Public-Key Records
This chapter briefly describes the Erlang records that are derived from the ASN.1 specifications and used to handle public-key infrastructure. Its scope is to describe the data type of each component, not the semantics. For the semantics, see the relevant standards and RFCs linked in the following sections.
Use the following include directive to get access to the records and constant macros described in the following sections:
-include_lib("public_key/include/public_key.hrl").
Data Types
The following are common non-standard Erlang data types used to describe the record fields in the following sections; they are not defined in the public_key reference manual:
time() = utc_time() | general_time()
utc_time() = {utcTime, "YYMMDDHHMMSSZ"}
general_time() = {generalTime, "YYYYMMDDHHMMSSZ"}
general_name() = {rfc822Name, string()} |
{dNSName, string()} |
{x400Address, string()} |
{directoryName, {rdnSequence, [[#'AttributeTypeAndValue'{}]]}} |
{ediPartyName, special_string()} |
{ediPartyName, special_string(), special_string()} |
{uniformResourceIdentifier, string()} |
{iPAddress, string()} |
{registeredId, oid()} |
{otherName, term()}
special_string() = {teletexString, string()} |
{printableString, string()} |
{universalString, string()} |
{utf8String, binary()} |
{bmpString, string()}
dist_reason() = unused | keyCompromise | cACompromise | affiliationChanged |
cessationOfOperation | certificateHold | privilegeWithdrawn | aACompromise
OID_macro() = ?OID_name()
OID_name() = atom()
RSA
The following is the Erlang representation of Rivest-Shamir-Adleman (RSA) keys:
#'RSAPublicKey'{
modulus, % pos_integer()
publicExponent % pos_integer()
}.
#'RSAPrivateKey'{
version, % 'two-prime' | multi
modulus, % pos_integer()
publicExponent, % pos_integer()
privateExponent, % pos_integer()
prime1, % pos_integer()
prime2, % pos_integer()
exponent1, % pos_integer()
exponent2, % pos_integer()
coefficient, % pos_integer()
otherPrimeInfos % [#'OtherPrimeInfo'{}] | asn1_NOVALUE
}.
#'OtherPrimeInfo'{
prime, % pos_integer()
exponent, % pos_integer()
coefficient % pos_integer()
}.
#'RSASSA-PSS-params'{
hashAlgorithm, % #'HashAlgorithm'{}
maskGenAlgorithm, % #'MaskGenAlgorithm'{}
saltLength, % pos_integer()
trailerField % pos_integer()
}.
#'HashAlgorithm'{
algorithm, % oid()
parameters % defaults to asn1_NOVALUE
}.
#'MaskGenAlgorithm'{
algorithm, % oid()
parameters % defaults to asn1_NOVALUE
}.
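The following module is an added example, not code from the OTP documentation. It shows two things a practitioner does with these records: an arithmetic consistency check on the CRT fields of an #'RSAPrivateKey'{} before trusting a key that came from outside (an uploaded PEM, a key restored from backup), and the correspondence between an #'RSASSA-PSS-params'{} record and the options passed to public_key:sign/4 and public_key:verify/5. The message is constructed; ?'id-sha256' and ?'id-mgf1' are assumed to be the PKCS-1 OID macros exported by public_key.hrl, and the key size and exponent are arbitrary choices.

```erlang
-module(rsa_key_demo).
-export([run/0, check_private_key/1, pss_sign/2, pss_verify/3]).
-include_lib("public_key/include/public_key.hrl").

%% Consistency of a two-prime #'RSAPrivateKey'{}. Inconsistent CRT
%% components make CRT signing produce wrong signatures, and a wrong
%% signature next to a correct one over the same input lets an attacker
%% factor n (the classic RSA-CRT fault attack), so reject such keys early.
check_private_key(#'RSAPrivateKey'{version = 'two-prime',
                                   modulus = N, publicExponent = E,
                                   privateExponent = D,
                                   prime1 = P, prime2 = Q,
                                   exponent1 = DP, exponent2 = DQ,
                                   coefficient = QInv}) ->
    N =:= P * Q
        andalso DP =:= D rem (P - 1)
        andalso DQ =:= D rem (Q - 1)
        andalso (Q * QInv) rem P =:= 1
        andalso (E * D) rem lcm(P - 1, Q - 1) =:= 1;
check_private_key(#'RSAPrivateKey'{}) ->
    false. % multi-prime keys are not covered by this check

gcd(A, 0) -> A;
gcd(A, B) -> gcd(B, A rem B).
lcm(A, B) -> A * B div gcd(A, B).

%% The PSS parameter record as it would appear inside an AlgorithmIdentifier
%% for id-RSASSA-PSS (SHA-256, MGF1 with SHA-256, 32-byte salt).
pss_params() ->
    #'RSASSA-PSS-params'{
       hashAlgorithm    = #'HashAlgorithm'{algorithm = ?'id-sha256'},
       maskGenAlgorithm = #'MaskGenAlgorithm'{
                            algorithm  = ?'id-mgf1',
                            parameters = #'HashAlgorithm'{algorithm = ?'id-sha256'}},
       saltLength   = 32,
       trailerField = 1}.

%% The run-time options that express the same parameters to crypto.
pss_opts(#'RSASSA-PSS-params'{saltLength = SaltLen}) ->
    [{rsa_padding, rsa_pkcs1_pss_padding},
     {rsa_mgf1_md, sha256},
     {rsa_pss_saltlen, SaltLen}].

pss_sign(Msg, Key) ->
    public_key:sign(Msg, sha256, Key, pss_opts(pss_params())).

pss_verify(Msg, Sig, Pub) ->
    public_key:verify(Msg, sha256, Sig, Pub, pss_opts(pss_params())).

run() ->
    Key = #'RSAPrivateKey'{modulus = N, publicExponent = E} =
        public_key:generate_key({rsa, 2048, 65537}),
    Pub = #'RSAPublicKey'{modulus = N, publicExponent = E},
    true  = check_private_key(Key),
    %% A corrupted CRT exponent is detected.
    Bad = Key#'RSAPrivateKey'{exponent1 = Key#'RSAPrivateKey'.exponent1 + 1},
    false = check_private_key(Bad),
    Msg = <<"constructed sample message">>, % constructed input
    Sig = pss_sign(Msg, Key),
    true  = pss_verify(Msg, Sig, Pub),
    %% A PSS signature is not a PKCS#1 v1.5 signature: the default
    %% (v1.5) verification must reject it.
    false = public_key:verify(Msg, sha256, Sig, Pub),
    ok.
```

Run with `rsa_key_demo:run().` in an Erlang shell; it returns `ok` when every check passes and crashes with a badmatch on the first check that does not.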
DSA
The following is the Erlang representation of Digital Signature Algorithm (DSA) keys:
#'DSAPrivateKey'{
version, % pos_integer()
p, % pos_integer()
q, % pos_integer()
g, % pos_integer()
y, % pos_integer()
x % pos_integer()
}.
#'Dss-Parms'{
p, % pos_integer()
q, % pos_integer()
g % pos_integer()
}.
ECDSA and EdDSA
The following is the Erlang representation of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA) keys. Both use the same private-key record; for EdDSA keys the parameters field is {namedCurve, ?'id-Ed25519' | ?'id-Ed448'}:
#'ECPrivateKey'{
version, % pos_integer()
privateKey, % binary()
parameters, % {ecParameters, #'ECParameters'{}} |
% {namedCurve, Oid::tuple()} |
% {implicitlyCA, 'NULL'}
publicKey % bitstring()
}.
#'ECParameters'{
version, % pos_integer()
fieldID, % #'FieldID'{}
curve, % #'Curve'{}
base, % binary()
order, % pos_integer()
cofactor % pos_integer()
}.
#'Curve'{
a, % binary()
b, % binary()
seed % bitstring() - optional
}.
#'FieldID'{
fieldType, % oid()
parameters % Depending on fieldType
}.
#'ECPoint'{
point % binary() - the public key
}.
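The following is an added example, not code from the OTP documentation. It generates one ECDSA key on P-256 and one Ed25519 key, both as #'ECPrivateKey'{} records, derives the {#'ECPoint'{}, Parameters} term that public_key:verify/4 expects from each, and shows that the EdDSA key is used with digest type `none`. It assumes OTP 23 or later (EdDSA support in public_key); the message is constructed and ?'secp256r1' and ?'id-Ed25519' are the curve OID macros from public_key.hrl.

```erlang
-module(ec_key_demo).
-export([run/0, public_part/1]).
-include_lib("public_key/include/public_key.hrl").

%% Turn an #'ECPrivateKey'{} into the public-key term public_key:verify/4
%% expects: {#'ECPoint'{}, Parameters}. Works for both ECDSA (named
%% Weierstrass curve) and EdDSA keys, because both use the same record.
public_part(#'ECPrivateKey'{parameters = Params, publicKey = Pub}) ->
    {#'ECPoint'{point = Pub}, Params}.

run() ->
    Msg = <<"constructed sample message">>, % constructed input

    %% ECDSA on P-256. The stored point is the uncompressed SEC 1 form
    %% 0x04 || X || Y, so 65 bytes for a 256-bit curve.
    EcKey = #'ECPrivateKey'{parameters = {namedCurve, ?'secp256r1'},
                            publicKey  = Point} =
        public_key:generate_key({namedCurve, ?'secp256r1'}),
    <<4, _X:32/binary, _Y:32/binary>> = Point,
    EcSig = public_key:sign(Msg, sha256, EcKey),
    true  = public_key:verify(Msg, sha256, EcSig, public_part(EcKey)),

    %% EdDSA on Ed25519: same record, curve named by OID. The digest type
    %% is `none` because Ed25519 hashes the message internally.
    EdKey = #'ECPrivateKey'{parameters = {namedCurve, ?'id-Ed25519'},
                            privateKey = Seed, publicKey = EdPub} =
        public_key:generate_key({namedCurve, ?'id-Ed25519'}),
    32 = byte_size(Seed),
    32 = byte_size(EdPub),
    EdSig = public_key:sign(Msg, none, EdKey),
    64    = byte_size(EdSig),
    true  = public_key:verify(Msg, none, EdSig, public_part(EdKey)),

    %% Any change to the message invalidates both signatures.
    Tampered = <<Msg/binary, "!">>,
    false = public_key:verify(Tampered, sha256, EcSig, public_part(EcKey)),
    false = public_key:verify(Tampered, none, EdSig, public_part(EdKey)),
    ok.
```

Note that a key's curve is carried in the record, not implied by the point length: always dispatch on the parameters field, never on byte_size(publicKey), when deciding how to verify.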
PKIX Certificates
The following is the Erlang representation of PKIX certificates derived from the ASN.1 specification; see also X.509 certificates (RFC 5280). This is also called the plain type:
#'Certificate'{
tbsCertificate, % #'TBSCertificate'{}
signatureAlgorithm, % #'AlgorithmIdentifier'{}
signature % bitstring()
}.
#'TBSCertificate'{
version, % v1 | v2 | v3
serialNumber, % pos_integer()
signature, % #'AlgorithmIdentifier'{}
issuer, % {rdnSequence, [[#'AttributeTypeAndValue'{}]]}
validity, % #'Validity'{}
subject, % {rdnSequence, [[#'AttributeTypeAndValue'{}]]}
subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{}
issuerUniqueID, % binary() | asn1_NOVALUE
subjectUniqueID, % binary() | asn1_NOVALUE
extensions % [#'Extension'{}]
}.
#'AlgorithmIdentifier'{
algorithm, % oid()
parameters % der_encoded()
}.
The following is an alternative Erlang representation of PKIX certificates, also called the otp type. It differs from the plain type in that attribute values, algorithm parameters and extension values are decoded into Erlang terms instead of being left as DER:
#'OTPCertificate'{
tbsCertificate, % #'OTPTBSCertificate'{}
signatureAlgorithm, % #'SignatureAlgorithm'{}
signature % bitstring()
}.
#'OTPTBSCertificate'{
version, % v1 | v2 | v3
serialNumber, % pos_integer()
signature, % #'SignatureAlgorithm'{}
issuer, % {rdnSequence, [[#'AttributeTypeAndValue'{}]]}
validity, % #'Validity'{}
subject, % {rdnSequence, [[#'AttributeTypeAndValue'{}]]}
subjectPublicKeyInfo, % #'OTPSubjectPublicKeyInfo'{}
issuerUniqueID, % binary() | asn1_NOVALUE
subjectUniqueID, % binary() | asn1_NOVALUE
extensions % [#'Extension'{}]
}.
#'SignatureAlgorithm'{
algorithm, % id_signature_algorithm()
parameters % asn1_NOVALUE | #'Dss-Parms'{}
}.
id_signature_algorithm() = OID_macro()
The available OID names are as follows:
OID Name |
---|
id-dsa-with-sha1 |
id-dsaWithSHA1 (ISO alias of the above) |
md2WithRSAEncryption |
md5WithRSAEncryption |
sha1WithRSAEncryption |
sha-1WithRSAEncryption (ISO alias of the above) |
sha224WithRSAEncryption |
sha256WithRSAEncryption |
sha512WithRSAEncryption |
ecdsa-with-SHA1 |
Table: Signature algorithm OIDs
The data type 'AttributeTypeAndValue' is represented as the following Erlang record:
#'AttributeTypeAndValue'{
type, % id_attributes()
value % term()
}.
The attribute OID name atoms and their corresponding value types are as follows:
OID Name | Value Type |
---|---|
id-at-name | special_string() |
id-at-surname | special_string() |
id-at-givenName | special_string() |
id-at-initials | special_string() |
id-at-generationQualifier | special_string() |
id-at-commonName | special_string() |
id-at-localityName | special_string() |
id-at-stateOrProvinceName | special_string() |
id-at-organizationName | special_string() |
id-at-title | special_string() |
id-at-dnQualifier | {printableString, string()} |
id-at-countryName | {printableString, string()} |
id-at-serialNumber | {printableString, string()} |
id-at-pseudonym | special_string() |
Table: Attribute OIDs
The data types 'Validity', 'SubjectPublicKeyInfo' and 'SubjectPublicKeyInfoAlgorithm' are represented as the following Erlang records:
#'Validity'{
notBefore, % time()
notAfter % time()
}.
#'SubjectPublicKeyInfo'{
algorithm, % #'AlgorithmIdentifier'{}
subjectPublicKey % binary()
}.
#'SubjectPublicKeyInfoAlgorithm'{
algorithm, % id_public_key_algorithm()
parameters % public_key_params()
}.
The public-key algorithm OID name atoms are as follows:
OID Name |
---|
rsaEncryption |
id-dsa |
dhpublicnumber |
id-keyExchangeAlgorithm |
id-ecPublicKey |
Table: Public-key algorithm OIDs
#'Extension'{
extnID, % id_extensions() | oid()
critical, % boolean()
extnValue % der_encoded()
}.
id_extensions() is the union of the standard certificate extensions, the private Internet extensions, the CRL extensions and the CRL entry extensions listed below. In the plain type, extnValue is the DER of the extension body; in the otp type it is decoded to the value type given in the tables.
Standard Certificate Extensions
The standard certificate extension OID name atoms and their corresponding value types (as decoded in the otp type) are as follows:
OID Name | Value Type |
---|---|
id-ce-authorityKeyIdentifier | #'AuthorityKeyIdentifier'{} |
id-ce-subjectKeyIdentifier | binary() |
id-ce-keyUsage | [key_usage()] |
id-ce-privateKeyUsagePeriod | #'PrivateKeyUsagePeriod'{} |
id-ce-certificatePolicies | [#'PolicyInformation'{}] |
id-ce-policyMappings | [#'PolicyMappings_SEQOF'{}] |
id-ce-subjectAltName | [general_name()] |
id-ce-issuerAltName | [general_name()] |
id-ce-subjectDirectoryAttributes | [#'Attribute'{}] |
id-ce-basicConstraints | #'BasicConstraints'{} |
id-ce-nameConstraints | #'NameConstraints'{} |
id-ce-policyConstraints | #'PolicyConstraints'{} |
id-ce-extKeyUsage | [id_key_purpose()] |
id-ce-cRLDistributionPoints | [#'DistributionPoint'{}] |
id-ce-inhibitAnyPolicy | non_neg_integer() |
id-ce-freshestCRL | [#'DistributionPoint'{}] |
Table: Standard certificate extensions
where
key_usage() = digitalSignature | nonRepudiation | keyEncipherment
| dataEncipherment | keyAgreement | keyCertSign
| cRLSign | encipherOnly | decipherOnly
and for id_key_purpose():
OID Name |
---|
id-kp-serverAuth |
id-kp-clientAuth |
id-kp-codeSigning |
id-kp-emailProtection |
id-kp-timeStamping |
id-kp-OCSPSigning |
Table: Key purpose OIDs
#'AuthorityKeyIdentifier'{
keyIdentifier, % binary() | asn1_NOVALUE
authorityCertIssuer, % [general_name()] | asn1_NOVALUE
authorityCertSerialNumber % pos_integer() | asn1_NOVALUE
}.
#'PrivateKeyUsagePeriod'{
notBefore, % general_time()
notAfter % general_time()
}.
#'PolicyInformation'{
policyIdentifier, % oid()
policyQualifiers % [#PolicyQualifierInfo{}]
}.
#'PolicyQualifierInfo'{
policyQualifierId, % oid()
qualifier % string() | #'UserNotice'{}
}.
#'UserNotice'{
noticeRef, % #'NoticeReference'{}
explicitText % string()
}.
#'NoticeReference'{
organization, % string()
noticeNumbers % [pos_integer()]
}.
#'PolicyMappings_SEQOF'{
issuerDomainPolicy, % oid()
subjectDomainPolicy % oid()
}.
#'Attribute'{
type, % oid()
values % [der_encoded()]
}.
#'BasicConstraints'{
cA, % boolean()
pathLenConstraint % non_neg_integer() | asn1_NOVALUE
}.
#'NameConstraints'{
permittedSubtrees, % [#'GeneralSubtree'{}]
excludedSubtrees % [#'GeneralSubtree'{}]
}.
#'GeneralSubtree'{
base, % general_name()
minimum, % pos_integer()
maximum % pos_integer()
}.
#'PolicyConstraints'{
requireExplicitPolicy, % pos_integer()
inhibitPolicyMapping % pos_integer()
}.
#'DistributionPoint'{
distributionPoint, % {fullName, [general_name()]} | {nameRelativeToCRLIssuer, [#'AttributeTypeAndValue'{}]}
reasons, % [dist_reason()]
cRLIssuer % [general_name()]
}.
Private Internet Extensions
The private Internet extension OID name atoms and their corresponding value types are as follows:
OID Name | Value Type |
---|---|
id-pe-authorityInfoAccess | [#'AccessDescription'{}] |
id-pe-subjectInfoAccess | [#'AccessDescription'{}] |
Table: Private Internet extensions
#'AccessDescription'{
accessMethod, % oid()
accessLocation % general_name()
}.
CRLs and CRL Extension Profiles
The following is the Erlang representation of CRLs and the CRL extension profile, derived from the ASN.1 specification and RFC 5280:
#'CertificateList'{
tbsCertList, % #'TBSCertList'{}
signatureAlgorithm, % #'AlgorithmIdentifier'{}
signature % bitstring()
}.
#'TBSCertList'{
version, % v2 (if defined)
signature, % #'AlgorithmIdentifier'{}
issuer, % {rdnSequence, [[#'AttributeTypeAndValue'{}]]}
thisUpdate, % time()
nextUpdate, % time()
revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}]
crlExtensions % [#'Extension'{}]
}.
#'TBSCertList_revokedCertificates_SEQOF'{
userCertificate, % pos_integer()
revocationDate, % time()
crlEntryExtensions % [#'Extension'{}]
}.
CRL Extensions
The CRL extension OID name atoms and their corresponding value types are as follows:
OID Name | Value Type |
---|---|
id-ce-authorityKeyIdentifier | #'AuthorityKeyIdentifier'{} |
id-ce-issuerAltName | [general_name()] |
id-ce-cRLNumber | non_neg_integer() |
id-ce-deltaCRLIndicator | non_neg_integer() |
id-ce-issuingDistributionPoint | #'IssuingDistributionPoint'{} |
id-ce-freshestCRL | [#'DistributionPoint'{}] |
Table: CRL extensions
Here, the data type 'IssuingDistributionPoint' is represented as the following Erlang record:
#'IssuingDistributionPoint'{
distributionPoint, % {fullName, [general_name()]} | {nameRelativeToCRLIssuer, [#'AttributeTypeAndValue'{}]}
onlyContainsUserCerts, % boolean()
onlyContainsCACerts, % boolean()
onlySomeReasons, % [dist_reason()]
indirectCRL, % boolean()
onlyContainsAttributeCerts % boolean()
}.
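The following module is an added example, not code from the OTP documentation. It builds a CRL from the plain-form records above, revoking a constructed list of serial numbers with a cRLReason entry extension and a cRLNumber CRL extension, signs it, and then looks up a serial number in the DER CRL after checking the CRL signature against the issuer's public key. Because CRLs are only handled in plain form, attribute values, algorithm parameters and extension values are DER binaries here: <<5, 0>> is the DER of ASN.1 NULL. The issuer name, dates and serial numbers are constructed, and the 'CRLReason', 'CRLNumber' and 'X520CommonName' ASN.1 type names are assumed to be those of the compiled PKIX modules shipped with public_key.

```erlang
-module(crl_demo).
-export([run/0, build/2, revoked_reason/3]).
-include_lib("public_key/include/public_key.hrl").

%% Plain-form name: the attribute value is DER, not {utf8String, ...}.
cn(Name) ->
    {rdnSequence,
     [[#'AttributeTypeAndValue'{
          type  = ?'id-at-commonName',
          value = public_key:der_encode('X520CommonName', {utf8String, Name})}]]}.

%% Plain-form AlgorithmIdentifier; parameters carry DER (NULL for RSA).
sha256_rsa() ->
    #'AlgorithmIdentifier'{algorithm = ?'sha256WithRSAEncryption',
                           parameters = <<5, 0>>}.

%% Sign a CRL with the issuer key, revoking Serials for key compromise.
build(Key, Serials) ->
    Entries =
        [#'TBSCertList_revokedCertificates_SEQOF'{
            userCertificate = S,
            revocationDate  = {utcTime, "240601120000Z"},
            crlEntryExtensions =
                [#'Extension'{extnID    = ?'id-ce-cRLReason',
                              critical  = false,
                              extnValue = public_key:der_encode('CRLReason',
                                                                keyCompromise)}]}
         || S <- Serials],
    TBS = #'TBSCertList'{
             version    = v2,
             signature  = sha256_rsa(),
             issuer     = cn(<<"Demo CA">>),
             thisUpdate = {utcTime, "240601120000Z"},
             nextUpdate = {utcTime, "240608120000Z"},
             revokedCertificates = Entries,
             crlExtensions =
                 [#'Extension'{extnID    = ?'id-ce-cRLNumber',
                               critical  = false,
                               extnValue = public_key:der_encode('CRLNumber', 7)}]},
    TbsDer = public_key:der_encode('TBSCertList', TBS),
    Sig    = public_key:sign(TbsDer, sha256, Key),
    public_key:der_encode('CertificateList',
                          #'CertificateList'{tbsCertList        = TBS,
                                             signatureAlgorithm = sha256_rsa(),
                                             signature          = Sig}).

%% OPTIONAL SEQUENCE OF fields decode to asn1_NOVALUE when absent.
list_of(asn1_NOVALUE) -> [];
list_of(L) when is_list(L) -> L.

%% Verify the CRL signature with the issuer's public key, then look Serial
%% up. Returns not_revoked, or the crl_reason() atom of the entry
%% (unspecified when the entry carries no cRLReason extension).
revoked_reason(CrlDer, IssuerPub, Serial) ->
    #'CertificateList'{tbsCertList = TBS, signature = Sig} =
        public_key:der_decode('CertificateList', CrlDer),
    true = public_key:verify(public_key:der_encode('TBSCertList', TBS),
                             sha256, Sig, IssuerPub),
    Entries = list_of(TBS#'TBSCertList'.revokedCertificates),
    case lists:keyfind(Serial,
                       #'TBSCertList_revokedCertificates_SEQOF'.userCertificate,
                       Entries) of
        false ->
            not_revoked;
        #'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions = Exts} ->
            case lists:keyfind(?'id-ce-cRLReason', #'Extension'.extnID,
                               list_of(Exts)) of
                false -> unspecified;
                #'Extension'{extnValue = V} -> public_key:der_decode('CRLReason', V)
            end
    end.

run() ->
    Key = #'RSAPrivateKey'{modulus = N, publicExponent = E} =
        public_key:generate_key({rsa, 2048, 65537}),
    Pub = #'RSAPublicKey'{modulus = N, publicExponent = E},
    CrlDer = build(Key, [42, 1337]), % constructed serial numbers
    keyCompromise = revoked_reason(CrlDer, Pub, 42),
    not_revoked   = revoked_reason(CrlDer, Pub, 7),
    ok.
```

In production the issuer key used for the signature check comes from the CRL issuer's certificate, and public_key:pkix_crls_validate/3 performs that binding together with nextUpdate and distribution-point checks; the lookup above shows what the records contain once the signature has been checked.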
CRL Entry Extensions
The CRL entry extension OID name atoms and their corresponding value types are as follows:
OID Name | Value Type |
---|---|
id-ce-cRLReason | crl_reason() |
id-ce-holdInstructionCode | oid() |
id-ce-invalidityDate | general_time() |
id-ce-certificateIssuer | general_name() |
Table: CRL entry extensions
where
crl_reason() = unspecified | keyCompromise | cACompromise
| affiliationChanged | superseded | cessationOfOperation
| certificateHold | removeFromCRL
| privilegeWithdrawn | aACompromise
PKCS#10 Certification Requests
The following is the Erlang representation of PKCS#10 certification requests, derived from the ASN.1 specification and RFC 2986. These records are handled in plain form only, so attribute values and algorithm parameters are DER-encoded binaries:
#'CertificationRequest'{
certificationRequestInfo, % #'CertificationRequestInfo'{}
signatureAlgorithm, % #'CertificationRequest_signatureAlgorithm'{}
signature % bitstring()
}.
#'CertificationRequestInfo'{
version, % atom()
subject, % {rdnSequence, [[#'AttributeTypeAndValue'{}]]}
subjectPKInfo, % #'CertificationRequestInfo_subjectPKInfo'{}
attributes % [#'AttributePKCS-10'{}]
}.
#'CertificationRequestInfo_subjectPKInfo'{
algorithm, % #'CertificationRequestInfo_subjectPKInfo_algorithm'{}
subjectPublicKey % bitstring()
}.
#'CertificationRequestInfo_subjectPKInfo_algorithm'{
algorithm, % oid(),
parameters % der_encoded()
}.
#'CertificationRequest_signatureAlgorithm'{
algorithm, % oid(),
parameters % der_encoded()
}.
#'AttributePKCS-10'{
type, % oid(),
values % [der_encoded()]
}.
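The following module is an added example, not code from the OTP documentation. It builds and signs a PKCS#10 request from the records above, then does what a CA must do on receipt: decode the DER, re-encode the CertificationRequestInfo, take the public key out of subjectPKInfo and check the request's own signature against it (proof of possession), refusing requests whose signature algorithm is not the one expected. The subject name is constructed; <<5, 0>> is the DER of ASN.1 NULL, and the 'X520CommonName' type name is assumed to be that of the compiled PKIX modules shipped with public_key.

```erlang
-module(csr_demo).
-export([run/0, build/1, verify_pop/1]).
-include_lib("public_key/include/public_key.hrl").

rsa_pub(#'RSAPrivateKey'{modulus = N, publicExponent = E}) ->
    #'RSAPublicKey'{modulus = N, publicExponent = E}.

%% Build a DER CSR for Key. subjectPublicKey is a BIT STRING holding the
%% DER of the RSAPublicKey; DN values are DER because this is plain form.
build(Key) ->
    Info = #'CertificationRequestInfo'{
              version = v1,
              subject = {rdnSequence,
                         [[#'AttributeTypeAndValue'{
                              type  = ?'id-at-commonName',
                              value = public_key:der_encode(
                                        'X520CommonName',
                                        {utf8String, <<"csr.example">>})}]]},
              subjectPKInfo =
                  #'CertificationRequestInfo_subjectPKInfo'{
                     algorithm =
                         #'CertificationRequestInfo_subjectPKInfo_algorithm'{
                            algorithm = ?'rsaEncryption', parameters = <<5, 0>>},
                     subjectPublicKey =
                         public_key:der_encode('RSAPublicKey', rsa_pub(Key))},
              attributes = []},
    InfoDer = public_key:der_encode('CertificationRequestInfo', Info),
    Csr = #'CertificationRequest'{
             certificationRequestInfo = Info,
             signatureAlgorithm =
                 #'CertificationRequest_signatureAlgorithm'{
                    algorithm = ?'sha256WithRSAEncryption', parameters = <<5, 0>>},
             signature = public_key:sign(InfoDer, sha256, Key)},
    public_key:der_encode('CertificationRequest', Csr).

%% Proof of possession: the request must verify under the key it carries.
%% Returns {ok, PublicKey} or {error, Reason}. The pattern match on the
%% algorithm identifiers doubles as a whitelist; anything else raises.
verify_pop(CsrDer) ->
    #'CertificationRequest'{
       certificationRequestInfo = Info,
       signatureAlgorithm =
           #'CertificationRequest_signatureAlgorithm'{
              algorithm = ?'sha256WithRSAEncryption'},
       signature = Sig} = public_key:der_decode('CertificationRequest', CsrDer),
    #'CertificationRequestInfo'{
       subjectPKInfo =
           #'CertificationRequestInfo_subjectPKInfo'{
              algorithm =
                  #'CertificationRequestInfo_subjectPKInfo_algorithm'{
                     algorithm = ?'rsaEncryption'},
              subjectPublicKey = PubDer}} = Info,
    Pub = public_key:der_decode('RSAPublicKey', PubDer),
    InfoDer = public_key:der_encode('CertificationRequestInfo', Info),
    case public_key:verify(InfoDer, sha256, Sig, Pub) of
        true  -> {ok, Pub};
        false -> {error, bad_proof_of_possession}
    end.

run() ->
    Key = public_key:generate_key({rsa, 2048, 65537}),
    CsrDer = build(Key),
    Pub = rsa_pub(Key),
    {ok, Pub} = verify_pop(CsrDer),
    %% A CSR whose signature does not match its public key is rejected.
    Len = byte_size(CsrDer) - 1,
    <<Head:Len/binary, Last>> = CsrDer,
    {error, bad_proof_of_possession} =
        verify_pop(<<Head/binary, (Last bxor 1)>>),
    ok.
```

A CSR that fails this check must not be issued: without proof of possession a requester can obtain a certificate binding their chosen name to someone else's public key.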