GNU Classpath (0.20) | |
Frames | No Frames |
1: /* X509Certificate.java --- X.509 Certificate class 2: Copyright (C) 1999,2003 Free Software Foundation, Inc. 3: 4: This file is part of GNU Classpath. 5: 6: GNU Classpath is free software; you can redistribute it and/or modify 7: it under the terms of the GNU General Public License as published by 8: the Free Software Foundation; either version 2, or (at your option) 9: any later version. 10: 11: GNU Classpath is distributed in the hope that it will be useful, but 12: WITHOUT ANY WARRANTY; without even the implied warranty of 13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14: General Public License for more details. 15: 16: You should have received a copy of the GNU General Public License 17: along with GNU Classpath; see the file COPYING. If not, write to the 18: Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 19: 02110-1301 USA. 20: 21: Linking this library statically or dynamically with other modules is 22: making a combined work based on this library. Thus, the terms and 23: conditions of the GNU General Public License cover the whole 24: combination. 25: 26: As a special exception, the copyright holders of this library give you 27: permission to link this library with independent modules to produce an 28: executable, regardless of the license terms of these independent 29: modules, and to copy and distribute the resulting executable under 30: terms of your choice, provided that you also meet, for each linked 31: independent module, the terms and conditions of the license of that 32: module. An independent module is a module which is not derived from 33: or based on this library. If you modify this library, you may extend 34: this exception to your version of the library, but you are not 35: obligated to do so. If you do not wish to do so, delete this 36: exception statement from your version. */ 37: 38: 39: package java.security.cert; 40: 41: import java.math.BigInteger; 42: import java.security.Principal; 43: import java.util.Date; 44: 45: /** 46: * X509Certificate is the abstract class for X.509 certificates. 47: * This provides a stanard class interface for accessing all 48: * the attributes of X.509 certificates. 49: * 50: * <p>In June 1996, the basic X.509 v3 format was finished by 51: * ISO/IEC and ANSI X.9. The ASN.1 DER format is below: 52: * 53: * <blockquote><pre> 54: * Certificate ::= SEQUENCE { 55: * tbsCertificate TBSCertificate, 56: * signatureAlgorithm AlgorithmIdentifier, 57: * signatureValue BIT STRING } 58: * </pre></blockquote> 59: * 60: * <p>These certificates are widely used in various Internet 61: * protocols to support authentication. It is used in 62: * Privacy Enhanced Mail (PEM), Transport Layer Security (TLS), 63: * Secure Sockets Layer (SSL), code signing for trusted software 64: * distribution, and Secure Electronic Transactions (SET). 65: * 66: * <p>The certificates are managed and vouched for by 67: * <I>Certificate Authorities</I> (CAs). CAs are companies or 68: * groups that create certificates by placing the data in the 69: * X.509 certificate format and signing it with their private 70: * key. CAs serve as trusted third parties by certifying that 71: * the person or group specified in the certificate is who 72: * they say they are. 73: * 74: * <p>The ASN.1 defintion for <I>tbsCertificate</I> is 75: * 76: * <blockquote><pre> 77: * TBSCertificate ::= SEQUENCE { 78: * version [0] EXPLICIT Version DEFAULT v1, 79: * serialNumber CertificateSerialNumber, 80: * signature AlgorithmIdentifier, 81: * issuer Name, 82: * validity Validity, 83: * subject Name, 84: * subjectPublicKeyInfo SubjectPublicKeyInfo, 85: * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 86: * -- If present, version shall be v2 or v3 87: * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 88: * -- If present, version shall be v2 or v3 89: * extensions [3] EXPLICIT Extensions OPTIONAL 90: * -- If present, version shall be v3 91: * } 92: * 93: * Version ::= INTEGER { v1(0), v2(1), v3(2) } 94: * 95: * CertificateSerialNumber ::= INTEGER 96: * 97: * Validity ::= SEQUENCE { 98: * notBefore Time, 99: * notAfter Time } 100: * 101: * Time ::= CHOICE { 102: * utcTime UTCTime, 103: * generalTime GeneralizedTime } 104: * 105: * UniqueIdentifier ::= BIT STRING 106: * 107: * SubjectPublicKeyInfo ::= SEQUENCE { 108: * algorithm AlgorithmIdentifier, 109: * subjectPublicKey BIT STRING } 110: * 111: * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension 112: * 113: * Extension ::= SEQUENCE { 114: * extnID OBJECT IDENTIFIER, 115: * critical BOOLEAN DEFAULT FALSE, 116: * extnValue OCTET STRING } 117: * </pre></blockquote> 118: * 119: * Certificates are created with the CertificateFactory. 120: * 121: * <p>References: 122: * 123: * <ol> 124: * <li>Olivier Dubuisson, Philippe Fouquart (Translator) <i>ASN.1 - 125: * Communication between heterogeneous systems</i>, (C) September 2000, 126: * Morgan Kaufmann Publishers, ISBN 0-12-6333361-0. Available on-line at 127: * <a 128: * href="http://www.oss.com/asn1/dubuisson.html">http://www.oss.com/asn1/dubuisson.html</a></li> 129: * <li>R. Housley et al, <i><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 130: * 3280: Internet X.509 Public Key Infrastructure Certificate and CRL 131: * Profile</a></i>.</li> 132: * </ol> 133: * 134: * @since JDK 1.2 135: * @author Mark Benvenuto 136: * @author Casey Marshall (rsdio@metastatic.org) 137: */ 138: public abstract class X509Certificate 139: extends java.security.cert.Certificate // XXX workaround for gcj bug #17845 140: implements X509Extension 141: { 142: private static final long serialVersionUID = -2491127588187038216L; 143: 144: /** 145: * Constructs a new certificate of the specified type. 146: */ 147: protected X509Certificate() 148: { 149: super( "X.509" ); 150: } 151: 152: /** 153: Checks the validity of the X.509 certificate. It is valid 154: if the current date and time are within the period specified 155: by the certificate. 156: 157: The ASN.1 DER encoding is: 158: 159: validity Validity, 160: 161: Validity ::= SEQUENCE { 162: notBefore Time, 163: notAfter Time } 164: 165: Time ::= CHOICE { 166: utcTime UTCTime, 167: generalTime GeneralizedTime } 168: 169: Consult rfc2459 for more information. 170: 171: @throws CertificateExpiredException if the certificate expired 172: @throws CertificateNotYetValidException if the certificate is 173: not yet valid 174: */ 175: public abstract void checkValidity() 176: throws CertificateExpiredException, 177: CertificateNotYetValidException; 178: 179: /** 180: Checks the validity of the X.509 certificate for the 181: specified time and date. It is valid if the specified 182: date and time are within the period specified by 183: the certificate. 184: 185: @throws CertificateExpiredException if the certificate expired 186: based on the date 187: @throws CertificateNotYetValidException if the certificate is 188: not yet valid based on the date 189: */ 190: public abstract void checkValidity(Date date) 191: throws CertificateExpiredException, 192: CertificateNotYetValidException; 193: 194: /** 195: Returns the version of this certificate. 196: 197: The ASN.1 DER encoding is: 198: 199: version [0] EXPLICIT Version DEFAULT v1, 200: 201: Version ::= INTEGER { v1(0), v2(1), v3(2) } 202: 203: Consult rfc2459 for more information. 204: 205: @return version number of certificate 206: */ 207: public abstract int getVersion(); 208: 209: /** 210: Gets the serial number for serial Number in 211: this Certifcate. It must be a unique number 212: unique other serial numbers from the granting CA. 213: 214: The ASN.1 DER encoding is: 215: 216: serialNumber CertificateSerialNumber, 217: 218: CertificateSerialNumber ::= INTEGER 219: 220: Consult rfc2459 for more information. 221: 222: @return the serial number for this X509CRLEntry. 223: */ 224: public abstract BigInteger getSerialNumber(); 225: 226: /** 227: Returns the issuer (issuer distinguished name) of the 228: Certificate. The issuer is the entity who signed 229: and issued the Certificate. 230: 231: The ASN.1 DER encoding is: 232: 233: issuer Name, 234: 235: Name ::= CHOICE { 236: RDNSequence } 237: 238: RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 239: 240: RelativeDistinguishedName ::= 241: SET OF AttributeTypeAndValue 242: 243: AttributeTypeAndValue ::= SEQUENCE { 244: type AttributeType, 245: value AttributeValue } 246: 247: AttributeType ::= OBJECT IDENTIFIER 248: 249: AttributeValue ::= ANY DEFINED BY AttributeType 250: 251: DirectoryString ::= CHOICE { 252: teletexString TeletexString (SIZE (1..MAX)), 253: printableString PrintableString (SIZE (1..MAX)), 254: universalString UniversalString (SIZE (1..MAX)), 255: utf8String UTF8String (SIZE (1.. MAX)), 256: bmpString BMPString (SIZE (1..MAX)) } 257: 258: Consult rfc2459 for more information. 259: 260: @return the issuer in the Principal class 261: */ 262: public abstract Principal getIssuerDN(); 263: 264: /** 265: Returns the subject (subject distinguished name) of the 266: Certificate. The subject is the entity who the Certificate 267: identifies. 268: 269: The ASN.1 DER encoding is: 270: 271: subject Name, 272: 273: Consult rfc2459 for more information. 274: 275: @return the issuer in the Principal class 276: */ 277: public abstract Principal getSubjectDN(); 278: 279: /** 280: Returns the date that this certificate is not to be used 281: before, <I>notBefore</I>. 282: 283: The ASN.1 DER encoding is: 284: 285: validity Validity, 286: 287: Validity ::= SEQUENCE { 288: notBefore Time, 289: notAfter Time } 290: 291: Time ::= CHOICE { 292: utcTime UTCTime, 293: generalTime GeneralizedTime } 294: 295: Consult rfc2459 for more information. 296: 297: @return the date <I>notBefore</I> 298: */ 299: public abstract Date getNotBefore(); 300: 301: /** 302: Returns the date that this certificate is not to be used 303: after, <I>notAfter</I>. 304: 305: @return the date <I>notAfter</I> 306: */ 307: public abstract Date getNotAfter(); 308: 309: 310: /** 311: Returns the <I>tbsCertificate</I> from the certificate. 312: 313: @return the DER encoded tbsCertificate 314: 315: @throws CertificateEncodingException if encoding error occurred 316: */ 317: public abstract byte[] getTBSCertificate() throws CertificateEncodingException; 318: 319: /** 320: Returns the signature in its raw DER encoded format. 321: 322: The ASN.1 DER encoding is: 323: 324: signatureValue BIT STRING 325: 326: Consult rfc2459 for more information. 327: 328: @return byte array representing signature 329: */ 330: public abstract byte[] getSignature(); 331: 332: /** 333: Returns the signature algorithm used to sign the CRL. 334: An examples is "SHA-1/DSA". 335: 336: The ASN.1 DER encoding is: 337: 338: signatureAlgorithm AlgorithmIdentifier, 339: 340: AlgorithmIdentifier ::= SEQUENCE { 341: algorithm OBJECT IDENTIFIER, 342: parameters ANY DEFINED BY algorithm OPTIONAL } 343: 344: Consult rfc2459 for more information. 345: 346: The algorithm name is determined from the OID. 347: 348: @return a string with the signature algorithm name 349: */ 350: public abstract String getSigAlgName(); 351: 352: 353: /** 354: Returns the OID for the signature algorithm used. 355: Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\ 356: 357: The ASN.1 DER encoding for the example is: 358: 359: id-dsa-with-sha1 ID ::= { 360: iso(1) member-body(2) us(840) x9-57 (10040) 361: x9cm(4) 3 } 362: 363: Consult rfc2459 for more information. 364: 365: @return a string containing the OID. 366: */ 367: public abstract String getSigAlgOID(); 368: 369: 370: /** 371: Returns the AlgorithmParameters in the encoded form 372: for the signature algorithm used. 373: 374: If access to the parameters is need, create an 375: instance of AlgorithmParameters. 376: 377: @return byte array containing algorithm parameters, null 378: if no parameters are present in certificate 379: */ 380: public abstract byte[] getSigAlgParams(); 381: 382: 383: /** 384: Returns the issuer unique ID for this certificate. 385: 386: The ASN.1 DER encoding is: 387: 388: issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 389: -- If present, version shall be v2 or v3 390: 391: UniqueIdentifier ::= BIT STRING 392: 393: Consult rfc2459 for more information. 394: 395: @return bit representation of <I>issuerUniqueID</I> 396: */ 397: public abstract boolean[] getIssuerUniqueID(); 398: 399: /** 400: Returns the subject unique ID for this certificate. 401: 402: The ASN.1 DER encoding is: 403: 404: subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 405: -- If present, version shall be v2 or v3 406: 407: UniqueIdentifier ::= BIT STRING 408: 409: Consult rfc2459 for more information. 410: 411: @return bit representation of <I>subjectUniqueID</I> 412: */ 413: public abstract boolean[] getSubjectUniqueID(); 414: 415: /** 416: Returns a boolean array representing the <I>KeyUsage</I> 417: extension for the certificate. The KeyUsage (OID = 2.5.29.15) 418: defines the purpose of the key in the certificate. 419: 420: The ASN.1 DER encoding is: 421: 422: id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } 423: 424: KeyUsage ::= BIT STRING { 425: digitalSignature (0), 426: nonRepudiation (1), 427: keyEncipherment (2), 428: dataEncipherment (3), 429: keyAgreement (4), 430: keyCertSign (5), 431: cRLSign (6), 432: encipherOnly (7), 433: decipherOnly (8) } 434: 435: Consult rfc2459 for more information. 436: 437: @return bit representation of <I>KeyUsage</I> 438: */ 439: public abstract boolean[] getKeyUsage(); 440: 441: /** 442: Returns the certificate constraints path length from the 443: critical BasicConstraints extension, (OID = 2.5.29.19). 444: 445: The basic constraints extensions is used to determine if 446: the subject of the certificate is a Certificate Authority (CA) 447: and how deep the certification path may exist. The 448: <I>pathLenConstraint</I> only takes affect if <I>cA</I> 449: is set to true. "A value of zero indicates that only an 450: end-entity certificate may follow in the path." (rfc2459) 451: 452: The ASN.1 DER encoding is: 453: 454: id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } 455: 456: BasicConstraints ::= SEQUENCE { 457: cA BOOLEAN DEFAULT FALSE, 458: pathLenConstraint INTEGER (0..MAX) OPTIONAL } 459: 460: Consult rfc2459 for more information. 461: 462: @return the length of the path constraint if BasicConstraints 463: is present and cA is TRUE. Otherwise returns -1. 464: */ 465: public abstract int getBasicConstraints(); 466: 467: // 1.4 instance methods. 468: // ------------------------------------------------------------------------ 469: 470: /** 471: * Returns the <code>ExtendedKeyUsage</code> extension of this 472: * certificate, or null if there is no extension present. The returned 473: * value is a {@link java.util.List} strings representing the object 474: * identifiers of the extended key usages. This extension has the OID 475: * 2.5.29.37. 476: * 477: * <p>The ASN.1 definition for this extension is: 478: * 479: * <blockquote><pre> 480: * ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 481: * 482: * KeyPurposeId ::= OBJECT IDENTIFIER 483: * </pre></blockquote> 484: * 485: * @return The list of extension OIDs, or null if there are none 486: * present in this certificate. 487: * @throws CertificateParsingException If this extension cannot be 488: * parsed from its encoded form. 489: */ 490: public java.util.List getExtendedKeyUsage() 491: throws CertificateParsingException 492: { 493: throw new UnsupportedOperationException(); 494: } 495: 496: /** 497: * Returns the alternative names for this certificate's subject (the 498: * owner), or null if there are none. 499: * 500: * <p>This is an X.509 extension with OID 2.5.29.17 and is defined by 501: * the ASN.1 construction: 502: * 503: * <blockquote><pre> 504: * SubjectAltNames ::= GeneralNames 505: * 506: * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 507: * 508: * GeneralName ::= CHOICE { 509: * otherName [0] OtherName, 510: * rfc822Name [1] IA5String, 511: * dNSName [2] IA5String, 512: * x400Address [3] ORAddress, 513: * directoryName [4] Name, 514: * ediPartyName [5] EDIPartyName, 515: * uniformResourceIdentifier [6] IA5String, 516: * iPAddress [7] OCTET STRING, 517: * registeredID [8] OBJECT IDENTIFIER 518: * } 519: * </pre></blockquote> 520: * 521: * <p>The returned collection contains one or more two-element Lists, 522: * with the first object being an Integer representing the choice 523: * above (with value 0 through 8) and the second being an (a) String 524: * if the <code>GeneralName</code> is a rfc822Name, dNSName, 525: * uniformResourceIdentifier, iPAddress, or registeredID, or (b) a 526: * byte array of the DER encoded form for any others. 527: * 528: * @return The collection of alternative names, or null if there are 529: * none. 530: * @throws CertificateParsingException If the encoded extension cannot 531: * be parsed. 532: * @since JDK 1.4 533: */ 534: public java.util.Collection getSubjectAlternativeNames() 535: throws CertificateParsingException 536: { 537: throw new UnsupportedOperationException(); 538: } 539: 540: /** 541: * Returns the alternative names for this certificate's issuer, or 542: * null if there are none. 543: * 544: * <p>This is an X.509 extension with OID 2.5.29.18, and is defined by 545: * the ASN.1 construction: 546: * 547: * <blockquote><pre> 548: * IssuerAltNames ::= GeneralNames 549: * </pre></blockquote> 550: * 551: * <p>The <code>GeneralNames</code> construct and the form of the 552: * returned collection are the same as with {@link 553: * #getSubjectAlternativeNames()}. 554: * 555: * @return The collection of alternative names, or null if there are 556: * none. 557: * @throws CertificateParsingException If the encoded extension cannot 558: * be parsed. 559: * @since JDK 1.4 560: */ 561: public java.util.Collection getIssuerAlternativeNames() 562: throws CertificateParsingException 563: { 564: throw new UnsupportedOperationException(); 565: } 566: 567: /** 568: * Returns the X.500 distinguished name of this certificate's subject. 569: * 570: * @return The subject's X.500 distinguished name. 571: * @since JDK 1.4 572: */ 573: public javax.security.auth.x500.X500Principal getSubjectX500Principal() 574: { 575: throw new UnsupportedOperationException(); 576: } 577: 578: /** 579: * Returns the X.500 distinguished name of this certificate's issuer. 580: * 581: * @return The issuer's X.500 distinguished name. 582: * @since JDK 1.4 583: */ 584: public javax.security.auth.x500.X500Principal getIssuerX500Principal() 585: { 586: throw new UnsupportedOperationException(); 587: } 588: }
GNU Classpath (0.20) |