mirror of
git://gcc.gnu.org/git/gcc.git
synced 2024-12-26 03:59:10 +08:00
a729a4e9ab
Sat Aug 19 11:00:53 2000 Anthony Green <green@redhat.com> * java/util/jar/Attributes.java, java/util/jar/JarEntry.java, java/util/jar/JarException.java, java/util/jar/JarFile.java, java/util/jar/JarInputStream.java, java/util/jar/JarOutputStream.java, java/util/jar/Manifest.java, java/util/Set.java, java/util/Map.java, java/util/Bucket.java, java/util/AbstractSet.java, java/util/BasicMapEntry.java, java/security/cert/CRL.java, java/security/cert/CRLException.java, java/security/cert/Certificate.java, java/security/cert/CertificateEncodingException.java, java/security/cert/CertificateException.java, java/security/cert/CertificateExpiredException.java, java/security/cert/CertificateFactory.java, java/security/cert/CertificateFactorySpi.java, java/security/cert/CertificateNotYetValidException.java, java/security/cert/CertificateParsingException.java, java/security/cert/X509CRL.java, java/security/cert/X509CRLEntry.java, java/security/cert/X509Certificate.java, java/security/cert/X509Extension.java: Imported from Classpath. * java/util/Hashtable.java: Imported from Classpath. * java/util/zip/ZipInputStream.java: Create stub for createZipEntry. * gcj/javaprims.h: Updated class list. * Makefile.in, gcj/Makefile.in: Rebuilt. * Makefile.am (ordinary_java_source_files): Add these new classes. From-SVN: r35809
445 lines
13 KiB
Java
445 lines
13 KiB
Java
/* X509Certificate.java --- X.509 Certificate class
|
|
Copyright (C) 1999 Free Software Foundation, Inc.
|
|
|
|
This file is part of GNU Classpath.
|
|
|
|
GNU Classpath is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2, or (at your option)
|
|
any later version.
|
|
|
|
GNU Classpath is distributed in the hope that it will be useful, but
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with GNU Classpath; see the file COPYING. If not, write to the
|
|
Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
|
|
02111-1307 USA.
|
|
|
|
As a special exception, if you link this library with other files to
|
|
produce an executable, this library does not by itself cause the
|
|
resulting executable to be covered by the GNU General Public License.
|
|
This exception does not however invalidate any other reasons why the
|
|
executable file might be covered by the GNU General Public License. */
|
|
|
|
|
|
package java.security.cert;
|
|
import java.math.BigInteger;
|
|
import java.security.Principal;
|
|
import java.security.PublicKey;
|
|
import java.security.NoSuchAlgorithmException;
|
|
import java.security.InvalidKeyException;
|
|
import java.security.NoSuchProviderException;
|
|
import java.security.SignatureException;
|
|
import java.util.Date;
|
|
|
|
/**
|
|
X509Certificate is the abstract class for X.509 certificates.
|
|
This provides a stanard class interface for accessing all
|
|
the attributes of X.509 certificates.
|
|
|
|
In June 1996, the basic X.509 v3 format was finished by
|
|
ISO/IEC and ANSI X.9. The ASN.1 DER format is below:
|
|
|
|
Certificate ::= SEQUENCE {
|
|
tbsCertificate TBSCertificate,
|
|
signatureAlgorithm AlgorithmIdentifier,
|
|
signatureValue BIT STRING }
|
|
|
|
These certificates are widely used in various Internet
|
|
protocols to support authentication. It is used in
|
|
Privacy Enhanced Mail (PEM), Transport Layer Security (TLS),
|
|
Secure Sockets Layer (SSL), code signing for trusted software
|
|
distribution, and Secure Electronic Transactions (SET).
|
|
|
|
The certificates are managed and vouched for by
|
|
<I>Certificate Authorities</I> (CAs). CAs are companies or
|
|
groups that create certificates by placing the data in the
|
|
X.509 certificate format and signing it with their private
|
|
key. CAs serve as trusted third parties by certifying that
|
|
the person or group specified in the certificate is who
|
|
they say they are.
|
|
|
|
The ASN.1 defintion for <I>tbsCertificate</I> is
|
|
|
|
TBSCertificate ::= SEQUENCE {
|
|
version [0] EXPLICIT Version DEFAULT v1,
|
|
serialNumber CertificateSerialNumber,
|
|
signature AlgorithmIdentifier,
|
|
issuer Name,
|
|
validity Validity,
|
|
subject Name,
|
|
subjectPublicKeyInfo SubjectPublicKeyInfo,
|
|
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
|
|
-- If present, version shall be v2 or v3
|
|
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
|
|
-- If present, version shall be v2 or v3
|
|
extensions [3] EXPLICIT Extensions OPTIONAL
|
|
-- If present, version shall be v3
|
|
}
|
|
|
|
Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
|
|
|
CertificateSerialNumber ::= INTEGER
|
|
|
|
Validity ::= SEQUENCE {
|
|
notBefore Time,
|
|
notAfter Time }
|
|
|
|
Time ::= CHOICE {
|
|
utcTime UTCTime,
|
|
generalTime GeneralizedTime }
|
|
|
|
UniqueIdentifier ::= BIT STRING
|
|
|
|
SubjectPublicKeyInfo ::= SEQUENCE {
|
|
algorithm AlgorithmIdentifier,
|
|
subjectPublicKey BIT STRING }
|
|
|
|
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
|
|
|
|
Extension ::= SEQUENCE {
|
|
extnID OBJECT IDENTIFIER,
|
|
critical BOOLEAN DEFAULT FALSE,
|
|
extnValue OCTET STRING }
|
|
|
|
|
|
Certificates are created with the CertificateFactory.
|
|
For more information about X.509 certificates, consult
|
|
rfc2459.
|
|
|
|
@since JDK 1.2
|
|
|
|
@author Mark Benvenuto
|
|
*/
|
|
public abstract class X509Certificate extends Certificate implements X509Extension
|
|
{
|
|
|
|
/**
|
|
Constructs a new certificate of the specified type.
|
|
*/
|
|
protected X509Certificate()
|
|
{
|
|
super( "X.509" );
|
|
}
|
|
|
|
/**
|
|
Checks the validity of the X.509 certificate. It is valid
|
|
if the current date and time are within the period specified
|
|
by the certificate.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
validity Validity,
|
|
|
|
Validity ::= SEQUENCE {
|
|
notBefore Time,
|
|
notAfter Time }
|
|
|
|
Time ::= CHOICE {
|
|
utcTime UTCTime,
|
|
generalTime GeneralizedTime }
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@throws CertificateExpiredException if the certificate expired
|
|
@throws CertificateNotYetValidException if the certificate is
|
|
not yet valid
|
|
*/
|
|
public abstract void checkValidity()
|
|
throws CertificateExpiredException,
|
|
CertificateNotYetValidException;
|
|
|
|
/**
|
|
Checks the validity of the X.509 certificate for the
|
|
specified time and date. It is valid if the specified
|
|
date and time are within the period specified by
|
|
the certificate.
|
|
|
|
@throws CertificateExpiredException if the certificate expired
|
|
based on the date
|
|
@throws CertificateNotYetValidException if the certificate is
|
|
not yet valid based on the date
|
|
*/
|
|
public abstract void checkValidity(Date date)
|
|
throws CertificateExpiredException,
|
|
CertificateNotYetValidException;
|
|
|
|
/**
|
|
Returns the version of this certificate.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
version [0] EXPLICIT Version DEFAULT v1,
|
|
|
|
Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return version number of certificate
|
|
*/
|
|
public abstract int getVersion();
|
|
|
|
/**
|
|
Gets the serial number for serial Number in
|
|
this Certifcate. It must be a unique number
|
|
unique other serial numbers from the granting CA.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
serialNumber CertificateSerialNumber,
|
|
|
|
CertificateSerialNumber ::= INTEGER
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return the serial number for this X509CRLEntry.
|
|
*/
|
|
public abstract BigInteger getSerialNumber();
|
|
|
|
/**
|
|
Returns the issuer (issuer distinguished name) of the
|
|
Certificate. The issuer is the entity who signed
|
|
and issued the Certificate.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
issuer Name,
|
|
|
|
Name ::= CHOICE {
|
|
RDNSequence }
|
|
|
|
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
|
|
|
|
RelativeDistinguishedName ::=
|
|
SET OF AttributeTypeAndValue
|
|
|
|
AttributeTypeAndValue ::= SEQUENCE {
|
|
type AttributeType,
|
|
value AttributeValue }
|
|
|
|
AttributeType ::= OBJECT IDENTIFIER
|
|
|
|
AttributeValue ::= ANY DEFINED BY AttributeType
|
|
|
|
DirectoryString ::= CHOICE {
|
|
teletexString TeletexString (SIZE (1..MAX)),
|
|
printableString PrintableString (SIZE (1..MAX)),
|
|
universalString UniversalString (SIZE (1..MAX)),
|
|
utf8String UTF8String (SIZE (1.. MAX)),
|
|
bmpString BMPString (SIZE (1..MAX)) }
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return the issuer in the Principal class
|
|
*/
|
|
public abstract Principal getIssuerDN();
|
|
|
|
/**
|
|
Returns the subject (subject distinguished name) of the
|
|
Certificate. The subject is the entity who the Certificate
|
|
identifies.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
subject Name,
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return the issuer in the Principal class
|
|
*/
|
|
public abstract Principal getSubjectDN();
|
|
|
|
/**
|
|
Returns the date that this certificate is not to be used
|
|
before, <I>notBefore</I>.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
validity Validity,
|
|
|
|
Validity ::= SEQUENCE {
|
|
notBefore Time,
|
|
notAfter Time }
|
|
|
|
Time ::= CHOICE {
|
|
utcTime UTCTime,
|
|
generalTime GeneralizedTime }
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return the date <I>notBefore</I>
|
|
*/
|
|
public abstract Date getNotBefore();
|
|
|
|
/**
|
|
Returns the date that this certificate is not to be used
|
|
after, <I>notAfter</I>.
|
|
|
|
@return the date <I>notAfter</I>
|
|
*/
|
|
public abstract Date getNotAfter();
|
|
|
|
|
|
/**
|
|
Returns the <I>tbsCertificate</I> from the certificate.
|
|
|
|
@return the DER encoded tbsCertificate
|
|
|
|
@throws CertificateEncodingException if encoding error occured
|
|
*/
|
|
public abstract byte[] getTBSCertificate() throws CertificateEncodingException;
|
|
|
|
/**
|
|
Returns the signature in its raw DER encoded format.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
signatureValue BIT STRING
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return byte array representing signature
|
|
*/
|
|
public abstract byte[] getSignature();
|
|
|
|
/**
|
|
Returns the signature algorithm used to sign the CRL.
|
|
An examples is "SHA-1/DSA".
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
signatureAlgorithm AlgorithmIdentifier,
|
|
|
|
AlgorithmIdentifier ::= SEQUENCE {
|
|
algorithm OBJECT IDENTIFIER,
|
|
parameters ANY DEFINED BY algorithm OPTIONAL }
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
The algorithm name is determined from the OID.
|
|
|
|
@return a string with the signature algorithm name
|
|
*/
|
|
public abstract String getSigAlgName();
|
|
|
|
|
|
/**
|
|
Returns the OID for the signature algorithm used.
|
|
Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
|
|
|
|
The ASN.1 DER encoding for the example is:
|
|
|
|
id-dsa-with-sha1 ID ::= {
|
|
iso(1) member-body(2) us(840) x9-57 (10040)
|
|
x9cm(4) 3 }
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return a string containing the OID.
|
|
*/
|
|
public abstract String getSigAlgOID();
|
|
|
|
|
|
/**
|
|
Returns the AlgorithmParameters in the encoded form
|
|
for the signature algorithm used.
|
|
|
|
If access to the parameters is need, create an
|
|
instance of AlgorithmParameters.
|
|
|
|
@return byte array containing algorithm parameters, null
|
|
if no parameters are present in certificate
|
|
*/
|
|
public abstract byte[] getSigAlgParams();
|
|
|
|
|
|
/**
|
|
Returns the issuer unique ID for this certificate.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
|
|
-- If present, version shall be v2 or v3
|
|
|
|
UniqueIdentifier ::= BIT STRING
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return bit representation of <I>issuerUniqueID</I>
|
|
*/
|
|
public abstract boolean[] getIssuerUniqueID();
|
|
|
|
/**
|
|
Returns the subject unique ID for this certificate.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
|
|
-- If present, version shall be v2 or v3
|
|
|
|
UniqueIdentifier ::= BIT STRING
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return bit representation of <I>subjectUniqueID</I>
|
|
*/
|
|
public abstract boolean[] getSubjectUniqueID();
|
|
|
|
/**
|
|
Returns a boolean array representing the <I>KeyUsage</I>
|
|
extension for the certificate. The KeyUsage (OID = 2.5.29.15)
|
|
defines the purpose of the key in the certificate.
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
|
|
|
|
KeyUsage ::= BIT STRING {
|
|
digitalSignature (0),
|
|
nonRepudiation (1),
|
|
keyEncipherment (2),
|
|
dataEncipherment (3),
|
|
keyAgreement (4),
|
|
keyCertSign (5),
|
|
cRLSign (6),
|
|
encipherOnly (7),
|
|
decipherOnly (8) }
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return bit representation of <I>KeyUsage</I>
|
|
*/
|
|
public abstract boolean[] getKeyUsage();
|
|
|
|
/**
|
|
Returns the certificate constraints path length from the
|
|
critical BasicConstraints extension, (OID = 2.5.29.19).
|
|
|
|
The basic constraints extensions is used to determine if
|
|
the subject of the certificate is a Certificate Authority (CA)
|
|
and how deep the certification path may exist. The
|
|
<I>pathLenConstraint</I> only takes affect if <I>cA</I>
|
|
is set to true. "A value of zero indicates that only an
|
|
end-entity certificate may follow in the path." (rfc2459)
|
|
|
|
The ASN.1 DER encoding is:
|
|
|
|
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
|
|
|
|
BasicConstraints ::= SEQUENCE {
|
|
cA BOOLEAN DEFAULT FALSE,
|
|
pathLenConstraint INTEGER (0..MAX) OPTIONAL }
|
|
|
|
Consult rfc2459 for more information.
|
|
|
|
@return the length of the path constraint if BasicConstraints
|
|
is present and cA is TRUE. Otherwise returns -1.
|
|
*/
|
|
public abstract int getBasicConstraints();
|
|
|
|
|
|
}
|