iaik.x509.attr.extensions

Class AuditIdentity

java.lang.Object

iaik.x509.V3Extension

iaik.x509.attr.extensions.AuditIdentity

public class AuditIdentity
extends V3Extension

This class implements the AuditIdentity attribute certificate extension.

When included in an attribute certificate, the AuditIdentity extension MUST be marked as being critical.

Each extension is associated with a specific certificateExtension object identifier. The OID for the AuditIdentity

 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
              dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

 id-pe   OBJECT IDENTIFIER ::= { id-pkix 1 }
 
 id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
 

which corresponds to the OID string "1.3.6.1.5.5.7.1.4".

The X.509 Attribute Certificate profile presented in RFC 5755 specifies the AuditIdentity extension to be used for audit/logging purposes without identifying the AC holder.
In situations where it should not be possible to directly identify individuals from information contained in audit trails should not provide information to directly identify individuals, the AC holder field cannot be used for audit/logging purposes. In such situations audit/logging can be done by using the value containded in the AuditIdentity extension. When using the AuditIdentity value together with the attribute certificate's issuer/serial number information for audit/logging, it should only be possible to derive the AC holder's identity when consulting the AC issuer. Thus audit/logging is anonymously, but with help of the AC issuer the AC holder's identity can be derived in the case when some misuse is detected.

The value of the AuditIdentity extension is defined as ASN.1 OCTET STRING which is not allowed to be empty and must not contain more than 20 octets (see RFC 5755 for more information):

 AuditIdentity ::= OCTET STRING
 

For adding an AuditIdentity extension object to an AttributeCertificate, use the addExtension method of class iaik.x509.attr.AttributeCertificate, e.g.:

 byte[] value = ...;
 AuditIdentity auditIdentity = new AuditIdentity(value);
 AttributeCertificate ac = new AttributeCertificate();
   ...
 ac.addExtension(auditIdentity);
 

On the receiving end use method getExtension method of the iaik.x509.attr.AttributeCertificate to get an AuditIdentity extension -- if included -- from an Attribute Certificate. On the server/service side, for instance, the AC issuer/serial may be used with the AuditIdentity value for audit/logging purposes in a way like:

 // the AttributeCertificate:
 AttributeCertificate ac = ...;
 ...
 // query for AuditIdentity extension:
 AuditIdentity auditIdentity = (AuditIdentity)ac.getExtension(AuditIdentity.oid);
 if (auditIdentity != null) {
   // AuditIdentity included
   byte[] auditValue = auditIdentity.getValue();
   // now use Issuer/serial and AuditIdentity value for logging, e.g.:
   log(ac.getIssuer() + " / " + ac.getSerialNumber().toString(16) + ", " + Util.toString(auditValue));
 } 
 

Version:

File Revision 4

See Also:

OCTET_STRING, V3Extension, AttributeCertificate

Field Summary

Fields

Modifier and Type	Field and Description
static ObjectID	oid The object identifier of this AuditIdentity extension.

Fields inherited from class iaik.x509.V3Extension

critical

Constructor Summary

Constructors

Constructor and Description
AuditIdentity() Default constructor.
AuditIdentity(byte[] value) Creates an AuditIdentity extension with the given value.

Method Summary

Methods

Modifier and Type	Method and Description
boolean	equals(java.lang.Object otherObject) Compares this object with the given one.
ObjectID	getObjectID() Returns the object ID of this AuditIdentity extension
byte[]	getValue() Returns the value of this AuditIdentity extension.
int	hashCode() Returns a hashcode for this identity.
void	init(ASN1Object obj) Inits this AuditIdentity implementation with an ASN1object representing the value of this extension.
void	setValue(byte[] value) Sets the value of this AuditIdentity extension.
ASN1Object	toASN1Object() Returns an ASN1Object representing the value of this AuditIdentity extension object.
java.lang.String	toString() Returns a string that represents the contents of this AuditIdentity extension.

Methods inherited from class iaik.x509.V3Extension

getName, isCritical, setCritical

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

oid

public static final ObjectID oid

The object identifier of this AuditIdentity extension. The corresponding OID string is "1.3.6.1.5.5.7.1.4".

Constructor Detail

AuditIdentity

public AuditIdentity()

Default constructor. Creates an empty AuditIdentity object.

Use the setValue method for setting the value of the AuditIdentity extension, e.g.:

 AuditIdentity auditIdentity = new AuditIdentity();
 byte[] value = ...;
 auditIdentity.set(value);
 

AuditIdentity

public AuditIdentity(byte[] value)

Creates an AuditIdentity extension with the given value.

For instance:

 byte[] value = ...;
 AuditIdentity auditIdentity = new AuditIdentity(value);
 

Parameters:

value - the value of the AuditIdentity extension

Throws:

java.lang.NullPointerException - if the given value is null

java.lang.IllegalArgumentException - if the given value is zero bytes long or is longer than 20 bytes

Method Detail

getObjectID

public ObjectID getObjectID()

Returns the object ID of this AuditIdentity extension

Specified by:

getObjectID in class V3Extension

Returns:

the object ID

init

public void init(ASN1Object obj)
          throws X509ExtensionException

Inits this AuditIdentity implementation with an ASN1object representing the value of this extension.

The given ASN1Object represents the OCTET STRING value of the AuditIdentity extension.

When parsing the ASN.1 representation of an attribute certificate this method is used for properly initializing an included AuditIdentity extension. This method initializes the extension only with its value, but not with its critical specification. For that reason, this method shall not be explicitly called by an application.

Specified by:

init in class V3Extension

Parameters:

obj - the AuditIdentity as ASN1Object

Throws:

X509ExtensionException - If the extension value is not an ASN.1 OCTET STRING object

toASN1Object

public ASN1Object toASN1Object()

Returns an ASN1Object representing the value of this AuditIdentity extension object.

The returned ASN1Object is an ASN.1 OCTET_STRING representing the value of this AuditIdentity extension:

 AuditIdentity ::= OCTET STRING
 

Specified by:

toASN1Object in class V3Extension

Returns:

the value of this AuditIdentity as ASN1Object

setValue

public void setValue(byte[] value)

Sets the value of this AuditIdentity extension.

For instance:

 AuditIdentity auditIdentity = new AuditIdentity();
 byte[] value = ...;
 auditIdentity.setValue(value);
 

Parameters:

value - the value to be set

Throws:

java.lang.NullPointerException - if the given value is null

java.lang.IllegalArgumentException - if the given value is zero bytes long or is longer than 20 bytes

See Also:

getValue()

getValue

public byte[] getValue()

Returns the value of this AuditIdentity extension.

Returns:

the value, as byte array (not cloned)

See Also:

setValue(byte[])

hashCode

public int hashCode()

Returns a hashcode for this identity.

Specified by:

hashCode in class V3Extension

Returns:

a hash code for this identity

equals

public boolean equals(java.lang.Object otherObject)

Compares this object with the given one.

This method returns true if both AuditIdentity objects contain the same value or both AuditIdentity contain null as value.

Overrides:

equals in class java.lang.Object

Parameters:

otherObject - the other object to compare with.

Returns:

true, if this object is equal to the other object, false otherwise.

toString

public java.lang.String toString()

Returns a string that represents the contents of this AuditIdentity extension.

Overrides:

toString in class java.lang.Object

Returns:

the string representation