
Common Security: CDSA and CSSM, Version 2 (with corrigenda)
Copyright © 2000 The Open Group

OIDs for X.509 Certificate Library Modules

Overview

This chapter specifies object identifiers and corresponding data structures for fields of X.509 Certificates and Certificate Revocation Lists (CRLs). An OID can specify one field or multiple fields contained in a certificate or CRL. The OID also indicates the data representation of the field values. One to three distinct representations are defined for each meaningful aggregation of certificate field values:

Some certificate fields can be returned to an application in any of the three formats. Applications specify the desired format by using distinct OID names. The OID names for a single field in different representations share a common prefix. The selected representation is identified by a unique OID suffix. This allows applications to store tables of the common base and to select the desired representation at runtime by appending the suffix corresponding to the desired representation.

Interoperable Format Specifications for X.509

Certificate Library Service Provider X.509 Field OIDs

This section defines the OID names to be used to access fields in X.509 certificates and CRLs. The format of the data accessed with each OID is described.

Following sections then describe the OIDs upon which Certificate and CRL OIDs are based:

Base of the Object Identifier Name Space

This specification defines five object identifiers, which form the base arcs for Intel Corporation's CDSA name space.

INTEL OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) }

The object identifier INTEL identifies the base arc of the Intel Corporation name space under the registration authority of the joint ISO and the International Telegraph and Telephone Consultative Committee.

INTEL_CDSASECURITY OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) CDSA-security (2) }

The object identifier INTEL_CDSASECURITY identifies the base arc for CDSA object identifiers within the Intel Corporation name space. The CDSA name space is subdivided into two subarcs:

INTEL_SEC_FORMATS OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) CDSA-security (2) formats (1) }

The object identifier INTEL_SEC_FORMATS identifies the base arc of object identifiers representing the format or representation of a CDSA security object within the Intel Corporation CDSA name space.

INTEL_SEC_ALGS OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) CDSA-security (2) algs (2) 5 }

The object identifier INTEL_SEC_ALGS identifies the base arc of object identifiers representing the format or representation of CDSA security algorithms within the Intel Corporation CDSA name space.

A subarc for security object bundles is defined within the CDSA formats object identifier name space.

INTEL_SEC_OBJECT_BUNDLE OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) CDSA-security (2) formats (1) bundle (4) }

The object identifier INTEL_SEC_OBJECT_BUNDLE identifies the base arc for object identifiers representing bundles of CDSA security objects within the Intel Corporation CDSA name space.

INTEL_CERT_AND_PRIVATE_KEY_2_0 OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) CDSA-security (2) formats (1) bundle (4) 1 }

The object identifier INTEL_CERT_AND_PRIVATE_KEY_2_0 identifies a certificate and private key object contained within a bundle.

Programmatic Definition of Base Object Identifiers

Programmatically these Intel base object identifiers are defined by the following constants.

#define INTEL                           96, 134, 72, 1, 134, 248, 77 
#define INTEL_LENGTH                    7

#define INTEL_CDSASECURITY              INTEL, 2
#define INTEL_CDSASECURITY_LENGTH       (INTEL_LENGTH + 1)

#define INTEL_SEC_FORMATS               INTEL_CDSASECURITY, 1
#define INTEL_SEC_FORMATS_LENGTH        (INTEL_CDSASECURITY_LENGTH + 1)

#define INTEL_SEC_ALGS                  INTEL_CDSASECURITY, 2, 5  
#define INTEL_SEC_ALGS_LENGTH           (INTEL_CDSASECURITY_LENGTH + 2)

#define INTEL_SEC_OBJECT_BUNDLE         INTEL_SEC_FORMATS, 4
#define INTEL_SEC_OBJECT_BUNDLE_LENGTH  (INTEL_SEC_FORMATS_LENGTH + 1)

#define INTEL_CERT_AND_PRIVATE_KEY_2_0  INTEL_SEC_OBJECT_BUNDLE, 1
#define INTEL_CERT_AND_PRIVATE_KEY_2_0_LENGTH  (INTEL_SEC_OBJECT_BUNDLE_LENGTH + 1)


Terminology

BER Integer:

An integer value, base 256, in two's complement form, most significant digit first, with a minimum number of octets.

Object Identifiers for X.509 V3 Certificates

Base Object Identifiers

This specification defines object identifiers to name fields and sets of fields within an X.509 certificate. Each object identifier also indicates the representation for the selected field or fields. Possible representations include:

Object identifiers are defined corresponding to the certificate fields defined by the X.509 V1 standard and the X.509 V3 standard. Two primary subarcs are defined for this purpose:


INTEL_X509V3_CERT_R08 OBJECT IDENTIFIER ::= { INTEL_SEC_FORMATS, 1, 1 }

INTEL_X509V3_SIGN_R08 OBJECT IDENTIFIER ::= { INTEL_SEC_FORMATS, 3, 2 }

The object identifier INTEL_X509V3_CERT_R08 identifies the base arc for object identifiers representing the format and name of one or more fields contained in an X.509 version 3 certificate. The object identifier INTEL_X509V3_SIGN_R08 identifies the base arc for object identifiers representing the format and name of the subfields of a digital signature contained in an X.509 version 3 certificate.

A subarc for X.509 version 3 certificate extensions is defined under INTEL_X509V3_CERT_R08 as follows:


INTEL_X509V3_CERT_PRIVATE_EXTENSIONS OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 50 }

Programmatic Definition of Base Object Identifiers

Programmatically, these object identifiers are defined by the following constants.

/* Prefix for defining Certificate field OIDs */
#define INTEL_X509V3_CERT_R08           INTEL_SEC_FORMATS, 1, 1
#define INTEL_X509V3_CERT_R08_LENGTH    (INTEL_SEC_FORMATS_LENGTH + 2)

/* Prefix for defining Certificate Extension field OIDs */
#define INTEL_X509V3_CERT_PRIVATE_EXTENSIONS         INTEL_X509V3_CERT_R08, 50
#define INTEL_X509V3_CERT_PRIVATE_EXTENSIONS_LENGTH  (INTEL_X509V3_CERT_R08_LENGTH + 1)

/* Prefix for defining signature field OIDs */
#define INTEL_X509V3_SIGN_R08           INTEL_SEC_FORMATS, 3, 2
#define INTEL_X509V3_SIGN_R08_LENGTH    (INTEL_SEC_FORMATS_LENGTH + 2)

/* Suffix specifying format or representation of a field value.
   If no format suffix is specified, a flat data representation is implied. */
#define INTEL_X509_C_DATATYPE              1
#define INTEL_X509_LDAPSTRING_DATATYPE     2
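The following C program is an added illustration and is not part of the Open Group specification. It shows what the constants above encode: the INTEL octets are the DER content octets of 2.16.840.1.113741 (the first two arcs fused as 40*2 + 16 = 96, the rest in base 128 with a continuation bit), and a field OID such as X509V1IssuerNameLDAP is composed at run time from a stored prefix, a field number and a representation suffix, as the Overview describes. The macros are copied from the text; put_subid, oid_encode, oid_to_string, build_cert_field_oid and intel_constant_matches are helpers written for this example and are not CDSA API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base-arc constants exactly as the specification defines them. */
#define INTEL                           96, 134, 72, 1, 134, 248, 77
#define INTEL_LENGTH                    7
#define INTEL_CDSASECURITY              INTEL, 2
#define INTEL_CDSASECURITY_LENGTH       (INTEL_LENGTH + 1)
#define INTEL_SEC_FORMATS               INTEL_CDSASECURITY, 1
#define INTEL_SEC_FORMATS_LENGTH        (INTEL_CDSASECURITY_LENGTH + 1)
#define INTEL_X509V3_CERT_R08           INTEL_SEC_FORMATS, 1, 1
#define INTEL_X509V3_CERT_R08_LENGTH    (INTEL_SEC_FORMATS_LENGTH + 2)
#define INTEL_X509_C_DATATYPE           1
#define INTEL_X509_LDAPSTRING_DATATYPE  2

/* Assumed helper (not CDSA API): write one base-128 subidentifier with the
 * continuation bit set on every octet but the last. Returns octets written,
 * or 0 if the buffer is too small. */
static size_t put_subid(uint32_t v, uint8_t *out, size_t cap) {
    uint8_t tmp[5];
    size_t k = 0;
    do { tmp[k++] = (uint8_t)(v & 0x7f); v >>= 7; } while (v);
    if (k > cap) return 0;
    for (size_t i = 0; i < k; i++)
        out[i] = (uint8_t)(tmp[k - 1 - i] | (i + 1 < k ? 0x80 : 0));
    return k;
}

/* Assumed helper: dotted arcs -> DER OID content octets (no 0x06 tag, no
 * length). The first two arcs share one subidentifier, 40*arc0 + arc1.
 * Returns total octets, or 0 on invalid arcs or a buffer that is too small. */
size_t oid_encode(const uint32_t *arcs, size_t n, uint8_t *out, size_t cap) {
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39) || arcs[1] > UINT32_MAX - 80)
        return 0;
    size_t len = put_subid(40u * arcs[0] + arcs[1], out, cap);
    for (size_t i = 2; len && i < n; i++) {
        size_t k = put_subid(arcs[i], out + len, cap - len);
        len = k ? len + k : 0;
    }
    return len;
}

/* Assumed helper: OID content octets -> dotted text. Returns the string length,
 * or -1 on a truncated subidentifier, uint32_t overflow or a small buffer. */
int oid_to_string(const uint8_t *oid, size_t len, char *out, size_t cap) {
    size_t pos = 0;
    uint32_t v = 0;
    int pending = 0, first = 1, n;
    if (len == 0 || cap == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        if (v > (UINT32_MAX >> 7)) return -1;      /* subidentifier too large */
        v = (v << 7) | (oid[i] & 0x7f);
        pending = (oid[i] & 0x80) != 0;
        if (pending) continue;                      /* more octets follow */
        if (first) {
            uint32_t a0 = v < 80 ? v / 40 : 2, a1 = v - 40u * a0;
            n = snprintf(out + pos, cap - pos, "%u.%u", (unsigned)a0, (unsigned)a1);
            first = 0;
        } else {
            n = snprintf(out + pos, cap - pos, ".%u", (unsigned)v);
        }
        if (n < 0 || (size_t)n >= cap - pos) return -1;
        pos += (size_t)n;
        v = 0;
    }
    return pending ? -1 : (int)pos;
}

/* The prefix an application stores once; field number and format suffix are
 * appended at run time as the Overview describes (suffix 0 = flat form). */
static const uint8_t CERT_R08_PREFIX[] = { INTEL_X509V3_CERT_R08 };

size_t build_cert_field_oid(uint32_t field, uint32_t suffix, uint8_t *out, size_t cap) {
    size_t len = sizeof CERT_R08_PREFIX, k;
    if (len > cap) return 0;
    memcpy(out, CERT_R08_PREFIX, len);
    if (!(k = put_subid(field, out + len, cap - len))) return 0;
    len += k;
    if (suffix) {
        if (!(k = put_subid(suffix, out + len, cap - len))) return 0;
        len += k;
    }
    return len;
}

/* 1 if encoding 2.16.840.1.113741 reproduces the INTEL octets, else 0. */
int intel_constant_matches(void) {
    static const uint32_t arcs[] = { 2, 16, 840, 1, 113741 };
    static const uint8_t ref[] = { INTEL };
    uint8_t enc[16];
    size_t n = oid_encode(arcs, 5, enc, sizeof enc);
    return n == INTEL_LENGTH && n == sizeof ref && memcmp(enc, ref, n) == 0;
}

int main(void) {
    uint8_t oid[32];
    char txt[64];
    printf("INTEL constant matches DER encoding: %s\n", intel_constant_matches() ? "yes" : "no");
    /* X509V1IssuerNameLDAP = {INTEL_X509V3_CERT_R08, 5, INTEL_X509_LDAPSTRING_DATATYPE} */
    size_t n = build_cert_field_oid(5, INTEL_X509_LDAPSTRING_DATATYPE, oid, sizeof oid);
    if (n && oid_to_string(oid, n, txt, sizeof txt) > 0)
        printf("X509V1IssuerNameLDAP = %s (%zu octets)\n", txt, n);
    return 0;
}
```

The check `sizeof CERT_R08_PREFIX == INTEL_X509V3_CERT_R08_LENGTH` is the quick way to confirm that a _LENGTH macro really matches its comma list; a mismatch there would make a module pass a CSSM_OID with the wrong Length and fail OID comparisons at run time.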


Object Identifiers for Fields

This specification defines object identifiers for naming fields of an X.509 version 3 or X.509 version 1 certificate. The object identifier also indicates the representation or format of the specific field or fields from the certificate. The valid representations include:

Certificate OID Definition

The certificate object identifiers are defined as follows:

X509V3SignedCertificate

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 0}

X509V3SignedCertificateCStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 0, INTEL_X509_C_DATATYPE}

X509V3TbsCertificate

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 1}

X509V3TbsCertificateCStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 1, INTEL_X509_C_DATATYPE}

X509V1Version

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 2}

X509V1SerialNumber

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 3}

X509V1IssuerName

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 5}

X509V1IssuerNameCStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 5, INTEL_X509_C_DATATYPE}

X509V1IssuerNameLDAP

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 5, INTEL_X509_LDAPSTRING_DATATYPE}

X509V1ValidityNotBefore

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 6}

X509V1ValidityNotAfter

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 7}

X509V1SubjectName

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 8}

X509V1SubjectNameCStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 8, INTEL_X509_C_DATATYPE}

X509V1SubjectNameLDAP

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 8, INTEL_X509_LDAPSTRING_DATATYPE}

CSSMKeyStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 20}

X509V1SubjectPublicKeyCStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 20, INTEL_X509_C_DATATYPE}

X509V1SubjectPublicKeyAlgorithm

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 9}

X509V1SubjectPublicKeyAlgorithmParameters

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 18}

X509V1SubjectPublicKey

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 10}

X509V1CertificateIssuerUniqueId

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 11}

X509V1CertificateSubjectUniqueId

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 12}

X509V3CertificateExtensionsStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 21}

X509V3CertificateExtensionsCStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 21, INTEL_X509_C_DATATYPE}

X509V3CertificateNumberOfExtensions

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 14}

X509V3CertificateExtensionStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 13}

X509V3CertificateExtensionCStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 13, INTEL_X509_C_DATATYPE}

X509V3CertificateExtensionId

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 15}

X509V3CertificateExtensionCritical

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 16}

X509V3CertificateExtensionType

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 19}

X509V3CertificateExtensionValue

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 17}

Signature OID Definition

The signature object identifiers for a digital signature are defined as follows:

X509V1SignatureStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 0}

X509V1SignatureCStruct

OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 0, INTEL_X509_C_DATATYPE}

X509V1SignatureAlgorithm

OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 1}

X509V1SignatureAlgorithmParameters

OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 3}

X509V1Signature

OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 2}

Extension OID Definition

The X.509 standard extension OIDs can be used to access the associated certificate (and CRL) extension data.

In addition, Intel has defined and reserved a base object identifier name space for the definition of new OIDs that name specific, new certificate extensions.

The arc {INTEL_X509V3_CERT_R08, 50} is reserved for the Extension Contents OID tree:

INTEL_X509V3_CERT_PRIVATE_EXTENSIONS

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 50}

Under the subarc INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, Intel defines the following object identifiers:

SubjectSignatureBitmap

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, 1}

SubjectPicture

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, 2}

SubjectEmailAddress

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, 3}

UseExemptions

OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, 4}

C Language Data Structures

This section defines the C Language Data Structures for X.509 Certificates (and CRLs).

CSSM_BER_TAG

This data type defines CSSM programmatic names for the standard DER tags found in DER-encoded values. These tag values are included in a structure containing a certificate field value when the DER type for that field is ambiguous.

typedef uint8 CSSM_BER_TAG;

#define BER_TAG_UNKNOWN               0
#define BER_TAG_BOOLEAN               1
#define BER_TAG_INTEGER               2
#define BER_TAG_BIT_STRING            3
#define BER_TAG_OCTET_STRING          4
#define BER_TAG_NULL                  5
#define BER_TAG_OID                   6
#define BER_TAG_OBJECT_DESCRIPTOR     7
#define BER_TAG_EXTERNAL              8
#define BER_TAG_REAL                  9
#define BER_TAG_ENUMERATED            10

/* 12 to 15 are reserved for future versions of the recommendation */
#define BER_TAG_PKIX_UTF8_STRING      12

#define BER_TAG_SEQUENCE              16
#define BER_TAG_SET                   17

#define BER_TAG_NUMERIC_STRING        18
#define BER_TAG_PRINTABLE_STRING      19
#define BER_TAG_T61_STRING            20
#define BER_TAG_TELETEX_STRING        BER_TAG_T61_STRING
#define BER_TAG_VIDEOTEX_STRING       21
#define BER_TAG_IA5_STRING            22

#define BER_TAG_UTC_TIME              23
#define BER_TAG_GENERALIZED_TIME      24

#define BER_TAG_GRAPHIC_STRING        25
#define BER_TAG_ISO646_STRING         26
#define BER_TAG_GENERAL_STRING        27
#define BER_TAG_VISIBLE_STRING        BER_TAG_ISO646_STRING

/* 28 onward are reserved for future versions of the recommendation */
#define BER_TAG_PKIX_UNIVERSAL_STRING 28
#define BER_TAG_PKIX_BMP_STRING       30

CSSM_X509_ALGORITHM_IDENTIFIER

This structure holds an object identifier naming a cryptographic algorithm and an optional set of parameters to be used as input to that algorithm.

typedef struct cssm_x509_algorithm_identifier {
    CSSM_OID algorithm;        
    CSSM_DATA parameters;    
} CSSM_X509_ALGORITHM_IDENTIFIER, *CSSM_X509_ALGORITHM_IDENTIFIER_PTR;


DESCRIPTION

algorithm

An industry standard OID value naming a cryptographic algorithm.

parameters

An optional algorithm-specific set of parameters to be used as input to the algorithm. If no parameters are specified, parameters.Length = 0 and parameters.Data = NULL.

CSSM_X509_TYPE_VALUE_PAIR

This structure contains a type-value pair.

/* X509 Distinguished name structure */
typedef struct cssm_x509_type_value_pair {
    CSSM_OID type;
    CSSM_BER_TAG valueType;   /* The Tag to be used when */
                                  /*this value is BER encoded */
    CSSM_DATA value;
} CSSM_X509_TYPE_VALUE_PAIR, *CSSM_X509_TYPE_VALUE_PAIR_PTR;


DESCRIPTION

type

An industry standard OID identifying the type of the value.

valueType

A tag to be used when the value is encoded.

value

The data value.

CSSM_X509_RDN

This structure contains a Relative Distinguished Name composed of an ordered set of type-value pairs.

typedef struct cssm_x509_rdn {
    uint32 numberOfPairs;
    CSSM_X509_TYPE_VALUE_PAIR_PTR AttributeTypeAndValue;
} CSSM_X509_RDN, *CSSM_X509_RDN_PTR;


DESCRIPTION

numberOfPairs

The number of type-value pairs in the Relative Distinguished Name.

AttributeTypeAndValue

A pointer to an array of type-value pairs.

CSSM_X509_NAME

This structure contains a set of Relative Distinguished Names.

typedef struct cssm_x509_name {
    uint32 numberOfRDNs;
    CSSM_X509_RDN_PTR RelativeDistinguishedName;
} CSSM_X509_NAME, *CSSM_X509_NAME_PTR;


DESCRIPTION

numberOfRDNs

The number of Relative Distinguished Names in this set.

RelativeDistinguishedName

A pointer to an array of Relative Distinguished Names.
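The three name structures above are the "bushy" C representation of an X.509 Name; the same field can also be requested in the LDAP string representation (the INTEL_X509_LDAPSTRING_DATATYPE suffix). As an added example, not part of the specification, the C code below walks a CSSM_X509_NAME and renders it as an RFC 2253 string. It assumes RFC 2253 rules for ordering and escaping, minimal stand-ins for the CDSA scalar types, and a small table of attribute-type OIDs; the name structures are copied from the text and the sample name is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the CDSA scalar and buffer types (assumed here; the
 * real definitions come from the CSSM headers). */
typedef uint8_t  uint8;
typedef uint32_t uint32;
typedef struct { uint32 Length; uint8 *Data; } CSSM_DATA;
typedef CSSM_DATA CSSM_OID;
typedef uint8 CSSM_BER_TAG;
#define BER_TAG_PKIX_UTF8_STRING 12
#define BER_TAG_PRINTABLE_STRING 19

/* Name structures as the specification defines them. */
typedef struct cssm_x509_type_value_pair {
    CSSM_OID type;
    CSSM_BER_TAG valueType;
    CSSM_DATA value;
} CSSM_X509_TYPE_VALUE_PAIR, *CSSM_X509_TYPE_VALUE_PAIR_PTR;
typedef struct cssm_x509_rdn {
    uint32 numberOfPairs;
    CSSM_X509_TYPE_VALUE_PAIR_PTR AttributeTypeAndValue;
} CSSM_X509_RDN, *CSSM_X509_RDN_PTR;
typedef struct cssm_x509_name {
    uint32 numberOfRDNs;
    CSSM_X509_RDN_PTR RelativeDistinguishedName;
} CSSM_X509_NAME, *CSSM_X509_NAME_PTR;

/* Attribute types this printer knows: DER content octets of 2.5.4.x. */
static const struct { uint8 oid[3]; const char *name; } ATTR_TYPES[] = {
    { {0x55, 0x04, 0x03}, "CN" }, { {0x55, 0x04, 0x0A}, "O" },
    { {0x55, 0x04, 0x0B}, "OU" }, { {0x55, 0x04, 0x06}, "C" },
};

/* Append n bytes to out at *pos, keeping it NUL-terminated; -1 on overflow. */
static int put(char *out, size_t cap, size_t *pos, const char *s, size_t n) {
    if (*pos + n >= cap) return -1;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* RFC 2253 escaping: ',' '+' '"' '\' '<' '>' ';' anywhere, ' ' or '#' when
 * leading, ' ' when trailing. Without it "Example, Inc." reads back as two
 * attributes, so an unescaped printer can be made to display a forged DN. */
static int put_value(char *out, size_t cap, size_t *pos, const CSSM_DATA *v) {
    for (uint32 k = 0; k < v->Length; k++) {
        char c = (char)v->Data[k];
        int special = (c && strchr(",+\"\\<>;", c) != NULL)
                   || (k == 0 && (c == ' ' || c == '#'))
                   || (k + 1 == v->Length && c == ' ');
        if (special && put(out, cap, pos, "\\", 1)) return -1;
        if (put(out, cap, pos, &c, 1)) return -1;
    }
    return 0;
}

/* Render a CSSM_X509_NAME in RFC 2253 string form: RDNs from the last element
 * of the sequence to the first, values within one RDN joined by '+'.
 * Returns the string length, or -1 on overflow or an unknown attribute type. */
int name_to_ldap_string(const CSSM_X509_NAME *name, char *out, size_t cap) {
    size_t pos = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (uint32 i = name->numberOfRDNs; i > 0; i--) {
        const CSSM_X509_RDN *rdn = &name->RelativeDistinguishedName[i - 1];
        if (i != name->numberOfRDNs && put(out, cap, &pos, ",", 1)) return -1;
        for (uint32 j = 0; j < rdn->numberOfPairs; j++) {
            const CSSM_X509_TYPE_VALUE_PAIR *p = &rdn->AttributeTypeAndValue[j];
            const char *tname = NULL;
            for (size_t t = 0; t < sizeof ATTR_TYPES / sizeof ATTR_TYPES[0]; t++)
                if (p->type.Length == 3 && memcmp(p->type.Data, ATTR_TYPES[t].oid, 3) == 0)
                    tname = ATTR_TYPES[t].name;
            if (!tname) return -1;   /* dotted-decimal fallback not implemented here */
            if (j && put(out, cap, &pos, "+", 1)) return -1;
            if (put(out, cap, &pos, tname, strlen(tname))) return -1;
            if (put(out, cap, &pos, "=", 1)) return -1;
            if (put_value(out, cap, &pos, &p->value)) return -1;
        }
    }
    return (int)pos;
}

/* Constructed sample: C=US, O="Example, Inc.", CN=Example Root CA, stored in
 * ASN.1 order (country first), as a Certificate Library would return it. */
static uint8 oid_c[] = {0x55, 0x04, 0x06}, oid_o[] = {0x55, 0x04, 0x0A}, oid_cn[] = {0x55, 0x04, 0x03};
static uint8 val_c[] = "US", val_o[] = "Example, Inc.", val_cn[] = "Example Root CA";
static CSSM_X509_TYPE_VALUE_PAIR pairs[] = {
    { {3, oid_c},  BER_TAG_PRINTABLE_STRING, {2,  val_c}  },
    { {3, oid_o},  BER_TAG_PKIX_UTF8_STRING, {13, val_o}  },
    { {3, oid_cn}, BER_TAG_PKIX_UTF8_STRING, {15, val_cn} },
};
static CSSM_X509_RDN sample_rdns[] = { {1, &pairs[0]}, {1, &pairs[1]}, {1, &pairs[2]} };
const CSSM_X509_NAME sample_subject = { 3, sample_rdns };

int main(void) {
    char txt[128];
    if (name_to_ldap_string(&sample_subject, txt, sizeof txt) > 0)
        printf("%s\n", txt);   /* CN=Example Root CA,O=Example\, Inc.,C=US */
    return 0;
}
```

The printer refuses attribute types it does not know rather than guessing, and every append is bounds-checked; a string form produced this way is suitable for display and logging, but comparisons of two names should still be done on the structured or DER form, since string rendering loses the valueType tag.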

CSSM_X509_SUBJECT_PUBLIC_KEY_INFO

This structure contains the public key and the description of the verification algorithm appropriate for use with this key.

/* Public key info struct */
typedef struct cssm_x509_subject_public_key_info {
    CSSM_X509_ALGORITHM_IDENTIFIER algorithm;         
    CSSM_DATA subjectPublicKey;   
} CSSM_X509_SUBJECT_PUBLIC_KEY_INFO, *CSSM_X509_SUBJECT_PUBLIC_KEY_INFO_PTR;


DESCRIPTION

algorithm

A substructure containing the algorithm id and input parameters for the algorithm.

subjectPublicKey

The public key material in an industry standard representation appropriate for the keypair type.

CSSM_X509_TIME

Time is represented as a string according to the definitions of GeneralizedTime and UTCTime defined in RFC 2459.

typedef struct cssm_x509_time {
    CSSM_BER_TAG timeType;
    CSSM_DATA time;
} CSSM_X509_TIME, *CSSM_X509_TIME_PTR;


DESCRIPTION

timeType

A tag indicating the type of the time value.

time

The time value.

CSSM_X509_VALIDITY


/* Validity struct */
typedef struct x509_validity {
    CSSM_X509_TIME notBefore;
    CSSM_X509_TIME notAfter;
} CSSM_X509_VALIDITY, *CSSM_X509_VALIDITY_PTR;


DESCRIPTION

notBefore

A CSSM_X509_TIME indicating the beginning of the validity period for a certificate.

notAfter

A CSSM_X509_TIME indicating the end of the validity period for a certificate.

CSSM_X509_OPTION

This data type is used to indicate the presence or absence of an optional field value.

#define CSSM_X509_OPTION_PRESENT CSSM_TRUE
#define CSSM_X509_OPTION_NOT_PRESENT CSSM_FALSE
typedef CSSM_BOOL CSSM_X509_OPTION;


DESCRIPTION

CSSM_X509_OPTION_PRESENT

indicates the value is present

CSSM_X509_OPTION_NOT_PRESENT

indicates the value is not present

CSSM_X509EXT_BASICCONSTRAINTS


typedef struct cssm_x509ext_basicConstraints {
    CSSM_BOOL cA;
    CSSM_X509_OPTION pathLenConstraintPresent;                
    uint32 pathLenConstraint;    
} CSSM_X509EXT_BASICCONSTRAINTS, *CSSM_X509EXT_BASICCONSTRAINTS_PTR;


DESCRIPTION

cA

Indicates whether the certificate identifies a Certification Authority.

pathLenConstraintPresent

Indicates whether the optional pathLenConstraint value is present.

pathLenConstraint

An integer specifying the maximum number of certificates allowed in a verifiable certificate chain including this CA certificate.

CSSM_X509EXT_DATA_FORMAT

This list defines the valid formats for a certificate extension.

typedef enum extension_data_format {
    CSSM_X509_DATAFORMAT_ENCODED = 0,
    CSSM_X509_DATAFORMAT_PARSED,
    CSSM_X509_DATAFORMAT_PAIR,
} CSSM_X509EXT_DATA_FORMAT;


DESCRIPTION

CSSM_X509_DATAFORMAT_ENCODED

Indicates that the extension value is returned as a tag and BER encoded value.

CSSM_X509_DATAFORMAT_PARSED

Indicates that the extension value is in a parsed format associated with the X.509 extension OID. For instance, the parsed representation of an extension with X.509 extension OID CSSMOID_X509ExtBasicConstraints is CSSM_X509EXT_BASICCONSTRAINTS.

CSSM_X509_DATAFORMAT_PAIR

Indicates that the extension value is being returned in two representations, encoded and parsed.

CSSM_X509EXT_TAGandVALUE

This structure contains a BER/DER encoded extension value and the type of that value.

typedef struct cssm_x509_extensionTagAndValue {
    CSSM_BER_TAG type;
    CSSM_DATA value;
} CSSM_X509EXT_TAGandVALUE, *CSSM_X509EXT_TAGandVALUE_PTR;


DESCRIPTION

type

A DER tag indicating the type of the encoded value in the extension.

value

The encoded value stored in the extension.
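BasicConstraints is the natural example of going from the encoded representation (a CSSM_X509EXT_TAGandVALUE) to the parsed one (CSSM_X509EXT_BASICCONSTRAINTS), and it shows why CSSM_X509_OPTION exists: a missing pathLenConstraint must be distinguished from a pathLenConstraint of zero. The C code below is an added example, not part of the specification. It copies the relevant definitions from the text and adds a strict DER TLV reader and a parser that fills cA, pathLenConstraintPresent and pathLenConstraint. It assumes that type in a CSSM_X509EXT_TAGandVALUE holds the tag number of the outer element (BER_TAG_SEQUENCE) and value holds that element's complete DER encoding; the CDSA scalar types are minimal stand-ins and the sample encodings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the CDSA scalar and buffer types (assumed here). */
typedef uint8_t  uint8;
typedef uint32_t uint32;
typedef uint32   CSSM_BOOL;
#define CSSM_TRUE  1
#define CSSM_FALSE 0
typedef struct { uint32 Length; uint8 *Data; } CSSM_DATA;
typedef uint8 CSSM_BER_TAG;

/* Definitions copied from the specification text. */
#define BER_TAG_BOOLEAN  1
#define BER_TAG_INTEGER  2
#define BER_TAG_SEQUENCE 16
#define CSSM_X509_OPTION_PRESENT     CSSM_TRUE
#define CSSM_X509_OPTION_NOT_PRESENT CSSM_FALSE
typedef CSSM_BOOL CSSM_X509_OPTION;
typedef struct cssm_x509ext_basicConstraints {
    CSSM_BOOL cA;
    CSSM_X509_OPTION pathLenConstraintPresent;
    uint32 pathLenConstraint;
} CSSM_X509EXT_BASICCONSTRAINTS;
typedef struct cssm_x509_extensionTagAndValue {
    CSSM_BER_TAG type;
    CSSM_DATA value;
} CSSM_X509EXT_TAGandVALUE;

typedef struct { uint8 tag; const uint8 *val; size_t len; } tlv_t;

/* Assumed helper (not CDSA API): read one DER TLV at *p and advance *p. Rejects
 * high-tag-number form, indefinite and non-minimal lengths and truncated
 * contents, so a malformed extension is refused rather than misread. */
static int der_read(const uint8 **p, const uint8 *end, tlv_t *out) {
    if (end - *p < 2) return -1;
    uint8 tag = (*p)[0], l0 = (*p)[1];
    const uint8 *q = *p + 2;
    size_t len = l0;
    if ((tag & 0x1f) == 0x1f) return -1;
    if (l0 & 0x80) {
        size_t n = l0 & 0x7f, i;
        if (n == 0 || n > sizeof len || (size_t)(end - q) < n || q[0] == 0) return -1;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | q[i];
        if (len < 0x80) return -1;              /* short form was required */
        q += n;
    }
    if ((size_t)(end - q) < len) return -1;      /* truncated contents */
    out->tag = tag; out->val = q; out->len = len;
    *p = q + len;
    return 0;
}

/* Parse BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
 * pathLenConstraint INTEGER (0..MAX) OPTIONAL } into the parsed structure.
 * Returns 0 on success, -1 on any encoding error. */
int parse_basic_constraints(const CSSM_X509EXT_TAGandVALUE *tv,
                            CSSM_X509EXT_BASICCONSTRAINTS *bc) {
    const uint8 *p = tv->value.Data, *end = p + tv->value.Length, *save;
    tlv_t seq, t;
    bc->cA = CSSM_FALSE;
    bc->pathLenConstraintPresent = CSSM_X509_OPTION_NOT_PRESENT;
    bc->pathLenConstraint = 0;
    if (tv->type != BER_TAG_SEQUENCE || der_read(&p, end, &seq) || p != end
        || seq.tag != (0x20 | BER_TAG_SEQUENCE)) return -1;
    p = save = seq.val; end = seq.val + seq.len;
    if (p < end && der_read(&p, end, &t) == 0 && t.tag == BER_TAG_BOOLEAN) {
        /* a DER BOOLEAN is one octet, 0x00 or 0xFF; anything else is invalid */
        if (t.len != 1 || (t.val[0] != 0x00 && t.val[0] != 0xff)) return -1;
        bc->cA = t.val[0] ? CSSM_TRUE : CSSM_FALSE;
    } else {
        p = save;                                /* cA absent: DEFAULT FALSE */
    }
    if (p < end) {
        if (der_read(&p, end, &t) || t.tag != BER_TAG_INTEGER) return -1;
        /* non-negative, minimally encoded INTEGER that fits in a uint32 */
        if (t.len == 0 || t.len > 5 || (t.val[0] & 0x80) || (t.len == 5 && t.val[0] != 0)
            || (t.len > 1 && t.val[0] == 0 && !(t.val[1] & 0x80))) return -1;
        for (size_t i = 0; i < t.len; i++)
            bc->pathLenConstraint = (bc->pathLenConstraint << 8) | t.val[i];
        bc->pathLenConstraintPresent = CSSM_X509_OPTION_PRESENT;
    }
    return p == end ? 0 : -1;                    /* no trailing octets allowed */
}

/* Wrapper for raw bytes (the contents of the extension's extnValue OCTET STRING). */
int parse_bc_bytes(const uint8 *der, size_t n, CSSM_X509EXT_BASICCONSTRAINTS *bc) {
    CSSM_X509EXT_TAGandVALUE tv = { BER_TAG_SEQUENCE, { (uint32)n, (uint8 *)der } };
    return parse_basic_constraints(&tv, bc);
}

int main(void) {
    /* constructed samples: CA with pathLen 0, and an end-entity (empty SEQUENCE) */
    static const uint8 ca[] = { 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00 };
    static const uint8 ee[] = { 0x30, 0x00 };
    CSSM_X509EXT_BASICCONSTRAINTS bc;
    if (parse_bc_bytes(ca, sizeof ca, &bc) == 0)
        printf("cA=%u pathLen present=%u value=%u\n", (unsigned)bc.cA,
               (unsigned)bc.pathLenConstraintPresent, (unsigned)bc.pathLenConstraint);
    printf("end-entity parse result: %d\n", parse_bc_bytes(ee, sizeof ee, &bc));
    return 0;
}
```

A path-validation routine that reads pathLenConstraint without first checking pathLenConstraintPresent would treat "no limit" as "zero intermediates allowed" (or, with uninitialised memory, as an arbitrary limit), which is exactly the confusion the option flag prevents; the strict length checks in der_read reject truncated or padded encodings instead of reading past the buffer.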

CSSM_X509EXT_PAIR

This structure aggregates two extension representations: a tag and value, and a parsed X509 extension representation.

typedef struct cssm_x509ext_pair {
    CSSM_X509EXT_TAGandVALUE tagAndValue;
    void *parsedValue;    
} CSSM_X509EXT_PAIR, *CSSM_X509EXT_PAIR_PTR;


DESCRIPTION

tagAndValue

A CSSM_X509EXT_TAGandVALUE structure.

parsedValue

A pointer to a parsed representation of the extension; the format of the data is determined based on the X509 extension OID specified.

CSSM_X509_EXTENSION

This structure contains a complete certificate extension.

/* Extension structure */
typedef struct cssm_x509_extension {
    CSSM_OID extnId;    
    CSSM_BOOL critical; 
    CSSM_X509EXT_DATA_FORMAT format;
    union cssm_x509ext_value {
        CSSM_X509EXT_TAGandVALUE *tagAndValue;
        void *parsedValue;
        CSSM_X509EXT_PAIR *valuePair;
    } value; 
    CSSM_DATA BERvalue;
} CSSM_X509_EXTENSION, *CSSM_X509_EXTENSION_PTR;


DESCRIPTION

extnId

An OID uniquely naming the extension.

critical

A flag indicating whether the extension is critical. If an extension is critical, then the certificate can not be validly used by any application that does not "understand" the meaning of the extension and its contained value. If an extension is not critical, the certificate can be validly used by any application regardless of its knowledge and use of the extension.

value

A pointer to the extension value represented in the specified format.

BERvalue

A packed, BER/DER encoded representation of the extension value; the encoding includes the extension tag, length and value.

CSSM_X509_EXTENSIONS

This structure contains the set of all certificate extensions contained in a certificate.

typedef struct cssm_x509_extensions {
    uint32 numberOfExtensions;
    CSSM_X509_EXTENSION_PTR extensions;
} CSSM_X509_EXTENSIONS, *CSSM_X509_EXTENSIONS_PTR;


DESCRIPTION

numberOfExtensions

The number of extensions contained in this structure.

extensions

A pointer to a set of CSSM_X509_EXTENSION structures.

CSSM_X509_TBS_CERTIFICATE

This structure contains a complete X.509 certificate.

/* X509V3 certificate structure */
typedef struct cssm_x509_tbs_certificate {
    CSSM_DATA version;            
    CSSM_DATA serialNumber;        
    CSSM_X509_ALGORITHM_IDENTIFIER signature;     
    CSSM_X509_NAME issuer;            
    CSSM_X509_VALIDITY validity;                  
    CSSM_X509_NAME subject;             
    CSSM_X509_SUBJECT_PUBLIC_KEY_INFO subjectPublicKeyInfo;  
    CSSM_DATA issuerUniqueIdentifier;  
    CSSM_DATA subjectUniqueIdentifier; 
    CSSM_X509_EXTENSIONS extensions;         
} CSSM_X509_TBS_CERTIFICATE, *CSSM_X509_TBS_CERTIFICATE_PTR;


DESCRIPTION

version

An optional value indicating whether the certificate is an X.509 V1 certificate, an X.509 V2 certificate or an X.509 V3 certificate. The default version is X.509 V1.

serialNumber

The certificate serial number. The serial number together with the issuer should form a unique identifier for a certificate.

signature

A structure containing the cryptographic algorithm identifier and an optional set of parameters to be used as input to that algorithm to compute the cryptographic signature over the other fields in the certificate.

issuer

A structure containing the Relative Distinguished Name of the entity who issued and signed the certificate.

validity

A structure containing the beginning and end date for valid use of this certificate.

subject

A structure containing the Relative Distinguished Name of the entity that is the subject of this certificate.

subjectPublicKeyInfo

A structure containing the public key of a public-private keypair owned by the certificate subject and the cryptographic algorithm identifier and an optional set of parameters to be used as input to that algorithm when using the public key.

issuerUniqueIdentifier

An optional unique identifier for the issuing entity. If issuerUniqueIdentifier is not specified, issuerUniqueIdentifier.Length = 0 and issuerUniqueIdentifier.Data = NULL.

subjectUniqueIdentifier

An optional unique identifier for the subject entity. If subjectUniqueIdentifier is not specified, subjectUniqueIdentifier.Length = 0 and subjectUniqueIdentifier.Data = NULL.

extensions

An optional set of CSSM_X509_EXTENSION certificate structures. If no extensions are specified, extensions.numberOfExtensions = 0.

CSSM_X509_SIGNATURE

This structure contains a cryptographic digital signature.

/* Signature structure */
typedef struct cssm_x509_signature {
    CSSM_X509_ALGORITHM_IDENTIFIER algorithmIdentifier;
    CSSM_DATA encrypted;
} CSSM_X509_SIGNATURE, *CSSM_X509_SIGNATURE_PTR;


DESCRIPTION

algorithmIdentifier

A structure containing a description of the signing algorithm used to create the digital signature. The signing algorithm indicates the verification algorithm required to verify the signature.

encrypted

The data generated by a signing operation.

CSSM_X509_SIGNED_CERTIFICATE

This structure associates a set of decoded certificate values with the signature covering those values.

/* Signed certificate structure */
typedef struct cssm_x509_signed_certificate {  
    CSSM_X509_TBS_CERTIFICATE certificate;    
    CSSM_X509_SIGNATURE signature;    
} CSSM_X509_SIGNED_CERTIFICATE, *CSSM_X509_SIGNED_CERTIFICATE_PTR;


DESCRIPTION

certificate

A structure containing a decoded representation of an X.509 certificate.

signature

A structure containing the signature over the certificate.

CSSM_X509EXT_POLICYQUALIFIERINFO


typedef struct cssm_x509ext_policyQualifierInfo {
    CSSM_OID policyQualifierId;
    CSSM_DATA value;
} CSSM_X509EXT_POLICYQUALIFIERINFO, *CSSM_X509EXT_POLICYQUALIFIERINFO_PTR;


DESCRIPTION

policyQualifierId

An OID that uniquely identifies a policy.

value

The encoded policy qualifier value; encoding includes the tag and length.

CSSM_X509EXT_POLICYQUALIFIERS


typedef struct cssm_x509ext_policyQualifiers {
    uint32 numberOfPolicyQualifiers;
    CSSM_X509EXT_POLICYQUALIFIERINFO *policyQualifier;
} CSSM_X509EXT_POLICYQUALIFIERS, *CSSM_X509EXT_POLICYQUALIFIERS_PTR;


DESCRIPTION

numberOfPolicyQualifiers

The number of policy qualifiers.

policyQualifier

A pointer to an array of policy qualifier structures.

CSSM_X509EXT_POLICYINFO


typedef struct cssm_x509ext_policyInfo {
    CSSM_OID policyIdentifier;
    CSSM_X509EXT_POLICYQUALIFIERS policyQualifiers;
} CSSM_X509EXT_POLICYINFO, *CSSM_X509EXT_POLICYINFO_PTR;


DESCRIPTION

policyIdentifier

An OID that uniquely identifies a policy.

policyQualifiers

A pointer to a structure that indicates the policy qualifiers associated with the policy identifier.

Certificate OIDs and Certificate Data Structures

This section addresses the association between certificate OIDs and certificate data structures.

The certificate object identifiers indicate selected fields from an X.509 certificate. The object identifier is a required input parameter to "create" certificates, "get" certificate values out of the certificate, or "set" values for a certificate template (in anticipation of creating a certificate). Certificate creation functions accept input values as CSSM_FIELD structures. Each CSSM_FIELD structure contains an OID and a value. The value is contained in a CSSM_DATA structure. A CSSM_DATA structure contains a length and a pointer to the actual data value. The length indicates the number of bytes in the data value. The length is represented as a platform-dependent 32-bit unsigned integer. The data value referenced by the pointer is in one of three encodings: BER/DER, LDAP string, or native (bushy) C language structure.

The CSSM "get" functions accept an OID as input and return a single CSSM_DATA structure. The same use model is applied in this case.

The following table maps the object identifier for a selected set of certificate fields to the structure and format accepted as input by the "create" and "set" operations, and returned as output by the "get" operation.

Certificate OID Name                        Structure and Format of the ->Data entry of a CSSM_DATA structure
------------------------------------------  -----------------------------------------------------------------
X509V3SignedCertificate                     BER/DER-encoded CSSM_X509_SIGNED_CERTIFICATE structure
X509V3SignedCertificateCStruct              CSSM_X509_SIGNED_CERTIFICATE structure
X509V3TbsCertificate                        BER/DER-encoded CSSM_X509_TBS_CERTIFICATE structure
X509V3TbsCertificateCStruct                 CSSM_X509_TBS_CERTIFICATE structure
X509V1Version                               BER Integer
X509V1SerialNumber                          BER Integer
X509V1IssuerName                            BER/DER-encoded CSSM_X509_NAME structure
X509V1IssuerNameCStruct                     CSSM_X509_NAME structure
X509V1IssuerNameLDAP                        LDAP string structure
X509V1ValidityNotBefore                     UTC Time string structure
X509V1ValidityNotAfter                      UTC Time string structure
X509V1SubjectName                           BER/DER-encoded CSSM_X509_NAME structure
X509V1SubjectNameCStruct                    CSSM_X509_NAME structure
X509V1SubjectNameLDAP                       LDAP string structure
CSSMKeyStruct                               CSSM_KEY structure
X509V1SubjectPublicKeyCStruct               CSSM_X509_SUBJECT_PUBLIC_KEY_INFO structure
X509V1SubjectPublicKeyAlgorithm             Algorithm OID
X509V1SubjectPublicKeyAlgorithmParameters   BER/DER-encoded parameters
X509V1SubjectPublicKey                      Byte string
X509V1CertificateIssuerUniqueId             Byte string
X509V1CertificateSubjectUniqueId            Byte string
X509V3CertificateExtensionsStruct           BER/DER-encoded CSSM_X509_EXTENSIONS structure
X509V3CertificateExtensionsCStruct          CSSM_X509_EXTENSIONS structure
X509V3CertificateNumberOfExtensions         Platform-dependent integer
X509V3CertificateExtensionStruct            BER/DER-encoded CSSM_X509_EXTENSION structure
X509V3CertificateExtensionCStruct           CSSM_X509_EXTENSION structure
X509V3CertificateExtensionId                Extension OID
X509V3CertificateExtensionCritical          CSSM_BOOL value
X509V3CertificateExtensionType              CL_DER_TAG_TYPE
X509V3CertificateExtensionValue             Byte string
Certificate Extension OIDs                  CSSM_X509_EXTENSION structure for the extension with the specified Certificate Extension OID

Signature OID Name                          Structure and Format of the ->Data entry of a CSSM_DATA structure
------------------------------------------  -----------------------------------------------------------------
X509V1SignatureStruct                       BER/DER-encoded CSSM_X509_SIGNATURE structure
X509V1SignatureCStruct                      CSSM_X509_SIGNATURE structure
X509V1SignatureAlgorithm                    Algorithm OID
X509V1SignatureAlgorithmParameters          BER/DER-encoded parameters
X509V1Signature                             Byte string

