java.lang.Object
  +--com.rsa.certj.Provider
        +--com.rsa.certj.provider.pki.CRS
This class provides the functionality needed to send certificate requests to, and receive certificate responses from, a Certification Authority (CA) that uses the Certificate Request Syntax (CRS). The information needed to construct a complete CRS certificate request is in the VeriSign CRS Profile Specification, available from VeriSign. Because there are many options for creating certificate requests, that specification details the options and the combinations of data used to format a certificate request. In particular, read the sections of the specification on the content of regInfo strings carefully: the provider cannot check that content for you, and a malformed regInfo is the most common reason a request is rejected.
The PKIMessage class, which is used by both certification requests and responses, includes the following fields:

- The signer-information field of the PKIMessage class must be set to perform message signing with a CRS Registration Authority (RA) certificate. To sign the message with the end-entity key rather than with the RA key, set this field to null. This field holds a PKCS #7-defined SignerInfo object with a number of subfields.

- The recipient-information field of the PKIMessage class must be valid so that messages can be enveloped. This field holds a PKCS #7-defined RecipientInfo object. It identifies the certificate that contains the public key of the intended CRS Autoresponder. Enveloped messages are strongly recommended if a certification request contains registration information that should be protected from snooping: a signature provides integrity and origin, not confidentiality, so a signed but unenveloped request carries its regInfo in the clear. Otherwise, the use of enveloping is at the discretion of the application developer.

- One further field of the PKIMessage class does not need to be set by the application. The service provider sets it appropriately when the request is composed and when a response is received.

- The transaction ID field of the PKIMessage class is used to associate requests with responses. If this field is null, the service provider automatically generates a transaction ID that complies with the CRS specification.

- Other fields of the PKIMessage class serve functions specific to the message type.

- The remaining fields of the PKIMessage class are not used by this service provider.

In addition to the PKIMessage fields described above, a certification request object contains the following PKIRequestMessage fields:

- The field of the PKIRequestMessage class that describes the certificate to be issued is used to set the characteristics of that certificate. Correct and complete use of this field is critical to the success of the certification request.

- The proof-of-possession type field of the PKIRequestMessage class does not need to be set, because PKIRequestMessage.PKI_POP_SIGNATURE is the only proof-of-possession that this service provider can use. The provider sets this automatically.

- The regInfo field of the PKIRequestMessage class is implicitly required by the service provider, because every type of certification request uses this field. The contents of this field depend on the particulars of certificate issuance, so CRS-specific knowledge of the requirements is necessary.

The proof-of-possession produced by PKIService.generateProofOfPossession is unnecessary for this provider and should be set to null. The PKIInterface.validateProofOfPossession SPI method is not used by this provider.

After the CA processes the certification request, it returns status information and, if successful, a certificate. In addition to the PKIMessage fields described above, the certification response object contains the following PKIResponseMessage fields:

- The status field of the PKIResponseMessage class contains a PKIStatusInfo object with four data items. A successful request is indicated by the status value PKIStatusInfo.PKI_STATUS_GRANTED (0); one of the other items uses null as the delimiter. Check the status before using any certificate in the response.

- The regInfo field of the PKIResponseMessage class contains the same regInfo information that was provided in the corresponding certification request, if the CRS autoresponder was sufficiently successful in parsing the request.

- The certificate field of the PKIResponseMessage class contains the requested certificate, if the request is successful. Any additional certificates may be found in the extraCerts field of the PKIMessage in the response object.

- One field of the PKIResponseMessage class is always ignored by this service provider.

A ProtectInfo object is passed into some of the SPI methods for this provider. This service provider specifically uses the certPathCtx field of ProtectionInfoPublicKey to compose and decompose signed or enveloped messages. This protection context is composed with the following components:
Field Summary
static int POP_TYPE_CSR
    Indicates that a Certificate Signing Request (CSR) is used when providing proof-of-possession.

Constructor Summary
CRS(String name, File configFile)
    Constructs a CRS object, using a configFile that is given as a File.
CRS(String name, InputStream configStream)
    Constructs a CRS object, using a configStream that is given as an InputStream.
CRS(String name, String configFileName)
    Constructs a CRS object, using a configFileName that is given as a String.

Method Summary
ProviderImplementation instantiate(CertJ certJ)
    Creates a ProviderImplementation object that handles CRS PKI SPI methods.
void saveCertificate(PKIResponseMessage response)
    Does not do anything.
void saveData(byte[] data, String fileName)
    Does not do anything.
void saveMessage(byte[] bytes, PKIMessage message, ProtectInfo protectInfo)
    Does not do anything.
Methods inherited from class com.rsa.certj.Provider
    getName, getType
Methods inherited from class java.lang.Object
    equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
public static final int POP_TYPE_CSR
    Indicates that a Certificate Signing Request (CSR) is used when providing proof-of-possession.
Constructor Detail
public CRS(String name, InputStream configStream) throws InvalidParameterException
Constructs a CRS object, using a configStream that is given as an InputStream.
Parameters
name - A String naming this provider.
configStream - An InputStream from which the configuration is read. The configuration consists of the entries dest, http.proxy, profile, and timeoutSecs.
dest specifies the location(s) of the OnSite CRS auto-responder(s).
http.proxy specifies the hostname:port of any HTTP proxies that may exist between the application and the CRS auto-responder.
profile specifies the particular CRS profile that is implemented by the responder, in anticipation that there may be subtle differences. The current implementation of this service provider has only been tested with the VeriSign OnSite responder, and its profile name has been chosen to be VeriSign. If this optional entry is left unspecified, it defaults to VeriSign.
timeoutSecs specifies how many seconds the application should wait before giving up on socket communication.
For example, the contents of the configuration file might be:
dest=http://onsite-admin.verisign.com/cgi-bin/crs.exe
http.proxy=proxy1.mycompany.com:80
http.proxy=proxy2.mycompany.com:80
profile=VeriSign
timeoutSecs=20
Note that dest in this example is a plain http:// URL, so the transport provides no confidentiality; registration information in the request is protected in transit only if the message is enveloped (see the class description).
Throws
InvalidParameterException - If any argument is invalid.
public CRS(String name, File configFile) throws InvalidParameterException
Constructs a CRS object, using a configFile that is given as a File.
Parameters
name - A String naming this provider.
configFile - A File from which the configuration is read. The configuration consists of the entries dest, http.proxy, profile, and timeoutSecs.
dest specifies the location(s) of the OnSite CRS auto-responder(s).
http.proxy specifies the hostname:port of any HTTP proxies that may exist between the application and the CRS auto-responder.
profile specifies the particular CRS profile that is implemented by the responder, in anticipation that there may be subtle differences. The current implementation of this service provider has only been tested with the VeriSign OnSite responder, and its profile name has been chosen to be VeriSign. If this optional entry is left unspecified, it defaults to VeriSign.
timeoutSecs specifies how many seconds the application should wait before giving up on socket communication.
For example, the contents of the configuration file might be:
dest=http://onsite-admin.verisign.com/cgi-bin/crs.exe
http.proxy=proxy1.mycompany.com:80
http.proxy=proxy2.mycompany.com:80
profile=VeriSign
timeoutSecs=3
Throws
InvalidParameterException - If any argument is invalid.
public CRS(String name, String configFileName) throws InvalidParameterException
Constructs a CRS object, using a configFileName that is given as a String.
Parameters
name - A String naming this provider.
configFileName - A String naming the file from which the configuration is read. The configuration consists of the entries dest, http.proxy, profile, and timeoutSecs.
dest specifies the location(s) of the OnSite CRS auto-responder(s).
http.proxy specifies the hostname:port of any HTTP proxies that may exist between the application and the CRS auto-responder.
profile specifies the particular CRS profile that is implemented by the responder, in anticipation that there may be subtle differences. The current implementation of this service provider has only been tested with the VeriSign OnSite responder, and its profile name has been chosen to be VeriSign. If this optional entry is left unspecified, it defaults to VeriSign.
timeoutSecs specifies how many seconds the application should wait before giving up on socket communication.
For example, the contents of the configuration file might be:
dest=http://onsite-admin.verisign.com/cgi-bin/crs.exe
http.proxy=proxy1.mycompany.com:80
http.proxy=proxy2.mycompany.com:80
profile=VeriSign
timeoutSecs=3
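The configuration format accepted by all three constructors (dest, http.proxy, profile, timeoutSecs) is easy to get subtly wrong: a misspelled key, a dest that is not a URL, or a dest that is a plain http:// URL whose regInfo will cross the wire unprotected unless the request is enveloped. The parser and validator below is an added example written for this page, not code from Cert-J or from RSA; it assumes a properties-style file with one key=value entry per line, that dest is mandatory and that timeoutSecs may be omitted (none of which the page states), and the names parse_crs_config, CrsConfig, ConfigError and check_typo_rejected are its own.

```python
"""Added example: parse and sanity-check a CRS provider configuration file.

Not Cert-J code. Assumptions (not stated on the page): one key=value entry
per line, properties style; dest is mandatory; timeoutSecs may be omitted.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

KNOWN_KEYS = {"dest", "http.proxy", "profile", "timeoutSecs"}
DEFAULT_PROFILE = "VeriSign"      # documented default when profile is omitted
TESTED_PROFILES = {"VeriSign"}    # the only responder the provider was tested with
PROXY_RE = re.compile(r"^[A-Za-z0-9.-]+:(?P<port>\d{1,5})$")


class ConfigError(ValueError):
    """A malformed entry; the analogue of the constructor's InvalidParameterException."""


@dataclass
class CrsConfig:
    dest: List[str]            # one or more auto-responder URLs
    http_proxy: List[str]      # zero or more hostname:port proxies
    profile: str
    timeout_secs: Optional[int]
    warnings: List[str]        # deployment hazards that are not hard errors


def parse_crs_config(text: str) -> CrsConfig:
    dests, proxies, warnings = [], [], []
    profile: Optional[str] = None
    timeout: Optional[int] = None

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ConfigError(f"line {lineno}: expected key=value, got {line!r}")
        if key not in KNOWN_KEYS:
            # Reject misspellings ('timoutSecs') rather than silently dropping the setting.
            raise ConfigError(f"line {lineno}: unknown key {key!r}; known: {sorted(KNOWN_KEYS)}")

        if key == "dest":
            url = urlparse(value)
            if url.scheme not in ("http", "https") or not url.netloc:
                raise ConfigError(f"line {lineno}: dest must be an http(s) URL, got {value!r}")
            if url.scheme == "http":
                # Signing gives integrity, not confidentiality: regInfo crosses the
                # wire in the clear unless the request is enveloped.
                warnings.append(f"dest {value} is plain HTTP; envelope requests that carry regInfo")
            dests.append(value)
        elif key == "http.proxy":
            m = PROXY_RE.match(value)
            if not m or not 1 <= int(m.group("port")) <= 65535:
                raise ConfigError(f"line {lineno}: http.proxy must be hostname:port, got {value!r}")
            proxies.append(value)
        elif key == "profile":
            if profile is not None:
                raise ConfigError(f"line {lineno}: profile given more than once")
            profile = value
        else:  # timeoutSecs
            if timeout is not None:
                raise ConfigError(f"line {lineno}: timeoutSecs given more than once")
            if not value.isdigit() or int(value) == 0:
                raise ConfigError(f"line {lineno}: timeoutSecs must be a positive integer, got {value!r}")
            timeout = int(value)

    if not dests:
        raise ConfigError("dest is required: no CRS auto-responder location given")
    profile = profile or DEFAULT_PROFILE
    if profile not in TESTED_PROFILES:
        warnings.append(f"profile {profile!r} has not been tested with this provider")
    return CrsConfig(dests, proxies, profile, timeout, warnings)


# Constructed sample inputs: the page's example file, and the same file with the
# misspelled key that appears in the page's text.
GOOD_CONFIG = """\
dest=http://onsite-admin.verisign.com/cgi-bin/crs.exe
http.proxy=proxy1.mycompany.com:80
http.proxy=proxy2.mycompany.com:80
profile=VeriSign
timeoutSecs=20
"""
TYPO_CONFIG = GOOD_CONFIG.replace("timeoutSecs=20", "timoutSecs=20")


def check_typo_rejected(text: str = TYPO_CONFIG) -> bool:
    """True when a misspelled key is rejected instead of being ignored."""
    try:
        parse_crs_config(text)
    except ConfigError:
        return True
    return False


if __name__ == "__main__":
    cfg = parse_crs_config(GOOD_CONFIG)
    print(cfg)
    print("typo rejected:", check_typo_rejected())
```

Run the validator over a configuration before handing it to the CRS constructor: a hard error corresponds to what the constructor would reject as an invalid argument, while the warnings list flags choices (plain-HTTP dest, untested profile) that the provider accepts but that deserve a deliberate decision.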
Throws
InvalidParameterException - If any argument is invalid.
Method Detail
public ProviderImplementation instantiate(CertJ certJ) throws ProviderManagementException
Creates a ProviderImplementation object that handles CRS PKI SPI methods. This method is called by CertJ.registerService when an object of the CRS class is being registered. Applications do not have to call this method.
Overrides
instantiate in class Provider
Parameters
certJ - The CertJ object with which this provider is being registered.
Returns
A ProviderImplementation object that provides the SPI implementations for CRS PKI providers.
Throws
ProviderManagementException - If instantiation of the CRS PKI provider fails.
public void saveMessage(byte[] bytes, PKIMessage message, ProtectInfo protectInfo) throws PKIException
Does not do anything.
Specified by
saveMessage in interface PKIDebug
Parameters
bytes - A byte array (ignored; this method does nothing).
message - A PKIMessage (ignored).
protectInfo - A ProtectInfo (ignored).
Throws
PKIException - If saving the message fails.
public void saveCertificate(PKIResponseMessage response) throws PKIException
Does not do anything.
Specified by
saveCertificate in interface PKIDebug
Parameters
response - A PKIResponseMessage (ignored; this method does nothing).
Throws
PKIException - If saving the returned certificate fails.
public void saveData(byte[] data, String fileName) throws PKIException
Does not do anything.
Specified by
saveData in interface PKIDebug
Parameters
data - A byte array (ignored; this method does nothing).
fileName - A String (ignored).
Throws
PKIException - If saving the data fails.