ExtKeyUsage = function(params) {
    KJUR.asn1.x509.ExtKeyUsage.superclass.constructor.call(this, params);
    var asn1 = KJUR.asn1;

    /**
     * Replace the extension value with a fresh SEQUENCE holding one
     * OBJECT IDENTIFIER per entry of purposeArray. Each entry is passed
     * unchanged to the DERObjectIdentifier constructor.
     * @param {Array} purposeArray key purpose parameters
     */
    this.setPurposeArray = function(purposeArray) {
        // Assigned before the loop so the property already points at the
        // new SEQUENCE while entries are appended.
        var seq = this.asn1ExtnValue = new asn1.DERSequence();
        for (var k = 0; k < purposeArray.length; k += 1) {
            seq.appendASN1Object(new asn1.DERObjectIdentifier(purposeArray[k]));
        }
    };

    /**
     * @return result of getEncodedHex() of the SEQUENCE built by
     * setPurposeArray; this.asn1ExtnValue must have been set before
     */
    this.getExtnValueHex = function() {
        return this.asn1ExtnValue.getEncodedHex();
    };

    // extension OID used for extKeyUsage
    this.oid = "2.5.29.37";

    if (params !== undefined && params.array !== undefined) {
        this.setPurposeArray(params.array);
    }
};
extendClass(KJUR.asn1.x509.ExtKeyUsage, KJUR.asn1.x509.Extension);
1352 
1353 /**
1354  * AuthorityKeyIdentifier ASN.1 structure class
1355  * @name KJUR.asn1.x509.AuthorityKeyIdentifier
1356  * @class AuthorityKeyIdentifier ASN.1 structure class
1357  * @param {Array} params associative array of parameters (ex. {kid: {hex: '89ab...'}, critical: true})
1358  * @extends KJUR.asn1.x509.Extension
1359  * @since asn1x509 1.0.8
1360  * @description
1361  * This class represents ASN.1 structure for <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.1">AuthorityKeyIdentifier in RFC 5280</a>.
1362  * Constructor of this class may have following parameters.: 
1363  * <ul>
1364  * <li>kid - When key object (RSA, KJUR.crypto.ECDSA/DSA) or PEM string of issuing authority public key or issuer certificate is specified, key identifier will be automatically calculated by the method specified in RFC 5280. When a hexadecimal string is specified, kid will be set explicitly by it.</li>
1365  * <li>isscert - When PEM string of authority certificate is specified, both authorityCertIssuer and authorityCertSerialNumber will be set by the certificate.</li>
1366  * <li>issuer - {@link KJUR.asn1.x509.X500Name} parameter to specify issuer name explicitly.</li>
1367  * <li>sn - hexadecimal string to specify serial number explicitly.</li>
1368  * <li>critical - boolean to specify criticality of this extension
1369  * however conforming CA must mark this extension as non-critical in RFC 5280.</li>
1370  * </ul>
1371  * 
1372  * <pre>
1373  * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
1374  * AuthorityKeyIdentifier ::= SEQUENCE {
1375  *    keyIdentifier             [0] KeyIdentifier           OPTIONAL,
1376  *    authorityCertIssuer       [1] GeneralNames            OPTIONAL,
1377  *    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
1378  * KeyIdentifier ::= OCTET STRING
1379  * </pre>
1380  *
1381  * @example
1382  * // 1. kid by key object
1383  * keyobj = KEYUTIL.getKey("-----BEGIN PUBLIC KEY...");
1384  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({kid: keyobj});
1385  * // 2. kid by PEM string of authority certificate or public key
1386  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({kid: "-----BEGIN..."});
1387  * // 3. specify kid explicitly
1388  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({kid: "8ab1d3..."});
1390  * // 4. issuer and serial number by authority PEM certificate
1391  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({isscert: "-----BEGIN..."});
1392  * // 5. issuer and serial number explicitly
1393  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({
1394  *   issuer: {ldapstr: "O=test,C=US"},
1395  *   sn: {hex: "1ac7..."}});
1396  * // 6. combination
1397  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({
1398  *   kid: "-----BEGIN CERTIFICATE...",
1399  *   isscert: "-----BEGIN CERTIFICATE..."});
1400  */
1401 KJUR.asn1.x509.AuthorityKeyIdentifier = function(params) {
1402     KJUR.asn1.x509.AuthorityKeyIdentifier.superclass.constructor.call(this, params);
1403     var _KJUR = KJUR,
1404 	_KJUR_asn1 = _KJUR.asn1,
1405 	_DERTaggedObject = _KJUR_asn1.DERTaggedObject,
1406 	_GeneralNames = _KJUR_asn1.x509.GeneralNames,
1407 	_isKey = _KJUR.crypto.Util.isKey;
1408 
1409     this.asn1KID = null;
1410     this.asn1CertIssuer = null; // X500Name hTLV
1411     this.asn1CertSN = null;
1412 
1413     this.getExtnValueHex = function() {
1414         var a = new Array();
1415         if (this.asn1KID)
1416             a.push(new _DERTaggedObject({'explicit': false,
1417                                          'tag': '80',
1418                                          'obj': this.asn1KID}));
1419 
1420         if (this.asn1CertIssuer)
1421             a.push(new _DERTaggedObject({'explicit': false,
1422                                          'tag': 'a1',
1423                                          'obj': new _GeneralNames([{dn: this.asn1CertIssuer}])}));
1424 
1425         if (this.asn1CertSN)
1426             a.push(new _DERTaggedObject({'explicit': false,
1427                                          'tag': '82',
1428                                          'obj': this.asn1CertSN}));
1429 
1430         var asn1Seq = new _KJUR_asn1.DERSequence({'array': a});
1431         this.asn1ExtnValue = asn1Seq;
1432         return this.asn1ExtnValue.getEncodedHex();
1433     };
1434 
1435     /**
1436      * set keyIdentifier value by DEROctetString parameter, key object or PEM file
1437      * @name setKIDByParam
1438      * @memberOf KJUR.asn1.x509.AuthorityKeyIdentifier#
1439      * @function
1440      * @param {Array} param parameter to set key identifier
1441      * @since asn1x509 1.0.8
1442      * @description
1443      * This method will set keyIdentifier by param.
1444      * Its key identifier value can be set by following type of param argument:
1445      * <ul>
1446      * <li>{str: "123"} - by raw string</li>
1447      * <li>{hex: "01af..."} - by hexadecimal value</li>
1448      * <li>RSAKey/DSA/ECDSA - by RSAKey, KJUR.crypto.{DSA/ECDSA} public key object.
1449      * key identifier value will be calculated by the method described in
1450      * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.2">RFC 5280 4.2.1.2 (1)</a>.
1451      * </li>
1452      * <li>certificate PEM string - extract subjectPublicKeyInfo from specified PEM
1453      * certificate and
1454      * key identifier value will be calculated by the method described in
1455      * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.2">RFC 5280 4.2.1.2 (1)</a>.
1456      * <li>PKCS#1/#8 public key PEM string - pem will be converted to a key object and
1457      * to PKCS#8 ASN.1 structure then calculate 
1458      * a key identifier value will be calculated by the method described in
1459      * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.2">RFC 5280 4.2.1.2 (1)</a>.
1460      * </ul>
1461      *
1462      * NOTE1: Automatic key identifier calculation is supported
1463      * since jsrsasign 8.0.16.
1464      *
1465      * @see KEYUTIL.getKeyID
1466      * 
1467      * @example
1468      * o = new KJUR.asn1.x509.AuthorityKeyIdentifier();
1469      * // set by hexadecimal string
1470      * o.setKIDByParam({hex: '1ad9...'});
1471      * // set by SubjectPublicKeyInfo of PEM certificate string
1472      * o.setKIDByParam("-----BEGIN CERTIFICATE...");
1473      * // set by PKCS#8 PEM public key string
1474      * o.setKIDByParam("-----BEGIN PUBLIC KEY...");
1475      * // set by public key object
1476      * pubkey = KEYUTIL.getKey("-----BEGIN CERTIFICATE...");
1477      * o.setKIDByParam(pubkey);
1478      */
1479     this.setKIDByParam = function(param) {
1480 	if (param.str !== undefined ||
1481 	    param.hex !== undefined) {
1482 	    this.asn1KID = new KJUR.asn1.DEROctetString(param);
1483 	} else if ((typeof param === "object" &&
1484 		    KJUR.crypto.Util.isKey(param)) ||
1485 		   (typeof param === "string" &&
1486 		    param.indexOf("BEGIN ") != -1)) {
1487 
1488 	    var keyobj = param;
1489 	    if (typeof param === "string") {
1490 		keyobj = KEYUTIL.getKey(param);
1491 	    }
1492 
1493 	    var kid = KEYUTIL.getKeyID(keyobj);
1494 	    this.asn1KID = new KJUR.asn1.DEROctetString({hex: kid});
1495 	}
1496     };
1497 
1498     /**
1499      * set authorityCertIssuer value by X500Name parameter
1500      * @name setCertIssuerByParam
1501      * @memberOf KJUR.asn1.x509.AuthorityKeyIdentifier#
1502      * @function
1503      * @param {Array} param parameter to set issuer name
1504      * @since asn1x509 1.0.8
1505      * @description
1506      * This method will set authorityCertIssuer name by param.
1507      * Issuer name can be set by following type of param argument:
1508      * <ul>
1509      * <li>str/ldapstr/hex/certsubject/certissuer - 
1510      * set issuer by {@link KJUR.asn1.x509.X500Name}
1511      * object with specified parameters.</li>
1512      * <li>PEM CERTIFICATE STRING - extract its subject name from 
1513      * specified issuer PEM certificate and set.
1514      * </ul>
1515      * NOTE1: Automatic authorityCertIssuer setting by certificate
1516      * is supported since jsrsasign 8.0.16.
1517      *
1518      * @see KJUR.asn1.x509.X500Name
1519      * @see KJUR.asn1.x509.GeneralNames
1520      * @see X509.getSubjectHex
1521      *
1522      * @example
1523      * var o = new KJUR.asn1.x509.AuthorityKeyIdentifier();
1524      * // 1. set it by string
1525      * o.setCertIssuerByParam({str: '/C=US/O=Test'});
1526      * // 2. set it by issuer PEM certificate
1527      * o.setCertIssuerByParam("-----BEGIN CERTIFICATE...");
1528      *
1529      */
1530     this.setCertIssuerByParam = function(param) {
1531 	if (param.str !== undefined ||
1532 	    param.ldapstr !== undefined ||
1533 	    param.hex !== undefined ||
1534 	    param.certsubject !== undefined ||
1535 	    param.certissuer !== undefined) {
1536             this.asn1CertIssuer = new KJUR.asn1.x509.X500Name(param);
1537 	} else if (typeof param === "string" &&
1538 		   param.indexOf("BEGIN ") != -1 &&
1539 		   param.indexOf("CERTIFICATE") != -1) {
1540             this.asn1CertIssuer = new KJUR.asn1.x509.X500Name({certissuer: param});
1541 	}
1542     };
1543 
1544     /**
1545      * set authorityCertSerialNumber value
1546      * @name setCertSerialNumberByParam
1547      * @memberOf KJUR.asn1.x509.AuthorityKeyIdentifier#
1548      * @function
1549      * @param {Object} param parameter to set serial number
1550      * @since asn1x509 1.0.8
1551      * @description
1552      * This method will set authorityCertSerialNumber by param.
1553      * Serial number can be set by following type of param argument:
1554      *
1555      * <ul>
1556      * <li>{int: 123} - by integer value</li>
1557      * <li>{hex: "01af"} - by hexadecimal integer value</li>
1558      * <li>{bigint: new BigInteger(...)} - by hexadecimal integer value</li>
1559      * <li>PEM CERTIFICATE STRING - extract serial number from issuer certificate and
1560      * set serial number.
1561      * 
1562      * NOTE1: Automatic authorityCertSerialNumber setting by certificate
1563      * is supported since jsrsasign 8.0.16.
1564      *
1565      * @see X509.getSerialNumberHex
1566      */
1567     this.setCertSNByParam = function(param) {
1568 	if (param.str !== undefined ||
1569 	    param.bigint !== undefined ||
1570 	    param.hex !== undefined) {
1571             this.asn1CertSN = new KJUR.asn1.DERInteger(param);
1572 	} else if (typeof param === "string" &&
1573 		   param.indexOf("BEGIN ") != -1 &&
1574 		   param.indexOf("CERTIFICATE")) {
1575 
1576             var x = new X509();
1577             x.readCertPEM(param);
1578 	    var sn = x.getSerialNumberHex();
1579 	    this.asn1CertSN = new KJUR.asn1.DERInteger({hex: sn});
1580 	}
1581     };
1582 
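    // Extension OID used for this class: 2.5.29.35.
    this.oid = "2.5.29.35";

    // Apply constructor parameters. kid, issuer and sn are applied first;
    // issuersn is applied last, so when it is a PEM certificate it replaces
    // the serial number and issuer set by sn/issuer.
    if (params !== undefined) {
        if (params.kid !== undefined) {
            this.setKIDByParam(params.kid);
        }
        if (params.issuer !== undefined) {
            this.setCertIssuerByParam(params.issuer);
        }
        if (params.sn !== undefined) {
            this.setCertSNByParam(params.sn);
        }

        // issuersn: the same PEM text is handed to both setters. Both markers
        // are compared against -1 because a bare indexOf() result is truthy
        // when the text is missing (-1) and falsy only at position 0.
        // The certificate's content is used as parsed; whether it is the
        // intended issuer is for the caller to establish.
        if (typeof params.issuersn === "string" &&
            params.issuersn.indexOf("BEGIN ") != -1 &&
            params.issuersn.indexOf("CERTIFICATE") != -1) {
            this.setCertSNByParam(params.issuersn);
            this.setCertIssuerByParam(params.issuersn);
        }
    }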
1603 };
// Make AuthorityKeyIdentifier inherit from Extension, the same registration
// used for the other extension classes in this file.
extendClass(KJUR.asn1.x509.AuthorityKeyIdentifier, KJUR.asn1.x509.Extension);
1605 
1606 /**
1607  * SubjectKeyIdentifier extension ASN.1 structure class
1608  * @name KJUR.asn1.x509.SubjectKeyIdentifier
1609  * @class SubjectKeyIdentifier ASN.1 structure class
1610  * @param {Array} params associative array of parameters (ex. {kid: {hex: '89ab...'}, critical: true})
1611  * @extends KJUR.asn1.x509.Extension
1612  * @since asn1x509 1.1.7 jsrsasign 8.0.14
1613  * @description
1614  * This class represents ASN.1 structure for 
1615  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.2">
1616  * SubjectKeyIdentifier in RFC 5280</a>.
1617  * Constructor of this class may have following parameters:
1618  * <ul>
1619  * <li>kid - When key object (RSA, KJUR.crypto.ECDSA/DSA) or PEM string of subject public key or certificate is specified, key identifier will be automatically calculated by the method specified in RFC 5280. When a hexadecimal string is specified, kid will be set explicitly by it.</li>
1620  * <li>critical - boolean to specify criticality of this extension
1621  * however conforming CA must mark this extension as non-critical in RFC 5280.</li>
1622  * </ul>
1623  * <pre>
1624  * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
1625  * SubjectKeyIdentifier ::= KeyIdentifier
1626  * KeyIdentifier ::= OCTET STRING
1627  * </pre>
1628  *
1629  * @example
1630  * // set by hexadecimal string
1631  * e = new KJUR.asn1.x509.SubjectKeyIdentifier({kid: {hex: '89ab'}});
1632  * // set by PEM public key or certificate string
1633  * e = new KJUR.asn1.x509.SubjectKeyIdentifier({kid: "-----BEGIN CERTIFICATE..."});
1634  * // set by public key object
1635  * pubkey = KEYUTIL.getKey("-----BEGIN CERTIFICATE...");
1636  * e = new KJUR.asn1.x509.SubjectKeyIdentifier({kid: pubkey});
1637  */
KJUR.asn1.x509.SubjectKeyIdentifier = function(params) {
    // SubjectKeyIdentifier extension (OID 2.5.29.14): the extension value is
    // a single OCTET STRING holding the key identifier.
    KJUR.asn1.x509.SubjectKeyIdentifier.superclass.constructor.call(this, params);

    var asn1 = KJUR.asn1,
        OctetString = asn1.DEROctetString;

    // DEROctetString carrying the key identifier; stays null until
    // setKIDByParam recognises its argument.
    this.asn1KID = null;

    // Returns the hex encoding of the extension value.
    // With no key identifier set (asn1KID still null) the property read on
    // null fails with a TypeError.
    this.getExtnValueHex = function() {
        var kidOctets = this.asn1KID;
        this.asn1ExtnValue = kidOctets;
        return kidOctets.getEncodedHex();
    };

    /**
     * set keyIdentifier value by DEROctetString parameter, key object or PEM text
     * @name setKIDByParam
     * @memberOf KJUR.asn1.x509.SubjectKeyIdentifier#
     * @function
     * @param {Object} param {@link KJUR.asn1.DEROctetString} parameter, key object or PEM string
     * @since asn1x509 1.1.7 jsrsasign 8.0.14
     * @description
     * <ul>
     * <li>{str: "123"} - by raw string</li>
     * <li>{hex: "01af..."} - by hexadecimal value</li>
     * <li>RSAKey/DSA/ECDSA - by RSAKey, KJUR.crypto.{DSA/ECDSA} public key object.
     * The key identifier is calculated by the method described in
     * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.2">RFC 5280 4.2.1.2 (1)</a>.
     * </li>
     * <li>certificate PEM string - subjectPublicKeyInfo is extracted from the
     * PEM certificate and the key identifier is calculated by the method described in
     * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.2">RFC 5280 4.2.1.2 (1)</a>.
     * </li>
     * <li>PKCS#1/#8 public key PEM string - the PEM is converted to a key object and
     * to PKCS#8 ASN.1 structure, then the key identifier is calculated by the
     * method described in
     * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.2">RFC 5280 4.2.1.2 (1)</a>.
     * </li>
     * </ul>
     *
     * A parameter matching none of these forms is ignored without an error
     * and the key identifier is left as it was.
     *
     * NOTE1: Automatic key identifier calculation is supported
     * since jsrsasign 8.0.16.
     *
     * @see KEYUTIL.getKeyID
     *
     * @example
     * o = new KJUR.asn1.x509.SubjectKeyIdentifier();
     * // set by hexadecimal string
     * o.setKIDByParam({hex: '1ad9...'});
     * // set by SubjectPublicKeyInfo of PEM certificate string
     * o.setKIDByParam("-----BEGIN CERTIFICATE...");
     * // set by PKCS#8 PEM public key string
     * o.setKIDByParam("-----BEGIN PUBLIC KEY...");
     * // set by public key object
     * pubkey = KEYUTIL.getKey("-----BEGIN CERTIFICATE...");
     * o.setKIDByParam(pubkey);
     */
    this.setKIDByParam = function(param) {
        // Explicit identifier: the parameter goes straight to DEROctetString.
        if (param.str !== undefined || param.hex !== undefined) {
            this.asn1KID = new OctetString(param);
            return;
        }

        // Any string containing "BEGIN" is treated as PEM and handed to
        // KEYUTIL.getKey; the PEM type is not narrowed here.
        var isPemText = typeof param === "string" && param.indexOf("BEGIN") != -1;
        var isKeyObject = typeof param === "object" && KJUR.crypto.Util.isKey(param);
        if (!isPemText && !isKeyObject) {
            return;
        }

        var keyObject = isPemText ? KEYUTIL.getKey(param) : param;
        var kidHex = KEYUTIL.getKeyID(keyObject);
        this.asn1KID = new KJUR.asn1.DEROctetString({hex: kidHex});
    };

    this.oid = "2.5.29.14";
    if (params !== undefined && params.kid !== undefined) {
        this.setKIDByParam(params.kid);
    }
};
// Register SubjectKeyIdentifier as a subclass of Extension.
extendClass(KJUR.asn1.x509.SubjectKeyIdentifier, KJUR.asn1.x509.Extension);
1720 
1721 /**
1722  * AuthorityInfoAccess ASN.1 structure class
1723  * @name KJUR.asn1.x509.AuthorityInfoAccess
1724  * @class AuthorityInfoAccess ASN.1 structure class
1725  * @param {Array} params JSON object of AuthorityInfoAccess parameters
1726  * @extends KJUR.asn1.x509.Extension
1727  * @since asn1x509 1.0.8
1728  * @see {@link X509#getExtAuthorityInfoAccess}
1729  * @description
1730  * This class represents 
1731  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">
1732  * AuthorityInfoAccess extension defined in RFC 5280 4.2.2.1</a>.
1733  * <pre>
1734  * id-pe OBJECT IDENTIFIER  ::=  { id-pkix 1 }
1735  * id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
1736  * AuthorityInfoAccessSyntax  ::=
1737  *         SEQUENCE SIZE (1..MAX) OF AccessDescription
1738  * AccessDescription  ::=  SEQUENCE {
1739  *         accessMethod          OBJECT IDENTIFIER,
1740  *         accessLocation        GeneralName  }
1741  * id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
1742  * id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
1743  * id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
1744  * </pre>
1745  * NOTE: Acceptable parameters have been changed
1746  * since jsrsasign 9.0.0 asn1x509 2.0.0.
1747  * Parameter generated by {@link X509#getAuthorityInfoAccess}
1748  * can be accepted as an argument of this constructor.
1749  * @example
1750  * e1 = new KJUR.asn1.x509.AuthorityInfoAccess({
1751  *   array: [
1752  *     {ocsp: 'http://ocsp.example.org'},
1753  *     {caissuer: 'https://repository.example.org/aaa.crt'}
1754  *   ]
1755  * });
1756  */
KJUR.asn1.x509.AuthorityInfoAccess = function(params) {
    // AuthorityInfoAccess extension (OID 1.3.6.1.5.5.7.1.1): a SEQUENCE of
    // AccessDescription entries, each an access method OID plus a URI.
    KJUR.asn1.x509.AuthorityInfoAccess.superclass.constructor.call(this, params);

    // Builds the extension value from an array of {ocsp: uri} or
    // {caissuer: uri} entries and stores it in this.asn1ExtnValue.
    // An entry with neither key raises an Error. When both keys are present
    // only "ocsp" is used. The URIs are passed to GeneralName as given; no
    // scheme or host checks are made in this method.
    this.setAccessDescriptionArray = function(aParam) {
        var asn1 = KJUR.asn1,
            Sequence = asn1.DERSequence,
            ObjectIdentifier = asn1.DERObjectIdentifier,
            GeneralName = asn1.x509.GeneralName,
            descriptions = [];

        // One AccessDescription: SEQUENCE { accessMethod, accessLocation }.
        function accessDescription(methodOid, uri) {
            return new Sequence({array: [
                new ObjectIdentifier({oid: methodOid}),
                new GeneralName({uri: uri})
            ]});
        }

        for (var i = 0; i < aParam.length; i++) {
            var entry = aParam[i];

            if (entry.ocsp !== undefined) {
                // id-ad-ocsp
                descriptions.push(accessDescription("1.3.6.1.5.5.7.48.1", entry.ocsp));
            } else if (entry.caissuer !== undefined) {
                // id-ad-caIssuers
                descriptions.push(accessDescription("1.3.6.1.5.5.7.48.2", entry.caissuer));
            } else {
                throw new Error("unknown AccessMethod parameter: " +
                                JSON.stringify(entry));
            }
        }

        // NOTE(review): an empty input array yields an empty SEQUENCE, while
        // the syntax quoted in the class documentation is SIZE (1..MAX).
        this.asn1ExtnValue = new Sequence({'array': descriptions});
    };

    // Returns the hex encoding of the extension value; requires that
    // setAccessDescriptionArray has run (directly or via params.array).
    this.getExtnValueHex = function() {
        var extnValue = this.asn1ExtnValue;
        return extnValue.getEncodedHex();
    };

    this.oid = "1.3.6.1.5.5.7.1.1";
    if (params !== undefined && params.array !== undefined) {
        this.setAccessDescriptionArray(params.array);
    }
};
// Register AuthorityInfoAccess as a subclass of Extension.
extendClass(KJUR.asn1.x509.AuthorityInfoAccess, KJUR.asn1.x509.Extension);
1803 
1804 /**
1805  * SubjectAltName ASN.1 structure class<br/>
1806  * @name KJUR.asn1.x509.SubjectAltName
1807  * @class SubjectAltName ASN.1 structure class
1808  * @param {Array} params associative array of parameters
1809  * @extends KJUR.asn1.x509.Extension
1810  * @since jsrsasign 6.2.3 asn1x509 1.0.19
1811  * @see KJUR.asn1.x509.GeneralNames
1812  * @see KJUR.asn1.x509.GeneralName
1813  * @description
1814  * This class provides X.509v3 SubjectAltName extension.
1815  * <pre>
1816  * id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
1817  * SubjectAltName ::= GeneralNames
1818  * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
1819  * GeneralName ::= CHOICE {
1820  *   otherName                  [0] OtherName,
1821  *   rfc822Name                 [1] IA5String,
1822  *   dNSName                    [2] IA5String,
1823  *   x400Address                [3] ORAddress,
1824  *   directoryName              [4] Name,
1825  *   ediPartyName               [5] EDIPartyName,
1826  *   uniformResourceIdentifier  [6] IA5String,
1827  *   iPAddress                  [7] OCTET STRING,
1828  *   registeredID               [8] OBJECT IDENTIFIER }
1829  * </pre>
1830  * @example
1831  * e1 = new KJUR.asn1.x509.SubjectAltName({
1832  *   critical: true,
1833  *   array: [{uri: 'http://aaa.com/'}, {uri: 'http://bbb.com/'}]
1834  * });
1835  */
KJUR.asn1.x509.SubjectAltName = function(params) {
    // SubjectAltName extension (OID 2.5.29.17); the value is a GeneralNames
    // structure built from params.array.
    KJUR.asn1.x509.SubjectAltName.superclass.constructor.call(this, params);

    // Replaces the extension value with GeneralNames built from paramsArray.
    // The names are encoded as supplied; nothing in this class validates them.
    this.setNameArray = function(paramsArray) {
        var generalNames = new KJUR.asn1.x509.GeneralNames(paramsArray);
        this.asn1ExtnValue = generalNames;
    };

    // Returns the hex encoding of the extension value; requires that
    // setNameArray has run (directly or via params.array).
    this.getExtnValueHex = function() {
        var extnValue = this.asn1ExtnValue;
        return extnValue.getEncodedHex();
    };

    this.oid = "2.5.29.17";
    if (params !== undefined && params.array !== undefined) {
        this.setNameArray(params.array);
    }
};
// Register SubjectAltName as a subclass of Extension.
extendClass(KJUR.asn1.x509.SubjectAltName, KJUR.asn1.x509.Extension);
1855 
1856 /**
1857  * IssuerAltName ASN.1 structure class<br/>
1858  * @name KJUR.asn1.x509.IssuerAltName
1859  * @class IssuerAltName ASN.1 structure class
1860  * @param {Array} params associative array of parameters
1861  * @extends KJUR.asn1.x509.Extension
1862  * @since jsrsasign 6.2.3 asn1x509 1.0.19
1863  * @see KJUR.asn1.x509.GeneralNames
1864  * @see KJUR.asn1.x509.GeneralName
1865  * @description
1866  * This class provides X.509v3 IssuerAltName extension.
1867  * <pre>
1868  * id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }
1869  * IssuerAltName ::= GeneralNames
1870  * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
1871  * GeneralName ::= CHOICE {
1872  *   otherName                  [0] OtherName,
1873  *   rfc822Name                 [1] IA5String,
1874  *   dNSName                    [2] IA5String,
1875  *   x400Address                [3] ORAddress,
1876  *   directoryName              [4] Name,
1877  *   ediPartyName               [5] EDIPartyName,
1878  *   uniformResourceIdentifier  [6] IA5String,
1879  *   iPAddress                  [7] OCTET STRING,
1880  *   registeredID               [8] OBJECT IDENTIFIER }
1881  * </pre>
1882  * @example
1883  * e1 = new KJUR.asn1.x509.IssuerAltName({
1884  *   critical: true,
1885  *   array: [{uri: 'http://aaa.com/'}, {uri: 'http://bbb.com/'}]
1886  * });
1887  */
KJUR.asn1.x509.IssuerAltName = function(params) {
    // IssuerAltName extension (OID 2.5.29.18); the value is a GeneralNames
    // structure built from params.array.
    KJUR.asn1.x509.IssuerAltName.superclass.constructor.call(this, params);

    // Replaces the extension value with GeneralNames built from paramsArray.
    // The names are encoded as supplied; nothing in this class validates them.
    this.setNameArray = function(paramsArray) {
        var generalNames = new KJUR.asn1.x509.GeneralNames(paramsArray);
        this.asn1ExtnValue = generalNames;
    };

    // Returns the hex encoding of the extension value; requires that
    // setNameArray has run (directly or via params.array).
    this.getExtnValueHex = function() {
        var extnValue = this.asn1ExtnValue;
        return extnValue.getEncodedHex();
    };

    this.oid = "2.5.29.18";
    if (params !== undefined && params.array !== undefined) {
        this.setNameArray(params.array);
    }
};
// Register IssuerAltName as a subclass of Extension.
extendClass(KJUR.asn1.x509.IssuerAltName, KJUR.asn1.x509.Extension);
1907 
1908 /**
1909  * SubjectDirectoryAttributes ASN.1 structure class<br/>
1910  * @name KJUR.asn1.x509.SubjectDirectoryAttributes
1911  * @class SubjectDirectoryAttributes ASN.1 structure class
1912  * @param {Array} params associative array of parameters
1913  * @extends KJUR.asn1.x509.Extension
1914  * @since jsrsasign 10.1.9 asn1x509 2.1.7
1915  * @description
1916  * This class provides X.509v3 SubjectDirectoryAttributes extension
1917  * defined in <a href="https://tools.ietf.org/html/rfc3739#section-3.3.2">
1918  * RFC 3739 Qualified Certificate Profile section 3.3.2</a>.
1919  * <pre>
1920  * SubjectDirectoryAttributes ::= Attributes
1921  * Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
1922  * Attribute ::= SEQUENCE {
1923  *   type AttributeType 
1924  *   values SET OF AttributeValue }
1925  * AttributeType ::= OBJECT IDENTIFIER
1926  * AttributeValue ::= ANY DEFINED BY AttributeType
1927  * </pre>
1928  * @example
1929  * e1 = new KJUR.asn1.x509.SubjectDirectoryAttributes({
1930  *   extname: "subjectDirectoryAttributes",
1931  *   array: [
1932  *     { attr: "dateOfBirth", str: "19701231230000Z" },
1933  *     { attr: "placeOfBirth", str: "Tokyo" },
1934  *     { attr: "gender", str: "F" },
1935  *     { attr: "countryOfCitizenship", str: "JP" },
1936  *     { attr: "countryOfResidence", str: "JP" }
1937  *   ]
1938  * });
1939  */
KJUR.asn1.x509.SubjectDirectoryAttributes = function(params) {
    // SubjectDirectoryAttributes extension (OID 2.5.29.9): a SEQUENCE of
    // Attribute { type OID, values SET }, one per entry of params.array.
    KJUR.asn1.x509.SubjectDirectoryAttributes.superclass.constructor.call(this, params);

    var asn1 = KJUR.asn1,
        Sequence = asn1.DERSequence,
        newObject = asn1.ASN1Util.newObject,
        name2oid = asn1.x509.OID.name2oid,
        hasOwn = Object.prototype.hasOwnProperty;

    // Supported attribute name -> newObject key used for its single value.
    // Own-property lookup only, so inherited names such as "constructor"
    // are rejected like any other unsupported attribute.
    var valueKeyByAttr = {
        "dateOfBirth": "gentime",
        "placeOfBirth": "utf8str",
        "gender": "prnstr",
        "countryOfCitizenship": "prnstr",
        "countryOfResidence": "prnstr"
    };

    // Constructor parameters; read lazily by getExtnValueHex.
    this.params = null;

    // Encodes every entry of this.params.array and returns the hex of the
    // resulting SEQUENCE, also stored in this.asn1ExtnValue.
    // Raises Error("unsupported attribute: ...") for a name outside the
    // table above. Attribute values (pAttr.str) are encoded as given.
    this.getExtnValueHex = function() {
        var attrList = this.params.array,
            encodedAttrs = [];

        for (var i = 0; i < attrList.length; i++) {
            var pAttr = attrList[i];

            if (!hasOwn.call(valueKeyByAttr, pAttr.attr)) {
                throw new Error("unsupported attribute: " + pAttr.attr);
            }

            var value = {};
            value[valueKeyByAttr[pAttr.attr]] = pAttr.str;

            encodedAttrs.push(new newObject({
                "seq": [
                    {"oid": name2oid(pAttr.attr)},
                    {"set": [value]}
                ]
            }));
        }

        this.asn1ExtnValue = new Sequence({array: encodedAttrs});
        return this.asn1ExtnValue.getEncodedHex();
    };

    this.oid = "2.5.29.9";
    if (params !== undefined) {
        this.params = params;
    }
};
// Register SubjectDirectoryAttributes as a subclass of Extension.
extendClass(KJUR.asn1.x509.SubjectDirectoryAttributes, KJUR.asn1.x509.Extension);
1992 
1993 
1994 /**
1995  * private extension ASN.1 structure class<br/>
1996  * @name KJUR.asn1.x509.PrivateExtension
1997  * @class private extension ASN.1 structure class
1998  * @param {Array} params JSON object of private extension
1999  * @extends KJUR.asn1.x509.Extension
2000  * @since jsrsasign 9.1.1 asn1x509 
2001  * @see KJUR.asn1.ASN1Util.newObject
2002  *
2003  * @description
2004  * This class is to represent private extension or 
2005  * unsupported extension. 
2006  * <pre>
2007  * Extension  ::=  SEQUENCE  {
2008  *      extnID      OBJECT IDENTIFIER,
2009  *      critical    BOOLEAN DEFAULT FALSE,
2010  *      extnValue   OCTET STRING }
2011  * </pre>
2012  * Following properties can be set for JSON parameter:
2013  * <ul>
2014  * <li>{String}extname - string of OID or predefined extension name</li>
2015  * <li>{Boolean}critical - critical flag</li>
2016  * <li>{Object}extn - hexadecimal string or
2017  * {@link KJUR.asn1.ASN1Util.newObject}
2018  * JSON parameter for extnValue field</li>
2020  * </ul>
2021  *
2022  * @example
2023  * // extn by hexadecimal
2024  * new KJUR.asn1.x509.PrivateExtension({
2025  *   extname: "1.2.3.4",
2026  *   critical: true,
2027  *   extn: "13026161" // means PrintableString "aa"
2028  * });
2029  *
2030  * // extn by JSON parameter
2031  * new KJUR.asn1.x509.PrivateExtension({
2032  *   extname: "1.2.3.5",
2033  *   extn: {seq: [{prnstr:"abc"},{utf8str:"def"}]}
2034  * });
2035  */
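KJUR.asn1.x509.PrivateExtension = function(params) {
    // Private or otherwise unsupported extension: the caller names the
    // extension (OID or predefined name) and supplies the extnValue content
    // either as hex or as an ASN1Util.newObject JSON parameter.
    KJUR.asn1.x509.PrivateExtension.superclass.constructor.call(this, params);

    var _KJUR = KJUR,
        _isHex = _KJUR.lang.String.isHex,
        _KJUR_asn1 = _KJUR.asn1,
        _name2oid = _KJUR_asn1.x509.OID.name2oid,
        _newObject = _KJUR_asn1.ASN1Util.newObject;

    // Parameters given to setByParam; null until then.
    this.params = null;

    // Stores the parameters and resolves params.extname to this.oid.
    this.setByParam = function(params) {
        this.oid = _name2oid(params.extname);
        this.params = params;
    };

    // Returns the hex encoding of the extension value.
    // Raises Error when extname or extn is missing (including an instance
    // that was never given parameters) or when extn is neither a hex string
    // nor an object that newObject can encode.
    this.getExtnValueHex = function() {
        var p = this.params;

        // An instance built without parameters still has params === null;
        // report it as a missing parameter rather than failing on the
        // property read below.
        if (p == undefined ||
            p.extname == undefined ||
            p.extn == undefined) {
            throw new Error("extname or extnhex not specified");
        }

        var extn = p.extn;

        // Hex input is returned verbatim. Only the character set is checked
        // (_isHex); whether the bytes form well-formed DER is not verified
        // here, so callers passing hex from outside should validate it first.
        if (typeof extn == "string" && _isHex(extn)) {
            return extn;
        }

        if (typeof extn == "object") {
            try {
                return _newObject(extn).getEncodedHex();
            } catch (ex) {
                // Deliberately falls through to the generic error below; the
                // underlying encoder error is not reported to the caller.
            }
        }
        throw new Error("unsupported extn value");
    };

    if (params != undefined) {
        this.setByParam(params);
    }
};
// Register PrivateExtension as a subclass of Extension.
extendClass(KJUR.asn1.x509.PrivateExtension, KJUR.asn1.x509.Extension);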
2074 
2075 // === END   X.509v3 Extensions Related =======================================
2076 
2077 // === BEGIN CRL Related ===================================================
2078 /**
2079  * X.509 CRL class to sign and generate hex encoded CRL<br/>
2080  * @name KJUR.asn1.x509.CRL
2081  * @class X.509 CRL class to sign and generate hex encoded CRL
2082  * @property {Array} params JSON object of parameters
2083  * @param {Array} params JSON object of CRL parameters
2084  * @extends KJUR.asn1.ASN1Object
2085  * @since 1.0.3
2086  * @see KJUR.asn1.x509.TBSCertList
2087  * 
2088  * @description
2089  * This class represents CertificateList ASN.1 structure of X.509 CRL
2090  * defined in <a href="https://tools.ietf.org/html/rfc5280#section-5.1">
2091  * RFC 5280 5.1</a>
2092  * <pre>
2093  * CertificateList  ::=  SEQUENCE  {
2094  *     tbsCertList          TBSCertList,
2095  *     signatureAlgorithm   AlgorithmIdentifier,
2096  *     signatureValue       BIT STRING  }
2097  * </pre>
2098  * NOTE: CRL class is updated without backward 
2099  * compatibility from jsrsasign 9.1.0 asn1x509 2.1.0.
2100  * Most of methods are removed and parameters can be set
2101  * by JSON object.
2102  * <br/>
2103  * Constructor of this class can accept all
2104  * parameters of {@link KJUR.asn1.x509.TBSCertList}.
2105  * It also accepts the following additional parameters:
2106  * <ul>
2107  * <li>{TBSCertList}tbsobj (OPTION) - 
2108  * specifies {@link KJUR.asn1.x509.TBSCertList} 
2109  * object to be signed if needed. 
2110  * When this isn't specified,
2111  * this will be set from other parameters of TBSCertList.</li>
2112  * <li>{Object}cakey (OPTION) - specifies CRL signing private key.
2113  * Parameter "cakey" or "sighex" shall be specified. Following
2114  * values can be specified:
2115  *   <ul>
2116  *   <li>PKCS#1/5 or PKCS#8 PEM string of private key</li>
2117  *   <li>RSAKey/DSA/ECDSA key object. {@link KEYUTIL.getKey} is useful
2118  *   to generate a key object.</li>
2119  *   </ul>
2120  * </li>
2121  * <li>{String}sighex (OPTION) - hexadecimal string of signature value
2122  * (i.e. ASN.1 value(V) of signatureValue BIT STRING without
2123  * unused bits)</li>
2124  * </ul>
2125  *
2126  * @example
2127  * var crl = new KJUR.asn1.x509.CRL({
2128  *  sigalg: "SHA256withRSA",
2129  *  issuer: {str:'/C=JP/O=Test1'},
2130  *  thisupdate: "200821235959Z",
2131  *  nextupdate: "200828235959Z", // OPTION
2132  *  revcert: [{sn: {hex: "12ab"}, date: "200401235959Z"}],
2133  *  ext: [
2134  *   {extname: "cRLNumber", num: {'int': 8}},
2135  *   {extname: "authorityKeyIdentifier", "kid": {hex: "12ab"}}
2136  *  ],
2137  *  cakey: prvkey
2138  * });
2139  * crl.getEncodedHex() → "30..."
2140  * crl.getPEM() → "-----BEGIN X509 CRL..."
2141  */
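KJUR.asn1.x509.CRL = function(params) {
    // CertificateList: SEQUENCE { tbsCertList, signatureAlgorithm,
    // signatureValue }. All state lives in this.params, which also holds the
    // signing key (cakey) when one is supplied, so the params object should
    // be treated as sensitive for as long as it carries a private key.
    KJUR.asn1.x509.CRL.superclass.constructor.call(this);
    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _DERBitString = _KJUR_asn1.DERBitString,
        _KJUR_asn1_x509 = _KJUR_asn1.x509,
        _AlgorithmIdentifier = _KJUR_asn1_x509.AlgorithmIdentifier,
        _TBSCertList = _KJUR_asn1_x509.TBSCertList;

    this.params = undefined;

    // Replaces the parameter object; the object is kept by reference and is
    // modified by sign() and getEncodedHex() (sighex, tbsobj).
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * sign CRL<br/>
     * @name sign
     * @memberOf KJUR.asn1.x509.CRL#
     * @function
     * @description
     * This method signs the TBSCertList with the private key and algorithm
     * given by this.params.cakey and this.params.sigalg, and stores the
     * signature in this.params.sighex.
     * When this.params.tbsobj is set, that object is the one signed, so the
     * signature covers the same TBSCertList that getEncodedHex() embeds;
     * otherwise a TBSCertList is built from this.params.
     * @example
     * crl = new KJUR.asn1.x509.CRL({..., cakey:prvkey});
     * crl.sign()
     */
    this.sign = function() {
        var p = this.params;

        // Sign what will be emitted: getEncodedHex() writes p.tbsobj into the
        // CRL, so signing a separately built TBSCertList would leave a
        // caller-supplied tbsobj with a signature over different bytes.
        var tbs = (p.tbsobj != undefined) ? p.tbsobj : new _TBSCertList(p);
        var hTBSCL = tbs.getEncodedHex();

        var sig = new KJUR.crypto.Signature({alg: p.sigalg});
        sig.init(p.cakey);
        sig.updateHex(hTBSCL);
        p.sighex = sig.sign();
    };

    /**
     * get PEM formatted CRL string after signed<br/>
     * @name getPEM
     * @memberOf KJUR.asn1.x509.CRL#
     * @function
     * @return PEM formatted string of CRL
     * @since jsrsasign 9.1.0 asn1hex 2.1.0
     * @description
     * This method returns a string of PEM formatted
     * CRL.
     * @example
     * crl = new KJUR.asn1.x509.CRL({...});
     * crl.getPEM() →
     * "-----BEGIN X509 CRL-----\r\n..."
     */
    this.getPEM = function() {
        return hextopem(this.getEncodedHex(), "X509 CRL");
    };

    // Returns the hex encoding of the whole CertificateList.
    // Signs first when no sighex is present and a cakey is; raises Error
    // when neither is available.
    this.getEncodedHex = function() {
        var params = this.params;

        // Built once and cached on params; later changes to the other
        // parameters are not reflected unless tbsobj is cleared.
        if (params.tbsobj == undefined) {
            params.tbsobj = new _TBSCertList(params);
        }

        if (params.sighex == undefined && params.cakey != undefined) {
            this.sign();
        }

        if (params.sighex == undefined) {
            throw new Error("sighex or cakey parameter not defined");
        }

        // A caller-supplied sighex is embedded as given; it is not verified
        // against tbsobj here. Likewise the outer AlgorithmIdentifier comes
        // from params.sigalg and is not compared with a supplied tbsobj.
        var seq = new _DERSequence({array: [
            params.tbsobj,
            new _AlgorithmIdentifier({name: params.sigalg}),
            // leading "00": BIT STRING with zero unused bits
            new _DERBitString({hex: "00" + params.sighex})
        ]});
        return seq.getEncodedHex();
    };

    if (params != undefined) this.params = params;
};
// Register CRL as a subclass of ASN1Object.
extendClass(KJUR.asn1.x509.CRL, KJUR.asn1.ASN1Object);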
2225 
2226 /**
2227  * ASN.1 TBSCertList ASN.1 structure class for CRL<br/>
2228  * @name KJUR.asn1.x509.TBSCertList
2229  * @class TBSCertList ASN.1 structure class for CRL
2230  * @property {Array} params JSON object of parameters
2231  * @param {Array} params JSON object of TBSCertList parameters
2232  * @extends KJUR.asn1.ASN1Object
2233  * @since 1.0.3
2234  *
2235  * @description
2236  * This class represents TBSCertList of CRL defined in
2237  * <a href="https://tools.ietf.org/html/rfc5280#section-5.1">
2238  * RFC 5280 5.1</a>.
2239  * <pre>
2240  * TBSCertList  ::=  SEQUENCE  {
2241  *       version                 Version OPTIONAL,
2242  *                                    -- if present, MUST be v2
2243  *       signature               AlgorithmIdentifier,
2244  *       issuer                  Name,
2245  *       thisUpdate              Time,
2246  *       nextUpdate              Time OPTIONAL,
2247  *       revokedCertificates     SEQUENCE OF SEQUENCE  {
2248  *            userCertificate         CertificateSerialNumber,
2249  *            revocationDate          Time,
2250  *            crlEntryExtensions      Extensions OPTIONAL
2251  *                                     -- if present, version MUST be v2
2252  *                                 }  OPTIONAL,
2253  *       crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
2254  * }
2255  * </pre>
2256  * NOTE: TBSCertList class is updated without backward 
2257  * compatibility from jsrsasign 9.1.0 asn1x509 2.1.0.
2258  * Most of methods are removed and parameters can be set
2259  * by JSON object.
2260  * <br/>
2261  * Constructor of this class may have following parameters:
2262  * <ul>
2263  * <li>{Integer}version (OPTION) - version number. Omitted by default.</li>
2264  * <li>{String}sigalg - signature algorithm name</li>
2265  * <li>{Array}issuer - issuer parameter of {@link KJUR.asn1.x509.X500Name}</li>
2266  * <li>{String}thisupdate - thisUpdate field value</li>
2267  * <li>{String}nextupdate (OPTION) - nextUpdate field value</li>
2268  * <li>{Array}revcert (OPTION) - revokedCertificates field value as array
2269  *   Its element may have following property:
2270  *   <ul>
2271  *   <li>{Array}sn - serialNumber of userCertificate field specified
2272  *   by {@link KJUR.asn1.DERInteger}</li>
2273  *   <li>{String}date - revocationDate field specified by
2274  *   a string of {@link KJUR.asn1.x509.Time} parameter</li>
2275  *   <li>{Array}ext (OPTION) - array of CRL entry extension parameter</li>
2276  *   </ul>
2277  * </li>
2278  * </ul>
2279  * 
2280  * @example
2281  * var o = new KJUR.asn1.x509.TBSCertList({
2282  *  sigalg: "SHA256withRSA",
2283  *  issuer: {array: [[{type:'C',value:'JP',ds:'prn'}],
2284  *                   [{type:'O',value:'T1',ds:'prn'}]]},
2285  *  thisupdate: "200821235959Z",
2286  *  nextupdate: "200828235959Z", // OPTION
2287  *  revcert: [
2288  *   {sn: {hex: "12ab"}, date: "200401235959Z", ext: [{extname: "cRLReason", code:1}]},
2289  *   {sn: {hex: "12bc"}, date: "200405235959Z", ext: [{extname: "cRLReason", code:2}]}
2290  *  ],
2291  *  ext: [
2292  *   {extname: "cRLNumber", num: {'int': 8}},
2293  *   {extname: "authorityKeyIdentifier", "kid": {hex: "12ab"}}
2294  *  ]
2295  * });
2296  * o.getEncodedHex() → "30..."
2297  */
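KJUR.asn1.x509.TBSCertList = function(params) {
    // TBSCertList of a CRL: the to-be-signed SEQUENCE assembled from a JSON
    // parameter object held in this.params.
    KJUR.asn1.x509.TBSCertList.superclass.constructor.call(this);
    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _DERInteger = _KJUR_asn1.DERInteger,
        _DERSequence = _KJUR_asn1.DERSequence,
        _DERTaggedObject = _KJUR_asn1.DERTaggedObject,
        _KJUR_asn1_x509 = _KJUR_asn1.x509,
        _AlgorithmIdentifier = _KJUR_asn1_x509.AlgorithmIdentifier,
        _Time = _KJUR_asn1_x509.Time,
        _Extensions = _KJUR_asn1_x509.Extensions,
        _X500Name = _KJUR_asn1_x509.X500Name;
    this.params = null;

    /**
     * set TBSCertList parameters<br/>
     * @name setByParam
     * @memberOf KJUR.asn1.x509.TBSCertList#
     * @function
     * @param {Array} params JSON object of TBSCertList parameters
     * @description
     * The object is stored by reference and read when getEncodedHex() runs.
     * @example
     * tbscl = new KJUR.asn1.x509.TBSCertList();
     * tbscl.setByParam({sigalg: "SHA256withRSA", issuer: {str: '/C=JP/O=Test1'}, thisupdate: "200821235959Z"});
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * get DERSequence for revokedCertificates<br/>
     * @name getRevCertSequence
     * @memberOf KJUR.asn1.x509.TBSCertList#
     * @function
     * @return {@link KJUR.asn1.DERSequence} of revokedCertificates
     * @description
     * Each element of this.params.revcert becomes
     * SEQUENCE { sn, date [, ext] }; ext is added only when present.
     */
    this.getRevCertSequence = function() {
        var aRevCert = this.params.revcert,
            aSeq = [];

        for (var i = 0; i < aRevCert.length; i++) {
            var revoked = aRevCert[i];
            var aEntry = [
                new _DERInteger(revoked.sn),
                new _Time(revoked.date)
            ];
            if (revoked.ext != undefined) {
                aEntry.push(new _Extensions(revoked.ext));
            }
            aSeq.push(new _DERSequence({array: aEntry}));
        }
        return new _DERSequence({array: aSeq});
    };

    // Returns the hex encoding of the TBSCertList built from this.params.
    // Optional fields (version, nextupdate, revcert, ext) are emitted only
    // when present.
    this.getEncodedHex = function() {
        var a = [];
        var params = this.params;

        if (params.version != undefined) {
            // Encoded as version - 1 (v2 is INTEGER 1).
            a.push(new _DERInteger({'int': params.version - 1}));
        }
        // NOTE(review): entry extensions and crlExtensions require v2 per the
        // ASN.1 quoted in the class documentation, but version is not forced
        // here when ext is given; the caller has to set it.

        a.push(new _AlgorithmIdentifier({name: params.sigalg}));
        a.push(new _X500Name(params.issuer));
        a.push(new _Time(params.thisupdate));
        if (params.nextupdate != undefined) {
            a.push(new _Time(params.nextupdate));
        }

        // RFC 5280 5.1.2.6: with no revoked certificates the
        // revokedCertificates field must be absent, so an empty revcert
        // array is omitted instead of being encoded as an empty SEQUENCE.
        if (params.revcert != undefined && params.revcert.length > 0) {
            a.push(this.getRevCertSequence());
        }

        if (params.ext != undefined) {
            // crlExtensions [0] EXPLICIT Extensions
            var dExt = new _Extensions(params.ext);
            a.push(new _DERTaggedObject({tag: 'a0',
                                         explicit: true,
                                         obj: dExt}));
        }

        var seq = new _DERSequence({array: a});
        return seq.getEncodedHex();
    };

    if (params !== undefined) this.setByParam(params);
};
// Register TBSCertList as a subclass of ASN1Object.
extendClass(KJUR.asn1.x509.TBSCertList, KJUR.asn1.ASN1Object);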
2382 
2383 /**
2384  * ASN.1 CRLEntry structure class for CRL (DEPRECATED)<br/>
2385  * @name KJUR.asn1.x509.CRLEntry
2386  * @class ASN.1 CRLEntry structure class for CRL
2387  * @param {Array} params JSON object for CRL entry parameter
2388  * @extends KJUR.asn1.ASN1Object
2389  * @since 1.0.3
2390  * @see KJUR.asn1.x509.TBSCertList
2391  * @deprecated since jsrsasign 9.1.0 asn1x509 2.1.0
2392  * @description
2393  * This class is to represent revokedCertificate in TBSCertList.
2394  * However this is no longer used by TBSCertList since
2395  * jsrsasign 9.1.0, so this class has been deprecated in
2396  * jsrsasign 9.1.0.
2397  * <pre>
2398  * revokedCertificates     SEQUENCE OF SEQUENCE  {
2399  *     userCertificate         CertificateSerialNumber,
2400  *     revocationDate          Time,
2401  *     crlEntryExtensions      Extensions OPTIONAL
2402  *                             -- if present, version MUST be v2 }
2403  * </pre>
2404  * @example
2405  * var e = new KJUR.asn1.x509.CRLEntry({'time': {'str': '130514235959Z'}, 'sn': {'int': 234}});
2406  */
KJUR.asn1.x509.CRLEntry = function(params) {
    // Deprecated single revokedCertificates entry: SEQUENCE { serial, date }.
    // The serial and date objects are kept on the instance as this.sn and
    // this.time.
    KJUR.asn1.x509.CRLEntry.superclass.constructor.call(this);
    var asn1 = KJUR.asn1;

    /**
     * set DERInteger parameter for serial number of revoked certificate
     * @name setCertSerial
     * @memberOf KJUR.asn1.x509.CRLEntry
     * @function
     * @param {Array} intParam DERInteger parameter for certificate serial number
     * @description
     * Stores a new DERInteger built from intParam in this.sn.
     * @example
     * entry.setCertSerial({'int': 3});
     */
    this.setCertSerial = function(intParam) {
        var serial = new asn1.DERInteger(intParam);
        this.sn = serial;
    };

    /**
     * set Time parameter for revocation date
     * @name setRevocationDate
     * @memberOf KJUR.asn1.x509.CRLEntry
     * @function
     * @param {Array} timeParam Time parameter for revocation date
     * @description
     * Stores a new Time built from timeParam in this.time.
     * @example
     * entry.setRevocationDate({'str': '130508235959Z'});
     */
    this.setRevocationDate = function(timeParam) {
        var revokedAt = new asn1.x509.Time(timeParam);
        this.time = revokedAt;
    };

    // Encodes SEQUENCE { sn, time }, caches the hex in this.TLV and returns
    // it. Both setters need to have run first; crlEntryExtensions are not
    // emitted by this class.
    this.getEncodedHex = function() {
        var entrySeq = new asn1.DERSequence({"array": [this.sn, this.time]});
        var hex = entrySeq.getEncodedHex();
        this.TLV = hex;
        return hex;
    };

    if (params === undefined) {
        return;
    }
    if (params.time !== undefined) {
        this.setRevocationDate(params.time);
    }
    if (params.sn !== undefined) {
        this.setCertSerial(params.sn);
    }
};
// Register CRLEntry as a subclass of ASN1Object.
extendClass(KJUR.asn1.x509.CRLEntry, KJUR.asn1.ASN1Object);
2458 
2459 /**
2460  * CRLNumber CRL extension ASN.1 structure class<br/>
2461  * @name KJUR.asn1.x509.CRLNumber
2462  * @class CRLNumber CRL extension ASN.1 structure class
2463  * @extends KJUR.asn1.x509.Extension
2464  * @since jsrsasign 9.1.0 asn1x509 2.1.0
2465  * @see KJUR.asn1.x509.TBSCertList
2466  * @see KJUR.asn1.x509.Extensions
2467  * @description
2468  * This class represents ASN.1 structure for
2469  * CRLNumber CRL extension defined in
2470  * <a href="https://tools.ietf.org/html/rfc5280#section-5.2.3">
2471  * RFC 5280 5.2.3</a>.
2472  * <pre>
2473  * id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
2474  * CRLNumber ::= INTEGER (0..MAX)
2475  * </pre>
2476  * Constructor of this class may have following parameters:
2477  * <ul>
2478  * <li>{String}extname - name "cRLNumber". It is ignored in this class but
2479  * required to use with {@link KJUR.asn1.x509.Extensions} class. (OPTION)</li>
2480  * <li>{Object}num - CRLNumber value to specify
2481  * {@link KJUR.asn1.DERInteger} parameter.</li>
2482  * <li>{Boolean}critical - critical flag. Generally false and not specified
2483  * in this class.(OPTION)</li>
2484  * </ul>
2485  *
2486  * @example
2487  * new KJUR.asn1.x509.CRLNumber({extname:'cRLNumber',
2488  *                               num:{'int':147}})
2489  */
KJUR.asn1.x509.CRLNumber = function(params) {
    KJUR.asn1.x509.CRLNumber.superclass.constructor.call(this, params);

    // OID of the cRLNumber extension.
    this.oid = "2.5.29.20";

    // Keep the constructor argument for later encoding; null and undefined
    // both leave this.params undefined.
    this.params = (params != undefined) ? params : undefined;

    /**
     * Encode the extension value: params.num is handed to DERInteger as-is.
     * Reads this.params, so it fails if the object was built without params.
     * @return {String} hexadecimal string of the INTEGER
     */
    this.getExtnValueHex = function() {
        var crlNumber = new KJUR.asn1.DERInteger(this.params.num);
        this.asn1ExtnValue = crlNumber;
        return crlNumber.getEncodedHex();
    };
};
extendClass(KJUR.asn1.x509.CRLNumber, KJUR.asn1.x509.Extension);
2503 
2504 /**
2505  * CRLReason CRL entry extension ASN.1 structure class<br/>
2506  * @name KJUR.asn1.x509.CRLReason
2507  * @class CRLReason CRL entry extension ASN.1 structure class
2508  * @extends KJUR.asn1.x509.Extension
2509  * @since jsrsasign 9.1.0 asn1x509 2.1.0
2510  * @see KJUR.asn1.x509.TBSCertList
2511  * @see KJUR.asn1.x509.Extensions
2512  * @description
2513  * This class represents ASN.1 structure for
2514  * CRLReason CRL entry extension defined in
2515  * <a href="https://tools.ietf.org/html/rfc5280#section-5.3.1">
2516  * RFC 5280 5.3.1</a>
2517  * <pre>
2518  * id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
2519  * -- reasonCode ::= { CRLReason }
2520  * CRLReason ::= ENUMERATED {
2521  *      unspecified             (0),
2522  *      keyCompromise           (1),
2523  *      cACompromise            (2),
2524  *      affiliationChanged      (3),
2525  *      superseded              (4),
2526  *      cessationOfOperation    (5),
2527  *      certificateHold         (6),
2528  *      removeFromCRL           (8),
2529  *      privilegeWithdrawn      (9),
2530  *      aACompromise           (10) }
2531  * </pre>
2532  * Constructor of this class may have following parameters:
2533  * <ul>
2534  * <li>{String}extname - name "cRLReason". It is ignored in this class but
2535  * required to use with {@link KJUR.asn1.x509.Extensions} class. (OPTION)</li>
2536  * <li>{Integer}code - reasonCode value</li>
2537  * <li>{Boolean}critical - critical flag. Generally false and not specified
2538  * in this class.(OPTION)</li>
2539  * </ul>
2540  *
2541  * @example
2542  * new KJUR.asn1.x509.CRLReason({extname:'cRLReason',code:4})
2543  */
KJUR.asn1.x509.CRLReason = function(params) {
    KJUR.asn1.x509.CRLReason.superclass.constructor.call(this, params);

    // OID of the cRLReason (reasonCode) CRL entry extension.
    this.oid = "2.5.29.21";

    // Keep the constructor argument for later encoding; null and undefined
    // both leave this.params undefined.
    this.params = (params != undefined) ? params : undefined;

    /**
     * Encode the extension value: params.code is handed to DEREnumerated
     * unchanged. This class does not check the code against the CRLReason
     * values listed in RFC 5280; any range checking would have to happen in
     * DEREnumerated or in the caller.
     * @return {String} hexadecimal string of the ENUMERATED
     */
    this.getExtnValueHex = function() {
        var reason = new KJUR.asn1.DEREnumerated(this.params.code);
        this.asn1ExtnValue = reason;
        return reason.getEncodedHex();
    };
};
extendClass(KJUR.asn1.x509.CRLReason, KJUR.asn1.x509.Extension);
2557 
2558 // === END   CRL Related ===================================================
2559 
2560 // === BEGIN OCSP Related ===================================================
2561 /**
2562  * Nonce OCSP extension ASN.1 structure class<br/>
2563  * @name KJUR.asn1.x509.OCSPNonce
2564  * @class Nonce OCSP extension ASN.1 structure class
2565  * @extends KJUR.asn1.x509.Extension
2566  * @since jsrsasign 9.1.6 asn1x509 2.1.2
2567  * @param {Array} params JSON object for Nonce extension
2568  * @see KJUR.asn1.ocsp.ResponseData
2569  * @see KJUR.asn1.x509.Extensions
2570  * @see X509#getExtOCSPNonce
2571  * @description
2572  * This class represents
2573  * Nonce OCSP extension value defined in
2574  * <a href="https://tools.ietf.org/html/rfc6960#section-4.4.1">
2575  * RFC 6960 4.4.1</a> as JSON object.
2576  * <pre>
2577  * id-pkix-ocsp           OBJECT IDENTIFIER ::= { id-ad-ocsp }
2578  * id-pkix-ocsp-nonce     OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
2579  * Nonce ::= OCTET STRING
2580  * </pre>
2581  * Constructor of this class may have following parameters:
2582  * <ul>
2583  * <li>{String}extname - name "ocspNonce". It is ignored in this class but
2584  * required to use with {@link KJUR.asn1.x509.Extensions} class. (OPTION)</li>
2585  * <li>{String}hex - hexadecimal string of nonce value</li>
2586  * <li>{Number}int - integer of nonce value. "hex" or "int" needs to be
2587  * specified.</li>
2588  * <li>{Boolean}critical - critical flag. Generally false and not specified
2589  * in this class.(OPTION)</li>
2590  * </ul>
2591  *
2592  * @example
2593  * new KJUR.asn1.x509.OCSPNonce({extname:'ocspNonce',
2594  *                               hex: '12ab...'})
2595  */
KJUR.asn1.x509.OCSPNonce = function(params) {
    KJUR.asn1.x509.OCSPNonce.superclass.constructor.call(this, params);

    // OID id-pkix-ocsp-nonce.
    this.oid = "1.3.6.1.5.5.7.48.1.2";

    // Keep the constructor argument for later encoding; null and undefined
    // both leave this.params undefined.
    this.params = (params != undefined) ? params : undefined;

    /**
     * Encode the extension value: the whole params object is handed to
     * DEROctetString, so which keys are honoured is decided there.
     * The nonce is whatever the caller supplies; this class neither
     * generates it nor checks its length, so callers should take it from a
     * cryptographically secure random source and use a fresh value per
     * request.
     * @return {String} hexadecimal string of the OCTET STRING
     */
    this.getExtnValueHex = function() {
        var nonce = new KJUR.asn1.DEROctetString(this.params);
        this.asn1ExtnValue = nonce;
        return nonce.getEncodedHex();
    };
};
extendClass(KJUR.asn1.x509.OCSPNonce, KJUR.asn1.x509.Extension);
2609 
2610 /**
2611  * OCSPNoCheck certificate ASN.1 structure class<br/>
2612  * @name KJUR.asn1.x509.OCSPNoCheck
2613  * @class OCSPNoCheck extension ASN.1 structure class
2614  * @extends KJUR.asn1.x509.Extension
2615  * @since jsrsasign 9.1.6 asn1x509 2.1.2
2616  * @param {Array} params JSON object for OCSPNoCheck extension
2617  * @see KJUR.asn1.x509.Extensions
2618  * @see X509#getExtOCSPNoCheck
2619  * @description
2620  * This class represents
2621  * OCSPNoCheck extension value defined in
2622  * <a href="https://tools.ietf.org/html/rfc6960#section-4.2.2.2.1">
2623  * RFC 6960 4.2.2.2.1</a> as JSON object.
2624  * <pre>
2625  * id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
2626  * </pre>
2627  * Constructor of this class may have following parameters:
2628  * <ul>
2629  * <li>{String}extname - name "ocspNoCheck". It is ignored in this class but
2630  * required to use with {@link KJUR.asn1.x509.Extensions} class. (OPTION)</li>
2631  * <li>{Boolean}critical - critical flag. Generally false and not specified
2632  * in this class.(OPTION)</li>
2633  * </ul>
2634  *
2635  * @example
2636  * new KJUR.asn1.x509.OCSPNoCheck({extname:'ocspNoCheck'})
2637  */
KJUR.asn1.x509.OCSPNoCheck = function(params) {
    KJUR.asn1.x509.OCSPNoCheck.superclass.constructor.call(this, params);

    // OID id-pkix-ocsp-nocheck.
    this.oid = "1.3.6.1.5.5.7.48.1.5";

    // Stored for parity with the other extension classes; the encoder below
    // does not read it.
    this.params = (params != undefined) ? params : undefined;

    /**
     * Encode the extension value, which is always an ASN.1 NULL.
     * @return {String} hexadecimal string of the NULL
     */
    this.getExtnValueHex = function() {
        var nullValue = new KJUR.asn1.DERNull();
        this.asn1ExtnValue = nullValue;
        return nullValue.getEncodedHex();
    };
};
extendClass(KJUR.asn1.x509.OCSPNoCheck, KJUR.asn1.x509.Extension);
2651 
2652 // === END   OCSP Related ===================================================
2653 
2654 // === BEGIN Other X.509v3 Extensions========================================
2655 
2656 /**
2657  * AdobeTimeStamp X.509v3 extension ASN.1 encoder class<br/>
2658  * @name KJUR.asn1.x509.AdobeTimeStamp
2659  * @class AdobeTimeStamp X.509v3 extension ASN.1 encoder class
2660  * @extends KJUR.asn1.x509.Extension
2661  * @since jsrsasign 10.0.1 asn1x509 2.1.4
2662  * @param {Array} params JSON object for AdobeTimeStamp extension parameter
2663  * @see KJUR.asn1.x509.Extensions
2664  * @see X509#getExtAdobeTimeStamp
2665  * @description
2666  * This class represents
2667  * AdobeTimeStamp X.509v3 extension value defined in
2668  * <a href="https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/oids.html">
2669  * Adobe site</a> as JSON object.
2670  * <pre>
2671  * adbe- OBJECT IDENTIFIER ::=  { adbe(1.2.840.113583) acrobat(1) security(1) x509Ext(9) 1 }
2672  *  ::= SEQUENCE {
2673  *     version INTEGER  { v1(1) }, -- extension version
2674  *     location GeneralName (In v1 GeneralName can be only uniformResourceIdentifier)
2675  *     requiresAuth        boolean (default false), OPTIONAL }
2676  * </pre>
2677  * Constructor of this class may have following parameters:
2678  * <ul>
2679  * <li>{String}uri - RFC 3161 time stamp service URL</li>
2680  * <li>{Boolean}reqauth - authentication required or not</li>
2681  * </ul>
2682  * </pre>
2683  * <br/>
2684  * NOTE: This extension doesn't seem to have an official name. It may be called "pdfTimeStamp".
2685  * @example
2686  * new KJUR.asn1.x509.AdobeTimeStamp({
2687  *   uri: "http://tsa.example.com/",
2688  *   reqauth: true
2689  * })
2690  */
KJUR.asn1.x509.AdobeTimeStamp = function(params) {
    KJUR.asn1.x509.AdobeTimeStamp.superclass.constructor.call(this, params);

    // Short aliases for the encoder classes used below.
    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;
    var _DERInteger = _KJUR_asn1.DERInteger;
    var _DERBoolean = _KJUR_asn1.DERBoolean;
    var _DERSequence = _KJUR_asn1.DERSequence;
    var _GeneralName = _KJUR_asn1.x509.GeneralName;

    this.params = null;

    /**
     * Encode the extension value as
     * SEQUENCE { version(1), location GeneralName(uri) [, requiresAuth] }.
     * params.uri is embedded as given; no scheme or syntax check is made
     * here. requiresAuth is emitted only when params.reqauth is neither
     * null nor undefined.
     * @return {String} hexadecimal string of the SEQUENCE
     */
    this.getExtnValueHex = function() {
        var p = this.params;
        var members = [
            new _DERInteger(1),
            new _GeneralName({uri: p.uri})
        ];
        if (p.reqauth != undefined) {
            members.push(new _DERBoolean(p.reqauth));
        }

        var seq = new _DERSequence({array: members});
        this.asn1ExtnValue = seq;
        return seq.getEncodedHex();
    };

    this.oid = "1.2.840.113583.1.1.9.1";

    // setByParam is not defined in this constructor; presumably it is
    // inherited from KJUR.asn1.x509.Extension - confirm there.
    if (params !== undefined) this.setByParam(params);
};
extendClass(KJUR.asn1.x509.AdobeTimeStamp, KJUR.asn1.x509.Extension);
2719  
2720 // === END   Other X.509v3 Extensions========================================
2721 
2722 
2723 // === BEGIN X500Name Related =================================================
2724 /**
2725  * X500Name ASN.1 structure class
2726  * @name KJUR.asn1.x509.X500Name
2727  * @class X500Name ASN.1 structure class
2728  * @param {Array} params associative array of parameters (ex. {'str': '/C=US/O=a'})
2729  * @extends KJUR.asn1.ASN1Object
2730  * @see KJUR.asn1.x509.X500Name
2731  * @see KJUR.asn1.x509.RDN
2732  * @see KJUR.asn1.x509.AttributeTypeAndValue
2733  * @see X509#getX500Name
2734  * @description
2735  * This class provides DistinguishedName ASN.1 class structure
2736  * defined in <a href="https://tools.ietf.org/html/rfc2253#section-2">RFC 2253 section 2</a>.
2737  * <blockquote><pre>
2738  * DistinguishedName ::= RDNSequence
2739  * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
2740  * RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
2741  *   AttributeTypeAndValue
2742  * AttributeTypeAndValue ::= SEQUENCE {
2743  *   type  AttributeType,
2744  *   value AttributeValue }
2745  * </pre></blockquote>
2746  * <br/>
2747  * Argument for the constructor can be one of following parameters:
2748  * <ul>
2749  * <li>{Array}array - array of {@link KJUR.asn1.x509.RDN} parameter</li>
2750  * <li>{String}str - string for distinguished name in OpenSSL oneline format (ex: /C=US/O=test/CN=test) See <a href="https://github.com/kjur/jsrsasign/wiki/NOTE-distinguished-name-representation-in-jsrsasign">this</a> in detail.</li>
2751  * <li>{String}ldapstr - string for distinguish name in LDAP format (ex: CN=test,O=test,C=US)</li>
2752  * <li>{String}hex - hexadecimal string for ASN.1 distinguish name structure</li>
2753  * <li>{String}certissuer - issuer name in the specified PEM certificate</li>
2754  * <li>{String}certsubject - subject name in the specified PEM certificate</li>
2755  * <li>{String}rule - DirectoryString rule (ex. "prn" or "utf8")</li>
2756  * </ul>
2757  * <br/>
2758  * NOTE1: The "array" and "rule" parameters have been supported
2759  * since jsrsasign 9.0.0 asn1x509 2.0.0.
2760  * <br/>
2761  * NOTE2: Multi-valued RDN in "str" parameter have been
2762  * supported since jsrsasign 6.2.1 asn1x509 1.0.17.
2763  * @example
2764  * // 1. construct with array
2765  * new KJUR.asn1.x509.X500Name({array:[
2766  *   [{type:'C',value:'JP',ds:'prn'}],
2767  *   [{type:'O',value:'aaa',ds:'utf8'}, // multi-valued RDN
2768  *    {type:'CN',value:'bob@example.com',ds:'ia5'}]
2769  * ]})
2770  * // 2. construct with string
2771  * new KJUR.asn1.x509.X500Name({str: "/C=US/ST=NY/L=Ballston Spa/STREET=915 Stillwater Ave"});
2772  * new KJUR.asn1.x509.X500Name({str: "/CN=AAA/2.5.4.42=John/surname=Ray"});
2773  * new KJUR.asn1.x509.X500Name({str: "/C=US/O=aaa+CN=contact@example.com"}); // multi valued
2774  * // 3. construct by LDAP string
2775  * new KJUR.asn1.x509.X500Name({ldapstr: "CN=foo@example.com,OU=bbb,C=US"});
2776  * // 4. construct by ASN.1 hex string
2777  * new KJUR.asn1.x509.X500Name({hex: "304c3120..."});
2778  * // 5. construct by subject of PEM certificate
2779  * new KJUR.asn1.x509.X500Name({certsubject: "-----BEGIN CERT..."});
2780  * // 6. construct by issuer of PEM certificate
2781  * new KJUR.asn1.x509.X500Name({certissuer: "-----BEGIN CERT..."});
2782  * // 7. construct by object (DEPRECATED)
2783  * new KJUR.asn1.x509.X500Name({C:"US",O:"aaa",CN:"http://example.com/"});
2784  */
KJUR.asn1.x509.X500Name = function(params) {
    KJUR.asn1.x509.X500Name.superclass.constructor.call(this);

    // RDN encoder objects, filled by the setBy* methods or lazily from
    // paramArray in getEncodedHex().
    this.asn1Array = [];
    // Raw RDN parameter arrays taken from the "array" option.
    this.paramArray = [];
    // DirectoryString rule handed to each RDN that is created here.
    this.sRule = "utf8";

    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;
    var _KJUR_asn1_x509 = _KJUR_asn1.x509;
    var _RDN = _KJUR_asn1_x509.RDN;
    var _pemtohex = pemtohex; // alias is not used inside this constructor

    /**
     * set DN by OpenSSL oneline distinguished name string<br/>
     * @name setByString
     * @memberOf KJUR.asn1.x509.X500Name#
     * @function
     * @param {String} dnStr distinguished name by string (ex. /C=US/O=aaa)
     * @param {String} sRule DirectoryString rule (OPTION)
     * @description
     * dnStr must be formatted as
     * "/type0=value0/type1=value1/type2=value2...".
     * A "/"-separated segment that is not of the form "type=value" is
     * treated as the continuation of the previous attribute value, so a
     * slash inside a value needs no escaping.
     * <br/>
     * NOTE(review): the first "/"-separated segment is always discarded, so
     * a string that does not start with "/" silently loses its first
     * component, and a continuation segment with no attribute before it is
     * dropped. Callers issuing certificates from external input should
     * validate the string shape before calling this.
     * @example
     * name = new KJUR.asn1.x509.X500Name();
     * name.setByString("/C=US/O=aaa/OU=bbb/CN=foo@example.com");
     * // no need to escape slash in an attribute value
     * name.setByString("/C=US/O=aaa/CN=1980/12/31");
     */
    this.setByString = function(dnStr, sRule) {
        if (sRule !== undefined) this.sRule = sRule;

        var segments = dnStr.split('/');
        segments.shift(); // drop whatever precedes the first "/"

        // Re-attach segments that are not "type=value" to the previous one.
        var rdnStrings = [];
        for (var i = 0; i < segments.length; i++) {
            var segment = segments[i];
            if (/^[^=]+=.+$/.test(segment)) {
                rdnStrings.push(segment);
                continue;
            }
            var tail = rdnStrings.length - 1;
            rdnStrings[tail] = rdnStrings[tail] + "/" + segment;
        }

        for (var j = 0; j < rdnStrings.length; j++) {
            this.asn1Array.push(new _RDN({'str': rdnStrings[j], rule: this.sRule}));
        }
    };

    /**
     * set DN by LDAP(RFC 2253) distinguished name string<br/>
     * @name setByLdapString
     * @memberOf KJUR.asn1.x509.X500Name#
     * @function
     * @param {String} dnStr distinguished name by LDAP string (ex. O=aaa,C=US)
     * @param {String} sRule DirectoryString rule (OPTION)
     * @since jsrsasign 6.2.2 asn1x509 1.0.18
     * @see {@link KJUR.asn1.x509.X500Name.ldapToCompat}
     * @description
     * The string is converted with ldapToCompat and then passed to
     * setByString.
     * @example
     * name = new KJUR.asn1.x509.X500Name();
     * name.setByLdapString("CN=foo@example.com,OU=bbb,O=aaa,C=US");
     */
    this.setByLdapString = function(dnStr, sRule) {
        if (sRule !== undefined) this.sRule = sRule;
        var compatForm = _KJUR_asn1_x509.X500Name.ldapToCompat(dnStr);
        this.setByString(compatForm, sRule);
    };

    /**
     * set DN by associative array<br/>
     * @name setByObject
     * @memberOf KJUR.asn1.x509.X500Name#
     * @function
     * @param {Array} dnObj associative array of DN (ex. {C: "US", O: "aaa"})
     * @param {String} sRule DirectoryString rule (OPTION)
     * @since jsrsasign 4.9. asn1x509 1.0.13
     * @description
     * Every own property of dnObj becomes one RDN built from the string
     * "key=value".
     * @example
     * name = new KJUR.asn1.x509.X500Name();
     * name.setByObject({C: "US", O: "aaa", CN: "http://example.com/"});
     */
    this.setByObject = function(dnObj, sRule) {
        if (sRule !== undefined) this.sRule = sRule;

        for (var key in dnObj) {
            if (!dnObj.hasOwnProperty(key)) continue;

            var rdn = new _RDN({str: key + '=' + dnObj[key], rule: this.sRule});
            // Create the array on demand in case it has been cleared.
            if (this.asn1Array) {
                this.asn1Array.push(rdn);
            } else {
                this.asn1Array = [rdn];
            }
        }
    };

    /**
     * Initialise the name from a parameter object. Exactly one source is
     * used, in this order of precedence: array, str, ldapstr, hex,
     * certissuer, certsubject, and finally the object itself (deprecated
     * {C: "US", ...} form).
     * @param {Array} params see the constructor documentation
     */
    this.setByParam = function(params) {
        if (params.rule !== undefined) this.sRule = params.rule;

        if (params.array !== undefined) {
            this.paramArray = params.array;
            return;
        }
        if (params.str !== undefined) {
            this.setByString(params.str);
            return;
        }
        if (params.ldapstr !== undefined) {
            this.setByLdapString(params.ldapstr);
            return;
        }
        if (params.hex !== undefined) {
            // Stored verbatim and returned by getEncodedHex(); nothing here
            // checks that it is a well-formed DER Name.
            this.hTLV = params.hex;
            return;
        }

        var cert;
        if (params.certissuer !== undefined) {
            cert = new X509();
            cert.readCertPEM(params.certissuer);
            this.hTLV = cert.getIssuerHex();
            return;
        }
        if (params.certsubject !== undefined) {
            cert = new X509();
            cert.readCertPEM(params.certsubject);
            this.hTLV = cert.getSubjectHex();
            return;
        }

        // Fallback: use the object's own attributes as the DN. Handy for
        // values with many special characters
        // (i.e. CN: 'https://www.github.com/kjur//').
        if (typeof params === "object" &&
            params.certsubject === undefined &&
            params.certissuer === undefined) {
            this.setByObject(params);
        }
    };

    /**
     * Return the DER encoding of the name as a hexadecimal string. A value
     * already held in this.hTLV is returned unchanged; otherwise the RDNs
     * are encoded as a SEQUENCE and the result is cached in this.hTLV.
     * @return {String} hexadecimal string of the Name
     */
    this.getEncodedHex = function() {
        if (typeof this.hTLV == "string") return this.hTLV;

        // Build RDN objects from the "array" option on first use.
        var buildFromParams = this.asn1Array.length == 0 &&
            this.paramArray.length > 0;
        if (buildFromParams) {
            for (var i = 0; i < this.paramArray.length; i++) {
                var rdnParam = {array: this.paramArray[i]};
                if (this.sRule != "utf8") rdnParam.rule = this.sRule;
                this.asn1Array.push(new _RDN(rdnParam));
            }
        }

        var seq = new _KJUR_asn1.DERSequence({"array": this.asn1Array});
        this.hTLV = seq.getEncodedHex();
        return this.hTLV;
    };

    if (params !== undefined) this.setByParam(params);
};
extendClass(KJUR.asn1.x509.X500Name, KJUR.asn1.ASN1Object);
2930 
2931 /**
2932  * convert OpenSSL compat distinguished name format string to LDAP(RFC 2253) format<br/>
2933  * @name compatToLDAP
2934  * @memberOf KJUR.asn1.x509.X500Name
2935  * @function
2936  * @param {String} s distinguished name string in OpenSSL oneline compat (ex. /C=US/O=test)
2937  * @return {String} distinguished name string in LDAP(RFC 2253) format (ex. O=test,C=US)
2938  * @since jsrsasign 8.0.19 asn1x509 1.1.20
2939  * @description
2940  * This static method converts a distinguished name string in OpenSSL compat
2941  * format to LDAP(RFC 2253) format.
2942  * @see <a href="https://github.com/kjur/jsrsasign/wiki/NOTE-distinguished-name-representation-in-jsrsasign">jsrsasign wiki: distinguished name string difference between OpenSSL compat and LDAP(RFC 2253)</a>
2943  * @see <a href="https://www.openssl.org/docs/man1.0.2/man1/openssl-x509.html#NAME-OPTIONS">OpenSSL x509 command manual - NAME OPTIONS</a>
2944  * @example
2945  * KJUR.asn1.x509.X500Name.compatToLDAP("/C=US/O=test") → 'O=test,C=US'
2946  * KJUR.asn1.x509.X500Name.compatToLDAP("/C=US/O=a,a") → 'O=a\,a,C=US'
2947  */
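KJUR.asn1.x509.X500Name.compatToLDAP = function(s) {
    // Convert "/C=US/O=test" to "O=test,C=US".
    // @param {String} s DN in OpenSSL oneline compat form; must start with "/"
    // @return {String} DN in LDAP order with commas inside values escaped
    // @throws {String} "malformed input" when s does not start with "/"
    if (s.substr(0, 1) !== "/") throw "malformed input";

    // Drop the leading "/" and split into components; LDAP lists the most
    // specific component first, so the order is reversed.
    // Every "/" is taken as a separator here, including one inside a value.
    var components = s.substr(1).split("/");
    components.reverse();

    // Escape EVERY comma inside a component. Escaping only the first one
    // would leave later commas looking like RDN separators, so a value such
    // as "O=a,b,c" could be read back as extra name components.
    // Only "," is escaped; other RFC 2253 special characters are passed
    // through unchanged.
    var escaped = components.map(function(component) {
        return component.replace(/,/g, "\\,");
    });

    return escaped.join(",");
};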
2960 
2961 /**
2962  * convert OpenSSL compat distinguished name format string to LDAP(RFC 2253) format (DEPRECATED)<br/>
2963  * @name onelineToLDAP
2964  * @memberOf KJUR.asn1.x509.X500Name
2965  * @function
2966  * @param {String} s distinguished name string in OpenSSL compat format (ex. /C=US/O=test)
2967  * @return {String} distinguished name string in LDAP(RFC 2253) format (ex. O=test,C=US)
2968  * @since jsrsasign 6.2.2 asn1x509 1.0.18
2969  * @see KJUR.asn1.x509.X500Name.compatToLDAP
2970  * @description
2971  * This method is deprecated. Please use 
2972  * {@link KJUR.asn1.x509.X500Name.compatToLDAP} instead.
2973  */
KJUR.asn1.x509.X500Name.onelineToLDAP = function(s) {
    // Deprecated alias: delegates unchanged to compatToLDAP.
    var _X500Name = KJUR.asn1.x509.X500Name;
    return _X500Name.compatToLDAP(s);
};
2977 
2978 /**
2979  * convert LDAP(RFC 2253) distinguished name format string to OpenSSL compat format<br/>
2980  * @name ldapToCompat
2981  * @memberOf KJUR.asn1.x509.X500Name
2982  * @function
2983  * @param {String} s distinguished name string in LDAP(RFC 2253) format (ex. O=test,C=US)
2984  * @return {String} distinguished name string in OpenSSL compat format (ex. /C=US/O=test)
2985  * @since jsrsasign 8.0.19 asn1x509 1.1.10
2986  * @description
2987  * This static method converts a distinguished name string in 
2988  * LDAP(RFC 2253) format to OpenSSL compat format.
2989  * @see <a href="https://github.com/kjur/jsrsasign/wiki/NOTE-distinguished-name-representation-in-jsrsasign">jsrsasign wiki: distinguished name string difference between OpenSSL compat and LDAP(RFC 2253)</a>
2990  * @example
2991  * KJUR.asn1.x509.X500Name.ldapToCompat('O=test,C=US') → '/C=US/O=test'
2992  * KJUR.asn1.x509.X500Name.ldapToCompat('O=a\,a,C=US') → '/C=US/O=a,a'
2993  * KJUR.asn1.x509.X500Name.ldapToCompat('O=a/a,C=US')  → '/C=US/O=a\/a'
2994  */
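KJUR.asn1.x509.X500Name.ldapToCompat = function(s) {
    // Convert "O=test,C=US" to "/C=US/O=test".
    // @param {String} s DN in LDAP(RFC 2253) string form
    // @return {String} DN in OpenSSL oneline compat form
    //
    // Two escaping details matter for where one RDN ends and the next
    // begins:
    //  - a comma is an escaped (literal) comma only when it is preceded by
    //    an ODD number of backslashes; "\\," is an escaped backslash
    //    followed by a real separator;
    //  - every "/" in a value is escaped, not just the first one.

    // True when str ends with an odd-length run of backslashes.
    var endsWithEscape = function(str) {
        var count = 0;
        for (var k = str.length - 1; k >= 0 && str.charAt(k) === "\\"; k--) {
            count++;
        }
        return count % 2 === 1;
    };

    var pieces = s.split(",");

    // Re-join pieces that were split on an escaped comma.
    var rdns = [];
    var joinWithPrevious = false;
    for (var i = 0; i < pieces.length; i++) {
        var piece = pieces[i];

        if (joinWithPrevious) {
            var previous = rdns.pop();
            rdns.push((previous + "," + piece).replace(/\\,/g, ","));
        } else {
            rdns.push(piece);
        }

        joinWithPrevious = endsWithEscape(piece);
    }

    // Escape all slashes so they are not mistaken for component separators.
    rdns = rdns.map(function(rdn) {
        return rdn.replace(/\//g, "\\/");
    });
    rdns.reverse();
    return "/" + rdns.join("/");
};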
3021 
3022 /**
3023  * convert LDAP(RFC 2253) distinguished name format string to OpenSSL compat format (DEPRECATED)<br/>
3024  * @name ldapToOneline
3025  * @memberOf KJUR.asn1.x509.X500Name
3026  * @function
3027  * @param {String} s distinguished name string in LDAP(RFC 2253) format (ex. O=test,C=US)
3028  * @return {String} distinguished name string in OpenSSL compat format (ex. /C=US/O=test)
3029  * @since jsrsasign 6.2.2 asn1x509 1.0.18
3030  * @description
3031  * This method is deprecated. Please use 
3032  * {@link KJUR.asn1.x509.X500Name.ldapToCompat} instead.
3033  */
KJUR.asn1.x509.X500Name.ldapToOneline = function(s) {
    // Deprecated alias: delegates unchanged to ldapToCompat.
    var _X500Name = KJUR.asn1.x509.X500Name;
    return _X500Name.ldapToCompat(s);
};
3037 
3038 /**
3039  * RDN (Relative Distinguished Name) ASN.1 structure class
3040  * @name KJUR.asn1.x509.RDN
3041  * @class RDN (Relative Distinguished Name) ASN.1 structure class
3042  * @param {Array} params associative array of parameters (ex. {'str': 'C=US'})
3043  * @extends KJUR.asn1.ASN1Object
3044  * @see KJUR.asn1.x509.X500Name
3045  * @see KJUR.asn1.x509.RDN
3046  * @see KJUR.asn1.x509.AttributeTypeAndValue
3047  * @description
3048  * This class provides RelativeDistinguishedName ASN.1 class structure
3049  * defined in <a href="https://tools.ietf.org/html/rfc2253#section-2">RFC 2253 section 2</a>.
3050  * <blockquote><pre>
3051  * RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
3052  *   AttributeTypeAndValue
3053  *
3054  * AttributeTypeAndValue ::= SEQUENCE {
3055  *   type  AttributeType,
3056  *   value AttributeValue }
3057  * </pre></blockquote>
3058  * <br/>
3059  * NOTE1: The "array" and "rule" parameters have been supported
3060  * since jsrsasign 9.0.0 asn1x509 2.0.0.
3061  * <br/>
3062  * NOTE2: Multi-valued RDN in "str" parameter have been
3063  * supported since jsrsasign 6.2.1 asn1x509 1.0.17.
3064  * @example
3065  * new KJUR.asn1.x509.RDN({array: [ // multi-valued
3066  *    {type:"CN",value:"Bob",ds:"prn"},
3067  *    {type:"CN",value:"bob@example.com", ds:"ia5"}
3068  * ]});
3069  * new KJUR.asn1.x509.RDN({str: "CN=test"});
3070  * new KJUR.asn1.x509.RDN({str: "O=a+O=bb+O=c"}); // multi-valued
3071  * new KJUR.asn1.x509.RDN({str: "O=a+O=b\\+b+O=c"}); // plus escaped
3072  * new KJUR.asn1.x509.RDN({str: "O=a+O=\"b+b\"+O=c"}); // double quoted
3073  */
KJUR.asn1.x509.RDN = function(params) {
    KJUR.asn1.x509.RDN.superclass.constructor.call(this);

    // AttributeTypeAndValue encoder objects of this RDN.
    this.asn1Array = [];
    // Raw AttributeTypeAndValue parameters from the "array" option.
    this.paramArray = [];
    // DirectoryString rule; "utf8" unless overridden.
    this.sRule = "utf8";

    var _AttributeTypeAndValue = KJUR.asn1.x509.AttributeTypeAndValue;

    /**
     * Initialise from a parameter object: "rule" first, then "str"
     * (parsed immediately), then "array" (kept for lazy encoding).
     * @param {Array} params see the constructor documentation
     */
    this.setByParam = function(params) {
        if (params.rule !== undefined) {
            this.sRule = params.rule;
        }
        if (params.str !== undefined) {
            this.addByMultiValuedString(params.str);
        }
        if (params.array !== undefined) {
            this.paramArray = params.array;
        }
    };

    /**
     * add one AttributeTypeAndValue by string<br/>
     * @name addByString
     * @memberOf KJUR.asn1.x509.RDN#
     * @function
     * @param {String} s string of AttributeTypeAndValue
     * @return {Object} unspecified
     * @description
     * Appends one AttributeTypeAndValue, built with the current rule, to
     * this RDN.
     * @example
     * rdn = new KJUR.asn1.x509.RDN();
     * rdn.addByString("CN=john");
     * rdn.addByString("serialNumber=1234"); // for multi-valued RDN
     */
    this.addByString = function(s) {
        var atv = new KJUR.asn1.x509.AttributeTypeAndValue({'str': s, rule: this.sRule});
        this.asn1Array.push(atv);
    };

    /**
     * add one AttributeTypeAndValue by multi-valued string<br/>
     * @name addByMultiValuedString
     * @memberOf KJUR.asn1.x509.RDN#
     * @function
     * @param {String} s string of multi-valued RDN
     * @return {Object} unspecified
     * @since jsrsasign 6.2.1 asn1x509 1.0.17
     * @description
     * Splits s with KJUR.asn1.x509.RDN.parseString and adds each part with
     * addByString.
     * @example
     * rdn = new KJUR.asn1.x509.RDN();
     * rdn.addByMultiValuedString("CN=john+O=test");
     * rdn.addByMultiValuedString("O=a+O=b\\+b\\+b+O=c"); // multi-valued RDN with escaped plus
     * rdn.addByMultiValuedString("O=a+O=\"b+b+b\"+O=c"); // multi-valued RDN with double-quoted value
     */
    this.addByMultiValuedString = function(s) {
        var parts = KJUR.asn1.x509.RDN.parseString(s);
        parts.forEach(function(part) {
            this.addByString(part);
        }, this);
    };

    /**
     * Return the DER encoding of this RDN (a SET) as a hexadecimal string
     * and cache it in this.TLV.
     * @return {String} hexadecimal string of the RDN
     */
    this.getEncodedHex = function() {
        // Build encoder objects from the "array" option on first use.
        var buildFromParams = this.asn1Array.length == 0 &&
            this.paramArray.length > 0;
        if (buildFromParams) {
            for (var i = 0; i < this.paramArray.length; i++) {
                var atvParam = this.paramArray[i];
                // NOTE(review): the rule is overwritten only when the entry
                // already carries one, and the caller's object is modified
                // in place - confirm both are intended.
                if (atvParam.rule !== undefined && this.sRule != "utf8") {
                    atvParam.rule = this.sRule;
                }
                this.asn1Array.push(new _AttributeTypeAndValue(atvParam));
            }
        }

        var set = new KJUR.asn1.DERSet({"array": this.asn1Array});
        this.TLV = set.getEncodedHex();
        return this.TLV;
    };

    if (params !== undefined) {
        this.setByParam(params);
    }
};
extendClass(KJUR.asn1.x509.RDN, KJUR.asn1.ASN1Object);
3153 
3154 /**
3155  * parse multi-valued RDN string and split into array of 'AttributeTypeAndValue'<br/>
3156  * @name parseString
3157  * @memberOf KJUR.asn1.x509.RDN
3158  * @function
3159  * @param {String} s multi-valued string of RDN
3160  * @return {Array} array of string of AttributeTypeAndValue
3161  * @since jsrsasign 6.2.1 asn1x509 1.0.17
3162  * @description
3163  * This static method parses multi-valued RDN string and split into
3164  * array of AttributeTypeAndValue.
3165  * @example
3166  * KJUR.asn1.x509.RDN.parseString("CN=john") → ["CN=john"]
3167  * KJUR.asn1.x509.RDN.parseString("CN=john+OU=test") → ["CN=john", "OU=test"]
3168  * KJUR.asn1.x509.RDN.parseString('CN="jo+hn"+OU=test') → ["CN=jo+hn", "OU=test"]
3169  * KJUR.asn1.x509.RDN.parseString('CN=jo\+hn+OU=test') → ["CN=jo+hn", "OU=test"]
3170  * KJUR.asn1.x509.RDN.parseString("CN=john+OU=test+OU=t1") → ["CN=john", "OU=test", "OU=t1"]
3171  */
KJUR.asn1.x509.RDN.parseString = function(s) {
    // Split a multi-valued RDN string on "+" and then undo the splits that
    // fell on an escaped plus ("\+") or inside a double-quoted value.
    // @param {String} s multi-valued RDN string
    // @return {Array} array of "type=value" strings
    var rawParts = s.split(/\+/);

    // Pass 1: re-join pieces that were split on an escaped plus.
    // NOTE(review): only the last character of a piece is inspected, so a
    // value ending in an escaped backslash ("\\") immediately before "+" is
    // also treated as an escaped plus.
    var unescaped = [];
    var previousEndsWithBackslash = false;
    while (rawParts.length > 0) {
        var piece = rawParts.shift();

        if (previousEndsWithBackslash === true) {
            var head = unescaped.pop();
            unescaped.push((head + "+" + piece).replace(/\\\+/g, "+"));
        } else {
            unescaped.push(piece);
        }

        previousEndsWithBackslash = (piece.substr(-1, 1) === "\\");
    }

    // Pass 2: re-join pieces that belong to one double-quoted value and
    // strip the surrounding quotes once the closing quote is seen.
    // NOTE(review): quote state is entered whenever a piece starts with
    // type=" - including a piece whose quote is already closed, e.g.
    // CN="john" - so the pieces that follow are appended to it.
    var result = [];
    var insideQuote = false;
    while (unescaped.length > 0) {
        var fragment = unescaped.shift();

        if (insideQuote === true) {
            var opened = result.pop();
            var joined = opened + "+" + fragment;
            if (/"$/.test(fragment)) {
                result.push(joined.replace(/^([^=]+)="(.*)"$/, "$1=$2"));
                insideQuote = false;
            } else {
                result.push(joined);
            }
        } else {
            result.push(fragment);
        }

        if (/^[^=]+="/.test(fragment)) {
            insideQuote = true;
        }
    }
    return result;
};
3220 
3221 /**
3222  * AttributeTypeAndValue ASN.1 structure class
3223  * @name KJUR.asn1.x509.AttributeTypeAndValue
3224  * @class AttributeTypeAndValue ASN.1 structure class
3225  * @param {Array} params JSON object for parameters (ex. {str: 'C=US'})
3226  * @extends KJUR.asn1.ASN1Object
3227  * @see KJUR.asn1.x509.X500Name
3228  * @see KJUR.asn1.x509.RDN
3229  * @see KJUR.asn1.x509.AttributeTypeAndValue
3230  * @see X509#getAttrTypeAndValue
3231  * @description
3232  * This class generates AttributeTypeAndValue defined in
3233  * <a href="https://tools.ietf.org/html/rfc5280#section-4.1.2.4">
3234  * RFC 5280 4.1.2.4</a>.
3235  * <pre>
3236  * AttributeTypeAndValue ::= SEQUENCE {
3237  *   type     AttributeType,
3238  *   value    AttributeValue }
3239  * AttributeType ::= OBJECT IDENTIFIER
3240  * AttributeValue ::= ANY -- DEFINED BY AttributeType
3241  * </pre>
3242  * The constructor argument can have following parameters:
3243  * <ul>
3244  * <li>{String}type - AttributeType name or OID(ex. C,O,CN)</li>
3245  * <li>{String}value - raw string of ASN.1 value of AttributeValue</li>
3246  * <li>{String}ds - DirectoryString type of AttributeValue</li>
3247  * <li>{String}rule - DirectoryString type rule (ex. "prn" or "utf8")
3248  * set DirectoryString type automatically when "ds" not specified.</li>
3249  * <li>{String}str - AttributeTypeAndValue string (ex. "C=US").
3250  * When type and value don't exist,
3251  * this "str" will be converted to "type" and "value".
3252  * </li>
3253  * </ul>
3254  * <br/>
3255  * NOTE: Parameters "type", "value", "ds" and "rule" have
3256  * been supported since jsrsasign 9.0.0 asn1x509 2.0.0.
3257  * @example
3258  * new KJUR.asn1.x509.AttributeTypeAndValue({type:'C',value:'US',ds:'prn'})
3259  * new KJUR.asn1.x509.AttributeTypeAndValue({type:'givenName',value:'John',ds:'prn'})
3260  * new KJUR.asn1.x509.AttributeTypeAndValue({type:'2.5.4.9',value:'71 Bowman St',ds:'prn'})
3261  * new KJUR.asn1.x509.AttributeTypeAndValue({str:'O=T1'})
3262  * new KJUR.asn1.x509.AttributeTypeAndValue({str:'streetAddress=71 Bowman St'})
3263  * new KJUR.asn1.x509.AttributeTypeAndValue({str:'O=T1',rule:'prn'})
3264  * new KJUR.asn1.x509.AttributeTypeAndValue({str:'O=T1',rule:'utf8'})
3265  */
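KJUR.asn1.x509.AttributeTypeAndValue = function(params) {
    KJUR.asn1.x509.AttributeTypeAndValue.superclass.constructor.call(this);
    // Rule used by _getDsType() to pick a DirectoryString type when no
    // explicit "ds" was given ("utf8" or "prn").
    this.sRule = "utf8";
    // Attribute type name or OID string (ex. "CN", "2.5.4.9").
    this.sType = null;
    // Attribute value as a plain string.
    this.sValue = null;
    // Explicit DirectoryString type key ("utf8", "prn", "tel", "ia5", "vis",
    // "bmp"), or null to have it chosen at encoding time.
    this.dsType = null;
    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _DERUTF8String = _KJUR_asn1.DERUTF8String,
        _DERPrintableString = _KJUR_asn1.DERPrintableString,
        _DERTeletexString = _KJUR_asn1.DERTeletexString,
        _DERIA5String = _KJUR_asn1.DERIA5String,
        _DERVisibleString = _KJUR_asn1.DERVisibleString,
        _DERBMPString = _KJUR_asn1.DERBMPString,
        _isMail = _KJUR.lang.String.isMail,
        _isPrintable = _KJUR.lang.String.isPrintable;

    /*
     * Set type, value, rule and DirectoryString type from a parameter object.
     *
     * "rule" and "ds" are copied when present. When "value" is absent and
     * "str" is present, "str" is split at its first "=" into type and value;
     * otherwise "type" and "value" are taken as given.
     *
     * Throws Error when "str" is used and does not have the form
     * "<type>=<non-empty value>".
     */
    this.setByParam = function(params) {
        if (params.rule !== undefined) this.sRule = params.rule;
        if (params.ds !== undefined)   this.dsType = params.ds;

        if (params.value === undefined &&
            params.str !== undefined) {
            var str = params.str;
            var matchResult = str.match(/^([^=]+)=(.+)$/);
            if (matchResult) {
                this.sType = matchResult[1];
                this.sValue = matchResult[2];
            } else {
                // FIX: the message used to reference an undeclared variable
                // (attrTypeAndValueStr), so malformed input raised a
                // ReferenceError instead of this diagnostic.
                throw new Error("malformed attrTypeAndValueStr: " + str);
            }
        } else {
            this.sType = params.type;
            this.sValue = params.value;
        }
    };

    /*
     * Set type and value from a "<type>=<value>" string, optionally with a rule.
     * Throws Error when the string does not have that form.
     *
     * @deprecated
     */
    this.setByString = function(sTypeValue, sRule) {
        if (sRule !== undefined) this.sRule = sRule;
        var matchResult = sTypeValue.match(/^([^=]+)=(.+)$/);
        if (matchResult) {
            this.setByAttrTypeAndValueStr(matchResult[1], matchResult[2]);
        } else {
            // FIX: same undeclared-variable reference as in setByParam.
            throw new Error("malformed attrTypeAndValueStr: " + sTypeValue);
        }
    };

    /*
     * Choose the DirectoryString type key for the current type/value/rule.
     *
     * rule "prn":  a CN that looks like a mail address -> "ia5";
     *              a printable value -> "prn"; anything else -> "utf8".
     * rule "utf8": a CN that looks like a mail address -> "ia5";
     *              type "C" -> "prn" (the value itself is not checked on
     *              this path); anything else -> "utf8".
     * Any other rule falls back to "utf8".
     */
    this._getDsType = function() {
        var sType = this.sType;
        var sValue = this.sValue;
        var sRule = this.sRule;

        if (sRule === "prn") {
            if (sType == "CN" && _isMail(sValue)) return "ia5";
            if (_isPrintable(sValue)) return "prn";
            return "utf8";
        } else if (sRule === "utf8") {
            if (sType == "CN" && _isMail(sValue)) return "ia5";
            if (sType == "C") return "prn";
            return "utf8";
        }
        return "utf8"; // default
    };

    /*
     * Set type and value directly, optionally replacing the rule.
     */
    this.setByAttrTypeAndValueStr = function(sType, sValue, sRule) {
        if (sRule !== undefined) this.sRule = sRule;
        this.sType = sType;
        this.sValue = sValue;
    };

    /*
     * Build the DER string object for a value.
     *
     * dsType is one of "utf8", "prn", "tel", "ia5", "vis", "bmp"; any other
     * key throws Error. No check is made here that valueStr fits the chosen
     * string type.
     * NOTE(review): whether the DER string classes reject characters outside
     * their repertoire is not visible from here -- confirm before passing an
     * explicit "ds" together with externally supplied values.
     */
    this.getValueObj = function(dsType, valueStr) {
        if (dsType == "utf8") return new _DERUTF8String({"str": valueStr});
        if (dsType == "prn")  return new _DERPrintableString({"str": valueStr});
        if (dsType == "tel")  return new _DERTeletexString({"str": valueStr});
        if (dsType == "ia5")  return new _DERIA5String({"str": valueStr});
        if (dsType == "vis")  return new _DERVisibleString({"str": valueStr});
        if (dsType == "bmp")  return new _DERBMPString({"str": valueStr});
        throw new Error("unsupported directory string type: type=" +
                        dsType + " value=" + valueStr);
    };

    /*
     * Encode as SEQUENCE { type OBJECT IDENTIFIER, value <string> } and return
     * the hex TLV, which is also stored in this.TLV. When no explicit
     * DirectoryString type was set, it is chosen by _getDsType() and kept in
     * this.dsType for later calls.
     */
    this.getEncodedHex = function() {
        if (this.dsType == null) this.dsType = this._getDsType();
        var asn1Type = KJUR.asn1.x509.OID.atype2obj(this.sType);
        var asn1Value = this.getValueObj(this.dsType, this.sValue);
        var o = new _DERSequence({"array": [asn1Type, asn1Value]});
        this.TLV = o.getEncodedHex();
        return this.TLV;
    };

    if (params !== undefined) {
        this.setByParam(params);
    }
};
extendClass(KJUR.asn1.x509.AttributeTypeAndValue, KJUR.asn1.ASN1Object);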
3369 
3370 // === END   X500Name Related =================================================
3371 
3372 // === BEGIN Other ASN1 structure class  ======================================
3373 
3374 /**
3375  * SubjectPublicKeyInfo ASN.1 structure class
3376  * @name KJUR.asn1.x509.SubjectPublicKeyInfo
3377  * @class SubjectPublicKeyInfo ASN.1 structure class
3378  * @param {Object} params parameter for subject public key
3379  * @extends KJUR.asn1.ASN1Object
3380  * @description
3381  * <br/>
3382  * As for argument 'params' for constructor, you can specify one of
3383  * following properties:
3384  * <ul>
3385  * <li>{@link RSAKey} object</li>
3386  * <li>{@link KJUR.crypto.ECDSA} object</li>
3387  * <li>{@link KJUR.crypto.DSA} object</li>
3388  * </ul>
3389  * NOTE1: 'params' can be omitted.<br/>
3390  * NOTE2: DSA/ECDSA key object is also supported since asn1x509 1.0.6.<br/>
3391  * <h4>EXAMPLE</h4>
3392  * @example
3393  * spki = new KJUR.asn1.x509.SubjectPublicKeyInfo(RSAKey_object);
3394  * spki = new KJUR.asn1.x509.SubjectPublicKeyInfo(KJURcryptoECDSA_object);
3395  * spki = new KJUR.asn1.x509.SubjectPublicKeyInfo(KJURcryptoDSA_object);
3396  */
KJUR.asn1.x509.SubjectPublicKeyInfo = function(params) {
    KJUR.asn1.x509.SubjectPublicKeyInfo.superclass.constructor.call(this);

    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;
    var _DERInteger = _KJUR_asn1.DERInteger;
    var _DERBitString = _KJUR_asn1.DERBitString;
    var _DERObjectIdentifier = _KJUR_asn1.DERObjectIdentifier;
    var _DERSequence = _KJUR_asn1.DERSequence;
    var _newObject = _KJUR_asn1.ASN1Util.newObject;
    var _KJUR_asn1_x509 = _KJUR_asn1.x509;
    var _AlgorithmIdentifier = _KJUR_asn1_x509.AlgorithmIdentifier;
    // These lookups are kept although the aliases are not used below: they
    // are evaluated on every construction, so a missing KJUR.crypto still
    // fails here rather than later.
    var _KJUR_crypto = _KJUR.crypto;
    var _KJUR_crypto_ECDSA = _KJUR_crypto.ECDSA;
    var _KJUR_crypto_DSA = _KJUR_crypto.DSA;

    /*
     * Return SEQUENCE { algorithm, subjectPublicKey } as an ASN.1 object.
     * Throws the string "algId and/or subjPubKey not set" when either part
     * is missing, which is also how a key that setPubKey() could not handle
     * becomes visible.
     *
     * @since asn1x509 1.0.7
     */
    this.getASN1Object = function() {
        var missing = (this.asn1AlgId == null || this.asn1SubjPKey == null);
        if (missing) {
            throw "algId and/or subjPubKey not set";
        }
        return new _DERSequence({'array': [this.asn1AlgId, this.asn1SubjPKey]});
    };

    /*
     * Return the hex TLV of the structure; it is also stored in this.hTLV.
     */
    this.getEncodedHex = function() {
        this.hTLV = this.getASN1Object().getEncodedHex();
        return this.hTLV;
    };

    /**
     * @name setPubKey
     * @memberOf KJUR.asn1.x509.SubjectPublicKeyInfo#
     * @function
     * @param {Object} {@link RSAKey}, {@link KJUR.crypto.ECDSA} or {@link KJUR.crypto.DSA} object
     * @since jsrsasign 8.0.0 asn1x509 1.1.0
     * @description
     * Sets the algorithm identifier and the public key BIT STRING from a key
     * object. Each key class is probed in its own try block and every
     * exception raised there is discarded. As a consequence this method
     * never reports a failure itself: a key of an unsupported class, or a key
     * whose encoding throws part-way, leaves the fields unset or only partly
     * updated, and the problem shows up later when the structure is encoded.
     * @example
     * spki = new KJUR.asn1.x509.SubjectPublicKeyInfo();
     * pubKey = KEYUTIL.getKey(PKCS8PUBKEYPEM);
     * spki.setPubKey(pubKey);
     */
    this.setPubKey = function(key) {
        // RSA: SEQUENCE { modulus, publicExponent } inside the BIT STRING
        try {
            if (key instanceof RSAKey) {
                var rsaPubSeq = _newObject({
                    'seq': [{'int': {'bigint': key.n}}, {'int': {'int': key.e}}]
                });
                var rsaPubHex = rsaPubSeq.getEncodedHex();
                this.asn1AlgId = new _AlgorithmIdentifier({'name':'rsaEncryption'});
                // leading '00' = zero unused bits in the BIT STRING
                this.asn1SubjPKey = new _DERBitString({'hex':'00'+rsaPubHex});
            }
        } catch(ex) {}

        // ECDSA: curve OID as algorithm parameter, public point as key
        try {
            if (key instanceof KJUR.crypto.ECDSA) {
                var curveOid = new _DERObjectIdentifier({'name': key.curveName});
                this.asn1AlgId = new _AlgorithmIdentifier({'name': 'ecPublicKey',
                                                           'asn1params': curveOid});
                this.asn1SubjPKey = new _DERBitString({'hex': '00' + key.pubKeyHex});
            }
        } catch(ex) {}

        // DSA: SEQUENCE { p, q, g } as algorithm parameter, INTEGER y as key
        try {
            if (key instanceof KJUR.crypto.DSA) {
                var dsaDomain = new _newObject({
                    'seq': [{'int': {'bigint': key.p}},
                            {'int': {'bigint': key.q}},
                            {'int': {'bigint': key.g}}]
                });
                this.asn1AlgId = new _AlgorithmIdentifier({'name': 'dsa',
                                                           'asn1params': dsaDomain});
                var dsaPubInt = new _DERInteger({'bigint': key.y});
                this.asn1SubjPKey =
                    new _DERBitString({'hex': '00' + dsaPubInt.getEncodedHex()});
            }
        } catch(ex) {}
    };

    if (params !== undefined) {
        this.setPubKey(params);
    }
};
extendClass(KJUR.asn1.x509.SubjectPublicKeyInfo, KJUR.asn1.ASN1Object);
3487 
3488 /**
3489  * Time ASN.1 structure class<br/>
3490  * @name KJUR.asn1.x509.Time
3491  * @class Time ASN.1 structure class
3492  * @param {Array} params associative array of parameters (ex. {'str': '130508235959Z'})
3493  * @extends KJUR.asn1.ASN1Object
3494  * @see KJUR.asn1.DERUTCTime
3495  * @see KJUR.asn1.DERGeneralizedTime
3496  * @description
3497  * This class represents Time ASN.1 structure defined in 
3498  * <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>
3499  * <pre>
3500  * Time ::= CHOICE {
3501  *      utcTime        UTCTime,
3502  *      generalTime    GeneralizedTime }
3503  * </pre>
3504  *
3505  * @example
3506  * var t1 = new KJUR.asn1.x509.Time({'str': '130508235959Z'}) // UTCTime by default
3507  * var t2 = new KJUR.asn1.x509.Time({'type': 'gen',  'str': '20130508235959Z'}) // GeneralizedTime
3508  */
KJUR.asn1.x509.Time = function(params) {
    KJUR.asn1.x509.Time.superclass.constructor.call(this);
    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;
    var _DERUTCTime = _KJUR_asn1.DERUTCTime;
    var _DERGeneralizedTime = _KJUR_asn1.DERGeneralizedTime;

    // Parameter given by the caller: a time string or an object {str, type}.
    this.params = null;
    // Only consulted when no time string is available ("gen" selects
    // GeneralizedTime, anything else UTCTime).
    this.type = null;

    /*
     * Store legacy time parameters. getEncodedHex() in this class does not
     * read this.timeParams.
     *
     * @deprecated
     */
    this.setTimeParams = function(timeParams) {
        this.timeParams = timeParams;
    };

    /*
     * Remember the parameter; it is interpreted at encoding time.
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /*
     * Classify a time string by its shape only:
     *   12 digits + optional ".digits" + "Z" -> "utc"
     *   14 digits + optional ".digits" + "Z" -> "gen"
     *   anything else                        -> null
     * Only the digit count is checked, not whether the digits form a valid
     * date or time. Fractional seconds are accepted here although RFC 5280
     * does not permit them in certificate validity fields, so a caller that
     * builds validity dates should reject them beforehand.
     */
    this.getType = function(s) {
        if (s.match(/^[0-9]{12}(\.[0-9]+)?Z$/)) return "utc";
        if (s.match(/^[0-9]{14}(\.[0-9]+)?Z$/)) return "gen";
        return null;
    };

    /*
     * Encode as UTCTime or GeneralizedTime and return the hex TLV, which is
     * also stored in this.TLV.
     *
     * With a time string: the type is params.type if given, else the result
     * of getType(); a type that is neither "utc" nor "gen" throws Error.
     * When the parameter is an object without a type, the detected type is
     * written back into that object.
     * Without a time string: the encoder is constructed with no argument.
     */
    this.getEncodedHex = function() {
        var spec = this.params;
        if (typeof spec == "string") spec = {str: spec};

        var encoder = null;
        if (spec != null && spec.str) {
            if (spec.type == null) {
                spec.type = this.getType(spec.str);
            }
            if (spec.type == "utc") {
                encoder = new _DERUTCTime(spec.str);
            } else if (spec.type == "gen") {
                encoder = new _DERGeneralizedTime(spec.str);
            }
        } else if (this.type == "gen") {
            encoder = new _DERGeneralizedTime();
        } else {
            encoder = new _DERUTCTime();
        }

        if (encoder == null) throw new Error("wrong setting for Time");
        this.TLV = encoder.getEncodedHex();
        return this.TLV;
    };

    if (params != undefined) this.setByParam(params);
};
3566 
/*
 * Earlier Time implementation kept under a backup name.
 * NOTE(review): no extendClass() call for Time_bak is visible next to this
 * definition, so Time_bak.superclass is presumably undefined and constructing
 * it would throw -- confirm whether this function can be deleted.
 */
KJUR.asn1.x509.Time_bak = function(params) {
    KJUR.asn1.x509.Time_bak.superclass.constructor.call(this);
    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;
    var _DERUTCTime = _KJUR_asn1.DERUTCTime;
    var _DERGeneralizedTime = _KJUR_asn1.DERGeneralizedTime;

    /*
     * Replace the parameter object handed to the DER time class.
     */
    this.setTimeParams = function(timeParams) {
        this.timeParams = timeParams;
    };

    /*
     * Encode with DERUTCTime when this.type is "utc", otherwise with
     * DERGeneralizedTime; the stored parameters are passed on when present.
     * The hex TLV is stored in this.TLV and returned.
     */
    this.getEncodedHex = function() {
        var TimeClass = (this.type == "utc") ? _DERUTCTime : _DERGeneralizedTime;
        var encoder = (this.timeParams != null)
            ? new TimeClass(this.timeParams)
            : new TimeClass();
        this.TLV = encoder.getEncodedHex();
        return this.TLV;
    };

    // Default is UTCTime; an explicit params.type wins, otherwise the digit
    // count of params.str decides (12 digits -> "utc", 14 digits -> "gen").
    this.type = "utc";
    if (params !== undefined) {
        if (params.type !== undefined) {
            this.type = params.type;
        } else if (params.str !== undefined) {
            if (params.str.match(/^[0-9]{12}Z$/)) this.type = "utc";
            if (params.str.match(/^[0-9]{14}Z$/)) this.type = "gen";
        }
        this.timeParams = params;
    }
};
extendClass(KJUR.asn1.x509.Time, KJUR.asn1.ASN1Object);
3614 
3615 /**
3616  * AlgorithmIdentifier ASN.1 structure class
3617  * @name KJUR.asn1.x509.AlgorithmIdentifier
3618  * @class AlgorithmIdentifier ASN.1 structure class
3619  * @param {Array} params associative array of parameters (ex. {'name': 'SHA1withRSA'})
3620  * @extends KJUR.asn1.ASN1Object
3621  * @description
3622  * The 'params' argument is an associative array and has following parameters:
3623  * <ul>
3624  * <li>name: algorithm name (MANDATORY, ex. sha1, SHA256withRSA)</li>
3625  * <li>asn1params: explicitly specify ASN.1 object for algorithm.
3626  * (OPTION)</li>
3627  * <li>paramempty: set algorithm parameter to NULL by force.
3628  * If paramempty is false, algorithm parameter will be set automatically.
3629  * If paramempty is false and algorithm name is "*withDSA" or "*withECDSA", the parameter field of
3630  * AlgorithmIdentifier will be omitted; otherwise
3631  * it will be NULL by default.
3632  * (OPTION, DEFAULT = false)</li>
3633  * </ul>
3634  * RSA-PSS algorithm names such as SHA{,256,384,512}withRSAandMGF1 are
3635  * special names. They will set a suite of algorithm OID and multiple algorithm
3636  * parameters. Its ASN.1 schema is defined in 
3637  * <a href="https://tools.ietf.org/html/rfc3447#appendix-A.2.3">RFC 3447 PKCS#1 2.1
3638  * section A.2.3</a>.
3639  * <blockquote><pre>
3640  * id-RSASSA-PSS  OBJECT IDENTIFIER ::= { pkcs-1 10 }
3641  * RSASSA-PSS-params ::= SEQUENCE {
3642  *   hashAlgorithm      [0] HashAlgorithm    DEFAULT sha1,
3643  *   maskGenAlgorithm   [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
3644  *   saltLength         [2] INTEGER          DEFAULT 20,
3645  *   trailerField       [3] TrailerField     DEFAULT trailerFieldBC }
3646  * mgf1SHA1    MaskGenAlgorithm ::= {
3647  *   algorithm   id-mgf1,
3648  *   parameters  HashAlgorithm : sha1 }
3649  * id-mgf1     OBJECT IDENTIFIER ::= { pkcs-1 8 }
3650  * TrailerField ::= INTEGER { trailerFieldBC(1) }
3651  * </pre></blockquote>
3652  * Here is a table for PSS parameters:
3653  * <table>
3654  * <tr><th>Name</th><th>alg oid</th><th>pss hash</th><th>maskgen</th><th>pss saltlen</th><th>trailer</th></tr>
3655  * <tr><td>SHAwithRSAandMGF1</td><td>1.2.840.113549.1.1.10(rsapss)</td><td>default(sha1)</td><td>default(mgf1sha1)</td><td>default(20)</td><td>default(1)</td></tr>
3656  * <tr><td>SHA256withRSAandMGF1</td><td>1.2.840.113549.1.1.10(rsapss)</td><td>sha256</td><td>mgf1sha256</td><td>32</td><td>default(1)</td></tr>
3657  * <tr><td>SHA384withRSAandMGF1</td><td>1.2.840.113549.1.1.10(rsapss)</td><td>sha384</td><td>mgf1sha384</td><td>48</td><td>default(1)</td></tr>
3658  * <tr><td>SHA512withRSAandMGF1</td><td>1.2.840.113549.1.1.10(rsapss)</td><td>sha512</td><td>mgf1sha512</td><td>64</td><td>default(1)</td></tr>
3659  * </table>
3660  * Default value is omitted as defined in ASN.1 schema.
3661  * These parameters are interoperable to OpenSSL or IAIK toolkit.
3662  * <br/>
3663  * NOTE: RSA-PSS algorithm names are supported since jsrsasign 8.0.21.
3664  * @example
3665  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "sha1"})
3666  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "SHA256withRSA"})
3667  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "SHA512withRSAandMGF1"}) // set parameters automatically
3668  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "SHA256withRSA", paramempty: true})
3669  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "rsaEncryption"})
3670  */
KJUR.asn1.x509.AlgorithmIdentifier = function(params) {
    KJUR.asn1.x509.AlgorithmIdentifier.superclass.constructor.call(this);
    // Algorithm name as given in params.name.
    this.nameAlg = null;
    // OID object for the algorithm; resolved from the name on first encoding.
    this.asn1Alg = null;
    // ASN.1 object for the parameters field; null means the field is left out.
    this.asn1Params = null;
    // True suppresses the automatic NULL parameter.
    this.paramEmpty = false;

    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;
    var _PSSNAME2ASN1TLV = _KJUR_asn1.x509.AlgorithmIdentifier.PSSNAME2ASN1TLV;

    /*
     * Encode the AlgorithmIdentifier and return its hex TLV (also stored in
     * this.hTLV).
     *
     * A name listed in PSSNAME2ASN1TLV is answered with the fixed TLV from
     * that table; asn1params and paramempty have no effect on that path.
     * Any other name is resolved to its OID and encoded as
     * SEQUENCE { algorithm, parameters }, the parameters being left out when
     * this.asn1Params is null.
     *
     * Throws Error when neither a name nor an OID object is set.
     */
    this.getEncodedHex = function() {
        var name = this.nameAlg;
        if (name === null && this.asn1Alg === null) {
            throw new Error("algorithm not specified");
        }

        if (name !== null) {
            // RSA-PSS names map to a complete, pre-encoded TLV
            var fixedTLV = null;
            for (var pssName in _PSSNAME2ASN1TLV) {
                if (pssName === name) fixedTLV = _PSSNAME2ASN1TLV[pssName];
            }
            if (fixedTLV !== null) {
                this.hTLV = fixedTLV;
                return this.hTLV;
            }

            if (this.asn1Alg === null) {
                this.asn1Alg = _KJUR_asn1.x509.OID.name2obj(name);
            }
        }

        var members = (this.asn1Params !== null)
            ? [this.asn1Alg, this.asn1Params]
            : [this.asn1Alg];
        var seq = new _KJUR_asn1.DERSequence({'array': members});
        this.hTLV = seq.getEncodedHex();
        return this.hTLV;
    };

    if (params !== undefined) {
        if (params.name !== undefined) this.nameAlg = params.name;
        if (params.asn1params !== undefined) this.asn1Params = params.asn1params;
        if (params.paramempty !== undefined) this.paramEmpty = params.paramempty;
    }

    // Default for the parameters field when the caller neither supplied
    // asn1params nor set paramempty: omitted for names ending in "withDSA" or
    // "withECDSA" (case-insensitive), NULL for every other name.
    // With paramempty set to true nothing is assigned here, so the field
    // stays absent unless asn1params was given.
    var wantsDefault = (this.asn1Params === null &&
                        this.paramEmpty === false &&
                        this.nameAlg !== null);
    if (wantsDefault) {
        // a name passed as an object {name: ...} is unwrapped first
        if (this.nameAlg.name !== undefined) {
            this.nameAlg = this.nameAlg.name;
        }
        var lowered = this.nameAlg.toLowerCase();
        var omitsParams = (lowered.slice(-7) === "withdsa" ||
                           lowered.slice(-9) === "withecdsa");
        if (!omitsParams) {
            this.asn1Params = new _KJUR_asn1.DERNull();
        }
    }
};
extendClass(KJUR.asn1.x509.AlgorithmIdentifier, KJUR.asn1.ASN1Object);
3743 
3744 /**
3745  * AlgorithmIdentifier ASN.1 TLV string associative array for RSA-PSS algorithm names
3746  * @const
3747  */
// Complete pre-encoded AlgorithmIdentifier TLVs (hex) for id-RSASSA-PSS
// (1.2.840.113549.1.1.10), keyed by algorithm name. The trailer field is left
// at its default in every entry.
KJUR.asn1.x509.AlgorithmIdentifier.PSSNAME2ASN1TLV = {
    // empty parameter SEQUENCE: every field takes its schema default
    // (sha1, mgf1SHA1, saltLength 20). SHA-1 is retained for interoperability
    // only; new signatures should use one of the SHA-2 entries below.
    SHAwithRSAandMGF1:
        "300d06092a864886f70d01010a3000",

    // hash sha256, MGF1 with sha256, saltLength 32
    SHA256withRSAandMGF1:
        "303d06092a864886f70d01010a3030a00d300b0609608648016503040201a11a301806092a864886f70d010108300b0609608648016503040201a203020120",

    // hash sha384, MGF1 with sha384, saltLength 48
    SHA384withRSAandMGF1:
        "303d06092a864886f70d01010a3030a00d300b0609608648016503040202a11a301806092a864886f70d010108300b0609608648016503040202a203020130",

    // hash sha512, MGF1 with sha512, saltLength 64
    SHA512withRSAandMGF1:
        "303d06092a864886f70d01010a3030a00d300b0609608648016503040203a11a301806092a864886f70d010108300b0609608648016503040203a203020140"
};
3758 
3759 /**
3760  * GeneralName ASN.1 structure class<br/>
3761  * @name KJUR.asn1.x509.GeneralName
3762  * @class GeneralName ASN.1 structure class
3763  * @description
3764  * <br/>
3765  * As for argument 'params' for constructor, you can specify one of
3766  * following properties:
3767  * <ul>
3768  * <li>rfc822 - rfc822Name[1] (ex. user1@foo.com)</li>
3769  * <li>dns - dNSName[2] (ex. foo.com)</li>
3770  * <li>uri - uniformResourceIdentifier[6] (ex. http://foo.com/)</li>
3771  * <li>dn - directoryName[4] 
3772  * distinguished name string or X500Name class parameters can be
3773  * specified (ex. "/C=US/O=Test", {hex: '301c...'})</li>
3774  * <li>ldapdn - directoryName[4] (ex. O=Test,C=US)</li>
3775  * <li>certissuer - directoryName[4] (PEM or hex string of cert)</li>
3776  * <li>certsubj - directoryName[4] (PEM or hex string of cert)</li>
3777  * <li>ip - iPAddress[7] (ex. 192.168.1.1, 2001:db3::43, 3faa0101...)</li>
3778  * </ul>
3779  * NOTE1: certissuer and certsubj were supported since asn1x509 1.0.10.<br/>
3780  * NOTE2: dn and ldapdn were supported since jsrsasign 6.2.3 asn1x509 1.0.19.<br/>
3781  * NOTE3: ip were supported since jsrsasign 8.0.10 asn1x509 1.1.4.<br/>
3782  * NOTE4: X500Name parameters in dn were supported since jsrsasign 8.0.16.<br/>
3783  *
3784  * Here is definition of the ASN.1 syntax:
3785  * <pre>
3786  * -- NOTE: under the CHOICE, it will always be explicit.
3787  * GeneralName ::= CHOICE {
3788  *   otherName                  [0] OtherName,
3789  *   rfc822Name                 [1] IA5String,
3790  *   dNSName                    [2] IA5String,
3791  *   x400Address                [3] ORAddress,
3792  *   directoryName              [4] Name,
3793  *   ediPartyName               [5] EDIPartyName,
3794  *   uniformResourceIdentifier  [6] IA5String,
3795  *   iPAddress                  [7] OCTET STRING,
3796  *   registeredID               [8] OBJECT IDENTIFIER }
3797  * </pre>
3798  *
3799  * @example
3800  * gn = new KJUR.asn1.x509.GeneralName({dn:     '/C=US/O=Test'});
3801  * gn = new KJUR.asn1.x509.GeneralName({dn:     X500NameObject});
3802  * gn = new KJUR.asn1.x509.GeneralName({dn:     {str: '/C=US/O=Test'}});
3803  * gn = new KJUR.asn1.x509.GeneralName({dn:     {ldapstr: 'O=Test,C=US'}});
3804  * gn = new KJUR.asn1.x509.GeneralName({dn:     {hex: '301c...'}});
3805  * gn = new KJUR.asn1.x509.GeneralName({dn:     {certissuer: PEMCERTSTRING}});
3806  * gn = new KJUR.asn1.x509.GeneralName({dn:     {certsubject: PEMCERTSTRING}});
3807  * gn = new KJUR.asn1.x509.GeneralName({ip:     '192.168.1.1'});
3808  * gn = new KJUR.asn1.x509.GeneralName({ip:     '2001:db4::4:1'});
3809  * gn = new KJUR.asn1.x509.GeneralName({ip:     'c0a80101'});
3810  * gn = new KJUR.asn1.x509.GeneralName({rfc822: 'test@aaa.com'});
3811  * gn = new KJUR.asn1.x509.GeneralName({dns:    'aaa.com'});
3812  * gn = new KJUR.asn1.x509.GeneralName({uri:    'http://aaa.com/'});
3813  *
3814  * gn = new KJUR.asn1.x509.GeneralName({ldapdn:     'O=Test,C=US'}); // DEPRECATED
3815  * gn = new KJUR.asn1.x509.GeneralName({certissuer: certPEM});       // DEPRECATED
3816  * gn = new KJUR.asn1.x509.GeneralName({certsubj:   certPEM});       // DEPRECATED
3817  */
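KJUR.asn1.x509.GeneralName = function(params) {
    KJUR.asn1.x509.GeneralName.superclass.constructor.call(this);
    // context-specific tag byte (hex) for each supported CHOICE alternative
    var pTag = {rfc822: '81', dns: '82', dn: 'a4',  uri: '86', ip: '87'},
        _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _DEROctetString = _KJUR_asn1.DEROctetString,
        _DERIA5String = _KJUR_asn1.DERIA5String,
        _DERTaggedObject = _KJUR_asn1.DERTaggedObject,
        _ASN1Object = _KJUR_asn1.ASN1Object,
        _X500Name = _KJUR_asn1.x509.X500Name,
        _pemtohex = pemtohex;

    // directoryName is tagged explicitly, all other alternatives implicitly
    this.explicit = false;

    // Turn a certificate given as hex string or PEM into hex.
    // Throws "<paramName> param not cert" when it is neither.
    var _certParamToHex = function(certStr, paramName) {
        var certHex = null;
        if (certStr.match(/^[0-9A-Fa-f]+$/)) {
            // FIX: this was the comparison "certHex == certStr", so a hex
            // certificate was never accepted although the class
            // documentation lists it as supported input.
            certHex = certStr;
        }
        if (certStr.indexOf("-----BEGIN ") != -1) {
            certHex = _pemtohex(certStr);
        }
        if (certHex == null) throw paramName + " param not cert";
        return certHex;
    };

    // Wrap an already encoded Name (hex TLV) so it can be used as tagged content.
    var _wrapNameHex = function(dnHex) {
        var nameObj = new _ASN1Object();
        nameObj.hTLV = dnHex;
        return nameObj;
    };

    /*
     * Select the GeneralName alternative from a parameter object and build
     * the tagged ASN.1 object in this.asn1Obj.
     *
     * Recognised keys, checked in this order: rfc822, dns, uri, dn, ldapdn,
     * certissuer, certsubj, ip. When several keys are present the last one in
     * that order decides. Calling with undefined is a no-op.
     *
     * Throws a string when no alternative is selected, when certissuer or
     * certsubj is neither hex nor PEM, or when ip is malformed.
     *
     * Validation performed here is limited to what is visible below:
     *  - rfc822, dns and uri values are encoded as IA5String without any
     *    syntax check of the address, host name or URI;
     *  - for certissuer/certsubj the certificate is only read to copy its
     *    issuer or subject name, nothing about the certificate is verified;
     *  - ip in raw hex form is accepted at any even length.
     * A caller that copies these values from externally supplied data (for
     * example from a certificate request) should validate them first.
     */
    this.setByParam = function(params) {
        var v = null;

        if (params === undefined) return;

        if (params.rfc822 !== undefined) {
            this.type = 'rfc822';
            v = new _DERIA5String({str: params[this.type]});
        }

        if (params.dns !== undefined) {
            this.type = 'dns';
            v = new _DERIA5String({str: params[this.type]});
        }

        if (params.uri !== undefined) {
            this.type = 'uri';
            v = new _DERIA5String({str: params[this.type]});
        }

        if (params.dn !== undefined) {
            this.type = 'dn';
            this.explicit = true;
            if (typeof params.dn === "string") {
                v = new _X500Name({str: params.dn});
            } else if (params.dn instanceof KJUR.asn1.x509.X500Name) {
                v = params.dn;
            } else {
                v = new _X500Name(params.dn);
            }
        }

        if (params.ldapdn !== undefined) {
            this.type = 'dn';
            this.explicit = true;
            v = new _X500Name({ldapstr: params.ldapdn});
        }

        if (params.certissuer !== undefined) {
            this.type = 'dn';
            this.explicit = true;
            var issuerCertHex = _certParamToHex(params.certissuer, "certissuer");
            var issuerCert = new X509();
            issuerCert.hex = issuerCertHex;
            v = _wrapNameHex(issuerCert.getIssuerHex());
        }

        if (params.certsubj !== undefined) {
            this.type = 'dn';
            this.explicit = true;
            var subjCertHex = _certParamToHex(params.certsubj, "certsubj");
            var subjCert = new X509();
            subjCert.hex = subjCertHex;
            v = _wrapNameHex(subjCert.getSubjectHex());
        }

        if (params.ip !== undefined) {
            this.type = 'ip';
            this.explicit = false;
            var ip = params.ip;
            var hIP;
            var malformedIPMsg = "malformed IP address";
            if (ip.match(/^[0-9.]+[.][0-9.]+$/)) { // ipv4
                hIP = intarystrtohex("[" + ip.split(".").join(",") + "]");
                // exactly four octets expected
                if (hIP.length !== 8) throw malformedIPMsg;
            } else if (ip.match(/^[0-9A-Fa-f:]+:[0-9A-Fa-f:]+$/)) { // ipv6
                hIP = ipv6tohex(ip);
            } else if (ip.match(/^([0-9A-Fa-f][0-9A-Fa-f]){1,}$/)) { // hex
                hIP = ip;
            } else {
                throw malformedIPMsg;
            }
            v = new _DEROctetString({hex: hIP});
        }

        if (this.type == null)
            throw "unsupported type in params=" + params;
        this.asn1Obj = new _DERTaggedObject({'explicit': this.explicit,
                                             'tag': pTag[this.type],
                                             'obj': v});
    };

    /*
     * Return the hex TLV of the tagged GeneralName built by setByParam().
     */
    this.getEncodedHex = function() {
        return this.asn1Obj.getEncodedHex();
    };

    if (params !== undefined) {
        this.setByParam(params);
    }

};
extendClass(KJUR.asn1.x509.GeneralName, KJUR.asn1.ASN1Object);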
3951 
3952 /**
3953  * GeneralNames ASN.1 structure class<br/>
3954  * @name KJUR.asn1.x509.GeneralNames
3955  * @class GeneralNames ASN.1 structure class
3956  * @description
3957  * <br/>
3958  * <h4>EXAMPLE AND ASN.1 SYNTAX</h4>
3959  * @example
3960  * gns = new KJUR.asn1.x509.GeneralNames([{'uri': 'http://aaa.com/'}, {'uri': 'http://bbb.com/'}]);
3961  *
3962  * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
3963  */
KJUR.asn1.x509.GeneralNames = function(paramsArray) {
    KJUR.asn1.x509.GeneralNames.superclass.constructor.call(this);
    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;

    /**
     * append GeneralName members built from an array of parameters<br/>
     * @name setByParamArray
     * @memberOf KJUR.asn1.x509.GeneralNames#
     * @function
     * @param {Array} paramsArray Array of {@link KJUR.asn1.x509.GeneralName} parameters
     * @description
     * One {@link KJUR.asn1.x509.GeneralName} is constructed per element and
     * appended to the members already held, so repeated calls accumulate.
     * @example
     * gns = new KJUR.asn1.x509.GeneralNames();
     * gns.setByParamArray([{uri: 'http://aaa.com/'}, {uri: 'http://bbb.com/'}]);
     */
    this.setByParamArray = function(paramsArray) {
        var count = paramsArray.length;
        for (var idx = 0; idx < count; idx += 1) {
            this.asn1Array.push(new _KJUR_asn1.x509.GeneralName(paramsArray[idx]));
        }
    };

    /*
     * Encode the members as a DER SEQUENCE and return its hex TLV.
     * An empty member list is encoded as an empty SEQUENCE; the SIZE (1..MAX)
     * bound of GeneralNames is not enforced here.
     */
    this.getEncodedHex = function() {
        var seq = new _KJUR_asn1.DERSequence({'array': this.asn1Array});
        return seq.getEncodedHex();
    };

    this.asn1Array = [];
    if (typeof paramsArray != "undefined") {
        this.setByParamArray(paramsArray);
    }
};
extendClass(KJUR.asn1.x509.GeneralNames, KJUR.asn1.ASN1Object);
4001 
4002 /**
4003  * static object for OID
4004  * @name KJUR.asn1.x509.OID
4005  * @class static object for OID
4006  * @property {Assoc Array} atype2oidList for short attribute type name and oid (ex. 'C' and '2.5.4.6')
4007  * @property {Assoc Array} name2oidList for oid name and oid (ex. 'keyUsage' and '2.5.29.15')
4008  * @property {Assoc Array} objCache for caching name and DERObjectIdentifier object
4009  * @description
4010  * This class defines OID name and values.
4011  * AttributeType names registered in OID.atype2oidList are following:
4012  * <table style="border-width: thin; border-style: solid; width: 100%">
4013  * <tr><th>short</th><th>long</th><th>OID</th></tr>
4014  * <tr><td>CN</td><td>commonName</td><td>2.5.4.3</td></tr>
4015  * <tr><td>L</td><td>localityName</td><td>2.5.4.7</td></tr>
4016  * <tr><td>ST</td><td>stateOrProvinceName</td><td>2.5.4.8</td></tr>
4017  * <tr><td>O</td><td>organizationName</td><td>2.5.4.10</td></tr>
4018  * <tr><td>OU</td><td>organizationalUnitName</td><td>2.5.4.11</td></tr>
4019  * <tr><td>C</td><td>countryName</td><td>2.5.4.6</td></tr>
4020  * <tr><td>STREET</td><td>streetAddress</td><td>2.5.4.9</td></tr>
4021  * <tr><td>DC</td><td>domainComponent</td><td>0.9.2342.19200300.100.1.25</td></tr>
4022  * <tr><td>UID</td><td>userId</td><td>0.9.2342.19200300.100.1.1</td></tr>
4023  * <tr><td>SN</td><td>surname</td><td>2.5.4.4</td></tr>
4024  * <tr><td>DN</td><td>distinguishedName</td><td>2.5.4.49</td></tr>
4025  * <tr><td>E</td><td>emailAddress</td><td>1.2.840.113549.1.9.1</td></tr>
4026  * <tr><td></td><td>businessCategory</td><td>2.5.4.15</td></tr>
4027  * <tr><td></td><td>postalCode</td><td>2.5.4.17</td></tr>
4028  * <tr><td></td><td>jurisdictionOfIncorporationL</td><td>1.3.6.1.4.1.311.60.2.1.1</td></tr>
4029  * <tr><td></td><td>jurisdictionOfIncorporationSP</td><td>1.3.6.1.4.1.311.60.2.1.2</td></tr>
4030  * <tr><td></td><td>jurisdictionOfIncorporationC</td><td>1.3.6.1.4.1.311.60.2.1.3</td></tr>
4031  * </table>
4032  *
4033  * @example
4034  */
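KJUR.asn1.x509.OID = new function(params) {
    // Return table[key] only when key is an own property of table.
    // Names can originate from parsed input (for example attribute types in a
    // DN string), so a plain table[key] lookup would let 'constructor',
    // 'toString' or '__proto__' resolve to Object.prototype members.
    var _ownValue = function(table, key) {
        return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
    };

    // short / long AttributeType name -> dotted OID
    this.atype2oidList = {
        // RFC 4514 AttributeType name string (MUST recognized)
        'CN':           '2.5.4.3',
        'L':            '2.5.4.7',
        'ST':           '2.5.4.8',
        'O':            '2.5.4.10',
        'OU':           '2.5.4.11',
        'C':            '2.5.4.6',
        'STREET':       '2.5.4.9',
        'DC':           '0.9.2342.19200300.100.1.25',
        'UID':          '0.9.2342.19200300.100.1.1',
        // other AttributeType name string
        // http://blog.livedoor.jp/k_urushima/archives/656114.html
        'SN':           '2.5.4.4', // surname
        'T':            '2.5.4.12', // title
        'DN':           '2.5.4.49', // distinguishedName
        'E':            '1.2.840.113549.1.9.1', // emailAddress in MS.NET or Bouncy
        // other AttributeType name string (no short name)
        'description':                  '2.5.4.13',
        'businessCategory':             '2.5.4.15',
        'postalCode':                   '2.5.4.17',
        'serialNumber':                 '2.5.4.5',
        'uniqueIdentifier':             '2.5.4.45',
        'organizationIdentifier':       '2.5.4.97',
        'jurisdictionOfIncorporationL': '1.3.6.1.4.1.311.60.2.1.1',
        'jurisdictionOfIncorporationSP':'1.3.6.1.4.1.311.60.2.1.2',
        'jurisdictionOfIncorporationC': '1.3.6.1.4.1.311.60.2.1.3'
    };

    // OID name -> dotted OID.
    // Entry order matters: oid2name returns the first name whose value matches,
    // so of two aliases for one OID (e.g. 'P-256' and 'secp256r1') the earlier wins.
    // The table also names legacy algorithms (md2, md5, sha1, MD*withRSA,
    // SHA1with*); being listed here only makes the name resolvable and says
    // nothing about whether the algorithm is acceptable for new signatures.
    this.name2oidList = {
        'sha1':                 '1.3.14.3.2.26',
        'sha256':               '2.16.840.1.101.3.4.2.1',
        'sha384':               '2.16.840.1.101.3.4.2.2',
        'sha512':               '2.16.840.1.101.3.4.2.3',
        'sha224':               '2.16.840.1.101.3.4.2.4',
        'md5':                  '1.2.840.113549.2.5',
        'md2':                  '1.3.14.7.2.2.1',
        'ripemd160':            '1.3.36.3.2.1',

        'MD2withRSA':           '1.2.840.113549.1.1.2',
        'MD4withRSA':           '1.2.840.113549.1.1.3',
        'MD5withRSA':           '1.2.840.113549.1.1.4',
        'SHA1withRSA':          '1.2.840.113549.1.1.5',
        'pkcs1-MGF':            '1.2.840.113549.1.1.8',
        'rsaPSS':               '1.2.840.113549.1.1.10',
        'SHA224withRSA':        '1.2.840.113549.1.1.14',
        'SHA256withRSA':        '1.2.840.113549.1.1.11',
        'SHA384withRSA':        '1.2.840.113549.1.1.12',
        'SHA512withRSA':        '1.2.840.113549.1.1.13',

        'SHA1withECDSA':        '1.2.840.10045.4.1',
        'SHA224withECDSA':      '1.2.840.10045.4.3.1',
        'SHA256withECDSA':      '1.2.840.10045.4.3.2',
        'SHA384withECDSA':      '1.2.840.10045.4.3.3',
        'SHA512withECDSA':      '1.2.840.10045.4.3.4',

        'dsa':                  '1.2.840.10040.4.1',
        'SHA1withDSA':          '1.2.840.10040.4.3',
        'SHA224withDSA':        '2.16.840.1.101.3.4.3.1',
        'SHA256withDSA':        '2.16.840.1.101.3.4.3.2',

        'rsaEncryption':        '1.2.840.113549.1.1.1',

        // X.500 AttributeType defined in RFC 4514
        'commonName':                   '2.5.4.3',
        'countryName':                  '2.5.4.6',
        'localityName':                 '2.5.4.7',
        'stateOrProvinceName':          '2.5.4.8',
        'streetAddress':                '2.5.4.9',
        'organizationName':             '2.5.4.10',
        'organizationalUnitName':       '2.5.4.11',
        'domainComponent':              '0.9.2342.19200300.100.1.25',
        'userId':                       '0.9.2342.19200300.100.1.1',
        // other AttributeType name string
        'surname':                      '2.5.4.4',
        'givenName':                    '2.5.4.42',
        'title':                        '2.5.4.12',
        'distinguishedName':            '2.5.4.49',
        'emailAddress':                 '1.2.840.113549.1.9.1',
        // other AttributeType name string (no short name)
        'description':                  '2.5.4.13',
        'businessCategory':             '2.5.4.15',
        'postalCode':                   '2.5.4.17',
        'uniqueIdentifier':             '2.5.4.45',
        'organizationIdentifier':       '2.5.4.97',
        'jurisdictionOfIncorporationL': '1.3.6.1.4.1.311.60.2.1.1',
        'jurisdictionOfIncorporationSP':'1.3.6.1.4.1.311.60.2.1.2',
        'jurisdictionOfIncorporationC': '1.3.6.1.4.1.311.60.2.1.3',

        'subjectDirectoryAttributes': '2.5.29.9',
        'subjectKeyIdentifier': '2.5.29.14',
        'keyUsage':             '2.5.29.15',
        'subjectAltName':       '2.5.29.17',
        'issuerAltName':        '2.5.29.18',
        'basicConstraints':     '2.5.29.19',
        'cRLNumber':            '2.5.29.20',
        'cRLReason':            '2.5.29.21',
        'nameConstraints':      '2.5.29.30',
        'cRLDistributionPoints':'2.5.29.31',
        'certificatePolicies':  '2.5.29.32',
        'anyPolicy':            '2.5.29.32.0',
        'authorityKeyIdentifier':'2.5.29.35',
        'policyConstraints':    '2.5.29.36',
        'extKeyUsage':          '2.5.29.37',
        'authorityInfoAccess':  '1.3.6.1.5.5.7.1.1',
        'ocsp':                 '1.3.6.1.5.5.7.48.1',
        'ocspBasic':            '1.3.6.1.5.5.7.48.1.1',
        'ocspNonce':            '1.3.6.1.5.5.7.48.1.2',
        'ocspNoCheck':          '1.3.6.1.5.5.7.48.1.5',
        'caIssuers':            '1.3.6.1.5.5.7.48.2',

        'anyExtendedKeyUsage':  '2.5.29.37.0',
        'serverAuth':           '1.3.6.1.5.5.7.3.1',
        'clientAuth':           '1.3.6.1.5.5.7.3.2',
        'codeSigning':          '1.3.6.1.5.5.7.3.3',
        'emailProtection':      '1.3.6.1.5.5.7.3.4',
        'timeStamping':         '1.3.6.1.5.5.7.3.8',
        'ocspSigning':          '1.3.6.1.5.5.7.3.9',

        'dateOfBirth':          '1.3.6.1.5.5.7.9.1',
        'placeOfBirth':         '1.3.6.1.5.5.7.9.2',
        'gender':               '1.3.6.1.5.5.7.9.3',
        'countryOfCitizenship': '1.3.6.1.5.5.7.9.4',
        'countryOfResidence':   '1.3.6.1.5.5.7.9.5',

        'ecPublicKey':          '1.2.840.10045.2.1',
        'P-256':                '1.2.840.10045.3.1.7',
        'secp256r1':            '1.2.840.10045.3.1.7',
        'secp256k1':            '1.3.132.0.10',
        'secp384r1':            '1.3.132.0.34',
        'secp521r1':            '1.3.132.0.35',

        'pkcs5PBES2':           '1.2.840.113549.1.5.13',
        'pkcs5PBKDF2':          '1.2.840.113549.1.5.12',

        'des-EDE3-CBC':         '1.2.840.113549.3.7',

        'data':                 '1.2.840.113549.1.7.1', // CMS data
        'signed-data':          '1.2.840.113549.1.7.2', // CMS signed-data
        'enveloped-data':       '1.2.840.113549.1.7.3', // CMS enveloped-data
        'digested-data':        '1.2.840.113549.1.7.5', // CMS digested-data
        'encrypted-data':       '1.2.840.113549.1.7.6', // CMS encrypted-data
        'authenticated-data':   '1.2.840.113549.1.9.16.1.2', // CMS authenticated-data
        'tstinfo':              '1.2.840.113549.1.9.16.1.4', // RFC3161 TSTInfo
        'signingCertificate':   '1.2.840.113549.1.9.16.2.12',// SMIME
        'timeStampToken':       '1.2.840.113549.1.9.16.2.14',// sigTS
        'signaturePolicyIdentifier':    '1.2.840.113549.1.9.16.2.15',// cades
        'etsArchiveTimeStamp':  '1.2.840.113549.1.9.16.2.27',// SMIME
        'signingCertificateV2': '1.2.840.113549.1.9.16.2.47',// SMIME
        'etsArchiveTimeStampV2':'1.2.840.113549.1.9.16.2.48',// SMIME
        'extensionRequest':     '1.2.840.113549.1.9.14',// CSR extensionRequest
        'contentType':          '1.2.840.113549.1.9.3',//PKCS#9
        'messageDigest':        '1.2.840.113549.1.9.4',//PKCS#9
        'signingTime':          '1.2.840.113549.1.9.5',//PKCS#9
        'counterSignature':     '1.2.840.113549.1.9.6',//PKCS#9
        'archiveTimeStampV3':   '0.4.0.1733.2.4',//ETSI EN29319122/TS101733
        'pdfRevocationInfoArchival':'1.2.840.113583.1.1.8', //Adobe
        'adobeTimeStamp':       '1.2.840.113583.1.1.9.1' // Adobe
    };

    // name -> DERObjectIdentifier, filled lazily by name2obj and atype2obj
    // (both methods share this one cache)
    this.objCache = {};

    /**
     * get DERObjectIdentifier by registered OID name
     * @name name2obj
     * @memberOf KJUR.asn1.x509.OID
     * @function
     * @param {String} name registered OID name (ex. 'SHA1withRSA')
     * @return {@link KJUR.asn1.DERObjectIdentifier} instance, cached per name
     * @throws {String} "Name of ObjectIdentifier not defined: ..." when name is
     * not an own key of name2oidList
     * @description
     * Only own properties of objCache and name2oidList are consulted, so
     * names inherited from Object.prototype are reported as not defined.
     * @example
     * var asn1ObjOID = OID.name2obj('SHA1withRSA');
     */
    this.name2obj = function(name) {
        var cached = _ownValue(this.objCache, name);
        if (typeof cached != "undefined")
            return cached;
        var oid = _ownValue(this.name2oidList, name);
        if (typeof oid == "undefined")
            throw "Name of ObjectIdentifier not defined: " + name;
        var obj = new KJUR.asn1.DERObjectIdentifier({'oid': oid});
        this.objCache[name] = obj;
        return obj;
    };

    /**
     * get DERObjectIdentifier by registered attribute type name such like 'C' or 'CN'<br/>
     * @name atype2obj
     * @memberOf KJUR.asn1.x509.OID
     * @function
     * @param {String} atype short attribute type name such like 'C', 'CN' or OID
     * @return {@link KJUR.asn1.DERObjectIdentifier} instance
     * @throws {String} "AttributeType name undefined: ..." when atype is neither
     * OID-shaped nor an own key of atype2oidList or name2oidList
     * @description
     * Resolution order: the cache, then an OID-shaped string used as is, then
     * atype2oidList, then name2oidList. Only own properties of the tables are
     * consulted, so names inherited from Object.prototype are rejected.
     * @example
     * KJUR.asn1.x509.OID.atype2obj('CN') → DERObjectIdentifier of 2.5.4.3
     * KJUR.asn1.x509.OID.atype2obj('OU') → DERObjectIdentifier of 2.5.4.11
     * KJUR.asn1.x509.OID.atype2obj('streetAddress') → DERObjectIdentifier of 2.5.4.9
     * KJUR.asn1.x509.OID.atype2obj('2.5.4.9') → DERObjectIdentifier of 2.5.4.9
     */
    this.atype2obj = function(atype) {
        var cached = _ownValue(this.objCache, atype);
        if (cached !== undefined)
            return cached;

        var oid;
        var shortOid = _ownValue(this.atype2oidList, atype);
        var longOid = _ownValue(this.name2oidList, atype);

        // NOTE(review): this pattern also matches strings with empty arcs such
        // as '1.2..'; whether DERObjectIdentifier rejects them is not visible here.
        if (atype.match(/^\d+\.\d+\.[0-9.]+$/)) {
            oid = atype;
        } else if (shortOid !== undefined) {
            oid = shortOid;
        } else if (longOid !== undefined) {
            oid = longOid;
        } else {
            throw "AttributeType name undefined: " + atype;
        }
        var obj = new KJUR.asn1.DERObjectIdentifier({'oid': oid});
        this.objCache[atype] = obj;
        return obj;
    };
};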
4252 
4253 /**
4254  * convert OID to name<br/>
4255  * @name oid2name
4256  * @memberOf KJUR.asn1.x509.OID
4257  * @function
4258  * @param {String} oid dotted-decimal Object Identifier string (ex. 1.2.3.4)
4259  * @return {String} OID name if registered otherwise empty string
4260  * @since asn1x509 1.0.9
4261  * @description
4262  * This static method converts OID string to its name.
4263  * If the OID is not registered then it returns empty string (i.e. '').
4264  * @example
4265  * KJUR.asn1.x509.OID.oid2name("1.3.6.1.5.5.7.1.1") → 'authorityInfoAccess'
4266  */
KJUR.asn1.x509.OID.oid2name = function(oid) {
    // Reverse lookup over name2oidList in enumeration order; the first name
    // whose value loosely equals oid is returned, '' when nothing matches.
    var table = KJUR.asn1.x509.OID.name2oidList;
    var found = '';
    for (var key in table) {
        if (table[key] == oid) {
            found = key;
            break;
        }
    }
    return found;
};
4274 
4275 /**
4276  * convert OID to AttributeType name<br/>
4277  * @name oid2atype
4278  * @memberOf KJUR.asn1.x509.OID
4279  * @function
4280  * @param {String} oid dotted-decimal Object Identifier string (ex. 1.2.3.4)
4281  * @return {String} OID AttributeType name if registered otherwise oid
4282  * @since jsrsasign 6.2.2 asn1x509 1.0.18
4283  * @description
4284  * This static method converts OID string to its AttributeType name.
4285  * If OID is not defined in OID.atype2oidList associative array then it returns OID
4286  * specified as argument.
4287  * @example
4288  * KJUR.asn1.x509.OID.oid2atype("2.5.4.3") → CN
4289  * KJUR.asn1.x509.OID.oid2atype("1.3.6.1.4.1.311.60.2.1.3") → jurisdictionOfIncorporationC
4290  * KJUR.asn1.x509.OID.oid2atype("0.1.2.3.4") → 0.1.2.3.4 // unregistered OID
4291  */
KJUR.asn1.x509.OID.oid2atype = function(oid) {
    // Reverse lookup over atype2oidList in enumeration order; falls back to
    // the oid argument itself when no attribute type name is registered for it.
    var table = KJUR.asn1.x509.OID.atype2oidList;
    var result = oid;
    for (var key in table) {
        if (table[key] == oid) {
            result = key;
            break;
        }
    }
    return result;
};
4299 
4300 /**
4301  * convert OID name to OID value<br/>
4302  * @name name2oid
4303  * @memberOf KJUR.asn1.x509.OID
4304  * @function
4305  * @param {String} name OID name or OID (ex. "sha1" or "1.2.3.4")
4306  * @return {String} dotted-decimal Object Identifier string (ex. 1.2.3.4)
4307  * @since asn1x509 1.0.11
4308  * @description
4309  * This static method converts from OID name to OID string.
4310  * If the name is not registered then it returns empty string (i.e. '').
4311  * @example
4312  * KJUR.asn1.x509.OID.name2oid("authorityInfoAccess") → "1.3.6.1.5.5.7.1.1"
4313  * KJUR.asn1.x509.OID.name2oid("1.2.3.4") → "1.2.3.4"
4314  * KJUR.asn1.x509.OID.name2oid("UNKNOWN NAME") → ""
4315  */
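KJUR.asn1.x509.OID.name2oid = function(name) {
    // a string made only of digits and dots is taken to be an OID already
    if (name.match(/^[0-9.]+$/)) return name;

    var list = KJUR.asn1.x509.OID.name2oidList;
    // Own-property test: without it a name such as 'constructor' or 'toString'
    // would return a member of Object.prototype instead of '' for an
    // unregistered name, and that value would flow on as if it were an OID.
    if (!Object.prototype.hasOwnProperty.call(list, name)) return '';

    var oid = list[name];
    return (oid === undefined) ? '' : oid;
};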
4322 
4323 /**
4324  * X.509 certificate and CRL utilities class<br/>
4325  * @name KJUR.asn1.x509.X509Util
4326  * @class X.509 certificate and CRL utilities class
4327  */
4328 KJUR.asn1.x509.X509Util = {};
4329 
4330 /**
4331  * issue a certificate in PEM format (DEPRECATED)
4332  * @name newCertPEM
4333  * @memberOf KJUR.asn1.x509.X509Util
4334  * @function
4335  * @param {Array} param JSON object of parameter to issue a certificate
4336  * @since asn1x509 1.0.6
4337  * @deprecated since jsrsasign 9.0.0 asn1x509 2.0.0. please move to {@link KJUR.asn1.x509.Certificate} constructor
4338  * @description
4339  * This method can issue a certificate by a simple
4340  * JSON object.
4341  * Signature value will be provided by signing with
4342  * private key using 'cakey' parameter or
4343  * hexadecimal signature value by 'sighex' parameter.
4344  * <br/>
4345  * NOTE: Algorithm parameter of AlgorithmIdentifier will
4346  * be set automatically by default. 
4347  * (see {@link KJUR.asn1.x509.AlgorithmIdentifier})
4348  * from jsrsasign 7.1.1 asn1x509 1.0.20.
4349  * <br/>
4350  * NOTE2: 
4351  * RSA-PSS algorithm has been supported from jsrsasign 8.0.21.
4352  * As for RSA-PSS signature algorithm names and signing parameters 
4353  * such as MGF function and salt length, please see
4354  * {@link KJUR.asn1.x509.AlgorithmIdentifier} class.
4355  *
4356  * @example
4357  * var certPEM = KJUR.asn1.x509.X509Util.newCertPEM({
4358  *   serial: {int: 4},
4359  *   sigalg: {name: 'SHA1withECDSA'},
4360  *   issuer: {str: '/C=US/O=a'},
4361  *   notbefore: {'str': '130504235959Z'},
4362  *   notafter: {'str': '140504235959Z'},
4363  *   subject: {str: '/C=US/O=b'},
4364  *   sbjpubkey: pubKeyObj,
4365  *   ext: [
4366  *     {basicConstraints: {cA: true, critical: true}},
4367  *     {keyUsage: {bin: '11'}},
4368  *   ],
4369  *   cakey: prvKeyObj
4370  * });
4371  * // -- or --
4372  * var certPEM = KJUR.asn1.x509.X509Util.newCertPEM({
4373  *   serial: {int: 4},
4374  *   sigalg: {name: 'SHA1withECDSA'},
4375  *   issuer: {str: '/C=US/O=a'},
4376  *   notbefore: {'str': '130504235959Z'},
4377  *   notafter: {'str': '140504235959Z'},
4378  *   subject: {str: '/C=US/O=b'},
4379  *   sbjpubkey: pubKeyPEM,
4380  *   ext: [
4381  *     {basicConstraints: {cA: true, critical: true}},
4382  *     {keyUsage: {bin: '11'}},
4383  *   ],
4384  *   cakey: [prvkey, pass]}
4385  * );
4386  * // -- or --
4387  * var certPEM = KJUR.asn1.x509.X509Util.newCertPEM({
4388  *   serial: {int: 1},
4389  *   sigalg: {name: 'SHA1withRSA'},
4390  *   issuer: {str: '/C=US/O=T1'},
4391  *   notbefore: {'str': '130504235959Z'},
4392  *   notafter: {'str': '140504235959Z'},
4393  *   subject: {str: '/C=US/O=T1'},
4394  *   sbjpubkey: pubKeyObj,
4395  *   sighex: '0102030405..'
4396  * });
4397  * // for the issuer and subject field, another
4398  * // representation is also available
4399  * var certPEM = KJUR.asn1.x509.X509Util.newCertPEM({
4400  *   serial: {int: 1},
4401  *   sigalg: {name: 'SHA256withRSA'},
4402  *   issuer: {C: "US", O: "T1"},
4403  *   notbefore: {'str': '130504235959Z'},
4404  *   notafter: {'str': '140504235959Z'},
4405  *   subject: {C: "US", O: "T1", CN: "http://example.com/"},
4406  *   sbjpubkey: pubKeyObj,
4407  *   sighex: '0102030405..'
4408  * });
4409  */
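KJUR.asn1.x509.X509Util.newCertPEM = function(param) {
    // Deprecated wrapper kept for older callers: param is handed unchanged to
    // the KJUR.asn1.x509.Certificate constructor and the result of getPEM() is
    // returned. No field of param is validated here.
    //
    // In particular param.sigalg is not checked. Signature algorithms built on
    // SHA-1 or MD5 are not accepted by current certificate validators, so code
    // that issues certificates should choose SHA256withRSA, SHA256withECDSA or
    // stronger and enforce that choice before calling this function.
    var cert = new KJUR.asn1.x509.Certificate(param);
    return cert.getPEM();
};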
4417 
4418