GB/T 20518-2018 English PDFUS$1159.00 ยท In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email. GB/T 20518-2018: Information security technology -- Public key infrastructure -- Digital certificate format Status: Valid GB/T 20518: Historical versions
Basic dataStandard ID: GB/T 20518-2018 (GB/T20518-2018)Description (Translated English): Information security technology -- Public key infrastructure -- Digital certificate format Sector / Industry: National Standard (Recommended) Classification of Chinese Standard: L80 Classification of International Standard: 35.040 Word Count Estimation: 58,550 Date of Issue: 2018-06-07 Date of Implementation: 2019-01-01 Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration GB/T 20518-2018: Information security technology -- Public key infrastructure -- Digital certificate format---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order. Information security technology--Public key infrastructure--Digital certificate format ICS 35.040 L80 National Standards of People's Republic of China Replace GB/T 20518-2006 Information Security Technology Public Key Infrastructure Digital certificate format Published on.2018-06-07 2019-01-01 implementation State market supervision and administration China National Standardization Administration issued ContentForeword III 1 Scope 1 2 Normative references 1 3 Terms and Definitions 1 4 Abbreviations 2 5 Digital Certificate and CRL 2 5.1 Overview 2 5.2 Digital Certificate Format 2 5.3 CRL format 20 6 support for algorithm technology 24 Appendix A (Normative) Structure of the certificate 25 Appendix B (Normative Appendix) Structure Example of Certificate 27 Appendix C (Normative Appendix) Certificate Revocation List Contents Table 29 Appendix D (informative) Digital certificate coding example 48 Appendix E (informative) Algorithm Technical Support 52 Reference 53ForewordThis standard was drafted in accordance with the rules given in GB/T 1.1-2009. This standard replaces GB/T 20518-2006 "Information Security Technology Public Key Infrastructure Digital Certificate Format", and The main technical changes compared with GB/T 20518-2006 are as follows. --- Added support for SM2 and SM3 cryptographic algorithms in Appendix E algorithm technical support; deleted MD5, SHA-1 algorithmIntroduction--- Added the basic structure of the 5.3 certificate revocation list and the contents of the extensions in the digital certificate format; --- Revised the value of some OIDs in 5.2.4. Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents. This standard is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260). This standard was drafted. Shanghai Geer Software Co., Ltd., Changchun Jida Zhengyuan Information Technology Co., Ltd., Shanghai Digital Certificate Certification Center Co., Ltd., China Financial Certification Center, Beijing Haitai Fangyuan Technology Co., Ltd., Beijing Digital Certification Co., Ltd. Wuxi Jiangnan Information Security Engineering Technology Center, Chengdu Weishitong Information Industry Co., Ltd., Xingtang Communication Technology Co., Ltd., Shandong An Information Technology Co., Ltd., National Information Security Engineering Technology Research Center. The main drafters of this standard. Liu Ping, Zheng Qiang, Yang Wenshan, Zhao Lili, Han Wei, Zhao Gaixia, Fu Dapeng, Jiang Hongyu, Luo Jun, Xu Mingyi, Wang Nina, Kong Fanyu, Yuan Feng. The previous versions of the standards replaced by this standard are. ---GB/T 20518-2006. Information Security Technology Public Key Infrastructure Digital certificate format1 ScopeThis standard specifies the basic structure of digital certificates and certificate revocation lists, and the contents of each data item. This standard applies to the development of digital certificate authentication systems, the operation of digital certificate certification institutions and security applications based on digital certificates.2 Normative referencesThe following documents are indispensable for the application of this document. For dated references, only dated versions apply to this article. For the undated references, the latest edition (including all amendments) applies to this document. GB/T 16262.1-2006 Information Technology Abstract Syntax Notation 1 (ASN.1) Part 1. Basic notation specification GB/T 16264.8-2005 Information technology open systems interconnection directory - Part 8. Public key and attribute certificate framework GB/T 17969.1-2015 Information technology - Open systems interconnection OSI registration procedures - Part 1 . General procedures GB/T 35275 SM2 cryptographic algorithm cryptographic signature message syntax specification GB/T 35276 SM2 cryptographic algorithm usage specification PKCS Certificate authority; certificationauthority; CA The authority responsible for creating and assigning certificates, trusted by users. The certificate authority can also create a key for the user. 3.6 Certificate revocation list distribution point CRLdistributionpoint A CRL directory entry or other CRL distribution source, the CRL distributed through the CRL distribution point may contain only one CA The revocation of a subset of the issued certificate set may also include revocations with multiple CAs. 3.7 Digital certificate digitalcertificate A digitally signed third-party certificate authority (CA) that is authoritative, credible, and impartial. The digitized file of the letter.4 AbbreviationsThe following abbreviations apply to this document. CA Certificate Authority (CertificationAuthority) CRL certificate revocation list (CertificateRevocationList) DIT Directory Information Tree System (DirectoryInformationTree) OID object identifier (ObjectID) PKI Public Key Infrastructure (Publickeyinfrastructure)5 Digital certificates and CRLs5.1 Overview Digital certificates have the following characteristics. --- Any user who can obtain and use the certificate authority's public key can restore the public key authenticated by the certification body; --- Except for the certification body, no other organization can change the certificate, the certificate is unforgeable. Since certificates are unforgeable, they can be published by placing them in a directory without having to specifically protect them later. The certificate authority generates a user certificate by signing the information set, and the information set includes a distinguishable user name, a public key, and a The unique identifier that contains the user's additional information. The exact format of the unique identifier content is not specified here, but is left to the authentication machine. Construct a definition. The unique identifier can be, for example, an object identifier, a certificate, a date, or a certificate indicating the validity of the distinguished username. Other forms of the book. Specifically, if the distinguished name of a user certificate is A, the unique identifier is UA, and the certificate is A user certificate, named CA, whose unique identifier is UCA, is generated in the following form. CA< \u003cA\u003e>=CA{V, SN, AI, CA, UCA, A, UA, Ap, TA}\u003c/a\u003e Here V is the certificate version; SN is the certificate serial number; AI is the algorithm identifier used to sign the certificate; UCA is the optional only CA Uniform identifier; UA is the optional unique identifier of User A; Ap is the public key of User A; TA indicates the validity period of the certificate, consisting of two The date is composed of the time period between the two is the validity period of the certificate. The certificate validity period is a time interval in which time, The CA shall ensure that the status information of the certificate is maintained, that is, the information about the revocation is released. Since the TA is assumed to be no less than 24h Changes in the cycle require the system to be based on Greenwich Mean Time. The signature on the certificate can be used by any user who knows the CA public key CAp Used to verify the validity of the certificate. The CRL is a list file issued by the CA for the revoked certificate, which can be used for the application system to authenticate the user certificate. Sex. The CRL follows the certificate revocation list format of the X.509V2 standard. 5.2 Digital Certificate Format 5.2.1 Overview This standard uses GB/T 16262.1-2006 specific coding rules (DER) to encode the information in the following certificate items. Form a specific certificate data structure. The ASN.1DER code is an encoding system for the tag, length and value of each element. 5.2.2 Data Structure of the Basic Certificate Domain The basic data structure of a digital certificate is as follows. Certificate ..= SEQUENCE { tbsCertificate TBSCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue BITSTRING } TBSCertificate ..= SEQUENCE { Version [0] EXPLICITVersionDEFAUTv1, serialNumber CertificateSerialNumber, Signature AlgorithmIdentifier, Issuer Name, Validity Validity, Subject Name, subjectPublicKeyInfoSubjectPublicKeyInfo, issuerUniqueID [1]IMPLICITUniqueIdentifierOPTIONAL, -- If it does, version must be v2 or v3 subjectUniqueID[2]IMPLICITUniqueIdentifierOPTIONAL, -- If it does, version must be v2 or v3 Extensions [3]EXPLICITExtensionsOPTIONAL extension -- If it does, version must be v3 Version ..= INTEGER { v1(0),v2(1),v3(2) } CertificateSerialNumber ..= INTEGER Validity..=SEQUENCE{ notBefore Time, notAfter Time} Time..=CHOICE{ utcTime UTCTime, generalTime GeneralizedTime} UniqueIdentifier ..= BITSTRING SubjectPublicKeyInfo ..= SEQUENCE { Algorithm AlgorithmIdentifier, subjectPublicKey BITSTRING } Extensions ..= SEQUENCESIZE(1.MAX)OFExtension Extension ..= SEQUENCE { extnID OBJECTIDENTIFIER, Critical BOOLEANDEFAULTFALSE, extnValue OCTETSTRING } The above certificate data structure is composed of three domains. tbsCertificate, signatureAlgorithm and signatureValue. These ones The meaning of the domain is as follows. The tbsCertificate field contains the principal name and issuer name, the principal's public key, the validity period of the certificate, and other related information. The signatureAlgorithm field contains the identifier of the cryptographic algorithm used by the certificate issuing authority to issue the certificate. An algorithm identifier The ASN.1 structure is as follows. AlgorithmIdentifier ..= SEQUENCE { Algorithm OBJECTIDENTIFIER, Parameters ANYDEFINEDBYalgorithmOPTIONAL} The algorithm identifier is used to identify a cryptographic algorithm in which the OBJECTIDENTIFIER portion identifies the specific algorithm. among them The content of the optional parameters is completely dependent on the identified algorithm. The algorithm identifier of the domain should be the signature identifier in tbsCertificate The signature algorithm items are the same. If the signature algorithm is SM2, there is no parameter. The signatureValue field contains the result of digitally signing the tbsCertificate field. Tbs-coded with ASN.1DER Certificate is entered as a digital signature, and the result of the signature is encoded into a BITSTRING type according to ASN.1 and saved in the certificate. Within the signature value field. If the signature algorithm is SM2, the SM2 cryptographic algorithm signature data format is shown in GB/T 35276. 5.2.3 TBSCertificate data structure 5.2.3.1 Version Version This item describes the version number of the encoded certificate. 5.2.3.2 Serial number Serialnumber The serial number is a positive integer assigned by the CA to each certificate, and the serial number of each certificate issued by a CA should be unique (this Similarly, a certificate can be uniquely identified by the issuer's name and serial number. The CA should ensure that the serial number is a non-negative integer. serial number It can be a long integer and the certificate user should be able to process serial number values up to 20 8-bit bytes. CA should ensure that no more than 20 8 are used The serial number of the bit byte. 5.2.3.3 Signature Algorithm Signature This entry contains the identifier of the cryptographic algorithm used by the CA to issue the certificate. This algorithm identifier should be associated with the signature in the certificate. The algorithm identifiers for the rithm entries are the same. The content of the optional parameters is completely dependent on the specific algorithm identified, and can support user-defined signatures. algorithm. 5.2.3.4 Issuer Issuer This item identifies the entity for certificate signing and certificate issuance. It should contain a non-empty screening name (DN-distinguished Name). This item is defined as the Name type, and its ASN.1 structure is as follows. Name..=CHOICE{RDNSequence} RDNSequence..=SEQUENCEOFRelativeDistinguishedName RelativeDistinguishedName..=SETOFAttributeTypeAndValue AttributeTypeAndValue..=SEQUENCE{ Type AttributeType, Value AttributeValue} AttributeType..= OBJECTIDENTIFIER AttributeValue..= ANYDEFINEDBYAttributeType DirectoryString..=CHOICE{ teletexString TeletexString(SIZE(1.MAX)), printableString PrintableString(SIZE(1.MAX)), universalString UniversalString(SIZE(1.MAX)), Utf8String UTF8String(SIZE(1.MAX)), bmpString BMPString(SIZE(1.MAX))} Name describes the name of the hierarchy consisting of some attributes, such as the country name and the corresponding value, such as "country=CN". Where At- The type of the tributeValue part is determined by the AttributeType, which is usually a DirectoryString type. DirectoryString types are defined as PrintableString, TeletexString, BMPString, UTF8String, and Uni- One of the versalString types. UTF8String encoding is the preferred encoding. 5.2.3.5 Validity Validity 5.2.3.5.1 Overview The certificate validity period is a period of time during which the CA guarantees that it will maintain information about the status of the certificate. The item is represented As a SEQUEENCE type data with two time values. the start time of the certificate validity period (notBefore) and the validity period of the certificate End time (notAfter). Both NotBefore and notAfter can be used as UTCTime type or General- The izedTime type is encoded. 5.2.3.5.2 Encoding type requirements CAs that comply with this standard should encode this time as UTCTime type before 2049 (including 2049), in 2050 After that, the encoding is of the GeneralizedTime type. 5.2.3.5.3 World Time UTCTime This item is a standard ASN.1 type for international applications where only local time is not enough. UTCTime passed The two low digits determine the year and the time is accurate to one minute or one second. UTCTime contains Z (for Zulu, or Greenwich Mean Time) Or time difference. In this standard, the UTCTime value is expressed in Greenwich Mean Time (Zulu) and should contain seconds even if the value of the second is zero. (ie the time format is YYMMDDHHMMSSZ). The system pair year field (YY) should be interpreted as follows. When YY is greater than or equal to 50, the year should be interpreted as 19YY; when YY is less than 50, the year should be interpreted as 20YY. 5.2.3.5.4 Universal time type GeneralizedTime This item is a standard ASN.1 type that represents the variable accuracy of time. The GeneralizedTime field can contain a local and The time difference between Greenwich Mean Time. In this standard, the GeneralizedTime value shall be expressed in Greenwich Mean Time and shall contain seconds even if the value of the second is zero (ie The time format is YYYYMMDDHHMMSSZ). The GeneralizedTime value must never contain fractional seconds. 5.2.3.6 Subject Subject The subject item describes the entity that corresponds to the public key in the subject's public key entry. The subject name can appear in the subject item and/or subject optional Replace the name extension item (subjectAltName). If the principal is a CA, then the principal should be a non-empty and issuer The content matches the distinguished name (distinguishedname). If the subject's naming information only appears in the subject alternative replacement name expansion In the exhibit item (for example, the key is only bound to an email address or URL), then the subject name should be an empty sequence, and the subject can be replaced. The name extension should be identified as critical. When the subject item is not empty, this item shall contain an X.500 Distinguished Name (DN), a CA-certified entity for each subject entity. The name should be unique. A CA can issue multiple certificates for the same principal entity with the same distinguished name. The subject name extension is defined as the name type of GB/T 16264.8-2005. 5.2.3.7 Subject Public Key Information SubjectPublicKeyInfo This item is used to identify the public key and the corresponding public key algorithm. The public key algorithm uses the algorithm identifier AlgorithmIdentifier structure to Said. When the public key algorithm is SM2, the AlgorithmIdentifier structure is defined in GB/T 35275; when the public key algorithm is RSA, Al- GorithmIdentifier structure definition see PKCS 5.2.3.8 Issuer unique identifier issuerUniqueID This item is mainly used to deal with the reuse of the subject or issuer name. This standard recommends different entity names not to be reused, In- Do not use a unique identifier for the ternet network certificate. A certificate issuing authority that complies with this standard shall not generate a unique identifier with the issuer. Certificate, but should be able to parse the item and compare it during the application process. 5.2.3.9 Subject unique identifier subjectUniqueID This item is mainly used to deal with the reuse of subject names. This standard recommends not to reuse different entity names and is not recommended. For this item, the certificate issuing authority that complies with this standard shall not generate a certificate with the subject unique identifier, but shall be able to resolve it during the application process. Unique identifiers and comparisons. 5.2.3.10 extension extensions The entry is a sequence of one or more certificate extensions (SEQUENCE) whose content and data structure are defined in 5.2.4. 5.2.4 Certificate Extension Domain and Its Data Structure 5.2.4.1 Certificate extension The certificate extensions defined in this standard provide methods for associating some additional attributes with users or public keys and the management of certificate structures. method. Digital certificates allow the definition of standard extensions and private extensions. Extensions in each certificate can be defined as critical and non-critical Sexual. An extension consists of three parts, which are the extension type, the extension key, and the extension value. Extension criticality (extension Criticality) tells a user of a certificate whether to ignore an extension type. Certificate application system does not recognize critical When expanding, the certificate should be rejected, and if the non-critical extension is not recognized, the extension's information can be ignored. This article defines some standard extensions. It is important to note that in the actual application process, if a critical extension is adopted, This certificate may not be available in some general-purpose applications. Each extension includes an object identifier OID and an ASN.1 structure. When an extension appears in the certificate, the OID is used as The extnID entry appears, and its corresponding ASN.1 encoding structure is the value of the 8-bit string extnValue. Specific to a particular certificate The extension can only appear once. For example, a certificate can only contain one certificate authority key identifier extension. One extension contains one Boolean values are used to indicate the criticality of the extension. The default value is FALSE, which is non-critical. The text of each extension points to the key The acceptable value of the sex item. CAs that comply with this standard should support extensions such as key identifiers, basic restrictions, key usage, and certificate......Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 20518-2018_English be delivered?Answer: Upon your order, we will start to translate GB/T 20518-2018_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 6 working days. The lengthier the document the longer the lead time.Question 2: Can I share the purchased PDF of GB/T 20518-2018_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 20518-2018_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.Question 5: Should I purchase the latest version GB/T 20518-2018?Answer: Yes. Unless special scenarios such as technical constraints or academic study, you should always prioritize to purchase the latest version GB/T 20518-2018 even if the enforcement date is in future. Complying with the latest version means that, by default, it also complies with all the earlier versions, technically. |
