B.4. CRL 扩展
B.4.1. 关于 CRL 扩展
由 ANSI X9 和 ISO/IEC/ITU 为 X.509 CRL 定义的扩展 [X.509] [X9.55] 允许与 CRL 关联的其他属性。Internet X.509 公共密钥基础架构证书和 CRL 配置集 (通过 RFC 5 280)提供,推荐在 CRL 中使用一组扩展。这些扩展称为 标准 CRL 扩展。
标准还允许创建自定义扩展并包含在 CRL 中。这些扩展称为 私有、专有 或自定义 CRL 扩展,并可包含对机构或业务唯一的信息。应用程序可能无法验证包含私有关键扩展的 CRL,因此不建议在一般上下文中使用自定义扩展。
注意
在 CCITT Recommendations X.208 和 X.209 中,在 CCITT Recommendations X.208 和 X.209 中指定了抽象语法行为(ASN.1)和可辨识(DER)标准。有关 ASN.1 和 DER 的快速摘要,请参阅 A Layman's Guide to a ASN.1、BER 和 DER,它可从 RSA 实验室程序网站 http://www.rsa.com 获得。
B.4.1.1. CRL 扩展结构
CRL 扩展由以下部分组成:
- 扩展的对象标识符(OID)。此标识符唯一标识扩展。它还决定 value 字段中的值的 ASN.1 类型以及值的解释方式。当扩展出现在 CRL 中时,OID 显示为扩展名 ID 字段(extnID),对应的 ASN.1 编码结构显示为八进制字符串(extnValue)的值;示例显示在 例 B.4 “Pretty-Print Certificate Extensions 示例” 中。
- 标志或布尔值字段名为 critical。分配给此字段的 true 或 false 值指示扩展是否对 CRL 至关重要。
- 如果扩展至关重要,并且 CRL 发送到不基于扩展 ID 理解扩展的应用程序,则应用程序必须拒绝 CRL。
- 如果扩展不重要,并且 CRL 发送到不理解扩展 ID 的扩展的应用程序,则应用程序可以忽略扩展并接受 CRL。
- 包含扩展名值的 DER 编码的八进制字符串。
接收 CRL 的应用程序会检查扩展 ID,以确定它是否可以识别 ID。如果能够,它会使用扩展 ID 来确定所使用的值类型。
B.4.1.2. CRL 和 CRL Entry Extensions 示例
以下是 X.509 CRL 版本 2 扩展名示例。CertificateCertificate Systemnbsp;System 可以显示 CRL 可读打印格式,如下所示。如示例所示,CRL 扩展按顺序显示,且每个 CRL 只能有一个特定扩展实例;例如: CRL 只能包含一个授权密钥标识符扩展。但是,CRL-entry 扩展会出现在 CRL 中的相应条目中。
Certificate Revocation List:
Data:
Version: v2
Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Issuer: CN=Certificate Authority,O=Example Domain
This Update: Wednesday, July 29, 2009 8:59:48 AM GMT-08:00
Next Update: Friday, July 31, 2009 8:59:48 AM GMT-08:00
Revoked Certificates: 1-3 of 3
Serial Number: 0x11
Revocation Date: Thursday, July 23, 2009 10:07:15 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Privilege_Withdrawn
Serial Number: 0x1A
Revocation Date: Wednesday, July 29, 2009 8:50:11 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Certificate_Hold
Identifier: Invalidity Date - 2.5.29.24
Critical: no
Invalidity Date: Sun Jul 26 23:00:00 GMT-08:00 2009
Serial Number: 0x19
Revocation Date: Wednesday, July 29, 2009 8:50:49 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Key_Compromise
Identifier: Invalidity Date - 2.5.29.24
Critical: no
Invalidity Date: Fri Jul 24 23:00:00 GMT-08:00 2009
Extensions:
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://example.com:9180/ca/ocsp
Identifier: Issuer Alternative Name - 2.5.29.18
Critical: no
Issuer Names:
DNSName: example.com
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
50:52:0C:AA:22:AC:8A:71:E3:91:0C:C5:77:21:46:9C:
0F:F8:30:60
Identifier: Freshest CRL - 2.5.29.46
Critical: no
Number of Points: 1
Point 0
Distribution Point: [URIName: http://server.example.com:8443/ca/ee/ca/getCRL?op=getDeltaCRL&crlIssuingPoint=MasterCRL]
Identifier: CRL Number - 2.5.29.20
Critical: no
Number: 39
Identifier: Issuing Distribution Point - 2.5.29.28
Critical: yes
Distribution Point:
Full Name:
URIName: http://example.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
Only Contains User Certificates: no
Only Contains CA Certificates: no
Indirect CRL: no
Signature:
Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Signature:
47:D2:CD:C9:E5:F5:9D:56:0A:97:31:F5:D5:F2:51:EB:
1F:CF:FA:9E:63:D4:80:13:85:E5:D8:27:F0:69:67:B5:
89:4F:59:5E:69:E4:39:93:61:F2:E3:83:51:0B:68:26:
CD:99:C4:A2:6C:2B:06:43:35:36:38:07:34:E4:93:80:
99:2F:79:FB:76:E8:3D:4C:15:5A:79:4E:E5:3F:7E:FC:
D8:78:0D:1D:59:A0:4C:14:42:B7:22:92:89:38:3A:4C:
4A:3A:06:DE:13:74:0E:E9:63:74:D0:2F:46:A1:03:37:
92:F0:93:D9:AA:F8:13:C5:06:25:02:B0:FD:3B:41:E7:
62:6F:67:A3:9F:F5:FA:03:41:DA:8D:FD:EA:2F:E3:2B:
3E:F8:E9:CC:3B:9F:E4:ED:73:F2:9E:B9:54:14:C1:34:
68:A7:33:8F:AF:38:85:82:40:A2:06:97:3C:B4:88:43:
7B:AF:5D:87:C4:47:63:4A:11:65:E3:75:55:4D:98:97:
C2:2E:62:08:A4:04:35:5A:FE:0A:5A:6E:F1:DE:8E:15:
27:1E:0F:87:33:14:16:2E:57:F7:DC:77:BE:D2:75:AB:
A9:7C:42:1F:84:6D:40:EC:E7:ED:84:F8:14:16:28:33:
FD:11:CD:C5:FC:49:B7:7B:39:57:B3:E6:36:E5:CD:B6
delta CRL 是 CRL 的子集,仅包含上一次 CRL 发布后的更改。包含 delta CRL 指示器扩展的任何 CRL 都是 delta CRL。
ertificate Revocation List:
Data:
Version: v2
Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Issuer: CN=Certificate Authority,O=SjcRedhat Domain
This Update: Wednesday, July 29, 2009 9:02:28 AM GMT-08:00
Next Update: Thursday, July 30, 2009 9:02:28 AM GMT-08:00
Revoked Certificates:
Serial Number: 0x1A
Revocation Date: Wednesday, July 29, 2009 9:00:48 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Remove_from_CRL
Serial Number: 0x17
Revocation Date: Wednesday, July 29, 2009 9:02:16 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Certificate_Hold
Identifier: Invalidity Date - 2.5.29.24
Critical: no
Invalidity Date: Mon Jul 27 23:00:00 GMT-08:00 2009
Extensions:
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://server.example.com:8443/ca/ocsp
Identifier: Delta CRL Indicator - 2.5.29.27
Critical: yes
Base CRL Number: 39
Identifier: Issuer Alternative Name - 2.5.29.18
Critical: no
Issuer Names:
DNSName: a-f8.sjc.redhat.com
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
50:52:0C:AA:22:AC:8A:71:E3:91:0C:C5:77:21:46:9C:
0F:F8:30:60
Identifier: CRL Number - 2.5.29.20
Critical: no
Number: 41
Identifier: Issuing Distribution Point - 2.5.29.28
Critical: yes
Distribution Point:
Full Name:
URIName: http://server.example.com:8443/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
Only Contains User Certificates: no
Only Contains CA Certificates: no
Indirect CRL: no
Signature:
Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Signature:
68:28:DA:90:D5:39:CB:6D:BE:42:04:77:C9:E4:09:60:
C1:97:A6:99:AB:A0:5B:A2:F3:8B:5E:4E:D6:05:70:B0:
87:1F:D7:0E:4B:C6:B2:DE:8B:92:D8:7C:3B:36:1C:79:
96:2A:64:E6:7A:25:1D:E7:40:62:48:7A:24:C9:9D:11:
A6:7F:BB:6B:03:A0:9C:1D:BC:1C:EE:9A:4B:A6:48:2C:
3B:5E:2B:B1:70:3C:C3:42:96:28:26:AB:82:18:F2:E9:
F2:55:48:A8:7E:7F:FE:D4:3D:0B:EA:A2:2F:4E:E6:C3:
C3:C1:6A:E5:C6:85:5B:42:B1:70:2A:C6:E1:D9:0C:AF:
DA:01:22:FF:80:6E:2E:A7:E5:34:DC:AF:E6:C2:B5:B3:
1B:FC:28:36:8A:91:4A:22:E7:03:A5:ED:4E:62:0C:D9:
7F:81:BB:80:99:B8:61:2A:02:C6:9C:41:2E:01:82:21:
80:82:69:52:BD:B2:AA:DB:0F:80:0A:7E:2A:F3:15:32:
69:D2:40:0D:39:59:93:75:A2:ED:24:70:FB:EE:19:C0:
BE:A2:14:36:D0:AC:E8:E2:EE:23:83:DD:BC:DF:38:1A:
9E:37:AF:E3:50:D9:47:9D:22:7C:36:35:BF:13:2C:16:
A2:79:CF:05:41:88:8E:B6:A2:4E:B3:48:6D:69:C6:38