1/*
2 * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.  Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26package java.security.cert;
27
28import java.math.BigInteger;
29import java.security.*;
30import java.util.Collection;
31import java.util.Date;
32import java.util.List;
33import javax.security.auth.x500.X500Principal;
34
35import sun.security.x509.X509CertImpl;
36
37/**
38 * <p>
39 * Abstract class for X.509 certificates. This provides a standard
40 * way to access all the attributes of an X.509 certificate.
41 * <p>
42 * In June of 1996, the basic X.509 v3 format was completed by
43 * ISO/IEC and ANSI X9, which is described below in ASN.1:
44 * <pre>
45 * Certificate  ::=  SEQUENCE  {
46 *     tbsCertificate       TBSCertificate,
47 *     signatureAlgorithm   AlgorithmIdentifier,
48 *     signature            BIT STRING  }
49 * </pre>
50 * <p>
51 * These certificates are widely used to support authentication and
52 * other functionality in Internet security systems. Common applications
53 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),
54 * code signing for trusted software distribution, and Secure Electronic
55 * Transactions (SET).
56 * <p>
57 * These certificates are managed and vouched for by <em>Certificate
58 * Authorities</em> (CAs). CAs are services which create certificates by
59 * placing data in the X.509 standard format and then digitally signing
60 * that data. CAs act as trusted third parties, making introductions
61 * between principals who have no direct knowledge of each other.
62 * CA certificates are either signed by themselves, or by some other
63 * CA such as a "root" CA.
64 * <p>
65 * More information can be found in
66 * <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
67 * Public Key Infrastructure Certificate and CRL Profile</a>.
68 * <p>
69 * The ASN.1 definition of {@code tbsCertificate} is:
70 * <pre>
71 * TBSCertificate  ::=  SEQUENCE  {
72 *     version         [0]  EXPLICIT Version DEFAULT v1,
73 *     serialNumber         CertificateSerialNumber,
74 *     signature            AlgorithmIdentifier,
75 *     issuer               Name,
76 *     validity             Validity,
77 *     subject              Name,
78 *     subjectPublicKeyInfo SubjectPublicKeyInfo,
79 *     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
80 *                          -- If present, version must be v2 or v3
81 *     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
82 *                          -- If present, version must be v2 or v3
83 *     extensions      [3]  EXPLICIT Extensions OPTIONAL
84 *                          -- If present, version must be v3
85 *     }
86 * </pre>
87 * <p>
88 * Certificates are instantiated using a certificate factory. The following is
89 * an example of how to instantiate an X.509 certificate:
90 * <pre>
91 * try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
92 *     CertificateFactory cf = CertificateFactory.getInstance("X.509");
93 *     X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
94 * }
95 * </pre>
96 *
97 * @author Hemma Prafullchandra
98 *
99 *
100 * @see Certificate
101 * @see CertificateFactory
102 * @see X509Extension
103 */
104
105public abstract class X509Certificate extends Certificate
106implements X509Extension {
107
108    private static final long serialVersionUID = -2491127588187038216L;
109
110    private transient X500Principal subjectX500Principal, issuerX500Principal;
111
112    /**
113     * Constructor for X.509 certificates.
114     */
115    protected X509Certificate() {
116        super("X.509");
117    }
118
119    /**
120     * Checks that the certificate is currently valid. It is if
121     * the current date and time are within the validity period given in the
122     * certificate.
123     * <p>
124     * The validity period consists of two date/time values:
125     * the first and last dates (and times) on which the certificate
126     * is valid. It is defined in
127     * ASN.1 as:
128     * <pre>
129     * validity             Validity
130     *
131     * Validity ::= SEQUENCE {
132     *     notBefore      CertificateValidityDate,
133     *     notAfter       CertificateValidityDate }
134     *
135     * CertificateValidityDate ::= CHOICE {
136     *     utcTime        UTCTime,
137     *     generalTime    GeneralizedTime }
138     * </pre>
139     *
140     * @exception CertificateExpiredException if the certificate has expired.
141     * @exception CertificateNotYetValidException if the certificate is not
142     * yet valid.
143     */
144    public abstract void checkValidity()
145        throws CertificateExpiredException, CertificateNotYetValidException;
146
147    /**
148     * Checks that the given date is within the certificate's
149     * validity period. In other words, this determines whether the
150     * certificate would be valid at the given date/time.
151     *
152     * @param date the Date to check against to see if this certificate
153     *        is valid at that date/time.
154     *
155     * @exception CertificateExpiredException if the certificate has expired
156     * with respect to the {@code date} supplied.
157     * @exception CertificateNotYetValidException if the certificate is not
158     * yet valid with respect to the {@code date} supplied.
159     *
160     * @see #checkValidity()
161     */
162    public abstract void checkValidity(Date date)
163        throws CertificateExpiredException, CertificateNotYetValidException;
164
165    /**
166     * Gets the {@code version} (version number) value from the
167     * certificate.
168     * The ASN.1 definition for this is:
169     * <pre>
170     * version  [0] EXPLICIT Version DEFAULT v1
171     *
172     * Version ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
173     * </pre>
174     * @return the version number, i.e. 1, 2 or 3.
175     */
176    public abstract int getVersion();
177
178    /**
179     * Gets the {@code serialNumber} value from the certificate.
180     * The serial number is an integer assigned by the certification
181     * authority to each certificate. It must be unique for each
182     * certificate issued by a given CA (i.e., the issuer name and
183     * serial number identify a unique certificate).
184     * The ASN.1 definition for this is:
185     * <pre>
186     * serialNumber     CertificateSerialNumber
187     *
188     * CertificateSerialNumber  ::=  INTEGER
189     * </pre>
190     *
191     * @return the serial number.
192     */
193    public abstract BigInteger getSerialNumber();
194
195    /**
196     * <strong>Denigrated</strong>, replaced by {@linkplain
197     * #getIssuerX500Principal()}. This method returns the {@code issuer}
198     * as an implementation specific Principal object, which should not be
199     * relied upon by portable code.
200     *
201     * <p>
202     * Gets the {@code issuer} (issuer distinguished name) value from
203     * the certificate. The issuer name identifies the entity that signed (and
204     * issued) the certificate.
205     *
206     * <p>The issuer name field contains an
207     * X.500 distinguished name (DN).
208     * The ASN.1 definition for this is:
209     * <pre>
210     * issuer    Name
211     *
212     * Name ::= CHOICE { RDNSequence }
213     * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
214     * RelativeDistinguishedName ::=
215     *     SET OF AttributeValueAssertion
216     *
217     * AttributeValueAssertion ::= SEQUENCE {
218     *                               AttributeType,
219     *                               AttributeValue }
220     * AttributeType ::= OBJECT IDENTIFIER
221     * AttributeValue ::= ANY
222     * </pre>
223     * The {@code Name} describes a hierarchical name composed of
224     * attributes,
225     * such as country name, and corresponding values, such as US.
226     * The type of the {@code AttributeValue} component is determined by
227     * the {@code AttributeType}; in general it will be a
228     * {@code directoryString}. A {@code directoryString} is usually
229     * one of {@code PrintableString},
230     * {@code TeletexString} or {@code UniversalString}.
231     *
232     * @return a Principal whose name is the issuer distinguished name.
233     */
234    public abstract Principal getIssuerDN();
235
236    /**
237     * Returns the issuer (issuer distinguished name) value from the
238     * certificate as an {@code X500Principal}.
239     * <p>
240     * It is recommended that subclasses override this method.
241     *
242     * @return an {@code X500Principal} representing the issuer
243     *          distinguished name
244     * @since 1.4
245     */
246    public X500Principal getIssuerX500Principal() {
247        if (issuerX500Principal == null) {
248            issuerX500Principal = X509CertImpl.getIssuerX500Principal(this);
249        }
250        return issuerX500Principal;
251    }
252
253    /**
254     * <strong>Denigrated</strong>, replaced by {@linkplain
255     * #getSubjectX500Principal()}. This method returns the {@code subject}
256     * as an implementation specific Principal object, which should not be
257     * relied upon by portable code.
258     *
259     * <p>
260     * Gets the {@code subject} (subject distinguished name) value
261     * from the certificate.  If the {@code subject} value is empty,
262     * then the {@code getName()} method of the returned
263     * {@code Principal} object returns an empty string ("").
264     *
265     * <p> The ASN.1 definition for this is:
266     * <pre>
267     * subject    Name
268     * </pre>
269     *
270     * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}
271     * and other relevant definitions.
272     *
273     * @return a Principal whose name is the subject name.
274     */
275    public abstract Principal getSubjectDN();
276
277    /**
278     * Returns the subject (subject distinguished name) value from the
279     * certificate as an {@code X500Principal}.  If the subject value
280     * is empty, then the {@code getName()} method of the returned
281     * {@code X500Principal} object returns an empty string ("").
282     * <p>
283     * It is recommended that subclasses override this method.
284     *
285     * @return an {@code X500Principal} representing the subject
286     *          distinguished name
287     * @since 1.4
288     */
289    public X500Principal getSubjectX500Principal() {
290        if (subjectX500Principal == null) {
291            subjectX500Principal = X509CertImpl.getSubjectX500Principal(this);
292        }
293        return subjectX500Principal;
294    }
295
296    /**
297     * Gets the {@code notBefore} date from the validity period of
298     * the certificate.
299     * The relevant ASN.1 definitions are:
300     * <pre>
301     * validity             Validity
302     *
303     * Validity ::= SEQUENCE {
304     *     notBefore      CertificateValidityDate,
305     *     notAfter       CertificateValidityDate }
306     *
307     * CertificateValidityDate ::= CHOICE {
308     *     utcTime        UTCTime,
309     *     generalTime    GeneralizedTime }
310     * </pre>
311     *
312     * @return the start date of the validity period.
313     * @see #checkValidity
314     */
315    public abstract Date getNotBefore();
316
317    /**
318     * Gets the {@code notAfter} date from the validity period of
319     * the certificate. See {@link #getNotBefore() getNotBefore}
320     * for relevant ASN.1 definitions.
321     *
322     * @return the end date of the validity period.
323     * @see #checkValidity
324     */
325    public abstract Date getNotAfter();
326
327    /**
328     * Gets the DER-encoded certificate information, the
329     * {@code tbsCertificate} from this certificate.
330     * This can be used to verify the signature independently.
331     *
332     * @return the DER-encoded certificate information.
333     * @exception CertificateEncodingException if an encoding error occurs.
334     */
335    public abstract byte[] getTBSCertificate()
336        throws CertificateEncodingException;
337
338    /**
339     * Gets the {@code signature} value (the raw signature bits) from
340     * the certificate.
341     * The ASN.1 definition for this is:
342     * <pre>
343     * signature     BIT STRING
344     * </pre>
345     *
346     * @return the signature.
347     */
348    public abstract byte[] getSignature();
349
350    /**
351     * Gets the signature algorithm name for the certificate
352     * signature algorithm. An example is the string "SHA256withRSA".
353     * The ASN.1 definition for this is:
354     * <pre>
355     * signatureAlgorithm   AlgorithmIdentifier
356     *
357     * AlgorithmIdentifier  ::=  SEQUENCE  {
358     *     algorithm               OBJECT IDENTIFIER,
359     *     parameters              ANY DEFINED BY algorithm OPTIONAL  }
360     *                             -- contains a value of the type
361     *                             -- registered for use with the
362     *                             -- algorithm object identifier value
363     * </pre>
364     *
365     * <p>The algorithm name is determined from the {@code algorithm}
366     * OID string.
367     *
368     * @return the signature algorithm name.
369     */
370    public abstract String getSigAlgName();
371
372    /**
373     * Gets the signature algorithm OID string from the certificate.
374     * An OID is represented by a set of nonnegative whole numbers separated
375     * by periods.
376     * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
377     * with DSA signature algorithm defined in
378     * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
379     * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
380     * and CRL Profile</a>.
381     *
382     * <p>See {@link #getSigAlgName() getSigAlgName} for
383     * relevant ASN.1 definitions.
384     *
385     * @return the signature algorithm OID string.
386     */
387    public abstract String getSigAlgOID();
388
389    /**
390     * Gets the DER-encoded signature algorithm parameters from this
391     * certificate's signature algorithm. In most cases, the signature
392     * algorithm parameters are null; the parameters are usually
393     * supplied with the certificate's public key.
394     * If access to individual parameter values is needed then use
395     * {@link java.security.AlgorithmParameters AlgorithmParameters}
396     * and instantiate with the name returned by
397     * {@link #getSigAlgName() getSigAlgName}.
398     *
399     * <p>See {@link #getSigAlgName() getSigAlgName} for
400     * relevant ASN.1 definitions.
401     *
402     * @return the DER-encoded signature algorithm parameters, or
403     *         null if no parameters are present.
404     */
405    public abstract byte[] getSigAlgParams();
406
407    /**
408     * Gets the {@code issuerUniqueID} value from the certificate.
409     * The issuer unique identifier is present in the certificate
410     * to handle the possibility of reuse of issuer names over time.
411     * RFC 3280 recommends that names not be reused and that
412     * conforming certificates not make use of unique identifiers.
413     * Applications conforming to that profile should be capable of
414     * parsing unique identifiers and making comparisons.
415     *
416     * <p>The ASN.1 definition for this is:
417     * <pre>
418     * issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL
419     *
420     * UniqueIdentifier  ::=  BIT STRING
421     * </pre>
422     *
423     * @return the issuer unique identifier or null if it is not
424     * present in the certificate.
425     */
426    public abstract boolean[] getIssuerUniqueID();
427
428    /**
429     * Gets the {@code subjectUniqueID} value from the certificate.
430     *
431     * <p>The ASN.1 definition for this is:
432     * <pre>
433     * subjectUniqueID  [2]  IMPLICIT UniqueIdentifier OPTIONAL
434     *
435     * UniqueIdentifier  ::=  BIT STRING
436     * </pre>
437     *
438     * @return the subject unique identifier or null if it is not
439     * present in the certificate.
440     */
441    public abstract boolean[] getSubjectUniqueID();
442
443    /**
444     * Gets a boolean array representing bits of
445     * the {@code KeyUsage} extension, (OID = 2.5.29.15).
446     * The key usage extension defines the purpose (e.g., encipherment,
447     * signature, certificate signing) of the key contained in the
448     * certificate.
449     * The ASN.1 definition for this is:
450     * <pre>
451     * KeyUsage ::= BIT STRING {
452     *     digitalSignature        (0),
453     *     nonRepudiation          (1),
454     *     keyEncipherment         (2),
455     *     dataEncipherment        (3),
456     *     keyAgreement            (4),
457     *     keyCertSign             (5),
458     *     cRLSign                 (6),
459     *     encipherOnly            (7),
460     *     decipherOnly            (8) }
461     * </pre>
462     * RFC 3280 recommends that when used, this be marked
463     * as a critical extension.
464     *
465     * @return the KeyUsage extension of this certificate, represented as
466     * an array of booleans. The order of KeyUsage values in the array is
467     * the same as in the above ASN.1 definition. The array will contain a
468     * value for each KeyUsage defined above. If the KeyUsage list encoded
469     * in the certificate is longer than the above list, it will not be
470     * truncated. Returns null if this certificate does not
471     * contain a KeyUsage extension.
472     */
473    public abstract boolean[] getKeyUsage();
474
475    /**
476     * Gets an unmodifiable list of Strings representing the OBJECT
477     * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the
478     * extended key usage extension, (OID = 2.5.29.37).  It indicates
479     * one or more purposes for which the certified public key may be
480     * used, in addition to or in place of the basic purposes
481     * indicated in the key usage extension field.  The ASN.1
482     * definition for this is:
483     * <pre>
484     * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
485     *
486     * KeyPurposeId ::= OBJECT IDENTIFIER
487     * </pre>
488     *
489     * Key purposes may be defined by any organization with a
490     * need. Object identifiers used to identify key purposes shall be
491     * assigned in accordance with IANA or ITU-T Rec. X.660 |
492     * ISO/IEC/ITU 9834-1.
493     * <p>
494     * This method was added to version 1.4 of the Java 2 Platform Standard
495     * Edition. In order to maintain backwards compatibility with existing
496     * service providers, this method is not {@code abstract}
497     * and it provides a default implementation. Subclasses
498     * should override this method with a correct implementation.
499     *
500     * @return the ExtendedKeyUsage extension of this certificate,
501     *         as an unmodifiable list of object identifiers represented
502     *         as Strings. Returns null if this certificate does not
503     *         contain an ExtendedKeyUsage extension.
504     * @throws CertificateParsingException if the extension cannot be decoded
505     * @since 1.4
506     */
507    public List<String> getExtendedKeyUsage() throws CertificateParsingException {
508        return X509CertImpl.getExtendedKeyUsage(this);
509    }
510
511    /**
512     * Gets the certificate constraints path length from the
513     * critical {@code BasicConstraints} extension, (OID = 2.5.29.19).
514     * <p>
515     * The basic constraints extension identifies whether the subject
516     * of the certificate is a Certificate Authority (CA) and
517     * how deep a certification path may exist through that CA. The
518     * {@code pathLenConstraint} field (see below) is meaningful
519     * only if {@code cA} is set to TRUE. In this case, it gives the
520     * maximum number of CA certificates that may follow this certificate in a
521     * certification path. A value of zero indicates that only an end-entity
522     * certificate may follow in the path.
523     * <p>
524     * The ASN.1 definition for this is:
525     * <pre>
526     * BasicConstraints ::= SEQUENCE {
527     *     cA                  BOOLEAN DEFAULT FALSE,
528     *     pathLenConstraint   INTEGER (0..MAX) OPTIONAL }
529     * </pre>
530     *
531     * @return the value of {@code pathLenConstraint} if the
532     * BasicConstraints extension is present in the certificate and the
533     * subject of the certificate is a CA, otherwise -1.
534     * If the subject of the certificate is a CA and
535     * {@code pathLenConstraint} does not appear,
536     * {@code Integer.MAX_VALUE} is returned to indicate that there is no
537     * limit to the allowed length of the certification path.
538     */
539    public abstract int getBasicConstraints();
540
541    /**
542     * Gets an immutable collection of subject alternative names from the
543     * {@code SubjectAltName} extension, (OID = 2.5.29.17).
544     * <p>
545     * The ASN.1 definition of the {@code SubjectAltName} extension is:
546     * <pre>
547     * SubjectAltName ::= GeneralNames
548     *
549     * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
550     *
551     * GeneralName ::= CHOICE {
552     *      otherName                       [0]     OtherName,
553     *      rfc822Name                      [1]     IA5String,
554     *      dNSName                         [2]     IA5String,
555     *      x400Address                     [3]     ORAddress,
556     *      directoryName                   [4]     Name,
557     *      ediPartyName                    [5]     EDIPartyName,
558     *      uniformResourceIdentifier       [6]     IA5String,
559     *      iPAddress                       [7]     OCTET STRING,
560     *      registeredID                    [8]     OBJECT IDENTIFIER}
561     * </pre>
562     * <p>
563     * If this certificate does not contain a {@code SubjectAltName}
564     * extension, {@code null} is returned. Otherwise, a
565     * {@code Collection} is returned with an entry representing each
566     * {@code GeneralName} included in the extension. Each entry is a
567     * {@code List} whose first entry is an {@code Integer}
568     * (the name type, 0-8) and whose second entry is a {@code String}
569     * or a byte array (the name, in string or ASN.1 DER encoded form,
570     * respectively).
571     * <p>
572     * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
573     * names are returned as {@code String}s,
574     * using the well-established string formats for those types (subject to
575     * the restrictions included in RFC 3280). IPv4 address names are
576     * returned using dotted quad notation. IPv6 address names are returned
577     * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values
578     * representing the eight 16-bit pieces of the address. OID names are
579     * returned as {@code String}s represented as a series of nonnegative
580     * integers separated by periods. And directory names (distinguished names)
581     * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt">
582     * RFC 2253</a> string format. No standard string format is
583     * defined for otherNames, X.400 names, EDI party names, or any
584     * other type of names. They are returned as byte arrays
585     * containing the ASN.1 DER encoded form of the name.
586     * <p>
587     * Note that the {@code Collection} returned may contain more
588     * than one name of the same type. Also, note that the returned
589     * {@code Collection} is immutable and any entries containing byte
590     * arrays are cloned to protect against subsequent modifications.
591     * <p>
592     * This method was added to version 1.4 of the Java 2 Platform Standard
593     * Edition. In order to maintain backwards compatibility with existing
594     * service providers, this method is not {@code abstract}
595     * and it provides a default implementation. Subclasses
596     * should override this method with a correct implementation.
597     *
598     * @return an immutable {@code Collection} of subject alternative
599     * names (or {@code null})
600     * @throws CertificateParsingException if the extension cannot be decoded
601     * @since 1.4
602     */
603    public Collection<List<?>> getSubjectAlternativeNames()
604        throws CertificateParsingException {
605        return X509CertImpl.getSubjectAlternativeNames(this);
606    }
607
608    /**
609     * Gets an immutable collection of issuer alternative names from the
610     * {@code IssuerAltName} extension, (OID = 2.5.29.18).
611     * <p>
612     * The ASN.1 definition of the {@code IssuerAltName} extension is:
613     * <pre>
614     * IssuerAltName ::= GeneralNames
615     * </pre>
616     * The ASN.1 definition of {@code GeneralNames} is defined
617     * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}.
618     * <p>
619     * If this certificate does not contain an {@code IssuerAltName}
620     * extension, {@code null} is returned. Otherwise, a
621     * {@code Collection} is returned with an entry representing each
622     * {@code GeneralName} included in the extension. Each entry is a
623     * {@code List} whose first entry is an {@code Integer}
624     * (the name type, 0-8) and whose second entry is a {@code String}
625     * or a byte array (the name, in string or ASN.1 DER encoded form,
626     * respectively). For more details about the formats used for each
627     * name type, see the {@code getSubjectAlternativeNames} method.
628     * <p>
629     * Note that the {@code Collection} returned may contain more
630     * than one name of the same type. Also, note that the returned
631     * {@code Collection} is immutable and any entries containing byte
632     * arrays are cloned to protect against subsequent modifications.
633     * <p>
634     * This method was added to version 1.4 of the Java 2 Platform Standard
635     * Edition. In order to maintain backwards compatibility with existing
636     * service providers, this method is not {@code abstract}
637     * and it provides a default implementation. Subclasses
638     * should override this method with a correct implementation.
639     *
640     * @return an immutable {@code Collection} of issuer alternative
641     * names (or {@code null})
642     * @throws CertificateParsingException if the extension cannot be decoded
643     * @since 1.4
644     */
645    public Collection<List<?>> getIssuerAlternativeNames()
646        throws CertificateParsingException {
647        return X509CertImpl.getIssuerAlternativeNames(this);
648    }
649
650     /**
651     * Verifies that this certificate was signed using the
652     * private key that corresponds to the specified public key.
653     * This method uses the signature verification engine
654     * supplied by the specified provider. Note that the specified
655     * Provider object does not have to be registered in the provider list.
656     *
657     * This method was added to version 1.8 of the Java Platform Standard
658     * Edition. In order to maintain backwards compatibility with existing
659     * service providers, this method is not {@code abstract}
660     * and it provides a default implementation.
661     *
662     * @param key the PublicKey used to carry out the verification.
663     * @param sigProvider the signature provider.
664     *
665     * @exception NoSuchAlgorithmException on unsupported signature
666     * algorithms.
667     * @exception InvalidKeyException on incorrect key.
668     * @exception SignatureException on signature errors.
669     * @exception CertificateException on encoding errors.
670     * @exception UnsupportedOperationException if the method is not supported
671     * @since 1.8
672     */
673    public void verify(PublicKey key, Provider sigProvider)
674        throws CertificateException, NoSuchAlgorithmException,
675        InvalidKeyException, SignatureException {
676        // Android-changed: Use Certificate default implementation that
677        // throws UnsupportedOperationException.
678        // The method X509CertImpl calls this method, thus entering an
679        // infinite loop. This strange behaviour was checked to be not
680        // specific to libcore by running a test with vogar --mode=jvm
681        //
682        // X509CertImpl.verify(this, key, sigProvider);
683        super.verify(key, sigProvider);
684    }
685}
686