be.cardon.asn1.x509.extensions
Class KeyUsage

java.lang.Object
  org.bouncycastle.asn1.ASN1Encodable
      org.bouncycastle.asn1.DERObject
          org.bouncycastle.asn1.DERBitString
              be.cardon.asn1.x509.extensions.KeyUsage

All Implemented Interfaces:

org.bouncycastle.asn1.DEREncodable, org.bouncycastle.asn1.DERString, org.bouncycastle.asn1.DERTags

public class KeyUsage
extends org.bouncycastle.asn1.DERBitString

Extension KeyUsage.

Documentation from RFC 3280:

The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when an RSA key should be used only to verify signatures on objects other than public key certificates and CRLs, the digitalSignature and/or nonRepudiation bits would be asserted. Likewise, when an RSA key should be used only for key management, the keyEncipherment bit would be asserted.

This extension MUST appear in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs. When this extension appears, it SHOULD be marked critical.

ASN.1 definitions:

      id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

      KeyUsage ::= BIT STRING {
           digitalSignature        (0),
           nonRepudiation          (1),
           keyEncipherment         (2),
           dataEncipherment        (3),
           keyAgreement            (4),
           keyCertSign             (5),
           cRLSign                 (6),
           encipherOnly            (7),
           decipherOnly            (8) }
   

Bits in the KeyUsage type are used as follows:

• The digitalSignature bit is asserted when the subject public key is used with a digital signature mechanism to support security services other than certificate signing (bit 5), or CRL signing (bit 6). Digital signature mechanisms are often used for entity authentication and data origin authentication with integrity.
• The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures used to provide a non- repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing. In the case of later conflict, a reliable third party may determine the authenticity of the signed data. Further distinctions between thedigitalSignature and nonRepudiation bits may be provided in specific certificate policies.
• The keyEncipherment bit is asserted when the subject public key is used for key transport. For example, when an RSA key is to be used for key management, then this bit is set.
• The dataEncipherment bit is asserted when the subject public key is used for enciphering user data, other than cryptographic keys.
• The keyAgreement bit is asserted when the subject public key is used for key agreement. For example, when a Diffie-Hellman key is to be used for key management, then this bit is set.
• The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (section 4.2.1.10) MUST also be asserted.
• The cRLSign bit is asserted when the subject public key is used for verifying a signature on certificate revocation list (e.g., a CRL, delta CRL, or an ARL). This bit MUST be asserted in certificates that are used to verify signatures on CRLs.
• The meaning of the encipherOnly bit is undefined in the absence of the keyAgreement bit. When the encipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for enciphering data while performing key agreement.
• The meaning of the decipherOnly bit is undefined in the absence of the keyAgreement bit. When the decipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for deciphering data while performing key agreement.

This profile does not restrict the combinations of bits that may be set in an instantiation of the keyUsage extension. However, appropriate values for keyUsage extensions for particular algorithms are specified in [PKIXALGS].

Field Summary

static int	cRLSign Usage cRLSign
static int	dataEncipherment Usage dataEncipherment
static int	decipherOnly Usage decipherOnly
static int	digitalSignature Usage digitalSignature
static int	encipherOnly Usage encipherOnly
static int	keyAgreement Usage keyAgreement
static int	keyCertSign Usage keyCertSign
static int	keyEncipherment Usage keyEncipherment
static int	nonRepudiation Usage nonRepudiation

Fields inherited from class org.bouncycastle.asn1.DERBitString

data, padBits

Fields inherited from class org.bouncycastle.asn1.ASN1Encodable

BER, DER

Fields inherited from interface org.bouncycastle.asn1.DERTags

APPLICATION, BIT_STRING, BMP_STRING, BOOLEAN, CONSTRUCTED, ENUMERATED, EXTERNAL, GENERAL_STRING, GENERALIZED_TIME, GRAPHIC_STRING, IA5_STRING, INTEGER, NULL, NUMERIC_STRING, OBJECT_IDENTIFIER, OCTET_STRING, PRINTABLE_STRING, SEQUENCE, SEQUENCE_OF, SET, SET_OF, T61_STRING, TAGGED, UNIVERSAL_STRING, UTC_TIME, UTF8_STRING, VIDEOTEX_STRING, VISIBLE_STRING

Constructor Summary

KeyUsage(org.bouncycastle.asn1.DERBitString usage)
Creates an new object from an existing ASN.1 DERBitString KeyUsage.

KeyUsage(int usage)
Creates an new object with the given usage(s).

Method Summary

int	getKeyUsage() Returns the keyUsage value.

Methods inherited from class org.bouncycastle.asn1.DERBitString

equals, getBytes, getBytes, getInstance, getInstance, getPadBits, getPadBits, getString, hashCode, intValue, toString

Methods inherited from class org.bouncycastle.asn1.DERObject

toASN1Object

Methods inherited from class org.bouncycastle.asn1.ASN1Encodable

getDEREncoded, getDERObject, getEncoded, getEncoded

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

digitalSignature

public static final int digitalSignature

Usage digitalSignature

See Also:

Constant Field Values

nonRepudiation

public static final int nonRepudiation

Usage nonRepudiation

See Also:

Constant Field Values

keyEncipherment

public static final int keyEncipherment

Usage keyEncipherment

See Also:

Constant Field Values

dataEncipherment

public static final int dataEncipherment

Usage dataEncipherment

See Also:

Constant Field Values

keyAgreement

public static final int keyAgreement

Usage keyAgreement

See Also:

Constant Field Values

keyCertSign

public static final int keyCertSign

Usage keyCertSign

See Also:

Constant Field Values

cRLSign

public static final int cRLSign

Usage cRLSign

See Also:

Constant Field Values

encipherOnly

public static final int encipherOnly

Usage encipherOnly

See Also:

Constant Field Values

decipherOnly

public static final int decipherOnly

Usage decipherOnly

See Also:

Constant Field Values

Constructor Detail

KeyUsage

public KeyUsage(int usage)

Creates an new object with the given usage(s).

Parameters:

usage - - the bitwise OR of the Key Usage flags giving the allowed uses for the key. e.g. (KeyUsage.keyEncipherment | KeyUsage.dataEncipherment)

KeyUsage

public KeyUsage(org.bouncycastle.asn1.DERBitString usage)

Creates an new object from an existing ASN.1 DERBitString KeyUsage.

Method Detail

getKeyUsage

public int getKeyUsage()

Returns the keyUsage value.