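The previous part described the key generation process for non-explicit-certificate public key mechanisms (certificateless and implicit certificate); see "SM2 Certificateless and Implicit Certificate Public Key Mechanisms: Signing and Encryption Process in Detail (Part 1)". This part continues with the implicit certificate ASN.1 template and the generation process.
(1) Implicit certificate ASN.1 template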
SequenceOfCertificate ::= SEQUENCE OF Certificate
Certificate ::= CertificateBase(ExplicitCertificate | Reserved)
CertificateBase ::= SEQUENCE {
version Uint8(3),
type CertificateType,
issuer IssuerIdentifier,
toBeSigned ToBeSignedCertificate,
signature Signature OPTIONAL
}
CertificateType ::= ENUMERATED {
explicit,
reserved,
...
}
-- Explicit certificate: must carry a CA signature; verified with the CA public key
ExplicitCertificate ::= CertificateBase (WITH COMPONENTS { ...,
type(explicit),
toBeSigned (WITH COMPONENTS { ...,
verifyKeyIndicator (WITH COMPONENTS {verificationKey})
}),
signature PRESENT
})
-- Implicit certificate: no CA signature; verified with the declared public key (i.e. the public key reconstruction data)
Reserved ::= CertificateBase (WITH COMPONENTS { ...,
type(reserved),
toBeSigned(WITH COMPONENTS { ...,
verifyKeyIndicator(WITH COMPONENTS {reconstructionValue})
}),
signature ABSENT
})
IssuerIdentifier ::= CHOICE {
sha256AndDigest HashedId8,
self HashAlgorithm,
...,
sha384AndDigest HashedId8,
sm3AndDigest HashedId8
}
SignedData ::= SEQUENCE {
hashId OBJECT IDENTIFIER,
tbsData ToBeSignedData,
signer SignerIdentifier,
signature Signature
}
ToBeSignedCertificate ::= SEQUENCE {
id CertificateId,
cracaId HashedId3,
crlSeries CrlSeries,
validityPeriod ValidityPeriod,
region GeographicRegion OPTIONAL,
assuranceLevel SubjectAssurance OPTIONAL,
appPermissions SequenceOfAidSsp OPTIONAL,
cerIssuePermissions SequenceOfAidGroupPermissions OPTIONAL,
cerRequestPermissions SequenceOfAidGroupPermissions OPTIONAL,
canRequestRollover NULL OPTIONAL,
encryptionKey PublicEncryptionKey OPTIONAL,
verifyKeyIndicator VerificationKeyIndicator,
...
}
(WITH COMPONENTS {..., appPermissions PRESENT} |
WITH COMPONENTS {..., cerIssuePermissions PRESENT} |
WITH COMPONENTS {..., cerRequestPermissions PRESENT})
CertificateId ::= CHOICE {
linkageData LinkageData,
name HostName,
binaryId OCTET STRING(SIZE(1..64)),
none NULL,
...
}
LinkageData ::= SEQUENCE {
iCert IValue,
linkage-value LinkageValue,
group-linkage-value GroupLinkageValue OPTIONAL
}
SequenceOfAidGroupPermissions ::= SEQUENCE OF AidGroupPermissions
AidGroupPermissions ::= SEQUENCE {
subjectPermissions SubjectPermissions,
minChainLength INTEGER DEFAULT 1,
chainLengthRange INTEGER DEFAULT 0,
eeType EndEntityType DEFAULT {app}
}
SubjectPermissions ::= CHOICE {
explicit SequenceOfAidSspRange,
all NULL,
...
}
EndEntityType ::= BIT STRING {app(0), enroll(1)} (SIZE(8)) (ALL EXCEPT {})
VerificationKeyIndicator ::= CHOICE {
verificationKey PublicVerificationKey,
reconstructionValue EccP256CurvePoint,
...
}
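The subtype constraints in the template above (explicit: verificationKey with a signature; implicit: reconstructionValue with no signature; at least one permissions field) can be checked on a decoded certificate before any key reconstruction or signature verification. The following is an added example, not code from the original article; the dict layout with each CHOICE as a (name, value) pair and the sample values are assumptions.

```python
# Added example: enforces the WITH COMPONENTS constraints from the template on a
# decoded certificate. Dict layout (CHOICE as (name, value)) is an assumption.

PERMISSION_FIELDS = ("appPermissions", "cerIssuePermissions", "cerRequestPermissions")

# CertificateType -> (required verifyKeyIndicator alternative, signature required?)
SUBTYPE_RULES = {
    "explicit": ("verificationKey", True),
    "reserved": ("reconstructionValue", False),  # implicit certificate
}


def check_certificate(cert):
    """Return a list of constraint violations; an empty list means the shape is valid."""
    errors = []
    if cert.get("version") != 3:
        errors.append("version must be 3")
    tbs = cert.get("toBeSigned", {})
    # ToBeSignedCertificate: at least one permissions field must be PRESENT.
    if not any(field in tbs for field in PERMISSION_FIELDS):
        errors.append("toBeSigned needs at least one permissions field")
    rule = SUBTYPE_RULES.get(cert.get("type"))
    if rule is None:
        errors.append("unknown certificate type")
        return errors
    wanted_indicator, needs_signature = rule
    indicator = tbs.get("verifyKeyIndicator", (None, None))[0]
    if indicator != wanted_indicator:
        errors.append(f"{cert['type']} certificate requires {wanted_indicator}")
    has_signature = cert.get("signature") is not None
    if needs_signature and not has_signature:
        errors.append("explicit certificate must carry a signature")
    if not needs_signature and has_signature:
        errors.append("implicit certificate must not carry a signature")
    return errors


# Constructed sample: an implicit certificate with placeholder bytes, not real keys.
implicit_cert = {
    "version": 3,
    "type": "reserved",
    "issuer": ("sm3AndDigest", b"\x00" * 8),
    "toBeSigned": {
        "id": ("none", None),
        "appPermissions": [],
        "verifyKeyIndicator": ("reconstructionValue", b"\x02" + b"\x01" * 32),
    },
}
# Same certificate with a signature attached: violates `signature ABSENT`.
bad_cert = dict(implicit_cert, signature=b"\x00" * 64)
```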
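(2) Implicit certificate generation process (brief)
1) The KGC generates the system private key ms and the corresponding system public key Ppub.
2) The KGC uses the system public key Ppub to apply to the CA for a certificate (standard certificate application flow).
3) Entity A submits its public key data UA and other information to the KGC.
4) The KGC verifies that the implicit certificate request is legitimate and generates the part of ToBeSignedCertificate from id to encryptionKey.
5) The KGC generates IDA (which includes at least the data fields of ToBeSignedCertificate from id up to, but not including, encryptionKey).
6) The KGC uses WA as the verifyKeyIndicator data in the implicit certificate and generates the complete implicit certificate.
A later part will cover the COER encoding of implicit certificates, implicit certificate examples, and how they are used.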