synta-certificate 0.2.2

//! Well-known algorithm and attribute OID component arrays.
//!
//! Each constant is a `&[u32]` slice of OID arc values — exactly what
//! [`ObjectIdentifier::components`](synta::ObjectIdentifier::components)
//! returns — so callers can match without converting to a dotted-decimal
//! string:
//!
//! ```rust,ignore
//! use synta_certificate::oids;
//!
//! let name = match oid.components() {
//!     oids::ML_DSA_44 => "ML-DSA-44",
//!     oids::ML_DSA_65 => "ML-DSA-65",
//!     oids::ML_DSA_87 => "ML-DSA-87",
//!     c if c.starts_with(oids::RSA) => "RSA",
//!     _ => "Other",
//! };
//! ```
//!
//! All constants are generated from the ASN.1 schema in `asn1/X509-Certificate.asn1`
//! and re-exported here under ergonomic short names.
//!
//! Distinguished Name attribute OIDs live in [`attr`].
//!
//! ## Algorithm OID arcs
//!
//! | Constant | OID (dotted) | Standard |
//! |---|---|---|
//! | [`ML_DSA_44`] | 2.16.840.1.101.3.4.3.17 | FIPS 204 |
//! | [`ML_DSA_65`] | 2.16.840.1.101.3.4.3.18 | FIPS 204 |
//! | [`ML_DSA_87`] | 2.16.840.1.101.3.4.3.19 | FIPS 204 |
//! | [`ML_KEM_512`] | 2.16.840.1.101.3.4.4.1 | FIPS 203 |
//! | [`ML_KEM_768`] | 2.16.840.1.101.3.4.4.2 | FIPS 203 |
//! | [`ML_KEM_1024`] | 2.16.840.1.101.3.4.4.3 | FIPS 203 |
//! | [`ED25519`] | 1.3.101.112 | RFC 8410 |
//! | [`ED448`] | 1.3.101.113 | RFC 8410 |
//! | [`RSA_ENCRYPTION`] | 1.2.840.113549.1.1.1 | PKCS #1 |
//! | [`MD5_WITH_RSA`] | 1.2.840.113549.1.1.4 | PKCS #1 |
//! | [`SHA1_WITH_RSA`] | 1.2.840.113549.1.1.5 | PKCS #1 |
//! | [`SHA256_WITH_RSA`] | 1.2.840.113549.1.1.11 | PKCS #1 / RFC 4055 |
//! | [`SHA384_WITH_RSA`] | 1.2.840.113549.1.1.12 | PKCS #1 / RFC 4055 |
//! | [`SHA512_WITH_RSA`] | 1.2.840.113549.1.1.13 | PKCS #1 / RFC 4055 |
//! | [`EC_PUBLIC_KEY`] | 1.2.840.10045.2.1 | SEC 1 / RFC 5480 |
//! | [`ECDSA_WITH_SHA1`] | 1.2.840.10045.4.1 | ANSI X9.62 |
//! | [`ECDSA_WITH_SHA256`] | 1.2.840.10045.4.3.2 | RFC 5758 |
//! | [`ECDSA_WITH_SHA384`] | 1.2.840.10045.4.3.3 | RFC 5758 |
//! | [`ECDSA_WITH_SHA512`] | 1.2.840.10045.4.3.4 | RFC 5758 |
//! | [`RSA`] | 1.2.840.113549.1.1 (prefix) | PKCS #1 |
//! | [`ECDSA_SIG`] | 1.2.840.10045.4 (prefix) | ANSI X9.62 |
//! | [`ECDSA_KEY`] | 1.2.840.10045.2 (prefix) | ANSI X9.62 |
//! | [`DSA`] | 1.2.840.10040.4 (prefix) | FIPS 186 |

// ── ML-DSA (FIPS 204) ─────────────────────────────────────────────────────────
pub use crate::ID_ML_DSA_44 as ML_DSA_44;
pub use crate::ID_ML_DSA_65 as ML_DSA_65;
pub use crate::ID_ML_DSA_87 as ML_DSA_87;

// ── ML-KEM (FIPS 203) ─────────────────────────────────────────────────────────
pub use crate::ID_ML_KEM_1024 as ML_KEM_1024;
pub use crate::ID_ML_KEM_512 as ML_KEM_512;
pub use crate::ID_ML_KEM_768 as ML_KEM_768;

// ── EdDSA (RFC 8410) ──────────────────────────────────────────────────────────
pub use crate::ID_ED25519 as ED25519;
pub use crate::ID_ED448 as ED448;

// ── RSA (PKCS #1) — specific algorithm OIDs ──────────────────────────────────
pub use crate::MD5_WITH_RSA;
pub use crate::RSA_ENCRYPTION;
pub use crate::SHA1_WITH_RSA;
pub use crate::SHA256_WITH_RSA;
pub use crate::SHA384_WITH_RSA;
pub use crate::SHA512_WITH_RSA;

// ── ECDSA (ANSI X9.62 / RFC 5758) — specific algorithm OIDs ─────────────────
pub use crate::ECDSA_WITH_SHA1;
pub use crate::ECDSA_WITH_SHA256;
pub use crate::ECDSA_WITH_SHA384;
pub use crate::ECDSA_WITH_SHA512;
pub use crate::EC_PUBLIC_KEY;

// ── EC named curves (SEC 2 / RFC 5480) ───────────────────────────────────────

/// EC curve `prime256v1` / NIST P-256 (1.2.840.10045.3.1.7)
pub use crate::PRIME256V1 as EC_CURVE_P256;

/// EC curve `secp384r1` / NIST P-384 (1.3.132.0.34)
pub use crate::SECP384R1 as EC_CURVE_P384;

/// EC curve `secp521r1` / NIST P-521 (1.3.132.0.35)
pub use crate::SECP521R1 as EC_CURVE_P521;

/// EC curve `secp256k1` / Bitcoin curve (1.3.132.0.10)
pub use crate::SECP256K1 as EC_CURVE_SECP256K1;

// ── X.509v3 extension OIDs (RFC 5280 / 2.5.29.*) ─────────────────────────────

/// Authority Key Identifier (2.5.29.35)
pub use crate::ID_CE_AUTHORITY_KEY_IDENTIFIER as AUTHORITY_KEY_IDENTIFIER;
/// Basic Constraints (2.5.29.19)
pub use crate::ID_CE_BASIC_CONSTRAINTS as BASIC_CONSTRAINTS;
/// Certificate Issuer (2.5.29.26)
pub use crate::ID_CE_CERTIFICATE_ISSUER as CERTIFICATE_ISSUER;
/// Certificate Policies (2.5.29.32)
pub use crate::ID_CE_CERTIFICATE_POLICIES as CERTIFICATE_POLICIES;
/// CRL Distribution Points (2.5.29.31)
pub use crate::ID_CE_C_RLDISTRIBUTION_POINTS as CRL_DISTRIBUTION_POINTS;
/// CRL Number (2.5.29.20)
pub use crate::ID_CE_C_RLNUMBER as CRL_NUMBER;
/// CRL Reason Code (2.5.29.21)
pub use crate::ID_CE_C_RLREASON as CRL_REASON;
/// Delta CRL Indicator (2.5.29.24)
pub use crate::ID_CE_DELTA_CRLINDICATOR as DELTA_CRL_INDICATOR;
/// Extended Key Usage (2.5.29.37)
pub use crate::ID_CE_EXT_KEY_USAGE as EXTENDED_KEY_USAGE;
/// Invalidity Date (2.5.29.23)
pub use crate::ID_CE_INVALIDITY_DATE as INVALIDITY_DATE;
/// Issuer Alternative Name (2.5.29.18)
pub use crate::ID_CE_ISSUER_ALT_NAME as ISSUER_ALT_NAME;
/// Issuing Distribution Point (2.5.29.25)
pub use crate::ID_CE_ISSUING_DISTRIBUTION_POINT as ISSUING_DISTRIBUTION_POINT;
/// Key Usage (2.5.29.15)
pub use crate::ID_CE_KEY_USAGE as KEY_USAGE;
/// Name Constraints (2.5.29.30)
pub use crate::ID_CE_NAME_CONSTRAINTS as NAME_CONSTRAINTS;
/// Private Key Usage Period (2.5.29.16)
pub use crate::ID_CE_PRIVATE_KEY_USAGE_PERIOD as PRIVATE_KEY_USAGE_PERIOD;
/// Subject Alternative Name (2.5.29.17)
pub use crate::ID_CE_SUBJECT_ALT_NAME as SUBJECT_ALT_NAME;
/// Subject Directory Attributes (2.5.29.9)
pub use crate::ID_CE_SUBJECT_DIRECTORY_ATTRIBUTES as SUBJECT_DIRECTORY_ATTRIBUTES;
/// Subject Key Identifier (2.5.29.14)
pub use crate::ID_CE_SUBJECT_KEY_IDENTIFIER as SUBJECT_KEY_IDENTIFIER;
/// Embedded SCTs — Certificate Transparency (1.3.6.1.4.1.11129.2.4.2)
pub use crate::ID_CT_SCTS as CT_PRECERT_SCTS;
/// Authority Information Access (1.3.6.1.5.5.7.1.1)
pub use crate::ID_PE_AUTHORITY_INFO_ACCESS as AUTHORITY_INFO_ACCESS;

// ── id-ad accessMethod OIDs (RFC 5280 §4.2.2.1, 1.3.6.1.5.5.7.48.*) ─────────

/// CA issuers (1.3.6.1.5.5.7.48.2)
pub use crate::ID_AD_CA_ISSUERS as AD_CA_ISSUERS;
/// OCSP responder (1.3.6.1.5.5.7.48.1)
pub use crate::ID_AD_OCSP as AD_OCSP;

// ── OCSP OID arcs (RFC 6960 §4.2.1) ─────────────────────────────────────────

/// OCSP arc root — `id-pkix-ocsp` (1.3.6.1.5.5.7.48.1)
pub use crate::ocsp::ID_PKIX_OCSP;

/// `BasicOCSPResponse` `responseType` OID — `id-pkix-ocsp-basic`
/// (1.3.6.1.5.5.7.48.1.1)
pub use crate::ocsp::ID_PKIX_OCSP_BASIC;

// ── Extended Key Usage key-purpose OIDs (RFC 5280 §4.2.1.12, 1.3.6.1.5.5.7.3.*) ─

/// Any extended key usage — match any EKU-bearing cert (2.5.29.37.0)
pub use crate::ANY_EXTENDED_KEY_USAGE;
/// TLS client authentication (1.3.6.1.5.5.7.3.2)
pub use crate::ID_KP_CLIENT_AUTH as KP_CLIENT_AUTH;
/// Code signing (1.3.6.1.5.5.7.3.3)
pub use crate::ID_KP_CODE_SIGNING as KP_CODE_SIGNING;
/// Email protection / S/MIME (1.3.6.1.5.5.7.3.4)
pub use crate::ID_KP_EMAIL_PROTECTION as KP_EMAIL_PROTECTION;
/// OCSP signing (1.3.6.1.5.5.7.3.9)
pub use crate::ID_KP_OCSPSIGNING as KP_OCSP_SIGNING;
/// TLS server authentication (1.3.6.1.5.5.7.3.1)
pub use crate::ID_KP_SERVER_AUTH as KP_SERVER_AUTH;
/// Time stamping (1.3.6.1.5.5.7.3.8)
pub use crate::ID_KP_TIME_STAMPING as KP_TIME_STAMPING;

// ── SHA-1 hash algorithm (OIW arc, 1.3.14.3.2.26) ───────────────────────────

/// SHA-1 hash algorithm OID (`id-sha1`, 1.3.14.3.2.26, OIW arc).
///
/// Predates the NIST SHA-2 arc.  Still used as the default hash algorithm in
/// RSA-PSS and RSA-OAEP parameter blocks (RFC 8017 §9.1, §7.1).  Do not use
/// SHA-1 as a standalone digest for new protocols.
pub use crate::ID_SHA1;

// ── SHA-2 hash algorithms (FIPS 180-4) ───────────────────────────────────────
pub use crate::HASH_ALGS;
pub use crate::ID_SHA224;
pub use crate::ID_SHA256;
pub use crate::ID_SHA384;
pub use crate::ID_SHA512;
pub use crate::ID_SHA512_224;
pub use crate::ID_SHA512_256;

// ── SHA-3 hash algorithms and XOFs (FIPS 202) ────────────────────────────────
pub use crate::ID_SHA3_224;
pub use crate::ID_SHA3_256;
pub use crate::ID_SHA3_384;
pub use crate::ID_SHA3_512;
pub use crate::ID_SHAKE128;
pub use crate::ID_SHAKE256;

// ── SLH-DSA signature algorithms (FIPS 205) ──────────────────────────────────
pub use crate::ID_SLH_DSA_SHA2_128F;
pub use crate::ID_SLH_DSA_SHA2_128S;
pub use crate::ID_SLH_DSA_SHA2_192F;
pub use crate::ID_SLH_DSA_SHA2_192S;
pub use crate::ID_SLH_DSA_SHA2_256F;
pub use crate::ID_SLH_DSA_SHA2_256S;
pub use crate::ID_SLH_DSA_SHAKE_128F;
pub use crate::ID_SLH_DSA_SHAKE_128S;
pub use crate::ID_SLH_DSA_SHAKE_192F;
pub use crate::ID_SLH_DSA_SHAKE_192S;
pub use crate::ID_SLH_DSA_SHAKE_256F;
pub use crate::ID_SLH_DSA_SHAKE_256S;

// ── RSA / ECDSA / DSA (prefix OIDs) ──────────────────────────────────────────
//
// These algorithms share a common OID arc for all their variants.
// Use `components().starts_with(prefix)` rather than an exact match.

/// RSA signature / public-key OID prefix — `pkcs-1` (1.2.840.113549.1.1)
///
/// Covers all PKCS #1 v1.5 signature algorithms:
/// `sha1WithRSAEncryption`, `sha256WithRSAEncryption`, …
pub use crate::PKCS_1 as RSA;

/// ECDSA *signature* OID prefix — `ansiX962-signatures` arc (1.2.840.10045.4)
///
/// Covers `ecdsa-with-SHA1`, `ecdsa-with-SHA256`, `ecdsa-with-SHA384`, …
pub use crate::ANSI_X962_SIGNATURES as ECDSA_SIG;

/// ECDSA / EC *public-key* OID prefix — `ansiX962-keyType` arc (1.2.840.10045.2)
pub use crate::ANSI_X962_KEY_TYPE as ECDSA_KEY;

/// DSA OID prefix — `id-dsa` arc (1.2.840.10040.4)
///
/// Covers `id-dsa` (plain) and `id-dsa-with-sha1`, `id-dsa-with-sha224`, …
pub use crate::ID_DSA as DSA;

// ── X.500 / LDAP distinguished name attribute types ───────────────────────────

/// OID component arrays for well-known X.509 distinguished name attributes.
///
/// These are the same values matched by [`crate::name::format_dn`] when
/// formatting an RFC 4514 distinguished name string.
///
/// ```rust,ignore
/// use synta_certificate::oids::attr;
///
/// let label = match oid.components() {
///     attr::COMMON_NAME    => "CN",
///     attr::ORGANIZATION   => "O",
///     attr::COUNTRY        => "C",
///     _                    => "?",
/// };
/// ```
pub mod attr {
    pub use crate::ms_pki_types::ID_MS_EV_JURISDICTION_COUNTRY as JURISDICTION_COUNTRY;
    pub use crate::ms_pki_types::ID_MS_EV_JURISDICTION_LOCALITY as JURISDICTION_LOCALITY;
    pub use crate::ms_pki_types::ID_MS_EV_JURISDICTION_STATE as JURISDICTION_STATE;
    pub use crate::DOMAIN_COMPONENT;
    pub use crate::ID_AT_BUSINESS_CATEGORY as BUSINESS_CATEGORY;
    pub use crate::ID_AT_COMMON_NAME as COMMON_NAME;
    pub use crate::ID_AT_COUNTRY_NAME as COUNTRY;
    pub use crate::ID_AT_DN_QUALIFIER as DN_QUALIFIER;
    pub use crate::ID_AT_GENERATION_QUALIFIER as GENERATION_QUALIFIER;
    pub use crate::ID_AT_GIVEN_NAME as GIVEN_NAME;
    pub use crate::ID_AT_INITIALS as INITIALS;
    pub use crate::ID_AT_LOCALITY_NAME as LOCALITY;
    pub use crate::ID_AT_ORGANIZATIONAL_UNIT_NAME as ORG_UNIT;
    pub use crate::ID_AT_ORGANIZATION_IDENTIFIER as ORG_IDENTIFIER;
    pub use crate::ID_AT_ORGANIZATION_NAME as ORGANIZATION;
    pub use crate::ID_AT_POSTAL_CODE as POSTAL_CODE;
    pub use crate::ID_AT_PSEUDONYM as PSEUDONYM;
    pub use crate::ID_AT_SERIAL_NUMBER as SERIAL_NUMBER;
    pub use crate::ID_AT_STATE_OR_PROVINCE_NAME as STATE;
    pub use crate::ID_AT_STREET_ADDRESS as STREET;
    pub use crate::ID_AT_SURNAME as SURNAME;
    pub use crate::ID_AT_TITLE as TITLE;
    pub use crate::ID_EMAIL_ADDRESS as EMAIL_ADDRESS;
    pub use crate::UID as USER_ID;
}

// ── PKINIT OIDs (RFC 4556 + RFC 6112 + RFC 8636) ─────────────────────────────

/// PKINIT KRB5PrincipalName SAN OtherName type-id (1.3.6.1.5.2.2)
///
/// Used as the `type-id` field of an X.509 Subject Alternative Name `OtherName`
/// entry that carries a Kerberos principal name encoded as KRB5PrincipalName.
pub use crate::pkinit_types::ID_PKINIT_SAN;

/// PKINIT client authentication Extended Key Usage (1.3.6.1.5.2.3.4)
///
/// KDCs MUST require this EKU in client certificates during PKINIT exchanges.
pub use crate::pkinit_types::ID_PKINIT_KPCLIENT_AUTH;

/// PKINIT KDC Extended Key Usage (1.3.6.1.5.2.3.5)
///
/// PKINIT clients MUST verify that the KDC certificate contains this EKU.
pub use crate::pkinit_types::ID_PKINIT_KPKDC;

/// PKINIT pre-authentication data content type (1.3.6.1.5.2.3.1)
pub use crate::pkinit_types::ID_PKINIT_AUTH_DATA;

/// PKINIT DH key data content type (1.3.6.1.5.2.3.2)
pub use crate::pkinit_types::ID_PKINIT_DHKEY_DATA;

/// PKINIT reply key pack content type (1.3.6.1.5.2.3.3)
pub use crate::pkinit_types::ID_PKINIT_RKEY_DATA;

/// PKINIT KDF algorithm arc (1.3.6.1.5.2.3.6) — RFC 8636
pub use crate::pkinit_types::ID_PKINIT_KDF;

/// PKINIT KDF with SHA-1 (1.3.6.1.5.2.3.6.1) — RFC 8636
pub use crate::pkinit_types::ID_PKINIT_KDF_AH_SHA1;

/// PKINIT KDF with SHA-256 (1.3.6.1.5.2.3.6.2) — RFC 8636
pub use crate::pkinit_types::ID_PKINIT_KDF_AH_SHA256;

/// PKINIT KDF with SHA-384 (1.3.6.1.5.2.3.6.4) — RFC 8636
pub use crate::pkinit_types::ID_PKINIT_KDF_AH_SHA384;

/// PKINIT KDF with SHA-512 (1.3.6.1.5.2.3.6.3) — RFC 8636
pub use crate::pkinit_types::ID_PKINIT_KDF_AH_SHA512;

// ── Microsoft PKI OIDs (AD CS) ────────────────────────────────────────────────

/// Microsoft UPN Subject Alternative Name OtherName type-id (1.3.6.1.4.1.311.20.2.3)
///
/// Known as `szOID_NT_PRINCIPAL_NAME` in the Windows SDK.  The OtherName value
/// is a UTF8String carrying the User Principal Name (e.g. "user@REALM").
pub use crate::ms_pki_types::ID_MS_SAN_UPN;

/// Microsoft Certificate Template Name extension OID (1.3.6.1.4.1.311.20.2)
///
/// Known as `szOID_CERTIFICATE_TEMPLATE_NAME` / `szOID_ENROLLMENT_SUBTYPE`.
/// Windows 2000 / version 1 template name extension.  Value is a BMPString.
pub use crate::ms_pki_types::ID_MS_CERTIFICATE_TEMPLATE_NAME;

/// Microsoft Certificate Template Information extension OID (1.3.6.1.4.1.311.21.7)
///
/// Known as `szOID_CERTIFICATE_TEMPLATE`.  Windows Server 2003+ / version 2
/// template info extension.  Value is `MSCSTemplateV2` (OID + version numbers).
pub use crate::ms_pki_types::ID_MS_CERTIFICATE_TEMPLATE;

/// Microsoft smart card logon Extended Key Usage (1.3.6.1.4.1.311.20.2.2)
///
/// Known as `szOID_MS_KP_SMARTCARD_LOGON`.  Windows KDCs may accept certificates
/// with this EKU for PKINIT client authentication.
pub use crate::ms_pki_types::ID_MS_KP_SMARTCARD_LOGON;

/// Microsoft NTDS replication Extended Key Usage (1.3.6.1.4.1.311.25.1)
///
/// Known as `szOID_NTDS_REPLICATION`.  Used in domain controller certificates
/// for Active Directory replication and Windows PKINIT ([MS-PKCA]).
pub use crate::ms_pki_types::ID_MS_NTDS_REPLICATION;

// ── CMS content-type OIDs (RFC 5652 §14) ─────────────────────────────────────

/// CMS `id-data` content type — plain data (1.2.840.113549.1.7.1, RFC 5652 §4).
pub use crate::pkcs7_types::ID_DATA as CMS_DATA;

/// CMS `id-signedData` content type — digital signatures (1.2.840.113549.1.7.2,
/// RFC 5652 §5).
pub use crate::pkcs7_types::ID_SIGNED_DATA as CMS_SIGNED_DATA;

/// CMS `id-envelopedData` content type — encrypted for recipients
/// (1.2.840.113549.1.7.3, RFC 5652 §6).
pub use crate::pkcs7_types::ID_ENVELOPED_DATA as CMS_ENVELOPED_DATA;

/// CMS `id-digestedData` content type — data with a digest (1.2.840.113549.1.7.5,
/// RFC 5652 §7).
pub use crate::pkcs7_types::ID_DIGESTED_DATA as CMS_DIGESTED_DATA;

/// CMS `id-encryptedData` content type — symmetrically encrypted, no recipient
/// management (1.2.840.113549.1.7.6, RFC 5652 §8).
pub use crate::pkcs7_types::ID_ENCRYPTED_DATA as CMS_ENCRYPTED_DATA;

/// CMS `id-ct-authData` content type — MACed data (1.2.840.113549.1.9.16.1.2,
/// RFC 5652 §9).
pub use crate::pkcs7_types::ID_CT_AUTH_DATA as CMS_AUTH_DATA;

// ── CMS-KEM OtherRecipientInfo OIDs (RFC 9629 §6.2) ──────────────────────────

/// CMS-KEM `id-ori` — root arc for `OtherRecipientInfo` alternatives
/// (1.2.840.113549.1.9.16.13, RFC 9629).
pub use crate::cms_kem_types::ID_ORI as CMS_ORI;

/// CMS-KEM `id-ori-kem` — identifies a `KEMRecipientInfo` inside
/// `OtherRecipientInfo` (1.2.840.113549.1.9.16.13.3, RFC 9629).
pub use crate::cms_kem_types::ID_ORI_KEM as CMS_ORI_KEM;

// ── PKCS #9 attribute type OIDs (RFC 2985 / RFC 5652 §11) ────────────────────
//
// | Constant | OID (dotted) | Standard |
// |---|---|---|
// | [`PKCS9_CONTENT_TYPE`] | 1.2.840.113549.1.9.3 | RFC 5652 §11.1 |
// | [`PKCS9_MESSAGE_DIGEST`] | 1.2.840.113549.1.9.4 | RFC 5652 §11.2 |
// | [`PKCS9_SIGNING_TIME`] | 1.2.840.113549.1.9.5 | RFC 5652 §11.3 |
// | [`PKCS9_COUNTERSIGNATURE`] | 1.2.840.113549.1.9.6 | RFC 5652 §11.4 |
// | [`PKCS9_CHALLENGE_PASSWORD`] | 1.2.840.113549.1.9.7 | RFC 2986 §5.4.1 |
// | [`PKCS9_EMAIL_ADDRESS`] | 1.2.840.113549.1.9.1 | RFC 2985 §5.2.1 |
// | [`PKCS9_EXTENSION_REQUEST`] | 1.2.840.113549.1.9.14 | RFC 2985 §5.4.2 |
// | [`PKCS9_FRIENDLY_NAME`] | 1.2.840.113549.1.9.20 | RFC 7292 §B.3 |
// | [`PKCS9_LOCAL_KEY_ID`] | 1.2.840.113549.1.9.21 | RFC 7292 §B.3 |

/// PKCS #9 `id-contentType` signed attribute (1.2.840.113549.1.9.3, RFC 5652 §11.1).
///
/// Carries the content type of the encapsulated content as an OID.  MUST be
/// present in `SignerInfo.signedAttrs` whenever `encapContentInfo.eContent`
/// is present in a `SignedData`.
pub use crate::pkcs9_types::ID_CONTENT_TYPE as PKCS9_CONTENT_TYPE;

/// PKCS #9 `id-messageDigest` signed attribute (1.2.840.113549.1.9.4, RFC 5652 §11.2).
///
/// Carries the hash of the signed content as an OCTET STRING.  MUST be present
/// in `SignerInfo.signedAttrs` whenever `signedAttrs` is present.
pub use crate::pkcs9_types::ID_MESSAGE_DIGEST as PKCS9_MESSAGE_DIGEST;

/// PKCS #9 `id-signingTime` signed attribute (1.2.840.113549.1.9.5, RFC 5652 §11.3).
///
/// Carries the claimed time of signing as `UTCTime` or `GeneralizedTime`.
/// Note: the claimed time is not authenticated by the signature algorithm
/// itself; it is only as trustworthy as the signer.
pub use crate::pkcs9_types::ID_SIGNING_TIME as PKCS9_SIGNING_TIME;

/// PKCS #9 `id-countersignature` unsigned attribute (1.2.840.113549.1.9.6, RFC 5652 §11.4).
///
/// Carries a `SignerInfo` that signs the signature value of the containing
/// `SignerInfo`.  Placed in `SignerInfo.unsignedAttrs`.
pub use crate::pkcs9_types::ID_COUNTERSIGNATURE as PKCS9_COUNTERSIGNATURE;

/// PKCS #9 `id-challengePassword` attribute (1.2.840.113549.1.9.7, RFC 2986 §5.4.1).
///
/// A challenge password used for CSR revocation verification.  Value is a
/// `DirectoryString` (`PrintableString` or `UTF8String`).
pub use crate::pkcs9_types::ID_CHALLENGE_PASSWORD as PKCS9_CHALLENGE_PASSWORD;

/// PKCS #9 `id-emailAddress` attribute (1.2.840.113549.1.9.1, RFC 2985 §5.2.1).
///
/// Deprecated: use Subject Alternative Name (`id-ce-subjectAltName`) with an
/// `rfc822Name` entry instead.  Still common in legacy certificates and
/// S/MIME-era CAs.
pub use crate::pkcs9_types::ID_EMAIL_ADDRESS as PKCS9_EMAIL_ADDRESS;

/// PKCS #9 `id-extensionRequest` attribute (1.2.840.113549.1.9.14, RFC 2985 §5.4.2).
///
/// Carries a `SEQUENCE OF Extension` specifying the X.509v3 extensions to
/// include in the issued certificate.  The CA MAY honour any subset of
/// the requested extensions.  MUST be present in a CSR that requests
/// Subject Alternative Names or other extensions.
pub use crate::pkcs9_types::ID_EXTENSION_REQUEST as PKCS9_EXTENSION_REQUEST;

/// PKCS #9 `id-friendlyName` bag attribute (1.2.840.113549.1.9.20, RFC 7292 §B.3).
///
/// A human-readable alias (`BMPString`) for a PKCS #12 key or certificate bag.
pub use crate::pkcs9_types::ID_FRIENDLY_NAME as PKCS9_FRIENDLY_NAME;

/// PKCS #9 `id-localKeyId` bag attribute (1.2.840.113549.1.9.21, RFC 7292 §B.3).
///
/// An `OCTET STRING` identifier linking a private-key bag to the corresponding
/// certificate bag in a PKCS #12 file.
pub use crate::pkcs9_types::ID_LOCAL_KEY_ID as PKCS9_LOCAL_KEY_ID;

// ── PKCS #1 algorithm OIDs (RFC 8017) ────────────────────────────────────────
//
// | Constant | OID (dotted) | Purpose |
// |---|---|---|
// | [`RSASSA_PSS`] | 1.2.840.113549.1.1.10 | RSA-PSS signature |
// | [`RSAES_OAEP`] | 1.2.840.113549.1.1.7 | RSA-OAEP encryption |
// | [`MGF1`] | 1.2.840.113549.1.1.8 | Mask Generation Function 1 |
// | [`P_SPECIFIED`] | 1.2.840.113549.1.1.9 | pSource "P is specified" |
// | [`MD2_WITH_RSA`] | 1.2.840.113549.1.1.2 | MD2 with RSA (obsolete) |
// | [`SHA512_224_WITH_RSA`] | 1.2.840.113549.1.1.15 | SHA-512/224 with RSA |
// | [`SHA512_256_WITH_RSA`] | 1.2.840.113549.1.1.16 | SHA-512/256 with RSA |

/// `id-RSASSA-PSS` — RSA Probabilistic Signature Scheme (1.2.840.113549.1.1.10,
/// RFC 8017 §8.1).
///
/// Used as the `AlgorithmIdentifier.algorithm` OID for RSA-PSS signatures;
/// the parameters field carries [`crate::pkcs1_types::RsassaPssParams`].
pub use crate::pkcs1_types::ID_RSASSA_PSS as RSASSA_PSS;

/// `id-RSAES-OAEP` — RSA Optimal Asymmetric Encryption Padding (1.2.840.113549.1.1.7,
/// RFC 8017 §7.1).
///
/// Used as the `AlgorithmIdentifier.algorithm` OID for RSA-OAEP key encryption;
/// the parameters field carries [`crate::pkcs1_types::RsaesOaepParams`].
pub use crate::pkcs1_types::ID_RSAES_OAEP as RSAES_OAEP;

/// `id-mgf1` — Mask Generation Function 1 (1.2.840.113549.1.1.8, RFC 8017 §B.2.1).
///
/// Identifies MGF1 as the mask generation algorithm inside
/// [`crate::pkcs1_types::RsassaPssParams`] and [`crate::pkcs1_types::RsaesOaepParams`].
pub use crate::pkcs1_types::ID_MGF1 as MGF1;

/// `id-pSpecified` — pSource algorithm "P is specified" (1.2.840.113549.1.1.9,
/// RFC 8017 §A.2.1).
///
/// Identifies the label source algorithm inside
/// [`crate::pkcs1_types::RsaesOaepParams`].
pub use crate::pkcs1_types::ID_P_SPECIFIED as P_SPECIFIED;

/// `md2WithRSAEncryption` — MD2 with RSA, PKCS #1 v1.5 (1.2.840.113549.1.1.2,
/// RFC 8017 Appendix C).  Obsolete; do not use.
pub use crate::pkcs1_types::MD2_WITH_RSAENCRYPTION as MD2_WITH_RSA;

/// `sha512-224WithRSAEncryption` — SHA-512/224 with RSA, PKCS #1 v1.5
/// (1.2.840.113549.1.1.15, RFC 8017 Appendix C).
pub use crate::pkcs1_types::SHA512_224_WITH_RSAENCRYPTION as SHA512_224_WITH_RSA;

/// `sha512-256WithRSAEncryption` — SHA-512/256 with RSA, PKCS #1 v1.5
/// (1.2.840.113549.1.1.16, RFC 8017 Appendix C).
pub use crate::pkcs1_types::SHA512_256_WITH_RSAENCRYPTION as SHA512_256_WITH_RSA;

// ── RFC 9925 Unsigned X.509 Certificates ─────────────────────────────────────
//
// | Constant | OID (dotted) | Purpose |
// |---|---|---|
// | [`ALG_UNSIGNED`] | 1.3.6.1.5.5.7.6.36 | Unsigned signature algorithm |
// | [`RDNA_UNSIGNED`] | 1.3.6.1.5.5.7.25.1 | Unsigned issuer RDN placeholder |

/// `id-alg-unsigned` — unsigned signature algorithm identifier (1.3.6.1.5.5.7.6.36,
/// RFC 9925 §3).
///
/// Placed in both `Certificate.signatureAlgorithm` and `TBSCertificate.signature`
/// to mark a certificate as unsigned.  Algorithm parameters MUST be absent and
/// `signatureValue` MUST be a zero-length BIT STRING (DER: `03 01 00`).
///
/// Receivers MUST reject certificates using this OID during signature verification.
/// Receivers MAY accept them when processing certificates as unsigned containers.
pub use crate::rfc9925_types::ID_ALG_UNSIGNED as ALG_UNSIGNED;

/// `id-rdna-unsigned` — unsigned issuer RDN placeholder attribute (1.3.6.1.5.5.7.25.1,
/// RFC 9925 §5).
///
/// An optional placeholder Relative Distinguished Name attribute for the issuer
/// field of an unsigned certificate.  The attribute value is a zero-length
/// UTF8String.  RFC 4514 string representation: `1.3.6.1.5.5.7.25.1=#0C00`.
///
/// Senders may also copy the subject DN into the issuer DN (self-signed appearance)
/// instead of using this attribute.
pub use crate::rfc9925_types::ID_RDNA_UNSIGNED as RDNA_UNSIGNED;

// ── Attribute Certificate OIDs (RFC 5755) ────────────────────────────────────
//
// Attribute Certificate Issuer (ACA) service OIDs: id-aca arc (1.3.6.1.5.5.7.10.*)
// Private extension OIDs: id-pe arc (1.3.6.1.5.5.7.1.*)
// Attribute type OIDs: id-at arc (2.5.4.*)

/// `id-aca-authenticationInfo` (1.3.6.1.5.5.7.10.1, RFC 5755 §4.4.2).
///
/// AC attribute carrying authentication information.
pub use crate::attribute_cert_types::ID_ACA_AUTHENTICATION_INFO as ACA_AUTHENTICATION_INFO;

/// `id-aca-accessIdentity` (1.3.6.1.5.5.7.10.2, RFC 5755 §4.4.3).
///
/// AC attribute carrying an access identity.
pub use crate::attribute_cert_types::ID_ACA_ACCESS_IDENTITY as ACA_ACCESS_IDENTITY;

/// `id-aca-chargingIdentity` (1.3.6.1.5.5.7.10.3, RFC 5755 §4.4.4).
///
/// AC attribute carrying a charging identity.
pub use crate::attribute_cert_types::ID_ACA_CHARGING_IDENTITY as ACA_CHARGING_IDENTITY;

/// `id-aca-group` (1.3.6.1.5.5.7.10.4, RFC 5755 §4.4.5).
///
/// AC attribute carrying group membership information.
pub use crate::attribute_cert_types::ID_ACA_GROUP as ACA_GROUP;

/// `id-aca-encAttrs` (1.3.6.1.5.5.7.10.6, RFC 5755 §4.4.6).
///
/// AC attribute carrying encrypted attributes.
pub use crate::attribute_cert_types::ID_ACA_ENC_ATTRS as ACA_ENC_ATTRS;

/// `id-at-role` (2.5.4.72, RFC 5755 §4.4.5).
///
/// X.500 attribute type for carrying role information in an AC.
pub use crate::attribute_cert_types::ID_AT_ROLE as AT_ROLE;

/// `id-at-clearance` (2.5.4.55, RFC 5755 §4.4.6).
///
/// X.500 attribute type for carrying clearance information in an AC.
pub use crate::attribute_cert_types::ID_AT_CLEARANCE as AT_CLEARANCE;

/// `id-ce-targetInformation` (2.5.29.55, RFC 5755 §4.3.2).
///
/// Certificate extension that limits the scope of an AC to specific targets.
pub use crate::attribute_cert_types::ID_CE_TARGET_INFORMATION as CE_TARGET_INFORMATION;

/// `id-pe-acAuditIdentity` (1.3.6.1.5.5.7.1.4, RFC 5755 §4.5.1).
///
/// AC private extension carrying an audit identity reference.
pub use crate::attribute_cert_types::ID_PE_AC_AUDIT_IDENTITY as PE_AC_AUDIT_IDENTITY;

/// `id-pe-aaControls` (1.3.6.1.5.5.7.1.56, RFC 5755 §4.5.2).
///
/// AC private extension specifying which attributes an AC issuer is authorised to assert.
pub use crate::attribute_cert_types::ID_PE_AA_CONTROLS as PE_AA_CONTROLS;

/// `id-pe-acProxying` (1.3.6.1.5.5.7.1.10, RFC 5755 §4.5.3).
///
/// AC private extension enabling delegation of attribute authority.
pub use crate::attribute_cert_types::ID_PE_AC_PROXYING as PE_AC_PROXYING;

/// `id-pe-acmeIdentifier` (1.3.6.1.5.5.7.1.31, RFC 8737 §3).
///
/// X.509 extension OID for the ACME TLS-ALPN-01 domain validation certificate.
/// The extension MUST be critical.  Its value is the DER encoding of an
/// [`acme_types::Authorization`](crate::acme_types::Authorization) — a 32-byte
/// SHA-256 digest of the ACME key authorization string for the challenge token.
pub use crate::acme_types::ID_PE_ACME_IDENTIFIER as PE_ACME_IDENTIFIER;

// ── CRMF registration-control OIDs (RFC 4211 §6.1) ───────────────────────────
//
// id-regCtrl arc (1.3.6.1.5.5.7.5.1.*) — controls sent in CertReqMsg

/// `id-regCtrl` arc root (1.3.6.1.5.5.7.5.1, RFC 4211 §6.1).
pub use crate::crmf_types::ID_REG_CTRL as CRMF_REG_CTRL;

/// `id-regCtrl-regToken` (1.3.6.1.5.5.7.5.1.1, RFC 4211 §6.1.1).
///
/// A one-time secret used to prove the requester's identity to the CA.
pub use crate::crmf_types::ID_REG_CTRL_REG_TOKEN as CRMF_REG_CTRL_REG_TOKEN;

/// `id-regCtrl-authenticator` (1.3.6.1.5.5.7.5.1.2, RFC 4211 §6.1.2).
///
/// Shared secret used to authenticate the requester.
pub use crate::crmf_types::ID_REG_CTRL_AUTHENTICATOR as CRMF_REG_CTRL_AUTHENTICATOR;

/// `id-regCtrl-pkiPublicationInfo` (1.3.6.1.5.5.7.5.1.3, RFC 4211 §6.1.3).
///
/// Describes where the resulting certificate should be published.
pub use crate::crmf_types::ID_REG_CTRL_PKI_PUBLICATION_INFO as CRMF_REG_CTRL_PKI_PUBLICATION_INFO;

/// `id-regCtrl-pkiArchiveOptions` (1.3.6.1.5.5.7.5.1.4, RFC 4211 §6.1.4).
///
/// Requests that the private key or encrypted key be archived.
pub use crate::crmf_types::ID_REG_CTRL_PKI_ARCHIVE_OPTIONS as CRMF_REG_CTRL_PKI_ARCHIVE_OPTIONS;

/// `id-regCtrl-oldCertID` (1.3.6.1.5.5.7.5.1.5, RFC 4211 §6.1.5).
///
/// Identifies the certificate being replaced or renewed.
pub use crate::crmf_types::ID_REG_CTRL_OLD_CERT_ID as CRMF_REG_CTRL_OLD_CERT_ID;

/// `id-regCtrl-protocolEncrKey` (1.3.6.1.5.5.7.5.1.6, RFC 4211 §6.1.6).
///
/// Public key used to encrypt sensitive information in the response.
pub use crate::crmf_types::ID_REG_CTRL_PROTOCOL_ENCR_KEY as CRMF_REG_CTRL_PROTOCOL_ENCR_KEY;

/// `id-regInfo` arc root (1.3.6.1.5.5.7.5.2, RFC 4211 §6.2).
pub use crate::crmf_types::ID_REG_INFO as CRMF_REG_INFO;

/// `id-regInfo-utf8Pairs` (1.3.6.1.5.5.7.5.2.1, RFC 4211 §6.2.1).
///
/// A sequence of UTF-8 name=value pairs providing supplementary information.
pub use crate::crmf_types::ID_REG_INFO_UTF8_PAIRS as CRMF_REG_INFO_UTF8_PAIRS;

/// `id-regInfo-certReq` (1.3.6.1.5.5.7.5.2.2, RFC 4211 §6.2.2).
///
/// An embedded certificate request providing context for the current request.
pub use crate::crmf_types::ID_REG_INFO_CERT_REQ as CRMF_REG_INFO_CERT_REQ;

// ── CMP MAC algorithm and KGA OIDs (RFC 4210 / RFC 9480) ─────────────────────

/// `id-PasswordBasedMac` (1.2.840.113533.7.66.13, RFC 4210 §5.1.3.1).
///
/// Password-based MAC algorithm identifier used in CMP PKIHeader protection.
pub use crate::cmp_types::ID_PASSWORD_BASED_MAC as CMP_PASSWORD_BASED_MAC;

/// `id-DHBasedMac` (1.2.840.113533.7.66.30, RFC 4210 §5.1.3.2).
///
/// Diffie-Hellman-based MAC algorithm identifier used in CMP PKIHeader protection.
pub use crate::cmp_types::ID_DHBASED_MAC as CMP_DHBASED_MAC;

/// `id-KemBasedMac` (1.3.6.1.5.5.7.15.10, RFC 9480 §4).
///
/// KEM-based MAC algorithm identifier for CMP PKIHeader protection (post-quantum).
pub use crate::cmp_types::ID_KEM_BASED_MAC as CMP_KEM_BASED_MAC;

/// `id-kp-cmKGA` (1.3.6.1.5.5.7.3.32, RFC 9480 §3.2).
///
/// Extended Key Usage OID for a CMP Key Generation Authority (KGA).
pub use crate::cmp_types::ID_KP_CM_KGA as KP_CM_KGA;

/// `id-regCtrl-altCertTemplate` (1.3.6.1.5.5.7.5.1.7, RFC 9480 §5.1.7).
///
/// CMP registration control carrying an alternative certificate template.
pub use crate::cmp_types::ID_REG_CTRL_ALT_CERT_TEMPLATE as CMP_REG_CTRL_ALT_CERT_TEMPLATE;

/// `id-regCtrl-algID` (1.3.6.1.5.5.7.5.1.11, RFC 9480 §5.1.8).
///
/// CMP registration control requesting a specific algorithm for the issued certificate.
pub use crate::cmp_types::ID_REG_CTRL_ALG_ID as CMP_REG_CTRL_ALG_ID;

/// `id-regCtrl-rsaKeyLen` (1.3.6.1.5.5.7.5.1.12, RFC 9480 §5.1.9).
///
/// CMP registration control specifying the desired RSA key length.
pub use crate::cmp_types::ID_REG_CTRL_RSA_KEY_LEN as CMP_REG_CTRL_RSA_KEY_LEN;

// ── PKIXAlgs DSA, DH, and additional EC curve OIDs (RFC 3279) ────────────────

/// `id-dsa` (1.2.840.10040.4.1, RFC 3279 §2.3.2) — DSA public key algorithm OID.
///
/// The specific DSA public key OID, as distinct from the `DSA` prefix arc
/// (1.2.840.10040.4) which is available as [`DSA`].
pub use crate::pkixalgs_types::ID_DSA as DSA_KEY;

/// `id-dsa-with-sha1` (1.2.840.10040.4.3, RFC 3279 §2.3.2) — DSA with SHA-1 signature.
pub use crate::pkixalgs_types::ID_DSA_WITH_SHA1 as DSA_WITH_SHA1;

/// `dhpublicNumber` (1.2.840.10046.2.1, RFC 3279 §2.3.3) — Diffie-Hellman public key.
pub use crate::pkixalgs_types::DHPUBLICNUMBER as DH_PUBLIC_KEY;

/// EC curve `prime192v1` / NIST P-192 (1.2.840.10045.3.1.1, SEC 2).
pub use crate::pkixalgs_types::PRIME192V1 as EC_CURVE_P192;

/// EC curve `secp224r1` / NIST P-224 (1.3.132.0.33, SEC 2).
pub use crate::pkixalgs_types::SECP224R1 as EC_CURVE_P224;