Class X509CertSelector

java.lang.Object
java.security.cert.X509CertSelector
All Implemented Interfaces:
Cloneable, CertSelector
Direct Known Subclasses:
X509CertStoreSelector

public class X509CertSelector
extends Object
implements CertSelector
A certificate selector (CertSelector) for selecting X509Certificates that match the specified criteria. Every criterion left at null is skipped; a certificate matches only if it satisfies all criteria that have been set.
  • Constructor Details

    • X509CertSelector

      public X509CertSelector()
      Creates a new X509CertSelector.
  • Method Details

    • setCertificate

      public void setCertificate​(X509Certificate certificate)
      Sets the certificate that a matching certificate must be equal to.
      Parameters:
      certificate - the certificate to match, or null to not check this criteria.
    • getCertificate

      public X509Certificate getCertificate()
      Returns the certificate that a matching certificate must be equal to.
      Returns:
      the certificate to match, or null if this criteria is not checked.
    • setSerialNumber

      public void setSerialNumber​(BigInteger serialNumber)
      Sets the serial number that a certificate must match.
      Parameters:
      serialNumber - the serial number to match, or null to not check the serial number.
    • getSerialNumber

      public BigInteger getSerialNumber()
      Returns the serial number that a certificate must match.
      Returns:
      the serial number to match, or null if the serial number is not to be checked.
    • setIssuer

      public void setIssuer​(X500Principal issuer)
      Sets the issuer that a certificate must match.
      Parameters:
      issuer - the issuer to match, or null if the issuer is not to be checked.
    • getIssuer

      public X500Principal getIssuer()
      Returns the issuer that a certificate must match.
      Returns:
      the issuer that a certificate must match, or null if the issuer is not to be checked.
    • setIssuer

      public void setIssuer​(String issuerName) throws IOException
      Do not use; use setIssuer(X500Principal) or setIssuer(byte[]) instead. Sets the issuer that a certificate must match.
      Parameters:
      issuerName - the issuer as an RFC 2253 format string, or null to not check the issuer.
      Throws:
      IOException - if parsing the issuer fails.
    • getIssuerAsString

      public String getIssuerAsString()
      Do not use; use getIssuer() or getIssuerAsBytes() instead. Returns the issuer that a certificate must match, as an RFC 2253 format string.
      Returns:
      the issuer as an RFC 2253 format string, or null if the issuer is not to be checked.
    • setIssuer

      public void setIssuer​(byte[] issuerDN) throws IOException
      Sets the issuer that a certificate must match.
      Parameters:
      issuerDN - the distinguished issuer name in ASN.1 DER encoded format, or null to not check the issuer.
      Throws:
      IOException - if decoding the issuer fails.
    • getIssuerAsBytes

      public byte[] getIssuerAsBytes() throws IOException
      Returns the issuer that a certificate must match.
      Returns:
      the distinguished issuer name in ASN.1 DER encoded format, or null if the issuer is not to be checked.
      Throws:
      IOException - if encoding the issuer fails.
    • setSubject

      public void setSubject​(X500Principal subject)
      Set the subject that a certificate must match.
      Parameters:
      subject - the subject distinguished name or null to not check the subject.
    • getSubject

      public X500Principal getSubject()
      Returns the subject that a certificate must match.
      Returns:
      the subject distinguished name, or null if the subject is not to be checked.
    • setSubject

      public void setSubject​(String subjectDN) throws IOException
      Do not use; use setSubject(X500Principal) or setSubject(byte[]) instead. Sets the subject that a certificate must match.
      Parameters:
      subjectDN - the subject distinguished name in RFC 2253 format, or null to not check the subject.
      Throws:
      IOException - if parsing the subject fails.
    • getSubjectAsString

      public String getSubjectAsString()
      Do not use; use getSubject() or getSubjectAsBytes() instead. Returns the subject that a certificate must match, as an RFC 2253 format string.
      Returns:
      the subject distinguished name in RFC 2253 format, or null if the subject is not to be checked.
    • setSubject

      public void setSubject​(byte[] subjectDN) throws IOException
      Sets the subject that a certificate must match.
      Parameters:
      subjectDN - the subject distinguished name in ASN.1 DER format, or null to not check the subject.
      Throws:
      IOException - if decoding the subject fails.
    • getSubjectAsBytes

      public byte[] getSubjectAsBytes() throws IOException
      Returns the subject that a certificate must match.
      Returns:
      the subject distinguished name in ASN.1 DER format, or null if the subject is not to be checked.
      Throws:
      IOException - if encoding the subject fails.
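As an added example (not code from this page or its project), the following uses the X500Principal overloads of setSubject and setIssuer to find the issuer of an end-entity certificate among a pool of candidates, and to look a certificate up by issuer and serial number, the pair a CRL entry or a CMS SignerIdentifier uses to reference it. The file paths, the class name and the PEM format of the inputs are assumptions of the example; the "Collection" CertStore is the standard JCA one.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Assumed usage: java FindIssuer leaf.pem candidates.pem
 * Both files are assumed to be PEM; candidates.pem may hold several concatenated certificates.
 */
public class FindIssuer {

    /** Reads every X.509 certificate in a PEM (or single DER) file. */
    static List<X509Certificate> load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /** "A CA certificate whose subject is the leaf's issuer DN and that was valid when the leaf was issued." */
    static X509CertSelector issuerSelector(X509Certificate leaf) {
        X509CertSelector sel = new X509CertSelector();
        // Hand the DN over as an X500Principal so it is compared on its encoding.
        // Round-tripping it through an RFC 2253 string (the "do not use" overloads)
        // can change attribute string types or escaping and silently fail to match.
        sel.setSubject(leaf.getIssuerX500Principal());
        // Must carry a basic constraints extension marking it a CA (pathLen >= 0).
        sel.setBasicConstraints(0);
        // Must allow keyCertSign, bit 5 of the KeyUsage bit string.
        boolean[] keyCertSign = new boolean[9];
        keyCertSign[5] = true;
        sel.setKeyUsage(keyCertSign);
        // Must have been valid at the leaf's notBefore.
        sel.setCertificateValid(leaf.getNotBefore());
        return sel;
    }

    /** The (issuer, serialNumber) pair is how CRL entries and CMS signatures refer to a certificate. */
    static X509CertSelector byIssuerAndSerial(X500Principal issuer, BigInteger serial) {
        X509CertSelector sel = new X509CertSelector();
        sel.setIssuer(issuer);
        sel.setSerialNumber(serial);
        return sel;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate leaf = load(args[0]).get(0);
        List<X509Certificate> candidates = load(args[1]);

        // A "Collection" CertStore runs the selector's match() over every candidate.
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates));
        Collection<? extends Certificate> hits = store.getCertificates(issuerSelector(leaf));

        for (Certificate c : hits) {
            X509Certificate ca = (X509Certificate) c;
            // The selector only narrows candidates by name and extensions;
            // the signature check is what actually establishes the issuer.
            try {
                leaf.verify(ca.getPublicKey());
                System.out.println("issuer: " + ca.getSubjectX500Principal());
            } catch (Exception e) {
                System.out.println("DN matches but signature does not verify: "
                        + ca.getSubjectX500Principal());
            }
        }
        if (hits.isEmpty()) {
            System.out.println("no CA candidate matched " + leaf.getIssuerX500Principal());
        }

        // Exact lookup by issuer DN and serial number.
        Collection<? extends Certificate> same = store.getCertificates(
                byIssuerAndSerial(leaf.getIssuerX500Principal(), leaf.getSerialNumber()));
        System.out.println("candidates with the leaf's issuer and serial: " + same.size());
    }
}
```

A selector match is a filter, not a proof: two CAs can legitimately share a DN across key rollovers, and an attacker-controlled store can contain a certificate with any DN. The signature verification after selection is what ties the leaf to the candidate.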
    • setSubjectKeyIdentifier

      public void setSubjectKeyIdentifier​(byte[] subjectKeyIdentifier)
      Sets the criterion for the SubjectKeyIdentifier extension.

      The subjectKeyIdentifier should be a single DER encoded value.

      Parameters:
      subjectKeyIdentifier - the subject key identifier or null to disable this check.
    • getSubjectKeyIdentifier

      public byte[] getSubjectKeyIdentifier()
      Returns the criterion for the SubjectKeyIdentifier extension.
      Returns:
      the subject key identifier or null if it is not to be checked.
    • setAuthorityKeyIdentifier

      public void setAuthorityKeyIdentifier​(byte[] authorityKeyIdentifier)
      Sets the criterion for the AuthorityKeyIdentifier extension.
      Parameters:
      authorityKeyIdentifier - the authority key identifier, or null to disable this check.
    • getAuthorityKeyIdentifier

      public byte[] getAuthorityKeyIdentifier()
      Returns the criterion for the AuthorityKeyIdentifier extension.
      Returns:
      the authority key identifier, or null if it is not to be checked.
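The two key identifier criteria are compared as raw bytes, so they must be supplied in the form the extension itself carries. The following helper, added here as an example and not taken from the page or its project, extracts those values from a certificate. It assumes the convention of the JDK reference implementation, consistent with the "single DER encoded value" wording above: the byte array is the DER value found inside the extension, i.e. what X509Certificate.getExtensionValue(String) returns minus its encapsulating OCTET STRING. It also derives the issuer's SubjectKeyIdentifier criterion from a certificate's AuthorityKeyIdentifier, which is how a path builder tells apart CAs that kept one DN across several key pairs. Class and method names are the example's own.

```java
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public final class KeyIdCriteria {
    static final String OID_SKI = "2.5.29.14";   // id-ce-subjectKeyIdentifier
    static final String OID_AKI = "2.5.29.35";   // id-ce-authorityKeyIdentifier

    /** Header of one DER TLV: tag byte, content length and offset of the content. */
    static final class Tlv {
        final int tag, length, contentOffset;
        Tlv(int tag, int length, int contentOffset) {
            this.tag = tag; this.length = length; this.contentOffset = contentOffset;
        }
    }

    /** Parses the TLV header at offset, accepting short- and long-form lengths of up to 4 bytes. */
    static Tlv header(byte[] der, int offset) {
        int tag = der[offset] & 0xff;
        int first = der[offset + 1] & 0xff;
        if (first < 0x80) {
            return new Tlv(tag, first, offset + 2);
        }
        int n = first & 0x7f;
        if (n == 0 || n > 4) {
            throw new IllegalArgumentException("unsupported DER length encoding");
        }
        int len = 0;
        for (int i = 0; i < n; i++) {
            len = (len << 8) | (der[offset + 2 + i] & 0xff);
        }
        if (len < 0 || offset + 2 + n + len > der.length) {
            throw new IllegalArgumentException("DER length exceeds buffer");
        }
        return new Tlv(tag, len, offset + 2 + n);
    }

    /** Unwraps the TLV at the start of der, whose tag must be expectedTag, and returns its content. */
    static byte[] content(byte[] der, int expectedTag) {
        Tlv t = header(der, 0);
        if (t.tag != expectedTag) {
            throw new IllegalArgumentException(
                    String.format("expected tag 0x%02x, found 0x%02x", expectedTag, t.tag));
        }
        return Arrays.copyOfRange(der, t.contentOffset, t.contentOffset + t.length);
    }

    /** Inner DER value of an extension: getExtensionValue() without the encapsulating OCTET STRING. */
    static byte[] extensionBody(X509Certificate cert, String oid) {
        byte[] wrapped = cert.getExtensionValue(oid);
        return wrapped == null ? null : content(wrapped, 0x04);
    }

    /** Criterion for setSubjectKeyIdentifier(): the DER OCTET STRING "04 len keyId" of the SKI extension. */
    static byte[] skiCriterion(X509Certificate cert) {
        return extensionBody(cert, OID_SKI);
    }

    /** Criterion for setAuthorityKeyIdentifier(): the DER AuthorityKeyIdentifier SEQUENCE of the AKI extension. */
    static byte[] akiCriterion(X509Certificate cert) {
        return extensionBody(cert, OID_AKI);
    }

    /**
     * SKI criterion the issuer of cert must satisfy, taken from the keyIdentifier [0]
     * IMPLICIT OCTET STRING of the cert's AuthorityKeyIdentifier. Returns null when the
     * cert has no AKI or the AKI identifies the issuer only by name and serial number.
     */
    static byte[] issuerSkiCriterion(X509Certificate cert) {
        byte[] aki = akiCriterion(cert);
        if (aki == null) {
            return null;
        }
        byte[] fields = content(aki, 0x30);                 // contents of the SEQUENCE
        if (fields.length == 0 || (fields[0] & 0xff) != 0x80) {
            return null;                                     // first field is not keyIdentifier [0]
        }
        byte[] keyId = content(fields, 0x80);
        if (keyId.length > 127) {
            throw new IllegalArgumentException("key identifier too long for short-form length");
        }
        byte[] ski = new byte[2 + keyId.length];             // re-tag as universal OCTET STRING
        ski[0] = 0x04;
        ski[1] = (byte) keyId.length;
        System.arraycopy(keyId, 0, ski, 2, keyId.length);
        return ski;
    }

    /** Selector for the certificate that issued cert: by DN and, when available, by key identifier. */
    static X509CertSelector issuerOf(X509Certificate cert) {
        X509CertSelector sel = new X509CertSelector();
        sel.setSubject(cert.getIssuerX500Principal());
        sel.setSubjectKeyIdentifier(issuerSkiCriterion(cert));   // null simply disables the check
        return sel;
    }

    /** Selector for every certificate issued under the same CA key as cert (same issuer DN and AKI). */
    static X509CertSelector issuedByTheSameKeyAs(X509Certificate cert) {
        X509CertSelector sel = new X509CertSelector();
        sel.setIssuer(cert.getIssuerX500Principal());
        sel.setAuthorityKeyIdentifier(akiCriterion(cert));
        return sel;
    }
}
```

Passing getExtensionValue() output straight to setSubjectKeyIdentifier() is the usual mistake: the extra OCTET STRING layer makes the byte comparison fail for every certificate, so the selector silently matches nothing.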
    • setCertificateValid

      public void setCertificateValid​(Date certificateValid)
      Sets the criterion for the validity date of the certificate.

      The certificate must be valid at the specified date.

      Parameters:
      certificateValid - the validity date or null to not check the date.
    • getCertificateValid

      public Date getCertificateValid()
      Returns the criterion for the validity date of the certificate.
      Returns:
      the validity date or null if the date is not to be checked.
    • setPrivateKeyValid

      public void setPrivateKeyValid​(Date privateKeyValid)
      Sets the criterion for the validity date of the private key, i.e. for the PrivateKeyUsagePeriod extension.

      The specified date must fall within the certificate's private key usage period.

      Parameters:
      privateKeyValid - the validity date or null to not check the date.
    • getPrivateKeyValid

      public Date getPrivateKeyValid()
      Returns the criterion for the validity date of the private key.

      The private key must be valid at the specified date.

      Returns:
      the validity date or null if the date is not to be checked.
    • setSubjectPublicKeyAlgID

      public void setSubjectPublicKeyAlgID​(String oid) throws IOException
      Sets the criterion for the subject public key algorithm.

      The certificate must contain a subject public key whose algorithm identifier (the algorithm field of SubjectPublicKeyInfo) has the specified OID.

      Parameters:
      oid - the OID (object identifier) of the public key algorithm, for example 1.2.840.113549.1.1.1 for rsaEncryption, or null to not check the OID.
      Throws:
      IOException - if the specified object identifier is invalid.
    • getSubjectPublicKeyAlgID

      public String getSubjectPublicKeyAlgID()
      Returns the criterion for the subject public key algorithm.
      Returns:
      the OID (object identifier) of the public key algorithm, or null if it is not to be checked.
    • setSubjectPublicKey

      public void setSubjectPublicKey​(PublicKey key)
      Sets the criterion for the subject public key.
      Parameters:
      key - the subject public key or null to not check the key.
    • setSubjectPublicKey

      public void setSubjectPublicKey​(byte[] key) throws IOException
      Sets the criterion for the subject public key.
      Parameters:
      key - the subject public key in ASN.1 DER encoded format or null to not check the key.
      Throws:
      IOException - if decoding the public key fails.
    • getSubjectPublicKey

      public PublicKey getSubjectPublicKey()
      Returns the criterion for the subject public key.
      Returns:
      the subject public key or null if the key is not to be checked.
    • setKeyUsage

      public void setKeyUsage​(boolean[] keyUsage)
      Sets the criterion for the KeyUsage extension.
      Parameters:
      keyUsage - the boolean array in the format as returned by X509Certificate.getKeyUsage(), or null to not check the key usage.
    • getKeyUsage

      public boolean[] getKeyUsage()
      Returns the criterion for the KeyUsage extension.
      Returns:
      the boolean array in the format as returned by X509Certificate.getKeyUsage(), or null if the key usage is not to be checked.
    • setExtendedKeyUsage

      public void setExtendedKeyUsage​(Set<String> keyUsage) throws IOException
      Sets the criterion for the ExtendedKeyUsage extension.
      Parameters:
      keyUsage - the set of key usage OIDs, or null to not check it.
      Throws:
      IOException - if one of the OIDs is invalid.
    • getExtendedKeyUsage

      public Set<String> getExtendedKeyUsage()
      Returns the criterion for the ExtendedKeyUsage extension.
      Returns:
      the set of key usage OIDs, or null if it's not to be checked.
    • setMatchAllSubjectAltNames

      public void setMatchAllSubjectAltNames​(boolean matchAllNames)
      Sets the flag for the matching behavior for subject alternative names.

      The flag indicates whether a certificate must contain all or at least one of the subject alternative names specified by setSubjectAlternativeNames(java.util.Collection<java.util.List<?>>) or addSubjectAlternativeName(int, java.lang.String).

      Parameters:
      matchAllNames - true if a certificate must contain all of the specified subject alternative names, otherwise false.
    • getMatchAllSubjectAltNames

      public boolean getMatchAllSubjectAltNames()
      Returns the flag for the matching behavior for subject alternative names.

      The flag indicates whether a certificate must contain all or at least one of the subject alternative names specified by setSubjectAlternativeNames(java.util.Collection<java.util.List<?>>) or addSubjectAlternativeName(int, java.lang.String).

      Returns:
      true if a certificate must contain all of the specified subject alternative names, otherwise false.
    • setSubjectAlternativeNames

      public void setSubjectAlternativeNames​(Collection<List<?>> names) throws IOException
      Sets the criterion for subject alternative names.

      The certificate must contain all or at least one of the specified subject alternative names, depending on the flag set with setMatchAllSubjectAltNames(boolean) and returned by getMatchAllSubjectAltNames().

      The specified parameter names is a collection with an entry for each name to be included in the criterion. Each name is specified as a List: the first entry must be an Integer specifying the name type (the GeneralName tag, 0-8), the second entry must be a String or a byte array specifying the name (in string or ASN.1 DER encoded form, respectively).

      Parameters:
      names - the names collection or null to not perform this check.
      Throws:
      IOException - if the decoding of a name fails.
    • addSubjectAlternativeName

      public void addSubjectAlternativeName​(int tag, String name) throws IOException
      Adds a subject alternative name to the respective criterion.
      Parameters:
      tag - the type of the name (the GeneralName tag, 0-8).
      name - the name in string format.
      Throws:
      IOException - if parsing the name fails.
    • addSubjectAlternativeName

      public void addSubjectAlternativeName​(int tag, byte[] name) throws IOException
      Adds a subject alternative name to the respective criterion.
      Parameters:
      tag - the type of the name (the GeneralName tag, 0-8).
      name - the name in ASN.1 DER encoded form.
      Throws:
      IOException - if the decoding of the name fails.
    • getSubjectAlternativeNames

      public Collection<List<?>> getSubjectAlternativeNames()
      Returns the criterion for subject alternative names.

      The certificate must contain all or at least one of the specified subject alternative names, depending on the flag returned by getMatchAllSubjectAltNames().

      The subject alternative names is a collection with an entry for each name included in the criterion. Each name is specified as a List: the first entry is an Integer specifying the name type (the GeneralName tag, 0-8), the second entry is a byte array specifying the name in ASN.1 DER encoded form.

      Returns:
      the names collection or null if none specified.
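The key usage, extended key usage and subject alternative name criteria are typically combined to pick the certificate to present for a given peer. The following, added as an example and not code from the page or its project, selects an end-entity TLS server certificate for a host name (and optionally an IP literal) and shows the matchAllSubjectAltNames flag in use. One caveat is built in: in the JDK reference implementation a certificate that has no KeyUsage or ExtendedKeyUsage extension satisfies those criteria, since there is nothing in it to contradict them; treat that as an assumption about any other implementation and enforce the extensions explicitly, as the post-filter below does. Class and method names are the example's own.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Set;

public final class ServerCertSelection {
    static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";   // id-kp-serverAuth
    static final int GN_DNS = 2, GN_IP = 7;                      // GeneralName CHOICE tags
    static final int KU_DIGITAL_SIGNATURE = 0;                   // KeyUsage bit index

    /** End-entity certificates presentable for host (and optionally ipLiteral) that are valid at the given instant. */
    static X509CertSelector serverCertFor(String host, String ipLiteral, Date at) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        sel.setBasicConstraints(-2);                 // end-entity certificates only
        sel.setCertificateValid(at);

        // Bits set here must be set in the certificate; bits left false are not constrained.
        boolean[] ku = new boolean[9];
        ku[KU_DIGITAL_SIGNATURE] = true;             // what TLS 1.3 server authentication needs
        sel.setKeyUsage(ku);
        sel.setExtendedKeyUsage(Set.of(EKU_SERVER_AUTH));

        // One matching SAN is enough; with the default (true) a certificate would
        // have to carry both the DNS name and the IP address.
        sel.setMatchAllSubjectAltNames(false);
        sel.addSubjectAlternativeName(GN_DNS, host);
        if (ipLiteral != null) {
            sel.addSubjectAlternativeName(GN_IP, ipLiteral);
        }
        return sel;
    }

    /**
     * Explicit-extension rule applied after selection: both extensions must be present
     * and the EKU must name serverAuth. anyExtendedKeyUsage is deliberately not accepted.
     */
    static boolean declaresServerAuth(X509Certificate cert) throws CertificateParsingException {
        List<String> eku = cert.getExtendedKeyUsage();
        if (cert.getKeyUsage() == null || eku == null) {
            return false;
        }
        return eku.contains(EKU_SERVER_AUTH);
    }

    /** Runs the selector and the explicit-extension rule over a set of candidates. */
    static List<X509Certificate> usableServerCerts(Collection<X509Certificate> candidates,
                                                   String host, String ipLiteral, Date at)
            throws IOException, CertificateParsingException {
        X509CertSelector sel = serverCertFor(host, ipLiteral, at);
        List<X509Certificate> out = new ArrayList<>();
        for (X509Certificate c : candidates) {
            if (sel.match(c) && declaresServerAuth(c)) {
                out.add(c);
            }
        }
        return out;
    }
}
```

The SAN criterion matches the name as given; it does not expand wildcards or apply the host-name matching rules of RFC 6125, so a certificate for *.example.com is not selected for www.example.com by this selector.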
    • setNameConstraints

      public void setNameConstraints​(byte[] bytes) throws IOException
      Sets the criterion for the name constraints.

      The certificate's subject and subject alternative names must satisfy the specified name constraints.

      The name constraints in ASN.1:

       NameConstraints ::= SEQUENCE {
              permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
              excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
      
       GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
      
       GeneralSubtree ::= SEQUENCE {
              base                    GeneralName,
              minimum         [0]     BaseDistance DEFAULT 0,
              maximum         [1]     BaseDistance OPTIONAL }
      
       BaseDistance ::= INTEGER (0..MAX)
      
       GeneralName ::= CHOICE {
              otherName                       [0]     OtherName,
              rfc822Name                      [1]     IA5String,
              dNSName                         [2]     IA5String,
              x400Address                     [3]     ORAddress,
              directoryName                   [4]     Name,
              ediPartyName                    [5]     EDIPartyName,
              uniformResourceIdentifier       [6]     IA5String,
              iPAddress                       [7]     OCTET STRING,
              registeredID                    [8]     OBJECT IDENTIFIER}
      
       
      Parameters:
      bytes - the name constraints in ASN.1 DER encoded format, or null to not check any constraints.
      Throws:
      IOException - if decoding the name constraints fails.
    • getNameConstraints

      public byte[] getNameConstraints()
      Returns the criterion for the name constraints.
      Returns:
      the name constraints or null if none specified.
      See Also:
      setNameConstraints(byte[])
    • setBasicConstraints

      public void setBasicConstraints​(int pathLen)
      Sets the criterion for the basic constraints extension.

      A value greater than or equal to zero indicates that a certificate must include a basic constraints extension with a path length of at least that value. A value of -2 indicates that only end-entity certificates are accepted. A value of -1 indicates that no check is done.

      Parameters:
      pathLen - the value specifying the criterion.
      Throws:
      IllegalArgumentException - if pathLen is less than -2.
    • getBasicConstraints

      public int getBasicConstraints()
      Returns the criterion for the basic constraints extension.

      A value greater than or equal to zero indicates that a certificate must include a basic constraints extension with a path length of at least that value. A value of -2 indicates that only end-entity certificates are accepted. A value of -1 indicates that no check is done.

      Returns:
      the value of the criterion.
    • setPolicy

      public void setPolicy​(Set<String> policies) throws IOException
      Sets the criterion for the policy constraint.

      The certificate must include at least one of the specified policies in its certificate policies extension. For an empty set the certificate must include a certificate policies extension with at least one policy.

      Parameters:
      policies - the certificate policy OIDs, an empty set, or null to not perform this check.
      Throws:
      IOException - if parsing the specified OIDs fails.
    • getPolicy

      public Set<String> getPolicy()
      Returns the criterion for the policy constraint.

      The certificate must include at least one of the specified policies in its certificate policies extension. For an empty set the certificate must include a certificate policies extension with at least one policy.

      Returns:
      the certificate policy OIDs, an empty set, or null if not to be checked.
    • addPathToName

      public void addPathToName​(int type, String name) throws IOException
      Adds a "pathToName" to the respective criterion.
      Parameters:
      type - the type of the name (the GeneralName tag, 0-8).
      name - the name in string format.
      Throws:
      IOException - if parsing fails.
      See Also:
      setPathToNames(java.util.Collection<java.util.List<?>>)
    • setPathToNames

      public void setPathToNames​(Collection<List<?>> names) throws IOException
      Sets the criterion for the pathToNames constraint.

      This specifies the complete set of names that a certificate's name constraints must permit: the certificate must not include name constraints that would prohibit building a path to the specified names.

      The specified parameter names is a collection with an entry for each name to be included in the criterion. Each name is specified as a List: the first entry must be an Integer specifying the name type (the GeneralName tag, 0-8), the second entry must be a String or a byte array specifying the name (in string or ASN.1 DER encoded form, respectively).

      Parameters:
      names - the names collection or null to not perform this check.
      Throws:
      IOException - if decoding fails.
    • addPathToName

      public void addPathToName​(int type, byte[] name) throws IOException
      Adds a "pathToName" to the respective criterion.
      Parameters:
      type - the type of the name (the GeneralName tag, 0-8).
      name - the name in ASN.1 DER encoded form.
      Throws:
      IOException - if decoding fails.
      See Also:
      setPathToNames(java.util.Collection<java.util.List<?>>)
    • getPathToNames

      public Collection<List<?>> getPathToNames()
      Returns the criterion for the pathToNames constraint.

      The constraint is a collection with an entry for each name to be included in the criterion. The name is specified as a List, the first entry is an Integer specifying the name type (0-8), the second entry is a byte array specifying the name in ASN.1 DER encoded form.

      Returns:
      the pathToNames constraint or null if none specified.
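setNameConstraints and setPathToNames pull in opposite directions: the first checks a candidate's own names against constraints you supply, the second checks the names you supply against the candidate's own NameConstraints extension. The following, added as an example and not code from the page or its project, encodes the NameConstraints structure shown above by hand with a minimal DER writer (the module uses IMPLICIT tags, so the context tags replace the inner SEQUENCE and IA5String tags) and builds one selector of each kind. The example names and the class and method names are the example's own.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509CertSelector;
import java.util.List;

public final class NameConstraintSelectors {
    static final int GN_RFC822 = 1, GN_DNS = 2, GN_URI = 6;   // IA5String choices of GeneralName

    /** DER TLV with short- or long-form length. */
    static byte[] tlv(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);
        } else {
            int n = (32 - Integer.numberOfLeadingZeros(len) + 7) / 8;   // bytes needed for len
            out.write(0x80 | n);
            for (int i = n - 1; i >= 0; i--) {
                out.write((len >>> (8 * i)) & 0xff);
            }
        }
        out.write(content, 0, content.length);
        return out.toByteArray();
    }

    static byte[] concat(List<byte[]> parts) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] p : parts) {
            out.write(p, 0, p.length);
        }
        return out.toByteArray();
    }

    /** GeneralName for rfc822Name [1], dNSName [2] or uniformResourceIdentifier [6]; context tag 0x80|choice replaces the IA5String tag. */
    static byte[] ia5GeneralName(int choice, String value) {
        if (choice != GN_RFC822 && choice != GN_DNS && choice != GN_URI) {
            throw new IllegalArgumentException("not an IA5String GeneralName choice: " + choice);
        }
        for (int i = 0; i < value.length(); i++) {
            if (value.charAt(i) > 0x7f) {
                throw new IllegalArgumentException("IA5String must be ASCII: " + value);
            }
        }
        return tlv(0x80 | choice, value.getBytes(StandardCharsets.US_ASCII));
    }

    /** GeneralSubtree ::= SEQUENCE { base GeneralName }; minimum keeps its DEFAULT 0, maximum is omitted as RFC 5280 requires. */
    static byte[] generalSubtree(byte[] generalName) {
        return tlv(0x30, generalName);
    }

    /** NameConstraints with [0] permitted and [1] excluded subtrees; an empty list leaves its component out (SIZE (1..MAX)). */
    static byte[] nameConstraints(List<byte[]> permitted, List<byte[]> excluded) {
        if (permitted.isEmpty() && excluded.isEmpty()) {
            throw new IllegalArgumentException("at least one subtree list is required");
        }
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        if (!permitted.isEmpty()) {
            byte[] p = tlv(0xA0, concat(permitted));   // [0] IMPLICIT SEQUENCE OF GeneralSubtree
            body.write(p, 0, p.length);
        }
        if (!excluded.isEmpty()) {
            byte[] e = tlv(0xA1, concat(excluded));    // [1] IMPLICIT SEQUENCE OF GeneralSubtree
            body.write(e, 0, e.length);
        }
        return tlv(0x30, body.toByteArray());
    }

    /** setNameConstraints(): keep only candidates whose subject and SANs fall under example.com and not under evil.example.com. */
    static X509CertSelector namesWithinExampleCom() throws IOException {
        List<byte[]> permitted = List.of(
                generalSubtree(ia5GeneralName(GN_DNS, "example.com")),
                generalSubtree(ia5GeneralName(GN_RFC822, "example.com")));
        List<byte[]> excluded = List.of(
                generalSubtree(ia5GeneralName(GN_DNS, "evil.example.com")));
        X509CertSelector sel = new X509CertSelector();
        sel.setNameConstraints(nameConstraints(permitted, excluded));
        return sel;
    }

    /** addPathToName(): keep only CA candidates whose own NameConstraints (if any) still permit issuing for host and mailbox. */
    static X509CertSelector caAllowedToIssueFor(String host, String mailbox) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        sel.setBasicConstraints(0);                // CA certificate with pathLenConstraint >= 0
        sel.addPathToName(GN_DNS, host);
        sel.addPathToName(GN_RFC822, mailbox);
        return sel;
    }
}
```

For a single permitted dNSName of example.com the encoder yields 30 11 A0 0F 30 0D 82 0B followed by the eleven ASCII bytes of the name, which is the shape the extension has in real certificates and a quick way to check a hand-built constraint before handing it to the selector.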
    • toString

      public String toString()
      Returns a string representation of this X509CertSelector instance.
      Overrides:
      toString in class Object
      Returns:
      a string representation of this X509CertSelector instance.
    • match

      public boolean match​(Certificate certificate)
      Returns whether the specified certificate matches all the criteria collected in this instance.
      Specified by:
      match in interface CertSelector
      Parameters:
      certificate - the certificate to check.
      Returns:
      true if the certificate matches all the criteria, otherwise false.
    • clone

      public Object clone()
      Clones this X509CertSelector instance.
      Specified by:
      clone in interface CertSelector
      Overrides:
      clone in class Object
      Returns:
      the cloned instance.