iaik.x509.attr

Class Holder

java.lang.Object

iaik.x509.attr.Holder

public class Holder
extends java.lang.Object

This class implements the AC type Holder.

The Internet Attribute Certificate Profile for Authorization (RFC 5755) specifies the Holder type for identifying the entity to which the AttributeCertificate belongs:

 Holder ::= SEQUENCE {
    baseCertificateID   [0] IssuerSerial OPTIONAL,
                        -- the issuer and serial number of
                        -- the holder's Public Key Certificate
    entityName          [1] GeneralNames OPTIONAL,
                        -- the name of the claimant or role
    objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
                        -- used to directly authenticate the holder,
                        -- for example, an executable
 }
 

For any environment where the AC is passed in an authenticated message or session and where the authentication is based on the use of an X.509 public key certificate, the holder should be identified by means of a baseCertificateID pointing to the right X.509 public key certificate by issuer name and issuer-specific serial number, e.g.:

 X509Certificate baseCert = ...;
 IssuerSerial baseCertificateID = new IssuerSerial(baseCert);
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCertificateID);
 attributeCertificate.setHolder(holder);
 

If the holder field uses the entityName option and the underlying authentication is based on a PKC, then the entityName MUST be the same as the PKC subject field or one of the values of the PKC subjectAltName field extension (if present), e.g.:

 X509Certificate cert = ...;
 Name subject = (Name)cert.getSubjectDN();
 GeneralName subjectName = new GeneralName(GeneralName.directoryName, subject);
 GeneralNames entityName = new GeneralNames(subjectName);
 Holder holder = new Holder();
 holder.setEntityName(entityName);
 attributeCertificate.setHolder(holder);
 

The ObjectDigestInfo component may be used for linking the AC to an object by placing a hash of that object into the holder field of the AC. For example, this allows production of ACs that are linked to public keys rather than names (see RFC 5755 for more information):

 // the public key to which to link the AC:
 PublicKey publicKey = ...;
 // the digest algorithm to use
 AlgorithmID digestAlgorithm = ...;
 ObjectDigestInfo odi = new ObjectDigestInfo(publicKey, digestAlgorithm);
 Holder holder = new Holder();
 holder.setObjectDigestInfo(odi);
 attributeCertificate.setHolder(holder);
 

Version:

File Revision 18

See Also:

AttributeCertificate, IssuerSerial, ObjectDigestInfo, GeneralNames

Constructor Summary

Constructors

Constructor and Description
Holder() Default constructor.
Holder(ASN1Object obj) Creates a Holder from its ASN.1 representation.

Method Summary

Methods

Modifier and Type	Method and Description
boolean	equals(java.lang.Object obj) Compares this Holder to the specified object.
IssuerSerial	getBaseCertificateID() Gets the baseCertificateID of this Holder, if set.
GeneralNames	getEntityName() Gets the entityName of this Holder, if set.
ObjectDigestInfo	getObjectDigestInfo() Gets the objectDigestInfo of this Holder, if set.
int	hashCode() Returns a hashcode for this Holder.
boolean	identifiesCert(X509Certificate cert) Checks if this Holder identifies the certificate.
void	setBaseCertificateID(IssuerSerial baseCertificateID) Sets the baseCertificateID of this Holder.
void	setBaseCertificateID(X509Certificate baseCertificate) Uses the given public key certificate to calculate and set the baseCertificateID of this Holder.
void	setEntityName(GeneralNames entityName) Sets the entityName of this Holder.
void	setEntityName(X509Certificate certificate) Sets the entityName of this Holder based on the given public key certificate.
void	setObjectDigestInfo(ObjectDigestInfo objectDigestInfo) Sets the objectDigestInfo of this Holder.
ASN1Object	toASN1Object() Returns this Holder as ASN1Object.
java.lang.String	toString() Returns a string giving some information about this Holder object.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

Holder

public Holder()

Default constructor. Creates an empty Holder object. Use the several setXXX method for setting the fields of this Holder object.

Holder

public Holder(ASN1Object obj)
       throws CodingException

Creates a Holder from its ASN.1 representation.

Parameters:

obj - the Holder as ASN1Object

Throws:

CodingException - if an decoding/parsing error occurs or the the information contained is not appropriate for a Holder

Method Detail

getBaseCertificateID

public IssuerSerial getBaseCertificateID()

Gets the baseCertificateID of this Holder, if set.

Returns:

the baseCertificateID IssuerSerial, if set

setBaseCertificateID

public void setBaseCertificateID(IssuerSerial baseCertificateID)

Sets the baseCertificateID of this Holder.

Parameters:

baseCertificateID - the baseCertificateID IssuerSerial to be set.

setBaseCertificateID

public void setBaseCertificateID(X509Certificate baseCertificate)

Uses the given public key certificate to calculate and set the baseCertificateID of this Holder.

Parameters:

baseCertificate - the base certificate from which to calculate the baseCertificateID IssuerSerial

getEntityName

public GeneralNames getEntityName()

Gets the entityName of this Holder, if set.

Returns:

the entityName GeneralNames, if set

setEntityName

public void setEntityName(GeneralNames entityName)

Sets the entityName of this Holder.

Parameters:

entityName - the entityName GeneralNames to be set.

setEntityName

public void setEntityName(X509Certificate certificate)
                   throws java.lang.IllegalArgumentException

Sets the entityName of this Holder based on the given public key certificate. If the certificate contains a non-empty subject field, the entityName is created from the subject field; otherwise it is created from the SubjectAltName extension, if present.

Parameters:

certificate - the certificate from which to create the entityName

Throws:

java.lang.IllegalArgumentException - if the given certificate contains an empty subject field, but does not contain the SubjectAltName extension

getObjectDigestInfo

public ObjectDigestInfo getObjectDigestInfo()

Gets the objectDigestInfo of this Holder, if set.

Returns:

the objectDigestInfo, if set

setObjectDigestInfo

public void setObjectDigestInfo(ObjectDigestInfo objectDigestInfo)

Sets the objectDigestInfo of this Holder.

Parameters:

objectDigestInfo - the objectDigestInfo to be set.

toASN1Object

public ASN1Object toASN1Object()

Returns this Holder as ASN1Object.

Returns:

this Holder as ASN1Object

equals

public boolean equals(java.lang.Object obj)

Compares this Holder to the specified object.

Overrides:

equals in class java.lang.Object

Parameters:

obj - the object to compare this Holder against.

Returns:

true, if the given object is equal to this Holder, false otherwise

hashCode

public int hashCode()

Returns a hashcode for this Holder.

Overrides:

hashCode in class java.lang.Object

Returns:

a hashcode for this Holder

identifiesCert

public boolean identifiesCert(X509Certificate cert)
                       throws java.security.NoSuchAlgorithmException,
                              java.security.cert.CertificateEncodingException

Checks if this Holder identifies the certificate.

In the case where the Holder of an AC is linked to particular certificate this method may be used for checking if the given cert "belongs" to this Holder by performing the following steps in the following order:

1. If this Holder contains the baseCertificateID component and the corresponding IssuerSerial identifies the given certificate, this method returns true; if the corresponding IssuerSerial does not identify the given certificate, this method returns false
2. If this Holder does not contain the baseCertificateID component but contains an entityName component which corresponds to the subject of the given certificate, this method returns true; if the entityName does not correspond to the subject of the given certificate, this method returns false.
   During the check above the following proceeding is used for comparing entityName against subjectAltName (in the given order):
   • If the given certificate contains a non-empty subject field, its contents has to match to the entityName of this Holder object
   • Otherwise the SubjectAltName extension is checked if each GeneralName of the entityName of this Holder is included in the SubjectAltName of the given certificate (note that not all GeneralName components of the SubjectAltName extensions must have been used for building the entity name).
3. If this Holder neither contains the baseCertificateID component nor the entityName component, but contains the objectDigestInfo component and the corresponding ObjectDigestInfo identifies the given certificate, this method returns true; if the corresponding ObjectDigestInfo does not identify the given certificate, this method returns false
4. If this Holder does not contain any components, this method return false

Note, that according to the proceeding above -- if more than one components are present -- only the first appearing component in the SEQUENCE of components is checked. If you want to check all included components you may get them and check them yourself.

Returns:

true if this Holder "links" to the given certificate according to the rules above, false if not

Throws:

java.security.NoSuchAlgorithmException - if this Holder only contains the objectDigestInfo component, but the digest algorithm (required for the check) used there is not supported

java.security.cert.CertificateEncodingException - if this Holder only contains the objectDigestInfo and an error occurs while encoding the certificate required for digest calculation

toString

public java.lang.String toString()

Returns a string giving some information about this Holder object.

Overrides:

toString in class java.lang.Object

Returns:

the string representation