Appendix A. MATF Metadata 的 JSON Schema (JSON Schema for MATF Metadata)
中文导读: 本节对应 RFC 9932 的 Appendix A. MATF Metadata 的 JSON Schema (JSON Schema for MATF Metadata) 部分, 对应文档标题为 RFC 9932 - Mutually Authenticating TLS in the Context of Federations. 下方若包含英文 RFC 原文, 注册表名称, 字段名, 算法名, 对象标识符, 媒体类型, 邮箱地址, URL, 代码, ABNF, ASN.1, YANG, JSON, XML, 测试向量或参考文献条目, 均按规范原样保留, 因为这些内容需要与 RFC 文本, IANA 注册表, 实现代码或验证工具逐字一致. 中文段落用于说明本节的作用, 阅读重点和实现含义, 不改变任何协议语义或注册值.
本页包含机器可读或接近机器可读的规范材料. 对 ASN.1, YANG, JSON Schema, XML Schema, 伪代码, 注册模板, 常量表和算法标识符, 翻译时必须保留关键字, 类型名, OID, namespace, 枚举值, 字段名和语法结构. 实现者应把这些块视为生成代码, 配置模型, 验证输入或一致性测试的依据.
补充实现说明: 本页英文比例高, 是因为主要内容属于可复制的规范材料或实现材料. 在这类页面中, 语法关键字, 缩进, 字符串字面量, 枚举值, 路径, OID, namespace, JSON member, YANG leaf, ASN.1 type 和错误文本都可能被测试工具, 代码生成器或互操作实现直接消费. 因此, 译文只在代码块外说明结构和用途, 不在代码块内替换术语. 实现者应结合正文的语义说明检查默认值, 约束, 必选字段, 扩展点和安全影响, 并用原样保留的块进行验证.
以下 JSON Schema 定义 MATF metadata 的结构. 它符合 JSON Schema 标准的 draft 2020-12.
Version: 1.0.0
以下代码块按 [RFC8792] 使用 '\' 进行长行折行.
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://mtlsfed.se/schema/matf-metadata-schema.json",
"title": "JSON Schema for Mutually Authenticating TLS in the con\
\text of Federations",
"description": "Version: 1.0.0",
"type": "object",
"additionalProperties": true,
"required": [
"iat",
"exp",
"iss",
"version",
"entities"
],
"properties": {
"iat": {
"title": "Issued at",
"description": "Time at which the metadata was issued (U\
\NIX timestamp)",
"type": "integer",
"minimum": 0,
"examples": [
1755514949
]
},
"exp": {
"title": "Expiration time",
"description": "Time at which the metadata expires (UNIX\
\ timestamp)",
"type": "integer",
"minimum": 0,
"examples": [
1756119888
]
},
"iss": {
"title": "The federation issuing the metadata",
"description": "A URI that uniquely identifies the feder\
\ation that issued the metadata",
"type": "string",
"format": "uri",
"minLength": 1,
"examples": [
"https://example.com/federation"
]
},
"version": {
"title": "Metadata schema version",
"description": "Schema version follows semantic versioni\
\ng (https://semver.org)",
"type": "string",
"pattern": "^\\d+\\.\\d+\\.\\d+$",
"examples": [
"1.0.0"
]
},
"cache_ttl": {
"title": "Metadata cache TTL",
"description": "How long in seconds to cache metadata. T\
\he effective maximum is bounded by the exp claim.",
"type": "integer",
"minimum": 0,
"examples": [
3600
]
},
"entities": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/entity"
}
}
},
"$defs": {
"entity": {
"type": "object",
"additionalProperties": true,
"required": [
"entity_id",
"issuers"
],
"properties": {
"entity_id": {
"title": "Entity identifier",
"description": "Globally unique identifier for t\
\he entity.",
"type": "string",
"format": "uri",
"examples": [
"https://example.com"
]
},
"organization": {
"title": "Name of entity organization",
"description": "Name identifying the organizatio\
\n that the entity's metadata represents.",
"type": "string",
"examples": [
"Example Org"
]
},
"issuers": {
"title": "Entity certificate issuers",
"description": "A list of certificate issuers th\
\at are allowed to issue certificates for the entity's endpoints. Fo\
\r each issuer, the issuer's root CA certificate is included in the \
\x509certificate property (PEM-encoded).",
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/cert_issuers"
}
},
"servers": {
"type": "array",
"items": {
"$ref": "#/$defs/endpoint"
}
},
"clients": {
"type": "array",
"items": {
"$ref": "#/$defs/endpoint"
}
}
}
},
"endpoint": {
"type": "object",
"additionalProperties": true,
"required": [
"pins"
],
"properties": {
"description": {
"title": "Endpoint description",
"type": "string",
"examples": [
"SCIM Server 1"
]
},
"tags": {
"title": "Endpoint tags",
"description": "A list of strings that describe \
\the endpoint's capabilities.",
"type": "array",
"items": {
"type": "string",
"pattern": "^[a-z0-9]{1,64}$",
"examples": [
"xyzzy"
]
}
},
"base_uri": {
"title": "Endpoint base URI",
"type": "string",
"format": "uri",
"examples": [
"https://scim.example.com"
]
},
"pins": {
"title": "Certificate pin set",
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/pin_directive"
}
}
}
},
"cert_issuers": {
"title": "Certificate issuers",
"type": "object",
"additionalProperties": false,
"required": [
"x509certificate"
],
"properties": {
"x509certificate": {
"title": "X.509 Certificate (PEM)",
"type": "string",
"pattern": "^-----BEGIN CERTIFICATE-----(?:\\r?\\
\\n)(?:[A-Za-z0-9+/=]{64}\\r?\\n)*(?:[A-Za-z0-9+/=]{1,64}\\r?\\n)---\
\--END CERTIFICATE-----(?:\\r?\\n)?$"
}
}
},
"pin_directive": {
"title": "RFC 7469 pin directive",
"type": "object",
"additionalProperties": false,
"required": [
"alg",
"digest"
],
"properties": {
"alg": {
"title": "Directive name",
"type": "string",
"enum": [
"sha256"
],
"examples": [
"sha256"
]
},
"digest": {
"title": "Directive value (Base64)",
"type": "string",
"pattern": "^[A-Za-z0-9+/]{43}=$",
"examples": [
"HiMkrb4phPSP+OvGqmZd6sGvy7AUn4k3XEe8OMBrzt8\
\="
]
}
}
}
}
}