java.lang.Object
|
+--iaik.x509.V3Extension
|
+--iaik.x509.extensions.PolicyConstraints
This class implements the PolicyConstraints extension.
The PolicyConstraints extension is a standard X509v3 extension, which
may or may not be marked as being critical.
Each extension is associated with a specific certificateExtension
object identifier, derived from:
certificateExtension OBJECT IDENTIFIER ::=
{joint-iso-ccitt(2) ds(5) 29}
id-ce OBJECT IDENTIFIER ::= certificateExtension
The object identifier for the PolicyConstraints extension
is defined as:
id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
which corresponds to the OID string "2.5.29.36".
The X.509 Certificate and CRL profile presented in the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt specifies the policy constraints extension for constraining path validation in two ways. It can be used to prohibit policy mapping or to require that each certificate in a path contains an acceptable policy identifier. The policy constraints extension can be used in certificates issued to CAs:
PolicyConstraints ::= SEQUENCE {
requireExplicitPolicy [0] SkipCerts OPTIONAL,
inhibitPolicyMapping [1] SkipCerts OPTIONAL }
SkipCerts ::= INTEGER (0..MAX)
If the inhibitPolicyMapping field is present, the value indicates the number of additional certificates that may appear in the path before policy mapping is no longer permitted. For example, a value of one indicates that policy mapping may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path.
If the requireExplicitPolicy field is present, subsequent certificates must include an acceptable policy identifier. The value of requireExplicitPolicy indicates the number of additional certificates that may appear in the path before an explicit policy is required. An acceptable policy identifier is the identifier of a policy required by the user of the certification path or the identifier of a policy which has been declared equivalent through policy mapping.
More information can be found in the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt, section 4.2.1.12 "Policy Constraints".
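To make the skip-certificate arithmetic concrete, here is an added example that is not code from the IAIK library or from this page. It walks a constructed four-certificate path (root, CA1, CA2, end entity) and reports, for each certificate, whether policy mapping is still permitted and whether an explicit policy is already required. The classes CertConstraints and Verdict and the method walk() are assumptions of the example; the -1 sentinel for an absent field mirrors the one returned by getRequireExplicitPolicy() and getInhibitExplicitPolicy(). The counters follow the state variables of RFC 3280 section 6.1, simplified by treating every certificate as non-self-issued and by leaving out the valid_policy_tree bookkeeping.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added teaching example: shows where requireExplicitPolicy and
 * inhibitPolicyMapping take effect along a certification path.
 * Not part of the IAIK library.
 */
public class PolicyConstraintsWalk {

    /** Constructed stand-in for one certificate's PolicyConstraints values.
     *  -1 means the field is absent, the same sentinel the IAIK getters use. */
    static final class CertConstraints {
        final String subject;
        final int requireExplicitPolicy;
        final int inhibitPolicyMapping;

        CertConstraints(String subject, int requireExplicitPolicy, int inhibitPolicyMapping) {
            this.subject = subject;
            this.requireExplicitPolicy = requireExplicitPolicy;
            this.inhibitPolicyMapping = inhibitPolicyMapping;
        }
    }

    /** Conclusion for one certificate, judged under the counters its issuers
     *  left behind; a certificate's own constraints bind only later certificates. */
    static final class Verdict {
        final String subject;
        final boolean mappingPermitted;       // may this certificate's PolicyMappings be processed?
        final boolean explicitPolicyRequired; // must this certificate carry an acceptable policy id?

        Verdict(String subject, boolean mappingPermitted, boolean explicitPolicyRequired) {
            this.subject = subject;
            this.mappingPermitted = mappingPermitted;
            this.explicitPolicyRequired = explicitPolicyRequired;
        }

        @Override
        public String toString() {
            return subject + ": policy mapping " + (mappingPermitted ? "permitted" : "inhibited")
                 + ", explicit policy " + (explicitPolicyRequired ? "required" : "not required");
        }
    }

    /** Runs the skip-certificate counters over the path, root first. */
    static List<Verdict> walk(List<CertConstraints> path) {
        // Each counter is the number of further certificates that may be processed
        // before the constraint bites. Start past the end of the path so that, with
        // no extension anywhere, neither constraint ever becomes active.
        int explicitPolicy = path.size() + 1;
        int policyMapping = path.size() + 1;
        List<Verdict> verdicts = new ArrayList<>();
        for (CertConstraints cert : path) {
            // 1. Judge this certificate under the counters currently in force.
            verdicts.add(new Verdict(cert.subject, policyMapping > 0, explicitPolicy == 0));
            // 2. This certificate has now been consumed: count it down.
            if (explicitPolicy > 0) explicitPolicy--;
            if (policyMapping > 0) policyMapping--;
            // 3. Tighten with this certificate's own values. An absent field (-1)
            //    never loosens a limit set earlier in the path; only a smaller
            //    value replaces the counter.
            if (cert.requireExplicitPolicy >= 0 && cert.requireExplicitPolicy < explicitPolicy) {
                explicitPolicy = cert.requireExplicitPolicy;
            }
            if (cert.inhibitPolicyMapping >= 0 && cert.inhibitPolicyMapping < policyMapping) {
                policyMapping = cert.inhibitPolicyMapping;
            }
        }
        return verdicts;
    }

    public static void main(String[] args) {
        // Constructed path. CA1 carries inhibitPolicyMapping = 1 (the example from the
        // text) and requireExplicitPolicy = 1; CA2 repeats a looser requireExplicitPolicy
        // of 5, which must not override the stricter value already in force.
        List<CertConstraints> path = Arrays.asList(
            new CertConstraints("Root CA", -1, -1),
            new CertConstraints("CA1", 1, 1),
            new CertConstraints("CA2", 5, -1),
            new CertConstraints("End entity", -1, -1));
        // Expected: Root CA and CA1 unconstrained; CA2 may still map policies and
        // needs no explicit policy; End entity: mapping inhibited, explicit policy required.
        for (Verdict v : walk(path)) {
            System.out.println(v);
        }
    }
}
```

The point the walk makes visible is step 3: a subordinate CA cannot relax a constraint set by its issuer, because only a smaller value ever replaces a counter. The full RFC 3280 procedure additionally maintains the valid_policy_tree across the whole path and applies one more decrement for the end entity, so a real validator must not stop at these two counters.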
For adding a PolicyConstraints extension object to an X509Certificate,
use the addExtension method of the iaik.x509.X509Certificate class, e.g.:

  PolicyConstraints policyConstraints = new PolicyConstraints();
  policyConstraints.setRequireExplicitPolicy(3);
  policyConstraints.setInhibitExplicitPolicy(7);
  X509Certificate cert = new X509Certificate();
  ...
  cert.addExtension(policyConstraints);

When intending to mark this extension as critical, use the setCritical
method of the iaik.x509.V3Extension
parent class (note that you have to mark an extension as critical before adding the
extension to a certificate), e.g.:

  policyConstraints.setCritical(true);
See Also:
PolicyMappings,
V3Extension,
X509Extensions,
X509Certificate

| Field Summary | |
static ObjectID |
oid
The object identifier of this PolicyConstraints extension. |
| Fields inherited from class iaik.x509.V3Extension |
critical |
| Constructor Summary | |
PolicyConstraints()
Default constructor. |
|
| Method Summary | |
int |
getInhibitExplicitPolicy()
Returns the inhibitPolicyMapping value of this
PolicyConstraints extension specifying the
number of additional certificates that may appear in the path
before policy mapping is no longer permitted. |
ObjectID |
getObjectID()
Returns the object ID of this PolicyConstraints extension |
int |
getRequireExplicitPolicy()
Returns the requireExplicitPolicy value of this
PolicyConstraints extension specifying the
number of additional certificates that may appear in the path
before an explicit policy is required. |
int |
hashCode()
Returns a hashcode for this identity. |
void |
init(ASN1Object obj)
Inits this PolicyConstraints implementation with an ASN1object
representing the value of this extension. |
void |
setInhibitExplicitPolicy(int inhibitPolicyMapping)
Sets the inhibitPolicyMapping value of this
PolicyConstraints extension for specifying the
number of additional certificates that may appear in the path
before policy mapping is no longer permitted. |
void |
setRequireExplicitPolicy(int requireExplicitPolicy)
Sets the requireExplicitPolicy value of this
PolicyConstraints extension for specifying the
number of additional certificates that may appear in the path
before an explicit policy is required. |
ASN1Object |
toASN1Object()
Returns an ASN1Object representing the value of this PolicyConstraints
extension object. |
java.lang.String |
toString()
Returns a string that represents the contents of this PolicyConstraints extension. |
| Methods inherited from class iaik.x509.V3Extension |
getName,
isCritical,
setCritical |
| Methods inherited from class java.lang.Object |
clone,
equals,
finalize,
getClass,
notify,
notifyAll,
wait,
wait,
wait |
| Field Detail |
public static final ObjectID oid
The object identifier of this PolicyConstraints extension.
The corresponding OID string is "2.5.29.36".

| Constructor Detail |
public PolicyConstraints()
Creates an empty PolicyConstraints object.
InhibitExplicitPolicy and RequireExplicitPolicy
are initialized with -1, indicating that the corresponding values are not set.
Use setInhibitExplicitPolicy and/or
setRequireExplicitPolicy for
prohibiting policy mapping and/or requiring acceptable policy identifiers for
subsequent certificates.
If you want to specify this extension as critical before adding it to a
certificate, use the setCritical method of the
iaik.x509.V3Extension
parent class, e.g.:

  PolicyConstraints policyConstraints = new PolicyConstraints();
  policyConstraints.setRequireExplicitPolicy(3);
  policyConstraints.setInhibitExplicitPolicy(7);
  policyConstraints.setCritical(true);
  X509Certificate cert = new X509Certificate();
  ...
  cert.addExtension(policyConstraints);

See Also:
V3Extension.setCritical(boolean)

| Method Detail |
public ASN1Object toASN1Object()
Returns an ASN1Object representing the value of this PolicyConstraints
extension object.
The returned ASN1Object is an ASN.1 Sequence specifying any inhibitPolicyMapping and/or requireExplicitPolicy values for prohibiting policy mapping and/or requiring acceptable policy identifiers for subsequent certificates.
PolicyConstraints ::= SEQUENCE {
requireExplicitPolicy [0] SkipCerts OPTIONAL,
inhibitPolicyMapping [1] SkipCerts OPTIONAL }
The ASN1Object created by this method may be used as parameter for the
init method.
Returns:
the PolicyConstraints as ASN1Object

public void init(ASN1Object obj)
throws X509ExtensionException
Inits this PolicyConstraints implementation with an ASN1Object
representing the value of this extension.
The given ASN1Object represents a sequence of inhibitPolicyMapping and/or requireExplicitPolicy values for prohibiting policy mapping and/or requiring acceptable policy identifiers for subsequent certificates.
The given ASN1Object is the one created by toASN1Object().
This method is used by the X509Extensions class when parsing the ASN.1 representation
of a certificate for properly initializing an included
PolicyConstraints extension. This method initializes the
extension only with its value, but not with its critical
specification. For that reason, this method shall not be
explicitly called by an application.
Parameters:
obj - the PolicyConstraints as ASN1Object

public int hashCode()
Returns a hashcode for this identity.

public ObjectID getObjectID()
Returns the object ID of this PolicyConstraints extension.

public void setRequireExplicitPolicy(int requireExplicitPolicy)
Sets the requireExplicitPolicy value of this
PolicyConstraints extension for specifying the
number of additional certificates that may appear in the path
before an explicit policy is required.
Parameters:
requireExplicitPolicy - the number of additional certificates
that may appear in the path before an
explicit policy is required
See Also:
getRequireExplicitPolicy()

public void setInhibitExplicitPolicy(int inhibitPolicyMapping)
Sets the inhibitPolicyMapping value of this
PolicyConstraints extension for specifying the
number of additional certificates that may appear in the path
before policy mapping is no longer permitted.
Parameters:
inhibitPolicyMapping - the number of additional certificates
that may appear in the path before policy
mapping is no longer permitted
See Also:
getInhibitExplicitPolicy()

public int getRequireExplicitPolicy()
Returns the requireExplicitPolicy value of this
PolicyConstraints extension specifying the
number of additional certificates that may appear in the path
before an explicit policy is required.
Returns:
the requireExplicitPolicy value specifying the
number of additional certificates that may appear in the path
before an explicit policy is required, or -1 if the
requireExplicitPolicy value has not yet been set
See Also:
setRequireExplicitPolicy(int)

public int getInhibitExplicitPolicy()
Returns the inhibitPolicyMapping value of this
PolicyConstraints extension specifying the
number of additional certificates that may appear in the path
before policy mapping is no longer permitted.
Returns:
the inhibitPolicyMapping value specifying the
number of additional certificates that may appear in the
path before policy mapping is no longer permitted, or -1
if the inhibitPolicyMapping value has not yet
been set
See Also:
setInhibitExplicitPolicy(int)

public java.lang.String toString()
Returns a string that represents the contents of this PolicyConstraints extension.