2 Public-Key Records

This chapter briefly describes the Erlang records derived from the ASN.1 specifications used to handle public key infrastructure. The scope is to describe the data types of each component, not the semantics. For information on the semantics, refer to the relevant standards and RFCs linked in the sections below.

Use the following include directive to access the records and constant macros described in the following sections:

```erlang
-include_lib("public_key/include/public_key.hrl").
```

2.1 Data Types

Common non-standard Erlang data types that are used to describe the record fields in the following sections, and that are not defined in the public_key Reference Manual, are as follows:

```erlang
time() = utc_time() | general_time()

utc_time() = {utcTime, "YYMMDDHHMMSSZ"}

general_time() = {generalTime, "YYYYMMDDHHMMSSZ"}

general_name() = {rfc822Name, string()}
               | {dNSName, string()}
               | {x400Address, string()}
               | {directoryName, {rdnSequence, [#'AttributeTypeAndValue'{}]}}
               | {ediPartyName, special_string()}
               | {ediPartyName, special_string(), special_string()}
               | {uniformResourceIdentifier, string()}
               | {ipAddress, string()}
               | {registeredId, oid()}
               | {otherName, term()}

special_string() = {teletexString, string()}
                 | {printableString, string()}
                 | {universalString, string()}
                 | {utf8String, binary()}
                 | {bmpString, string()}

dist_reason() = unused
              | keyCompromise
              | cACompromise
              | affiliationChanged
              | superseded
              | cessationOfOperation
              | certificateHold
              | privilegeWithdrawn
              | aACompromise

OID_macro() = ?OID_name()

OID_name() = atom()
```

2.2 RSA

The Erlang representation of Rivest-Shamir-Adleman (RSA) keys is as follows:

```erlang
#'RSAPublicKey'{
   modulus,        % integer()
   publicExponent  % integer()
}.

#'RSAPrivateKey'{
   version,         % two-prime | multi
   modulus,         % integer()
   publicExponent,  % integer()
   privateExponent, % integer()
   prime1,          % integer()
   prime2,          % integer()
   exponent1,       % integer()
   exponent2,       % integer()
   coefficient,     % integer()
   otherPrimeInfos  % [#'OtherPrimeInfo'{}] | asn1_NOVALUE
}.

#'OtherPrimeInfo'{
   prime,       % integer()
   exponent,    % integer()
   coefficient  % integer()
}.
```

2.3 DSA

The Erlang representation of Digital Signature Algorithm (DSA) keys is as follows:

```erlang
#'DSAPrivateKey'{
   version, % integer()
   p,       % integer()
   q,       % integer()
   g,       % integer()
   y,       % integer()
   x        % integer()
}.

#'Dss-Parms'{
   p, % integer()
   q, % integer()
   g  % integer()
}.
```

2.4 ECDSA

The Erlang representation of Elliptic Curve Digital Signature Algorithm (ECDSA) keys is as follows:

```erlang
#'ECPrivateKey'{
   version,    % integer()
   privateKey, % binary()
   parameters, % {ecParameters, #'ECParameters'{}} |
               % {namedCurve, Oid::tuple()} |
               % {implicitlyCA, 'NULL'}
   publicKey   % bitstring()
}.

#'ECParameters'{
   version,  % integer()
   fieldID,  % #'FieldID'{}
   curve,    % #'Curve'{}
   base,     % binary()
   order,    % integer()
   cofactor  % integer()
}.

#'Curve'{
   a,    % binary()
   b,    % binary()
   seed  % bitstring() - optional
}.

#'FieldID'{
   fieldType,  % oid()
   parameters  % Depending on fieldType
}.

#'ECPoint'{
   point  % binary() - the public key
}.
```

2.5 PKIX Certificates

The Erlang representation of PKIX certificates derived from the ASN.1 specifications and X.509 certificates (RFC 5280), also referred to as the plain type, is as follows:

```erlang
#'Certificate'{
   tbsCertificate,     % #'TBSCertificate'{}
   signatureAlgorithm, % #'AlgorithmIdentifier'{}
   signature           % bitstring()
}.

#'TBSCertificate'{
   version,              % v1 | v2 | v3
   serialNumber,         % integer()
   signature,            % #'AlgorithmIdentifier'{}
   issuer,               % {rdnSequence, [#'AttributeTypeAndValue'{}]}
   validity,             % #'Validity'{}
   subject,              % {rdnSequence, [#'AttributeTypeAndValue'{}]}
   subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{}
   issuerUniqueID,       % binary() | asn1_novalue
   subjectUniqueID,      % binary() | asn1_novalue
   extensions            % [#'Extension'{}]
}.

#'AlgorithmIdentifier'{
   algorithm,  % oid()
   parameters  % der_encoded()
}.
```

The alternate Erlang representation of PKIX certificates, also referred to as the otp type, is as follows:

```erlang
#'OTPCertificate'{
   tbsCertificate,     % #'OTPTBSCertificate'{}
   signatureAlgorithm, % #'SignatureAlgorithm'
   signature           % bitstring()
}.

#'OTPTBSCertificate'{
   version,              % v1 | v2 | v3
   serialNumber,         % integer()
   signature,            % #'SignatureAlgorithm'
   issuer,               % {rdnSequence, [#'AttributeTypeAndValue'{}]}
   validity,             % #'Validity'{}
   subject,              % {rdnSequence, [#'AttributeTypeAndValue'{}]}
   subjectPublicKeyInfo, % #'OTPSubjectPublicKeyInfo'{}
   issuerUniqueID,       % binary() | asn1_novalue
   subjectUniqueID,      % binary() | asn1_novalue
   extensions            % [#'Extension'{}]
}.

#'SignatureAlgorithm'{
   algorithm,  % id_signature_algorithm()
   parameters  % asn1_novalue | #'Dss-Parms'{}
}.
```

id_signature_algorithm() = OID_macro()

The available OID names are as follows:

| OID Name |
|:----|
| id-dsa-with-sha1 |
| id-dsaWithSHA1 (ISO or OID to above) |
| md2WithRSAEncryption |
| md5WithRSAEncryption |
| sha1WithRSAEncryption |
| sha-1WithRSAEncryption (ISO or OID to above) |
| sha224WithRSAEncryption |
| sha256WithRSAEncryption |
| sha512WithRSAEncryption |
| ecdsa-with-SHA1 |

The data type 'AttributeTypeAndValue' is represented as the following Erlang record:

```erlang
#'AttributeTypeAndValue'{
   type,  % id_attributes()
   value  % term()
}.
```

The attribute OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-at-name | special_string() |
| id-at-surname | special_string() |
| id-at-givenName | special_string() |
| id-at-initials | special_string() |
| id-at-generationQualifier | special_string() |
| id-at-commonName | special_string() |
| id-at-localityName | special_string() |
| id-at-stateOrProvinceName | special_string() |
| id-at-organizationName | special_string() |
| id-at-title | special_string() |
| id-at-dnQualifier | {printableString, string()} |
| id-at-countryName | {printableString, string()} |
| id-at-serialNumber | {printableString, string()} |
| id-at-pseudonym | special_string() |

The data types 'Validity', 'SubjectPublicKeyInfo', and 'SubjectPublicKeyInfoAlgorithm' are represented as the following Erlang records:

```erlang
#'Validity'{
   notBefore, % time()
   notAfter   % time()
}.

#'SubjectPublicKeyInfo'{
   algorithm,       % #'AlgorithmIdentifier'{}
   subjectPublicKey % binary()
}.

#'SubjectPublicKeyInfoAlgorithm'{
   algorithm,  % id_public_key_algorithm()
   parameters  % public_key_params()
}.
```
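The time() values carried by #'Validity'{} are plain strings, so a validity check has to parse them first. The module below is an added example (not part of the public_key documentation or library) that converts utc_time() and general_time() to calendar datetimes, applying the RFC 5280 two-digit-year rule, and tests an instant against the period; the notBefore/notAfter values in demo/0 are constructed.

```erlang
%% cert_time.erl: convert the time() values carried by #'Validity'{} and check
%% them against a UTC instant (added example; not from the public_key docs).
-module(cert_time).
-include_lib("public_key/include/public_key.hrl").
-export([to_datetime/1, within_validity/2, demo/0]).

%% utc_time() has a two-digit year; RFC 5280 reads 50..99 as 19YY and
%% 00..49 as 20YY. general_time() already carries a four-digit year.
to_datetime({utcTime, [Y1, Y2 | Rest]}) ->
    YY = list_to_integer([Y1, Y2]),
    Century = if YY >= 50 -> 1900; true -> 2000 end,
    parse_rest(Century + YY, Rest);
to_datetime({generalTime, [Y1, Y2, Y3, Y4 | Rest]}) ->
    parse_rest(list_to_integer([Y1, Y2, Y3, Y4]), Rest).

%% Rest is "MMDDHHMMSSZ"; a value without the trailing Z, or with a fraction
%% or a UTC offset, does not match and raises function_clause instead of
%% being silently accepted.
parse_rest(Year, [Mo1, Mo2, D1, D2, H1, H2, Mi1, Mi2, S1, S2, $Z]) ->
    DT = {{Year, list_to_integer([Mo1, Mo2]), list_to_integer([D1, D2])},
          {list_to_integer([H1, H2]), list_to_integer([Mi1, Mi2]),
           list_to_integer([S1, S2])}},
    true = calendar:valid_date(element(1, DT)),  % reject e.g. month 13
    DT.

%% true when NowUtc ({{Y,M,D},{H,Mi,S}} in UTC) lies in [notBefore, notAfter].
within_validity(#'Validity'{notBefore = NB, notAfter = NA}, NowUtc) ->
    Secs = fun calendar:datetime_to_gregorian_seconds/1,
    Secs(to_datetime(NB)) =< Secs(NowUtc) andalso Secs(NowUtc) =< Secs(to_datetime(NA)).

%% Constructed validity period: a certificate valid during 2024 only.
demo() ->
    V = #'Validity'{notBefore = {utcTime, "240101000000Z"},
                    notAfter  = {utcTime, "241231235959Z"}},
    {within_validity(V, {{2024, 6, 15}, {12, 0, 0}}),
     within_validity(V, {{2025, 1, 1}, {0, 0, 0}})}.
```

Pass calendar:universal_time() as the second argument of within_validity/2 to check against the current clock; a #'Validity'{} taken from a decoded #'OTPTBSCertificate'{} can be used directly.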

The public-key algorithm OID name atoms are as follows:

| OID Name |
|:----|
| rsaEncryption |
| id-dsa |
| dhpublicnumber |
| id-keyExchangeAlgorithm |
| id-ecPublicKey |

```erlang
#'Extension'{
   extnID,    % id_extensions() | oid()
   critical,  % boolean()
   extnValue  % der_encoded()
}.
```

id_extensions() is defined in Standard Certificate Extensions, Private Internet Extensions, CRL Extensions, and CRL Entry Extensions.

2.6 Standard Certificate Extensions

The standard certificate extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-ce-authorityKeyIdentifier | #'AuthorityKeyIdentifier'{} |
| id-ce-subjectKeyIdentifier | oid() |
| id-ce-keyUsage | key_usage() |
| id-ce-privateKeyUsagePeriod | #'PrivateKeyUsagePeriod'{} |
| id-ce-certificatePolicies | #'PolicyInformation'{} |
| id-ce-policyMappings | #'PolicyMappings_SEQOF'{} |
| id-ce-subjectAltName | general_name() |
| id-ce-issuerAltName | general_name() |
| id-ce-subjectDirectoryAttributes | #'Attribute'{} |
| id-ce-basicConstraints | #'BasicConstraints'{} |
| id-ce-nameConstraints | #'NameConstraints'{} |
| id-ce-policyConstraints | #'PolicyConstraints'{} |
| id-ce-extKeyUsage | id_key_purpose() |
| id-ce-cRLDistributionPoints | #'DistributionPoint'{} |
| id-ce-inhibitAnyPolicy | integer() |
| id-ce-freshestCRL | #'DistributionPoint'{} |

Here:

```erlang
key_usage() = digitalSignature
            | nonRepudiation
            | keyEncipherment
            | dataEncipherment
            | keyAgreement
            | keyCertSign
            | cRLSign
            | encipherOnly
            | decipherOnly
```

And for id_key_purpose():

| OID Name |
|:----|
| id-kp-serverAuth |
| id-kp-clientAuth |
| id-kp-codeSigning |
| id-kp-emailProtection |
| id-kp-timestamping |
| id-kp-OCSPSigning |

```erlang
#'AuthorityKeyIdentifier'{
   keyIdentifier,            % oid()
   authorityCertIssuer,      % general_name()
   authorityCertSerialNumber % integer()
}.

#'PrivateKeyUsagePeriod'{
   notBefore, % general_time()
   notAfter   % general_time()
}.

#'PolicyInformation'{
   policyIdentifier, % oid()
   policyQualifiers  % [#'PolicyQualifierInfo'{}]
}.

#'PolicyQualifierInfo'{
   policyQualifierId, % oid()
   qualifier          % string() | #'UserNotice'{}
}.

#'UserNotice'{
   noticeRef,   % #'NoticeReference'{}
   explicitText % string()
}.

#'NoticeReference'{
   organization, % string()
   noticeNumbers % [integer()]
}.

#'PolicyMappings_SEQOF'{
   issuerDomainPolicy, % oid()
   subjectDomainPolicy % oid()
}.

#'Attribute'{
   type,  % oid()
   values % [der_encoded()]
}.

#'BasicConstraints'{
   cA,               % boolean()
   pathLenConstraint % integer()
}.

#'NameConstraints'{
   permittedSubtrees, % [#'GeneralSubtree'{}]
   excludedSubtrees   % [#'GeneralSubtree'{}]
}.

#'GeneralSubtree'{
   base,    % general_name()
   minimum, % integer()
   maximum  % integer()
}.

#'PolicyConstraints'{
   requireExplicitPolicy, % integer()
   inhibitPolicyMapping   % integer()
}.

#'DistributionPoint'{
   distributionPoint, % {fullName, [general_name()]} |
                      % {nameRelativeToCRLIssuer, [#'AttributeTypeAndValue'{}]}
   reasons,           % [dist_reason()]
   cRLIssuer          % [general_name()]
}.
```
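In the otp type the extnValue of each #'Extension'{} is already decoded into the value types listed in the table above, so policy checks can pattern-match on the records directly. The module below is an added example (not part of the public_key documentation or library) that decodes a PEM certificate into #'OTPCertificate'{} and reports extension settings unsuitable for a TLS server certificate; the check names and the certificate built in demo/0 are constructed for this example.

```erlang
%% cert_ext.erl: walk the extensions of an otp-type certificate and report
%% settings unsuitable for a TLS server certificate (added example).
-module(cert_ext).
-include_lib("public_key/include/public_key.hrl").
-export([from_pem/1, server_cert_issues/1, demo/0]).

%% Decode the first CERTIFICATE entry of a PEM binary into #'OTPCertificate'{}.
from_pem(Pem) ->
    [Der | _] = [D || {'Certificate', D, not_encrypted} <- public_key:pem_decode(Pem)],
    public_key:pkix_decode_cert(Der, otp).

%% Look up an extension by OID; in the otp type extnValue is already decoded.
ext_value(Id, Exts) ->
    case lists:keyfind(Id, #'Extension'.extnID, Exts) of
        #'Extension'{extnValue = V} -> V;
        false -> undefined
    end.

%% Returns the names of the checks that fail for the given certificate.
server_cert_issues(#'OTPCertificate'{tbsCertificate = TBS}) ->
    Exts = case TBS#'OTPTBSCertificate'.extensions of
               asn1_NOVALUE -> [];
               L -> L
           end,
    Checks =
        [{ca_cert_used_as_end_entity,
          case ext_value(?'id-ce-basicConstraints', Exts) of
              #'BasicConstraints'{cA = true} -> true;
              _ -> false
          end},
         {key_usage_lacks_digitalSignature,
          case ext_value(?'id-ce-keyUsage', Exts) of
              undefined -> false;      % absent key usage means unrestricted
              KU -> not lists:member(digitalSignature, KU)
          end},
         {ext_key_usage_lacks_serverAuth,
          case ext_value(?'id-ce-extKeyUsage', Exts) of
              undefined -> false;
              EKU -> not lists:member(?'id-kp-serverAuth', EKU)
          end},
         {no_subjectAltName, ext_value(?'id-ce-subjectAltName', Exts) =:= undefined}],
    [Name || {Name, true} <- Checks].

%% Constructed CA-style certificate (cA = true, keyUsage without
%% digitalSignature, no subjectAltName) used to exercise the checks.
demo() ->
    Exts = [#'Extension'{extnID = ?'id-ce-basicConstraints', critical = true,
                         extnValue = #'BasicConstraints'{cA = true}},
            #'Extension'{extnID = ?'id-ce-keyUsage', critical = true,
                         extnValue = [keyCertSign, cRLSign]}],
    server_cert_issues(#'OTPCertificate'{
        tbsCertificate = #'OTPTBSCertificate'{extensions = Exts}}).
```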

2.7 Private Internet Extensions

The private internet extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-pe-authorityInfoAccess | #'AccessDescription'{} |
| id-pe-subjectInfoAccess | #'AccessDescription'{} |

```erlang
#'AccessDescription'{
   accessMethod,  % oid()
   accessLocation % general_name()
}.
```

2.8 CRL and CRL Extensions Profile

The Erlang representation of the CRL and CRL extensions profile derived from the ASN.1 specifications and RFC 5280 is as follows:

```erlang
#'CertificateList'{
   tbsCertList,        % #'TBSCertList'{}
   signatureAlgorithm, % #'AlgorithmIdentifier'{}
   signature           % bitstring()
}.

#'TBSCertList'{
   version,             % v2 (if defined)
   signature,           % #'AlgorithmIdentifier'{}
   issuer,              % {rdnSequence, [#'AttributeTypeAndValue'{}]}
   thisUpdate,          % time()
   nextUpdate,          % time()
   revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}]
   crlExtensions        % [#'Extension'{}]
}.

#'TBSCertList_revokedCertificates_SEQOF'{
   userCertificate,   % integer()
   revocationDate,    % time()
   crlEntryExtensions % [#'Extension'{}]
}.
```

CRL Extensions

The CRL extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-ce-authorityKeyIdentifier | #'AuthorityKeyIdentifier'{} |
| id-ce-issuerAltName | {rdnSequence, [#'AttributeTypeAndValue'{}]} |
| id-ce-cRLNumber | integer() |
| id-ce-deltaCRLIndicator | integer() |
| id-ce-issuingDistributionPoint | #'IssuingDistributionPoint'{} |
| id-ce-freshestCRL | #'DistributionPoint'{} |

Here, the data type 'IssuingDistributionPoint' is represented as the following Erlang record:

```erlang
#'IssuingDistributionPoint'{
   distributionPoint,         % {fullName, [general_name()]} |
                              % {nameRelativeToCRLIssuer, [#'AttributeTypeAndValue'{}]}
   onlyContainsUserCerts,     % boolean()
   onlyContainsCACerts,       % boolean()
   onlySomeReasons,           % [dist_reason()]
   indirectCRL,               % boolean()
   onlyContainsAttributeCerts % boolean()
}.
```

CRL Entry Extensions

The CRL entry extension OID name atoms and their corresponding value types are as follows:

| OID Name | Value Type |
|:----|:----|
| id-ce-cRLReason | crl_reason() |
| id-ce-holdInstructionCode | oid() |
| id-ce-invalidityDate | general_time() |
| id-ce-certificateIssuer | general_name() |

Here:

```erlang
crl_reason() = unspecified
             | keyCompromise
             | cACompromise
             | affiliationChanged
             | superseded
             | cessationOfOperation
             | certificateHold
             | removeFromCRL
             | privilegeWithdrawn
             | aACompromise
```

PKCS#10 Certification Request

The Erlang representation of a PKCS#10 certification request derived from the ASN.1 specifications and RFC 5280 is as follows:

```erlang
#'CertificationRequest'{
   certificationRequestInfo, % #'CertificationRequestInfo'{}
   signatureAlgorithm,       % #'CertificationRequest_signatureAlgorithm'{}
   signature                 % bitstring()
}.

#'CertificationRequestInfo'{
   version,       % atom()
   subject,       % {rdnSequence, [#'AttributeTypeAndValue'{}]}
   subjectPKInfo, % #'CertificationRequestInfo_subjectPKInfo'{}
   attributes     % [#'AttributePKCS-10'{}]
}.

#'CertificationRequestInfo_subjectPKInfo'{
   algorithm,       % #'CertificationRequestInfo_subjectPKInfo_algorithm'{}
   subjectPublicKey % bitstring()
}.

#'CertificationRequestInfo_subjectPKInfo_algorithm'{
   algorithm,  % oid()
   parameters  % der_encoded()
}.

#'CertificationRequest_signatureAlgorithm'{
   algorithm,  % oid()
   parameters  % der_encoded()
}.

#'AttributePKCS-10'{
   type,   % oid()
   values  % [der_encoded()]
}.
```