public class SubjectInfoAccess extends InfoAccess

SubjectInfoAccess Extension.

The SubjectInfoAccess extension is a non-critical private internet extension.

The SubjectInfoAccess extension is associated with a specific certificateExtension object identifier, derived from:

    id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
    id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
    id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }

which corresponds to the OID string "1.3.6.1.5.5.7.1.11".

The X.509 Certificate and CRL profile presented in RFC 3280 specifies the SubjectInfoAccess extension for indicating how to access information and services for the subject of the certificate in which the extension appears. When the subject is a CA, information and services may include certificate validation services and CA policy data. When the subject is an end entity, the information describes the type of services offered and how to access them. In this case, the contents of this extension are defined in the protocol specifications for the supported services. This extension may be included in subject or CA certificates.

ASN.1 definition:

    SubjectInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription

    AccessDescription ::= SEQUENCE {
        accessMethod    OBJECT IDENTIFIER,
        accessLocation  GeneralName }

Each entry in the sequence SubjectInfoAccessSyntax describes the format and location of additional information provided by the subject of the certificate in which this extension appears. The type and format of the information is specified by the accessMethod field; the accessLocation field specifies the location of the information. The retrieval mechanism may be implied by the accessMethod or specified by accessLocation.
The X.509 PKIX profile defines one access method to be used when the subject is a CA, and one access method to be used when the subject is an end entity. Additional access methods may be defined in the future in the protocol specifications for other services.
The id-ad-caRepository OID is used when the subject is a CA, and publishes its certificates and CRLs (if issued) in a repository. The accessLocation field is defined as a GeneralName, which can take several forms. Where the information is available via http, ftp, or ldap, accessLocation MUST be a uniformResourceIdentifier. Where the information is available via the directory access protocol (dap), accessLocation MUST be a directoryName. When the information is available via electronic mail, accessLocation MUST be an rfc822Name. The semantics of other name forms of accessLocation (when accessMethod is id-ad-caRepository) are not defined by this specification.
The id-ad-timeStamping OID is used when the subject offers timestamping services using the Time Stamp Protocol. Where the timestamping services are available via http or ftp, accessLocation MUST be a uniformResourceIdentifier. Where the timestamping services are available via electronic mail, accessLocation MUST be an rfc822Name. Where timestamping services are available using TCP/IP, the dNSName and ipAddress name forms may be used.
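
An added example, not part of the IAIK documentation or library: a plain-JDK (Java 17+) check of a DER-encoded SubjectInfoAccessSyntax value against the name-form rules of the two paragraphs above. The class name, the constructed sample bytes and the access-method OID values 1.3.6.1.5.5.7.48.5 (id-ad-caRepository) and 1.3.6.1.5.5.7.48.3 (id-ad-timeStamping), which come from RFC 3280 rather than from this page, are assumptions of the example.

```java
import java.util.*;
public class SiaNameFormCheck {
    static final Map<String, String> METHODS = Map.of(  // DER content bytes of each OID, as hex
        "2b06010505073005", "id-ad-caRepository", "2b06010505073003", "id-ad-timeStamping");
    // GeneralName tags whose meaning the profile defines for each accessMethod.
    static final Map<String, Set<Integer>> DEFINED = Map.of(
        "id-ad-caRepository", Set.of(0x86, 0xA4, 0x81),         // URI, directoryName, rfc822Name
        "id-ad-timeStamping", Set.of(0x86, 0x81, 0x82, 0x87));  // URI, rfc822Name, dNSName, iPAddress
    static byte[] d; static int pos;  // input and read offset (single-threaded example)

    // Reads a DER tag and definite length at pos; returns {tag, end offset of the content}.
    static int[] header() {
        if (pos + 2 > d.length) throw new IllegalArgumentException("truncated DER");
        int tag = d[pos++] & 0xFF, len = d[pos++] & 0xFF;
        if (len >= 0x80) {  // long form: the next (len & 0x7F) bytes hold the length
            int n = len & 0x7F;
            if (n == 0 || n > 2 || pos + n > d.length) throw new IllegalArgumentException("bad length");
            for (len = 0; n-- > 0; ) len = (len << 8) | (d[pos++] & 0xFF);
        }
        if (pos + len > d.length) throw new IllegalArgumentException("length exceeds input");
        return new int[] { tag, pos + len };
    }

    // Returns one finding per AccessDescription of a DER-encoded SubjectInfoAccessSyntax value.
    static List<String> check(byte[] der) {
        d = der; pos = 0;
        int[] seq = header();
        if (seq[0] != 0x30 || seq[1] == pos) throw new IllegalArgumentException("SEQUENCE SIZE (1..MAX) expected");
        List<String> out = new ArrayList<>();
        while (pos < seq[1]) {
            int[] ad = header(), oid = header();
            if (ad[0] != 0x30 || ad[1] > seq[1] || oid[0] != 0x06 || oid[1] > ad[1])
                throw new IllegalArgumentException("malformed AccessDescription");
            String method = METHODS.get(HexFormat.of().formatHex(d, pos, oid[1]));
            pos = oid[1];
            int[] loc = header();  // accessLocation: only its GeneralName tag is inspected
            if (loc[1] != ad[1]) throw new IllegalArgumentException("malformed accessLocation");
            pos = loc[1];
            out.add(method == null ? "unknown accessMethod: not checked"
                : method + (DEFINED.get(method).contains(loc[0]) ? ": defined name form" : ": name form not defined"));
        }
        return out;
    }

    public static void main(String[] args) {
        check(HexFormat.of().parseHex("303f"  // constructed sample: timeStamping + URI, caRepository + dNSName
            + "302306082b060105050730038617687474703a2f2f746573742e7473702e636f6d2f747370"
            + "301806082b06010505073005820c7265706f2e6578616d706c65")).forEach(System.out::println);
    }
}
```
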
A SubjectInfoAccess object may be created either by using the empty default constructor, or by directly supplying one access description, which has to be of type AccessDescription, e.g.:

    String tspURL = "http://test.tsp.com/tsp";
    AccessDescription ad = new AccessDescription(ObjectID.timeStamping, tspURL);
    SubjectInfoAccess subjectInfoAccess = new SubjectInfoAccess(ad);

Any further access description can be added by using the addAccessDescription method:

    subjectInfoAccess.addAccessDescription(...);
    ...

For adding a SubjectInfoAccess extension object to an X509Certificate, use the addExtension method of the X509Certificate class:

    X509Certificate cert = new X509Certificate();
    ...
    cert.addExtension(subjectInfoAccess);

On the receiving side, you may check if a SubjectInfoAccess extension is included in a certificate and then look for any included AccessDescription, e.g.:

    X509Certificate cert = ...;
    SubjectInfoAccess subjectInfoAccess = (SubjectInfoAccess)cert.getExtension(SubjectInfoAccess.oid);
    if (subjectInfoAccess != null) {
        AccessDescription ad = subjectInfoAccess.getAccessDescription(ObjectID.timeStamping);
        if (ad != null) {
            String tspURL = ad.getUriAccessLocation();
            ...
        }
    }

See also: AccessDescription, GeneralName, ObjectID, V3Extension, X509Extensions, X509Certificate, InfoAccess

Modifier and Type | Field and Description |
---|---|
static ObjectID | oid - The object identifier of this SubjectInfoAccess extension. |

critical

Constructor and Description |
---|
SubjectInfoAccess() - Default constructor. |
SubjectInfoAccess(AccessDescription accessDescription) - Creates a SubjectInfoAccess object and adds an AccessDescription. |

Modifier and Type | Method and Description |
---|---|
ObjectID | getObjectID() - Returns the object ID of this SubjectInfoAccess extension. |
int | hashCode() - Returns a hashcode for this identity. |

addAccessDescription, getAccessDescription, getAccessDescriptions, init, removeAllAccessDescriptions, toASN1Object, toString
getName, isCritical, setCritical

public static final ObjectID oid

public SubjectInfoAccess()

SubjectInfoAccess object.

To add an access description, use the addAccessDescription method. Any AccessDescription to be added has to be of type iaik.asn1.structures.AccessDescription, e.g.:

    String tspURL = "http://test.tsp.com/tsp";
    AccessDescription ad = new AccessDescription(ObjectID.timeStamping, tspURL);
    SubjectInfoAccess subjectInfoAccess = new SubjectInfoAccess();
    subjectInfoAccess.addAccessDescription(ad);
    ...

See also: AccessDescription

public SubjectInfoAccess(AccessDescription accessDescription) throws java.lang.IllegalArgumentException

Creates a SubjectInfoAccess object and adds an AccessDescription.

The AccessDescription to be added has to be of type iaik.asn1.structures.AccessDescription, e.g.:

    String tspURL = "http://test.tsp.com/tsp";
    AccessDescription ad = new AccessDescription(ObjectID.timeStamping, tspURL);
    SubjectInfoAccess subjectInfoAccess = new SubjectInfoAccess(ad);
    ...

Parameters: accessDescription - the AccessDescription to add

Throws: java.lang.IllegalArgumentException - if a null object is supplied

See also: AccessDescription

public ObjectID getObjectID()

Returns the object ID of this SubjectInfoAccess extension.

getObjectID in class V3Extension

public int hashCode()

hashCode in class V3Extension