All Packages  Class Hierarchy  This Package  Previous  Next  Index

Class netscape.security.x509.X509CertImpl

netscape.security.x509.X509CertImpl

public class X509CertImpl
implements DerEncoder
The X509CertImpl class represents an X.509 certificate. These certificates are widely used to support authentication and other functionality in Internet security systems. Common applications include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET). There is a commercial infrastructure ready to manage large scale deployments of X.509 identity certificates.

These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. Such signatures are quite difficult to forge. CAs act as trusted third parties, making introductions between agents who have no direct knowledge of each other. CA certificates are either signed by themselves, or by some other CA such as a "root" CA.

RFC 1422 is very informative, though it does not describe much of the recent work being done with X.509 certificates. That includes a 1996 version (X.509v3) and a variety of enhancements being made to facilitate an explosion of personal certificates used as "Internet Drivers' Licences", or with SET for credit card transactions.

More recent work includes the IETF PKIX Working Group efforts, especially part 1.

See Also:
X509CertInfo

Variable Index

 o ALG_ID
 o algId
 o INFO
 o info
 o ISSUER_DN
 o NAME
Public attribute names.
 o PUBLIC_KEY
 o SERIAL_ID
 o SIG
 o SIG_ALG
 o SIGNATURE
 o signature
 o SIGNED_CERT
 o SUBJECT_DN
The following are defined for ease-of-use.

Constructor Index

 o X509CertImpl()
Default constructor.
 o X509CertImpl(byte[])
Unmarshals a certificate from its encoded form, parsing the encoded bytes.
 o X509CertImpl(DerValue)
Unmarshals a certificate from its encoded form, parsing a DER value.
 o X509CertImpl(InputStream)
Unmarshals an X.509 certificate from an input stream.
 o X509CertImpl(X509CertInfo)
Construct an initialized X509 Certificate.

Method Index

 o checkValidity()
Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.
 o checkValidity(Date)
Checks that the specified date is within the certificate's validity period, or basically if the certificate would be valid at the specified date/time.
 o decode(InputStream)
Decode an X.509 certificate from an input stream.
 o delete(String)
Delete the requested attribute from the certificate.
 o derEncode(OutputStream)
DER encode this object onto an output stream.
 o encode(OutputStream)
Appends the certificate to an output stream.
 o get(String)
Return the requested attribute from the certificate.
 o getBasicConstraints()
Get the certificate constraints path length from the critical BasicConstraints extension, (oid = 2.5.29.19).
 o getCriticalExtensionOIDs()
Gets a Set of the extension(s) marked CRITICAL in the certificate by OID strings.
 o getElements()
Return an enumeration of names of attributes existing within this attribute.
 o getEncoded()
Returns the encoded form of this certificate.
 o getExtension(String)
 o getExtensionValue(String)
Gets the DER encoded extension identified by the passed in oid String.
 o getIssuerDN()
Gets the issuer distinguished name from the certificate.
 o getIssuerUniqueID()
Gets the Issuer Unique Identity from the certificate.
 o getKeyUsage()
Get a boolean array representing the bits of the KeyUsage extension, (oid = 2.5.29.15).
 o getName()
Return the name of this attribute.
 o getNonCriticalExtensionOIDs()
Gets a Set of the extension(s) marked NON-CRITICAL in the certificate by OID strings.
 o getNotAfter()
Gets the notAfter date from the validity period of the certificate.
 o getNotBefore()
Gets the notBefore date from the validity period of the certificate.
 o getPublicKey()
Gets the public key from this certificate.
 o getSerialNumber()
Gets the serial number from the certificate.
 o getSigAlgName()
Gets the signature algorithm name for the certificate signature algorithm.
 o getSigAlgOID()
Gets the signature algorithm OID string from the certificate.
 o getSigAlgParams()
Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.
 o getSignature()
Gets the raw Signature bits from the certificate.
 o getSubjectDN()
Gets the subject distinguished name from the certificate.
 o getSubjectUniqueID()
Gets the Subject Unique Identity from the certificate.
 o getTBSCertificate()
Gets the DER encoded certificate information, the tbsCertificate from this certificate.
 o getVersion()
Gets the version number from the certificate.
 o set(String, Object)
Set the requested attribute in the certificate.
 o sign(PrivateKey, String)
Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name).
 o sign(PrivateKey, String, String)
Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name).
 o toString()
Returns a printable representation of the certificate.
 o verify(PublicKey)
Throws an exception if the certificate was not signed using the verification key provided.
 o verify(PublicKey, String)
Throws an exception if the certificate was not signed using the verification key provided.

Variables

 o NAME
 public static final String NAME
Public attribute names.

 o INFO
 public static final String INFO
 o ALG_ID
 public static final String ALG_ID
 o SIGNATURE
 public static final String SIGNATURE
 o SIGNED_CERT
 public static final String SIGNED_CERT
 o SUBJECT_DN
 public static final String SUBJECT_DN
The following are defined for ease-of-use. These are the most frequently retrieved attributes.

 o ISSUER_DN
 public static final String ISSUER_DN
 o SERIAL_ID
 public static final String SERIAL_ID
 o PUBLIC_KEY
 public static final String PUBLIC_KEY
 o SIG_ALG
 public static final String SIG_ALG
 o SIG
 public static final String SIG
 o info
 protected X509CertInfo info
 o algId
 protected AlgorithmId algId
 o signature
 protected byte signature[]

Constructors

 o X509CertImpl
 public X509CertImpl()
Default constructor.

 o X509CertImpl
 public X509CertImpl(byte certData[]) throws CertificateException
Unmarshals a certificate from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use certificate contents. That is, this is one of the more commonly used constructors. Note that the buffer must include only a certificate, and no "garbage" may be left at the end. If you need to ignore data at the end of a certificate, use another constructor.

Parameters:
certData - the encoded bytes, with no trailing padding.
Throws: CertificateException
on parsing and initialization errors.
 o X509CertImpl
 public X509CertImpl(InputStream in) throws CertificateException
Unmarshals an X.509 certificate from an input stream.

Parameters:
in - an input stream holding at least one certificate
Throws: CertificateException
on parsing and initialization errors.
 o X509CertImpl
 public X509CertImpl(X509CertInfo certInfo)
Construct an initialized X509 Certificate. The certificate is stored in raw form and has to be signed to be useful.

Parameters:
certInfo - the X509CertInfo from which the certificate is to be created.
 o X509CertImpl
 public X509CertImpl(DerValue derVal) throws CertificateException
Unmarshals a certificate from its encoded form, parsing a DER value. This form of constructor is used by agents which need to examine and use certificate contents.

Parameters:
derVal - the der value containing the encoded cert.
Throws: CertificateException
on parsing and initialization errors.

Methods

 o decode
 public void decode(InputStream in) throws CertificateException, IOException
Decode an X.509 certificate from an input stream.

Parameters:
in - an input stream holding at least one certificate
Throws: CertificateException
on parsing errors.
Throws: IOException
on other errors.
 o encode
 public void encode(OutputStream out) throws CertificateEncodingException
Appends the certificate to an output stream.

Parameters:
out - an output stream to which the certificate is appended.
Throws: CertificateEncodingException
on encoding errors.
 o derEncode
 public void derEncode(OutputStream out) throws IOException
DER encode this object onto an output stream. Implements the DerEncoder interface.

Parameters:
out - the output stream on which to write the DER encoding.
Throws: IOException
on encoding error.
 o getEncoded
 public byte[] getEncoded() throws CertificateEncodingException
Returns the encoded form of this certificate. It is assumed that each certificate type would have only a single form of encoding; for example, X.509 certificates would be encoded as ASN.1 DER.

Throws: CertificateEncodingException
if an encoding error occurs.
 o verify
 public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.

Parameters:
key - the public key used for verification.
Throws: InvalidKeyException
on incorrect key.
Throws: NoSuchAlgorithmException
on unsupported signature algorithms.
Throws: NoSuchProviderException
if there's no default provider.
Throws: SignatureException
on signature errors.
Throws: CertificateException
on encoding errors.
 o verify
 public void verify(PublicKey key,
                    String sigProvider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.

Parameters:
key - the public key used for verification.
sigProvider - the name of the provider.
Throws: NoSuchAlgorithmException
on unsupported signature algorithms.
Throws: InvalidKeyException
on incorrect key.
Throws: NoSuchProviderException
on incorrect provider.
Throws: SignatureException
on signature errors.
Throws: CertificateException
on encoding errors.
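The note above that a successful verify() "does not indicate that one should trust the entity" is the key point of this method. The following added example (not part of the original class documentation) shows the checks a relying party would combine with verify() when validating a leaf certificate against its issuer's certificate: name chaining, the issuer's BasicConstraints and KeyUsage, the signature, and the validity window at the time of use. It assumes the exception types are those of java.security.cert, that Principal.equals() on the returned names compares distinguished names, that getBasicConstraints() returns a negative value when no CA BasicConstraints is present, and that getKeyUsage() returns null when the extension is absent; none of these are stated on this page.

```java
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.util.Date;
import netscape.security.x509.X509CertImpl;

/**
 * Validates a leaf certificate against the certificate of its purported issuer.
 * Signature verification is only one of the conditions; the others are what make
 * the result usable for an access decision. Added example, not project code.
 */
public class LeafCheck {

    /** KeyUsage bit index for keyCertSign, as numbered in X.509 / RFC 5280. */
    private static final int KEY_CERT_SIGN = 5;

    /**
     * Throws if any check fails; returns the parsed leaf certificate on success.
     * Both buffers must contain exactly one DER certificate with no trailing bytes,
     * as the byte[] constructor requires.
     */
    public static X509CertImpl check(byte[] leafDer, byte[] issuerDer, Date at)
            throws Exception {
        X509CertImpl leaf = new X509CertImpl(leafDer);
        X509CertImpl issuer = new X509CertImpl(issuerDer);

        // 1. Name chaining: the leaf's issuer DN must equal the issuer's subject DN.
        //    Assumption: Principal.equals() compares the X.500 names.
        if (!leaf.getIssuerDN().equals(issuer.getSubjectDN())) {
            throw new CertificateException("leaf issuer does not match issuer subject");
        }

        // 2. The issuer must be entitled to sign certificates.
        //    Assumption: a negative path length means no CA BasicConstraints.
        if (issuer.getBasicConstraints() < 0) {
            throw new CertificateException("issuer certificate is not a CA");
        }
        //    Assumption: null means the KeyUsage extension is absent (then no restriction).
        boolean[] keyUsage = issuer.getKeyUsage();
        if (keyUsage != null
                && (keyUsage.length <= KEY_CERT_SIGN || !keyUsage[KEY_CERT_SIGN])) {
            throw new CertificateException("issuer KeyUsage does not permit keyCertSign");
        }

        // 3. Cryptographic check: the leaf's signature was produced with the issuer's key.
        PublicKey issuerKey = issuer.getPublicKey();
        leaf.verify(issuerKey);

        // 4. Validity window evaluated at the time of use, for both certificates.
        leaf.checkValidity(at);
        issuer.checkValidity(at);

        return leaf;
    }
}
```

Even with all four checks, this is not a complete path validation: revocation status, name constraints, policy processing and the anchoring of the issuer itself to a trusted root are outside what this class exposes and must be handled elsewhere.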
 o sign
 public void sign(PrivateKey key,
                  String algorithm) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.

Parameters:
key - the private key used for signing.
algorithm - the name of the signature algorithm used.
Throws: InvalidKeyException
on incorrect key.
Throws: NoSuchAlgorithmException
on unsupported signature algorithms.
Throws: NoSuchProviderException
if there's no default provider.
Throws: SignatureException
on signature errors.
Throws: CertificateException
on encoding errors.
 o sign
 public void sign(PrivateKey key,
                  String algorithm,
                  String provider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Creates an X.509 certificate, and signs it using the key passed (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.

Parameters:
key - the private key used for signing.
algorithm - the name of the signature algorithm used.
provider - the name of the provider.
Throws: NoSuchAlgorithmException
on unsupported signature algorithms.
Throws: InvalidKeyException
on incorrect key.
Throws: NoSuchProviderException
on incorrect provider.
Throws: SignatureException
on signature errors.
Throws: CertificateException
on encoding errors.
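The X509CertInfo constructor above notes that the object "has to be signed to be useful", and sign() is described as the CA-side issuance step. The following added example (not part of the original documentation) shows the issuance lifecycle end to end: wrap the body, sign it, encode it, and then re-parse the produced bytes and verify them with the CA's public key, so that an encoding or key mix-up is caught before the certificate leaves the CA. Building the X509CertInfo (subject, validity, public key, extensions) is outside this page and is assumed to be done by the caller; the exception types are assumed to be those of java.security.cert.

```java
import java.security.KeyPair;
import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509CertInfo;

/** CA-side issuance helper. Added example, not project code. */
public class CertIssuer {

    /**
     * Signs the prepared certificate body with the CA private key and returns the
     * DER encoding. sigAlg is the signature algorithm name accepted by sign(),
     * e.g. the name later reported by getSigAlgName().
     */
    public static byte[] issue(X509CertInfo body, KeyPair caKeys, String sigAlg)
            throws Exception {
        // Raw, unsigned certificate: only the tbsCertificate content is present.
        X509CertImpl cert = new X509CertImpl(body);

        // Attach the signature algorithm and signature.
        cert.sign(caKeys.getPrivate(), sigAlg);

        // DER form that will be handed out.
        byte[] der = cert.getEncoded();

        // Self-check: what we emit must parse as a single certificate with no
        // trailing bytes (a requirement of the byte[] constructor) and must verify
        // with the public half of the key we just signed with.
        X509CertImpl reparsed = new X509CertImpl(der);
        reparsed.verify(caKeys.getPublic());

        return der;
    }
}
```

The three-argument sign(key, algorithm, provider) form is the same operation pinned to a named JCA provider, which matters when the CA key lives in a hardware token whose provider must be used for signing.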
 o checkValidity
 public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException
Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.

Throws: CertificateExpiredException
if the certificate has expired.
Throws: CertificateNotYetValidException
if the certificate is not yet valid.
 o checkValidity
 public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException
Checks that the specified date is within the certificate's validity period, or basically if the certificate would be valid at the specified date/time.

Parameters:
date - the Date to check against to see if this certificate is valid at that date/time.
Throws: CertificateExpiredException
if the certificate has expired with respect to the date supplied.
Throws: CertificateNotYetValidException
if the certificate is not yet valid with respect to the date supplied.
 o get
 public Object get(String name) throws CertificateParsingException
Return the requested attribute from the certificate.

Parameters:
name - the name of the attribute.
Throws: CertificateParsingException
on invalid attribute identifier.
 o set
 public void set(String name,
                 Object obj) throws CertificateException, IOException
Set the requested attribute in the certificate.

Parameters:
name - the name of the attribute.
obj - the value of the attribute.
Throws: CertificateException
on invalid attribute identifier.
Throws: IOException
on encoding error of attribute.
 o delete
 public void delete(String name) throws CertificateException, IOException
Delete the requested attribute from the certificate.

Parameters:
name - the name of the attribute.
Throws: CertificateException
on invalid attribute identifier.
Throws: IOException
on other errors.
 o getElements
 public Enumeration getElements()
Return an enumeration of names of attributes existing within this attribute.

 o getName
 public String getName()
Return the name of this attribute.

 o toString
 public String toString()
Returns a printable representation of the certificate. This does not contain all the information available to distinguish this from any other certificate. The certificate must be fully constructed before this function may be called.

 o getPublicKey
 public PublicKey getPublicKey()
Gets the public key from this certificate.

Returns:
the public key.
 o getVersion
 public int getVersion()
Gets the version number from the certificate.

Returns:
the version number.
 o getSerialNumber
 public BigInteger getSerialNumber()
Gets the serial number from the certificate.

Returns:
the serial number.
 o getSubjectDN
 public Principal getSubjectDN()
Gets the subject distinguished name from the certificate.

Returns:
the subject name.
 o getIssuerDN
 public Principal getIssuerDN()
Gets the issuer distinguished name from the certificate.

Returns:
the issuer name.
 o getNotBefore
 public Date getNotBefore()
Gets the notBefore date from the validity period of the certificate.

Returns:
the start date of the validity period.
 o getNotAfter
 public Date getNotAfter()
Gets the notAfter date from the validity period of the certificate.

Returns:
the end date of the validity period.
 o getTBSCertificate
 public byte[] getTBSCertificate() throws CertificateEncodingException
Gets the DER encoded certificate information, the tbsCertificate from this certificate. This can be used to verify the signature independently.

Returns:
the DER encoded certificate information.
Throws: CertificateEncodingException
if an encoding error occurs.
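getTBSCertificate() together with getSignature() and getSigAlgOID() lets a relying party verify the signature with the JCA directly, which is useful when you want to decide which signature algorithms are acceptable rather than let the certificate's own algorithm field drive the choice. The following added example (not part of the original documentation) does that: it maps the certificate's signature OID to a JCA name through an explicit allow-list, refuses anything else, and runs the verification over the tbsCertificate bytes. The OID "1.2.840.10040.4.3" is the page's own example (dsaWithSHA1); "1.2.840.113549.1.1.11" (sha256WithRSAEncryption) is added from the author's knowledge of the standard OID registry. The JCA names "SHA1withDSA" and "SHA256withRSA" are standard JCA algorithm names and may differ from what getSigAlgName() returns on this class.

```java
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import netscape.security.x509.X509CertImpl;

/** Independent signature verification over tbsCertificate. Added example, not project code. */
public class TbsVerifier {

    /**
     * Maps an accepted signature-algorithm OID to its JCA name, or returns null
     * for anything not on the allow-list. Extend deliberately; do not add
     * algorithms the deployment does not intend to accept.
     */
    public static String jcaNameFor(String sigAlgOid) {
        if ("1.2.840.10040.4.3".equals(sigAlgOid)) {
            return "SHA1withDSA";      // dsaWithSHA1, the OID quoted on this page
        }
        if ("1.2.840.113549.1.1.11".equals(sigAlgOid)) {
            return "SHA256withRSA";    // sha256WithRSAEncryption
        }
        return null;
    }

    /**
     * Returns true if the certificate's signature verifies under issuerKey using an
     * allow-listed algorithm; false if the signature is invalid. Throws when the
     * algorithm is not on the allow-list, so an unexpected algorithm is an error,
     * never a silent pass.
     */
    public static boolean verifyIndependently(X509CertImpl cert, PublicKey issuerKey)
            throws Exception {
        String oid = cert.getSigAlgOID();
        String jcaName = jcaNameFor(oid);
        if (jcaName == null) {
            throw new CertificateException("signature algorithm not accepted: " + oid);
        }

        byte[] tbs = cert.getTBSCertificate();  // DER of the signed portion
        byte[] sig = cert.getSignature();       // raw signature bits

        Signature verifier = Signature.getInstance(jcaName);
        verifier.initVerify(issuerKey);
        verifier.update(tbs);
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) {
            // Malformed signature encoding is a failed verification, not a crash.
            return false;
        }
    }
}
```

A practical use of this routine is as a cross-check next to verify(PublicKey): the two must agree on every certificate, and a disagreement points at a provider or algorithm-name mismatch worth investigating before the certificate is trusted.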
 o getSignature
 public byte[] getSignature()
Gets the raw Signature bits from the certificate.

Returns:
the signature.
 o getSigAlgName
 public String getSigAlgName()
Gets the signature algorithm name for the certificate signature algorithm. For example, the string "SHA-1/DSA" or "DSS".

Returns:
the signature algorithm name.
 o getSigAlgOID
 public String getSigAlgOID()
Gets the signature algorithm OID string from the certificate. For example, the string "1.2.840.10040.4.3".

Returns:
the signature algorithm oid string.
 o getSigAlgParams
 public byte[] getSigAlgParams()
Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.

Returns:
the DER encoded signature algorithm parameters, or null if no parameters are present.
 o getIssuerUniqueID
 public boolean[] getIssuerUniqueID()
Gets the Issuer Unique Identity from the certificate.

Returns:
the Issuer Unique Identity.
 o getSubjectUniqueID
 public boolean[] getSubjectUniqueID()
Gets the Subject Unique Identity from the certificate.

Returns:
the Subject Unique Identity.
 o getCriticalExtensionOIDs
 public Set getCriticalExtensionOIDs()
Gets a Set of the extension(s) marked CRITICAL in the certificate by OID strings.

Returns:
a set of the extension oid strings in the certificate that are marked critical.
 o getNonCriticalExtensionOIDs
 public Set getNonCriticalExtensionOIDs()
Gets a Set of the extension(s) marked NON-CRITICAL in the certificate by OID strings.

Returns:
a set of the extension oid strings in the certificate that are NOT marked critical.
 o getExtension
 public Extension getExtension(String oid)
 o getExtensionValue
 public byte[] getExtensionValue(String oid)
Gets the DER encoded extension identified by the passed in oid String.

Parameters:
oid - the Object Identifier value for the extension.
 o getKeyUsage
 public boolean[] getKeyUsage()
Get a boolean array representing the bits of the KeyUsage extension, (oid = 2.5.29.15).

Returns:
the bit values of this extension as an array of booleans.
 o getBasicConstraints
 public int getBasicConstraints()
Get the certificate constraints path length from the critical BasicConstraints extension, (oid = 2.5.29.19).

Returns:
the length of the constraint.
