|
|||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
An OCSP response for a single certificate.
Interface to be implemented by any class representing a response message for a single certificate.
The main purpose of this interface is to enforce that any
certificate response easily can be identified by the
ReqCert of the underlying
target certificate:
ReqCert ::= CHOICE {
certID CertID,
issuerSerial [0] IssuerandSerialNumber,
pKCert [1] Certificate,
name [2] GeneralName,
certHash [3] OCTET STRING}
| Method Summary | |
ReqCert |
getReqCert()
Returns the reqCert of this certificate response. |
boolean |
isResponseFor(ReqCert reqCert)
Checks if this is a certificate response for a certificate identified by the given reqCert. |
boolean |
isResponseFor(X509Certificate targetCert,
X509Certificate issuerCert,
GeneralName generalName)
Checks if this is a certificate response for the given certificate identifying information. |
String |
toString()
Returns a String representation of this certificate response. |
| Methods inherited from interface iaik.asn1.ASN1Type |
decode, toASN1Object |
| Method Detail |
public ReqCert getReqCert()
public boolean isResponseFor(X509Certificate targetCert,
X509Certificate issuerCert,
GeneralName generalName)
throws OCSPException
Since OCSP v2-01 (see draft-ietf-pkix-ocspv2-01) uses not less
than five alternatives (certID, issuerSerial, pKCert, name, certHash)
to identify the target cert for which status information shall be
obtained, it might be the -- hopefully not very probable -- case that
an OCSP server responds by using a different reqCert type (namely when
maintaining precompted responses) as the one sent with the client
request.
If the reqCert types are the same in request and response, method
isResponseFor can be used for checking if
this certificate response actually is a response referring to the
certificate in mind. However, if request and response use different ReqCert
types (e.g. request: pkCert, response: certID) or they use a certID with
different hash algorithms, this method may be used for trying to "translate"
the given cert data into a reqCert of the type the reqCert of this certificate
response represents for checking if they are equal.
Translation thereby is performed according to the following rules:
targetCert and issuerCert have to be
supplied; generalName is ignored. From the given certs,
a certID is created and checked for equality with the certID of the
reqCert of this certificate response.
targetCert has to be supplied, issuerCert
and generalName are ignored. From the given target cert, an
IssuerAndSerialNumber object is created and checked for equality with the
issuerSerial of the reqCert of this certificate response.
targetCert has to be supplied, issuerCert and
generalName are ignored. The given target cert is checked
for equality with the pKCert of the reqCert of this certificate response.
targetCert or generalName have to be supplied,
issuerCert is ignored. If generalName is supplied,
it is compared with the GeneralName of the reqCert of this response. If
generalName is null, but targetCert is supplied,
a GeneralName of type directoryName is created from the target certīs
SubjectDN and checked for equality with the generalName of the reqCert of
this certificate response.
targetCert has to be supplied, issuerCert and
generalName are ignored. From the given target cert a SHA-1
hash is computed and compared with the certHash of the reqCert of this
certificate response.
This method only returns true if the supplied informations
fit to the type of the ReqCert of this response (according to the conditions
above) and identify the same certificate. In any other case this method returns
false (e.g. the ReqCert of this response represents a type for which
the supplied informations are not appropriate, or the type is ok but
another certificate is referenced).
Assumimg, for instance, that the ReqCert of this response represents a certID,
but you expect a pKCert, method isResponseFor
will fail. Now you may supply both target cert and its issuing cert for checking
if this is a response for the target certificate in mind, e.g.:
// the target cert chain X509Certificate[] targetCerts = ...; booelan isResponseFor = certResponse.isResponseFor(targetCerts[0], targetCerts[1], null);
targetCert - the target cert, if requiredissuerCert - the cert of the target cert issuer, if requiredgeneralName - a general name (if required for reqCert type "name")true if this is a response for the target certificate
asked for; or false if this is not a response for the
target certificate in mind or not enough information is
provided for handling the type of the inherent ReqCertOCSPException - if some processing error occurs, e.g. if the ReqCert
of this response represents a CertID but the certIDīs hash algorithm
is not supported by the installed providerspublic boolean isResponseFor(ReqCert reqCert)
reqCert - the reqCert identifying the certificate in mind
true if this is a certificate response for the certificate
identified by the given reqCert, false if notpublic String toString()
toString in class Object
|
This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, ,2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note). | ||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK