1. /*

  2.  * @(#)X509Certificate.java	1.22 01/11/29

  3.  *

  4.  * Copyright 2002 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7.  

  8. package java.security.cert;

  9. 

  10. import java.math.BigInteger;

  11. import java.security.Principal;

  12. import java.security.PublicKey;

  13. import java.util.Date;

  14. 

  15. /**

  16.  * <p>

  17.  * Abstract class for X.509 certificates. This provides a standard

  18.  * way to access all the attributes of an X.509 certificate.

  19.  * <p>

  20.  * In June of 1996, the basic X.509 v3 format was completed by

  21.  * ISO/IEC and ANSI X9, which is described below in ASN.1:

  22.  * <pre>

  23.  * Certificate  ::=  SEQUENCE  {

  24.  *     tbsCertificate       TBSCertificate,

  25.  *     signatureAlgorithm   AlgorithmIdentifier,

  26.  *     signature            BIT STRING  }

  27.  * </pre>

  28.  * <p>

  29.  * These certificates are widely used to support authentication and

  30.  * other functionality in Internet security systems. Common applications

  31.  * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),

  32.  * code signing for trusted software distribution, and Secure Electronic

  33.  * Transactions (SET).

  34.  * <p>

  35.  * These certificates are managed and vouched for by <em>Certificate

  36.  * Authorities</em> (CAs). CAs are services which create certificates by

  37.  * placing data in the X.509 standard format and then digitally signing

  38.  * that data. CAs act as trusted third parties, making introductions

  39.  * between principals who have no direct knowledge of each other.

  40.  * CA certificates are either signed by themselves, or by some other

  41.  * CA such as a "root" CA.

  42.  * <p>

  43.  * A good decription and profiling is provided in the IETF PKIX WG

  44.  * draft, Part I:  X.509 Certificate and CRL Profile,

  45.  * <draft-ietf-pkix-ipki-part1-07.txt>.

  46.  * <p>

  47.  * The ASN.1 definition of <code>tbsCertificate</code> is:

  48.  * <pre>

  49.  * TBSCertificate  ::=  SEQUENCE  {

  50.  *     version         [0]  EXPLICIT Version DEFAULT v1,

  51.  *     serialNumber         CertificateSerialNumber,

  52.  *     signature            AlgorithmIdentifier,

  53.  *     issuer               Name,

  54.  *     validity             Validity,

  55.  *     subject              Name,

  56.  *     subjectPublicKeyInfo SubjectPublicKeyInfo,

  57.  *     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,

  58.  *                          -- If present, version must be v2 or v3

  59.  *     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,

  60.  *                          -- If present, version must be v2 or v3

  61.  *     extensions      [3]  EXPLICIT Extensions OPTIONAL

  62.  *                          -- If present, version must be v3

  63.  *     }

  64.  * </pre>

  65.  * <p>

  66.  * Certificates are instantiated using a certificate factory. The following is

  67.  * an example of how to instantiate an X.509 certificate:

  68.  * <pre> 

  69.  * InputStream inStream = new FileInputStream("fileName-of-cert");

  70.  * CertificateFactory cf = CertificateFactory.getInstance("X.509");

  71.  * X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);

  72.  * inStream.close();

  73.  * </pre>

  74.  *

  75.  * @author Hemma Prafullchandra

  76.  *

  77.  * @version 1.22

  78.  *

  79.  * @see Certificate

  80.  * @see CertificateFactory

  81.  * @see X509Extension

  82.  */

  83. 

  84. public abstract class X509Certificate extends Certificate

  85. implements X509Extension {

  86. 

  87.     /**

  88.      * Constructor for X.509 certificates.

  89.      */

  90.     protected X509Certificate() {

  91. 	super("X.509");

  92.     }

  93. 

  94.     /**

  95.      * Checks that the certificate is currently valid. It is if

  96.      * the current date and time are within the validity period given in the

  97.      * certificate.

  98.      * <p>

  99.      * The validity period consists of two date/time values: 

  100.      * the first and last dates (and times) on which the certificate 

  101.      * is valid. It is defined in

  102.      * ASN.1 as:

  103.      * <pre>

  104.      * validity             Validity<p>

  105.      * Validity ::= SEQUENCE {

  106.      *     notBefore      CertificateValidityDate,

  107.      *     notAfter       CertificateValidityDate }<p>

  108.      * CertificateValidityDate ::= CHOICE {

  109.      *     utcTime        UTCTime,

  110.      *     generalTime    GeneralizedTime }

  111.      * </pre>

  112.      * 

  113.      * @exception CertificateExpiredException if the certificate has expired.

  114.      * @exception CertificateNotYetValidException if the certificate is not

  115.      * yet valid.

  116.      */

  117.     public abstract void checkValidity()

  118.         throws CertificateExpiredException, CertificateNotYetValidException;

  119. 

  120.     /**

  121.      * Checks that the given date is within the certificate's

  122.      * validity period. In other words, this determines whether the 

  123.      * certificate would be valid at the given date/time.

  124.      *

  125.      * @param date the Date to check against to see if this certificate

  126.      *        is valid at that date/time.

  127.      *

  128.      * @exception CertificateExpiredException if the certificate has expired

  129.      * with respect to the <code>date</code> supplied.

  130.      * @exception CertificateNotYetValidException if the certificate is not

  131.      * yet valid with respect to the <code>date</code> supplied.

  132.      * 

  133.      * @see #checkValidity()

  134.      */

  135.     public abstract void checkValidity(Date date)

  136.         throws CertificateExpiredException, CertificateNotYetValidException;

  137. 

  138.     /**

  139.      * Gets the <code>version</code> (version number) value from the

  140.      * certificate.

  141.      * The ASN.1 definition for this is:

  142.      * <pre>

  143.      * version  [0] EXPLICIT Version DEFAULT v1<p>

  144.      * Version ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

  145.      * </pre>

  146.      * @return the version number, i.e. 1, 2 or 3.

  147.      */

  148.     public abstract int getVersion();

  149. 

  150.     /**

  151.      * Gets the <code>serialNumber</code> value from the certificate.

  152.      * The serial number is an integer assigned by the certification

  153.      * authority to each certificate. It must be unique for each

  154.      * certificate issued by a given CA (i.e., the issuer name and

  155.      * serial number identify a unique certificate).

  156.      * The ASN.1 definition for this is:

  157.      * <pre>

  158.      * serialNumber     CertificateSerialNumber<p>

  159.      * 

  160.      * CertificateSerialNumber  ::=  INTEGER

  161.      * </pre>

  162.      *

  163.      * @return the serial number.

  164.      */

  165.     public abstract BigInteger getSerialNumber();

  166. 

  167.     /**

  168.      * Gets the <code>issuer</code> (issuer distinguished name) value from 

  169.      * the certificate. The issuer name identifies the entity that signed (and

  170.      * issued) the certificate. 

  171.      * 

  172.      * <p>The issuer name field contains an

  173.      * X.500 distinguished name (DN).

  174.      * The ASN.1 definition for this is:

  175.      * <pre>

  176.      * issuer    Name<p>

  177.      *

  178.      * Name ::= CHOICE { RDNSequence }

  179.      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

  180.      * RelativeDistinguishedName ::=

  181.      *     SET OF AttributeValueAssertion

  182.      *

  183.      * AttributeValueAssertion ::= SEQUENCE {

  184.      *                               AttributeType,

  185.      *                               AttributeValue }

  186.      * AttributeType ::= OBJECT IDENTIFIER

  187.      * AttributeValue ::= ANY

  188.      * </pre>

  189.      * The <code>Name</code> describes a hierarchical name composed of

  190.      * attributes,

  191.      * such as country name, and corresponding values, such as US.

  192.      * The type of the <code>AttributeValue</code> component is determined by

  193.      * the <code>AttributeType</code> in general it will be a 

  194.      * <code>directoryString</code>. A <code>directoryString</code> is usually 

  195.      * one of <code>PrintableString</code>,

  196.      * <code>TeletexString</code> or <code>UniversalString</code>.

  197.      * 

  198.      * @return a Principal whose name is the issuer distinguished name.

  199.      */

  200.     public abstract Principal getIssuerDN();

  201. 

  202.     /**

  203.      * Gets the <code>subject</code> (subject distinguished name) value 

  204.      * from the certificate.

  205.      * The ASN.1 definition for this is:

  206.      * <pre>

  207.      * subject    Name

  208.      * </pre>

  209.      * 

  210.      * <p>See {@link getIssuerDN()#getIssuerDN} for <code>Name</code> 

  211.      * and other relevant definitions.

  212.      * 

  213.      * @return a Principal whose name is the subject name.

  214.      */

  215.     public abstract Principal getSubjectDN();

  216. 

  217.     /**

  218.      * Gets the <code>notBefore</code> date from the validity period of 

  219.      * the certificate.

  220.      * The relevant ASN.1 definitions are:

  221.      * <pre>

  222.      * validity             Validity<p>

  223.      * 

  224.      * Validity ::= SEQUENCE {

  225.      *     notBefore      CertificateValidityDate,

  226.      *     notAfter       CertificateValidityDate }<p>

  227.      * CertificateValidityDate ::= CHOICE {

  228.      *     utcTime        UTCTime,

  229.      *     generalTime    GeneralizedTime }

  230.      * </pre>

  231.      *

  232.      * @return the start date of the validity period.

  233.      * @see #checkValidity

  234.      */

  235.     public abstract Date getNotBefore();

  236. 

  237.     /**

  238.      * Gets the <code>notAfter</code> date from the validity period of 

  239.      * the certificate. See {@link getNotBefore()#getNotBefore}

  240.      * for relevant ASN.1 definitions.

  241.      *

  242.      * @return the end date of the validity period.

  243.      * @see #checkValidity

  244.      */

  245.     public abstract Date getNotAfter();

  246. 

  247.     /**

  248.      * Gets the DER-encoded certificate information, the

  249.      * <code>tbsCertificate</code> from this certificate.

  250.      * This can be used to verify the signature independently.

  251.      *

  252.      * @return the DER-encoded certificate information.

  253.      * @exception CertificateEncodingException if an encoding error occurs.

  254.      */

  255.     public abstract byte[] getTBSCertificate()

  256.         throws CertificateEncodingException;

  257. 

  258.     /**

  259.      * Gets the <code>signature</code> value (the raw signature bits) from 

  260.      * the certificate.

  261.      * The ASN.1 definition for this is:

  262.      * <pre>

  263.      * signature     BIT STRING  

  264.      * </pre>

  265.      *

  266.      * @return the signature.

  267.      */

  268.     public abstract byte[] getSignature();

  269. 

  270.     /**

  271.      * Gets the signature algorithm name for the certificate

  272.      * signature algorithm. An example is the string "SHA-1/DSA".

  273.      * The ASN.1 definition for this is:

  274.      * <pre>

  275.      * signatureAlgorithm   AlgorithmIdentifier<p>

  276.      * AlgorithmIdentifier  ::=  SEQUENCE  {

  277.      *     algorithm               OBJECT IDENTIFIER,

  278.      *     parameters              ANY DEFINED BY algorithm OPTIONAL  }

  279.      *                             -- contains a value of the type

  280.      *                             -- registered for use with the

  281.      *                             -- algorithm object identifier value

  282.      * </pre>

  283.      * 

  284.      * <p>The algorithm name is determined from the <code>algorithm</code>

  285.      * OID string.

  286.      *

  287.      * @return the signature algorithm name.

  288.      */

  289.     public abstract String getSigAlgName();

  290. 

  291.     /**

  292.      * Gets the signature algorithm OID string from the certificate.

  293.      * An OID is represented by a set of positive whole numbers separated

  294.      * by periods.

  295.      * For example, the string "1.2.840.10040.4.3" identifies the SHA-1

  296.      * with DSA signature algorithm, as per the PKIX part I.

  297.      * 

  298.      * <p>See {@link getSigAlgName()#getSigAlgName} for 

  299.      * relevant ASN.1 definitions.

  300.      *

  301.      * @return the signature algorithm OID string.

  302.      */

  303.     public abstract String getSigAlgOID();

  304. 

  305.     /**

  306.      * Gets the DER-encoded signature algorithm parameters from this

  307.      * certificate's signature algorithm. In most cases, the signature

  308.      * algorithm parameters are null; the parameters are usually

  309.      * supplied with the certificate's public key.

  310.      * If access to individual parameter values is needed then use

  311.      * {@link java.security.AlgorithmParameters#AlgorithmParameters}

  312.      * and instantiate with the name returned by

  313.      * {@link getSigAlgName()#getSigAlgName}.

  314.      * 

  315.      * <p>See {@link getSigAlgName()#getSigAlgName} for 

  316.      * relevant ASN.1 definitions.

  317.      *

  318.      * @return the DER-encoded signature algorithm parameters, or

  319.      *         null if no parameters are present.

  320.      */

  321.     public abstract byte[] getSigAlgParams();

  322. 

  323.     /**

  324.      * Gets the <code>issuerUniqueID</code> value from the certificate.

  325.      * The issuer unique identifier is present in the certificate

  326.      * to handle the possibility of reuse of issuer names over time.

  327.      * The PKIX Part I recommends that names not be reused and that

  328.      * conforming certificates not make use of unique identifiers.

  329.      * Applications conforming to that profile should be capable of

  330.      * parsing unique identifiers and making comparisons.

  331.      * 

  332.      * <p>The ASN.1 definition for this is:

  333.      * <pre>

  334.      * issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL<p>

  335.      * UniqueIdentifier  ::=  BIT STRING

  336.      * </pre>

  337.      *

  338.      * @return the issuer unique identifier or null if it is not

  339.      * present in the certificate.

  340.      */

  341.     public abstract boolean[] getIssuerUniqueID();

  342. 

  343.     /**

  344.      * Gets the <code>subjectUniqueID</code> value from the certificate.

  345.      * 

  346.      * <p>The ASN.1 definition for this is:

  347.      * <pre>

  348.      * subjectUniqueID  [2]  IMPLICIT UniqueIdentifier OPTIONAL<p>

  349.      * UniqueIdentifier  ::=  BIT STRING

  350.      * </pre>

  351.      *

  352.      * @return the subject unique identifier or null if it is not

  353.      * present in the certificate.

  354.      */

  355.     public abstract boolean[] getSubjectUniqueID();

  356.    

  357.     /**

  358.      * Gets a boolean array representing bits of

  359.      * the <code>KeyUsage</code> extension, (OID = 2.5.29.15).

  360.      * The key usage extension defines the purpose (e.g., encipherment,

  361.      * signature, certificate signing) of the key contained in the

  362.      * certificate.

  363.      * The ASN.1 definition for this is:

  364.      * <pre>

  365.      * KeyUsage ::= BIT STRING {

  366.      *     digitalSignature        (0),

  367.      *     nonRepudiation          (1),

  368.      *     keyEncipherment         (2),

  369.      *     dataEncipherment        (3),

  370.      *     keyAgreement            (4),

  371.      *     keyCertSign             (5),

  372.      *     cRLSign                 (6),

  373.      *     encipherOnly            (7),

  374.      *     decipherOnly            (8) }

  375.      * </pre>

  376.      * The PKIX part I draft recommends that when used, this be marked

  377.      * as a critical extension.

  378.      *

  379.      * @return the bit values of the KeyUsage extension as an array of

  380.      * booleans,

  381.      * or null if the KeyUsage extension is not present in the certificate.

  382.      */

  383.     public abstract boolean[] getKeyUsage();

  384. 

  385.     /**

  386.      * Gets the certificate constraints path length from the

  387.      * critical <code>BasicConstraints</code> extension, (OID = 2.5.29.19).

  388.      * <p>

  389.      * The basic constraints extension identifies whether the subject

  390.      * of the certificate is a Certificate Authority (CA) and 

  391.      * how deep a certification path may exist through that CA. The 

  392.      * <code>pathLenConstraint</code> field (see below) is meaningful

  393.      * only if <code>cA</code> is set to TRUE. In this case, it gives the

  394.      * maximum number of CA certificates that may follow this certificate in a

  395.      * certification path. A value of zero indicates that only an end-entity

  396.      * certificate may follow in the path.

  397.      * <p>

  398.      * Note that for the PKIX profile this extension is always marked

  399.      * critical if <code>cA</code> is TRUE, meaning this certificate belongs

  400.      * to a Certificate Authority.

  401.      * <p>

  402.      * The ASN.1 definition for this is:

  403.      * <pre>

  404.      * BasicConstraints ::= SEQUENCE {

  405.      *     cA                  BOOLEAN DEFAULT FALSE,

  406.      *     pathLenConstraint   INTEGER (0..MAX) OPTIONAL }

  407.      * </pre>

  408.      *

  409.      * @return the length of the constraint if the BasicConstraints extension

  410.      * is present in the certificate and the <code>cA</code> value is TRUE. 

  411.      * Otherwise returns -1.

  412.      */

  413.     public abstract int getBasicConstraints();

  414. }