com.ibm.security12.sun.security.x509
Class X509CertImpl

java.lang.Object
  |
  +--com.ibm.security12.java.security.cert.Certificate
        |
        +--com.ibm.security12.java.security.cert.X509Certificate
              |
              +--com.ibm.security12.sun.security.x509.X509CertImpl

public class X509CertImpl
extends X509Certificate
implements DerEncoder

The X509CertImpl class represents an X.509 certificate. These certificates are widely used to support authentication and other functionality in Internet security systems. Common applications include Privacy Enhanced Mail (PEM), Transport Layer Security (TLS, the successor to SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET). There is a commercial infrastructure ready to manage large scale deployments of X.509 identity certificates.

These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. Such signatures are quite difficult to forge. CAs act as trusted third parties, making introductions between agents who have no direct knowledge of each other. A CA's own certificate is either self-signed, as a "root" CA's is, or signed by some other CA.

RFC 1422 is very informative, though it does not describe much of the recent work being done with X.509 certificates. That includes a 1996 version (X.509v3) and a variety of enhancements being made to facilitate an explosion of personal certificates used as "Internet Drivers' Licences", or with SET for credit card transactions.

More recent work includes the IETF PKIX Working Group efforts, especially part 1.

Version:
1.103 98/09/11
Author:
Dave Brownell, Amit Kapoor, Hemma Prafullchandra
See Also:
X509CertInfo

Field Summary
static String ALG_ID
           
protected  AlgorithmId algId
           
protected  X509CertInfo info
           
static String INFO
           
static String ISSUER_DN
           
static String NAME
          Public attribute names.
static String PUBLIC_KEY
           
static String SERIAL_ID
           
static String SIG
           
static String SIG_ALG
           
protected  byte[] signature
           
static String SIGNATURE
           
static String SIGNED_CERT
           
static String SUBJECT_DN
          The following are defined for ease-of-use.
 
Constructor Summary
X509CertImpl()
          Default constructor.
X509CertImpl(byte[] certData)
          Unmarshals a certificate from its encoded form, parsing the encoded bytes.
X509CertImpl(DerValue derVal)
          Unmarshal a certificate from its encoded form, parsing a DER value.
X509CertImpl(InputStream in)
          unmarshals an X.509 certificate from an input stream.
X509CertImpl(X509CertInfo certInfo)
          Construct an initialized X509 Certificate.
 
Method Summary
 void checkValidity()
          Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.
 void checkValidity(Date date)
          Checks that the specified date is within the certificate's validity period, or basically if the certificate would be valid at the specified date/time.
 void delete(String name)
          Delete the requested attribute from the certificate.
 void derEncode(OutputStream out)
          DER encode this object onto an output stream.
 void encode(OutputStream out)
          Appends the certificate to an output stream.
 Object get(String name)
          Return the requested attribute from the certificate.
 int getBasicConstraints()
          Get the certificate constraints path length from the critical BasicConstraints extension, (oid = 2.5.29.19).
 Set getCriticalExtensionOIDs()
          Gets a Set of the extension(s) marked CRITICAL in the certificate.
 Enumeration getElements()
          Return an enumeration of names of attributes existing within this attribute.
 byte[] getEncoded()
          Returns the encoded form of this certificate.
 byte[] getExtensionValue(String oid)
          Gets the DER encoded extension identified by the given oid String.
 Principal getIssuerDN()
          Gets the issuer distinguished name from the certificate.
 boolean[] getIssuerUniqueID()
          Gets the Issuer Unique Identity from the certificate.
 boolean[] getKeyUsage()
          Get a boolean array representing the bits of the KeyUsage extension, (oid = 2.5.29.15).
 String getName()
          Return the name of this attribute.
 Set getNonCriticalExtensionOIDs()
          Gets a Set of the extension(s) marked NON-CRITICAL in the certificate.
 Date getNotAfter()
          Gets the notAfter date from the validity period of the certificate.
 Date getNotBefore()
          Gets the notBefore date from the validity period of the certificate.
 PublicKey getPublicKey()
          Gets the public key from this certificate.
 java.math.BigInteger getSerialNumber()
          Gets the serial number from the certificate.
 String getSigAlgName()
          Gets the signature algorithm name for the certificate signature algorithm.
 String getSigAlgOID()
          Gets the signature algorithm OID string from the certificate.
 byte[] getSigAlgParams()
          Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.
 byte[] getSignature()
          Gets the raw Signature bits from the certificate.
 Principal getSubjectDN()
          Gets the subject distinguished name from the certificate.
 boolean[] getSubjectUniqueID()
          Gets the Subject Unique Identity from the certificate.
 byte[] getTBSCertificate()
          Gets the DER encoded certificate information, the tbsCertificate, from this certificate.
 int getVersion()
          Gets the version number from the certificate.
 boolean hasUnsupportedCriticalExtension()
          Return true if a critical extension is found that is not supported, otherwise return false.
 void set(String name, Object obj)
          Set the requested attribute in the certificate.
 void sign(PrivateKey key, String algorithm)
          Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name).
 void sign(PrivateKey key, String algorithm, String provider)
          Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name).
 String toString()
          Returns a printable representation of the certificate.
 void verify(PublicKey key)
          Throws an exception if the certificate was not signed using the verification key provided.
 void verify(PublicKey key, String sigProvider)
          Throws an exception if the certificate was not signed using the verification key provided.
 
Methods inherited from class com.ibm.security12.java.security.cert.Certificate
equals, getType, hashCode
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Field Detail

NAME

public static final String NAME
Public attribute names.

INFO

public static final String INFO

ALG_ID

public static final String ALG_ID

SIGNATURE

public static final String SIGNATURE

SIGNED_CERT

public static final String SIGNED_CERT

SUBJECT_DN

public static final String SUBJECT_DN
The following are defined for ease-of-use. These are the most frequently retrieved attributes.

ISSUER_DN

public static final String ISSUER_DN

SERIAL_ID

public static final String SERIAL_ID

PUBLIC_KEY

public static final String PUBLIC_KEY

SIG_ALG

public static final String SIG_ALG

SIG

public static final String SIG

info

protected X509CertInfo info

algId

protected AlgorithmId algId

signature

protected byte[] signature
Constructor Detail

X509CertImpl

public X509CertImpl()
Default constructor.

X509CertImpl

public X509CertImpl(byte[] certData)
             throws CertificateException
Unmarshals a certificate from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use certificate contents. That is, this is one of the more commonly used constructors. Note that the buffer must include only a certificate, and no "garbage" may be left at the end. If you need to ignore data at the end of a certificate, use another constructor.
Parameters:
certData - the encoded bytes, with no trailing padding.
Throws:
CertificateException - on parsing and initialization errors.

X509CertImpl

public X509CertImpl(InputStream in)
             throws CertificateException
Unmarshals an X.509 certificate from an input stream. Unlike the byte[] constructor, this form reads one certificate and leaves any data that follows it in the stream.
Parameters:
in - an input stream holding at least one certificate
Throws:
CertificateException - on parsing and initialization errors.

X509CertImpl

public X509CertImpl(X509CertInfo certInfo)
Construct an initialized X509 Certificate. The certificate is stored in raw form and has to be signed to be useful.

X509CertImpl

public X509CertImpl(DerValue derVal)
             throws CertificateException
Unmarshal a certificate from its encoded form, parsing a DER value. This form of constructor is used by agents which need to examine and use certificate contents.
Parameters:
derVal - the der value containing the encoded cert.
Throws:
CertificateException - on parsing and initialization errors.
Method Detail

encode

public void encode(OutputStream out)
            throws CertificateEncodingException
Appends the certificate to an output stream.
Parameters:
out - the output stream to which the certificate is appended.
Throws:
CertificateEncodingException - on encoding errors.

derEncode

public void derEncode(OutputStream out)
               throws IOException
DER encode this object onto an output stream. Implements the DerEncoder interface.
Specified by:
derEncode in interface DerEncoder
Parameters:
out - the output stream on which to write the DER encoding.
Throws:
IOException - on encoding error.

getEncoded

public byte[] getEncoded()
                  throws CertificateEncodingException
Returns the encoded form of this certificate. It is assumed that each certificate type would have only a single form of encoding; for example, X.509 certificates would be encoded as ASN.1 DER.
Throws:
CertificateEncodingException - if an encoding error occurs.
Overrides:
getEncoded in class Certificate

verify

public void verify(PublicKey key)
            throws CertificateException,
                   NoSuchAlgorithmException,
                   InvalidKeyException,
                   NoSuchProviderException,
                   SignatureException
Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.
Parameters:
key - the public key used for verification.
Throws:
InvalidKeyException - on incorrect key.
NoSuchAlgorithmException - on unsupported signature algorithms.
NoSuchProviderException - if there's no default provider.
SignatureException - on signature errors.
CertificateException - on encoding errors.
Overrides:
verify in class Certificate

verify

public void verify(PublicKey key,
                   String sigProvider)
            throws CertificateException,
                   NoSuchAlgorithmException,
                   InvalidKeyException,
                   NoSuchProviderException,
                   SignatureException
Throws an exception if the certificate was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.
Parameters:
key - the public key used for verification.
sigProvider - the name of the provider.
Throws:
NoSuchAlgorithmException - on unsupported signature algorithms.
InvalidKeyException - on incorrect key.
NoSuchProviderException - on incorrect provider.
SignatureException - on signature errors.
CertificateException - on encoding errors.
Overrides:
verify in class Certificate
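The sentence above, "successfully verifying a certificate does not indicate that one should trust the entity which it represents", is the important caveat: verify() only proves which key produced the signature. The following program is an added example, not code from the X509CertImpl sources or from IBM, showing the minimum a relying party adds around verify(): the validity check at an explicit time and the name-chaining check that ties the signing key to the issuer named in the certificate. It assumes the certificate and its issuer's certificate are DER files named on the command line, and it uses the byte[] constructor, which is why the whole file is read into one buffer first.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.util.Date;

import com.ibm.security12.sun.security.x509.X509CertImpl;

/*
 * Added example, not part of the X509CertImpl sources: verify one
 * certificate against the certificate of its issuer.  Assumes the two
 * DER-encoded certificates are given as file paths on the command line.
 */
public class VerifyAgainstIssuer {

    // X509CertImpl(byte[]) requires exactly one certificate and nothing
    // after it, so read the file completely and hand over the whole buffer.
    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    static X509CertImpl load(String path) throws IOException, CertificateException {
        FileInputStream in = new FileInputStream(path);
        try {
            return new X509CertImpl(readAll(in));
        } finally {
            in.close();
        }
    }

    // Returns normally only if all three checks pass; each failure is a
    // distinct exception so the caller can see which one failed.
    static void check(X509CertImpl cert, X509CertImpl issuer, Date at)
            throws Exception {
        // 1. Signature.  Proves that the holder of the issuer's private key
        //    signed tbsCertificate; it does not make the issuer trustworthy.
        cert.verify(issuer.getPublicKey());

        // 2. Validity period at the time of interest.  Passing the Date
        //    explicitly lets the same check be applied when auditing an
        //    event that happened in the past.
        cert.checkValidity(at);

        // 3. Name chaining.  The issuer DN inside cert must be the subject DN
        //    of the certificate whose key verified it; otherwise a signature
        //    by whatever key the caller happened to supply would be accepted.
        if (!cert.getIssuerDN().equals(issuer.getSubjectDN())) {
            throw new CertificateException("issuer " + cert.getIssuerDN()
                + " is not the subject of the supplied issuer certificate ("
                + issuer.getSubjectDN() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java VerifyAgainstIssuer cert.der issuer.der");
            System.exit(2);
        }
        X509CertImpl cert = load(args[0]);
        X509CertImpl issuer = load(args[1]);
        check(cert, issuer, new Date());
        System.out.println("OK: " + cert.getSubjectDN() + " serial "
            + cert.getSerialNumber() + " verified under " + issuer.getSubjectDN());
    }
}
```

The input must be raw DER; a PEM file with a -----BEGIN CERTIFICATE----- header is not a certificate encoding and the byte[] constructor rejects it. Whether the issuer is itself allowed to sign certificates (BasicConstraints, KeyUsage) and whether the chain ends at a trust anchor are further, separate checks that verify() deliberately leaves to the caller.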

sign

public void sign(PrivateKey key,
                 String algorithm)
          throws CertificateException,
                 NoSuchAlgorithmException,
                 InvalidKeyException,
                 NoSuchProviderException,
                 SignatureException
Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.
Parameters:
key - the private key used for signing.
algorithm - the name of the signature algorithm used.
Throws:
InvalidKeyException - on incorrect key.
NoSuchAlgorithmException - on unsupported signature algorithms.
NoSuchProviderException - if there's no default provider.
SignatureException - on signature errors.
CertificateException - on encoding errors.

sign

public void sign(PrivateKey key,
                 String algorithm,
                 String provider)
          throws CertificateException,
                 NoSuchAlgorithmException,
                 InvalidKeyException,
                 NoSuchProviderException,
                 SignatureException
Creates an X.509 certificate, and signs it using the given key (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.
Parameters:
key - the private key used for signing.
algorithm - the name of the signature algorithm used.
provider - the name of the provider.
Throws:
NoSuchAlgorithmException - on unsupported signature algorithms.
InvalidKeyException - on incorrect key.
NoSuchProviderException - on incorrect provider.
SignatureException - on signature errors.
CertificateException - on encoding errors.

checkValidity

public void checkValidity()
                   throws CertificateExpiredException,
                          CertificateNotYetValidException
Checks that the certificate is currently valid, i.e. the current time is within the specified validity period.
Throws:
CertificateExpiredException - if the certificate has expired.
CertificateNotYetValidException - if the certificate is not yet valid.
Overrides:
checkValidity in class X509Certificate

checkValidity

public void checkValidity(Date date)
                   throws CertificateExpiredException,
                          CertificateNotYetValidException
Checks that the specified date is within the certificate's validity period, or basically if the certificate would be valid at the specified date/time.
Parameters:
date - the Date to check against to see if this certificate is valid at that date/time.
Throws:
CertificateExpiredException - if the certificate has expired with respect to the date supplied.
CertificateNotYetValidException - if the certificate is not yet valid with respect to the date supplied.
Overrides:
checkValidity in class X509Certificate

get

public Object get(String name)
           throws CertificateParsingException
Return the requested attribute from the certificate.
Parameters:
name - the name of the attribute.
Throws:
CertificateParsingException - on invalid attribute identifier.

set

public void set(String name,
                Object obj)
         throws CertificateException,
                IOException
Set the requested attribute in the certificate.
Parameters:
name - the name of the attribute.
obj - the value of the attribute.
Throws:
CertificateException - on invalid attribute identifier.
IOException - on encoding error of attribute.

delete

public void delete(String name)
            throws CertificateException,
                   IOException
Delete the requested attribute from the certificate.
Parameters:
name - the name of the attribute.
Throws:
CertificateException - on invalid attribute identifier.
IOException - on other errors.

getElements

public Enumeration getElements()
Return an enumeration of names of attributes existing within this attribute.

getName

public String getName()
Return the name of this attribute.

toString

public String toString()
Returns a printable representation of the certificate. This does not contain all the information available to distinguish this from any other certificate. The certificate must be fully constructed before this function may be called.
Overrides:
toString in class Certificate

getPublicKey

public PublicKey getPublicKey()
Gets the public key from this certificate.
Returns:
the public key.
Overrides:
getPublicKey in class Certificate

getVersion

public int getVersion()
Gets the version number from the certificate.
Returns:
the version number, i.e. 1, 2 or 3.
Overrides:
getVersion in class X509Certificate

getSerialNumber

public java.math.BigInteger getSerialNumber()
Gets the serial number from the certificate.
Returns:
the serial number.
Overrides:
getSerialNumber in class X509Certificate

getSubjectDN

public Principal getSubjectDN()
Gets the subject distinguished name from the certificate.
Returns:
the subject name.
Overrides:
getSubjectDN in class X509Certificate

getIssuerDN

public Principal getIssuerDN()
Gets the issuer distinguished name from the certificate.
Returns:
the issuer name.
Overrides:
getIssuerDN in class X509Certificate

getNotBefore

public Date getNotBefore()
Gets the notBefore date from the validity period of the certificate.
Returns:
the start date of the validity period.
Overrides:
getNotBefore in class X509Certificate

getNotAfter

public Date getNotAfter()
Gets the notAfter date from the validity period of the certificate.
Returns:
the end date of the validity period.
Overrides:
getNotAfter in class X509Certificate

getTBSCertificate

public byte[] getTBSCertificate()
                         throws CertificateEncodingException
Gets the DER encoded certificate information, the tbsCertificate, from this certificate. This is exactly the byte sequence the certificate signature covers, so it can be used to verify the signature independently.
Returns:
the DER encoded certificate information.
Throws:
CertificateEncodingException - if an encoding error occurs.
Overrides:
getTBSCertificate in class X509Certificate

getSignature

public byte[] getSignature()
Gets the raw Signature bits from the certificate.
Returns:
the signature.
Overrides:
getSignature in class X509Certificate
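getTBSCertificate(), getSigAlgName()/getSigAlgOID() and getSignature() together expose the three parts of a certificate, and the statement above that the tbsCertificate "can be used to verify the signature independently" is worth seeing in code. The program below is an added example, not code from the X509CertImpl sources, that verifies a certificate signature from those parts with java.security.Signature instead of calling verify(), and uses that to decide whether a certificate is genuinely self-signed. It assumes the DER file path is given on the command line and that the installed provider accepts either the algorithm name or the dotted OID string from the certificate as a Signature algorithm name.

```java
import java.io.FileInputStream;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;

import com.ibm.security12.sun.security.x509.X509CertImpl;

/*
 * Added example, not part of the X509CertImpl sources: check a certificate
 * signature from its parts (tbsCertificate, signature algorithm, signature
 * bits) instead of calling verify().  Assumes the DER file path comes from
 * the command line and that the provider in use knows the algorithm by the
 * name or the OID string carried in the certificate.
 */
public class ManualSignatureCheck {

    // Map the certificate's signature algorithm to a Signature engine.
    // Try the name first, then the dotted OID, which providers commonly
    // register as an alias (assumption: at least one of the two is known).
    static Signature engineFor(X509CertImpl cert) throws NoSuchAlgorithmException {
        try {
            return Signature.getInstance(cert.getSigAlgName());
        } catch (NoSuchAlgorithmException byName) {
            return Signature.getInstance(cert.getSigAlgOID());
        }
    }

    // True iff the signature bits verify over the DER of tbsCertificate
    // under key.  Only tbsCertificate is signed: the outer signatureAlgorithm
    // field and the signature bits themselves are not covered.
    static boolean signatureIsValid(X509CertImpl cert, PublicKey key) throws Exception {
        Signature sig = engineFor(cert);
        sig.initVerify(key);
        sig.update(cert.getTBSCertificate());
        return sig.verify(cert.getSignature());
    }

    // A self-signed certificate (a root CA's, typically) names itself as
    // issuer and verifies under its own key.  Matching DNs alone prove
    // nothing: anyone can put a root's DN into a certificate signed with
    // some other key.
    static boolean isSelfSigned(X509CertImpl cert) throws Exception {
        return cert.getIssuerDN().equals(cert.getSubjectDN())
            && signatureIsValid(cert, cert.getPublicKey());
    }

    public static void main(String[] args) throws Exception {
        FileInputStream in = new FileInputStream(args[0]);
        X509CertImpl cert;
        try {
            cert = new X509CertImpl(in);   // InputStream constructor
        } finally {
            in.close();
        }
        System.out.println("algorithm: " + cert.getSigAlgName()
            + " (" + cert.getSigAlgOID() + ")");
        System.out.println("tbsCertificate: " + cert.getTBSCertificate().length
            + " bytes, signature: " + cert.getSignature().length + " bytes");
        System.out.println("self-signed: " + isSelfSigned(cert));
    }
}
```

Signature.verify() returns false for a signature that decodes but does not match and throws SignatureException for one that is malformed for the algorithm; both outcomes mean the certificate is not to be used, so callers should not treat the exception as a transient error.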

getSigAlgName

public String getSigAlgName()
Gets the signature algorithm name for the certificate signature algorithm. For example, the string "SHA-1/DSA" or "DSS".
Returns:
the signature algorithm name.
Overrides:
getSigAlgName in class X509Certificate

getSigAlgOID

public String getSigAlgOID()
Gets the signature algorithm OID string from the certificate. For example, the string "1.2.840.10040.4.3"
Returns:
the signature algorithm oid string.
Overrides:
getSigAlgOID in class X509Certificate

getSigAlgParams

public byte[] getSigAlgParams()
Gets the DER encoded signature algorithm parameters from this certificate's signature algorithm.
Returns:
the DER encoded signature algorithm parameters, or null if no parameters are present.
Overrides:
getSigAlgParams in class X509Certificate

getIssuerUniqueID

public boolean[] getIssuerUniqueID()
Gets the Issuer Unique Identity from the certificate.
Returns:
the Issuer Unique Identity.
Overrides:
getIssuerUniqueID in class X509Certificate

getSubjectUniqueID

public boolean[] getSubjectUniqueID()
Gets the Subject Unique Identity from the certificate.
Returns:
the Subject Unique Identity.
Overrides:
getSubjectUniqueID in class X509Certificate

hasUnsupportedCriticalExtension

public boolean hasUnsupportedCriticalExtension()
Return true if a critical extension is found that is not supported, otherwise return false. X.509 requires a certificate-using system to reject a certificate carrying a critical extension it does not recognise, since the extension may restrict exactly the use being attempted; a true result should therefore end validation rather than be logged and ignored. getCriticalExtensionOIDs() lists the extensions involved.

getCriticalExtensionOIDs

public Set getCriticalExtensionOIDs()
Gets a Set of the extension(s) marked CRITICAL in the certificate. In the returned set, each extension is represented by its OID string.
Returns:
a set of the extension oid strings in the certificate that are marked critical.

getNonCriticalExtensionOIDs

public Set getNonCriticalExtensionOIDs()
Gets a Set of the extension(s) marked NON-CRITICAL in the certificate. In the returned set, each extension is represented by its OID string.
Returns:
a set of the extension oid strings in the certificate that are NOT marked critical.

getExtensionValue

public byte[] getExtensionValue(String oid)
Gets the DER encoded extension identified by the given oid String. What comes back is the extnValue OCTET STRING as encoded in the certificate, so a caller wanting the extension's own ASN.1 structure must first strip the outer OCTET STRING wrapper and then decode its contents.
Parameters:
oid - the Object Identifier value for the extension, as a dotted-decimal string (for example "2.5.29.19").
Returns:
the DER encoded OCTET STRING holding the extension value, or null if the certificate has no extension with that oid.

getKeyUsage

public boolean[] getKeyUsage()
Get a boolean array representing the bits of the KeyUsage extension, (oid = 2.5.29.15). The array is ordered as in the X.509 ASN.1 definition: digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8). It holds as many elements as the encoded BIT STRING has bits, so callers must bounds-check before reading a high bit.
Returns:
the bit values of this extension as an array of booleans, or null if the certificate has no KeyUsage extension.
Overrides:
getKeyUsage in class X509Certificate

getBasicConstraints

public int getBasicConstraints()
Get the certificate constraints path length from the critical BasicConstraints extension, (oid = 2.5.29.19). Only an extension marked critical is consulted. The extension also carries the cA flag, so the return value doubles as the test of whether the subject is a CA.
Returns:
the value of pathLenConstraint if a critical BasicConstraints extension is present and its cA flag is TRUE, otherwise -1 (no extension, extension not critical, or subject not a CA). Per the X509Certificate contract, Integer.MAX_VALUE means the subject is a CA with no pathLenConstraint, i.e. no limit on the length of the certification path below it.
Overrides:
getBasicConstraints in class X509Certificate
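The three accessors above (hasUnsupportedCriticalExtension, getKeyUsage, getBasicConstraints) are what a relying party uses to decide whether the key that verified a signature was entitled to sign certificates at all, the other half of what verify() leaves to the caller. The program below is an added example, not code from the X509CertImpl sources, that turns them into one issuer-authorization check. The KeyUsage bit index follows the X.509 definition and the return-value handling follows the java.security.cert.X509Certificate contract; the class name and command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateException;

import com.ibm.security12.sun.security.x509.X509CertImpl;

/*
 * Added example, not part of the X509CertImpl sources: decide whether a
 * certificate is authorised to act as a CA for a chain of the given depth.
 * Assumes the DER file path and the depth are given on the command line.
 */
public class IssuerAuthorization {

    // Position of keyCertSign in the KeyUsage BIT STRING
    // (digitalSignature=0, nonRepudiation=1, keyEncipherment=2,
    //  dataEncipherment=3, keyAgreement=4, keyCertSign=5, cRLSign=6, ...).
    static final int KEY_CERT_SIGN = 5;

    // intermediates = number of CA certificates that sit between this issuer
    // and the end-entity certificate; 0 when the issuer signed it directly.
    static void requireCaAuthority(X509CertImpl issuer, int intermediates)
            throws CertificateException {
        // Unrecognised critical extensions: X.509 requires rejection, since
        // the extension may restrict exactly the use being attempted.
        if (issuer.hasUnsupportedCriticalExtension()) {
            throw new CertificateException("unsupported critical extension(s) "
                + issuer.getCriticalExtensionOIDs() + " in " + issuer.getSubjectDN());
        }

        // getBasicConstraints() is -1 unless the extension is present with
        // cA=TRUE (and, in this implementation, marked critical); otherwise
        // it is the pathLenConstraint, with Integer.MAX_VALUE for "unlimited".
        int pathLen = issuer.getBasicConstraints();
        if (pathLen < 0) {
            throw new CertificateException(issuer.getSubjectDN()
                + " is not a CA (no critical BasicConstraints with cA=TRUE)");
        }
        if (intermediates > pathLen) {
            throw new CertificateException(issuer.getSubjectDN()
                + " allows at most " + pathLen + " intermediate CA(s), chain has "
                + intermediates);
        }

        // KeyUsage is optional; when present it must permit keyCertSign.
        // The array has as many entries as the BIT STRING has bits, so a
        // short array means the bit is absent, i.e. not set.
        boolean[] ku = issuer.getKeyUsage();
        if (ku != null && (ku.length <= KEY_CERT_SIGN || !ku[KEY_CERT_SIGN])) {
            throw new CertificateException(issuer.getSubjectDN()
                + " has a KeyUsage extension without keyCertSign");
        }
    }

    public static void main(String[] args) throws Exception {
        FileInputStream in = new FileInputStream(args[0]);
        X509CertImpl issuer;
        try {
            issuer = new X509CertImpl(in);   // InputStream constructor
        } finally {
            in.close();
        }
        int intermediates = args.length > 1 ? Integer.parseInt(args[1]) : 0;
        requireCaAuthority(issuer, intermediates);
        System.out.println(issuer.getSubjectDN() + " may issue certificates with "
            + intermediates + " intermediate(s) below it (pathLen "
            + issuer.getBasicConstraints() + ")");
    }
}
```

The order of the checks is deliberate: an unrecognised critical extension is rejected before anything else is read from the certificate, because such an extension may narrow or override the meaning of the fields examined afterwards.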