Newer
Older
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
* @param appPermissions indicates the permissions that the certificate
* holder has to sign application data with this certificate. A valid
* instance of appPermissions contains any particular Psid value in at most
* one entry.
*
* @param certIssuePermissions indicates the permissions that the certificate
* holder has to sign certificates with this certificate. A valid instance of
* this array contains no more than one entry whose psidSspRange field
* indicates all. If the array has multiple entries and one entry has its
* psidSspRange field indicate all, then the entry indicating all specifies
* the permissions for all PSIDs other than the ones explicitly specified in
* the other entries. See the description of PsidGroupPermissions for further
* discussion.
*
* @param certRequestPermissions indicates the permissions that the
* certificate holder has to sign certificate requests with this certificate.
* A valid instance of this array contains no more than one entry whose
* psidSspRange field indicates all. If the array has multiple entries and
* one entry has its psidSspRange field indicate all, then the entry
* indicating all specifies the permissions for all PSIDs other than the ones
* explicitly specified in the other entries. See the description of
* PsidGroupPermissions for further discussion.
*
* @param canRequestRollover indicates that the certificate may be used to
* sign a request for another certificate with the same permissions. This
* field is provided for future use and its use is not defined in this
* version of this standard.
*
* @param encryptionKey contains a public key for encryption for which the
* certificate holder holds the corresponding private key.
*
* @param verifyKeyIndicator contains material that may be used to recover
* the public key that may be used to verify data signed by this certificate.
*/
ToBeSignedCertificate ::= SEQUENCE {
id CertificateId,
cracaId HashedId3,
crlSeries CrlSeries,
validityPeriod ValidityPeriod,
region GeographicRegion OPTIONAL,
assuranceLevel SubjectAssurance OPTIONAL,
appPermissions SequenceOfPsidSsp OPTIONAL,
certIssuePermissions SequenceOfPsidGroupPermissions OPTIONAL,
certRequestPermissions SequenceOfPsidGroupPermissions OPTIONAL,
canRequestRollover NULL OPTIONAL,
encryptionKey PublicEncryptionKey OPTIONAL,
verifyKeyIndicator VerificationKeyIndicator,
...
}
(WITH COMPONENTS { ..., appPermissions PRESENT} |
WITH COMPONENTS { ..., certIssuePermissions PRESENT} |
WITH COMPONENTS { ..., certRequestPermissions PRESENT})
/**
* @class CertificateId
*
* @brief This structure contains information that is used to identify the
* certificate holder if necessary.
*
* <br><br><b>Critical information fields</b>:
* <ul>
* <li> If present, this is a critical information field as defined in 5.2.6.
* An implementation that does not recognize the choice indicated in this
* field shall reject a signed SPDU as invalid.</li>
* </ul>
*
* <b>Parameters</b>:
*
* @param linkageData is used to identify the certificate for revocation
* purposes in the case of certificates that appear on linked certificate
* CRLs. See 5.1.3 and 7.3 for further discussion.
*
* @param name is used to identify the certificate holder in the case of
* non-anonymous certificates. The contents of this field are a matter of
* policy and should be human-readable.
*
* @param binaryId supports identifiers that are not human-readable.
*
* @param none indicates that the certificate does not include an identifier.
*/
CertificateId ::= CHOICE {
linkageData LinkageData,
name Hostname,
binaryId OCTET STRING(SIZE(1..64)),
none NULL,
...
}
/**
* @class LinkageData
*
* @brief This structure contains information that is matched against
* information obtained from a linkage ID-based CRL to determine whether the
* containing certificate has been revoked. See 5.1.3.4 and 7.3 for details
* of use.
*/
LinkageData ::= SEQUENCE {
iCert IValue,
linkage-value LinkageValue,
group-linkage-value GroupLinkageValue OPTIONAL
}
/**
* @class EndEntityType
*
* @brief This type indicates which type of permissions may appear in
* end-entity certificates the chain of whose permissions passes through the
* PsidGroupPermissions field containing this value. If app is indicated, the
* end-entity certificate may contain an appPermissions field. If enroll is
* indicated, the end-entity certificate may contain a certRequestPermissions
* field.
*/
EndEntityType ::= BIT STRING {
app (0),
enroll (1)
} (SIZE (8)) (ALL EXCEPT {})
/**
* @class PsidGroupPermissions
*
* @brief This structure states the permissions that a certificate holder has
* with respect to issuing and requesting certificates for a particular set
* of PSIDs. In this structure:
*
* <br><br> For examples, see D.5.3 and D.5.4.
*
* @param subjectPermissions indicates PSIDs and SSP Ranges covered by this
* field.
*
* @param minChainLength and chainLengthRange indicate how long the
* certificate chain from this certificate to the end-entity certificate is
* permitted to be. As specified in 5.1.2.1, the length of the certificate
* chain is the number of certificates "below" this certificate in the chain,
* down to and including the end-entity certificate. The length is permitted
* to be (a) greater than or equal to minChainLength certificates and (b)
* less than or equal to minChainLength + chainLengthRange certificates. A
* value of 0 for minChainLength is not permitted when this type appears in
* the certIssuePermissions field of a ToBeSignedCertificate; a certificate
* that has a value of 0 for this field is invalid. The value â1 for
* chainLengthRange is a special case: if the value of chainLengthRange is â1
* it indicates that the certificate chain may be any length equal to or
* greater than minChainLength. See the examples below for further discussion.
*
* @param eeType takes one or more of the values app and enroll and indicates
* the type of certificates or requests that this instance of
* PsidGroupPermissions in the certificate is entitled to authorize. If this
* field indicates app, the chain is allowed to end in an authorization
* certificate, i.e., a certficate in which these permissions appear in an
* appPermissions field (in other words, if the field does not indicate app
* but the chain ends in an authorization certificate, the chain shall be
* considered invalid). If this field indicates enroll, the chain is allowed
* to end in an enrollment certificate, i.e., a certificate in which these
* permissions appear in a certReqPermissions permissions field), or both (in
* other words, if the field does not indicate app but the chain ends in an
* authorization certificate, the chain shall be considered invalid).
* Different instances of PsidGroupPermissions within a ToBeSignedCertificate
* may have different values for eeType.
*/
PsidGroupPermissions ::= SEQUENCE {
subjectPermissions SubjectPermissions,
minChainLength INTEGER DEFAULT 1,
chainLengthRange INTEGER DEFAULT 0,
eeType EndEntityType DEFAULT {app}
}
/**
* @class SequenceOfPsidGroupPermissions
*
* @brief This type is used for clarity of definitions.
*/
SequenceOfPsidGroupPermissions ::= SEQUENCE OF PsidGroupPermissions
/**
* @class SubjectPermissions
*
* @brief This indicates the PSIDs and associated SSPs for which certificate
* issuance or request permissions are granted by a PsidGroupPermissions
* structure. If this takes the value explicit, the enclosing
* PsidGroupPermissions structure grants certificate issuance or request
* permissions for the indicated PSIDs and SSP Ranges. If this takes the
* value all, the enclosing PsidGroupPermissions structure grants certificate
* issuance or request permissions for all PSIDs not indicated by other
* PsidGroupPermissions in the same certIssuePermissions or
* certRequestPermissions field.
*
* <br><br><b>Critical information fields</b>:
* <ul>
* <li> If present, this is a critical information field as defined in 5.2.6.
* An implementation that does not recognize the indicated CHOICE when
* verifying a signed SPDU shall indicate that the signed SPDU is
* invalid.</li>
*
* <li> If present, explicit is a critical information field as defined in
* 5.2.6. An implementation that does not support the number of PsidSspRange
* in explicit when verifying a signed SPDU shall indicate that the signed
* SPDU is invalid. A compliant implementation shall support explicit fields
* containing at least eight entries.</li>
* </ul>
*/
SubjectPermissions ::= CHOICE {
explicit SequenceOfPsidSspRange,
all NULL,
...
}
/**
* @class VerificationKeyIndicator
*
* @brief The contents of this field depend on whether the certificate is an
* implicit or an explicit certificate.
*
* <br><br><b>Critical information fields</b>: If present, this is a critical
* information field as defined in 5.2.5. An implementation that does not
* recognize the indicated CHOICE for this type when verifying a signed SPDU
* shall indicate that the signed SPDU is invalid.
*
* <br><br><b>Parameters</b>:
*
* @param verificationKey is included in explicit certificates. It contains
* the public key to be used to verify signatures generated by the holder of
* the Certificate.
*
* @param reconstructionValue is included in implicit certificates. It
* contains the reconstruction value, which is used to recover the public key
* as specified in SEC 4 and 5.3.2.
*/
VerificationKeyIndicator ::= CHOICE {
verificationKey PublicVerificationKey,
reconstructionValue EccP256CurvePoint,
...
}
END