X509Data Element

An X509Data element within KeyInfo contains one or more identifiers of
keys or X509 certificates (or certificates' identifiers or revocation
lists). Five types of X509Data are defined:
  - X509IssuerSerial element, which contains an X.509 issuer distinguished
    name/serial number pair that SHOULD be compliant with RFC2253 [LDAP-DN],
  - X509SubjectName element, which contains an X.509 subject distinguished
    name that SHOULD be compliant with RFC2253 [LDAP-DN],
  - X509SKI element, which contains an X.509 subject key identifier value,
  - X509Certificate element, which contains a Base64-encoded X.509v3
    certificate, and
  - X509CRL element, which contains a Base64-encoded X.509v2 certificate
    revocation list (CRL).

Multiple declarations about a single certificate (e.g., an X509SubjectName
and an X509IssuerSerial element) MUST be grouped inside a single X509Data
element; multiple declarations about the same key but different
certificates (related to that single key) MUST be grouped within a single
KeyInfo element but MAY occur in multiple X509Data elements. For example,
the following block contains two pointers to certificate-A (issuer/serial
number and SKI) and a single reference to certificate-B (SubjectName):
<KeyInfo>
  <X509Data> <!-- two pointers to certificate-A -->
    <X509IssuerSerial>
      <X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM,
        L=Yamato-shi, ST=Kanagawa, C=JP</X509IssuerName>
      <X509SerialNumber>12345678</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>31d97bd7</X509SKI>
  </X509Data>
  <X509Data> <!-- single pointer to certificate-B -->
    <X509SubjectName>Subject of Certificate B</X509SubjectName>
  </X509Data>
  <X509Data> <!-- certificate chain -->
    <X509Certificate> Certificate of D signed by CA </X509Certificate>
    <X509Certificate> Certificate of CA signed by Root </X509Certificate>
    <X509Certificate> Certificate Root </X509Certificate>
  </X509Data>
</KeyInfo>
Note: Direct provision is not made for a PKCS#7 encoded
"bag" of certificates or CRLs but such a set of
certificates or CRLs can occur within an X509Data element. Whenever
multiple certificates occur in an X509Data element, at
least one such certificate must contain the public key which verifies
the signature.
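The following is an added example, not part of the XML-Signature specification or of any W3C code: a small Python parser for the X509Data children of a KeyInfo that enforces the schema's choice rule (identifiers and certificates may be grouped, an X509CRL stands alone) and resolves each identifier against a local trust store. The trust store layout (dicts with id, issuer, serial, ski, subject, der), the sample KeyInfo and the fake certificate bytes are all constructed for this demo, and distinguished-name matching is simplified to whitespace normalization rather than a proper RFC 2253 comparison.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _local(tag):
    """Strip the namespace: '{ns}X509Data' -> 'X509Data'."""
    return tag.rsplit("}", 1)[-1]


def _norm_dn(text):
    # Demo simplification: collapse whitespace only. Real code must compare
    # RFC 2253 DNs attribute by attribute, not as plain strings.
    return " ".join((text or "").split())


def _b64(text):
    # CryptoBinary content is base64; whitespace between characters is allowed.
    return base64.b64decode("".join((text or "").split()), validate=True)


def parse_x509data(elem):
    """Collect the references in one X509Data element, enforcing the schema's
    choice: a non-empty run of identifiers/certificates, or exactly one X509CRL."""
    refs = {"issuer_serial": [], "ski": [], "subject": [], "cert": [], "crl": None}
    children = list(elem)
    if not children:
        raise ValueError("X509Data must contain at least one child")
    for child in children:
        name = _local(child.tag)
        if name == "X509IssuerSerial":
            parts = {_local(c.tag): c.text for c in child}
            if "X509IssuerName" not in parts or "X509SerialNumber" not in parts:
                raise ValueError("X509IssuerSerial needs X509IssuerName and X509SerialNumber")
            serial = int(parts["X509SerialNumber"].strip())  # schema type is integer
            refs["issuer_serial"].append((_norm_dn(parts["X509IssuerName"]), serial))
        elif name == "X509SKI":
            refs["ski"].append(_b64(child.text))
        elif name == "X509SubjectName":
            refs["subject"].append(_norm_dn(child.text))
        elif name == "X509Certificate":
            refs["cert"].append(_b64(child.text))
        elif name == "X509CRL":
            refs["crl"] = _b64(child.text)
        else:
            raise ValueError(f"unexpected child of X509Data: {name}")
    if refs["crl"] is not None and len(children) != 1:
        raise ValueError("X509CRL may not be mixed with certificate identifiers")
    return refs


def x509data_is_valid(xml_fragment):
    """True if the fragment is an X509Data element satisfying the schema choice
    (bad base64 also fails, since binascii.Error is a ValueError)."""
    try:
        parse_x509data(ET.fromstring(xml_fragment))
        return True
    except ValueError:
        return False


def resolve_keyinfo(keyinfo_xml, trust_store):
    """For each X509Data in a KeyInfo, list the trusted certificate ids it names.

    An embedded X509Certificate whose DER is not in the store is only counted as
    untrusted: a signer can embed any certificate, so trust must come from the
    store and the verification key from a resolved entry, never from KeyInfo alone.
    """
    root = ET.fromstring(keyinfo_xml)
    known_der = {c["der"] for c in trust_store}
    results = []
    for elem in root.iter():
        if _local(elem.tag) != "X509Data":
            continue
        refs = parse_x509data(elem)
        matched = {c["id"] for c in trust_store
                   if (c["issuer"], c["serial"]) in refs["issuer_serial"]
                   or c["ski"] in refs["ski"] or c["subject"] in refs["subject"]
                   or c["der"] in refs["cert"]}
        results.append({"trusted": sorted(matched),
                        "untrusted_certs": sum(d not in known_der for d in refs["cert"]),
                        "has_crl": refs["crl"] is not None})
    return results


# Constructed sample data (fake DER bytes stand in for real certificates).
CERT_A_DER, CERT_B_DER = b"\x30\x82fake-cert-A", b"\x30\x82fake-cert-B"
CERT_X_DER = b"\x30\x82fake-cert-not-in-store"
SKI_A = bytes.fromhex("31d97bd7")
TRUST_STORE = [
    {"id": "A", "issuer": "CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP",
     "serial": 12345678, "ski": SKI_A, "subject": "CN=Subject A", "der": CERT_A_DER},
    {"id": "B", "issuer": "CN=Example CA", "serial": 2, "ski": b"\x01\x02",
     "subject": "CN=Subject of Certificate B", "der": CERT_B_DER},
]
SKI_A_B64, CERT_X_B64 = (base64.b64encode(v).decode() for v in (SKI_A, CERT_X_DER))
SAMPLE_KEYINFO = f"""<KeyInfo xmlns="{DSIG_NS}">
  <X509Data>
    <X509IssuerSerial>
      <X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM,
        L=Yamato-shi, ST=Kanagawa, C=JP</X509IssuerName>
      <X509SerialNumber>12345678</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>{SKI_A_B64}</X509SKI>
  </X509Data>
  <X509Data><X509SubjectName>CN=Subject of Certificate B</X509SubjectName></X509Data>
  <X509Data><X509Certificate>{CERT_X_B64}</X509Certificate></X509Data>
</KeyInfo>"""
```

Running `resolve_keyinfo(SAMPLE_KEYINFO, TRUST_STORE)` on the constructed sample yields one entry per X509Data: the first resolves to certificate A by both issuer/serial and SKI, the second to B by subject name, and the third resolves to nothing because its embedded certificate is not in the store. That last case is the one that matters for the note above: an X509Data that merely carries a certificate does not make that certificate's key acceptable for signature verification; the verifier must find the key in a certificate it already trusts (or can chain to a trusted root) before accepting the signature.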
Schema Definition:
<element name='X509Data'>
  <complexType content='elementOnly'>
    <choice minOccurs='1' maxOccurs='1'>
      <sequence minOccurs='1' maxOccurs='unbounded'>
        <choice minOccurs='1' maxOccurs='1'>
          <element ref='ds:X509IssuerSerial'/>
          <element name='X509SKI' type='ds:CryptoBinary'/>
          <element name='X509SubjectName' type='string'/>
          <element name='X509Certificate' type='ds:CryptoBinary'/>
        </choice>
      </sequence>
      <element name='X509CRL' type='ds:CryptoBinary'/>
    </choice>
  </complexType>
</element>

<element name='X509IssuerSerial'>
  <complexType content='elementOnly'>
    <sequence minOccurs='1' maxOccurs='1'>
      <element name='X509IssuerName' type='string' minOccurs='1' maxOccurs='1'/>
      <element name='X509SerialNumber' type='integer' minOccurs='1' maxOccurs='1'/>
    </sequence>
  </complexType>
</element>
DTD:
<!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName |
                     X509Certificate)+ | X509CRL)>
<!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) >
<!ELEMENT X509IssuerName (#PCDATA) >
<!ELEMENT X509SubjectName (#PCDATA) >
<!ELEMENT X509SerialNumber (#PCDATA) >
<!ELEMENT X509SKI (#PCDATA) >
<!ELEMENT X509Certificate (#PCDATA) >
<!ELEMENT X509CRL (#PCDATA) >