codec.x509
Class X509Certificate

java.lang.Object
  |
  +--java.security.cert.Certificate
        |
        +--java.security.cert.X509Certificate
              |
              +--codec.x509.X509Certificate
All Implemented Interfaces:
ASN1Type, Externalizable, Serializable, X509Extension

public class X509Certificate
extends X509Certificate
implements ASN1Type, Externalizable

Implements an X.509v3 certificate according to the following ASN.1 data structure:

 Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signatureValue       BIT STRING
 }
 
If you want to create a certificate, follow these steps:
  • create a X509TBSCertificate object and fill it with sensible data
  • call the X509Certificate(X509TBSCertificate) constructor and pass the tbsCertificate as an argument
  • call setSignature with a pre-computed signature of the tbsCertificate (or let one of the sign methods compute it, as in the example below)
  • getEncoded() will return the DER-encoded certificate as a byte array.

    Example:

     PrivateKey CASigningKey = ...;
     X509Certificate CASignatureCert = ...;
     PublicKey subjectPublicKey = ...;
     Name issuerDN = new Name("cn=My CA, c=DE");
     Name subjectDN = new Name("cn=Myself, c=DE");
     Calendar validFrom = ...;
     Calendar validUntil = ...;
     X509TBSCertificate tbs = new X509TBSCertificate();
     tbs.setSerialNumber(new BigInteger("1"));
     tbs.setSubjectPublicKey(subjectPublicKey);
     tbs.setSubjectDN(subjectDN);
     tbs.setIssuerDN(issuerDN);
     tbs.setNotBefore(validFrom);
     tbs.setNotAfter(validUntil);
     X509Certificate theCert = new X509Certificate(tbs);
     Signature mySig = Signature.getInstance(...);
     mySig.initSign(CASigningKey);
     theCert.sign(mySig, CASignatureCert);
     

    Author:
    Markus Tak
    See Also:
    Serialized Form

    Inner classes inherited from class java.security.cert.Certificate
    Certificate.CertificateRep
     
    Constructor Summary
    X509Certificate()
              Constructor that builds the data structure
    X509Certificate(byte[] cert)
              Constructor upon a DER-encoded byte array
    X509Certificate(InputStream in)
              Constructor upon an InputStream
    X509Certificate(X509TBSCertificate tbs)
              Constructor upon a TBSCertificate.
     
    Method Summary
     void addExtension(X509Extension ext)
              Adds an extension to this certificate.
     void checkConstraints()
              From interface ASN1Type
     void checkValidity()
              From java.security.cert.X509Certificate.
     void checkValidity(Calendar now)
              Checks the validity period of this certificate against the given Calendar instance.
     void checkValidity(Date date)
              From java.security.cert.X509Certificate.
     void decode(Decoder dec)
              From interface ASN1Type
     void encode(Encoder enc)
              From interface ASN1Type
     int getBasicConstraints()
              From java.security.cert.X509Certificate.
     Constraint getConstraint()
              From interface ASN1Type
     Set getCriticalExtensionOIDs()
              From java.security.cert.X509Extension.
     byte[] getEncoded()
              returns the DER-encoded bytearray of this certificate
     Collection getExtensions()
              Returns a Collection containing all extensions
     byte[] getExtensionValue(String ex)
              From java.security.cert.X509Extension.
     Principal getIssuerDN()
              From java.security.cert.X509Certificate.
     boolean[] getIssuerUniqueID()
              From java.security.cert.X509Certificate.
     boolean[] getKeyUsage()
              From java.security.cert.X509Certificate.
     Set getNonCriticalExtensionOIDs()
              From java.security.cert.X509Extension.
     Date getNotAfter()
              From java.security.cert.X509Certificate.
     Date getNotBefore()
              From java.security.cert.X509Certificate.
     PublicKey getPublicKey()
              From java.security.cert.X509Certificate.
     BigInteger getSerialNumber()
              From java.security.cert.X509Certificate.
     String getSigAlgName()
              From java.security.cert.X509Certificate.
     String getSigAlgOID()
              From java.security.cert.X509Certificate.
     byte[] getSigAlgParams()
              From java.security.cert.X509Certificate.
     byte[] getSignature()
              From java.security.cert.X509Certificate.
     Principal getSubjectDN()
              From java.security.cert.X509Certificate.
     boolean[] getSubjectUniqueID()
              From java.security.cert.X509Certificate.
     int getTag()
              From interface ASN1Type
     int getTagClass()
              From interface ASN1Type
     byte[] getTBSCertificate()
              From java.security.cert.X509Certificate.
     byte[] getTBSCertificate(AlgorithmIdentifier sigalg)
              Returns the to-be-signed (TBS) part of this certificate, meaning the byte-array that initializes the signature algorithm.
     Object getValue()
              From interface ASN1Type
     int getVersion()
              Returns the version of this X509 certificate (0=v1, 1=v2, 2=v3)
     X509TBSCertificate getX509TBSCertificate()
              Returns the TBSCertificate block as an object.
     boolean hasUnsupportedCriticalExtension()
              From java.security.cert.X509Extension.
     boolean isExplicit()
              From interface ASN1Type
     boolean isOptional()
              From interface ASN1Type
     boolean isType(int eins, int zwei)
              From interface ASN1Type
     void readExternal(ObjectInput s)
               
     void setConstraint(Constraint c)
              From interface ASN1Type
     void setExplicit(boolean ex)
              From interface ASN1Type
     void setOptional(boolean opt)
              From interface ASN1Type
     void setSignature(byte[] nsig)
              Sets the signature
     void setSignatureAlgorithm(AlgorithmIdentifier aid)
              sets the signature algorithm
     void setTBSCertificate(X509TBSCertificate tbs)
              Sets the TBS ("to-be-signed") part of this certificate.
     void sign(Signature sig, PublicKey signerPub)
              This method implements an easy way to sign your certificate.
     void sign(Signature sig, X509Certificate cert)
              This method implements an easy way to sign your certificate.
     String toString()
              human-readable String representation of this certificate
     void verify(PublicKey key)
              with this method, the certificate can be verified in an easy, but less secure way.
     void verify(PublicKey key, String pro)
              with this method, the certificate can be verified in an easy, but less secure way.
     void writeExternal(ObjectOutput s)
               
     
    Methods inherited from class java.security.cert.Certificate
    equals, getType, hashCode, writeReplace
     
    Methods inherited from class java.lang.Object
    clone, finalize, getClass, notify, notifyAll, wait, wait, wait
     

    Constructor Detail

    X509Certificate

    public X509Certificate()
    Constructor that builds the data structure

    X509Certificate

    public X509Certificate(byte[] cert)
                    throws CertificateEncodingException
    Constructor upon a DER-encoded byte array

    X509Certificate

    public X509Certificate(InputStream in)
                    throws CertificateEncodingException
    Constructor upon an InputStream

    X509Certificate

    public X509Certificate(X509TBSCertificate tbs)
    Constructor upon a TBSCertificate. Use this one if you want to create a certificate.
    Method Detail

    setConstraint

    public void setConstraint(Constraint c)
    From interface ASN1Type
    Specified by:
    setConstraint in interface ASN1Type
    Following copied from interface: codec.asn1.ASN1Type
    Parameters:
    o - The constraint to set.

    getConstraint

    public Constraint getConstraint()
    From interface ASN1Type
    Specified by:
    getConstraint in interface ASN1Type
    Following copied from interface: codec.asn1.ASN1Type
    Returns:
    The Constraint or null.

    addExtension

    public void addExtension(X509Extension ext)
    Adds an extension to this certificate. Version info is updated automatically to "V3"
    Parameters:
    ext - the Extension to be added

    checkConstraints

    public void checkConstraints()
                          throws ConstraintException
    From interface ASN1Type
    Specified by:
    checkConstraints in interface ASN1Type
    Following copied from interface: codec.asn1.ASN1Type
    See Also:
    Constraint, ConstraintCollection

    checkValidity

    public void checkValidity()
                       throws CertificateExpiredException,
                              CertificateNotYetValidException
    From java.security.cert.X509Certificate. Checks the validity period of this certificate against the actual date. The actual date is obtained via Calendar.getInstance(GMT).
    Overrides:
    checkValidity in class X509Certificate
    Throws:
    CertificateExpiredException -  
    CertificateNotYetValidException -  

    checkValidity

    public void checkValidity(Date date)
                       throws CertificateExpiredException,
                              CertificateNotYetValidException
    From java.security.cert.X509Certificate. Checks the validity period of this certificate against the given date.
    Overrides:
    checkValidity in class X509Certificate
    Parameters:
    date - Date to be checked against the validity period of this certificate
    Throws:
    CertificateExpiredException - if the certificate has expired
    CertificateNotYetValidException - if the certificate is not valid yet.

    checkValidity

    public void checkValidity(Calendar now)
                       throws CertificateExpiredException,
                              CertificateNotYetValidException
    Checks the validity period of this certificate against the given Calendar instance.
    Parameters:
    now - Calendar to be checked against the validity period of this certificate
    Throws:
    CertificateExpiredException - if the certificate has expired
    CertificateNotYetValidException - if the certificate is not valid yet.

    decode

    public void decode(Decoder dec)
                throws ASN1Exception,
                       IOException
    From interface ASN1Type
    Specified by:
    decode in interface ASN1Type

    encode

    public void encode(Encoder enc)
                throws ASN1Exception,
                       IOException
    From interface ASN1Type
    Specified by:
    encode in interface ASN1Type

    getBasicConstraints

    public int getBasicConstraints()
    From java.security.cert.X509Certificate. Returns the value of the pathLenConstraint in a Basic Constraints extension if present and cA is set to true. If the Basic Constraints extension (OID 2.5.29.19) is not present in this certificate, null is returned. Note that the return type is a primitive int, which cannot carry null; check the implementation for the sentinel value actually used when the extension is absent before relying on it in a CA check.
     BasicConstraints ::= SEQUENCE {
     cA                  BOOLEAN DEFAULT FALSE,
      pathLenConstraint   INTEGER (0..MAX) OPTIONAL
     }
     
    Overrides:
    getBasicConstraints in class X509Certificate
    Returns:
    the value of pathLenConstraint if present and cA set to true or null if the extension is not present

    getCriticalExtensionOIDs

    public Set getCriticalExtensionOIDs()
    From java.security.cert.X509Extension. Gets a Set of Strings containing the OIDs of all extensions present that are marked as critical.
    Overrides:
    getCriticalExtensionOIDs in class X509Certificate

    getEncoded

    public byte[] getEncoded()
                      throws CertificateEncodingException
    returns the DER-encoded bytearray of this certificate
    Overrides:
    getEncoded in class Certificate

    getExtensions

    public Collection getExtensions()
    Returns a Collection containing all extensions

    getExtensionValue

    public byte[] getExtensionValue(String ex)
    From java.security.cert.X509Extension. Gets the value of the extension denoted by the OID ex, or null if not present.
    Overrides:
    getExtensionValue in class X509Certificate

    getIssuerDN

    public Principal getIssuerDN()
    From java.security.cert.X509Certificate. Returns this certificate's issuer as a Principal.
    Overrides:
    getIssuerDN in class X509Certificate

    getIssuerUniqueID

    public boolean[] getIssuerUniqueID()
    From java.security.cert.X509Certificate. Returns the issuer's Unique ID or null if not present.
    Overrides:
    getIssuerUniqueID in class X509Certificate

    getKeyUsage

    public boolean[] getKeyUsage()
    From java.security.cert.X509Certificate. Returns the bits of the KeyUsage extension (OID 2.5.29.15) if present in this certificate or null otherwise.
     KeyUsage ::= BIT STRING {
            digitalSignature        (0),
            nonRepudiation          (1),
            keyEncipherment         (2),
            dataEncipherment        (3),
            keyAgreement            (4),
            keyCertSign             (5),
            cRLSign                 (6),
            encipherOnly            (7),
            decipherOnly            (8)
     }
     
    Overrides:
    getKeyUsage in class X509Certificate
    Returns:
    the key usage bits if present in this certificate, otherwise null.

    getNonCriticalExtensionOIDs

    public Set getNonCriticalExtensionOIDs()
    From java.security.cert.X509Extension. Gets a Set of Strings containing the OIDs of all extensions present that are marked as non-critical.
    Overrides:
    getNonCriticalExtensionOIDs in class X509Certificate

    getNotAfter

    public Date getNotAfter()
    From java.security.cert.X509Certificate. Returns the Date after which this certificate is not valid anymore.
    Overrides:
    getNotAfter in class X509Certificate

    getNotBefore

    public Date getNotBefore()
    From java.security.cert.X509Certificate. Returns the Date before which this certificate is not valid.
    Overrides:
    getNotBefore in class X509Certificate

    getPublicKey

    public PublicKey getPublicKey()
    From java.security.cert.X509Certificate. Returns the Public Key inside this certificate
    Overrides:
    getPublicKey in class Certificate

    getSerialNumber

    public BigInteger getSerialNumber()
    From java.security.cert.X509Certificate. Returns the Serial Number of this certificate
    Overrides:
    getSerialNumber in class X509Certificate

    getSigAlgName

    public String getSigAlgName()
    From java.security.cert.X509Certificate. Returns the Java-compliant Algorithm Name of the signature algorithm.
    Overrides:
    getSigAlgName in class X509Certificate

    getSigAlgOID

    public String getSigAlgOID()
    From java.security.cert.X509Certificate. Returns the Object Identifier (OID) of the signature algorithm.
    Overrides:
    getSigAlgOID in class X509Certificate

    getSigAlgParams

    public byte[] getSigAlgParams()
    From java.security.cert.X509Certificate. Returns the Algorithm Parameters for the signature algorithm in a DER encoded form.
    Overrides:
    getSigAlgParams in class X509Certificate

    getSignature

    public byte[] getSignature()
    From java.security.cert.X509Certificate. Returns the signature of this certificate.
    Overrides:
    getSignature in class X509Certificate

    getSubjectDN

    public Principal getSubjectDN()
    From java.security.cert.X509Certificate. Returns this certificate's subject as a Principal.
    Overrides:
    getSubjectDN in class X509Certificate

    getSubjectUniqueID

    public boolean[] getSubjectUniqueID()
    From java.security.cert.X509Certificate. Returns the subject's Unique ID or null if not present.
    Overrides:
    getSubjectUniqueID in class X509Certificate

    getTag

    public int getTag()
    From interface ASN1Type
    Specified by:
    getTag in interface ASN1Type

    getTagClass

    public int getTagClass()
    From interface ASN1Type
    Specified by:
    getTagClass in interface ASN1Type

    getTBSCertificate

    public byte[] getTBSCertificate()
                             throws CertificateEncodingException
    From java.security.cert.X509Certificate. Returns the to-be-signed (TBS) part of this certificate, meaning the byte-array that initializes the signature algorithm. If you want to access methods or field inside TBSCertificate, you should use getX509TBSCertificate instead.
    Overrides:
    getTBSCertificate in class X509Certificate

    getX509TBSCertificate

    public X509TBSCertificate getX509TBSCertificate()
    Returns the TBSCertificate block as an object. If you just want the encoded TBSCertificate (in order to compute or verify a signature), you should use getTBSCertificate instead.

    getTBSCertificate

    public byte[] getTBSCertificate(AlgorithmIdentifier sigalg)
                             throws CertificateEncodingException
    Returns the to-be-signed (TBS) part of this certificate, meaning the byte array that initializes the signature algorithm. This variant is intended for issuing a certificate: the signature algorithm must be set in the TBS structure before it is encoded, because the signature field of TBSCertificate is part of the signed bytes.
    Parameters:
    sigalg - AlgorithmID of the signature algorithm, or null when verifying an existing certificate
    Throws:
    CertificateEncodingException - if TBSCertificate could not be encoded

    getValue

    public Object getValue()
    From interface ASN1Type
    Specified by:
    getValue in interface ASN1Type

    getVersion

    public int getVersion()
    Returns the version of this X509 certificate (0=v1, 1=v2, 2=v3)
    Overrides:
    getVersion in class X509Certificate

    hasUnsupportedCriticalExtension

    public boolean hasUnsupportedCriticalExtension()
    From java.security.cert.X509Extension. Returns true if this certificate contains any extension being marked as critical but not supported by this implementation.

    Currently, this method always returns false, since extensions are managed in an abstract way. Callers that must reject certificates carrying unrecognised critical extensions therefore have to inspect getCriticalExtensionOIDs() themselves.

    Overrides:
    hasUnsupportedCriticalExtension in class X509Certificate

    isExplicit

    public boolean isExplicit()
    From interface ASN1Type
    Specified by:
    isExplicit in interface ASN1Type

    isOptional

    public boolean isOptional()
    From interface ASN1Type
    Specified by:
    isOptional in interface ASN1Type

    isType

    public boolean isType(int eins,
                          int zwei)
    From interface ASN1Type
    Specified by:
    isType in interface ASN1Type
    Following copied from interface: codec.asn1.ASN1Type
    Parameters:
    tag - The tag to match.
    tagclass - The tag class to match.
    Returns:
    true if this type matches the given tag and tag class.

    setExplicit

    public void setExplicit(boolean ex)
    From interface ASN1Type
    Specified by:
    setExplicit in interface ASN1Type

    setTBSCertificate

    public void setTBSCertificate(X509TBSCertificate tbs)
    Sets the TBS ("to-be-signed") part of this certificate. Note that no cloning is done, so side effects may occur!

    setOptional

    public void setOptional(boolean opt)
    From interface ASN1Type
    Specified by:
    setOptional in interface ASN1Type

    setSignature

    public void setSignature(byte[] nsig)
    Sets the signature

    setSignatureAlgorithm

    public void setSignatureAlgorithm(AlgorithmIdentifier aid)
    sets the signature algorithm
    Parameters:
    aid - AlgorithmID of the signature algorithm

    toString

    public String toString()
    human-readable String representation of this certificate
    Overrides:
    toString in class Certificate

    verify

    public void verify(PublicKey key)
                throws CertificateException,
                       NoSuchAlgorithmException,
                       InvalidKeyException,
                       NoSuchProviderException,
                       SignatureException
    With this method, the certificate can be verified in an easy, but less secure way. If the highest security is to be obtained, getTBSCertificate() and getSignature() should be used along with external verification code.
    Overrides:
    verify in class Certificate
    Parameters:
    key - the issuer's public key to verify the TBS certificate

    verify

    public void verify(PublicKey key,
                       String pro)
                throws CertificateException,
                       NoSuchAlgorithmException,
                       InvalidKeyException,
                       NoSuchProviderException,
                       SignatureException
    With this method, the certificate can be verified in an easy, but less secure way. If the highest security is to be obtained, getTBSCertificate() and getSignature() should be used along with external verification code.
    Overrides:
    verify in class Certificate
    Parameters:
    key - the issuer's public key to verify the TBS certificate
    pro - Provider to be used for signature mechanism
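The "external verification" route that both verify methods recommend, as an added example that is not part of codec or of this page: one issuer-to-subject step of chain validation using only the accessors documented above plus the standard java.security.Signature engine. It assumes Java 9+ (for Set.of), that the library's Name/Principal implements equals() by DN value, and that getBasicConstraints() follows the JDK convention of returning -1 for a certificate that is not a CA; the class name IssuerCheck and the method checkSignedBy are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.util.Calendar;
import java.util.Set;
import codec.x509.X509Certificate;

/** Added example, not part of codec: one issuer-to-subject step of chain validation. */
public final class IssuerCheck {

    /** Critical extensions this checker understands: Basic Constraints and Key Usage. */
    private static final Set<String> KNOWN_CRITICAL = Set.of("2.5.29.19", "2.5.29.15");

    private IssuerCheck() {}

    /** Returns normally only when every check passes; otherwise throws. */
    public static void checkSignedBy(X509Certificate subject, X509Certificate issuer, Calendar now)
            throws GeneralSecurityException {
        // 1. Both certificates must be inside their validity period at 'now'.
        issuer.checkValidity(now);
        subject.checkValidity(now);

        // 2. Name chaining (assumes the library's Name/Principal implements equals() by DN value).
        if (!subject.getIssuerDN().equals(issuer.getSubjectDN())) {
            throw new CertificateException("issuer DN does not match the signer's subject DN");
        }

        // 3. The issuer must be a CA. getBasicConstraints() yields pathLenConstraint only when
        //    cA is TRUE; an int cannot be null, so this assumes the JDK convention of -1 for
        //    "not a CA" (assumption: confirm against your codec version).
        if (issuer.getBasicConstraints() < 0) {
            throw new CertificateException("issuer lacks a cA=TRUE Basic Constraints extension");
        }

        // 4. If the issuer carries a KeyUsage extension, keyCertSign (bit 5) must be set.
        boolean[] ku = issuer.getKeyUsage();
        if (ku != null && (ku.length <= 5 || !ku[5])) {
            throw new CertificateException("issuer KeyUsage does not permit keyCertSign");
        }

        // 5. hasUnsupportedCriticalExtension() always returns false in this implementation,
        //    so reject unknown critical extensions here instead of relying on it.
        Set<?> critical = subject.getCriticalExtensionOIDs();
        if (critical != null) {
            for (Object oid : critical) {
                if (!KNOWN_CRITICAL.contains(oid)) {
                    throw new CertificateException("unsupported critical extension " + oid);
                }
            }
        }

        // 6. The external verification the verify() documentation recommends: check the
        //    signature over the DER-encoded TBSCertificate with the issuer's public key.
        Signature engine = Signature.getInstance(subject.getSigAlgName());
        engine.initVerify(issuer.getPublicKey());
        engine.update(subject.getTBSCertificate());
        if (!engine.verify(subject.getSignature())) {
            throw new SignatureException("signature over TBSCertificate does not verify");
        }
    }
}
```

Load both certificates with the X509Certificate(InputStream) constructor and pass Calendar.getInstance(TimeZone.getTimeZone("GMT")) as now, matching the clock source the no-argument checkValidity() uses.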

    sign

    public void sign(Signature sig,
                     PublicKey signerPub)
              throws SignatureException,
                     CertificateEncodingException,
                     NoSuchAlgorithmException,
                     InvalidAlgorithmParameterException
    This method implements an easy way to sign your certificate. Note that the TBSCertificate must be set before calling this method.
    Parameters:
    sig - a Signature engine that is initialized for signing with the appropriate private key
    signerPub - the signer's public key
    Throws:
    SignatureException - if the signature could not be done
    CertificateEncodingException - if an error occurred during tbsCertificate encoding
    NoSuchAlgorithmException - if the public key's algorithm or the signature algorithm is not available
    InvalidAlgorithmParameterException - if signature algorithm parameters could not be encoded correctly

    sign

    public void sign(Signature sig,
                     X509Certificate cert)
              throws SignatureException,
                     CertificateEncodingException,
                     NoSuchAlgorithmException,
                     InvalidAlgorithmParameterException
    This method implements an easy way to sign your certificate. Note that the TBSCertificate must be set before calling this method.
    Parameters:
    sig - a Signature engine that is initialized for signing with the appropriate private key
    cert - the signer's signature certificate
    Throws:
    SignatureException - if the signature could not be done
    CertificateEncodingException - if an error occurred during tbsCertificate encoding
    NoSuchAlgorithmException - if the public key's algorithm or the signature algorithm is not available
    InvalidAlgorithmParameterException - if signature algorithm parameters could not be encoded correctly

    writeExternal

    public void writeExternal(ObjectOutput s)
                       throws IOException
    Specified by:
    writeExternal in interface Externalizable

    readExternal

    public void readExternal(ObjectInput s)
                      throws IOException
    Specified by:
    readExternal in interface Externalizable


    Copyright © Fraunhofer Gesellschaft. All Rights Reserved.