iaik.x509.ocsp
Interface CertificateResponse

All Superinterfaces:
ASN1Type
All Known Implementing Classes:
SingleResponse

public interface CertificateResponse
extends ASN1Type

An OCSP response for a single certificate.

Interface to be implemented by any class representing a response message for a single certificate.

The main purpose of this interface is to ensure that any certificate response can easily be identified by the ReqCert of the underlying target certificate:

 ReqCert  ::= CHOICE {
   certID            CertID,
   issuerSerial      [0] IssuerandSerialNumber,
   pKCert            [1] Certificate,
   name              [2] GeneralName,
   certHash          [3] OCTET STRING}
 

Version:
File Revision 11

Method Summary
 ReqCert getReqCert()
          Returns the reqCert of this certificate response.
 boolean isResponseFor(ReqCert reqCert)
          Checks if this is a certificate response for a certificate identified by the given reqCert.
 boolean isResponseFor(X509Certificate targetCert, X509Certificate issuerCert, GeneralName generalName)
          Checks if this is a certificate response for the given certificate identifying information.
 String toString()
          Returns a String representation of this certificate response.
 
Methods inherited from interface iaik.asn1.ASN1Type
decode, toASN1Object
 

Method Detail

getReqCert

public ReqCert getReqCert()
Returns the reqCert of this certificate response.
Returns:
the reqCert identifying the target certificate.

isResponseFor

public boolean isResponseFor(X509Certificate targetCert,
                             X509Certificate issuerCert,
                             GeneralName generalName)
                      throws OCSPException
Checks if this is a certificate response for the given certificate identifying information.

Since OCSP v2-01 (see draft-ietf-pkix-ocspv2-01) uses no fewer than five alternatives (certID, issuerSerial, pKCert, name, certHash) to identify the target cert for which status information shall be obtained, it might be the case (hopefully not a very probable one) that an OCSP server responds with a reqCert type different from the one sent with the client request (namely when maintaining precomputed responses).
If the reqCert types are the same in request and response, method isResponseFor(ReqCert) can be used for checking if this certificate response actually refers to the certificate in mind. However, if request and response use different ReqCert types (e.g. request: pKCert, response: certID), or they use a certID with different hash algorithms, this method may be used to try to "translate" the given cert data into a reqCert of the same type as the reqCert of this certificate response, and then to check whether the two are equal. Translation is performed according to the following rules:

Note that any reqCert type can be created if target cert and issuer cert are set.

This method only returns true if the supplied information fits the type of the ReqCert of this response (according to the conditions above) and identifies the same certificate. In any other case this method returns false (e.g. the ReqCert of this response represents a type for which the supplied information is not appropriate, or the type is OK but another certificate is referenced).

Assuming, for instance, that the ReqCert of this response represents a certID but you expect a pKCert, method isResponseFor(ReqCert) will fail. Now you may supply both the target cert and its issuing cert for checking if this is a response for the target certificate in mind, e.g.:

 // the target cert chain
 X509Certificate[] targetCerts = ...;
 // targetCerts[0] is the target cert, targetCerts[1] its issuer; no GeneralName is needed here
 boolean isResponseFor = certResponse.isResponseFor(targetCerts[0], targetCerts[1], null);
 
Parameters:
targetCert - the target cert, if required
issuerCert - the cert of the target cert issuer, if required
generalName - a general name (if required for reqCert type "name")
Returns:
true if this is a response for the target certificate asked for; or false if this is not a response for the target certificate in mind or not enough information is provided for handling the type of the inherent ReqCert
Throws:
OCSPException - if some processing error occurs, e.g. if the ReqCert of this response represents a CertID but the certID's hash algorithm is not supported by the installed providers

isResponseFor

public boolean isResponseFor(ReqCert reqCert)
Checks if this is a certificate response for a certificate identified by the given reqCert. Attention! When using this method for asking if this certificate response corresponds to the given reqCert be sure that the reqCert of the CertificateResponse has the same type as the given reqCert (as usual).
Parameters:
reqCert - the reqCert identifying the certificate in mind
Returns:
true if this is a certificate response for the certificate identified by the given reqCert, false if not
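
A client has to bind each response entry to the certificate it asked about before trusting the reported status. The following added example (not part of the IAIK-JCE documentation or code base) combines both isResponseFor variants described above; the class ResponseMatcher, its find method and the reject-on-duplicate policy are assumptions made for illustration.

```java
import iaik.asn1.structures.GeneralName;
import iaik.x509.X509Certificate;
import iaik.x509.ocsp.CertificateResponse;
import iaik.x509.ocsp.OCSPException;
import iaik.x509.ocsp.ReqCert;

/** Hypothetical helper, not an IAIK class: picks the response entry for one target cert. */
public final class ResponseMatcher {

  private ResponseMatcher() { }

  /**
   * Returns the single entry of responses that refers to targetCert, or null
   * if no entry does. sentReqCert is the ReqCert that was put into the request.
   * A null result must be treated by the caller as "status unknown".
   */
  public static CertificateResponse find(CertificateResponse[] responses,
                                         ReqCert sentReqCert,
                                         X509Certificate targetCert,
                                         X509Certificate issuerCert,
                                         GeneralName name)
      throws OCSPException {
    CertificateResponse match = null;
    for (int i = 0; i < responses.length; i++) {
      CertificateResponse r = responses[i];
      // 1) Request and response use the same ReqCert type: direct comparison.
      boolean hit = r.isResponseFor(sentReqCert);
      // 2) Responder answered with another type or hash algorithm:
      //    let the library translate the cert data into the response's type.
      if (!hit) {
        hit = r.isResponseFor(targetCert, issuerCert, name);
      }
      if (!hit) {
        continue; // entry is about some other certificate, ignore it
      }
      // Assumed policy: two entries for the same target are ambiguous,
      // so refuse to choose between them instead of taking the first.
      if (match != null) {
        throw new IllegalStateException("more than one response for target cert");
      }
      match = r;
    }
    return match;
  }
}
```

An OCSPException from the translation step (for example an unsupported certID hash algorithm) propagates to the caller, so an entry that cannot be checked is never silently accepted as a match.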

toString

public String toString()
Returns a String representation of this certificate response.
Overrides:
toString in class Object
Returns:
a String representation

This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, 2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note).

IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK