Class X509Certificate

java.lang.Object
java.security.cert.Certificate
java.security.cert.X509Certificate
All Implemented Interfaces:
Serializable, X509Extension
Direct Known Subclasses:
OpenSSLX509Certificate, X509CertificateObject, X509CertImpl

public abstract class X509Certificate
extends Certificate
implements X509Extension
Abstract base class for X.509 certificates.

This represents a standard way for accessing the attributes of X.509 certificates.

The basic X.509 v3 format described in ASN.1:

 Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }

 TBSCertificate  ::=  SEQUENCE  {
      version         [0]  EXPLICIT Version DEFAULT v1,
      serialNumber         CertificateSerialNumber,
      signature            AlgorithmIdentifier,
      issuer               Name,
      validity             Validity,
      subject              Name,
      subjectPublicKeyInfo SubjectPublicKeyInfo,
      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                           -- If present, version must be v2 or v3
      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                           -- If present, version must be v2 or v3
      extensions      [3]  EXPLICIT Extensions OPTIONAL
                           -- If present, version must be v3
      }
 

For more information consult RFC 2459 "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" at http://www.ietf.org/rfc/rfc2459.txt.

See Also:
Serialized Form
  • Constructor Details

    • X509Certificate

      protected X509Certificate()
      Creates a new X509Certificate.
  • Method Details

    • checkValidity

      public abstract void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException
      Checks whether the certificate is currently valid.

      The validity defined in ASN.1:

       validity             Validity
      
       Validity ::= SEQUENCE {
            notBefore       CertificateValidityDate,
            notAfter        CertificateValidityDate }
      
       CertificateValidityDate ::= CHOICE {
            utcTime         UTCTime,
            generalTime     GeneralizedTime }
       
      Throws:
      CertificateExpiredException - if the certificate has expired.
      CertificateNotYetValidException - if the certificate is not yet valid.
    • checkValidity

public abstract void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException
      Checks whether the certificate is valid at the specified date.
      Parameters:
      date - the date to check the validity against.
      Throws:
      CertificateExpiredException - if the certificate has expired.
      CertificateNotYetValidException - if the certificate is not yet valid.
      See Also:
      checkValidity()
    • getVersion

      public abstract int getVersion()
Returns the certificate's version (version number).

      The version defined in ASN.1:

       Version ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
       
      Returns:
      the version number.
    • getSerialNumber

      public abstract BigInteger getSerialNumber()
      Returns the serialNumber of the certificate.

      The ASN.1 definition of serialNumber:

       CertificateSerialNumber  ::=  INTEGER
       
      Returns:
      the serial number.
    • getIssuerDN

      public abstract Principal getIssuerDN()
Returns the issuer (issuer distinguished name) as an implementation-specific Principal object.

      The ASN.1 definition of issuer:

        issuer      Name
      
        Name ::= CHOICE {
            RDNSequence }
      
          RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
      
          RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
      
          AttributeTypeAndValue ::= SEQUENCE {
            type     AttributeType,
            value    AttributeValue }
      
          AttributeType ::= OBJECT IDENTIFIER
      
          AttributeValue ::= ANY DEFINED BY AttributeType
       
Replaced by: getIssuerX500Principal().
      Returns:
      the issuer as an implementation-specific Principal.
    • getIssuerX500Principal

      public X500Principal getIssuerX500Principal()
      Returns the issuer (issuer distinguished name) as an X500Principal.
      Returns:
      the issuer (issuer distinguished name).
    • getSubjectDN

      public abstract Principal getSubjectDN()
Returns the subject (subject distinguished name) as an implementation-specific Principal object.

      The ASN.1 definition of subject:

       subject      Name
      
        Name ::= CHOICE {
            RDNSequence }
      
          RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
      
          RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
      
          AttributeTypeAndValue ::= SEQUENCE {
            type     AttributeType,
            value    AttributeValue }
      
          AttributeType ::= OBJECT IDENTIFIER
      
          AttributeValue ::= ANY DEFINED BY AttributeType
       

Replaced by: getSubjectX500Principal().

      Returns:
      the subject (subject distinguished name).
    • getSubjectX500Principal

      public X500Principal getSubjectX500Principal()
      Returns the subject (subject distinguished name) as an X500Principal.
      Returns:
      the subject (subject distinguished name)
    • getNotBefore

      public abstract Date getNotBefore()
      Returns the notBefore date from the validity period of the certificate.
      Returns:
      the start of the validity period.
    • getNotAfter

      public abstract Date getNotAfter()
      Returns the notAfter date of the validity period of the certificate.
      Returns:
      the end of the validity period.
    • getTBSCertificate

      public abstract byte[] getTBSCertificate() throws CertificateEncodingException
      Returns the tbsCertificate information from this certificate in DER-encoded format.
      Returns:
      the DER-encoded certificate information.
      Throws:
      CertificateEncodingException - if an error occurs in encoding
    • getSignature

      public abstract byte[] getSignature()
      Returns the raw signature bits from the certificate.
      Returns:
      the raw signature bits from the certificate.
    • getSigAlgName

      public abstract String getSigAlgName()
      Returns the name of the algorithm for the certificate signature.
      Returns:
      the signature algorithm name.
    • getSigAlgOID

      public abstract String getSigAlgOID()
      Returns the OID of the signature algorithm from the certificate.
      Returns:
      the OID of the signature algorithm.
    • getSigAlgParams

      public abstract byte[] getSigAlgParams()
      Returns the parameters of the signature algorithm in DER-encoded format.
      Returns:
      the parameters of the signature algorithm, or null if none are used.
    • getIssuerUniqueID

      public abstract boolean[] getIssuerUniqueID()
      Returns the issuerUniqueID from the certificate.
      Returns:
      the issuerUniqueID or null if there's none in the certificate.
    • getSubjectUniqueID

      public abstract boolean[] getSubjectUniqueID()
      Returns the subjectUniqueID from the certificate.
      Returns:
      the subjectUniqueID or null if there's none in the certificate.
    • getKeyUsage

      public abstract boolean[] getKeyUsage()
      Returns the KeyUsage extension as a boolean array.

      The ASN.1 definition of KeyUsage:

       KeyUsage ::= BIT STRING {
            digitalSignature        (0),
            nonRepudiation          (1),
            keyEncipherment         (2),
            dataEncipherment        (3),
            keyAgreement            (4),
            keyCertSign             (5),
            cRLSign                 (6),
            encipherOnly            (7),
            decipherOnly            (8) }
      
       
      Returns:
      the KeyUsage extension or null if there's none in the certificate.
    • getExtendedKeyUsage

      public List<String> getExtendedKeyUsage() throws CertificateParsingException
      Returns a read-only list of OID strings representing the ExtKeyUsageSyntax field of the extended key usage extension.
      Returns:
      the extended key usage extension, or null if there's none in the certificate.
      Throws:
      CertificateParsingException - if the extension decoding fails.
    • getBasicConstraints

      public abstract int getBasicConstraints()
Returns the path length of the certificate constraints from the BasicConstraints extension. If the certificate has no basic constraints or is not a certificate authority, -1 is returned. If the certificate is a certificate authority without a path length, Integer.MAX_VALUE is returned. Otherwise, the certificate authority's path length is returned.
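As an added example (not part of this API documentation), the following Java code combines the getKeyUsage() bit positions from the KeyUsage definition above with the three getBasicConstraints() return cases to decide whether a certificate may issue further certificates at a given depth of a chain. The class name CaCheck and the sample boolean arrays are constructed for illustration.

```java
import java.security.cert.X509Certificate;

public final class CaCheck {
    // Bit positions follow the KeyUsage BIT STRING: keyCertSign is bit 5, cRLSign bit 6.
    static final int KEY_CERT_SIGN = 5;

    /**
     * Decides whether a CA certificate may issue the next certificate in a path.
     *
     * @param keyUsage         the getKeyUsage() array, or null when the extension is absent
     * @param basicConstraints the getBasicConstraints() result
     * @param caCertsBelow     how many further (non-self-issued) CA certificates follow it
     */
    static boolean mayIssue(boolean[] keyUsage, int basicConstraints, int caCertsBelow) {
        // -1: no BasicConstraints extension, or cA is not asserted. Never an issuer.
        if (basicConstraints < 0) return false;
        // Integer.MAX_VALUE: cA=TRUE without a pathLenConstraint, so any depth is allowed.
        // Any other value is the pathLenConstraint: the maximum number of CA certificates
        // that may still follow this one in the path.
        if (basicConstraints != Integer.MAX_VALUE && caCertsBelow > basicConstraints) return false;
        // When KeyUsage is present, the keyCertSign bit must be set for a certificate-signing
        // key. A null array means the extension is absent and imposes no restriction here.
        if (keyUsage != null && (keyUsage.length <= KEY_CERT_SIGN || !keyUsage[KEY_CERT_SIGN])) return false;
        return true;
    }

    /** The same decision taken straight from a parsed certificate. */
    static boolean mayIssue(X509Certificate ca, int caCertsBelow) {
        return mayIssue(ca.getKeyUsage(), ca.getBasicConstraints(), caCertsBelow);
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for getKeyUsage() results: bits 5 and 6
        // (keyCertSign, cRLSign) for a CA; bits 0 and 2 (digitalSignature, keyEncipherment) for a leaf.
        boolean[] caUsage = {false, false, false, false, false, true, true, false, false};
        boolean[] leafUsage = {true, false, true, false, false, false, false, false, false};
        System.out.println("CA, no pathLen, 3 CAs below:   " + mayIssue(caUsage, Integer.MAX_VALUE, 3));
        System.out.println("CA, pathLen 0, issuing a leaf: " + mayIssue(caUsage, 0, 0));
        System.out.println("CA, pathLen 0, one CA below:   " + mayIssue(caUsage, 0, 1));
        System.out.println("leaf, no BasicConstraints:     " + mayIssue(leafUsage, -1, 0));
        System.out.println("cA=TRUE but no keyCertSign:    " + mayIssue(leafUsage, Integer.MAX_VALUE, 0));
    }
}
```

The last case matters in practice: a certificate flagged cA=TRUE whose KeyUsage lacks keyCertSign is not a valid issuer, and checking only getBasicConstraints() would accept it.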
    • getSubjectAlternativeNames

      public Collection<List<?>> getSubjectAlternativeNames() throws CertificateParsingException
      Returns a read-only list of the subject alternative names from the SubjectAltName extension.

      The ASN.1 definition of SubjectAltName:

       SubjectAltName ::= GeneralNames
      
       GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
      
       GeneralName ::= CHOICE {
            otherName                       [0]     AnotherName,
            rfc822Name                      [1]     IA5String,
            dNSName                         [2]     IA5String,
            x400Address                     [3]     ORAddress,
            directoryName                   [4]     Name,
            ediPartyName                    [5]     EDIPartyName,
            uniformResourceIdentifier       [6]     IA5String,
            iPAddress                       [7]     OCTET STRING,
            registeredID                    [8]     OBJECT IDENTIFIER }
      
       
      Returns:
      the subject alternative names or null if there are none in the certificate.
      Throws:
      CertificateParsingException - if decoding of the extension fails.
    • getIssuerAlternativeNames

      public Collection<List<?>> getIssuerAlternativeNames() throws CertificateParsingException
      Returns a read-only list of the issuer alternative names from the IssuerAltName extension.

      The ASN.1 definition of IssuerAltName:

       IssuerAltName ::= GeneralNames
      
       GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
      
       GeneralName ::= CHOICE {
            otherName                       [0]     AnotherName,
            rfc822Name                      [1]     IA5String,
            dNSName                         [2]     IA5String,
            x400Address                     [3]     ORAddress,
            directoryName                   [4]     Name,
            ediPartyName                    [5]     EDIPartyName,
            uniformResourceIdentifier       [6]     IA5String,
            iPAddress                       [7]     OCTET STRING,
            registeredID                    [8]     OBJECT IDENTIFIER }
      
       
      Returns:
the issuer alternative names or null if there are none in the certificate.
      Throws:
      CertificateParsingException - if decoding of the extension fails.
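As an added example (not part of this API documentation), the following Java code matches a requested host name against the dNSName and iPAddress entries returned by getSubjectAlternativeNames(). It relies on the JDK convention that each returned List holds the GeneralName tag from the CHOICE above as an Integer in element 0 and, for these two types, the name as a String in element 1; the class name SanMatch and the sample entries are constructed.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public final class SanMatch {
    // GeneralName CHOICE tags; each JDK entry is a List of [Integer tag, name], a String for these two.
    static final int DNS_NAME = 2;
    static final int IP_ADDRESS = 7;

    /** True when a SubjectAltName entry of the right kind covers the requested host. */
    static boolean matchesHost(Collection<List<?>> sans, String host) {
        if (sans == null) return false; // extension absent: nothing to match against
        String wanted = host.toLowerCase(Locale.ROOT);
        // A literal address may only match an iPAddress entry exactly, never a dNSName pattern.
        boolean literalIp = wanted.matches("\\d{1,3}(\\.\\d{1,3}){3}") || wanted.contains(":");
        for (List<?> entry : sans) {
            // otherName, x400Address and ediPartyName carry byte[] values and are skipped here.
            if (entry.size() < 2 || !(entry.get(0) instanceof Integer) || !(entry.get(1) instanceof String)) continue;
            int tag = (Integer) entry.get(0);
            String name = ((String) entry.get(1)).toLowerCase(Locale.ROOT);
            if (tag == IP_ADDRESS && literalIp && name.equals(wanted)) return true;
            if (tag == DNS_NAME && !literalIp && dnsMatches(name, wanted)) return true;
        }
        return false;
    }

    // A wildcard is honoured only as the whole left-most label, matches exactly one label,
    // and needs at least two labels after it, so "*.com" never matches anything.
    static boolean dnsMatches(String pattern, String host) {
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1); // e.g. ".example.com"
        int firstDot = host.indexOf('.');
        return suffix.indexOf('.', 1) > 0 && firstDot > 0 && host.substring(firstDot).equals(suffix);
    }

    static boolean matchesHost(X509Certificate cert, String host) throws CertificateParsingException {
        return matchesHost(cert.getSubjectAlternativeNames(), host);
    }

    public static void main(String[] args) {
        // Constructed entries in the shape getSubjectAlternativeNames() returns.
        List<List<?>> sans = List.of(List.of(DNS_NAME, "www.example.com"),
                List.of(DNS_NAME, "*.internal.example.com"), List.of(IP_ADDRESS, "192.0.2.10"),
                List.of(1, "admin@example.com")); // rfc822Name: ignored for host matching
        for (String h : List.of("www.example.com", "db.internal.example.com",
                "a.b.internal.example.com", "192.0.2.10", "192.0.2.11"))
            System.out.println(h + " -> " + matchesHost(sans, h));
    }
}
```

Note that a null return from getSubjectAlternativeNames() is treated as "no match" rather than as a cue to fall back to the subject DN, which keeps the decision on the extension the certificate actually carries.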