From 25575183ca581a080478ad499e308a76e44e4def Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Fri, 24 Apr 2015 17:42:54 +0200 Subject: public_key: Change structure to what editor intended --- lib/public_key/doc/src/Makefile | 3 +- lib/public_key/doc/src/cert_records.xml | 743 ----------------------- lib/public_key/doc/src/public_key.xml | 3 +- lib/public_key/doc/src/public_key_records.xml | 155 ----- lib/public_key/doc/src/records.xml | 821 +++++++++++++++++++++++++- 5 files changed, 804 insertions(+), 921 deletions(-) delete mode 100644 lib/public_key/doc/src/cert_records.xml delete mode 100644 lib/public_key/doc/src/public_key_records.xml (limited to 'lib/public_key/doc/src') diff --git a/lib/public_key/doc/src/Makefile b/lib/public_key/doc/src/Makefile index 17fb67e95c..2adc13a5cf 100644 --- a/lib/public_key/doc/src/Makefile +++ b/lib/public_key/doc/src/Makefile @@ -42,8 +42,7 @@ XML_REF6_FILES = XML_PART_FILES = part.xml part_notes.xml XML_CHAPTER_FILES = \ introduction.xml \ - public_key_records.xml \ - cert_records.xml \ + records.xml \ using_public_key.xml \ notes.xml diff --git a/lib/public_key/doc/src/cert_records.xml b/lib/public_key/doc/src/cert_records.xml deleted file mode 100644 index 4d4533fe21..0000000000 --- a/lib/public_key/doc/src/cert_records.xml +++ /dev/null @@ -1,743 +0,0 @@ - - - - -
- - 2008 - 2014 - Ericsson AB, All Rights Reserved - - - The contents of this file are subject to the Erlang Public License, - Version 1.1, (the "License"); you may not use this file except in - compliance with the License. You should have received a copy of the - Erlang Public License along with this software. If not, it can be - retrieved online at http://www.erlang.org/. - - Software distributed under the License is distributed on an "AS IS" - basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See - the License for the specific language governing rights and limitations - under the License. - - The Initial Developer of the Original Code is Ericsson AB. - - - Certificate Records - Ingela Anderton Andin - - - - - 2008-02-06 - A - cert_records.xml -
- -

This section briefly describes Erlang records derived from ASN.1 - specifications used to handle X509 certificates and CertificationRequest. - The scope is to describe the data types of each component, - not the semantics. For information on the semantics, refer to RFC 5280 and - PKCS-10. -

- -

Use the following include directive to get access to the - records and constant macros (OIDs) described in the following sections:

- - -include_lib("public_key/include/public_key.hrl"). - -

The used ASN.1 specifications are available in the asn1 subdirectory - of the public_key application.

- -
- Common Data Types - -

Common non-standard Erlang - data types used to describe the record fields in the - following sections are defined in the public_key Reference Manual, or - follows here:

- - - time() -

= uct_time() | general_time()

- - uct_time() -

= {utcTime, "YYMMDDHHMMSSZ"}

- - general_time() -

= {generalTime, "YYYYMMDDHHMMSSZ"}

- - general_name() - =

{rfc822Name, string()}

-

| {dNSName, string()}

-

| {x400Address, string()}

-

| {directoryName, {rdnSequence, [#AttributeTypeAndValue'{}]}}

-

| {eidPartyName, special_string()}

-

| {eidPartyName, special_string(), special_string()}

-

| {uniformResourceIdentifier, string()}

-

| {ipAddress, string()}

-

| {registeredId, oid()}

-

| {otherName, term()}

-
- - special_string() - =

{teletexString, string()}

-

| {printableString, string()}

-

| {universalString, string()}

-

| {utf8String, binary()}

-

| {bmpString, string()}

-
- - dist_reason() - =

unused

-

| keyCompromise

-

| cACompromise

-

| affiliationChanged

-

| superseded

-

| cessationOfOperation

-

| certificateHold

-

| privilegeWithdrawn

-

| aACompromise

-
-
- -
- -
- PKIX Certificates -

Erlang representation of PKIX certificates derived from ASN.1 - specifications and RFC 5280 are as follows:

- -#'Certificate'{ - tbsCertificate, % #'TBSCertificate'{} - signatureAlgorithm, % #'AlgorithmIdentifier'{} - signature % bitstring() - }. - -#'TBSCertificate'{ - version, % v1 | v2 | v3 - serialNumber, % integer() - signature, % #'AlgorithmIdentifier'{} - issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} - validity, % #'Validity'{} - subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} - subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{} - issuerUniqueID, % binary() | asn1_novalue - subjectUniqueID, % binary() | asn1_novalue - extensions % [#'Extension'{}] - }. - -#'AlgorithmIdentifier'{ - algorithm, % oid() - parameters % der_encoded() - }. - - -#'OTPCertificate'{ - tbsCertificate, % #'OTPTBSCertificate'{} - signatureAlgorithm, % #'SignatureAlgorithm' - signature % bitstring() - }. - -#'OTPTBSCertificate'{ - version, % v1 | v2 | v3 - serialNumber, % integer() - signature, % #'SignatureAlgorithm' - issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} - validity, % #'Validity'{} - subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} - subjectPublicKeyInfo, % #'OTPSubjectPublicKeyInfo'{} - issuerUniqueID, % binary() | asn1_novalue - subjectUniqueID, % binary() | asn1_novalue - extensions % [#'Extension'{}] - }. - -#'SignatureAlgorithm'{ - algorithm, % id_signature_algorithm() - parameters % asn1_novalue | #'Dss-Parms'{} - }. - -

Here, id_signature_algorithm() = ?OID name, for available OID names, for example -?id-dsa-with-sha1. That is, by prepending "?" to the OID name, represented as an Erlang atom.

-

The available OID names are as follows:

- - - OID Name - - - id-dsa-with-sha1 - - - id-dsaWithSHA1 (ISO or OID to above) - - - md2WithRSAEncryption - - - md5WithRSAEncryption - - - sha1WithRSAEncryption - - - sha-1WithRSAEncryption (ISO or OID to above) - - - sha224WithRSAEncryption - - - sha256WithRSAEncryption - - - sha512WithRSAEncryption - - - ecdsa-with-SHA1 - - Signature Algorithm OIDs -
- -

The data type 'AttributeTypeAndValue', is represented as - the following erlang record:

- - -#'AttributeTypeAndValue'{ - type, % id_attributes() - value % term() - }. - -

The attribute OID name atoms and their corresponding value types -are as follows:

- - - OID Name - Value Type - - - id-at-name - special_string() - - - id-at-surname - special_string() - - - id-at-givenName - special_string() - - - id-at-initials - special_string() - - - id-at-generationQualifier - special_string() - - - id-at-commonName - special_string() - - - id-at-localityName - special_string() - - - id-at-stateOrProvinceName - special_string() - - - id-at-organizationName - special_string() - - - id-at-title - special_string() - - - id-at-dnQualifier - {printableString, string()} - - - id-at-countryName - {printableString, string()} - - - id-at-serialNumber - {printableString, string()} - - - id-at-pseudonym - special_string() - - Attribute OIDs -
- -

The data types 'Validity', 'SubjectPublicKeyInfo', and -'SubjectPublicKeyInfoAlgorithm' are represented as the following Erlang records:

- - -#'Validity'{ - notBefore, % time() - notAfter % time() - }. - -#'SubjectPublicKeyInfo'{ - algorithm, % #AlgorithmIdentifier{} - subjectPublicKey % binary() - }. - -#'SubjectPublicKeyInfoAlgorithm'{ - algorithm, % id_public_key_algorithm() - parameters % public_key_params() - }. - -

The public-key algorithm OID name atoms are as follows:

- - - OID Name - - - rsaEncryption - - - id-dsa - - - dhpublicnumber - - - id-keyExchangeAlgorithm - - - id-ecPublicKey - - Public-Key Algorithm OIDs -
- - -#'Extension'{ - extnID, % id_extensions() | oid() - critical, % boolean() - extnValue % der_encoded() - }. - -

id_extensions() - Standard Certificate Extensions, - Private Internet Extensions, - CRL Extensions and - CRL Entry Extensions. -

- -
- -
- - Standard Certificate Extensions - -

The standard certificate extensions OID name atoms and their - corresponding value types are as follows:

- - - - OID Name - Value Type - - - id-ce-authorityKeyIdentifier - #'AuthorityKeyIdentifier'{} - - - id-ce-subjectKeyIdentifier - oid() - - - id-ce-keyUsage - [key_usage()] - - - id-ce-privateKeyUsagePeriod - #'PrivateKeyUsagePeriod'{} - - - id-ce-certificatePolicies - #'PolicyInformation'{} - - - - id-ce-policyMappings - #'PolicyMappings_SEQOF'{} - - - - id-ce-subjectAltName - general_name() - - - - id-ce-issuerAltName - general_name() - - - - id-ce-subjectDirectoryAttributes - [#'Attribute'{}] - - - - id-ce-basicConstraints - #'BasicConstraints'{} - - - id-ce-nameConstraints - #'NameConstraints'{} - - - id-ce-policyConstraints - #'PolicyConstraints'{} - - - id-ce-extKeyUsage - [id_key_purpose()] - - - - id-ce-cRLDistributionPoints - [#'DistributionPoint'{}] - - - - id-ce-inhibitAnyPolicy - integer() - - - - id-ce-freshestCRL - [#'DistributionPoint'{}] - - - - Standard Certificate Extensions -
- -

Here:

- - key_usage() - =

digitalSignature

-

| nonRepudiation

-

| keyEncipherment

-

| dataEncipherment

-

| keyAgreement

-

| keyCertSign

-

| cRLSign

-

| encipherOnly

-

| decipherOnly

-
-
- -

And for id_key_purpose():

- - - - OID Name - - - id-kp-serverAuth - - - id-kp-clientAuth - - - id-kp-codeSigning - - - id-kp-emailProtection - - - id-kp-timeStamping - - - id-kp-OCSPSigning - - Key Purpose OIDs -
- - -#'AuthorityKeyIdentifier'{ - keyIdentifier, % oid() - authorityCertIssuer, % general_name() - authorityCertSerialNumber % integer() - }. - -#'PrivateKeyUsagePeriod'{ - notBefore, % general_time() - notAfter % general_time() - }. - -#'PolicyInformation'{ - policyIdentifier, % oid() - policyQualifiers % [#PolicyQualifierInfo{}] - }. - -#'PolicyQualifierInfo'{ - policyQualifierId, % oid() - qualifier % string() | #'UserNotice'{} - }. - -#'UserNotice'{ - noticeRef, % #'NoticeReference'{} - explicitText % string() - }. - -#'NoticeReference'{ - organization, % string() - noticeNumbers % [integer()] - }. - -#'PolicyMappings_SEQOF'{ - issuerDomainPolicy, % oid() - subjectDomainPolicy % oid() - }. - -#'Attribute'{ - type, % oid() - values % [der_encoded()] - }). - -#'BasicConstraints'{ - cA, % boolean() - pathLenConstraint % integer() - }). - -#'NameConstraints'{ - permittedSubtrees, % [#'GeneralSubtree'{}] - excludedSubtrees % [#'GeneralSubtree'{}] - }). - -#'GeneralSubtree'{ - base, % general_name() - minimum, % integer() - maximum % integer() - }). - -#'PolicyConstraints'{ - requireExplicitPolicy, % integer() - inhibitPolicyMapping % integer() - }). - -#'DistributionPoint'{ - distributionPoint, % {fullName, [general_name()]} | {nameRelativeToCRLIssuer, - [#AttributeTypeAndValue{}]} - reasons, % [dist_reason()] - cRLIssuer % [general_name()] - }). - -
- -
- - Private Internet Extensions - -

The private internet extensions OID name atoms and their corresponding value - types are as follows:

- - - - OID Name - Value Type - - - id-pe-authorityInfoAccess - [#'AccessDescription'{}] - - - id-pe-subjectInfoAccess - [#'AccessDescription'{}] - - Private Internet Extensions -
- - -#'AccessDescription'{ - accessMethod, % oid() - accessLocation % general_name() - }). - -
- -
- CRL and CRL Extensions Profile - -

Erlang representation of CRL and CRL extensions profile - derived from ASN.1 specifications and RFC 5280 are as follows:

- - -#'CertificateList'{ - tbsCertList, % #'TBSCertList{} - signatureAlgorithm, % #'AlgorithmIdentifier'{} - signature % bitstring() - }). - -#'TBSCertList'{ - version, % v2 (if defined) - signature, % #AlgorithmIdentifier{} - issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} - thisUpdate, % time() - nextUpdate, % time() - revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}] - crlExtensions % [#'Extension'{}] - }). - -#'TBSCertList_revokedCertificates_SEQOF'{ - userCertificate, % integer() - revocationDate, % timer() - crlEntryExtensions % [#'Extension'{}] - }). - -
- - CRL Extensions - -

The CRL extensions OID name atoms and their corresponding value types are as follows:

- - - - - OID Name - Value Type - - - id-ce-authorityKeyIdentifier - #'AuthorityKeyIdentifier{} - - - id-ce-issuerAltName - {rdnSequence, [#AttributeTypeAndValue'{}]} - - - id-ce-cRLNumber - integer() - - - id-ce-deltaCRLIndicator - integer() - - - id-ce-issuingDistributionPoint - #'IssuingDistributionPoint'{} - - - id-ce-freshestCRL - [#'Distributionpoint'{}] - - - CRL Extensions -
- -

Here, the data type 'IssuingDistributionPoint' is represented as - the following Erlang record:

- - -#'IssuingDistributionPoint'{ - distributionPoint, % {fullName, [general_name()]} | {nameRelativeToCRLIssuer, - [#AttributeTypeAndValue'{}]} - onlyContainsUserCerts, % boolean() - onlyContainsCACerts, % boolean() - onlySomeReasons, % [dist_reason()] - indirectCRL, % boolean() - onlyContainsAttributeCerts % boolean() - }). -
- -
- - CRL Entry Extensions - -

The CRL entry extensions OID name atoms and their corresponding value types are as follows:

- - - - OID Name - Value Type - - - id-ce-cRLReason - crl_reason() - - - id-ce-holdInstructionCode - oid() - - - id-ce-invalidityDate - general_time() - - - id-ce-certificateIssuer - general_name() - - CRL Entry Extensions -
- - -

Here:

- - crl_reason() - =

unspecifiedc>

-

| keyCompromise

-

| cACompromise

-

| affiliationChanged

-

| superseded

-

| cessationOfOperation

-

| certificateHold

-

| removeFromCRL

-

| privilegeWithdrawn

-

| aACompromise

-
-
- -
- -
- - PKCS#10 Certification Request -

Erlang representation of a PKCS#10 certification request - derived from ASN.1 specifications and RFC 5280 are as follows:

- -#'CertificationRequest'{ - certificationRequestInfo #'CertificationRequestInfo'{}, - signatureAlgorithm #'CertificationRequest_signatureAlgorithm'{}}. - signature bitstring() - } - -#'CertificationRequestInfo'{ - version atom(), - subject {rdnSequence, [#AttributeTypeAndValue'{}]} , - subjectPKInfo #'CertificationRequestInfo_subjectPKInfo'{}, - attributes [#'AttributePKCS-10' {}] - } - -#'CertificationRequestInfo_subjectPKInfo'{ - algorithm #'CertificationRequestInfo_subjectPKInfo_algorithm'{} - subjectPublicKey bitstring() - } - -#'CertificationRequestInfo_subjectPKInfo_algorithm'{ - algorithm = oid(), - parameters = der_encoded() -} - -#'CertificationRequest_signatureAlgorithm'{ - algorithm = oid(), - parameters = der_encoded() - } - -#'AttributePKCS-10'{ - type = oid(), - values = [der_encoded()] -} -
- -
-
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml index ddaa8c2530..3d5c135075 100644 --- a/lib/public_key/doc/src/public_key.xml +++ b/lib/public_key/doc/src/public_key.xml @@ -73,8 +73,7 @@ are generated from ASN.1 specifications and are documented in the User's Guide. See Public-key Records and X.509 Certificate Records. + marker="public_key_records">Public-key Records.

Use the following include directive to get access to the diff --git a/lib/public_key/doc/src/public_key_records.xml b/lib/public_key/doc/src/public_key_records.xml deleted file mode 100644 index 24f5faf38e..0000000000 --- a/lib/public_key/doc/src/public_key_records.xml +++ /dev/null @@ -1,155 +0,0 @@ - - - - -

- - 2008 - 2014 - Ericsson AB, All Rights Reserved - - - The contents of this file are subject to the Erlang Public License, - Version 1.1, (the "License"); you may not use this file except in - compliance with the License. You should have received a copy of the - Erlang Public License along with this software. If not, it can be - retrieved online at http://www.erlang.org/. - - Software distributed under the License is distributed on an "AS IS" - basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See - the License for the specific language governing rights and limitations - under the License. - - The Initial Developer of the Original Code is Ericsson AB. - - - Public-Key Records - Ingela Anderton Andin - - - - - 2008-02-06 - A - public_key_records.xml -
- -

This section briefly describes Erlang records derived from ASN.1 - specifications used to handle public and private keys. - The scope is to describe the data types of each component, - not the semantics. For information on the - semantics, refer to the relevant standards and RFCs.

- -

Use the following include directive to get access to the - records and constant macros described in the following sections:

- - -include_lib("public_key/include/public_key.hrl"). - -
- Common Data Types - -

Common non-standard Erlang - data types used to describe the record fields in the - following sections are defined in the public_key Reference Manual.

-
- -
- The RSA According to PKCS-1 and RFC 3447 -

RSA as defined by the PKCS-1 standard and - RFC 3447 follows:

- - -#'RSAPublicKey'{ - modulus, % integer() - publicExponent % integer() - }. - -#'RSAPrivateKey'{ - version, % two-prime | multi - modulus, % integer() - publicExponent, % integer() - privateExponent, % integer() - prime1, % integer() - prime2, % integer() - exponent1, % integer() - exponent2, % integer() - coefficient, % integer() - otherPrimeInfos % [#OtherPrimeInfo{}] | asn1_NOVALUE - }. - -#'OtherPrimeInfo'{ - prime, % integer() - exponent, % integer() - coefficient % integer() - }. - -
- -
- DSA According to DSS -

The DSA as defined by the - - Digital Signature Standard (DSS), NIST FIPS PUB 186-2 follows:

- - -#'DSAPrivateKey',{ - version, % integer() - p, % integer() - q, % integer() - g, % integer() - y, % integer() - x % integer() - }. - -#'Dss-Parms',{ - p, % integer() - q, % integer() - g % integer() - }. -
- -
- ECC According to RFC 5480 -

The Elliptic Curve (ECC) as defined by - RFC 5480 follows:

- - -#'ECPrivateKey'{ - version, % integer() - privateKey, % binary() - parameters, % der_encoded() - {'EcpkParameters', #'ECParameters'{}} | - {'EcpkParameters', {namedCurve, oid()}} | - {'EcpkParameters', 'NULL'} % Inherited by CA - publicKey % bitstring() - }. - -#'ECParameters'{ - version, % integer() - fieldID, % #'FieldID'{} - curve, % #'Curve'{} - base, % binary() - order, % integer() - cofactor % integer() - }. - -#'Curve'{ - a, % binary() - b, % binary() - seed % bitstring() - optional - - }. - -#'FieldID'{ - fieldType, % oid() - parameters % Depending on fieldType - }. - -#'ECPoint'{ - point % binary() - the public key - }. - - -
- - diff --git a/lib/public_key/doc/src/records.xml b/lib/public_key/doc/src/records.xml index 75265791af..ac1ecd176c 100644 --- a/lib/public_key/doc/src/records.xml +++ b/lib/public_key/doc/src/records.xml @@ -1,7 +1,7 @@ - + - +
2008 @@ -23,25 +23,808 @@ The Initial Developer of the Original Code is Ericsson AB. - Records - Tommy MÃ¥nevik + Public-Key Records + Ingela Anderton Andin + - 2015-04-01 - - records.xml + + + 2008-02-06 + A + public_key_records.xml
- -

This section describes Erlang records derived from ASN.1 specifications, - used to handle the following: -

- - Public and private keys - X509 certificates and CertificationRequest - -
+ +

This chapter briefly describes Erlang records derived from ASN.1 + specifications used to handle public key infrastructure. + The scope is to describe the data types of each component, + not the semantics. For information on the + semantics, refer to the relevant standards and RFCs linked in the sections below.

+ +

Use the following include directive to get access to the + records and constant macros described in the following sections:

+ + -include_lib("public_key/include/public_key.hrl"). + +
+ Data Types + +

Common non-standard Erlang + data types used to describe the record fields in the + following sections and which are not defined in the public_key Reference Manual + follows here:

+ + + time() +

= uct_time() | general_time()

+ + uct_time() +

= {utcTime, "YYMMDDHHMMSSZ"}

+ + general_time() +

= {generalTime, "YYYYMMDDHHMMSSZ"}

+ + general_name() + =

{rfc822Name, string()}

+

| {dNSName, string()}

+

| {x400Address, string()}

+

| {directoryName, {rdnSequence, [#AttributeTypeAndValue'{}]}}

+

| {eidPartyName, special_string()}

+

| {eidPartyName, special_string(), special_string()}

+

| {uniformResourceIdentifier, string()}

+

| {ipAddress, string()}

+

| {registeredId, oid()}

+

| {otherName, term()}

+
+ + special_string() + =

{teletexString, string()}

+

| {printableString, string()}

+

| {universalString, string()}

+

| {utf8String, binary()}

+

| {bmpString, string()}

+
+ + dist_reason() + =

unused

+

| keyCompromise

+

| cACompromise

+

| affiliationChanged

+

| superseded

+

| cessationOfOperation

+

| certificateHold

+

| privilegeWithdrawn

+

| aACompromise

+
+
+ +
+ +
+ RSA +

Erlang representation of + Rivest-Shamir-Adleman cryptosystem (RSA) keys follows:

+ + +#'RSAPublicKey'{ + modulus, % integer() + publicExponent % integer() + }. + +#'RSAPrivateKey'{ + version, % two-prime | multi + modulus, % integer() + publicExponent, % integer() + privateExponent, % integer() + prime1, % integer() + prime2, % integer() + exponent1, % integer() + exponent2, % integer() + coefficient, % integer() + otherPrimeInfos % [#OtherPrimeInfo{}] | asn1_NOVALUE + }. + +#'OtherPrimeInfo'{ + prime, % integer() + exponent, % integer() + coefficient % integer() + }. + +
+ +
+ DSA +

Erlang representation of Digigital Signature Algorithm (DSA) keys

+ +#'DSAPrivateKey',{ + version, % integer() + p, % integer() + q, % integer() + g, % integer() + y, % integer() + x % integer() + }. + +#'Dss-Parms',{ + p, % integer() + q, % integer() + g % integer() + }. + +
+ +
+ ECDSA +

Erlang representation of Elliptic Curve Digital Signature Algorithm (ECDSA) keys follows:

+ + +#'ECPrivateKey'{ + version, % integer() + privateKey, % octet_string() + parameters, % der_encoded() - {'EcpkParameters', #'ECParameters'{}} | + {'EcpkParameters', {namedCurve, oid()}} | + {'EcpkParameters', 'NULL'} % Inherited by CA + publicKey % bitstring() + }. + +#'ECParameters'{ + version, % integer() + fieldID, % #'FieldID'{} + curve, % #'Curve'{} + base, % octet_string() + order, % integer() + cofactor % integer() + }. + +#'Curve'{ + a, % octet_string() + b, % octet_string() + seed % bitstring() - optional + + }. + +#'FieldID'{ + fieldType, % oid() + parameters % Depending on fieldType + }. + +#'ECPoint'{ + point % octet_string() - the public key + }. +
+ +
+ PKIX Certificates +

Erlang representation of PKIX certificates derived from ASN.1 + specifications see also X509 certificates (RFC 5280) are as follows:

+ +#'Certificate'{ + tbsCertificate, % #'TBSCertificate'{} + signatureAlgorithm, % #'AlgorithmIdentifier'{} + signature % {0, binary()} - ASN1 compact bitstring + }. + +#'TBSCertificate'{ + version, % v1 | v2 | v3 + serialNumber, % integer() + signature, % #'AlgorithmIdentifier'{} + issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} + validity, % #'Validity'{} + subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} + subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{} + issuerUniqueID, % binary() | asn1_novalue + subjectUniqueID, % binary() | asn1_novalue + extensions % [#'Extension'{}] + }. + +#'AlgorithmIdentifier'{ + algorithm, % oid() + parameters % der_encoded() + }. + + +#'OTPCertificate'{ + tbsCertificate, % #'OTPTBSCertificate'{} + signatureAlgorithm, % #'SignatureAlgorithm' + signature % {0, binary()} - ASN1 compact bitstring + }. + +#'OTPTBSCertificate'{ + version, % v1 | v2 | v3 + serialNumber, % integer() + signature, % #'SignatureAlgorithm' + issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} + validity, % #'Validity'{} + subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} + subjectPublicKeyInfo, % #'OTPSubjectPublicKeyInfo'{} + issuerUniqueID, % binary() | asn1_novalue + subjectUniqueID, % binary() | asn1_novalue + extensions % [#'Extension'{}] + }. + +#'SignatureAlgorithm'{ + algorithm, % id_signature_algorithm() + parameters % asn1_novalue | #'Dss-Parms'{} + }. + +

Here, id_signature_algorithm() = ?OID name, for available OID names, for example +?id-dsa-with-sha1. That is, by prepending "?" to the OID name, represented as an Erlang atom.

+

The available OID names are as follows:

+ + + OID Name + + + id-dsa-with-sha1 + + + id-dsaWithSHA1 (ISO or OID to above) + + + md2WithRSAEncryption + + + md5WithRSAEncryption + + + sha1WithRSAEncryption + + + sha-1WithRSAEncryption (ISO or OID to above) + + + sha224WithRSAEncryption + + + sha256WithRSAEncryption + + + sha512WithRSAEncryption + + + ecdsa-with-SHA1 + + Signature Algorithm OIDs +
+ +

The data type 'AttributeTypeAndValue', is represented as + the following erlang record:

+ + +#'AttributeTypeAndValue'{ + type, % id_attributes() + value % term() + }. + +

The attribute OID name atoms and their corresponding value types +are as follows:

+ + + OID Name + Value Type + + + id-at-name + special_string() + + + id-at-surname + special_string() + + + id-at-givenName + special_string() + + + id-at-initials + special_string() + + + id-at-generationQualifier + special_string() + + + id-at-commonName + special_string() + + + id-at-localityName + special_string() + + + id-at-stateOrProvinceName + special_string() + + + id-at-organizationName + special_string() + + + id-at-title + special_string() + + + id-at-dnQualifier + {printableString, string()} + + + id-at-countryName + {printableString, string()} + + + id-at-serialNumber + {printableString, string()} + + + id-at-pseudonym + special_string() + + Attribute OIDs +
+ +

The data types 'Validity', 'SubjectPublicKeyInfo', and +'SubjectPublicKeyInfoAlgorithm' are represented as the following Erlang records:

+ + +#'Validity'{ + notBefore, % time() + notAfter % time() + }. + +#'SubjectPublicKeyInfo'{ + algorithm, % #AlgorithmIdentifier{} + subjectPublicKey % binary() + }. + +#'SubjectPublicKeyInfoAlgorithm'{ + algorithm, % id_public_key_algorithm() + parameters % public_key_params() + }. + +

The public-key algorithm OID name atoms are as follows:

+ + + OID Name + + + rsaEncryption + + + id-dsa + + + dhpublicnumber + + + id-keyExchangeAlgorithm + + + id-ecPublicKey + + Public-Key Algorithm OIDs +
+ + +#'Extension'{ + extnID, % id_extensions() | oid() + critical, % boolean() + extnValue % der_encoded() + }. + +

id_extensions() + Standard Certificate Extensions, + Private Internet Extensions, + CRL Extensions and + CRL Entry Extensions. +

+ +
+ +
+ + Standard Certificate Extensions + +

The standard certificate extensions OID name atoms and their + corresponding value types are as follows:

+ + + + OID Name + Value Type + + + id-ce-authorityKeyIdentifier + #'AuthorityKeyIdentifier'{} + + + id-ce-subjectKeyIdentifier + oid() + + + id-ce-keyUsage + [key_usage()] + + + id-ce-privateKeyUsagePeriod + #'PrivateKeyUsagePeriod'{} + + + id-ce-certificatePolicies + #'PolicyInformation'{} + + + + id-ce-policyMappings + #'PolicyMappings_SEQOF'{} + + + + id-ce-subjectAltName + general_name() + + + + id-ce-issuerAltName + general_name() + + + + id-ce-subjectDirectoryAttributes + [#'Attribute'{}] + + + + id-ce-basicConstraints + #'BasicConstraints'{} + + + id-ce-nameConstraints + #'NameConstraints'{} + + + id-ce-policyConstraints + #'PolicyConstraints'{} + + + id-ce-extKeyUsage + [id_key_purpose()] + + + + id-ce-cRLDistributionPoints + [#'DistributionPoint'{}] + + + + id-ce-inhibitAnyPolicy + integer() + + + + id-ce-freshestCRL + [#'DistributionPoint'{}] + + + + Standard Certificate Extensions +
+ +

Here:

+ + key_usage() + =

digitalSignature

+

| nonRepudiation

+

| keyEncipherment

+

| dataEncipherment

+

| keyAgreement

+

| keyCertSign

+

| cRLSign

+

| encipherOnly

+

| decipherOnly

+
+
+ +

And for id_key_purpose():

+ + + + OID Name + + + id-kp-serverAuth + + + id-kp-clientAuth + + + id-kp-codeSigning + + + id-kp-emailProtection + + + id-kp-timeStamping + + + id-kp-OCSPSigning + + Key Purpose OIDs +
+ + +#'AuthorityKeyIdentifier'{ + keyIdentifier, % oid() + authorityCertIssuer, % general_name() + authorityCertSerialNumber % integer() + }. + +#'PrivateKeyUsagePeriod'{ + notBefore, % general_time() + notAfter % general_time() + }. + +#'PolicyInformation'{ + policyIdentifier, % oid() + policyQualifiers % [#PolicyQualifierInfo{}] + }. + +#'PolicyQualifierInfo'{ + policyQualifierId, % oid() + qualifier % string() | #'UserNotice'{} + }. + +#'UserNotice'{ + noticeRef, % #'NoticeReference'{} + explicitText % string() + }. + +#'NoticeReference'{ + organization, % string() + noticeNumbers % [integer()] + }. + +#'PolicyMappings_SEQOF'{ + issuerDomainPolicy, % oid() + subjectDomainPolicy % oid() + }. + +#'Attribute'{ + type, % oid() + values % [der_encoded()] + }). + +#'BasicConstraints'{ + cA, % boolean() + pathLenConstraint % integer() + }). + +#'NameConstraints'{ + permittedSubtrees, % [#'GeneralSubtree'{}] + excludedSubtrees % [#'GeneralSubtree'{}] + }). + +#'GeneralSubtree'{ + base, % general_name() + minimum, % integer() + maximum % integer() + }). + +#'PolicyConstraints'{ + requireExplicitPolicy, % integer() + inhibitPolicyMapping % integer() + }). + +#'DistributionPoint'{ + distributionPoint, % {fullName, [general_name()]} | {nameRelativeToCRLIssuer, + [#AttributeTypeAndValue{}]} + reasons, % [dist_reason()] + cRLIssuer % [general_name()] + }). + +
+ +
+ + Private Internet Extensions + +

The private internet extensions OID name atoms and their corresponding value + types are as follows:

+ + + + OID Name + Value Type + + + id-pe-authorityInfoAccess + [#'AccessDescription'{}] + + + id-pe-subjectInfoAccess + [#'AccessDescription'{}] + + Private Internet Extensions +
+ + +#'AccessDescription'{ + accessMethod, % oid() + accessLocation % general_name() + }). + +
- - +
+ CRL and CRL Extensions Profile + +

Erlang representation of CRL and CRL extensions profile + derived from ASN.1 specifications and RFC 5280 are as follows:

+ + +#'CertificateList'{ + tbsCertList, % #'TBSCertList{} + signatureAlgorithm, % #'AlgorithmIdentifier'{} + signature % {0, binary()} - ASN1 compact bitstring + }). + +#'TBSCertList'{ + version, % v2 (if defined) + signature, % #AlgorithmIdentifier{} + issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} + thisUpdate, % time() + nextUpdate, % time() + revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}] + crlExtensions % [#'Extension'{}] + }). + +#'TBSCertList_revokedCertificates_SEQOF'{ + userCertificate, % integer() + revocationDate, % timer() + crlEntryExtensions % [#'Extension'{}] + }). - +
+ + CRL Extensions + +

The CRL extensions OID name atoms and their corresponding value types are as follows:

+ + + + + OID Name + Value Type + + + id-ce-authorityKeyIdentifier + #'AuthorityKeyIdentifier{} + + + id-ce-issuerAltName + {rdnSequence, [#AttributeTypeAndValue'{}]} + + + id-ce-cRLNumber + integer() + + + id-ce-deltaCRLIndicator + integer() + + + id-ce-issuingDistributionPoint + #'IssuingDistributionPoint'{} + + + id-ce-freshestCRL + [#'Distributionpoint'{}] + + + CRL Extensions +
+ +

Here, the data type 'IssuingDistributionPoint' is represented as + the following Erlang record:

+ + +#'IssuingDistributionPoint'{ + distributionPoint, % {fullName, [general_name()]} | {nameRelativeToCRLIssuer, + [#AttributeTypeAndValue'{}]} + onlyContainsUserCerts, % boolean() + onlyContainsCACerts, % boolean() + onlySomeReasons, % [dist_reason()] + indirectCRL, % boolean() + onlyContainsAttributeCerts % boolean() + }). +
+ +
+ + CRL Entry Extensions + +

The CRL entry extensions OID name atoms and their corresponding value types are as follows:

+ + + + OID Name + Value Type + + + id-ce-cRLReason + crl_reason() + + + id-ce-holdInstructionCode + oid() + + + id-ce-invalidityDate + general_time() + + + id-ce-certificateIssuer + general_name() + + CRL Entry Extensions +
+ + +

Here:

+ + crl_reason() + =

unspecifiedc>

+

| keyCompromise

+

| cACompromise

+

| affiliationChanged

+

| superseded

+

| cessationOfOperation

+

| certificateHold

+

| removeFromCRL

+

| privilegeWithdrawn

+

| aACompromise

+
+
+ +
+ +
+ + PKCS#10 Certification Request +

Erlang representation of a PKCS#10 certification request + derived from ASN.1 specifications and RFC 5280 are as follows:

+ +#'CertificationRequest'{ + certificationRequestInfo #'CertificationRequestInfo'{}, + signatureAlgorithm #'CertificationRequest_signatureAlgorithm'{}}. + signature {0, binary()} - ASN1 compact bitstring + } + +#'CertificationRequestInfo'{ + version atom(), + subject {rdnSequence, [#AttributeTypeAndValue'{}]} , + subjectPKInfo #'CertificationRequestInfo_subjectPKInfo'{}, + attributes [#'AttributePKCS-10' {}] + } + +#'CertificationRequestInfo_subjectPKInfo'{ + algorithm #'CertificationRequestInfo_subjectPKInfo_algorithm'{} + subjectPublicKey {0, binary()} - ASN1 compact bitstring + } + +#'CertificationRequestInfo_subjectPKInfo_algorithm'{ + algorithm = oid(), + parameters = der_encoded() +} + +#'CertificationRequest_signatureAlgorithm'{ + algorithm = oid(), + parameters = der_encoded() + } +#'AttributePKCS-10'{ + type = oid(), + values = [der_encoded()] +} +
+
+
-- cgit v1.2.3