be.cardon.asn1.x509.extensions
Class AuthorityKeyIdentifier

java.lang.Object
  extended by org.bouncycastle.asn1.ASN1Encodable
      extended by be.cardon.asn1.x509.extensions.AuthorityKeyIdentifier
All Implemented Interfaces:
org.bouncycastle.asn1.DEREncodable

public class AuthorityKeyIdentifier
extends org.bouncycastle.asn1.ASN1Encodable

Extension AuthorityKeyIdentifier.

Documentation from RFC 3280:

The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or on the issuer name and serial number.

The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction. There is one exception; where a CA distributes its public key in the form of a "self-signed" certificate, the authority key identifier MAY be omitted. The signature on a self-signed certificate is generated with the private key associated with the certificate's subject public key. (This proves that the issuer possesses both the public and private keys.) In this case, the subject and authority key identifiers would be identical, but only the subject key identifier is needed for certification path building.

The value of the keyIdentifier field SHOULD be derived from the public key used to verify the certificate's signature or a method that generates unique values. Two common methods for generating key identifiers from the public key, and one common method for generating unique values, are described in section 4.2.1.2 in RFC 3280. Where a key identifier has not been previously established, this specification RECOMMENDS use of one of these methods for generating keyIdentifiers. Where a key identifier has been previously established, the CA SHOULD use the previously established identifier.

This profile RECOMMENDS support for the key identifier method by all certificate users.

This extension MUST NOT be marked critical.

The ASN.1 definitions are:

   id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }

   AuthorityKeyIdentifier ::= SEQUENCE {
      keyIdentifier             [0] KeyIdentifier           OPTIONAL,
      authorityCertIssuer       [1] GeneralNames            OPTIONAL,
      authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }

   KeyIdentifier ::= OCTET STRING
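The key-identifier derivation and the AuthorityKeyIdentifier structure described above, as an added example that is not part of the be.cardon library or of Bouncy Castle. It is written in dependency-free Python rather than Java so that it runs without the library: it derives keyIdentifier by method (1) of RFC 3280 section 4.2.1.2 (SHA-1 over the subjectPublicKey BIT STRING value), DER-encodes and decodes the SEQUENCE with its [0], [1], [2] IMPLICIT tags, and performs the path-construction check that a certificate's AKI keyIdentifier matches the identifier of its issuer's key. The RSA modulus, the issuer CN and the serial number are constructed sample values, not real data.

```python
"""Added example (not be.cardon or Bouncy Castle code): RFC 3280 AuthorityKeyIdentifier
mechanics in dependency-free Python. Derives keyIdentifier by method (1) of RFC 3280
section 4.2.1.2, encodes/decodes the AuthorityKeyIdentifier SEQUENCE, and checks that a
certificate's AKI keyIdentifier links to its issuer's key. The RSA key is a toy sample."""
import hashlib

def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_read_tlv(data: bytes, pos: int):
    """Return (tag, content, position after this TLV) for the TLV at data[pos]."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, data[start:start + length], start + length

def der_int_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value (minimal, sign bit clear)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")

def rsa_spki(modulus: int, exponent: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: AlgorithmIdentifier + BIT STRING(RSAPublicKey)."""
    alg_id = der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    rsa_key = der_tlv(0x30, der_tlv(0x02, der_int_content(modulus)) + der_tlv(0x02, der_int_content(exponent)))
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))  # leading 0x00: no unused bits

def key_identifier_from_spki(spki_der: bytes) -> bytes:
    """RFC 3280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING value,
    excluding its tag, length and unused-bits octet."""
    _, spki, _ = der_read_tlv(spki_der, 0)    # outer SEQUENCE
    _, _, pos = der_read_tlv(spki, 0)         # skip AlgorithmIdentifier
    tag, bits, _ = der_read_tlv(spki, pos)    # subjectPublicKey
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return hashlib.sha1(bits[1:]).digest()

KEY_ID_TAG = 0x80   # [0] IMPLICIT KeyIdentifier (primitive OCTET STRING)
ISSUER_TAG = 0xA1   # [1] IMPLICIT GeneralNames (constructed SEQUENCE)
SERIAL_TAG = 0x82   # [2] IMPLICIT CertificateSerialNumber (primitive INTEGER)

def cn_general_names(cn: str) -> bytes:
    """GeneralNames with one directoryName [4] EXPLICIT Name carrying a single CN attribute."""
    atv = der_tlv(0x30, bytes.fromhex("0603550403") + der_tlv(0x0C, cn.encode()))  # id-at-commonName
    name = der_tlv(0x30, der_tlv(0x31, atv))  # Name = SEQUENCE OF (SET OF AttributeTypeAndValue)
    return der_tlv(0x30, der_tlv(0xA4, name))

def encode_aki(key_id=None, general_names_der=None, serial=None) -> bytes:
    """DER-encode AuthorityKeyIdentifier; every field is OPTIONAL."""
    parts = b""
    if key_id is not None:
        parts += der_tlv(KEY_ID_TAG, key_id)
    if general_names_der is not None:       # IMPLICIT tag replaces the GeneralNames SEQUENCE tag
        parts += der_tlv(ISSUER_TAG, der_read_tlv(general_names_der, 0)[1])
    if serial is not None:
        parts += der_tlv(SERIAL_TAG, der_int_content(serial))
    return der_tlv(0x30, parts)

def decode_aki(aki_der: bytes) -> dict:
    """Parse AuthorityKeyIdentifier into its three optional fields (None when absent)."""
    tag, body, _ = der_read_tlv(aki_der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    out = {"keyIdentifier": None, "authorityCertIssuer": None, "authorityCertSerialNumber": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = der_read_tlv(body, pos)
        if tag == KEY_ID_TAG:
            out["keyIdentifier"] = content
        elif tag == ISSUER_TAG:
            out["authorityCertIssuer"] = der_tlv(0x30, content)  # restore the GeneralNames SEQUENCE tag
        elif tag == SERIAL_TAG:
            out["authorityCertSerialNumber"] = int.from_bytes(content, "big", signed=True)
        else:
            raise ValueError("unexpected tag 0x%02x in AuthorityKeyIdentifier" % tag)
    return out

def aki_matches_issuer(cert_aki_der: bytes, issuer_spki_der: bytes) -> bool:
    """Path-building link: AKI keyIdentifier equals the identifier derived from the issuer's key."""
    key_id = decode_aki(cert_aki_der)["keyIdentifier"]
    return key_id is not None and key_id == key_identifier_from_spki(issuer_spki_der)

# Constructed sample: a toy modulus keeps the bytes short; real RSA moduli are 2048+ bits.
ISSUER_SPKI = rsa_spki(modulus=0xC0FFEE0123456789ABCDEF, exponent=65537)
SAMPLE_AKI = encode_aki(key_id=key_identifier_from_spki(ISSUER_SPKI),
                        general_names_der=cn_general_names("Example Issuing CA"), serial=0x1F)

if __name__ == "__main__":
    print("AKI DER:", SAMPLE_AKI.hex())
    print("links to issuer key:", aki_matches_issuer(SAMPLE_AKI, ISSUER_SPKI))
```

The same SHA-1 step is what the SubjectPublicKeyInfo constructor below performs; the decoder mirrors getKeyIdentifier(), getAuthorityCertIssuer() and getAuthorityCertSerialNumber() returning null for absent fields. Note that GeneralName's directoryName is EXPLICITLY tagged because Name is a CHOICE, while the three AKI fields are IMPLICIT, so their outer tag replaces the universal one.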
   


Field Summary
 
Fields inherited from class org.bouncycastle.asn1.ASN1Encodable
BER, DER
 
Constructor Summary
AuthorityKeyIdentifier(org.bouncycastle.asn1.ASN1Sequence seq)
          Decodes an existing AuthorityKeyIdentifier ASN.1 object.
AuthorityKeyIdentifier(byte[] keyIdentifier, GeneralNames authorityCertIssuer, java.math.BigInteger authorityCertSerialNumber)
          Creates an AuthorityKeyIdentifier with a precomputed key identifier, the authorityCertIssuer and the serial number provided as well.
AuthorityKeyIdentifier(GeneralNames authorityCertIssuer, java.math.BigInteger authorityCertSerialNumber)
          Creates an AuthorityKeyIdentifier with the authorityCertIssuer and the authorityCertSerialNumber provided.
AuthorityKeyIdentifier(SubjectPublicKeyInfo spki)
          Calculates the keyIdentifier field using a SHA-1 hash over the BIT STRING from SubjectPublicKeyInfo as defined in RFC 3280.
AuthorityKeyIdentifier(SubjectPublicKeyInfo subjectPublicKeyInfo, GeneralNames authorityCertIssuer, java.math.BigInteger authorityCertSerialNumber)
          Creates an AuthorityKeyIdentifier with the subjectPublicKeyInfo, the authorityCertIssuer and the authorityCertSerialNumber provided as well.
 
Method Summary
 GeneralNames getAuthorityCertIssuer()
          Returns the authorityCertIssuer element or null if absent.
 java.math.BigInteger getAuthorityCertSerialNumber()
          Returns the authorityCertSerialNumber element or null if absent.
static AuthorityKeyIdentifier getInstance(org.bouncycastle.asn1.ASN1TaggedObject obj, boolean explicit)
          Creates a new object from an existing ASN.1 tagged object.
static AuthorityKeyIdentifier getInstance(java.lang.Object obj)
          Creates a new object from an existing ASN1Sequence or AuthorityKeyIdentifier object.
 byte[] getKeyIdentifier()
          Returns the keyIdentifier element or null if absent.
 org.bouncycastle.asn1.DERObject toASN1Object()
          
 
Methods inherited from class org.bouncycastle.asn1.ASN1Encodable
equals, getDEREncoded, getDERObject, getEncoded, getEncoded, hashCode
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AuthorityKeyIdentifier

public AuthorityKeyIdentifier(org.bouncycastle.asn1.ASN1Sequence seq)
Decodes an existing AuthorityKeyIdentifier ASN.1 object.

Parameters:
seq - ASN.1 SEQUENCE holding the AuthorityKeyIdentifier.

AuthorityKeyIdentifier

public AuthorityKeyIdentifier(SubjectPublicKeyInfo spki)
                       throws java.security.NoSuchAlgorithmException
Calculates the keyIdentifier field using a SHA-1 hash over the BIT STRING from SubjectPublicKeyInfo as defined in RFC 3280. Example of making an AuthorityKeyIdentifier:
   // imports: org.bouncycastle.asn1.ASN1InputStream, org.bouncycastle.asn1.ASN1Sequence
   // publicKey is the issuing CA's java.security.PublicKey; getEncoded() yields its DER SubjectPublicKeyInfo
   SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence) new ASN1InputStream(
       publicKey.getEncoded()).readObject());
   AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki);   // keyIdentifier = SHA-1 of the key's BIT STRING value
 

Parameters:
spki - The SubjectPublicKeyInfo used to calculate the hash.
Throws:
java.security.NoSuchAlgorithmException - if no SHA-1 MessageDigest service is found.

AuthorityKeyIdentifier

public AuthorityKeyIdentifier(SubjectPublicKeyInfo subjectPublicKeyInfo,
                              GeneralNames authorityCertIssuer,
                              java.math.BigInteger authorityCertSerialNumber)
                       throws java.security.NoSuchAlgorithmException
Creates an AuthorityKeyIdentifier with the subjectPublicKeyInfo, the authorityCertIssuer and the authorityCertSerialNumber provided as well.

Throws:
java.security.NoSuchAlgorithmException - if no SHA-1 MessageDigest service is found.

AuthorityKeyIdentifier

public AuthorityKeyIdentifier(GeneralNames authorityCertIssuer,
                              java.math.BigInteger authorityCertSerialNumber)
Creates an AuthorityKeyIdentifier with the authorityCertIssuer and the authorityCertSerialNumber provided.


AuthorityKeyIdentifier

public AuthorityKeyIdentifier(byte[] keyIdentifier,
                              GeneralNames authorityCertIssuer,
                              java.math.BigInteger authorityCertSerialNumber)
Creates an AuthorityKeyIdentifier with a precomputed key identifier, the authorityCertIssuer and the serial number provided as well.

Method Detail

getInstance

public static AuthorityKeyIdentifier getInstance(org.bouncycastle.asn1.ASN1TaggedObject obj,
                                                 boolean explicit)
Creates a new object from an existing ASN.1 tagged object.


getInstance

public static AuthorityKeyIdentifier getInstance(java.lang.Object obj)
Creates a new object from an existing ASN1Sequence or AuthorityKeyIdentifier object.

Throws:
java.lang.IllegalArgumentException - if the object is invalid.

getKeyIdentifier

public byte[] getKeyIdentifier()
Returns the keyIdentifier element or null if absent.


getAuthorityCertIssuer

public GeneralNames getAuthorityCertIssuer()
Returns the authorityCertIssuer element or null if absent.


getAuthorityCertSerialNumber

public java.math.BigInteger getAuthorityCertSerialNumber()
Returns the authorityCertSerialNumber element or null if absent.


toASN1Object

public org.bouncycastle.asn1.DERObject toASN1Object()

Specified by:
toASN1Object in class org.bouncycastle.asn1.ASN1Encodable