public abstract class X509Certificate
extends Certificate
implements X509Extension

java.lang.Object
   ↳ java.security.cert.Certificate
     ↳ java.security.cert.X509Certificate

Class Overview

Abstract base class for X.509 certificates.

This represents a standard way for accessing the attributes of X.509 certificates.

The basic X.509 v3 format described in ASN.1:

 Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }
     
 TBSCertificate  ::=  SEQUENCE  {
      version         [0]  EXPLICIT Version DEFAULT v1,
      serialNumber         CertificateSerialNumber,
      signature            AlgorithmIdentifier,
      issuer               Name,
      validity             Validity,
      subject              Name,
      subjectPublicKeyInfo SubjectPublicKeyInfo,
      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                           -- If present, version must be v2 or v3
      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                           -- If present, version must be v2 or v3
      extensions      [3]  EXPLICIT Extensions OPTIONAL
                           -- If present, version must be v3
      }
 

For more information, consult RFC 2459, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", at http://www.ietf.org/rfc/rfc2459.txt.

Summary

Protected Constructors
X509Certificate()
Creates a new X509Certificate.
Public Methods
abstract void checkValidity()
Checks whether the certificate is currently valid.
abstract void checkValidity(Date date)
Checks whether the certificate is valid at the specified date.
abstract int getBasicConstraints()
Returns the path length of the certificate constraints from the BasicConstraints extension.
List<String> getExtendedKeyUsage()
Returns a read-only list of OID strings representing the ExtKeyUsageSyntax field of the extended key usage extension.
Collection<List<?>> getIssuerAlternativeNames()
Returns a read-only list of the issuer alternative names from the IssuerAltName extension.
abstract Principal getIssuerDN()
Returns the issuer (issuer distinguished name) as an implementation specific Principal object.
abstract boolean[] getIssuerUniqueID()
Returns the issuerUniqueID from the certificate.
X500Principal getIssuerX500Principal()
Returns the issuer (issuer distinguished name) as an X500Principal.
abstract boolean[] getKeyUsage()
Returns the KeyUsage extension as a boolean array.
abstract Date getNotAfter()
Returns the notAfter date of the validity period of the certificate.
abstract Date getNotBefore()
Returns the notBefore date from the validity period of the certificate.
abstract BigInteger getSerialNumber()
Returns the serialNumber of the certificate.
abstract String getSigAlgName()
Returns the name of the algorithm for the certificate signature.
abstract String getSigAlgOID()
Returns the OID of the signature algorithm from the certificate.
abstract byte[] getSigAlgParams()
Returns the parameters of the signature algorithm in DER-encoded format.
abstract byte[] getSignature()
Returns the raw signature bits from the certificate.
Collection<List<?>> getSubjectAlternativeNames()
Returns a read-only list of the subject alternative names from the SubjectAltName extension.
abstract Principal getSubjectDN()
Returns the subject (subject distinguished name) as an implementation specific Principal object.
abstract boolean[] getSubjectUniqueID()
Returns the subjectUniqueID from the certificate.
X500Principal getSubjectX500Principal()
Returns the subject (subject distinguished name) as an X500Principal.
abstract byte[] getTBSCertificate()
Returns the tbsCertificate information from this certificate in DER-encoded format.
abstract int getVersion()
Returns the certificate's version (version number).
Inherited Methods
From class java.security.cert.Certificate
From class java.lang.Object
From interface java.security.cert.X509Extension

Protected Constructors

protected X509Certificate ()

Creates a new X509Certificate.

Public Methods

public abstract void checkValidity ()

Checks whether the certificate is currently valid.

The validity defined in ASN.1:

 validity             Validity
 
 Validity ::= SEQUENCE { 
      notBefore       CertificateValidityDate, 
      notAfter        CertificateValidityDate }
 
 CertificateValidityDate ::= CHOICE { 
      utcTime         UTCTime, 
      generalTime     GeneralizedTime }
 

Throws
CertificateExpiredException if the certificate has expired.
CertificateNotYetValidException if the certificate is not yet valid.

public abstract void checkValidity (Date date)

Checks whether the certificate is valid at the specified date.

Parameters
date the date to check the validity against.
Throws
CertificateExpiredException if the certificate has expired.
CertificateNotYetValidException if the certificate is not yet valid.

public abstract int getBasicConstraints ()

Returns the path length of the certificate constraints from the BasicConstraints extension.

Returns
  • the path length of the certificate constraints if the extension is present, or -1 if the extension is not present; Integer.MAX_VALUE if there is no limit.

public List<String> getExtendedKeyUsage ()

Returns a read-only list of OID strings representing the ExtKeyUsageSyntax field of the extended key usage extension.

Returns
  • the extended key usage extension, or null if there's none in the certificate.
Throws
CertificateParsingException if the extension decoding fails.

public Collection<List<?>> getIssuerAlternativeNames ()

Returns a read-only list of the issuer alternative names from the IssuerAltName extension.

The ASN.1 definition of IssuerAltName:

 IssuerAltName ::= GeneralNames
 
 GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 
 GeneralName ::= CHOICE {
      otherName                       [0]     AnotherName,
      rfc822Name                      [1]     IA5String,
      dNSName                         [2]     IA5String,
      x400Address                     [3]     ORAddress,
      directoryName                   [4]     Name,
      ediPartyName                    [5]     EDIPartyName,
      uniformResourceIdentifier       [6]     IA5String,
      iPAddress                       [7]     OCTET STRING,
      registeredID                    [8]     OBJECT IDENTIFIER }
 
 

Returns
  • the issuer alternative names or null if there are none in the certificate.
Throws
CertificateParsingException if decoding of the extension fails.

public abstract Principal getIssuerDN ()

Returns the issuer (issuer distinguished name) as an implementation specific Principal object.

The ASN.1 definition of issuer:

  issuer      Name
 
  Name ::= CHOICE {
      RDNSequence }
 
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 
    RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
 
    AttributeTypeAndValue ::= SEQUENCE {
      type     AttributeType,
      value    AttributeValue }
 
    AttributeType ::= OBJECT IDENTIFIER
 
    AttributeValue ::= ANY DEFINED BY AttributeType
 

Replaced by getIssuerX500Principal().

Returns
  • the issuer as an implementation specific Principal.

public abstract boolean[] getIssuerUniqueID ()

Returns the issuerUniqueID from the certificate.

Returns
  • the issuerUniqueID or null if there's none in the certificate.

public X500Principal getIssuerX500Principal ()

Returns the issuer (issuer distinguished name) as an X500Principal.

Returns
  • the issuer (issuer distinguished name).

public abstract boolean[] getKeyUsage ()

Returns the KeyUsage extension as a boolean array.

The ASN.1 definition of KeyUsage:

 KeyUsage ::= BIT STRING {
      digitalSignature        (0),
      nonRepudiation          (1),
      keyEncipherment         (2),
      dataEncipherment        (3),
      keyAgreement            (4),
      keyCertSign             (5),
      cRLSign                 (6),
      encipherOnly            (7),
      decipherOnly            (8) }
 
 

Returns
  • the KeyUsage extension or null if there's none in the certificate.

public abstract Date getNotAfter ()

Returns the notAfter date of the validity period of the certificate.

Returns
  • the end of the validity period.

public abstract Date getNotBefore ()

Returns the notBefore date from the validity period of the certificate.

Returns
  • the start of the validity period.

public abstract BigInteger getSerialNumber ()

Returns the serialNumber of the certificate.

The ASN.1 definition of serialNumber:

 CertificateSerialNumber  ::=  INTEGER
 

Returns
  • the serial number.

public abstract String getSigAlgName ()

Returns the name of the algorithm for the certificate signature.

Returns
  • the signature algorithm name.

public abstract String getSigAlgOID ()

Returns the OID of the signature algorithm from the certificate.

Returns
  • the OID of the signature algorithm.

public abstract byte[] getSigAlgParams ()

Returns the parameters of the signature algorithm in DER-encoded format.

Returns
  • the parameters of the signature algorithm, or null if none are used.

public abstract byte[] getSignature ()

Returns the raw signature bits from the certificate.

Returns
  • the raw signature bits from the certificate.

public Collection<List<?>> getSubjectAlternativeNames ()

Returns a read-only list of the subject alternative names from the SubjectAltName extension.

The ASN.1 definition of SubjectAltName:

 SubjectAltName ::= GeneralNames
 
 GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 
 GeneralName ::= CHOICE {
      otherName                       [0]     AnotherName,
      rfc822Name                      [1]     IA5String,
      dNSName                         [2]     IA5String,
      x400Address                     [3]     ORAddress,
      directoryName                   [4]     Name,
      ediPartyName                    [5]     EDIPartyName,
      uniformResourceIdentifier       [6]     IA5String,
      iPAddress                       [7]     OCTET STRING,
      registeredID                    [8]     OBJECT IDENTIFIER }
 
 

Returns
  • the subject alternative names or null if there are none in the certificate.
Throws
CertificateParsingException if decoding of the extension fails.
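
The Collection<List<?>> return type hides the structure of each entry, so the following added example (not part of the original reference) shows how to read it. It relies on the standard java.security.cert contract that each entry is a two-element list holding the Integer GeneralName type and then the name as a String or a DER-encoded byte[]; the class name SanNames, its methods and the sample values are hypothetical.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

// Added example; SanNames and its method names are hypothetical.
public class SanNames {
    static final int DNS_NAME = 2;   // dNSName   [2] in the GeneralName CHOICE above
    static final int IP_ADDRESS = 7; // iPAddress [7]

    /** Returns the String-valued entries of one GeneralName type; empty if the extension is absent. */
    static List<String> namesOfType(Collection<List<?>> altNames, int type) {
        List<String> out = new ArrayList<>();
        if (altNames == null) return out; // getSubjectAlternativeNames() returned null
        for (List<?> entry : altNames) {
            // Each entry is [Integer type, value]; value is a String or a DER byte[].
            if (entry == null || entry.size() < 2) continue;
            Object tag = entry.get(0);
            Object value = entry.get(1);
            if (tag instanceof Integer && (Integer) tag == type && value instanceof String) {
                out.add((String) value);
            }
        }
        return out;
    }

    /** dNSName entries of a certificate, the names a hostname check compares against. */
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        return namesOfType(cert.getSubjectAlternativeNames(), DNS_NAME);
    }

    public static void main(String[] args) {
        // Constructed sample in the shape getSubjectAlternativeNames() returns; not a real certificate.
        Collection<List<?>> sample = Arrays.asList(
                Arrays.<Object>asList(2, "www.example.test"),
                Arrays.<Object>asList(7, "192.0.2.10"),
                Arrays.<Object>asList(0, new byte[] {0x30, 0x00})); // otherName stays DER-encoded
        System.out.println(namesOfType(sample, DNS_NAME));
        System.out.println(namesOfType(sample, IP_ADDRESS));
        System.out.println(namesOfType(null, DNS_NAME));
    }
}
```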

public abstract Principal getSubjectDN ()

Returns the subject (subject distinguished name) as an implementation specific Principal object.

The ASN.1 definition of subject:

 subject      Name
 
  Name ::= CHOICE {
      RDNSequence }
 
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 
    RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
 
    AttributeTypeAndValue ::= SEQUENCE {
      type     AttributeType,
      value    AttributeValue }
 
    AttributeType ::= OBJECT IDENTIFIER
 
    AttributeValue ::= ANY DEFINED BY AttributeType
 

Replaced by getSubjectX500Principal().

Returns
  • the subject (subject distinguished name).

public abstract boolean[] getSubjectUniqueID ()

Returns the subjectUniqueID from the certificate.

Returns
  • the subjectUniqueID or null if there's none in the certificate.

public X500Principal getSubjectX500Principal ()

Returns the subject (subject distinguished name) as an X500Principal.

Returns
  • the subject (subject distinguished name).

public abstract byte[] getTBSCertificate ()

Returns the tbsCertificate information from this certificate in DER-encoded format.

Returns
  • the DER-encoded certificate information.
Throws
CertificateEncodingException if an error occurs in encoding.
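
An added example (not part of the original reference) that combines checkValidity(), getBasicConstraints(), getKeyUsage() and the getTBSCertificate()/getSignature() pair to audit the platform's default trust anchors, which lets it run without a certificate file. The class and method names are hypothetical, and signature algorithms that need explicit parameters are simply reported as not self-signed.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example; TrustAnchorAudit and its method names are hypothetical.
public class TrustAnchorAudit {
    /** CA path length present and, if KeyUsage exists, keyCertSign (bit 5) set. */
    static boolean maySignCertificates(X509Certificate cert) {
        if (cert.getBasicConstraints() < 0) return false; // -1: no CA path length
        boolean[] usage = cert.getKeyUsage();              // null: extension absent
        return usage == null || (usage.length > 5 && usage[5]);
    }
    /** Checks the signature bits over the DER tbsCertificate with the certificate's own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try {
            Signature verifier = Signature.getInstance(cert.getSigAlgName());
            verifier.initVerify(cert.getPublicKey());
            verifier.update(cert.getTBSCertificate());
            return verifier.verify(cert.getSignature());
        } catch (GeneralSecurityException e) {
            return false; // unsupported algorithm, missing parameters, or encoding error
        }
    }
    /** One audit line per certificate: subject, validity window status, CA and self-signature flags. */
    static String describe(X509Certificate cert) {
        String validity = "valid now";
        try {
            cert.checkValidity();
        } catch (GeneralSecurityException e) { // expired or not yet valid
            validity = "outside " + cert.getNotBefore() + " .. " + cert.getNotAfter();
        }
        return cert.getSubjectX500Principal().getName() + " | " + validity
                + " | maySign=" + maySignCertificates(cert) + " | selfSigned=" + isSelfSigned(cert);
    }
    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate cert : ((X509TrustManager) tm).getAcceptedIssuers()) {
                System.out.println(describe(cert));
            }
        }
    }
}
```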

public abstract int getVersion ()

Returns the certificate's version (version number).

The version defined in ASN.1:

 Version ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
 

Returns
  • the version number.