| blob | 6b764842f61847c689fb5d8bfd51be7d870db4d7 |
1 /* X509Certificate.java --- X.509 Certificate class
2 Copyright (C) 1999,2003 Free Software Foundation, Inc.
4 This file is part of GNU Classpath.
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
9 any later version.
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; see the file COPYING. If not, write to the
18 Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19 02111-1307 USA.
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
24 combination.
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
45 /**
46 * X509Certificate is the abstract class for X.509 certificates.
47 * This provides a stanard class interface for accessing all
48 * the attributes of X.509 certificates.
49 *
50 * <p>In June 1996, the basic X.509 v3 format was finished by
51 * ISO/IEC and ANSI X.9. The ASN.1 DER format is below:
52 *
53 * <blockquote><pre>
54 * Certificate ::= SEQUENCE {
55 * tbsCertificate TBSCertificate,
56 * signatureAlgorithm AlgorithmIdentifier,
57 * signatureValue BIT STRING }
58 * </pre></blockquote>
59 *
60 * <p>These certificates are widely used in various Internet
61 * protocols to support authentication. It is used in
62 * Privacy Enhanced Mail (PEM), Transport Layer Security (TLS),
63 * Secure Sockets Layer (SSL), code signing for trusted software
64 * distribution, and Secure Electronic Transactions (SET).
65 *
66 * <p>The certificates are managed and vouched for by
67 * <I>Certificate Authorities</I> (CAs). CAs are companies or
68 * groups that create certificates by placing the data in the
69 * X.509 certificate format and signing it with their private
70 * key. CAs serve as trusted third parties by certifying that
71 * the person or group specified in the certificate is who
72 * they say they are.
73 *
74 * <p>The ASN.1 defintion for <I>tbsCertificate</I> is
75 *
76 * <blockquote><pre>
77 * TBSCertificate ::= SEQUENCE {
78 * version [0] EXPLICIT Version DEFAULT v1,
79 * serialNumber CertificateSerialNumber,
80 * signature AlgorithmIdentifier,
81 * issuer Name,
82 * validity Validity,
83 * subject Name,
84 * subjectPublicKeyInfo SubjectPublicKeyInfo,
85 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
86 * -- If present, version shall be v2 or v3
87 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
88 * -- If present, version shall be v2 or v3
89 * extensions [3] EXPLICIT Extensions OPTIONAL
90 * -- If present, version shall be v3
91 * }
92 *
93 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
94 *
95 * CertificateSerialNumber ::= INTEGER
96 *
97 * Validity ::= SEQUENCE {
98 * notBefore Time,
99 * notAfter Time }
100 *
101 * Time ::= CHOICE {
102 * utcTime UTCTime,
103 * generalTime GeneralizedTime }
104 *
105 * UniqueIdentifier ::= BIT STRING
106 *
107 * SubjectPublicKeyInfo ::= SEQUENCE {
108 * algorithm AlgorithmIdentifier,
109 * subjectPublicKey BIT STRING }
110 *
111 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
112 *
113 * Extension ::= SEQUENCE {
114 * extnID OBJECT IDENTIFIER,
115 * critical BOOLEAN DEFAULT FALSE,
116 * extnValue OCTET STRING }
117 * </pre></blockquote>
118 *
119 * Certificates are created with the CertificateFactory.
120 *
121 * <p>References:
122 *
123 * <ol>
124 * <li>Olivier Dubuisson, Philippe Fouquart (Translator) <i>ASN.1 -
125 * Communication between heterogeneous systems</i>, (C) September 2000,
126 * Morgan Kaufmann Publishers, ISBN 0-12-6333361-0. Available on-line at
127 * <a
128 * href="http://www.oss.com/asn1/dubuisson.html">http://www.oss.com/asn1/dubuisson.html</a></li>
129 * <li>R. Housley et al, <i><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC
130 * 3280: Internet X.509 Public Key Infrastructure Certificate and CRL
131 * Profile</a></i>.</li>
132 * </ol>
133 *
134 * @since JDK 1.2
135 * @author Mark Benvenuto
136 * @author Casey Marshall (rsdio@metastatic.org)
137 */
139 {
142 /**
143 * Constructs a new certificate of the specified type.
144 */
146 {
148 }
150 /**
151 Checks the validity of the X.509 certificate. It is valid
152 if the current date and time are within the period specified
153 by the certificate.
155 The ASN.1 DER encoding is:
157 validity Validity,
159 Validity ::= SEQUENCE {
160 notBefore Time,
161 notAfter Time }
163 Time ::= CHOICE {
164 utcTime UTCTime,
165 generalTime GeneralizedTime }
167 Consult rfc2459 for more information.
169 @throws CertificateExpiredException if the certificate expired
170 @throws CertificateNotYetValidException if the certificate is
171 not yet valid
172 */
175 CertificateNotYetValidException;
177 /**
178 Checks the validity of the X.509 certificate for the
179 specified time and date. It is valid if the specified
180 date and time are within the period specified by
181 the certificate.
183 @throws CertificateExpiredException if the certificate expired
184 based on the date
185 @throws CertificateNotYetValidException if the certificate is
186 not yet valid based on the date
187 */
190 CertificateNotYetValidException;
192 /**
193 Returns the version of this certificate.
195 The ASN.1 DER encoding is:
197 version [0] EXPLICIT Version DEFAULT v1,
199 Version ::= INTEGER { v1(0), v2(1), v3(2) }
201 Consult rfc2459 for more information.
203 @return version number of certificate
204 */
207 /**
208 Gets the serial number for serial Number in
209 this Certifcate. It must be a unique number
210 unique other serial numbers from the granting CA.
212 The ASN.1 DER encoding is:
214 serialNumber CertificateSerialNumber,
216 CertificateSerialNumber ::= INTEGER
218 Consult rfc2459 for more information.
220 @return the serial number for this X509CRLEntry.
221 */
224 /**
225 Returns the issuer (issuer distinguished name) of the
226 Certificate. The issuer is the entity who signed
227 and issued the Certificate.
229 The ASN.1 DER encoding is:
231 issuer Name,
233 Name ::= CHOICE {
234 RDNSequence }
236 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
238 RelativeDistinguishedName ::=
239 SET OF AttributeTypeAndValue
241 AttributeTypeAndValue ::= SEQUENCE {
242 type AttributeType,
243 value AttributeValue }
245 AttributeType ::= OBJECT IDENTIFIER
247 AttributeValue ::= ANY DEFINED BY AttributeType
249 DirectoryString ::= CHOICE {
250 teletexString TeletexString (SIZE (1..MAX)),
251 printableString PrintableString (SIZE (1..MAX)),
252 universalString UniversalString (SIZE (1..MAX)),
253 utf8String UTF8String (SIZE (1.. MAX)),
254 bmpString BMPString (SIZE (1..MAX)) }
256 Consult rfc2459 for more information.
258 @return the issuer in the Principal class
259 */
262 /**
263 Returns the subject (subject distinguished name) of the
264 Certificate. The subject is the entity who the Certificate
265 identifies.
267 The ASN.1 DER encoding is:
269 subject Name,
271 Consult rfc2459 for more information.
273 @return the issuer in the Principal class
274 */
277 /**
278 Returns the date that this certificate is not to be used
279 before, <I>notBefore</I>.
281 The ASN.1 DER encoding is:
283 validity Validity,
285 Validity ::= SEQUENCE {
286 notBefore Time,
287 notAfter Time }
289 Time ::= CHOICE {
290 utcTime UTCTime,
291 generalTime GeneralizedTime }
293 Consult rfc2459 for more information.
295 @return the date <I>notBefore</I>
296 */
299 /**
300 Returns the date that this certificate is not to be used
301 after, <I>notAfter</I>.
303 @return the date <I>notAfter</I>
304 */
308 /**
309 Returns the <I>tbsCertificate</I> from the certificate.
311 @return the DER encoded tbsCertificate
313 @throws CertificateEncodingException if encoding error occurred
314 */
317 /**
318 Returns the signature in its raw DER encoded format.
320 The ASN.1 DER encoding is:
322 signatureValue BIT STRING
324 Consult rfc2459 for more information.
326 @return byte array representing signature
327 */
330 /**
331 Returns the signature algorithm used to sign the CRL.
332 An examples is "SHA-1/DSA".
334 The ASN.1 DER encoding is:
336 signatureAlgorithm AlgorithmIdentifier,
338 AlgorithmIdentifier ::= SEQUENCE {
339 algorithm OBJECT IDENTIFIER,
340 parameters ANY DEFINED BY algorithm OPTIONAL }
342 Consult rfc2459 for more information.
344 The algorithm name is determined from the OID.
346 @return a string with the signature algorithm name
347 */
351 /**
352 Returns the OID for the signature algorithm used.
353 Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
355 The ASN.1 DER encoding for the example is:
357 id-dsa-with-sha1 ID ::= {
358 iso(1) member-body(2) us(840) x9-57 (10040)
359 x9cm(4) 3 }
361 Consult rfc2459 for more information.
363 @return a string containing the OID.
364 */
368 /**
369 Returns the AlgorithmParameters in the encoded form
370 for the signature algorithm used.
372 If access to the parameters is need, create an
373 instance of AlgorithmParameters.
375 @return byte array containing algorithm parameters, null
376 if no parameters are present in certificate
377 */
381 /**
382 Returns the issuer unique ID for this certificate.
384 The ASN.1 DER encoding is:
386 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
387 -- If present, version shall be v2 or v3
389 UniqueIdentifier ::= BIT STRING
391 Consult rfc2459 for more information.
393 @return bit representation of <I>issuerUniqueID</I>
394 */
397 /**
398 Returns the subject unique ID for this certificate.
400 The ASN.1 DER encoding is:
402 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
403 -- If present, version shall be v2 or v3
405 UniqueIdentifier ::= BIT STRING
407 Consult rfc2459 for more information.
409 @return bit representation of <I>subjectUniqueID</I>
410 */
413 /**
414 Returns a boolean array representing the <I>KeyUsage</I>
415 extension for the certificate. The KeyUsage (OID = 2.5.29.15)
416 defines the purpose of the key in the certificate.
418 The ASN.1 DER encoding is:
420 id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
422 KeyUsage ::= BIT STRING {
423 digitalSignature (0),
424 nonRepudiation (1),
425 keyEncipherment (2),
426 dataEncipherment (3),
427 keyAgreement (4),
428 keyCertSign (5),
429 cRLSign (6),
430 encipherOnly (7),
431 decipherOnly (8) }
433 Consult rfc2459 for more information.
435 @return bit representation of <I>KeyUsage</I>
436 */
439 /**
440 Returns the certificate constraints path length from the
441 critical BasicConstraints extension, (OID = 2.5.29.19).
443 The basic constraints extensions is used to determine if
444 the subject of the certificate is a Certificate Authority (CA)
445 and how deep the certification path may exist. The
446 <I>pathLenConstraint</I> only takes affect if <I>cA</I>
447 is set to true. "A value of zero indicates that only an
448 end-entity certificate may follow in the path." (rfc2459)
450 The ASN.1 DER encoding is:
452 id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
454 BasicConstraints ::= SEQUENCE {
455 cA BOOLEAN DEFAULT FALSE,
456 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
458 Consult rfc2459 for more information.
460 @return the length of the path constraint if BasicConstraints
461 is present and cA is TRUE. Otherwise returns -1.
462 */
465 // 1.4 instance methods.
466 // ------------------------------------------------------------------------
468 /**
469 * Returns the <code>ExtendedKeyUsage</code> extension of this
470 * certificate, or null if there is no extension present. The returned
471 * value is a {@link java.util.List} strings representing the object
472 * identifiers of the extended key usages. This extension has the OID
473 * 2.5.29.37.
474 *
475 * <p>The ASN.1 definition for this extension is:
476 *
477 * <blockquote><pre>
478 * ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
479 *
480 * KeyPurposeId ::= OBJECT IDENTIFIER
481 * </pre></blockquote>
482 *
483 * @return The list of extension OIDs, or null if there are none
484 * present in this certificate.
485 * @throws CertificateParsingException If this extension cannot be
486 * parsed from its encoded form.
487 */
489 throws CertificateParsingException
490 {
492 }
494 /**
495 * Returns the alternative names for this certificate's subject (the
496 * owner), or null if there are none.
497 *
498 * <p>This is an X.509 extension with OID 2.5.29.17 and is defined by
499 * the ASN.1 construction:
500 *
501 * <blockquote><pre>
502 * SubjectAltNames ::= GeneralNames
503 *
504 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
505 *
506 * GeneralName ::= CHOICE {
507 * otherName [0] OtherName,
508 * rfc822Name [1] IA5String,
509 * dNSName [2] IA5String,
510 * x400Address [3] ORAddress,
511 * directoryName [4] Name,
512 * ediPartyName [5] EDIPartyName,
513 * uniformResourceIdentifier [6] IA5String,
514 * iPAddress [7] OCTET STRING,
515 * registeredID [8] OBJECT IDENTIFIER
516 * }
517 * </pre></blockquote>
518 *
519 * <p>The returned collection contains one or more two-element Lists,
520 * with the first object being an Integer representing the choice
521 * above (with value 0 through 8) and the second being an (a) String
522 * if the <code>GeneralName</code> is a rfc822Name, dNSName,
523 * uniformResourceIdentifier, iPAddress, or registeredID, or (b) a
524 * byte array of the DER encoded form for any others.
525 *
526 * @return The collection of alternative names, or null if there are
527 * none.
528 * @throws CertificateParsingException If the encoded extension cannot
529 * be parsed.
530 * @since JDK 1.4
531 */
533 throws CertificateParsingException
534 {
536 }
538 /**
539 * Returns the alternative names for this certificate's issuer, or
540 * null if there are none.
541 *
542 * <p>This is an X.509 extension with OID 2.5.29.18, and is defined by
543 * the ASN.1 construction:
544 *
545 * <blockquote><pre>
546 * IssuerAltNames ::= GeneralNames
547 * </pre></blockquote>
548 *
549 * <p>The <code>GeneralNames</code> construct and the form of the
550 * returned collection are the same as with {@link
551 * #getSubjectAlternativeNames()}.
552 *
553 * @return The collection of alternative names, or null if there are
554 * none.
555 * @throws CertificateParsingException If the encoded extension cannot
556 * be parsed.
557 * @since JDK 1.4
558 */
560 throws CertificateParsingException
561 {
563 }
565 /**
566 * Returns the X.500 distinguished name of this certificate's subject.
567 *
568 * @return The subject's X.500 distinguished name.
569 * @since JDK 1.4
570 */
572 {
574 }
576 /**
577 * Returns the X.500 distinguished name of this certificate's issuer.
578 *
579 * @return The issuer's X.500 distinguished name.
580 * @since JDK 1.4
581 */
583 {
585 }
586 }