public interface CapiIdentityFilter
CapiIdentities to determine if a
certificate belongs to the same identity as another existing identity.
For example, the default CapiIdentityFilter uses the CapiContainerName to determine if
certificates belong to the same identity. Entrust uses a common CapiContainerName format
across its products so that identities written with one product can be identified by another product.
However, if the certificates that were part of an Entrust identity or a third-party identity were written
to CAPI using an unknown ContainerName format, the toolkit will by default use the criteria
specified in the default CapiIdentityFilter, implemented in the
CapiIdentities.matchIdentity(CapiIdentity, CapiCertificateAndKeyInfo) method. In some scenarios,
such as a DN change that occurred during the lifetime of the identity, the default criteria may not work.
In those situations, a custom CapiIdentityFilter could be used to find the required identity based
on the appropriate criteria.
| Modifier and Type | Method and Description |
|---|---|
| boolean | matchIdentity(CapiIdentity identity, CapiCertificateAndKeyInfo ccaki) This API allows an end-user application to define the matching rules for defining an identity. |
boolean matchIdentity(CapiIdentity identity, CapiCertificateAndKeyInfo ccaki)
In an Entrust Identity, there can be multiple certificates and keys, for example, encryption, verification and
non-repudiation. When these certificates are stored in CAPI using Entrust, the CapiContainerName
is normally used to find other certificates that may be associated with that identity. However, if
certificates were added into CAPI using a third-party mechanism, such as a P11 driver, or an export from
P12, then the Entrust container format will not be used.
Note: Because the Entrust CAPI container format was not used when writing the certificates into CAPI, this identity will not be able to be managed by the toolkit. Attempting to manage such an identity may result in undefined behaviour, and is not supported by the toolkit.
identity - The CapiIdentity
ccaki - The CapiCertificateAndKeyInfo
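One way a custom filter could handle the DN-change scenario described above, as an added example that is not Entrust's code. The three interfaces are stand-ins declared so the file compiles on its own, and their accessor names (getCertificate, getCertificates) are hypothetical, not the toolkit's API. It also assumes every certificate of the identity carries the same rfc822Name subject alternative name.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

// Stand-in declarations so this example compiles alone. The accessors
// getCertificate() and getCertificates() are hypothetical, NOT the toolkit's API.
interface CapiCertificateAndKeyInfo { X509Certificate getCertificate(); }
interface CapiIdentity { List<X509Certificate> getCertificates(); }
interface CapiIdentityFilter {
    boolean matchIdentity(CapiIdentity identity, CapiCertificateAndKeyInfo ccaki);
}

/** Matches on issuer plus e-mail SAN, which do not depend on the subject DN. */
final class IssuerAndEmailFilter implements CapiIdentityFilter {
    private static final int RFC822_NAME = 1; // GeneralName type for an e-mail address

    @Override
    public boolean matchIdentity(CapiIdentity identity, CapiCertificateAndKeyInfo ccaki) {
        X509Certificate candidate = ccaki.getCertificate();
        String email = emailOf(candidate);
        if (email == null) return false; // no stable attribute: refuse rather than guess
        for (X509Certificate known : identity.getCertificates()) {
            boolean sameIssuer = known.getIssuerX500Principal()
                    .equals(candidate.getIssuerX500Principal());
            if (sameIssuer && email.equalsIgnoreCase(emailOf(known))) return true;
        }
        return false; // fail closed: an unmatched certificate joins no identity
    }

    private static String emailOf(X509Certificate cert) {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) return null; // certificate has no SAN extension
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == RFC822_NAME) return (String) san.get(1);
            }
        } catch (CertificateParsingException e) {
            return null; // unparsable extension: treat as no match
        }
        return null;
    }
}
```

Requiring the issuer to match as well as the e-mail address keeps a certificate from an unrelated CA that merely reuses the address from being grouped into the identity.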