+ Note: if the object has been read from an input stream, the only + time you can be sure if isExplicit is returning the true state of + affairs is if it returns false. An implicitly tagged object may appear + to be explicitly tagged, so you need to understand the context under + which the reading was done as well, see GetObject below.
++ Note: tagged objects are generally context dependent if you're + trying to extract a tagged object you should be going via the + appropriate GetInstance method.
+null if not set.
+ @param indirectReference The indirect reference or null if not set.
+ @param dataValueDescriptor The data value descriptor or null if not set.
+ @param externalData The external data in its encoded form.
+ null if not set.
+ @param indirectReference The indirect reference or null if not set.
+ @param dataValueDescriptor The data value descriptor or null if not set.
+ @param encoding The encoding to be used for the external data
+ @param externalData The external data
+ 0 single-ASN1-type1 OCTET STRING2 BIT STRING+ Normally in a certificate we would expect "Z" rather than "GMT", + however adding the "GMT" means we can just use: +
+ dateF = new SimpleDateFormat("yyyyMMddHHmmssz");
+
+ To read in the time and Get a date which is compatible with our local
+ time zone.
+ + @param time the time string.
++ Normally in a certificate we would expect "Z" rather than "GMT", + however adding the "GMT" means we can just use: +
+ dateF = new SimpleDateFormat("yyMMddHHmmssz");
+
+ To read in the time and Get a date which is compatible with our local
+ time zone.
+ + Note: In some cases, due to the local date processing, this + may lead to unexpected results. If you want to stick the normal + convention of 1950 to 2049 use the GetAdjustedTime() method.
++ If you use this interface your class should also implement the getInstance + pattern which takes a tag object and the tagging mode used. +
+
+ CAKeyUpdAnnContent ::= SEQUENCE {
+ oldWithNew CmpCertificate, -- old pub signed with new priv
+ newWithOld CmpCertificate, -- new pub signed with old priv
+ newWithNew CmpCertificate -- new pub signed with new priv
+ }
+
+ @return a basic ASN.1 object representation.
+ + CertConfirmContent ::= SEQUENCE OF CertStatus ++ @return a basic ASN.1 object representation. +
+ CertOrEncCert ::= CHOICE {
+ certificate [0] CMPCertificate,
+ encryptedCert [1] EncryptedValue
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CertRepMessage ::= SEQUENCE {
+ caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+ OPTIONAL,
+ response SEQUENCE OF CertResponse
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CertResponse ::= SEQUENCE {
+ certReqId INTEGER,
+ -- to match this response with corresponding request (a value
+ -- of -1 is to be used if certReqId is not specified in the
+ -- corresponding request)
+ status PKIStatusInfo,
+ certifiedKeyPair CertifiedKeyPair OPTIONAL,
+ rspInfo OCTET STRING OPTIONAL
+ -- analogous to the id-regInfo-utf8Pairs string defined
+ -- for regInfo in CertReqMsg [CRMF]
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CertStatus ::= SEQUENCE {
+ certHash OCTET STRING,
+ -- the hash of the certificate, using the same hash algorithm
+ -- as is used to create and verify the certificate signature
+ certReqId INTEGER,
+ -- to match this confirmation with the corresponding req/rep
+ statusInfo PKIStatusInfo OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CertifiedKeyPair ::= SEQUENCE {
+ certOrEncCert CertOrEncCert,
+ privateKey [0] EncryptedValue OPTIONAL,
+ -- see [CRMF] for comment on encoding
+ publicationInfo [1] PKIPublicationInfo OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ Challenge ::= SEQUENCE {
+ owf AlgorithmIdentifier OPTIONAL,
+
+ -- MUST be present in the first Challenge; MAY be omitted in
+ -- any subsequent Challenge in POPODecKeyChallContent (if
+ -- omitted, then the owf used in the immediately preceding
+ -- Challenge is to be used).
+
+ witness OCTET STRING,
+ -- the result of applying the one-way function (owf) to a
+ -- randomly-generated INTEGER, A. [Note that a different
+ -- INTEGER MUST be used for each Challenge.]
+ challenge OCTET STRING
+ -- the encryption (under the public key for which the cert.
+ -- request is being made) of Rand, where Rand is specified as
+ -- Rand ::= SEQUENCE {
+ -- int INTEGER,
+ -- - the randomly-generated INTEGER A (above)
+ -- sender GeneralName
+ -- - the sender's name (as included in PKIHeader)
+ -- }
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CMPCertificate ::= CHOICE {
+ x509v3PKCert Certificate
+ x509v2AttrCert [1] AttributeCertificate
+ }
+
+ Note: the addition of attribute certificates is a BC extension.
+
+ @return a basic ASN.1 object representation.
+ + CrlAnnContent ::= SEQUENCE OF CertificateList ++ @return a basic ASN.1 object representation. +
+ ErrorMsgContent ::= SEQUENCE {
+ pKIStatusInfo PKIStatusInfo,
+ errorCode INTEGER OPTIONAL,
+ -- implementation-specific error codes
+ errorDetails PKIFreeText OPTIONAL
+ -- implementation-specific error details
+ }
+
+ @return a basic ASN.1 object representation.
+ + GenMsgContent ::= SEQUENCE OF InfoTypeAndValue ++ @return a basic ASN.1 object representation. +
+ GenRepContent ::= SEQUENCE OF InfoTypeAndValue ++ @return a basic ASN.1 object representation. +
+ id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1}
+ CAProtEncCertValue ::= CMPCertificate
+ id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2}
+ SignKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
+ id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3}
+ EncKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
+ id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4}
+ PreferredSymmAlgValue ::= AlgorithmIdentifier
+ id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5}
+ CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent
+ id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6}
+ CurrentCRLValue ::= CertificateList
+ id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
+ UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER
+ id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10}
+ KeyPairParamReqValue ::= OBJECT IDENTIFIER
+ id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11}
+ KeyPairParamRepValue ::= AlgorithmIdentifer
+ id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12}
+ RevPassphraseValue ::= EncryptedValue
+ id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13}
+ ImplicitConfirmValue ::= NULL
+ id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14}
+ ConfirmWaitTimeValue ::= GeneralizedTime
+ id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
+ OrigPKIMessageValue ::= PKIMessages
+ id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16}
+ SuppLangTagsValue ::= SEQUENCE OF UTF8String
+
+ where
+
+ id-pkix OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
+ and
+ id-it OBJECT IDENTIFIER ::= {id-pkix 4}
+
+
+ InfoTypeAndValue ::= SEQUENCE {
+ infoType OBJECT IDENTIFIER,
+ infoValue ANY DEFINED BY infoType OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ KeyRecRepContent ::= SEQUENCE {
+ status PKIStatusInfo,
+ newSigCert [0] CMPCertificate OPTIONAL,
+ caCerts [1] SEQUENCE SIZE (1..MAX) OF
+ CMPCertificate OPTIONAL,
+ keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
+ CertifiedKeyPair OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ OobCertHash ::= SEQUENCE {
+ hashAlg [0] AlgorithmIdentifier OPTIONAL,
+ certId [1] CertId OPTIONAL,
+ hashVal BIT STRING
+ -- hashVal is calculated over the Der encoding of the
+ -- self-signed certificate with the identifier certID.
+ }
+
+ @return a basic ASN.1 object representation.
+
+ PkiBody ::= CHOICE { -- message-specific body elements
+ ir [0] CertReqMessages, --Initialization Request
+ ip [1] CertRepMessage, --Initialization Response
+ cr [2] CertReqMessages, --Certification Request
+ cp [3] CertRepMessage, --Certification Response
+ p10cr [4] CertificationRequest, --imported from [PKCS10]
+ popdecc [5] POPODecKeyChallContent, --pop Challenge
+ popdecr [6] POPODecKeyRespContent, --pop Response
+ kur [7] CertReqMessages, --Key Update Request
+ kup [8] CertRepMessage, --Key Update Response
+ krr [9] CertReqMessages, --Key Recovery Request
+ krp [10] KeyRecRepContent, --Key Recovery Response
+ rr [11] RevReqContent, --Revocation Request
+ rp [12] RevRepContent, --Revocation Response
+ ccr [13] CertReqMessages, --Cross-Cert. Request
+ ccp [14] CertRepMessage, --Cross-Cert. Response
+ ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
+ cann [16] CertAnnContent, --Certificate Ann.
+ rann [17] RevAnnContent, --Revocation Ann.
+ crlann [18] CRLAnnContent, --CRL Announcement
+ pkiconf [19] PKIConfirmContent, --Confirmation
+ nested [20] NestedMessageContent, --Nested Message
+ genm [21] GenMsgContent, --General Message
+ genp [22] GenRepContent, --General Response
+ error [23] ErrorMsgContent, --Error Message
+ certConf [24] CertConfirmContent, --Certificate confirm
+ pollReq [25] PollReqContent, --Polling request
+ pollRep [26] PollRepContent --Polling response
+ }
+
+ @return a basic ASN.1 object representation.
+ + PkiConfirmContent ::= NULL ++ @return a basic ASN.1 object representation. +
+ PKIFailureInfo ::= BIT STRING {
+ badAlg (0),
+ -- unrecognized or unsupported Algorithm Identifier
+ badMessageCheck (1), -- integrity check failed (e.g., signature did not verify)
+ badRequest (2),
+ -- transaction not permitted or supported
+ badTime (3), -- messageTime was not sufficiently close to the system time, as defined by local policy
+ badCertId (4), -- no certificate could be found matching the provided criteria
+ badDataFormat (5),
+ -- the data submitted has the wrong format
+ wrongAuthority (6), -- the authority indicated in the request is different from the one creating the response token
+ incorrectData (7), -- the requester's data is incorrect (for notary services)
+ missingTimeStamp (8), -- when the timestamp is missing but should be there (by policy)
+ badPOP (9) -- the proof-of-possession failed
+ certRevoked (10),
+ certConfirmed (11),
+ wrongIntegrity (12),
+ badRecipientNonce (13),
+ timeNotAvailable (14),
+ -- the TSA's time source is not available
+ unacceptedPolicy (15),
+ -- the requested TSA policy is not supported by the TSA
+ unacceptedExtension (16),
+ -- the requested extension is not supported by the TSA
+ addInfoNotAvailable (17)
+ -- the additional information requested could not be understood
+ -- or is not available
+ badSenderNonce (18),
+ badCertTemplate (19),
+ signerNotTrusted (20),
+ transactionIdInUse (21),
+ unsupportedVersion (22),
+ notAuthorized (23),
+ systemUnavail (24),
+ systemFailure (25),
+ -- the request cannot be handled due to system failure
+ duplicateCertReq (26)
+
+ + PkiFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String ++
+ PkiHeader ::= SEQUENCE {
+ pvno INTEGER { cmp1999(1), cmp2000(2) },
+ sender GeneralName,
+ -- identifies the sender
+ recipient GeneralName,
+ -- identifies the intended recipient
+ messageTime [0] GeneralizedTime OPTIONAL,
+ -- time of production of this message (used when sender
+ -- believes that the transport will be "suitable"; i.e.,
+ -- that the time will still be meaningful upon receipt)
+ protectionAlg [1] AlgorithmIdentifier OPTIONAL,
+ -- algorithm used for calculation of protection bits
+ senderKID [2] KeyIdentifier OPTIONAL,
+ recipKID [3] KeyIdentifier OPTIONAL,
+ -- to identify specific keys used for protection
+ transactionID [4] OCTET STRING OPTIONAL,
+ -- identifies the transaction; i.e., this will be the same in
+ -- corresponding request, response, certConf, and PKIConf
+ -- messages
+ senderNonce [5] OCTET STRING OPTIONAL,
+ recipNonce [6] OCTET STRING OPTIONAL,
+ -- nonces used to provide replay protection, senderNonce
+ -- is inserted by the creator of this message; recipNonce
+ -- is a nonce previously inserted in a related message by
+ -- the intended recipient of this message
+ freeText [7] PKIFreeText OPTIONAL,
+ -- this may be used to indicate context-specific instructions
+ -- (this field is intended for human consumption)
+ generalInfo [8] SEQUENCE SIZE (1..MAX) OF
+ InfoTypeAndValue OPTIONAL
+ -- this may be used to convey context-specific information
+ -- (this field not primarily intended for human consumption)
+ }
+
+ @return a basic ASN.1 object representation.
+
+ PKIHeader ::= SEQUENCE {
+ pvno INTEGER { cmp1999(1), cmp2000(2) },
+ sender GeneralName,
+ -- identifies the sender
+ recipient GeneralName,
+ -- identifies the intended recipient
+ messageTime [0] GeneralizedTime OPTIONAL,
+ -- time of production of this message (used when sender
+ -- believes that the transport will be "suitable"; i.e.,
+ -- that the time will still be meaningful upon receipt)
+ protectionAlg [1] AlgorithmIdentifier OPTIONAL,
+ -- algorithm used for calculation of protection bits
+ senderKID [2] KeyIdentifier OPTIONAL,
+ recipKID [3] KeyIdentifier OPTIONAL,
+ -- to identify specific keys used for protection
+ transactionID [4] OCTET STRING OPTIONAL,
+ -- identifies the transaction; i.e., this will be the same in
+ -- corresponding request, response, certConf, and PKIConf
+ -- messages
+ senderNonce [5] OCTET STRING OPTIONAL,
+ recipNonce [6] OCTET STRING OPTIONAL,
+ -- nonces used to provide replay protection, senderNonce
+ -- is inserted by the creator of this message; recipNonce
+ -- is a nonce previously inserted in a related message by
+ -- the intended recipient of this message
+ freeText [7] PKIFreeText OPTIONAL,
+ -- this may be used to indicate context-specific instructions
+ -- (this field is intended for human consumption)
+ generalInfo [8] SEQUENCE SIZE (1..MAX) OF
+ InfoTypeAndValue OPTIONAL
+ -- this may be used to convey context-specific information
+ -- (this field not primarily intended for human consumption)
+ }
+
+ @return a basic ASN.1 object representation.
+
+ PkiMessage ::= SEQUENCE {
+ header PKIHeader,
+ body PKIBody,
+ protection [0] PKIProtection OPTIONAL,
+ extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+ OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+ + PkiMessages ::= SEQUENCE SIZE (1..MAX) OF PkiMessage ++ @return a basic ASN.1 object representation. +
+ PkiStatusInfo ::= SEQUENCE {
+ status PKIStatus, (INTEGER)
+ statusString PkiFreeText OPTIONAL,
+ failInfo PkiFailureInfo OPTIONAL (BIT STRING)
+ }
+
+ PKIStatus:
+ granted (0), -- you got exactly what you asked for
+ grantedWithMods (1), -- you got something like what you asked for
+ rejection (2), -- you don't get it, more information elsewhere in the message
+ waiting (3), -- the request body part has not yet been processed, expect to hear more later
+ revocationWarning (4), -- this message contains a warning that a revocation is imminent
+ revocationNotification (5), -- notification that a revocation has occurred
+ keyUpdateWarning (6) -- update already done for the oldCertId specified in CertReqMsg
+
+ PkiFailureInfo:
+ badAlg (0), -- unrecognized or unsupported Algorithm Identifier
+ badMessageCheck (1), -- integrity check failed (e.g., signature did not verify)
+ badRequest (2), -- transaction not permitted or supported
+ badTime (3), -- messageTime was not sufficiently close to the system time, as defined by local policy
+ badCertId (4), -- no certificate could be found matching the provided criteria
+ badDataFormat (5), -- the data submitted has the wrong format
+ wrongAuthority (6), -- the authority indicated in the request is different from the one creating the response token
+ incorrectData (7), -- the requester's data is incorrect (for notary services)
+ missingTimeStamp (8), -- when the timestamp is missing but should be there (by policy)
+ badPOP (9) -- the proof-of-possession failed
+
+
+
+ PbmParameter ::= SEQUENCE {
+ salt OCTET STRING,
+ -- note: implementations MAY wish to limit acceptable sizes
+ -- of this string to values appropriate for their environment
+ -- in order to reduce the risk of denial-of-service attacks
+ owf AlgorithmIdentifier,
+ -- AlgId for a One-Way Function (SHA-1 recommended)
+ iterationCount INTEGER,
+ -- number of times the OWF is applied
+ -- note: implementations MAY wish to limit acceptable sizes
+ -- of this integer to values appropriate for their environment
+ -- in order to reduce the risk of denial-of-service attacks
+ mac AlgorithmIdentifier
+ -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+ } -- or HMAC [RFC2104, RFC2202])
+
+ @return a basic ASN.1 object representation.
+
+ PollRepContent ::= SEQUENCE OF SEQUENCE {
+ certReqId INTEGER,
+ checkAfter INTEGER, -- time in seconds
+ reason PKIFreeText OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ PollReqContent ::= SEQUENCE OF SEQUENCE {
+ certReqId INTEGER
+ }
+
+ @return a basic ASN.1 object representation.
+ + PopoDecKeyChallContent ::= SEQUENCE OF Challenge ++ @return a basic ASN.1 object representation. +
+ PopoDecKeyRespContent ::= SEQUENCE OF INTEGER ++ @return a basic ASN.1 object representation. +
+ ProtectedPart ::= SEQUENCE {
+ header PKIHeader,
+ body PKIBody
+ }
+
+ @return a basic ASN.1 object representation.
+
+ RevAnnContent ::= SEQUENCE {
+ status PKIStatus,
+ certId CertId,
+ willBeRevokedAt GeneralizedTime,
+ badSinceDate GeneralizedTime,
+ crlDetails Extensions OPTIONAL
+ -- extra CRL details (e.g., crl number, reason, location, etc.)
+ }
+
+ @return a basic ASN.1 object representation.
+
+ RevDetails ::= SEQUENCE {
+ certDetails CertTemplate,
+ -- allows requester to specify as much as they can about
+ -- the cert. for which revocation is requested
+ -- (e.g., for cases in which serialNumber is not available)
+ crlEntryDetails Extensions OPTIONAL
+ -- requested crlEntryExtensions
+ }
+
+ @return a basic ASN.1 object representation.
+
+ RevRepContent ::= SEQUENCE {
+ status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
+ -- in same order as was sent in RevReqContent
+ revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
+ -- IDs for which revocation was requested
+ -- (same order as status)
+ crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
+ -- the resulting CRLs (there may be more than one)
+ }
+
+ @return a basic ASN.1 object representation.
+ + RevReqContent ::= SEQUENCE OF RevDetails ++ @return a basic ASN.1 object representation. +
+ Attribute ::= SEQUENCE {
+ attrType OBJECT IDENTIFIER,
+ attrValues SET OF AttributeValue
+ }
+
+ + Attributes ::= + SET SIZE(1..MAX) OF Attribute -- according to RFC 5652 ++ @return +
+ AuthEnvelopedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ authEncryptedContentInfo EncryptedContentInfo,
+ authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
+ mac MessageAuthenticationCode,
+ unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL }
+
+
+ AuthEnvelopedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ authEncryptedContentInfo EncryptedContentInfo,
+ authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
+ mac MessageAuthenticationCode,
+ unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL }
+
+
+ AuthenticatedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ macAlgorithm MessageAuthenticationCodeAlgorithm,
+ digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
+ encapContentInfo EncapsulatedContentInfo,
+ authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
+ mac MessageAuthenticationCode,
+ unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
+
+ AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+ UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+ MessageAuthenticationCode ::= OCTET STRING
+
+
+ AuthenticatedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ macAlgorithm MessageAuthenticationCodeAlgorithm,
+ digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
+ encapContentInfo EncapsulatedContentInfo,
+ authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
+ mac MessageAuthenticationCode,
+ unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
+
+ AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+ UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+ MessageAuthenticationCode ::= OCTET STRING
+
+
+ CompressedData ::= Sequence {
+ version CMSVersion,
+ compressionAlgorithm CompressionAlgorithmIdentifier,
+ encapContentInfo EncapsulatedContentInfo
+ }
+
+
+ CompressedData ::= SEQUENCE {
+ version CMSVersion,
+ compressionAlgorithm CompressionAlgorithmIdentifier,
+ encapContentInfo EncapsulatedContentInfo
+ }
+
+
+ ContentInfo ::= Sequence {
+ contentType ContentType,
+ content
+ [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+
+
+ ContentInfo ::= SEQUENCE {
+ contentType ContentType,
+ content
+ [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+
+
+ EncryptedContentInfo ::= Sequence {
+ contentType ContentType,
+ contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
+ encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL
+ }
+
+
+ EncryptedContentInfo ::= SEQUENCE {
+ contentType ContentType,
+ contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
+ encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL
+ }
+
+
+ EncryptedData ::= SEQUENCE {
+ version CMSVersion,
+ encryptedContentInfo EncryptedContentInfo,
+ unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+
+ EnvelopedData ::= Sequence {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ encryptedContentInfo EncryptedContentInfo,
+ unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL
+ }
+
+
+ EnvelopedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ encryptedContentInfo EncryptedContentInfo,
+ unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL
+ }
+
+
+ KekIdentifier ::= Sequence {
+ keyIdentifier OCTET STRING,
+ date GeneralizedTime OPTIONAL,
+ other OtherKeyAttribute OPTIONAL
+ }
+
+
+ KekRecipientInfo ::= Sequence {
+ version CMSVersion, -- always set to 4
+ kekID KekIdentifier,
+ keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ encryptedKey EncryptedKey
+ }
+
+
+ KeyAgreeRecipientIdentifier ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ rKeyId [0] IMPLICIT RecipientKeyIdentifier
+ }
+
+
+ * KeyAgreeRecipientInfo ::= Sequence {
+ * version CMSVersion, -- always set to 3
+ * originator [0] EXPLICIT OriginatorIdentifierOrKey,
+ * ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
+ * keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ * recipientEncryptedKeys RecipientEncryptedKeys
+ * }
+ *
+ * UserKeyingMaterial ::= OCTET STRING
+ *
+
+ KeyTransRecipientInfo ::= Sequence {
+ version CMSVersion, -- always set to 0 or 2
+ rid RecipientIdentifier,
+ keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ encryptedKey EncryptedKey
+ }
+
+
+ MetaData ::= SEQUENCE {
+ hashProtected BOOLEAN,
+ fileName UTF8String OPTIONAL,
+ mediaType IA5String OPTIONAL,
+ otherMetaData Attributes OPTIONAL
+ }
+
+ @return
+
+ OriginatorIdentifierOrKey ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ subjectKeyIdentifier [0] SubjectKeyIdentifier,
+ originatorKey [1] OriginatorPublicKey
+ }
+
+ SubjectKeyIdentifier ::= OCTET STRING
+
+
+ OriginatorInfo ::= Sequence {
+ certs [0] IMPLICIT CertificateSet OPTIONAL,
+ crls [1] IMPLICIT CertificateRevocationLists OPTIONAL
+ }
+
+
+ OriginatorPublicKey ::= Sequence {
+ algorithm AlgorithmIdentifier,
+ publicKey BIT STRING
+ }
+
+
+ OtherKeyAttribute ::= Sequence {
+ keyAttrId OBJECT IDENTIFIER,
+ keyAttr ANY DEFINED BY keyAttrId OPTIONAL
+ }
+
+
+ OtherRecipientInfo ::= Sequence {
+ oriType OBJECT IDENTIFIER,
+ oriValue ANY DEFINED BY oriType }
+
+
+ OtherRevocationInfoFormat ::= SEQUENCE {
+ otherRevInfoFormat OBJECT IDENTIFIER,
+ otherRevInfo ANY DEFINED BY otherRevInfoFormat }
+
+
+ PasswordRecipientInfo ::= Sequence {
+ version CMSVersion, -- Always set to 0
+ keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
+ OPTIONAL,
+ keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ encryptedKey EncryptedKey }
+
+
+ RecipientEncryptedKey ::= SEQUENCE {
+ rid KeyAgreeRecipientIdentifier,
+ encryptedKey EncryptedKey
+ }
+
+
+ RecipientIdentifier ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ subjectKeyIdentifier [0] SubjectKeyIdentifier
+ }
+
+ SubjectKeyIdentifier ::= OCTET STRING
+
+
+ RecipientInfo ::= CHOICE {
+ ktri KeyTransRecipientInfo,
+ kari [1] KeyAgreeRecipientInfo,
+ kekri [2] KekRecipientInfo,
+ pwri [3] PasswordRecipientInfo,
+ ori [4] OtherRecipientInfo }
+
+
+ RecipientKeyIdentifier ::= Sequence {
+ subjectKeyIdentifier SubjectKeyIdentifier,
+ date GeneralizedTime OPTIONAL,
+ other OtherKeyAttribute OPTIONAL
+ }
+
+ SubjectKeyIdentifier ::= OCTET STRING
+
+
+ ScvpReqRes ::= SEQUENCE {
+ request [0] EXPLICIT ContentInfo OPTIONAL,
+ response ContentInfo }
+
+ @return the ASN.1 primitive representation.
+
+ SignedData ::= Sequence {
+ version CMSVersion,
+ digestAlgorithms DigestAlgorithmIdentifiers,
+ encapContentInfo EncapsulatedContentInfo,
+ certificates [0] IMPLICIT CertificateSet OPTIONAL,
+ crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
+ signerInfos SignerInfos
+ }
+
+
+ SignedData ::= SEQUENCE {
+ version CMSVersion,
+ digestAlgorithms DigestAlgorithmIdentifiers,
+ encapContentInfo EncapsulatedContentInfo,
+ certificates [0] IMPLICIT CertificateSet OPTIONAL,
+ crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
+ signerInfos SignerInfos
+ }
+
+
+ SignerIdentifier ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ subjectKeyIdentifier [0] SubjectKeyIdentifier
+ }
+
+ SubjectKeyIdentifier ::= OCTET STRING
+
+
+ SignerInfo ::= Sequence {
+ version Version,
+ SignerIdentifier sid,
+ digestAlgorithm DigestAlgorithmIdentifier,
+ authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
+ digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
+ encryptedDigest EncryptedDigest,
+ unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
+ }
+
+ EncryptedDigest ::= OCTET STRING
+
+ DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+
+ DigestEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+
+ TimeStampAndCRL ::= SEQUENCE {
+ timeStamp TimeStampToken, -- according to RFC 3161
+ crl CertificateList OPTIONAL -- according to RFC 5280
+ }
+
+ @return
+ + TimeStampTokenEvidence ::= + SEQUENCE SIZE(1..MAX) OF TimeStampAndCrl ++ @return +
+ TimeStampedData ::= SEQUENCE {
+ version INTEGER { v1(1) },
+ dataUri IA5String OPTIONAL,
+ metaData MetaData OPTIONAL,
+ content OCTET STRING OPTIONAL,
+ temporalEvidence Evidence
+ }
+
+ @return
+
+ MQVuserKeyingMaterial ::= SEQUENCE {
+ ephemeralPublicKey OriginatorPublicKey,
+ addedukm [0] EXPLICIT UserKeyingMaterial OPTIONAL }
+
+
+ AttributeTypeAndValue ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ value ANY DEFINED BY type }
+
+ @return a basic ASN.1 object representation.
+
+ CertId ::= SEQUENCE {
+ issuer GeneralName,
+ serialNumber INTEGER }
+
+ @return a basic ASN.1 object representation.
+ + CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg ++ @return a basic ASN.1 object representation. +
+ CertReqMsg ::= SEQUENCE {
+ certReq CertRequest,
+ pop ProofOfPossession OPTIONAL,
+ -- content depends upon key type
+ regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+
+ CertRequest ::= SEQUENCE {
+ certReqId INTEGER, -- ID for matching request and reply
+ certTemplate CertTemplate, -- Selected fields of cert to be issued
+ controls Controls OPTIONAL } -- Attributes affecting issuance
+
+ @return a basic ASN.1 object representation.
+
+ CertTemplate ::= SEQUENCE {
+ version [0] Version OPTIONAL,
+ serialNumber [1] INTEGER OPTIONAL,
+ signingAlg [2] AlgorithmIdentifier OPTIONAL,
+ issuer [3] Name OPTIONAL,
+ validity [4] OptionalValidity OPTIONAL,
+ subject [5] Name OPTIONAL,
+ publicKey [6] SubjectPublicKeyInfo OPTIONAL,
+ issuerUID [7] UniqueIdentifier OPTIONAL,
+ subjectUID [8] UniqueIdentifier OPTIONAL,
+ extensions [9] Extensions OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+
+ CertTemplate ::= SEQUENCE {
+ version [0] Version OPTIONAL,
+ serialNumber [1] INTEGER OPTIONAL,
+ signingAlg [2] AlgorithmIdentifier OPTIONAL,
+ issuer [3] Name OPTIONAL,
+ validity [4] OptionalValidity OPTIONAL,
+ subject [5] Name OPTIONAL,
+ publicKey [6] SubjectPublicKeyInfo OPTIONAL,
+ issuerUID [7] UniqueIdentifier OPTIONAL,
+ subjectUID [8] UniqueIdentifier OPTIONAL,
+ extensions [9] Extensions OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+ + Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue ++ @return a basic ASN.1 object representation. +
+ EncKeyWithID ::= SEQUENCE {
+ privateKey PrivateKeyInfo,
+ identifier CHOICE {
+ string UTF8String,
+ generalName GeneralName
+ } OPTIONAL
+ }
+
+ @return
+
+ EncryptedKey ::= CHOICE {
+ encryptedValue EncryptedValue, -- deprecated
+ envelopedData [0] EnvelopedData }
+ -- The encrypted private key MUST be placed in the envelopedData
+ -- encryptedContentInfo encryptedContent OCTET STRING.
+
+
+ EncryptedValue ::= SEQUENCE {
+ intendedAlg [0] AlgorithmIdentifier OPTIONAL,
+ -- the intended algorithm for which the value will be used
+ symmAlg [1] AlgorithmIdentifier OPTIONAL,
+ -- the symmetric algorithm used to encrypt the value
+ encSymmKey [2] BIT STRING OPTIONAL,
+ -- the (encrypted) symmetric key used to encrypt the value
+ keyAlg [3] AlgorithmIdentifier OPTIONAL,
+ -- algorithm used to encrypt the symmetric key
+ valueHint [4] OCTET STRING OPTIONAL,
+ -- a brief description or identifier of the encValue content
+ -- (may be meaningful only to the sending entity, and used only
+ -- if EncryptedValue might be re-examined by the sending entity
+ -- in the future)
+ encValue BIT STRING }
+ -- the encrypted value itself
+
+ @return a basic ASN.1 object representation.
+
+ OptionalValidity ::= SEQUENCE {
+ notBefore [0] Time OPTIONAL,
+ notAfter [1] Time OPTIONAL } --at least one MUST be present
+
+ @return a basic ASN.1 object representation.
+
+ PkiArchiveOptions ::= CHOICE {
+ encryptedPrivKey [0] EncryptedKey,
+ -- the actual value of the private key
+ keyGenParameters [1] KeyGenParameters,
+ -- parameters which allow the private key to be re-generated
+ archiveRemGenPrivKey [2] BOOLEAN }
+ -- set to TRUE if sender wishes receiver to archive the private
+ -- key of a key pair that the receiver generates in response to
+ -- this request; set to FALSE if no archival is desired.
+
+
+ PkiPublicationInfo ::= SEQUENCE {
+ action INTEGER {
+ dontPublish (0),
+ pleasePublish (1) },
+ pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
+ -- pubInfos MUST NOT be present if action is "dontPublish"
+ -- (if action is "pleasePublish" and pubInfos is omitted,
+ -- "dontCare" is assumed)
+
+ @return a basic ASN.1 object representation.
+
+ PKMACValue ::= SEQUENCE {
+ algId AlgorithmIdentifier,
+ -- algorithm value shall be PasswordBasedMac 1.2.840.113533.7.66.13
+ -- parameter value is PBMParameter
+ value BIT STRING }
+
+ @return a basic ASN.1 object representation.
+
+ PopoPrivKey ::= CHOICE {
+ thisMessage [0] BIT STRING, -- Deprecated
+ -- possession is proven in this message (which contains the private
+ -- key itself (encrypted for the CA))
+ subsequentMessage [1] SubsequentMessage,
+ -- possession will be proven in a subsequent message
+ dhMAC [2] BIT STRING, -- Deprecated
+ agreeMAC [3] PKMACValue,
+ encryptedKey [4] EnvelopedData }
+
+
+ PopoSigningKey ::= SEQUENCE {
+ poposkInput [0] PopoSigningKeyInput OPTIONAL,
+ algorithmIdentifier AlgorithmIdentifier,
+ signature BIT STRING }
+ -- The signature (using "algorithmIdentifier") is on the
+ -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
+ -- certReq CertTemplate contains the subject and publicKey values,
+ -- then poposkInput MUST be omitted and the signature MUST be
+ -- computed on the DER-encoded value of CertReqMsg certReq. If
+ -- the CertReqMsg certReq CertTemplate does not contain the public
+ -- key and subject values, then poposkInput MUST be present and
+ -- MUST be signed. This strategy ensures that the public key is
+ -- not present in both the poposkInput and CertReqMsg certReq
+ -- CertTemplate fields.
+
+ @return a basic ASN.1 object representation.
+
+ PopoSigningKeyInput ::= SEQUENCE {
+ authInfo CHOICE {
+ sender [0] GeneralName,
+ -- used only if an authenticated identity has been
+ -- established for the sender (e.g., a DN from a
+ -- previously-issued and currently-valid certificate
+ publicKeyMac PKMacValue },
+ -- used if no authenticated GeneralName currently exists for
+ -- the sender; publicKeyMac contains a password-based MAC
+ -- on the DER-encoded value of publicKey
+ publicKey SubjectPublicKeyInfo } -- from CertTemplate
+
+ @return a basic ASN.1 object representation.
+
+ ProofOfPossession ::= CHOICE {
+ raVerified [0] NULL,
+ -- used if the RA has already verified that the requester is in
+ -- possession of the private key
+ signature [1] PopoSigningKey,
+ keyEncipherment [2] PopoPrivKey,
+ keyAgreement [3] PopoPrivKey }
+
+ @return a basic ASN.1 object representation.
+
+ SinglePubInfo ::= SEQUENCE {
+ pubMethod INTEGER {
+ dontCare (0),
+ x500 (1),
+ web (2),
+ ldap (3) },
+ pubLocation GeneralName OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+
+ Gost28147-89-Parameters ::=
+ SEQUENCE {
+ iv Gost28147-89-IV,
+ encryptionParamSet OBJECT IDENTIFIER
+ }
+
+ Gost28147-89-IV ::= OCTET STRING (SIZE (8))
+
+
+ CertificateValues ::= SEQUENCE OF Certificate
+
+
+ CommitmentTypeIndication ::= SEQUENCE {
+ commitmentTypeId CommitmentTypeIdentifier,
+ commitmentTypeQualifier SEQUENCE SIZE (1..MAX) OF
+ CommitmentTypeQualifier OPTIONAL }
+
+
+ CommitmentTypeQualifier ::= SEQUENCE {
+ commitmentTypeIdentifier CommitmentTypeIdentifier,
+ qualifier ANY DEFINED BY commitmentTypeIdentifier OPTIONAL }
+
+ CommitmentTypeQualifier instance.
+
+ @param commitmentTypeIdentifier a CommitmentTypeIdentifier value
+ CommitmentTypeQualifier instance.
+
+ @param commitmentTypeIdentifier a CommitmentTypeIdentifier value
+ @param qualifier the qualifier, defined by the above field.
+ CommitmentTypeQualifier instance.
+
+ @param as CommitmentTypeQualifier structure
+ encoded as an Asn1Sequence.
+ Asn1Object value
+
+ CompleteCertificateRefs ::= SEQUENCE OF OtherCertID
+
+
+ CompleteRevocationRefs ::= SEQUENCE OF CrlOcspRef
+
+
+ CrlIdentifier ::= SEQUENCE
+ {
+ crlissuer Name,
+ crlIssuedTime UTCTime,
+ crlNumber INTEGER OPTIONAL
+ }
+
+
+ CRLListID ::= SEQUENCE
+ {
+ crls SEQUENCE OF CrlValidatedID
+ }
+
+
+ CrlOcspRef ::= SEQUENCE {
+ crlids [0] CRLListID OPTIONAL,
+ ocspids [1] OcspListID OPTIONAL,
+ otherRev [2] OtherRevRefs OPTIONAL
+ }
+
+
+ CrlValidatedID ::= SEQUENCE {
+ crlHash OtherHash,
+ crlIdentifier CrlIdentifier OPTIONAL}
+
+
+ OcspIdentifier ::= SEQUENCE {
+ ocspResponderID ResponderID,
+ -- As in OCSP response data
+ producedAt GeneralizedTime
+ -- As in OCSP response data
+ }
+
+
+ OcspListID ::= SEQUENCE {
+ ocspResponses SEQUENCE OF OcspResponsesID
+ }
+
+
+ OcspResponsesID ::= SEQUENCE {
+ ocspIdentifier OcspIdentifier,
+ ocspRepHash OtherHash OPTIONAL
+ }
+
+
+ OtherCertID ::= SEQUENCE {
+ otherCertHash OtherHash,
+ issuerSerial IssuerSerial OPTIONAL
+ }
+
+
+ OtherHash ::= CHOICE {
+ sha1Hash OtherHashValue, -- This contains a SHA-1 hash
+ otherHash OtherHashAlgAndValue
+ }
+
+ OtherHashValue ::= OCTET STRING
+
+
+ OtherHashAlgAndValue ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ hashValue OtherHashValue
+ }
+
+ OtherHashValue ::= OCTET STRING
+
+
+ OtherRevRefs ::= SEQUENCE
+ {
+ otherRevRefType OtherRevRefType,
+ otherRevRefs ANY DEFINED BY otherRevRefType
+ }
+
+ OtherRevRefType ::= OBJECT IDENTIFIER
+
+
+ OtherRevVals ::= SEQUENCE
+ {
+ otherRevValType OtherRevValType,
+ otherRevVals ANY DEFINED BY otherRevValType
+ }
+
+ OtherRevValType ::= OBJECT IDENTIFIER
+
+
+ OtherSigningCertificate ::= SEQUENCE {
+ certs SEQUENCE OF OtherCertID,
+ policies SEQUENCE OF PolicyInformation OPTIONAL
+ }
+
+
+ RevocationValues ::= SEQUENCE {
+ crlVals [0] SEQUENCE OF CertificateList OPTIONAL,
+ ocspVals [1] SEQUENCE OF BasicOCSPResponse OPTIONAL,
+ otherRevVals [2] OtherRevVals OPTIONAL
+ }
+
+
+ SigPolicyQualifierInfo ::= SEQUENCE {
+ sigPolicyQualifierId SigPolicyQualifierId,
+ sigQualifier ANY DEFINED BY sigPolicyQualifierId
+ }
+
+ SigPolicyQualifierId ::= OBJECT IDENTIFIER
+
+
+ SignaturePolicyId ::= SEQUENCE {
+ sigPolicyIdentifier SigPolicyId,
+ sigPolicyHash SigPolicyHash,
+ sigPolicyQualifiers SEQUENCE SIZE (1..MAX) OF SigPolicyQualifierInfo OPTIONAL
+ }
+
+ SigPolicyId ::= OBJECT IDENTIFIER
+
+ SigPolicyHash ::= OtherHashAlgAndValue
+
+
+ SignaturePolicyIdentifier ::= CHOICE {
+ SignaturePolicyId SignaturePolicyId,
+ SignaturePolicyImplied SignaturePolicyImplied
+ }
+
+ SignaturePolicyImplied ::= NULL
+
+
+ SignerAttribute ::= SEQUENCE OF CHOICE {
+ claimedAttributes [0] ClaimedAttributes,
+ certifiedAttributes [1] CertifiedAttributes }
+
+ ClaimedAttributes ::= SEQUENCE OF Attribute
+ CertifiedAttributes ::= AttributeCertificate -- as defined in RFC 3281: see clause 4.1.
+
+
+ SignerLocation ::= SEQUENCE {
+ countryName [0] DirectoryString OPTIONAL,
+ localityName [1] DirectoryString OPTIONAL,
+ postalAddress [2] PostalAddress OPTIONAL }
+
+ PostalAddress ::= SEQUENCE SIZE(1..6) OF DirectoryString
+
+
+ SignerLocation ::= SEQUENCE {
+ countryName [0] DirectoryString OPTIONAL,
+ localityName [1] DirectoryString OPTIONAL,
+ postalAddress [2] PostalAddress OPTIONAL }
+
+ PostalAddress ::= SEQUENCE SIZE(1..6) OF DirectoryString
+
+ DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1.. MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+
+ ContentHints ::= SEQUENCE {
+ contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
+ contentType ContentType }
+
+ + ContentIdentifier ::= OCTET STRING ++ id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 7 } +
+ EssCertID ::= SEQUENCE {
+ certHash Hash,
+ issuerSerial IssuerSerial OPTIONAL }
+
+
+ EssCertIDv2 ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier
+ DEFAULT {algorithm id-sha256},
+ certHash Hash,
+ issuerSerial IssuerSerial OPTIONAL
+ }
+
+ Hash ::= OCTET STRING
+
+ IssuerSerial ::= SEQUENCE {
+ issuer GeneralNames,
+ serialNumber CertificateSerialNumber
+ }
+
+
+ OtherCertID ::= SEQUENCE {
+ otherCertHash OtherHash,
+ issuerSerial IssuerSerial OPTIONAL }
+
+ OtherHash ::= CHOICE {
+ sha1Hash OCTET STRING,
+ otherHash OtherHashAlgAndValue }
+
+ OtherHashAlgAndValue ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ hashValue OCTET STRING }
+
+
+
+ OtherSigningCertificate ::= SEQUENCE {
+ certs SEQUENCE OF OtherCertID,
+ policies SEQUENCE OF PolicyInformation OPTIONAL
+ }
+
+ id-aa-ets-otherSigCert OBJECT IDENTIFIER ::= { iso(1)
+ member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
+ smime(16) id-aa(2) 19 }
+
+ SigningCertificate ::= SEQUENCE {
+ certs SEQUENCE OF EssCertID,
+ policies SEQUENCE OF PolicyInformation OPTIONAL
+ }
+
+ id-aa-signingCertificate OBJECT IDENTIFIER ::= { iso(1)
+ member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
+ smime(16) id-aa(2) 12 }
+
+ SigningCertificateV2 ::= SEQUENCE {
+ certs SEQUENCE OF EssCertIDv2,
+ policies SEQUENCE OF PolicyInformation OPTIONAL
+ }
+
+ id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= { iso(1)
+ member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
+ smime(16) id-aa(2) 47 }
+
+ CscaMasterList ::= SEQUENCE {
+ version CscaMasterListVersion,
+ certList SET OF Certificate }
+
+ CscaMasterListVersion :: INTEGER {v0(0)}
+
+
+ DataGroupHash ::= SEQUENCE {
+ dataGroupNumber DataGroupNumber,
+ dataGroupHashValue OCTET STRING }
+
+ DataGroupNumber ::= INTEGER {
+ dataGroup1 (1),
+ dataGroup1 (2),
+ dataGroup1 (3),
+ dataGroup1 (4),
+ dataGroup1 (5),
+ dataGroup1 (6),
+ dataGroup1 (7),
+ dataGroup1 (8),
+ dataGroup1 (9),
+ dataGroup1 (10),
+ dataGroup1 (11),
+ dataGroup1 (12),
+ dataGroup1 (13),
+ dataGroup1 (14),
+ dataGroup1 (15),
+ dataGroup1 (16) }
+
+
+
+ LDSSecurityObject ::= SEQUENCE {
+ version LDSSecurityObjectVersion,
+ hashAlgorithm DigestAlgorithmIdentifier,
+ dataGroupHashValues SEQUENCE SIZE (2..ub-DataGroups) OF DataHashGroup,
+ ldsVersionInfo LDSVersionInfo OPTIONAL
+ -- if present, version MUST be v1 }
+
+ DigestAlgorithmIdentifier ::= AlgorithmIdentifier,
+
+ LDSSecurityObjectVersion :: INTEGER {V0(0)}
+
+
+ LDSVersionInfo ::= SEQUENCE {
+ ldsVersion PRINTABLE STRING
+ unicodeVersion PRINTABLE STRING
+ }
+
+ @return
+ + DateOfCertGenSyntax ::= GeneralizedTime ++
+ ICCSNSyntax ::= OCTET STRING (SIZE(8..20)) ++
+ PKReferenceSyntax ::= OCTET STRING (SIZE(20)) ++
+ RestrictionSyntax ::= DirectoryString (SIZE(1..1024)) ++ + @see Org.BouncyCastle.Asn1.IsisMtt.X509.Restriction +
+ RetrieveIfAllowed ::= BOOLEAN ++
+ CertInDirSince ::= GeneralizedTime ++
+ NameAtBirth ::= DirectoryString(SIZE(1..64) ++ + Used in + {@link Org.BouncyCastle.Asn1.X509.SubjectDirectoryAttributes SubjectDirectoryAttributes} +
+ AdditionalInformationSyntax ::= DirectoryString (SIZE(1..2048)) ++ + @see Org.BouncyCastle.Asn1.IsisMtt.X509.AdditionalInformationSyntax +
+ LiabilityLimitationFlagSyntax ::= BOOLEAN ++
+ CertHash ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ certificateHash OCTET STRING
+ }
+
+
+ CertHash ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ certificateHash OCTET STRING
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ CertHash ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ certificateHash OCTET STRING
+ }
+
+
+ @return an Asn1Object
+
+ RequestedCertificate ::= CHOICE {
+ Certificate Certificate,
+ publicKeyCertificate [0] EXPLICIT OCTET STRING,
+ attributeCertificate [1] EXPLICIT OCTET STRING
+ }
+
+ null.
+
+ @param certificate Given as Certificate
+
+ RequestedCertificate ::= CHOICE {
+ Certificate Certificate,
+ publicKeyCertificate [0] EXPLICIT OCTET STRING,
+ attributeCertificate [1] EXPLICIT OCTET STRING
+ }
+
+
+ @return an Asn1Object
+ + AdditionalInformationSyntax ::= DirectoryString (SIZE(1..2048)) ++
+ AdditionalInformationSyntax ::= DirectoryString (SIZE(1..2048)) ++ + @return an Asn1Object +
+ AdmissionSyntax ::= SEQUENCE
+ {
+ admissionAuthority GeneralName OPTIONAL,
+ contentsOfAdmissions SEQUENCE OF Admissions
+ }
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+
+ ISIS-MTT PROFILE: The relatively complex structure of AdmissionSyntax
+ supports the following concepts and requirements:
+
+ AdmissionSyntax ::= SEQUENCE
+ {
+ admissionAuthority GeneralName OPTIONAL,
+ contentsOfAdmissions SEQUENCE OF Admissions
+ }
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ AdmissionSyntax ::= SEQUENCE
+ {
+ admissionAuthority GeneralName OPTIONAL,
+ contentsOfAdmissions SEQUENCE OF Admissions
+ }
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @return an Asn1Object
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+
+
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.AdmissionSyntax
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.ProfessionInfo
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.NamingAuthority
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+
+ @param seq The ASN.1 sequence.
+ professionInfos is mandatory.
+
+ @param admissionAuthority The admission authority.
+ @param namingAuthority The naming authority.
+ @param professionInfos The profession infos.
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+
+
+ @return an Asn1Object
+
+ DeclarationOfMajoritySyntax ::= CHOICE
+ {
+ notYoungerThan [0] IMPLICIT INTEGER,
+ fullAgeAtCountry [1] IMPLICIT SEQUENCE
+ {
+ fullAge BOOLEAN DEFAULT TRUE,
+ country PrintableString (SIZE(2))
+ }
+ dateOfBirth [2] IMPLICIT GeneralizedTime
+ }
+
+
+ fullAgeAtCountry indicates the majority of the owner with respect to the laws
+ of a specific country.
+
+ DeclarationOfMajoritySyntax ::= CHOICE
+ {
+ notYoungerThan [0] IMPLICIT INTEGER,
+ fullAgeAtCountry [1] IMPLICIT SEQUENCE
+ {
+ fullAge BOOLEAN DEFAULT TRUE,
+ country PrintableString (SIZE(2))
+ }
+ dateOfBirth [2] IMPLICIT GeneralizedTime
+ }
+
+
+ @return an Asn1Object
+
+ MonetaryLimitSyntax ::= SEQUENCE
+ {
+ currency PrintableString (SIZE(3)),
+ amount INTEGER,
+ exponent INTEGER
+ }
+
+
+ currency must be the ISO code.
+
+ value = amount�10*exponent
+
+ MonetaryLimitSyntax ::= SEQUENCE
+ {
+ currency PrintableString (SIZE(3)),
+ amount INTEGER,
+ exponent INTEGER
+ }
+
+
+ @return an Asn1Object
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityID OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.AdmissionSyntax
+
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityID OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityID OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+
+ @return an Asn1Object
+ + ISIS-MTT PROFILE: The corresponding ProcurationSyntax contains either the + name of the person who is represented (subcomponent thirdPerson) or a + reference to his/her base certificate (in the component signingFor, + subcomponent certRef), furthermore the optional components country and + typeSubstitution to indicate the country whose laws apply, and respectively + the type of procuration (e.g. manager, procuration, custody). +
++ ISIS-MTT PROFILE: The GeneralName MUST be of type directoryName and MAY only + contain: - RFC3039 attributes, except pseudonym (countryName, commonName, + surname, givenName, serialNumber, organizationName, organizationalUnitName, + stateOrProvincename, localityName, postalAddress) and - SubjectDirectoryName + attributes (title, dateOfBirth, placeOfBirth, gender, countryOfCitizenship, + countryOfResidence and NameAtBirth). +
+
+ ProcurationSyntax ::= SEQUENCE {
+ country [1] EXPLICIT PrintableString(SIZE(2)) OPTIONAL,
+ typeOfSubstitution [2] EXPLICIT DirectoryString (SIZE(1..128)) OPTIONAL,
+ signingFor [3] EXPLICIT SigningFor
+ }
+
+ SigningFor ::= CHOICE
+ {
+ thirdPerson GeneralName,
+ certRef IssuerSerial
+ }
+
+
+
+ ProcurationSyntax ::= SEQUENCE {
+ country [1] EXPLICIT PrintableString(SIZE(2)) OPTIONAL,
+ typeOfSubstitution [2] EXPLICIT DirectoryString (SIZE(1..128)) OPTIONAL,
+ signingFor [3] EXPLICIT SigningFor
+ }
+
+ SigningFor ::= CHOICE
+ {
+ thirdPerson GeneralName,
+ certRef IssuerSerial
+ }
+
+
+ @param seq The ASN.1 sequence.
+ generalName or certRef MUST be
+ null.
+
+ @param country The country code whose laws apply.
+ @param typeOfSubstitution The type of procuration.
+ @param certRef Reference to certificate of the person who is represented.
+ generalName or certRef MUST be
+ null.
+
+ @param country The country code whose laws apply.
+ @param typeOfSubstitution The type of procuration.
+ @param thirdPerson The GeneralName of the person who is represented.
+
+ ProcurationSyntax ::= SEQUENCE {
+ country [1] EXPLICIT PrintableString(SIZE(2)) OPTIONAL,
+ typeOfSubstitution [2] EXPLICIT DirectoryString (SIZE(1..128)) OPTIONAL,
+ signingFor [3] EXPLICIT SigningFor
+ }
+
+ SigningFor ::= CHOICE
+ {
+ thirdPerson GeneralName,
+ certRef IssuerSerial
+ }
+
+
+ @return an Asn1Object
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOids SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.AdmissionSyntax
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOids SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @param seq The ASN.1 sequence.
+ professionItems is mandatory, all other parameters are
+ optional.
+
+ @param namingAuthority The naming authority.
+ @param professionItems Directory strings of the profession.
+ @param professionOids DERObjectIdentfier objects for the
+ profession.
+ @param registrationNumber Registration number.
+ @param addProfessionInfo Additional infos in encoded form.
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOids SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @return an Asn1Object
+ + RestrictionSyntax ::= DirectoryString (SIZE(1..1024)) ++
+ RestrictionSyntax ::= DirectoryString (SIZE(1..1024)) ++ + @param restriction A IAsn1String. +
+ RestrictionSyntax ::= DirectoryString (SIZE(1..1024)) + ++ + @return an Asn1Object +
+ cast5CBCParameters ::= Sequence {
+ iv OCTET STRING DEFAULT 0,
+ -- Initialization vector
+ keyLength Integer
+ -- Key length, in bits
+ }
+
+
+ IDEA-CBCPar ::= Sequence {
+ iv OCTET STRING OPTIONAL -- exactly 8 octets
+ }
+
+
+ NetscapeCertType ::= BIT STRING {
+ SSLClient (0),
+ SSLServer (1),
+ S/MIME (2),
+ Object Signing (3),
+ Reserved (4),
+ SSL CA (5),
+ S/MIME CA (6),
+ Object Signing CA (7) }
+
+
+ PublicKeyAndChallenge ::= SEQUENCE {
+ spki SubjectPublicKeyInfo,
+ challenge IA5STRING
+ }
+
+
+
+ BasicOcspResponse ::= Sequence {
+ tbsResponseData ResponseData,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT Sequence OF Certificate OPTIONAL }
+
+
+ CertID ::= Sequence {
+ hashAlgorithm AlgorithmIdentifier,
+ issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+ issuerKeyHash OCTET STRING, -- Hash of Issuers public key
+ serialNumber CertificateSerialNumber }
+
+
+ CertStatus ::= CHOICE {
+ good [0] IMPLICIT Null,
+ revoked [1] IMPLICIT RevokedInfo,
+ unknown [2] IMPLICIT UnknownInfo }
+
+
+ CrlID ::= Sequence {
+ crlUrl [0] EXPLICIT IA5String OPTIONAL,
+ crlNum [1] EXPLICIT Integer OPTIONAL,
+ crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
+
+
+ OcspRequest ::= Sequence {
+ tbsRequest TBSRequest,
+ optionalSignature [0] EXPLICIT Signature OPTIONAL }
+
+
+ OcspResponse ::= Sequence {
+ responseStatus OcspResponseStatus,
+ responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
+
+
+ OcspResponseStatus ::= Enumerated {
+ successful (0), --Response has valid confirmations
+ malformedRequest (1), --Illegal confirmation request
+ internalError (2), --Internal error in issuer
+ tryLater (3), --Try again later
+ --(4) is not used
+ sigRequired (5), --Must sign the request
+ unauthorized (6) --Request unauthorized
+ }
+
+
+ Request ::= Sequence {
+ reqCert CertID,
+ singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
+
+
+ ResponderID ::= CHOICE {
+ byName [1] Name,
+ byKey [2] KeyHash }
+
+
+ ResponseBytes ::= Sequence {
+ responseType OBJECT IDENTIFIER,
+ response OCTET STRING }
+
+
+ ResponseData ::= Sequence {
+ version [0] EXPLICIT Version DEFAULT v1,
+ responderID ResponderID,
+ producedAt GeneralizedTime,
+ responses Sequence OF SingleResponse,
+ responseExtensions [1] EXPLICIT Extensions OPTIONAL }
+
+
+ RevokedInfo ::= Sequence {
+ revocationTime GeneralizedTime,
+ revocationReason [0] EXPLICIT CRLReason OPTIONAL }
+
+
+ ServiceLocator ::= Sequence {
+ issuer Name,
+ locator AuthorityInfoAccessSyntax OPTIONAL }
+
+
+ Signature ::= Sequence {
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT Sequence OF Certificate OPTIONAL}
+
+
+ SingleResponse ::= Sequence {
+ certID CertID,
+ certStatus CertStatus,
+ thisUpdate GeneralizedTime,
+ nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+ singleExtensions [1] EXPLICIT Extensions OPTIONAL }
+
+
+ TBSRequest ::= Sequence {
+ version [0] EXPLICIT Version DEFAULT v1,
+ requestorName [1] EXPLICIT GeneralName OPTIONAL,
+ requestList Sequence OF Request,
+ requestExtensions [2] EXPLICIT Extensions OPTIONAL }
+
+
+ Attr ::= Sequence {
+ attrType OBJECT IDENTIFIER,
+ attrValues Set OF AttributeValue
+ }
+
+
+ CertificationRequest ::= Sequence {
+ certificationRequestInfo CertificationRequestInfo,
+ signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
+ signature BIT STRING
+ }
+
+
+ CertificationRequestInfo ::= Sequence {
+ version Integer { v1(0) } (v1,...),
+ subject Name,
+ subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+ attributes [0] Attributes{{ CRIAttributes }}
+ }
+
+ Attributes { ATTRIBUTE:IOSet } ::= Set OF Attr{{ IOSet }}
+
+ Attr { ATTRIBUTE:IOSet } ::= Sequence {
+ type ATTRIBUTE.&id({IOSet}),
+ values Set SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{\@type})
+ }
+
+
+ ContentInfo ::= Sequence {
+ contentType ContentType,
+ content
+ [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+
+
+ EncryptedData ::= Sequence {
+ version Version,
+ encryptedContentInfo EncryptedContentInfo
+ }
+
+
+ EncryptedContentInfo ::= Sequence {
+ contentType ContentType,
+ contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
+ encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL
+ }
+
+ EncryptedContent ::= OCTET STRING
+
+
+ EncryptedPrivateKeyInfo ::= Sequence {
+ encryptionAlgorithm AlgorithmIdentifier {{KeyEncryptionAlgorithms}},
+ encryptedData EncryptedData
+ }
+
+ EncryptedData ::= OCTET STRING
+
+ KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
+ ... -- For local profiles
+ }
+
+
+ MacData ::= SEQUENCE {
+ mac DigestInfo,
+ macSalt OCTET STRING,
+ iterations INTEGER DEFAULT 1
+ -- Note: The default is for historic reasons and its use is deprecated. A
+ -- higher value, like 1024 is recommended.
+
+ @return the basic DERObject construction.
+
+ PrivateKeyInfo ::= Sequence {
+ version Version,
+ privateKeyAlgorithm AlgorithmIdentifier {{PrivateKeyAlgorithms}},
+ privateKey PrivateKey,
+ attributes [0] IMPLICIT Attributes OPTIONAL
+ }
+ Version ::= Integer {v1(0)} (v1,...)
+
+ PrivateKey ::= OCTET STRING
+
+ Attributes ::= Set OF Attr
+
+
+ RSAES-OAEP-params ::= SEQUENCE {
+ hashAlgorithm [0] OAEP-PSSDigestAlgorithms DEFAULT sha1,
+ maskGenAlgorithm [1] PKCS1MGFAlgorithms DEFAULT mgf1SHA1,
+ pSourceAlgorithm [2] PKCS1PSourceAlgorithms DEFAULT pSpecifiedEmpty
+ }
+
+ OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-sha1 PARAMETERS NULL }|
+ { OID id-sha256 PARAMETERS NULL }|
+ { OID id-sha384 PARAMETERS NULL }|
+ { OID id-sha512 PARAMETERS NULL },
+ ... -- Allows for future expansion --
+ }
+ PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-mgf1 PARAMETERS OAEP-PSSDigestAlgorithms },
+ ... -- Allows for future expansion --
+ }
+ PKCS1PSourceAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-pSpecified PARAMETERS OCTET STRING },
+ ... -- Allows for future expansion --
+ }
+
+ @return the asn1 primitive representing the parameters.
+
+ RsaPrivateKey ::= Sequence {
+ version Version,
+ modulus Integer, -- n
+ publicExponent Integer, -- e
+ privateExponent Integer, -- d
+ prime1 Integer, -- p
+ prime2 Integer, -- q
+ exponent1 Integer, -- d mod (p-1)
+ exponent2 Integer, -- d mod (q-1)
+ coefficient Integer -- (inverse of q) mod p
+ }
+
+ Version ::= Integer
+
+ This routine is written to output Pkcs1 version 0, private keys.
+
+ RSASSA-PSS-params ::= SEQUENCE {
+ hashAlgorithm [0] OAEP-PSSDigestAlgorithms DEFAULT sha1,
+ maskGenAlgorithm [1] PKCS1MGFAlgorithms DEFAULT mgf1SHA1,
+ saltLength [2] INTEGER DEFAULT 20,
+ trailerField [3] TrailerField DEFAULT trailerFieldBC
+ }
+
+ OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-sha1 PARAMETERS NULL }|
+ { OID id-sha256 PARAMETERS NULL }|
+ { OID id-sha384 PARAMETERS NULL }|
+ { OID id-sha512 PARAMETERS NULL },
+ ... -- Allows for future expansion --
+ }
+
+ PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-mgf1 PARAMETERS OAEP-PSSDigestAlgorithms },
+ ... -- Allows for future expansion --
+ }
+
+ TrailerField ::= INTEGER { trailerFieldBC(1) }
+
+ @return the asn1 primitive representing the parameters.
+
+ SignedData ::= Sequence {
+ version Version,
+ digestAlgorithms DigestAlgorithmIdentifiers,
+ contentInfo ContentInfo,
+ certificates
+ [0] IMPLICIT ExtendedCertificatesAndCertificates
+ OPTIONAL,
+ crls
+ [1] IMPLICIT CertificateRevocationLists OPTIONAL,
+ signerInfos SignerInfos }
+
+
+ SignerInfo ::= Sequence {
+ version Version,
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ digestAlgorithm DigestAlgorithmIdentifier,
+ authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
+ digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
+ encryptedDigest EncryptedDigest,
+ unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
+ }
+
+ EncryptedDigest ::= OCTET STRING
+
+ DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+
+ DigestEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+
+ + SMIMECapabilities ::= Sequence OF SMIMECapability ++
+ SMIMECapability ::= Sequence {
+ capabilityID OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY capabilityID OPTIONAL
+ }
+
+
+ SmimeEncryptionKeyPreference ::= CHOICE {
+ issuerAndSerialNumber [0] IssuerAndSerialNumber,
+ receipentKeyId [1] RecipientKeyIdentifier,
+ subjectAltKeyIdentifier [2] SubjectKeyIdentifier
+ }
+
+
+ Accuracy ::= SEQUENCE {
+ seconds INTEGER OPTIONAL,
+ millis [0] INTEGER (1..999) OPTIONAL,
+ micros [1] INTEGER (1..999) OPTIONAL
+ }
+
+
+ MessageImprint ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ hashedMessage OCTET STRING }
+
+
+
+ TstInfo ::= SEQUENCE {
+ version INTEGER { v1(1) },
+ policy TSAPolicyId,
+ messageImprint MessageImprint,
+ -- MUST have the same value as the similar field in
+ -- TimeStampReq
+ serialNumber INTEGER,
+ -- Time-Stamping users MUST be ready to accommodate integers
+ -- up to 160 bits.
+ genTime GeneralizedTime,
+ accuracy Accuracy OPTIONAL,
+ ordering BOOLEAN DEFAULT FALSE,
+ nonce INTEGER OPTIONAL,
+ -- MUST be present if the similar field was present
+ -- in TimeStampReq. In that case it MUST have the same value.
+ tsa [0] GeneralName OPTIONAL,
+ extensions [1] IMPLICIT Extensions OPTIONAL }
+
+
+
+ TimeStampReq ::= SEQUENCE {
+ version INTEGER { v1(1) },
+ messageImprint MessageImprint,
+ --a hash algorithm OID and the hash value of the data to be
+ --time-stamped
+ reqPolicy TSAPolicyId OPTIONAL,
+ nonce INTEGER OPTIONAL,
+ certReq BOOLEAN DEFAULT FALSE,
+ extensions [0] IMPLICIT Extensions OPTIONAL
+ }
+
+
+ TimeStampResp ::= SEQUENCE {
+ status PkiStatusInfo,
+ timeStampToken TimeStampToken OPTIONAL }
+
+
+ DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1..MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+
+ AccessDescription ::= SEQUENCE {
+ accessMethod OBJECT IDENTIFIER,
+ accessLocation GeneralName }
+
+
+ AlgorithmIdentifier ::= Sequence {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+
+
+ AttCertIssuer ::= CHOICE {
+ v1Form GeneralNames, -- MUST NOT be used in this
+ -- profile
+ v2Form [0] V2Form -- v2 only
+ }
+
+
+ AttCertValidityPeriod ::= Sequence {
+ notBeforeTime GeneralizedTime,
+ notAfterTime GeneralizedTime
+ }
+
+
+ Attr ::= Sequence {
+ attrType OBJECT IDENTIFIER,
+ attrValues Set OF AttributeValue
+ }
+
+
+ AttributeCertificate ::= Sequence {
+ acinfo AttributeCertificateInfo,
+ signatureAlgorithm AlgorithmIdentifier,
+ signatureValue BIT STRING
+ }
+
+
+ AttributeCertificateInfo ::= Sequence {
+ version AttCertVersion -- version is v2,
+ holder Holder,
+ issuer AttCertIssuer,
+ signature AlgorithmIdentifier,
+ serialNumber CertificateSerialNumber,
+ attrCertValidityPeriod AttCertValidityPeriod,
+ attributes Sequence OF Attr,
+ issuerUniqueID UniqueIdentifier OPTIONAL,
+ extensions Extensions OPTIONAL
+ }
+
+ AttCertVersion ::= Integer { v2(1) }
+
+
+ id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+
+ AuthorityInfoAccessSyntax ::=
+ Sequence SIZE (1..MAX) OF AccessDescription
+ AccessDescription ::= Sequence {
+ accessMethod OBJECT IDENTIFIER,
+ accessLocation GeneralName }
+
+ id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+ id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+ id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
+
+
+ id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
+
+ AuthorityKeyIdentifier ::= Sequence {
+ keyIdentifier [0] IMPLICIT KeyIdentifier OPTIONAL,
+ authorityCertIssuer [1] IMPLICIT GeneralNames OPTIONAL,
+ authorityCertSerialNumber [2] IMPLICIT CertificateSerialNumber OPTIONAL }
+
+ KeyIdentifier ::= OCTET STRING
+
+
+ + * SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence)new ASN1InputStream( + * publicKey.getEncoded()).readObject()); + * AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki); + *+ * + * +
+ BasicConstraints := Sequence {
+ cA Boolean DEFAULT FALSE,
+ pathLenConstraint Integer (0..MAX) OPTIONAL
+ }
+
+
+ CrlDistPoint ::= Sequence SIZE {1..MAX} OF DistributionPoint
+
+ + CRLNumber::= Integer(0..MAX) ++
+ CRLReason ::= Enumerated {
+ unspecified (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ removeFromCRL (8),
+ privilegeWithdrawn (9),
+ aACompromise (10)
+ }
+
+ + CertPolicyId ::= OBJECT IDENTIFIER ++
+ CertificateList ::= Sequence {
+ tbsCertList TbsCertList,
+ signatureAlgorithm AlgorithmIdentifier,
+ signatureValue BIT STRING }
+
+
+ crossCertificatePairATTRIBUTE::={
+ WITH SYNTAX CertificatePair
+ EQUALITY MATCHING RULE certificatePairExactMatch
+ ID joint-iso-ccitt(2) ds(5) attributeType(4) crossCertificatePair(40)}
+
+
+ The forward elements of the crossCertificatePair attribute of a + CA's directory entry shall be used to store all, except self-issued + certificates issued to this CA. Optionally, the reverse elements of the + crossCertificatePair attribute, of a CA's directory entry may contain a + subset of certificates issued by this CA to other CAs. When both the forward + and the reverse elements are present in a single attribute value, issuer name + in one certificate shall match the subject name in the other and vice versa, + and the subject public key in one certificate shall be capable of verifying + the digital signature on the other certificate and vice versa. + + When a reverse element is present, the forward element value and the reverse + element value need not be stored in the same attribute value; in other words, + they can be stored in either a single attribute value or two attribute + values.+ +
+ CertificatePair ::= SEQUENCE {
+ forward [0] Certificate OPTIONAL,
+ reverse [1] Certificate OPTIONAL,
+ -- at least one of the pair shall be present -- }
+
+
+ CertificatePair ::= SEQUENCE {
+ forward [0] Certificate OPTIONAL,
+ reverse [1] Certificate OPTIONAL,
+ -- at least one of the pair shall be present -- }
+
+
+ @param seq The ASN.1 sequence.
+
+ CertificatePair ::= SEQUENCE {
+ forward [0] Certificate OPTIONAL,
+ reverse [1] Certificate OPTIONAL,
+ -- at least one of the pair shall be present -- }
+
+
+ @return a DERObject
+
+ CertificatePolicies ::= SEQUENCE SIZE {1..MAX} OF PolicyInformation
+
+
+ DigestInfo::=Sequence{
+ digestAlgorithm AlgorithmIdentifier,
+ digest OCTET STRING }
+
+ DisplayText class, used in
+ CertificatePolicies X509 V3 extensions (in policy qualifiers).
+
+ It stores a string in a chosen encoding. +
+ DisplayText ::= CHOICE {
+ ia5String IA5String (SIZE (1..200)),
+ visibleString VisibleString (SIZE (1..200)),
+ bmpString BMPString (SIZE (1..200)),
+ utf8String UTF8String (SIZE (1..200)) }
+
+ @see PolicyQualifierInfo
+ @see PolicyInformation
+ DisplayTextMaximumSize here.
+
+ DisplayText instance.
+
+ @param type the desired encoding type for the text.
+ @param text the text to store. Strings longer than 200
+ characters are truncated.
+ DisplayText instance.
+
+ @param text the text to encapsulate. Strings longer than 200
+ characters are truncated.
+ DisplayText instance.
+ Useful when reading back a DisplayText class
+ from it's Asn1Encodable form.
Asn1Encodable instance.
+ string object.
+
+ @return the stored text as a string.
+
+ DistributionPoint ::= Sequence {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ reasons [1] ReasonFlags OPTIONAL,
+ cRLIssuer [2] GeneralNames OPTIONAL
+ }
+
+
+ DistributionPointName ::= CHOICE {
+ fullName [0] GeneralNames,
+ nameRelativeToCRLIssuer [1] RDN
+ }
+
+ + extendedKeyUsage ::= Sequence SIZE (1..MAX) OF KeyPurposeId ++
+ GeneralName ::= CHOICE {
+ otherName [0] OtherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+ directoryName [4] Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER}
+
+ OtherName ::= Sequence {
+ type-id OBJECT IDENTIFIER,
+ value [0] EXPLICIT ANY DEFINED BY type-id }
+
+ EDIPartyName ::= Sequence {
+ nameAssigner [0] DirectoryString OPTIONAL,
+ partyName [1] DirectoryString }
+
+ + This constructor can handle: +
+ Note: A directory name can be encoded in different ways into a byte + representation. Be aware of this if the byte representation is used for + comparing results. +
+ + @param tag tag number + @param name string representation of name + @throws ArgumentException if the string encoding is not correct or + not supported. +
+ GeneralNames ::= Sequence SIZE {1..MAX} OF GeneralName
+
+
+
+ GeneralSubtree ::= SEQUENCE
+ {
+ baseName GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL
+ }
+
+
+ @see org.bouncycastle.asn1.x509.NameConstraints
+
+
+ If minimum is null, zero is assumed, if
+ maximum is null, maximum is absent.
+ GeneralSubtree ::= SEQUENCE
+ {
+ baseName GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL
+ }
+
+
+ @return a DERObject
+ + For an v2 attribute certificate this is: + +
+ Holder ::= SEQUENCE {
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ -- the issuer and serial number of
+ -- the holder's Public Key Certificate
+ entityName [1] GeneralNames OPTIONAL,
+ -- the name of the claimant or role
+ objectDigestInfo [2] ObjectDigestInfo OPTIONAL
+ -- used to directly authenticate the holder,
+ -- for example, an executable
+ }
+
+
+ + For an v1 attribute certificate this is: + +
+ subject CHOICE {
+ baseCertificateID [0] IssuerSerial,
+ -- associated with a Public Key Certificate
+ subjectName [1] GeneralNames },
+ -- associated with a name
+
+
+
+ Holder ::= Sequence {
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ -- the issuer and serial number of
+ -- the holder's Public Key Certificate
+ entityName [1] GeneralNames OPTIONAL,
+ -- the name of the claimant or role
+ objectDigestInfo [2] ObjectDigestInfo OPTIONAL
+ -- used to directly authenticate the holder,
+ -- for example, an executable
+ }
+
+ IetfAttrSyntax as specified by RFC3281.
+
+
+ IetfAttrSyntax ::= Sequence {
+ policyAuthority [0] GeneralNames OPTIONAL,
+ values Sequence OF CHOICE {
+ octets OCTET STRING,
+ oid OBJECT IDENTIFIER,
+ string UTF8String
+ }
+ }
+
+
+
+ IssuerSerial ::= Sequence {
+ issuer GeneralNames,
+ serial CertificateSerialNumber,
+ issuerUid UniqueIdentifier OPTIONAL
+ }
+
+
+ IssuingDistributionPoint ::= SEQUENCE {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
+ onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
+ onlySomeReasons [3] ReasonFlags OPTIONAL,
+ indirectCRL [4] BOOLEAN DEFAULT FALSE,
+ onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
+
+ true then the CRL contains revocation
+ information about certificates ssued by other CAs.
+ @param onlyContainsAttributeCerts Covers revocation information for attribute certificates.
+ + KeyPurposeID ::= OBJECT IDENTIFIER ++
+ id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+ KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1),
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8) }
+
+ permitted and excluded are Vectors of GeneralSubtree objects.
+ + @param permitted Permitted subtrees + @param excluded Excluded subtrees +NoticeReference class, used in
+ CertificatePolicies X509 V3 extensions
+ (in policy qualifiers).
+
+
+ NoticeReference ::= Sequence {
+ organization DisplayText,
+ noticeNumbers Sequence OF Integer }
+
+
+
+ @see PolicyQualifierInfo
+ @see PolicyInformation
+ NoticeReference instance.
+
+ @param organization a String value
+ @param numbers a Vector value
+ NoticeReference instance.
+
+ @param organization a String value
+ @param noticeNumbers an ASN1EncodableVector value
+ NoticeReference instance.
+
+ @param organization displayText
+ @param noticeNumbers an ASN1EncodableVector value
+ NoticeReference instance.
+ Useful for reconstructing a NoticeReference
+ instance from its encodable/encoded form.
Asn1Sequence value obtained from either
+ calling @{link ToAsn1Object()} for a NoticeReference
+ instance or from parsing it from a Der-encoded stream.
+ ToAsn1Object method here.
+
+ @return a Asn1Object value
+
+
+ ObjectDigestInfo ::= SEQUENCE {
+ digestedObjectType ENUMERATED {
+ publicKey (0),
+ publicKeyCert (1),
+ otherObjectTypes (2) },
+ -- otherObjectTypes MUST NOT
+ -- be used in this profile
+ otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
+ digestAlgorithm AlgorithmIdentifier,
+ objectDigest BIT STRING
+ }
+
+
+
+
+ If digestedObjectType is not {@link #publicKeyCert} or
+ {@link #publicKey} otherObjectTypeID must be given,
+ otherwise it is ignored.
otherObjectDigest.
+ @param digestAlgorithm The algorithm identifier for the hash.
+ @param objectDigest The hash value.
+
+
+ ObjectDigestInfo ::= SEQUENCE {
+ digestedObjectType ENUMERATED {
+ publicKey (0),
+ publicKeyCert (1),
+ otherObjectTypes (2) },
+ -- otherObjectTypes MUST NOT
+ -- be used in this profile
+ otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
+ digestAlgorithm AlgorithmIdentifier,
+ objectDigest BIT STRING
+ }
+
+
+
+ PolicyMappings ::= Sequence SIZE (1..MAX) OF Sequence {
+ issuerDomainPolicy CertPolicyId,
+ subjectDomainPolicy CertPolicyId }
+
+
+ @see RFC 3280, section 4.2.1.6
+ PolicyMappings instance.
+
+ @param seq an Asn1Sequence constructed as specified
+ in RFC 3280
+ PolicyMappings instance.
+
+ @param mappings a HashMap value that maps
+ string oids
+ to other string oids.
+
+ id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+ id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
+ id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
+ PolicyQualifierId ::=
+ OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+
+
+ PolicyQualifierInfo ::= Sequence {
+ policyQualifierId PolicyQualifierId,
+ qualifier ANY DEFINED BY policyQualifierId }
+
+ PolicyQualifierInfo instance.
+
+ @param policyQualifierId a PolicyQualifierId value
+ @param qualifier the qualifier, defined by the above field.
+ PolicyQualifierInfo containing a
+ cPSuri qualifier.
+
+ @param cps the CPS (certification practice statement) uri as a
+ string.
+ PolicyQualifierInfo instance.
+
+ @param as PolicyQualifierInfo X509 structure
+ encoded as an Asn1Sequence.
+ Asn1Object value
+
+ PrivateKeyUsagePeriod ::= SEQUENCE
+ {
+ notBefore [0] GeneralizedTime OPTIONAL,
+ notAfter [1] GeneralizedTime OPTIONAL }
+
+
+ RSAPublicKey ::= Sequence {
+ modulus Integer, -- n
+ publicExponent Integer, -- e
+ }
+
+
+ ReasonFlags ::= BIT STRING {
+ unused(0),
+ keyCompromise(1),
+ cACompromise(2),
+ affiliationChanged(3),
+ superseded(4),
+ cessationOfOperation(5),
+ certficateHold(6)
+ }
+
+
+ RoleSyntax ::= SEQUENCE {
+ roleAuthority [0] GeneralNames OPTIONAL,
+ roleName [1] GeneralName
+ }
+
+
+ RoleSyntax. It must be an instance of RoleSyntax
+ or Asn1Sequence.
+ @return the instance of RoleSyntax built from the
+ supplied object.
+ @throws java.lang.ArgumentException if the object passed
+ to the factory is not an instance of RoleSyntax or
+ Asn1Sequence.
+ new RoleSyntax(null, roleName).
+ @param roleName the role name of this RoleSyntax.
+ string argument representing
+ the role name, builds a GeneralName to hold the role name
+ and calls the constructor that takes a GeneralName.
+ @param roleName
+ RoleSyntax by
+ extracting the encoded elements from the Asn1Sequence
+ object supplied.
+ @param seq an instance of Asn1Sequence that holds
+ the encoded elements used to build this RoleSyntax.
+ GeneralNames holding the
+ role authority of this RoleSyntax.
+ GeneralName holding the
+ role name of this RoleSyntax.
+ java.lang.string object.
+ @return the role name of this RoleSyntax represented as a
+ string object.
+ string[] object.
+ @return the role authority of this RoleSyntax represented as a
+ string[] array.
+ ToAsn1Object as
+ required by the superclass ASN1Encodable.
+
+
+ RoleSyntax ::= SEQUENCE {
+ roleAuthority [0] GeneralNames OPTIONAL,
+ roleName [1] GeneralName
+ }
+
+
+ SubjectDirectoryAttributes ::= Attributes
+ Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ Attribute ::= SEQUENCE
+ {
+ type AttributeType
+ values SET OF AttributeValue
+ }
+
+ AttributeType ::= OBJECT IDENTIFIER
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+
+ @see org.bouncycastle.asn1.x509.X509Name for AttributeType ObjectIdentifiers.
+
+ SubjectDirectoryAttributes ::= Attributes
+ Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ Attribute ::= SEQUENCE
+ {
+ type AttributeType
+ values SET OF AttributeValue
+ }
+
+ AttributeType ::= OBJECT IDENTIFIER
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+
+ @param seq
+ The ASN.1 sequence.
+
+ SubjectDirectoryAttributes ::= Attributes
+ Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ Attribute ::= SEQUENCE
+ {
+ type AttributeType
+ values SET OF AttributeValue
+ }
+
+ AttributeType ::= OBJECT IDENTIFIER
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+
+ @return a DERObject
+ + SubjectKeyIdentifier::= OCTET STRING ++
+ (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the + value of the BIT STRING subjectPublicKey (excluding the tag, + length, and number of unused bits). ++ @param keyInfo the key info object containing the subjectPublicKey field. + @return the key identifier. +
+ (2) The keyIdentifier is composed of a four bit type field with + the value 0100 followed by the least significant 60 bits of the + SHA-1 hash of the value of the BIT STRING subjectPublicKey. ++ @param keyInfo the key info object containing the subjectPublicKey field. + @return the key identifier. +
+ The GetEncoded() method in the public keys in the JCE produces a DER + encoded one of these.
+
+ SubjectPublicKeyInfo ::= Sequence {
+ algorithm AlgorithmIdentifier,
+ publicKey BIT STRING }
+
+
+ TbsCertList ::= Sequence {
+ version Version OPTIONAL,
+ -- if present, shall be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates Sequence OF Sequence {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+ crlExtensions [0] EXPLICIT Extensions OPTIONAL
+ -- if present, shall be v2
+ }
+
+
+ TbsCertificate ::= Sequence {
+ version [ 0 ] Version DEFAULT v1(0),
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueID [ 1 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ subjectUniqueID [ 2 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ extensions [ 3 ] Extensions OPTIONAL
+ }
+
+ + Note: issuerUniqueID and subjectUniqueID are both deprecated by the IETF. This class + will parse them, but you really shouldn't be creating new ones.
+
+ Target ::= CHOICE {
+ targetName [0] GeneralName,
+ targetGroup [1] GeneralName,
+ targetCert [2] TargetCert
+ }
+
+
+ + The targetCert field is currently not supported and must not be used + according to RFC 3281.
+
+ obj can be a Target or a {@link Asn1TaggedObject}
+ Exactly one of the parameters must be not null.
+ Target ::= CHOICE {
+ targetName [0] GeneralName,
+ targetGroup [1] GeneralName,
+ targetCert [2] TargetCert
+ }
+
+
+ @return an Asn1Object
+ + SEQUENCE OF Targets ++ +
+ obj can be a TargetInformation or a {@link Asn1Sequence}
+ The ArrayList is cloned before it is returned.
+ + @return Returns the targets. ++ SEQUENCE OF Targets ++ +
+ According to RFC 3281 only one targets element must be produced. If + multiple targets are given in the constructor they are merged into one + targets element. If this was produced from a + {@link Org.BouncyCastle.Asn1.Asn1Sequence} the encoding is kept.
+ + @return an Asn1Object +
+ Targets ::= SEQUENCE OF Target
+
+ Target ::= CHOICE {
+ targetName [0] GeneralName,
+ targetGroup [1] GeneralName,
+ targetCert [2] TargetCert
+ }
+
+ TargetCert ::= SEQUENCE {
+ targetCertificate IssuerSerial,
+ targetName GeneralName OPTIONAL,
+ certDigestInfo ObjectDigestInfo OPTIONAL
+ }
+
+
+ @see org.bouncycastle.asn1.x509.Target
+ @see org.bouncycastle.asn1.x509.TargetInformation
+
+ obj can be a Targets or a {@link Asn1Sequence}
+ The ArrayList is copied.
+ + @param targets AnArrayList of {@link Target}s.
+ @see Target
+ @throws ArgumentException if the ArrayList contains not only Targets.
+ ArrayList.
+ + The ArrayList is cloned before it is returned.
+ + @return Returns the targets. ++ Targets ::= SEQUENCE OF Target ++ + @return an Asn1Object +
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ UserNotice class, used in
+ CertificatePolicies X509 extensions (in policy
+ qualifiers).
+
+ UserNotice ::= Sequence {
+ noticeRef NoticeReference OPTIONAL,
+ explicitText DisplayText OPTIONAL}
+
+
+
+ @see PolicyQualifierId
+ @see PolicyInformation
+ UserNotice instance.
+
+ @param noticeRef a NoticeReference value
+ @param explicitText a DisplayText value
+ UserNotice instance.
+
+ @param noticeRef a NoticeReference value
+ @param str the explicitText field as a string.
+ UserNotice instance.
+ Useful from reconstructing a UserNotice instance
+ from its encodable/encoded form.
+
+ @param as an ASN1Sequence value obtained from either
+ calling @{link toASN1Object()} for a UserNotice
+ instance or from parsing it from a DER-encoded stream.
+ TbsCertificate ::= Sequence {
+ version [ 0 ] Version DEFAULT v1(0),
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ }
+
+
+
+ AttributeCertificateInfo ::= Sequence {
+ version AttCertVersion -- version is v2,
+ holder Holder,
+ issuer AttCertIssuer,
+ signature AlgorithmIdentifier,
+ serialNumber CertificateSerialNumber,
+ attrCertValidityPeriod AttCertValidityPeriod,
+ attributes Sequence OF Attr,
+ issuerUniqueID UniqueIdentifier OPTIONAL,
+ extensions Extensions OPTIONAL
+ }
+
+
+
+ V2Form ::= Sequence {
+ issuerName GeneralNames OPTIONAL,
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ objectDigestInfo [1] ObjectDigestInfo OPTIONAL
+ -- issuerName MUST be present in this profile
+ -- baseCertificateID and objectDigestInfo MUST NOT
+ -- be present in this profile
+ }
+
+
+ TbsCertList ::= Sequence {
+ version Version OPTIONAL,
+ -- if present, shall be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates Sequence OF Sequence {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+ crlExtensions [0] EXPLICIT Extensions OPTIONAL
+ -- if present, shall be v2
+ }
+
+
+ Note: This class may be subject to change
+
+ TbsCertificate ::= Sequence {
+ version [ 0 ] Version DEFAULT v1(0),
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueID [ 1 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ subjectUniqueID [ 2 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ extensions [ 3 ] Extensions OPTIONAL
+ }
+
+
+
+ Certificate ::= Sequence {
+ tbsCertificate TbsCertificate,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING
+ }
+
+ + it's is assumed the table contains Oid/string pairs.
++ It's is assumed the table contains Oid/string pairs.
++ it's is assumed the table contains Oid/string pairs.
++ It's is assumed the table contains Oid/string pairs.
+
+ Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+ Extension ::= SEQUENCE {
+ extnId EXTENSION.&id ({ExtensionSet}),
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING }
+
+
+ RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+ RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
+
+ AttributeTypeAndValue ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ value ANY }
+
+ Note: if you're trying to be ultra orthodox, don't use this! It shouldn't be in here.
++ it's is assumed the table contains OID/string pairs, and the contents + of the table are copied into an internal table as part of the + construction process. The ordering ArrayList should contain the OIDs + in the order they are meant to be encoded or printed in ToString.
++ it's is assumed the table contains OID/string pairs, and the contents + of the table are copied into an internal table as part of the + construction process. The ordering ArrayList should contain the OIDs + in the order they are meant to be encoded or printed in ToString.
++ The passed in converter will be used to convert the strings into their + ASN.1 counterparts.
++ The passed in converter will be used to convert the strings into their + ASN.1 counterparts.
++ * An example of an encoder look like below: + *
+ * public class X509DirEntryConverter
+ * : X509NameEntryConverter
+ * {
+ * public Asn1Object GetConvertedValue(
+ * DerObjectIdentifier oid,
+ * string value)
+ * {
+ * if (str.Length() != 0 && str.charAt(0) == '#')
+ * {
+ * return ConvertHexEncoded(str, 1);
+ * }
+ * if (oid.Equals(EmailAddress))
+ * {
+ * return new DerIA5String(str);
+ * }
+ * else if (CanBePrintable(str))
+ * {
+ * return new DerPrintableString(str);
+ * }
+ * else if (CanBeUTF8(str))
+ * {
+ * return new DerUtf8String(str);
+ * }
+ * else
+ * {
+ * return new DerBmpString(str);
+ * }
+ * }
+ * }
+ *
+ *
+
+ BiometricData ::= SEQUENCE {
+ typeOfBiometricData TypeOfBiometricData,
+ hashAlgorithm AlgorithmIdentifier,
+ biometricDataHash OCTET STRING,
+ sourceDataUri IA5String OPTIONAL }
+
+
+ Iso4217CurrencyCode ::= CHOICE {
+ alphabetic PrintableString (SIZE 3), --Recommended
+ numeric INTEGER (1..999) }
+ -- Alphabetic or numeric currency code as defined in ISO 4217
+ -- It is recommended that the Alphabetic form is used
+
+
+ MonetaryValue ::= SEQUENCE {
+ currency Iso4217CurrencyCode,
+ amount INTEGER,
+ exponent INTEGER }
+ -- value = amount * 10^exponent
+
+
+ QCStatement ::= SEQUENCE {
+ statementId OBJECT IDENTIFIER,
+ statementInfo ANY DEFINED BY statementId OPTIONAL}
+
+
+ SemanticsInformation ::= SEQUENCE {
+ semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
+ nameRegistrationAuthorities NameRegistrationAuthorities
+ OPTIONAL }
+ (WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
+ WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
+
+ NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF
+ GeneralName
+
+
+ TypeOfBiometricData ::= CHOICE {
+ predefinedBiometricType PredefinedBiometricType,
+ biometricDataOid OBJECT IDENTIFIER }
+
+ PredefinedBiometricType ::= INTEGER {
+ picture(0),handwritten-signature(1)}
+ (picture|handwritten-signature)
+
+
+ NameOrPseudonym ::= CHOICE {
+ surAndGivenName SEQUENCE {
+ surName DirectoryString,
+ givenName SEQUENCE OF DirectoryString
+ },
+ pseudonym DirectoryString
+ }
+
+
+ @see org.bouncycastle.asn1.x509.sigi.PersonalData
+
+
+ NameOrPseudonym ::= CHOICE {
+ surAndGivenName SEQUENCE {
+ surName DirectoryString,
+ givenName SEQUENCE OF DirectoryString
+ },
+ pseudonym DirectoryString
+ }
+
+ @param pseudonym pseudonym value to use.
+
+ NameOrPseudonym ::= CHOICE {
+ surAndGivenName SEQUENCE {
+ surName DirectoryString,
+ givenName SEQUENCE OF DirectoryString
+ },
+ pseudonym DirectoryString
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ NameOrPseudonym ::= CHOICE {
+ surAndGivenName SEQUENCE {
+ surName DirectoryString,
+ givenName SEQUENCE OF DirectoryString
+ },
+ pseudonym DirectoryString
+ }
+
+
+ @return an Asn1Object
+
+ PersonalData ::= SEQUENCE {
+ nameOrPseudonym NameOrPseudonym,
+ nameDistinguisher [0] INTEGER OPTIONAL,
+ dateOfBirth [1] GeneralizedTime OPTIONAL,
+ placeOfBirth [2] DirectoryString OPTIONAL,
+ gender [3] PrintableString OPTIONAL,
+ postalAddress [4] DirectoryString OPTIONAL
+ }
+
+
+ @see org.bouncycastle.asn1.x509.sigi.NameOrPseudonym
+ @see org.bouncycastle.asn1.x509.sigi.SigIObjectIdentifiers
+
+ PersonalData ::= SEQUENCE {
+ nameOrPseudonym NameOrPseudonym,
+ nameDistinguisher [0] INTEGER OPTIONAL,
+ dateOfBirth [1] GeneralizedTime OPTIONAL,
+ placeOfBirth [2] DirectoryString OPTIONAL,
+ gender [3] PrintableString OPTIONAL,
+ postalAddress [4] DirectoryString OPTIONAL
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ PersonalData ::= SEQUENCE {
+ nameOrPseudonym NameOrPseudonym,
+ nameDistinguisher [0] INTEGER OPTIONAL,
+ dateOfBirth [1] GeneralizedTime OPTIONAL,
+ placeOfBirth [2] DirectoryString OPTIONAL,
+ gender [3] PrintableString OPTIONAL,
+ postalAddress [4] DirectoryString OPTIONAL
+ }
+
+
+ @return an Asn1Object
+
+ KeySpecificInfo ::= Sequence {
+ algorithm OBJECT IDENTIFIER,
+ counter OCTET STRING SIZE (4..4)
+ }
+
+
+ OtherInfo ::= Sequence {
+ keyInfo KeySpecificInfo,
+ partyAInfo [0] OCTET STRING OPTIONAL,
+ suppPubInfo [2] OCTET STRING
+ }
+
+
+ Parameters ::= CHOICE {
+ ecParameters ECParameters,
+ namedCurve CURVES.&id({CurveNames}),
+ implicitlyCA Null
+ }
+
+
+ Curve ::= Sequence {
+ a FieldElement,
+ b FieldElement,
+ seed BIT STRING OPTIONAL
+ }
+
+
+ ECParameters ::= Sequence {
+ version Integer { ecpVer1(1) } (ecpVer1),
+ fieldID FieldID {{FieldTypes}},
+ curve X9Curve,
+ base X9ECPoint,
+ order Integer,
+ cofactor Integer OPTIONAL
+ }
+
+ + ECPoint ::= OCTET STRING ++
+ Octet string produced using ECPoint.GetEncoded().
++ FieldElement ::= OCTET STRING ++
+
F2.
+ @param primeP The prime p defining the prime field.
+ F2m.
+ @param m The exponent m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk1 + 1
+ represents the reduction polynomial f(z).
+ F2m.
+ @param m The exponent m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k2 The integer k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k3 The integer k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z)..
+
+ FieldID ::= Sequence {
+ fieldType FIELD-ID.&id({IOSet}),
+ parameters FIELD-ID.&Type({IOSet}{@fieldType})
+ }
+
+ + Return an output stream which will save the data being written to + the compressed object. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Return an output stream which will compress the data as it is written to it. + The stream will be written out in chunks according to the size of the passed in buffer. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Note: if the buffer is not a power of 2 in length only the largest power of 2 + bytes worth of the buffer will be used. +
++ Note: using this may break compatibility with RFC 1991 compliant tools. + Only recent OpenPGP implementations are capable of accepting these streams. +
++ If buffer is non null stream assumed to be partial, otherwise the length will be used + to output a fixed length packet. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Return an output stream which will encrypt the data as it is written to it. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Return an output stream which will encrypt the data as it is written to it. + The stream will be written out in chunks according to the size of the passed in buffer. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Note: if the buffer is not a power of 2 in length only the largest power of 2 + bytes worth of the buffer will be used. +
++ Close off the encrypted object - this is equivalent to calling Close() on the stream + returned by the Open() method. +
++ Note: This does not close the underlying output stream, only the stream on top of + it created by the Open() method. +
++ A word for the unwary, the KeyId for an OpenPGP public key is calculated from + a hash that includes the time of creation, if you pass a different date to the + constructor below with the same public private key pair the KeyIs will not be the + same as for previous generations of the key, so ideally you only want to do + this once. +
++ Open a literal data packet, returning a stream to store the data inside the packet. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Open a literal data packet, returning a stream to store the data inside the packet, + as an indefinite length stream. The stream is written out as a series of partial + packets with a chunk size determined by the size of the passed in buffer. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Note: if the buffer is not a power of 2 in length only the largest power of 2 + bytes worth of the buffer will be used.
+
+ Open a literal data packet for the passed in
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Note: if this class finds a PgpPublicKey or a PgpSecretKey it + will create a PgpPublicKeyRing, or a PgpSecretKeyRing for each + key found. If all you are trying to do is read a key ring file use + either PgpPublicKeyRingBundle or PgpSecretKeyRingBundle.
+
+ Often PGP keyring files consist of multiple master keys, if you are trying to process
+ or construct one of these you should use the
+ Often PGP keyring files consist of multiple master keys, if you are trying to process
+ or construct one of these you should use the
+ Note: this overrides the generation of a creation time when the signature + is generated.
++ Format documented here: + http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/keyformat.txt;h=42c4b1f06faf1bbe71ffadc2fee0fad6bec91a97;hb=refs/heads/master +
++ CMSAuthenticatedDataGenerator fact = new CMSAuthenticatedDataGenerator(); + + fact.addKeyTransRecipient(cert); + + CMSAuthenticatedData data = fact.generate(content, algorithm, "BC"); ++
+ Note: that because we are in a streaming mode only one recipient can be tried and it is important + that the methods on the parser are called in the appropriate order. +
++ Example of use - assuming the first recipient matches the private key we have. +
+ CMSAuthenticatedDataParser ad = new CMSAuthenticatedDataParser(inputStream);
+
+ RecipientInformationStore recipients = ad.getRecipientInfos();
+
+ Collection c = recipients.getRecipients();
+ Iterator it = c.iterator();
+
+ if (it.hasNext())
+ {
+ RecipientInformation recipient = (RecipientInformation)it.next();
+
+ CMSTypedStream recData = recipient.getContentStream(privateKey, "BC");
+
+ processDataStream(recData.getContentStream());
+
+ if (!Arrays.equals(ad.getMac(), recipient.getMac())
+ {
+ System.err.println("Data corrupted!!!!");
+ }
+ }
+
+ Note: this class does not introduce buffering - if you are processing large files you should create
+ the parser with:
+ + CMSAuthenticatedDataParser ep = new CMSAuthenticatedDataParser(new BufferedInputStream(inputStream, bufSize)); ++ where bufSize is a suitably large buffer size. + +
+ A simple example of usage. +
+ CMSAuthenticatedDataStreamGenerator edGen = new CMSAuthenticatedDataStreamGenerator(); + + edGen.addKeyTransRecipient(cert); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + OutputStream out = edGen.open( + bOut, CMSAuthenticatedDataGenerator.AES128_CBC, "BC");* + out.write(data); + + out.close(); ++ +
+ * A simple example of usage.
+ *+ *
+ * CMSCompressedDataGenerator fact = new CMSCompressedDataGenerator(); + * CMSCompressedData data = fact.Generate(content, algorithm); + *+ * +
+ CMSCompressedDataParser cp = new CMSCompressedDataParser(inputStream); + + process(cp.GetContent().GetContentStream()); ++ Note: this class does not introduce buffering - if you are processing large files you should create + the parser with: +
+ CMSCompressedDataParser ep = new CMSCompressedDataParser(new BufferedInputStream(inputStream, bufSize)); ++ where bufSize is a suitably large buffer size. +
+ A simple example of usage. +
++ CMSCompressedDataStreamGenerator gen = new CMSCompressedDataStreamGenerator(); + + Stream cOut = gen.Open(outputStream, CMSCompressedDataStreamGenerator.ZLIB); + + cOut.Write(data); + + cOut.Close(); ++
+ CmsEnvelopedDataGenerator fact = new CmsEnvelopedDataGenerator(); + + fact.AddKeyTransRecipient(cert); + + CmsEnvelopedData data = fact.Generate(content, algorithm); ++
+ Note: that because we are in a streaming mode only one recipient can be tried and it is important + that the methods on the parser are called in the appropriate order. +
++ Example of use - assuming the first recipient matches the private key we have. +
+ CmsEnvelopedDataParser ep = new CmsEnvelopedDataParser(inputStream);
+
+ RecipientInformationStore recipients = ep.GetRecipientInfos();
+
+ Collection c = recipients.getRecipients();
+ Iterator it = c.iterator();
+
+ if (it.hasNext())
+ {
+ RecipientInformation recipient = (RecipientInformation)it.next();
+
+ CMSTypedStream recData = recipient.getContentStream(privateKey);
+
+ processDataStream(recData.getContentStream());
+ }
+
+ Note: this class does not introduce buffering - if you are processing large files you should create
+ the parser with:
+ + CmsEnvelopedDataParser ep = new CmsEnvelopedDataParser(new BufferedInputStream(inputStream, bufSize)); ++ where bufSize is a suitably large buffer size. + +
+ A simple example of usage. +
+ CmsEnvelopedDataStreamGenerator edGen = new CmsEnvelopedDataStreamGenerator(); + + edGen.AddKeyTransRecipient(cert); + + MemoryStream bOut = new MemoryStream(); + + Stream out = edGen.Open( + bOut, CMSEnvelopedDataGenerator.AES128_CBC);* + out.Write(data); + + out.Close(); ++ +
+ CMSEnvelopedDataGenerator fact = new CMSEnvelopedDataGenerator(); + + fact.addKeyTransRecipient(cert); + + CMSEnvelopedData data = fact.generate(content, algorithm, "BC"); ++
+ IX509Store certs = s.GetCertificates();
+ SignerInformationStore signers = s.GetSignerInfos();
+
+ foreach (SignerInformation signer in signers.GetSigners())
+ {
+ ArrayList certList = new ArrayList(certs.GetMatches(signer.SignerID));
+ X509Certificate cert = (X509Certificate) certList[0];
+
+ if (signer.Verify(cert.GetPublicKey()))
+ {
+ verified++;
+ }
+ }
+
+ + * A simple example of usage. + * + *
+ * IX509Store certs... + * IX509Store crls... + * CmsSignedDataGenerator gen = new CmsSignedDataGenerator(); + * + * gen.AddSigner(privKey, cert, CmsSignedGenerator.DigestSha1); + * gen.AddCertificates(certs); + * gen.AddCrls(crls); + * + * CmsSignedData data = gen.Generate(content); + *+ * +
+ Note: that because we are in a streaming mode only one signer can be tried and it is important + that the methods on the parser are called in the appropriate order. +
++ A simple example of usage for an encapsulated signature. +
++ Two notes: first, in the example below the validity of + the certificate isn't verified, just the fact that one of the certs + matches the given signer, and, second, because we are in a streaming + mode the order of the operations is important. +
+
+ CmsSignedDataParser sp = new CmsSignedDataParser(encapSigData);
+
+ sp.GetSignedContent().Drain();
+
+ IX509Store certs = sp.GetCertificates();
+ SignerInformationStore signers = sp.GetSignerInfos();
+
+ foreach (SignerInformation signer in signers.GetSigners())
+ {
+ ArrayList certList = new ArrayList(certs.GetMatches(signer.SignerID));
+ X509Certificate cert = (X509Certificate) certList[0];
+
+ Console.WriteLine("verify returns: " + signer.Verify(cert));
+ }
+
+ Note also: this class does not introduce buffering - if you are processing large files you should create
+ the parser with:
+ + CmsSignedDataParser ep = new CmsSignedDataParser(new BufferedInputStream(encapSigData, bufSize)); ++ where bufSize is a suitably large buffer size. +
+ The output stream is returned unclosed. +
+ @param original the signed data stream to be used as a base. + @param signerInformationStore the new signer information store to use. + @param out the stream to Write the new signed data object to. + @return out. ++ The output stream is returned unclosed. +
+ @param original the signed data stream to be used as a base. + @param certsAndCrls the new certificates and CRLs to be used. + @param out the stream to Write the new signed data object to. + @return out. + @exception CmsException if there is an error processing the CertStore ++ A simple example of usage. +
+
+ IX509Store certs...
+ CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+
+ gen.AddSigner(privateKey, cert, CmsSignedDataStreamGenerator.DIGEST_SHA1);
+
+ gen.AddCertificates(certs);
+
+ Stream sigOut = gen.Open(bOut);
+
+ sigOut.Write(Encoding.UTF8.GetBytes("Hello World!"));
+
+ sigOut.Close();
+
+ + Note: in the case where the underlying cipher is either a CFB cipher or an + OFB one the last block may not be a multiple of the block size. +
++ NOTE: This algorithm is only included for backwards compatibility + with legacy applications, it's not secure, don't use it for anything new!
+Implementation of RipeMD256.
+Note: this algorithm offers the same level of security as RipeMD128.
+Implementation of RipeMD 320.
+Note: this algorithm offers the same level of security as RipeMD160.
++ block word digest + SHA-1 512 32 160 + SHA-224 512 32 224 + SHA-256 512 32 256 + SHA-384 1024 64 384 + SHA-512 1024 64 512 ++
+ block word digest + SHA-1 512 32 160 + SHA-256 512 32 256 + SHA-384 1024 64 384 + SHA-512 1024 64 512 ++
+ block word digest + SHA-1 512 32 160 + SHA-256 512 32 256 + SHA-384 1024 64 384 + SHA-512 1024 64 512 ++
+ block word digest + SHA-1 512 32 160 + SHA-256 512 32 256 + SHA-384 1024 64 384 + SHA-512 1024 64 512 ++
null to use no parameters.
+ null to use no parameters.
+ + Tnepres is based on Serpent which was designed by Ross Anderson, Eli Biham and Lars Knudsen as a + candidate algorithm for the NIST AES Quest. Unfortunately there was an endianness issue + with test vectors in the AES submission and the resulting confusion lead to the Tnepres cipher + as well, which is a byte swapped version of Serpent. +
++ For full details see The Serpent home page +
++ For further details see: http://csrc.nist.gov/encryption/aes/. + + This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at + http://fp.gladman.plus.com/cryptography_technology/rijndael/ + + There are three levels of tradeoff of speed vs memory + Because java has no preprocessor, they are written as three separate classes from which to choose + + The fastest uses 8Kbytes of static tables to precompute round calculations, 4 256 word tables for encryption + and 4 for decryption. + + The middle performance version uses only one 256 word table for each, for a total of 2Kbytes, + adding 12 rotate operations per round to compute the values contained in the other tables from + the contents of the first. + + The slowest version uses no static tables at all and computes the values in each round. +
++ This file contains the middle performance version with 2Kbytes of static tables for round precomputation. +
++ For further details see: http://csrc.nist.gov/encryption/aes/. + + This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at + http://fp.gladman.plus.com/cryptography_technology/rijndael/ + + There are three levels of tradeoff of speed vs memory + Because java has no preprocessor), they are written as three separate classes from which to choose + + The fastest uses 8Kbytes of static tables to precompute round calculations), 4 256 word tables for encryption + and 4 for decryption. + + The middle performance version uses only one 256 word table for each), for a total of 2Kbytes), + adding 12 rotate operations per round to compute the values contained in the other tables from + the contents of the first + + The slowest version uses no static tables at all and computes the values in each round +
++ This file contains the fast version with 8Kbytes of static tables for round precomputation +
++ For further details see: http://csrc.nist.gov/encryption/aes/. + + This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at + http://fp.gladman.plus.com/cryptography_technology/rijndael/ + + There are three levels of tradeoff of speed vs memory + Because java has no preprocessor, they are written as three separate classes from which to choose + + The fastest uses 8Kbytes of static tables to precompute round calculations, 4 256 word tables for encryption + and 4 for decryption. + + The middle performance version uses only one 256 word table for each, for a total of 2Kbytes, + adding 12 rotate operations per round to compute the values contained in the other tables from + the contents of the first + + The slowest version uses no static tables at all and computes the values + in each round. +
++ This file contains the slowest performance version with no static tables + for round precomputation, but it has the smallest foot print. +
++ * Note: + *
+ http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc128_p3.pdf +
+ It is a third phase candidate in the eStream contest, and is patent-free. + No attacks are known as of today (April 2007). See + + http://www.ecrypt.eu.org/stream/hcp3.html +
++ http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc256_p3.pdf +
+ Its brother, HC-128, is a third phase candidate in the eStream contest. + The algorithm is patent-free. No attacks are known as of today (April 2007). + See + + http://www.ecrypt.eu.org/stream/hcp3.html +
++ This implementation is based on the "HOWTO: INTERNATIONAL DATA ENCRYPTION ALGORITHM" + implementation summary by Fauzan Mirza (F.U.Mirza@sheffield.ac.uk). (baring 1 typo at the + end of the mulinv function!). +
++ It can be found at ftp://ftp.funet.fi/pub/crypt/cryptography/symmetric/idea/ +
++ Note 1: This algorithm is patented in the USA, Japan, and Europe including + at least Austria, France, Germany, Italy, Netherlands, Spain, Sweden, Switzerland + and the United Kingdom. Non-commercial use is free, however any commercial + products are liable for royalties. Please see + www.mediacrypt.com for + further details. This announcement has been included at the request of + the patent holders. +
++ Note 2: Due to the requests concerning the above, this algorithm is now only + included in the extended assembly. It is not included in the default distributions. +
++ i.e. x * MulInv(x) == 1 (modulo BASE) +
++ i.e. x + AddInv(x) == 0 +
+RC5 Encryption Algorithm
+ publication in RSA CryptoBytes, Spring of 1995.
+ http://www.rsasecurity.com/rsalabs/cryptobytes.
+ + This implementation has a word size of 32 bits.
+RC5 Encryption Algorithm
+ publication in RSA CryptoBytes, Spring of 1995.
+ http://www.rsasecurity.com/rsalabs/cryptobytes.
+ + This implementation is set to work with a 64 bit word size.
++ Note: this implementation is based on information prior to readonly NIST publication. +
++ * Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen as a + * candidate algorithm for the NIST AES Quest. + *
+ *+ * For full details see The Serpent home page + *
+null to use the current key.
+ the 2 word (128 bit) tweak, or null to use the current tweak.
+ + *
+ * G(x) = x^4 + (a+1/a)x^3 + ax^2 + (a+1/a)x + 1 + *+ * where a = primitive root of field generator 0x14D + * +
+ doFinal leaves the MAC in the same state it was after the last init. +
+ @param out the array the MAC is to be output to. + @param outOff the offset into the out buffer the output is to start at. + @exception DataLengthException if there isn't enough space in out. + @exception InvalidOperationException if the MAC is not initialised. ++ Minimum entropy requirement is the security strength requested. +
+ @param engine underlying block cipher to use to support DRBG + @param keySizeInBits size of the key to use with the block cipher. + @param securityStrength security strength required (in bits) + @param entropySource source of entropy to use for seeding/reseeding. + @param personalizationString personalization string to distinguish this DRBG (may be null). + @param nonce nonce to further distinguish this DRBG (may be null). ++ Minimum entropy requirement is the security strength requested. +
+ @param digest source digest to use for DRB stream. + @param securityStrength security strength required (in bits) + @param entropySource source of entropy to use for seeding/reseeding. + @param personalizationString personalization string to distinguish this DRBG (may be null). + @param nonce nonce to further distinguish this DRBG (may be null). ++ Minimum entropy requirement is the security strength requested. +
+ @param hMac Hash MAC to base the DRBG on. + @param securityStrength security strength required (in bits) + @param entropySource source of entropy to use for seeding/reseeding. + @param personalizationString personalization string to distinguish this DRBG (may be null). + @param nonce nonce to further distinguish this DRBG (may be null). ++ Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if + the default SecureRandom does for its generateSeed() call. +
++ Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if + the passed in SecureRandom does for its generateSeed() call. +
+ @param entropySource + @param predictionResistant ++ Note: If this constructor is used any calls to setSeed() in the resulting SecureRandom will be ignored. +
+ @param entropySourceProvider a provider of EntropySource objects. ++ Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if + the default SecureRandom does for its generateSeed() call. +
++ Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if + the passed in SecureRandom does for its generateSeed() call. +
+ @param entropySource + @param predictionResistant ++ Note: If this constructor is used any calls to setSeed() in the resulting SecureRandom will be ignored. +
+ @param entropySourceProvider a provider of EntropySource objects. ++ Internal access to the digest is synchronized so a single one of these can be shared. +
++ Access to internals is synchronized so a single one of these can be shared. +
++ Based on an idea from Marcus Lippert. +
++ If fast is set to true, the code should be round about 8 times faster when + generating a long sequence of random bytes. 20 bytes of random values using + the fast mode take less than half a second on a Nokia e70. If fast is set to false, + it takes round about 2500 ms. +
+ @param numBytes the number of bytes to generate + @param fast true if fast mode should be used +
+ // First 1850 fractional digit of Pi number.
+ byte[] key = new BigInteger("14159265358979323846...5068006422512520511").ToByteArray();
+ s = 0;
+ P = new byte[256];
+ for (int i = 0; i < 256; i++)
+ {
+ P[i] = (byte) i;
+ }
+ for (int m = 0; m < 768; m++)
+ {
+ s = P[(s + P[m & 0xff] + key[m % key.length]) & 0xff];
+ byte temp = P[m & 0xff];
+ P[m & 0xff] = P[s & 0xff];
+ P[s & 0xff] = temp;
+ }
+ + note: This uses MTI/A0 key agreement in order to make the key agreement + secure against passive attacks. If you're doing Diffie-Hellman and both + parties have long term public keys you should look at using this. For + further information have a look at RFC 2631.
++ It's possible to extend this to more than two parties as well, for the moment + that is left as an exercise for the reader.
++ note: This is only the basic algorithm, it doesn't take advantage of + long term public keys if they are available. See the DHAgreement class + for a "better" implementation.
++ Note: As stated P1363 compatibility mode with ECDH can be preset, and + in this case the implementation doesn't have a ECDH compatibility mode + (if you want that just use ECDHBasicAgreement and note they both implement + BasicAgreement!).
++ The static property is checked during construction of the encoding object, it is set to + true by default. +
++ Note: can take a while...
++ This Generates keys consistent for use with ElGamal as described in + page 164 of "Handbook of Applied Cryptography".
++ * Note: can take a while... + *
++ The scheme is a simple extension of PKCS 5 V2.0 Scheme 1 using MD5 with an + iteration count of 1. +
++ The document this implementation is based on can be found at + + RSA's Pkcs12 Page +
++ The document this implementation is based on can be found at + + RSA's Pkcs5 Page +
++ The document this implementation is based on can be found at + + RSA's Pkcs5 Page
+k[0] ... k[15], r[0] ... r[15] with the required bits in r cleared
+ as per r (second 16 bytes) portion of the key.k[0] ... k[15], r[0] ... r[15]
+ k[0] ... k[15], r[0] ... r[15] with the required bits in r cleared
+ as per r portion of the key.+ CMAC is analogous to OMAC1 - see also en.wikipedia.org/wiki/CMAC +
+ CMAC is a NIST recomendation - see + csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38B.pdf +
+ CMAC/OMAC1 is a blockcipher-based message authentication code designed and + analyzed by Tetsu Iwata and Kaoru Kurosawa. +
+ CMAC/OMAC1 is a simple variant of the CBC MAC (Cipher Block Chaining Message + Authentication Code). OMAC stands for One-Key CBC MAC. +
+ It supports 128- or 64-bits block ciphers, with any key size, and returns + a MAC with dimension less or equal to the block size of the underlying + cipher. +
++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. + @param padding the padding to be used to complete the last block. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param cfbBitSize the size of an output block produced by the CFB mode. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param cfbBitSize the size of an output block produced by the CFB mode. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. + @param padding a padding to be used. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. + @param padding the padding to be used to complete the last block. +null to use no parameters.
+ + Note: this mode is a packet mode - it needs all the data up front. +
++License for + Open-Source Software Implementations of OCB (Jan 9, 2013) - 'License 1'
+ Under this license, you are authorized to make, use, and distribute open-source software + implementations of OCB. This license terminates for you if you sue someone over their open-source + software implementation of OCB claiming that you have a patent covering their implementation. ++ This is a non-binding summary of a legal document (the link above). The parameters of the license + are specified in the license document and that document is controlling.
+ * For further info see RFC 2440. + *
++ This padding pads the block out compliment of the last bit + of the plain text. +
++ Note: this assumes that the last block of plain text is always + passed to it inside in. i.e. if inOff is zero, indicating the + entire block is to be overwritten with padding the value of in + should be the same as the last block of plain text. +
++ See "Applied + Cryptography" by Bruce Schneier for more information. +
+ @return true if the given DES key material is weak or semi-weak, + false otherwise. +null if not
+ set.
+ null if not set.
+ null if not set.
+ null if not set.
+ null if
+ not set.
+ YYYYMMDD email@address distinguisher, encoded to a byte
+ sequence using UTF-8 encoding.
+ null to use the current key.null to use the current tweak.+ Note: the usual length for the salt is the length of the hash + function used in bytes.
++ Note: the usual value for the salt length is the number of + bytes in the hash function.
++ The message digest hash, H, is encapsulated to form a byte string as follows +
++ EB = 06 || PS || 0xBA || H || TRAILER ++ where PS is a string of bytes all of value 0xBB of length such that |EB|=|n|, and TRAILER is the ISO/IEC 10118 part number†for the digest. The byte string, EB, is converted to an integer value, the message representative, f. +
+ This file could be more optimized. +
+
+ opaque ASN.1Cert<2^24-1>;
+
+ struct {
+ ASN.1Cert certificate_list<0..2^24-1>;
+ } Certificate;
+
+
+ @see Org.BouncyCastle.Asn1.X509.X509CertificateStructure
+ true if this certificate chain contains no certificates, or
+ false otherwise.
+
+ struct {
+ ClientCertificateType certificate_types<1..2^8-1>;
+ DistinguishedName certificate_authorities<3..2^16-1>
+ } CertificateRequest;
+
+
+ @see ClientCertificateType
+ @see X509Name
+ true if the current time should be used in the gmt_unix_time field of
+ Random, or false if gmt_unix_time should contain a cryptographically
+ random value.
+ From Knuth Vol 2, pg 395.
+true if the candidate is found to have any small factors,
+ false otherwise.
+ false if any witness to compositeness is found amongst the chosen bases
+ (so candidate is definitely NOT prime), or else true
+ (indicating primality with some probability dependent on the number of iterations
+ that were performed).
+ false if the specified base is a witness to compositeness (so
+ candidate is definitely NOT prime), or else true.
+ kP.
+ PreCompInfo for a point on this curve, under a given name. Used by
+ ECMultipliers to save the precomputation for this ECPoint for use
+ by subsequent multiplication.
+
+ @param point
+ The ECPoint to store precomputations for.
+ @param name
+ A String used to index precomputations of different types.
+ @param preCompInfo
+ The values precomputed by the ECMultiplier.
+ ECMultiplier, unless already set.
+ Fp (X9.62 s 4.2.1 pg 17).
+ @return The decoded point.
+ s0 and
+ s1 used for partial modular reduction for
+ Koblitz curves.
+ z2 + z = beta(X9.62
+ D.1.6) The other solution is z + 1.
+
+ @param beta
+ The value to solve the qradratic equation for.
+ @return the solution for z2 + z = beta or
+ null if no solution exists.
+ s0 and
+ s1 used for partial modular reduction for
+ Koblitz curves.
+ y2 + xy = x3 + ax2 + b.
+ m of F2m.
+ k where xm +
+ xk + 1 represents the reduction polynomial
+ f(z).k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).0k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).0k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).m of
+ F2m.
+ @param k The integer k where xm +
+ xk + 1 represents the reduction
+ polynomial f(z).
+ @param a The coefficient a in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param b The coefficient b in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ m of
+ F2m.
+ @param k The integer k where xm +
+ xk + 1 represents the reduction
+ polynomial f(z).
+ @param a The coefficient a in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param b The coefficient b in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param order The order of the main subgroup of the elliptic curve.
+ @param cofactor The cofactor of the elliptic curve, i.e.
+ #Ea(F2m) = h * n.
+ m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k2 The integer k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k3 The integer k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param a The coefficient a in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param b The coefficient b in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k2 The integer k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k3 The integer k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param a The coefficient a in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param b The coefficient b in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param order The order of the main subgroup of the elliptic curve.
+ @param cofactor The cofactor of the elliptic curve, i.e.
+ #Ea(F2m) = h * n.
+ F2m in polynomial basis (PB)
+ representation. Both trinomial (Tpb) and pentanomial (Ppb) polynomial
+ basis representations are supported. Gaussian normal basis (GNB)
+ representation is not supported.
+ m of F2m.
+ LongArray holding the bits.
+ m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k2 The integer k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k3 The integer k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param x The BigInteger representing the value of the field element.
+ m of
+ F2m.
+ @param k The integer k where xm +
+ xk + 1 represents the reduction
+ polynomial f(z).
+ @param x The BigInteger representing the value of the field element.
+ a and b
+ are elements of the same field F2m
+ (having the same representation).
+ @param a field element.
+ @param b field element to be compared.
+ @throws ArgumentException if a and b
+ are not elements of the same field
+ F2m (having the same
+ representation).
+ F2m, either of
+ {@link F2mFieldElement.Tpb} (trinomial
+ basis representation) or
+ {@link F2mFieldElement.Ppb} (pentanomial
+ basis representation).
+ m of the reduction polynomial
+ f(z).
+ k where xm +
+ xk + 1 represents the reduction polynomial
+ f(z).k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).0k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).0k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).ECPoint by the given number.
+ @param k The multiplicator.
+ @return k * this.
+ SimpleBigDecimal is basically a
+ {@link java.math.BigInteger BigInteger} with a few digits on the right of
+ the decimal point. The number of (binary) digits on the right of the decimal
+ point is called the scale of the SimpleBigDecimal.
+ Unlike in {@link java.math.BigDecimal BigDecimal}, the scale is not adjusted
+ automatically, but must be set manually. All SimpleBigDecimals
+ taking part in the same arithmetic operation must have equal scale. The
+ result of a multiplication of two SimpleBigDecimals returns a
+ SimpleBigDecimal with double scale.
+ SimpleBigDecimal representing the same numerical
+ value as value.
+ @param value The value of the SimpleBigDecimal to be
+ created.
+ @param scale The scale of the SimpleBigDecimal to be
+ created.
+ @return The such created SimpleBigDecimal.
+ SimpleBigDecimal. The value of the
+ constructed SimpleBigDecimal Equals bigInt /
+ 2scale.
+ @param bigInt The bigInt value parameter.
+ @param scale The scale of the constructed SimpleBigDecimal.
+ αu's must be computed differently, see
+ e.g. "Guide to Elliptic Curve Cryptography", Darrel Hankerson,
+ Alfred Menezes, Scott Vanstone, Springer-Verlag New York Inc., 2004,
+ p. 121-122
+ αu's for a=0 as an array
+ of ZTauElements.
+ αu's for a=0 as an array
+ of TNAFs.
+ αu's for a=1 as an array
+ of ZTauElements.
+ αu's for a=1 as an array
+ of TNAFs.
+ λ of
+ Z[τ].
+ @param mu The parameter μ of the elliptic curve.
+ @param lambda The element λ of
+ Z[τ].
+ @return The norm of λ.
+ λ of
+ R[τ], where λ = u + vτ
+ and u and u are real numbers (elements of
+ R).
+ @param mu The parameter μ of the elliptic curve.
+ @param u The real part of the element λ of
+ R[τ].
+ @param v The τ-adic part of the element
+ λ of R[τ].
+ @return The norm of λ.
+ λ of R[τ]
+ to an element of Z[τ], such that their difference
+ has minimal norm. λ is given as
+ λ = λ0 + λ1τ.
+ @param lambda0 The component λ0.
+ @param lambda1 The component λ1.
+ @param mu The parameter μ of the elliptic curve. Must
+ equal 1 or -1.
+ @return The rounded element of Z[τ].
+ @throws ArgumentException if lambda0 and
+ lambda1 do not have same scale.
+ n. For an integer
+ k, the value λ = s k / n is
+ computed to c bits of accuracy.
+ @param k The parameter k.
+ @param s The curve parameter s0 or
+ s1.
+ @param vm The Lucas Sequence element Vm.
+ @param a The parameter a of the elliptic curve.
+ @param m The bit length of the finite field
+ Fm.
+ @param c The number of bits of accuracy, i.e. the scale of the returned
+ SimpleBigDecimal.
+ @return The value λ = s k / n computed to
+ c bits of accuracy.
+ τ-adic NAF (non-adjacent form) of an
+ element λ of Z[τ].
+ @param mu The parameter μ of the elliptic curve.
+ @param lambda The element λ of
+ Z[τ].
+ @return The τ-adic NAF of λ.
+ τ() to an
+ AbstractF2mPoint.
+ @param p The AbstractF2mPoint to which τ() is applied.
+ @return τ(p)
+ μ of the elliptic curve.
+ @param curve The elliptic curve from which to obtain μ.
+ The curve must be a Koblitz curve, i.e. a Equals
+ 0 or 1 and b Equals
+ 1.
+ @return μ of the elliptic curve.
+ @throws ArgumentException if the given ECCurve is not a Koblitz
+ curve.
+ Uk-1 and
+ Uk or Vk-1 and
+ Vk.
+ @param mu The parameter μ of the elliptic curve.
+ @param k The index of the second element of the Lucas Sequence to be
+ returned.
+ @param doV If set to true, computes Vk-1 and
+ Vk, otherwise Uk-1 and
+ Uk.
+ @return An array with 2 elements, containing Uk-1
+ and Uk or Vk-1
+ and Vk.
+ tw. If the width is
+ 4, then for mu = 1, tw = 6 and for
+ mu = -1, tw = 10
+ @param mu The parameter μ of the elliptic curve.
+ @param w The window width of the WTNAF.
+ @return the auxiliary value tw
+ s0 and
+ s1 used for partial modular reduction.
+ @param curve The elliptic curve for which to compute
+ s0 and s1.
+ @throws ArgumentException if curve is not a
+ Koblitz curve (Anomalous Binary Curve, ABC).
+ (τm - 1)/(τ - 1).
+ @param k The integer to be reduced.
+ @param m The bitlength of the underlying finite field.
+ @param a The parameter a of the elliptic curve.
+ @param s The auxiliary values s0 and
+ s1.
+ @param mu The parameter μ of the elliptic curve.
+ @param c The precision (number of bits of accuracy) of the partial
+ modular reduction.
+ @return ρ := k partmod (τm - 1)/(τ - 1)
+ BigInteger using the reduced τ-adic
+ NAF (RTNAF) method.
+ @param p The AbstractF2mPoint to Multiply.
+ @param k The BigInteger by which to Multiply p.
+ @return k * p
+ λ of Z[τ]
+ using the τ-adic NAF (TNAF) method.
+ @param p The AbstractF2mPoint to Multiply.
+ @param lambda The element λ of
+ Z[τ].
+ @return λ * p
+ λ of Z[τ]
+ using the τ-adic NAF (TNAF) method, given the TNAF
+ of λ.
+ @param p The AbstractF2mPoint to Multiply.
+ @param u The the TNAF of λ..
+ @return λ * p
+ [τ]-adic window NAF of an element
+ λ of Z[τ].
+ @param mu The parameter μ of the elliptic curve.
+ @param lambda The element λ of
+ Z[τ] of which to compute the
+ [τ]-adic NAF.
+ @param width The window width of the resulting WNAF.
+ @param pow2w 2width.
+ @param tw The auxiliary value tw.
+ @param alpha The αu's for the window width.
+ @return The [τ]-adic window NAF of
+ λ.
+ ECPoint for which to do the precomputation.
+ @param a The parameter a of the elliptic curve.
+ @return The precomputation array for p.
+ Z[τ]. Let
+ λ be an element of Z[τ]. Then
+ λ is given as λ = u + vτ. The
+ components u and v may be used directly, there
+ are no accessor methods.
+ Immutable class.
+ λ.
+ τ-adic" part of λ.
+ λ of
+ Z[τ].
+ @param u The "real" part of λ.
+ @param v The "τ-adic" part of
+ λ.
+ ECPoints.
+ ECPoint p by k, i.e.
+ p is added k times to itself.
+ @param p The ECPoint to be multiplied.
+ @param k The factor by which p is multiplied.
+ @return p multiplied by k.
+ ECPoints used for a fixed
+ point multiplication.
+ WNafMultiplier.
+ this by an integer k using the
+ Window NAF method.
+ @param k The integer by which this is multiplied.
+ @return A new ECPoint which equals this
+ multiplied by k.
+ ECPoints used for a Window
+ NAF multiplication.
+ ECPoints used
+ for a Window NAF multiplication.
+ ECPoint representing Twice(this). Used for the
+ Window NAF multiplication to create or extend the precomputed values.
+ w of the Window NAF. The width is
+ defined as the minimal number w, such that for any
+ w consecutive digits in the resulting representation, at
+ most one is non-zero.
+ @param k The integer of which the Window NAF is computed.
+ @return The Window NAF of the given width, such that the following holds:
+ k = ∑i=0l-1 ki2i
+ , where the ki denote the elements of the
+ returned byte[].
+ τ-adic Non-Adjacent Form) algorithm.
+ k using the reduced τ-adic NAF (RTNAF)
+ method.
+ @param p The AbstractF2mPoint to multiply.
+ @param k The integer by which to multiply k.
+ @return p multiplied by k.
+ λ of Z[τ] using
+ the τ-adic NAF (TNAF) method.
+ @param p The AbstractF2mPoint to multiply.
+ @param lambda The element λ of
+ Z[τ] of which to compute the
+ [τ]-adic NAF.
+ @return p multiplied by λ.
+ λ of Z[τ]
+ using the window τ-adic NAF (TNAF) method, given the
+ WTNAF of λ.
+ @param p The AbstractF2mPoint to multiply.
+ @param u The the WTNAF of λ..
+ @return λ * p
+ τ-adic Non-Adjacent Form) algorithm.
+ AbstractF2mPoints used for the
+ WTNAF multiplication in
+ {@link org.bouncycastle.math.ec.multiplier.WTauNafMultiplier.multiply()
+ WTauNafMultiplier.multiply()}.
+
+ BasicOcspResponse ::= SEQUENCE {
+ tbsResponseData ResponseData,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
+ }
+
+
+ OcspRequest ::= SEQUENCE {
+ tbsRequest TBSRequest,
+ optionalSignature [0] EXPLICIT Signature OPTIONAL }
+
+ TBSRequest ::= SEQUENCE {
+ version [0] EXPLICIT Version DEFAULT v1,
+ requestorName [1] EXPLICIT GeneralName OPTIONAL,
+ requestList SEQUENCE OF Request,
+ requestExtensions [2] EXPLICIT Extensions OPTIONAL }
+
+ Signature ::= SEQUENCE {
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL}
+
+ Version ::= INTEGER { v1(0) }
+
+ Request ::= SEQUENCE {
+ reqCert CertID,
+ singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
+
+ CertID ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+ issuerKeyHash OCTET STRING, -- Hash of Issuers public key
+ serialNumber CertificateSerialNumber }
+
+ + In the case of PKCS7 objects the reader will return a CMS ContentInfo object. Keys and + Certificates will be returned using the appropriate java.security type.
+
+ CertificationRequest ::= Sequence {
+ certificationRequestInfo CertificationRequestInfo,
+ signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
+ signature BIT STRING
+ }
+
+ CertificationRequestInfo ::= Sequence {
+ version Integer { v1(0) } (v1,...),
+ subject Name,
+ subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+ attributes [0] Attributes{{ CRIAttributes }}
+ }
+
+ Attributes { ATTRIBUTE:IOSet } ::= Set OF Attr{{ IOSet }}
+
+ Attr { ATTRIBUTE:IOSet } ::= Sequence {
+ type ATTRIBUTE.&id({IOSet}),
+ values Set SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{\@type})
+ }
+
+ see
+
+ CertificationRequest ::= Sequence {
+ certificationRequestInfo CertificationRequestInfo,
+ signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
+ signature BIT STRING
+ }
+
+ CertificationRequestInfo ::= Sequence {
+ version Integer { v1(0) } (v1,...),
+ subject Name,
+ subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+ attributes [0] Attributes{{ CRIAttributes }}
+ }
+
+ Attributes { ATTRIBUTE:IOSet } ::= Set OF Attr{{ IOSet }}
+
+ Attr { ATTRIBUTE:IOSet } ::= Sequence {
+ type ATTRIBUTE.&id({IOSet}),
+ values Set SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{\@type})
+ }
+
+ see
+ Set of X.509 attribute certificate
+ extensions that this PkixAttrCertChecker supports or
+ null if no extensions are supported.
+
+ Each element of the set is a String representing the
+ Object Identifier (OID) of the X.509 extension that is supported.
+
+ All X.509 attribute certificate extensions that a
+ PkixAttrCertChecker might possibly be able to process
+ should be included in the set.
+
Set of X.509 extension OIDs (in
+ String format) supported by this
+ PkixAttrCertChecker, or null if no
+ extensions are supported
+ unresolvedCritExts
+ collection.
+
+ @param attrCert The attribute certificate to be checked.
+ @param certPath The certificate path which belongs to the attribute
+ certificate issuer public key certificate.
+ @param holderCertPath The certificate path which belongs to the holder
+ certificate.
+ @param unresolvedCritExts a Collection of OID strings
+ representing the current set of unresolved critical extensions
+ @throws CertPathValidatorException if the specified attribute certificate
+ does not pass the check.
+ PkixAttrCertChecker
+
+ params must be an instance of
+ ExtendedPkixParameters.
+
+ The target constraints in the params must be an
+ X509AttrCertStoreSelector with at least the attribute
+ certificate criterion set. Obey that also target informations may be
+ necessary to correctly validate this attribute certificate.
+
+ The attribute certificate issuer must be added to the trusted attribute + issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}. +
+ @param certPath The certificate path which belongs to the attribute + certificate issuer public key certificate. + @param params The PKIX parameters. + @return APKIXCertPathValidatorResult of the result of
+ validating the certPath.
+ @throws InvalidAlgorithmParameterException if params is
+ inappropriate for this validator.
+ @throws CertPathValidatorException if the verification fails.
+ PkixBuilderParameters.
+
+ This method can be used to get a copy from other
+ PKIXBuilderParameters, PKIXParameters,
+ and ExtendedPKIXParameters instances.
+
PkixBuilderParameters instance.
+ ISet is null an
+ empty set is assumed.
+ ExtendedPKIXBuilderParameters and
+ PKIXBuilderParameters.
+
+ @param params Parameters to set.
+ @see org.bouncycastle.x509.ExtendedPKIXParameters#setParams(java.security.cert.PKIXParameters)
+ PKIXParameters object. Changes to the
+ copy will not affect the original and vice versa.
+
+ @return a copy of this PKIXParameters object
+ PKIXCertPathChecker.
+ *
+ * The forward flag specifies the order that certificates
+ * will be passed to the {@link #check check} method (forward or reverse). A
+ * PKIXCertPathChecker must support reverse checking
+ * and may support forward checking.
+ *
check method. If true,
+ * certificates are presented from target to most-trusted CA
+ * (forward); if false, from most-trusted CA to
+ * target (reverse).
+ * @exception CertPathValidatorException
+ * if this PKIXCertPathChecker is unable to
+ * check certificates in the specified order; it should never
+ * be thrown if the forward flag is false since reverse
+ * checking must be supported
+ PKIXCertPathChecker to perform its
+ checks when certificates are presented to the check method
+ in the forward direction (from target to most-trusted CA).
+
+ @return true if forward checking is supported,
+ false otherwise
+ Set of X.509 certificate extensions
+ * that this PKIXCertPathChecker supports (i.e. recognizes,
+ * is able to process), or null if no extensions are
+ * supported.
+ *
+ * Each element of the set is a String representing the
+ * Object Identifier (OID) of the X.509 extension that is supported. The OID
+ * is represented by a set of nonnegative integers separated by periods.
+ *
+ * All X.509 certificate extensions that a PKIXCertPathChecker
+ * might possibly be able to process should be included in the set.
+ *
Set of X.509 extension OIDs (in
+ * String format) supported by this
+ * PKIXCertPathChecker, or null if no
+ * extensions are supported
+ init method.
+
+ @param cert
+ the Certificate to be checked
+ @param unresolvedCritExts
+ a Collection of OID strings representing the
+ current set of unresolved critical extensions
+ @exception CertPathValidatorException
+ if the specified certificate does not pass the check
+ Object.clone()
+ method. All subclasses which maintain state must support and override
+ this method, if necessary.
+
+ @return a copy of this PKIXCertPathChecker
+ CertPathValidator implementations must include a class (the
+ SPI class) that extends this class (CertPathValidatorSpi)
+ and implements all of its methods. In general, instances of this class
+ should only be accessed through the CertPathValidator class.
+ For details, see the Java Cryptography Architecture.CertPathValidatorSpi instance concurrently should synchronize
+ amongst themselves and provide the necessary locking before calling the
+ wrapping CertPathValidator object.CertPathValidatorSpi may still
+ encounter concurrency issues, since multiple threads each
+ manipulating a different CertPathValidatorSpi instance need not
+ synchronize.
+ CertPathValidatorException provides support for wrapping
+ exceptions. The {@link #getCause getCause} method returns the throwable,
+ if any, that caused this exception to be thrown. CertPathValidatorException may also include the
+ certification path that was being validated when the exception was thrown
+ and the index of the certificate in the certification path that caused the
+ exception to be thrown. Use the {@link #getCertPath getCertPath} and
+ {@link #getIndex getIndex} methods to retrieve this information.PkixCertPathValidatorException with the given detail
+ message. A detail message is a String that describes this
+ particular exception.
+ PkixCertPathValidatorException with the specified
+ detail message and cause.
+ null
+ value is permitted, and indicates that the cause is
+ nonexistent or unknown.)
+ PkixCertPathValidatorException with the specified
+ detail message, cause, certification path, and index.
+ null if none)
+ the cause (or null if none)
+ the certification path that was in the process of being
+ validated when the error was encountered
+ the index of the certificate in the certification path that *
+ CertPathValidatorException.
+ null if neither the message nor cause were specifiedCertPath that was being validated when the
+ exception was thrown (or null if not specified)
+ CertPath is zero based. If no index has been set, -1 is
+ returned.
+
+ @return the index that has been set, or -1 if none has been set
+ TrustAnchor object if found or
+ null if not.
+ X500Principal.
+ This methods inherits DSA parameters from the indexed certificate or
+ previous certificates in the certificate chain to the returned
+ PublicKey. The list is searched upwards, meaning the end
+ certificate is at position 0 and previous certificates are following.
+
+ If the indexed certificate does not contain a DSA key this method simply + returns the public key. If the DSA key already contains DSA parameters + the key is also only returned. +
+ + @param certs The certification path. + @param index The index of the certificate which contains the public key + which should be extended with DSA parameters. + @return The public key of the certificate in list position +index extended with DSA parameters if applicable.
+ @throws Exception if DSA parameters cannot be inherited.
+ null.selector.
+
+ The issuerPrincipals are a collection with a single
+ X500Principal for X509Certificates. For
+ {@link X509AttributeCertificate}s the issuer may contain more than one
+ X500Principal.
+
issuerPrincipals does not
+ contain only X500Principals.
+ X509Certificate or
+ {@link org.bouncycastle.x509.X509AttributeCertificate} for
+ which the CRL should be searched.
+ @param currentDate The date for which the delta CRLs must be valid.
+ @param paramsPKIX The extended PKIX parameters.
+ @return A Set of X509CRLs with complete
+ CRLs.
+ @throws Exception if an exception occurs while picking the CRLs
+ or no CRLs are found.
+ Set of X509CRLs with delta CRLs.
+ @throws Exception if an exception occurs while picking the delta
+ CRLs.
+ Collection object containing the issuer
+ X509Certificates. Never null.
+
+ @exception Exception
+ if an error occurs.
+ null.
+ permitted with ip.
+
+ @param permitted A Set of permitted IP addresses with
+ their subnet mask as byte arrays.
+ @param ips The IP address with its subnet mask.
+ @return The Set of permitted IP ranges intersected with
+ ip.
+ excluded
+ with ip.
+
+ @param excluded A Set of excluded IP addresses with their
+ subnet mask as byte arrays.
+ @param ip The IP address with its subnet mask.
+ @return The Set of excluded IP ranges unified with
+ ip as byte arrays.
+ Set with the union of both addresses.
+ Set with the single IP address with its subnet
+ mask as a byte array or an empty Set.
+ ip is included in the permitted ISet
+ permitted.
+
+ @param permitted A Set of permitted IP addresses with
+ their subnet mask as byte arrays.
+ @param ip The IP address.
+ @throws PkixNameConstraintValidatorException
+ if the IP is not permitted.
+ ip is included in the excluded ISet
+ excluded.
+
+ @param excluded A Set of excluded IP addresses with their
+ subnet mask as byte arrays.
+ @param ip The IP address.
+ @throws PkixNameConstraintValidatorException
+ if the IP is excluded.
+ ip is constrained by
+ constraint.
+
+ @param ip The IP address.
+ @param constraint The constraint. This is an IP address concatenated with
+ its subnetmask.
+ @return true if constrained, false
+ otherwise.
+ email1 and email2 is
+ added to the union union. If email1 and
+ email2 have nothing in common they are added both.
+
+ @param email1 Email address constraint 1.
+ @param email2 Email address constraint 2.
+ @param union The union.
+ email1 and
+ email2 is added to the intersection intersect.
+
+ @param email1 Email address constraint 1.
+ @param email2 Email address constraint 2.
+ @param intersect The intersection.
+ name
+ name is
+ excluded.
+ ip1 with ip2. If ip1
+ is equal to ip2 0 is returned. If ip1 is bigger 1 is returned, -1
+ otherwise.
+
+ @param ip1 The first IP address.
+ @param ip2 The second IP address.
+ @return 0 if ip1 is equal to ip2, 1 if ip1 is bigger, -1 otherwise.
+ ip1 and
+ ip2.
+
+ @param ip1 The first IP address.
+ @param ip2 The second IP address.
+ @return The OR of ip1 and ip2.
+ (trustAnchors.isEmpty() == true)
+ @exception NullPointerException
+ if the specified Set is null
+ @exception ClassCastException
+ if any of the elements in the Set are not of type
+ java.security.cert.TrustAnchor
+ null, no constraints are defined.null)
+
+ @see #setTargetCertConstraints(CertSelector)
+ null)
+
+ @see #getTargetCertConstraints()
+ Set, which is
+ interpreted as meaning that any policy would be acceptable.
+
+ @return an immutable Set of initial policy OIDs in String
+ format, or an empty Set (implying any policy is
+ acceptable). Never returns null.
+
+ @see #setInitialPolicies(java.util.Set)
+ Set of initial policy identifiers (OID strings),
+ indicating that any one of these policies would be acceptable to the
+ certificate user for the purposes of certification path processing. By
+ default, any policy is acceptable (i.e. all policies), so a user that
+ wants to allow any policy as acceptable does not need to call this
+ method, or can call it with an empty Set (or
+ null).null)
+
+ @exception ClassCastException
+ if any of the elements in the set are not of type String
+
+ @see #getInitialPolicies()
+ List of additional certification path checkers. If
+ the specified List contains an object that is not a PKIXCertPathChecker,
+ it is ignored.PKIXCertPathChecker specified implements additional
+ checks on a certificate. Typically, these are checks to process and
+ verify private extensions contained in certificates. Each
+ PKIXCertPathChecker should be instantiated with any
+ initialization parameters needed to execute the check.CertPathValidator or CertPathBuilder. Each
+ of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX
+ CertPathValidator or CertPathBuilder for
+ each certificate processed or validated.CertPathValidator or CertPathBuilder
+ must perform all of the required PKIX checks on each certificate. The one
+ exception to this rule is if the RevocationEnabled flag is set to false
+ (see the {@link #setRevocationEnabled(boolean) setRevocationEnabled}
+ method).java.security.cert.PKIXCertPathChecker
+ @see #getCertPathCheckers()
+ null)
+
+ @see #setCertPathCheckers(java.util.List)
+ PKIXCertPathChecker to the list of certification
+ path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
+ method for more details.
+
+ Note that the PKIXCertPathChecker is cloned to protect
+ against subsequent modifications.
PKIXCertPathChecker to add to the list of
+ checks. If null, the checker is ignored (not added to list).
+ Clone() under J2ME.
+ super.Clone() does not exist and fields are not copied.
+
+ @param params Parameters to set. If this are
+ ExtendedPkixParameters they are copied to.
+ false.
+
+ The IList is cloned.
+
stores is not
+ a {@link Store}.
+ + This method should be used to add local stores, like collection based + X.509 stores, if available. Local stores should be considered first, + before trying to use additional (remote) locations, because they do not + need possible additional network traffic. +
+ If store is null it is ignored.
+
+ You should not use this method. This method is used for adding additional + X.509 stores, which are used to add (remote) locations, e.g. LDAP, found + during X.509 object processing, e.g. in certificates or CRLs. This method + is used in PKIX certification path processing. +
+ If store is null it is ignored.
+
IList of additional Bouncy Castle
+ Stores used for finding CRLs, certificates, attribute
+ certificates or cross certificates.
+
+ @return an immutable IList of additional Bouncy Castle
+ Stores. Never null.
+
+ @see #addAddionalStore(Store)
+ IList of Bouncy Castle
+ Stores used for finding CRLs, certificates, attribute
+ certificates or cross certificates.
+
+ @return an immutable IList of Bouncy Castle
+ Stores. Never null.
+
+ @see #setStores(IList)
+ true if additional stores are used.
+ true if additional stores are used.
+ IX509Selector. If null, no constraints are
+ defined.
+
+ + The target certificate in a PKIX path may be a certificate or an + attribute certificate. +
+ Note that the IX509Selector returned is cloned to protect
+ against subsequent modifications.
+
IX509Selector specifying the constraints on the
+ target certificate or attribute certificate (or null)
+ @see #setTargetConstraints
+ @see X509CertStoreSelector
+ @see X509AttributeCertStoreSelector
+ IX509Selector. If null, no constraints are
+ defined.
+ + The target certificate in a PKIX path may be a certificate or an + attribute certificate. +
+ Note that the IX509Selector specified is cloned to protect
+ against subsequent modifications.
+
IX509Selector specifying the constraints on
+ the target certificate or attribute certificate (or
+ null)
+ @see #getTargetConstraints
+ @see X509CertStoreSelector
+ @see X509AttributeCertStoreSelector
+
+ The returned ISet consists of TrustAnchors.
+
+ The returned ISet is immutable. Never null
+
+ The trustedACIssuers must be a ISet of
+ TrustAnchor
+
+ The given set is cloned. +
+ + @param trustedACIssuers The trusted AC issuers to set. Is never +null.
+ @throws ClassCastException if an element of stores is not
+ a TrustAnchor.
+
+ The returned ISet is immutable and contains
+ Strings with the OIDs.
+
+ The ISet must contain Strings with the
+ OIDs.
+
+ The set is cloned. +
+ + @param necessaryACAttributes The necessary AC attributes to set. + @throws ClassCastException if an element of +necessaryACAttributes is not a
+ String.
+
+ The returned ISet is immutable and contains
+ Strings with the OIDs.
+
null.
+
+ The ISet must contain Strings with the
+ OIDs.
+
+ The set is cloned. +
+ + @param prohibitedACAttributes The prohibited AC attributes to set. + @throws ClassCastException if an element of +prohibitedACAttributes is not a
+ String.
+ null.
+
+ All elements in the ISet must a {@link PKIXAttrCertChecker}.
+
+ The given set is cloned. +
+ + @param attrCertCheckers The attribute certificate checkers to set. Is + nevernull.
+ @throws ClassCastException if an element of attrCertCheckers
+ is not a PKIXAttrCertChecker.
+ true if this reasons mask contains all possible
+ reasons.
+ + (i) If the distribution point name is present in the IDP CRL extension + and the distribution field is present in the DP, then verify that one of + the names in the IDP matches one of the names in the DP. If the + distribution point name is present in the IDP CRL extension and the + distribution field is omitted from the DP, then verify that one of the + names in the IDP matches one of the names in the cRLIssuer field of the + DP. +
++ (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL + extension, verify that the certificate does not include the basic + constraints extension with the cA boolean asserted. +
++ (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL + extension, verify that the certificate includes the basic constraints + extension with the cA boolean asserted. +
++ (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted. +
+ + @param dp The distribution point. + @param cert The certificate. + @param crl The CRL. + @throws AnnotatedException if one of the conditions is not met or an error occurs. +cert.
+ @throws AnnotatedException if one of the above conditions does not apply or an error
+ occurs.
+ cert.
+ @param cert The attribute certificate or certificate to check if it is
+ revoked.
+ @param defaultCRLSignCert The issuer certificate of the certificate cert.
+ @param defaultCRLSignKey The public key of the issuer certificate
+ defaultCRLSignCert.
+ @param paramsPKIX paramsPKIX PKIX parameters.
+ @param certPathCerts The certificates on the certification path.
+ @return A Set with all keys of possible CRL issuer
+ certificates.
+ @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
+ some error occurs.
+ cert.
+
+ @param dp The distribution point to consider.
+ @param paramsPKIX PKIX parameters.
+ @param cert Certificate to check if it is revoked.
+ @param validDate The date when the certificate revocation status should be
+ checked.
+ @param defaultCRLSignCert The issuer certificate of the certificate cert.
+ @param defaultCRLSignKey The public key of the issuer certificate
+ defaultCRLSignCert.
+ @param certStatus The current certificate revocation status.
+ @param reasonMask The reasons mask which is already checked.
+ @param certPathCerts The certificates of the certification path.
+ @throws AnnotatedException if the certificate is revoked or the status cannot be checked
+ or some error occurs.
+ cert.
+ @param workingPublicKey The public key of the issuer certificate sign.
+ @param certPathCerts The certificates of the certification path.
+ @throws AnnotatedException if the certificate is revoked or the status cannot be checked
+ or some error occurs.
+ attrCert.
+ @param validDate The date when the certificate revocation status should
+ be checked.
+ @param certPathCerts The certificates of the certification path to be
+ checked.
+
+ @throws CertPathValidatorException if the certificate is revoked or the
+ status cannot be checked or some error occurs.
+ attrCert.
+
+ @param dp The distribution point to consider.
+ @param attrCert The attribute certificate which should be checked.
+ @param paramsPKIX PKIX parameters.
+ @param validDate The date when the certificate revocation status should
+ be checked.
+ @param issuerCert Certificate to check if it is revoked.
+ @param reasonMask The reasons mask which is already checked.
+ @param certPathCerts The certificates of the certification path to be
+ checked.
+ @throws Exception if the certificate is revoked or the status
+ cannot be checked or some error occurs.
+
+ NameConstraints ::= SEQUENCE {
+ permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+
+ GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+
+ GeneralSubtree ::= SEQUENCE {
+ base GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL }
+
+ BaseDistance ::= INTEGER (0..MAX)
+
+ GeneralName ::= CHOICE {
+ otherName [0] OtherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+ directoryName [4] Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER}
+
+
+ Note that the name constraints byte array supplied is cloned to protect
+ against subsequent modifications.
+ + Name constraints are an optional parameter, and are intended to be used + as additional constraints when validating an X.509 certification path. +
+ The name constraints are specified as a byte array. This byte array + contains the DER encoded form of the name constraints, as they + would appear in the NameConstraints structure defined in RFC 2459 + and X.509. The ASN.1 notation for this structure is supplied in the + documentation for the other constructors. +
+ Note that the name constraints byte array supplied here is cloned to + protect against subsequent modifications. +
+TrustAnchor where the most-trusted
+ CA is specified as a distinguished name and public key. Name constraints
+ are an optional parameter, and are intended to be used as additional
+ constraints when validating an X.509 certification path.
+ TrustAnchor.
+ TrustAnchor+ If a failure code is associated with the exception it can be retrieved using + the getFailureCode() method.
++ If genTime is null a timeNotAvailable error response will be returned. + + @param request the request this response is for. + @param serialNumber serial number for the response token. + @param genTime generation time for the response token. + @param provider provider to use for signature calculation. + @return + @throws NoSuchAlgorithmException + @throws NoSuchProviderException + @throws TSPException +
++ To be valid the token must be signed by the passed in certificate and + the certificate must be the one referred to by the SigningCertificate + attribute included in the hashed attributes of the token. The + certificate must also have the ExtendedKeyUsageExtension with only + KeyPurposeID.IdKPTimeStamping and have been valid at the time the + timestamp was created. +
++ A successful call to validate means all the above are true. +
++ The exception extends InvalidCastException to enable users to have a single handling case, + only introducing specific handling of this one if required. +
++ The purpose of UrlBase64 encoding is to provide a compact encoding of binary + data that is safe for use as an URL parameter. Base64 encoding does not + produce encoded values that are safe for use in URLs, since "/" can be + interpreted as a path delimiter; "+" is the encoded form of a space; and + "=" is used to separate a name from the corresponding value in an URL + parameter. +
++ The purpose of UrlBase64 encoding is to provide a compact encoding of binary + data that is safe for use as an URL parameter. Base64 encoding does not + produce encoded values that are safe for use in URLs, since "/" can be + interpreted as a path delimiter; "+" is the encoded form of a space; and + "=" is used to separate a name from the corresponding value in an URL + parameter. +
+
+ Holder ::= SEQUENCE {
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ -- the issuer and serial number of
+ -- the holder's Public Key Certificate
+ entityName [1] GeneralNames OPTIONAL,
+ -- the name of the claimant or role
+ objectDigestInfo [2] ObjectDigestInfo OPTIONAL
+ -- used to directly authenticate the holder,
+ -- for example, an executable
+ }
+
+
+ digestedObjectType can be one of the following:
+
otherObjectTypeID must not be empty.This cannot be used if a v1 attribute certificate is used.
+ + @param digestedObjectType The digest object type. + @param digestAlgorithm The algorithm identifier for the hash. + @param otherObjectTypeID The object type ID if +digestedObjectType is
+ otherObjectDigest.
+ @param objectDigest The hash value.
+ +
otherObjectTypeID must not be empty.null if no object
+ digest info is set.
+ null if no object digest info is set.
+ null if no object
+ digest info is set.
+ + Use this in preference to trying to recreate a principal from a string, not all + DNs are what they should be, so it's best to leave them encoded where they + can be.
++ At the moment this will deal with "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" + base 64 encoded certs, as well as the BER binaries of certificates and some classes of PKCS#7 + objects.
+isIndirect
+ is false {@link #getCertificateIssuer()} will always
+ return null, previousCertificateIssuer is
+ ignored. If this isIndirect is specified and this CrlEntry
+ has no certificate issuer CRL entry extension
+ previousCertificateIssuer is returned by
+ {@link #getCertificateIssuer()}.
+
+ @param c
+ TbsCertificateList.CrlEntry object.
+ @param isIndirect
+ true if the corresponding CRL is a indirect
+ CRL.
+ @param previousCertificateIssuer
+ Certificate issuer of the previous CrlEntry.
+
+ id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+ KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1),
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8) }
+
+ Selector like implementation to select
+ attribute certificates from a given set of criteria.
+
+ @see org.bouncycastle.x509.X509AttributeCertificate
+ @see org.bouncycastle.x509.X509Store
+ true if the object matches this selector.X509AttributeCertificate
+ must contain at least one of the specified target names.
+ + Each attribute certificate may contain a target information extension + limiting the servers where this attribute certificate can be used. If + this extension is not present, the attribute certificate is not targeted + and may be accepted by any server. +
+ + @param name The name as a GeneralName (notnull)
+ X509AttributeCertificate
+ must contain at least one of the specified target names.
+ + Each attribute certificate may contain a target information extension + limiting the servers where this attribute certificate can be used. If + this extension is not present, the attribute certificate is not targeted + and may be accepted by any server. +
+ + @param name a byte array containing the name in ASN.1 DER encoded form of a GeneralName + @throws IOException if a parsing error occurs. +null is
+ given any will do.
+ + The collection consists of either GeneralName objects or byte[] arrays representing + DER encoded GeneralName structures. +
+ + @param names A collection of target names. + @throws IOException if a parsing error occurs. + @see #AddTargetName(byte[]) + @see #AddTargetName(GeneralName) +Lists
+ made up of an Integer in the first entry and a DER encoded
+ byte array or a String in the second entry.
+ The returned collection is immutable.
+ + @return The collection of target names + @see #setTargetNames(Collection) +X509AttributeCertificate
+ must contain at least one of the specified target groups.
+ + Each attribute certificate may contain a target information extension + limiting the servers where this attribute certificate can be used. If + this extension is not present, the attribute certificate is not targeted + and may be accepted by any server. +
+ + @param group The group as GeneralName form (notnull)
+ X509AttributeCertificate
+ must contain at least one of the specified target groups.
+ + Each attribute certificate may contain a target information extension + limiting the servers where this attribute certificate can be used. If + this extension is not present, the attribute certificate is not targeted + and may be accepted by any server. +
+ + @param name a byte array containing the group in ASN.1 DER encoded form of a GeneralName + @throws IOException if a parsing error occurs. +null is
+ given any will do.
+
+ The collection consists of GeneralName objects or byte[]
+ representing DER encoded GeneralNames.
+
Lists
+ made up of an Integer in the first entry and a DER encoded
+ byte array or a String in the second entry.
+ The returned collection is immutable.
+ + @return The collection of target groups. + @see #setTargetGroups(Collection) +IX509Selector implementation to select
+ certificate pairs, which are e.g. used for cross certificates. The set of
+ criteria is given from two X509CertStoreSelector objects,
+ each of which, if present, must match the respective component of a pair.
+ X509CertificatePair, this method
+ returns false.
+ X509CertificatePair to be tested.
+ true if the object matches this selector.ISet of DerObjectIdentifier objects.
+ X509Stores.+ The collection is copied. +
+ICollection.ICollection of X509Name objects
+ null is specified, then no such
+ optional information is provided.
+
+ @param attrCert the IX509AttributeCertificate being checked (or
+ null)
+ @see #getAttrCertificateChecking()
+ true only complete CRLs are returned. Defaults to
+ false.
+
+ @return true if only complete CRLs are returned.
+ false.
+
+ @return Returns true if only CRLs with the delta CRL
+ indicator extension are selected.
+ + The issuing distribution point extension is a CRL extension which + identifies the scope and the distribution point of a CRL. The scope + contains among others information about revocation reasons contained in + the CRL. Delta CRLs and complete CRLs must have matching issuing + distribution points.
++ The byte array is cloned to protect against subsequent modifications.
++ You must also enable or disable this criteria with + {@link #setIssuingDistributionPointEnabled(bool)}.
+ + @param issuingDistributionPoint The issuing distribution point to set. + This is the DER encoded OCTET STRING extension value. + @see #getIssuingDistributionPoint() +false.
+ + You may also set the issuing distribution point criteria if not a missing + issuing distribution point should be assumed.
+ + @return Returns if the issuing distribution point check is enabled. +null.
+
+ @return Returns the maximum base CRL number.
+ @see #setMaxBaseCRLNumber(BigInteger)
+ + Note: if the object has been read from an input stream, the only + time you can be sure if isExplicit is returning the true state of + affairs is if it returns false. An implicitly tagged object may appear + to be explicitly tagged, so you need to understand the context under + which the reading was done as well, see GetObject below.
++ Note: tagged objects are generally context dependent if you're + trying to extract a tagged object you should be going via the + appropriate GetInstance method.
+null if not set.
+ @param indirectReference The indirect reference or null if not set.
+ @param dataValueDescriptor The data value descriptor or null if not set.
+ @param externalData The external data in its encoded form.
+ null if not set.
+ @param indirectReference The indirect reference or null if not set.
+ @param dataValueDescriptor The data value descriptor or null if not set.
+ @param encoding The encoding to be used for the external data
+ @param externalData The external data
+ 0 single-ASN1-type1 OCTET STRING2 BIT STRING+ Normally in a certificate we would expect "Z" rather than "GMT", + however adding the "GMT" means we can just use: +
+ dateF = new SimpleDateFormat("yyyyMMddHHmmssz");
+
+ To read in the time and Get a date which is compatible with our local
+ time zone.
+ + @param time the time string.
++ Normally in a certificate we would expect "Z" rather than "GMT", + however adding the "GMT" means we can just use: +
+ dateF = new SimpleDateFormat("yyMMddHHmmssz");
+
+ To read in the time and Get a date which is compatible with our local
+ time zone.
+ + Note: In some cases, due to the local date processing, this + may lead to unexpected results. If you want to stick the normal + convention of 1950 to 2049 use the GetAdjustedTime() method.
++ If you use this interface your class should also implement the getInstance + pattern which takes a tag object and the tagging mode used. +
+
+ CAKeyUpdAnnContent ::= SEQUENCE {
+ oldWithNew CmpCertificate, -- old pub signed with new priv
+ newWithOld CmpCertificate, -- new pub signed with old priv
+ newWithNew CmpCertificate -- new pub signed with new priv
+ }
+
+ @return a basic ASN.1 object representation.
+ + CertConfirmContent ::= SEQUENCE OF CertStatus ++ @return a basic ASN.1 object representation. +
+ CertOrEncCert ::= CHOICE {
+ certificate [0] CMPCertificate,
+ encryptedCert [1] EncryptedValue
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CertRepMessage ::= SEQUENCE {
+ caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+ OPTIONAL,
+ response SEQUENCE OF CertResponse
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CertResponse ::= SEQUENCE {
+ certReqId INTEGER,
+ -- to match this response with corresponding request (a value
+ -- of -1 is to be used if certReqId is not specified in the
+ -- corresponding request)
+ status PKIStatusInfo,
+ certifiedKeyPair CertifiedKeyPair OPTIONAL,
+ rspInfo OCTET STRING OPTIONAL
+ -- analogous to the id-regInfo-utf8Pairs string defined
+ -- for regInfo in CertReqMsg [CRMF]
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CertStatus ::= SEQUENCE {
+ certHash OCTET STRING,
+ -- the hash of the certificate, using the same hash algorithm
+ -- as is used to create and verify the certificate signature
+ certReqId INTEGER,
+ -- to match this confirmation with the corresponding req/rep
+ statusInfo PKIStatusInfo OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CertifiedKeyPair ::= SEQUENCE {
+ certOrEncCert CertOrEncCert,
+ privateKey [0] EncryptedValue OPTIONAL,
+ -- see [CRMF] for comment on encoding
+ publicationInfo [1] PKIPublicationInfo OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ Challenge ::= SEQUENCE {
+ owf AlgorithmIdentifier OPTIONAL,
+
+ -- MUST be present in the first Challenge; MAY be omitted in
+ -- any subsequent Challenge in POPODecKeyChallContent (if
+ -- omitted, then the owf used in the immediately preceding
+ -- Challenge is to be used).
+
+ witness OCTET STRING,
+ -- the result of applying the one-way function (owf) to a
+ -- randomly-generated INTEGER, A. [Note that a different
+ -- INTEGER MUST be used for each Challenge.]
+ challenge OCTET STRING
+ -- the encryption (under the public key for which the cert.
+ -- request is being made) of Rand, where Rand is specified as
+ -- Rand ::= SEQUENCE {
+ -- int INTEGER,
+ -- - the randomly-generated INTEGER A (above)
+ -- sender GeneralName
+ -- - the sender's name (as included in PKIHeader)
+ -- }
+ }
+
+ @return a basic ASN.1 object representation.
+
+ CMPCertificate ::= CHOICE {
+ x509v3PKCert Certificate
+ x509v2AttrCert [1] AttributeCertificate
+ }
+
+ Note: the addition of attribute certificates is a BC extension.
+
+ @return a basic ASN.1 object representation.
+ + CrlAnnContent ::= SEQUENCE OF CertificateList ++ @return a basic ASN.1 object representation. +
+ ErrorMsgContent ::= SEQUENCE {
+ pKIStatusInfo PKIStatusInfo,
+ errorCode INTEGER OPTIONAL,
+ -- implementation-specific error codes
+ errorDetails PKIFreeText OPTIONAL
+ -- implementation-specific error details
+ }
+
+ @return a basic ASN.1 object representation.
+ + GenMsgContent ::= SEQUENCE OF InfoTypeAndValue ++ @return a basic ASN.1 object representation. +
+ GenRepContent ::= SEQUENCE OF InfoTypeAndValue ++ @return a basic ASN.1 object representation. +
+ id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1}
+ CAProtEncCertValue ::= CMPCertificate
+ id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2}
+ SignKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
+ id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3}
+ EncKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier
+ id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4}
+ PreferredSymmAlgValue ::= AlgorithmIdentifier
+ id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5}
+ CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent
+ id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6}
+ CurrentCRLValue ::= CertificateList
+ id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
+ UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER
+ id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10}
+ KeyPairParamReqValue ::= OBJECT IDENTIFIER
+ id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11}
+ KeyPairParamRepValue ::= AlgorithmIdentifer
+ id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12}
+ RevPassphraseValue ::= EncryptedValue
+ id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13}
+ ImplicitConfirmValue ::= NULL
+ id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14}
+ ConfirmWaitTimeValue ::= GeneralizedTime
+ id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
+ OrigPKIMessageValue ::= PKIMessages
+ id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16}
+ SuppLangTagsValue ::= SEQUENCE OF UTF8String
+
+ where
+
+ id-pkix OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
+ and
+ id-it OBJECT IDENTIFIER ::= {id-pkix 4}
+
+
+ InfoTypeAndValue ::= SEQUENCE {
+ infoType OBJECT IDENTIFIER,
+ infoValue ANY DEFINED BY infoType OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ KeyRecRepContent ::= SEQUENCE {
+ status PKIStatusInfo,
+ newSigCert [0] CMPCertificate OPTIONAL,
+ caCerts [1] SEQUENCE SIZE (1..MAX) OF
+ CMPCertificate OPTIONAL,
+ keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
+ CertifiedKeyPair OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ OobCertHash ::= SEQUENCE {
+ hashAlg [0] AlgorithmIdentifier OPTIONAL,
+ certId [1] CertId OPTIONAL,
+ hashVal BIT STRING
+ -- hashVal is calculated over the Der encoding of the
+ -- self-signed certificate with the identifier certID.
+ }
+
+ @return a basic ASN.1 object representation.
+
+ PkiBody ::= CHOICE { -- message-specific body elements
+ ir [0] CertReqMessages, --Initialization Request
+ ip [1] CertRepMessage, --Initialization Response
+ cr [2] CertReqMessages, --Certification Request
+ cp [3] CertRepMessage, --Certification Response
+ p10cr [4] CertificationRequest, --imported from [PKCS10]
+ popdecc [5] POPODecKeyChallContent, --pop Challenge
+ popdecr [6] POPODecKeyRespContent, --pop Response
+ kur [7] CertReqMessages, --Key Update Request
+ kup [8] CertRepMessage, --Key Update Response
+ krr [9] CertReqMessages, --Key Recovery Request
+ krp [10] KeyRecRepContent, --Key Recovery Response
+ rr [11] RevReqContent, --Revocation Request
+ rp [12] RevRepContent, --Revocation Response
+ ccr [13] CertReqMessages, --Cross-Cert. Request
+ ccp [14] CertRepMessage, --Cross-Cert. Response
+ ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
+ cann [16] CertAnnContent, --Certificate Ann.
+ rann [17] RevAnnContent, --Revocation Ann.
+ crlann [18] CRLAnnContent, --CRL Announcement
+ pkiconf [19] PKIConfirmContent, --Confirmation
+ nested [20] NestedMessageContent, --Nested Message
+ genm [21] GenMsgContent, --General Message
+ genp [22] GenRepContent, --General Response
+ error [23] ErrorMsgContent, --Error Message
+ certConf [24] CertConfirmContent, --Certificate confirm
+ pollReq [25] PollReqContent, --Polling request
+ pollRep [26] PollRepContent --Polling response
+ }
+
+ @return a basic ASN.1 object representation.
+ + PkiConfirmContent ::= NULL ++ @return a basic ASN.1 object representation. +
+ PKIFailureInfo ::= BIT STRING {
+ badAlg (0),
+ -- unrecognized or unsupported Algorithm Identifier
+ badMessageCheck (1), -- integrity check failed (e.g., signature did not verify)
+ badRequest (2),
+ -- transaction not permitted or supported
+ badTime (3), -- messageTime was not sufficiently close to the system time, as defined by local policy
+ badCertId (4), -- no certificate could be found matching the provided criteria
+ badDataFormat (5),
+ -- the data submitted has the wrong format
+ wrongAuthority (6), -- the authority indicated in the request is different from the one creating the response token
+ incorrectData (7), -- the requester's data is incorrect (for notary services)
+ missingTimeStamp (8), -- when the timestamp is missing but should be there (by policy)
+ badPOP (9) -- the proof-of-possession failed
+ certRevoked (10),
+ certConfirmed (11),
+ wrongIntegrity (12),
+ badRecipientNonce (13),
+ timeNotAvailable (14),
+ -- the TSA's time source is not available
+ unacceptedPolicy (15),
+ -- the requested TSA policy is not supported by the TSA
+ unacceptedExtension (16),
+ -- the requested extension is not supported by the TSA
+ addInfoNotAvailable (17)
+ -- the additional information requested could not be understood
+ -- or is not available
+ badSenderNonce (18),
+ badCertTemplate (19),
+ signerNotTrusted (20),
+ transactionIdInUse (21),
+ unsupportedVersion (22),
+ notAuthorized (23),
+ systemUnavail (24),
+ systemFailure (25),
+ -- the request cannot be handled due to system failure
+ duplicateCertReq (26)
+
+ + PkiFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String ++
+ PkiHeader ::= SEQUENCE {
+ pvno INTEGER { cmp1999(1), cmp2000(2) },
+ sender GeneralName,
+ -- identifies the sender
+ recipient GeneralName,
+ -- identifies the intended recipient
+ messageTime [0] GeneralizedTime OPTIONAL,
+ -- time of production of this message (used when sender
+ -- believes that the transport will be "suitable"; i.e.,
+ -- that the time will still be meaningful upon receipt)
+ protectionAlg [1] AlgorithmIdentifier OPTIONAL,
+ -- algorithm used for calculation of protection bits
+ senderKID [2] KeyIdentifier OPTIONAL,
+ recipKID [3] KeyIdentifier OPTIONAL,
+ -- to identify specific keys used for protection
+ transactionID [4] OCTET STRING OPTIONAL,
+ -- identifies the transaction; i.e., this will be the same in
+ -- corresponding request, response, certConf, and PKIConf
+ -- messages
+ senderNonce [5] OCTET STRING OPTIONAL,
+ recipNonce [6] OCTET STRING OPTIONAL,
+ -- nonces used to provide replay protection, senderNonce
+ -- is inserted by the creator of this message; recipNonce
+ -- is a nonce previously inserted in a related message by
+ -- the intended recipient of this message
+ freeText [7] PKIFreeText OPTIONAL,
+ -- this may be used to indicate context-specific instructions
+ -- (this field is intended for human consumption)
+ generalInfo [8] SEQUENCE SIZE (1..MAX) OF
+ InfoTypeAndValue OPTIONAL
+ -- this may be used to convey context-specific information
+ -- (this field not primarily intended for human consumption)
+ }
+
+ @return a basic ASN.1 object representation.
+
+ PKIHeader ::= SEQUENCE {
+ pvno INTEGER { cmp1999(1), cmp2000(2) },
+ sender GeneralName,
+ -- identifies the sender
+ recipient GeneralName,
+ -- identifies the intended recipient
+ messageTime [0] GeneralizedTime OPTIONAL,
+ -- time of production of this message (used when sender
+ -- believes that the transport will be "suitable"; i.e.,
+ -- that the time will still be meaningful upon receipt)
+ protectionAlg [1] AlgorithmIdentifier OPTIONAL,
+ -- algorithm used for calculation of protection bits
+ senderKID [2] KeyIdentifier OPTIONAL,
+ recipKID [3] KeyIdentifier OPTIONAL,
+ -- to identify specific keys used for protection
+ transactionID [4] OCTET STRING OPTIONAL,
+ -- identifies the transaction; i.e., this will be the same in
+ -- corresponding request, response, certConf, and PKIConf
+ -- messages
+ senderNonce [5] OCTET STRING OPTIONAL,
+ recipNonce [6] OCTET STRING OPTIONAL,
+ -- nonces used to provide replay protection, senderNonce
+ -- is inserted by the creator of this message; recipNonce
+ -- is a nonce previously inserted in a related message by
+ -- the intended recipient of this message
+ freeText [7] PKIFreeText OPTIONAL,
+ -- this may be used to indicate context-specific instructions
+ -- (this field is intended for human consumption)
+ generalInfo [8] SEQUENCE SIZE (1..MAX) OF
+ InfoTypeAndValue OPTIONAL
+ -- this may be used to convey context-specific information
+ -- (this field not primarily intended for human consumption)
+ }
+
+ @return a basic ASN.1 object representation.
+
+ PkiMessage ::= SEQUENCE {
+ header PKIHeader,
+ body PKIBody,
+ protection [0] PKIProtection OPTIONAL,
+ extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+ OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+ + PkiMessages ::= SEQUENCE SIZE (1..MAX) OF PkiMessage ++ @return a basic ASN.1 object representation. +
+ PkiStatusInfo ::= SEQUENCE {
+ status PKIStatus, (INTEGER)
+ statusString PkiFreeText OPTIONAL,
+ failInfo PkiFailureInfo OPTIONAL (BIT STRING)
+ }
+
+ PKIStatus:
+ granted (0), -- you got exactly what you asked for
+ grantedWithMods (1), -- you got something like what you asked for
+ rejection (2), -- you don't get it, more information elsewhere in the message
+ waiting (3), -- the request body part has not yet been processed, expect to hear more later
+ revocationWarning (4), -- this message contains a warning that a revocation is imminent
+ revocationNotification (5), -- notification that a revocation has occurred
+ keyUpdateWarning (6) -- update already done for the oldCertId specified in CertReqMsg
+
+ PkiFailureInfo:
+ badAlg (0), -- unrecognized or unsupported Algorithm Identifier
+ badMessageCheck (1), -- integrity check failed (e.g., signature did not verify)
+ badRequest (2), -- transaction not permitted or supported
+ badTime (3), -- messageTime was not sufficiently close to the system time, as defined by local policy
+ badCertId (4), -- no certificate could be found matching the provided criteria
+ badDataFormat (5), -- the data submitted has the wrong format
+ wrongAuthority (6), -- the authority indicated in the request is different from the one creating the response token
+ incorrectData (7), -- the requester's data is incorrect (for notary services)
+ missingTimeStamp (8), -- when the timestamp is missing but should be there (by policy)
+ badPOP (9) -- the proof-of-possession failed
+
+
+
+ PbmParameter ::= SEQUENCE {
+ salt OCTET STRING,
+ -- note: implementations MAY wish to limit acceptable sizes
+ -- of this string to values appropriate for their environment
+ -- in order to reduce the risk of denial-of-service attacks
+ owf AlgorithmIdentifier,
+ -- AlgId for a One-Way Function (SHA-1 recommended)
+ iterationCount INTEGER,
+ -- number of times the OWF is applied
+ -- note: implementations MAY wish to limit acceptable sizes
+ -- of this integer to values appropriate for their environment
+ -- in order to reduce the risk of denial-of-service attacks
+ mac AlgorithmIdentifier
+ -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+ } -- or HMAC [RFC2104, RFC2202])
+
+ @return a basic ASN.1 object representation.
+
+ PollRepContent ::= SEQUENCE OF SEQUENCE {
+ certReqId INTEGER,
+ checkAfter INTEGER, -- time in seconds
+ reason PKIFreeText OPTIONAL
+ }
+
+ @return a basic ASN.1 object representation.
+
+ PollReqContent ::= SEQUENCE OF SEQUENCE {
+ certReqId INTEGER
+ }
+
+ @return a basic ASN.1 object representation.
+ + PopoDecKeyChallContent ::= SEQUENCE OF Challenge ++ @return a basic ASN.1 object representation. +
+ PopoDecKeyRespContent ::= SEQUENCE OF INTEGER ++ @return a basic ASN.1 object representation. +
+ ProtectedPart ::= SEQUENCE {
+ header PKIHeader,
+ body PKIBody
+ }
+
+ @return a basic ASN.1 object representation.
+
+ RevAnnContent ::= SEQUENCE {
+ status PKIStatus,
+ certId CertId,
+ willBeRevokedAt GeneralizedTime,
+ badSinceDate GeneralizedTime,
+ crlDetails Extensions OPTIONAL
+ -- extra CRL details (e.g., crl number, reason, location, etc.)
+ }
+
+ @return a basic ASN.1 object representation.
+
+ RevDetails ::= SEQUENCE {
+ certDetails CertTemplate,
+ -- allows requester to specify as much as they can about
+ -- the cert. for which revocation is requested
+ -- (e.g., for cases in which serialNumber is not available)
+ crlEntryDetails Extensions OPTIONAL
+ -- requested crlEntryExtensions
+ }
+
+ @return a basic ASN.1 object representation.
+
+ RevRepContent ::= SEQUENCE {
+ status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
+ -- in same order as was sent in RevReqContent
+ revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
+ -- IDs for which revocation was requested
+ -- (same order as status)
+ crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
+ -- the resulting CRLs (there may be more than one)
+ }
+
+ @return a basic ASN.1 object representation.
+ + RevReqContent ::= SEQUENCE OF RevDetails ++ @return a basic ASN.1 object representation. +
+ Attribute ::= SEQUENCE {
+ attrType OBJECT IDENTIFIER,
+ attrValues SET OF AttributeValue
+ }
+
+ + Attributes ::= + SET SIZE(1..MAX) OF Attribute -- according to RFC 5652 ++ @return +
+ AuthEnvelopedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ authEncryptedContentInfo EncryptedContentInfo,
+ authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
+ mac MessageAuthenticationCode,
+ unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL }
+
+
+ AuthEnvelopedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ authEncryptedContentInfo EncryptedContentInfo,
+ authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
+ mac MessageAuthenticationCode,
+ unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL }
+
+
+ AuthenticatedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ macAlgorithm MessageAuthenticationCodeAlgorithm,
+ digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
+ encapContentInfo EncapsulatedContentInfo,
+ authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
+ mac MessageAuthenticationCode,
+ unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
+
+ AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+ UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+ MessageAuthenticationCode ::= OCTET STRING
+
+
+ AuthenticatedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ macAlgorithm MessageAuthenticationCodeAlgorithm,
+ digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
+ encapContentInfo EncapsulatedContentInfo,
+ authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
+ mac MessageAuthenticationCode,
+ unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
+
+ AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+ UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+ MessageAuthenticationCode ::= OCTET STRING
+
+
+ CompressedData ::= Sequence {
+ version CMSVersion,
+ compressionAlgorithm CompressionAlgorithmIdentifier,
+ encapContentInfo EncapsulatedContentInfo
+ }
+
+
+ CompressedData ::= SEQUENCE {
+ version CMSVersion,
+ compressionAlgorithm CompressionAlgorithmIdentifier,
+ encapContentInfo EncapsulatedContentInfo
+ }
+
+
+ ContentInfo ::= Sequence {
+ contentType ContentType,
+ content
+ [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+
+
+ ContentInfo ::= SEQUENCE {
+ contentType ContentType,
+ content
+ [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+
+
+ EncryptedContentInfo ::= Sequence {
+ contentType ContentType,
+ contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
+ encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL
+ }
+
+
+ EncryptedContentInfo ::= SEQUENCE {
+ contentType ContentType,
+ contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
+ encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL
+ }
+
+
+ EncryptedData ::= SEQUENCE {
+ version CMSVersion,
+ encryptedContentInfo EncryptedContentInfo,
+ unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+
+ EnvelopedData ::= Sequence {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ encryptedContentInfo EncryptedContentInfo,
+ unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL
+ }
+
+
+ EnvelopedData ::= SEQUENCE {
+ version CMSVersion,
+ originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
+ recipientInfos RecipientInfos,
+ encryptedContentInfo EncryptedContentInfo,
+ unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL
+ }
+
+
+ KekIdentifier ::= Sequence {
+ keyIdentifier OCTET STRING,
+ date GeneralizedTime OPTIONAL,
+ other OtherKeyAttribute OPTIONAL
+ }
+
+
+ KekRecipientInfo ::= Sequence {
+ version CMSVersion, -- always set to 4
+ kekID KekIdentifier,
+ keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ encryptedKey EncryptedKey
+ }
+
+
+ KeyAgreeRecipientIdentifier ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ rKeyId [0] IMPLICIT RecipientKeyIdentifier
+ }
+
+
+ * KeyAgreeRecipientInfo ::= Sequence {
+ * version CMSVersion, -- always set to 3
+ * originator [0] EXPLICIT OriginatorIdentifierOrKey,
+ * ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
+ * keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ * recipientEncryptedKeys RecipientEncryptedKeys
+ * }
+ *
+ * UserKeyingMaterial ::= OCTET STRING
+ *
+
+ KeyTransRecipientInfo ::= Sequence {
+ version CMSVersion, -- always set to 0 or 2
+ rid RecipientIdentifier,
+ keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ encryptedKey EncryptedKey
+ }
+
+
+ MetaData ::= SEQUENCE {
+ hashProtected BOOLEAN,
+ fileName UTF8String OPTIONAL,
+ mediaType IA5String OPTIONAL,
+ otherMetaData Attributes OPTIONAL
+ }
+
+ @return
+
+ OriginatorIdentifierOrKey ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ subjectKeyIdentifier [0] SubjectKeyIdentifier,
+ originatorKey [1] OriginatorPublicKey
+ }
+
+ SubjectKeyIdentifier ::= OCTET STRING
+
+
+ OriginatorInfo ::= Sequence {
+ certs [0] IMPLICIT CertificateSet OPTIONAL,
+ crls [1] IMPLICIT CertificateRevocationLists OPTIONAL
+ }
+
+
+ OriginatorPublicKey ::= Sequence {
+ algorithm AlgorithmIdentifier,
+ publicKey BIT STRING
+ }
+
+
+ OtherKeyAttribute ::= Sequence {
+ keyAttrId OBJECT IDENTIFIER,
+ keyAttr ANY DEFINED BY keyAttrId OPTIONAL
+ }
+
+
+ OtherRecipientInfo ::= Sequence {
+ oriType OBJECT IDENTIFIER,
+ oriValue ANY DEFINED BY oriType }
+
+
+ OtherRevocationInfoFormat ::= SEQUENCE {
+ otherRevInfoFormat OBJECT IDENTIFIER,
+ otherRevInfo ANY DEFINED BY otherRevInfoFormat }
+
+
+ PasswordRecipientInfo ::= Sequence {
+ version CMSVersion, -- Always set to 0
+ keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
+ OPTIONAL,
+ keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+ encryptedKey EncryptedKey }
+
+
+ RecipientEncryptedKey ::= SEQUENCE {
+ rid KeyAgreeRecipientIdentifier,
+ encryptedKey EncryptedKey
+ }
+
+
+ RecipientIdentifier ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ subjectKeyIdentifier [0] SubjectKeyIdentifier
+ }
+
+ SubjectKeyIdentifier ::= OCTET STRING
+
+
+ RecipientInfo ::= CHOICE {
+ ktri KeyTransRecipientInfo,
+ kari [1] KeyAgreeRecipientInfo,
+ kekri [2] KekRecipientInfo,
+ pwri [3] PasswordRecipientInfo,
+ ori [4] OtherRecipientInfo }
+
+
+ RecipientKeyIdentifier ::= Sequence {
+ subjectKeyIdentifier SubjectKeyIdentifier,
+ date GeneralizedTime OPTIONAL,
+ other OtherKeyAttribute OPTIONAL
+ }
+
+ SubjectKeyIdentifier ::= OCTET STRING
+
+
+ ScvpReqRes ::= SEQUENCE {
+ request [0] EXPLICIT ContentInfo OPTIONAL,
+ response ContentInfo }
+
+ @return the ASN.1 primitive representation.
+
+ SignedData ::= Sequence {
+ version CMSVersion,
+ digestAlgorithms DigestAlgorithmIdentifiers,
+ encapContentInfo EncapsulatedContentInfo,
+ certificates [0] IMPLICIT CertificateSet OPTIONAL,
+ crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
+ signerInfos SignerInfos
+ }
+
+
+ SignedData ::= SEQUENCE {
+ version CMSVersion,
+ digestAlgorithms DigestAlgorithmIdentifiers,
+ encapContentInfo EncapsulatedContentInfo,
+ certificates [0] IMPLICIT CertificateSet OPTIONAL,
+ crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
+ signerInfos SignerInfos
+ }
+
+
+ SignerIdentifier ::= CHOICE {
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ subjectKeyIdentifier [0] SubjectKeyIdentifier
+ }
+
+ SubjectKeyIdentifier ::= OCTET STRING
+
+
+ SignerInfo ::= Sequence {
+ version Version,
+ SignerIdentifier sid,
+ digestAlgorithm DigestAlgorithmIdentifier,
+ authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
+ digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
+ encryptedDigest EncryptedDigest,
+ unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
+ }
+
+ EncryptedDigest ::= OCTET STRING
+
+ DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+
+ DigestEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+
+ TimeStampAndCRL ::= SEQUENCE {
+ timeStamp TimeStampToken, -- according to RFC 3161
+ crl CertificateList OPTIONAL -- according to RFC 5280
+ }
+
+ @return
+ + TimeStampTokenEvidence ::= + SEQUENCE SIZE(1..MAX) OF TimeStampAndCrl ++ @return +
+ TimeStampedData ::= SEQUENCE {
+ version INTEGER { v1(1) },
+ dataUri IA5String OPTIONAL,
+ metaData MetaData OPTIONAL,
+ content OCTET STRING OPTIONAL,
+ temporalEvidence Evidence
+ }
+
+ @return
+
+ MQVuserKeyingMaterial ::= SEQUENCE {
+ ephemeralPublicKey OriginatorPublicKey,
+ addedukm [0] EXPLICIT UserKeyingMaterial OPTIONAL }
+
+
+ AttributeTypeAndValue ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ value ANY DEFINED BY type }
+
+ @return a basic ASN.1 object representation.
+
+ CertId ::= SEQUENCE {
+ issuer GeneralName,
+ serialNumber INTEGER }
+
+ @return a basic ASN.1 object representation.
+ + CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg ++ @return a basic ASN.1 object representation. +
+ CertReqMsg ::= SEQUENCE {
+ certReq CertRequest,
+ pop ProofOfPossession OPTIONAL,
+ -- content depends upon key type
+ regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+
+ CertRequest ::= SEQUENCE {
+ certReqId INTEGER, -- ID for matching request and reply
+ certTemplate CertTemplate, -- Selected fields of cert to be issued
+ controls Controls OPTIONAL } -- Attributes affecting issuance
+
+ @return a basic ASN.1 object representation.
+
+ CertTemplate ::= SEQUENCE {
+ version [0] Version OPTIONAL,
+ serialNumber [1] INTEGER OPTIONAL,
+ signingAlg [2] AlgorithmIdentifier OPTIONAL,
+ issuer [3] Name OPTIONAL,
+ validity [4] OptionalValidity OPTIONAL,
+ subject [5] Name OPTIONAL,
+ publicKey [6] SubjectPublicKeyInfo OPTIONAL,
+ issuerUID [7] UniqueIdentifier OPTIONAL,
+ subjectUID [8] UniqueIdentifier OPTIONAL,
+ extensions [9] Extensions OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+
+ CertTemplate ::= SEQUENCE {
+ version [0] Version OPTIONAL,
+ serialNumber [1] INTEGER OPTIONAL,
+ signingAlg [2] AlgorithmIdentifier OPTIONAL,
+ issuer [3] Name OPTIONAL,
+ validity [4] OptionalValidity OPTIONAL,
+ subject [5] Name OPTIONAL,
+ publicKey [6] SubjectPublicKeyInfo OPTIONAL,
+ issuerUID [7] UniqueIdentifier OPTIONAL,
+ subjectUID [8] UniqueIdentifier OPTIONAL,
+ extensions [9] Extensions OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+ + Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue ++ @return a basic ASN.1 object representation. +
+ EncKeyWithID ::= SEQUENCE {
+ privateKey PrivateKeyInfo,
+ identifier CHOICE {
+ string UTF8String,
+ generalName GeneralName
+ } OPTIONAL
+ }
+
+ @return
+
+ EncryptedKey ::= CHOICE {
+ encryptedValue EncryptedValue, -- deprecated
+ envelopedData [0] EnvelopedData }
+ -- The encrypted private key MUST be placed in the envelopedData
+ -- encryptedContentInfo encryptedContent OCTET STRING.
+
+
+ EncryptedValue ::= SEQUENCE {
+ intendedAlg [0] AlgorithmIdentifier OPTIONAL,
+ -- the intended algorithm for which the value will be used
+ symmAlg [1] AlgorithmIdentifier OPTIONAL,
+ -- the symmetric algorithm used to encrypt the value
+ encSymmKey [2] BIT STRING OPTIONAL,
+ -- the (encrypted) symmetric key used to encrypt the value
+ keyAlg [3] AlgorithmIdentifier OPTIONAL,
+ -- algorithm used to encrypt the symmetric key
+ valueHint [4] OCTET STRING OPTIONAL,
+ -- a brief description or identifier of the encValue content
+ -- (may be meaningful only to the sending entity, and used only
+ -- if EncryptedValue might be re-examined by the sending entity
+ -- in the future)
+ encValue BIT STRING }
+ -- the encrypted value itself
+
+ @return a basic ASN.1 object representation.
+
+ OptionalValidity ::= SEQUENCE {
+ notBefore [0] Time OPTIONAL,
+ notAfter [1] Time OPTIONAL } --at least one MUST be present
+
+ @return a basic ASN.1 object representation.
+
+ PkiArchiveOptions ::= CHOICE {
+ encryptedPrivKey [0] EncryptedKey,
+ -- the actual value of the private key
+ keyGenParameters [1] KeyGenParameters,
+ -- parameters which allow the private key to be re-generated
+ archiveRemGenPrivKey [2] BOOLEAN }
+ -- set to TRUE if sender wishes receiver to archive the private
+ -- key of a key pair that the receiver generates in response to
+ -- this request; set to FALSE if no archival is desired.
+
+
+ PkiPublicationInfo ::= SEQUENCE {
+ action INTEGER {
+ dontPublish (0),
+ pleasePublish (1) },
+ pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }
+ -- pubInfos MUST NOT be present if action is "dontPublish"
+ -- (if action is "pleasePublish" and pubInfos is omitted,
+ -- "dontCare" is assumed)
+
+ @return a basic ASN.1 object representation.
+
+ PKMACValue ::= SEQUENCE {
+ algId AlgorithmIdentifier,
+ -- algorithm value shall be PasswordBasedMac 1.2.840.113533.7.66.13
+ -- parameter value is PBMParameter
+ value BIT STRING }
+
+ @return a basic ASN.1 object representation.
+
+ PopoPrivKey ::= CHOICE {
+ thisMessage [0] BIT STRING, -- Deprecated
+ -- possession is proven in this message (which contains the private
+ -- key itself (encrypted for the CA))
+ subsequentMessage [1] SubsequentMessage,
+ -- possession will be proven in a subsequent message
+ dhMAC [2] BIT STRING, -- Deprecated
+ agreeMAC [3] PKMACValue,
+ encryptedKey [4] EnvelopedData }
+
+
+ PopoSigningKey ::= SEQUENCE {
+ poposkInput [0] PopoSigningKeyInput OPTIONAL,
+ algorithmIdentifier AlgorithmIdentifier,
+ signature BIT STRING }
+ -- The signature (using "algorithmIdentifier") is on the
+ -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg
+ -- certReq CertTemplate contains the subject and publicKey values,
+ -- then poposkInput MUST be omitted and the signature MUST be
+ -- computed on the DER-encoded value of CertReqMsg certReq. If
+ -- the CertReqMsg certReq CertTemplate does not contain the public
+ -- key and subject values, then poposkInput MUST be present and
+ -- MUST be signed. This strategy ensures that the public key is
+ -- not present in both the poposkInput and CertReqMsg certReq
+ -- CertTemplate fields.
+
+ @return a basic ASN.1 object representation.
+
+ PopoSigningKeyInput ::= SEQUENCE {
+ authInfo CHOICE {
+ sender [0] GeneralName,
+ -- used only if an authenticated identity has been
+ -- established for the sender (e.g., a DN from a
+ -- previously-issued and currently-valid certificate
+ publicKeyMac PKMacValue },
+ -- used if no authenticated GeneralName currently exists for
+ -- the sender; publicKeyMac contains a password-based MAC
+ -- on the DER-encoded value of publicKey
+ publicKey SubjectPublicKeyInfo } -- from CertTemplate
+
+ @return a basic ASN.1 object representation.
+
+ ProofOfPossession ::= CHOICE {
+ raVerified [0] NULL,
+ -- used if the RA has already verified that the requester is in
+ -- possession of the private key
+ signature [1] PopoSigningKey,
+ keyEncipherment [2] PopoPrivKey,
+ keyAgreement [3] PopoPrivKey }
+
+ @return a basic ASN.1 object representation.
+
+ SinglePubInfo ::= SEQUENCE {
+ pubMethod INTEGER {
+ dontCare (0),
+ x500 (1),
+ web (2),
+ ldap (3) },
+ pubLocation GeneralName OPTIONAL }
+
+ @return a basic ASN.1 object representation.
+
+ Gost28147-89-Parameters ::=
+ SEQUENCE {
+ iv Gost28147-89-IV,
+ encryptionParamSet OBJECT IDENTIFIER
+ }
+
+ Gost28147-89-IV ::= OCTET STRING (SIZE (8))
+
+
+ CertificateValues ::= SEQUENCE OF Certificate
+
+
+ CommitmentTypeIndication ::= SEQUENCE {
+ commitmentTypeId CommitmentTypeIdentifier,
+ commitmentTypeQualifier SEQUENCE SIZE (1..MAX) OF
+ CommitmentTypeQualifier OPTIONAL }
+
+
+ CommitmentTypeQualifier ::= SEQUENCE {
+ commitmentTypeIdentifier CommitmentTypeIdentifier,
+ qualifier ANY DEFINED BY commitmentTypeIdentifier OPTIONAL }
+
+ CommitmentTypeQualifier instance.
+
+ @param commitmentTypeIdentifier a CommitmentTypeIdentifier value
+ CommitmentTypeQualifier instance.
+
+ @param commitmentTypeIdentifier a CommitmentTypeIdentifier value
+ @param qualifier the qualifier, defined by the above field.
+ CommitmentTypeQualifier instance.
+
+ @param as CommitmentTypeQualifier structure
+ encoded as an Asn1Sequence.
+ Asn1Object value
+
+ CompleteCertificateRefs ::= SEQUENCE OF OtherCertID
+
+
+ CompleteRevocationRefs ::= SEQUENCE OF CrlOcspRef
+
+
+ CrlIdentifier ::= SEQUENCE
+ {
+ crlissuer Name,
+ crlIssuedTime UTCTime,
+ crlNumber INTEGER OPTIONAL
+ }
+
+
+ CRLListID ::= SEQUENCE
+ {
+ crls SEQUENCE OF CrlValidatedID
+ }
+
+
+ CrlOcspRef ::= SEQUENCE {
+ crlids [0] CRLListID OPTIONAL,
+ ocspids [1] OcspListID OPTIONAL,
+ otherRev [2] OtherRevRefs OPTIONAL
+ }
+
+
+ CrlValidatedID ::= SEQUENCE {
+ crlHash OtherHash,
+ crlIdentifier CrlIdentifier OPTIONAL}
+
+
+ OcspIdentifier ::= SEQUENCE {
+ ocspResponderID ResponderID,
+ -- As in OCSP response data
+ producedAt GeneralizedTime
+ -- As in OCSP response data
+ }
+
+
+ OcspListID ::= SEQUENCE {
+ ocspResponses SEQUENCE OF OcspResponsesID
+ }
+
+
+ OcspResponsesID ::= SEQUENCE {
+ ocspIdentifier OcspIdentifier,
+ ocspRepHash OtherHash OPTIONAL
+ }
+
+
+ OtherCertID ::= SEQUENCE {
+ otherCertHash OtherHash,
+ issuerSerial IssuerSerial OPTIONAL
+ }
+
+
+ OtherHash ::= CHOICE {
+ sha1Hash OtherHashValue, -- This contains a SHA-1 hash
+ otherHash OtherHashAlgAndValue
+ }
+
+ OtherHashValue ::= OCTET STRING
+
+
+ OtherHashAlgAndValue ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ hashValue OtherHashValue
+ }
+
+ OtherHashValue ::= OCTET STRING
+
+
+ OtherRevRefs ::= SEQUENCE
+ {
+ otherRevRefType OtherRevRefType,
+ otherRevRefs ANY DEFINED BY otherRevRefType
+ }
+
+ OtherRevRefType ::= OBJECT IDENTIFIER
+
+
+ OtherRevVals ::= SEQUENCE
+ {
+ otherRevValType OtherRevValType,
+ otherRevVals ANY DEFINED BY otherRevValType
+ }
+
+ OtherRevValType ::= OBJECT IDENTIFIER
+
+
+ OtherSigningCertificate ::= SEQUENCE {
+ certs SEQUENCE OF OtherCertID,
+ policies SEQUENCE OF PolicyInformation OPTIONAL
+ }
+
+
+ RevocationValues ::= SEQUENCE {
+ crlVals [0] SEQUENCE OF CertificateList OPTIONAL,
+ ocspVals [1] SEQUENCE OF BasicOCSPResponse OPTIONAL,
+ otherRevVals [2] OtherRevVals OPTIONAL
+ }
+
+
+ SigPolicyQualifierInfo ::= SEQUENCE {
+ sigPolicyQualifierId SigPolicyQualifierId,
+ sigQualifier ANY DEFINED BY sigPolicyQualifierId
+ }
+
+ SigPolicyQualifierId ::= OBJECT IDENTIFIER
+
+
+ SignaturePolicyId ::= SEQUENCE {
+ sigPolicyIdentifier SigPolicyId,
+ sigPolicyHash SigPolicyHash,
+ sigPolicyQualifiers SEQUENCE SIZE (1..MAX) OF SigPolicyQualifierInfo OPTIONAL
+ }
+
+ SigPolicyId ::= OBJECT IDENTIFIER
+
+ SigPolicyHash ::= OtherHashAlgAndValue
+
+
+ SignaturePolicyIdentifier ::= CHOICE {
+ SignaturePolicyId SignaturePolicyId,
+ SignaturePolicyImplied SignaturePolicyImplied
+ }
+
+ SignaturePolicyImplied ::= NULL
+
+
+ SignerAttribute ::= SEQUENCE OF CHOICE {
+ claimedAttributes [0] ClaimedAttributes,
+ certifiedAttributes [1] CertifiedAttributes }
+
+ ClaimedAttributes ::= SEQUENCE OF Attribute
+ CertifiedAttributes ::= AttributeCertificate -- as defined in RFC 3281: see clause 4.1.
+
+
+ SignerLocation ::= SEQUENCE {
+ countryName [0] DirectoryString OPTIONAL,
+ localityName [1] DirectoryString OPTIONAL,
+ postalAddress [2] PostalAddress OPTIONAL }
+
+ PostalAddress ::= SEQUENCE SIZE(1..6) OF DirectoryString
+
+
+ SignerLocation ::= SEQUENCE {
+ countryName [0] DirectoryString OPTIONAL,
+ localityName [1] DirectoryString OPTIONAL,
+ postalAddress [2] PostalAddress OPTIONAL }
+
+ PostalAddress ::= SEQUENCE SIZE(1..6) OF DirectoryString
+
+ DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1.. MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+
+ ContentHints ::= SEQUENCE {
+ contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
+ contentType ContentType }
+
+ + ContentIdentifier ::= OCTET STRING ++ id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 7 } +
+ EssCertID ::= SEQUENCE {
+ certHash Hash,
+ issuerSerial IssuerSerial OPTIONAL }
+
+
+ EssCertIDv2 ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier
+ DEFAULT {algorithm id-sha256},
+ certHash Hash,
+ issuerSerial IssuerSerial OPTIONAL
+ }
+
+ Hash ::= OCTET STRING
+
+ IssuerSerial ::= SEQUENCE {
+ issuer GeneralNames,
+ serialNumber CertificateSerialNumber
+ }
+
+
+ OtherCertID ::= SEQUENCE {
+ otherCertHash OtherHash,
+ issuerSerial IssuerSerial OPTIONAL }
+
+ OtherHash ::= CHOICE {
+ sha1Hash OCTET STRING,
+ otherHash OtherHashAlgAndValue }
+
+ OtherHashAlgAndValue ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ hashValue OCTET STRING }
+
+
+
+ OtherSigningCertificate ::= SEQUENCE {
+ certs SEQUENCE OF OtherCertID,
+ policies SEQUENCE OF PolicyInformation OPTIONAL
+ }
+
+ id-aa-ets-otherSigCert OBJECT IDENTIFIER ::= { iso(1)
+ member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
+ smime(16) id-aa(2) 19 }
+
+ SigningCertificate ::= SEQUENCE {
+ certs SEQUENCE OF EssCertID,
+ policies SEQUENCE OF PolicyInformation OPTIONAL
+ }
+
+ id-aa-signingCertificate OBJECT IDENTIFIER ::= { iso(1)
+ member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
+ smime(16) id-aa(2) 12 }
+
+ SigningCertificateV2 ::= SEQUENCE {
+ certs SEQUENCE OF EssCertIDv2,
+ policies SEQUENCE OF PolicyInformation OPTIONAL
+ }
+
+ id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= { iso(1)
+ member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
+ smime(16) id-aa(2) 47 }
+
+ CscaMasterList ::= SEQUENCE {
+ version CscaMasterListVersion,
+ certList SET OF Certificate }
+
+ CscaMasterListVersion :: INTEGER {v0(0)}
+
+
+ DataGroupHash ::= SEQUENCE {
+ dataGroupNumber DataGroupNumber,
+ dataGroupHashValue OCTET STRING }
+
+ DataGroupNumber ::= INTEGER {
+ dataGroup1 (1),
+ dataGroup1 (2),
+ dataGroup1 (3),
+ dataGroup1 (4),
+ dataGroup1 (5),
+ dataGroup1 (6),
+ dataGroup1 (7),
+ dataGroup1 (8),
+ dataGroup1 (9),
+ dataGroup1 (10),
+ dataGroup1 (11),
+ dataGroup1 (12),
+ dataGroup1 (13),
+ dataGroup1 (14),
+ dataGroup1 (15),
+ dataGroup1 (16) }
+
+
+
+ LDSSecurityObject ::= SEQUENCE {
+ version LDSSecurityObjectVersion,
+ hashAlgorithm DigestAlgorithmIdentifier,
+ dataGroupHashValues SEQUENCE SIZE (2..ub-DataGroups) OF DataHashGroup,
+ ldsVersionInfo LDSVersionInfo OPTIONAL
+ -- if present, version MUST be v1 }
+
+ DigestAlgorithmIdentifier ::= AlgorithmIdentifier,
+
+ LDSSecurityObjectVersion :: INTEGER {V0(0)}
+
+
+ LDSVersionInfo ::= SEQUENCE {
+ ldsVersion PRINTABLE STRING
+ unicodeVersion PRINTABLE STRING
+ }
+
+ @return
+ + DateOfCertGenSyntax ::= GeneralizedTime ++
+ ICCSNSyntax ::= OCTET STRING (SIZE(8..20)) ++
+ PKReferenceSyntax ::= OCTET STRING (SIZE(20)) ++
+ RestrictionSyntax ::= DirectoryString (SIZE(1..1024)) ++ + @see Org.BouncyCastle.Asn1.IsisMtt.X509.Restriction +
+ RetrieveIfAllowed ::= BOOLEAN ++
+ CertInDirSince ::= GeneralizedTime ++
+ NameAtBirth ::= DirectoryString(SIZE(1..64) ++ + Used in + {@link Org.BouncyCastle.Asn1.X509.SubjectDirectoryAttributes SubjectDirectoryAttributes} +
+ AdditionalInformationSyntax ::= DirectoryString (SIZE(1..2048)) ++ + @see Org.BouncyCastle.Asn1.IsisMtt.X509.AdditionalInformationSyntax +
+ LiabilityLimitationFlagSyntax ::= BOOLEAN ++
+ CertHash ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ certificateHash OCTET STRING
+ }
+
+
+ CertHash ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ certificateHash OCTET STRING
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ CertHash ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ certificateHash OCTET STRING
+ }
+
+
+ @return an Asn1Object
+
+ RequestedCertificate ::= CHOICE {
+ Certificate Certificate,
+ publicKeyCertificate [0] EXPLICIT OCTET STRING,
+ attributeCertificate [1] EXPLICIT OCTET STRING
+ }
+
+ null.
+
+ @param certificate Given as Certificate
+
+ RequestedCertificate ::= CHOICE {
+ Certificate Certificate,
+ publicKeyCertificate [0] EXPLICIT OCTET STRING,
+ attributeCertificate [1] EXPLICIT OCTET STRING
+ }
+
+
+ @return an Asn1Object
+ + AdditionalInformationSyntax ::= DirectoryString (SIZE(1..2048)) ++
+ AdditionalInformationSyntax ::= DirectoryString (SIZE(1..2048)) ++ + @return an Asn1Object +
+ AdmissionSyntax ::= SEQUENCE
+ {
+ admissionAuthority GeneralName OPTIONAL,
+ contentsOfAdmissions SEQUENCE OF Admissions
+ }
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+
+ ISIS-MTT PROFILE: The relatively complex structure of AdmissionSyntax
+ supports the following concepts and requirements:
+
+ AdmissionSyntax ::= SEQUENCE
+ {
+ admissionAuthority GeneralName OPTIONAL,
+ contentsOfAdmissions SEQUENCE OF Admissions
+ }
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ AdmissionSyntax ::= SEQUENCE
+ {
+ admissionAuthority GeneralName OPTIONAL,
+ contentsOfAdmissions SEQUENCE OF Admissions
+ }
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @return an Asn1Object
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+
+
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.AdmissionSyntax
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.ProfessionInfo
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.NamingAuthority
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+
+ @param seq The ASN.1 sequence.
+ professionInfos is mandatory.
+
+ @param admissionAuthority The admission authority.
+ @param namingAuthority The naming authority.
+ @param professionInfos The profession infos.
+
+ Admissions ::= SEQUENCE
+ {
+ admissionAuthority [0] EXPLICIT GeneralName OPTIONAL
+ namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL
+ professionInfos SEQUENCE OF ProfessionInfo
+ }
+
+
+
+ @return an Asn1Object
+
+ DeclarationOfMajoritySyntax ::= CHOICE
+ {
+ notYoungerThan [0] IMPLICIT INTEGER,
+ fullAgeAtCountry [1] IMPLICIT SEQUENCE
+ {
+ fullAge BOOLEAN DEFAULT TRUE,
+ country PrintableString (SIZE(2))
+ }
+ dateOfBirth [2] IMPLICIT GeneralizedTime
+ }
+
+
+ fullAgeAtCountry indicates the majority of the owner with respect to the laws
+ of a specific country.
+
+ DeclarationOfMajoritySyntax ::= CHOICE
+ {
+ notYoungerThan [0] IMPLICIT INTEGER,
+ fullAgeAtCountry [1] IMPLICIT SEQUENCE
+ {
+ fullAge BOOLEAN DEFAULT TRUE,
+ country PrintableString (SIZE(2))
+ }
+ dateOfBirth [2] IMPLICIT GeneralizedTime
+ }
+
+
+ @return an Asn1Object
+
+ MonetaryLimitSyntax ::= SEQUENCE
+ {
+ currency PrintableString (SIZE(3)),
+ amount INTEGER,
+ exponent INTEGER
+ }
+
+
+ currency must be the ISO code.
+
+ value = amount�10*exponent
+
+ MonetaryLimitSyntax ::= SEQUENCE
+ {
+ currency PrintableString (SIZE(3)),
+ amount INTEGER,
+ exponent INTEGER
+ }
+
+
+ @return an Asn1Object
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityID OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.AdmissionSyntax
+
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityID OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ NamingAuthority ::= SEQUENCE
+ {
+ namingAuthorityID OBJECT IDENTIFIER OPTIONAL,
+ namingAuthorityUrl IA5String OPTIONAL,
+ namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL
+ }
+
+
+ @return an Asn1Object
+ + ISIS-MTT PROFILE: The corresponding ProcurationSyntax contains either the + name of the person who is represented (subcomponent thirdPerson) or a + reference to his/her base certificate (in the component signingFor, + subcomponent certRef), furthermore the optional components country and + typeSubstitution to indicate the country whose laws apply, and respectively + the type of procuration (e.g. manager, procuration, custody). +
++ ISIS-MTT PROFILE: The GeneralName MUST be of type directoryName and MAY only + contain: - RFC3039 attributes, except pseudonym (countryName, commonName, + surname, givenName, serialNumber, organizationName, organizationalUnitName, + stateOrProvincename, localityName, postalAddress) and - SubjectDirectoryName + attributes (title, dateOfBirth, placeOfBirth, gender, countryOfCitizenship, + countryOfResidence and NameAtBirth). +
+
+ ProcurationSyntax ::= SEQUENCE {
+ country [1] EXPLICIT PrintableString(SIZE(2)) OPTIONAL,
+ typeOfSubstitution [2] EXPLICIT DirectoryString (SIZE(1..128)) OPTIONAL,
+ signingFor [3] EXPLICIT SigningFor
+ }
+
+ SigningFor ::= CHOICE
+ {
+ thirdPerson GeneralName,
+ certRef IssuerSerial
+ }
+
+
+
+ ProcurationSyntax ::= SEQUENCE {
+ country [1] EXPLICIT PrintableString(SIZE(2)) OPTIONAL,
+ typeOfSubstitution [2] EXPLICIT DirectoryString (SIZE(1..128)) OPTIONAL,
+ signingFor [3] EXPLICIT SigningFor
+ }
+
+ SigningFor ::= CHOICE
+ {
+ thirdPerson GeneralName,
+ certRef IssuerSerial
+ }
+
+
+ @param seq The ASN.1 sequence.
+ generalName or certRef MUST be
+ null.
+
+ @param country The country code whose laws apply.
+ @param typeOfSubstitution The type of procuration.
+ @param certRef Reference to certificate of the person who is represented.
+ generalName or certRef MUST be
+ null.
+
+ @param country The country code whose laws apply.
+ @param typeOfSubstitution The type of procuration.
+ @param thirdPerson The GeneralName of the person who is represented.
+
+ ProcurationSyntax ::= SEQUENCE {
+ country [1] EXPLICIT PrintableString(SIZE(2)) OPTIONAL,
+ typeOfSubstitution [2] EXPLICIT DirectoryString (SIZE(1..128)) OPTIONAL,
+ signingFor [3] EXPLICIT SigningFor
+ }
+
+ SigningFor ::= CHOICE
+ {
+ thirdPerson GeneralName,
+ certRef IssuerSerial
+ }
+
+
+ @return an Asn1Object
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOids SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @see Org.BouncyCastle.Asn1.IsisMtt.X509.AdmissionSyntax
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOids SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @param seq The ASN.1 sequence.
+ professionItems is mandatory, all other parameters are
+ optional.
+
+ @param namingAuthority The naming authority.
+ @param professionItems Directory strings of the profession.
+ @param professionOids DERObjectIdentfier objects for the
+ profession.
+ @param registrationNumber Registration number.
+ @param addProfessionInfo Additional infos in encoded form.
+
+ ProfessionInfo ::= SEQUENCE
+ {
+ namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
+ professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
+ professionOids SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
+ registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
+ addProfessionInfo OCTET STRING OPTIONAL
+ }
+
+
+ @return an Asn1Object
+ + RestrictionSyntax ::= DirectoryString (SIZE(1..1024)) ++
+ RestrictionSyntax ::= DirectoryString (SIZE(1..1024)) ++ + @param restriction A IAsn1String. +
+ RestrictionSyntax ::= DirectoryString (SIZE(1..1024)) + ++ + @return an Asn1Object +
+ cast5CBCParameters ::= Sequence {
+ iv OCTET STRING DEFAULT 0,
+ -- Initialization vector
+ keyLength Integer
+ -- Key length, in bits
+ }
+
+
+ IDEA-CBCPar ::= Sequence {
+ iv OCTET STRING OPTIONAL -- exactly 8 octets
+ }
+
+
+ NetscapeCertType ::= BIT STRING {
+ SSLClient (0),
+ SSLServer (1),
+ S/MIME (2),
+ Object Signing (3),
+ Reserved (4),
+ SSL CA (5),
+ S/MIME CA (6),
+ Object Signing CA (7) }
+
+
+ PublicKeyAndChallenge ::= SEQUENCE {
+ spki SubjectPublicKeyInfo,
+ challenge IA5STRING
+ }
+
+
+
+ BasicOcspResponse ::= Sequence {
+ tbsResponseData ResponseData,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT Sequence OF Certificate OPTIONAL }
+
+
+ CertID ::= Sequence {
+ hashAlgorithm AlgorithmIdentifier,
+ issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+ issuerKeyHash OCTET STRING, -- Hash of Issuers public key
+ serialNumber CertificateSerialNumber }
+
+
+ CertStatus ::= CHOICE {
+ good [0] IMPLICIT Null,
+ revoked [1] IMPLICIT RevokedInfo,
+ unknown [2] IMPLICIT UnknownInfo }
+
+
+ CrlID ::= Sequence {
+ crlUrl [0] EXPLICIT IA5String OPTIONAL,
+ crlNum [1] EXPLICIT Integer OPTIONAL,
+ crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
+
+
+ OcspRequest ::= Sequence {
+ tbsRequest TBSRequest,
+ optionalSignature [0] EXPLICIT Signature OPTIONAL }
+
+
+ OcspResponse ::= Sequence {
+ responseStatus OcspResponseStatus,
+ responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
+
+
+ OcspResponseStatus ::= Enumerated {
+ successful (0), --Response has valid confirmations
+ malformedRequest (1), --Illegal confirmation request
+ internalError (2), --Internal error in issuer
+ tryLater (3), --Try again later
+ --(4) is not used
+ sigRequired (5), --Must sign the request
+ unauthorized (6) --Request unauthorized
+ }
+
+
+ Request ::= Sequence {
+ reqCert CertID,
+ singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
+
+
+ ResponderID ::= CHOICE {
+ byName [1] Name,
+ byKey [2] KeyHash }
+
+
+ ResponseBytes ::= Sequence {
+ responseType OBJECT IDENTIFIER,
+ response OCTET STRING }
+
+
+ ResponseData ::= Sequence {
+ version [0] EXPLICIT Version DEFAULT v1,
+ responderID ResponderID,
+ producedAt GeneralizedTime,
+ responses Sequence OF SingleResponse,
+ responseExtensions [1] EXPLICIT Extensions OPTIONAL }
+
+
+ RevokedInfo ::= Sequence {
+ revocationTime GeneralizedTime,
+ revocationReason [0] EXPLICIT CRLReason OPTIONAL }
+
+
+ ServiceLocator ::= Sequence {
+ issuer Name,
+ locator AuthorityInfoAccessSyntax OPTIONAL }
+
+
+ Signature ::= Sequence {
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT Sequence OF Certificate OPTIONAL}
+
+
+ SingleResponse ::= Sequence {
+ certID CertID,
+ certStatus CertStatus,
+ thisUpdate GeneralizedTime,
+ nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+ singleExtensions [1] EXPLICIT Extensions OPTIONAL }
+
+
+ TBSRequest ::= Sequence {
+ version [0] EXPLICIT Version DEFAULT v1,
+ requestorName [1] EXPLICIT GeneralName OPTIONAL,
+ requestList Sequence OF Request,
+ requestExtensions [2] EXPLICIT Extensions OPTIONAL }
+
+
+ Attr ::= Sequence {
+ attrType OBJECT IDENTIFIER,
+ attrValues Set OF AttributeValue
+ }
+
+
+ CertificationRequest ::= Sequence {
+ certificationRequestInfo CertificationRequestInfo,
+ signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
+ signature BIT STRING
+ }
+
+
+ CertificationRequestInfo ::= Sequence {
+ version Integer { v1(0) } (v1,...),
+ subject Name,
+ subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+ attributes [0] Attributes{{ CRIAttributes }}
+ }
+
+ Attributes { ATTRIBUTE:IOSet } ::= Set OF Attr{{ IOSet }}
+
+ Attr { ATTRIBUTE:IOSet } ::= Sequence {
+ type ATTRIBUTE.&id({IOSet}),
+ values Set SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{\@type})
+ }
+
+
+ ContentInfo ::= Sequence {
+ contentType ContentType,
+ content
+ [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+
+
+ EncryptedData ::= Sequence {
+ version Version,
+ encryptedContentInfo EncryptedContentInfo
+ }
+
+
+ EncryptedContentInfo ::= Sequence {
+ contentType ContentType,
+ contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
+ encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL
+ }
+
+ EncryptedContent ::= OCTET STRING
+
+
+ EncryptedPrivateKeyInfo ::= Sequence {
+ encryptionAlgorithm AlgorithmIdentifier {{KeyEncryptionAlgorithms}},
+ encryptedData EncryptedData
+ }
+
+ EncryptedData ::= OCTET STRING
+
+ KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
+ ... -- For local profiles
+ }
+
+
+ MacData ::= SEQUENCE {
+ mac DigestInfo,
+ macSalt OCTET STRING,
+ iterations INTEGER DEFAULT 1
+ -- Note: The default is for historic reasons and its use is deprecated. A
+ -- higher value, like 1024 is recommended.
+
+ @return the basic DERObject construction.
+
+ PrivateKeyInfo ::= Sequence {
+ version Version,
+ privateKeyAlgorithm AlgorithmIdentifier {{PrivateKeyAlgorithms}},
+ privateKey PrivateKey,
+ attributes [0] IMPLICIT Attributes OPTIONAL
+ }
+ Version ::= Integer {v1(0)} (v1,...)
+
+ PrivateKey ::= OCTET STRING
+
+ Attributes ::= Set OF Attr
+
+
+ RSAES-OAEP-params ::= SEQUENCE {
+ hashAlgorithm [0] OAEP-PSSDigestAlgorithms DEFAULT sha1,
+ maskGenAlgorithm [1] PKCS1MGFAlgorithms DEFAULT mgf1SHA1,
+ pSourceAlgorithm [2] PKCS1PSourceAlgorithms DEFAULT pSpecifiedEmpty
+ }
+
+ OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-sha1 PARAMETERS NULL }|
+ { OID id-sha256 PARAMETERS NULL }|
+ { OID id-sha384 PARAMETERS NULL }|
+ { OID id-sha512 PARAMETERS NULL },
+ ... -- Allows for future expansion --
+ }
+ PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-mgf1 PARAMETERS OAEP-PSSDigestAlgorithms },
+ ... -- Allows for future expansion --
+ }
+ PKCS1PSourceAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-pSpecified PARAMETERS OCTET STRING },
+ ... -- Allows for future expansion --
+ }
+
+ @return the asn1 primitive representing the parameters.
+
+ RsaPrivateKey ::= Sequence {
+ version Version,
+ modulus Integer, -- n
+ publicExponent Integer, -- e
+ privateExponent Integer, -- d
+ prime1 Integer, -- p
+ prime2 Integer, -- q
+ exponent1 Integer, -- d mod (p-1)
+ exponent2 Integer, -- d mod (q-1)
+ coefficient Integer -- (inverse of q) mod p
+ }
+
+ Version ::= Integer
+
+ This routine is written to output Pkcs1 version 0, private keys.
+
+ RSASSA-PSS-params ::= SEQUENCE {
+ hashAlgorithm [0] OAEP-PSSDigestAlgorithms DEFAULT sha1,
+ maskGenAlgorithm [1] PKCS1MGFAlgorithms DEFAULT mgf1SHA1,
+ saltLength [2] INTEGER DEFAULT 20,
+ trailerField [3] TrailerField DEFAULT trailerFieldBC
+ }
+
+ OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-sha1 PARAMETERS NULL }|
+ { OID id-sha256 PARAMETERS NULL }|
+ { OID id-sha384 PARAMETERS NULL }|
+ { OID id-sha512 PARAMETERS NULL },
+ ... -- Allows for future expansion --
+ }
+
+ PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
+ { OID id-mgf1 PARAMETERS OAEP-PSSDigestAlgorithms },
+ ... -- Allows for future expansion --
+ }
+
+ TrailerField ::= INTEGER { trailerFieldBC(1) }
+
+ @return the asn1 primitive representing the parameters.
+
+ SignedData ::= Sequence {
+ version Version,
+ digestAlgorithms DigestAlgorithmIdentifiers,
+ contentInfo ContentInfo,
+ certificates
+ [0] IMPLICIT ExtendedCertificatesAndCertificates
+ OPTIONAL,
+ crls
+ [1] IMPLICIT CertificateRevocationLists OPTIONAL,
+ signerInfos SignerInfos }
+
+
+ SignerInfo ::= Sequence {
+ version Version,
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ digestAlgorithm DigestAlgorithmIdentifier,
+ authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
+ digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
+ encryptedDigest EncryptedDigest,
+ unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
+ }
+
+ EncryptedDigest ::= OCTET STRING
+
+ DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+
+ DigestEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+
+ + SMIMECapabilities ::= Sequence OF SMIMECapability ++
+ SMIMECapability ::= Sequence {
+ capabilityID OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY capabilityID OPTIONAL
+ }
+
+
+ SmimeEncryptionKeyPreference ::= CHOICE {
+ issuerAndSerialNumber [0] IssuerAndSerialNumber,
+ receipentKeyId [1] RecipientKeyIdentifier,
+ subjectAltKeyIdentifier [2] SubjectKeyIdentifier
+ }
+
+
+ Accuracy ::= SEQUENCE {
+ seconds INTEGER OPTIONAL,
+ millis [0] INTEGER (1..999) OPTIONAL,
+ micros [1] INTEGER (1..999) OPTIONAL
+ }
+
+
+ MessageImprint ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ hashedMessage OCTET STRING }
+
+
+
+ TstInfo ::= SEQUENCE {
+ version INTEGER { v1(1) },
+ policy TSAPolicyId,
+ messageImprint MessageImprint,
+ -- MUST have the same value as the similar field in
+ -- TimeStampReq
+ serialNumber INTEGER,
+ -- Time-Stamping users MUST be ready to accommodate integers
+ -- up to 160 bits.
+ genTime GeneralizedTime,
+ accuracy Accuracy OPTIONAL,
+ ordering BOOLEAN DEFAULT FALSE,
+ nonce INTEGER OPTIONAL,
+ -- MUST be present if the similar field was present
+ -- in TimeStampReq. In that case it MUST have the same value.
+ tsa [0] GeneralName OPTIONAL,
+ extensions [1] IMPLICIT Extensions OPTIONAL }
+
+
+
+ TimeStampReq ::= SEQUENCE {
+ version INTEGER { v1(1) },
+ messageImprint MessageImprint,
+ --a hash algorithm OID and the hash value of the data to be
+ --time-stamped
+ reqPolicy TSAPolicyId OPTIONAL,
+ nonce INTEGER OPTIONAL,
+ certReq BOOLEAN DEFAULT FALSE,
+ extensions [0] IMPLICIT Extensions OPTIONAL
+ }
+
+
+ TimeStampResp ::= SEQUENCE {
+ status PkiStatusInfo,
+ timeStampToken TimeStampToken OPTIONAL }
+
+
+ DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1..MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+
+ AccessDescription ::= SEQUENCE {
+ accessMethod OBJECT IDENTIFIER,
+ accessLocation GeneralName }
+
+
+ AlgorithmIdentifier ::= Sequence {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+
+
+ AttCertIssuer ::= CHOICE {
+ v1Form GeneralNames, -- MUST NOT be used in this
+ -- profile
+ v2Form [0] V2Form -- v2 only
+ }
+
+
+ AttCertValidityPeriod ::= Sequence {
+ notBeforeTime GeneralizedTime,
+ notAfterTime GeneralizedTime
+ }
+
+
+ Attr ::= Sequence {
+ attrType OBJECT IDENTIFIER,
+ attrValues Set OF AttributeValue
+ }
+
+
+ AttributeCertificate ::= Sequence {
+ acinfo AttributeCertificateInfo,
+ signatureAlgorithm AlgorithmIdentifier,
+ signatureValue BIT STRING
+ }
+
+
+ AttributeCertificateInfo ::= Sequence {
+ version AttCertVersion -- version is v2,
+ holder Holder,
+ issuer AttCertIssuer,
+ signature AlgorithmIdentifier,
+ serialNumber CertificateSerialNumber,
+ attrCertValidityPeriod AttCertValidityPeriod,
+ attributes Sequence OF Attr,
+ issuerUniqueID UniqueIdentifier OPTIONAL,
+ extensions Extensions OPTIONAL
+ }
+
+ AttCertVersion ::= Integer { v2(1) }
+
+
+ id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+
+ AuthorityInfoAccessSyntax ::=
+ Sequence SIZE (1..MAX) OF AccessDescription
+ AccessDescription ::= Sequence {
+ accessMethod OBJECT IDENTIFIER,
+ accessLocation GeneralName }
+
+ id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+ id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+ id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
+
+
+ id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
+
+ AuthorityKeyIdentifier ::= Sequence {
+ keyIdentifier [0] IMPLICIT KeyIdentifier OPTIONAL,
+ authorityCertIssuer [1] IMPLICIT GeneralNames OPTIONAL,
+ authorityCertSerialNumber [2] IMPLICIT CertificateSerialNumber OPTIONAL }
+
+ KeyIdentifier ::= OCTET STRING
+
+
+ + * SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence)new ASN1InputStream( + * publicKey.getEncoded()).readObject()); + * AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki); + *+ * + * +
+ BasicConstraints := Sequence {
+ cA Boolean DEFAULT FALSE,
+ pathLenConstraint Integer (0..MAX) OPTIONAL
+ }
+
+
+ CrlDistPoint ::= Sequence SIZE {1..MAX} OF DistributionPoint
+
+ + CRLNumber::= Integer(0..MAX) ++
+ CRLReason ::= Enumerated {
+ unspecified (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ removeFromCRL (8),
+ privilegeWithdrawn (9),
+ aACompromise (10)
+ }
+
+ + CertPolicyId ::= OBJECT IDENTIFIER ++
+ CertificateList ::= Sequence {
+ tbsCertList TbsCertList,
+ signatureAlgorithm AlgorithmIdentifier,
+ signatureValue BIT STRING }
+
+
+ crossCertificatePairATTRIBUTE::={
+ WITH SYNTAX CertificatePair
+ EQUALITY MATCHING RULE certificatePairExactMatch
+ ID joint-iso-ccitt(2) ds(5) attributeType(4) crossCertificatePair(40)}
+
+
+ The forward elements of the crossCertificatePair attribute of a + CA's directory entry shall be used to store all, except self-issued + certificates issued to this CA. Optionally, the reverse elements of the + crossCertificatePair attribute, of a CA's directory entry may contain a + subset of certificates issued by this CA to other CAs. When both the forward + and the reverse elements are present in a single attribute value, issuer name + in one certificate shall match the subject name in the other and vice versa, + and the subject public key in one certificate shall be capable of verifying + the digital signature on the other certificate and vice versa. + + When a reverse element is present, the forward element value and the reverse + element value need not be stored in the same attribute value; in other words, + they can be stored in either a single attribute value or two attribute + values.+ +
+ CertificatePair ::= SEQUENCE {
+ forward [0] Certificate OPTIONAL,
+ reverse [1] Certificate OPTIONAL,
+ -- at least one of the pair shall be present -- }
+
+
+ CertificatePair ::= SEQUENCE {
+ forward [0] Certificate OPTIONAL,
+ reverse [1] Certificate OPTIONAL,
+ -- at least one of the pair shall be present -- }
+
+
+ @param seq The ASN.1 sequence.
+
+ CertificatePair ::= SEQUENCE {
+ forward [0] Certificate OPTIONAL,
+ reverse [1] Certificate OPTIONAL,
+ -- at least one of the pair shall be present -- }
+
+
+ @return a DERObject
+
+ CertificatePolicies ::= SEQUENCE SIZE {1..MAX} OF PolicyInformation
+
+
+ DigestInfo::=Sequence{
+ digestAlgorithm AlgorithmIdentifier,
+ digest OCTET STRING }
+
+ DisplayText class, used in
+ CertificatePolicies X509 V3 extensions (in policy qualifiers).
+
+ It stores a string in a chosen encoding. +
+ DisplayText ::= CHOICE {
+ ia5String IA5String (SIZE (1..200)),
+ visibleString VisibleString (SIZE (1..200)),
+ bmpString BMPString (SIZE (1..200)),
+ utf8String UTF8String (SIZE (1..200)) }
+
+ @see PolicyQualifierInfo
+ @see PolicyInformation
+ DisplayTextMaximumSize here.
+
+ DisplayText instance.
+
+ @param type the desired encoding type for the text.
+ @param text the text to store. Strings longer than 200
+ characters are truncated.
+ DisplayText instance.
+
+ @param text the text to encapsulate. Strings longer than 200
+ characters are truncated.
+ DisplayText instance.
+ Useful when reading back a DisplayText class
+ from it's Asn1Encodable form.
Asn1Encodable instance.
+ string object.
+
+ @return the stored text as a string.
+
+ DistributionPoint ::= Sequence {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ reasons [1] ReasonFlags OPTIONAL,
+ cRLIssuer [2] GeneralNames OPTIONAL
+ }
+
+
+ DistributionPointName ::= CHOICE {
+ fullName [0] GeneralNames,
+ nameRelativeToCRLIssuer [1] RDN
+ }
+
+ + extendedKeyUsage ::= Sequence SIZE (1..MAX) OF KeyPurposeId ++
+ GeneralName ::= CHOICE {
+ otherName [0] OtherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+ directoryName [4] Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER}
+
+ OtherName ::= Sequence {
+ type-id OBJECT IDENTIFIER,
+ value [0] EXPLICIT ANY DEFINED BY type-id }
+
+ EDIPartyName ::= Sequence {
+ nameAssigner [0] DirectoryString OPTIONAL,
+ partyName [1] DirectoryString }
+
+ + This constructor can handle: +
+ Note: A directory name can be encoded in different ways into a byte + representation. Be aware of this if the byte representation is used for + comparing results. +
+ + @param tag tag number + @param name string representation of name + @throws ArgumentException if the string encoding is not correct or + not supported. +
+ GeneralNames ::= Sequence SIZE {1..MAX} OF GeneralName
+
+
+
+ GeneralSubtree ::= SEQUENCE
+ {
+ baseName GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL
+ }
+
+
+ @see org.bouncycastle.asn1.x509.NameConstraints
+
+
+ If minimum is null, zero is assumed, if
+ maximum is null, maximum is absent.
+ GeneralSubtree ::= SEQUENCE
+ {
+ baseName GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL
+ }
+
+
+ @return a DERObject
+ + For an v2 attribute certificate this is: + +
+ Holder ::= SEQUENCE {
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ -- the issuer and serial number of
+ -- the holder's Public Key Certificate
+ entityName [1] GeneralNames OPTIONAL,
+ -- the name of the claimant or role
+ objectDigestInfo [2] ObjectDigestInfo OPTIONAL
+ -- used to directly authenticate the holder,
+ -- for example, an executable
+ }
+
+
+ + For an v1 attribute certificate this is: + +
+ subject CHOICE {
+ baseCertificateID [0] IssuerSerial,
+ -- associated with a Public Key Certificate
+ subjectName [1] GeneralNames },
+ -- associated with a name
+
+
+
+ Holder ::= Sequence {
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ -- the issuer and serial number of
+ -- the holder's Public Key Certificate
+ entityName [1] GeneralNames OPTIONAL,
+ -- the name of the claimant or role
+ objectDigestInfo [2] ObjectDigestInfo OPTIONAL
+ -- used to directly authenticate the holder,
+ -- for example, an executable
+ }
+
+ IetfAttrSyntax as specified by RFC3281.
+
+
+ IetfAttrSyntax ::= Sequence {
+ policyAuthority [0] GeneralNames OPTIONAL,
+ values Sequence OF CHOICE {
+ octets OCTET STRING,
+ oid OBJECT IDENTIFIER,
+ string UTF8String
+ }
+ }
+
+
+
+ IssuerSerial ::= Sequence {
+ issuer GeneralNames,
+ serial CertificateSerialNumber,
+ issuerUid UniqueIdentifier OPTIONAL
+ }
+
+
+ IssuingDistributionPoint ::= SEQUENCE {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
+ onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
+ onlySomeReasons [3] ReasonFlags OPTIONAL,
+ indirectCRL [4] BOOLEAN DEFAULT FALSE,
+ onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
+
+ true then the CRL contains revocation
+ information about certificates ssued by other CAs.
+ @param onlyContainsAttributeCerts Covers revocation information for attribute certificates.
+ + KeyPurposeID ::= OBJECT IDENTIFIER ++
+ id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+ KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1),
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8) }
+
+ permitted and excluded are Vectors of GeneralSubtree objects.
+ + @param permitted Permitted subtrees + @param excluded Excluded subtrees +NoticeReference class, used in
+ CertificatePolicies X509 V3 extensions
+ (in policy qualifiers).
+
+
+ NoticeReference ::= Sequence {
+ organization DisplayText,
+ noticeNumbers Sequence OF Integer }
+
+
+
+ @see PolicyQualifierInfo
+ @see PolicyInformation
+ NoticeReference instance.
+
+ @param organization a String value
+ @param numbers a Vector value
+ NoticeReference instance.
+
+ @param organization a String value
+ @param noticeNumbers an ASN1EncodableVector value
+ NoticeReference instance.
+
+ @param organization displayText
+ @param noticeNumbers an ASN1EncodableVector value
+ NoticeReference instance.
+ Useful for reconstructing a NoticeReference
+ instance from its encodable/encoded form.
Asn1Sequence value obtained from either
+ calling @{link ToAsn1Object()} for a NoticeReference
+ instance or from parsing it from a Der-encoded stream.
+ ToAsn1Object method here.
+
+ @return a Asn1Object value
+
+
+ ObjectDigestInfo ::= SEQUENCE {
+ digestedObjectType ENUMERATED {
+ publicKey (0),
+ publicKeyCert (1),
+ otherObjectTypes (2) },
+ -- otherObjectTypes MUST NOT
+ -- be used in this profile
+ otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
+ digestAlgorithm AlgorithmIdentifier,
+ objectDigest BIT STRING
+ }
+
+
+
+
+ If digestedObjectType is not {@link #publicKeyCert} or
+ {@link #publicKey} otherObjectTypeID must be given,
+ otherwise it is ignored.
otherObjectDigest.
+ @param digestAlgorithm The algorithm identifier for the hash.
+ @param objectDigest The hash value.
+
+
+ ObjectDigestInfo ::= SEQUENCE {
+ digestedObjectType ENUMERATED {
+ publicKey (0),
+ publicKeyCert (1),
+ otherObjectTypes (2) },
+ -- otherObjectTypes MUST NOT
+ -- be used in this profile
+ otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
+ digestAlgorithm AlgorithmIdentifier,
+ objectDigest BIT STRING
+ }
+
+
+
+ PolicyMappings ::= Sequence SIZE (1..MAX) OF Sequence {
+ issuerDomainPolicy CertPolicyId,
+ subjectDomainPolicy CertPolicyId }
+
+
+ @see RFC 3280, section 4.2.1.6
+ PolicyMappings instance.
+
+ @param seq an Asn1Sequence constructed as specified
+ in RFC 3280
+ PolicyMappings instance.
+
+ @param mappings a HashMap value that maps
+ string oids
+ to other string oids.
+
+ id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+ id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
+ id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
+ PolicyQualifierId ::=
+ OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+
+
+ PolicyQualifierInfo ::= Sequence {
+ policyQualifierId PolicyQualifierId,
+ qualifier ANY DEFINED BY policyQualifierId }
+
+ PolicyQualifierInfo instance.
+
+ @param policyQualifierId a PolicyQualifierId value
+ @param qualifier the qualifier, defined by the above field.
+ PolicyQualifierInfo containing a
+ cPSuri qualifier.
+
+ @param cps the CPS (certification practice statement) uri as a
+ string.
+ PolicyQualifierInfo instance.
+
+ @param as PolicyQualifierInfo X509 structure
+ encoded as an Asn1Sequence.
+ Asn1Object value
+
+ PrivateKeyUsagePeriod ::= SEQUENCE
+ {
+ notBefore [0] GeneralizedTime OPTIONAL,
+ notAfter [1] GeneralizedTime OPTIONAL }
+
+
+ RSAPublicKey ::= Sequence {
+ modulus Integer, -- n
+ publicExponent Integer, -- e
+ }
+
+
+ ReasonFlags ::= BIT STRING {
+ unused(0),
+ keyCompromise(1),
+ cACompromise(2),
+ affiliationChanged(3),
+ superseded(4),
+ cessationOfOperation(5),
+ certficateHold(6)
+ }
+
+
+ RoleSyntax ::= SEQUENCE {
+ roleAuthority [0] GeneralNames OPTIONAL,
+ roleName [1] GeneralName
+ }
+
+
+ RoleSyntax. It must be an instance of RoleSyntax
+ or Asn1Sequence.
+ @return the instance of RoleSyntax built from the
+ supplied object.
+ @throws java.lang.ArgumentException if the object passed
+ to the factory is not an instance of RoleSyntax or
+ Asn1Sequence.
+ new RoleSyntax(null, roleName).
+ @param roleName the role name of this RoleSyntax.
+ string argument representing
+ the role name, builds a GeneralName to hold the role name
+ and calls the constructor that takes a GeneralName.
+ @param roleName
+ RoleSyntax by
+ extracting the encoded elements from the Asn1Sequence
+ object supplied.
+ @param seq an instance of Asn1Sequence that holds
+ the encoded elements used to build this RoleSyntax.
+ GeneralNames holding the
+ role authority of this RoleSyntax.
+ GeneralName holding the
+ role name of this RoleSyntax.
+ java.lang.string object.
+ @return the role name of this RoleSyntax represented as a
+ string object.
+ string[] object.
+ @return the role authority of this RoleSyntax represented as a
+ string[] array.
+ ToAsn1Object as
+ required by the superclass ASN1Encodable.
+
+
+ RoleSyntax ::= SEQUENCE {
+ roleAuthority [0] GeneralNames OPTIONAL,
+ roleName [1] GeneralName
+ }
+
+
+ SubjectDirectoryAttributes ::= Attributes
+ Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ Attribute ::= SEQUENCE
+ {
+ type AttributeType
+ values SET OF AttributeValue
+ }
+
+ AttributeType ::= OBJECT IDENTIFIER
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+
+ @see org.bouncycastle.asn1.x509.X509Name for AttributeType ObjectIdentifiers.
+
+ SubjectDirectoryAttributes ::= Attributes
+ Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ Attribute ::= SEQUENCE
+ {
+ type AttributeType
+ values SET OF AttributeValue
+ }
+
+ AttributeType ::= OBJECT IDENTIFIER
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+
+ @param seq
+ The ASN.1 sequence.
+
+ SubjectDirectoryAttributes ::= Attributes
+ Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ Attribute ::= SEQUENCE
+ {
+ type AttributeType
+ values SET OF AttributeValue
+ }
+
+ AttributeType ::= OBJECT IDENTIFIER
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+
+ @return a DERObject
+ + SubjectKeyIdentifier::= OCTET STRING ++
+ (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the + value of the BIT STRING subjectPublicKey (excluding the tag, + length, and number of unused bits). ++ @param keyInfo the key info object containing the subjectPublicKey field. + @return the key identifier. +
+ (2) The keyIdentifier is composed of a four bit type field with + the value 0100 followed by the least significant 60 bits of the + SHA-1 hash of the value of the BIT STRING subjectPublicKey. ++ @param keyInfo the key info object containing the subjectPublicKey field. + @return the key identifier. +
+ The GetEncoded() method in the public keys in the JCE produces a DER + encoded one of these.
+
+ SubjectPublicKeyInfo ::= Sequence {
+ algorithm AlgorithmIdentifier,
+ publicKey BIT STRING }
+
+
+ TbsCertList ::= Sequence {
+ version Version OPTIONAL,
+ -- if present, shall be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates Sequence OF Sequence {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+ crlExtensions [0] EXPLICIT Extensions OPTIONAL
+ -- if present, shall be v2
+ }
+
+
+ TbsCertificate ::= Sequence {
+ version [ 0 ] Version DEFAULT v1(0),
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueID [ 1 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ subjectUniqueID [ 2 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ extensions [ 3 ] Extensions OPTIONAL
+ }
+
+ + Note: issuerUniqueID and subjectUniqueID are both deprecated by the IETF. This class + will parse them, but you really shouldn't be creating new ones.
+
+ Target ::= CHOICE {
+ targetName [0] GeneralName,
+ targetGroup [1] GeneralName,
+ targetCert [2] TargetCert
+ }
+
+
+ + The targetCert field is currently not supported and must not be used + according to RFC 3281.
+
+ obj can be a Target or a {@link Asn1TaggedObject}
+ Exactly one of the parameters must be not null.
+ Target ::= CHOICE {
+ targetName [0] GeneralName,
+ targetGroup [1] GeneralName,
+ targetCert [2] TargetCert
+ }
+
+
+ @return an Asn1Object
+ + SEQUENCE OF Targets ++ +
+ obj can be a TargetInformation or a {@link Asn1Sequence}
+ The ArrayList is cloned before it is returned.
+ + @return Returns the targets. ++ SEQUENCE OF Targets ++ +
+ According to RFC 3281 only one targets element must be produced. If + multiple targets are given in the constructor they are merged into one + targets element. If this was produced from a + {@link Org.BouncyCastle.Asn1.Asn1Sequence} the encoding is kept.
+ + @return an Asn1Object +
+ Targets ::= SEQUENCE OF Target
+
+ Target ::= CHOICE {
+ targetName [0] GeneralName,
+ targetGroup [1] GeneralName,
+ targetCert [2] TargetCert
+ }
+
+ TargetCert ::= SEQUENCE {
+ targetCertificate IssuerSerial,
+ targetName GeneralName OPTIONAL,
+ certDigestInfo ObjectDigestInfo OPTIONAL
+ }
+
+
+ @see org.bouncycastle.asn1.x509.Target
+ @see org.bouncycastle.asn1.x509.TargetInformation
+
+ obj can be a Targets or a {@link Asn1Sequence}
+ The ArrayList is copied.
+ + @param targets AnArrayList of {@link Target}s.
+ @see Target
+ @throws ArgumentException if the ArrayList contains not only Targets.
+ ArrayList.
+ + The ArrayList is cloned before it is returned.
+ + @return Returns the targets. ++ Targets ::= SEQUENCE OF Target ++ + @return an Asn1Object +
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ UserNotice class, used in
+ CertificatePolicies X509 extensions (in policy
+ qualifiers).
+
+ UserNotice ::= Sequence {
+ noticeRef NoticeReference OPTIONAL,
+ explicitText DisplayText OPTIONAL}
+
+
+
+ @see PolicyQualifierId
+ @see PolicyInformation
+ UserNotice instance.
+
+ @param noticeRef a NoticeReference value
+ @param explicitText a DisplayText value
+ UserNotice instance.
+
+ @param noticeRef a NoticeReference value
+ @param str the explicitText field as a string.
+ UserNotice instance.
+ Useful from reconstructing a UserNotice instance
+ from its encodable/encoded form.
+
+ @param as an ASN1Sequence value obtained from either
+ calling @{link toASN1Object()} for a UserNotice
+ instance or from parsing it from a DER-encoded stream.
+ TbsCertificate ::= Sequence {
+ version [ 0 ] Version DEFAULT v1(0),
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ }
+
+
+
+ AttributeCertificateInfo ::= Sequence {
+ version AttCertVersion -- version is v2,
+ holder Holder,
+ issuer AttCertIssuer,
+ signature AlgorithmIdentifier,
+ serialNumber CertificateSerialNumber,
+ attrCertValidityPeriod AttCertValidityPeriod,
+ attributes Sequence OF Attr,
+ issuerUniqueID UniqueIdentifier OPTIONAL,
+ extensions Extensions OPTIONAL
+ }
+
+
+
+ V2Form ::= Sequence {
+ issuerName GeneralNames OPTIONAL,
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ objectDigestInfo [1] ObjectDigestInfo OPTIONAL
+ -- issuerName MUST be present in this profile
+ -- baseCertificateID and objectDigestInfo MUST NOT
+ -- be present in this profile
+ }
+
+
+ TbsCertList ::= Sequence {
+ version Version OPTIONAL,
+ -- if present, shall be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates Sequence OF Sequence {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+ crlExtensions [0] EXPLICIT Extensions OPTIONAL
+ -- if present, shall be v2
+ }
+
+
+ Note: This class may be subject to change
+
+ TbsCertificate ::= Sequence {
+ version [ 0 ] Version DEFAULT v1(0),
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueID [ 1 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ subjectUniqueID [ 2 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ extensions [ 3 ] Extensions OPTIONAL
+ }
+
+
+
+ Certificate ::= Sequence {
+ tbsCertificate TbsCertificate,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING
+ }
+
+ + it's is assumed the table contains Oid/string pairs.
++ It's is assumed the table contains Oid/string pairs.
++ it's is assumed the table contains Oid/string pairs.
++ It's is assumed the table contains Oid/string pairs.
+
+ Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+ Extension ::= SEQUENCE {
+ extnId EXTENSION.&id ({ExtensionSet}),
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING }
+
+
+ RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+ RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
+
+ AttributeTypeAndValue ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ value ANY }
+
+ Note: if you're trying to be ultra orthodox, don't use this! It shouldn't be in here.
++ it's is assumed the table contains OID/string pairs, and the contents + of the table are copied into an internal table as part of the + construction process. The ordering ArrayList should contain the OIDs + in the order they are meant to be encoded or printed in ToString.
++ it's is assumed the table contains OID/string pairs, and the contents + of the table are copied into an internal table as part of the + construction process. The ordering ArrayList should contain the OIDs + in the order they are meant to be encoded or printed in ToString.
++ The passed in converter will be used to convert the strings into their + ASN.1 counterparts.
++ The passed in converter will be used to convert the strings into their + ASN.1 counterparts.
++ * An example of an encoder look like below: + *
+ * public class X509DirEntryConverter
+ * : X509NameEntryConverter
+ * {
+ * public Asn1Object GetConvertedValue(
+ * DerObjectIdentifier oid,
+ * string value)
+ * {
+ * if (str.Length() != 0 && str.charAt(0) == '#')
+ * {
+ * return ConvertHexEncoded(str, 1);
+ * }
+ * if (oid.Equals(EmailAddress))
+ * {
+ * return new DerIA5String(str);
+ * }
+ * else if (CanBePrintable(str))
+ * {
+ * return new DerPrintableString(str);
+ * }
+ * else if (CanBeUTF8(str))
+ * {
+ * return new DerUtf8String(str);
+ * }
+ * else
+ * {
+ * return new DerBmpString(str);
+ * }
+ * }
+ * }
+ *
+ *
+
+ BiometricData ::= SEQUENCE {
+ typeOfBiometricData TypeOfBiometricData,
+ hashAlgorithm AlgorithmIdentifier,
+ biometricDataHash OCTET STRING,
+ sourceDataUri IA5String OPTIONAL }
+
+
+ Iso4217CurrencyCode ::= CHOICE {
+ alphabetic PrintableString (SIZE 3), --Recommended
+ numeric INTEGER (1..999) }
+ -- Alphabetic or numeric currency code as defined in ISO 4217
+ -- It is recommended that the Alphabetic form is used
+
+
+ MonetaryValue ::= SEQUENCE {
+ currency Iso4217CurrencyCode,
+ amount INTEGER,
+ exponent INTEGER }
+ -- value = amount * 10^exponent
+
+
+ QCStatement ::= SEQUENCE {
+ statementId OBJECT IDENTIFIER,
+ statementInfo ANY DEFINED BY statementId OPTIONAL}
+
+
+ SemanticsInformation ::= SEQUENCE {
+ semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
+ nameRegistrationAuthorities NameRegistrationAuthorities
+ OPTIONAL }
+ (WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
+ WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
+
+ NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF
+ GeneralName
+
+
+ TypeOfBiometricData ::= CHOICE {
+ predefinedBiometricType PredefinedBiometricType,
+ biometricDataOid OBJECT IDENTIFIER }
+
+ PredefinedBiometricType ::= INTEGER {
+ picture(0),handwritten-signature(1)}
+ (picture|handwritten-signature)
+
+
+ NameOrPseudonym ::= CHOICE {
+ surAndGivenName SEQUENCE {
+ surName DirectoryString,
+ givenName SEQUENCE OF DirectoryString
+ },
+ pseudonym DirectoryString
+ }
+
+
+ @see org.bouncycastle.asn1.x509.sigi.PersonalData
+
+
+ NameOrPseudonym ::= CHOICE {
+ surAndGivenName SEQUENCE {
+ surName DirectoryString,
+ givenName SEQUENCE OF DirectoryString
+ },
+ pseudonym DirectoryString
+ }
+
+ @param pseudonym pseudonym value to use.
+
+ NameOrPseudonym ::= CHOICE {
+ surAndGivenName SEQUENCE {
+ surName DirectoryString,
+ givenName SEQUENCE OF DirectoryString
+ },
+ pseudonym DirectoryString
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ NameOrPseudonym ::= CHOICE {
+ surAndGivenName SEQUENCE {
+ surName DirectoryString,
+ givenName SEQUENCE OF DirectoryString
+ },
+ pseudonym DirectoryString
+ }
+
+
+ @return an Asn1Object
+
+ PersonalData ::= SEQUENCE {
+ nameOrPseudonym NameOrPseudonym,
+ nameDistinguisher [0] INTEGER OPTIONAL,
+ dateOfBirth [1] GeneralizedTime OPTIONAL,
+ placeOfBirth [2] DirectoryString OPTIONAL,
+ gender [3] PrintableString OPTIONAL,
+ postalAddress [4] DirectoryString OPTIONAL
+ }
+
+
+ @see org.bouncycastle.asn1.x509.sigi.NameOrPseudonym
+ @see org.bouncycastle.asn1.x509.sigi.SigIObjectIdentifiers
+
+ PersonalData ::= SEQUENCE {
+ nameOrPseudonym NameOrPseudonym,
+ nameDistinguisher [0] INTEGER OPTIONAL,
+ dateOfBirth [1] GeneralizedTime OPTIONAL,
+ placeOfBirth [2] DirectoryString OPTIONAL,
+ gender [3] PrintableString OPTIONAL,
+ postalAddress [4] DirectoryString OPTIONAL
+ }
+
+
+ @param seq The ASN.1 sequence.
+
+ PersonalData ::= SEQUENCE {
+ nameOrPseudonym NameOrPseudonym,
+ nameDistinguisher [0] INTEGER OPTIONAL,
+ dateOfBirth [1] GeneralizedTime OPTIONAL,
+ placeOfBirth [2] DirectoryString OPTIONAL,
+ gender [3] PrintableString OPTIONAL,
+ postalAddress [4] DirectoryString OPTIONAL
+ }
+
+
+ @return an Asn1Object
+
+ KeySpecificInfo ::= Sequence {
+ algorithm OBJECT IDENTIFIER,
+ counter OCTET STRING SIZE (4..4)
+ }
+
+
+ OtherInfo ::= Sequence {
+ keyInfo KeySpecificInfo,
+ partyAInfo [0] OCTET STRING OPTIONAL,
+ suppPubInfo [2] OCTET STRING
+ }
+
+
+ Parameters ::= CHOICE {
+ ecParameters ECParameters,
+ namedCurve CURVES.&id({CurveNames}),
+ implicitlyCA Null
+ }
+
+
+ Curve ::= Sequence {
+ a FieldElement,
+ b FieldElement,
+ seed BIT STRING OPTIONAL
+ }
+
+
+ ECParameters ::= Sequence {
+ version Integer { ecpVer1(1) } (ecpVer1),
+ fieldID FieldID {{FieldTypes}},
+ curve X9Curve,
+ base X9ECPoint,
+ order Integer,
+ cofactor Integer OPTIONAL
+ }
+
+ + ECPoint ::= OCTET STRING ++
+ Octet string produced using ECPoint.GetEncoded().
++ FieldElement ::= OCTET STRING ++
+
F2.
+ @param primeP The prime p defining the prime field.
+ F2m.
+ @param m The exponent m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk1 + 1
+ represents the reduction polynomial f(z).
+ F2m.
+ @param m The exponent m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k2 The integer k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k3 The integer k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z)..
+
+ FieldID ::= Sequence {
+ fieldType FIELD-ID.&id({IOSet}),
+ parameters FIELD-ID.&Type({IOSet}{@fieldType})
+ }
+
+ + Return an output stream which will save the data being written to + the compressed object. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Return an output stream which will compress the data as it is written to it. + The stream will be written out in chunks according to the size of the passed in buffer. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Note: if the buffer is not a power of 2 in length only the largest power of 2 + bytes worth of the buffer will be used. +
++ Note: using this may break compatibility with RFC 1991 compliant tools. + Only recent OpenPGP implementations are capable of accepting these streams. +
++ If buffer is non null stream assumed to be partial, otherwise the length will be used + to output a fixed length packet. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Return an output stream which will encrypt the data as it is written to it. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Return an output stream which will encrypt the data as it is written to it. + The stream will be written out in chunks according to the size of the passed in buffer. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Note: if the buffer is not a power of 2 in length only the largest power of 2 + bytes worth of the buffer will be used. +
++ Close off the encrypted object - this is equivalent to calling Close() on the stream + returned by the Open() method. +
++ Note: This does not close the underlying output stream, only the stream on top of + it created by the Open() method. +
++ A word for the unwary, the KeyId for an OpenPGP public key is calculated from + a hash that includes the time of creation, if you pass a different date to the + constructor below with the same public private key pair the KeyIs will not be the + same as for previous generations of the key, so ideally you only want to do + this once. +
++ Open a literal data packet, returning a stream to store the data inside the packet. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Open a literal data packet, returning a stream to store the data inside the packet, + as an indefinite length stream. The stream is written out as a series of partial + packets with a chunk size determined by the size of the passed in buffer. +
+
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Note: if the buffer is not a power of 2 in length only the largest power of 2 + bytes worth of the buffer will be used.
+
+ Open a literal data packet for the passed in
+ The stream created can be closed off by either calling Close()
+ on the stream or Close() on the generator. Closing the returned
+ stream does not close off the Stream parameter
+ Note: if this class finds a PgpPublicKey or a PgpSecretKey it + will create a PgpPublicKeyRing, or a PgpSecretKeyRing for each + key found. If all you are trying to do is read a key ring file use + either PgpPublicKeyRingBundle or PgpSecretKeyRingBundle.
+
+ Often PGP keyring files consist of multiple master keys, if you are trying to process
+ or construct one of these you should use the
+ Often PGP keyring files consist of multiple master keys, if you are trying to process
+ or construct one of these you should use the
+ Note: this overrides the generation of a creation time when the signature + is generated.
++ Format documented here: + http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/keyformat.txt;h=42c4b1f06faf1bbe71ffadc2fee0fad6bec91a97;hb=refs/heads/master +
++ CMSAuthenticatedDataGenerator fact = new CMSAuthenticatedDataGenerator(); + + fact.addKeyTransRecipient(cert); + + CMSAuthenticatedData data = fact.generate(content, algorithm, "BC"); ++
+ Note: that because we are in a streaming mode only one recipient can be tried and it is important + that the methods on the parser are called in the appropriate order. +
++ Example of use - assuming the first recipient matches the private key we have. +
+ CMSAuthenticatedDataParser ad = new CMSAuthenticatedDataParser(inputStream);
+
+ RecipientInformationStore recipients = ad.getRecipientInfos();
+
+ Collection c = recipients.getRecipients();
+ Iterator it = c.iterator();
+
+ if (it.hasNext())
+ {
+ RecipientInformation recipient = (RecipientInformation)it.next();
+
+ CMSTypedStream recData = recipient.getContentStream(privateKey, "BC");
+
+ processDataStream(recData.getContentStream());
+
+ if (!Arrays.equals(ad.getMac(), recipient.getMac())
+ {
+ System.err.println("Data corrupted!!!!");
+ }
+ }
+
+ Note: this class does not introduce buffering - if you are processing large files you should create
+ the parser with:
+ + CMSAuthenticatedDataParser ep = new CMSAuthenticatedDataParser(new BufferedInputStream(inputStream, bufSize)); ++ where bufSize is a suitably large buffer size. + +
+ A simple example of usage. +
+ CMSAuthenticatedDataStreamGenerator edGen = new CMSAuthenticatedDataStreamGenerator(); + + edGen.addKeyTransRecipient(cert); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + OutputStream out = edGen.open( + bOut, CMSAuthenticatedDataGenerator.AES128_CBC, "BC");* + out.write(data); + + out.close(); ++ +
+ * A simple example of usage.
+ *+ *
+ * CMSCompressedDataGenerator fact = new CMSCompressedDataGenerator(); + * CMSCompressedData data = fact.Generate(content, algorithm); + *+ * +
+ CMSCompressedDataParser cp = new CMSCompressedDataParser(inputStream); + + process(cp.GetContent().GetContentStream()); ++ Note: this class does not introduce buffering - if you are processing large files you should create + the parser with: +
+ CMSCompressedDataParser ep = new CMSCompressedDataParser(new BufferedInputStream(inputStream, bufSize)); ++ where bufSize is a suitably large buffer size. +
+ A simple example of usage. +
++ CMSCompressedDataStreamGenerator gen = new CMSCompressedDataStreamGenerator(); + + Stream cOut = gen.Open(outputStream, CMSCompressedDataStreamGenerator.ZLIB); + + cOut.Write(data); + + cOut.Close(); ++
+ CmsEnvelopedDataGenerator fact = new CmsEnvelopedDataGenerator(); + + fact.AddKeyTransRecipient(cert); + + CmsEnvelopedData data = fact.Generate(content, algorithm); ++
+ Note: that because we are in a streaming mode only one recipient can be tried and it is important + that the methods on the parser are called in the appropriate order. +
++ Example of use - assuming the first recipient matches the private key we have. +
+ CmsEnvelopedDataParser ep = new CmsEnvelopedDataParser(inputStream);
+
+ RecipientInformationStore recipients = ep.GetRecipientInfos();
+
+ Collection c = recipients.getRecipients();
+ Iterator it = c.iterator();
+
+ if (it.hasNext())
+ {
+ RecipientInformation recipient = (RecipientInformation)it.next();
+
+ CMSTypedStream recData = recipient.getContentStream(privateKey);
+
+ processDataStream(recData.getContentStream());
+ }
+
+ Note: this class does not introduce buffering - if you are processing large files you should create
+ the parser with:
+ + CmsEnvelopedDataParser ep = new CmsEnvelopedDataParser(new BufferedInputStream(inputStream, bufSize)); ++ where bufSize is a suitably large buffer size. + +
+ A simple example of usage. +
+ CmsEnvelopedDataStreamGenerator edGen = new CmsEnvelopedDataStreamGenerator(); + + edGen.AddKeyTransRecipient(cert); + + MemoryStream bOut = new MemoryStream(); + + Stream out = edGen.Open( + bOut, CMSEnvelopedDataGenerator.AES128_CBC);* + out.Write(data); + + out.Close(); ++ +
+ CMSEnvelopedDataGenerator fact = new CMSEnvelopedDataGenerator(); + + fact.addKeyTransRecipient(cert); + + CMSEnvelopedData data = fact.generate(content, algorithm, "BC"); ++
+ IX509Store certs = s.GetCertificates();
+ SignerInformationStore signers = s.GetSignerInfos();
+
+ foreach (SignerInformation signer in signers.GetSigners())
+ {
+ ArrayList certList = new ArrayList(certs.GetMatches(signer.SignerID));
+ X509Certificate cert = (X509Certificate) certList[0];
+
+ if (signer.Verify(cert.GetPublicKey()))
+ {
+ verified++;
+ }
+ }
+
+ + * A simple example of usage. + * + *
+ * IX509Store certs... + * IX509Store crls... + * CmsSignedDataGenerator gen = new CmsSignedDataGenerator(); + * + * gen.AddSigner(privKey, cert, CmsSignedGenerator.DigestSha1); + * gen.AddCertificates(certs); + * gen.AddCrls(crls); + * + * CmsSignedData data = gen.Generate(content); + *+ * +
+ Note: that because we are in a streaming mode only one signer can be tried and it is important + that the methods on the parser are called in the appropriate order. +
++ A simple example of usage for an encapsulated signature. +
++ Two notes: first, in the example below the validity of + the certificate isn't verified, just the fact that one of the certs + matches the given signer, and, second, because we are in a streaming + mode the order of the operations is important. +
+
+ CmsSignedDataParser sp = new CmsSignedDataParser(encapSigData);
+
+ sp.GetSignedContent().Drain();
+
+ IX509Store certs = sp.GetCertificates();
+ SignerInformationStore signers = sp.GetSignerInfos();
+
+ foreach (SignerInformation signer in signers.GetSigners())
+ {
+ ArrayList certList = new ArrayList(certs.GetMatches(signer.SignerID));
+ X509Certificate cert = (X509Certificate) certList[0];
+
+ Console.WriteLine("verify returns: " + signer.Verify(cert));
+ }
+
+ Note also: this class does not introduce buffering - if you are processing large files you should create
+ the parser with:
+ + CmsSignedDataParser ep = new CmsSignedDataParser(new BufferedInputStream(encapSigData, bufSize)); ++ where bufSize is a suitably large buffer size. +
+ The output stream is returned unclosed. +
+ @param original the signed data stream to be used as a base. + @param signerInformationStore the new signer information store to use. + @param out the stream to Write the new signed data object to. + @return out. ++ The output stream is returned unclosed. +
+ @param original the signed data stream to be used as a base. + @param certsAndCrls the new certificates and CRLs to be used. + @param out the stream to Write the new signed data object to. + @return out. + @exception CmsException if there is an error processing the CertStore ++ A simple example of usage. +
+
+ IX509Store certs...
+ CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+
+ gen.AddSigner(privateKey, cert, CmsSignedDataStreamGenerator.DIGEST_SHA1);
+
+ gen.AddCertificates(certs);
+
+ Stream sigOut = gen.Open(bOut);
+
+ sigOut.Write(Encoding.UTF8.GetBytes("Hello World!"));
+
+ sigOut.Close();
+
+ + Note: in the case where the underlying cipher is either a CFB cipher or an + OFB one the last block may not be a multiple of the block size. +
++ NOTE: This algorithm is only included for backwards compatibility + with legacy applications, it's not secure, don't use it for anything new!
+Implementation of RipeMD256.
+Note: this algorithm offers the same level of security as RipeMD128.
+Implementation of RipeMD 320.
+Note: this algorithm offers the same level of security as RipeMD160.
++ block word digest + SHA-1 512 32 160 + SHA-224 512 32 224 + SHA-256 512 32 256 + SHA-384 1024 64 384 + SHA-512 1024 64 512 ++
+ block word digest + SHA-1 512 32 160 + SHA-256 512 32 256 + SHA-384 1024 64 384 + SHA-512 1024 64 512 ++
+ block word digest + SHA-1 512 32 160 + SHA-256 512 32 256 + SHA-384 1024 64 384 + SHA-512 1024 64 512 ++
+ block word digest + SHA-1 512 32 160 + SHA-256 512 32 256 + SHA-384 1024 64 384 + SHA-512 1024 64 512 ++
null to use no parameters.
+ null to use no parameters.
+ + Tnepres is based on Serpent which was designed by Ross Anderson, Eli Biham and Lars Knudsen as a + candidate algorithm for the NIST AES Quest. Unfortunately there was an endianness issue + with test vectors in the AES submission and the resulting confusion lead to the Tnepres cipher + as well, which is a byte swapped version of Serpent. +
++ For full details see The Serpent home page +
++ For further details see: http://csrc.nist.gov/encryption/aes/. + + This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at + http://fp.gladman.plus.com/cryptography_technology/rijndael/ + + There are three levels of tradeoff of speed vs memory + Because java has no preprocessor, they are written as three separate classes from which to choose + + The fastest uses 8Kbytes of static tables to precompute round calculations, 4 256 word tables for encryption + and 4 for decryption. + + The middle performance version uses only one 256 word table for each, for a total of 2Kbytes, + adding 12 rotate operations per round to compute the values contained in the other tables from + the contents of the first. + + The slowest version uses no static tables at all and computes the values in each round. +
++ This file contains the middle performance version with 2Kbytes of static tables for round precomputation. +
++ For further details see: http://csrc.nist.gov/encryption/aes/. + + This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at + http://fp.gladman.plus.com/cryptography_technology/rijndael/ + + There are three levels of tradeoff of speed vs memory + Because java has no preprocessor), they are written as three separate classes from which to choose + + The fastest uses 8Kbytes of static tables to precompute round calculations), 4 256 word tables for encryption + and 4 for decryption. + + The middle performance version uses only one 256 word table for each), for a total of 2Kbytes), + adding 12 rotate operations per round to compute the values contained in the other tables from + the contents of the first + + The slowest version uses no static tables at all and computes the values in each round +
++ This file contains the fast version with 8Kbytes of static tables for round precomputation +
++ For further details see: http://csrc.nist.gov/encryption/aes/. + + This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at + http://fp.gladman.plus.com/cryptography_technology/rijndael/ + + There are three levels of tradeoff of speed vs memory + Because java has no preprocessor, they are written as three separate classes from which to choose + + The fastest uses 8Kbytes of static tables to precompute round calculations, 4 256 word tables for encryption + and 4 for decryption. + + The middle performance version uses only one 256 word table for each, for a total of 2Kbytes, + adding 12 rotate operations per round to compute the values contained in the other tables from + the contents of the first + + The slowest version uses no static tables at all and computes the values + in each round. +
++ This file contains the slowest performance version with no static tables + for round precomputation, but it has the smallest foot print. +
++ * Note: + *
+ http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc128_p3.pdf +
+ It is a third phase candidate in the eStream contest, and is patent-free. + No attacks are known as of today (April 2007). See + + http://www.ecrypt.eu.org/stream/hcp3.html +
++ http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc256_p3.pdf +
+ Its brother, HC-128, is a third phase candidate in the eStream contest. + The algorithm is patent-free. No attacks are known as of today (April 2007). + See + + http://www.ecrypt.eu.org/stream/hcp3.html +
++ This implementation is based on the "HOWTO: INTERNATIONAL DATA ENCRYPTION ALGORITHM" + implementation summary by Fauzan Mirza (F.U.Mirza@sheffield.ac.uk). (baring 1 typo at the + end of the mulinv function!). +
++ It can be found at ftp://ftp.funet.fi/pub/crypt/cryptography/symmetric/idea/ +
++ Note 1: This algorithm is patented in the USA, Japan, and Europe including + at least Austria, France, Germany, Italy, Netherlands, Spain, Sweden, Switzerland + and the United Kingdom. Non-commercial use is free, however any commercial + products are liable for royalties. Please see + www.mediacrypt.com for + further details. This announcement has been included at the request of + the patent holders. +
++ Note 2: Due to the requests concerning the above, this algorithm is now only + included in the extended assembly. It is not included in the default distributions. +
++ i.e. x * MulInv(x) == 1 (modulo BASE) +
++ i.e. x + AddInv(x) == 0 +
+RC5 Encryption Algorithm
+ publication in RSA CryptoBytes, Spring of 1995.
+ http://www.rsasecurity.com/rsalabs/cryptobytes.
+ + This implementation has a word size of 32 bits.
+RC5 Encryption Algorithm
+ publication in RSA CryptoBytes, Spring of 1995.
+ http://www.rsasecurity.com/rsalabs/cryptobytes.
+ + This implementation is set to work with a 64 bit word size.
++ Note: this implementation is based on information prior to readonly NIST publication. +
++ * Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen as a + * candidate algorithm for the NIST AES Quest. + *
+ *+ * For full details see The Serpent home page + *
+null to use the current key.
+ the 2 word (128 bit) tweak, or null to use the current tweak.
+ + *
+ * G(x) = x^4 + (a+1/a)x^3 + ax^2 + (a+1/a)x + 1 + *+ * where a = primitive root of field generator 0x14D + * +
+ doFinal leaves the MAC in the same state it was after the last init. +
+ @param out the array the MAC is to be output to. + @param outOff the offset into the out buffer the output is to start at. + @exception DataLengthException if there isn't enough space in out. + @exception InvalidOperationException if the MAC is not initialised. ++ Minimum entropy requirement is the security strength requested. +
+ @param engine underlying block cipher to use to support DRBG + @param keySizeInBits size of the key to use with the block cipher. + @param securityStrength security strength required (in bits) + @param entropySource source of entropy to use for seeding/reseeding. + @param personalizationString personalization string to distinguish this DRBG (may be null). + @param nonce nonce to further distinguish this DRBG (may be null). ++ Minimum entropy requirement is the security strength requested. +
+ @param digest source digest to use for DRB stream. + @param securityStrength security strength required (in bits) + @param entropySource source of entropy to use for seeding/reseeding. + @param personalizationString personalization string to distinguish this DRBG (may be null). + @param nonce nonce to further distinguish this DRBG (may be null). ++ Minimum entropy requirement is the security strength requested. +
+ @param hMac Hash MAC to base the DRBG on. + @param securityStrength security strength required (in bits) + @param entropySource source of entropy to use for seeding/reseeding. + @param personalizationString personalization string to distinguish this DRBG (may be null). + @param nonce nonce to further distinguish this DRBG (may be null). ++ Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if + the default SecureRandom does for its generateSeed() call. +
++ Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if + the passed in SecureRandom does for its generateSeed() call. +
+ @param entropySource + @param predictionResistant ++ Note: If this constructor is used any calls to setSeed() in the resulting SecureRandom will be ignored. +
+ @param entropySourceProvider a provider of EntropySource objects. ++ Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if + the default SecureRandom does for its generateSeed() call. +
++ Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if + the passed in SecureRandom does for its generateSeed() call. +
+ @param entropySource + @param predictionResistant ++ Note: If this constructor is used any calls to setSeed() in the resulting SecureRandom will be ignored. +
+ @param entropySourceProvider a provider of EntropySource objects. ++ Internal access to the digest is synchronized so a single one of these can be shared. +
++ Access to internals is synchronized so a single one of these can be shared. +
++ Based on an idea from Marcus Lippert. +
++ If fast is set to true, the code should be round about 8 times faster when + generating a long sequence of random bytes. 20 bytes of random values using + the fast mode take less than half a second on a Nokia e70. If fast is set to false, + it takes round about 2500 ms. +
+ @param numBytes the number of bytes to generate + @param fast true if fast mode should be used +
+ // First 1850 fractional digit of Pi number.
+ byte[] key = new BigInteger("14159265358979323846...5068006422512520511").ToByteArray();
+ s = 0;
+ P = new byte[256];
+ for (int i = 0; i < 256; i++)
+ {
+ P[i] = (byte) i;
+ }
+ for (int m = 0; m < 768; m++)
+ {
+ s = P[(s + P[m & 0xff] + key[m % key.length]) & 0xff];
+ byte temp = P[m & 0xff];
+ P[m & 0xff] = P[s & 0xff];
+ P[s & 0xff] = temp;
+ }
+ + note: This uses MTI/A0 key agreement in order to make the key agreement + secure against passive attacks. If you're doing Diffie-Hellman and both + parties have long term public keys you should look at using this. For + further information have a look at RFC 2631.
++ It's possible to extend this to more than two parties as well, for the moment + that is left as an exercise for the reader.
++ note: This is only the basic algorithm, it doesn't take advantage of + long term public keys if they are available. See the DHAgreement class + for a "better" implementation.
++ Note: As stated P1363 compatibility mode with ECDH can be preset, and + in this case the implementation doesn't have a ECDH compatibility mode + (if you want that just use ECDHBasicAgreement and note they both implement + BasicAgreement!).
++ The static property is checked during construction of the encoding object, it is set to + true by default. +
++ Note: can take a while...
++ This Generates keys consistent for use with ElGamal as described in + page 164 of "Handbook of Applied Cryptography".
++ * Note: can take a while... + *
++ The scheme is a simple extension of PKCS 5 V2.0 Scheme 1 using MD5 with an + iteration count of 1. +
++ The document this implementation is based on can be found at + + RSA's Pkcs12 Page +
++ The document this implementation is based on can be found at + + RSA's Pkcs5 Page +
++ The document this implementation is based on can be found at + + RSA's Pkcs5 Page
+k[0] ... k[15], r[0] ... r[15] with the required bits in r cleared
+ as per r (second 16 bytes) portion of the key.k[0] ... k[15], r[0] ... r[15]
+ k[0] ... k[15], r[0] ... r[15] with the required bits in r cleared
+ as per r portion of the key.+ CMAC is analogous to OMAC1 - see also en.wikipedia.org/wiki/CMAC +
+ CMAC is a NIST recomendation - see + csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38B.pdf +
+ CMAC/OMAC1 is a blockcipher-based message authentication code designed and + analyzed by Tetsu Iwata and Kaoru Kurosawa. +
+ CMAC/OMAC1 is a simple variant of the CBC MAC (Cipher Block Chaining Message + Authentication Code). OMAC stands for One-Key CBC MAC. +
+ It supports 128- or 64-bits block ciphers, with any key size, and returns + a MAC with dimension less or equal to the block size of the underlying + cipher. +
++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. + @param padding the padding to be used to complete the last block. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param cfbBitSize the size of an output block produced by the CFB mode. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param cfbBitSize the size of an output block produced by the CFB mode. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. + @param padding a padding to be used. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. ++ Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), + or 16 bits if being used as a data authenticator (FIPS Publication 113), + and in general should be less than the size of the block cipher as it reduces + the chance of an exhaustive attack (see Handbook of Applied Cryptography). +
+ @param cipher the cipher to be used as the basis of the MAC generation. + @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. + @param padding the padding to be used to complete the last block. +null to use no parameters.
+ + Note: this mode is a packet mode - it needs all the data up front. +
++License for + Open-Source Software Implementations of OCB (Jan 9, 2013) - 'License 1'
+ Under this license, you are authorized to make, use, and distribute open-source software + implementations of OCB. This license terminates for you if you sue someone over their open-source + software implementation of OCB claiming that you have a patent covering their implementation. ++ This is a non-binding summary of a legal document (the link above). The parameters of the license + are specified in the license document and that document is controlling.
+ * For further info see RFC 2440. + *
++ This padding pads the block out compliment of the last bit + of the plain text. +
++ Note: this assumes that the last block of plain text is always + passed to it inside in. i.e. if inOff is zero, indicating the + entire block is to be overwritten with padding the value of in + should be the same as the last block of plain text. +
++ See "Applied + Cryptography" by Bruce Schneier for more information. +
+ @return true if the given DES key material is weak or semi-weak, + false otherwise. +null if not
+ set.
+ null if not set.
+ null if not set.
+ null if not set.
+ null if
+ not set.
+ YYYYMMDD email@address distinguisher, encoded to a byte
+ sequence using UTF-8 encoding.
+ null to use the current key.null to use the current tweak.+ Note: the usual length for the salt is the length of the hash + function used in bytes.
++ Note: the usual value for the salt length is the number of + bytes in the hash function.
++ The message digest hash, H, is encapsulated to form a byte string as follows +
++ EB = 06 || PS || 0xBA || H || TRAILER ++ where PS is a string of bytes all of value 0xBB of length such that |EB|=|n|, and TRAILER is the ISO/IEC 10118 part number†for the digest. The byte string, EB, is converted to an integer value, the message representative, f. +
+ This file could be more optimized. +
+
+ opaque ASN.1Cert<2^24-1>;
+
+ struct {
+ ASN.1Cert certificate_list<0..2^24-1>;
+ } Certificate;
+
+
+ @see Org.BouncyCastle.Asn1.X509.X509CertificateStructure
+ true if this certificate chain contains no certificates, or
+ false otherwise.
+
+ struct {
+ ClientCertificateType certificate_types<1..2^8-1>;
+ DistinguishedName certificate_authorities<3..2^16-1>
+ } CertificateRequest;
+
+
+ @see ClientCertificateType
+ @see X509Name
+ true if the current time should be used in the gmt_unix_time field of
+ Random, or false if gmt_unix_time should contain a cryptographically
+ random value.
+ From Knuth Vol 2, pg 395.
+true if the candidate is found to have any small factors,
+ false otherwise.
+ false if any witness to compositeness is found amongst the chosen bases
+ (so candidate is definitely NOT prime), or else true
+ (indicating primality with some probability dependent on the number of iterations
+ that were performed).
+ false if the specified base is a witness to compositeness (so
+ candidate is definitely NOT prime), or else true.
+ kP.
+ PreCompInfo for a point on this curve, under a given name. Used by
+ ECMultipliers to save the precomputation for this ECPoint for use
+ by subsequent multiplication.
+
+ @param point
+ The ECPoint to store precomputations for.
+ @param name
+ A String used to index precomputations of different types.
+ @param preCompInfo
+ The values precomputed by the ECMultiplier.
+ ECMultiplier, unless already set.
+ Fp (X9.62 s 4.2.1 pg 17).
+ @return The decoded point.
+ s0 and
+ s1 used for partial modular reduction for
+ Koblitz curves.
+ z2 + z = beta(X9.62
+ D.1.6) The other solution is z + 1.
+
+ @param beta
+ The value to solve the qradratic equation for.
+ @return the solution for z2 + z = beta or
+ null if no solution exists.
+ s0 and
+ s1 used for partial modular reduction for
+ Koblitz curves.
+ y2 + xy = x3 + ax2 + b.
+ m of F2m.
+ k where xm +
+ xk + 1 represents the reduction polynomial
+ f(z).k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).0k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).0k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).m of
+ F2m.
+ @param k The integer k where xm +
+ xk + 1 represents the reduction
+ polynomial f(z).
+ @param a The coefficient a in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param b The coefficient b in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ m of
+ F2m.
+ @param k The integer k where xm +
+ xk + 1 represents the reduction
+ polynomial f(z).
+ @param a The coefficient a in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param b The coefficient b in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param order The order of the main subgroup of the elliptic curve.
+ @param cofactor The cofactor of the elliptic curve, i.e.
+ #Ea(F2m) = h * n.
+ m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k2 The integer k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k3 The integer k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param a The coefficient a in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param b The coefficient b in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k2 The integer k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k3 The integer k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param a The coefficient a in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param b The coefficient b in the Weierstrass equation
+ for non-supersingular elliptic curves over
+ F2m.
+ @param order The order of the main subgroup of the elliptic curve.
+ @param cofactor The cofactor of the elliptic curve, i.e.
+ #Ea(F2m) = h * n.
+ F2m in polynomial basis (PB)
+ representation. Both trinomial (Tpb) and pentanomial (Ppb) polynomial
+ basis representations are supported. Gaussian normal basis (GNB)
+ representation is not supported.
+ m of F2m.
+ LongArray holding the bits.
+ m of
+ F2m.
+ @param k1 The integer k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k2 The integer k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param k3 The integer k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).
+ @param x The BigInteger representing the value of the field element.
+ m of
+ F2m.
+ @param k The integer k where xm +
+ xk + 1 represents the reduction
+ polynomial f(z).
+ @param x The BigInteger representing the value of the field element.
+ a and b
+ are elements of the same field F2m
+ (having the same representation).
+ @param a field element.
+ @param b field element to be compared.
+ @throws ArgumentException if a and b
+ are not elements of the same field
+ F2m (having the same
+ representation).
+ F2m, either of
+ {@link F2mFieldElement.Tpb} (trinomial
+ basis representation) or
+ {@link F2mFieldElement.Ppb} (pentanomial
+ basis representation).
+ m of the reduction polynomial
+ f(z).
+ k where xm +
+ xk + 1 represents the reduction polynomial
+ f(z).k1 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).0k2 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).0k3 where xm +
+ xk3 + xk2 + xk1 + 1
+ represents the reduction polynomial f(z).ECPoint by the given number.
+ @param k The multiplicator.
+ @return k * this.
+ SimpleBigDecimal is basically a
+ {@link java.math.BigInteger BigInteger} with a few digits on the right of
+ the decimal point. The number of (binary) digits on the right of the decimal
+ point is called the scale of the SimpleBigDecimal.
+ Unlike in {@link java.math.BigDecimal BigDecimal}, the scale is not adjusted
+ automatically, but must be set manually. All SimpleBigDecimals
+ taking part in the same arithmetic operation must have equal scale. The
+ result of a multiplication of two SimpleBigDecimals returns a
+ SimpleBigDecimal with double scale.
+ SimpleBigDecimal representing the same numerical
+ value as value.
+ @param value The value of the SimpleBigDecimal to be
+ created.
+ @param scale The scale of the SimpleBigDecimal to be
+ created.
+ @return The such created SimpleBigDecimal.
+ SimpleBigDecimal. The value of the
+ constructed SimpleBigDecimal Equals bigInt /
+ 2scale.
+ @param bigInt The bigInt value parameter.
+ @param scale The scale of the constructed SimpleBigDecimal.
+ αu's must be computed differently, see
+ e.g. "Guide to Elliptic Curve Cryptography", Darrel Hankerson,
+ Alfred Menezes, Scott Vanstone, Springer-Verlag New York Inc., 2004,
+ p. 121-122
+ αu's for a=0 as an array
+ of ZTauElements.
+ αu's for a=0 as an array
+ of TNAFs.
+ αu's for a=1 as an array
+ of ZTauElements.
+ αu's for a=1 as an array
+ of TNAFs.
+ λ of
+ Z[τ].
+ @param mu The parameter μ of the elliptic curve.
+ @param lambda The element λ of
+ Z[τ].
+ @return The norm of λ.
+ λ of
+ R[τ], where λ = u + vτ
+ and u and u are real numbers (elements of
+ R).
+ @param mu The parameter μ of the elliptic curve.
+ @param u The real part of the element λ of
+ R[τ].
+ @param v The τ-adic part of the element
+ λ of R[τ].
+ @return The norm of λ.
+ λ of R[τ]
+ to an element of Z[τ], such that their difference
+ has minimal norm. λ is given as
+ λ = λ0 + λ1τ.
+ @param lambda0 The component λ0.
+ @param lambda1 The component λ1.
+ @param mu The parameter μ of the elliptic curve. Must
+ equal 1 or -1.
+ @return The rounded element of Z[τ].
+ @throws ArgumentException if lambda0 and
+ lambda1 do not have same scale.
+ n. For an integer
+ k, the value λ = s k / n is
+ computed to c bits of accuracy.
+ @param k The parameter k.
+ @param s The curve parameter s0 or
+ s1.
+ @param vm The Lucas Sequence element Vm.
+ @param a The parameter a of the elliptic curve.
+ @param m The bit length of the finite field
+ Fm.
+ @param c The number of bits of accuracy, i.e. the scale of the returned
+ SimpleBigDecimal.
+ @return The value λ = s k / n computed to
+ c bits of accuracy.
+ τ-adic NAF (non-adjacent form) of an
+ element λ of Z[τ].
+ @param mu The parameter μ of the elliptic curve.
+ @param lambda The element λ of
+ Z[τ].
+ @return The τ-adic NAF of λ.
+ τ() to an
+ AbstractF2mPoint.
+ @param p The AbstractF2mPoint to which τ() is applied.
+ @return τ(p)
+ μ of the elliptic curve.
+ @param curve The elliptic curve from which to obtain μ.
+ The curve must be a Koblitz curve, i.e. a Equals
+ 0 or 1 and b Equals
+ 1.
+ @return μ of the elliptic curve.
+ @throws ArgumentException if the given ECCurve is not a Koblitz
+ curve.
+ Uk-1 and
+ Uk or Vk-1 and
+ Vk.
+ @param mu The parameter μ of the elliptic curve.
+ @param k The index of the second element of the Lucas Sequence to be
+ returned.
+ @param doV If set to true, computes Vk-1 and
+ Vk, otherwise Uk-1 and
+ Uk.
+ @return An array with 2 elements, containing Uk-1
+ and Uk or Vk-1
+ and Vk.
+ tw. If the width is
+ 4, then for mu = 1, tw = 6 and for
+ mu = -1, tw = 10
+ @param mu The parameter μ of the elliptic curve.
+ @param w The window width of the WTNAF.
+ @return the auxiliary value tw
+ s0 and
+ s1 used for partial modular reduction.
+ @param curve The elliptic curve for which to compute
+ s0 and s1.
+ @throws ArgumentException if curve is not a
+ Koblitz curve (Anomalous Binary Curve, ABC).
+ (τm - 1)/(τ - 1).
+ @param k The integer to be reduced.
+ @param m The bitlength of the underlying finite field.
+ @param a The parameter a of the elliptic curve.
+ @param s The auxiliary values s0 and
+ s1.
+ @param mu The parameter μ of the elliptic curve.
+ @param c The precision (number of bits of accuracy) of the partial
+ modular reduction.
+ @return ρ := k partmod (τm - 1)/(τ - 1)
+ BigInteger using the reduced τ-adic
+ NAF (RTNAF) method.
+ @param p The AbstractF2mPoint to Multiply.
+ @param k The BigInteger by which to Multiply p.
+ @return k * p
+ λ of Z[τ]
+ using the τ-adic NAF (TNAF) method.
+ @param p The AbstractF2mPoint to Multiply.
+ @param lambda The element λ of
+ Z[τ].
+ @return λ * p
+ λ of Z[τ]
+ using the τ-adic NAF (TNAF) method, given the TNAF
+ of λ.
+ @param p The AbstractF2mPoint to Multiply.
+ @param u The the TNAF of λ..
+ @return λ * p
+ [τ]-adic window NAF of an element
+ λ of Z[τ].
+ @param mu The parameter μ of the elliptic curve.
+ @param lambda The element λ of
+ Z[τ] of which to compute the
+ [τ]-adic NAF.
+ @param width The window width of the resulting WNAF.
+ @param pow2w 2width.
+ @param tw The auxiliary value tw.
+ @param alpha The αu's for the window width.
+ @return The [τ]-adic window NAF of
+ λ.
+ ECPoint for which to do the precomputation.
+ @param a The parameter a of the elliptic curve.
+ @return The precomputation array for p.
+ Z[τ]. Let
+ λ be an element of Z[τ]. Then
+ λ is given as λ = u + vτ. The
+ components u and v may be used directly, there
+ are no accessor methods.
+ Immutable class.
+ λ.
+ τ-adic" part of λ.
+ λ of
+ Z[τ].
+ @param u The "real" part of λ.
+ @param v The "τ-adic" part of
+ λ.
+ ECPoints.
+ ECPoint p by k, i.e.
+ p is added k times to itself.
+ @param p The ECPoint to be multiplied.
+ @param k The factor by which p is multiplied.
+ @return p multiplied by k.
+ ECPoints used for a fixed
+ point multiplication.
+ WNafMultiplier.
+ this by an integer k using the
+ Window NAF method.
+ @param k The integer by which this is multiplied.
+ @return A new ECPoint which equals this
+ multiplied by k.
+ ECPoints used for a Window
+ NAF multiplication.
+ ECPoints used
+ for a Window NAF multiplication.
+ ECPoint representing Twice(this). Used for the
+ Window NAF multiplication to create or extend the precomputed values.
+ w of the Window NAF. The width is
+ defined as the minimal number w, such that for any
+ w consecutive digits in the resulting representation, at
+ most one is non-zero.
+ @param k The integer of which the Window NAF is computed.
+ @return The Window NAF of the given width, such that the following holds:
+ k = ∑i=0l-1 ki2i
+ , where the ki denote the elements of the
+ returned byte[].
+ τ-adic Non-Adjacent Form) algorithm.
+ k using the reduced τ-adic NAF (RTNAF)
+ method.
+ @param p The AbstractF2mPoint to multiply.
+ @param k The integer by which to multiply k.
+ @return p multiplied by k.
+ λ of Z[τ] using
+ the τ-adic NAF (TNAF) method.
+ @param p The AbstractF2mPoint to multiply.
+ @param lambda The element λ of
+ Z[τ] of which to compute the
+ [τ]-adic NAF.
+ @return p multiplied by λ.
+ λ of Z[τ]
+ using the window τ-adic NAF (TNAF) method, given the
+ WTNAF of λ.
+ @param p The AbstractF2mPoint to multiply.
+ @param u The the WTNAF of λ..
+ @return λ * p
+ τ-adic Non-Adjacent Form) algorithm.
+ AbstractF2mPoints used for the
+ WTNAF multiplication in
+ {@link org.bouncycastle.math.ec.multiplier.WTauNafMultiplier.multiply()
+ WTauNafMultiplier.multiply()}.
+
+ BasicOcspResponse ::= SEQUENCE {
+ tbsResponseData ResponseData,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
+ }
+
+
+ OcspRequest ::= SEQUENCE {
+ tbsRequest TBSRequest,
+ optionalSignature [0] EXPLICIT Signature OPTIONAL }
+
+ TBSRequest ::= SEQUENCE {
+ version [0] EXPLICIT Version DEFAULT v1,
+ requestorName [1] EXPLICIT GeneralName OPTIONAL,
+ requestList SEQUENCE OF Request,
+ requestExtensions [2] EXPLICIT Extensions OPTIONAL }
+
+ Signature ::= SEQUENCE {
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL}
+
+ Version ::= INTEGER { v1(0) }
+
+ Request ::= SEQUENCE {
+ reqCert CertID,
+ singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
+
+ CertID ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+ issuerKeyHash OCTET STRING, -- Hash of Issuers public key
+ serialNumber CertificateSerialNumber }
+
+ + In the case of PKCS7 objects the reader will return a CMS ContentInfo object. Keys and + Certificates will be returned using the appropriate java.security type.
+
+ CertificationRequest ::= Sequence {
+ certificationRequestInfo CertificationRequestInfo,
+ signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
+ signature BIT STRING
+ }
+
+ CertificationRequestInfo ::= Sequence {
+ version Integer { v1(0) } (v1,...),
+ subject Name,
+ subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+ attributes [0] Attributes{{ CRIAttributes }}
+ }
+
+ Attributes { ATTRIBUTE:IOSet } ::= Set OF Attr{{ IOSet }}
+
+ Attr { ATTRIBUTE:IOSet } ::= Sequence {
+ type ATTRIBUTE.&id({IOSet}),
+ values Set SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{\@type})
+ }
+
+ see
+
+ CertificationRequest ::= Sequence {
+ certificationRequestInfo CertificationRequestInfo,
+ signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
+ signature BIT STRING
+ }
+
+ CertificationRequestInfo ::= Sequence {
+ version Integer { v1(0) } (v1,...),
+ subject Name,
+ subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+ attributes [0] Attributes{{ CRIAttributes }}
+ }
+
+ Attributes { ATTRIBUTE:IOSet } ::= Set OF Attr{{ IOSet }}
+
+ Attr { ATTRIBUTE:IOSet } ::= Sequence {
+ type ATTRIBUTE.&id({IOSet}),
+ values Set SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{\@type})
+ }
+
+ see
+ Set of X.509 attribute certificate
+ extensions that this PkixAttrCertChecker supports or
+ null if no extensions are supported.
+
+ Each element of the set is a String representing the
+ Object Identifier (OID) of the X.509 extension that is supported.
+
+ All X.509 attribute certificate extensions that a
+ PkixAttrCertChecker might possibly be able to process
+ should be included in the set.
+
Set of X.509 extension OIDs (in
+ String format) supported by this
+ PkixAttrCertChecker, or null if no
+ extensions are supported
+ unresolvedCritExts
+ collection.
+
+ @param attrCert The attribute certificate to be checked.
+ @param certPath The certificate path which belongs to the attribute
+ certificate issuer public key certificate.
+ @param holderCertPath The certificate path which belongs to the holder
+ certificate.
+ @param unresolvedCritExts a Collection of OID strings
+ representing the current set of unresolved critical extensions
+ @throws CertPathValidatorException if the specified attribute certificate
+ does not pass the check.
+ PkixAttrCertChecker
+
+ params must be an instance of
+ ExtendedPkixParameters.
+
+ The target constraints in the params must be an
+ X509AttrCertStoreSelector with at least the attribute
+ certificate criterion set. Obey that also target informations may be
+ necessary to correctly validate this attribute certificate.
+
+ The attribute certificate issuer must be added to the trusted attribute + issuers with {@link ExtendedPkixParameters#setTrustedACIssuers(Set)}. +
+ @param certPath The certificate path which belongs to the attribute + certificate issuer public key certificate. + @param params The PKIX parameters. + @return APKIXCertPathValidatorResult of the result of
+ validating the certPath.
+ @throws InvalidAlgorithmParameterException if params is
+ inappropriate for this validator.
+ @throws CertPathValidatorException if the verification fails.
+ PkixBuilderParameters.
+
+ This method can be used to get a copy from other
+ PKIXBuilderParameters, PKIXParameters,
+ and ExtendedPKIXParameters instances.
+
PkixBuilderParameters instance.
+ ISet is null an
+ empty set is assumed.
+ ExtendedPKIXBuilderParameters and
+ PKIXBuilderParameters.
+
+ @param params Parameters to set.
+ @see org.bouncycastle.x509.ExtendedPKIXParameters#setParams(java.security.cert.PKIXParameters)
+ PKIXParameters object. Changes to the
+ copy will not affect the original and vice versa.
+
+ @return a copy of this PKIXParameters object
+ PKIXCertPathChecker.
+ *
+ * The forward flag specifies the order that certificates
+ * will be passed to the {@link #check check} method (forward or reverse). A
+ * PKIXCertPathChecker must support reverse checking
+ * and may support forward checking.
+ *
check method. If true,
+ * certificates are presented from target to most-trusted CA
+ * (forward); if false, from most-trusted CA to
+ * target (reverse).
+ * @exception CertPathValidatorException
+ * if this PKIXCertPathChecker is unable to
+ * check certificates in the specified order; it should never
+ * be thrown if the forward flag is false since reverse
+ * checking must be supported
+ PKIXCertPathChecker to perform its
+ checks when certificates are presented to the check method
+ in the forward direction (from target to most-trusted CA).
+
+ @return true if forward checking is supported,
+ false otherwise
+ Set of X.509 certificate extensions
+ * that this PKIXCertPathChecker supports (i.e. recognizes,
+ * is able to process), or null if no extensions are
+ * supported.
+ *
+ * Each element of the set is a String representing the
+ * Object Identifier (OID) of the X.509 extension that is supported. The OID
+ * is represented by a set of nonnegative integers separated by periods.
+ *
+ * All X.509 certificate extensions that a PKIXCertPathChecker
+ * might possibly be able to process should be included in the set.
+ *
Set of X.509 extension OIDs (in
+ * String format) supported by this
+ * PKIXCertPathChecker, or null if no
+ * extensions are supported
+ init method.
+
+ @param cert
+ the Certificate to be checked
+ @param unresolvedCritExts
+ a Collection of OID strings representing the
+ current set of unresolved critical extensions
+ @exception CertPathValidatorException
+ if the specified certificate does not pass the check
+ Object.clone()
+ method. All subclasses which maintain state must support and override
+ this method, if necessary.
+
+ @return a copy of this PKIXCertPathChecker
+ CertPathValidator implementations must include a class (the
+ SPI class) that extends this class (CertPathValidatorSpi)
+ and implements all of its methods. In general, instances of this class
+ should only be accessed through the CertPathValidator class.
+ For details, see the Java Cryptography Architecture.CertPathValidatorSpi instance concurrently should synchronize
+ amongst themselves and provide the necessary locking before calling the
+ wrapping CertPathValidator object.CertPathValidatorSpi may still
+ encounter concurrency issues, since multiple threads each
+ manipulating a different CertPathValidatorSpi instance need not
+ synchronize.
+ CertPathValidatorException provides support for wrapping
+ exceptions. The {@link #getCause getCause} method returns the throwable,
+ if any, that caused this exception to be thrown. CertPathValidatorException may also include the
+ certification path that was being validated when the exception was thrown
+ and the index of the certificate in the certification path that caused the
+ exception to be thrown. Use the {@link #getCertPath getCertPath} and
+ {@link #getIndex getIndex} methods to retrieve this information.PkixCertPathValidatorException with the given detail
+ message. A detail message is a String that describes this
+ particular exception.
+ PkixCertPathValidatorException with the specified
+ detail message and cause.
+ null
+ value is permitted, and indicates that the cause is
+ nonexistent or unknown.)
+ PkixCertPathValidatorException with the specified
+ detail message, cause, certification path, and index.
+ null if none)
+ the cause (or null if none)
+ the certification path that was in the process of being
+ validated when the error was encountered
+ the index of the certificate in the certification path that *
+ CertPathValidatorException.
+ null if neither the message nor cause were specifiedCertPath that was being validated when the
+ exception was thrown (or null if not specified)
+ CertPath is zero based. If no index has been set, -1 is
+ returned.
+
+ @return the index that has been set, or -1 if none has been set
+ TrustAnchor object if found or
+ null if not.
+ X500Principal.
+ This methods inherits DSA parameters from the indexed certificate or
+ previous certificates in the certificate chain to the returned
+ PublicKey. The list is searched upwards, meaning the end
+ certificate is at position 0 and previous certificates are following.
+
+ If the indexed certificate does not contain a DSA key this method simply + returns the public key. If the DSA key already contains DSA parameters + the key is also only returned. +
+ + @param certs The certification path. + @param index The index of the certificate which contains the public key + which should be extended with DSA parameters. + @return The public key of the certificate in list position +index extended with DSA parameters if applicable.
+ @throws Exception if DSA parameters cannot be inherited.
+ null.selector.
+
+ The issuerPrincipals are a collection with a single
+ X500Principal for X509Certificates. For
+ {@link X509AttributeCertificate}s the issuer may contain more than one
+ X500Principal.
+
issuerPrincipals does not
+ contain only X500Principals.
+ X509Certificate or
+ {@link org.bouncycastle.x509.X509AttributeCertificate} for
+ which the CRL should be searched.
+ @param currentDate The date for which the delta CRLs must be valid.
+ @param paramsPKIX The extended PKIX parameters.
+ @return A Set of X509CRLs with complete
+ CRLs.
+ @throws Exception if an exception occurs while picking the CRLs
+ or no CRLs are found.
+ Set of X509CRLs with delta CRLs.
+ @throws Exception if an exception occurs while picking the delta
+ CRLs.
+ Collection object containing the issuer
+ X509Certificates. Never null.
+
+ @exception Exception
+ if an error occurs.
+ null.
+ permitted with ip.
+
+ @param permitted A Set of permitted IP addresses with
+ their subnet mask as byte arrays.
+ @param ips The IP address with its subnet mask.
+ @return The Set of permitted IP ranges intersected with
+ ip.
+ excluded
+ with ip.
+
+ @param excluded A Set of excluded IP addresses with their
+ subnet mask as byte arrays.
+ @param ip The IP address with its subnet mask.
+ @return The Set of excluded IP ranges unified with
+ ip as byte arrays.
+ Set with the union of both addresses.
+ Set with the single IP address with its subnet
+ mask as a byte array or an empty Set.
+ ip is included in the permitted ISet
+ permitted.
+
+ @param permitted A Set of permitted IP addresses with
+ their subnet mask as byte arrays.
+ @param ip The IP address.
+ @throws PkixNameConstraintValidatorException
+ if the IP is not permitted.
+ ip is included in the excluded ISet
+ excluded.
+
+ @param excluded A Set of excluded IP addresses with their
+ subnet mask as byte arrays.
+ @param ip The IP address.
+ @throws PkixNameConstraintValidatorException
+ if the IP is excluded.
+ ip is constrained by
+ constraint.
+
+ @param ip The IP address.
+ @param constraint The constraint. This is an IP address concatenated with
+ its subnetmask.
+ @return true if constrained, false
+ otherwise.
+ email1 and email2 is
+ added to the union union. If email1 and
+ email2 have nothing in common they are added both.
+
+ @param email1 Email address constraint 1.
+ @param email2 Email address constraint 2.
+ @param union The union.
+ email1 and
+ email2 is added to the intersection intersect.
+
+ @param email1 Email address constraint 1.
+ @param email2 Email address constraint 2.
+ @param intersect The intersection.
+ name
+ name is
+ excluded.
+ ip1 with ip2. If ip1
+ is equal to ip2 0 is returned. If ip1 is bigger 1 is returned, -1
+ otherwise.
+
+ @param ip1 The first IP address.
+ @param ip2 The second IP address.
+ @return 0 if ip1 is equal to ip2, 1 if ip1 is bigger, -1 otherwise.
+ ip1 and
+ ip2.
+
+ @param ip1 The first IP address.
+ @param ip2 The second IP address.
+ @return The OR of ip1 and ip2.
+ (trustAnchors.isEmpty() == true)
+ @exception NullPointerException
+ if the specified Set is null
+ @exception ClassCastException
+ if any of the elements in the Set are not of type
+ java.security.cert.TrustAnchor
+ null, no constraints are defined.null)
+
+ @see #setTargetCertConstraints(CertSelector)
+ null)
+
+ @see #getTargetCertConstraints()
+ Set, which is
+ interpreted as meaning that any policy would be acceptable.
+
+ @return an immutable Set of initial policy OIDs in String
+ format, or an empty Set (implying any policy is
+ acceptable). Never returns null.
+
+ @see #setInitialPolicies(java.util.Set)
+ Set of initial policy identifiers (OID strings),
+ indicating that any one of these policies would be acceptable to the
+ certificate user for the purposes of certification path processing. By
+ default, any policy is acceptable (i.e. all policies), so a user that
+ wants to allow any policy as acceptable does not need to call this
+ method, or can call it with an empty Set (or
+ null).null)
+
+ @exception ClassCastException
+ if any of the elements in the set are not of type String
+
+ @see #getInitialPolicies()
+ List of additional certification path checkers. If
+ the specified List contains an object that is not a PKIXCertPathChecker,
+ it is ignored.PKIXCertPathChecker specified implements additional
+ checks on a certificate. Typically, these are checks to process and
+ verify private extensions contained in certificates. Each
+ PKIXCertPathChecker should be instantiated with any
+ initialization parameters needed to execute the check.CertPathValidator or CertPathBuilder. Each
+ of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX
+ CertPathValidator or CertPathBuilder for
+ each certificate processed or validated.CertPathValidator or CertPathBuilder
+ must perform all of the required PKIX checks on each certificate. The one
+ exception to this rule is if the RevocationEnabled flag is set to false
+ (see the {@link #setRevocationEnabled(boolean) setRevocationEnabled}
+ method).java.security.cert.PKIXCertPathChecker
+ @see #getCertPathCheckers()
+ null)
+
+ @see #setCertPathCheckers(java.util.List)
+ PKIXCertPathChecker to the list of certification
+ path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
+ method for more details.
+
+ Note that the PKIXCertPathChecker is cloned to protect
+ against subsequent modifications.
PKIXCertPathChecker to add to the list of
+ checks. If null, the checker is ignored (not added to list).
+ Clone() under J2ME.
+ super.Clone() does not exist and fields are not copied.
+
+ @param params Parameters to set. If this are
+ ExtendedPkixParameters they are copied to.
+ false.
+
+ The IList is cloned.
+
stores is not
+ a {@link Store}.
+ + This method should be used to add local stores, like collection based + X.509 stores, if available. Local stores should be considered first, + before trying to use additional (remote) locations, because they do not + need possible additional network traffic. +
+ If store is null it is ignored.
+
+ You should not use this method. This method is used for adding additional + X.509 stores, which are used to add (remote) locations, e.g. LDAP, found + during X.509 object processing, e.g. in certificates or CRLs. This method + is used in PKIX certification path processing. +
+ If store is null it is ignored.
+
IList of additional Bouncy Castle
+ Stores used for finding CRLs, certificates, attribute
+ certificates or cross certificates.
+
+ @return an immutable IList of additional Bouncy Castle
+ Stores. Never null.
+
+ @see #addAddionalStore(Store)
+ IList of Bouncy Castle
+ Stores used for finding CRLs, certificates, attribute
+ certificates or cross certificates.
+
+ @return an immutable IList of Bouncy Castle
+ Stores. Never null.
+
+ @see #setStores(IList)
+ true if additional stores are used.
+ true if additional stores are used.
+ IX509Selector. If null, no constraints are
+ defined.
+
+ + The target certificate in a PKIX path may be a certificate or an + attribute certificate. +
+ Note that the IX509Selector returned is cloned to protect
+ against subsequent modifications.
+
IX509Selector specifying the constraints on the
+ target certificate or attribute certificate (or null)
+ @see #setTargetConstraints
+ @see X509CertStoreSelector
+ @see X509AttributeCertStoreSelector
+ IX509Selector. If null, no constraints are
+ defined.
+ + The target certificate in a PKIX path may be a certificate or an + attribute certificate. +
+ Note that the IX509Selector specified is cloned to protect
+ against subsequent modifications.
+
IX509Selector specifying the constraints on
+ the target certificate or attribute certificate (or
+ null)
+ @see #getTargetConstraints
+ @see X509CertStoreSelector
+ @see X509AttributeCertStoreSelector
+
+ The returned ISet consists of TrustAnchors.
+
+ The returned ISet is immutable. Never null
+
+ The trustedACIssuers must be a ISet of
+ TrustAnchor
+
+ The given set is cloned. +
+ + @param trustedACIssuers The trusted AC issuers to set. Is never +null.
+ @throws ClassCastException if an element of stores is not
+ a TrustAnchor.
+
+ The returned ISet is immutable and contains
+ Strings with the OIDs.
+
+ The ISet must contain Strings with the
+ OIDs.
+
+ The set is cloned. +
+ + @param necessaryACAttributes The necessary AC attributes to set. + @throws ClassCastException if an element of +necessaryACAttributes is not a
+ String.
+
+ The returned ISet is immutable and contains
+ Strings with the OIDs.
+
null.
+
+ The ISet must contain Strings with the
+ OIDs.
+
+ The set is cloned. +
+ + @param prohibitedACAttributes The prohibited AC attributes to set. + @throws ClassCastException if an element of +prohibitedACAttributes is not a
+ String.
+ null.
+
+ All elements in the ISet must a {@link PKIXAttrCertChecker}.
+
+ The given set is cloned. +
+ + @param attrCertCheckers The attribute certificate checkers to set. Is + nevernull.
+ @throws ClassCastException if an element of attrCertCheckers
+ is not a PKIXAttrCertChecker.
+ true if this reasons mask contains all possible
+ reasons.
+ + (i) If the distribution point name is present in the IDP CRL extension + and the distribution field is present in the DP, then verify that one of + the names in the IDP matches one of the names in the DP. If the + distribution point name is present in the IDP CRL extension and the + distribution field is omitted from the DP, then verify that one of the + names in the IDP matches one of the names in the cRLIssuer field of the + DP. +
++ (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL + extension, verify that the certificate does not include the basic + constraints extension with the cA boolean asserted. +
++ (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL + extension, verify that the certificate includes the basic constraints + extension with the cA boolean asserted. +
++ (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted. +
+ + @param dp The distribution point. + @param cert The certificate. + @param crl The CRL. + @throws AnnotatedException if one of the conditions is not met or an error occurs. +cert.
+ @throws AnnotatedException if one of the above conditions does not apply or an error
+ occurs.
+ cert.
+ @param cert The attribute certificate or certificate to check if it is
+ revoked.
+ @param defaultCRLSignCert The issuer certificate of the certificate cert.
+ @param defaultCRLSignKey The public key of the issuer certificate
+ defaultCRLSignCert.
+ @param paramsPKIX paramsPKIX PKIX parameters.
+ @param certPathCerts The certificates on the certification path.
+ @return A Set with all keys of possible CRL issuer
+ certificates.
+ @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
+ some error occurs.
+ cert.
+
+ @param dp The distribution point to consider.
+ @param paramsPKIX PKIX parameters.
+ @param cert Certificate to check if it is revoked.
+ @param validDate The date when the certificate revocation status should be
+ checked.
+ @param defaultCRLSignCert The issuer certificate of the certificate cert.
+ @param defaultCRLSignKey The public key of the issuer certificate
+ defaultCRLSignCert.
+ @param certStatus The current certificate revocation status.
+ @param reasonMask The reasons mask which is already checked.
+ @param certPathCerts The certificates of the certification path.
+ @throws AnnotatedException if the certificate is revoked or the status cannot be checked
+ or some error occurs.
+ cert.
+ @param workingPublicKey The public key of the issuer certificate sign.
+ @param certPathCerts The certificates of the certification path.
+ @throws AnnotatedException if the certificate is revoked or the status cannot be checked
+ or some error occurs.
+ attrCert.
+ @param validDate The date when the certificate revocation status should
+ be checked.
+ @param certPathCerts The certificates of the certification path to be
+ checked.
+
+ @throws CertPathValidatorException if the certificate is revoked or the
+ status cannot be checked or some error occurs.
+ attrCert.
+
+ @param dp The distribution point to consider.
+ @param attrCert The attribute certificate which should be checked.
+ @param paramsPKIX PKIX parameters.
+ @param validDate The date when the certificate revocation status should
+ be checked.
+ @param issuerCert Certificate to check if it is revoked.
+ @param reasonMask The reasons mask which is already checked.
+ @param certPathCerts The certificates of the certification path to be
+ checked.
+ @throws Exception if the certificate is revoked or the status
+ cannot be checked or some error occurs.
+
+ NameConstraints ::= SEQUENCE {
+ permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+
+ GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+
+ GeneralSubtree ::= SEQUENCE {
+ base GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL }
+
+ BaseDistance ::= INTEGER (0..MAX)
+
+ GeneralName ::= CHOICE {
+ otherName [0] OtherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+ directoryName [4] Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER}
+
+
+ Note that the name constraints byte array supplied is cloned to protect
+ against subsequent modifications.
+ + Name constraints are an optional parameter, and are intended to be used + as additional constraints when validating an X.509 certification path. +
+ The name constraints are specified as a byte array. This byte array + contains the DER encoded form of the name constraints, as they + would appear in the NameConstraints structure defined in RFC 2459 + and X.509. The ASN.1 notation for this structure is supplied in the + documentation for the other constructors. +
+ Note that the name constraints byte array supplied here is cloned to + protect against subsequent modifications. +
+TrustAnchor where the most-trusted
+ CA is specified as a distinguished name and public key. Name constraints
+ are an optional parameter, and are intended to be used as additional
+ constraints when validating an X.509 certification path.
+ TrustAnchor.
+ TrustAnchor+ If a failure code is associated with the exception it can be retrieved using + the getFailureCode() method.
++ If genTime is null a timeNotAvailable error response will be returned. + + @param request the request this response is for. + @param serialNumber serial number for the response token. + @param genTime generation time for the response token. + @param provider provider to use for signature calculation. + @return + @throws NoSuchAlgorithmException + @throws NoSuchProviderException + @throws TSPException +
++ To be valid the token must be signed by the passed in certificate and + the certificate must be the one referred to by the SigningCertificate + attribute included in the hashed attributes of the token. The + certificate must also have the ExtendedKeyUsageExtension with only + KeyPurposeID.IdKPTimeStamping and have been valid at the time the + timestamp was created. +
++ A successful call to validate means all the above are true. +
++ The exception extends InvalidCastException to enable users to have a single handling case, + only introducing specific handling of this one if required. +
++ The purpose of UrlBase64 encoding is to provide a compact encoding of binary + data that is safe for use as an URL parameter. Base64 encoding does not + produce encoded values that are safe for use in URLs, since "/" can be + interpreted as a path delimiter; "+" is the encoded form of a space; and + "=" is used to separate a name from the corresponding value in an URL + parameter. +
++ The purpose of UrlBase64 encoding is to provide a compact encoding of binary + data that is safe for use as an URL parameter. Base64 encoding does not + produce encoded values that are safe for use in URLs, since "/" can be + interpreted as a path delimiter; "+" is the encoded form of a space; and + "=" is used to separate a name from the corresponding value in an URL + parameter. +
+
+ Holder ::= SEQUENCE {
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ -- the issuer and serial number of
+ -- the holder's Public Key Certificate
+ entityName [1] GeneralNames OPTIONAL,
+ -- the name of the claimant or role
+ objectDigestInfo [2] ObjectDigestInfo OPTIONAL
+ -- used to directly authenticate the holder,
+ -- for example, an executable
+ }
+
+
+ digestedObjectType can be one of the following:
+
otherObjectTypeID must not be empty.This cannot be used if a v1 attribute certificate is used.
+ + @param digestedObjectType The digest object type. + @param digestAlgorithm The algorithm identifier for the hash. + @param otherObjectTypeID The object type ID if +digestedObjectType is
+ otherObjectDigest.
+ @param objectDigest The hash value.
+ +
otherObjectTypeID must not be empty.null if no object
+ digest info is set.
+ null if no object digest info is set.
+ null if no object
+ digest info is set.
+ + Use this in preference to trying to recreate a principal from a string, not all + DNs are what they should be, so it's best to leave them encoded where they + can be.
++ At the moment this will deal with "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" + base 64 encoded certs, as well as the BER binaries of certificates and some classes of PKCS#7 + objects.
+isIndirect
+ is false {@link #getCertificateIssuer()} will always
+ return null, previousCertificateIssuer is
+ ignored. If this isIndirect is specified and this CrlEntry
+ has no certificate issuer CRL entry extension
+ previousCertificateIssuer is returned by
+ {@link #getCertificateIssuer()}.
+
+ @param c
+ TbsCertificateList.CrlEntry object.
+ @param isIndirect
+ true if the corresponding CRL is a indirect
+ CRL.
+ @param previousCertificateIssuer
+ Certificate issuer of the previous CrlEntry.
+
+ id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+ KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1),
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8) }
+
+ Selector like implementation to select
+ attribute certificates from a given set of criteria.
+
+ @see org.bouncycastle.x509.X509AttributeCertificate
+ @see org.bouncycastle.x509.X509Store
+ true if the object matches this selector.X509AttributeCertificate
+ must contain at least one of the specified target names.
+ + Each attribute certificate may contain a target information extension + limiting the servers where this attribute certificate can be used. If + this extension is not present, the attribute certificate is not targeted + and may be accepted by any server. +
+ + @param name The name as a GeneralName (notnull)
+ X509AttributeCertificate
+ must contain at least one of the specified target names.
+ + Each attribute certificate may contain a target information extension + limiting the servers where this attribute certificate can be used. If + this extension is not present, the attribute certificate is not targeted + and may be accepted by any server. +
+ + @param name a byte array containing the name in ASN.1 DER encoded form of a GeneralName + @throws IOException if a parsing error occurs. +null is
+ given any will do.
+ + The collection consists of either GeneralName objects or byte[] arrays representing + DER encoded GeneralName structures. +
+ + @param names A collection of target names. + @throws IOException if a parsing error occurs. + @see #AddTargetName(byte[]) + @see #AddTargetName(GeneralName) +Lists
+ made up of an Integer in the first entry and a DER encoded
+ byte array or a String in the second entry.
+ The returned collection is immutable.
+ + @return The collection of target names + @see #setTargetNames(Collection) +X509AttributeCertificate
+ must contain at least one of the specified target groups.
+ + Each attribute certificate may contain a target information extension + limiting the servers where this attribute certificate can be used. If + this extension is not present, the attribute certificate is not targeted + and may be accepted by any server. +
+ + @param group The group as GeneralName form (notnull)
+ X509AttributeCertificate
+ must contain at least one of the specified target groups.
+ + Each attribute certificate may contain a target information extension + limiting the servers where this attribute certificate can be used. If + this extension is not present, the attribute certificate is not targeted + and may be accepted by any server. +
+ + @param name a byte array containing the group in ASN.1 DER encoded form of a GeneralName + @throws IOException if a parsing error occurs. +null is
+ given any will do.
+
+ The collection consists of GeneralName objects or byte[]
+ representing DER encoded GeneralNames.
+
Lists
+ made up of an Integer in the first entry and a DER encoded
+ byte array or a String in the second entry.
+ The returned collection is immutable.
+ + @return The collection of target groups. + @see #setTargetGroups(Collection) +IX509Selector implementation to select
+ certificate pairs, which are e.g. used for cross certificates. The set of
+ criteria is given from two X509CertStoreSelector objects,
+ each of which, if present, must match the respective component of a pair.
+ X509CertificatePair, this method
+ returns false.
+ X509CertificatePair to be tested.
+ true if the object matches this selector.ISet of DerObjectIdentifier objects.
+ X509Stores.+ The collection is copied. +
+ICollection.ICollection of X509Name objects
+ null is specified, then no such
+ optional information is provided.
+
+ @param attrCert the IX509AttributeCertificate being checked (or
+ null)
+ @see #getAttrCertificateChecking()
+ true only complete CRLs are returned. Defaults to
+ false.
+
+ @return true if only complete CRLs are returned.
+ false.
+
+ @return Returns true if only CRLs with the delta CRL
+ indicator extension are selected.
+ + The issuing distribution point extension is a CRL extension which + identifies the scope and the distribution point of a CRL. The scope + contains among others information about revocation reasons contained in + the CRL. Delta CRLs and complete CRLs must have matching issuing + distribution points.
++ The byte array is cloned to protect against subsequent modifications.
++ You must also enable or disable this criteria with + {@link #setIssuingDistributionPointEnabled(bool)}.
+ + @param issuingDistributionPoint The issuing distribution point to set. + This is the DER encoded OCTET STRING extension value. + @see #getIssuingDistributionPoint() +false.
+ + You may also set the issuing distribution point criteria if not a missing + issuing distribution point should be assumed.
+ + @return Returns if the issuing distribution point check is enabled. +null.
+
+ @return Returns the maximum base CRL number.
+ @see #setMaxBaseCRLNumber(BigInteger)
+