2008 2014 Ericsson AB, All Rights Reserved The contents of this file are subject to the Erlang Public License, Version 1.1, (the "License"); you may not use this file except in compliance with the License. You should have received a copy of the Erlang Public License along with this software. If not, it can be retrieved online at http://www.erlang.org/. Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License. The Initial Developer of the Original Code is Ericsson AB. Certificate Records Ingela Anderton Andin 2008-02-06 A cert_records.xml

This section briefly describes Erlang records derived from ASN.1 specifications used to handle X509 certificates and CertificationRequest. The scope is to describe the data types of each component, not the semantics. For information on the semantics, refer to RFC 5280 and PKCS-10.

Use the following include directive to get access to the records and constant macros (OIDs) described in the following sections:

-include_lib("public_key/include/public_key.hrl").

The used ASN.1 specifications are available in the asn1 subdirectory of the public_key application.

Common Data Types

Common non-standard Erlang data types used to describe the record fields in the following sections are defined in the public_key Reference Manual, or follows here:

time()

= uct_time() | general_time()

 uct_time()

= {utcTime, "YYMMDDHHMMSSZ"}

 general_time()

= {generalTime, "YYYYMMDDHHMMSSZ"}

 general_name() =

{rfc822Name, string()}

| {dNSName, string()}

| {x400Address, string()}

| {directoryName, {rdnSequence, [#AttributeTypeAndValue'{}]}}

| {eidPartyName, special_string()}

| {eidPartyName, special_string(), special_string()}

| {uniformResourceIdentifier, string()}

| {ipAddress, string()}

| {registeredId, oid()}

| {otherName, term()}

 special_string() =

{teletexString, string()}

| {printableString, string()}

| {universalString, string()}

| {utf8String, binary()}

| {bmpString, string()}

 dist_reason() =

unused

| keyCompromise

| cACompromise

| affiliationChanged

| superseded

| cessationOfOperation

| certificateHold

| privilegeWithdrawn

| aACompromise
PKIX Certificates

Erlang representation of PKIX certificates derived from ASN.1 specifications and RFC 5280 are as follows:

#'Certificate'{ tbsCertificate, % #'TBSCertificate'{} signatureAlgorithm, % #'AlgorithmIdentifier'{} signature % bitstring() }. #'TBSCertificate'{ version, % v1 | v2 | v3 serialNumber, % integer() signature, % #'AlgorithmIdentifier'{} issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} validity, % #'Validity'{} subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{} issuerUniqueID, % binary() | asn1_novalue subjectUniqueID, % binary() | asn1_novalue extensions % [#'Extension'{}] }. #'AlgorithmIdentifier'{ algorithm, % oid() parameters % der_encoded() }. #'OTPCertificate'{ tbsCertificate, % #'OTPTBSCertificate'{} signatureAlgorithm, % #'SignatureAlgorithm' signature % bitstring() }. #'OTPTBSCertificate'{ version, % v1 | v2 | v3 serialNumber, % integer() signature, % #'SignatureAlgorithm' issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} validity, % #'Validity'{} subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} subjectPublicKeyInfo, % #'OTPSubjectPublicKeyInfo'{} issuerUniqueID, % binary() | asn1_novalue subjectUniqueID, % binary() | asn1_novalue extensions % [#'Extension'{}] }. #'SignatureAlgorithm'{ algorithm, % id_signature_algorithm() parameters % asn1_novalue | #'Dss-Parms'{} }.

Here, id_signature_algorithm() = ?OID name, for available OID names, for example ?id-dsa-with-sha1. That is, by prepending "?" to the OID name, represented as an Erlang atom.

The available OID names are as follows:

OID Name id-dsa-with-sha1 id-dsaWithSHA1 (ISO or OID to above) md2WithRSAEncryption md5WithRSAEncryption sha1WithRSAEncryption sha-1WithRSAEncryption (ISO or OID to above) sha224WithRSAEncryption sha256WithRSAEncryption sha512WithRSAEncryption ecdsa-with-SHA1 Signature Algorithm OIDs

The data type 'AttributeTypeAndValue', is represented as the following erlang record:

#'AttributeTypeAndValue'{ type, % id_attributes() value % term() }.

The attribute OID name atoms and their corresponding value types are as follows:

OID Name Value Type id-at-name special_string() id-at-surname special_string() id-at-givenName special_string() id-at-initials special_string() id-at-generationQualifier special_string() id-at-commonName special_string() id-at-localityName special_string() id-at-stateOrProvinceName special_string() id-at-organizationName special_string() id-at-title special_string() id-at-dnQualifier {printableString, string()} id-at-countryName {printableString, string()} id-at-serialNumber {printableString, string()} id-at-pseudonym special_string() Attribute OIDs

The data types 'Validity', 'SubjectPublicKeyInfo', and 'SubjectPublicKeyInfoAlgorithm' are represented as the following Erlang records:

#'Validity'{ notBefore, % time() notAfter % time() }. #'SubjectPublicKeyInfo'{ algorithm, % #AlgorithmIdentifier{} subjectPublicKey % binary() }. #'SubjectPublicKeyInfoAlgorithm'{ algorithm, % id_public_key_algorithm() parameters % public_key_params() }.

The public-key algorithm OID name atoms are as follows:

OID Name rsaEncryption id-dsa dhpublicnumber id-keyExchangeAlgorithm id-ecPublicKey Public-Key Algorithm OIDs
#'Extension'{ extnID, % id_extensions() | oid() critical, % boolean() extnValue % der_encoded() }.

id_extensions() Standard Certificate Extensions, Private Internet Extensions, CRL Extensions and CRL Entry Extensions.

Standard Certificate Extensions

The standard certificate extensions OID name atoms and their corresponding value types are as follows:

OID Name Value Type id-ce-authorityKeyIdentifier #'AuthorityKeyIdentifier'{} id-ce-subjectKeyIdentifier oid() id-ce-keyUsage [key_usage()] id-ce-privateKeyUsagePeriod #'PrivateKeyUsagePeriod'{} id-ce-certificatePolicies #'PolicyInformation'{} id-ce-policyMappings #'PolicyMappings_SEQOF'{} id-ce-subjectAltName general_name() id-ce-issuerAltName general_name() id-ce-subjectDirectoryAttributes [#'Attribute'{}] id-ce-basicConstraints #'BasicConstraints'{} id-ce-nameConstraints #'NameConstraints'{} id-ce-policyConstraints #'PolicyConstraints'{} id-ce-extKeyUsage [id_key_purpose()] id-ce-cRLDistributionPoints [#'DistributionPoint'{}] id-ce-inhibitAnyPolicy integer() id-ce-freshestCRL [#'DistributionPoint'{}] Standard Certificate Extensions

Here:

key_usage() =

digitalSignature

| nonRepudiation

| keyEncipherment

| dataEncipherment

| keyAgreement

| keyCertSign

| cRLSign

| encipherOnly

| decipherOnly

And for id_key_purpose():

OID Name id-kp-serverAuth id-kp-clientAuth id-kp-codeSigning id-kp-emailProtection id-kp-timeStamping id-kp-OCSPSigning Key Purpose OIDs
#'AuthorityKeyIdentifier'{ keyIdentifier, % oid() authorityCertIssuer, % general_name() authorityCertSerialNumber % integer() }. #'PrivateKeyUsagePeriod'{ notBefore, % general_time() notAfter % general_time() }. #'PolicyInformation'{ policyIdentifier, % oid() policyQualifiers % [#PolicyQualifierInfo{}] }. #'PolicyQualifierInfo'{ policyQualifierId, % oid() qualifier % string() | #'UserNotice'{} }. #'UserNotice'{ noticeRef, % #'NoticeReference'{} explicitText % string() }. #'NoticeReference'{ organization, % string() noticeNumbers % [integer()] }. #'PolicyMappings_SEQOF'{ issuerDomainPolicy, % oid() subjectDomainPolicy % oid() }. #'Attribute'{ type, % oid() values % [der_encoded()] }). #'BasicConstraints'{ cA, % boolean() pathLenConstraint % integer() }). #'NameConstraints'{ permittedSubtrees, % [#'GeneralSubtree'{}] excludedSubtrees % [#'GeneralSubtree'{}] }). #'GeneralSubtree'{ base, % general_name() minimum, % integer() maximum % integer() }). #'PolicyConstraints'{ requireExplicitPolicy, % integer() inhibitPolicyMapping % integer() }). #'DistributionPoint'{ distributionPoint, % {fullName, [general_name()]} | {nameRelativeToCRLIssuer, [#AttributeTypeAndValue{}]} reasons, % [dist_reason()] cRLIssuer % [general_name()] }).
Private Internet Extensions

The private internet extensions OID name atoms and their corresponding value types are as follows:

OID Name Value Type id-pe-authorityInfoAccess [#'AccessDescription'{}] id-pe-subjectInfoAccess [#'AccessDescription'{}] Private Internet Extensions
#'AccessDescription'{ accessMethod, % oid() accessLocation % general_name() }).
CRL and CRL Extensions Profile

Erlang representation of CRL and CRL extensions profile derived from ASN.1 specifications and RFC 5280 are as follows:

#'CertificateList'{ tbsCertList, % #'TBSCertList{} signatureAlgorithm, % #'AlgorithmIdentifier'{} signature % bitstring() }). #'TBSCertList'{ version, % v2 (if defined) signature, % #AlgorithmIdentifier{} issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} thisUpdate, % time() nextUpdate, % time() revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}] crlExtensions % [#'Extension'{}] }). #'TBSCertList_revokedCertificates_SEQOF'{ userCertificate, % integer() revocationDate, % timer() crlEntryExtensions % [#'Extension'{}] }).
CRL Extensions

The CRL extensions OID name atoms and their corresponding value types are as follows:

OID Name Value Type id-ce-authorityKeyIdentifier #'AuthorityKeyIdentifier{} id-ce-issuerAltName {rdnSequence, [#AttributeTypeAndValue'{}]} id-ce-cRLNumber integer() id-ce-deltaCRLIndicator integer() id-ce-issuingDistributionPoint #'IssuingDistributionPoint'{} id-ce-freshestCRL [#'Distributionpoint'{}] CRL Extensions

Here, the data type 'IssuingDistributionPoint' is represented as the following Erlang record:

#'IssuingDistributionPoint'{ distributionPoint, % {fullName, [general_name()]} | {nameRelativeToCRLIssuer, [#AttributeTypeAndValue'{}]} onlyContainsUserCerts, % boolean() onlyContainsCACerts, % boolean() onlySomeReasons, % [dist_reason()] indirectCRL, % boolean() onlyContainsAttributeCerts % boolean() }).
CRL Entry Extensions

The CRL entry extensions OID name atoms and their corresponding value types are as follows:

OID Name Value Type id-ce-cRLReason crl_reason() id-ce-holdInstructionCode oid() id-ce-invalidityDate general_time() id-ce-certificateIssuer general_name() CRL Entry Extensions

Here:

crl_reason() =

unspecifiedc>

| keyCompromise

| cACompromise

| affiliationChanged

| superseded

| cessationOfOperation

| certificateHold

| removeFromCRL

| privilegeWithdrawn

| aACompromise
PKCS#10 Certification Request

Erlang representation of a PKCS#10 certification request derived from ASN.1 specifications and RFC 5280 are as follows:

#'CertificationRequest'{ certificationRequestInfo #'CertificationRequestInfo'{}, signatureAlgorithm #'CertificationRequest_signatureAlgorithm'{}}. signature bitstring() } #'CertificationRequestInfo'{ version atom(), subject {rdnSequence, [#AttributeTypeAndValue'{}]} , subjectPKInfo #'CertificationRequestInfo_subjectPKInfo'{}, attributes [#'AttributePKCS-10' {}] } #'CertificationRequestInfo_subjectPKInfo'{ algorithm #'CertificationRequestInfo_subjectPKInfo_algorithm'{} subjectPublicKey bitstring() } #'CertificationRequestInfo_subjectPKInfo_algorithm'{ algorithm = oid(), parameters = der_encoded() } #'CertificationRequest_signatureAlgorithm'{ algorithm = oid(), parameters = der_encoded() } #'AttributePKCS-10'{ type = oid(), values = [der_encoded()] }