com.rsa.certj.cert.extensions

Class PolicyMappings

java.lang.Object
  |
  +--com.rsa.certj.cert.extensions.X509V3Extension
        |
        +--com.rsa.certj.cert.extensions.PolicyMappings
All Implemented Interfaces:
CertExtension, Cloneable, Serializable

public class PolicyMappings
extends X509V3Extension
implements Cloneable, Serializable, CertExtension

This class builds and holds the PolicyMappings extension. It is used in certificate authority (CA) certificates and lists one or more pairs of object identifiers (OIDs). Each pair consists of an issuerDomainPolicy and a subjectDomainPolicy, and states that the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. Users in the issuing CA's domain may accept a given issuerDomainPolicy for certain applications; the policy mapping tells them which of the subject CA's policies are to be treated as comparable to the policy they accept.

The ASN.1 definition is as follows:

 policyMappings EXTENSION ::= {
     SYNTAX         PolicyMappingsSyntax
     IDENTIFIED BY  id-ce-policyMappings }

 PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
     issuerDomainPolicy   CertPolicyId,
     subjectDomainPolicy  CertPolicyId }

 CertPolicyId ::= OBJECT IDENTIFIER
 
An example of policy mapping is as follows:

The U.S. government domain could have a policy called Canadian Trade and the Canadian government could have a policy called U.S. Trade. While the two policies are distinctly identified and defined, there could be an agreement between the two governments to accept certification paths extending cross-border, within the rules implied by these policies, for relevant purposes.

Policy mapping implies significant administrative overhead and the involvement of suitably diligent and authorized personnel in related decision-making. In general, it is preferable to agree upon more global use of common policies than it is to apply policy mapping. In the preceding example, it would be preferable for the U.S., Canada, and Mexico to agree upon a common policy for North American trade.

It is anticipated that policy mapping will be practical only in limited environments where policy statements are very simple.

Copyright © RSA Security Inc., 1999-2001. All rights reserved.

See Also

Serialized Form

Fields inherited from class com.rsa.certj.cert.extensions.X509V3Extension
ARCHIVE_CUTOFF, ARCHIVE_CUTOFF_OID, AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_OID, AUTHORITY_KEY_ID, BASIC_CONSTRAINTS, BIO_INFO, BIO_INFO_OID, CERT_POLICIES, CERTIFICATE_ISSUER, CRL_DISTRIBUTION_POINTS, CRL_NUMBER, CRL_REFERENCE, CRL_REFERENCE_OID, DELTA_CRL_INDICATOR, EXTENDED_KEY_USAGE, HOLD_INSTRUCTION_CODE, INHIBIT_ANY_POLICY, INVALIDITY_DATE, ISSUER_ALT_NAME, ISSUING_DISTRIBUTION_POINT, KEY_USAGE, NAME_CONSTRAINTS, NETSCAPE_BASE_URL, NETSCAPE_BASE_URL_OID, NETSCAPE_CA_POLICY_URL, NETSCAPE_CA_POLICY_URL_OID, NETSCAPE_CA_REVOCATION_URL, NETSCAPE_CA_REVOCATION_URL_OID, NETSCAPE_CERT_RENEWAL_URL, NETSCAPE_CERT_RENEWAL_URL_OID, NETSCAPE_CERT_TYPE, NETSCAPE_CERT_TYPE_OID, NETSCAPE_COMMENT, NETSCAPE_COMMENT_OID, NETSCAPE_REVOCATION_URL, NETSCAPE_REVOCATION_URL_OID, NETSCAPE_SSL_SERVER_NAME, NETSCAPE_SSL_SERVER_NAME_OID, NON_STANDARD_EXTENSION, OCSP_ACCEPTABLE_RESPONSES, OCSP_ACCEPTABLE_RESPONSES_OID, OCSP_NOCHECK, OCSP_NOCHECK_OID, OCSP_NONCE, OCSP_NONCE_OID, OCSP_SERVICE_LOCATOR, OCSP_SERVICE_LOCATOR_OID, POLICY_CONSTRAINTS, POLICY_MAPPINGS, PRIVATE_KEY_USAGE_PERIOD, QC_STATEMENTS, QC_STATEMENTS_OID, REASON_CODE, SUBJECT_ALT_NAME, SUBJECT_DIRECTORY_ATTRIBUTES, SUBJECT_KEY_ID, VERISIGN_CZAG, VERISIGN_CZAG_OID, VERISIGN_FIDELITY_ID, VERISIGN_FIDELITY_ID_OID, VERISIGN_JURISDICTION_HASH, VERISIGN_JURISDICTION_HASH_OID, VERISIGN_NETSCAPE_INBOX_V1, VERISIGN_NETSCAPE_INBOX_V1_OID, VERISIGN_NETSCAPE_INBOX_V2, VERISIGN_NETSCAPE_INBOX_V2_OID, VERISIGN_NON_VERIFIED, VERISIGN_NON_VERIFIED_OID, VERISIGN_SERIAL_NUMBER, VERISIGN_SERIAL_NUMBER_OID, VERISIGN_TOKEN_TYPE, VERISIGN_TOKEN_TYPE_OID
 

Constructor Summary

PolicyMappings()

Constructs an empty PolicyMappings object.

PolicyMappings(byte[] issuerDomainPolicy, int issuerOffset, int issuerLen, byte[] subjectDomainPolicy, int subjectOffset, int subjectLen, boolean criticality)

Creates a PolicyMappings object and initializes it with the given values.

 

Method Summary

 Object

clone()

Overrides the default clone method to get a deeper clone.

 void

decodeValue(byte[] valueBER, int offset)

Decode the value.

 int

derEncodeValue(byte[] encoding, int offset)

Place the encoding of the value into encoding, beginning at offset.

 int

derEncodeValueInit()

Initialize for encoding the value.

 byte[]

getIssuerDomainPolicy(int index)

Gets the specified issuer domain policy value.

 int

getPolicyCount()

Gets the number of policy mapping pairs in this object.

 byte[]

getSubjectDomainPolicy(int index)

Gets the specified subject domain policy value.

 void

setDomainPolicy(byte[] issData, int issOffset, int issLen, byte[] domData, int domOffset, int domLen)

Sets the domain policy values.

 
Methods inherited from class com.rsa.certj.cert.extensions.X509V3Extension
extend, getCriticality, getDEREncoding, getDERLen, getExtensionType, getExtensionTypeString, getInstance, getNextBEROffset, isExtensionType, setCriticality, setEncoding, setSpecialOID, setStandardOID
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PolicyMappings

public PolicyMappings()
Constructs an empty PolicyMappings object.

PolicyMappings

public PolicyMappings(byte[] issuerDomainPolicy,
                      int issuerOffset,
                      int issuerLen,
                      byte[] subjectDomainPolicy,
                      int subjectOffset,
                      int subjectLen,
                      boolean criticality)
Creates a PolicyMappings object and initializes it with the given values.

Parameters

         issuerDomainPolicy  

The certificate policy that is recognized in the issuing CA's domain.

         issuerOffset  

The offset into the issuerDomainPolicy array where the issuer data begins.

         issuerLen  

The length of the data in the issuerDomainPolicy array.

         subjectDomainPolicy  

The certificate policy that is recognized in the subject CA's domain.

         subjectOffset  

The offset into the subjectDomainPolicy array where the subject data begins.

         subjectLen  

The length of the data in the subjectDomainPolicy array.

         criticality  

The user-specified criticality.

Method Detail

decodeValue

public void decodeValue(byte[] valueBER,
                        int offset)
                 throws CertificateException
Decode the value. The input is the BER encoding that was wrapped in the OCTET STRING.

Overrides

decodeValue in class X509V3Extension

Parameters

         valueBER  

The BER encoding of the extension's value.

         offset  

The offset into valueBER where the encoding begins.

Throws

CertificateException - If the encoding is invalid for this extension.

setDomainPolicy

public void setDomainPolicy(byte[] issData,
                            int issOffset,
                            int issLen,
                            byte[] domData,
                            int domOffset,
                            int domLen)
Sets the domain policy values.

Parameters

         issData  

The issuer domain policy OID value.

         issOffset  

The offset into the issData array.

         issLen  

The length of the data in the issData array.

         domData  

The subject domain policy OID value.

         domOffset  

The offset into the domData array.

         domLen  

The length of the data in the domData array.


getIssuerDomainPolicy

public byte[] getIssuerDomainPolicy(int index)
                             throws CertificateException
Gets the specified issuer domain policy value.

Parameters

         index  

An index that specifies the policy mapping pair.

Returns

A new byte array that contains the issuer domain policy OID value.

Throws

CertificateException - If the specified index is invalid.

getSubjectDomainPolicy

public byte[] getSubjectDomainPolicy(int index)
                              throws CertificateException
Gets the specified subject domain policy value.

Parameters

         index  

The index that specifies the policy mapping pair.

Returns

A new byte array that contains the subject domain policy OID value.

Throws

CertificateException - If the specified index is invalid.

getPolicyCount

public int getPolicyCount()
Gets the number of policy mapping pairs in this object.

Returns

The number of policy mapping pairs (issuerDomainPolicy/subjectDomainPolicy) in this object, which bounds the index accepted by getIssuerDomainPolicy and getSubjectDomainPolicy.

derEncodeValueInit

public int derEncodeValueInit()
Initialize for encoding the value.

Overrides

derEncodeValueInit in class X509V3Extension

Returns

How many bytes the encoding will be.

derEncodeValue

public int derEncodeValue(byte[] encoding,
                          int offset)
Place the encoding of the value into encoding, beginning at offset. This is the actual contents that are wrapped in the OCTET STRING (not the surrounding OCTET STRING tag and length).

Overrides

derEncodeValue in class X509V3Extension

Parameters

         encoding  

The byte array into which the result will be placed.

         offset  

The offset into encoding where the writing is to begin.

Returns

The number of bytes actually placed into encoding.
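The PolicyMappingsSyntax defined in the class description above, and the bytes that derEncodeValue writes and decodeValue reads (the contents of the extnValue OCTET STRING, without the OCTET STRING tag and length), as an added example. This is stand-alone Python written for this page, not Cert-J code: it does not call the PolicyMappings class and assumes nothing about how Cert-J holds OIDs internally. The two policy OIDs and their "Canadian Trade"/"U.S. Trade" labels are constructed for illustration. The example also wraps the value in the Extension structure under extnID id-ce-policyMappings (2.5.29.33), and rejects what a validator must reject: an empty mapping list, anyPolicy (2.5.29.32.0) on either side of a mapping, and trailing, truncated or BER-only (indefinite or non-minimal length) input.

```python
"""Added example, not Cert-J code: DER encoding of the PolicyMappings value
(what derEncodeValue writes and decodeValue reads) and its Extension wrapper."""
ID_CE_POLICY_MAPPINGS = "2.5.29.33"
ANY_POLICY = "2.5.29.32.0"             # never valid inside a mapping (RFC 5280 4.2.1.5)
ISSUER_POLICY = "2.16.840.1.99999.1"   # constructed stand-in for a "Canadian Trade" policy
SUBJECT_POLICY = "2.16.124.1.99999.1"  # constructed stand-in for a "U.S. Trade" policy

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _read_tlv(buf, off, tag):
    """Parse one DER TLV at buf[off]; return (content, offset just past it)."""
    if off + 2 > len(buf) or buf[off] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, off))
    length, hdr = buf[off + 1], 2
    if length >= 0x80:                  # long form: reject encodings that are BER but not DER
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or off + 2 + nbytes > len(buf) or buf[off + 2] == 0:
            raise ValueError("indefinite or non-minimal length (BER, not DER)")
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), 2 + nbytes
        if length < 0x80:
            raise ValueError("non-minimal length (BER, not DER)")
    end = off + hdr + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[off + hdr:end], end

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, continuation bit on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def decode_oid(content):
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in content:
        if acc == 0 and b == 0x80:
            raise ValueError("non-minimal OID arc")
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    lead = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [lead, arcs[0] - 40 * lead] + arcs[1:])

def encode_policy_mappings(pairs):
    """PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { issuer, subject }."""
    if not pairs:
        raise ValueError("PolicyMappingsSyntax needs at least one mapping")
    body = b""
    for issuer, subject in pairs:
        if ANY_POLICY in (issuer, subject):
            raise ValueError("anyPolicy must not be mapped")
        body += _tlv(0x30, encode_oid(issuer) + encode_oid(subject))
    return _tlv(0x30, body)

def decode_policy_mappings(value, offset=0):
    """Inverse of encode_policy_mappings; same inputs as decodeValue(valueBER, offset)."""
    seq, end = _read_tlv(value, offset, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after PolicyMappingsSyntax")
    pairs, off = [], 0
    while off < len(seq):
        pair, off = _read_tlv(seq, off, 0x30)
        iss, p = _read_tlv(pair, 0, 0x06)
        sub, p = _read_tlv(pair, p, 0x06)
        if p != len(pair):
            raise ValueError("extra bytes inside a mapping")
        pairs.append((decode_oid(iss), decode_oid(sub)))
    if not pairs or any(ANY_POLICY in m for m in pairs):
        raise ValueError("empty mapping list or anyPolicy mapped")
    return pairs

def encode_extension(value, critical=True):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    crit = _tlv(0x01, b"\xff") if critical else b""   # DER omits a DEFAULT value
    return _tlv(0x30, encode_oid(ID_CE_POLICY_MAPPINGS) + crit + _tlv(0x04, value))

def is_rejected(fn, *args):
    try:
        fn(*args)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    v = encode_policy_mappings([(ISSUER_POLICY, SUBJECT_POLICY)])
    print(encode_extension(v).hex(), decode_policy_mappings(v))
```

The value returned by encode_policy_mappings is exactly the tail of the Extension produced by encode_extension: the caller that parses the certificate locates the extnValue OCTET STRING and hands its contents (and an offset into the buffer) to decodeValue. Whether to set the criticality flag is a profile question: RFC 2459, the profile current when this library was documented, required policyMappings to be non-critical, while RFC 5280 section 4.2.1.5 says conforming CAs SHOULD mark it critical and forbids mapping anyPolicy in either direction.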

clone

public Object clone()
             throws CloneNotSupportedException
Overrides the default clone method to get a deeper clone.

Overrides

clone in class X509V3Extension

Returns

A new PolicyMappings object, a copy of this object.

Throws

CloneNotSupportedException - If the cloning operation is not successful.


RSA BSAFE ® Cert-J 2.1.1 001-047007-211-001-000