iaik.x509.ocsp
Class ReqCert

java.lang.Object
  |
  +--iaik.x509.ocsp.ReqCert

public class ReqCert
extends Object

This class implements the OCSPv2 type "ReqCert".

OCSPv2 specifies the ReqCert type for identifying the target certificate in a Request to be sent to an OCSP server, using one of the following alternatives (the same identifier is also included in the response sent back from the server):

ASN.1 definition:

 ReqCert  ::= CHOICE {
   certID            CertID,
   issuerSerial      [0] IssuerandSerialNumber,
   pKCert            [1] Certificate,
   name              [2] GeneralName,
   certHash          [3] OCTET STRING}
 
When creating a ReqCert object, specify the intended type and the value to be set, e.g.:
 CertID certID = ...;
 ReqCert reqCert = new ReqCert(ReqCert.certID, certID);
 
Depending on the type the value has to be an object according to the following assignment:
  TYPE                              VALUE
  ====                              =====
  certID       (0):                 iaik.x509.ocsp.CertID
  issuerSerial (1):                 iaik.pkcs.pkcs7.IssuerAndSerialNumber
  pKCert       (2):                 iaik.x509.X509Certificate
  name         (3):                 iaik.asn1.structures.GeneralName
  certHash     (4):                 byte array or X509Certificate
 
Please be aware that for type certHash the value may be specified either as a byte array (an already calculated SHA-1 hash) or as an X509Certificate; in the latter case the hash is calculated automatically.

An OCSP requestor will include the reqCert in a single Request whereas a responder will include it in a single response:

 Request request = new Request(reqCert);
 
respectively
 SingleResponse singleResponse = new SingleResponse(reqCert, certStatus, thisUpdate);
 

Version:
File Revision 16
See Also:
CertID, IssuerAndSerialNumber, X509Certificate, GeneralName, Request, SingleResponse

Field Summary
static int certHash
          ReqCert type certHash (4).
static int certID
          ReqCert type CertID (0).
static int issuerSerial
          ReqCert type issuerSerial (1).
static int name
          ReqCert type name (3).
static int pKCert
          ReqCert type pKCert (2).
 
Constructor Summary
ReqCert(ASN1Object obj)
          Creates a ReqCert from an ASN1Object.
ReqCert(int type, Object reqCert)
          Creates a ReqCert for given type and value.
 
Method Summary
 boolean equals(Object obj)
          Compares this ReqCert with the given ReqCert.
 Object getReqCert()
          Returns the value of this reqCert.
 int getType()
          Returns the type of this reqCert which may lie between 0 and 4.
 String getTypeName()
          Returns the type of this reqCert as String.
 int hashCode()
          Returns a hash code value for this object.
 boolean isReqCertFor(X509Certificate targetCert, X509Certificate issuerCert, GeneralName generalName)
          Checks if this is a ReqCert for the given certificate identifying information.
 ASN1Object toASN1Object()
          Returns this ReqCert object as ASN1Object.
 String toString()
          Returns a string that represents the contents of this reqCert.
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Field Detail

certID

public static final int certID
ReqCert type CertID (0). (OCSP CertID)

issuerSerial

public static final int issuerSerial
ReqCert type issuerSerial (1). (CMS, PKCS#7 IssuerAndSerialNumber)

pKCert

public static final int pKCert
ReqCert type pKCert (2). (X.509 certificate)

name

public static final int name
ReqCert type name (3). (X.509 GeneralName)

certHash

public static final int certHash
ReqCert type certHash (4). (SHA-1 hash of certificate)
Constructor Detail

ReqCert

public ReqCert(int type,
               Object reqCert)
        throws IllegalArgumentException
Creates a ReqCert for given type and value.

When creating a new ReqCert object you have to specify type and corresponding value. The value has to be an object according to the following assignment:

  TYPE                              VALUE
  ====                              =====
  certID       (0):                 iaik.x509.ocsp.CertID
  issuerSerial (1):                 iaik.pkcs.pkcs7.IssuerAndSerialNumber
  pKCert       (2):                 iaik.x509.X509Certificate
  name         (3):                 iaik.asn1.structures.GeneralName
  certHash     (4):                 byte array or X509Certificate
 
Please be aware that for type certHash the value may be specified either as a byte array (an already calculated SHA-1 hash) or as an X509Certificate; in the latter case the hash is calculated automatically, e.g.:
 X509Certificate targetCert = ...;
 ReqCert reqCert = new ReqCert(ReqCert.certHash, targetCert);
 
to be distinguished from:
 X509Certificate targetCert = ...;
 ReqCert reqCert = new ReqCert(ReqCert.pKCert, targetCert);
 
where the whole cert is used for identification.
Parameters:
type - the type of the reqCert; a valid type must be used (0 ... 4)
reqCert - the value for this type of reqCert
Throws:
IllegalArgumentException - if the supplied type is not defined, i.e. the int specifier is "out-of-range" (only 0...4 is allowed)

ReqCert

public ReqCert(ASN1Object obj)
        throws CodingException
Creates a ReqCert from an ASN1Object. The supplied ASN1Object represents an already existing ReqCert that may have been created by means of the toASN1Object method.
Parameters:
obj - the reqCert as ASN1Object
Throws:
CodingException - if the ASN1Object is not a ReqCert or some parsing error occurs; or the supplied ReqCert type is not known
Method Detail

toASN1Object

public ASN1Object toASN1Object()
                        throws CodingException
Returns this ReqCert object as ASN1Object.
Returns:
the value of ReqCert as ASN1Object
Throws:
CodingException - if the ASN1Object cannot be created for some reason, e.g. the type is not supported

getReqCert

public Object getReqCert()
Returns the value of this reqCert.

Depending on the type this ReqCert represents this method returns an object according to the following assignment:

  TYPE                              VALUE
  ====                              =====
  certID       (0):                 iaik.x509.ocsp.CertID
  issuerSerial (1):                 iaik.pkcs.pkcs7.IssuerAndSerialNumber
  pKCert       (2):                 iaik.x509.X509Certificate
  name         (3):                 iaik.asn1.structures.GeneralName
  certHash     (4):                 byte array
 
Returns:
the value of this reqCert

getType

public int getType()
Returns the type of this reqCert which may lie between 0 and 4.
Returns:
the type of this reqCert

getTypeName

public String getTypeName()
Returns the type of this reqCert as String.
Returns:
the type of this reqCert as String

equals

public boolean equals(Object obj)
Compares this ReqCert with the given ReqCert.
Overrides:
equals in class Object
Parameters:
obj - the other ReqCert
Returns:
true, if the two ReqCerts are equal, false otherwise

isReqCertFor

public boolean isReqCertFor(X509Certificate targetCert,
                            X509Certificate issuerCert,
                            GeneralName generalName)
                     throws OCSPException
Checks if this is a ReqCert for the given certificate identifying information.

Since OCSP v2-01 (see draft-ietf-pkix-ocspv2-01) uses no fewer than five alternatives (certID, issuerSerial, pKCert, name, certHash) to identify the target cert for which status information shall be obtained, it might be the case (hopefully not a very probable one) that an OCSP server responds with a different reqCert type than the one sent with the client request, namely when it maintains precomputed responses.
If the reqCert types are the same in request and response, method equals can be used for checking whether the two reqCert IDs refer to the same certificate. However, if the two types are not the same (e.g. request: pKCert, response: certID) or are two certIDs with different hash algorithms, this method may be used for trying to "translate" the given cert data into a reqCert of the type this reqCert represents and then checking if they are equal. Translation thereby is performed according to the following rules:

This method only returns true if the supplied information fits the type this ReqCert represents (according to the conditions above) and identifies the same certificate. In any other case this method returns false (e.g. this ReqCert represents a type for which the supplied information is not appropriate, or the type is ok but another certificate is referenced).

Assuming, for instance, that this ReqCert represents a certID, but you expect a pKCert, method equals will fail. In that case you may supply both the target cert and its issuing cert for checking if this ReqCert identifies the target certificate in mind, e.g.:

 // the target cert chain
 X509Certificate[] targetCerts = ...;
 boolean isReqCertFor = reqCert.isReqCertFor(targetCerts[0], targetCerts[1], null);
 
Parameters:
targetCert - the target cert, if required
issuerCert - the cert of the target cert issuer, if required
generalName - a general name (if required for reqCert type "name")
Returns:
true if this ReqCert identifies the target certificate asked for; or false if this ReqCert does not identify the target certificate in mind or not enough information is provided for handling the cert type of this ReqCert
Throws:
OCSPException - if some processing error occurs, e.g. if this ReqCert represents a CertID but the certID's hash algorithm is not supported by the installed providers
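
The request/response matching described above, written as a client-side check that fails closed. This is an added example, not code from IAIK-JCE: the class ReqCertMatcher and its method identifiesTarget are hypothetical, only the ReqCert methods documented on this page are called, and reading the ReqCert out of the received response is left to the caller.

```java
import iaik.asn1.structures.GeneralName;
import iaik.x509.X509Certificate;
import iaik.x509.ocsp.OCSPException;
import iaik.x509.ocsp.ReqCert;

/** Hypothetical helper (not part of IAIK-JCE). */
public final class ReqCertMatcher {

  private ReqCertMatcher() {}

  /**
   * Decides whether the ReqCert found in a response identifies the
   * certificate the client asked about.
   *
   * @param requested  the ReqCert the client put into its Request
   * @param responded  the ReqCert taken from the responder's single response
   * @param targetCert the certificate whose status was requested
   * @param issuerCert the certificate of the target cert's issuer
   * @param name       general name for reqCert type "name", or null
   * @return true only if responded refers to targetCert
   */
  public static boolean identifiesTarget(ReqCert requested, ReqCert responded,
                                         X509Certificate targetCert,
                                         X509Certificate issuerCert,
                                         GeneralName name) {
    if (requested == null || responded == null) {
      return false;
    }
    // Same reqCert type in request and response: equals() decides.
    if (requested.getType() == responded.getType()
        && requested.equals(responded)) {
      return true;
    }
    // Different types, or two certIDs with different hash algorithms:
    // let the responded ReqCert compare itself against the cert data.
    try {
      return responded.isReqCertFor(targetCert, issuerCert, name);
    } catch (OCSPException e) {
      // E.g. the certID's hash algorithm is not supported by the installed
      // providers. The match cannot be established, so treat it as no match
      // instead of accepting the status for an unverified certificate.
      return false;
    }
  }
}
```

A caller should discard the status in a single response for which this check returns false, since it cannot be tied to the certificate that was asked about.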

hashCode

public int hashCode()
Returns a hash code value for this object.
Overrides:
hashCode in class Object
Returns:
a hash code value for this object

toString

public String toString()
Returns a string that represents the contents of this reqCert.
Overrides:
toString in class Object
Returns:
the string representation

This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, 2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note).

IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK