java.lang.Object
  java.security.cert.Certificate
    java.security.cert.X509Certificate
public abstract class X509Certificate
X509Certificate is the abstract class for X.509 certificates. It provides a standard class interface for accessing all the attributes of an X.509 certificate.
In June 1996, the basic X.509 v3 format was finished by ISO/IEC and ANSI X.9. The ASN.1 DER format is below:
    Certificate ::= SEQUENCE {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING
    }
These certificates are widely used in various Internet protocols to support authentication. They are used in Privacy Enhanced Mail (PEM), Transport Layer Security (TLS), Secure Sockets Layer (SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET).
The certificates are managed and vouched for by Certificate Authorities (CAs). CAs are companies or groups that create certificates by placing the data in the X.509 certificate format and signing it with their private key. CAs serve as trusted third parties by certifying that the person or group specified in the certificate is who they say they are.
The ASN.1 definition for tbsCertificate is:

    TBSCertificate ::= SEQUENCE {
        version              [0] EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID       [1] IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version shall be v2 or v3
        subjectUniqueID      [2] IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version shall be v2 or v3
        extensions           [3] EXPLICIT Extensions OPTIONAL
                             -- If present, version shall be v3
    }

    Version ::= INTEGER { v1(0), v2(1), v3(2) }

    CertificateSerialNumber ::= INTEGER

    Validity ::= SEQUENCE {
        notBefore Time,
        notAfter  Time
    }

    Time ::= CHOICE {
        utcTime     UTCTime,
        generalTime GeneralizedTime
    }

    UniqueIdentifier ::= BIT STRING

    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm        AlgorithmIdentifier,
        subjectPublicKey BIT STRING
    }

    Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

    Extension ::= SEQUENCE {
        extnID    OBJECT IDENTIFIER,
        critical  BOOLEAN DEFAULT FALSE,
        extnValue OCTET STRING
    }

Certificates are created with the CertificateFactory.
Nested Class Summary

| Nested classes/interfaces inherited from class java.security.cert.Certificate |
|---|
| Certificate.CertificateRep |
Constructor Summary

| Modifier | Constructor and Description |
|---|---|
| protected | X509Certificate() Constructs a new certificate of the specified type. |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| abstract void | checkValidity() Checks the validity of the X.509 certificate. |
| abstract void | checkValidity(Date date) Checks the validity of the X.509 certificate for the specified time and date. |
| abstract int | getBasicConstraints() Returns the certificate constraints path length from the critical BasicConstraints extension (OID = 2.5.29.19). |
| List<String> | getExtendedKeyUsage() Returns the ExtendedKeyUsage extension of this certificate, or null if there is no extension present. |
| Collection<List<?>> | getIssuerAlternativeNames() Returns the alternative names for this certificate's issuer, or null if there are none. |
| abstract Principal | getIssuerDN() Returns the issuer (issuer distinguished name) of the certificate. |
| abstract boolean[] | getIssuerUniqueID() Returns the issuer unique ID for this certificate. |
| X500Principal | getIssuerX500Principal() Returns the X.500 distinguished name of this certificate's issuer. |
| abstract boolean[] | getKeyUsage() Returns a boolean array representing the KeyUsage extension for the certificate. |
| abstract Date | getNotAfter() Returns the date after which this certificate is not to be used (notAfter). |
| abstract Date | getNotBefore() Returns the date before which this certificate is not to be used (notBefore). |
| abstract BigInteger | getSerialNumber() Returns the serialNumber value from this certificate. |
| abstract String | getSigAlgName() Returns the name of the signature algorithm used to sign this certificate. |
| abstract String | getSigAlgOID() Returns the OID for the signature algorithm used. |
| abstract byte[] | getSigAlgParams() Returns the AlgorithmParameters, in encoded form, for the signature algorithm used. |
| abstract byte[] | getSignature() Returns the signature in its raw DER encoded form. |
| Collection<List<?>> | getSubjectAlternativeNames() Returns the alternative names for this certificate's subject (the owner), or null if there are none. |
| abstract Principal | getSubjectDN() Returns the subject (subject distinguished name) of the certificate. |
| abstract boolean[] | getSubjectUniqueID() Returns the subject unique ID for this certificate. |
| X500Principal | getSubjectX500Principal() Returns the X.500 distinguished name of this certificate's subject. |
| abstract byte[] | getTBSCertificate() Returns the tbsCertificate from the certificate. |
| abstract int | getVersion() Returns the version of this certificate. |
| Methods inherited from class java.security.cert.Certificate |
|---|
| equals, getEncoded, getPublicKey, getType, hashCode, toString, verify, verify, writeReplace |

| Methods inherited from class java.lang.Object |
|---|
| clone, finalize, getClass, notify, notifyAll, wait, wait, wait |

| Methods inherited from interface java.security.cert.X509Extension |
|---|
| getCriticalExtensionOIDs, getExtensionValue, getNonCriticalExtensionOIDs, hasUnsupportedCriticalExtension |
Constructor Detail

protected X509Certificate()

Method Detail

public abstract void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException
    Throws:
        CertificateExpiredException - if the certificate has expired
        CertificateNotYetValidException - if the certificate is not yet valid

public abstract void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException
    Throws:
        CertificateExpiredException - if the certificate has expired based on the given date
        CertificateNotYetValidException - if the certificate is not yet valid based on the given date

public abstract int getVersion()

public abstract BigInteger getSerialNumber()

public abstract Principal getIssuerDN()

public abstract Principal getSubjectDN()

public abstract Date getNotBefore()

public abstract Date getNotAfter()

public abstract byte[] getTBSCertificate() throws CertificateEncodingException
    Throws:
        CertificateEncodingException - if an encoding error occurred

public abstract byte[] getSignature()

public abstract String getSigAlgName()

public abstract String getSigAlgOID()

public abstract byte[] getSigAlgParams()

public abstract boolean[] getIssuerUniqueID()

public abstract boolean[] getSubjectUniqueID()

public abstract boolean[] getKeyUsage()

public abstract int getBasicConstraints()

public List<String> getExtendedKeyUsage() throws CertificateParsingException
    Returns the ExtendedKeyUsage extension of this certificate, or null if there is no extension present. The returned value is a List of strings representing the object identifiers of the extended key usages. This extension has the OID 2.5.29.37.
    The ASN.1 definition for this extension is:

        ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
        KeyPurposeId ::= OBJECT IDENTIFIER

    Throws:
        CertificateParsingException - if this extension cannot be parsed from its encoded form

public Collection<List<?>> getSubjectAlternativeNames() throws CertificateParsingException
    Returns the alternative names for this certificate's subject (the owner), or null if there are none. This is an X.509 extension with OID 2.5.29.17 and is defined by the ASN.1 construction:

        SubjectAltNames ::= GeneralNames

        GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

        GeneralName ::= CHOICE {
            otherName                 [0] OtherName,
            rfc822Name                [1] IA5String,
            dNSName                   [2] IA5String,
            x400Address               [3] ORAddress,
            directoryName             [4] Name,
            ediPartyName              [5] EDIPartyName,
            uniformResourceIdentifier [6] IA5String,
            iPAddress                 [7] OCTET STRING,
            registeredID              [8] OBJECT IDENTIFIER
        }

    The returned collection contains one or more two-element Lists, with the first element being an Integer representing the choice above (with value 0 through 8) and the second being (a) a String if the GeneralName is an rfc822Name, dNSName, uniformResourceIdentifier, iPAddress, or registeredID, or (b) a byte array of the DER encoded form for any others.
    Throws:
        CertificateParsingException - if the encoded extension cannot be parsed

public Collection<List<?>> getIssuerAlternativeNames() throws CertificateParsingException
    Returns the alternative names for this certificate's issuer, or null if there are none. This is an X.509 extension with OID 2.5.29.18, and is defined by the ASN.1 construction:

        IssuerAltNames ::= GeneralNames

    The GeneralNames construct and the form of the returned collection are the same as with getSubjectAlternativeNames().
    Throws:
        CertificateParsingException - if the encoded extension cannot be parsed

public X500Principal getSubjectX500Principal()

public X500Principal getIssuerX500Principal()
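As an added example (not part of the JDK documentation), the following program loads a certificate through CertificateFactory and walks the attributes documented above: the two checkValidity exceptions, the BasicConstraints path length, the KeyUsage boolean array, the ExtendedKeyUsage OID list, the two-element SAN lists with their 0..8 choice tags, and the unsupported-critical-extension check inherited from X509Extension. The KeyUsage bit names, the -1/Integer.MAX_VALUE conventions of getBasicConstraints() and the rule that unknown critical extensions must cause rejection come from RFC 5280 and the JDK's own behaviour, not from this page; the class name CertInspect and the file argument are assumptions.

```java
import java.io.*;
import java.security.cert.*;
import java.util.Collection;
import java.util.List;
// Added example, not part of the JDK documentation. Usage: java CertInspect cert.pem
public class CertInspect {
    // KeyUsage bit positions, in the order RFC 5280 defines them.
    static final String[] KEY_USAGE = { "digitalSignature", "nonRepudiation",
        "keyEncipherment", "dataEncipherment", "keyAgreement", "keyCertSign",
        "cRLSign", "encipherOnly", "decipherOnly" };
    // GeneralName CHOICE tags 0..8 from the getSubjectAlternativeNames() description.
    static final String[] GENERAL_NAME = { "otherName", "rfc822Name", "dNSName",
        "x400Address", "directoryName", "ediPartyName", "uniformResourceIdentifier",
        "iPAddress", "registeredID" };
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {   // PEM or DER file
            inspect((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
    }
    static void inspect(X509Certificate cert) throws CertificateParsingException {
        System.out.println("subject : " + cert.getSubjectX500Principal());
        // checkValidity() compares notBefore/notAfter with "now" only: no signature or chain check.
        try {
            cert.checkValidity();
            System.out.println("validity: ok until " + cert.getNotAfter());
        } catch (CertificateExpiredException e) {
            System.out.println("validity: EXPIRED at " + cert.getNotAfter());
        } catch (CertificateNotYetValidException e) {
            System.out.println("validity: NOT YET VALID before " + cert.getNotBefore());
        }
        // -1 means not a CA; otherwise the path length limit (Integer.MAX_VALUE = unlimited).
        int pathLen = cert.getBasicConstraints();
        System.out.println("CA      : " + (pathLen < 0 ? "no" : "yes, pathLen=" + pathLen));
        // KeyUsage is a boolean[] indexed by bit position (null when the extension is absent).
        boolean[] ku = cert.getKeyUsage();
        StringBuilder uses = new StringBuilder();
        for (int i = 0; ku != null && i < ku.length && i < KEY_USAGE.length; i++)
            if (ku[i]) uses.append(KEY_USAGE[i]).append(' ');
        System.out.println("keyUsage: " + uses + "| extKeyUsage OIDs: " + cert.getExtendedKeyUsage());
        // Each SAN entry is a two-element List: [Integer tag, String or byte[] value].
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) for (List<?> e : sans) {
            Object v = e.get(1);
            String shown = v instanceof String ? (String) v : "<" + ((byte[]) v).length + " DER bytes>";
            System.out.println("SAN     : " + GENERAL_NAME[(Integer) e.get(0)] + " = " + shown);
        }
        // RFC 5280: a certificate with a critical extension we cannot process must be rejected.
        if (cert.hasUnsupportedCriticalExtension())
            System.out.println("REJECT  : unsupported critical extension(s) " + cert.getCriticalExtensionOIDs());
    }
}
```

A test input can be produced with keytool, for example `keytool -genkeypair -alias t -keyalg EC -dname CN=test -ext san=dns:test.example -storepass changeit -keystore t.p12` followed by `keytool -exportcert -rfc -alias t -storepass changeit -keystore t.p12 -file cert.pem`.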