iaik.x509.qualified

Class QualifiedCertificate

java.lang.Object

java.security.cert.Certificate

java.security.cert.X509Certificate

iaik.x509.X509Certificate

iaik.x509.qualified.QualifiedCertificate

All Implemented Interfaces:

ASN1Type, java.io.Serializable, java.security.cert.X509Extension

public class QualifiedCertificate
extends X509Certificate

This class represents a QualifiedCertificate according to PKIX Qualified Certificate Profile.

The PKIX Qualified Certificate Profile, specified in RFC 3739 and based on the PKIX certificate profile (RFC 3280), defines a certificate format for identifying a person with high level of assurance in public non-repudiation servises. The term Qualifed Certifiacte is used to describe a certificate with a certain qualified status within applicable governing law. A CA issuing a qualified certificate has to include information in the certificate indicating that the certificate is a qualified one. The Qualified Certificate Profile describes two complementary ways for including this inforamtion:

• As information defined by a certificate policy included in the certificate policies extension.
• As a statement included in the Qualified Certificates Statements extension.

The most proper way for recognizing a CertificatePolicies extension containing a qualified PolicyInformation term may be by looking at the policy identifier associated with the PolicyInformation object. In similar way each QCStatement included in a QCStatements extension is identified by its own statement ID which may indicate a qualified statement.

This class includes a static part allowing applications to register object identifiers indicating qualified PolicyInformations and qualified QCStatement terms by using the following two methods, respectively:

• registerQualifiedPolicyIDs
• registerQualifiedQCStatementIDs

For asking whether a given object id indicates a qualified policy information an application may call method isQualifiedPolicyID, for asking whether a given object id indicates a qualified QC statement, method isQualifiedQCStatementID may be used.
Furthermore the static part of this class contains two methods allowing to search a CertificatePolicies (respectively QCStatements) extension for any included qualified PolicyInformation or QCStatement term, respectively:

• containsQualifiedPolicyInformations
• containsQualifiedQCStatements

Finally static method isQualifedCertificate(X509Certificate cert) may be used for asking whether a given X509Certificate object is a qualifed one or not.

The non static part of this class extends X509Certificate for providing a few methods allowing to set QCStatements, BiometricInfo and CertificatePolicies extensions immediately, and asking for any included qualified PolicyInformation and any included qualified QCStatement terms.

Version:

File Revision 16

See Also:

Serialized Form

Nested Class Summary

Nested classes/interfaces inherited from class java.security.cert.Certificate

java.security.cert.Certificate.CertificateRep

Constructor Summary

Constructors

Constructor and Description
QualifiedCertificate() Creates a new QualifiedCertificate object.
QualifiedCertificate(byte[] array) Creates a QualifiedCertificate from the given byte array.
QualifiedCertificate(java.io.InputStream is) Creates a QualifiedCertificate from an input stream.

Method Summary

Methods

Modifier and Type	Method and Description
void	addExtension(V3Extension e) Adds the given extension.
static void	clearRegisteredQualifiedPolicyIDs() Clears all registered qualified policy ids.
static void	clearRegisteredQualifiedQCStatementIDs() Clears all registered qualified statement ids.
static PolicyInformation[]	containsQualifiedPolicyInformations(CertificatePolicies certPolicies) Checks if the given CertificatePolicies extensions contains any PolicyInformations with an OID indicating a qualified certificate.
static QCStatement[]	containsQualifiedQCStatements(QCStatements qcStatements) Checks if the given QCStatements extension contains any QCStatement terms with an OID indicating a qualified certificate.
BiometricInfo	getBiometricInfo() Returns the BiometricInfo extension included in this certificate, if present.
CertificatePolicies	getCertificatePolicies() Returns the CertificatePolicies extension included in this certificate, if present.
QCStatements	getQCStatements() Returns the QCStatements extension included in this certificate, if present.
PolicyInformation[]	getQualifiedPolicyInformations() Gets any included qualified PolicyInformation terms.
QCStatement[]	getQualifiedQCStatements() Gets any included qualified QCStatement terms.
static ObjectID[]	getRegisteredQualifiedPolicyIDs() Gets the registered qualified policy IDs.
static ObjectID[]	getRegisteredQualifiedQCStatementIDs() Gets the registered qualified certificate statement IDs.
static QualifiedCertificate	isQualifedCertificate(X509Certificate cert) Checks if the given certificate is a qualified one.
static boolean	isQualifiedPolicyID(ObjectID oid) Asks if the given oid indicates a qualified certificate policy.
static boolean	isQualifiedQCStatementID(ObjectID oid) Asks if the given oid indicates a qualified certificate statement.
static boolean	registerQualifiedPolicyID(ObjectID oid) Adds the given OID to the pool of registered qualified policy IDs.
static void	registerQualifiedPolicyIDs(ObjectID[] oids) Registers qualified policy IDs.
static boolean	registerQualifiedQCStatementID(ObjectID oid) Adds the given OID to the pool of registered qualified statement IDs.
static void	registerQualifiedQCStatementIDs(ObjectID[] oids) Registers qualified certificate statement IDs.
void	removeAllExtensions() Removes all extensions from this certificate.
boolean	removeExtension(ObjectID oid) Removes the extension specified by its object identifier.
static boolean	removeRegisteredQualifiedPolicyID(ObjectID oid) Removes the given oid from the pool of registered qualified policy ids.
static boolean	removeRegisteredQualifiedQCStatementID(ObjectID oid) Removes the given oid from the pool of registered qualified statement ids.
void	setBiometricInfo(BiometricInfo biometricInfo) Sets the BiometricInfo extension.
void	setCertificatePolicies(CertificatePolicies certPolicies) Sets the CertificatePolicies extension.
void	setQCStatements(QCStatements qcStatements) Sets the QCStatements extension.

Methods inherited from class iaik.x509.X509Certificate

checkValidity, checkValidity, countExtensions, decode, decode, getBasicConstraints, getCriticalExtensionOIDs, getEmailAddresses, getEncoded, getExtension, getExtensionValue, getFingerprint, getFingerprint, getFingerprintSHA, getIssuerDN, getIssuerUniqueID, getKeyUsage, getNonCriticalExtensionOIDs, getNotAfter, getNotBefore, getPublicKey, getRawExtensionValue, getSerialNumber, getSigAlgName, getSigAlgOID, getSigAlgParams, getSignature, getSignatureAlgorithm, getSubjectDN, getSubjectUniqueID, getTBSCertificate, getVersion, hasExtensions, hasUnsupportedCriticalExtension, listExtensions, setIssuerDN, setIssuerUniqueID, setPublicKey, setSerialNumber, setSignature, setSignatureAlgorithm, setSubjectDN, setSubjectUniqueID, setValidNotAfter, setValidNotBefore, setVersion, sign, sign, sign, sign, sign, toASN1Object, toByteArray, toString, toString, verify, verify, verify, verify, verify, verify, verify, writeTo

Methods inherited from class java.security.cert.X509Certificate

getExtendedKeyUsage, getIssuerAlternativeNames, getIssuerX500Principal, getSubjectAlternativeNames, getSubjectX500Principal

Methods inherited from class java.security.cert.Certificate

equals, getType, hashCode, writeReplace

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

QualifiedCertificate

public QualifiedCertificate()

Creates a new QualifiedCertificate object.

This method may be used by an application representing a CA intending to issue qualified certificates. Since this class is extended from X509Certificate any method introduced there may be used for setting the several certificate fields, signing and encoding the certificate.
When using this constructor for creating a new qualified certificate and subsequently signing and encoding it, never a check is performed if the certificate contains any information (QCStatement or PolicyInformation) indicating that the certificate is a qualified certificate. This allows to create and encode new certificates without having to register any qualified policy or statement IDs. It is the responsibility of the application to include proper PolicyInformation or QCStatement term(s) for accounting the certificate for serving as qualified certificate.

See Also:

X509Certificate.X509Certificate()

QualifiedCertificate

public QualifiedCertificate(java.io.InputStream is)
                     throws java.io.IOException,
                            java.security.cert.CertificateException,
                            QualifiedCertificateException

Creates a QualifiedCertificate from an input stream.

The supplied certificate may be in DER or PEM format. Reading in an encoded certificate with this constructor only may be successful if the certificate contains any information (PolicyInformation or QCStatement) indicating the purpose of being a qualified certificate. In this way this constructor checks if the given certificate includes the CertificatePolicies or QCStatements extension. If the CertificatePolicies extension is present any included PolicyInformation term is checked if having a registered policy id. If the QCStatements extension is present any included QCStatement term is checked if having a registered statement id. If neither any qualified PolicyInformation nor any qualified QCStatement terms are included, this constructor fails in creating a QualifiedCertificate object by throwing a QualifiedCertificateException. However, if this constructor succeeds in creating a QualifiedCertificate object you later may use methods getQualifiedPolicyInformations and getQualifiedQCStatements for asking for the qualified PolicyInformation and/or QCStatement terms included in the certificate.

Notice. An application may prefer to use a QualifiedCertificateFactory for decoding qualified certificates obtaining a X509Certificate object for any certificate that is not a qualified one.

Parameters:

is - InputStream from which to create the certificate

Throws:

java.io.IOException - if the certificate cannot be read

java.security.cert.CertificateException - if the certificate cannot be parsed

QualifiedCertificateException - if the certificate cannot be created because it is no qualified certificate (i.e. having no qualified (registered) PolicyInformation or QCStatement terms)

QualifiedCertificate

public QualifiedCertificate(byte[] array)
                     throws java.security.cert.CertificateException,
                            QualifiedCertificateException

Creates a QualifiedCertificate from the given byte array.

The supplied certificate may be in DER or PEM format. Reading in an encoded certificate with this constructor only may be successful if the certificate contains any information (PolicyInformation or QCStatement) indicating the purpose of being a qualified certificate. In this way this constructor checks if the given certificate includes the CertificatePolicies or QCStatements extension. If the CertificatePolicies extension is present any included PolicyInformation term is checked if having a registered policy id. If the QCStatements extension is present any included QCStatement term is checked if having a registered statement id. If neither any qualified PolicyInformation nor any qualified QCStatement terms are included, this constructor fails in creating a QualifiedCertificate object by throwing a QualifiedCertificateException. However, if this constructor succeeds in creating a QualifiedCertificate object you later may use methods getQualifiedPolicyInformations and getQualifiedQCStatements for asking for the qualified PolicyInformation and/or QCStatement terms included in the certificate.

Notice. An application may prefer to use a QualifiedCertificateFactory for decoding qualified certificates obtaining a X509Certificate object for any certificate that is not a qualified one.

Parameters:

array - the DER (PEM) encoded byte array from which to create the certificate

Throws:

java.security.cert.CertificateException - if the certificate cannot be parsed

QualifiedCertificateException - if the certificate cannot be created because it is no qualified certificate (i.e. having no qualified (registered) PolicyInformation or QCStatement terms)

Method Detail

registerQualifiedPolicyIDs

public static void registerQualifiedPolicyIDs(ObjectID[] oids)

Registers qualified policy IDs.

According to the PKIX Qualified Certificate Policy profile a qualified certificate may be recognized by either having a proper QCStatement included or having been issued according to a specific policy included in the CertificatePolicies extension and identified by a corresponding object identifier. This method allows to register object identifiers indicating qualified certificate policy informations.

Parameters:

oids - the qualified policy IDs to be set

registerQualifiedPolicyID

public static boolean registerQualifiedPolicyID(ObjectID oid)

Adds the given OID to the pool of registered qualified policy IDs.

According to the PKIX Qualified Certificate Policy profile a qualified certificate may be recognized by either having a proper QCStatement included or having been issued according to a specific policy included in the CertificatePolicies extension and identified by a corresponding object identifier. This method allows to register an object identifier indicating a qualified certificate policy information.

Parameters:

oid - the qualified policy ID to be registered

Returns:

true if the given oid has been successfully added, false if it already has been registered and therefore cannot be added twice

getRegisteredQualifiedPolicyIDs

public static ObjectID[] getRegisteredQualifiedPolicyIDs()

Gets the registered qualified policy IDs.

According to the PKIX Qualified Certificate Policy profile a qualified certificate may be recognized by either having a proper QCStatement included or having been issued according to a specific policy included in the CertificatePolicies extension and identified by a corresponding object identifier. This method returns all policy IDs that have been registered when calling registerQualifiedPolicyIDs.

Returns:

an array containing all registered qualified policy IDs

removeRegisteredQualifiedPolicyID

public static boolean removeRegisteredQualifiedPolicyID(ObjectID oid)

Removes the given oid from the pool of registered qualified policy ids.

Parameters:

oid - the oid to be removed

Returns:

true if the oid has been registered and now removed, false otherwise

clearRegisteredQualifiedPolicyIDs

public static void clearRegisteredQualifiedPolicyIDs()

Clears all registered qualified policy ids.

isQualifiedPolicyID

public static boolean isQualifiedPolicyID(ObjectID oid)

Asks if the given oid indicates a qualified certificate policy.

Returns:

true if the given oid has been registered as qualified policy id, false otherwise

containsQualifiedPolicyInformations

public static PolicyInformation[] containsQualifiedPolicyInformations(CertificatePolicies certPolicies)

Checks if the given CertificatePolicies extensions contains any PolicyInformations with an OID indicating a qualified certificate.

Returns:

an array holding all qualified PolicyInformations included in the given CertificatePolicies extension, or null if there are no qualified PolicyInformations included

registerQualifiedQCStatementIDs

public static void registerQualifiedQCStatementIDs(ObjectID[] oids)

Registers qualified certificate statement IDs.

According to the PKIX Qualified Certificate Policy profile a qualified certificate may be recognized by either having a proper QCStatement included or having been issued according to a specific policy included in the CertificatePolicies extension and identified by a corresponding object identifier. This method allows to register object identifiers indicating qualified certificate statements.

Parameters:

oids - the qualified certificate statement IDs to be set

registerQualifiedQCStatementID

public static boolean registerQualifiedQCStatementID(ObjectID oid)

Adds the given OID to the pool of registered qualified statement IDs.

According to the PKIX Qualified Certificate Policy profile a qualified certificate may be recognized by either having a proper QCStatement included or having been issued according to a specific policy included in the CertificatePolicies extension and identified by a corresponding object identifier. This method allows to register an object identifier indicating a qualified certificate statement.

Parameters:

oid - the qualified certificate statement ID to be registered

Returns:

true if the given oid has been successfully added, false if it already has been registered and therefore cannot be added twice

getRegisteredQualifiedQCStatementIDs

public static ObjectID[] getRegisteredQualifiedQCStatementIDs()

Gets the registered qualified certificate statement IDs.

According to the PKIX Qualified Certificate Policy profile a qualified certificate may be recognized by either having a proper QCStatement included or having been issued according to a specific policy included in the CertificatePolicies extension and identified by a corresponding object identifier. This method returns all statement IDs that have been registered when calling registerQualifiedQCStatementIDs.

Returns:

an array containing all registered qualified certificate statement IDs

removeRegisteredQualifiedQCStatementID

public static boolean removeRegisteredQualifiedQCStatementID(ObjectID oid)

Removes the given oid from the pool of registered qualified statement ids.

Parameters:

oid - the oid to be removed

Returns:

true if the oid has been registered and now removed, false otherwise

clearRegisteredQualifiedQCStatementIDs

public static void clearRegisteredQualifiedQCStatementIDs()

Clears all registered qualified statement ids.

isQualifiedQCStatementID

public static boolean isQualifiedQCStatementID(ObjectID oid)

Asks if the given oid indicates a qualified certificate statement.

Returns:

true if the given oid has been registered as qualified certificate statement ID, false otherwise

containsQualifiedQCStatements

public static QCStatement[] containsQualifiedQCStatements(QCStatements qcStatements)

Checks if the given QCStatements extension contains any QCStatement terms with an OID indicating a qualified certificate.

Returns:

an array holding all qualified QCStatement terms included in the given QCStatements extension, or null if there are no qualified QCStatement terms included

isQualifedCertificate

public static QualifiedCertificate isQualifedCertificate(X509Certificate cert)
                                                  throws QualifiedCertificateException

Checks if the given certificate is a qualified one.

According to the PKIX Qualified Certificate Policy profile a qualified certificate may be recognized by either having a proper QCStatement included or having been issued according to a specific policy included in the CertificatePolicies extension and identified by a corresponding object identifier.

This method performs the following steps to see if the given certificate is a qualified one:

• If the QCStatements extension is present, this method steps through all included QCStatement terms asking their statement IDs if having been registered for indicating a qualified certificate.
• If the CertificatePolicies extension is present, this method steps through all included PolicyInformation terms asking their policy IDs if having been registered for indicating a qualified certificate.

If any PolicyInformation or QCStatement term(s) with an "qualified OID" are included this method converts the given X509Certificate object into a QualifiedCertificate object. An application may use methods getQualifiedPolicyInformations() and method getQualifiedQCStatements for obtaining the qualified PolicyInformation and/or QCStatement terms included in the QualifiedCertificate object returned by this method, e.g.:

 // the X.509 certificate to be asked if being a qualified one:
 X509Certificate cert = ...;
 try {
   QualifiedCertificate qualifiedCert =
     QualifiedCertificate.isQualifiedCertificate(cert);
   // get only the qualified PolicyInformation terms:
   PolicyInformation[] qualifiedPolicyInformations =
     qualifiedCert.getQualifiedPolicyInformations();
   if (qualifiedPolicyInformations == null) {
     System.out.println("No PolicyInformations indicating a qualified cert!");
   } else {
     System.out.println("Qualified PolicyInformations:");
     for (int i = 0; i < qualifiedPolicyInformations; i++) {
       System.out.println(qualifiedPolicyInformations[i].toString());
     }
   }
   // get only the qualified QCStatement terms:
   QCStatement[] qualifiedQCStatements =
     qualifiedCert.getQualifiedQCStatements();
   if (qualifiedQCStatements == null) {
     System.out.println("No QCStatements indicating a qualified cert!");
   } else {
     System.out.println("Qualified QCStatements:");
     for (int i = 0; i < qualifiedQCStatements; i++) {
       System.out.println(qualifiedQCStatements[i].toString());
     }
   }
 } catch (QualifiedCertificateException ex) {
   System.out.println("No qualified certificate!");
 }
 

Returns:

a QualifiedCertificate object created from the given X509Certificate if it constitutes a qualified certificate

Throws:

QualifiedCertificateException - if the given X.509 certificate cannot be converted since it no qualified certificate

setBiometricInfo

public void setBiometricInfo(BiometricInfo biometricInfo)
                      throws X509ExtensionException

Sets the BiometricInfo extension.

This method only provides an alternative way to addExtension for immediately adding a BiometricInfo extension.

Parameters:

biometricInfo - the BiometricInfo extension to be set

Throws:

X509ExtensionException - if an error occurs when adding the extension

setQCStatements

public void setQCStatements(QCStatements qcStatements)
                     throws X509ExtensionException

Sets the QCStatements extension.

This method only provides an alternative way to addExtension for immediately adding a QCStatements extension.

Parameters:

qcStatements - the QCStatements extension to be set

Throws:

X509ExtensionException - if an error occurs when adding the extension

setCertificatePolicies

public void setCertificatePolicies(CertificatePolicies certPolicies)
                            throws X509ExtensionException

Sets the CertificatePolicies extension.

This method only provides an alternative way to addExtension for immediately adding a CertificatePolicies extension.

Parameters:

certPolicies - the CertificatePolicies extension to be set

Throws:

X509ExtensionException - if an error occurs when adding the extension

addExtension

public void addExtension(V3Extension e)
                  throws X509ExtensionException

Adds the given extension.

Overrides:

addExtension in class X509Certificate

Parameters:

e - the extension to be added

Throws:

X509ExtensionException - if an error occurs when adding the extension

See Also:

V3Extension, X509Certificate.getBasicConstraints()

getBiometricInfo

public BiometricInfo getBiometricInfo()
                               throws X509ExtensionInitException

Returns the BiometricInfo extension included in this certificate, if present.

This method only provides an alternative way to getExtension for immediately getting an included BiometricInfo extension.

Returns:

the BiometricInfo extension included in this certificate, or null if this certificate does not contain the BiometricInfo extension

Throws:

X509ExtensionInitException - if the extension can not be initialized

getQCStatements

public QCStatements getQCStatements()
                             throws X509ExtensionInitException

Returns the QCStatements extension included in this certificate, if present.

This method only provides an alternative way to getExtension for immediately getting an included QCStatements extension.

Returns:

the QCStatements extension included in this certificate, or null if this certificate does not contain the QCStatements extension

Throws:

X509ExtensionInitException - if the extension can not be initialized

getCertificatePolicies

public CertificatePolicies getCertificatePolicies()
                                           throws X509ExtensionInitException

Returns the CertificatePolicies extension included in this certificate, if present.

This method only provides an alternative way to getExtension for immediately getting an included CertificatePolicies extension.

Returns:

the CertificatePolicies extension included in this certificate, or null if this certificate does not contain the CertificatePolicies extension

Throws:

X509ExtensionInitException - if the extension can not be initialized

removeExtension

public boolean removeExtension(ObjectID oid)

Removes the extension specified by its object identifier.

Overrides:

removeExtension in class X509Certificate

Parameters:

oid - the object ID of the extension to remove

Returns:

true if the extension has been successfully removed, false otherwise

removeAllExtensions

public void removeAllExtensions()

Removes all extensions from this certificate.

Overrides:

removeAllExtensions in class X509Certificate

getQualifiedQCStatements

public QCStatement[] getQualifiedQCStatements()

Gets any included qualified QCStatement terms.

This method returns all QCStatement terms having a qualified registered statement id. Note that the array of QCStatement terms returned by this method must not contain all the QCStatement terms included in the QCStatements extension of this certificate. There may be other QCStatement terms having no qualified statement id.

Returns:

an array holding all qualified QCStatement terms included in the QCStatements extension of this certificate, or null if this certificate does not contain a QCStatements extension or the QCStatements extension does not contain qualified statements

getQualifiedPolicyInformations

public PolicyInformation[] getQualifiedPolicyInformations()

Gets any included qualified PolicyInformation terms.

This method returns all PolicyInformation terms having a qualified registerQualifiedPolicyIDs policy id. Note that the array of PolicyInformation terms returned by this method must not contain all the PolicyInformation terms included in the CertificatePolicies extension of this certificate. There may be other PolicyInformation terms having no qualified policy id.

Returns:

an array holding all qualified PolicyInformation terms included in the CertificatePolicies extension of this certificate, or null if this certificate does not contain a CertificatePolicies extension or the CertificatePolicies extension does not contain qualified PolicyInformations