1/* 2 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27package javax.security.cert; 28 29import java.io.InputStream; 30import java.lang.Class; 31import java.lang.reflect.Constructor; 32import java.lang.reflect.InvocationTargetException; 33import java.security.Security; 34 35import java.math.BigInteger; 36import java.security.AccessController; 37import java.security.Principal; 38import java.security.PrivilegedAction; 39import java.security.PublicKey; 40import java.util.BitSet; 41import java.util.Date; 42 43/** 44 * Abstract class for X.509 v1 certificates. This provides a standard 45 * way to access all the version 1 attributes of an X.509 certificate. 46 * Attributes that are specific to X.509 v2 or v3 are not available 47 * through this interface. Future API evolution will provide full access to 48 * complete X.509 v3 attributes. 49 * <p> 50 * The basic X.509 format was defined by 51 * ISO/IEC and ANSI X9 and is described below in ASN.1: 52 * <pre> 53 * Certificate ::= SEQUENCE { 54 * tbsCertificate TBSCertificate, 55 * signatureAlgorithm AlgorithmIdentifier, 56 * signature BIT STRING } 57 * </pre> 58 * <p> 59 * These certificates are widely used to support authentication and 60 * other functionality in Internet security systems. Common applications 61 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), 62 * code signing for trusted software distribution, and Secure Electronic 63 * Transactions (SET). 64 * <p> 65 * These certificates are managed and vouched for by <em>Certificate 66 * Authorities</em> (CAs). CAs are services which create certificates by 67 * placing data in the X.509 standard format and then digitally signing 68 * that data. CAs act as trusted third parties, making introductions 69 * between principals who have no direct knowledge of each other. 70 * CA certificates are either signed by themselves, or by some other 71 * CA such as a "root" CA. 72 * <p> 73 * The ASN.1 definition of {@code tbsCertificate} is: 74 * <pre> 75 * TBSCertificate ::= SEQUENCE { 76 * version [0] EXPLICIT Version DEFAULT v1, 77 * serialNumber CertificateSerialNumber, 78 * signature AlgorithmIdentifier, 79 * issuer Name, 80 * validity Validity, 81 * subject Name, 82 * subjectPublicKeyInfo SubjectPublicKeyInfo, 83 * } 84 * </pre> 85 * <p> 86 * Here is sample code to instantiate an X.509 certificate: 87 * <pre> 88 * InputStream inStream = new FileInputStream("fileName-of-cert"); 89 * X509Certificate cert = X509Certificate.getInstance(inStream); 90 * inStream.close(); 91 * </pre> 92 * OR 93 * <pre> 94 * byte[] certData = <certificate read from a file, say> 95 * X509Certificate cert = X509Certificate.getInstance(certData); 96 * </pre> 97 * <p> 98 * In either case, the code that instantiates an X.509 certificate 99 * consults the value of the {@code cert.provider.x509v1} security property 100 * to locate the actual implementation or instantiates a default implementation. 101 * <p> 102 * The {@code cert.provider.x509v1} property is set to a default 103 * implementation for X.509 such as: 104 * <pre> 105 * cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl 106 * </pre> 107 * <p> 108 * The value of this {@code cert.provider.x509v1} property has to be 109 * changed to instantiate another implementation. If this security 110 * property is not set, a default implementation will be used. 111 * Currently, due to possible security restrictions on access to 112 * Security properties, this value is looked up and cached at class 113 * initialization time and will fallback on a default implementation if 114 * the Security property is not accessible. 115 * 116 * <p><em>Note: The classes in the package {@code javax.security.cert} 117 * exist for compatibility with earlier versions of the 118 * Java Secure Sockets Extension (JSSE). New applications should instead 119 * use the standard Java SE certificate classes located in 120 * {@code java.security.cert}.</em></p> 121 * 122 * @author Hemma Prafullchandra 123 * @since 1.4 124 * @see Certificate 125 * @see java.security.cert.X509Extension 126 * @see java.security.Security security properties 127 * @deprecated Use the classes in {@code java.security.cert} instead. 128 */ 129@Deprecated(since="9") 130public abstract class X509Certificate extends Certificate { 131 132 /* 133 * Constant to lookup in the Security properties file. 134 * In the Security properties file the default implementation 135 * for X.509 v3 is given as: 136 * <pre> 137 * cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl 138 * </pre> 139 */ 140 private static final String X509_PROVIDER = "cert.provider.x509v1"; 141 private static String X509Provider; 142 143 static { 144 X509Provider = AccessController.doPrivileged( 145 new PrivilegedAction<>() { 146 public String run() { 147 return Security.getProperty(X509_PROVIDER); 148 } 149 } 150 ); 151 } 152 153 /** 154 * Instantiates an X509Certificate object, and initializes it with 155 * the data read from the input stream {@code inStream}. 156 * The implementation (X509Certificate is an abstract class) is 157 * provided by the class specified as the value of the 158 * {@code cert.provider.x509v1} security property. 159 * 160 * <p>Note: Only one DER-encoded 161 * certificate is expected to be in the input stream. 162 * Also, all X509Certificate 163 * subclasses must provide a constructor of the form: 164 * <pre>{@code 165 * public <subClass>(InputStream inStream) ... 166 * }</pre> 167 * 168 * @param inStream an input stream with the data to be read to 169 * initialize the certificate. 170 * @return an X509Certificate object initialized with the data 171 * from the input stream. 172 * @exception CertificateException if a class initialization 173 * or certificate parsing error occurs. 174 */ 175 public static final X509Certificate getInstance(InputStream inStream) 176 throws CertificateException { 177 return getInst((Object)inStream); 178 } 179 180 /** 181 * Instantiates an X509Certificate object, and initializes it with 182 * the specified byte array. 183 * The implementation (X509Certificate is an abstract class) is 184 * provided by the class specified as the value of the 185 * {@code cert.provider.x509v1} security property. 186 * 187 * <p>Note: All X509Certificate 188 * subclasses must provide a constructor of the form: 189 * <pre>{@code 190 * public <subClass>(InputStream inStream) ... 191 * }</pre> 192 * 193 * @param certData a byte array containing the DER-encoded 194 * certificate. 195 * @return an X509Certificate object initialized with the data 196 * from {@code certData}. 197 * @exception CertificateException if a class initialization 198 * or certificate parsing error occurs. 199 */ 200 public static final X509Certificate getInstance(byte[] certData) 201 throws CertificateException { 202 return getInst((Object)certData); 203 } 204 205 private static final X509Certificate getInst(Object value) 206 throws CertificateException { 207 /* 208 * This turns out not to work for now. To run under JDK1.2 we would 209 * need to call beginPrivileged() but we can't do that and run 210 * under JDK1.1. 211 */ 212 String className = X509Provider; 213 if (className == null || className.length() == 0) { 214 // shouldn't happen, but assume corrupted properties file 215 // provide access to sun implementation 216 className = "com.sun.security.cert.internal.x509.X509V1CertImpl"; 217 } 218 try { 219 Class<?>[] params = null; 220 if (value instanceof InputStream) { 221 params = new Class<?>[] { InputStream.class }; 222 } else if (value instanceof byte[]) { 223 params = new Class<?>[] { value.getClass() }; 224 } else 225 throw new CertificateException("Unsupported argument type"); 226 Class<?> certClass = Class.forName(className); 227 228 // get the appropriate constructor and instantiate it 229 Constructor<?> cons = certClass.getConstructor(params); 230 231 // get a new instance 232 Object obj = cons.newInstance(new Object[] {value}); 233 return (X509Certificate)obj; 234 235 } catch (ClassNotFoundException e) { 236 throw new CertificateException("Could not find class: " + e); 237 } catch (IllegalAccessException e) { 238 throw new CertificateException("Could not access class: " + e); 239 } catch (InstantiationException e) { 240 throw new CertificateException("Problems instantiating: " + e); 241 } catch (InvocationTargetException e) { 242 throw new CertificateException("InvocationTargetException: " 243 + e.getTargetException()); 244 } catch (NoSuchMethodException e) { 245 throw new CertificateException("Could not find class method: " 246 + e.getMessage()); 247 } 248 } 249 250 /** 251 * Checks that the certificate is currently valid. It is if 252 * the current date and time are within the validity period given in the 253 * certificate. 254 * <p> 255 * The validity period consists of two date/time values: 256 * the first and last dates (and times) on which the certificate 257 * is valid. It is defined in 258 * ASN.1 as: 259 * <pre> 260 * validity Validity 261 * 262 * Validity ::= SEQUENCE { 263 * notBefore CertificateValidityDate, 264 * notAfter CertificateValidityDate } 265 * 266 * CertificateValidityDate ::= CHOICE { 267 * utcTime UTCTime, 268 * generalTime GeneralizedTime } 269 * </pre> 270 * 271 * @exception CertificateExpiredException if the certificate has expired. 272 * @exception CertificateNotYetValidException if the certificate is not 273 * yet valid. 274 */ 275 public abstract void checkValidity() 276 throws CertificateExpiredException, CertificateNotYetValidException; 277 278 /** 279 * Checks that the specified date is within the certificate's 280 * validity period. In other words, this determines whether the 281 * certificate would be valid at the specified date/time. 282 * 283 * @param date the Date to check against to see if this certificate 284 * is valid at that date/time. 285 * @exception CertificateExpiredException if the certificate has expired 286 * with respect to the {@code date} supplied. 287 * @exception CertificateNotYetValidException if the certificate is not 288 * yet valid with respect to the {@code date} supplied. 289 * @see #checkValidity() 290 */ 291 public abstract void checkValidity(Date date) 292 throws CertificateExpiredException, CertificateNotYetValidException; 293 294 /** 295 * Gets the {@code version} (version number) value from the 296 * certificate. The ASN.1 definition for this is: 297 * <pre> 298 * version [0] EXPLICIT Version DEFAULT v1 299 * 300 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 301 * </pre> 302 * 303 * @return the version number from the ASN.1 encoding, i.e. 0, 1 or 2. 304 */ 305 public abstract int getVersion(); 306 307 /** 308 * Gets the {@code serialNumber} value from the certificate. 309 * The serial number is an integer assigned by the certification 310 * authority to each certificate. It must be unique for each 311 * certificate issued by a given CA (i.e., the issuer name and 312 * serial number identify a unique certificate). 313 * The ASN.1 definition for this is: 314 * <pre> 315 * serialNumber CertificateSerialNumber 316 * 317 * CertificateSerialNumber ::= INTEGER 318 * </pre> 319 * 320 * @return the serial number. 321 */ 322 public abstract BigInteger getSerialNumber(); 323 324 /** 325 * Gets the {@code issuer} (issuer distinguished name) value from 326 * the certificate. The issuer name identifies the entity that signed (and 327 * issued) the certificate. 328 * 329 * <p>The issuer name field contains an 330 * X.500 distinguished name (DN). 331 * The ASN.1 definition for this is: 332 * <pre> 333 * issuer Name 334 * 335 * Name ::= CHOICE { RDNSequence } 336 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 337 * RelativeDistinguishedName ::= 338 * SET OF AttributeValueAssertion 339 * 340 * AttributeValueAssertion ::= SEQUENCE { 341 * AttributeType, 342 * AttributeValue } 343 * AttributeType ::= OBJECT IDENTIFIER 344 * AttributeValue ::= ANY 345 * </pre> 346 * The {@code Name} describes a hierarchical name composed of 347 * attributes, such as country name, and corresponding values, such as US. 348 * The type of the {@code AttributeValue} component is determined by 349 * the {@code AttributeType}; in general it will be a 350 * {@code directoryString}. A {@code directoryString} is usually 351 * one of {@code PrintableString}, 352 * {@code TeletexString} or {@code UniversalString}. 353 * 354 * @return a Principal whose name is the issuer distinguished name. 355 */ 356 public abstract Principal getIssuerDN(); 357 358 /** 359 * Gets the {@code subject} (subject distinguished name) value 360 * from the certificate. 361 * The ASN.1 definition for this is: 362 * <pre> 363 * subject Name 364 * </pre> 365 * 366 * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name} 367 * and other relevant definitions. 368 * 369 * @return a Principal whose name is the subject name. 370 * @see #getIssuerDN() 371 */ 372 public abstract Principal getSubjectDN(); 373 374 /** 375 * Gets the {@code notBefore} date from the validity period of 376 * the certificate. 377 * The relevant ASN.1 definitions are: 378 * <pre> 379 * validity Validity 380 * 381 * Validity ::= SEQUENCE { 382 * notBefore CertificateValidityDate, 383 * notAfter CertificateValidityDate } 384 * 385 * CertificateValidityDate ::= CHOICE { 386 * utcTime UTCTime, 387 * generalTime GeneralizedTime } 388 * </pre> 389 * 390 * @return the start date of the validity period. 391 * @see #checkValidity() 392 */ 393 public abstract Date getNotBefore(); 394 395 /** 396 * Gets the {@code notAfter} date from the validity period of 397 * the certificate. See {@link #getNotBefore() getNotBefore} 398 * for relevant ASN.1 definitions. 399 * 400 * @return the end date of the validity period. 401 * @see #checkValidity() 402 */ 403 public abstract Date getNotAfter(); 404 405 /** 406 * Gets the signature algorithm name for the certificate 407 * signature algorithm. An example is the string "SHA-1/DSA". 408 * The ASN.1 definition for this is: 409 * <pre> 410 * signatureAlgorithm AlgorithmIdentifier 411 * 412 * AlgorithmIdentifier ::= SEQUENCE { 413 * algorithm OBJECT IDENTIFIER, 414 * parameters ANY DEFINED BY algorithm OPTIONAL } 415 * -- contains a value of the type 416 * -- registered for use with the 417 * -- algorithm object identifier value 418 * </pre> 419 * 420 * <p>The algorithm name is determined from the {@code algorithm} 421 * OID string. 422 * 423 * @return the signature algorithm name. 424 */ 425 public abstract String getSigAlgName(); 426 427 /** 428 * Gets the signature algorithm OID string from the certificate. 429 * An OID is represented by a set of positive whole numbers separated 430 * by periods. 431 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1 432 * with DSA signature algorithm, as per the PKIX part I. 433 * 434 * <p>See {@link #getSigAlgName() getSigAlgName} for 435 * relevant ASN.1 definitions. 436 * 437 * @return the signature algorithm OID string. 438 */ 439 public abstract String getSigAlgOID(); 440 441 /** 442 * Gets the DER-encoded signature algorithm parameters from this 443 * certificate's signature algorithm. In most cases, the signature 444 * algorithm parameters are null; the parameters are usually 445 * supplied with the certificate's public key. 446 * 447 * <p>See {@link #getSigAlgName() getSigAlgName} for 448 * relevant ASN.1 definitions. 449 * 450 * @return the DER-encoded signature algorithm parameters, or 451 * null if no parameters are present. 452 */ 453 public abstract byte[] getSigAlgParams(); 454} 455