Ticket Syntax – OPC Unified Architecture – Part 21: Device Onboarding

8 Ticket Syntax

8.1 Signed Ticket Encoding

All Tickets (see 8.2.3 and 8.2.4) are encoded as JSON documents. These JSON documents secured with digital signature applied to the general serialization described by RFC 7515. The structure of an RFC 7515 document is as follows.


     {
      "payload":"BASE64URL(UTF8(JSON encoded Ticket))",
      "signatures":[
       {"protected":"BASE64URL(UTF8(JSON encoded protected header))",
        "header": JSON encoded header,
        "signature":" BASE64URL(JWS Signature)"},
       ...
       {"protected":"BASE64URL(UTF8(JSON encoded protected header))",
        "header": JSON encoded header,
        "signature":" BASE64URL(JWS Signature)"}]
     }

Appendix A.6 in RFC 7515 provides an example of a document encoding using this structure.

The BASE64URL transform which allows binary data (e.g., UTF-8 encoded text) to be represented as ASCII.

The Ticket is encoded as a JSON object using the reversible JSON encoding defined in OPC 10000-6. This JSON object is converted to an UTF-8 byte array and then BASE64URL before being added to the document.

The protected header specifies the signing Certificate and other information needed to verify the Signature. The required fields are defined in Table 5.

The unprotected header is generally not used; however, it could be used for additional vendor specific information such as a RFC 3161 timestamp or other anti-forgery or validation metadata.

A Signature is computed on the following byte array:

	<protected header>.<payload>

Tickets may have additional signatures added by any actor in the supply chain. For example, a CompositeBuilder shall add Signatures to all Tickets for Devices incorporated into the Composite. The protected header shall have the CompositeInstanceUri.

The Certificate and algorithms used to create the payload Signature are the same as the Certificate and algorithms used to create the RFC 7515 Signature. The RFC 7515 header provides the information needed to calculate the size of payload Signature.

Table 5 – RFC 7515 Header Fields

Header Field	Type	Description
alg	String	The cryptographic algorithm used to sign the Ticket. The possible values are defined by RFC 7518. The default when using RSA public keys is “RS256”.
x5c	String []	The signing Certificate and all of its issuers. Each array element is base64 encoded (see RFC 4648) DER encoding. The first element is the signing Certificate.
cty	String	The type of Ticket contained in the payload. This is media type defined by RFC 2045 with the leading “application/” omitted. `The subtype is "opc-ticket+json".` The type parameter is the name from BrowseName of the Structure. For example, the value for a DeviceIdentityTicketType is: `opc-ticket+json;type=DeviceIdentityTicketType`
opc-uri	String	The CompositeInstanceUri if the Signature was created by a CompositeBuilder who has incorporated the Device into a Composite.

8.2 Ticket Types

8.2.1 EncodedTicket

The EncodedTicket is a simple DataType representing a JSON encoded Ticket.

Its representation in the AddressSpace is defined in Table 8.

Table 6 – EncodedTicket Definition

Attribute		Value
BrowseName		0:EncodedTicket
IsAbstract		False

References	NodeClass		BrowseName	DataType	TypeDefinition	Other
Subtype of the 0:String DataType defined in OPC 10000-5.

Conformance Units
Onboarding Ticket Reader

8.2.2 BaseTicketType

The BaseTicketType is an abstract base class for a Ticket.

The fields of this DataType are defined in Table 7.

Table 7 – BaseTicketType Structure

Name	Type	Description
BaseTicketType	0:Structure	Subtype of the Structure DataType defined in OPC 10000-5.
manufacturerName	0:String	The name of the Manufacturer for the Device.
modelName	0:String	The model name assigned by the Manufacturer. Not specified if no model name was assigned or known.
modelVersion	0:String	The model version assigned by the Manufacturer. Not specified if no model version was assigned or known.
hardwareRevision	0:String	The hardware revision assigned by the Manufacturer. Not specified if no hardware revision was assigned or known.
softwareRevision	0:String	The software revision assigned by the Manufacturer. May not be the same as the current version of software installed on the Device. Not specified if no software revision was assigned or known.
serialNumber	0:String	The serial number assigned by the Manufacturer. Not specified if no serial number was assigned or known.
manufactureDate	0:DateTime	When the Device was manufactured. DateTime.MinValue if the date is not known.
authorities	2:CertificateAuthorityType []	A list of CAs need to validate DeviceIdentity Certificates on the Device that were installed when the Ticket was created.

Its representation in the AddressSpace is defined in Table 8.

Table 8 – BaseTicketType Definition

Attribute		Value
BrowseName		2:BaseTicketType
IsAbstract		True

References	NodeClass		BrowseName	DataType	TypeDefinition	Other
Subtype of the Structure DataType defined in OPC 10000-5.

Conformance Units
Onboarding Ticket Reader

8.2.3 DeviceIdentityTicketType

The DeviceIdentityTicketType describes a single Device produced by a Manufacturer.

The fields of this DataType are defined in Table 9.

Table 9 – DeviceIdentityTicketType Structure

Name	Type	Description
DeviceIdentityTicketType	0:Structure	Subtype of the 2:BaseTicketType DataType defined in 8.2.1.
productInstanceUri	0:UriString	The ProductInstanceUri for the Device.

Its representation in the AddressSpace is defined in Table 10.

Table 10 – DeviceIdentityTicketType Definition

Attribute		Value
BrowseName		2:DeviceIdentityTicketType
IsAbstract		False

References	NodeClass		BrowseName	DataType	TypeDefinition	Other
Subtype of the BaseTicketType DataType defined in 8.2.1.

Conformance Units
Onboarding Ticket Reader

8.2.4 CompositeIdentityTicketType

The CompositeIdentityTicketType describes a single Composite produced by a CompositeBuilder.

The fields of this DataType are defined in Table 11.

Table 11 – CompositeIdentityTicketType Structure

Name	Type	Description
CompositeIdentityTicketType	0:Structure	Subtype of the 2:BaseTicketType DataType defined in 8.2.2.
compositeInstanceUri	0:UriString	The ProductInstanceUri assigned to the Composite. This value appears in LDevID Certificates assigned to Devices by the CompositeBuilder (see 5.3).
devices	0:UriString []	A list of ProductInstanceUris for the Devices in the Composite that are externally visible.
composites	0:UriString []	A list of CompositeInstanceUris for the sub-components in the Composite that are externally visible.

Its representation in the AddressSpace is defined in Table 12.

Table 12 – CompositeIdentityTicketType Definition

Attribute		Value
BrowseName		2:CompositeIdentityTicketType
IsAbstract		False

References	NodeClass		BrowseName	DataType	TypeDefinition	Other
Subtype of the BaseTicketType DataType defined in 8.2.2.

Conformance Units
Onboarding Ticket Reader

8.2.5 TicketListType

The TicketListType describes a list of Devices and Composites which are part of a shipment from one organization to another.

The fields of this DataType are defined in Table 13.

Table 13 – TicketListType Structure

Name	Type	Description
TicketListType	0:Structure	Subtype of the 0:Structure DataType defined in OPC 10000-5.
devices	0:EncodedTicket []	A list of signed DeviceIdentityTickets. The format is described in 8.1.
composites	0:EncodedTicket []	A list of signed CompositeIdentityTickets. The format is described in 8.1.

Name

Type

Description

TicketListType

0:Structure

Subtype of the 0:Structure DataType defined in OPC 10000-5.

devices

0:EncodedTicket []

A list of signed DeviceIdentityTickets.

The format is described in 8.1.

composites

0:EncodedTicket []

A list of signed CompositeIdentityTickets.

The format is described in 8.1.

Its representation in the AddressSpace is defined in Table 14.

Table 14 – TicketListType Definition

Attribute		Value
BrowseName		2:TicketListType
IsAbstract		False

References	NodeClass		BrowseName	DataType	TypeDefinition	Other
Subtype of the Structure DataType defined in OPC 10000-5.

Conformance Units
Onboarding Ticket Reader

8.2.6 CertificateAuthorityType

The CertificateAuthorityType describes a Certificate Authority (CA) used to issue Certificates to Devices, Composites or to organizations that create Tickets.

The fields of this DataType are defined in Table 15.

Table 15 – CertificateAuthorityType Structure

Name	Type	Description
CertificateAuthorityType	0:Structure	Subtype of the 0:Structure DataType defined in OPC 10000-5.
authorityCertificate	0:ByteString	The DER encoded Certificate used to issue Certificates.
issuerCertificates	0:ByteString []	The DER encoded form of the Issuer for the authorityCertificate. It should include the entire chain.

Name

Type

Description

CertificateAuthorityType

0:Structure

Subtype of the 0:Structure DataType defined in OPC 10000-5.

authorityCertificate

0:ByteString

The DER encoded Certificate used to issue Certificates.

issuerCertificates

0:ByteString []

The DER encoded form of the Issuer for the authorityCertificate.

It should include the entire chain.

Its representation in the AddressSpace is defined in Table 16.

Table 16 – CertificateAuthorityType Definition

Attribute		Value
BrowseName		2:CertificateAuthorityType
IsAbstract		False

References	NodeClass		BrowseName	DataType	TypeDefinition	Other
Subtype of the 0:Structure DataType defined in OPC 10000-5.

Conformance Units
Onboarding Ticket Reader