This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.

X509_Certificate_Object 2.0
04/08/2013

The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML.

Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.

X509_Certificate

The X509_Certificate object represents a public key certificate for use in a public key infrastructure.

X509CertificateObjectType

The X509CertificateObjectType type is intended to characterize X.509 certificates.

Certificate represents the contents of an X.509 certificate, including items such as issuer, subject, and others.

Certificate_Signature contains the signature and signature algorithm of this X.509 certificate.

X509CertificateType

The X509CertificateType type represents the contents of an X.509 certificate, including items such as issuer, subject, and others.

Version describes the version of the encoded certificate.

Serial Number is a unique identifier for each X.509 certificate issued by a specific Certificate Authority.

Signature Algorithm is the algorithm used to sign the X.509 certificate.

Issuer is the Certificate Authority who issued the X.509 certificate.

Validity is the time interval during which the issuer warrants that it will maintain information about the status of the certificate.

Subject identifies the entity associated with the public key stored in the subject public key field of the X.509 certificate.

Subject Public Key is used to carry the public key and identify the algorithm with which the key is used.

The Standard_Extensions field captures standard X509 V3 extensions that may be specified in the certificate.

The Non_Standard_Extensions field captures non-standard X509 extensions that may be specified in the certificate.

X509CertificateSignatureType

The X509CertificateSignatureType contains the signature and signature algorithm of this X.509 certificate.

Signature Algorithm contains the algorithm identifier for the algorithm used by the Certificate Authority to compute the signature.

Signature contains a digital signature computed upon this X.509 certificate.

SubjectPublicKeyType

The SubjectPublicKeyType is used to carry the public key and identify the algorithm with which the key is used.

Public Key Algorithm is the algorithm with which to encrypt data being sent to the subject.

RSA Public Key is the public key contained in this X.509 certificate.

ValidityType

The ValidityType type is the time interval during which the issuer warrants that it will maintain information about the status of the certificate.

Not Before is the date on which the certificate validity period begins.

Not After is the date on which the certificate validity period ends.

RSAPublicKeyType

The RSAPublicKeyType captures details of RSA public keys.

Modulus is the modulus portion of a public key.

Exponent is the exponent portion of a public key.

X509V3ExtensionsType

The X509V3ExtensionsType captures the standard X509 V3 Extensions that may be used in X509 certificates. Based on RFC 3280, "Standard Extensions": http://www.ietf.org/rfc/rfc3280.txt

The Basic_Constraints field captures a multi-valued extension which indicates whether a certificate is a CA certificate. The first (mandatory) name is CA followed by TRUE or FALSE. If CA is TRUE then an optional pathlen name followed by a non-negative value can be included. Also equivalent to the object ID (OID) value of 2.5.29.19.

The Name_Constraints field captures a name space within which all subject names in subsequent certificates in a certification path MUST be located. Also equivalent to the object ID (OID) value of 2.5.29.30.

The Policy_Constraints field captures any constraints on path validation for certificates issued to CAs. Also equivalent to the object ID (OID) value of 2.5.29.36.

The Key_Usage field captures a multi-valued extension consisting of a list of names of the permitted key usages. Also equivalent to the object ID (OID) value of 2.5.29.15.

The Extended_Key_Usage field captures a list of usages indicating purposes for which the certificate public key can be used. Also equivalent to the object ID (OID) value of 2.5.29.37.

The Subject_Key_Identifier field captures the identifier that provides a means of identifying certificates that contain a particular public key. Also equivalent to the object ID (OID) value of 2.5.29.14.

The Authority_Key_Identifier field captures the identifier that provides a means of identifying the public key corresponding to the private key used to sign a certificate. Also equivalent to the object ID (OID) value of 2.5.29.35.

The Subject_Alternative_Name field captures the additional identities to be bound to the subject of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.17.

The Issuer_Alternative_Name field captures the additional identities to be bound to the issuer of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.18.

The Subject_Directory_Attributes field captures the identification attributes (e.g., nationality) of the subject. Also equivalent to the object ID (OID) value of 2.5.29.9.

The CRL_Distribution_Points field captures how CRL information is obtained. Also equivalent to the object ID (OID) value of 2.5.29.31.

The Inhibit_Any_Policy field captures the number of additional certificates that may appear in the path before anyPolicy is no longer permitted. Also equivalent to the object ID (OID) value of 2.5.29.54.

The Private_Key_Usage_Period field captures the validity period for the private key, if it is different from the validity period of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.16.

The Certificate_Policies field captures a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers. Also equivalent to the object ID (OID) value of 2.5.29.32.

The Policy_Mappings field captures one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates whether the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. Also equivalent to the object ID (OID) value of 2.5.29.33.

NonStandardX509ExtensionsType

The NonStandardX509ExtensionsType captures some non-standard or deprecated X509 extensions that may be useful. Based on the OpenSSL "Deprecated Extensions" documentation: https://www.openssl.org/docs/apps/x509v3_config.html#Deprecated_Extensions. Also based on the Alvestrand certificateExtension reference: http://www.alvestrand.no/objectid/2.5.29.html

The Netscape_Comment field captures a comment which may be displayed when the certificate is viewed in some browsers.

The Netscape_Certificate_Type field captures a list of flags which indicate the purposes for which a certificate could be used.

The Old_Authority_Key_Identifier field captures the old version of the authority key identifier, equivalent to the object ID (OID) value of 2.5.29.1.

The Old_Primary_Key_Attributes field captures the old version of the primary key attributes, equivalent to the object ID (OID) value of 2.5.29.2.
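The following is an added example and is not code from the CybOX project or this schema document. It shows how the types described above fit together in practice: a constructed set of certificate field values is serialized into an X509_Certificate object (Certificate with Version, serial number, signature algorithm, Issuer, Validity, Subject, Subject Public Key with an RSA modulus and exponent, and Standard_Extensions; then Certificate_Signature), the multi-valued Basic_Constraints value is checked against the format the notes describe (mandatory CA name, optional non-negative pathlen only when CA is TRUE), and the Validity interval is read back and compared against a timestamp. The namespace URI and the underscore-joined element names that the text gives only in prose (Serial_Number, Not_Before, Not_After, Signature_Algorithm, Public_Key_Algorithm, RSA_Public_Key, Certificate_Signature) are assumptions, as are all sample values.

```python
# Added example, not part of the CybOX schema or its documentation.  Builds a
# CybOX X509_Certificate object from constructed field values, validates the
# Basic_Constraints format described in the schema notes, and reads Validity
# back out.  The namespace URI and the underscore-joined element names that
# the notes give only in prose (Serial_Number, Not_Before, ...) are assumed.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = "http://cybox.mitre.org/objects#X509CertificateObject-2"  # assumed URI
ET.register_namespace("X509CertificateObj", NS)

# Standard extensions in the order the notes list them; output follows this order.
STANDARD_EXTENSIONS = (
    "Basic_Constraints", "Name_Constraints", "Policy_Constraints", "Key_Usage",
    "Extended_Key_Usage", "Subject_Key_Identifier", "Authority_Key_Identifier",
    "Subject_Alternative_Name", "Issuer_Alternative_Name", "Subject_Directory_Attributes",
    "CRL_Distribution_Points", "Inhibit_Any_Policy", "Private_Key_Usage_Period",
    "Certificate_Policies", "Policy_Mappings")

def parse_basic_constraints(text):
    """"CA:TRUE, pathlen:0" -> {"ca": True, "pathlen": 0}; ValueError if malformed."""
    # Mandatory first name CA with TRUE/FALSE; non-negative pathlen only if CA is TRUE.
    parts = [p.strip() for p in text.split(",") if p.strip()]
    if not parts or len(parts) > 2:
        raise ValueError("expected CA and optionally pathlen")
    m = re.fullmatch(r"CA\s*:\s*(TRUE|FALSE)", parts[0], re.IGNORECASE)
    if m is None:
        raise ValueError("first name must be CA:TRUE or CA:FALSE")
    ca, pathlen = m.group(1).upper() == "TRUE", None
    if len(parts) == 2:
        m = re.fullmatch(r"pathlen\s*:\s*(\d+)", parts[1], re.IGNORECASE)
        if m is None:
            raise ValueError("pathlen must be a non-negative integer")
        if not ca:
            raise ValueError("pathlen is only permitted when CA is TRUE")
        pathlen = int(m.group(1))
    return {"ca": ca, "pathlen": pathlen}

def is_valid_basic_constraints(text):
    """True when the value satisfies the Basic_Constraints format."""
    try:
        parse_basic_constraints(text)
        return True
    except ValueError:
        return False

def _sub(parent, name, text=None):
    """Append a namespaced child element, optionally with text content."""
    el = ET.SubElement(parent, "{%s}%s" % (NS, name))
    if text is not None:
        el.text = str(text)
    return el

def build_x509_object(cert):
    """Serialize a dict of certificate fields as an X509_Certificate element."""
    root = ET.Element("{%s}X509_Certificate" % NS)
    c = _sub(root, "Certificate")
    for name in ("Version", "Serial_Number", "Signature_Algorithm", "Issuer"):
        _sub(c, name, cert[name.lower()])
    v = _sub(c, "Validity")
    for name in ("Not_Before", "Not_After"):
        _sub(v, name, cert[name.lower()])
    _sub(c, "Subject", cert["subject"])
    spk = _sub(c, "Subject_Public_Key")
    _sub(spk, "Public_Key_Algorithm", cert["public_key_algorithm"])
    rsa = _sub(spk, "RSA_Public_Key")
    for name in ("Modulus", "Exponent"):
        _sub(rsa, name, cert[name.lower()])
    exts = cert.get("standard_extensions", {})
    if "Basic_Constraints" in exts:
        parse_basic_constraints(exts["Basic_Constraints"])  # reject bad input early
    ext = _sub(c, "Standard_Extensions")
    for name in STANDARD_EXTENSIONS:
        if name in exts:
            _sub(ext, name, exts[name])
    sig = _sub(root, "Certificate_Signature")
    _sub(sig, "Signature_Algorithm", cert["signature_algorithm"])
    _sub(sig, "Signature", cert["signature"])
    return ET.tostring(root, encoding="unicode")

def read_field(xml_text, path):
    """Text of the element at a '/'-separated path of local names, or None."""
    el = ET.fromstring(xml_text)
    for name in path.split("/"):
        el = el.find("{%s}%s" % (NS, name))
        if el is None:
            return None
    return el.text

def validity_status(xml_text, at_iso):
    """'valid', 'not yet valid' or 'expired' for an ISO 8601 timestamp with offset."""
    at = datetime.fromisoformat(at_iso)
    nb = datetime.fromisoformat(read_field(xml_text, "Certificate/Validity/Not_Before"))
    na = datetime.fromisoformat(read_field(xml_text, "Certificate/Validity/Not_After"))
    return "not yet valid" if at < nb else "expired" if at > na else "valid"

SAMPLE_CERT = {  # constructed values, not taken from any real certificate
    "version": 3, "serial_number": "0A1B2C3D",
    "signature_algorithm": "sha256WithRSAEncryption",
    "issuer": "CN=Example Root CA, O=Example Org, C=US",
    "not_before": "2013-04-08T00:00:00+00:00", "not_after": "2014-04-08T00:00:00+00:00",
    "subject": "CN=host.example.test, O=Example Org, C=US",
    "public_key_algorithm": "rsaEncryption", "modulus": "C41F9A07", "exponent": 65537,
    "standard_extensions": {"Subject_Alternative_Name": "DNS:host.example.test",
                            "Key_Usage": "digitalSignature, keyEncipherment",
                            "Basic_Constraints": "CA:FALSE"},
    "signature": "A1B2C3D4",
}
```

Calling `build_x509_object(SAMPLE_CERT)` returns the serialized object; `read_field(xml, "Certificate/Validity/Not_After")` and `validity_status(xml, "2013-10-01T00:00:00+00:00")` read it back. Standard extensions are emitted in the order the notes list them rather than the caller's dict order, and a Basic_Constraints value that pairs CA:FALSE with a pathlen is rejected before anything is emitted.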