com.rsa.certj.cert

Class Certificate

java.lang.Object
  |
  +--com.rsa.certj.cert.Certificate

All Implemented Interfaces:

Cloneable, Serializable

Direct Known Subclasses:

X509Certificate

public abstract class Certificate

extends Object

implements Cloneable, Serializable

This class builds and holds certificates. It is the base class for certificates. There are many kinds of certificates, the most popular is X.509. This class is general; subclasses implement the details. Because this general certificate class does not perform any of the activities of a specified certificate (a certificate defined by some standard), it is an abstract class.

Copyright © RSA Security Inc., 1998-2001. All rights reserved.

See Also

Serialized Form

Field Summary

static int	DSA_WITH_SHA1_X930 Use this flag in setSignatureStandard if the signing transformation is SHA1/DSA and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the X9.30 standard.
static int	DSA_WITH_SHA1_X957 Use this flag in setSignatureStandard if the signing transformation is SHA1/DSA and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the X9.57 standard.
static int	RSA_WITH_SHA1_ISO_OIW Use this flag in setSignatureStandard if the signing transformation is SHA1/RSA/PKCS1Block01Pad and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the ISO OIW.
static int	RSA_WITH_SHA1_PKCS Use this flag in setSignatureStandard if the signing transformation is SHA1/RSA/PKCS1Block01Pad and if the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the PKCS.

Constructor Summary

Certificate()

Method Summary

CertJ	getCertJ() This is a method to get the CertJ context dynamically.
String	getDevice() Gets the name of the device that performed the signing or verification.
String[]	getDeviceList() Gets a list of names of devices that performed the individual elements of the signature or verification operation, such as digest, signature algorithm, and padding scheme.
abstract byte[]	getSignature() Gets the actual signature octets.
String	getSignatureAlgorithm() Gets the signature algorithm.
byte[]	getSignatureAlgorithmDER() Gets the DER encoding of the signature algorithm.
String	getSignatureFormat(String transformation) Gets the String that should be used when calling the JSAFE_Signature method getDERAlgorithmID.
int	getSignatureStandard() Gets the signature standard of this object and returns one of the previously defined fields in this class.
com.rsa.jsafe.JSAFE_PublicKey	getSubjectPublicKey(String device) Gets the public key from the certificate request specified in device.
byte[]	getSubjectPublicKeyBER() Gets the public key BER from the certificate.
byte[]	getUniqueID() Gets a unique identifier for this certificate.
void	setCertJ(CertJ certJContext) This is a method to set the CertJ context dynamically.
void	setSignatureStandard(int standardFlag) Sets this object to the specified standard.
void	setSubjectPublicKey(byte[] publicKeyBER, int offset) Sets the public key in this certificate request to be the public key represented by the BER encoding publicKeyBER.
void	setSubjectPublicKey(com.rsa.jsafe.JSAFE_PublicKey publicKey) Sets the public key in this certificate to be public key.
void	signCertificate(byte[] signatureAlgorithmBER, int offset, String device, com.rsa.jsafe.JSAFE_PrivateKey signingKey, SecureRandom random) Signs the certificate using the algorithm represented by the algorithm identifier signatureAlgorithmBER, and signingKey on the specified device.
abstract void	signCertificate(String transformation, String device, com.rsa.jsafe.JSAFE_PrivateKey signingKey, SecureRandom random) Signs the certificate using transformation and signingKey, on the specified device.
boolean	verifyCertificateSignature(String device, byte[] verifyingKeyBER, int offset, SecureRandom random) Verifies the signature of the certificate using the public key represented by verifyingKeyBER, the BER encoding of a public key, on the specified device.
boolean	verifyCertificateSignature(String device, Certificate signerCert, SecureRandom random) Verifies the signature of the certificate using the public key found in signerCert on the specified device.
abstract boolean	verifyCertificateSignature(String device, com.rsa.jsafe.JSAFE_PublicKey verifyingKey, SecureRandom random) Verifies the signature of the certificate, using verifyingKey on the specified device.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

RSA_WITH_SHA1_PKCS

public static final int RSA_WITH_SHA1_PKCS

Use this flag in setSignatureStandard if the signing transformation is SHA1/RSA/PKCS1Block01Pad and if the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the PKCS. This is the default. If setSignatureStandard is not called and the transformation is SHA1/RSA/PKCS1Block01Pad, the signature algorithm's BER follows the PKCS. Use this only when the digest algorithm is SHA1. For all other RSA signatures, do not set the signature standard.

RSA_WITH_SHA1_ISO_OIW

public static final int RSA_WITH_SHA1_ISO_OIW

Use this flag in setSignatureStandard if the signing transformation is SHA1/RSA/PKCS1Block01Pad and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the ISO OIW. This is NOT the default. If setSignatureStandard is not called and the transformation is SHA1/RSA/PKCS1Block01Pad, the signature algorithm's BER follows the PKCS. Use this only when the digest algorithm is SHA1. For all other RSA signatures, do not set the signature standard.

DSA_WITH_SHA1_X930

public static final int DSA_WITH_SHA1_X930

Use this flag in setSignatureStandard if the signing transformation is SHA1/DSA and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the X9.30 standard. This is the default. If setSignatureStandard is not called and the transformation is SHA1/DSA, the signature algorithm's BER will follow X9.30.

DSA_WITH_SHA1_X957

public static final int DSA_WITH_SHA1_X957

Use this flag in setSignatureStandard if the signing transformation is SHA1/DSA and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the X9.57 standard. This is NOT the default. If setSignatureStandard is not called and the transformation is SHA1/DSA, the signature algorithm's BER should follow X9.30.

Constructor Detail

Certificate

public Certificate()

Method Detail

setCertJ

public final void setCertJ(CertJ certJContext)

This is a method to set the CertJ context dynamically. Applications either call this method or instantiate X509Certificate object with CertJ context specified to initialize CertJ context. The value is checked when it is used.

Parameters

certJContex

CertJ

getCertJ

public final CertJ getCertJ()

This is a method to get the CertJ context dynamically. The toolkit does not use it for the time being.

Returns

CertJ context

getSignatureAlgorithm

public String getSignatureAlgorithm()
                             throws CertificateException

Gets the signature algorithm. The return value is a String, following the format specified in the Crypto-J class JSAFE_Signature.

The following are examples of returned signature algorithms:

   "MD5/RSA/PKCS1Block01Pad"
   "SHA1/DSA"

Returns

A String specifying the signature algorithm

Throws

CertificateException - If the certificate has not been set with a signature algorithm.

getSignatureAlgorithmDER

public byte[] getSignatureAlgorithmDER()
                                throws CertificateException

Gets the DER encoding of the signature algorithm.

Returns

A new byte array that contains the DER encoding of the signature algorithm.

Throws

CertificateException - If the certificate has not been set with a signature algorithm.

getSignature

public abstract byte[] getSignature()
                             throws CertificateException

Gets the actual signature octets.

Returns

A new byte array that contains the signature octets.

Throws

CertificateException - If the certificate has not been signed.

getDevice

public String getDevice()
                 throws CertificateException

Gets the name of the device that performed the signing or verification. The format of device follows the format specified in Crypto-J.

The following are examples of device arguments:

   Java          --Perform signature using Java code
   Native        --Perform signature using the native link
   Native/Java   --Use native if possible, if not, use Java

Returns

A String specifying the device chosen to perform the signing or verification.

Throws

CertificateException - If the object has not been set with a device.

getDeviceList

public String[] getDeviceList()
                       throws CertificateException

Gets a list of names of devices that performed the individual elements of the signature or verification operation, such as digest, signature algorithm, and padding scheme.

The format of device follows the format specified in Crypto-J.

The following are examples of device agruments:

   Java          --Perform signature using Java code
   Native        --Perform signature using the native link
   Native/Java   --Use native if possible, if not, use Java

Returns

A String array specifying the devices chosen to perform the signing or verification.

Throws

CertificateException - If the object has not been set with a device.

setSignatureStandard

public void setSignatureStandard(int standardFlag)

Sets this object to the specified standard. This will affect only the BER encoding of the signature algorithm ID. Use one of fields defined in the this class.

• For RSA signatures, the Public Key Cryptography Standards (PKCS) defined an OID for sha1WithRSAEncryption. Later, the ISO Open Systems Environment Implementors' Workshop (OIW) defined a new OID. This class is able to read either OID in an existing certificate. To create a certificate using the ISO OIW OID, call this method with the argument RSA_WITH_SHA1_ISO_OIW. If this method is not called or if it is called with the argument RSA_WITH_SHA1_PKCS when creating certificates, this class uses the OID defined in the PKCS.

• For DSA, the X9.30 standard defined the sha1WithDSA signature OID and the DSA key OID. Later, the X9.57 standard defined a new OID. It also redefined the ASN.1 definition of the DSA parameters (p, q, and g). This class can read either OID in an existing certificate. To create a certificate using the X9.57 OID, and to represent the public key in it with DSA parameters as defined in X9.57, call this method with the argument DSA_WITH_SHA1_X957. If this method is not called or if it is called with the argument DSA_WITH_SHA1_X930) when creating certificates, this class will use the OID defined in X9.30 and represent the public key as defined in X9.30.

Parameters

standardFlag

One of the fields previously defined in this class that indicates which standard to use.

getSignatureStandard

public int getSignatureStandard()

Gets the signature standard of this object and returns one of the previously defined fields in this class.

For RSA signatures, the Public Key Cryptography Standards (PKCS) defined an OID for sha1WithRSAEncryption. Later, the ISO Open Systems Environment Implementors' Workshop (OIW) defined a new OID.

For DSA, the X9.30 standard defined the sha1WithDSA signature OID and the DSA key OID. Later, the X9.57 standard defined a new OID. It also redefined the ASN.1 definition of the DSA parameters (p, q, and g). If a signature standard is not set, it will return -1.

Returns

The signature algorithm format that indicates which standard to use. It should be one of the fields previously defined in this class.

getSignatureFormat

public String getSignatureFormat(String transformation)

Gets the String that should be used when calling the JSAFE_Signature method getDERAlgorithmID. A return value of null means that the following default value will be used:

• For RSA, PKCS defined sha1WithRSAEncryption.
• For DSA, X.930 defined DSA_WITH_SHA1_X930.

Parameters

transformation

A String following the format specified in the Crypto-J class JSAFE_Signature. The following are examples of transformation arguments: "SHA1/RSA/PKCS1Block01Pad" "SHA1/DSA"

Returns

A String indicating the appropriate format.

setSubjectPublicKey

public void setSubjectPublicKey(com.rsa.jsafe.JSAFE_PublicKey publicKey)
                         throws CertificateException

Sets the public key in this certificate to be public key. If the algorithm of the public key requires system parameters, they must be in the key object for security reasons, as specified in PKIX. If the certificate object possesses a signature, calling this method deletes the signature.

Parameters

publicKey

A JSAFE_PublicKey object that contains the public key.

Throws

CertificateException - If the public key object is not valid.

setSubjectPublicKey

public void setSubjectPublicKey(byte[] publicKeyBER,
                                int offset)
                         throws CertificateException

Sets the public key in this certificate request to be the public key represented by the BER encoding publicKeyBER. The input should follow the ASN.1 definition SubjectPublicKeyInfo, as follows:

   SubjectPublicKeyInfo ::= SEQUENCE {
     algorithmID       AlgorithmIdentifier,
     subjectPublicKey  BIT STRING }

If the certificate request object has a signature, calling this method deletes the signature.

Parameters

	publicKeyBER		The BER encoding of a public key.
	offset		The offset into publicKeyBER where the encoding begins.

Throws

CertificateException - If the public key BER is not a valid public key.

getSubjectPublicKey

public com.rsa.jsafe.JSAFE_PublicKey getSubjectPublicKey(String device)
                                                  throws CertificateException

Gets the public key from the certificate request specified in device.

Parameters

device

A String that specifies the device or choice of devices to use in computing the signature.

Returns

A JSAFE_PublicKey object that contains the public key.

Throws

CertificateException - If the certificate has not been set with a public key.

getSubjectPublicKeyBER

public byte[] getSubjectPublicKeyBER()
                              throws CertificateException

Gets the public key BER from the certificate.

Returns

A byte array that contains the public key BER.

Throws

CertificateException - If the certificate has not been set with a public key.

getUniqueID

public byte[] getUniqueID()

Gets a unique identifier for this certificate. The ID is not required to be a standard ID. It is a way to identify a certificate uniquely by subtype. For example, an X509Certificate returns a byte array based on the serial number and issuer name. This implementation returns an MD5 hash of the subject's public key.

Returns

A byte array that contains the unique ID.

signCertificate

public abstract void signCertificate(String transformation,
                                     String device,
                                     com.rsa.jsafe.JSAFE_PrivateKey signingKey,
                                     SecureRandom random)
                              throws CertificateException

Signs the certificate using transformation and signingKey, on the specified device. The format of transformation follows the format specified in the Crypto-J class JSAFE_Signature. The following are examples of transformation arguments:

   "MD5/RSA/PKCS1Block01Pad"
   "SHA1/DSA"

The format of device follows the format specified in Crypto-J.

The following are examples of device arguments:

   Java          --Perform signature using Java code
   Native        --Perform signature using the native link
   Native/Java   --Use native if possible, if not, use Java

Parameters

	transformation		A String that specifies the algorithm to use to sign the certificate.
	device		A String that specifies the device or choice of devices to use in computing the signature.
	signingKey		A JSAFE_PrivateKey used to compute the signature.
	random		Random bytes. If the signature algorithm needs random bytes, get them from this object.

Throws

CertificateException - If the code cannot perform the specified transformation on the specified device, if the certificate is not set correctly, or if the certificate is already signed.

signCertificate

public void signCertificate(byte[] signatureAlgorithmBER,
                            int offset,
                            String device,
                            com.rsa.jsafe.JSAFE_PrivateKey signingKey,
                            SecureRandom random)
                     throws CertificateException

Signs the certificate using the algorithm represented by the algorithm identifier signatureAlgorithmBER, and signingKey on the specified device. If this algorithm needs system parameters, this method expects them to be contained in either the algorithm identifier or the key.

The format of device follows the format specified in Crypto-J.

The following are examples of device arguments:

   Java          --Perform signature using Java code
   Native        --Perform signature using the native link
   Native/Java   --Use native if possible, if not, use Java

Parameters

	signatureAlgorithmBER		The BER encoding of the AlgorithmIdentifier.
	offset		The offset into signatureAlgorithmBER where the encoding begins.
	device		A String that specifies the device or choice of devices to use in computing the signature.
	signingKey		A JSAFE_PrivateKey used to compute the signature.
	random		Random bytes. If the signature algorithm needs random bytes, get them from this object.

Throws

CertificateException - If the code cannot perform the specified transformation on the specified device, if the certificate is not set correctly, or if the certificate is already signed.

verifyCertificateSignature

public abstract boolean verifyCertificateSignature(String device,
                                                   com.rsa.jsafe.JSAFE_PublicKey verifyingKey,
                                                   SecureRandom random)
                                            throws CertificateException

Verifies the signature of the certificate, using verifyingKey on the specified device.

The format of device follows the format specified in Crypto-J.

The following are examples of device arguments:

   Java          --Perform signature using Java code
   Native        --Perform signature using the native link
   Native/Java   --Use native if possible, if not, use Java

Parameters

	device		A String that specifies the device or choice of devices to use in computing the signature.
	verifyingKey		A JSAFE_PublicKey used to verify the signature.
	random		Random bytes. If the signature algorithm needs random bytes, get them from this object.

Returns

A boolean indicating whether the signature on the certificate is valid.

Throws

CertificateException - If the code cannot perform the signature algorithm on the specified device.

verifyCertificateSignature

public boolean verifyCertificateSignature(String device,
                                          byte[] verifyingKeyBER,
                                          int offset,
                                          SecureRandom random)
                                   throws CertificateException

Verifies the signature of the certificate using the public key represented by verifyingKeyBER, the BER encoding of a public key, on the specified device. This method expects the input of the key to follow the ASN.1 definition SubjectPublicKeyInfo, as follows:

   SubjectPublicKeyInfo ::= SEQUENCE {
     algorithmID       AlgorithmIdentifier,
     subjectPublicKey  BIT STRING }

If the signature algorithm needs system parameters, this method expects them to be contained within the SubjectPublicKeyInfo.

The format of device follows the format specified in Crypto-J.

The following are examples of device arguments:

   Java          --Perform signature using Java code
   Native        --Perform signature using the native link
   Native/Java   --Use native if possible, if not, use Java

Parameters

	device		A String that specifies the device or choice of devices to use in computing the signature.
	verifyingKeyBER		The BER encoding of a public key.
	offset		The offset into verifyingKeyBER where the encoding begins.
	random		Random bytes. If the signature algorithm needs random bytes, get them from this object.

Returns

A boolean that indicates whether the signature on the certificate is valid.

Throws

CertificateException - If the code cannot perform the signature algorithm on the specified device.

verifyCertificateSignature

public boolean verifyCertificateSignature(String device,
                                          Certificate signerCert,
                                          SecureRandom random)
                                   throws CertificateException

Verifies the signature of the certificate using the public key found in signerCert on the specified device. If the algorithm needs system parameters, this method uses those in the SubjectPublicKeyInfo of the signerCert, for security reasons as specified in PKIX.

The format of device follows the format specified in Crypto-J.

The following are examples of device arguments:

   Java         --Perform signature using Java code
   Native       --Perform signature using the native link
   Native/Java  --Use native if possible, if not, use Java

Parameters

	device		A String that specifies the device or choice of devices to use in computing the signature.
	signerCert		A certificate that contains the public key of the entity that signed the certificate from which the signature is being verified.
	random		Random bytes. If the signature algorithm needs random bytes, get them from this object.

Returns

A boolean indicating whether the signature on the certificate is valid.

Throws

CertificateException - If the code cannot perform the signature algorithm on the specified device.