Attribute Certificate

The Set Attribute Ticket, which is used to authorize updates to key usage limits, has the format of an Attribute Certificate defined by PKIX (RFC 3281).

AttributeCertificate ::= SEQUENCE {
   acinfo               AttributeCertificateInfo,
   signatureAlgorithm   AlgorithmIdentifier,
   signatureValue       BIT STRING
}
 
AttributeCertificateInfo ::= SEQUENCE {
      version              AttCertVersion -- version is v2,
      holder               Holder,
      issuer               AttCertIssuer,
      signature            AlgorithmIdentifier,
      serialNumber         CertificateSerialNumber,
      attrCertValidityPeriod   AttCertValidityPeriod,
      attributes           SEQUENCE OF Attribute,
      issuerUniqueID       UniqueIdentifier OPTIONAL,
      extensions           Extensions OPTIONAL
}
 
AttCertVersion ::= INTEGER { v2(1) }
 
Holder ::= SEQUENCE {
       baseCertificateID   [0] IssuerSerial OPTIONAL,
    -- the issuer and serial number of
    -- the holder's Public Key Certificate
 
       entityName          [1] GeneralNames OPTIONAL,
       objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
           -- used to directly authenticate the target key,
           -- see further description below
}
 
ObjectDigestInfo ::= SEQUENCE {
       digestedObjectType  ENUMERATED {
       publicKey            (0),
       publicKeyCert        (1),
       otherObjectTypes     (2) },
       -- otherObjectTypes only to be used
       otherObjectTypeID   OBJECT IDENTIFIER OPTIONAL,
              -- must be OID_X509_ATTR_KEY_DIGEST
       digestAlgorithm     AlgorithmIdentifier,
       objectDigest        BIT STRING
            }

The algorithm OID_X509_ATTR_KEY_DIGEST is:

objectDigest  = Digest(Token_Serial_Number | Token_Label | ObjectID)

Where:

ObjectID is the concatenation of the CKA_LABEL and CKA_ID attributes of the target Object.

AttCertIssuer ::= CHOICE {
      v1Form   GeneralNames,  -- MUST NOT be used in this
                              -- profile
     v2Form   [0] V2Form     -- v2 only
}
 
V2Form ::= SEQUENCE {
     issuerName            GeneralNames  OPTIONAL,
     baseCertificateID     [0] IssuerSerial  OPTIONAL,
     objectDigestInfo      [1] ObjectDigestInfo  OPTIONAL
     -- issuerName MUST be present in this profile
     -- baseCertificateID and objectDigestInfo MUST NOT
     -- be present in this profile
}
 
IssuerSerial  ::=  SEQUENCE {
     issuer         GeneralNames,
     serial         CertificateSerialNumber,
     issuerUID      UniqueIdentifier OPTIONAL
}
 
AttCertValidityPeriod  ::= SEQUENCE {
     notBeforeTime  GeneralizedTime,
     notAfterTime   GeneralizedTime
}
 
 
Attribute ::= SEQUENCE {
     type      AttributeType,
     values    SET OF AttributeValue
     -- at least one value is required
}
 
AttributeType ::= OBJECT IDENTIFIER
-- there is a different OID for each type of Cryptoki Attribute
-- see below for a list
 
AttributeValue ::= ANY DEFINED BY AttributeType
      -- the data type depends on the type field but it 
      -- represents the value part of the Cryptoki attribute.

OID Used to Indicate Key Digest Algorithm

OID

OID-type

{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) objDigests(2) key(1) }

OID_X509_ATTR_KEY_DIGEST

 

OID Value

OID-type

Cryptoki Attribute Type

DER Encoded Value

{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) usage_limit(1) }

OID_X509_ATTR_USAGE_LIMIT

CKA_USAGE_LIMIT

INTEGER

{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) end_date(2) }

OID_X509_ATTR_END_DATE

CKA_END_DATE

PrintableString

{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) start_date(3) }

OID_X509_ATTR_START_DATE

CKA_START_DATE

PrintableString

{ iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) admin_cert(4) }

OID_X509_ATTR_ADMIN_CERT

CKA_ADMIN_CERT