Nebula DEFINITIONS AUTOMATIC TAGS ::= BEGIN

Name ::= UTF8String (SIZE (1..253))
Time ::= INTEGER (0..18446744073709551615) -- Seconds since unix epoch, uint64 maximum
Network ::= OCTET STRING (SIZE (5,17)) -- IP addresses are 4 or 16 bytes + 1 byte for the prefix length
Curve ::= ENUMERATED {
    curve25519 (0),
    p256 (1)
}

-- The maximum size of a certificate must not exceed 65536 bytes
Certificate ::= SEQUENCE {
    details OCTET STRING,
    curve Curve DEFAULT curve25519,
    publicKey OCTET STRING,
    -- signature(details + curve + publicKey) using the appropriate method for curve
    signature OCTET STRING
}

Details ::= SEQUENCE {
    name Name,

    -- At least 1 ipv4 or ipv6 address must be present if isCA is false
    networks SEQUENCE OF Network OPTIONAL,
    unsafeNetworks SEQUENCE OF Network OPTIONAL,
    groups SEQUENCE OF Name OPTIONAL,
    isCA BOOLEAN DEFAULT false,
    notBefore Time,
    notAfter Time,

    -- issuer is only required if isCA is false, if isCA is true then it must not be present
    issuer OCTET STRING OPTIONAL,
    ...
    -- New fields can be added below here
}

END