iaik.smime.ess
Class SigningCertificateV2

java.lang.Object
  extended by iaik.asn1.structures.AttributeValue
      extended by iaik.smime.ess.ESSAttributeValue
          extended by iaik.smime.ess.SigningCertificate
              extended by iaik.smime.ess.SigningCertificateV2
All Implemented Interfaces:
ASN1Type

public class SigningCertificateV2
extends SigningCertificate

This class implements the S/MIMEv3 ESS SigningCertificateV2 type.

SigningCertificateV2 was introduced by RFC 5035 so that the SigningCertificate attribute can be used with hash algorithms other than SHA-1 (see RFC 5035):

 SigningCertificateV2 ::=  SEQUENCE {
    certs        SEQUENCE OF ESSCertIDv2,
    policies     SEQUENCE OF PolicyInformation OPTIONAL
 }
 
 ESSCertIDv2 ::=  SEQUENCE {
    hashAlgorithm   AlgorithmIdentifier DEFAULT {algorithm id-sha256},
    certHash        Hash,
    issuerSerial    IssuerSerial OPTIONAL
 }

 Hash ::= OCTET STRING

 IssuerSerial ::= SEQUENCE {
    issuer         GeneralNames,
    serialNumber   CertificateSerialNumber
 }

Both the SigningCertificate and the SigningCertificateV2 attribute may be used to include certificate identification information in the signed attributes of a CMS SignerInfo object.

The ESSCertIDv2 type is used for identifying a certificate by cert hash and, optionally, by issuer information and the issuer-specific certificate serial number. PolicyInformations (X.509) are used for indicating the policy under which a certificate has been issued and the purposes for which the certificate may be used.

When creating a SigningCertificateV2, you may either supply the ESSCertIDv2 objects directly or supply certificates and let this class calculate the corresponding ESSCertIDv2 objects, e.g.:

 // the cert used for signing:
 X509Certificate signerCert = ...;
 // the issuer of the signer:
 X509Certificate issuerCert = ...;
 // an attribute certificate:
 AttributeCertificate attributeCert = ...;
 // the certificate of the signer must be the first!
 Certificate[] certs = { signerCert, issuerCert, attributeCert };
 SigningCertificateV2 signingCertificate = new SigningCertificateV2(certs);
 
Use method setPolicies for including any PolicyInformation terms:
 PolicyInformation[] policies = ...;
 signingCertificate.setPolicies(policies);
 
For adding a SigningCertificateV2 to the signed attributes field of a SignerInfo object, use method setSignedAttributes:
 Attribute[] signedAttributes = ...;
 ...
 signedAttributes[i] = new Attribute(signingCertificate);
 ...
 signerInfo.setSignedAttributes(signedAttributes);
 
Use method getSignedAttributeValue for getting the SigningCertificateV2 attribute (if included) from a SignerInfo object:
 SigningCertificateV2 signingCertificate = 
   (SigningCertificateV2)signerInfo.getSignedAttributeValue(SigningCertificateV2.oid);
 if (signingCertificate != null) {
   ...
 }
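
On the receiving side, the value of the attribute lies in checking that the certificate used to verify the signature hashes to the certHash of the first ESSCertIDv2. The following is an added example, not IAIK code: it uses only JDK classes, and the class EssCertIdV2Check, its method matches, the digest allow-list and the byte strings standing in for DER-encoded certificates are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

/** Added example (hypothetical names): verifier-side check of an ESSCertIDv2 certHash. */
public class EssCertIdV2Check {

    // id-sha256, the DEFAULT value of ESSCertIDv2.hashAlgorithm
    static final String ID_SHA256 = "2.16.840.1.101.3.4.2.1";

    // Digest OIDs this verifier accepts, mapped to JCA algorithm names.
    // SHA-1 (1.3.14.3.2.26) is left out as a local policy choice of this example.
    static final Map<String, String> ACCEPTED = Map.of(
            ID_SHA256, "SHA-256",
            "2.16.840.1.101.3.4.2.2", "SHA-384",
            "2.16.840.1.101.3.4.2.3", "SHA-512");

    /**
     * @param hashAlgOid OID taken from ESSCertIDv2.hashAlgorithm, or null if the field was absent
     * @param certHash   value of ESSCertIDv2.certHash
     * @param certDer    DER encoding of the candidate certificate (Certificate.getEncoded())
     * @return true only if the digest is accepted and the hash over the whole certificate matches
     */
    static boolean matches(String hashAlgOid, byte[] certHash, byte[] certDer)
            throws NoSuchAlgorithmException {
        // An absent hashAlgorithm means the DEFAULT, id-sha256.
        String oid = (hashAlgOid == null) ? ID_SHA256 : hashAlgOid;
        String jcaName = ACCEPTED.get(oid);
        if (jcaName == null) {
            return false; // unknown or disallowed digest: never treat as a match
        }
        byte[] computed = MessageDigest.getInstance(jcaName).digest(certDer);
        return MessageDigest.isEqual(computed, certHash);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for DER-encoded certificates; real input is cert.getEncoded().
        byte[] signerDer = "constructed-signer-certificate".getBytes(StandardCharsets.US_ASCII);
        byte[] otherDer = "constructed-substituted-certificate".getBytes(StandardCharsets.US_ASCII);

        byte[] sha256 = MessageDigest.getInstance("SHA-256").digest(signerDer);
        byte[] sha512 = MessageDigest.getInstance("SHA-512").digest(signerDer);
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(signerDer);

        // Default algorithm (field absent) and the signer's own certificate.
        System.out.println("default sha256, signer cert : " + matches(null, sha256, signerDer));
        // Explicit SHA-512, as a sender would produce with a non-default hashAlgorithm.
        System.out.println("sha512, signer cert         : "
                + matches("2.16.840.1.101.3.4.2.3", sha512, signerDer));
        // A different certificate presented in place of the signer's.
        System.out.println("default sha256, other cert  : " + matches(null, sha256, otherDer));
        // Correct hash, but computed with a digest outside the allow-list.
        System.out.println("sha1, signer cert           : "
                + matches("1.3.14.3.2.26", sha1, signerDer));
    }
}
```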
 

See Also:
SigningCertificate, ESSIssuerSerial, ESSCertIDv2, X509Certificate, AttributeCertificate, Attribute, PolicyInformation, CertificateSet, SignerInfo

Field Summary
static ObjectID oid
          The attributeType object identifier of this SigningCertificateV2 extension.
 
Constructor Summary
SigningCertificateV2()
          Empty default constructor.
SigningCertificateV2(ASN1Object obj)
          Creates a new SigningCertificateV2 from an ASN1Object.
SigningCertificateV2(java.security.cert.Certificate[] certs)
          Creates a SigningCertificateV2 attribute for the given certificates.
SigningCertificateV2(java.security.cert.Certificate[] certs, AlgorithmID hashAlgorithm, boolean includeIssuerSerial)
          Creates a SigningCertificateV2 attribute for the given certificates.
SigningCertificateV2(java.security.cert.Certificate[] certs, AlgorithmID hashAlgorithm, boolean includeIssuerSerial, SecurityProvider securityProvider)
          Creates a SigningCertificateV2 attribute for the given certificates.
SigningCertificateV2(java.security.cert.Certificate[] certs, boolean includeIssuerSerial)
          Creates a SigningCertificateV2 attribute for the given certificates.
SigningCertificateV2(java.security.cert.Certificate[] certs, boolean includeIssuerSerial, SecurityProvider securityProvider)
          Creates a SigningCertificateV2 attribute for the given certificates.
SigningCertificateV2(CertificateSet certSet, AlgorithmID hashAlgorithm, boolean includeIssuerSerial)
          Creates a SigningCertificateV2 attribute for the given certificates.
SigningCertificateV2(CertificateSet certSet, boolean includeIssuerSerial)
          Creates a SigningCertificateV2 attribute for the given certificates.
SigningCertificateV2(ESSCertIDv2[] essCertIDs)
          Creates a SigningCertificateV2 for the given ESSCertIDv2 objects.
 
Method Summary
 ObjectID getAttributeType()
          Returns the OID identifying the SigningCertificateV2 attribute type.
 
Methods inherited from class iaik.smime.ess.SigningCertificate
countPolicies, decode, equals, getAuthorizedCertificates, getESSCertID, getESSCertIDs, getPolicies, getPolicyInformationCerts, getPolicyInformations, getSecurityProvider, hashCode, isSignerCertificate, setPolicies, setSecurityProvider, toASN1Object, toString
 
Methods inherited from class iaik.smime.ess.ESSAttributeValue
multipleAllowed
 
Methods inherited from class iaik.asn1.structures.AttributeValue
getName
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Field Detail

oid

public static final ObjectID oid
The attributeType object identifier of this SigningCertificateV2 extension. The corresponding OID string is "1.2.840.113549.1.9.16.2.47".

Constructor Detail

SigningCertificateV2

public SigningCertificateV2()
Empty default constructor. Required for dynamic object creation. Shall not be used by an application!


SigningCertificateV2

public SigningCertificateV2(ESSCertIDv2[] essCertIDs)
Creates a SigningCertificateV2 for the given ESSCertIDv2 objects.

Parameters:
essCertIDs - the cert IDs to be set

SigningCertificateV2

public SigningCertificateV2(java.security.cert.Certificate[] certs)
                     throws java.security.NoSuchAlgorithmException,
                            java.security.cert.CertificateException
Creates a SigningCertificateV2 attribute for the given certificates.

Attention! Only X.509 public key certificates (instances of iaik.x509.X509Certificate) or X.509 attribute certificates (instances of iaik.x509.attr.AttributeCertificate) can be handled by this constructor; PKCS#6 ExtendedCertificates are obsolete and therefore not supported.

When this constructor is used to create a SigningCertificateV2 attribute, the IssuerSerial component is calculated and set for each ESSCertID element to be created. SHA-256 is used by default for cert hash calculation.

Parameters:
certs - the certificates for which to create a SigningCertificateV2 (may be instances of iaik.x509.X509Certificate and/or instances of iaik.x509.attr.AttributeCertificate)
Throws:
java.lang.IllegalArgumentException - if any of the supplied certificates is not an iaik.x509.X509Certificate or iaik.x509.attr.AttributeCertificate
java.security.NoSuchAlgorithmException - if SHA-256, required for hash computation, is not supported by the installed providers
java.security.cert.CertificateException - if an error occurs while encoding any of the certificates for computing the hash, or any of the given certificates is an attribute certificate, but the issuer information included is not sufficient to construct an IssuerSerial (if V2Form is used for indicating the issuer, but not the issuerName option)

SigningCertificateV2

public SigningCertificateV2(java.security.cert.Certificate[] certs,
                            boolean includeIssuerSerial)
                     throws java.security.NoSuchAlgorithmException,
                            java.security.cert.CertificateException
Creates a SigningCertificateV2 attribute for the given certificates.

Attention! Only X.509 public key certificates (instances of iaik.x509.X509Certificate) or X.509 attribute certificates (instances of iaik.x509.attr.AttributeCertificate) can be handled by this constructor; PKCS#6 ExtendedCertificates are obsolete and therefore not supported.
When this constructor is used to create a SigningCertificateV2 attribute, SHA-256 is used by default for cert hash calculation.

Parameters:
certs - the certificates for which to create a SigningCertificateV2 (may be instances of iaik.x509.X509Certificate and/or instances of iaik.x509.attr.AttributeCertificate)
includeIssuerSerial - if the IssuerSerial component should be set for the ESSCertIDs to be created for the given certificates
Throws:
java.lang.IllegalArgumentException - if any of the supplied certificates is not an iaik.x509.X509Certificate or iaik.x509.attr.AttributeCertificate
java.security.NoSuchAlgorithmException - if SHA-256, required for hash computation, is not supported by the installed providers
java.security.cert.CertificateException - if an error occurs while encoding any of the certificates for computing the hash, or any of the given certificates is an attribute certificate, but the issuer information included is not sufficient to construct an IssuerSerial (if V2Form is used for indicating the issuer, but not the issuerName option)

SigningCertificateV2

public SigningCertificateV2(java.security.cert.Certificate[] certs,
                            boolean includeIssuerSerial,
                            SecurityProvider securityProvider)
                     throws java.security.NoSuchAlgorithmException,
                            java.security.cert.CertificateException
Creates a SigningCertificateV2 attribute for the given certificates.

Attention! Only X.509 public key certificates (instances of iaik.x509.X509Certificate) or X.509 attribute certificates (instances of iaik.x509.attr.AttributeCertificate) can be handled by this constructor; PKCS#6 ExtendedCertificates are obsolete and therefore not supported.
When this constructor is used to create a SigningCertificateV2 attribute, SHA-256 is used by default for cert hash calculation.

Parameters:
certs - the certificates for which to create a SigningCertificateV2 (may be instances of iaik.x509.X509Certificate and/or instances of iaik.x509.attr.AttributeCertificate)
includeIssuerSerial - if the IssuerSerial component should be set for the ESSCertIDs to be created for the given certificates
securityProvider - the SecurityProvider to be explicitly used for the cryptographic operations (cert hash calculation) required by this object; if null, the default system-wide installed security provider will be used
Throws:
java.lang.IllegalArgumentException - if any of the supplied certificates is not an iaik.x509.X509Certificate or iaik.x509.attr.AttributeCertificate
java.security.NoSuchAlgorithmException - if SHA-256, required for hash computation, is not supported by the installed providers
java.security.cert.CertificateException - if an error occurs while encoding any of the certificates for computing the hash, or any of the given certificates is an attribute certificate, but the issuer information included is not sufficient to construct an IssuerSerial (if V2Form is used for indicating the issuer, but not the issuerName option)

SigningCertificateV2

public SigningCertificateV2(java.security.cert.Certificate[] certs,
                            AlgorithmID hashAlgorithm,
                            boolean includeIssuerSerial)
                     throws java.security.NoSuchAlgorithmException,
                            java.security.cert.CertificateException
Creates a SigningCertificateV2 attribute for the given certificates.

Attention! Only X.509 public key certificates (instances of iaik.x509.X509Certificate) or X.509 attribute certificates (instances of iaik.x509.attr.AttributeCertificate) can be handled by this constructor; PKCS#6 ExtendedCertificates are obsolete and therefore not supported.

Parameters:
certs - the certificates for which to create a SigningCertificateV2 (may be instances of iaik.x509.X509Certificate and/or instances of iaik.x509.attr.AttributeCertificate)
hashAlgorithm - the hash algorithm to be used for cert hash calculation
includeIssuerSerial - if the IssuerSerial component should be set for the ESSCertIDs to be created for the given certificates
Throws:
java.lang.IllegalArgumentException - if any of the supplied certificates is not an iaik.x509.X509Certificate or iaik.x509.attr.AttributeCertificate
java.security.NoSuchAlgorithmException - if the requested hash algorithm is not supported by the installed providers
java.security.cert.CertificateException - if an error occurs while encoding any of the certificates for computing the hash, or any of the given certificates is an attribute certificate, but the issuer information included is not sufficient to construct an IssuerSerial (if V2Form is used for indicating the issuer, but not the issuerName option)

SigningCertificateV2

public SigningCertificateV2(java.security.cert.Certificate[] certs,
                            AlgorithmID hashAlgorithm,
                            boolean includeIssuerSerial,
                            SecurityProvider securityProvider)
                     throws java.security.NoSuchAlgorithmException,
                            java.security.cert.CertificateException
Creates a SigningCertificateV2 attribute for the given certificates.

Attention! Only X.509 public key certificates (instances of iaik.x509.X509Certificate) or X.509 attribute certificates (instances of iaik.x509.attr.AttributeCertificate) can be handled by this constructor; PKCS#6 ExtendedCertificates are obsolete and therefore not supported.

Parameters:
certs - the certificates for which to create a SigningCertificateV2 (may be instances of iaik.x509.X509Certificate and/or instances of iaik.x509.attr.AttributeCertificate)
hashAlgorithm - the hash algorithm to be used for cert hash calculation
includeIssuerSerial - if the IssuerSerial component should be set for the ESSCertIDs to be created for the given certificates
securityProvider - the SecurityProvider to be explicitly used for the cryptographic operations (cert hash calculation) required by this object; if null, the default system-wide installed security provider will be used
Throws:
java.lang.IllegalArgumentException - if any of the supplied certificates is not an iaik.x509.X509Certificate or iaik.x509.attr.AttributeCertificate
java.security.NoSuchAlgorithmException - if the requested hash algorithm is not supported by the installed providers
java.security.cert.CertificateException - if an error occurs while encoding any of the certificates for computing the hash, or any of the given certificates is an attribute certificate, but the issuer information included is not sufficient to construct an IssuerSerial (if V2Form is used for indicating the issuer, but not the issuerName option)

SigningCertificateV2

public SigningCertificateV2(CertificateSet certSet,
                            boolean includeIssuerSerial)
                     throws java.security.NoSuchAlgorithmException,
                            java.security.cert.CertificateException
Creates a SigningCertificateV2 attribute for the given certificates.

Attention! Only X.509 public key certificates (instances of iaik.x509.X509Certificate) or X.509 attribute certificates (instances of iaik.x509.attr.AttributeCertificate) can be handled by this constructor; PKCS#6 ExtendedCertificates are obsolete and therefore not supported.
When this constructor is used to create a SigningCertificateV2 attribute, SHA-256 is used by default for cert hash calculation.

Parameters:
certSet - the certificates for which to create a SigningCertificateV2 (may be instances of iaik.x509.X509Certificate and/or instances of iaik.x509.attr.AttributeCertificate)
includeIssuerSerial - if the IssuerSerial component should be set for the ESSCertIDs to be created for the given certificates
Throws:
java.lang.IllegalArgumentException - if any of the supplied certificates is not an iaik.x509.X509Certificate or iaik.x509.attr.AttributeCertificate
java.security.NoSuchAlgorithmException - if SHA-256, required for hash computation, is not supported by the installed providers
java.security.cert.CertificateException - if an error occurs while encoding any of the certificates for computing the hash, or any of the given certificates is an attribute certificate, but the issuer information included is not sufficient to construct an IssuerSerial (if V2Form is used for indicating the issuer, but not the issuerName option)

SigningCertificateV2

public SigningCertificateV2(CertificateSet certSet,
                            AlgorithmID hashAlgorithm,
                            boolean includeIssuerSerial)
                     throws java.security.NoSuchAlgorithmException,
                            java.security.cert.CertificateException
Creates a SigningCertificateV2 attribute for the given certificates.

Attention! Only X.509 public key certificates (instances of iaik.x509.X509Certificate) or X.509 attribute certificates (instances of iaik.x509.attr.AttributeCertificate) can be handled by this constructor; PKCS#6 ExtendedCertificates are obsolete and therefore not supported.

Parameters:
certSet - the certificates for which to create a SigningCertificateV2 (may be instances of iaik.x509.X509Certificate and/or instances of iaik.x509.attr.AttributeCertificate)
hashAlgorithm - the hash algorithm to be used for cert hash calculation
includeIssuerSerial - if the IssuerSerial component should be set for the ESSCertIDs to be created for the given certificates
Throws:
java.lang.IllegalArgumentException - if any of the supplied certificates is not an iaik.x509.X509Certificate or iaik.x509.attr.AttributeCertificate
java.security.NoSuchAlgorithmException - if SHA-256, required for hash computation, is not supported by the installed providers
java.security.cert.CertificateException - if an error occurs while encoding any of the certificates for computing the hash, or any of the given certificates is an attribute certificate, but the issuer information included is not sufficient to construct an IssuerSerial (if V2Form is used for indicating the issuer, but not the issuerName option)

SigningCertificateV2

public SigningCertificateV2(ASN1Object obj)
                     throws CodingException
Creates a new SigningCertificateV2 from an ASN1Object.

Parameters:
obj - the SigningCertificateV2 as ASN1Object
Throws:
CodingException - if the ASN1Object could not be parsed

Method Detail

getAttributeType

public ObjectID getAttributeType()
Returns the OID identifying the SigningCertificateV2 attribute type.

Overrides:
getAttributeType in class SigningCertificate
Returns:
the OID ("1.2.840.113549.1.9.16.2.47") identifying the SigningCertificateV2 attribute type.

This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).

IAIK-CMS 6.0, (c) 2002 IAIK, (c) 2003, 2023 SIC