Validity Period & Revocation
X.509 certificates define a validity period, which should be shorter than the expected time for a brute-force attack, such as factoring, against the public-key algorithm to succeed; that expected time also drives the choice of key size for the key pair. AuthAgent X.509 enforces the validity period when the current time is available on the embedded device, whether set manually, read from real-time clock hardware, or obtained via an (S)NTP client. However, if an entity's private key is compromised before the certificate expires, or if the CA's key is compromised or the CA can no longer vouch for the certificate holder, the certificate must be revoked. X.509 certificates are revoked by the CA that issued them. AuthAgent X.509 supports RFC 3280 Certificate Revocation Lists (CRLs), which are time-stamped lists of certificates that have been revoked but have not yet expired; in AuthAgent X.509's implementation, a certificate is optionally checked against a CRL when it is verified. AuthAgent X.509 also supports the Online Certificate Status Protocol (OCSP, RFC 2560), which checks the revocation status of a certificate in closer to real time than a CRL, which is distributed in advance and consulted offline.
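As an added example (not TeamF1's code), the following Go program uses the standard crypto/x509 package to carry out the two checks just described: it verifies a device certificate's validity period against an explicitly supplied clock, then consults a CRL, refusing to rely on a CRL outside its own ThisUpdate/NextUpdate window. The CA, device certificate and CRL are constructed in the block itself; BuildPKI, CheckStatus and T0 are names chosen for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
var T0 = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed epoch so the constructed demo PKI is reproducible
// BuildPKI: demo CA, one-year device cert with the given serial, and a CRL valid T0+6..T0+7 months revoking serial 42.
func BuildPKI(serial int64) (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	parse := func(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: T0, NotAfter: T0.AddDate(10, 0, 0), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = parse(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))
	devTpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "device"},
		NotBefore: T0, NotAfter: T0.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf = parse(x509.CreateCertificate(rand.Reader, devTpl, ca, &devKey.PublicKey, caKey))
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: T0.AddDate(0, 6, 0), NextUpdate: T0.AddDate(0, 7, 0),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: T0.AddDate(0, 6, 0)}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey)
	crl, _ = x509.ParseRevocationList(crlDER)
	return ca, leaf, crl
}
// CheckStatus: chain and NotBefore/NotAfter at clock value now, then a CA-signed, current CRL that does not list leaf.
func CheckStatus(ca, leaf *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // expired, not yet valid or untrusted issuer; this check is only as good as the device's clock
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("crl not current at this clock value; refresh it first")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}
```

Passing the clock as a parameter makes the dependency the paragraph describes explicit: with no trustworthy time source, neither certificate expiry nor CRL freshness can be enforced.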
X.509 certificates, private keys, CRLs, and certificate requests can be distributed in various file formats. AuthAgent X.509 supports the following:
PEM-formatted (Base64) certificates
PKCS12 certificate and private-key pairs
PKCS7 signed certificates and CRLs
PKCS10 certificate requests
PKCS8 private keys
AuthAgent X.509 provides a library whose API is independent of the underlying X.509 implementation. Software that uses X.509 digital certificates for authentication can therefore be designed and implemented without depending on changes in that implementation. A default implementation that reads PEM-formatted certificates and works with ASN.1 objects is included. AuthAgent X.509 also includes I/O abstractions for storing, modifying, and retrieving trusted CA certificates and CRLs.
AuthAgent X.509 can be used as a stand-alone authentication mechanism for embedded applications in situations where device identity or access control has to be established. Additionally, AuthAgent X.509 is natively integrated with TeamF1's network security protocol implementations providing authentication for SSLimSecure (SSL), SSHield (SSH), V-IPSecure (IPsec), and X-Calibur (802.1X). It can also be used for the initial identification phase of Kerberos authentication in PKINIT mode, and can be integrated with various third-party protocol implementations.
Available in full-source format
Certificate validation procedure can be customized
API abstractions that allow any custom X.509 implementation to be used
Unwanted components can be scaled out