Attribute Certificate
The Set Attribute Ticket, which is used to authorize updates to key usage limits, has the format of an Attribute Certificate defined by PKIX (RFC 3281).
AttributeCertificate ::= SEQUENCE { acinfo AttributeCertificateInfo, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } AttributeCertificateInfo ::= SEQUENCE { version AttCertVersion -- version is v2, holder Holder, issuer AttCertIssuer, signature AlgorithmIdentifier, serialNumber CertificateSerialNumber, attrCertValidityPeriod AttCertValidityPeriod, attributes SEQUENCE OF Attribute, issuerUniqueID UniqueIdentifier OPTIONAL, extensions Extensions OPTIONAL } AttCertVersion ::= INTEGER { v2(1) } Holder ::= SEQUENCE { baseCertificateID [0] IssuerSerial OPTIONAL, -- the issuer and serial number of -- the holder's Public Key Certificate entityName [1] GeneralNames OPTIONAL, objectDigestInfo [2] ObjectDigestInfo OPTIONAL -- used to directly authenticate the target key, -- see further description below } ObjectDigestInfo ::= SEQUENCE { digestedObjectType ENUMERATED { publicKey (0), publicKeyCert (1), otherObjectTypes (2) }, -- otherObjectTypes only to be used otherObjectTypeID OBJECT IDENTIFIER OPTIONAL, -- must be OID_X509_ATTR_KEY_DIGEST digestAlgorithm AlgorithmIdentifier, objectDigest BIT STRING }
The algorithm OID_X509_ATTR_KEY_DIGEST
is:
objectDigest = Digest(Token_Serial_Number | Token_Label | ObjectID)
Where:
ObjectID
is the concatenation of the CKA_LABEL and CKA_ID attributes of the target Object.
AttCertIssuer ::= CHOICE { v1Form GeneralNames, -- MUST NOT be used in this -- profile v2Form [0] V2Form -- v2 only } V2Form ::= SEQUENCE { issuerName GeneralNames OPTIONAL, baseCertificateID [0] IssuerSerial OPTIONAL, objectDigestInfo [1] ObjectDigestInfo OPTIONAL -- issuerName MUST be present in this profile -- baseCertificateID and objectDigestInfo MUST NOT -- be present in this profile } IssuerSerial ::= SEQUENCE { issuer GeneralNames, serial CertificateSerialNumber, issuerUID UniqueIdentifier OPTIONAL } AttCertValidityPeriod ::= SEQUENCE { notBeforeTime GeneralizedTime, notAfterTime GeneralizedTime } Attribute ::= SEQUENCE { type AttributeType, values SET OF AttributeValue -- at least one value is required } AttributeType ::= OBJECT IDENTIFIER -- there is a different OID for each type of Cryptoki Attribute -- see below for a list AttributeValue ::= ANY DEFINED BY AttributeType -- the data type depends on the type field but it -- represents the value part of the Cryptoki attribute.
OID Used to Indicate Key Digest Algorithm
OID |
OID-type |
---|---|
{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) objDigests(2) key(1) } |
OID_X509_ATTR_KEY_DIGEST
|
OID Value |
OID-type |
Cryptoki Attribute Type |
DER Encoded Value |
---|---|---|---|
{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) usage_limit(1) } |
OID_X509_ATTR_USAGE_LIMIT
|
CKA_USAGE_LIMIT |
INTEGER |
{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) end_date(2) } |
OID_X509_ATTR_END_DATE
|
CKA_END_DATE |
PrintableString |
{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) start_date(3) } |
OID_X509_ATTR_START_DATE
|
CKA_START_DATE |
PrintableString |
{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) admin_cert(4) } |
OID_X509_ATTR_ADMIN_CERT
|
CKA_ADMIN_CERT |
|