Muokkaa

Jaa


Constants for Netscape Extensions

The following Netscape extensions are used with encode and decode operations. The Netscape predefined constants and object identifier strings are not be used directly with the encoding or decoding functions, CryptEncodeObject, CryptEncodeObjectEx, CryptSignAndEncodeCertificate, CryptDecodeObject, or CryptDecodeObjectEx. Instead, these extensions require the use of the lpszStructType shown.

For additional details that apply to some Netscape extensions, see the remarks following the table.

Netscape certificate extension object identifiers lpszStructType Corresponding pvStructInfo
szOID_NETSCAPE_BASE_URL"2.16.840.1.113730.1.2"
X509_ANY_STRING or X509_UNICODE_ANY_STRING
CERT_NAME_VALUE. The dwValueType member is set to CERT_RDN_IA5_STRING. The Value member's pbData member points to an IA5_STRING added to the beginning of all relative URL addresses in a certificate. This extension can be considered an optimization to reduce the size of the URL extensions.
szOID_NETSCAPE_CA_POLICY_URL"2.16.840.1.113730.1.8"
X509_ANY_STRING or X509_UNICODE_ANY_STRING
CERT_NAME_VALUE. The dwValueType member is set to CERT_RDN_IA5_STRING. The Value member's pbData member points to an IA5_STRING, the relative or absolute URL of the webpage describing the policies under which the certificate was issued.
szOID_NETSCAPE_CA_REVOCATION_URL"2.16.840.1.113730.1.4"
X509_ANY_STRING or X509_UNICODE_ANY_STRING
CERT_NAME_VALUE. The dwValueType member is set to CERT_RDN_IA5_STRING. The Value member's pbData member points to an IA5_STRING that is the relative or absolute URL used to check the revocation status of certificates signed by the certification authority that the current certificate belongs to.
szOID_NETSCAPE_CERT_RENEWAL_URL"2.16.840.1.113730.1.7"
X509_ANY_STRING or X509_UNICODE_ANY_STRING
CERT_NAME_VALUE. The dwValueType member is set to CERT_RDN_IA5_STRING. The Value member's pbData member points to an IA5_STRING that is the relative or absolute URL of a certificate renewal form.
szOID_NETSCAPE_CERT_SEQUENCE"2.16.840.1.113730.2.5"
PKCS_CONTENT_INFO_SEQUENCE_OF_ANY CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY
szOID_NETSCAPE_CERT_TYPE"2.16.840.1.113730.1.1"
X509_BITS CRYPT_BIT_BLOB
szOID_NETSCAPE_COMMENT"2.16.840.1.113730.1.13"
X509_ANY_STRING or X509_UNICODE_ANY_STRING
CERT_NAME_VALUE. The dwValueType member is set to CERT_RDN_IA5_STRING. The Value member's pbData member points to an IA5_STRING that is a comment to be display when the certificate is viewed.
szOID_NETSCAPE_REVOCATION_URL"2.16.840.1.113730.1.3"
X509_ANY_STRING or X509_UNICODE_ANY_STRING
CERT_NAME_VALUE. The dwValueType member is set to CERT_RDN_IA5_STRING. The Value member's pbData member points to an IA5_STRING that is a relative or absolute URL used to check the revocation status of the certificate.
szOID_NETSCAPE_SSL_SERVER_NAME"2.16.840.1.113730.1.12"
X509_ANY_STRING or X509_UNICODE_ANY_STRING
CERT_NAME_VALUE. The dwValueType member is set to CERT_RDN_IA5_STRING. The Value member's pbData member points to an IA5_STRING that is a shell expression used to match the host name off the SSL server using this certificate.

 

For all encoding functions that use either the X509_ANY_STRING or the X5O9_UNICODE_ANY_STRING lpszStructType, X509_ANY_STRING is used if the string format in the Value member's pbData member is ASCII, and X509_UNICODE_ANY_STRING is used if the string format is UNICODE. In the Unicode case, the string must be converted to an IA5_STRING before encoding by setting the dwValueType member of the CERT_NAME_VALUE structure to CERT_RDN_IA5_STRING.

For decoding functions, the user selects the format of the output string. Use X509_ANY_STRING if the desired string format is ASCII, and X509_UNICODE_ANY_STRING if the desired string format is Unicode.

For the szOID_NETSCAPE_CERT_RENEWAL_URL extension, the data structure contains a relative or absolute URL that points to a certificate renewal form. The renewal form will be accessed with an HTTP GET method using a URL that is the concatenation of the renewal-URL and certificate-serial-number. The certificate-serial-number is encoded as a string of ASCII hexadecimal digits. For example, if the netscape-base-url is https://certification authority URL/, the netscape-cert-renewal-url is cgi-bin/check-renew.cgi?, and the certificate serial number is 173420, the resulting URL would be: https://certification authority URL/cgi-bin/check-renew.cgi?02a56c. The document returned should be an HTML form that will allow the user to request a renewal of their certificate.

For the szOID_NETSCAPE_CERT_SEQUENCE extension using X509_ASN_ENCODING, the certificate is encoded as a PKCS_CONTENT_INFO structure wrapping a sequence of ANY. The value of the contentType member is pszObjId, while the content field is the following structure:

SequenceOfAny ::= SEQUENCE OF ANY

The CRYPT_DER_BLOBs in the CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY's rgValue member point to encoded X509 certificates.

For szOID_NETSCAPE_CERT_TYPE extensions, the following bits are defined.

Bit value Corresponding type
0x80 NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE
0x40 NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE
0x04 NETSCAPE_SSL_CA_CERT_TYPE

 

For the szOID_NETSCAPE_REVOCATION_URL extensions, a relative or absolute URL can be used to check the revocation status of a certificate. The revocation check will be performed as an HTTP GET method using a URL that is the concatenation of revocation-URL and certificate-serial-number. The certificate-serial-number is encoded as a string of ASCII hexadecimal digits. For example, if the netscape-base-url is https://www.certs-r-us.com/, the netscape-revocation-url is cgi-bin/check-rev.cgi?, and the certificate serial number is 173420, the resulting URL would be: https://www.certs-r-us.com/cgi-bin/check-rev.cgi?02a56c.

The server should return a document with a Content-Type of application/x-netscape-revocation. The document should contain a single ASCII digit, "1" if the certificate is not currently valid, and "0" if it is currently valid.

Note that for all of the URLs that include the certificate serial number, the serial number will be encoded as a string that consists of an even number of hexadecimal digits. If the number of significant digits is odd, the string will have a single leading zero to ensure an even number of digits is generated.