1 /* X509Certificate.java --- X.509 Certificate class
2 Copyright (C) 1999,2003 Free Software Foundation, Inc.
4 This file is part of GNU Classpath.
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; see the file COPYING. If not, write to the
18 Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
39 package java
.security
.cert
;
41 import java
.math
.BigInteger
;
42 import java
.security
.Principal
;
43 import java
.util
.Date
;
46 * X509Certificate is the abstract class for X.509 certificates.
47 * This provides a stanard class interface for accessing all
48 * the attributes of X.509 certificates.
50 * <p>In June 1996, the basic X.509 v3 format was finished by
51 * ISO/IEC and ANSI X.9. The ASN.1 DER format is below:
54 * Certificate ::= SEQUENCE {
55 * tbsCertificate TBSCertificate,
56 * signatureAlgorithm AlgorithmIdentifier,
57 * signatureValue BIT STRING }
60 * <p>These certificates are widely used in various Internet
61 * protocols to support authentication. It is used in
62 * Privacy Enhanced Mail (PEM), Transport Layer Security (TLS),
63 * Secure Sockets Layer (SSL), code signing for trusted software
64 * distribution, and Secure Electronic Transactions (SET).
66 * <p>The certificates are managed and vouched for by
67 * <I>Certificate Authorities</I> (CAs). CAs are companies or
68 * groups that create certificates by placing the data in the
69 * X.509 certificate format and signing it with their private
70 * key. CAs serve as trusted third parties by certifying that
71 * the person or group specified in the certificate is who
74 * <p>The ASN.1 defintion for <I>tbsCertificate</I> is
77 * TBSCertificate ::= SEQUENCE {
78 * version [0] EXPLICIT Version DEFAULT v1,
79 * serialNumber CertificateSerialNumber,
80 * signature AlgorithmIdentifier,
84 * subjectPublicKeyInfo SubjectPublicKeyInfo,
85 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
86 * -- If present, version shall be v2 or v3
87 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
88 * -- If present, version shall be v2 or v3
89 * extensions [3] EXPLICIT Extensions OPTIONAL
90 * -- If present, version shall be v3
93 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
95 * CertificateSerialNumber ::= INTEGER
97 * Validity ::= SEQUENCE {
103 * generalTime GeneralizedTime }
105 * UniqueIdentifier ::= BIT STRING
107 * SubjectPublicKeyInfo ::= SEQUENCE {
108 * algorithm AlgorithmIdentifier,
109 * subjectPublicKey BIT STRING }
111 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
113 * Extension ::= SEQUENCE {
114 * extnID OBJECT IDENTIFIER,
115 * critical BOOLEAN DEFAULT FALSE,
116 * extnValue OCTET STRING }
117 * </pre></blockquote>
119 * Certificates are created with the CertificateFactory.
124 * <li>Olivier Dubuisson, Philippe Fouquart (Translator) <i>ASN.1 -
125 * Communication between heterogeneous systems</i>, (C) September 2000,
126 * Morgan Kaufmann Publishers, ISBN 0-12-6333361-0. Available on-line at
128 * href="http://www.oss.com/asn1/dubuisson.html">http://www.oss.com/asn1/dubuisson.html</a></li>
129 * <li>R. Housley et al, <i><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC
130 * 3280: Internet X.509 Public Key Infrastructure Certificate and CRL
131 * Profile</a></i>.</li>
135 * @author Mark Benvenuto
136 * @author Casey Marshall (rsdio@metastatic.org)
138 public abstract class X509Certificate
extends Certificate
implements X509Extension
140 private static final long serialVersionUID
= -2491127588187038216L;
143 * Constructs a new certificate of the specified type.
145 protected X509Certificate()
151 Checks the validity of the X.509 certificate. It is valid
152 if the current date and time are within the period specified
155 The ASN.1 DER encoding is:
159 Validity ::= SEQUENCE {
165 generalTime GeneralizedTime }
167 Consult rfc2459 for more information.
169 @throws CertificateExpiredException if the certificate expired
170 @throws CertificateNotYetValidException if the certificate is
173 public abstract void checkValidity()
174 throws CertificateExpiredException
,
175 CertificateNotYetValidException
;
178 Checks the validity of the X.509 certificate for the
179 specified time and date. It is valid if the specified
180 date and time are within the period specified by
183 @throws CertificateExpiredException if the certificate expired
185 @throws CertificateNotYetValidException if the certificate is
186 not yet valid based on the date
188 public abstract void checkValidity(Date date
)
189 throws CertificateExpiredException
,
190 CertificateNotYetValidException
;
193 Returns the version of this certificate.
195 The ASN.1 DER encoding is:
197 version [0] EXPLICIT Version DEFAULT v1,
199 Version ::= INTEGER { v1(0), v2(1), v3(2) }
201 Consult rfc2459 for more information.
203 @return version number of certificate
205 public abstract int getVersion();
208 Gets the serial number for serial Number in
209 this Certifcate. It must be a unique number
210 unique other serial numbers from the granting CA.
212 The ASN.1 DER encoding is:
214 serialNumber CertificateSerialNumber,
216 CertificateSerialNumber ::= INTEGER
218 Consult rfc2459 for more information.
220 @return the serial number for this X509CRLEntry.
222 public abstract BigInteger
getSerialNumber();
225 Returns the issuer (issuer distinguished name) of the
226 Certificate. The issuer is the entity who signed
227 and issued the Certificate.
229 The ASN.1 DER encoding is:
236 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
238 RelativeDistinguishedName ::=
239 SET OF AttributeTypeAndValue
241 AttributeTypeAndValue ::= SEQUENCE {
243 value AttributeValue }
245 AttributeType ::= OBJECT IDENTIFIER
247 AttributeValue ::= ANY DEFINED BY AttributeType
249 DirectoryString ::= CHOICE {
250 teletexString TeletexString (SIZE (1..MAX)),
251 printableString PrintableString (SIZE (1..MAX)),
252 universalString UniversalString (SIZE (1..MAX)),
253 utf8String UTF8String (SIZE (1.. MAX)),
254 bmpString BMPString (SIZE (1..MAX)) }
256 Consult rfc2459 for more information.
258 @return the issuer in the Principal class
260 public abstract Principal
getIssuerDN();
263 Returns the subject (subject distinguished name) of the
264 Certificate. The subject is the entity who the Certificate
267 The ASN.1 DER encoding is:
271 Consult rfc2459 for more information.
273 @return the issuer in the Principal class
275 public abstract Principal
getSubjectDN();
278 Returns the date that this certificate is not to be used
279 before, <I>notBefore</I>.
281 The ASN.1 DER encoding is:
285 Validity ::= SEQUENCE {
291 generalTime GeneralizedTime }
293 Consult rfc2459 for more information.
295 @return the date <I>notBefore</I>
297 public abstract Date
getNotBefore();
300 Returns the date that this certificate is not to be used
301 after, <I>notAfter</I>.
303 @return the date <I>notAfter</I>
305 public abstract Date
getNotAfter();
309 Returns the <I>tbsCertificate</I> from the certificate.
311 @return the DER encoded tbsCertificate
313 @throws CertificateEncodingException if encoding error occurred
315 public abstract byte[] getTBSCertificate() throws CertificateEncodingException
;
318 Returns the signature in its raw DER encoded format.
320 The ASN.1 DER encoding is:
322 signatureValue BIT STRING
324 Consult rfc2459 for more information.
326 @return byte array representing signature
328 public abstract byte[] getSignature();
331 Returns the signature algorithm used to sign the CRL.
332 An examples is "SHA-1/DSA".
334 The ASN.1 DER encoding is:
336 signatureAlgorithm AlgorithmIdentifier,
338 AlgorithmIdentifier ::= SEQUENCE {
339 algorithm OBJECT IDENTIFIER,
340 parameters ANY DEFINED BY algorithm OPTIONAL }
342 Consult rfc2459 for more information.
344 The algorithm name is determined from the OID.
346 @return a string with the signature algorithm name
348 public abstract String
getSigAlgName();
352 Returns the OID for the signature algorithm used.
353 Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
355 The ASN.1 DER encoding for the example is:
357 id-dsa-with-sha1 ID ::= {
358 iso(1) member-body(2) us(840) x9-57 (10040)
361 Consult rfc2459 for more information.
363 @return a string containing the OID.
365 public abstract String
getSigAlgOID();
369 Returns the AlgorithmParameters in the encoded form
370 for the signature algorithm used.
372 If access to the parameters is need, create an
373 instance of AlgorithmParameters.
375 @return byte array containing algorithm parameters, null
376 if no parameters are present in certificate
378 public abstract byte[] getSigAlgParams();
382 Returns the issuer unique ID for this certificate.
384 The ASN.1 DER encoding is:
386 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
387 -- If present, version shall be v2 or v3
389 UniqueIdentifier ::= BIT STRING
391 Consult rfc2459 for more information.
393 @return bit representation of <I>issuerUniqueID</I>
395 public abstract boolean[] getIssuerUniqueID();
398 Returns the subject unique ID for this certificate.
400 The ASN.1 DER encoding is:
402 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
403 -- If present, version shall be v2 or v3
405 UniqueIdentifier ::= BIT STRING
407 Consult rfc2459 for more information.
409 @return bit representation of <I>subjectUniqueID</I>
411 public abstract boolean[] getSubjectUniqueID();
414 Returns a boolean array representing the <I>KeyUsage</I>
415 extension for the certificate. The KeyUsage (OID = 2.5.29.15)
416 defines the purpose of the key in the certificate.
418 The ASN.1 DER encoding is:
420 id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
422 KeyUsage ::= BIT STRING {
423 digitalSignature (0),
426 dataEncipherment (3),
433 Consult rfc2459 for more information.
435 @return bit representation of <I>KeyUsage</I>
437 public abstract boolean[] getKeyUsage();
440 Returns the certificate constraints path length from the
441 critical BasicConstraints extension, (OID = 2.5.29.19).
443 The basic constraints extensions is used to determine if
444 the subject of the certificate is a Certificate Authority (CA)
445 and how deep the certification path may exist. The
446 <I>pathLenConstraint</I> only takes affect if <I>cA</I>
447 is set to true. "A value of zero indicates that only an
448 end-entity certificate may follow in the path." (rfc2459)
450 The ASN.1 DER encoding is:
452 id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
454 BasicConstraints ::= SEQUENCE {
455 cA BOOLEAN DEFAULT FALSE,
456 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
458 Consult rfc2459 for more information.
460 @return the length of the path constraint if BasicConstraints
461 is present and cA is TRUE. Otherwise returns -1.
463 public abstract int getBasicConstraints();
465 // 1.4 instance methods.
466 // ------------------------------------------------------------------------
469 * Returns the <code>ExtendedKeyUsage</code> extension of this
470 * certificate, or null if there is no extension present. The returned
471 * value is a {@link java.util.List} strings representing the object
472 * identifiers of the extended key usages. This extension has the OID
475 * <p>The ASN.1 definition for this extension is:
478 * ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
480 * KeyPurposeId ::= OBJECT IDENTIFIER
481 * </pre></blockquote>
483 * @return The list of extension OIDs, or null if there are none
484 * present in this certificate.
485 * @throws CertificateParsingException If this extension cannot be
486 * parsed from its encoded form.
488 public java
.util
.List
getExtendedKeyUsage()
489 throws CertificateParsingException
491 throw new UnsupportedOperationException();
495 * Returns the alternative names for this certificate's subject (the
496 * owner), or null if there are none.
498 * <p>This is an X.509 extension with OID 2.5.29.17 and is defined by
499 * the ASN.1 construction:
502 * SubjectAltNames ::= GeneralNames
504 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
506 * GeneralName ::= CHOICE {
507 * otherName [0] OtherName,
508 * rfc822Name [1] IA5String,
509 * dNSName [2] IA5String,
510 * x400Address [3] ORAddress,
511 * directoryName [4] Name,
512 * ediPartyName [5] EDIPartyName,
513 * uniformResourceIdentifier [6] IA5String,
514 * iPAddress [7] OCTET STRING,
515 * registeredID [8] OBJECT IDENTIFIER
517 * </pre></blockquote>
519 * <p>The returned collection contains one or more two-element Lists,
520 * with the first object being an Integer representing the choice
521 * above (with value 0 through 8) and the second being an (a) String
522 * if the <code>GeneralName</code> is a rfc822Name, dNSName,
523 * uniformResourceIdentifier, iPAddress, or registeredID, or (b) a
524 * byte array of the DER encoded form for any others.
526 * @return The collection of alternative names, or null if there are
528 * @throws CertificateParsingException If the encoded extension cannot
532 public java
.util
.Collection
getSubjectAlternativeNames()
533 throws CertificateParsingException
535 throw new UnsupportedOperationException();
539 * Returns the alternative names for this certificate's issuer, or
540 * null if there are none.
542 * <p>This is an X.509 extension with OID 2.5.29.18, and is defined by
543 * the ASN.1 construction:
546 * IssuerAltNames ::= GeneralNames
547 * </pre></blockquote>
549 * <p>The <code>GeneralNames</code> construct and the form of the
550 * returned collection are the same as with {@link
551 * #getSubjectAlternativeNames()}.
553 * @return The collection of alternative names, or null if there are
555 * @throws CertificateParsingException If the encoded extension cannot
559 public java
.util
.Collection
getIssuerAlternativeNames()
560 throws CertificateParsingException
562 throw new UnsupportedOperationException();
566 * Returns the X.500 distinguished name of this certificate's subject.
568 * @return The subject's X.500 distinguished name.
571 public javax
.security
.auth
.x500
.X500Principal
getSubjectX500Principal()
573 throw new UnsupportedOperationException();
577 * Returns the X.500 distinguished name of this certificate's issuer.
579 * @return The issuer's X.500 distinguished name.
582 public javax
.security
.auth
.x500
.X500Principal
getIssuerX500Principal()
584 throw new UnsupportedOperationException();