Public-Key Records

This chapter briefly describes the Erlang records derived from the ASN.1 specifications that are used to handle public-key infrastructure. Its scope is to describe the data types of each component, not their semantics. For semantic information, see the relevant standards and RFCs linked in the sections below.

Use the following include directive to access the records and constant macros described in the following sections:

```erlang
-include_lib("public_key/include/public_key.hrl").
```
Data Types

The common non-standard Erlang data types used in the following sections to describe record fields, and not defined in the Public Key Reference Manual, are as follows:

```erlang
time() = utc_time() | general_time()

utc_time() = {utcTime, "YYMMDDHHMMSSZ"}

general_time() = {generalTime, "YYYYMMDDHHMMSSZ"}

general_name() = {rfc822Name, string()} |
                 {dNSName, string()} |
                 {x400Address, string()} |
                 {directoryName, {rdnSequence, [#'AttributeTypeAndValue'{}]}} |
                 {ediPartyName, special_string()} |
                 {ediPartyName, special_string(), special_string()} |
                 {uniformResourceIdentifier, string()} |
                 {iPAddress, string()} |
                 {registeredId, oid()} |
                 {otherName, term()}

special_string() = {teletexString, string()} |
                   {printableString, string()} |
                   {universalString, string()} |
                   {utf8String, binary()} |
                   {bmpString, string()}

dist_reason() = unused | keyCompromise | cACompromise | affiliationChanged |
                cessationOfOperation | certificateHold | privilegeWithdrawn | aACompromise

OID_macro() = ?OID_name()

OID_name() = atom()
```
RSA

The Erlang representation of Rivest-Shamir-Adleman (RSA) keys is as follows:

```erlang
#'RSAPublicKey'{
    modulus,        % pos_integer()
    publicExponent  % pos_integer()
}.

#'RSAPrivateKey'{
    version,         % 'two-prime' | multi
    modulus,         % pos_integer()
    publicExponent,  % pos_integer()
    privateExponent, % pos_integer()
    prime1,          % pos_integer()
    prime2,          % pos_integer()
    exponent1,       % pos_integer()
    exponent2,       % pos_integer()
    coefficient,     % pos_integer()
    otherPrimeInfos  % [#'OtherPrimeInfo'{}] | asn1_NOVALUE
}.

#'OtherPrimeInfo'{
    prime,       % pos_integer()
    exponent,    % pos_integer()
    coefficient  % pos_integer()
}.

#'RSASSA-PSS-params'{
    hashAlgorithm,    % #'HashAlgorithm'{}
    maskGenAlgorithm, % #'MaskGenAlgorithm'{}
    saltLength,       % pos_integer()
    trailerField      % pos_integer()
}.

#'HashAlgorithm'{
    algorithm,  % oid()
    parameters  % defaults to asn1_NOVALUE
}.

#'MaskGenAlgorithm'{
    algorithm,  % oid()
    parameters  % defaults to asn1_NOVALUE
}.
```
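As an added example (not part of the OTP documentation or the `public_key` application), the module below checks that the CRT fields of a two-prime `#'RSAPrivateKey'{}` are consistent with each other before the key is trusted; the module name, the `check/1` and `check_pem/1` functions and the minimum-exponent policy are this example's own assumptions, and the PEM entry is assumed to be unencrypted.

```erlang
%% Added example, not part of the OTP documentation: consistency checks on
%% a two-prime #'RSAPrivateKey'{} using only the record fields listed above.
-module(rsa_key_check).
-export([check/1, check_pem/1]).
-include_lib("public_key/include/public_key.hrl").

%% Decode the first (unencrypted) PEM entry and check the resulting record.
check_pem(Pem) when is_binary(Pem) ->
    [Entry | _] = public_key:pem_decode(Pem),
    check(public_key:pem_entry_decode(Entry)).

%% Returns ok, or {error, [Reason]} listing every invariant that failed.
check(#'RSAPrivateKey'{version = 'two-prime', modulus = N,
                       publicExponent = E, privateExponent = D,
                       prime1 = P, prime2 = Q,
                       exponent1 = DP, exponent2 = DQ,
                       coefficient = QInv}) ->
    Invariants =
        [{modulus_is_not_p_times_q,  N =:= P * Q},
         {d_is_not_inverse_of_e,     (E * D) rem lcm(P - 1, Q - 1) =:= 1},
         {exponent1_mismatch,        DP =:= D rem (P - 1)},
         {exponent2_mismatch,        DQ =:= D rem (Q - 1)},
         {coefficient_mismatch,      (Q * QInv) rem P =:= 1},
         %% policy choice made for this example only: reject e < 65537
         {public_exponent_too_small, E >= 65537}],
    case [Reason || {Reason, false} <- Invariants] of
        [] -> ok;
        Failed -> {error, Failed}
    end;
check(#'RSAPrivateKey'{version = multi}) ->
    {error, [multi_prime_not_checked]};
check(_) ->
    {error, [not_an_rsa_private_key]}.

gcd(A, 0) -> A;
gcd(A, B) -> gcd(B, A rem B).

lcm(A, B) -> A * B div gcd(A, B).
```

A key whose `privateExponent` was reduced modulo phi(n) rather than lcm(p-1, q-1) still passes the inverse check, because lcm(p-1, q-1) divides phi(n).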
DSA

The Erlang representation of Digital Signature Algorithm (DSA) keys is as follows:

```erlang
#'DSAPrivateKey'{
    version, % pos_integer()
    p,       % pos_integer()
    q,       % pos_integer()
    g,       % pos_integer()
    y,       % pos_integer()
    x        % pos_integer()
}.

#'Dss-Parms'{
    p, % pos_integer()
    q, % pos_integer()
    g  % pos_integer()
}.
```
ECDSA and EdDSA

The Erlang representation of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA) keys, where for EdDSA the parameters in the private key will be {namedCurve, ?'id-Ed25519' | ?'id-Ed448'}, is as follows:

```erlang
#'ECPrivateKey'{
    version,    % pos_integer()
    privateKey, % binary()
    parameters, % {ecParameters, #'ECParameters'{}} |
                % {namedCurve, Oid::tuple()} |
                % {implicitlyCA, 'NULL'}
    publicKey   % bitstring()
}.

#'ECParameters'{
    version,  % pos_integer()
    fieldID,  % #'FieldID'{}
    curve,    % #'Curve'{}
    base,     % binary()
    order,    % pos_integer()
    cofactor  % pos_integer()
}.

#'Curve'{
    a,    % binary()
    b,    % binary()
    seed  % bitstring() - optional
}.

#'FieldID'{
    fieldType,  % oid()
    parameters  % depending on fieldType
}.

#'ECPoint'{
    point  % binary() - the public key
}.
```
PKIX Certificates

The Erlang representation of PKIX certificates derived from the ASN.1 specifications (see also X509 certificates, RFC 5280), also called the plain type, is as follows:

```erlang
#'Certificate'{
    tbsCertificate,     % #'TBSCertificate'{}
    signatureAlgorithm, % #'AlgorithmIdentifier'{}
    signature           % bitstring()
}.

#'TBSCertificate'{
    version,              % v1 | v2 | v3
    serialNumber,         % pos_integer()
    signature,            % #'AlgorithmIdentifier'{}
    issuer,               % {rdnSequence, [#'AttributeTypeAndValue'{}]}
    validity,             % #'Validity'{}
    subject,              % {rdnSequence, [#'AttributeTypeAndValue'{}]}
    subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{}
    issuerUniqueID,       % binary() | asn1_NOVALUE
    subjectUniqueID,      % binary() | asn1_NOVALUE
    extensions            % [#'Extension'{}]
}.

#'AlgorithmIdentifier'{
    algorithm,  % oid()
    parameters  % der_encoded()
}.
```
The alternative Erlang representation of PKIX certificates, also called the otp type, is as follows:

```erlang
#'OTPCertificate'{
    tbsCertificate,     % #'OTPTBSCertificate'{}
    signatureAlgorithm, % #'SignatureAlgorithm'{}
    signature           % bitstring()
}.

#'OTPTBSCertificate'{
    version,              % v1 | v2 | v3
    serialNumber,         % pos_integer()
    signature,            % #'SignatureAlgorithm'{}
    issuer,               % {rdnSequence, [#'AttributeTypeAndValue'{}]}
    validity,             % #'Validity'{}
    subject,              % {rdnSequence, [#'AttributeTypeAndValue'{}]}
    subjectPublicKeyInfo, % #'OTPSubjectPublicKeyInfo'{}
    issuerUniqueID,       % binary() | asn1_NOVALUE
    subjectUniqueID,      % binary() | asn1_NOVALUE
    extensions            % [#'Extension'{}]
}.

#'SignatureAlgorithm'{
    algorithm,  % id_signature_algorithm()
    parameters  % asn1_NOVALUE | #'Dss-Parms'{}
}.

id_signature_algorithm() = OID_macro()
```
The available OID names are as follows:

| OID Name |
|---|
| id-dsa-with-sha1 |
| id-dsaWithSHA1 (ISO or above OID) |
| md2WithRSAEncryption |
| md5WithRSAEncryption |
| sha1WithRSAEncryption |
| sha-1WithRSAEncryption (ISO or above OID) |
| sha224WithRSAEncryption |
| sha256WithRSAEncryption |
| sha512WithRSAEncryption |
| ecdsa-with-SHA1 |

Table: Signature Algorithm OIDs
The data type 'AttributeTypeAndValue' is represented as the following Erlang record:

```erlang
#'AttributeTypeAndValue'{
    type,  % id_attributes()
    value  % term()
}.
```
The attribute OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|---|---|
| id-at-name | special_string() |
| id-at-surname | special_string() |
| id-at-givenName | special_string() |
| id-at-initials | special_string() |
| id-at-generationQualifier | special_string() |
| id-at-commonName | special_string() |
| id-at-localityName | special_string() |
| id-at-stateOrProvinceName | special_string() |
| id-at-organizationName | special_string() |
| id-at-title | special_string() |
| id-at-dnQualifier | {printableString, string()} |
| id-at-countryName | {printableString, string()} |
| id-at-serialNumber | {printableString, string()} |
| id-at-pseudonym | special_string() |

Table: Attribute OIDs
The data types 'Validity', 'SubjectPublicKeyInfo', and 'SubjectPublicKeyInfoAlgorithm' are represented as the following Erlang records:

```erlang
#'Validity'{
    notBefore, % time()
    notAfter   % time()
}.

#'SubjectPublicKeyInfo'{
    algorithm,        % #'AlgorithmIdentifier'{}
    subjectPublicKey  % binary()
}.

#'SubjectPublicKeyInfoAlgorithm'{
    algorithm,  % id_public_key_algorithm()
    parameters  % public_key_params()
}.
```
The public-key algorithm OID name atoms are as follows:

| OID Name |
|---|
| rsaEncryption |
| id-dsa |
| dhpublicnumber |
| id-keyExchangeAlgorithm |
| id-ecPublicKey |

Table: Public-Key Algorithm OIDs
```erlang
#'Extension'{
    extnID,    % id_extensions() | oid()
    critical,  % boolean()
    extnValue  % der_encoded()
}.
```

id_extensions() covers the OID names listed under Standard Certificate Extensions, Private Internet Extensions, CRL Extensions, and CRL Entry Extensions.
Standard Certificate Extensions

The standard certificate extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|---|---|
| id-ce-authorityKeyIdentifier | #'AuthorityKeyIdentifier'{} |
| id-ce-subjectKeyIdentifier | oid() |
| id-ce-keyUsage | [key_usage()] |
| id-ce-privateKeyUsagePeriod | #'PrivateKeyUsagePeriod'{} |
| id-ce-certificatePolicies | #'PolicyInformation'{} |
| id-ce-policyMappings | #'PolicyMappings_SEQOF'{} |
| id-ce-subjectAltName | general_name() |
| id-ce-issuerAltName | general_name() |
| id-ce-subjectDirectoryAttributes | [#'Attribute'{}] |
| id-ce-basicConstraints | #'BasicConstraints'{} |
| id-ce-nameConstraints | #'NameConstraints'{} |
| id-ce-policyConstraints | #'PolicyConstraints'{} |
| id-ce-extKeyUsage | [id_key_purpose()] |
| id-ce-cRLDistributionPoints | [#'DistributionPoint'{}] |
| id-ce-inhibitAnyPolicy | pos_integer() |
| id-ce-freshestCRL | [#'DistributionPoint'{}] |

Table: Standard Certificate Extensions
Here:

```erlang
key_usage() = digitalSignature | nonRepudiation | keyEncipherment
            | dataEncipherment | keyAgreement | keyCertSign
            | cRLSign | encipherOnly | decipherOnly
```

For id_key_purpose():

| OID Name |
|---|
| id-kp-serverAuth |
| id-kp-clientAuth |
| id-kp-codeSigning |
| id-kp-emailProtection |
| id-kp-timeStamping |
| id-kp-OCSPSigning |

Table: Key Purpose OIDs
```erlang
#'AuthorityKeyIdentifier'{
    keyIdentifier,             % oid()
    authorityCertIssuer,       % general_name()
    authorityCertSerialNumber  % pos_integer()
}.

#'PrivateKeyUsagePeriod'{
    notBefore, % general_time()
    notAfter   % general_time()
}.

#'PolicyInformation'{
    policyIdentifier, % oid()
    policyQualifiers  % [#'PolicyQualifierInfo'{}]
}.

#'PolicyQualifierInfo'{
    policyQualifierId, % oid()
    qualifier          % string() | #'UserNotice'{}
}.

#'UserNotice'{
    noticeRef,    % #'NoticeReference'{}
    explicitText  % string()
}.

#'NoticeReference'{
    organization,  % string()
    noticeNumbers  % [pos_integer()]
}.

#'PolicyMappings_SEQOF'{
    issuerDomainPolicy,  % oid()
    subjectDomainPolicy  % oid()
}.

#'Attribute'{
    type,   % oid()
    values  % [der_encoded()]
}.

#'BasicConstraints'{
    cA,                % boolean()
    pathLenConstraint  % pos_integer()
}.

#'NameConstraints'{
    permittedSubtrees, % [#'GeneralSubtree'{}]
    excludedSubtrees   % [#'GeneralSubtree'{}]
}.

#'GeneralSubtree'{
    base,     % general_name()
    minimum,  % pos_integer()
    maximum   % pos_integer()
}.

#'PolicyConstraints'{
    requireExplicitPolicy, % pos_integer()
    inhibitPolicyMapping   % pos_integer()
}.

#'DistributionPoint'{
    distributionPoint, % {fullName, [general_name()]} |
                       % {nameRelativeToCRLIssuer, [#'AttributeTypeAndValue'{}]}
    reasons,           % [dist_reason()]
    cRLIssuer          % [general_name()]
}.
```
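As an added example (not part of the OTP documentation or the `public_key` application), the module below walks the otp-type certificate and extension records described above to pull out the fields a reviewer usually checks first: subject common name, validity, the basicConstraints cA flag, key usage, extended key usage and subject alternative names. The module name and function names are this example's own; it assumes a PEM binary holding at least one certificate and relies on `public_key:pem_decode/1` and `public_key:pkix_decode_cert/2` from OTP.

```erlang
%% Added example, not part of the OTP documentation: summarize the
%% security-relevant fields of an otp-type certificate record.
-module(cert_summary).
-export([summarize_pem/1, summarize/1]).
-include_lib("public_key/include/public_key.hrl").

%% Decode the first certificate in a PEM binary and summarize it.
summarize_pem(Pem) when is_binary(Pem) ->
    [{'Certificate', Der, not_encrypted} | _] = public_key:pem_decode(Pem),
    summarize(public_key:pkix_decode_cert(Der, otp)).

%% Pattern-match the #'OTPCertificate'{} and #'OTPTBSCertificate'{} records.
summarize(#'OTPCertificate'{tbsCertificate = TBS}) ->
    #'OTPTBSCertificate'{serialNumber = Serial,
                         subject = Subject,
                         validity = #'Validity'{notBefore = NotBefore,
                                                notAfter = NotAfter},
                         extensions = Exts} = TBS,
    #{serial => Serial,
      common_name => common_name(Subject),
      not_before => NotBefore,          % time(), e.g. {utcTime, "..."}
      not_after => NotAfter,
      is_ca => is_ca(Exts),
      key_usage => ext_value(?'id-ce-keyUsage', Exts, []),
      ext_key_usage => ext_value(?'id-ce-extKeyUsage', Exts, []),
      subject_alt_names => ext_value(?'id-ce-subjectAltName', Exts, [])}.

%% The decoded subject is {rdnSequence, RDNs}; each RDN is itself a list of
%% #'AttributeTypeAndValue'{} records. Return the first id-at-commonName.
common_name({rdnSequence, RDNs}) ->
    case [V || RDN <- RDNs,
               #'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                        value = V} <- RDN] of
        [CN | _] -> CN;   % special_string(), e.g. {utf8String, <<"x">>}
        [] -> undefined
    end.

%% In the otp representation extnValue is already decoded into the value
%% types of the extension tables. v1 certificates carry no extensions.
ext_value(_Oid, asn1_NOVALUE, Default) ->
    Default;
ext_value(Oid, Exts, Default) ->
    case lists:keyfind(Oid, #'Extension'.extnID, Exts) of
        #'Extension'{extnValue = V} -> V;
        false -> Default
    end.

%% A certificate is a CA only if basicConstraints is present with cA = true.
is_ca(Exts) ->
    case ext_value(?'id-ce-basicConstraints', Exts, undefined) of
        #'BasicConstraints'{cA = CA} -> CA =:= true;
        _ -> false
    end.
```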
Private Internet Extensions

The private internet extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|---|---|
| id-pe-authorityInfoAccess | [#'AccessDescription'{}] |
| id-pe-subjectInfoAccess | [#'AccessDescription'{}] |

Table: Private Internet Extensions

```erlang
#'AccessDescription'{
    accessMethod,   % oid()
    accessLocation  % general_name()
}.
```
CRL and CRL Extensions Profile

The Erlang representation of CRL and CRL extensions profile derived from the ASN.1 specifications and RFC 5280 is as follows:

```erlang
#'CertificateList'{
    tbsCertList,        % #'TBSCertList'{}
    signatureAlgorithm, % #'AlgorithmIdentifier'{}
    signature           % bitstring()
}.

#'TBSCertList'{
    version,             % v2 (if defined)
    signature,           % #'AlgorithmIdentifier'{}
    issuer,              % {rdnSequence, [#'AttributeTypeAndValue'{}]}
    thisUpdate,          % time()
    nextUpdate,          % time()
    revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}]
    crlExtensions        % [#'Extension'{}]
}.

#'TBSCertList_revokedCertificates_SEQOF'{
    userCertificate,    % pos_integer()
    revocationDate,     % time()
    crlEntryExtensions  % [#'Extension'{}]
}.
```
CRL Extensions

The CRL extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|---|---|
| id-ce-authorityKeyIdentifier | #'AuthorityKeyIdentifier'{} |
| id-ce-issuerAltName | {rdnSequence, [#'AttributeTypeAndValue'{}]} |
| id-ce-cRLNumber | pos_integer() |
| id-ce-deltaCRLIndicator | pos_integer() |
| id-ce-issuingDistributionPoint | #'IssuingDistributionPoint'{} |
| id-ce-freshestCRL | [#'DistributionPoint'{}] |

Table: CRL Extensions

Here, the data type 'IssuingDistributionPoint' is represented as the following Erlang record:

```erlang
#'IssuingDistributionPoint'{
    distributionPoint,         % {fullName, [general_name()]} |
                               % {nameRelativeToCRLIssuer, [#'AttributeTypeAndValue'{}]}
    onlyContainsUserCerts,     % boolean()
    onlyContainsCACerts,       % boolean()
    onlySomeReasons,           % [dist_reason()]
    indirectCRL,               % boolean()
    onlyContainsAttributeCerts % boolean()
}.
```
CRL Entry Extensions

The CRL entry extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|---|---|
| id-ce-cRLReason | crl_reason() |
| id-ce-holdInstructionCode | oid() |
| id-ce-invalidityDate | general_time() |
| id-ce-certificateIssuer | general_name() |

Table: CRL Entry Extensions

Here:

```erlang
crl_reason() = unspecified | keyCompromise | cACompromise
             | affiliationChanged | superseded | cessationOfOperation
             | certificateHold | removeFromCRL
             | privilegeWithdrawn | aACompromise
```
PKCS#10 Certification Request

The Erlang representation of a PKCS#10 certification request derived from the ASN.1 specifications and RFC 5280 is as follows:

```erlang
#'CertificationRequest'{
    certificationRequestInfo, % #'CertificationRequestInfo'{}
    signatureAlgorithm,       % #'CertificationRequest_signatureAlgorithm'{}
    signature                 % bitstring()
}.

#'CertificationRequestInfo'{
    version,       % atom()
    subject,       % {rdnSequence, [#'AttributeTypeAndValue'{}]}
    subjectPKInfo, % #'CertificationRequestInfo_subjectPKInfo'{}
    attributes     % [#'AttributePKCS-10'{}]
}.

#'CertificationRequestInfo_subjectPKInfo'{
    algorithm,        % #'CertificationRequestInfo_subjectPKInfo_algorithm'{}
    subjectPublicKey  % bitstring()
}.

#'CertificationRequestInfo_subjectPKInfo_algorithm'{
    algorithm,  % oid()
    parameters  % der_encoded()
}.

#'CertificationRequest_signatureAlgorithm'{
    algorithm,  % oid()
    parameters  % der_encoded()
}.

#'AttributePKCS-10'{
    type,   % oid()
    values  % [der_encoded()]
}.
```