public interface CertificateResponse extends ASN1Type

Interface to be implemented by any class representing a response message for a single certificate. The main purpose of this interface is to enforce that any certificate response can easily be identified by the ReqCert of the underlying target certificate:

```
ReqCert ::= CHOICE {
  certID        CertID,
  issuerSerial  [0] IssuerandSerialNumber,
  pKCert        [1] Certificate,
  name          [2] GeneralName,
  certHash      [3] OCTET STRING }
```
| Modifier and Type | Method and Description |
|---|---|
| `ReqCert` | `getReqCert()` Returns the reqCert of this certificate response. |
| `boolean` | `isResponseFor(ReqCert reqCert)` Checks if this is a certificate response for a certificate identified by the given reqCert. |
| `boolean` | `isResponseFor(X509Certificate targetCert, X509Certificate issuerCert, GeneralName generalName)` Checks if this is a certificate response for the given certificate identifying information. |
| `java.lang.String` | `toString()` Returns a String representation of this certificate response. |
Methods inherited from interface ASN1Type: decode, toASN1Object

ReqCert getReqCert()

Returns the reqCert of this certificate response.

boolean isResponseFor(X509Certificate targetCert, X509Certificate issuerCert, GeneralName generalName) throws OCSPException
Since OCSP v2-01 (see draft-ietf-pkix-ocspv2-01) uses no fewer than five alternatives (certID, issuerSerial, pKCert, name, certHash) to identify the target certificate for which status information shall be obtained, it might be the (hopefully not very probable) case that an OCSP server responds using a different reqCert type than the one sent with the client request (namely when maintaining precomputed responses).

If the reqCert types are the same in request and response, method isResponseFor(ReqCert) can be used to check whether this certificate response actually refers to the certificate in mind. However, if request and response use different ReqCert types (e.g. request: pKCert, response: certID), or they use a certID with different hash algorithms, this method may be used to try to "translate" the given certificate data into a reqCert of the type represented by the reqCert of this certificate response, and to check whether they are equal.
Translation is performed according to the following rules, depending on the type of the reqCert of this response:

- certID: targetCert and issuerCert have to be supplied; generalName is ignored. From the given certs, a certID is created and checked for equality with the certID of the reqCert of this certificate response.
- issuerSerial: targetCert has to be supplied; issuerCert and generalName are ignored. From the given target cert, an IssuerAndSerialNumber object is created and checked for equality with the issuerSerial of the reqCert of this certificate response.
- pKCert: targetCert has to be supplied; issuerCert and generalName are ignored. The given target cert is checked for equality with the pKCert of the reqCert of this certificate response.
- name: targetCert or generalName has to be supplied; issuerCert is ignored. If generalName is supplied, it is compared with the GeneralName of the reqCert of this response. If generalName is null but targetCert is supplied, a GeneralName of type directoryName is created from the target cert's SubjectDN and checked for equality with the generalName of the reqCert of this certificate response.
- certHash: targetCert has to be supplied; issuerCert and generalName are ignored. From the given target cert a SHA-1 hash is computed and compared with the certHash of the reqCert of this certificate response.
This method only returns true if the supplied information fits the type of the ReqCert of this response (according to the conditions above) and identifies the same certificate. In any other case this method returns false (e.g. the ReqCert of this response represents a type for which the supplied information is not appropriate, or the type is ok but another certificate is referenced).

Assuming, for instance, that the ReqCert of this response represents a certID, but you expect a pKCert, method isResponseFor(ReqCert) will fail. Now you may supply both the target cert and its issuing cert to check whether this is a response for the target certificate in mind, e.g.:
```java
// the target cert chain
X509Certificate[] targetCerts = ...;
boolean isResponseFor = certResponse.isResponseFor(targetCerts[0], targetCerts[1], null);
```
Parameters:
- targetCert - the target cert, if required
- issuerCert - the cert of the target cert issuer, if required
- generalName - a general name (if required for reqCert type "name")

Returns:
- true if this is a response for the target certificate asked for; or false if this is not a response for the target certificate in mind or not enough information is provided for handling the type of the inherent ReqCert

Throws:
- OCSPException - if some processing error occurs, e.g. if the ReqCert of this response represents a CertID but the certID's hash algorithm is not supported by the installed providers

boolean isResponseFor(ReqCert reqCert)

Parameters:
- reqCert - the reqCert identifying the certificate in mind

Returns:
- true if this is a certificate response for the certificate identified by the given reqCert, false if not

java.lang.String toString()

Overrides:
- toString in class java.lang.Object
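The translation rules of isResponseFor(X509Certificate, X509Certificate, GeneralName) above matter most when a client has to pick, out of the responses carried by one OCSP reply, the one that really refers to the certificate it asked about. The following helper is an added example and is not part of the IAIK API or its documentation. It assumes that the CertificateResponse array was obtained from the decoded OCSP reply (for instance from BasicOCSPResponse.getSingleResponses(), which is assumed here and not shown), and that ReqCert exposes getType() together with the type constants certID, issuerSerial, pKCert, name and certHash; those names are assumptions of this example. It first tries the exact ReqCert match and only then falls back to the certificate-based translation, and it treats an OCSPException (e.g. a certID hash algorithm no installed provider supports) as "not a match" rather than as an error to swallow silently.

```java
import iaik.x509.X509Certificate;
import iaik.x509.ocsp.CertificateResponse;
import iaik.x509.ocsp.OCSPException;
import iaik.x509.ocsp.ReqCert;

/**
 * Added example (not IAIK code): locate, among the CertificateResponse objects
 * of one OCSP reply, the one that refers to the certificate the client asked
 * about, tolerating a responder that answers with a different ReqCert type
 * than the one sent in the request (e.g. precomputed responses keyed by certID).
 *
 * Assumptions: ReqCert.getType() and the constants ReqCert.certID,
 * ReqCert.issuerSerial, ReqCert.pKCert, ReqCert.name, ReqCert.certHash
 * exist with these names (assumed for this example).
 */
public final class ResponseMatcher {

    private ResponseMatcher() {}

    /**
     * Returns the response identifying the target certificate, or null if none
     * does. A null result means "no status obtained" and must never be read as
     * "good".
     *
     * @param responses  responses carried by the decoded OCSP reply (assumed input)
     * @param requested  the ReqCert the client put into its request
     * @param targetCert the certificate whose status is wanted
     * @param issuerCert its issuer certificate (needed only for the certID form)
     */
    public static CertificateResponse findResponseFor(CertificateResponse[] responses,
                                                      ReqCert requested,
                                                      X509Certificate targetCert,
                                                      X509Certificate issuerCert) {
        // 1. Fast path: responder used the same ReqCert type and value as the request.
        for (CertificateResponse r : responses) {
            if (r.isResponseFor(requested)) {
                return r;
            }
        }
        // 2. Fallback: let each response "translate" the certificate data into its
        //    own ReqCert type (certID, issuerSerial, pKCert, name or certHash).
        //    generalName is null: for the "name" type a directoryName is derived
        //    from the target cert's SubjectDN; issuerCert is ignored except for certID.
        for (CertificateResponse r : responses) {
            try {
                if (r.isResponseFor(targetCert, issuerCert, null)) {
                    return r;
                }
            } catch (OCSPException e) {
                // e.g. certID with a hash algorithm no installed provider supports:
                // this response cannot be evaluated, so it is not a match. Record it
                // so an unexpected responder behaviour is visible in the logs.
                System.err.println("cannot evaluate response using " + describe(r.getReqCert())
                        + ": " + e.getMessage());
            }
        }
        return null;
    }

    /** Human-readable name of the ReqCert alternative a response uses (for logging). */
    public static String describe(ReqCert reqCert) {
        // The constants are assumed to be compile-time int constants (see class comment).
        switch (reqCert.getType()) {
            case ReqCert.certID:       return "certID";
            case ReqCert.issuerSerial: return "issuerSerial";
            case ReqCert.pKCert:       return "pKCert";
            case ReqCert.name:         return "name";
            case ReqCert.certHash:     return "certHash";
            default:                   return "unknown(" + reqCert.getType() + ")";
        }
    }
}
```

Matching a response to the requested certificate only answers "which entry is about my certificate". It says nothing about whether the reply itself is trustworthy: the OCSP response signature, the responder's authorization and, if one was sent, the request nonce still have to be verified before the status in the matched entry is acted upon.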