java.lang.Object
  com.sun.portal.kssl.X509Certificate

X509Certificate | public class X509Certificate implements Certificate

This class implements methods for creating X.509 certificates and accessing their attributes such as subject/issuer names, public keys and validity information. Publicly visible methods are modeled after those in the X509Certificate classes from J2SE (standard edition), but there are some differences and these are documented below.
NOTE: For now, only X.509 certificates containing RSA public keys
and signed either using md5WithRSA or sha-1WithRSA are supported.
This version of the implementation is unable to parse certificates
containing DSA keys or signed using DSA. Certificates containing
RSA keys but signed using an unsupported algorithm (e.g. RSA_MD2)
can be parsed but cannot be verified. Not all version 3 extensions are
supported (only subjectAltName, basicConstraints, keyUsage and
extendedKeyUsage are recognized) but if an unrecognized
extension is marked critical, an error notification is generated.
See Also: com.sun.kssl.HandshakeListener
Field Summary

final public static int | MISSING_PATH_LENGTH_CONSTRAINT | Indicates that no information is available on the pathLengthConstraint associated with this certificate (this could happen if the certificate is a v1 or v2 cert or a v3 cert without basicConstraints or a non-CA v3 certificate).
final public static byte | NO_ERROR | Indicates a no-error condition.
final public static byte | TYPE_DNS_NAME | DNS name alternative name type code.
final public static byte | TYPE_EMAIL_ADDRESS | Email address (RFC 822) alternative name type code.
final public static byte | TYPE_URI | URI alternative name type code.
final public static int | UNLIMITED_CERT_CHAIN_LENGTH | Indicates there is no limit to the server certificate chain length.
Constructor Summary

public | X509Certificate(byte ver, byte[] rawSerialNumber, String sub, String iss, long notBefore, long notAfter, byte[] mod, byte[] exp, byte[] chash, int pLen) | Creates an X.509 certificate with the specified attributes. This constructor is only used for creating trusted certificates.
Method Summary

public void | checkExtensions() | Checks if a certificate has any (version 3) extensions that were not properly processed, so that continued use of this certificate may be inconsistent with the issuer's intent.
public void | checkValidity() | Checks if the certificate is currently valid.
public void | checkValidity(long time) | Checks if the certificate is valid at the specified time.
public static X509Certificate | generateCertificate(byte[] buf, int off, int len) | Creates a certificate by parsing the ASN.1 DER X.509 certificate encoding in the specified buffer. NOTE: In the standard edition, equivalent functionality is provided by CertificateFactory.generateCertificate(InputStream).
public int | getBasicConstraints() | Gets the certificate constraints path length from the BasicConstraints extension.
public byte[] | getFingerprint() | Gets the MD5 fingerprint of this certificate. NOTE: this implementation returns a byte array filled with zeros if there is no fingerprint associated with this certificate.
public String | getIssuer() | Gets the name of this certificate's issuer.
public int | getKeyUsage() | Gets a 32-bit bit vector (in the form of an integer) in which each position represents a purpose for which the public key in the certificate may be used (iff that bit is set).
public long | getNotAfter() | Gets the NotAfter date from the certificate's validity period.
public long | getNotBefore() | Gets the NotBefore date from the certificate's validity period.
public PublicKey | getPublicKey() | Gets the public key from this certificate.
public String | getSerialNumber() | Gets the printable form of the serial number of this Certificate.
public String | getSigAlgName() | Gets the name of the algorithm used to sign the certificate.
public String | getSubject() | Gets the name of this certificate's subject.
public Object | getSubjectAltName() | Gets the subject alternative name or null if it was not in the certificate.
public int | getSubjectAltNameType() | Gets the type of subject alternative name.
public String | getType() | Gets the type of the Certificate.
public String | getVersion() | Gets the raw X.509 version number of this certificate.
public String | toString() | Returns a string representation of this certificate.
public void | verify(PublicKey pk) | Checks if this certificate was signed using the private key corresponding to the specified public key.
MISSING_PATH_LENGTH_CONSTRAINT | final public static int MISSING_PATH_LENGTH_CONSTRAINT | Indicates that no information is available on the pathLengthConstraint associated with this certificate (this could happen if the certificate is a v1 or v2 cert or a v3 cert without basicConstraints or a non-CA v3 certificate).

NO_ERROR | final public static byte NO_ERROR | Indicates a no-error condition.

TYPE_DNS_NAME | final public static byte TYPE_DNS_NAME | DNS name alternative name type code.

TYPE_EMAIL_ADDRESS | final public static byte TYPE_EMAIL_ADDRESS | Email address (RFC 822) alternative name type code.

TYPE_URI | final public static byte TYPE_URI | URI alternative name type code.

UNLIMITED_CERT_CHAIN_LENGTH | final public static int UNLIMITED_CERT_CHAIN_LENGTH | Indicates there is no limit to the server certificate chain length.
X509Certificate | public X509Certificate(byte ver, byte[] rawSerialNumber, String sub, String iss, long notBefore, long notAfter, byte[] mod, byte[] exp, byte[] chash, int pLen) throws Exception | Creates an X.509 certificate with the specified attributes.
This constructor is only used for creating trusted certificates.
NOTE: All signature-related values in these certificates (such as the signing algorithm and signature) are set to null, and invoking methods that access signature information, e.g. verify() and getSigAlgName(), can produce unexpected errors.
Parameters:
ver - byte containing the X.509 version
rawSerialNumber - byte array containing the serial number
sub - subject name
iss - issuer name
notBefore - start of validity period expressed in milliseconds since midnight Jan 1, 1970 UTC
notAfter - end of validity period expressed as above
mod - modulus associated with the RSA public key
exp - exponent associated with the RSA public key
chash - 16-byte MD5 hash of the certificate's ASN.1 DER encoding
pLen - the pathLenConstraint associated with a version 3 certificate. This parameter is ignored for v1 and v2 certificates. If a v3 certificate does not have basicConstraints or is not a CA cert, callers should pass MISSING_PATH_LENGTH_CONSTRAINT. If the v3 certificate has basicConstraints with cA set but pathLenConstraint is missing (indicating no limit on the certificate chain), callers should pass UNLIMITED_CERT_CHAIN_LENGTH.
exception: Exception - in case of a problem with RSA public key parameters
checkExtensions | public void checkExtensions() throws CertificateException | Checks if a certificate has any (version 3) extensions that were not properly processed, so that continued use of this certificate may be inconsistent with the issuer's intent. This may happen, for example, if the certificate has unrecognized critical extensions.
exception: CertificateException - with a reason of BAD_EXTENSIONS if there are any bad extensions
checkValidity | public void checkValidity() throws CertificateException | Checks if the certificate is currently valid. It is if the current date and time are within the certificate's validity period.
exception: CertificateException - with a reason of EXPIRED or NOT_YET_VALID
checkValidity | public void checkValidity(long time) throws CertificateException | Checks if the certificate is valid at the specified time. It is if the specified time is within the certificate's validity period.
NOTE: The standard edition provides a method with this name but it throws different types of exceptions rather than returning error codes.
Parameters: time - the time in milliseconds for which the certificate's validity is to be checked
exception: CertificateException - with a reason of EXPIRED or NOT_YET_VALID
generateCertificate | public static X509Certificate generateCertificate(byte[] buf, int off, int len) throws IOException | Creates a certificate by parsing the ASN.1 DER X.509 certificate encoding in the specified buffer.
NOTE: In the standard edition, equivalent functionality is provided by CertificateFactory.generateCertificate(InputStream).
Parameters:
buf - byte array to be read
off - offset within the byte array
len - number of bytes to be read
Returns: a certificate object corresponding to the DER encoding, or null (in case of an encoding problem)
exception: IOException - if there is a parsing error
getBasicConstraints | public int getBasicConstraints() | Gets the certificate constraints path length from the BasicConstraints extension.
The BasicConstraints extension identifies whether the subject of the certificate is a Certificate Authority (CA) and how deep a certification path may exist through the CA. The pathLenConstraint field (see below) is meaningful only if cA is set to TRUE. In this case, it gives the maximum number of CA certificates that may follow this certificate in a certification path. A value of zero indicates that only an end-entity certificate may follow in the path.
Note that for RFC 2459 this extension is always marked critical if cA is TRUE, meaning this certificate belongs to a Certificate Authority.
The ASN.1 definition for this is:
BasicConstraints ::= SEQUENCE {
    cA                 BOOLEAN DEFAULT FALSE,
    pathLenConstraint  INTEGER (0..MAX) OPTIONAL
}
Returns: MISSING_PATH_LENGTH_CONSTRAINT if the BasicConstraints extension is absent or the subject of the certificate is not a CA. If the subject of the certificate is a CA and pathLenConstraint does not appear, UNLIMITED_CERT_CHAIN_LENGTH is returned to indicate that there is no limit to the allowed length of the certification path. In all other situations, the actual value of the pathLenConstraint is returned.
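The sentinel values above only protect a client that actually enforces them. The following is an added example (not part of the kssl sources) of walking a server chain with this class: each certificate is checked for validity, critical extensions and signature, and each issuer's pathLenConstraint is compared against the number of CA certificates that sit between it and the end-entity certificate. It assumes chain[0] is the end-entity and the trust anchor was built with the trusted-certificate constructor, so the anchor itself is never verify()'d.

```java
import com.sun.portal.kssl.X509Certificate;

// Added example, not part of the kssl sources: validate a server chain with
// this class. chain[0] is the end-entity certificate, chain[i] is expected to
// be signed by chain[i+1], and the last element by the trust anchor (built
// with the trusted-certificate constructor, so it is never verify()'d itself).
public final class ChainValidator {

    public static void validate(X509Certificate[] chain, X509Certificate anchor,
                                long nowMillis) throws Exception {
        if (chain == null || chain.length == 0) {
            throw new Exception("empty certificate chain");
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            boolean issuerIsAnchor = (i + 1 == chain.length);
            X509Certificate issuer = issuerIsAnchor ? anchor : chain[i + 1];
            cert.checkValidity(nowMillis);       // EXPIRED / NOT_YET_VALID
            cert.checkExtensions();              // unrecognized critical extension
            cert.verify(issuer.getPublicKey());  // signed with the issuer's key?
            // Toward the leaf, the issuer is followed by the i CA certificates
            // chain[1..i] (none when i == 0); its pathLenConstraint must allow it.
            enforcePathLen(issuer, i, issuerIsAnchor);
        }
    }

    // caCertsBelow = number of CA certificates between issuer and end-entity.
    // A pathLenConstraint of 0 permits only the end-entity to follow.
    static void enforcePathLen(X509Certificate issuer, int caCertsBelow,
                               boolean issuerIsAnchor) throws Exception {
        int constraint = issuer.getBasicConstraints();
        if (constraint == X509Certificate.MISSING_PATH_LENGTH_CONSTRAINT) {
            // No basicConstraints, cA FALSE, or a v1/v2 cert: a non-CA intermediate
            // must never issue; the anchor is trusted by configuration instead.
            if (!issuerIsAnchor) {
                throw new Exception("non-CA certificate used as issuer: "
                                    + issuer.getSubject());
            }
            return;
        }
        if (constraint == X509Certificate.UNLIMITED_CERT_CHAIN_LENGTH) {
            return;                              // cA TRUE, no pathLenConstraint
        }
        if (caCertsBelow > constraint) {
            throw new Exception("pathLenConstraint " + constraint
                                + " exceeded below " + issuer.getSubject());
        }
    }
}
```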
getFingerprint | public byte[] getFingerprint() | Gets the MD5 fingerprint of this certificate.
NOTE: this implementation returns a byte array filled with zeros if there is no fingerprint associated with this certificate. This may happen if a null was passed to the X509Certificate constructor.
Returns: a byte array containing this certificate's MD5 hash
getIssuer | public String getIssuer() | Gets the name of this certificate's issuer.
NOTE: The corresponding method in the standard edition is getIssuerDN() and returns a Principal.
Returns: a string containing this certificate's issuer in user-friendly form
getKeyUsage | public int getKeyUsage() | Gets a 32-bit bit vector (in the form of an integer) in which each position represents a purpose for which the public key in the certificate may be used (iff that bit is set). The correspondence between bit positions and purposes is as follows:
Purpose | Bit
digitalSignature | 0
nonRepudiation | 1
keyEncipherment | 2
dataEncipherment | 3
keyAgreement | 4
keyCertSign | 5
cRLSign | 6
encipherOnly | 7
decipherOnly | 8
serverAuth | 17
clientAuth | 18
codeSigning | 19
emailProtection | 20
ipsecEndSystem | 21
ipsecTunnel | 22
ipsecUser | 23
timeStamping | 24
Returns: a bit vector indicating approved usage of the certificate public key, -1 if neither a KeyUsage nor a critical extendedKeyUsage extension is present.
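Because KeyUsage and extendedKeyUsage share one integer, a caller cannot tell "extension absent" from "extension present with no bits set" for either group, and -1 covers only the case where both are missing. The following is an added example (not kssl code) that decodes the vector with the bit positions from the table and applies a TLS-server policy that refuses a key only when a stated restriction excludes the use:

```java
import com.sun.portal.kssl.X509Certificate;

// Added example, not part of the kssl sources: interpret the bit vector that
// getKeyUsage() returns, using the bit positions tabulated above.
public final class KeyUsageBits {
    // KeyUsage bits occupy 0..8, extendedKeyUsage bits 17..24 (see table).
    public static final int DIGITAL_SIGNATURE = 1 << 0;
    public static final int KEY_ENCIPHERMENT  = 1 << 2;
    public static final int SERVER_AUTH       = 1 << 17;
    public static final int ANY_KEY_USAGE     = 0x1FF;        // bits 0..8
    public static final int ANY_EKU           = 0xFF << 17;   // bits 17..24

    private static final String[] NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
        null, null, null, null, null, null, null, null,          // bits 9..16 unused
        "serverAuth", "clientAuth", "codeSigning", "emailProtection",
        "ipsecEndSystem", "ipsecTunnel", "ipsecUser", "timeStamping" };

    // Names of the purposes set in a getKeyUsage() result, for logging.
    public static String describe(int usage) {
        if (usage == -1) return "(no KeyUsage or critical extendedKeyUsage)";
        StringBuilder sb = new StringBuilder();
        for (int bit = 0; bit < NAMES.length; bit++) {
            if (NAMES[bit] != null && (usage & (1 << bit)) != 0) {
                if (sb.length() > 0) sb.append(", ");
                sb.append(NAMES[bit]);
            }
        }
        return sb.toString();
    }

    // Policy for a TLS server certificate. The two extensions share one int,
    // so a group with no bits set is treated as "extension absent": only a
    // stated restriction can refuse the key.
    public static void requireServerUsage(X509Certificate cert) throws Exception {
        int usage = cert.getKeyUsage();
        if (usage == -1) return;                 // nothing stated, nothing to refuse
        if ((usage & ANY_KEY_USAGE) != 0
                && (usage & (DIGITAL_SIGNATURE | KEY_ENCIPHERMENT)) == 0) {
            throw new Exception("key not usable for TLS server: " + describe(usage));
        }
        if ((usage & ANY_EKU) != 0 && (usage & SERVER_AUTH) == 0) {
            throw new Exception("extendedKeyUsage omits serverAuth: " + describe(usage));
        }
    }
}
```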
getNotAfter | public long getNotAfter() | Gets the NotAfter date from the certificate's validity period.
Returns: a date after which the certificate is not valid (expiration date)

getNotBefore | public long getNotBefore() | Gets the NotBefore date from the certificate's validity period.
Returns: a date before which the certificate is not valid
getSerialNumber | public String getSerialNumber() | Gets the printable form of the serial number of this Certificate.
If the serial number within the certificate is binary, it should be formatted as a string using hexadecimal notation with each byte represented as two hex digits separated by ":" (Unicode x3A). For example, 27:56:FA:80.
Returns: a string containing the serial number in user-friendly form; NULL is returned if there is no serial number.
getSigAlgName | public String getSigAlgName() | Gets the name of the algorithm used to sign the certificate.
Returns: the name of the signature algorithm
getSubject | public String getSubject() | Gets the name of this certificate's subject.
NOTE: The corresponding method in the standard edition is getSubjectDN() and returns a Principal.
Returns: a string containing this certificate's subject in user-friendly form
getSubjectAltName | public Object getSubjectAltName() | Gets the subject alternative name or null if it was not in the certificate.
Returns: the subject alternative name, or null
getSubjectAltNameType | public int getSubjectAltNameType() | Gets the type of subject alternative name.
Returns: type of subject alternative name (one of TYPE_DNS_NAME, TYPE_EMAIL_ADDRESS, TYPE_URI)
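A client that verifies the signature chain but never compares the certificate's name against the host it intended to reach accepts any valid certificate from any server. The following is an added example (not kssl code) that uses the single alternative name this class exposes; it assumes getSubjectAltName() returns a String when the type is TYPE_DNS_NAME (the page documents the return type only as Object) and deliberately does not fall back to parsing the printable subject string.

```java
import java.util.Locale;
import com.sun.portal.kssl.X509Certificate;

// Added example, not part of the kssl sources: check that a server certificate
// names the host the client set out to reach. Assumes getSubjectAltName()
// returns a String for TYPE_DNS_NAME (the page documents the type as Object).
public final class HostnameCheck {

    public static boolean matchesHost(X509Certificate cert, String host) {
        Object san = cert.getSubjectAltName();
        if (san == null || cert.getSubjectAltNameType() != X509Certificate.TYPE_DNS_NAME) {
            return false;   // no dNSName to compare; do not guess from the subject string
        }
        return dnsNameMatches(san.toString(), host);
    }

    // Case-insensitive comparison. A single leading "*." matches exactly one
    // label, and the rest of the pattern must itself contain a dot, so that
    // "*.com" cannot match "example.com".
    static boolean dnsNameMatches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ENGLISH);
        host = host.toLowerCase(Locale.ENGLISH);
        if (!pattern.startsWith("*.")) {
            return pattern.equals(host);
        }
        String suffix = pattern.substring(2);
        int firstDot = host.indexOf('.');
        if (firstDot <= 0 || suffix.indexOf('.') < 0) {
            return false;
        }
        return suffix.equals(host.substring(firstDot + 1));
    }
}
```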
getType | public String getType() | Gets the type of the Certificate.
Returns: the type of the Certificate; the value MUST NOT be NULL.
getVersion | public String getVersion() | Gets the raw X.509 version number of this certificate. Version 1 is 0.
Returns: the X.509 logical version number (1, 2, 3) of the certificate
toString | public String toString() | Returns a string representation of this certificate.
Returns: a human-readable string representation of this certificate
verify | public void verify(PublicKey pk) throws CertificateException | Checks if this certificate was signed using the private key corresponding to the specified public key.
Parameters: pk - public key to be used for verifying the certificate signature
exception: CertificateException - if there is an error