1 /* asn1x509-2.1.21.js (c) 2013-2022 Kenji Urushima | kjur.github.io/jsrsasign/license
  2  */
  3 /*
  4  * asn1x509.js - ASN.1 DER encoder classes for X.509 certificate
  5  *
  6  * Copyright (c) 2013-2023 Kenji Urushima (kenji.urushima@gmail.com)
  7  *
  8  * This software is licensed under the terms of the MIT License.
  9  * https://kjur.github.io/jsrsasign/license
 10  *
 11  * The above copyright and license notice shall be
 12  * included in all copies or substantial portions of the Software.
 13  */
 14 
 15 /**
 16  * @fileOverview
 17  * @name asn1x509-1.0.js
 18  * @author Kenji Urushima kenji.urushima@gmail.com
 19  * @version jsrsasign 10.9.0 asn1x509 2.1.21 (2023-Nov-27)
 20  * @since jsrsasign 2.1
 21  * @license <a href="https://kjur.github.io/jsrsasign/license/">MIT License</a>
 22  */
 23 
 24 /**
 25  * kjur's class library name space
 26  * // already documented in asn1-1.0.js
 27  * @name KJUR
 28  * @namespace kjur's class library name space
 29  */
// Create the root namespace only when it is missing or falsy, so that loading
// this file after asn1-1.0.js does not discard what is already registered.
// NOTE(review): when KJUR is undeclared the assignment below creates an
// implicit global; that works in a sloppy-mode script but throws a
// ReferenceError in strict mode or in an ES module.
if (typeof KJUR == "undefined" || !KJUR) KJUR = {};
 31 
 32 /**
 33  * kjur's ASN.1 class library name space
 34  * // already documented in asn1-1.0.js
 35  * @name KJUR.asn1
 36  * @namespace
 37  */
// Reuse an existing KJUR.asn1 namespace object; start an empty one otherwise.
if (typeof KJUR.asn1 == "undefined" || !KJUR.asn1) KJUR.asn1 = {};
 39 
 40 /**
 41  * kjur's ASN.1 class for X.509 certificate library name space
 42  * <p>
 43  * <h4>FEATURES</h4>
 44  * <ul>
 45  * <li>easily issue any kind of certificate</li>
 46  * <li>APIs are very similar to BouncyCastle library ASN.1 classes. So easy to learn.</li>
 47  * </ul>
 48  * </p>
 49  * <h4>PROVIDED CLASSES</h4>
 50  * <ul>
 51  * <li>{@link KJUR.asn1.x509.Certificate}</li>
 52  * <li>{@link KJUR.asn1.x509.TBSCertificate}</li>
 53  * <li>{@link KJUR.asn1.x509.Extension} abstract class</li>
 54  * <li>{@link KJUR.asn1.x509.Extensions}</li>
 55  * <li>{@link KJUR.asn1.x509.SubjectPublicKeyInfo}</li>
 56  * <li>{@link KJUR.asn1.x509.AlgorithmIdentifier}</li>
 57  * <li>{@link KJUR.asn1.x509.GeneralNames}</li>
 58  * <li>{@link KJUR.asn1.x509.GeneralName}</li>
 59  * <li>{@link KJUR.asn1.x509.X500Name}</li>
 60  * <li>{@link KJUR.asn1.x509.RDN}</li>
 61  * <li>{@link KJUR.asn1.x509.AttributeTypeAndValue}</li>
 62  * <li>{@link KJUR.asn1.x509.DistributionPointName}</li>
 63  * <li>{@link KJUR.asn1.x509.DistributionPoint}</li>
 64  * <li>{@link KJUR.asn1.x509.PolicyInformation}</li>
 65  * <li>{@link KJUR.asn1.x509.PolicyQualifierInfo}</li>
 66  * <li>{@link KJUR.asn1.x509.UserNotice}</li>
 67  * <li>{@link KJUR.asn1.x509.NoticeReference}</li>
 68  * <li>{@link KJUR.asn1.x509.DisplayText}</li>
 69  * <li>{@link KJUR.asn1.x509.GeneralSubtree}</li>
 70  * <li>{@link KJUR.asn1.x509.CRL}</li>
 71  * <li>{@link KJUR.asn1.x509.TBSCertList}</li>
 72  * <li>{@link KJUR.asn1.x509.CRLEntry} (DEPRECATED)</li>
 73  * <li>{@link KJUR.asn1.x509.OID}</li>
 74  * </ul>
 75  * <h4>SUPPORTED EXTENSIONS</h4>
 76  * <ul>
 77  * <li>{@link KJUR.asn1.x509.AuthorityKeyIdentifier}</li>
 78  * <li>{@link KJUR.asn1.x509.SubjectKeyIdentifier}</li>
 79  * <li>{@link KJUR.asn1.x509.KeyUsage}</li>
 80  * <li>{@link KJUR.asn1.x509.CertificatePolicies}</li>
 81  * <li>{@link KJUR.asn1.x509.PolicyMappings} 2.5.29.33</li>
 82  * <li>{@link KJUR.asn1.x509.PolicyConstraints} 2.5.29.36</li>
 83  * <li>{@link KJUR.asn1.x509.InhibitAnyPolicy} 2.5.29.54</li>
 84  * <li>{@link KJUR.asn1.x509.SubjectAltName}</li>
 85  * <li>{@link KJUR.asn1.x509.IssuerAltName}</li>
 86  * <li>{@link KJUR.asn1.x509.BasicConstraints}</li>
 87  * <li>{@link KJUR.asn1.x509.NameConstraints}</li>
 88  * <li>{@link KJUR.asn1.x509.ExtKeyUsage}</li>
 89  * <li>{@link KJUR.asn1.x509.CRLDistributionPoints}</li>
 90  * <li>{@link KJUR.asn1.x509.AuthorityInfoAccess}</li>
 91  * <li>{@link KJUR.asn1.x509.CRLNumber}</li>
 92  * <li>{@link KJUR.asn1.x509.CRLReason}</li>
 93  * <li>{@link KJUR.asn1.x509.OCSPNonce}</li>
 94  * <li>{@link KJUR.asn1.x509.OCSPNoCheck}</li>
 95  * <li>{@link KJUR.asn1.x509.AdobeTimeStamp}</li>
 96  * <li>{@link KJUR.asn1.x509.SubjectDirectoryAttributes}</li>
 97  * <li>{@link KJUR.asn1.x509.PrivateExtension}</li>
 98  * </ul>
 99  * NOTE1: Please ignore method summary and document of this namespace. This caused by a bug of jsdoc2.<br/>
100  * NOTE2: SubjectAltName and IssuerAltName supported since 
101  * jsrsasign 6.2.3 asn1x509 1.0.19.<br/>
102  * NOTE3: CertificatePolicies supported since
103  * jsrsasign 8.0.23 asn1x509 1.1.12<br/>
104  * @name KJUR.asn1.x509
105  * @namespace
106  */
// Reuse an existing KJUR.asn1.x509 namespace object; start an empty one
// otherwise. Every class below is attached to this object.
if (typeof KJUR.asn1.x509 == "undefined" || !KJUR.asn1.x509) KJUR.asn1.x509 = {};
108 
109 // === BEGIN Certificate ===================================================
110 
111 /**
112  * X.509 Certificate class to sign and generate hex encoded certificate
113  * @name KJUR.asn1.x509.Certificate
114  * @class X.509 Certificate class to sign and generate hex encoded certificate
115  * @property {Array} params JSON object of parameters
116  * @param {Array} params JSON object for Certificate parameters
117  * @extends KJUR.asn1.ASN1Object
118  * @description
119  * <br/>
120  * This class provides Certificate ASN.1 class structure
121  * defined in 
122  * <a href="https://tools.ietf.org/html/rfc5280#section-4.1">
123  * RFC 5280 4.1</a>.
124  * <pre>
125  * Certificate  ::=  SEQUENCE  {
126  *      tbsCertificate       TBSCertificate,
127  *      signatureAlgorithm   AlgorithmIdentifier,
128  *      signatureValue       BIT STRING  }
129  * </pre>
130  * Parameter "params" JSON object can be
131  * the same as {@link KJUR.asn1.x509.TBSCertificate}. 
132  * Then they are used to generate TBSCertificate.
133  * Additionally just for Certificate, following parameters can be used:
134  * <ul>
135  * <li>{TBSCertificate}tbsobj -
136  * specifies {@link KJUR.asn1.x509.TBSCertificate} 
137  * object to be signed if needed. 
138  * When this isn't specified, 
139  * this will be set from other parameters of TBSCertificate.</li>
140  * <li>{Object}cakey (OPTION) - specifies certificate signing private key.
141  * Parameter "cakey" or "sighex" shall be specified. Following
142  * values can be specified:
143  *   <ul>
144  *   <li>PKCS#1/5 or PKCS#8 PEM string of private key</li>
145  *   <li>RSAKey/DSA/ECDSA key object. {@link KEYUTIL.getKey} is useful
146  *   to generate a key object.</li>
147  *   </ul>
148  * </li>
149  * <li>{String}sighex (OPTION) - hexadecimal string of signature value
150  * (i.e. ASN.1 value(V) of signatureValue BIT STRING without
151  * unused bits)</li>
152  * </ul>
153  * CAUTION: APIs of this class have been totally updated without
154  * backward compatibility since jsrsasign 9.0.0.<br/>
155  * NOTE1: 'params' can be omitted.<br/>
156  * NOTE2: DSA/ECDSA is also supported for CA signing key from asn1x509 1.0.6.
157  * @example
158  * var cert = new KJUR.asn1.x509.Certificate({
159  *  version: 3,
160  *  serial: {hex: "1234..."},
161  *  sigalg: "SHA256withRSAandMGF1",
162  *  ...
163  *  sighex: "1d3f..." // sign() method won't be called
164  * });
165  *
166  * // sighex will be calculated by signing with cakey
167  * var cert = new KJUR.asn1.x509.Certificate({
168  *  version: 3,
169  *  serial: {hex: "2345..."},
170  *  sigalg: "SHA256withRSA",
171  *  ...
172  *  cakey: "-----BEGIN PRIVATE KEY..."
173  * });
174  *
175  * // use TBSCertificate object to sign
176  * var cert = new KJUR.asn1.x509.Certificate({
177  *  tbsobj: <<OBJ>>,
178  *  sigalg: "SHA256withRSA",
179  *  cakey: "-----BEGIN PRIVATE KEY..."
180  * });
181  */
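KJUR.asn1.x509.Certificate = function(params) {
    KJUR.asn1.x509.Certificate.superclass.constructor.call(this);
    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _DERBitString = _KJUR_asn1.DERBitString,
        _DERSequence = _KJUR_asn1.DERSequence,
        _KJUR_asn1_x509 = _KJUR_asn1.x509,
        _TBSCertificate = _KJUR_asn1_x509.TBSCertificate,
        _AlgorithmIdentifier = _KJUR_asn1_x509.AlgorithmIdentifier;

    // Holds the caller's parameter object by reference (not a copy). sign()
    // and tohex() write "tbsobj" and "sighex" back into that same object, and
    // "cakey" (private key material) stays reachable through it for as long
    // as this object lives, so avoid logging or serializing params.
    this.params = undefined;

    /**
     * set parameter<br/>
     * @name setByParam
     * @memberOf KJUR.asn1.x509.Certificate#
     * @function
     * @param params {Array} JSON object of certificate parameters
     * @since jsrsasign 9.0.0 asn1hex 2.0.0
     * @description
     * This method will set parameter
     * {@link KJUR.asn1.x509.Certificate#params}
     * to this object. The object is stored by reference.
     * @example
     * cert = new KJUR.asn1.x509.Certificate();
     * cert.setByParam({
     *   version: 3,
     *   serial: {hex: "1234..."},
     *   ...
     * });
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * sign certificate<br/>
     * @name sign
     * @memberOf KJUR.asn1.x509.Certificate#
     * @function
     * @description
     * This method signs TBSCertificate with a specified
     * private key and algorithm by
     * this.params.cakey and this.params.sigalg parameter.
     * The result is stored in this.params.sighex, replacing any
     * value that was there. When this.params.tbsobj is not set yet,
     * it is built from the other parameters first, so sign() can be
     * called directly after construction.
     * @example
     * cert = new KJUR.asn1.x509.Certificate({...});
     * cert.sign()
     */
    this.sign = function() {
        var params = this.params;

        // sigalg may be a plain algorithm name or an object carrying "name".
        var sigalg = params.sigalg;
        if (params.sigalg.name != undefined)
            sigalg = params.sigalg.name;

        // Build the TBSCertificate on demand ("== null" matches both null and
        // undefined). Without this, sign() called before tohex() failed on
        // params.tbsobj.tohex() with a TypeError.
        if (params.tbsobj == null) {
            params.tbsobj = new _TBSCertificate(params);
        }

        var hTBS = params.tbsobj.tohex();
        var sig = new KJUR.crypto.Signature({alg: sigalg});
        sig.init(params.cakey);
        sig.updateHex(hTBS);
        params.sighex = sig.sign();
    };

    /**
     * get PEM formatted certificate string after signed
     * @name getPEM
     * @memberOf KJUR.asn1.x509.Certificate#
     * @function
     * @return PEM formatted string of certificate
     * @since jsrsasign 9.0.0 asn1hex 2.0.0
     * @description
     * This method returns a string of PEM formatted
     * certificate.
     * @example
     * cert = new KJUR.asn1.x509.Certificate({...});
     * cert.getPEM() →
     * "-----BEGIN CERTIFICATE-----\r\n..."
     */
    this.getPEM = function() {
        return hextopem(this.tohex(), "CERTIFICATE");
    };

    /**
     * get hexadecimal DER encoding of the whole Certificate
     * @return {String} hexadecimal string of the Certificate SEQUENCE
     * @throws {Error} when neither "sighex" nor "cakey" is available
     * @description
     * Signing happens here only when "sighex" is absent and "cakey" is
     * present. A "sighex" that is already set, whether supplied by the
     * caller or left by an earlier sign()/tohex() call, is emitted as is
     * and is not checked against the current TBSCertificate bytes. After
     * changing any certificate field on a params object that was already
     * encoded once, clear params.sighex (or call sign() again) so that the
     * signature covers the new content.
     */
    this.tohex = function() {
        var params = this.params;

        if (params.tbsobj == undefined || params.tbsobj == null) {
            params.tbsobj = new _TBSCertificate(params);
        }

        if (params.sighex == undefined && params.cakey != undefined) {
            this.sign();
        }

        if (params.sighex == undefined) {
            throw new Error("sighex or cakey parameter not defined");
        }

        var a = [];
        a.push(params.tbsobj);
        a.push(new _AlgorithmIdentifier({name: params.sigalg}));
        // Leading "00" is the BIT STRING unused-bits octet.
        a.push(new _DERBitString({hex: "00" + params.sighex}));
        var seq = new _DERSequence({array: a});
        return seq.tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params != undefined) this.params = params;
};
extendClass(KJUR.asn1.x509.Certificate, KJUR.asn1.ASN1Object);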
290 
291 /**
292  * ASN.1 TBSCertificate structure class<br/>
293  * @name KJUR.asn1.x509.TBSCertificate
294  * @class ASN.1 TBSCertificate structure class
295  * @property {Array} params JSON object of parameters
296  * @param {Array} params JSON object of TBSCertificate parameters
297  * @extends KJUR.asn1.ASN1Object
298  * @see KJUR.asn1.x509.Certificate
299  *
300  * @description
301  * <br/>
302  * NOTE: TBSCertificate class is updated without backward 
303  * compatibility from jsrsasign 9.0.0 asn1x509 2.0.0.
304  * Most of methods are removed and parameters can be set
305  * by JSON object.
306  *
307  * @example
308  * new TBSCertificate({
309  *  version: 3, // this can be omitted, the default is 3.
310  *  serial: {hex: "1234..."}, // DERInteger parameter
311  *  sigalg: "SHA256withRSA",
312  *  issuer: {array:[[{type:'O',value:'Test',ds:'prn'}]]}, // X500Name parameter
313  *  notbefore: "151231235959Z", // string, passed to Time
314  *  notafter: "251231235959Z", // string, passed to Time
315  *  subject: {array:[[{type:'O',value:'Test',ds:'prn'}]]}, // X500Name parameter
316  *  sbjpubkey: "-----BEGIN...", // KEYUTIL.getKey pubkey parameter
317  *  // As for extension parameters, please see extension class
318  *  // All extension parameters need to have "extname" parameter additionally.
319  *  ext:[{ 
320  *   extname:"keyUsage",critical:true,
321  *   names:["digitalSignature","keyEncipherment"]
322  *  },{
323  *   extname:"cRLDistributionPoints",
324  *   array:[{dpname:{full:[{uri:"http://example.com/a1.crl"}]}}]
325  *  }, ...]
326  * })
327  *
328  * var tbsc = new TBSCertificate();
329  * tbsc.setByParam({version:3,serial:{hex:'1234...'},...});
330  */
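KJUR.asn1.x509.TBSCertificate = function(params) {
    KJUR.asn1.x509.TBSCertificate.superclass.constructor.call(this);
    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _KJUR_asn1_x509 = _KJUR_asn1.x509,
        _DERTaggedObject = _KJUR_asn1.DERTaggedObject,
        _DERInteger = _KJUR_asn1.DERInteger,
        _DERSequence = _KJUR_asn1.DERSequence,
        _AlgorithmIdentifier = _KJUR_asn1_x509.AlgorithmIdentifier,
        _Time = _KJUR_asn1_x509.Time,
        _X500Name = _KJUR_asn1_x509.X500Name,
        _Extensions = _KJUR_asn1_x509.Extensions,
        _SubjectPublicKeyInfo = _KJUR_asn1_x509.SubjectPublicKeyInfo;

    // Caller's parameter object, kept by reference and re-read on every
    // tohex() call.
    this.params = null;

    /**
     * set TBSCertificate parameters<br/>
     * @name setByParam
     * @memberOf KJUR.asn1.x509.TBSCertificate#
     * @function
     * @param {Array} params JSON object of TBSCertificate parameters
     * @example
     * tbsc = new KJUR.asn1.x509.TBSCertificate();
     * tbsc.setByParam({version:3, serial:{hex:'1234...'},...});
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * get hexadecimal DER encoding of TBSCertificate
     * @return {String} hexadecimal string of the TBSCertificate SEQUENCE
     * @description
     * Fields are emitted in the order version, serial, signature algorithm,
     * issuer, validity, subject, subject public key and extensions.
     * The parameters are handed to the field classes as they are; this
     * method itself does not check serial number size or sign, the
     * notbefore/notafter ordering, or that extensions are used only with
     * version 3, so the caller is responsible for those rules.
     */
    this.tohex = function() {
        var a = [];
        var params = this.params;

        // RFC 5280 4.1 declares "version [0] EXPLICIT Version DEFAULT v1" and
        // DER does not allow a DEFAULT value to be encoded, so the field is
        // written for every version except 1. The previous condition
        // (version != undefined || version != 1) was always true and wrote an
        // explicit INTEGER 0 for version 1.
        // A missing params.version means X.509v3 (encoded value 2).
        if (params.version != 1) {
            var version = 2;
            if (params.version != undefined) version = params.version - 1;
            a.push(new _DERTaggedObject({obj: new _DERInteger({'int': version})}));
        }

        a.push(new _DERInteger(params.serial));
        a.push(new _AlgorithmIdentifier({name: params.sigalg}));
        a.push(new _X500Name(params.issuer));
        a.push(new _DERSequence({array: [new _Time(params.notbefore),
                                         new _Time(params.notafter)]}));
        a.push(new _X500Name(params.subject));
        a.push(new _SubjectPublicKeyInfo(KEYUTIL.getKey(params.sbjpubkey)));
        // [3] extensions: left out entirely when no extension is requested.
        if (params.ext !== undefined && params.ext.length > 0) {
            a.push(new _DERTaggedObject({tag: "a3",
                                         obj: new _Extensions(params.ext)}));
        }

        var seq = new _DERSequence({array: a});
        return seq.tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) this.setByParam(params);
};
extendClass(KJUR.asn1.x509.TBSCertificate, KJUR.asn1.ASN1Object);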
394 
395 /**
396  * Extensions ASN.1 structure class<br/>
397  * @name KJUR.asn1.x509.Extensions
398  * @class Extensions ASN.1 structure class
399  * @param {Array} aParam array of JSON extension parameter
400  * @extends KJUR.asn1.ASN1Object
401  * @since jsrsasign 9.1.0 asn1x509 2.1.0
402  * @see KJUR.asn1.x509.TBSCertificate
403  * @see KJUR.asn1.x509.TBSCertList
404  * @see KJUR.asn1.csr.CertificationRequestInfo
405  * @see KJUR.asn1.x509.PrivateExtension
406  * @see KJUR.asn1.ocsp.ResponseData
407  * @see KJUR.asn1.ocsp.BasicOCSPResponse 
408  *
409  * @description
410  * This class represents
411  * <a href="https://tools.ietf.org/html/rfc5280#section-4.1">
412  * Extensions defined in RFC 5280 4.1</a> and
413  * <a href="https://tools.ietf.org/html/rfc5280#section-4.1.2.9">
414  * 4.1.2.9</a>.
415  * <pre>
416  * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
417  * </pre>
418  * <p>NOTE: From jsrsasign 9.1.1, private extension or
419  * undefined extension have been supported by
420  * {@link KJUR.asn1.x509.PrivateExtension}.</p>
421  * 
422  * Here is a list of available extensions:
423  * <ul>
424  * <li>{@link KJUR.asn1.x509.BasicConstraints}</li>
425  * <li>{@link KJUR.asn1.x509.KeyUsage}</li>
426  * <li>{@link KJUR.asn1.x509.SubjectKeyIdentifier}</li>
427  * <li>{@link KJUR.asn1.x509.AuthorityKeyIdentifier}</li>
428  * <li>{@link KJUR.asn1.x509.SubjectAltName}</li>
429  * <li>{@link KJUR.asn1.x509.IssuerAltName}</li>
430  * <li>{@link KJUR.asn1.x509.CRLDistributionPoints}</li>
431  * <li>{@link KJUR.asn1.x509.CertificatePolicies}</li>
432  * <li>{@link KJUR.asn1.x509.CRLNumber}</li>
433  * <li>{@link KJUR.asn1.x509.CRLReason}</li>
434  * <li>{@link KJUR.asn1.x509.OCSPNonce}</li>
435  * <li>{@link KJUR.asn1.x509.OCSPNoCheck}</li>
436  * <li>{@link KJUR.asn1.x509.AdobeTimeStamp}</li>
437  * <li>{@link KJUR.asn1.x509.SubjectDirectoryAttributes}</li>
438  * <li>{@link KJUR.asn1.x509.PrivateExtension}</li>
439  * </ul>
440  * You can also use {@link KJUR.asn1.x509.PrivateExtension} object
441  * to specify a unsupported extension.
442  *
443  * @example
444  * o = new KJUR.asn1.x509.Extensions([
445  *   {extname:"keyUsage",critical:true,names:["digitalSignature"]},
446  *   {extname:"subjectAltName",array:[{dns:"example.com"}]},
447  *   {extname:"1.2.3.4",extn:{prnstr:"aa"}} // private extension
448  * ]);
449  * o.tohex() → "30..."
450  */
KJUR.asn1.x509.Extensions = function(aParam) {
    KJUR.asn1.x509.Extensions.superclass.constructor.call(this);
    var _asn1 = KJUR.asn1,
        _DERSequence = _asn1.DERSequence,
        _x509 = _asn1.x509;

    // "extname" value -> name of the KJUR.asn1.x509 class that encodes it.
    // Only the class name is stored: the class itself is looked up when
    // tohex() runs.
    var _classNameByExtName = {
        subjectKeyIdentifier: "SubjectKeyIdentifier",
        keyUsage: "KeyUsage",
        subjectAltName: "SubjectAltName",
        issuerAltName: "IssuerAltName",
        basicConstraints: "BasicConstraints",
        nameConstraints: "NameConstraints",
        cRLDistributionPoints: "CRLDistributionPoints",
        certificatePolicies: "CertificatePolicies",
        policyMappings: "PolicyMappings",
        policyConstraints: "PolicyConstraints",
        inhibitAnyPolicy: "InhibitAnyPolicy",
        authorityKeyIdentifier: "AuthorityKeyIdentifier",
        extKeyUsage: "ExtKeyUsage",
        authorityInfoAccess: "AuthorityInfoAccess",
        cRLNumber: "CRLNumber",
        cRLReason: "CRLReason",
        ocspNonce: "OCSPNonce",
        ocspNoCheck: "OCSPNoCheck",
        adobeTimeStamp: "AdobeTimeStamp",
        subjectDirectoryAttributes: "SubjectDirectoryAttributes"
    };

    this.aParam = [];

    /**
     * set the array of extension parameters (stored by reference)
     * @param {Array} aParam array of JSON extension parameter
     */
    this.setByParam = function(aParam) {
        this.aParam = aParam;
    };

    /**
     * get hexadecimal DER encoding of the Extensions SEQUENCE
     * @return {String} hexadecimal string
     * @throws {Error} "extension not supported:..." for an entry that has
     * no "extn" member and whose "extname" is not in the table above
     * @description
     * An entry with an "extn" member is always encoded as
     * {@link KJUR.asn1.x509.PrivateExtension}, whatever its "extname" is.
     * The caller decides which extensions are included and which are
     * marked critical; nothing is added, removed or cross-checked here.
     */
    this.tohex = function() {
        var encoders = [];
        for (var i = 0; i < this.aParam.length; i++) {
            var param = this.aParam[i];
            var className;

            if (param.extn != undefined) {
                className = "PrivateExtension";
            } else if (Object.prototype.hasOwnProperty.call(_classNameByExtName,
                                                            param.extname)) {
                // own-property test keeps names such as "constructor" from
                // resolving through Object.prototype
                className = _classNameByExtName[param.extname];
            } else {
                throw new Error("extension not supported:"
                                + JSON.stringify(param));
            }
            encoders.push(new _x509[className](param));
        }

        return new _DERSequence({array: encoders}).tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (aParam != undefined) this.setByParam(aParam);
};
extendClass(KJUR.asn1.x509.Extensions, KJUR.asn1.ASN1Object);
525 
526 
527 // === END   TBSCertificate ===================================================
528 
529 // === BEGIN X.509v3 Extensions Related =======================================
530 
531 /**
532  * base Extension ASN.1 structure class
533  * @name KJUR.asn1.x509.Extension
534  * @class base Extension ASN.1 structure class
535  * @param {Array} params associative array of parameters (ex. {'critical': true})
536  * @extends KJUR.asn1.ASN1Object
537  * @description
538  * <pre>
539  * Extension  ::=  SEQUENCE  {
540  *     extnID      OBJECT IDENTIFIER,
541  *     critical    BOOLEAN DEFAULT FALSE,
542  *     extnValue   OCTET STRING  }
543  * </pre>
544  * @example
545  */
KJUR.asn1.x509.Extension = function(params) {
    KJUR.asn1.x509.Extension.superclass.constructor.call(this);
    var _asn1 = KJUR.asn1,
        _DERObjectIdentifier = _asn1.DERObjectIdentifier,
        _DEROctetString = _asn1.DEROctetString,
        _DERBoolean = _asn1.DERBoolean,
        _DERSequence = _asn1.DERSequence;

    /**
     * get hexadecimal DER encoding of this Extension
     * @return {String} hexadecimal string of the Extension SEQUENCE
     * @description
     * The subclass supplies this.oid and getExtnValueHex(); the value it
     * returns is wrapped into the extnValue OCTET STRING.
     */
    this.tohex = function() {
        var extnId = new _DERObjectIdentifier({'oid': this.oid});
        var extnValue = new _DEROctetString({'hex': this.getExtnValueHex()});

        // "critical" is written only when the flag is truthy; otherwise the
        // field is left out (BOOLEAN DEFAULT FALSE).
        // NOTE(review): DERBoolean() without arguments is relied on to encode
        // TRUE; it is defined in asn1-1.0.js, confirm there.
        var members = this.critical
            ? [extnId, new _DERBoolean(), extnValue]
            : [extnId, extnValue];

        return new _DERSequence({'array': members}).tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    // Not critical unless the caller asks for it; the supplied value is
    // stored as is and only its truthiness is used.
    this.critical = false;
    if (params !== undefined && params.critical !== undefined) {
        this.critical = params.critical;
    }
};
extendClass(KJUR.asn1.x509.Extension, KJUR.asn1.ASN1Object);
580 
581 /**
582  * KeyUsage ASN.1 structure class
583  * @name KJUR.asn1.x509.KeyUsage
584  * @class KeyUsage ASN.1 structure class
585  * @param {Array} params associative array of parameters (ex. {'bin': '11', 'critical': true})
586  * @extends KJUR.asn1.x509.Extension
587  * @description
588  * This class is for <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.3" target="_blank">KeyUsage</a> X.509v3 extension.
589  * <pre>
590  * id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
591  * KeyUsage ::= BIT STRING {
592  *   digitalSignature   (0),
593  *   nonRepudiation     (1),
594  *   keyEncipherment    (2),
595  *   dataEncipherment   (3),
596  *   keyAgreement       (4),
597  *   keyCertSign        (5),
598  *   cRLSign            (6),
599  *   encipherOnly       (7),
600  *   decipherOnly       (8) }
601  * </pre><br/>
602  * NOTE: 'names' parameter is supported since jsrsasign 8.0.14.
603  * @example
604  * o = new KJUR.asn1.x509.KeyUsage({bin: "11"});
605  * o = new KJUR.asn1.x509.KeyUsage({critical: true, bin: "11"});
606  * o = new KJUR.asn1.x509.KeyUsage({names: ['digitalSignature', 'keyAgreement']});
607  */
KJUR.asn1.x509.KeyUsage = function(params) {
    KJUR.asn1.x509.KeyUsage.superclass.constructor.call(this, params);

    // KeyUsage bit name -> bit position, as listed in RFC 5280 4.2.1.3.
    var _bitOfName = {
        digitalSignature: 0,
        nonRepudiation: 1,
        keyEncipherment: 2,
        dataEncipherment: 3,
        keyAgreement: 4,
        keyCertSign: 5,
        cRLSign: 6,
        encipherOnly: 7,
        decipherOnly: 8
    };

    /**
     * get hexadecimal DER encoding of the KeyUsage BIT STRING
     * @return {String} hexadecimal string; the encoder object is also kept
     * in this.asn1ExtnValue
     */
    this.getExtnValueHex = function() {
        this.asn1ExtnValue =
            new KJUR.asn1.DERBitString({bin: this.getBinValue()});
        return this.asn1ExtnValue.tohex();
    };

    /**
     * get the key usage bits as a string of "0" and "1"
     * @return {String} binary string
     * @throws {Error} when params is not an object, or carries neither a
     * "names" object nor a "bin" string
     * @description
     * "names" wins when both "names" and "bin" are given. A "bin" string
     * is returned unchanged: its characters and length are not checked
     * here (NOTE(review): whether DERBitString validates it is not visible
     * in this file section).
     */
    this.getBinValue = function() {
        var p = this.params;

        if (typeof p != "object") {
            throw new Error("parameter not yet set");
        }
        if (typeof p.names != "object" && typeof p.bin != "string") {
            throw new Error("parameter not yet set");
        }

        if (p.names != undefined) {
            return namearraytobinstr(p.names, _bitOfName);
        }
        if (p.bin != undefined) {
            return p.bin;
        }
        // reached when "names" is null and "bin" is missing
        throw new Error("parameter not set properly");
    };

    this.oid = "2.5.29.15";
    if (params !== undefined) this.params = params;
};
extendClass(KJUR.asn1.x509.KeyUsage, KJUR.asn1.x509.Extension);
651 
652 /**
653  * BasicConstraints ASN.1 structure class
654  * @name KJUR.asn1.x509.BasicConstraints
655  * @class BasicConstraints ASN.1 structure class
656  * @param {Array} params JSON object for parameters (ex. {cA:true,critical:true})
657  * @extends KJUR.asn1.x509.Extension
658  * @see {@link X509#getExtBasicConstraints}
659  * @description
660  * This class represents 
661  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.9">
662  * BasicConstraints extension defined in RFC 5280 4.2.1.9</a>.
663  * <pre>
664  *  id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
665  *  BasicConstraints ::= SEQUENCE {
666  *       cA                      BOOLEAN DEFAULT FALSE,
667  *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
668  * </pre>
669  * Its constructor can have following parameters:
670  * <ul>
671  * <li>{Boolean}cA - cA flag</li>
672  * <li>{Integer}pathLen - pathLen field value</li>
673  * <li>{Boolean}critical - critical flag</li>
674  * </ul>
675  * @example
676  * new KJUR.asn1.x509.BasicConstraints({
677  *   cA: true,
678  *   pathLen: 3,
679  *   critical: true
680  * })
681  */
KJUR.asn1.x509.BasicConstraints = function(params) {
    KJUR.asn1.x509.BasicConstraints.superclass.constructor.call(this, params);
    var _asn1 = KJUR.asn1,
        _DERBoolean = _asn1.DERBoolean,
        _DERInteger = _asn1.DERInteger,
        _DERSequence = _asn1.DERSequence;

    /**
     * get hexadecimal DER encoding of the BasicConstraints SEQUENCE
     * @return {String} hexadecimal string; the encoder object is also kept
     * in this.asn1ExtnValue
     * @description
     * cA is written only when truthy and pathLenConstraint only when
     * this.pathLen is greater than -1.
     * NOTE(review): pathLen is written even when cA is false, although
     * RFC 5280 4.2.1.9 gives it a meaning only for CA certificates;
     * callers issuing end-entity certificates should leave pathLen unset.
     */
    this.getExtnValueHex = function() {
        var members = [];
        if (this.cA) {
            members.push(new _DERBoolean());
        }
        if (this.pathLen > -1) {
            members.push(new _DERInteger({'int': this.pathLen}));
        }
        this.asn1ExtnValue = new _DERSequence({'array': members});
        return this.asn1ExtnValue.tohex();
    };

    this.oid = "2.5.29.19";
    // Defaults: not a CA, no path length constraint (-1 means "absent").
    this.cA = (params !== undefined && params.cA !== undefined)
        ? params.cA
        : false;
    this.pathLen = (params !== undefined && params.pathLen !== undefined)
        ? params.pathLen
        : -1;
};
extendClass(KJUR.asn1.x509.BasicConstraints, KJUR.asn1.x509.Extension);
715 
716 /**
717  * CRLDistributionPoints ASN.1 structure class
718  * @name KJUR.asn1.x509.CRLDistributionPoints
719  * @class CRLDistributionPoints ASN.1 structure class
720  * @param {Array} params associative array of parameters (ex. {'uri': 'http://a.com/', 'critical': true})
721  * @extends KJUR.asn1.x509.Extension
722  * @see {@link X509#getExtCRLDistributionPoints}
723  * @see {@link KJUR.asn1.x509.DistributionPoint}
724  * @see {@link KJUR.asn1.x509.GeneralNames}
725  * @description
726  * This class represents 
727  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.13">
728  * CRLDistributionPoints extension defined in RFC 5280 4.2.1.13</a>.
729  * <pre>
730  * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }
731  * CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
732  * DistributionPoint ::= SEQUENCE {
733  *      distributionPoint       [0]     DistributionPointName OPTIONAL,
734  *      reasons                 [1]     ReasonFlags OPTIONAL,
735  *      cRLIssuer               [2]     GeneralNames OPTIONAL }
736  * DistributionPointName ::= CHOICE {
737  *      fullName                [0]     GeneralNames,
738  *      nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
739  * </pre>
740  * Constructor can have following parameter:
741  * <ul>
742  * <li>{Array}array - array of {@link KJUR.asn1.x509.DistributionPoint} parameter</li>
743  * <li>{Boolean}critical - critical flag</li>
744  * </ul>
745  * @example
746  * new KJUR.asn1.x509.CRLDistributionPoints({
747  *   array: [{fulluri: "http://aaa.com/"}, {fulluri: "ldap://aaa.com/"}],
748  *   critical: true
749  * })
750  */
KJUR.asn1.x509.CRLDistributionPoints = function(params) {
    KJUR.asn1.x509.CRLDistributionPoints.superclass.constructor.call(this, params);
    var _asn1 = KJUR.asn1,
        _x509 = _asn1.x509;

    /**
     * get hexadecimal DER encoding of the extension value
     * @return {String} hexadecimal string
     * @description
     * this.asn1ExtnValue is assigned only by setByDPArray(), so this call
     * fails when the object was built without "array" or "uri" and neither
     * setter was called.
     */
    this.getExtnValueHex = function() {
        return this.asn1ExtnValue.tohex();
    };

    /**
     * set distribution points
     * @param {Array} dpArray items that are either ASN1Object instances
     * (used as they are) or parameter objects for
     * {@link KJUR.asn1.x509.DistributionPoint}
     */
    this.setByDPArray = function(dpArray) {
        var points = [];
        for (var i = 0; i < dpArray.length; i++) {
            var item = dpArray[i];
            points.push(item instanceof KJUR.asn1.ASN1Object
                        ? item
                        : new _x509.DistributionPoint(item));
        }
        this.asn1ExtnValue = new _asn1.DERSequence({'array': points});
    };

    /**
     * set a single distribution point given by its full-name URI
     * @param {String} uri CRL location; handed on without any scheme or
     * syntax check in this class
     */
    this.setByOneURI = function(uri) {
        this.setByDPArray([new _x509.DistributionPoint({fulluri: uri})]);
    };

    this.oid = "2.5.29.31";
    // "array" takes precedence over "uri" when both are supplied.
    if (params !== undefined) {
        if (params.array !== undefined) {
            this.setByDPArray(params.array);
        } else if (params.uri !== undefined) {
            this.setByOneURI(params.uri);
        }
    }
};
extendClass(KJUR.asn1.x509.CRLDistributionPoints, KJUR.asn1.x509.Extension);
789 
790 /**
791  * DistributionPoint ASN.1 structure class<br/>
792  * @name KJUR.asn1.x509.DistributionPoint
793  * @class DistributionPoint ASN.1 structure class
794  * @param {Array} params JSON object of parameters (OPTIONAL)
795  * @extends KJUR.asn1.ASN1Object
796  * @see {@link KJUR.asn1.x509.CRLDistributionPoints}
797  * @see {@link KJUR.asn1.x509.DistributionPointName}
798  * @see {@link KJUR.asn1.x509.GeneralNames}
799  * @see {@link X509#getDistributionPoint}
800  * @description
801  * This class represents 
802  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.13">
803  * DistributionPoint defined in RFC 5280 4.2.1.13</a>.
804  * <pre>
805  * DistributionPoint ::= SEQUENCE {
806  *      distributionPoint       [0]     DistributionPointName OPTIONAL,
807  *      reasons                 [1]     ReasonFlags OPTIONAL,
808  *      cRLIssuer               [2]     GeneralNames OPTIONAL }
809  * </pre>
810  * Constructor can have following parameter:
811  * <ul>
812  * <li>{String}fulluri - uri string for fullName uri. This has the same meaning as '{dpname: {full: [{uri: "..."}]}}'.</li>
813  * <li>{Array}dpname - JSON object for {@link KJUR.asn1.x509.DistributionPointName} parameters</li>
814  * <li>{DistributionPoint}dpobj - {@link KJUR.asn1.x509.DistributionPointName} object (DEPRECATED)</li>
815  * </ul>
816  * <br/>
817  * NOTE1: Parameter "fulluri" and "dpname" supported 
818  * since jsrsasign 9.0.0 asn1x509 2.0.0.
819  * <br/>
820  * NOTE2: The "reasons" and "cRLIssuer" fields are currently
821  * not supported.
822  * @example
823  * new KJUR.asn1.x509.DistributionPoint(
824  *   {fulluri: "http://example.com/crl1.crl"})
825  * new KJUR.asn1.x509.DistributionPoint(
826  *   {dpname: {full: [{uri: "http://example.com/crl1.crl"}]}})
827  * new KJUR.asn1.x509.DistributionPoint(
828  *   {dpobj: new DistributionPoint(...)})
829  */
KJUR.asn1.x509.DistributionPoint = function(params) {
    KJUR.asn1.x509.DistributionPoint.superclass.constructor.call(this);
    var asn1ns = KJUR.asn1;
    var DPName = asn1ns.x509.DistributionPointName;

    /**
     * Encode this DistributionPoint as a DER SEQUENCE.
     * Only the distributionPoint [0] field is written, and only when
     * this.asn1DP has been set; otherwise the SEQUENCE is left empty.
     * The result is also stored in this.hTLV.
     * @return {String} hexadecimal string of the encoded structure
     */
    this.tohex = function() {
        var dpSeq = new asn1ns.DERSequence();
        if (this.asn1DP != null) {
            // [0] EXPLICIT wrapper around the DistributionPointName
            dpSeq.appendASN1Object(new asn1ns.DERTaggedObject({
                'explicit': true,
                'tag': 'a0',
                'obj': this.asn1DP
            }));
        }
        this.hTLV = dpSeq.tohex();
        return this.hTLV;
    };
    this.getEncodedHex = function() { return this.tohex(); };

    // First match wins: dpobj, then dpname, then fulluri.
    // A dpobj is stored exactly as passed, without any type check.
    if (params === undefined) return;
    if (params.dpobj !== undefined) {
        this.asn1DP = params.dpobj;
    } else if (params.dpname !== undefined) {
        this.asn1DP = new DPName(params.dpname);
    } else if (params.fulluri !== undefined) {
        this.asn1DP = new DPName({full: [{uri: params.fulluri}]});
    }
};
extendClass(KJUR.asn1.x509.DistributionPoint, KJUR.asn1.ASN1Object);
861 
862 /**
863  * DistributionPointName ASN.1 structure class<br/>
864  * @name KJUR.asn1.x509.DistributionPointName
865  * @class DistributionPointName ASN.1 structure class
866  * @param {Array} params JSON object of parameters or GeneralNames object
867  * @extends KJUR.asn1.ASN1Object
868  * @see {@link KJUR.asn1.x509.CRLDistributionPoints}
869  * @see {@link KJUR.asn1.x509.DistributionPoint}
870  * @see {@link KJUR.asn1.x509.GeneralNames}
871  * @see {@link X509#getDistributionPointName}
872  * @description
873  * This class represents 
874  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.13">
875  * DistributionPointName defined in RFC 5280 4.2.1.13</a>.
876  * <pre>
877  * DistributionPointName ::= CHOICE {
878  *      fullName                [0]     GeneralNames,
879  *      nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
880  * </pre>
881  * Constructor can have following parameter:
882  * <ul>
883  * <li>{String}full - JSON object parameter of {@link KJUR.asn1.x509.GeneralNames} for 'fullName' field</li>
884  * <li>{GeneralNames} - {@link KJUR.asn1.x509.GeneralNames} object for 'fullName'</li>
885  * </ul>
886  * NOTE1: The 'full' parameter has been supported since jsrsasign 9.0.0 asn1x509 2.0.0.
887  * <br>
888  * NOTE2: The 'nameRelativeToCRLIssuer' field is currently not supported.
889  * @example
890  * new KJUR.asn1.x509.DistributionPointName({full: <<GeneralNamesParameter>>})
891  * new KJUR.asn1.x509.DistributionPointName({full: [{uri: <<CDPURI>>}]})
892  * new KJUR.asn1.x509.DistributionPointName({full: [{dn: <<DN Parameter>>}]})
893  * new KJUR.asn1.x509.DistributionPointName({full: [{uri: "http://example.com/root.crl"}]})
894  * new KJUR.asn1.x509.DistributionPointName({full: [{dn: {str: "/C=US/O=Test"}}]})
895  * new KJUR.asn1.x509.DistributionPointName(new GeneralNames(...))
896  */
KJUR.asn1.x509.DistributionPointName = function(params) {
    KJUR.asn1.x509.DistributionPointName.superclass.constructor.call(this);
    var asn1ns = KJUR.asn1;
    var TaggedObject = asn1ns.DERTaggedObject;

    /**
     * Encode this DistributionPointName as an implicitly tagged object.
     * Only the 'full' (fullName [0]) choice can be encoded; any other
     * state, including an instance created without parameters, throws.
     * The tagged object is kept in this.asn1Obj and the hex in this.hTLV.
     * @return {String} hexadecimal string of the encoded structure
     * @throws {Error} when this.type is not "full"
     */
    this.tohex = function() {
        if (this.type != "full") {
            throw new Error("currently type shall be 'full': " + this.type);
        }
        var tagged = new TaggedObject({
            'explicit': false,
            'tag': this.tag,
            'obj': this.asn1V
        });
        this.asn1Obj = tagged;
        this.hTLV = tagged.tohex();
        return this.hTLV;
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params === undefined) return;

    // Accept either a ready GeneralNames instance or a {full: ...} parameter;
    // anything else is rejected.
    var GeneralNames = asn1ns.x509.GeneralNames;
    var isGeneralNames = GeneralNames.prototype.isPrototypeOf(params);
    if (!isGeneralNames && params.full === undefined) {
        throw new Error("This class supports GeneralNames only as argument");
    }
    this.type = "full";
    this.tag = "a0";
    this.asn1V = isGeneralNames ? params : new GeneralNames(params.full);
};
extendClass(KJUR.asn1.x509.DistributionPointName, KJUR.asn1.ASN1Object);
933 
934 /**
935  * CertificatePolicies ASN.1 structure class
936  * @name KJUR.asn1.x509.CertificatePolicies
937  * @class CertificatePolicies ASN.1 structure class
938  * @param {Array} params associative array of parameters
939  * @extends KJUR.asn1.x509.Extension
940  * @since jsrsasign 8.0.23 asn1x509 1.1.12
941  * @see KJUR.asn1.x509.CertificatePolicies
942  * @see KJUR.asn1.x509.PolicyInformation
943  * @see KJUR.asn1.x509.PolicyQualifierInfo
944  * @see KJUR.asn1.x509.UserNotice
945  * @see KJUR.asn1.x509.NoticeReference
946  * @see KJUR.asn1.x509.DisplayText
947  * @description
948  * This class represents 
949  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
950  * CertificatePolicies extension defined in RFC 5280 4.2.1.4</a>.
951  * <pre>
952  * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
953  * CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
954  * </pre>
955  * Its constructor can have following parameters:
956  * <ul>
957  * <li>array - array of {@link KJUR.asn1.x509.PolicyInformation} parameter</li>
958  * <li>critical - boolean: critical flag</li>
959  * </ul>
960  * NOTE: Returned JSON value format have been changed without 
961  * backward compatibility since jsrsasign 9.0.0 asn1x509 2.0.0.
962  * @example
963  * e1 = new KJUR.asn1.x509.CertificatePolicies({
964  *   array: [
965  *     { policyoid: "1.2.3.4.5",
966  *       array: [
967  *         { cps: "https://example.com/repository" },
968  *         { unotice: {
969  *           noticeref: { // CA SHOULD NOT use this by RFC
970  *             org: {type: "ia5", str: "Sample Org"},
971  *             noticenum: [{int: 5}, {hex: "01af"}]
972  *           },
973  *           exptext: {type: "ia5", str: "Sample Policy"}
974  *         }}
975  *       ]
976  *     }
977  *   ],
978  *   critical: true
979  * });
980  */
KJUR.asn1.x509.CertificatePolicies = function(params) {
    KJUR.asn1.x509.CertificatePolicies.superclass.constructor.call(this, params);
    var asn1ns = KJUR.asn1;
    var Sequence = asn1ns.DERSequence;
    var PolicyInformation = asn1ns.x509.PolicyInformation;

    this.params = null;

    /**
     * Build the extension value as a SEQUENCE of PolicyInformation,
     * one per entry of this.params.array, and store it in asn1ExtnValue.
     * The SIZE (1..MAX) constraint is not checked here, so an empty
     * array is encoded as an empty SEQUENCE.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var policies = [];
        for (var idx = 0; idx < this.params.array.length; idx++) {
            var policyParam = this.params.array[idx];
            policies.push(new PolicyInformation(policyParam));
        }
        this.asn1ExtnValue = new Sequence({array: policies});
        return this.asn1ExtnValue.tohex();
    };

    this.oid = "2.5.29.32";
    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.CertificatePolicies, KJUR.asn1.x509.Extension);
1007 
1008 // ===== BEGIN CertificatePolicies related classes =====
1009 /**
1010  * PolicyInformation ASN.1 structure class
1011  * @name KJUR.asn1.x509.PolicyInformation
1012  * @class PolicyInformation ASN.1 structure class
1013  * @param {Array} params JSON object of parameters
1014  * @extends KJUR.asn1.ASN1Object
1015  * @since jsrsasign 8.0.23 asn1x509 1.1.12
1016  * @see KJUR.asn1.x509.CertificatePolicies
1017  * @see KJUR.asn1.x509.PolicyInformation
1018  * @see KJUR.asn1.x509.PolicyQualifierInfo
1019  * @see KJUR.asn1.x509.UserNotice
1020  * @see KJUR.asn1.x509.NoticeReference
1021  * @see KJUR.asn1.x509.DisplayText
1022  * @description
1023  * This class represents 
1024  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
1025  * PolicyInformation defined in RFC 5280 4.2.1.4</a>.
1026  * <pre>
1027  * PolicyInformation ::= SEQUENCE {
1028  *      policyIdentifier   CertPolicyId,
1029  *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
1030  *                         PolicyQualifierInfo OPTIONAL }
1031  * CertPolicyId ::= OBJECT IDENTIFIER
1032  * </pre> Its constructor can have following parameters:
1033  * <ul>
1034  * <li>{String}policyoid - policy OID (ex. "1.2.3.4.5")</li>
1035  * <li>{Object}array - array of {@link KJUR.asn1.x509.PolicyQualifierInfo}
1036  * parameters (OPTIONAL)</li>
1037  * </ul>
1038  * @example
1039  * new KJUR.asn1.x509.PolicyInformation({
1040  *   policyoid: "1.2.3.4.5",
1041  *   array: [
1042  *     { cps: "https://example.com/repository" },
1043  *     { unotice: {
1044  *       noticeref: { // CA SHOULD NOT use this by RFC
1045  *         org: {type: "ia5", str: "Sample Org"},
1046  *         noticenum: [{int: 5}, {hex: "01af"}]
1047  *       },
1048  *       exptext: {type: "ia5", str: "Sample Policy"}
1049  *     }}
1050  *   ]
1051  * })
1052  */
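KJUR.asn1.x509.PolicyInformation = function(params) {
    KJUR.asn1.x509.PolicyInformation.superclass.constructor.call(this,
                                                                 params);
    var _KJUR_asn1 = KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _DERObjectIdentifier = _KJUR_asn1.DERObjectIdentifier,
        _PolicyQualifierInfo = _KJUR_asn1.x509.PolicyQualifierInfo;

    this.params = null;

    /**
     * Encode this PolicyInformation as a DER SEQUENCE of the policy OID
     * followed, when qualifiers are given, by a SEQUENCE of
     * PolicyQualifierInfo.
     * @return {String} hexadecimal string of the encoded structure
     * @throws {Error} when the policyoid parameter is missing
     */
    this.tohex = function() {
        var src = this.params;
        if (src.policyoid === undefined && src.array === undefined)
            throw new Error("parameter oid and array missing");

        // policyIdentifier is not OPTIONAL in PolicyInformation, so a
        // parameter set carrying only qualifiers must be rejected too
        // instead of building an object identifier from undefined.
        if (src.policyoid === undefined)
            throw new Error("parameter policyoid missing");

        // policy oid
        var a = [new _DERObjectIdentifier(src.policyoid)];

        // array of ASN1Object of PolicyQualifierInfo
        if (src.array !== undefined) {
            var aPQI = [];
            for (var i = 0; i < src.array.length; i++) {
                aPQI.push(new _PolicyQualifierInfo(src.array[i]));
            }
            // policyQualifiers is SIZE (1..MAX): omit it when empty
            if (aPQI.length > 0) {
                a.push(new _DERSequence({array: aPQI}));
            }
        }

        var seq = new _DERSequence({array: a});
        return seq.tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.PolicyInformation, KJUR.asn1.ASN1Object);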
1092 
1093 /**
1094  * PolicyQualifierInfo ASN.1 structure class
1095  * @name KJUR.asn1.x509.PolicyQualifierInfo
1096  * @class PolicyQualifierInfo ASN.1 structure class
1097  * @param {Array} params associative array of parameters
1098  * @extends KJUR.asn1.ASN1Object
1099  * @since jsrsasign 8.0.23 asn1x509 1.1.12
1100  * @description
1101  * This class represents 
1102  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
1103  * PolicyQualifierInfo defined in RFC 5280 4.2.1.4</a>.
1104  * <pre>
1105  * PolicyQualifierInfo ::= SEQUENCE {
1106  *      policyQualifierId  PolicyQualifierId,
1107  *      qualifier          ANY DEFINED BY policyQualifierId }
1108  * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
1109  * CPSuri ::= IA5String
1110  * </pre>
1111  * Its constructor can have one of following two parameters:
1112  * <ul>
1113  * <li>{String}cps - URI string for CPS</li>
1114  * <li>{Object}unotice - {@link KJUR.asn1.x509.UserNotice} parameter</li>
1115  * </ul>
1116  * @example
1117  * new PolicyQualifierInfo({
1118  *   cps: "https://example.com/repository/cps"
1119  * })
1120  *
1121  * new PolicyQualifierInfo({
1122  *   unotice: {
1123  *     noticeref: { // CA SHOULD NOT use this by RFC
1124  *       org: {type: "bmp", str: "Sample Org"},
1125  *       noticenum: [{int: 3}, {hex: "01af"}]
1126  *     },
1127  *     exptext: {type: "ia5", str: "Sample Policy"}
1128  *   }
1129  * })
1130  */
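KJUR.asn1.x509.PolicyQualifierInfo = function(params) {
    KJUR.asn1.x509.PolicyQualifierInfo.superclass.constructor.call(this,
                                                                   params);
    var _KJUR_asn1 = KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _DERIA5String = _KJUR_asn1.DERIA5String,
        _DERObjectIdentifier = _KJUR_asn1.DERObjectIdentifier,
        _UserNotice = _KJUR_asn1.x509.UserNotice;

    this.params = null;

    /**
     * Encode this PolicyQualifierInfo as a DER SEQUENCE of the qualifier
     * OID and its value. "cps" takes precedence over "unotice" when
     * both are present.
     * @return {String} hexadecimal string of the encoded structure
     * @throws {Error} when neither cps nor unotice is given
     */
    this.tohex = function() {
        var src = this.params;
        var seq;
        if (src.cps !== undefined) {
            // id-qt-cps with the CPS URI as IA5String
            seq = new _DERSequence({array: [
                new _DERObjectIdentifier({oid: '1.3.6.1.5.5.7.2.1'}),
                new _DERIA5String({str: src.cps})
            ]});
            return seq.tohex();
        }
        if (src.unotice != undefined) {
            // id-qt-unotice with a UserNotice structure
            seq = new _DERSequence({array: [
                new _DERObjectIdentifier({oid: '1.3.6.1.5.5.7.2.2'}),
                new _UserNotice(src.unotice)
            ]});
            return seq.tohex();
        }
        // Without this the method fell off the end and returned
        // undefined, so an unusable qualifier went unnoticed by the
        // caller assembling the enclosing structure.
        throw new Error("parameter cps or unotice missing");
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.PolicyQualifierInfo, KJUR.asn1.ASN1Object);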
1165 
1166 
1167 /**
1168  * UserNotice ASN.1 structure class
1169  * @name KJUR.asn1.x509.UserNotice
1170  * @class UserNotice ASN.1 structure class
1171  * @param {Array} params associative array of parameters
1172  * @extends KJUR.asn1.ASN1Object
1173  * @since jsrsasign 8.0.23 asn1x509 1.1.12
1174  * @description
1175  * This class represents 
1176  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
1177  * UserNotice defined in RFC 5280 4.2.1.4</a>.
1178  * <pre>
1179  * UserNotice ::= SEQUENCE {
1180  *      noticeRef        NoticeReference OPTIONAL,
1181  *      explicitText     DisplayText OPTIONAL }
1182  * </pre>
1183  * Its constructor can have following two parameters:
1184  * <ul>
1185  * <li>{Object}noticeref - {@link KJUR.asn1.x509.NoticeReference} parameter.
1186  * Conforming CAs SHOULD NOT use this by RFC 5280. (OPTIONAL)</li>
1187  * <li>{Object}exptext - explicitText value
1188  * by {@link KJUR.asn1.x509.DisplayText} parameter (OPTIONAL)</li>
1189  * </ul>
1190  * @example
1191  * new UserNotice({
1192  *   noticeref: {
1193  *     org: {type: "bmp", str: "Sample Org"},
1194  *     noticenum: [{int: 3}, {hex: "01af"}]
1195  *   },
1196  *   exptext: {type: "ia5", str: "Sample Policy"}
1197  * })
1198  */
KJUR.asn1.x509.UserNotice = function(params) {
    KJUR.asn1.x509.UserNotice.superclass.constructor.call(this, params);
    var Sequence = KJUR.asn1.DERSequence;
    var DisplayText = KJUR.asn1.x509.DisplayText;
    var NoticeReference = KJUR.asn1.x509.NoticeReference;

    this.params = null;

    /**
     * Encode this UserNotice as a DER SEQUENCE holding noticeRef and
     * explicitText, in that order, for whichever of the two is given.
     * Both fields are optional, so the SEQUENCE may be empty.
     * @return {String} hexadecimal string of the encoded structure
     */
    this.tohex = function() {
        var src = this.params;
        var fields = [];
        if (src.noticeref !== undefined) {
            fields.push(new NoticeReference(src.noticeref));
        }
        if (src.exptext !== undefined) {
            fields.push(new DisplayText(src.exptext));
        }
        return new Sequence({array: fields}).tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.UserNotice, KJUR.asn1.ASN1Object);
1226 
1227 /**
1228  * NoticeReference ASN.1 structure class
1229  * @name KJUR.asn1.x509.NoticeReference
1230  * @class NoticeReference ASN.1 structure class
1231  * @param {Array} params associative array of parameters
1232  * @extends KJUR.asn1.ASN1Object
1233  * @since jsrsasign 8.0.23 asn1x509 1.1.12
1234  * @description
1235  * This class represents 
1236  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
1237  * NoticeReference defined in RFC 5280 4.2.1.4</a>.
1238  * <pre>
1239  * NoticeReference ::= SEQUENCE {
1240  *      organization     DisplayText,
1241  *      noticeNumbers    SEQUENCE OF INTEGER }
1242  * </pre>
1243  * Its constructor can have following two parameters:
1244  * <ul>
1245  * <li>{Object}org - organization by {@link KJUR.asn1.x509.DisplayText}
1246  * parameter.</li>
1247  * <li>{Object}noticenum - noticeNumbers value by an array of
1248  * {@link KJUR.asn1.DERInteger} parameter</li>
1249  * </ul>
1250  * @example
1251  * new NoticeReference({
1252  *   org: {type: "bmp", str: "Sample Org"},
1253  *   noticenum: [{int: 3}, {hex: "01af"}]
1254  * })
1255  */
KJUR.asn1.x509.NoticeReference = function(params) {
    KJUR.asn1.x509.NoticeReference.superclass.constructor.call(this, params);
    var Sequence = KJUR.asn1.DERSequence;
    var Integer = KJUR.asn1.DERInteger;
    var DisplayText = KJUR.asn1.x509.DisplayText;

    this.params = null;

    /**
     * Encode this NoticeReference as a DER SEQUENCE of the organization
     * and the noticeNumbers list, for whichever of the two is given.
     * Only the case where both are missing is rejected; a structure with
     * just one of them is still encoded.
     * @return {String} hexadecimal string of the encoded structure
     * @throws {Error} when neither org nor noticenum is given
     */
    this.tohex = function() {
        var src = this.params;
        var fields = [];
        if (src.org !== undefined) {
            fields.push(new DisplayText(src.org));
        }
        if (src.noticenum !== undefined) {
            var numberParams = src.noticenum;
            var numbers = [];
            for (var idx = 0; idx < numberParams.length; idx++) {
                numbers.push(new Integer(numberParams[idx]));
            }
            fields.push(new Sequence({array: numbers}));
        }
        if (fields.length == 0) {
            throw new Error("parameter is empty");
        }
        return new Sequence({array: fields}).tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.NoticeReference, KJUR.asn1.ASN1Object);
1288 
1289 /**
1290  * DisplayText ASN.1 structure class
1291  * @name KJUR.asn1.x509.DisplayText
1292  * @class DisplayText ASN.1 structure class
1293  * @param {Array} params associative array of parameters
1294  * @extends KJUR.asn1.DERAbstractString
1295  * @since jsrsasign 8.0.23 asn1x509 1.1.12
1296  * @description
1297  * This class represents 
1298  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">
1299  * DisplayText defined in RFC 5280 4.2.1.4</a>.
1300  * <pre>
1301  * -- from RFC 5280 Appendix A
1302  * DisplayText ::= CHOICE {
1303  *      ia5String        IA5String      (SIZE (1..200)),
1304  *      visibleString    VisibleString  (SIZE (1..200)),
1305  *      bmpString        BMPString      (SIZE (1..200)),
1306  *      utf8String       UTF8String     (SIZE (1..200)) }
1307  * </pre>
1308  * {@link KJUR.asn1.DERAbstractString} parameters and methods
1309  * can be used.
1310  * Its constructor can also have following parameter:
1311  * <ul>
1312  * <li>{String} type - DirectoryString type of DisplayText.
1313  * "ia5" for IA5String, "vis" for VisibleString,
1314  * "bmp" for BMPString and "utf8" for UTF8String.
1315  * Default is "utf8". (OPTIONAL)</li>
1316  * </ul>
1317  * @example
1318  * new DisplayText({type: "bmp", str: "Sample Org"})
1319  * new DisplayText({type: "ia5", str: "Sample Org"})
1320  * new DisplayText({str: "Sample Org"})
1321  */
KJUR.asn1.x509.DisplayText = function(params) {
    KJUR.asn1.x509.DisplayText.superclass.constructor.call(this, params);

    // Tag byte of the string type; stays "0c" (utf8) when no type is
    // given or when the type is not one of the three names below.
    this.hT = "0c";

    if (params !== undefined) {
        switch (params.type) {
        case "ia5":
            this.hT = "16";
            break;
        case "vis":
            this.hT = "1a";
            break;
        case "bmp":
            this.hT = "1e";
            break;
        }
    }
};
extendClass(KJUR.asn1.x509.DisplayText, KJUR.asn1.DERAbstractString);
1338 // ===== END CertificatePolicies related classes =====
1339 
1340 // =====================================================================
1341 
1342 /**
1343  * PolicyMappings ASN.1 structure class<br/>
1344  * @name KJUR.asn1.x509.PolicyMappings
1345  * @class PolicyMappings ASN.1 structure class
1346  * @param {Array} params associative array of parameters
1347  * @extends KJUR.asn1.x509.Extension
1348  * @since jsrsasign 10.6.1 asn1x509 2.1.17
1349  * @description
1350  * This class represents 
1351  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.5">
1352  * PolicyMappings extension defined in RFC 5280 4.2.1.5</a>.
1353  * <pre>
1354  * id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }
1355  * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
1356  *    issuerDomainPolicy      CertPolicyId,
1357  *    subjectDomainPolicy     CertPolicyId }
1358  * </pre>
1359  * Its constructor can have following parameters:
1360  * <ul>
1361  * <li>array - Array: one or more pairs of OIDS</li>
1362  * <li>critical - boolean: critical flag</li>
1363  * </ul>
1364  * OID in "array" can use an OID name registered in
1365  * {@link KJUR.asn1.x509.OID} such as "anyPolicy".
1366  * @example
1367  * e1 = new KJUR.asn1.x509.PolicyMappings({
1368  *   array: [["1.2.3", "0.1.2"], ["anyPolicy", "1.2.4"]],
1369  *   critical: true
1370  * });
1371  */
KJUR.asn1.x509.PolicyMappings = function(params) {
    KJUR.asn1.x509.PolicyMappings.superclass.constructor.call(this, params);
    var newObject = KJUR.asn1.ASN1Util.newObject;

    this.params = null;

    /**
     * Build the extension value as a SEQUENCE with one inner SEQUENCE of
     * two OIDs per entry of this.params.array, and store it in
     * asn1ExtnValue. Element 0 of each entry is written first and
     * element 1 second; entries are not checked for having two members.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var src = this.params;
        var mappings = [];
        for (var idx = 0; idx < src.array.length; idx++) {
            var pair = src.array[idx];
            mappings.push({seq: [{oid: pair[0]}, {oid: pair[1]}]});
        }
        this.asn1ExtnValue = newObject({seq: mappings});
        return this.asn1ExtnValue.tohex();
    };

    this.oid = "2.5.29.33";
    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.PolicyMappings, KJUR.asn1.x509.Extension);
1398 
1399 /**
1400  * PolicyConstraints ASN.1 structure class<br/>
1401  * @name KJUR.asn1.x509.PolicyConstraints
1402  * @class PolicyConstraints ASN.1 structure class
1403  * @param {Array} params associative array of parameters
1404  * @extends KJUR.asn1.x509.Extension
1405  * @since jsrsasign 10.6.1 asn1x509 2.1.17
1406  * @description
1407  * This class represents 
1408  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.11">
1409  * PolicyConstraints extension defined in RFC 5280 4.2.1.11</a>.
1410  * <pre>
1411  * id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }
1412  * PolicyConstraints ::= SEQUENCE {
1413  *    requireExplicitPolicy  [0] SkipCerts OPTIONAL,
1414  *    inhibitPolicyMapping   [1] SkipCerts OPTIONAL }
1415  * SkipCerts ::= INTEGER (0..MAX)
1416  * </pre>
1417  * Its constructor can have following parameters:
1418  * <ul>
1419  * <li>reqexp - integer: the number of additional certificates that may appear 
1420  * in the path before an explicit policy is required for the entire path.</li>
1421  * <li>inhibit - integer: the number of additional certificates that may appear 
1422  * in the path before policy mapping is no longer permitted.</li>
1423  * <li>critical - boolean: critical flag</li>
1424  * </ul>
1425  * @example
1426  * e1 = new KJUR.asn1.x509.PolicyConstraints({
1427  *   reqexp: 3,
1428  *   inhibit: 3,
1429  *   critical: true
1430  * });
1431  */
KJUR.asn1.x509.PolicyConstraints = function(params) {
    KJUR.asn1.x509.PolicyConstraints.superclass.constructor.call(this, params);
    var newObject = KJUR.asn1.ASN1Util.newObject;

    this.params = null;

    /**
     * Build the extension value as a SEQUENCE of the tagged integers
     * requireExplicitPolicy ("80") and inhibitPolicyMapping ("81"), for
     * whichever of reqexp and inhibit is given, and store it in
     * asn1ExtnValue. The values are passed on as given; no range check
     * is made here.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var src = this.params;
        var fields = [];
        // loose comparison: null is treated like undefined
        if (src.reqexp != undefined) {
            fields.push({tag: {tagi: "80", obj: {"int": src.reqexp}}});
        }
        if (src.inhibit != undefined) {
            fields.push({tag: {tagi: "81", obj: {"int": src.inhibit}}});
        }
        this.asn1ExtnValue = newObject({"seq": fields});
        return this.asn1ExtnValue.tohex();
    };

    this.oid = "2.5.29.36";
    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.PolicyConstraints, KJUR.asn1.x509.Extension);
1461 
1462 /**
1463  * InhibitAnyPolicy ASN.1 structure class<br/>
1464  * @name KJUR.asn1.x509.InhibitAnyPolicy
1465  * @class InhibitAnyPolicy ASN.1 structure class
1466  * @param {Array} params associative array of parameters
1467  * @extends KJUR.asn1.x509.Extension
1468  * @since jsrsasign 10.6.1 asn1x509 2.1.17
1469  * @description
1470  * This class represents 
1471  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.14">
1472  * InhibitAnyPolicy extension defined in RFC 5280 4.2.1.14</a>.
1473  * <pre>
1474  * id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 }
1475  * InhibitAnyPolicy ::= SkipCerts
1476  * SkipCerts ::= INTEGER (0..MAX)
1477  * </pre>
1478  * Its constructor can have following parameters:
1479  * <ul>
1480  * <li>skip - the number of additional non-self-issued certificates that may appear
1481  * in the path before anyPolicy is no longer permitted</li>
1482  * <li>critical - boolean: critical flag</li>
1483  * </ul>
1484  * @example
1485  * e1 = new KJUR.asn1.x509.InhibitAnyPolicy({
1486  *   skip: 5,
1487  *   critical: true
1488  * });
1489  */
KJUR.asn1.x509.InhibitAnyPolicy = function(params) {
    KJUR.asn1.x509.InhibitAnyPolicy.superclass.constructor.call(this, params);
    var newObject = KJUR.asn1.ASN1Util.newObject;

    this.params = null;

    /**
     * Build the extension value as a single INTEGER taken from
     * this.params.skip and store it in asn1ExtnValue. The value is
     * passed on as given; no range check is made here.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var skipCerts = this.params.skip;
        this.asn1ExtnValue = newObject({"int": skipCerts});
        return this.asn1ExtnValue.tohex();
    };

    this.oid = "2.5.29.54";
    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.InhibitAnyPolicy, KJUR.asn1.x509.Extension);
1510 
1511 // =====================================================================
1512 /**
1513  * NameConstraints ASN.1 structure class<br/>
1514  * @name KJUR.asn1.x509.NameConstraints
1515  * @class NameConstraints ASN.1 structure class
1516  * @param {Array} params associative array of parameters
1517  * @extends KJUR.asn1.x509.Extension
1518  * @since jsrsasign 10.5.16 asn1x509 2.1.13
1519  * @see X509#getExtNameConstraints
1520  * @see KJUR.asn1.x509.GeneralSubtree
1521  * @see KJUR.asn1.x509.GeneralName
1522 
1523  * @description
1524  * This class provides X.509v3 NameConstraints extension
1525  * defined in 
1526  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.10">
1527  * RFC 5280 4.2.1.10</a>.
1528  * <pre>
1529  * id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }
1530  * NameConstraints ::= SEQUENCE {
1531  *   permittedSubtrees  [0]  GeneralSubtrees OPTIONAL,
1532  *   excludedSubtrees   [1]  GeneralSubtrees OPTIONAL }
1533  * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
1534  * GeneralSubtree ::= SEQUENCE {
1535  *   base           GeneralName,
1536  *   minimum   [0]  BaseDistance DEFAULT 0,
1537  *   maximum   [1]  BaseDistance OPTIONAL }
1538  * BaseDistance ::= INTEGER (0..MAX)
1539  * </pre>
1540  *
1541  * @example
1542  * new NameConstraints({permit: [{dns: "example.com"}], critical: true})
1543  * new NameConstraints({exclude: [{uri: "example.com"}], critical: true})
1544  * new NameConstraints({exclude: [{dn: "/C=JP/O=T1"}], critical: true})
1545  * new NameConstraints({
1546  *   critical: true,
1547  *   permit: [{dn: "/C=JP/O=T1"}],
1548  *   exclude: [{dn: "/C=US/O=T1", max: 2}]})
1549  */
KJUR.asn1.x509.NameConstraints = function(params) {
    KJUR.asn1.x509.NameConstraints.superclass.constructor.call(this, params);
    var asn1ns = KJUR.asn1;
    var newObject = asn1ns.ASN1Util.newObject;
    var GeneralSubtree = asn1ns.x509.GeneralSubtree;

    this.params = null;

    /**
     * Build the extension value as a SEQUENCE of permittedSubtrees ("a0")
     * and excludedSubtrees ("a1"), for whichever of permit and exclude is
     * given with a length, and store it in asn1ExtnValue.
     * NOTE(review): when neither list is given the result is an empty
     * SEQUENCE, and an empty list yields an empty subtree list; RFC 5280
     * 4.2.1.10 does not allow an empty NameConstraints, so the caller
     * has to ensure at least one non-empty list.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var src = this.params;
        var fields = [];

        // Wrap every entry of a subtree list in a GeneralSubtree encoder.
        var toSubtrees = function(list) {
            var subtrees = [];
            for (var idx = 0; idx < list.length; idx++) {
                subtrees.push(new GeneralSubtree(list[idx]));
            }
            return subtrees;
        };

        if (src.permit != undefined && src.permit.length != undefined) {
            fields.push({tag: {tagi: "a0", obj: {seq: toSubtrees(src.permit)}}});
        }
        if (src.exclude != undefined && src.exclude.length != undefined) {
            fields.push({tag: {tagi: "a1", obj: {seq: toSubtrees(src.exclude)}}});
        }

        this.asn1ExtnValue = newObject({seq: fields});
        return this.asn1ExtnValue.tohex();
    };

    this.oid = "2.5.29.30";
    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.NameConstraints, KJUR.asn1.x509.Extension);
1589 
1590 /**
1591  * GeneralSubtree ASN.1 structure class<br/>
1592  * @name KJUR.asn1.x509.GeneralSubtree
1593  * @class GeneralSubtree ASN.1 structure class
1594  * @since jsrsasign 10.5.16 asn1x509 2.1.13
1595  * @see KJUR.asn1.x509.NameConstraints
1596  * @see KJUR.asn1.x509.GeneralName
1597  * @see X509#getExtNameConstraints
1598  * @see X509#getGeneralSubtree
1599  *
1600  * @description
1601  * This class provides a encoder for GeneralSubtree 
1602  * defined in 
1603  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.10">
1604  * RFC 5280 4.2.1.10</a>. 
1605  * This will be used for nameConstraints extension.
1606  * <br>
1607  * Here is definition of the ASN.1 syntax:
1608  * <pre>
1609  * GeneralSubtree ::= SEQUENCE {
1610  *   base           GeneralName,
1611  *   minimum   [0]  BaseDistance DEFAULT 0,
1612  *   maximum   [1]  BaseDistance OPTIONAL }
1613  * BaseDistance ::= INTEGER (0..MAX)
1614  * </pre>
1615  * An argument for constructor is the same as
1616  * {@link KJUR.asn1.x509.GeneralName} except
1617  * this has following optional members:
1618  * <ul>
1619  * <li>min - {Number} value for the minimum field</li>
1620  * <li>max - {Number} value for the maximum field</li>
1621  * </ul>
1622  * Please note that min and max must not be specified since
1623  * they are prohibited in RFC 5280; this class does not reject them.
1624  *
1625  * @example
1626  * new GeneralSubtree({dns: "example.com"})
1627  * new GeneralSubtree({uri: ".example.com"})
1628  * new GeneralSubtree({dn: "/C=JP/O=Test1"})
1629  */
KJUR.asn1.x509.GeneralSubtree = function(params) {
    KJUR.asn1.x509.GeneralSubtree.superclass.constructor.call(this);

    var asn1ns = KJUR.asn1;
    var GeneralName = asn1ns.x509.GeneralName;
    var newObject = asn1ns.ASN1Util.newObject;

    this.params = null;

    /**
     * Store the parameter object used by tohex.
     * @param {Object} params GeneralName parameters, optionally with min and max
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * Encode this GeneralSubtree as a DER SEQUENCE of the base
     * GeneralName, then minimum ("80") and maximum ("81") when given.
     * min and max are encoded whenever they are present; nothing here
     * rejects them.
     * @return {String} hexadecimal string of the encoded structure
     */
    this.tohex = function() {
        var src = this.params;
        var fields = [new GeneralName(src)];
        // loose comparison: null is treated like undefined
        if (src.min != undefined) {
            fields.push({tag: {tagi:"80", obj: {"int": src.min}}});
        }
        if (src.max != undefined) {
            fields.push({tag: {tagi:"81", obj: {"int": src.max}}});
        }
        return newObject({seq: fields}).tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) {
        this.setByParam(params);
    }
};
extendClass(KJUR.asn1.x509.GeneralSubtree, KJUR.asn1.ASN1Object);
1661 
1662 // =====================================================================
1663 /**
1664  * ExtKeyUsage ASN.1 structure class
1665  * @name KJUR.asn1.x509.ExtKeyUsage
1666  * @class ExtKeyUsage ASN.1 structure class
1667  * @param {Array} params associative array of parameters
1668  * @extends KJUR.asn1.x509.Extension
1669  * @description
1670  * @example
1671  * e1 = new KJUR.asn1.x509.ExtKeyUsage({
1672  *   critical: true,
1673  *   array: [
1674  *     {oid: '2.5.29.37.0'},  // anyExtendedKeyUsage
1675  *     {name: 'clientAuth'},
1676  *     "1.2.3.4",
1677  *     "serverAuth"
1678  *   ]
1679  * });
1680  * // id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
1681  * // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
1682  * // KeyPurposeId ::= OBJECT IDENTIFIER
1683  */
KJUR.asn1.x509.ExtKeyUsage = function(params) {
    KJUR.asn1.x509.ExtKeyUsage.superclass.constructor.call(this, params);
    var _asn1 = KJUR.asn1;

    /**
     * Build the extension value as a SEQUENCE of OBJECT IDENTIFIERs.
     * Each element is handed unchanged to the DERObjectIdentifier constructor.
     * @param {Array} purposeArray list of key purpose parameters
     */
    this.setPurposeArray = function(purposeArray) {
        var seq = new _asn1.DERSequence();
        // Assigned before filling so the member is set even if an element fails.
        this.asn1ExtnValue = seq;

        var idx = 0;
        while (idx < purposeArray.length) {
            seq.appendASN1Object(new _asn1.DERObjectIdentifier(purposeArray[idx]));
            idx += 1;
        }
    };

    /**
     * Get the hexadecimal encoding of the extension value.
     * @return {String} hexadecimal string of the purpose SEQUENCE
     */
    this.getExtnValueHex = function() {
        var extnValue = this.asn1ExtnValue;
        return extnValue.tohex();
    };

    // id-ce-extKeyUsage
    this.oid = "2.5.29.37";

    if (params !== undefined && params.array !== undefined) {
        this.setPurposeArray(params.array);
    }
};
extendClass(KJUR.asn1.x509.ExtKeyUsage, KJUR.asn1.x509.Extension);
1709 
1710 /**
1711  * AuthorityKeyIdentifier ASN.1 structure class
1712  * @name KJUR.asn1.x509.AuthorityKeyIdentifier
1713  * @class AuthorityKeyIdentifier ASN.1 structure class
1714  * @param {Array} params associative array of parameters (ex. {kid: {hex: '89ab...'}, critical: true})
1715  * @extends KJUR.asn1.x509.Extension
1716  * @since asn1x509 1.0.8
1717  * @description
1718  * This class represents ASN.1 structure for <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.1">AuthorityKeyIdentifier in RFC 5280</a>.
1719  * Constructor of this class may have following parameters.: 
1720  * <ul>
1721  * <li>kid - When key object (RSA, KJUR.crypto.ECDSA/DSA) or PEM string of issuing authority public key or issuer certificate is specified, key identifier will be automatically calculated by the method specified in RFC 5280. When a hexadecimal string is specified, kid will be set explicitly by it.</li>
1722  * <li>isscert - When PEM string of authority certificate is specified, both authorityCertIssuer and authorityCertSerialNumber will be set by the certificate.</li>
1723  * <li>issuer - {@link KJUR.asn1.x509.X500Name} parameter to specify issuer name explicitly.</li>
1724  * <li>sn - hexadecimal string to specify serial number explicitly.</li>
1725  * <li>critical - boolean to specify criticality of this extension
1726  * however conforming CA must mark this extension as non-critical in RFC 5280.</li>
1727  * </ul>
1728  * 
1729  * <pre>
1730  * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
1731  * AuthorityKeyIdentifier ::= SEQUENCE {
1732  *    keyIdentifier             [0] KeyIdentifier           OPTIONAL,
1733  *    authorityCertIssuer       [1] GeneralNames            OPTIONAL,
1734  *    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
1735  * KeyIdentifier ::= OCTET STRING
1736  * </pre>
1737  *
1738  * @example
1739  * // 1. kid by key object
1740  * keyobj = KEYUTIL.getKey("-----BEGIN PUBLIC KEY...");
1741  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({kid: keyobj});
1742  * // 2. kid by PEM string of authority certificate or public key
1743  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({kid: "-----BEGIN..."});
1744  * // 3. specify kid explicitly
1745  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({kid: "8ab1d3..."});
1746  * });
1747  * // 4. issuer and serial number by authority PEM certificate
1748  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({isscert: "-----BEGIN..."});
1749  * // 5. issuer and serial number explicitly
1750  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({
1751  *   issuer: {ldapstr: "O=test,C=US"},
1752  *   sn: {hex: "1ac7..."}});
1753  * // 6. combination
1754  * e1 = new KJUR.asn1.x509.AuthorityKeyIdentifier({
1755  *   kid: "-----BEGIN CERTIFICATE...",
1756  *   isscert: "-----BEGIN CERTIFICATE..."});
1757  */
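KJUR.asn1.x509.AuthorityKeyIdentifier = function(params) {
    KJUR.asn1.x509.AuthorityKeyIdentifier.superclass.constructor.call(this, params);
    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _DERTaggedObject = _KJUR_asn1.DERTaggedObject,
        _GeneralNames = _KJUR_asn1.x509.GeneralNames;

    // Non-empty string made only of whole hexadecimal octets.
    var _reHexOctets = /^(?:[0-9A-Fa-f]{2})+$/;

    // True when s is a string that looks like a PEM certificate. Both
    // markers are compared with -1: a bare indexOf() result is truthy when
    // the marker is missing and falsy only when it sits at index 0.
    function _isCertPEM(s) {
        return typeof s === "string" &&
            s.indexOf("BEGIN ") !== -1 &&
            s.indexOf("CERTIFICATE") !== -1;
    }

    this.asn1KID = null;        // keyIdentifier as DEROctetString
    this.asn1CertIssuer = null; // authorityCertIssuer as X500Name
    this.asn1CertSN = null;     // authorityCertSerialNumber as DERInteger

    /**
     * Encode the extension value from whichever members have been set.
     * Members left null are omitted, so the result can be an empty SEQUENCE.
     * @return {String} hexadecimal string of the AuthorityKeyIdentifier SEQUENCE
     */
    this.getExtnValueHex = function() {
        var a = [];
        if (this.asn1KID) {
            a.push(new _DERTaggedObject({'explicit': false,
                                         'tag': '80',
                                         'obj': this.asn1KID}));
        }
        if (this.asn1CertIssuer) {
            a.push(new _DERTaggedObject({'explicit': false,
                                         'tag': 'a1',
                                         'obj': new _GeneralNames([{dn: this.asn1CertIssuer}])}));
        }
        if (this.asn1CertSN) {
            a.push(new _DERTaggedObject({'explicit': false,
                                         'tag': '82',
                                         'obj': this.asn1CertSN}));
        }

        this.asn1ExtnValue = new _KJUR_asn1.DERSequence({'array': a});
        return this.asn1ExtnValue.tohex();
    };

    /**
     * set keyIdentifier value by DEROctetString parameter, hexadecimal string,
     * key object or PEM string
     * @name setKIDByParam
     * @memberOf KJUR.asn1.x509.AuthorityKeyIdentifier#
     * @function
     * @param {Object} param parameter to set key identifier
     * @since asn1x509 1.0.8
     * @description
     * Accepted forms of param:
     * <ul>
     * <li>{str: "123"} - by raw string</li>
     * <li>{hex: "01af..."} - by hexadecimal value</li>
     * <li>"01af..." - plain hexadecimal string, used as the identifier as is</li>
     * <li>key object accepted by KJUR.crypto.Util.isKey - the identifier is
     * obtained from KEYUTIL.getKeyID</li>
     * <li>string containing "BEGIN " (PEM) - converted by KEYUTIL.getKey and
     * then handled as a key object</li>
     * </ul>
     * Any other value leaves keyIdentifier unset without raising an error.
     *
     * @see KEYUTIL.getKeyID
     *
     * @example
     * o = new KJUR.asn1.x509.AuthorityKeyIdentifier();
     * o.setKIDByParam({hex: '1ad9...'});
     * o.setKIDByParam("-----BEGIN CERTIFICATE...");
     * o.setKIDByParam("-----BEGIN PUBLIC KEY...");
     * o.setKIDByParam(KEYUTIL.getKey("-----BEGIN CERTIFICATE..."));
     */
    this.setKIDByParam = function(param) {
        if (param.str !== undefined || param.hex !== undefined) {
            this.asn1KID = new _KJUR_asn1.DEROctetString(param);
            return;
        }

        // The class documentation allows {kid: "8ab1d3..."}; without this
        // branch such a value was dropped and the extension was issued
        // with no keyIdentifier at all.
        if (typeof param === "string" && _reHexOctets.test(param)) {
            this.asn1KID = new _KJUR_asn1.DEROctetString({hex: param});
            return;
        }

        var isPEM = typeof param === "string" && param.indexOf("BEGIN ") !== -1;
        var isKeyObject = typeof param === "object" && _KJUR.crypto.Util.isKey(param);
        if (!isPEM && !isKeyObject) return;

        // NOTE(review): only the "BEGIN " marker is checked, so a PEM block
        // of any type reaches KEYUTIL.getKey; callers should pass a
        // certificate or a public key.
        var keyobj = isPEM ? KEYUTIL.getKey(param) : param;
        var kid = KEYUTIL.getKeyID(keyobj);
        this.asn1KID = new _KJUR_asn1.DEROctetString({hex: kid});
    };

    /**
     * set authorityCertIssuer value by X500Name parameter or PEM certificate
     * @name setCertIssuerByParam
     * @memberOf KJUR.asn1.x509.AuthorityKeyIdentifier#
     * @function
     * @param {Object} param parameter to set issuer name
     * @since asn1x509 1.0.8
     * @description
     * Accepted forms of param:
     * <ul>
     * <li>object with str/ldapstr/hex/certsubject/certissuer - passed as is
     * to {@link KJUR.asn1.x509.X500Name}</li>
     * <li>PEM certificate string - passed to X500Name as
     * {certissuer: param}</li>
     * </ul>
     * Any other value leaves authorityCertIssuer unset without raising an error.
     *
     * @see KJUR.asn1.x509.X500Name
     * @see KJUR.asn1.x509.GeneralNames
     *
     * @example
     * var o = new KJUR.asn1.x509.AuthorityKeyIdentifier();
     * o.setCertIssuerByParam({str: '/C=US/O=Test'});
     * o.setCertIssuerByParam("-----BEGIN CERTIFICATE...");
     */
    this.setCertIssuerByParam = function(param) {
        if (param.str !== undefined ||
            param.ldapstr !== undefined ||
            param.hex !== undefined ||
            param.certsubject !== undefined ||
            param.certissuer !== undefined) {
            this.asn1CertIssuer = new _KJUR_asn1.x509.X500Name(param);
        } else if (_isCertPEM(param)) {
            // NOTE(review): the "certissuer" key presumably selects the
            // issuer field of the given certificate, not its subject;
            // confirm against X500Name.
            this.asn1CertIssuer = new _KJUR_asn1.x509.X500Name({certissuer: param});
        }
    };

    /**
     * set authorityCertSerialNumber value
     * @name setCertSNByParam
     * @memberOf KJUR.asn1.x509.AuthorityKeyIdentifier#
     * @function
     * @param {Object} param parameter to set serial number
     * @since asn1x509 1.0.8
     * @description
     * Accepted forms of param:
     * <ul>
     * <li>{int: 123} - by integer value</li>
     * <li>{hex: "01af"} - by hexadecimal integer value</li>
     * <li>{bigint: new BigInteger(...)} - by BigInteger value</li>
     * <li>PEM certificate string - the serial number is read from the
     * certificate with X509#getSerialNumberHex</li>
     * </ul>
     * Any other value leaves authorityCertSerialNumber unset without raising
     * an error.
     *
     * @see X509.getSerialNumberHex
     */
    this.setCertSNByParam = function(param) {
        // "int" is the documented form and was previously not recognised;
        // "str" is still tested so existing callers behave as before.
        if (param["int"] !== undefined ||
            param.str !== undefined ||
            param.bigint !== undefined ||
            param.hex !== undefined) {
            this.asn1CertSN = new _KJUR_asn1.DERInteger(param);
        } else if (_isCertPEM(param)) {
            // Only strings carrying both PEM markers reach the certificate
            // parser; key PEMs no longer do.
            var x = new X509();
            x.readCertPEM(param);
            var sn = x.getSerialNumberHex();
            this.asn1CertSN = new _KJUR_asn1.DERInteger({hex: sn});
        }
    };

    // id-ce-authorityKeyIdentifier
    this.oid = "2.5.29.35";
    if (params !== undefined) {
        if (params.kid !== undefined) {
            this.setKIDByParam(params.kid);
        }
        if (params.issuer !== undefined) {
            this.setCertIssuerByParam(params.issuer);
        }
        if (params.sn !== undefined) {
            this.setCertSNByParam(params.sn);
        }

        // The class documentation names this member "isscert" while the
        // code read only "issuersn"; both are accepted so a caller who
        // follows the documentation does not get an extension that lacks
        // issuer and serial number.
        var issuerCertPEM = (params.issuersn !== undefined) ?
            params.issuersn : params.isscert;
        if (_isCertPEM(issuerCertPEM)) {
            this.setCertSNByParam(issuerCertPEM);
            this.setCertIssuerByParam(issuerCertPEM);
        }
    }
};
extendClass(KJUR.asn1.x509.AuthorityKeyIdentifier, KJUR.asn1.x509.Extension);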
1962 
1963 /**
1964  * SubjectKeyIdentifier extension ASN.1 structure class
1965  * @name KJUR.asn1.x509.SubjectKeyIdentifier
1966  * @class SubjectKeyIdentifier ASN.1 structure class
1967  * @param {Array} params associative array of parameters (ex. {kid: {hex: '89ab...'}, critical: true})
1968  * @extends KJUR.asn1.x509.Extension
1969  * @since asn1x509 1.1.7 jsrsasign 8.0.14
1970  * @description
1971  * This class represents ASN.1 structure for 
1972  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.2">
1973  * SubjectKeyIdentifier in RFC 5280</a>.
1974  * Constructor of this class may have following parameters:
1975  * <ul>
1976  * <li>kid - When key object (RSA, KJUR.crypto.ECDSA/DSA) or PEM string of subject public key or certificate is specified, key identifier will be automatically calculated by the method specified in RFC 5280. When a hexadecimal string is specified, kid will be set explicitly by it.</li>
1977  * <li>critical - boolean to specify criticality of this extension
1978  * however conforming CA must mark this extension as non-critical in RFC 5280.</li>
1979  * </ul>
1980  * <pre>
1981  * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
1982  * SubjectKeyIdentifier ::= KeyIdentifier
1983  * KeyIdentifier ::= OCTET STRING
1984  * </pre>
1985  *
1986  * @example
1987  * // set by hexadecimal string
1988  * e = new KJUR.asn1.x509.SubjectKeyIdentifier({kid: {hex: '89ab'}});
1989  * // set by PEM public key or certificate string
1990  * e = new KJUR.asn1.x509.SubjectKeyIdentifier({kid: "-----BEGIN CERTIFICATE..."});
1991  * // set by public key object
1992  * pubkey = KEYUTIL.getKey("-----BEGIN CERTIFICATE...");
1993  * e = new KJUR.asn1.x509.SubjectKeyIdentifier({kid: pubkey});
1994  */
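KJUR.asn1.x509.SubjectKeyIdentifier = function(params) {
    KJUR.asn1.x509.SubjectKeyIdentifier.superclass.constructor.call(this, params);
    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _DEROctetString = _KJUR_asn1.DEROctetString;

    // Non-empty string made only of whole hexadecimal octets.
    var _reHexOctets = /^(?:[0-9A-Fa-f]{2})+$/;

    this.asn1KID = null; // keyIdentifier as DEROctetString

    /**
     * Get the hexadecimal encoding of the extension value.
     * The value is the key identifier OCTET STRING itself, so a key
     * identifier must have been set before this is called.
     * @return {String} hexadecimal string of the KeyIdentifier
     */
    this.getExtnValueHex = function() {
        this.asn1ExtnValue = this.asn1KID;
        return this.asn1ExtnValue.tohex();
    };

    /**
     * set keyIdentifier value by DEROctetString parameter, hexadecimal string,
     * key object or PEM string
     * @name setKIDByParam
     * @memberOf KJUR.asn1.x509.SubjectKeyIdentifier#
     * @function
     * @param {Object} param parameter to set key identifier
     * @since asn1x509 1.1.7 jsrsasign 8.0.14
     * @description
     * Accepted forms of param:
     * <ul>
     * <li>{str: "123"} - by raw string</li>
     * <li>{hex: "01af..."} - by hexadecimal value</li>
     * <li>"01af..." - plain hexadecimal string, used as the identifier as is</li>
     * <li>key object accepted by KJUR.crypto.Util.isKey - the identifier is
     * obtained from KEYUTIL.getKeyID</li>
     * <li>string containing "BEGIN" (PEM) - converted by KEYUTIL.getKey and
     * then handled as a key object</li>
     * </ul>
     * Any other value leaves keyIdentifier unset without raising an error.
     *
     * @see KEYUTIL.getKeyID
     *
     * @example
     * o = new KJUR.asn1.x509.SubjectKeyIdentifier();
     * o.setKIDByParam({hex: '1ad9...'});
     * o.setKIDByParam("-----BEGIN CERTIFICATE...");
     * o.setKIDByParam("-----BEGIN PUBLIC KEY...");
     * o.setKIDByParam(KEYUTIL.getKey("-----BEGIN CERTIFICATE..."));
     */
    this.setKIDByParam = function(param) {
        if (param.str !== undefined || param.hex !== undefined) {
            this.asn1KID = new _DEROctetString(param);
            return;
        }

        // The class documentation says a hexadecimal string sets kid
        // explicitly; without this branch it was dropped and encoding
        // failed later on the null key identifier.
        if (typeof param === "string" && _reHexOctets.test(param)) {
            this.asn1KID = new _DEROctetString({hex: param});
            return;
        }

        var isPEM = typeof param === "string" && param.indexOf("BEGIN") !== -1;
        var isKeyObject = typeof param === "object" && _KJUR.crypto.Util.isKey(param);
        if (!isPEM && !isKeyObject) return;

        // NOTE(review): only the "BEGIN" marker is checked, so a PEM block
        // of any type reaches KEYUTIL.getKey; callers should pass a
        // certificate or a public key.
        var keyobj = isPEM ? KEYUTIL.getKey(param) : param;
        var kid = KEYUTIL.getKeyID(keyobj);
        this.asn1KID = new _DEROctetString({hex: kid});
    };

    // id-ce-subjectKeyIdentifier
    this.oid = "2.5.29.14";
    if (params !== undefined) {
        if (params.kid !== undefined) {
            this.setKIDByParam(params.kid);
        }
    }
};
extendClass(KJUR.asn1.x509.SubjectKeyIdentifier, KJUR.asn1.x509.Extension);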
2077 
2078 /**
2079  * AuthorityInfoAccess ASN.1 structure class
2080  * @name KJUR.asn1.x509.AuthorityInfoAccess
2081  * @class AuthorityInfoAccess ASN.1 structure class
2082  * @param {Array} params JSON object of AuthorityInfoAccess parameters
2083  * @extends KJUR.asn1.x509.Extension
2084  * @since asn1x509 1.0.8
2085  * @see {@link X509#getExtAuthorityInfoAccess}
2086  * @description
2087  * This class represents 
2088  * <a href="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">
2089  * AuthorityInfoAccess extension defined in RFC 5280 4.2.2.1</a>.
2090  * <pre>
2091  * id-pe OBJECT IDENTIFIER  ::=  { id-pkix 1 }
2092  * id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
2093  * AuthorityInfoAccessSyntax  ::=
2094  *         SEQUENCE SIZE (1..MAX) OF AccessDescription
2095  * AccessDescription  ::=  SEQUENCE {
2096  *         accessMethod          OBJECT IDENTIFIER,
2097  *         accessLocation        GeneralName  }
2098  * id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
2099  * id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
2100  * id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
2101  * </pre>
2102  * NOTE: Acceptable parameters have been changed since
2103  * jsrsasign 9.0.0 asn1x509 2.0.0.
2104  * A parameter generated by {@link X509#getAuthorityInfoAccess}
2105  * can be accepted as an argument of this constructor.
2106  * @example
2107  * e1 = new KJUR.asn1.x509.AuthorityInfoAccess({
2108  *   array: [
2109  *     {ocsp: 'http://ocsp.example.org'},
2110  *     {caissuer: 'https://repository.example.org/aaa.crt'}
2111  *   ]
2112  * });
2113  */
KJUR.asn1.x509.AuthorityInfoAccess = function(params) {
    KJUR.asn1.x509.AuthorityInfoAccess.superclass.constructor.call(this, params);

    /**
     * Build the extension value from a list of access descriptions.
     * Each element must have either an "ocsp" or a "caissuer" member whose
     * value is encoded as a uniformResourceIdentifier GeneralName.
     * @param {Array} aParam list of access description parameters
     * @throws {Error} when an element has neither member
     */
    this.setAccessDescriptionArray = function(aParam) {
        var asn1 = KJUR.asn1,
            Sequence = asn1.DERSequence,
            ObjectIdentifier = asn1.DERObjectIdentifier,
            GeneralName = asn1.x509.GeneralName,
            descriptions = [];

        for (var idx = 0; idx < aParam.length; idx++) {
            var entry = aParam[idx];
            var methodOid;
            var location;

            // "ocsp" takes precedence when both members are present.
            if (entry.ocsp !== undefined) {
                methodOid = "1.3.6.1.5.5.7.48.1"; // id-ad-ocsp
                location = entry.ocsp;
            } else if (entry.caissuer !== undefined) {
                methodOid = "1.3.6.1.5.5.7.48.2"; // id-ad-caIssuers
                location = entry.caissuer;
            } else {
                throw new Error("unknown AccessMethod parameter: " +
                                JSON.stringify(entry));
            }

            descriptions.push(new Sequence({array: [
                new ObjectIdentifier({oid: methodOid}),
                new GeneralName({uri: location})
            ]}));
        }

        this.asn1ExtnValue = new Sequence({'array': descriptions});
    };

    /**
     * Get the hexadecimal encoding of the extension value.
     * @return {String} hexadecimal string of the AccessDescription SEQUENCE
     */
    this.getExtnValueHex = function() {
        var extnValue = this.asn1ExtnValue;
        return extnValue.tohex();
    };

    // id-pe-authorityInfoAccess
    this.oid = "1.3.6.1.5.5.7.1.1";

    if (params !== undefined && params.array !== undefined) {
        this.setAccessDescriptionArray(params.array);
    }
};
extendClass(KJUR.asn1.x509.AuthorityInfoAccess, KJUR.asn1.x509.Extension);
2160 
2161 /**
2162  * SubjectAltName ASN.1 structure class<br/>
2163  * @name KJUR.asn1.x509.SubjectAltName
2164  * @class SubjectAltName ASN.1 structure class
2165  * @param {Array} params associative array of parameters
2166  * @extends KJUR.asn1.x509.Extension
2167  * @since jsrsasign 6.2.3 asn1x509 1.0.19
2168  * @see KJUR.asn1.x509.GeneralNames
2169  * @see KJUR.asn1.x509.GeneralName
2170  * @description
2171  * This class provides X.509v3 SubjectAltName extension.
2172  * <pre>
2173  * id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
2174  * SubjectAltName ::= GeneralNames
2175  * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
2176  * GeneralName ::= CHOICE {
2177  *   otherName                  [0] OtherName,
2178  *   rfc822Name                 [1] IA5String,
2179  *   dNSName                    [2] IA5String,
2180  *   x400Address                [3] ORAddress,
2181  *   directoryName              [4] Name,
2182  *   ediPartyName               [5] EDIPartyName,
2183  *   uniformResourceIdentifier  [6] IA5String,
2184  *   iPAddress                  [7] OCTET STRING,
2185  *   registeredID               [8] OBJECT IDENTIFIER }
2186  * </pre>
2187  * @example
2188  * e1 = new KJUR.asn1.x509.SubjectAltName({
2189  *   critical: true,
2190  *   array: [{uri: 'http://aaa.com/'}, {uri: 'http://bbb.com/'}]
2191  * });
2192  */
KJUR.asn1.x509.SubjectAltName = function(params) {
    KJUR.asn1.x509.SubjectAltName.superclass.constructor.call(this, params);

    /**
     * Set the extension value to a GeneralNames built from the given list.
     * @param {Array} paramsArray list of GeneralName parameters
     */
    this.setNameArray = function(paramsArray) {
        var names = new KJUR.asn1.x509.GeneralNames(paramsArray);
        this.asn1ExtnValue = names;
    };

    /**
     * Get the hexadecimal encoding of the extension value.
     * @return {String} hexadecimal string of the GeneralNames
     */
    this.getExtnValueHex = function() {
        var extnValue = this.asn1ExtnValue;
        return extnValue.tohex();
    };

    // id-ce-subjectAltName
    this.oid = "2.5.29.17";

    if (params !== undefined && params.array !== undefined) {
        this.setNameArray(params.array);
    }
};
extendClass(KJUR.asn1.x509.SubjectAltName, KJUR.asn1.x509.Extension);
2212 
2213 /**
2214  * IssuerAltName ASN.1 structure class<br/>
2215  * @name KJUR.asn1.x509.IssuerAltName
2216  * @class IssuerAltName ASN.1 structure class
2217  * @param {Array} params associative array of parameters
2218  * @extends KJUR.asn1.x509.Extension
2219  * @since jsrsasign 6.2.3 asn1x509 1.0.19
2220  * @see KJUR.asn1.x509.GeneralNames
2221  * @see KJUR.asn1.x509.GeneralName
2222  * @description
2223  * This class provides X.509v3 IssuerAltName extension.
2224  * <pre>
2225  * id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }
2226  * IssuerAltName ::= GeneralNames
2227  * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
2228  * GeneralName ::= CHOICE {
2229  *   otherName                  [0] OtherName,
2230  *   rfc822Name                 [1] IA5String,
2231  *   dNSName                    [2] IA5String,
2232  *   x400Address                [3] ORAddress,
2233  *   directoryName              [4] Name,
2234  *   ediPartyName               [5] EDIPartyName,
2235  *   uniformResourceIdentifier  [6] IA5String,
2236  *   iPAddress                  [7] OCTET STRING,
2237  *   registeredID               [8] OBJECT IDENTIFIER }
2238  * </pre>
2239  * @example
2240  * e1 = new KJUR.asn1.x509.IssuerAltName({
2241  *   critical: true,
2242  *   array: [{uri: 'http://aaa.com/'}, {uri: 'http://bbb.com/'}]
2243  * });
2244  */
KJUR.asn1.x509.IssuerAltName = function(params) {
    KJUR.asn1.x509.IssuerAltName.superclass.constructor.call(this, params);

    /**
     * Set the extension value to a GeneralNames built from the given list.
     * @param {Array} paramsArray list of GeneralName parameters
     */
    this.setNameArray = function(paramsArray) {
        var names = new KJUR.asn1.x509.GeneralNames(paramsArray);
        this.asn1ExtnValue = names;
    };

    /**
     * Get the hexadecimal encoding of the extension value.
     * @return {String} hexadecimal string of the GeneralNames
     */
    this.getExtnValueHex = function() {
        var extnValue = this.asn1ExtnValue;
        return extnValue.tohex();
    };

    // id-ce-issuerAltName
    this.oid = "2.5.29.18";

    if (params !== undefined && params.array !== undefined) {
        this.setNameArray(params.array);
    }
};
extendClass(KJUR.asn1.x509.IssuerAltName, KJUR.asn1.x509.Extension);
2264 
2265 /**
2266  * SubjectDirectoryAttributes ASN.1 structure class<br/>
2267  * @name KJUR.asn1.x509.SubjectDirectoryAttributes
2268  * @class SubjectDirectoryAttributes ASN.1 structure class
2269  * @param {Array} params associative array of parameters
2270  * @extends KJUR.asn1.x509.Extension
2271  * @since jsrsasign 10.1.9 asn1x509 2.1.7
2272  * @see
2273  * 
2274  * @description
2275  * This class provides X.509v3 SubjectDirectoryAttributes extension
2276  * defined in <a href="https://tools.ietf.org/html/rfc3739#section-3.3.2">
2277  * RFC 3739 Qualified Certificate Profile section 3.3.2</a>.
2278  * <pre>
2279  * SubjectDirectoryAttributes ::= Attributes
2280  * Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
2281  * Attribute ::= SEQUENCE {
2282  *   type AttributeType 
2283  *   values SET OF AttributeValue }
2284  * AttributeType ::= OBJECT IDENTIFIER
2285  * AttributeValue ::= ANY DEFINED BY AttributeType
2286  * </pre>
2287  * Value of member "array" is an array which has the following associative arrays as elements:
2288  * <ul>
2289  * <li>attr: OID name or value of attribute type (ex. "gender" or "1.2.3.4")</li>
2290  * <li>str: attribute value of pre defined types (See example for registered attribute types)</li>
2291  * <li>array: array of ASN.1 parameters as attribute value (See {@link KJUR.asn1.ASN1Util#newObject})</li>
2292  * </ul>
2293  * <br/>
2294  * NOTE: From jsrsasign 10.8.4, member "array in array" supported for an arbitrary
2295  * attribute value.
2296  *
2297  * @example
2298  * e1 = new KJUR.asn1.x509.SubjectDirectoryAttributes({
2299  *   extname: "subjectDirectoryAttributes",
2300  *   array: [
2301  *     { attr: "dateOfBirth", str: "19701231230000Z" },
2302  *     { attr: "placeOfBirth", str: "Tokyo" },
2303  *     { attr: "gender", str: "F" },
2304  *     { attr: "countryOfCitizenship", str: "JP" },
2305  *     { attr: "countryOfResidence", str: "JP" },
2306  *     { attr: "1.2.3.4.5", array: [{prnstr: {str: "aaa"}}] }
2307  *   ]
2308  * });
2309  */
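KJUR.asn1.x509.SubjectDirectoryAttributes = function(params) {
    KJUR.asn1.x509.SubjectDirectoryAttributes.superclass.constructor.call(this, params);
    var _KJUR_asn1 = KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _newObject = _KJUR_asn1.ASN1Util.newObject,
        _name2oid = _KJUR_asn1.x509.OID.name2oid;

    // newObject key (ASN.1 type) used to encode the "str" value of each
    // predefined attribute name.
    var _valueTypeByAttr = {
        dateOfBirth: "gentime",
        placeOfBirth: "utf8str",
        gender: "prnstr",
        countryOfCitizenship: "prnstr",
        countryOfResidence: "prnstr"
    };

    // Constructor parameter object; its "array" member is read on encoding.
    this.params = null;

    /**
     * Encode the extension value as a SEQUENCE of Attribute.
     * An element with both "attr" and "array" is encoded with the given
     * ASN.1 parameters as its value set; otherwise "attr" must be one of
     * the predefined names and "str" supplies the single value.
     * @return {String} hexadecimal string of the Attributes SEQUENCE
     * @throws {Error} when "attr" is not a predefined name and no "array" is given
     */
    this.getExtnValueHex = function() {
        var a = [];
        for (var i = 0; i < this.params.array.length; i++) {
            var pAttr = this.params.array[i];

            // Arbitrary attribute: type and values are used as supplied.
            if (pAttr.attr != undefined && pAttr.array != undefined) {
                a.push(_newObject({"seq": [{"oid": pAttr.attr}, {"set": pAttr.array}]}));
                continue;
            }

            // hasOwnProperty keeps inherited names such as "toString"
            // from being treated as supported attributes.
            if (!Object.prototype.hasOwnProperty.call(_valueTypeByAttr, pAttr.attr)) {
                throw new Error("unsupported attribute: " + pAttr.attr);
            }

            var value = {};
            value[_valueTypeByAttr[pAttr.attr]] = pAttr.str;

            // newObject is a factory and is called as one; the earlier
            // "new _newObject(...)" only worked because the factory
            // returns an object.
            a.push(_newObject({"seq": [{"oid": _name2oid(pAttr.attr)},
                                       {"set": [value]}]}));
        }

        this.asn1ExtnValue = new _DERSequence({array: a});
        return this.asn1ExtnValue.tohex();
    };

    // id-ce-subjectDirectoryAttributes
    this.oid = "2.5.29.9";
    if (params !== undefined) {
        this.params = params;
    }
};
extendClass(KJUR.asn1.x509.SubjectDirectoryAttributes, KJUR.asn1.x509.Extension);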
2363 
2364 
2365 /**
2366  * private extension ASN.1 structure class<br/>
2367  * @name KJUR.asn1.x509.PrivateExtension
2368  * @class private extension ASN.1 structure class
2369  * @param {Array} params JSON object of private extension
2370  * @extends KJUR.asn1.x509.Extension
2371  * @since jsrsasign 9.1.1 asn1x509 
2372  * @see KJUR.asn1.ASN1Util.newObject
2373  *
2374  * @description
2375  * This class is to represent private extension or 
2376  * unsupported extension. 
2377  * <pre>
2378  * Extension  ::=  SEQUENCE  {
2379  *      extnID      OBJECT IDENTIFIER,
2380  *      critical    BOOLEAN DEFAULT FALSE,
2381  *      extnValue   OCTET STRING }
2382  * </pre>
2383  * Following properties can be set for JSON parameter:
2384  * <ul>
2385  * <li>{String}extname - string of OID or predefined extension name</li>
2386  * <li>{Boolean}critical - critical flag</li>
2387  * <li>{Object}extn - hexadecimal string or
2388  * {@link KJUR.asn1.ASN1Util.newObject}
2389  * JSON parameter for the extnValue field</li>
2390  *
2391  * </ul>
2392  *
2393  * @example
2394  * // extn by hexadecimal
2395  * new KJUR.asn1.x509.PrivateExtension({
2396  *   extname: "1.2.3.4",
2397  *   critical: true,
2398  *   extn: "13026161" // means PrintableString "aa"
2399  * });
2400  *
2401  * // extn by JSON parameter
2402  * new KJUR.asn1.x509.PrivateExtension({
2403  *   extname: "1.2.3.5",
2404  *   extn: {seq: [{prnstr:"abc"},{utf8str:"def"}]}
2405  * });
2406  */
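KJUR.asn1.x509.PrivateExtension = function(params) {
    KJUR.asn1.x509.PrivateExtension.superclass.constructor.call(this, params);

    var _KJUR = KJUR,
        _isHex = _KJUR.lang.String.isHex,
        _KJUR_asn1 = _KJUR.asn1,
        _name2oid = _KJUR_asn1.x509.OID.name2oid,
        _newObject = _KJUR_asn1.ASN1Util.newObject;

    this.params = null;

    /**
     * Store the extension parameters and resolve "extname" into this.oid.
     * @param {Object} params JSON object with extname, extn and optional critical
     */
    this.setByParam = function(params) {
        this.oid = _name2oid(params.extname);
        this.params = params;
    };

    /**
     * Return the extnValue content as a hexadecimal string.
     * A string "extn" that passes isHex is returned unchanged; an object
     * "extn" is encoded through ASN1Util.newObject.
     * @return {String} hexadecimal string of the extension value
     * @throws {Error} when parameters are missing or "extn" cannot be encoded
     */
    this.getExtnValueHex = function() {
        var p = this.params;
        // Also covers an instance that never received parameters
        // (this.params is still null), which previously failed with a
        // TypeError on the property access.
        if (p == undefined || p.extname == undefined || p.extn == undefined) {
            throw new Error("extname or extn not specified");
        }

        var extn = p.extn;
        if (typeof extn == "string" && _isHex(extn)) {
            // NOTE(review): the string is only checked with isHex in this
            // method and is returned as given; it is not parsed as ASN.1
            // here, so the caller is responsible for passing well-formed DER.
            // NOTE(review): marking an extension with a private OID as
            // critical makes validators that do not recognise the OID reject
            // the certificate (RFC 5280 4.2) - confirm that is intended.
            return extn;
        }

        if (typeof extn == "object") {
            var hex;
            try {
                hex = _newObject(extn).tohex();
            } catch (ex) {
                // Report why encoding failed instead of discarding the
                // underlying error.
                throw new Error("unsupported extn value: " + ex);
            }
            return hex;
        }

        throw new Error("unsupported extn value");
    };

    if (params != undefined) {
        this.setByParam(params);
    }
};
extendClass(KJUR.asn1.x509.PrivateExtension, KJUR.asn1.x509.Extension);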
2445 
2446 // === END   X.509v3 Extensions Related =======================================
2447 
2448 // === BEGIN CRL Related ===================================================
2449 /**
2450  * X.509 CRL class to sign and generate hex encoded CRL<br/>
2451  * @name KJUR.asn1.x509.CRL
2452  * @class X.509 CRL class to sign and generate hex encoded CRL
2453  * @property {Array} params JSON object of parameters
2454  * @param {Array} params JSON object of CRL parameters
2455  * @extends KJUR.asn1.ASN1Object
2456  * @since 1.0.3
2457  * @see KJUR.asn1.x509.TBSCertList
2458  * 
2459  * @description
2460  * This class represents CertificateList ASN.1 structure of X.509 CRL
2461  * defined in <a href="https://tools.ietf.org/html/rfc5280#section-5.1">
2462  * RFC 5280 5.1</a>
2463  * <pre>
2464  * CertificateList  ::=  SEQUENCE  {
2465  *     tbsCertList          TBSCertList,
2466  *     signatureAlgorithm   AlgorithmIdentifier,
2467  *     signatureValue       BIT STRING  }
2468  * </pre>
2469  * NOTE: CRL class is updated without backward 
2470  * compatibility from jsrsasign 9.1.0 asn1x509 2.1.0.
2471  * Most of methods are removed and parameters can be set
2472  * by JSON object.
2473  * <br/>
2474  * Constructor of this class can accept all
2475  * parameters of {@link KJUR.asn1.x509.TBSCertList}.
2476  * It also accepts the following additional parameters:
2477  * <ul>
2478  * <li>{TBSCertList}tbsobj (OPTION) - 
2479  * specifies {@link KJUR.asn1.x509.TBSCertList} 
2480  * object to be signed if needed. 
2481  * When this isn't specified, 
2482  * this will be set from other parameters of TBSCertList.</li>
2483  * <li>{Object}cakey (OPTION) - specifies CRL signing private key.
2484  * Parameter "cakey" or "sighex" shall be specified. Following
2485  * values can be specified:
2486  *   <ul>
2487  *   <li>PKCS#1/5 or PKCS#8 PEM string of private key</li>
2488  *   <li>RSAKey/DSA/ECDSA key object. {@link KEYUTIL.getKey} is useful
2489  *   to generate a key object.</li>
2490  *   </ul>
2491  * </li>
2492  * <li>{String}sighex (OPTION) - hexadecimal string of signature value
2493  * (i.e. ASN.1 value(V) of signatureValue BIT STRING without
2494  * unused bits)</li>
2495  * </ul>
2496  *
2497  * @example
2498  * var crl = new KJUR.asn1.x509.CRL({
2499  *  sigalg: "SHA256withRSA",
2500  *  issuer: {str:'/C=JP/O=Test1'},
2501  *  thisupdate: "200821235959Z",
2502  *  nextupdate: "200828235959Z", // OPTION
2503  *  revcert: [{sn: {hex: "12ab"}, date: "200401235959Z"}],
2504  *  ext: [
2505  *   {extname: "cRLNumber", num: {'int': 8}},
2506  *   {extname: "authorityKeyIdentifier", "kid": {hex: "12ab"}}
2507  *  ],
2508  *  cakey: prvkey
2509  * });
2510  * crl.tohex() → "30..."
2511  * crl.getPEM() → "-----BEGIN X509 CRL..."
2512  */
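KJUR.asn1.x509.CRL = function(params) {
    KJUR.asn1.x509.CRL.superclass.constructor.call(this);
    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _DERBitString = _KJUR_asn1.DERBitString,
        _KJUR_asn1_x509 = _KJUR_asn1.x509,
        _AlgorithmIdentifier = _KJUR_asn1_x509.AlgorithmIdentifier,
        _TBSCertList = _KJUR_asn1_x509.TBSCertList;

    this.params = undefined;

    /**
     * Replace the parameter object of this CRL.
     * @param {Object} params JSON object of CRL parameters
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * sign CRL<br/>
     * @name sign
     * @memberOf KJUR.asn1.x509.CRL#
     * @function
     * @description
     * This method signs the TBSCertList with the private key and
     * algorithm given by this.params.cakey and this.params.sigalg and
     * stores the result in this.params.sighex.
     * When this.params.tbsobj is set, that object is the one signed, so
     * the signature covers the same bytes that tohex() embeds; otherwise
     * a TBSCertList is built from this.params.
     * @example
     * crl = new KJUR.asn1.x509.CRL({..., cakey:prvkey});
     * crl.sign()
     */
    this.sign = function() {
        var params = this.params;

        // tohex() emits params.tbsobj. Signing a TBSCertList rebuilt from
        // params instead would yield a signature over different bytes
        // whenever the caller supplied their own tbsobj.
        var tbs = (params.tbsobj != undefined)
            ? params.tbsobj
            : new _TBSCertList(params);

        var sig = new KJUR.crypto.Signature({alg: params.sigalg});
        sig.init(params.cakey);
        sig.updateHex(tbs.tohex());
        params.sighex = sig.sign();
    };

    /**
     * get PEM formatted CRL string after signed<br/>
     * @name getPEM
     * @memberOf KJUR.asn1.x509.CRL#
     * @function
     * @return PEM formatted string of CRL
     * @since jsrsasign 9.1.0 asn1x509 2.1.0
     * @description
     * This method returns a string of PEM formatted CRL.
     * @example
     * crl = new KJUR.asn1.x509.CRL({...});
     * crl.getPEM() →
     * "-----BEGIN X509 CRL-----\r\n..."
     */
    this.getPEM = function() {
        return hextopem(this.tohex(), "X509 CRL");
    };

    /**
     * Encode the CertificateList as a hexadecimal string.
     * Builds params.tbsobj when absent, signs when only cakey is given,
     * then emits SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }.
     * Note that this writes tbsobj and sighex back into the parameter
     * object the caller passed in.
     * @return {String} hexadecimal string of the DER encoded CRL
     * @throws {Error} when neither sighex nor cakey is available
     */
    this.tohex = function() {
        var params = this.params;

        if (params.tbsobj == undefined) {
            params.tbsobj = new _TBSCertList(params);
        }

        // NOTE(review): a caller-supplied sighex takes precedence over cakey
        // and is embedded as given; nothing here checks that it is a valid
        // signature over tbsobj.
        if (params.sighex == undefined && params.cakey != undefined) {
            this.sign();
        }

        if (params.sighex == undefined) {
            throw new Error("sighex or cakey parameter not defined");
        }

        // NOTE(review): the outer signatureAlgorithm is taken from
        // params.sigalg. With a caller-supplied tbsobj, confirm that its
        // inner signature field names the same algorithm, as RFC 5280
        // 5.1.1.2 requires.
        var seq = new _DERSequence({array: [
            params.tbsobj,
            new _AlgorithmIdentifier({name: params.sigalg}),
            // leading "00" is the unused-bits octet of the BIT STRING
            new _DERBitString({hex: "00" + params.sighex})
        ]});
        return seq.tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params != undefined) this.params = params;
};
extendClass(KJUR.asn1.x509.CRL, KJUR.asn1.ASN1Object);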
2597 
2598 /**
2599  * ASN.1 TBSCertList ASN.1 structure class for CRL<br/>
2600  * @name KJUR.asn1.x509.TBSCertList
2601  * @class TBSCertList ASN.1 structure class for CRL
2602  * @property {Array} params JSON object of parameters
2603  * @param {Array} params JSON object of TBSCertList parameters
2604  * @extends KJUR.asn1.ASN1Object
2605  * @since 1.0.3
2606  *
2607  * @description
2608  * This class represents TBSCertList of CRL defined in
2609  * <a href="https://tools.ietf.org/html/rfc5280#section-5.1">
2610  * RFC 5280 5.1</a>.
2611  * <pre>
2612  * TBSCertList  ::=  SEQUENCE  {
2613  *       version                 Version OPTIONAL,
2614  *                                    -- if present, MUST be v2
2615  *       signature               AlgorithmIdentifier,
2616  *       issuer                  Name,
2617  *       thisUpdate              Time,
2618  *       nextUpdate              Time OPTIONAL,
2619  *       revokedCertificates     SEQUENCE OF SEQUENCE  {
2620  *            userCertificate         CertificateSerialNumber,
2621  *            revocationDate          Time,
2622  *            crlEntryExtensions      Extensions OPTIONAL
2623  *                                     -- if present, version MUST be v2
2624  *                                 }  OPTIONAL,
2625  *       crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
2626  * }
2627  * </pre>
2628  * NOTE: TBSCertList class is updated without backward 
2629  * compatibility from jsrsasign 9.1.0 asn1x509 2.1.0.
2630  * Most of methods are removed and parameters can be set
2631  * by JSON object.
2632  * <br/>
2633  * Constructor of this class may have following parameters:
2634  * <ul>
2635  * <li>{Integer}version (OPTION) - version number. Omitted by default.</li>
2636  * <li>{String}sigalg - signature algorithm name</li>
2637  * <li>{Array}issuer - issuer parameter of {@link KJUR.asn1.x509.X500Name}</li>
2638  * <li>{String}thisupdate - thisUpdate field value</li>
2639  * <li>{String}nextupdate (OPTION) - nextUpdate field value</li>
2640  * <li>{Array}revcert (OPTION) - revokedCertificates field value as array
2641  *   Its element may have following property:
2642  *   <ul>
2643  *   <li>{Array}sn - serialNumber of userCertificate field specified
2644  *   by {@link KJUR.asn1.DERInteger}</li>
2645  *   <li>{String}date - revocationDate field specified by
2646  *   a string of {@link KJUR.asn1.x509.Time} parameter</li>
2647  *   <li>{Array}ext (OPTION) - array of CRL entry extension parameter</li>
2648  *   </ul>
2649  * </li>
2650  * </ul>
2651  * 
2652  * @example
2653  * var o = new KJUR.asn1.x509.TBSCertList({
2654  *  sigalg: "SHA256withRSA",
2655  *  issuer: {array: [[{type:'C',value:'JP',ds:'prn'}],
2656  *                   [{type:'O',value:'T1',ds:'prn'}]]},
2657  *  thisupdate: "200821235959Z",
2658  *  nextupdate: "200828235959Z", // OPTION
2659  *  revcert: [
2660  *   {sn: {hex: "12ab"}, date: "200401235959Z", ext: [{extname: "cRLReason", code:1}]},
2661  *   {sn: {hex: "12bc"}, date: "200405235959Z", ext: [{extname: "cRLReason", code:2}]}
2662  *  ],
2663  *  ext: [
2664  *   {extname: "cRLNumber", num: {'int': 8}},
2665  *   {extname: "authorityKeyIdentifier", "kid": {hex: "12ab"}}
2666  *  ]
2667  * });
2668  * o.tohex() → "30..."
2669  */
KJUR.asn1.x509.TBSCertList = function(params) {
    KJUR.asn1.x509.TBSCertList.superclass.constructor.call(this);
    var asn1 = KJUR.asn1,
        x509 = asn1.x509,
        _DERInteger = asn1.DERInteger,
        _DERSequence = asn1.DERSequence,
        _DERTaggedObject = asn1.DERTaggedObject,
        _AlgorithmIdentifier = x509.AlgorithmIdentifier,
        _Time = x509.Time,
        _Extensions = x509.Extensions,
        _X500Name = x509.X500Name;
    this.params = null;

    /**
     * set TBSCertList parameters<br/>
     * @name setByParam
     * @memberOf KJUR.asn1.x509.TBSCertList#
     * @function
     * @param {Array} params JSON object of TBSCertList parameters
     * @description
     * Keeps a reference to the given object; it is not copied, so later
     * changes to it are reflected by tohex().
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * get DERSequence for revokedCertificates<br/>
     * @name getRevCertSequence
     * @memberOf KJUR.asn1.x509.TBSCertList#
     * @function
     * @return {@link KJUR.asn1.DERSequence} of revokedCertificates
     * @description
     * Each element of this.params.revcert becomes
     * SEQUENCE { sn, date [, ext] }.
     */
    this.getRevCertSequence = function() {
        var revoked = this.params.revcert;
        var entries = [];
        for (var idx = 0; idx < revoked.length; idx++) {
            var item = revoked[idx];
            var fields = [new _DERInteger(item.sn), new _Time(item.date)];
            if (item.ext != undefined) {
                fields.push(new _Extensions(item.ext));
            }
            entries.push(new _DERSequence({array: fields}));
        }
        return new _DERSequence({array: entries});
    };

    /**
     * Encode the TBSCertList as a hexadecimal string.
     * Optional fields (version, nextupdate, revcert, ext) are emitted
     * only when present in this.params.
     * @return {String} hexadecimal string of the DER encoded TBSCertList
     */
    this.tohex = function() {
        var p = this.params;
        var fields = [];

        // NOTE(review): version is written only when params.version is
        // given. The TBSCertList definition quoted for this class says
        // extensions require v2, and this encoder does not enforce that;
        // callers passing ext or revcert[].ext should also pass version: 2.
        if (p.version != undefined) {
            // the encoded INTEGER is the version number minus one
            fields.push(new _DERInteger({'int': p.version - 1}));
        }

        fields.push(new _AlgorithmIdentifier({name: p.sigalg}));
        fields.push(new _X500Name(p.issuer));
        fields.push(new _Time(p.thisupdate));
        if (p.nextupdate != undefined) {
            fields.push(new _Time(p.nextupdate));
        }
        if (p.revcert != undefined) {
            fields.push(this.getRevCertSequence());
        }
        if (p.ext != undefined) {
            // crlExtensions is wrapped in an explicit [0] tag
            fields.push(new _DERTaggedObject({
                tag: 'a0',
                explicit: true,
                obj: new _Extensions(p.ext)
            }));
        }

        return (new _DERSequence({array: fields})).tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) {
        this.setByParam(params);
    }
};
extendClass(KJUR.asn1.x509.TBSCertList, KJUR.asn1.ASN1Object);
2755 
2756 /**
2757  * ASN.1 CRLEntry structure class for CRL (DEPRECATED)<br/>
2758  * @name KJUR.asn1.x509.CRLEntry
2759  * @class ASN.1 CRLEntry structure class for CRL
2760  * @param {Array} params JSON object for CRL entry parameter
2761  * @extends KJUR.asn1.ASN1Object
2762  * @since 1.0.3
2763  * @see KJUR.asn1.x509.TBSCertList
2764  * @deprecated since jsrsasign 9.1.0 asn1x509 2.1.0
2765  * @description
2766  * This class is to represent revokedCertificate in TBSCertList.
2767  * However this is no longer used by TBSCertList since
2768  * jsrsasign 9.1.0. So this class has been deprecated in 
2769  * jsrsasign 9.1.0.
2770  * <pre>
2771  * revokedCertificates     SEQUENCE OF SEQUENCE  {
2772  *     userCertificate         CertificateSerialNumber,
2773  *     revocationDate          Time,
2774  *     crlEntryExtensions      Extensions OPTIONAL
2775  *                             -- if present, version MUST be v2 }
2776  * </pre>
2777  * @example
2778  * var e = new KJUR.asn1.x509.CRLEntry({'time': {'str': '130514235959Z'}, 'sn': {'int': 234}});
2779  */
KJUR.asn1.x509.CRLEntry = function(params) {
    KJUR.asn1.x509.CRLEntry.superclass.constructor.call(this);
    var asn1 = KJUR.asn1;

    /**
     * set DERInteger parameter for serial number of revoked certificate
     * @name setCertSerial
     * @memberOf KJUR.asn1.x509.CRLEntry
     * @function
     * @param {Array} intParam DERInteger parameter for certificate serial number
     * @example
     * entry.setCertSerial({'int': 3});
     */
    this.setCertSerial = function(intParam) {
        this.sn = new asn1.DERInteger(intParam);
    };

    /**
     * set Time parameter for revocation date
     * @name setRevocationDate
     * @memberOf KJUR.asn1.x509.CRLEntry
     * @function
     * @param {Array} timeParam Time parameter for revocation date
     * @example
     * entry.setRevocationDate({'str': '130508235959Z'});
     */
    this.setRevocationDate = function(timeParam) {
        this.time = new asn1.x509.Time(timeParam);
    };

    /**
     * Encode SEQUENCE { sn, time } and cache the result in this.TLV.
     * Both this.sn and this.time are used as they are; this method does
     * not check that they have been set.
     * @return {String} hexadecimal string of the DER encoded entry
     */
    this.tohex = function() {
        var entry = new asn1.DERSequence({"array": [this.sn, this.time]});
        var hex = entry.tohex();
        this.TLV = hex;
        return hex;
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params === undefined) {
        return;
    }
    if (params.time !== undefined) {
        this.setRevocationDate(params.time);
    }
    if (params.sn !== undefined) {
        this.setCertSerial(params.sn);
    }
};
extendClass(KJUR.asn1.x509.CRLEntry, KJUR.asn1.ASN1Object);
2832 
2833 /**
2834  * CRLNumber CRL extension ASN.1 structure class<br/>
2835  * @name KJUR.asn1.x509.CRLNumber
2836  * @class CRLNumber CRL extension ASN.1 structure class
2837  * @extends KJUR.asn1.x509.Extension
2838  * @since jsrsasign 9.1.0 asn1x509 2.1.0
2839  * @see KJUR.asn1.x509.TBSCertList
2840  * @see KJUR.asn1.x509.Extensions
2841  * @description
2842  * This class represents ASN.1 structure for
2843  * CRLNumber CRL extension defined in
2844  * <a href="https://tools.ietf.org/html/rfc5280#section-5.2.3">
2845  * RFC 5280 5.2.3</a>.
2846  * <pre>
2847  * id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
2848  * CRLNumber ::= INTEGER (0..MAX)
2849  * </pre>
2850  * Constructor of this class may have following parameters:
2851  * <ul>
2852  * <li>{String}extname - name "cRLNumber". It is ignored in this class but
2853  * required to use with {@link KJUR.asn1.x509.Extensions} class. (OPTION)</li>
2854  * <li>{Object}num - CRLNumber value to specify
2855  * {@link KJUR.asn1.DERInteger} parameter.</li>
2856  * <li>{Boolean}critical - critical flag. Generally false and not specified
2857  * in this class.(OPTION)</li>
2858  * </ul>
2859  *
2860  * @example
2861  * new KJUR.asn1.x509.CRLNumber({extname:'cRLNumber',
2862  *                               num:{'int':147}})
2863  */
KJUR.asn1.x509.CRLNumber = function(params) {
    KJUR.asn1.x509.CRLNumber.superclass.constructor.call(this, params);

    // OID of the cRLNumber extension
    this.oid = "2.5.29.20";
    this.params = (params != undefined) ? params : undefined;

    /**
     * Encode this.params.num as a DER INTEGER and keep the object in
     * this.asn1ExtnValue.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var number = new KJUR.asn1.DERInteger(this.params.num);
        this.asn1ExtnValue = number;
        return number.tohex();
    };
};
extendClass(KJUR.asn1.x509.CRLNumber, KJUR.asn1.x509.Extension);
2877 
2878 /**
2879  * CRLReason CRL entry extension ASN.1 structure class<br/>
2880  * @name KJUR.asn1.x509.CRLReason
2881  * @class CRLReason CRL entry extension ASN.1 structure class
2882  * @extends KJUR.asn1.x509.Extension
2883  * @since jsrsasign 9.1.0 asn1x509 2.1.0
2884  * @see KJUR.asn1.x509.TBSCertList
2885  * @see KJUR.asn1.x509.Extensions
2886  * @description
2887  * This class represents ASN.1 structure for
2888  * CRLReason CRL entry extension defined in
2889  * <a href="https://tools.ietf.org/html/rfc5280#section-5.3.1">
2890  * RFC 5280 5.3.1</a>
2891  * <pre>
2892  * id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
2893  * -- reasonCode ::= { CRLReason }
2894  * CRLReason ::= ENUMERATED {
2895  *      unspecified             (0),
2896  *      keyCompromise           (1),
2897  *      cACompromise            (2),
2898  *      affiliationChanged      (3),
2899  *      superseded              (4),
2900  *      cessationOfOperation    (5),
2901  *      certificateHold         (6),
2902  *      removeFromCRL           (8),
2903  *      privilegeWithdrawn      (9),
2904  *      aACompromise           (10) }
2905  * </pre>
2906  * Constructor of this class may have following parameters:
2907  * <ul>
2908  * <li>{String}extname - name "cRLReason". It is ignored in this class but
2909  * required to use with {@link KJUR.asn1.x509.Extensions} class. (OPTION)</li>
2910  * <li>{Integer}code - reasonCode value</li>
2911  * <li>{Boolean}critical - critical flag. Generally false and not specified
2912  * in this class.(OPTION)</li>
2913  * </ul>
2914  *
2915  * @example
2916  * new KJUR.asn1.x509.CRLReason({extname:'cRLReason',code:4})
2917  */
KJUR.asn1.x509.CRLReason = function(params) {
    KJUR.asn1.x509.CRLReason.superclass.constructor.call(this, params);

    // OID of the cRLReason CRL entry extension
    this.oid = "2.5.29.21";
    this.params = (params != undefined) ? params : undefined;

    /**
     * Encode this.params.code as a DER ENUMERATED and keep the object in
     * this.asn1ExtnValue. The code is passed through as given; it is not
     * checked here against the reason codes listed for this class.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var reason = new KJUR.asn1.DEREnumerated(this.params.code);
        this.asn1ExtnValue = reason;
        return reason.tohex();
    };
};
extendClass(KJUR.asn1.x509.CRLReason, KJUR.asn1.x509.Extension);
2931 
2932 // === END   CRL Related ===================================================
2933 
2934 // === BEGIN OCSP Related ===================================================
2935 /**
2936  * Nonce OCSP extension ASN.1 structure class<br/>
2937  * @name KJUR.asn1.x509.OCSPNonce
2938  * @class Nonce OCSP extension ASN.1 structure class
2939  * @extends KJUR.asn1.x509.Extension
2940  * @since jsrsasign 9.1.6 asn1x509 2.1.2
2941  * @param {Array} params JSON object for Nonce extension
2942  * @see KJUR.asn1.ocsp.ResponseData
2943  * @see KJUR.asn1.x509.Extensions
2944  * @see X509#getExtOCSPNonce
2945  * @description
2946  * This class represents
2947  * Nonce OCSP extension value defined in
2948  * <a href="https://tools.ietf.org/html/rfc6960#section-4.4.1">
2949  * RFC 6960 4.4.1</a> as JSON object.
2950  * <pre>
2951  * id-pkix-ocsp           OBJECT IDENTIFIER ::= { id-ad-ocsp }
2952  * id-pkix-ocsp-nonce     OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
2953  * Nonce ::= OCTET STRING
2954  * </pre>
2955  * Constructor of this class may have following parameters:
2956  * <ul>
2957  * <li>{String}extname - name "ocspNonce". It is ignored in this class but
2958  * required to use with {@link KJUR.asn1.x509.Extensions} class. (OPTION)</li>
2959  * <li>{String}hex - hexadecimal string of nonce value</li>
2960  * <li>{Number}int - integer of nonce value. "hex" or "int" needs to be
2961  * specified.</li>
2962  * <li>{Boolean}critical - critical flag. Generally false and not specified
2963  * in this class.(OPTION)</li>
2964  * </ul>
2965  *
2966  * @example
2967  * new KJUR.asn1.x509.OCSPNonce({extname:'ocspNonce',
2968  *                               hex: '12ab...'})
2969  */
KJUR.asn1.x509.OCSPNonce = function(params) {
    KJUR.asn1.x509.OCSPNonce.superclass.constructor.call(this, params);

    // OID of id-pkix-ocsp-nonce
    this.oid = "1.3.6.1.5.5.7.48.1.2";
    this.params = (params != undefined) ? params : undefined;

    /**
     * Encode the nonce as a DER OCTET STRING and keep the object in
     * this.asn1ExtnValue. The whole parameter object is handed to
     * DEROctetString.
     * NOTE(review): this class only encodes the value it is given. It does
     * not generate the nonce or check its length, so producing an
     * unpredictable value of suitable size is left to the caller.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var nonce = new KJUR.asn1.DEROctetString(this.params);
        this.asn1ExtnValue = nonce;
        return nonce.tohex();
    };
};
extendClass(KJUR.asn1.x509.OCSPNonce, KJUR.asn1.x509.Extension);
2983 
2984 /**
2985  * OCSPNoCheck certificate ASN.1 structure class<br/>
2986  * @name KJUR.asn1.x509.OCSPNoCheck
2987  * @class OCSPNoCheck extension ASN.1 structure class
2988  * @extends KJUR.asn1.x509.Extension
2989  * @since jsrsasign 9.1.6 asn1x509 2.1.2
2990  * @param {Array} params JSON object for OCSPNoCheck extension
2991  * @see KJUR.asn1.x509.Extensions
2992  * @see X509#getExtOCSPNoCheck
2993  * @description
2994  * This class represents
2995  * OCSPNoCheck extension value defined in
2996  * <a href="https://tools.ietf.org/html/rfc6960#section-4.2.2.2.1">
2997  * RFC 6960 4.2.2.2.1</a> as JSON object.
2998  * <pre>
2999  * id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
3000  * </pre>
3001  * Constructor of this class may have following parameters:
3002  * <ul>
3003  * <li>{String}extname - name "ocspNoCheck". It is ignored in this class but
3004  * required to use with {@link KJUR.asn1.x509.Extensions} class. (OPTION)</li>
3005  * <li>{Boolean}critical - critical flag. Generally false and not specified
3006  * in this class.(OPTION)</li>
3007  * </ul>
3008  *
3009  * @example
3010  * new KJUR.asn1.x509.OCSPNoCheck({extname:'ocspNoCheck'})
3011  */
KJUR.asn1.x509.OCSPNoCheck = function(params) {
    KJUR.asn1.x509.OCSPNoCheck.superclass.constructor.call(this, params);

    // OID of id-pkix-ocsp-nocheck
    this.oid = "1.3.6.1.5.5.7.48.1.5";
    this.params = (params != undefined) ? params : undefined;

    /**
     * The extension value is always a DER NULL; this.params is not read.
     * The object is kept in this.asn1ExtnValue.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var nullValue = new KJUR.asn1.DERNull();
        this.asn1ExtnValue = nullValue;
        return nullValue.tohex();
    };
};
extendClass(KJUR.asn1.x509.OCSPNoCheck, KJUR.asn1.x509.Extension);
3025 
3026 // === END   OCSP Related ===================================================
3027 
3028 // === BEGIN Other X.509v3 Extensions========================================
3029 
3030 /**
3031  * AdobeTimeStamp X.509v3 extension ASN.1 encoder class<br/>
3032  * @name KJUR.asn1.x509.AdobeTimeStamp
3033  * @class AdobeTimeStamp X.509v3 extension ASN.1 encoder class
3034  * @extends KJUR.asn1.x509.Extension
3035  * @since jsrsasign 10.0.1 asn1x509 2.1.4
3036  * @param {Array} params JSON object for AdobeTimeStamp extension parameter
3037  * @see KJUR.asn1.x509.Extensions
3038  * @see X509#getExtAdobeTimeStamp
3039  * @description
3040  * This class represents
3041  * AdobeTimeStamp X.509v3 extension value defined in
3042  * <a href="https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/oids.html">
3043  * Adobe site</a> as JSON object.
3044  * <pre>
3045  * adbe- OBJECT IDENTIFIER ::=  { adbe(1.2.840.113583) acrobat(1) security(1) x509Ext(9) 1 }
3046  *  ::= SEQUENCE {
3047  *     version INTEGER  { v1(1) }, -- extension version
3048  *     location GeneralName (In v1 GeneralName can be only uniformResourceIdentifier)
3049  *     requiresAuth        boolean (default false), OPTIONAL }
3050  * </pre>
3051  * Constructor of this class may have following parameters:
3052  * <ul>
3053  * <li>{String}uri - RFC 3161 time stamp service URL</li>
3054  * <li>{Boolean}reqauth - authentication required or not</li>
3055  * </ul>
3056  *
3057  * <br/>
3058  * NOTE: This extension doesn't seem to have an official name. It may be called "pdfTimeStamp".
3059  * @example
3060  * new KJUR.asn1.x509.AdobeTimeStamp({
3061  *   uri: "http://tsa.example.com/",
3062  *   reqauth: true
3063  * })
3064  */
KJUR.asn1.x509.AdobeTimeStamp = function(params) {
    KJUR.asn1.x509.AdobeTimeStamp.superclass.constructor.call(this, params);

    var asn1 = KJUR.asn1,
        _Integer = asn1.DERInteger,
        _Boolean = asn1.DERBoolean,
        _Sequence = asn1.DERSequence,
        _Name = asn1.x509.GeneralName;

    this.oid = "1.2.840.113583.1.1.9.1";
    this.params = null;

    /**
     * Encode SEQUENCE { version(1), location(uri) [, requiresAuth] } and
     * keep the object in this.asn1ExtnValue. requiresAuth is written only
     * when this.params.reqauth is set.
     * NOTE(review): params.uri is wrapped in a GeneralName as given; this
     * method applies no scheme or host check to the time stamp service URL.
     * @return {String} hexadecimal string of the extension value
     */
    this.getExtnValueHex = function() {
        var p = this.params;
        var fields = [
            new _Integer(1),
            new _Name({uri: p.uri})
        ];
        if (p.reqauth != undefined) {
            fields.push(new _Boolean(p.reqauth));
        }

        var value = new _Sequence({array: fields});
        this.asn1ExtnValue = value;
        return value.tohex();
    };

    // setByParam is not defined in this constructor; presumably it is
    // inherited from the superclass - TODO confirm.
    if (params !== undefined) {
        this.setByParam(params);
    }
};
extendClass(KJUR.asn1.x509.AdobeTimeStamp, KJUR.asn1.x509.Extension);
3093  
3094 // === END   Other X.509v3 Extensions========================================
3095 
3096 
3097 // === BEGIN X500Name Related =================================================
3098 /**
3099  * X500Name ASN.1 structure class
3100  * @name KJUR.asn1.x509.X500Name
3101  * @class X500Name ASN.1 structure class
3102  * @param {Array} params associative array of parameters (ex. {'str': '/C=US/O=a'})
3103  * @extends KJUR.asn1.ASN1Object
3104  * @see KJUR.asn1.x509.X500Name
3105  * @see KJUR.asn1.x509.RDN
3106  * @see KJUR.asn1.x509.AttributeTypeAndValue
3107  * @see X509#getX500Name
3108  * @description
3109  * This class provides DistinguishedName ASN.1 class structure
3110  * defined in <a href="https://tools.ietf.org/html/rfc2253#section-2">RFC 2253 section 2</a>.
3111  * <blockquote><pre>
3112  * DistinguishedName ::= RDNSequence
3113  * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
3114  * RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
3115  *   AttributeTypeAndValue
3116  * AttributeTypeAndValue ::= SEQUENCE {
3117  *   type  AttributeType,
3118  *   value AttributeValue }
3119  * </pre></blockquote>
3120  * <br/>
3121  * Argument for the constructor can be one of following parameters:
3122  * <ul>
3123  * <li>{Array}array - array of {@link KJUR.asn1.x509.RDN} parameter</li>
3124  * <li>{String}str - string for distinguished name in OpenSSL oneline format (ex: /C=US/O=test/CN=test) See <a href="https://github.com/kjur/jsrsasign/wiki/NOTE-distinguished-name-representation-in-jsrsasign">this</a> in detail.</li>
3125  * <li>{String}ldapstr - string for distinguished name in LDAP format (ex: CN=test,O=test,C=US)</li>
3126  * <li>{String}hex - hexadecimal string for ASN.1 distinguished name structure</li>
3127  * <li>{String}certissuer - issuer name in the specified PEM certificate</li>
3128  * <li>{String}certsubject - subject name in the specified PEM certificate</li>
3129  * <li>{String}rule - DirectoryString rule (ex. "prn" or "utf8")</li>
3130  * </ul>
3131  * <br/>
3132  * NOTE1: The "array" and "rule" parameters have been supported
3133  * since jsrsasign 9.0.0 asn1x509 2.0.0.
3134  * <br/>
3135  * NOTE2: Multi-valued RDN in "str" parameter have been
3136  * supported since jsrsasign 6.2.1 asn1x509 1.0.17.
3137  * @example
3138  * // 1. construct with array
3139  * new KJUR.asn1.x509.X500Name({array:[
3140  *   [{type:'C',value:'JP',ds:'prn'}],
3141  *   [{type:'O',value:'aaa',ds:'utf8'}, // multi-valued RDN
3142  *    {type:'CN',value:'bob@example.com',ds:'ia5'}]
3143  * ]})
3144  * // 2. construct with string
3145  * new KJUR.asn1.x509.X500Name({str: "/C=US/ST=NY/L=Ballston Spa/STREET=915 Stillwater Ave"});
3146  * new KJUR.asn1.x509.X500Name({str: "/CN=AAA/2.5.4.42=John/surname=Ray"});
3147  * new KJUR.asn1.x509.X500Name({str: "/C=US/O=aaa+CN=contact@example.com"}); // multi valued
3148  * // 3. construct by LDAP string
3149  * new KJUR.asn1.x509.X500Name({ldapstr: "CN=foo@example.com,OU=bbb,C=US"});
3150  * // 4. construct by ASN.1 hex string
3151  * new KJUR.asn1.x509.X500Name({hex: "304c3120..."});
3152  * // 5. construct by subject of PEM certificate
3153  * new KJUR.asn1.x509.X500Name({certsubject: "-----BEGIN CERT..."});
3154  * // 6. construct by issuer of PEM certificate
3155  * new KJUR.asn1.x509.X500Name({certissuer: "-----BEGIN CERT..."});
3156  * // 7. construct by object (DEPRECATED)
3157  * new KJUR.asn1.x509.X500Name({C:"US",O:"aaa",CN:"http://example.com/"});
3158  */
3159 KJUR.asn1.x509.X500Name = function(params) {
3160     KJUR.asn1.x509.X500Name.superclass.constructor.call(this);
3161     this.asn1Array = [];
3162     this.paramArray = [];
3163     this.sRule = "utf8";
3164     var _KJUR = KJUR,
3165 	_KJUR_asn1 = _KJUR.asn1,
3166 	_KJUR_asn1_x509 = _KJUR_asn1.x509,
3167 	_RDN = _KJUR_asn1_x509.RDN,
3168 	_pemtohex = pemtohex;
3169 
3170     /**
3171      * set DN by OpenSSL oneline distinguished name string<br/>
3172      * @name setByString
3173      * @memberOf KJUR.asn1.x509.X500Name#
3174      * @function
3175      * @param {String} dnStr distinguished name by string (ex. /C=US/O=aaa)
3176      * @description
3177      * Sets distinguished name by string. 
3178      * dnStr must be formatted as 
3179      * "/type0=value0/type1=value1/type2=value2...".
3180      * No need to escape a slash in an attribute value.
3181      * @example
3182      * name = new KJUR.asn1.x509.X500Name();
3183      * name.setByString("/C=US/O=aaa/OU=bbb/CN=foo@example.com");
3184      * // no need to escape slash in an attribute value
3185      * name.setByString("/C=US/O=aaa/CN=1980/12/31");
3186      */
    this.setByString = function(dnStr, sRule) {
        if (sRule !== undefined) {
            this.sRule = sRule;
        }

        // Split on "/" and discard whatever precedes the first slash
        // (the empty string for a well-formed "/C=US/..." input).
        var pieces = dnStr.split('/').slice(1);

        // A piece shaped like "type=value" starts a new RDN string; any
        // other piece is glued back onto the previous one with its "/",
        // which is how an unescaped slash inside a value survives.
        // NOTE(review): the converse also holds - a value that itself
        // contains "/type=value" is read as an additional RDN. When the
        // DN is assembled from untrusted text, the "array" constructor
        // form avoids this string parsing.
        // NOTE(review): if the very first piece has no "=", there is no
        // previous element to append to and the piece ends up on index -1,
        // which the loop below never visits - confirm that silently
        // ignoring it is intended.
        var rdnStrings = [];
        var n;
        for (n = 0; n < pieces.length; n++) {
            var piece = pieces[n];
            if (!piece.match(/^[^=]+=.+$/)) {
                var tail = rdnStrings.length - 1;
                rdnStrings[tail] = rdnStrings[tail] + "/" + piece;
                continue;
            }
            rdnStrings.push(piece);
        }

        for (n = 0; n < rdnStrings.length; n++) {
            this.asn1Array.push(new _RDN({'str': rdnStrings[n], rule: this.sRule}));
        }
    };
3206 
3207     /**
3208      * set DN by LDAP(RFC 2253) distinguished name string<br/>
3209      * @name setByLdapString
3210      * @memberOf KJUR.asn1.x509.X500Name#
3211      * @function
3212      * @param {String} dnStr distinguished name by LDAP string (ex. O=aaa,C=US)
3213      * @since jsrsasign 6.2.2 asn1x509 1.0.18
3214      * @see {@link KJUR.asn1.x509.X500Name.ldapToCompat}
3215      * @description
3216      * @example
3217      * name = new KJUR.asn1.x509.X500Name();
3218      * name.setByLdapString("CN=foo@example.com,OU=bbb,O=aaa,C=US");
3219      */
3220     this.setByLdapString = function(dnStr, sRule) {
3221 	if (sRule !== undefined) this.sRule = sRule;
3222 	var compat = _KJUR_asn1_x509.X500Name.ldapToCompat(dnStr);
3223 	this.setByString(compat, sRule);
3224     };
3225 
3226     /**
3227      * set DN by associative array<br/>
3228      * @name setByObject
3229      * @memberOf KJUR.asn1.x509.X500Name#
3230      * @function
3231      * @param {Array} dnObj associative array of DN (ex. {C: "US", O: "aaa"})
3232      * @since jsrsasign 4.9. asn1x509 1.0.13
3233      * @description
3234      * @example
3235      * name = new KJUR.asn1.x509.X500Name();
3236      * name.setByObject({C: "US", O: "aaa", CN="http://example.com/"1});
3237      */
3238     this.setByObject = function(dnObj, sRule) {
3239 	if (sRule !== undefined) this.sRule = sRule;
3240 
3241         // Get all the dnObject attributes and stuff them in the ASN.1 array.
3242         for (var x in dnObj) {
3243             if (dnObj.hasOwnProperty(x)) {
3244                 var newRDN = new _RDN({str: x + '=' + dnObj[x], rule: this.sRule});
3245                 // Initialize or push into the ANS1 array.
3246                 this.asn1Array ? this.asn1Array.push(newRDN)
3247                     : this.asn1Array = [newRDN];
3248             }
3249         }
3250     };
3251 
3252     this.setByParam = function(params) {
3253 	if (params.rule !== undefined) this.sRule = params.rule;
3254 
3255 	if (params.array !== undefined) {
3256 	    this.paramArray = params.array;
3257 	} else {
3258             if (params.str !== undefined) {
3259 		this.setByString(params.str);
3260             } else if (params.ldapstr !== undefined) {
3261 		this.setByLdapString(params.ldapstr);
3262 	    } else if (params.hex !== undefined) {
3263 		this.hTLV = params.hex;
3264             } else if (params.certissuer !== undefined) {
3265 		var x = new X509();
3266 		x.readCertPEM(params.certissuer);
3267 		this.hTLV = x.getIssuerHex();
3268             } else if (params.certsubject !== undefined) {
3269 		var x = new X509();
3270 		x.readCertPEM(params.certsubject);
3271 		this.hTLV = x.getSubjectHex();
3272 		// If params is an object, then set the ASN1 array
3273 		// just using the object attributes. 
3274 		// This is nice for fields that have lots of special
3275 		// characters (i.e. CN: 'https://www.github.com/kjur//').
3276             } else if (typeof params === "object" &&
3277 		       params.certsubject === undefined &&
3278 		       params.certissuer === undefined) {
3279 		this.setByObject(params);
3280             }
3281 	}
3282     }
3283 
3284     this.tohex = function() {
3285         if (typeof this.hTLV == "string") return this.hTLV;
3286 
3287 	if (this.asn1Array.length == 0 && this.paramArray.length > 0) {
3288 	    for (var i = 0; i < this.paramArray.length; i++) {
3289 		var param = {array: this.paramArray[i]};
3290 		if (this.sRule != "utf8") param.rule = this.sRule;
3291 		var asn1RDN = new _RDN(param);
3292 		this.asn1Array.push(asn1RDN);
3293 	    }
3294 	}
3295 
3296         var o = new _KJUR_asn1.DERSequence({"array": this.asn1Array});
3297         this.hTLV = o.tohex();
3298         return this.hTLV;
3299     };
3300     this.getEncodedHex = function() { return this.tohex(); };
3301 
3302     if (params !== undefined) this.setByParam(params);
3303 };
3304 extendClass(KJUR.asn1.x509.X500Name, KJUR.asn1.ASN1Object);
3305 
3306 /**
3307  * convert OpenSSL compat distinguished name format string to LDAP(RFC 2253) format<br/>
3308  * @name compatToLDAP
3309  * @memberOf KJUR.asn1.x509.X500Name
3310  * @function
3311  * @param {String} s distinguished name string in OpenSSL oneline compat (ex. /C=US/O=test)
3312  * @return {String} distinguished name string in LDAP(RFC 2253) format (ex. O=test,C=US)
3313  * @since jsrsasign 8.0.19 asn1x509 1.1.20
3314  * @description
3315  * This static method converts a distinguished name string in OpenSSL compat
3316  * format to LDAP(RFC 2253) format.
3317  * @see <a href="https://github.com/kjur/jsrsasign/wiki/NOTE-distinguished-name-representation-in-jsrsasign">jsrsasign wiki: distinguished name string difference between OpenSSL compat and LDAP(RFC 2253)</a>
3318  * @see <a href="https://www.openssl.org/docs/man1.0.2/man1/openssl-x509.html#NAME-OPTIONS">OpenSSL x509 command manual - NAME OPTIONS</a>
3319  * @example
3320  * KJUR.asn1.x509.X500Name.compatToLDAP("/C=US/O=test") → 'O=test,C=US'
3321  * KJUR.asn1.x509.X500Name.compatToLDAP("/C=US/O=a,a") → 'O=a\,a,C=US'
3322  */
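KJUR.asn1.x509.X500Name.compatToLDAP = function(s) {
    // A plain string is thrown here (not an Error object); kept so that
    // callers which already handle that value keep working.
    if (s.charAt(0) !== "/") throw "malformed input";

    // Components are split on every slash, so a slash inside an attribute
    // value is not understood by this conversion.
    var components = s.substr(1).split("/");

    // LDAP order is the reverse of the OpenSSL compat order.
    components.reverse();

    // Escape every comma in each component. Escaping only the first one
    // would leave later commas looking like RDN separators, so a value such
    // as "a,b,c" would be read back as several RDNs.
    return components.map(function(component) {
        return component.replace(/,/g, "\\,");
    }).join(",");
};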
3335 
3336 /**
3337  * convert OpenSSL compat distinguished name format string to LDAP(RFC 2253) format (DEPRECATED)<br/>
3338  * @name onelineToLDAP
3339  * @memberOf KJUR.asn1.x509.X500Name
3340  * @function
3341  * @param {String} s distinguished name string in OpenSSL compat format (ex. /C=US/O=test)
3342  * @return {String} distinguished name string in LDAP(RFC 2253) format (ex. O=test,C=US)
3343  * @since jsrsasign 6.2.2 asn1x509 1.0.18
3344  * @see KJUR.asn1.x509.X500Name.compatToLDAP
3345  * @description
3346  * This method is deprecated. Please use 
3347  * {@link KJUR.asn1.x509.X500Name.compatToLDAP} instead.
3348  */
KJUR.asn1.x509.X500Name.onelineToLDAP = function(s) {
    // Deprecated alias: hands the argument to compatToLDAP unchanged.
    var ldapStr = KJUR.asn1.x509.X500Name.compatToLDAP(s);
    return ldapStr;
};
3352 
3353 /**
3354  * convert LDAP(RFC 2253) distinguished name format string to OpenSSL compat format<br/>
3355  * @name ldapToCompat
3356  * @memberOf KJUR.asn1.x509.X500Name
3357  * @function
3358  * @param {String} s distinguished name string in LDAP(RFC 2253) format (ex. O=test,C=US)
3359  * @return {String} distinguished name string in OpenSSL compat format (ex. /C=US/O=test)
3360  * @since jsrsasign 8.0.19 asn1x509 1.1.10
3361  * @description
3362  * This static method converts a distinguished name string in 
3363  * LDAP(RFC 2253) format to OpenSSL compat format.
3364  * @see <a href="https://github.com/kjur/jsrsasign/wiki/NOTE-distinguished-name-representation-in-jsrsasign">jsrsasign wiki: distinguished name string difference between OpenSSL compat and LDAP(RFC 2253)</a>
3365  * @example
3366  * KJUR.asn1.x509.X500Name.ldapToCompat('O=test,C=US') → '/C=US/O=test'
3367  * KJUR.asn1.x509.X500Name.ldapToCompat('O=a\,a,C=US') → '/C=US/O=a,a'
3368  * KJUR.asn1.x509.X500Name.ldapToCompat('O=a/a,C=US')  → '/C=US/O=a\/a'
3369  */
KJUR.asn1.x509.X500Name.ldapToCompat = function(s) {
    var pieces = s.split(",");

    // Re-join pieces that were split at an escaped comma ("\,"): a piece
    // that follows one ending in a backslash belongs to the same RDN.
    // NOTE(review): only the last character is inspected, so a value that
    // ends in an escaped backslash right before a separator is also joined.
    var rdns = [];
    var prevEndsWithBackslash = false;
    pieces.forEach(function(piece) {
        if (prevEndsWithBackslash) {
            var merged = rdns.pop() + "," + piece;
            rdns.push(merged.replace(/\\,/g, ","));
        } else {
            rdns.push(piece);
        }
        prevEndsWithBackslash = (piece.slice(-1) === "\\");
    });

    // Compat order is the reverse of LDAP order.
    rdns.reverse();

    // A string pattern replaces the first match only, so just the first
    // slash of each RDN is escaped.
    var escaped = rdns.map(function(rdn) {
        return rdn.replace("/", "\\/");
    });
    return "/" + escaped.join("/");
};
3396 
3397 /**
3398  * convert LDAP(RFC 2253) distinguished name format string to OpenSSL compat format (DEPRECATED)<br/>
3399  * @name ldapToOneline
3400  * @memberOf KJUR.asn1.x509.X500Name
3401  * @function
3402  * @param {String} s distinguished name string in LDAP(RFC 2253) format (ex. O=test,C=US)
3403  * @return {String} distinguished name string in OpenSSL compat format (ex. /C=US/O=test)
3404  * @since jsrsasign 6.2.2 asn1x509 1.0.18
3405  * @description
3406  * This method is deprecated. Please use 
3407  * {@link KJUR.asn1.x509.X500Name.ldapToCompat} instead.
3408  */
KJUR.asn1.x509.X500Name.ldapToOneline = function(s) {
    // Deprecated alias: hands the argument to ldapToCompat unchanged.
    var compatStr = KJUR.asn1.x509.X500Name.ldapToCompat(s);
    return compatStr;
};
3412 
3413 /**
3414  * RDN (Relative Distinguished Name) ASN.1 structure class
3415  * @name KJUR.asn1.x509.RDN
3416  * @class RDN (Relative Distinguished Name) ASN.1 structure class
3417  * @param {Array} params associative array of parameters (ex. {'str': 'C=US'})
3418  * @extends KJUR.asn1.ASN1Object
3419  * @see KJUR.asn1.x509.X500Name
3420  * @see KJUR.asn1.x509.RDN
3421  * @see KJUR.asn1.x509.AttributeTypeAndValue
3422  * @description
3423  * This class provides RelativeDistinguishedName ASN.1 class structure
3424  * defined in <a href="https://tools.ietf.org/html/rfc2253#section-2">RFC 2253 section 2</a>.
3425  * <blockquote><pre>
3426  * RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
3427  *   AttributeTypeAndValue
3428  *
3429  * AttributeTypeAndValue ::= SEQUENCE {
3430  *   type  AttributeType,
3431  *   value AttributeValue }
3432  * </pre></blockquote>
3433  * <br/>
3434  * NOTE1: The "array" and "rule" parameters have been supported
3435  * since jsrsasign 9.0.0 asn1x509 2.0.0.
3436  * <br/>
3437  * NOTE2: Multi-valued RDN in "str" parameter have been
3438  * supported since jsrsasign 6.2.1 asn1x509 1.0.17.
3439  * @example
3440  * new KJUR.asn1.x509.RDN({array: [ // multi-valued
3441  *    {type:"CN",value:"Bob",ds:"prn"},
3442  *    {type:"CN",value:"bob@example.com", ds:"ia5"}
3443  * ]});
3444  * new KJUR.asn1.x509.RDN({str: "CN=test"});
3445  * new KJUR.asn1.x509.RDN({str: "O=a+O=bb+O=c"}); // multi-valued
3446  * new KJUR.asn1.x509.RDN({str: "O=a+O=b\\+b+O=c"}); // plus escaped
3447  * new KJUR.asn1.x509.RDN({str: "O=a+O=\"b+b\"+O=c"}); // double quoted
3448  */
KJUR.asn1.x509.RDN = function(params) {
    KJUR.asn1.x509.RDN.superclass.constructor.call(this);

    // AttributeTypeAndValue objects that make up this RDN.
    this.asn1Array = [];
    // Raw AttributeTypeAndValue parameters from the "array" form; tohex()
    // turns them into objects on first use.
    this.paramArray = [];
    this.sRule = "utf8"; // DEFAULT "utf8"
    var _AttributeTypeAndValue = KJUR.asn1.x509.AttributeTypeAndValue;

    // Applies "rule" first, then "str", then "array"; "str" and "array" are
    // not mutually exclusive here.
    this.setByParam = function(params) {
        if (params.rule !== undefined) {
            this.sRule = params.rule;
        }
        if (params.str !== undefined) {
            this.addByMultiValuedString(params.str);
        }
        if (params.array !== undefined) {
            this.paramArray = params.array;
        }
    };

    /**
     * add one AttributeTypeAndValue by string<br/>
     * @name addByString
     * @memberOf KJUR.asn1.x509.RDN#
     * @function
     * @param {String} s string of AttributeTypeAndValue
     * @return {Object} unspecified
     * @description
     * This method adds one AttributeTypeAndValue, created with the
     * current rule, to the RDN object.
     * @example
     * rdn = new KJUR.asn1.x509.RDN();
     * rdn.addByString("CN=john");
     * rdn.addByString("serialNumber=1234"); // for multi-valued RDN
     */
    this.addByString = function(s) {
        var atv = new KJUR.asn1.x509.AttributeTypeAndValue({'str': s, rule: this.sRule});
        this.asn1Array.push(atv);
    };

    /**
     * add one AttributeTypeAndValue by multi-valued string<br/>
     * @name addByMultiValuedString
     * @memberOf KJUR.asn1.x509.RDN#
     * @function
     * @param {String} s string of multi-valued RDN
     * @return {Object} unspecified
     * @since jsrsasign 6.2.1 asn1x509 1.0.17
     * @description
     * This method splits s with {@link KJUR.asn1.x509.RDN.parseString}
     * and adds each resulting AttributeTypeAndValue to the RDN object.
     * @example
     * rdn = new KJUR.asn1.x509.RDN();
     * rdn.addByMultiValuedString("CN=john+O=test");
     * rdn.addByMultiValuedString("O=a+O=b\\+b\\+b+O=c"); // multi-valued RDN with escaped plus
     * rdn.addByMultiValuedString("O=a+O=\"b+b+b\"+O=c"); // multi-valued RDN with quoted plus
     */
    this.addByMultiValuedString = function(s) {
        var atvStrings = KJUR.asn1.x509.RDN.parseString(s);
        for (var k = 0; k < atvStrings.length; k++) {
            this.addByString(atvStrings[k]);
        }
    };

    // Returns the hexadecimal encoding of the RDN as a DER SET.
    this.tohex = function() {
        var buildFromParams = this.asn1Array.length == 0 && this.paramArray.length > 0;
        if (buildFromParams) {
            for (var k = 0; k < this.paramArray.length; k++) {
                var atvParam = this.paramArray[k];
                // NOTE(review): the RDN rule is written into the caller's
                // parameter object, and only when that object already has
                // its own "rule" and the RDN rule is not "utf8". A parameter
                // without "rule" does not receive the RDN rule - confirm
                // that this is the intended direction of the test.
                if (atvParam.rule !== undefined &&
                    this.sRule != "utf8") {
                    atvParam.rule = this.sRule;
                }
                this.asn1Array.push(new _AttributeTypeAndValue(atvParam));
            }
        }
        var derSet = new KJUR.asn1.DERSet({"array": this.asn1Array});
        this.TLV = derSet.tohex();
        return this.TLV;
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) {
        this.setByParam(params);
    }
};
extendClass(KJUR.asn1.x509.RDN, KJUR.asn1.ASN1Object);
3529 
3530 /**
3531  * parse multi-valued RDN string and split into array of 'AttributeTypeAndValue'<br/>
3532  * @name parseString
3533  * @memberOf KJUR.asn1.x509.RDN
3534  * @function
3535  * @param {String} s multi-valued string of RDN
3536  * @return {Array} array of string of AttributeTypeAndValue
3537  * @since jsrsasign 6.2.1 asn1x509 1.0.17
3538  * @description
3539  * This static method parses multi-valued RDN string and split into
3540  * array of AttributeTypeAndValue.
3541  * @example
3542  * KJUR.asn1.x509.RDN.parseString("CN=john") → ["CN=john"]
3543  * KJUR.asn1.x509.RDN.parseString("CN=john+OU=test") → ["CN=john", "OU=test"]
3544  * KJUR.asn1.x509.RDN.parseString('CN="jo+hn"+OU=test') → ["CN=jo+hn", "OU=test"]
3545  * KJUR.asn1.x509.RDN.parseString('CN=jo\+hn+OU=test') → ["CN=jo+hn", "OU=test"]
3546  * KJUR.asn1.x509.RDN.parseString("CN=john+OU=test+OU=t1") → ["CN=john", "OU=test", "OU=t1"]
3547  */
KJUR.asn1.x509.RDN.parseString = function(s) {
    var rawParts = s.split(/\+/);

    // Pass 1: re-join parts that were split at an escaped plus ("\+").
    // A part that follows one ending in a backslash is appended to it and
    // the escape is removed.
    var unescaped = [];
    var prevEndsWithBackslash = false;
    for (var i = 0; i < rawParts.length; i++) {
        var part = rawParts[i];
        if (prevEndsWithBackslash) {
            var joined = unescaped.pop() + "+" + part;
            unescaped.push(joined.replace(/\\\+/g, "+"));
        } else {
            unescaped.push(part);
        }
        prevEndsWithBackslash = (part.slice(-1) === "\\");
    }

    // Pass 2: re-join parts that belong to one double-quoted value. A part
    // of the form type="... opens a quote; following parts are appended
    // until one ends with a double quote, at which point the surrounding
    // quotes are stripped.
    // NOTE(review): a part that both opens and closes its quote (for
    // example 'CN="john"') still switches quote mode on, so the next part
    // is appended to it and the quotes stay in place.
    var result = [];
    var insideQuote = false;
    for (var j = 0; j < unescaped.length; j++) {
        var piece = unescaped[j];

        if (!insideQuote) {
            result.push(piece);
        } else {
            var pending = result.pop() + "+" + piece;
            if (/"$/.test(piece)) {
                result.push(pending.replace(/^([^=]+)="(.*)"$/, "$1=$2"));
                insideQuote = false;
            } else {
                result.push(pending);
            }
        }

        if (/^[^=]+="/.test(piece)) {
            insideQuote = true;
        }
    }
    return result;
};
3596 
3597 /**
3598  * AttributeTypeAndValue ASN.1 structure class
3599  * @name KJUR.asn1.x509.AttributeTypeAndValue
3600  * @class AttributeTypeAndValue ASN.1 structure class
3601  * @param {Array} params JSON object for parameters (ex. {str: 'C=US'})
3602  * @extends KJUR.asn1.ASN1Object
3603  * @see KJUR.asn1.x509.X500Name
3604  * @see KJUR.asn1.x509.RDN
3605  * @see KJUR.asn1.x509.AttributeTypeAndValue
3606  * @see X509#getAttrTypeAndValue
3607  * @description
3608  * This class generates AttributeTypeAndValue defined in
3609  * <a href="https://tools.ietf.org/html/rfc5280#section-4.1.2.4">
3610  * RFC 5280 4.1.2.4</a>.
3611  * <pre>
3612  * AttributeTypeAndValue ::= SEQUENCE {
3613  *   type     AttributeType,
3614  *   value    AttributeValue }
3615  * AttributeType ::= OBJECT IDENTIFIER
3616  * AttributeValue ::= ANY -- DEFINED BY AttributeType
3617  * </pre>
3618  * The constructor argument can have following parameters:
3619  * <ul>
3620  * <li>{String}type - AttributeType name or OID(ex. C,O,CN)</li>
3621  * <li>{String}value - raw string of ASN.1 value of AttributeValue</li>
3622  * <li>{String}ds - DirectoryString type of AttributeValue</li>
3623  * <li>{String}rule - DirectoryString type rule (ex. "prn" or "utf8")
3624  * set DirectoryString type automatically when "ds" not specified.</li>
3625  * <li>{String}str - AttributeTypeAndValue string (ex. "C=US").
3626  * When type and value don't exist, 
3627  * this "str" will be converted to "type" and "value".
3628  * </li>
3629  * </ul>
3630  * <br/>
3631  * NOTE: Parameters "type", "value", "ds" and "rule" have
3632  * been supported since jsrsasign 9.0.0 asn1x509 2.0.0.
3633  * @example
3634  * new KJUR.asn1.x509.AttributeTypeAndValue({type:'C',value:'US',ds:'prn'})
3635  * new KJUR.asn1.x509.AttributeTypeAndValue({type:'givenName',value:'John',ds:'prn'})
3636  * new KJUR.asn1.x509.AttributeTypeAndValue({type:'2.5.4.9',value:'71 Bowman St',ds:'prn'})
3637  * new KJUR.asn1.x509.AttributeTypeAndValue({str:'O=T1'})
3638  * new KJUR.asn1.x509.AttributeTypeAndValue({str:'streetAddress=71 Bowman St'})
3639  * new KJUR.asn1.x509.AttributeTypeAndValue({str:'O=T1',rule:'prn'})
3640  * new KJUR.asn1.x509.AttributeTypeAndValue({str:'O=T1',rule:'utf8'})
3641  */
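KJUR.asn1.x509.AttributeTypeAndValue = function(params) {
    KJUR.asn1.x509.AttributeTypeAndValue.superclass.constructor.call(this);
    this.sRule = "utf8";  // rule used to pick a string type when "ds" is absent
    this.sType = null;    // attribute type (name or OID string)
    this.sValue = null;   // attribute value as a raw string
    this.dsType = null;   // explicit string type; null means "decide in tohex()"
    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _DERSequence = _KJUR_asn1.DERSequence,
        _DERUTF8String = _KJUR_asn1.DERUTF8String,
        _DERPrintableString = _KJUR_asn1.DERPrintableString,
        _DERTeletexString = _KJUR_asn1.DERTeletexString,
        _DERIA5String = _KJUR_asn1.DERIA5String,
        _DERVisibleString = _KJUR_asn1.DERVisibleString,
        _DERBMPString = _KJUR_asn1.DERBMPString,
        _isMail = _KJUR.lang.String.isMail,
        _isPrintable = _KJUR.lang.String.isPrintable;

    // Reads "rule" and "ds", then takes type and value either from "str"
    // (only when "value" is absent) or from "type"/"value".
    // Throws an Error when "str" is not of the form "type=value".
    this.setByParam = function(params) {
        if (params.rule !== undefined) this.sRule = params.rule;
        if (params.ds !== undefined)   this.dsType = params.ds;

        if (params.value === undefined &&
            params.str !== undefined) {
            var str = params.str;
            // The type is everything up to the first "="; the value is the
            // non-empty remainder.
            var matchResult = str.match(/^([^=]+)=(.+)$/);
            if (matchResult) {
                this.sType = matchResult[1];
                this.sValue = matchResult[2];
            } else {
                // Report the offending input itself. The message used to
                // reference an identifier that does not exist in this
                // scope, which raised a ReferenceError in place of this
                // Error.
                throw new Error("malformed attrTypeAndValueStr: " + str);
            }
        } else {
            this.sType = params.type;
            this.sValue = params.value;
        }
    };

    /*
     * Sets type and value from a "type=value" string; sRule, when given,
     * replaces the current rule. Throws an Error on any other shape.
     * @deprecated
     */
    this.setByString = function(sTypeValue, sRule) {
        if (sRule !== undefined) this.sRule = sRule;
        var matchResult = sTypeValue.match(/^([^=]+)=(.+)$/);
        if (matchResult) {
            this.setByAttrTypeAndValueStr(matchResult[1], matchResult[2]);
        } else {
            // Same fix as in setByParam: name the input that failed.
            throw new Error("malformed attrTypeAndValueStr: " + sTypeValue);
        }
    };

    // Chooses the string type from the rule when no "ds" was given:
    //  - "prn":  ia5 for a CN that looks like a mail address, prn when the
    //            value passes isPrintable, utf8 otherwise
    //  - "utf8": ia5 for a CN that looks like a mail address, prn for C,
    //            utf8 otherwise (the value of C is not checked here)
    //  - any other rule: utf8
    this._getDsType = function() {
        var sType = this.sType;
        var sValue = this.sValue;
        var sRule = this.sRule;

        if (sRule === "prn") {
            if (sType == "CN" && _isMail(sValue)) return "ia5";
            if (_isPrintable(sValue)) return "prn";
            return "utf8";
        } else if (sRule === "utf8") {
            if (sType == "CN" && _isMail(sValue)) return "ia5";
            if (sType == "C") return "prn";
            return "utf8";
        }
        return "utf8"; // default
    };

    // Stores type and value as given; sRule, when given, replaces the
    // current rule.
    this.setByAttrTypeAndValueStr = function(sType, sValue, sRule) {
        if (sRule !== undefined) this.sRule = sRule;
        this.sType = sType;
        this.sValue = sValue;
    };

    // Builds the ASN.1 string object for valueStr.
    // dsType is one of "utf8", "prn", "tel", "ia5", "vis" or "bmp";
    // anything else throws an Error. This method does not itself check
    // that valueStr fits the character set of the chosen type.
    this.getValueObj = function(dsType, valueStr) {
        if (dsType == "utf8") return new _DERUTF8String({"str": valueStr});
        if (dsType == "prn")  return new _DERPrintableString({"str": valueStr});
        if (dsType == "tel")  return new _DERTeletexString({"str": valueStr});
        if (dsType == "ia5")  return new _DERIA5String({"str": valueStr});
        if (dsType == "vis")  return new _DERVisibleString({"str": valueStr});
        if (dsType == "bmp")  return new _DERBMPString({"str": valueStr});
        throw new Error("unsupported directory string type: type=" +
                        dsType + " value=" + valueStr);
    };

    // Returns the hexadecimal encoding of SEQUENCE { type, value }.
    // When no "ds" was given, the type chosen by _getDsType() is stored in
    // dsType and reused by later calls.
    this.tohex = function() {
        if (this.dsType == null) this.dsType = this._getDsType();
        var asn1Type = KJUR.asn1.x509.OID.atype2obj(this.sType);
        var asn1Value = this.getValueObj(this.dsType, this.sValue);
        var o = new _DERSequence({"array": [asn1Type, asn1Value]});
        this.TLV = o.tohex();
        return this.TLV;
    };

    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) {
        this.setByParam(params);
    }
};
extendClass(KJUR.asn1.x509.AttributeTypeAndValue, KJUR.asn1.ASN1Object);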
3747 
3748 // === END   X500Name Related =================================================
3749 
3750 // === BEGIN Other ASN1 structure class  ======================================
3751 
3752 /**
3753  * SubjectPublicKeyInfo ASN.1 structure class
3754  * @name KJUR.asn1.x509.SubjectPublicKeyInfo
3755  * @class SubjectPublicKeyInfo ASN.1 structure class
3756  * @param {Object} params parameter for subject public key
3757  * @extends KJUR.asn1.ASN1Object
3758  * @description
3759  * <br/>
3760  * As for argument 'params' for constructor, you can specify one of
3761  * following properties:
3762  * <ul>
3763  * <li>{@link RSAKey} object</li>
3764  * <li>{@link KJUR.crypto.ECDSA} object</li>
3765  * <li>{@link KJUR.crypto.DSA} object</li>
3766  * </ul>
3767  * NOTE1: 'params' can be omitted.<br/>
3768  * NOTE2: DSA/ECDSA key object is also supported since asn1x509 1.0.6.<br/>
3769  * <h4>EXAMPLE</h4>
3770  * @example
3771  * spki = new KJUR.asn1.x509.SubjectPublicKeyInfo(RSAKey_object);
3772  * spki = new KJUR.asn1.x509.SubjectPublicKeyInfo(KJURcryptoECDSA_object);
3773  * spki = new KJUR.asn1.x509.SubjectPublicKeyInfo(KJURcryptoDSA_object);
3774  */
KJUR.asn1.x509.SubjectPublicKeyInfo = function(params) {
    KJUR.asn1.x509.SubjectPublicKeyInfo.superclass.constructor.call(this);

    // These two locals are never read; the methods below work on
    // this.asn1AlgId and this.asn1SubjPKey.
    var asn1AlgId = null;
    var asn1SubjPKey = null;

    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;
    var _DERInteger = _KJUR_asn1.DERInteger;
    var _DERBitString = _KJUR_asn1.DERBitString;
    var _DERObjectIdentifier = _KJUR_asn1.DERObjectIdentifier;
    var _DERSequence = _KJUR_asn1.DERSequence;
    var _newObject = _KJUR_asn1.ASN1Util.newObject;
    var _KJUR_asn1_x509 = _KJUR_asn1.x509;
    var _AlgorithmIdentifier = _KJUR_asn1_x509.AlgorithmIdentifier;
    var _KJUR_crypto = _KJUR.crypto;
    var _KJUR_crypto_ECDSA = _KJUR_crypto.ECDSA;
    var _KJUR_crypto_DSA = _KJUR_crypto.DSA;

    /*
     * Returns SEQUENCE { algorithm, subjectPublicKey } as an ASN.1 object.
     * Throws the string "algId and/or subjPubKey not set" when either part
     * is missing.
     * @since asn1x509 1.0.7
     */
    this.getASN1Object = function() {
        var incomplete = (this.asn1AlgId == null || this.asn1SubjPKey == null);
        if (incomplete) {
            throw "algId and/or subjPubKey not set";
        }
        return new _DERSequence({'array': [this.asn1AlgId, this.asn1SubjPKey]});
    };

    // Returns the hexadecimal encoding and keeps it in hTLV.
    this.tohex = function() {
        this.hTLV = this.getASN1Object().tohex();
        return this.hTLV;
    };
    this.getEncodedHex = function() { return this.tohex(); };

    /**
     * @name setPubKey
     * @memberOf KJUR.asn1.x509.SubjectPublicKeyInfo#
     * @function
     * @param {Object} {@link RSAKey}, {@link KJUR.crypto.ECDSA} or {@link KJUR.crypto.DSA} object
     * @since jsrsasign 8.0.0 asn1x509 1.1.0
     * @description
     * Sets the algorithm identifier and the public key bit string from a
     * key object. Each key type is probed in its own try/catch block and
     * every exception raised inside a block is discarded, including one
     * raised while the ASN.1 objects are being built.
     * <br/>
     * NOTE(review): a key of an unsupported type, or one that fails to
     * encode, leaves the object as it was. The problem then shows up only
     * when getASN1Object() throws, or not at all when an earlier key is
     * still in place. Callers should confirm that the key was accepted
     * before the result goes into a certificate or a request.
     * @example
     * spki = new KJUR.asn1.x509.SubjectPublicKeyInfo();
     * pubKey = KEYUTIL.getKey(PKCS8PUBKEYPEM);
     * spki.setPubKey(pubKey);
     */
    this.setPubKey = function(key) {
        // RSA: SEQUENCE { modulus, publicExponent } wrapped in a bit string.
        try {
            if (key instanceof RSAKey) {
                var rsaPubSeq = _newObject({
                    'seq': [{'int': {'bigint': key.n}}, {'int': {'int': key.e}}]
                });
                var rsaPubHex = rsaPubSeq.tohex();
                this.asn1AlgId = new _AlgorithmIdentifier({'name':'rsaEncryption'});
                // Leading '00' is the unused-bits octet of the bit string.
                this.asn1SubjPKey = new _DERBitString({'hex':'00'+rsaPubHex});
            }
        } catch(ex) {};

        // ECDSA: the curve name goes into the algorithm parameters.
        // NOTE(review): key.pubKeyHex is concatenated without a check that
        // it is set - confirm that the key object carries a public key.
        try {
            if (key instanceof KJUR.crypto.ECDSA) {
                var curveOid = new _DERObjectIdentifier({'name': key.curveName});
                this.asn1AlgId =
                    new _AlgorithmIdentifier({'name': 'ecPublicKey',
                                              'asn1params': curveOid});
                this.asn1SubjPKey = new _DERBitString({'hex': '00' + key.pubKeyHex});
            }
        } catch(ex) {};

        // DSA: p, q and g go into the algorithm parameters, y is the key.
        try {
            if (key instanceof KJUR.crypto.DSA) {
                var dsaParams = new _newObject({
                    'seq': [{'int': {'bigint': key.p}},
                            {'int': {'bigint': key.q}},
                            {'int': {'bigint': key.g}}]
                });
                this.asn1AlgId =
                    new _AlgorithmIdentifier({'name': 'dsa',
                                              'asn1params': dsaParams});
                var dsaPubInt = new _DERInteger({'bigint': key.y});
                this.asn1SubjPKey =
                    new _DERBitString({'hex': '00' + dsaPubInt.tohex()});
            }
        } catch(ex) {};
    };

    if (params !== undefined) {
        this.setPubKey(params);
    }
};
extendClass(KJUR.asn1.x509.SubjectPublicKeyInfo, KJUR.asn1.ASN1Object);
3866 
3867 /**
3868  * Time ASN.1 structure class<br/>
3869  * @name KJUR.asn1.x509.Time
3870  * @class Time ASN.1 structure class
3871  * @param {Array} params associative array of parameters (ex. {'str': '130508235959Z'})
3872  * @extends KJUR.asn1.ASN1Object
3873  * @see KJUR.asn1.DERUTCTime
3874  * @see KJUR.asn1.DERGeneralizedTime
3875  * @description
3876  * This class represents Time ASN.1 structure defined in 
3877  * <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>
3878  * <pre>
3879  * Time ::= CHOICE {
3880  *      utcTime        UTCTime,
3881  *      generalTime    GeneralizedTime }
3882  * </pre>
3883  *
3884  * @example
3885  * var t1 = new KJUR.asn1.x509.Time({'str': '130508235959Z'}) // UTCTime by default
3886  * var t2 = new KJUR.asn1.x509.Time({'type': 'gen',  'str': '20130508235959Z'}) // GeneralizedTime
3887  */
KJUR.asn1.x509.Time = function(params) {
    KJUR.asn1.x509.Time.superclass.constructor.call(this);

    // These two locals are never read by the methods below.
    var type = null;
    var timeParams = null;

    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;
    var _DERUTCTime = _KJUR_asn1.DERUTCTime;
    var _DERGeneralizedTime = _KJUR_asn1.DERGeneralizedTime;

    // Constructor argument as given (string or object); read by tohex().
    this.params = null;
    // Consulted by tohex() only when no time string was supplied. Nothing
    // in this constructor assigns it a value other than null.
    this.type = null;

    // deprecated: stores the argument in timeParams, which tohex() does
    // not read.
    this.setTimeParams = function(timeParams) {
        this.timeParams = timeParams;
    };

    this.setByParam = function(params) {
        this.params = params;
    };

    // Classifies a time string by its digit count: 12 digits plus "Z" is
    // "utc", 14 digits plus "Z" is "gen", each with an optional fractional
    // part. Returns null for any other shape. Only the shape is examined,
    // not whether the digits form a valid date.
    this.getType = function(s) {
        if (s.match(/^[0-9]{12}(?:\.[0-9]+)?Z$/)) return "utc";
        if (s.match(/^[0-9]{14}(?:\.[0-9]+)?Z$/)) return "gen";
        return null;
    };

    // Returns the hexadecimal encoding of the time value.
    // With a time string: encodes it as the given or detected type and
    // throws an Error when the type is neither "utc" nor "gen".
    // Without a time string: builds the time object with no argument.
    // When this.params is an object that has no type, the detected type is
    // written back into that object.
    this.tohex = function() {
        var p = this.params;
        if (typeof p == "string") {
            p = {str: p};
        }

        var timeObj = null;
        if (p != null && p.str) {
            if (p.type == null) {
                p.type = this.getType(p.str);
            }
            if (p.type == "utc") timeObj = new _DERUTCTime(p.str);
            if (p.type == "gen") timeObj = new _DERGeneralizedTime(p.str);
        } else if (this.type == "gen") {
            timeObj = new _DERGeneralizedTime();
        } else {
            timeObj = new _DERUTCTime();
        }

        if (timeObj == null) {
            throw new Error("wrong setting for Time");
        }
        this.TLV = timeObj.tohex();
        return this.TLV;
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params != undefined) {
        this.setByParam(params);
    }
};
3946 
// Earlier Time implementation kept next to the current one.
// NOTE(review): the extendClass call below registers KJUR.asn1.x509.Time;
// no such call for Time_bak is visible in this section, so confirm whether
// this constructor is still meant to be usable.
KJUR.asn1.x509.Time_bak = function(params) {
    KJUR.asn1.x509.Time_bak.superclass.constructor.call(this);

    // These two locals are never read by the methods below.
    var type = null;
    var timeParams = null;

    var _KJUR = KJUR;
    var _KJUR_asn1 = _KJUR.asn1;
    var _DERUTCTime = _KJUR_asn1.DERUTCTime;
    var _DERGeneralizedTime = _KJUR_asn1.DERGeneralizedTime;

    this.setTimeParams = function(timeParams) {
        this.timeParams = timeParams;
    };

    // Encodes as UTCTime when type is "utc", otherwise as GeneralizedTime;
    // timeParams is handed to the time class when it is set.
    this.tohex = function() {
        var hasParams = (this.timeParams != null);
        var TimeClass = (this.type == "utc") ? _DERUTCTime : _DERGeneralizedTime;
        var timeObj = hasParams ? new TimeClass(this.timeParams) : new TimeClass();

        this.TLV = timeObj.tohex();
        return this.TLV;
    };
    this.getEncodedHex = function() { return this.tohex(); };

    // "utc" unless the argument names a type or carries a 14-digit string.
    this.type = "utc";
    if (params !== undefined) {
        if (params.type !== undefined) {
            this.type = params.type;
        } else if (params.str !== undefined) {
            if (params.str.match(/^[0-9]{12}Z$/)) this.type = "utc";
            if (params.str.match(/^[0-9]{14}Z$/)) this.type = "gen";
        }
        this.timeParams = params;
    }
};
// Registers the current Time class (not Time_bak) as an ASN1Object subclass.
extendClass(KJUR.asn1.x509.Time, KJUR.asn1.ASN1Object);
3995 
3996 /**
3997  * AlgorithmIdentifier ASN.1 structure class
3998  * @name KJUR.asn1.x509.AlgorithmIdentifier
3999  * @class AlgorithmIdentifier ASN.1 structure class
4000  * @param {Array} params associative array of parameters (ex. {'name': 'SHA1withRSA'})
4001  * @extends KJUR.asn1.ASN1Object
4002  * @description
4003  * The 'params' argument is an associative array and has following parameters:
4004  * <ul>
4005  * <li>name: algorithm name (MANDATORY, ex. sha1, SHA256withRSA)</li>
4006  * <li>asn1params: explicitly specify ASN.1 object for algorithm.
4007  * (OPTION)</li>
4008  * <li>paramempty: set algorithm parameter to NULL by force.
4009  * If paramempty is false, algorithm parameter will be set automatically.
4010  * If paramempty is false and algorithm name is "*withDSA" or "withECDSA", the parameter field of
4011  * AlgorithmIdentifier will be omitted; otherwise
4012  * it will be NULL by default.
4013  * (OPTION, DEFAULT = false)</li>
4014  * </ul>
4015  * RSA-PSS algorithm names such as SHA{,256,384,512}withRSAandMGF1 are
4016  * special names. They will set a suite of algorithm OID and multiple algorithm
4017  * parameters. Its ASN.1 schema is defined in 
4018  * <a href="https://tools.ietf.org/html/rfc3447#appendix-A.2.3">RFC 3447 PKCS#1 2.1
4019  * section A.2.3</a>.
4020  * <blockquote><pre>
4021  * id-RSASSA-PSS  OBJECT IDENTIFIER ::= { pkcs-1 10 }
4022  * RSASSA-PSS-params ::= SEQUENCE {
4023  *   hashAlgorithm      [0] HashAlgorithm    DEFAULT sha1,
4024  *   maskGenAlgorithm   [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
4025  *   saltLength         [2] INTEGER          DEFAULT 20,
4026  *   trailerField       [3] TrailerField     DEFAULT trailerFieldBC }
4027  * mgf1SHA1    MaskGenAlgorithm ::= {
4028  *   algorithm   id-mgf1,
4029  *   parameters  HashAlgorithm : sha1 }
4030  * id-mgf1     OBJECT IDENTIFIER ::= { pkcs-1 8 }
4031  * TrailerField ::= INTEGER { trailerFieldBC(1) }
4032  * </pre></blockquote>
4033  * Here is a table for PSS parameters:
4034  * <table>
4035  * <tr><th>Name</th><th>alg oid</th><th>pss hash</th><th>maskgen</th><th>pss saltlen</th><th>trailer</th></tr>
4036  * <tr><td>SHAwithRSAandMGF1</td><td>1.2.840.113549.1.1.10(rsapss)</td><td>default(sha1)</td><td>default(mgf1sha1)</td><td>default(20)</td><td>default(1)</td></tr>
4037  * <tr><td>SHA256withRSAandMGF1</td><td>1.2.840.113549.1.1.10(rsapss)</td><td>sha256</td><td>mgf1sha256</td><td>32</td><td>default(1)</td></tr>
4038  * <tr><td>SHA384withRSAandMGF1</td><td>1.2.840.113549.1.1.10(rsapss)</td><td>sha384</td><td>mgf1sha384</td><td>48</td><td>default(1)</td></tr>
4039  * <tr><td>SHA512withRSAandMGF1</td><td>1.2.840.113549.1.1.10(rsapss)</td><td>sha512</td><td>mgf1sha512</td><td>64</td><td>default(1)</td></tr>
4040  * </table>
4041  * Default value is omitted as defined in ASN.1 schema.
4042  * These parameters are interoperable to OpenSSL or IAIK toolkit.
4043  * <br/>
4044  * NOTE: RSA-PSS algorithm names are supported since jsrsasign 8.0.21.
4045  * @example
4046  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "sha1"})
4047  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "SHA256withRSA"})
4048  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "SHA512withRSAandMGF1"}) // set parameters automatically
4049  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "SHA256withRSA", paramempty: true})
4050  * new KJUR.asn1.x509.AlgorithmIdentifier({name: "rsaEncryption"})
4051  */
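KJUR.asn1.x509.AlgorithmIdentifier = function(params) {
    KJUR.asn1.x509.AlgorithmIdentifier.superclass.constructor.call(this);
    this.nameAlg = null;    // algorithm name taken from params.name
    this.asn1Alg = null;    // OID object, resolved from nameAlg on first tohex()
    this.asn1Params = null; // parameters object; when null the field is left out of the SEQUENCE
    this.paramEmpty = false;

    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _PSSNAME2ASN1TLV = _KJUR_asn1.x509.AlgorithmIdentifier.PSSNAME2ASN1TLV,
        _hasOwn = Object.prototype.hasOwnProperty;

    /**
     * Encode this AlgorithmIdentifier and return its TLV as a hexadecimal string.
     * Throws Error("algorithm not specified") when neither a name nor an OID
     * object has been set.
     *
     * NOTE(review): no strength policy is applied here. Any name that
     * OID.name2obj resolves is encoded, including the MD2/MD5/SHA-1 based
     * signature names present in OID.name2oidList, so a caller that issues
     * certificates has to restrict algorithm names itself.
     */
    this.tohex = function() {
        if (this.nameAlg === null && this.asn1Alg === null) {
            throw new Error("algorithm not specified");
        }

        // RSA-PSS names resolve to a fixed, pre-encoded TLV. On this path
        // asn1Params and paramEmpty are not consulted at all.
        // Own-property lookup only: a for-in scan would also visit enumerable
        // properties inherited from Object.prototype.
        if (typeof this.nameAlg === "string" &&
            _hasOwn.call(_PSSNAME2ASN1TLV, this.nameAlg)) {
            this.hTLV = _PSSNAME2ASN1TLV[this.nameAlg];
            return this.hTLV;
        }

        if (this.nameAlg !== null && this.asn1Alg === null) {
            this.asn1Alg = _KJUR_asn1.x509.OID.name2obj(this.nameAlg);
        }
        var a = [this.asn1Alg];
        if (this.asn1Params !== null) a.push(this.asn1Params);

        var o = new _KJUR_asn1.DERSequence({'array': a});
        this.hTLV = o.tohex();
        return this.hTLV;
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) {
        if (params.name !== undefined) {
            this.nameAlg = params.name;
        }
        if (params.asn1params !== undefined) {
            this.asn1Params = params.asn1params;
        }
        if (params.paramempty !== undefined) {
            this.paramEmpty = params.paramempty;
        }
    }

    // params.name may itself be an object of the form {name: "..."}; unwrap it
    // regardless of the other options so that tohex() always sees a string.
    // (Previously this happened only when the NULL default below was being
    // considered, so {name: {name: ...}, paramempty: true} could not be encoded.)
    if (this.nameAlg !== null && this.nameAlg.name !== undefined) {
        this.nameAlg = this.nameAlg.name;
    }

    // Default the parameters field: it is left out for "*withDSA" and
    // "*withECDSA" names and set to ASN.1 NULL for every other name.
    // As written, paramempty === true (or an explicit asn1params) skips this
    // default, so with paramempty the field ends up omitted rather than NULL.
    if (this.asn1Params === null &&
        this.paramEmpty === false &&
        this.nameAlg !== null) {

        var lcNameAlg = this.nameAlg.toLowerCase();

        if (lcNameAlg.slice(-7) !== "withdsa" &&
            lcNameAlg.slice(-9) !== "withecdsa") {
            this.asn1Params = new _KJUR_asn1.DERNull();
        }
    }
};
extendClass(KJUR.asn1.x509.AlgorithmIdentifier, KJUR.asn1.ASN1Object);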
4125 
4126 /**
4127  * AlgorithmIdentifier ASN.1 TLV string associative array for RSA-PSS algorithm names
4128  * @const
4129  */
KJUR.asn1.x509.AlgorithmIdentifier.PSSNAME2ASN1TLV = {
    // Every value is a complete DER AlgorithmIdentifier in hex: a SEQUENCE
    // holding the OID 1.2.840.113549.1.1.10 followed by the PSS parameters.

    // Empty parameter SEQUENCE (3000): all PSS fields are left at their
    // schema defaults.
    "SHAwithRSAandMGF1": "300d06092a864886f70d01010a3000",

    // [0] hash sha256, [1] MGF1 with sha256, [2] salt length 0x20
    "SHA256withRSAandMGF1": "303d06092a864886f70d01010a3030a00d300b0609608648016503040201a11a301806092a864886f70d010108300b0609608648016503040201a203020120",

    // [0] hash sha384, [1] MGF1 with sha384, [2] salt length 0x30
    "SHA384withRSAandMGF1": "303d06092a864886f70d01010a3030a00d300b0609608648016503040202a11a301806092a864886f70d010108300b0609608648016503040202a203020130",

    // [0] hash sha512, [1] MGF1 with sha512, [2] salt length 0x40
    "SHA512withRSAandMGF1": "303d06092a864886f70d01010a3030a00d300b0609608648016503040203a11a301806092a864886f70d010108300b0609608648016503040203a203020140"
};
4140 
4141 /**
4142  * GeneralName ASN.1 structure class<br/>
4143  * @name KJUR.asn1.x509.GeneralName
4144  * @class GeneralName ASN.1 structure class
4145  * @see KJUR.asn1.x509.OtherName
4146  * @see KJUR.asn1.x509.X500Name
4147  *
4148  * @description
4149  * <br/>
4150  * As for argument 'params' for constructor, you can specify one of
4151  * following properties:
4152  * <ul>
4153  * <li>rfc822 - rfc822Name[1] (ex. user1@foo.com)</li>
4154  * <li>dns - dNSName[2] (ex. foo.com)</li>
4155  * <li>uri - uniformResourceIdentifier[6] (ex. http://foo.com/)</li>
4156  * <li>dn - directoryName[4] 
4157  * distinguished name string or X500Name class parameters can be
4158  * specified (ex. "/C=US/O=Test", {hex: '301c...'})</li>
4159  * <li>ldapdn - directoryName[4] (ex. O=Test,C=US)</li>
4160  * <li>certissuer - directoryName[4] (PEM or hex string of cert)</li>
4161  * <li>certsubj - directoryName[4] (PEM or hex string of cert)</li>
4162  * <li>ip - iPAddress[7] (ex. 192.168.1.1, 2001:db3::43, 3faa0101...)</li>
4163  * </ul>
4164  * NOTE1: certissuer and certsubj were supported since asn1x509 1.0.10.<br/>
4165  * NOTE2: dn and ldapdn were supported since jsrsasign 6.2.3 asn1x509 1.0.19.<br/>
4166  * NOTE3: ip were supported since jsrsasign 8.0.10 asn1x509 1.1.4.<br/>
4167  * NOTE4: X500Name parameters in dn were supported since jsrsasign 8.0.16.<br/>
4168  * NOTE5: otherName is supported since jsrsasign 10.5.3.<br/>
4169  *
4170  * Here is definition of the ASN.1 syntax:
4171  * <pre>
4172  * -- NOTE: under the CHOICE, it will always be explicit.
4173  * GeneralName ::= CHOICE {
4174  *   otherName                  [0] OtherName,
4175  *   rfc822Name                 [1] IA5String,
4176  *   dNSName                    [2] IA5String,
4177  *   x400Address                [3] ORAddress,
4178  *   directoryName              [4] Name,
4179  *   ediPartyName               [5] EDIPartyName,
4180  *   uniformResourceIdentifier  [6] IA5String,
4181  *   iPAddress                  [7] OCTET STRING,
4182  *   registeredID               [8] OBJECT IDENTIFIER }
4183  *
4184  * OtherName ::= SEQUENCE {
4185  *   type-id    OBJECT IDENTIFIER,
4186  *   value      [0] EXPLICIT ANY DEFINED BY type-id }
4187  * </pre>
4188  *
4189  * @example
4190  * gn = new KJUR.asn1.x509.GeneralName({dn:     '/C=US/O=Test'});
4191  * gn = new KJUR.asn1.x509.GeneralName({dn:     X500NameObject});
4192  * gn = new KJUR.asn1.x509.GeneralName({dn:     {str: '/C=US/O=Test'}});
4193  * gn = new KJUR.asn1.x509.GeneralName({dn:     {ldapstr: 'O=Test,C=US'}});
4194  * gn = new KJUR.asn1.x509.GeneralName({dn:     {hex: '301c...'}});
4195  * gn = new KJUR.asn1.x509.GeneralName({dn:     {certissuer: PEMCERTSTRING}});
4196  * gn = new KJUR.asn1.x509.GeneralName({dn:     {certsubject: PEMCERTSTRING}});
4197  * gn = new KJUR.asn1.x509.GeneralName({ip:     '192.168.1.1'});
4198  * gn = new KJUR.asn1.x509.GeneralName({ip:     '2001:db4::4:1'});
4199  * gn = new KJUR.asn1.x509.GeneralName({ip:     'c0a80101'});
4200  * gn = new KJUR.asn1.x509.GeneralName({rfc822: 'test@aaa.com'});
4201  * gn = new KJUR.asn1.x509.GeneralName({dns:    'aaa.com'});
4202  * gn = new KJUR.asn1.x509.GeneralName({uri:    'http://aaa.com/'});
4203  * gn = new KJUR.asn1.x509.GeneralName({other: {
4204  *   oid: "1.2.3.4",
4205  *   value: {utf8str: "example"} // any ASN.1 which passed to ASN1Util.newObject
4206  * }});
4207  *
4208  * gn = new KJUR.asn1.x509.GeneralName({ldapdn:     'O=Test,C=US'}); // DEPRECATED
4209  * gn = new KJUR.asn1.x509.GeneralName({certissuer: certPEM});       // DEPRECATED
4210  * gn = new KJUR.asn1.x509.GeneralName({certsubj:   certPEM});       // DEPRECATED
4211  */
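KJUR.asn1.x509.GeneralName = function(params) {
    KJUR.asn1.x509.GeneralName.superclass.constructor.call(this);

    var _KJUR = KJUR,
        _KJUR_asn1 = _KJUR.asn1,
        _KJUR_asn1_x509 = _KJUR_asn1.x509,
        _X500Name = _KJUR_asn1_x509.X500Name,
        _OtherName = _KJUR_asn1_x509.OtherName,
        _DERIA5String = _KJUR_asn1.DERIA5String,
        _DEROctetString = _KJUR_asn1.DEROctetString,
        _DERTaggedObject = _KJUR_asn1.DERTaggedObject,
        _ASN1Object = _KJUR_asn1.ASN1Object,
        _Error = Error;

    this.params = null;

    /**
     * Store the parameter object; it is not inspected until tohex().
     */
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * Encode the GeneralName selected by the first recognised property of
     * the stored parameters (other, rfc822, dns, dn, ldapdn,
     * certissuer/certsubj, uri, ip - tested in that order) and return the
     * tagged TLV as a hexadecimal string.
     * Throws Error when no parameters were set, when no known property is
     * present, when certissuer/certsubj is neither hex nor PEM, or when the
     * ip value cannot be converted.
     *
     * NOTE(review): the rfc822, dns and uri strings are handed to
     * DERIA5String exactly as given; no syntax check is visible in this
     * method. When a name originates from a request or another untrusted
     * source, validate it before it gets here.
     */
    this.tohex = function() {
        var params = this.params;
        if (params === null || params === undefined) {
            throw new _Error("improper params");
        }

        var hTag, dObj;
        var explicitFlag = false;

        if (params.other !== undefined) {
            hTag = "a0";
            dObj = new _OtherName(params.other);
        } else if (params.rfc822 !== undefined) {
            hTag = "81";
            dObj = new _DERIA5String({str: params.rfc822});
        } else if (params.dns !== undefined) {
            hTag = "82";
            dObj = new _DERIA5String({str: params.dns});
        } else if (params.dn !== undefined) {
            // directoryName: string, X500Name instance, or X500Name parameters
            hTag = "a4";
            explicitFlag = true;
            if (typeof params.dn === "string") {
                dObj = new _X500Name({str: params.dn});
            } else if (params.dn instanceof KJUR.asn1.x509.X500Name) {
                dObj = params.dn;
            } else {
                dObj = new _X500Name(params.dn);
            }
        } else if (params.ldapdn !== undefined) {
            hTag = "a4";
            explicitFlag = true;
            dObj = new _X500Name({ldapstr: params.ldapdn});
        } else if (params.certissuer !== undefined ||
                   params.certsubj !== undefined) {
            // directoryName copied from the issuer or subject of a certificate
            hTag = "a4";
            explicitFlag = true;

            // certsubj takes precedence when both properties are present
            var isIssuer = (params.certsubj === undefined);
            var certStr = isIssuer ? params.certissuer : params.certsubj;
            var certHex = null;

            if (certStr.match(/^[0-9A-Fa-f]+$/)) {
                // This was a comparison (==) with no effect, so a hexadecimal
                // certificate string was always rejected below.
                certHex = certStr;
            }
            if (certStr.indexOf("-----BEGIN ") != -1) {
                certHex = pemtohex(certStr);
            }
            if (certHex == null)
                throw new _Error("certsubj/certissuer not cert");

            var x = new X509();
            x.hex = certHex;

            var hDN = isIssuer ? x.getIssuerHex() : x.getSubjectHex();

            // wrap the already-encoded Name so that it is emitted unchanged
            dObj = new _ASN1Object();
            dObj.hTLV = hDN;
        } else if (params.uri !== undefined) {
            hTag = "86";
            dObj = new _DERIA5String({str: params.uri});
        } else if (params.ip !== undefined) {
            hTag = "87";
            var hIP;
            var ip = params.ip;
            try {
                if (ip.match(/^[0-9a-f]+$/)) {
                    // Already hexadecimal (lower case only): accept 8, 16, 32
                    // or 64 digits. Presumably 16 and 64 are address plus
                    // mask - TODO confirm.
                    var len = ip.length;
                    if (len == 8 || len == 16 || len == 32 || len == 64) {
                        hIP = ip;
                    } else {
                        // a real Error, so the message built below is not
                        // "...:undefined"
                        throw new _Error("unexpected hex length " + len);
                    }
                } else {
                    hIP = iptohex(ip);
                }
            } catch(ex) {
                var reason = (ex && ex.message !== undefined) ? ex.message : ex;
                throw new _Error("malformed IP address: " + params.ip + ":" + reason);
            }
            dObj = new _DEROctetString({hex: hIP});
        } else {
            throw new _Error("improper params");
        }

        var dTag = new _DERTaggedObject({tag: hTag,
                                         explicit: explicitFlag,
                                         obj: dObj});
        return dTag.tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) this.setByParam(params);
};
extendClass(KJUR.asn1.x509.GeneralName, KJUR.asn1.ASN1Object);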
4332 
4333 /**
4334  * GeneralNames ASN.1 structure class<br/>
4335  * @name KJUR.asn1.x509.GeneralNames
4336  * @class GeneralNames ASN.1 structure class
4337  * @description
4338  * <br/>
4339  * <h4>EXAMPLE AND ASN.1 SYNTAX</h4>
4340  * @example
4341  * gns = new KJUR.asn1.x509.GeneralNames([{'uri': 'http://aaa.com/'}, {'uri': 'http://bbb.com/'}]);
4342  *
4343  * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
4344  */
KJUR.asn1.x509.GeneralNames = function(paramsArray) {
    KJUR.asn1.x509.GeneralNames.superclass.constructor.call(this);
    var _KJUR_asn1 = KJUR.asn1;

    /**
     * append GeneralName objects built from an array of parameters<br/>
     * @name setByParamArray
     * @memberOf KJUR.asn1.x509.GeneralNames#
     * @function
     * @param {Array} paramsArray Array of {@link KJUR.asn1.x509.GeneralName} parameters
     * @description
     * Each element is passed to the GeneralName constructor and the result
     * is appended to the current list; entries added earlier are kept.
     * @example
     * gns = new KJUR.asn1.x509.GeneralNames();
     * gns.setByParamArray([{uri: 'http://aaa.com/'}, {uri: 'http://bbb.com/'}]);
     */
    this.setByParamArray = function(paramsArray) {
        for (var idx = 0; idx < paramsArray.length; idx += 1) {
            this.asn1Array.push(new _KJUR_asn1.x509.GeneralName(paramsArray[idx]));
        }
    };

    // Encodes whatever is in the list as a SEQUENCE. An empty list is not
    // rejected here although the schema says SIZE (1..MAX).
    this.tohex = function() {
        var dSeq = new _KJUR_asn1.DERSequence({'array': this.asn1Array});
        return dSeq.tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    this.asn1Array = [];
    if (paramsArray !== undefined) {
        this.setByParamArray(paramsArray);
    }
};
extendClass(KJUR.asn1.x509.GeneralNames, KJUR.asn1.ASN1Object);
4383 
4384 /**
4385  * OtherName of GeneralName ASN.1 structure class<br/>
4386  * @name KJUR.asn1.x509.OtherName
4387  * @class OtherName ASN.1 structure class
4388  * @since jsrsasign 10.5.3 asn1x509 2.1.12
4389  * @see KJUR.asn1.x509.GeneralName
4390  * @see KJUR.asn1.ASN1Util.newObject
4391  *
4392  * @description
4393  * This class is for OtherName of GeneralName ASN.1 structure.
4394  * Constructor has two members:
4395  * <ul>
4396  * <li>oid - oid string (ex. "1.2.3.4")</li>
4397  * <li>value - JSON object passed to ASN1Util.newObject or ASN1Object object</li>
4398  * </ul>
4399  *
4400  * <pre>
4401  * OtherName ::= SEQUENCE {
4402  *   type-id    OBJECT IDENTIFIER,
4403  *   value      [0] EXPLICIT ANY DEFINED BY type-id }
4404  * </pre>
4405  *
4406  * @example
4407  * new KJUR.asn1.x509.OtherName({
4408  *   oid: "1.2.3.4",
4409  *   value: {prnstr: {str: "abc"}}
4410  * })
4411  */
KJUR.asn1.x509.OtherName = function(params) {
    KJUR.asn1.x509.OtherName.superclass.constructor.call(this);

    var _KJUR_asn1 = KJUR.asn1,
        _DERObjectIdentifier = _KJUR_asn1.DERObjectIdentifier,
        _DERSequence = _KJUR_asn1.DERSequence,
        _newObject = _KJUR_asn1.ASN1Util.newObject;

    this.params = null;

    // Keep the parameter object; it is only read when encoding.
    this.setByParam = function(params) {
        this.params = params;
    };

    /**
     * Encode SEQUENCE { type-id OID, [0] EXPLICIT value } and return it as
     * a hexadecimal string. Throws Error when oid or value is missing
     * (null or undefined).
     */
    this.tohex = function() {
        var p = this.params;

        // loose comparison on purpose: matches both null and undefined
        if (p.oid == null || p.value == null)
            throw new Error("oid or value not specified");

        var typeId = new _DERObjectIdentifier({oid: p.oid});
        var taggedValue = _newObject({
            tag: {tag: "a0", explicit: true, obj: p.value}
        });

        return new _DERSequence({array: [typeId, taggedValue]}).tohex();
    };
    this.getEncodedHex = function() { return this.tohex(); };

    if (params !== undefined) this.setByParam(params);
};
extendClass(KJUR.asn1.x509.OtherName, KJUR.asn1.ASN1Object);
4448 
4449 /**
4450  * static object for OID
4451  * @name KJUR.asn1.x509.OID
4452  * @class static object for OID
4453  * @property {Assoc Array} atype2oidList for short attribute type name and oid (ex. 'C' and '2.5.4.6')
4454  * @property {Assoc Array} name2oidList for oid name and oid (ex. 'keyUsage' and '2.5.29.15')
4455  * @property {Assoc Array} objCache for caching name and DERObjectIdentifier object
4456  *
4457  * @description
4458  * This class defines OID name and values.
4459  * AttributeType names registered in OID.atype2oidList are following:
4460  * <table style="border-width: thin; border-style: solid; width: 100%">
4461  * <tr><th>short</th><th>long</th><th>OID</th></tr>
4462  * <tr><td>CN</td><td>commonName</td><td>2.5.4.3</td></tr>
4463  * <tr><td>L</td><td>localityName</td><td>2.5.4.7</td></tr>
4464  * <tr><td>ST</td><td>stateOrProvinceName</td><td>2.5.4.8</td></tr>
4465  * <tr><td>O</td><td>organizationName</td><td>2.5.4.10</td></tr>
4466  * <tr><td>OU</td><td>organizationalUnitName</td><td>2.5.4.11</td></tr>
4467  * <tr><td>C</td><td>countryName</td><td>2.5.4.6</td></tr>
4468  * <tr><td>STREET</td><td>streetAddress</td><td>2.5.4.9</td></tr>
4469  * <tr><td>DC</td><td>domainComponent</td><td>0.9.2342.19200300.100.1.25</td></tr>
4470  * <tr><td>UID</td><td>userId</td><td>0.9.2342.19200300.100.1.1</td></tr>
4471  * <tr><td>SN</td><td>surname</td><td>2.5.4.4</td></tr>
4472  * <tr><td>DN</td><td>distinguishedName</td><td>2.5.4.49</td></tr>
4473  * <tr><td>E</td><td>emailAddress</td><td>1.2.840.113549.1.9.1</td></tr>
4474  * <tr><td></td><td>businessCategory</td><td>2.5.4.15</td></tr>
4475  * <tr><td></td><td>postalCode</td><td>2.5.4.17</td></tr>
4476  * <tr><td></td><td>jurisdictionOfIncorporationL</td><td>1.3.6.1.4.1.311.60.2.1.1</td></tr>
4477  * <tr><td></td><td>jurisdictionOfIncorporationSP</td><td>1.3.6.1.4.1.311.60.2.1.2</td></tr>
4478  * <tr><td></td><td>jurisdictionOfIncorporationC</td><td>1.3.6.1.4.1.311.60.2.1.3</td></tr>
4479  * </table>
4480  *
4481  * @example
4482  */
4483 KJUR.asn1.x509.OID = new function() {
    var _DERObjectIdentifier = KJUR.asn1.DERObjectIdentifier;

    // Name to dotted-OID table used by name2obj() and, as a fallback, by
    // atype2obj(). Entry order is kept as it was; some OIDs appear under two
    // names (ex. 'P-256' and 'secp256r1').
    // NOTE(review): being listed here says nothing about cryptographic
    // strength. The table carries legacy entries (md2, md5, MD2/MD4/MD5withRSA,
    // SHA1with*, des-EDE3-CBC), so choosing an acceptable algorithm is the
    // caller's job.
    this.name2oidList = {
        // symmetric ciphers
        'aes128-CBC':                   '2.16.840.1.101.3.4.1.2',
        'aes256-CBC':                   '2.16.840.1.101.3.4.1.42',

        // hash algorithms
        'sha1':                         '1.3.14.3.2.26',
        'sha256':                       '2.16.840.1.101.3.4.2.1',
        'sha384':                       '2.16.840.1.101.3.4.2.2',
        'sha512':                       '2.16.840.1.101.3.4.2.3',
        'sha224':                       '2.16.840.1.101.3.4.2.4',
        'md5':                          '1.2.840.113549.2.5',
        'md2':                          '1.3.14.7.2.2.1',
        'ripemd160':                    '1.3.36.3.2.1',

        // HMAC
        'hmacWithSHA1':                 '1.2.840.113549.2.7',
        'hmacWithSHA224':               '1.2.840.113549.2.8',
        'hmacWithSHA256':               '1.2.840.113549.2.9',
        'hmacWithSHA384':               '1.2.840.113549.2.10',
        'hmacWithSHA512':               '1.2.840.113549.2.11',

        // RSA signatures
        'MD2withRSA':                   '1.2.840.113549.1.1.2',
        'MD4withRSA':                   '1.2.840.113549.1.1.3',
        'MD5withRSA':                   '1.2.840.113549.1.1.4',
        'SHA1withRSA':                  '1.2.840.113549.1.1.5',
        'pkcs1-MGF':                    '1.2.840.113549.1.1.8',
        'rsaPSS':                       '1.2.840.113549.1.1.10',
        'SHA224withRSA':                '1.2.840.113549.1.1.14',
        'SHA256withRSA':                '1.2.840.113549.1.1.11',
        'SHA384withRSA':                '1.2.840.113549.1.1.12',
        'SHA512withRSA':                '1.2.840.113549.1.1.13',

        // ECDSA signatures
        'SHA1withECDSA':                '1.2.840.10045.4.1',
        'SHA224withECDSA':              '1.2.840.10045.4.3.1',
        'SHA256withECDSA':              '1.2.840.10045.4.3.2',
        'SHA384withECDSA':              '1.2.840.10045.4.3.3',
        'SHA512withECDSA':              '1.2.840.10045.4.3.4',

        // DSA
        'dsa':                          '1.2.840.10040.4.1',
        'SHA1withDSA':                  '1.2.840.10040.4.3',
        'SHA224withDSA':                '2.16.840.1.101.3.4.3.1',
        'SHA256withDSA':                '2.16.840.1.101.3.4.3.2',

        'rsaEncryption':                '1.2.840.113549.1.1.1',

        // X.500 AttributeType defined in RFC 4514
        'commonName':                   '2.5.4.3',
        'countryName':                  '2.5.4.6',
        'localityName':                 '2.5.4.7',
        'stateOrProvinceName':          '2.5.4.8',
        'streetAddress':                '2.5.4.9',
        'organizationName':             '2.5.4.10',
        'organizationalUnitName':       '2.5.4.11',
        'domainComponent':              '0.9.2342.19200300.100.1.25',
        'userId':                       '0.9.2342.19200300.100.1.1',
        // other AttributeType name string
        'surname':                      '2.5.4.4',
        'givenName':                    '2.5.4.42',
        'title':                        '2.5.4.12',
        'distinguishedName':            '2.5.4.49',
        'emailAddress':                 '1.2.840.113549.1.9.1',
        // other AttributeType name string (no short name)
        'description':                  '2.5.4.13',
        'businessCategory':             '2.5.4.15',
        'postalCode':                   '2.5.4.17',
        'uniqueIdentifier':             '2.5.4.45',
        'organizationIdentifier':       '2.5.4.97',
        'jurisdictionOfIncorporationL': '1.3.6.1.4.1.311.60.2.1.1',
        'jurisdictionOfIncorporationSP':'1.3.6.1.4.1.311.60.2.1.2',
        'jurisdictionOfIncorporationC': '1.3.6.1.4.1.311.60.2.1.3',

        // certificate and CRL extensions
        'subjectDirectoryAttributes':   '2.5.29.9',
        'subjectKeyIdentifier':         '2.5.29.14',
        'keyUsage':                     '2.5.29.15',
        'subjectAltName':               '2.5.29.17',
        'issuerAltName':                '2.5.29.18',
        'basicConstraints':             '2.5.29.19',
        'cRLNumber':                    '2.5.29.20',
        'cRLReason':                    '2.5.29.21',
        'nameConstraints':              '2.5.29.30',
        'cRLDistributionPoints':        '2.5.29.31',
        'certificatePolicies':          '2.5.29.32',
        'anyPolicy':                    '2.5.29.32.0',
        'policyMappings':               '2.5.29.33',
        'authorityKeyIdentifier':       '2.5.29.35',
        'policyConstraints':            '2.5.29.36',
        'extKeyUsage':                  '2.5.29.37',
        'inhibitAnyPolicy':             '2.5.29.54',
        'authorityInfoAccess':          '1.3.6.1.5.5.7.1.1',
        'ocsp':                         '1.3.6.1.5.5.7.48.1',
        'ocspBasic':                    '1.3.6.1.5.5.7.48.1.1',
        'ocspNonce':                    '1.3.6.1.5.5.7.48.1.2',
        'ocspNoCheck':                  '1.3.6.1.5.5.7.48.1.5',
        'caIssuers':                    '1.3.6.1.5.5.7.48.2',

        // extended key usage
        'anyExtendedKeyUsage':          '2.5.29.37.0',
        'serverAuth':                   '1.3.6.1.5.5.7.3.1',
        'clientAuth':                   '1.3.6.1.5.5.7.3.2',
        'codeSigning':                  '1.3.6.1.5.5.7.3.3',
        'emailProtection':              '1.3.6.1.5.5.7.3.4',
        'timeStamping':                 '1.3.6.1.5.5.7.3.8',
        'ocspSigning':                  '1.3.6.1.5.5.7.3.9',

        // 'otherNameForms':            '1.3.6.1.5.5.7.8',
        'smtpUTF8Mailbox':              '1.3.6.1.5.5.7.8.9',

        'dateOfBirth':                  '1.3.6.1.5.5.7.9.1',
        'placeOfBirth':                 '1.3.6.1.5.5.7.9.2',
        'gender':                       '1.3.6.1.5.5.7.9.3',
        'countryOfCitizenship':         '1.3.6.1.5.5.7.9.4',
        'countryOfResidence':           '1.3.6.1.5.5.7.9.5',

        // EC public key and named curves
        'ecPublicKey':                  '1.2.840.10045.2.1',
        'P-256':                        '1.2.840.10045.3.1.7',
        'secp256r1':                    '1.2.840.10045.3.1.7',
        'secp256k1':                    '1.3.132.0.10',
        'secp384r1':                    '1.3.132.0.34',
        'secp521r1':                    '1.3.132.0.35',

        'pkcs5PBES2':                   '1.2.840.113549.1.5.13',
        'pkcs5PBKDF2':                  '1.2.840.113549.1.5.12',

        'des-EDE3-CBC':                 '1.2.840.113549.3.7',

        'data':                         '1.2.840.113549.1.7.1', // CMS data
        'signed-data':                  '1.2.840.113549.1.7.2', // CMS signed-data
        'enveloped-data':               '1.2.840.113549.1.7.3', // CMS enveloped-data
        'digested-data':                '1.2.840.113549.1.7.5', // CMS digested-data
        'encrypted-data':               '1.2.840.113549.1.7.6', // CMS encrypted-data
        'authenticated-data':           '1.2.840.113549.1.9.16.1.2', // CMS authenticated-data
        'tstinfo':                      '1.2.840.113549.1.9.16.1.4', // RFC3161 TSTInfo
        'signingCertificate':           '1.2.840.113549.1.9.16.2.12', // SMIME
        'timeStampToken':               '1.2.840.113549.1.9.16.2.14', // sigTS
        'signaturePolicyIdentifier':    '1.2.840.113549.1.9.16.2.15', // cades
        'etsArchiveTimeStamp':          '1.2.840.113549.1.9.16.2.27', // SMIME
        'signingCertificateV2':         '1.2.840.113549.1.9.16.2.47', // SMIME
        'etsArchiveTimeStampV2':        '1.2.840.113549.1.9.16.2.48', // SMIME
        'extensionRequest':             '1.2.840.113549.1.9.14', // CSR extensionRequest
        'contentType':                  '1.2.840.113549.1.9.3', // PKCS#9
        'messageDigest':                '1.2.840.113549.1.9.4', // PKCS#9
        'signingTime':                  '1.2.840.113549.1.9.5', // PKCS#9
        'counterSignature':             '1.2.840.113549.1.9.6', // PKCS#9
        'archiveTimeStampV3':           '0.4.0.1733.2.4', // ETSI EN29319122/TS101733
        'pdfRevocationInfoArchival':    '1.2.840.113583.1.1.8', // Adobe
        'adobeTimeStamp':               '1.2.840.113583.1.1.9.1', // Adobe
        // CABF S/MIME BR
        'smimeMailboxLegacy':           '2.23.140.1.5.1.1',
        'smimeMailboxMulti':            '2.23.140.1.5.1.2',
        'smimeMailboxStrict':           '2.23.140.1.5.1.3',
        'smimeOrganizationLegacy':      '2.23.140.1.5.2.1',
        'smimeOrganizationMulti':       '2.23.140.1.5.2.2',
        'smimeOrganizationStrict':      '2.23.140.1.5.2.3',
        'smimeSponsorLegacy':           '2.23.140.1.5.3.1',
        'smimeSponsorMulti':            '2.23.140.1.5.3.2',
        'smimeSponsorStrict':           '2.23.140.1.5.3.3',
        'smimeIndividualLegacy':        '2.23.140.1.5.4.1',
        'smimeIndividualMulti':         '2.23.140.1.5.4.2',
        'smimeIndividualStrict':        '2.23.140.1.5.4.3'
    };
4643 
    // Attribute type name to dotted-OID table; atype2obj() consults it
    // before falling back to name2oidList.
    this.atype2oidList = {
        // RFC 4514 AttributeType name string (MUST recognized)
        'CN':                           '2.5.4.3',
        'L':                            '2.5.4.7',
        'ST':                           '2.5.4.8',
        'O':                            '2.5.4.10',
        'OU':                           '2.5.4.11',
        'C':                            '2.5.4.6',
        'STREET':                       '2.5.4.9',
        'DC':                           '0.9.2342.19200300.100.1.25',
        'UID':                          '0.9.2342.19200300.100.1.1',
        // other AttributeType name string
        // http://blog.livedoor.jp/k_urushima/archives/656114.html
        'SN':                           '2.5.4.4', // surname
        'T':                            '2.5.4.12', // title
        'GN':                           '2.5.4.42', // givenName
        'DN':                           '2.5.4.49', // distinguishedName
        'E':                            '1.2.840.113549.1.9.1', // emailAddress in MS.NET or Bouncy
        // other AttributeType name string (no short name)
        'description':                  '2.5.4.13',
        'businessCategory':             '2.5.4.15',
        'postalCode':                   '2.5.4.17',
        'serialNumber':                 '2.5.4.5',
        'uniqueIdentifier':             '2.5.4.45',
        'organizationIdentifier':       '2.5.4.97',
        'jurisdictionOfIncorporationL': '1.3.6.1.4.1.311.60.2.1.1',
        'jurisdictionOfIncorporationSP':'1.3.6.1.4.1.311.60.2.1.2',
        'jurisdictionOfIncorporationC': '1.3.6.1.4.1.311.60.2.1.3'
    };

    // DERObjectIdentifier objects already built, keyed by the name or
    // attribute type they were requested under (shared by name2obj and
    // atype2obj).
    this.objCache = {};
4675 
4676     /**
4677      * get DERObjectIdentifier by registered OID name
4678      * @name name2obj
4679      * @memberOf KJUR.asn1.x509.OID
4680      * @function
4681      * @param {String} name OID
4682      * @return {Object} DERObjectIdentifier instance
4683      * @see KJUR.asn1.DERObjectIdentifier
4684      *
4685      * @description
4686      * This static method returns DERObjectIdentifier object
4687      * for the specified OID.
4688      *
4689      * @example
4690      * var asn1ObjOID = KJUR.asn1.x509.OID.name2obj('SHA1withRSA');
4691      */
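    this.name2obj = function(name) {
        // Look up own properties only. objCache and name2oidList are plain
        // objects, so a name such as "constructor" or "toString" would
        // otherwise resolve to a member of Object.prototype and be returned
        // as if it were a registered OID.
        var hasOwn = Object.prototype.hasOwnProperty;

        if (hasOwn.call(this.objCache, name) &&
            typeof this.objCache[name] != "undefined")
            return this.objCache[name];

        if (! hasOwn.call(this.name2oidList, name) ||
            typeof this.name2oidList[name] == "undefined")
            // a string is thrown here (not an Error); left as is because
            // existing callers may depend on it
            throw "Name of ObjectIdentifier not defined: " + name;

        var oid = this.name2oidList[name];
        var obj = new _DERObjectIdentifier({'oid': oid});
        this.objCache[name] = obj; // later lookups of this name reuse the object
        return obj;
    };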
4702 
4703     /**
4704      * get DERObjectIdentifier by registered attribute type name such like 'C' or 'CN'<br/>
4705      * @name atype2obj
4706      * @memberOf KJUR.asn1.x509.OID
4707      * @function
4708      * @param {String} atype short attribute type name such like 'C', 'CN' or OID
4709      * @return KJUR.asn1.DERObjectIdentifier instance
4710      * @description
4711      * @example
4712      * KJUR.asn1.x509.OID.atype2obj('CN') → DERObjectIdentifier of 2.5.4.3
4713      * KJUR.asn1.x509.OID.atype2obj('OU') → DERObjectIdentifier of 2.5.4.11
4714      * KJUR.asn1.x509.OID.atype2obj('streetAddress') → DERObjectIdentifier of 2.5.4.9
4715      * KJUR.asn1.x509.OID.atype2obj('2.5.4.9') → DERObjectIdentifier of 2.5.4.9
4716      */
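    this.atype2obj = function(atype) {
        // Own-property lookups only: on a plain object a key such as
        // "constructor" would otherwise be answered from Object.prototype
        // and treated as a cached object or a registered OID.
        var hasOwn = Object.prototype.hasOwnProperty;

        if (hasOwn.call(this.objCache, atype) &&
            this.objCache[atype] !== undefined)
            return this.objCache[atype];

        var oid;

        if (atype.match(/^\d+\.\d+\.[0-9.]+$/)) {
            // already in dotted form: used as given, without a table lookup
            oid = atype;
        } else if (hasOwn.call(this.atype2oidList, atype) &&
                   this.atype2oidList[atype] !== undefined) {
            oid = this.atype2oidList[atype];
        } else if (hasOwn.call(this.name2oidList, atype) &&
                   this.name2oidList[atype] !== undefined) {
            oid = this.name2oidList[atype];
        } else {
            throw new Error("AttributeType name undefined: " + atype);
        }
        var obj = new _DERObjectIdentifier({'oid': oid});
        this.objCache[atype] = obj;
        return obj;
    };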
4736 
4737     /**
4738      * register OID list<br/>
4739      * @name registerOIDs
4740      * @memberOf KJUR.asn1.x509.OID
4741      * @function
4742      * @param {object} oids associative array of names and oids
4743      * @since jsrsasign 10.5.2 asn1x509 2.1.11
4744      * @see KJUR.asn1.x509.OID.checkOIDs
4745      * 
4746      * @description
4747      * This static method registers additional OIDs
4748      * in the existing list.
4749      *
4750      * @example
4751      * KJUR.asn1.x509.OID.checkOIDs({
4752      *   "test1": "4.5.7.8"
4753      * }) // do nothing for invalid list
4754      *
4755      * KJUR.asn1.x509.OID.registerOIDs({
4756      *   "test1": "1.2.3",
4757      *   "test2": "0.2.3.4.23",
4758      * }) // successfully registered
4759      *
4760      * KJUR.asn1.x509.OID.name2oid("test1") → "1.2.3"
4761      */
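    this.registerOIDs = function(oids) {
        // nothing is registered unless the whole list passes checkOIDs()
        if (! this.checkOIDs(oids)) return;

        // Walk exactly the keys checkOIDs() looked at (own enumerable ones).
        // A for-in loop would also copy inherited enumerable properties,
        // which were never validated.
        var names = Object.keys(oids);
        for (var i = 0; i < names.length; i++) {
            // NOTE(review): an existing name, built-in ones included, is
            // overwritten without notice, and objCache is not cleared, so a
            // name that was already resolved keeps returning the old object.
            // Pass only trusted tables to this method.
            this.name2oidList[names[i]] = oids[names[i]];
        }
    };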
4768 
4769     /**
4770      * check validity for OID list<br/>
4771      * @name checkOIDs
4772      * @memberOf KJUR.asn1.x509.OID
4773      * @function
4774      * @param {object} oids associative array of names and oids
4775      * @return {boolean} return true when valid OID list otherwise false
4776      * @since jsrsasign 10.5.2 asn1x509 2.1.11
4777      * @see KJUR.asn1.x509.OID.registerOIDs
4778      * 
4779      * @description
4780      * This static method validates an associative array
4781      * as oid list.
4782      *
4783      * @example
4784      * KJUR.asn1.x509.OID.checkOIDs(*non-assoc-array*) → false
4785      * KJUR.asn1.x509.OID.checkOIDs({}) → false
4786      * KJUR.asn1.x509.OID.checkOIDs({"test1": "apple"}) → false
4787      * KJUR.asn1.x509.OID.checkOIDs({
4788      *   "test1": "1.2.3",
4789      *   "test2": "0.2.3.4.23",
4790      * }) → true // valid oids
4791      * KJUR.asn1.x509.OID.checkOIDs({
4792      *   "test1": "4.5.7.8"
4793      * }) → false // invalid oid
4794      */
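    this.checkOIDs = function(oids) {
        // Return true only when `oids` has at least one own key and every
        // value is a dotted OID string; return false otherwise. Names (keys)
        // are not validated here.
        try {
            var nameList = Object.keys(oids);
            if (nameList.length == 0)
                return false;
            for (var i = 0; i < nameList.length; i++) {
                var oid = oids[nameList[i]];
                // First arc 0-2, followed by one or more non-empty numeric
                // arcs. This rejects malformed values such as "1..2", "1."
                // or "1.2." that a plain [0-9.]+ tail would let through.
                if (! oid.match(/^[0-2](\.[0-9]+)+$/))
                    return false;
            }
            return true;
        } catch(ex) {
            // Object.keys() on null/undefined, or a value that has no
            // match() method, ends up here: treat it as an invalid list.
            return false;
        }
    };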
4810 
4811 
4812 };
4813 
4814 /**
4815  * convert OID to name<br/>
4816  * @name oid2name
4817  * @memberOf KJUR.asn1.x509.OID
4818  * @function
4819  * @param {String} oid dot noted Object Identifier string (ex. 1.2.3.4)
4820  * @return {String} OID name if registered otherwise empty string
4821  * @since asn1x509 1.0.9
4822  * @description
4823  * This static method converts OID string to its name.
4824  * If OID is undefined then it returns empty string (i.e. '').
4825  * @example
4826  * KJUR.asn1.x509.OID.oid2name("1.3.6.1.5.5.7.1.1") → 'authorityInfoAccess'
4827  */
KJUR.asn1.x509.OID.oid2name = function(oid) {
    // Reverse lookup in name2oidList: return the first name whose value
    // equals `oid` (loose comparison), or '' when no entry matches.
    var registry = KJUR.asn1.x509.OID.name2oidList;
    var found = '';
    for (var key in registry) {
        if (registry[key] == oid) {
            found = key;
            break;
        }
    }
    return found;
};
4835 
4836 /**
4837  * convert OID to AttributeType name<br/>
4838  * @name oid2atype
4839  * @memberOf KJUR.asn1.x509.OID
4840  * @function
4841  * @param {String} oid dot noted Object Identifier string (ex. 1.2.3.4)
4842  * @return {String} OID AttributeType name if registered otherwise oid
4843  * @since jsrsasign 6.2.2 asn1x509 1.0.18
4844  * @description
4845  * This static method converts OID string to its AttributeType name.
4846  * If OID is not defined in OID.atype2oidList associative array then it returns OID
4847  * specified as argument.
4848  * @example
4849  * KJUR.asn1.x509.OID.oid2atype("2.5.4.3") → CN
4850  * KJUR.asn1.x509.OID.oid2atype("1.3.6.1.4.1.311.60.2.1.3") → jurisdictionOfIncorporationC
4851  * KJUR.asn1.x509.OID.oid2atype("0.1.2.3.4") → 0.1.2.3.4 // unregistered OID
4852  */
KJUR.asn1.x509.OID.oid2atype = function(oid) {
    // Reverse lookup in atype2oidList: return the first AttributeType name
    // whose value equals `oid` (loose comparison). When nothing matches the
    // argument itself is handed back unchanged.
    var atypeTable = KJUR.asn1.x509.OID.atype2oidList;
    var result = oid;
    for (var shortName in atypeTable) {
        if (atypeTable[shortName] != oid) continue;
        result = shortName;
        break;
    }
    return result;
};
4860 
4861 /**
4862  * convert OID name to OID value<br/>
4863  * @name name2oid
4864  * @memberOf KJUR.asn1.x509.OID
4865  * @function
4866  * @param {String} name OID name or OID (ex. "sha1" or "1.2.3.4")
4867  * @return {String} dot noted Object Identifier string (ex. 1.2.3.4)
4868  * @since asn1x509 1.0.11
4869  * @description
4870  * This static method converts from OID name to OID string.
4871  * If the name is not registered then it returns empty string (i.e. '').
4872  * @example
4873  * KJUR.asn1.x509.OID.name2oid("authorityInfoAccess") → "1.3.6.1.5.5.7.1.1"
4874  * KJUR.asn1.x509.OID.name2oid("1.2.3.4") → "1.2.3.4"
4875  * KJUR.asn1.x509.OID.name2oid("UNKNOWN NAME") → ""
4876  */
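KJUR.asn1.x509.OID.name2oid = function(name) {
    // Convert a registered OID name to its dotted OID string.
    // A string made only of digits and dots is returned as-is without any
    // further validation; an unregistered name yields ''.
    if (name.match(/^[0-9.]+$/)) return name;
    var list = KJUR.asn1.x509.OID.name2oidList;

    // Own-property test first: otherwise a name such as 'constructor' or
    // 'toString' would resolve to a member inherited from Object.prototype
    // instead of ''. (Assumes the list is a plain object; its definition is
    // outside this excerpt.)
    if (!Object.prototype.hasOwnProperty.call(list, name)) return '';
    if (list[name] === undefined) return '';
    return list[name];
};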
4883 
4884 /**
4885  * X.509 certificate and CRL utilities class<br/>
4886  * @name KJUR.asn1.x509.X509Util
4887  * @class X.509 certificate and CRL utilities class
4888  */
// Namespace object; the utility functions below are attached to it as properties.
KJUR.asn1.x509.X509Util = {};
4890 
4891 /**
4892  * issue a certificate in PEM format (DEPRECATED)
4893  * @name newCertPEM
4894  * @memberOf KJUR.asn1.x509.X509Util
4895  * @function
4896  * @param {Array} param JSON object of parameter to issue a certificate
4897  * @since asn1x509 1.0.6
4898  * @deprecated since jsrsasign 9.0.0 asn1x509 2.0.0. please move to {@link KJUR.asn1.x509.Certificate} constructor
4899  * @description
4900  * This method can issue a certificate by a simple
4901  * JSON object.
4902  * Signature value will be provided by signing with
4903  * private key using 'cakey' parameter or
4904  * hexadecimal signature value by 'sighex' parameter.
4905  * <br/>
4906  * NOTE: Algorithm parameter of AlgorithmIdentifier will
4907  * be set automatically by default. 
4908  * (see {@link KJUR.asn1.x509.AlgorithmIdentifier})
4909  * from jsrsasign 7.1.1 asn1x509 1.0.20.
4910  * <br/>
4911  * NOTE2: 
4912  * RSA-PSS algorithm has been supported from jsrsasign 8.0.21.
4913  * As for RSA-PSS signature algorithm names and signing parameters 
4914  * such as MGF function and salt length, please see
4915  * {@link KJUR.asn1.x509.AlgorithmIdentifier} class.
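4916  * <br/>NOTE3: The SHA1with* signature algorithms used in the examples below are legacy. For newly issued certificates prefer SHA256withRSA, SHA256withECDSA or stronger.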
4917  * @example
4918  * var certPEM = KJUR.asn1.x509.X509Util.newCertPEM({
4919  *   serial: {int: 4},
4920  *   sigalg: {name: 'SHA1withECDSA'},
4921  *   issuer: {str: '/C=US/O=a'},
4922  *   notbefore: {'str': '130504235959Z'},
4923  *   notafter: {'str': '140504235959Z'},
4924  *   subject: {str: '/C=US/O=b'},
4925  *   sbjpubkey: pubKeyObj,
4926  *   ext: [
4927  *     {basicConstraints: {cA: true, critical: true}},
4928  *     {keyUsage: {bin: '11'}},
4929  *   ],
4930  *   cakey: prvKeyObj
4931  * });
4932  * // -- or --
4933  * var certPEM = KJUR.asn1.x509.X509Util.newCertPEM({
4934  *   serial: {int: 4},
4935  *   sigalg: {name: 'SHA1withECDSA'},
4936  *   issuer: {str: '/C=US/O=a'},
4937  *   notbefore: {'str': '130504235959Z'},
4938  *   notafter: {'str': '140504235959Z'},
4939  *   subject: {str: '/C=US/O=b'},
4940  *   sbjpubkey: pubKeyPEM,
4941  *   ext: [
4942  *     {basicConstraints: {cA: true, critical: true}},
4943  *     {keyUsage: {bin: '11'}},
4944  *   ],
4945  *   cakey: [prvkey, pass]}
4946  * );
4947  * // -- or --
4948  * var certPEM = KJUR.asn1.x509.X509Util.newCertPEM({
4949  *   serial: {int: 1},
4950  *   sigalg: {name: 'SHA1withRSA'},
4951  *   issuer: {str: '/C=US/O=T1'},
4952  *   notbefore: {'str': '130504235959Z'},
4953  *   notafter: {'str': '140504235959Z'},
4954  *   subject: {str: '/C=US/O=T1'},
4955  *   sbjpubkey: pubKeyObj,
4956  *   sighex: '0102030405..'
4957  * });
4958  * // for the issuer and subject field, another
4959  * // representation is also available
4960  * var certPEM = KJUR.asn1.x509.X509Util.newCertPEM({
4961  *   serial: {int: 1},
4962  *   sigalg: {name: 'SHA256withRSA'},
4963  *   issuer: {C: "US", O: "T1"},
4964  *   notbefore: {'str': '130504235959Z'},
4965  *   notafter: {'str': '140504235959Z'},
4966  *   subject: {C: "US", O: "T1", CN: "http://example.com/"},
4967  *   sbjpubkey: pubKeyObj,
4968  *   sighex: '0102030405..'
4969  * });
4970  */
KJUR.asn1.x509.X509Util.newCertPEM = function(param) {
    // Deprecated convenience wrapper: `param` is forwarded unchanged to the
    // Certificate constructor and the PEM text from getPEM() is returned.
    // All field handling and signing happen inside Certificate.
    var certificate = new KJUR.asn1.x509.Certificate(param);
    return certificate.getPEM();
};
4978 
4979