com.entrust.toolkit.x509.policies

Class EntrustCertDefnSettings

java.lang.Object

com.entrust.toolkit.x509.policies.EntrustCertDefnSettings

public class EntrustCertDefnSettings
extends java.lang.Object

This class contains certificate-definition policy information. All the data in the following ASN.1 structure is represented.

 EntrustCertDefnInfo ::= SEQUENCE {
     certdefn        EntrustCertInfoId,
     policycertdn    DistinguishedName    OPTIONAL,
     policycert      [1] ANY              OPTIONAL -- the policy cert in some encoding
 };
 

In addition to providing access to the components from the structure above, access is also provided to each known certificate-definition policysetting contained within the policy certificate.

Since:

7.0

Field Summary

Fields

Modifier and Type	Field and Description
java.lang.String	m_sanHandling The certificate definition policy used to identify how SAN requests are handled in incoming CMP requests.

Constructor Summary

Constructors

Constructor and Description
EntrustCertDefnSettings(EntrustCertDefnInfo entrustCertDefnInfo) Creates an EntrustCertDefnSettings object from an EntrustCertDefnInfo structure.

Method Summary

Methods

Modifier and Type	Method and Description
Attribute	getAttribute(ObjectID oid) Returns the requested policy setting from the policy certificate.
EntrustCertInfoId	getCertdefn() Returns the certificate-definition identifier, which is the 'certdefn' component that was extracted from the EntrustCertDefnInfo structure.
java.lang.Boolean	getCMPUnknown() Returns the cd_cmp_unknown policy setting from the policy certificate.
byte[]	getEncodedCertDefnPolicyCert() Gets the DER-encoded certificate definition policy certificate.
java.lang.Boolean	getExcBasicConst() Returns the cd_exc_basicconst policy setting from the policy certificate.
java.lang.Boolean	getExcCDP() Returns the cd_exc_cdp policy setting from the policy certificate.
java.lang.Boolean	getExcEntVersInfo() Returns the cd_exc_entversinfo policy setting from the policy certificate.
java.lang.Boolean	getExcPrivKeyUsage() Returns the cd_exc_privkeyusage policy setting from the policy certificate.
java.lang.Boolean	getExcSubjKeyId() Returns the cd_exc_subjkeyid policy setting from the policy certificate.
java.lang.String	getKeyCSP() Returns the cd_key_csp policy setting from the policy certificate.
java.lang.String	getKeyType() Returns the cd_key_type policy setting from the policy certificate.
java.lang.String	getKeyUsage() Returns the cd_key_usage policy setting from the policy certificate.
java.lang.Integer	getLifetime() Returns the cd_lifetime policy setting from the policy certificate.
java.lang.String	getPivContainer() Returns the cd_piv_container policy setting from the policy certificate.
Name	getPolicycertdn() Returns the certificate-definition policy certificate DN, which is the 'policycertdn' component that was extracted from the EntrustCertDefnInfo structure.
java.lang.Integer	getPrivKeyUsage() Returns the cd_privkeyusage policy setting from the policy certificate.
java.lang.String	getPublishDN() Returns the cd_publish_dn policy setting from the policy certificate.
java.lang.String	getPublishPolicy() Returns the cd_publish_policy policy setting from the policy certificate.
java.util.Date	getUpdDate() Returns the cd_upd_date policy setting from the policy certificate.
int	getUpdPercent() Returns the cd_upd_percent policy setting from the policy certificate.
boolean	isCMPEnforce() Returns the cd_cmp_enforce policy setting from the policy certificate.
boolean	isCMPLatestSign() Returns the cd_cmp_latest_sign policy setting from the policy certificate.
boolean	isCMPOverride() Returns the cd_cmp_override policy setting from the policy certificate.
boolean	isCMPPublish() Returns the cd_cmp_publish policy setting from the policy certificate.
boolean	isCMPSignCMP() Returns the cd_cmp_sign_cmp policy setting from the policy certificate.
boolean	isExcCertPol() Returns the cd_exc_certpol policy setting from the policy certificate.
boolean	isExcSubjAltName() Returns the cd_exc_subjaltname policy setting from the policy certificate.
boolean	isIgnoreUserLife() Returns the cd_ignore_userlife policy setting from the policy certificate.
boolean	isKeyBackup() Returns the cd_key_backup policy setting from the policy certificate.
boolean	isKeyClientGen() Returns the cd_key_clientgen policy setting from the policy certificate.
boolean	isKeyCSPExport() Returns the cd_key_csp_export policy setting from the policy certificate.
boolean	isKeyCSPForSCLO() Returns the Key is for SmartCard Logon policy setting from the policy certificate.
boolean	isKeyCSPProtect() Returns the cd_key_csp_protect policy setting from the policy certificate.
boolean	isPublishExpired() Returns the cd_publish_expired policy setting from the policy certificate.
boolean	isPublishKeyUpd() Returns the cd_publish_keyupd policy setting from the policy certificate.
boolean	isPublishRevoked() Returns the cd_publish_revoked policy setting from the policy certificate.
boolean	isUpdDateEnabled() Returns the cd_upd_date_enabled policy setting from the policy certificate.
java.lang.String	toString() Creates a text representation of the certificate-definition information, including the values of each of the known policy settings (any policy setting that has an accessor API).

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

m_sanHandling

public java.lang.String m_sanHandling

The certificate definition policy used to identify how SAN requests are handled in incoming CMP requests.

Constructor Detail

EntrustCertDefnSettings

public EntrustCertDefnSettings(EntrustCertDefnInfo entrustCertDefnInfo)
                        throws CodingException

Creates an EntrustCertDefnSettings object from an EntrustCertDefnInfo structure.

The 'certdefn' and 'policycertdn' components are simply extracted and stored internally; while the 'policycert' component is extracted, ASN1 decoded into an Entrust Attribute Certificate object, and stored internally. This implementation of Entrust certificate-definition policy information requires that the 'policycert' component be an ASN1 encoded Entrust Attribute Certificate.

All the known certificate-definition policy settings are then extracted from the policy certificate as attributes. The following table indicates all the certificate-definition policy settings that are extracted, including the format expected, and default values. If one of the listed certificate-definition policy settings is not found in the policy certificate, the default value is used instead.

In all cases, except for known certificate-definition policies 'Encryption' and 'Verification', a policy certificate is required in the EntrustCertDefnInfo structure. If a known policy that is missing a policy certificate is encountered, known values (listed in the table below) are automatically set instead.

Entrust Certificate-Definition Policy Settings
Policy Name	ASN1 Format	Default Value	'Encryption' Value	'Verification' Value
cd_lifetime	INTEGER	none	36	36
cd_privkeyusage	INTEGER	none	70	70
cd_ignore_userlife	BOOLEAN	false	false	false
cd_publish_policy	UTF8String	"none" (ver-certs), "latest" (enc-certs)	"latest"	"none"
cd_publish_revoked	BOOLEAN	true	true	false
cd_publish_expired	BOOLEAN	true	true	false
cd_publish_dn	UTF8String	"current"	"match"	"match"
cd_publish_keyupd	BOOLEAN	true (enc-certs), false (ver-certs)	true	false
cd_exc_privkeyusage	BOOLEAN	none	false	false
cd_exc_basicconst	BOOLEAN	none	false	false
cd_exc_cdp	BOOLEAN	none	false	false
cd_exc_entversinfo	BOOLEAN	none	false	false
cd_exc_subjkeyid	BOOLEAN	none	false	false
cd_exc_certpol	BOOLEAN	false	false	false
cd_exc_subjaltname	BOOLEAN	false	false	false
cd_cmp_override	BOOLEAN	true	false	false
cd_cmp_unknown	BOOLEAN	none	false	false
cd_cmp_enforce	BOOLEAN	false	false	false
cd_cmp_latest_sign	BOOLEAN	true	true	true
cd_cmp_sign_cmp	BOOLEAN	false	false	true
cd_cmp_publish	BOOLEAN	false	false	false
cd_key_type	UTF8String	none	none	none
cd_key_backup	BOOLEAN	false	true	false
cd_key_clientgen	BOOLEAN	true	false	true
cd_key_usage	UTF8String	"both"	"encryption"	"verification"
cd_key_csp	UTF8String	""	""	""
cd_key_csp_protect	BOOLEAN	true	true	true
cd_key_csp_export	BOOLEAN	false	false	false
cd_piv_container	UTF8String	"None"	"None"	"None"
cd_upd_percent	INTEGER	0	0	0
cd_upd_date_enabled	BOOLEAN	false	false	false
cd_upd_date	UTCTime	none	000101000000Z	000101000000Z

Note:

This does not validate the policy certificate and instead assumes that it was received by some trusted means (PKIX-CMP). If this is not the case, the policy certificate must be validated before the policies can be trusted.

Parameters:

entrustCertDefnInfo - the EntrustCertDefnInfo structure that contains the certificate-definition policy information

Throws:

CodingException - thrown if an error occurs while decoding the policy certificate or any of the policy settings it contains

Method Detail

getCertdefn

public EntrustCertInfoId getCertdefn()

Returns the certificate-definition identifier, which is the 'certdefn' component that was extracted from the EntrustCertDefnInfo structure.

The certificate-definition identifier provides a unique identifier for the certificate-definition information

Returns:

the certificate-definition identifier

getPolicycertdn

public Name getPolicycertdn()

Returns the certificate-definition policy certificate DN, which is the 'policycertdn' component that was extracted from the EntrustCertDefnInfo structure. If the certificate-definition policy certificate DN was not set in the EntrustCertDefnInfo structure, null is returned.

The certificate-definition policy certificate DN provides the Distinguished Name (DN) of the associated certificate-definition policy certificate.

Returns:

the certificate-definition policy certificate DN

getAttribute

public Attribute getAttribute(ObjectID oid)

Returns the requested policy setting from the policy certificate. If the policy certificate does not contain the requested setting, null is returned.

Returns:

the policy setting

getLifetime

public java.lang.Integer getLifetime()

Returns the cd_lifetime policy setting from the policy certificate. If the policy certificate does not contain the cd_lifetime setting, null is returned.

Defines the lifetime of the certificate in months.

Returns:

the cd_lifetime certificate-definition policy setting

getPrivKeyUsage

public java.lang.Integer getPrivKeyUsage()

Returns the cd_privkeyusage policy setting from the policy certificate. If the policy certificate does not contain the cd_privkeyusage setting, null is returned.

Defines the private key usage period of a certificate, as a pecentage of the certificate lifetime.

Returns:

the cd_privkeyusage certificate-definition policy setting

isIgnoreUserLife

public boolean isIgnoreUserLife()

Returns the cd_ignore_userlife policy setting from the policy certificate. If the policy certificate does not contain the cd_ignore_userlife setting, a default value of false is returned.

Indicates if per user lifetime information should be ignored for this certificate.

Returns:

the cd_ignore_userlife certificate-definition policy setting

getPublishPolicy

public java.lang.String getPublishPolicy()

Returns the cd_publish_policy policy setting from the policy certificate. If the policy certificate does not contain the cd_publish_policy setting, a default value of "none" for verification certificates and "latest" for encryption certificates is returned.

Defines what certificates are published. Possible values are:

• all: publish all certificates
• latest: publish latest certificates
• none: publish no certificates

Returns:

the cd_publish_policy certificate-definition policy setting

isPublishRevoked

public boolean isPublishRevoked()

Returns the cd_publish_revoked policy setting from the policy certificate. If the policy certificate does not contain the cd_publish_revoked setting, a default value of true is returned.

Indicates if revoked certificates are published.

Returns:

the cd_publish_revoked certificate-definition policy setting

isPublishExpired

public boolean isPublishExpired()

Returns the cd_publish_expired policy setting from the policy certificate. If the policy certificate does not contain the cd_publish_expired setting, a default value of true is returned.

Indicates if expired certificates are published.

Returns:

the cd_publish_expired certificate-definition policy setting

getPublishDN

public java.lang.String getPublishDN()

Returns the cd_publish_dn policy setting from the policy certificate. If the policy certificate does not contain the cd_publish_dn setting, a default value of "current" is returned.

Indicates where a certificate should be published. Possible values are:

• current: publish to the user’s current DN
• match: publish to the user’s current DN if the subject DN of the certificate matches the current DN

Returns:

the cd_publish_dn certificate-definition policy setting

isPublishKeyUpd

public boolean isPublishKeyUpd()

Returns the cd_publish_keyupd policy setting from the policy certificate. If the policy certificate does not contain the cd_publish_keyupd setting, a default value of false for encryption certificates and true for verification certificates is returned.

Indicates if a new certificate should be published when an administrator performs a key update operation. For this setting to take effect, the certificate must meet the following criteria:

• publishing must be enabled
• keys must be server-side generated
• key backup must be enabled

Returns:

the cd_publish_keyupd certificate-definition policy setting

getExcPrivKeyUsage

public java.lang.Boolean getExcPrivKeyUsage()

Returns the cd_exc_privkeyusage policy setting from the policy certificate. If the policy certificate does not contain the cd_exc_privkeyusage setting, null is returned.

Indicates if the private key usage extension is excluded.

Returns:

the cd_exc_privkeyusage certificate-definition policy setting

getExcBasicConst

public java.lang.Boolean getExcBasicConst()

Returns the cd_exc_basicconst policy setting from the policy certificate. If the policy certificate does not contain the cd_exc_basicconst setting, null is returned.

Indicates if the basic constraints extension is excluded.

Returns:

the cd_exc_basicconst certificate-definition policy setting

getExcCDP

public java.lang.Boolean getExcCDP()

Returns the cd_exc_cdp policy setting from the policy certificate. If the policy certificate does not contain the cd_exc_cdp setting, null is returned.

Indicates if the CDP extension is excluded.

Returns:

the cd_exc_cdp certificate-definition policy setting

getExcEntVersInfo

public java.lang.Boolean getExcEntVersInfo()

Returns the cd_exc_entversinfo policy setting from the policy certificate. If the policy certificate does not contain the cd_exc_entversinfo setting, null is returned.

Indicates if the entrustVersInfo extension is excluded.

Returns:

the cd_exc_entversinfo certificate-definition policy setting

getExcSubjKeyId

public java.lang.Boolean getExcSubjKeyId()

Returns the cd_exc_subjkeyid policy setting from the policy certificate. If the policy certificate does not contain the cd_exc_subjkeyid setting, null is returned.

Indicates if the subjectKeyId extension is excluded.

Returns:

the cd_exc_subjkeyid certificate-definition policy setting

isExcCertPol

public boolean isExcCertPol()

Returns the cd_exc_certpol policy setting from the policy certificate. If the policy certificate does not contain the cd_exc_certpol setting, a default value of false is returned.

Indicates if the certificatePolicy extension includes the security policy and/or per user certificate policy OID lists.

Returns:

the cd_exc_certpol certificate-definition policy setting

isExcSubjAltName

public boolean isExcSubjAltName()

Returns the cd_exc_subjaltname policy setting from the policy certificate. If the policy certificate does not contain the cd_exc_subjaltname setting, a default value of false is returned.

Indicates if the subjectAltName extension is excluded.

Returns:

the cd_exc_subjaltname certificate-definition policy setting

isCMPOverride

public boolean isCMPOverride()

Returns the cd_cmp_override policy setting from the policy certificate. If the policy certificate does not contain the cd_cmp_override setting, a default value of true is returned.

Indicates if the contents of the CMP message can override other policy.

Returns:

the cd_cmp_override certificate-definition policy setting

getCMPUnknown

public java.lang.Boolean getCMPUnknown()

Returns the cd_cmp_unknown policy setting from the policy certificate. If the policy certificate does not contain the cd_cmp_unknown setting, null is returned.

Indicates if unknown extensions in CMP messages are used.

Returns:

the cd_cmp_unknown certificate-definition policy setting

isCMPEnforce

public boolean isCMPEnforce()

Returns the cd_cmp_enforce policy setting from the policy certificate. If the policy certificate does not contain the cd_cmp_enforce setting, a default value of false is returned.

Indicates if client policy is enforced.

Returns:

the cd_cmp_enforce certificate-definition policy setting

isCMPLatestSign

public boolean isCMPLatestSign()

Returns the cd_cmp_latest_sign policy setting from the policy certificate. If the policy certificate does not contain the cd_cmp_latest_sign setting, a default value of true is returned.

Indicates if only the latest certificate can be used for CMP signing.

Returns:

the cd_cmp_latest_sign certificate-definition policy setting

isCMPSignCMP

public boolean isCMPSignCMP()

Returns the cd_cmp_sign_cmp policy setting from the policy certificate. If the policy certificate does not contain the cd_cmp_sign_cmp setting, a default value of false is returned.

Indicates if these certificates can be used to sign CMP messages.

Returns:

the cd_cmp_sign_cmp certificate-definition policy setting

isCMPPublish

public boolean isCMPPublish()

Returns the cd_cmp_publish policy setting from the policy certificate. If the policy certificate does not contain the cd_cmp_publish setting, a default value of false is returned.

Indicates if the PKI should use the CMP publish flag.

Returns:

the cd_cmp_publish certificate-definition policy setting

getKeyType

public java.lang.String getKeyType()

Returns the cd_key_type policy setting from the policy certificate. If the policy certificate does not contain the cd_key_type setting, null is returned.

Indicates what kind of key should be created. Allowed values are:

• RSA-1024
• RSA-2048
• RSA-4096
• RSA-6144
• DSA-1024
• ECDSA

Returns:

the cd_key_type certificate-definition policy setting

isKeyBackup

public boolean isKeyBackup()

Returns the cd_key_backup policy setting from the policy certificate. If the policy certificate does not contain the cd_key_backup setting, a default value of false is returned.

Indicates if private keys should be backed up.

Returns:

the cd_key_backup certificate-definition policy setting

isKeyClientGen

public boolean isKeyClientGen()

Returns the cd_key_clientgen policy setting from the policy certificate. If the policy certificate does not contain the cd_key_clientgen setting, a default value of true is returned.

Indicates if keys should be generated by the client.

Returns:

the cd_key_clientgen certificate-definition policy setting

getKeyUsage

public java.lang.String getKeyUsage()

Returns the cd_key_usage policy setting from the policy certificate. If the policy certificate does not contain the cd_key_usage setting, a default value of "both" is returned.

Indicates what the keys are going to be used for. Possible values are:

• encryption: keys used for encryption only
• verification: keys used for verification only
• both: keys used for both encryption and verification

Returns:

the cd_key_usage certificate-definition policy setting

getKeyCSP

public java.lang.String getKeyCSP()

Returns the cd_key_csp policy setting from the policy certificate. If the policy certificate does not contain the cd_key_csp setting, null is returned.

Lists the name of the CSP that will manager the user’s keys. If no value is given, the application will use its default CSP.

Returns:

the cd_key_csp certificate-definition policy setting

isKeyCSPProtect

public boolean isKeyCSPProtect()

Returns the cd_key_csp_protect policy setting from the policy certificate. If the policy certificate does not contain the cd_key_csp_protect setting, a default value of true is returned.

Indicates if keys stored in a CSP should be stored protected or not.

Returns:

the cd_key_csp_protect certificate-definition policy setting

isKeyCSPForSCLO

public boolean isKeyCSPForSCLO()

Returns the Key is for SmartCard Logon policy setting from the policy certificate. If the policy certificate does not contain the setting, a default value of false is returned.

Indicates if a signing keypair can be used for Windows Smart Card Logon.

Returns:

the cd_key_csp_protect certificate-definition policy setting

isKeyCSPExport

public boolean isKeyCSPExport()

Returns the cd_key_csp_export policy setting from the policy certificate. If the policy certificate does not contain the cd_key_csp_export setting, a default value of false is returned.

Indicates if keys stored in a CSP should be marked so that they can be exported or not.

Returns:

the cd_key_csp_export certificate-definition policy setting

getPivContainer

public java.lang.String getPivContainer()

Returns the cd_piv_container policy setting from the policy certificate. If the policy certificate does not contain the cd_piv_container setting, a default value of null is returned.

Indicates the PIV container that should be used for storing the key. The following values are possible:

None	This certificate definition does not represent a PIV key/certificate
PivAuth	This certificate definition represents the "PIV Authentication" key/certificate
CardAuth	This certificate definition represents the "Card Authentication" key/certificate
DigSig	This certificate definition represents the "Digital Signature" key/certificate
KeyMgmt	This certificate definition represents the "Key Management" key/certificate

Returns:

the cd_piv_container certificate-definition policy setting

Since:

8.0

getUpdPercent

public int getUpdPercent()

Returns the cd_upd_percent policy setting from the policy certificate. If the policy certificate does not contain the cd_upd_percent setting, a default value of '0'.

Specifies the percent of the certificates lifetime that should pass before the client tries to update the key pair. If a value of 0 is specified, the client should use the default behaviour (i.e., 50% of the private key lifetime capped at a maximum of 100 days before the end of lifetime).

Returns:

the cd_upd_percent certificate-definition policy setting

isUpdDateEnabled

public boolean isUpdDateEnabled()

Returns the cd_upd_date_enabled policy setting from the policy certificate. If the policy certificate does not contain the cd_upd_date_enabled setting, a default value of false is returned.

Indicates to the client if it should check the certificates against the update date to see if they need to be updated. A value of true indicates that the check should be performed.

Returns:

the cd_upd_date_enabled certificate-definition policy setting

getUpdDate

public java.util.Date getUpdDate()

Returns the cd_upd_date policy setting from the policy certificate. If the policy certificate does not contain the cd_upd_date setting, null is returned.

Contains a date. The client should perform a key update on any key pairs whose latest certificate was issued before the given date. If the date is in the future w.r.t the client’s current time, the client should ignore the date and not use it to check for any certificates that need to be updated.

Returns:

the cd_upd_date certificate-definition policy setting

toString

public java.lang.String toString()

Creates a text representation of the certificate-definition information, including the values of each of the known policy settings (any policy setting that has an accessor API).

Overrides:

toString in class java.lang.Object

Returns:

a text representation of the certificate-definition information

getEncodedCertDefnPolicyCert

public byte[] getEncodedCertDefnPolicyCert()

Gets the DER-encoded certificate definition policy certificate.

Returns:

the DER-encoded certificate definition policy certificate; null when there is no policy certificate associated with this certificate definition policy

Since:

8.0