Class X509CertImpl
- All Implemented Interfaces: Serializable, X509Extension, DerEncoder
These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. Such signatures are quite difficult to forge. CAs act as trusted third parties, making introductions between agents who have no direct knowledge of each other. CA certificates are either signed by themselves, or by some other CA such as a "root" CA.
RFC 1422 is very informative, though it does not describe much of the recent work being done with X.509 certificates. That includes a 1996 version (X.509v3) and a variety of enhancements being made to facilitate an explosion of personal certificates used as "Internet Drivers' Licences", or with SET for credit card transactions.
More recent work includes the IETF PKIX Working Group efforts, especially part 1.
- Version: 1.94 97/12/10
-
Nested Class Summary
- Nested classes/interfaces inherited from class java.security.cert.Certificate: Certificate.CertificateRep
-
Field Summary
Fields (modifier and type, field, description):
- static final String ALG_ID
- protected AlgorithmId algId
- private static final String BASIC_CONSTRAINT_OID
- private static final String CANNOT_OVERWRITE_EXISTING_CERTIFICATE
- private static final String DOT
- protected X509CertInfo info
- static final String INFO
- static final String ISSUER_DN
- private static final String KEY_USAGE_OID
- static final org.slf4j.Logger logger
- private static final String MISSING_CERTIFICATE_TO_ENCODE
- static final String NAME: Public attribute names.
- static final String PUBLIC_KEY
- private boolean readOnly
- static final String SERIAL_ID
- (package private) static final long serialVersionUID
- static final String SIG
- static final String SIG_ALG
- protected byte[] signature
- static final String SIGNATURE
- static final String SIGNED_CERT
- private byte[] signedCert
- static final String SUBJECT_DN: The following are defined for ease-of-use.
- private static final String UNABLE_TO_PARSE_CERTIFICATE_DATA
-
Constructor Summary
Constructors:
- X509CertImpl(): Default constructor.
- X509CertImpl(byte[] certData): Unmarshals a certificate from its encoded form, parsing the encoded bytes.
- X509CertImpl(byte[] certData, X509CertInfo certInfo): As a special optimization, this constructor acts as X509CertImpl(byte[]) except that it takes an X509CertInfo which it uses as a 'hint' for how to construct one field.
- X509CertImpl(InputStream in): Unmarshals an X.509 certificate from an input stream.
- X509CertImpl(DerValue derVal): Unmarshals a certificate from its encoded form, parsing a DER value.
- X509CertImpl(X509CertInfo certInfo): Constructs an initialized X509 Certificate.
-
Method Summary
Methods (modifier and type, method, description):
- void checkValidity(): Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.
- void checkValidity(Date date): Checks that the specified date is within the certificate's validity period, i.e. whether the certificate would be valid at the specified date/time.
- void decode(InputStream in): Decodes an X.509 certificate from an input stream.
- void delete(String name): Deletes the requested attribute from the certificate.
- void derEncode(OutputStream out): DER encodes this object onto an output stream.
- void encode(OutputStream out): Appends the certificate to an output stream.
- boolean equals(Object other)
- get(String name): Returns the requested attribute from the certificate.
- int getBasicConstraints(): Gets the certificate constraints path length from the critical BasicConstraints extension (oid = 2.5.29.19).
- boolean getBasicConstraintsIsCA()
- Set<String> getCriticalExtensionOIDs(): Gets a Set of the extension(s) marked CRITICAL in the certificate by OID strings.
- getElements(): Returns an enumeration of names of attributes existing within this attribute.
- byte[] getEncoded(): Returns the encoded form of this certificate.
- getExtension(String oid)
- byte[] getExtensionValue(String oid): Gets the DER encoded extension identified by the passed in oid String.
- getInfo()
- Principal getIssuerDN(): Deprecated. Use getIssuerName() or getIssuerX500Principal() instead.
- getIssuerName()
- getIssuerObj()
- boolean[] getIssuerUniqueID(): Gets the Issuer Unique Identity from the certificate.
- boolean[] getKeyUsage(): Gets a boolean array representing the bits of the KeyUsage extension (oid = 2.5.29.15).
- getName(): Returns the name of this attribute.
- Set<String> getNonCriticalExtensionOIDs(): Gets a Set of the extension(s) marked NON-CRITICAL in the certificate by OID strings.
- Date getNotAfter(): Gets the notAfter date from the validity period of the certificate.
- Date getNotBefore(): Gets the notBefore date from the validity period of the certificate.
- PublicKey getPublicKey(): Gets the public key from this certificate.
- BigInteger getSerialNumber(): Gets the serial number from the certificate.
- String getSigAlgName(): Gets the signature algorithm name for the certificate signature algorithm.
- String getSigAlgOID(): Gets the signature algorithm OID string from the certificate.
- byte[] getSigAlgParams(): Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.
- byte[] getSignature(): Gets the raw Signature bits from the certificate.
- Principal getSubjectDN(): Deprecated. Use getSubjectName() or getSubjectX500Principal() instead.
- getSubjectName()
- getSubjectObj()
- boolean[] getSubjectUniqueID(): Gets the Subject Unique Identity from the certificate.
- byte[] getTBSCertificate(): Gets the DER encoded certificate information, the tbsCertificate, from this certificate.
- int getVersion(): Gets the version number from the certificate.
- int hashCode()
- boolean hasUnsupportedCriticalExtension()
- private void parse
- private void readObject(ObjectInputStream stream): Serialization read ...
- void set(String name, Object obj): Sets the requested attribute in the certificate.
- void sign(PrivateKey key, String algorithm): Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name).
- void sign(PrivateKey key, String algorithm, String provider): Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name).
- String toString(): Returns a printable representation of the certificate.
- void verify(PublicKey key): Throws an exception if the certificate was not signed using the verification key provided.
- void verify(PublicKey key, String sigProvider): Throws an exception if the certificate was not signed using the verification key provided.
- private void writeObject(ObjectOutputStream stream): Serialization write ...
- protected Object writeReplace()
Methods inherited from class java.security.cert.X509Certificate: getExtendedKeyUsage, getIssuerAlternativeNames, getIssuerX500Principal, getSubjectAlternativeNames, getSubjectX500Principal, verify
Methods inherited from class java.security.cert.Certificate: getType
-
Field Details
- CANNOT_OVERWRITE_EXISTING_CERTIFICATE
- MISSING_CERTIFICATE_TO_ENCODE
- UNABLE_TO_PARSE_CERTIFICATE_DATA
- logger: public static final org.slf4j.Logger logger
- serialVersionUID: static final long serialVersionUID
- DOT
- NAME: Public attribute names.
- INFO
- ALG_ID
- SIGNATURE
- SIGNED_CERT
- SUBJECT_DN: The following are defined for ease-of-use. These are the most frequently retrieved attributes.
- ISSUER_DN
- SERIAL_ID
- PUBLIC_KEY
- SIG_ALG
- SIG
- readOnly: private boolean readOnly
- signedCert: private byte[] signedCert
- info
- algId
- signature: protected byte[] signature
- KEY_USAGE_OID
- BASIC_CONSTRAINT_OID
-
Constructor Details
-
X509CertImpl
  public X509CertImpl()
  Default constructor.
-
X509CertImpl
  X509CertImpl(byte[] certData)
  Unmarshals a certificate from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use certificate contents; that is, it is one of the more commonly used constructors. Note that the buffer must include only a certificate, and no "garbage" may be left at the end. If you need to ignore data at the end of a certificate, use another constructor.
  Parameters: certData - the encoded bytes, with no trailing padding.
  Throws: CertificateException - on parsing and initialization errors.
-
X509CertImpl
  X509CertImpl(byte[] certData, X509CertInfo certInfo)
  As a special optimization, this constructor acts as X509CertImpl(byte[]) except that it takes an X509CertInfo which it uses as a 'hint' for how to construct one field.
  Parameters:
    certData - the encoded bytes, with no trailing padding.
    certInfo - the certInfo which has already been constructed from the certData.
  Throws: CertificateException
-
X509CertImpl
  X509CertImpl(InputStream in)
  Unmarshals an X.509 certificate from an input stream.
  Parameters: in - an input stream holding at least one certificate.
  Throws: CertificateException - on parsing and initialization errors.
-
X509CertImpl
  X509CertImpl(X509CertInfo certInfo)
  Constructs an initialized X509 Certificate. The certificate is stored in raw form and has to be signed to be useful.
  Parameters: certInfo - the X509CertificateInfo which the Certificate is to be created from.
-
X509CertImpl
  X509CertImpl(DerValue derVal)
  Unmarshals a certificate from its encoded form, parsing a DER value. This form of constructor is used by agents which need to examine and use certificate contents.
  Parameters: derVal - the DER value containing the encoded cert.
  Throws: CertificateException - on parsing and initialization errors.
-
Method Details
-
hasUnsupportedCriticalExtension
  public boolean hasUnsupportedCriticalExtension()
  Specified by: hasUnsupportedCriticalExtension in interface X509Extension
-
decode
  Decodes an X.509 certificate from an input stream.
  Parameters: in - an input stream holding at least one certificate.
  Throws:
    CertificateException - on parsing errors.
    IOException - on other errors.
-
encode
  Appends the certificate to an output stream.
  Parameters: out - the output stream to which the certificate is appended.
  Throws:
    CertificateEncodingException - on encoding errors.
-
derEncode
  DER encodes this object onto an output stream. Implements the DerEncoder interface.
  Specified by: derEncode in interface DerEncoder
  Parameters: out - the output stream on which to write the DER encoding.
  Throws:
    IOException - on encoding error.
-
getEncoded
  Returns the encoded form of this certificate. It is assumed that each certificate type would have only a single form of encoding; for example, X.509 certificates would be encoded as ASN.1 DER.
  Specified by: getEncoded in class Certificate
  Throws:
    CertificateEncodingException - if an encoding error occurs.
-
verify
  public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
  Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.
  Specified by: verify in class Certificate
  Parameters: key - the public key used for verification.
  Throws:
    InvalidKeyException - on incorrect key.
    NoSuchAlgorithmException - on unsupported signature algorithms.
    NoSuchProviderException - if there's no default provider.
    SignatureException - on signature errors.
    CertificateException - on encoding errors.
-
verify
  public void verify(PublicKey key, String sigProvider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
  Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.
  Specified by: verify in class Certificate
  Parameters:
    key - the public key used for verification.
    sigProvider - the name of the provider.
  Throws:
    NoSuchAlgorithmException - on unsupported signature algorithms.
    InvalidKeyException - on incorrect key.
    NoSuchProviderException - on incorrect provider.
    SignatureException - on signature errors.
    CertificateException - on encoding errors.
-
sign
  public void sign(PrivateKey key, String algorithm) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
  Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.
  Parameters:
    key - the private key used for signing.
    algorithm - the name of the signature algorithm used.
  Throws:
    InvalidKeyException - on incorrect key.
    NoSuchAlgorithmException - on unsupported signature algorithms.
    NoSuchProviderException - if there's no default provider.
    SignatureException - on signature errors.
    CertificateException - on encoding errors.
-
sign
  public void sign(PrivateKey key, String algorithm, String provider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
  Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.
  Parameters:
    key - the private key used for signing.
    algorithm - the name of the signature algorithm used.
    provider - the name of the provider.
  Throws:
    NoSuchAlgorithmException - on unsupported signature algorithms.
    InvalidKeyException - on incorrect key.
    NoSuchProviderException - on incorrect provider.
    SignatureException - on signature errors.
    CertificateException - on encoding errors.
-
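The verify() documentation above is explicit that a good signature says nothing about trust. As an added example, not code from this page or from the project that ships this class, here are the checks a relying party wraps around verify() using only methods this page documents: the issuer's BasicConstraints and KeyUsage (getBasicConstraintsIsCA and getKeyUsage, documented further down), name chaining via the inherited X500Principal accessors, the signature itself, checkValidity at a chosen date, and hasUnsupportedCriticalExtension. The import path and the RelyingPartyCheck class name are assumptions (the page does not state the package); the two DER files are supplied on the command line because a real certificate cannot be constructed inline.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.util.Date;
// Assumed package: this page does not state it. Adjust the import to wherever
// X509CertImpl lives in your build (this is the JSS port's location).
import org.mozilla.jss.netscape.security.x509.X509CertImpl;

/** Relying-party checks around verify(), using only methods documented on this page. */
public final class RelyingPartyCheck {
    private static final int KEY_CERT_SIGN = 5; // RFC 5280 KeyUsage bit index

    static X509CertImpl load(String path) throws IOException, CertificateException {
        try (InputStream in = new FileInputStream(path)) {
            return new X509CertImpl(in); // InputStream constructor from this page
        }
    }

    /**
     * Returns normally only if the issuer is a CA permitted to sign certificates, the
     * leaf chains to it by name and by signature, both certificates are valid at 'at',
     * and the leaf carries no critical extension this class cannot handle.
     */
    static void checkIssuedBy(X509CertImpl leaf, X509CertImpl issuer, Date at)
            throws GeneralSecurityException {
        // Authority: cA=TRUE in BasicConstraints and, if KeyUsage is present, keyCertSign.
        if (!issuer.getBasicConstraintsIsCA()) {
            throw new CertificateException("issuer is not a CA (BasicConstraints)");
        }
        boolean[] ku = issuer.getKeyUsage(); // null when the extension is absent
        if (ku != null && (ku.length <= KEY_CERT_SIGN || !ku[KEY_CERT_SIGN])) {
            throw new CertificateException("issuer KeyUsage does not allow keyCertSign");
        }
        // Name chaining: the leaf's issuer DN must equal the issuer's subject DN.
        if (!leaf.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            throw new CertificateException("leaf issuer DN does not match CA subject DN");
        }
        // Signature: verify() throws SignatureException or InvalidKeyException on mismatch.
        leaf.verify(issuer.getPublicKey());
        // Time: throws CertificateExpiredException or CertificateNotYetValidException.
        issuer.checkValidity(at);
        leaf.checkValidity(at);
        // Unknown critical extensions must fail closed (RFC 5280, section 4.2).
        if (leaf.hasUnsupportedCriticalExtension()) {
            throw new CertificateException("unsupported critical extension(s): "
                    + leaf.getCriticalExtensionOIDs());
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java RelyingPartyCheck leaf.der issuer.der (DER-encoded files)
        X509CertImpl leaf = load(args[0]);
        X509CertImpl issuer = load(args[1]);
        checkIssuedBy(leaf, issuer, new Date());
        System.out.println(leaf.getSubjectX500Principal() + " verified under " + issuer.getSubjectX500Principal());
    }
}
```

Revocation status, name constraints and policy processing are outside the methods on this page and still have to be checked separately.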
checkValidity
  Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.
  Specified by: checkValidity in class X509Certificate
  Throws:
    CertificateExpiredException - if the certificate has expired.
    CertificateNotYetValidException - if the certificate is not yet valid.
-
checkValidity
  public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException
  Checks that the specified date is within the certificate's validity period, i.e. whether the certificate would be valid at the specified date/time.
  Specified by: checkValidity in class X509Certificate
  Parameters: date - the Date to check against, to see if this certificate is valid at that date/time.
  Throws:
    CertificateExpiredException - if the certificate has expired with respect to the date supplied.
    CertificateNotYetValidException - if the certificate is not yet valid with respect to the date supplied.
-
get
  Returns the requested attribute from the certificate.
  Parameters: name - the name of the attribute.
  Throws:
    CertificateParsingException - on invalid attribute identifier.
-
set
  Sets the requested attribute in the certificate.
  Parameters:
    name - the name of the attribute.
    obj - the value of the attribute.
  Throws:
    CertificateException - on invalid attribute identifier.
    IOException - on encoding error of attribute.
-
delete
  Deletes the requested attribute from the certificate.
  Parameters: name - the name of the attribute.
  Throws:
    CertificateException - on invalid attribute identifier.
    IOException - on other errors.
-
getElements
  Returns an enumeration of names of attributes existing within this attribute.
-
getName
  Returns the name of this attribute.
-
toString
  Returns a printable representation of the certificate. This does not contain all the information available to distinguish this from any other certificate. The certificate must be fully constructed before this function may be called.
  Specified by: toString in class Certificate
-
getPublicKey
  Gets the public key from this certificate.
  Specified by: getPublicKey in class Certificate
  Returns: the public key.
-
getVersion
  public int getVersion()
  Gets the version number from the certificate.
  Specified by: getVersion in class X509Certificate
  Returns: the version number.
-
getSerialNumber
  Gets the serial number from the certificate.
  Specified by: getSerialNumber in class X509Certificate
  Returns: the serial number.
-
getSubjectDN
  Deprecated. Use getSubjectName() or getSubjectX500Principal() instead.
  Gets the subject distinguished name from the certificate.
  Specified by: getSubjectDN in class X509Certificate
  Returns: the subject name.
-
getSubjectName
-
getSubjectObj
-
getInfo
-
getIssuerDN
  Deprecated. Use getIssuerName() or getIssuerX500Principal() instead.
  Gets the issuer distinguished name from the certificate.
  Specified by: getIssuerDN in class X509Certificate
  Returns: the issuer name.
-
getIssuerName
-
getIssuerObj
-
getNotBefore
  Gets the notBefore date from the validity period of the certificate.
  Specified by: getNotBefore in class X509Certificate
  Returns: the start date of the validity period.
-
getNotAfter
  Gets the notAfter date from the validity period of the certificate.
  Specified by: getNotAfter in class X509Certificate
  Returns: the end date of the validity period.
-
getTBSCertificate
  Gets the DER encoded certificate information, the tbsCertificate, from this certificate. This can be used to verify the signature independently.
  Specified by: getTBSCertificate in class X509Certificate
  Returns: the DER encoded certificate information.
  Throws:
    CertificateEncodingException - if an encoding error occurs.
-
getSignature
  public byte[] getSignature()
  Gets the raw Signature bits from the certificate.
  Specified by: getSignature in class X509Certificate
  Returns: the signature.
-
getSigAlgName
  Gets the signature algorithm name for the certificate signature algorithm. For example, the string "SHA-1/DSA" or "DSS".
  Specified by: getSigAlgName in class X509Certificate
  Returns: the signature algorithm name.
-
getSigAlgOID
  Gets the signature algorithm OID string from the certificate. For example, the string "1.2.840.10040.4.3".
  Specified by: getSigAlgOID in class X509Certificate
  Returns: the signature algorithm OID string.
-
getSigAlgParams
  public byte[] getSigAlgParams()
  Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.
  Specified by: getSigAlgParams in class X509Certificate
  Returns: the DER encoded signature algorithm parameters, or null if no parameters are present.
-
getIssuerUniqueID
  public boolean[] getIssuerUniqueID()
  Gets the Issuer Unique Identity from the certificate.
  Specified by: getIssuerUniqueID in class X509Certificate
  Returns: the Issuer Unique Identity.
-
getSubjectUniqueID
  public boolean[] getSubjectUniqueID()
  Gets the Subject Unique Identity from the certificate.
  Specified by: getSubjectUniqueID in class X509Certificate
  Returns: the Subject Unique Identity.
-
getCriticalExtensionOIDs
  Gets a Set of the extension(s) marked CRITICAL in the certificate by OID strings.
  Specified by: getCriticalExtensionOIDs in interface X509Extension
  Returns: a set of the extension OID strings in the certificate that are marked critical.
-
getNonCriticalExtensionOIDs
  Gets a Set of the extension(s) marked NON-CRITICAL in the certificate by OID strings.
  Specified by: getNonCriticalExtensionOIDs in interface X509Extension
  Returns: a set of the extension OID strings in the certificate that are NOT marked critical.
-
getExtension
-
getExtensionValue
  Gets the DER encoded extension identified by the passed in oid String.
  Specified by: getExtensionValue in interface X509Extension
  Parameters: oid - the Object Identifier value for the extension.
-
getKeyUsage
  public boolean[] getKeyUsage()
  Gets a boolean array representing the bits of the KeyUsage extension (oid = 2.5.29.15).
  Specified by: getKeyUsage in class X509Certificate
  Returns: the bit values of this extension as an array of booleans.
-
getBasicConstraints
  public int getBasicConstraints()
  Gets the certificate constraints path length from the critical BasicConstraints extension (oid = 2.5.29.19).
  Specified by: getBasicConstraints in class X509Certificate
  Returns: the length of the constraint.
-
getBasicConstraintsIsCA
  public boolean getBasicConstraintsIsCA()
-
parse
  Throws:
    CertificateException
    IOException
-
writeObject
  Serialization write ... X.509 certificates serialize as themselves, and they're parsed when they get read back. (Actually they serialize as some type data from the serialization subsystem, then the cert data.)
  Throws:
    CertificateException
-
readObject
  Serialization read ... X.509 certificates serialize as themselves, and they're parsed when they get read back.
  Throws:
    CertificateException
    IOException
-
writeReplace
  Overrides: writeReplace in class Certificate
  Throws:
    ObjectStreamException
-
hashCode
  public int hashCode()
  Overrides: hashCode in class Certificate
-
equals
  Overrides: equals in class Certificate
-