public class Group extends IetfAttrSyntax
The X.509 Attribute Certificate profile (RFC 5755) specifies the Group attribute, which is included as an attribute in an AttributeCertificate to state the group membership of the holder of the attribute certificate.
Each attribute is associated with a specific attribute type object identifier. The OID for the Group attribute is defined as follows:

    id-pkix OBJECT IDENTIFIER ::=
        { iso(1) identified-organization(3) dod(6) internet(1)
          security(5) mechanisms(5) pkix(7) }

    id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }

    id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }

which corresponds to the OID string "1.3.6.1.5.5.7.10.4".
The ASN.1 structure of the Group attribute is defined by the IetfAttrSyntax (see RFC 5755):

    IetfAttrSyntax ::= SEQUENCE {
        policyAuthority [0] GeneralNames OPTIONAL,
        values SEQUENCE OF CHOICE {
            octets OCTET STRING,
            oid OBJECT IDENTIFIER,
            string UTF8String
        }
    }
The policyAuthority field may be set when the attribute policy authority differs from the AC issuer.
Although the values field is specified as a SEQUENCE OF CHOICE between OCTET_STRING, ObjectID and UTF8String, RFC 5755 requires that all values of one attribute use the same CHOICE alternative. In practice values therefore is a SEQUENCE OF OCTET_STRING objects, a SEQUENCE OF ObjectID objects, or a SEQUENCE OF UTF8String objects; a values field that mixes types is not valid.
When creating a Group attribute the values have to be supplied as an array of byte[] values, an array of ObjectID values, or an array of String values, e.g.:

    String value1 = "IAIK JavaSecurity";
    String value2 = "IAIK PKI";
    String[] values = { value1, value2 };
    Group group = new Group(values);
If the attribute policy authority differs from the AC issuer, use method setPolicyAuthority to specify the attribute policy authority:

    GeneralNames policyAuthority = ...;
    group.setPolicyAuthority(policyAuthority);

Finally use method addAttribute of class AttributeCertificate to add the Group object as attribute to an AttributeCertificate:

    // create attribute certificate
    AttributeCertificate ac = new AttributeCertificate();
    ...
    // set holder, issuer, validity,...
    ...
    // add Group attribute
    ac.addAttribute(new Attribute(group));
    ...
    // sign and encode certificate
    ac.sign(...);
    byte[] encodedAc = ac.getEncoded();

On the receiving side use method getAttribute of class AttributeCertificate to get a Group attribute -- if included -- from an Attribute Certificate:
    // the AttributeCertificate:
    AttributeCertificate ac = new AttributeCertificate(encodedAc);
    ...
    // verify signature, check validity,...
    ...
    // query for Group attribute:
    Attribute groupAttribute = ac.getAttribute(Group.oid);
    if (groupAttribute != null) {
      // Group is only allowed to be a single-valued attribute
      Group group = (Group)groupAttribute.getAttributeValue();
      // get values
      ASN valueType = group.getASN1TypeOfValues();
      System.out.println("ASN.1 type of values is " + valueType.getName());
      Enumeration values = group.getValues();
      while (values.hasMoreElements()) {
        // we know that we only have used UTF8String values
        String value = (String)values.nextElement();
        System.out.println("AC holder is member of group: " + value);
      }
      // get policy authority, if included
      GeneralNames policyAuthority = group.getPolicyAuthority();
      if (policyAuthority != null) {
        ...
      }
    }
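The IetfAttrSyntax definition above and the receiving-side loop, which casts every value to String, both turn on the same question: which CHOICE alternative the values SEQUENCE uses. The following is an added, library-independent example (Python, written for this page; it is not IAIK code and does not use the IAIK API) that encodes and decodes IetfAttrSyntax in DER and rejects a values SEQUENCE that mixes alternatives, which RFC 5755 forbids. The group names, the dNSName "ca.example.org" used as policyAuthority and the OIDs in the usage section are constructed sample data; the tag values follow the IMPLICIT TAGS convention of the RFC 5755 ASN.1 module, so the [0] policyAuthority tag (0xA0) directly wraps the GeneralName elements.

```python
"""Constructed example (not IAIK code): minimal DER encoder/decoder for the
IetfAttrSyntax structure that carries the Group attribute (RFC 5755)."""
from typing import List, Optional, Tuple

GROUP_OID = "1.3.6.1.5.5.7.10.4"  # id-aca-group
OCTET_STRING, OBJECT_IDENTIFIER, UTF8_STRING, SEQUENCE = 0x04, 0x06, 0x0C, 0x30
# policyAuthority [0] GeneralNames: the RFC 5755 module uses IMPLICIT TAGS, so the
# context tag replaces the SEQUENCE tag and directly wraps the GeneralName elements.
POLICY_AUTHORITY = 0xA0


def _length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One DER element: tag, length, content."""
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID (first arc 0, 1 or 2) -> DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OBJECT_IDENTIFIER, bytes(out))


def decode_oid(content: bytes) -> str:
    """OBJECT IDENTIFIER content octets -> dotted string."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


ENCODERS = {
    "octets": lambda v: tlv(OCTET_STRING, v),
    "oid": encode_oid,
    "string": lambda v: tlv(UTF8_STRING, v.encode("utf-8")),
}
DECODERS = {
    OCTET_STRING: ("octets", bytes),
    OBJECT_IDENTIFIER: ("oid", decode_oid),
    UTF8_STRING: ("string", lambda v: v.decode("utf-8")),
}


def encode_group(kind: str, values: List, policy_authority: Optional[bytes] = None) -> bytes:
    """Encode IetfAttrSyntax. `kind` is the one CHOICE alternative used for every value;
    `policy_authority` is the pre-encoded content of GeneralNames (GeneralName TLVs)."""
    body = b""
    if policy_authority is not None:
        body += tlv(POLICY_AUTHORITY, policy_authority)
    body += tlv(SEQUENCE, b"".join(ENCODERS[kind](v) for v in values))
    return tlv(SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, end offset) of the element at pos; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length (not DER)")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + ln
    if end > len(buf):
        raise ValueError("element content overruns buffer")
    return tag, buf[pos:end], end


def decode_group(der: bytes) -> Tuple[Optional[bytes], Optional[str], List]:
    """Decode IetfAttrSyntax -> (policyAuthority content or None, kind, values).
    Raises ValueError on bad framing, foreign tags, or mixed CHOICE alternatives."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("IetfAttrSyntax must be exactly one SEQUENCE")
    policy_authority = None
    tag, inner, pos = _read_tlv(body, 0)
    if tag == POLICY_AUTHORITY:  # optional, and must come first
        policy_authority = inner
        tag, inner, pos = _read_tlv(body, pos)
    if tag != SEQUENCE or pos != len(body):
        raise ValueError("values SEQUENCE OF must be the last component")
    values, kinds, p = [], set(), 0
    while p < len(inner):
        t, v, p = _read_tlv(inner, p)
        if t not in DECODERS:
            raise ValueError("unexpected tag 0x%02x in values" % t)
        kind, convert = DECODERS[t]
        kinds.add(kind)
        values.append(convert(v))
    if len(kinds) > 1:  # RFC 5755: all values of one attribute use the same alternative
        raise ValueError("values mixes CHOICE alternatives: " + ", ".join(sorted(kinds)))
    return policy_authority, (kinds.pop() if kinds else None), values
```

The decoder's ValueError on a mixed values SEQUENCE is the structural error that the IAIK Group(ASN1Object) constructor reports as a CodingException. The receiving-side code on this page can cast every element to String only because it issued the certificate itself; a relying party that accepts ACs from other issuers should branch on getASN1TypeOfValues() exactly as decode_group branches on the element tag, and treat a value of an unexpected type as a verification failure rather than a ClassCastException.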
| Modifier and Type | Field and Description |
|---|---|
| static ObjectID | oid: The attributeType object identifier of the Group attribute. |
| Constructor and Description |
|---|
| Group(): Empty default constructor. |
| Group(ASN1Object obj): Creates a Group object from its ASN.1 representation. |
| Group(byte[][] values): Creates a Group object for the given byte[] values array. |
| Group(ObjectID[] values): Creates a Group object for the given ObjectID values array. |
| Group(java.lang.String[] values): Creates a Group object for the given String values array. |
| Modifier and Type | Method and Description |
|---|---|
| ObjectID | getAttributeType(): Returns the OID (1.3.6.1.5.5.7.10.4) identifying the Group attribute type. |
| boolean | multipleAllowed(): Returns whether multiple Group values are allowed in the SET OF AttributeValue of the Attribute object to which this Group AttributeValue may belong. |
Methods inherited from class IetfAttrSyntax:
containsValue, decode, getASN1TypeOfValues, getPolicyAuthority, getValues, numberOfValues, setPolicyAuthority, toASN1Object, toString

Methods inherited from class AttributeValue:
getName

Field Detail

public static final ObjectID oid

The attributeType object identifier (1.3.6.1.5.5.7.10.4) of the Group attribute.

Constructor Detail
public Group()

Empty default constructor.

public Group(byte[][] values) throws java.lang.IllegalArgumentException

Creates a Group object for the given byte[] values array. Use method setPolicyAuthority for specifying an attribute policy authority, if required.

Parameters:
values - a number of byte arrays representing the OCTET_STRING values of this Group

Throws:
java.lang.IllegalArgumentException - if this Group only allows one value but the given array contains more than one value
java.lang.NullPointerException - if values is null

public Group(ObjectID[] values) throws java.lang.IllegalArgumentException

Creates a Group object for the given ObjectID values array. Use method setPolicyAuthority for specifying an attribute policy authority, if required.

Parameters:
values - an ObjectID array representing the ObjectID values of this Group

Throws:
java.lang.IllegalArgumentException - if this Group only allows one value but the given array contains more than one value
java.lang.NullPointerException - if values is null

public Group(java.lang.String[] values) throws java.lang.IllegalArgumentException

Creates a Group object for the given String values array. Use method setPolicyAuthority for specifying an attribute policy authority, if required.

Parameters:
values - an array of String objects representing the UTF8String values of this Group

Throws:
java.lang.IllegalArgumentException - if this Group only allows one value but the given array contains more than one value
java.lang.NullPointerException - if values is null

public Group(ASN1Object obj) throws CodingException

Creates a Group object from its ASN.1 representation by parsing the policyAuthority and values fields from the given ASN.1 object:

    Group ::= SEQUENCE {
        policyAuthority [0] GeneralNames OPTIONAL,
        values SEQUENCE OF CHOICE {
            octets OCTET STRING,
            oid OBJECT IDENTIFIER,
            string UTF8String
        }
    }

The policyAuthority field may be set when the attribute policy authority differs from the AC issuer.
Although the values field is specified as a SEQUENCE OF CHOICE between OCTET_STRING, ObjectID and UTF8String, all values of one attribute must use the same CHOICE alternative. In practice values therefore is a SEQUENCE OF OCTET_STRING objects, a SEQUENCE OF ObjectID objects, or a SEQUENCE OF UTF8String objects.

Parameters:
obj - the Group as ASN1Object

Throws:
CodingException - if the ASN.1 object cannot be parsed or is invalidly structured (e.g. if the values component does not contain only OCTET_STRING, ObjectID, or UTF8String objects)

Method Detail

public ObjectID getAttributeType()

Returns the OID (1.3.6.1.5.5.7.10.4) identifying the Group attribute type.

Specified by:
getAttributeType in class AttributeValue

Returns:
the OID (1.3.6.1.5.5.7.10.4) identifying the Group attribute type

public boolean multipleAllowed()

Returns whether multiple Group values are allowed in the SET OF AttributeValue of the Attribute object to which this Group AttributeValue may belong.
This method returns false because a Group attribute must be single-valued, meaning that only one Group attribute value can be contained in the SET OF AttributeValue of the Attribute object.
However, this does not reflect the values field of the Group, which may contain an arbitrary number of UTF8String, ObjectID or OCTET_STRING values, all of the same ASN.1 type.

Specified by:
multipleAllowed in class AttributeValue

Returns:
false since only one Group is allowed in the SET OF AttributeValue