* The basic X.509 format was defined by * ISO/IEC and ANSI X9 and is described below in ASN.1: *
* Certificate ::= SEQUENCE {
* tbsCertificate TBSCertificate,
* signatureAlgorithm AlgorithmIdentifier,
* signature BIT STRING }
*
* * These certificates are widely used to support authentication and * other functionality in Internet security systems. Common applications * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), * code signing for trusted software distribution, and Secure Electronic * Transactions (SET). *
* These certificates are managed and vouched for by Certificate * Authorities (CAs). CAs are services which create certificates by * placing data in the X.509 standard format and then digitally signing * that data. CAs act as trusted third parties, making introductions * between principals who have no direct knowledge of each other. * CA certificates are either signed by themselves, or by some other * CA such as a "root" CA. *
* The ASN.1 definition of tbsCertificate is:
*
* TBSCertificate ::= SEQUENCE {
* version [0] EXPLICIT Version DEFAULT v1,
* serialNumber CertificateSerialNumber,
* signature AlgorithmIdentifier,
* issuer Name,
* validity Validity,
* subject Name,
* subjectPublicKeyInfo SubjectPublicKeyInfo,
* }
*
* * Here is sample code to instantiate an X.509 certificate: *
* InputStream inStream = new FileInputStream("fileName-of-cert");
* X509Certificate cert = X509Certificate.getInstance(inStream);
* inStream.close();
*
* OR
* * byte[] certData = <certificate read from a file, say> * X509Certificate cert = X509Certificate.getInstance(certData); **
* In either case, the code that instantiates an X.509 certificate * consults the Java security properties file to locate the actual * implementation or instantiates a default implementation. *
* The Java security properties file is located in the file named * <JAVA_HOME>/lib/security/java.security. * <JAVA_HOME> refers to the value of the java.home system property, * and specifies the directory where the JRE is installed. * In the Security properties file, a default implementation * for X.509 v1 may be given such as: *
* cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl **
* The value of this cert.provider.x509v1 property has to be
* changed to instatiate another implementation. If this security
* property is not set, a default implementation will be used.
* Currently, due to possible security restrictions on access to
* Security properties, this value is looked up and cached at class
* initialization time and will fallback on a default implementation if
* the Security property is not accessible.
*
*
Note: The classes in the package javax.security.cert
* exist for compatibility with earlier versions of the
* Java Secure Sockets Extension (JSSE). New applications should instead
* use the standard Java SE certificate classes located in
* java.security.cert.
* cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl
*
*/
private static final String X509_PROVIDER = "cert.provider.x509v1";
private static String X509Provider;
static {
X509Provider = AccessController.doPrivileged(
new PrivilegedActioninStream.
* The implementation (X509Certificate is an abstract class) is
* provided by the class specified as the value of the
* cert.provider.x509v1
* property in the security properties file.
*
* Note: Only one DER-encoded
* certificate is expected to be in the input stream.
* Also, all X509Certificate
* subclasses must provide a constructor of the form:
*
* public <subClass>(InputStream inStream) ...
* cert.provider.x509v1
* property in the security properties file.
*
*
Note: All X509Certificate
* subclasses must provide a constructor of the form:
*
* public <subClass>(InputStream inStream) ...
* certData.
* @exception CertificateException if a class initialization
* or certificate parsing error occurs.
*/
public static final X509Certificate getInstance(byte[] certData)
throws CertificateException {
return getInst((Object)certData);
}
private static final X509Certificate getInst(Object value)
throws CertificateException {
/*
* This turns out not to work for now. To run under JDK1.2 we would
* need to call beginPrivileged() but we can't do that and run
* under JDK1.1.
*/
String className = X509Provider;
if (className == null || className.length() == 0) {
// shouldn't happen, but assume corrupted properties file
// provide access to sun implementation
className = "com.sun.security.cert.internal.x509.X509V1CertImpl";
}
try {
Class[] params = null;
if (value instanceof InputStream) {
params = new Class[] { InputStream.class };
} else if (value instanceof byte[]) {
params = new Class[] { value.getClass() };
} else
throw new CertificateException("Unsupported argument type");
Class certClass = Class.forName(className);
// get the appropriate constructor and instantiate it
Constructor cons = certClass.getConstructor(params);
// get a new instance
Object obj = cons.newInstance(new Object[] {value});
return (X509Certificate)obj;
} catch (ClassNotFoundException e) {
throw new CertificateException("Could not find class: " + e);
} catch (IllegalAccessException e) {
throw new CertificateException("Could not access class: " + e);
} catch (InstantiationException e) {
throw new CertificateException("Problems instantiating: " + e);
} catch (InvocationTargetException e) {
throw new CertificateException("InvocationTargetException: "
+ e.getTargetException());
} catch (NoSuchMethodException e) {
throw new CertificateException("Could not find class method: "
+ e.getMessage());
}
}
/**
* Checks that the certificate is currently valid. It is if
* the current date and time are within the validity period given in the
* certificate.
*
* The validity period consists of two date/time values: * the first and last dates (and times) on which the certificate * is valid. It is defined in * ASN.1 as: *
* validity Validity
* Validity ::= SEQUENCE {
* notBefore CertificateValidityDate,
* notAfter CertificateValidityDate }
* CertificateValidityDate ::= CHOICE {
* utcTime UTCTime,
* generalTime GeneralizedTime }
*
*
* @exception CertificateExpiredException if the certificate has expired.
* @exception CertificateNotYetValidException if the certificate is not
* yet valid.
*/
public abstract void checkValidity()
throws CertificateExpiredException, CertificateNotYetValidException;
/**
* Checks that the specified date is within the certificate's
* validity period. In other words, this determines whether the
* certificate would be valid at the specified date/time.
*
* @param date the Date to check against to see if this certificate
* is valid at that date/time.
* @exception CertificateExpiredException if the certificate has expired
* with respect to the date supplied.
* @exception CertificateNotYetValidException if the certificate is not
* yet valid with respect to the date supplied.
* @see #checkValidity()
*/
public abstract void checkValidity(Date date)
throws CertificateExpiredException, CertificateNotYetValidException;
/**
* Gets the version (version number) value from the
* certificate. The ASN.1 definition for this is:
*
* version [0] EXPLICIT Version DEFAULT v1
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
*
*
* @return the version number from the ASN.1 encoding, i.e. 0, 1 or 2.
*/
public abstract int getVersion();
/**
* Gets the serialNumber value from the certificate.
* The serial number is an integer assigned by the certification
* authority to each certificate. It must be unique for each
* certificate issued by a given CA (i.e., the issuer name and
* serial number identify a unique certificate).
* The ASN.1 definition for this is:
*
* serialNumber CertificateSerialNumber
*
* CertificateSerialNumber ::= INTEGER
*
*
* @return the serial number.
*/
public abstract BigInteger getSerialNumber();
/**
* Gets the issuer (issuer distinguished name) value from
* the certificate. The issuer name identifies the entity that signed (and
* issued) the certificate.
*
* The issuer name field contains an * X.500 distinguished name (DN). * The ASN.1 definition for this is: *
* issuer Name
*
* Name ::= CHOICE { RDNSequence }
* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
* RelativeDistinguishedName ::=
* SET OF AttributeValueAssertion
*
* AttributeValueAssertion ::= SEQUENCE {
* AttributeType,
* AttributeValue }
* AttributeType ::= OBJECT IDENTIFIER
* AttributeValue ::= ANY
*
* The Name describes a hierarchical name composed of
* attributes, such as country name, and corresponding values, such as US.
* The type of the AttributeValue component is determined by
* the AttributeType; in general it will be a
* directoryString. A directoryString is usually
* one of PrintableString,
* TeletexString or UniversalString.
*
* @return a Principal whose name is the issuer distinguished name.
*/
public abstract Principal getIssuerDN();
/**
* Gets the subject (subject distinguished name) value
* from the certificate.
* The ASN.1 definition for this is:
*
* subject Name
*
*
* See {@link #getIssuerDN() getIssuerDN} for Name
* and other relevant definitions.
*
* @return a Principal whose name is the subject name.
* @see #getIssuerDN()
*/
public abstract Principal getSubjectDN();
/**
* Gets the notBefore date from the validity period of
* the certificate.
* The relevant ASN.1 definitions are:
*
* validity Validity
*
* Validity ::= SEQUENCE {
* notBefore CertificateValidityDate,
* notAfter CertificateValidityDate }
* CertificateValidityDate ::= CHOICE {
* utcTime UTCTime,
* generalTime GeneralizedTime }
*
*
* @return the start date of the validity period.
* @see #checkValidity()
*/
public abstract Date getNotBefore();
/**
* Gets the notAfter date from the validity period of
* the certificate. See {@link #getNotBefore() getNotBefore}
* for relevant ASN.1 definitions.
*
* @return the end date of the validity period.
* @see #checkValidity()
*/
public abstract Date getNotAfter();
/**
* Gets the signature algorithm name for the certificate
* signature algorithm. An example is the string "SHA-1/DSA".
* The ASN.1 definition for this is:
*
* signatureAlgorithm AlgorithmIdentifier
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL }
* -- contains a value of the type
* -- registered for use with the
* -- algorithm object identifier value
*
*
* The algorithm name is determined from the algorithm
* OID string.
*
* @return the signature algorithm name.
*/
public abstract String getSigAlgName();
/**
* Gets the signature algorithm OID string from the certificate.
* An OID is represented by a set of positive whole numbers separated
* by periods.
* For example, the string "1.2.840.10040.4.3" identifies the SHA-1
* with DSA signature algorithm, as per the PKIX part I.
*
*
See {@link #getSigAlgName() getSigAlgName} for * relevant ASN.1 definitions. * * @return the signature algorithm OID string. */ public abstract String getSigAlgOID(); /** * Gets the DER-encoded signature algorithm parameters from this * certificate's signature algorithm. In most cases, the signature * algorithm parameters are null; the parameters are usually * supplied with the certificate's public key. * *
See {@link #getSigAlgName() getSigAlgName} for * relevant ASN.1 definitions. * * @return the DER-encoded signature algorithm parameters, or * null if no parameters are present. */ public abstract byte[] getSigAlgParams(); }