All Tickets (see 8.2.3 and 8.2.4) are encoded as JSON documents. These JSON documents are secured with a digital signature using the General JWS JSON Serialization described by RFC 7515. The structure of an RFC 7515 document is as follows.
{
  "payload": "BASE64URL(UTF8(JSON encoded Ticket))",
  "signatures": [
    {"protected": "BASE64URL(UTF8(JSON encoded protected header))",
     "header": JSON encoded header,
     "signature": "BASE64URL(JWS Signature)"},
    ...
    {"protected": "BASE64URL(UTF8(JSON encoded protected header))",
     "header": JSON encoded header,
     "signature": "BASE64URL(JWS Signature)"}
  ]
}
Appendix A.6 in RFC 7515 provides an example of a document encoding using this structure.
The BASE64URL transform allows binary data (e.g., UTF8 encoded text) to be represented as ASCII. As in RFC 7515, it is the URL-safe base64 alphabet of RFC 4648 with the trailing “=” padding removed.
The Ticket is encoded as a JSON object using the reversible JSON encoding defined in OPC 10000-6. This JSON object is converted to a UTF8 byte array and then BASE64URL encoded before being added to the document as the payload.
The protected header specifies the signing Certificate and other information needed to verify the Signature. The required fields are defined in Table 5.
The unprotected header is generally not used; however, it could be used for additional vendor-specific information such as an RFC 3161 timestamp or other anti-forgery or validation metadata. Because the unprotected header is not covered by the Signature, a Ticket reader cannot rely on its contents for any trust decision.
A Signature is computed on the following byte array, the JWS Signing Input of RFC 7515:
<protected header>.<payload>
where <protected header> and <payload> are the BASE64URL encoded strings exactly as they appear in the document, joined by a single “.” character and interpreted as ASCII. Since the Signature covers the encoded form of the protected header, a verifier recomputes the input from the strings in the document rather than re-serializing a parsed header.
Tickets may have additional signatures added by any actor in the supply chain. Every signature covers the same payload; adding a signature changes neither the payload nor the signatures already present. For example, a CompositeBuilder shall add Signatures to all Tickets for Devices incorporated into the Composite. The protected header of such a Signature shall contain the CompositeInstanceUri (the opc-uri field in Table 5).
The Certificate and algorithms used to create the payload Signature are the same as the Certificate and algorithms used to create the RFC 7515 Signature. The RFC 7515 header provides the information needed to calculate the size of the payload Signature.
Table 5 – RFC 7515 Header Fields
Header Field | Type | Description
alg | String | The cryptographic algorithm used to sign the Ticket. The possible values are defined by RFC 7518. The default when using RSA public keys is “RS256”. Note that RFC 7518 also registers the value “none” (no signature); a Ticket reader rejects it, since an unsigned Ticket cannot be validated.
x5c | String [] | The signing Certificate and all of its issuers. Each array element is the base64 encoded (see RFC 4648; not base64url) DER encoding of a Certificate. The first element is the signing Certificate.
cty | String | The type of Ticket contained in the payload. This is a media type as defined by RFC 2045 with the leading “application/” omitted. The subtype is "opc-ticket+json". The type parameter is the name part of the BrowseName of the Ticket Structure. For example, the value for a DeviceIdentityTicketType is: opc-ticket+json;type=DeviceIdentityTicketType
opc-uri | String | The CompositeInstanceUri if the Signature was created by a CompositeBuilder who has incorporated the Device into a Composite; omitted otherwise.
The EncodedTicket is a simple DataType representing a JSON encoded Ticket signed as described in 8.1.
Its representation in the AddressSpace is defined in Table 6.
Table 6 – EncodedTicket Definition
Attribute | Value
BrowseName | 0:EncodedTicket
IsAbstract | False
References | NodeClass | BrowseName | DataType | TypeDefinition | Other
Subtype of the 0:String DataType defined in OPC 10000-5.
Conformance Units
Onboarding Ticket Reader
The BaseTicketType is an abstract base class for a Ticket.
The fields of this DataType are defined in Table 7.
Table 7 – BaseTicketType Structure
Name | Type | Description
BaseTicketType | 0:Structure | Subtype of the Structure DataType defined in OPC 10000-5.
manufacturerName | 0:String | The name of the Manufacturer for the Device.
modelName | 0:String | The model name assigned by the Manufacturer.
modelVersion | 0:String | The model version assigned by the Manufacturer.
hardwareRevision | 0:String | The hardware revision assigned by the Manufacturer. Not specified if no hardware revision was assigned or known.
softwareRevision | 0:String | The software revision assigned by the Manufacturer. This may differ from the version of software currently installed on the Device. Not specified if no software revision was assigned or known.
serialNumber | 0:String | The serial number assigned by the Manufacturer.
manufactureDate | 0:DateTime | When the Device was manufactured. DateTime.MinValue if the date is not known.
authorities | 2:CertificateAuthorityType [] | A list of the CAs needed to validate the DeviceIdentity Certificates that were installed on the Device when the Ticket was created.
Its representation in the AddressSpace is defined in Table 8.
Table 8 – BaseTicketType Definition
Attribute | Value
BrowseName | 2:BaseTicketType
IsAbstract | True
References | NodeClass | BrowseName | DataType | TypeDefinition | Other
Subtype of the Structure DataType defined in OPC 10000-5.
Conformance Units
Onboarding Ticket Reader
The DeviceIdentityTicketType describes a single Device produced by a Manufacturer.
The fields of this DataType are defined in Table 9.
Table 9 – DeviceIdentityTicketType Structure
Name | Type | Description
DeviceIdentityTicketType | 0:Structure | Subtype of the 2:BaseTicketType DataType defined in 8.2.2.
productInstanceUri | 0:UriString | The ProductInstanceUri for the Device.
Its representation in the AddressSpace is defined in Table 10.
Table 10 – DeviceIdentityTicketType Definition
Attribute | Value
BrowseName | 2:DeviceIdentityTicketType
IsAbstract | False
References | NodeClass | BrowseName | DataType | TypeDefinition | Other
Subtype of the BaseTicketType DataType defined in 8.2.2.
Conformance Units
Onboarding Ticket Reader
The CompositeIdentityTicketType describes a single Composite produced by a CompositeBuilder.
The fields of this DataType are defined in Table 11.
Table 11 – CompositeIdentityTicketType Structure
Name | Type | Description
CompositeIdentityTicketType | 0:Structure | Subtype of the 2:BaseTicketType DataType defined in 8.2.2.
compositeInstanceUri | 0:UriString | The ProductInstanceUri assigned to the Composite. This value appears in LDevID Certificates assigned to Devices by the CompositeBuilder (see 5.3).
devices | 0:UriString [] | A list of ProductInstanceUris for the Devices in the Composite that are externally visible.
composites | 0:UriString [] | A list of CompositeInstanceUris for the sub-components in the Composite that are externally visible.
Its representation in the AddressSpace is defined in Table 12.
Table 12 – CompositeIdentityTicketType Definition
Attribute | Value
BrowseName | 2:CompositeIdentityTicketType
IsAbstract | False
References | NodeClass | BrowseName | DataType | TypeDefinition | Other
Subtype of the BaseTicketType DataType defined in 8.2.2.
Conformance Units
Onboarding Ticket Reader
The TicketListType describes a list of Devices and Composites which are part of a shipment from one organization to another.
The fields of this DataType are defined in Table 13.
Table 13 – TicketListType Structure
Name | Type | Description
TicketListType | 0:Structure | Subtype of the 0:Structure DataType defined in OPC 10000-5.
devices | 0:EncodedTicket [] | A list of signed DeviceIdentityTickets. The format is described in 8.1.
composites | 0:EncodedTicket [] | A list of signed CompositeIdentityTickets. The format is described in 8.1.
Its representation in the AddressSpace is defined in Table 14.
Table 14 – TicketListType Definition
Attribute | Value
BrowseName | 2:TicketListType
IsAbstract | False
References | NodeClass | BrowseName | DataType | TypeDefinition | Other
Subtype of the Structure DataType defined in OPC 10000-5.
Conformance Units
Onboarding Ticket Reader
The CertificateAuthorityType describes a Certificate Authority (CA) used to issue Certificates to Devices, Composites or to organizations that create Tickets.
The fields of this DataType are defined in Table 15.
Table 15 – CertificateAuthorityType Structure
Name | Type | Description
CertificateAuthorityType | 0:Structure | Subtype of the 0:Structure DataType defined in OPC 10000-5.
authorityCertificate | 0:ByteString | The DER encoded Certificate of the CA used to issue Certificates.
issuerCertificates | 0:ByteString [] | The DER encoded Certificates of the issuers of the authorityCertificate. It should include the entire chain up to the root.
Its representation in the AddressSpace is defined in Table 16.
Table 16 – CertificateAuthorityType Definition
Attribute | Value
BrowseName | 2:CertificateAuthorityType
IsAbstract | False
References | NodeClass | BrowseName | DataType | TypeDefinition | Other
Subtype of the 0:Structure DataType defined in OPC 10000-5.
Conformance Units
Onboarding Ticket Reader