Cryptography Reference
In-Depth Information
Encoding with ASN.1
Certifi cates need to be precisely defi ned. Although this sort of structured data
is now usually represented and defi ned in XML, certifi cates have been around
for quite a while, longer than XML. They're specifi ed instead using a syntax
referred to as
Abstract Syntax Notation
(ASN), or ASN.1 (the .1 being the version
of Abstract Syntax Notation). ASN serves the same purpose as a DTD or an XSD
might serve in an XML context; it describes how elements are nested within
one another, what order they must occur in, and what type each is. Offi cial
ASN.1 looks quite a bit like a C
struct
defi nition, although the differences are
signifi cant enough that you can't map directly from one to another.
The certifi cate format that SSL/TLS uses is defi ned and maintained by the
International Telecommunication Union
(ITU) in a series of documents they just
refer to as the
X series
. The documents themselves can be found at
http://www
.itu.int/rec/T-REC-X/en
. Each one has a number, and the corresponding docu-
ment/standard is referred to as X.
nnn
where
nnn
is a number. So, for instance,
if you want to see the offi cial standard for X.509, you look under
http://www
.itu.int/rec/T-REC-X.509/en
. I'll refer to several of these specifi cations by
number throughout this chapter.
You may notice that the specifi cations presented here aren't always specifi c to
SSL/TLS. They were developed independently and adopted later by the Internet
consortium. As such, the specifi cations contain quite a few elements that aren't
necessarily relevant to the subject matter of this topic itself; I'll mention some of
these elements here but refer the interested reader to other sources for details.
Understanding Signed Certifi cate Structure
ASN.1 is used to describe the structure of an X.509 certifi cate, which is the
offi cial standard for public-key certifi cates and the format on which TLS 1.0
relies. X.509 has been through three revisions; the current, at the time of this
writing, revision of X.509 is 3. The top-level structure of an X.509v3 certifi cate
is shown in Listing 5-1.
Listing 5-1:
X.509 Certifi cate structure declaration
SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
(Continued)
Search WWH ::
Custom Search