Well-known OIDs

synta.oids provides 70+ well-known OID constants as ObjectIdentifier instances (frozen, hashable). Import with import synta.oids as oids.

Algorithm OIDs

Constant	OID	Standard
`RSA_ENCRYPTION`	1.2.840.113549.1.1.1	PKCS #1
`MD5_WITH_RSA`	1.2.840.113549.1.1.4	PKCS #1
`SHA1_WITH_RSA`	1.2.840.113549.1.1.5	PKCS #1
`SHA256_WITH_RSA`	1.2.840.113549.1.1.11	RFC 4055
`SHA384_WITH_RSA`	1.2.840.113549.1.1.12	RFC 4055
`SHA512_WITH_RSA`	1.2.840.113549.1.1.13	RFC 4055
`EC_PUBLIC_KEY`	1.2.840.10045.2.1	RFC 5480
`ECDSA_WITH_SHA1`	1.2.840.10045.4.1	ANSI X9.62
`ECDSA_WITH_SHA256`	1.2.840.10045.4.3.2	RFC 5758
`ECDSA_WITH_SHA384`	1.2.840.10045.4.3.3	RFC 5758
`ECDSA_WITH_SHA512`	1.2.840.10045.4.3.4	RFC 5758
`ED25519`	1.3.101.112	RFC 8410
`ED448`	1.3.101.113	RFC 8410
`ML_DSA_44`	2.16.840.1.101.3.4.3.17	FIPS 204
`ML_DSA_65`	2.16.840.1.101.3.4.3.18	FIPS 204
`ML_DSA_87`	2.16.840.1.101.3.4.3.19	FIPS 204
`ML_KEM_512`	2.16.840.1.101.3.4.4.1	FIPS 203
`ML_KEM_768`	2.16.840.1.101.3.4.4.2	FIPS 203
`ML_KEM_1024`	2.16.840.1.101.3.4.4.3	FIPS 203
`EC_CURVE_P256`	1.2.840.10045.3.1.7	NIST P-256
`EC_CURVE_P384`	1.3.132.0.34	NIST P-384
`EC_CURVE_P521`	1.3.132.0.35	NIST P-521
`EC_CURVE_SECP256K1`	1.3.132.0.10	Bitcoin curve

Hash algorithm OIDs

Constant	OID	Standard
`SHA224`	2.16.840.1.101.3.4.2.4	FIPS 180-4
`SHA256`	2.16.840.1.101.3.4.2.1	FIPS 180-4
`SHA384`	2.16.840.1.101.3.4.2.2	FIPS 180-4
`SHA512`	2.16.840.1.101.3.4.2.3	FIPS 180-4
`SHA512_224`	2.16.840.1.101.3.4.2.5	FIPS 180-4
`SHA512_256`	2.16.840.1.101.3.4.2.6	FIPS 180-4
`SHA3_224`	2.16.840.1.101.3.4.2.7	FIPS 202
`SHA3_256`	2.16.840.1.101.3.4.2.8	FIPS 202
`SHA3_384`	2.16.840.1.101.3.4.2.9	FIPS 202
`SHA3_512`	2.16.840.1.101.3.4.2.10	FIPS 202
`SHAKE128`	2.16.840.1.101.3.4.2.11	FIPS 202
`SHAKE256`	2.16.840.1.101.3.4.2.12	FIPS 202

SLH_DSA_SHA2_128F, SLH_DSA_SHA2_128S, SLH_DSA_SHA2_192F, SLH_DSA_SHA2_192S, SLH_DSA_SHA2_256F, SLH_DSA_SHA2_256S, SLH_DSA_SHAKE_128F, SLH_DSA_SHAKE_128S, SLH_DSA_SHAKE_192F, SLH_DSA_SHAKE_192S, SLH_DSA_SHAKE_256F, SLH_DSA_SHAKE_256S.

Prefix OIDs

These are prefix arcs for use with oid.components() rather than exact match.

Constant	OID prefix	Covers
`RSA`	1.2.840.113549.1.1	All PKCS#1 signature algorithms
`ECDSA_SIG`	1.2.840.10045.4	All ECDSA signature algorithms
`ECDSA_KEY`	1.2.840.10045.2	EC public-key types
`DSA`	1.2.840.10040.4	DSA and DSA-with-hash algorithms

# Example: match any RSA algorithm
import synta.oids as oids
rsa_prefix = oids.RSA.components()
if cert.signature_algorithm_oid.components()[:len(rsa_prefix)] == rsa_prefix:
    print("RSA family")

X.509v3 extension OIDs

Constant	OID	RFC reference
`SUBJECT_ALT_NAME`	2.5.29.17	RFC 5280
`ISSUER_ALT_NAME`	2.5.29.18	RFC 5280
`BASIC_CONSTRAINTS`	2.5.29.19	RFC 5280
`KEY_USAGE`	2.5.29.15	RFC 5280
`EXTENDED_KEY_USAGE`	2.5.29.37	RFC 5280
`SUBJECT_KEY_IDENTIFIER`	2.5.29.14	RFC 5280
`AUTHORITY_KEY_IDENTIFIER`	2.5.29.35	RFC 5280
`CERTIFICATE_POLICIES`	2.5.29.32	RFC 5280
`CRL_DISTRIBUTION_POINTS`	2.5.29.31	RFC 5280
`AUTHORITY_INFO_ACCESS`	1.3.6.1.5.5.7.1.1	RFC 5280
`CT_PRECERT_SCTS`	1.3.6.1.4.1.11129.2.4.2	RFC 6962

Extended Key Usage (EKU) OIDs

Constant	OID	Use
`KP_SERVER_AUTH`	1.3.6.1.5.5.7.3.1	TLS server authentication
`KP_CLIENT_AUTH`	1.3.6.1.5.5.7.3.2	TLS client authentication
`KP_CODE_SIGNING`	1.3.6.1.5.5.7.3.3	Code signing
`KP_EMAIL_PROTECTION`	1.3.6.1.5.5.7.3.4	S/MIME
`KP_TIME_STAMPING`	1.3.6.1.5.5.7.3.8	RFC 3161 TSA
`KP_OCSP_SIGNING`	1.3.6.1.5.5.7.3.9	OCSP responder
`ANY_EXTENDED_KEY_USAGE`	2.5.29.37.0	Match any EKU

PKINIT OIDs (RFC 4556 / RFC 8636)

Constant	OID	Description
`ID_PKINIT_SAN`	1.3.6.1.5.2.2	KRB5PrincipalName OtherName type-id
`ID_PKINIT_KPCLIENT_AUTH`	1.3.6.1.5.2.3.4	PKINIT client auth EKU
`ID_PKINIT_KPKDC`	1.3.6.1.5.2.3.5	PKINIT KDC EKU
`ID_PKINIT_AUTH_DATA`	1.3.6.1.5.2.3.1	PA-PK-AS-REQ content type
`ID_PKINIT_DHKEY_DATA`	1.3.6.1.5.2.3.2	DH key data content type
`ID_PKINIT_RKEY_DATA`	1.3.6.1.5.2.3.3	Reply key pack content type
`ID_PKINIT_KDF`	1.3.6.1.5.2.3.6	KDF algorithm arc (RFC 8636)
`ID_PKINIT_KDF_AH_SHA1`	1.3.6.1.5.2.3.6.1	PKINIT KDF with SHA-1
`ID_PKINIT_KDF_AH_SHA256`	1.3.6.1.5.2.3.6.2	PKINIT KDF with SHA-256
`ID_PKINIT_KDF_AH_SHA384`	1.3.6.1.5.2.3.6.4	PKINIT KDF with SHA-384
`ID_PKINIT_KDF_AH_SHA512`	1.3.6.1.5.2.3.6.3	PKINIT KDF with SHA-512

Microsoft PKI OIDs

Constant	OID	Windows name
`ID_MS_SAN_UPN`	1.3.6.1.4.1.311.20.2.3	`szOID_NT_PRINCIPAL_NAME` — UPN in OtherName
`ID_MS_CERTIFICATE_TEMPLATE_NAME`	1.3.6.1.4.1.311.20.2	`szOID_CERTIFICATE_TEMPLATE_NAME` (v1)
`ID_MS_CERTIFICATE_TEMPLATE`	1.3.6.1.4.1.311.21.7	`szOID_CERTIFICATE_TEMPLATE` (v2)
`ID_MS_KP_SMARTCARD_LOGON`	1.3.6.1.4.1.311.20.2.2	`szOID_MS_KP_SMARTCARD_LOGON` EKU
`ID_MS_NTDS_REPLICATION`	1.3.6.1.4.1.311.25.1	`szOID_NTDS_REPLICATION` EKU

CMS content-type OIDs (RFC 5652)

Constant	OID	Name
`CMS_DATA`	1.2.840.113549.1.7.1	id-data
`CMS_SIGNED_DATA`	1.2.840.113549.1.7.2	id-signedData
`CMS_ENVELOPED_DATA`	1.2.840.113549.1.7.3	id-envelopedData
`CMS_DIGESTED_DATA`	1.2.840.113549.1.7.5	id-digestedData
`CMS_ENCRYPTED_DATA`	1.2.840.113549.1.7.6	id-encryptedData
`CMS_AUTH_DATA`	1.2.840.113549.1.9.16.1.2	id-ct-authData
`CMS_ORI`	1.2.840.113549.1.9.16.13	OtherRecipientInfo arc (RFC 9629)
`CMS_ORI_KEM`	1.2.840.113549.1.9.16.13.3	KEMRecipientInfo (RFC 9629)

PKCS#9 attribute OIDs

Constant	OID	Description
`PKCS9_EMAIL_ADDRESS`	1.2.840.113549.1.9.1	emailAddress
`PKCS9_CONTENT_TYPE`	1.2.840.113549.1.9.3	id-contentType
`PKCS9_MESSAGE_DIGEST`	1.2.840.113549.1.9.4	id-messageDigest
`PKCS9_SIGNING_TIME`	1.2.840.113549.1.9.5	id-signingTime
`PKCS9_COUNTERSIGNATURE`	1.2.840.113549.1.9.6	id-countersignature
`PKCS9_CHALLENGE_PASSWORD`	1.2.840.113549.1.9.7	id-challengePassword
`PKCS9_EXTENSION_REQUEST`	1.2.840.113549.1.9.14	id-extensionRequest
`PKCS9_FRIENDLY_NAME`	1.2.840.113549.1.9.20	id-friendlyName
`PKCS9_LOCAL_KEY_ID`	1.2.840.113549.1.9.21	id-localKeyId

OID helper functions

def identify_signature_algorithm(oid: ObjectIdentifier | str) -> str: ...
# Returns a display name such as "sha256WithRSAEncryption", "ecdsa-with-SHA256",
# "Ed25519", "ML-DSA-65", etc.  Returns "Other" for unknown OIDs.

def identify_public_key_algorithm(oid: ObjectIdentifier | str) -> str | None: ...
# Returns "RSA", "EC", "Ed25519", "ML-DSA-65", etc., or None for unknown OIDs.

def ec_curve_short_name(oid: ObjectIdentifier | str) -> str | None: ...
# Returns the ASN.1 short name, e.g. "prime256v1", "secp384r1".

def ec_curve_nist_name(oid: ObjectIdentifier | str) -> str | None: ...
# Returns the NIST name, e.g. "P-256", "P-384".  None for curves with no NIST name.

def ec_curve_key_bits(oid: ObjectIdentifier | str) -> int | None: ...
# Returns the field size in bits, e.g. 256, 384, 521.

def extension_oid_name(oid: ObjectIdentifier | str) -> str: ...
# Returns a display name, e.g. "X509v3 Subject Alternative Name".
# Returns the dotted-decimal string for unknown OIDs.

Usage

import synta.oids as oids

# Equality comparison against a string
assert oids.EC_PUBLIC_KEY == "1.2.840.10045.2.1"

# Use as a dict key (hashable)
lookup = {oids.SHA256: "SHA-256", oids.SHA384: "SHA-384"}
name = lookup.get(cert.signature_algorithm_oid, "unknown")

# OID helper functions
print(oids.identify_signature_algorithm(cert.signature_algorithm_oid))
print(oids.identify_public_key_algorithm(cert.public_key_algorithm_oid))

See also DN Attribute OIDs and PKCS#9 OIDs.

Synta Python Bindings