com.rsa.certj.cert.extensions

Class IssuingDistributionPoint

java.lang.Object
  |
  +--com.rsa.certj.cert.extensions.X509V3Extension
        |
        +--com.rsa.certj.cert.extensions.IssuingDistributionPoint
All Implemented Interfaces:
Cloneable, CRLExtension, Serializable

public class IssuingDistributionPoint
extends X509V3Extension
implements Cloneable, Serializable, CRLExtension

This class builds and holds the IssuingDistributionPoint extension. This CRL extension field identifies the CRL distribution point for this particular CRL, and indicates if the CRL is limited to revocations for end-entity certificates only, for CA certificates only, or for a limited set of reasons only. The CRL is signed by the CRL issuer key; CRL distribution points do not have their own key pairs. However, for a CRL distributed using the X.500 directory, the CRL is stored in the entry of the CRL distribution point, which may not be the directory entry of the CRL issuer.

The CRL distribution point is a directory entry or other distribution source for CRLs. A CRL distributed through a CRL distribution point may contain revocation entries for only a subset of the full set of certificates issued by one CA or may contain revocation entries for multiple CAs.

The ASN.1 definition is as follows:

 issuingDistributionPoint EXTENSION ::= {
	SYNTAX	IssuingDistPointSyntax
	IDENTIFIED BY 	id-ce-issuingDistributionPoint }

 IssuingDistPointSyntax ::= SEQUENCE {
	distributionPoint	[0] DistributionPointName OPTIONAL,
	onlyContainsUserCerts	[1] BOOLEAN DEFAULT FALSE,
	onlyContainsCACerts	[2] BOOLEAN DEFAULT FALSE,
	onlySomeReasons		[3] ReasonFlags OPTIONAL,
	indirectCRL		[4] BOOLEAN DEFAULT FALSE }

 DistributionPointName ::= CHOICE {
 	fullName		[0]	GeneralNames,
	nameRelativeToCRLIssuer	[1]	RelativeDistinguishedName }

 ReasonFlags ::= BIT STRING {
	unused 			(0),
	keyCompromise 		(1), 
	cACompromise		(2), 
	affiliationChanged	(3), 
	superseded	      	(4),
	cessationOfOperation	(5),
	certificateHold 	(6) }
 
The distributionPoint component contains the name of the distribution point in one or more name forms. If this field is absent, the CRL must contain entries for all revoked unexpired certificates issued by the CRL issuer. If onlyContainsUserCerts is true, then the CRL only contains revocations for end-entity certificates. If onlyContainsCACerts is true, then the CRL only contains revocations for CA certificates. If onlySomeReasons is present, then the CRL only contains revocations for the identified reason or reasons; otherwise, the CRL contains revocations for all reasons. If indirectCRL is true, then the CRL may contain revocation notifications from CAs other than the issuer of the CRL.

This extension is always critical.
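The IssuingDistPointSyntax structure above, as an added example that is not part of the Cert-J documentation or library: a small DER encoder and strict decoder written in Python. It shows how the [1], [2] and [4] BOOLEAN DEFAULT FALSE components are omitted when false (and rejected by the decoder when they are encoded as FALSE), how ReasonFlags is encoded as a named-bit BIT STRING with trailing zero bits dropped, how the distributionPoint CHOICE is wrapped in an explicit [0] tag, and how the OCTET STRING extnValue and the critical flag sit in the enclosing Extension. Assumptions: the distribution point is handled only as a fullName holding a single uniformResourceIdentifier GeneralName; the OID 2.5.29.28 for id-ce-issuingDistributionPoint is taken from RFC 5280, not from this page; the class name IssuingDistPoint, the helper names and the sample URI are constructed for this example and are unrelated to the Cert-J API.

```python
from dataclasses import dataclass
from typing import Optional

# Named bits of ReasonFlags, numbered as in the ASN.1 definition above.
REASON_BITS = {"unused": 0, "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
               "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6}
BOOL_TAGS = {0x81: "only_user_certs", 0x82: "only_ca_certs", 0x84: "indirect_crl"}  # [1],[2],[4] BOOLEAN
IDP_OID_DER = bytes.fromhex("551d1c")  # id-ce-issuingDistributionPoint = 2.5.29.28 (RFC 5280, not from the page)

@dataclass
class IssuingDistPoint:  # constructed example type, not the Cert-J class
    full_name_uri: Optional[str] = None      # distributionPoint as fullName holding one URI GeneralName
    only_user_certs: bool = False
    only_ca_certs: bool = False
    only_some_reasons: Optional[set] = None  # None: onlySomeReasons absent, CRL covers all reasons
    indirect_crl: bool = False

def tlv(tag: int, value: bytes) -> bytes:
    # DER tag-length-value with minimal-length encoding.
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf: bytes, off: int):
    # Returns (tag, content, next_offset); long-form lengths must be minimal, nothing may be truncated.
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
        if n == 0 or n > 4 or length < 0x80:
            raise ValueError("bad DER length")
    if off + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[off:off + length], off + length

def encode_reason_flags(reasons: set) -> bytes:
    # Named-bit BIT STRING: DER drops trailing zero bits and records how many bits of the last byte are unused.
    if not reasons:
        return b"\x00"
    nbits = max(REASON_BITS[r] for r in reasons) + 1
    nbytes = (nbits + 7) // 8
    bits = sum(1 << (nbytes * 8 - 1 - REASON_BITS[r]) for r in reasons)
    return bytes([nbytes * 8 - nbits]) + bits.to_bytes(nbytes, "big")

def decode_reason_flags(content: bytes) -> set:
    unused, payload = content[0], content[1:]
    total = len(payload) * 8 - unused
    bits = int.from_bytes(payload, "big") >> unused
    return {n for n, i in REASON_BITS.items() if i < total and (bits >> (total - 1 - i)) & 1}

def encode_idp(idp: IssuingDistPoint) -> bytes:
    parts = {}
    if idp.full_name_uri is not None:
        uri = tlv(0x86, idp.full_name_uri.encode("ascii"))  # [6] uniformResourceIdentifier
        parts[0xA0] = tlv(0xA0, tlv(0xA0, uri))  # [0] distributionPoint (explicit, CHOICE) -> [0] fullName
    for tag, attr in BOOL_TAGS.items():
        if getattr(idp, attr):
            parts[tag] = tlv(tag, b"\xff")  # DEFAULT FALSE values are never encoded in DER
    if idp.only_some_reasons is not None:
        parts[0x83] = tlv(0x83, encode_reason_flags(idp.only_some_reasons))
    return tlv(0x30, b"".join(parts[t] for t in sorted(parts)))  # SEQUENCE components in tag order

def decode_idp(der: bytes) -> IssuingDistPoint:
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    idp, off = IssuingDistPoint(), 0
    while off < len(body):
        tag, content, off = read_tlv(body, off)
        if tag == 0xA0:
            inner_tag, names, _ = read_tlv(content, 0)
            uri_tag, uri, _ = read_tlv(names, 0)
            if inner_tag != 0xA0 or uri_tag != 0x86:
                raise ValueError("only fullName with a URI GeneralName is handled here")
            idp.full_name_uri = uri.decode("ascii")
        elif tag in BOOL_TAGS:
            if content != b"\xff":  # an encoded FALSE, or a TRUE other than 0xFF, is not valid DER
                raise ValueError("invalid DER BOOLEAN for a DEFAULT FALSE field")
            setattr(idp, BOOL_TAGS[tag], True)
        elif tag == 0x83:
            idp.only_some_reasons = decode_reason_flags(content)
        else:
            raise ValueError(f"unexpected tag {tag:#x}")
    return idp

def encode_extension(idp: IssuingDistPoint) -> bytes:
    # Extension { extnID, critical TRUE, extnValue OCTET STRING wrapping the DER above }.
    return tlv(0x30, tlv(0x06, IDP_OID_DER) + tlv(0x01, b"\xff") + tlv(0x04, encode_idp(idp)))

def decode_extension(der: bytes) -> IssuingDistPoint:
    _, body, _ = read_tlv(der, 0)
    oid_tag, oid, off = read_tlv(body, 0)
    crit_tag, critical, off = read_tlv(body, off)
    val_tag, value, off = read_tlv(body, off)
    if oid_tag != 0x06 or oid != IDP_OID_DER or val_tag != 0x04 or off != len(body):
        raise ValueError("not a well-formed issuingDistributionPoint extension")
    if crit_tag != 0x01 or critical != b"\xff":  # this extension is always critical
        raise ValueError("issuingDistributionPoint must be marked critical")
    return decode_idp(value)
```

The decoder is deliberately strict: it refuses an encoded FALSE for a DEFAULT FALSE field, a TRUE byte other than 0xFF, a non-minimal length and a non-critical extension, because a relying party that tolerates such BER variants may accept a CRL whose scope (user certificates only, CA certificates only, some reasons only, indirect) differs from what a strict implementation would read from the same bytes.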

Copyright © RSA Security Inc., 1999-2001. All rights reserved.

See Also

Serialized Form

Field Summary

static int AFFILIATION_CHANGED
    Indicates that the subject's name, or other information in the certificate, has been modified.

static int CA_COMPROMISE
    Indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

static int CERTIFICATE_HOLD
    Indicates that the certificate is put on hold.

static int CESSATION_OF_OPERATION
    Indicates that the certificate is no longer needed for the purpose for which it was issued.

static int KEY_COMPROMISE
    Indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

static int REASON_FLAGS_BITS
    Indicates the number of reasonFlags bits.

static int REASON_FLAGS_MASK
    Indicates which reasonFlags bits are meaningful.

static int SUPERSEDED
    Indicates that the certificate has been superseded.

static int UNUSED
    Indicates that the reasonFlags component is not used in this extension.

 
Fields inherited from class com.rsa.certj.cert.extensions.X509V3Extension
ARCHIVE_CUTOFF, ARCHIVE_CUTOFF_OID, AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_OID, AUTHORITY_KEY_ID, BASIC_CONSTRAINTS, BIO_INFO, BIO_INFO_OID, CERT_POLICIES, CERTIFICATE_ISSUER, CRL_DISTRIBUTION_POINTS, CRL_NUMBER, CRL_REFERENCE, CRL_REFERENCE_OID, DELTA_CRL_INDICATOR, EXTENDED_KEY_USAGE, HOLD_INSTRUCTION_CODE, INHIBIT_ANY_POLICY, INVALIDITY_DATE, ISSUER_ALT_NAME, ISSUING_DISTRIBUTION_POINT, KEY_USAGE, NAME_CONSTRAINTS, NETSCAPE_BASE_URL, NETSCAPE_BASE_URL_OID, NETSCAPE_CA_POLICY_URL, NETSCAPE_CA_POLICY_URL_OID, NETSCAPE_CA_REVOCATION_URL, NETSCAPE_CA_REVOCATION_URL_OID, NETSCAPE_CERT_RENEWAL_URL, NETSCAPE_CERT_RENEWAL_URL_OID, NETSCAPE_CERT_TYPE, NETSCAPE_CERT_TYPE_OID, NETSCAPE_COMMENT, NETSCAPE_COMMENT_OID, NETSCAPE_REVOCATION_URL, NETSCAPE_REVOCATION_URL_OID, NETSCAPE_SSL_SERVER_NAME, NETSCAPE_SSL_SERVER_NAME_OID, NON_STANDARD_EXTENSION, OCSP_ACCEPTABLE_RESPONSES, OCSP_ACCEPTABLE_RESPONSES_OID, OCSP_NOCHECK, OCSP_NOCHECK_OID, OCSP_NONCE, OCSP_NONCE_OID, OCSP_SERVICE_LOCATOR, OCSP_SERVICE_LOCATOR_OID, POLICY_CONSTRAINTS, POLICY_MAPPINGS, PRIVATE_KEY_USAGE_PERIOD, QC_STATEMENTS, QC_STATEMENTS_OID, REASON_CODE, SUBJECT_ALT_NAME, SUBJECT_DIRECTORY_ATTRIBUTES, SUBJECT_KEY_ID, VERISIGN_CZAG, VERISIGN_CZAG_OID, VERISIGN_FIDELITY_ID, VERISIGN_FIDELITY_ID_OID, VERISIGN_JURISDICTION_HASH, VERISIGN_JURISDICTION_HASH_OID, VERISIGN_NETSCAPE_INBOX_V1, VERISIGN_NETSCAPE_INBOX_V1_OID, VERISIGN_NETSCAPE_INBOX_V2, VERISIGN_NETSCAPE_INBOX_V2_OID, VERISIGN_NON_VERIFIED, VERISIGN_NON_VERIFIED_OID, VERISIGN_SERIAL_NUMBER, VERISIGN_SERIAL_NUMBER_OID, VERISIGN_TOKEN_TYPE, VERISIGN_TOKEN_TYPE_OID
 

Constructor Summary

IssuingDistributionPoint()
    Constructs an empty IssuingDistributionPoint object.

IssuingDistributionPoint(GeneralNames distributionPoint, boolean userCerts, boolean caCerts, int reason, boolean indirectCRL, boolean criticality)
    Creates an IssuingDistributionPoint object from a GeneralNames distribution point and initializes it with the given values.

IssuingDistributionPoint(RDN distributionPoint, boolean userCerts, boolean caCerts, int reason, boolean indirectCRL, boolean criticality)
    Creates an IssuingDistributionPoint object from an RDN distribution point and initializes it with the given values.

 

Method Summary

Object clone()
    Overrides the default clone method to get a deeper clone.

void decodeValue(byte[] valueBER, int offset)
    Decode the value.

int derEncodeValue(byte[] encoding, int offset)
    Place the encoding of the value into encoding, beginning at offset.

int derEncodeValueInit()
    Initialize for encoding the value.

boolean getCACerts()
    Gets the onlyContainsCACerts field value.

Object getDistributionPointName()
    Gets the DistributionPointName field's value.

boolean getIndirectCRL()
    Gets the indirectCRL field value.

int getReasonFlags()
    Gets the onlySomeReasons field value.

boolean getUserCerts()
    Gets the onlyContainsUserCerts field value.

void setCACerts(boolean caCerts)
    Sets the onlyContainsCACerts flag.

void setIndirectCRL(boolean indirectCRL)
    Sets the indirectCRL flag.

void setIssuingDistributionPointName(GeneralNames distributionPoint)
    Sets the issuing distribution point name for a GeneralNames distribution point.

void setIssuingDistributionPointName(RDN distributionPoint)
    Sets the issuing distribution point name for an RDN distribution point.

void setReasonFlags(int reason)
    Sets the onlySomeReasons field of the IssuingDistPointSyntax ASN.1 structure.

void setUserCerts(boolean userCerts)
    Sets the onlyContainsUserCerts flag.

 
Methods inherited from class com.rsa.certj.cert.extensions.X509V3Extension
extend, getCriticality, getDEREncoding, getDERLen, getExtensionType, getExtensionTypeString, getInstance, getNextBEROffset, isExtensionType, setCriticality, setEncoding, setSpecialOID, setStandardOID
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

REASON_FLAGS_BITS

public static final int REASON_FLAGS_BITS
Indicates the number of reasonFlags bits.

REASON_FLAGS_MASK

public static final int REASON_FLAGS_MASK
Indicates which reasonFlags bits are meaningful.

UNUSED

public static final int UNUSED
Indicates that the reasonFlags component is not used in this extension.

KEY_COMPROMISE

public static final int KEY_COMPROMISE
Indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

CA_COMPROMISE

public static final int CA_COMPROMISE
Indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

AFFILIATION_CHANGED

public static final int AFFILIATION_CHANGED
Indicates that the subject's name, or other information in the certificate, has been modified. There is no cause to suspect that the private key has been compromised.

SUPERSEDED

public static final int SUPERSEDED
Indicates that the certificate has been superseded. There is no cause to suspect that the private key has been compromised.

CESSATION_OF_OPERATION

public static final int CESSATION_OF_OPERATION
Indicates that the certificate is no longer needed for the purpose for which it was issued. There is no cause to suspect that the private key has been compromised.

CERTIFICATE_HOLD

public static final int CERTIFICATE_HOLD
Indicates that the certificate is put on hold.

Constructor Detail

IssuingDistributionPoint

public IssuingDistributionPoint()
Constructs an empty IssuingDistributionPoint object.

IssuingDistributionPoint

public IssuingDistributionPoint(RDN distributionPoint,
                                boolean userCerts,
                                boolean caCerts,
                                int reason,
                                boolean indirectCRL,
                                boolean criticality)
Creates an IssuingDistributionPoint object from an RDN distribution point and initializes it with the given values.

Parameters

distributionPoint - An RDN object to use as the distribution point. If the RDN name is not set, pass null.
userCerts - If true, the CRL only contains revocations for end-entity certificates.
caCerts - If true, the CRL only contains revocations for CA certificates.
reason - The revocation reasons. It should be one of the fields previously defined in this class. If this field is not set, pass -1.
indirectCRL - If true, then the CRL may contain revocation notifications from CAs other than the issuer of the CRL.
criticality - The user-specified criticality.


IssuingDistributionPoint

public IssuingDistributionPoint(GeneralNames distributionPoint,
                                boolean userCerts,
                                boolean caCerts,
                                int reason,
                                boolean indirectCRL,
                                boolean criticality)
Creates an IssuingDistributionPoint object from a GeneralNames distribution point and initializes it with the given values.

Parameters

distributionPoint - A GeneralNames object to use as the distribution point. If the GeneralNames name is not set, pass null.
userCerts - If true, the CRL only contains revocations for end-entity certificates.
caCerts - If true, the CRL only contains revocations for CA certificates.
reason - The revocation reasons. It should be one of the fields previously defined in this class. If this field is not set, pass -1.
indirectCRL - If true, then the CRL may contain revocation notifications from CAs other than the issuer of the CRL.
criticality - The user-specified criticality.

Method Detail

decodeValue

public void decodeValue(byte[] valueBER,
                        int offset)
                 throws CertificateException
Decode the value. The input is the BER encoding that was wrapped in the OCTET STRING.

Overrides

decodeValue in class X509V3Extension

Parameters

valueBER - The BER encoding of the extension's value.
offset - The offset into valueBER where the encoding begins.

Throws

CertificateException - If the encoding is invalid for this extension.

setIssuingDistributionPointName

public void setIssuingDistributionPointName(GeneralNames distributionPoint)
Sets the issuing distribution point name for a GeneralNames distribution point.

Parameters

distributionPoint - The distributionPoint field value given as a GeneralNames.


setIssuingDistributionPointName

public void setIssuingDistributionPointName(RDN distributionPoint)
Sets the issuing distribution point name for an RDN distribution point.

Parameters

distributionPoint - The distributionPoint field value given as an RDN.


setUserCerts

public void setUserCerts(boolean userCerts)
Sets the onlyContainsUserCerts flag.

Parameters

userCerts - If true, the CRL only contains revocations for end-entity certificates.


setCACerts

public void setCACerts(boolean caCerts)
Sets the onlyContainsCACerts flag.

Parameters

caCerts - If true, the CRL only contains revocations for CA certificates.


setReasonFlags

public void setReasonFlags(int reason)
Sets the onlySomeReasons field of the IssuingDistPointSyntax ASN.1 structure.

Parameters

reason - The revocation reasons, which can be one or more of the static field values previously defined in this class.


setIndirectCRL

public void setIndirectCRL(boolean indirectCRL)
Sets the indirectCRL flag.

Parameters

indirectCRL - If true, the CRL may contain revocation notifications from CAs other than the issuer of the CRL.


getDistributionPointName

public Object getDistributionPointName()
Gets the DistributionPointName field's value.

Returns

The distributionPoint field's value. Because the value can be either an RDN or a GeneralNames object, use instanceof to determine the object type before casting it. The value is null if the distribution point has not been set.

getUserCerts

public boolean getUserCerts()
Gets the onlyContainsUserCerts field value.

Returns

A boolean that specifies whether the CRL only contains revocations for end-entity certificates.

getCACerts

public boolean getCACerts()
Gets the onlyContainsCACerts field value.

Returns

A boolean that specifies whether the CRL only contains revocations for CA certificates.

getReasonFlags

public int getReasonFlags()
Gets the onlySomeReasons field value.

Returns

The revocation reason flags, or -1 if reasonFlags is not set.

getIndirectCRL

public boolean getIndirectCRL()
Gets the indirectCRL field value.

Returns

A boolean that specifies if the CRL may contain revocation notifications from CAs other than the issuer of the CRL.

derEncodeValueInit

public int derEncodeValueInit()
Initialize for encoding the value.

Overrides

derEncodeValueInit in class X509V3Extension

Returns

How many bytes the encoding will be.

derEncodeValue

public int derEncodeValue(byte[] encoding,
                          int offset)
Place the encoding of the value into encoding, beginning at offset. This is the actual contents that are wrapped in the OCTET STRING (not the surrounding OCTET STRING tag and length).

Overrides

derEncodeValue in class X509V3Extension

Parameters

encoding - The byte array into which the result will be placed.
offset - The offset into encoding where the writing is to begin.

Returns

The number of bytes actually placed into encoding.

clone

public Object clone()
             throws CloneNotSupportedException
Overrides the default clone method to get a deeper clone.

Overrides

clone in class X509V3Extension

Returns

A new IssuingDistributionPoint object, a copy of this object.

Throws

CloneNotSupportedException - If the cloning operation is not successful.


RSA BSAFE ® Cert-J 2.1.1 001-047007-211-001-000