iaik.x509

Class X509NetscapeExtensions

java.lang.Object

iaik.x509.X509NetscapeExtensions

public class X509NetscapeExtensions
extends java.lang.Object

This class is used to deal with X.509v3 certificate and X.509v2 CRL extensions.

The X.509v3 certificate format has been introduced by ISO/IEC and ANSI X9 to add the the Extensions field to the X.509v2 certificate format for including some additional information. Extension support for CRLs has been introduced by the X.509v2 CRL format (see PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt). An extension may be a defined standard extension (e.g. certificatePolicies, keyUsage, ...), or it may be a private extension providing some community-specific information. If an extension is marked as critical, but the certificate handling software cannot parse this extension, the appertaining certifcate has to be rejected. Non-Critical extensions can be ignored, if they cannot be handled (i.e. of unknown state).

In ASN.1, the Extensions field is defined as a SEQUENCE of Extension:

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }
 

where critical specifies whether an extension has to be treated as being critical or not; the default value is FALSE. An extension can be identified by its object identifier, given in the extnID field. The value of the extension is represented as ASN.1 encoded OCTET STRING data structure in the extnValue field. Only one instance of a particular extension may be present in a particular certiifcate.

The X509v3 certificate format presented in the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt recommends that confirming CAs shall support the BasicConstraints, KeyUsage and CertificatePolicies extensions. issuerAltName and subjectAltName extensions have to be supported if certificates with empty issuer/subject fields are issued.

This class consits of two parts:

• a static part: is responsible for registering implementations of extensions
• a dynamic part: manages the extensions

Every class which implements a specific extension must first register itself. The, for instance, IssuerAltName class registers itself as implementation of the IssuerAltName extension by calling the register method with object identifier and implementing runtime class:

  public static ObjectID oid = new ObjectID("2.5.29.18");
  static {
    Class _IssuerAltName = new IssuerAltName().getClass();
    X509Extensions.register(oid, _IssuerAltName);
  }
 

At this time, per default, implementations of the following extensions are registered:

• X.509v3 extensions:
  • AuthorityKeyIdentifier
  • BasicConstraints
  • CertificatePolicies
  • CRLDistributionPoints
  • IssuerAltName
  • KeyUsage
  • NameConstraints
  • PolicyConstraints
  • PolicyMappings
  • PrivateKeyUsagePeriod
  • SubjectAltName
  • SubjectKeyIdentifier

• X.509v2 CRL (entry) extensions:
  • CRLNumber
  • ReasonCode

• Netscape Certificate Extensions:
  • NetscapeBaseUrl
  • NetscapeCaPolicyUrl
  • NetscapeCaRevocationUrl
  • NetscapeCertRenewalUrl
  • NetscapeCertType
  • NetscapeComment
  • NetscapeRevocationUrl
  • NetscapeSSLServerName

The dynamic part of this class provides a variety of useful methods for managing extensions. Most of these methods are, for instance, internally called within the X509Certificate class for adding, accessing and removing extensions of a X509 certificate, or for querying for the properties of included extensions.

This class manages extensions by maintaining two separate hashtables for storing critical and noncritical extensions. When an extension has to be added to one of the two hashtables by calling the addExtension method, the DER encoded value of the extension is put into the corresponding hashtable using the OID of the extension as key. In the same way, when an already existing X509Extensions object is parsed for any included extensions, only their DER encoded values are put into the hashtables. For saving time, the extensions are not actually parsed for their internal structures at this time. Parsing some extension is induced when reading it back from one of the hashtables by calling getExtension(ObjectID). Only at this time actually the appropriate implementation class is instantiated and initialized through the DER encoded extension value derived from the corresponding hashtable. If the initialization process fails for some reason, a X509ExtensionInitException is thrown. If the extension just initialized is an unknown extension (i.e. an extension, for which there exists no registered implementation), an UnknownExtension object is created and returned by the getExtension method to be parsed for obtaining as much information as possible from the unknown extension. When using the listExtensions method for obtaining all the extensions included in the actual X509Extensions object, an enumeration is returned containing an UnknownExtension for any included unknown extension, and an ErrorExtension for any extension which cannot be initialized because it is burdened with some kind of error. Note the difference: Within the IAIK-JCE environment, an unknown extension denotes an extension, for which there exists no registered implementation; whereas an error extension represents an - registered or unknown - erroneous extension which cannot be parsed properly.

See Also:

V3Extension, X509Certificate, RevokedCertificate, X509CRL

Constructor Summary

Constructors

Constructor and Description
X509NetscapeExtensions()

Method Summary

Methods

Modifier and Type	Method and Description
static void	register()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

X509NetscapeExtensions

public X509NetscapeExtensions()

Method Detail

register

public static void register()