2008 2011 Ericsson AB, All Rights Reserved The contents of this file are subject to the Erlang Public License, Version 1.1, (the "License"); you may not use this file except in compliance with the License. You should have received a copy of the Erlang Public License along with this software. If not, it can be retrieved online at http://www.erlang.org/. Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License. The Initial Developer of the Original Code is Ericsson AB. Certificate records Ingela Anderton Andin 2008-02-06 A cert_records.xml

This chapter briefly describes erlang records derived from asn1 specifications used to handle X509 certificates. The intent is to describe the data types and not to specify the meaning of each component for this we refer you to RFC 5280.

Use the following include directive to get access to the records and constant macros (OIDs) described in the following sections.

-include_lib("public_key/include/public_key.hrl").

The used asn1 specifications are available asn1 subdirectory of the application public_key.

Common Data Types

Common non standard erlang data types used to described the record fields in the below sections are defined in public key reference manual or follows here.

oid() - a tuple of integers as generated by the asn1 compiler.

time() = uct_time() | general_time()

uct_time() = {utcTime, "YYMMDDHHMMSSZ"}

general_time() = {generalTime, "YYYYMMDDHHMMSSZ"}

general_name() = {rfc822Name, string()} | {dNSName, string()} | {x400Address, string()} | {directoryName, {rdnSequence, [#AttributeTypeAndValue'{}]}} | | {eidPartyName, special_string()} | {eidPartyName, special_string(), special_string()} | {uniformResourceIdentifier, string()} | {ipAddress, string()} | {registeredId, oid()} | {otherName, term()}

special_string() = {teletexString, string()} | {printableString, string()} | {universalString, string()} | {utf8String, string()} | {bmpString, string()}

dist_reason() = unused | keyCompromise | cACompromise | affiliationChanged | superseded | cessationOfOperation | certificateHold | privilegeWithdrawn | aACompromise

PKIX Certificates #'Certificate'{ tbsCertificate, % #'TBSCertificate'{} signatureAlgorithm, % #'AlgorithmIdentifier'{} signature % {0, binary()} - asn1 compact bitstring }. #'TBSCertificate'{ version, % v1 | v2 | v3 serialNumber, % integer() signature, % #'AlgorithmIdentifier'{} issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} validity, % #'Validity'{} subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{} issuerUniqueID, % binary() | asn1_novalue subjectUniqueID, % binary() | asn1_novalue extensions % [#'Extension'{}] }. #'AlgorithmIdentifier'{ algorithm, % oid() parameters % asn1_der_encoded() }. #'OTPCertificate'{ tbsCertificate, % #'OTPTBSCertificate'{} signatureAlgorithm, % #'SignatureAlgorithm' signature % {0, binary()} - asn1 compact bitstring }. #'OTPTBSCertificate'{ version, % v1 | v2 | v3 serialNumber, % integer() signature, % #'SignatureAlgorithm' issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} validity, % #'Validity'{} subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{} issuerUniqueID, % binary() | asn1_novalue subjectUniqueID, % binary() | asn1_novalue extensions % [#'Extension'{}] }. #'SignatureAlgorithm'{ algorithm, % id_signature_algorithm() parameters % asn1_novalue | #'Dss-Parms'{} }.

id_signature_algorithm() = ?oid_name_as_erlang_atom for available oid names see table below. Ex: ?'id-dsa-with-sha1'

OID name id-dsa-with-sha1 md2WithRSAEncryption md5WithRSAEncryption sha1WithRSAEncryption ecdsa-with-SHA1 Signature algorithm oids
#'AttributeTypeAndValue'{ type, % id_attributes() value % term() }.

id_attributes()

OID name Value type id-at-name special_string() id-at-surname special_string() id-at-givenName special_string() id-at-initials special_string() id-at-generationQualifier special_string() id-at-commonName special_string() id-at-localityName special_string() id-at-stateOrProvinceName special_string() id-at-organizationName special_string() id-at-title special_string() id-at-dnQualifier {printableString, string()} id-at-countryName {printableString, string()} id-at-serialNumber {printableString, string()} id-at-pseudonym special_string() Attribute oids
#'Validity'{ notBefore, % time() notAfter % time() }. #'SubjectPublicKeyInfo'{ algorithm, % #AlgorithmIdentifier{} subjectPublicKey % binary() }. #'SubjectPublicKeyInfoAlgorithm'{ algorithm, % id_public_key_algorithm() parameters % public_key_params() }.

id_public_key_algorithm()

OID name rsaEncryption id-dsa dhpublicnumber ecdsa-with-SHA1 id-keyExchangeAlgorithm Public key algorithm oids
#'Extension'{ extnID, % id_extensions() | oid() critical, % boolean() extnValue % asn1_der_encoded() }.

id_extensions() Standard Certificate Extensions, Private Internet Extensions, CRL Extensions and CRL Entry Extensions.

Standard certificate extensions OID name Value type id-ce-authorityKeyIdentifier #'AuthorityKeyIdentifier'{} id-ce-subjectKeyIdentifier oid() id-ce-keyUsage [key_usage()] id-ce-privateKeyUsagePeriod #'PrivateKeyUsagePeriod'{} id-ce-certificatePolicies #'PolicyInformation'{} id-ce-policyMappings #'PolicyMappings_SEQOF'{} id-ce-subjectAltName general_name() id-ce-issuerAltName general_name() id-ce-subjectDirectoryAttributes [#'Attribute'{}] id-ce-basicConstraints #'BasicConstraints'{} id-ce-nameConstraints #'NameConstraints'{} id-ce-policyConstraints #'PolicyConstraints'{} id-ce-extKeyUsage [id_key_purpose()] id-ce-cRLDistributionPoints #'DistributionPoint'{} id-ce-inhibitAnyPolicy integer() id-ce-freshestCRL [#'DistributionPoint'{}] Standard Certificate Extensions

key_usage() = digitalSignature | nonRepudiation | keyEncipherment| dataEncipherment | keyAgreement | keyCertSign | cRLSign | encipherOnly | decipherOnly

id_key_purpose()

OID name id-kp-serverAuth id-kp-clientAuth id-kp-codeSigning id-kp-emailProtection id-kp-timeStamping id-kp-OCSPSigning Key purpose oids
#'AuthorityKeyIdentifier'{ keyIdentifier, % oid() authorityCertIssuer, % general_name() authorityCertSerialNumber % integer() }. #'PrivateKeyUsagePeriod'{ notBefore, % general_time() notAfter % general_time() }. #'PolicyInformation'{ policyIdentifier, % oid() policyQualifiers % [#PolicyQualifierInfo{}] }. #'PolicyQualifierInfo'{ policyQualifierId, % oid() qualifier % string() | #'UserNotice'{} }. #'UserNotice'{ noticeRef, % #'NoticeReference'{} explicitText % string() }. #'NoticeReference'{ organization, % string() noticeNumbers % [integer()] }. #'PolicyMappings_SEQOF'{ issuerDomainPolicy, % oid() subjectDomainPolicy % oid() }. #'Attribute'{ type, % oid() values % [asn1_der_encoded()] }). #'BasicConstraints'{ cA, % boolean() pathLenConstraint % integer() }). #'NameConstraints'{ permittedSubtrees, % [#'GeneralSubtree'{}] excludedSubtrees % [#'GeneralSubtree'{}] }). #'GeneralSubtree'{ base, % general_name() minimum, % integer() maximum % integer() }). #'PolicyConstraints'{ requireExplicitPolicy, % integer() inhibitPolicyMapping % integer() }). #'DistributionPoint'{ distributionPoint, % general_name() | [#AttributeTypeAndValue{}] reasons, % [dist_reason()] cRLIssuer % general_name() }).
Private Internet Extensions OID name Value type id-pe-authorityInfoAccess [#'AccessDescription'{}] id-pe-subjectInfoAccess [#'AccessDescription'{}] Private Internet Extensions
#'AccessDescription'{ accessMethod, % oid() accessLocation % general_name() }).
CRL and CRL Extensions Profile #'CertificateList'{ tbsCertList, % #'TBSCertList{} signatureAlgorithm, % #'AlgorithmIdentifier'{} signature % {0, binary()} - asn1 compact bitstring }). #'TBSCertList'{ version, % v2 (if defined) signature, % #AlgorithmIdentifier{} issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} thisUpdate, % time() nextUpdate, % time() revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}] crlExtensions % [#'Extension'{}] }). #'TBSCertList_revokedCertificates_SEQOF'{ userCertificate, % integer() revocationDate, % timer() crlEntryExtensions % [#'Extension'{}] }).
CRL Extensions OID name Value type id-ce-authorityKeyIdentifier #'AuthorityKeyIdentifier{} id-ce-issuerAltName {rdnSequence, [#AttributeTypeAndValue'{}]} id-ce-cRLNumber integer() id-ce-deltaCRLIndicator integer() id-ce-issuingDistributionPoint #'IssuingDistributionPoint'{} id-ce-freshestCRL [#'Distributionpoint'{}] CRL Extensions
#'IssuingDistributionPoint'{ distributionPoint, % general_name() | [#AttributeTypeAndValue'{}] onlyContainsUserCerts, % boolean() onlyContainsCACerts, % boolean() onlySomeReasons, % [dist_reason()] indirectCRL, % boolean() onlyContainsAttributeCerts % boolean() }).
CRL Entry Extensions OID name Value type id-ce-cRLReason crl_reason() id-ce-holdInstructionCode oid() id-ce-invalidityDate general_time() id-ce-certificateIssuer general_name() CRL Entry Extensions

crl_reason() = unspecified | keyCompromise | cACompromise | affiliationChanged | superseded | cessationOfOperation | certificateHold | removeFromCRL | privilegeWithdrawn | aACompromise