OCSPCertStatusKeyAndCert (iSaSiLk 6.1 API Documentation)

java.lang.Object
- iaik.security.ssl.KeyAndCert
- - iaik.security.ssl.OCSPCertStatusKeyAndCert

All Implemented Interfaces:

java.lang.Cloneable
```
public class OCSPCertStatusKeyAndCert
extends KeyAndCert
```
This class represents server credentials to may be used for sending OCSP certificate status information about the server certificate when the client has sent a status_request extension.
Since OCSP cannot be handled in a crypto-provider independent way, using this class requires that you have IAIK-JCE (iaik_jce(_full).jar)) in your classpath.
When creating an OCSPCertStatusKeyAndCert object, specify server certificate chain (server certificate at index 0) and server private key. Additionally you may specify the url (only "http" is supported) of the OCSP responder to be contacted for getting status information about the server certificate, e.g.:
```
  // the server certificate chain
  X509Certificate[] serverCerts = ...;
  // the private key of the server
  PrivateKey serverPrivateKey = ...;
  // the url of the OCSP responder
  String responderUrl = "http://...";
  // create server credentials
  OCSPCertStatusKeyAndCert kac = new OCSPCertStatusKeyAndCert(serverCerts,
                                                              serverPrivateKey,
                                                              responderUrl);
 
```
Additionally/alternatively to specifying the resonder url by the constructor you may register responder url(s) by means of their responder ids, e.g.:
```
  // the public key of the responder
  PublicKey responderPublicKey = ...;
  // create responder id
  ResponderID byKeyID = new ResponderID(serverPublicKey);
  String responderUrl = "http://...";
  kac.addOCSPResponder(byKeyID, responderUrl);
  // the Name of the responder
  Name responderName = ...;
  // create responder id
  ResponderID byNameID = new ResponderID(responderName);
  responderUrl = "http://...";
  kac.addOCSPResponder(byNameID, responderUrl);
 
```
Registering OCSP responder urls in this way will help iSaSiLk to search for a responder url for a particular responder id that may be sent by the client within the status_request extension. If no responder urls are registered and no (default) responder url has been set when creating the OCSPCertStatusKeyAndCert iSaSiLk looks if the server certificate does contain an AuthorityInfoAccess extension from which to get the url of the OCSP responder.
See Also:

CertificateStatusRequest

Constructor Summary

Constructors
Constructor and Description
`OCSPCertStatusKeyAndCert(java.security.cert.X509Certificate[] chain, java.security.PrivateKey privateKey, java.lang.String responderUrl)` Creates a new OCSPCertStatusKeyAndCert object.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`addOCSPResponder(iaik.x509.ocsp.ResponderID responderId, java.lang.String responderUrl)` Registers the given (http) url for the given responder id.
`java.lang.Object`	`clone()` Gets a clone of this object.
`boolean`	`equals(java.lang.Object obj)` Tests if the given object is equal to this OCSPCertStatusKeyAndCert.
`byte[]`	`getCertificateStatus(int statusType, byte[] statusRequest, SSLTransport transport)` Gets information about the (revocation) status of the certificates of this KeyAndCertificate.
`int`	`hashCode()` Gets a hashcode for this object.
`java.lang.String`	`toString()` Gets a string representation of this object.

Methods inherited from class iaik.security.ssl.KeyAndCert
getCertificateChain, getCertificateType, getPrivateKey, getTLSServerNames, isTrustedBy, setTLSServerNames, setTrustedAuthorities

Methods inherited from class java.lang.Object
finalize, getClass, notify, notifyAll, wait, wait, wait

- Constructor Detail
  - OCSPCertStatusKeyAndCert
```
public OCSPCertStatusKeyAndCert(java.security.cert.X509Certificate[] chain,
                                java.security.PrivateKey privateKey,
                                java.lang.String responderUrl)
```
    Creates a new OCSPCertStatusKeyAndCert object. The given server certificate chain and the given server private key must be non-null and the chain has to consist of at least one element.
    
    Parameters:
    
    chain - the ceritificate chain with the end entity (server) certificate at index 0
    
    privateKey - the private server key
    
    responderUrl - the URL of the default OCSP responder (to be used if no responder ids are configured and/or the server certificate(s) do not contain an AuthoritiyInfoAccess extension pointing to an OCSP responder). This implementation supports http responders only.
    
    Throws:
    
    java.lang.NullPointerException - if both certificate chain and private key are null
    
    java.lang.IllegalArgumentException - if the given url is not an http url (does not start with "http"), or no OCSP CertID can be created for the server cert (because, for instance, the chain only contains one (the server) certificate which is not self-signed, or the chain is not ordered to have the server cert at index 0 and the server cert issuing ca cert at index 1,...)
- Method Detail
  - addOCSPResponder
```
public void addOCSPResponder(iaik.x509.ocsp.ResponderID responderId,
                             java.lang.String responderUrl)
```
    Registers the given (http) url for the given responder id.
    This method can be used to tell iSaSiLk where to find an OCSP responder for a particular responder id. When sending the status_request extension the client may specify a list of accepted ocsp responders may including their responder ids. Since a responder id does not contain an url, iSaSiLk must be configured to know how to map responder id to reponder url from where to get an ocsp response.
    
    Parameters:
    
    responderId - the id of the ocsp responder
    
    responderUrl - the url of the ocsp responder (only "http" urls are supported by this implementation)
    
    Throws:
    
    java.lang.NullPointerException - if responderId or responderUrl is null
    
    java.lang.IllegalArgumentException - if the given responder url is not an http url (does not start with "http")
  - getCertificateStatus
```
public byte[] getCertificateStatus(int statusType,
                                   byte[] statusRequest,
                                   SSLTransport transport)
                            throws SSLException
```
    Gets information about the (revocation) status of the certificates of this KeyAndCertificate. This method is used on the server side for asking for certficate status information when the client has sent a status_request extension within an extended client_hello message.
    If the client has sent a status_request extension and the server has agreed to provide a status responce, he will send a certificate_status handshake message immediately after the certificate message. This method is called by iSaSiLk to ask for status information of the certificates included in this server credentials. The given statusType indicates the type of status response expected by the client (currently only "ocsp" is defined and supported by this class). The given statusRequest represents the (TLS) encoded request field of the CertificateStatusRequest structure sent by the client (see RFC 4366):
```
 struct {
    CertificateStatusType status_type;
        select (status_type) {
            case ocsp: OCSPStatusRequest;
        } request;
    } CertificateStatusRequest;

    enum { ocsp(1), (255) } CertificateStatusType;

    struct {
        ResponderID responder_id_list<0..2^16-1>;
        Extensions  request_extensions;
    } OCSPStatusRequest;

    opaque ResponderID<1..2^16-1>;
    opaque Extensions<0..2^16-1>;
 
```
    The status response returned by this method must represent the (TLS) encoded response field of the CertificateStatus handshake message to be sent to the client (see RFC 4366):
```
 struct {
    CertificateStatusType status_type;
    select (status_type) {
        case ocsp: OCSPResponse;
    } response;
 } CertificateStatus;

 opaque OCSPResponse<1..2^24-1>;
 
```
    Overrides:
    
    getCertificateStatus in class KeyAndCert
    
    Parameters:
    
    statusType - the type of the certificate status request received from the client
    
    statusRequest - the (TLS) encoded status request received from the client
    
    transport - the current SSLTransport object (may be used for printing debug information)
    
    Returns:
    
    the (TLS) encoded status response of the the requested type containing (revocation) status information for the certificates contained in this server KeyAndCert
    
    Throws:
    
    SSLException - if an error occurs when processing the status request and/or creating the status response
    
    See Also:
    
    OCSPCertStatusKeyAndCert
  - clone
```
public java.lang.Object clone()
```
    Gets a clone of this object.
    
    Overrides:
    
    clone in class KeyAndCert
    
    Returns:
    
    the cloned object
  - hashCode
```
public int hashCode()
```
    Gets a hashcode for this object.
    
    Overrides:
    
    hashCode in class KeyAndCert
    
    Returns:
    
    the hashcode
  - equals
```
public boolean equals(java.lang.Object obj)
```
    Tests if the given object is equal to this OCSPCertStatusKeyAndCert.
    
    Overrides:
    
    equals in class KeyAndCert
    
    Parameters:
    
    obj - the object to be compared with this OCSPCertStatusKeyAndCert
    
    Returns:
    
    true if the two objects are equal, false if they are not equal
  - toString
```
public java.lang.String toString()
```
    Gets a string representation of this object.
    
    Overrides:
    
    toString in class KeyAndCert
    
    Returns:
    
    a string representation

Class OCSPCertStatusKeyAndCert

Constructor Summary

Method Summary

Methods inherited from class iaik.security.ssl.KeyAndCert

Methods inherited from class java.lang.Object

Constructor Detail

OCSPCertStatusKeyAndCert

Method Detail

addOCSPResponder

getCertificateStatus

clone

hashCode

equals

toString