Network Working Group                                            S. Legg
Request for Comments: 3687                           Adacel Technologies
Category: Standards Track                                  February 2004
        
Network Working Group                                            S. Legg
Request for Comments: 3687                           Adacel Technologies
Category: Standards Track                                  February 2004
        

Lightweight Directory Access Protocol (LDAP) and X.500 Component Matching Rules

轻型目录访问协议(LDAP)和X.500组件匹配规则

Status of this Memo

本备忘录的状况

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2004). All Rights Reserved.

版权所有(C)互联网协会(2004年)。版权所有。

Abstract

摘要

The syntaxes of attributes in a Lightweight Directory Access Protocol (LDAP) or X.500 directory range from simple data types, such as text string, integer, or boolean, to complex structured data types, such as the syntaxes of the directory schema operational attributes. Matching rules defined for the complex syntaxes usually only provide the most immediately useful matching capability. This document defines generic matching rules that can match any user selected component parts in an attribute value of any arbitrarily complex attribute syntax.

轻量级目录访问协议(LDAP)或X.500目录中属性的语法范围从简单的数据类型(如文本字符串、整数或布尔值)到复杂的结构化数据类型(如目录架构操作属性的语法)。为复杂语法定义的匹配规则通常只提供最直接有用的匹配功能。本文档定义了通用匹配规则,这些规则可以匹配任意复杂属性语法的属性值中的任何用户选择的零部件。

Table of Contents

目录

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions. . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  ComponentAssertion . . . . . . . . . . . . . . . . . . . . . .  5
       3.1.  Component Reference. . . . . . . . . . . . . . . . . . .  6
             3.1.1.  Component Type Substitutions . . . . . . . . . .  7
             3.1.2.  Referencing SET, SEQUENCE and CHOICE Components.  8
             3.1.3.  Referencing SET OF and SEQUENCE OF Components. .  9
             3.1.4.  Referencing Components of Parameterized Types. . 10
             3.1.5.  Component Referencing Example. . . . . . . . . . 10
             3.1.6.  Referencing Components of Open Types . . . . . . 12
                     3.1.6.1. Open Type Referencing Example . . . . . 12
             3.1.7.  Referencing Contained Types. . . . . . . . . . . 14
                     3.1.7.1. Contained Type Referencing Example. . . 14
       3.2.  Matching of Components . . . . . . . . . . . . . . . . . 15
             3.2.1.  Applicability of Existing Matching Rules . . . . 17
                     3.2.1.1. String Matching . . . . . . . . . . . . 17
                     3.2.1.2. Telephone Number Matching . . . . . . . 17
                     3.2.1.3. Distinguished Name Matching . . . . . . 18
             3.2.2.  Additional Useful Matching Rules . . . . . . . . 18
                     3.2.2.1. The rdnMatch Matching Rule. . . . . . . 18
                     3.2.2.2. The presentMatch Matching Rule. . . . . 19
             3.2.3.  Summary of Useful Matching Rules . . . . . . . . 20
   4.  ComponentFilter. . . . . . . . . . . . . . . . . . . . . . . . 21
   5.  The componentFilterMatch Matching Rule . . . . . . . . . . . . 22
   6.  Equality Matching of Complex Components. . . . . . . . . . . . 24
       6.1.  The OpenAssertionType Syntax . . . . . . . . . . . . . . 24
       6.2.  The allComponentsMatch Matching Rule . . . . . . . . . . 25
       6.3.  Deriving Component Equality Matching Rules . . . . . . . 27
       6.4.  The directoryComponentsMatch Matching Rule . . . . . . . 28
   7.  Component Matching Examples. . . . . . . . . . . . . . . . . . 30
   8.  Security Considerations. . . . . . . . . . . . . . . . . . . . 37
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 37
   10. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 37
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38
       11.1.  Normative References. . . . . . . . . . . . . . . . . . 38
       11.2.  Informative References. . . . . . . . . . . . . . . . . 40
   12. Intellectual Property Statement. . . . . . . . . . . . . . . . 40
   13. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 41
   14. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 42
        
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions. . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  ComponentAssertion . . . . . . . . . . . . . . . . . . . . . .  5
       3.1.  Component Reference. . . . . . . . . . . . . . . . . . .  6
             3.1.1.  Component Type Substitutions . . . . . . . . . .  7
             3.1.2.  Referencing SET, SEQUENCE and CHOICE Components.  8
             3.1.3.  Referencing SET OF and SEQUENCE OF Components. .  9
             3.1.4.  Referencing Components of Parameterized Types. . 10
             3.1.5.  Component Referencing Example. . . . . . . . . . 10
             3.1.6.  Referencing Components of Open Types . . . . . . 12
                     3.1.6.1. Open Type Referencing Example . . . . . 12
             3.1.7.  Referencing Contained Types. . . . . . . . . . . 14
                     3.1.7.1. Contained Type Referencing Example. . . 14
       3.2.  Matching of Components . . . . . . . . . . . . . . . . . 15
             3.2.1.  Applicability of Existing Matching Rules . . . . 17
                     3.2.1.1. String Matching . . . . . . . . . . . . 17
                     3.2.1.2. Telephone Number Matching . . . . . . . 17
                     3.2.1.3. Distinguished Name Matching . . . . . . 18
             3.2.2.  Additional Useful Matching Rules . . . . . . . . 18
                     3.2.2.1. The rdnMatch Matching Rule. . . . . . . 18
                     3.2.2.2. The presentMatch Matching Rule. . . . . 19
             3.2.3.  Summary of Useful Matching Rules . . . . . . . . 20
   4.  ComponentFilter. . . . . . . . . . . . . . . . . . . . . . . . 21
   5.  The componentFilterMatch Matching Rule . . . . . . . . . . . . 22
   6.  Equality Matching of Complex Components. . . . . . . . . . . . 24
       6.1.  The OpenAssertionType Syntax . . . . . . . . . . . . . . 24
       6.2.  The allComponentsMatch Matching Rule . . . . . . . . . . 25
       6.3.  Deriving Component Equality Matching Rules . . . . . . . 27
       6.4.  The directoryComponentsMatch Matching Rule . . . . . . . 28
   7.  Component Matching Examples. . . . . . . . . . . . . . . . . . 30
   8.  Security Considerations. . . . . . . . . . . . . . . . . . . . 37
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 37
   10. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 37
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38
       11.1.  Normative References. . . . . . . . . . . . . . . . . . 38
       11.2.  Informative References. . . . . . . . . . . . . . . . . 40
   12. Intellectual Property Statement. . . . . . . . . . . . . . . . 40
   13. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 41
   14. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 42
        
1. Introduction
1. 介绍

The structure or data type of data held in an attribute of a Lightweight Directory Access Protocol (LDAP) [7] or X.500 [19] directory is described by the attribute's syntax. Attribute syntaxes range from simple data types, such as text string, integer, or boolean, to complex data types, for example, the syntaxes of the directory schema operational attributes.

轻量级目录访问协议(LDAP)[7]或X.500[19]目录的属性中保存的数据的结构或数据类型由属性的语法描述。属性语法的范围从简单数据类型(如文本字符串、整数或布尔值)到复杂数据类型(如目录架构操作属性的语法)。

In X.500, the attribute syntaxes are explicitly described by Abstract Syntax Notation One (ASN.1) [13] type definitions. ASN.1 type notation has a number of simple data types (e.g., PrintableString, INTEGER, BOOLEAN), and combining types (i.e., SET, SEQUENCE, SET OF, SEQUENCE OF, and CHOICE) for constructing arbitrarily complex data types from simpler component types. In LDAP, the attribute syntaxes are usually described in Augmented Backus-Naur Form (ABNF) [2], though there is an implied association between the LDAP attribute syntaxes and the X.500 ASN.1 types. To a large extent, the data types of attribute values in either an LDAP or X.500 directory are described by ASN.1 types. This formal description can be exploited to identify component parts of an attribute value for a variety of purposes. This document addresses attribute value matching.

在X.500中,属性语法由抽象语法符号1(ASN.1)[13]类型定义明确描述。ASN.1类型表示法有许多简单的数据类型(例如,PrintableString、INTEGER、BOOLEAN)和组合类型(即SET、SEQUENCE、SET of、SEQUENCE of和CHOICE),用于从简单的组件类型构造任意复杂的数据类型。在LDAP中,虽然LDAP属性语法与X.500 ASN.1类型之间存在隐含的关联,但属性语法通常以扩充的Backus Naur形式(ABNF)[2]进行描述。在很大程度上,LDAP或X.500目录中属性值的数据类型由ASN.1类型描述。可以利用这种形式化描述来识别属性值的组成部分,以达到各种目的。本文档介绍属性值匹配。

With any complex attribute syntax there is normally a requirement to partially match an attribute value of that syntax by matching only selected components of the value. Typically, matching rules specific to the attribute syntax are defined to fill this need. These highly specific matching rules usually only provide the most immediately useful matching capability. Some complex attribute syntaxes don't even have an equality matching rule let alone any additional matching rules for partial matching. This document defines a generic way of matching user selected components in an attribute value of any arbitrarily complex attribute syntax, where that syntax is described using ASN.1 type notation. All of the type notations defined in X.680 [13] are supported.

对于任何复杂的属性语法,通常都需要通过仅匹配值的选定组件来部分匹配该语法的属性值。通常,会定义特定于属性语法的匹配规则来满足此需求。这些高度特定的匹配规则通常只提供最直接有用的匹配功能。一些复杂的属性语法甚至没有相等匹配规则,更不用说任何用于部分匹配的附加匹配规则了。本文档定义了一种在任意复杂属性语法的属性值中匹配用户选择组件的通用方法,其中该语法使用ASN.1类型表示法进行描述。支持X.680[13]中定义的所有类型符号。

Section 3 describes the ComponentAssertion, a testable assertion about the value of a component of an attribute value of any complex syntax.

第3节描述了ComponentAssertion,这是一个关于任何复杂语法的属性值的组件值的可测试断言。

Section 4 introduces the ComponentFilter assertion, which is an expression of ComponentAssertions. The ComponentFilter enables more powerful filter matching of components in an attribute value.

第4节介绍ComponentFilter断言,它是ComponentAssertions的一个表达式。ComponentFilter支持对属性值中的组件进行更强大的过滤器匹配。

Section 5 defines the componentFilterMatch matching rule, which enables a ComponentFilter to be evaluated against attribute values.

第5节定义了componentFilterMatch匹配规则,该规则允许根据属性值评估ComponentFilter。

Section 6 defines matching rules for component-wise equality matching of attribute values of any syntax described by an ASN.1 type definition.

第6节定义了ASN.1类型定义所描述的任何语法的属性值的组件级相等匹配的匹配规则。

Examples showing the usage of componentFilterMatch are in Section 7.

显示componentFilterMatch用法的示例见第7节。

For a new attribute syntax, the Generic String Encoding Rules [9] and the specifications in sections 3 to 6 of this document make it possible to fully and precisely define the LDAP-specific encoding, the LDAP and X.500 binary encoding (and possibly other ASN.1 encodings in the future), a suitable equality matching rule, and a comprehensive collection of component matching capabilities, by simply writing down an ASN.1 type definition for the syntax. These implicit definitions are also automatically extended if the ASN.1 type is later extended. The algorithmic relationship between the ASN.1 type definition, the various encodings and the component matching behaviour makes directory server implementation support for the component matching rules amenable to automatic code generation from ASN.1 type definitions.

对于新的属性语法,通用字符串编码规则[9]和本文档第3节至第6节中的规范使其能够完全准确地定义LDAP特定编码、LDAP和X.500二进制编码(以及将来可能的其他ASN.1编码)、合适的相等匹配规则,以及组件匹配功能的综合集合,只需为语法编写ASN.1类型定义。如果以后扩展ASN.1类型,这些隐式定义也会自动扩展。ASN.1类型定义、各种编码和组件匹配行为之间的算法关系使得目录服务器实现对组件匹配规则的支持能够从ASN.1类型定义自动生成代码。

Schema designers have the choice of storing related items of data as a single attribute value of a complex syntax in some entry, or as a subordinate entry where the related data items are stored as separate attribute values of simpler syntaxes. The inability to search component parts of a complex syntax has been used as an argument for favouring the subordinate entries approach. The component matching rules provide the analogous matching capability on an attribute value of a complex syntax that a search filter has on a subordinate entry.

模式设计者可以选择将相关数据项存储为某个条目中复杂语法的单个属性值,或者作为从属条目,其中相关数据项存储为更简单语法的单独属性值。无法搜索复杂语法的组成部分已被用作支持从属条目方法的理由。组件匹配规则提供了对复杂语法的属性值的类似匹配功能,搜索过滤器在从属条目上具有这种功能。

Most LDAP syntaxes have corresponding ASN.1 type definitions, though they are usually not reproduced or referenced alongside the formal definition of the LDAP syntax. Syntaxes defined with only a character string encoding, i.e., without an explicit or implied corresponding ASN.1 type definition, cannot use the component matching capabilities described in this document unless and until a semantically equivalent ASN.1 type definition is defined for them.

大多数LDAP语法都有相应的ASN.1类型定义,尽管它们通常不会与LDAP语法的正式定义一起复制或引用。仅使用字符串编码定义的语法(即,没有显式或隐含的对应ASN.1类型定义)不能使用本文档中描述的组件匹配功能,除非为它们定义了语义等效的ASN.1类型定义。

2. Conventions
2. 习俗

Throughout this document "type" shall be taken to mean an ASN.1 type unless explicitly qualified as an attribute type, and "value" shall be taken to mean an ASN.1 value unless explicitly qualified as an attribute value.

在本文件中,“类型”应被视为ASN.1类型,除非明确限定为属性类型,“值”应被视为ASN.1值,除非明确限定为属性值。

Note that "ASN.1 value" does not mean a Basic Encoding Rules (BER) [17] encoded value. The ASN.1 value is an abstract concept that is independent of any particular encoding. BER is just one possible encoding of an ASN.1 value. The component matching rules operate at the abstract level without regard for the possible encodings of a value.

请注意,“ASN.1值”并不意味着基本编码规则(BER)[17]编码值。ASN.1值是一个抽象概念,独立于任何特定编码。BER只是ASN.1值的一种可能编码。组件匹配规则在抽象级别运行,不考虑值的可能编码。

Attribute type and matching rule definitions in this document are provided in both the X.500 [10] and LDAP [4] description formats. Note that the LDAP descriptions have been rendered with additional white-space and line breaks for the sake of readability.

本文档中的属性类型和匹配规则定义以X.500[10]和LDAP[4]描述格式提供。请注意,为了可读性,LDAP描述已使用额外的空格和换行符呈现。

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED" and "MAY" in this document are to be interpreted as described in BCP 14, RFC 2119 [1]. The key word "OPTIONAL" is exclusively used with its ASN.1 meaning.

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不得”、“应”、“不应”、“建议”和“可”应按照BCP 14、RFC 2119[1]中的说明进行解释。关键词“可选”仅用于其ASN.1含义。

3. ComponentAssertion
3. 组件断言

A ComponentAssertion is an assertion about the presence, or values of, components within an ASN.1 value, i.e., an instance of an ASN.1 type. The ASN.1 value is typically an attribute value, where the ASN.1 type is the syntax of the attribute. However, a ComponentAssertion may also be applied to a component part of an attribute value. The assertion evaluates to either TRUE, FALSE or Undefined for each tested ASN.1 value.

ComponentAssertion是关于ASN.1值(即ASN.1类型的实例)中组件的存在或值的断言。ASN.1值通常是一个属性值,其中ASN.1类型是属性的语法。但是,ComponentAssertion也可以应用于属性值的组成部分。对于每个测试的ASN.1值,断言的计算结果为TRUE、FALSE或Undefined。

A ComponentAssertion is described by the following ASN.1 type (assumed to be defined with "EXPLICIT TAGS" in force):

ComponentAssertion由以下ASN.1类型描述(假定使用有效的“显式标记”定义):

      ComponentAssertion ::= SEQUENCE {
          component         ComponentReference (SIZE(1..MAX)) OPTIONAL,
          useDefaultValues  BOOLEAN DEFAULT TRUE,
          rule              MATCHING-RULE.&id,
          value             MATCHING-RULE.&AssertionType }
        
      ComponentAssertion ::= SEQUENCE {
          component         ComponentReference (SIZE(1..MAX)) OPTIONAL,
          useDefaultValues  BOOLEAN DEFAULT TRUE,
          rule              MATCHING-RULE.&id,
          value             MATCHING-RULE.&AssertionType }
        
      ComponentReference ::= UTF8String
        
      ComponentReference ::= UTF8String
        

MATCHING-RULE.&id equates to the OBJECT IDENTIFIER of a matching rule. MATCHING-RULE.&AssertionType is an open type (formerly known as the ANY type).

MATCHING-RULE。&id等于匹配规则的对象标识符。MATCHING-RULE.&AssertionType是一种开放类型(以前称为ANY类型)。

The "component" field of a ComponentAssertion identifies which component part of a value of some ASN.1 type is to be tested, the "useDefaultValues" field indicates whether DEFAULT values are to be substituted for absent component values, the "rule" field indicates

ComponentAssertion的“component”字段标识要测试某些ASN.1类型的值的哪个组件部分,“useDefaultValues”字段指示是否用默认值替换缺少的组件值,“rule”字段指示

how the component is to be tested, and the "value" field is an asserted ASN.1 value against which the component is tested. The ASN.1 type of the asserted value is determined by the chosen rule.

如何测试组件,“值”字段是一个断言的ASN.1值,组件将根据该值进行测试。断言值的ASN.1类型由所选规则确定。

The fields of a ComponentAssertion are described in detail in the following sections.

ComponentAssertion的字段将在以下部分中详细描述。

3.1. Component Reference
3.1. 组件参考

The component field in a ComponentAssertion is a UTF-8 character string [6] whose textual content is a component reference, identifying a component part of some ASN.1 type or value. A component reference conforms to the following ABNF [2], which extends the notation defined in Clause 14 of X.680 [13]:

ComponentAssertion中的component字段是一个UTF-8字符串[6],其文本内容是组件引用,用于标识某些ASN.1类型或值的组件部分。部件参考符合以下ABNF[2],扩展了X.680[13]第14条中定义的符号:

      component-reference = ComponentId *( "." ComponentId )
      ComponentId         = identifier /
                            from-beginning /
                            count /
                            from-end /       ; extends Clause 14
                            content /        ; extends Clause 14
                            select /         ; extends Clause 14
                            all
        
      component-reference = ComponentId *( "." ComponentId )
      ComponentId         = identifier /
                            from-beginning /
                            count /
                            from-end /       ; extends Clause 14
                            content /        ; extends Clause 14
                            select /         ; extends Clause 14
                            all
        
      identifier          = lowercase *alphanumeric
                               *(hyphen 1*alphanumeric)
      alphanumeric        = uppercase / lowercase / decimal-digit
      uppercase           = %x41-5A  ; "A" to "Z"
      lowercase           = %x61-7A  ; "a" to "z"
      hyphen              = "-"
        
      identifier          = lowercase *alphanumeric
                               *(hyphen 1*alphanumeric)
      alphanumeric        = uppercase / lowercase / decimal-digit
      uppercase           = %x41-5A  ; "A" to "Z"
      lowercase           = %x61-7A  ; "a" to "z"
      hyphen              = "-"
        
      from-beginning      = positive-number
      count               = "0"
      from-end            = "-" positive-number
      content             = %x63.6F.6E.74.65.6E.74 ; "content"
      select              = "(" Value *( "," Value ) ")"
      all                 = "*"
        
      from-beginning      = positive-number
      count               = "0"
      from-end            = "-" positive-number
      content             = %x63.6F.6E.74.65.6E.74 ; "content"
      select              = "(" Value *( "," Value ) ")"
      all                 = "*"
        

positive-number = non-zero-digit *decimal-digit

正数=非零位数*十进制位数

      decimal-digit       = %x30-39  ; "0" to "9"
      non-zero-digit      = %x31-39  ; "1" to "9"
        
      decimal-digit       = %x30-39  ; "0" to "9"
      non-zero-digit      = %x31-39  ; "1" to "9"
        

An <identifier> conforms to the definition of an identifier in ASN.1 notation (Clause 11.3 of X.680 [13]). It begins with a lowercase letter and is followed by zero or more letters, digits, and hyphens. A hyphen is not permitted to be the last character and a hyphen is not permitted to be followed by another hyphen.

<identifier>符合ASN.1注释中的标识符定义(X.680[13]第11.3条)。它以小写字母开头,后跟零个或多个字母、数字和连字符。不允许连字符作为最后一个字符,也不允许连字符后跟另一个连字符。

The <Value> rule is described by the Generic String Encoding Rules (GSER) [9].

<Value>规则由通用字符串编码规则(GSER)[9]描述。

A component reference is a sequence of one or more ComponentIds where each successive ComponentId identifies either an inner component at the next level of nesting of an ASN.1 combining type, i.e., SET, SEQUENCE, SET OF, SEQUENCE OF, or CHOICE, or a specific type within an ASN.1 open type.

组件引用是一个或多个组件的序列,其中每个后续组件标识ASN.1组合类型下一级嵌套的内部组件,即集合、序列、集合、序列或选择,或ASN.1开放类型中的特定类型。

A component reference is always considered in the context of a particular complex ASN.1 type. When applied to the ASN.1 type the component reference identifies a specific component type. When applied to a value of the ASN.1 type a component reference identifies zero, one or more component values of that component type. The component values are potentially in a DEFAULT value if useDefaultValues is TRUE. The specific component type identified by the component reference determines what matching rules are capable of being used to match the component values.

组件引用总是在特定复杂ASN.1类型的上下文中考虑。当应用于ASN.1类型时,组件引用标识特定的组件类型。当应用于ASN.1类型的值时,组件引用标识该组件类型的零、一个或多个组件值。如果useDefaultValues为TRUE,则组件值可能为默认值。组件引用标识的特定组件类型决定了能够使用哪些匹配规则来匹配组件值。

The component field in a ComponentAssertion may also be absent, in which case the identified component type is the ASN.1 type to which the ComponentAssertion is applied, and the identified component value is the whole ASN.1 value.

ComponentAssertion中的component字段也可能不存在,在这种情况下,标识的组件类型是应用ComponentAssertion的ASN.1类型,标识的组件值是整个ASN.1值。

A valid component reference for a particular complex ASN.1 type is constructed by starting with the outermost combining type and repeatedly selecting one of the permissible forms of ComponentId to identify successively deeper nested components. A component reference MAY identify a component with a complex ASN.1 type, i.e., it is not required that the component type identified by a component reference be a simple ASN.1 type.

特定复杂ASN.1类型的有效组件引用是通过从最外层的组合类型开始,并重复选择一种允许的ComponentId形式来构造的,以标识连续的更深嵌套组件。组件参考可识别具有复杂ASN.1类型的组件,即,不要求组件参考识别的组件类型为简单ASN.1类型。

3.1.1. Component Type Substitutions
3.1.1. 组件类型替换

ASN.1 type notation has a number of constructs for referencing other defined types, and constructs that are irrelevant for matching purposes. These constructs are not represented in a component reference in any way and substitutions of the component type are performed to eliminate them from further consideration. These substitutions automatically occur prior to each ComponentId, whether constructing or interpreting a component reference, but do not occur after the last ComponentId, except as allowed by Section 3.2.

ASN.1类型表示法有许多用于引用其他已定义类型的构造,以及与匹配目的无关的构造。这些构造不会以任何方式表示在组件引用中,并且会执行组件类型的替换以避免进一步考虑它们。这些替换自动发生在每个组件ID之前,无论是构造还是解释组件引用,但不会发生在最后一个组件ID之后,除非第3.2节允许。

If the ASN.1 type is an ASN.1 type reference then the component type is taken to be the actual definition on the right hand side of the type assignment for the referenced type.

如果ASN.1类型是ASN.1类型引用,则组件类型将被视为引用类型的类型分配右侧的实际定义。

If the ASN.1 type is a tagged type then the component type is taken to be the type without the tag.

如果ASN.1类型是带标记的类型,则组件类型将被视为不带标记的类型。

If the ASN.1 type is a constrained type (see X.680 [13] and X.682 [15] for the details of ASN.1 constraint notation) then the component type is taken to be the type without the constraint.

如果ASN.1类型是受约束类型(有关ASN.1约束表示法的详细信息,请参见X.680[13]和X.682[15]),则组件类型将被视为没有约束的类型。

If the ASN.1 type is an ObjectClassFieldType (Clause 14 of X.681 [14]) that denotes a specific ASN.1 type (e.g., MATCHING-RULE.&id denotes the OBJECT IDENTIFIER type) then the component type is taken to be the denoted type. Section 3.1.6 describes the case where the ObjectClassFieldType denotes an open type.

如果ASN.1类型是表示特定ASN.1类型的ObjectClassFieldType(X.681[14]第14条)(例如,MATCHING-RULE.&id表示对象标识符类型),则组件类型被视为表示的类型。第3.1.6节描述了ObjectClassFieldType表示开放类型的情况。

If the ASN.1 type is a selection type other than one used in the list of components for a SET or SEQUENCE type then the component type is taken to be the selected alternative type from the named CHOICE.

如果ASN.1类型是一种选择类型,而不是集合或序列类型的组件列表中使用的类型,则组件类型将被视为从命名选择中选择的替代类型。

If the ASN.1 type is a TypeFromObject (Clause 15 of X.681 [14]) then the component type is taken to be the denoted type.

如果ASN.1类型是TypeFromObject(X.681[14]第15条),则组件类型被视为表示的类型。

If the ASN.1 type is a ValueSetFromObjects (Clause 15 of X.681 [14]) then the component type is taken to be the governing type of the denoted values.

如果ASN.1类型是ValueSetFromObjects(X.681[14]第15条),则组件类型被视为所示值的控制类型。

3.1.2. Referencing SET, SEQUENCE and CHOICE Components
3.1.2. 参考集合、序列和选择组件

If the ASN.1 type is a SET or SEQUENCE type then the <identifier> form of ComponentId may be used to identify the component type within that SET or SEQUENCE having that identifier. If <identifier> references an OPTIONAL component type and that component is not present in a particular value then there are no corresponding component values. If <identifier> references a DEFAULT component type and useDefaultValues is TRUE (the default setting for useDefaultValues) and that component is not present in a particular value then the component value is taken to be the default value. If <identifier> references a DEFAULT component type and useDefaultValues is FALSE and that component is not present in a particular value then there are no corresponding component values.

如果ASN.1类型是集合或序列类型,那么可以使用组件ID的<identifier>形式来标识该集合或序列中具有该标识符的组件类型。如果<identifier>引用可选组件类型,并且该组件不存在于特定值中,则没有相应的组件值。如果<identifier>引用默认组件类型,并且useDefaultValues为TRUE(useDefaultValues的默认设置),并且该组件不存在于特定值中,则该组件值将被视为默认值。如果<identifier>引用默认组件类型,并且useDefaultValues为FALSE,并且该组件不存在于特定值中,则没有相应的组件值。

If the ASN.1 type is a CHOICE type then the <identifier> form of ComponentId may be used to identify the alternative type within that CHOICE having that identifier. If <identifier> references an alternative other than the one used in a particular value then there are no corresponding component values.

如果ASN.1类型是一种选择类型,那么可以使用组件ID的<identifier>形式来标识该选择中具有该标识符的替代类型。如果<identifier>引用了特定值中使用的替代值,则没有相应的组件值。

The COMPONENTS OF notation in Clause 24 of X.680 [13] augments the defined list of components in a SET or SEQUENCE type by including all the components of another defined SET or SEQUENCE type respectively. These included components are referenced directly by identifier as though they were defined in-line in the SET or SEQUENCE type containing the COMPONENTS OF notation.

X.680[13]第24条中的符号成分通过分别包括另一个已定义集合或序列类型的所有成分来扩充集合或序列类型中已定义的成分列表。这些包含的组件由标识符直接引用,就好像它们是在包含符号组件的集合或序列类型中在线定义的一样。

The SelectionType (Clause 29 of X.680 [13]), when used in the list of components for a SET or SEQUENCE type, includes a single component from a defined CHOICE type. This included component is referenced directly by identifier as though it was defined in-line in the SET or SEQUENCE type.

SelectionType(X.680[13]第29条)在集合或序列类型的组件列表中使用时,包括定义的选择类型中的单个组件。该包含的组件由标识符直接引用,就好像它是在集合或序列类型中在线定义的一样。

The REAL type is treated as though it is the SEQUENCE type defined in Clause 20.5 of X.680 [13].

实数类型被视为X.680[13]第20.5条中定义的序列类型。

The EMBEDDED PDV type is treated as though it is the SEQUENCE type defined in Clause 33.5 of X.680 [13].

嵌入式PDV类型被视为X.680[13]第33.5条中定义的序列类型。

The EXTERNAL type is treated as though it is the SEQUENCE type defined in Clause 8.18.1 of X.690 [17].

外部类型被视为X.690[17]第8.18.1条中定义的序列类型。

The unrestricted CHARACTER STRING type is treated as though it is the SEQUENCE type defined in Clause 40.5 of X.680 [13].

无限制字符串类型被视为X.680[13]第40.5条中定义的序列类型。

The INSTANCE OF type is treated as though it is the SEQUENCE type defined in Annex C of X.681 [14].

类型实例被视为X.681[14]附录C中定义的序列类型。

The <identifier> form MUST NOT be used on any other ASN.1 type.

<identifier>表单不得用于任何其他ASN.1类型。

3.1.3. Referencing SET OF and SEQUENCE OF Components
3.1.3. 组件的引用集和顺序

If the ASN.1 type is a SET OF or SEQUENCE OF type then the <from-beginning>, <from-end>, <count> and <all> forms of ComponentId may be used.

如果ASN.1类型是一组或一系列类型,则可以使用组件ID的<from start>、<from end>、<count>和<all>形式。

   The <from-beginning> form of ComponentId may be used to identify one
   instance (i.e., value) of the component type of the SET OF or
   SEQUENCE OF type (e.g., if Foo ::= SET OF Bar, then Bar is the
   component type), where the instances are numbered from one upwards.
   If <from-beginning> references a higher numbered instance than the
   last instance in a particular value of the SET OF or SEQUENCE OF type
   then there is no corresponding component value.
        
   The <from-beginning> form of ComponentId may be used to identify one
   instance (i.e., value) of the component type of the SET OF or
   SEQUENCE OF type (e.g., if Foo ::= SET OF Bar, then Bar is the
   component type), where the instances are numbered from one upwards.
   If <from-beginning> references a higher numbered instance than the
   last instance in a particular value of the SET OF or SEQUENCE OF type
   then there is no corresponding component value.
        

The <from-end> form of ComponentId may be used to identify one instance of the component type of the SET OF or SEQUENCE OF type, where "-1" is the last instance, "-2" is the second last instance,

ComponentId的<from end>形式可用于标识类型集合或类型序列的组件类型的一个实例,其中“-1”是最后一个实例,“-2”是第二个最后一个实例,

and so on. If <from-end> references a lower numbered instance than the first instance in a particular value of the SET OF or SEQUENCE OF type then there is no corresponding component value.

等等如果<from end>在类型集或类型序列的特定值中引用了编号低于第一个实例的实例,则没有相应的组件值。

The <count> form of ComponentId identifies a notional count of the number of instances of the component type in a value of the SET OF or SEQUENCE OF type. This count is not explicitly represented but for matching purposes it has an assumed ASN.1 type of INTEGER (0..MAX). A ComponentId of the <count> form, if used, MUST be the last ComponentId in a component reference.

ComponentId的<count>形式标识类型集合或类型序列值中组件类型实例数量的概念计数。此计数未显式表示,但出于匹配目的,它假定为ASN.1类型的整数(0..MAX)。<count>形式的组件ID(如果使用)必须是组件引用中的最后一个组件ID。

The <all> form of ComponentId may be used to simultaneously identify all instances of the component type of the SET OF or SEQUENCE OF type. It is through the <all> form that a component reference can identify more than one component value. However, if a particular value of the SET OF or SEQUENCE OF type is an empty list, then there are no corresponding component values.

ComponentId的<all>形式可用于同时标识类型集合或类型序列的组件类型的所有实例。正是通过<all>形式,组件引用可以识别多个组件值。但是,如果类型集合或序列的特定值为空列表,则不存在相应的组件值。

Where multiple component values are identified, the remaining ComponentIds in the component reference, if any, can identify zero, one or more subcomponent values for each of the higher level component values.

如果标识了多个组件值,那么组件引用中的其余组件(如果有)可以为每个更高级别的组件值标识零、一个或多个子组件值。

The corresponding ASN.1 type for the <from-beginning>, <from-end>, and <all> forms of ComponentId is the component type of the SET OF or SEQUENCE OF type.

ComponentId的<from start>、<from end>和<all>形式对应的ASN.1类型是类型集合或序列的组件类型。

The <from-beginning>, <count>, <from-end> and <all> forms MUST NOT be used on ASN.1 types other than SET OF or SEQUENCE OF.

除集合或序列外,ASN.1类型不得使用<from start>、<count>、<from end>和<all>表单。

3.1.4. Referencing Components of Parameterized Types
3.1.4. 引用参数化类型的组件

A component reference cannot be formed for a parameterized type unless the type has been used with actual parameters, in which case the type is treated as though the DummyReferences [16] have been substituted with the actual parameters.

除非已将参数化类型与实际参数一起使用,否则无法形成参数化类型的组件引用,在这种情况下,该类型被视为DummyReferences[16]已被实际参数替换。

3.1.5. Component Referencing Example
3.1.5. 组件引用示例

Consider the following ASN.1 type definitions.

考虑下面的ASN . 1类型定义。

      ExampleType ::= SEQUENCE {
          part1       [0] INTEGER,
          part2       [1] ExampleSet,
          part3       [2] SET OF OBJECT IDENTIFIER,
          part4       [3] ExampleChoice }
        
      ExampleType ::= SEQUENCE {
          part1       [0] INTEGER,
          part2       [1] ExampleSet,
          part3       [2] SET OF OBJECT IDENTIFIER,
          part4       [3] ExampleChoice }
        
      ExampleSet ::= SET {
          option      PrintableString,
          setting     BOOLEAN }
        
      ExampleSet ::= SET {
          option      PrintableString,
          setting     BOOLEAN }
        
      ExampleChoice ::= CHOICE {
          eeny-meeny  BIT STRING,
          miney-mo    OCTET STRING }
        
      ExampleChoice ::= CHOICE {
          eeny-meeny  BIT STRING,
          miney-mo    OCTET STRING }
        

Following are component references constructed with respect to the type ExampleType.

以下是针对ExampleType类型构造的组件引用。

The component reference "part1" identifies a component of a value of ExampleType having the ASN.1 tagged type [0] INTEGER.

组件参考“part1”标识了ExampleType值的组件,该值具有ASN.1标记的类型[0]整数。

The component reference "part2" identifies a component of a value of ExampleType having the ASN.1 type of [1] ExampleSet

组件参考“part2”标识了ExampleType值为[1]ExampleSet的ASN.1类型的组件

The component reference "part2.option" identifies a component of a value of ExampleType having the ASN.1 type of PrintableString. A ComponentAssertion could also be applied to a value of ASN.1 type ExampleSet, in which case the component reference "option" would identify the same kind of information.

组件参考“part2.option”标识了ExampleType值的组件,该值具有ASN.1类型的PrintableString。ComponentAssertion还可以应用于ASN.1类型ExampleSet的值,在这种情况下,组件引用“option”将标识相同类型的信息。

The component reference "part3" identifies a component of a value of ExampleType having the ASN.1 type of [2] SET OF OBJECT IDENTIFIER.

组件参考“part3”标识了ExampleType值的组件,该组件具有ASN.1类型的[2]组对象标识符。

The component reference "part3.2" identifies the second instance of the part3 SET OF. The instance has the ASN.1 type of OBJECT IDENTIFIER.

组件参考“part3.2”标识了part3组件集的第二个实例。该实例具有ASN.1类型的对象标识符。

The component reference "part3.0" identifies the count of the number of instances in the part3 SET OF. The count has the corresponding ASN.1 type of INTEGER (0..MAX).

组件参考“part3.0”标识了part3集合中实例数的计数。计数具有相应的ASN.1类型的整数(0..MAX)。

The component reference "part3.*" identifies all the instances in the part3 SET OF. Each instance has the ASN.1 type of OBJECT IDENTIFIER.

组件参考“part3.*”标识part3集合中的所有实例。每个实例都有ASN.1类型的对象标识符。

The component reference "part4" identifies a component of a value of ExampleType having the ASN.1 type of [3] ExampleChoice.

组件参考“part4”标识了ExampleType值为[3]ExampleChoice的ASN.1类型的组件。

The component reference "part4.miney-mo" identifies a component of a value of ExampleType having the ASN.1 type of OCTET STRING.

组件参考“part4.miney mo”标识ExampleType值的组件,该值具有ASN.1类型的八位字节字符串。

3.1.6. Referencing Components of Open Types
3.1.6. 引用开放类型的组件

If a sequence of ComponentIds identifies an ObjectClassFieldType denoting an open type (e.g., ATTRIBUTE.&Type denotes an open type) then the ASN.1 type of the component varies. An open type is typically constrained by some other component(s) in an outer enclosing type, either formally through the use of a component relation constraint [15], or informally in the accompanying text, so the actual ASN.1 type of a value of the open type will generally be known. The constraint will also limit the range of permissible types. The <select> form of ComponentId may be used to identify one of these permissible types in an open type. Subcomponents of that type can then be identified with further ComponentIds.

如果一系列组件标识了表示开放类型的ObjectClassFieldType(例如,ATTRIBUTE.&type表示开放类型),则组件的ASN.1类型会有所不同。开放类型通常由外部封闭类型中的某些其他组件约束,通过使用组件关系约束[15]正式约束,或在随附文本中非正式约束,因此开放类型值的实际ASN.1类型通常是已知的。该约束还将限制允许类型的范围。ComponentId的<select>形式可用于在开放类型中标识这些允许的类型之一。该类型的子组件可以用其他组件标识。

The other components constraining the open type are termed the referenced components [15]. The <select> form contains a list of one or more values which take the place of the value(s) of the referenced component(s) to uniquely identify one of the permissible types of the open type.

约束开放类型的其他组件称为引用组件[15]。<select>表格包含一个或多个值的列表,这些值代替引用组件的值,以唯一标识开放式类型的一种允许类型。

Where the open type is constrained by a component relation constraint, there is a <Value> in the <select> form for each of the referenced components in the component relation constraint, appearing in the same order. The ASN.1 type of each of these values is the same as the ASN.1 type of the corresponding referenced component. The type of a referenced component is potentially any ASN.1 type however it is typically an OBJECT IDENTIFIER or INTEGER, which means that the <Value> in the <select> form of ComponentId will nearly always be an <ObjectIdentifierValue> or <IntegerValue> [9]. Furthermore, component relation constraints typically have only one referenced component.

如果打开类型受组件关系约束约束,则组件关系约束中每个引用组件的<select>表单中都有一个<Value>,以相同的顺序出现。这些值的ASN.1类型与相应引用组件的ASN.1类型相同。引用组件的类型可能是任何ASN.1类型,但它通常是对象标识符或整数,这意味着组件ID的<select>形式中的<Value>几乎总是<ObjectIdentifierValue>或<IntegerValue>[9]。此外,组件关系约束通常只有一个引用组件。

Where the open type is not constrained by a component relation constraint, the specification introducing the syntax containing the open type should explicitly nominate the referenced components and their order, so that the <select> form can be used.

如果打开类型不受组件关系约束,则引入包含打开类型的语法的规范应明确指定引用的组件及其顺序,以便使用<select>表单。

If an instance of <select> contains a value other than the value of the referenced component used in a particular value of the outer enclosing type then there are no corresponding component values for the open type.

如果<select>的实例包含的值不是外部封闭类型的特定值中使用的引用组件的值,则开放类型没有相应的组件值。

3.1.6.1. Open Type Referencing Example
3.1.6.1. 打开类型引用示例

The ASN.1 type AttributeTypeAndValue [10] describes a single attribute value of a nominated attribute type.

ASN.1类型AttributeTypeAndValue[10]描述指定属性类型的单个属性值。

      AttributeTypeAndValue ::= SEQUENCE {
          type    ATTRIBUTE.&id ({SupportedAttributes}),
          value   ATTRIBUTE.&Type ({SupportedAttributes}{@type}) }
        
      AttributeTypeAndValue ::= SEQUENCE {
          type    ATTRIBUTE.&id ({SupportedAttributes}),
          value   ATTRIBUTE.&Type ({SupportedAttributes}{@type}) }
        

ATTRIBUTE.&id denotes an OBJECT IDENTIFIER and ({SupportedAttributes}) constrains the OBJECT IDENTIFIER to be a supported attribute type.

ATTRIBUTE.&id表示对象标识符,并且({SupportedAttributes})将对象标识符约束为受支持的属性类型。

ATTRIBUTE.&Type denotes an open type, in this case an attribute value, and ({SupportedAttributes}{@type}) is a component relation constraint that constrains the open type to be of the attribute syntax for the attribute type. The component relation constraint references only the "type" component, which has the ASN.1 type of OBJECT IDENTIFIER, thus if the <select> form of ComponentId is used to identify attribute values of specific attribute types it will contain a single OBJECT IDENTIFIER value.

ATTRIBUTE.&Type表示打开类型,在本例中为属性值,({SupportedAttributes}{@Type})是一个组件关系约束,它将打开类型约束为属性类型的属性语法。组件关系约束仅引用“类型”组件,该组件具有ASN.1类型的对象标识符,因此,如果使用组件ID的<select>形式来标识特定属性类型的属性值,则它将包含单个对象标识符值。

The component reference "value" on AttributeTypeAndValue refers to the open type.

AttributeTypeAndValue上的组件引用“value”引用打开类型。

One of the X.500 standard attributes is facsimileTelephoneNumber [12], which is identified with the OBJECT IDENTIFIER 2.5.4.23, and is defined to have the following syntax.

X.500标准属性之一是FacSimileLePhoneNumber[12],它由对象标识符2.5.4.23标识,并定义为具有以下语法。

      FacsimileTelephoneNumber ::= SEQUENCE {
          telephoneNumber PrintableString(SIZE(1..ub-telephone-number)),
          parameters      G3FacsimileNonBasicParameters OPTIONAL }
        
      FacsimileTelephoneNumber ::= SEQUENCE {
          telephoneNumber PrintableString(SIZE(1..ub-telephone-number)),
          parameters      G3FacsimileNonBasicParameters OPTIONAL }
        

The component reference "value.(2.5.4.23)" on AttributeTypeAndValue specifies an attribute value with the FacsimileTelephoneNumber syntax.

AttributeTypeAndValue上的组件参考“value.(2.5.4.23)”使用FacSimilePehonEnumber语法指定属性值。

The component reference "value.(2.5.4.23).telephoneNumber" on AttributeTypeAndValue identifies the telephoneNumber component of a facsimileTelephoneNumber attribute value. The component reference "value.(facsimileTelephoneNumber)" is equivalent to "value.(2.5.4.23)".

AttributeTypeAndValue上的组件参考“value.(2.5.4.23).telephoneNumber”标识FacSimilePhoneNumber属性值的telephoneNumber组件。部件参考“值(传真机号码)”等同于“值(2.5.4.23)”。

If the AttributeTypeAndValue ASN.1 value contains an attribute type other than facsimileTelephoneNumber then there are no corresponding component values for the component references "value.(2.5.4.23)" and "value.(2.5.4.23).telephoneNumber".

如果AttributeTypeAndValue ASN.1值包含除FacSimileLePhoneNumber之外的属性类型,则组件引用“value.(2.5.4.23)”和“value.(2.5.4.23).telephoneNumber”没有对应的组件值。

3.1.7. Referencing Contained Types
3.1.7. 引用包含的类型

Sometimes the contents of a BIT STRING or OCTET STRING value are required to be the encodings of other ASN.1 values of specific ASN.1 types. For example, the extnValue component of the Extension type component in the Certificate type [11] is an OCTET STRING that is required to contain a Distinguished Encoding Rules (DER) [17] encoding of a certificate extension value. It is useful to be able to refer to the embedded encoded value and its components. An embedded encoded value is here referred to as a contained value and its associated type as the contained type.

有时,位字符串或八位字符串值的内容需要是特定ASN.1类型的其他ASN.1值的编码。例如,证书类型[11]中的扩展类型组件的extnValue组件是包含证书扩展值的可分辨编码规则(DER)[17]编码所需的八位字节字符串。能够引用嵌入的编码值及其组件非常有用。嵌入式编码值在这里称为包含值,其关联类型称为包含类型。

If the ASN.1 type is a BIT STRING or OCTET STRING type containing encodings of other ASN.1 values then the <content> form of ComponentId may be used to identify the contained type. Subcomponents of that type can then be identified with further ComponentIds.

如果ASN.1类型是包含其他ASN.1值编码的位字符串或八位字符串类型,则可以使用组件ID的<content>形式来标识包含的类型。该类型的子组件可以用其他组件标识。

The contained type may be (effectively) an open type, constrained by some other component in an outer enclosing type (e.g., in a certificate Extension, extnValue is constrained by the chosen extnId). In these cases the next ComponentId, if any, MUST be of the <select> form.

所包含的类型可以(有效地)是开放类型,由外部封闭类型中的某些其他组件约束(例如,在证书扩展中,extnValue由所选extnId约束)。在这些情况下,下一个组件ID(如果有)必须是<select>形式。

For the purpose of building component references, the content of the extnValue OCTET STRING in the Extension type is assumed to be an open type having a notional component relation constraint with the extnId component as the single referenced component, i.e.,

为了构建组件引用,扩展类型中的extnValue八进制字符串的内容被假定为开放类型,具有概念组件关系约束,extnId组件作为单个引用组件,即。,

      EXTENSION.&ExtnType ({ExtensionSet}{@extnId})
        
      EXTENSION.&ExtnType ({ExtensionSet}{@extnId})
        

The data-value component of the associated types for the EMBEDDED PDV and CHARACTER STRING types is an OCTET STRING containing the encoding of a data value described by the identification component. For the purpose of building component references, the content of the data-value OCTET STRING in these types is assumed to be an open type having a notional component relation constraint with the identification component as the single referenced component.

嵌入式PDV和字符串类型的关联类型的数据值组件是包含由标识组件描述的数据值编码的八位字节字符串。为了构建组件引用,假设这些类型中的数据值八位字符串的内容为开放类型,具有概念组件关系约束,标识组件为单个引用组件。

3.1.7.1. Contained Type Referencing Example
3.1.7.1. 包含的类型引用示例

The Extension ASN.1 type [11] describes a single certificate extension value of a nominated extension type.

扩展ASN.1类型[11]描述了指定扩展类型的单个证书扩展值。

      Extension ::= SEQUENCE {
          extnId     EXTENSION.&id ({ExtensionSet}),
          critical   BOOLEAN DEFAULT FALSE,
          extnValue  OCTET STRING
              -- contains a DER encoding of a value of type &ExtnType
              -- for the extension object identified by extnId -- }
        
      Extension ::= SEQUENCE {
          extnId     EXTENSION.&id ({ExtensionSet}),
          critical   BOOLEAN DEFAULT FALSE,
          extnValue  OCTET STRING
              -- contains a DER encoding of a value of type &ExtnType
              -- for the extension object identified by extnId -- }
        

EXTENSION.&id denotes an OBJECT IDENTIFIER and ({ExtensionSet}) constrains the OBJECT IDENTIFIER to be the identifier of a supported certificate extension.

EXTENSION.&id表示对象标识符,({ExtensionSet})将对象标识符约束为受支持的证书扩展的标识符。

The component reference "extnValue" on Extension refers to a component type of OCTET STRING. The corresponding component values will be OCTET STRING values. The component reference "extnValue.content" on Extension refers to the type of the contained type, which in this case is an open type.

扩展名上的组件引用“extnValue”指的是八进制字符串的组件类型。相应的组件值将是八位字节字符串值。扩展上的组件引用“extnValue.content”引用包含类型的类型,在本例中是开放类型。

One of the X.509 [11] standard extensions is basicConstraints, which is identified with the OBJECT IDENTIFIER 2.5.29.19 and is defined to have the following syntax.

X.509[11]标准扩展之一是basicConstraints,它由对象标识符2.5.29.19标识,并定义为具有以下语法。

      BasicConstraintsSyntax ::= SEQUENCE {
          cA                 BOOLEAN DEFAULT FALSE,
          pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
        
      BasicConstraintsSyntax ::= SEQUENCE {
          cA                 BOOLEAN DEFAULT FALSE,
          pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
        

The component reference "extnValue.content.(2.5.29.19)" on Extension specifies a BasicConstraintsSyntax extension value and the component reference "extnValue.content.(2.5.29.19).cA" identifies the cA component of a BasicConstraintsSyntax extension value.

扩展上的组件引用“extnValue.content.(2.5.29.19)”指定BasicConstraintsSyntax扩展值,组件引用“extnValue.content.(2.5.29.19).cA”标识BasicConstraintsSyntax扩展值的cA组件。

3.2. Matching of Components
3.2. 部件匹配

The rule in a ComponentAssertion specifies how the zero, one or more component values identified by the component reference are tested by the assertion. Attribute matching rules are used to specify the semantics of the test.

ComponentAssertion中的规则指定断言如何测试由组件引用标识的零、一个或多个组件值。属性匹配规则用于指定测试的语义。

Each matching rule has a notional set of attribute syntaxes (typically one), defined as ASN.1 types, to which it may be applied. When used in a ComponentAssertion these matching rules apply to the same ASN.1 types, only in this context the corresponding ASN.1 values are not necessarily complete attribute values.

每个匹配规则都有一组概念上的属性语法(通常是一个),定义为ASN.1类型,可以应用于这些类型。当在ComponentAssertion中使用时,这些匹配规则适用于相同的ASN.1类型,仅在此上下文中,相应的ASN.1值不一定是完整的属性值。

Note that the referenced component type may be a tagged and/or constrained version of the expected attribute syntax (e.g., [0] INTEGER, whereas integerMatch would expect simply INTEGER), or an open type. Additional type substitutions of the kind described in

请注意,引用的组件类型可能是预期属性语法的标记和/或约束版本(例如,[0]整数,而integerMatch只期望整数),也可能是开放类型。中所述类型的其他类型替换

Section 3.1.1 are performed as required to reduce the component type to the same type as the attribute syntax expected by the matching rule.

根据需要执行第3.1.1节,以将组件类型减少到与匹配规则所期望的属性语法相同的类型。

If a matching rule applies to more than one attribute syntax (e.g., objectIdentifierFirstComponentMatch [12]) then the minimum number of substitutions required to conform to any one of those syntaxes is performed. If a matching rule can apply to any attribute syntax (e.g., the allComponentsMatch rule defined in Section 6.2) then the referenced component type is used as is, with no additional substitutions.

如果匹配规则适用于多个属性语法(例如objectIdentifierFirstComponentMatch[12]),则执行符合这些语法中任何一个所需的最小替换次数。如果匹配规则可应用于任何属性语法(例如,第6.2节中定义的allComponentsMatch规则),则引用的组件类型将按原样使用,无需额外替换。

The value in a ComponentAssertion will be of the assertion syntax (i.e., ASN.1 type) required by the chosen matching rule. Note that the assertion syntax of a matching rule is not necessarily the same as the attribute syntax(es) to which the rule may be applied.

ComponentAssertion中的值将是所选匹配规则所需的断言语法(即ASN.1类型)。请注意,匹配规则的断言语法不一定与可应用该规则的属性语法相同。

Some matching rules do not have a fixed assertion syntax (e.g., allComponentsMatch). The required assertion syntax is determined in each instance of use by the syntax of the attribute type to which the matching rule is applied. For these rules the ASN.1 type of the referenced component is used in place of an attribute syntax to decide the required assertion syntax.

某些匹配规则没有固定的断言语法(例如allComponentsMatch)。所需的断言语法由应用匹配规则的属性类型的语法在每个使用实例中确定。对于这些规则,使用被引用组件的ASN.1类型代替属性语法来决定所需的断言语法。

The ComponentAssertion is Undefined if:

如果出现以下情况,则ComponentAssertion未定义:

a) the matching rule in the ComponentAssertion is not known to the evaluating procedure,

a) 评估过程不知道ComponentAssertion中的匹配规则,

b) the matching rule is not applicable to the referenced component type, even with the additional type substitutions,

b) 匹配规则不适用于引用的组件类型,即使有其他类型替换,

c) the value in the ComponentAssertion does not conform to the assertion syntax defined for the matching rule,

c) ComponentAssertion中的值不符合为匹配规则定义的断言语法,

d) some part of the component reference identifies an open type in the tested value that cannot be decoded, or

d) 组件参考的某些部分标识了测试值中无法解码的开放类型,或

e) the implementation does not support the particular combination of component reference and matching rule.

e) 该实现不支持组件引用和匹配规则的特定组合。

If the ComponentAssertion is not Undefined then the ComponentAssertion evaluates to TRUE if there is at least one component value for which the matching rule applied to that component value returns TRUE, and evaluates to FALSE otherwise (which includes the case where there are no component values).

如果ComponentAssertion未定义,则如果应用于该组件值的匹配规则至少有一个组件值返回TRUE,则ComponentAssertion将计算为TRUE,否则将计算为FALSE(包括没有组件值的情况)。

3.2.1. Applicability of Existing Matching Rules
3.2.1. 现有匹配规则的适用性
3.2.1.1. String Matching
3.2.1.1. 字符串匹配

ASN.1 has a number of built in restricted character string types with different character sets and/or different character encodings. A directory user generally has little interest in the particular character set or encoding used to represent a character string component value, and some directory server implementations make no distinction between the different string types in their internal representation of values. So rather than define string matching rules for each of the restricted character string types, the existing case ignore and case exact string matching rules are extended to apply to component values of any of the restricted character string types and any ChoiceOfStrings type [9], in addition to component values of the DirectoryString type. This extension is only for the purposes of component matching described in this document.

ASN.1有许多内置的受限字符串类型,具有不同的字符集和/或不同的字符编码。目录用户通常对用于表示字符串组件值的特定字符集或编码不感兴趣,并且一些目录服务器实现在其值的内部表示中不区分不同的字符串类型。因此,除了DirectoryString类型的组件值外,现有的大小写忽略和大小写精确的字符串匹配规则被扩展以应用于任何受限字符串类型的组件值和任何ChoiceOffString类型[9],而不是为每个受限字符串类型定义字符串匹配规则。此扩展仅用于本文档中描述的组件匹配。

The relevant string matching rules are: caseIgnoreMatch, caseIgnoreOrderingMatch, caseIgnoreSubstringsMatch, caseExactMatch, caseExactOrderingMatch and caseExactSubstringsMatch. The relevant restricted character string types are: NumericString, PrintableString, VisibleString, IA5String, UTF8String, BMPString, UniversalString, TeletexString, VideotexString, GraphicString and GeneralString. A ChoiceOfStrings type is a purely syntactic CHOICE of these ASN.1 string types. Note that GSER [9] declares each and every use of the DirectoryString{} parameterized type to be a ChoiceOfStrings type.

相关的字符串匹配规则有:caseIgnoreMatch、caseIgnoreOrderingMatch、caseIgnoreSubstringsMatch、caseExactMatch、caseExactOrderingMatch和caseExactSubstringsMatch。相关的受限字符串类型有:NumericString、PrintableString、VisibleString、IA5String、UTF8String、BMPString、UniversalString、teletextstring、VideotexString、GraphicString和GeneralString。ChoiceofString类型是这些ASN.1字符串类型的纯语法选择。请注意,GSER[9]将DirectoryString{}参数化类型的每次使用都声明为choiceofString类型。

The assertion syntax of the string matching rules is still DirectoryString regardless of the string syntax of the component being matched. Thus an implementation will be called upon to compare a DirectoryString value to a value of one of the restricted character string types, or a ChoiceOfStrings type. As is the case when comparing two DirectoryStrings where the chosen alternatives are of different string types, the comparison proceeds so long as the corresponding characters are representable in both character sets. Otherwise matching returns FALSE.

不管所匹配组件的字符串语法如何,字符串匹配规则的断言语法仍然是DirectoryString。因此,将调用一个实现来比较DirectoryString值与一个受限字符串类型或ChoiceOffString类型的值。与比较两个DirectoryStrings时的情况一样,如果选择的替代项是不同的字符串类型,则只要相应的字符在两个字符集中都可以表示,就可以进行比较。否则,匹配返回FALSE。

3.2.1.2. Telephone Number Matching
3.2.1.2. 电话号码匹配

Early editions of X.520 [12] gave the syntax of the telephoneNumber attribute as a constrained PrintableString. The fourth edition of X.520 equates the ASN.1 type name TelephoneNumber to the constrained PrintableString and uses TelephoneNumber as the attribute and assertion syntax. For the purposes of component matching,

X.520[12]的早期版本将电话号码属性的语法作为受约束的可打印字符串给出。X.520的第四版将ASN.1类型名称TelephoneNumber等同于受约束的可打印字符串,并使用TelephoneNumber作为属性和断言语法。为了进行部件匹配,

telephoneNumberMatch and telephoneNumberSubstringsMatch are permitted to be applied to any PrintableString value, as well as to TelephoneNumber values.

允许将telephoneNumberMatch和telephoneNumberSubstringsMatch应用于任何可打印字符串值以及TelephoneNumber值。

3.2.1.3. Distinguished Name Matching
3.2.1.3. 可分辨名称匹配

The DistinguishedName type is defined by assignment to be the same as the RDNSequence type, however RDNSequence is sometimes directly used in other type definitions. For the purposes of component matching, distinguishedNameMatch is also permitted to be applied to values of the RDNSequence type.

DifferentiedName类型通过赋值定义为与RDNSequence类型相同,但RDNSequence有时直接用于其他类型定义。出于组件匹配的目的,DifferentiedNameMatch还允许应用于RDNSequence类型的值。

3.2.2. Additional Useful Matching Rules
3.2.2. 其他有用的匹配规则

This section defines additional matching rules that may prove useful in ComponentAssertions. These rules may also be used in extensibleMatch search filters [3].

本节定义了可能在组件断言中有用的其他匹配规则。这些规则也可用于ExtensionMatch搜索筛选器[3]。

3.2.2.1. The rdnMatch Matching Rule
3.2.2.1. RDN匹配规则

The distinguishedNameMatch matching rule can match whole distinguished names but it is sometimes useful to be able to match specific Relative Distinguished Names (RDNs) in a Distinguished Name (DN) without regard for the other RDNs in the DN. The rdnMatch matching rule allows component RDNs of a DN to be tested.

DifferentizedNameMatch匹配规则可以匹配整个可分辨名称,但有时可以匹配可分辨名称(DN)中的特定相对可分辨名称(RDN),而不考虑DN中的其他RDN。rdnMatch匹配规则允许测试DN的组件RDN。

The LDAP-style definitions for rdnMatch and its assertion syntax are:

rdnMatch的LDAP样式定义及其断言语法如下:

( 1.2.36.79672281.1.13.3 NAME 'rdnMatch' SYNTAX 1.2.36.79672281.1.5.0 )

(1.2.36.79672281.1.13.3名称“rdnMatch”语法1.2.36.79672281.1.5.0)

( 1.2.36.79672281.1.5.0 DESC 'RDN' )

(1.2.36.79672281.1.5.0描述“RDN”)

The LDAP-specific encoding for a value of the RDN syntax is given by the <RelativeDistinguishedNameValue> rule [9].

RDN语法值的LDAP特定编码由<RelativeDistinguishedNameValue>规则[9]给出。

The X.500-style definition for rdnMatch is:

rdnMatch的X.500样式定义为:

      rdnMatch MATCHING-RULE ::= {
          SYNTAX  RelativeDistinguishedName
          ID      { 1 2 36 79672281 1 13 3 } }
        
      rdnMatch MATCHING-RULE ::= {
          SYNTAX  RelativeDistinguishedName
          ID      { 1 2 36 79672281 1 13 3 } }
        

The rdnMatch rule evaluates to true if the component value and assertion value are the same RDN, using the same RDN comparison method as distinguishedNameMatch.

如果组件值和断言值是相同的RDN,则rdnMatch规则的计算结果为true,使用与DiscrimitedNameMatch相同的RDN比较方法。

When using rdnMatch to match components of DNs it is important to note that the LDAP-specific encoding of a DN [5] reverses the order of the RDNs. So for the DN represented in LDAP as "cn=Steven Legg,o=Adacel,c=AU", the RDN "cn=Steven Legg" corresponds to the component reference "3", or alternatively, "-1".

使用rdnMatch匹配DNs组件时,需要注意的是,DN[5]的LDAP特定编码颠倒了RDN的顺序。因此,对于LDAP中表示为“cn=Steven Legg,o=Adacel,c=AU”的DN,RDN“cn=Steven Legg”对应于组件参考“3”,或者“1”。

3.2.2.2. The presentMatch Matching Rule
3.2.2.2. presentMatch匹配规则

At times it would be useful to test not if a specific value of a particular component is present, but whether any value of a particular component is present. The presentMatch matching rule allows the presence of a particular component value to be tested.

有时,最好不要测试特定组件的特定值是否存在,而是测试特定组件的任何值是否存在。presentMatch匹配规则允许测试特定组件值的存在。

The LDAP-style definitions for presentMatch and its assertion syntax are:

presentMatch的LDAP样式定义及其断言语法如下:

( 1.2.36.79672281.1.13.5 NAME 'presentMatch' SYNTAX 1.2.36.79672281.1.5.1 )

(1.2.36.79672281.1.13.5名称“presentMatch”语法1.2.36.79672281.1.5.1)

( 1.2.36.79672281.1.5.1 DESC 'NULL' )

(1.2.36.79672281.1.5.1说明“空”)

The LDAP-specific encoding for a value of the NULL syntax is given by the <NullValue> rule [9].

空语法值的LDAP特定编码由<NullValue>规则[9]给出。

The X.500-style definition for presentMatch is:

presentMatch的X.500样式定义为:

      presentMatch MATCHING-RULE ::= {
          SYNTAX  NULL
          ID      { 1 2 36 79672281 1 13 5 } }
        
      presentMatch MATCHING-RULE ::= {
          SYNTAX  NULL
          ID      { 1 2 36 79672281 1 13 5 } }
        

When used in a extensible match filter item, presentMatch behaves like the "present" case of a regular search filter. In a ComponentAssertion, presentMatch evaluates to TRUE if and only if the component reference identifies one or more component values, regardless of the actual component value contents. Note that if useDefaultValues is TRUE then the identified component values may be (part of) a DEFAULT value.

在可扩展匹配筛选器项中使用时,presentMatch的行为类似于常规搜索筛选器的“present”情况。在ComponentAssertion中,当且仅当component引用标识一个或多个组件值时,presentMatch计算为TRUE,而不管实际的组件值内容如何。请注意,如果useDefaultValues为TRUE,则标识的组件值可能是默认值的一部分。

The notional count referenced by the <count> form of ComponentId is taken to be present if the SET OF value is present, and absent otherwise. Note that in ASN.1 notation an absent SET OF value is distinctly different from a SET OF value that is present but empty. It is up to the specification using the ASN.1 notation to decide whether the distinction matters. Often an empty SET OF component and an absent SET OF component are treated as semantically equivalent. If a SET OF value is present, but empty, a presentMatch on the SET OF component SHALL return TRUE and the notional count SHALL be regarded as present and equal to zero.

如果值集存在,则组件ID的<count>形式引用的概念计数被视为存在,否则不存在。请注意,在ASN.1符号中,缺失的值集与存在但为空的值集明显不同。这取决于使用ASN.1符号来决定区别是否重要的规范。通常,空的组件集和不存在的组件集在语义上是等价的。如果存在一组值,但为空,则组件集上的presentMatch应返回TRUE,且名义计数应视为存在且等于零。

3.2.3. Summary of Useful Matching Rules
3.2.3. 有用的匹配规则摘要

The following is a non-exhaustive list of useful matching rules and the ASN.1 types to which they can be applied, taking account of all the extensions described in Section 3.2.1, and the new matching rules defined in Section 3.2.2.

考虑到第3.2.1节中描述的所有扩展以及第3.2.2节中定义的新匹配规则,以下是有用的匹配规则及其可应用的ASN.1类型的非详尽列表。

      +================================+==============================+
      | Matching Rule                  | ASN.1 Type                   |
      +================================+==============================+
      | bitStringMatch                 | BIT STRING                   |
      +--------------------------------+------------------------------+
      | booleanMatch                   | BOOLEAN                      |
      +--------------------------------+------------------------------+
      | caseIgnoreMatch                | NumericString                |
      | caseIgnoreOrderingMatch        | PrintableString              |
      | caseIgnoreSubstringsMatch      | VisibleString (ISO646String) |
      | caseExactMatch                 | IA5String                    |
      | caseExactOrderingMatch         | UTF8String                   |
      | caseExactSubstringsMatch       | BMPString (UCS-2, UNICODE)   |
      |                                | UniversalString (UCS-4)      |
      |                                | TeletexString (T61String)    |
      |                                | VideotexString               |
      |                                | GraphicString                |
      |                                | GeneralString                |
      |                                | any ChoiceOfStrings type     |
      +--------------------------------+------------------------------+
      | caseIgnoreIA5Match             | IA5String                    |
      | caseExactIA5Match              |                              |
      +--------------------------------+------------------------------+
      | distinguishedNameMatch         | DistinguishedName            |
      |                                | RDNSequence                  |
      +--------------------------------+------------------------------+
      | generalizedTimeMatch           | GeneralizedTime              |
      | generalizedTimeOrderingMatch   |                              |
      +--------------------------------+------------------------------+
      | integerMatch                   | INTEGER                      |
      | integerOrderingMatch           |                              |
      +--------------------------------+------------------------------+
      | numericStringMatch             | NumericString                |
      | numericStringOrderingMatch     |                              |
      | numericStringSubstringsMatch   |                              |
      +--------------------------------+------------------------------+
      | objectIdentifierMatch          | OBJECT IDENTIFIER            |
      +--------------------------------+------------------------------+
      | octetStringMatch               | OCTET STRING                 |
      | octetStringOrderingMatch       |                              |
      | octetStringSubstringsMatch     |                              |
        
      +================================+==============================+
      | Matching Rule                  | ASN.1 Type                   |
      +================================+==============================+
      | bitStringMatch                 | BIT STRING                   |
      +--------------------------------+------------------------------+
      | booleanMatch                   | BOOLEAN                      |
      +--------------------------------+------------------------------+
      | caseIgnoreMatch                | NumericString                |
      | caseIgnoreOrderingMatch        | PrintableString              |
      | caseIgnoreSubstringsMatch      | VisibleString (ISO646String) |
      | caseExactMatch                 | IA5String                    |
      | caseExactOrderingMatch         | UTF8String                   |
      | caseExactSubstringsMatch       | BMPString (UCS-2, UNICODE)   |
      |                                | UniversalString (UCS-4)      |
      |                                | TeletexString (T61String)    |
      |                                | VideotexString               |
      |                                | GraphicString                |
      |                                | GeneralString                |
      |                                | any ChoiceOfStrings type     |
      +--------------------------------+------------------------------+
      | caseIgnoreIA5Match             | IA5String                    |
      | caseExactIA5Match              |                              |
      +--------------------------------+------------------------------+
      | distinguishedNameMatch         | DistinguishedName            |
      |                                | RDNSequence                  |
      +--------------------------------+------------------------------+
      | generalizedTimeMatch           | GeneralizedTime              |
      | generalizedTimeOrderingMatch   |                              |
      +--------------------------------+------------------------------+
      | integerMatch                   | INTEGER                      |
      | integerOrderingMatch           |                              |
      +--------------------------------+------------------------------+
      | numericStringMatch             | NumericString                |
      | numericStringOrderingMatch     |                              |
      | numericStringSubstringsMatch   |                              |
      +--------------------------------+------------------------------+
      | objectIdentifierMatch          | OBJECT IDENTIFIER            |
      +--------------------------------+------------------------------+
      | octetStringMatch               | OCTET STRING                 |
      | octetStringOrderingMatch       |                              |
      | octetStringSubstringsMatch     |                              |
        
      +--------------------------------+------------------------------+
      | presentMatch                   | any ASN.1 type               |
      +--------------------------------+------------------------------+
      | rdnMatch                       | RelativeDistinguishedName    |
      +--------------------------------+------------------------------+
      | telephoneNumberMatch           | PrintableString              |
      | telephoneNumberSubstringsMatch | TelephoneNumber              |
      +--------------------------------+------------------------------+
      | uTCTimeMatch                   | UTCTime                      |
      | uTCTimeOrderingMatch           |                              |
      +--------------------------------+------------------------------+
        
      +--------------------------------+------------------------------+
      | presentMatch                   | any ASN.1 type               |
      +--------------------------------+------------------------------+
      | rdnMatch                       | RelativeDistinguishedName    |
      +--------------------------------+------------------------------+
      | telephoneNumberMatch           | PrintableString              |
      | telephoneNumberSubstringsMatch | TelephoneNumber              |
      +--------------------------------+------------------------------+
      | uTCTimeMatch                   | UTCTime                      |
      | uTCTimeOrderingMatch           |                              |
      +--------------------------------+------------------------------+
        

Note that the allComponentsMatch matching rule defined in Section 6.2 can be used for equality matching of values of the ENUMERATED, NULL, REAL and RELATIVE-OID ASN.1 types, among other things.

请注意,第6.2节中定义的allComponentsMatch匹配规则可用于枚举、NULL、实数和相对OID ASN.1类型的值的相等匹配。

4. ComponentFilter
4. 组件过滤器

The ComponentAssertion allows the value(s) of any one component type in a complex ASN.1 type to be matched, but there is often a desire to match the values of more than one component type. A ComponentFilter is an assertion about the presence, or values of, multiple components within an ASN.1 value.

ComponentAssertion允许匹配复杂ASN.1类型中任何一种组件类型的值,但通常需要匹配多个组件类型的值。ComponentFilter是关于ASN.1值中多个组件的存在或值的断言。

The ComponentFilter assertion, an expression of ComponentAssertions, evaluates to either TRUE, FALSE or Undefined for each tested ASN.1 value.

ComponentFilter断言是ComponentAssertions的表达式,对于每个测试的ASN.1值,其计算结果为TRUE、FALSE或Undefined。

A ComponentFilter is described by the following ASN.1 type (assumed to be defined with "EXPLICIT TAGS" in force):

ComponentFilter由以下ASN.1类型描述(假定使用有效的“显式标记”定义):

      ComponentFilter ::= CHOICE {
          item  [0] ComponentAssertion,
          and   [1] SEQUENCE OF ComponentFilter,
          or    [2] SEQUENCE OF ComponentFilter,
          not   [3] ComponentFilter }
        
      ComponentFilter ::= CHOICE {
          item  [0] ComponentAssertion,
          and   [1] SEQUENCE OF ComponentFilter,
          or    [2] SEQUENCE OF ComponentFilter,
          not   [3] ComponentFilter }
        

Note: despite the use of SEQUENCE OF instead of SET OF for the "and" and "or" alternatives in ComponentFilter, the order of the component filters is not significant.

注:尽管ComponentFilter中的“and”和“or”选项使用了“的顺序”而不是“的集合”,但组件过滤器的顺序并不重要。

A ComponentFilter that is a ComponentAssertion evaluates to TRUE if the ComponentAssertion is TRUE, evaluates to FALSE if the ComponentAssertion is FALSE, and evaluates to Undefined otherwise.

如果ComponentAssertion为TRUE,则作为ComponentAssertion的ComponentFilter计算为TRUE;如果ComponentAssertion为FALSE,则计算为FALSE;否则计算为Undefined。

The "and" of a sequence of component filters evaluates to TRUE if the sequence is empty or if each component filter evaluates to TRUE, evaluates to FALSE if at least one component filter is FALSE, and evaluates to Undefined otherwise.

如果序列为空或如果每个组件筛选器的计算结果为真,则组件筛选器序列的“和”将计算为真;如果至少有一个组件筛选器为假,则计算为假;否则计算为未定义。

The "or" of a sequence of component filters evaluates to FALSE if the sequence is empty or if each component filter evaluates to FALSE, evaluates to TRUE if at least one component filter is TRUE, and evaluates to Undefined otherwise.

如果序列为空,或者如果每个组件筛选器的计算结果为FALSE,则组件筛选器序列的“或”计算结果为FALSE;如果至少一个组件筛选器为TRUE,则计算结果为TRUE;否则计算结果为未定义。

The "not" of a component filter evaluates to TRUE if the component filter is FALSE, evaluates to FALSE if the component filter is TRUE, and evaluates to Undefined otherwise.

如果组件筛选器为FALSE,则组件筛选器的“not”计算为TRUE;如果组件筛选器为TRUE,则计算为FALSE;否则计算为Undefined。

5. The componentFilterMatch Matching Rule
5. componentFilterMatch匹配规则

The componentFilterMatch matching rule allows a ComponentFilter to be applied to an attribute value. The result of the matching rule is the result of applying the ComponentFilter to the attribute value.

componentFilterMatch匹配规则允许将ComponentFilter应用于属性值。匹配规则的结果是将ComponentFilter应用于属性值的结果。

The LDAP-style definitions for componentFilterMatch and its assertion syntax are:

componentFilterMatch的LDAP样式定义及其断言语法如下:

( 1.2.36.79672281.1.13.2 NAME 'componentFilterMatch' SYNTAX 1.2.36.79672281.1.5.2 )

(1.2.36.79672281.1.13.2名称“componentFilterMatch”语法1.2.36.79672281.1.5.2)

( 1.2.36.79672281.1.5.2 DESC 'ComponentFilter' )

(1.2.36.79672281.1.5.2描述“组件过滤器”)

The LDAP-specific encoding for the ComponentFilter assertion syntax is specified by GSER [9].

ComponentFilter断言语法的LDAP特定编码由GSER[9]指定。

As a convenience to implementors, an equivalent ABNF description of the GSER encoding for ComponentFilter is provided here. In the event that there is a discrepancy between this ABNF and the encoding determined by GSER, GSER is to be taken as definitive. The GSER encoding of a ComponentFilter is described by the following equivalent ABNF:

为了方便实现人员,这里提供了ComponentFilter的GSER编码的等效ABNF描述。如果此ABNF与GSER确定的编码之间存在差异,则GSER将被视为最终编码。ComponentFilter的GSER编码由以下等效ABNF描述:

ComponentFilter = filter-item / and-filter / or-filter / not-filter

ComponentFilter=过滤器项/和过滤器/或过滤器/非过滤器

filter-item = item-chosen ComponentAssertion and-filter = and-chosen SequenceOfComponentFilter or-filter = or-chosen SequenceOfComponentFilter not-filter = not-chosen ComponentFilter

筛选器项=项选定组件断言和筛选器=和选定的组件筛选器序列或筛选器=或选定的组件筛选器序列非筛选器=未选定的组件筛选器

      item-chosen     = %x69.74.65.6D.3A  ; "item:"
      and-chosen      = %x61.6E.64.3A     ; "and:"
      or-chosen       = %x6F.72.3A        ; "or:"
      not-chosen      = %x6E.6F.74.3A     ; "not:"
        
      item-chosen     = %x69.74.65.6D.3A  ; "item:"
      and-chosen      = %x61.6E.64.3A     ; "and:"
      or-chosen       = %x6F.72.3A        ; "or:"
      not-chosen      = %x6E.6F.74.3A     ; "not:"
        
      SequenceOfComponentFilter = "{" [ sp ComponentFilter
                                     *( "," sp ComponentFilter) ] sp "}"
        
      SequenceOfComponentFilter = "{" [ sp ComponentFilter
                                     *( "," sp ComponentFilter) ] sp "}"
        

ComponentAssertion = "{" [ sp component "," ] [ sp useDefaultValues "," ] sp rule "," sp assertion-value sp "}" component = component-label msp StringValue useDefaultValues = use-defaults-label msp BooleanValue rule = rule-label msp ObjectIdentifierValue assertion-value = value-label msp Value

ComponentAssertion=“{[sp component],“][sp useDefaultValues],“]sp规则”,“sp断言值sp”}组件=组件标签msp StringValue useDefaultValues=使用默认标签msp BooleanValue规则=规则标签msp ObjectIdentifierValue断言值=值标签msp值

      component-label    = %x63.6F.6D.70.6F.6E.65.6E.74  ; "component"
      use-defaults-label = %x75.73.65.44.65.66.61.75.6C.74.56.61.6C.75
                           %x65.73                  ; "useDefaultValues"
      rule-label         = %x72.75.6C.65            ; "rule"
      value-label        = %x76.61.6C.75.65         ; "value"
        
      component-label    = %x63.6F.6D.70.6F.6E.65.6E.74  ; "component"
      use-defaults-label = %x75.73.65.44.65.66.61.75.6C.74.56.61.6C.75
                           %x65.73                  ; "useDefaultValues"
      rule-label         = %x72.75.6C.65            ; "rule"
      value-label        = %x76.61.6C.75.65         ; "value"
        
      sp                 =  *%x20  ; zero, one or more space characters
      msp                = 1*%x20  ; one or more space characters
        
      sp                 =  *%x20  ; zero, one or more space characters
      msp                = 1*%x20  ; one or more space characters
        

The ABNF for <Value>, <StringValue>, <ObjectIdentifierValue> and <BooleanValue> is defined by GSER [9].

<Value>、<StringValue>、<ObjectIdentifierValue>和<BooleanValue>的ABNF由GSER定义[9]。

The ABNF descriptions of LDAP-specific encodings for attribute syntaxes typically do not clearly or consistently delineate the component parts of an attribute value. A regular and uniform character string encoding for arbitrary component data types is needed to encode the assertion value in a ComponentAssertion. The <Value> rule from GSER provides a human readable text encoding for a component value of any arbitrary ASN.1 type.

属性语法的特定于LDAP的编码的ABNF描述通常不能清楚或一致地描述属性值的组成部分。对ComponentAssertion中的断言值进行编码时,需要对任意组件数据类型进行规则和统一的字符串编码。GSER的<Value>规则为任意ASN.1类型的组件值提供了人类可读的文本编码。

The X.500-style definition [10] for componentFilterMatch is:

componentFilterMatch的X.500样式定义[10]为:

      componentFilterMatch MATCHING-RULE ::= {
          SYNTAX  ComponentFilter
          ID      { 1 2 36 79672281 1 13 2 } }
        
      componentFilterMatch MATCHING-RULE ::= {
          SYNTAX  ComponentFilter
          ID      { 1 2 36 79672281 1 13 2 } }
        

A ComponentAssertion can potentially use any matching rule, including componentFilterMatch, so componentFilterMatch may be nested. The component references in a nested componentFilterMatch are relative to

ComponentAssertion可能使用任何匹配规则,包括componentFilterMatch,因此componentFilterMatch可以嵌套。嵌套componentFilterMatch中的组件引用是相对于

the component corresponding to the containing ComponentAssertion. In Section 7, an example search on the seeAlso attribute shows this usage.

与包含ComponentAssertion的组件相对应的组件。在第7节中,seeAllow属性的示例搜索显示了这种用法。

6. Equality Matching of Complex Components
6. 复杂元件的等匹配

It is possible to test if an attribute value of a complex ASN.1 syntax is the same as some purported (i.e., assertion) value by using a complicated ComponentFilter that tests if corresponding components are the same. However, it would be more convenient to be able to present a whole assertion value to a matching rule that could do the component-wise comparison of an attribute value with the assertion value for any arbitrary attribute syntax. Similarly, the ability to do a straightforward equality comparison of a component value that is itself of a complex ASN.1 type would also be convenient.

通过使用测试相应组件是否相同的复杂ComponentFilter,可以测试复杂ASN.1语法的属性值是否与某些声称的(即断言)值相同。但是,如果能够将整个断言值呈现给匹配规则,该规则可以对任意属性语法的属性值与断言值进行组件式比较,则会更方便。类似地,能够对本身属于复杂ASN.1类型的组件值进行简单的相等性比较也很方便。

It would be difficult to define a single matching rule that simultaneously satisfies all notions of what the equality matching semantics should be. For example, in some instances a case sensitive comparison of string components may be preferable to a case insensitive comparison. Therefore a basic equality matching rule, allComponentsMatch, is defined in Section 6.2, and the means to derive new matching rules from it with slightly different equality matching semantics are described in Section 6.3.

很难定义一个同时满足等式匹配语义应该是什么的所有概念的单一匹配规则。例如,在某些情况下,字符串组件的区分大小写比较可能比不区分大小写比较更可取。因此,第6.2节定义了一个基本的相等匹配规则allComponentsMatch,第6.3节描述了从该规则派生出具有略微不同相等匹配语义的新匹配规则的方法。

The directoryComponentsMatch defined in Section 6.4 is a derivation of allComponentsMatch that suits typical uses of the directory. Other specifications are free to derive new rules from allComponentsMatch or directoryComponentsMatch, that suit their usage of the directory.

第6.4节中定义的directoryComponentsMatch是allComponentsMatch的派生,适合目录的典型用途。其他规范可以自由地从AllComponentMatch或DirectoryComponentMatch派生新规则,这些规则适合它们对目录的使用。

The allComponentsMatch rule, the directoryComponentsMatch rule and any matching rules derived from them are collectively called component equality matching rules.

allComponentsMatch规则、directoryComponentsMatch规则以及由此派生的任何匹配规则统称为组件相等匹配规则。

6.1. The OpenAssertionType Syntax
6.1. OpenAssertionType语法

The component equality matching rules have a variable assertion syntax. In X.500 this is indicated by omitting the optional SYNTAX field in the MATCHING-RULE information object. The assertion syntax then defaults to the target attribute's syntax in actual usage, unless the description of the matching rule says otherwise. The SYNTAX field in the LDAP-specific encoding of a MatchingRuleDescription is mandatory, so the OpenAssertionType syntax is defined to fill the same role. That is, the OpenAssertionType syntax is semantically equivalent to an omitted SYNTAX field in an X.500 MATCHING-RULE information object. OpenAssertionType MUST NOT be used as the attribute syntax in an attribute type definition.

组件相等匹配规则具有可变断言语法。在X.500中,这通过省略MATCHING-RULE信息对象中的可选语法字段来表示。断言语法随后默认为实际使用中目标属性的语法,除非匹配规则的描述另有说明。MatchingRuleDescription的LDAP特定编码中的语法字段是必需的,因此定义OpenAssertionType语法来填充相同的角色。也就是说,OpenAssertionType语法在语义上等同于X.500匹配规则信息对象中省略的语法字段。OpenAssertionType不能用作属性类型定义中的属性语法。

Unless explicitly varied by the description of a particular matching rule, if an OpenAssertionType assertion value appears in a ComponentAssertion its LDAP-specific encoding is described by the <Value> rule in GSER [9], otherwise its LDAP-specific encoding is the encoding defined for the syntax of the attribute type to which the matching rule with the OpenAssertionType assertion syntax is applied.

除非通过特定匹配规则的描述进行明确更改,否则如果OpenAssertionType断言值出现在ComponentAssertion中,其LDAP特定编码由GSER[9]中的<value>规则描述,否则,其特定于LDAP的编码是为属性类型的语法定义的编码,该属性类型应用了带有OpenAssertionType断言语法的匹配规则。

The LDAP definition for the OpenAssertionType syntax is:

OpenAssertionType语法的LDAP定义为:

( 1.2.36.79672281.1.5.3 DESC 'OpenAssertionType' )

(1.2.36.79672281.1.5.3描述“OpenAssertionType”)

6.2. The allComponentsMatch Matching Rule
6.2. AllComponents匹配规则

The LDAP-style definition for allComponentsMatch is:

AllComponentMatch的LDAP样式定义为:

( 1.2.36.79672281.1.13.6 NAME 'allComponentsMatch' SYNTAX 1.2.36.79672281.1.5.3 )

(1.2.36.79672281.1.13.6名称“allComponentsMatch”语法1.2.36.79672281.1.5.3)

The X.500-style definition for allComponentsMatch is:

AllComponentMatch的X.500样式定义为:

      allComponentsMatch MATCHING-RULE ::= {
          ID      { 1 2 36 79672281 1 13 6 } }
        
      allComponentsMatch MATCHING-RULE ::= {
          ID      { 1 2 36 79672281 1 13 6 } }
        

When allComponentsMatch is used in a ComponentAssertion the assertion syntax is the same as the ASN.1 type of the identified component. Otherwise, the assertion syntax of allComponentsMatch is the same as the attribute syntax of the attribute to which the matching rule is applied.

在ComponentAssertion中使用AllComponentMatch时,断言语法与已标识组件的ASN.1类型相同。否则,allComponentsMatch的断言语法与应用匹配规则的属性的属性语法相同。

Broadly speaking, this matching rule evaluates to true if and only if corresponding components of the assertion value and the attribute or component value are the same.

广义地说,当且仅当断言值和属性或组件值的对应组件相同时,此匹配规则的计算结果为true。

In detail, equality is determined by the following cases applied recursively.

具体而言,相等性由以下递归应用的情况确定。

a) Two values of a SET or SEQUENCE type are the same if and only if, for each component type, the corresponding component values are either,

a) 集合或序列类型的两个值相同当且仅当对于每个组件类型,对应的组件值为,

1) both absent,

1) 两人都缺席,

2) both present and the same, or

2) 既存在又相同,或

3) absent or the same as the DEFAULT value for the component, if a DEFAULT value is defined.

3) 如果定义了默认值,则不存在或与组件的默认值相同。

Values of an EMBEDDED PDV, EXTERNAL, unrestricted CHARACTER STRING, or INSTANCE OF type are compared according to their respective associated SEQUENCE type (see Section 3.1.2).

嵌入式PDV、外部、非限制字符串或类型实例的值根据其各自关联的序列类型进行比较(见第3.1.2节)。

b) Two values of a SEQUENCE OF type are the same if and only if, the values have the same number of (possibly duplicated) instances and corresponding instances are the same.

b) 类型序列的两个值相同当且仅当这些值具有相同数量(可能重复)的实例且相应的实例相同时。

c) Two values of a SET OF type are the same if and only if, the values have the same number of instances and each distinct instance occurs in both values the same number of times, i.e., both values have the same instances, including duplicates, but in any order.

c) 一组类型的两个值是相同的当且仅当两个值具有相同的实例数,并且每个不同的实例在两个值中出现的次数相同,即两个值具有相同的实例,包括重复的实例,但顺序不同。

d) Two values of a CHOICE type are the same if and only if, both values are of the same chosen alternative and the component values are the same.

d) 选择类型的两个值相同当且仅当两个值都属于相同的选定备选方案且组件值相同时。

e) Two BIT STRING values are the same if and only if the values have the same number of bits and corresponding bits are the same. If the BIT STRING type is defined with a named bit list then trailing zero bits in the values are treated as absent for the purposes of this comparison.

e) 当且仅当两个位串值具有相同的位数且相应的位相同时,两个位串值才相同。如果使用命名位列表定义位字符串类型,则在进行此比较时,值中的尾随零位将被视为不存在。

f) Two BOOLEAN values are the same if and only if both are TRUE or both are FALSE.

f) 当且仅当两个布尔值均为真或均为假时,两个布尔值相同。

g) Two values of a string type are the same if and only if the values have the same number of characters and corresponding characters are the same. Letter case is significant. For the purposes of allComponentsMatch, the string types are NumericString, PrintableString, TeletexString (T61String), VideotexString, IA5String, GraphicString, VisibleString (ISO646String), GeneralString, UniversalString, BMPString, UTF8String, GeneralizedTime, UTCTime and ObjectDescriptor.

g) 字符串类型的两个值相同当且仅当值具有相同的字符数且相应的字符相同时。字母大小写意义重大。就所有组件匹配而言,字符串类型为NumericString、PrintableString、TeletextString(T61String)、VideotexString、IA5String、GraphicString、VisibleString(ISO646String)、GeneralString、UniversalString、BMPString、UTF8String、GeneralizedTime、UTCTime和ObjectDescriptor。

h) Two INTEGER values are the same if and only if the integers are equal.

h) 当且仅当两个整数相等时,两个整数值相同。

i) Two ENUMERATED values are the same if and only if the enumeration item identifiers are the same (equivalently, if the integer values associated with the identifiers are equal).

i) 当且仅当枚举项标识符相同时(当与标识符关联的整数值相等时),两个枚举值相同。

j) Two NULL values are always the same, unconditionally.

j) 两个空值总是无条件相同的。

k) Two OBJECT IDENTIFIER values are the same if and only if the values have the same number of arcs and corresponding arcs are the same.

k) 当且仅当两个对象标识符值具有相同的弧数且对应的弧相同时,两个对象标识符值才相同。

l) Two OCTET STRING values are the same if and only if the values have the same number of octets and corresponding octets are the same.

l) 两个八位字节字符串值相同当且仅当值具有相同的八位字节数且相应的八位字节相同时。

m) Two REAL values are the same if and only if they are both the same special value, or neither is a special value and they have the same base and represent the same real number. The special values for REAL are zero, PLUS-INFINITY and MINUS-INFINITY.

m) 两个实数相同当且仅当它们都是相同的特殊值,或者两者都不是特殊值且它们具有相同的基数并表示相同的实数。实数的特殊值为零、正无穷大和负无穷大。

n) Two RELATIVE-OID values are the same if and only if the values have the same number of arcs and corresponding arcs are the same. The respective starting nodes for the RELATIVE-OID values are disregarded in the comparison, i.e., they are assumed to be the same.

n) 当且仅当两个相对OID值具有相同的弧数且对应的弧相同时,两个相对OID值才相同。在比较中忽略相对OID值的各个起始节点,即,假设它们相同。

o) Two values of an open type are the same if and only if both are of the same ASN.1 type and are the same according to that type. If the actual ASN.1 type of the values is unknown then the allComponentsMatch rule evaluates to Undefined.

o) 打开类型的两个值是相同的当且仅当它们都属于相同的ASN.1类型并且根据该类型相同时。如果值的实际ASN.1类型未知,则allComponentsMatch规则的计算结果为Undefined。

Tags and constraints, being part of the type definition and not part of the abstract values, are ignored for matching purposes.

标记和约束是类型定义的一部分,而不是抽象值的一部分,出于匹配目的将被忽略。

The allComponentsMatch rule may be used as the defined equality matching rule for an attribute.

allComponentsMatch规则可用作属性的定义相等匹配规则。

6.3. Deriving Component Equality Matching Rules
6.3. 导出组件相等匹配规则

A new component equality matching rule with more refined matching semantics may be derived from allComponentsMatch, or any other component equality matching rule, using the convention described in this section.

使用本节中描述的约定,可以从allComponentsMatch或任何其他组件相等匹配规则派生具有更精确匹配语义的新组件相等匹配规则。

The matching behaviour of a derived component equality matching rule is specified by nominating, for each of one or more identified components, a commutative equality matching rule that will be used to match values of that component. This overrides the matching that would otherwise occur for values of that component using the base rule for the derivation. These overrides can be conveniently represented as rows in a table of the following form.

派生组件相等匹配规则的匹配行为是通过为一个或多个已识别组件中的每一个指定将用于匹配该组件的值的交换相等匹配规则来指定的。这将覆盖使用派生的基本规则对该组件的值进行的匹配。这些重写可以方便地表示为下表中的行。

      Component   |  Matching Rule
      ============+===============
                  |
                  |
        
      Component   |  Matching Rule
      ============+===============
                  |
                  |
        

Usually, all component values of a particular ASN.1 type are to be matched the same way. An ASN.1 type reference (e.g., DistinguishedName) or an ASN.1 built-in type name (e.g., INTEGER) in the Component column of the table specifies that the nominated equality matching rule is to be applied to all values of the named type, regardless of context.

通常,特定ASN.1类型的所有组件值都将以相同的方式进行匹配。表的Component列中的ASN.1类型引用(例如DifferentizedName)或ASN.1内置类型名(例如INTEGER)指定指定的相等匹配规则将应用于命名类型的所有值,而不考虑上下文。

An ASN.1 type reference with a component reference appended (separated by a ".") specifies that the nominated matching rule applies only to the identified components of values of the named type. Other component values that happen to be of the same ASN.1 type are not selected.

附加组件引用(以“.”分隔)的ASN.1类型引用指定指定的匹配规则仅适用于指定类型值的已标识组件。未选择与ASN.1类型相同的其他组件值。

Additional type substitutions as described in Section 3.2 are assumed to be performed to align the component type with the matching rule assertion syntax.

假设执行第3.2节所述的其他类型替换,以使组件类型与匹配规则断言语法一致。

Conceptually, the rows in a table for the base rule are appended to the rows in the table for a derived rule for the purpose of deciding the matching semantics of the derived rule. Notionally, allComponentsMatch has an empty table.

从概念上讲,基本规则表中的行被附加到派生规则表中的行,以确定派生规则的匹配语义。理论上,AllComponentMatch有一个空表。

A row specifying values of an outer containing type (e.g., DistinguishedName) takes precedence over a row specifying values of an inner component type (e.g., RelativeDistinguishedName), regardless of their order in the table. Specifying a row for component values of an inner type is only useful if a value of the type can also appear on its own, or as a component of values of a different outer type. For example, if there is a row for DistinguishedName then a row for RelativeDistinguishedName can only ever apply to RelativeDistinguishedName component values that are not part of a DistinguishedName. A row for values of an outer type in the table for the base rule takes precedence over a row for values of an inner type in the table for the derived rule.

指定外部包含类型(例如DifferentiedName)值的行优先于指定内部组件类型(例如RelativeDifferentingUISHEDName)值的行,而不管它们在表中的顺序如何。为内部类型的组件值指定行仅在该类型的值也可以单独出现或作为不同外部类型的值的组件出现时才有用。例如,如果存在DifferentiedName行,则RelativeDistinguishedName行只能应用于不属于DifferentiedName一部分的RelativeDistinguishedName组件值。基本规则表中外部类型值的行优先于派生规则表中内部类型值的行。

Where more than one row applies to a particular component value the earlier row takes precedence over the later row. Thus rows in the table for the derived rule take precedence over any rows for the same component in the table for the base rule.

如果有多行应用于特定组件值,则前一行优先于后一行。因此,派生规则表中的行优先于基本规则表中相同组件的任何行。

6.4. The directoryComponentsMatch Matching Rule
6.4. DirectoryComponents匹配规则

The directoryComponentsMatch matching rule is derived from the allComponentsMatch matching rule.

directoryComponentsMatch匹配规则派生自allComponentsMatch匹配规则。

The LDAP-style definition for directoryComponentsMatch is:

DirectoryComponentMatch的LDAP样式定义为:

( 1.2.36.79672281.1.13.7 NAME 'directoryComponentsMatch' SYNTAX 1.2.36.79672281.1.5.3 )

(1.2.36.79672281.1.13.7名称“目录组件匹配”语法1.2.36.79672281.1.5.3)

The X.500-style definition for directoryComponentsMatch is:

DirectoryComponents匹配的X.500样式定义为:

      directoryComponentsMatch MATCHING-RULE ::= {
          ID      { 1 2 36 79672281 1 13 7 } }
        
      directoryComponentsMatch MATCHING-RULE ::= {
          ID      { 1 2 36 79672281 1 13 7 } }
        

The matching semantics of directoryComponentsMatch are described by the following table, using the convention described in Section 6.3.

下表使用第6.3节中描述的约定描述了directoryComponentsMatch的匹配语义。

      ASN.1 Type                               | Matching Rule
      =========================================+========================
      RDNSequence                              | distinguishedNameMatch
      RelativeDistinguishedName                | rdnMatch
      TelephoneNumber                          | telephoneNumberMatch
      FacsimileTelephoneNumber.telephoneNumber | telephoneNumberMatch
      NumericString                            | numericStringMatch
      GeneralizedTime                          | generalizedTimeMatch
      UTCTime                                  | uTCTimeMatch
      DirectoryString{}                        | caseIgnoreMatch
      BMPString                                | caseIgnoreMatch
      GeneralString                            | caseIgnoreMatch
      GraphicString                            | caseIgnoreMatch
      IA5String                                | caseIgnoreMatch
      PrintableString                          | caseIgnoreMatch
      TeletexString                            | caseIgnoreMatch
      UniversalString                          | caseIgnoreMatch
      UTF8String                               | caseIgnoreMatch
      VideotexString                           | caseIgnoreMatch
      VisibleString                            | caseIgnoreMatch
        
      ASN.1 Type                               | Matching Rule
      =========================================+========================
      RDNSequence                              | distinguishedNameMatch
      RelativeDistinguishedName                | rdnMatch
      TelephoneNumber                          | telephoneNumberMatch
      FacsimileTelephoneNumber.telephoneNumber | telephoneNumberMatch
      NumericString                            | numericStringMatch
      GeneralizedTime                          | generalizedTimeMatch
      UTCTime                                  | uTCTimeMatch
      DirectoryString{}                        | caseIgnoreMatch
      BMPString                                | caseIgnoreMatch
      GeneralString                            | caseIgnoreMatch
      GraphicString                            | caseIgnoreMatch
      IA5String                                | caseIgnoreMatch
      PrintableString                          | caseIgnoreMatch
      TeletexString                            | caseIgnoreMatch
      UniversalString                          | caseIgnoreMatch
      UTF8String                               | caseIgnoreMatch
      VideotexString                           | caseIgnoreMatch
      VisibleString                            | caseIgnoreMatch
        

Notes:

笔记:

1) The DistinguishedName type is defined by assignment to be the same as the RDNSequence type. Some types (e.g., Name and LocalName) directly reference RDNSequence rather than DistinguishedName. Specifying RDNSequence captures all these DN-like types.

1) DifferentizedName类型通过赋值定义为与RDNSequence类型相同。某些类型(例如名称和本地名称)直接引用RDNSequence而不是DiscrimitedName。指定RDNSequence将捕获所有这些类似DN的类型。

2) A RelativeDistinguishedName value is only matched by rdnMatch if it is not part of an RDNSequence value.

2) RelativeDistinguishedName值只有在不是RDNSequence值的一部分时才由rdnMatch匹配。

3) The telephone number component of the FacsimileTelephoneNumber ASN.1 type [12] is defined as a constrained PrintableString. PrintableString component values that are part of a FacsimileTelephoneNumber value can be identified separately from

3) FacSimilePhoneNumber ASN.1类型[12]的电话号码组件定义为受约束的可打印字符串。作为FacSimileLePhoneNumber值一部分的可打印字符串组件值可以与

other components of PrintableString type by the specifier FacsimileTelephoneNumber.telephoneNumber, so that telephoneNumberMatch can be selectively applied. The fourth edition of X.520 defines the telephoneNumber component of FacsimileTelephoneNumber to be of the type TelephoneNumber, making the row for FacsimileTelephoneNumber.telephoneNumber components redundant.

由说明符FacSimileLePhoneNumber.telephoneNumber指定的可打印字符串类型的其他组件,以便可以有选择地应用telephoneNumberMatch。X.520的第四版将FacsimileTelephoneNumber的电话号码组件定义为telephoneNumber类型,使FacsimileTelephoneNumber.telephoneNumber组件的行冗余。

The directoryComponentsMatch rule may be used as the defined equality matching rule for an attribute.

directoryComponentsMatch规则可用作属性的定义相等匹配规则。

7. Component Matching Examples
7. 组件匹配示例

This section contains examples of search filters using the componentFilterMatch matching rule. The filters are described using the string representation of LDAP search filters [18]. Note that this representation requires asterisks to be escaped in assertion values (in these examples the assertion values are all <ComponentAssertion> encodings). The asterisks have not been escaped in these examples for the sake of clarity, and to avoid confusing the protocol representation of LDAP search filter assertion values, where such escaping does not apply. Line breaks and indenting have been added only as an aid to readability.

本节包含使用componentFilterMatch匹配规则的搜索筛选器示例。这些过滤器使用LDAP搜索过滤器的字符串表示进行描述[18]。请注意,此表示要求在断言值中转义星号(在这些示例中,断言值都是<ComponentAssertion>编码)。在这些示例中,为了清晰起见,并避免混淆LDAP搜索筛选器断言值的协议表示形式(此类转义不适用),没有转义星号。添加换行符和缩进只是为了提高可读性。

The example search filters using componentFilterMatch are all single extensible match filter items, though there is no reason why componentFilterMatch can't be used in more complicated search filters.

使用componentFilterMatch的示例搜索筛选器都是单个可扩展的匹配筛选器项,但没有理由不在更复杂的搜索筛选器中使用componentFilterMatch。

The first examples describe searches over the objectClasses schema operational attribute, which has an attribute syntax described by the ASN.1 type ObjectClassDescription [10], and holds the definitions of the object classes known to a directory server. The definition of ObjectClassDescription is as follows:

第一个示例描述了对objectClasses模式操作属性的搜索,该属性具有ASN.1类型ObjectClassDescription[10]描述的属性语法,并保存目录服务器已知的对象类的定义。ObjectClassDescription的定义如下:

      ObjectClassDescription ::= SEQUENCE {
          identifier       OBJECT-CLASS.&id,
          name             SET OF DirectoryString {ub-schema} OPTIONAL,
          description      DirectoryString {ub-schema} OPTIONAL,
          obsolete         BOOLEAN DEFAULT FALSE,
          information  [0] ObjectClassInformation }
        
      ObjectClassDescription ::= SEQUENCE {
          identifier       OBJECT-CLASS.&id,
          name             SET OF DirectoryString {ub-schema} OPTIONAL,
          description      DirectoryString {ub-schema} OPTIONAL,
          obsolete         BOOLEAN DEFAULT FALSE,
          information  [0] ObjectClassInformation }
        
      ObjectClassInformation ::= SEQUENCE {
          subclassOf       SET OF OBJECT-CLASS.&id OPTIONAL,
          kind             ObjectClassKind DEFAULT structural,
          mandatories  [3] SET OF ATTRIBUTE.&id OPTIONAL,
          optionals    [4] SET OF ATTRIBUTE.&id OPTIONAL }
        
      ObjectClassInformation ::= SEQUENCE {
          subclassOf       SET OF OBJECT-CLASS.&id OPTIONAL,
          kind             ObjectClassKind DEFAULT structural,
          mandatories  [3] SET OF ATTRIBUTE.&id OPTIONAL,
          optionals    [4] SET OF ATTRIBUTE.&id OPTIONAL }
        
      ObjectClassKind ::= ENUMERATED {
          abstract     (0),
          structural   (1),
          auxiliary    (2) }
        
      ObjectClassKind ::= ENUMERATED {
          abstract     (0),
          structural   (1),
          auxiliary    (2) }
        

OBJECT-CLASS.&id and ATTRIBUTE.&id are equivalent to the OBJECT IDENTIFIER ASN.1 type. A value of OBJECT-CLASS.&id is an OBJECT IDENTIFIER for an object class. A value of ATTRIBUTE.&id is an OBJECT IDENTIFIER for an attribute type.

OBJECT-CLASS.&id和ATTRIBUTE.&id等同于对象标识符ASN.1类型。OBJECT-CLASS.&id的值是对象类的对象标识符。ATTRIBUTE.&id的值是属性类型的对象标识符。

The following search filter finds the object class definition for the object class identified by the OBJECT IDENTIFIER 2.5.6.18:

以下搜索筛选器查找由对象标识符2.5.6.18标识的对象类的对象类定义:

      (objectClasses:componentFilterMatch:=
           item:{ component "identifier",
                  rule objectIdentifierMatch, value 2.5.6.18 })
        
      (objectClasses:componentFilterMatch:=
           item:{ component "identifier",
                  rule objectIdentifierMatch, value 2.5.6.18 })
        

A match on the "identifier" component of objectClasses values is equivalent to the objectIdentifierFirstComponentMatch matching rule applied to attribute values of the objectClasses attribute type. The componentFilterMatch matching rule subsumes the functionality of the objectIdentifierFirstComponentMatch, integerFirstComponentMatch and directoryStringFirstComponentMatch matching rules.

objectClasses值的“identifier”组件上的匹配相当于应用于objectClasses属性类型的属性值的objectIdentifierFirstComponentMatch匹配规则。componentFilterMatch匹配规则包含objectIdentifierFirstComponentMatch、integerFirstComponentMatch和directoryStringFirstComponentMatch匹配规则的功能。

The following search filter finds the object class definition for the object class called foobar:

以下搜索筛选器查找名为foobar的对象类的对象类定义:

      (objectClasses:componentFilterMatch:=
          item:{ component "name.*",
                 rule caseIgnoreMatch, value "foobar" })
        
      (objectClasses:componentFilterMatch:=
          item:{ component "name.*",
                 rule caseIgnoreMatch, value "foobar" })
        

An object class definition can have multiple names and the above filter will match an objectClasses value if any one of the names is "foobar".

一个对象类定义可以有多个名称,如果其中任何一个名称为“foobar”,则上述过滤器将匹配一个objectClasses值。

The component reference "name.0" identifies the notional count of the number of names in an object class definition. The following search filter finds object class definitions with exactly one name:

组件引用“name.0”标识对象类定义中名称数量的概念计数。以下搜索筛选器查找仅具有一个名称的对象类定义:

      (objectClasses:componentFilterMatch:=
          item:{ component "name.0", rule integerMatch, value 1 })
        
      (objectClasses:componentFilterMatch:=
          item:{ component "name.0", rule integerMatch, value 1 })
        

The "description" component of an ObjectClassDescription is defined to be an OPTIONAL DirectoryString. The following search filter finds object class definitions that have descriptions, regardless of the contents of the description string:

ObjectClassDescription的“描述”组件被定义为可选的DirectoryString。以下搜索筛选器查找具有描述的对象类定义,而不考虑描述字符串的内容:

      (objectClasses:componentFilterMatch:=
          item:{ component "description",
                 rule presentMatch, value NULL })
        
      (objectClasses:componentFilterMatch:=
          item:{ component "description",
                 rule presentMatch, value NULL })
        

The presentMatch returns TRUE if the description component is present and FALSE otherwise.

如果描述组件存在,则presentMatch返回TRUE,否则返回FALSE。

The following search filter finds object class definitions that don't have descriptions:

以下搜索筛选器查找没有描述的对象类定义:

      (objectClasses:componentFilterMatch:=
          not:item:{ component "description",
                     rule presentMatch, value NULL })
        
      (objectClasses:componentFilterMatch:=
          not:item:{ component "description",
                     rule presentMatch, value NULL })
        

The following search filter finds object class definitions with the word "bogus" in the description:

以下搜索筛选器查找描述中带有“伪造”一词的对象类定义:

      (objectClasses:componentFilterMatch:=
          item:{ component "description",
                 rule caseIgnoreSubstringsMatch,
                 value { any:"bogus" } })
        
      (objectClasses:componentFilterMatch:=
          item:{ component "description",
                 rule caseIgnoreSubstringsMatch,
                 value { any:"bogus" } })
        

The assertion value is of the SubstringAssertion syntax, i.e.,

断言值采用SubstringAssertion语法,即。,

      SubstringAssertion ::= SEQUENCE OF CHOICE {
          initial      [0] DirectoryString {ub-match},
          any          [1] DirectoryString {ub-match},
          final        [2] DirectoryString {ub-match} }
        
      SubstringAssertion ::= SEQUENCE OF CHOICE {
          initial      [0] DirectoryString {ub-match},
          any          [1] DirectoryString {ub-match},
          final        [2] DirectoryString {ub-match} }
        

The "obsolete" component of an ObjectClassDescription is defined to be DEFAULT FALSE. An object class is obsolete if the "obsolete" component is present and set to TRUE. The following search filter finds all obsolete object classes:

ObjectClassDescription的“过时”组件被定义为默认值FALSE。如果存在“过时”组件并将其设置为TRUE,则对象类是过时的。以下搜索筛选器查找所有过时的对象类:

      (objectClasses:componentFilterMatch:=
          item:{ component "obsolete", rule booleanMatch, value TRUE })
        
      (objectClasses:componentFilterMatch:=
          item:{ component "obsolete", rule booleanMatch, value TRUE })
        

An object class is not obsolete if the "obsolete" component is not present, in which case it defaults to FALSE, or is present but is explicitly set to FALSE. The following search filter finds all non-obsolete object classes:

如果“过时”组件不存在,则对象类不是过时的,在这种情况下,它默认为FALSE,或者存在但显式设置为FALSE。以下搜索筛选器查找所有未过时的对象类:

      (objectClasses:componentFilterMatch:=
          item:{ component "obsolete", rule booleanMatch, value FALSE })
        
      (objectClasses:componentFilterMatch:=
          item:{ component "obsolete", rule booleanMatch, value FALSE })
        

The useDefaultValues flag in the ComponentAssertion defaults to TRUE so the componentFilterMatch rule treats an absent "obsolete" component as being present and set to FALSE. The following search

ComponentAssertion中的useDefaultValues标志默认为TRUE,因此componentFilterMatch规则将不存在的“过时”组件视为存在并设置为FALSE。以下搜索

filter finds only object class definitions where the "obsolete" component has been explicitly set to FALSE, rather than implicitly defaulting to FALSE:

筛选器仅查找“过时”组件已显式设置为FALSE而不是隐式默认设置为FALSE的对象类定义:

      (objectClasses:componentFilterMatch:=
          item:{ component "obsolete", useDefaultValues FALSE,
                 rule booleanMatch, value FALSE })
        
      (objectClasses:componentFilterMatch:=
          item:{ component "obsolete", useDefaultValues FALSE,
                 rule booleanMatch, value FALSE })
        

With the useDefaultValues flag set to FALSE, if the "obsolete" component is absent the component reference identifies no component value and the matching rule will return FALSE. The matching rule can only return TRUE if the component is present and set to FALSE.

当useDefaultValues标志设置为FALSE时,如果缺少“过时”组件,则组件引用不会标识任何组件值,匹配规则将返回FALSE。仅当组件存在且设置为FALSE时,匹配规则才能返回TRUE。

The "information.kind" component of the ObjectClassDescription is an ENUMERATED type. The allComponentsMatch matching rule can be used to match values of an ENUMERATED type. The following search filter finds object class definitions for auxiliary object classes:

ObjectClassDescription的“information.kind”组件是枚举类型。allComponentsMatch匹配规则可用于匹配枚举类型的值。以下搜索筛选器查找辅助对象类的对象类定义:

      (objectClasses:componentFilterMatch:=
          item:{ component "information.kind",
                 rule allComponentsMatch, value auxiliary })
        
      (objectClasses:componentFilterMatch:=
          item:{ component "information.kind",
                 rule allComponentsMatch, value auxiliary })
        

The following search filter finds auxiliary object classes with commonName (cn or 2.5.4.3) as a mandatory attribute:

以下搜索筛选器查找commonName(cn或2.5.4.3)作为强制属性的辅助对象类:

      (objectClasses:componentFilterMatch:=and:{
          item:{ component "information.kind",
                 rule allComponentsMatch, value auxiliary },
          item:{ component "information.mandatories.*",
                 rule objectIdentifierMatch, value cn } })
        
      (objectClasses:componentFilterMatch:=and:{
          item:{ component "information.kind",
                 rule allComponentsMatch, value auxiliary },
          item:{ component "information.mandatories.*",
                 rule objectIdentifierMatch, value cn } })
        

The following search filter finds auxiliary object classes with commonName as a mandatory or optional attribute:

以下搜索筛选器查找commonName作为强制或可选属性的辅助对象类:

      (objectClasses:componentFilterMatch:=and:{
          item:{ component "information.kind",
                 rule allComponentsMatch, value auxiliary },
          or:{
              item:{ component "information.mandatories.*",
                     rule objectIdentifierMatch, value cn },
              item:{ component "information.optionals.*",
                     rule objectIdentifierMatch, value cn } } })
        
      (objectClasses:componentFilterMatch:=and:{
          item:{ component "information.kind",
                 rule allComponentsMatch, value auxiliary },
          or:{
              item:{ component "information.mandatories.*",
                     rule objectIdentifierMatch, value cn },
              item:{ component "information.optionals.*",
                     rule objectIdentifierMatch, value cn } } })
        

Extra care is required when matching optional SEQUENCE OF or SET OF components because of the distinction between an absent list of instances and a present, but empty, list of instances. The following search filter finds object class definitions with less than three

在匹配可选的组件序列或组件集时需要格外小心,因为缺少实例列表和存在但为空的实例列表之间存在区别。以下搜索筛选器查找少于三个的对象类定义

names, including object class definitions with a present but empty list of names, but does not find object class definitions with an absent list of names:

名称,包括存在但名称列表为空的对象类定义,但找不到缺少名称列表的对象类定义:

      (objectClasses:componentFilterMatch:=
          item:{ component "name.0",
                 rule integerOrderingMatch, value 3 })
        
      (objectClasses:componentFilterMatch:=
          item:{ component "name.0",
                 rule integerOrderingMatch, value 3 })
        

If the "name" component is absent the "name.0" component is also considered to be absent and the ComponentAssertion evaluates to FALSE. If the "name" component is present, but empty, the "name.0" component is also present and equal to zero, so the ComponentAssertion evaluates to TRUE. To also find the object class definitions with an absent list of names the following search filter would be used:

如果缺少“name”组件,“name.0”组件也被认为不存在,ComponentAssertion的计算结果为FALSE。如果“name”组件存在但为空,则“name.0”组件也存在且等于零,因此ComponentAssertion的计算结果为TRUE。要同时查找缺少名称列表的对象类定义,将使用以下搜索筛选器:

      (objectClasses:componentFilterMatch:=or:{
          not:item:{ component "name", rule presentMatch, value NULL },
          item:{ component "name.0",
                 rule integerOrderingMatch, value 3 } })
        
      (objectClasses:componentFilterMatch:=or:{
          not:item:{ component "name", rule presentMatch, value NULL },
          item:{ component "name.0",
                 rule integerOrderingMatch, value 3 } })
        

Distinguished names embedded in other syntaxes can be matched with a componentFilterMatch. The uniqueMember attribute type has an attribute syntax described by the ASN.1 type NameAndOptionalUID.

嵌入在其他语法中的可分辨名称可以与componentFilterMatch匹配。uniqueMember属性类型具有由ASN.1类型名称和OptionalUID描述的属性语法。

      NameAndOptionalUID ::= SEQUENCE {
          dn        DistinguishedName,
          uid       UniqueIdentifier OPTIONAL }
        
      NameAndOptionalUID ::= SEQUENCE {
          dn        DistinguishedName,
          uid       UniqueIdentifier OPTIONAL }
        

The following search filter finds values of the uniqueMember attribute containing the author's DN:

以下搜索筛选器查找包含作者DN的uniqueMember属性的值:

      (uniqueMember:componentFilterMatch:=
          item:{ component "dn",
                 rule distinguishedNameMatch,
                 value "cn=Steven Legg,o=Adacel,c=AU" })
        
      (uniqueMember:componentFilterMatch:=
          item:{ component "dn",
                 rule distinguishedNameMatch,
                 value "cn=Steven Legg,o=Adacel,c=AU" })
        

The DistinguishedName and RelativeDistinguishedName ASN.1 types are also complex ASN.1 types so the component matching rules can be applied to their inner components.

DifferentiedName和RelativeDistinguishedName ASN.1类型也是复杂的ASN.1类型,因此组件匹配规则可以应用于其内部组件。

      DistinguishedName   ::= RDNSequence
        
      DistinguishedName   ::= RDNSequence
        
      RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
        
      RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
        
      RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
          AttributeTypeAndValue
        
      RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
          AttributeTypeAndValue
        
      AttributeTypeAndValue ::= SEQUENCE {
          type        AttributeType ({SupportedAttributes}),
          value       AttributeValue ({SupportedAttributes}{@type}) }
        
      AttributeTypeAndValue ::= SEQUENCE {
          type        AttributeType ({SupportedAttributes}),
          value       AttributeValue ({SupportedAttributes}{@type}) }
        
      AttributeType ::= ATTRIBUTE.&id
        
      AttributeType ::= ATTRIBUTE.&id
        
      AttributeValue ::= ATTRIBUTE.&Type
        
      AttributeValue ::= ATTRIBUTE.&Type
        

ATTRIBUTE.&Type is an open type. A value of ATTRIBUTE.&Type is constrained by the type component of AttributeTypeAndValue to be of the attribute syntax of the nominated attribute type. Note: the fourth edition of X.500 extends and renames the AttributeTypeAndValue SEQUENCE type.

属性类型是开放类型。ATTRIBUTE.&Type的值由AttributeTypeAndValue的类型组件约束为指定属性类型的属性语法。注意:X.500的第四版扩展并重命名了AttributeTypeAndValue序列类型。

The seeAlso attribute has the DistinguishedName syntax. The following search filter finds seeAlso attribute values containing the RDN, "o=Adacel", anywhere in the DN:

SeeAllo属性具有DifferentizedName语法。以下搜索筛选器在DN中的任意位置查找包含RDN“o=Adacel”的属性值:

      (seeAlso:componentFilterMatch:=
          item:{ component "*", rule rdnMatch, value "o=Adacel" })
        
      (seeAlso:componentFilterMatch:=
          item:{ component "*", rule rdnMatch, value "o=Adacel" })
        

The following search filter finds all seeAlso attribute values with "cn=Steven Legg" as the RDN of the named entry (i.e., the "first" RDN in an LDAPDN or the "last" RDN in an X.500 DN):

以下搜索筛选器查找所有SeeAllow属性值,其中“cn=Steven Legg”作为命名条目的RDN(即LDAPDN中的“第一个”RDN或X.500 DN中的“最后一个”RDN):

      (seeAlso:componentFilterMatch:=
          item:{ component "-1",
                 rule rdnMatch, value "cn=Steven Legg" })
        
      (seeAlso:componentFilterMatch:=
          item:{ component "-1",
                 rule rdnMatch, value "cn=Steven Legg" })
        

The following search filter finds all seeAlso attribute values naming entries in the DIT subtree of "o=Adacel,c=AU":

以下搜索筛选器查找“o=Adacel,c=AU”的DIT子树中的所有SeeAllow属性值命名项:

      (seeAlso:componentFilterMatch:=and:{
          item:{ component "1", rule rdnMatch, value "c=AU" },
          item:{ component "2", rule rdnMatch, value "o=Adacel" } })
        
      (seeAlso:componentFilterMatch:=and:{
          item:{ component "1", rule rdnMatch, value "c=AU" },
          item:{ component "2", rule rdnMatch, value "o=Adacel" } })
        

The following search filter finds all seeAlso attribute values containing the naming attribute types commonName (cn) and telephoneNumber in the same RDN:

以下搜索筛选器在同一RDN中查找包含命名属性类型commonName(cn)和telephoneNumber的所有SeeAllow属性值:

      (seeAlso:componentFilterMatch:=
          item:{ component "*", rule componentFilterMatch,
                 value and:{
                     item:{ component "*.type",
                            rule objectIdentifierMatch, value cn },
                     item:{ component "*.type",
                            rule objectIdentifierMatch,
                            value telephoneNumber } } })
        
      (seeAlso:componentFilterMatch:=
          item:{ component "*", rule componentFilterMatch,
                 value and:{
                     item:{ component "*.type",
                            rule objectIdentifierMatch, value cn },
                     item:{ component "*.type",
                            rule objectIdentifierMatch,
                            value telephoneNumber } } })
        

The following search filter would find all seeAlso attribute values containing the attribute types commonName and telephoneNumber, but not necessarily in the same RDN:

以下搜索筛选器将查找包含属性类型commonName和telephoneNumber的所有SeeAllow属性值,但不一定在同一RDN中:

      (seeAlso:componentFilterMatch:=and:{
          item:{ component "*.*.type",
                 rule objectIdentifierMatch, value cn },
          item:{ component "*.*.type",
                 rule objectIdentifierMatch, value telephoneNumber } })
        
      (seeAlso:componentFilterMatch:=and:{
          item:{ component "*.*.type",
                 rule objectIdentifierMatch, value cn },
          item:{ component "*.*.type",
                 rule objectIdentifierMatch, value telephoneNumber } })
        

The following search filter finds all seeAlso attribute values containing the word "Adacel" in any organizationalUnitName (ou) attribute value in any AttributeTypeAndValue of any RDN:

以下搜索筛选器在任何RDN的任何AttributeTypeAndValue中的任何organizationalUnitName(ou)属性值中查找包含单词“Adacel”的所有SeeAllow属性值:

      (seeAlso:componentFilterMatch:=
          item:{ component "*.*.value.(2.5.4.11)",
                 rule caseIgnoreSubstringsMatch,
                 value { any:"Adacel" } })
        
      (seeAlso:componentFilterMatch:=
          item:{ component "*.*.value.(2.5.4.11)",
                 rule caseIgnoreSubstringsMatch,
                 value { any:"Adacel" } })
        

The component reference "*.*.value" identifies an open type, in this case an attribute value. In a particular AttributeTypeAndValue, if the attribute type is not organizationalUnitName then the ComponentAssertion evaluates to FALSE. Otherwise the substring assertion is evaluated against the attribute value.

组件引用“*.*.value”标识一个打开类型,在本例中是一个属性值。在特定的AttributeTypeAndValue中,如果属性类型不是organizationalUnitName,则ComponentAssertion的计算结果为FALSE。否则,将根据属性值计算子字符串断言。

Absent component references in ComponentAssertions can be exploited to avoid false positive matches on multi-valued attributes. For example, suppose there is a multi-valued attribute named productCodes, defined to have the Integer syntax (1.3.6.1.4.1.1466.115.121.1.27). Consider the following search filter:

可以利用ComponentAssertion中缺少的组件引用来避免多值属性上的误报匹配。例如,假设有一个名为productCodes的多值属性,该属性定义为整数语法(1.3.6.1.4.1.1466.115.121.1.27)。考虑下面的搜索过滤器:

      (&(!(productCodes:integerOrderingMatch:=3))
        (productCodes:integerOrderingMatch:=8))
        
      (&(!(productCodes:integerOrderingMatch:=3))
        (productCodes:integerOrderingMatch:=8))
        

An entry whose productCodes attribute contains only the values 1 and 10 will match the above filter. The first subfilter is satisfied by the value 10 (10 is not less than 3), and the second subfilter is satisfied by the value 1 (1 is less than 8). The following search filter can be used instead to only match entries that have a productCodes value in the range 3 to 7, because the ComponentFilter is evaluated against each productCodes value in isolation:

productCodes属性仅包含值1和10的条目将与上述过滤器匹配。第一子滤波器满足值10(10不小于3),第二子滤波器满足值1(1小于8)。以下搜索筛选器可用于仅匹配productCodes值在3到7范围内的条目,因为ComponentFilter是针对每个productCodes值单独计算的:

      (productCodes:componentFilterMatch:= and:{
           not:item:{ rule integerOrderingMatch, value 3 },
          item:{ rule integerOrderingMatch, value 8 } })
        
      (productCodes:componentFilterMatch:= and:{
           not:item:{ rule integerOrderingMatch, value 3 },
          item:{ rule integerOrderingMatch, value 8 } })
        

An entry whose productCodes attribute contains only the values 1 and 10 will not match the above filter.

productCodes属性仅包含值1和10的条目将与上述筛选器不匹配。

8. Security Considerations
8. 安全考虑

The component matching rules described in this document allow for a compact specification of matching capabilities that could otherwise have been defined by a plethora of specific matching rules, i.e., despite their expressiveness and flexibility the component matching rules do not behave in a way uncharacteristic of other matching rules, so the security issues for component matching rules are no different than for any other matching rule. However, because the component matching rules are applicable to any attribute syntax, support for them in a directory server may allow searching of attributes that were previously unsearchable by virtue of there not being a suitable matching rule. Such attribute types ought to be properly protected with appropriate access controls. A generic, interoperable access control mechanism has not yet been developed, however, and implementors should be aware of the interaction of that lack with the increased risk of exposure described above.

本文档中描述的组件匹配规则允许紧凑的匹配功能规范,否则可能由大量特定匹配规则定义,即,尽管组件匹配规则具有表达性和灵活性,但其行为方式与其他匹配规则不同,因此,组件匹配规则的安全问题与任何其他匹配规则的安全问题没有什么不同。但是,由于组件匹配规则适用于任何属性语法,因此目录服务器中对它们的支持可能允许搜索以前由于没有合适的匹配规则而无法搜索的属性。这些属性类型应该通过适当的访问控制得到适当的保护。然而,一种通用的、可互操作的访问控制机制尚未开发出来,实施者应该意识到这种缺乏与上述风险增加之间的相互作用。

9. Acknowledgements
9. 致谢

The author would like to thank Tom Gindin for private email discussions that clarified and refined the ideas presented in this document.

作者要感谢Tom Gindin的私人电子邮件讨论,这些讨论澄清并完善了本文中提出的观点。

10. IANA Considerations
10. IANA考虑

The Internet Assigned Numbers Authority (IANA) has updated the LDAP descriptors registry [8] as indicated by the following templates:

互联网分配号码管理局(IANA)已更新LDAP描述符注册表[8],如以下模板所示:

      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): componentFilterMatch
      Object Identifier: 1.2.36.79672281.1.13.2
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): componentFilterMatch
      Object Identifier: 1.2.36.79672281.1.13.2
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): rdnMatch
      Object Identifier: 1.2.36.79672281.1.13.3
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): rdnMatch
      Object Identifier: 1.2.36.79672281.1.13.3
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): presentMatch
      Object Identifier: 1.2.36.79672281.1.13.5
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): presentMatch
      Object Identifier: 1.2.36.79672281.1.13.5
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): allComponentsMatch
      Object Identifier: 1.2.36.79672281.1.13.6
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): allComponentsMatch
      Object Identifier: 1.2.36.79672281.1.13.6
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): directoryComponentsMatch
      Object Identifier: 1.2.36.79672281.1.13.7
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): directoryComponentsMatch
      Object Identifier: 1.2.36.79672281.1.13.7
      Person & email address to contact for further information:
        Steven Legg <steven.legg@adacel.com.au>
      Usage: other (matching rule)
      Specification: RFC 3687
      Author/Change Controller: IESG
        

The object identifiers have been assigned for use in this specification by Adacel Technologies, under an arc assigned to Adacel by Standards Australia.

Adacel Technologies已根据澳大利亚标准局分配给Adacel的arc分配了对象标识符,以便在本规范中使用。

11. References
11. 工具书类
11.1. Normative References
11.1. 规范性引用文件

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[1] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[2] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997.

[2] Crocker,D.,Ed.和P.Overell,“语法规范的扩充BNF:ABNF”,RFC 2234,1997年11月。

[3] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

[3] Wahl,M.,Howes,T.和S.Kille,“轻量级目录访问协议(v3)”,RFC 2251,1997年12月。

[4] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.

[4] Wahl,M.,Coulbeck,A.,Howes,T.和S.Kille,“轻量级目录访问协议(v3):属性语法定义”,RFC2252,1997年12月。

[5] Wahl, M., Kille S. and T. Howes. "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC 2253, December 1997.

[5] 沃尔,M.,基尔S.和T.豪斯。“轻量级目录访问协议(v3):可分辨名称的UTF-8字符串表示”,RFC2253,1997年12月。

[6] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.

[6] Yergeau,F.,“UTF-8,ISO 10646的转换格式”,STD 63,RFC 3629,2003年11月。

[7] Hodges, J. and R. Morgan, "Lightweight Directory Access Protocol (v3): Technical Specification", RFC 3377, September 2002.

[7] Hodges,J.和R.Morgan,“轻量级目录访问协议(v3):技术规范”,RFC3372002年9月。

[8] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 3383, September 2002.

[8] Zeilenga,K.,“轻量级目录访问协议(LDAP)的互联网分配号码管理局(IANA)注意事项”,BCP 64,RFC 3383,2002年9月。

[9] Legg, S., "Generic String Encoding Rules (GSER) for ASN.1 Types", RFC 3641, October 2003.

[9] Legg,S.,“ASN.1类型的通用字符串编码规则(GSER)”,RFC3641,2003年10月。

   [10]  ITU-T Recommendation X.501 (1993) | ISO/IEC 9594-2:1994,
         Information Technology - Open Systems Interconnection - The
         Directory: Models
        
   [10]  ITU-T Recommendation X.501 (1993) | ISO/IEC 9594-2:1994,
         Information Technology - Open Systems Interconnection - The
         Directory: Models
        
   [11]  ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-8:1998,
         Information Technology - Open Systems Interconnection - The
         Directory: Authentication Framework
        
   [11]  ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-8:1998,
         Information Technology - Open Systems Interconnection - The
         Directory: Authentication Framework
        
   [12]  ITU-T Recommendation X.520 (1993) | ISO/IEC 9594-6:1994,
         Information technology - Open Systems Interconnection - The
         Directory: Selected attribute types
        
   [12]  ITU-T Recommendation X.520 (1993) | ISO/IEC 9594-6:1994,
         Information technology - Open Systems Interconnection - The
         Directory: Selected attribute types
        
   [13]  ITU-T Recommendation X.680 (07/02) | ISO/IEC 8824-1:2002,
         Information technology - Abstract Syntax Notation One (ASN.1):
         Specification of basic notation
        
   [13]  ITU-T Recommendation X.680 (07/02) | ISO/IEC 8824-1:2002,
         Information technology - Abstract Syntax Notation One (ASN.1):
         Specification of basic notation
        
   [14]  ITU-T Recommendation X.681 (07/02) | ISO/IEC 8824-2:2002,
         Information technology - Abstract Syntax Notation One (ASN.1):
         Information object specification
        
   [14]  ITU-T Recommendation X.681 (07/02) | ISO/IEC 8824-2:2002,
         Information technology - Abstract Syntax Notation One (ASN.1):
         Information object specification
        
   [15]  ITU-T Recommendation X.682 (07/02) | ISO/IEC 8824-3:2002,
         Information technology - Abstract Syntax Notation One (ASN.1):
         Constraint specification
        
   [15]  ITU-T Recommendation X.682 (07/02) | ISO/IEC 8824-3:2002,
         Information technology - Abstract Syntax Notation One (ASN.1):
         Constraint specification
        
   [16]  ITU-T Recommendation X.683 (07/02) | ISO/IEC 8824-4:2002,
         Information technology - Abstract Syntax Notation One (ASN.1):
         Parameterization of ASN.1 specifications
        
   [16]  ITU-T Recommendation X.683 (07/02) | ISO/IEC 8824-4:2002,
         Information technology - Abstract Syntax Notation One (ASN.1):
         Parameterization of ASN.1 specifications
        

[17] ITU-T Recommendation X.690 (07/02) | ISO/IEC 8825-1, Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)

[17] ITU-T建议X.690(07/02)| ISO/IEC 8825-1,信息技术-ASN.1编码规则:基本编码规则(BER)、规范编码规则(CER)和区分编码规则(DER)规范

12.2. Informative References
12.2. 资料性引用

[18] Howes, T., "The String Representation of LDAP Search Filters", RFC 2254, December 1997.

[18] Howes,T.,“LDAP搜索过滤器的字符串表示”,RFC 2254,1997年12月。

   [19]  ITU-T Recommendation X.500 (1993) | ISO/IEC 9594-1:1994,
         Information Technology - Open Systems Interconnection - The
         Directory: Overview of concepts, models and services
        
   [19]  ITU-T Recommendation X.500 (1993) | ISO/IEC 9594-1:1994,
         Information Technology - Open Systems Interconnection - The
         Directory: Overview of concepts, models and services
        
12. Intellectual Property Statement
12. 知识产权声明

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。有关IETF在标准跟踪和标准相关文件中权利的程序信息,请参见BCP-11。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涉及实施本标准所需技术的专有权利。请将信息发送给IETF执行董事。

13. Author's Address
13. 作者地址

Steven Legg Adacel Technologies Ltd. 250 Bay Street Brighton, Victoria 3186 AUSTRALIA

Steven Legg Adacel Technologies Ltd.澳大利亚维多利亚州布莱顿湾街250号,邮编:3186

   Phone: +61 3 8530 7710
   Fax:   +61 3 8530 7888
   EMail: steven.legg@adacel.com.au
        
   Phone: +61 3 8530 7710
   Fax:   +61 3 8530 7888
   EMail: steven.legg@adacel.com.au
        
14. Full Copyright Statement
14. 完整版权声明

Copyright (C) The Internet Society (2004). All Rights Reserved.

版权所有(C)互联网协会(2004年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。