public class

X509CertImpl

extends X509Certificate
implements DerEncoder
java.lang.Object
   ↳ java.security.cert.Certificate
     ↳ java.security.cert.X509Certificate
       ↳ sun.security.x509.X509CertImpl

Class Overview

The X509CertImpl class represents an X.509 certificate. These certificates are widely used to support authentication and other functionality in Internet security systems. Common applications include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET). There is a commercial infrastructure ready to manage large scale deployments of X.509 identity certificates.

These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. Such signatures are quite difficult to forge. CAs act as trusted third parties, making introductions between agents who have no direct knowledge of each other. CA certificates are either signed by themselves, or by some other CA such as a "root" CA.

RFC 1422 is very informative, though it does not describe much of the recent work being done with X.509 certificates. That includes a 1996 version (X.509v3) and a variety of enhancements being made to facilitate an explosion of personal certificates used as "Internet Drivers' Licences", or with SET for credit card transactions.

More recent work includes the IETF PKIX Working Group efforts, especially RFC2459.

See Also

Summary

Constants
String ALG_ID
String INFO
String ISSUER_DN
String NAME Public attribute names.
String PUBLIC_KEY
String SERIAL_ID
String SIG
String SIGNATURE
String SIGNED_CERT
String SIG_ALG
String SUBJECT_DN The following are defined for ease-of-use.
String VERSION
Fields
protected AlgorithmId algId
protected X509CertInfo info
protected byte[] signature
Public Constructors
X509CertImpl()
Default constructor.
X509CertImpl(byte[] certData)
Unmarshals a certificate from its encoded form, parsing the encoded bytes.
X509CertImpl(InputStream in)
unmarshals an X.509 certificate from an input stream.
X509CertImpl(X509CertInfo certInfo)
Construct an initialized X509 Certificate.
X509CertImpl(DerValue derVal)
Unmarshal a certificate from its encoded form, parsing a DER value.
Public Methods
void checkValidity()
Checks that the certificate is currently valid, i.e.
void checkValidity(Date date)
Checks that the specified date is within the certificate's validity period, or basically if the certificate would be valid at the specified date/time.
void delete(String name)
Delete the requested attribute from the certificate.
void derEncode(OutputStream out)
DER encode this object onto an output stream.
void encode(OutputStream out)
Appends the certificate to an output stream.
Object get(String name)
Return the requested attribute from the certificate.
AuthorityInfoAccessExtension getAuthorityInfoAccessExtension()
AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension()
Get AuthorityKeyIdentifier extension
int getBasicConstraints()
Get the certificate constraints path length from the the critical BasicConstraints extension, (oid = 2.5.29.19).
BasicConstraintsExtension getBasicConstraintsExtension()
Get BasicConstraints extension
CRLDistributionPointsExtension getCRLDistributionPointsExtension()
Get CRLDistributionPoints extension
CertificatePoliciesExtension getCertificatePoliciesExtension()
Get CertificatePoliciesExtension
Set<String> getCriticalExtensionOIDs()
Gets a Set of the extension(s) marked CRITICAL in the certificate.
Enumeration<String> getElements()
Return an enumeration of names of attributes existing within this attribute.
byte[] getEncoded()
Returns the encoded form of this certificate.
byte[] getEncodedInternal()
Returned the encoding as an uncloned byte array.
static byte[] getEncodedInternal(Certificate cert)
Returned the encoding of the given certificate for internal use.
synchronized List<String> getExtendedKeyUsage()
This method are the overridden implementation of getExtendedKeyUsage method in X509Certificate in the Sun provider.
static List<String> getExtendedKeyUsage(X509Certificate cert)
This static method is the default implementation of the getExtendedKeyUsage method in X509Certificate.
ExtendedKeyUsageExtension getExtendedKeyUsageExtension()
Get ExtendedKeyUsage extension
Extension getExtension(ObjectIdentifier oid)
Gets the extension identified by the given ObjectIdentifier
byte[] getExtensionValue(String oid)
Gets the DER encoded extension identified by the given oid String.
IssuerAlternativeNameExtension getIssuerAlternativeNameExtension()
Get IssuerAlternativeName extension
static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert)
This static method is the default implementation of the getIssuerAlternaitveNames method in X509Certificate.
synchronized Collection<List<?>> getIssuerAlternativeNames()
This method are the overridden implementation of getIssuerAlternativeNames method in X509Certificate in the Sun provider.
Principal getIssuerDN()
Gets the issuer distinguished name from the certificate.
boolean[] getIssuerUniqueID()
Gets the Issuer Unique Identity from the certificate.
X500Principal getIssuerX500Principal()
Get issuer name as X500Principal.
static X500Principal getIssuerX500Principal(X509Certificate cert)
Extract the issuer X500Principal from an X509Certificate.
boolean[] getKeyUsage()
Get a boolean array representing the bits of the KeyUsage extension, (oid = 2.5.29.15).
String getName()
Return the name of this attribute.
NameConstraintsExtension getNameConstraintsExtension()
Get NameConstraints extension
Set<String> getNonCriticalExtensionOIDs()
Gets a Set of the extension(s) marked NON-CRITICAL in the certificate.
Date getNotAfter()
Gets the notAfter date from the validity period of the certificate.
Date getNotBefore()
Gets the notBefore date from the validity period of the certificate.
PolicyConstraintsExtension getPolicyConstraintsExtension()
Get PolicyConstraints extension
PolicyMappingsExtension getPolicyMappingsExtension()
Get PolicyMappingsExtension extension
PrivateKeyUsageExtension getPrivateKeyUsageExtension()
Get PrivateKeyUsage extension
PublicKey getPublicKey()
Gets the publickey from this certificate.
BigInteger getSerialNumber()
Gets the serial number from the certificate.
SerialNumber getSerialNumberObject()
Gets the serial number from the certificate as a SerialNumber object.
String getSigAlgName()
Gets the signature algorithm name for the certificate signature algorithm.
String getSigAlgOID()
Gets the signature algorithm OID string from the certificate.
byte[] getSigAlgParams()
Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.
byte[] getSignature()
Gets the raw Signature bits from the certificate.
SubjectAlternativeNameExtension getSubjectAlternativeNameExtension()
Get SubjectAlternativeName extension
synchronized Collection<List<?>> getSubjectAlternativeNames()
This method are the overridden implementation of getSubjectAlternativeNames method in X509Certificate in the Sun provider.
static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert)
This static method is the default implementation of the getSubjectAlternaitveNames method in X509Certificate.
Principal getSubjectDN()
Gets the subject distinguished name from the certificate.
SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension()
Get SubjectKeyIdentifier extension
boolean[] getSubjectUniqueID()
Gets the Subject Unique Identity from the certificate.
static X500Principal getSubjectX500Principal(X509Certificate cert)
Extract the subject X500Principal from an X509Certificate.
X500Principal getSubjectX500Principal()
Get subject name as X500Principal.
byte[] getTBSCertificate()
Gets the DER encoded certificate informations, the tbsCertificate from this certificate.
Extension getUnparseableExtension(ObjectIdentifier oid)
int getVersion()
Gets the version number from the certificate.
boolean hasUnsupportedCriticalExtension()
Return true if a critical extension is found that is not supported, otherwise return false.
static boolean isSelfIssued(X509Certificate cert)
Utility method to test if a certificate is self-issued.
static boolean isSelfSigned(X509Certificate cert, String sigProvider)
Utility method to test if a certificate is self-signed.
void set(String name, Object obj)
Set the requested attribute in the certificate.
void sign(PrivateKey key, String algorithm, String provider)
Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name).
void sign(PrivateKey key, String algorithm)
Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name).
static X509CertImpl toImpl(X509Certificate cert)
Utility method to convert an arbitrary instance of X509Certificate to a X509CertImpl.
String toString()
Returns a printable representation of the certificate.
synchronized void verify(PublicKey key, String sigProvider)
Throws an exception if the certificate was not signed using the verification key provided.
void verify(PublicKey key)
Throws an exception if the certificate was not signed using the verification key provided.
[Expand]
Inherited Methods
From class java.security.cert.X509Certificate
From class java.security.cert.Certificate
From class java.lang.Object
From interface java.security.cert.X509Extension
From interface sun.security.util.DerEncoder

Constants

public static final String ALG_ID

Constant Value: "algorithm"

public static final String INFO

Constant Value: "info"

public static final String ISSUER_DN

Constant Value: "x509.info.issuer.dname"

public static final String NAME

Public attribute names.

Constant Value: "x509"

public static final String PUBLIC_KEY

Constant Value: "x509.info.key.value"

public static final String SERIAL_ID

Constant Value: "x509.info.serialNumber.number"

public static final String SIG

Constant Value: "x509.signature"

public static final String SIGNATURE

Constant Value: "signature"

public static final String SIGNED_CERT

Constant Value: "signed_cert"

public static final String SIG_ALG

Constant Value: "x509.algorithm"

public static final String SUBJECT_DN

The following are defined for ease-of-use. These are the most frequently retrieved attributes.

Constant Value: "x509.info.subject.dname"

public static final String VERSION

Constant Value: "x509.info.version.number"

Fields

protected AlgorithmId algId

protected X509CertInfo info

protected byte[] signature

Public Constructors

public X509CertImpl ()

Default constructor.

public X509CertImpl (byte[] certData)

Unmarshals a certificate from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use certificate contents. That is, this is one of the more commonly used constructors. Note that the buffer must include only a certificate, and no "garbage" may be left at the end. If you need to ignore data at the end of a certificate, use another constructor.

Parameters
certData the encoded bytes, with no trailing padding.
Throws
CertificateException on parsing and initialization errors.

public X509CertImpl (InputStream in)

unmarshals an X.509 certificate from an input stream. If the certificate is RFC1421 hex-encoded, then it must begin with the line X509Factory.BEGIN_CERT and end with the line X509Factory.END_CERT.

Parameters
in an input stream holding at least one certificate that may be either DER-encoded or RFC1421 hex-encoded version of the DER-encoded certificate.
Throws
CertificateException on parsing and initialization errors.

public X509CertImpl (X509CertInfo certInfo)

Construct an initialized X509 Certificate. The certificate is stored in raw form and has to be signed to be useful.

public X509CertImpl (DerValue derVal)

Unmarshal a certificate from its encoded form, parsing a DER value. This form of constructor is used by agents which need to examine and use certificate contents.

Parameters
derVal the der value containing the encoded cert.
Throws
CertificateException on parsing and initialization errors.

Public Methods

public void checkValidity ()

Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.

Throws
CertificateExpiredException if the certificate has expired.
CertificateNotYetValidException if the certificate is not yet valid.

public void checkValidity (Date date)

Checks that the specified date is within the certificate's validity period, or basically if the certificate would be valid at the specified date/time.

Parameters
date the Date to check against to see if this certificate is valid at that date/time.
Throws
CertificateExpiredException if the certificate has expired with respect to the date supplied.
CertificateNotYetValidException if the certificate is not yet valid with respect to the date supplied.

public void delete (String name)

Delete the requested attribute from the certificate.

Parameters
name the name of the attribute.
Throws
CertificateException on invalid attribute identifier.
IOException on other errors.

public void derEncode (OutputStream out)

DER encode this object onto an output stream. Implements the DerEncoder interface.

Parameters
out the output stream on which to write the DER encoding.
Throws
IOException on encoding error.

public void encode (OutputStream out)

Appends the certificate to an output stream.

Parameters
out an input stream to which the certificate is appended.
Throws
CertificateEncodingException on encoding errors.

public Object get (String name)

Return the requested attribute from the certificate. Note that the X509CertInfo is not cloned for performance reasons. Callers must ensure that they do not modify it. All other attributes are cloned.

Parameters
name the name of the attribute.
Throws
CertificateParsingException on invalid attribute identifier.

public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension ()

public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension ()

Get AuthorityKeyIdentifier extension

Returns
  • AuthorityKeyIdentifier object or null (if no such object in certificate)

public int getBasicConstraints ()

Get the certificate constraints path length from the the critical BasicConstraints extension, (oid = 2.5.29.19).

Returns
  • the length of the constraint.

public BasicConstraintsExtension getBasicConstraintsExtension ()

Get BasicConstraints extension

Returns
  • BasicConstraints object or null (if no such object in certificate)

public CRLDistributionPointsExtension getCRLDistributionPointsExtension ()

Get CRLDistributionPoints extension

Returns
  • CRLDistributionPoints object or null (if no such object in certificate)

public CertificatePoliciesExtension getCertificatePoliciesExtension ()

Get CertificatePoliciesExtension

Returns
  • CertificatePoliciesExtension or null (if no such object in certificate)

public Set<String> getCriticalExtensionOIDs ()

Gets a Set of the extension(s) marked CRITICAL in the certificate. In the returned set, each extension is represented by its OID string.

Returns
  • a set of the extension oid strings in the certificate that are marked critical.

public Enumeration<String> getElements ()

Return an enumeration of names of attributes existing within this attribute.

public byte[] getEncoded ()

Returns the encoded form of this certificate. It is assumed that each certificate type would have only a single form of encoding; for example, X.509 certificates would be encoded as ASN.1 DER.

Returns
  • the encoded form of this certificate
Throws
CertificateEncodingException if an encoding error occurs.

public byte[] getEncodedInternal ()

Returned the encoding as an uncloned byte array. Callers must guarantee that they neither modify it nor expose it to untrusted code.

Throws
CertificateEncodingException

public static byte[] getEncodedInternal (Certificate cert)

Returned the encoding of the given certificate for internal use. Callers must guarantee that they neither modify it nor expose it to untrusted code. Uses getEncodedInternal() if the certificate is instance of X509CertImpl, getEncoded() otherwise.

Throws
CertificateEncodingException

public synchronized List<String> getExtendedKeyUsage ()

This method are the overridden implementation of getExtendedKeyUsage method in X509Certificate in the Sun provider. It is better performance-wise since it returns cached values.

Returns
  • the ExtendedKeyUsage extension of this certificate, as an unmodifiable list of object identifiers represented as Strings. Returns null if this certificate does not contain an ExtendedKeyUsage extension.
Throws
CertificateParsingException

public static List<String> getExtendedKeyUsage (X509Certificate cert)

This static method is the default implementation of the getExtendedKeyUsage method in X509Certificate. A X509Certificate provider generally should overwrite this to provide among other things caching for better performance.

Throws
CertificateParsingException

public ExtendedKeyUsageExtension getExtendedKeyUsageExtension ()

Get ExtendedKeyUsage extension

Returns
  • ExtendedKeyUsage extension object or null (if no such object in certificate)

public Extension getExtension (ObjectIdentifier oid)

Gets the extension identified by the given ObjectIdentifier

Parameters
oid the Object Identifier value for the extension.
Returns
  • Extension or null if certificate does not contain this extension

public byte[] getExtensionValue (String oid)

Gets the DER encoded extension identified by the given oid String.

Parameters
oid the Object Identifier value for the extension.

public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension ()

Get IssuerAlternativeName extension

Returns
  • IssuerAlternativeName object or null (if no such object in certificate)

public static Collection<List<?>> getIssuerAlternativeNames (X509Certificate cert)

This static method is the default implementation of the getIssuerAlternaitveNames method in X509Certificate. A X509Certificate provider generally should overwrite this to provide among other things caching for better performance.

Throws
CertificateParsingException

public synchronized Collection<List<?>> getIssuerAlternativeNames ()

This method are the overridden implementation of getIssuerAlternativeNames method in X509Certificate in the Sun provider. It is better performance-wise since it returns cached values.

Returns
  • an immutable Collection of issuer alternative names (or null)
Throws
CertificateParsingException

public Principal getIssuerDN ()

Gets the issuer distinguished name from the certificate.

Returns
  • the issuer name.

public boolean[] getIssuerUniqueID ()

Gets the Issuer Unique Identity from the certificate.

Returns
  • the Issuer Unique Identity.

public X500Principal getIssuerX500Principal ()

Get issuer name as X500Principal. Overrides implementation in X509Certificate with a slightly more efficient version that is also aware of X509CertImpl mutability.

Returns
  • an X500Principal representing the issuer distinguished name

public static X500Principal getIssuerX500Principal (X509Certificate cert)

Extract the issuer X500Principal from an X509Certificate. Called from java.security.cert.X509Certificate.getIssuerX500Principal().

public boolean[] getKeyUsage ()

Get a boolean array representing the bits of the KeyUsage extension, (oid = 2.5.29.15).

Returns
  • the bit values of this extension as an array of booleans.

public String getName ()

Return the name of this attribute.

public NameConstraintsExtension getNameConstraintsExtension ()

Get NameConstraints extension

Returns
  • NameConstraints object or null (if no such object in certificate)

public Set<String> getNonCriticalExtensionOIDs ()

Gets a Set of the extension(s) marked NON-CRITICAL in the certificate. In the returned set, each extension is represented by its OID string.

Returns
  • a set of the extension oid strings in the certificate that are NOT marked critical.

public Date getNotAfter ()

Gets the notAfter date from the validity period of the certificate.

Returns
  • the end date of the validity period.

public Date getNotBefore ()

Gets the notBefore date from the validity period of the certificate.

Returns
  • the start date of the validity period.

public PolicyConstraintsExtension getPolicyConstraintsExtension ()

Get PolicyConstraints extension

Returns
  • PolicyConstraints object or null (if no such object in certificate)

public PolicyMappingsExtension getPolicyMappingsExtension ()

Get PolicyMappingsExtension extension

Returns
  • PolicyMappingsExtension object or null (if no such object in certificate)

public PrivateKeyUsageExtension getPrivateKeyUsageExtension ()

Get PrivateKeyUsage extension

Returns
  • PrivateKeyUsage object or null (if no such object in certificate)

public PublicKey getPublicKey ()

Gets the publickey from this certificate.

Returns
  • the publickey.

public BigInteger getSerialNumber ()

Gets the serial number from the certificate.

Returns
  • the serial number.

public SerialNumber getSerialNumberObject ()

Gets the serial number from the certificate as a SerialNumber object.

Returns
  • the serial number.

public String getSigAlgName ()

Gets the signature algorithm name for the certificate signature algorithm. For example, the string "SHA-1/DSA" or "DSS".

Returns
  • the signature algorithm name.

public String getSigAlgOID ()

Gets the signature algorithm OID string from the certificate. For example, the string "1.2.840.10040.4.3"

Returns
  • the signature algorithm oid string.

public byte[] getSigAlgParams ()

Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.

Returns
  • the DER encoded signature algorithm parameters, or null if no parameters are present.

public byte[] getSignature ()

Gets the raw Signature bits from the certificate.

Returns
  • the signature.

public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension ()

Get SubjectAlternativeName extension

Returns
  • SubjectAlternativeName object or null (if no such object in certificate)

public synchronized Collection<List<?>> getSubjectAlternativeNames ()

This method are the overridden implementation of getSubjectAlternativeNames method in X509Certificate in the Sun provider. It is better performance-wise since it returns cached values.

Returns
  • an immutable Collection of subject alternative names (or null)
Throws
CertificateParsingException

public static Collection<List<?>> getSubjectAlternativeNames (X509Certificate cert)

This static method is the default implementation of the getSubjectAlternaitveNames method in X509Certificate. A X509Certificate provider generally should overwrite this to provide among other things caching for better performance.

Throws
CertificateParsingException

public Principal getSubjectDN ()

Gets the subject distinguished name from the certificate.

Returns
  • the subject name.

public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension ()

Get SubjectKeyIdentifier extension

Returns
  • SubjectKeyIdentifier object or null (if no such object in certificate)

public boolean[] getSubjectUniqueID ()

Gets the Subject Unique Identity from the certificate.

Returns
  • the Subject Unique Identity.

public static X500Principal getSubjectX500Principal (X509Certificate cert)

Extract the subject X500Principal from an X509Certificate. Called from java.security.cert.X509Certificate.getSubjectX500Principal().

public X500Principal getSubjectX500Principal ()

Get subject name as X500Principal. Overrides implementation in X509Certificate with a slightly more efficient version that is also aware of X509CertImpl mutability.

Returns
  • an X500Principal representing the subject distinguished name

public byte[] getTBSCertificate ()

Gets the DER encoded certificate informations, the tbsCertificate from this certificate. This can be used to verify the signature independently.

Returns
  • the DER encoded certificate information.
Throws
CertificateEncodingException if an encoding error occurs.

public Extension getUnparseableExtension (ObjectIdentifier oid)

public int getVersion ()

Gets the version number from the certificate.

Returns
  • the version number, i.e. 1, 2 or 3.

public boolean hasUnsupportedCriticalExtension ()

Return true if a critical extension is found that is not supported, otherwise return false.

public static boolean isSelfIssued (X509Certificate cert)

Utility method to test if a certificate is self-issued. This is the case iff the subject and issuer X500Principals are equal.

public static boolean isSelfSigned (X509Certificate cert, String sigProvider)

Utility method to test if a certificate is self-signed. This is the case iff the subject and issuer X500Principals are equal AND the certificate's subject public key can be used to verify the certificate. In case of exception, returns false.

public void set (String name, Object obj)

Set the requested attribute in the certificate.

Parameters
name the name of the attribute.
obj the value of the attribute.
Throws
CertificateException on invalid attribute identifier.
IOException on encoding error of attribute.

public void sign (PrivateKey key, String algorithm, String provider)

Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.

Parameters
key the private key used for signing.
algorithm the name of the signature algorithm used.
provider the name of the provider.
Throws
NoSuchAlgorithmException on unsupported signature algorithms.
InvalidKeyException on incorrect key.
NoSuchProviderException on incorrect provider.
SignatureException on signature errors.
CertificateException on encoding errors.

public void sign (PrivateKey key, String algorithm)

Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.

Parameters
key the private key used for signing.
algorithm the name of the signature algorithm used.
Throws
InvalidKeyException on incorrect key.
NoSuchAlgorithmException on unsupported signature algorithms.
NoSuchProviderException if there's no default provider.
SignatureException on signature errors.
CertificateException on encoding errors.

public static X509CertImpl toImpl (X509Certificate cert)

Utility method to convert an arbitrary instance of X509Certificate to a X509CertImpl. Does a cast if possible, otherwise reparses the encoding.

Throws
CertificateException

public String toString ()

Returns a printable representation of the certificate. This does not contain all the information available to distinguish this from any other certificate. The certificate must be fully constructed before this function may be called.

Returns
  • a string representation of this certificate.

public synchronized void verify (PublicKey key, String sigProvider)

Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.

Parameters
key the public key used for verification.
sigProvider the name of the provider.
Throws
NoSuchAlgorithmException on unsupported signature algorithms.
InvalidKeyException on incorrect key.
NoSuchProviderException on incorrect provider.
SignatureException on signature errors.
CertificateException on encoding errors.

public void verify (PublicKey key)

Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.

Parameters
key the public key used for verification.
Throws
InvalidKeyException on incorrect key.
NoSuchAlgorithmException on unsupported signature algorithms.
NoSuchProviderException if there's no default provider.
SignatureException on signature errors.
CertificateException on encoding errors.