Source for java.security.cert.X509Certificate

   1: /* X509Certificate.java --- X.509 Certificate class
   2:    Copyright (C) 1999,2003 Free Software Foundation, Inc.
   3: 
   4: This file is part of GNU Classpath.
   5: 
   6: GNU Classpath is free software; you can redistribute it and/or modify
   7: it under the terms of the GNU General Public License as published by
   8: the Free Software Foundation; either version 2, or (at your option)
   9: any later version.
  10:  
  11: GNU Classpath is distributed in the hope that it will be useful, but
  12: WITHOUT ANY WARRANTY; without even the implied warranty of
  13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14: General Public License for more details.
  15: 
  16: You should have received a copy of the GNU General Public License
  17: along with GNU Classpath; see the file COPYING.  If not, write to the
  18: Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  19: 02110-1301 USA.
  20: 
  21: Linking this library statically or dynamically with other modules is
  22: making a combined work based on this library.  Thus, the terms and
  23: conditions of the GNU General Public License cover the whole
  24: combination.
  25: 
  26: As a special exception, the copyright holders of this library give you
  27: permission to link this library with independent modules to produce an
  28: executable, regardless of the license terms of these independent
  29: modules, and to copy and distribute the resulting executable under
  30: terms of your choice, provided that you also meet, for each linked
  31: independent module, the terms and conditions of the license of that
  32: module.  An independent module is a module which is not derived from
  33: or based on this library.  If you modify this library, you may extend
  34: this exception to your version of the library, but you are not
  35: obligated to do so.  If you do not wish to do so, delete this
  36: exception statement from your version. */
  37: 
  38: 
  39: package java.security.cert;
  40: 
  41: import java.math.BigInteger;
  42: import java.security.Principal;
  43: import java.util.Date;
  44: 
  45: /**
  46:  * X509Certificate is the abstract class for X.509 certificates.
  47:  * This provides a stanard class interface for accessing all 
  48:  * the attributes of X.509 certificates.
  49:  *
  50:  * <p>In June 1996, the basic X.509 v3 format was finished by 
  51:  * ISO/IEC and ANSI X.9. The ASN.1 DER format is below:
  52:  *
  53:  * <blockquote><pre>
  54:  * Certificate  ::=  SEQUENCE  {
  55:  *   tbsCertificate       TBSCertificate,
  56:  *   signatureAlgorithm   AlgorithmIdentifier,
  57:  *   signatureValue       BIT STRING  }
  58:  * </pre></blockquote>
  59:  *
  60:  * <p>These certificates are widely used in various Internet 
  61:  * protocols to support authentication. It is used in 
  62:  * Privacy Enhanced Mail (PEM), Transport Layer Security (TLS),
  63:  * Secure Sockets Layer (SSL), code signing for trusted software
  64:  * distribution, and Secure Electronic Transactions (SET).
  65:  *
  66:  * <p>The certificates are managed and vouched for by 
  67:  * <I>Certificate Authorities</I> (CAs). CAs are companies or 
  68:  * groups that create certificates by placing the data in the 
  69:  * X.509 certificate format and signing it with their private
  70:  * key. CAs serve as trusted third parties by certifying that
  71:  * the person or group specified in the certificate is who
  72:  * they say they are. 
  73:  *
  74:  * <p>The ASN.1 defintion for <I>tbsCertificate</I> is
  75:  * 
  76:  * <blockquote><pre>
  77:  * TBSCertificate  ::=  SEQUENCE  {
  78:  *   version         [0]  EXPLICIT Version DEFAULT v1,
  79:  *   serialNumber         CertificateSerialNumber,
  80:  *   signature            AlgorithmIdentifier,
  81:  *   issuer               Name,
  82:  *   validity             Validity,
  83:  *   subject              Name,
  84:  *   subjectPublicKeyInfo SubjectPublicKeyInfo,
  85:  *   issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
  86:  *                        -- If present, version shall be v2 or v3
  87:  *   subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
  88:  *                        -- If present, version shall be v2 or v3
  89:  *   extensions      [3]  EXPLICIT Extensions OPTIONAL
  90:  *                        -- If present, version shall be v3
  91:  * }
  92:  *
  93:  * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
  94:  *
  95:  * CertificateSerialNumber  ::=  INTEGER
  96:  *
  97:  * Validity ::= SEQUENCE {
  98:  *   notBefore      Time,
  99:  *   notAfter       Time }
 100:  *
 101:  * Time ::= CHOICE {
 102:  *   utcTime        UTCTime,
 103:  *   generalTime    GeneralizedTime }
 104:  *
 105:  * UniqueIdentifier  ::=  BIT STRING
 106:  *
 107:  * SubjectPublicKeyInfo  ::=  SEQUENCE  {
 108:  *   algorithm            AlgorithmIdentifier,
 109:  *   subjectPublicKey     BIT STRING  }
 110:  *
 111:  * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 112:  *
 113:  * Extension  ::=  SEQUENCE  {
 114:  *   extnID      OBJECT IDENTIFIER,
 115:  *   critical    BOOLEAN DEFAULT FALSE,
 116:  *   extnValue   OCTET STRING  }
 117:  * </pre></blockquote>
 118:  * 
 119:  * Certificates are created with the CertificateFactory.
 120:  *
 121:  * <p>References:
 122:  *
 123:  * <ol>
 124:  * <li>Olivier Dubuisson, Philippe Fouquart (Translator) <i>ASN.1 -
 125:  * Communication between heterogeneous systems</i>, (C) September 2000,
 126:  * Morgan Kaufmann Publishers, ISBN 0-12-6333361-0. Available on-line at
 127:  * <a
 128:  * href="http://www.oss.com/asn1/dubuisson.html">http://www.oss.com/asn1/dubuisson.html</a></li>
 129:  * <li>R. Housley et al, <i><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC
 130:  * 3280: Internet X.509 Public Key Infrastructure Certificate and CRL
 131:  * Profile</a></i>.</li>
 132:  * </ol>
 133:  *
 134:  * @since JDK 1.2
 135:  * @author Mark Benvenuto
 136:  * @author Casey Marshall (rsdio@metastatic.org)
 137:  */
 138: public abstract class X509Certificate
 139:   extends java.security.cert.Certificate  // XXX workaround for gcj bug #17845
 140:   implements X509Extension
 141: {
 142:   private static final long serialVersionUID = -2491127588187038216L;
 143: 
 144:   /**
 145:    * Constructs a new certificate of the specified type.
 146:    */
 147:   protected X509Certificate()
 148:   {
 149:     super( "X.509" );
 150:   }
 151: 
 152:   /**
 153:      Checks the validity of the X.509 certificate. It is valid
 154:      if the current date and time are within the period specified
 155:      by the certificate.
 156: 
 157:      The ASN.1 DER encoding is:
 158: 
 159:      validity             Validity,
 160: 
 161:      Validity ::= SEQUENCE {
 162:      notBefore      Time,
 163:      notAfter       Time }
 164: 
 165:      Time ::= CHOICE {
 166:      utcTime        UTCTime,
 167:      generalTime    GeneralizedTime }
 168: 
 169:      Consult rfc2459 for more information.
 170: 
 171:      @throws CertificateExpiredException if the certificate expired
 172:      @throws CertificateNotYetValidException if the certificate is 
 173:      not yet valid
 174:   */
 175:   public abstract void checkValidity()
 176:     throws CertificateExpiredException,
 177:     CertificateNotYetValidException;
 178: 
 179:   /**
 180:      Checks the validity of the X.509 certificate for the 
 181:      specified time and date. It is valid if the specified 
 182:      date and time are within the period specified by 
 183:      the certificate.
 184: 
 185:      @throws CertificateExpiredException if the certificate expired 
 186:      based on the date
 187:      @throws CertificateNotYetValidException if the certificate is 
 188:      not yet valid based on the date
 189:   */
 190:   public abstract void checkValidity(Date date)
 191:     throws CertificateExpiredException,
 192:     CertificateNotYetValidException;
 193: 
 194:   /**
 195:      Returns the version of this certificate.
 196: 
 197:      The ASN.1 DER encoding is:
 198: 
 199:      version         [0]  EXPLICIT Version DEFAULT v1,
 200: 
 201:      Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
 202: 
 203:      Consult rfc2459 for more information.
 204: 
 205:      @return version number of certificate    
 206:   */
 207:   public abstract int getVersion();
 208: 
 209:   /**
 210:      Gets the serial number for serial Number in
 211:      this Certifcate. It must be a unique number 
 212:      unique other serial numbers from the granting CA.
 213: 
 214:      The ASN.1 DER encoding is:
 215: 
 216:      serialNumber         CertificateSerialNumber,
 217: 
 218:      CertificateSerialNumber  ::=  INTEGER
 219: 
 220:      Consult rfc2459 for more information.
 221: 
 222:      @return the serial number for this X509CRLEntry.
 223:   */
 224:   public abstract BigInteger getSerialNumber();
 225: 
 226:   /**
 227:      Returns the issuer (issuer distinguished name) of the 
 228:      Certificate. The issuer is the entity who signed 
 229:      and issued the Certificate.
 230: 
 231:      The ASN.1 DER encoding is:
 232: 
 233:      issuer                  Name,
 234: 
 235:      Name ::= CHOICE {
 236:      RDNSequence }
 237: 
 238:      RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 239: 
 240:      RelativeDistinguishedName ::=
 241:      SET OF AttributeTypeAndValue
 242: 
 243:      AttributeTypeAndValue ::= SEQUENCE {
 244:      type     AttributeType,
 245:      value    AttributeValue }
 246: 
 247:      AttributeType ::= OBJECT IDENTIFIER
 248: 
 249:      AttributeValue ::= ANY DEFINED BY AttributeType
 250: 
 251:      DirectoryString ::= CHOICE {
 252:      teletexString           TeletexString (SIZE (1..MAX)),
 253:      printableString         PrintableString (SIZE (1..MAX)),
 254:      universalString         UniversalString (SIZE (1..MAX)),
 255:      utf8String              UTF8String (SIZE (1.. MAX)),
 256:      bmpString               BMPString (SIZE (1..MAX)) }
 257: 
 258:      Consult rfc2459 for more information.
 259: 
 260:      @return the issuer in the Principal class
 261:   */
 262:   public abstract Principal getIssuerDN();
 263: 
 264:   /**
 265:      Returns the subject (subject distinguished name) of the 
 266:      Certificate. The subject is the entity who the Certificate
 267:      identifies.
 268: 
 269:      The ASN.1 DER encoding is:
 270: 
 271:      subject              Name,
 272: 
 273:      Consult rfc2459 for more information.
 274: 
 275:      @return the issuer in the Principal class
 276:   */
 277:   public abstract Principal getSubjectDN();
 278: 
 279:   /**
 280:      Returns the date that this certificate is not to be used
 281:      before, <I>notBefore</I>.
 282: 
 283:      The ASN.1 DER encoding is:
 284: 
 285:      validity             Validity,
 286: 
 287:      Validity ::= SEQUENCE {
 288:      notBefore      Time,
 289:      notAfter       Time }
 290: 
 291:      Time ::= CHOICE {
 292:      utcTime        UTCTime,
 293:      generalTime    GeneralizedTime }
 294: 
 295:      Consult rfc2459 for more information.
 296: 
 297:      @return the date <I>notBefore</I>
 298:   */
 299:   public abstract Date getNotBefore();
 300: 
 301:   /**
 302:      Returns the date that this certificate is not to be used
 303:      after, <I>notAfter</I>.
 304: 
 305:      @return the date <I>notAfter</I>
 306:   */
 307:   public abstract Date getNotAfter();
 308: 
 309: 
 310:   /**
 311:      Returns the <I>tbsCertificate</I> from the certificate.
 312: 
 313:      @return the DER encoded tbsCertificate
 314: 
 315:      @throws CertificateEncodingException if encoding error occurred
 316:   */
 317:   public abstract byte[] getTBSCertificate() throws CertificateEncodingException;
 318: 
 319:   /**
 320:      Returns the signature in its raw DER encoded format.
 321: 
 322:      The ASN.1 DER encoding is:
 323: 
 324:      signatureValue       BIT STRING
 325: 
 326:      Consult rfc2459 for more information.
 327: 
 328:      @return byte array representing signature
 329:   */
 330:   public abstract byte[] getSignature();
 331: 
 332:   /**
 333:      Returns the signature algorithm used to sign the CRL. 
 334:      An examples is "SHA-1/DSA".
 335: 
 336:      The ASN.1 DER encoding is:
 337: 
 338:      signatureAlgorithm   AlgorithmIdentifier,
 339: 
 340:      AlgorithmIdentifier  ::=  SEQUENCE  {
 341:      algorithm               OBJECT IDENTIFIER,
 342:      parameters              ANY DEFINED BY algorithm OPTIONAL  }
 343: 
 344:      Consult rfc2459 for more information.
 345: 
 346:      The algorithm name is determined from the OID.
 347: 
 348:      @return a string with the signature algorithm name
 349:   */
 350:   public abstract String getSigAlgName();
 351: 
 352: 
 353:   /**
 354:      Returns the OID for the signature algorithm used.
 355:      Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
 356: 
 357:      The ASN.1 DER encoding for the example is:
 358: 
 359:      id-dsa-with-sha1 ID  ::=  {
 360:      iso(1) member-body(2) us(840) x9-57 (10040)
 361:      x9cm(4) 3 }
 362: 
 363:      Consult rfc2459 for more information.
 364: 
 365:      @return a string containing the OID.
 366:   */
 367:   public abstract String getSigAlgOID();
 368: 
 369: 
 370:   /**
 371:      Returns the AlgorithmParameters in the encoded form
 372:      for the signature algorithm used. 
 373: 
 374:      If access to the parameters is need, create an 
 375:      instance of AlgorithmParameters.
 376: 
 377:      @return byte array containing algorithm parameters, null
 378:      if no parameters are present in certificate
 379:   */
 380:   public abstract byte[] getSigAlgParams();
 381: 
 382: 
 383:   /**
 384:      Returns the issuer unique ID for this certificate.
 385: 
 386:      The ASN.1 DER encoding is:
 387: 
 388:      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
 389:      -- If present, version shall be v2 or v3
 390: 
 391:      UniqueIdentifier  ::=  BIT STRING
 392:     
 393:      Consult rfc2459 for more information.
 394: 
 395:      @return bit representation of <I>issuerUniqueID</I>
 396:   */
 397:   public abstract boolean[] getIssuerUniqueID();
 398: 
 399:   /**
 400:      Returns the subject unique ID for this certificate.
 401: 
 402:      The ASN.1 DER encoding is:
 403: 
 404:      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
 405:      -- If present, version shall be v2 or v3
 406: 
 407:      UniqueIdentifier  ::=  BIT STRING
 408:     
 409:      Consult rfc2459 for more information.
 410: 
 411:      @return bit representation of <I>subjectUniqueID</I>
 412:   */
 413:   public abstract boolean[] getSubjectUniqueID();
 414: 
 415:   /**
 416:      Returns a boolean array representing the <I>KeyUsage</I> 
 417:      extension for the certificate. The KeyUsage (OID = 2.5.29.15)
 418:      defines the purpose of the key in the certificate.
 419: 
 420:      The ASN.1 DER encoding is:
 421: 
 422:      id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
 423: 
 424:      KeyUsage ::= BIT STRING {
 425:      digitalSignature        (0),
 426:      nonRepudiation          (1),
 427:      keyEncipherment         (2),
 428:      dataEncipherment        (3),
 429:      keyAgreement            (4),
 430:      keyCertSign             (5),
 431:      cRLSign                 (6),
 432:      encipherOnly            (7),
 433:      decipherOnly            (8) }
 434: 
 435:      Consult rfc2459 for more information.
 436: 
 437:      @return bit representation of <I>KeyUsage</I>
 438:   */
 439:   public abstract boolean[] getKeyUsage();
 440: 
 441:   /**
 442:      Returns the certificate constraints path length from the
 443:      critical BasicConstraints extension, (OID = 2.5.29.19).    
 444: 
 445:      The basic constraints extensions is used to determine if 
 446:      the subject of the certificate is a Certificate Authority (CA) 
 447:      and how deep the certification path may exist. The 
 448:      <I>pathLenConstraint</I> only takes affect if <I>cA</I>
 449:      is set to true. "A value of zero indicates that only an 
 450:      end-entity certificate may follow in the path." (rfc2459)
 451:     
 452:      The ASN.1 DER encoding is:
 453: 
 454:      id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
 455: 
 456:      BasicConstraints ::= SEQUENCE {
 457:      cA                      BOOLEAN DEFAULT FALSE,
 458:      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
 459: 
 460:      Consult rfc2459 for more information.
 461: 
 462:      @return the length of the path constraint if BasicConstraints
 463:      is present and cA is TRUE. Otherwise returns -1.
 464:   */
 465:   public abstract int getBasicConstraints();
 466: 
 467:   // 1.4 instance methods.
 468:   // ------------------------------------------------------------------------
 469: 
 470:   /**
 471:    * Returns the <code>ExtendedKeyUsage</code> extension of this
 472:    * certificate, or null if there is no extension present. The returned
 473:    * value is a {@link java.util.List} strings representing the object
 474:    * identifiers of the extended key usages. This extension has the OID
 475:    * 2.5.29.37.
 476:    *
 477:    * <p>The ASN.1 definition for this extension is:
 478:    *
 479:    * <blockquote><pre> 
 480:    * ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
 481:    *
 482:    * KeyPurposeId ::= OBJECT IDENTIFIER
 483:    * </pre></blockquote>
 484:    *
 485:    * @return The list of extension OIDs, or null if there are none
 486:    * present in this certificate.
 487:    * @throws CertificateParsingException If this extension cannot be
 488:    * parsed from its encoded form.
 489:    */
 490:   public java.util.List getExtendedKeyUsage()
 491:     throws CertificateParsingException
 492:   {
 493:     throw new UnsupportedOperationException();
 494:   }
 495: 
 496:   /**
 497:    * Returns the alternative names for this certificate's subject (the
 498:    * owner), or null if there are none.
 499:    *
 500:    * <p>This is an X.509 extension with OID 2.5.29.17 and is defined by
 501:    * the ASN.1 construction:
 502:    *
 503:    * <blockquote><pre>
 504:    * SubjectAltNames ::= GeneralNames
 505:    *
 506:    * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 507:    *
 508:    * GeneralName ::= CHOICE {
 509:    *   otherName                 [0]   OtherName,
 510:    *   rfc822Name                [1]   IA5String,
 511:    *   dNSName                   [2]   IA5String,
 512:    *   x400Address               [3]   ORAddress,
 513:    *   directoryName             [4]   Name,
 514:    *   ediPartyName              [5]   EDIPartyName,
 515:    *   uniformResourceIdentifier [6]   IA5String,
 516:    *   iPAddress                 [7]   OCTET STRING,
 517:    *   registeredID              [8]   OBJECT IDENTIFIER
 518:    * }
 519:    * </pre></blockquote>
 520:    *
 521:    * <p>The returned collection contains one or more two-element Lists,
 522:    * with the first object being an Integer representing the choice
 523:    * above (with value 0 through 8) and the second being an (a) String
 524:    * if the <code>GeneralName</code> is a rfc822Name, dNSName,
 525:    * uniformResourceIdentifier, iPAddress, or registeredID, or (b) a
 526:    * byte array of the DER encoded form for any others.
 527:    *
 528:    * @return The collection of alternative names, or null if there are
 529:    * none.
 530:    * @throws CertificateParsingException If the encoded extension cannot
 531:    * be parsed.
 532:    * @since JDK 1.4
 533:    */
 534:   public java.util.Collection getSubjectAlternativeNames()
 535:     throws CertificateParsingException
 536:   {
 537:     throw new UnsupportedOperationException();
 538:   }
 539: 
 540:   /**
 541:    * Returns the alternative names for this certificate's issuer, or
 542:    * null if there are none.
 543:    *
 544:    * <p>This is an X.509 extension with OID 2.5.29.18, and is defined by
 545:    * the ASN.1 construction:
 546:    *
 547:    * <blockquote><pre>
 548:    * IssuerAltNames ::= GeneralNames
 549:    * </pre></blockquote>
 550:    *
 551:    * <p>The <code>GeneralNames</code> construct and the form of the
 552:    * returned collection are the same as with {@link
 553:    * #getSubjectAlternativeNames()}.
 554:    *
 555:    * @return The collection of alternative names, or null if there are
 556:    * none.
 557:    * @throws CertificateParsingException If the encoded extension cannot
 558:    * be parsed.
 559:    * @since JDK 1.4
 560:    */
 561:   public java.util.Collection getIssuerAlternativeNames()
 562:     throws CertificateParsingException
 563:   {
 564:     throw new UnsupportedOperationException();
 565:   }
 566: 
 567:   /**
 568:    * Returns the X.500 distinguished name of this certificate's subject.
 569:    *
 570:    * @return The subject's X.500 distinguished name.
 571:    * @since JDK 1.4
 572:    */
 573:   public javax.security.auth.x500.X500Principal getSubjectX500Principal()
 574:   {
 575:     throw new UnsupportedOperationException();
 576:   }
 577:  
 578:   /**
 579:    * Returns the X.500 distinguished name of this certificate's issuer.
 580:    *
 581:    * @return The issuer's X.500 distinguished name.
 582:    * @since JDK 1.4
 583:    */
 584:   public javax.security.auth.x500.X500Principal getIssuerX500Principal()
 585:   {
 586:     throw new UnsupportedOperationException();
 587:   }
 588: }