Class netscape.security.x509.X509CertImpl
netscape.security.x509.X509CertImpl
public class X509CertImpl implements DerEncoder
The X509CertImpl class represents an X.509 certificate. These certificates
are widely used to support authentication and other functionality in
Internet security systems. Common applications include Privacy Enhanced
Mail (PEM), Transport Layer Security (SSL), code signing for trusted
software distribution, and Secure Electronic Transactions (SET). There
is a commercial infrastructure ready to manage large scale deployments
of X.509 identity certificates.
These certificates are managed and vouched for by Certificate
Authorities (CAs). CAs are services which create certificates by
placing data in the X.509 standard format and then digitally signing
that data. Such signatures are quite difficult to forge. CAs act as
trusted third parties, making introductions between agents who have no
direct knowledge of each other. CA certificates are either signed by
themselves, or by some other CA such as a "root" CA.
RFC 1422 is very informative, though it does not describe much
of the recent work being done with X.509 certificates. That includes
a 1996 version (X.509v3) and a variety of enhancements being made to
facilitate an explosion of personal certificates used as "Internet
Drivers' Licences", or with SET for credit card transactions.
More recent work includes the IETF PKIX Working Group efforts,
especially part 1.
- See Also:
- X509CertInfo
Fields
- ALG_ID
- algId
- INFO
- info
- ISSUER_DN
- NAME: Public attribute names.
- PUBLIC_KEY
- SERIAL_ID
- SIG
- SIG_ALG
- SIGNATURE
- signature
- SIGNED_CERT
- SUBJECT_DN: The following are defined for ease-of-use.
Constructors
- X509CertImpl(): Default constructor.
- X509CertImpl(byte[]): Unmarshals a certificate from its encoded form, parsing the encoded bytes.
- X509CertImpl(DerValue): Unmarshals a certificate from its encoded form, parsing a DER value.
- X509CertImpl(InputStream): Unmarshals an X.509 certificate from an input stream.
- X509CertImpl(X509CertInfo): Constructs an initialized X509 certificate.
Methods
- checkValidity(): Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.
- checkValidity(Date): Checks that the specified date is within the certificate's validity period, i.e. whether the certificate would be valid at the specified date/time.
- decode(InputStream): Decodes an X.509 certificate from an input stream.
- delete(String): Deletes the requested attribute from the certificate.
- derEncode(OutputStream): DER-encodes this object onto an output stream.
- encode(OutputStream): Appends the certificate to an output stream.
- get(String): Returns the requested attribute from the certificate.
- getBasicConstraints(): Gets the certificate constraints path length from the critical BasicConstraints extension (oid = 2.5.29.19).
- getCriticalExtensionOIDs(): Gets a Set of the extension(s) marked CRITICAL in the certificate, as OID strings.
- getElements(): Returns an enumeration of the names of attributes existing within this attribute.
- getEncoded(): Returns the encoded form of this certificate.
- getExtension(String)
- getExtensionValue(String): Gets the DER-encoded extension identified by the passed-in OID string.
- getIssuerDN(): Gets the issuer distinguished name from the certificate.
- getIssuerUniqueID(): Gets the Issuer Unique Identity from the certificate.
- getKeyUsage(): Gets a boolean array representing the bits of the KeyUsage extension (oid = 2.5.29.15).
- getName(): Returns the name of this attribute.
- getNonCriticalExtensionOIDs(): Gets a Set of the extension(s) marked NON-CRITICAL in the certificate, as OID strings.
- getNotAfter(): Gets the notAfter date from the validity period of the certificate.
- getNotBefore(): Gets the notBefore date from the validity period of the certificate.
- getPublicKey(): Gets the public key from this certificate.
- getSerialNumber(): Gets the serial number from the certificate.
- getSigAlgName(): Gets the signature algorithm name for the certificate signature algorithm.
- getSigAlgOID(): Gets the signature algorithm OID string from the certificate.
- getSigAlgParams(): Gets the DER-encoded signature algorithm parameters from this certificate's signature algorithm.
- getSignature(): Gets the raw signature bits from the certificate.
- getSubjectDN(): Gets the subject distinguished name from the certificate.
- getSubjectUniqueID(): Gets the Subject Unique Identity from the certificate.
- getTBSCertificate(): Gets the DER-encoded certificate information, the tbsCertificate, from this certificate.
- getVersion(): Gets the version number from the certificate.
- set(String, Object): Sets the requested attribute in the certificate.
- sign(PrivateKey, String): Creates an X.509 certificate and signs it using the key passed (associating a signature algorithm and an X.500 name).
- sign(PrivateKey, String, String): Creates an X.509 certificate and signs it using the key passed (associating a signature algorithm and an X.500 name).
- toString(): Returns a printable representation of the certificate.
- verify(PublicKey): Throws an exception if the certificate was not signed using the verification key provided.
- verify(PublicKey, String): Throws an exception if the certificate was not signed using the verification key provided.
NAME
public static final String NAME
- Public attribute names.
INFO
public static final String INFO
ALG_ID
public static final String ALG_ID
SIGNATURE
public static final String SIGNATURE
SIGNED_CERT
public static final String SIGNED_CERT
SUBJECT_DN
public static final String SUBJECT_DN
- The following are defined for ease-of-use. These
are the most frequently retrieved attributes.
ISSUER_DN
public static final String ISSUER_DN
SERIAL_ID
public static final String SERIAL_ID
PUBLIC_KEY
public static final String PUBLIC_KEY
SIG_ALG
public static final String SIG_ALG
SIG
public static final String SIG
info
protected X509CertInfo info
algId
protected AlgorithmId algId
signature
protected byte signature[]
X509CertImpl
public X509CertImpl()
- Default constructor.
X509CertImpl
public X509CertImpl(byte certData[]) throws CertificateException
- Unmarshals a certificate from its encoded form, parsing the
encoded bytes. This form of constructor is used by agents which
need to examine and use certificate contents. That is, this is
one of the more commonly used constructors. Note that the buffer
must include only a certificate, and no "garbage" may be left at
the end. If you need to ignore data at the end of a certificate,
use another constructor.
- Parameters:
- certData - the encoded bytes, with no trailing padding.
- Throws: CertificateException
- on parsing and initialization errors.
X509CertImpl
public X509CertImpl(InputStream in) throws CertificateException
- Unmarshals an X.509 certificate from an input stream.
- Parameters:
- in - an input stream holding at least one certificate
- Throws: CertificateException
- on parsing and initialization errors.
X509CertImpl
public X509CertImpl(X509CertInfo certInfo)
- Construct an initialized X509 Certificate. The certificate is stored
in raw form and has to be signed to be useful.
- Parameters:
- certInfo - the X509CertInfo from which the certificate is to be
created.
X509CertImpl
public X509CertImpl(DerValue derVal) throws CertificateException
- Unmarshal a certificate from its encoded form, parsing a DER value.
This form of constructor is used by agents which need to examine
and use certificate contents.
- Parameters:
- derVal - the der value containing the encoded cert.
- Throws: CertificateException
- on parsing and initialization errors.
decode
public void decode(InputStream in) throws CertificateException, IOException
- Decode an X.509 certificate from an input stream.
- Parameters:
- in - an input stream holding at least one certificate
- Throws: CertificateException
- on parsing errors.
- Throws: IOException
- on other errors.
encode
public void encode(OutputStream out) throws CertificateEncodingException
- Appends the certificate to an output stream.
- Parameters:
- out - the output stream to which the certificate is appended.
- Throws: CertificateEncodingException
- on encoding errors.
derEncode
public void derEncode(OutputStream out) throws IOException
- DER encode this object onto an output stream. Implements the
DerEncoder interface.
- Parameters:
- out - the output stream on which to write the DER encoding.
- Throws: IOException
- on encoding error.
getEncoded
public byte[] getEncoded() throws CertificateEncodingException
- Returns the encoded form of this certificate. It is
assumed that each certificate type would have only a single
form of encoding; for example, X.509 certificates would
be encoded as ASN.1 DER.
- Throws: CertificateEncodingException
- if an encoding error occurs.
verify
public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
- Throws an exception if the certificate was not signed using the
verification key provided. Successfully verifying a certificate
does not indicate that one should trust the entity which
it represents.
- Parameters:
- key - the public key used for verification.
- Throws: InvalidKeyException
- on incorrect key.
- Throws: NoSuchAlgorithmException
- on unsupported signature
algorithms.
- Throws: NoSuchProviderException
- if there's no default provider.
- Throws: SignatureException
- on signature errors.
- Throws: CertificateException
- on encoding errors.
verify
public void verify(PublicKey key,
String sigProvider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
- Throws an exception if the certificate was not signed using the
verification key provided. Successfully verifying a certificate
does not indicate that one should trust the entity which
it represents.
- Parameters:
- key - the public key used for verification.
- sigProvider - the name of the provider.
- Throws: NoSuchAlgorithmException
- on unsupported signature
algorithms.
- Throws: InvalidKeyException
- on incorrect key.
- Throws: NoSuchProviderException
- on incorrect provider.
- Throws: SignatureException
- on signature errors.
- Throws: CertificateException
- on encoding errors.
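The documentation for verify() is explicit that a verified signature says nothing about whether the entity should be trusted. The following class is an added example (not code from the Netscape library or from this page) showing what a relying party checks around verify() before treating one certificate as issued by another: name chaining, validity at the time of the check, and that the issuer is a CA whose key is permitted to sign certificates. Two return-value conventions are assumptions not stated on this page, taken from java.security.cert.X509Certificate: getBasicConstraints() returning -1 for a non-CA, and getKeyUsage() returning null when the KeyUsage extension is absent. The file names in main() are hypothetical, and because the byte[] constructor rejects trailing bytes, the files must contain exactly one DER certificate each.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.util.Date;
import netscape.security.x509.X509CertImpl;

/*
 * Added example; not part of the Netscape library or its documentation.
 * verify() proves only that the issuer's key produced the signature. This
 * class wraps it in the surrounding checks a relying party needs before it
 * accepts `subject` as issued by `issuer`.
 */
public class IssuerCheck {

    /* keyCertSign bit index in the X.509 KeyUsage bit string
     * (digitalSignature = 0, ..., keyCertSign = 5, cRLSign = 6). */
    private static final int KEY_CERT_SIGN = 5;

    /** Throws CertificateException unless every condition below holds at time `at`. */
    public static void checkIssuedBy(X509CertImpl subject, X509CertImpl issuer, Date at)
            throws CertificateException {
        // 1. Name chaining: the subject's issuer DN must equal the issuer's subject DN.
        if (!subject.getIssuerDN().equals(issuer.getSubjectDN())) {
            throw new CertificateException("issuer DN does not match the CA's subject DN");
        }

        // 2. Both certificates must be valid at the time of the check
        //    (CertificateExpiredException / CertificateNotYetValidException propagate).
        subject.checkValidity(at);
        issuer.checkValidity(at);

        // 3. The issuer must be marked as a CA.
        //    Assumption: -1 means "not a CA", as in java.security.cert.X509Certificate.
        if (issuer.getBasicConstraints() < 0) {
            throw new CertificateException("issuer certificate is not a CA");
        }

        // 4. If the issuer carries a KeyUsage extension, it must allow keyCertSign.
        //    Assumption: null means the extension is absent.
        boolean[] usage = issuer.getKeyUsage();
        if (usage != null && (usage.length <= KEY_CERT_SIGN || !usage[KEY_CERT_SIGN])) {
            throw new CertificateException("issuer key usage does not permit certificate signing");
        }

        // 5. Only now the cryptographic check. All of verify()'s checked exceptions
        //    extend GeneralSecurityException, so they fold into a single failure.
        try {
            subject.verify(issuer.getPublicKey());
        } catch (GeneralSecurityException e) {
            throw new CertificateException("signature does not verify: " + e);
        }
    }

    /* Usage: java IssuerCheck leaf.der ca.der   (hypothetical file names, DER encoded) */
    public static void main(String[] args) throws Exception {
        X509CertImpl leaf = new X509CertImpl(Files.readAllBytes(Paths.get(args[0])));
        X509CertImpl ca = new X509CertImpl(Files.readAllBytes(Paths.get(args[1])));
        checkIssuedBy(leaf, ca, new Date());
        System.out.println("ok: " + leaf.getSubjectDN() + " issued by " + ca.getSubjectDN());
    }
}
```

The order matters for failure reporting rather than for security: the cheap structural checks run first so that a certificate presented with the wrong issuer is rejected with a precise reason instead of a generic signature failure. A self-signed root passes this check only if it is handed in as both arguments and is itself marked as a CA, which is the behaviour a trust-anchor check should have.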
sign
public void sign(PrivateKey key,
String algorithm) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
- Creates an X.509 certificate, and signs it using the key
passed (associating a signature algorithm and an X.500 name).
This operation is used to implement the certificate generation
functionality of a certificate authority.
- Parameters:
- key - the private key used for signing.
- algorithm - the name of the signature algorithm used.
- Throws: InvalidKeyException
- on incorrect key.
- Throws: NoSuchAlgorithmException
- on unsupported signature
algorithms.
- Throws: NoSuchProviderException
- if there's no default provider.
- Throws: SignatureException
- on signature errors.
- Throws: CertificateException
- on encoding errors.
sign
public void sign(PrivateKey key,
String algorithm,
String provider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
- Creates an X.509 certificate, and signs it using the key
passed (associating a signature algorithm and an X.500 name).
This operation is used to implement the certificate generation
functionality of a certificate authority.
- Parameters:
- key - the private key used for signing.
- algorithm - the name of the signature algorithm used.
- provider - the name of the provider.
- Throws: NoSuchAlgorithmException
- on unsupported signature
algorithms.
- Throws: InvalidKeyException
- on incorrect key.
- Throws: NoSuchProviderException
- on incorrect provider.
- Throws: SignatureException
- on signature errors.
- Throws: CertificateException
- on encoding errors.
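The sign() documentation says the method exists to implement the certificate-generation side of a CA. The class below is an added example (not from the Netscape library or this page) of that sequence: an X509CertImpl built from an X509CertInfo is "stored in raw form" and unusable until sign() is called, after which getEncoded() yields the DER bytes. The example then re-parses those bytes with the byte[] constructor and calls verify() with the CA's public key, a self-check that catches a CA whose private key does not match the certificate it publishes. How the X509CertInfo is populated is outside this page's scope, so `tbs` is assumed to arrive already filled in; the signature algorithm name must be one the installed provider accepts, which is why it is a parameter rather than a literal.

```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509CertInfo;

/*
 * Added example; not part of the Netscape library or its documentation.
 * Issues a certificate from an already-populated X509CertInfo (assumed to
 * carry version, serial, names, validity and subject key) and checks the
 * result the way a relying party would before the CA hands it out.
 */
public class Issuer {

    /** Signs `tbs` with the CA key and returns the DER encoding of the signed certificate. */
    public static byte[] issue(X509CertInfo tbs, PrivateKey caKey, PublicKey caPub, String sigAlg)
            throws GeneralSecurityException {
        // Construct-from-info gives an unsigned certificate; sign() makes it usable.
        X509CertImpl cert = new X509CertImpl(tbs);
        cert.sign(caKey, sigAlg);

        byte[] der = cert.getEncoded();

        // Self-check: parse the exact bytes that will be published and confirm they
        // verify under the CA's public key. A private key that does not belong to
        // the published CA certificate fails here instead of at every relying party.
        X509CertImpl reparsed = new X509CertImpl(der);
        reparsed.verify(caPub);
        reparsed.checkValidity(); // a freshly issued certificate should be valid now

        return der;
    }

    /** Writes a certificate to disk; encode() appends the DER form to the stream. */
    public static void write(X509CertImpl cert, String path)
            throws IOException, CertificateEncodingException {
        try (OutputStream out = new FileOutputStream(path)) {
            cert.encode(out);
        }
    }
}
```

Because the byte[] constructor refuses trailing bytes, writing one certificate per file with write() keeps the output directly loadable by that constructor; a file holding several concatenated certificates has to be read through the InputStream constructor or decode() instead.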
checkValidity
public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException
- Checks that the certificate is currently valid, i.e. the current
time is within the specified validity period.
- Throws: CertificateExpiredException
- if the certificate has expired.
- Throws: CertificateNotYetValidException
- if the certificate is not
yet valid.
checkValidity
public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException
- Checks that the specified date is within the certificate's
validity period, or basically if the certificate would be
valid at the specified date/time.
- Parameters:
- date - the Date to check against to see if this certificate
is valid at that date/time.
- Throws: CertificateExpiredException
- if the certificate has expired
with respect to the
date supplied.
- Throws: CertificateNotYetValidException
- if the certificate is not
yet valid with respect to the
date supplied.
get
public Object get(String name) throws CertificateParsingException
- Return the requested attribute from the certificate.
- Parameters:
- name - the name of the attribute.
- Throws: CertificateParsingException
- on invalid attribute identifier.
set
public void set(String name,
Object obj) throws CertificateException, IOException
- Set the requested attribute in the certificate.
- Parameters:
- name - the name of the attribute.
- obj - the value of the attribute.
- Throws: CertificateException
- on invalid attribute identifier.
- Throws: IOException
- on encoding error of attribute.
delete
public void delete(String name) throws CertificateException, IOException
- Delete the requested attribute from the certificate.
- Parameters:
- name - the name of the attribute.
- Throws: CertificateException
- on invalid attribute identifier.
- Throws: IOException
- on other errors.
getElements
public Enumeration getElements()
- Return an enumeration of names of attributes existing within this
attribute.
getName
public String getName()
- Return the name of this attribute.
toString
public String toString()
- Returns a printable representation of the certificate. This does not
contain all the information available to distinguish this from any
other certificate. The certificate must be fully constructed
before this function may be called.
getPublicKey
public PublicKey getPublicKey()
- Gets the public key from this certificate.
- Returns:
- the public key.
getVersion
public int getVersion()
- Gets the version number from the certificate.
- Returns:
- the version number.
getSerialNumber
public BigInteger getSerialNumber()
- Gets the serial number from the certificate.
- Returns:
- the serial number.
getSubjectDN
public Principal getSubjectDN()
- Gets the subject distinguished name from the certificate.
- Returns:
- the subject name.
getIssuerDN
public Principal getIssuerDN()
- Gets the issuer distinguished name from the certificate.
- Returns:
- the issuer name.
getNotBefore
public Date getNotBefore()
- Gets the notBefore date from the validity period of the certificate.
- Returns:
- the start date of the validity period.
getNotAfter
public Date getNotAfter()
- Gets the notAfter date from the validity period of the certificate.
- Returns:
- the end date of the validity period.
getTBSCertificate
public byte[] getTBSCertificate() throws CertificateEncodingException
- Gets the DER encoded certificate information, the
tbsCertificate, from this certificate.
This can be used to verify the signature independently.
- Returns:
- the DER encoded certificate information.
- Throws: CertificateEncodingException
- if an encoding error occurs.
getSignature
public byte[] getSignature()
- Gets the raw Signature bits from the certificate.
- Returns:
- the signature.
getSigAlgName
public String getSigAlgName()
- Gets the signature algorithm name for the certificate
signature algorithm.
For example, the string "SHA-1/DSA" or "DSS".
- Returns:
- the signature algorithm name.
getSigAlgOID
public String getSigAlgOID()
- Gets the signature algorithm OID string from the certificate.
For example, the string "1.2.840.10040.4.3"
- Returns:
- the signature algorithm oid string.
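getTBSCertificate() is documented as the way to verify the signature independently of verify(). The class below is an added example (not from the Netscape library or this page) that does exactly that with the standard java.security.Signature API: it takes the three raw pieces the class exposes, the signed bytes from getTBSCertificate(), the signature bits from getSignature(), and the algorithm from getSigAlgOID(), and checks them under the issuer's public key. The OID-to-JCA-name table is constructed for the example; the DSA entry is the OID this page uses as its getSigAlgOID() illustration, and an OID outside the table is refused rather than guessed.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.util.HashMap;
import java.util.Map;
import netscape.security.x509.X509CertImpl;

/*
 * Added example; not part of the Netscape library or its documentation.
 * Re-does the certificate signature check from the raw pieces X509CertImpl
 * exposes, which lets the check run under a different provider or be audited
 * separately from verify().
 */
public class TbsVerify {

    /* Signature-algorithm OID -> JCA Signature name (constructed table for the example). */
    private static final Map<String, String> JCA_NAME = new HashMap<>();
    static {
        JCA_NAME.put("1.2.840.10040.4.3", "SHA1withDSA");        // id-dsa-with-sha1
        JCA_NAME.put("1.2.840.113549.1.1.5", "SHA1withRSA");     // sha1WithRSAEncryption
        JCA_NAME.put("1.2.840.113549.1.1.11", "SHA256withRSA");  // sha256WithRSAEncryption
        JCA_NAME.put("1.2.840.10045.4.3.2", "SHA256withECDSA");  // ecdsa-with-SHA256
    }

    /** Returns true iff `issuerKey` validates the signature over the tbsCertificate bytes. */
    public static boolean verifyIndependently(X509CertImpl cert, PublicKey issuerKey)
            throws GeneralSecurityException {
        String oid = cert.getSigAlgOID();
        String jca = JCA_NAME.get(oid);
        if (jca == null) {
            // Refuse rather than guess: accepting an unmapped algorithm is a policy decision.
            throw new NoSuchAlgorithmException("no JCA mapping for signature OID " + oid);
        }
        Signature sig = Signature.getInstance(jca);
        sig.initVerify(issuerKey);
        sig.update(cert.getTBSCertificate()); // exactly the bytes the issuer signed
        return sig.verify(cert.getSignature());
    }
}
```

Two caveats apply. Algorithms that carry parameters (getSigAlgParams() non-null, as with RSA-PSS) need those parameters handed to the Signature object, which this example does not do. And the OID used here is the outer signatureAlgorithm; RFC 5280 requires it to match the signature field inside the tbsCertificate, a consistency check a conforming parser performs before this step.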
getSigAlgParams
public byte[] getSigAlgParams()
- Gets the DER encoded signature algorithm parameters from this
certificate's signature algorithm.
- Returns:
- the DER encoded signature algorithm parameters, or
null if no parameters are present.
getIssuerUniqueID
public boolean[] getIssuerUniqueID()
- Gets the Issuer Unique Identity from the certificate.
- Returns:
- the Issuer Unique Identity.
getSubjectUniqueID
public boolean[] getSubjectUniqueID()
- Gets the Subject Unique Identity from the certificate.
- Returns:
- the Subject Unique Identity.
getCriticalExtensionOIDs
public Set getCriticalExtensionOIDs()
- Gets a Set of the extension(s) marked CRITICAL in the
certificate by OID strings.
- Returns:
- a set of the extension oid strings in the
certificate that are marked critical.
getNonCriticalExtensionOIDs
public Set getNonCriticalExtensionOIDs()
- Gets a Set of the extension(s) marked NON-CRITICAL in the
certificate by OID strings.
- Returns:
- a set of the extension oid strings in the
certificate that are NOT marked critical.
getExtension
public Extension getExtension(String oid)
getExtensionValue
public byte[] getExtensionValue(String oid)
- Gets the DER encoded extension identified by the passed
in oid String.
- Parameters:
- oid - the Object Identifier value for the extension.
getKeyUsage
public boolean[] getKeyUsage()
- Get a boolean array representing the bits of the KeyUsage extension,
(oid = 2.5.29.15).
- Returns:
- the bit values of this extension as an array of booleans.
getBasicConstraints
public int getBasicConstraints()
- Get the certificate constraints path length from the
critical BasicConstraints extension, (oid = 2.5.29.19).
- Returns:
- the length of the constraint.
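The extension getters above are the raw material for a relying party's extension policy, and the most common mistake is the silent one: ignoring a critical extension the code does not understand. The class below is an added example (not from the Netscape library or this page) that enforces the X.509 rule that an unrecognized critical extension makes the certificate unacceptable, then applies an end-entity policy from getBasicConstraints() and getKeyUsage(). The set of understood OIDs is constructed for the example; the conventions that getBasicConstraints() returns -1 for a non-CA and getKeyUsage() returns null when the extension is absent are assumptions taken from java.security.cert.X509Certificate, not stated on this page.

```java
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import netscape.security.x509.X509CertImpl;

/*
 * Added example; not part of the Netscape library or its documentation.
 * A relying party that skips a critical extension it cannot process is
 * accepting a certificate in a way the issuer explicitly forbade.
 */
public class ExtensionPolicy {

    /* Extensions this relying party actually processes (constructed list for the example). */
    private static final Set<String> UNDERSTOOD = new HashSet<>(Arrays.asList(
            "2.5.29.15",   // KeyUsage
            "2.5.29.19",   // BasicConstraints
            "2.5.29.17",   // SubjectAltName
            "2.5.29.37")); // ExtendedKeyUsage

    /* digitalSignature bit index in the X.509 KeyUsage bit string. */
    private static final int DIGITAL_SIGNATURE = 0;

    /** Rejects the certificate if any critical extension is outside UNDERSTOOD. */
    public static void rejectUnknownCritical(X509CertImpl cert) throws CertificateException {
        Set<?> critical = cert.getCriticalExtensionOIDs(); // raw Set of OID strings
        if (critical == null) {
            return; // no critical extensions: nothing to reject
        }
        for (Object o : critical) {
            String oid = String.valueOf(o);
            if (!UNDERSTOOD.contains(oid)) {
                throw new CertificateException("unrecognized critical extension " + oid);
            }
        }
    }

    /** End-entity policy: not a CA, and KeyUsage (when present) allows digitalSignature. */
    public static boolean usableAsSigningEndEntity(X509CertImpl cert) {
        // Assumption: -1 means "not a CA"; anything else marks a CA certificate.
        if (cert.getBasicConstraints() >= 0) {
            return false; // a CA certificate is out of policy for end-entity use
        }
        // Assumption: null means the KeyUsage extension is absent.
        boolean[] usage = cert.getKeyUsage();
        if (usage == null) {
            return true; // no KeyUsage extension: the issuer stated no restriction
        }
        return usage.length > DIGITAL_SIGNATURE && usage[DIGITAL_SIGNATURE];
    }
}
```

Non-critical extensions the code does not understand can be skipped, which is what getNonCriticalExtensionOIDs() is for; the asymmetry between the two sets is the whole point of the critical flag. When an extension needs deeper inspection than these getters offer, getExtensionValue(oid) returns its DER encoding for a purpose-built parser.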