public class X509Data extends BaseElement implements KeyInfoElement

Type="http://www.w3.org/2000/09/xmldsig#X509Data" (this can be used within a RetrievalMethod or Reference element to identify the referent's type)

An X509Data element within KeyInfo contains one or more identifiers of keys or X509 certificates (or certificates' identifiers or a revocation list). The content of X509Data is:

- X509IssuerSerial element, which contains an X.509 issuer distinguished name/serial number pair. The distinguished name SHOULD be represented as a string that complies with section 3 of RFC4514 [LDAP-DN], to be generated according to the Distinguished Name Encoding Rules section below,
- X509SubjectName element, which contains an X.509 subject distinguished name that SHOULD be represented as a string that complies with section 3 of RFC4514 [LDAP-DN], to be generated according to the Distinguished Name Encoding Rules section below,
- X509SKI element, which contains the base64 encoded plain (i.e. non-DER-encoded) value of an X509 V.3 SubjectKeyIdentifier extension,
- X509Certificate element, which contains a base64-encoded [X509v3] certificate, and
- X509CRL element, which contains a base64-encoded certificate revocation list (CRL) [X509v3].

Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear MUST refer to the certificate or certificates containing the validation key. All such elements that refer to a particular individual certificate MUST be grouped inside a single X509Data element and if the certificate to which they refer appears, it MUST also be in that X509Data element.

Any X509IssuerSerial, X509SKI, and X509SubjectName elements that relate to the same key but different certificates MUST be grouped within a single KeyInfo but MAY occur in multiple X509Data elements.

All certificates appearing in an X509Data element MUST relate to the validation key by either containing it or being part of a certification chain that terminates in a certificate containing the validation key.

No ordering is implied by the above constraints. The comments in the following instance demonstrate these constraints:
```xml
<KeyInfo>
  <X509Data> <!-- two pointers to certificate-A -->
    <X509IssuerSerial>
      <X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM,
        L=Yamato-shi, ST=Kanagawa, C=JP</X509IssuerName>
      <X509SerialNumber>12345678</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>31d97bd7</X509SKI>
  </X509Data>
  <X509Data><!-- single pointer to certificate-B -->
    <X509SubjectName>Subject of Certificate B</X509SubjectName>
  </X509Data>
  <X509Data> <!-- certificate chain -->
    <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
    <X509Certificate>MIICXTCCA..</X509Certificate>
    <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US
         issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
    <X509Certificate>MIICPzCCA...</X509Certificate>
    <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
    <X509Certificate>MIICSTCCA...</X509Certificate>
  </X509Data>
</KeyInfo>
```
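The following is an added example, not code from the library documented on this page: a standard-library Python parser that walks the X509Data children of a KeyInfo, enforces the structural rules above (each X509Data is non-empty, an X509IssuerSerial carries both name and serial, only the five element names of the X509DataType schema choice may appear in the dsig namespace, and base64 content must decode strictly), and returns the identifiers a verifier would then resolve against its own trust store. The sample KeyInfo is constructed to mirror the instance above; the certificate bytes are placeholders rather than real DER certificates. Note that KeyInfo in a received document is attacker-controlled, so these identifiers only say which key the signer claims to have used; whether that key is trusted is a separate decision.

```python
# Added example (not part of the library documented on this page): a small
# parser for ds:X509Data children of ds:KeyInfo, using only the standard
# library. The sample XML below is constructed to mirror the spec example;
# the certificate bytes are placeholders, not real DER certificates.
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# The five element names the X509DataType schema choice allows in the dsig
# namespace; elements from other namespaces are accepted (processContents='lax').
X509DATA_CHILDREN = {"X509IssuerSerial", "X509SKI", "X509SubjectName",
                     "X509Certificate", "X509CRL"}
_B64_FIELDS = {"X509SKI": "ski", "X509Certificate": "certificate", "X509CRL": "crl"}


def _tag(local):
    return "{%s}%s" % (DSIG_NS, local)


def _text(elem, what):
    value = (elem.text or "").strip()
    if not value:
        raise ValueError("%s must not be empty" % what)
    return value


def _decode_b64(elem, what):
    # Strict decoding: a mangled or truncated value is rejected, not guessed at.
    try:
        return base64.b64decode("".join(_text(elem, what).split()), validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("%s is not valid base64: %s" % (what, exc))


def parse_x509data(xml_text):
    """Return one dict per ds:X509Data child of the first ds:KeyInfo found."""
    root = ET.fromstring(xml_text)
    keyinfo = root if root.tag == _tag("KeyInfo") else root.find(".//" + _tag("KeyInfo"))
    if keyinfo is None:
        raise ValueError("no ds:KeyInfo element found")
    entries = []
    for x509data in keyinfo.findall(_tag("X509Data")):
        entry = {"issuer_serial": [], "subject_name": [], "ski": [],
                 "certificate": [], "crl": []}
        if len(x509data) == 0:
            raise ValueError("X509Data must contain at least one child element")
        for child in x509data:
            if not child.tag.startswith("{" + DSIG_NS + "}"):
                continue  # ##other namespace: lax processing, ignore here
            local = child.tag.split("}", 1)[1]
            if local not in X509DATA_CHILDREN:
                raise ValueError("unexpected dsig element inside X509Data: " + local)
            if local == "X509IssuerSerial":
                name = child.find(_tag("X509IssuerName"))
                serial = child.find(_tag("X509SerialNumber"))
                if name is None or serial is None:
                    raise ValueError("X509IssuerSerial needs X509IssuerName and X509SerialNumber")
                entry["issuer_serial"].append(
                    (_text(name, "X509IssuerName"), int(_text(serial, "X509SerialNumber"))))
            elif local == "X509SubjectName":
                entry["subject_name"].append(_text(child, "X509SubjectName"))
            else:
                entry[_B64_FIELDS[local]].append(_decode_b64(child, local))
        entries.append(entry)
    return entries


# Constructed placeholders standing in for DER certificate bytes.
CERT_A = base64.b64encode(b"placeholder-signer-cert").decode()
CERT_INT = base64.b64encode(b"placeholder-intermediate-cert").decode()
CERT_ROOT = base64.b64encode(b"placeholder-root-cert").decode()

SAMPLE_KEYINFO = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP</ds:X509IssuerName>
      <ds:X509SerialNumber>12345678</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509SKI>31d97bd7</ds:X509SKI>
  </ds:X509Data>
  <ds:X509Data>
    <ds:X509SubjectName>CN=Subject of Certificate B</ds:X509SubjectName>
  </ds:X509Data>
  <ds:X509Data>
    <ds:X509Certificate>%s</ds:X509Certificate>
    <ds:X509Certificate>%s</ds:X509Certificate>
    <ds:X509Certificate>%s</ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>""" % (CERT_A, CERT_INT, CERT_ROOT)

# KeyName is a legal KeyInfo child but not a legal X509Data child (constructed).
BAD_KEYINFO = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data><ds:KeyName>not allowed here</ds:KeyName></ds:X509Data>
</ds:KeyInfo>"""

if __name__ == "__main__":
    for i, e in enumerate(parse_x509data(SAMPLE_KEYINFO), 1):
        print("X509Data #%d: %d issuer/serial, %d subject, %d SKI, %d cert, %d CRL" % (
            i, len(e["issuer_serial"]), len(e["subject_name"]),
            len(e["ski"]), len(e["certificate"]), len(e["crl"])))
    try:
        parse_x509data(BAD_KEYINFO)
    except ValueError as exc:
        print("rejected:", exc)
```

The parser stops at structure. Checking that every pointer in an X509Data actually refers to the certificate carrying the validation key, and that a multi-certificate X509Data chains to it, needs the certificates decoded and compared, which is the verifier's job once it has chosen a trust anchor.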
Note, there is no direct provision for a PKCS#7 encoded "bag" of
certificates or CRLs. However, a set of certificates and CRLs can occur
within an X509Data element and multiple X509Data
elements can occur in a KeyInfo. Whenever multiple certificates
occur in an X509Data element, at least one such certificate must
contain the public key which verifies the signature.
To encode a distinguished name (X509IssuerSerial, X509SubjectName, and KeyName if appropriate), the encoding rules in section 2 of RFC 4514 [LDAP-DN] SHOULD be applied, except that the character escaping rules in section 2.4 of RFC 4514 [LDAP-DN] MAY be augmented as follows:

Since an XML document logically consists of characters, not octets, the resulting Unicode string is finally encoded according to the character encoding used for producing the physical representation of the XML document.
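As an added example (not code from the library documented here), the following Python implements the base RFC 4514 section 2 string encoding of an RDNSequence together with the section 2.4 escaping rules: the characters `"`, `+`, `,`, `;`, `<`, `>` and `\` are backslash-escaped anywhere, a leading space or `#` and a trailing space are escaped, and NUL is written as `\00`. The XML Signature augmentations referred to above are not implemented. The RDN input is assumed to be given root-first, as it is stored in a certificate; the function reverses it so the string starts with the leaf RDN as the RFC requires.

```python
# Added example (not from the library documented here): RFC 4514 section 2
# string form of a distinguished name with the section 2.4 escaping rules,
# standard library only. Base RFC rules only; XML Signature augmentations
# are not included.

DN_SPECIALS = '"+,;<>\\'   # must be backslash-escaped wherever they occur


def escape_dn_value(value):
    """Escape one attribute value as required by RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")        # NUL is written as its hex pair
        elif i == 0 and ch in " #":
            out.append("\\" + ch)     # leading space or '#' would be ambiguous
        elif i == last and ch == " ":
            out.append("\\ ")         # trailing space would otherwise be lost
        else:
            out.append(ch)
    return "".join(out)


def encode_dn(rdn_sequence):
    """Encode an RDNSequence given root-first (certificate order).

    Each RDN is a list of (attribute_type, value) pairs. Values in a
    multi-valued RDN are joined with '+', RDNs with ',', and the sequence
    is reversed so the string begins with the leaf RDN.
    """
    rdn_strings = []
    for rdn in reversed(rdn_sequence):
        rdn_strings.append("+".join("%s=%s" % (t, escape_dn_value(v)) for t, v in rdn))
    return ",".join(rdn_strings)


# Constructed input mirroring the issuer name in the KeyInfo instance above.
ISSUER_RDNS = [[("C", "JP")], [("ST", "Kanagawa")], [("L", "Yamato-shi")],
               [("O", "IBM")], [("OU", "TRL")], [("CN", "TAMURA Kent")]]

if __name__ == "__main__":
    print(encode_dn(ISSUER_RDNS))
    print(encode_dn([[("C", "US")], [("O", "Acme, Inc.")], [("CN", 'James "Jim" Smith, III')]]))
```

Note that strict RFC 4514 generation joins RDNs with a bare comma, whereas the KeyInfo instance above writes ", " with a space. Both parse as the same name, but a verifier that matches an X509IssuerName against its trust store by plain string equality will miss on such differences; compare parsed names, or normalise both sides with the same encoder, rather than raw strings.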
The following schema fragment specifies the expected content contained within this class.
```xml
<complexType name="X509DataType">
  <complexContent>
    <restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
      <sequence maxOccurs="unbounded">
        <choice>
          <element name="X509IssuerSerial" type="{http://www.w3.org/2000/09/xmldsig#}X509IssuerSerialType"/>
          <element name="X509SKI" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
          <element name="X509SubjectName" type="{http://www.w3.org/2001/XMLSchema}string"/>
          <element name="X509Certificate" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
          <element name="X509CRL" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
          <any processContents='lax' namespace='##other'/>
        </choice>
      </sequence>
    </restriction>
  </complexContent>
</complexType>
```
Fields inherited from class BaseElement: mContext, mElement, mId

| Constructor and Description |
|---|
| X509Data(Context aBaglam) |
| X509Data(org.w3c.dom.Element aElement, Context aContext) Construct X509Data from existing |
| Modifier and Type | Method and Description |
|---|---|
| void | add(X509DataElement aElement) |
| X509DataElement | get(int aIndex) |
| int | getElementCount() |
| java.lang.String | getLocalName() |
| java.lang.String | toString() |
Methods inherited from class BaseElement: addBigIntegerElement, addLineBreak, addLineBreak, checkNamespace, createElement, generateAndSetId, getAttribute, getBigIntegerFromElement, getChildText, getContext, getDocument, getElement, getId, getNamespace, insertBase64EncodedElement, insertElement, insertTextElement, selectChildElement, selectChildren, setId

public X509Data(Context aBaglam)

public X509Data(org.w3c.dom.Element aElement, Context aContext) throws XMLSignatureException
Parameters: aElement - XML element; aContext - according to context
Throws: XMLSignatureException - when structure is invalid or cannot be resolved appropriately

public int getElementCount()

public X509DataElement get(int aIndex)

public void add(X509DataElement aElement)

public java.lang.String toString()
Overrides: toString in class java.lang.Object

public java.lang.String getLocalName()
Overrides: getLocalName in class BaseElement

Copyright © 2025. All rights reserved.