java.lang.Object
  |
  +--com.rsa.certj.cert.Certificate
        |
        +--com.rsa.certj.cert.X509Certificate
This class builds and holds X.509 certificates.
Users of a public key must be confident that the associated private key is owned by the correct remote subject (person or system) with which an encryption or digital signature mechanism is to be used. This confidence is obtained by using public key certificates, which are data structures that bind public key values to subjects. The binding is asserted by having a trusted Certificate Authority (CA) digitally sign each certificate. A certificate has a limited valid lifetime, which is indicated in its signed contents. A certificate's signature and lifetime can be independently checked by a certificate-using client. This means that certificates can be distributed via untrusted communications and server systems, and can be cached in unsecured storage in certificate-using systems.

This class conforms to the X.509 standard. An X.509 certificate consists of three elements: the inner DER encoding, which contains all the certificate information; the signature algorithm, in the form of an AlgorithmIdentifier; and the signature.

Certificate ::= SEQUENCE {
    innerDER            InnerDER,
    signatureAlgorithm  AlgorithmIdentifier,
        -- the identifier for the cryptographic algorithm used by the CA
        -- to sign this certificate.
    signature           BIT STRING
        -- a digital signature computed upon the ASN.1 DER encoded innerDER.
}

InnerDER ::= SEQUENCE {
    version               [0] EXPLICIT Version DEFAULT v1,
        -- the version of the encoded certificate.
    serialNumber          CertificateSerialNumber,
        -- an integer assigned by the CA to each certificate.
    signature             AlgorithmIdentifier,
        -- the algorithm identifier for the algorithm used by the CA to
        -- sign the certificate.
    issuer                Name,
        -- the entity who has signed and issued the certificate.
    validity              Validity,
        -- the time interval during which the CA warrants that it will
        -- maintain information about the status of the certificate.
    subject               Name,
        -- the entity associated with the public key stored in the
        -- subject public key field.
    subjectPublicKeyInfo  SubjectPublicKeyInfo,
        -- carry the public key and identify the algorithm with which
        -- the key is used.
    issuerUniqueID        [1] IMPLICIT UniqueIdentifier OPTIONAL,
        -- If present, version must be v2 or v3, used to handle the
        -- possibility of reuse of issuer names over time
    subjectUniqueID       [2] IMPLICIT UniqueIdentifier OPTIONAL,
        -- If present, version must be v2 or v3, used to handle the
        -- possibility of reuse of subject names over time
    extensions            [3] EXPLICIT Extensions OPTIONAL
        -- If present, version must be v3, provide methods for associating
        -- additional attributes with users or public keys and for managing
        -- the certification hierarchy.
}

See the X500Name class for further descriptions of Name.

See the Crypto-J documentation for further descriptions of SubjectPublicKeyInfo.

When extensions are used, as expected in this profile, use X.509 version 3 (value is X509_VERSION_3). If no extensions are present, but a UniqueIdentifier is present, use version 2 (value is X509_VERSION_2). If only basic fields are present, use version 1 (the value is omitted from the certificate as the default value).

The serial number must be unique for each certificate issued by a given CA. That is, the issuer name and serial number identify a unique certificate.

The signature field in the InnerDER sequence must contain the same algorithm identifier as the signatureAlgorithm field in the sequence Certificate.

The subject name may be carried in the subject field and/or the subjectAltName extension. If the subject is a CA (the basic constraints extension is present and the value of cA is TRUE) then the subject field of this CA certificate must be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA. If subject naming information is present only in the subjectAltName extension (a key bound only to an e-mail address or URI), then the subject name must be an empty sequence and the subjectAltName extension must be critical. Where it is non-empty, the subject field must contain an X.500 distinguished name (DN).
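
The version and subject-naming rules above can be checked mechanically. The following added example (not Cert-J code and not part of the original documentation) applies them with the JDK's own java.security.cert.X509Certificate, not the Cert-J class documented here, to the certificates in the JDK default trust store. The class name ProfileLint is hypothetical, and the signature-algorithm match rule is not covered because the JDK class exposes a single signature algorithm identifier.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (hypothetical class name): lints certificates against the profile rules above. */
public class ProfileLint {
    static final String SUBJECT_ALT_NAME = "2.5.29.17";   // OID of the subjectAltName extension

    /** Returns one message per rule the certificate breaks; an empty list means no finding. */
    static List<String> lint(X509Certificate cert) {
        List<String> findings = new ArrayList<>();
        Set<String> critical = cert.getCriticalExtensionOIDs();      // null when no extensions exist
        Set<String> nonCritical = cert.getNonCriticalExtensionOIDs();
        boolean hasExtensions = (critical != null && !critical.isEmpty())
                || (nonCritical != null && !nonCritical.isEmpty());
        boolean hasUniqueId = cert.getIssuerUniqueID() != null || cert.getSubjectUniqueID() != null;

        // Version rule: v3 with extensions, v2 with only a unique identifier, v1 otherwise.
        int required = hasExtensions ? 3 : (hasUniqueId ? 2 : 1);
        if (cert.getVersion() != required) {
            findings.add("version " + cert.getVersion() + " but the fields present call for v" + required);
        }

        // Subject rules. An empty Name is the two-octet DER encoding 30 00.
        boolean emptySubject = cert.getSubjectX500Principal().getEncoded().length == 2;
        boolean isCa = cert.getBasicConstraints() != -1;             // -1: cA is not asserted
        if (isCa && emptySubject) {
            findings.add("CA certificate with an empty subject");
        }
        if (emptySubject && (critical == null || !critical.contains(SUBJECT_ALT_NAME))) {
            findings.add("empty subject without a critical subjectAltName");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                                   // null: use the default trust store
        int checked = 0, flagged = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate cert : ((X509TrustManager) tm).getAcceptedIssuers()) {
                List<String> findings = lint(cert);
                checked++;
                if (!findings.isEmpty()) {
                    flagged++;
                    System.out.println(cert.getSubjectX500Principal().getName() + ": " + findings);
                }
            }
        }
        System.out.println(checked + " certificates checked, " + flagged + " with findings");
    }
}
```
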
Copyright © RSA Security Inc., 1998-2001. All rights reserved.
See Also

Field Summary
static int | X509_VERSION_1 | Sets the certificate to be version 1, or determines that an existing certificate is version 1.
static int | X509_VERSION_2 | Sets the certificate to be version 2, or determines that an existing certificate is version 2.
static int | X509_VERSION_3 | Sets the certificate to be version 3, or determines that an existing certificate is version 3.

Fields inherited from class com.rsa.certj.cert.Certificate
DSA_WITH_SHA1_X930, DSA_WITH_SHA1_X957, RSA_WITH_SHA1_ISO_OIW, RSA_WITH_SHA1_PKCS

Constructor Summary
X509Certificate() | Constructs an empty X.509Certificate object.
X509Certificate(byte[] x509CertBER, int offset, int special) | Constructs a signed X509Certificate object and initializes it with the values given by x509CertBER, the BER encoding of an X.509 signed certificate, beginning at offset.
X509Certificate(byte[] x509CertBER, int offset, int special, CertJ certJContext)
X509Certificate(CertJ certJContext) | Constructs an empty X.509Certificate object with CertJ context.

Method Summary
boolean | checkValidityDate(Date validityCheckDate) | Checks the validity dates of this certificate against validityCheckDate.
Object | clone() | Overrides the default clone method to get a deeper clone.
boolean | compareIssuerAndSerialNumber(byte[] issuerSerial, int offset, int len) | Compares the given issuer and serial number (issuerSerial, the DER encoding of an issuer and serial number) to the issuer and serial number of this certificate.
boolean | compareSubjectName(X500Name subjectName) | Compares the given name (subjectName) with the subject name of the certificate represented by this object.
boolean | equals(Object obj) | Returns true if this object and obj contain the same X509Certificate, returns false otherwise.
int | getDEREncoding(byte[] encoding, int offset, int special) | Places the DER encoding of the cert in this object into encoding, beginning at offset.
int | getDERLen(int special) | Returns the number of bytes in the DER encoding of this certificate.
Date | getEndDate() | Gets the end (also known as the "not after") date of this certificate.
X509V3Extensions | getExtensions() | Gets the extensions in this certificate.
int | getInnerDER(byte[] encoding, int offset) | Places the DER encoding of the inner DER of the certificate in this object into encoding, beginning at offset.
int | getInnerDERLen() | Returns the size of the inner DER encoding of the certificate.
byte[] | getIssuerAndSerialNumber() | Gets the issuer name and serial number as a single entity that can uniquely identify a certificate.
X500Name | getIssuerName() | Gets the issuer name of this certificate.
byte[] | getIssuerUniqueID() | Gets the UniqueIdentifier of the issuer of this certificate.
static int | getNextBEROffset(byte[] x509CertBER, int offset) | Finds the index of the next element to encode, given x509CertBER, the BER encoding of an X.509 certificate beginning at offset.
byte[] | getSerialNumber() | Gets the serial number of this certificate, and returns the result in a new byte array.
byte[] | getSignature() | Gets the actual signature octets.
Date | getStartDate() | Gets the start (also known as "not before") date of this certificate.
X500Name | getSubjectName() | Gets the subject name of this certificate.
byte[] | getSubjectUniqueID() | Gets the UniqueIdentifier of the subject of this certificate.
int | getVersion() | Gets the version of this certificate.
void | setExtensions(X509V3Extensions extensions) | Sets the extensions of this certificate to be extensions.
void | setInnerDER(byte[] x509InnerDER, int offset) | Sets this object to be the unsigned certificate represented by x509InnerDER, the DER encoding of the inner certificate of an X.509 certificate, beginning at offset.
void | setIssuerName(X500Name issuerName) | Sets the issuer name of this certificate to be issuerName.
void | setIssuerUniqueID(byte[] issuerUniqueID, int offset, int len) | Sets the UniqueIdentifier of the issuer of this certificate to issuerUniqueID, a value of length len beginning at offset.
void | setSerialNumber(byte[] serialNumber, int offset, int len) | Sets the serial number of this certificate to be serialNumber, a value of length len, beginning at offset.
void | setSubjectName(X500Name subjectName) | Sets the subject name of this certificate to be subjectName.
void | setSubjectUniqueID(byte[] subjectUniqueID, int offset, int len) | Sets the UniqueIdentifier of the subject of this certificate to be subjectUniqueID, a value of length len beginning at offset.
void | setTimeType(boolean flag) | Sets the flag specifying which type of time encoding to use.
void | setUnsignedCertFromPKCS10Request(PKCS10CertRequest certRequest) | Creates an X.509 unsigned certificate from the information in a PKCS #10 certificate request.
void | setValidity(Date start, Date end) | Sets the validity dates of the certificate with the specified start and end dates.
void | setVersion(int version) | Sets the version of this certificate to be version.
void | signCertificate(String transformation, String device, com.rsa.jsafe.JSAFE_PrivateKey signingKey, SecureRandom random) | Signs the certificate, using transformation and signingKey on the specified device.
boolean | verifyCertificateSignature(String device, com.rsa.jsafe.JSAFE_PublicKey verifyingKey, SecureRandom random) | Verifies the signature on the certificate, using verifyingKey on the specified device.

Methods inherited from class com.rsa.certj.cert.Certificate
getCertJ, getDevice, getDeviceList, getSignatureAlgorithm, getSignatureAlgorithmDER, getSignatureFormat, getSignatureStandard, getSubjectPublicKey, getSubjectPublicKeyBER, getUniqueID, setCertJ, setSignatureStandard, setSubjectPublicKey, setSubjectPublicKey, signCertificate, verifyCertificateSignature, verifyCertificateSignature

Methods inherited from class java.lang.Object
getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

public static final int X509_VERSION_1
public static final int X509_VERSION_2
public static final int X509_VERSION_3

Constructor Detail

public X509Certificate()

Constructs an empty X.509Certificate object.

public X509Certificate(CertJ certJContext)

Constructs an empty X.509Certificate object with CertJ context.

Parameters
certJContext

public X509Certificate(byte[] x509CertBER, int offset, int special) throws CertificateException

Certificate ::= SEQUENCE { innerDER, signatureAlgorithm, signature }

0x30.

But a cert object can be part of a PKCS #7 message (or some other construct), and it may have a different tag due to IMPLICIT or EXPLICIT tags. For instance, if the definition is:

cert [2] IMPLICIT Certificate

0x30 to 0xa2.

Therefore, it is necessary to pass in the BER encoding of a certificate and to indicate the special nature of the encoding. That is the purpose of special. Set that argument to any special instructions of the BER encoding. For instance, to indicate the following:

cert [2] EXPLICIT Certificate

special = (ASN1.CONTEXT_EXPLICIT | 2);

special = 0

APP_IMPLICIT, APP_EXPLICIT, PRIVATE_IMPLICIT, PRIVATE_EXPLICIT, OPTIONAL, DEFAULT, CONTEXT_IMPLICIT, or CONTEXT_EXPLICIT.

Parameters
x509CertBER | The BER encoding of an X.509 signed certificate.
offset | The offset into x509CertBER where the encoding begins.
special | The special BER circumstances of the encoding, if there are any.

Throws
CertificateException - If the BER encoding is not a valid X.509 certificate.

public X509Certificate(byte[] x509CertBER, int offset, int special, CertJ certJContext) throws CertificateException

Method Detail

public static int getNextBEROffset(byte[] x509CertBER, int offset) throws CertificateException

x509CertBER[120] is the first byte in the encoding of the cert, x509CertBER[1938] is the last byte in the encoding of the cert, and the next element begins at index 1939.

Parameters
x509CertBER | The BER encoding of an X.509 certificate.
offset | The offset into x509CertBER where the encoding begins.

Returns
int that indicates the index to the next element in the BER encoding.

Throws
CertificateException - If the method cannot read the BER encoding.

public int getDERLen(int special)

0.

The ASN.1 definition of the certificate is:

Certificate ::= SEQUENCE { . . . }

0x30.

But a certificate object can be part of a PKCS #7 message (or some other construct), and it may have a different tag due to IMPLICIT or EXPLICIT. This can affect the length. For instance, a definition might include the following:

cert [2] EXPLICIT Certificate

cert [2] EXPLICIT Certificate

special = (ASN1.CONTEXT_EXPLICIT | 2);

special = 0

APP_IMPLICIT, APP_EXPLICIT, PRIVATE_IMPLICIT, PRIVATE_EXPLICIT, OPTIONAL, DEFAULT, CONTEXT_IMPLICIT, or CONTEXT_EXPLICIT.

Parameters
special | The special DER circumstances of the encoding, if there are any.

Returns
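
The tag and length arithmetic that getNextBEROffset and the special argument rely on, as an added example in plain JDK Java (not Cert-J code, and not from the original page). The class and method names are hypothetical, the 12-byte "certificate" is a constructed structural stand-in, and only single-octet tags with definite lengths are handled.

```java
import java.util.Arrays;

/** Added example (hypothetical names): BER header arithmetic for tagged certificates. */
public class BerTagDemo {
    static final int SEQUENCE = 0x30;                  // universal class, constructed, tag 16
    static final int CONTEXT_CONSTRUCTED = 0xa0;       // context-specific class, constructed

    enum Tagging { NONE, IMPLICIT, EXPLICIT }

    /** Returns {contentStart, nextOffset} for the element whose tag octet is at offset. */
    static int[] span(byte[] buf, int offset) {
        if (offset < 0 || offset > buf.length - 2) throw new IllegalArgumentException("truncated header");
        int pos = offset + 1;
        int first = buf[pos++] & 0xff;
        long len = first;                              // short form: this octet is the length
        if (first >= 0x80) {                           // long form: low 7 bits count the length octets
            int n = first & 0x7f;
            if (n == 0 || n > 4 || n > buf.length - pos)
                throw new IllegalArgumentException("unsupported or truncated length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos++] & 0xff);
        }
        if (len > buf.length - pos) throw new IllegalArgumentException("length runs past the buffer");
        return new int[] { pos, pos + (int) len };
    }

    /** Returns the certificate at offset as a plain SEQUENCE (first octet 0x30), undoing the tagging. */
    static byte[] toPlainSequence(byte[] buf, int offset, Tagging tagging, int tagNumber) {
        int[] outer = span(buf, offset);
        int expected = tagging == Tagging.NONE ? SEQUENCE : (CONTEXT_CONSTRUCTED | tagNumber);
        int tag = buf[offset] & 0xff;
        if (tag != expected)
            throw new IllegalArgumentException(String.format("tag 0x%02x, expected 0x%02x", tag, expected));
        if (tagging == Tagging.EXPLICIT) {
            // EXPLICIT adds a wrapper; the untouched 0x30 element must fill it exactly.
            int[] inner = span(buf, outer[0]);
            if ((buf[outer[0]] & 0xff) != SEQUENCE || inner[1] != outer[1])
                throw new IllegalArgumentException("wrapper does not hold exactly one SEQUENCE");
            return Arrays.copyOfRange(buf, outer[0], inner[1]);
        }
        byte[] der = Arrays.copyOfRange(buf, offset, outer[1]);
        der[0] = (byte) SEQUENCE;                      // IMPLICIT changed only the tag octet
        return der;
    }

    public static void main(String[] args) {
        // Constructed stand-in with the Certificate shape, not a real certificate:
        // SEQUENCE { SEQUENCE { INTEGER 1 }, SEQUENCE {}, BIT STRING }
        byte[] plain = { 0x30, 0x0a, 0x30, 0x03, 0x02, 0x01, 0x01, 0x30, 0x00, 0x03, 0x01, 0x00 };
        byte[] implicit2 = plain.clone();              // cert [2] IMPLICIT Certificate
        implicit2[0] = (byte) 0xa2;
        byte[] explicit2 = new byte[plain.length + 2]; // cert [2] EXPLICIT Certificate
        explicit2[0] = (byte) 0xa2;
        explicit2[1] = (byte) plain.length;
        System.arraycopy(plain, 0, explicit2, 2, plain.length);

        System.out.println(Arrays.equals(plain, toPlainSequence(implicit2, 0, Tagging.IMPLICIT, 2)));
        System.out.println(Arrays.equals(plain, toPlainSequence(explicit2, 0, Tagging.EXPLICIT, 2)));

        // The figures from the getNextBEROffset description: first byte at 120, last at 1938.
        byte[] stream = new byte[2000];
        stream[120] = 0x30;
        stream[121] = (byte) 0x82;                     // long form, two length octets follow
        stream[122] = 0x07;
        stream[123] = 0x17;                            // 0x0717 = 1815 content octets
        System.out.println(span(stream, 120)[1]);
    }
}
```

Both tagged forms begin with 0xa2, and reading the EXPLICIT buffer as IMPLICIT still yields a well-formed SEQUENCE with the wrong structure, which is why the caller has to state the tagging.
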
public int getDEREncoding(byte[] encoding, int offset, int special) throws CertificateException

getDERLen.

If this object is not set with a certificate or is not signed, this method throws an exception. The ASN.1 definition of an X.509 cert is:

Certificate ::= SEQUENCE { . . . }

cert [2] EXPLICIT Certificate

cert [2] EXPLICIT Certificate

special = (ASN1.CONTEXT_EXPLICIT | 2);

special = 0

APP_IMPLICIT, APP_EXPLICIT, PRIVATE_IMPLICIT, PRIVATE_EXPLICIT, OPTIONAL, DEFAULT, CONTEXT_IMPLICIT, or CONTEXT_EXPLICIT.

Parameters
encoding | The
offset | The offset into encoding where the writing begins.
special | The special DER circumstances of the encoding, if there are any.

Returns

Throws
CertificateException - If the certificate is not signed or not all required fields are set.

public void setInnerDER(byte[] x509InnerDER, int offset) throws CertificateException

Parameters
x509InnerDER | The DER encoding of the inner certificate of an X.509 unsigned certificate.
offset | The offset into x509InnerDER where the encoding begins.

Throws
CertificateException - If the DER encoding is not a valid X.509 certificate.

public int getInnerDERLen()

0.

Returns

public int getInnerDER(byte[] encoding, int offset) throws CertificateException

getInnerDERLen.

If this object is not set with a certificate, this method throws an exception.

Parameters
encoding | The
offset | The offset into encoding where writing begins.

Returns

Throws
CertificateException - If the object is not set with a valid signed X.509 certificate.

public void setUnsignedCertFromPKCS10Request(PKCS10CertRequest certRequest) throws CertificateException

Parameters
certRequest | A

Throws
CertificateException - If the certificate request object does not contain all the necessary information.

public byte[] getSignature() throws CertificateException

Overrides
getSignature in class Certificate

Returns
byte array that contains the signature octets.

Throws
CertificateException - If the certificate has not been signed.

public void setVersion(int version) throws CertificateException

X509Certificate.X509_VERSION_1, X509Certificate.X509_VERSION_2, or X509Certificate.X509_VERSION_3.

If the certificate object possesses a signature, calling this method deletes the signature.

Parameters
version | The new version number for this certificate.

Throws
CertificateException - If the input value is an unsupported version number.

public int getVersion()

X509Certificate.X509_VERSION_1, X509Certificate.X509_VERSION_2, or X509Certificate.X509_VERSION_3. If the certificate has not yet been set, this method returns the default version number (v1).

Returns
int that is the version number.

public void setSubjectName(X500Name subjectName) throws CertificateException

Parameters
subjectName | An

Throws
CertificateException - If the subjectName is invalid.

public X500Name getSubjectName()

null.

Returns
X500Name object that contains the name.

public void setIssuerName(X500Name issuerName) throws CertificateException

Parameters
issuerName | An

Throws
CertificateException - If the issuerName is invalid.

public X500Name getIssuerName()

null.

Returns
X500Name object that contains the name.

public void setSerialNumber(byte[] serialNumber, int offset, int len)

Parameters
serialNumber | A
offset | The offset into serialNumber where the value begins.
len | The length in bytes of the serial number portion of serialNumber.

public byte[] getSerialNumber()

Gets the serial number of this certificate, and returns the result in a new byte array. If there is no serial number in this certificate, the length of the byte array is 0.

Returns
byte array that contains the serial number.

public byte[] getIssuerAndSerialNumber() throws CertificateException

byte array that is the DER encoding of the following ASN.1 definition.

IssuerAndSerialNumber ::= SEQUENCE {
    issuer        Name,
    serialNumber  CertificateSerialNumber
}
-- see the X500Name class for an ASN.1 definition of Name.

CertificateSerialNumber ::= INTEGER

Returns
byte array that contains the DER encoding of the issuer name and serial number.

Throws
CertificateException - If the certificate is not set with an issuer name or serial number.

public boolean compareIssuerAndSerialNumber(byte[] issuerSerial, int offset, int len)

Parameters
issuerSerial | A
offset | The offset into issuerSerial where the encoding begins.
len | The length of the encoding in issuerSerial.

Returns
boolean indicating whether the given issuer name and serial number match the issuer name and serial number of the certificate represented by this object. Returns true if it matches, false otherwise.

public boolean compareSubjectName(X500Name subjectName)

Parameters
subjectName | An

Returns
boolean indicating whether the given name matches the subject name of the certificate represented by this object. Returns true if it matches, false otherwise.

public void setTimeType(boolean flag)

Parameters
flag | A

public void setValidity(Date start, Date end) throws CertificateException

Parameters
start | A
end | A

Throws
CertificateException - If either of the two dates is null or if the end date is earlier than the start date.

public Date getStartDate()

null.

Returns
Date object specifying when the certificate is activated.

public Date getEndDate()

null.

Returns
Date object specifying the expiration date of the certificate.

public boolean checkValidityDate(Date validityCheckDate)

cert.checkValidityDate(new Date());

Parameters
validityCheckDate | The date against which to check.

Returns
boolean indicating whether the given Date falls within the validity start and end dates of this certificate. Returns true if it does, false otherwise.

public void setIssuerUniqueID(byte[] issuerUniqueID, int offset, int len) throws CertificateException

Sets the UniqueIdentifier of the issuer of this certificate to issuerUniqueID, a value of length len beginning at offset. This must be a version 2 or a version 3 certificate. If the certificate object possesses a signature, calling this method deletes the signature.

Parameters
issuerUniqueID | A
offset | The offset into issuerUniqueID where the value begins.
len | The number of bytes of issuerUniqueID that make up the serial number.

Throws
CertificateException - If the certificate is not version 2 or version 3.

public byte[] getIssuerUniqueID()

Gets the UniqueIdentifier of the issuer of this certificate. Returns the result in a new byte array. If this certificate does not have an issuer unique ID, this method returns null.

Returns
byte array that contains the issuer's unique ID.

public void setSubjectUniqueID(byte[] subjectUniqueID, int offset, int len) throws CertificateException

Sets the UniqueIdentifier of the subject of this certificate to be subjectUniqueID, a value of length len beginning at offset. This must be a version 2 or a version 3 certificate. If the certificate object possesses a signature, calling this method deletes the signature.

Parameters
subjectUniqueID | A
offset | The offset into subjectUniqueID where the value begins.
len | The number of bytes of subjectUniqueID that make up the unique ID.

Throws
CertificateException - If the certificate is not version 2 or version 3.

public byte[] getSubjectUniqueID()

Gets the UniqueIdentifier of the subject of this certificate. Returns the result in a new byte array. If this certificate does not have a subject unique ID, returns null.

Returns
byte array that contains the unique ID of the subject.

public void setExtensions(X509V3Extensions extensions) throws CertificateException

X509_VERSION_3, then this method sets it to X509_VERSION_3. If the certificate object possesses a signature, calling this method deletes the signature.

Parameters
extensions | An

Throws
CertificateException - If the extensions are of the wrong type, or if cloning of the extensions fails.

public X509V3Extensions getExtensions()

0.

Returns
X509V3Extensions object that contains the extensions.

public void signCertificate(String transformation, String device, com.rsa.jsafe.JSAFE_PrivateKey signingKey, SecureRandom random) throws CertificateException

JSAFE_Signature. The following are examples of transformation arguments:

"MD5/RSA/PKCS1Block01Pad"
"SHA1/DSA"

Java -- Perform signature using Java code
Native -- Perform signature using the native link
Native/Java -- Use native if possible, if not, use Java

Overrides
signCertificate in class Certificate

Parameters
transformation | A
device | A
signingKey | A
random | Random bytes. If the signature algorithm needs random bytes, get them from this object.

Throws
CertificateException - If the code cannot perform the specified transformation on the specified device, if the certificate is not set properly, or if the certificate is already signed.

public boolean verifyCertificateSignature(String device, com.rsa.jsafe.JSAFE_PublicKey verifyingKey, SecureRandom random) throws CertificateException

Java -- Perform verification using Java code
Native -- Perform verification using the native link
Native/Java -- Use native if possible, if not, use Java

Overrides
verifyCertificateSignature in class Certificate

Parameters
device | A
verifyingKey | A
random | Random bytes. If the signature algorithm needs random bytes, get them from this object.

Returns
boolean indicating whether the signature on the certificate is valid or not.

Throws
CertificateException - If the code cannot perform the signature algorithm on the specified device.

public boolean equals(Object obj)

Returns true if this object and obj contain the same X509Certificate, returns false otherwise.

Overrides
equals in class Object

Parameters
obj | The instance of the X509Certificate object.

Returns
boolean that indicates whether these objects are equal.

public Object clone() throws CloneNotSupportedException

Overrides the default clone method to get a deeper clone.

Returns
X509Certificate object, a copy of this object.

Throws
CloneNotSupportedException - If the cloning operation is not successful.