com.rsa.certj.cert.extensions

Class ExtendedKeyUsage

java.lang.Object
  |
  +--com.rsa.certj.cert.extensions.X509V3Extension
        |
        +--com.rsa.certj.cert.extensions.ExtendedKeyUsage
All Implemented Interfaces:
CertExtension, Cloneable, Serializable

public class ExtendedKeyUsage
extends X509V3Extension
implements Cloneable, Serializable, CertExtension

This class builds and holds the ExtendedKeyUsage extension. It indicates one or more purposes for which the certified public key may be used, in addition to, or in place of, the basic purposes indicated in the key usage extension field. Key purposes may be defined by any organization, as needed. This extension may, at the option of the certificate issuer, be either critical or non-critical. If the extension is flagged critical, then the certificate must be used only for one of the purposes indicated.

If the extension is flagged non-critical, it indicates the intended purpose or purposes of the key. It may be used to find the correct key or certificate of an entity that has multiple keys or certificates. It is an advisory field and does not imply that the certificate authority restricts usage of the key to the purposes indicated. Certificate-using applications may nevertheless require that a particular purpose be indicated in order for the certificate to be acceptable to that application.

If a certificate contains both a critical key usage field and a critical extended key usage field, then both fields must be processed independently, and the certificate must only be used for a purpose consistent with both fields. If there is no purpose consistent with both fields, then the certificate must not be used for any purpose.
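The acceptance rules above (critical EKU binds, non-critical EKU is advisory unless the application insists, and KeyUsage and EKU are checked independently with the purpose required to satisfy both) as an added, stand-alone Python example; this is not Cert-J code and does not use the Cert-J API. The KeyUsage compatibility table is taken from the Field Detail on this page (RFC 2459 section 4.2.1.13); the sample extension contents, the CertExtensions type and the function names are this example's own constructions.

```python
# Added example (not Cert-J code): the KeyUsage / ExtendedKeyUsage acceptance
# rules from the class description, applied to decoded extension contents.
from dataclasses import dataclass
from typing import FrozenSet, Optional

# PKIX key purpose OIDs under id-kp = 1.3.6.1.5.5.7.3, in dotted form.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
TIME_STAMPING = "1.3.6.1.5.5.7.3.8"

# KeyUsage bits consistent with each purpose, as given in the Field Detail on
# this page (RFC 2459 4.2.1.13): a purpose is consistent with a KeyUsage
# extension when at least one of its listed bits is set. The page lists no
# mapping for OCSP signing, so none is assumed here.
KU_COMPATIBLE = {
    SERVER_AUTH: frozenset({"digitalSignature", "keyEncipherment", "keyAgreement"}),
    CLIENT_AUTH: frozenset({"digitalSignature", "keyAgreement"}),
    CODE_SIGNING: frozenset({"digitalSignature"}),
    EMAIL_PROTECTION: frozenset({"digitalSignature", "nonRepudiation",
                                 "keyEncipherment", "keyAgreement"}),
    TIME_STAMPING: frozenset({"digitalSignature", "nonRepudiation"}),
}


@dataclass(frozen=True)
class CertExtensions:
    # Decoded view of the two extensions; None means the extension is absent.
    key_usage: Optional[FrozenSet[str]] = None
    key_usage_critical: bool = False
    ext_key_usage: Optional[FrozenSet[str]] = None
    ext_key_usage_critical: bool = False


def purpose_allowed(ext: CertExtensions, purpose: str, enforce_eku: bool = False) -> bool:
    """May the certified key be used for `purpose` (a KeyPurposeId OID)?

    Critical EKU: the purpose must be listed. Non-critical EKU: advisory only,
    unless the application insists (enforce_eku=True), as the text permits.
    KeyUsage and EKU are checked independently and the purpose must satisfy
    both. The text covers the case where both are critical; honouring a
    non-critical KeyUsage too is this example's conservative choice.
    """
    eku = ext.ext_key_usage
    if eku is not None and (ext.ext_key_usage_critical or enforce_eku):
        if purpose not in eku:
            return False
    ku = ext.key_usage
    if ku is not None:
        compatible = KU_COMPATIBLE.get(purpose)
        if compatible is not None and not (ku & compatible):
            return False
    return True


def consistent_purposes(ext: CertExtensions) -> FrozenSet[str]:
    """Purposes acceptable under both fields, with the EKU treated as binding.
    Empty with a critical EKU present means: do not use the certificate at all."""
    candidates = ext.ext_key_usage if ext.ext_key_usage is not None else frozenset(KU_COMPATIBLE)
    return frozenset(p for p in candidates if purpose_allowed(ext, p, enforce_eku=True))


# Constructed samples (not real certificate data).
TLS_SERVER = CertExtensions(
    key_usage=frozenset({"digitalSignature", "keyEncipherment"}), key_usage_critical=True,
    ext_key_usage=frozenset({SERVER_AUTH}), ext_key_usage_critical=True)
ADVISORY_CLIENT = CertExtensions(          # EKU non-critical, so advisory
    key_usage=frozenset({"digitalSignature"}), key_usage_critical=True,
    ext_key_usage=frozenset({CLIENT_AUTH}), ext_key_usage_critical=False)
CONTRADICTORY = CertExtensions(            # CA-only bits with a serverAuth purpose
    key_usage=frozenset({"keyCertSign", "cRLSign"}), key_usage_critical=True,
    ext_key_usage=frozenset({SERVER_AUTH}), ext_key_usage_critical=True)

if __name__ == "__main__":
    print(purpose_allowed(TLS_SERVER, SERVER_AUTH))                 # True
    print(purpose_allowed(TLS_SERVER, CODE_SIGNING))                # False
    print(purpose_allowed(ADVISORY_CLIENT, SERVER_AUTH))            # True
    print(purpose_allowed(ADVISORY_CLIENT, SERVER_AUTH, True))      # False
    print(sorted(consistent_purposes(CONTRADICTORY)))               # []
```

The CONTRADICTORY sample is the case the last paragraph describes: the critical EKU names serverAuth, the critical KeyUsage permits only keyCertSign and cRLSign, no purpose satisfies both, so the certificate is unusable. An application that only looked at the EKU would accept it as a TLS server certificate.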

The ASN.1 definition is as follows:

 extKeyUsage EXTENSION ::= {
	SYNTAX	SEQUENCE SIZE (1..MAX) OF KeyPurposeId
	IDENTIFIED BY id-ce-extKeyUsage }

 KeyPurposeId ::= OBJECT IDENTIFIER
The PKIX certificate profile (RFC 2459) defines eight PKIX extended key purpose OIDs, id-kp 1 through id-kp 8; the OCSP specification (RFC 2560) adds id-kp-OCSPSigning as id-kp 9. The definitions are as follows:

 id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
 id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
 id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
 id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
 id-kp-ipsecEndSystem  OBJECT IDENTIFIER ::= { id-kp 5 }
 id-kp-ipsecTunnel     OBJECT IDENTIFIER ::= { id-kp 6 }
 id-kp-ipsecUser       OBJECT IDENTIFIER ::= { id-kp 7 }
 id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }
 id-kp-OCSPSigning     OBJECT IDENTIFIER ::= { id-kp 9 }

Copyright © RSA Security Inc., 1999-2001. All rights reserved.

See Also

Serialized Form

Field Summary

static byte[]

ID_KP_CLIENT_AUTH

Holds the PKIX extended key purpose OID for TLS Web client authentication.

static byte[]

ID_KP_CODE_SIGNING

Holds the PKIX extended key purpose OID for signing downloadable executable code.

static byte[]

ID_KP_EMAIL_PROTECTION

Holds the PKIX extended key purpose OID for e-mail protection.

static byte[]

ID_KP_OCSP_SIGNING

Holds the PKIX extended key purpose OID for signing OCSP responses.

static byte[]

ID_KP_SERVER_AUTH

Holds the PKIX extended key purpose OID for TLS Web server authentication.

static byte[]

ID_KP_TIME_STAMPING

Holds the PKIX extended key purpose OID for binding the hash of an object to a time from an agreed-upon time source.

 
Fields inherited from class com.rsa.certj.cert.extensions.X509V3Extension
ARCHIVE_CUTOFF, ARCHIVE_CUTOFF_OID, AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_OID, AUTHORITY_KEY_ID, BASIC_CONSTRAINTS, BIO_INFO, BIO_INFO_OID, CERT_POLICIES, CERTIFICATE_ISSUER, CRL_DISTRIBUTION_POINTS, CRL_NUMBER, CRL_REFERENCE, CRL_REFERENCE_OID, DELTA_CRL_INDICATOR, EXTENDED_KEY_USAGE, HOLD_INSTRUCTION_CODE, INHIBIT_ANY_POLICY, INVALIDITY_DATE, ISSUER_ALT_NAME, ISSUING_DISTRIBUTION_POINT, KEY_USAGE, NAME_CONSTRAINTS, NETSCAPE_BASE_URL, NETSCAPE_BASE_URL_OID, NETSCAPE_CA_POLICY_URL, NETSCAPE_CA_POLICY_URL_OID, NETSCAPE_CA_REVOCATION_URL, NETSCAPE_CA_REVOCATION_URL_OID, NETSCAPE_CERT_RENEWAL_URL, NETSCAPE_CERT_RENEWAL_URL_OID, NETSCAPE_CERT_TYPE, NETSCAPE_CERT_TYPE_OID, NETSCAPE_COMMENT, NETSCAPE_COMMENT_OID, NETSCAPE_REVOCATION_URL, NETSCAPE_REVOCATION_URL_OID, NETSCAPE_SSL_SERVER_NAME, NETSCAPE_SSL_SERVER_NAME_OID, NON_STANDARD_EXTENSION, OCSP_ACCEPTABLE_RESPONSES, OCSP_ACCEPTABLE_RESPONSES_OID, OCSP_NOCHECK, OCSP_NOCHECK_OID, OCSP_NONCE, OCSP_NONCE_OID, OCSP_SERVICE_LOCATOR, OCSP_SERVICE_LOCATOR_OID, POLICY_CONSTRAINTS, POLICY_MAPPINGS, PRIVATE_KEY_USAGE_PERIOD, QC_STATEMENTS, QC_STATEMENTS_OID, REASON_CODE, SUBJECT_ALT_NAME, SUBJECT_DIRECTORY_ATTRIBUTES, SUBJECT_KEY_ID, VERISIGN_CZAG, VERISIGN_CZAG_OID, VERISIGN_FIDELITY_ID, VERISIGN_FIDELITY_ID_OID, VERISIGN_JURISDICTION_HASH, VERISIGN_JURISDICTION_HASH_OID, VERISIGN_NETSCAPE_INBOX_V1, VERISIGN_NETSCAPE_INBOX_V1_OID, VERISIGN_NETSCAPE_INBOX_V2, VERISIGN_NETSCAPE_INBOX_V2_OID, VERISIGN_NON_VERIFIED, VERISIGN_NON_VERIFIED_OID, VERISIGN_SERIAL_NUMBER, VERISIGN_SERIAL_NUMBER_OID, VERISIGN_TOKEN_TYPE, VERISIGN_TOKEN_TYPE_OID
 

Constructor Summary

ExtendedKeyUsage()

Constructs an empty ExtendedKeyUsage object.

ExtendedKeyUsage(byte[] keyPurpose, int offset, int len, boolean criticality)

Constructs an ExtendedKeyUsage object and initializes it with the given values.

 

Method Summary

 void

addExtendedKeyUsage(byte[] data, int offset, int len)

Adds an extended key usage to this extension.

 Object

clone()

Overrides the default clone method to get a deeper clone.

 void

decodeValue(byte[] valueBER, int offset)

Decode the value.

 int

derEncodeValue(byte[] encoding, int offset)

Place the encoding of the value into encoding, beginning at offset.

 int

derEncodeValueInit()

Initialize for encoding the value.

 byte[]

getExtendedKeyUsage(int index)

Gets the specified key purpose value.

 int

getKeyUsageCount()

Gets the number of key purposes held in this extension.

 
Methods inherited from class com.rsa.certj.cert.extensions.X509V3Extension
extend, getCriticality, getDEREncoding, getDERLen, getExtensionType, getExtensionTypeString, getInstance, getNextBEROffset, isExtensionType, setCriticality, setEncoding, setSpecialOID, setStandardOID
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ID_KP_SERVER_AUTH

public static byte[] ID_KP_SERVER_AUTH
Holds the PKIX extended key purpose OID for TLS Web server authentication. The key usage bits that may be consistent are digitalSignature, keyEncipherment, or keyAgreement.
 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                   dod(6) internet(1) security(5) mechanisms(5) 7 }
 id-kp OBJECT IDENTIFIER ::= {id-pkix 3}
 id-kp-serverAuth OBJECT IDENTIFIER ::= {id-kp 1}

ID_KP_CLIENT_AUTH

public static byte[] ID_KP_CLIENT_AUTH
Holds the PKIX extended key purpose OID for TLS Web client authentication. The key usage bits that may be consistent are digitalSignature and/or keyAgreement.
 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                   dod(6) internet(1) security(5) mechanisms(5) 7 }
 id-kp OBJECT IDENTIFIER ::= {id-pkix 3}
 id-kp-clientAuth OBJECT IDENTIFIER ::= {id-kp 2}

ID_KP_CODE_SIGNING

public static byte[] ID_KP_CODE_SIGNING
Holds the PKIX extended key purpose OID for signing downloadable executable code. The key usage bit that may be consistent is digitalSignature.
 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                   dod(6) internet(1) security(5) mechanisms(5) 7 }
 id-kp OBJECT IDENTIFIER ::= {id-pkix 3}
 id-kp-codeSigning OBJECT IDENTIFIER ::= {id-kp 3}

ID_KP_EMAIL_PROTECTION

public static byte[] ID_KP_EMAIL_PROTECTION
Holds the PKIX extended key purpose OID for e-mail protection. The key usage bits that may be consistent are digitalSignature, nonRepudiation, and/or (keyEncipherment or keyAgreement).
 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                   dod(6) internet(1) security(5) mechanisms(5) 7 }
 id-kp OBJECT IDENTIFIER ::= {id-pkix 3}
 id-kp-emailProtection OBJECT IDENTIFIER ::= {id-kp 4}

ID_KP_TIME_STAMPING

public static byte[] ID_KP_TIME_STAMPING
Holds the PKIX extended key purpose OID for binding the hash of an object to a time from an agreed-upon time source. The key usage bits that may be consistent are digitalSignature and/or nonRepudiation.
 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                   dod(6) internet(1) security(5) mechanisms(5) 7 }
 id-kp OBJECT IDENTIFIER ::= {id-pkix 3}
 id-kp-timeStamping OBJECT IDENTIFIER ::= {id-kp 8}

ID_KP_OCSP_SIGNING

public static byte[] ID_KP_OCSP_SIGNING
Holds the PKIX extended key purpose OID for signing OCSP responses.
 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                   dod(6) internet(1) security(5) mechanisms(5) 7 }
 id-kp OBJECT IDENTIFIER ::= {id-pkix 3}
 id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9}
Constructor Detail

ExtendedKeyUsage

public ExtendedKeyUsage()
Constructs an empty ExtendedKeyUsage object.

ExtendedKeyUsage

public ExtendedKeyUsage(byte[] keyPurpose,
                        int offset,
                        int len,
                        boolean criticality)
Constructs an ExtendedKeyUsage object and initializes it with the given values.

Parameters

         keyPurpose  

A byte array that contains the key usage.

         offset  

The offset into the keyPurpose array.

         len  

The length of the data in the keyPurpose array.

         criticality  

The user-specified criticality.

Method Detail

decodeValue

public void decodeValue(byte[] valueBER,
                        int offset)
                 throws CertificateException
Decode the value. The input is the BER encoding that was wrapped in the OCTET STRING.

Overrides

decodeValue in class X509V3Extension

Parameters

         valueBER  

The BER encoding of the extension's value.

         offset  

The offset into valueBER where the encoding actually begins.

Throws

CertificateException - If the encoding is invalid for this extension.

addExtendedKeyUsage

public void addExtendedKeyUsage(byte[] data,
                                int offset,
                                int len)
Adds an extended key usage to this extension.

Parameters

         data  

A byte array that contains the key purpose to add.

         offset  

The offset in the data array.

         len  

The number of bytes to read from the data array, beginning at offset.


getExtendedKeyUsage

public byte[] getExtendedKeyUsage(int index)
                           throws CertificateException
Gets the specified key purpose value.

Parameters

         index  

The index to the specified key purpose value.

Returns

A new byte array containing the key purpose ID value.

Throws

CertificateException - If the specified index is out of range for the key purposes held in this extension.

getKeyUsageCount

public int getKeyUsageCount()
Gets the number of key purposes held in this extension.

Returns

The number of key usage elements in this extension.

derEncodeValueInit

public int derEncodeValueInit()
Initialize for encoding the value.

Overrides

derEncodeValueInit in class X509V3Extension

Returns

How many bytes the encoding will be.

derEncodeValue

public int derEncodeValue(byte[] encoding,
                          int offset)
Place the encoding of the value into encoding, beginning at offset. This is the actual contents that are wrapped in the OCTET STRING (not the surrounding OCTET STRING tag and length).

Overrides

derEncodeValue in class X509V3Extension

Parameters

         encoding  

The byte array into which the result will be placed.

         offset  

The offset into encoding where the writing is to begin.

Returns

The number of bytes actually placed into encoding.
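An added, stand-alone Python example (not Cert-J code, and not the library's API) that ties together the ASN.1 definition above (SEQUENCE SIZE (1..MAX) OF KeyPurposeId), the OID arcs spelled out in the Field Detail (id-pkix, id-kp and the nine purposes), and what decodeValue and derEncodeValue work on: the contents of the extension's OCTET STRING, not its tag and length. It encodes and decodes both the bare value and the surrounding Extension. All function and constant names are this example's own; the decoder deliberately rejects what a lenient parser would swallow (empty SEQUENCE, trailing bytes, truncated or non-minimal lengths, non-minimal OID arcs). The id-ce-extKeyUsage OID 2.5.29.37 is a known value and not taken from this page.

```python
# Added example (not Cert-J code): DER for the ExtendedKeyUsage value and for
# the X.509 v3 Extension that carries that value inside an OCTET STRING.
from typing import List, Tuple

ID_CE_EXT_KEY_USAGE = "2.5.29.37"  # id-ce-extKeyUsage = { id-ce 37 }
ID_KP = "1.3.6.1.5.5.7.3"          # id-kp = { id-pkix 3 }, id-pkix = 1.3.6.1.5.5.7
_NAMES = ["serverAuth", "clientAuth", "codeSigning", "emailProtection",
          "ipsecEndSystem", "ipsecTunnel", "ipsecUser", "timeStamping", "OCSPSigning"]
KEY_PURPOSE_NAMES = {f"{ID_KP}.{i}": f"id-kp-{n}" for i, n in enumerate(_NAMES, 1)}

def _der_tlv(tag: int, body: bytes) -> bytes:
    # Tag, definite length (short form, or minimal long form), contents.
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_oid(dotted: str) -> bytes:
    # OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs.
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        octets = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            octets.append(0x80 | (arc & 0x7F))
        body.extend(reversed(octets))
    return _der_tlv(0x06, bytes(body))

def encode_eku_value(purposes: List[str]) -> bytes:
    # The OCTET STRING contents (what derEncodeValue writes); SIZE (1..MAX).
    if not purposes:
        raise ValueError("ExtendedKeyUsage needs at least one KeyPurposeId")
    return _der_tlv(0x30, b"".join(encode_oid(p) for p in purposes))

def encode_extension(purposes: List[str], critical: bool = False) -> bytes:
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }
    body = encode_oid(ID_CE_EXT_KEY_USAGE) + (b"\x01\x01\xff" if critical else b"")
    return _der_tlv(0x30, body + _der_tlv(0x04, encode_eku_value(purposes)))

def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    # (tag, contents, offset after the element); rejects truncated/non-minimal lengths.
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf) or buf[off] == 0:
            raise ValueError("bad long-form length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
        if length < 0x80:
            raise ValueError("non-minimal length encoding")
    if off + length > len(buf):
        raise ValueError("truncated contents")
    return tag, buf[off:off + length], off + length

def decode_oid(body: bytes) -> str:
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, val = [], 0
    for b in body:
        if val == 0 and b == 0x80:
            raise ValueError("non-minimal OID arc")
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc; the first one packs two arcs
            arcs.extend([val] if arcs else (0, val) if val < 40 else (1, val - 40) if val < 80 else (2, val - 80))
            val = 0
    return ".".join(map(str, arcs))

def decode_eku_value(value: bytes) -> List[str]:
    # The OCTET STRING contents (what decodeValue receives). Rejects trailing
    # data, non-OID members and the empty SEQUENCE that SIZE (1..MAX) forbids.
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    purposes, off = [], 0
    while off < len(seq):
        tag, body, off = _read_tlv(seq, off)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        purposes.append(decode_oid(body))
    if not purposes:
        raise ValueError("empty ExtendedKeyUsage violates SIZE (1..MAX)")
    return purposes

def decode_extension(ext: bytes) -> Tuple[bool, List[str]]:
    # Whole Extension -> (critical, key purpose OIDs).
    tag, body, end = _read_tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("expected Extension SEQUENCE")
    tag, oid, off = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != ID_CE_EXT_KEY_USAGE:
        raise ValueError("not an id-ce-extKeyUsage extension")
    tag, contents, off = _read_tlv(body, off)
    critical = False
    if tag == 0x01:  # BOOLEAN; BER treats any non-zero octet as TRUE, DER uses 0xFF
        critical = contents != b"\x00"
        tag, contents, off = _read_tlv(body, off)
    if tag != 0x04 or off != len(body):
        raise ValueError("extnValue OCTET STRING must be the last member")
    return critical, decode_eku_value(contents)
```

With critical=True the encoder emits the BOOLEAN; with critical=False it omits the member altogether, because DER forbids encoding a DEFAULT value. A parser that only recognises the three-member form misreads every non-critical extension, which is why decode_extension branches on the tag rather than on position. The nine KEY_PURPOSE_NAMES entries correspond to id-kp 1 through id-kp 9 as listed in the Field Detail; decode_eku_value returns dotted OIDs so that purposes outside that table are preserved rather than dropped.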

clone

public Object clone()
             throws CloneNotSupportedException
Overrides the default clone method to get a deeper clone.

Overrides

clone in class X509V3Extension

Returns

A new ExtendedKeyUsage object, a copy of this object.

Throws

CloneNotSupportedException - If the cloning operation is not successful.


RSA BSAFE ® Cert-J 2.1.1 001-047007-211-001-000