# Certificate Framework Overview

The certificate framework hides the differences between third-party certificate algorithm libraries. It provides capabilities for parsing and validating certificates, certificate extensions, and certificate revocation lists (CRLs), and for validating certificate chains.

You can use the APIs provided by the certificate framework to easily complete your development.

> **NOTE**
> The certificate framework can process certificate and CRL data, but it cannot generate or issue certificates or CRLs. Certificates and CRLs are issued by a certificate authority (CA) rather than by a single application.

## Basic Concepts

The certificate framework provides APIs for parsing, serializing, and signing an X.509 certificate, verifying the signature of an X.509 certificate, and operating X.509 CRLs and the certificate chain validator.

Before you get started, it helps to be familiar with basic certificate concepts, including but not limited to the following:

- Digital certificate
- X.509 (also referred to as "X509" in this document)
- Certificate chain
- To Be Signed (TBS)
- CRL

## Certificate Specifications

The following describes certificate specifications.

### Certificate Chain Validation

The certificate chain validator does not verify the certificate validity period because the device system time is always untrusted. To check the validity period of a certificate, use [checkValidityWithDate()](../../reference/apis-device-certificate-kit/js-apis-cert.md#checkvaliditywithdate) of **X509Cert**.
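
Because the chain validator skips the validity period, each certificate in the chain needs its own check against a time the application trusts. The following is an added example, not part of the original documentation and not a call into the certificate framework: it models that check over a constructed chain. `ValidityWindow`, `parseAsn1Time`, `findInvalidAt` and `sampleChain` are hypothetical names, and representing the bounds as ASN.1 time strings is an assumption.

```typescript
// Added example: a stand-alone model, not the certificate framework's API.
// Assumption: validity bounds are ASN.1 time strings as carried in X.509,
// UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ".
interface ValidityWindow {
  subject: string;
  notBefore: string;
  notAfter: string;
}

// Parse an ASN.1 time string into milliseconds since the Unix epoch (UTC).
function parseAsn1Time(s: string): number {
  const m = /^(\d{2}|\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/.exec(s);
  if (m === null) {
    throw new Error("unsupported time format: " + s);
  }
  let year = Number(m[1]);
  // RFC 5280 rule for UTCTime: YY 50-99 means 19YY, YY 00-49 means 20YY.
  if (m[1].length === 2) {
    year += year >= 50 ? 1900 : 2000;
  }
  const [mon, day, hh, mm, ss] = m.slice(2).map(Number);
  const t = Date.UTC(year, mon - 1, day, hh, mm, ss);
  // Date.UTC rolls over out-of-range fields (month 13, day 32); reject them.
  const d = new Date(t);
  if (d.getUTCMonth() !== mon - 1 || d.getUTCDate() !== day ||
      d.getUTCHours() !== hh || d.getUTCMinutes() !== mm) {
    throw new Error("field out of range: " + s);
  }
  return t;
}

// Return the subjects of chain entries that are not valid at trustedTime.
// trustedTime must come from a trusted source, never from the device clock.
function findInvalidAt(chain: ValidityWindow[], trustedTime: Date): string[] {
  const now = trustedTime.getTime();
  return chain
    .filter(c => now < parseAsn1Time(c.notBefore) || now > parseAsn1Time(c.notAfter))
    .map(c => c.subject);
}

// Constructed sample chain (leaf first); the values are illustrative only.
const sampleChain: ValidityWindow[] = [
  { subject: "CN=leaf", notBefore: "240101000000Z", notAfter: "250101000000Z" },
  { subject: "CN=intermediate", notBefore: "20200101000000Z", notAfter: "20300101000000Z" },
  { subject: "CN=root", notBefore: "150101000000Z", notAfter: "20450101000000Z" },
];
```

With the framework itself, the corresponding step is calling `checkValidityWithDate()` on the **X509Cert** objects of the chain, passing a date obtained from a source the application trusts.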

### Certificate Format

Currently, only certificates in DER and PEM formats are supported.

### X.509 Certificate Structure

![](figures/X509_certificate_structure.png)

Certificate example:

![](figures/certificate_example.png)

### X.509 CRL Structure

![](figures/CRL_structure.png)

CRL example:

![](figures/CRL_example.png)

## Constraints

The certificate framework depends on the basic algorithm capabilities of the Crypto Architecture Kit, which does not support multi-thread concurrent operations. For details, see [Constraints](../../security/CryptoArchitectureKit/crypto-architecture-kit-intro.md#constraints).

## Development

You can use the certificate framework to implement the following functionalities. Before you start, be sure to familiarize yourself with [Certificate Specifications](#certificate-specifications).

- [Certificate Development](create-parse-verify-cert-object.md)
- [Certificate Extension Development](create-parse-verify-certextension-object.md)
- [CRL Development](create-parse-verify-crl-object.md)
- [Certificate Chain Validator Development](create-verify-cerchainvalidator-object.md)
- [Certificate and CRL Collection Development](create-get-cert-crl-object.md)
- [Certificate Chain Development](create-verify-certchain-object.md)
- [Creating a TrustAnchor Object Array from a p12 File](create-trustanchor-from-p12.md)

The certificate framework provides the following classes.

| Name | Class | Description |
| -------- | -------- | -------- |
| X.509 certificate | [X509Cert](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509cert) | Provides APIs for parsing, serializing, and signing an X.509 certificate, verifying an X.509 certificate signature, and obtaining certificate information. |
| Certificate extension | [CertExtension](../../reference/apis-device-certificate-kit/js-apis-cert.md#certextension10) | Provides APIs for obtaining X.509 certificate extensions, such as CA and CRL distribution points. |
| X.509 CRL | [X509CRL](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509crl11) | Provides APIs for parsing and serializing an X.509 CRL, and obtaining X.509 CRL information. |
| Certificate chain validator | [CertChainValidator](../../reference/apis-device-certificate-kit/js-apis-cert.md#certchainvalidator) | Provides APIs for validating a certificate chain (excluding the certificate validity period) and obtaining the certificate chain algorithm. |
| Certificate and CRL collection | [CertCRLCollection](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcrlcollection11) | Provides APIs for obtaining information about the certificate and CRL collection. |
| X.509 certificate chain | [X509CertChain](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509certchain11) | Provides APIs for obtaining the certificate list and validating a certificate chain. |