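X.509 Certificate Definition

Concepts

  • Certificate revocation list (CRL)
  • Certification authority (CA)
  • Registration authority (RA)
  • Public Key Infrastructure (PKI)

Encoding

  • DER: the Distinguished Encoding Rules (DER) are the only encoding rules X.509 relies on; DER is a subset of BER
  • PEM: the DER-encoded content, Base64-encoded and wrapped in a specific format with a header line and a footer line

    Certificate-related file extensions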

  • PEM
  • CER
  • CRT

Certificate fields

Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING }
TBSCertificate
TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    extensions      [3]  EXPLICIT Extensions OPTIONAL
                         -- If present, version MUST be v3
    }
Version
Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
CertificateSerialNumber
CertificateSerialNumber  ::=  INTEGER
AlgorithmIdentifier
AlgorithmIdentifier  ::=  SEQUENCE  {
    algorithm    OBJECT IDENTIFIER,
    parameters   ANY DEFINED BY algorithm OPTIONAL }
Name
Name ::= CHOICE { -- only one possibility for now --
    rdnSequence  RDNSequence }

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

RelativeDistinguishedName ::=
    SET SIZE (1..MAX) OF AttributeTypeAndValue

AttributeTypeAndValue ::= SEQUENCE {
    type     AttributeType,
    value    AttributeValue }

AttributeType ::= OBJECT IDENTIFIER

AttributeValue ::= ANY -- DEFINED BY AttributeType

DirectoryString ::= CHOICE {
    teletexString     TeletexString (SIZE (1..MAX)),
    printableString   PrintableString (SIZE (1..MAX)),
    universalString   UniversalString (SIZE (1..MAX)),
    utf8String        UTF8String (SIZE (1..MAX)),
    bmpString         BMPString (SIZE (1..MAX)) }
Validity
Validity ::= SEQUENCE {
    notBefore   Time,
    notAfter    Time
    }
Time
Time ::= CHOICE {
    utcTime       UTCTime,
    generalTime   GeneralizedTime }
UniqueIdentifier
UniqueIdentifier  ::=  BIT STRING
SubjectPublicKeyInfo
SubjectPublicKeyInfo  ::=  SEQUENCE  {
    algorithm          AlgorithmIdentifier,
    subjectPublicKey   BIT STRING }
Extensions
Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
Extension
Extension  ::=  SEQUENCE  {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING
                -- contains the DER encoding of an ASN.1 value
                -- corresponding to the extension type identified
                -- by extnID
    }
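
To tie the Encoding section to the Certificate structure, here is an added example (not from the original page) that unwraps PEM to DER and splits the outer SEQUENCE into its three fields, refusing length forms that BER allows but DER forbids. The function names are hypothetical, and SAMPLE_DER is a constructed, Certificate-shaped byte string, not a real certificate.

```python
import base64
# Constructed sample: has the three top-level fields but is NOT a valid certificate.
SAMPLE_DER = bytes.fromhex(
    "3019"                              # Certificate ::= SEQUENCE, 25 bytes
    "3003020101"                        # stand-in for tbsCertificate
    "300d06092a864886f70d01010b0500"    # signatureAlgorithm: sha256WithRSAEncryption
    "030300abcd")                       # signatureValue: BIT STRING, 0 unused bits
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Drop the header/footer lines and Base64-decode the body back to DER."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("missing PEM certificate header or footer")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def read_tlv(buf: bytes, pos: int = 0):
    """Read one TLV at pos under DER length rules; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                        # short form: the byte is the length
        length = first
    elif first == 0x80:                     # indefinite length: legal BER, not DER
        raise ValueError("indefinite length is not DER")
    else:                                   # long form: next n bytes hold the length
        n = first & 0x7F
        raw = buf[pos:pos + n]
        length = int.from_bytes(raw, "big")
        if len(raw) != n or raw[0] == 0 or length < 0x80:
            raise ValueError("truncated or non-minimal length is not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def split_certificate(der: bytes):
    """Return [(tag, value)] for tbsCertificate, signatureAlgorithm, signatureValue."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE with no trailing bytes")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x30, 0x30, 0x03]:
        raise ValueError("top-level fields do not match Certificate")
    return fields
```

Rejecting the BER-only forms matters because signatureValue is computed over the exact DER bytes of tbsCertificate, so two parsers that accept different encodings of the same value can disagree about what was signed.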

References

https://datatracker.ietf.org/doc/html/rfc5280#ref-X.690
https://www.cnblogs.com/NathanYang/p/9951282.html
https://www.cnblogs.com/20175211lyz/p/12722360.html