使用ASN.1语言描述,我们可以将X509Certificate抽象为以下结构:
Certificate ::= SEQUENCE {tbsCertificate TBSCertificate,signatureAlgorithm AlgorithmIdentifier,signature BIT STRING }
即基本证书域、签名算法、签名值。
其中TBSCertificate的结构为:
TBSCertificate ::= SEQUENCE {version [0] EXPLICIT Version DEFAULT v1,serialNumber CertificateSerialNumber,signature AlgorithmIdentifier,issuer Name,validity Validity,subject Name,subjectPublicKeyInfo SubjectPublicKeyInfo,issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,-- If present, version must be v2 or v3subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,-- If present, version must be v2 or v3extensions [3] EXPLICIT Extensions OPTIONAL-- If present, version must be v3}
即版本、序列号、签名算法、颁发者、有效期、使用者、主体公钥信息、扩展项。
主体公钥信息:
SubjectPublicKeyInfo ::= SEQUENCE {algorithm AlgorithmIdentifier,subjectPublicKey BIT STRING }
算法标识符:
AlgorithmIdentifier ::= SEQUENCE {algorithm OBJECT IDENTIFIER,parameters ANY DEFINED BY algorithm OPTIONAL }