
X509Data with improved example

From: Donald E. Eastlake 3rd <lde008@dma.isg.mot.com>
Date: Thu, 07 Sep 2000 17:51:13 -0400
Message-Id: <200009072151.RAA15483@noah.dma.isg.mot.com>
To: w3c-ietf-xmldsig@w3.org

I haven't wrapped the text because I wasn't sure what the best width
was but white space is ignored in Base64 so spaces and new lines can
be inserted without affecting the encoded certificates.  This is the
data provided by Tom Gindin.

Thanks,
Donald

<h3>4.4.4 The <a id="sec-X509Data"
name="sec-X509Data"><code>X509Data</code></a> Element</h3>

<p><u>An <code>X509Data</code> element within <code>KeyInfo</code>
contains one or more identifiers of keys or X509 certificates (or
certificates' identifiers or revocation lists).</u>  Five types of
<code>X509Data</code> are defined:

<ol>
  <li>The <code>X509IssuerSerial</code> element, which contains an
  X.509 issuer distinguished name/serial number pair that SHOULD be
  compliant with <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>,
  </li>
  <li>The <code>X509SubjectName</code> element, which contains an
  X.509 subject distinguished name that SHOULD be compliant with
  <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, </li>
  <li>The <code>X509SKI</code> element, which contains an X.509 subject key
  identifier value.</li>
  <li>The <code>X509Certificate</code> element,
  which contains a Base64-encoded X.509v3 certificate, and</li>
  <li>The <code>X509CRL</code> element, which contains a
  Base64-encoded X.509v2 certificate revocation list (CRL).</li>
</ol>

<p>Multiple declarations about a single certificate (e.g., a
<code>X509SubjectName</code> and <code>X509IssuerSerial</code>
element) MUST be grouped inside a single <code>X509Data</code>
element; multiple declarations about the same key but different
certificates (related to that single key) MUST be grouped within a
single <code>KeyInfo</code> element but MAY occur in multiple
<code>X509Data</code> elements.  For example, the
following block contains two pointers to certificate-A (issuer/serial
number and SKI) and a single reference to certificate-B
(SubjectName) and also shows use of certificate elements:</p>

<pre class="xml-example">   &lt;KeyInfo&gt;
     &lt;X509Data&gt; &lt;!-- two pointers to certificate-A --&gt;
       &lt;X509IssuerSerial&gt; 
         &lt;X509IssuerName&gt;<span class="tx">CN=TAMURA Kent, OU=TRL, O=IBM, 
           L=Yamato-shi, ST=Kanagawa, C=JP</span>&lt;/X509IssuerName&gt;
         &lt;X509SerialNumber&gt;12345678&lt;/X509SerialNumber&gt;
       &lt;/X509IssuerSerial&gt;
       &lt;X509SKI&gt;31d97bd7&lt;/X509SKI&gt; 
     &lt;/X509Data&gt;
     &lt;X509Data&gt; &lt;!-- single pointer to certificate-B --&gt;
       &lt;X509SubjectName&gt;Subject of <u>Certificate B</u>&lt;/X509SubjectName&gt;
     &lt;/X509Data&gt;
     &lt;X509Data&gt; &lt;!-- certificate chain --&gt;
       &lt;!--Signer cert, issuer C=US,O=IBM,OU=FVT,CN=arbolCA serial 4--&gt;
       &lt;X509Certificate&gt;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
       &lt;/X509Certificate&gt;
       &lt;!-- intermediate cert subject C=US,O=IBM,OU=FVT,CN=arbolCA issuer,C=US,O=Bridgepoint,OU=FVT,CN=tootiseCA --&gt;
       &lt;X509Certificate&gt;MIICPzCCAaigAwIBAgIBBjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLQnJpZGdlcG9pbnQxDDAKBgNVBAsTA0ZWVDESMBAGA1UEAxMJdG9vdGlzZUNBMB4XDTAwMDgyNDE5NTk0OVoXDTAyMDgyNDE5NTk0OVowOzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMDRlZUMRAwDgYDVQQDEwdhcmJvbENBMIGdMAsGCSqGSIb3DQEBAQOBjQAwgYkCgYEAqEF4pvvO3DjBPhXPyvBJ63lAaZXWcy7yDrMfZ8mc3IhC7B9jT3C0E5u6AALkbDdqNifyp8rlqCurjT5hzVGsCe8eKn9bjKli8GUvfX/67doh7otN5MPnu6Hq8DR8a2kjuYOT3S2qKptnlytQpG3BzgNmeaD+ijqICSHrkQcHPFMCAwEAAaNLMEkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0OBAoECAEOauKKX+IEMBMGA1UdIwQMMAqACL+hwm7BpGUEMA0GCSqGSIb3DQEBBQUAA4GBALEqW7CMC47FhMrOmh+R+1pVWtzAf87oajvMrtF7KykDj+jLEGjXnh5JMnO5e7EAHyitr1CG/p/R3u56UOzIiugvp159aiyn9up8rP1UHecGjmwYUoxpy5JC6HfSavx5uTVX5a49gn/JKX4qIcVyeVpO7y/9g9tTUfzdwKn6TmBK
       &lt;/X509Certificate&gt;
       &lt;!-- root cert subject C=US,O=Bridgepoint,OU=FVT,CN=tootiseCA --&gt;
       &lt;X509Certificate&gt;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
       &lt;/X509Certificate&gt;
     &lt;/X509Data&gt;
   &lt;/KeyInfo&gt;</pre>

<p><u>Note: Direct provision is not made for a PKCS#7 encoded
&quot;bag&quot; of certificates or CRLs but a set of certificates or a
CRL can occur within an <code>X509Data</code> element and multiple
<code>X509Data</code> elements can occur in a
<code>KeyInfo</code>. Whenever multiple certificates occur in an
<code>X509Data</code> element, at least one such certificate must
contain the public key which verifies the signature.</u></p>

<pre class="xml-dtd">
   Schema Definition:

   &lt;element name='X509Data'&gt; 
     &lt;complexType content='elementOnly'&gt; 
       &lt;choice minOccurs='1' maxOccurs='<u>1</u>'&gt;
         &lt;sequence minOccurs='1' maxOccurs='<u>unbounded</u>'&gt; 
           &lt;choice minOccurs='1' maxOccurs='1'&gt; 
             &lt;element ref='ds:X509IssuerSerial'/&gt;
             &lt;element name='X509SKI' type='ds:CryptoBinary'/&gt;
             &lt;element name='X509SubjectName' type='string'/&gt; 
             <u>&lt;element name='X509Certificate' type='ds:CryptoBinary'/&gt;</u>
           &lt;/choice&gt;  
         &lt;/sequence&gt;
         <u>&lt;element name='X509CRL' type='<u>ds:CryptoBinary</u>'/&gt;</u>
       &lt;/choice&gt;
     &lt;/complexType&gt;
   &lt;/element&gt;

   &lt;element name='X509IssuerSerial'&gt; 
     &lt;complexType content='elementOnly'&gt; 
       &lt;sequence minOccurs='1' maxOccurs='1'&gt; 
         &lt;element name='X509IssuerName' type='string' minOccurs='1' maxOccurs='1'/&gt; 
         &lt;element name='X509SerialNumber' type='<u>integer</u>' minOccurs='1' maxOccurs='1'/&gt; 
       &lt;/sequence&gt;
     &lt;/complexType&gt;
   &lt;/element&gt;
</pre>
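The grouping rules above (pointers to one certificate share an <code>X509Data</code>, a CRL stands alone by the schema's <code>choice</code>, and Base64 content may be wrapped with whitespace) are easy to get wrong in a verifier. The following is an added example, not part of this proposal or of any XML Signature implementation: a small Python parser that walks a <code>KeyInfo</code> block shaped like the example above, decodes the <code>ds:CryptoBinary</code> values strictly after removing whitespace, rejects an <code>X509Data</code> that mixes an <code>X509CRL</code> with certificate pointers, and collects the certificates a verifier must still check against the signing key. It assumes un-namespaced element names as in the example and uses constructed stand-in bytes in place of real DER certificates; the RFC 2253 splitter only handles backslash escapes, not quoted or hex-encoded values.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class X509Data:
    # One X509Data element: certificate pointers, certificates, or a single CRL.
    issuer_serial: List[Tuple[str, int]] = field(default_factory=list)
    ski: List[bytes] = field(default_factory=list)
    subject_names: List[str] = field(default_factory=list)
    certificates: List[bytes] = field(default_factory=list)
    crl: Optional[bytes] = None


def decode_crypto_binary(text: str) -> bytes:
    """Decode ds:CryptoBinary: drop wrapping whitespace, then decode strictly.

    validate=True makes any character outside the Base64 alphabet an error
    instead of being silently skipped.
    """
    return base64.b64decode("".join(text.split()), validate=True)


def parse_rfc2253_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 name into (type, value) pairs; handles backslash escapes only."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character, e.g. "\,"
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    result = []
    for rdn in rdns:
        attr_type, sep, value = rdn.strip().partition("=")
        if not attr_type or not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        result.append((attr_type.strip(), value.strip()))
    return result


def parse_x509data(elem: ET.Element) -> X509Data:
    data = X509Data()
    for child in elem:  # the default parser drops XML comments, so only elements arrive
        text = child.text or ""
        if child.tag == "X509IssuerSerial":
            name = child.findtext("X509IssuerName")
            serial = child.findtext("X509SerialNumber")
            if name is None or serial is None:
                raise ValueError("X509IssuerSerial needs X509IssuerName and X509SerialNumber")
            parse_rfc2253_dn(name.strip())  # reject names that are not RFC 2253 shaped
            data.issuer_serial.append((name.strip(), int(serial.strip())))
        elif child.tag == "X509SKI":
            data.ski.append(decode_crypto_binary(text))
        elif child.tag == "X509SubjectName":
            data.subject_names.append(text.strip())
        elif child.tag == "X509Certificate":
            data.certificates.append(decode_crypto_binary(text))
        elif child.tag == "X509CRL":
            if data.crl is not None:
                raise ValueError("only one X509CRL per X509Data")
            data.crl = decode_crypto_binary(text)
        else:
            raise ValueError(f"unexpected child of X509Data: {child.tag}")
    # Schema choice: either one or more pointers/certificates, or exactly one CRL.
    has_pointers = bool(data.issuer_serial or data.ski or data.subject_names or data.certificates)
    if data.crl is not None and has_pointers:
        raise ValueError("X509CRL may not be mixed with certificate pointers in one X509Data")
    if data.crl is None and not has_pointers:
        raise ValueError("empty X509Data")
    return data


def parse_keyinfo(xml_text: str) -> List[X509Data]:
    root = ET.fromstring(xml_text)
    if root.tag != "KeyInfo":
        raise ValueError("expected a KeyInfo root element")
    return [parse_x509data(e) for e in root.findall("X509Data")]


def candidate_certificates(entries: List[X509Data]) -> List[bytes]:
    """All certificates carried in KeyInfo. KeyInfo is a signer-supplied hint:
    the verifier must still confirm one of these holds the key that verifies the
    signature and chains to a root it trusts."""
    return [cert for entry in entries for cert in entry.certificates]


def validation_error(xml_text: str) -> Optional[str]:
    """Return the structural error for a KeyInfo block, or None if it conforms."""
    try:
        parse_keyinfo(xml_text)
    except (ValueError, ET.ParseError) as exc:  # binascii.Error is a ValueError
        return str(exc)
    return None


# Constructed stand-ins: Base64 of arbitrary bytes, NOT real DER certificates/CRLs.
CERT_A_DER = b"constructed stand-in for certificate A"
CERT_A_B64 = base64.b64encode(CERT_A_DER).decode()
CERT_A_B64_WRAPPED = CERT_A_B64[:20] + "\n        " + CERT_A_B64[20:]  # wrapped like a long cert
CRL_B64 = base64.b64encode(b"constructed stand-in for a CRL").decode()

SAMPLE_KEYINFO = f"""<KeyInfo>
  <X509Data> <!-- two pointers to certificate-A -->
    <X509IssuerSerial>
      <X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP</X509IssuerName>
      <X509SerialNumber>12345678</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>31d97bd7</X509SKI>
  </X509Data>
  <X509Data> <!-- single pointer to certificate-B -->
    <X509SubjectName>Subject of Certificate B</X509SubjectName>
  </X509Data>
  <X509Data> <!-- certificate chain: one constructed stand-in -->
    <X509Certificate>
        {CERT_A_B64_WRAPPED}
    </X509Certificate>
  </X509Data>
</KeyInfo>"""

# Mixes a CRL with a certificate in one X509Data, which the schema's choice forbids.
MIXED_CRL_KEYINFO = f"""<KeyInfo>
  <X509Data>
    <X509Certificate>{CERT_A_B64}</X509Certificate>
    <X509CRL>{CRL_B64}</X509CRL>
  </X509Data>
</KeyInfo>"""
```

Running <code>parse_keyinfo(SAMPLE_KEYINFO)</code> yields three <code>X509Data</code> entries, the first carrying both pointers to certificate A, and <code>validation_error(MIXED_CRL_KEYINFO)</code> reports the CRL/certificate mix. Strict Base64 decoding is deliberate: a lenient decoder that drops stray characters would let a mangled certificate blob decode to something other than what the signer embedded.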

<pre class="xml-dtd">
   DTD:

 <u>  &lt;!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName |
                      X509Certificate)+ | X509CRL)&gt;</u>
   &lt;!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) &gt;
   &lt;!ELEMENT X509IssuerName (#PCDATA) &gt;
   &lt;!ELEMENT X509SubjectName (#PCDATA) &gt;
   &lt;!ELEMENT X509SerialNumber (#PCDATA) &gt;
   &lt;!ELEMENT X509SKI (#PCDATA) &gt;
   &lt;!ELEMENT X509Certificate (#PCDATA) &gt;
   &lt;!ELEMENT X509CRL (#PCDATA) &gt;
</pre>
Received on Thursday, 7 September 2000 17:51:24 GMT
