Newer
Older
* discussion.
*
* @param certRequestPermissions: indicates the permissions that the
* certificate holder can request in its certificate. A valid instance of this
* array contains no more than one entry whose psidSspRange field indicates
* all. If the array has multiple entries and one entry has its psidSspRange
* field indicate all, then the entry indicating all specifies the permissions
* for all PSIDs other than the ones explicitly specified in the other entries.
* See the description of PsidGroupPermissions for further discussion.
* @param canRequestRollover: indicates that the certificate may be used to
* sign a request for another certificate with the same permissions. This
* field is provided for future use and its use is not defined in this
* version of this standard.
*
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
* @param encryptionKey: contains a public key for encryption for which the
* certificate holder holds the corresponding private key.
*
* @param verifyKeyIndicator: contains material that may be used to recover
* the public key that may be used to verify data signed by this certificate.
*
* @param flags: indicates additional yes/no properties of the certificate
* holder. The only bit with defined semantics in this string in this version
* of this standard is usesCubk. If set, the usesCubk bit indicates that the
* certificate holder supports the compact unified butterfly key response.
* Further material about the compact unified butterfly key response can be
* found in IEEE Std 1609.2.1.
*
* @note usesCubk is only relevant for CA certificates, and the only
* functionality defined associated with this field is associated with
* consistency checks on received certificate responses. No functionality
* associated with communications between peer SDEEs is defined associated
* with this field.
*
* @param appExtensions: indicates additional permissions that may be applied
* to application activities that the certificate holder is carrying out.
*
* @param certIssueExtensions: indicates additional permissions to issue
* certificates containing endEntityExtensions.
*
* @param certRequestExtensions: indicates additional permissions to request
* certificates containing endEntityExtensions.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to the PublicEncryptionKey and to the VerificationKeyIndicator.
*
* If the PublicEncryptionKey contains a BasePublicEncryptionKey that is an
* elliptic curve point (i.e., of type EccP256CurvePoint or EccP384CurvePoint),
* then the elliptic curve point is encoded in compressed form, i.e., such
* that the choice indicated within the Ecc*CurvePoint is compressed-y-0 or
* compressed-y-1.
*
* @note Critical information fields:
* - If present, appPermissions is a critical information field as defined
* in 5.2.6. If an implementation of verification does not support the number
* of PsidSsp in the appPermissions field of a certificate that signed a
* signed SPDU, that implementation shall indicate that the signed SPDU is
* invalid in the sense of 4.2.2.3.2, that is, it is invalid in the sense
* that its validity cannot be established.. A conformant implementation
* shall support appPermissions fields containing at least eight entries.
* It may be the case that an implementation of verification does not support
* the number of entries in the appPermissions field and the appPermissions
* field is not relevant to the verification: this will occur, for example,
* if the certificate in question is a CA certificate and so the
* certIssuePermissions field is relevant to the verification and the
* appPermissions field is not. In this case, whether the implementation
* indicates that the signed SPDU is valid (because it could validate all
* relevant fields) or invalid (because it could not parse the entire
* certificate) is implementation-specific.
* - If present, certIssuePermissions is a critical information field as
* defined in 5.2.6. If an implementation of verification does not support
* the number of PsidGroupPermissions in the certIssuePermissions field of a
* CA certificate in the chain of a signed SPDU, the implementation shall
* indicate that the signed SPDU is invalid in the sense of 4.2.2.3.2, that
* is, it is invalid in the sense that its validity cannot be established.
* A conformant implementation shall support certIssuePermissions fields
* containing at least eight entries.
* It may be the case that an implementation of verification does not support
* the number of entries in the certIssuePermissions field and the
* certIssuePermissions field is not relevant to the verification: this will
* occur, for example, if the certificate in question is the signing
* certificate for the SPDU and so the appPermissions field is relevant to
* the verification and the certIssuePermissions field is not. In this case,
* whether the implementation indicates that the signed SPDU is valid
* (because it could validate all relevant fields) or invalid (because it
* could not parse the entire certificate) is implementation-specific.
* - If present, certRequestPermissions is a critical information field as
* defined in 5.2.6. If an implementaiton of verification of a certificate
* request does not support the number of PsidGroupPermissions in
* certRequestPermissions, the implementation shall indicate that the signed
* SPDU is invalid in the sense of 4.2.2.3.2, that is, it is invalid in the
* sense that its validity cannot be established. A conformant implementation
* shall support certRequestPermissions fields containing at least eight
* entries.
* It may be the case that an implementation of verification does not support
* the number of entries in the certRequestPermissions field and the
* certRequestPermissions field is not relevant to the verification: this will
* occur, for example, if the certificate in question is the signing
* certificate for the SPDU and so the appPermissions field is relevant to
* the verification and the certRequestPermissions field is not. In this
* case, whether the implementation indicates that the signed SPDU is valid
* (because it could validate all relevant fields) or invalid (because it
* could not parse the entire certificate) is implementation-specific.
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
ToBeSignedCertificate ::= SEQUENCE {
id CertificateId,
cracaId HashedId3,
crlSeries CrlSeries,
validityPeriod ValidityPeriod,
region GeographicRegion OPTIONAL,
assuranceLevel SubjectAssurance OPTIONAL,
appPermissions SequenceOfPsidSsp OPTIONAL,
certIssuePermissions SequenceOfPsidGroupPermissions OPTIONAL,
certRequestPermissions SequenceOfPsidGroupPermissions OPTIONAL,
canRequestRollover NULL OPTIONAL,
encryptionKey PublicEncryptionKey OPTIONAL,
verifyKeyIndicator VerificationKeyIndicator,
...,
flags BIT STRING {usesCubk (0)} (SIZE (8)) OPTIONAL,
appExtensions SequenceOfAppExtensions,
certIssueExtensions SequenceOfCertIssueExtensions,
certRequestExtension SequenceOfCertRequestExtensions
}
(WITH COMPONENTS { ..., appPermissions PRESENT} |
WITH COMPONENTS { ..., certIssuePermissions PRESENT} |
WITH COMPONENTS { ..., certRequestPermissions PRESENT})
* @brief This structure contains information that is used to identify the
* certificate holder if necessary.
*
* @param linkageData: is used to identify the certificate for revocation
* purposes in the case of certificates that appear on linked certificate
* CRLs. See 5.1.3 and 7.3 for further discussion.
*
* @param name: is used to identify the certificate holder in the case of
* non-anonymous certificates. The contents of this field are a matter of
* @param binaryId: supports identifiers that are not human-readable.
* @param none: indicates that the certificate does not include an identifier.
*
* @note Critical information fields:
* - If present, this is a critical information field as defined in 5.2.6.
* An implementation that does not recognize the choice indicated in this
* field shall reject a signed SPDU as invalid.
CertificateId ::= CHOICE {
linkageData LinkageData,
name Hostname,
binaryId OCTET STRING(SIZE(1..64)),
none NULL,
...
}
* @brief This structure contains information that is matched against
* information obtained from a linkage ID-based CRL to determine whether the
* containing certificate has been revoked. See 5.1.3.4 and 7.3 for details
* of use.
*/
LinkageData ::= SEQUENCE {
iCert IValue,
linkage-value LinkageValue,
group-linkage-value GroupLinkageValue OPTIONAL
}
/**
* @brief This type indicates which type of permissions may appear in
* end-entity certificates the chain of whose permissions passes through the
* PsidGroupPermissions field containing this value. If app is indicated, the
* end-entity certificate may contain an appPermissions field. If enroll is
* indicated, the end-entity certificate may contain a certRequestPermissions
EndEntityType ::=
BIT STRING {app (0), enrol (1) } (SIZE (8)) (ALL EXCEPT {})
* @brief This structure states the permissions that a certificate holder has
* with respect to issuing and requesting certificates for a particular set
* @param subjectPermissions: indicates PSIDs and SSP Ranges covered by this
* @param minChainLength: and chainLengthRange indicate how long the
* certificate chain from this certificate to the end-entity certificate is
* permitted to be. As specified in 5.1.2.1, the length of the certificate
* chain is the number of certificates "below" this certificate in the chain,
* down to and including the end-entity certificate. The length is permitted
* to be (a) greater than or equal to minChainLength certificates and (b)
* less than or equal to minChainLength + chainLengthRange certificates. A
* value of 0 for minChainLength is not permitted when this type appears in
* the certIssuePermissions field of a ToBeSignedCertificate; a certificate
* that has a value of 0 for this field is invalid. The value -1 for
* chainLengthRange is a special case: if the value of chainLengthRange is -1
* it indicates that the certificate chain may be any length equal to or
* greater than minChainLength. See the examples below for further discussion.
* @param eeType: takes one or more of the values app and enroll and indicates
* the type of certificates or requests that this instance of
* PsidGroupPermissions in the certificate is entitled to authorize.
* Different instances of PsidGroupPermissions within a ToBeSignedCertificate
* may have different values for eeType.
* - If this field indicates app, the chain is allowed to end in an
* authorization certificate, i.e., a certficate in which these permissions
* appear in an appPermissions field (in other words, if the field does not
* indicate app and the chain ends in an authorization certificate, the
* chain shall be considered invalid).
* - If this field indicates enroll, the chain is allowed to end in an
* enrollment certificate, i.e., a certificate in which these permissions
* appear in a certReqPermissions permissions field (in other words, if the
* field does not indicate enroll and the chain ends in an enrollment
* certificate, the chain shall be considered invalid).
PsidGroupPermissions ::= SEQUENCE {
subjectPermissions SubjectPermissions,
minChainLength INTEGER DEFAULT 1,
chainLengthRange INTEGER DEFAULT 0,
eeType EndEntityType DEFAULT {app}
}
* @brief This type is used for clarity of definitions.
*/
SequenceOfPsidGroupPermissions ::= SEQUENCE OF PsidGroupPermissions
* @brief This indicates the PSIDs and associated SSPs for which certificate
* issuance or request permissions are granted by a PsidGroupPermissions
* structure. If this takes the value explicit, the enclosing
* PsidGroupPermissions structure grants certificate issuance or request
* permissions for the indicated PSIDs and SSP Ranges. If this takes the
* value all, the enclosing PsidGroupPermissions structure grants certificate
* issuance or request permissions for all PSIDs not indicated by other
* PsidGroupPermissions in the same certIssuePermissions or
* certRequestPermissions field.
*
* @note Critical information fields:
* - If present, this is a critical information field as defined in 5.2.6.
* An implementation that does not recognize the indicated CHOICE when
* verifying a signed SPDU shall indicate that the signed SPDU is
* invalidin the sense of 4.2.2.3.2, that is, it is invalid in the sense that
* its validity cannot be established.
* - If present, explicit is a critical information field as defined in
* 5.2.6. An implementation that does not support the number of PsidSspRange
* in explicit when verifying a signed SPDU shall indicate that the signed
* SPDU is invalid in the sense of 4.2.2.3.2, that is, it is invalid in the
* sense that its validity cannot be established. A conformant implementation
* shall support explicit fields containing at least eight entries.
SubjectPermissions ::= CHOICE {
explicit SequenceOfPsidSspRange,
all NULL,
...
}
* @brief The contents of this field depend on whether the certificate is an
* implicit or an explicit certificate.
*
* @param verificationKey: is included in explicit certificates. It contains
* the public key to be used to verify signatures generated by the holder of
* the Certificate.
*
* @param reconstructionValue: is included in implicit certificates. It
* contains the reconstruction value, which is used to recover the public key
* as specified in SEC 4 and 5.3.2.
*
* @note Critical information fields: If present, this is a critical
* information field as defined in 5.2.5. An implementation that does not
* recognize the indicated CHOICE for this type when verifying a signed SPDU
* shall indicate that the signed SPDU is invalid indicate that the signed
* SPDU is invalid in the sense of 4.2.2.3.2, that is, it is invalid in the
* sense that its validity cannot be established.
*
* @note Canonicalization: This data structure is subject to canonicalization
* for the relevant operations specified in 6.1.2. The canonicalization
* applies to the PublicVerificationKey and to the EccP256CurvePoint. The
* EccP256CurvePoint is encoded in compressed form, i.e., such that the
* choice indicated within the EccP256CurvePoint is compressed-y-0 or
* compressed-y-1.
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
VerificationKeyIndicator ::= CHOICE {
verificationKey PublicVerificationKey,
reconstructionValue EccP256CurvePoint,
...
}
/**
* @brief This structure uses the parameterized type Extension to define an
* Ieee1609ContributedHeaderInfoExtension as an open Extension Content field
* identified by an extension identifier. The extension identifier value is
* unique to extensions defined by ETSI and need not be unique among all
* extension identifier values defined by all contributing organizations.
*/
Ieee1609ContributedHeaderInfoExtension ::=
Extension{{Ieee1609HeaderInfoExtensions}}
/**
* @brief This is an integer used to identify an
* Ieee1609ContributedHeaderInfoExtension.
*/
Ieee1609HeaderInfoExtensionId ::= ExtId
p2pcd8ByteLearningRequestId Ieee1609HeaderInfoExtensionId ::= 1
/**
* @brief This is the ASN.1 Information Object Class that associates IEEE
* 1609 HeaderInfo contributed extensions with the appropriate
* Ieee1609HeaderInfoExtensionId value.
*/
Ieee1609HeaderInfoExtensions EXT-TYPE ::= {
{HashedId8 IDENTIFIED BY p2pcd8ByteLearningRequestId},
...
}
/**
* @brief This structure contains any AppExtensions that apply to the
* certificate holder. As specified in 5.2.4.2.3, each individual
* AppExtension type is associated with consistency conditions, specific to
* that extension, that govern its consistency with SPDUs signed by the
* certificate holder and with the CertIssueExtensions in the CA certificates
* in that certificate holders chain. Those consistency conditions are
* specified for each individual AppExtension below.
*/
SequenceOfAppExtensions ::= SEQUENCE (SIZE(1..MAX)) OF AppExtension
/**
* @brief This structure contains an individual AppExtension. AppExtensions
* specified in this standard are drawn from the ASN.1 Information Object Set
* SetCertExtensions. This set, and its use in the AppExtension type, is
* structured so that each AppExtension is associated with a
* CertIssueExtension and a CertRequestExtension and all are identified by
* the same id value. In this structure:
*
* @param id: identifies the extension type.
*
* @param content: provides the content of the extension.
*/
AppExtension ::= SEQUENCE {
id CERT-EXT-TYPE.&id({SetCertExtensions}),
content CERT-EXT-TYPE.&App({SetCertExtensions}{@.id})
}
/**
* @brief This field contains any CertIssueExtensions that apply to the
* certificate holder. As specified in 5.2.4.2.3, each individual
* CertIssueExtension type is associated with consistency conditions,
* specific to that extension, that govern its consistency with
* AppExtensions in certificates issued by the certificate holder and with
* the CertIssueExtensions in the CA certificates in that certificate
* holders chain. Those consistency conditions are specified for each
* individual CertIssueExtension below.
*/
SequenceOfCertIssueExtensions ::=
SEQUENCE (SIZE(1..MAX)) OF CertIssueExtension
/**
* @brief This field contains an individual CertIssueExtension.
* CertIssueExtensions specified in this standard are drawn from the ASN.1
* Information Object Set SetCertExtensions. This set, and its use in the
* CertIssueExtension type, is structured so that each CertIssueExtension
* is associated with a AppExtension and a CertRequestExtension and all are
* identified by the same id value. In this structure:
*
* @param id: identifies the extension type.
*
* @param permissions: indicates the permissions. Within this field.
* - all indicates that the certificate is entitled to issue all values of
* the extension.
* - specific is used to specify which values of the extension may be
* issued in the case where all does not apply.
*/
CertIssueExtension ::= SEQUENCE {
id CERT-EXT-TYPE.&id({SetCertExtensions}),
permissions CHOICE {
specific CERT-EXT-TYPE.&Issue({SetCertExtensions}{@.id}),
all NULL
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
}
/**
* @brief This field contains any CertRequestExtensions that apply to the
* certificate holder. As specified in 5.2.4.2.3, each individual
* CertRequestExtension type is associated with consistency conditions,
* specific to that extension, that govern its consistency with
* AppExtensions in certificates issued by the certificate holder and with
* the CertRequestExtensions in the CA certificates in that certificate
* holders chain. Those consistency conditions are specified for each
* individual CertRequestExtension below.
*/
SequenceOfCertRequestExtensions ::= SEQUENCE (SIZE(1..MAX)) OF CertRequestExtension
/**
* @brief This field contains an individual CertRequestExtension.
* CertRequestExtensions specified in this standard are drawn from the
* ASN.1 Information Object Set SetCertExtensions. This set, and its use in
* the CertRequestExtension type, is structured so that each
* CertRequestExtension is associated with a AppExtension and a
* CertRequestExtension and all are identified by the same id value. In this
* structure:
*
* @param id: identifies the extension type.
*
* @param permissions: indicates the permissions. Within this field.
* - all indicates that the certificate is entitled to issue all values of
* the extension.
* - specific is used to specify which values of the extension may be
* issued in the case where all does not apply.
*/
CertRequestExtension ::= SEQUENCE {
id CERT-EXT-TYPE.&id({SetCertExtensions}),
permissions CHOICE {
content CERT-EXT-TYPE.&Req({SetCertExtensions}{@.id}),
all NULL
}
}
/**
* @brief This type is the AppExtension used to identify an operating
* organization. The associated CertIssueExtension and CertRequestExtension
* are both of type OperatingOrganizationId.
* To determine consistency between this type and an SPDU, the SDEE
* specification for that SPDU is required to specify how the SPDU can be
* used to determine an OBJECT IDENTIFIER (for example, by including the
* full OBJECT IDENTIFIER in the SPDU, or by including a RELATIVE-OID with
* clear instructions about how a full OBJECT IDENTIFIER can be obtained from
* the RELATIVE-OID). The SPDU is then consistent with this type if the
* OBJECT IDENTIFIER determined from the SPDU is identical to the OBJECT
* IDENTIFIER contained in this field.
* This AppExtension does not have consistency conditions with a
* corresponding CertIssueExtension. It can appear in a certificate issued
* by any CA.
*/
OperatingOrganizationId ::= OBJECT IDENTIFIER
certExtId-OperatingOrganization ExtId ::= 1
/**
* @brief This Information Object is an instance of the Information Object
* Class CERT-EXT-TYPE. It is defined to bind together the AppExtension,
* CertIssueExtension, and CertRequestExtension types associated with the
* use of an operating organization identifier, and to assocaute them all
* with the extension identifier value certExtId-OperatingOrganization.
*/
instanceOperatingOrganizationCertExtensions CERT-EXT-TYPE ::= {
ID certExtId-OperatingOrganization
APP OperatingOrganizationId
ISSUE NULL
REQUEST NULL
}
/**
* @brief This Information Object Set is a collection of Information Objects
* used to contain the AppExtension, CertIssueExtension, and
* CertRequestExtension types associated with a specific use of certificate
* extensions. In this version of this standard it only has a single entry
* instanceOperatingOrganizationCertExtensions.
*/
SetCertExtensions CERT-EXT-TYPE ::= {
instanceOperatingOrganizationCertExtensions,
...
}