be.cardon.asn1.x509.extensions
Class SubjectKeyIdentifier

java.lang.Object
  extended by org.bouncycastle.asn1.ASN1Encodable
      extended by be.cardon.asn1.x509.extensions.SubjectKeyIdentifier
All Implemented Interfaces:
org.bouncycastle.asn1.DEREncodable

public class SubjectKeyIdentifier
extends org.bouncycastle.asn1.ASN1Encodable

Extension SubjectKeyIdentifier.

Documentation from RFC 3280:

The subject key identifier extension provides a means of identifying certificates that contain a particular public key.

To facilitate certification path construction, this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (section 4.2.1.10) where the value of cA is TRUE. The value of the subject key identifier MUST be the value placed in the key identifier field of the Authority Key Identifier extension (section 4.2.1.1) of certificates issued by the subject of this certificate.

For CA certificates, subject key identifiers SHOULD be derived from the public key or a method that generates unique values. Two common methods for generating key identifiers from the public key are:

One common method for generating unique values is a monotonically increasing sequence of integers.

For end entity certificates, the subject key identifier extension provides a means for identifying certificates containing the particular public key used in an application. Where an end entity has obtained multiple certificates, especially from multiple CAs, the subject key identifier provides a means to quickly identify the set of certificates containing a particular public key. To assist applications in identifying the appropriate end entity certificate, this extension SHOULD be included in all end entity certificates.

For end entity certificates, subject key identifiers SHOULD be derived from the public key. Two common methods for generating key identifiers from the public key are identified above.

Where a key identifier has not been previously established, this specification RECOMMENDS use of one of these methods for generating keyIdentifiers. Where a key identifier has been previously established, the CA SHOULD use the previously established identifier.

This extension MUST NOT be marked critical.

The ASN.1 definitions are:

   id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }

   SubjectKeyIdentifier ::= KeyIdentifier

   KeyIdentifier ::= OCTET STRING
   

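A worked example of the key-identifier derivation described above (the computation the SubjectKeyIdentifier(SubjectPublicKeyInfo) constructor performs). This is added illustration code, not part of the be.cardon library or of BouncyCastle. It parses a DER-encoded SubjectPublicKeyInfo with a minimal TLV reader, extracts the subjectPublicKey BIT STRING contents (without tag, length and the unused-bits octet, which is what RFC 3280 method (1) hashes), derives the 160-bit SHA-1 identifier and also the RFC 3280 method (2) form (type field 0100 followed by the low 60 bits of the hash), wraps the result as the OCTET STRING extnValue, and shows the AKI-to-SKI comparison used in path construction. All function names are this example's own. The sample SubjectPublicKeyInfo is constructed: the AlgorithmIdentifier is rsaEncryption, but the key bits are the stand-in string "abc" so the result can be checked against the published SHA-1 test vector; a real key would carry a DER RSAPublicKey there instead.

```python
import hashlib

# id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }, i.e. 2.5.29.14, DER-encoded
ID_CE_SUBJECT_KEY_IDENTIFIER = bytes.fromhex("0603551d0e")

# Constructed sample SubjectPublicKeyInfo (not a real key):
#   SEQUENCE {
#     SEQUENCE { OID rsaEncryption (1.2.840.113549.1.1.1), NULL }
#     BIT STRING { 0 unused bits, 61 62 63 ("abc" stands in for the key bits) }
#   }
SAMPLE_SPKI = bytes.fromhex(
    "3015"
    "300d" "06092a864886f70d010101" "0500"
    "0304" "00" "616263"
)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: low 7 bits give the octet count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def subject_public_key_bits(spki_der: bytes) -> bytes:
    """Return subjectPublicKey without the BIT STRING tag, length and unused-bits octet."""
    tag, seq, end = _read_tlv(spki_der, 0)
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("SubjectPublicKeyInfo must be a single SEQUENCE")
    tag, _alg, pos = _read_tlv(seq, 0)      # AlgorithmIdentifier, not part of the hash input
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, bit_string, pos = _read_tlv(seq, pos)
    if tag != 0x03 or pos != len(seq) or not bit_string:
        raise ValueError("expected subjectPublicKey BIT STRING as the last element")
    if bit_string[0] != 0:                  # public keys are octet-aligned; reject anything else
        raise ValueError("subjectPublicKey should have 0 unused bits")
    return bit_string[1:]


def subject_key_identifier(spki_der: bytes) -> bytes:
    """RFC 3280 method (1): 160-bit SHA-1 over the subjectPublicKey bits."""
    return hashlib.sha1(subject_public_key_bits(spki_der)).digest()


def truncated_key_identifier(spki_der: bytes) -> bytes:
    """RFC 3280 method (2): 4-bit type field 0100 followed by the low 60 bits of the SHA-1 hash."""
    h = hashlib.sha1(subject_public_key_bits(spki_der)).digest()
    return bytes([0x40 | (h[12] & 0x0F)]) + h[13:]


def encode_extension_value(key_id: bytes) -> bytes:
    """SubjectKeyIdentifier ::= KeyIdentifier ::= OCTET STRING (the extnValue contents)."""
    if len(key_id) > 127:
        raise ValueError("key identifier too long for a short-form DER length")
    return bytes([0x04, len(key_id)]) + key_id


def aki_matches_ski(authority_key_id: bytes, issuer_ski: bytes) -> bool:
    """Path-construction check: the AKI keyIdentifier must equal the issuer's SKI as stored.
    Compare the stored bytes rather than recomputing from the issuer's key, because a CA may
    have used a previously established identifier instead of a fresh hash."""
    return authority_key_id == issuer_ski


if __name__ == "__main__":
    ski = subject_key_identifier(SAMPLE_SPKI)
    print("SHA-1 SKI     :", ski.hex())
    print("truncated SKI :", truncated_key_identifier(SAMPLE_SPKI).hex())
    print("extnValue     :", encode_extension_value(ski).hex())
    print("AKI match     :", aki_matches_ski(ski, ski))
```

The strict checks in subject_public_key_bits (single outer SEQUENCE, BIT STRING as the last element, zero unused bits) reject malformed or trailing-data inputs rather than hashing whatever bytes happen to follow, which matters when the identifier is later used to select an issuer certificate.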
See Also:
AuthorityKeyIdentifier

Field Summary
 
Fields inherited from class org.bouncycastle.asn1.ASN1Encodable
BER, DER
 
Constructor Summary
SubjectKeyIdentifier(org.bouncycastle.asn1.ASN1OctetString keyid)
          Creates a new object with the given KeyIdentifier.
SubjectKeyIdentifier(byte[] keyid)
          Creates a new object with the given KeyIdentifier.
SubjectKeyIdentifier(SubjectPublicKeyInfo spki)
          Calculates the KeyIdentifier using a SHA-1 hash over the BIT STRING from SubjectPublicKeyInfo as defined in RFC 3280.
 
Method Summary
static SubjectKeyIdentifier getInstance(org.bouncycastle.asn1.ASN1TaggedObject obj, boolean explicit)
          Creates a new object from an existing ASN.1 tagged object.
static SubjectKeyIdentifier getInstance(java.lang.Object obj)
          Creates a new object from an existing ASN1OctetString or SubjectKeyIdentifier object.
 byte[] getKeyIdentifier()
          Returns the KeyIdentifier.
 org.bouncycastle.asn1.DERObject toASN1Object()
           
 
Methods inherited from class org.bouncycastle.asn1.ASN1Encodable
equals, getDEREncoded, getDERObject, getEncoded, getEncoded, hashCode
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SubjectKeyIdentifier

public SubjectKeyIdentifier(org.bouncycastle.asn1.ASN1OctetString keyid)
Creates a new object with the given KeyIdentifier.


SubjectKeyIdentifier

public SubjectKeyIdentifier(byte[] keyid)
Creates a new object with the given KeyIdentifier.


SubjectKeyIdentifier

public SubjectKeyIdentifier(SubjectPublicKeyInfo spki)
                     throws java.security.NoSuchAlgorithmException
Calculates the KeyIdentifier using a SHA-1 hash over the BIT STRING from SubjectPublicKeyInfo as defined in RFC 3280.

Throws:
java.security.NoSuchAlgorithmException - if no SHA-1 MessageDigest service is found.
Method Detail

getInstance

public static SubjectKeyIdentifier getInstance(org.bouncycastle.asn1.ASN1TaggedObject obj,
                                               boolean explicit)
Creates a new object from an existing ASN.1 tagged object.


getInstance

public static SubjectKeyIdentifier getInstance(java.lang.Object obj)
Creates a new object from an existing ASN1OctetString or SubjectKeyIdentifier object.

Throws:
java.lang.IllegalArgumentException - if the object is invalid, or null.

getKeyIdentifier

public byte[] getKeyIdentifier()
Returns the KeyIdentifier.


toASN1Object

public org.bouncycastle.asn1.DERObject toASN1Object()
Specified by:
toASN1Object in class org.bouncycastle.asn1.ASN1Encodable