1 /* X509Certificate.java --- X.509 Certificate class
2 Copyright (C) 1999,2003 Free Software Foundation, Inc.
4 This file is part of GNU Classpath.
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; see the file COPYING. If not, write to the
18 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
39 package java.security.cert;
41 import java.math.BigInteger;
42 import java.security.Principal;
43 import java.util.Date;
44 import java.util.List;
47 * X509Certificate is the abstract class for X.509 certificates.
48 * This provides a stanard class interface for accessing all
49 * the attributes of X.509 certificates.
51 * <p>In June 1996, the basic X.509 v3 format was finished by
52 * ISO/IEC and ANSI X.9. The ASN.1 DER format is below:
55 * Certificate ::= SEQUENCE {
56 * tbsCertificate TBSCertificate,
57 * signatureAlgorithm AlgorithmIdentifier,
58 * signatureValue BIT STRING }
61 * <p>These certificates are widely used in various Internet
62 * protocols to support authentication. It is used in
63 * Privacy Enhanced Mail (PEM), Transport Layer Security (TLS),
64 * Secure Sockets Layer (SSL), code signing for trusted software
65 * distribution, and Secure Electronic Transactions (SET).
67 * <p>The certificates are managed and vouched for by
68 * <I>Certificate Authorities</I> (CAs). CAs are companies or
69 * groups that create certificates by placing the data in the
70 * X.509 certificate format and signing it with their private
71 * key. CAs serve as trusted third parties by certifying that
72 * the person or group specified in the certificate is who
75 * <p>The ASN.1 defintion for <I>tbsCertificate</I> is
78 * TBSCertificate ::= SEQUENCE {
79 * version [0] EXPLICIT Version DEFAULT v1,
80 * serialNumber CertificateSerialNumber,
81 * signature AlgorithmIdentifier,
85 * subjectPublicKeyInfo SubjectPublicKeyInfo,
86 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
87 * -- If present, version shall be v2 or v3
88 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
89 * -- If present, version shall be v2 or v3
90 * extensions [3] EXPLICIT Extensions OPTIONAL
91 * -- If present, version shall be v3
94 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
96 * CertificateSerialNumber ::= INTEGER
98 * Validity ::= SEQUENCE {
104 * generalTime GeneralizedTime }
106 * UniqueIdentifier ::= BIT STRING
108 * SubjectPublicKeyInfo ::= SEQUENCE {
109 * algorithm AlgorithmIdentifier,
110 * subjectPublicKey BIT STRING }
112 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
114 * Extension ::= SEQUENCE {
115 * extnID OBJECT IDENTIFIER,
116 * critical BOOLEAN DEFAULT FALSE,
117 * extnValue OCTET STRING }
118 * </pre></blockquote>
120 * Certificates are created with the CertificateFactory.
125 * <li>Olivier Dubuisson, Philippe Fouquart (Translator) <i>ASN.1 -
126 * Communication between heterogeneous systems</i>, (C) September 2000,
127 * Morgan Kaufmann Publishers, ISBN 0-12-6333361-0. Available on-line at
129 * href="http://www.oss.com/asn1/dubuisson.html">http://www.oss.com/asn1/dubuisson.html</a></li>
130 * <li>R. Housley et al, <i><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC
131 * 3280: Internet X.509 Public Key Infrastructure Certificate and CRL
132 * Profile</a></i>.</li>
136 * @author Mark Benvenuto
137 * @author Casey Marshall (rsdio@metastatic.org)
139 public abstract class X509Certificate
140 extends java.security.cert.Certificate // XXX workaround for gcj bug #17845
141 implements X509Extension
143 private static final long serialVersionUID = -2491127588187038216L;
146 * Constructs a new certificate of the specified type.
148 protected X509Certificate()
154 Checks the validity of the X.509 certificate. It is valid
155 if the current date and time are within the period specified
158 The ASN.1 DER encoding is:
162 Validity ::= SEQUENCE {
168 generalTime GeneralizedTime }
170 Consult rfc2459 for more information.
172 @throws CertificateExpiredException if the certificate expired
173 @throws CertificateNotYetValidException if the certificate is
176 public abstract void checkValidity()
177 throws CertificateExpiredException,
178 CertificateNotYetValidException;
181 Checks the validity of the X.509 certificate for the
182 specified time and date. It is valid if the specified
183 date and time are within the period specified by
186 @throws CertificateExpiredException if the certificate expired
188 @throws CertificateNotYetValidException if the certificate is
189 not yet valid based on the date
191 public abstract void checkValidity(Date date)
192 throws CertificateExpiredException,
193 CertificateNotYetValidException;
196 Returns the version of this certificate.
198 The ASN.1 DER encoding is:
200 version [0] EXPLICIT Version DEFAULT v1,
202 Version ::= INTEGER { v1(0), v2(1), v3(2) }
204 Consult rfc2459 for more information.
206 @return version number of certificate
208 public abstract int getVersion();
211 Gets the serial number for serial Number in
212 this Certifcate. It must be a unique number
213 unique other serial numbers from the granting CA.
215 The ASN.1 DER encoding is:
217 serialNumber CertificateSerialNumber,
219 CertificateSerialNumber ::= INTEGER
221 Consult rfc2459 for more information.
223 @return the serial number for this X509CRLEntry.
225 public abstract BigInteger getSerialNumber();
228 Returns the issuer (issuer distinguished name) of the
229 Certificate. The issuer is the entity who signed
230 and issued the Certificate.
232 The ASN.1 DER encoding is:
239 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
241 RelativeDistinguishedName ::=
242 SET OF AttributeTypeAndValue
244 AttributeTypeAndValue ::= SEQUENCE {
246 value AttributeValue }
248 AttributeType ::= OBJECT IDENTIFIER
250 AttributeValue ::= ANY DEFINED BY AttributeType
252 DirectoryString ::= CHOICE {
253 teletexString TeletexString (SIZE (1..MAX)),
254 printableString PrintableString (SIZE (1..MAX)),
255 universalString UniversalString (SIZE (1..MAX)),
256 utf8String UTF8String (SIZE (1.. MAX)),
257 bmpString BMPString (SIZE (1..MAX)) }
259 Consult rfc2459 for more information.
261 @return the issuer in the Principal class
263 public abstract Principal getIssuerDN();
266 Returns the subject (subject distinguished name) of the
267 Certificate. The subject is the entity who the Certificate
270 The ASN.1 DER encoding is:
274 Consult rfc2459 for more information.
276 @return the issuer in the Principal class
278 public abstract Principal getSubjectDN();
281 Returns the date that this certificate is not to be used
282 before, <I>notBefore</I>.
284 The ASN.1 DER encoding is:
288 Validity ::= SEQUENCE {
294 generalTime GeneralizedTime }
296 Consult rfc2459 for more information.
298 @return the date <I>notBefore</I>
300 public abstract Date getNotBefore();
303 Returns the date that this certificate is not to be used
304 after, <I>notAfter</I>.
306 @return the date <I>notAfter</I>
308 public abstract Date getNotAfter();
312 Returns the <I>tbsCertificate</I> from the certificate.
314 @return the DER encoded tbsCertificate
316 @throws CertificateEncodingException if encoding error occurred
318 public abstract byte[] getTBSCertificate() throws CertificateEncodingException;
321 Returns the signature in its raw DER encoded format.
323 The ASN.1 DER encoding is:
325 signatureValue BIT STRING
327 Consult rfc2459 for more information.
329 @return byte array representing signature
331 public abstract byte[] getSignature();
334 Returns the signature algorithm used to sign the CRL.
335 An examples is "SHA-1/DSA".
337 The ASN.1 DER encoding is:
339 signatureAlgorithm AlgorithmIdentifier,
341 AlgorithmIdentifier ::= SEQUENCE {
342 algorithm OBJECT IDENTIFIER,
343 parameters ANY DEFINED BY algorithm OPTIONAL }
345 Consult rfc2459 for more information.
347 The algorithm name is determined from the OID.
349 @return a string with the signature algorithm name
351 public abstract String getSigAlgName();
355 Returns the OID for the signature algorithm used.
356 Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
358 The ASN.1 DER encoding for the example is:
360 id-dsa-with-sha1 ID ::= {
361 iso(1) member-body(2) us(840) x9-57 (10040)
364 Consult rfc2459 for more information.
366 @return a string containing the OID.
368 public abstract String getSigAlgOID();
372 Returns the AlgorithmParameters in the encoded form
373 for the signature algorithm used.
375 If access to the parameters is need, create an
376 instance of AlgorithmParameters.
378 @return byte array containing algorithm parameters, null
379 if no parameters are present in certificate
381 public abstract byte[] getSigAlgParams();
385 Returns the issuer unique ID for this certificate.
387 The ASN.1 DER encoding is:
389 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
390 -- If present, version shall be v2 or v3
392 UniqueIdentifier ::= BIT STRING
394 Consult rfc2459 for more information.
396 @return bit representation of <I>issuerUniqueID</I>
398 public abstract boolean[] getIssuerUniqueID();
401 Returns the subject unique ID for this certificate.
403 The ASN.1 DER encoding is:
405 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
406 -- If present, version shall be v2 or v3
408 UniqueIdentifier ::= BIT STRING
410 Consult rfc2459 for more information.
412 @return bit representation of <I>subjectUniqueID</I>
414 public abstract boolean[] getSubjectUniqueID();
417 Returns a boolean array representing the <I>KeyUsage</I>
418 extension for the certificate. The KeyUsage (OID = 2.5.29.15)
419 defines the purpose of the key in the certificate.
421 The ASN.1 DER encoding is:
423 id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
425 KeyUsage ::= BIT STRING {
426 digitalSignature (0),
429 dataEncipherment (3),
436 Consult rfc2459 for more information.
438 @return bit representation of <I>KeyUsage</I>
440 public abstract boolean[] getKeyUsage();
443 Returns the certificate constraints path length from the
444 critical BasicConstraints extension, (OID = 2.5.29.19).
446 The basic constraints extensions is used to determine if
447 the subject of the certificate is a Certificate Authority (CA)
448 and how deep the certification path may exist. The
449 <I>pathLenConstraint</I> only takes affect if <I>cA</I>
450 is set to true. "A value of zero indicates that only an
451 end-entity certificate may follow in the path." (rfc2459)
453 The ASN.1 DER encoding is:
455 id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
457 BasicConstraints ::= SEQUENCE {
458 cA BOOLEAN DEFAULT FALSE,
459 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
461 Consult rfc2459 for more information.
463 @return the length of the path constraint if BasicConstraints
464 is present and cA is TRUE. Otherwise returns -1.
466 public abstract int getBasicConstraints();
468 // 1.4 instance methods.
469 // ------------------------------------------------------------------------
472 * Returns the <code>ExtendedKeyUsage</code> extension of this
473 * certificate, or null if there is no extension present. The returned
474 * value is a {@link java.util.List} strings representing the object
475 * identifiers of the extended key usages. This extension has the OID
478 * <p>The ASN.1 definition for this extension is:
481 * ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
483 * KeyPurposeId ::= OBJECT IDENTIFIER
484 * </pre></blockquote>
486 * @return The list of extension OIDs, or null if there are none
487 * present in this certificate.
488 * @throws CertificateParsingException If this extension cannot be
489 * parsed from its encoded form.
491 public java.util.List<String> getExtendedKeyUsage()
492 throws CertificateParsingException
494 throw new UnsupportedOperationException();
498 * Returns the alternative names for this certificate's subject (the
499 * owner), or null if there are none.
501 * <p>This is an X.509 extension with OID 2.5.29.17 and is defined by
502 * the ASN.1 construction:
505 * SubjectAltNames ::= GeneralNames
507 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
509 * GeneralName ::= CHOICE {
510 * otherName [0] OtherName,
511 * rfc822Name [1] IA5String,
512 * dNSName [2] IA5String,
513 * x400Address [3] ORAddress,
514 * directoryName [4] Name,
515 * ediPartyName [5] EDIPartyName,
516 * uniformResourceIdentifier [6] IA5String,
517 * iPAddress [7] OCTET STRING,
518 * registeredID [8] OBJECT IDENTIFIER
520 * </pre></blockquote>
522 * <p>The returned collection contains one or more two-element Lists,
523 * with the first object being an Integer representing the choice
524 * above (with value 0 through 8) and the second being an (a) String
525 * if the <code>GeneralName</code> is a rfc822Name, dNSName,
526 * uniformResourceIdentifier, iPAddress, or registeredID, or (b) a
527 * byte array of the DER encoded form for any others.
529 * @return The collection of alternative names, or null if there are
531 * @throws CertificateParsingException If the encoded extension cannot
535 public java.util.Collection<List<?>> getSubjectAlternativeNames()
536 throws CertificateParsingException
538 throw new UnsupportedOperationException();
542 * Returns the alternative names for this certificate's issuer, or
543 * null if there are none.
545 * <p>This is an X.509 extension with OID 2.5.29.18, and is defined by
546 * the ASN.1 construction:
549 * IssuerAltNames ::= GeneralNames
550 * </pre></blockquote>
552 * <p>The <code>GeneralNames</code> construct and the form of the
553 * returned collection are the same as with {@link
554 * #getSubjectAlternativeNames()}.
556 * @return The collection of alternative names, or null if there are
558 * @throws CertificateParsingException If the encoded extension cannot
562 public java.util.Collection<List<?>> getIssuerAlternativeNames()
563 throws CertificateParsingException
565 throw new UnsupportedOperationException();
569 * Returns the X.500 distinguished name of this certificate's subject.
571 * @return The subject's X.500 distinguished name.
574 public javax.security.auth.x500.X500Principal getSubjectX500Principal()
576 throw new UnsupportedOperationException();
580 * Returns the X.500 distinguished name of this certificate's issuer.
582 * @return The issuer's X.500 distinguished name.
585 public javax.security.auth.x500.X500Principal getIssuerX500Principal()
587 throw new UnsupportedOperationException();