/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package java.security.cert; import java.io.ByteArrayInputStream; import java.math.BigInteger; import java.security.Principal; import java.util.Collection; import java.util.Date; import java.util.List; import javax.security.auth.x500.X500Principal; /** * Abstract base class for X.509 certificates. *
* This represents a standard way for accessing the attributes of X.509 * certificates. *
* The basic X.509 v3 format described in ASN.1: * *
* Certificate ::= SEQUENCE { * tbsCertificate TBSCertificate, * signatureAlgorithm AlgorithmIdentifier, * signature BIT STRING } * * TBSCertificate ::= SEQUENCE { * version [0] EXPLICIT Version DEFAULT v1, * serialNumber CertificateSerialNumber, * signature AlgorithmIdentifier, * issuer Name, * validity Validity, * subject Name, * subjectPublicKeyInfo SubjectPublicKeyInfo, * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, * -- If present, version must be v2 or v3 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, * -- If present, version must be v2 or v3 * extensions [3] EXPLICIT Extensions OPTIONAL * -- If present, version must be v3 * } **
* For more information consult RFC 2459 * "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" at http://www.ietf.org/rfc/rfc2459.txt * . */ public abstract class X509Certificate extends Certificate implements X509Extension { private static final long serialVersionUID = -2491127588187038216L; /** * Creates a new {@code X509Certificate}. */ protected X509Certificate() { super("X.509"); } /** * Checks whether the certificate is currently valid. *
* The validity defined in ASN.1: * *
* validity Validity * * Validity ::= SEQUENCE { * notBefore CertificateValidityDate, * notAfter CertificateValidityDate } * * CertificateValidityDate ::= CHOICE { * utcTime UTCTime, * generalTime GeneralizedTime } ** * @throws CertificateExpiredException * if the certificate has expired. * @throws CertificateNotYetValidException * if the certificate is not yet valid. */ public abstract void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException; /** * Checks whether the certificate is valid at the specified date. * * @param date * the date to check the validity against. * @throws CertificateExpiredException * if the certificate has expired. * @throws CertificateNotYetValidException * if the certificate is not yet valid. * @see #checkValidity() */ public abstract void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException; /** * Returns the certificates {@code version} (version number). *
* The version defined is ASN.1: * *
* Version ::= INTEGER { v1(0), v2(1), v3(2) } ** * @return the version number. */ public abstract int getVersion(); /** * Returns the {@code serialNumber} of the certificate. *
* The ASN.1 definition of {@code serialNumber}: * *
* CertificateSerialNumber ::= INTEGER ** * @return the serial number. */ public abstract BigInteger getSerialNumber(); /** * Returns the {@code issuer} (issuer distinguished name) as an * implementation specific {@code Principal} object. *
* The ASN.1 definition of {@code issuer}: * *
* issuer Name * * Name ::= CHOICE { * RDNSequence } * * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName * * RelativeDistinguishedName ::= SET OF AttributeTypeAndValue * * AttributeTypeAndValue ::= SEQUENCE { * type AttributeType, * value AttributeValue } * * AttributeType ::= OBJECT IDENTIFIER * * AttributeValue ::= ANY DEFINED BY AttributeType ** * replaced by: {@link #getIssuerX500Principal()}. * * @return the {@code issuer} as an implementation specific {@code * Principal}. */ public abstract Principal getIssuerDN() ; /** * Returns the {@code issuer} (issuer distinguished name) as an {@code * X500Principal}. * * @return the {@code issuer} (issuer distinguished name). */ public X500Principal getIssuerX500Principal() { try { // TODO if there is no X.509 certificate provider installed // should we try to access Harmony X509CertImpl via classForName? CertificateFactory factory = CertificateFactory .getInstance("X.509"); X509Certificate cert = (X509Certificate) factory .generateCertificate(new ByteArrayInputStream(getEncoded())); return cert.getIssuerX500Principal(); } catch (Exception e) { throw new RuntimeException("Failed to get X500Principal issuer", e); } } /** * Returns the {@code subject} (subject distinguished name) as an * implementation specific {@code Principal} object. *
* The ASN.1 definition of {@code subject}: * *
* subject Name * * Name ::= CHOICE { * RDNSequence } * * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName * * RelativeDistinguishedName ::= SET OF AttributeTypeAndValue * * AttributeTypeAndValue ::= SEQUENCE { * type AttributeType, * value AttributeValue } * * AttributeType ::= OBJECT IDENTIFIER * * AttributeValue ::= ANY DEFINED BY AttributeType ** *
* replaced by: {@link #getSubjectX500Principal()}. * * @return the {@code subject} (subject distinguished name). */ public abstract Principal getSubjectDN(); /** * Returns the {@code subject} (subject distinguished name) as an {@code * X500Principal}. * * @return the {@code subject} (subject distinguished name) */ public X500Principal getSubjectX500Principal() { try { // TODO if there is no X.509 certificate provider installed // should we try to access Harmony X509CertImpl via classForName? CertificateFactory factory = CertificateFactory .getInstance("X.509"); X509Certificate cert = (X509Certificate) factory .generateCertificate(new ByteArrayInputStream(getEncoded())); return cert.getSubjectX500Principal(); } catch (Exception e) { throw new RuntimeException("Failed to get X500Principal subject", e); } } /** * Returns the {@code notBefore} date from the validity period of the * certificate. * * @return the start of the validity period. */ public abstract Date getNotBefore(); /** * Returns the {@code notAfter} date of the validity period of the * certificate. * * @return the end of the validity period. */ public abstract Date getNotAfter(); /** * Returns the {@code tbsCertificate} information from this certificate in * DER-encoded format. * * @return the DER-encoded certificate information. * @throws CertificateEncodingException * if an error occurs in encoding */ public abstract byte[] getTBSCertificate() throws CertificateEncodingException; /** * Returns the raw signature bits from the certificate. * * @return the raw signature bits from the certificate. */ public abstract byte[] getSignature(); /** * Returns the name of the algorithm for the certificate signature. * * @return the signature algorithm name. */ public abstract String getSigAlgName(); /** * Returns the OID of the signature algorithm from the certificate. * * @return the OID of the signature algorithm. */ public abstract String getSigAlgOID(); /** * Returns the parameters of the signature algorithm in DER-encoded format. * * @return the parameters of the signature algorithm, or {@code null} if * none are used. */ public abstract byte[] getSigAlgParams(); /** * Returns the {@code issuerUniqueID} from the certificate. * * @return the {@code issuerUniqueID} or {@code null} if there's none in the * certificate. */ public abstract boolean[] getIssuerUniqueID(); /** * Returns the {@code subjectUniqueID} from the certificate. * * @return the {@code subjectUniqueID} or null if there's none in the * certificate. */ public abstract boolean[] getSubjectUniqueID(); /** * Returns the {@code KeyUsage} extension as a {@code boolean} array. *
* The ASN.1 definition of {@code KeyUsage}: * *
* KeyUsage ::= BIT STRING { * digitalSignature (0), * nonRepudiation (1), * keyEncipherment (2), * dataEncipherment (3), * keyAgreement (4), * keyCertSign (5), * cRLSign (6), * encipherOnly (7), * decipherOnly (8) } * ** * @return the {@code KeyUsage} extension or {@code null} if there's none in * the certificate. */ public abstract boolean[] getKeyUsage(); /** * Returns a read-only list of OID strings representing the {@code * ExtKeyUsageSyntax} field of the extended key usage extension. * * @return the extended key usage extension, or {@code null} if there's none * in the certificate. * @throws CertificateParsingException * if the extension decoding fails. */ public List
* The ASN.1 definition of {@code SubjectAltName}: * *
* SubjectAltName ::= GeneralNames * * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName * * GeneralName ::= CHOICE { * otherName [0] AnotherName, * rfc822Name [1] IA5String, * dNSName [2] IA5String, * x400Address [3] ORAddress, * directoryName [4] Name, * ediPartyName [5] EDIPartyName, * uniformResourceIdentifier [6] IA5String, * iPAddress [7] OCTET STRING, * registeredID [8] OBJECT IDENTIFIER } * ** * @return the subject alternative names or {@code null} if there are none * in the certificate. * @throws CertificateParsingException * if decoding of the extension fails. */ public Collection
* The ASN.1 definition of {@code IssuerAltName}: * *
* IssuerAltName ::= GeneralNames * * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName * * GeneralName ::= CHOICE { * otherName [0] AnotherName, * rfc822Name [1] IA5String, * dNSName [2] IA5String, * x400Address [3] ORAddress, * directoryName [4] Name, * ediPartyName [5] EDIPartyName, * uniformResourceIdentifier [6] IA5String, * iPAddress [7] OCTET STRING, * registeredID [8] OBJECT IDENTIFIER } * ** * @return the issuer alternative names of {@code null} if there are none in * the certificate. * @throws CertificateParsingException * if decoding of the extension fails. */ public Collection