KMIP Support for NAECertificates
CADP for Java NAECertificates can be created by associating the certificate name with a CADP for Java KMIPSession (as opposed to an NAESession, the standard for XML certificate handling):
NAECertificate cert = new NAECertificate(name, kmipSession);
As with operations on Keys and SecretData, operations on certificates generate KMIP rather than XML.
Supported NAECertificate methods
void NAECertificate.importCertificate()
byte[] NAECertificate.certificateExport()
void NAECertificate.delete()
Certificates and their operations can be included in KMIP Batches.
KMIP certificate attributes
Attributes for Certificate Managed Objects include: Certificate Issuer, Certificate Identifier, Digest, Cryptographic Length, Object Type, Certificate Type, Unique Identifier, Certificate Subject, Name, Cryptographic Algorithm, and Initial Date.
The list of KMIP attributes is returned by the KMIP session instance method:
session.listKMIPAttributes()
Note that CADP for Java supports the following KMIP certificate-specific Attributes (in addition to supporting the standard KMIP Object Attributes for all Key Manager server-managed objects):
KMIPCertificateIdentifier
KMIPCertificateIssuer
KMIPCertificateType
KMIPCertificateSubject
Supported attribute operations
The KMIP managed object attributes of NAECertificates associated with KMIP sessions may be added and (where not read-only) modified and deleted in the same manner as for the other KMIP Managed Objects (Symmetric Key, Public/Private Key, Template, and Secret Data). For details, refer to Operations Supported by KMIP Attributes.
Certificate-specific KMIP attribute support
KMIP Attribute wrapper Java objects are included in the CADP for Java 6.4 com.ingrian.security.nae package to support the KMIP-specific Certificate attributes. KMIPCertificateIdentifier, KMIPCertificateIssuer and KMIPCertificateSubject wrap the members of KMIP structures; KMIPCertificateType wraps a KMIP enumeration. All KMIP Certificate Attributes are read-only as per the KMIP specification: attempts to change them are rejected by the server and result in an NAEException being thrown.
As with all KMIP Attributes, these may be instantiated and included in a KMIPAttributes object for querying certificate managed objects:
KMIPCertificateIdentifier (KMIP 1.2 specification section 3.10) members include:
Issuer
Issuer Distinguished Name as a comma-separated string of attribute values of the form: CN=KMIP,OU=OASIS,O=TEST,C=US
SerialNumber
The certificate's serial number as a java.lang.String, including any leading zeros. Queries must present the same leading zeros to the server: "01" and "1" are different strings and will not Locate the same certificates.
KMIPCertificateIssuer (KMIP 1.2 specification section 3.12)
Certificate Issuer Distinguished Name
Certificate Issuer Distinguished Name as a comma-separated string of attribute values of the form: CN=KMIP,OU=OASIS,O=TEST,C=US
Certificate Issuer Alternative Name
Certificate Issuer Alternative Name as a comma-separated string of attribute values of the form: DNS.1=example.com,DNS.2=oasis-open.org
If the certificate has no issuer alternative name, null is returned, and null must likewise be passed when Locating such certificates.
KMIPCertificateSubject (KMIP 1.2 specification section 3.12)
Certificate Subject Distinguished Name
Certificate Subject Distinguished Name as a comma-separated string of attribute values of the form: CN=KMIP,OU=OASIS,O=TEST,C=US
Certificate Subject Alternative Name
Certificate Subject Alternative Name as a comma-separated string of attribute values of the form: DNS.1=example.com,DNS.2=oasis-open.org
If the certificate has no subject alternative name, null is returned, and null must likewise be passed when Locating such certificates.
KMIPCertificateType (KMIP 1.2 specification section 3.8)
An enumeration of certificate types as specified in the KMIP 1.2 specification (section 9.1.3.2.6). The Java enumeration class KMIPCertificateTypes holds one constant for each KMIP certificate type; use these constants in locate() operations:
X509: an X.509 certificate
PGP: a PGP certificate
Note
PGP certificates are not supported by the CADP for Java.
Retrieving KMIP certificate attributes
To retrieve instances of the KMIP Certificate-specific attribute objects, four new KMIPAttributes methods are available. Called on a KMIPAttributes object holding the attributes returned by the server (serverAttributes below), they are used as follows:
KMIPCertificateIdentifier id = serverAttributes.getCertificateIdentifier();
KMIPCertificateType type = serverAttributes.getCertificateType();
KMIPCertificateSubject cs = serverAttributes.getCertificateSubject();
KMIPCertificateIssuer ci = serverAttributes.getCertificateIssuer();
Using attributes as JavaBeans
The KMIP Certificate attributes are JavaBeans and have getters and setters for the object's members, for example:
id.getIssuer();
id.getSerialNumber();
id.setSerialNumber("01");
Note
Setter methods may be called, but they change only the local Java object. The attributes themselves are read-only on the server and cannot be changed with the modifyAttribute() method.
Locating certificate managed objects by attribute
You can locate NAECertificate managed objects by attribute, just as you locate the other KMIP Managed Objects.
Instantiate one of the KMIP Certificate attributes, set its member values and add it to a KMIPAttributes object.
Then, as with any managed object search, call the locate() method on the KMIP Session.
The locate() method instantiates and returns objects of type NAECertificate alongside the other NAE managed object types such as NAEPublicKey, NAEPrivateKey, NAESecretKey, and KMIPSecretData.
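The following is an added example, not code from the CADP for Java documentation or product. It ties together the locate procedure above, the attribute retrieval methods (getCertificateIdentifier() and friends), the JavaBean getters, and certificateExport(): it locates certificates by issuer DN and serial number, filters the mixed result set down to NAECertificate objects, checks the server's identifier against the query, reads the subject alternative name defensively (it is null when absent), and exports the DER bytes. Everything the page does not show is an assumption here: how the KMIPSession is opened and closed (KMIPSession.getSession(NAEClientCertificate) and closeSession(), the pattern used in the CADP KMIP samples), the KMIPAttributes.add(...) signature, the return type of session.locate(), an NAECertificate.getKMIPAttributes() accessor, the exact bean getter names on the subject and issuer wrappers, and the client-certificate alias and password.

```java
import java.util.Set;

import com.ingrian.security.nae.KMIPAttributes;
import com.ingrian.security.nae.KMIPCertificateIdentifier;
import com.ingrian.security.nae.KMIPCertificateIssuer;
import com.ingrian.security.nae.KMIPCertificateSubject;
import com.ingrian.security.nae.KMIPCertificateType;
import com.ingrian.security.nae.KMIPSession;
import com.ingrian.security.nae.NAECertificate;
import com.ingrian.security.nae.NAEClientCertificate;
import com.ingrian.security.nae.NAEException;

/**
 * Locate X.509 certificates on the Key Manager over KMIP by issuer and
 * serial number, verify the server's view of each hit, and export the DER.
 *
 * Example code, not part of CADP for Java. Calls marked "assumed" are not
 * documented on the page this example accompanies; check them against the
 * Javadoc of your CADP release before relying on them.
 */
public class LocateCertificateByIdentifier {

    // Issuer DN in the comma-separated form the server reports: no spaces
    // after the commas, attributes in the order the server returns them.
    private static final String ISSUER_DN = "CN=KMIP,OU=OASIS,O=TEST,C=US";

    // Serial numbers match as strings, so the leading zero is significant:
    // "01" and "1" locate different certificates.
    private static final String SERIAL = "01";

    public static void main(String[] args) throws Exception {
        // Assumed: KMIP client-certificate session setup as in the CADP KMIP
        // samples; alias and password are placeholders.
        KMIPSession session = KMIPSession.getSession(
                new NAEClientCertificate("kmip-client", "changeit".toCharArray()));
        try {
            // 1. Build the query from the certificate identifier members.
            KMIPCertificateIdentifier wanted = new KMIPCertificateIdentifier();
            wanted.setIssuer(ISSUER_DN);
            wanted.setSerialNumber(SERIAL);

            KMIPAttributes query = new KMIPAttributes();
            query.add(wanted); // assumed signature

            // 2. Locate returns every managed object type that matches;
            //    keep only the certificates.
            Set<?> found = session.locate(query); // assumed return type
            for (Object obj : found) {
                if (obj instanceof NAECertificate) {
                    inspectAndExport((NAECertificate) obj);
                }
            }
        } finally {
            session.closeSession(); // assumed method name
        }
    }

    private static void inspectAndExport(NAECertificate cert) throws NAEException {
        // Assumed: the certificate exposes its server-side attributes as a
        // KMIPAttributes object; the four getters below are the documented ones.
        KMIPAttributes serverAttributes = cert.getKMIPAttributes();
        KMIPCertificateIdentifier id = serverAttributes.getCertificateIdentifier();
        KMIPCertificateType type = serverAttributes.getCertificateType();
        KMIPCertificateSubject cs = serverAttributes.getCertificateSubject();
        KMIPCertificateIssuer ci = serverAttributes.getCertificateIssuer();

        // 3. Do not trust the match blindly: confirm the server's identifier,
        //    leading zeros included, equals what was asked for.
        if (!ISSUER_DN.equals(id.getIssuer()) || !SERIAL.equals(id.getSerialNumber())) {
            throw new IllegalStateException("located object does not match query: "
                    + id.getIssuer() + " / " + id.getSerialNumber());
        }

        // 4. Read the structure members. PGP is unsupported by CADP for Java,
        //    so only the X509 type is expected here. Alternative names are
        //    null when the certificate carries none, so guard before use.
        String subjectDn = cs.getCertificateSubjectDistinguishedName(); // assumed getter name
        String subjectAltName = cs.getCertificateSubjectAlternativeName(); // assumed getter name
        String issuerDn = ci.getCertificateIssuerDistinguishedName();   // assumed getter name
        System.out.println("type:    " + type);
        System.out.println("subject: " + subjectDn);
        System.out.println("SAN:     " + (subjectAltName == null ? "<none>" : subjectAltName));
        System.out.println("issuer:  " + issuerDn);

        // 5. Export the certificate bytes. Setters on id/cs/ci would only change
        //    these local beans; the server rejects modifyAttribute() on them.
        byte[] der = cert.certificateExport();
        System.out.println("exported " + der.length + " bytes of DER for " + subjectDn);
    }
}
```

The identifier check in step 3 is the practical point: because the serial number is compared as a string, a query built from a BigInteger (which drops leading zeros) silently locates nothing, and a query that happens to match should still be confirmed against the attributes the server actually holds before the exported bytes are used.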