Path: blob/master/src/java.base/share/classes/javax/security/cert/X509Certificate.java
41159 views
/*1* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/242526package javax.security.cert;2728import java.io.InputStream;29import java.lang.Class;30import java.lang.reflect.Constructor;31import java.lang.reflect.InvocationTargetException;32import java.security.Security;3334import java.math.BigInteger;35import java.security.AccessController;36import java.security.Principal;37import java.security.PrivilegedAction;38import java.security.PublicKey;39import java.util.BitSet;40import java.util.Date;4142/**43* Abstract class for X.509 v1 certificates. This provides a standard44* way to access all the version 1 attributes of an X.509 certificate.45* Attributes that are specific to X.509 v2 or v3 are not available46* through this interface. Future API evolution will provide full access to47* complete X.509 v3 attributes.48* <p>49* The basic X.509 format was defined by50* ISO/IEC and ANSI X9 and is described below in ASN.1:51* <pre>52* Certificate ::= SEQUENCE {53* tbsCertificate TBSCertificate,54* signatureAlgorithm AlgorithmIdentifier,55* signature BIT STRING }56* </pre>57* <p>58* These certificates are widely used to support authentication and59* other functionality in Internet security systems. Common applications60* include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),61* code signing for trusted software distribution, and Secure Electronic62* Transactions (SET).63* <p>64* These certificates are managed and vouched for by <em>Certificate65* Authorities</em> (CAs). CAs are services which create certificates by66* placing data in the X.509 standard format and then digitally signing67* that data. CAs act as trusted third parties, making introductions68* between principals who have no direct knowledge of each other.69* CA certificates are either signed by themselves, or by some other70* CA such as a "root" CA.71* <p>72* The ASN.1 definition of {@code tbsCertificate} is:73* <pre>74* TBSCertificate ::= SEQUENCE {75* version [0] EXPLICIT Version DEFAULT v1,76* serialNumber CertificateSerialNumber,77* signature AlgorithmIdentifier,78* issuer Name,79* validity Validity,80* subject Name,81* subjectPublicKeyInfo SubjectPublicKeyInfo,82* }83* </pre>84* <p>85* Here is sample code to instantiate an X.509 certificate:86* <pre>87* InputStream inStream = new FileInputStream("fileName-of-cert");88* X509Certificate cert = X509Certificate.getInstance(inStream);89* inStream.close();90* </pre>91* OR92* <pre>93* byte[] certData = <certificate read from a file, say>94* X509Certificate cert = X509Certificate.getInstance(certData);95* </pre>96* <p>97* In either case, the code that instantiates an X.509 certificate98* consults the value of the {@code cert.provider.x509v1} security property99* to locate the actual implementation or instantiates a default implementation.100* <p>101* The {@code cert.provider.x509v1} property is set to a default102* implementation for X.509 such as:103* <pre>104* cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl105* </pre>106* <p>107* The value of this {@code cert.provider.x509v1} property has to be108* changed to instantiate another implementation. If this security109* property is not set, a default implementation will be used.110* Currently, due to possible security restrictions on access to111* Security properties, this value is looked up and cached at class112* initialization time and will fallback on a default implementation if113* the Security property is not accessible.114*115* <p><em>Note: The classes in the package {@code javax.security.cert}116* exist for compatibility with earlier versions of the117* Java Secure Sockets Extension (JSSE). New applications should instead118* use the standard Java SE certificate classes located in119* {@code java.security.cert}.</em></p>120*121* @author Hemma Prafullchandra122* @since 1.4123* @see Certificate124* @see java.security.cert.X509Extension125* @see java.security.Security security properties126* @deprecated Use the classes in {@code java.security.cert} instead.127*/128@SuppressWarnings("removal")129@Deprecated(since="9", forRemoval=true)130public abstract class X509Certificate extends Certificate {131132/**133* Constructor for subclasses to call.134*/135public X509Certificate() {}136137/**138* Constant to lookup in the Security properties file.139* In the Security properties file the default implementation140* for X.509 v3 is given as:141* <pre>142* cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl143* </pre>144*/145private static final String X509_PROVIDER = "cert.provider.x509v1";146private static String X509Provider;147148static {149X509Provider = AccessController.doPrivileged(150new PrivilegedAction<>() {151public String run() {152return Security.getProperty(X509_PROVIDER);153}154}155);156}157158/**159* Instantiates an X509Certificate object, and initializes it with160* the data read from the input stream {@code inStream}.161* The implementation (X509Certificate is an abstract class) is162* provided by the class specified as the value of the163* {@code cert.provider.x509v1} security property.164*165* <p>Note: Only one DER-encoded166* certificate is expected to be in the input stream.167* Also, all X509Certificate168* subclasses must provide a constructor of the form:169* <pre>{@code170* public <subClass>(InputStream inStream) ...171* }</pre>172*173* @param inStream an input stream with the data to be read to174* initialize the certificate.175* @return an X509Certificate object initialized with the data176* from the input stream.177* @exception CertificateException if a class initialization178* or certificate parsing error occurs.179*/180public static final X509Certificate getInstance(InputStream inStream)181throws CertificateException {182return getInst((Object)inStream);183}184185/**186* Instantiates an X509Certificate object, and initializes it with187* the specified byte array.188* The implementation (X509Certificate is an abstract class) is189* provided by the class specified as the value of the190* {@code cert.provider.x509v1} security property.191*192* <p>Note: All X509Certificate193* subclasses must provide a constructor of the form:194* <pre>{@code195* public <subClass>(InputStream inStream) ...196* }</pre>197*198* @param certData a byte array containing the DER-encoded199* certificate.200* @return an X509Certificate object initialized with the data201* from {@code certData}.202* @exception CertificateException if a class initialization203* or certificate parsing error occurs.204*/205public static final X509Certificate getInstance(byte[] certData)206throws CertificateException {207return getInst((Object)certData);208}209210private static final X509Certificate getInst(Object value)211throws CertificateException {212/*213* This turns out not to work for now. To run under JDK1.2 we would214* need to call beginPrivileged() but we can't do that and run215* under JDK1.1.216*/217String className = X509Provider;218if (className == null || className.isEmpty()) {219// shouldn't happen, but assume corrupted properties file220// provide access to sun implementation221className = "com.sun.security.cert.internal.x509.X509V1CertImpl";222}223try {224Class<?>[] params = null;225if (value instanceof InputStream) {226params = new Class<?>[] { InputStream.class };227} else if (value instanceof byte[]) {228params = new Class<?>[] { value.getClass() };229} else230throw new CertificateException("Unsupported argument type");231Class<?> certClass = Class.forName(className);232233// get the appropriate constructor and instantiate it234Constructor<?> cons = certClass.getConstructor(params);235236// get a new instance237Object obj = cons.newInstance(new Object[] {value});238return (X509Certificate)obj;239240} catch (ClassNotFoundException e) {241throw new CertificateException("Could not find class: " + e);242} catch (IllegalAccessException e) {243throw new CertificateException("Could not access class: " + e);244} catch (InstantiationException e) {245throw new CertificateException("Problems instantiating: " + e);246} catch (InvocationTargetException e) {247throw new CertificateException("InvocationTargetException: "248+ e.getTargetException());249} catch (NoSuchMethodException e) {250throw new CertificateException("Could not find class method: "251+ e.getMessage());252}253}254255/**256* Checks that the certificate is currently valid. It is if257* the current date and time are within the validity period given in the258* certificate.259* <p>260* The validity period consists of two date/time values:261* the first and last dates (and times) on which the certificate262* is valid. It is defined in263* ASN.1 as:264* <pre>265* validity Validity266*267* Validity ::= SEQUENCE {268* notBefore CertificateValidityDate,269* notAfter CertificateValidityDate }270*271* CertificateValidityDate ::= CHOICE {272* utcTime UTCTime,273* generalTime GeneralizedTime }274* </pre>275*276* @exception CertificateExpiredException if the certificate has expired.277* @exception CertificateNotYetValidException if the certificate is not278* yet valid.279*/280public abstract void checkValidity()281throws CertificateExpiredException, CertificateNotYetValidException;282283/**284* Checks that the specified date is within the certificate's285* validity period. In other words, this determines whether the286* certificate would be valid at the specified date/time.287*288* @param date the Date to check against to see if this certificate289* is valid at that date/time.290* @exception CertificateExpiredException if the certificate has expired291* with respect to the {@code date} supplied.292* @exception CertificateNotYetValidException if the certificate is not293* yet valid with respect to the {@code date} supplied.294* @see #checkValidity()295*/296public abstract void checkValidity(Date date)297throws CertificateExpiredException, CertificateNotYetValidException;298299/**300* Gets the {@code version} (version number) value from the301* certificate. The ASN.1 definition for this is:302* <pre>303* version [0] EXPLICIT Version DEFAULT v1304*305* Version ::= INTEGER { v1(0), v2(1), v3(2) }306* </pre>307*308* @return the version number from the ASN.1 encoding, i.e. 0, 1 or 2.309*/310public abstract int getVersion();311312/**313* Gets the {@code serialNumber} value from the certificate.314* The serial number is an integer assigned by the certification315* authority to each certificate. It must be unique for each316* certificate issued by a given CA (i.e., the issuer name and317* serial number identify a unique certificate).318* The ASN.1 definition for this is:319* <pre>320* serialNumber CertificateSerialNumber321*322* CertificateSerialNumber ::= INTEGER323* </pre>324*325* @return the serial number.326*/327public abstract BigInteger getSerialNumber();328329/**330* Gets the {@code issuer} (issuer distinguished name) value from331* the certificate. The issuer name identifies the entity that signed (and332* issued) the certificate.333*334* <p>The issuer name field contains an335* X.500 distinguished name (DN).336* The ASN.1 definition for this is:337* <pre>338* issuer Name339*340* Name ::= CHOICE { RDNSequence }341* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName342* RelativeDistinguishedName ::=343* SET OF AttributeValueAssertion344*345* AttributeValueAssertion ::= SEQUENCE {346* AttributeType,347* AttributeValue }348* AttributeType ::= OBJECT IDENTIFIER349* AttributeValue ::= ANY350* </pre>351* The {@code Name} describes a hierarchical name composed of352* attributes, such as country name, and corresponding values, such as US.353* The type of the {@code AttributeValue} component is determined by354* the {@code AttributeType}; in general it will be a355* {@code directoryString}. A {@code directoryString} is usually356* one of {@code PrintableString},357* {@code TeletexString} or {@code UniversalString}.358*359* @return a Principal whose name is the issuer distinguished name.360*/361public abstract Principal getIssuerDN();362363/**364* Gets the {@code subject} (subject distinguished name) value365* from the certificate.366* The ASN.1 definition for this is:367* <pre>368* subject Name369* </pre>370*371* <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}372* and other relevant definitions.373*374* @return a Principal whose name is the subject name.375* @see #getIssuerDN()376*/377public abstract Principal getSubjectDN();378379/**380* Gets the {@code notBefore} date from the validity period of381* the certificate.382* The relevant ASN.1 definitions are:383* <pre>384* validity Validity385*386* Validity ::= SEQUENCE {387* notBefore CertificateValidityDate,388* notAfter CertificateValidityDate }389*390* CertificateValidityDate ::= CHOICE {391* utcTime UTCTime,392* generalTime GeneralizedTime }393* </pre>394*395* @return the start date of the validity period.396* @see #checkValidity()397*/398public abstract Date getNotBefore();399400/**401* Gets the {@code notAfter} date from the validity period of402* the certificate. See {@link #getNotBefore() getNotBefore}403* for relevant ASN.1 definitions.404*405* @return the end date of the validity period.406* @see #checkValidity()407*/408public abstract Date getNotAfter();409410/**411* Gets the signature algorithm name for the certificate412* signature algorithm. An example is the string "SHA-1/DSA".413* The ASN.1 definition for this is:414* <pre>415* signatureAlgorithm AlgorithmIdentifier416*417* AlgorithmIdentifier ::= SEQUENCE {418* algorithm OBJECT IDENTIFIER,419* parameters ANY DEFINED BY algorithm OPTIONAL }420* -- contains a value of the type421* -- registered for use with the422* -- algorithm object identifier value423* </pre>424*425* <p>The algorithm name is determined from the {@code algorithm}426* OID string.427*428* @return the signature algorithm name.429*/430public abstract String getSigAlgName();431432/**433* Gets the signature algorithm OID string from the certificate.434* An OID is represented by a set of positive whole numbers separated435* by periods.436* For example, the string "1.2.840.10040.4.3" identifies the SHA-1437* with DSA signature algorithm, as per the PKIX part I.438*439* <p>See {@link #getSigAlgName() getSigAlgName} for440* relevant ASN.1 definitions.441*442* @return the signature algorithm OID string.443*/444public abstract String getSigAlgOID();445446/**447* Gets the DER-encoded signature algorithm parameters from this448* certificate's signature algorithm. In most cases, the signature449* algorithm parameters are null; the parameters are usually450* supplied with the certificate's public key.451*452* <p>See {@link #getSigAlgName() getSigAlgName} for453* relevant ASN.1 definitions.454*455* @return the DER-encoded signature algorithm parameters, or456* null if no parameters are present.457*/458public abstract byte[] getSigAlgParams();459}460461462