# Certificate Framework Overview

<!--Kit: Device Certificate Kit-->
<!--Subsystem: Security-->
<!--Owner: @zxz--3-->
<!--Designer: @lanming-->
<!--Tester: @PAFT-->
<!--Adviser: @zengyawen-->

The certificate framework hides the differences between third-party certificate algorithm libraries. It can parse and validate certificates, certificate extensions, and certificate revocation lists (CRLs), and validate certificate chains.

You can use the APIs provided by the certificate framework to easily complete your development.

> **NOTE**
> The certificate framework processes certificate and CRL data, but does not generate or issue certificates or CRLs. Certificates and CRLs are issued by a certificate authority (CA) rather than a single application.

## Basic Concepts

The certificate framework provides APIs for parsing, serializing, and signing an X.509 certificate, verifying the signature of an X.509 certificate, and operating X.509 CRLs and the certificate chain validator.

Before you get started, it helps to be familiar with basic certificate concepts, including but not limited to the following:

- Digital certificate
- X.509 (also referred to as "X509" in this document)
- Certificate chain
- To Be Signed (TBS)
- CRL

## Certificate Specifications

The following describes certificate specifications.

### Certificate Chain Validation

The certificate chain validator does not verify the certificate validity period because the device system time is always untrusted. To check the validity of a certificate, use [checkValidityWithDate()](../../reference/apis-device-certificate-kit/js-apis-cert.md#checkvaliditywithdate) of **X509Cert**.

### Certificate Format

Currently, only certificates in DER and PEM formats are supported.

### X.509 Certificate Structure

Certificate example:

### X.509 CRL Structure

CRL example:

## Constraints

The certificate framework depends on the basic algorithm capabilities of the Crypto Architecture Kit, which does not support multi-thread concurrent operations. For details, see [Constraints](../CryptoArchitectureKit/crypto-architecture-kit-intro.md#constraints).

## Development

You can use the certificate framework to implement the following functionalities. Before you start, be sure to familiarize yourself with [Certificate Specifications](#certificate-specifications).

- [Certificate Development](create-parse-verify-cert-object.md)
- [Certificate Extension Development](create-parse-verify-certextension-object.md)
- [CRL Development](create-parse-verify-crl-object.md)
- [Certificate Chain Validator Development](create-verify-cerchainvalidator-object.md)
- [Certificate and CRL Collection Development](create-get-cert-crl-object.md)
- [Certificate Chain Development](create-verify-certchain-object.md)
- [Creating a TrustAnchor Object Array from a p12 File](create-trustanchor-from-p12.md)

The following table lists the classes provided by the certificate framework. Based on the classes, you can learn the related APIs.

| Name | Class | Description |
| -------- | -------- | -------- |
| X.509 certificate | [X509Cert](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509cert) | Parses and serializes X.509 certificates, verifies X.509 certificate signatures, and queries certificate information. |
| Certificate extension | [CertExtension](../../reference/apis-device-certificate-kit/js-apis-cert.md#certextension10) | Obtains the extended fields in the X.509 certificate, such as whether the CA is used and the CRL distribution point. |
| X.509 CRL | [X509CRL](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509crl11) | Provides features such as X.509 certificate revocation list parsing, serialization, and information query. |
| Certificate chain validator | [CertChainValidator](../../reference/apis-device-certificate-kit/js-apis-cert.md#certchainvalidator) | Verifies the certificate chain (excluding the certificate validity period) and queries the certificate chain algorithm name. |
| Certificate and CRL collection | [CertCRLCollection](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcrlcollection11) | Queries certificates and certificate revocation lists (CRLs). |
| X.509 certificate chain | [X509CertChain](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509certchain11) | Verifies the certificate chain and obtains the certificate list. |
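
Because the certificate chain validator excludes the validity period, each certificate in a chain has to be checked separately with `checkValidityWithDate()` against a time the application trusts. The following is an added example, not part of the original documentation or the kit's own code: `ValidityCheckable`, `FakeCert`, `toAsn1Time`, `findInvalidAt` and the sample dates are constructed for illustration, and the `YYYYMMDDHHMMSSZ` date string and throw-on-failure behaviour are assumptions to confirm against the `checkValidityWithDate()` reference.

```typescript
// The one X509Cert method this check relies on. On a device, the objects are
// X509Cert instances from the kit. Assumption: the method throws when the date
// falls outside the certificate's validity period.
interface ValidityCheckable {
  checkValidityWithDate(date: string): void;
}

// Format a trusted instant as an ASN.1 time string (YYYYMMDDHHMMSSZ), always in UTC.
function toAsn1Time(t: Date): string {
  const p = (n: number, w: number): string => String(n).padStart(w, "0");
  return p(t.getUTCFullYear(), 4) + p(t.getUTCMonth() + 1, 2) + p(t.getUTCDate(), 2) +
    p(t.getUTCHours(), 2) + p(t.getUTCMinutes(), 2) + p(t.getUTCSeconds(), 2) + "Z";
}

// Check every certificate of an already signature-validated chain against a
// trusted time (not the device clock). Returns the indexes that failed.
function findInvalidAt(chain: ValidityCheckable[], trusted: Date): number[] {
  const when = toAsn1Time(trusted);
  const failed: number[] = [];
  chain.forEach((certificate, index) => {
    try {
      certificate.checkValidityWithDate(when);
    } catch (err) {
      failed.push(index); // not yet valid, or expired, at the trusted time
    }
  });
  return failed;
}

// Constructed stand-in so the example runs off-device.
class FakeCert implements ValidityCheckable {
  notBefore: string;
  notAfter: string;
  constructor(notBefore: string, notAfter: string) {
    this.notBefore = notBefore;
    this.notAfter = notAfter;
  }
  checkValidityWithDate(date: string): void {
    // Fixed-width UTC time strings order correctly as plain strings.
    if (date < this.notBefore) throw new Error("certificate not yet valid");
    if (date > this.notAfter) throw new Error("certificate expired");
  }
}

// Constructed sample chain: leaf, intermediate, root.
const sampleChain: ValidityCheckable[] = [
  new FakeCert("20240101000000Z", "20250101000000Z"),
  new FakeCert("20200101000000Z", "20300101000000Z"),
  new FakeCert("20100101000000Z", "20400101000000Z"),
];
```

Treat a non-empty result as a validation failure for the whole chain, and obtain the trusted time from a source the application controls rather than from the device clock.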