X509Certificate.java revision cec4dd4b1d33f78997603d0f89c0d0e56e64dbcd
1/* 2 * Licensed to the Apache Software Foundation (ASF) under one or more 3 * contributor license agreements. See the NOTICE file distributed with 4 * this work for additional information regarding copyright ownership. 5 * The ASF licenses this file to You under the Apache License, Version 2.0 6 * (the "License"); you may not use this file except in compliance with 7 * the License. You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 */ 17 18package java.security.cert; 19 20import java.io.ByteArrayInputStream; 21import java.math.BigInteger; 22import java.security.Principal; 23import java.util.Collection; 24import java.util.Date; 25import java.util.List; 26 27import javax.security.auth.x500.X500Principal; 28 29import org.apache.harmony.security.internal.nls.Messages; 30 31/** 32 * Abstract base class for X.509 certificates. 33 * <p> 34 * This represents a standard way for accessing the attributes of X.509 35 * certificates. 36 * <p> 37 * The basic X.509 v3 format described in ASN.1: 38 * 39 * <pre> 40 * Certificate ::= SEQUENCE { 41 * tbsCertificate TBSCertificate, 42 * signatureAlgorithm AlgorithmIdentifier, 43 * signature BIT STRING } 44 * 45 * TBSCertificate ::= SEQUENCE { 46 * version [0] EXPLICIT Version DEFAULT v1, 47 * serialNumber CertificateSerialNumber, 48 * signature AlgorithmIdentifier, 49 * issuer Name, 50 * validity Validity, 51 * subject Name, 52 * subjectPublicKeyInfo SubjectPublicKeyInfo, 53 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 54 * -- If present, version must be v2 or v3 55 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 56 * -- If present, version must be v2 or v3 57 * extensions [3] EXPLICIT Extensions OPTIONAL 58 * -- If present, version must be v3 59 * } 60 * </pre> 61 * <p> 62 * For more information consult RFC 2459 63 * "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" at <a 64 * href 65 * ="http://www.ietf.org/rfc/rfc2459.txt">http://www.ietf.org/rfc/rfc2459.txt 66 * </a> . 67 */ 68public abstract class X509Certificate 69 extends Certificate implements X509Extension { 70 71 private static final long serialVersionUID = -2491127588187038216L; 72 73 /** 74 * Creates a new {@code X509Certificate}. 75 */ 76 protected X509Certificate() { 77 super("X.509"); //$NON-NLS-1$ 78 } 79 80 /** 81 * Checks whether the certificate is currently valid. 82 * <p> 83 * The validity defined in ASN.1: 84 * 85 * <pre> 86 * validity Validity 87 * 88 * Validity ::= SEQUENCE { 89 * notBefore CertificateValidityDate, 90 * notAfter CertificateValidityDate } 91 * 92 * CertificateValidityDate ::= CHOICE { 93 * utcTime UTCTime, 94 * generalTime GeneralizedTime } 95 * </pre> 96 * 97 * @throws CertificateExpiredException 98 * if the certificate has expired. 99 * @throws CertificateNotYetValidException 100 * if the certificate is not yet valid. 101 */ 102 public abstract void checkValidity() 103 throws CertificateExpiredException, CertificateNotYetValidException; 104 105 /** 106 * Checks whether the certificate is valid at the specified date. 107 * 108 * @param date 109 * the date to check the validity against. 110 * @throws CertificateExpiredException 111 * if the certificate has expired. 112 * @throws CertificateNotYetValidException 113 * if the certificate is not yet valid. 114 * @see #checkValidity() 115 */ 116 public abstract void checkValidity(Date date) 117 throws CertificateExpiredException, CertificateNotYetValidException; 118 119 /** 120 * Returns the certificates {@code version} (version number). 121 * <p> 122 * The version defined is ASN.1: 123 * 124 * <pre> 125 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 126 * </pre> 127 * 128 * @return the version number. 129 */ 130 public abstract int getVersion(); 131 132 /** 133 * Returns the {@code serialNumber} of the certificate. 134 * <p> 135 * The ASN.1 definition of {@code serialNumber}: 136 * 137 * <pre> 138 * CertificateSerialNumber ::= INTEGER 139 * </pre> 140 * 141 * @return the serial number. 142 */ 143 public abstract BigInteger getSerialNumber(); 144 145 /** 146 * Returns the {@code issuer} (issuer distinguished name) as an 147 * implementation specific {@code Principal} object. 148 * <p> 149 * The ASN.1 definition of {@code issuer}: 150 * 151 * <pre> 152 * issuer Name 153 * 154 * Name ::= CHOICE { 155 * RDNSequence } 156 * 157 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 158 * 159 * RelativeDistinguishedName ::= SET OF AttributeTypeAndValue 160 * 161 * AttributeTypeAndValue ::= SEQUENCE { 162 * type AttributeType, 163 * value AttributeValue } 164 * 165 * AttributeType ::= OBJECT IDENTIFIER 166 * 167 * AttributeValue ::= ANY DEFINED BY AttributeType 168 * </pre> 169 * 170 * <b>replaced by:</b> {@link #getIssuerX500Principal()}. 171 * 172 * @return the {@code issuer} as an implementation specific {@code 173 * Principal}. 174 */ 175 public abstract Principal getIssuerDN() ; 176 177 /** 178 * Returns the {@code issuer} (issuer distinguished name) as an {@code 179 * X500Principal}. 180 * 181 * @return the {@code issuer} (issuer distinguished name). 182 */ 183 public X500Principal getIssuerX500Principal() { 184 185 try { 186 // TODO if there is no X.509 certificate provider installed 187 // should we try to access Harmony X509CertImpl via classForName? 188 CertificateFactory factory = CertificateFactory 189 .getInstance("X.509"); //$NON-NLS-1$ 190 191 X509Certificate cert = (X509Certificate) factory 192 .generateCertificate(new ByteArrayInputStream(getEncoded())); 193 194 return cert.getIssuerX500Principal(); 195 196 } catch (Exception e) { 197 throw new RuntimeException(Messages.getString("security.59"), e); //$NON-NLS-1$ 198 } 199 } 200 201 /** 202 * Returns the {@code subject} (subject distinguished name) as an 203 * implementation specific {@code Principal} object. 204 * <p> 205 * The ASN.1 definition of {@code subject}: 206 * 207 * <pre> 208 * subject Name 209 * 210 * Name ::= CHOICE { 211 * RDNSequence } 212 * 213 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 214 * 215 * RelativeDistinguishedName ::= SET OF AttributeTypeAndValue 216 * 217 * AttributeTypeAndValue ::= SEQUENCE { 218 * type AttributeType, 219 * value AttributeValue } 220 * 221 * AttributeType ::= OBJECT IDENTIFIER 222 * 223 * AttributeValue ::= ANY DEFINED BY AttributeType 224 * </pre> 225 * 226 * <p> 227 * <b>replaced by:</b> {@link #getSubjectX500Principal()}. 228 * 229 * @return the {@code subject} (subject distinguished name). 230 */ 231 public abstract Principal getSubjectDN(); 232 233 /** 234 * Returns the {@code subject} (subject distinguished name) as an {@code 235 * X500Principal}. 236 * 237 * @return the {@code subject} (subject distinguished name) 238 */ 239 public X500Principal getSubjectX500Principal() { 240 241 try { 242 // TODO if there is no X.509 certificate provider installed 243 // should we try to access Harmony X509CertImpl via classForName? 244 CertificateFactory factory = CertificateFactory 245 .getInstance("X.509"); //$NON-NLS-1$ 246 247 X509Certificate cert = (X509Certificate) factory 248 .generateCertificate(new ByteArrayInputStream(getEncoded())); 249 250 return cert.getSubjectX500Principal(); 251 252 } catch (Exception e) { 253 throw new RuntimeException(Messages.getString("security.5A"), e); //$NON-NLS-1$ 254 } 255 } 256 257 /** 258 * Returns the {@code notBefore} date from the validity period of the 259 * certificate. 260 * 261 * @return the start of the validity period. 262 */ 263 public abstract Date getNotBefore(); 264 265 /** 266 * Returns the {@code notAfter} date of the validity period of the 267 * certificate. 268 * 269 * @return the end of the validity period. 270 */ 271 public abstract Date getNotAfter(); 272 273 /** 274 * Returns the {@code tbsCertificate} information from this certificate in 275 * DER-encoded format. 276 * 277 * @return the DER-encoded certificate information. 278 * @throws CertificateEncodingException 279 * if an error occurs in encoding 280 */ 281 public abstract byte[] getTBSCertificate() 282 throws CertificateEncodingException; 283 284 /** 285 * Returns the raw signature bits from the certificate. 286 * 287 * @return the raw signature bits from the certificate. 288 */ 289 public abstract byte[] getSignature(); 290 291 /** 292 * Returns the name of the algorithm for the certificate signature. 293 * 294 * @return the signature algorithm name. 295 */ 296 public abstract String getSigAlgName(); 297 298 /** 299 * Returns the OID of the signature algorithm from the certificate. 300 * 301 * @return the OID of the signature algorithm. 302 */ 303 public abstract String getSigAlgOID(); 304 305 /** 306 * Returns the parameters of the signature algorithm in DER-encoded format. 307 * 308 * @return the parameters of the signature algorithm, or {@code null} if 309 * none are used. 310 */ 311 public abstract byte[] getSigAlgParams(); 312 313 /** 314 * Returns the {@code issuerUniqueID} from the certificate. 315 * 316 * @return the {@code issuerUniqueID} or {@code null} if there's none in the 317 * certificate. 318 */ 319 public abstract boolean[] getIssuerUniqueID(); 320 321 /** 322 * Returns the {@code subjectUniqueID} from the certificate. 323 * 324 * @return the {@code subjectUniqueID} or null if there's none in the 325 * certificate. 326 */ 327 public abstract boolean[] getSubjectUniqueID(); 328 329 /** 330 * Returns the {@code KeyUsage} extension as a {@code boolean} array. 331 * <p> 332 * The ASN.1 definition of {@code KeyUsage}: 333 * 334 * <pre> 335 * KeyUsage ::= BIT STRING { 336 * digitalSignature (0), 337 * nonRepudiation (1), 338 * keyEncipherment (2), 339 * dataEncipherment (3), 340 * keyAgreement (4), 341 * keyCertSign (5), 342 * cRLSign (6), 343 * encipherOnly (7), 344 * decipherOnly (8) } 345 * 346 * </pre> 347 * 348 * @return the {@code KeyUsage} extension or {@code null} if there's none in 349 * the certificate. 350 */ 351 public abstract boolean[] getKeyUsage(); 352 353 /** 354 * Returns a read-only list of OID strings representing the {@code 355 * ExtKeyUsageSyntax} field of the extended key usage extension. 356 * 357 * @return the extended key usage extension, or {@code null} if there's none 358 * in the certificate. 359 * @throws CertificateParsingException 360 * if the extension decoding fails. 361 */ 362 public List<String> getExtendedKeyUsage() 363 throws CertificateParsingException { 364 return null; 365 } 366 367 /** 368 * Returns the path length of the certificate constraints from the {@code 369 * BasicContraints} extension. 370 * 371 * @return the path length of the certificate constraints if the extension 372 * is present or {@code -1} if the extension is not present. {@code 373 * Integer.MAX_VALUE} if there's not limit. 374 */ 375 public abstract int getBasicConstraints(); 376 377 /** 378 * Returns a read-only list of the subject alternative names from the 379 * {@code SubjectAltName} extension. 380 * <p> 381 * The ASN.1 definition of {@code SubjectAltName}: 382 * 383 * <pre> 384 * SubjectAltName ::= GeneralNames 385 * 386 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 387 * 388 * GeneralName ::= CHOICE { 389 * otherName [0] AnotherName, 390 * rfc822Name [1] IA5String, 391 * dNSName [2] IA5String, 392 * x400Address [3] ORAddress, 393 * directoryName [4] Name, 394 * ediPartyName [5] EDIPartyName, 395 * uniformResourceIdentifier [6] IA5String, 396 * iPAddress [7] OCTET STRING, 397 * registeredID [8] OBJECT IDENTIFIER } 398 * 399 * </pre> 400 * 401 * @return the subject alternative names or {@code null} if there are none 402 * in the certificate. 403 * @throws CertificateParsingException 404 * if decoding of the extension fails. 405 */ 406 public Collection<List<?>> getSubjectAlternativeNames() 407 throws CertificateParsingException { 408 return null; 409 } 410 411 /** 412 * Returns a read-only list of the issuer alternative names from the {@code 413 * IssuerAltName} extension. 414 * <p> 415 * The ASN.1 definition of {@code IssuerAltName}: 416 * 417 * <pre> 418 * IssuerAltName ::= GeneralNames 419 * 420 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 421 * 422 * GeneralName ::= CHOICE { 423 * otherName [0] AnotherName, 424 * rfc822Name [1] IA5String, 425 * dNSName [2] IA5String, 426 * x400Address [3] ORAddress, 427 * directoryName [4] Name, 428 * ediPartyName [5] EDIPartyName, 429 * uniformResourceIdentifier [6] IA5String, 430 * iPAddress [7] OCTET STRING, 431 * registeredID [8] OBJECT IDENTIFIER } 432 * 433 * </pre> 434 * 435 * @return the issuer alternative names of {@code null} if there are none in 436 * the certificate. 437 * @throws CertificateParsingException 438 * if decoding of the extension fails. 439 */ 440 public Collection<List<?>> getIssuerAlternativeNames() 441 throws CertificateParsingException { 442 return null; 443 } 444} 445 446