Source code: java/security/cert/X509Certificate.java
1 /* X509Certificate.java --- X.509 Certificate class
2 Copyright (C) 1999,2003 Free Software Foundation, Inc.
3
4 This file is part of GNU Classpath.
5
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
9 any later version.
10
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; see the file COPYING. If not, write to the
18 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
19 02110-1301 USA.
20
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
24 combination.
25
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
37
38
39 package java.security.cert;
40
41 import java.math.BigInteger;
42 import java.security.Principal;
43 import java.util.Date;
44
45 /**
46 * X509Certificate is the abstract class for X.509 certificates.
47 * This provides a stanard class interface for accessing all
48 * the attributes of X.509 certificates.
49 *
50 * <p>In June 1996, the basic X.509 v3 format was finished by
51 * ISO/IEC and ANSI X.9. The ASN.1 DER format is below:
52 *
53 * <blockquote><pre>
54 * Certificate ::= SEQUENCE {
55 * tbsCertificate TBSCertificate,
56 * signatureAlgorithm AlgorithmIdentifier,
57 * signatureValue BIT STRING }
58 * </pre></blockquote>
59 *
60 * <p>These certificates are widely used in various Internet
61 * protocols to support authentication. It is used in
62 * Privacy Enhanced Mail (PEM), Transport Layer Security (TLS),
63 * Secure Sockets Layer (SSL), code signing for trusted software
64 * distribution, and Secure Electronic Transactions (SET).
65 *
66 * <p>The certificates are managed and vouched for by
67 * <I>Certificate Authorities</I> (CAs). CAs are companies or
68 * groups that create certificates by placing the data in the
69 * X.509 certificate format and signing it with their private
70 * key. CAs serve as trusted third parties by certifying that
71 * the person or group specified in the certificate is who
72 * they say they are.
73 *
74 * <p>The ASN.1 defintion for <I>tbsCertificate</I> is
75 *
76 * <blockquote><pre>
77 * TBSCertificate ::= SEQUENCE {
78 * version [0] EXPLICIT Version DEFAULT v1,
79 * serialNumber CertificateSerialNumber,
80 * signature AlgorithmIdentifier,
81 * issuer Name,
82 * validity Validity,
83 * subject Name,
84 * subjectPublicKeyInfo SubjectPublicKeyInfo,
85 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
86 * -- If present, version shall be v2 or v3
87 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
88 * -- If present, version shall be v2 or v3
89 * extensions [3] EXPLICIT Extensions OPTIONAL
90 * -- If present, version shall be v3
91 * }
92 *
93 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
94 *
95 * CertificateSerialNumber ::= INTEGER
96 *
97 * Validity ::= SEQUENCE {
98 * notBefore Time,
99 * notAfter Time }
100 *
101 * Time ::= CHOICE {
102 * utcTime UTCTime,
103 * generalTime GeneralizedTime }
104 *
105 * UniqueIdentifier ::= BIT STRING
106 *
107 * SubjectPublicKeyInfo ::= SEQUENCE {
108 * algorithm AlgorithmIdentifier,
109 * subjectPublicKey BIT STRING }
110 *
111 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
112 *
113 * Extension ::= SEQUENCE {
114 * extnID OBJECT IDENTIFIER,
115 * critical BOOLEAN DEFAULT FALSE,
116 * extnValue OCTET STRING }
117 * </pre></blockquote>
118 *
119 * Certificates are created with the CertificateFactory.
120 *
121 * <p>References:
122 *
123 * <ol>
124 * <li>Olivier Dubuisson, Philippe Fouquart (Translator) <i>ASN.1 -
125 * Communication between heterogeneous systems</i>, (C) September 2000,
126 * Morgan Kaufmann Publishers, ISBN 0-12-6333361-0. Available on-line at
127 * <a
128 * href="http://www.oss.com/asn1/dubuisson.html">http://www.oss.com/asn1/dubuisson.html</a></li>
129 * <li>R. Housley et al, <i><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC
130 * 3280: Internet X.509 Public Key Infrastructure Certificate and CRL
131 * Profile</a></i>.</li>
132 * </ol>
133 *
134 * @since JDK 1.2
135 * @author Mark Benvenuto
136 * @author Casey Marshall (rsdio@metastatic.org)
137 */
138 public abstract class X509Certificate
139 extends java.security.cert.Certificate // XXX workaround for gcj bug #17845
140 implements X509Extension
141 {
142 private static final long serialVersionUID = -2491127588187038216L;
143
144 /**
145 * Constructs a new certificate of the specified type.
146 */
147 protected X509Certificate()
148 {
149 super( "X.509" );
150 }
151
152 /**
153 Checks the validity of the X.509 certificate. It is valid
154 if the current date and time are within the period specified
155 by the certificate.
156
157 The ASN.1 DER encoding is:
158
159 validity Validity,
160
161 Validity ::= SEQUENCE {
162 notBefore Time,
163 notAfter Time }
164
165 Time ::= CHOICE {
166 utcTime UTCTime,
167 generalTime GeneralizedTime }
168
169 Consult rfc2459 for more information.
170
171 @throws CertificateExpiredException if the certificate expired
172 @throws CertificateNotYetValidException if the certificate is
173 not yet valid
174 */
175 public abstract void checkValidity()
176 throws CertificateExpiredException,
177 CertificateNotYetValidException;
178
179 /**
180 Checks the validity of the X.509 certificate for the
181 specified time and date. It is valid if the specified
182 date and time are within the period specified by
183 the certificate.
184
185 @throws CertificateExpiredException if the certificate expired
186 based on the date
187 @throws CertificateNotYetValidException if the certificate is
188 not yet valid based on the date
189 */
190 public abstract void checkValidity(Date date)
191 throws CertificateExpiredException,
192 CertificateNotYetValidException;
193
194 /**
195 Returns the version of this certificate.
196
197 The ASN.1 DER encoding is:
198
199 version [0] EXPLICIT Version DEFAULT v1,
200
201 Version ::= INTEGER { v1(0), v2(1), v3(2) }
202
203 Consult rfc2459 for more information.
204
205 @return version number of certificate
206 */
207 public abstract int getVersion();
208
209 /**
210 Gets the serial number for serial Number in
211 this Certifcate. It must be a unique number
212 unique other serial numbers from the granting CA.
213
214 The ASN.1 DER encoding is:
215
216 serialNumber CertificateSerialNumber,
217
218 CertificateSerialNumber ::= INTEGER
219
220 Consult rfc2459 for more information.
221
222 @return the serial number for this X509CRLEntry.
223 */
224 public abstract BigInteger getSerialNumber();
225
226 /**
227 Returns the issuer (issuer distinguished name) of the
228 Certificate. The issuer is the entity who signed
229 and issued the Certificate.
230
231 The ASN.1 DER encoding is:
232
233 issuer Name,
234
235 Name ::= CHOICE {
236 RDNSequence }
237
238 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
239
240 RelativeDistinguishedName ::=
241 SET OF AttributeTypeAndValue
242
243 AttributeTypeAndValue ::= SEQUENCE {
244 type AttributeType,
245 value AttributeValue }
246
247 AttributeType ::= OBJECT IDENTIFIER
248
249 AttributeValue ::= ANY DEFINED BY AttributeType
250
251 DirectoryString ::= CHOICE {
252 teletexString TeletexString (SIZE (1..MAX)),
253 printableString PrintableString (SIZE (1..MAX)),
254 universalString UniversalString (SIZE (1..MAX)),
255 utf8String UTF8String (SIZE (1.. MAX)),
256 bmpString BMPString (SIZE (1..MAX)) }
257
258 Consult rfc2459 for more information.
259
260 @return the issuer in the Principal class
261 */
262 public abstract Principal getIssuerDN();
263
264 /**
265 Returns the subject (subject distinguished name) of the
266 Certificate. The subject is the entity who the Certificate
267 identifies.
268
269 The ASN.1 DER encoding is:
270
271 subject Name,
272
273 Consult rfc2459 for more information.
274
275 @return the issuer in the Principal class
276 */
277 public abstract Principal getSubjectDN();
278
279 /**
280 Returns the date that this certificate is not to be used
281 before, <I>notBefore</I>.
282
283 The ASN.1 DER encoding is:
284
285 validity Validity,
286
287 Validity ::= SEQUENCE {
288 notBefore Time,
289 notAfter Time }
290
291 Time ::= CHOICE {
292 utcTime UTCTime,
293 generalTime GeneralizedTime }
294
295 Consult rfc2459 for more information.
296
297 @return the date <I>notBefore</I>
298 */
299 public abstract Date getNotBefore();
300
301 /**
302 Returns the date that this certificate is not to be used
303 after, <I>notAfter</I>.
304
305 @return the date <I>notAfter</I>
306 */
307 public abstract Date getNotAfter();
308
309
310 /**
311 Returns the <I>tbsCertificate</I> from the certificate.
312
313 @return the DER encoded tbsCertificate
314
315 @throws CertificateEncodingException if encoding error occurred
316 */
317 public abstract byte[] getTBSCertificate() throws CertificateEncodingException;
318
319 /**
320 Returns the signature in its raw DER encoded format.
321
322 The ASN.1 DER encoding is:
323
324 signatureValue BIT STRING
325
326 Consult rfc2459 for more information.
327
328 @return byte array representing signature
329 */
330 public abstract byte[] getSignature();
331
332 /**
333 Returns the signature algorithm used to sign the CRL.
334 An examples is "SHA-1/DSA".
335
336 The ASN.1 DER encoding is:
337
338 signatureAlgorithm AlgorithmIdentifier,
339
340 AlgorithmIdentifier ::= SEQUENCE {
341 algorithm OBJECT IDENTIFIER,
342 parameters ANY DEFINED BY algorithm OPTIONAL }
343
344 Consult rfc2459 for more information.
345
346 The algorithm name is determined from the OID.
347
348 @return a string with the signature algorithm name
349 */
350 public abstract String getSigAlgName();
351
352
353 /**
354 Returns the OID for the signature algorithm used.
355 Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
356
357 The ASN.1 DER encoding for the example is:
358
359 id-dsa-with-sha1 ID ::= {
360 iso(1) member-body(2) us(840) x9-57 (10040)
361 x9cm(4) 3 }
362
363 Consult rfc2459 for more information.
364
365 @return a string containing the OID.
366 */
367 public abstract String getSigAlgOID();
368
369
370 /**
371 Returns the AlgorithmParameters in the encoded form
372 for the signature algorithm used.
373
374 If access to the parameters is need, create an
375 instance of AlgorithmParameters.
376
377 @return byte array containing algorithm parameters, null
378 if no parameters are present in certificate
379 */
380 public abstract byte[] getSigAlgParams();
381
382
383 /**
384 Returns the issuer unique ID for this certificate.
385
386 The ASN.1 DER encoding is:
387
388 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
389 -- If present, version shall be v2 or v3
390
391 UniqueIdentifier ::= BIT STRING
392
393 Consult rfc2459 for more information.
394
395 @return bit representation of <I>issuerUniqueID</I>
396 */
397 public abstract boolean[] getIssuerUniqueID();
398
399 /**
400 Returns the subject unique ID for this certificate.
401
402 The ASN.1 DER encoding is:
403
404 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
405 -- If present, version shall be v2 or v3
406
407 UniqueIdentifier ::= BIT STRING
408
409 Consult rfc2459 for more information.
410
411 @return bit representation of <I>subjectUniqueID</I>
412 */
413 public abstract boolean[] getSubjectUniqueID();
414
415 /**
416 Returns a boolean array representing the <I>KeyUsage</I>
417 extension for the certificate. The KeyUsage (OID = 2.5.29.15)
418 defines the purpose of the key in the certificate.
419
420 The ASN.1 DER encoding is:
421
422 id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
423
424 KeyUsage ::= BIT STRING {
425 digitalSignature (0),
426 nonRepudiation (1),
427 keyEncipherment (2),
428 dataEncipherment (3),
429 keyAgreement (4),
430 keyCertSign (5),
431 cRLSign (6),
432 encipherOnly (7),
433 decipherOnly (8) }
434
435 Consult rfc2459 for more information.
436
437 @return bit representation of <I>KeyUsage</I>
438 */
439 public abstract boolean[] getKeyUsage();
440
441 /**
442 Returns the certificate constraints path length from the
443 critical BasicConstraints extension, (OID = 2.5.29.19).
444
445 The basic constraints extensions is used to determine if
446 the subject of the certificate is a Certificate Authority (CA)
447 and how deep the certification path may exist. The
448 <I>pathLenConstraint</I> only takes affect if <I>cA</I>
449 is set to true. "A value of zero indicates that only an
450 end-entity certificate may follow in the path." (rfc2459)
451
452 The ASN.1 DER encoding is:
453
454 id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
455
456 BasicConstraints ::= SEQUENCE {
457 cA BOOLEAN DEFAULT FALSE,
458 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
459
460 Consult rfc2459 for more information.
461
462 @return the length of the path constraint if BasicConstraints
463 is present and cA is TRUE. Otherwise returns -1.
464 */
465 public abstract int getBasicConstraints();
466
467 // 1.4 instance methods.
468 // ------------------------------------------------------------------------
469
470 /**
471 * Returns the <code>ExtendedKeyUsage</code> extension of this
472 * certificate, or null if there is no extension present. The returned
473 * value is a {@link java.util.List} strings representing the object
474 * identifiers of the extended key usages. This extension has the OID
475 * 2.5.29.37.
476 *
477 * <p>The ASN.1 definition for this extension is:
478 *
479 * <blockquote><pre>
480 * ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
481 *
482 * KeyPurposeId ::= OBJECT IDENTIFIER
483 * </pre></blockquote>
484 *
485 * @return The list of extension OIDs, or null if there are none
486 * present in this certificate.
487 * @throws CertificateParsingException If this extension cannot be
488 * parsed from its encoded form.
489 */
490 public java.util.List getExtendedKeyUsage()
491 throws CertificateParsingException
492 {
493 throw new UnsupportedOperationException();
494 }
495
496 /**
497 * Returns the alternative names for this certificate's subject (the
498 * owner), or null if there are none.
499 *
500 * <p>This is an X.509 extension with OID 2.5.29.17 and is defined by
501 * the ASN.1 construction:
502 *
503 * <blockquote><pre>
504 * SubjectAltNames ::= GeneralNames
505 *
506 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
507 *
508 * GeneralName ::= CHOICE {
509 * otherName [0] OtherName,
510 * rfc822Name [1] IA5String,
511 * dNSName [2] IA5String,
512 * x400Address [3] ORAddress,
513 * directoryName [4] Name,
514 * ediPartyName [5] EDIPartyName,
515 * uniformResourceIdentifier [6] IA5String,
516 * iPAddress [7] OCTET STRING,
517 * registeredID [8] OBJECT IDENTIFIER
518 * }
519 * </pre></blockquote>
520 *
521 * <p>The returned collection contains one or more two-element Lists,
522 * with the first object being an Integer representing the choice
523 * above (with value 0 through 8) and the second being an (a) String
524 * if the <code>GeneralName</code> is a rfc822Name, dNSName,
525 * uniformResourceIdentifier, iPAddress, or registeredID, or (b) a
526 * byte array of the DER encoded form for any others.
527 *
528 * @return The collection of alternative names, or null if there are
529 * none.
530 * @throws CertificateParsingException If the encoded extension cannot
531 * be parsed.
532 * @since JDK 1.4
533 */
534 public java.util.Collection getSubjectAlternativeNames()
535 throws CertificateParsingException
536 {
537 throw new UnsupportedOperationException();
538 }
539
540 /**
541 * Returns the alternative names for this certificate's issuer, or
542 * null if there are none.
543 *
544 * <p>This is an X.509 extension with OID 2.5.29.18, and is defined by
545 * the ASN.1 construction:
546 *
547 * <blockquote><pre>
548 * IssuerAltNames ::= GeneralNames
549 * </pre></blockquote>
550 *
551 * <p>The <code>GeneralNames</code> construct and the form of the
552 * returned collection are the same as with {@link
553 * #getSubjectAlternativeNames()}.
554 *
555 * @return The collection of alternative names, or null if there are
556 * none.
557 * @throws CertificateParsingException If the encoded extension cannot
558 * be parsed.
559 * @since JDK 1.4
560 */
561 public java.util.Collection getIssuerAlternativeNames()
562 throws CertificateParsingException
563 {
564 throw new UnsupportedOperationException();
565 }
566
567 /**
568 * Returns the X.500 distinguished name of this certificate's subject.
569 *
570 * @return The subject's X.500 distinguished name.
571 * @since JDK 1.4
572 */
573 public javax.security.auth.x500.X500Principal getSubjectX500Principal()
574 {
575 throw new UnsupportedOperationException();
576 }
577
578 /**
579 * Returns the X.500 distinguished name of this certificate's issuer.
580 *
581 * @return The issuer's X.500 distinguished name.
582 * @since JDK 1.4
583 */
584 public javax.security.auth.x500.X500Principal getIssuerX500Principal()
585 {
586 throw new UnsupportedOperationException();
587 }
588 }