public class AttributeCertificate extends java.security.cert.Certificate implements ASN1Type, java.security.cert.X509Extension
Attribute Certificates (see RFC 5755) do not contain a public key, rather they bind some kind of property to some entity:
An attribute certificate (AC) may contain attributes that specify group
membership, role, security clearance, or other authorization information
associated with the AC holder
.
A public key certificate (PKC) can be considered to be like a passport: it
identifies the holder, tends to last for a long time, and should not
be trivial to obtain. An AC is more like an entry visa: it is
typically issued by a different authority and does not last for as
long a time. As acquiring an entry visa typically requires
presenting a passport, getting a visa can be a simpler process.
Authorization information may be placed in a PKC extension or placed
in a separate attribute certificate (AC). The placement of
authorization information in PKCs is usually undesirable for two
reasons. First, authorization information often does not have the
same lifetime as the binding of the identity and the public key.
When authorization information is placed in a PKC extension, the
general result is the shortening of the PKC useful lifetime. Second,
the PKC issuer is not usually authoritative for the authorization
information. This results in additional steps for the PKC issuer to
obtain authorization information from the authoritative source.
For these reasons, it is often better to separate authorization
information from the PKC. Yet, authorization information also needs
to be bound to an identity. An AC provides this binding; it is
simply a digitally signed (or certified) identity and set of
attributes.
An AC may be used with various security services, including access
control, data origin authentication, and non-repudiation.
PKCs can provide an identity to access control decision functions.
However, in many contexts the identity is not the criterion that is
used for access control decisions, rather the role or group-
membership of the accessor is the criterion used. Such access
control schemes are called role-based access control.
When making an access control decision based on an AC, an access
control decision function may need to ensure that the appropriate AC
holder is the entity that has requested access. One way in which the
linkage between the request or identity and the AC can be achieved
is the inclusion of a reference to a PKC within the AC and the use
of the private key corresponding to the PKC for authentication
within the access request.
The PKIX attribute certificate format is defined as an ASN.1 SEQUENCE structure containing the following components:
AttributeCertificate ::= SEQUENCE { acinfo AttributeCertificateInfo, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING }where signatureAlgorithm identifies the signature algorithm used by the issuer for computing the digital signature upon the ASN.1 DER encoded
AttributeCertificateInfo
structure, which itself is expressed as
ASN.1 SEQUENCE structure specifying holder and issuer of the AC, signature
algorithm (the same as specified in Certificate
above), version
and serial numbers, validity period, attributes and optionally unique
identifier of the issuer and certificate extensions:
AttributeCertificateInfo ::= SEQUENCE { version AttCertVersion -- version is v2, holder Holder, issuer AttCertIssuer, signature AlgorithmIdentifier, serialNumber CertificateSerialNumber, attrCertValidityPeriod AttCertValidityPeriod, attributes SEQUENCE OF Attribute, issuerUniqueID UniqueIdentifier OPTIONAL, extensions Extensions OPTIONAL }
where:
AttCertVersion ::= INTEGER { v2(1) }
Holder ::= SEQUENCE { baseCertificateID [0] IssuerSerial OPTIONAL, -- the issuer and serial number of -- the holder's Public Key Certificate entityName [1] GeneralNames OPTIONAL, -- the name of the claimant or role objectDigestInfo [2] ObjectDigestInfo OPTIONAL -- used to directly authenticate the holder, -- for example, an executable }
AttCertIssuer ::= CHOICE { v1Form GeneralNames, -- MUST NOT be used in this -- profile v2Form [0] V2Form -- v2 only
V2Form ::= SEQUENCE { issuerName GeneralNames OPTIONAL, baseCertificateID [0] IssuerSerial OPTIONAL, objectDigestInfo [1] ObjectDigestInfo OPTIONAL -- issuerName MUST be present in this profile -- baseCertificateID and objectDigestInfo MUST NOT -- be present in this profile }
AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL }
CertificateSerialNumber ::= INTEGER
AttCertValidityPeriod ::= SEQUENCE { notBeforeTime GeneralizedTime, notAfter GeneralizedTime }
Attribute ::= SEQUENCE { type AttributeType, values SET OF AttributeValue -- at least one value is required }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY DEFINED BY AttributeType
UniqueIdentifier ::= BIT STRING
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
For a detailed description of the several fields refer to RFC 5755)
For each value exists a set<Value>
and a
get<Value>
method.
After creating a new attribute certificate by means of the
default constructor
, setting AC
holder
and AC issuer
, setting validity period and
serial number
, and adding any
attribute
and
extension
to be included, finally the
certificate can be signed
with the private key of the issuer, e.g.:
// the public key certificate of the AC issuer X509Certificate acIssuerCert = ...; // the private signing key of the AC issuer PrivateKey acIssuerKey = ...; // create Attribute Certificate AttributeCertificate attributeCertificate = new AttributeCertificate(); // issuer V2Form v2Form = new V2Form((Name)acIssuerCert.getSubjectDN()); attributeCertificate.setIssuer(v2Form); // holder (from base certificate) X509Certificate baseCert = ...; Holder holder = new Holder(); holder.setBaseCertificateID(baseCert); attributeCertificate.setHolder(holder); // serial number attributeCertificate.setSerialNumber(BigInteger.valueOf(1)); // validity GregorianCalendar c = new GregorianCalendar(); Date notBeforeTime = c.getTime(); c.add(Calendar.MONTH, 1); Date notAfterTime = c.getTime(); attributeCertificate.setNotBeforeTime(notBeforeTime); attributeCertificate.setNotAfterTime(notAfterTime); // add any attributes (e.g. Role): GeneralName roleName = new GeneralName(GeneralName.uniformResourceIdentifier, "urn:sysadmin"); Role role = new Role(roleName); attributeCertificate.addAttribute(new Attribute(role)); .. // add any extensions (e.g. No Revocation Info Available): NoRevAvail noRevAvail = new NoRevAvail(); attributeCertificate.addExtension(noRevAvail); // sign attribute certificate attributeCertificate.sign(AlgorithmID.sha1WithRSAEncryption, acIssuerKey); // DER encode the certificate byte[] enc = attributeCertificate.getEncoded();
The AttributeCertificate(byte[])
and
AttributeCertificate(InputStream)
constructors may be used for parsing an AttributeCertificate from its DER
encoding, e.g.:
AttributeCertificate attributeCertificate = new AttributeCertificate(enc); // verify signature try { attributeCertificate.verify(acIssuerPublicKey_); } catch (SignatureException ex) { System.err.println("Signature verification failed: " + ex.getMessage()); throw ex; } // check any included attributes (e.g. Role): Attribute roleAttribute = attributeCertificate.getAttribute(Role.oid); if (roleAttribute != null) { // in our example we know that we have a single-valued Role attribute only Role role = (Role)roleAttribute.getAttributeValue(); // get role name GeneralName roleName = role.getRoleName(); System.out.println("Role name: " + roleName); } ... // check any included extension (e.g. No Revocation Info Available): NoRevAvail noRevAvail = (NoRevAvail)attributeCertificate.getExtension(NoRevAvail.oid); if (noRevAvail != null) { System.out.println("No revocation information available for this attribute certificate."); }
The Internet Attribute Certificate Profile for Authorization ( RFC 5755) only specified attribute certificate with version number v2 (1). However, this class is also able to parse v1 (0) attribute certificates according to the ITU X.509-1997 specification.
X509Extensions
,
V3Extension
,
UnknownExtension
,
Holder
,
AttCertIssuer
,
AttributeCertificateExtensions
,
AccessIdentity
,
ChargingIdentity
,
Clearance
,
Group
,
Role
,
ServiceAuthenticationInfo
,
AuditIdentity
,
TargetInformation
,
ProxyInfo
,
NoRevAvail
,
BasicAttConstraints
,
BasicAttConstraints
,
AcceptableCertPolicies
,
Serialized FormConstructor and Description |
---|
AttributeCertificate()
Default constructor for creating a new empty attribute certificate.
|
AttributeCertificate(byte[] array)
Creates an AttributeCertificate form a PEM or DER byte array.
|
AttributeCertificate(java.io.InputStream is)
Creates an AttributeCertificate from an input stream.
|
Modifier and Type | Method and Description |
---|---|
void |
addAttribute(Attribute attribute)
Adds one Attribute to this attribute certificate.
|
void |
addExtension(V3Extension e)
Adds the given X509v3 extension.
|
void |
checkValidity()
Checks if this attribute certificate currently is valid.
|
void |
checkValidity(java.util.Date date)
Checks if this attribute certificate would be valid at the given date
value.
|
int |
countExtensions()
Returns the number of extensions included into this certificate.
|
void |
decode(ASN1Object obj)
Creates an AttributeCertificate from an ASN1Object.
|
void |
decode(java.io.InputStream is)
Decodes an AttributeCertificate from an input stream.
|
byte[] |
getAcInfo()
Returns the DER encoded
AttributeCertificateInfo ASN.1 data
structure of this attribute certificate. |
Attribute |
getAttribute(ObjectID type)
Gets all the Attributes matching to a specific type (object identifier).
|
java.util.Enumeration |
getAttributes()
Gets the Attributes of this CertificateRequest.
|
java.util.Set |
getCriticalExtensionOIDs()
Returns a Set of the OID strings identifying the extension(s) that are
marked CRITICAL in this attribute certificate.
|
byte[] |
getEncoded()
Returns this attribute certificate as DER encoded ASN.1 data structure
|
V3Extension |
getExtension(ObjectID oid)
Returns a specific extension, identified by its object identifier.
|
byte[] |
getExtensionValue(java.lang.String oid)
Returns a byte array representing the DER encoding of the
extnValue OCTET STRING field of the extension identified by
the given OID string. |
byte[] |
getFingerprint()
Returns the fingerprint of this certificate.
|
byte[] |
getFingerprint(java.lang.String digestAlgorithm)
Returns the fingerprint of this certificate calculated with the given hash
algorithm.
|
byte[] |
getFingerprintSHA()
Get the SHA fingerprint of this attribute certificate.
|
Holder |
getHolder()
Returns the Holder of this attribute certificate.
|
AttCertIssuer |
getIssuer()
Returns the Issuer of this attribute certificate.
|
boolean[] |
getIssuerUniqueID()
Returns the issuer unique identifier of this certificate, or
null if no IssuerUniqueID is specified by this
certificate. |
java.util.Set |
getNonCriticalExtensionOIDs()
Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL
in this attribute certificate.
|
java.util.Date |
getNotAfterTime()
Returns the
notAfterTime value of this certificate. |
java.util.Date |
getNotBeforeTime()
Returns the
notBeforeTime value of this certificate. |
java.security.PublicKey |
getPublicKey()
Returns
null !!!! |
byte[] |
getRawExtensionValue(java.lang.String oid)
Returns a byte array representing the DER encoding of the extension value
identified by the given OID string.
|
java.math.BigInteger |
getSerialNumber()
Returns the serial number of this certificate as
BigInteger . |
java.lang.String |
getSigAlgName()
Returns the (JCA standard) name of the signature algorithm used by the issuer for signing
this certificate.
|
java.lang.String |
getSigAlgOID()
Returns the OID of the signature algorithm used by the issuer for signing
this certificate.
|
byte[] |
getSigAlgParams()
Returns the algorithm parameters associated with the signature algorithm
used by the issuer for signing this certificate.
|
byte[] |
getSignature()
Returns the signature value of this certificate.
|
AlgorithmID |
getSignatureAlgorithm()
Returns the signature algorithm of this certificate.
|
int |
getVersion()
Returns the version number of this certificate as
int . |
boolean |
hasExtensions()
Checks, if there are any extensions included into this certificate.
|
boolean |
hasUnsupportedCriticalExtension()
Returns true if there are unsupported critical extensions.
|
boolean |
isTargetFor(java.lang.Object server)
Checks if the given server/service is a valid target for this attribute
certificate.
|
java.util.Enumeration |
listExtensions()
Returns an enumeration of all extensions included in this attribute
certificate.
|
static void |
registerStandardAttributeImplementations()
Registers the IAIK-JCE implementing classes of the standard attributes
specified in RFC5755 to make them available for use with
AttributeCertificates.
|
void |
removeAllAttributes()
Removes all attributes included.
|
void |
removeAllExtensions()
Removes all extensions from this attribute certificate.
|
Attribute |
removeAttribute(ObjectID type)
Removes the attribute of the given type, if present.
|
boolean |
removeExtension(ObjectID oid)
Removes the extension specified by its object identifier.
|
void |
setAttributes(Attribute[] attributes)
Sets the Attributes of this Attribute certificate.
|
void |
setHolder(Holder holder)
Sets the Holder of this attribute certificate.
|
void |
setIssuer(AttCertIssuer issuer)
Sets the issuer of this attribute certificate.
|
void |
setIssuerUniqueID(boolean[] id)
Sets the issuer unique ID for this certificate.
|
void |
setNotAfterTime(java.util.Date validNotAfter)
Sets the
notAfterTime value of this certificate. |
void |
setNotBeforeTime(java.util.Date validNotBefore)
Sets the
notBeforeTime value of this atttribute certificate. |
void |
setSerialNumber(java.math.BigInteger serialNumber)
Sets the serial number of this certificate.
|
void |
setSignature(byte[] signatureValue)
Sets the signature value of this attribute certificate.
|
void |
setSignatureAlgorithm(AlgorithmID signatureAlg)
Sets the signature algorithm to be used for signing.
|
void |
sign(AlgorithmID signatureAlg,
java.security.PrivateKey issuerPK)
Signs the attribute certificate with the private key of the issuer.
|
void |
sign(AlgorithmID signatureAlg,
java.security.PrivateKey issuerPK,
java.security.spec.AlgorithmParameterSpec signatureParams,
java.security.Provider provider)
Signs the attribute certificate with the private key of the issuer.#
This method uses a Signature engine from the given provider
for signing the certificate. |
void |
sign(AlgorithmID signatureAlg,
java.security.PrivateKey issuerPK,
java.security.spec.AlgorithmParameterSpec signatureParams,
java.lang.String providerName)
Signs the attribute certificate with the private key of the issuer.
|
void |
sign(AlgorithmID signatureAlg,
java.security.PrivateKey issuerPK,
java.security.Provider provider)
Signs the attribute certificate with the private key of the issuer.#
This method uses a Signature engine from the given provider
for signing the certificate. |
void |
sign(AlgorithmID signatureAlg,
java.security.PrivateKey issuerPK,
java.lang.String providerName)
Signs the attribute certificate with the private key of the issuer.
|
ASN1Object |
toASN1Object()
Returns this attribute certificate as an ASN1Object.
|
byte[] |
toByteArray()
Returns this attribute certificate as DER encoded ASN.1 data structure.
|
java.lang.String |
toString()
Returns a string that represents the contents of the certificate.
|
java.lang.String |
toString(boolean detailed)
Returns a string that represents the contents of the certificate.
|
void |
verify(java.security.interfaces.DSAPublicKey key,
java.security.spec.DSAParameterSpec dsaParams)
Uses the given public DSA key and DSA parameters to verify this
certificate.
|
void |
verify(java.security.PublicKey key)
Verifies a certificate using the given public key.
|
void |
verify(java.security.PublicKey key,
java.security.spec.AlgorithmParameterSpec params)
Uses the given public key and parameters to verify this certificate.
|
void |
verify(java.security.PublicKey key,
java.security.spec.AlgorithmParameterSpec params,
java.security.Provider provider)
Uses the given public key and parameters to verify this certificate based
on a signature algorithm supplied by the specified provider.
|
void |
verify(java.security.PublicKey key,
java.security.spec.AlgorithmParameterSpec params,
java.lang.String providerName)
Uses the given public key and parameters to verify this certificate based
on a signature algorithm supplied by the specified provider.
|
void |
verify(java.security.PublicKey key,
java.security.spec.AlgorithmParameterSpec params,
java.lang.String providerName,
java.security.Provider provider)
Uses the given public key to verify a certificate based on a signature
algorithm supplied by the specified provider.
|
void |
verify(java.security.PublicKey key,
java.security.Provider provider)
Uses the given public key to verify a certificate based on a signature
algorithm supplied by the specified provider.
|
void |
verify(java.security.PublicKey key,
java.lang.String providerName)
Uses the given public key to verify a certificate based on a signature
algorithm supplied by the specified provider.
|
void |
writeTo(java.io.OutputStream os)
Writes this attribute certificate DER encoded to the given output stream.
|
public AttributeCertificate()
Any value may be set using the corresponding set<Value>
method. According to the Internet Attribute Certificate Profile for
Authorization presented in
RFC 5755) the version number is set to 2
indicating a
Version 2
attribute certificate. Note that this is not
the default version number (1).
public AttributeCertificate(java.io.InputStream is) throws java.io.IOException, java.security.cert.CertificateException
The supplied attribute certificate can be in PEM or DER format. This
constructor reads and decodes an AttributeCertificate that may have been
previously written (encoded) by calling method
writeTo(OutputStream)
.
For instance:
InputStream fis = new FileInputStream("cert.der"); AttributeCertificate cert = new AttributeCertificate(fis); fis.close();
is
- InputStream from which to create the certificatejava.io.IOException
- if the certificate cannot not be readjava.security.cert.CertificateException
- if the certificate cannot be parsedpublic AttributeCertificate(byte[] array) throws java.security.cert.CertificateException
This constructor may be used for parsing an already existing
AttributeCertifcate
ASN.1 object, supplied as DER encoded byte
array, which may have been created by calling the toByteArray
or the getEncoded
method.
array
- the byte array containing the DER encoded certificatejava.security.cert.CertificateException
- if the format of the cert is wrongpublic static void registerStandardAttributeImplementations()
AttributeCertificate
class; the registration is done automatically. SubjectDirectoryAttributes
public key certificate extension), but has not
used this AttributeCertificate
class so far, it may explicitly
call this method to register the default attribute implementations.public void decode(ASN1Object obj) throws CodingException
The given ASN1Object represents an already existing AttributeCertificate
which may have been created by calling the toASN1Object
method.
decode
in interface ASN1Type
obj
- the attribute certificate as ASN1ObjectCodingException
- if there is a problem when parsing the certificatepublic void decode(java.io.InputStream is) throws java.io.IOException, java.security.cert.CertificateException
is
- the InputStream from where the encoded certificate shall be readjava.io.IOException
- if an I/O error occursjava.security.cert.CertificateException
- if the certificate cannot be parsedpublic void sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK) throws java.security.cert.CertificateException, java.security.InvalidKeyException, java.security.NoSuchAlgorithmException
signatureAlg
- the AlgorithmID of the signature algorithmissuerPK
- the private key of the issuerjava.security.cert.CertificateException
- if the certificate could not be signedjava.security.InvalidKeyException
- if the format of the key is wrongjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmpublic void sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.lang.String providerName) throws java.security.cert.CertificateException, java.security.InvalidKeyException, java.security.NoSuchAlgorithmException
signatureAlg
- the AlgorithmID of the signature algorithmissuerPK
- the private key of the issuerproviderName
- the name of the provider supplying the Signature engine to be used;
if null
the first available provider will be used
the supports the signature algorithmjava.security.cert.CertificateException
- if the certificate could not be signedjava.security.InvalidKeyException
- if the format of the key is wrongjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmpublic void sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.security.spec.AlgorithmParameterSpec signatureParams, java.lang.String providerName) throws java.security.cert.CertificateException, java.security.InvalidKeyException, java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException
signatureAlg
- the AlgorithmID of the signature algorithmissuerPK
- the private key of the issuersignatureParams
- any signature parameters to -- if not null
-- be
used for initializing the Signature engine; if applicable the parameters
are also set for the signatureAlg
AlgorithmID (if it
does not contain any parameters yet)providerName
- the name of the provider supplying the Signature engine to be used;
if null
the first available provider will be used
the supports the signature algorithmjava.security.cert.CertificateException
- if the certificate could not be signedjava.security.InvalidKeyException
- if the format of the key is wrongjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmjava.security.InvalidAlgorithmParameterException
- if an error occurs when trying to set the signature parameterspublic void sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.security.Provider provider) throws java.security.cert.CertificateException, java.security.InvalidKeyException, java.security.NoSuchAlgorithmException
Signature
engine from the given provider
for signing the certificate.
Signature.getInstance(algorithm,provider)
is not available method Signature.getInstance(algorithm,provider.getName())
is tried.signatureAlg
- the AlgorithmID of the signature algorithmissuerPK
- the private key of the issuerprovider
- the provider supplying the Signature engine to be used;
if null
the first available provider will be used
the supports the signature algorithmjava.security.cert.CertificateException
- if the certificate could not be signedjava.security.InvalidKeyException
- if the format of the key is wrongjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmpublic void sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.security.spec.AlgorithmParameterSpec signatureParams, java.security.Provider provider) throws java.security.cert.CertificateException, java.security.InvalidKeyException, java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException
Signature
engine from the given provider
for signing the certificate.
Signature.getInstance(algorithm,provider)
is not available method Signature.getInstance(algorithm,provider.getName())
is tried.signatureAlg
- the AlgorithmID of the signature algorithmissuerPK
- the private key of the issuersignatureParams
- any signature parameters to -- if not null
-- be
used for initializing the Signature engine; if applicable the parameters
are also set for the signatureAlg
AlgorithmID (if it
does not contain any parameters yet)provider
- the provider supplying the Signature engine to be used;
if null
the first available provider will be used
the supports the signature algorithmjava.security.cert.CertificateException
- if the certificate could not be signedjava.security.InvalidKeyException
- if the format of the key is wrongjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmjava.security.InvalidAlgorithmParameterException
- if an error occurs when trying to set the signature parameterspublic void setSignature(byte[] signatureValue) throws java.security.cert.CertificateException
This method provides an alternative to method sign
when it is
required to set the signature value from outside (e.g. calculated by means
of a smartcard):
AttributeCertificate cert = ...; ... // set issuer, holder, attributes, ... ... // set the signature algorithm to be used for signing cert.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption); // get the to-be-signed value byte[] acInfo = cert.getAcInfo(); // now calculate the signature over the attribute certificate info byte[] signatureValue = calculateSignature(acInfo); // and set the signatureValue cert.setSignature(signatureValue); // encode the certificate byte[] encodedCert = cert.getEncoded();
signatureValue
- the signature calculated outsidejava.security.cert.CertificateException
- if the certificate could not be signedpublic void checkValidity(java.util.Date date) throws java.security.cert.CertificateExpiredException, java.security.cert.CertificateNotYetValidException
Attribute certificates have a limited period of validity prescribed by the
notBeforeTime
and notAfterTime
values. This
method just checks if the given date/time value lies between
notBeforeTime
and notAfterTime
and throws an
exception if this does not come true.
java.security.cert.CertificateExpiredException
- if the certificate alreay has expired or the notAfterTime
value yet has not been setjava.security.cert.CertificateNotYetValidException
- if the certificate yet is not valid or the notBeforeTime value
yet has not been setcheckValidity(java.util.Date)
public void checkValidity() throws java.security.cert.CertificateExpiredException, java.security.cert.CertificateNotYetValidException
notBeforeTime
and notAfterTime
values:
AttCertValidityPeriod ::= SEQUENCE { notBeforeTime GeneralizedTime, notAfterTime GeneralizedTime }The
notBeforeTime
and notAfterTime
time values
can be set by using the setNotBeforeTime
and setNotAfterTime
methods.
This checkValidity
method only calls
checkValidity(Date)
with the current date to
check if it lies between the two time values specified by
notBeforeTime
and notAfterTime
.
java.security.cert.CertificateExpiredException
- if the certificate already has expiredjava.security.cert.CertificateNotYetValidException
- if the certificate is yet not validGeneralizedTime
public byte[] getEncoded() throws java.security.cert.CertificateEncodingException
getEncoded
in class java.security.cert.Certificate
java.security.cert.CertificateEncodingException
- if the certificate cannot be encoded correctlypublic int getVersion()
int
. The
version number may specify a v1 or v2 attribute certificate.
ASN.1 definition:
AttCertVersion ::= INTEGER { v1(0), v2(1) }
int
, 1 for a v1
cert, 2 for a v2 certpublic java.math.BigInteger getSerialNumber()
BigInteger
.
Attribute certificates are labeled with positive serial numbers by the
issuing certification authority for unequivocally identifying them:
ASN.1 definition:
CertificateSerialNumber ::= INTEGER
BigInteger
public AttCertIssuer getIssuer()
The issuer
of an attribute certificate
either may be represented as V1Form
or as
V2Form
:
AttCertIssuer ::= CHOICE { v1Form GeneralNames, -- MUST NOT be used in this -- profile v2Form [0] V2Form -- v2 only }Attribute certificates conforming to the Internet Attribute Certificate Profile for Authorization presented in RFC 5755 are not allowed to use the
V1Form
choice for representing the issuer,
they should use the V2Form
:
V2Form ::= SEQUENCE { issuerName GeneralNames OPTIONAL, baseCertificateID [0] IssuerSerial OPTIONAL, objectDigestInfo [1] ObjectDigestInfo OPTIONAL -- issuerName MUST be present in this profile -- baseCertificateID and objectDigestInfo MUST NOT ACs conforming to this profile MUST use the v2Form choice, which MUST contain one and only one GeneralName in the issuerName, which MUST contain a non-empty distinguished name in the directoryName field. This means that all AC issuers MUST have non-empty distinguished names. ACs conforming to this profile MUST omit the baseCertificateID and objectDigestInfo fields. Part of the reason for the use of the v2Form containing only an issuerName is that it means that the AC issuer does not have to know which PKC the AC verifier will use for it (the AC issuer). Using the baseCertificateID field to reference the AC issuer would mean that the AC verifier would have to trust the PKC that the AC issuer chose (for itself) at AC creation time.
Use class Name
for creating a
V2Form
attCertIssuer holding a
directoryName
to be
set
as the issuer of an
AttributeCertificate:
Name issuerName = ...; V2Form v2Form = new V2Form(issuerName); attributeCertificate.setIssuer(v2Form);
AttCertIssuer
,
V1Form
,
V2Form
public Holder getHolder()
The Attribute certificates conforming to the Internet Attribute Certificate
Profile for Authorization presented in RFC 5755 specifies the
Holder
type for identifying the entity to which the
AttributeCertificate
belongs:
Holder ::= SEQUENCE { baseCertificateID [0] IssuerSerial OPTIONAL, -- the issuer and serial number of -- the holder's Public Key Certificate entityName [1] GeneralNames OPTIONAL, -- the name of the claimant or role objectDigestInfo [2] ObjectDigestInfo OPTIONAL -- used to directly authenticate the holder, -- for example, an executable }For any environment where the AC is passed in an authenticated message or session and where the authentication is based on the use of an X.509 public key certificate, the
holder
should be
identified by means of a baseCertificateID
pointing to the right X.509 public key certificate by
issuer name and issuer-specific serial number, e.g.:
X509Certificate baseCert = ...; IssuerSerial baseCertificateID = new IssuerSerial(baseCert); Holder holder = new Holder(); holder.setBaseCertificateID(baseCertificateID); attributeCertificate.setHolder(holder);If the holder field uses the
entityName
option and the underlying authentication is based on a PKC,
then the entityName MUST be the same as the PKC subject field or one of the
values of the PKC subjectAltName field extension (if present), e.g.:
X509Certificate cert = ...; Name subject = (Name)cert.getSubjectDN(); GeneralName subjectName = new GeneralName(GeneralName.directoryName, subject); GeneralNames entityName = new GeneralNames(subjectName); Holder holder = new Holder(); holder.setEntityName(entityName); attributeCertificate.setHolder(holder);The
ObjectDigestInfo
component may
be used for linking the AC to an object by placing a hash of that object
into the holder field of the AC. For example, this allows production of ACs
that are linked to public keys rather than names (see RFC 5755 for more information):
// the public key to which to link the AC: PublicKey publicKey = ...; // the digest algorithm to use AlgorithmID digestAlgorithm = ...; ObjectDigestInfo odi = new ObjectDigestInfo(publicKey, digestAlgorithm); Holder holder = new Holder(); holder.setObjectDigestInfo(odi); attributeCertificate.setHolder(holder);
Holder
,
IssuerSerial
,
ObjectDigestInfo
,
GeneralNames
public java.security.PublicKey getPublicKey()
null
!!!!
Attention!!! This method anytime returns null
since an
Attribute Certificate does not contain a public key. This method only is
included because inherited from java.security.cert.Certificate
which is the highest JCA "certificate level" and extended by this class to
incorporate attribute certificates into the JCA certificate management.
getPublicKey
in class java.security.cert.Certificate
null
public java.util.Date getNotBeforeTime()
notBeforeTime
value of this certificate.
The notBeforeTime
value denotes the date on which the
certificate becomes valid and can be set using the
setNotBeforeTime
method.
null
if the notBefore date has yet not been setcheckValidity(java.util.Date)
public java.util.Date getNotAfterTime()
notAfterTime
value of this certificate.
The notAfterTime
value denotes the date on which the
certificate's validity expires. The notAfterTime
date can be
set using the setNotAfterTime
method.
null
if the notAfter date has yet not been setcheckValidity(java.util.Date)
public byte[] getAcInfo() throws java.security.cert.CertificateEncodingException
AttributeCertificateInfo
ASN.1 data
structure of this attribute certificate.
AttributeCertificateInfo ::= SEQUENCE { version AttCertVersion DEFAULT v1, holder Holder, issuer AttCertIssuer, signature AlgorithmIdentifier, serialNumber CertificateSerialNumber, attrCertValidityPeriod AttCertValidityPeriod, attributes SEQUENCE OF Attribute, issuerUniqueID UniqueIdentifier OPTIONAL, extensions Extensions OPTIONAL }
AttributeCertificateInfo
as DER encoded
ASN.1 structurejava.security.cert.CertificateEncodingException
- if an encoding error occurspublic void setSignatureAlgorithm(AlgorithmID signatureAlg)
getAcInfo
before signing the cert. When using
this feature an application itself is responsible to ensure that the
signature algorithm specified by this method is equal to that supplied to
the sign(AlgorithmID, PrivateKey)
method when finally signing the certificate.signatureAlg
- the signature algorithm to be used for signingpublic byte[] getSignature()
public java.lang.String getSigAlgName()
For the RSA-PSS signature algorithm the JCA standard name is derived from the
algorithm id parameters. Since there is only one AlgorithmID
specified for RSA-PSS, hash algorithm and mask generation function are given by
the algorithm id parameters.
The JCA uses the <digest>with<RSA>and<mgf> naming scheme for RSA-PSS
where <digest> and <mgf> have to be got from the algorithm id parameters.
Thus the JCA standard name for, e.g., a RSA-PSS algorithm id
using SHA-256 as hash algorithm and MGF1 as mask generation function is
"SHA256withRSAandMGF1". If the parameters cannot be parsed, "RSASSA-PSS" is
returned as (general) signature algorithm name.
null
if the signature algorithm yet has not been
setpublic java.lang.String getSigAlgOID()
null
if the signature algorithm yet has not been setObjectID
,
AlgorithmID
public byte[] getSigAlgParams()
null
if there are no parameters used or
the signature algorithm yet has been not setpublic boolean[] getIssuerUniqueID()
null
if no IssuerUniqueID
is specified by this
certificate.
An IssuerUniqueID only may be included if the attribute certificate is
linked to a public key certificate
(PKC)
and this PKC contains the issuer unique id. In this case the issuer unique
ids of PKC and corresponding AC have to be the same.
The issuer unique identifier is defined as ASN.1 BIT STRING structure:
UniqueIdentifier ::= BIT STRINGThis method scans the issuer unique identifier and returns it as an array of boolean values.
IssuerUniqueID
of this certificate as array of
booleans, or null
if no issuer unique identifier is
specifiedpublic void verify(java.security.PublicKey key, java.lang.String providerName) throws java.security.cert.CertificateException, java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.NoSuchProviderException, java.security.SignatureException
verify
in class java.security.cert.Certificate
key
- the public key (of the issuer) to verify the certproviderName
- the name of the provider supplying the signature algorithm;
if null
the first available provider will be used
the supports the signature algorithmjava.security.cert.CertificateException
- if an encoding error occursjava.security.NoSuchAlgorithmException
- if there is no implementation for the algorithm used to sign
this certjava.security.InvalidKeyException
- if the format of the public key is wrongjava.security.NoSuchProviderException
- if there is no such providerjava.security.SignatureException
- if the signature does not verifypublic void verify(java.security.PublicKey key, java.security.Provider provider) throws java.security.cert.CertificateException, java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.SignatureException
This method uses a Signature
engine from the given provider
for verifying the certificate.
If Provider object based JCA/JCE Signature engine instantiation
is not available the Java VM in use (<1.4), this method tries to get an implementation
based on the provider name (if the Provider is installed within the Security Provider
framework). I.e. if method Signature.getInstance(algorithm,provider)
is not available method Signature.getInstance(algorithm,provider.getName())
is tried.
key
- the public key (of the issuer) to verify the certprovider
- the provider supplying the signature algorithm;
if null
the first available provider will be used
the supports the signature algorithmjava.security.cert.CertificateException
- if an encoding error occursjava.security.NoSuchAlgorithmException
- if there is no implementation for the algorithm used to sign
this certjava.security.InvalidKeyException
- if the format of the public key is wrongjava.security.SignatureException
- if the signature does not verifypublic void verify(java.security.PublicKey key, java.security.spec.AlgorithmParameterSpec params, java.lang.String providerName, java.security.Provider provider) throws java.security.cert.CertificateException, java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.NoSuchProviderException, java.security.SignatureException
key
- the public key (of the issuer) to verify the certparams
- Any parameters that may be required for signature verification,
e.g. when verifying a certificate that has been signed with
the (EC)DSA algorithm and the public (EC)DSA key used for verification
does not contain the (EC)DSA parameters.providerName
- the name of the provider supplying the signature algorithm;
maybe null
provider
- the provider supplying the signature algorithm;
maybe null
java.security.cert.CertificateException
- if an encoding error occursjava.security.NoSuchAlgorithmException
- if there is no implementation for the algorithm used to sign
this certjava.security.InvalidKeyException
- if the format of the public key is wrongjava.security.NoSuchProviderException
- if there is no such providerjava.security.SignatureException
- if the signature does not verifypublic void verify(java.security.PublicKey key) throws java.security.cert.CertificateException, java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.NoSuchProviderException, java.security.SignatureException
This method only calls verify(PublicKey,
String)
setting the provider name to null
for relying on the
default provider signature architecture.
verify
in class java.security.cert.Certificate
key
- the public key of the issuerjava.security.cert.CertificateException
- if an encoding error occursjava.security.NoSuchAlgorithmException
- if there is no implementation for the algorithm used to sign
this certjava.security.InvalidKeyException
- if the format of the public key is wrongjava.security.NoSuchProviderException
- if there is no default providerjava.security.SignatureException
- if the signature does not verifypublic void verify(java.security.interfaces.DSAPublicKey key, java.security.spec.DSAParameterSpec dsaParams) throws java.security.cert.CertificateException, java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.NoSuchProviderException, java.security.SignatureException
Attention! This method only may be used to verify a certificate that has been signed with the DSA algorithm and the public DSA key now used for verification does not contain the DSA parameters. Additionally this method only can be used with the IAIK provider.
key
- the public DSA key (of the issuer) to verify the certdsaParams
- the DSA parameters provided by other meansjava.security.cert.CertificateException
- if an encoding error occursjava.security.NoSuchAlgorithmException
- if there is no implementation for the algorithm used to sign
this certjava.security.InvalidKeyException
- if the format of the public key is wrongjava.security.NoSuchProviderException
- if there is no such providerjava.security.SignatureException
- if the signature does not verifypublic void verify(java.security.PublicKey key, java.security.spec.AlgorithmParameterSpec params) throws java.security.cert.CertificateException, java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.SignatureException
This method may be used to verify a certificate that has been signed with the (EC)DSA algorithm and the public (EC)DSA key now used for verification does not contain the (EC)DSA parameters.
key
- the public (EC)DSA key (of the issuer) to verify the certparams
- The parameters provided by other means. May be
java.security.spec.DSAParameterSpec
or
iaik.pkcs.pkcs1.RSAPssParameterSpec
.java.security.cert.CertificateException
- if an encoding error occursjava.security.NoSuchAlgorithmException
- if there is no implementation for the algorithm used to sign
this certjava.security.InvalidKeyException
- if the format of the public key is wrongjava.security.SignatureException
- if the signature does not verifypublic void verify(java.security.PublicKey key, java.security.spec.AlgorithmParameterSpec params, java.lang.String providerName) throws java.security.cert.CertificateException, java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.NoSuchProviderException, java.security.SignatureException
This method may be used to verify a certificate that has been signed with the (EC)DSA algorithm and the public (EC)DSA key now used for verification does not contain the (EC)DSA parameters.
key
- the public (EC)DSA key (of the issuer) to verify the certparams
- The parameters provided by other means. May be, e.g. a
java.security.spec.DSAParameterSpec
or
iaik.pkcs.pkcs1.RSAPssParameterSpec
.providerName
- the name of the provider supplying the signature algorithm;
if null
the first available provider will be used
the supports the signature algorithmjava.security.cert.CertificateException
- if an encoding error occursjava.security.NoSuchAlgorithmException
- if there is no implementation for the algorithm used to sign
this certjava.security.InvalidKeyException
- if the format of the public key is wrongjava.security.NoSuchProviderException
- if there is no such providerjava.security.SignatureException
- if the signature does not verifypublic void verify(java.security.PublicKey key, java.security.spec.AlgorithmParameterSpec params, java.security.Provider provider) throws java.security.cert.CertificateException, java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.SignatureException
This method may be used to verify a certificate that has been signed with the (EC)DSA algorithm and the public (EC)DSA key now used for verification does not contain the (EC)DSA parameters.
This method uses a Signature
engine from the given provider
for verifying the certificate.
If Provider object based JCA/JCE Signature engine instantiation
is not available the Java VM in use (<1.4), this method tries to get an implementation
based on the provider name (if the Provider is installed within the Security Provider
framework). I.e. if method Signature.getInstance(algorithm,provider)
is not available method Signature.getInstance(algorithm,provider.getName())
is tried.
key
- the public (EC)DSA key (of the issuer) to verify the certparams
- The parameters provided by other means. May be, e.g. a
java.security.spec.DSAParameterSpec
or
iaik.pkcs.pkcs1.RSAPssParameterSpec
.provider
- the provider supplying the signature algorithm;
if null
the first available provider will be used
the supports the signature algorithmjava.security.cert.CertificateException
- if an encoding error occursjava.security.NoSuchAlgorithmException
- if there is no implementation for the algorithm used to sign
this certjava.security.InvalidKeyException
- if the format of the public key is wrongjava.security.NoSuchProviderException
- if there is no such providerjava.security.SignatureException
- if the signature does not verifypublic ASN1Object toASN1Object()
toASN1Object
in interface ASN1Type
public byte[] toByteArray()
public void writeTo(java.io.OutputStream os) throws java.io.IOException
os
- the output stream where the certificate shall be written tojava.io.IOException
- if an I/O error occurspublic void setSerialNumber(java.math.BigInteger serialNumber)
serialNumber
- the serial number of the certificate as BigIntegergetSerialNumber()
public void setIssuer(AttCertIssuer issuer)
The issuer
of an attribute certificate
either may be represented as V1Form
or as
V2Form
:
AttCertIssuer ::= CHOICE { v1Form GeneralNames, -- MUST NOT be used in this -- profile v2Form [0] V2Form -- v2 only }Attribute certificates conforming to the Internet Attribute Certificate Profile for Authorization presented in RFC 5755 are not allowed to use the
V1Form
choice for representing the issuer,
they should use the V2Form
:
V2Form ::= SEQUENCE { issuerName GeneralNames OPTIONAL, baseCertificateID [0] IssuerSerial OPTIONAL, objectDigestInfo [1] ObjectDigestInfo OPTIONAL -- issuerName MUST be present in this profile -- baseCertificateID and objectDigestInfo MUST NOT ACs conforming to this profile MUST use the v2Form choice, which MUST contain one and only one GeneralName in the issuerName, which MUST contain a non-empty distinguished name in the directoryName field. This means that all AC issuers MUST have non-empty distinguished names. ACs conforming to this profile MUST omit the baseCertificateID and objectDigestInfo fields. Part of the reason for the use of the v2Form containing only an issuerName is that it means that the AC issuer does not have to know which PKC the AC verifier will use for it (the AC issuer). Using the baseCertificateID field to reference the AC issuer would mean that the AC verifier would have to trust the PKC that the AC issuer chose (for itself) at AC creation time.
Use class Name
for creating a
V2Form
attCertIssuer holding a
directoryName
to be
set
as the issuer of an
AttributeCertificate:
Name issuerName = ...; V2Form v2Form = new V2Form(issuerName); attributeCertificate.setIssuer(v2Form);
issuer
- the issuer of this attribute certificategetIssuer()
,
AttCertIssuer
,
V1Form
,
V2Form
public void setNotBeforeTime(java.util.Date validNotBefore)
notBeforeTime
value of this atttribute certificate.
For instance:
GregorianCalendar date = (GregorianCalendar) Calendar.getInstance(); cert.setNotBeforeTime(date.getTime());
The certificate is not valid before this Date.
validNotBefore
- Date when cert will become validgetNotBeforeTime()
public void setNotAfterTime(java.util.Date validNotAfter)
notAfterTime
value of this certificate.
For instance:
GregorianCalendar date = (GregorianCalendar) Calendar.getInstance(); date.add(Calendar.MONTH, 6); cert.setNotAfterTime(date.getTime());
The certificate will expire at this Date.
validNotAfter
- Date on which the certificate will expiregetNotAfterTime()
public void setHolder(Holder holder)
The Attribute certificates conforming to the Internet Attribute Certificate
Profile for Authorization presented in RFC 5755 specifies the
Holder
type for identifying the entity to which the
AttributeCertificate
belongs:
Holder ::= SEQUENCE { baseCertificateID [0] IssuerSerial OPTIONAL, -- the issuer and serial number of -- the holder's Public Key Certificate entityName [1] GeneralNames OPTIONAL, -- the name of the claimant or role objectDigestInfo [2] ObjectDigestInfo OPTIONAL -- used to directly authenticate the holder, -- for example, an executable }For any environment where the AC is passed in an authenticated message or session and where the authentication is based on the use of an X.509 public key certificate, the
holder
should be
identified by means of a baseCertificateID
pointing to the right X.509 public key certificate by
issuer name and issuer-specific serial number, e.g.:
X509Certificate baseCert = ...; IssuerSerial baseCertificateID = new IssuerSerial(baseCert); Holder holder = new Holder(); holder.setBaseCertificateID(baseCertificateID); attributeCertificate.setHolder(holder);If the holder field uses the
entityName
option and the underlying authentication is based on a PKC,
then the entityName MUST be the same as the PKC subject field or one of the
values of the PKC subjectAltName field extension (if present), e.g.:
X509Certificate cert = ...; Name subject = (Name)cert.getSubjectDN(); GeneralName subjectName = new GeneralName(GeneralName.directoryName, subject); GeneralNames entityName = new GeneralNames(subjectName); Holder holder = new Holder(); holder.setEntityName(entityName); attributeCertificate.setHolder(holder);The
ObjectDigestInfo
component may
be used for linking the AC to an object by placing a hash of that object
into the holder field of the AC. For example, this allows production of ACs
that are linked to public keys rather than names (see RFC 5755 for more information):
// the public key to which to link the AC: PublicKey publicKey = ...; // the digest algorithm to use AlgorithmID digestAlgorithm = ...; ObjectDigestInfo odi = new ObjectDigestInfo(publicKey, digestAlgorithm); Holder holder = new Holder(); holder.setObjectDigestInfo(odi); attributeCertificate.setHolder(holder);
holder
- the holder of this attribute certificateHolder
,
IssuerSerial
,
ObjectDigestInfo
,
GeneralNames
public void setIssuerUniqueID(boolean[] id)
An IssuerUniqueID only may be included if the attribute certificate is
linked to a public key certificate
(PKC)
and this PKC contains the issuer unique id. In this case the issuer unique
ids of PKC and corresponding AC have to be the same.
The issuer unique identifier is defined as ASN.1 BIT STRING structure:
UniqueIdentifier ::= BIT STRING
id
- the unique identifier of the issuer as array of boolean valuesgetIssuerUniqueID()
public AlgorithmID getSignatureAlgorithm()
AlgorithmID
public byte[] getFingerprint()
public byte[] getFingerprint(java.lang.String digestAlgorithm) throws java.security.NoSuchAlgorithmException
digestAlgorithm
- the digest algorithm to be usedjava.security.NoSuchAlgorithmException
- if the requested algorithm is not supportedpublic byte[] getFingerprintSHA()
public java.lang.String toString()
toString
in class java.security.cert.Certificate
public java.util.Set getCriticalExtensionOIDs()
getCriticalExtensionOIDs
in interface java.security.cert.X509Extension
null
getNonCriticalExtensionOIDs()
public java.util.Set getNonCriticalExtensionOIDs()
getNonCriticalExtensionOIDs
in interface java.security.cert.X509Extension
getCriticalExtensionOIDs()
public byte[] getExtensionValue(java.lang.String oid)
extnValue
OCTET STRING field of the extension identified by
the given OID string.
The OID string is represented by a set of non-negative integers separated
by periods, e.g. "2.5.29.15" for the KeyUsage
extension.
In ASN.1, the Extensions
field is defined as a SEQUENCE of
Extension:
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
where critical
specifies whether an extension has to be
treated as being critical or not; the default value is FALSE. An extension
is identified by its object identifier, specified in the
extnID
field. The extnValue
field is an OCTET
STRING which contains the DER encoding of the specific extension's ASN.1
representation itself. Only one instance of a particular extension may be
present.
The byte value returned by this method represents the DER encoding of the
extnValue (OCTET_STRING) from above, and the value of this OCTET STRING
represents the DER encoding of the specific extension's ASN.1
representation itself. If you want to get the DER encoding of the specific
extension's ASN.1 representation itself (not wrapped in an OCTET STRING),
use method getRawExtensionValue
.
getExtensionValue
in interface java.security.cert.X509Extension
oid
- the object identifier of the extension to be searched fornull
if no
extension with the specified oid is presentpublic byte[] getRawExtensionValue(java.lang.String oid)
The OID string is represented by a set of non-negative integers separated
by periods, e.g. "2.5.29.15" for the KeyUsage
extension.
In ASN.1, the Extensions
field is defined as a SEQUENCE of
Extension:
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
where critical
specifies whether an extension has to be
treated as being critical or not; the default value is FALSE. An extension
is identified by its object identifier, specified in the
extnID
field. The extnValue
field is an OCTET
STRING which contains the DER encoding of the specific extension's ASN.1
representation itself. Only one instance of a particular extension may be
present in a particular certificate.
The byte value returned by this method represents the DER encoding of the
specific extension's ASN.1 representation itself (i.e. the value of the
extnValue
OCTET STRING).
oid
- the object identifier of the extension to be searched fornull
if no extension with the specified oid is presentpublic void addExtension(V3Extension e) throws X509ExtensionException
For reading back some extension, use the getExtension(ObjectID)
method.
e
- the X509v3 extension to add to the list of extensionsX509ExtensionException
- if an error occurs while DER encoding the extensionV3Extension
public boolean removeExtension(ObjectID oid)
oid
- the object ID of the extension to removetrue
if the extension has been successfully removed,
false
otherwisepublic void removeAllExtensions()
public java.util.Enumeration listExtensions()
The enumeration returned may contain unknown extensions (instances
of UnknownExtension
if there are any
extensions included in this certificate, for which there exists no
registered implementation, and it may contain error extensions
(instances of ErrorExtension
)
indicating extensions which cannot be parsed properly because of some kind
of error.
If any extension cannot be parsed properly, an
ErrorExtension
is created from
it and written to the enumeration list returned by this method.
null
if there are
no extensions present at allpublic boolean hasExtensions()
true
if there are extensions, false
if
notpublic boolean hasUnsupportedCriticalExtension()
hasUnsupportedCriticalExtension
in interface java.security.cert.X509Extension
public int countExtensions()
public V3Extension getExtension(ObjectID oid) throws X509ExtensionInitException
If the extension cannot be initialized for some reason, an
X509ExtensionInitException is thrown. If the requested extension is an
unknown extension, which is not supported by a registered
implementation, this method creates and returns an
UnknownExtension
which may be queried
for obtaining as much information as possible about the unknown extension.
oid
- the object ID of the extensionnull
if the requested
extension is not presentX509ExtensionInitException
- if the extension can not be initializedpublic void addAttribute(Attribute attribute)
Since only one attribute per attribute type is allowed to be included in an attribute certificate this method replaces an already included attribute of same type with the given attribute.
Note that the attributes have to be set before the certificate is
signed
with the issuer's private
key!
attribute
- the Attribute to addpublic void setAttributes(Attribute[] attributes)
iaik.asn1.structures.Attribute
objects. signed
with the issuer's private
key!attributes
- the Attributes to setpublic void removeAllAttributes()
public Attribute removeAttribute(ObjectID type)
type
- the type OID identifying the attribute in mindnull
if no attribute has been
removed because no attribute with the given type is presentpublic java.util.Enumeration getAttributes()
null
is returned. Otherwise the attributes are
returned as an array of iaik.asn1.structures.Attribute
objects:
Attribute[] attributes = request.getAttributes(); if (attributes != null) { for (int i = 0; i < attributes.length; i++) { Attribute attr = attributes[i]; System.out.println(attr.getType()); ASN1Object[] asn1Obj = attr.getValue(); for (int j = 0; j < asn1Obj.length; j++) { System.out.println(asn1Obj[j].toString()); } } }
Attribute
;
the Enumeration maybe empty if there are no attributes includedpublic Attribute getAttribute(ObjectID type)
null
is returned.
Otherwise the matching attributes are returned as an array of
iaik.asn1.structures.Attribute
objects. The following sample queries if the challangePassword attribute is
included:
Attribute[] attributes = request.getAttributes(ObjectID.challengePassword); if (attributes != null) { // expected only one: Attribute attr = attributes[0]; System.out.println(attr.getType()); ASN1Object[] asn1Obj = attr.getValue(); // again, only one expected: System.out.println(asn1Obj[0].getValue()); }
null
if there are
no attributes of the given type includedpublic boolean isTargetFor(java.lang.Object server) throws TargetException
Based on the presence of the
TargetInformation
extension a server/service may decide whether to accept the attribute
certificate or not. If no TargetInformation is present the attribute
certificate is not targeted and may be accepted by any server/service. If a
TargetInformation is present the included Target elements have to be
checked to see if the current server "matches" the target
condition: the server can accept the attribute certificate if the server is
one of the included targetName elements, or if it is a member of one of the
included targetGroup elements. How group membership may be verified, may
depend on application specific settings. For instance, if a targetGroup
specifies a DNS domain the AC verifier will have to know the DNS domain to
which it belongs. Or, for instance, if a targetGroup specified
"PRINTERS" the AC verifier must know if it is a, e.g., printer or
print server (see RFC 5755).
This method returns true
if this attribute does not contain a
TargetInformation extension. If this attribute certificate contains a
TargetInformation extension the Target
elements included in
the TargetInformation extension are searched. In this case this method
returns true
if it detects a Target element that denotes the
given server/service as a valid target. It returns also true
if the TargetInformation extension does not contain any Target elements at
all (in which case this attribute certificate is not specially targeted and
can be accepted by any server). It returns false
if none of
the included Target elements denotes the server/service as valid target. It
throws a TargetException
if it cannot find a Target
element that accepts the server/service as valid Target but some of the
Target elements cannot handle the server/service and thus cannot provide a
reliable information.
The targeting check is controlled by the
TargetChecker
. For each single Target
element included in this TargetInformation extension, the default
TargetChecker implementation performs the following checks (in this order):
Target
object and is equal to
the AC Target element, the check returns true.
TargetName
or TargetGroup
and the
server is given as GeneralName
,
the check returns true if the GeneralName of the AC Target is equal to the
server GeneralName.
dNSName
the server maybe
given as TargetGroup or GeneralName. In this case the server GeneralName is
checked of being of type dNSName
,
uniformResourceIdentifier
or rfc822Name
. If the
server GeneralName is of any of these three types the check returns true if
the server name is in the domain specified by the dNSName of the AC
TargetGroup (i.e. it is checked if the server name ends with the dNSName
specified by the AC TargetGroup). If, for instance, the AC TargetGroup
specifies a dNSName like "iaik.at" and the server name is
"http://jce.iaik.at" the server is accepted as being a member of the
AC TargetGroup.
plug-in
its own
TargetChecker
implementation for
enforcing a more sophisticated target checking policy which may be tailored
to application specific requirements that cannot be considered by a general
default implementation.
MyTargetChecker myTargetChecker = ...; Target.setTargetChecker(myTargetChecker);
server
- the server/service to be checked for being a target of the ACtrue
if this attribute certificate does not contain a
TargetInformation extension or if a TargetInformation extension is
included and does not contain any Target elements or if it contains
a Target element that denotes the given server/service as a valid
target; false
if none of the included Target elements
denotes the server/service as valid targetTargetException
- if a TargetInformation extension is included in this attribute
certificate, or if a TargetInformation extension is included
and none of the Target elements in the TargetInformation
extension accepts the server/service as valid target, but some
of the Target elements cannot handle the server/service and
thus cannot provide a reliable information. For instance,
checking if a server/service belongs to some specific
TargetGroup
cannot be done in a general
way because membership of a target to a TargetGroup only can
be handled in application specific manner, e.g. (see RFC 5755): a
TargetGroup may specify "PRINTERS," and the AC verifier knows
if it is a printer or print server or not). In such cases the
isTargetFor check must be done in a different, application
specific way by implementing and
plugging-in
a special TargetChecker
.public java.lang.String toString(boolean detailed)
detailed
- whether or not to give detailed information about the certificate.