com.entrust.toolkit.credentials

Class CardMSCertReqInfo

java.lang.Object

com.entrust.toolkit.credentials.EntrustPKIXCMPInjectedCertReqInfo

com.entrust.toolkit.credentials.CardMSCertReqInfo

public class CardMSCertReqInfo
extends EntrustPKIXCMPInjectedCertReqInfo

The class represents certificate request information that is injected into the Entrust Certificate Management Protocol (PKIX-CMP) by a Card Management System (CardMS).

It is a simple data structure that allows getting/setting of all the various data components it contains. These components are the following:

Certificate Definition Identifier

An identifier for the certificate definition this certificate request information corresponds to.

Public Key

The public key for which certification is being requested (required during initialization and key certificate/update for a certificate definition that indicates client key generation; required during recovery and certificate store synchronization for a certificate definition that indicates client key generation and no key backup).

Proof of Possession of Signing Key

Provides proof of possession for a signing private key. The CardMS API requires proof of possession for initialization and recovery operations for a certificate definition that indicates either 'verification' or 'both' key usage when operating in normal mode. Proof of possession is not required using PKIX-CMP in Administrator Authenticated mode (AA mode); however, if provided it will be checked and enforced.

X509 Certificate Extensions

A set of X.509 certificate extensions the client is requesting be included in the requested certificate. Requesting extensions is only supported when operating PKIX-CMP in AA mode.

For details on AA mode and supported extensions, please refer to the class documentation of EntrustPKIXCMPInjectedCertReqInfo.

Since:

7.1sp1

See Also:

CMPForCardMS, EntrustPKIXCMPInjectedCertReqInfo

Constructor Summary

Constructors

Constructor and Description
CardMSCertReqInfo(EntrustCertInfoId certDefnId) A constructor; creates a new CardMSCertReqInfo object containing a certificate definition.
CardMSCertReqInfo(EntrustCertInfoId certDefnId, java.security.PublicKey publicKey) A constructor; creates a new CardMSCertReqInfo object containing a certificate definition and public key.
CardMSCertReqInfo(EntrustCertInfoId certDefnId, java.security.PublicKey publicKey, POPOSigningKey popoSigningKey) A constructor; creates a new CardMSCertReqInfo object containing a certificate definition, public key, and proof of possession for a signing private key.
CardMSCertReqInfo(EntrustCertInfoId certDefnId, java.security.PublicKey publicKey, POPOSigningKey popoSigningKey, X509Extensions x509Extensions) A constructor; creates a new CardMSCertReqInfo object containing a certificate definition, public key,proof of possession for a signing private key, and X.509 certificate extensions.
CardMSCertReqInfo(PKIArchiveOptions pkiArchiveOptions, EntrustCertInfoId certDefnId, java.security.PublicKey publicKey) A constructor; creates a new CardMSCertReqInfo object containing a certificate definition, public key, and private key archive information.
CardMSCertReqInfo(PKIArchiveOptions pkiArchiveOptions, EntrustCertInfoId certDefnId, java.security.PublicKey publicKey, X509Extensions x509Extensions) A constructor; creates a new CardMSCertReqInfo object containing a certificate definition, public key, private key archive information, and X.509 certificate extensions.

Method Summary

Methods

Modifier and Type	Method and Description
PKIArchiveOptions	getPKIArchiveOptions() Returns archive information pertaining to the private key.
POPOSigningKey	getPOPOSigningKey() Returns the proof of possession of a signing private key.
void	setPKIArchiveOptions(PKIArchiveOptions pkiArchiveOptions) Sets the archive information pertaining to the private key.
void	setPOPOSigningKey(POPOSigningKey popoSigningKey) Sets the proof of possession of a signing private key.
void	setPublicKey(java.security.PublicKey publicKey) Sets the public key for which certificate is being requested.

Methods inherited from class com.entrust.toolkit.credentials.EntrustPKIXCMPInjectedCertReqInfo

getCertDefnId, getOptionalValidity, getPrivateKey, getPublicKey, getX509Extensions, setOptionalValidity, setPrivateKey, setX509Extensions

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CardMSCertReqInfo

public CardMSCertReqInfo(EntrustCertInfoId certDefnId)

A constructor; creates a new CardMSCertReqInfo object containing a certificate definition.

Parameters:

certDefnId - the identifier for the certificate definition that the injected public key corresponds to

CardMSCertReqInfo

public CardMSCertReqInfo(EntrustCertInfoId certDefnId,
                 java.security.PublicKey publicKey)

A constructor; creates a new CardMSCertReqInfo object containing a certificate definition and public key.

Allows the public key to be generated by the CardMS and injected into a PKIX-CMP operation. When used in an Initialization or Key Update/Certification operation, the public key must be set for a certificate definition that indicates client key generation. When used in a Recovery or Certificate Store Synchronization operation, the public key must be set for a certificate definition that indicates client key generation and no key backup.

Parameters:

certDefnId - the identifier for the certificate definition that the injected public key corresponds to

publicKey - the public key for which certification is being requested (OPTIONAL)

CardMSCertReqInfo

public CardMSCertReqInfo(EntrustCertInfoId certDefnId,
                 java.security.PublicKey publicKey,
                 POPOSigningKey popoSigningKey)

A constructor; creates a new CardMSCertReqInfo object containing a certificate definition, public key, and proof of possession for a signing private key.

Allows the public key to be generated by the CardMS and injected into a PKIX-CMP operation. When used in an Initialization or Key Update/Certification operation, the public key must be set for a certificate definition that indicates client key generation. When used in a Recovery or Certificate Store Synchronization operation, the public key must be set for a certificate definition that indicates client key generation and no key backup.

Proof of possession must be set for a signing/verification key pair when using PKIX-CMP in normal mode (not AA mode). It is required by the EASM to demonstrate that the CMS actually has the private signing key. Proof of possession is not required using PKIX-CMP in AA mode; however, if provided it will be checked and enforced.

Parameters:

certDefnId - the identifier for the certificate definition that the injected public key corresponds to

publicKey - the public key for which certification is being requested (OPTIONAL)

popoSigningKey - proof of possession of a signing private key (OPTIONAL)

CardMSCertReqInfo

public CardMSCertReqInfo(EntrustCertInfoId certDefnId,
                 java.security.PublicKey publicKey,
                 POPOSigningKey popoSigningKey,
                 X509Extensions x509Extensions)

A constructor; creates a new CardMSCertReqInfo object containing a certificate definition, public key,proof of possession for a signing private key, and X.509 certificate extensions.

Allows the public key to be generated by the CardMS and injected into a PKIX-CMP operation. When used in an Initialization or Key Update/Certification operation, the public key must be set for a certificate definition that indicates client key generation. When used in a Recovery or Certificate Store Synchronization operation, the public key must be set for a certificate definition that indicates client key generation and no key backup.

Proof of possession must be set for a signing/verification key pair when using PKIX-CMP in normal mode (not AA mode). It is required by the EASM to demonstrate that the CMS actually has the private signing key. Proof of possession is not required using PKIX-CMP in AA mode; however, if provided it will be checked and enforced.

Requesting X.509 extensions is not permitted when using PKIX-CMP in normal mode (not AA mode). For details on AA mode and supported extensions, please refer to the class documentation of EntrustPKIXCMPInjectedCertReqInfo.

Parameters:

certDefnId - the identifier for the certificate definition that the injected public key corresponds to

publicKey - the public key for which certification is being requested (OPTIONAL)

popoSigningKey - proof of possession of a signing private key (OPTIONAL)

x509Extensions - X.509 extensions (including extension values) that are requested to be included in the end user certificate (OPTIONAL)

Since:

7.2

CardMSCertReqInfo

public CardMSCertReqInfo(PKIArchiveOptions pkiArchiveOptions,
                 EntrustCertInfoId certDefnId,
                 java.security.PublicKey publicKey)

A constructor; creates a new CardMSCertReqInfo object containing a certificate definition, public key, and private key archive information.

Allows the public key to be generated by the CardMS and injected into a PKIX-CMP operation. When used in an Initialization or Key Update/Certification operation, the public key must be set for a certificate definition that indicates client key generation. When used in a Recovery or Certificate Store Synchronization operation, the public key must be set for a certificate definition that indicates client key generation and no key backup.

Archive information allows the client to provide a copy of the client generated private key to the server for backup. If not provided, no backup is assumed.

Parameters:

pkiArchiveOptions - archive information pertaining to the private key (OPTIONAL)

certDefnId - the identifier for the certificate definition that the injected public key corresponds to

publicKey - the public key for which certification is being requested (OPTIONAL)

Since:

8.0 Patch

CardMSCertReqInfo

public CardMSCertReqInfo(PKIArchiveOptions pkiArchiveOptions,
                 EntrustCertInfoId certDefnId,
                 java.security.PublicKey publicKey,
                 X509Extensions x509Extensions)

A constructor; creates a new CardMSCertReqInfo object containing a certificate definition, public key, private key archive information, and X.509 certificate extensions.

Allows the public key to be generated by the CardMS and injected into a PKIX-CMP operation. When used in an Initialization or Key Update/Certification operation, the public key must be set for a certificate definition that indicates client key generation. When used in a Recovery or Certificate Store Synchronization operation, the public key must be set for a certificate definition that indicates client key generation and no key backup.

Archive information allows the client to provide a copy of the client generated private key to the server for backup. If not provided, no backup is assumed.

Requesting X.509 extensions is not permitted when using PKIX-CMP in normal mode (not AA mode). For details on AA mode and supported extensions, please refer to the class documentation of EntrustPKIXCMPInjectedCertReqInfo.

Parameters:

pkiArchiveOptions - archive information pertaining to the private key (OPTIONAL)

certDefnId - the identifier for the certificate definition that the injected public key corresponds to

publicKey - the public key for which certification is being requested (OPTIONAL)

x509Extensions - X.509 extensions (including extension values) that are requested to be included in the end user certificate (OPTIONAL)

Since:

8.0 Patch

Method Detail

setPublicKey

public void setPublicKey(java.security.PublicKey publicKey)

Sets the public key for which certificate is being requested.

Allows the public key to be generated by the CardMS and injected into a PKIX-CMP operation. When used in an Initialization or Key Update/Certification operation, the public key must be set for a certificate definition that indicates client key generation. When used in a Recovery or Certificate Store Synchronization operation, the public key must be set for a certificate definition that indicates client key generation and no key backup.

Overrides:

setPublicKey in class EntrustPKIXCMPInjectedCertReqInfo

Parameters:

publicKey - the public key for which certification is being requested (OPTIONAL)

See Also:

EntrustPKIXCMPInjectedCertReqInfo.getPublicKey()

setPOPOSigningKey

public void setPOPOSigningKey(POPOSigningKey popoSigningKey)

Sets the proof of possession of a signing private key.

Overrides:

setPOPOSigningKey in class EntrustPKIXCMPInjectedCertReqInfo

Parameters:

popoSigningKey - proof of possession of a signing private key (OPTIONAL)

See Also:

getPOPOSigningKey()

setPKIArchiveOptions

public void setPKIArchiveOptions(PKIArchiveOptions pkiArchiveOptions)

Sets the archive information pertaining to the private key.

Overrides:

setPKIArchiveOptions in class EntrustPKIXCMPInjectedCertReqInfo

Parameters:

pkiArchiveOptions - archive information pertaining to the private key (OPTIONAL)

Since:

8.0 Patch

See Also:

getPKIArchiveOptions()

getPOPOSigningKey

public POPOSigningKey getPOPOSigningKey()

Returns the proof of possession of a signing private key.

Proof of possession must be set for a signing/verification key pair when using PKIX-CMP in normal mode (not AA mode). It is required by the EASM to demonstrate that the CMS actually has the private signing key. Proof of possession is not required using PKIX-CMP in AA mode; however, if provided it will be checked and enforced.

Overrides:

getPOPOSigningKey in class EntrustPKIXCMPInjectedCertReqInfo

Returns:

proof of possession of a signing private key

getPKIArchiveOptions

public PKIArchiveOptions getPKIArchiveOptions()

Returns archive information pertaining to the private key.

Archive information must be provided to the EASM for each certificate that is requested. When not set, a default structure indicating that the private key is not backed up is sent to the server. Currently, both the encryptedPrivKey and archiveRemGenPrivKey formats of archive information are supported. For a client generated private key that requires backup, the encryptedPrivKey format is used to indicate that backup is required and securely transfer the private key to the server for backup. For a private key that is server generated or does not require backup, the archiveRemGenPrivKey format is used to indicate whether or not the key should be backed up by the server.

Overrides:

getPKIArchiveOptions in class EntrustPKIXCMPInjectedCertReqInfo

Returns:

archive information pertaining to the private key

Since:

8.0 Patch