Common Security: CDSA and CSSM, Version 2 (with corrigenda)
Copyright © 2000 The Open Group
OIDs for X.509 Certificate Library Modules
Overview
This chapter specifies object identifiers and corresponding data
structures for fields of X.509 Certificates and Certificate
Revocation Lists (CRLs). An OID can specify one field or
multiple fields contained in a certificate or CRL.
The OID also indicates the data representation of the field values.
One to three distinct representations are defined for each meaningful
aggregation of certificate field values:
- BER/DER encoded values
  The IETF standard specification of X.509 certificates and
  the BER/DER encoding define one representation for certificate values.
- Native platform encoding of a complex (bushy) data structure
  For performance and when using certificate values locally,
  applications can prefer decoded certificate values stored in
  bushy data structures that are native to the platform.
  C language structures are defined for each named aggregation of
  certificate field values.
- LDAP String format
  The IETF standard format for LDAP strings is a valid representation
  for selected fields of a certificate.
Some certificate fields can be returned to an application in
any of the three formats. Applications specify the desired format
by using distinct OID names. The OID names for a single field
in different representations share a common prefix. The selected
representation is identified by a unique OID suffix. This allows
applications to store tables of the common base and to select
the desired representation at runtime by appending the suffix
corresponding to the desired representation.
Interoperable Format Specifications for X.509
Certificate Library Service Provider X.509 Field OIDs
This section defines the OID names to be used to access
fields in X.509 certificates and CRLs. The format of the
data accessed with each OID is described.
Following sections then describe the OIDs upon which Certificate
and CRL OIDs are based:
Base of the Object Identifier Name Space
This specification defines five object identifiers, which form the base
arcs for Intel Corporation's CDSA name space.
INTEL OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) }
The object identifier INTEL identifies the base arc of the Intel
Corporation name space under the registration authority of the joint ISO
and the International Telegraph and Telephone Consultative Committee.
INTEL_CDSASECURITY OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) CDSA-security (2) }
The object identifier INTEL_CDSASECURITY identifies the base arc for
CDSA object identifiers within the Intel Corporation name space.
The CDSA name space is subdivided into two subarcs:
INTEL_SEC_FORMATS OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) CDSA-security (2) formats (1) }
The object identifier INTEL_SEC_FORMATS identifies the base arc of
object identifiers representing the format or representation of a
CDSA security object within the Intel Corporation CDSA name space.
INTEL_SEC_ALGS OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741) CDSA-security (2) algs (2) 5 }
The object identifier INTEL_SEC_ALGS identifies the base arc of object
identifiers representing the format or representation of CDSA security
algorithms within the Intel Corporation CDSA name space.
A subarc for security object bundles is defined within the CDSA
formats object identifier name space.
INTEL_SEC_OBJECT_BUNDLE OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741)
CDSA-security (2) formats (1) bundle (4) }
The object identifier INTEL_SEC_OBJECT_BUNDLE identifies the base arc
for object identifiers representing bundles of CDSA security objects
within the Intel Corporation CDSA name space.
INTEL_CERT_AND_PRIVATE_KEY_2_0 OBJECT IDENTIFIER ::=
{ joint-iso-ccitt (2) country (16) usa (840) org (1) intel (113741)
CDSA-security (2) formats (1) bundle (4) 1 }
The object identifier INTEL_CERT_AND_PRIVATE_KEY_2_0 identifies a
certificate and private key object contained within a bundle.
Programmatic Definition of Base Object Identifiers
Programmatically these Intel base object identifiers are defined by
the following constants.
#define INTEL 96, 134, 72, 1, 134, 248, 77
#define INTEL_LENGTH 7
#define INTEL_CDSASECURITY INTEL, 2
#define INTEL_CDSASECURITY_LENGTH (INTEL_LENGTH + 1)
#define INTEL_SEC_FORMATS INTEL_CDSASECURITY, 1
#define INTEL_SEC_FORMATS_LENGTH (INTEL_CDSASECURITY_LENGTH + 1)
#define INTEL_SEC_ALGS INTEL_CDSASECURITY, 2, 5
#define INTEL_SEC_ALGS_LENGTH (INTEL_CDSASECURITY_LENGTH + 2)
#define INTEL_SEC_OBJECT_BUNDLE INTEL_SEC_FORMATS, 4
#define INTEL_SEC_OBJECT_BUNDLE_LENGTH (INTEL_SEC_FORMATS_LENGTH + 1)
#define INTEL_CERT_AND_PRIVATE_KEY_2_0 INTEL_SEC_OBJECT_BUNDLE, 1
#define INTEL_CERT_AND_PRIVATE_KEY_2_0_LENGTH (INTEL_SEC_OBJECT_BUNDLE_LENGTH + 1)
Terminology
- BER Integer:
An integer value, base 256, in two's complement form, most significant
digit first, with a minimum number of octets.
Object Identifiers for X.509 V3 Certificates
Base Object Identifiers
This specification defines object identifiers to name fields and sets
of fields within an X.509 certificate. Each object identifier also indicates
the representation for the selected field or fields. Possible representations
include:
- DER encoded value, as defined by the CCITT in Recommendation
  X.208: Specification of Abstract Syntax Notation One (ASN.1), 1988.
- C language structure with values in native platform representation:
  a data structure is defined for each set of fields that can be
  reasonably represented as a C language data structure.
- LDAP String value: an LDAP string representation is defined for
  selected certificate fields.
Object identifiers are defined corresponding to the certificate fields
defined by the X.509 V1 standard and the X.509 V3 standard.
Two primary subarcs are defined for this purpose:
INTEL_X509V3_CERT_R08 OBJECT IDENTIFIER ::= { INTEL_SEC_FORMATS, 1, 1 }
INTEL_X509V3_SIGN_R08 OBJECT IDENTIFIER ::= { INTEL_SEC_FORMATS, 3, 2 }
The object identifier INTEL_X509V3_CERT_R08 identifies the base arc
for object identifiers representing the format and name of one or more
fields contained in an X.509 version 3 certificate. The object identifier
INTEL_X509V3_SIGN_R08 identifies the base arc for object identifiers
representing the format and name of the subfields of a digital signature
contained in an X.509 version 3 certificate.
A subarc for X.509 version 3 certificate extensions is defined under
INTEL_X509V3_CERT_R08 as follows:
INTEL_X509V3_CERT_PRIVATE_EXTENSIONS
OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 50 }
Programmatic Definition of Base Object Identifiers
Programmatically, these object identifiers are defined by the
following constants.
/* Prefix for defining Certificate field OIDs */
#define INTEL_X509V3_CERT_R08 INTEL_SEC_FORMATS, 1, 1
#define INTEL_X509V3_CERT_R08_LENGTH (INTEL_SEC_FORMATS_LENGTH + 2)
/* Prefix for defining Certificate Extension field OIDs */
#define INTEL_X509V3_CERT_PRIVATE_EXTENSIONS INTEL_X509V3_CERT_R08, 50
#define INTEL_X509V3_CERT_PRIVATE_EXTENSIONS_LENGTH (INTEL_X509V3_CERT_R08_LENGTH + 1)
/* Prefix for defining signature field OIDs */
#define INTEL_X509V3_SIGN_R08 INTEL_SEC_FORMATS, 3, 2
#define INTEL_X509V3_SIGN_R08_LENGTH (INTEL_SEC_FORMATS_LENGTH + 2)
/* Suffix specifying format or representation of a field value */
/* Note that if a format suffix is not specified, a flat data
representation is implied */
#define INTEL_X509_C_DATATYPE 1
#define INTEL_X509_LDAPSTRING_DATATYPE 2
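The base-arc constants above are the DER content octets of the dotted OIDs given earlier (96 is 2*40+16; 840 and 113741 are split into base-128 groups), and the prefix/suffix scheme in the Overview lets an application keep a table of base arcs and append the field number and representation suffix at run time. The following added example, which is not code from the specification, carries both operations through in C: it encodes a dotted OID into content octets, checks the result against the INTEL macro, and composes X509V1IssuerNameLDAP from the stored INTEL_X509V3_CERT_R08 base. The macros are copied from this page; oid_encode_dotted, oid_compose and the check functions are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Base-arc and suffix constants exactly as this specification defines them. */
#define INTEL 96, 134, 72, 1, 134, 248, 77
#define INTEL_LENGTH 7
#define INTEL_CDSASECURITY INTEL, 2
#define INTEL_CDSASECURITY_LENGTH (INTEL_LENGTH + 1)
#define INTEL_SEC_FORMATS INTEL_CDSASECURITY, 1
#define INTEL_SEC_FORMATS_LENGTH (INTEL_CDSASECURITY_LENGTH + 1)
#define INTEL_X509V3_CERT_R08 INTEL_SEC_FORMATS, 1, 1
#define INTEL_X509V3_CERT_R08_LENGTH (INTEL_SEC_FORMATS_LENGTH + 2)
#define INTEL_X509_C_DATATYPE 1
#define INTEL_X509_LDAPSTRING_DATATYPE 2

#define OID_MAX_ARCS 32
#define OID_MAX_OCTETS 64

/* Encode one sub-identifier in base 128, most significant group first, with
   the high bit set on every octet except the last (X.690 content octets). */
static size_t encode_subid(uint32_t v, uint8_t *out)
{
    uint8_t rev[5];
    size_t n = 0;
    do { rev[n++] = (uint8_t)(v & 0x7F); v >>= 7; } while (v != 0);
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(rev[n - 1 - i] | (i + 1 < n ? 0x80 : 0x00));
    return n;
}

/* Encode a dotted-decimal OID string into DER content octets (no tag, no
   length). Returns the octet count, or 0 for malformed input or overflow. */
size_t oid_encode_dotted(const char *dotted, uint8_t *out, size_t out_cap)
{
    uint32_t arcs[OID_MAX_ARCS];
    size_t narcs = 0;
    const char *p = dotted;
    while (*p != '\0') {
        char *end;
        if (*p < '0' || *p > '9') return 0;          /* digits only, no sign/space */
        unsigned long v = strtoul(p, &end, 10);
        if (v > 0xFFFFFFFFul || narcs == OID_MAX_ARCS) return 0;
        arcs[narcs++] = (uint32_t)v;
        if (*end == '.') { if (end[1] == '\0') return 0; end++; }
        else if (*end != '\0') return 0;
        p = end;
    }
    /* X.690: the first arc is 0, 1 or 2, and under 0 or 1 the second is <= 39 */
    if (narcs < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    size_t len = 0;
    for (size_t i = 1; i < narcs; i++) {
        uint8_t tmp[5];
        /* the first two arcs share one sub-identifier: 40 * arc0 + arc1 */
        uint32_t v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        size_t n = encode_subid(v, tmp);
        if (len + n > out_cap) return 0;
        memcpy(out + len, tmp, n);
        len += n;
    }
    return len;
}

/* Compose a field OID at run time: stored base arc + field number + optional
   representation suffix (0 means flat/DER, so no suffix octet is appended). */
size_t oid_compose(const uint8_t *base, size_t base_len, uint32_t field,
                   uint32_t suffix, uint8_t *out, size_t out_cap)
{
    if (base_len + 10 > out_cap) return 0;   /* two sub-identifiers, at most 5 octets each */
    memcpy(out, base, base_len);
    size_t len = base_len + encode_subid(field, out + base_len);
    if (suffix != 0) len += encode_subid(suffix, out + len);
    return len;
}

/* Does the dotted form of Intel's arc encode to the #define INTEL octets? */
int intel_constants_match(void)
{
    static const uint8_t expected[INTEL_LENGTH] = { INTEL };
    uint8_t got[OID_MAX_OCTETS];
    size_t n = oid_encode_dotted("2.16.840.1.113741", got, sizeof got);
    return n == INTEL_LENGTH && memcmp(got, expected, n) == 0;
}

/* X509V1IssuerNameLDAP = {INTEL_X509V3_CERT_R08, 5, INTEL_X509_LDAPSTRING_DATATYPE}
   built from the stored base; returns its octet count (13) when it equals the
   fully expanded constant, 0 otherwise. */
size_t issuer_name_ldap_oid_len(void)
{
    static const uint8_t base[INTEL_X509V3_CERT_R08_LENGTH] = { INTEL_X509V3_CERT_R08 };
    static const uint8_t expected[] = { INTEL_X509V3_CERT_R08, 5, INTEL_X509_LDAPSTRING_DATATYPE };
    uint8_t got[OID_MAX_OCTETS];
    size_t n = oid_compose(base, sizeof base, 5, INTEL_X509_LDAPSTRING_DATATYPE, got, sizeof got);
    return (n == sizeof expected && memcmp(got, expected, n) == 0) ? n : 0;
}

/* Malformed dotted strings must be refused rather than silently encoded. */
int rejects_malformed(void)
{
    uint8_t buf[OID_MAX_OCTETS];
    return oid_encode_dotted("not.an.oid", buf, sizeof buf) == 0
        && oid_encode_dotted("3.1", buf, sizeof buf) == 0
        && oid_encode_dotted("1.40", buf, sizeof buf) == 0;
}

int main(void)
{
    uint8_t buf[OID_MAX_OCTETS];
    size_t n = oid_encode_dotted("2.16.840.1.113741", buf, sizeof buf);
    for (size_t i = 0; i < n; i++) printf("%u%s", buf[i], i + 1 < n ? ", " : "\n");
    printf("INTEL constants match: %d\n", intel_constants_match());
    return 0;
}
```

Because every field number and suffix on this page is below 128, each appends a single octet, so the _LENGTH macros stay simple sums; oid_compose still goes through encode_subid so that a larger arc would be encoded correctly rather than truncated.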
Object Identifiers for Fields
This specification defines object identifiers for naming fields of
an X.509 version 3 or X.509 version 1 certificate. The object identifier
also indicates the representation or format of the specific field or
fields from the certificate. The valid representations include:
- Flat data representation. Generally a DER encoded value, as defined by
  the CCITT in Recommendation X.208: Specification of Abstract Syntax
  Notation One (ASN.1), 1988, with the object type tag discarded.
  When an OID indicates a flat data representation of a DER encoded value
  (where the DER encoding includes tag, length and value), the tag of the
  DER encoding is discarded, FieldValue.Length is the length (in bytes) of
  the value, and FieldValue.Data is the value. The length and value are
  contained in a single CSSM_DATA structure.
- C language structure with values in native platform representation. A
  data structure is defined for each set of fields that can be reasonably
  represented as a C language data structure. When an OID indicates
  a C structure, FieldValue.Length is the size (in bytes) of the pointer
  to the C structure, and FieldValue.Data points to the C structure.
- LDAP String value. An LDAP string representation is defined for
  selected certificate fields. When an OID indicates an LDAP string
  representation, FieldValue.Length is the length (in bytes) of the LDAP
  string and FieldValue.Data is the LDAP string. The LDAP string is
  represented as a PrintableString or in a UTF8 encoding as defined in
  LDAP RFC 2253.
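The flat representation above is the one place where a library has to take a DER tag-length-value triple apart and hand back only the value in a CSSM_DATA. The following added example (not code from the specification) does that split in C with the checks a certificate library needs before trusting a length field: it refuses truncated encodings whose declared length runs past the buffer, the indefinite length form, and non-minimal long-form lengths that DER forbids. The CSSM_DATA layout (Length plus Data pointer) is assumed from the FieldValue usage on this page; the sample encodings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t  uint8;
typedef uint32_t uint32;
typedef uint8    CSSM_BER_TAG;           /* universal tag numbers as on this page */
#define BER_TAG_INTEGER      2
#define BER_TAG_OCTET_STRING 4
/* Assumed minimal CSSM_DATA layout: byte length plus pointer to the bytes. */
typedef struct cssm_data { uint32 Length; uint8 *Data; } CSSM_DATA;

/* Split one DER TLV at enc[0..enc_len) into its tag number and a flat
   CSSM_DATA referencing only the value octets, as the flat data
   representation requires. Returns the number of octets the whole TLV
   occupies, or 0 if the encoding is truncated, uses the indefinite length
   form, or is not minimal DER. */
size_t der_to_flat(const uint8 *enc, size_t enc_len, CSSM_BER_TAG *tag, CSSM_DATA *out)
{
    if (enc_len < 2) return 0;
    uint8 id = enc[0];
    if ((id & 0x1F) == 0x1F) return 0;            /* high-tag-number form not handled here */
    size_t pos = 1, vlen;
    uint8 l = enc[pos++];
    if (l < 0x80) {
        vlen = l;                                 /* short form */
    } else {
        size_t nbytes = l & 0x7F;                 /* long form: nbytes of length follow */
        if (nbytes == 0 || nbytes > sizeof(size_t) || pos + nbytes > enc_len) return 0;
        if (enc[pos] == 0) return 0;              /* leading zero octet: not minimal */
        vlen = 0;
        for (size_t i = 0; i < nbytes; i++) vlen = (vlen << 8) | enc[pos + i];
        pos += nbytes;
        if (vlen < 0x80) return 0;                /* long form used where short form fits */
    }
    if (vlen > enc_len - pos) return 0;           /* declared value runs past the buffer */
    if (vlen > UINT32_MAX) return 0;
    *tag = (CSSM_BER_TAG)(id & 0x1F);             /* class and constructed bits dropped */
    out->Length = (uint32)vlen;
    out->Data = (uint8 *)(enc + pos);
    return pos + vlen;
}

/* Constructed sample: INTEGER 5 -> flat value {0x05}, tag 2. Returns the value
   octet on success, a negative code on failure. */
int example_integer_value(void)
{
    static const uint8 der_int[] = { 0x02, 0x01, 0x05 };
    CSSM_BER_TAG tag;
    CSSM_DATA v;
    if (der_to_flat(der_int, sizeof der_int, &tag, &v) != 3) return -1;
    if (tag != BER_TAG_INTEGER || v.Length != 1) return -2;
    return v.Data[0];
}

/* Constructed sample: the length octet claims 5 value bytes but only 1 is present. */
int example_rejects_truncated(void)
{
    static const uint8 bad[] = { 0x02, 0x05, 0x01 };
    CSSM_BER_TAG tag;
    CSSM_DATA v;
    return der_to_flat(bad, sizeof bad, &tag, &v) == 0;
}

/* Constructed sample: OCTET STRING of 130 bytes, which needs the long form 81 82. */
int example_long_form_length(void)
{
    static uint8 der[3 + 130];
    der[0] = 0x04; der[1] = 0x81; der[2] = 0x82;
    memset(der + 3, 0xAB, 130);
    CSSM_BER_TAG tag;
    CSSM_DATA v;
    size_t used = der_to_flat(der, sizeof der, &tag, &v);
    return used == sizeof der && tag == BER_TAG_OCTET_STRING && v.Length == 130;
}
```

The returned CSSM_DATA points into the caller's encoding rather than copying it, which is how FieldValue.Data behaves for the flat form; the caller therefore has to keep the encoded buffer alive for as long as the field value is used.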
Certificate OID Definition
The certificate object identifiers are defined as follows:
- X509V3SignedCertificate OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 0}
- X509V3SignedCertificateCStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 0, INTEL_X509_C_DATATYPE}
- X509V3TbsCertificate OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 1}
- X509V3TbsCertificateCStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 1, INTEL_X509_C_DATATYPE}
- X509V1Version OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 2}
- X509V1SerialNumber OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 3}
- X509V1IssuerName OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 5}
- X509V1IssuerNameCStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 5, INTEL_X509_C_DATATYPE}
- X509V1IssuerNameLDAP OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 5, INTEL_X509_LDAPSTRING_DATATYPE}
- X509V1ValidityNotBefore OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 6}
- X509V1ValidityNotAfter OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 7}
- X509V1SubjectName OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 8}
- X509V1SubjectNameCStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 8, INTEL_X509_C_DATATYPE}
- X509V1SubjectNameLDAP OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 8, INTEL_X509_LDAPSTRING_DATATYPE}
- CSSMKeyStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 20}
- X509V1SubjectPublicKeyCStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 20, INTEL_X509_C_DATATYPE}
- X509V1SubjectPublicKeyAlgorithm OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 9}
- X509V1SubjectPublicKeyAlgorithmParameters OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 18}
- X509V1SubjectPublicKey OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 10}
- X509V1CertificateIssuerUniqueId OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 11}
- X509V1CertificateSubjectUniqueId OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 12}
- X509V3CertificateExtensionsStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 21}
- X509V3CertificateExtensionsCStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 21, INTEL_X509_C_DATATYPE}
- X509V3CertificateNumberOfExtensions OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 14}
- X509V3CertificateExtensionStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 13}
- X509V3CertificateExtensionCStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 13, INTEL_X509_C_DATATYPE}
- X509V3CertificateExtensionId OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 15}
- X509V3CertificateExtensionCritical OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 16}
- X509V3CertificateExtensionType OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 19}
- X509V3CertificateExtensionValue OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 17}
Signature OID Definition
The signature object identifiers for a digital signature are defined
as follows:
- X509V1SignatureStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 0}
- X509V1SignatureCStruct OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 0, INTEL_X509_C_DATATYPE}
- X509V1SignatureAlgorithm OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 1}
- X509V1SignatureAlgorithmParameters OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 3}
- X509V1Signature OBJECT IDENTIFIER ::= {INTEL_X509V3_SIGN_R08, 2}
Extension OID Definition
The X.509 standard extension OIDs can be used to access the associated
certificate (and CRL) extension data.
In addition, Intel has defined and reserved a base object identifier
name space for the definition of new OIDs that name specific,
new certificate extensions.
- INTEL_X509V3_CERT_R08, 50 is reserved for the Extension Contents OID tree
- INTEL_X509V3_CERT_PRIVATE_EXTENSIONS OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_R08, 50}
Under the subarc INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, Intel defines
the following object identifiers:
- SubjectSignatureBitmap OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, 1}
- SubjectPicture OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, 2}
- SubjectEmailAddress OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, 3}
- UseExemptions OBJECT IDENTIFIER ::= {INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, 4}
C Language Data Structures
This section defines the C Language Data Structures for X.509 Certificates
(and CRLs).
CSSM_BER_TAG
This data type defines CSSM programmatic names for the standard DER tags
found in DER-encoded values. These tag values are included in a
structure containing a certificate field value when the DER type
for that field is ambiguous.
typedef uint8 CSSM_BER_TAG;
#define BER_TAG_UNKNOWN 0
#define BER_TAG_BOOLEAN 1
#define BER_TAG_INTEGER 2
#define BER_TAG_BIT_STRING 3
#define BER_TAG_OCTET_STRING 4
#define BER_TAG_NULL 5
#define BER_TAG_OID 6
#define BER_TAG_OBJECT_DESCRIPTOR 7
#define BER_TAG_EXTERNAL 8
#define BER_TAG_REAL 9
#define BER_TAG_ENUMERATED 10
/* 12 to 15 are reserved for future versions of the recommendation */
#define BER_TAG_PKIX_UTF8_STRING 12
#define BER_TAG_SEQUENCE 16
#define BER_TAG_SET 17
#define BER_TAG_NUMERIC_STRING 18
#define BER_TAG_PRINTABLE_STRING 19
#define BER_TAG_T61_STRING 20
#define BER_TAG_TELETEX_STRING BER_TAG_T61_STRING
#define BER_TAG_VIDEOTEX_STRING 21
#define BER_TAG_IA5_STRING 22
#define BER_TAG_UTC_TIME 23
#define BER_TAG_GENERALIZED_TIME 24
#define BER_TAG_GRAPHIC_STRING 25
#define BER_TAG_ISO646_STRING 26
#define BER_TAG_GENERAL_STRING 27
#define BER_TAG_VISIBLE_STRING BER_TAG_ISO646_STRING
/* 28 - are reserved for future versions of the recommendation */
#define BER_TAG_PKIX_UNIVERSAL_STRING 28
#define BER_TAG_PKIX_BMP_STRING 30
CSSM_X509_ALGORITHM_IDENTIFIER
This structure holds an object identifier naming a cryptographic algorithm
and an optional set of parameters to be used as input to that algorithm.
typedef struct cssm_x509_algorithm_identifier {
CSSM_OID algorithm;
CSSM_DATA parameters;
} CSSM_X509_ALGORITHM_IDENTIFIER, *CSSM_X509_ALGORITHM_IDENTIFIER_PTR;
DESCRIPTION
- algorithm
An industry standard OID value naming a cryptographic algorithm.
- parameters
An optional algorithm-specific set of parameters to be used as input
to the algorithm. If no parameters are specified, parameters.Length = 0
and parameters.Data = NULL.
CSSM_X509_TYPE_VALUE_PAIR
This structure contains a type-value pair.
/* X509 Distinguished name structure */
typedef struct cssm_x509_type_value_pair {
CSSM_OID type;
CSSM_BER_TAG valueType; /* The Tag to be used when this value is BER encoded */
CSSM_DATA value;
} CSSM_X509_TYPE_VALUE_PAIR, *CSSM_X509_TYPE_VALUE_PAIR_PTR;
DESCRIPTION
- type
An industry standard OID identifying the type of the value.
- valueType
A tag to be used when the value is encoded.
- value
The data value.
CSSM_X509_RDN
This structure contains a Relative Distinguished Name composed of
an ordered set of type-value pairs.
typedef struct cssm_x509_rdn {
uint32 numberOfPairs;
CSSM_X509_TYPE_VALUE_PAIR_PTR AttributeTypeAndValue;
} CSSM_X509_RDN, *CSSM_X509_RDN_PTR;
DESCRIPTION
- numberOfPairs
The number of type-value pairs in the Relative Distinguished Name.
- AttributeTypeAndValue
A pointer to an array of type-value pairs.
CSSM_X509_NAME
This structure contains a set of Relative Distinguished Names.
typedef struct cssm_x509_name {
uint32 numberOfRDNs;
CSSM_X509_RDN_PTR RelativeDistinguishedName;
} CSSM_X509_NAME, *CSSM_X509_NAME_PTR;
DESCRIPTION
- numberOfRDNs
The number of Relative Distinguished Names in this set.
- RelativeDistinguishedName
A pointer to an array of Relative Distinguished Names.
CSSM_X509_SUBJECT_PUBLIC_KEY_INFO
This structure contains the public key and the description of the
verification algorithm appropriate for use with this key.
/* Public key info struct */
typedef struct cssm_x509_subject_public_key_info {
CSSM_X509_ALGORITHM_IDENTIFIER algorithm;
CSSM_DATA subjectPublicKey;
} CSSM_X509_SUBJECT_PUBLIC_KEY_INFO, *CSSM_X509_SUBJECT_PUBLIC_KEY_INFO_PTR;
DESCRIPTION
- algorithm
A substructure containing the algorithm id and input parameters for
the algorithm.
- subjectPublicKey
The public key material in an industry standard representation appropriate
for the keypair type.
CSSM_X509_TIME
Time is represented as a string according to the definitions of
GeneralizedTime and UTCTime defined in RFC 2459.
typedef struct cssm_x509_time {
CSSM_BER_TAG timeType;
CSSM_DATA time;
} CSSM_X509_TIME, *CSSM_X509_TIME_PTR;
DESCRIPTION
- timeType
A tag indicating the type of the time value.
- time
The time value.
CSSM_X509_VALIDITY
/* Validity struct */
typedef struct x509_validity {
CSSM_X509_TIME notBefore;
CSSM_X509_TIME notAfter;
} CSSM_X509_VALIDITY, *CSSM_X509_VALIDITY_PTR;
DESCRIPTION
- notBefore
A CSSM_X509_TIME indicating the beginning of the validity period for a certificate.
- notAfter
A CSSM_X509_TIME indicating the end of the validity period for a certificate.
CSSM_X509_OPTION
This data type is used to indicate the presence or absence of
an optional field value.
#define CSSM_X509_OPTION_PRESENT CSSM_TRUE
#define CSSM_X509_OPTION_NOT_PRESENT CSSM_FALSE
typedef CSSM_BOOL CSSM_X509_OPTION;
DESCRIPTION
- CSSM_X509_OPTION_PRESENT
indicates the value is present
- CSSM_X509_OPTION_NOT_PRESENT
indicates the value is not present
CSSM_X509EXT_BASICCONSTRAINTS
typedef struct cssm_x509ext_basicConstraints {
CSSM_BOOL cA;
CSSM_X509_OPTION pathLenConstraintPresent;
uint32 pathLenConstraint;
} CSSM_X509EXT_BASICCONSTRAINTS, *CSSM_X509EXT_BASICCONSTRAINTS_PTR;
DESCRIPTION
- cA
Indicates whether the certificate identifies a Certification Authority.
- pathLenConstraintPresent
Indicates whether the optional pathLenConstraint value is present.
- pathLenConstraint
An integer specifying the maximum number of certificates allowed in
a verifiable certificate chain including this CA certificate.
CSSM_X509EXT_DATA_FORMAT
This list defines the valid formats for a certificate extension.
typedef enum extension_data_format {
CSSM_X509_DATAFORMAT_ENCODED = 0,
CSSM_X509_DATAFORMAT_PARSED,
CSSM_X509_DATAFORMAT_PAIR
} CSSM_X509EXT_DATA_FORMAT;
DESCRIPTION
- CSSM_X509_DATAFORMAT_ENCODED
Indicates that the extension value is returned as a tag and BER encoded value.
- CSSM_X509_DATAFORMAT_PARSED
Indicates that the extension value is in a parsed format associated
with the X509 Extension OID. For instance, the parsed representation of
an extension with X509 Extension OID CSSMOID_X509ExtBasicConstraints
is CSSM_X509EXT_BASICCONSTRAINTS.
- CSSM_X509_DATAFORMAT_PAIR
Indicates that the extension value is being returned in two representations,
encoded and parsed.
CSSM_X509EXT_TAGandVALUE
This structure contains a BER/DER encoded extension value and the type
of that value.
typedef struct cssm_x509_extensionTagAndValue {
CSSM_BER_TAG type;
CSSM_DATA value;
} CSSM_X509EXT_TAGandVALUE, *CSSM_X509EXT_TAGandVALUE_PTR;
DESCRIPTION
- type
A DER tag indicating the type of the encoded value in the extension.
- value
The encoded value stored in the extension.
CSSM_X509EXT_PAIR
This structure aggregates two extension representations: a tag and value,
and a parsed X509 extension representation.
typedef struct cssm_x509ext_pair {
CSSM_X509EXT_TAGandVALUE tagAndValue;
void *parsedValue;
} CSSM_X509EXT_PAIR, *CSSM_X509EXT_PAIR_PTR;
DESCRIPTION
- tagAndValue
A CSSM_X509EXT_TAGandVALUE structure.
- parsedValue
A pointer to a parsed representation of the extension; the format of
the data is determined based on the X509 extension OID specified.
CSSM_X509_EXTENSION
This structure contains a complete certificate extension.
/* Extension structure */
typedef struct cssm_x509_extension {
CSSM_OID extnId;
CSSM_BOOL critical;
CSSM_X509EXT_DATA_FORMAT format;
union cssm_x509ext_value {
CSSM_X509EXT_TAGandVALUE *tagAndValue;
void *parsedValue;
CSSM_X509EXT_PAIR *valuePair;
} value;
CSSM_DATA BERvalue;
} CSSM_X509_EXTENSION, *CSSM_X509_EXTENSION_PTR;
DESCRIPTION
- extnId
An OID uniquely naming the extension.
- critical
A flag indicating whether the extension is critical. If an extension
is critical, then the certificate cannot be validly used by
any application that does not "understand" the meaning of the
extension and its contained value. If an extension is not critical,
the certificate can be validly used by any application regardless
of its knowledge and use of the extension.
- value
A pointer to the extension value represented in the specified format.
- BERvalue
A packed, BER/DER encoded representation of the extension value;
the encoding includes the extension tag, length and value.
CSSM_X509_EXTENSIONS
This structure contains the set of all certificate extensions
contained in a certificate.
typedef struct cssm_x509_extensions {
uint32 numberOfExtensions;
CSSM_X509_EXTENSION_PTR extensions;
} CSSM_X509_EXTENSIONS, *CSSM_X509_EXTENSIONS_PTR;
DESCRIPTION
- numberOfExtensions
The number of extensions contained in this structure.
- extensions
A pointer to a set of CSSM_X509_EXTENSION structures.
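The criticality rule in the CSSM_X509_EXTENSION description and the pathLenConstraint field of CSSM_X509EXT_BASICCONSTRAINTS are the two checks an application most often applies when it walks a CA certificate's CSSM_X509_EXTENSIONS. The following added example (not code from the specification) implements them in C over the structures defined on this page: an extension the checker does not recognise is ignored when non-critical and fatal when critical, and a present pathLenConstraint bounds the chain length as the page describes it. The primitive types (CSSM_DATA, CSSM_OID, CSSM_BOOL) are assumed minimal layouts; the basicConstraints OID 2.5.29.19 is the standard X.509 one, the "unknown" extension is the page's own SubjectEmailAddress OID, and the extension arrays are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed primitive CSSM types; layouts follow the Length/Data usage on this page. */
typedef uint8_t  uint8;
typedef uint32_t uint32;
typedef uint32   CSSM_BOOL;
#define CSSM_TRUE  1
#define CSSM_FALSE 0
typedef struct cssm_data { uint32 Length; uint8 *Data; } CSSM_DATA;
typedef CSSM_DATA CSSM_OID;
typedef uint8 CSSM_BER_TAG;
typedef CSSM_BOOL CSSM_X509_OPTION;
#define CSSM_X509_OPTION_PRESENT     CSSM_TRUE
#define CSSM_X509_OPTION_NOT_PRESENT CSSM_FALSE

/* Structures from this page, reproduced so the block stands alone. */
typedef struct cssm_x509ext_basicConstraints {
    CSSM_BOOL cA; CSSM_X509_OPTION pathLenConstraintPresent; uint32 pathLenConstraint;
} CSSM_X509EXT_BASICCONSTRAINTS;
typedef enum extension_data_format {
    CSSM_X509_DATAFORMAT_ENCODED = 0, CSSM_X509_DATAFORMAT_PARSED, CSSM_X509_DATAFORMAT_PAIR
} CSSM_X509EXT_DATA_FORMAT;
typedef struct cssm_x509_extensionTagAndValue { CSSM_BER_TAG type; CSSM_DATA value; } CSSM_X509EXT_TAGandVALUE;
typedef struct cssm_x509ext_pair { CSSM_X509EXT_TAGandVALUE tagAndValue; void *parsedValue; } CSSM_X509EXT_PAIR;
typedef struct cssm_x509_extension {
    CSSM_OID extnId; CSSM_BOOL critical; CSSM_X509EXT_DATA_FORMAT format;
    union { CSSM_X509EXT_TAGandVALUE *tagAndValue; void *parsedValue; CSSM_X509EXT_PAIR *valuePair; } value;
    CSSM_DATA BERvalue;
} CSSM_X509_EXTENSION, *CSSM_X509_EXTENSION_PTR;
typedef struct cssm_x509_extensions { uint32 numberOfExtensions; CSSM_X509_EXTENSION_PTR extensions; } CSSM_X509_EXTENSIONS;

/* id-ce-basicConstraints, 2.5.29.19, as DER content octets: the only extension this checker understands. */
static uint8 bc_bytes[] = { 0x55, 0x1D, 0x13 };
static const CSSM_OID OID_BASIC_CONSTRAINTS = { 3, bc_bytes };
/* SubjectEmailAddress = {INTEL_X509V3_CERT_PRIVATE_EXTENSIONS, 3}, expanded to octets;
   deliberately not understood by this checker. */
static uint8 email_bytes[] = { 96, 134, 72, 1, 134, 248, 77, 2, 1, 1, 1, 50, 3 };
static const CSSM_OID OID_SUBJECT_EMAIL = { 13, email_bytes };

static int oid_equal(const CSSM_OID *a, const CSSM_OID *b)
{ return a->Length == b->Length && memcmp(a->Data, b->Data, a->Length) == 0; }

/* Locate the parsed value whichever of the three formats the library returned. */
static const void *parsed_value(const CSSM_X509_EXTENSION *e)
{
    if (e->format == CSSM_X509_DATAFORMAT_PARSED) return e->value.parsedValue;
    if (e->format == CSSM_X509_DATAFORMAT_PAIR && e->value.valuePair) return e->value.valuePair->parsedValue;
    return NULL;   /* ENCODED only: BERvalue would have to be decoded first */
}

#define EXT_OK                0
#define EXT_UNKNOWN_CRITICAL -1
#define EXT_NOT_CA           -2
#define EXT_PATHLEN_EXCEEDED -3
#define EXT_UNPARSED         -4

/* Walk a CA certificate's extensions. Unrecognised extensions are ignored unless
   critical. chain_len_from_here is the number of certificates in the chain from
   this CA certificate downward, including it, which pathLenConstraint bounds. */
int check_ca_extensions(const CSSM_X509_EXTENSIONS *exts, uint32 chain_len_from_here)
{
    for (uint32 i = 0; i < exts->numberOfExtensions; i++) {
        const CSSM_X509_EXTENSION *e = &exts->extensions[i];
        if (oid_equal(&e->extnId, &OID_BASIC_CONSTRAINTS)) {
            const CSSM_X509EXT_BASICCONSTRAINTS *bc = parsed_value(e);
            if (bc == NULL) return EXT_UNPARSED;
            if (bc->cA != CSSM_TRUE) return EXT_NOT_CA;
            if (bc->pathLenConstraintPresent == CSSM_X509_OPTION_PRESENT &&
                chain_len_from_here > bc->pathLenConstraint) return EXT_PATHLEN_EXCEEDED;
        } else if (e->critical == CSSM_TRUE) {
            return EXT_UNKNOWN_CRITICAL;
        }
    }
    return EXT_OK;
}

/* Constructed sample: a CA certificate carrying basicConstraints {cA, pathLen 1}
   plus the SubjectEmailAddress extension with the given criticality. */
static int run_sample(CSSM_BOOL email_critical, uint32 chain_len)
{
    CSSM_X509EXT_BASICCONSTRAINTS bc = { CSSM_TRUE, CSSM_X509_OPTION_PRESENT, 1 };
    CSSM_X509_EXTENSION ext[2];
    memset(ext, 0, sizeof ext);
    ext[0].extnId = OID_BASIC_CONSTRAINTS; ext[0].critical = CSSM_TRUE;
    ext[0].format = CSSM_X509_DATAFORMAT_PARSED; ext[0].value.parsedValue = &bc;
    ext[1].extnId = OID_SUBJECT_EMAIL; ext[1].critical = email_critical;
    ext[1].format = CSSM_X509_DATAFORMAT_ENCODED;
    CSSM_X509_EXTENSIONS exts = { 2, ext };
    return check_ca_extensions(&exts, chain_len);
}
int example_unknown_critical(void)    { return run_sample(CSSM_TRUE, 1); }   /* EXT_UNKNOWN_CRITICAL */
int example_unknown_noncritical(void) { return run_sample(CSSM_FALSE, 1); }  /* EXT_OK */
int example_pathlen_exceeded(void)    { return run_sample(CSSM_FALSE, 3); }  /* EXT_PATHLEN_EXCEEDED */
```

Comparing extnId by length and bytes rather than by a decoded string avoids accepting an OID whose dotted rendering merely looks the same, and the ENCODED-only case is reported as EXT_UNPARSED instead of being treated as a pass.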
CSSM_X509_TBS_CERTIFICATE
This structure contains a complete X.509 certificate.
/* X509V3 certificate structure */
typedef struct cssm_x509_tbs_certificate {
CSSM_DATA version;
CSSM_DATA serialNumber;
CSSM_X509_ALGORITHM_IDENTIFIER signature;
CSSM_X509_NAME issuer;
CSSM_X509_VALIDITY validity;
CSSM_X509_NAME subject;
CSSM_X509_SUBJECT_PUBLIC_KEY_INFO subjectPublicKeyInfo;
CSSM_DATA issuerUniqueIdentifier;
CSSM_DATA subjectUniqueIdentifier;
CSSM_X509_EXTENSIONS extensions;
} CSSM_X509_TBS_CERTIFICATE, *CSSM_X509_TBS_CERTIFICATE_PTR;
DESCRIPTION
- version
An optional value indicating whether the certificate is an X.509 V1
certificate, an X.509 V2 certificate or an X.509 V3 certificate.
The default version is X.509 V1.
- serialNumber
The certificate serial number. The serial number together with the issuer
should form a unique identifier value for a certificate.
- signature
A structure containing the cryptographic algorithm identifier and
an optional set of parameters to be used as input to that algorithm
to compute the cryptographic signature over the other fields in the
certificate.
- issuer
A structure containing the Relative Distinguished Name of the entity
who issued and signed the certificate.
- validity
A structure containing the beginning and end date for valid use
of this certificate.
- subject
A structure containing the Relative Distinguished Name of the entity
that is the subject of this certificate.
- subjectPublicKeyInfo
A structure containing the public key of a public-private keypair owned
by the certificate subject and the cryptographic algorithm identifier and
an optional set of parameters to be used as input to that algorithm
when using the public key.
- issuerUniqueIdentifier
An optional unique identifier for the issuing entity. If
issuerUniqueIdentifier is not specified, issuerUniqueIdentifier.Length = 0
and issuerUniqueIdentifier.Data = NULL.
- subjectUniqueIdentifier
An optional unique identifier for the subject entity. If
subjectUniqueIdentifier is not specified, subjectUniqueIdentifier.Length = 0
and subjectUniqueIdentifier.Data = NULL.
- extensions
An optional set of CSSM_X509_EXTENSION certificate structures.
If no extensions are specified, extensions.numberOfExtensions = 0.
CSSM_X509_SIGNATURE
This structure contains a cryptographic digital signature.
/* Signature structure */
typedef struct cssm_x509_signature {
CSSM_X509_ALGORITHM_IDENTIFIER algorithmIdentifier;
CSSM_DATA encrypted;
} CSSM_X509_SIGNATURE, *CSSM_X509_SIGNATURE_PTR;
DESCRIPTION
- algorithmIdentifier
A structure containing a description of the signing algorithm used
to create the digital signature. The signing algorithm indicates
the verification algorithm required to verify the signature.
- encrypted
The data generated by a signing operation.
CSSM_X509_SIGNED_CERTIFICATE
This structure associates a set of decoded certificate values with
the signature covering those values.
/* Signed certificate structure */
typedef struct cssm_x509_signed_certificate {
CSSM_X509_TBS_CERTIFICATE certificate;
CSSM_X509_SIGNATURE signature;
} CSSM_X509_SIGNED_CERTIFICATE, *CSSM_X509_SIGNED_CERTIFICATE_PTR;
DESCRIPTION
- certificate
A structure containing a decoded representation of an X.509 certificate.
- signature
A structure containing the signature over the certificate.
CSSM_X509EXT_POLICYQUALIFIERINFO
typedef struct cssm_x509ext_policyQualifierInfo {
CSSM_OID policyQualifierId;
CSSM_DATA value;
} CSSM_X509EXT_POLICYQUALIFIERINFO, *CSSM_X509EXT_POLICYQUALIFIERINFO_PTR;
DESCRIPTION
- policyQualifierId
An OID that uniquely identifies a policy.
- value
The encoded policy qualifier value; encoding includes the tag and length.
CSSM_X509EXT_POLICYQUALIFIERS
typedef struct cssm_x509ext_policyQualifiers {
uint32 numberOfPolicyQualifiers;
CSSM_X509EXT_POLICYQUALIFIERINFO *policyQualifier;
} CSSM_X509EXT_POLICYQUALIFIERS, *CSSM_X509EXT_POLICYQUALIFIERS_PTR;
DESCRIPTION
- numberOfPolicyQualifiers
The number of policy qualifiers.
- policyQualifier
A pointer to an array of policy qualifier structures.
CSSM_X509EXT_POLICYINFO
typedef struct cssm_x509ext_policyInfo {
CSSM_OID policyIdentifier;
CSSM_X509EXT_POLICYQUALIFIERS policyQualifiers;
} CSSM_X509EXT_POLICYINFO, *CSSM_X509EXT_POLICYINFO_PTR;
DESCRIPTION
- policyIdentifier
An OID that uniquely identifies a policy.
- policyQualifiers
A structure that indicates the policy qualifiers
associated with the policy identifier.
Certificate OIDs and Certificate Data Structures
This section addresses the association between certificate OIDs and
certificate data structures.
The certificate object identifiers indicate selected fields from
an X.509 certificate. The object identifier is a required input
parameter to "create" certificates, "get" certificate values out
of the certificate, or "set" values for a certificate template
(in anticipation of creating a certificate). Certificate creation
functions accept input values as CSSM_FIELD structures.
Each CSSM_FIELD structure contains an OID and a value.
The value is contained in a CSSM_DATA structure. A CSSM_DATA structure
contains a length and a pointer to the actual data value.
The length indicates the number of bytes in the data value.
The length is represented as a platform-dependent 32-bit unsigned
integer. The data value referenced by the pointer is in one of
three encodings: BER/DER, LDAP string or native, bushy C language structure.
The CSSM "get" functions accept an OID as input and return a
single CSSM_DATA structure. The same use model is applied in this case.
The following table maps the object identifier for a selected set
of certificate fields to the structure and format accepted as
input by the "create" and "set" operations, and returned as output
by the "get" operation.
Certificate OID Name | Structure and Format of the ->Data entry of a CSSM_DATA structure
---|---
X509V3SignedCertificate | BER/DER-encoded CSSM_X509_SIGNED_CERTIFICATE structure
X509V3SignedCertificateCStruct | CSSM_X509_SIGNED_CERTIFICATE structure
X509V3TbsCertificate | BER/DER-encoded CSSM_X509_TBS_CERTIFICATE structure
X509V3TbsCertificateCStruct | CSSM_X509_TBS_CERTIFICATE structure
X509V1Version | BER Integer
X509V1SerialNumber | BER Integer
X509V1IssuerName | BER/DER-encoded CSSM_X509_NAME structure
X509V1IssuerNameCStruct | CSSM_X509_NAME structure
X509V1IssuerNameLDAP | LDAP string structure
X509V1ValidityNotBefore | UTC Time string structure
X509V1ValidityNotAfter | UTC Time string structure
X509V1SubjectName | BER/DER-encoded CSSM_X509_NAME structure
X509V1SubjectNameCStruct | CSSM_X509_NAME structure
X509V1SubjectNameLDAP | LDAP string structure
CSSMKeyStruct | CSSM_KEY structure
X509V1SubjectPublicKeyCStruct | CSSM_X509_SUBJECT_PUBLIC_KEY_INFO structure
X509V1SubjectPublicKeyAlgorithm | Algorithm OID
X509V1SubjectPublicKeyAlgorithmParameters | BER/DER-encoded parameters
X509V1SubjectPublicKey | Byte string
X509V1CertificateIssuerUniqueId | Byte string
X509V1CertificateSubjectUniqueId | Byte string
X509V3CertificateExtensionsStruct | BER/DER-encoded CSSM_X509_EXTENSIONS structure
X509V3CertificateExtensionsCStruct | CSSM_X509_EXTENSIONS structure
X509V3CertificateNumberOfExtensions | Platform-dependent integer
X509V3CertificateExtensionStruct | BER/DER-encoded CSSM_X509_EXTENSION structure
X509V3CertificateExtensionCStruct | CSSM_X509_EXTENSION structure
X509V3CertificateExtensionId | Extension OID
X509V3CertificateExtensionCritical | CSSM_BOOL value
X509V3CertificateExtensionType | CL_DER_TAG_TYPE
X509V3CertificateExtensionValue | Byte string
Certificate Extension OIDs | CSSM_X509_EXTENSION structure for the extension with the specified Certificate Extension OID

Signature OID Names | Structure and Format of the ->Data entry of a CSSM_DATA structure
---|---
X509V1SignatureStruct | BER/DER-encoded CSSM_X509_SIGNATURE structure
X509V1SignatureCStruct | CSSM_X509_SIGNATURE structure
X509V1SignatureAlgorithm | Algorithm OID
X509V1SignatureAlgorithmParameters | BER/DER-encoded parameters
X509V1Signature | Byte string