
I want to use JSCEP with Attribute Certificates (ACs), which are part of X.509. When I check the Java libraries, the java.security.cert package contains an abstract X509Certificate, but this certificate inherits a getPublicKey method from java.security.cert.Certificate, which is not part of an AC.

My questions:

  • Could the X509Certificate be used without a public key, so that no problems appear in the other Java classes like JcaX509CertificateConverter?
  • Should I implement my own AttributeCertificate class, which does not inherit from java.security.cert.Certificate?
  • What would be the best practice approach?

1 Answer


The X509Certificate class represents a Public Key Certificate (PKC), while an Attribute Certificate (AC), although it's a similar (but not that much) structure, has no public key. And they're not the same thing.

An X509Certificate can't be used without a public key, because the key is part of it. If you take a look at the RFC's definition, you'll see it's a mandatory field:

Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
    ... lots of fields...
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    ... }

SubjectPublicKeyInfo  ::=  SEQUENCE  {
    algorithm            AlgorithmIdentifier,
    subjectPublicKey     BIT STRING  }

The public key is also part of the definition of a PKC: something that binds an identity and a public key, as stated in the RFC:

...public key certificates, which are data structures that bind public key values to subjects

Attribute Certificates are defined in this RFC, which tells the differences from a PKC:

Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a passport: it identifies the holder, tends to last for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process.

On the same page, you can see that an AC's structure is very different from a PKC's, so an AC implementation shouldn't inherit from X509Certificate. Although there are some similar fields, I don't think they're close enough to justify inheritance (and they also have different purposes and uses, which makes me discard inheritance at all).

The best approach in your case: I'd recommend using an existing implementation. BouncyCastle is one of them. If you can't use an external lib, you can use BouncyCastle's code as a reference.

  • thank you very much for this good answer. Do you know if bouncycastle implements a protocol to manage ACs like the SCEP for PKCs? – wake-0 Apr 25 '17 at 19:35
  • Well, there's a `X509v2AttributeCertificateBuilder` class, I think you can use it (not sure if there's something more complete than that). I've found an example code [here](https://github.com/bcgit/bc-java/blob/master/misc/src/main/java/org/bouncycastle/jcajce/examples/AttrCertExample.java) –  Apr 25 '17 at 19:51
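A worked example of the approach the answer recommends, added here and not taken from the question, the answer or BouncyCastle's own example code: it builds and verifies an AC with `X509v2AttributeCertificateBuilder` and shows that the result is a separate `X509AttributeCertificateHolder`, not a `java.security.cert.Certificate`. The holder PKC's issuer name and serial number, the authority name and the role value are constructed placeholders.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.RoleSyntax;
import org.bouncycastle.asn1.x509.X509AttributeIdentifiers;
import org.bouncycastle.cert.AttributeCertificateHolder;
import org.bouncycastle.cert.AttributeCertificateIssuer;
import org.bouncycastle.cert.X509AttributeCertificateHolder;
import org.bouncycastle.cert.X509v2AttributeCertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

public class AttrCertDemo {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Key pair of the Attribute Authority (AA). Only the AA signs; the AC
        // itself carries no subjectPublicKeyInfo, unlike a PKC.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair aaKeys = kpg.generateKeyPair();
        // The holder is named indirectly: issuer name + serial of the holder's
        // PKC (constructed values; in practice read them from the real PKC).
        AttributeCertificateHolder holder = new AttributeCertificateHolder(
                new X500Name("CN=Example PKC CA"), BigInteger.valueOf(1234));
        AttributeCertificateIssuer issuer = new AttributeCertificateIssuer(
                new X500Name("CN=Example Attribute Authority"));
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 24L * 60 * 60 * 1000); // one-day "visa"
        X509v2AttributeCertificateBuilder builder = new X509v2AttributeCertificateBuilder(
                holder, issuer, BigInteger.ONE, notBefore, notAfter);
        builder.addAttribute(X509AttributeIdentifiers.id_at_role, new RoleSyntax("administrator"));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider("BC").build(aaKeys.getPrivate());
        X509AttributeCertificateHolder ac = builder.build(signer);
        // Verification needs the AA's public key from outside the AC: the holder
        // class is not a java.security.cert.Certificate and has no getPublicKey().
        boolean valid = ac.isSignatureValid(new JcaContentVerifierProviderBuilder()
                .setProvider("BC").build(aaKeys.getPublic()));
        System.out.println("AC issuer:    " + ac.getIssuer().getNames()[0]);
        System.out.println("AC holder:    " + ac.getHolder().getIssuer()[0]
                + " serial " + ac.getHolder().getSerialNumber());
        System.out.println("attributes:   " + ac.getAttributes().length);
        System.out.println("signature ok: " + valid);
    }
}
```

Needs the bcprov and bcpkix jars on the classpath; a verifier that gets the AA's key from anywhere other than a trusted PKC of the AA has not validated the AC.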