OID: {iso(1) identified-organization(3) ieee(111) standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2) extension-standards(255) dot1(1) interfaces(1) eca-ee(9) major-version-3(3) minor-version-2(2)}
This is the parent structure for all structures exchanged between the ECA and the EE. An overview of this structure is as follows:
eeEcaCertRequest of type EeEcaCertRequest
contains the enrollment certificate request sent
by the EE to the ECA.
ecaEeCertResponse of type EcaEeCertResponse
contains the enrollment certificate response sent
by the ECA to the EE.
EcaEeInterfacePdu::= CHOICE {
eeEcaCertRequest EeEcaCertRequest,
ecaEeCertResponse EcaEeCertResponse,
...
}
This structure contains parameters needed to request an enrollment certificate from the ECA. The ECA may, subject to policy, issue an enrollment certificate with different contents than the contents requested. An overview of this structure is as follows:
version of type Uint8 (2)
contains the current version of the structure.
generationTime of type Time32
contains the generation time of EeEcaCertRequest.
type of type CertificateType
indicates whether the request is for an explicit or implicit
certificate (see 4.1.1, 4.1.4.3.2).
tbsCert of type ToBeSignedCertificate (WITH COMPONENTS {
...,
id (WITH COMPONENTS {
...,
linkageData ABSENT
}),
cracaId ('000000'H),
crlSeries (0),
appPermissions ABSENT,
certIssuePermissions ABSENT,
certRequestPermissions PRESENT,
verifyKeyIndicator (WITH COMPONENTS {
verificationKey
})
})
contains the parameters used by the ECA to generate the
enrollment certificate. tbsCert.verifyKeyIndicator.verificationKey
contains the public key information sent by the requester. The
verifyKeyIndicator field indicates the choice verificationKey even if type
is implicit, as this allows the requester to indicate which signature
algorithm and curve they are requesting. The value in this field is used
as the verification key in the certificate if the certificate issued in
response to this request is explicit, and as the input public key value
for implicit certificate generation if the certificate issued in response
to this request is implicit.
canonicalId of type IA5String OPTIONAL
shall be present and contain the canonical identifier
for the device per 4.1.4.2, if the enclosing EeEcaCertRequestSpdu was
signed by the canonical private key. The receiver is intended to use the
canonicalId to look up the canonical public key to verify the certificate
request.
NOTE:
EeEcaCertRequest ::= SEQUENCE {
version Uint8 (2),
generationTime Time32,
type CertificateType,
tbsCert ToBeSignedCertificate (WITH COMPONENTS {
...,
id (WITH COMPONENTS {
...,
linkageData ABSENT
}),
cracaId ('000000'H),
crlSeries (0),
appPermissions ABSENT,
certIssuePermissions ABSENT,
certRequestPermissions PRESENT,
verifyKeyIndicator (WITH COMPONENTS {
verificationKey
})
}),
canonicalId IA5String OPTIONAL,
...
}
This structure is used by the ECA to respond to an EE's enrollment certificate request. Additional bootstrapping information, including the RA's certificate, is provided by the DCM. The specification of the DCM is outside the scope of this document. An overview of this structure is as follows:
version of type Uint8 (2)
contains the current version of the structure.
generationTime of type Time32
contains the generation time of EcaEeCertResponse.
requestHash of type HashedId8
contains the following hash:
ecaCertChain of type SequenceOfCertificate
contains the ECA's currently valid certificate and the
certificate chain, up to and including the root CA.
certificate of type Certificate
contains the enrollment certificate generated by the
ECA, which shall be of the type indicated by the type field in the
corresponding request.
privateKeyInfo of type OCTET STRING (SIZE(32)) OPTIONAL
shall be present and contain the private key
reconstruction value, if certificate.type is implicit. This is used by the
EE as specified in 9.3.5.1.
The definition of validity for a certificate request, including constraints on the fields in this structure, is specified in 10.1.
EcaEeCertResponse ::= SEQUENCE {
version Uint8 (2),
generationTime Time32,
requestHash HashedId8,
ecaCertChain SequenceOfCertificate,
certificate Certificate,
privateKeyInfo OCTET STRING (SIZE(32)) OPTIONAL,
...
}
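The two structures above define one exchange: the EE sends an EeEcaCertRequest constrained by the WITH COMPONENTS profile, and the ECA answers with an EcaEeCertResponse whose certificate type must match the request and whose privateKeyInfo is required for an implicit certificate. The following is an added example, not code from the standard or from any 1609.2.1 implementation: a Python model in which both structures are plain dicts (an absent OPTIONAL component is an absent key) with the ECA-side profile check and the EE-side response check written out. Assumptions not stated on this page: HashedId8 is the low-order 8 bytes of SHA-256 as defined in IEEE 1609.2; requestHash is taken over the encoded EeEcaCertRequestSpdu bytes (the page does not say what is hashed); the receiver learns from the SPDU's signer whether the canonical private key was used, so that is passed in as a flag; all sample values, including `REQUEST_SPDU`, are constructed.

```python
"""Consistency checks for the ECA/EE enrollment exchange (added example)."""
import hashlib


def hashed_id8(data: bytes) -> bytes:
    """HashedId8 as defined in IEEE 1609.2: low-order 8 bytes of SHA-256."""
    return hashlib.sha256(data).digest()[-8:]


def check_request(req: dict, signed_by_canonical_key: bool) -> list:
    """Return profile violations for an EeEcaCertRequest (empty list = OK).

    `req` mirrors the ASN.1 fields as a dict. `signed_by_canonical_key` is not
    a field of the structure; the receiver learns it from the signer of the
    enclosing EeEcaCertRequestSpdu (assumption of this model).
    """
    errs = []
    if req.get("version") != 2:
        errs.append("version must be 2")
    if req.get("type") not in ("explicit", "implicit"):
        errs.append("type must be explicit or implicit")
    tbs = req.get("tbsCert", {})
    if "linkageData" in tbs.get("id", {}):
        errs.append("tbsCert.id.linkageData must be ABSENT")
    if tbs.get("cracaId") != b"\x00\x00\x00":
        errs.append("tbsCert.cracaId must be '000000'H")
    if tbs.get("crlSeries") != 0:
        errs.append("tbsCert.crlSeries must be 0")
    for name in ("appPermissions", "certIssuePermissions"):
        if name in tbs:
            errs.append(f"tbsCert.{name} must be ABSENT")
    if "certRequestPermissions" not in tbs:
        errs.append("tbsCert.certRequestPermissions must be PRESENT")
    # The CHOICE must be verificationKey even for an implicit request so the
    # EE can name the algorithm and curve; reconstructionValue is not allowed.
    if list(tbs.get("verifyKeyIndicator", {})) != ["verificationKey"]:
        errs.append("tbsCert.verifyKeyIndicator must be the verificationKey choice")
    if signed_by_canonical_key and "canonicalId" not in req:
        errs.append("canonicalId must be present when signed by the canonical key")
    return errs


def check_response(resp: dict, req: dict, request_spdu: bytes) -> list:
    """Return the reasons an EE should reject an EcaEeCertResponse.

    `request_spdu` is the encoded EeEcaCertRequestSpdu the EE sent; this model
    assumes requestHash is HashedId8 over exactly those bytes.
    """
    errs = []
    if resp.get("version") != 2:
        errs.append("version must be 2")
    if resp.get("requestHash") != hashed_id8(request_spdu):
        errs.append("requestHash does not match the request we sent")
    if not resp.get("ecaCertChain"):
        errs.append("ecaCertChain must hold the ECA certificate chain up to the root")
    cert = resp.get("certificate", {})
    if cert.get("type") != req.get("type"):
        errs.append("certificate.type must equal the type in the request")
    pki = resp.get("privateKeyInfo")
    if cert.get("type") == "implicit" and pki is None:
        errs.append("privateKeyInfo must be present for an implicit certificate")
    if pki is not None and len(pki) != 32:
        errs.append("privateKeyInfo must be exactly 32 octets")
    return errs


# Constructed sample data (no real certificates, keys or device identifiers).
GOOD_REQUEST = {
    "version": 2, "generationTime": 700000000, "type": "implicit",
    "tbsCert": {
        "id": {"name": "device-0001"},
        "cracaId": b"\x00\x00\x00", "crlSeries": 0,
        "certRequestPermissions": [{"eeType": ["enroll"]}],
        "verifyKeyIndicator": {"verificationKey": {"ecdsaNistP256": b"\x02" + b"\x11" * 32}},
    },
    "canonicalId": "ACME-OBU-0001",
}
# Same request with two profile violations: appPermissions present and the
# wrong verifyKeyIndicator choice.
BAD_REQUEST = {**GOOD_REQUEST, "tbsCert": {**GOOD_REQUEST["tbsCert"],
    "appPermissions": [{"psid": 32}],
    "verifyKeyIndicator": {"reconstructionValue": b"\x02" + b"\x22" * 32}}}
REQUEST_SPDU = b"constructed-signed-request-bytes"

GOOD_RESPONSE = {
    "version": 2, "generationTime": 700000100,
    "requestHash": hashed_id8(REQUEST_SPDU),
    "ecaCertChain": ["<eca cert>", "<root cert>"],
    "certificate": {"type": "implicit", "id": {"name": "device-0001"}},
    "privateKeyInfo": b"\x33" * 32,
}
# ECA answered an implicit request with an explicit certificate.
WRONG_TYPE_RESPONSE = {**GOOD_RESPONSE, "certificate": {"type": "explicit"}, "privateKeyInfo": None}


if __name__ == "__main__":
    print(check_request(GOOD_REQUEST, True))
    print(check_request(BAD_REQUEST, True))
    print(check_response(GOOD_RESPONSE, GOOD_REQUEST, REQUEST_SPDU))
    print(check_response(WRONG_TYPE_RESPONSE, GOOD_REQUEST, REQUEST_SPDU))
```

Note that a real EE also has to verify the ECA's signature over the response and the certificate chain before trusting the certificate; this model checks only the field-level rules this page states. The ECA may, per the text above, issue a certificate with different contents than requested, so `check_response` compares only the type, not the rest of tbsCert.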