pyasn1-alt-modules 0.4.5__py3-none-any.whl

pyasn1_alt_modules/rfc6960.py

@@ -0,0 +1,234 @@
+#
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley.
+# Modified by Russ Housley to include the opentypemap manager.
+#
+# Copyright (c) 2019-2024, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# Online Certificate Status Protocol (OCSP)
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc6960.txt
+#
+
+from pyasn1.type import char
+from pyasn1.type import namedtype
+from pyasn1.type import tag
+from pyasn1.type import univ
+from pyasn1.type import useful
+
+from pyasn1_alt_modules import rfc2560
+from pyasn1_alt_modules import rfc5280
+from pyasn1_alt_modules import opentypemap
+
+certificateExtensionsMap = opentypemap.get('certificateExtensionsMap')
+
+ocspResponseMap = opentypemap.get('ocspResponseMap')
+
+MAX = float('inf')
+
+
+# Imports from RFC 5280
+
+AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
+AuthorityInfoAccessSyntax = rfc5280.AuthorityInfoAccessSyntax
+Certificate = rfc5280.Certificate
+CertificateSerialNumber = rfc5280.CertificateSerialNumber
+CRLReason = rfc5280.CRLReason
+Extensions = rfc5280.Extensions
+GeneralName = rfc5280.GeneralName
+Name = rfc5280.Name
+
+id_kp = rfc5280.id_kp
+
+id_ad_ocsp = rfc5280.id_ad_ocsp
+
+
+# Imports from the original OCSP module in RFC 2560
+
+AcceptableResponses = rfc2560.AcceptableResponses
+ArchiveCutoff = rfc2560.ArchiveCutoff
+CertStatus = rfc2560.CertStatus
+KeyHash = rfc2560.KeyHash
+OCSPResponse = rfc2560.OCSPResponse
+OCSPResponseStatus = rfc2560.OCSPResponseStatus
+ResponseBytes = rfc2560.ResponseBytes
+RevokedInfo = rfc2560.RevokedInfo
+UnknownInfo = rfc2560.UnknownInfo
+Version = rfc2560.Version
+
+id_kp_OCSPSigning = rfc2560.id_kp_OCSPSigning
+
+id_pkix_ocsp = rfc2560.id_pkix_ocsp
+id_pkix_ocsp_archive_cutoff = rfc2560.id_pkix_ocsp_archive_cutoff
+id_pkix_ocsp_basic = rfc2560.id_pkix_ocsp_basic
+id_pkix_ocsp_crl = rfc2560.id_pkix_ocsp_crl
+id_pkix_ocsp_nocheck = rfc2560.id_pkix_ocsp_nocheck
+id_pkix_ocsp_nonce = rfc2560.id_pkix_ocsp_nonce
+id_pkix_ocsp_response = rfc2560.id_pkix_ocsp_response
+id_pkix_ocsp_service_locator = rfc2560.id_pkix_ocsp_service_locator
+
+
+# Additional object identifiers
+
+id_pkix_ocsp_pref_sig_algs = id_pkix_ocsp + (8, )
+id_pkix_ocsp_extended_revoke = id_pkix_ocsp + (9, )
+
+
+# Updated structures (mostly to improve openTypes support)
+
+class CertID(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('hashAlgorithm', AlgorithmIdentifier()),
+        namedtype.NamedType('issuerNameHash', univ.OctetString()),
+        namedtype.NamedType('issuerKeyHash', univ.OctetString()),
+        namedtype.NamedType('serialNumber', CertificateSerialNumber())
+    )
+
+
+class SingleResponse(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('certID', CertID()),
+        namedtype.NamedType('certStatus', CertStatus()),
+        namedtype.NamedType('thisUpdate', useful.GeneralizedTime()),
+        namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('singleExtensions', Extensions().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
+    )
+
+
+class ResponderID(univ.Choice):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('byName', Name().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+        namedtype.NamedType('byKey', KeyHash().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
+    )
+
+
+class ResponseData(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.DefaultedNamedType('version', Version('v1').subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.NamedType('responderID', ResponderID()),
+        namedtype.NamedType('producedAt', useful.GeneralizedTime()),
+        namedtype.NamedType('responses', univ.SequenceOf(
+            componentType=SingleResponse())),
+        namedtype.OptionalNamedType('responseExtensions', Extensions().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
+    )
+
+
+class BasicOCSPResponse(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('tbsResponseData', ResponseData()),
+        namedtype.NamedType('signatureAlgorithm', AlgorithmIdentifier()),
+        namedtype.NamedType('signature', univ.BitString()),
+        namedtype.OptionalNamedType('certs', univ.SequenceOf(
+            componentType=Certificate()).subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0)))
+    )
+
+
+class Request(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('reqCert', CertID()),
+        namedtype.OptionalNamedType('singleRequestExtensions', Extensions().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
+    )
+
+
+class Signature(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('signatureAlgorithm', AlgorithmIdentifier()),
+        namedtype.NamedType('signature', univ.BitString()),
+        namedtype.OptionalNamedType('certs', univ.SequenceOf(
+            componentType=Certificate()).subtype(explicitTag=tag.Tag(
+                tag.tagClassContext, tag.tagFormatSimple, 0)))
+    )
+
+
+class TBSRequest(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.DefaultedNamedType('version', Version('v1').subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('requestorName', GeneralName().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+        namedtype.NamedType('requestList', univ.SequenceOf(
+            componentType=Request())),
+        namedtype.OptionalNamedType('requestExtensions', Extensions().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
+    )
+
+
+class OCSPRequest(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('tbsRequest', TBSRequest()),
+        namedtype.OptionalNamedType('optionalSignature', Signature().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
+    )
+
+
+# Previously omitted structure
+
+class ServiceLocator(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('issuer', Name()),
+        namedtype.NamedType('locator', AuthorityInfoAccessSyntax())
+    )
+
+
+# Additional structures
+
+class CrlID(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('crlUrl', char.IA5String().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+        namedtype.OptionalNamedType('crlNum', univ.Integer().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+        namedtype.OptionalNamedType('crlTime', useful.GeneralizedTime().subtype(
+            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
+    )
+
+
+class PreferredSignatureAlgorithm(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('sigIdentifier', AlgorithmIdentifier()),
+        namedtype.OptionalNamedType('certIdentifier', AlgorithmIdentifier())
+    )
+
+
+class PreferredSignatureAlgorithms(univ.SequenceOf):
+    componentType = PreferredSignatureAlgorithm()
+
+
+
+# Update the OCSP Response Map
+
+_ocspResponseMapUpdate = {
+    id_pkix_ocsp_basic: BasicOCSPResponse(),
+}
+
+ocspResponseMap.update(_ocspResponseMapUpdate)
+
+
+# Update the Certificate Extension Extensions Map
+
+_certificateExtensionsMapUpdate = {
+    # Certificate Extension
+    id_pkix_ocsp_nocheck: univ.Null(""),
+    # OCSP Request Extensions
+    id_pkix_ocsp_nonce: univ.OctetString(),
+    id_pkix_ocsp_response: AcceptableResponses(),
+    id_pkix_ocsp_service_locator: ServiceLocator(),
+    id_pkix_ocsp_pref_sig_algs: PreferredSignatureAlgorithms(),
+    # OCSP Response Extensions
+    id_pkix_ocsp_crl: CrlID(),
+    id_pkix_ocsp_archive_cutoff: ArchiveCutoff(),
+    id_pkix_ocsp_extended_revoke: univ.Null(""),
+}
+
+certificateExtensionsMap.update(_certificateExtensionsMapUpdate)

pyasn1_alt_modules/rfc6962.py

@@ -0,0 +1,52 @@
+#
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley.
+# Modified by Russ Housley to include the opentypemap manager.
+#
+# Copyright (c) 2021-2024, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# Certificate Transparency
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc6962.txt
+#
+
+from pyasn1.type import univ
+
+from pyasn1_alt_modules import opentypemap
+
+certificateExtensionsMap = opentypemap.get('certificateExtensionsMap')
+
+
+class SignedCertificateTimestampList(univ.OctetString):
+    pass
+
+
+id_ce_embeddedSCT = univ.ObjectIdentifier('1.3.6.1.4.1.11129.2.4.2')
+
+
+id_ce_criticalPoison = univ.ObjectIdentifier('1.3.6.1.4.1.11129.2.4.3')
+
+
+id_kp_precertificateSigning = univ.ObjectIdentifier('1.3.6.1.4.1.11129.2.4.4')
+
+
+id_pkix_ocsp_SCT = univ.ObjectIdentifier('1.3.6.1.4.1.11129.2.4.5')
+
+
+# Update the Certificate Extension Map
+#
+# Note that rfc6960.py also uses this same map for OCSP extensions.
+# The id_ce_criticalPoison OID is not automatically added to the map
+# because normal relying parties are supposed to reject certificates
+# that contain it.
+
+_certificateExtensionsMapUpdate = {
+    id_ce_embeddedSCT: SignedCertificateTimestampList(),
+    # id_ce_criticalPoison: univ.Null(""),
+    id_pkix_ocsp_SCT: SignedCertificateTimestampList(),
+}
+
+certificateExtensionsMap.update(_certificateExtensionsMapUpdate)

pyasn1_alt_modules/rfc7030.py

@@ -0,0 +1,70 @@
+#
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley with assistance from asn1ate v.0.6.0.
+# Modified by Russ Housley to include the opentypemap manager.
+#
+# Copyright (c) 2019-2024, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# Enrollment over Secure Transport (EST)
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc7030.txt
+#
+
+from pyasn1.type import constraint
+from pyasn1.type import namedtype
+from pyasn1.type import univ
+
+from pyasn1_alt_modules import rfc5652
+from pyasn1_alt_modules import opentypemap
+
+cmsAttributesMap = opentypemap.get('cmsAttributesMap')
+
+MAX = float('inf')
+
+
+# Imports from RFC 5652
+
+Attribute = rfc5652.Attribute
+
+
+# Asymmetric Decrypt Key Identifier Attribute
+
+id_aa_asymmDecryptKeyID = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.54')
+
+class AsymmetricDecryptKeyIdentifier(univ.OctetString):
+    pass
+
+
+aa_asymmDecryptKeyID = Attribute()
+aa_asymmDecryptKeyID['attrType'] = id_aa_asymmDecryptKeyID
+aa_asymmDecryptKeyID['attrValues'][0] = AsymmetricDecryptKeyIdentifier()
+
+
+# CSR Attributes
+
+class AttrOrOID(univ.Choice):
+    pass
+
+AttrOrOID.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('oid', univ.ObjectIdentifier()),
+    namedtype.NamedType('attribute', Attribute())
+)
+
+
+class CsrAttrs(univ.SequenceOf):
+    pass
+
+CsrAttrs.componentType = AttrOrOID()
+CsrAttrs.subtypeSpec=constraint.ValueSizeConstraint(0, MAX)
+
+   
+# Update CMS Attribute Map
+
+_cmsAttributesMapUpdate = {
+    id_aa_asymmDecryptKeyID: AsymmetricDecryptKeyIdentifier(),
+}
+
+cmsAttributesMap.update(_cmsAttributesMapUpdate)

pyasn1_alt_modules/rfc7191.py

@@ -0,0 +1,267 @@
+# This file is being contributed to of pyasn1-modules software.
+#
+# Created by Russ Housley without assistance from the asn1ate tool.
+# Modified by Russ Housley to add support for opentypes.
+# Modified by Russ Housley to include the opentypemap manager.
+#
+# Copyright (c) 2019-2024, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# CMS Key Package Receipt and Error Content Types
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc7191.txt
+
+from pyasn1.type import constraint
+from pyasn1.type import namedtype
+from pyasn1.type import namedval
+from pyasn1.type import opentype
+from pyasn1.type import tag
+from pyasn1.type import univ
+
+from pyasn1_alt_modules import rfc5280
+from pyasn1_alt_modules import opentypemap
+
+cmsAttributesMap = opentypemap.get('cmsAttributesMap')
+
+cmsContentTypesMap = opentypemap.get('cmsContentTypesMap')
+
+MAX = float('inf')
+
+
+# Import from RFC 5280
+
+DistinguishedName = rfc5280.DistinguishedName
+
+
+# SingleAttribute is the same as Attribute in RFC 5652, except that the
+# attrValues SET must have one and only one member
+
+class AttributeValue(univ.Any):
+    pass
+
+
+class AttributeValues(univ.SetOf):
+    pass
+
+AttributeValues.componentType = AttributeValue()
+AttributeValues.sizeSpec = univ.Set.sizeSpec + constraint.ValueSizeConstraint(1, 1)
+
+
+class SingleAttribute(univ.Sequence):
+    pass
+
+SingleAttribute.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('attrType', univ.ObjectIdentifier()),
+    namedtype.NamedType('attrValues', AttributeValues(),
+        openType=opentype.OpenType('attrType', cmsAttributesMap)
+    )
+)
+
+
+# SIR Entity Name
+
+class SIREntityNameType(univ.ObjectIdentifier):
+    pass
+
+
+class SIREntityNameValue(univ.Any):
+    pass
+
+
+class SIREntityName(univ.Sequence):
+    pass
+
+SIREntityName.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('sirenType', SIREntityNameType()),
+    namedtype.NamedType('sirenValue', univ.OctetString())
+    # CONTAINING the DER-encoded SIREntityNameValue
+)
+
+
+class SIREntityNames(univ.SequenceOf):
+    pass
+
+SIREntityNames.componentType = SIREntityName()
+SIREntityNames.sizeSpec=constraint.ValueSizeConstraint(1, MAX)
+
+
+id_dn = univ.ObjectIdentifier('2.16.840.1.101.2.1.16.0')
+
+
+class siren_dn(SIREntityName):
+    def __init__(self):
+        SIREntityName.__init__(self)
+        self['sirenType'] = id_dn
+
+
+# Key Package Error CMS Content Type
+
+class EnumeratedErrorCode(univ.Enumerated):
+    pass
+
+# Error codes with values <= 33 are aligned with RFC 5934
+EnumeratedErrorCode.namedValues = namedval.NamedValues(
+    ('decodeFailure', 1),
+    ('badContentInfo', 2),
+    ('badSignedData', 3),
+    ('badEncapContent', 4),
+    ('badCertificate', 5),
+    ('badSignerInfo', 6),
+    ('badSignedAttrs', 7),
+    ('badUnsignedAttrs', 8),
+    ('missingContent', 9),
+    ('noTrustAnchor', 10),
+    ('notAuthorized', 11),
+    ('badDigestAlgorithm', 12),
+    ('badSignatureAlgorithm', 13),
+    ('unsupportedKeySize', 14),
+    ('unsupportedParameters', 15),
+    ('signatureFailure', 16),
+    ('insufficientMemory', 17),
+    ('incorrectTarget', 23),
+    ('missingSignature', 29),
+    ('resourcesBusy', 30),
+    ('versionNumberMismatch', 31),
+    ('revokedCertificate', 33),
+    ('ambiguousDecrypt', 60),
+    ('noDecryptKey', 61),
+    ('badEncryptedData', 62),
+    ('badEnvelopedData', 63),
+    ('badAuthenticatedData', 64),
+    ('badAuthEnvelopedData', 65),
+    ('badKeyAgreeRecipientInfo', 66),
+    ('badKEKRecipientInfo', 67),
+    ('badEncryptContent', 68),
+    ('badEncryptAlgorithm', 69),
+    ('missingCiphertext', 70),
+    ('decryptFailure', 71),
+    ('badMACAlgorithm', 72),
+    ('badAuthAttrs', 73),
+    ('badUnauthAttrs', 74),
+    ('invalidMAC', 75),
+    ('mismatchedDigestAlg', 76),
+    ('missingCertificate', 77),
+    ('tooManySigners', 78),
+    ('missingSignedAttributes', 79),
+    ('derEncodingNotUsed', 80),
+    ('missingContentHints', 81),
+    ('invalidAttributeLocation', 82),
+    ('badMessageDigest', 83),
+    ('badKeyPackage', 84),
+    ('badAttributes', 85),
+    ('attributeComparisonFailure', 86),
+    ('unsupportedSymmetricKeyPackage', 87),
+    ('unsupportedAsymmetricKeyPackage', 88),
+    ('constraintViolation', 89),
+    ('ambiguousDefaultValue', 90),
+    ('noMatchingRecipientInfo', 91),
+    ('unsupportedKeyWrapAlgorithm', 92),
+    ('badKeyTransRecipientInfo', 93),
+    ('other', 127)
+)
+
+
+class ErrorCodeChoice(univ.Choice):
+    pass
+
+ErrorCodeChoice.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('enum', EnumeratedErrorCode()),
+    namedtype.NamedType('oid', univ.ObjectIdentifier())
+)
+
+
+class KeyPkgID(univ.OctetString):
+    pass
+
+
+class KeyPkgIdentifier(univ.Choice):
+    pass
+
+KeyPkgIdentifier.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('pkgID', KeyPkgID()),
+    namedtype.NamedType('attribute', SingleAttribute())
+)
+
+
+class KeyPkgVersion(univ.Integer):
+    pass
+
+
+KeyPkgVersion.namedValues = namedval.NamedValues(
+    ('v1', 1),
+    ('v2', 2)
+)
+
+KeyPkgVersion.subtypeSpec = constraint.ValueRangeConstraint(1, 65535)
+
+
+id_ct_KP_keyPackageError = univ.ObjectIdentifier('2.16.840.1.101.2.1.2.78.6')
+
+class KeyPackageError(univ.Sequence):
+    pass
+
+KeyPackageError.componentType = namedtype.NamedTypes(
+    namedtype.DefaultedNamedType('version', KeyPkgVersion().subtype(value='v2')),
+    namedtype.OptionalNamedType('errorOf', KeyPkgIdentifier().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))),
+    namedtype.NamedType('errorBy', SIREntityName()),
+    namedtype.NamedType('errorCode', ErrorCodeChoice())
+)
+
+
+# Key Package Receipt CMS Content Type
+
+id_ct_KP_keyPackageReceipt = univ.ObjectIdentifier('2.16.840.1.101.2.1.2.78.3')
+
+class KeyPackageReceipt(univ.Sequence):
+    pass
+
+KeyPackageReceipt.componentType = namedtype.NamedTypes(
+    namedtype.DefaultedNamedType('version', KeyPkgVersion().subtype(value='v2')),
+    namedtype.NamedType('receiptOf', KeyPkgIdentifier()),
+    namedtype.NamedType('receivedBy', SIREntityName())
+)
+
+
+# Key Package Receipt Request Attribute
+
+class KeyPkgReceiptReq(univ.Sequence):
+    pass
+
+KeyPkgReceiptReq.componentType = namedtype.NamedTypes(
+    namedtype.DefaultedNamedType('encryptReceipt', univ.Boolean().subtype(value=0)),
+    namedtype.OptionalNamedType('receiptsFrom', SIREntityNames().subtype(
+        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+    namedtype.NamedType('receiptsTo', SIREntityNames())
+)
+
+
+id_aa_KP_keyPkgIdAndReceiptReq = univ.ObjectIdentifier('2.16.840.1.101.2.1.5.65')
+
+class KeyPkgIdentifierAndReceiptReq(univ.Sequence):
+    pass
+
+KeyPkgIdentifierAndReceiptReq.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('pkgID', KeyPkgID()),
+    namedtype.OptionalNamedType('receiptReq', KeyPkgReceiptReq())
+)
+
+
+# Update the of CMS Attributes Map
+
+_cmsAttributesMapUpdate = {
+    id_aa_KP_keyPkgIdAndReceiptReq: KeyPkgIdentifierAndReceiptReq(),
+}
+
+cmsAttributesMap.update(_cmsAttributesMapUpdate)
+
+
+# Update the CMS Content Types Maps
+
+_cmsContentTypesMapUpdate = {
+    id_ct_KP_keyPackageError: KeyPackageError(),
+    id_ct_KP_keyPackageReceipt: KeyPackageReceipt(),
+}
+
+cmsContentTypesMap.update(_cmsContentTypesMapUpdate)

pyasn1_alt_modules/rfc7229.py

@@ -0,0 +1,29 @@
+#
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley.
+#
+# Copyright (c) 2019-2024, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# Object Identifiers for Test Certificate Policies
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc7229.txt
+#
+
+from pyasn1.type import univ
+
+
+id_pkix = univ.ObjectIdentifier('1.3.6.1.5.5.7')
+
+id_TEST = id_pkix + (13, )
+
+id_TEST_certPolicyOne   = id_TEST + (1, )
+id_TEST_certPolicyTwo   = id_TEST + (2, )
+id_TEST_certPolicyThree = id_TEST + (3, )
+id_TEST_certPolicyFour  = id_TEST + (4, )
+id_TEST_certPolicyFive  = id_TEST + (5, )
+id_TEST_certPolicySix   = id_TEST + (6, )
+id_TEST_certPolicySeven = id_TEST + (7, )
+id_TEST_certPolicyEight = id_TEST + (8, )