X509CertImpl

The X509CertImpl class represents an X.509 certificate. These certificates are widely used to support authentication and other functionality in Internet security systems. Common applications include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET). There is a commercial infrastructure ready to manage large scale deployments of X.509 identity certificates.

These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. Such signatures are quite difficult to forge. CAs act as trusted third parties, making introductions between agents who have no direct knowledge of each other. CA certificates are either signed by themselves, or by some other CA such as a "root" CA.

RFC 1422 is very informative, though it does not describe much of the recent work being done with X.509 certificates. That includes a 1996 version (X.509v3) and a variety of enhancements being made to facilitate an explosion of personal certificates used as "Internet Drivers' Licences", or with SET for credit card transactions.

More recent work includes the IETF PKIX Working Group efforts, especially RFC2459.

Authors: Dave Brownell, Amit Kapoor, Hemma Prafullchandra. See also: X509CertInfo.

class X509CertImpl : X509Certificate , DerEncoder {}

Constructors

this
this()

Default constructor.

this
this(byte[] certData)

Unmarshals a certificate from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use certificate contents. That is, this is one of the more commonly used constructors. Note that the buffer must include only a certificate, and no "garbage" may be left at the end. If you need to ignore data at the end of a certificate, use another constructor.

this
this(InputStream stream)

Unmarshals an X.509 certificate from an input stream. If the certificate is RFC1421 hex-encoded, then it must begin with the line X509Factory.BEGIN_CERT and end with the line X509Factory.END_CERT.

this
this(X509CertInfo certInfo)

Construct an initialized X509 Certificate. The certificate is stored in raw form and has to be signed to be useful.

this
this(DerValue derVal)

Unmarshal a certificate from its encoded form, parsing a DER value. This form of constructor is used by agents which need to examine and use certificate contents.

Members

Functions

checkValidity
void checkValidity()

Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.

checkValidity
void checkValidity(Date date)

Checks that the specified date is within the certificate's validity period, that is, whether the certificate would be valid at the specified date/time.

derEncode
void derEncode(OutputStream outputStream)

DER encode this object onto an output stream. Implements the DerEncoder interface.

encode
void encode(OutputStream outputStream)

Appends the certificate to an output stream.

get
Object get(string name)

Return the requested attribute from the certificate.

getAuthKeyId
KeyIdentifier getAuthKeyId()
Undocumented in source. Be warned that the author may not have intended to support it.
getBasicConstraints
int getBasicConstraints()

Get the certificate constraints path length from the critical BasicConstraints extension (OID = 2.5.29.19). Returns the length of the constraint.

getCriticalExtensionOIDs
Set!string getCriticalExtensionOIDs()

Gets a Set of the extension(s) marked CRITICAL in the certificate. In the returned set, each extension is represented by its OID string.

getElements
Enumeration!string getElements()

Return an enumeration of names of attributes existing within this attribute.

getEncoded
byte[] getEncoded()

Returns the encoded form of this certificate. It is assumed that each certificate type would have only a single form of encoding; for example, X.509 certificates would be encoded as ASN.1 DER.

getEncodedInternal
byte[] getEncodedInternal()

Returns the encoding as an uncloned byte array. Callers must guarantee that they neither modify it nor expose it to untrusted code.

getExtendedKeyUsage
List!string getExtendedKeyUsage()

This method is the overridden implementation of the getExtendedKeyUsage method in X509Certificate in the Sun provider. It performs better since it returns cached values.

getExtension
Extension getExtension(ObjectIdentifier oid)

Gets the extension identified by the given ObjectIdentifier.

getExtensionValue
byte[] getExtensionValue(string oid)

Gets the DER encoded extension identified by the given oid string.

getFingerprint
string getFingerprint(string algorithm)
Undocumented in source. Be warned that the author may not have intended to support it.
getIssuerDN
Principal getIssuerDN()

Gets the issuer distinguished name from the certificate.

getIssuerUniqueID
bool[] getIssuerUniqueID()

Gets the Issuer Unique Identity from the certificate.

getIssuerX500Principal
X500Principal getIssuerX500Principal()

Get issuer name as X500Principal. Overrides implementation in X509Certificate with a slightly more efficient version that is also aware of X509CertImpl mutability.

getKeyUsage
bool[] getKeyUsage()

Get a bool array representing the bits of the KeyUsage extension (OID = 2.5.29.15). Returns the bit values of this extension as an array of booleans.

getName
string getName()

Return the name of this attribute.

getNonCriticalExtensionOIDs
Set!string getNonCriticalExtensionOIDs()

Gets a Set of the extension(s) marked NON-CRITICAL in the certificate. In the returned set, each extension is represented by its OID string.

getNotAfter
Date getNotAfter()

Gets the notAfter date from the validity period of the certificate.

getNotBefore
Date getNotBefore()

Gets the notBefore date from the validity period of the certificate.

getPublicKey
PublicKey getPublicKey()

Gets the public key from this certificate.

getSerialNumber
BigInteger getSerialNumber()

Gets the serial number from the certificate.

getSerialNumberObject
SerialNumber getSerialNumberObject()

Gets the serial number from the certificate as a SerialNumber object.

getSigAlgName
string getSigAlgName()

Gets the signature algorithm name for the certificate signature algorithm. For example, the string "SHA-1/DSA" or "DSS".

getSigAlgOID
string getSigAlgOID()

Gets the signature algorithm OID string from the certificate. For example, the string "1.2.840.10040.4.3".

getSigAlgParams
byte[] getSigAlgParams()

Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.

getSignature
byte[] getSignature()

Gets the raw Signature bits from the certificate.

getSubjectDN
Principal getSubjectDN()

Gets the subject distinguished name from the certificate.

getSubjectKeyId
KeyIdentifier getSubjectKeyId()

Returns the subject's key identifier, or null.

getSubjectUniqueID
bool[] getSubjectUniqueID()

Gets the Subject Unique Identity from the certificate.

getSubjectX500Principal
X500Principal getSubjectX500Principal()

Get subject name as X500Principal. Overrides implementation in X509Certificate with a slightly more efficient version that is also aware of X509CertImpl mutability.

getTBSCertificate
byte[] getTBSCertificate()

Gets the DER encoded certificate information, the tbsCertificate, from this certificate. This can be used to verify the signature independently.

getUnparseableExtension
Extension getUnparseableExtension(ObjectIdentifier oid)
Undocumented in source. Be warned that the author may not have intended to support it.
getVersion
int getVersion()

Gets the version number from the certificate.

hasUnsupportedCriticalExtension
bool hasUnsupportedCriticalExtension()

Return true if a critical extension is found that is not supported, otherwise return false.

remove
void remove(string name)

Delete the requested attribute from the certificate.

set
void set(string name, Object obj)

Set the requested attribute in the certificate.

sign
void sign(PrivateKey key, string algorithm)

Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.

sign
void sign(PrivateKey key, string algorithm, string provider)

Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.

toString
string toString()

Returns a printable representation of the certificate. This does not contain all the information available to distinguish this from any other certificate. The certificate must be fully constructed before this function may be called.

verify
void verify(PublicKey key)

Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.

verify
void verify(PublicKey key, string sigProvider)

Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.

verify
void verify(PublicKey key, Provider sigProvider)

Throws an exception if the certificate was not signed using the verification key provided. This method uses the signature verification engine supplied by the specified provider. Note that the specified Provider object does not have to be registered in the provider list. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.

Static functions

getEncodedInternal
byte[] getEncodedInternal(Certificate cert)

Returns the encoding of the given certificate for internal use. Callers must guarantee that they neither modify it nor expose it to untrusted code. Uses getEncodedInternal() if the certificate is an instance of X509CertImpl, getEncoded() otherwise.

getExtendedKeyUsage
List!string getExtendedKeyUsage(X509Certificate cert)

This static method is the default implementation of the getExtendedKeyUsage method in X509Certificate. An X509Certificate provider should generally override this to provide, among other things, caching for better performance.

getFingerprint
string getFingerprint(string algorithm, X509Certificate cert)

Gets the requested fingerprint of the certificate. The result contains only the characters 0-9 and A-F: no lowercase letters and no colons.

getIssuerX500Principal
X500Principal getIssuerX500Principal(X509Certificate cert)

Extract the issuer X500Principal from an X509Certificate. Called from java.security.cert.X509Certificate.getIssuerX500Principal().

getSubjectX500Principal
X500Principal getSubjectX500Principal(X509Certificate cert)

Extract the subject X500Principal from an X509Certificate. Called from java.security.cert.X509Certificate.getSubjectX500Principal().

isSelfIssued
bool isSelfIssued(X509Certificate cert)

Utility method to test if a certificate is self-issued. This is the case iff the subject and issuer X500Principals are equal.

isSelfSigned
bool isSelfSigned(X509Certificate cert, string sigProvider)

Utility method to test if a certificate is self-signed. This is the case iff the subject and issuer X500Principals are equal AND the certificate's subject key can be used to verify the certificate. In case of exception, returns false.

toImpl
X509CertImpl toImpl(X509Certificate cert)

Utility method to convert an arbitrary instance of X509Certificate to a X509CertImpl. Does a cast if possible, otherwise reparses the encoding.

verify
void verify(X509Certificate cert, PublicKey key, Provider sigProvider)

This static method is the default implementation of the verify(PublicKey key, Provider sigProvider) method in X509Certificate. Called from java.security.cert.X509Certificate.verify(PublicKey key, Provider sigProvider)

Variables

ALG_ID
enum string ALG_ID;
Undocumented in source.
INFO
enum string INFO;
Undocumented in source.
ISSUER_DN
enum string ISSUER_DN;
Undocumented in source.
NAME
enum string NAME;

Public attribute names.

PUBLIC_KEY
enum string PUBLIC_KEY;
Undocumented in source.
SERIAL_ID
enum string SERIAL_ID;
Undocumented in source.
SIG
enum string SIG;
Undocumented in source.
SIGNATURE
enum string SIGNATURE;
Undocumented in source.
SIGNED_CERT
enum string SIGNED_CERT;
Undocumented in source.
SIG_ALG
enum string SIG_ALG;
Undocumented in source.
SUBJECT_DN
enum string SUBJECT_DN;

The following are defined for ease-of-use. These are the most frequently retrieved attributes.

VERSION
enum string VERSION;
Undocumented in source.
algId
AlgorithmId algId;
Undocumented in source.
info
X509CertInfo info;
Undocumented in source.
signature
byte[] signature;
Undocumented in source.

Inherited Members

From X509Certificate

checkValidity
void checkValidity()

Checks that the certificate is currently valid. It is if the current date and time are within the validity period given in the certificate. The validity period consists of two date/time values: the first and last dates (and times) on which the certificate is valid. It is defined in ASN.1 as: validity Validity

checkValidity
void checkValidity(Date date)

Checks that the given date is within the certificate's validity period. In other words, this determines whether the certificate would be valid at the given date/time.

getVersion
int getVersion()

Gets the version (version number) value from the certificate. The ASN.1 definition for this is: version [0] EXPLICIT Version DEFAULT v1

getSerialNumber
BigInt getSerialNumber()

Gets the serialNumber value from the certificate. The serial number is an integer assigned by the certification authority to each certificate. It must be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). The ASN.1 definition for this is: serialNumber CertificateSerialNumber

getIssuerDN
Principal getIssuerDN()

Denigrated, replaced by getIssuerX500Principal(). This method returns the issuer as an implementation specific Principal object, which should not be relied upon by portable code.

getIssuerX500Principal
X500Principal getIssuerX500Principal()

Returns the issuer (issuer distinguished name) value from the certificate as an X500Principal. It is recommended that subclasses override this method.

getSubjectDN
Principal getSubjectDN()

Denigrated, replaced by getSubjectX500Principal(). This method returns the subject as an implementation specific Principal object, which should not be relied upon by portable code.

getSubjectX500Principal
X500Principal getSubjectX500Principal()

Returns the subject (subject distinguished name) value from the certificate as an X500Principal. If the subject value is empty, then the getName() method of the returned X500Principal object returns an empty string (""). It is recommended that subclasses override this method.

getNotBefore
Date getNotBefore()

Gets the notBefore date from the validity period of the certificate. The relevant ASN.1 definitions are: validity Validity

getNotAfter
Date getNotAfter()

Gets the notAfter date from the validity period of the certificate. See getNotBefore for relevant ASN.1 definitions.

getTBSCertificate
byte[] getTBSCertificate()

Gets the DER-encoded certificate information, the tbsCertificate, from this certificate. This can be used to verify the signature independently.

getSignature
byte[] getSignature()

Gets the signature value (the raw signature bits) from the certificate. The ASN.1 definition for this is: signature BIT STRING

getSigAlgName
string getSigAlgName()

Gets the signature algorithm name for the certificate signature algorithm. An example is the string "SHA256withRSA". The ASN.1 definition for this is: signatureAlgorithm AlgorithmIdentifier

getSigAlgOID
string getSigAlgOID()

Gets the signature algorithm OID string from the certificate. An OID is represented by a set of nonnegative whole numbers separated by periods. For example, the string "1.2.840.10040.4.3" identifies the SHA-1 with DSA signature algorithm defined in RFC 3279: Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile (http://www.ietf.org/rfc/rfc3279.txt).

getSigAlgParams
byte[] getSigAlgParams()

Gets the DER-encoded signature algorithm parameters from this certificate's signature algorithm. In most cases, the signature algorithm parameters are null; the parameters are usually supplied with the certificate's key. If access to individual parameter values is needed then use java.security.AlgorithmParameters and instantiate with the name returned by getSigAlgName.

getIssuerUniqueID
bool[] getIssuerUniqueID()

Gets the issuerUniqueID value from the certificate. The issuer unique identifier is present in the certificate to handle the possibility of reuse of issuer names over time. RFC 3280 recommends that names not be reused and that conforming certificates not make use of unique identifiers. Applications conforming to that profile should be capable of parsing unique identifiers and making comparisons.

getSubjectUniqueID
bool[] getSubjectUniqueID()

Gets the subjectUniqueID value from the certificate.

getKeyUsage
bool[] getKeyUsage()

Gets a bool array representing bits of the KeyUsage extension (OID = 2.5.29.15). The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The ASN.1 definition for this is:

    KeyUsage ::= BIT STRING {
        digitalSignature  (0),
        nonRepudiation    (1),
        keyEncipherment   (2),
        dataEncipherment  (3),
        keyAgreement      (4),
        keyCertSign       (5),
        cRLSign           (6),
        encipherOnly      (7),
        decipherOnly      (8) }

RFC 3280 recommends that when used, this be marked as a critical extension.
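The bit numbering in the KeyUsage definition above, worked through as an added Python example (it is not code from the library this page documents): it decodes the DER BIT STRING of a KeyUsage value into a boolean array indexed by the named bits. The function names, the padding of the result to the nine named bits, and the sample byte strings are assumptions constructed for illustration.

```python
from typing import List

# The nine named bits from the KeyUsage ASN.1 definition, in bit order.
KEY_USAGE_NAMES = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)


def decode_key_usage(der: bytes) -> List[bool]:
    """Decode a DER BIT STRING (tag 0x03) into booleans, bit 0 first."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    # KeyUsage is at most two content bytes, so only short-form lengths fit.
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("bad length or trailing data")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("invalid unused-bit count")
    # DER requires the unused low-order bits of the last byte to be zero.
    if unused and payload[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits")
    # Bit 0 is the most significant bit of the first content byte.
    bits = [bool(byte >> (7 - i) & 1) for byte in payload for i in range(8)]
    bits = bits[: len(bits) - unused]
    # Assumption of this example: pad with False up to the nine named bits
    # so callers can index any named bit without a length check.
    bits += [False] * (len(KEY_USAGE_NAMES) - len(bits))
    return bits


def key_usage_names(bits: List[bool]) -> List[str]:
    """Names of the KeyUsage bits that are set."""
    return [name for name, is_set in zip(KEY_USAGE_NAMES, bits) if is_set]


# Constructed sample values (not taken from any real certificate).
TLS_SERVER = bytes.fromhex("030205a0")    # digitalSignature + keyEncipherment
CA_CERT = bytes.fromhex("03020106")       # keyCertSign + cRLSign
TWO_BYTES = bytes.fromhex("0303070880")   # keyAgreement + decipherOnly (bit 8)

if __name__ == "__main__":
    for sample in (TLS_SERVER, CA_CERT, TWO_BYTES):
        print(sample.hex(), key_usage_names(decode_key_usage(sample)))
```

A path validator would typically check index 5 (keyCertSign) on every issuing certificate before accepting a signature made with its key.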

getBasicConstraints
int getBasicConstraints()

Gets the certificate constraints path length from the critical BasicConstraints extension (OID = 2.5.29.19).

The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA) and how deep a certification path may exist through that CA. The pathLenConstraint field (see below) is meaningful only if cA is set to TRUE. In this case, it gives the maximum number of CA certificates that may follow this certificate in a certification path. A value of zero indicates that only an end-entity certificate may follow in the path.

The ASN.1 definition for this is:

    BasicConstraints ::= SEQUENCE {
        cA                  BOOLEAN DEFAULT FALSE,
        pathLenConstraint   INTEGER (0..MAX) OPTIONAL }

verify
void verify(PublicKey key, Provider sigProvider)

Verifies that this certificate was signed using the private key that corresponds to the specified key. This method uses the signature verification engine supplied by the specified provider. Note that the specified Provider object does not have to be registered in the provider list.

From DerEncoder

derEncode
void derEncode(OutputStream ot)

DER encode this object and write the results to a stream.
