Cryptography Reference
In-Depth Information
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version shall be v3
}
Excerpted from
http://www.ietf.org/rfc/rfc2459.txt
The syntax is given in ASN.1. ASN.1 syntax isn't covered completely here;
however, you have to understand a fair bit of it to analyze X.509 because X.509
makes use of most of ASN.1. See
http://luca.ntop.org/Teaching/Appunti/
asn1.html
for a complete overview of ASN.1 syntax.
The fi rst line here in the top-level structure of the X.509v3 certifi cate is
SEQUENCE
.
An ASN.1 SEQUENCE is analogous to a C
struct
, which may be confusing to a
C programmer because
sequence
sounds more like an array. An ASN.1 sequence
groups other elements. As you can see, this sequence contains 10 subelements.
The most important of these, of course, is the seventh,
subjectPublicKeyInfo
,
because the primary purpose of a certifi cate is to transmit a public key.
Each subelement is presented with a name followed by a type — just like
a C
struct
, but inverted. Each of these is examined in detail in the following
sections. I'll go over the meaning of each at a high-level, and then come back
and show you how to parse a real certifi cate; if some of this seems a bit abstract,
the code samples at the end of this chapter should clear up the intent behind
all of these elements.
Version
version [0] EXPLICIT Version DEFAULT v1
The version is an integer between 0 and 2, with 0 representing version 1, 1 rep-
resenting version 2, 2 representing version 3, and so on. The version number
indicates how to parse the remaining structures. For example, the comments
at the bottom that indicate
issuerUniqueId
,
subjectUniqueId
, and
extensions
cannot be present if the version is less than 2. However, the original X.509
specifi cation didn't include a version number, so it's necessary for the parser to
fi rst check to see if a version number is present. If no version number is present,
the parser should assume that the version number is 0 (that is, v1). That's the
meaning of the
EXPLICIT DEFAULT v1
in the declaration.
The type
Version
itself is defi ned in the specifi cation as
Version ::= INTEGER { v1(0), v2(1), v3(2) }
This tells you that the version fi eld is an integer and that it can take on three
discrete values.
Search WWH ::
Custom Search