iaik.x509.ocsp.utils
Class TrustedResponders

java.lang.Object
  |
  +--iaik.x509.ocsp.utils.TrustedResponders

public class TrustedResponders
extends Object

A simple repository for mapping trust between responders and CA certificates.

If a basic OCSP response is not signed by the same issuer that has signed the target certificate, the OCSP client has to check whether the response signer is authorized to sign the response. In this case, the certificate of the response signer has to be issued by the issuer of the target certificate and has to contain the ExtendedKeyUsage extension indicating the id-kp-OCSPSigning purpose.
This class provides a simple mechanism for specifying the set of CAs for which each responder is trusted.

Each responder is identified by its ResponderID. When calling method addTrustedResponderEntry, supply the ID of the responder in question and a CA certificate which has authorized this responder for signing the response, e.g.:

 import iaik.asn1.structures.Name;
 import iaik.x509.X509Certificate;
 import iaik.x509.ocsp.ResponderID;
 import iaik.x509.ocsp.utils.TrustedResponders;

 // targetCerts[0] contains the certificate for which revocation information shall be requested
 // targetCerts[0] is signed by targetCerts[1]
 X509Certificate[] targetCerts = ...;
 // responderCert is the cert used by the responder for signing a response
 X509Certificate responderCert = ...;
 // we want to trust this responder for signing responses for certs issued by targetCerts[1]
 TrustedResponders trustedResponders = new TrustedResponders();
 ResponderID responderID = new ResponderID((Name)responderCert.getSubjectDN());
 trustedResponders.addTrustedResponderEntry(responderID, targetCerts[1]);
 
Note: this class provides a very simple trust repository utility maintained by a hashtable with one entry for each particular responderID. Each responder entry has its trusted CA certificates attached, so one CA certificate may appear repeatedly (e.g. for responder 1 and responder 2, ...). An application may wish to implement a more comprehensive strategy.
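
The authorization check described above (responder certificate issued by the target certificate's issuer and carrying id-kp-OCSPSigning), combined with a per-responder map of trusted CA certificates, as an added example written against the plain JDK API. It is not IAIK code: the class DelegatedResponderCheck, its method names, and keying responders by subject name are assumptions of this example, and the two certificate files are supplied by the reader on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

// Added example (plain JDK, not IAIK code); responders are keyed by subject name (assumption).
public class DelegatedResponderCheck {
    static final String ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";
    // One entry per responder, each with the CA certs it may sign responses for.
    private final Map<X500Principal, Set<X509Certificate>> trusted = new HashMap<>();

    public boolean addEntry(X500Principal responder, X509Certificate caCert) {
        return trusted.computeIfAbsent(responder, k -> new HashSet<>()).add(caCert);
    }

    public boolean isTrusted(X500Principal responder, X509Certificate responderCert,
                             X509Certificate caCert) {
        Set<X509Certificate> cas = trusted.get(responder);
        if (cas == null || !cas.contains(caCert)) return false;      // no trust entry
        try {
            if (!responderCert.getSubjectX500Principal().equals(responder)) return false;
            if (!responderCert.getIssuerX500Principal()
                    .equals(caCert.getSubjectX500Principal())) return false;
            responderCert.checkValidity();                           // inside validity period
            responderCert.verify(caCert.getPublicKey());             // signed by this CA
            List<String> eku = responderCert.getExtendedKeyUsage();  // null if extension absent
            return eku != null && eku.contains(ID_KP_OCSP_SIGNING);
        } catch (GeneralSecurityException e) {
            return false;                                            // fail closed on any error
        }
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {       // args: responder cert, CA cert
        X509Certificate responderCert = load(args[0]), caCert = load(args[1]);
        DelegatedResponderCheck repo = new DelegatedResponderCheck();
        X500Principal id = responderCert.getSubjectX500Principal();
        repo.addEntry(id, caCert);
        System.out.println(repo.isTrusted(id, responderCert, caCert));
    }
}
```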

Version:
File Revision 9

Constructor Summary
TrustedResponders()
          Default constructor.
 
Method Summary
 boolean addTrustedResponderEntry(ResponderID responderID, X509Certificate caCert)
          Trust the given responderID for signing responses for certs issued by the given CA.
 void clearAllEntries()
          Clear all entries.
 boolean isTrustedResponder(ResponderID responderID, X509Certificate responderCert, X509Certificate caCert)
          Checks if we can trust the given responder for signing responses for certs issued by the given CA.
 boolean removeTrustedResponder(ResponderID responderID)
          Removes the given responder from the trust repository.
 boolean removeTrustedResponderEntry(ResponderID responderID, X509Certificate caCert)
          No longer trust the given responder for signing responses for certs issued by the given CA cert.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

TrustedResponders

public TrustedResponders()
Default constructor. Creates an empty repository.
Method Detail

addTrustedResponderEntry

public boolean addTrustedResponderEntry(ResponderID responderID,
                                        X509Certificate caCert)
Trust the given responderID for signing responses for certs issued by the given CA.
Parameters:
responderID - the ID of the responder to trust for signing responses for certs issued by the given CA cert
caCert - responses for certs issued by this CA cert can be signed by the given responder
Returns:
true if the entry has been added, false if it has not been added (because it was already included)

removeTrustedResponder

public boolean removeTrustedResponder(ResponderID responderID)
Removes the given responder from the trust repository. This action may indicate that this responder is not to be trusted if its cert is not equal to the CA cert that has issued the target cert.
Parameters:
responderID - the ID of the responder to remove
Returns:
true if the responder has been removed, false if not (because there was no such responder set)

removeTrustedResponderEntry

public boolean removeTrustedResponderEntry(ResponderID responderID,
                                           X509Certificate caCert)
No longer trust the given responder for signing responses for certs issued by the given CA cert.
Parameters:
responderID - the ID of the responder to no longer trust for signing responses for certs issued by the given CA cert
caCert - responses for certs issued by this CA cert cannot be signed by the given responder
Returns:
true if the entry has been removed, false if not (because there was no such entry)

isTrustedResponder

public boolean isTrustedResponder(ResponderID responderID,
                                  X509Certificate responderCert,
                                  X509Certificate caCert)
Checks if we can trust the given responder for signing responses for certs issued by the given CA. This method checks if, for the given responderID, a CA cert is in the cache. If yes, the given responder cert has to be issued by the given CA cert.
Parameters:
responderID - the ID of the responder in question
caCert - the CA cert
responderCert - the cert of the responder
Returns:
true if we can trust the given responder for signing responses for certs issued by the given CA, false if not

clearAllEntries

public void clearAllEntries()
Clear all entries.

This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, 2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note).

IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK