AttributeCertificate (6.2 API Documentation)

java.lang.Object
- java.security.cert.Certificate
- - iaik.x509.attr.AttributeCertificate

All Implemented Interfaces:: ASN1Type, java.io.Serializable, java.security.cert.X509Extension

public class AttributeCertificate
extends java.security.cert.Certificate
implements ASN1Type, java.security.cert.X509Extension

This class represents an attribute certificate, as specified by the PKIX Internet Attribute Certificate Profile for Authorization.

Attribute Certificates (see RFC 5755) do not contain a public key, rather they bind some kind of property to some entity:

 An attribute certificate (AC) may contain attributes that specify group 
 membership, role, security clearance, or other authorization information
 associated with the AC holder. 
 
 A public key certificate (PKC) can be considered to be like a passport: it
 identifies the holder, tends to last for a long time, and should not
 be trivial to obtain. An AC is more like an entry visa: it is
 typically issued by a different authority and does not last for as
 long a time. As acquiring an entry visa typically requires
 presenting a passport, getting a visa can be a simpler process.
 
 Authorization information may be placed in a PKC extension or placed
 in a separate attribute certificate (AC). The placement of
 authorization information in PKCs is usually undesirable for two
 reasons. First, authorization information often does not have the
 same lifetime as the binding of the identity and the public key.
 When authorization information is placed in a PKC extension, the
 general result is the shortening of the PKC useful lifetime. Second,
 the PKC issuer is not usually authoritative for the authorization
 information. This results in additional steps for the PKC issuer to
 obtain authorization information from the authoritative source.
 
 For these reasons, it is often better to separate authorization
 information from the PKC. Yet, authorization information also needs
 to be bound to an identity. An AC provides this binding; it is
 simply a digitally signed (or certified) identity and set of
 attributes.
 
 An AC may be used with various security services, including access
 control, data origin authentication, and non-repudiation.
 
 PKCs can provide an identity to access control decision functions.
 However, in many contexts the identity is not the criterion that is
 used for access control decisions, rather the role or group-
 membership of the accessor is the criterion used. Such access
 control schemes are called role-based access control.
 
 When making an access control decision based on an AC, an access
 control decision function may need to ensure that the appropriate AC
 holder is the entity that has requested access. One way in which the
 linkage between the request or identity and the AC can be achieved
 is the inclusion of a reference to a PKC within the AC and the use
 of the private key corresponding to the PKC for authentication
 within the access request.

The PKIX attribute certificate format is defined as an ASN.1 SEQUENCE structure containing the following components:

 AttributeCertificate ::= SEQUENCE {
   acinfo               AttributeCertificateInfo,
   signatureAlgorithm   AlgorithmIdentifier,
   signatureValue       BIT STRING
 }

where signatureAlgorithm identifies the signature algorithm used by the issuer for computing the digital signature upon the ASN.1 DER encoded AttributeCertificateInfo structure, which itself is expressed as ASN.1 SEQUENCE structure specifying holder and issuer of the AC, signature algorithm (the same as specified in Certificate above), version and serial numbers, validity period, attributes and optionally unique identifier of the issuer and certificate extensions:

 AttributeCertificateInfo ::= SEQUENCE {
   version                 AttCertVersion -- version is v2,
   holder                  Holder,
   issuer                  AttCertIssuer,
   signature               AlgorithmIdentifier,
   serialNumber            CertificateSerialNumber,
   attrCertValidityPeriod  AttCertValidityPeriod,
   attributes              SEQUENCE OF Attribute,
   issuerUniqueID          UniqueIdentifier OPTIONAL,
   extensions              Extensions OPTIONAL
 }

where:

 AttCertVersion  ::=  INTEGER { v2(1) }
 

 Holder ::= SEQUENCE {
      baseCertificateID   [0] IssuerSerial OPTIONAL,
                          -- the issuer and serial number of
                          -- the holder's Public Key Certificate
      entityName          [1] GeneralNames OPTIONAL,
                          -- the name of the claimant or role
      objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
                          -- used to directly authenticate the holder,
                          -- for example, an executable
 }
 

 AttCertIssuer ::= CHOICE {
      v1Form   GeneralNames,  -- MUST NOT be used in this
                              -- profile
      v2Form   [0] V2Form     -- v2 only
 

 V2Form ::= SEQUENCE {
   issuerName            GeneralNames  OPTIONAL,
   baseCertificateID     [0] IssuerSerial  OPTIONAL,
   objectDigestInfo      [1] ObjectDigestInfo  OPTIONAL
           -- issuerName MUST be present in this profile
           -- baseCertificateID and objectDigestInfo MUST NOT
           -- be present in this profile
 }
 

 AlgorithmIdentifier  ::=  SEQUENCE  {
   algorithm               OBJECT IDENTIFIER,
   parameters              ANY DEFINED BY algorithm OPTIONAL  }
 

 CertificateSerialNumber  ::=  INTEGER
 

 AttCertValidityPeriod ::= SEQUENCE {
   notBeforeTime  GeneralizedTime,
   notAfter       GeneralizedTime }
 

 Attribute ::= SEQUENCE {
   type      AttributeType,
   values    SET OF AttributeValue
     -- at least one value is required }
 

 AttributeType ::= OBJECT IDENTIFIER
 

 AttributeValue ::= ANY DEFINED BY AttributeType
 

 UniqueIdentifier  ::=  BIT STRING
 

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }

For a detailed description of the several fields refer to RFC 5755)

For each value exists a set<Value> and a get<Value> method.

After creating a new attribute certificate by means of the default constructor, setting AC holder and AC issuer, setting validity period and serial number, and adding any attribute and extension to be included, finally the certificate can be signed with the private key of the issuer, e.g.:

 // the public key certificate of the AC issuer
 X509Certificate acIssuerCert = ...;
 // the private signing key of the AC issuer
 PrivateKey acIssuerKey = ...; 
 // create Attribute Certificate
 AttributeCertificate attributeCertificate = new AttributeCertificate();
 // issuer
 V2Form v2Form = new V2Form((Name)acIssuerCert.getSubjectDN());
 attributeCertificate.setIssuer(v2Form);
 // holder (from base certificate)
 X509Certificate baseCert = ...;
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCert);
 attributeCertificate.setHolder(holder);
 // serial number
 attributeCertificate.setSerialNumber(BigInteger.valueOf(1));
 // validity
 GregorianCalendar c = new GregorianCalendar();
 Date notBeforeTime = c.getTime();
 c.add(Calendar.MONTH, 1);
 Date notAfterTime = c.getTime();
 attributeCertificate.setNotBeforeTime(notBeforeTime);
 attributeCertificate.setNotAfterTime(notAfterTime);
 // add any attributes (e.g. Role):
 GeneralName roleName = new GeneralName(GeneralName.uniformResourceIdentifier, "urn:sysadmin");
 Role role = new Role(roleName);
 attributeCertificate.addAttribute(new Attribute(role));
 ..
 // add any extensions (e.g. No Revocation Info Available):
 NoRevAvail noRevAvail = new NoRevAvail();
 attributeCertificate.addExtension(noRevAvail);
 // sign attribute certificate
 attributeCertificate.sign(AlgorithmID.sha1WithRSAEncryption, acIssuerKey);
 // DER encode the certificate      
 byte[] enc = attributeCertificate.getEncoded();

The AttributeCertificate(byte[]) and AttributeCertificate(InputStream) constructors may be used for parsing an AttributeCertificate from its DER encoding, e.g.:

 AttributeCertificate attributeCertificate = new AttributeCertificate(enc);
 // verify signature
 try {
   attributeCertificate.verify(acIssuerPublicKey_);
 } catch (SignatureException ex) {
   System.err.println("Signature verification failed: " + ex.getMessage());
   throw ex;
 }
 // check any included attributes (e.g. Role):
 Attribute roleAttribute = attributeCertificate.getAttribute(Role.oid);
 if (roleAttribute != null) {
   // in our example we know that we have a single-valued Role attribute only
   Role role = (Role)roleAttribute.getAttributeValue();
   // get role name
   GeneralName roleName = role.getRoleName();
   System.out.println("Role name: " + roleName);
 } 
 ...
 // check any included extension (e.g. No Revocation Info Available):
 NoRevAvail noRevAvail = (NoRevAvail)attributeCertificate.getExtension(NoRevAvail.oid);
 if (noRevAvail != null) { 
   System.out.println("No revocation information available for this attribute certificate.");
 }

The Internet Attribute Certificate Profile for Authorization ( RFC 5755) only specified attribute certificate with version number v2 (1). However, this class is also able to parse v1 (0) attribute certificates according to the ITU X.509-1997 specification.

Version:: File Revision 40
See Also:: X509Extensions, V3Extension, UnknownExtension, Holder, AttCertIssuer, AttributeCertificateExtensions, AccessIdentity, ChargingIdentity, Clearance, Group, Role, ServiceAuthenticationInfo, AuditIdentity, TargetInformation, ProxyInfo, NoRevAvail, BasicAttConstraints, BasicAttConstraints, AcceptableCertPolicies, Serialized Form

Nested Class Summary
- Nested classes/interfaces inherited from class java.security.cert.Certificate
  java.security.cert.Certificate.CertificateRep

Constructor Summary

Constructors
Constructor and Description
`AttributeCertificate()` Default constructor for creating a new empty attribute certificate.
`AttributeCertificate(byte[] array)` Creates an AttributeCertificate form a PEM or DER byte array.
`AttributeCertificate(java.io.InputStream is)` Creates an AttributeCertificate from an input stream.

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`addAttribute(Attribute attribute)` Adds one Attribute to this attribute certificate.
`void`	`addExtension(V3Extension e)` Adds the given X509v3 extension.
`void`	`checkValidity()` Checks if this attribute certificate currently is valid.
`void`	`checkValidity(java.util.Date date)` Checks if this attribute certificate would be valid at the given date value.
`int`	`countExtensions()` Returns the number of extensions included into this certificate.
`void`	`decode(ASN1Object obj)` Creates an AttributeCertificate from an ASN1Object.
`void`	`decode(java.io.InputStream is)` Decodes an AttributeCertificate from an input stream.
`byte[]`	`getAcInfo()` Returns the DER encoded `AttributeCertificateInfo` ASN.1 data structure of this attribute certificate.
`Attribute`	`getAttribute(ObjectID type)` Gets all the Attributes matching to a specific type (object identifier).
`java.util.Enumeration`	`getAttributes()` Gets the Attributes of this CertificateRequest.
`java.util.Set`	`getCriticalExtensionOIDs()` Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this attribute certificate.
`byte[]`	`getEncoded()` Returns this attribute certificate as DER encoded ASN.1 data structure
`V3Extension`	`getExtension(ObjectID oid)` Returns a specific extension, identified by its object identifier.
`byte[]`	`getExtensionValue(java.lang.String oid)` Returns a byte array representing the DER encoding of the `extnValue` OCTET STRING field of the extension identified by the given OID string.
`byte[]`	`getFingerprint()` Returns the fingerprint of this certificate.
`byte[]`	`getFingerprint(java.lang.String digestAlgorithm)` Returns the fingerprint of this certificate calculated with the given hash algorithm.
`byte[]`	`getFingerprintSHA()` Get the SHA fingerprint of this attribute certificate.
`Holder`	`getHolder()` Returns the Holder of this attribute certificate.
`AttCertIssuer`	`getIssuer()` Returns the Issuer of this attribute certificate.
`boolean[]`	`getIssuerUniqueID()` Returns the issuer unique identifier of this certificate, or `null` if no `IssuerUniqueID` is specified by this certificate.
`java.util.Set`	`getNonCriticalExtensionOIDs()` Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this attribute certificate.
`java.util.Date`	`getNotAfterTime()` Returns the `notAfterTime` value of this certificate.
`java.util.Date`	`getNotBeforeTime()` Returns the `notBeforeTime` value of this certificate.
`java.security.PublicKey`	`getPublicKey()` Returns `null`!!!!
`byte[]`	`getRawExtensionValue(java.lang.String oid)` Returns a byte array representing the DER encoding of the extension value identified by the given OID string.
`java.math.BigInteger`	`getSerialNumber()` Returns the serial number of this certificate as `BigInteger`.
`java.lang.String`	`getSigAlgName()` Returns the (JCA standard) name of the signature algorithm used by the issuer for signing this certificate.
`java.lang.String`	`getSigAlgOID()` Returns the OID of the signature algorithm used by the issuer for signing this certificate.
`byte[]`	`getSigAlgParams()` Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this certificate.
`byte[]`	`getSignature()` Returns the signature value of this certificate.
`AlgorithmID`	`getSignatureAlgorithm()` Returns the signature algorithm of this certificate.
`int`	`getVersion()` Returns the version number of this certificate as `int`.
`boolean`	`hasExtensions()` Checks, if there are any extensions included into this certificate.
`boolean`	`hasUnsupportedCriticalExtension()` Returns true if there are unsupported critical extensions.
`boolean`	`isTargetFor(java.lang.Object server)` Checks if the given server/service is a valid target for this attribute certificate.
`java.util.Enumeration`	`listExtensions()` Returns an enumeration of all extensions included in this attribute certificate.
`static void`	`registerStandardAttributeImplementations()` Registers the IAIK-JCE implementing classes of the standard attributes specified in RFC5755 to make them available for use with AttributeCertificates.
`void`	`removeAllAttributes()` Removes all attributes included.
`void`	`removeAllExtensions()` Removes all extensions from this attribute certificate.
`Attribute`	`removeAttribute(ObjectID type)` Removes the attribute of the given type, if present.
`boolean`	`removeExtension(ObjectID oid)` Removes the extension specified by its object identifier.
`void`	`setAttributes(Attribute[] attributes)` Sets the Attributes of this Attribute certificate.
`void`	`setHolder(Holder holder)` Sets the Holder of this attribute certificate.
`void`	`setIssuer(AttCertIssuer issuer)` Sets the issuer of this attribute certificate.
`void`	`setIssuerUniqueID(boolean[] id)` Sets the issuer unique ID for this certificate.
`void`	`setNotAfterTime(java.util.Date validNotAfter)` Sets the `notAfterTime` value of this certificate.
`void`	`setNotBeforeTime(java.util.Date validNotBefore)` Sets the `notBeforeTime` value of this atttribute certificate.
`void`	`setSerialNumber(java.math.BigInteger serialNumber)` Sets the serial number of this certificate.
`void`	`setSignature(byte[] signatureValue)` Sets the signature value of this attribute certificate.
`void`	`setSignatureAlgorithm(AlgorithmID signatureAlg)` Sets the signature algorithm to be used for signing.
`void`	`sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK)` Signs the attribute certificate with the private key of the issuer.
`void`	`sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.security.spec.AlgorithmParameterSpec signatureParams, java.security.Provider provider)` Signs the attribute certificate with the private key of the issuer.# This method uses a `Signature` engine from the given provider for signing the certificate.
`void`	`sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.security.spec.AlgorithmParameterSpec signatureParams, java.lang.String providerName)` Signs the attribute certificate with the private key of the issuer.
`void`	`sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.security.Provider provider)` Signs the attribute certificate with the private key of the issuer.# This method uses a `Signature` engine from the given provider for signing the certificate.
`void`	`sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.lang.String providerName)` Signs the attribute certificate with the private key of the issuer.
`ASN1Object`	`toASN1Object()` Returns this attribute certificate as an ASN1Object.
`byte[]`	`toByteArray()` Returns this attribute certificate as DER encoded ASN.1 data structure.
`java.lang.String`	`toString()` Returns a string that represents the contents of the certificate.
`java.lang.String`	`toString(boolean detailed)` Returns a string that represents the contents of the certificate.
`void`	`verify(java.security.interfaces.DSAPublicKey key, java.security.spec.DSAParameterSpec dsaParams)` Uses the given public DSA key and DSA parameters to verify this certificate.
`void`	`verify(java.security.PublicKey key)` Verifies a certificate using the given public key.
`void`	`verify(java.security.PublicKey key, java.security.spec.AlgorithmParameterSpec params)` Uses the given public key and parameters to verify this certificate.
`void`	`verify(java.security.PublicKey key, java.security.spec.AlgorithmParameterSpec params, java.security.Provider provider)` Uses the given public key and parameters to verify this certificate based on a signature algorithm supplied by the specified provider.
`void`	`verify(java.security.PublicKey key, java.security.spec.AlgorithmParameterSpec params, java.lang.String providerName)` Uses the given public key and parameters to verify this certificate based on a signature algorithm supplied by the specified provider.
`void`	`verify(java.security.PublicKey key, java.security.spec.AlgorithmParameterSpec params, java.lang.String providerName, java.security.Provider provider)` Uses the given public key to verify a certificate based on a signature algorithm supplied by the specified provider.
`void`	`verify(java.security.PublicKey key, java.security.Provider provider)` Uses the given public key to verify a certificate based on a signature algorithm supplied by the specified provider.
`void`	`verify(java.security.PublicKey key, java.lang.String providerName)` Uses the given public key to verify a certificate based on a signature algorithm supplied by the specified provider.
`void`	`writeTo(java.io.OutputStream os)` Writes this attribute certificate DER encoded to the given output stream.

Methods inherited from class java.security.cert.Certificate
equals, getType, hashCode, writeReplace

Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait

- Constructor Detail
  - AttributeCertificate
```
public AttributeCertificate()
```
    Default constructor for creating a new empty attribute certificate.
    Any value may be set using the corresponding set<Value> method. According to the Internet Attribute Certificate Profile for Authorization presented in RFC 5755) the version number is set to 2 indicating a Version 2 attribute certificate. Note that this is not the default version number (1).
  - AttributeCertificate
```
public AttributeCertificate(java.io.InputStream is)
                     throws java.io.IOException,
                            java.security.cert.CertificateException
```
    Creates an AttributeCertificate from an input stream.
    The supplied attribute certificate can be in PEM or DER format. This constructor reads and decodes an AttributeCertificate that may have been previously written (encoded) by calling method writeTo(OutputStream).
    For instance:
```
 InputStream fis = new FileInputStream("cert.der");
 AttributeCertificate cert = new AttributeCertificate(fis);
 fis.close();
 
```
    Parameters:
    
    is - InputStream from which to create the certificate
    
    Throws:
    
    java.io.IOException - if the certificate cannot not be read
    
    java.security.cert.CertificateException - if the certificate cannot be parsed
  - AttributeCertificate
```
public AttributeCertificate(byte[] array)
                     throws java.security.cert.CertificateException
```
    Creates an AttributeCertificate form a PEM or DER byte array.
    This constructor may be used for parsing an already existing AttributeCertifcate ASN.1 object, supplied as DER encoded byte array, which may have been created by calling the toByteArray or the getEncoded method.
    
    Parameters:
    
    array - the byte array containing the DER encoded certificate
    
    Throws:
    
    java.security.cert.CertificateException - if the format of the cert is wrong
- Method Detail
  - registerStandardAttributeImplementations
```
public static void registerStandardAttributeImplementations()
```
    Registers the IAIK-JCE implementing classes of the standard attributes specified in RFC5755 to make them available for use with AttributeCertificates. The following attribute implementations are registered:
    An application must not explicitly call this method for using the attribute implementation listed above with this AttributeCertificate class; the registration is done automatically.
    However, if an application wants to use any of the attribute implementations outside the scope of Attribute certificates (e.g. within a SubjectDirectoryAttributes public key certificate extension), but has not used this AttributeCertificate class so far, it may explicitly call this method to register the default attribute implementations.
  - decode
```
public void decode(ASN1Object obj)
            throws CodingException
```
    Creates an AttributeCertificate from an ASN1Object.
    The given ASN1Object represents an already existing AttributeCertificate which may have been created by calling the toASN1Object method.
    
    Specified by:
    
    decode in interface ASN1Type
    
    Parameters:
    
    obj - the attribute certificate as ASN1Object
    
    Throws:
    
    CodingException - if there is a problem when parsing the certificate
  - decode
```
public void decode(java.io.InputStream is)
            throws java.io.IOException,
                   java.security.cert.CertificateException
```
    Decodes an AttributeCertificate from an input stream. The given InputStream supplies the certificate in DER or PEM encoded format. This method internally is called when creating an AttributeCertificate from an InputStream.
    
    Parameters:
    
    is - the InputStream from where the encoded certificate shall be read
    
    Throws:
    
    java.io.IOException - if an I/O error occurs
    
    java.security.cert.CertificateException - if the certificate cannot be parsed
  - sign
```
public void sign(AlgorithmID signatureAlg,
                 java.security.PrivateKey issuerPK)
          throws java.security.cert.CertificateException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException
```
    Signs the attribute certificate with the private key of the issuer.
    
    Parameters:
    
    signatureAlg - the AlgorithmID of the signature algorithm
    
    issuerPK - the private key of the issuer
    
    Throws:
    
    java.security.cert.CertificateException - if the certificate could not be signed
    
    java.security.InvalidKeyException - if the format of the key is wrong
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm
  - sign
```
public void sign(AlgorithmID signatureAlg,
                 java.security.PrivateKey issuerPK,
                 java.lang.String providerName)
          throws java.security.cert.CertificateException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException
```
    Signs the attribute certificate with the private key of the issuer.
    
    Parameters:
    
    signatureAlg - the AlgorithmID of the signature algorithm
    
    issuerPK - the private key of the issuer
    
    providerName - the name of the provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm
    
    Throws:
    
    java.security.cert.CertificateException - if the certificate could not be signed
    
    java.security.InvalidKeyException - if the format of the key is wrong
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm
  - sign
```
public void sign(AlgorithmID signatureAlg,
                 java.security.PrivateKey issuerPK,
                 java.security.spec.AlgorithmParameterSpec signatureParams,
                 java.lang.String providerName)
          throws java.security.cert.CertificateException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException,
                 java.security.InvalidAlgorithmParameterException
```
    Signs the attribute certificate with the private key of the issuer.
    
    Parameters:
    
    signatureAlg - the AlgorithmID of the signature algorithm
    
    issuerPK - the private key of the issuer
    
    signatureParams - any signature parameters to -- if not null -- be used for initializing the Signature engine; if applicable the parameters are also set for the signatureAlg AlgorithmID (if it does not contain any parameters yet)
    
    providerName - the name of the provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm
    
    Throws:
    
    java.security.cert.CertificateException - if the certificate could not be signed
    
    java.security.InvalidKeyException - if the format of the key is wrong
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm
    
    java.security.InvalidAlgorithmParameterException - if an error occurs when trying to set the signature parameters
  - sign
```
public void sign(AlgorithmID signatureAlg,
                 java.security.PrivateKey issuerPK,
                 java.security.Provider provider)
          throws java.security.cert.CertificateException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException
```
    Signs the attribute certificate with the private key of the issuer.#
    This method uses a Signature engine from the given provider for signing the certificate.
    If Provider object based JCA/JCE Signature engine instantiation is not available the Java VM in use (<1.4), this method tries to get an implementation based on the provider name (if the Provider is installed within the Security Provider framework). I.e. if method Signature.getInstance(algorithm,provider) is not available method Signature.getInstance(algorithm,provider.getName()) is tried.
    
    Parameters:
    
    signatureAlg - the AlgorithmID of the signature algorithm
    
    issuerPK - the private key of the issuer
    
    provider - the provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm
    
    Throws:
    
    java.security.cert.CertificateException - if the certificate could not be signed
    
    java.security.InvalidKeyException - if the format of the key is wrong
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm
  - sign
```
public void sign(AlgorithmID signatureAlg,
                 java.security.PrivateKey issuerPK,
                 java.security.spec.AlgorithmParameterSpec signatureParams,
                 java.security.Provider provider)
          throws java.security.cert.CertificateException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException,
                 java.security.InvalidAlgorithmParameterException
```
    Signs the attribute certificate with the private key of the issuer.#
    This method uses a Signature engine from the given provider for signing the certificate.
    If Provider object based JCA/JCE Signature engine instantiation is not available the Java VM in use (<1.4), this method tries to get an implementation based on the provider name (if the Provider is installed within the Security Provider framework). I.e. if method Signature.getInstance(algorithm,provider) is not available method Signature.getInstance(algorithm,provider.getName()) is tried.
    
    Parameters:
    
    signatureAlg - the AlgorithmID of the signature algorithm
    
    issuerPK - the private key of the issuer
    
    signatureParams - any signature parameters to -- if not null -- be used for initializing the Signature engine; if applicable the parameters are also set for the signatureAlg AlgorithmID (if it does not contain any parameters yet)
    
    provider - the provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm
    
    Throws:
    
    java.security.cert.CertificateException - if the certificate could not be signed
    
    java.security.InvalidKeyException - if the format of the key is wrong
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm
    
    java.security.InvalidAlgorithmParameterException - if an error occurs when trying to set the signature parameters
  - setSignature
```
public void setSignature(byte[] signatureValue)
                  throws java.security.cert.CertificateException
```
    Sets the signature value of this attribute certificate.
    This method provides an alternative to method sign when it is required to set the signature value from outside (e.g. calculated by means of a smartcard):
```
 AttributeCertificate cert = ...;
 ...
 // set issuer, holder, attributes, ...
 ...
 // set the signature algorithm to be used for signing
 cert.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption);
 // get the to-be-signed value
 byte[] acInfo = cert.getAcInfo();
 // now calculate the signature over the attribute certificate info
 byte[] signatureValue = calculateSignature(acInfo);
 // and set the signatureValue
 cert.setSignature(signatureValue);
 // encode the certificate
 byte[] encodedCert = cert.getEncoded();
 
```
    Parameters:
    
    signatureValue - the signature calculated outside
    
    Throws:
    
    java.security.cert.CertificateException - if the certificate could not be signed
  - checkValidity
```
public void checkValidity(java.util.Date date)
                   throws java.security.cert.CertificateExpiredException,
                          java.security.cert.CertificateNotYetValidException
```
    Checks if this attribute certificate would be valid at the given date value.
    Attribute certificates have a limited period of validity prescribed by the notBeforeTime and notAfterTime values. This method just checks if the given date/time value lies between notBeforeTime and notAfterTime and throws an exception if this does not come true.
    
    Throws:
    
    java.security.cert.CertificateExpiredException - if the certificate alreay has expired or the notAfterTime value yet has not been set
    
    java.security.cert.CertificateNotYetValidException - if the certificate yet is not valid or the notBeforeTime value yet has not been set
    
    See Also:
    
    checkValidity(java.util.Date)
  - checkValidity
```
public void checkValidity()
                   throws java.security.cert.CertificateExpiredException,
                          java.security.cert.CertificateNotYetValidException
```
    Checks if this attribute certificate currently is valid. Certificates have a limited period of validity prescribed by the notBeforeTime and notAfterTime values:
```
 AttCertValidityPeriod ::= SEQUENCE {
    notBeforeTime      GeneralizedTime,
    notAfterTime       GeneralizedTime }
 
```
    The notBeforeTime and notAfterTime time values can be set by using the setNotBeforeTime and setNotAfterTime methods.
    This checkValidity method only calls checkValidity(Date) with the current date to check if it lies between the two time values specified by notBeforeTime and notAfterTime.
    Throws:
    
    java.security.cert.CertificateExpiredException - if the certificate already has expired
    
    java.security.cert.CertificateNotYetValidException - if the certificate is yet not valid
    
    See Also:
    
    GeneralizedTime
  - getEncoded
```
public byte[] getEncoded()
                  throws java.security.cert.CertificateEncodingException
```
    Returns this attribute certificate as DER encoded ASN.1 data structure
    
    Specified by:
    
    getEncoded in class java.security.cert.Certificate
    
    Returns:
    
    a byte array holding the DER encoded attribute certificate ASN.1 data structure
    
    Throws:
    
    java.security.cert.CertificateEncodingException - if the certificate cannot be encoded correctly
  - getVersion
```
public int getVersion()
```
    Returns the version number of this certificate as int. The version number may specify a v1 or v2 attribute certificate.
    ASN.1 definition:
    AttCertVersion ::= INTEGER { v1(0), v2(1) }
    Returns:
    
    version number of the certificate as int, 1 for a v1 cert, 2 for a v2 cert
  - getSerialNumber
```
public java.math.BigInteger getSerialNumber()
```
    Returns the serial number of this certificate as BigInteger. Attribute certificates are labeled with positive serial numbers by the issuing certification authority for unequivocally identifying them:
    ASN.1 definition:
    CertificateSerialNumber ::= INTEGER
    Returns:
    
    the serial number of this certificate as BigInteger
  - getIssuer
```
public AttCertIssuer getIssuer()
```
    Returns the Issuer of this attribute certificate.
    The issuer of an attribute certificate either may be represented as V1Form or as V2Form:
```
 AttCertIssuer ::= CHOICE {
   v1Form   GeneralNames,  -- MUST NOT be used in this
                           -- profile
   v2Form   [0] V2Form     -- v2 only
 }
 
```
    Attribute certificates conforming to the Internet Attribute Certificate Profile for Authorization presented in RFC 5755 are not allowed to use the V1Form choice for representing the issuer, they should use the V2Form :
```
 V2Form ::= SEQUENCE {
   issuerName            GeneralNames  OPTIONAL,
   baseCertificateID     [0] IssuerSerial  OPTIONAL,
   objectDigestInfo      [1] ObjectDigestInfo  OPTIONAL
           -- issuerName MUST be present in this profile
           -- baseCertificateID and objectDigestInfo MUST NOT
 
 ACs conforming to this profile MUST use the v2Form choice, which MUST
 contain one and only one GeneralName in the issuerName, which MUST
 contain a non-empty distinguished name in the directoryName field.
 This means that all AC issuers MUST have non-empty distinguished
 names.  ACs conforming to this profile MUST omit the
 baseCertificateID and objectDigestInfo fields.
 
 Part of the reason for the use of the v2Form containing only an
 issuerName is that it means that the AC issuer does not have to know
 which PKC the AC verifier will use for it (the AC issuer).  Using the
 baseCertificateID field to reference the AC issuer would mean that
 the AC verifier would have to trust the PKC that the AC issuer chose
 (for itself) at AC creation time.
 
```
    Use class Name for creating a V2Form attCertIssuer holding a directoryName to be set as the issuer of an AttributeCertificate:
```
 Name issuerName = ...;
 V2Form v2Form = new V2Form(issuerName);
 attributeCertificate.setIssuer(v2Form);
 
```
    Returns:
    
    the issuer of this certificate
    
    See Also:
    
    AttCertIssuer, V1Form, V2Form
  - getHolder
```
public Holder getHolder()
```
    Returns the Holder of this attribute certificate.
    The Attribute certificates conforming to the Internet Attribute Certificate Profile for Authorization presented in RFC 5755 specifies the Holder type for identifying the entity to which the AttributeCertificate belongs:
```
 Holder ::= SEQUENCE {
   baseCertificateID   [0] IssuerSerial OPTIONAL,
                       -- the issuer and serial number of
                       -- the holder's Public Key Certificate
   entityName          [1] GeneralNames OPTIONAL,
                       -- the name of the claimant or role
   objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
                       -- used to directly authenticate the holder,
                       -- for example, an executable
 }
 
```
    For any environment where the AC is passed in an authenticated message or session and where the authentication is based on the use of an X.509 public key certificate, the holder should be identified by means of a baseCertificateID pointing to the right X.509 public key certificate by issuer name and issuer-specific serial number, e.g.:
```
 X509Certificate baseCert = ...;
 IssuerSerial baseCertificateID = new IssuerSerial(baseCert);
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCertificateID);
 attributeCertificate.setHolder(holder);
 
```
    If the holder field uses the entityName option and the underlying authentication is based on a PKC, then the entityName MUST be the same as the PKC subject field or one of the values of the PKC subjectAltName field extension (if present), e.g.:
```
 X509Certificate cert = ...;
 Name subject = (Name)cert.getSubjectDN();
 GeneralName subjectName = new GeneralName(GeneralName.directoryName, subject);
 GeneralNames entityName = new GeneralNames(subjectName);
 Holder holder = new Holder();
 holder.setEntityName(entityName);
 attributeCertificate.setHolder(holder);
 
```
    The ObjectDigestInfo component may be used for linking the AC to an object by placing a hash of that object into the holder field of the AC. For example, this allows production of ACs that are linked to public keys rather than names (see RFC 5755 for more information):
```
 // the public key to which to link the AC:
 PublicKey publicKey = ...;
 // the digest algorithm to use
 AlgorithmID digestAlgorithm = ...;
 ObjectDigestInfo odi = new ObjectDigestInfo(publicKey, digestAlgorithm);
 Holder holder = new Holder();
 holder.setObjectDigestInfo(odi);
 attributeCertificate.setHolder(holder);
 
```
    Returns:
    
    the holder of this attribute certificate
    
    See Also:
    
    Holder, IssuerSerial, ObjectDigestInfo, GeneralNames
  - getPublicKey
```
public java.security.PublicKey getPublicKey()
```
    Returns null!!!!
    Attention!!! This method anytime returns null since an Attribute Certificate does not contain a public key. This method only is included because inherited from java.security.cert.Certificate which is the highest JCA "certificate level" and extended by this class to incorporate attribute certificates into the JCA certificate management.
    
    Specified by:
    
    getPublicKey in class java.security.cert.Certificate
    
    Returns:
    
    null
  - getNotBeforeTime
```
public java.util.Date getNotBeforeTime()
```
    Returns the notBeforeTime value of this certificate.
    The notBeforeTime value denotes the date on which the certificate becomes valid and can be set using the setNotBeforeTime method.
    
    Returns:
    
    the date on which this certificate becomes valid, or null if the notBefore date has yet not been set
    
    See Also:
    
    checkValidity(java.util.Date)
  - getNotAfterTime
```
public java.util.Date getNotAfterTime()
```
    Returns the notAfterTime value of this certificate.
    The notAfterTime value denotes the date on which the certificate's validity expires. The notAfterTime date can be set using the setNotAfterTime method.
    
    Returns:
    
    the date on which the certificate's validity expires, or null if the notAfter date has yet not been set
    
    See Also:
    
    checkValidity(java.util.Date)
  - getAcInfo
```
public byte[] getAcInfo()
                 throws java.security.cert.CertificateEncodingException
```
    Returns the DER encoded AttributeCertificateInfo ASN.1 data structure of this attribute certificate.
```
 AttributeCertificateInfo ::= SEQUENCE {
    version              AttCertVersion DEFAULT v1,
    holder               Holder,
    issuer               AttCertIssuer,
    signature            AlgorithmIdentifier,
    serialNumber         CertificateSerialNumber,
    attrCertValidityPeriod   AttCertValidityPeriod,
    attributes           SEQUENCE OF Attribute,
    issuerUniqueID       UniqueIdentifier OPTIONAL,
    extensions           Extensions OPTIONAL
 }
 
```
    Returns:
    
    the inherent AttributeCertificateInfo as DER encoded ASN.1 structure
    
    Throws:
    
    java.security.cert.CertificateEncodingException - if an encoding error occurs
  - setSignatureAlgorithm
```
public void setSignatureAlgorithm(AlgorithmID signatureAlg)
```
    Sets the signature algorithm to be used for signing. This method only provides a way for setting the signature algorithm if an application wants to call getAcInfo before signing the cert. When using this feature an application itself is responsible to ensure that the signature algorithm specified by this method is equal to that supplied to the sign(AlgorithmID, PrivateKey) method when finally signing the certificate.
    
    Parameters:
    
    signatureAlg - the signature algorithm to be used for signing
  - getSignature
```
public byte[] getSignature()
```
    Returns the signature value of this certificate. The signature is defined as an ASN.1 BIT STRING structure. This method returns the inherent signature value as byte array.
    
    Returns:
    
    the signature value as byte array
  - getSigAlgName
```
public java.lang.String getSigAlgName()
```
    Returns the (JCA standard) name of the signature algorithm used by the issuer for signing this certificate.
    For the RSA-PSS signature algorithm the JCA standard name is derived from the algorithm id parameters. Since there is only one AlgorithmID specified for RSA-PSS, hash algorithm and mask generation function are given by the algorithm id parameters. The JCA uses the <digest>with<RSA>and<mgf> naming scheme for RSA-PSS where <digest> and <mgf> have to be got from the algorithm id parameters. Thus the JCA standard name for, e.g., a RSA-PSS algorithm id using SHA-256 as hash algorithm and MGF1 as mask generation function is "SHA256withRSAandMGF1". If the parameters cannot be parsed, "RSASSA-PSS" is returned as (general) signature algorithm name.
    
    Returns:
    
    the name of the signature algorithm, e.g. "sha1WithRSAEncryption", or null if the signature algorithm yet has not been set
  - getSigAlgOID
```
public java.lang.String getSigAlgOID()
```
    Returns the OID of the signature algorithm used by the issuer for signing this certificate. An object identifier consists of a sequence of integer components and is used for identifying, e.g. the signature algorithm used for this certificate. This method returns the OID in String representation, e.g. "1.2.840.113549.1.1.4"
    
    Returns:
    
    the OID of the signature algorithm as String representation, or null if the signature algorithm yet has not been set
    
    See Also:
    
    ObjectID, AlgorithmID
  - getSigAlgParams
```
public byte[] getSigAlgParams()
```
    Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this certificate. The parameters are returned as DER encoded ASN.1 data structure.
    
    Returns:
    
    the signature algorithm parameters as DER encoded ASN.1 data structure, or null if there are no parameters used or the signature algorithm yet has been not set
  - getIssuerUniqueID
```
public boolean[] getIssuerUniqueID()
```
    Returns the issuer unique identifier of this certificate, or null if no IssuerUniqueID is specified by this certificate.
    An IssuerUniqueID only may be included if the attribute certificate is linked to a public key certificate (PKC) and this PKC contains the issuer unique id. In this case the issuer unique ids of PKC and corresponding AC have to be the same.
    The issuer unique identifier is defined as ASN.1 BIT STRING structure:
```
 UniqueIdentifier  ::=  BIT STRING
 
```
    This method scans the issuer unique identifier and returns it as an array of boolean values.
    Returns:
    
    the IssuerUniqueID of this certificate as array of booleans, or null if no issuer unique identifier is specified
  - verify
```
public void verify(java.security.PublicKey key,
                   java.lang.String providerName)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException
```
    Uses the given public key to verify a certificate based on a signature algorithm supplied by the specified provider.
    
    Specified by:
    
    verify in class java.security.cert.Certificate
    
    Parameters:
    
    key - the public key (of the issuer) to verify the cert
    
    providerName - the name of the provider supplying the signature algorithm; if null the first available provider will be used the supports the signature algorithm
    
    Throws:
    
    java.security.cert.CertificateException - if an encoding error occurs
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert
    
    java.security.InvalidKeyException - if the format of the public key is wrong
    
    java.security.NoSuchProviderException - if there is no such provider
    
    java.security.SignatureException - if the signature does not verify
  - verify
```
public void verify(java.security.PublicKey key,
                   java.security.Provider provider)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.SignatureException
```
    Uses the given public key to verify a certificate based on a signature algorithm supplied by the specified provider.
    This method uses a Signature engine from the given provider for verifying the certificate.
    If Provider object based JCA/JCE Signature engine instantiation is not available the Java VM in use (<1.4), this method tries to get an implementation based on the provider name (if the Provider is installed within the Security Provider framework). I.e. if method Signature.getInstance(algorithm,provider) is not available method Signature.getInstance(algorithm,provider.getName()) is tried.
    
    Overrides:
    
    verify in class java.security.cert.Certificate
    
    Parameters:
    
    key - the public key (of the issuer) to verify the cert
    
    provider - the provider supplying the signature algorithm; if null the first available provider will be used the supports the signature algorithm
    
    Throws:
    
    java.security.cert.CertificateException - if an encoding error occurs
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert
    
    java.security.InvalidKeyException - if the format of the public key is wrong
    
    java.security.SignatureException - if the signature does not verify
  - verify
```
public void verify(java.security.PublicKey key,
                   java.security.spec.AlgorithmParameterSpec params,
                   java.lang.String providerName,
                   java.security.Provider provider)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException
```
    Uses the given public key to verify a certificate based on a signature algorithm supplied by the specified provider.
    
    Parameters:
    
    key - the public key (of the issuer) to verify the cert
    
    params - Any parameters that may be required for signature verification, e.g. when verifying a certificate that has been signed with the (EC)DSA algorithm and the public (EC)DSA key used for verification does not contain the (EC)DSA parameters.
    
    providerName - the name of the provider supplying the signature algorithm; maybe null
    
    provider - the provider supplying the signature algorithm; maybe null
    
    Throws:
    
    java.security.cert.CertificateException - if an encoding error occurs
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert
    
    java.security.InvalidKeyException - if the format of the public key is wrong
    
    java.security.NoSuchProviderException - if there is no such provider
    
    java.security.SignatureException - if the signature does not verify
  - verify
```
public void verify(java.security.PublicKey key)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException
```
    Verifies a certificate using the given public key.
    This method only calls verify(PublicKey, String) setting the provider name to null for relying on the default provider signature architecture.
    
    Specified by:
    
    verify in class java.security.cert.Certificate
    
    Parameters:
    
    key - the public key of the issuer
    
    Throws:
    
    java.security.cert.CertificateException - if an encoding error occurs
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert
    
    java.security.InvalidKeyException - if the format of the public key is wrong
    
    java.security.NoSuchProviderException - if there is no default provider
    
    java.security.SignatureException - if the signature does not verify
  - verify
```
public void verify(java.security.interfaces.DSAPublicKey key,
                   java.security.spec.DSAParameterSpec dsaParams)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException
```
    Uses the given public DSA key and DSA parameters to verify this certificate.
    Attention! This method only may be used to verify a certificate that has been signed with the DSA algorithm and the public DSA key now used for verification does not contain the DSA parameters. Additionally this method only can be used with the IAIK provider.
    
    Parameters:
    
    key - the public DSA key (of the issuer) to verify the cert
    
    dsaParams - the DSA parameters provided by other means
    
    Throws:
    
    java.security.cert.CertificateException - if an encoding error occurs
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert
    
    java.security.InvalidKeyException - if the format of the public key is wrong
    
    java.security.NoSuchProviderException - if there is no such provider
    
    java.security.SignatureException - if the signature does not verify
  - verify
```
public void verify(java.security.PublicKey key,
                   java.security.spec.AlgorithmParameterSpec params)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.SignatureException
```
    Uses the given public key and parameters to verify this certificate. This may be especially useful for (EC)DSA key and (EC)DSA parameters or for signature schemes which require parameters, e.g. RSA-PSS.
    This method may be used to verify a certificate that has been signed with the (EC)DSA algorithm and the public (EC)DSA key now used for verification does not contain the (EC)DSA parameters.
    
    Parameters:
    
    key - the public (EC)DSA key (of the issuer) to verify the cert
    
    params - The parameters provided by other means. May be java.security.spec.DSAParameterSpec or iaik.pkcs.pkcs1.RSAPssParameterSpec.
    
    Throws:
    
    java.security.cert.CertificateException - if an encoding error occurs
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert
    
    java.security.InvalidKeyException - if the format of the public key is wrong
    
    java.security.SignatureException - if the signature does not verify
  - verify
```
public void verify(java.security.PublicKey key,
                   java.security.spec.AlgorithmParameterSpec params,
                   java.lang.String providerName)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException
```
    Uses the given public key and parameters to verify this certificate based on a signature algorithm supplied by the specified provider. This may be especially useful for (EC)DSA key and (EC)DSA parameters or for signature schemes which require parameters, e.g. RSA-PSS.
    This method may be used to verify a certificate that has been signed with the (EC)DSA algorithm and the public (EC)DSA key now used for verification does not contain the (EC)DSA parameters.
    
    Parameters:
    
    key - the public (EC)DSA key (of the issuer) to verify the cert
    
    params - The parameters provided by other means. May be, e.g. a java.security.spec.DSAParameterSpec or iaik.pkcs.pkcs1.RSAPssParameterSpec.
    
    providerName - the name of the provider supplying the signature algorithm; if null the first available provider will be used the supports the signature algorithm
    
    Throws:
    
    java.security.cert.CertificateException - if an encoding error occurs
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert
    
    java.security.InvalidKeyException - if the format of the public key is wrong
    
    java.security.NoSuchProviderException - if there is no such provider
    
    java.security.SignatureException - if the signature does not verify
  - verify
```
public void verify(java.security.PublicKey key,
                   java.security.spec.AlgorithmParameterSpec params,
                   java.security.Provider provider)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.SignatureException
```
    Uses the given public key and parameters to verify this certificate based on a signature algorithm supplied by the specified provider. This may be especially useful for (EC)DSA key and (EC)DSA parameters or for signature schemes which require parameters, e.g. RSA-PSS.
    This method may be used to verify a certificate that has been signed with the (EC)DSA algorithm and the public (EC)DSA key now used for verification does not contain the (EC)DSA parameters.
    This method uses a Signature engine from the given provider for verifying the certificate.
    If Provider object based JCA/JCE Signature engine instantiation is not available the Java VM in use (<1.4), this method tries to get an implementation based on the provider name (if the Provider is installed within the Security Provider framework). I.e. if method Signature.getInstance(algorithm,provider) is not available method Signature.getInstance(algorithm,provider.getName()) is tried.
    
    Parameters:
    
    key - the public (EC)DSA key (of the issuer) to verify the cert
    
    params - The parameters provided by other means. May be, e.g. a java.security.spec.DSAParameterSpec or iaik.pkcs.pkcs1.RSAPssParameterSpec.
    
    provider - the provider supplying the signature algorithm; if null the first available provider will be used the supports the signature algorithm
    
    Throws:
    
    java.security.cert.CertificateException - if an encoding error occurs
    
    java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert
    
    java.security.InvalidKeyException - if the format of the public key is wrong
    
    java.security.NoSuchProviderException - if there is no such provider
    
    java.security.SignatureException - if the signature does not verify
  - toASN1Object
```
public ASN1Object toASN1Object()
```
    Returns this attribute certificate as an ASN1Object.
    
    Specified by:
    
    toASN1Object in interface ASN1Type
    
    Returns:
    
    this attribute certificate as ASN1Object
  - toByteArray
```
public byte[] toByteArray()
```
    Returns this attribute certificate as DER encoded ASN.1 data structure.
    
    Returns:
    
    this attribute certificate in a byte array in DER format
  - writeTo
```
public void writeTo(java.io.OutputStream os)
             throws java.io.IOException
```
    Writes this attribute certificate DER encoded to the given output stream.
    
    Parameters:
    
    os - the output stream where the certificate shall be written to
    
    Throws:
    
    java.io.IOException - if an I/O error occurs
  - setSerialNumber
```
public void setSerialNumber(java.math.BigInteger serialNumber)
```
    Sets the serial number of this certificate.
    
    Parameters:
    
    serialNumber - the serial number of the certificate as BigInteger
    
    See Also:
    
    getSerialNumber()
  - setIssuer
```
public void setIssuer(AttCertIssuer issuer)
```
    Sets the issuer of this attribute certificate.
    The issuer of an attribute certificate either may be represented as V1Form or as V2Form:
```
 AttCertIssuer ::= CHOICE {
   v1Form   GeneralNames,  -- MUST NOT be used in this
                           -- profile
   v2Form   [0] V2Form     -- v2 only
 }
 
```
    Attribute certificates conforming to the Internet Attribute Certificate Profile for Authorization presented in RFC 5755 are not allowed to use the V1Form choice for representing the issuer, they should use the V2Form :
```
 V2Form ::= SEQUENCE {
   issuerName            GeneralNames  OPTIONAL,
   baseCertificateID     [0] IssuerSerial  OPTIONAL,
   objectDigestInfo      [1] ObjectDigestInfo  OPTIONAL
           -- issuerName MUST be present in this profile
           -- baseCertificateID and objectDigestInfo MUST NOT
 
 ACs conforming to this profile MUST use the v2Form choice, which MUST
 contain one and only one GeneralName in the issuerName, which MUST
 contain a non-empty distinguished name in the directoryName field.
 This means that all AC issuers MUST have non-empty distinguished
 names.  ACs conforming to this profile MUST omit the
 baseCertificateID and objectDigestInfo fields.
 
 Part of the reason for the use of the v2Form containing only an
 issuerName is that it means that the AC issuer does not have to know
 which PKC the AC verifier will use for it (the AC issuer).  Using the
 baseCertificateID field to reference the AC issuer would mean that
 the AC verifier would have to trust the PKC that the AC issuer chose
 (for itself) at AC creation time.
 
```
    Use class Name for creating a V2Form attCertIssuer holding a directoryName to be set as the issuer of an AttributeCertificate:
```
 Name issuerName = ...;
 V2Form v2Form = new V2Form(issuerName);
 attributeCertificate.setIssuer(v2Form);
 
```
    Parameters:
    
    issuer - the issuer of this attribute certificate
    
    See Also:
    
    getIssuer(), AttCertIssuer, V1Form, V2Form
  - setNotBeforeTime
```
public void setNotBeforeTime(java.util.Date validNotBefore)
```
    Sets the notBeforeTime value of this atttribute certificate.
    For instance:
```
 GregorianCalendar date = (GregorianCalendar) Calendar.getInstance();
 cert.setNotBeforeTime(date.getTime());
 
```
    The certificate is not valid before this Date.
    Parameters:
    
    validNotBefore - Date when cert will become valid
    
    See Also:
    
    getNotBeforeTime()
  - setNotAfterTime
```
public void setNotAfterTime(java.util.Date validNotAfter)
```
    Sets the notAfterTime value of this certificate.
    For instance:
```
 GregorianCalendar date = (GregorianCalendar) Calendar.getInstance();
 date.add(Calendar.MONTH, 6);
 cert.setNotAfterTime(date.getTime());
 
```
    The certificate will expire at this Date.
    Parameters:
    
    validNotAfter - Date on which the certificate will expire
    
    See Also:
    
    getNotAfterTime()
  - setHolder
```
public void setHolder(Holder holder)
```
    Sets the Holder of this attribute certificate.
    The Attribute certificates conforming to the Internet Attribute Certificate Profile for Authorization presented in RFC 5755 specifies the Holder type for identifying the entity to which the AttributeCertificate belongs:
```
 Holder ::= SEQUENCE {
   baseCertificateID   [0] IssuerSerial OPTIONAL,
                       -- the issuer and serial number of
                       -- the holder's Public Key Certificate
   entityName          [1] GeneralNames OPTIONAL,
                       -- the name of the claimant or role
   objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
                       -- used to directly authenticate the holder,
                       -- for example, an executable
 }
 
```
    For any environment where the AC is passed in an authenticated message or session and where the authentication is based on the use of an X.509 public key certificate, the holder should be identified by means of a baseCertificateID pointing to the right X.509 public key certificate by issuer name and issuer-specific serial number, e.g.:
```
 X509Certificate baseCert = ...;
 IssuerSerial baseCertificateID = new IssuerSerial(baseCert);
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCertificateID);
 attributeCertificate.setHolder(holder);
 
```
    If the holder field uses the entityName option and the underlying authentication is based on a PKC, then the entityName MUST be the same as the PKC subject field or one of the values of the PKC subjectAltName field extension (if present), e.g.:
```
 X509Certificate cert = ...;
 Name subject = (Name)cert.getSubjectDN();
 GeneralName subjectName = new GeneralName(GeneralName.directoryName, subject);
 GeneralNames entityName = new GeneralNames(subjectName);
 Holder holder = new Holder();
 holder.setEntityName(entityName);
 attributeCertificate.setHolder(holder);
 
```
    The ObjectDigestInfo component may be used for linking the AC to an object by placing a hash of that object into the holder field of the AC. For example, this allows production of ACs that are linked to public keys rather than names (see RFC 5755 for more information):
```
 // the public key to which to link the AC:
 PublicKey publicKey = ...;
 // the digest algorithm to use
 AlgorithmID digestAlgorithm = ...;
 ObjectDigestInfo odi = new ObjectDigestInfo(publicKey, digestAlgorithm);
 Holder holder = new Holder();
 holder.setObjectDigestInfo(odi);
 attributeCertificate.setHolder(holder);
 
```
    Parameters:
    
    holder - the holder of this attribute certificate
    
    See Also:
    
    Holder, IssuerSerial, ObjectDigestInfo, GeneralNames
  - setIssuerUniqueID
```
public void setIssuerUniqueID(boolean[] id)
```
    Sets the issuer unique ID for this certificate.
    An IssuerUniqueID only may be included if the attribute certificate is linked to a public key certificate (PKC) and this PKC contains the issuer unique id. In this case the issuer unique ids of PKC and corresponding AC have to be the same.
    The issuer unique identifier is defined as ASN.1 BIT STRING structure:
```
 UniqueIdentifier  ::=  BIT STRING
 
```
    Parameters:
    
    id - the unique identifier of the issuer as array of boolean values
    
    See Also:
    
    getIssuerUniqueID()
  - getSignatureAlgorithm
```
public AlgorithmID getSignatureAlgorithm()
```
    Returns the signature algorithm of this certificate.
    
    Returns:
    
    the AlgorithmID of the signature algorithm used for signing this certificate
    
    See Also:
    
    AlgorithmID
  - getFingerprint
```
public byte[] getFingerprint()
```
    Returns the fingerprint of this certificate. This is a MD5 hash of the DER encoded certificate.
    
    Returns:
    
    the fingerprint of the certificate
  - getFingerprint
```
public byte[] getFingerprint(java.lang.String digestAlgorithm)
                      throws java.security.NoSuchAlgorithmException
```
    Returns the fingerprint of this certificate calculated with the given hash algorithm.
    
    Parameters:
    
    digestAlgorithm - the digest algorithm to be used
    
    Returns:
    
    the fingerprint of the certificate
    
    Throws:
    
    java.security.NoSuchAlgorithmException - if the requested algorithm is not supported
  - getFingerprintSHA
```
public byte[] getFingerprintSHA()
```
    Get the SHA fingerprint of this attribute certificate. The result is cached for subsequent calls.
    
    Returns:
    
    the SHA fingerprint
  - toString
```
public java.lang.String toString()
```
    Returns a string that represents the contents of the certificate.
    
    Specified by:
    
    toString in class java.security.cert.Certificate
    
    Returns:
    
    the string representation
  - getCriticalExtensionOIDs
```
public java.util.Set getCriticalExtensionOIDs()
```
    Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this attribute certificate. Extensions can be marked as being critical. If the certificate handling software cannot parse such an extension, the appertaining certificate has to be rejected. Non-Critical extensions can be ignored, if they cannot be handled (i.e. of unknown state).
    
    Specified by:
    
    getCriticalExtensionOIDs in interface java.security.cert.X509Extension
    
    Returns:
    
    a Set (or an empty Set if none are marked critical) of the extension OID strings for extensions that are marked critical. If there are no extensions present at all, then this method returns null
    
    See Also:
    
    getNonCriticalExtensionOIDs()
  - getNonCriticalExtensionOIDs
```
public java.util.Set getNonCriticalExtensionOIDs()
```
    Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this attribute certificate.
    
    Specified by:
    
    getNonCriticalExtensionOIDs in interface java.security.cert.X509Extension
    
    Returns:
    
    a Set (or an empty Set if none are marked non-critical) of the extension OID strings for extensions that are marked non-critical. If there are no extensions present at all, then this method returns null.
    
    See Also:
    
    getCriticalExtensionOIDs()
  - getExtensionValue
```
public byte[] getExtensionValue(java.lang.String oid)
```
    Returns a byte array representing the DER encoding of the extnValue OCTET STRING field of the extension identified by the given OID string.
    The OID string is represented by a set of non-negative integers separated by periods, e.g. "2.5.29.15" for the KeyUsage extension.
    In ASN.1, the Extensions field is defined as a SEQUENCE of Extension:
```
 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 
 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }
 
```
    where critical specifies whether an extension has to be treated as being critical or not; the default value is FALSE. An extension is identified by its object identifier, specified in the extnID field. The extnValue field is an OCTET STRING which contains the DER encoding of the specific extension's ASN.1 representation itself. Only one instance of a particular extension may be present.
    The byte value returned by this method represents the DER encoding of the extnValue (OCTET_STRING) from above, and the value of this OCTET STRING represents the DER encoding of the specific extension's ASN.1 representation itself. If you want to get the DER encoding of the specific extension's ASN.1 representation itself (not wrapped in an OCTET STRING), use method getRawExtensionValue.
    Specified by:
    
    getExtensionValue in interface java.security.cert.X509Extension
    
    Parameters:
    
    oid - the object identifier of the extension to be searched for
    
    Returns:
    
    the DER encoded extnValue OCTET STRING or null if no extension with the specified oid is present
  - getRawExtensionValue
```
public byte[] getRawExtensionValue(java.lang.String oid)
```
    Returns a byte array representing the DER encoding of the extension value identified by the given OID string.
    The OID string is represented by a set of non-negative integers separated by periods, e.g. "2.5.29.15" for the KeyUsage extension.
    In ASN.1, the Extensions field is defined as a SEQUENCE of Extension:
```
 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 
 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }
 
```
    where critical specifies whether an extension has to be treated as being critical or not; the default value is FALSE. An extension is identified by its object identifier, specified in the extnID field. The extnValue field is an OCTET STRING which contains the DER encoding of the specific extension's ASN.1 representation itself. Only one instance of a particular extension may be present in a particular certificate.
    The byte value returned by this method represents the DER encoding of the specific extension's ASN.1 representation itself (i.e. the value of the extnValue OCTET STRING).
    Parameters:
    
    oid - the object identifier of the extension to be searched for
    
    Returns:
    
    the DER encoded ASN.1 representation of the extension or null if no extension with the specified oid is present
  - addExtension
```
public void addExtension(V3Extension e)
                  throws X509ExtensionException
```
    Adds the given X509v3 extension.
    For reading back some extension, use the getExtension(ObjectID) method.
    
    Parameters:
    
    e - the X509v3 extension to add to the list of extensions
    
    Throws:
    
    X509ExtensionException - if an error occurs while DER encoding the extension
    
    See Also:
    
    V3Extension
  - removeExtension
```
public boolean removeExtension(ObjectID oid)
```
    Removes the extension specified by its object identifier.
    
    Parameters:
    
    oid - the object ID of the extension to remove
    
    Returns:
    
    true if the extension has been successfully removed, false otherwise
  - removeAllExtensions
```
public void removeAllExtensions()
```
    Removes all extensions from this attribute certificate.
  - listExtensions
```
public java.util.Enumeration listExtensions()
```
    Returns an enumeration of all extensions included in this attribute certificate.
    The enumeration returned may contain unknown extensions (instances of UnknownExtension if there are any extensions included in this certificate, for which there exists no registered implementation, and it may contain error extensions (instances of ErrorExtension) indicating extensions which cannot be parsed properly because of some kind of error.
    If any extension cannot be parsed properly, an ErrorExtension is created from it and written to the enumeration list returned by this method.
    
    Returns:
    
    an enumeration of the extensions, or null if there are no extensions present at all
  - hasExtensions
```
public boolean hasExtensions()
```
    Checks, if there are any extensions included into this certificate.
    
    Returns:
    
    true if there are extensions, false if not
  - hasUnsupportedCriticalExtension
```
public boolean hasUnsupportedCriticalExtension()
```
    Returns true if there are unsupported critical extensions.
    
    Specified by:
    
    hasUnsupportedCriticalExtension in interface java.security.cert.X509Extension
    
    Returns:
    
    true, if there are unsupported critical extensions
  - countExtensions
```
public int countExtensions()
```
    Returns the number of extensions included into this certificate.
    
    Returns:
    
    the number of extensions
  - getExtension
```
public V3Extension getExtension(ObjectID oid)
                         throws X509ExtensionInitException
```
    Returns a specific extension, identified by its object identifier.
    If the extension cannot be initialized for some reason, an X509ExtensionInitException is thrown. If the requested extension is an unknown extension, which is not supported by a registered implementation, this method creates and returns an UnknownExtension which may be queried for obtaining as much information as possible about the unknown extension.
    
    Parameters:
    
    oid - the object ID of the extension
    
    Returns:
    
    the desired extension or null if the requested extension is not present
    
    Throws:
    
    X509ExtensionInitException - if the extension can not be initialized
  - addAttribute
```
public void addAttribute(Attribute attribute)
```
    Adds one Attribute to this attribute certificate.
    Since only one attribute per attribute type is allowed to be included in an attribute certificate this method replaces an already included attribute of same type with the given attribute.
    Note that the attributes have to be set before the certificate is signed with the issuer's private key!
    
    Parameters:
    
    attribute - the Attribute to add
  - setAttributes
```
public void setAttributes(Attribute[] attributes)
```
    Sets the Attributes of this Attribute certificate. The given attributes have to be an array of iaik.asn1.structures.Attribute objects.
    Note that the attributes have to be set before the certificate is signed with the issuer's private key!
    
    Parameters:
    
    attributes - the Attributes to set
  - removeAllAttributes
```
public void removeAllAttributes()
```
    Removes all attributes included.
  - removeAttribute
```
public Attribute removeAttribute(ObjectID type)
```
    Removes the attribute of the given type, if present.
    
    Parameters:
    
    type - the type OID identifying the attribute in mind
    
    Returns:
    
    the attribute removed or null if no attribute has been removed because no attribute with the given type is present
  - getAttributes
```
public java.util.Enumeration getAttributes()
```
    Gets the Attributes of this CertificateRequest. If no Attributes are included, null is returned. Otherwise the attributes are returned as an array of iaik.asn1.structures.Attribute objects:
```
 Attribute[] attributes = request.getAttributes();
 if (attributes != null) {
   for (int i = 0; i < attributes.length; i++) {
     Attribute attr = attributes[i];
     System.out.println(attr.getType());
     ASN1Object[] asn1Obj = attr.getValue();
     for (int j = 0; j < asn1Obj.length; j++) {
       System.out.println(asn1Obj[j].toString());
     }
   }
 }
 
```
    Returns:
    
    the attributes included in this attribute certificate as Enumeration of Attribute; the Enumeration maybe empty if there are no attributes included
  - getAttribute
```
public Attribute getAttribute(ObjectID type)
```
    Gets all the Attributes matching to a specific type (object identifier). If no Attributes of given type are included, null is returned. Otherwise the matching attributes are returned as an array of iaik.asn1.structures.Attribute objects. The following sample queries if the challangePassword attribute is included:
```
 Attribute[] attributes = request.getAttributes(ObjectID.challengePassword);
 if (attributes != null) {
   // expected only one:
   Attribute attr = attributes[0];
   System.out.println(attr.getType());
   ASN1Object[] asn1Obj = attr.getValue();
   // again, only one expected:
   System.out.println(asn1Obj[0].getValue());
 }
 
```
    Returns:
    
    all the attributes of given type as array of iaik.asn1.structures.Attribute, or null if there are no attributes of the given type included
  - isTargetFor
```
public boolean isTargetFor(java.lang.Object server)
                    throws TargetException
```
    Checks if the given server/service is a valid target for this attribute certificate.
    Based on the presence of the TargetInformation extension a server/service may decide whether to accept the attribute certificate or not. If no TargetInformation is present the attribute certificate is not targeted and may be accepted by any server/service. If a TargetInformation is present the included Target elements have to be checked to see if the current server "matches" the target condition: the server can accept the attribute certificate if the server is one of the included targetName elements, or if it is a member of one of the included targetGroup elements. How group membership may be verified, may depend on application specific settings. For instance, if a targetGroup specifies a DNS domain the AC verifier will have to know the DNS domain to which it belongs. Or, for instance, if a targetGroup specified "PRINTERS" the AC verifier must know if it is a, e.g., printer or print server (see RFC 5755).
    This method returns true if this attribute does not contain a TargetInformation extension. If this attribute certificate contains a TargetInformation extension the Target elements included in the TargetInformation extension are searched. In this case this method returns true if it detects a Target element that denotes the given server/service as a valid target. It returns also true if the TargetInformation extension does not contain any Target elements at all (in which case this attribute certificate is not specially targeted and can be accepted by any server). It returns false if none of the included Target elements denotes the server/service as valid target. It throws a TargetException if it cannot find a Target element that accepts the server/service as valid Target but some of the Target elements cannot handle the server/service and thus cannot provide a reliable information.
    The targeting check is controlled by the TargetChecker. For each single Target element included in this TargetInformation extension, the default TargetChecker implementation performs the following checks (in this order):
    1. If the server is given as Target object and is equal to the AC Target element, the check returns true.
    2. If the AC Target element represents a TargetName or TargetGroup and the server is given as GeneralName, the check returns true if the GeneralName of the AC Target is equal to the server GeneralName.
    3. If 1. and 2. have returned false and the AC Target is a TargetGroup containing a GeneralName of type dNSName the server maybe given as TargetGroup or GeneralName. In this case the server GeneralName is checked of being of type dNSName, uniformResourceIdentifier or rfc822Name. If the server GeneralName is of any of these three types the check returns true if the server name is in the domain specified by the dNSName of the AC TargetGroup (i.e. it is checked if the server name ends with the dNSName specified by the AC TargetGroup). If, for instance, the AC TargetGroup specifies a dNSName like "iaik.at" and the server name is "http://jce.iaik.at" the server is accepted as being a member of the AC TargetGroup.
    4. The check returns false, if any of the steps above has not come to a positive result.
    As seen from above the server can be given as Target object or -- if the TargetInformation contains TargetName or TargetGroup elements -- as GeneralName. In any other case -- if the supplied server object is not given as Target or GeneralName -- a TargetException is thrown indicating that the server object cannot be handled by the TargetChecker. An application may plug-in its own TargetChecker implementation for enforcing a more sophisticated target checking policy which may be tailored to application specific requirements that cannot be considered by a general default implementation.
```
 MyTargetChecker myTargetChecker = ...;
 Target.setTargetChecker(myTargetChecker);
 
```
    Parameters:
    
    server - the server/service to be checked for being a target of the AC
    
    Returns:
    
    true if this attribute certificate does not contain a TargetInformation extension or if a TargetInformation extension is included and does not contain any Target elements or if it contains a Target element that denotes the given server/service as a valid target; false if none of the included Target elements denotes the server/service as valid target
    
    Throws:
    
    TargetException - if a TargetInformation extension is included in this attribute certificate, or if a TargetInformation extension is included and none of the Target elements in the TargetInformation extension accepts the server/service as valid target, but some of the Target elements cannot handle the server/service and thus cannot provide a reliable information. For instance, checking if a server/service belongs to some specific TargetGroup cannot be done in a general way because membership of a target to a TargetGroup only can be handled in application specific manner, e.g. (see RFC 5755): a TargetGroup may specify "PRINTERS," and the AC verifier knows if it is a printer or print server or not). In such cases the isTargetFor check must be done in a different, application specific way by implementing and plugging-in a special TargetChecker.
  - toString
```
public java.lang.String toString(boolean detailed)
```
    Returns a string that represents the contents of the certificate.
    
    Parameters:
    
    detailed - whether or not to give detailed information about the certificate.
    
    Returns:
    
    the string representation

Class AttributeCertificate

Nested Class Summary

Nested classes/interfaces inherited from class java.security.cert.Certificate

Constructor Summary

Method Summary

Methods inherited from class java.security.cert.Certificate

Methods inherited from class java.lang.Object

Constructor Detail

AttributeCertificate

AttributeCertificate

AttributeCertificate

Method Detail

registerStandardAttributeImplementations

decode

decode

sign

sign

sign

sign

sign

setSignature

checkValidity

checkValidity

getEncoded

getVersion

getSerialNumber

getIssuer

getHolder

getPublicKey

getNotBeforeTime

getNotAfterTime

getAcInfo

setSignatureAlgorithm

getSignature

getSigAlgName

getSigAlgOID

getSigAlgParams

getIssuerUniqueID

verify

verify

verify

verify

verify

verify

verify

verify

toASN1Object

toByteArray

writeTo

setSerialNumber

setIssuer

setNotBeforeTime

setNotAfterTime

setHolder

setIssuerUniqueID

getSignatureAlgorithm

getFingerprint

getFingerprint

getFingerprintSHA

toString

getCriticalExtensionOIDs

getNonCriticalExtensionOIDs

getExtensionValue

getRawExtensionValue

addExtension

removeExtension

removeAllExtensions

listExtensions

hasExtensions

hasUnsupportedCriticalExtension

countExtensions

getExtension

addAttribute

setAttributes

removeAllAttributes

removeAttribute

getAttributes

getAttribute

isTargetFor

toString