iaik.x509.attr

Class AttributeCertificate

java.lang.Object

java.security.cert.Certificate

iaik.x509.attr.AttributeCertificate

All Implemented Interfaces:

ASN1Type, java.io.Serializable, java.security.cert.X509Extension

public class AttributeCertificate
extends java.security.cert.Certificate
implements ASN1Type, java.io.Serializable, java.security.cert.X509Extension

This class represents an attribute certificate, as specified by PKIX Internet Attribute Certificate Profile.

Attribute Certificates (see draft-ietf-pkix-ac509prof-06.txt) do not contain a public key, rather they bind some kind of property to some entity.
An attribute certificate (AC) may contain attributes that specify group membership, role, security clearance, or other authorization information associated with the AC holder. *

A public key certificate (PKC) can be considered to be like a passport: it identifies the holder, tends to last for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process.

Authorization information may be placed in a PKC extension or placed in a separate attribute certificate (AC). The placement of authorization information in PKCs is usually undesirable for two reasons. First, authorization information often does not have the same lifetime as the binding of the identity and the public key. When authorization information is placed in a PKC extension, the general result is the shortening of the PKC useful lifetime. Second, the PKC issuer is not usually authoritative for the authorization information. This results in additional steps for the PKC issuer to obtain authorization information from the authoritative source.
For these reasons, it is often better to separate authorization information from the PKC. Yet, authorization information also needs to be bound to an identity. An AC provides this binding; it is simply a digitally signed (or certified) identity and set of attributes.
An AC may be used with various security services, including access control, data origin authentication, and non-repudiation.
PKCs can provide an identity to access control decision functions. However, in many contexts the identity is not the criterion that is used for access control decisions, rather the role or group- membership of the accessor is the criterion used. Such access control schemes are called role-based access control.
When making an access control decision based on an AC, an access control decision function may need to ensure that the appropriate AC holder is the entity that has requested access. One way in which the linkage between the request or identity and the AC can be achieved is the inclusion of a reference to a PKC within the AC and the use of the private key corresponding to the PKC for authentication within the access request.

The PKIX attribute certificate format is defined as an ASN.1 SEQUENCE structure containing the following components:

 AttributeCertificate ::= SEQUENCE {
   acinfo               AttributeCertificateInfo,
   signatureAlgorithm   AlgorithmIdentifier,
   signatureValue       BIT STRING
 }
 

where signatureAlgorithm identifies the signature algorithm used by the issuer for computing the digital signature upon the ASN.1 DER encoded AttributeCertificateInfo structure, which itself is expressed as ASN.1 SEQUENCE structure specifying holder and issuer of the AC, signature algorithm (the same as specified in Certificate above), version and serial numbers, validity period, attributes and optionally unique identifier of the issuer and certificate extensions:

 AttributeCertificateInfo ::= SEQUENCE {
   version                 AttCertVersion DEFAULT v1,
   holder                  Holder,
   issuer                  AttCertIssuer,
   signature               AlgorithmIdentifier,
   serialNumber            CertificateSerialNumber,
   attrCertValidityPeriod  AttCertValidityPeriod,
   attributes              SEQUENCE OF Attribute,
   issuerUniqueID          UniqueIdentifier OPTIONAL,
   extensions              Extensions OPTIONAL
 }
 

where:

 AttCertVersion  ::=  INTEGER  {  v1(0), v2(1)  }
 

 Holder ::= SEQUENCE {
   baseCertificateID   [0] IssuerSerial OPTIONAL,
                       -- the issuer and serial number of
                       -- the holder's Public Key Certificate
   entityName          [1] GeneralNames OPTIONAL,
                      -- the name of the claimant or role
   objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
                      -- if present, version must be v2 }
 

 AttCertIssuer ::= CHOICE {
   v1Form   GeneralNames,  -- v1 or v2
   v2Form   [0] V2Form     -- v2 only  }
 

 V2Form ::= SEQUENCE {
   issuerName            GeneralNames  OPTIONAL,
   baseCertificateID     [0] IssuerSerial  OPTIONAL,
   objectDigestInfo      [1] ObjectDigestInfo  OPTIONAL
          -- at least one of issuerName, baseCertificateID
          -- or objectDigestInfo MUST be present }
 

 AlgorithmIdentifier  ::=  SEQUENCE  {
   algorithm               OBJECT IDENTIFIER,
   parameters              ANY DEFINED BY algorithm OPTIONAL  }
 

 CertificateSerialNumber  ::=  INTEGER
 

 AttCertValidityPeriod ::= SEQUENCE {
   notBeforeTime  GeneralizedTime,
   notAfter       GeneralizedTime }
 

 Attribute ::= SEQUENCE {
   type      AttributeType,
   values    SET OF AttributeValue
     -- at least one value is required }
 

 AttributeType ::= OBJECT IDENTIFIER
 

 AttributeValue ::= ANY DEFINED BY AttributeType
 

 UniqueIdentifier  ::=  BIT STRING
 

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }
 

For a detailled description of the several fields refer to draft-ietf-pkix-ac509prof-06.txt

For each value extists a set<Value> and a get<Value> method.

After creating a new attribute certificate by means of the default constructor, setting AC holder and AC issuer, setting validity period and serial number, and adding any attribute and extension to be included, finally the certificate can be signed with the private key of the issuer.

The AttributeCertificate(byte[]) and AttributeCertificate(InputStream) constructors may be used for parsing an AttributeCertificate from its DER encoding.

See Also:

X509Extensions, V3Extension, UnknownExtension, Holder, AttCertIssuer, Attribute, Serialized Form

Nested Class Summary

Nested classes/interfaces inherited from class java.security.cert.Certificate

java.security.cert.Certificate.CertificateRep

Constructor Summary

Constructors

Constructor and Description
AttributeCertificate() Default constructor for creating a new empty attribute certificate.
AttributeCertificate(byte[] array) Creates an AttributeCertificate form a PEM or DER byte array.
AttributeCertificate(java.io.InputStream is) Creates an AttributeCertificate from an input stream.

Method Summary

Methods

Modifier and Type	Method and Description
void	addAttribute(Attribute attribute) Adds one Atribute to this attribute certificate.
void	addExtension(V3Extension e) Adds the given X509v3 extension.
void	checkValidity() Checks if this attribute certificate currently is valid.
void	checkValidity(java.util.Date date) Checks if this attribute certificate would be valid at the given date value.
int	countExtensions() Returns the number of extensions included into this certificate.
void	decode(ASN1Object obj) Creates an AttributeCertificate from an ASN1Object.
void	decode(java.io.InputStream is) Decodes an AttributeCertificate from an inputstream.
byte[]	getAcInfo() Returns the DER encoded AttributeCertificateInfo ASN.1 data structure of this attribute certificate.
Attribute	getAttribute(ObjectID type) Gets all the Atributes matching to a specific type (object identifier).
java.util.Enumeration	getAttributes() Gets the Atributes of this CertificateRequest.
java.util.Set	getCriticalExtensionOIDs() Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this attribute certificate.
byte[]	getEncoded() Returns this attribute certificate as DER encoded ASN.1 data structure
V3Extension	getExtension(ObjectID oid) Returns a specific extension, identified by its object identifier.
byte[]	getExtensionValue(java.lang.String oid) Returns a byte array representing the DER encoding of the extension value identified by the passed-in OID string.
byte[]	getFingerprint() Returns the fingerprint of this certificate.
byte[]	getFingerprint(java.lang.String digestAlgorithm) Returns the fingerprint of this certificate calculated with the given hash algorithm.
Holder	getHolder() Returns the Holder of this attribute certificate.
AttCertIssuer	getIssuer() Returns the Issuer of this attribute certificate.
boolean[]	getIssuerUniqueID() Returns the issuer unique identifier of this certificate, or null if no IssuerUniqueID is specified by this certificate.
java.util.Set	getNonCriticalExtensionOIDs() Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this attribute certificate.
java.util.Date	getNotAfterTime() Returns the notAfterTime value of this certificate.
java.util.Date	getNotBeforeTime() Returns the notBeforeTime value of this certificate.
java.security.PublicKey	getPublicKey() Returns null!!!!
java.math.BigInteger	getSerialNumber() Returns the serial number of this certificate as BigInteger.
java.lang.String	getSigAlgName() Returns the name of the signature algorithm used by the issuer for signing this certificate.
java.lang.String	getSigAlgOID() Returns the OID of the signature algorithm used by the issuer for signing this certificate.
byte[]	getSigAlgParams() Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this certificate.
byte[]	getSignature() Returns the signature value of this certificate.
AlgorithmID	getSignatureAlgorithm() Returns the signature algorithm of this certificate.
int	getVersion() Returns the version number of this certificate as int.
boolean	hasExtensions() Checks, if there are any extensions included into this certificate.
boolean	hasUnsupportedCriticalExtension() Returns true if there are unsupported critical extensions.
java.util.Enumeration	listExtensions() Returns an enumeration of all extensions included in this attribute certificate.
void	removeAllAttributes() Removes all attributes included.
void	removeAllExtensions() Removes all extensions from this attribute certificate.
Attribute	removeAttribute(ObjectID type) Removes the attribute of the given type, if present.
boolean	removeExtension(ObjectID oid) Removes the extension specified by its object identifier.
void	setAttributes(Attribute[] attributes) Sets the Atributes of this Attribute certificate.
void	setHolder(Holder holder) Sets the Holder of this attribute certificate.
void	setIssuer(AttCertIssuer issuer) Sets the issuer of this attribute certificate.
void	setIssuerUniqueID(boolean[] id) Sets the issuer unique ID for this certificate.
void	setNotAfterTime(java.util.Date validNotAfter) Sets the notAfterTime value of this certificate.
void	setNotBeforeTime(java.util.Date validNotBefore) Sets the notBeforeTime value of this atttribute certificate.
void	setSerialNumber(java.math.BigInteger serialNumber) Sets the serial number of this certificate.
void	setSignatureAlgorithm(AlgorithmID signatureAlg) Sets the signature algorithm to be used for signing.
void	sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK) Signs the attribute certificate with the private key of the issuer.
ASN1Object	toASN1Object() Returns this attribute certificate as an ASN1Object.
byte[]	toByteArray() Returns this attribute certificate as DER encoded ASN.1 data structure.
java.lang.String	toString() Returns a string that represents the contents of the certificate.
java.lang.String	toString(boolean detailed) Returns a string that represents the contents of the certificate.
void	verify(java.security.interfaces.DSAPublicKey key, java.security.spec.DSAParameterSpec dsaParams) Uses the given public DSA key and DSA parameters to verify this certificate.
void	verify(java.security.PublicKey key) Verifies a certificate using the given public key.
void	verify(java.security.PublicKey key, java.lang.String sigProvider) Uses the given public key to verify a certificate based on a signature algorithm supplied by the specified provider.
void	writeTo(java.io.OutputStream os) Writes this attribute certificate DER encoded to the given output stream.

Methods inherited from class java.security.cert.Certificate

equals, getType, hashCode, writeReplace

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

AttributeCertificate

public AttributeCertificate()

Default constructor for creating a new empty attribute certificate.

Any value may be set using the corrseponding set<Value> method. According to the Internet Attribute Certificate Profile for Authorization presented in draft-ietf-pkix-ac509prof-06.txt the version number is set to 2 indicating a Version 2 attribute certificate. Note that this is not the default version number (1).

AttributeCertificate

public AttributeCertificate(java.io.InputStream is)
                     throws java.io.IOException,
                            java.security.cert.CertificateException

Creates an AttributeCertificate from an input stream.

The supplied attribute certificate can be in PEM or DER format. This constructor reads and decodes an AttributeCertificate that may have been previously written (encoded) by calling method writeTo(OutputStream).

For instance:

 InputStream fis = new FileInputStream("cert.der");
 AttributeCertificate cert = new AttributeCertificate(fis);
 fis.close();
 

Parameters:

is - InputStream from which to create the certificate

Throws:

java.io.IOException - if the certificate cannot not be read

java.security.cert.CertificateException - if the certificate cannot be parsed

AttributeCertificate

public AttributeCertificate(byte[] array)
                     throws java.security.cert.CertificateException

Creates an AttributeCertificate form a PEM or DER byte array.

This constructor may be used for parsing an already exisiting AttributeCertifcate ASN.1 object, supplied as DER encoded byte array, which may have been created by calling the toByteArray or the getEncoded method.

Parameters:

array - the byte array containing the DER encoded certificate

Throws:

java.security.cert.CertificateException - if the format of the cert is wrong

Method Detail

decode

public void decode(ASN1Object obj)
            throws CodingException

Creates an AttributeCertificate from an ASN1Object.

The given ASN1Object represents an already existing AttributeCertificate which may have been created by calling the toASN1Object method.

Specified by:

decode in interface ASN1Type

Parameters:

obj - the attribute certificate as ASN1Object

Throws:

CodingException - if there is a problem when parsing the certificate

decode

public void decode(java.io.InputStream is)
            throws java.io.IOException,
                   java.security.cert.CertificateException

Decodes an AttributeCertificate from an inputstream. The given InputStream supplies the certificate in DER or PEM encoded format. This method internally is called when creating a AttributeCertificate from an InputStream.

Parameters:

is - the InputStream from where the encoded certificate shall be read

Throws:

java.io.IOException - if an I/O error occurs

java.security.cert.CertificateException - if the certificate cannot be parsed

sign

public void sign(AlgorithmID signatureAlg,
        java.security.PrivateKey issuerPK)
          throws java.security.cert.CertificateException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException

Signs the attribute certificate with the private key of the issuer.

Parameters:

signatureAlg - the AlgorithmID of the signature algorithm

issuerPK - the private key of the issuer

Throws:

java.security.cert.CertificateException - if the certificate could not be signed

java.security.InvalidKeyException - if the format of the key is wrong

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

checkValidity

public void checkValidity(java.util.Date date)
                   throws java.security.cert.CertificateExpiredException,
                          java.security.cert.CertificateNotYetValidException

Checks if this attribute certificate would be valid at the given date value.

Attribute certificates have a limited period of validity prescribed by the notBeforeTime and notAfterTime values. This method just checks if the given date/time value lies between notBeforeTime and notAfterTime and throws an exception if this does not come true.

Throws:

java.security.cert.CertificateExpiredException - if the certificate alreay has expired or the notAfterTime value yet has not been set

java.security.cert.CertificateNotYetValidException - if the certificate yet is not valid or the notBeforeTime value yet has not been set

See Also:

checkValidity(java.util.Date)

checkValidity

public void checkValidity()
                   throws java.security.cert.CertificateExpiredException,
                          java.security.cert.CertificateNotYetValidException

Checks if this attribute certificate currently is valid. Certificates have a limited period of validity prescribed by the notBeforeTime and notAfterTime values:

 AttCertValidityPeriod ::= SEQUENCE {
    notBeforeTime      GeneralizedTime,
    notAfterTime       GeneralizedTime }
 

The notBeforeTime and notAfterTime time values can be set by using the setValidNotBeforeTime and setValidNotAfterTime methods.

This checkValidity method only calls checkValidity(Date) with the current date to check if it lies between the two time values specified by notBeforeTime and notAfterTime.

Throws:

java.security.cert.CertificateExpiredException - if the certificate already has expired

java.security.cert.CertificateNotYetValidException - if the certificate is yet not valid

See Also:

GeneralizedTime

getEncoded

public byte[] getEncoded()
                  throws java.security.cert.CertificateEncodingException

Returns this attribute certificate as DER encoded ASN.1 data structure

Specified by:

getEncoded in class java.security.cert.Certificate

Returns:

a byte array holding the DER encoded attribute certificate ASN.1 data structure

Throws:

java.security.cert.CertificateEncodingException - if the certificate cannot be encoded correctly

getVersion

public int getVersion()

Returns the version number of this certificate as int. The version number may specify a v1 or v2 attribute certificate.

ASN.1 definition:

 AttCertVersion  ::=  INTEGER  {  v1(0), v2(1) }
 

Returns:

version number of the certificate as int, 1 for a v1 cert, 2 for a v2 cert

getSerialNumber

public java.math.BigInteger getSerialNumber()

Returns the serial number of this certificate as BigInteger. Attribute certificates are labelled with positive serial numbers by the issuing certification authority for unequivocally identifying them:

ASN.1 definition:

 CertificateSerialNumber  ::=  INTEGER
 

Returns:

the serial number of this certificate as BigInteger

getIssuer

public AttCertIssuer getIssuer()

Returns the Issuer of this attribute certificate.

The issuer of an attribute certificate either may be represented as V1Form or as V2Form:

 AttCertIssuer ::= CHOICE {
    v1Form   GeneralNames,  -- v1 or v2
    v2Form   [0] V2Form     -- v2 only
 }
 

Attribute certifcates conforming to the Internet Attribute Certificate Profile for Authorization presented in draft-ietf-pkix-ac509prof-06.txt are not allowed to use the V2Form choice for representing the issuer:

 V2Form ::= SEQUENCE {
   issuerName            GeneralNames  OPTIONAL,
   baseCertificateID     [0] IssuerSerial  OPTIONAL,
   objectDigestInfo      [1] ObjectDigestInfo  OPTIONAL
           -- at least one of issuerName, baseCertificateID
           -- or objectDigestInfo MUST be present
 }
 

They must use the V1Form choice, which must contain one and only one GeneralName, which must contain a non-empty distinguished name in the directoryName field. This means that all AC issuers must have non-empty distinguished names:
Part of the reason for the use of the v1Form field is that it means that the AC issuer does not have to know which PKC the AC verifier will use for it (the AC issuer). Using the baseCertificateID field to reference the AC issuer would mean that the AC verifier would have to trust the PKC that the AC issuer chose (for itself) at AC creation time.

Use class GeneralNames for creating a V1Form attCertIssuer holding a directoryName to be set as the issuer of an AttributeCertificate:

 Name issuerName = ...;
 V1Form v1Form = new V1Form(issuerName);
 attributeCertificate.setIssuer(v1Form);
 

Returns:

the issuer of this certificate

See Also:

AttCertIssuer, V1Form, V2Form

getHolder

public Holder getHolder()

Returns the Holder of this attribute certificate. The Internet Attribute Certificate Profile for Authorization specifies the Holder type for identifying the entity to which the AttributeCertificate belongs:

 Holder ::= SEQUENCE {
    baseCertificateID   [0] IssuerSerial OPTIONAL,
                        -- the issuer and serial number of
                        -- the holder's Public Key Certificate
    entityName          [1] GeneralNames OPTIONAL,
                        -- the name of the claimant or role
    objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
                        -- if present, version must be v2
 }
 

For any environment where the AC is passed in an authenticated message or session and where the authentication is based on the use of an X.509 public key certificate, the holder should be identified by means of a baseCertificateID pointing to the right X.509 public key certificate by issuer name and issuer-specific serial number, e.g.:

 X509Certificate baseCert = ...;
 IssuerSerial baseCertificateID = new IssuerSerial(baseCert);
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCertificateID);
 attributeCertificate.setHolder(holder);
 

If the holder field uses the entityName option and the underlying authentication is based on a PKC, then the entityName MUST be the same as the PKC subject field or one of the values of the PKC subjectAltName field extension (if present), e.g.:

 X509Certificate cert = ...;
 Name subject = (Name)cert.getSubjectDN();
 GeneralName subjectName = new GeneralName(GeneralName.directoryName, subject);
 GeneralNames entityName = new GeneralNames(subjectName);
 Holder holder = new Holder();
 holder.setEntityName(entityName);
 attributeCertificate.setHolder(holder);
 

The ObjectDigestInfo component may be used for linking the AC to an object by placing a hash of that object into the holder field of the AC. For example, this allows production of ACs that are linked to public keys rather than names (see draft-ietf-pkix-ac509prof-06.txt for more information):

 // the public key to which to link the AC:
 PublicKey publicKey = ...;
 // the digest algorithm to use
 AlgorithmID digestAlgorithm = ...;
 ObjectDigestInfo odi = new ObjectDigestInfo(publicKey, digestAlgorithm);
 Holder holder = new Holder();
 holder.setObjectDigestInfo(odi);
 attributeCertificate.setHolder(holder);
 

Returns:

the holder of this attribute certificate

See Also:

Holder, IssuerSerial, ObjectDigestInfo, GeneralNames

getPublicKey

public java.security.PublicKey getPublicKey()

Returns null!!!!

Attention!!! This method anytime returns null since a Attribute Certificate does not contain a public key. This method only is included because inherited from java.security.cert.Certificate which is the highest JCA "cerrificate level" and extended by this class to incorporate attribute certificates into the JCA certificate management.

Specified by:

getPublicKey in class java.security.cert.Certificate

Returns:

null

getNotBeforeTime

public java.util.Date getNotBeforeTime()

Returns the notBeforeTime value of this certificate.

The notBeforeTime value denotes the date on which the certificate becomes valid and can be set using the setNotBeforeTime method.

Returns:

the date on which this certificate becomes valid, or null if the notBefore date has yet not been set

See Also:

checkValidity(java.util.Date)

getNotAfterTime

public java.util.Date getNotAfterTime()

Returns the notAfterTime value of this certificate.

The notAfterTime value denotes the date on which the certificate´s validity expires. The notAfterTime date can be set using the setNotAfterTime method.

Returns:

the date on which the certificate´s validity expires, or null if the notAfter date has yet not been set

See Also:

checkValidity(java.util.Date)

getAcInfo

public byte[] getAcInfo()
                 throws java.security.cert.CertificateEncodingException

Returns the DER encoded AttributeCertificateInfo ASN.1 data structure of this attribute certificate.

 AttributeCertificateInfo ::= SEQUENCE {
    version              AttCertVersion DEFAULT v1,
    holder               Holder,
    issuer               AttCertIssuer,
    signature            AlgorithmIdentifier,
    serialNumber         CertificateSerialNumber,
    attrCertValidityPeriod   AttCertValidityPeriod,
    attributes           SEQUENCE OF Attribute,
    issuerUniqueID       UniqueIdentifier OPTIONAL,
    extensions           Extensions OPTIONAL
 }
 

Returns:

the inherent AttributeCertificateInfo as DER encoded ASN.1 structure

Throws:

java.security.cert.CertificateEncodingException - if an encoding error occurs

setSignatureAlgorithm

public void setSignatureAlgorithm(AlgorithmID signatureAlg)

Sets the signature algorithm to be used for signing. This method only provides a way for setting the signature algorithm if an application wants to call getAcInfo before signing the cert. When using this fearure an application itsself is responsible to ensure that the signature algorithm specified by this method is equal to that supplied to the sign(AlgorithmID, PrivateKey) method when finally signing the certificate.

Parameters:

signatureAlg - the signature algorithm to be used for signing

getSignature

public byte[] getSignature()

Returns the signature value of this certificate. The signature is defined as an ASN.1 BIT STRING structure. This method returns the inherent signature value as byte array.

Returns:

the signature value as byte array

getSigAlgName

public java.lang.String getSigAlgName()

Returns the name of the signature algorithm used by the issuer for signing this certificate.

Returns:

the name of the signature algorithm, e.g. "md5WithRSAEncryption", or null if the signature algorithm yet has not been set

getSigAlgOID

public java.lang.String getSigAlgOID()

Returns the OID of the signature algorithm used by the issuer for signing this certificate. An object identifier consists of a sequence of integer components and is used for identifying, e.g. the signature algorithm used for this certificate. This method returns the OID in String representation, e.g. "1.2.840.113549.1.1.4"

Returns:

the OID of the signature algorithm as String representation, or null if the signature algorithm yet has not been set

See Also:

ObjectID, AlgorithmID

getSigAlgParams

public byte[] getSigAlgParams()

Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this certificate. The parameters are returned as DER encoded ASN.1 data structure.

Returns:

the signature algorithm parameters as DER encoded ASN.1 data structure, or null if there are no parameters used or the signature algorithm yet has been not set

getIssuerUniqueID

public boolean[] getIssuerUniqueID()

Returns the issuer unique identifier of this certificate, or null if no IssuerUniqueID is specified by this certificate.

An IssuerUniqueID only may be included if the attribute certificate is linked to a public key certificate (PKC) and this PKC contains the issuer unique id. In this case the issuer unique ids of PKC and corresponding AC have to be the same.

The issuer unique identifier is defined as ASN.1 BIT STRING structure:

 UniqueIdentifier  ::=  BIT STRING
 

This method scans the issuer unique identifier and returns it as an array of boolean values.

Returns:

the IssuerUniqueID of this certificate as array of booleans, or null if no issuer unique identifier is speciifed

verify

public void verify(java.security.PublicKey key,
          java.lang.String sigProvider)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Uses the given public key to verify a certificate based on a signature algorithm supplied by the specified provider.

Specified by:

verify in class java.security.cert.Certificate

Parameters:

key - the public key (of the issuer) to verify the cert

sigProvider - the name of the provider supplying the signature algorithm

Throws:

java.security.cert.CertificateException - if an encoding error occurs

java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert

java.security.InvalidKeyException - if the format of the public key is wrong

java.security.NoSuchProviderException - if there is no such provider

java.security.SignatureException - if the signature does not verify

verify

public void verify(java.security.PublicKey key)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Verifies a certificate using the given public key.

This method only calls verify(PublicKey, String) setting the provider name to null for relying on the default provider signature architecture.

Specified by:

verify in class java.security.cert.Certificate

Parameters:

key - the public key of the issuer

Throws:

java.security.cert.CertificateException - if an encoding error occurs

java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert

java.security.InvalidKeyException - if the format of the public key is wrong

java.security.NoSuchProviderException - if there is no default provider

java.security.SignatureException - if the signature does not verify

verify

public void verify(java.security.interfaces.DSAPublicKey key,
          java.security.spec.DSAParameterSpec dsaParams)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Uses the given public DSA key and DSA parameters to verify this certificate.

Attention! This method only may be used to verify a certificate that has been signed with the DSA algorithm and the public DSA key now used for verification does not contain the DSA parameters. Additionally this method only can be used with the Entrust provider.

Parameters:

key - the public DSA key (of the issuer) to verify the cert

dsaParams - the DSA parameters provided by other means

Throws:

java.security.cert.CertificateException - if an encoding error occurs

java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this cert

java.security.InvalidKeyException - if the format of the public key is wrong

java.security.NoSuchProviderException - if there is no such provider

java.security.SignatureException - if the signature does not verify

toASN1Object

public ASN1Object toASN1Object()

Returns this attribute certificate as an ASN1Object.

Specified by:

toASN1Object in interface ASN1Type

Returns:

this attribute certificate as ASN1Object

toByteArray

public byte[] toByteArray()

Returns this attribute certificate as DER encoded ASN.1 data structure.

Returns:

this attribute certificate in a byte array in DER format

writeTo

public void writeTo(java.io.OutputStream os)
             throws java.io.IOException

Writes this attribute certificate DER encoded to the given output stream.

Parameters:

os - the output stream where the certifiacte shall be written to

Throws:

java.io.IOException - if an I/O error occurs

setSerialNumber

public void setSerialNumber(java.math.BigInteger serialNumber)

Sets the serial number of this certificate.

Parameters:

serialNumber - the serial number of the certificate as BigInteger

See Also:

getSerialNumber()

setIssuer

public void setIssuer(AttCertIssuer issuer)

Sets the issuer of this attribute certificate.

The issuer of an attribute certificate either may be represented as V1Form or as V2Form:

 AttCertIssuer ::= CHOICE {
    v1Form   GeneralNames,  -- v1 or v2
    v2Form   [0] V2Form     -- v2 only
 }
 

Attribute certifcates conforming to the Internet Attribute Certificate Profile for Authorization presented in draft-ietf-pkix-ac509prof-06.txt are not allowed to use the V2Form choice for representing the issuer:

 V2Form ::= SEQUENCE {
   issuerName            GeneralNames  OPTIONAL,
   baseCertificateID     [0] IssuerSerial  OPTIONAL,
   objectDigestInfo      [1] ObjectDigestInfo  OPTIONAL
           -- at least one of issuerName, baseCertificateID
           -- or objectDigestInfo MUST be present
 }
 

They must use the V1Form choice, which must contain one and only one GeneralName, which must contain a non-empty distinguished name in the directoryName field. This means that all AC issuers must have non-empty distinguished names:
Part of the reason for the use of the v1Form field is that it means that the AC issuer does not have to know which PKC the AC verifier will use for it (the AC issuer). Using the baseCertificateID field to reference the AC issuer would mean that the AC verifier would have to trust the PKC that the AC issuer chose (for itself) at AC creation time.

Use class GeneralNames for creating a V1Form attCertIssuer holding a directoryName to be set as the issuer of an AttributeCertificate:

 Name issuerName = ...;
 V1Form v1Form = new V1Form(issuerName);
 attributeCertificate.setIssuer(v1Form);
 

See Also:

AttributeCertificate#getIssuerDN, AttCertIssuer, V1Form, V2Form

setNotBeforeTime

public void setNotBeforeTime(java.util.Date validNotBefore)

Sets the notBeforeTime value of this atttribute certificate.

For instance:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 cert.setNotBeforeTime(date.getTime());
 

The certificate is not valid before this Date.

Parameters:

validNotBefore - Date when cert will become valid

See Also:

getNotBeforeTime()

setNotAfterTime

public void setNotAfterTime(java.util.Date validNotAfter)

Sets the notAfterTime value of this certificate.

For instance:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 date.add(Calendar.MONTH, 6);
 cert.setNotAfterTime(date.getTime());
 

The certificate will expire at this Date.

Parameters:

validNotAfter - Date on which the certificate will expire

See Also:

getNotAfterTime()

setHolder

public void setHolder(Holder holder)

Sets the Holder of this attribute certificate. The Internet Attribute Certificate Profile for Authorization specifies the Holder type for identifying the entity to which the AttributeCertificate belongs:

 Holder ::= SEQUENCE {
    baseCertificateID   [0] IssuerSerial OPTIONAL,
                        -- the issuer and serial number of
                        -- the holder's Public Key Certificate
    entityName          [1] GeneralNames OPTIONAL,
                        -- the name of the claimant or role
    objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
                        -- if present, version must be v2
 }
 

For any environment where the AC is passed in an authenticated message or session and where the authentication is based on the use of an X.509 public key certificate, the holder should be identified by means of a baseCertificateID pointing to the right X.509 public key certificate by issuer name and issuer-specific serial number, e.g.:

 X509Certificate baseCert = ...;
 IssuerSerial baseCertificateID = new IssuerSerial(baseCert);
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCertificateID);
 attributeCertificate.setHolder(holder);
 

If the holder field uses the entityName option and the underlying authentication is based on a PKC, then the entityName MUST be the same as the PKC subject field or one of the values of the PKC subjectAltName field extension (if present), e.g.:

 X509Certificate cert = ...;
 Name subject = (Name)cert.getSubjectDN();
 GeneralName subjectName = new GeneralName(GeneralName.directoryName, subject);
 GeneralNames entityName = new GeneralNames(subjectName);
 Holder holder = new Holder();
 holder.setEntityName(entityName);
 attributeCertificate.setHolder(holder);
 

The ObjectDigestInfo component may be used for linking the AC to an object by placing a hash of that object into the holder field of the AC. For example, this allows production of ACs that are linked to public keys rather than names (see draft-ietf-pkix-ac509prof-06.txt for more information):

 // the public key to which to link the AC:
 PublicKey publicKey = ...;
 // the digest algorithm to use
 AlgorithmID digestAlgorithm = ...;
 ObjectDigestInfo odi = new ObjectDigestInfo(publicKey, digestAlgorithm);
 Holder holder = new Holder();
 holder.setObjectDigestInfo(odi);
 attributeCertificate.setHolder(holder);
 

Parameters:

holder - the holder of this attribute certificate

See Also:

Holder, IssuerSerial, ObjectDigestInfo, GeneralNames

setIssuerUniqueID

public void setIssuerUniqueID(boolean[] id)

Sets the issuer unique ID for this certificate.

An IssuerUniqueID only may be included if the attribute certificate is linked to a public key certificate (PKC) and this PKC contains the issuer unique id. In this case the issuer unique ids of PKC and corresponding AC have to be the same.

The issuer unique identifier is defined as ASN.1 BIT STRING structure:

 UniqueIdentifier  ::=  BIT STRING
 

Parameters:

id - the unique identifier of the issuer as array of boolean values

See Also:

getIssuerUniqueID()

getSignatureAlgorithm

public AlgorithmID getSignatureAlgorithm()

Returns the signature algorithm of this certificate.

Returns:

the AlgorithmID of the signature algorithm used for signing this certificate

See Also:

AlgorithmID

getFingerprint

public byte[] getFingerprint()

Returns the fingerprint of this certificate. This is a MD5 hash of the DER encoded certificate.

Returns:

the fingerprint of the certificate

getFingerprint

public byte[] getFingerprint(java.lang.String digestAlgorithm)
                      throws java.security.NoSuchAlgorithmException

Returns the fingerprint of this certificate calculated with the given hash algorithm.

Parameters:

digestAlgorithm - the digest algorithm to be used

Returns:

the fingerprint of the certificate

Throws:

java.security.NoSuchAlgorithmException - if the requested algorithm is not supported

toString

public java.lang.String toString()

Returns a string that represents the contents of the certificate.

Specified by:

toString in class java.security.cert.Certificate

Returns:

the string representation

getCriticalExtensionOIDs

public java.util.Set getCriticalExtensionOIDs()

Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this attribute certificate. Extensions can be marked as being critical. If the certificate handling software cannot parse such an extension, the appertaining certifcate has to be rejected. Non-Critical extensions can be ignored, if they cannot be handled (i.e. of unknown state).

Specified by:

getCriticalExtensionOIDs in interface java.security.cert.X509Extension

Returns:

a Set (or an empty Set if none are marked critical) of the extension OID strings for extensions that are marked critical. If there are no extensions present at all, then this method returns null

See Also:

getNonCriticalExtensionOIDs()

getNonCriticalExtensionOIDs

public java.util.Set getNonCriticalExtensionOIDs()

Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this attribute certificate.

Specified by:

getNonCriticalExtensionOIDs in interface java.security.cert.X509Extension

Returns:

a Set (or an empty Set if none are marked non-critical) of the extension OID strings for extensions that are marked non-critical. If there are no extensions present at all, then this method returns null.

See Also:

getCriticalExtensionOIDs()

getExtensionValue

public byte[] getExtensionValue(java.lang.String oid)

Returns a byte array representing the DER encoding of the extension value identified by the passed-in OID string.

The oid string is represented by a set of positive whole numbers separated by periods, e.g. "2.5.29.55" for the ACTargeting extension.

In ASN.1, the Extensions field is defined as a SEQUENCE of Extension:

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }
 

where critical specifies whether an extension has to be treated as being critical or not; the default value is FALSE. An extension can be identified by its object identifier, given in the extnID field. The value of the extension is represented as ASN.1 OCTET STRING data structure in the extnValue field. Only one instance of a particular extension may be present in a particular certificate.

Attention! The byte value returned by this method does not represent the DER encoding of the extnValue (OCTET_STRING) from above; rather it represents the DER encoding of the specific extension´s ASN.1 representation itsself. So, for example, when asking for an ACTargeting extension, the corresponding DER encoded ASN.1 SEQUENCE OF value will be returned:

 Targets ::= SEQUENCE OF Target

 Target  ::= CHOICE {
   targetName          [0] GeneralName,
   targetGroup         [1] GeneralName,
   targetCert          [2] TargetCert
 }

 TargetCert  ::= SEQUENCE {
   targetCertificate    IssuerSerial,
   targetName           GeneralName OPTIONAL,
   certDigestInfo       ObjectDigestInfo OPTIONAL
 }
 

Specified by:

getExtensionValue in interface java.security.cert.X509Extension

Parameters:

oid - the Object Identifier of the extension to be queried for

Returns:

the DER encoded ASN.1 representation of extension value or null if it is not present

addExtension

public void addExtension(V3Extension e)
                  throws X509ExtensionException

Adds the given X509v3 extension.

For reading back some extension, use the getExtension(ObjectID) method.

Parameters:

e - the X509v3 extension to add to the list of extensions

Throws:

X509ExtensionException - if an error occurs while DER encoding the extension

See Also:

V3Extension

removeExtension

public boolean removeExtension(ObjectID oid)

Removes the extension specified by its object identifier.

Parameters:

objectID - the object ID of the extension to remove

Returns:

true if the extension has been successfully removed, false otherwise

removeAllExtensions

public void removeAllExtensions()

Removes all extensions from this attribute certificate.

listExtensions

public java.util.Enumeration listExtensions()

Returns an enumeration of all extensions included in this attribute certificate.

The enumeration returned may contain unknown extensions (instances of UnknownExtension if there are any extensions included in this certificate, for which there exists no registered implementation, and it may contain error extensions (instances of ErrorExtension) indicating extensions which cannot be parsed properly because of some kind of error.

If any extension cannot be parsed properly, an ErrorExtension is created from it and written to the enumeration list returned by this method.

Returns:

an enumeration of the extensions, or null if there are no extensions present at all

hasExtensions

public boolean hasExtensions()

Checks, if there are any extensions included into this certificate.

Returns:

true if there are extensions, false if not

hasUnsupportedCriticalExtension

public boolean hasUnsupportedCriticalExtension()

Returns true if there are unsupported critical extensions.

Specified by:

hasUnsupportedCriticalExtension in interface java.security.cert.X509Extension

Returns:

true, if there are unsupported critical extensions

countExtensions

public int countExtensions()

Returns the number of extensions included into this certificate.

Returns:

the number of extensions

getExtension

public V3Extension getExtension(ObjectID oid)
                         throws X509ExtensionInitException

Returns a specific extension, identified by its object identifier.

If the extension cannot be initialized for some reason, an X509ExtensionInitException is thrown. If the requested extension is an unknown extension, which is not supported by a registered implementation, this method creates and returns an UnknownExtension which may be queried for obtaining as much information as possible about the unknown extension.

Parameters:

objectID - the object ID of the extension

Returns:

the desired extension or null if the requested extension is not present

Throws:

X509ExtensionInitException - if the extension can not be initialized

addAttribute

public void addAttribute(Attribute attribute)

Adds one Atribute to this attribute certificate.

Since only one attribute per attribute type is allowed to be included in an attribute certificate this method replaces an already included attribute of same type with the given attribute.

Note that the attributes have to be set before the certificate is signed with the issuer´s private key!

Parameters:

attribute - the Attribute to add

setAttributes

public void setAttributes(Attribute[] attributes)

Sets the Atributes of this Attribute certificate. The given attributes have to be an array of iaik.asn1.structures.Attribute objects.
Note that the attributes have to be set before the certificate is signed with the issuer´s private key!

Parameters:

attributes - the Attributes to set

removeAllAttributes

public void removeAllAttributes()

Removes all attributes included.

removeAttribute

public Attribute removeAttribute(ObjectID type)

Removes the attribute of the given type, if present.

Parameters:

type - the type OID identifying the attribute in mind

Returns:

the attribute removed or null if no attribute has been removed because no attribute with the given type is present

getAttributes

public java.util.Enumeration getAttributes()

Gets the Atributes of this CertificateRequest. If no Attributes are included, null is returned. Otherwise the atributes are returned as an array of iaik.asn1.structures.Attribute objects:

 Attribute[] attributes = request.getAttributes();
 if (attributes != null) {
   for (int i = 0; i < attributes.length; i++) {
     Attribute attr = attributes[i];
     System.out.println(attr.getType());
     ASN1Object[] asn1Obj = attr.getValue();
     for (int j = 0; j < asn1Obj.length; j++) {
       System.out.println(asn1Obj[j].toString());
     }
   }
 }
 

Returns:

the attributes of this request as array of iaik.asn1.structures.Attribute, or null if there are no attributes included

getAttribute

public Attribute getAttribute(ObjectID type)

Gets all the Atributes matching to a specific type (object identifier). If no Attributes of given type are included, null is returned. Otherwise the matching atributes are returned as an array of iaik.asn1.structures.Attribute objects. The following sample queries if the challangePassword attribute is included:

 Attribute[] attributes = request.getAttributes(ObjectID.challengePassword);
 if (attributes != null) {
   //expected only one:
   Attribute attr = attributes[0];
   System.out.println(attr.getType());
   ASN1Object[] asn1Obj = attr.getValue();
   //again, only one expected:
   System.out.println(asn1Obj[0].getValue());
 }
 

Returns:

all the attributes of given type as array of iaik.asn1.structures.Attribute, or null if there are no attributes of the given type included

toString

public java.lang.String toString(boolean detailed)

Returns a string that represents the contents of the certificate.

Parameters:

detailed - whether or not to give detailed information about the certificate.

Returns:

the string representation