
2. Public-Key Records

This chapter briefly describes the Erlang records derived from the ASN.1 specifications used to handle public-key infrastructure. The scope is to describe the data type of each component, not its semantics. For the semantics, see the relevant standards and RFCs linked in the sections below.

The records and constant macros described in the following sections are accessed with this include directive:

```erlang
-include_lib("public_key/include/public_key.hrl").
```

2.1 Data Types

The common non-standard Erlang data types used to describe the record fields in the following sections, together with data types that are not defined in the public_key Reference Manual, are as follows:

```erlang
time() = utc_time() | general_time()

utc_time() = {utcTime, "YYMMDDHHMMSSZ"}

general_time() = {generalTime, "YYYYMMDDHHMMSSZ"}

general_name() = {rfc822Name, string()}
               | {dNSName, string()}
               | {x400Address, string()}
               | {directoryName, {rdnSequence, [#'AttributeTypeAndValue'{}]}}
               | {ediPartyName, special_string()}
               | {ediPartyName, special_string(), special_string()}
               | {uniformResourceIdentifier, string()}
               | {ipAddress, string()}
               | {registeredId, oid()}
               | {otherName, term()}

special_string() = {teletexString, string()}
                 | {printableString, string()}
                 | {universalString, string()}
                 | {utf8String, binary()}
                 | {bmpString, string()}

dist_reason() = unused
              | keyCompromise
              | cACompromise
              | affiliationChanged
              | superseded
              | cessationOfOperation
              | certificateHold
              | privilegeWithdrawn
              | aACompromise

OID_macro() = ?OID_name()

OID_name() = atom()
```

2.2 RSA

The Erlang representation of Rivest-Shamir-Adleman (RSA) keys is as follows:

```erlang
#'RSAPublicKey'{
          modulus,       % integer()
          publicExponent % integer()
         }.

#'RSAPrivateKey'{
          version,         % two-prime | multi
          modulus,         % integer()
          publicExponent,  % integer()
          privateExponent, % integer()
          prime1,          % integer()
          prime2,          % integer()
          exponent1,       % integer()
          exponent2,       % integer()
          coefficient,     % integer()
          otherPrimeInfos  % [#'OtherPrimeInfo'{}] | asn1_NOVALUE
         }.

#'OtherPrimeInfo'{
          prime,           % integer()
          exponent,        % integer()
          coefficient      % integer()
         }.
```

2.3 DSA

The Erlang representation of DSA keys and parameters is as follows:

```erlang
#'DSAPrivateKey'{
          version,      % integer()
          p,            % integer()
          q,            % integer()
          g,            % integer()
          y,            % integer()
          x             % integer()
         }.

#'Dss-Parms'{
          p,         % integer()
          q,         % integer()
          g          % integer()
         }.
```

2.4 ECDSA

The Erlang representation of elliptic-curve keys and parameters is as follows:

```erlang
#'ECPrivateKey'{
          version,       % integer()
          privateKey,    % binary()
          parameters,    % {ecParameters, #'ECParameters'{}} |
                         % {namedCurve, Oid::tuple()} |
                         % {implicitlyCA, 'NULL'}
          publicKey      % bitstring()
         }.

#'ECParameters'{
          version,    % integer()
          fieldID,    % #'FieldID'{}
          curve,      % #'Curve'{}
          base,       % binary()
          order,      % integer()
          cofactor    % integer()
         }.

#'Curve'{
          a,        % binary()
          b,        % binary()
          seed      % bitstring() - optional
         }.

#'FieldID'{
          fieldType,    % oid()
          parameters    % depends on fieldType
         }.

#'ECPoint'{
          point %  binary() - the public key
         }.
```

2.5 PKIX Certificates

The Erlang representation of PKIX certificates derived from the ASN.1 specifications for X.509 certificates (RFC 5280), also referred to as the plain type, is as follows:

```erlang
#'Certificate'{
          tbsCertificate,        % #'TBSCertificate'{}
          signatureAlgorithm,    % #'AlgorithmIdentifier'{}
          signature              % bitstring()
         }.

#'TBSCertificate'{
          version,              % v1 | v2 | v3
          serialNumber,         % integer()
          signature,            % #'AlgorithmIdentifier'{}
          issuer,               % {rdnSequence, [#'AttributeTypeAndValue'{}]}
          validity,             % #'Validity'{}
          subject,              % {rdnSequence, [#'AttributeTypeAndValue'{}]}
          subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{}
          issuerUniqueID,       % binary() | asn1_NOVALUE
          subjectUniqueID,      % binary() | asn1_NOVALUE
          extensions            % [#'Extension'{}]
         }.

#'AlgorithmIdentifier'{
          algorithm,  % oid()
          parameters  % der_encoded()
         }.
```

The alternative Erlang representation of PKIX certificates, also referred to as the otp type, is as follows:

```erlang
#'OTPCertificate'{
          tbsCertificate,        % #'OTPTBSCertificate'{}
          signatureAlgorithm,    % #'SignatureAlgorithm'{}
          signature              % bitstring()
         }.

#'OTPTBSCertificate'{
          version,              % v1 | v2 | v3
          serialNumber,         % integer()
          signature,            % #'SignatureAlgorithm'{}
          issuer,               % {rdnSequence, [#'AttributeTypeAndValue'{}]}
          validity,             % #'Validity'{}
          subject,              % {rdnSequence, [#'AttributeTypeAndValue'{}]}
          subjectPublicKeyInfo, % #'OTPSubjectPublicKeyInfo'{}
          issuerUniqueID,       % binary() | asn1_NOVALUE
          subjectUniqueID,      % binary() | asn1_NOVALUE
          extensions            % [#'Extension'{}]
         }.

#'SignatureAlgorithm'{
          algorithm,  % id_signature_algorithm()
          parameters  % asn1_NOVALUE | #'Dss-Parms'{}
         }.
```

id_signature_algorithm() = OID_macro()

The available OID names are as follows:

| OID Name |
|:----|
| id-dsa-with-sha1 |
| id-dsaWithSHA1 (ISO alias OID of the above) |
| md2WithRSAEncryption |
| md5WithRSAEncryption |
| sha1WithRSAEncryption |
| sha-1WithRSAEncryption (ISO alias OID of the above) |
| sha224WithRSAEncryption |
| sha256WithRSAEncryption |
| sha512WithRSAEncryption |
| ecdsa-with-SHA1 |

The data type 'AttributeTypeAndValue' is represented as the following Erlang record:

```erlang
#'AttributeTypeAndValue'{
          type,   % id_attributes()
          value   % term()
         }.
```

The attribute OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-at-name | special_string() |
| id-at-surname | special_string() |
| id-at-givenName | special_string() |
| id-at-initials | special_string() |
| id-at-generationQualifier | special_string() |
| id-at-commonName | special_string() |
| id-at-localityName | special_string() |
| id-at-stateOrProvinceName | special_string() |
| id-at-organizationName | special_string() |
| id-at-title | special_string() |
| id-at-dnQualifier | {printableString, string()} |
| id-at-countryName | {printableString, string()} |
| id-at-serialNumber | {printableString, string()} |
| id-at-pseudonym | special_string() |

The data types 'Validity', 'SubjectPublicKeyInfo', and 'SubjectPublicKeyInfoAlgorithm' are represented as the following Erlang records:

```erlang
#'Validity'{
          notBefore, % time()
          notAfter   % time()
         }.

#'SubjectPublicKeyInfo'{
          algorithm,       % #'AlgorithmIdentifier'{}
          subjectPublicKey % binary()
         }.

#'SubjectPublicKeyInfoAlgorithm'{
          algorithm,  % id_public_key_algorithm()
          parameters  % public_key_params()
         }.
```

The public-key algorithm OID name atoms are as follows:

| OID Name |
|:----|
| rsaEncryption |
| id-dsa |
| dhpublicnumber |
| id-keyExchangeAlgorithm |
| id-ecPublicKey |

The data type 'Extension' is represented as the following Erlang record:

```erlang
#'Extension'{
          extnID,    % id_extensions() | oid()
          critical,  % boolean()
          extnValue  % der_encoded()
         }.
```

id_extensions() is defined in Standard Certificate Extensions, Private Internet Extensions, CRL Extensions, and CRL Entry Extensions below.

2.6 Standard Certificate Extensions

The standard certificate extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-ce-authorityKeyIdentifier | #'AuthorityKeyIdentifier'{} |
| id-ce-subjectKeyIdentifier | oid() |
| id-ce-keyUsage | key_usage() |
| id-ce-privateKeyUsagePeriod | #'PrivateKeyUsagePeriod'{} |
| id-ce-certificatePolicies | #'PolicyInformation'{} |
| id-ce-policyMappings | #'PolicyMappings_SEQOF'{} |
| id-ce-subjectAltName | general_name() |
| id-ce-issuerAltName | general_name() |
| id-ce-subjectDirectoryAttributes | #'Attribute'{} |
| id-ce-basicConstraints | #'BasicConstraints'{} |
| id-ce-nameConstraints | #'NameConstraints'{} |
| id-ce-policyConstraints | #'PolicyConstraints'{} |
| id-ce-extKeyUsage | id_key_purpose() |
| id-ce-cRLDistributionPoints | #'DistributionPoint'{} |
| id-ce-inhibitAnyPolicy | integer() |
| id-ce-freshestCRL | #'DistributionPoint'{} |

Here:

```erlang
key_usage() = digitalSignature
            | nonRepudiation
            | keyEncipherment
            | dataEncipherment
            | keyAgreement
            | keyCertSign
            | cRLSign
            | encipherOnly
            | decipherOnly
```

and for id_key_purpose():

| OID Name |
|:----|
| id-kp-serverAuth |
| id-kp-clientAuth |
| id-kp-codeSigning |
| id-kp-emailProtection |
| id-kp-timestamping |
| id-kp-OCSPSigning |

```erlang
#'AuthorityKeyIdentifier'{
          keyIdentifier,            % oid()
          authorityCertIssuer,      % general_name()
          authorityCertSerialNumber % integer()
         }.

#'PrivateKeyUsagePeriod'{
          notBefore,   % general_time()
          notAfter     % general_time()
         }.

#'PolicyInformation'{
          policyIdentifier,  % oid()
          policyQualifiers   % [#'PolicyQualifierInfo'{}]
         }.

#'PolicyQualifierInfo'{
          policyQualifierId,   % oid()
          qualifier            % string() | #'UserNotice'{}
         }.

#'UserNotice'{
          noticeRef,   % #'NoticeReference'{}
          explicitText % string()
         }.

#'NoticeReference'{
          organization,    % string()
          noticeNumbers    % [integer()]
         }.

#'PolicyMappings_SEQOF'{
          issuerDomainPolicy,  % oid()
          subjectDomainPolicy  % oid()
         }.

#'Attribute'{
          type,  % oid()
          values % [der_encoded()]
         }.

#'BasicConstraints'{
          cA,               % boolean()
          pathLenConstraint % integer()
         }.

#'NameConstraints'{
          permittedSubtrees, % [#'GeneralSubtree'{}]
          excludedSubtrees   % [#'GeneralSubtree'{}]
         }.

#'GeneralSubtree'{
          base,    % general_name()
          minimum, % integer()
          maximum  % integer()
         }.

#'PolicyConstraints'{
          requireExplicitPolicy, % integer()
          inhibitPolicyMapping   % integer()
         }.

#'DistributionPoint'{
          distributionPoint, % {fullName, [general_name()]} |
                             % {nameRelativeToCRLIssuer, [#'AttributeTypeAndValue'{}]}
          reasons,           % [dist_reason()]
          cRLIssuer          % [general_name()]
         }.
```
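The following is an added example, not code from the OTP documentation or from the public_key application itself. It decodes a PEM-encoded certificate into the otp-type records of section 2.5, looks up the subjectAltName, keyUsage and basicConstraints extensions using the value types in the table above, and converts the time() values of section 2.1 into calendar datetimes. The module name cert_summary, its function names, and the assumption that the PEM input holds exactly one certificate are mine.

```erlang
%% Added example (not part of the OTP documentation): decode one PEM certificate
%% into the otp-type records above and extract what a relying party checks.
-module(cert_summary).
-export([summarize/1, time_to_datetime/1]).
-include_lib("public_key/include/public_key.hrl").

%% PemBin: contents of a PEM file holding one certificate (assumed input).
summarize(PemBin) ->
    [{'Certificate', Der, not_encrypted} | _] = public_key:pem_decode(PemBin),
    #'OTPCertificate'{tbsCertificate = TBS} = public_key:pkix_decode_cert(Der, otp),
    #'OTPTBSCertificate'{version = Version,
                         validity = #'Validity'{notBefore = NB, notAfter = NA},
                         extensions = Exts0} = TBS,
    %% A v1 certificate has no extensions field at all: asn1_NOVALUE rather than [].
    Exts = case Exts0 of asn1_NOVALUE -> []; _ -> Exts0 end,
    Now = calendar:universal_time(),
    #{version => Version,
      within_validity => time_to_datetime(NB) =< Now andalso Now =< time_to_datetime(NA),
      dns_sans => dns_sans(Exts),
      key_usage => ext_value(?'id-ce-keyUsage', Exts, []),
      is_ca => is_ca(ext_value(?'id-ce-basicConstraints', Exts, undefined))}.

%% subjectAltName decodes to the general_name() list of section 2.1; keep dNSName only.
dns_sans(Exts) ->
    [Name || {dNSName, Name} <- ext_value(?'id-ce-subjectAltName', Exts, [])].

is_ca(#'BasicConstraints'{cA = CA}) -> CA =:= true;
is_ca(undefined) -> false.

%% Look an extension up by its OID macro; #'Extension'.extnID is the field index.
ext_value(Id, Exts, Default) ->
    case lists:keyfind(Id, #'Extension'.extnID, Exts) of
        #'Extension'{extnValue = Value} -> Value;
        false -> Default
    end.

%% time() from section 2.1. utcTime carries a two-digit year; RFC 5280 maps
%% 50..99 to 19YY and 00..49 to 20YY. generalTime already has four digits.
time_to_datetime({utcTime, [Y1, Y2 | Rest]}) ->
    Century = case list_to_integer([Y1, Y2]) >= 50 of true -> "19"; false -> "20" end,
    time_to_datetime({generalTime, Century ++ [Y1, Y2 | Rest]});
time_to_datetime({generalTime, [Y1, Y2, Y3, Y4, M1, M2, D1, D2, H1, H2, I1, I2, S1, S2, $Z]}) ->
    {{list_to_integer([Y1, Y2, Y3, Y4]), list_to_integer([M1, M2]), list_to_integer([D1, D2])},
     {list_to_integer([H1, H2]), list_to_integer([I1, I2]), list_to_integer([S1, S2])}}.
```

Call it as `cert_summary:summarize(element(2, file:read_file("cert.pem")))`; a certificate whose keyUsage lacks keyCertSign or whose is_ca is false must not be accepted as an issuer even if it chains correctly.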

2.7 Private Internet Extensions

The private internet extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-pe-authorityInfoAccess | #'AccessDescription'{} |
| id-pe-subjectInfoAccess | #'AccessDescription'{} |

```erlang
#'AccessDescription'{
          accessMethod,    % oid()
          accessLocation   % general_name()
         }.
```

2.8 CRL and CRL Extensions Profile

The Erlang representation of the CRL and CRL extensions profile derived from the ASN.1 specifications and RFC 5280 is as follows:

```erlang
#'CertificateList'{
          tbsCertList,        % #'TBSCertList'{}
          signatureAlgorithm, % #'AlgorithmIdentifier'{}
          signature           % bitstring()
         }.

#'TBSCertList'{
          version,             % v2 (if defined)
          signature,           % #'AlgorithmIdentifier'{}
          issuer,              % {rdnSequence, [#'AttributeTypeAndValue'{}]}
          thisUpdate,          % time()
          nextUpdate,          % time()
          revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}]
          crlExtensions        % [#'Extension'{}]
         }.

#'TBSCertList_revokedCertificates_SEQOF'{
          userCertificate,      % integer()
          revocationDate,       % time()
          crlEntryExtensions    % [#'Extension'{}]
         }.
```

CRL Extensions

The CRL extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-ce-authorityKeyIdentifier | #'AuthorityKeyIdentifier'{} |
| id-ce-issuerAltName | {rdnSequence, [#'AttributeTypeAndValue'{}]} |
| id-ce-cRLNumber | integer() |
| id-ce-deltaCRLIndicator | integer() |
| id-ce-issuingDistributionPoint | #'IssuingDistributionPoint'{} |
| id-ce-freshestCRL | #'DistributionPoint'{} |

Here, the data type 'IssuingDistributionPoint' is represented as the following Erlang record:

```erlang
#'IssuingDistributionPoint'{
          distributionPoint,         % {fullName, [general_name()]} |
                                     % {nameRelativeToCRLIssuer, [#'AttributeTypeAndValue'{}]}
          onlyContainsUserCerts,     % boolean()
          onlyContainsCACerts,       % boolean()
          onlySomeReasons,           % [dist_reason()]
          indirectCRL,               % boolean()
          onlyContainsAttributeCerts % boolean()
         }.
```

CRL Entry Extensions

The CRL entry extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-ce-cRLReason | crl_reason() |
| id-ce-holdInstructionCode | oid() |
| id-ce-invalidityDate | general_time() |
| id-ce-certificateIssuer | general_name() |

Here:

```erlang
crl_reason() = unspecified
             | keyCompromise
             | cACompromise
             | affiliationChanged
             | superseded
             | cessationOfOperation
             | certificateHold
             | removeFromCRL
             | privilegeWithdrawn
             | aACompromise
```

PKCS#10 Certification Request

The Erlang representation of PKCS#10 certification requests derived from the ASN.1 specifications and RFC 5280 is as follows:

```erlang
#'CertificationRequest'{
          certificationRequestInfo, % #'CertificationRequestInfo'{}
          signatureAlgorithm,       % #'CertificationRequest_signatureAlgorithm'{}
          signature                 % bitstring()
         }.

#'CertificationRequestInfo'{
          version,       % atom()
          subject,       % {rdnSequence, [#'AttributeTypeAndValue'{}]}
          subjectPKInfo, % #'CertificationRequestInfo_subjectPKInfo'{}
          attributes     % [#'AttributePKCS-10'{}]
         }.

#'CertificationRequestInfo_subjectPKInfo'{
          algorithm,        % #'CertificationRequestInfo_subjectPKInfo_algorithm'{}
          subjectPublicKey  % bitstring()
         }.

#'CertificationRequestInfo_subjectPKInfo_algorithm'{
          algorithm,  % oid()
          parameters  % der_encoded()
         }.

#'CertificationRequest_signatureAlgorithm'{
          algorithm,  % oid()
          parameters  % der_encoded()
         }.

#'AttributePKCS-10'{
          type,   % oid()
          values  % [der_encoded()]
         }.
```
