iaik.x509.extensions
Class KeyUsage

java.lang.Object
  |
  +--iaik.x509.V3Extension
        |
        +--iaik.x509.extensions.KeyUsage

public class KeyUsage
extends V3Extension

This class implements the KeyUsage extension.

The KeyUsage extension is a standard X509v3 extension, which shall be marked as being critical when used.

Each extension is associated with a specific certificateExtension object identifier, derived from:

 certificateExtension  OBJECT IDENTIFIER ::=
                            {joint-iso-ccitt(2) ds(5) 29}
 id-ce                 OBJECT IDENTIFIER ::=  certificateExtension
 

The object identifier for the KeyUsage extension is defined as:

id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }

which corresponds to the OID string "2.5.29.15".

The X.509 Certificate and CRL profile presented in RFC 2459 specifies the key usage extension for defining the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate:

 KeyUsage ::= BIT STRING {
    digitalSignature        (0),
    nonRepudiation          (1),
    keyEncipherment         (2),
    dataEncipherment        (3),
    keyAgreement            (4),
    keyCertSign             (5),
    cRLSign                 (6),
    encipherOnly            (7),
    decipherOnly            (8) }
 

The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when a RSA key should be used only for signing, the digitalSignature and nonRepudiation bits would be asserted. Likewise, when a RSA key should be used only for key management, the keyEncipherment bit would be asserted.

More information can be found in RFC 2459, section 4.2.1.3 "Key Usage".

For adding a KeyUsage extension object to an X509Certificate, use the addExtension method of the iaik.x509.X509Certificate class, e.g.:

 X509Certificate cert = new X509Certificate();
  ...
 KeyUsage keyUsage = new KeyUsage( KeyUsage.digitalSignature |
                                   KeyUsage.nonRepudiation|
                                   KeyUsage.keyEncipherment|
                                   KeyUsage.dataEncipherment|
                                   KeyUsage.keyCertSign |
                                   KeyUsage.cRLSign);
 keyUsage.setCritical(true);
 cert.addExtension(keyUsage);
 

Since the KeyUsage extension is a critical extension, critical has to be set to true before adding the KeyUsage extension to a certificate:

 keyUsage.setCritical(true);
 

Version:
File Revision 23
See Also:
X509Certificate, X509Extensions, V3Extension

Field Summary
static int cRLSign
          The cRLSign keyUsage purpose indicating to use the subject public key for verifying a signature on CRLs.
static int dataEncipherment
          The dataEncipherment keyUsage purpose indicating to use the subject public key for enciphering user data, other than cryptographic keys.
static int decipherOnly
          The decipherOnly keyUsage purpose indicating that the subject public key may be used only for deciphering data while performing key agreement, if the keyAgreement bit also is set.
static int digitalSignature
          The digitalSignature keyUsage purpose indicating to use the subject public key for verifying digital signatures that have purposes other than non-repudiation, certificate signature, and CRL signature.
static int encipherOnly
          The encipherOnly keyUsage purpose indicating that the subject public key may be used only for enciphering data while performing key agreement, if the keyAgreement bit also is set.
static int keyAgreement
          The keyAgreement keyUsage purpose indicating to use the subject public key for key agreement.
static int keyCertSign
          The keyCertSign keyUsage purpose indicating to use the subject public key for verifying a signature on certificates.
static int keyEncipherment
          The keyEncipherment keyUsage purpose indicating to use the subject public key for key transport.
static int nonRepudiation
          The nonRepudiation keyUsage purpose indicating to use the subject public key for verifying digital signatures used to provide a non-repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing.
static ObjectID oid
          The object identifier of this KeyUsage extension.
 
Fields inherited from class iaik.x509.V3Extension
critical
 
Constructor Summary
KeyUsage()
          Default constructor.
KeyUsage(int keyUsage)
          Constructs a KeyUsage extension with a defined key usage parameter.
 
Method Summary
 int get()
          Returns the key usage value as an integer.
 boolean[] getBooleanArray()
          Return the key usage value as a boolean array.
 ObjectID getObjectID()
          Returns the object ID of this KeyUsage extension
 int hashCode()
          Returns a hashcode for this identity.
 void init(ASN1Object obj)
          Inits this KeyUsage implementation with an ASN1Object representing the value of this extension.
 boolean isSet(int keyUsage)
          Return whether the specified key usage values are set.
 void set(int keyUsage)
          Sets the purpose of the key (e.g.: cRLSign | digitalSignature).
 ASN1Object toASN1Object()
          Returns an ASN1Object representing the value of this KeyUsage extension object.
 String toString()
          Returns a string that represents the contents of this KeyUsage extension.
 
Methods inherited from class iaik.x509.V3Extension
getName, isCritical, setCritical
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Field Detail

oid

public static final ObjectID oid
The object identifier of this KeyUsage extension. The corresponding OID string is "2.5.29.15".

digitalSignature

public static final int digitalSignature
The digitalSignature keyUsage purpose indicating to use the subject public key for verifying digital signatures that have purposes other than non-repudiation, certificate signature, and CRL signature.

nonRepudiation

public static final int nonRepudiation
The nonRepudiation keyUsage purpose indicating to use the subject public key for verifying digital signatures used to provide a non-repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing.

keyEncipherment

public static final int keyEncipherment
The keyEncipherment keyUsage purpose indicating to use the subject public key for key transport.

dataEncipherment

public static final int dataEncipherment
The dataEncipherment keyUsage purpose indicating to use the subject public key for enciphering user data, other than cryptographic keys.

keyAgreement

public static final int keyAgreement
The keyAgreement keyUsage purpose indicating to use the subject public key for key agreement.

keyCertSign

public static final int keyCertSign
The keyCertSign keyUsage purpose indicating to use the subject public key for verifying a signature on certificates.

cRLSign

public static final int cRLSign
The cRLSign keyUsage purpose indicating to use the subject public key for verifying a signature on CRLs.

encipherOnly

public static final int encipherOnly
The encipherOnly keyUsage purpose indicating that the subject public key may be used only for enciphering data while performing key agreement, if the keyAgreement bit also is set.

decipherOnly

public static final int decipherOnly
The decipherOnly keyUsage purpose indicating that the subject public key may be used only for deciphering data while performing key agreement, if the keyAgreement bit also is set.

Constructor Detail

KeyUsage

public KeyUsage()
Default constructor. Creates an empty KeyUsage object.

By default the keyUsage value is set to 0, indicating that it is not set. Use set for explicitly setting the key usage value.

Do not forget to specify this extension as critical before adding it to a certificate, e.g.:

 KeyUsage keyUsage = new KeyUsage();
 keyUsage.set( KeyUsage.digitalSignature |
                KeyUsage.nonRepudiation|
                KeyUsage.keyEncipherment|
                KeyUsage.dataEncipherment|
                KeyUsage.keyCertSign |
                KeyUsage.cRLSign);
 keyUsage.setCritical(true);
 X509Certificate cert = new X509Certificate();
  ...
 cert.addExtension(keyUsage);
 

See Also:
V3Extension.setCritical(boolean)

KeyUsage

public KeyUsage(int keyUsage)
Constructs a KeyUsage extension with a defined key usage parameter.

Do not forget to specify this extension as critical before adding it to a certificate:

 KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature |
                                  KeyUsage.nonRepudiation|
                                  KeyUsage.keyEncipherment|
                                  KeyUsage.dataEncipherment|
                                  KeyUsage.keyCertSign |
                                  KeyUsage.cRLSign);
 keyUsage.setCritical(true);
 X509Certificate cert = new X509Certificate();
  ...
 cert.addExtension(keyUsage);
 

Parameters:
keyUsage - the purpose of this key
Method Detail

getObjectID

public ObjectID getObjectID()
Returns the object ID of this KeyUsage extension.
Overrides:
getObjectID in class V3Extension
Returns:
the object ID

set

public void set(int keyUsage)
Sets the purpose of the key (e.g.: cRLSign | digitalSignature).

For instance:

 KeyUsage keyUsage = new KeyUsage();
 keyUsage.set( KeyUsage.digitalSignature |
               KeyUsage.cRLSign);
 
Parameters:
keyUsage - the key usage bit string

init

public void init(ASN1Object obj)
Inits this KeyUsage implementation with an ASN1Object representing the value of this extension.

The given ASN1Object indicates the key usage purpose.

The given ASN1Object is the one created by toASN1Object().

This method is used by the X509Extensions class when parsing the ASN.1 representation of a certificate for properly initializing an included KeyUsage extension. This method initializes the extension only with its value, but not with its critical specification. For that reason, this method shall not be explicitly called by an application.

Overrides:
init in class V3Extension
Parameters:
obj - the KeyUsage as ASN1Object

toASN1Object

public ASN1Object toASN1Object()
Returns an ASN1Object representing the value of this KeyUsage extension object.

The returned ASN1Object is an ASN.1 BIT_STRING indicating the key usage purpose:

 KeyUsage ::= BIT STRING {
    digitalSignature        (0),
    nonRepudiation          (1),
    keyEncipherment         (2),
    dataEncipherment        (3),
    keyAgreement            (4),
    keyCertSign             (5),
    cRLSign                 (6),
    encipherOnly            (7),
    decipherOnly            (8) }
 

Overrides:
toASN1Object in class V3Extension
Returns:
the value of this KeyUsage as ASN1Object

hashCode

public int hashCode()
Returns a hashcode for this identity.
Overrides:
hashCode in class V3Extension
Returns:
a hash code for this identity

get

public int get()
Returns the key usage value as an integer.

Note the "big endian" representation of the BIT STRING representing the value of this KeyUsage extension: the least significant bit indicates the purpose with the lowest bit value, meaning that the integer value 1 specifies the "digitalSignature" purpose, and the integer value 256 (binary 100000000, hexadecimal 100) specifies the "decipherOnly" purpose.
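The note above is easiest to see with the bytes in hand. The following is an added example, not code from the IAIK-JCE documentation or library: a dependency-free Java encoder/decoder for the KeyUsage BIT STRING that makes the mapping explicit. Integer bit i (value 1 << i, so 1 for digitalSignature and 256 for decipherOnly, as stated above) is ASN.1 bit i, which DER stores most-significant-bit first: bit 0 lands in the 0x80 position of the first content octet, bit 8 in the 0x80 position of the second. The constant names below are this example's own, not the IAIK field names.

```java
// Added example: DER encoding of the KeyUsage BIT STRING and the reverse mapping to
// the integer representation used by KeyUsage.get()/set(). Not IAIK code.
public final class KeyUsageBits {

    // Same bit indices as the ASN.1 definition (RFC 2459 4.2.1.3); values mirror the
    // integer representation described in the documentation (1 << bit index).
    public static final int DIGITAL_SIGNATURE = 1 << 0;   // 1
    public static final int NON_REPUDIATION   = 1 << 1;   // 2
    public static final int KEY_ENCIPHERMENT  = 1 << 2;   // 4
    public static final int DATA_ENCIPHERMENT = 1 << 3;   // 8
    public static final int KEY_AGREEMENT     = 1 << 4;   // 16
    public static final int KEY_CERT_SIGN     = 1 << 5;   // 32
    public static final int CRL_SIGN          = 1 << 6;   // 64
    public static final int ENCIPHER_ONLY     = 1 << 7;   // 128
    public static final int DECIPHER_ONLY     = 1 << 8;   // 256

    private static final int ALL_BITS = 0x1FF;

    /** DER-encodes the integer as a BIT STRING (tag 0x03); DER drops trailing zero bits. */
    public static byte[] encode(int usage) {
        if ((usage & ~ALL_BITS) != 0) {
            throw new IllegalArgumentException("only bits 0..8 are defined for KeyUsage");
        }
        if (usage == 0) {
            return new byte[] {0x03, 0x01, 0x00};           // empty BIT STRING
        }
        int highest = 31 - Integer.numberOfLeadingZeros(usage); // index of highest set bit
        int numBits = highest + 1;
        int numOctets = (numBits + 7) / 8;
        int unusedBits = numOctets * 8 - numBits;            // trailing bits of the last octet
        byte[] out = new byte[3 + numOctets];
        out[0] = 0x03;                                       // BIT STRING tag
        out[1] = (byte) (1 + numOctets);                     // unused-bits octet + content octets
        out[2] = (byte) unusedBits;
        for (int i = 0; i <= highest; i++) {
            if ((usage & (1 << i)) != 0) {
                out[3 + i / 8] |= (byte) (0x80 >>> (i % 8)); // ASN.1 bit i, MSB first
            }
        }
        return out;
    }

    /** Parses a short-form DER BIT STRING back into the integer representation. */
    public static int decode(byte[] der) {
        if (der.length < 3 || der[0] != 0x03) {
            throw new IllegalArgumentException("not a short-form DER BIT STRING");
        }
        int length = der[1] & 0xFF;
        int unusedBits = der[2] & 0xFF;
        if (length != der.length - 2 || length < 1 || unusedBits > 7) {
            throw new IllegalArgumentException("inconsistent length or unused-bit count");
        }
        int totalBits = (length - 1) * 8 - unusedBits;
        int usage = 0;
        for (int i = 0; i < totalBits; i++) {
            int octet = der[3 + i / 8] & 0xFF;
            if ((octet & (0x80 >>> (i % 8))) != 0) {
                if (i > 8) {
                    throw new IllegalArgumentException("bit " + i + " is not a KeyUsage purpose");
                }
                usage |= 1 << i;
            }
        }
        return usage;
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x ", b));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample values: a signing-only key, a typical CA key, and the highest bit.
        int[] samples = {DIGITAL_SIGNATURE, KEY_CERT_SIGN | CRL_SIGN, DECIPHER_ONLY};
        for (int usage : samples) {
            byte[] der = encode(usage);
            System.out.printf("%3d -> %s -> %d%n", usage, hex(der), decode(der));
        }
    }
}
```

Running this shows why the integer 1 (digitalSignature) becomes the familiar "03 02 07 80" seen in end-entity certificates while keyCertSign | cRLSign (integer 96) becomes "03 02 01 06": the integer counts bits from the least significant end, the BIT STRING from the most significant end of its first octet. The decoder rejects an unused-bit count above 7, a length that disagrees with the buffer, and any set bit beyond index 8, so a malformed extension value fails loudly instead of being silently mapped onto some purpose.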

Returns:
the key usage value as integer representation
See Also:
set(int)

getBooleanArray

public boolean[] getBooleanArray()
Return the key usage value as a boolean array.

It will always have nine elements, element 0 is digitalSignature, element 1 nonRepudiation, etc.

isSet

public boolean isSet(int keyUsage)
Return whether the specified key usage values are set. For example, keyUsage.isSet(KeyUsage.keyCertSign) returns true if the keyCertSign bit is set.
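The two halves of this page, restricting a key to one purpose when it is issued (the digitalSignature/nonRepudiation and keyEncipherment cases from the introduction) and checking the asserted bits with isSet and get before trusting a certificate for a role, fit together in the added example below. It is not code from the IAIK-JCE documentation; the role policy (which bits a CA or a signing key must carry and which it must not) is this example's own choice. It assumes, beyond what this page shows, that iaik.x509.X509Certificate.getExtension(ObjectID) returns the parsed extension (or null when absent) and may throw iaik.x509.X509ExtensionInitException.

```java
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.KeyUsage;

// Added example (not IAIK code): issue role-restricted KeyUsage extensions and verify a
// certificate's KeyUsage against the role it is about to be trusted for.
public final class KeyUsagePolicy {

    // Example policy, not from the specification: required bits per role and bits a key
    // in that role must not carry (an issuing key should never also be a transport key).
    static final int CA_REQUIRED        = KeyUsage.keyCertSign | KeyUsage.cRLSign;
    static final int CA_FORBIDDEN       = KeyUsage.keyEncipherment | KeyUsage.dataEncipherment;
    static final int SIGNING_REQUIRED   = KeyUsage.digitalSignature | KeyUsage.nonRepudiation;
    static final int SIGNING_FORBIDDEN  = KeyUsage.keyCertSign | KeyUsage.cRLSign
                                        | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment;

    /** Builds a KeyUsage restricted to the given purposes and marked critical, as the spec requires. */
    static KeyUsage restrictedTo(int purposes) {
        KeyUsage keyUsage = new KeyUsage(purposes);
        keyUsage.setCritical(true);
        return keyUsage;
    }

    /**
     * Accepts the certificate for a role only if every required bit is asserted and none of
     * the forbidden ones is. Assumption: getExtension(ObjectID) returns the parsed extension
     * or null (not shown on this page). A missing extension grants nothing here.
     */
    static boolean acceptableFor(X509Certificate cert, int required, int forbidden)
            throws X509ExtensionInitException {
        KeyUsage keyUsage = (KeyUsage) cert.getExtension(KeyUsage.oid);
        if (keyUsage == null) {
            return false;
        }
        if (!keyUsage.isCritical()) {
            // The extension shall be critical; a non-critical one is a deployment defect worth logging.
            System.err.println("warning: KeyUsage present but not marked critical");
        }
        int value = keyUsage.get();
        boolean allRequired = (value & required) == required;   // isSet() for a single bit
        boolean noneForbidden = (value & forbidden) == 0;
        return allRequired && noneForbidden;
    }

    /** Names the asserted purposes using getBooleanArray(), whose index is the bit number. */
    static String describe(KeyUsage keyUsage) {
        String[] names = {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                          "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"};
        boolean[] bits = keyUsage.getBooleanArray();          // always nine elements
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < bits.length; i++) {
            if (bits[i]) sb.append(sb.length() == 0 ? "" : ", ").append(names[i]);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed, unsigned certificate objects: enough to exercise the extension logic.
        X509Certificate ca = new X509Certificate();
        ca.addExtension(restrictedTo(CA_REQUIRED));

        X509Certificate signer = new X509Certificate();
        signer.addExtension(restrictedTo(SIGNING_REQUIRED));

        // A key that was given every purpose, as in the documentation's own snippet.
        X509Certificate doEverything = new X509Certificate();
        doEverything.addExtension(restrictedTo(CA_REQUIRED | SIGNING_REQUIRED
                                               | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment));

        System.out.println("ca as CA:              " + acceptableFor(ca, CA_REQUIRED, CA_FORBIDDEN));
        System.out.println("signer as CA:          " + acceptableFor(signer, CA_REQUIRED, CA_FORBIDDEN));
        System.out.println("signer as signer:      " + acceptableFor(signer, SIGNING_REQUIRED, SIGNING_FORBIDDEN));
        System.out.println("doEverything as CA:    " + acceptableFor(doEverything, CA_REQUIRED, CA_FORBIDDEN));
        System.out.println("doEverything carries:  "
                           + describe((KeyUsage) doEverything.getExtension(KeyUsage.oid)));
    }
}
```

The check deliberately uses get() with a mask rather than repeated isSet calls so that "all of these bits" and "none of those bits" are each one comparison; the forbidden mask is what turns the introduction's advice (assert only the bits a key is meant for) into something a relying party can enforce, since a certificate carrying the full set of purposes is rejected for both roles.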

toString

public String toString()
Returns a string that represents the contents of this KeyUsage extension.
Overrides:
toString in class Object
Returns:
the string representation

This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, 2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1, 3, 5, 7, 8, 9, 10, 12, see copyright note).

IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK