Attribute Certificate
The Set Attribute Ticket, which is used to authorize updates to key usage limits, has the format of an Attribute Certificate defined by PKIX (RFC 3281).
AttributeCertificate ::= SEQUENCE {
acinfo AttributeCertificateInfo,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
AttributeCertificateInfo ::= SEQUENCE {
version AttCertVersion -- version is v2,
holder Holder,
issuer AttCertIssuer,
signature AlgorithmIdentifier,
serialNumber CertificateSerialNumber,
attrCertValidityPeriod AttCertValidityPeriod,
attributes SEQUENCE OF Attribute,
issuerUniqueID UniqueIdentifier OPTIONAL,
extensions Extensions OPTIONAL
}
AttCertVersion ::= INTEGER { v2(1) }
Holder ::= SEQUENCE {
baseCertificateID [0] IssuerSerial OPTIONAL,
-- the issuer and serial number of
-- the holder's Public Key Certificate
entityName [1] GeneralNames OPTIONAL,
objectDigestInfo [2] ObjectDigestInfo OPTIONAL
-- used to directly authenticate the target key,
-- see further description below
}
ObjectDigestInfo ::= SEQUENCE {
digestedObjectType ENUMERATED {
publicKey (0),
publicKeyCert (1),
otherObjectTypes (2) },
-- otherObjectTypes only to be used
otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
-- must be OID_X509_ATTR_KEY_DIGEST
digestAlgorithm AlgorithmIdentifier,
objectDigest BIT STRING
}
The algorithm OID_X509_ATTR_KEY_DIGEST is:
objectDigest = Digest(Token_Serial_Number | Token_Label | ObjectID)
Where:
ObjectID is the concatenation of the CKA_LABEL and CKA_ID attributes of the target Object.
AttCertIssuer ::= CHOICE {
v1Form GeneralNames, -- MUST NOT be used in this
-- profile
v2Form [0] V2Form -- v2 only
}
V2Form ::= SEQUENCE {
issuerName GeneralNames OPTIONAL,
baseCertificateID [0] IssuerSerial OPTIONAL,
objectDigestInfo [1] ObjectDigestInfo OPTIONAL
-- issuerName MUST be present in this profile
-- baseCertificateID and objectDigestInfo MUST NOT
-- be present in this profile
}
IssuerSerial ::= SEQUENCE {
issuer GeneralNames,
serial CertificateSerialNumber,
issuerUID UniqueIdentifier OPTIONAL
}
AttCertValidityPeriod ::= SEQUENCE {
notBeforeTime GeneralizedTime,
notAfterTime GeneralizedTime
}
Attribute ::= SEQUENCE {
type AttributeType,
values SET OF AttributeValue
-- at least one value is required
}
AttributeType ::= OBJECT IDENTIFIER
-- there is a different OID for each type of Cryptoki Attribute
-- see below for a list
AttributeValue ::= ANY DEFINED BY AttributeType
-- the data type depends on the type field but it
-- represents the value part of the Cryptoki attribute.
OID Used to Indicate Key Digest Algorithm
| OID | OID-type |
|---|---|
| { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) objDigests(2) key(1) } | OID_X509_ATTR_KEY_DIGEST
|
| OID Value | OID-type | Cryptoki Attribute Type | DER Encoded Value |
|---|---|---|---|
| { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) usage_limit(1) } | OID_X509_ATTR_USAGE_LIMIT
|
CKA_USAGE_LIMIT | INTEGER |
| { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) end_date(2) } | OID_X509_ATTR_END_DATE
|
CKA_END_DATE | PrintableString |
| { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) start_date(3) } | OID_X509_ATTR_START_DATE
|
CKA_START_DATE | PrintableString |
| { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) safeNetInc(23629) safenetRoot(1) safenetHSM(4) ptkc(2) p11Attrs(1) admin_cert(4) } | OID_X509_ATTR_ADMIN_CERT
|
CKA_ADMIN_CERT |
