iaik.x509.ocsp.extensions

Class Nonce

java.lang.Object

iaik.x509.V3Extension

iaik.x509.ocsp.extensions.Nonce

public class Nonce
extends V3Extension

This class implements the OCSP Nonce extension.

As with all OCSP extensions, support of the Nonce extension is optional for client and servers. The critical flag should not be set.

Each OCSP extension is associated with a specific ocsp extension object identifier, derived from RFC 2560, RFC 6960:

 id-pkix  OBJECT IDENTIFIER  ::=
        { iso(1) identified-organization(3) dod(6) internet(1)
          security(5) mechanisms(5) pkix(7) }

 id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }       
        -- arc for access descriptors

 id-ad-ocsp      OBJECT IDENTIFIER ::= { id-ad 1 }
 
 id-pkix-ocsp    OBJECT IDENTIFIER ::= { id-ad-ocsp }
 

The object identifier for the Nonce extension is defined as:

 id-pkix-ocsp-nonce           OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
 

which corresponds to the OID string "1.3.6.1.5.5.7.48.1.2".

The Online Certificate Status Protocol ( RFC 2560), RFC 6960) specifies the Nonce extension for cryptographically binding a request and a response to prevent replay attacks. The nonce is included as one of the requestExtensions in an OCSPRequest, while in responses it would be included as one of the responseExtensions. The extnValue is the value of the nonce.

For adding a Nonce extension object to a request or response, use method addExtension, e.g.:

 byte[] value = ...;
 Nonce nonce = new Nonce(value);
 ocspRequest.addExtension(nonce);
 

respectively:

 Nonce nonce = (Nonce)ocspRequest.getExtension(Nonce.oid);
 basicOCSPResponse.addExtension(nonce);
 

Version:

File Revision 11

See Also:

OCSPRequest, BasicOCSPResponse, V3Extension, X509Extensions

Field Summary

Fields

Modifier and Type	Field and Description
static ObjectID	oid The object identifier of this Nonce extension.

Fields inherited from class iaik.x509.V3Extension

critical

Constructor Summary

Constructors

Constructor and Description
Nonce() Default constructor.
Nonce(byte[] value) Creates a Nonce extension for the given value.

Method Summary

Methods

Modifier and Type	Method and Description
ObjectID	getObjectID() Returns the object ID of this Nonce extension
byte[]	getValue() Returns the nonce value.
static boolean	getWrapNonceValue() Gets whether to wrap the Nonce value into an ASN.1 OCTET_STRING before putting it into the OCSP Extension extnValue field.
int	hashCode() Returns a hashcode for this identity.
void	init(ASN1Object obj) Inits this Nonce implementation with an ASN1object representing the value of this extension.
void	setValue(byte[] value) Sets the nonce value.
static void	setWrapNonceValue(boolean wrap) Decides whether to wrap the Nonce value into an ASN.1 OCTET_STRING before putting it into the OCSP Extension extnValue field.
ASN1Object	toASN1Object() Returns an ASN1Object representing the value of this Nonce extension.
java.lang.String	toString() Returns a string that represents the contents of this Nonce extension.

Methods inherited from class iaik.x509.V3Extension

getName, isCritical, setCritical

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

oid

public static final ObjectID oid

The object identifier of this Nonce extension. The corresponding OID string is "1.3.6.1.5.5.7.48.1.2".

Constructor Detail

Nonce

public Nonce()

Default constructor. Creates an empty Nonce object. Use method setValue for setting the nonce value.

Nonce

public Nonce(byte[] value)

Creates a Nonce extension for the given value.

Parameters:

value - the nonce value

Method Detail

setWrapNonceValue

public static final void setWrapNonceValue(boolean wrap)

Decides whether to wrap the Nonce value into an ASN.1 OCTET_STRING before putting it into the OCSP Extension extnValue field.

RFC 2560 did not specify an ASN.1 representation for the Nonce extension and said that the extnValue is the value of the Nonce (see RFC 2560, section 4.4.1):

 The nonce cryptographically binds a request and a response to prevent
 replay attacks. The nonce is included as one of the requestExtensions
 in requests, while in responses it would be included as one of the
 responseExtensions. In both the request and the response, the nonce
 will be identified by the object identifier id-pkix-ocsp-nonce, while
 the extnValue is the value of the nonce.

  id-pkix-ocsp-nonce     OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
 

For that reason IAIK-JCE <= 5.01 has put the raw Nonce value into the OCSP Extension extnValue OCTET STRING:

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }
 

The next version of OCSP ( RFC 6960) will specify an ASN.1 syntax for the Nonce extension to clarify that the Nonce value has to be wrapped into an ASN.1 OCTET STRING before putting it into the Extension extnValue field:

 Nonce ::= OCTET STRING
 

For that reason IAIK-JCE > 5.01 now wraps the Nonce value into an OCTET STRING before putting it into the extnValue OCTET STRING. Thus the extnValue field contains a nested structure of one OCTET STRING (containing the raw Nonce value) wrapped by another OCTET STRING. This behaviour is more compliant with the general Extension syntax where each X.509 Extension has its specific ASN.1 syntax.

If you want to fall back to the old IAIK-JCE behaviour to not wrap the Nonce extension into an OCTET STRING you may call this method with false as parameter:

 Nonce.setWrapNonceValue(false);
 

Parameters:

wrap - true (default) to wrap the Nonce into an OCTET STRING, false to not wrap it

getWrapNonceValue

public static final boolean getWrapNonceValue()

Gets whether to wrap the Nonce value into an ASN.1 OCTET_STRING before putting it into the OCSP Extension extnValue field.

RFC 2560 did not specify an ASN.1 representation for the Nonce extension and said that the extnValue is the value of the Nonce (see RFC 2560, section 4.4.1):

 The nonce cryptographically binds a request and a response to prevent
 replay attacks. The nonce is included as one of the requestExtensions
 in requests, while in responses it would be included as one of the
 responseExtensions. In both the request and the response, the nonce
 will be identified by the object identifier id-pkix-ocsp-nonce, while
 the extnValue is the value of the nonce.

  id-pkix-ocsp-nonce     OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
 

For that reason IAIK-JCE <= 5.01 has put the raw Nonce value into the OCSP Extension extnValue OCTET STRING:

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }
 

The next version of OCSP ( RFC 6960) specifies an ASN.1 syntax for the Nonce extension to clarify that the Nonce value has to be wrapped into an ASN.1 OCTET STRING before putting it into the Extension extnValue field:

 Nonce ::= OCTET STRING
 

For that reason IAIK-JCE > 5.01 now wraps the Nonce value into an OCTET STRING before putting it into the extnValue OCTET STRING. Thus the extnValue field contains a nested structure of one OCTET STRING (containing the raw Nonce value) wrapped by another OCTET STRING. This behaviour is more compliant with the general Extension syntax where each X.509 Extension has its specific ASN.1 syntax.

If you want to switch back to the old IAIK-JCE behaviour to not wrap the Nonce extension into an OCTET STRING you may call method setWrapNonceValue with false as parameter:

 Nonce.setWrapNonceValue(false);
 

Returns:

true (default) to wrap the Nonce into an OCTET STRING, false to not wrap it

getObjectID

public ObjectID getObjectID()

Returns the object ID of this Nonce extension

Specified by:

getObjectID in class V3Extension

Returns:

the object ID

init

public void init(ASN1Object obj)

Inits this Nonce implementation with an ASN1object representing the value of this extension.

The given ASN1Object is the one created by toASN1Object().

This method is used by the X509Extensions class when parsing the ASN.1 representation of a OCSP object for properly initializing an included Nonce extension. This method initializes the extension only with its value, but not with its critical specification. For that reason, this method shall not be explicitly called by an application.

Specified by:

init in class V3Extension

Parameters:

obj - the Nonce as ASN1Object (OCTET STRING)

toASN1Object

public ASN1Object toASN1Object()

Returns an ASN1Object representing the value of this Nonce extension.

Specified by:

toASN1Object in class V3Extension

Returns:

the value of this Nonce as ASN1Object (OCTET STRING)

setValue

public void setValue(byte[] value)

Sets the nonce value.

Parameters:

value - the nonce value, as byte array

getValue

public byte[] getValue()

Returns the nonce value.

Returns:

the nonce value, as byte array

hashCode

public int hashCode()

Returns a hashcode for this identity.

Specified by:

hashCode in class V3Extension

Returns:

a hash code for this identity

toString

public java.lang.String toString()

Returns a string that represents the contents of this Nonce extension.

Overrides:

toString in class java.lang.Object

Returns:

the string representation