Frames | No Frames |
1: /* X509Certificate.java --- X.509 Certificate class 2: Copyright (C) 1999,2003, 2006 Free Software Foundation, Inc. 3: 4: This file is part of GNU Classpath. 5: 6: GNU Classpath is free software; you can redistribute it and/or modify 7: it under the terms of the GNU General Public License as published by 8: the Free Software Foundation; either version 2, or (at your option) 9: any later version. 10: 11: GNU Classpath is distributed in the hope that it will be useful, but 12: WITHOUT ANY WARRANTY; without even the implied warranty of 13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14: General Public License for more details. 15: 16: You should have received a copy of the GNU General Public License 17: along with GNU Classpath; see the file COPYING. If not, write to the 18: Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 19: 02110-1301 USA. 20: 21: Linking this library statically or dynamically with other modules is 22: making a combined work based on this library. Thus, the terms and 23: conditions of the GNU General Public License cover the whole 24: combination. 25: 26: As a special exception, the copyright holders of this library give you 27: permission to link this library with independent modules to produce an 28: executable, regardless of the license terms of these independent 29: modules, and to copy and distribute the resulting executable under 30: terms of your choice, provided that you also meet, for each linked 31: independent module, the terms and conditions of the license of that 32: module. An independent module is a module which is not derived from 33: or based on this library. If you modify this library, you may extend 34: this exception to your version of the library, but you are not 35: obligated to do so. If you do not wish to do so, delete this 36: exception statement from your version. */ 37: 38: 39: package java.security.cert; 40: 41: import java.math.BigInteger; 42: import java.security.Principal; 43: import java.util.Date; 44: import java.util.List; 45: 46: /** 47: * X509Certificate is the abstract class for X.509 certificates. 48: * This provides a stanard class interface for accessing all 49: * the attributes of X.509 certificates. 50: * 51: * <p>In June 1996, the basic X.509 v3 format was finished by 52: * ISO/IEC and ANSI X.9. The ASN.1 DER format is below: 53: * 54: * <blockquote><pre> 55: * Certificate ::= SEQUENCE { 56: * tbsCertificate TBSCertificate, 57: * signatureAlgorithm AlgorithmIdentifier, 58: * signatureValue BIT STRING } 59: * </pre></blockquote> 60: * 61: * <p>These certificates are widely used in various Internet 62: * protocols to support authentication. It is used in 63: * Privacy Enhanced Mail (PEM), Transport Layer Security (TLS), 64: * Secure Sockets Layer (SSL), code signing for trusted software 65: * distribution, and Secure Electronic Transactions (SET). 66: * 67: * <p>The certificates are managed and vouched for by 68: * <I>Certificate Authorities</I> (CAs). CAs are companies or 69: * groups that create certificates by placing the data in the 70: * X.509 certificate format and signing it with their private 71: * key. CAs serve as trusted third parties by certifying that 72: * the person or group specified in the certificate is who 73: * they say they are. 74: * 75: * <p>The ASN.1 defintion for <I>tbsCertificate</I> is 76: * 77: * <blockquote><pre> 78: * TBSCertificate ::= SEQUENCE { 79: * version [0] EXPLICIT Version DEFAULT v1, 80: * serialNumber CertificateSerialNumber, 81: * signature AlgorithmIdentifier, 82: * issuer Name, 83: * validity Validity, 84: * subject Name, 85: * subjectPublicKeyInfo SubjectPublicKeyInfo, 86: * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 87: * -- If present, version shall be v2 or v3 88: * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 89: * -- If present, version shall be v2 or v3 90: * extensions [3] EXPLICIT Extensions OPTIONAL 91: * -- If present, version shall be v3 92: * } 93: * 94: * Version ::= INTEGER { v1(0), v2(1), v3(2) } 95: * 96: * CertificateSerialNumber ::= INTEGER 97: * 98: * Validity ::= SEQUENCE { 99: * notBefore Time, 100: * notAfter Time } 101: * 102: * Time ::= CHOICE { 103: * utcTime UTCTime, 104: * generalTime GeneralizedTime } 105: * 106: * UniqueIdentifier ::= BIT STRING 107: * 108: * SubjectPublicKeyInfo ::= SEQUENCE { 109: * algorithm AlgorithmIdentifier, 110: * subjectPublicKey BIT STRING } 111: * 112: * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension 113: * 114: * Extension ::= SEQUENCE { 115: * extnID OBJECT IDENTIFIER, 116: * critical BOOLEAN DEFAULT FALSE, 117: * extnValue OCTET STRING } 118: * </pre></blockquote> 119: * 120: * Certificates are created with the CertificateFactory. 121: * 122: * <p>References: 123: * 124: * <ol> 125: * <li>Olivier Dubuisson, Philippe Fouquart (Translator) <i>ASN.1 - 126: * Communication between heterogeneous systems</i>, (C) September 2000, 127: * Morgan Kaufmann Publishers, ISBN 0-12-6333361-0. Available on-line at 128: * <a 129: * href="http://www.oss.com/asn1/dubuisson.html">http://www.oss.com/asn1/dubuisson.html</a></li> 130: * <li>R. Housley et al, <i><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 131: * 3280: Internet X.509 Public Key Infrastructure Certificate and CRL 132: * Profile</a></i>.</li> 133: * </ol> 134: * 135: * @since 1.2 136: * @author Mark Benvenuto 137: * @author Casey Marshall (rsdio@metastatic.org) 138: */ 139: public abstract class X509Certificate 140: extends Certificate 141: implements X509Extension 142: { 143: private static final long serialVersionUID = -2491127588187038216L; 144: 145: /** 146: * Constructs a new certificate of the specified type. 147: */ 148: protected X509Certificate() 149: { 150: super( "X.509" ); 151: } 152: 153: /** 154: Checks the validity of the X.509 certificate. It is valid 155: if the current date and time are within the period specified 156: by the certificate. 157: 158: The ASN.1 DER encoding is: 159: 160: validity Validity, 161: 162: Validity ::= SEQUENCE { 163: notBefore Time, 164: notAfter Time } 165: 166: Time ::= CHOICE { 167: utcTime UTCTime, 168: generalTime GeneralizedTime } 169: 170: Consult rfc2459 for more information. 171: 172: @throws CertificateExpiredException if the certificate expired 173: @throws CertificateNotYetValidException if the certificate is 174: not yet valid 175: */ 176: public abstract void checkValidity() 177: throws CertificateExpiredException, 178: CertificateNotYetValidException; 179: 180: /** 181: Checks the validity of the X.509 certificate for the 182: specified time and date. It is valid if the specified 183: date and time are within the period specified by 184: the certificate. 185: 186: @throws CertificateExpiredException if the certificate expired 187: based on the date 188: @throws CertificateNotYetValidException if the certificate is 189: not yet valid based on the date 190: */ 191: public abstract void checkValidity(Date date) 192: throws CertificateExpiredException, 193: CertificateNotYetValidException; 194: 195: /** 196: Returns the version of this certificate. 197: 198: The ASN.1 DER encoding is: 199: 200: version [0] EXPLICIT Version DEFAULT v1, 201: 202: Version ::= INTEGER { v1(0), v2(1), v3(2) } 203: 204: Consult rfc2459 for more information. 205: 206: @return version number of certificate 207: */ 208: public abstract int getVersion(); 209: 210: /** 211: Gets the serial number for serial Number in 212: this Certifcate. It must be a unique number 213: unique other serial numbers from the granting CA. 214: 215: The ASN.1 DER encoding is: 216: 217: serialNumber CertificateSerialNumber, 218: 219: CertificateSerialNumber ::= INTEGER 220: 221: Consult rfc2459 for more information. 222: 223: @return the serial number for this X509CRLEntry. 224: */ 225: public abstract BigInteger getSerialNumber(); 226: 227: /** 228: Returns the issuer (issuer distinguished name) of the 229: Certificate. The issuer is the entity who signed 230: and issued the Certificate. 231: 232: The ASN.1 DER encoding is: 233: 234: issuer Name, 235: 236: Name ::= CHOICE { 237: RDNSequence } 238: 239: RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 240: 241: RelativeDistinguishedName ::= 242: SET OF AttributeTypeAndValue 243: 244: AttributeTypeAndValue ::= SEQUENCE { 245: type AttributeType, 246: value AttributeValue } 247: 248: AttributeType ::= OBJECT IDENTIFIER 249: 250: AttributeValue ::= ANY DEFINED BY AttributeType 251: 252: DirectoryString ::= CHOICE { 253: teletexString TeletexString (SIZE (1..MAX)), 254: printableString PrintableString (SIZE (1..MAX)), 255: universalString UniversalString (SIZE (1..MAX)), 256: utf8String UTF8String (SIZE (1.. MAX)), 257: bmpString BMPString (SIZE (1..MAX)) } 258: 259: Consult rfc2459 for more information. 260: 261: @return the issuer in the Principal class 262: */ 263: public abstract Principal getIssuerDN(); 264: 265: /** 266: Returns the subject (subject distinguished name) of the 267: Certificate. The subject is the entity who the Certificate 268: identifies. 269: 270: The ASN.1 DER encoding is: 271: 272: subject Name, 273: 274: Consult rfc2459 for more information. 275: 276: @return the issuer in the Principal class 277: */ 278: public abstract Principal getSubjectDN(); 279: 280: /** 281: Returns the date that this certificate is not to be used 282: before, <I>notBefore</I>. 283: 284: The ASN.1 DER encoding is: 285: 286: validity Validity, 287: 288: Validity ::= SEQUENCE { 289: notBefore Time, 290: notAfter Time } 291: 292: Time ::= CHOICE { 293: utcTime UTCTime, 294: generalTime GeneralizedTime } 295: 296: Consult rfc2459 for more information. 297: 298: @return the date <I>notBefore</I> 299: */ 300: public abstract Date getNotBefore(); 301: 302: /** 303: Returns the date that this certificate is not to be used 304: after, <I>notAfter</I>. 305: 306: @return the date <I>notAfter</I> 307: */ 308: public abstract Date getNotAfter(); 309: 310: 311: /** 312: Returns the <I>tbsCertificate</I> from the certificate. 313: 314: @return the DER encoded tbsCertificate 315: 316: @throws CertificateEncodingException if encoding error occurred 317: */ 318: public abstract byte[] getTBSCertificate() throws CertificateEncodingException; 319: 320: /** 321: Returns the signature in its raw DER encoded format. 322: 323: The ASN.1 DER encoding is: 324: 325: signatureValue BIT STRING 326: 327: Consult rfc2459 for more information. 328: 329: @return byte array representing signature 330: */ 331: public abstract byte[] getSignature(); 332: 333: /** 334: Returns the signature algorithm used to sign the CRL. 335: An examples is "SHA-1/DSA". 336: 337: The ASN.1 DER encoding is: 338: 339: signatureAlgorithm AlgorithmIdentifier, 340: 341: AlgorithmIdentifier ::= SEQUENCE { 342: algorithm OBJECT IDENTIFIER, 343: parameters ANY DEFINED BY algorithm OPTIONAL } 344: 345: Consult rfc2459 for more information. 346: 347: The algorithm name is determined from the OID. 348: 349: @return a string with the signature algorithm name 350: */ 351: public abstract String getSigAlgName(); 352: 353: 354: /** 355: Returns the OID for the signature algorithm used. 356: Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\ 357: 358: The ASN.1 DER encoding for the example is: 359: 360: id-dsa-with-sha1 ID ::= { 361: iso(1) member-body(2) us(840) x9-57 (10040) 362: x9cm(4) 3 } 363: 364: Consult rfc2459 for more information. 365: 366: @return a string containing the OID. 367: */ 368: public abstract String getSigAlgOID(); 369: 370: 371: /** 372: Returns the AlgorithmParameters in the encoded form 373: for the signature algorithm used. 374: 375: If access to the parameters is need, create an 376: instance of AlgorithmParameters. 377: 378: @return byte array containing algorithm parameters, null 379: if no parameters are present in certificate 380: */ 381: public abstract byte[] getSigAlgParams(); 382: 383: 384: /** 385: Returns the issuer unique ID for this certificate. 386: 387: The ASN.1 DER encoding is: 388: 389: issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 390: -- If present, version shall be v2 or v3 391: 392: UniqueIdentifier ::= BIT STRING 393: 394: Consult rfc2459 for more information. 395: 396: @return bit representation of <I>issuerUniqueID</I> 397: */ 398: public abstract boolean[] getIssuerUniqueID(); 399: 400: /** 401: Returns the subject unique ID for this certificate. 402: 403: The ASN.1 DER encoding is: 404: 405: subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 406: -- If present, version shall be v2 or v3 407: 408: UniqueIdentifier ::= BIT STRING 409: 410: Consult rfc2459 for more information. 411: 412: @return bit representation of <I>subjectUniqueID</I> 413: */ 414: public abstract boolean[] getSubjectUniqueID(); 415: 416: /** 417: Returns a boolean array representing the <I>KeyUsage</I> 418: extension for the certificate. The KeyUsage (OID = 2.5.29.15) 419: defines the purpose of the key in the certificate. 420: 421: The ASN.1 DER encoding is: 422: 423: id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } 424: 425: KeyUsage ::= BIT STRING { 426: digitalSignature (0), 427: nonRepudiation (1), 428: keyEncipherment (2), 429: dataEncipherment (3), 430: keyAgreement (4), 431: keyCertSign (5), 432: cRLSign (6), 433: encipherOnly (7), 434: decipherOnly (8) } 435: 436: Consult rfc2459 for more information. 437: 438: @return bit representation of <I>KeyUsage</I> 439: */ 440: public abstract boolean[] getKeyUsage(); 441: 442: /** 443: Returns the certificate constraints path length from the 444: critical BasicConstraints extension, (OID = 2.5.29.19). 445: 446: The basic constraints extensions is used to determine if 447: the subject of the certificate is a Certificate Authority (CA) 448: and how deep the certification path may exist. The 449: <I>pathLenConstraint</I> only takes affect if <I>cA</I> 450: is set to true. "A value of zero indicates that only an 451: end-entity certificate may follow in the path." (rfc2459) 452: 453: The ASN.1 DER encoding is: 454: 455: id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } 456: 457: BasicConstraints ::= SEQUENCE { 458: cA BOOLEAN DEFAULT FALSE, 459: pathLenConstraint INTEGER (0..MAX) OPTIONAL } 460: 461: Consult rfc2459 for more information. 462: 463: @return the length of the path constraint if BasicConstraints 464: is present and cA is TRUE. Otherwise returns -1. 465: */ 466: public abstract int getBasicConstraints(); 467: 468: // 1.4 instance methods. 469: // ------------------------------------------------------------------------ 470: 471: /** 472: * Returns the <code>ExtendedKeyUsage</code> extension of this 473: * certificate, or null if there is no extension present. The returned 474: * value is a {@link java.util.List} strings representing the object 475: * identifiers of the extended key usages. This extension has the OID 476: * 2.5.29.37. 477: * 478: * <p>The ASN.1 definition for this extension is: 479: * 480: * <blockquote><pre> 481: * ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 482: * 483: * KeyPurposeId ::= OBJECT IDENTIFIER 484: * </pre></blockquote> 485: * 486: * @return The list of extension OIDs, or null if there are none 487: * present in this certificate. 488: * @throws CertificateParsingException If this extension cannot be 489: * parsed from its encoded form. 490: */ 491: public java.util.List<String> getExtendedKeyUsage() 492: throws CertificateParsingException 493: { 494: throw new UnsupportedOperationException(); 495: } 496: 497: /** 498: * Returns the alternative names for this certificate's subject (the 499: * owner), or null if there are none. 500: * 501: * <p>This is an X.509 extension with OID 2.5.29.17 and is defined by 502: * the ASN.1 construction: 503: * 504: * <blockquote><pre> 505: * SubjectAltNames ::= GeneralNames 506: * 507: * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 508: * 509: * GeneralName ::= CHOICE { 510: * otherName [0] OtherName, 511: * rfc822Name [1] IA5String, 512: * dNSName [2] IA5String, 513: * x400Address [3] ORAddress, 514: * directoryName [4] Name, 515: * ediPartyName [5] EDIPartyName, 516: * uniformResourceIdentifier [6] IA5String, 517: * iPAddress [7] OCTET STRING, 518: * registeredID [8] OBJECT IDENTIFIER 519: * } 520: * </pre></blockquote> 521: * 522: * <p>The returned collection contains one or more two-element Lists, 523: * with the first object being an Integer representing the choice 524: * above (with value 0 through 8) and the second being an (a) String 525: * if the <code>GeneralName</code> is a rfc822Name, dNSName, 526: * uniformResourceIdentifier, iPAddress, or registeredID, or (b) a 527: * byte array of the DER encoded form for any others. 528: * 529: * @return The collection of alternative names, or null if there are 530: * none. 531: * @throws CertificateParsingException If the encoded extension cannot 532: * be parsed. 533: * @since JDK 1.4 534: */ 535: public java.util.Collection<List<?>> getSubjectAlternativeNames() 536: throws CertificateParsingException 537: { 538: throw new UnsupportedOperationException(); 539: } 540: 541: /** 542: * Returns the alternative names for this certificate's issuer, or 543: * null if there are none. 544: * 545: * <p>This is an X.509 extension with OID 2.5.29.18, and is defined by 546: * the ASN.1 construction: 547: * 548: * <blockquote><pre> 549: * IssuerAltNames ::= GeneralNames 550: * </pre></blockquote> 551: * 552: * <p>The <code>GeneralNames</code> construct and the form of the 553: * returned collection are the same as with {@link 554: * #getSubjectAlternativeNames()}. 555: * 556: * @return The collection of alternative names, or null if there are 557: * none. 558: * @throws CertificateParsingException If the encoded extension cannot 559: * be parsed. 560: * @since JDK 1.4 561: */ 562: public java.util.Collection<List<?>> getIssuerAlternativeNames() 563: throws CertificateParsingException 564: { 565: throw new UnsupportedOperationException(); 566: } 567: 568: /** 569: * Returns the X.500 distinguished name of this certificate's subject. 570: * 571: * @return The subject's X.500 distinguished name. 572: * @since JDK 1.4 573: */ 574: public javax.security.auth.x500.X500Principal getSubjectX500Principal() 575: { 576: throw new UnsupportedOperationException(); 577: } 578: 579: /** 580: * Returns the X.500 distinguished name of this certificate's issuer. 581: * 582: * @return The issuer's X.500 distinguished name. 583: * @since JDK 1.4 584: */ 585: public javax.security.auth.x500.X500Principal getIssuerX500Principal() 586: { 587: throw new UnsupportedOperationException(); 588: } 589: }