
Digital Certificate Format Training


-- TLS WWW server authentication
-- Key usage bits that may be consistent: digitalSignature,
-- keyEncipherment or keyAgreement
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
• TBSCertificate
• Basic fields
• Extensions
TBSCertificate
TBSCertificate ::= SEQUENCE {
    version [0] EXPLICIT Version DEFAULT v1,
    serialNumber CertificateSerialNumber,
    signature AlgorithmIdentifier,
    issuer Name,
    validity Validity,
    subject Name,
Extensions
• Extension representation
Extension ::= SEQUENCE {
    extnID OBJECT IDENTIFIER,
    critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }
• Standard Extensions (16 items, specified in X.509)
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
        -- If present, version MUST be v2 or v3
    subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
        -- If present, version MUST be v2 or v3
    extensions }
OBJECT IDENTIFIER ::= { id-kp 9 }
Extensions related to certificate policy
• Certificate Policies
• Policy Mappings
• Policy Constraints
• Inhibit Any-Policy
-- TLS WWW client authentication
-- Key usage bits that may be consistent: digitalSignature
-- and/or keyAgreement
id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
-- Binding the hash of an object to a time
-- Key usage bits that may be consistent: digitalSignature
-- and/or nonRepudiation
id-kp-OCSPSigning
-- Signing OCSP responses
-- Key usage bits that may be consistent: digitalSignature
-- and/or nonRepudiation
• A self-signed certificate is one kind of self-issued certificate
• Cross certificate
• End-entity Certificate
Extension categories

Key identifiers
• Authority Key Identifier
• Subject Key Identifier

Alternative names
• Subject Alternative Name
• Issuer Alternative Name
Basic Constraints, Name Constraints, CRL Distribution Points, Freshest CRL, Private Key Usage Period, Subject Directory Attributes
Certificate Policies
• Definition
certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
    policyIdentifier CertPolicyId,
    policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {
    policyQualifierId PolicyQualifierId,
    qualifier ANY DEFINED BY policyQualifierId }
• Authority Key Identifier
• Subject Key Identifier
• Key Usage
• Private Key Usage Period
• Certificate Policies
• Policy Mappings
• Subject Alternative Name
• Issuer Alternative Name
• Subject Directory Attributes
• Basic Constraints
• Name Constraints
• Policy Constraints
• Extended Key Usage
• CRL Distribution Points
• Inhibit Any-Policy
• Freshest CRL
(0), (1), (2), (3), (4), (5), (6), (7), (8) }
Key usage related (continued)

Extended Key Usage
• Generally used only in end-entity certificates; the critical flag can be set according to the user's own circumstances
anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
• RFC3280 (replaced RFC2459)
• Certificate and CRL profile
• The national standard "Digital Certificate Format" (《数字证书格式》) corresponds to RFC3280
• RFC3281
• Attribute Certificate Profile
III. X.509 certificate format
• Certificate
Certificate ::= SEQUENCE {
    tbsCertificate TBSCertificate,
    signatureAlgorithm Algori
    signatureValue BIT STRING }

Training material, part 2
吉大正元信息技术股份有限公司
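Main contents
• Concept of digital certificates
• Certificate standards
• X.509 certificate format
• Extensions specified in the national standard
• DN planning
• OID management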
I. Concept of digital certificates
• Digital certificate?
• Public-key certificate
• Attribute certificate
• PGP certificate
• SET certificate
• Qualified certificate
• Internet Certificate Extensions (specified in RFC3280)
• Authority Information Access
• Subject Information Access
Certificate types
• CA Certificate
• Self-issued certificate
• Self-signed certificate
• Notes

Internet-specific extensions
• Authority Information Access
• Subject Information Access
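Key identifiers
• Extension fields
• Authority Key Identifier
• Subject Key Identifier
• Purpose
• Identify the key, to help path construction
• How the value is obtained
• Derived from the public key
• SHA-1
• 0100 + 60 bits (taken from the SHA-1 hash)
• A uniquely determined value, a monotonically increasing integer
• Setting
• Must be present, non-critical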
Certification path (certificate chain)
[Figure: certification path. Labels: self-signed certificate; AKID = W, W, X, Y; SKID = Z, Y, X, W; each matching AKID/SKID pair is marked "same".]
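Added example (not part of the original slides): the two public-key-derived key identifier forms listed above, and a path walk that matches each certificate's AKID to its issuer's SKID. The key bytes, certificate names and the pairing of the labels W, X, Y, Z are constructed assumptions.

```python
import hashlib

def kid_sha1(subject_public_key: bytes) -> bytes:
    """160-bit SHA-1 over the subjectPublicKey BIT STRING value
    (tag, length and unused-bits octet excluded)."""
    return hashlib.sha1(subject_public_key).digest()

def kid_0100_60(subject_public_key: bytes) -> bytes:
    """Type nibble 0100 followed by the least significant 60 bits of that hash."""
    tail = bytearray(kid_sha1(subject_public_key)[-8:])  # last 64 bits of the hash
    tail[0] = 0x40 | (tail[0] & 0x0F)                    # overwrite the top 4 bits
    return bytes(tail)

def build_path(leaf: dict, pool: list) -> list:
    """Follow AKID -> issuer SKID from the leaf up to the self-signed certificate."""
    by_skid = {c["skid"]: c for c in pool}
    path, seen = [leaf], {leaf["skid"]}
    while path[-1]["akid"] != path[-1]["skid"]:          # self-signed: AKID == SKID
        issuer = by_skid.get(path[-1]["akid"])
        if issuer is None or issuer["skid"] in seen:     # missing issuer or a loop
            raise ValueError("no usable issuer for AKID " + path[-1]["akid"].hex())
        path.append(issuer)
        seen.add(issuer["skid"])
    return path

# Constructed stand-ins for four subjectPublicKey values (not real keys).
KEYS = {n: ("constructed-public-key-" + n).encode() for n in "WXYZ"}
KID = {n: kid_0100_60(k) for n, k in KEYS.items()}

def make_cert(name: str, own: str, signer: str) -> dict:
    """Hypothetical minimal certificate record: only the two key identifiers."""
    return {"name": name, "skid": KID[own], "akid": KID[signer]}

# Assumed pairing of the slide's labels: (SKID, AKID) = (W,W), (X,W), (Y,X), (Z,Y).
CERTS = [make_cert("CA-2", "Y", "X"), make_cert("root", "W", "W"),
         make_cert("end-entity", "Z", "Y"), make_cert("CA-1", "X", "W")]

def path_names() -> list:
    leaf = next(c for c in CERTS if c["name"] == "end-entity")
    return [c["name"] for c in build_path(leaf, CERTS)]

if __name__ == "__main__":
    # Identifiers only select candidate issuers; each signature must still be verified.
    print(" -> ".join(path_names()))
```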
II. Certificate standards
• ITU X.509 | ISO/IEC 9594-8
• V3 (1997), Authentication Framework
• 4th_Edition, Public-key and Attribute Certificate Frameworks
• GB/T16264.8 corresponds to ITU X.509

Key usage related
• Key Usage
• Extended Key Usage

Constraints

Extensions related to certificate policy
• Certificate Policies
• Policy Mappings
• Policy Constraints
• Inhibit Any-Policy