Object identifiers or OIDs are a mechanism for identifying 'things.' This is a pretty terrible definition, but the mechanism itself is by design vague in what it identifies, and so some context and examples will help clarify.
OIDs are numbers that are sequences to traverse a "tree" of concepts defined by the ITU and ISO/IEC. There are three roots: 0 is for ITU-T, 1 for ISO, and 2 is joint-isu-itu-t.
At each node in the tree, there's an assigning authority that defines what the numbers below mean. So, for example, the numbers under '1' are defined by ISO, but 1.3.6 is used by the Department of Defense (1.3.6 is ISO.identified-organization.DoD).
So this scheme often comes up communications systems that require a fair amount of standardization, as well as very open-ended systems like LDAP (lightweight directory access protocol) or SNMP (simple network management protocol).
OIDs show up a lot in X.509 certificates. These are the certs used in public-key infrastructure (PKI), i.e. the stuff powering HTTPS for example.
Each certificate carries a bunch of information within, and that information is tagged with the OID, which allows a consumer to understand the semantics of the values within.
The descriptions for many such protocols is done in Abstract Syntax Notation One (ASN.1), which is separate from the encoding, which could be DER for example (Distinguished Encoding Rules).
For some examples on how to use openssl to change certificate formats to/from DER, see How to convert a certificate into the appropriate format.
Note that for transmission, PEM is typically used, which basically adds some delimiters and base64-encodes things. See RFC 7486 for more details on this.
Other than ITU-T documentation (which requires membership), you can have your fill of certificate information from RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
For example, 2.5.29.9 is {joint-iso-itu-t(2) ds(5) certificateExtension(29) subjectDirectoryAttributes(9)}
, meaning it designates subject directory attributes, so things like subject nationality. Formally, the RFC describes as a sequence of attributes: SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
.
In Windows, you can access information from a certificate by using the CertCreateCertificateContext function from wincrypt.h
, followed by CertGetCertificateContextProperty. You'll see references to ASN.1 sequences in various property types.
The system itself is quite extensible, and with a table of OIDs you can query and modify via the OID Support Functions.
When I need to look something up by hand, I typically turn to oid-info.com. I have no relationship with them, I just like what the service they provide.
Happy object identifying!
Tags: crypto