be.cardon.asn1.x509.extensions
Class CertificatePolicies

java.lang.Object
  org.bouncycastle.asn1.ASN1Encodable
      be.cardon.asn1.x509.extensions.CertificatePolicies

All Implemented Interfaces:

org.bouncycastle.asn1.DEREncodable

public class CertificatePolicies
extends org.bouncycastle.asn1.ASN1Encodable

Extension CertificatePolicies.

Documentation from RFC 3280:

The certificate policies extension contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers. Optional qualifiers, which MAY be present, are not expected to change the definition of the policy.

In an end entity certificate, these policy information terms indicate the policy under which the certificate has been issued and the purposes for which the certificate may be used. In a CA certificate, these policy information terms limit the set of policies for certification paths which include this certificate. When a CA does not wish to limit the set of policies for certification paths which include this certificate, it MAY assert the special policy anyPolicy, with a value of { 2 5 29 32 0 }.

Applications with specific policy requirements are expected to have a list of those policies which they will accept and to compare the policy OIDs in the certificate to that list. If this extension is critical, the path validation software MUST be able to interpret this extension (including the optional qualifier), or MUST reject the certificate.

To promote interoperability, this profile RECOMMENDS that policy information terms consist of only an OID. Where an OID alone is insufficient, this profile strongly recommends that use of qualifiers be limited to those identified in this section. When qualifiers are used with the special policy anyPolicy, they MUST be limited to the qualifiers identified in this section.

This specification defines two policy qualifier types for use by certificate policy writers and certificate issuers. The qualifier types are the CPS Pointer and User Notice qualifiers.

• The CPS Pointer qualifier contains a pointer to a Certification Practice Statement (CPS) published by the CA. The pointer is in the form of a URI. Processing requirements for this qualifier are a local matter. No action is mandated by this specification regardless of the criticality value asserted for the extension.
• User notice is intended for display to a relying party when a certificate is used. The application software SHOULD display all user notices in all certificates of the certification path used, except that if a notice is duplicated only one copy need be displayed. To prevent such duplication, this qualifier SHOULD only be present in end entity certificates and CA certificates issued to other organizations.

The user notice has two optional fields: the noticeRef field and the explicitText field.

• The noticeRef field, if used, names an organization and identifies, by number, a particular textual statement prepared by that organization. For example, it might identify the organization "CertsRUs" and notice number 1. In a typical implementation, the application software will have a notice file containing the current set of notices for CertsRUs; the application will extract the notice text from the file and display it. Messages MAY be multilingual, allowing the software to select the particular language message for its own environment.
• An explicitText field includes the textual statement directly in the certificate. The explicitText field is a string with a maximum size of 200 characters.

If both the noticeRef and explicitText options are included in the one qualifier and if the application software can locate the notice text indicated by the noticeRef option, then that text SHOULD be displayed; otherwise, the explicitText string SHOULD be displayed.

Note: While the explicitText has a maximum size of 200 characters, some non-conforming CAs exceed this limit. Therefore, certificate users SHOULD gracefully handle explicitText with more than 200 characters.

ASN.1 definitions:

   id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }

   anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificate-policies 0 }

   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

   PolicyInformation ::= SEQUENCE {
        policyIdentifier   CertPolicyId,
        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
                                PolicyQualifierInfo OPTIONAL }

   CertPolicyId ::= OBJECT IDENTIFIER

   PolicyQualifierInfo ::= SEQUENCE {
        policyQualifierId  PolicyQualifierId,
        qualifier          ANY DEFINED BY policyQualifierId }

   -- policyQualifierIds for Internet policy qualifiers

   id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
   id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
   id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }

   PolicyQualifierId ::=
        OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )

   Qualifier ::= CHOICE {
        cPSuri           CPSuri,
        userNotice       UserNotice }

   CPSuri ::= IA5String

   UserNotice ::= SEQUENCE {
        noticeRef        NoticeReference OPTIONAL,
        explicitText     DisplayText OPTIONAL}

   NoticeReference ::= SEQUENCE {
        organization     DisplayText,
        noticeNumbers    SEQUENCE OF INTEGER }

   DisplayText ::= CHOICE {
        ia5String        IA5String      (SIZE (1..200)),
        visibleString    VisibleString  (SIZE (1..200)),
        bmpString        BMPString      (SIZE (1..200)),
        utf8String       UTF8String     (SIZE (1..200)) }
   

Field Summary

static org.bouncycastle.asn1.DERObjectIdentifier

anyPolicy

Fields inherited from class org.bouncycastle.asn1.ASN1Encodable

BER, DER

Constructor Summary

CertificatePolicies(org.bouncycastle.asn1.ASN1Sequence seq)
Returns a new instance from an ASN1Sequence object.

CertificatePolicies(org.bouncycastle.asn1.DERObjectIdentifier p)
Creates a certificate policy with the given OID.

CertificatePolicies(java.lang.String p)
Creates a certificate policy with the policy given by the OID represented by the string p.

Method Summary

static CertificatePolicies	getInstance(java.lang.Object obj) Returns a new instance from an ASN1Sequence or a CertificatePolicies object.
java.util.Vector<PolicyInformation>	getPolicyInformations() Returns a vector with PolicyInformation.
void	setPolicyInformations(java.util.Vector<PolicyInformation> policies) Sets the PolicyInformation vector.
org.bouncycastle.asn1.DERObject	toASN1Object()
java.lang.String	toString() Returns a description of the value.

Methods inherited from class org.bouncycastle.asn1.ASN1Encodable

equals, getDEREncoded, getDERObject, getEncoded, getEncoded, hashCode

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

anyPolicy

public static final org.bouncycastle.asn1.DERObjectIdentifier anyPolicy

Constructor Detail

CertificatePolicies

public CertificatePolicies(org.bouncycastle.asn1.ASN1Sequence seq)

Returns a new instance from an ASN1Sequence object.

CertificatePolicies

public CertificatePolicies(org.bouncycastle.asn1.DERObjectIdentifier p)

Creates a certificate policy with the given OID.

CertificatePolicies

public CertificatePolicies(java.lang.String p)

Creates a certificate policy with the policy given by the OID represented by the string p.

Method Detail

getInstance

public static CertificatePolicies getInstance(java.lang.Object obj)

Returns a new instance from an ASN1Sequence or a CertificatePolicies object.

getPolicyInformations

public java.util.Vector<PolicyInformation> getPolicyInformations()

Returns a vector with PolicyInformation.

setPolicyInformations

public void setPolicyInformations(java.util.Vector<PolicyInformation> policies)

Sets the PolicyInformation vector.

toASN1Object

public org.bouncycastle.asn1.DERObject toASN1Object()

Specified by:

toASN1Object in class org.bouncycastle.asn1.ASN1Encodable

toString

public java.lang.String toString()

Returns a description of the value.

Overrides:

toString in class java.lang.Object