SignerIdentifier
This structure allows the recipient of data to determine which
keying material to use to authenticate the data. It also indicates the
verification type to be used to generate the hash for verification, as
specified in 5.3.1.
- If the choice indicated is digest:
  - The structure contains the HashedId8 of the relevant certificate. The
    HashedId8 is calculated with the whole-certificate hash algorithm,
    determined as described in 6.4.3.
  - The verification type is certificate and the certificate data
    passed to the hash function as specified in 5.3.1 is the authorization
    certificate.
- If the choice indicated is certificate:
  - The structure contains one or more Certificate structures, in order
    such that the first certificate is the authorization certificate and each
    subsequent certificate is the issuer of the one before it.
  - The verification type is certificate and the certificate data
    passed to the hash function as specified in 5.3.1 is the authorization
    certificate.
- If the choice indicated is self:
  - The structure does not contain any data beyond the indication that
    the choice value is self.
  - The verification type is self-signed.
Critical information fields:
- If present, this is a critical information field as defined in 5.2.6.
An implementation that does not recognize the CHOICE value for this type
when verifying a signed SPDU shall indicate that the signed SPDU is invalid.
- If present, certificate is a critical information field as defined in
5.2.6. An implementation that does not support the number of certificates
in certificate when verifying a signed SPDU shall indicate that the signed
SPDU is invalid. A compliant implementation shall support certificate
fields containing at least one certificate.
SignerIdentifier ::= CHOICE {
  digest       HashedId8,
  certificate  SequenceOfCertificate,
  self         NULL,
  ...
}
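
The handling rules above applied to an already decoded SignerIdentifier, as an added Python example that is not part of the standard's text. It assumes a decoder that yields the value as a `(choice, value)` pair, a local store of encoded certificates, and SHA-256 as the whole-certificate hash (the actual algorithm is determined per 6.4.3); `resolve_signer`, `build_store`, `InvalidSpdu`, `UnknownCertificate` and `max_certs` are hypothetical names, and the certificate bytes are constructed placeholders.

```python
import hashlib

class InvalidSpdu(Exception):
    """The signed SPDU must be reported as invalid."""

class UnknownCertificate(Exception):
    """Digest matches no stored certificate (handling is outside this section)."""

def hashed_id8(cert_bytes, hash_name="sha256"):
    # HashedId8 is the low-order 8 bytes of the whole-certificate hash.
    # Assumption: SHA-256; the real algorithm is chosen per 6.4.3.
    return hashlib.new(hash_name, cert_bytes).digest()[-8:]

def build_store(certs):
    # Index locally known encoded certificates by their HashedId8.
    return {hashed_id8(c): c for c in certs}

def resolve_signer(signer, store, max_certs=1):
    """Return (verification_type, authorization_certificate or None).

    signer is a (choice, value) pair from a decoder (assumed shape).
    max_certs is the chain length this verifier supports; 1 is the
    minimum a compliant implementation has to accept.
    """
    choice, value = signer
    if choice == "digest":
        if not isinstance(value, bytes) or len(value) != 8:
            raise InvalidSpdu("digest is not a HashedId8")
        if value not in store:
            raise UnknownCertificate(value.hex())
        return ("certificate", store[value])
    if choice == "certificate":
        # Critical information field: reject counts we do not support.
        if not 1 <= len(value) <= max_certs:
            raise InvalidSpdu(f"unsupported certificate count {len(value)}")
        # The first entry is the authorization certificate; later entries
        # are issuers, each of the one before it.
        return ("certificate", value[0])
    if choice == "self":
        return ("self-signed", None)  # NULL: nothing beyond the choice itself
    # Critical information field: unrecognized CHOICE value.
    raise InvalidSpdu(f"unrecognized SignerIdentifier choice {choice!r}")

if __name__ == "__main__":
    certs = [b"constructed-cert-A", b"constructed-cert-B"]  # not real certificates
    store = build_store(certs)
    print(resolve_signer(("digest", hashed_id8(certs[0])), store))
    print(resolve_signer(("self", None), store))
```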