com.entrust.toolkit.credentials

Class EntrustP10CertReqInfo

java.lang.Object

com.entrust.toolkit.credentials.EntrustPKIXCMPInjectedCertReqInfo

com.entrust.toolkit.credentials.EntrustP10CertReqInfo

public class EntrustP10CertReqInfo
extends EntrustPKIXCMPInjectedCertReqInfo

A simple data structure that can be used in conjunction with EntrustP10CertRetriever to request issuance of unmanaged end user certificates from an Entrust Authority Security Manager (EASM) that supports PKIX-CMP in Administrator Authenticated (AA) mode (Supported on EASM 7.1 patch 96478 or later).

The data structure contains the following components:

Public Key

This key is generated by the requestor and injected into the PKIX-CMP protocol to provide the public key to the EASM for which certification is being requested.

Certificate Definition Identifier

The certificate definition identifier that the public key corresponds to. The EASM requires that the certificate definition identifier be specified for each public key that is being certified. The certificate definition contains policy information governing each key/certificate; it can also be used to set X.509 extensions that are to appear in every certificate.

X509 Certificate Extensions

A set of X.509 certificate extensions the client is requesting be included in the requested certificate.

User Certificate

The user certificate that was issued by the EASM for the public key; following a successful certification request, the end user certificate for the public key will be returned to the requestor in this component.

For details on AA-mode (Administrator Authenticate mode) and supported extensions, please refer to the class documentation of EntrustPKIXCMPInjectedCertReqInfo.

Since:

7.1sp1

See Also:

EntrustP10CertRetriever

Constructor Summary

Constructors

Constructor and Description
EntrustP10CertReqInfo(CertificateRequest p10CertReq, EntrustCertInfoId certDefnId) The constructor; creates a EntrustP10CertReqInfo object from a PKCS 10 certificate request and a certificate definition identifier.
EntrustP10CertReqInfo(CertificateRequest p10CertReq, java.lang.String certDefnName) The constructor; creates a EntrustP10CertReqInfo object from a PKCS 10 certificate request and a certificate definition identifier.
EntrustP10CertReqInfo(java.security.PublicKey publicKey, EntrustCertInfoId certDefnId, X509Extensions x509Extensions) The constructor; creates a EntrustP10CertReqInfo object from a public key and a certificate definition identifier.
EntrustP10CertReqInfo(java.security.PublicKey publicKey, java.lang.String certDefnName, X509Extensions x509Extensions) The constructor; creates a EntrustP10CertReqInfo object from a public key and a certificate definition name.

Method Summary

Methods

Modifier and Type	Method and Description
X509Certificate	getCACertificate() Returns the CA certificate when available for the Certificate Authority that the user exists on.
java.util.List<X509Certificate>	getIntermediateCACertificates() Returns the intermediate CA certificates when available, for the Certificate Authorities that are needed to build a certificate path from the user's CA to the root CA.
X509Certificate	getRootCACertificate() Returns the CA certificate when available for the Certificate Authority that is the root of trust for the user.
X509Certificate	getUserCertificate() Returns the end user certificate that was issued by an Entrust Authority Security Manager for the public key.

Methods inherited from class com.entrust.toolkit.credentials.EntrustPKIXCMPInjectedCertReqInfo

getCertDefnId, getOptionalValidity, getPKIArchiveOptions, getPOPOSigningKey, getPrivateKey, getPublicKey, getX509Extensions, setOptionalValidity, setPKIArchiveOptions, setPOPOSigningKey, setPrivateKey, setPublicKey, setX509Extensions

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

EntrustP10CertReqInfo

public EntrustP10CertReqInfo(java.security.PublicKey publicKey,
                     java.lang.String certDefnName,
                     X509Extensions x509Extensions)

The constructor; creates a EntrustP10CertReqInfo object from a public key and a certificate definition name.

Identification of which certificate definition the certificate request corresponds to is required by the EASM. In this case, the certificate definition name is used (Ex: 'Encryption', 'Verification', 'Dual Usage'...).

Proof of possession of the private key that corresponds to the provided public key is not (and cannot) be enforced by this API; it is the responsibility of the caller to check and enforce proof of possession.

Parameters:

publicKey - the public key that is being certified

certDefnName - the name of the certificate definition that the public key corresponds to

x509Extensions - requested X.509 extensions (OPTIONAL)

Throws:

java.lang.IllegalArgumentException - if the public key or certificate definition name are null

EntrustP10CertReqInfo

public EntrustP10CertReqInfo(java.security.PublicKey publicKey,
                     EntrustCertInfoId certDefnId,
                     X509Extensions x509Extensions)

The constructor; creates a EntrustP10CertReqInfo object from a public key and a certificate definition identifier.

Identification of which certificate definition the certificate request corresponds to is required by the EASM. In this case, the certificate definition identifier is used (consists of a certificate definition ID and name).

Proof of possession of the private key that corresponds to the provided public key is not (and cannot) be enforced by this API; it is the responsibility of the caller to check and enforce proof of possession.

Parameters:

publicKey - the public key that is being certified

certDefnId - the certificate definition identifier for the certificate definition that the public key corresponds to

x509Extensions - requested X.509 extensions (OPTIONAL)

Throws:

java.lang.IllegalArgumentException - if the public key or certificate definition identifier are null

EntrustP10CertReqInfo

public EntrustP10CertReqInfo(CertificateRequest p10CertReq,
                     java.lang.String certDefnName)

The constructor; creates a EntrustP10CertReqInfo object from a PKCS 10 certificate request and a certificate definition identifier.

The P10 certificate request MUST be self-signed; signed using the private key that corresponds to the public key contained in the request. This demonstrates proof of possession of the private key (ensures that the client actually possess the key pair for which certification is being requested). The public key and any requested X.509 extensions are extracted from the P10 certificate request; all other information contained in P10 certificate request is ignored.

Identification of which certificate definition the certificate request corresponds to is required by the EASM. In this case, the certificate definition name is used (Ex: 'Encryption', 'Verification', 'Dual Usage'...).

In P10, X.509 extensions can be requested by including a P9 extensionRequest attribute in the P10 certificate request. An extensionRequest attribute value contains the requested X509Extensions in ASN.1 format.

Parameters:

p10CertReq - a PKCS 10 certificate requires containing the public key that is being certified and any requested X.509 extensions

certDefnName - the name of the certificate definition that the public key corresponds to

Throws:

java.lang.IllegalArgumentException - if any of the parameters are null (all parameters are required), if signature verification for the P10 request fails (not self-signed), or if the P10 request contains improperly encoded/formatted X.509 extensions

EntrustP10CertReqInfo

public EntrustP10CertReqInfo(CertificateRequest p10CertReq,
                     EntrustCertInfoId certDefnId)

The constructor; creates a EntrustP10CertReqInfo object from a PKCS 10 certificate request and a certificate definition identifier.

The P10 certificate request MUST be self-signed; signed using the private key that corresponds to the public key contained in the request. This demonstrates proof of possession of the private key (ensures that the client actually possess the key pair for which certification is being requested). The public key and any requested X.509 extensions are extracted from the P10 certificate request; all other information contained in P10 certificate request is ignored.

Identification of which certificate definition the certificate request corresponds to is required by the EASM. In this case, the certificate definition identifier is used (consists of a certificate definition ID and name).

In P10, X.509 extensions can be requested by including a P9 extensionRequest attribute in the P10 certificate request. An extensionRequest attribute value contains the requested X509Extensions in ASN.1 format.

Parameters:

p10CertReq - a PKCS 10 certificate requires containing the public key that is being certified and any requested X.509 extensions

certDefnId - the certificate definition identifier for the certificate definition that the public key corresponds to

Throws:

java.lang.IllegalArgumentException - if any of the parameters are null (all parameters are required), if signature verification for the P10 request fails (not self-signed), or if the P10 request contains improperly encoded/formatted X.509 extensions

Method Detail

getUserCertificate

public X509Certificate getUserCertificate()

Returns the end user certificate that was issued by an Entrust Authority Security Manager for the public key.

Returns:

the requested user certificate

Since:

8.1

getCACertificate

public X509Certificate getCACertificate()

Returns the CA certificate when available for the Certificate Authority that the user exists on.

Returns:

the CA certificate

Since:

8.1

getRootCACertificate

public X509Certificate getRootCACertificate()

Returns the CA certificate when available for the Certificate Authority that is the root of trust for the user.

Returns:

the root CA certificate

Since:

8.1

getIntermediateCACertificates

public java.util.List<X509Certificate> getIntermediateCACertificates()

Returns the intermediate CA certificates when available, for the Certificate Authorities that are needed to build a certificate path from the user's CA to the root CA.

Returns:

the intermediate CA certificates as a List of X509Certificate objects