com.entrust.toolkit.x509.policies

Class ClientSettings

java.lang.Object

com.entrust.toolkit.x509.policies.ClientSettings

public final class ClientSettings
extends java.lang.Object

The ClientSettings class provides an interface to the client settings.

Client settings are specified at the PKI and are retrieved from the PKI during login. They are represented by two certificates — an attribute certificate, and an Entrust policy certificate, or client settings certificate.

Client settings are retrieved by the Toolkit during login and user creation, so the Toolkit application does not need to request them explicitly. The following code fragment demonstrates how to display a list of the client settings currently in effect.

     int status = user.login(credreader, password);
     System.out.println(user.getClientSettings());
 

The following code fragment demonstrates how to display the password rules that were applied during a user initialization.

     int status = user.login(credreader, password);
     user.getClientSetting().getPasswordRuleTester().toString();
 

Note:

When using the "get"-type APIs for retrieving client settings, applications should use the method isValid() to determine whether the values came from a validated policy certificate or just a default returned because no policy certificate was available.

Calling any of the "set"-type APIs that override existing settings will cause the settings to no longer be considered valid; all future calls to isValid() will return false. The source of the client settings will be set to SOURCE_USER_DEFINED

See Also:

User, PasswordRuleTester, SearchBase

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
class	ClientSettings.DefaultPolicyValues Contains default policy values for the various policies held in a user's client settings.

Field Summary

Fields

Modifier and Type	Field and Description
static int	SOURCE_CACHE Indicates the source of the client settings values are from previously cached values.
static int	SOURCE_DEFAULT Indicates the source of the client settings values are just the default values.
static int	SOURCE_DIRECTORY Indicates the source of the client settings values are from the Directory.
static int	SOURCE_PKIXCMP Indicates the source of the client settings values are from a PKIX-CMP transaction.
static int	SOURCE_USER_DEFINED Indicates the source of the client settings values are from user-defined values.

Constructor Summary

Constructors

Constructor and Description
ClientSettings() Creates a ClientSettings object and initializes it using the default policy values.
ClientSettings(EntrustClientInfo entrustClientInfo) Create a ClientSettings object using and initializes it from an EntrustClientInfo structure that was received using the PKIX-CMP protocol.
ClientSettings(User user) Creates a new ClientSettings object, initializes it with the default policy values and associates these settings with the indicated user.
ClientSettings(User user, X509Certificate caCert, java.math.BigInteger clientRoleId, X509Certificate rootCaCert) Creates a ClientSettings object using and initializes it using a User object and that user's certificates.
ClientSettings(User user, X509Certificate caCert, X509Certificate userCert, X509Certificate rootCaCert) Creates a ClientSettings object using and initializes it using a User object and that user's certificates.
ClientSettings(User user, X509Certificate caCert, X509Certificate userCert, X509Certificate rootCaCert, java.math.BigInteger clientRoleId) Creates a ClientSettings object and initializes it using a User object, the user's certificates.
ClientSettings(X509Certificate caCert, X509Certificate rootCaCert) Creates a ClientSettings object using just the CA certs.

Method Summary

Methods

Modifier and Type	Method and Description
void	addAcceptablePolicy(ObjectID acceptablePolicy) Allows an application to add an acceptable policy for use during certificate validation, regardless of the default permission or the permission set in the client settings certificate.
void	assertAllowedHashAlgorithm(AlgorithmID algorithm) Ensures that the indicated hash algorithm is allowed under the client policy settings.
void	assertAllowedHashAlgorithm(AlgorithmID algorithm) Ensures that the indicated hash algorithm is allowed under the client policy settings.
void	clear() Clears the client settings.
java.util.List<ObjectID>	getAcceptablePolicyOids() Retrieves a List of the acceptable policy ObjectIDs.
java.util.List<java.lang.String>	getAllowedEncryptionAlgorithms() Retrieves a List of allowed symmetric encryption algorithms.
java.util.List<java.lang.String>	getAllowedHashAlgorithms() Retrieves a List of allowed hashing algorithms.
boolean	getAllowNoCapiProtection() Controls whether unprotected CAPI key storage is allowed.
boolean	getAllowServerLogin() Controls whether or not the user can create a .ual file that will allow client software allows the user to log in via the Server Login procedure.
boolean	getApplicationFlags() Retrieves the first Entrust application flag.
Attribute	getAttribute(java.lang.String oidString) Returns the Attribute associated with the given OID.
BIT_STRING	getBusinessControlFlags() Retrieve the business control flags, if any, from the client settings certificate.
X509Certificate	getCaCertificate(boolean checkForUpdate) Retrieves the CA certificate with which these ClientSettings were validated.
int	getCAVersion() Deprecated. as of 7.0, since there is no way to determine the CA version
IniFile	getCertificates() Returns the main policy certificate and the client settings certificate in an IniFile.
int	getClientNKeyType() Returns an integer setting, which identifies the client PKIX type — 1 or 2.
int	getClientSettingsSource() Returns the source of the client settings values.
int	getCRLGracePeriod() Return the grace period for CRLs, in hours.
static java.util.List<EntrustSigConfig>	getDefaultProtocolSigningAlgs(java.util.List<EntrustSigConfig> callerConfiguredDefaultProtocolSigningAlgs) Returns the default list of signature algorithms that are permitted for use in the PKIX-CMP protocol.
boolean	getDirectoryConsistencyChecking() This client settings flag controls whether Entrust clients ensure that the directory entry DN matches the certificate subject when they retrieve certificates from a Directory.
java.util.List<java.lang.String>	getDNencoding() Retrieves DN encoding types, as a List of Strings.
byte[]	getEncodedRolePolicyCert() Gets the DER-encoded role policy certificate.
java.lang.String	getEncryptionKeyType() Returns the client encryption key type — RSA-1024, for example.
boolean	getEnforceIdentityUse() Controls whether or not the client software enforces the use of an identity device.
boolean	getEnforceTokenUse() Returns whether or not the user's credentials must be stored on a PKCS#11 token.
void	getFresh(User user, X509Certificate caCert, X509Certificate userCertificate, X509Certificate rootCaCert) Retrieves fresh settings from the Directory, not from the policy certificate cache.
java.lang.String	getHttpProxy() Returns the HTTP proxy URL, which specifies the HTTP proxy for retrieving CRLs.
boolean	getInhibitAnyPolicy() Get the inhibit any-policy business control flag, if any, from the client settings certificate.
boolean	getInhibitPolicyMapping() Get the inhibit policy mapping business control flag.
boolean	getKeyBackupAllowed() Returns the key-backup-allowed flag as specified in the policy certificate.
java.lang.String	getMessageOfTheDay() Returns the message-of-the-day string in the client-settings certificate, if any, which the application can present to the user.
boolean	getOfflineProfileUse() This attribute controls whether or not client software should write the Profile of a roaming user to disk after login.
PasswordRuleTester	getPasswordRuleTester() Retrieves a PasswordRuleTester that will apply the rules appropriate for the current user, based on the user's role.
PasswordRuleTester	getPasswordRuleTester(java.lang.String userCategory) Retrieves a PasswordRuleTester that will apply the rules appropriate for the current user according to the role specified in the user's verification certificate.
boolean	getPermitCApab() Returns whether or not the client is permitted to use a CA personal address book.
boolean	getPermitNonRoaming() Returns whether or not the user is permitted to have a profile on the desktop.
boolean	getPermitP12Export() Returns whether or not the client is allowed to export keying material to a PKCS#12 file.
boolean	getPermitPAB() Returns whether or not the client is permitted to use a personal address book.
boolean	getPermitRoaming() Returns whether or not the user is permitted to have a roaming profile.
int	getPKCS12ExportMinimumHashCount() Retrieves the minimum hash count to use when exporting keying material to a PKCS#12 file, if it is specified in the client settings.
int	getPolicyCertificateLifeTime() Retrieves the policy certificate lifetime in days.
boolean	getPrivateKeyExportFromCapi() Controls whether the keys can be exported from CAPI
java.lang.String	getProfileProtectionPolicy() Returns the Profile protection policy setting, which should be used if the application has not decided to override the policy setting.
boolean	getProtectKeyTransfer() Returns an indicator of whether or not protected key transfer is enforced for Entrust Digital Identities on Cryptoki devices (tokens).
java.util.List<EntrustSigConfig>	getProtocolSigningAlgs(java.util.List<EntrustSigConfig> callerConfiguredDefaultProtocolSigningAlgs) Returns a list of signature algorithms that are permitted for use in the PKIX-CMP protocol.
java.util.List<EntrustSymmEncConfig>	getProtocolSymmetricEncAlgs() Returns a list of symmetric encryption algorithms that are permitted for use in the PKIX-CMP protocol.
boolean	getPublicTokenCerts() Returns a boolean, which indicates if the client will store certificates in public memory on tokens.
boolean	getRequirePolicyOIDs() Get the require policy OIDs business control flag, if any, from the client settings certificate.
X509Certificate	getRootCaCertificate(boolean checkForUpdate) Returns the top-level trusted root CA certificate.
java.util.List<SearchBase>	getSearchBaseList() Retrieves a list of SearchBase objects that are specified in the policy certificate.
java.lang.String	getSigningKeyType() Returns the client signing key type — RSA-2048, for example.
boolean	getSkipRLcheck() Returns a boolean determining how the application handles revocation list (RL) checks.
boolean	getSuppressAuthorityRevocationChecks(boolean defValue) Returns a boolean to indicate whether the toolkit will suppress authority revocation checking.
User	getUser() Returns the user that these client settings are associated with.
java.lang.String	getUserEncKeyAlgm() Retrieves the PKIX protocol encryption algorithm used to encrypt the PKIX communication between the client and authority.
void	init(ClientSettings clientSettings) Copies another ClientSettings object into this one.
boolean	isAllExportable() Indicates whether or not a user's private keys are all marked as exportable by policy ('entrustAllExportable').
boolean	isAllowedHashAlgorithm(AlgorithmID algorithm) Determines whether or not the indicated hash algorithm is allowed under the client policy settings.
boolean	isAllowedHashAlgorithm(AlgorithmID algorithm) Determines whether or not the indicated hash algorithm is allowed under the client policy settings.
boolean	isFeatureV2Profile() Retrieves an indicator of whether the Security Manager supports V2-key-pair profiles.
boolean	issuedByUpdatedCAkey(X509Certificate cert) Checks an X509Certificate to determine if it was signed by the same key that signed the main policy certificate.
boolean	isValid() Determines whether or not the policy certificates are valid.
boolean	isXCertCacheEnabled() Gets the role policy setting that controls whether or not the user's cross-certificate cache (XCC) is enabled.
void	resetAcceptablePolicies() Allows an application to reset the list of acceptable policy for use during certificate validation to the default (any policy is accepted), regardless of the default permission or the permission set in the client settings certificate.
void	setAllowCAPAB(boolean permit) Allows the application to permit or prevent the use of a CA private address book (CA PAB) regardless of the default permission or the permission set in the client settings certificate, if any.
void	setAttribute(Attribute attribute) Adds the given Attribute to the set of client settings, overriding any existing value for that attribute.
void	setInhibitAnyPolicy(boolean inhibitAnyPolicy) Allows an application to permit or prevent the usage of the special policy anyPolicy during certificate validation, regardless of the default permission or the permission set in the client settings certificate.
void	setInhibitPolicyMapping(boolean inhibitPolicyMapping) Allows an application to permit or prevent policy mapping during certificate validation, regardless of the default permission or the permission set in the client settings certificate.
void	setRequireExplicitPolicy(boolean requireExplicitPolicy) Allows an application to require or not require explicit policy during certificate validation, regardless of the default permission or the permission set in the client settings certificate.
void	setXCertCacheEnabled(boolean xCertCacheEnabled) Sets the role policy setting that controls whether or not the user's cross-certificate cache (XCC) is enabled.
java.lang.String	toString() Shows the contents of the internal policy certificates as a String.
void	updateUserPolicyCertCache(User user) Adds the main policy certificate and role policy certificate to the user's policy certificate cache.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

SOURCE_DEFAULT

public static final int SOURCE_DEFAULT

Indicates the source of the client settings values are just the default values.

Since:

7.0

See Also:

Constant Field Values

SOURCE_CACHE

public static final int SOURCE_CACHE

Indicates the source of the client settings values are from previously cached values.

Since:

7.0

See Also:

Constant Field Values

SOURCE_DIRECTORY

public static final int SOURCE_DIRECTORY

Indicates the source of the client settings values are from the Directory.

Since:

7.0

See Also:

Constant Field Values

SOURCE_PKIXCMP

public static final int SOURCE_PKIXCMP

Indicates the source of the client settings values are from a PKIX-CMP transaction.

Since:

7.0

See Also:

Constant Field Values

SOURCE_USER_DEFINED

public static final int SOURCE_USER_DEFINED

Indicates the source of the client settings values are from user-defined values.

Since:

7.0

See Also:

Constant Field Values

Constructor Detail

ClientSettings

public ClientSettings()

Creates a ClientSettings object and initializes it using the default policy values.

ClientSettings

public ClientSettings(User user)

Creates a new ClientSettings object, initializes it with the default policy values and associates these settings with the indicated user.

The Toolkit uses this constructor internally when the user logs in; a Toolkit application should never need to call this API

Parameters:

user - the user that these client setting are associated with

ClientSettings

public ClientSettings(User user,
              X509Certificate caCert,
              X509Certificate userCert,
              X509Certificate rootCaCert)
               throws CertificationRootException

Creates a ClientSettings object using and initializes it using a User object and that user's certificates.

The Toolkit uses this constructor internally when the user logs in and the Toolkit application does not usually need to use it.

Parameters:

user - the user whose client settings are being created

caCert - the user's CA certificate

Note

Because the user is not necessarily logged in when the ClientSettings object is created, the CA certificate must be provided here. The User class does not permit access to the certificates until the user has logged in

userCert - the user's verification certificate; it contains a certificate extension that determines the user's role

rootCaCert - if the user is on a subordinate CA within a CA hierarchy, this contains the CA certificate of the root CA in the hierarchy; otherwise null

Throws:

CertificateRootException - thrown if the user's certificates could not be validated

CertificationRootException

ClientSettings

public ClientSettings(User user,
              X509Certificate caCert,
              X509Certificate userCert,
              X509Certificate rootCaCert,
              java.math.BigInteger clientRoleId)
               throws CertificationRootException

Creates a ClientSettings object and initializes it using a User object, the user's certificates.

The Toolkit uses this constructor internally when the user logs in and the Toolkit application does not usually need to use it.

This constructor supports two sources for the Role ID. To support V1 users, the Role ID from the userCert will be used. For V2 users, the value from the clientRoleId parameter will be used. Where both are present, the clientRoleId is the preferred value.

Parameters:

user - the user whose client settings are being created

caCert - the user's CA certificate

Note

Because the user is not necessarily logged in when the ClientSettings object is created, the CA certificate must be provided here. The User class does not permit access to the certificates until the user has logged in

userCert - the user's verification certificate; it contains a certificate extension that determines the user's role

rootCaCert - if the user is on a subordinate CA within a CA hierarchy, this contains the CA certificate of the root CA in the hierarchy; otherwise null

clientRoleId - the id of the client role attribute certificate.

Throws:

CertificateRootException - thrown if the user's certificates could not be validated

CertificationRootException

ClientSettings

public ClientSettings(X509Certificate caCert,
              X509Certificate rootCaCert)
               throws CertificationRootException

Creates a ClientSettings object using just the CA certs. This is only really useful for validating the ClientSettings object.

The Toolkit uses this constructor internally when the user logs in and the Toolkit application does not usually need to use it.

Parameters:

caCert - the user's CA certificate

Note

Because the user is not necessarily logged in when the ClientSettings object is created, the CA certificate must be provided here. The User class does not permit access to the certificates until the user has logged in

rootCaCert - if the user is on a subordinate CA within a CA hierarchy, this contains the CA certificate of the root CA in the hierarchy; otherwise null

Throws:

CertificateRootException - thrown if the user's certificates could not be validated

CertificationRootException

ClientSettings

public ClientSettings(User user,
              X509Certificate caCert,
              java.math.BigInteger clientRoleId,
              X509Certificate rootCaCert)
               throws CertificationRootException

Creates a ClientSettings object using and initializes it using a User object and that user's certificates.

The Toolkit uses this constructor internally when the user logs in. Applications should not use this constructor.

Parameters:

user - the user whose client settings are being created

caCert - the user's CA certificate

Note

Because the user is not necessarily logged in when the ClientSettings object is created, the CA certificate must be provided here. The User class does not permit access to the certificates until the user has logged in

clientRoleId - the id of the client role attribute certificate

rootCaCert - if the user is on a subordinate CA within a CA hierarchy, this contains the CA certificate of the root CA in the hierarchy; otherwise null

Throws:

CertificateRootException - thrown if the user's certificates could not be validated

CertificationRootException

ClientSettings

public ClientSettings(EntrustClientInfo entrustClientInfo)
               throws java.security.cert.CertificateException

Create a ClientSettings object using and initializes it from an EntrustClientInfo structure that was received using the PKIX-CMP protocol.

Parameters:

entrustClientInfo - an EntrustClientInfo structure that contains client settings data

Throws:

java.security.cert.CertificateException - thrown if an error occurred while decoding or parsing the client settings

Since:

7.0

Method Detail

init

public void init(ClientSettings clientSettings)

Copies another ClientSettings object into this one. This only performs a shallow copy, so the object copied from should not be used after this call or there will be unpredictable results.

Parameters:

clientSettings - the source object to be copied in to this one.

isValid

public boolean isValid()

Determines whether or not the policy certificates are valid. "Valid" in this context means that they were signed by a CA, and that CA's signature is trusted.

If this method returns true then the settings can be trusted. If it returns false, then an application may want to call getClientSettingsSource() to see if the source of the client settings is acceptable for the application's purposes.

Returns:

true if the main policy certificate and the client settings certificate for this user have been validated.

getClientSettingsSource

public int getClientSettingsSource()

Returns the source of the client settings values.

This will be one of the following values:

• SOURCE_DEFAULT
• SOURCE_CACHE
• SOURCE_DIRECTORY
• SOURCE_PKIXCMP
• SOURCE_USER_DEFINED

Returns:

the source of the client settings values.

Since:

7.0

getFresh

public void getFresh(User user,
            X509Certificate caCert,
            X509Certificate userCertificate,
            X509Certificate rootCaCert)
              throws java.security.cert.CertificateException

Retrieves fresh settings from the Directory, not from the policy certificate cache.

If the current ClientSettings have already been retrieved from the Directory, this method does nothing.

The Toolkit uses this method internally when the user logs in — Toolkit applications do not usually need to use it.

Parameters:

user - The User associated with these client settings

caCert - the CA certificate of the user.

Note

Because the user is not necessarily logged in when the ClientSettings object is created, the certificate must be provided here. The User class does not permit access to the certificates until the user has logged in.

userCertificate - the user's verification certificate. A certificate extension determines the user's role.

rootCaCert - if the user is on a subordinate CA within a CA hierarchy, this is the CA certificate of the root CA in the hierarchy; otherwise null.

Throws:

java.security.cert.CertificateException - if new settings cannot be retrieved from the Directory.

clear

public void clear()

Clears the client settings.

getPasswordRuleTester

public PasswordRuleTester getPasswordRuleTester()
                                         throws java.security.cert.CertificateException

Retrieves a PasswordRuleTester that will apply the rules appropriate for the current user, based on the user's role.

A user's role and the policies applicable to the user are set at the PKI by a Security Officer or Administrator and are specified in the user's verification and encryption certificates. If the user's certificates do not specify a user role, or no client settings certificate is available at runtime, then this method returns default password rules for an End User role.

Throws:

java.security.cert.CertificateException - if the settings encoded in the policy certificate are invalid

getPasswordRuleTester

public PasswordRuleTester getPasswordRuleTester(java.lang.String userCategory)
                                         throws java.security.cert.CertificateException

Retrieves a PasswordRuleTester that will apply the rules appropriate for the current user according to the role specified in the user's verification certificate.

If the certificate does not specify a role for the user, the PasswordRuleTester encapsulates password rules appropriate for an End User, administrator, or security officer according to whether the userCategory parameter is set to user, adm, or officer.

If a client settings certificate is not available, the method returns the default password rules, which are appropriate for an End User.

Parameters:

userCategory - determines the kind of password rules returned by this method

Throws:

java.security.cert.CertificateException - if the settings encoded in the policy certificate are invalid

getSearchBaseList

public java.util.List<SearchBase> getSearchBaseList()

Retrieves a list of SearchBase objects that are specified in the policy certificate.

A Toolkit application might use this list when searching Directories for recipients' encryption certificates.

The default is an empty List.

Returns:

a List of the search bases that are specified in the policy certificate.

getKeyBackupAllowed

public boolean getKeyBackupAllowed()

Returns the key-backup-allowed flag as specified in the policy certificate.

The default value is true

Note

This setting is enforced by the PKI, and the Toolkit abides by it.

Returns:

the key-backup-allowed flag.

getUserEncKeyAlgm

public java.lang.String getUserEncKeyAlgm()

Retrieves the PKIX protocol encryption algorithm used to encrypt the PKIX communication between the client and authority.

The default value is "RSA-2048"

Returns:

the PKIX protocol encryption algorithm.

isFeatureV2Profile

public boolean isFeatureV2Profile()
                           throws java.security.cert.CertificateException

Retrieves an indicator of whether the Security Manager supports V2-key-pair profiles.

A V2-key-pair profile has a certificate definition policy attached to each certificate; it was created using an Entrust Security Manager 7.0 or later and has no restrictions on the number of key-pairs (certificate streams) in the profile. A V1-key-pair profile has client policy settings attached to the user's role; it was created using an Entrust Security Manager pre-7.0 and restricts the profile to either 1-key-pair or 2-key-pair.

Returns:

true if the Security Manager supports V2 profiles; false otherwise.

Throws:

java.security.cert.CertificateException - thrown an error occurred while extracting the client policy setting from the main policy certificate

Since:

7.0

getAttribute

public Attribute getAttribute(java.lang.String oidString)

Returns the Attribute associated with the given OID. This method first tries to get the attribute from the role policy certificate, and if it is not found there it tries the main policy certificate.

Parameters:

oidString - The string representing the OID of the desired attribute

Returns:

The Attribute associated with the given OID of the given OID, null if not found.

See Also:

Attribute

getAllowedEncryptionAlgorithms

public java.util.List<java.lang.String> getAllowedEncryptionAlgorithms()

Retrieves a List of allowed symmetric encryption algorithms.

An application might use this method to prevent the user from encrypting with algorithms that are not authorized by the security officer.

The default value is a List containing the string "ALL", which means all algorithms are allowed.

Note

The Toolkit does not enforce this setting — it must be enforced by the application.

Returns:

a List of allowed symmetric encryption algorithms.

getAllowedHashAlgorithms

public java.util.List<java.lang.String> getAllowedHashAlgorithms()

Retrieves a List of allowed hashing algorithms.

An application might use this method to prevent the user from using hash algorithms that are not authorized by the security officer.

The default value is a List containing the string "ALL", which means all algorithms are allowed.

Note

The Toolkit does not enforce this setting — it must be enforced by the application.

Returns:

a List of allowed hashing algorithms.

getPermitRoaming

public boolean getPermitRoaming()

Returns whether or not the user is permitted to have a roaming profile.

The default value is true.

Note

The Toolkit does not enforce this setting.

Returns:

whether or not the user is permitted to have a roaming profile.

getPermitNonRoaming

public boolean getPermitNonRoaming()

Returns whether or not the user is permitted to have a profile on the desktop.

The default value is true.

Note

The Toolkit does not enforce this setting.

Returns:

whether or not the user is permitted to have a desktop profile.

getEnforceTokenUse

public boolean getEnforceTokenUse()

Returns whether or not the user's credentials must be stored on a PKCS#11 token.

The default value is false.

Note

The Toolkit enforces this setting.

Returns:

whether or not the user's credentials must be stored on a PKCS#11 token.

getPermitPAB

public boolean getPermitPAB()

Returns whether or not the client is permitted to use a personal address book. That is, whether or not the client is permitted to explicitly trust individual end-user certificates, or if the trust must come from a CA.

The default value is true.

Note

The Toolkit does not enforce this setting.

Returns:

whether or not the client is permitted to use a personal address book.

getPermitCApab

public boolean getPermitCApab()

Returns whether or not the client is permitted to use a CA personal address book. That is, the client can choose to trust root CAs other than its own, and all certificates and CRLs signed by that CA.

The default value is false.

Note

The Toolkit enforces this setting.

Returns:

whether or not the client is permitted to use a CA personal address book.

getCRLGracePeriod

public int getCRLGracePeriod()

Return the grace period for CRLs, in hours. This is the number of hours a CRL can be used after it expires, to account for Directory or PKI outages.

The default value is 2 hours.

Note

The Toolkit does not use this setting.

Returns:

the grace period for CRLs, in hours.

getPermitP12Export

public boolean getPermitP12Export()

Returns whether or not the client is allowed to export keying material to a PKCS#12 file. Even if export is allowed, the individual certificates must contain a special extension that allows export.

The default value is false.

Note

The Toolkit enforces this setting.

Returns:

whether or not the client is allowed to export keying material to a PKCS#12 file.

getPKCS12ExportMinimumHashCount

public int getPKCS12ExportMinimumHashCount()

Retrieves the minimum hash count to use when exporting keying material to a PKCS#12 file, if it is specified in the client settings.

The default value is 2000.

Note

The Toolkit enforces this setting.

Returns:

the minimum PKCS#12 export hash count.

getCAVersion

public int getCAVersion()

Deprecated. as of 7.0, since there is no way to determine the CA version

This method used to returns the CA version as specified in the policy certificate.

The version in the policy certificate has not been changed since PKI 5.0 and this means there is no way to tell between CA versions 5, 6, and 7. Given that the Toolkit can no longer communicate with any PKI version prior to 5.0, this method is of no use.

Returns:

the version of the CA, always 4, indicating a PKI version 5, 6, or 7

getMessageOfTheDay

public java.lang.String getMessageOfTheDay()

Returns the message-of-the-day string in the client-settings certificate, if any, which the application can present to the user.

The default value is an empty String.

Note

The Toolkit does not use this setting.

Returns:

the message of the day.

getProfileProtectionPolicy

public java.lang.String getProfileProtectionPolicy()

Returns the Profile protection policy setting, which should be used if the application has not decided to override the policy setting. If no value has been specified in the policy, the default value will be returned.

The default value is CAST.

Returns:

The Profile protection policy

getHttpProxy

public java.lang.String getHttpProxy()

Returns the HTTP proxy URL, which specifies the HTTP proxy for retrieving CRLs.

The default value is an empty String.

Note

The Toolkit does not use this setting.

Returns:

the HTTP proxy URL

getSkipRLcheck

public boolean getSkipRLcheck()

Returns a boolean determining how the application handles revocation list (RL) checks.

The default value is false.

Note

The Toolkit uses this setting.

Returns:

false, when RL checks should be processed, and true, when RL checks should be skipped.

getSuppressAuthorityRevocationChecks

public boolean getSuppressAuthorityRevocationChecks(boolean defValue)

Returns a boolean to indicate whether the toolkit will suppress authority revocation checking. Possible values are as follows:

false to indicate that authority revocation checking should be performed

true to indicate that authority revocation checking should not be done for this CA

The default value is false which means revocation checking will be performed.

Note

The Toolkit uses this setting.

Parameters:

defValue - The default value to use when the policy has not been set. Since this policy is meant to override the entrustSkipRLCheck policy when it is set, the toolkit will use the value of the entrustSkipRLCheck as the default value when it is not set.

Returns:

false, when RL checks should be processed, and true, when RL checks should be skipped.

getPolicyCertificateLifeTime

public int getPolicyCertificateLifeTime()

Retrieves the policy certificate lifetime in days.

Entrust Authority uses this value to set the policy certificate lifetime when it issues a new policy certificate. This is not the remaining lifetime of the current policy certificate.

The default value is 30 days.

Note

The Toolkit uses the notBefore and notAfter dates in the policy certificates to determine validity instead of this setting.

Returns:

the policy certificate lifetime in days.

getClientNKeyType

public int getClientNKeyType()

Returns an integer setting, which identifies the client PKIX type — 1 or 2. This corresponds to the "ProfileType=PKIX_2" entry in the profile. This value is only relevant when using a 6.0 PKI. With a 7.0 PKI this value has no meaning.

The default value is 2, which corresponds to "PKIX_2".

Note

The Toolkit does not use this value.

Returns:

the client type

getPublicTokenCerts

public boolean getPublicTokenCerts()

Returns a boolean, which indicates if the client will store certificates in public memory on tokens.

When this value is set to true all user-certificate should be stored in public memory on tokens; normally all certificates are stored in private memory.

The default value is false.

Note

The Toolkit enforces this setting.

Returns:

whether or not certificates will be stored in public memory on tokens.

getSigningKeyType

public java.lang.String getSigningKeyType()

Returns the client signing key type — RSA-2048, for example.

The default value is RSA-2048.

Note

The Toolkit enforces this setting.

Returns:

the client signing key type

getEncryptionKeyType

public java.lang.String getEncryptionKeyType()

Returns the client encryption key type — RSA-1024, for example.

The default value is RSA-2048.

Note

The Toolkit enforces this setting.

Returns:

the client encryption key type

getApplicationFlags

public boolean getApplicationFlags()

Retrieves the first Entrust application flag. Entrust applications can use this flag to determine if S/MIME usage should be enforced, or if other protected data formats (such as Entrust Archive) are acceptable. While the Entrust application flags are actually a bit string, only the first bit is ever used and there are no plans to use additional bits.

The default value is false.

Note

The Toolkit does not enforce this setting.

Returns:

whether or not S/MIME usage should be enforced.

getOfflineProfileUse

public boolean getOfflineProfileUse()

This attribute controls whether or not client software should write the Profile of a roaming user to disk after login.

The default value is false.

Note

The Toolkit does not use this setting.

Returns:

whether or not client software should write the Profile of a roaming user to disk after login.

getAllowServerLogin

public boolean getAllowServerLogin()

Controls whether or not the user can create a .ual file that will allow client software allows the user to log in via the Server Login procedure.

The default value is false.

Note

The Toolkit enforces this setting.

Returns:

whether or not usage of Server Login is permitted.

getPrivateKeyExportFromCapi

public boolean getPrivateKeyExportFromCapi()

Controls whether the keys can be exported from CAPI

The default value is false.

Note

The Toolkit enforces this setting.

Returns:

whether or not usage of Server Login is permitted.

getAllowNoCapiProtection

public boolean getAllowNoCapiProtection()

Controls whether unprotected CAPI key storage is allowed. This allows keys in CAPI to be protected (the default), or not protected when they are stored in CAPI.

The default value is false.

Note

The Toolkit enforces this setting.

Returns:

whether or not unprotected CAPI key storage is permitted.

getEnforceIdentityUse

public boolean getEnforceIdentityUse()

Controls whether or not the client software enforces the use of an identity device.

The default value is false.

Note

The Toolkit does not enforce this setting.

Returns:

whether or not the usage of biometric identity devices is enforced.

getAcceptablePolicyOids

public java.util.List<ObjectID> getAcceptablePolicyOids()

Retrieves a List of the acceptable policy ObjectIDs.

The default value is a List containing ObjectID.anyPolicy.

Note

The Toolkit uses this setting during certificate validation.

Returns:

a List of the acceptable policy ObjectIDs.

getBusinessControlFlags

public BIT_STRING getBusinessControlFlags()

Retrieve the business control flags, if any, from the client settings certificate.

The bit string represents the following controls:

1. Policy mapping is inhibited
2. Existence of Acceptable Policy OIDs are enforced
3. Strict PKIX RFC 3280 compliance
4. Strict FPKI compliance
5. Inhibit use of anyPolicy

The default value is a bit string with 5 bits set as follows: false, false, false, false, false

Note

The Toolkit enforces settings a, b and e, but does not enforce settings c and d.

Returns:

the business control flags

getInhibitPolicyMapping

public boolean getInhibitPolicyMapping()

Get the inhibit policy mapping business control flag.

When policy certificate extensions are tested as part of X509 certificate validation, this setting determines whether policy mappings will be disallowed when determining which policy OIDs are acceptable. The default is false, i.e. policy mappings are allowed when determining the acceptable policy OIDs.

The default value is false

Note

The Toolkit enforces this setting.

Returns:

the inhibit policy mapping business control flag.

getInhibitAnyPolicy

public boolean getInhibitAnyPolicy()

Get the inhibit any-policy business control flag, if any, from the client settings certificate.

When testing policy certificate extensions in X509 certificates, this setting specifies whether anyPolicy policy identifier (2.5.29.32.0) should be processed. If this is set to false the anyPolicy OID can be considered a match to any other policy OIDs.

The default value is false

Note

The Toolkit enforces this setting.

Returns:

the inhibit any-policy business control flag.

getRequirePolicyOIDs

public boolean getRequirePolicyOIDs()

Get the require policy OIDs business control flag, if any, from the client settings certificate.

When testing policy certificate extensions in X509 certificates, this setting specifies whether any policy OIDs are acceptable, or only those contained in the acceptable policy OIDs section of the client settings. If this is set to true and no acceptable policy OIDs are set in the user's client settings certificate, all X509 certificate path validation will fail.

The default value is false

Note

The Toolkit enforces this setting.

Returns:

the require policy OIDs business control flag.

getDNencoding

public java.util.List<java.lang.String> getDNencoding()

Retrieves DN encoding types, as a List of Strings.

The default value is a List containing "printable", "teletex", "utf8"

Note

The Toolkit does not enforce this setting.

Returns:

a List of Strings for DN encoding types

getDirectoryConsistencyChecking

public boolean getDirectoryConsistencyChecking()

This client settings flag controls whether Entrust clients ensure that the directory entry DN matches the certificate subject when they retrieve certificates from a Directory.

The default value is true

Note

The Toolkit does not enforce this setting.

Returns:

whether or not the subject DN in a certificate must match the location in the Directory it was retrieved from.

getProtectKeyTransfer

public boolean getProtectKeyTransfer()

Returns an indicator of whether or not protected key transfer is enforced for Entrust Digital Identities on Cryptoki devices (tokens).

When set to true, this indicates that when private keys are transferred to tokens, they must be encrypted. In order for this to happen, the token must support the secure transfer of keys.

The default value is false.

Note

The Toolkit enforces this setting.

Returns:

true if protected key transfer must be enforced; false otherwise

isXCertCacheEnabled

public boolean isXCertCacheEnabled()

Gets the role policy setting that controls whether or not the user's cross-certificate cache (XCC) is enabled.

This policy controls the usage of the cross-certificate cache. When enabled, the cross-certificate cache will automatically be used by an Entrust user whose digital identity is in Entrust Profile (EPF) or Entrust PKCS#11 (P11) format. At user login time the CA certificates contained the the user's XCC file will automatically be read and made available to the user's certificate validation engine. At logout time, the CA certificates currently cached in memory by the certificate validation engine will automatically be written out to the user's XCC file.

The cross-certificate cache contains all CA certificates (cross-certificates, link certificates, and self-signed certificates) that were used when performing certificate validation. Its purpose is to facilitate certificate validation when the user is offline and unable to access the Directory for certificate path building.

The default value for this policy value is controlled by the com.entrust.toolkit.x509.policies.ClientSettings.enableCacheUsage.xcc Java System property. When set to "false" (not case sensitive), the default value for this policy is false; otherwise it is true.

Returns:

true if the cross-certificate cache is enabled; false otherwise

Since:

8.0

See Also:

ArchiveCertCache

getProtocolSymmetricEncAlgs

public java.util.List<EntrustSymmEncConfig> getProtocolSymmetricEncAlgs()
                                                                 throws java.security.cert.CertificateException

Returns a list of symmetric encryption algorithms that are permitted for use in the PKIX-CMP protocol.

This list contains one or more values and is ordered according to preference. The following values are permitted as of Security Manager 8.1 (identified by algorithm name or algorithm alias):

Algorithm Name	Algorithm Aliases	Symmetric Encryption Algorithm Configuration
AES-CBC-128	AES-128	EntrustSymmEncConfig.AES_CBC_128
AES-CBC-192	AES-192	EntrustSymmEncConfig.AES_CBC_192
AES-CBC-256	AES-256, AES	EntrustSymmEncConfig.AES_CBC_256
CAST5-CBC-80	CAST-80	EntrustSymmEncConfig.CAST5_CBC_80
CAST5-CBC-128	CAST-128	EntrustSymmEncConfig.CAST5_CBC_128
TRIPLEDES-CBC-192	TRIPLEDES	EntrustSymmEncConfig.TRIPLEDES_CBC_192

When Security Manager needs to encrypt a value in a PKIX-CMP response message, it will use this list to decide which algorithm to use. It will select the first algorithm from the list that is also supported by the client and offers sufficient security to protect the payload. This is the first algorithm in the list (that the client also supports) that offers equivalent or higher security than the payload. If none of the algorithms in the list that are also supported by the client offer adequate security, then the transaction is aborted and an error is returned to the client.

Similarly, when a client needs to encrypt a value in a PKIX-CMP request message, it also uses this list to decide which algorithm to use. It will select the first algorithm from the list that offers sufficient security to protect the payload (Note: the server must support all algorithms in this list). If none of the algorithms in the list offer adequate security, then the transaction is aborted and an error is returned to the server.

This policy setting is found in the main policy certificate and was introduced in Security Manager 8.1. When communicating with an older version of Security Manager, this policy is not available. In this case, a default value will be returned: AES-CBC-256 when very strong cryptography is permitted by the J2SE, AES-CBC-128 otherwise.

Note: All private keys and symmetric keys have a known security strength; refer to NIST SP 800-57 for security strength values.

Returns:

an unmodifiable list of symmetric encryption algorithms permitted for use in PKIX-CMP

Throws:

java.security.cert.CertificateException - if the main policy certificate contains an improperly encoded protocol symmetric encryption algorithms attribute

Since:

8.0

getProtocolSigningAlgs

public java.util.List<EntrustSigConfig> getProtocolSigningAlgs(java.util.List<EntrustSigConfig> callerConfiguredDefaultProtocolSigningAlgs)
                                                        throws java.security.cert.CertificateException

Returns a list of signature algorithms that are permitted for use in the PKIX-CMP protocol.

This list contains one or more values and is ordered according to preference. The following values are permitted as of Security Manager 8.1 (identified by algorithm name or algorithm alias):

Algorithm Name	Signature Algorithm Configuration
RSA-SHA1	EntrustSigConfig.RSA_SHA1
RSA-SHA224	EntrustSigConfig.RSA_SHA224
RSA-SHA256	EntrustSigConfig.RSA_SHA256
RSA-SHA384	EntrustSigConfig.RSA_SHA384
RSA-SHA512	EntrustSigConfig.RSA_SHA512
RSA-RECOMMENDED	EntrustSigConfig.RSA_RECOMMENDED
RSAPSS-SHA1	EntrustSigConfig.RSAPSS_SHA1
RSAPSS-SHA224	EntrustSigConfig.RSAPSS_SHA224
RSAPSS-SHA256	EntrustSigConfig.RSAPSS_SHA256
RSAPSS-SHA384	EntrustSigConfig.RSAPSS_SHA384
RSAPSS-SHA512	EntrustSigConfig.RSAPSS_SHA512
RSAPSS-RECOMMENDED	EntrustSigConfig.RSAPSS_RECOMMENDED
ECDSA-SHA1	EntrustSigConfig.ECDSA_SHA1
ECDSA-SHA224	EntrustSigConfig.ECDSA_SHA224
ECDSA-SHA256	EntrustSigConfig.ECDSA_SHA256
ECDSA-SHA384	EntrustSigConfig.ECDSA_SHA384
ECDSA-SHA512	EntrustSigConfig.ECDSA_SHA512
ECDSA-RECOMMENDED	EntrustSigConfig.ECDSA_RECOMMENDED
DSA-SHA1	EntrustSigConfig.DSA_SHA1

When Security Manager needs to sign a PKIX-CMP response message, it will use this list to decide which algorithm to use. It will select the first algorithm from the list that is compatible with the PKIX-CMP signing key and is also supported by the client. If none of the algorithms in the list that are compatible with the PKIX-CMP signing key and supported by the client, then the transaction is aborted and an error is returned to the client.

Similarly, when a client needs to sign a PKIX-CMP request message, or demonstration proof-of-possession via signing, it also uses this list to decide which algorithm to use. It will select the first algorithm from the list that is compatible with the PKIX-CMP signing key (Note: the server must support all algorithms in this list). If none of the algorithms in the list are compatible with the PKIX-CMP signing key, then the transaction is aborted and an error is returned to the server.

This policy setting is found in the main policy certificate and was introduced in Security Manager 8.1. When communicating with an older version of Security Manager, this policy is not available. In this case, a default value will be returned; refer to getDefaultProtocolSigningAlgs(List) for details on configuration of the default value.

Parameters:

callerConfiguredDefaultProtocolSigningAlgs - [OPTIONAL] a custom default value for the PKIX-CMP signature algorithm configuration list provided by the caller

Returns:

an unmodifiable list of signature algorithms permitted for use in PKIX-CMP

Throws:

java.security.cert.CertificateException - if the main policy certificate contains an improperly encoded protocol signature algorithms attribute

Since:

8.0

getDefaultProtocolSigningAlgs

public static java.util.List<EntrustSigConfig> getDefaultProtocolSigningAlgs(java.util.List<EntrustSigConfig> callerConfiguredDefaultProtocolSigningAlgs)

Returns the default list of signature algorithms that are permitted for use in the PKIX-CMP protocol.

When client settings are not available (prior to a PKIX-CMP general message request in certain cases), the default list of signature algorithms is required. There are multiple ways that the default list can be configured; the first value that is available from the list below is returned.

Custom Default (configured by caller)

Optionally provided by the caller through the callerConfiguredDefaultProtocolSigningAlgs API parameter

System Default

Hard coded to 'RSA-SHA1, ECDSA-SHA1, DSA-SHA1' (always available)

Parameters:

callerConfiguredDefaultProtocolSigningAlgs - [OPTIONAL] a custom default value for the PKIX-CMP signature algorithm configuration list provided by the caller

Returns:

the default PKIX-CMP signature algorithm list

Since:

8.0

isAllExportable

public boolean isAllExportable()

Indicates whether or not a user's private keys are all marked as exportable by policy ('entrustAllExportable').

This role policy setting is an implicit override of the PKCS12ExportPermission (2.16.840.1.114027.30.1) extension, allowing legacy non-exportable key pairs to be retroactively marked as 'exportable'. When set to true, the certificates of all the user's key pairs in a digital identity implicitly have the PKCS12ExportPermission extension.

Returns:

true if the user's private keys are all marked as exportable by policy; false otherwise

Since:

7.2 SP2 Patch

setAttribute

public void setAttribute(Attribute attribute)
                  throws UserFailureException

Adds the given Attribute to the set of client settings, overriding any existing value for that attribute. This works for any attribute, but requires detailed knowledge of the way the attribute is supposed to be encoded to work successfully.

Parameters:

attribute - the Attribute to set.

Throws:

UserFailureException - if the User associated with this object must have valid settings signed by a CA.

Since:

7.0

setAllowCAPAB

public void setAllowCAPAB(boolean permit)
                   throws UserFailureException

Allows the application to permit or prevent the use of a CA private address book (CA PAB) regardless of the default permission or the permission set in the client settings certificate, if any. Calling this method causes the settings to no longer be considered valid; all future calls to isValid() will return false.

For example, a user can invoke this method before adding an additional trusted root certificate to the certificate verifier (User.addTrustedCertificate(cert)), and that root will be trusted even if the user's client-settings certificate does not allow that.

     user.login( credReader, password );
     user.getCertVerifier().getClientSettings().setAllowCAPAB(true);
     user.addTrustedCertificate(new X509Certificate(new FileInputStream("trustedRoot.cer"));
  

Parameters:

permit - whether or not the use of a CA private address book is allowed.

Throws:

UserFailureException - if the User associated with this object must have valid settings signed by a CA.

setInhibitPolicyMapping

public void setInhibitPolicyMapping(boolean inhibitPolicyMapping)
                             throws UserFailureException

Allows an application to permit or prevent policy mapping during certificate validation, regardless of the default permission or the permission set in the client settings certificate.

Parameters:

inhibitPolicyMapping - whether or not policy mapping is inhibited (disallowed).

Throws:

UserFailureException - if the User associated with this object must have valid settings signed by a CA.

Since:

7.0

setInhibitAnyPolicy

public void setInhibitAnyPolicy(boolean inhibitAnyPolicy)
                         throws UserFailureException

Allows an application to permit or prevent the usage of the special policy anyPolicy during certificate validation, regardless of the default permission or the permission set in the client settings certificate.

Parameters:

inhibitAnyPolicy - whether or not usage of anyPolicy is inhibited (disallowed).

Throws:

UserFailureException - if the User associated with this object must have valid settings signed by a CA.

Since:

7.0

setRequireExplicitPolicy

public void setRequireExplicitPolicy(boolean requireExplicitPolicy)
                              throws UserFailureException

Allows an application to require or not require explicit policy during certificate validation, regardless of the default permission or the permission set in the client settings certificate.

Parameters:

requireExplicitPolicy - whether or not explicit policy mapping is required.

Throws:

UserFailureException - if the User associated with this object must have valid settings signed by a CA.

Since:

7.0

addAcceptablePolicy

public void addAcceptablePolicy(ObjectID acceptablePolicy)
                         throws UserFailureException

Allows an application to add an acceptable policy for use during certificate validation, regardless of the default permission or the permission set in the client settings certificate. If no acceptable policies had been set and the default anyPolicy was being used, this removes anyPolicy from the list of acceptable policies.

Note:

Calling this method causes the settings to no longer be considered valid; all future calls to isValid() will return false. The source of the client settings will be set to SOURCE_USER_DEFINED

Parameters:

acceptablePolicy - a policy acceptable for use during certificate validation

Throws:

UserFailureException - if the User associated with this object must have valid settings signed by a CA.

Since:

7.0

resetAcceptablePolicies

public void resetAcceptablePolicies()
                             throws UserFailureException

Allows an application to reset the list of acceptable policy for use during certificate validation to the default (any policy is accepted), regardless of the default permission or the permission set in the client settings certificate.

Note:

Calling this method causes the settings to no longer be considered valid; all future calls to isValid() will return false. The source of the client settings will be set to SOURCE_USER_DEFINED

Throws:

UserFailureException - if the User associated with this object must have valid settings signed by a CA.

Since:

7.0

setXCertCacheEnabled

public void setXCertCacheEnabled(boolean xCertCacheEnabled)
                          throws UserFailureException

Sets the role policy setting that controls whether or not the user's cross-certificate cache (XCC) is enabled.

For additional details on a user's cross-certificate cache refer to isXCertCacheEnabled();

Parameters:

xCertCacheEnabled - true if the cross-certificate cache is to be enabled; false otherwise

Throws:

UserFailureException

Since:

8.0

issuedByUpdatedCAkey

public boolean issuedByUpdatedCAkey(X509Certificate cert)
                             throws java.security.cert.CertificateException

Checks an X509Certificate to determine if it was signed by the same key that signed the main policy certificate.

This method checks that the AuthorityKeyIdentifier, matches, but does not check the subject and issuer DNs nor does it validate the signature. Those checks must be performed elsewhere if required.

Parameters:

cert - certificate to be checked

Returns:

true if the the authority key identifier in the certificate matches the authority key identifier in the main policy certificate

Throws:

java.security.cert.CertificateException - thrown if the main policy certificate has not been validated at the time this method is invoked.

getCaCertificate

public X509Certificate getCaCertificate(boolean checkForUpdate)

Retrieves the CA certificate with which these ClientSettings were validated.

If a CA key update has occurred, that current CA certificate might not be the one in the user's Profile.

Parameters:

checkForUpdate - If true, try an online check for an updated CA certificate. If false, just return the CA certificate used to validate the current settings.

getRootCaCertificate

public X509Certificate getRootCaCertificate(boolean checkForUpdate)

Returns the top-level trusted root CA certificate.

If the user is on a subordinate CA within a strict CA hierarchy, the top-level trusted root CA certificate can be different from the direct CA certificate. This method checks whether the top-level root CA key has been updated since the user last logged in and, if so, returns the most recent certificate of the top-level CA. If the user is not on a subordinate CA within a strict hierarchy (e.g. the user is on the top-level CA itself), this method returns null. The Toolkit uses this methods internally when the user logs in and Toolkit applications do not typically need to use it.

Parameters:

checkForUpdate - If true, try an online check for an updated Root CA certificate. If false, just return the current Root CA certificate.

Returns:

The most recent CA certificate of a top-level trusted root CA.

getCertificates

public IniFile getCertificates()

Returns the main policy certificate and the client settings certificate in an IniFile.

updateUserPolicyCertCache

public void updateUserPolicyCertCache(User user)

Adds the main policy certificate and role policy certificate to the user's policy certificate cache.

If the user does not yet have a policy certificate cache, a new one is automatically created.

Parameters:

user - the User whose cache will be updated.

Since:

7.0

toString

public java.lang.String toString()

Shows the contents of the internal policy certificates as a String.

Overrides:

toString in class java.lang.Object

getUser

public User getUser()

Returns the user that these client settings are associated with.

This API can return null if the client settings were not associated with a user.

Returns:

the user that these client settings are associated with

Since:

7.1 SP1 Patch

assertAllowedHashAlgorithm

public void assertAllowedHashAlgorithm(AlgorithmID algorithm)
                                throws DisallowedAlgorithmException

Ensures that the indicated hash algorithm is allowed under the client policy settings.

This call checks the 'entrustAllowedHashAlgms' client policy setting to see if the hash algorithm is allowed. A null algorithm is ignored and considered allowed.

Currently the 'entrustAllowedHashAlgms' client policy setting IS NOT enforced automatically anywhere throughout the Toolkit. However, by calling this API when a hash algorithm is being selected for use in a digital signature operation, the 'entrustAllowedHashAlgms' client policy setting can be manually enforced for that specific operation. A specific example of where one may want to manually enforce setting is prior to creation of a PKCS#7 signed data structure.

Parameters:

algorithm - the hash algorithm

Throws:

DisallowedAlgorithmException - if the hash algorithm is not allowed

assertAllowedHashAlgorithm

public void assertAllowedHashAlgorithm(AlgorithmID algorithm)
                                throws DisallowedAlgorithmException

Ensures that the indicated hash algorithm is allowed under the client policy settings.

Parameters:

algorithm - the hash algorithm

Throws:

DisallowedAlgorithmException - if the hash algorithm is not allowed

See Also:

assertAllowedHashAlgorithm(AlgorithmID)

isAllowedHashAlgorithm

public boolean isAllowedHashAlgorithm(AlgorithmID algorithm)

Determines whether or not the indicated hash algorithm is allowed under the client policy settings.

This call checks the 'entrustAllowedHashAlgms' client policy setting to see if the hash algorithm is allowed. A null algorithm is ignored and considered allowed.

Parameters:

algorithm - the hash algorithm

Returns:

true if the hash algorithm is allowed; false otherwise

isAllowedHashAlgorithm

public boolean isAllowedHashAlgorithm(AlgorithmID algorithm)

Determines whether or not the indicated hash algorithm is allowed under the client policy settings.

Parameters:

algorithm - the hash algorithm

Returns:

true if the hash algorithm is allowed; false otherwise

See Also:

isAllowedHashAlgorithm(AlgorithmID)

getEncodedRolePolicyCert

public byte[] getEncodedRolePolicyCert()

Gets the DER-encoded role policy certificate.

Returns:

the DER-encoded of the role policy certificate; null if the role policy certificate is not available

Since:

8.0