java.lang.Object
  java.security.cert.X509CertSelector

All Implemented Interfaces: CertSelector

A CertSelector for X.509 certificates, which allows a number of criteria to be set when accepting certificates, from validity dates, to issuer and subject distinguished names, to some of the various X.509 extensions.

Use of this class requires extensive knowledge of the Internet Engineering Task Force's Public Key Infrastructure (X.509). The primary document describing this standard is RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

Note that this class is not thread-safe. If multiple threads will use or modify this class then they need to synchronize on the object.
Constructor Summary

X509CertSelector()
    Creates a new X.509 certificate selector.

Method Summary

void                 addPathToName(int id, byte[] name)
void                 addPathToName(int id, String name)
void                 addSubjectAlternativeName(int id, byte[] name)
void                 addSubjectAlternativeName(int id, String name)
Object               clone()
byte[]               getAuthorityKeyIdentifier()
int                  getBasicConstraints()
X509Certificate      getCertificate()
Date                 getCertificateValid()
Set<String>          getExtendedKeyUsage()
byte[]               getIssuerAsBytes()
String               getIssuerAsString()
boolean[]            getKeyUsage()
boolean              getMatchAllSubjectAltNames()
byte[]               getNameConstraints()
Collection<List<?>>  getPathToNames()
Set<String>          getPolicy()
Date                 getPrivateKeyValid()
BigInteger           getSerialNumber()
Collection<List<?>>  getSubjectAlternativeNames()
byte[]               getSubjectAsBytes()
String               getSubjectAsString()
byte[]               getSubjectKeyIdentifier()
PublicKey            getSubjectPublicKey()
String               getSubjectPublicKeyAlgID()
boolean              match(Certificate certificate)
void                 setAuthorityKeyIdentifier(byte[] authKeyId)
void                 setBasicConstraints(int basicConstraints)
void                 setCertificate(X509Certificate cert)
void                 setCertificateValid(Date certValid)
void                 setExtendedKeyUsage(Set<String> keyPurposeSet)
void                 setIssuer(byte[] name)
void                 setIssuer(String name)
void                 setKeyUsage(boolean[] keyUsage)
void                 setMatchAllSubjectAltNames(boolean matchAllNames)
void                 setNameConstraints(byte[] nameConstraints)
void                 setPathToNames(Collection<List<?>> names)
void                 setPolicy(Set<String> policy)
void                 setPrivateKeyValid(Date UNUSED)
void                 setSerialNumber(BigInteger serialNo)
void                 setSubject(byte[] name)
void                 setSubject(String name)
void                 setSubjectAlternativeNames(Collection<List<?>> altNames)
void                 setSubjectKeyIdentifier(byte[] subjectKeyId)
void                 setSubjectPublicKey(byte[] key)
void                 setSubjectPublicKey(PublicKey key)
void                 setSubjectPublicKeyAlgID(String sigId)
String               toString()

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait

Constructor Detail
public X509CertSelector()
Creates a new X.509 certificate selector. The new selector will be empty, and will accept any certificate (provided that it is an X509Certificate).

Method Detail
public void addPathToName(int id, byte[] name) throws IOException
Add a name to match in the NameConstraints extension. The argument is the DER-encoded bytes of a GeneralName structure. See the method addSubjectAlternativeName(int, byte[]) for the format of the GeneralName structure.
- Parameters:
  - id - The name identifier. Must be between 0 and 8.
  - name - The DER-encoded bytes of the name to match.
- Throws:
  - IOException - If the name DER is malformed.

public void addPathToName(int id, String name) throws IOException
Add a name to match in the NameConstraints extension. This method will only recognize certain types of name that have convenient string encodings. For robustness, you should use the addPathToName(int, byte[]) method whenever possible.
- Parameters:
  - id - The name identifier. Must be between 0 and 8.
  - name - The name.
- Throws:
  - IOException - If the name cannot be decoded.

public void addSubjectAlternativeName(int id, byte[] name) throws IOException
Add a name, as DER-encoded bytes, to the subject alternative names criterion. The name is a GeneralName structure, which has the ASN.1 format:

    GeneralName ::= CHOICE {
      otherName                 [0] OtherName,
      rfc822Name                [1] IA5String,
      dNSName                   [2] IA5String,
      x400Address               [3] ORAddress,
      directoryName             [4] Name,
      ediPartyName              [5] EDIPartyName,
      uniformResourceIdentifier [6] IA5String,
      iPAddress                 [7] OCTET STRING,
      registeredID              [8] OBJECT IDENTIFIER }

- Parameters:
  - id - The type of name this is.
  - name - The DER-encoded name.
- Throws:
  - IOException - If the name is not a valid DER sequence.

public void addSubjectAlternativeName(int id, String name) throws IOException
Add a name to the subject alternative names criterion. This method will only recognize certain types of name that have convenient string encodings; for robustness, you should use the addSubjectAlternativeName(int, byte[]) method whenever possible.
- Parameters:
  - id - The type of name this is. Must be in the range [0,8].
  - name - The name.
- Throws:
  - IOException - If the id is out of range, or if the name is null.
public byte[] getAuthorityKeyIdentifier()
Returns the authority key identifier criterion, or null if this value was not set. Note that the byte array is cloned to prevent modification.
- Returns:
  - The authority key identifier.

public int getBasicConstraints()
Returns the basic constraints criterion, or -1 if this value is not set.
- Returns:
  - The basic constraints.

public X509Certificate getCertificate()
Returns the certificate criterion, or null if this value was not set.
- Returns:
  - The certificate.

public Date getCertificateValid()
Returns the date at which certificates must be valid, or null if this criterion was not set.
- Returns:
  - The target certificate validity date.

public Set<String> getExtendedKeyUsage()
Returns the set of extended key purpose IDs, as an unmodifiable set of OID strings. Returns null if this criterion is not set.
- Returns:
  - The set of key purpose OIDs (strings).

public byte[] getIssuerAsBytes() throws IOException
Returns the issuer criterion as a sequence of DER bytes, or null if this value was not set.
- Returns:
  - The issuer.

public String getIssuerAsString()
Returns the issuer criterion as a string, or null if this value was not set.
- Returns:
  - The issuer.

public boolean[] getKeyUsage()
Returns the public key usage criterion, or null if this value is not set. Note that the array is cloned to prevent modification.
- Returns:
  - The public key usage.

public boolean getMatchAllSubjectAltNames()
Returns whether or not all specified alternative names must match. If false, a certificate is considered a match if one of the specified alternative names matches.
- Returns:
  - true if all names must match.

public byte[] getNameConstraints()
Returns the name constraints criterion, or null if this value is not set. Note that the byte array is cloned to prevent modification.
- Returns:
  - The name constraints.

public Set<String> getPolicy()
Returns the certificate policy extension that will be matched by this selector, or null if the certificate policy will not be matched.
- Returns:
  - The policy to be matched, or null.

public Date getPrivateKeyValid()
This method, and its related X.509 certificate extension — the private key usage period — is not supported under the Internet PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this method is not supported either. Do not use this method. It is not deprecated, as it is not deprecated in the Java standard, but it is basically a no-operation and simply returns null.
- Returns:
  - Null.

public BigInteger getSerialNumber()
Returns the serial number criterion, or null if this value was not set.
- Returns:
  - The serial number.
public Collection<List<?>> getSubjectAlternativeNames()
Get the subject alternative names criterion. The collection returned is a collection of pairs: the first element is an Integer containing the name type, and the second is a byte array containing the DER-encoded name bytes.
- Returns:
  - The subject alternative names criterion. Returns null if this criterion is not set.

public byte[] getSubjectAsBytes() throws IOException
Returns the subject criterion as a sequence of DER bytes, or null if this value is not set.
- Returns:
  - The subject.

public String getSubjectAsString()
Returns the subject criterion as a string, or null if this value was not set.
- Returns:
  - The subject.

public byte[] getSubjectKeyIdentifier()
Returns the subject key identifier criterion, or null if this value was not set. Note that the byte array is cloned to prevent modification.
- Returns:
  - The subject key identifier.

public PublicKey getSubjectPublicKey()
Returns the subject public key criterion, or null if this value is not set.
- Returns:
  - The subject public key.

public String getSubjectPublicKeyAlgID()
Returns the public key algorithm ID that matching certificates must have, or null if this criterion was not set.
- Returns:
  - The public key algorithm ID.

public boolean match(Certificate certificate)
Match a certificate. This method will check the given certificate against all the enabled criteria of this selector, and will return true if the given certificate matches.
- Specified by:
  - match in interface CertSelector
- Parameters:
  - certificate - The certificate to check.
- Returns:
  - true if the certificate matches all criteria.
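As an added example (not code from this page or from the class's own implementation), the following program applies the subject-alternative-name, extended-key-usage, key-usage and validity-date criteria described above to a list of candidate certificates, first by calling match() directly and then through a Collection CertStore, which calls match() on the selector's behalf. The GeneralName type 2 (dNSName, from the CHOICE in addSubjectAlternativeName) and the OID 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth, RFC 3280) are standard values; the certificate bundle path, the host name and the class name SanSelectorExample are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;

public class SanSelectorExample {

    // GeneralName CHOICE tag for dNSName (RFC 3280, section 4.2.1.7).
    static final int DNS_NAME = 2;
    // id-kp-serverAuth (RFC 3280, section 4.2.1.13).
    static final String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";

    /**
     * Builds a selector that accepts only certificates carrying the given DNS
     * subject alternative name, the serverAuth extended key usage, the
     * digitalSignature key usage bit, and that are valid at the given date.
     * Criteria left unset (null) are simply not checked by match().
     */
    static X509CertSelector serverCertSelector(String host, Date at) throws Exception {
        X509CertSelector sel = new X509CertSelector();
        sel.addSubjectAlternativeName(DNS_NAME, host);
        // With a single name this makes no difference, but stating it keeps a
        // later addSubjectAlternativeName call from silently loosening the
        // criterion to "any one of the listed names".
        sel.setMatchAllSubjectAltNames(true);
        sel.setExtendedKeyUsage(Collections.singleton(SERVER_AUTH_OID));
        sel.setCertificateValid(at);
        // KeyUsage bit 0 is digitalSignature; only positions set to true are
        // required of the certificate, so remaining bits stay unconstrained.
        boolean[] keyUsage = new boolean[9];
        keyUsage[0] = true;
        sel.setKeyUsage(keyUsage);
        return sel;
    }

    /** Applies the selector by calling match() on each candidate. */
    static List<X509Certificate> filterByMatch(List<X509Certificate> certs, X509CertSelector sel) {
        List<X509Certificate> out = new ArrayList<X509Certificate>();
        for (X509Certificate c : certs) {
            if (sel.match(c)) {
                out.add(c);
            }
        }
        return out;
    }

    /** The same query through a CertStore, which invokes match() internally. */
    static Collection<? extends Certificate> filterByStore(List<X509Certificate> certs, X509CertSelector sel)
            throws Exception {
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs));
        return store.getCertificates(sel);
    }

    /** Loads every certificate from a PEM or DER file (the path is an assumption). */
    static List<X509Certificate> load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: a bundle of candidate certificates and the host to serve.
        List<X509Certificate> candidates = load(args.length > 0 ? args[0] : "candidates.pem");
        String host = args.length > 1 ? args[1] : "www.example.com";

        X509CertSelector sel = serverCertSelector(host, new Date());
        List<X509Certificate> viaMatch = filterByMatch(candidates, sel);
        Collection<? extends Certificate> viaStore = filterByStore(candidates, sel);

        System.out.println("match(): " + viaMatch.size() + " certificate(s) for " + host);
        System.out.println("CertStore: " + viaStore.size() + " certificate(s) for " + host);
        for (X509Certificate c : viaMatch) {
            System.out.println("  " + c.getSubjectX500Principal() + " serial " + c.getSerialNumber());
        }
    }
}
```

Both paths return the same set, because CertStore.getCertificates is defined in terms of the selector's match(). The selector is not thread-safe, as the class description notes, so a selector built once must not be mutated while another thread is matching with it.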
public void setAuthorityKeyIdentifier(byte[] authKeyId)
Sets the authority key identifier criterion, or null to clear this criterion. Note that the byte array is cloned to prevent modification.
- Parameters:
  - authKeyId - The authority key identifier.

public void setBasicConstraints(int basicConstraints)
Sets the basic constraints criterion. Specify -1 to clear this parameter.
- Parameters:
  - basicConstraints - The new basic constraints value.

public void setCertificate(X509Certificate cert)
Sets the certificate criterion. If set, only certificates that are equal to the certificate passed here will be accepted.
- Parameters:
  - cert - The certificate.

public void setCertificateValid(Date certValid)
Sets the date at which certificates must be valid. Specify null to clear this criterion.
- Parameters:
  - certValid - The certificate validity date.

public void setExtendedKeyUsage(Set<String> keyPurposeSet) throws IOException
Sets the extended key usage criterion, as a set of OID strings. Specify null to clear this value.
- Parameters:
  - keyPurposeSet - The set of key purpose OIDs.
- Throws:
  - IOException - If any element of the set is not a valid OID string.
public void setIssuer(byte[] name) throws IOException
Sets the issuer, specified as the DER encoding of the issuer's distinguished name. Only certificates issued by this issuer will be accepted.
- Parameters:
  - name - The DER encoding of the issuer's distinguished name.
- Throws:
  - IOException - If the given name is incorrectly formatted.

public void setIssuer(String name) throws IOException
Sets the issuer, specified as a string representation of the issuer's distinguished name. Only certificates issued by this issuer will be accepted.
- Parameters:
  - name - The string representation of the issuer's distinguished name.
- Throws:
  - IOException - If the given name is incorrectly formatted.

public void setKeyUsage(boolean[] keyUsage)
Sets the public key usage criterion. Specify null to clear this value.
- Parameters:
  - keyUsage - The public key usage.

public void setMatchAllSubjectAltNames(boolean matchAllNames)
Sets whether or not all subject alternative names must be matched. If false, then a certificate will be considered a match if one alternative name matches.
- Parameters:
  - matchAllNames - Whether or not all alternative names must be matched.

public void setNameConstraints(byte[] nameConstraints) throws IOException
Sets the name constraints criterion; specify null to clear this criterion. Note that if non-null, the argument will be cloned to prevent modification.
- Parameters:
  - nameConstraints - The new name constraints.
- Throws:
  - IOException - If the argument is not a valid DER-encoded name constraints.

public void setPathToNames(Collection<List<?>> names) throws IOException
Sets the pathToNames criterion. The argument is a collection of pairs, the first element of which is an Integer giving the ID of the name, and the second element is either a String or a byte array. See addPathToName(int, byte[]) and addPathToName(int, String) for how these arguments are handled.
- Parameters:
  - names - The names.
- Throws:
  - IOException - If any argument is malformed.
public void setPolicy(Set<String> policy) throws IOException
Sets the certificate policy to match, or null if this criterion should not be checked. Each element of the set must be a dotted-decimal form of certificate policy object identifier.
- Parameters:
  - policy - The policy to match.
- Throws:
  - IOException - If some element of the policy is not a valid policy extension OID.

public void setPrivateKeyValid(Date UNUSED)
This method, and its related X.509 certificate extension — the private key usage period — is not supported under the Internet PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this method is not supported either. Do not use this method. It is not deprecated, as it is not deprecated in the Java standard, but it is basically a no-operation.
- Parameters:
  - UNUSED - Is silently ignored.

public void setSerialNumber(BigInteger serialNo)
Sets the serial number of the desired certificate. Only certificates that contain this serial number are accepted.
- Parameters:
  - serialNo - The serial number.

public void setSubject(byte[] name) throws IOException
Sets the subject, specified as the DER encoding of the subject's distinguished name. Only certificates with the given subject will be accepted.
- Parameters:
  - name - The DER encoding of the subject's distinguished name.
- Throws:
  - IOException - If the given name is incorrectly formatted.

public void setSubject(String name) throws IOException
Sets the subject, specified as a string representation of the subject's distinguished name. Only certificates with the given subject will be accepted.
- Parameters:
  - name - The string representation of the subject's distinguished name.
- Throws:
  - IOException - If the given name is incorrectly formatted.

public void setSubjectAlternativeNames(Collection<List<?>> altNames) throws IOException
Sets the subject alternative names criterion. Each element of the argument must be a List that contains exactly two elements: the first an Integer, representing the type of name, and the second either a String or a byte array, representing the name itself.
- Parameters:
  - altNames - The alternative names.
- Throws:
  - IOException - If any element of the argument is invalid.

public void setSubjectKeyIdentifier(byte[] subjectKeyId)
Sets the subject key identifier criterion, or null to clear this criterion. Note that the byte array is cloned to prevent modification.
- Parameters:
  - subjectKeyId - The subject key identifier.

public void setSubjectPublicKey(byte[] key) throws IOException
Sets the subject public key criterion as a DER-encoded key. Specify null to clear this value.
- Parameters:
  - key - The DER-encoded key bytes.
- Throws:
  - IOException - If the argument is not a valid DER-encoded key.

public void setSubjectPublicKey(PublicKey key)
Sets the subject public key criterion as an opaque representation. Specify null to clear this criterion.
- Parameters:
  - key - The public key.

public void setSubjectPublicKeyAlgID(String sigId) throws IOException
Sets the public key algorithm ID that matching certificates must have. Specify null to clear this criterion.
- Parameters:
  - sigId - The public key ID.
- Throws:
  - IOException - If the specified ID is not a valid object identifier.
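As a second added example (again not the page's or the class's own code, and demonstrating a different use than filtering a list), the issuer and serial-number criteria from setIssuer(byte[]) and setSerialNumber pick out the single certificate that a CRL entry or a CMS SignerIdentifier names, and the certificate criterion from setCertificate then serves as the target constraint of a PKIX CertPathBuilder, which is the main consumer of this class. The issuer DN is passed in DER form via X500Principal.getEncoded(), the robust form this page recommends over string names. The trust-anchor file, the certificate pool file, the command-line argument layout and the class name IssuerSerialLookupExample are assumptions; revocation checking is disabled only so the example runs offline.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public class IssuerSerialLookupExample {

    /** Selector for the one certificate named by (issuer DN, serial number). */
    static X509CertSelector byIssuerAndSerial(X500Principal issuer, BigInteger serial) throws Exception {
        X509CertSelector sel = new X509CertSelector();
        // DER form of the issuer name, as produced by X500Principal, avoids
        // the string-format ambiguities of setIssuer(String).
        sel.setIssuer(issuer.getEncoded());
        sel.setSerialNumber(serial);
        return sel;
    }

    /** Finds the certificate in the store, or null if absent; more than one hit is treated as an error. */
    static X509Certificate locate(CertStore store, X500Principal issuer, BigInteger serial) throws Exception {
        Collection<? extends Certificate> hits = store.getCertificates(byIssuerAndSerial(issuer, serial));
        if (hits.isEmpty()) {
            return null;
        }
        if (hits.size() > 1) {
            // A serial number is unique per issuer (RFC 3280, section 4.1.2.2);
            // duplicates mean the store is corrupt or was fed hostile data.
            throw new IllegalStateException("ambiguous issuer/serial: " + hits.size() + " certificates");
        }
        return (X509Certificate) hits.iterator().next();
    }

    /** Builds and validates a PKIX path from the located certificate to one of the trust anchors. */
    static CertPath buildPath(X509Certificate target, Set<TrustAnchor> anchors, CertStore store) throws Exception {
        X509CertSelector targetConstraint = new X509CertSelector();
        // Only a certificate equal to this one is accepted as the path's end entity.
        targetConstraint.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraint);
        params.addCertStore(store);
        // Assumption for an offline example: no CRL or OCSP source is configured.
        // Production code keeps revocation enabled and supplies CRLs or an OCSP responder.
        params.setRevocationEnabled(false);
        CertPathBuilderResult result = CertPathBuilder.getInstance("PKIX").build(params);
        return result.getCertPath();
    }

    /** Loads every certificate from a PEM or DER file (the path is an assumption). */
    static Collection<? extends Certificate> load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <trust anchors file> <certificate pool file> <issuer DN> <serial, hex>
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Certificate root : load(args[0])) {
            anchors.add(new TrustAnchor((X509Certificate) root, null));
        }
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(load(args[1])));
        X500Principal issuer = new X500Principal(args[2]);
        BigInteger serial = new BigInteger(args[3], 16);

        X509Certificate target = locate(store, issuer, serial);
        if (target == null) {
            System.out.println("no certificate in the store for that issuer and serial");
            return;
        }
        CertPath path = buildPath(target, anchors, store);
        System.out.println("built a path of " + path.getCertificates().size() + " certificate(s):");
        for (Certificate c : path.getCertificates()) {
            System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
        }
    }
}
```

A CertPathBuilderException from build() means no chain from the target to a trust anchor could be assembled under the PKIX rules, which is the result to expect for a certificate that is expired, issued by an unknown CA, or has a mismatching basic-constraints or key-usage profile; the selector only chooses the end entity, and the builder applies the remaining checks.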