com.rsa.certj.cert

Class X509Certificate

java.lang.Object
  |
  +--com.rsa.certj.cert.Certificate
        |
        +--com.rsa.certj.cert.X509Certificate

All Implemented Interfaces:

Cloneable, Serializable

public class X509Certificate

extends Certificate

implements Cloneable, Serializable

This class builds and holds X.509 certificates.

Users of a public key must be confident that the associated private key is owned by the correct remote subject (person or system) with which an encryption or digital signature mechanism is to be used. This confidence is obtained by using public key certificates, which are data structures that bind public key values to subjects. The binding is asserted by having a trusted Certificate Authority (CA) digitally sign each certificate. A certificate has a limited valid lifetime which is indicated in its signed contents. A certificate's signature and lifetime can be independently checked by a certificate-using client. This means that certificates can be distributed via untrusted communications and server systems, and can be cached in unsecured storage in certificate-using systems. This class conforms to the X.509 standard.

An X.509 certificate consists of three elements; the inner DER encoding, which contains all the certificate information; the signature algorithm in the form of an AlgorithmIdentifier; and the signature.

 Certificate ::= SEQUENCE {
   innerDER              InnerDER,
   signatureAlgorithm    AlgorithmIdentifier, -- the identifier for the
                              cryptographic algorithm used by the CA to sign
                              this certificate.
   signature             BIT STRING  -- a digital signature computed upon
                                        the ASN.1 DER encoded innerDER.
  }

 InnerDER ::= SEQUENCE {
   version         [0]  EXPLICIT Version DEFAULT v1, -- the version of the 
                                                        encoded certificate.
   serialNumber         CertificateSerialNumber, -- an integer assigned by
                                                  the CA to each certificate.
   signature            AlgorithmIdentifier, -- the algorithm identifier for
                                                the algorithm used by the CA 
                                                to sign the certificate.
   issuer               Name, -- the entity who has signed and issued the
                                 certificate.
   validity             Validity, -- the time interval during which the CA 
                                  warrants that it will maintain information
                                  about the status of the certificate.
   subject              Name, -- the entity associated with the public key 
                                 stored in the subject public key field.
   subjectPublicKeyInfo SubjectPublicKeyInfo, -- carry the public key and 
                           identify the algorithm with which the key is used.
   issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                        -- If present, version must be v2 or v3,
                           used to handle the possibility of reuse of 
                           issuer names over time
   subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                        -- If present, version must be v2 or v3,
                           used to handle the possibility of reuse of 
                           subject names over time
   extensions      [3]  EXPLICIT Extensions OPTIONAL
                        -- If present, version must be v3,
                           provide methods for associating additional 
                           attributes with users or public keys and for
                           managing the certification hierarchy. 
  }

See the X500Name class for further descriptions of Name.

See the Crypto-J documentation for further descriptions of SubjectPublicKeyInfo.

When extensions are used, as expected in this profile, use X.509 version 3 (value is X509_VERSION_3). If no extensions are present, but a UniqueIdentifier is present, use version 2 (value is X509_VERSION_2). If only basic fields are present, use version 1 (the value is omitted from the certificate as the default value).

The serial number must be unique for each certificate issued by a given CA. That is, the issuer name and serial number identify a unique certificate.

The signature field in the InnerDER sequence must contain the same algorithm identifier as the signatureAlgorithm field in the sequence Certificate.

The subject name may be carried in the subject field and/or the subjectAltName extension. If the subject is a CA (the basic constraints extension is present and the value of cA is TRUE) then the subject field of this CA certificate must be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA. If subject naming information is present only in the subjectAltName extension (a key bound only to an e-mail address or URI), then the subject name must be an empty sequence and the subjectAltName extension must be critical. Where it is non-empty, the subject field must contain an X.500 distinguished name (DN).

Copyright © RSA Security Inc., 1998-2001. All rights reserved.

See Also

Serialized Form

Field Summary

static int	X509_VERSION_1 Sets the certificate to be version 1, or determines that an existing certificate is version 1.
static int	X509_VERSION_2 Sets the certificate to be version 2, or determines that an existing certificate is version 2.
static int	X509_VERSION_3 Sets the certificate to be version 3, or determines that an existing certificate is version 3.

Fields inherited from class com.rsa.certj.cert.Certificate

DSA_WITH_SHA1_X930, DSA_WITH_SHA1_X957, RSA_WITH_SHA1_ISO_OIW, RSA_WITH_SHA1_PKCS

Constructor Summary

X509Certificate()

Constructs an empty X.509Certificate object.

X509Certificate(byte[] x509CertBER, int offset, int special)

Constructs a signed X509Certificate object and initializes it with the values given by x509CertBER, the BER encoding of an X.509 signed certificate, beginning at offset.

X509Certificate(byte[] x509CertBER, int offset, int special, CertJ certJContext)

X509Certificate(CertJ certJContext)

Constructs an empty X.509Certificate object with CertJ context.

Method Summary

boolean	checkValidityDate(Date validityCheckDate) Checks the validity dates of this certificate against validityCheckDate.
Object	clone() Overrides the default clone method to get a deeper clone.
boolean	compareIssuerAndSerialNumber(byte[] issuerSerial, int offset, int len) Compares the given issuer and serial number (issuerSerial, the DER encoding of an issuer and serial number) to the issuer and serial number of this certificate.
boolean	compareSubjectName(X500Name subjectName) Compares the given name (subjectName) with the subject name of the certificate represented by this object.
boolean	equals(Object obj) Returns true if this object and obj contain the same X509Certificate, returns false otherwise.
int	getDEREncoding(byte[] encoding, int offset, int special) Places the DER encoding of the cert in this object into encoding, beginning at offset.
int	getDERLen(int special) Returns the number of bytes in the DER encoding of this certificate.
Date	getEndDate() Gets the end (also known as the "not after") date of this certificate.
X509V3Extensions	getExtensions() Gets the extensions in this certificate.
int	getInnerDER(byte[] encoding, int offset) Places the DER encoding of the inner DER of the certificate in this object into encoding, beginning at offset.
int	getInnerDERLen() Returns the size of the inner DER encoding of the certificate.
byte[]	getIssuerAndSerialNumber() Gets the issuer name and serial number as a single entity that can uniquely identify a certificate.
X500Name	getIssuerName() Gets the issuer name of this certificate.
byte[]	getIssuerUniqueID() Gets the UniqueIdentifier of the issuer of this certificate.
static int	getNextBEROffset(byte[] x509CertBER, int offset) Finds the index of the next element to encode, given x509CertBER, the BER encoding of an X.509 certificate beginning at offset.
byte[]	getSerialNumber() Gets the serial number of this certificate, and returns the result in a new byte array.
byte[]	getSignature() Gets the actual signature octets.
Date	getStartDate() Gets the start (also known as "not before") date of this certificate.
X500Name	getSubjectName() Gets the subject name of this certificate.
byte[]	getSubjectUniqueID() Gets the UniqueIdentifier of the subject of this certificate.
int	getVersion() Gets the version of this certificate.
void	setExtensions(X509V3Extensions extensions) Sets the extensions of this certificate to be extensions.
void	setInnerDER(byte[] x509InnerDER, int offset) Sets this object to be the unsigned certificate represented by x509InnerDER, the DER encoding of the inner certificate of an X.509 certificate, beginning at offset.
void	setIssuerName(X500Name issuerName) Sets the issuer name of this certificate to be issuerName.
void	setIssuerUniqueID(byte[] issuerUniqueID, int offset, int len) Sets the UniqueIentifier of the issuer of this certificate to issuerUniqueID, a value of length len beginning at offset.
void	setSerialNumber(byte[] serialNumber, int offset, int len) Sets the serial number of this certificate to be serialNumber, a value of length len, beginning at offset.
void	setSubjectName(X500Name subjectName) Sets the subject name of this certificate to be subjectName.
void	setSubjectUniqueID(byte[] subjectUniqueID, int offset, int len) Sets the UniqueIdentifier of the subject of this certificate to be subjectUniqueID, a value of length len beginning at offset.
void	setTimeType(boolean flag) Sets the flag specifying which type of time encoding to use.
void	setUnsignedCertFromPKCS10Request(PKCS10CertRequest certRequest) Creates an X.509 unsigned certificate from the information in a PKCS #10 certificate request.
void	setValidity(Date start, Date end) Sets the validity dates of the certificate with the specified start and end dates.
void	setVersion(int version) Sets the version of this certificate to be version.
void	signCertificate(String transformation, String device, com.rsa.jsafe.JSAFE_PrivateKey signingKey, SecureRandom random) Signs the certificate, using transformation and signingKey on the specified device.
boolean	verifyCertificateSignature(String device, com.rsa.jsafe.JSAFE_PublicKey verifyingKey, SecureRandom random) Verifies the signature on the certificate, using verifyingKey on the specified device.

Methods inherited from class com.rsa.certj.cert.Certificate

getCertJ, getDevice, getDeviceList, getSignatureAlgorithm, getSignatureAlgorithmDER, getSignatureFormat, getSignatureStandard, getSubjectPublicKey, getSubjectPublicKeyBER, getUniqueID, setCertJ, setSignatureStandard, setSubjectPublicKey, setSubjectPublicKey, signCertificate, verifyCertificateSignature, verifyCertificateSignature

Methods inherited from class java.lang.Object

getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

X509_VERSION_1

public static final int X509_VERSION_1

Sets the certificate to be version 1, or determines that an existing certificate is version 1.

X509_VERSION_2

public static final int X509_VERSION_2

Sets the certificate to be version 2, or determines that an existing certificate is version 2.

X509_VERSION_3

public static final int X509_VERSION_3

Sets the certificate to be version 3, or determines that an existing certificate is version 3.

Constructor Detail

X509Certificate

public X509Certificate()

Constructs an empty X.509Certificate object.

X509Certificate

public X509Certificate(CertJ certJContext)

Constructs an empty X.509Certificate object with CertJ context.

Parameters

certJContext

CertJ is a CertJ context.

X509Certificate

public X509Certificate(byte[] x509CertBER,
                       int offset,
                       int special)
                throws CertificateException

Constructs a signed X509Certificate object and initializes it with the values given by x509CertBER, the BER encoding of an X.509 signed certificate, beginning at offset.

This constructor only reads the certificate; it does not perform any verification.

The ASN.1 definition of an X.509 certificatge is:

 Certificate ::= SEQUENCE  { innerDER,
                             signatureAlgorithm,    
                             signature }

That definition means the tag will be 0x30. But a cert object can be part of a PKCS #7 message (or some other construct), and it may have a different tag due to IMPLICIT or EXPLICIT tags. For instance, if the definition is:

     cert   [2] IMPLICIT Certificate

the tag will change from 0x30 to 0xa2. Therefore, it is necessary to pass in the BER encoding of a certificate and to indicate the special nature of the encoding. That is the purpose of special. Set that argument to any special instructions of the BER encoding. For instance, to indicate the following:

      cert   [2] EXPLICIT Certificate

Pass in the following:

      special = (ASN1.CONTEXT_EXPLICIT | 2);

If there are no special circumstances, pass in the following:

     special = 0

The following ASN.1 constants are possible values for special: APP_IMPLICIT, APP_EXPLICIT, PRIVATE_IMPLICIT, PRIVATE_EXPLICIT, OPTIONAL, DEFAULT, CONTEXT_IMPLICIT, or CONTEXT_EXPLICIT.

Parameters

	x509CertBER		The BER encoding of an X.509 signed certificate.
	offset		The offset into x509CertBER where the encoding begins.
	special		The special BER circumstances of the encoding, if there are any.

Throws

CertificateException - If the BER encoding is not a valid X.509 certificate.

X509Certificate

public X509Certificate(byte[] x509CertBER,
                       int offset,
                       int special,
                       CertJ certJContext)
                throws CertificateException

Method Detail

getNextBEROffset

public static int getNextBEROffset(byte[] x509CertBER,
                                   int offset)
                            throws CertificateException

Finds the index of the next element to encode, given x509CertBER, the BER encoding of an X.509 certificate beginning at offset. In other words, gets the next offset after the certificate.

For example, if the offset is 120 and the certificate's BER encoding is 1819 bytes, this method returns 1939, the index immediately following the cert. That is, x509CertBER[120] is the first byte in the encoding of the cert, x509CertBER[1938] is the last byte in the encoding of the cert, and the next element begins at index 1939.

Parameters

	x509CertBER		The BER encoding of an X.509 certificate.
	offset		The offset into x509CertBER where the encoding begins.

Returns

An int that indicates the index to the next element in the BER encoding.

Throws

CertificateException - If the method cannot read the BER encoding.

getDERLen

public int getDERLen(int special)

Returns the number of bytes in the DER encoding of this certificate. If this object is not set with values, this method returns 0.

The ASN.1 definition of the certificate is:

      Certificate ::= SEQUENCE { . . . }

That definition means the tag will be 0x30. But a certificate object can be part of a PKCS #7 message (or some other construct), and it may have a different tag due to IMPLICIT or EXPLICIT. This can affect the length. For instance, a definition might include the following:

      cert   [2] EXPLICIT Certificate

Therefore, there must be a way to indicate that the DER encoding of the cert should follow the special nature of this particular encoding. That is the purpose of special. Set that argument to any special instructions of the DER encoding. For instance, to indicate the following:

      cert   [2] EXPLICIT Certificate

Pass in the following:

      special = (ASN1.CONTEXT_EXPLICIT | 2);

If there are no special circumstances, pass in:

      special = 0

The following ASN.1 constants are possible values for special: APP_IMPLICIT, APP_EXPLICIT, PRIVATE_IMPLICIT, PRIVATE_EXPLICIT, OPTIONAL, DEFAULT, CONTEXT_IMPLICIT, or CONTEXT_EXPLICIT.

Parameters

special

The special DER circumstances of the encoding, if there are any.

Returns

The size in bytes of the DER encoding of this certificate.

getDEREncoding

public int getDEREncoding(byte[] encoding,
                          int offset,
                          int special)
                   throws CertificateException

Places the DER encoding of the cert in this object into encoding, beginning at offset. To determine how long the encoding will be, call getDERLen. If this object is not set with a certificate or is not signed, this method throws an exception.

The ASN.1 definition of an X.509 cert is:

      Certificate ::= SEQUENCE  { . . . }

That definition means the tag will be 0x30, But a certificate can be part of a PKCS 7 message (or some other construct), and it may have a different tag due to IMPLICIT or EXPLICIT. For example, the definition could include:

     cert   [2] EXPLICIT Certificate

Therefore, there must be a way to indicate that the DER encoding should follow the special nature of this particular encoding. That is the purpose of special. Set that argument to any special instructions of the DER encoding. For instance, to indicate the following:

     cert   [2] EXPLICIT Certificate

Pass in the following:

     special = (ASN1.CONTEXT_EXPLICIT | 2);

If there are no special circumstances, pass in the following:

     special = 0

The following ASN.1 constants are possible values for special: APP_IMPLICIT, APP_EXPLICIT, PRIVATE_IMPLICIT, PRIVATE_EXPLICIT, OPTIONAL, DEFAULT, CONTEXT_IMPLICIT, or CONTEXT_EXPLICIT.

Parameters

	encoding		The byte array into which the result will be placed
	offset		The offset into encoding where the writing begins.
	special		The special DER circumstances of the encoding, if there are any.

Returns

The number of bytes actually placed into encoding.

Throws

CertificateException - If the certificate is not signed or not all required fields are set.

setInnerDER

public void setInnerDER(byte[] x509InnerDER,
                        int offset)
                 throws CertificateException

Sets this object to be the unsigned certificate represented by x509InnerDER, the DER encoding of the inner certificate of an X.509 certificate, beginning at offset.

If the object is set with certificate information, this method deletes any internal copy of that data and replaces it with the new certificate.

Parameters

	x509InnerDER		The DER encoding of the inner certificate of an X.509 unsigned certificate.
	offset		The offset into x509InnerDER where the encoding begins.

Throws

CertificateException - If the DER encoding is not a valid X.509 certificate.

getInnerDERLen

public int getInnerDERLen()

Returns the size of the inner DER encoding of the certificate. If this object is not set with values, this method returns 0.

Returns

The size in bytes of the inner DER encoding of the certificate information.

getInnerDER

public int getInnerDER(byte[] encoding,
                       int offset)
                throws CertificateException

Places the DER encoding of the inner DER of the certificate in this object into encoding, beginning at offset. To determine how long the encoding will be, call getInnerDERLen. If this object is not set with a certificate, this method throws an exception.

Parameters

	encoding		The byte array into which the result will be placed.
	offset		The offset into encoding where writing begins.

Returns

The number of bytes actually placed into encoding.

Throws

CertificateException - if the object is not set with a valid signed X.509 certificate.

setUnsignedCertFromPKCS10Request

public void setUnsignedCertFromPKCS10Request(PKCS10CertRequest certRequest)
                                      throws CertificateException

Creates an X.509 unsigned certificate from the information in a PKCS #10 certificate request. It checks all the request attributes for v3 extensions and converts them.

If this object is already set with certificate information, this method deletes any internal copy of that data and replaces it with the new certificate.

Parameters

certRequest

A PKCS10CertRequest object.

Throws

CertificateException - If the certificate request object does not contain all the necessary information.

getSignature

public byte[] getSignature()
                    throws CertificateException

Gets the actual signature octets. An X.509 certificate wraps the signature in a BIT STRING. This method unwraps it.

Overrides

getSignature in class Certificate

Returns

A new byte array that contains the signature octets.

Throws

CertificateException - If the certificate has not been signed.

setVersion

public void setVersion(int version)
                throws CertificateException

Sets the version of this certificate to be version. The input should be X509Certificate.X509_VERSION_1, X509Certificate.X509_VERSION_2, or X509Certificate.X509_VERSION_3.

If the certificate object possesses a signature, calling this method deletes the signature.

Parameters

version

The new version number for this certificate.

Throws

CertificateException - If the input value is an unsupported version number.

getVersion

public int getVersion()

Gets the version of this certificate. The result will be X509Certificate.X509_VERSION_1, X509Certificate.X509_VERSION_2, or X509Certificate.X509_VERSION_3. If the certificate has not yet been set, this method returns the default version number (v1).

Returns

An int that is the version number.

setSubjectName

public void setSubjectName(X500Name subjectName)
                    throws CertificateException

Sets the subject name of this certificate to be subjectName.

If the certificate object possesses a signature, calling this method deletes the signature.

Parameters

subjectName

An X500Name object that contains the name.

Throws

CertificateException - If the subjectName is invalid.

getSubjectName

public X500Name getSubjectName()

Gets the subject name of this certificate. If there is no subject name in this certificate, this method returns null.

Returns

A new X500Name object that contains the name.

setIssuerName

public void setIssuerName(X500Name issuerName)
                   throws CertificateException

Sets the issuer name of this certificate to be issuerName. If the certificate object possesses a signature, calling this method deletes the signature.

Parameters

issuerName

An X500Name object that contains the name.

Throws

CertificateException - If the issuerName is invalid.

getIssuerName

public X500Name getIssuerName()

Gets the issuer name of this certificate. If there is no issuer name in this certificate object, returns null.

Returns

A new X500Name object that contains the name.

setSerialNumber

public void setSerialNumber(byte[] serialNumber,
                            int offset,
                            int len)

Sets the serial number of this certificate to be serialNumber, a value of length len, beginning at offset. If the certificate object possesses a signature, calling this method deletes the signature.

Parameters

	serialNumber		A byte array that contains the serial number.
	offset		The offset into serialNumber where the value begins.
	len		The length in bytes of the serial number portion of serialNumber.

getSerialNumber

public byte[] getSerialNumber()

Gets the serial number of this certificate, and returns the result in a new byte array. If there is no serial number in this certificate, the length of the byte array is 0.

Returns

A new byte array that contains the serial number.

getIssuerAndSerialNumber

public byte[] getIssuerAndSerialNumber()
                                throws CertificateException

Gets the issuer name and serial number as a single entity that can uniquely identify a certificate. Returns the result in a new byte array that is the DER encoding of the following ASN.1 definition.

 IssuerAndSerialNumber ::= SEQUENCE {
   issuer        Name,
   serialNumber  CertificateSerialNumber }

 --see the X500Name class for a ASN.1 definition of Name.
 CertificateSerialNumber ::= INTEGER

Returns

A new byte array that contains the DER encoding of the issuer name and serial number.

Throws

CertificateException - If the certificate is not set with an issuer name or serial number.

compareIssuerAndSerialNumber

public boolean compareIssuerAndSerialNumber(byte[] issuerSerial,
                                            int offset,
                                            int len)

Compares the given issuer and serial number (issuerSerial, the DER encoding of an issuer and serial number) to the issuer and serial number of this certificate. This method is useful for finding a certificate in a collection.

Parameters

	issuerSerial		A byte array that contains the DER encoding of issuer name and serial number.
	offset		The offset into issuerSerial where the encoding begins.
	len		The length of the encoding in issuerSerial.

Returns

A boolean indicating whether the given issuer name and serial number matches the issuer name and serial number of the certificate represented by this object. Returns true if it matchs, false otherwise.

compareSubjectName

public boolean compareSubjectName(X500Name subjectName)

Compares the given name (subjectName) with the subject name of the certificate represented by this object. This method is useful for finding a certificate among a collection.

Parameters

subjectName

An X500Name object that contains the name to compare.

Returns

A boolean indicating whether the given name matches the subject name of the certificate represented by this object. Returns true if it matchess, false otherwise.

setTimeType

public void setTimeType(boolean flag)

Sets the flag specifying which type of time encoding to use.

Parameters

flag

A true value sets the encoding type to GeneralTime. A false value sets the encoding type to UTC.

setValidity

public void setValidity(Date start,
                        Date end)
                 throws CertificateException

Sets the validity dates of the certificate with the specified start and end dates. If the certificate object possesses a signature, calling this method deletes the signature.

Note: The start date is also known as the "not before" date. The end date is also known as the "not after" date.

Parameters

	start		A Date object specifying when the certificate is activated.
	end		A Date object specifying when the certificate expires.

Throws

CertificateException - If either of the two dates is null or if the end date is earlier than the start date.

getStartDate

public Date getStartDate()

Gets the start (also known as "not before") date of this certificate. If this certificate does not have a start date, returns null.

Returns

a Date object specifying when the certificate is activated.

getEndDate

public Date getEndDate()

Gets the end (also known as the "not after") date of this certificate. If this certificate does not have an end date, this method returns null.

Returns

A Date object specifying the expiration date of the certificate.

checkValidityDate

public boolean checkValidityDate(Date validityCheckDate)

Checks the validity dates of this certificate against validityCheckDate. That is, checks to see if validityCheckDate falls within the range of the start and end dates of this certificate.

For example, to check against the current date, call:

   cert.checkValidityDate (new Date ());
 

Parameters

validityCheckDate

The date against which to check.

Returns

A boolean indicating whether the given Date falls within the validity start and end dates of this certificate. Returns true if it does, false otherwise.

setIssuerUniqueID

public void setIssuerUniqueID(byte[] issuerUniqueID,
                              int offset,
                              int len)
                       throws CertificateException

Sets the UniqueIentifier of the issuer of this certificate to issuerUniqueID, a value of length len beginning at offset. This must be a version 2 or a version 3 certificate. If the certificate object possesses a signature, calling this method deletes the signature.

Parameters

	issuerUniqueID		A byte array that contains the ID.
	offset		The offset into issuerUniqueID where the value begins.
	len		The number of bytes of issuerUniqueID that make up the serial number.

Throws

CertificateException - If the certificate is not version 2 or version 3.

getIssuerUniqueID

public byte[] getIssuerUniqueID()

Gets the UniqueIdentifier of the issuer of this certificate. Returns the result in a new byte array. If this certificate does not have an issuer unique ID, this method returns null.

Returns

A new byte array that contains the issuer's unique ID.

setSubjectUniqueID

public void setSubjectUniqueID(byte[] subjectUniqueID,
                               int offset,
                               int len)
                        throws CertificateException

Sets the UniqueIdentifier of the subject of this certificate to be subjectUniqueID, a value of length len beginning at offset. This must be a version 2 or a version 3 certificate. If the certificate object possesses a signature, calling this method will deletes the signature.

Parameters

	subjectUniqueID		A byte array that contains the unique ID.
	offset		The offset into subjectUniqueID where the value begins.
	len		The number of bytes of subjectUniqueID that make up the unique ID.

Throws

CertificateException - If the certificate is not version 2 or version 3.

getSubjectUniqueID

public byte[] getSubjectUniqueID()

Gets the UniqueIdentifier of the subject of this certificate. Returns the result in a new byte array. If this certificate does not have a subject unique ID, returns null.

Returns

A new byte array that contains the unique ID of the subject.

setExtensions

public void setExtensions(X509V3Extensions extensions)
                   throws CertificateException

Sets the extensions of this certificate to be extensions. If the version associated with this object is not X509_VERSION_3, then this method sets it to X509_VERSION_3. If the certificate object possesses a signature, calling this method deletes the signature.

Parameters

extensions

An X509V3Extensions object that contains the extensions.

Throws

CertificateException - If the extensions are of the wrong type, or if cloning of the extensions fails.

getExtensions

public X509V3Extensions getExtensions()

Gets the extensions in this certificate. If there are no extensions, the count of the returned object will be 0.

Returns

An X509V3Extensions object that contains the extensions.

signCertificate

public void signCertificate(String transformation,
                            String device,
                            com.rsa.jsafe.JSAFE_PrivateKey signingKey,
                            SecureRandom random)
                     throws CertificateException

Signs the certificate, using transformation and signingKey on the specified device. The format of transformation follows the format specified in the Crypto-J class JSAFE_Signature. The following are examples of transformation arguments:

   "MD5/RSA/PKCS1Block01Pad"
   "SHA1/DSA"

The format of device follows the format specified in Crypto-J. The following are examples of device arguments:

   Java          --Perform signature using Java code
   Native        --Perform signature using the native link
   Native/Java   --Use native if possible, if not, use Java

Overrides

signCertificate in class Certificate

Parameters

	transformation		A String specifying the algorithm to use to sign the certificate.
	device		A String specifying the device or choice of devices to use in computing the signature.
	signingKey		A JSAFE_PrivateKey used to compute the signature.
	random		Random bytes. If the signature algorithm needs random bytes, get them from this object.

Throws

CertificateException - If the code cannot perform the specified transformation on the specified device, if the certificate is not set properly, or if the certificate is already signed.

verifyCertificateSignature

public boolean verifyCertificateSignature(String device,
                                          com.rsa.jsafe.JSAFE_PublicKey verifyingKey,
                                          SecureRandom random)
                                   throws CertificateException

Verifies the signature on the certificate, using verifyingKey on the specified device.

The format of device follows the format specified in Crypto-J. The following are example device arguments:

   Java          -- Perform verification using Java code
   Native        -- Perform verification using the native link
   Native/Java   -- Use native if possible, if not, use Java

Overrides

verifyCertificateSignature in class Certificate

Parameters

	device		A String specifying the device or choice of devices to use in computing the signature.
	verifyingKey		A JSAFE_PublicKey used to verify the signature.
	random		Random bytes. If the signature algorithm needs random bytes, get them from this object.

Returns

A boolean indicating whether the signature on the certificate is valid or not.

Throws

CertificateException - If the code cannot perform the signature algorithm on the specified device.

equals

public boolean equals(Object obj)

Returns true if this object and obj contain the same X509Certificate, returns false otherwise.

Overrides

equals in class Object

Parameters

obj

The instance of the X509Certificate object.

Returns

A boolean that indicates whether these objects are equal.

clone

public Object clone()
             throws CloneNotSupportedException

Overrides the default clone method to get a deeper clone.

Returns

A new X509Certificate object, a copy of this object.

Throws

CloneNotSupportedException - If the cloning operation is not successful.