|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object | +--iaik.x509.V3Extension | +--iaik.x509.extensions.PolicyConstraints
This class implements the PolicyConstraints
extension.
The PolicyConstraints
extension is a standard X509v3 extension, which
may or may not be marked as being critical.
Each extension is associated with a specific certificateExtension
object identifier, derived from:
certificateExtension OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} id-ce OBJECT IDENTIFIER ::= certificateExtension
The object identifier for the PolicyConstraints
extension
is defined as:
id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
which corresponds to the OID string "2.5.29.36".
The X.509 Certificate and CRL profile presented in RFC 2459 specifies the policy contraints extension for constraining path validation in two ways. It can be used to prohibit policy mapping or require that each certificate in a path contains an acceptable policy identifier. The policy constraints extension can be used in certificates issued to CAs:
PolicyConstraints ::= SEQUENCE { requireExplicitPolicy [0] SkipCerts OPTIONAL, inhibitPolicyMapping [1] SkipCerts OPTIONAL }
SkipCerts ::= INTEGER (0..MAX)
If the inhibitPolicyMapping field is present, the value indicates the number of additional certificates that may appear in the path before policy mapping is no longer permitted. For example, a value of one indicates that policy mapping may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path.
If the requireExplicitPolicy field is present, subsequent certificates must include an acceptable policy identifier. The value of requireExplicitPolicy indicates the number of additional certificates that may appear in the path before an explicit policy is required. An acceptable policy identifier is the identifier of a policy required by the user of the certification path or the identifier of a policy which has been declared equivalent through policy mapping.
More information can be found in RFC 2459, section 4.2.1.12 "Policy Constraints".
For adding a PolicyConstraints
extension object to a X509Certificate,
use the addExtension
method of the iaik.x509.X509Certificate
class, e.g.:
PolicyConstraints policyConstraints = new PolicyConstraints(); policyConstraints.setRequireExplicitPolicy(3); policyConstraints.setInhibitExplicitPolicy(7); X509Certificate cert = new X509Certificate(); ... cert.addExtension(policyConstraints);
When intending to mark this extension as critical, use the setCritical
method of the iaik.x509.V3Extension
parent class (note that you have to mark an extension as critical before adding the
extension to a certificate), e.g.:
policyConstraints.setCritical(true);
PolicyMappings
,
V3Extension
,
X509Extensions
,
X509Certificate
Field Summary | |
static ObjectID |
oid
The object identifier of this PolicyConstraints extension.
|
Fields inherited from class iaik.x509.V3Extension |
critical |
Constructor Summary | |
PolicyConstraints()
Default constructor. |
Method Summary | |
int |
getInhibitExplicitPolicy()
Deprecated. see getInhibitPolicyMapping() |
int |
getInhibitPolicyMapping()
Returns the inhibitPolicyMapping value of this
PolicyConstraints extension specifying the
number of additional certificates that may appear in the path
before policy mapping is no longer permitted. |
ObjectID |
getObjectID()
Returns the object ID of this PolicyConstraints extension |
int |
getRequireExplicitPolicy()
Returns the requireExplicitPolicy value of this
PolicyConstraints extension specifying the
number of additional certificates that may appear in the path
before an explicit policy is required. |
int |
hashCode()
Returns a hashcode for this identity. |
void |
init(ASN1Object obj)
Inits this PolicyConstraints implementation with an ASN1object
representing the value of this extension.
|
void |
setInhibitExplicitPolicy(int inhibitPolicyMapping)
Deprecated. see setInhibitPolicyMapping() |
void |
setInhibitPolicyMapping(int inhibitPolicyMapping)
Sets the inhibitPolicyMapping value of this
PolicyConstraints extension for specifying the
number of additional certificates that may appear in the path
before policy mapping is no longer permitted. |
void |
setRequireExplicitPolicy(int requireExplicitPolicy)
Sets the requireExplicitPolicy value of this
PolicyConstraints extension for specifying the
number of additional certificates that may appear in the path
before an explicit policy is required. |
ASN1Object |
toASN1Object()
Returns an ASN1Object representing the value of this PolicyConstraints
extension object.
|
String |
toString()
Returns a string that represents the contents of this PolicyConstraints extension. |
Methods inherited from class iaik.x509.V3Extension |
getName, isCritical, setCritical |
Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, notify, notifyAll, wait, wait, wait |
Field Detail |
public static final ObjectID oid
PolicyConstraints
extension.
The corresponding OID string is "2.5.29.36".Constructor Detail |
public PolicyConstraints()
Creates an empty PolicyConstraints
object.
InhibitExplicitPolicy
and RequireExplicitPolicy
are initialized with -1 indicating that the corresponding values are not set.
Use setInhibitExplicitPolicy
and/or
setRequireExplicitPolicy
for
prohibiting policy mapping and/or requiring acceptable policy identifiers for
subsequent certificates.
If you want to specify this extension as critical before adding it to a
certificate, use the setCritical
method of the
iaik.x509.V3Extension
parent class, e.g:
PolicyConstraints policyConstraints = new PolicyConstraints(); policyConstraints.setRequireExplicitPolicy(3); policyConstraints.setInhibitExplicitPolicy(7); policyConstraints.setCritical(true); X509Certificate cert = new X509Certificate(); ... cert.addExtension(policyConstraints);
V3Extension.setCritical(boolean)
Method Detail |
public ASN1Object toASN1Object()
PolicyConstraints
extension object.
The returned ASN1Object is an ASN.1 Sequence specifying any inhibitPolicyMapping and/or requireExplicitPolicy values for prohibiting policy mapping and/or requiring acceptable policy identifiers for subsequent certificates.
PolicyConstraints ::= SEQUENCE { requireExplicitPolicy [0] SkipCerts OPTIONAL, inhibitPolicyMapping [1] SkipCerts OPTIONAL }The ASN1Object created by this method may be used as parameter for the
init
method.toASN1Object
in class V3Extension
PolicyConstraints
as ASN1Objectpublic void init(ASN1Object obj) throws X509ExtensionException
PolicyConstraints
implementation with an ASN1object
representing the value of this extension.
The given ASN1Object represents a sequence of inhibitPolicyMapping and/or requireExplicitPolicy values for prohibiting policy mapping and/or requiring acceptable policy identifiers for subsequent certificates.
The given ASN1Object is the one created by toASN1Object()
.
This method is used by the X509Extensions
class when parsing the ASN.1 representation
of a certificate for properly initializing an included
PolicyConstraints extension. This method initializes the
extension only with its value, but not with its critical
specification. For that reason, this method shall not be
explicitly called by an application.
init
in class V3Extension
obj
- the PolicyConstraints as ASN1ObjectX509ExtensionException
- if the extension could not be parsedpublic int hashCode()
hashCode
in class V3Extension
public ObjectID getObjectID()
PolicyConstraints
extensiongetObjectID
in class V3Extension
public void setRequireExplicitPolicy(int requireExplicitPolicy)
requireExplicitPolicy
value of this
PolicyConstraints
extension for specifying the
number of additional certificates that may appear in the path
before an explicit policy is required.requireExplicitPolicy
- the number of additional certificates
that may appear in the path before an
explicit policy is requiredgetRequireExplicitPolicy()
public void setInhibitPolicyMapping(int inhibitPolicyMapping)
inhibitPolicyMapping
value of this
PolicyConstraints
extension for specifying the
number of additional certificates that may appear in the path
before policy mapping is no longer permitted.inhibitPolicyMapping
- the number of additional certificates
that may appear in the path before policy
mapping is no longer permitted.getInhibitPolicyMapping()
public void setInhibitExplicitPolicy(int inhibitPolicyMapping)
public int getRequireExplicitPolicy()
requireExplicitPolicy
value of this
PolicyConstraints
extension specifying the
number of additional certificates that may appear in the path
before an explicit policy is required.requireExplicitPolicy
value specifying the
number of additional certificates that may appear in the path
before an explicit policy is required, or -1 if the
requireExplicitPolicy
value has yet not been setsetRequireExplicitPolicy(int)
public int getInhibitPolicyMapping()
inhibitPolicyMapping
value of this
PolicyConstraints
extension specifying the
number of additional certificates that may appear in the path
before policy mapping is no longer permitted.inhibitPolicyMapping
value specifying the
number of additional certificates that may appear in the
path before policy mapping is no longer permitted, or -1
if the inhibitPolicyMapping
value has yet not
been setsetInhibitPolicyMapping(int)
public int getInhibitExplicitPolicy()
public String toString()
PolicyConstraints
extension.toString
in class Object
|
This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, ,2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note). | ||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |