Constructor:

    public X509Cert() {
    }

Constructs an uninitialized X.509 certificate on which decode() must later be called (or which may be deserialized).
    public X509Cert(byte[] cert) throws IOException {
        DerValue in = new DerValue (cert);
        parse (in);
        if (in.data.available () != 0)
            throw new CertParseError ("garbage at end");
        signedCert = cert;
    }

Unmarshals a certificate from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use certificate contents; that is, it is one of the more commonly used constructors. Note that the buffer must include only a certificate, and no "garbage" may be left at the end. If you need to ignore data at the end of a certificate, use another constructor.

Parameters:
    cert - the encoded bytes, with no terminator (CONSUMED)
Throws:
    IOException - when the certificate is improperly encoded.
    public X509Cert(DerValue derVal) throws IOException {
        parse (derVal);
        if (derVal.data.available () != 0)
            throw new CertParseError ("garbage at end");
        signedCert = derVal.toByteArray ();
    }

Unmarshals a certificate from its encoded form, parsing a DER value. This form of constructor is used by agents which need to examine and use certificate contents.

Parameters:
    derVal - the DER value containing the encoded cert.
Throws:
    IOException - when the certificate is improperly encoded.
    public X509Cert(byte[] buf,
                    int offset,
                    int len) throws IOException {
        DerValue in = new DerValue (buf, offset, len);
        parse (in);
        if (in.data.available () != 0)
            throw new CertParseError ("garbage at end");
        signedCert = new byte [len];
        System.arraycopy (buf, offset, signedCert, 0, len);
    }

Unmarshals a certificate from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use certificate contents; that is, it is one of the most commonly used constructors.

Parameters:
    buf - the buffer holding the encoded bytes
    offset - the offset in the buffer where the bytes begin
    len - how many bytes of certificate exist
Throws:
    IOException - when the certificate is improperly encoded.
    public X509Cert(X500Name subjectName,
                    X509Key subjectPublicKey,
                    Date notBefore,
                    Date notAfter) throws CertException {
        subject = subjectName;
        if (!(subjectPublicKey instanceof PublicKey))
            throw new CertException (CertException.err_INVALID_PUBLIC_KEY,
                                     "Doesn't implement PublicKey interface");
        // The X509 cert API requires X509 keys, else things break.
        pubkey = subjectPublicKey;
        notbefore = notBefore;
        notafter = notAfter;
        version = 0;
    }

Partially constructs a certificate from descriptive parameters. This constructor may be used by Certificate Authority (CA) code, which later signs and encodes the certificate. Also, self-signed certificates serve as CA certificates, and are sometimes used as certificate requests.

Until the certificate has been signed and encoded, some of the mandatory fields in the certificate will not be available via accessor functions: the serial number, issuer name and signing algorithm, and of course the signed certificate. The fields passed to this constructor are available, and must be non-null.

Note that the public key being signed is generally independent of the signature algorithm being used. So for example Diffie-Hellman keys (which do not support signatures) can be placed in X.509 certificates when some other signature algorithm (e.g. DSS/DSA, or one of the RSA based algorithms) is used.

Parameters:
    subjectName - the X.500 distinguished name being certified
    subjectPublicKey - the public key being certified. This must be an "X509Key" implementing the "PublicKey" interface.
    notBefore - the first time the certificate is valid
    notAfter - the last time the certificate is valid
Throws:
    CertException - if the public key is inappropriate
See also:
    CertAndKeyGen
Method from sun.security.x509.X509Cert Detail:

    public void decode(InputStream in) throws IOException {
        DerValue val = new DerValue(in);
        parse(val);
        signedCert = val.toByteArray();
    }

Deprecated. Decodes an X.509 certificate from an input stream.
    public void encode(OutputStream out) throws IOException {
        out.write (getSignedCert ());
    }

Deprecated. Appends the certificate to an output stream.
    public byte[] encodeAndSign(BigInteger serial,
                                X500Signer issuer) throws IOException, SignatureException {
        rawCert = null;
        /*
         * Get the remaining cert parameters, and make sure we have enough.
         *
         * We deduce version based on what attribute data are available.
         * For now, we have no attributes, so we always deduce X.509v1!
         */
        version = 0;
        serialnum = serial;
        this.issuer = issuer.getSigner ();
        issuerSigAlg = issuer.getAlgorithmId ();
        if (subject == null || pubkey == null
                || notbefore == null || notafter == null)
            throw new IOException ("not enough cert parameters");
        /*
         * Encode the raw cert, create its signature and put it
         * into the envelope.
         */
        rawCert = DERencode ();
        signedCert = sign (issuer, rawCert);
        return signedCert;
    }

Deprecated. Creates an X.509 certificate, and signs it using the issuer passed (associating a signature algorithm and an X.500 name). This operation is used to implement the certificate generation functionality of a certificate authority.
    public boolean equals(Object other) {
        if (other instanceof X509Cert)
            return equals ((X509Cert) other);
        else
            return false;
    }

Deprecated. Compares two certificates. This is false if the certificates are not both X.509 certs; otherwise it compares them as binary data.
    public boolean equals(X509Cert src) {
        if (this == src)
            return true;
        if (signedCert == null || src.signedCert == null)
            return false;
        if (signedCert.length != src.signedCert.length)
            return false;
        for (int i = 0; i < signedCert.length; i++)
            if (signedCert [i] != src.signedCert [i])
                return false;
        return true;
    }

Deprecated. Compares two certificates, returning false if any data differs between the two.
    public String getFormat() {
        return "X.509";
    }

Deprecated. Returns the "X.509" format identifier.

    public Principal getGuarantor() {
        return getIssuerName ();
    }

Deprecated. Returns the certificate's guarantor, which is the issuer's X.500 distinguished name.
    public AlgorithmId getIssuerAlgorithmId() {
        return issuerSigAlg;
    }

Deprecated. Returns the algorithm used by the issuer to sign the certificate. Null is returned in the case of a partially constructed cert.

    public X500Name getIssuerName() {
        return issuer;
    }

Deprecated. Returns the certificate issuer's X.500 distinguished name. Null is returned in the case of a partially constructed cert.

    public Date getNotAfter() {
        return new Date(notafter.getTime());
    }

Deprecated. Returns the last time the certificate is valid.

    public Date getNotBefore() {
        return new Date(notbefore.getTime());
    }

Deprecated. Returns the first time the certificate is valid.

    public Principal getPrincipal() {
        return getSubjectName ();
    }

Deprecated. Returns the certificate's principal, which is the subject's X.500 distinguished name.
    public PublicKey getPublicKey() {
        return pubkey;
    }

Deprecated. Returns the subject's public key. Note that some public key algorithms support an optional certificate generation policy where the keys in the certificates are not in themselves sufficient to perform a public key operation. Those keys need to be augmented by algorithm parameters, which the certificate generation policy chose not to place in the certificate.

Two such public key algorithms are: DSS/DSA, where algorithm parameters could be acquired from a CA certificate in the chain of issuers; and Diffie-Hellman, with a similar solution, although the CA then needs both a Diffie-Hellman certificate and a signature-capable certificate.
    public BigInteger getSerialNumber() {
        return serialnum;
    }

Deprecated. Returns the certificate's serial number. Null is returned in the case of a partially constructed cert.

    public byte[] getSignedCert() {
        // Return null for a cert that is not yet signed, as documented below,
        // rather than dereferencing a null array; otherwise hand out a copy so
        // callers cannot modify the internal encoding.
        if (signedCert == null)
            return null;
        return (byte[])signedCert.clone();
    }

Deprecated. Returns the signed X.509 certificate as a byte array. The bytes are in standard DER marshaled form. Null is returned in the case of a partially constructed cert.
    public X500Signer getSigner(AlgorithmId algorithmId,
                                PrivateKey privateKey) throws NoSuchAlgorithmException, InvalidKeyException {
        String algorithm;
        Signature sig;
        if (privateKey instanceof Key) {
            Key key = (Key)privateKey;
            algorithm = key.getAlgorithm();
        } else {
            throw new InvalidKeyException("private key not a key!");
        }
        sig = Signature.getInstance(algorithmId.getName());
        // The signing key must use the same algorithm as the public key
        // certified by this certificate.
        if (!pubkey.getAlgorithm ().equals (algorithm)) {
            throw new InvalidKeyException( "Private key algorithm " +
                                           algorithm +
                                           " incompatible with certificate " +
                                           pubkey.getAlgorithm());
        }
        sig.initSign (privateKey);
        // The signer carries this certificate's subject as the issuer name.
        return new X500Signer (sig, subject);
    }

Deprecated. Returns an X500Signer that may be used to create signatures. Those signatures may in turn be verified using this certificate (or a copy of it).

NOTE: If the private key is not by itself capable of creating signatures, this fact may not be recognized at this time. Specifically, the case of DSS/DSA keys which get their algorithm parameters from higher in the certificate chain is not supportable without using an X509CertChain API, and there is no current support for other sources of algorithm parameters.
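As an added example (not code from this page or the JDK), the CA issuing flow that the partially constructing constructor, getSigner() and encodeAndSign() together describe, ending with a round trip through the parsing constructor. It assumes that AlgorithmId.get(String) and X500Name(String) exist in this version of the package and that the provider's RSA public key object implements X509Key; neither is stated on this page.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Date;
import sun.security.x509.AlgorithmId;
import sun.security.x509.X500Name;
import sun.security.x509.X500Signer;
import sun.security.x509.X509Cert;
import sun.security.x509.X509Key;

public class IssueWithX509Cert {
    public static void main(String[] args) throws Exception {
        // Constructed key pairs for the CA and for the end entity being certified.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKeys = kpg.generateKeyPair();
        KeyPair eeKeys = kpg.generateKeyPair();
        // Assumptions: the provider's RSA public key implements X509Key (which the
        // constructor requires), and AlgorithmId.get(String) and X500Name(String)
        // exist in this version of the package.
        X509Key caPub = (X509Key) caKeys.getPublic();
        X509Key eePub = (X509Key) eeKeys.getPublic();
        AlgorithmId sigAlg = AlgorithmId.get("SHA256withRSA");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);

        // Step 1: partially construct the CA certificate and sign it with its own
        // key. getSigner() builds the X500Signer from *this* cert's subject name,
        // so a signer taken from the CA cert makes the CA the issuer.
        X509Cert caCert = new X509Cert(new X500Name("CN=Example Root CA, O=Example"),
                                       caPub, notBefore, notAfter);
        X500Signer selfSigner = caCert.getSigner(sigAlg, caKeys.getPrivate());
        caCert.encodeAndSign(BigInteger.ONE, selfSigner);   // issuer == subject

        // Step 2: issue the end-entity certificate. The signer again comes from the
        // CA cert; getSigner() also checks that the private key's algorithm matches
        // the CA cert's public key algorithm before initialising the Signature.
        X509Cert eeCert = new X509Cert(new X500Name("CN=server.example, O=Example"),
                                       eePub, notBefore, notAfter);
        X500Signer caSigner = caCert.getSigner(sigAlg, caKeys.getPrivate());
        byte[] der = eeCert.encodeAndSign(BigInteger.valueOf(2), caSigner);

        // Step 3: re-parse the DER bytes (this constructor rejects trailing data)
        // and verify the result against the CA key before relying on it.
        X509Cert parsed = new X509Cert(der);
        if (!parsed.getIssuerName().equals(caCert.getSubjectName()))
            throw new IllegalStateException("issuer name does not match the CA subject");
        parsed.verify(caCert.getPublicKey());   // CertException on a bad signature
        System.out.println(parsed);
    }
}
```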
    public X500Name getSubjectName() {
        return subject;
    }

Deprecated. Returns the subject's X.500 distinguished name.

    public Signature getVerifier(String algorithm) throws NoSuchAlgorithmException, InvalidKeyException {
        Signature sig;
        sig = Signature.getInstance(algorithm);
        sig.initVerify (pubkey);
        return sig;
    }

Deprecated. Returns a signature object that may be used to verify signatures created using a specified signature algorithm and the public key contained in this certificate.

NOTE: If the public key in this certificate is not by itself capable of verifying signatures, this may not be recognized at this time. Specifically, the case of DSS/DSA keys which get their algorithm parameters from higher in the certificate chain is not supportable without using an X509CertChain API, and there is no current support for other sources of algorithm parameters.
    public int getVersion() {
        return version;
    }

Deprecated. Returns the X.509 version number of this certificate, zero based. That is, "2" indicates an X.509 version 3 (1993) certificate, and "0" indicates X.509v1 (1988). Zero is returned in the case of a partially constructed cert.

    public int hashCode() {
        // A partially constructed cert has no encoding yet; equals() treats it as
        // equal only to itself, so any constant hash code is consistent with that.
        if (signedCert == null)
            return 0;
        int retval = 0;
        for (int i = 0; i < signedCert.length; i++)
            retval += signedCert [i] * i;
        return retval;
    }

Deprecated. Calculates a hash code value for the object. Objects which are equal will also have the same hash code.
    public String toString() {
        String s;
        if (subject == null || pubkey == null
                || notbefore == null || notafter == null
                || issuer == null || issuerSigAlg == null
                || serialnum == null)
            throw new NullPointerException ("X.509 cert is incomplete");
        s = "  X.509v" + (version + 1) + " certificate,\n";
        s += "  Subject is " + subject + "\n";
        s += "  Key:  " + pubkey;
        s += "  Validity < " + notbefore + " > until < " + notafter + " >\n";
        s += "  Issuer is " + issuer + "\n";
        s += "  Issuer signature used " + issuerSigAlg.toString () + "\n";
        s += "  Serial number = " + Debug.toHexString(serialnum) + "\n";
        // optional v2, v3 extras
        return "[\n" + s + "]";
    }

Deprecated. Returns a printable representation of the certificate. This does not contain all the information available to distinguish this from any other certificate. The certificate must be fully constructed before this function may be called; in particular, if you are creating certificates you must call encodeAndSign() before calling this function.

    public String toString(boolean detailed) {
        return toString ();
    }

Deprecated. Returns a printable representation of the certificate.
    public void verify(PublicKey issuerPublicKey) throws CertException {
        Date now = new Date ();
        if (now.before (notbefore))
            throw new CertException (CertException.verf_INVALID_NOTBEFORE);
        if (now.after (notafter))
            throw new CertException (CertException.verf_INVALID_EXPIRED);
        if (signedCert == null)
            throw new CertException (CertException.verf_INVALID_SIG,
                                     "?? certificate is not signed yet ??");
        //
        // Verify the signature ...
        //
        String algName = null;
        try {
            Signature sigVerf = null;
            algName = issuerSigAlg.getName();
            sigVerf = Signature.getInstance(algName);
            sigVerf.initVerify (issuerPublicKey);
            sigVerf.update (rawCert, 0, rawCert.length);
            if (!sigVerf.verify (signature)) {
                throw new CertException (CertException.verf_INVALID_SIG,
                    "Signature ... by < " + issuer + " > for < " + subject + " >");
            }
        // Gag -- too many catch clauses, let most through.
        } catch (NoSuchAlgorithmException e) {
            throw new CertException (CertException.verf_INVALID_SIG,
                                     "Unsupported signature algorithm (" + algName + ")");
        } catch (InvalidKeyException e) {
            // e.printStackTrace();
            throw new CertException (CertException.err_INVALID_PUBLIC_KEY,
                                     "Algorithm (" + algName + ") rejected public key");
        } catch (SignatureException e) {
            throw new CertException (CertException.verf_INVALID_SIG,
                                     "Signature by < " + issuer + " > for < " + subject + " >");
        }
    }

Deprecated. Throws an exception if the certificate is invalid because it is now outside of the certificate's validity period, or because it was not signed using the verification key provided. Successfully verifying a certificate does not indicate that one should trust the entity which it represents.

Note that since this class represents only a single X.509 certificate, it cannot know anything about the certificate chain which is used to provide the verification key and to establish trust. Other code must manage and use those cert chains.

For now, you must walk the cert chain being used to verify any given cert. Start at the root, which is a self-signed certificate; verify it using the key inside the certificate. Then use that to verify the next certificate in the chain, issued by that CA. In this manner, verify each certificate until you reach the particular certificate you wish to verify. You should not use a certificate if any of the verification operations for its certificate chain were unsuccessful.
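The chain walk described above, as an added example that is not part of the original class: the chain is taken root first, the root is verified with its own key, and every later certificate with the key of the one before it. The issuer/subject name comparison is an addition of this example, since verify() itself checks only the validity window and the signature.

```java
import java.security.PublicKey;
import java.util.List;
import sun.security.x509.CertException;
import sun.security.x509.X509Cert;

public class ChainWalk {
    /**
     * Verifies a chain ordered root first, leaf last. Returns the leaf's
     * public key only if every link held; otherwise the CertException from
     * the failing link (or from a chaining check below) propagates, so the
     * caller never gets a key from a chain that was only partly verified.
     */
    public static PublicKey verifyChain(List<X509Cert> rootFirst) throws CertException {
        if (rootFirst.isEmpty())
            throw new CertException(CertException.verf_INVALID_SIG, "empty chain");

        X509Cert root = rootFirst.get(0);
        // Added check: the root must actually be self-issued. verify() with the
        // root's own key confirms the self-signature and the validity window,
        // but not that issuer and subject are the same name.
        if (!root.getIssuerName().equals(root.getSubjectName()))
            throw new CertException(CertException.verf_INVALID_SIG, "root is not self-signed");
        root.verify(root.getPublicKey());

        X509Cert issuer = root;
        for (int i = 1; i < rootFirst.size(); i++) {
            X509Cert cert = rootFirst.get(i);
            // Added check: verify() does not compare names, so confirm that this
            // certificate claims the previous one as its issuer before using
            // the previous certificate's key to check its signature.
            if (!cert.getIssuerName().equals(issuer.getSubjectName()))
                throw new CertException(CertException.verf_INVALID_SIG,
                                        "issuer name mismatch at chain position " + i);
            cert.verify(issuer.getPublicKey());
            issuer = cert;
        }
        return issuer.getPublicKey();
    }
}
```

The trust decision for the root (whether it belongs in the caller's trust store) is outside this method, exactly as the description above says it is outside verify().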