[Ericsson AB]

3 Certificate records

This chapter briefly describes erlang records derived from asn1 specifications used to handle X509 certificates. The intent is to describe the data types and not to specify the meaning of each component for this we refer you to RFC 3280.

Use the following include directive to get access to the records and constant macros described in the following sections.

 -include_lib("public_key/include/public_key.hrl"). 

3.1 Common Data Types

Common non standard erlang data types used to described the record fields in the below sections are defined in public key reference manual or follows here.

time() = uct_time() | general_time()

uct_time() = {utcTime, "YYMMDDHHMMSSZ"}

general_time() = {generalTime, "YYYYMMDDHHMMSSZ"}

general_name() = {rfc822Name, string()} | {dNSName, string()} | {x400Address, string()} | {directoryName, {rdnSequence, [#AttributeTypeAndValue'{}]}} | | {eidPartyName, special_string()} | {eidPartyName, special_string(), special_string()} | {uniformResourceIdentifier, string()} | {ipAddress, string()} | {registeredId, oid()} | {otherName, term()}

special_string() = {teletexString, string()} | {printableString, string()} | {universalString, string()} | {utf8String, string()} | {bmpString, string()}

dist_reason() = unused | keyCompromise | cACompromise | affiliationChanged | superseded | cessationOfOperation | certificateHold | privilegeWithdrawn | aACompromise

3.2 PKIX Certificates

#'Certificate'{
                tbsCertificate,        % #'TBSCertificate'{}
                signatureAlgorithm,    % #'AlgorithmIdentifier'{} 
                signature              % {0, binary()} - asn1 compact bitstring
               }.

#'TBSCertificate'{
          version,              % v1 | v2 | v3 
          serialNumber,         % integer() 
          signature,            % #'AlgorithmIdentifier'{} 
          issuer,               % {rdnSequence, [#AttributeTypeAndValue'{}]} 
          validity,             % #'Validity'{}
          subject,              % {rdnSequence, [#AttributeTypeAndValue'{}]} 
          subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{}
          issuerUniqueID,       % binary() | asn1_novalue
          subjectUniqueID,      % binary() | asn1_novalue
          extensions            % [#'Extension'{}] 
         }.
          
#'AlgorithmIdentifier'{
          algorithm,  % oid() 
          parameters  % asn1_der_encoded()
         }.
#'SignatureAlgorithm'{
          algorithm,  % id_signature_algorithm()
          parameters  % public_key_params()
         }.

id_signature_algorithm() = ?oid_name_as_erlang_atom for available oid names see table below. Ex: ?'id-dsa-with-sha1'

Signature algorithm oids
OID name
id-dsa-with-sha1
md2WithRSAEncryption
md5WithRSAEncryption
sha1WithRSAEncryption
ecdsa-with-SHA1
#'AttributeTypeAndValue'{
          type,   % id_attributes()
          value   % term() 
         }.

id_attributes() = ?oid_name_as_erlang_atom for available oid names see table below. Ex: ?'id-at-name'

Attribute oids
OID name Value type
id-at-name special_string()
id-at-surname special_string()
id-at-givenName special_string()
id-at-initials special_string()
id-at-generationQualifier special_string()
id-at-commonName special_string()
id-at-localityName special_string()
id-at-stateOrProvinceName special_string()
id-at-organizationName special_string()
id-at-title special_string()
id-at-dnQualifier {printableString, string()}
id-at-countryName {printableString, string()}
id-at-serialNumber {printableString, string()}
id-at-pseudonym special_string()
#'Validity'{ 
          notBefore, % time()
          notAfter   % time()
         }.
         
#'SubjectPublicKeyInfo'{
          algorithm,       % #AlgorithmIdentifier{} 
          subjectPublicKey % binary() 
         }.

#'SubjectPublicKeyInfoAlgorithm'{
          algorithm,  % id_public_key_algorithm()
          parameters  % public_key_params()
         }.

id_public_key_algorithm() = ?oid_name_as_erlang_atom for available oid names see table below. Ex: ?'id-dsa'

Public key algorithm oids
OID name
rsaEncryption
id-dsa
dhpublicnumber
ecdsa-with-SHA1
id-keyExchangeAlgorithm
#'Extension'{
          extnID,    % id_extensions() | oid() 
          critical,  % boolean()
          extnValue  % asn1_der_encoded() 
         }.

id_extensions() = ?oid_name_as_erlang_atom for available oid names see tables. Ex: ?'id-ce-authorityKeyIdentifier'Standard Certificate Extensions, Private Internet Extensions, CRL Extensions and CRL Entry Extensions.

3.3 Standard certificate extensions

Standard Certificate Extensions
OID name Value type
id-ce-authorityKeyIdentifier #'AuthorityKeyIdentifier'{}
id-ce-subjectKeyIdentifier oid()
id-ce-keyUsage [key_usasge()]
id-ce-privateKeyUsagePeriod #'PrivateKeyUsagePeriod'{}
id-ce-certificatePolicies #'PolicyInformation'{}
id-ce-policyMappings #'PolicyMappings_SEQOF'{}
id-ce-subjectAltName general_name()
id-ce-issuerAltName general_name()
id-ce-subjectDirectoryAttributes [#'Attribute'{}]
id-ce-basicConstraints #'BasicConstraints'{}
id-ce-nameConstraints #'NameConstraints'{}
id-ce-policyConstraints #'PolicyConstraints'{}
id-ce-extKeyUsage [id_key_purpose()]
id-ce-cRLDistributionPoints #'DistributionPoint'{}
id-ce-inhibitAnyPolicy integer()
id-ce-freshestCRL [#'DistributionPoint'{}]

key_usasge() = digitalSignature | nonRepudiation | keyEncipherment| dataEncipherment | keyAgreement | keyCertSign | cRLSign | encipherOnly | decipherOnly

id_key_purpose() = ?oid_name_as_erlang_atom for available oid names see table below. Ex: ?'id-kp-serverAuth'

Key purpose oids
OID name
id-kp-serverAuth
id-kp-clientAuth
id-kp-codeSigning
id-kp-emailProtection
id-kp-timeStamping
id-kp-OCSPSigning
#'AuthorityKeyIdentifier'{
          keyIdentifier,            % oid()
          authorityCertIssuer,      % general_name()
          authorityCertSerialNumber % integer() 
         }.

#'PrivateKeyUsagePeriod'{
          notBefore,   % general_time()
          notAfter     % general_time()
         }.

#'PolicyInformation'{
          policyIdentifier,  % oid()
          policyQualifiers   % [#PolicyQualifierInfo{}]
         }.

#'PolicyQualifierInfo'{
          policyQualifierId,   % oid()
          qualifier            % string() | #'UserNotice'{}
         }.

#'UserNotice'{
         noticeRef,   % #'NoticeReference'{}
         explicitText % string()
         }.

#'NoticeReference'{
         organization,    % string()
         noticeNumbers    % [integer()]
         }.

#'PolicyMappings_SEQOF'{
          issuerDomainPolicy,  % oid()
          subjectDomainPolicy  % oid()
         }.

#'Attribute'{
          type,  % oid()
          values % [asn1_der_encoded()]
          }).

#'BasicConstraints'{
          cA,               % boolean()
          pathLenConstraint % integer()
         }).

#'NameConstraints'{
          permittedSubtrees, % [#'GeneralSubtree'{}]
          excludedSubtrees   % [#'GeneralSubtree'{}]
         }).

#'GeneralSubtree'{
          base,    % general_name()
          minimum, % integer()
          maximum  % integer()
         }).

#'PolicyConstraints'{
          requireExplicitPolicy, % integer()
          inhibitPolicyMapping   % integer()
         }).

#'DistributionPoint'{
          distributionPoint, % general_name() | [#AttributeTypeAndValue{}]
          reasons,           % [dist_reason()]
          cRLIssuer          % general_name()
         }).

3.4 Private Internet Extensions

Private Internet Extensions
OID name Value type
id-pe-authorityInfoAccess [#'AccessDescription'{}]
id-pe-subjectInfoAccess [#'AccessDescription'{}]
#'AccessDescription'{
           accessMethod,    % oid()
           accessLocation   % general_name()
         }).

3.5 CRL and CRL Extensions Profile

#'CertificateList'{
          tbsCertList,        % #'TBSCertList{}
          signatureAlgorithm, % #'AlgorithmIdentifier'{} 
          signature           % {0, binary()} - asn1 compact bitstring
          }).

#'TBSCertList'{
      version,             % v2 (if defined)
      signature,           % #AlgorithmIdentifier{}
      issuer,              % {rdnSequence, [#AttributeTypeAndValue'{}]} 
      thisUpdate,          % time()
      nextUpdate,          % time() 
      revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}]
      crlExtensions        % [#'Extension'{}]
      }).

#'TBSCertList_revokedCertificates_SEQOF'{
         userCertificate,      % integer()
         revocationDate,       % timer()
         crlEntryExtensions    % [#'Extension'{}]
         }).
 

3.5.1 CRL Extensions

CRL Extensions
OID name Value type
id-ce-authorityKeyIdentifier #'AuthorityKeyIdentifier{}
id-ce-issuerAltName {rdnSequence, [#AttributeTypeAndValue'{}]}
id-ce-cRLNumber integer()
id-ce-deltaCRLIndicator integer()
id-ce-issuingDistributionPoint #'IssuingDistributionPoint'{}
id-ce-freshestCRL [#'Distributionpoint'{}]
#'IssuingDistributionPoint'{
          distributionPoint,         % general_name() | [#AttributeTypeAndValue'{}]
          onlyContainsUserCerts,     % boolean()
          onlyContainsCACerts,       % boolean()
          onlySomeReasons,           % [dist_reason()]
          indirectCRL,               % boolean()
          onlyContainsAttributeCerts % boolean()
          }).
      

3.5.2 CRL Entry Extensions

CRL Entry Extensions
OID name Value type
id-ce-cRLReason crl_reason()
id-ce-holdInstructionCode oid()
id-ce-invalidityDate general_time()
id-ce-certificateIssuer general_name()

crl_reason() = unspecified | keyCompromise | cACompromise | affiliationChanged | superseded | cessationOfOperation | certificateHold | removeFromCRL | privilegeWithdrawn | aACompromise


public_key 0.2
Copyright © 1991-2009 Ericsson AB