Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/javax/security/cert/X509Certificate.java
38918 views
/*1* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/242526package javax.security.cert;2728import java.io.InputStream;29import java.lang.Class;30import java.lang.reflect.Constructor;31import java.lang.reflect.InvocationTargetException;32import java.security.Security;3334import java.math.BigInteger;35import java.security.AccessController;36import java.security.Principal;37import java.security.PrivilegedAction;38import java.security.PublicKey;39import java.util.BitSet;40import java.util.Date;4142/**43* Abstract class for X.509 v1 certificates. This provides a standard44* way to access all the version 1 attributes of an X.509 certificate.45* Attributes that are specific to X.509 v2 or v3 are not available46* through this interface. Future API evolution will provide full access to47* complete X.509 v3 attributes.48* <p>49* The basic X.509 format was defined by50* ISO/IEC and ANSI X9 and is described below in ASN.1:51* <pre>52* Certificate ::= SEQUENCE {53* tbsCertificate TBSCertificate,54* signatureAlgorithm AlgorithmIdentifier,55* signature BIT STRING }56* </pre>57* <p>58* These certificates are widely used to support authentication and59* other functionality in Internet security systems. Common applications60* include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),61* code signing for trusted software distribution, and Secure Electronic62* Transactions (SET).63* <p>64* These certificates are managed and vouched for by <em>Certificate65* Authorities</em> (CAs). CAs are services which create certificates by66* placing data in the X.509 standard format and then digitally signing67* that data. CAs act as trusted third parties, making introductions68* between principals who have no direct knowledge of each other.69* CA certificates are either signed by themselves, or by some other70* CA such as a "root" CA.71* <p>72* The ASN.1 definition of {@code tbsCertificate} is:73* <pre>74* TBSCertificate ::= SEQUENCE {75* version [0] EXPLICIT Version DEFAULT v1,76* serialNumber CertificateSerialNumber,77* signature AlgorithmIdentifier,78* issuer Name,79* validity Validity,80* subject Name,81* subjectPublicKeyInfo SubjectPublicKeyInfo,82* }83* </pre>84* <p>85* Here is sample code to instantiate an X.509 certificate:86* <pre>87* InputStream inStream = new FileInputStream("fileName-of-cert");88* X509Certificate cert = X509Certificate.getInstance(inStream);89* inStream.close();90* </pre>91* OR92* <pre>93* byte[] certData = <certificate read from a file, say>94* X509Certificate cert = X509Certificate.getInstance(certData);95* </pre>96* <p>97* In either case, the code that instantiates an X.509 certificate98* consults the value of the {@code cert.provider.x509v1} security property99* to locate the actual implementation or instantiates a default implementation.100* <p>101* The {@code cert.provider.x509v1} property is set to a default102* implementation for X.509 such as:103* <pre>104* cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl105* </pre>106* <p>107* The value of this {@code cert.provider.x509v1} property has to be108* changed to instantiate another implementation. If this security109* property is not set, a default implementation will be used.110* Currently, due to possible security restrictions on access to111* Security properties, this value is looked up and cached at class112* initialization time and will fallback on a default implementation if113* the Security property is not accessible.114*115* <p><em>Note: The classes in the package {@code javax.security.cert}116* exist for compatibility with earlier versions of the117* Java Secure Sockets Extension (JSSE). New applications should instead118* use the standard Java SE certificate classes located in119* {@code java.security.cert}.</em></p>120*121* @author Hemma Prafullchandra122* @since 1.4123* @see Certificate124* @see java.security.cert.X509Extension125* @see java.security.Security security properties126*/127public abstract class X509Certificate extends Certificate {128129/*130* Constant to lookup in the Security properties file.131* In the Security properties file the default implementation132* for X.509 v3 is given as:133* <pre>134* cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl135* </pre>136*/137private static final String X509_PROVIDER = "cert.provider.x509v1";138private static String X509Provider;139140static {141X509Provider = AccessController.doPrivileged(142new PrivilegedAction<String>() {143public String run() {144return Security.getProperty(X509_PROVIDER);145}146}147);148}149150/**151* Instantiates an X509Certificate object, and initializes it with152* the data read from the input stream {@code inStream}.153* The implementation (X509Certificate is an abstract class) is154* provided by the class specified as the value of the155* {@code cert.provider.x509v1} security property.156*157* <p>Note: Only one DER-encoded158* certificate is expected to be in the input stream.159* Also, all X509Certificate160* subclasses must provide a constructor of the form:161* <pre>{@code162* public <subClass>(InputStream inStream) ...163* }</pre>164*165* @param inStream an input stream with the data to be read to166* initialize the certificate.167* @return an X509Certificate object initialized with the data168* from the input stream.169* @exception CertificateException if a class initialization170* or certificate parsing error occurs.171*/172public static final X509Certificate getInstance(InputStream inStream)173throws CertificateException {174return getInst((Object)inStream);175}176177/**178* Instantiates an X509Certificate object, and initializes it with179* the specified byte array.180* The implementation (X509Certificate is an abstract class) is181* provided by the class specified as the value of the182* {@code cert.provider.x509v1} security property.183*184* <p>Note: All X509Certificate185* subclasses must provide a constructor of the form:186* <pre>{@code187* public <subClass>(InputStream inStream) ...188* }</pre>189*190* @param certData a byte array containing the DER-encoded191* certificate.192* @return an X509Certificate object initialized with the data193* from {@code certData}.194* @exception CertificateException if a class initialization195* or certificate parsing error occurs.196*/197public static final X509Certificate getInstance(byte[] certData)198throws CertificateException {199return getInst((Object)certData);200}201202private static final X509Certificate getInst(Object value)203throws CertificateException {204/*205* This turns out not to work for now. To run under JDK1.2 we would206* need to call beginPrivileged() but we can't do that and run207* under JDK1.1.208*/209String className = X509Provider;210if (className == null || className.length() == 0) {211// shouldn't happen, but assume corrupted properties file212// provide access to sun implementation213className = "com.sun.security.cert.internal.x509.X509V1CertImpl";214}215try {216Class<?>[] params = null;217if (value instanceof InputStream) {218params = new Class<?>[] { InputStream.class };219} else if (value instanceof byte[]) {220params = new Class<?>[] { value.getClass() };221} else222throw new CertificateException("Unsupported argument type");223Class<?> certClass = Class.forName(className);224225// get the appropriate constructor and instantiate it226Constructor<?> cons = certClass.getConstructor(params);227228// get a new instance229Object obj = cons.newInstance(new Object[] {value});230return (X509Certificate)obj;231232} catch (ClassNotFoundException e) {233throw new CertificateException("Could not find class: " + e);234} catch (IllegalAccessException e) {235throw new CertificateException("Could not access class: " + e);236} catch (InstantiationException e) {237throw new CertificateException("Problems instantiating: " + e);238} catch (InvocationTargetException e) {239throw new CertificateException("InvocationTargetException: "240+ e.getTargetException());241} catch (NoSuchMethodException e) {242throw new CertificateException("Could not find class method: "243+ e.getMessage());244}245}246247/**248* Checks that the certificate is currently valid. It is if249* the current date and time are within the validity period given in the250* certificate.251* <p>252* The validity period consists of two date/time values:253* the first and last dates (and times) on which the certificate254* is valid. It is defined in255* ASN.1 as:256* <pre>257* validity Validity258*259* Validity ::= SEQUENCE {260* notBefore CertificateValidityDate,261* notAfter CertificateValidityDate }262*263* CertificateValidityDate ::= CHOICE {264* utcTime UTCTime,265* generalTime GeneralizedTime }266* </pre>267*268* @exception CertificateExpiredException if the certificate has expired.269* @exception CertificateNotYetValidException if the certificate is not270* yet valid.271*/272public abstract void checkValidity()273throws CertificateExpiredException, CertificateNotYetValidException;274275/**276* Checks that the specified date is within the certificate's277* validity period. In other words, this determines whether the278* certificate would be valid at the specified date/time.279*280* @param date the Date to check against to see if this certificate281* is valid at that date/time.282* @exception CertificateExpiredException if the certificate has expired283* with respect to the {@code date} supplied.284* @exception CertificateNotYetValidException if the certificate is not285* yet valid with respect to the {@code date} supplied.286* @see #checkValidity()287*/288public abstract void checkValidity(Date date)289throws CertificateExpiredException, CertificateNotYetValidException;290291/**292* Gets the {@code version} (version number) value from the293* certificate. The ASN.1 definition for this is:294* <pre>295* version [0] EXPLICIT Version DEFAULT v1296*297* Version ::= INTEGER { v1(0), v2(1), v3(2) }298* </pre>299*300* @return the version number from the ASN.1 encoding, i.e. 0, 1 or 2.301*/302public abstract int getVersion();303304/**305* Gets the {@code serialNumber} value from the certificate.306* The serial number is an integer assigned by the certification307* authority to each certificate. It must be unique for each308* certificate issued by a given CA (i.e., the issuer name and309* serial number identify a unique certificate).310* The ASN.1 definition for this is:311* <pre>312* serialNumber CertificateSerialNumber313*314* CertificateSerialNumber ::= INTEGER315* </pre>316*317* @return the serial number.318*/319public abstract BigInteger getSerialNumber();320321/**322* Gets the {@code issuer} (issuer distinguished name) value from323* the certificate. The issuer name identifies the entity that signed (and324* issued) the certificate.325*326* <p>The issuer name field contains an327* X.500 distinguished name (DN).328* The ASN.1 definition for this is:329* <pre>330* issuer Name331*332* Name ::= CHOICE { RDNSequence }333* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName334* RelativeDistinguishedName ::=335* SET OF AttributeValueAssertion336*337* AttributeValueAssertion ::= SEQUENCE {338* AttributeType,339* AttributeValue }340* AttributeType ::= OBJECT IDENTIFIER341* AttributeValue ::= ANY342* </pre>343* The {@code Name} describes a hierarchical name composed of344* attributes, such as country name, and corresponding values, such as US.345* The type of the {@code AttributeValue} component is determined by346* the {@code AttributeType}; in general it will be a347* {@code directoryString}. A {@code directoryString} is usually348* one of {@code PrintableString},349* {@code TeletexString} or {@code UniversalString}.350*351* @return a Principal whose name is the issuer distinguished name.352*/353public abstract Principal getIssuerDN();354355/**356* Gets the {@code subject} (subject distinguished name) value357* from the certificate.358* The ASN.1 definition for this is:359* <pre>360* subject Name361* </pre>362*363* <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}364* and other relevant definitions.365*366* @return a Principal whose name is the subject name.367* @see #getIssuerDN()368*/369public abstract Principal getSubjectDN();370371/**372* Gets the {@code notBefore} date from the validity period of373* the certificate.374* The relevant ASN.1 definitions are:375* <pre>376* validity Validity377*378* Validity ::= SEQUENCE {379* notBefore CertificateValidityDate,380* notAfter CertificateValidityDate }381*382* CertificateValidityDate ::= CHOICE {383* utcTime UTCTime,384* generalTime GeneralizedTime }385* </pre>386*387* @return the start date of the validity period.388* @see #checkValidity()389*/390public abstract Date getNotBefore();391392/**393* Gets the {@code notAfter} date from the validity period of394* the certificate. See {@link #getNotBefore() getNotBefore}395* for relevant ASN.1 definitions.396*397* @return the end date of the validity period.398* @see #checkValidity()399*/400public abstract Date getNotAfter();401402/**403* Gets the signature algorithm name for the certificate404* signature algorithm. An example is the string "SHA-1/DSA".405* The ASN.1 definition for this is:406* <pre>407* signatureAlgorithm AlgorithmIdentifier408*409* AlgorithmIdentifier ::= SEQUENCE {410* algorithm OBJECT IDENTIFIER,411* parameters ANY DEFINED BY algorithm OPTIONAL }412* -- contains a value of the type413* -- registered for use with the414* -- algorithm object identifier value415* </pre>416*417* <p>The algorithm name is determined from the {@code algorithm}418* OID string.419*420* @return the signature algorithm name.421*/422public abstract String getSigAlgName();423424/**425* Gets the signature algorithm OID string from the certificate.426* An OID is represented by a set of positive whole numbers separated427* by periods.428* For example, the string "1.2.840.10040.4.3" identifies the SHA-1429* with DSA signature algorithm, as per the PKIX part I.430*431* <p>See {@link #getSigAlgName() getSigAlgName} for432* relevant ASN.1 definitions.433*434* @return the signature algorithm OID string.435*/436public abstract String getSigAlgOID();437438/**439* Gets the DER-encoded signature algorithm parameters from this440* certificate's signature algorithm. In most cases, the signature441* algorithm parameters are null; the parameters are usually442* supplied with the certificate's public key.443*444* <p>See {@link #getSigAlgName() getSigAlgName} for445* relevant ASN.1 definitions.446*447* @return the DER-encoded signature algorithm parameters, or448* null if no parameters are present.449*/450public abstract byte[] getSigAlgParams();451}452453454