<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html xmlns:fn="http://www.w3.org/2005/02/xpath-functions"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <link rel="stylesheet" href="../../../../doc/otp_doc.css" type="text/css"> <title>Erlang -- Certificate records</title> </head> <body bgcolor="white" text="#000000" link="#0000ff" vlink="#ff00ff" alink="#ff0000"><div id="container"> <script id="js" type="text/javascript" language="JavaScript" src="../../../../doc/js/flipmenu/flipmenu.js"></script><script id="js2" type="text/javascript" src="../../../../doc/js/erlresolvelinks.js"></script><script language="JavaScript" type="text/javascript"> <!-- function getWinHeight() { var myHeight = 0; if( typeof( window.innerHeight ) == 'number' ) { //Non-IE myHeight = window.innerHeight; } else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) { //IE 6+ in 'standards compliant mode' myHeight = document.documentElement.clientHeight; } else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) { //IE 4 compatible myHeight = document.body.clientHeight; } return myHeight; } function setscrollpos() { var objf=document.getElementById('loadscrollpos'); document.getElementById("leftnav").scrollTop = objf.offsetTop - getWinHeight()/2; } function addEvent(obj, evType, fn){ if (obj.addEventListener){ obj.addEventListener(evType, fn, true); return true; } else if (obj.attachEvent){ var r = obj.attachEvent("on"+evType, fn); return r; } else { return false; } } addEvent(window, 'load', setscrollpos); //--></script><div id="leftnav"><div class="innertube"> <img alt="Erlang logo" src="../../../../doc/erlang-logo.png"><br><small><a href="users_guide.html">User's Guide</a><br><a href="index.html">Reference Manual</a><br><a href="release_notes.html">Release Notes</a><br><a href="../pdf/public_key-0.5.pdf">PDF</a><br><a href="../../../../doc/index.html">Top</a></small><p><strong>public_key</strong><br><strong>User's Guide</strong><br><small>Version 0.5</small></p> <br><a href="javascript:openAllFlips()">Expand All</a><br><a href="javascript:closeAllFlips()">Contract All</a><p><small><strong>Chapters</strong></small></p> <ul class="flipMenu" imagepath="../../../../doc/js/flipmenu"> <li id="no" title="Introduction" expanded="false">Introduction<ul> <li><a href="introduction.html"> Top of chapter </a></li> <li title="Purpose"><a href="introduction.html#id2260020">Purpose</a></li> <li title="Prerequisites"><a href="introduction.html#id2252226">Prerequisites</a></li> </ul> </li> <li id="no" title="Public key records" expanded="false">Public key records<ul> <li><a href="public_key_records.html"> Top of chapter </a></li> <li title="RSA as defined by the PKCS-1 standard and RFC 3447."><a href="public_key_records.html#id2257412">RSA as defined by the PKCS-1 standard and RFC 3447.</a></li> <li title="DSA as defined by Digital Signature Standard (NIST FIPS PUB 186-2) "><a href="public_key_records.html#id2259369">DSA as defined by Digital Signature Standard (NIST FIPS PUB 186-2) </a></li> </ul> </li> <li id="loadscrollpos" title="Certificate records" expanded="true">Certificate records<ul> <li><a href="cert_records.html"> Top of chapter </a></li> <li title="Common Data Types"><a href="cert_records.html#id2259515">Common Data Types</a></li> <li title=" PKIX Certificates"><a href="cert_records.html#id2259543"> PKIX Certificates</a></li> <li title="Standard certificate extensions"><a href="cert_records.html#id2260098">Standard certificate extensions</a></li> <li title="Private Internet Extensions"><a href="cert_records.html#id2258551">Private Internet Extensions</a></li> <li title=" CRL and CRL Extensions Profile"><a href="cert_records.html#id2259007"> CRL and CRL Extensions Profile</a></li> </ul> </li> </ul> </div></div> <div id="content"> <div class="innertube"> <h1>3 Certificate records</h1> <p>This chapter briefly describes erlang records derived from asn1 specifications used to handle X509 certificates. The intent is to describe the data types and not to specify the meaning of each component for this we refer you to RFC 3280. </p> <p>Use the following include directive to get access to the records and constant macros (OIDs) described in the following sections.</p> <div class="example"><pre> -include_lib("public_key/include/public_key.hrl"). </pre></div> <p>The used specification is available in <span class="code">OTP-PKIX.asn1</span>, which is an amelioration of the <span class="code">PKIX1Explicit88.asn1</span>, <span class="code">PKIX1Implicit88.asn1</span> and <span class="code">PKIX1Algorithms88.asn1</span> modules. You find all these modules in the <span class="code">asn1</span> subdirectory of the application <span class="code">public_key</span>. </p> <h3><a name="id2259515">3.1 Common Data Types</a></h3> <p>Common non standard erlang data types used to described the record fields in the below sections are defined in <span class="bold_code"><a href="public_key.html">public key reference manual </a></span> or follows here.</p> <p><span class="code">time() = uct_time() | general_time()</span></p> <p><span class="code">uct_time() = {utcTime, "YYMMDDHHMMSSZ"} </span></p> <p><span class="code">general_time() = {generalTime, "YYYYMMDDHHMMSSZ"} </span></p> <p><span class="code"> general_name() = {rfc822Name, string()} | {dNSName, string()} | {x400Address, string()} | {directoryName, {rdnSequence, [#AttributeTypeAndValue'{}]}} | | {eidPartyName, special_string()} | {eidPartyName, special_string(), special_string()} | {uniformResourceIdentifier, string()} | {ipAddress, string()} | {registeredId, oid()} | {otherName, term()} </span></p> <p><span class="code"> special_string() = {teletexString, string()} | {printableString, string()} | {universalString, string()} | {utf8String, string()} | {bmpString, string()} </span></p> <p><span class="code"> dist_reason() = unused | keyCompromise | cACompromise | affiliationChanged | superseded | cessationOfOperation | certificateHold | privilegeWithdrawn | aACompromise </span></p> <h3><a name="id2259543">3.2 PKIX Certificates</a></h3> <div class="example"><pre> #'Certificate'{ tbsCertificate, % #'TBSCertificate'{} signatureAlgorithm, % #'AlgorithmIdentifier'{} signature % {0, binary()} - asn1 compact bitstring }. #'TBSCertificate'{ version, % v1 | v2 | v3 serialNumber, % integer() signature, % #'AlgorithmIdentifier'{} issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} validity, % #'Validity'{} subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{} issuerUniqueID, % binary() | asn1_novalue subjectUniqueID, % binary() | asn1_novalue extensions % [#'Extension'{}] }. #'AlgorithmIdentifier'{ algorithm, % oid() parameters % asn1_der_encoded() }. #'SignatureAlgorithm'{ algorithm, % id_signature_algorithm() parameters % public_key_params() }. </pre></div> <p><span class="code"> id_signature_algorithm() = ?oid_name_as_erlang_atom</span> for available oid names see table below. Ex: ?'id-dsa-with-sha1'</p> <table border="1" cellpadding="2" cellspacing="0"> <tr> <td align="left" valign="middle">OID name</td> </tr> <tr> <td align="left" valign="middle">id-dsa-with-sha1</td> </tr> <tr> <td align="left" valign="middle">md2WithRSAEncryption</td> </tr> <tr> <td align="left" valign="middle">md5WithRSAEncryption</td> </tr> <tr> <td align="left" valign="middle">sha1WithRSAEncryption</td> </tr> <tr> <td align="left" valign="middle">ecdsa-with-SHA1</td> </tr> </table> <em>Table 3.1: Signature algorithm oids </em> <div class="example"><pre> #'AttributeTypeAndValue'{ type, % id_attributes() value % term() }. </pre></div> <p><span class="code">id_attributes() </span></p> <table border="1" cellpadding="2" cellspacing="0"> <tr> <td align="left" valign="middle">OID name</td> <td align="left" valign="middle">Value type</td> </tr> <tr> <td align="left" valign="middle">id-at-name</td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-surname</td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-givenName</td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-initials </td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-generationQualifier</td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-commonName</td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-localityName</td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-stateOrProvinceName</td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-organizationName</td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-title</td> <td align="left" valign="middle">special_string()</td> </tr> <tr> <td align="left" valign="middle">id-at-dnQualifier</td> <td align="left" valign="middle">{printableString, string()}</td> </tr> <tr> <td align="left" valign="middle">id-at-countryName</td> <td align="left" valign="middle">{printableString, string()}</td> </tr> <tr> <td align="left" valign="middle">id-at-serialNumber</td> <td align="left" valign="middle">{printableString, string()}</td> </tr> <tr> <td align="left" valign="middle">id-at-pseudonym</td> <td align="left" valign="middle">special_string()</td> </tr> </table> <em>Table 3.2: Attribute oids </em> <div class="example"><pre> #'Validity'{ notBefore, % time() notAfter % time() }. #'SubjectPublicKeyInfo'{ algorithm, % #AlgorithmIdentifier{} subjectPublicKey % binary() }. #'SubjectPublicKeyInfoAlgorithm'{ algorithm, % id_public_key_algorithm() parameters % public_key_params() }. </pre></div> <p><span class="code"> id_public_key_algorithm() </span></p> <table border="1" cellpadding="2" cellspacing="0"> <tr> <td align="left" valign="middle">OID name</td> </tr> <tr> <td align="left" valign="middle">rsaEncryption</td> </tr> <tr> <td align="left" valign="middle">id-dsa</td> </tr> <tr> <td align="left" valign="middle">dhpublicnumber</td> </tr> <tr> <td align="left" valign="middle">ecdsa-with-SHA1</td> </tr> <tr> <td align="left" valign="middle">id-keyExchangeAlgorithm</td> </tr> </table> <em>Table 3.3: Public key algorithm oids </em> <div class="example"><pre> #'Extension'{ extnID, % id_extensions() | oid() critical, % boolean() extnValue % asn1_der_encoded() }. </pre></div> <p><span class="code">id_extensions()</span> <span class="bold_code"><a href="#StdCertExt">Standard Certificate Extensions</a></span>, <span class="bold_code"><a href="#PrivIntExt">Private Internet Extensions</a></span>, <span class="bold_code"><a href="#CRLCertExt">CRL Extensions</a></span> and <span class="bold_code"><a href="#CRLEntryExt">CRL Entry Extensions</a></span>. </p> <h3><a name="id2260098">3.3 Standard certificate extensions</a></h3> <a name="StdCertExt"></a> <table border="1" cellpadding="2" cellspacing="0"> <tr> <td align="left" valign="middle">OID name</td> <td align="left" valign="middle">Value type</td> </tr> <tr> <td align="left" valign="middle">id-ce-authorityKeyIdentifier</td> <td align="left" valign="middle">#'AuthorityKeyIdentifier'{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-subjectKeyIdentifier</td> <td align="left" valign="middle">oid()</td> </tr> <tr> <td align="left" valign="middle">id-ce-keyUsage</td> <td align="left" valign="middle"> [key_usage()]</td> </tr> <tr> <td align="left" valign="middle">id-ce-privateKeyUsagePeriod</td> <td align="left" valign="middle">#'PrivateKeyUsagePeriod'{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-certificatePolicies</td> <td align="left" valign="middle">#'PolicyInformation'{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-policyMappings</td> <td align="left" valign="middle">#'PolicyMappings_SEQOF'{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-subjectAltName</td> <td align="left" valign="middle">general_name()</td> </tr> <tr> <td align="left" valign="middle">id-ce-issuerAltName</td> <td align="left" valign="middle">general_name()</td> </tr> <tr> <td align="left" valign="middle">id-ce-subjectDirectoryAttributes</td> <td align="left" valign="middle"> [#'Attribute'{}]</td> </tr> <tr> <td align="left" valign="middle">id-ce-basicConstraints</td> <td align="left" valign="middle">#'BasicConstraints'{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-nameConstraints</td> <td align="left" valign="middle">#'NameConstraints'{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-policyConstraints</td> <td align="left" valign="middle">#'PolicyConstraints'{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-extKeyUsage</td> <td align="left" valign="middle">[id_key_purpose()]</td> </tr> <tr> <td align="left" valign="middle">id-ce-cRLDistributionPoints</td> <td align="left" valign="middle">#'DistributionPoint'{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-inhibitAnyPolicy</td> <td align="left" valign="middle">integer()</td> </tr> <tr> <td align="left" valign="middle">id-ce-freshestCRL</td> <td align="left" valign="middle">[#'DistributionPoint'{}]</td> </tr> </table> <em>Table 3.4: Standard Certificate Extensions</em> <p><span class="code"> key_usage() = digitalSignature | nonRepudiation | keyEncipherment| dataEncipherment | keyAgreement | keyCertSign | cRLSign | encipherOnly | decipherOnly </span></p> <p><span class="code"> id_key_purpose()</span></p> <table border="1" cellpadding="2" cellspacing="0"> <tr> <td align="left" valign="middle">OID name</td> </tr> <tr> <td align="left" valign="middle">id-kp-serverAuth</td> </tr> <tr> <td align="left" valign="middle">id-kp-clientAuth</td> </tr> <tr> <td align="left" valign="middle">id-kp-codeSigning</td> </tr> <tr> <td align="left" valign="middle">id-kp-emailProtection</td> </tr> <tr> <td align="left" valign="middle">id-kp-timeStamping</td> </tr> <tr> <td align="left" valign="middle">id-kp-OCSPSigning</td> </tr> </table> <em>Table 3.5: Key purpose oids </em> <div class="example"><pre> #'AuthorityKeyIdentifier'{ keyIdentifier, % oid() authorityCertIssuer, % general_name() authorityCertSerialNumber % integer() }. #'PrivateKeyUsagePeriod'{ notBefore, % general_time() notAfter % general_time() }. #'PolicyInformation'{ policyIdentifier, % oid() policyQualifiers % [#PolicyQualifierInfo{}] }. #'PolicyQualifierInfo'{ policyQualifierId, % oid() qualifier % string() | #'UserNotice'{} }. #'UserNotice'{ noticeRef, % #'NoticeReference'{} explicitText % string() }. #'NoticeReference'{ organization, % string() noticeNumbers % [integer()] }. #'PolicyMappings_SEQOF'{ issuerDomainPolicy, % oid() subjectDomainPolicy % oid() }. #'Attribute'{ type, % oid() values % [asn1_der_encoded()] }). #'BasicConstraints'{ cA, % boolean() pathLenConstraint % integer() }). #'NameConstraints'{ permittedSubtrees, % [#'GeneralSubtree'{}] excludedSubtrees % [#'GeneralSubtree'{}] }). #'GeneralSubtree'{ base, % general_name() minimum, % integer() maximum % integer() }). #'PolicyConstraints'{ requireExplicitPolicy, % integer() inhibitPolicyMapping % integer() }). #'DistributionPoint'{ distributionPoint, % general_name() | [#AttributeTypeAndValue{}] reasons, % [dist_reason()] cRLIssuer % general_name() }). </pre></div> <h3><a name="id2258551">3.4 Private Internet Extensions</a></h3> <a name="PrivIntExt"></a> <table border="1" cellpadding="2" cellspacing="0"> <tr> <td align="left" valign="middle">OID name</td> <td align="left" valign="middle">Value type</td> </tr> <tr> <td align="left" valign="middle">id-pe-authorityInfoAccess</td> <td align="left" valign="middle">[#'AccessDescription'{}]</td> </tr> <tr> <td align="left" valign="middle">id-pe-subjectInfoAccess</td> <td align="left" valign="middle">[#'AccessDescription'{}]</td> </tr> </table> <em>Table 3.6: Private Internet Extensions</em> <div class="example"><pre> #'AccessDescription'{ accessMethod, % oid() accessLocation % general_name() }). </pre></div> <h3><a name="id2259007">3.5 CRL and CRL Extensions Profile</a></h3> <div class="example"><pre> #'CertificateList'{ tbsCertList, % #'TBSCertList{} signatureAlgorithm, % #'AlgorithmIdentifier'{} signature % {0, binary()} - asn1 compact bitstring }). #'TBSCertList'{ version, % v2 (if defined) signature, % #AlgorithmIdentifier{} issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} thisUpdate, % time() nextUpdate, % time() revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}] crlExtensions % [#'Extension'{}] }). #'TBSCertList_revokedCertificates_SEQOF'{ userCertificate, % integer() revocationDate, % timer() crlEntryExtensions % [#'Extension'{}] }). </pre></div> <h4>CRL Extensions </h4> <a name="CRLCertExt"></a> <table border="1" cellpadding="2" cellspacing="0"> <tr> <td align="left" valign="middle">OID name</td> <td align="left" valign="middle">Value type</td> </tr> <tr> <td align="left" valign="middle">id-ce-authorityKeyIdentifier</td> <td align="left" valign="middle">#'AuthorityKeyIdentifier{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-issuerAltName</td> <td align="left" valign="middle">{rdnSequence, [#AttributeTypeAndValue'{}]}</td> </tr> <tr> <td align="left" valign="middle">id-ce-cRLNumber</td> <td align="left" valign="middle">integer()</td> </tr> <tr> <td align="left" valign="middle">id-ce-deltaCRLIndicator</td> <td align="left" valign="middle">integer()</td> </tr> <tr> <td align="left" valign="middle">id-ce-issuingDistributionPoint</td> <td align="left" valign="middle">#'IssuingDistributionPoint'{}</td> </tr> <tr> <td align="left" valign="middle">id-ce-freshestCRL</td> <td align="left" valign="middle">[#'Distributionpoint'{}]</td> </tr> </table> <em>Table 3.7: CRL Extensions</em> <div class="example"><pre> #'IssuingDistributionPoint'{ distributionPoint, % general_name() | [#AttributeTypeAndValue'{}] onlyContainsUserCerts, % boolean() onlyContainsCACerts, % boolean() onlySomeReasons, % [dist_reason()] indirectCRL, % boolean() onlyContainsAttributeCerts % boolean() }). </pre></div> <h4> CRL Entry Extensions </h4> <a name="CRLEntryExt"></a> <table border="1" cellpadding="2" cellspacing="0"> <tr> <td align="left" valign="middle">OID name</td> <td align="left" valign="middle">Value type</td> </tr> <tr> <td align="left" valign="middle">id-ce-cRLReason</td> <td align="left" valign="middle">crl_reason()</td> </tr> <tr> <td align="left" valign="middle">id-ce-holdInstructionCode</td> <td align="left" valign="middle">oid()</td> </tr> <tr> <td align="left" valign="middle">id-ce-invalidityDate</td> <td align="left" valign="middle">general_time()</td> </tr> <tr> <td align="left" valign="middle">id-ce-certificateIssuer</td> <td align="left" valign="middle">general_name()</td> </tr> </table> <em>Table 3.8: CRL Entry Extensions</em> <p><span class="code"> crl_reason() = unspecified | keyCompromise | cACompromise | affiliationChanged | superseded | cessationOfOperation | certificateHold | removeFromCRL | privilegeWithdrawn | aACompromise </span></p> </div> <div class="footer"> <hr> <p>Copyright © 2008-2010 Ericsson AB, All Rights Reserved</p> </div> </div> </div></body> </html>