|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object | +--iaik.x509.V3Extension | +--iaik.x509.extensions.KeyUsage
This class implements the KeyUsage
extension.
The KeyUsage
extension is a standard X509v3 extension, which
shall be marked as being critical when used.
Each extension is associated with a specific certificateExtension
object identifier, derived from:
certificateExtension OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} id-ce OBJECT IDENTIFIER ::= certificateExtension
The object identifier for the KeyUsage
extension
is defined as:
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
which corresponds to the OID string "2.5.29.15".
The X.509 Certificate and CRL profile presented in RFC 2459 specifies the key usage extension for defining the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate:
KeyUsage ::= BIT STRING { digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) }
The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when a RSA key should be used only for signing, the digitalSignature and nonRepudiation bits would be asserted. Likewise, when a RSA key should be used only for key management, the keyEncipherment bit would be asserted.
More information can be found in RFC 2459, section 4.2.1.3 "Key Usage".
For adding a KeyUsage
extension object to a X509Certificate, use the
addExtension
method of the iaik.x509.X509Certificate
class, e.g.:
X509Certificate cert = new X509Certificate(); ... KeyUsage keyUsage = new KeyUsage( KeyUsage.digitalSignature | KeyUsage.nonRepudiation| KeyUsage.keyEncipherment| KeyUsage.dataEncipherment| KeyUsage.keyCertSign | KeyUsage.cRLSign); keyUsage.setCritical(true); cert.addExtension(keyUsage);
Since the KeyUsage
extension is a critical extension, critical
has to be set to true
before adding the KeyUsage
extension
to a certificate:
keyUsage.setCritical(true);
X509Certificate
,
X509Extensions
,
V3Extension
Field Summary | |
static int |
cRLSign
The cRLSign keyUsage purpose indicating to use the subject public key for verifying a signature on CRLs. |
static int |
dataEncipherment
The dataEncipherment keyUsage purpose indicating to use the subject public key for enciphering user data, other than cryptographic keys. |
static int |
decipherOnly
The decipherOnly keyUsage purpose indicating that the subject public key may be used only for enciphering data while performing key agreement, if the keyAgreement bit also is set. |
static int |
digitalSignature
The digitalSignature keyUsage purpose indicating to use the subject public key for verifying digital signatures that have purposes other than non-repudiation, certificate signature, and CRL signature. |
static int |
encipherOnly
The encipherOnly keyUsage purpose indicating that the subject public key may be used only for enciphering data while performing key agreement, if the keyAgreement bit also is set. |
static int |
keyAgreement
The keyAgreement keyUsage purpose indicating to use the subject public key for key agreement. |
static int |
keyCertSign
The keyCertSign keyUsage purpose indicating to use the subject public key for verifying a signature on certificates. |
static int |
keyEncipherment
The keyEncipherment keyUsage purpose indicating to use the subject public key for key transport. |
static int |
nonRepudiation
The nonRepudiation keyUsage purpose indicating to use the subject public key for verifying digital signatures used to provide a non- repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing. |
static ObjectID |
oid
The object identifier of this KeyUsage extension.
|
Fields inherited from class iaik.x509.V3Extension |
critical |
Constructor Summary | |
KeyUsage()
Default constructor. |
|
KeyUsage(int keyUsage)
Constructs a KeyUsage extension with a defined key usage parameter.
|
Method Summary | |
int |
get()
Returns the key usage value as an integer. |
boolean[] |
getBooleanArray()
Return the key usage value as a boolean array. |
ObjectID |
getObjectID()
Returns the object ID of this KeyUsage extension |
int |
hashCode()
Returns a hashcode for this identity. |
void |
init(ASN1Object obj)
Inits this KeyUsage implementation with an ASN1Object
representing the value of this extension.
|
boolean |
isSet(int keyUsage)
Return whether the specified key usage values are set. |
void |
set(int keyUsage)
Sets the purpose of the key (e.g.: cRLSign | digitalSignature). |
ASN1Object |
toASN1Object()
Returns an ASN1Object representing the value of this KeyUsage
extension object.
|
String |
toString()
Returns a string that represents the contents of this KeyUsage extension. |
Methods inherited from class iaik.x509.V3Extension |
getName, isCritical, setCritical |
Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, notify, notifyAll, wait, wait, wait |
Field Detail |
public static final ObjectID oid
KeyUsage
extension.
The corresponding OID string is "2.5.29.15".public static final int digitalSignature
public static final int nonRepudiation
public static final int keyEncipherment
public static final int dataEncipherment
public static final int keyAgreement
public static final int keyCertSign
public static final int cRLSign
public static final int encipherOnly
public static final int decipherOnly
Constructor Detail |
public KeyUsage()
KeyUsage
object.
Per default the keyUsage
value is set to 0 indicating that it is not set.
Use set
for explicitly setting the key usage
value.
Do not forget to specify this extension as critical before adding it to a certificate, e.g.:
KeyUsage keyUsage = new KeyUsage(); keyUsage.set( KeyUsage.digitalSignature | KeyUsage.nonRepudiation| KeyUsage.keyEncipherment| KeyUsage.dataEncipherment| KeyUsage.keyCertSign | KeyUsage.cRLSign); keyUsage.setCritical(true); X509Certificate = new X509Certificate(); ... cert.addExtension(bc);
V3Extension.setCritical(boolean)
public KeyUsage(int keyUsage)
KeyUsage
extension with a defined key usage parameter.
Do not forget to specify this extension as critical before adding it to a certificate:
KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation| KeyUsage.keyEncipherment| KeyUsage.dataEncipherment| KeyUsage.keyCertSign | KeyUsage.cRLSign); keyUsage.setCritical(true); X509Certificate = new X509Certificate(); ... cert.addExtension(bc);
keyUsage
- the purpose of this keyMethod Detail |
public ObjectID getObjectID()
KeyUsage
extensiongetObjectID
in class V3Extension
public void set(int keyUsage)
For instance:
KeyUsage keyUsage = new KeyUsage(); keyUsage.set( KeyUsage.digitalSignature | KeyUsage.cRLSign);
keyUsage
- the key usage bit stringpublic void init(ASN1Object obj)
KeyUsage
implementation with an ASN1Object
representing the value of this extension.
The given ASN1Object indicates the key usage purpose.
The given ASN1Object is the one created by toASN1Object()
.
This method is used by the X509Extensions
class when parsing the ASN.1 representation
of a certificate for properly initializing an included
KeyUsage extension. This method initializes the
extension only with its value, but not with its critical
specification. For that reason, this method shall not be
explicitly called by an application.
init
in class V3Extension
obj
- the KeyUsage as ASN1Objectpublic ASN1Object toASN1Object()
KeyUsage
extension object.
The returned ASN1Object is an ASN.1 BIT_STRING indicating the key usage purpose:
KeyUsage ::= BIT STRING { digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) }
toASN1Object
in class V3Extension
KeyUsage
as ASN1Objectpublic int hashCode()
hashCode
in class V3Extension
public int get()
Note the "big endian" representation of the BIT STRING representing the
value of this KeyUsage
extension: the least significant
bit indicates the purpose with the lowest bit value, meaning that the integer
value 1 specifies the "digitalSignature" purpose, and the integer
value 256 (binary 100000000, hexadecimal 100) specifies the "decipherOnly" purpose.
set(int)
public boolean[] getBooleanArray()
It will always have nine elements, element 0 is digitalSignature, element 1 nonRepudiation, etc.
public boolean isSet(int keyUsage)
keyUsage.isSet(KeyUsage.keyCertSign)
returns true if the keyCertSign bit
is set.public String toString()
KeyUsage
extension.toString
in class Object
|
This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, ,2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note). | ||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |