ProxyInfo (6.0 API Documentation)

java.lang.Object
- iaik.x509.V3Extension
- - iaik.x509.attr.extensions.ProxyInfo

```
public class ProxyInfo
extends V3Extension
```
This class implements the ProxyInfo attribute certificate extension.
When included in an attribute certificate, the ProxyInfo extension MUST be marked as being critical.
Each extension is associated with a specific certificateExtension object identifier. The OID for the ProxyInfo
```
 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
              dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

 id-pe   OBJECT IDENTIFIER ::= { id-pkix 1 }
 
 id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
 
```
which corresponds to the OID string "1.3.6.1.5.5.7.1.10".
The X.509 Attribute Certificate profile presented in RFC 5755 specifies the ProxyInfo extension to be used for proxying an attribute certificate from one server to another. Chains of proxies (where a number of servers is involved) are possible.
The ProxyInfo extension is defined as an ASN.1 SEQUENCE of Targets objects. Each Targets object can hold any number of Target elements of type TargetName, TargetGroup or TargetCert, however, the TargetCert choice must not be used (see RFC 5755):
```
 ProxyInfo ::= SEQUENCE OF Targets
 
 Targets ::= SEQUENCE OF Target

 Target  ::= CHOICE {
   targetName          [0] GeneralName,
   targetGroup         [1] GeneralName,
   targetCert          [2] TargetCert
 }

 TargetCert  ::= SEQUENCE {
   targetCertificate    IssuerSerial,
   targetName           GeneralName OPTIONAL,
   certDigestInfo       ObjectDigestInfo OPTIONAL
 }
 
```
When receiving an attribute certificate where the ProxyInfo extension is included, the AC verifier has to check if the sender -- which may be the AC holder or an intermediate server (proxy) -- was entitled to send the attribute certificate, and if the attribute certificate can be accepted by the AC verifier. This proxy check is successful if either the sender of the AC is the holder itself (in which case the current server must "match" the target condition of any of the included ProxySets (i.e. Targets objects), or if the sender of the AC and the current server are referred by the same ProxySet (i.e. sender and current server "match" the target condition of the same Targets object). "Matching" to a Targets object means that the sender/server must be one of the targetName elements of the Targets object, or that it must be a member of one of the targetGroup elements of the Targets object. How group membership may be verified, may depend on application specific settings. For instance, if a targetGroup specifies a DNS domain the AC verifier will have to know the DNS domain to which it belongs. Or, for instance, if a targetGroup specified "PRINTERS" the AC verifier must know if it is a, e.g., printer or print server (see RFC 5755).
If the attribute certificate has been proxied several times, the AC verifier must check that all targets on the path belong to the same proxySet (Targets object).
After having created a ProxyInfo extension object and having added any Targets objects as required, the ProxyInfo object has to be set as an extension for the AttributeCertificate object in mind, e.g.:
```
 // create ProxyInfo
 ProxyInfo proxyInfo = new ProxyInfo();
 // add two Targets
 TargetName targetName1 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.tugraz.at"));
 TargetName targetName2 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at"));
 // first Targets (ProxySet)
 Targets targets1 = new Targets();
 targets1.setTargets(new Target[] { targetName1, targetName2 });
 proxyInfo.addTargets(targets1);
 TargetName targetName3 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.iaik.at"));
 TargetName targetName4 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.tugraz.at"));
 // second Targets (ProxySet)
 Targets targets2 = new Targets();
 targets2.addTarget(targetName3);
 targets2.addTarget(targetName4);
 proxyInfo.addTargets(targets2);
 ...
 // add any further Targets objects if required
 ...
 // create attribute certificate
 AttributeCertificate ac = new AttributeCertificate();
 ...
 // set holder
 X509Certificate baseCert = ...;
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCert);
 ac.setHolder(holder);
 ...
 // set issuer, validity,...
 ...
 // add ProxyInfo extension
 ac.addExtension(proxyInfo);
 // sign and encode certificate
 ac.sign(...);
 byte[] encodedAc = ac.getEncoded();
 
```
On the receiving end use method getExtension of the AttributeCertificate to get a ProxyInfo extension -- if included -- from an Attribute Certificate:
```
 // the AttributeCertificate:
 AttributeCertificate ac = new AttributeCertificate(encodedAc);
 ...
 // verify signature, check validity,...
 ...
 // query for ProxyInfo extension:
 ProxyInfo proxyInfo = (ProxyInfo)ac.getExtension(ProxyInfo.oid);
 
```
Now you can use method checkProxy to check if you can accept the attribute certificate. When calling method checkProxy you have to specify the sender (from which you have received the attribute certificate) and the current server identity (to see if it matches the target condition). The targeting check is controlled by the TargetChecker. By default the TargetChecker performs an equality check; i.e. if the sender/server is given as Target object, it is checked of being equal to any of the included Target elements. For Target elements of type TargetName or TargetGroup the server object alternatively can be given as GeneralName object. For AC TargetGroup elements that contain a GeneralName of type dNSName a server GeneralName of type dNSName, uniformResourceIdentifier or rfc822Name also maybe checked of being in the domain specified by the AC TargetGroup dNSName. However, an application may @link iaik.x509.attr.Target#setTargetChecker plug-in} its own TargetChecker implementation for enforcing a more sophisticated target checking policy which may be tailored to application specific requirements that cannot be considered by a general default implementation.
As mentioned above the proxy check succeeds if either the sender of the AC is the holder itself (in which case the current server must "match" the target condition of any of the included ProxySets (Targets objects), or if the sender of the AC and the current server are refered by the same ProxySet (i.e. sender and current server "match" the target condition of the same Targets object). Following this, when calling method checkProxy the sender may be specified as Holder object (to be compared to the holder of the attribute certificate), or as Target or GeneralName object (to be searched of matching the target condition of any included ProxySets (Targets objects)). The server identity has to be specified as Target or GeneralName object (as long as the application has not plugged in its own TargetChecker).
If, for instance, for the example above, the sender is given as Holder object with the same base certificate and the current server is given as GeneralName ("http://jce.iaik.at"), the proxy check will succeed because the sender is equal to the holder and the current server is named by the first Targets element:
```
 // sender
 X509Certificate baseCert = ...;
 Holder sender = new Holder();
 sender.setBaseCertificateID(baseCert);
 // current server
 GeneralName server = new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at");
 // proxy check is successful:
 if (proxyInfo.checkProxy(sender, server)) {
    // success
 } else {
   // handle error condition
 }
 
```
The proxy check will also be successful for server names "http://jce.iaik.tugraz.at", "http://www.iaik.at" and "http://www.tugraz.at" (since named in the included Targets), but not for any other server name or if the sender is given as Holder that is not equal to the AC holder.
If the sender is not given as Holder object, but as GeneralName or Target, the proxy check will accept any of the names "http://jce.iaik.tugraz.at", "http://jce.iaik.at","http://www.iaik.at", "http://www.tugraz.at". However, since in this case sender and server must belong to the same ProxySet (Targets object), a sender-server pair like ("http://jce.iaik.at", "http://jce.iaik.tugraz.at") will be accepted, but a sender-server pair like ("http://jce.iaik.at", "http://www.tugraz.at") will be rejected:
```
 // sender
 GeneralName sender = new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at");
 // current server
 GeneralName server = new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.tugraz.at");
 // proxy check is successful (sender and server in same proxy set):
 if (proxyInfo.checkProxy(sender, server)) {
    // success
 } 
 
```
but:
```
 // sender
 GeneralName sender = new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at");
 // current server
 GeneralName server = new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.tugraz.at");
 // proxy check fails (sender and server in different proxy sets):
 if (!proxyInfo.checkProxy(sender, server)) {
    // reject
 } 
 
```
A proxy chain (where the attribute certificate has been proxied over a number of servers) may be checked by calling method checkProxyChain and specifying the proxy chain as array of Target elements. For instance, in the example above a proxy chain like "http://jce.iaik.at" - "http://jce.iaik.tugraz.at" will be accepted (since belonging to the same ProxySet), but the chain "http://jce.iaik.at" - "http://www.tugraz.at" will be rejected:
```
 TargetName proxyTarget1 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at"));
 TargetName proxyTarget2 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.tugraz.at"));
 Target[] proxyChain1 = { proxyTarget1, proxyTarget2 }
 // proxy chain check is successful (all in same proxy set):
 if (proxyInfo.checkProxyChain(proxyChain1)) {
    // success
 } 
 
```
but:
```
 TargetName proxyTarget3 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at"));
 TargetName proxyTarget4 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.tugraz.at"));
 Target[] proxyChain2 = { proxyTarget1, proxyTarget2 }
 // proxy chain check fails (different proxy sets):
 if (!proxyInfo.checkProxyChain(proxyChain2)) {
    // reject
 } 
 
```
Version:

File Revision 17

See Also:
GeneralName, V3Extension, AttributeCertificate, Target, Targets, TargetName, TargetGroup, TargetCert

Field Summary

Fields
Modifier and Type Field and Description

static ObjectID oid
The object identifier of this ProxyInfo extension.
- Fields inherited from class iaik.x509.V3Extension
  critical

Fields
Modifier and Type	Field and Description
`static ObjectID`	`oid` The object identifier of this ProxyInfo extension.

Constructor Summary

Constructors
Constructor and Description

ProxyInfo()
Default constructor.

Constructors
Constructor and Description
`ProxyInfo()` Default constructor.

Method Summary

Methods
Modifier and Type	Method and Description
`boolean`	`addTargets(Targets targets)` Adds the given Targets object.
`boolean`	`checkProxy(java.lang.Object sender, java.lang.Object server)` Checks if the attribute certificate containing this ProxyInfo can be accepted for the given sender-server pair.
`boolean`	`checkProxyChain(Target[] proxyChain)` Checks if the given proxy chain is valid for an attribute certificate containing this ProxyInfo extension.
`boolean`	`containsTargetElement(Target target)` Checks if the given Target element is contained in this ProxyInfo extension.
`ObjectID`	`getObjectID()` Returns the object ID of this `ProxyInfo` extension
`Target[]`	`getTargetElements()` Gets all Target elements included in the Targets objects of this ProxyInfo extension.
`Targets[]`	`getTargets()` Gets all Targets objects included in this ProxyInfo extension.
`Targets`	`getTargets(java.lang.Object server)` Searches if any of the included Targets contains a Target that matches the given server object.
`int`	`hashCode()` Returns a hashcode for this identity.
`void`	`init(ASN1Object obj)` Inits this `ProxyInfo` implementation with an ASN1object representing the value of this extension.
`int`	`numberOfTargetElements()` Returns the total number of Target elements that are contained in this ProxyInfo.
`int`	`numberOfTargets()` Returns the number of Targets objects that are contained in this ProxyInfo.
`void`	`removeAllTargets()` Removes all targets from this ProxyInfo.
`boolean`	`removeTargetElement(Target target)` Removes the given Target element from this ProxyInfo.
`boolean`	`removeTargets(Targets targets)` Removes the given Targets object from this ProxyInfo.
`void`	`setTargets(Targets[] targets)` Sets all Targets objects.
`void`	`specifyHolder(Holder holder)` Specifies the Holder of the attribute certificate to which this ProxyInfo extension belongs to.
`ASN1Object`	`toASN1Object()` Returns an ASN1Object representing the value of this `ProxyInfo` extension object.
`java.lang.String`	`toString()` Returns a string that represents the contents of this `ProxyInfo` extension.
`java.lang.String`	`toString(boolean detailed)` Returns a string that represents the contents of this `ProxyInfo` extension.

Methods inherited from class iaik.x509.V3Extension
getName, isCritical, setCritical

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, notify, notifyAll, wait, wait, wait

- Field Detail
  - oid
```
public static final ObjectID oid
```
    The object identifier of this ProxyInfo extension. The corresponding OID string is "1.3.6.1.5.5.7.1.10".
- Constructor Detail
  - ProxyInfo
```
public ProxyInfo()
```
    Default constructor. Creates an empty ProxyInfo object. Use method addTargets for adding Targets ProxySets (Targets objects) as required.
- Method Detail
  - getObjectID
```
public ObjectID getObjectID()
```
    Returns the object ID of this ProxyInfo extension
    
    Specified by:
    
    getObjectID in class V3Extension
    
    Returns:
    the object ID
  - init
```
public void init(ASN1Object obj)
          throws X509ExtensionException
```
    Inits this ProxyInfo implementation with an ASN1object representing the value of this extension.
    The given ASN1Object represents the SEQUENCE of Targets value of the ProxyInfo extension:
```
 ProxyInfo ::= SEQUENCE OF Targets
 
```
    When parsing the ASN.1 representation of an attribute certificate this method is used for properly initializing an included ProxyInfo extension. This method initializes the extension only with its value, but not with its critical specification. For that reason, this method shall not be explicitly called by an application.
    Specified by:
    
    init in class V3Extension
    
    Parameters:
    obj - the ProxyInfo as ASN1Object
    
    Throws:
    
    X509ExtensionException - If the extension value is not an ASN.1 SEQUENCE object or some error occurs when parsing the included Targets objects
  - toASN1Object
```
public ASN1Object toASN1Object()
                        throws X509ExtensionException
```
    Returns an ASN1Object representing the value of this ProxyInfo extension object.
    The returned ASN1Object is an ASN.1 SEQUENCE representing the value of this ProxyInfo extension:
```
 ProxyInfo ::= SEQUENCE OF Targets
 
```
    Specified by:
    
    toASN1Object in class V3Extension
    
    Returns:
    the value of this ProxyInfo as ASN1Object
    
    Throws:
    
    X509ExtensionException - if the extension could not be created
  - hashCode
```
public int hashCode()
```
    Returns a hashcode for this identity.
    
    Specified by:
    
    hashCode in class V3Extension
    
    Returns:
    a hash code for this identity
  - addTargets
```
public boolean addTargets(Targets targets)
```
    Adds the given Targets object.
    
    Parameters:
    targets - the Targets object to be added
    
    Returns:
    true if the Targets has been added, false if it has not been added because already contained in this ProxyInfo extension
  - setTargets
```
public void setTargets(Targets[] targets)
```
    Sets all Targets objects.
    
    Parameters:
    targets - the Targets to be set
  - removeTargets
```
public boolean removeTargets(Targets targets)
```
    Removes the given Targets object from this ProxyInfo.
    
    Parameters:
    targets - the Targets object to be removed
    
    Returns:
    true if the Targets object has been removed, false if no such Targets object was present
  - removeTargetElement
```
public boolean removeTargetElement(Target target)
```
    Removes the given Target element from this ProxyInfo.
    
    Parameters:
    target - the Target element to be removed
    
    Returns:
    true if the Target element has been removed, false if no such Target was present
  - removeAllTargets
```
public void removeAllTargets()
```
    Removes all targets from this ProxyInfo.
  - getTargets
```
public Targets[] getTargets()
```
    Gets all Targets objects included in this ProxyInfo extension.
    
    Returns:
    an array of all included Targets objects; the array may be empty
  - getTargetElements
```
public Target[] getTargetElements()
```
    Gets all Target elements included in the Targets objects of this ProxyInfo extension.
    This method steps through all included Targets objects and builds an array of all Target elements that are contained in the several Targets objects.
    
    Returns:
    an array of all included Target elements that are found in the Targets objects of this TargteInformation; the array may be empty
  - numberOfTargets
```
public int numberOfTargets()
```
    Returns the number of Targets objects that are contained in this ProxyInfo.
    
    Returns:
    the number of included Targets objects
  - numberOfTargetElements
```
public int numberOfTargetElements()
```
    Returns the total number of Target elements that are contained in this ProxyInfo.
    
    Returns:
    the number of included Target elements
  - getTargets
```
public Targets getTargets(java.lang.Object server)
                   throws TargetException
```
    Searches if any of the included Targets contains a Target that matches the given server object.
    This method steps through all Target elements included in this ProxyInfo extension. If it detects a Targets object that contains a Target element that denotes the given server/service as a valid target, this Targets object is returned.
    Since target checking may depend on application-specific requirements which cannot be known by this general default implementation, the default implementation of this method only can perform an equality check.
    This ProxyInfo belongs to the AttributeCertificate in mind and may contain any number of Target elements that may represent a TargetName, a TargetGroup or a TargetCert. The given server object only can be checked if it is given as Target object, too (in this case it is checked of being equal to any of the Target elements included in this ProxyInfo extension). If an included Target element represents a TargetName or a TargetGroup, the server object alternatively may be specified as GeneralName; in this case the TargetName/TargetGroup GeneralName is checked of being equal to the server GeneralName.
    In any other case -- if the supplied server object is not given as Target or GeneralName -- a TargetException is thrown indicating that the server object cannot be handled by this method. An application may implement its own TargetChecker and install it as application-wide TargetChecker to be used by calling method setTargetChecker:
```
 MyTargetChecker myTargetChecker = ...;
 Target.setTargetChecker(myTargetChecker);
 
```
    Parameters:
    server - the server/service to be checked for being a target of the AC
    
    Returns:
    the Targets object that contains a Target element that that denotes the given server/service as a valid target; or null if no Target for the given server can be found
    
    Throws:
    
    TargetException - if none of the Target element in this ProxyInfo extension accepts the server/service as valid target, but some of the Target elements cannot handle the server/service and thus cannot provide a reliable information. For instance, checking if a server/service belongs to some specific TargetGroup cannot be done in a general way because membership of a target to a TargetGroup only can be handled in application specfic manner, e.g. (see RFC 5755): a TargetGroup may specify a DNS domain and the AC verifier knows the DNS domain to which it belongs; or the TargetGroup specifies "PRINTERS," and the AC verifier knows if it is a printer or print server or not). In such cases the isTargetFor check must be done in a different, application specific way.
  - checkProxy
```
public boolean checkProxy(java.lang.Object sender,
                 java.lang.Object server)
                   throws TargetException
```
    Checks if the attribute certificate containing this ProxyInfo can be accepted for the given sender-server pair.
    When receiving an attribute certificate where the ProxyInfo extension is included, the AC verifier has to check if the sender -- which may be the AC holder or an intermediate server (proxy) -- was entitled to send the attribute certificate, and if the attribute certificate can be accepted by the AC verifier. This proxy check is successful if either the sender of the AC is the holder itself (in which case the current server must "match" the target condition of any of the included ProxySets (i.e. Targets objects), or if the sender of the AC and the current server are refered by the same ProxySet (i.e. sender and current server "match" the target condition of the same Targets object). "Matching" to a Targets object means that the sender/server must be one of the targetName elements of the Targets object, or that it must be a member of one of the targetGroup elements of the Targets object. How group membership may be verified, may depend on application specific settings. For instance, if a targetGroup specifies a DNS domain the AC verifier will have to know the DNS domain to which it belongs. Or, for instance, if a targetGroup specified "PRINTERS" the AC verifier must know if it is a, e.g., printer or print server (see RFC 5755).
    When calling this method you have to specify the sender (from which you have received the attribute certificate) and the current server identity (to see if it matches the target condition). The targeting check is controlled by the TargetChecker. When comaparing a given sender/server object against a Target element included in this ProxyInfo extension, the default TargetChecker implementation performs the following checks (in this order):
    1. If the server is given as Target object and is equal to the AC Target element, the check returns true.
    2. If the AC Target element represents a TargetName or TargetGroup and the server is given as GeneralName, the check returns true if the GeneralName of the AC Target is equal to the server GeneralName.
    3. If 1. and 2. have returned false and the AC Target is a TargetGroup containing a GeneralName of type dNSName the server maybe given as TargetGroup or GeneralName. In this case the server GeneralName is checked of being of type dNSName, uniformResourceIdentifier or rfc822Name. If the server GeneralName is of any of these three types the check returns true if the server name is in the domain specified by the dNSName of the AC TargetGroup (i.e. it is checked if the server name ends with the dNSName specified by the AC TargetGroup). If, for instance, the AC TargetGroup specifies a dNSName like "iaik.at" and the server name is "http://jce.iaik.at" the server is accepted as being a member of the AC TargetGroup.
    4. The check returns false, if any of the steps above has not come to a positive result.
    As seen from above the server can be given as Target object or -- if the TargetInformation contains TargetName or TargetGroup elements -- as GeneralName. In any other case -- if the supplied server object is not given as Target or GeneralName -- a TargetException is thrown indicating that the server object cannot be handled by the TargetChecker. An application may plug-in its own TargetChecker implementation for enforcing a more sophisticated target checking policy which may be tailored to application specific requirements that cannot be considered by a general default implementation.
    As mentioned above the proxy check succeeds if either the sender of the AC is the holder itself (in which case the current server must "match" the target condition of any of the included ProxySets (Targets objects), or if the sender of the AC and the current server are refered by the same ProxySet (i.e. sender and current server "match" the target condition of the same Targets object). Following this, when calling method checkProxy the sender may be specified as Holder object (to be compared to the holder of the attribute certificate), or as Target or GeneralName object (to be searched of matching the target condition of any included ProxySets (Targets objects)). The server identity has to be specified as Target or GeneralName object (as long as the application has not plugged in its own TargetChecker).
    For example, the holder field and ProxyInfo extension of an attribute certificate may have been created to contain the following values:
```
 // create ProxyInfo
 ProxyInfo proxyInfo = new ProxyInfo();
 // add two Targets
 TargetName targetName1 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.tugraz.at"));
 TargetName targetName2 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at"));
 // first Targets (ProxySet)
 Targets targets1 = new Targets();
 targets1.setTargets(new Target[] { targetName1, targetName2 });
 proxyInfo.addTargets(targets1);
 TargetName targetName3 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.iaik.at"));
 TargetName targetName4 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.tugraz.at"));
 // second Targets (ProxySet)
 Targets targets2 = new Targets();
 targets2.addTarget(targetName3);
 targets2.addTarget(targetName4);
 proxyInfo.addTargets(targets2);
 ...
 // add any further Targets objects if required
 ...
 // create attribute certificate
 AttributeCertificate ac = new AttributeCertificate();
 ...
 // set holder
 X509Certificate baseCert = ...;
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCert);
 ac.setHolder(holder);
 ...
 // set issuer, validity,...
 ...
 // add ProxyInfo extension
 ac.addExtension(proxyInfo);
 // sign and encode certificate
 ac.sign(...);
 byte[] encodedAc = ac.getEncoded();
 
```
    When the receiving this attribute certificate and using method checkProxy to validate the proxy information, the proxy check will succeed if the sender is given as Holder object with the same base certificate and the current server is given as GeneralName ("http://jce.iaik.at"): the sender is equal to the holder and the current server is named by the first Targets element:
```
 // sender
 X509Certificate baseCert = ...;
 Holder sender = new Holder();
 sender.setBaseCertificateID(baseCert);
 // current server
 GeneralName server = new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at");
 // proxy check is successful:
 if (proxyInfo.checkProxy(sender, server)) {
    // success
 } else {
   // handle error condition
 }
 
```
    The proxy check will also be successful for server names "http://jce.iaik.tugraz.at", "http://www.iaik.at" and "http://www.tugraz.at" (since named in the included Targets), but not for any other server name or if the sender is given as Holder that is not equal to the AC holder.
    If the sender is not given as Holder object, but as GeneralName or Target, the proxy check will accept any of the names "http://jce.iaik.tugraz.at", "http://jce.iaik.at","http://www.iaik.at", "http://www.tugraz.at". However, since in this case sender and server must belong to the same ProxySet (Targets object), a sender-server pair like ("http://jce.iaik.at", "http://jce.iaik.tugraz.at") will be accepted, but a sender-server pair like ("http://jce.iaik.at", "http://www.tugraz.at") will be rejected:
```
 // sender
 GeneralName sender = new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at");
 // current server
 GeneralName server = new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.tugraz.at");
 // proxy check is successful (sender and server in same proxy set):
 if (proxyInfo.checkProxy(sender, server)) {
    // success
 } 
 
```
    but:
```
 // sender
 GeneralName sender = new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at");
 // current server
 GeneralName server = new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.tugraz.at");
 // proxy check fails (sender and server in different proxy sets):
 if (!proxyInfo.checkProxy(sender, server)) {
    // reject
 } 
 
```
    Parameters:
    sender - the entity that has sent the attribute certificate containging this ProxyInfo extension
    server - the current server that has to be checked if it can accept the attribute certificate containing this ProxyInfo extension
    
    Returns:
    true if the proxy check is successful, false otherwise
    
    Throws:
    
    TargetException - if the proxy check cannot give a reliable answer (true/false) because any of the included Target elements cannot check the given sender/server object. For instance, checking if a sender/server belongs to some specific TargetGroup cannot be done in a general way because membership of a target to a TargetGroup only can be handled in application specfic manner, e.g. (see RFC 5755): a TargetGroup may specify a DNS domain and the AC verifier knows the DNS domain to which it belongs; or the TargetGroup specifies "PRINTERS," and the AC verifier knows if it is a printer or print server or not). In such cases the target condition check must be done in a different, application specific way by implementing and plugging-in a special TargetChecker.
  - checkProxyChain
```
public boolean checkProxyChain(Target[] proxyChain)
                        throws TargetException
```
    Checks if the given proxy chain is valid for an attribute certificate containing this ProxyInfo extension.
    If the attribute certificate has been proxied several times, the AC verifier must check that all targets on the path belong to the same proxySet (Targets object).
    When calling this method the targets on the path have to be supplied as array of Target elements. The proxy chain check succeeds if this ProxyInfo extension consists a Targets object to which all the given Target elements belong to.
    The targeting check is controlled by the TargetChecker. By default the TargetChecker performs an equality check; i.e. any of the Target elements of the given proxy chain is checked of being equal to any of the Target elements included in the reference Targets object of this ProxyInfo. An application may plug-in its own TargetChecker implementation for enforcing a more sophisticated target checking policy which may be tailored to application specific requirements that cannot be considered by a general default implementation.
    For example, the holder field and ProxyInfo extension of an attribute certificate may have been created to contain the following values:
```
 // create ProxyInfo
 ProxyInfo proxyInfo = new ProxyInfo();
 // add two Targets
 TargetName targetName1 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.tugraz.at"));
 TargetName targetName2 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at"));
 // first Targets (ProxySet)
 Targets targets1 = new Targets();
 targets1.setTargets(new Target[] { targetName1, targetName2 });
 proxyInfo.addTargets(targets1);
 TargetName targetName3 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.iaik.at"));
 TargetName targetName4 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.tugraz.at"));
 // second Targets (ProxySet)
 Targets targets2 = new Targets();
 targets2.addTarget(targetName3);
 targets2.addTarget(targetName4);
 proxyInfo.addTargets(targets2);
 ...
 // add any further Targets objects if required
 ...
 // create attribute certificate
 AttributeCertificate ac = new AttributeCertificate();
 ...
 // set holder
 X509Certificate baseCert = ...;
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCert);
 ac.setHolder(holder);
 ...
 // set issuer, validity,...
 ...
 // add ProxyInfo extension
 ac.addExtension(proxyInfo);
 // sign and encode certificate
 ac.sign(...);
 byte[] encodedAc = ac.getEncoded();
 
```
    When the receiving this attribute certificate and using method checkProxyChain to validate a proxy chain, a chain like "http://jce.iaik.at" - "http://jce.iaik.tugraz.at" will be accepted (since belonging to the same ProxySet), but the chain "http://jce.iaik.at" - "http://www.tugraz.at" will be rejected:
```
 TargetName proxyTarget1 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at"));
 TargetName proxyTarget2 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.tugraz.at"));
 Target[] proxyChain1 = { proxyTarget1, proxyTarget2 }
 // proxy chain check is successful (all in same proxy set):
 if (proxyInfo.checkProxyChain(proxyChain1)) {
   // success
 } 
 
```
    but:
```
 TargetName proxyTarget3 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://jce.iaik.at"));
 TargetName proxyTarget4 = new TargetName(new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.tugraz.at"));
 Target[] proxyChain2 = { proxyTarget1, proxyTarget2 }
 // proxy chain check fails (different proxy sets):
 if (!proxyInfo.checkProxyChain(proxyChain2)) {
    // reject
 } 
 
```
    Parameters:
    proxyChain - the proxy chain (array of Targets) to be checked
    
    Returns:
    true if this ProxyInfo contains a Targets objects to which all Target elements of the given ProxyChain belong to
    
    Throws:
    
    TargetException - if the proxy chain check cannot give a reliable answer (true/false) because any of the included Target elements cannot be checked by the installed TargetChecker
  - containsTargetElement
```
public boolean containsTargetElement(Target target)
```
    Checks if the given Target element is contained in this ProxyInfo extension.
    
    Parameters:
    target - the Target element to be checked if included
    
    Returns:
    true if the given Target is included, false if it is not included
  - specifyHolder
```
public void specifyHolder(Holder holder)
```
    Specifies the Holder of the attribute certificate to which this ProxyInfo extension belongs to. This method typically may not be used by an application. It only is used by the AttributeCertificate object to provide a reference to its Holder field which may be required for proxy checking.
    
    Parameters:
    holder - the Holder of the attribute certificate to which this ProxyInfo extension belongs to
  - toString
```
public java.lang.String toString()
```
    Returns a string that represents the contents of this ProxyInfo extension.
    
    Overrides:
    
    toString in class java.lang.Object
    
    Returns:
    the string representation
  - toString
```
public java.lang.String toString(boolean detailed)
```
    Returns a string that represents the contents of this ProxyInfo extension.
    
    Parameters:
    detailed - whether to give some detailed information about the included Targets objects
    
    Returns:
    the string representation

Class ProxyInfo

Field Summary

Fields inherited from class iaik.x509.V3Extension

Constructor Summary

Method Summary

Methods inherited from class iaik.x509.V3Extension

Methods inherited from class java.lang.Object

Field Detail

oid

Constructor Detail

ProxyInfo

Method Detail

getObjectID

init

toASN1Object

hashCode

addTargets

setTargets

removeTargets

removeTargetElement

removeAllTargets

getTargets

getTargetElements

numberOfTargets

numberOfTargetElements

getTargets

checkProxy

checkProxyChain

containsTargetElement

specifyHolder

toString

toString