Common Security: CDSA and CSSM, Version 2 (with corrigenda)
Copyright © 2000 The Open Group

OIDs for X.509 Certificate Revocation Lists

Base Object Identifiers

The following object identifiers define names for single fields or sets of related fields in an X.509 certificate revocation list (CRL). Each object identifier also indicates the representation for the selected field or fields. Possible representations include:

Object identifiers are defined corresponding to the CRL fields defined by the X.509 V2 standard. One primary subarc is defined for this purpose:

INTEL_X509V2_CRL_R08

OBJECT IDENTIFIER ::= { INTEL_SEC_FORMATS, 2, 1}

Programmatic Definition of Base Object Identifiers

Programmatically these object identifiers are defined by the following constants.

#define INTEL_X509V2_CRL_R08         INTEL_SEC_FORMATS,   2, 1
#define INTEL_X509V2_CRL_R08_LENGTH  INTEL_SEC_FORMATS_LENGTH+2


Object Identifiers for Fields

CRL OIDs

X509V2CRLSignedCrlStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 0 }

X509V2CRLSignedCrlCStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 0, INTEL_X509_C_DATATYPE }

X509V2CRLTbsCertListStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 1 }

X509V2CRLTbsCertListCStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 1, INTEL_X509_C_DATATYPE }

X509V2CRLVersion

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 2 }

X509V1CRLIssuerStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 3 }

X509V1CRLIssuerNameCStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 3, INTEL_X509_C_DATATYPE }

X509V1CRLIssuerNameLDAP

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 3, INTEL_X509_LDAPSTRING_DATATYPE }

X509V1CRLThisUpdate

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 4 }

X509V1CRLNextUpdate

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 5 }

CRL Entry (CRL CertList) OIDs

X509V1CRLRevokedCertificatesStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 7 }

X509V1CRLRevokedCertificatesCStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 7, INTEL_X509_C_DATATYPE }

X509V1CRLNumberOfRevokedCertEntries

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 6 }

X509V1CRLRevokedEntryStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 15 }

X509V1CRLRevokedEntryCStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 15, INTEL_X509_C_DATATYPE }

X509V1CRLRevokedEntrySerialNumber

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 16 }

X509V1CRLRevokedEntryRevocationDate

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 17 }

CRL Entry (CRL CertList) Extension OIDs

X509V2CRLRevokedEntryAllExtensionsStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 18 }

X509V2CRLRevokedEntryAllExtensionsCStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 18, INTEL_X509_C_DATATYPE }

X509V2CRLRevokedEntryNumberOfExtensions

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 20 }

X509V2CRLRevokedEntrySingleExtensionStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 19 }

X509V2CRLRevokedEntrySingleExtensionCStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 19, INTEL_X509_C_DATATYPE }

X509V2CRLRevokedEntryExtensionId

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 21 }

X509V2CRLRevokedEntryExtensionCritical

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 22 }

X509V2CRLRevokedEntryExtensionType

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 23 }

X509V2CRLRevokedEntryExtensionValue

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 24 }

CRL Extension OIDs

X509V2CRLAllExtensionsStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 8 }

X509V2CRLAllExtensionsCStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 8, INTEL_X509_C_DATATYPE }

X509V2CRLNumberOfExtensions

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 10 }

X509V2CRLSingleExtensionStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 9 }

X509V2CRLSingleExtensionCStruct

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 9, INTEL_X509_C_DATATYPE }

X509V2CRLExtensionId

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 11 }

X509V2CRLExtensionCritical

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 12 }

X509V2CRLExtensionType

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 13 }

X509V2CRLExtensionValue

OBJECT IDENTIFIER ::= { INTEL_X509V2_CRL_R08, 14 }

C Language Data Structures for X.509 CRLs

CSSM_X509_REVOKED_CERT_ENTRY

This structure contains a single entry in a certificate revocation list.

/* x509V2 entry in the CRL revokedCertificates sequence */
typedef struct cssm_x509_revoked_cert_entry {
    CSSM_DATA certificateSerialNumber;
    CSSM_X509_TIME revocationDate; 
    CSSM_X509_EXTENSIONS extensions;
} CSSM_X509_REVOKED_CERT_ENTRY, *CSSM_X509_REVOKED_CERT_ENTRY_PTR;


DESCRIPTION

certificateSerialNumber

The serial number of the revoked certificate.

revocationDate

The date on which revocation occurred.

extensions

Optional sequence of CRL extensions. If no extensions are specified, extensions.Length = 0 and extensions.Data = NULL.

CSSM_X509_REVOKED_CERT_LIST

This structure defines an unordered linked list containing certificate revocation nodes. This structure aggregates the records describing revoked certificates.

typedef struct cssm_x509_revoked_cert_list {
    uint32 numberOfRevokedCertEntries;
    CSSM_X509_REVOKED_CERT_ENTRY_PTR revokedCertEntry;
} CSSM_X509_REVOKED_CERT_LIST, *CSSM_X509_REVOKED_CERT_LIST_PTR;


DESCRIPTION

numberOfRevokedCertEntries

Number of revoked certificates in the linked list.

revokedCertEntry

A pointer to the CRL entry describing a revoked certificate.
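As an added example (not part of the CDSA specification), the following C function walks a CSSM_X509_REVOKED_CERT_LIST and reports whether a given serial number is revoked, comparing BER INTEGER contents as length-checked raw bytes. It assumes revokedCertEntry points at a contiguous array of numberOfRevokedCertEntries entries, reduces CSSM_DATA, CSSM_X509_TIME and CSSM_X509_EXTENSIONS to minimal stand-ins, and uses a constructed sample list.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-ins (not from this page): CSSM_DATA is a length + pointer pair;
 * the time and extensions types are reduced to CSSM_DATA since the check ignores them. */
typedef uint32_t uint32;
typedef struct { uint32 Length; uint8_t *Data; } CSSM_DATA;
typedef CSSM_DATA CSSM_X509_TIME;        /* stand-in */
typedef CSSM_DATA CSSM_X509_EXTENSIONS;  /* stand-in */

/* Entry and list structures as defined on this page */
typedef struct cssm_x509_revoked_cert_entry {
    CSSM_DATA certificateSerialNumber;
    CSSM_X509_TIME revocationDate;
    CSSM_X509_EXTENSIONS extensions;
} CSSM_X509_REVOKED_CERT_ENTRY, *CSSM_X509_REVOKED_CERT_ENTRY_PTR;

typedef struct cssm_x509_revoked_cert_list {
    uint32 numberOfRevokedCertEntries;
    CSSM_X509_REVOKED_CERT_ENTRY_PTR revokedCertEntry;
} CSSM_X509_REVOKED_CERT_LIST, *CSSM_X509_REVOKED_CERT_LIST_PTR;

/* Return 1 if serial is listed, 0 otherwise. Serial numbers are BER INTEGER contents:
 * compare raw bytes (never C strings) and require equal lengths, so 0x10 != 0x1001. */
int crl_is_revoked(const CSSM_X509_REVOKED_CERT_LIST *list,
                   const uint8_t *serial, uint32 serialLen)
{
    /* A missing or empty revokedCertificates sequence revokes nothing */
    if (list == NULL || list->revokedCertEntry == NULL || serial == NULL)
        return 0;
    for (uint32 i = 0; i < list->numberOfRevokedCertEntries; i++) {
        const CSSM_DATA *sn = &list->revokedCertEntry[i].certificateSerialNumber;
        if (sn->Data != NULL && sn->Length == serialLen &&
            memcmp(sn->Data, serial, serialLen) == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample list with two revoked serials: 0x1001 and 0x0A.
 * Empty time/extensions follow the page's convention: Length = 0, Data = NULL. */
static uint8_t sn_a[] = { 0x10, 0x01 };
static uint8_t sn_b[] = { 0x0A };
static CSSM_X509_REVOKED_CERT_ENTRY sample_entries[] = {
    { { 2, sn_a }, { 0, NULL }, { 0, NULL } },
    { { 1, sn_b }, { 0, NULL }, { 0, NULL } },
};
static CSSM_X509_REVOKED_CERT_LIST sample_list = { 2, sample_entries };
const CSSM_X509_REVOKED_CERT_LIST *sample_crl_list(void) { return &sample_list; }
```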

CSSM_X509_TBS_CERTLIST

This structure defines a complete, but unsigned certificate revocation list. This includes the header information describing the CRL, and the list of CRL entries identifying the revoked certificates and describing the circumstances of the revocation operation.

/* x509v2 Certificate Revocation List (CRL) (unsigned) structure */
typedef struct cssm_x509_tbs_certlist {
    CSSM_DATA version;  
    CSSM_X509_ALGORITHM_IDENTIFIER signature;
    CSSM_X509_NAME issuer;   
    CSSM_X509_TIME thisUpdate;  
    CSSM_X509_TIME nextUpdate; 
    CSSM_X509_REVOKED_CERT_LIST_PTR revokedCertificates; 
    CSSM_X509_EXTENSIONS extensions; 
} CSSM_X509_TBS_CERTLIST, *CSSM_X509_TBS_CERTLIST_PTR;


DESCRIPTION

version

A BER Integer indicating the CRL version.

signature

A structure specifying the cryptographic signature algorithm and optional parameters that will be used to sign the CRL. This value may be NULL.

issuer

A structure containing relative distinguished name components that form the issuer name.

thisUpdate

The issue-date for this CRL.

nextUpdate

The planned date for issuing the next CRL.

revokedCertificates

A linked list of revoked certificate nodes.

extensions

An optional structure containing extension data that further describes the CRL. If no extensions are specified, extensions.Length = 0 and extensions.Data = NULL.

CSSM_X509_SIGNED_CRL

This structure aggregates an unsigned CRL and a signature over that CRL.

typedef struct cssm_x509_signed_crl {
    CSSM_X509_TBS_CERTLIST tbsCertList;
    CSSM_X509_SIGNATURE signature; 
} CSSM_X509_SIGNED_CRL, *CSSM_X509_SIGNED_CRL_PTR;


DESCRIPTION

tbsCertList

An unsigned structure containing header information describing the CRL and the list of revoked certificates.

signature

A structure containing the signature algorithm and parameters used to sign the tbsCertList and the digital signature generated by that algorithm.

Associating CRL OIDs and CRL Data Structures

The CRL object identifiers indicate selected fields from an X.509 CRL. The object identifier is a required input parameter to "create" CRLs, "get" field values out of the CRL, or "set" values for a CRL template (in anticipation of creating a CRL). CRL creation functions accept input values as CSSM_FIELD structures. Each CSSM_FIELD structure contains an OID and a value. The value is contained in a CSSM_DATA structure, which holds a length and a pointer to the actual data value. The length indicates the number of bytes in the data value and is represented as a platform-dependent 32-bit unsigned integer. The data value referenced by the pointer is in one of three encodings: BER/DER, LDAP string, or native ("bushy") C language structure.

The CSSM "get" functions accept an OID as input and return a single CSSM_DATA structure. The same use model is applied in this case.

The following table maps the object identifier for a selected set of CRL fields to the structure and format accepted as input by the "create" and "set" operations, and returned as output by the "get" operation.

CRL OID Names                                  Structure and Format of the ->Data entry of a CSSM_DATA structure
---------------------------------------------  -----------------------------------------------------------------
X509V2CRLSignedCrlStruct                       BER/DER-encoded CSSM_X509_SIGNED_CRL structure
X509V2CRLSignedCrlCStruct                      CSSM_X509_SIGNED_CRL structure
X509V2CRLTbsCertListStruct                     BER/DER-encoded CSSM_X509_TBS_CERTLIST structure
X509V2CRLTbsCertListCStruct                    CSSM_X509_TBS_CERTLIST structure
X509V2CRLVersion                               BER Integer
X509V1CRLIssuerStruct                          BER/DER-encoded CSSM_X509_NAME structure
X509V1CRLIssuerNameCStruct                     CSSM_X509_NAME structure
X509V1CRLIssuerNameLDAP                        LDAP string
X509V1CRLThisUpdate                            UTC Time string
X509V1CRLNextUpdate                            UTC Time string
X509V1CRLRevokedCertificatesStruct             BER/DER-encoded CSSM_X509_REVOKED_CERT_LIST structure
X509V1CRLRevokedCertificatesCStruct            CSSM_X509_REVOKED_CERT_LIST structure
X509V1CRLNumberOfRevokedCertEntries            Platform-dependent integer
X509V1CRLRevokedEntryStruct                    BER/DER-encoded CSSM_X509_REVOKED_CERT_ENTRY structure
X509V1CRLRevokedEntryCStruct                   CSSM_X509_REVOKED_CERT_ENTRY structure
X509V1CRLRevokedEntrySerialNumber              BER Integer
X509V1CRLRevokedEntryRevocationDate            UTC Time string
X509V2CRLRevokedEntryAllExtensionsStruct       BER/DER-encoded CSSM_X509_EXTENSIONS structure
X509V2CRLRevokedEntryAllExtensionsCStruct      CSSM_X509_EXTENSIONS structure
X509V2CRLRevokedEntryNumberOfExtensions        Platform-dependent integer
X509V2CRLRevokedEntrySingleExtensionStruct     BER/DER-encoded CSSM_X509_EXTENSION structure
X509V2CRLRevokedEntrySingleExtensionCStruct    CSSM_X509_EXTENSION structure
X509V2CRLRevokedEntryExtensionId               Extension OID
X509V2CRLRevokedEntryExtensionCritical         CSSM_BOOL
X509V2CRLRevokedEntryExtensionType             CL_DER_TAG_TYPE
X509V2CRLRevokedEntryExtensionValue            Byte string
X509V2CRLAllExtensionsStruct                   BER/DER-encoded CSSM_X509_EXTENSIONS structure
X509V2CRLAllExtensionsCStruct                  CSSM_X509_EXTENSIONS structure
X509V2CRLNumberOfExtensions                    Platform-dependent integer
X509V2CRLSingleExtensionStruct                 BER/DER-encoded CSSM_X509_EXTENSION structure
X509V2CRLSingleExtensionCStruct                CSSM_X509_EXTENSION structure
X509V2CRLExtensionId                           Extension OID
X509V2CRLExtensionCritical                     CSSM_BOOL
X509V2CRLExtensionType                         CL_DER_TAG_TYPE
X509V2CRLExtensionValue                        Byte string