|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object | +--iaik.x509.V3Extension
This class is the basic implementation for X.509v3 certificate and X.509v2 CRL extensions. Every class, which implements an extension must be derived from this class.
ITU-T X.509 defines a standard certificate format to be used along with the X.500 naming tree conventions. The first version has been published as X509v1 format in 1988, and has been extended in 1993 by version 2 about two fields for uniquely identifying certificate subject and issuer.
The X.509v3 certificate format - introduced by ISO/IEC and ANSI X9 - extends its
predecessor v2 format about the Extensions field for including some additional
information. Extension support for CRLs has been introduced by the X.509v2 CRL format
(see RFC 2459). An extension may be
a defined standard extension (e.g. certificatePolicies
,
keyUsage
, ...), or it may be a private extension providing some
community-specific information. If an extension is marked as critical, but
the certificate handling software cannot parse this extension, the appertaining
certifcate has to be rejected (respectively CRL validation must fail).
Non-Critical extensions can be ignored, if they cannot be handled
(i.e. of unknown state).
In ASN.1, the Extensions
field is defined as a SEQUENCE of Extension:
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
where critical
specifies whether an extension has to be treated
as being critical or not; the default value is FALSE. An extension can be identified by
its object identifier, given in the extnID
field. The value of the extension
is represented as ASN.1 encoded OCTET STRING data structure in the extnValue
field. Only one instance of a particular extension may be present in a particular
certiifcate.
The X509v3 certificate profile presented in RFC 2459
prescribes that confirming CAs must support the AuthorityKeyIdentifier
,
SubjectKeyIdentifer
, BasicConstraints
, KeyUsage
and CertificatePolicies
extensions. The SubjectAltName
extensions has to be supported if certificates with empty subject fields are issued.
Note, that this class per default sets the critical
value to
false
indicating a non-critical extension. When including a critical
extension into a certificate (or CRL) do not forget to set critical
to true
using the setCritical
method
before adding the particular extension to the certificate (or CRL):
<Extension_extending_V3Extension>.setCritical(true); cert.addExtension(<Extension_extending_V3Extension>);
X509Extensions
,
X509Certificate
Field Summary | |
protected boolean |
critical
Specifies, if the actual V3Extension is critical or not. |
Constructor Summary | |
V3Extension()
|
Method Summary | |
String |
getName()
Returns the name of the extension. |
abstract ObjectID |
getObjectID()
Returns the object ID of the extension. |
abstract int |
hashCode()
Returns the hash code of the extension. |
abstract void |
init(ASN1Object obj)
Inits the implementation with an ASN1Object. |
boolean |
isCritical()
Returns true , if this extension is critical. |
V3Extension |
setCritical(boolean critical)
Set the critical value of this extension. |
abstract ASN1Object |
toASN1Object()
Returns an ASN.1 representation of a particular extension. |
Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
protected boolean critical
true
, the extension is a critical
one; if the value of this field is false
(default), the
extension is non-critical.Constructor Detail |
public V3Extension()
Method Detail |
public abstract void init(ASN1Object obj) throws X509ExtensionException
X509Extensions
class when parsing the ASN.1 representation
of a certificate (or a CRL) for properly initializing any
included extension. This method initilaizes a specific
extension only with its value, but not with its critical
specification. For that reason, this method shall not be
explicitly called by an application.obj
- the extension value as ASN1ObjectX509ExtensionException
- if the extension could not parse the ASN1Objectpublic abstract ASN1Object toASN1Object() throws X509ExtensionException
The genearal ASN.1 definition of an X.509 extension looks like:
Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
where critical
specifies whether an extension has to be treated
as being critical or not; the default value is FALSE. An extension can be identified by
its object identifier, given in the extnID
field. The value of the extension
is represented as ASN.1 encoded OCTET STRING data structure in the extnValue
field.
Attention! The ASN1Object returned by this method does
not represent the extnValue (OCTET_STRING) from above;
rather it represents the specific extension´s ASN.1 representation itsself.
So, for example, when implementig the BasicConstraints
extension, the corresponding ASN.1 Sequence will be returned:
BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL }
X509ExtensionException
- if the extension could not be createdpublic abstract ObjectID getObjectID()
public abstract int hashCode()
hashCode
in class Object
public String getName()
public V3Extension setCritical(boolean critical)
caCert.addExtension(new KeyUsage(KeyUsage.keyCertSign).setCritical(true));
critical
- true
if the extension is critical,
false
if notpublic boolean isCritical()
true
, if this extension is critical.true
if the extension is critical, false
if not
|
This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, ,2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note). | ||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |