X509CertSelector.SetAuthorityKeyIdentifier(Byte[]) Method

Definition

Sets the authorityKeyIdentifier criterion.

[Android.Runtime.Register("setAuthorityKeyIdentifier", "([B)V", "GetSetAuthorityKeyIdentifier_arrayBHandler")]
public virtual void SetAuthorityKeyIdentifier (byte[]? authorityKeyID);
[<Android.Runtime.Register("setAuthorityKeyIdentifier", "([B)V", "GetSetAuthorityKeyIdentifier_arrayBHandler")>]
abstract member SetAuthorityKeyIdentifier : byte[] -> unit
override this.SetAuthorityKeyIdentifier : byte[] -> unit

Parameters

authorityKeyID
Byte[]

the authority key identifier (or null)

Remarks

Sets the authorityKeyIdentifier criterion. The X509Certificate must contain an AuthorityKeyIdentifier extension for which the contents of the extension value matches the specified criterion value. If the criterion value is null, no authorityKeyIdentifier check will be done.

If authorityKeyID is not null, it should contain a single DER encoded value corresponding to the contents of the extension value (not including the object identifier, criticality setting, and encapsulating OCTET STRING) for an AuthorityKeyIdentifier extension. The ASN.1 notation for this structure follows.

    AuthorityKeyIdentifier ::= SEQUENCE {
       keyIdentifier             [0] KeyIdentifier           OPTIONAL,
       authorityCertIssuer       [1] GeneralNames            OPTIONAL,
       authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }

    KeyIdentifier ::= OCTET STRING

Authority key identifiers are not parsed by the X509CertSelector. Instead, the values are compared using a byte-by-byte comparison.

When the keyIdentifier field of AuthorityKeyIdentifier is populated, the value is usually taken from the SubjectKeyIdentifier extension in the issuer's certificate. Note, however, that the result of X509Certificate.getExtensionValue(<SubjectKeyIdentifier Object Identifier>) on the issuer's certificate may NOT be used directly as the input to setAuthorityKeyIdentifier. This is because the SubjectKeyIdentifier contains only a KeyIdentifier OCTET STRING, and not a SEQUENCE of KeyIdentifier, GeneralNames, and CertificateSerialNumber. In order to use the extension value of the issuer certificate's SubjectKeyIdentifier extension, it will be necessary to extract the value of the embedded KeyIdentifier OCTET STRING, then DER encode this OCTET STRING inside a SEQUENCE. For more details on SubjectKeyIdentifier, see setSubjectKeyIdentifier(byte[] subjectKeyID).

Note also that the byte array supplied here is cloned to protect against subsequent modifications.
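
The conversion described above, as an added example (not part of the API reference or of the Android/Java sources): it takes the issuer's SubjectKeyIdentifier extension value, extracts the embedded KeyIdentifier, and re-encodes it as the AuthorityKeyIdentifier SEQUENCE before passing it to the selector. The AkiCriterion class and its method names are hypothetical; the 0x80 tag assumes the [0] IMPLICIT tagging that RFC 5280 defines for keyIdentifier.

```csharp
using System;
using Java.Security.Cert;
// Added example, not part of the API reference; AkiCriterion is a hypothetical helper.
public static class AkiCriterion
{
    // Reads the single DER TLV that fills 'der' and returns its content bytes.
    static byte[] ReadTlv(byte[] der, byte tag)
    {
        if (der == null || der.Length < 2 || der[0] != tag)
            throw new FormatException($"expected DER tag 0x{tag:X2}");
        int pos = 2, len = der[1];
        if (len >= 0x80)
        {
            int n = len & 0x7F;               // number of length octets (long form)
            if (n == 0 || n > 2 || pos + n > der.Length)
                throw new FormatException("unsupported DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | der[pos++];
        }
        if (len != der.Length - pos)          // no truncation, no trailing bytes
            throw new FormatException("DER length does not match buffer");
        var content = new byte[len];
        Buffer.BlockCopy(der, pos, content, 0, len);
        return content;
    }

    static byte[] WriteTlv(byte tag, byte[] content)
    {
        int len = content.Length;
        if (len > 0xFFFF) throw new FormatException("content too long");
        byte[] head = len < 0x80 ? new[] { tag, (byte)len }
                    : len < 0x100 ? new[] { tag, (byte)0x81, (byte)len }
                    : new[] { tag, (byte)0x82, (byte)(len >> 8), (byte)len };
        var tlv = new byte[head.Length + len];
        head.CopyTo(tlv, 0);
        content.CopyTo(tlv, head.Length);
        return tlv;
    }

    // Builds the selector criterion from the issuer's SubjectKeyIdentifier extension.
    public static X509CertSelector SelectorForIssuer(X509Certificate issuer)
    {
        byte[] ski = issuer.GetExtensionValue("2.5.29.14")   // id-ce-subjectKeyIdentifier
            ?? throw new InvalidOperationException("issuer has no SubjectKeyIdentifier");
        byte[] keyId = ReadTlv(ReadTlv(ski, 0x04), 0x04);    // extnValue wrapper, then KeyIdentifier
        var selector = new X509CertSelector();
        // keyIdentifier is [0] IMPLICIT (RFC 5280), so its tag is 0x80 inside SEQUENCE 0x30.
        selector.SetAuthorityKeyIdentifier(WriteTlv(0x30, WriteTlv(0x80, keyId)));
        return selector;
    }
}
```

Because the selector compares bytes rather than parsing, this criterion matches only certificates whose AuthorityKeyIdentifier extension carries the keyIdentifier field alone; an extension that also includes authorityCertIssuer and authorityCertSerialNumber will not match.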

Java documentation for java.security.cert.X509CertSelector.setAuthorityKeyIdentifier(byte[]).

Portions of this page are modifications based on work created and shared by the Android Open Source Project and used according to terms described in the Creative Commons 2.5 Attribution License.
