iaik.x509.attr
Class Holder

java.lang.Object
  |
  +--iaik.x509.attr.Holder

public class Holder
extends Object

This class implements the AC type Holder.

The Internet Attribute Certificate Profile for Authorization (RFC 3281) specifies the Holder type for identifying the entity to which the AttributeCertificate belongs:

 Holder ::= SEQUENCE {
    baseCertificateID   [0] IssuerSerial OPTIONAL,
                        -- the issuer and serial number of
                        -- the holder's Public Key Certificate
    entityName          [1] GeneralNames OPTIONAL,
                        -- the name of the claimant or role
    objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
                        -- used to directly authenticate the holder,
                        -- for example, an executable
 }
 
For any environment where the AC is passed in an authenticated message or session and where the authentication is based on the use of an X.509 public key certificate, the holder should be identified by means of a baseCertificateID pointing to the right X.509 public key certificate by issuer name and issuer-specific serial number, e.g.:
 X509Certificate baseCert = ...;
 IssuerSerial baseCertificateID = new IssuerSerial(baseCert);
 Holder holder = new Holder();
 holder.setBaseCertificateID(baseCertificateID);
 attributeCertificate.setHolder(holder);
 

If the holder field uses the entityName option and the underlying authentication is based on a PKC, then the entityName MUST be the same as the PKC subject field or one of the values of the PKC subjectAltName field extension (if present), e.g.:
 X509Certificate cert = ...;
 Name subject = (Name)cert.getSubjectDN();
 GeneralName subjectName = new GeneralName(GeneralName.directoryName, subject);
 GeneralNames entityName = new GeneralNames(subjectName);
 Holder holder = new Holder();
 holder.setEntityName(entityName);
 attributeCertificate.setHolder(holder);
 
The ObjectDigestInfo component may be used for linking the AC to an object by placing a hash of that object into the holder field of the AC. For example, this allows production of ACs that are linked to public keys rather than names (see RFC 3281 for more information):
 // the public key to which to link the AC:
 PublicKey publicKey = ...;
 // the digest algorithm to use
 AlgorithmID digestAlgorithm = ...;
 ObjectDigestInfo odi = new ObjectDigestInfo(publicKey, digestAlgorithm);
 Holder holder = new Holder();
 holder.setObjectDigestInfo(odi);
 attributeCertificate.setHolder(holder);
 

Version:
File Revision 17
See Also:
AttributeCertificate, IssuerSerial, ObjectDigestInfo, GeneralNames

Constructor Summary
Holder()
          Default constructor.
Holder(ASN1Object obj)
          Creates a Holder from its ASN.1 representation.
 
Method Summary
 boolean equals(Object obj)
          Compares this Holder to the specified object.
 IssuerSerial getBaseCertificateID()
          Gets the baseCertificateID of this Holder, if set.
 GeneralNames getEntityName()
          Gets the entityName of this Holder, if set.
 ObjectDigestInfo getObjectDigestInfo()
          Gets the objectDigestInfo of this Holder, if set.
 int hashCode()
          Returns a hashcode for this Holder.
 boolean identifiesCert(X509Certificate cert)
          Checks if this Holder identifies the certificate.
 void setBaseCertificateID(IssuerSerial baseCertificateID)
          Sets the baseCertificateID of this Holder.
 void setEntityName(GeneralNames entityName)
          Sets the entityName of this Holder.
 void setObjectDigestInfo(ObjectDigestInfo objectDigestInfo)
          Sets the objectDigestInfo of this Holder.
 ASN1Object toASN1Object()
          Returns this Holder as ASN1Object.
 String toString()
          Returns a string giving some information about this Holder object.
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Constructor Detail

Holder

public Holder()
Default constructor. Creates an empty Holder object. Use the several setXXX methods for setting the fields of this Holder object.

Holder

public Holder(ASN1Object obj)
       throws CodingException
Creates a Holder from its ASN.1 representation.
Parameters:
obj - the Holder as ASN1Object
Throws:
CodingException - if a decoding/parsing error occurs or the information contained is not appropriate for a Holder
Method Detail

getBaseCertificateID

public IssuerSerial getBaseCertificateID()
Gets the baseCertificateID of this Holder, if set.
Returns:
the baseCertificateID IssuerSerial, if set

setBaseCertificateID

public void setBaseCertificateID(IssuerSerial baseCertificateID)
Sets the baseCertificateID of this Holder.
Parameters:
baseCertificateID - the IssuerSerial to be set.

getEntityName

public GeneralNames getEntityName()
Gets the entityName of this Holder, if set.
Returns:
the entityName GeneralNames, if set

setEntityName

public void setEntityName(GeneralNames entityName)
Sets the entityName of this Holder.
Parameters:
entityName - the GeneralNames to be set.

getObjectDigestInfo

public ObjectDigestInfo getObjectDigestInfo()
Gets the objectDigestInfo of this Holder, if set.
Returns:
the objectDigestInfo, if set

setObjectDigestInfo

public void setObjectDigestInfo(ObjectDigestInfo objectDigestInfo)
Sets the objectDigestInfo of this Holder.
Parameters:
objectDigestInfo - the ObjectDigestInfo to be set.

toASN1Object

public ASN1Object toASN1Object()
Returns this Holder as ASN1Object.
Returns:
this Holder as ASN1Object

equals

public boolean equals(Object obj)
Compares this Holder to the specified object.
Overrides:
equals in class Object
Parameters:
obj - the object to compare this Holder against.
Returns:
true, if the given object is equal to this Holder, false otherwise

hashCode

public int hashCode()
Returns a hashcode for this Holder.
Overrides:
hashCode in class Object
Returns:
a hashcode for this Holder

identifiesCert

public boolean identifiesCert(X509Certificate cert)
                       throws NoSuchAlgorithmException,
                              CertificateEncodingException
Checks if this Holder identifies the certificate.

In the case where the Holder of an AC is linked to a particular certificate, this method may be used for checking if the given cert "belongs" to this Holder by performing the following steps in the following order:

  1. If this Holder contains the baseCertificateID component and the corresponding IssuerSerial identifies the given certificate, this method returns true; if the corresponding IssuerSerial does not identify the given certificate, this method returns false.
  2. If this Holder does not contain the baseCertificateID component but contains an entityName component which corresponds to the subject of the given certificate, this method returns true; if the entityName does not correspond to the subject of the given certificate, this method returns false.
    During step 2, the entityName is compared against the subject and subjectAltName of the given certificate as follows (in the given order):
    • If the given certificate contains a non-empty subject field, its contents have to match the entityName of this Holder object.
    • Otherwise the SubjectAltName extension is checked: each GeneralName of the entityName of this Holder must be included in the SubjectAltName of the given certificate (note that not all GeneralName components of the SubjectAltName extension need to have been used for building the entityName).
  3. If this Holder contains neither the baseCertificateID component nor the entityName component, but contains the objectDigestInfo component and the corresponding ObjectDigestInfo identifies the given certificate, this method returns true; if the corresponding ObjectDigestInfo does not identify the given certificate, this method returns false.
  4. If this Holder does not contain any components, this method returns false.
Note that, according to the procedure above, if more than one component is present only the first component appearing in the SEQUENCE of components is checked; the remaining components are ignored even if they do not match the certificate. If you want to check all included components you may get them and check them yourself.
Returns:
true if this Holder "links" to the given certificate according to the rules above, false if not
Throws:
NoSuchAlgorithmException - if this Holder only contains the objectDigestInfo component, but the digest algorithm (required for the check) used there is not supported
CertificateEncodingException - if this Holder only contains the objectDigestInfo and an error occurs while encoding the certificate required for digest calculation
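The following added example (not part of IAIK-JCE) shows one way to follow the advice above and check every component that is present, rather than only the first one: each component is copied into a fresh single-component Holder so that identifiesCert() evaluates exactly that component. The helper name is hypothetical, and the import package of GeneralNames is assumed to be iaik.asn1.structures.

```java
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;

import iaik.asn1.structures.GeneralNames;   // assumed package for GeneralNames
import iaik.x509.X509Certificate;
import iaik.x509.attr.Holder;
import iaik.x509.attr.IssuerSerial;
import iaik.x509.attr.ObjectDigestInfo;

public final class HolderCheck {

    /**
     * Hypothetical helper (not an IAIK-JCE API): returns true only if every
     * component present in the Holder identifies the given certificate.
     * Holder.identifiesCert() on the original object would stop after the
     * first component present, so each component is checked on its own.
     */
    public static boolean identifiesCertByAllComponents(Holder holder, X509Certificate cert)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        boolean checked = false;

        IssuerSerial baseCertificateID = holder.getBaseCertificateID();
        if (baseCertificateID != null) {
            Holder h = new Holder();
            h.setBaseCertificateID(baseCertificateID);
            if (!h.identifiesCert(cert)) return false;   // issuer/serial mismatch
            checked = true;
        }

        GeneralNames entityName = holder.getEntityName();
        if (entityName != null) {
            Holder h = new Holder();
            h.setEntityName(entityName);
            if (!h.identifiesCert(cert)) return false;   // subject/subjectAltName mismatch
            checked = true;
        }

        ObjectDigestInfo objectDigestInfo = holder.getObjectDigestInfo();
        if (objectDigestInfo != null) {
            Holder h = new Holder();
            h.setObjectDigestInfo(objectDigestInfo);
            if (!h.identifiesCert(cert)) return false;   // object digest mismatch
            checked = true;
        }

        // A Holder without any component identifies nothing (rule 4 above).
        return checked;
    }
}
```

A relying party that accepts an AC on the basis of a presented PKC can call this helper instead of identifiesCert() when it wants a Holder carrying several components to be rejected as soon as any one of them disagrees with the certificate.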

toString

public String toString()
Returns a string giving some information about this Holder object.
Overrides:
toString in class Object
Returns:
the string representation

This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, 2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note).

IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK