X509Certificate.java revision 897538a36c18f4db8f9f68ee566aec0bda842e9f
1/* 2 * Licensed to the Apache Software Foundation (ASF) under one or more 3 * contributor license agreements. See the NOTICE file distributed with 4 * this work for additional information regarding copyright ownership. 5 * The ASF licenses this file to You under the Apache License, Version 2.0 6 * (the "License"); you may not use this file except in compliance with 7 * the License. You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 */ 17 18package java.security.cert; 19 20import java.io.ByteArrayInputStream; 21import java.math.BigInteger; 22import java.security.Principal; 23import java.util.Collection; 24import java.util.Date; 25import java.util.List; 26 27import javax.security.auth.x500.X500Principal; 28 29/** 30 * Abstract base class for X.509 certificates. 31 * <p> 32 * This represents a standard way for accessing the attributes of X.509 33 * certificates. 34 * <p> 35 * The basic X.509 v3 format described in ASN.1: 36 * 37 * <pre> 38 * Certificate ::= SEQUENCE { 39 * tbsCertificate TBSCertificate, 40 * signatureAlgorithm AlgorithmIdentifier, 41 * signature BIT STRING } 42 * 43 * TBSCertificate ::= SEQUENCE { 44 * version [0] EXPLICIT Version DEFAULT v1, 45 * serialNumber CertificateSerialNumber, 46 * signature AlgorithmIdentifier, 47 * issuer Name, 48 * validity Validity, 49 * subject Name, 50 * subjectPublicKeyInfo SubjectPublicKeyInfo, 51 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 52 * -- If present, version must be v2 or v3 53 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 54 * -- If present, version must be v2 or v3 55 * extensions [3] EXPLICIT Extensions OPTIONAL 56 * -- If present, version must be v3 57 * } 58 * </pre> 59 * <p> 60 * For more information consult RFC 2459 61 * "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" at <a 62 * href 63 * ="http://www.ietf.org/rfc/rfc2459.txt">http://www.ietf.org/rfc/rfc2459.txt 64 * </a> . 65 */ 66public abstract class X509Certificate 67 extends Certificate implements X509Extension { 68 69 private static final long serialVersionUID = -2491127588187038216L; 70 71 /** 72 * Creates a new {@code X509Certificate}. 73 */ 74 protected X509Certificate() { 75 super("X.509"); 76 } 77 78 /** 79 * Checks whether the certificate is currently valid. 80 * <p> 81 * The validity defined in ASN.1: 82 * 83 * <pre> 84 * validity Validity 85 * 86 * Validity ::= SEQUENCE { 87 * notBefore CertificateValidityDate, 88 * notAfter CertificateValidityDate } 89 * 90 * CertificateValidityDate ::= CHOICE { 91 * utcTime UTCTime, 92 * generalTime GeneralizedTime } 93 * </pre> 94 * 95 * @throws CertificateExpiredException 96 * if the certificate has expired. 97 * @throws CertificateNotYetValidException 98 * if the certificate is not yet valid. 99 */ 100 public abstract void checkValidity() 101 throws CertificateExpiredException, CertificateNotYetValidException; 102 103 /** 104 * Checks whether the certificate is valid at the specified date. 105 * 106 * @param date 107 * the date to check the validity against. 108 * @throws CertificateExpiredException 109 * if the certificate has expired. 110 * @throws CertificateNotYetValidException 111 * if the certificate is not yet valid. 112 * @see #checkValidity() 113 */ 114 public abstract void checkValidity(Date date) 115 throws CertificateExpiredException, CertificateNotYetValidException; 116 117 /** 118 * Returns the certificates {@code version} (version number). 119 * <p> 120 * The version defined is ASN.1: 121 * 122 * <pre> 123 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 124 * </pre> 125 * 126 * @return the version number. 127 */ 128 public abstract int getVersion(); 129 130 /** 131 * Returns the {@code serialNumber} of the certificate. 132 * <p> 133 * The ASN.1 definition of {@code serialNumber}: 134 * 135 * <pre> 136 * CertificateSerialNumber ::= INTEGER 137 * </pre> 138 * 139 * @return the serial number. 140 */ 141 public abstract BigInteger getSerialNumber(); 142 143 /** 144 * Returns the {@code issuer} (issuer distinguished name) as an 145 * implementation specific {@code Principal} object. 146 * <p> 147 * The ASN.1 definition of {@code issuer}: 148 * 149 * <pre> 150 * issuer Name 151 * 152 * Name ::= CHOICE { 153 * RDNSequence } 154 * 155 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 156 * 157 * RelativeDistinguishedName ::= SET OF AttributeTypeAndValue 158 * 159 * AttributeTypeAndValue ::= SEQUENCE { 160 * type AttributeType, 161 * value AttributeValue } 162 * 163 * AttributeType ::= OBJECT IDENTIFIER 164 * 165 * AttributeValue ::= ANY DEFINED BY AttributeType 166 * </pre> 167 * 168 * <b>replaced by:</b> {@link #getIssuerX500Principal()}. 169 * 170 * @return the {@code issuer} as an implementation specific {@code 171 * Principal}. 172 */ 173 public abstract Principal getIssuerDN() ; 174 175 /** 176 * Returns the {@code issuer} (issuer distinguished name) as an {@code 177 * X500Principal}. 178 * 179 * @return the {@code issuer} (issuer distinguished name). 180 */ 181 public X500Principal getIssuerX500Principal() { 182 183 try { 184 // TODO if there is no X.509 certificate provider installed 185 // should we try to access Harmony X509CertImpl via classForName? 186 CertificateFactory factory = CertificateFactory 187 .getInstance("X.509"); 188 189 X509Certificate cert = (X509Certificate) factory 190 .generateCertificate(new ByteArrayInputStream(getEncoded())); 191 192 return cert.getIssuerX500Principal(); 193 194 } catch (Exception e) { 195 throw new RuntimeException("Failed to get X500Principal issuer", e); 196 } 197 } 198 199 /** 200 * Returns the {@code subject} (subject distinguished name) as an 201 * implementation specific {@code Principal} object. 202 * <p> 203 * The ASN.1 definition of {@code subject}: 204 * 205 * <pre> 206 * subject Name 207 * 208 * Name ::= CHOICE { 209 * RDNSequence } 210 * 211 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 212 * 213 * RelativeDistinguishedName ::= SET OF AttributeTypeAndValue 214 * 215 * AttributeTypeAndValue ::= SEQUENCE { 216 * type AttributeType, 217 * value AttributeValue } 218 * 219 * AttributeType ::= OBJECT IDENTIFIER 220 * 221 * AttributeValue ::= ANY DEFINED BY AttributeType 222 * </pre> 223 * 224 * <p> 225 * <b>replaced by:</b> {@link #getSubjectX500Principal()}. 226 * 227 * @return the {@code subject} (subject distinguished name). 228 */ 229 public abstract Principal getSubjectDN(); 230 231 /** 232 * Returns the {@code subject} (subject distinguished name) as an {@code 233 * X500Principal}. 234 * 235 * @return the {@code subject} (subject distinguished name) 236 */ 237 public X500Principal getSubjectX500Principal() { 238 239 try { 240 // TODO if there is no X.509 certificate provider installed 241 // should we try to access Harmony X509CertImpl via classForName? 242 CertificateFactory factory = CertificateFactory 243 .getInstance("X.509"); 244 245 X509Certificate cert = (X509Certificate) factory 246 .generateCertificate(new ByteArrayInputStream(getEncoded())); 247 248 return cert.getSubjectX500Principal(); 249 } catch (Exception e) { 250 throw new RuntimeException("Failed to get X500Principal subject", e); 251 } 252 } 253 254 /** 255 * Returns the {@code notBefore} date from the validity period of the 256 * certificate. 257 * 258 * @return the start of the validity period. 259 */ 260 public abstract Date getNotBefore(); 261 262 /** 263 * Returns the {@code notAfter} date of the validity period of the 264 * certificate. 265 * 266 * @return the end of the validity period. 267 */ 268 public abstract Date getNotAfter(); 269 270 /** 271 * Returns the {@code tbsCertificate} information from this certificate in 272 * DER-encoded format. 273 * 274 * @return the DER-encoded certificate information. 275 * @throws CertificateEncodingException 276 * if an error occurs in encoding 277 */ 278 public abstract byte[] getTBSCertificate() 279 throws CertificateEncodingException; 280 281 /** 282 * Returns the raw signature bits from the certificate. 283 * 284 * @return the raw signature bits from the certificate. 285 */ 286 public abstract byte[] getSignature(); 287 288 /** 289 * Returns the name of the algorithm for the certificate signature. 290 * 291 * @return the signature algorithm name. 292 */ 293 public abstract String getSigAlgName(); 294 295 /** 296 * Returns the OID of the signature algorithm from the certificate. 297 * 298 * @return the OID of the signature algorithm. 299 */ 300 public abstract String getSigAlgOID(); 301 302 /** 303 * Returns the parameters of the signature algorithm in DER-encoded format. 304 * 305 * @return the parameters of the signature algorithm, or {@code null} if 306 * none are used. 307 */ 308 public abstract byte[] getSigAlgParams(); 309 310 /** 311 * Returns the {@code issuerUniqueID} from the certificate. 312 * 313 * @return the {@code issuerUniqueID} or {@code null} if there's none in the 314 * certificate. 315 */ 316 public abstract boolean[] getIssuerUniqueID(); 317 318 /** 319 * Returns the {@code subjectUniqueID} from the certificate. 320 * 321 * @return the {@code subjectUniqueID} or null if there's none in the 322 * certificate. 323 */ 324 public abstract boolean[] getSubjectUniqueID(); 325 326 /** 327 * Returns the {@code KeyUsage} extension as a {@code boolean} array. 328 * <p> 329 * The ASN.1 definition of {@code KeyUsage}: 330 * 331 * <pre> 332 * KeyUsage ::= BIT STRING { 333 * digitalSignature (0), 334 * nonRepudiation (1), 335 * keyEncipherment (2), 336 * dataEncipherment (3), 337 * keyAgreement (4), 338 * keyCertSign (5), 339 * cRLSign (6), 340 * encipherOnly (7), 341 * decipherOnly (8) } 342 * 343 * </pre> 344 * 345 * @return the {@code KeyUsage} extension or {@code null} if there's none in 346 * the certificate. 347 */ 348 public abstract boolean[] getKeyUsage(); 349 350 /** 351 * Returns a read-only list of OID strings representing the {@code 352 * ExtKeyUsageSyntax} field of the extended key usage extension. 353 * 354 * @return the extended key usage extension, or {@code null} if there's none 355 * in the certificate. 356 * @throws CertificateParsingException 357 * if the extension decoding fails. 358 */ 359 public List<String> getExtendedKeyUsage() 360 throws CertificateParsingException { 361 return null; 362 } 363 364 /** 365 * Returns the path length of the certificate constraints from the {@code 366 * BasicContraints} extension. 367 * 368 * @return the path length of the certificate constraints if the extension 369 * is present or {@code -1} if the extension is not present. {@code 370 * Integer.MAX_VALUE} if there's not limit. 371 */ 372 public abstract int getBasicConstraints(); 373 374 /** 375 * Returns a read-only list of the subject alternative names from the 376 * {@code SubjectAltName} extension. 377 * <p> 378 * The ASN.1 definition of {@code SubjectAltName}: 379 * 380 * <pre> 381 * SubjectAltName ::= GeneralNames 382 * 383 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 384 * 385 * GeneralName ::= CHOICE { 386 * otherName [0] AnotherName, 387 * rfc822Name [1] IA5String, 388 * dNSName [2] IA5String, 389 * x400Address [3] ORAddress, 390 * directoryName [4] Name, 391 * ediPartyName [5] EDIPartyName, 392 * uniformResourceIdentifier [6] IA5String, 393 * iPAddress [7] OCTET STRING, 394 * registeredID [8] OBJECT IDENTIFIER } 395 * 396 * </pre> 397 * 398 * @return the subject alternative names or {@code null} if there are none 399 * in the certificate. 400 * @throws CertificateParsingException 401 * if decoding of the extension fails. 402 */ 403 public Collection<List<?>> getSubjectAlternativeNames() 404 throws CertificateParsingException { 405 return null; 406 } 407 408 /** 409 * Returns a read-only list of the issuer alternative names from the {@code 410 * IssuerAltName} extension. 411 * <p> 412 * The ASN.1 definition of {@code IssuerAltName}: 413 * 414 * <pre> 415 * IssuerAltName ::= GeneralNames 416 * 417 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 418 * 419 * GeneralName ::= CHOICE { 420 * otherName [0] AnotherName, 421 * rfc822Name [1] IA5String, 422 * dNSName [2] IA5String, 423 * x400Address [3] ORAddress, 424 * directoryName [4] Name, 425 * ediPartyName [5] EDIPartyName, 426 * uniformResourceIdentifier [6] IA5String, 427 * iPAddress [7] OCTET STRING, 428 * registeredID [8] OBJECT IDENTIFIER } 429 * 430 * </pre> 431 * 432 * @return the issuer alternative names of {@code null} if there are none in 433 * the certificate. 434 * @throws CertificateParsingException 435 * if decoding of the extension fails. 436 */ 437 public Collection<List<?>> getIssuerAlternativeNames() 438 throws CertificateParsingException { 439 return null; 440 } 441} 442